[noidontwant]

can somebody drop the hash this shit is taking forever

dont do time-based, other injection methods work too

[drunkp]

8200 ?? where did u found this port

once you get user, linpeas finds it

[osamy7593]

password for cacti admin:greencacti2001

not work on cacti its for the the original domain

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Asking for rep is not allowed

[hexforce]

Found out that you can bypass auth since you have access to the duplicati db in /opt/duplicati ... I didnt manage to get the exploit to work yet, but could lead to user?

[wtfduw]

password for cacti admin:greencacti2001

not work on cacti its for the the original domain

It does connect on both.

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Leeching | http://c66go4clkqodr7tdjfu76jztjs7w7d3fajdeypxn73v4ju3dt7g5yyyd.onion/Forum-Ban-Appeals if you feel this is incorrect.

[mascon]

can somebody drop the hash this shit is taking forever

dont do time-based, other injection methods work too

The only thing that worked was Stacked Query, basically changing the admin password hash to something like md5 of '1234' and using that pw to login, but I don't see anything interesting and the hashes can't be cracked with rockyou and john.

What do you mean it's faster? Elaborate please

[drunkp]

can somebody drop the hash this shit is taking forever

dont do time-based, other injection methods work too

The only thing that worked was Stacked Query, basically changing the admin password hash to something like md5 of '1234' and using that pw to login, but I don't see anything interesting and the hashes can't be cracked with rockyou and john.

What do you mean it's faster? Elaborate please

yeah, stack queries isn't the right path. plus you ruin the box for everyone else

i could only do time based. But then, you only need a password hash. It's manageable to get within 5-10 minutes.

[mascon]

can somebody drop the hash this shit is taking forever

dont do time-based, other injection methods work too

The only thing that worked was Stacked Query, basically changing the admin password hash to something like md5 of '1234' and using that pw to login, but I don't see anything interesting and the hashes can't be cracked with rockyou and john.

What do you mean it's faster? Elaborate please

yeah, stack queries isn't the right path. plus you ruin the box for everyone else

i could only do time based. But then, you only need a password hash. It's manageable to get within 5-10 minutes.

How so? It literally took me over 2h to dump db name, and I guessed table and column name, and started dumping only password column.
EDIT: and I'm on a personalized instance

[noidontwant]

can somebody drop the hash this shit is taking forever

dont do time-based, other injection methods work too

The only thing that worked was Stacked Query, basically changing the admin password hash to something like md5 of '1234' and using that pw to login, but I don't see anything interesting and the hashes can't be cracked with rockyou and john.

What do you mean it's faster? Elaborate please

I don't really know what u mean, but boolean-based blind is possible:
sqlmap -r req2.txt --dbms=mysql --technique=B -T users -D monitorsthree_db --dump
U get hashes and crack with hashcat -m 0.
Login to vhost cacti

[drunkp]

Found out that you can bypass auth since you have access to the duplicati db in /opt/duplicati ... I didnt manage to get the exploit to work yet, but could lead to user?

/opt/duplicati doesn't contain dbs

---

can somebody drop the hash this shit is taking forever

dont do time-based, other injection methods work too

The only thing that worked was Stacked Query, basically changing the admin password hash to something like md5 of '1234' and using that pw to login, but I don't see anything interesting and the hashes can't be cracked with rockyou and john.

What do you mean it's faster? Elaborate please

I don't really know what u mean, but boolean-based blind is possible:
sqlmap -r req2.txt --dbms=mysql --technique=B -T users -D monitorsthree_db --dump
U get hashes and crack with hashcat -m 0.
Login to vhost cacti

I meant changing admin pass would ruin it. but good that non-time based works

---

can somebody drop the hash this shit is taking forever

dont do time-based, other injection methods work too

The only thing that worked was Stacked Query, basically changing the admin password hash to something like md5 of '1234' and using that pw to login, but I don't see anything interesting and the hashes can't be cracked with rockyou and john.

What do you mean it's faster? Elaborate please

yeah, stack queries isn't the right path. plus you ruin the box for everyone else

i could only do time based. But then, you only need a password hash. It's manageable to get within 5-10 minutes.

How so? It literally took me over 2h to dump db name, and I guessed table and column name, and started dumping only password column.
EDIT: and I'm on a personalized instance

hm, I used a command something like (when promted follow redirect, say N) : 

sqlmap -r req --second-url "http://10.10.11.xxx/reset-password.php"