From 51c9a9d7e3970ebc696ef6fd66c79ffdbc922c9c Mon Sep 17 00:00:00 2001
From: CPol
Date: Tue, 6 Jul 2021 18:11:30 +0000
Subject: [PATCH] GitBook: [master] 6 pages and 12 assets modified

---
 ...1).png => image (466) (2) (2) (2) (2) (1).png} | Bin
 ...2).png => image (466) (2) (2) (2) (2) (2).png} | Bin
 ...1).png => image (477) (2) (2) (2) (2) (1).png} | Bin
 ...2).png => image (477) (2) (2) (2) (2) (2).png} | Bin
 .../{image (507).png => image (507) (2) (1).png} | Bin
 .../{image (554).png => image (535) (1).png} | Bin
 brute-force.md | 1 +
 .../windows-forensics/README.md | 2 +-
 mobile-apps-pentesting/ios-pentesting/README.md | 2 +-
 pentesting-web/saml-attacks/README.md | 2 +-
 pentesting/pentesting-ftp/README.md | 1 +
 .../disable_functions-bypass-php-fpm-fastcgi.md | 14 ++++----------
 12 files changed, 9 insertions(+), 13 deletions(-)
 rename .gitbook/assets/{image (466) (2) (2) (2) (1).png => image (466) (2) (2) (2) (2) (1).png} (100%)
 rename .gitbook/assets/{image (466) (2) (2) (2).png => image (466) (2) (2) (2) (2) (2).png} (100%)
 rename .gitbook/assets/{image (477) (2) (2) (2) (1).png => image (477) (2) (2) (2) (2) (1).png} (100%)
 rename .gitbook/assets/{image (477) (2) (2) (2).png => image (477) (2) (2) (2) (2) (2).png} (100%)
 rename .gitbook/assets/{image (507).png => image (507) (2) (1).png} (100%)
 rename .gitbook/assets/{image (554).png => image (535) (1).png} (100%)

diff --git a/.gitbook/assets/image (466) (2) (2) (2) (1).png b/.gitbook/assets/image (466) (2) (2) (2) (2) (1).png
similarity index 100%
rename from .gitbook/assets/image (466) (2) (2) (2) (1).png
rename to .gitbook/assets/image (466) (2) (2) (2) (2) (1).png
diff --git a/.gitbook/assets/image (466) (2) (2) (2).png b/.gitbook/assets/image (466) (2) (2) (2) (2) (2).png
similarity index 100%
rename from .gitbook/assets/image (466) (2) (2) (2).png
rename to .gitbook/assets/image (466) (2) (2) (2) (2) (2).png
diff --git a/.gitbook/assets/image (477) (2) (2) (2) (1).png b/.gitbook/assets/image (477) (2) (2) (2) (2) (1).png
similarity index 100%
rename from .gitbook/assets/image (477) (2) (2) (2) (1).png
rename to .gitbook/assets/image (477) (2) (2) (2) (2) (1).png
diff --git a/.gitbook/assets/image (477) (2) (2) (2).png b/.gitbook/assets/image (477) (2) (2) (2) (2) (2).png
similarity index 100%
rename from .gitbook/assets/image (477) (2) (2) (2).png
rename to .gitbook/assets/image (477) (2) (2) (2) (2) (2).png
diff --git a/.gitbook/assets/image (507).png b/.gitbook/assets/image (507) (2) (1).png
similarity index 100%
rename from .gitbook/assets/image (507).png
rename to .gitbook/assets/image (507) (2) (1).png
diff --git a/.gitbook/assets/image (554).png b/.gitbook/assets/image (535) (1).png
similarity index 100%
rename from .gitbook/assets/image (554).png
rename to .gitbook/assets/image (535) (1).png
diff --git a/brute-force.md b/brute-force.md
index 3dba9ef04..5c10aefff 100644
--- a/brute-force.md
+++ b/brute-force.md
@@ -367,6 +367,7 @@ msf> use auxiliary/scanner/mssql/mssql_login #Be carefull, you can block account
 hydra -l root -P passwords.txt [-t 32] ssh
 ncrack -p 22 --user root -P passwords.txt [-T 5]
 medusa -u root -P 500-worst-passwords.txt -h -M ssh
+patator ssh_login host= port=22 user=root 0=/path/passwords.txt password=FILE0 -x ignore:mesg='Authentication failed'
 ```
 ### Telnet
diff --git a/forensics/basic-forensic-methodology/windows-forensics/README.md b/forensics/basic-forensic-methodology/windows-forensics/README.md
index 387be8875..13fc4a7a4 100644
--- a/forensics/basic-forensic-methodology/windows-forensics/README.md
+++ b/forensics/basic-forensic-methodology/windows-forensics/README.md
@@ -130,7 +130,7 @@ The files in the folder WPDNSE are a copy of the original ones, then won't survi
 Check the file `C:\Windows\inf\setupapi.dev.log` to get the timestamps about when the USB connection was produced \(search for `Section start`\).
-![](../../../.gitbook/assets/image%20%28477%29%20%282%29%20%282%29%20%282%29%20%281%29.png)
+![](../../../.gitbook/assets/image%20%28477%29%20%282%29%20%282%29%20%282%29%20%282%29%20%281%29.png)
 ### USB Detective
diff --git a/mobile-apps-pentesting/ios-pentesting/README.md b/mobile-apps-pentesting/ios-pentesting/README.md
index f91cfc660..a1651d946 100644
--- a/mobile-apps-pentesting/ios-pentesting/README.md
+++ b/mobile-apps-pentesting/ios-pentesting/README.md
@@ -601,7 +601,7 @@ Many apps log informative \(and potentially sensitive\) messages to the console
 5. Reproduce the problem.
 6. Click on the **Open Console** button located in the upper right-hand area of the Devices window to view the console logs on a separate window.
-![](../../.gitbook/assets/image%20%28466%29%20%282%29%20%282%29%20%282%29%20%281%29.png)
+![](../../.gitbook/assets/image%20%28466%29%20%282%29%20%282%29%20%282%29%20%282%29%20%281%29.png)
 You can also connect to the device shell as explained in Accessing the Device Shell, install **socat** via **apt-get** and run the following command:
diff --git a/pentesting-web/saml-attacks/README.md b/pentesting-web/saml-attacks/README.md
index d0a81a78c..673fbf923 100644
--- a/pentesting-web/saml-attacks/README.md
+++ b/pentesting-web/saml-attacks/README.md
@@ -6,7 +6,7 @@
 ## Attacks Graphic
-![](../../.gitbook/assets/image%20%28554%29.png)
+![](../../.gitbook/assets/image%20%28535%29%20%281%29.png)
 ## Tool
diff --git a/pentesting/pentesting-ftp/README.md b/pentesting/pentesting-ftp/README.md
index f5d7a7658..745fb568e 100644
--- a/pentesting/pentesting-ftp/README.md
+++ b/pentesting/pentesting-ftp/README.md
@@ -15,6 +15,7 @@ PORT STATE SERVICE
 ## Enumeration
 ### Nmap FTP scripts
+
 ```bash
 nmap --script ftp-* -p 21
 ```
diff --git a/pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-fpm-fastcgi.md b/pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-fpm-fastcgi.md
index fcddbd4d5..76fbdfb02 100644
--- a/pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-fpm-fastcgi.md
+++ b/pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-fpm-fastcgi.md
@@ -13,7 +13,7 @@ Normally web pages, files and all of the documents which are transferred from th
 If **CGI** is installed on the server, the specific cgi-bin directory is also added there, for example home/user/public\_html/cgi-bin. CGI scripts are stored in this directory. **Each file in the directory is treated as an executable program**. When accessing a script from the directory, the server sends request to the application, responsible for this script, instead of sending file's content to the browser. **After the input data processing is completed, the application sends the output data** to the web server which forwards the data to the HTTP client.
-For example, when the CGI script http://mysitename.com/**cgi-bin/file.pl** is accessed, the server will run the appropriate Perl application through CGI. The data generated from script execution will be sent by the application to the web server. The server, on the other hand, will transfer data to the browser. If the server did not have CGI, the browser would have displayed the **.pl** file code itself. \(explanation from [here](https://help.superhosting.bg/en/cgi-common-gateway-interface-fastcgi.html)\)
+For example, when the CGI script [http://mysitename.com/\*\*cgi-bin/file.pl\*\*](http://mysitename.com/**cgi-bin/file.pl**) is accessed, the server will run the appropriate Perl application through CGI. The data generated from script execution will be sent by the application to the web server. The server, on the other hand, will transfer data to the browser. If the server did not have CGI, the browser would have displayed the **.pl** file code itself. \(explanation from [here](https://help.superhosting.bg/en/cgi-common-gateway-interface-fastcgi.html)\)
 ### FastCGI
@@ -21,10 +21,6 @@ For example, when the CGI script http://mysitename.com/**cgi-bin/file.pl** is ac
 The need to develop FastCGI is that Web was arisen by applications' rapid development and complexity, as well to address the scalability shortcomings of CGI technology. To meet those requirements [Open Market](http://en.wikipedia.org/wiki/Open_Market) introduced **FastCGI – a high performance version of the CGI technology with enhanced capabilities.**
-## RCE \(7.\[123\].x\)
-
-This [**metasploit module**](https://www.rapid7.com/db/modules/exploit/multi/http/php_fpm_rce/) exploits an underflow vulnerability in versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 of **PHP-FPM on Nginx**.
-
 ## disable\_functions bypass
 It's possible to run PHP code abusing the FastCGI and avoiding the `disable_functions` limitations.
@@ -32,14 +28,14 @@ It's possible to run PHP code abusing the FastCGI and avoiding the `disable_func
 ### Via Gopherus
 {% hint style="danger" %}
-I'm not sure if this is working in modern versions because I tried once and it didn't execute anything. Please, if you have more information about this contact me via ****[**PEASS & HackTricks telegram group here**](https://t.me/peass), or twitter [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+I'm not sure if this is working in modern versions because I tried once and it didn't execute anything. Please, if you have more information about this contact me via **\*\*\[**PEASS & HackTricks telegram group here**\]\(**[https://t.me/peass](https://t.me/peass)**\), or twitter \[**@carlospolopm**\]\(**[https://twitter.com/carlospolopm](https://twitter.com/carlospolopm)**\)**.\*\*
 {% endhint %}
 Using [Gopherus](https://github.com/tarunkant/Gopherus) you can generate a payload to send to the FastCGI listener and execute arbitrary commands:
 ![](../../../../.gitbook/assets/image%20%28385%29.png)
-Then, you can grab the urlencoded payload and decode it and transform to base64, [**using this recipe of cyberchef for example**](http://icyberchef.com/#recipe=URL_Decode%28%29To_Base64%28'A-Za-z0-9%2B/%3D'%29&input=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). 
And then copy/pasting the abse64 in this php code:
+Then, you can grab the urlencoded payload and decode it and transform to base64, \[**using this recipe of cyberchef for example**\]\([http://icyberchef.com/\#recipe=URL\_Decode%28%29To\_Base64%28'A-Za-z0-9%2B/%3D'%29&input=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](http://icyberchef.com/#recipe=URL_Decode%28%29To_Base64%28'A-Za-z0-9%2B/%3D'%29&input=JTAxJTAxJTAwJTAxJTAwJTA4JTAwJTAwJTAwJTAxJTAwJTAwJTAwJTAwJTAwJTAwJTAxJTA0JTAwJTAxJTAxJTA0JTA0JTAwJTBGJTEwU0VSVkVSX1NPRlRXQVJFZ28lMjAvJTIwZmNnaWNsaWVudCUyMCUwQiUwOVJFTU9URV9BRERSMTI3LjAuMC4xJTBGJTA4U0VSVkVSX1BST1RPQ09MSFRUUC8xLjElMEUlMDJDT05URU5UX0xFTkdUSDc2JTBFJTA0UkVRVUVTVF9NRVRIT0RQT1NUJTA5S1BIUF9WQUxVRWFsbG93X3VybF9pbmNsdWRlJTIwJTNEJTIwT24lMEFkaXNhYmxlX2Z1bmN0aW9ucyUyMCUzRCUyMCUwQWF1dG9fcHJlcGVuZF9maWxlJTIwJTNEJTIwcGhwJTNBLy9pbnB1dCUwRiUxN1NDUklQVF9GSUxFTkFNRS92YXIvd3d3L2h0bWwvaW5kZXgucGhwJTBEJTAxRE9DVU1FTlRfUk9PVC8lMDAlMDAlMDAlMDAlMDElMDQlMDAlMDElMDAlMDAlMDAlMDAlMDElMDUlMDAlMDElMDBMJTA0JTAwJTNDJTNGcGhwJTIwc3lzdGVtJTI4JTI3d2hvYW1pJTIwJTNFJTIwL3RtcC93aG9hbWkudHh0JTI3JTI5JTNCZGllJTI4JTI3LS0tLS1NYWRlLWJ5LVNweUQzci0tLS0tJTBBJTI3JTI5JTNCJTNGJTNFJTAwJTAwJTAwJTAw)\). And then copy/pasting the abse64 in this php code:
 ```php