GitBook: [master] 6 pages and 12 assets modified

This commit is contained in:
CPol 2021-07-06 18:11:30 +00:00 committed by gitbook-bot
parent 47cae5fddd
commit 51c9a9d7e3
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
12 changed files with 9 additions and 13 deletions

View file

Before

Width:  |  Height:  |  Size: 341 KiB

After

Width:  |  Height:  |  Size: 341 KiB

View file

Before

Width:  |  Height:  |  Size: 341 KiB

After

Width:  |  Height:  |  Size: 341 KiB

View file

Before

Width:  |  Height:  |  Size: 10 KiB

After

Width:  |  Height:  |  Size: 10 KiB

View file

Before

Width:  |  Height:  |  Size: 10 KiB

After

Width:  |  Height:  |  Size: 10 KiB

View file

Before

Width:  |  Height:  |  Size: 35 KiB

After

Width:  |  Height:  |  Size: 35 KiB

View file

Before

Width:  |  Height:  |  Size: 1.3 MiB

After

Width:  |  Height:  |  Size: 1.3 MiB

View file

@ -367,6 +367,7 @@ msf> use auxiliary/scanner/mssql/mssql_login #Be carefull, you can block account
hydra -l root -P passwords.txt [-t 32] <IP> ssh
ncrack -p 22 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M ssh
patator ssh_login host=<ip> port=22 user=root 0=/path/passwords.txt password=FILE0 -x ignore:mesg='Authentication failed'
```
### Telnet

View file

@ -130,7 +130,7 @@ The files in the folder WPDNSE are a copy of the original ones, then won't survi
Check the file `C:\Windows\inf\setupapi.dev.log` to get the timestamps about when the USB connection was produced \(search for `Section start`\).
![](../../../.gitbook/assets/image%20%28477%29%20%282%29%20%282%29%20%282%29%20%281%29.png)
![](../../../.gitbook/assets/image%20%28477%29%20%282%29%20%282%29%20%282%29%20%282%29%20%281%29.png)
### USB Detective

View file

@ -601,7 +601,7 @@ Many apps log informative \(and potentially sensitive\) messages to the console
5. Reproduce the problem.
6. Click on the **Open Console** button located in the upper right-hand area of the Devices window to view the console logs on a separate window.
![](../../.gitbook/assets/image%20%28466%29%20%282%29%20%282%29%20%282%29%20%281%29.png)
![](../../.gitbook/assets/image%20%28466%29%20%282%29%20%282%29%20%282%29%20%282%29%20%281%29.png)
You can also connect to the device shell as explained in Accessing the Device Shell, install **socat** via **apt-get** and run the following command:

View file

@ -6,7 +6,7 @@
## Attacks Graphic
![](../../.gitbook/assets/image%20%28554%29.png)
![](../../.gitbook/assets/image%20%28535%29%20%281%29.png)
## Tool

View file

@ -15,6 +15,7 @@ PORT STATE SERVICE
## Enumeration
### Nmap FTP scripts
```bash
nmap --script ftp-* -p 21 <ip>
```

View file

@ -13,7 +13,7 @@ Normally web pages, files and all of the documents which are transferred from th
If **CGI** is installed on the server, the specific cgi-bin directory is also added there, for example home/user/public\_html/cgi-bin. CGI scripts are stored in this directory. **Each file in the directory is treated as an executable program**. When accessing a script from the directory, the server sends request to the application, responsible for this script, instead of sending file's content to the browser. **After the input data processing is completed, the application sends the output data** to the web server which forwards the data to the HTTP client.
For example, when the CGI script http://mysitename.com/**cgi-bin/file.pl** is accessed, the server will run the appropriate Perl application through CGI. The data generated from script execution will be sent by the application to the web server. The server, on the other hand, will transfer data to the browser. If the server did not have CGI, the browser would have displayed the **.pl** file code itself. \(explanation from [here](https://help.superhosting.bg/en/cgi-common-gateway-interface-fastcgi.html)\)
For example, when the CGI script [http://mysitename.com/\*\*cgi-bin/file.pl\*\*](http://mysitename.com/**cgi-bin/file.pl**) is accessed, the server will run the appropriate Perl application through CGI. The data generated from script execution will be sent by the application to the web server. The server, on the other hand, will transfer data to the browser. If the server did not have CGI, the browser would have displayed the **.pl** file code itself. \(explanation from [here](https://help.superhosting.bg/en/cgi-common-gateway-interface-fastcgi.html)\)
### FastCGI
@ -21,10 +21,6 @@ For example, when the CGI script http://mysitename.com/**cgi-bin/file.pl** is ac
The need to develop FastCGI is that Web was arisen by applications' rapid development and complexity, as well to address the scalability shortcomings of CGI technology. To meet those requirements [Open Market](http://en.wikipedia.org/wiki/Open_Market) introduced **FastCGI a high performance version of the CGI technology with enhanced capabilities.**
## RCE \(7.\[123\].x\)
This [**metasploit module**](https://www.rapid7.com/db/modules/exploit/multi/http/php_fpm_rce/) exploits an underflow vulnerability in versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 of **PHP-FPM on Nginx**.
## disable\_functions bypass
It's possible to run PHP code abusing the FastCGI and avoiding the `disable_functions` limitations.
@ -32,14 +28,14 @@ It's possible to run PHP code abusing the FastCGI and avoiding the `disable_func
### Via Gopherus
{% hint style="danger" %}
I'm not sure if this is working in modern versions because I tried once and it didn't execute anything. Please, if you have more information about this contact me via ****[**PEASS & HackTricks telegram group here**](https://t.me/peass), or twitter [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
I'm not sure if this is working in modern versions because I tried once and it didn't execute anything. Please, if you have more information about this contact me via **\*\*\[**PEASS & HackTricks telegram group here**\]\(**[https://t.me/peass](https://t.me/peass)**\), or twitter \[**@carlospolopm**\]\(**[https://twitter.com/carlospolopm](https://twitter.com/carlospolopm)**\)**.\*\*
{% endhint %}
Using [Gopherus](https://github.com/tarunkant/Gopherus) you can generate a payload to send to the FastCGI listener and execute arbitrary commands:
![](../../../../.gitbook/assets/image%20%28385%29.png)
Then, you can grab the urlencoded payload and decode it and transform to base64, [**using this recipe of cyberchef for example**](http://icyberchef.com/#recipe=URL_Decode%28%29To_Base64%28'A-Za-z0-9%2B/%3D'%29&input=JTAxJTAxJTAwJTAxJTAwJTA4JTAwJTAwJTAwJTAxJTAwJTAwJTAwJTAwJTAwJTAwJTAxJTA0JTAwJTAxJTAxJTA0JTA0JTAwJTBGJTEwU0VSVkVSX1NPRlRXQVJFZ28lMjAvJTIwZmNnaWNsaWVudCUyMCUwQiUwOVJFTU9URV9BRERSMTI3LjAuMC4xJTBGJTA4U0VSVkVSX1BST1RPQ09MSFRUUC8xLjElMEUlMDJDT05URU5UX0xFTkdUSDc2JTBFJTA0UkVRVUVTVF9NRVRIT0RQT1NUJTA5S1BIUF9WQUxVRWFsbG93X3VybF9pbmNsdWRlJTIwJTNEJTIwT24lMEFkaXNhYmxlX2Z1bmN0aW9ucyUyMCUzRCUyMCUwQWF1dG9fcHJlcGVuZF9maWxlJTIwJTNEJTIwcGhwJTNBLy9pbnB1dCUwRiUxN1NDUklQVF9GSUxFTkFNRS92YXIvd3d3L2h0bWwvaW5kZXgucGhwJTBEJTAxRE9DVU1FTlRfUk9PVC8lMDAlMDAlMDAlMDAlMDElMDQlMDAlMDElMDAlMDAlMDAlMDAlMDElMDUlMDAlMDElMDBMJTA0JTAwJTNDJTNGcGhwJTIwc3lzdGVtJTI4JTI3d2hvYW1pJTIwJTNFJTIwL3RtcC93aG9hbWkudHh0JTI3JTI5JTNCZGllJTI4JTI3LS0tLS1NYWRlLWJ5LVNweUQzci0tLS0tJTBBJTI3JTI5JTNCJTNGJTNFJTAwJTAwJTAwJTAw). And then copy/pasting the abse64 in this php code:
Then, you can grab the urlencoded payload and decode it and transform to base64, \[**using this recipe of cyberchef for example**\]\([http://icyberchef.com/\#recipe=URL\_Decode%28%29To\_Base64%28'A-Za-z0-9%2B/%3D'%29&input=JTAxJTAxJTAwJTAxJTAwJTA4JTAwJTAwJTAwJTAxJTAwJTAwJTAwJTAwJTAwJTAwJTAxJTA0JTAwJTAxJTAxJTA0JTA0JTAwJTBGJTEwU0VSVkVSX1NPRlRXQVJFZ28lMjAvJTIwZmNnaWNsaWVudCUyMCUwQiUwOVJFTU9URV9BRERSMTI3LjAuMC4xJTBGJTA4U0VSVkVSX1BST1RPQ09MSFRUUC8xLjElMEUlMDJDT05URU5UX0xFTkdUSDc2JTBFJTA0UkVRVUVTVF9NRVRIT0RQT1NUJTA5S1BIUF9WQUxVRWFsbG93X3VybF9pbmNsdWRlJTIwJTNEJTIwT24lMEFkaXNhYmxlX2Z1bmN0aW9ucyUyMCUzRCUyMCUwQWF1dG9fcHJlcGVuZF9maWxlJTIwJTNEJTIwcGhwJTNBLy9pbnB1dCUwRiUxN1NDUklQVF9GSUxFTkFNRS92YXIvd3d3L2h0bWwvaW5kZXgucGhwJTBEJTAxRE9DVU1FTlRfUk9PVC8lMDAlMDAlMDAlMDAlMDElMDQlMDAlMDElMDAlMDAlMDAlMDAlMDElMDUlMDAlMDElMDBMJTA0JTAwJTNDJTNGcGhwJTIwc3lzdGVtJTI4JTI3d2hvYW1pJTIwJTNFJTIwL3RtcC93aG9hbWkudHh0JTI3JTI5JTNCZGllJTI4JTI3LS0tLS1NYWRlLWJ5LVNweUQzci0tLS0tJTBBJTI3JTI5JTNCJTNGJTNFJTAwJTAwJTAwJTAw](http://icyberchef.com/#recipe=URL_Decode%28%29To_Base64%28'A-Za-z0-9%2B/%3D'%29&input=JTAxJTAxJTAwJTAxJTAwJTA4JTAwJTAwJTAwJTAxJTAwJTAwJTAwJTAwJTAwJTAwJTAxJTA0JTAwJTAxJTAxJTA0JTA0JTAwJTBGJTEwU0VSVkVSX1NPRlRXQVJFZ28lMjAvJTIwZmNnaWNsaWVudCUyMCUwQiUwOVJFTU9URV9BRERSMTI3LjAuMC4xJTBGJTA4U0VSVkVSX1BST1RPQ09MSFRUUC8xLjElMEUlMDJDT05URU5UX0xFTkdUSDc2JTBFJTA0UkVRVUVTVF9NRVRIT0RQT1NUJTA5S1BIUF9WQUxVRWFsbG93X3VybF9pbmNsdWRlJTIwJTNEJTIwT24lMEFkaXNhYmxlX2Z1bmN0aW9ucyUyMCUzRCUyMCUwQWF1dG9fcHJlcGVuZF9maWxlJTIwJTNEJTIwcGhwJTNBLy9pbnB1dCUwRiUxN1NDUklQVF9GSUxFTkFNRS92YXIvd3d3L2h0bWwvaW5kZXgucGhwJTBEJTAxRE9DVU1FTlRfUk9PVC8lMDAlMDAlMDAlMDAlMDElMDQlMDAlMDElMDAlMDAlMDAlMDAlMDElMDUlMDAlMDElMDBMJTA0JTAwJTNDJTNGcGhwJTIwc3lzdGVtJTI4JTI3d2hvYW1pJTIwJTNFJTIwL3RtcC93aG9hbWkudHh0JTI3JTI5JTNCZGllJTI4JTI3LS0tLS1NYWRlLWJ5LVNweUQzci0tLS0tJTBBJTI3JTI5JTNCJTNGJTNFJTAwJTAwJTAwJTAw)\). And then copy/pasting the abse64 in this php code:
```php
<?php
@ -51,7 +47,7 @@ Uploading and accessing this script the exploit is going to be sent to FastCGI \
### PHP exploit
{% hint style="danger" %}
I'm not sure if this is working in modern versions because I tried once and I couldn't execute anything. Actually I managed to see that `phpinfo()` from FastCGI execution indicated that `disable_functions` was empty, but PHP \(somehow\) was still preventing me from executing any previously disabled function. Please, if you have more information about this contact me via ****[**PEASS & HackTricks telegram group here**](https://t.me/peass), or twitter [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
I'm not sure if this is working in modern versions because I tried once and I couldn't execute anything. Actually I managed to see that `phpinfo()` from FastCGI execution indicated that `disable_functions` was empty, but PHP \(somehow\) was still preventing me from executing any previously disabled function. Please, if you have more information about this contact me via **\*\*\[**PEASS & HackTricks telegram group here**\]\(**[https://t.me/peass](https://t.me/peass)**\), or twitter \[**@carlospolopm**\]\(**[https://twitter.com/carlospolopm](https://twitter.com/carlospolopm)**\)**.\*\*
{% endhint %}
```php
@ -435,5 +431,3 @@ You will find that the exploit is very similar to the previous code, but instead
You can exploit this vulnerability with [**phuip-fpizdam**](https://github.com/neex/phuip-fpizdam) and test is using this docker environment: [https://github.com/vulhub/vulhub/tree/master/php/CVE-2019-11043](https://github.com/vulhub/vulhub/tree/master/php/CVE-2019-11043).
You can also find an analysis of the vulnerability [**here**](https://medium.com/@knownsec404team/php-fpm-remote-code-execution-vulnerability-cve-2019-11043-analysis-35fd605dd2dc)**.**