pentest
php-findsock-shell
This tool is designed for those situations during a pentest where you have upload access to a webserver that’s running PHP, you want an interactive shell, but the Firewall is doing proper egress and ingress filtering – so bindshells and reverse shells won’t work. Upload php-findsock-shell to somewhere in the web root then run it […]
Owning Firefox on Windows
I just read Thor’s great write-up of the recent Firefox vulnerability. Well worth a read.
DB2 SQL Injection Cheat Sheet
Finding a SQL injection vulnerability in a web application backed by DB2 isn’t too common in my experience. When you do find one, though, it pays to be prepared…
Ingres SQL Injection Cheat Sheet
Ingres seems to be one of the less common database backends for web applications, so I thought it would be worth installing it and making some notes to make my next Ingres-based web app test a little easier.
Stealing Usernames and Passwords from SSHD
I just read a really cool blog post by Sebastian Krahmer. He discusses a post-exploitation technique to snoop on incoming SSH sessions – including the username and password used to authenticate.
Finding the NIS Domain Name from Bootparamd
NIS (Network Information Service) is not a particularly common protocol on modern internal networks. This is for good reason, really, considering its security weaknesses. Its presence is often a gift to penetration testers (and probably hackers too). This blog entry briefly documents one way that the all-important NIS Domain Name can be found remotely.
php-reverse-shell
This tool is designed for those situations during a pentest where you have upload access to a webserver that’s running PHP. Upload this script to somewhere in the web root then run it by accessing the appropriate URL in your browser. The script will open an outbound TCP connection from the webserver to a host […]
perl-reverse-shell
This tool is designed for those situations during a pentest where you have upload access to a webserver that’s running Perl. Upload this script to somewhere in the web root then run it by accessing the appropriate URL in your browser. The script will open an outbound TCP connection from the webserver to a host […]
The Perfect Web Backdoor
I’m sure most pentesters have had cause to use the likes of cmdasp.asp, or cobble together a simple PHP script based around “passthru” or “system”. There’s loads more functionality that would be useful in such backdoors, though. They could be made less dangerous by building in authentication, and more functional by building in database client […]
Breaking out of rbash using scp
I was recently challenged to break out of a restricted shell environment in which the only accessible command was scp.