Notes on penetration testing journeys
On most Linux systems we can use tree to dump the directory structure, but if for some reason the tree command isn't available, the following one-liner does the job (the perl part counts the slashes in each path so that sort -n orders directories by depth; cut then drops that count, keeping the whole path even when it contains spaces):
find / -type d | perl -lne 'print tr:/::, " $_"' | sort -n | cut -d' ' -f2-
After accessing a system, one of the first things to do is to find executables with the SUID (4000) or SGID (2000) bit set. Use the following command:
find / \( -perm -4000 -o -perm -2000 \) -type f -exec ls -la {} \;
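The same find expression is also useful from the other side of the fence: as an added example (not part of the original notes), a small POSIX sh script that saves the list of SUID/SGID files as a baseline and reports what appeared or disappeared since. The function names and the baseline-file argument are my own assumptions.

```shell
#!/bin/sh
# Added audit helper (not from the original notes): list SUID/SGID files under a
# directory and diff that list against a saved baseline, so a privileged binary
# that appeared since the last scan stands out. Function names are assumptions.

# Every regular file below $1 with the SUID or SGID bit set, one path per line,
# sorted in a fixed locale so two scans can be compared with comm(1).
# -xdev keeps find on one filesystem; permission errors are discarded.
list_privileged() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null \
        | LC_ALL=C sort
}

# Paths with SUID/SGID set under $1 that are not listed in baseline file $2.
# Empty output means nothing new; comm -13 keeps lines only in the second input.
new_privileged() {
    list_privileged "$1" | LC_ALL=C comm -13 "$2" -
}

# Baseline entries that no longer carry the bit (or were removed entirely).
gone_privileged() {
    list_privileged "$1" | LC_ALL=C comm -23 "$2" -
}

# Usage: ./suid_audit.sh <root> <baseline-file>
# First run writes the baseline; later runs report additions and removals
# relative to that file (re-create the file after an intended change).
if [ "$#" -eq 2 ]; then
    if [ ! -f "$2" ]; then
        list_privileged "$1" > "$2"
        echo "baseline written to $2"
    else
        echo "new:";  new_privileged "$1" "$2"
        echo "gone:"; gone_privileged "$1" "$2"
    fi
fi
```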
The following PHP generator yields the permutations of a given array, taken $r elements at a time (the same order as Python's itertools.permutations). This is useful when automatically testing login-form bypasses, using the strings you can find in this post.
<?php
// Yield every r-length ordered arrangement of $pool, lexicographically by
// index. With $r omitted, full-length permutations are produced.
function permutations($pool, $r = null) {
    $n = count($pool);
    if ($r === null) $r = $n;
    if ($r > $n) return;
    $indices = range(0, $n - 1);
    $cycles = range($n, $n - $r + 1, -1);
    yield array_slice($pool, 0, $r);
    if ($n <= 0) return;
    while (true) {
        $exit_early = false;
        for ($i = $r - 1; $i >= 0; $i--) {
            $cycles[$i] -= 1;
            if ($cycles[$i] == 0) {
                // Rotate indices[i] to the end and reset this position's cycle.
                if ($i < count($indices)) {
                    $removed = array_splice($indices, $i, 1);
                    array_push($indices, $removed[0]);
                }
                $cycles[$i] = $n - $i;
            } else {
                // Swap indices[i] with the j-th entry from the end and emit.
                $j = $cycles[$i];
                $i_val = $indices[$i];
                $neg_j_val = $indices[count($indices) - $j];
                $indices[$i] = $neg_j_val;
                $indices[count($indices) - $j] = $i_val;
                $result = [];
                $counter = 0;
                foreach ($indices as $indx) {
                    array_push($result, $pool[$indx]);
                    $counter++;
                    if ($counter == $r) break;
                }
                yield $result;
                $exit_early = true;
                break;
            }
        }
        if (!$exit_early) break;
    }
}

// Pairs (r = 2) drawn from five strings: 5 * 4 = 20 results.
$result = iterator_to_array(permutations(array("a", "b", "c", "d", "e"), 2));
foreach ($result as $row) print implode(" || ", $row) . PHP_EOL;
echo count($result);
?>
The above code will output the following:
a || b
a || c
a || d
a || e
b || a
b || c
b || d
b || e
c || a
c || b
c || d
c || e
d || a
d || b
d || c
d || e
e || a
e || b
e || c
e || d
20
To upload a file to a server using PHP and cURL you can use the following script. If you need to make a simple POST request, without sending any file, check out my article: “POST request with cURL”.
<?php
// POST $curl_data (here a multipart form with a file field) to $url and return
// curl_getinfo()'s array extended with the response body and any error.
function postRequest($url, $curl_data) {
    $options = array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HEADER => false,
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_ENCODING => "",
        CURLOPT_USERAGENT => "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/1.0.154.53 Safari/525.19",
        CURLOPT_AUTOREFERER => true,
        CURLOPT_CONNECTTIMEOUT => 9,
        CURLOPT_TIMEOUT => 29,
        CURLOPT_MAXREDIRS => 3,
        CURLOPT_POST => 1,
        CURLOPT_POSTFIELDS => $curl_data,
        // These two options disable TLS certificate validation, so the peer is
        // not authenticated; remove them when the target has a valid certificate.
        CURLOPT_SSL_VERIFYHOST => 0,
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_VERBOSE => 1,
        CURLOPT_COOKIE => "",
        CURLOPT_PROXY => null
    );
    $ch = curl_init($url);
    curl_setopt_array($ch, $options);
    $content = curl_exec($ch);
    $err = curl_errno($ch);
    $errmsg = curl_error($ch);
    $header = curl_getinfo($ch);
    curl_close($ch);
    $header['errno'] = $err;
    $header['errmsg'] = $errmsg;
    $header['content'] = $content;
    return $header;
}

$file_name_with_full_path = realpath("file_to_upload");
if ($file_name_with_full_path === false) {
    exit("file_to_upload not found" . PHP_EOL);
}
if (function_exists('curl_file_create')) { // PHP 5.5+
    $cFile = curl_file_create($file_name_with_full_path);
} else { // legacy "@/path" syntax, removed in PHP 7
    $cFile = '@' . $file_name_with_full_path;
}
$postData = array("file" => $cFile);
echo print_r(postRequest("http://targeturl.com", $postData), true);
?>
I'm using the following simple PHP script to make POST requests. If you need to upload a file instead, check my article: "upload a file with cURL".
<?php
// POST a URL-encoded body to $url and return curl_getinfo()'s array extended
// with the response body and any error.
function postRequest($url, $curl_data) {
    $options = array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HEADER => false,
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_ENCODING => "",
        CURLOPT_USERAGENT => "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/1.0.154.53 Safari/525.19",
        CURLOPT_AUTOREFERER => true,
        CURLOPT_CONNECTTIMEOUT => 9,
        CURLOPT_TIMEOUT => 15,
        CURLOPT_MAXREDIRS => 3,
        CURLOPT_POST => 1,
        CURLOPT_POSTFIELDS => $curl_data,
        // These two options disable TLS certificate validation, so the peer is
        // not authenticated; remove them when the target has a valid certificate.
        CURLOPT_SSL_VERIFYHOST => 0,
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_VERBOSE => 1,
        // if using a proxy, use the syntax "proxyuser:proxypass@proxyurl:proxyport"
        CURLOPT_PROXY => null
    );
    $ch = curl_init($url);
    curl_setopt_array($ch, $options);
    $content = curl_exec($ch);
    $err = curl_errno($ch);
    $errmsg = curl_error($ch);
    $header = curl_getinfo($ch);
    curl_close($ch);
    $header['errno'] = $err;
    $header['errmsg'] = $errmsg;
    $header['content'] = $content;
    return $header;
}

echo print_r(postRequest("http://targeturl.com", "fieldA=valueA&fieldB=valueB"), true);
?>