Directory Traversal CVE 2018 Spring

This commit is contained in:
Swissky 2019-07-27 13:02:16 +02:00
parent 98124178db
commit 6baa446144
3 changed files with 9 additions and 3 deletions
Directory Traversal
Methodology and Resources
README.md

View File

@ -70,6 +70,8 @@ Sometimes you encounter a WAF which remove the "../" characters from the strings
\ = %255c \ = %255c
``` ```
**e.g:** Spring MVC Directory Traversal Vulnerability (CVE-2018-1271) with `http://localhost:8080/spring-mvc-showcase/resources/%255c%255c..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/windows/win.ini`
### UNC Bypass ### UNC Bypass
An attacker can inject a Windows UNC share ('\\UNC\share\name') into a software system to potentially redirect access to an unintended location or arbitrary file. An attacker can inject a Windows UNC share ('\\UNC\share\name') into a software system to potentially redirect access to an unintended location or arbitrary file.

View File

@ -628,6 +628,8 @@ domainA.local domainB.local TreeRoot Bidirectional
### Unconstrained delegation ### Unconstrained delegation
> The user sends a TGS to access the service, along with their TGT, and then the service can use the users TGT to request a TGS for the user to any other service and impersonate the user. - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
#### Find delegation #### Find delegation
Check the `TrustedForDelegation` property. Check the `TrustedForDelegation` property.
@ -678,6 +680,10 @@ Then you can use DCsync or another attack : `Mimikatz> lsadump::dcsync /user:HAC
### Resource-Based Constrained Delegation ### Resource-Based Constrained Delegation
Resource-based Constrained Delegation was introduced in Windows Server 2012.
> The user sends a TGS to access the service ("Service A"), and if the service is allowed to delegate to another pre-defined service ("Service B"), then Service A can present to the authentication service the TGS that the user provided and obtain a TGS for the user to Service B. https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
1. Import **Powermad** and **Powerview** 1. Import **Powermad** and **Powerview**
```powershell ```powershell

View File

@ -4,9 +4,7 @@ A list of useful payloads and bypasses for Web Application Security.
Feel free to improve with your payloads and techniques ! Feel free to improve with your payloads and techniques !
I :heart: pull requests :) I :heart: pull requests :)
You can also contribute with a :beers: IRL or with `buymeacoffee.com` You can also contribute with a :beers: IRL
[![Coffee](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://buymeacoff.ee/swissky)
Every section contains the following files, you can use the `_template_vuln` folder to create a new chapter: Every section contains the following files, you can use the `_template_vuln` folder to create a new chapter: