Directory Traversal CVE 2018 Spring
parent
98124178db
commit
6baa446144
|
@ -70,6 +70,8 @@ Sometimes you encounter a WAF which remove the "../" characters from the strings
|
|||
\ = %255c
|
||||
```
|
||||
|
||||
**e.g:** Spring MVC Directory Traversal Vulnerability (CVE-2018-1271) with `http://localhost:8080/spring-mvc-showcase/resources/%255c%255c..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/windows/win.ini`
|
||||
|
||||
### UNC Bypass
|
||||
|
||||
An attacker can inject a Windows UNC share ('\\UNC\share\name') into a software system to potentially redirect access to an unintended location or arbitrary file.
|
||||
|
|
|
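Review bot: the `**e.g:**` line names CVE-2018-1271 but gives no affected Spring versions and no precondition, even though the path ends in `windows/win.ini` and relies on the `%255c` backslash encoding, so it only applies to a Windows host. Suggest adding one sentence with the affected and fixed versions and a link to the vendor advisory, so a reader can tell whether a deployment is exposed and what to upgrade to. The long URL would also be easier to read in its own fenced block than inline after the label.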
@ -628,6 +628,8 @@ domainA.local domainB.local TreeRoot Bidirectional
|
|||
|
||||
### Unconstrained delegation
|
||||
|
||||
> The user sends a TGS to access the service, along with their TGT, and then the service can use the user’s TGT to request a TGS for the user to any other service and impersonate the user. - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
|
||||
|
||||
#### Find delegation
|
||||
|
||||
Check the `TrustedForDelegation` property.
|
||||
|
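Review bot: the source URL in the quote under "### Unconstrained delegation" sits inside the blockquote after " - ", so it renders as part of the quoted sentence. Put the attribution on its own line as a markdown link, and use the same form for the other quote from this article, where the URL follows the text with no separator at all. These Active Directory edits are also unrelated to the directory traversal example named in the commit title and would be easier to review as a separate commit.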
@ -678,6 +680,10 @@ Then you can use DCsync or another attack : `Mimikatz> lsadump::dcsync /user:HAC
|
|||
|
||||
### Resource-Based Constrained Delegation
|
||||
|
||||
Resource-based Constrained Delegation was introduced in Windows Server 2012.
|
||||
|
||||
> The user sends a TGS to access the service ("Service A"), and if the service is allowed to delegate to another pre-defined service ("Service B"), then Service A can present to the authentication service the TGS that the user provided and obtain a TGS for the user to Service B. https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
|
||||
|
||||
1. Import **Powermad** and **Powerview**
|
||||
|
||||
```powershell
|
||||
|
|
|
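Review bot: the quote placed under "### Resource-Based Constrained Delegation" says Service A "is allowed to delegate to another pre-defined service" but never says where that permission is configured, which is the point that separates the resource-based variant from plain constrained delegation; as written it reads as a description of the latter. Either move the quote to a constrained delegation section or add a sentence stating that here the trust is set on the target resource (Service B). Minor: the new sentence writes "Resource-based" while the heading uses "Resource-Based"; pick one.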
@ -4,9 +4,7 @@ A list of useful payloads and bypasses for Web Application Security.
|
|||
Feel free to improve with your payloads and techniques !
|
||||
I :heart: pull requests :)
|
||||
|
||||
You can also contribute with a :beers: IRL or with `buymeacoffee.com`
|
||||
|
||||
[![Coffee](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://buymeacoff.ee/swissky)
|
||||
You can also contribute with a :beers: IRL
|
||||
|
||||
Every section contains the following files, you can use the `_template_vuln` folder to create a new chapter:
|
||||
|
||||
|
|
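Review bot: the README edit to the contribution line (the `buymeacoffee.com` sentence and badge versus the shorter `:beers: IRL` sentence) has nothing to do with the directory traversal example named in the commit title. Split it into its own commit with a message that describes it, so the history for the README and for the payload pages stays searchable.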