From 6baa44614459cd136db8b3610fd61b8441bc108e Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sat, 27 Jul 2019 13:02:16 +0200 Subject: [PATCH] Directory Traversal CVE 2018 Spring --- Directory Traversal/README.md | 2 ++ Methodology and Resources/Active Directory Attack.md | 6 ++++++ README.md | 4 +--- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/Directory Traversal/README.md b/Directory Traversal/README.md index 0a0941c..cedc13c 100644 --- a/Directory Traversal/README.md +++ b/Directory Traversal/README.md @@ -70,6 +70,8 @@ Sometimes you encounter a WAF which remove the "../" characters from the strings \ = %255c ``` +**e.g:** Spring MVC Directory Traversal Vulnerability (CVE-2018-1271) with `http://localhost:8080/spring-mvc-showcase/resources/%255c%255c..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/windows/win.ini` + ### UNC Bypass An attacker can inject a Windows UNC share ('\\UNC\share\name') into a software system to potentially redirect access to an unintended location or arbitrary file. diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index bbef792..56f32db 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -628,6 +628,8 @@ domainA.local domainB.local TreeRoot Bidirectional ### Unconstrained delegation +> The user sends a TGS to access the service, along with their TGT, and then the service can use the user’s TGT to request a TGS for the user to any other service and impersonate the user. - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html + #### Find delegation Check the `TrustedForDelegation` property. 
@@ -678,6 +680,10 @@ Then you can use DCsync or another attack : `Mimikatz> lsadump::dcsync /user:HAC ### Resource-Based Constrained Delegation +Resource-based Constrained Delegation was introduced in Windows Server 2012. + +> The user sends a TGS to access the service ("Service A"), and if the service is allowed to delegate to another pre-defined service ("Service B"), then Service A can present to the authentication service the TGS that the user provided and obtain a TGS for the user to Service B. https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html + 1. Import **Powermad** and **Powerview** ```powershell diff --git a/README.md b/README.md index 5b27360..3279666 100644 --- a/README.md +++ b/README.md @@ -4,9 +4,7 @@ A list of useful payloads and bypasses for Web Application Security. Feel free to improve with your payloads and techniques ! I :heart: pull requests :) -You can also contribute with a :beers: IRL or with `buymeacoffee.com` - -[![Coffee](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://buymeacoff.ee/swissky) +You can also contribute with a :beers: IRL Every section contains the following files, you can use the `_template_vuln` folder to create a new chapter:
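Review bot: the new `**e.g:**` line in `Directory Traversal/README.md` names CVE-2018-1271 and gives a payload URL but no reference and no precondition, so a reader cannot tell when the bypass applies or check their own exposure; add a link to the vendor advisory with the affected and fixed versions, say that the example is Windows-specific (it reads `windows/win.ini`), and move the long URL into its own fenced code block, as the file already does for payloads (see the `\ = %255c` context just above), instead of an inline backtick span. Also `**e.g:**` should read `**e.g.:**`.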
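Review bot: in the Unconstrained delegation hunk of `Active Directory Attack.md`, the source ` - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html` is appended inside the `>` quote line, so it renders as part of the quoted text rather than as a citation; put the attribution on its own line outside the blockquote (or as a markdown link), which also makes clear that the definition is Shenanigans Labs' wording and not the guide's own.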
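Review bot: in the Resource-Based Constrained Delegation hunk, the URL `https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html` runs straight on after `Service B.` with no separator, unlike the ` - ` used for the same source in the hunk above; use one attribution style for both quotes. The new sentence also writes `Resource-based` while the heading directly above it writes `Resource-Based`; match the heading. The statement that it was introduced in Windows Server 2012 would benefit from a reference, since the rest of the section cites its sources.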
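Review bot: the `README.md` hunk removes the `buymeacoffee.com` sentence and the badge image, which is unrelated to the subject `Directory Traversal CVE 2018 Spring` and to the Active Directory additions; split it into its own commit, or name it in the subject, so the history stays reviewable.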