From 38de54e8a1cee8a600cd637c6446e4335bef6ef8 Mon Sep 17 00:00:00 2001 From: CPol Date: Sun, 18 Aug 2024 15:52:20 +0000 Subject: [PATCH] GITBOOK-4380: No subject --- SUMMARY.md | 1 + .../pentesting-web/nextjs.md | 37 +++++++++++++++++++ pentesting-web/race-condition.md | 26 ++++++++----- 3 files changed, 54 insertions(+), 10 deletions(-) create mode 100644 network-services-pentesting/pentesting-web/nextjs.md diff --git a/SUMMARY.md b/SUMMARY.md index 87eee4342..b26e5d200 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -398,6 +398,7 @@ * [Laravel](network-services-pentesting/pentesting-web/laravel.md) * [Moodle](network-services-pentesting/pentesting-web/moodle.md) * [Nginx](network-services-pentesting/pentesting-web/nginx.md) + * [NextJS](network-services-pentesting/pentesting-web/nextjs.md) * [PHP Tricks](network-services-pentesting/pentesting-web/php-tricks-esp/README.md) * [PHP - Useful Functions & disable\_functions/open\_basedir bypass](network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable\_functions-open\_basedir-bypass/README.md) * [disable\_functions bypass - php-fpm/FastCGI](network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable\_functions-open\_basedir-bypass/disable\_functions-bypass-php-fpm-fastcgi.md) diff --git a/network-services-pentesting/pentesting-web/nextjs.md b/network-services-pentesting/pentesting-web/nextjs.md new file mode 100644 index 000000000..05a7d64cf --- /dev/null +++ b/network-services-pentesting/pentesting-web/nextjs.md @@ -0,0 +1,37 @@ +# NextJS + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + + + + + + + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-web/race-condition.md b/pentesting-web/race-condition.md index 59dc78249..4960675f3 100644 --- a/pentesting-web/race-condition.md +++ b/pentesting-web/race-condition.md @@ -3,14 +3,14 @@
\ -Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=race-condition) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ +Use [**Trickest**](https://trickest.com/?utm\_source=hacktricks\&utm\_medium=text\&utm\_campaign=ppc\&utm\_term=trickest\&utm\_content=race-condition) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ Get Access Today: {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=race-condition" %} {% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
@@ -223,9 +223,6 @@ while "objetivo" not in response.text: temp_data_bytes += bytes(d) h2_conn.send_bytes(temp_headers_bytes) - - - # wait some time sleep(0.1) @@ -249,7 +246,16 @@ while "objetivo" not in response.text: response = requests.get(url, verify=False) ``` -### Raw BF +### Improving Single Packet Attack + +In the original research it's explained that this attack has a limit of 1,500 bytes. However, in [**this post**](https://flatt.tech/research/posts/beyond-the-limit-expanding-single-packet-race-condition-with-first-sequence-sync/), it was explained how it's possible to extend the 1,500-byte limitation of the single packet attack to the **65,535 B window limitation of TCP by using IP layer fragmentation** (splitting a single packet into multiple IP packets) and sending them in different order, allowed to prevent reassembling the packet until all the fragments reached the server. This technique allowed the researcher to send 10,000 requests in about 166ms. + +Note that although this improvement makes the attack more reliable in RC that requiers hundreds/thousands of packets to arrive at the same time, it might also have some software limitations. Some popular HTTP servers like Apache, Nginx and Go have a strict `SETTINGS_MAX_CONCURRENT_STREAMS` setting to 100, 128 and 250. However, other like NodeJS and nghttp2 has it unlimited.\ +This basically mean that Apache will only consider 100 HTTP connections from a single TCP connection (limiting this RC attack). + +You can find some examples using this tehcnique in the repo [https://github.com/Ry0taK/first-sequence-sync/tree/main](https://github.com/Ry0taK/first-sequence-sync/tree/main). + +## Raw BF Before the previous research these were some payloads used which just tried to send the packets as fast as possible to cause a RC. @@ -410,8 +416,8 @@ In [**WS\_RaceCondition\_PoC**](https://github.com/redrays-io/WS\_RaceCondition\ * [https://portswigger.net/web-security/race-conditions](https://portswigger.net/web-security/race-conditions) {% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
@@ -427,7 +433,7 @@ Learn & practice GCP Hacking:
\ -Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=race-condition) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ +Use [**Trickest**](https://trickest.com/?utm\_source=hacktricks\&utm\_medium=text\&utm\_campaign=ppc\&utm\_term=trickest\&utm\_content=race-condition) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ Get Access Today: {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=race-condition" %}