From 60552d5b69bd3e74cd016f3b8e2a128bf0862b12 Mon Sep 17 00:00:00 2001
From: CPol
Date: Wed, 21 Aug 2024 09:06:14 +0000
Subject: [PATCH] GITBOOK-4386: No subject
---
 SUMMARY.md | 1 +
 .../pentesting-web/drupal/README.md | 17 ++++-----
 .../pentesting-web/joomla.md | 18 ++++++++++++------
 .../pentesting-web/prestashop.md | 36 +++++++++++++++++++
 .../pentesting-web/wordpress.md | 11 +++++-
 5 files changed, 68 insertions(+), 15 deletions(-)
 create mode 100644 network-services-pentesting/pentesting-web/prestashop.md
diff --git a/SUMMARY.md b/SUMMARY.md
index 11c0f5734..15aed9799 100644
--- a/SUMMARY.md
+++ b/SUMMARY.md
@@ -418,6 +418,7 @@
 * [disable\_functions bypass - PHP 4 >= 4.2.0, PHP 5 pcntl\_exec](network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable\_functions-open\_basedir-bypass/disable\_functions-bypass-php-4-greater-than-4.2.0-php-5-pcntl\_exec.md)
 * [PHP - RCE abusing object creation: new $\_GET\["a"\]($\_GET\["b"\])](network-services-pentesting/pentesting-web/php-tricks-esp/php-rce-abusing-object-creation-new-usd\_get-a-usd\_get-b.md)
 * [PHP SSRF](network-services-pentesting/pentesting-web/php-tricks-esp/php-ssrf.md)
+ * [PrestaShop](network-services-pentesting/pentesting-web/prestashop.md)
 * [Python](network-services-pentesting/pentesting-web/python.md)
 * [Rocket Chat](network-services-pentesting/pentesting-web/rocket-chat.md)
 * [Special HTTP headers](network-services-pentesting/pentesting-web/special-http-headers.md)
diff --git a/network-services-pentesting/pentesting-web/drupal/README.md b/network-services-pentesting/pentesting-web/drupal/README.md
index f669c6d91..a36a0b85c 100644
--- a/network-services-pentesting/pentesting-web/drupal/README.md
+++ b/network-services-pentesting/pentesting-web/drupal/README.md
@@ -1,8 +1,8 @@
 # Drupal
 {% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
+Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
+Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
@@ -112,10 +112,11 @@ If you have access to the Drupal web console check these options to get RCE:
 [drupal-rce.md](drupal-rce.md)
 {% endcontent-ref %}
-## Drupal From XSS to RCE
-Through this technique, it is possible to achieve **Remote Code Execution (RCE)** in Drupal via **Cross-Site Scripting (XSS)**. https://github.com/nowak0x01/Drupalwned
-

-**For more detailed steps check:** https://nowak0x01.github.io/papers/76bc0832a8f682a7e0ed921627f85d1d.html
+## From XSS to RCE
+
+* [**Drupalwned**](https://github.com/nowak0x01/Drupalwned): Drupal Exploitation Script that **elevate XSS to RCE or Others Critical Vulnerabilities.** For more info check [**this post**](https://nowak0x01.github.io/papers/76bc0832a8f682a7e0ed921627f85d1d.html). It provides **support for Drupal Versions 7.X.X, 8.X.X, 9.X.X and 10.X.X, and allows to:**
+ * _**Privilege Escalation:**_ Creates an administrative user in Drupal.
+ * _**(RCE) Upload Template:**_ Upload custom templates backdoored to Drupal.
 ## Post Exploitation
@@ -140,8 +141,8 @@ mysql -u drupaluser --password='2r9u8hu23t532erew' -e 'use drupal; select * from
 {% embed url="https://websec.nl/" %}
 {% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
+Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
+Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
diff --git a/network-services-pentesting/pentesting-web/joomla.md b/network-services-pentesting/pentesting-web/joomla.md
index beea030f6..8821d2a98 100644
--- a/network-services-pentesting/pentesting-web/joomla.md
+++ b/network-services-pentesting/pentesting-web/joomla.md
@@ -1,8 +1,8 @@
 # Joomla
 {% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
+Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
+Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
@@ -95,12 +95,11 @@ droopescan scan joomla --url http://joomla-site.local/
 In[ **80,443 - Pentesting Web Methodology is a section about CMS scanners**](./#cms-scanners) that can scan Joomla.
- ### API Unauthenticated Information Disclosure:
+ Versions From 4.0.0 to 4.2.7 are vulnerable to Unauthenticated information disclosure (CVE-2023-23752) that will dump creds and other information.
 * Users: `http:///api/v1/users?public=true`
- * Config File: `http:///api/index.php/v1/config/application?public=true`
 **MSF Module**: `scanner/http/joomla_api_improper_access_checks` or ruby script: [51334](https://www.exploit-db.com/exploits/51334)
@@ -126,9 +125,16 @@ If you managed to get **admin credentials** you can **RCE inside of it** by addi
 4. **Save & Close**
 5. `curl -s http://joomla-site.local/templates/protostar/error.php?cmd=id`
+## From XSS to RCE
+
+* [**JoomSploit**](https://github.com/nowak0x01/JoomSploit): Joomla Exploitation Script that **elevate XSS to RCE or Others Critical Vulnerabilities**. For more info check [**this post**](https://nowak0x01.github.io/papers/76bc0832a8f682a7e0ed921627f85d1d.html). It provides **support for Joomla Versions 5.X.X, 4.X.X, and 3.X.X, and allows to:**
+ * _**Privilege Escalation:**_ Creates an user in Joomla.
+ * _**(RCE) Built-In Templates Edit:**_ Edit a Built-In Templates in Joomla.
+ * _**(Custom) Custom Exploits:**_ Custom Exploits for Third-Party Joomla Plugins.
+
 {% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
+Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
+Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
diff --git a/network-services-pentesting/pentesting-web/prestashop.md b/network-services-pentesting/pentesting-web/prestashop.md
new file mode 100644
index 000000000..e3a1d216d
--- /dev/null
+++ b/network-services-pentesting/pentesting-web/prestashop.md
@@ -0,0 +1,36 @@
+# PrestaShop
+
+{% hint style="success" %}
+Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
+Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
+
+
+Support HackTricks
+
+* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
+* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+{% endhint %}
+
+## From XSS to RCE
+
+* [**PrestaXSRF**](https://github.com/nowak0x01/PrestaXSRF): PrestaShop Exploitation Script that elevate **XSS to RCE or Others Critical Vulnerabilities.** For more info check [**this post**](https://nowak0x01.github.io/papers/76bc0832a8f682a7e0ed921627f85d1d.html). It provides **provides support for PrestaShop Versions 8.X.X and 1.7.X.X, and allows to:**
+ * _**(RCE) PSUploadModule(); - Upload a custom Module:**_ Upload a Persistent Module (backdoor) to PrestaShop.
+
+{% hint style="success" %}
+Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
+Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
+
+
+Support HackTricks
+
+* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
+* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+{% endhint %}
diff --git a/network-services-pentesting/pentesting-web/wordpress.md b/network-services-pentesting/pentesting-web/wordpress.md
index 27ad5bb90..d7966aacc 100644
--- a/network-services-pentesting/pentesting-web/wordpress.md
+++ b/network-services-pentesting/pentesting-web/wordpress.md
@@ -386,7 +386,16 @@ This method involves the installation of a malicious plugin known to be vulnerab
 The content includes visual aids depicting the steps in the WordPress dashboard for installing and activating the plugin. However, it's important to note that exploiting vulnerabilities in this manner is illegal and unethical without proper authorization. This information should be used responsibly and only in a legal context, such as penetration testing with explicit permission.
-**For more detailed steps check:** [**https://www.hackingarticles.in/wordpress-reverse-shell/\*\***](https://www.hackingarticles.in/wordpress-reverse-shell/)
+**For more detailed steps check:** [**https://www.hackingarticles.in/wordpress-reverse-shell/**](https://www.hackingarticles.in/wordpress-reverse-shell/)
+
+## From XSS to RCE
+
+* [**WPXStrike**](https://github.com/nowak0x01/WPXStrike): _**WPXStrike**_ is a script designed to escalate a **Cross-Site Scripting (XSS)** vulnerability to **Remote Code Execution (RCE)** or other's criticals vulnerabilities in WordPress. For more info check [**this post**](https://nowak0x01.github.io/papers/76bc0832a8f682a7e0ed921627f85d1d.html). It provides **support for Wordpress Versions 6.X.X, 5.X.X and 4.X.X. and allows to:**
+ * _**Privilege Escalation:**_ Creates an user in WordPress.
+ * _**(RCE) Custom Plugin (backdoor) Upload:**_ Upload your custom plugin (backdoor) to WordPress.
+ * _**(RCE) Built-In Plugin Edit:**_ Edit a Built-In Plugins in WordPress.
+ * _**(RCE) Built-In Theme Edit:**_ Edit a Built-In Themes in WordPress.
+ * _**(Custom) Custom Exploits:**_ Custom Exploits for Third-Party WordPress Plugins/Themes.
 ## Post Exploitation