mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-24 21:53:54 +00:00
GITBOOK-4386: No subject
This commit is contained in:
parent
1c44281dc4
commit
60552d5b69
5 changed files with 68 additions and 15 deletions
|
@ -418,6 +418,7 @@
|
||||||
* [disable\_functions bypass - PHP 4 >= 4.2.0, PHP 5 pcntl\_exec](network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable\_functions-open\_basedir-bypass/disable\_functions-bypass-php-4-greater-than-4.2.0-php-5-pcntl\_exec.md)
|
* [disable\_functions bypass - PHP 4 >= 4.2.0, PHP 5 pcntl\_exec](network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable\_functions-open\_basedir-bypass/disable\_functions-bypass-php-4-greater-than-4.2.0-php-5-pcntl\_exec.md)
|
||||||
* [PHP - RCE abusing object creation: new $\_GET\["a"\]($\_GET\["b"\])](network-services-pentesting/pentesting-web/php-tricks-esp/php-rce-abusing-object-creation-new-usd\_get-a-usd\_get-b.md)
|
* [PHP - RCE abusing object creation: new $\_GET\["a"\]($\_GET\["b"\])](network-services-pentesting/pentesting-web/php-tricks-esp/php-rce-abusing-object-creation-new-usd\_get-a-usd\_get-b.md)
|
||||||
* [PHP SSRF](network-services-pentesting/pentesting-web/php-tricks-esp/php-ssrf.md)
|
* [PHP SSRF](network-services-pentesting/pentesting-web/php-tricks-esp/php-ssrf.md)
|
||||||
|
* [PrestaShop](network-services-pentesting/pentesting-web/prestashop.md)
|
||||||
* [Python](network-services-pentesting/pentesting-web/python.md)
|
* [Python](network-services-pentesting/pentesting-web/python.md)
|
||||||
* [Rocket Chat](network-services-pentesting/pentesting-web/rocket-chat.md)
|
* [Rocket Chat](network-services-pentesting/pentesting-web/rocket-chat.md)
|
||||||
* [Special HTTP headers](network-services-pentesting/pentesting-web/special-http-headers.md)
|
* [Special HTTP headers](network-services-pentesting/pentesting-web/special-http-headers.md)
|
||||||
|
|
|
@ -1,8 +1,8 @@
|
||||||
# Drupal
|
# Drupal
|
||||||
|
|
||||||
{% hint style="success" %}
|
{% hint style="success" %}
|
||||||
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||||
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
|
@ -112,10 +112,11 @@ If you have access to the Drupal web console check these options to get RCE:
|
||||||
[drupal-rce.md](drupal-rce.md)
|
[drupal-rce.md](drupal-rce.md)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
## Drupal From XSS to RCE
|
## From XSS to RCE
|
||||||
Through this technique, it is possible to achieve **Remote Code Execution (RCE)** in Drupal via **Cross-Site Scripting (XSS)**. https://github.com/nowak0x01/Drupalwned
|
|
||||||
<br><br>
|
* [**Drupalwned**](https://github.com/nowak0x01/Drupalwned): Drupal Exploitation Script that **elevate XSS to RCE or Others Critical Vulnerabilities.** For more info check [**this post**](https://nowak0x01.github.io/papers/76bc0832a8f682a7e0ed921627f85d1d.html). It provides **support for Drupal Versions 7.X.X, 8.X.X, 9.X.X and 10.X.X, and allows to:**
|
||||||
**For more detailed steps check:** https://nowak0x01.github.io/papers/76bc0832a8f682a7e0ed921627f85d1d.html
|
* _**Privilege Escalation:**_ Creates an administrative user in Drupal.
|
||||||
|
* _**(RCE) Upload Template:**_ Upload custom templates backdoored to Drupal.
|
||||||
|
|
||||||
## Post Exploitation
|
## Post Exploitation
|
||||||
|
|
||||||
|
@ -140,8 +141,8 @@ mysql -u drupaluser --password='2r9u8hu23t532erew' -e 'use drupal; select * from
|
||||||
{% embed url="https://websec.nl/" %}
|
{% embed url="https://websec.nl/" %}
|
||||||
|
|
||||||
{% hint style="success" %}
|
{% hint style="success" %}
|
||||||
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||||
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
|
|
|
@ -1,8 +1,8 @@
|
||||||
# Joomla
|
# Joomla
|
||||||
|
|
||||||
{% hint style="success" %}
|
{% hint style="success" %}
|
||||||
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||||
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
|
@ -95,12 +95,11 @@ droopescan scan joomla --url http://joomla-site.local/
|
||||||
|
|
||||||
In[ **80,443 - Pentesting Web Methodology is a section about CMS scanners**](./#cms-scanners) that can scan Joomla.
|
In[ **80,443 - Pentesting Web Methodology is a section about CMS scanners**](./#cms-scanners) that can scan Joomla.
|
||||||
|
|
||||||
|
|
||||||
### API Unauthenticated Information Disclosure:
|
### API Unauthenticated Information Disclosure:
|
||||||
|
|
||||||
Versions From 4.0.0 to 4.2.7 are vulnerable to Unauthenticated information disclosure (CVE-2023-23752) that will dump creds and other information.
|
Versions From 4.0.0 to 4.2.7 are vulnerable to Unauthenticated information disclosure (CVE-2023-23752) that will dump creds and other information.
|
||||||
|
|
||||||
* Users: `http://<host>/api/v1/users?public=true`
|
* Users: `http://<host>/api/v1/users?public=true`
|
||||||
|
|
||||||
* Config File: `http://<host>/api/index.php/v1/config/application?public=true`
|
* Config File: `http://<host>/api/index.php/v1/config/application?public=true`
|
||||||
|
|
||||||
**MSF Module**: `scanner/http/joomla_api_improper_access_checks` or ruby script: [51334](https://www.exploit-db.com/exploits/51334)
|
**MSF Module**: `scanner/http/joomla_api_improper_access_checks` or ruby script: [51334](https://www.exploit-db.com/exploits/51334)
|
||||||
|
@ -126,9 +125,16 @@ If you managed to get **admin credentials** you can **RCE inside of it** by addi
|
||||||
4. **Save & Close**
|
4. **Save & Close**
|
||||||
5. `curl -s http://joomla-site.local/templates/protostar/error.php?cmd=id`
|
5. `curl -s http://joomla-site.local/templates/protostar/error.php?cmd=id`
|
||||||
|
|
||||||
|
## From XSS to RCE
|
||||||
|
|
||||||
|
* [**JoomSploit**](https://github.com/nowak0x01/JoomSploit): Joomla Exploitation Script that **elevate XSS to RCE or Others Critical Vulnerabilities**. For more info check [**this post**](https://nowak0x01.github.io/papers/76bc0832a8f682a7e0ed921627f85d1d.html). It provides **support for Joomla Versions 5.X.X, 4.X.X, and 3.X.X, and allows to:**
|
||||||
|
* _**Privilege Escalation:**_ Creates an user in Joomla.
|
||||||
|
* _**(RCE) Built-In Templates Edit:**_ Edit a Built-In Templates in Joomla.
|
||||||
|
* _**(Custom) Custom Exploits:**_ Custom Exploits for Third-Party Joomla Plugins.
|
||||||
|
|
||||||
{% hint style="success" %}
|
{% hint style="success" %}
|
||||||
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||||
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
|
|
36
network-services-pentesting/pentesting-web/prestashop.md
Normal file
36
network-services-pentesting/pentesting-web/prestashop.md
Normal file
|
@ -0,0 +1,36 @@
|
||||||
|
# PrestaShop
|
||||||
|
|
||||||
|
{% hint style="success" %}
|
||||||
|
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||||
|
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary>Support HackTricks</summary>
|
||||||
|
|
||||||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||||||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||||
|
|
||||||
|
</details>
|
||||||
|
{% endhint %}
|
||||||
|
|
||||||
|
## From XSS to RCE
|
||||||
|
|
||||||
|
* [**PrestaXSRF**](https://github.com/nowak0x01/PrestaXSRF): PrestaShop Exploitation Script that elevate **XSS to RCE or Others Critical Vulnerabilities.** For more info check [**this post**](https://nowak0x01.github.io/papers/76bc0832a8f682a7e0ed921627f85d1d.html). It provides **provides support for PrestaShop Versions 8.X.X and 1.7.X.X, and allows to:**
|
||||||
|
* _**(RCE) PSUploadModule(); - Upload a custom Module:**_ Upload a Persistent Module (backdoor) to PrestaShop.
|
||||||
|
|
||||||
|
{% hint style="success" %}
|
||||||
|
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||||
|
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary>Support HackTricks</summary>
|
||||||
|
|
||||||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||||||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||||
|
|
||||||
|
</details>
|
||||||
|
{% endhint %}
|
|
@ -386,7 +386,16 @@ This method involves the installation of a malicious plugin known to be vulnerab
|
||||||
|
|
||||||
The content includes visual aids depicting the steps in the WordPress dashboard for installing and activating the plugin. However, it's important to note that exploiting vulnerabilities in this manner is illegal and unethical without proper authorization. This information should be used responsibly and only in a legal context, such as penetration testing with explicit permission.
|
The content includes visual aids depicting the steps in the WordPress dashboard for installing and activating the plugin. However, it's important to note that exploiting vulnerabilities in this manner is illegal and unethical without proper authorization. This information should be used responsibly and only in a legal context, such as penetration testing with explicit permission.
|
||||||
|
|
||||||
**For more detailed steps check:** [**https://www.hackingarticles.in/wordpress-reverse-shell/\*\***](https://www.hackingarticles.in/wordpress-reverse-shell/)
|
**For more detailed steps check:** [**https://www.hackingarticles.in/wordpress-reverse-shell/**](https://www.hackingarticles.in/wordpress-reverse-shell/)
|
||||||
|
|
||||||
|
## From XSS to RCE
|
||||||
|
|
||||||
|
* [**WPXStrike**](https://github.com/nowak0x01/WPXStrike): _**WPXStrike**_ is a script designed to escalate a **Cross-Site Scripting (XSS)** vulnerability to **Remote Code Execution (RCE)** or other's criticals vulnerabilities in WordPress. For more info check [**this post**](https://nowak0x01.github.io/papers/76bc0832a8f682a7e0ed921627f85d1d.html). It provides **support for Wordpress Versions 6.X.X, 5.X.X and 4.X.X. and allows to:**
|
||||||
|
* _**Privilege Escalation:**_ Creates an user in WordPress.
|
||||||
|
* _**(RCE) Custom Plugin (backdoor) Upload:**_ Upload your custom plugin (backdoor) to WordPress.
|
||||||
|
* _**(RCE) Built-In Plugin Edit:**_ Edit a Built-In Plugins in WordPress.
|
||||||
|
* _**(RCE) Built-In Theme Edit:**_ Edit a Built-In Themes in WordPress.
|
||||||
|
* _**(Custom) Custom Exploits:**_ Custom Exploits for Third-Party WordPress Plugins/Themes.
|
||||||
|
|
||||||
## Post Exploitation
|
## Post Exploitation
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue