mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-24 21:53:54 +00:00
GITBOOK-4427: No subject
This commit is contained in:
parent
18c345f182
commit
6b9a5ce3bf
3 changed files with 24 additions and 5 deletions
|
@ -15,7 +15,7 @@ Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/grte.png" alt="
|
||||||
</details>
|
</details>
|
||||||
{% endhint %}
|
{% endhint %}
|
||||||
|
|
||||||
<figure><img src="/.gitbook/assets/pentest-tools.svg" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../../.gitbook/assets/pentest-tools.svg" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**Get a hacker's perspective on your web apps, network, and cloud**
|
**Get a hacker's perspective on your web apps, network, and cloud**
|
||||||
|
|
||||||
|
@ -23,8 +23,6 @@ Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/grte.png" alt="
|
||||||
|
|
||||||
{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
|
{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
These are some tricks to bypass python sandbox protections and execute arbitrary commands.
|
These are some tricks to bypass python sandbox protections and execute arbitrary commands.
|
||||||
|
|
||||||
## Command Execution Libraries
|
## Command Execution Libraries
|
||||||
|
@ -814,6 +812,10 @@ x = new_user.User(username='{i.find.__globals__[so].mapperlib.sys.modules[__main
|
||||||
str(x) # Out: clueless
|
str(x) # Out: clueless
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### LLM Jails bypass
|
||||||
|
|
||||||
|
From [here](https://www.cyberark.com/resources/threat-research-blog/anatomy-of-an-llm-rce): `().class.base.subclasses()[108].load_module('os').system('dir')`
|
||||||
|
|
||||||
### From format to RCE loading libraries
|
### From format to RCE loading libraries
|
||||||
|
|
||||||
According to the [**TypeMonkey chall from this writeup**](https://corgi.rip/posts/buckeye-writeups/) it's possible to load arbitrary libraries from disk abusing the format string vulnerability in python.
|
According to the [**TypeMonkey chall from this writeup**](https://corgi.rip/posts/buckeye-writeups/) it's possible to load arbitrary libraries from disk abusing the format string vulnerability in python.
|
||||||
|
@ -1171,7 +1173,7 @@ will be bypassed
|
||||||
* [https://nedbatchelder.com/blog/201206/eval\_really\_is\_dangerous.html](https://nedbatchelder.com/blog/201206/eval\_really\_is\_dangerous.html)
|
* [https://nedbatchelder.com/blog/201206/eval\_really\_is\_dangerous.html](https://nedbatchelder.com/blog/201206/eval\_really\_is\_dangerous.html)
|
||||||
* [https://infosecwriteups.com/how-assertions-can-get-you-hacked-da22c84fb8f6](https://infosecwriteups.com/how-assertions-can-get-you-hacked-da22c84fb8f6)
|
* [https://infosecwriteups.com/how-assertions-can-get-you-hacked-da22c84fb8f6](https://infosecwriteups.com/how-assertions-can-get-you-hacked-da22c84fb8f6)
|
||||||
|
|
||||||
<figure><img src="/.gitbook/assets/pentest-tools.svg" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../../.gitbook/assets/pentest-tools.svg" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**Get a hacker's perspective on your web apps, network, and cloud**
|
**Get a hacker's perspective on your web apps, network, and cloud**
|
||||||
|
|
||||||
|
|
|
@ -271,6 +271,12 @@ Access-Control-Allow-Origin: https://target.application}.arbitrary.com
|
||||||
Access-Control-Allow-Credentials: true
|
Access-Control-Allow-Credentials: true
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### **Other funny URL tricks**
|
||||||
|
|
||||||
|
{% content-ref url="ssrf-server-side-request-forgery/url-format-bypass.md" %}
|
||||||
|
[url-format-bypass.md](ssrf-server-side-request-forgery/url-format-bypass.md)
|
||||||
|
{% endcontent-ref %}
|
||||||
|
|
||||||
### **Server-side cache poisoning**
|
### **Server-side cache poisoning**
|
||||||
|
|
||||||
[**From this research**](https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties)
|
[**From this research**](https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties)
|
||||||
|
|
|
@ -61,6 +61,10 @@ http://0xc0a80014/ = http://192.168.0.20
|
||||||
0x7f.0x00.0x00.0x01
|
0x7f.0x00.0x00.0x01
|
||||||
0x0000007f.0x00000000.0x00000000.0x00000001
|
0x0000007f.0x00000000.0x00000000.0x00000001
|
||||||
|
|
||||||
|
# Mixed encodings bypass
|
||||||
|
169.254.43518 -> Partial Decimal (Class B) format combines the third and fourth parts of the IP address into a decimal number
|
||||||
|
0xA9.254.0251.0376 -> hexadecimal, decimal and octal
|
||||||
|
|
||||||
# Add 0s bypass
|
# Add 0s bypass
|
||||||
127.000000000000.1
|
127.000000000000.1
|
||||||
|
|
||||||
|
@ -174,7 +178,9 @@ The tool [**recollapse**](https://github.com/0xacb/recollapse) can generate vari
|
||||||
|
|
||||||
### Automatic Custom Wordlists
|
### Automatic Custom Wordlists
|
||||||
|
|
||||||
Check out the [**URL validation bypass cheat sheet** webapp](https://portswigger.net/web-security/ssrf/url-validation-bypass-cheat-sheet) from portswigger were you can introduce the allowed host and the attacekrs one and it'll generate a list of URLs to try for you. It also considers if you can use the URL in a parameter, in a Host header or in a CORS header.
|
Check out the [**URL validation bypass cheat sheet** webapp](https://portswigger.net/web-security/ssrf/url-validation-bypass-cheat-sheet) from portswigger were you can introduce the allowed host and the attackers one and it'll generate a list of URLs to try for you. It also considers if you can use the URL in a parameter, in a Host header or in a CORS header.
|
||||||
|
|
||||||
|
{% embed url="https://portswigger.net/web-security/ssrf/url-validation-bypass-cheat-sheet" %}
|
||||||
|
|
||||||
### Bypass via redirect
|
### Bypass via redirect
|
||||||
|
|
||||||
|
@ -211,6 +217,10 @@ The _backslash-trick_ exploits a difference between the [WHATWG URL Standard](ht
|
||||||
|
|
||||||
![https://bugs.xdavidhu.me/assets/posts/2021-12-30-fixing-the-unfixable-story-of-a-google-cloud-ssrf/spec\_difference.jpg](https://bugs.xdavidhu.me/assets/posts/2021-12-30-fixing-the-unfixable-story-of-a-google-cloud-ssrf/spec\_difference.jpg)
|
![https://bugs.xdavidhu.me/assets/posts/2021-12-30-fixing-the-unfixable-story-of-a-google-cloud-ssrf/spec\_difference.jpg](https://bugs.xdavidhu.me/assets/posts/2021-12-30-fixing-the-unfixable-story-of-a-google-cloud-ssrf/spec\_difference.jpg)
|
||||||
|
|
||||||
|
### Left square bracket
|
||||||
|
|
||||||
|
The “left square bracket” character `[` in the userinfo segment can cause Spring’s UriComponentsBuilder to return a hostname value that differs from browsers: [https://example.com\[@attacker.com](https://portswigger.net/url-cheat-sheet#id=1da2f627d702248b9e61cc23912d2c729e52f878)
|
||||||
|
|
||||||
### Other Confusions
|
### Other Confusions
|
||||||
|
|
||||||
![https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/](<../../.gitbook/assets/image (600).png>)
|
![https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/](<../../.gitbook/assets/image (600).png>)
|
||||||
|
@ -221,6 +231,7 @@ image from [https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-
|
||||||
|
|
||||||
* [https://as745591.medium.com/albussec-penetration-list-08-server-side-request-forgery-ssrf-sample-90267f095d25](https://as745591.medium.com/albussec-penetration-list-08-server-side-request-forgery-ssrf-sample-90267f095d25)
|
* [https://as745591.medium.com/albussec-penetration-list-08-server-side-request-forgery-ssrf-sample-90267f095d25](https://as745591.medium.com/albussec-penetration-list-08-server-side-request-forgery-ssrf-sample-90267f095d25)
|
||||||
* [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/README.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/README.md)
|
* [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/README.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/README.md)
|
||||||
|
* [https://portswigger.net/research/new-crazy-payloads-in-the-url-validation-bypass-cheat-sheet](https://portswigger.net/research/new-crazy-payloads-in-the-url-validation-bypass-cheat-sheet)
|
||||||
|
|
||||||
{% hint style="success" %}
|
{% hint style="success" %}
|
||||||
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
|
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||||
|
|
Loading…
Reference in a new issue