Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-21 20:23:18 +00:00
Code Issues Projects Releases Packages Wiki Activity

GitBook: [master] 5 pages and 8 assets modified

Browse source
This commit is contained in:
CPol 2021-01-18 14:15:45 +00:00 committed by gitbook-bot
parent 2410f95b66
commit 77d3e6535d
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
9 changed files with 10 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

0
.gitbook/assets/image (25) (2) (2) (2) (2) (2) (2) (1).png → .gitbook/assets/image (25) (2) (2) (2) (2) (2) (2) (2) (1).png
View file

Side by side Swipe Overlay

Before

Width:  |  Height:  |  Size: 93 KiB

After

Width:  |  Height:  |  Size: 93 KiB

0
.gitbook/assets/image (25) (2) (2) (2) (2) (2) (2).png → .gitbook/assets/image (25) (2) (2) (2) (2) (2) (2) (2) (2).png
View file

Side by side Swipe Overlay

Before

Width:  |  Height:  |  Size: 93 KiB

After

Width:  |  Height:  |  Size: 93 KiB

0
.gitbook/assets/image (345) (2) (2) (2) (2) (2) (2) (2) (1).png → .gitbook/assets/image (345) (2) (2) (2) (2) (2) (2) (2) (2) (1).png
View file

Side by side Swipe Overlay

Before

Width:  |  Height:  |  Size: 13 KiB

After

Width:  |  Height:  |  Size: 13 KiB

0
.gitbook/assets/image (345) (2) (2) (2) (2) (2) (2) (2).png → .gitbook/assets/image (345) (2) (2) (2) (2) (2) (2) (2) (2) (2).png
View file

Side by side Swipe Overlay

Before

Width:  |  Height:  |  Size: 13 KiB

After

Width:  |  Height:  |  Size: 13 KiB

2
1911-pentesting-fox.md
View file

@ -10,7 +10,7 @@ dht udp "DHT Nodes"
![](.gitbook/assets/image%20%28182%29.png)
![](.gitbook/assets/image%20%28345%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29.png)
![](.gitbook/assets/image%20%28345%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29.png)
InfluxDB

2
linux-unix/privilege-escalation/README.md
View file

@ -1083,7 +1083,7 @@ screen -ls
**Attach to a session**
```bash
screen -dr <session> #The -d is to detacche whoeevr is attached to it
screen -dr <session> #The -d is to detacche whoever is attached to it
screen -dr 3350.foo #In the example of the image
```

10
misc/basic-python/bypass-python-sandboxes.md
View file

@ -85,7 +85,7 @@ For example, let's compile and execute manually a function that reads _./poc.py_
#Locally
def read():
return open("./poc.py",'r').read()
read.__code__.co_code
't\x00\x00d\x01\x00d\x02\x00\x83\x02\x00j\x01\x00\x83\x00\x00S'
```
@ -121,7 +121,7 @@ f(42)
## Builtins
[Builtins functions of python2
[Builtins functions of python2
](https://docs.python.org/2/library/functions.html)[Builtins functions of python3](https://docs.python.org/3/library/functions.html)
If you can access to the**`__builtins__`** object you can import libraries \(notice that you could also use here other string representation showed in last section\):
@ -268,7 +268,7 @@ dis.dis(get_flag)
8 >> 40 LOAD_CONST 6 ('Nope')
43 RETURN_VALUE
44 LOAD_CONST 0 (None)
47 RETURN_VALUE
47 RETURN_VALUE
```
Notice that **if you cannot import `dis` in the python sandbox** you can obtain the **bytecode** of the function \(`get_flag.func_code.co_code`\) and **disassemble** it locally. You won't see the content of the variables being loaded \(`LOAD_CONST`\) but you can guess them from \(`get_flag.func_code.co_consts`\) because `LOAD_CONST`also tells the offset of the variable being loaded.
@ -292,7 +292,7 @@ dis.dis('d\x01\x00}\x01\x00d\x02\x00}\x02\x00d\x03\x00d\x04\x00g\x02\x00}\x03\x0
>> 40 LOAD_CONST 6 (6)
43 RETURN_VALUE
44 LOAD_CONST 0 (0)
47 RETURN_VALUE
47 RETURN_VALUE
```
## References
@ -301,7 +301,7 @@ dis.dis('d\x01\x00}\x01\x00d\x02\x00}\x02\x00d\x03\x00d\x04\x00g\x02\x00}\x03\x0
* [https://ctf-wiki.github.io/ctf-wiki/pwn/linux/sandbox/python-sandbox-escape/](https://ctf-wiki.github.io/ctf-wiki/pwn/linux/sandbox/python-sandbox-escape/)
* [https://blog.delroth.net/2013/03/escaping-a-python-sandbox-ndh-2013-quals-writeup/](https://blog.delroth.net/2013/03/escaping-a-python-sandbox-ndh-2013-quals-writeup/)
* [https://gynvael.coldwind.pl/n/python\_sandbox\_escape](https://gynvael.coldwind.pl/n/python_sandbox_escape)
* [https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html](https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html)
* [https://nedbatchelder.com/blog/201206/eval\_really\_is\_dangerous.html](https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html)
\*\*\*\*

2
pentesting-web/formula-injection.md
View file

@ -41,5 +41,5 @@ The good news is that **this payload is executed automatically when the file is
It's possible to execute a calculator with the following payload **`=cmd|' /C calc'!xxx`**
![](../.gitbook/assets/image%20%2825%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%281%29.png)
![](../.gitbook/assets/image%20%2825%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%281%29.png)

4
reset-password.md
View file

@ -1,4 +1,4 @@
# Reset/Forgotten Password Bypass
# Reset/Forgoten Password Bypass
## HTTP Headers
@ -7,7 +7,7 @@ Sometimes in order to reset a password you contact an api endpoint and **send th
![](.gitbook/assets/1_6qc-agcjyzwmf8rgnvr_eg.png)
The back-end may take the information present in the **Host header** and use it for the link where the token to reset the password is going to be sent.
For example, in this case if could send the reset password email to _something@gmail.com_ and set the token link to _https://bing.com/resetpasswd?token=12348rhfblrihvkurewfwu23_
For example, in this case if could send the reset password email to _something@gmail.com_ and set the token link to [https://bing.com/resetpasswd?token=12348rhfblrihvkurewfwu23](https://bing.com/resetpasswd?token=12348rhfblrihvkurewfwu23)
Example from [https://medium.com/@abhishake100/password-reset-poisoning-to-ato-and-otp-bypass-1a3b0eba5491](https://medium.com/@abhishake100/password-reset-poisoning-to-ato-and-otp-bypass-1a3b0eba5491)