GitBook: [master] 5 pages and 8 assets modified

This commit is contained in:
CPol 2021-01-18 14:15:45 +00:00 committed by gitbook-bot
parent 2410f95b66
commit 77d3e6535d
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
9 changed files with 10 additions and 10 deletions

View file

Before

Width:  |  Height:  |  Size: 93 KiB

After

Width:  |  Height:  |  Size: 93 KiB

View file

Before

Width:  |  Height:  |  Size: 93 KiB

After

Width:  |  Height:  |  Size: 93 KiB

View file

Before

Width:  |  Height:  |  Size: 13 KiB

After

Width:  |  Height:  |  Size: 13 KiB

View file

Before

Width:  |  Height:  |  Size: 13 KiB

After

Width:  |  Height:  |  Size: 13 KiB

View file

@ -10,7 +10,7 @@ dht udp "DHT Nodes"
![](.gitbook/assets/image%20%28182%29.png) ![](.gitbook/assets/image%20%28182%29.png)
![](.gitbook/assets/image%20%28345%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29.png) ![](.gitbook/assets/image%20%28345%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29.png)
InfluxDB InfluxDB

View file

@ -1083,7 +1083,7 @@ screen -ls
**Attach to a session** **Attach to a session**
```bash ```bash
screen -dr <session> #The -d is to detacche whoeevr is attached to it screen -dr <session> #The -d is to detacche whoever is attached to it
screen -dr 3350.foo #In the example of the image screen -dr 3350.foo #In the example of the image
``` ```

View file

@ -85,7 +85,7 @@ For example, let's compile and execute manually a function that reads _./poc.py_
#Locally #Locally
def read(): def read():
return open("./poc.py",'r').read() return open("./poc.py",'r').read()
read.__code__.co_code read.__code__.co_code
't\x00\x00d\x01\x00d\x02\x00\x83\x02\x00j\x01\x00\x83\x00\x00S' 't\x00\x00d\x01\x00d\x02\x00\x83\x02\x00j\x01\x00\x83\x00\x00S'
``` ```
@ -121,7 +121,7 @@ f(42)
## Builtins ## Builtins
[Builtins functions of python2 [Builtins functions of python2
](https://docs.python.org/2/library/functions.html)[Builtins functions of python3](https://docs.python.org/3/library/functions.html) ](https://docs.python.org/2/library/functions.html)[Builtins functions of python3](https://docs.python.org/3/library/functions.html)
If you can access to the**`__builtins__`** object you can import libraries \(notice that you could also use here other string representation showed in last section\): If you can access to the**`__builtins__`** object you can import libraries \(notice that you could also use here other string representation showed in last section\):
@ -268,7 +268,7 @@ dis.dis(get_flag)
8 >> 40 LOAD_CONST 6 ('Nope') 8 >> 40 LOAD_CONST 6 ('Nope')
43 RETURN_VALUE 43 RETURN_VALUE
44 LOAD_CONST 0 (None) 44 LOAD_CONST 0 (None)
47 RETURN_VALUE 47 RETURN_VALUE
``` ```
Notice that **if you cannot import `dis` in the python sandbox** you can obtain the **bytecode** of the function \(`get_flag.func_code.co_code`\) and **disassemble** it locally. You won't see the content of the variables being loaded \(`LOAD_CONST`\) but you can guess them from \(`get_flag.func_code.co_consts`\) because `LOAD_CONST`also tells the offset of the variable being loaded. Notice that **if you cannot import `dis` in the python sandbox** you can obtain the **bytecode** of the function \(`get_flag.func_code.co_code`\) and **disassemble** it locally. You won't see the content of the variables being loaded \(`LOAD_CONST`\) but you can guess them from \(`get_flag.func_code.co_consts`\) because `LOAD_CONST`also tells the offset of the variable being loaded.
@ -292,7 +292,7 @@ dis.dis('d\x01\x00}\x01\x00d\x02\x00}\x02\x00d\x03\x00d\x04\x00g\x02\x00}\x03\x0
>> 40 LOAD_CONST 6 (6) >> 40 LOAD_CONST 6 (6)
43 RETURN_VALUE 43 RETURN_VALUE
44 LOAD_CONST 0 (0) 44 LOAD_CONST 0 (0)
47 RETURN_VALUE 47 RETURN_VALUE
``` ```
## References ## References
@ -301,7 +301,7 @@ dis.dis('d\x01\x00}\x01\x00d\x02\x00}\x02\x00d\x03\x00d\x04\x00g\x02\x00}\x03\x0
* [https://ctf-wiki.github.io/ctf-wiki/pwn/linux/sandbox/python-sandbox-escape/](https://ctf-wiki.github.io/ctf-wiki/pwn/linux/sandbox/python-sandbox-escape/) * [https://ctf-wiki.github.io/ctf-wiki/pwn/linux/sandbox/python-sandbox-escape/](https://ctf-wiki.github.io/ctf-wiki/pwn/linux/sandbox/python-sandbox-escape/)
* [https://blog.delroth.net/2013/03/escaping-a-python-sandbox-ndh-2013-quals-writeup/](https://blog.delroth.net/2013/03/escaping-a-python-sandbox-ndh-2013-quals-writeup/) * [https://blog.delroth.net/2013/03/escaping-a-python-sandbox-ndh-2013-quals-writeup/](https://blog.delroth.net/2013/03/escaping-a-python-sandbox-ndh-2013-quals-writeup/)
* [https://gynvael.coldwind.pl/n/python\_sandbox\_escape](https://gynvael.coldwind.pl/n/python_sandbox_escape) * [https://gynvael.coldwind.pl/n/python\_sandbox\_escape](https://gynvael.coldwind.pl/n/python_sandbox_escape)
* [https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html](https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html) * [https://nedbatchelder.com/blog/201206/eval\_really\_is\_dangerous.html](https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html)
\*\*\*\* \*\*\*\*

View file

@ -41,5 +41,5 @@ The good news is that **this payload is executed automatically when the file is
It's possible to execute a calculator with the following payload **`=cmd|' /C calc'!xxx`** It's possible to execute a calculator with the following payload **`=cmd|' /C calc'!xxx`**
![](../.gitbook/assets/image%20%2825%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%281%29.png) ![](../.gitbook/assets/image%20%2825%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%281%29.png)

View file

@ -1,4 +1,4 @@
# Reset/Forgotten Password Bypass # Reset/Forgoten Password Bypass
## HTTP Headers ## HTTP Headers
@ -7,7 +7,7 @@ Sometimes in order to reset a password you contact an api endpoint and **send th
![](.gitbook/assets/1_6qc-agcjyzwmf8rgnvr_eg.png) ![](.gitbook/assets/1_6qc-agcjyzwmf8rgnvr_eg.png)
The back-end may take the information present in the **Host header** and use it for the link where the token to reset the password is going to be sent. The back-end may take the information present in the **Host header** and use it for the link where the token to reset the password is going to be sent.
For example, in this case if could send the reset password email to _something@gmail.com_ and set the token link to _https://bing.com/resetpasswd?token=12348rhfblrihvkurewfwu23_ For example, in this case if could send the reset password email to _something@gmail.com_ and set the token link to [https://bing.com/resetpasswd?token=12348rhfblrihvkurewfwu23](https://bing.com/resetpasswd?token=12348rhfblrihvkurewfwu23)
Example from [https://medium.com/@abhishake100/password-reset-poisoning-to-ato-and-otp-bypass-1a3b0eba5491](https://medium.com/@abhishake100/password-reset-poisoning-to-ato-and-otp-bypass-1a3b0eba5491) Example from [https://medium.com/@abhishake100/password-reset-poisoning-to-ato-and-otp-bypass-1a3b0eba5491](https://medium.com/@abhishake100/password-reset-poisoning-to-ato-and-otp-bypass-1a3b0eba5491)