GitBook: [master] 5 pages and 8 assets modified
Before Width: | Height: | Size: 93 KiB After Width: | Height: | Size: 93 KiB |
Before Width: | Height: | Size: 93 KiB After Width: | Height: | Size: 93 KiB |
Before Width: | Height: | Size: 13 KiB After Width: | Height: | Size: 13 KiB |
Before Width: | Height: | Size: 13 KiB After Width: | Height: | Size: 13 KiB |
|
@ -10,7 +10,7 @@ dht udp "DHT Nodes"
|
||||||
|
|
||||||
![](.gitbook/assets/image%20%28182%29.png)
|
![](.gitbook/assets/image%20%28182%29.png)
|
||||||
|
|
||||||
![](.gitbook/assets/image%20%28345%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29.png)
|
![](.gitbook/assets/image%20%28345%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29.png)
|
||||||
|
|
||||||
InfluxDB
|
InfluxDB
|
||||||
|
|
||||||
|
|
|
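Review bot: the only change in this hunk is the `image (345)` asset path gaining one more ` (2)` suffix (it now carries nine of them), while the `image (182)` reference and the InfluxDB line are unchanged. Each GitBook sync appears to re-upload the same picture under a longer name, which bloats `.gitbook/assets` and makes the links fragile; reference one stable filename such as `image (345).png` and delete the duplicates instead of bumping the suffix on every commit.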
@ -1083,7 +1083,7 @@ screen -ls
|
||||||
**Attach to a session**
|
**Attach to a session**
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
screen -dr <session> #The -d is to detacche whoeevr is attached to it
|
screen -dr <session> #The -d is to detacche whoever is attached to it
|
||||||
screen -dr 3350.foo #In the example of the image
|
screen -dr 3350.foo #In the example of the image
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
|
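Review bot: the right-hand side fixes `whoeevr` but leaves `detacche` in the same comment; make it `#The -d is to detach whoever is attached to it`. The flags themselves are right: with `screen -dr <session>`, `-d` detaches the session from wherever it is currently attached and `-r` reattaches it here, which is why it works on a session that another terminal still holds.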
@ -85,7 +85,7 @@ For example, let's compile and execute manually a function that reads _./poc.py_
|
||||||
#Locally
|
#Locally
|
||||||
def read():
|
def read():
|
||||||
return open("./poc.py",'r').read()
|
return open("./poc.py",'r').read()
|
||||||
|
|
||||||
read.__code__.co_code
|
read.__code__.co_code
|
||||||
't\x00\x00d\x01\x00d\x02\x00\x83\x02\x00j\x01\x00\x83\x00\x00S'
|
't\x00\x00d\x01\x00d\x02\x00\x83\x02\x00j\x01\x00\x83\x00\x00S'
|
||||||
```
|
```
|
||||||
|
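Review bot: the old and new sides of this hunk are identical, so the change is whitespace-only and could be dropped from the commit. While here, the `co_code` value shown (`'t\x00\x00d\x01\x00...S'`, a `str` made of three-byte instructions) is Python 2 bytecode; under Python 3.6+ `co_code` is a `bytes` object of two-byte wordcode and a reader who follows along will get a different value, so the text should say which interpreter produced it.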
@ -121,7 +121,7 @@ f(42)
|
||||||
|
|
||||||
## Builtins
|
## Builtins
|
||||||
|
|
||||||
[Builtins functions of python2
|
[Builtins functions of python2
|
||||||
](https://docs.python.org/2/library/functions.html)[Builtins functions of python3](https://docs.python.org/3/library/functions.html)
|
](https://docs.python.org/2/library/functions.html)[Builtins functions of python3](https://docs.python.org/3/library/functions.html)
|
||||||
|
|
||||||
If you can access to the**`__builtins__`** object you can import libraries \(notice that you could also use here other string representation showed in last section\):
|
If you can access to the**`__builtins__`** object you can import libraries \(notice that you could also use here other string representation showed in last section\):
|
||||||
|
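Review bot: no textual change on either side here, but the first reference link is broken: `[Builtins functions of python2` closes on the following line with `](https://docs.python.org/2/library/functions.html)`, and a line break between `]` and `(` is not guaranteed to render as a link. Put `[Builtins functions of python2](https://docs.python.org/2/library/functions.html)` on one line. The sentence below also needs the missing space in `the**`__builtins__`**` and should read "If you can access the **`__builtins__`** object you can import libraries (notice that you could also use here the other string representations shown in the last section)".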
@ -268,7 +268,7 @@ dis.dis(get_flag)
|
||||||
8 >> 40 LOAD_CONST 6 ('Nope')
|
8 >> 40 LOAD_CONST 6 ('Nope')
|
||||||
43 RETURN_VALUE
|
43 RETURN_VALUE
|
||||||
44 LOAD_CONST 0 (None)
|
44 LOAD_CONST 0 (None)
|
||||||
47 RETURN_VALUE
|
47 RETURN_VALUE
|
||||||
```
|
```
|
||||||
|
|
||||||
Notice that **if you cannot import `dis` in the python sandbox** you can obtain the **bytecode** of the function \(`get_flag.func_code.co_code`\) and **disassemble** it locally. You won't see the content of the variables being loaded \(`LOAD_CONST`\) but you can guess them from \(`get_flag.func_code.co_consts`\) because `LOAD_CONST`also tells the offset of the variable being loaded.
|
Notice that **if you cannot import `dis` in the python sandbox** you can obtain the **bytecode** of the function \(`get_flag.func_code.co_code`\) and **disassemble** it locally. You won't see the content of the variables being loaded \(`LOAD_CONST`\) but you can guess them from \(`get_flag.func_code.co_consts`\) because `LOAD_CONST`also tells the offset of the variable being loaded.
|
||||||
|
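Review bot: both sides are identical, and the prose under the listing has two accuracy issues worth fixing in the same commit. The operand of `LOAD_CONST` is an index into `co_consts`, not an offset (the `6` in `LOAD_CONST 6 ('Nope')` means `co_consts[6]`), so "tells the offset of the variable being loaded" should read "gives the index into `co_consts` of the constant being loaded". And `get_flag.func_code` is the Python 2 attribute name; the earlier part of the page uses `read.__code__`, which is the Python 3 name and also works on 2.6+, so use `__code__` consistently or state the version once.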
@ -292,7 +292,7 @@ dis.dis('d\x01\x00}\x01\x00d\x02\x00}\x02\x00d\x03\x00d\x04\x00g\x02\x00}\x03\x0
|
||||||
>> 40 LOAD_CONST 6 (6)
|
>> 40 LOAD_CONST 6 (6)
|
||||||
43 RETURN_VALUE
|
43 RETURN_VALUE
|
||||||
44 LOAD_CONST 0 (0)
|
44 LOAD_CONST 0 (0)
|
||||||
47 RETURN_VALUE
|
47 RETURN_VALUE
|
||||||
```
|
```
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
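Review bot: identical on both sides. The listing is correct but confusing without a caption: when `dis.dis` is given a raw bytecode string there is no `co_consts` to consult, so `LOAD_CONST 6 (6)` and `LOAD_CONST 0 (0)` print the index twice rather than the constant's value, which is exactly why the previous section tells the reader to look the values up in `co_consts` themselves; one sentence saying so would prevent readers from thinking the constant is `6`. Also note that passing a `str` to `dis.dis` disassembles raw bytecode only in Python 2; in Python 3 a `str` argument is compiled as source code, and raw bytecode has to be passed as `bytes`.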
@ -301,7 +301,7 @@ dis.dis('d\x01\x00}\x01\x00d\x02\x00}\x02\x00d\x03\x00d\x04\x00g\x02\x00}\x03\x0
|
||||||
* [https://ctf-wiki.github.io/ctf-wiki/pwn/linux/sandbox/python-sandbox-escape/](https://ctf-wiki.github.io/ctf-wiki/pwn/linux/sandbox/python-sandbox-escape/)
|
* [https://ctf-wiki.github.io/ctf-wiki/pwn/linux/sandbox/python-sandbox-escape/](https://ctf-wiki.github.io/ctf-wiki/pwn/linux/sandbox/python-sandbox-escape/)
|
||||||
* [https://blog.delroth.net/2013/03/escaping-a-python-sandbox-ndh-2013-quals-writeup/](https://blog.delroth.net/2013/03/escaping-a-python-sandbox-ndh-2013-quals-writeup/)
|
* [https://blog.delroth.net/2013/03/escaping-a-python-sandbox-ndh-2013-quals-writeup/](https://blog.delroth.net/2013/03/escaping-a-python-sandbox-ndh-2013-quals-writeup/)
|
||||||
* [https://gynvael.coldwind.pl/n/python\_sandbox\_escape](https://gynvael.coldwind.pl/n/python_sandbox_escape)
|
* [https://gynvael.coldwind.pl/n/python\_sandbox\_escape](https://gynvael.coldwind.pl/n/python_sandbox_escape)
|
||||||
* [https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html](https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html)
|
* [https://nedbatchelder.com/blog/201206/eval\_really\_is\_dangerous.html](https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html)
|
||||||
|
|
||||||
\*\*\*\*
|
\*\*\*\*
|
||||||
|
|
||||||
|
|
|
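Review bot: escaping the underscores in the nedbatchelder link text matches the gynvael entry above, fine. The `\*\*\*\*` below the list on both sides is an empty bold span that renders as four literal asterisks; delete it rather than carrying it through another commit.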
@ -41,5 +41,5 @@ The good news is that **this payload is executed automatically when the file is
|
||||||
|
|
||||||
It's possible to execute a calculator with the following payload **`=cmd|' /C calc'!xxx`**
|
It's possible to execute a calculator with the following payload **`=cmd|' /C calc'!xxx`**
|
||||||
|
|
||||||
![](../.gitbook/assets/image%20%2825%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%281%29.png)
|
![](../.gitbook/assets/image%20%2825%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%281%29.png)
|
||||||
|
|
||||||
|
|
|
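Review bot: same asset churn as earlier in this commit: the only change is the `image (25)` screenshot picking up another ` (2)` in its filename, with the surrounding text unchanged. The screenshot path should be stable across syncs; otherwise every commit rewrites this page for no content change.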
@ -1,4 +1,4 @@
|
||||||
# Reset/Forgotten Password Bypass
|
# Reset/Forgoten Password Bypass
|
||||||
|
|
||||||
## HTTP Headers
|
## HTTP Headers
|
||||||
|
|
||||||
|
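Review bot: this change introduces a typo instead of fixing one: the left side `# Reset/Forgotten Password Bypass` is correct and the new right side reads `Forgoten`. Revert the heading, and keep in mind that editing an H1 can change the page's generated slug and break inbound links to it.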
@ -7,7 +7,7 @@ Sometimes in order to reset a password you contact an api endpoint and **send th
|
||||||
![](.gitbook/assets/1_6qc-agcjyzwmf8rgnvr_eg.png)
|
![](.gitbook/assets/1_6qc-agcjyzwmf8rgnvr_eg.png)
|
||||||
|
|
||||||
The back-end may take the information present in the **Host header** and use it for the link where the token to reset the password is going to be sent.
|
The back-end may take the information present in the **Host header** and use it for the link where the token to reset the password is going to be sent.
|
||||||
For example, in this case if could send the reset password email to _something@gmail.com_ and set the token link to _https://bing.com/resetpasswd?token=12348rhfblrihvkurewfwu23_
|
For example, in this case if could send the reset password email to _something@gmail.com_ and set the token link to [https://bing.com/resetpasswd?token=12348rhfblrihvkurewfwu23](https://bing.com/resetpasswd?token=12348rhfblrihvkurewfwu23)
|
||||||
|
|
||||||
Example from [https://medium.com/@abhishake100/password-reset-poisoning-to-ato-and-otp-bypass-1a3b0eba5491](https://medium.com/@abhishake100/password-reset-poisoning-to-ato-and-otp-bypass-1a3b0eba5491)
|
Example from [https://medium.com/@abhishake100/password-reset-poisoning-to-ato-and-otp-bypass-1a3b0eba5491](https://medium.com/@abhishake100/password-reset-poisoning-to-ato-and-otp-bypass-1a3b0eba5491)
|
||||||
|
|
||||||
|
|
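Review bot: turning the example token URL into a clickable link (`[https://bing.com/resetpasswd?token=...](https://bing.com/resetpasswd?token=...)`) sends readers to a live third-party domain carrying a made-up token; keep it as inline code, `https://bing.com/resetpasswd?token=12348rhfblrihvkurewfwu23` in backticks, so it is visibly an example and not a destination. The sentence also reads "if could send"; it should be "you could send the reset-password email to _something@gmail.com_ with the token link pointing at a host of your choosing". From the defender's side, the hunk could state the fix in one line: build the reset link from a configured canonical base URL, never from the incoming Host header.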