mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-25 06:00:40 +00:00
GitBook: [master] 3 pages and 2 assets modified
This commit is contained in:
parent
c2f54291aa
commit
8bbe345910
4 changed files with 159 additions and 161 deletions
Before Width: | Height: | Size: 1.6 KiB After Width: | Height: | Size: 1.6 KiB |
|
@ -97,7 +97,7 @@ In this case you could try to abuse the functionality creating a web with the fo
|
|||
|
||||
In order to find the **code that will be executed in the App**, go to the activity called by the deeplink and search the function **`onNewIntent`**.
|
||||
|
||||
![](../../.gitbook/assets/image%20%28436%29%20%281%29.png)
|
||||
![](../../.gitbook/assets/image%20%28436%29%20%281%29%20%281%29.png)
|
||||
|
||||
Learn how to [call deep links without using HTML pages below](./#exploiting-schemes-deep-links).
|
||||
|
||||
|
@ -455,7 +455,7 @@ _Note that you can **omit the package name** and the mobile will automatically c
|
|||
|
||||
In order to find the **code that will be executed in the App**, go to the activity called by the deeplink and search the function **`onNewIntent`**.
|
||||
|
||||
![](../../.gitbook/assets/image%20%28436%29.png)
|
||||
![](../../.gitbook/assets/image%20%28436%29%20%281%29.png)
|
||||
|
||||
#### Sensitive info
|
||||
|
||||
|
|
|
@ -39,7 +39,7 @@ Other useful extensions:
|
|||
5. Add **another layer of extensions** to the previous check:
|
||||
* _file.png.jpg.php_
|
||||
* _file.php%00.png%00.jpg_
|
||||
6. Try to put the **exec extension before the valid extension** and pray so the server is misconfigured. ****\(useful to exploit Apache misconfigurations where anything with extension _.php_, but **not necessarily ending in .php** will execute code\):
|
||||
6. Try to put the **exec extension before the valid extension** and pray so the server is misconfigured. **\*\*\(useful to exploit Apache misconfigurations where anything with extension** _**.php**_**, but** not necessarily ending in .php\*\* will execute code\):
|
||||
* _ex: file.php.png_
|
||||
7. Using **NTFS alternate data stream \(ADS\)** in **Windows**. In this case, a colon character “:” will be inserted after a forbidden extension and before a permitted one. As a result, an **empty file with the forbidden extension** will be created on the server \(e.g. “file.asax:.jpg”\). This file might be edited later using other techniques such as using its short filename. The “**::$data**” pattern can also be used to create non-empty files. Therefore, adding a dot character after this pattern might also be useful to bypass further restrictions \(.e.g. “file.asp::$data.”\)
|
||||
|
||||
|
@ -192,7 +192,7 @@ if(isset($_REQUEST['cmd'])){
|
|||
}?>
|
||||
```
|
||||
|
||||
2. Use “file spraying” and create a compressed zip file:
|
||||
1. Use “file spraying” and create a compressed zip file:
|
||||
|
||||
```text
|
||||
root@s2crew:/tmp# for i in `seq 1 10`;do FILE=$FILE"xxA"; cp simple-backdoor.php $FILE"cmd.php";done
|
||||
|
@ -257,5 +257,3 @@ This helps to upload a file that complins with the format of several different f
|
|||
|
||||
More information in: [https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a](https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a)
|
||||
|
||||
|
||||
|
||||
|
|
|
@ -1,21 +1,21 @@
|
|||
# PostgreSQL injection
|
||||
|
||||
**This page aims to explain different tricks that could help you to exploit a SQLinjection found in a postgresql database and to compliment the tricks you can find on** [**https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md)\*\*\*\*
|
||||
**This page aims to explain different tricks that could help you to exploit a SQLinjection found in a postgresql database and to compliment the tricks you can find on** [**https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md)
|
||||
|
||||
## Network Interaction - Privilege Escalation, Port Scanner, NTLM challenge response disclosure & Exfiltration
|
||||
|
||||
**`dblink`** is a **PostgreSQL module** that offers several interesting options from the attacker point of view. It can be used to **connect to other PostgreSQL instances** of perform **TCP connections**.
|
||||
**These functionalities** along with the **`COPY FROM`** functionality can be used to **escalate privileges**, perform **port scanning** or grab **NTLM challenge responses**.
|
||||
[**You can read here how to perform these attacked.**](network-privesc-port-scanner-and-ntlm-chanllenge-response-disclosure.md)\*\*\*\*
|
||||
[**You can read here how to perform these attacked.**](network-privesc-port-scanner-and-ntlm-chanllenge-response-disclosure.md)
|
||||
|
||||
### **Exfiltration example using dblink and large objects**
|
||||
|
||||
You can [**read this example**](dblink-lo_import-data-exfiltration.md) ****to see a CTF example of **how to load data inside large objects and then exfiltrate the content of large objects inside the username** of the function `dblink_connect`.
|
||||
You can [**read this example**](dblink-lo_import-data-exfiltration.md) **\*\*to see a CTF example of** how to load data inside large objects and then exfiltrate the content of large objects inside the username\*\* of the function `dblink_connect`.
|
||||
|
||||
## PL/pgSQL password bruteforce
|
||||
|
||||
PL/pgSQL, as a **fully featured programming language**, allows much more procedural control than SQL, including the **ability to use loops and other control structures**. SQL statements and triggers can call functions created in the PL/pgSQL language.
|
||||
**You can abuse this language in order to ask PostgreSQL to brute-force the users credentials.** [**Read this to learn how.**](pl-pgsql-password-bruteforce.md)\*\*\*\*
|
||||
**You can abuse this language in order to ask PostgreSQL to brute-force the users credentials.** [**Read this to learn how.**](pl-pgsql-password-bruteforce.md)
|
||||
|
||||
## File-system actions
|
||||
|
||||
|
@ -40,7 +40,7 @@ A very important limitation of this technique is that **`copy` cannot be used to
|
|||
### **Binary files upload**
|
||||
|
||||
However, there are **other techniques to upload big binary files**.
|
||||
[**Read this page to learn how to do it.**](big-binary-files-upload-postgresql.md)\*\*\*\*
|
||||
[**Read this page to learn how to do it.**](big-binary-files-upload-postgresql.md)
|
||||
|
||||
## RCE
|
||||
|
||||
|
@ -67,7 +67,7 @@ More information about this vulnerability [**here**](https://medium.com/greenwol
|
|||
### RCE with PostgreSQL extensions
|
||||
|
||||
Once you have **learned** from the previous post **how to upload binary files** you could try obtain **RCE uploading a postgresql extension and loading it**.
|
||||
[**Lear how to abuse this functionality reading this post.**](rce-with-postgresql-extensions.md)\*\*\*\*
|
||||
[**Lear how to abuse this functionality reading this post.**](rce-with-postgresql-extensions.md)
|
||||
|
||||
### PostgreSQL configuration file RCE
|
||||
|
||||
|
|
Loading…
Reference in a new issue