Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-14 08:57:55 +00:00
Code Issues Projects Releases Packages Wiki Activity

GitBook: [master] 3 pages and 2 assets modified

Browse source
This commit is contained in:
CPol 2021-03-02 21:51:01 +00:00 committed by gitbook-bot
parent c2f54291aa
commit 8bbe345910
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
4 changed files with 159 additions and 161 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

0
.gitbook/assets/image (436).png → .gitbook/assets/image (436) (1) (1).png
View file

Side by side Swipe Overlay

Before

Width:  |  Height:  |  Size: 1.6 KiB

After

Width:  |  Height:  |  Size: 1.6 KiB

4
mobile-apps-pentesting/android-app-pentesting/README.md
View file

@ -97,7 +97,7 @@ In this case you could try to abuse the functionality creating a web with the fo
In order to find the **code that will be executed in the App**, go to the activity called by the deeplink and search the function **`onNewIntent`**.
![](../../.gitbook/assets/image%20%28436%29%20%281%29.png)
![](../../.gitbook/assets/image%20%28436%29%20%281%29%20%281%29.png)
Learn how to [call deep links without using HTML pages below](./#exploiting-schemes-deep-links).
@ -455,7 +455,7 @@ _Note that you can **omit the package name** and the mobile will automatically c
In order to find the **code that will be executed in the App**, go to the activity called by the deeplink and search the function **`onNewIntent`**.
![](../../.gitbook/assets/image%20%28436%29.png)
![](../../.gitbook/assets/image%20%28436%29%20%281%29.png)
#### Sensitive info

6
pentesting-web/file-upload/README.md
View file

@ -39,7 +39,7 @@ Other useful extensions:
5. Add **another layer of extensions** to the previous check:
* _file.png.jpg.php_
* _file.php%00.png%00.jpg_
6. Try to put the **exec extension before the valid extension** and pray so the server is misconfigured. ****\(useful to exploit Apache misconfigurations where anything with extension _.php_, but **not necessarily ending in .php** will execute code\):
6. Try to put the **exec extension before the valid extension** and pray so the server is misconfigured. **\*\*\(useful to exploit Apache misconfigurations where anything with extension** _**.php**_**, but** not necessarily ending in .php\*\* will execute code\):
* _ex: file.php.png_
7. Using **NTFS alternate data stream \(ADS\)** in **Windows**. In this case, a colon character “:” will be inserted after a forbidden extension and before a permitted one. As a result, an **empty file with the forbidden extension** will be created on the server \(e.g. “file.asax:.jpg”\). This file might be edited later using other techniques such as using its short filename. The “**::$data**” pattern can also be used to create non-empty files. Therefore, adding a dot character after this pattern might also be useful to bypass further restrictions \(.e.g. “file.asp::$data.”\)
@ -192,7 +192,7 @@ if(isset($_REQUEST['cmd'])){
}?>
```
2. Use “file spraying” and create a compressed zip file:
1. Use “file spraying” and create a compressed zip file:
```text
root@s2crew:/tmp# for i in `seq 1 10`;do FILE=$FILE"xxA"; cp simple-backdoor.php $FILE"cmd.php";done
@ -257,5 +257,3 @@ This helps to upload a file that complins with the format of several different f
More information in: [https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a](https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a)

12
pentesting-web/sql-injection/postgresql-injection/README.md
View file

@ -1,21 +1,21 @@
# PostgreSQL injection
**This page aims to explain different tricks that could help you to exploit a SQLinjection found in a postgresql database and to compliment the tricks you can find on** [**https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md)\*\*\*\*
**This page aims to explain different tricks that could help you to exploit a SQLinjection found in a postgresql database and to compliment the tricks you can find on** [**https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md)
## Network Interaction - Privilege Escalation, Port Scanner, NTLM challenge response disclosure & Exfiltration
**`dblink`** is a **PostgreSQL module** that offers several interesting options from the attacker point of view. It can be used to **connect to other PostgreSQL instances** of perform **TCP connections**.
**These functionalities** along with the **`COPY FROM`** functionality can be used to **escalate privileges**, perform **port scanning** or grab **NTLM challenge responses**.
[**You can read here how to perform these attacked.**](network-privesc-port-scanner-and-ntlm-chanllenge-response-disclosure.md)\*\*\*\*
[**You can read here how to perform these attacked.**](network-privesc-port-scanner-and-ntlm-chanllenge-response-disclosure.md)
### **Exfiltration example using dblink and large objects**
You can [**read this example**](dblink-lo_import-data-exfiltration.md) ****to see a CTF example of **how to load data inside large objects and then exfiltrate the content of large objects inside the username** of the function `dblink_connect`.
You can [**read this example**](dblink-lo_import-data-exfiltration.md) **\*\*to see a CTF example of** how to load data inside large objects and then exfiltrate the content of large objects inside the username\*\* of the function `dblink_connect`.
## PL/pgSQL password bruteforce
PL/pgSQL, as a **fully featured programming language**, allows much more procedural control than SQL, including the **ability to use loops and other control structures**. SQL statements and triggers can call functions created in the PL/pgSQL language.
**You can abuse this language in order to ask PostgreSQL to brute-force the users credentials.** [**Read this to learn how.**](pl-pgsql-password-bruteforce.md)\*\*\*\*
**You can abuse this language in order to ask PostgreSQL to brute-force the users credentials.** [**Read this to learn how.**](pl-pgsql-password-bruteforce.md)
## File-system actions
@ -40,7 +40,7 @@ A very important limitation of this technique is that **`copy` cannot be used to
### **Binary files upload**
However, there are **other techniques to upload big binary files**.
[**Read this page to learn how to do it.**](big-binary-files-upload-postgresql.md)\*\*\*\*
[**Read this page to learn how to do it.**](big-binary-files-upload-postgresql.md)
## RCE
@ -67,7 +67,7 @@ More information about this vulnerability [**here**](https://medium.com/greenwol
### RCE with PostgreSQL extensions
Once you have **learned** from the previous post **how to upload binary files** you could try obtain **RCE uploading a postgresql extension and loading it**.
[**Lear how to abuse this functionality reading this post.**](rce-with-postgresql-extensions.md)\*\*\*\*
[**Lear how to abuse this functionality reading this post.**](rce-with-postgresql-extensions.md)
### PostgreSQL configuration file RCE