GitBook: [master] 9 pages and 8 assets modified

This commit is contained in:
CPol 2021-10-07 12:54:05 +00:00 committed by gitbook-bot
parent 46bae2b77c
commit 9839455cf7
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
13 changed files with 1036 additions and 51 deletions

View file

Before

Width:  |  Height:  |  Size: 740 KiB

After

Width:  |  Height:  |  Size: 740 KiB

View file

Before

Width:  |  Height:  |  Size: 740 KiB

After

Width:  |  Height:  |  Size: 740 KiB

View file

Before

Width:  |  Height:  |  Size: 15 KiB

After

Width:  |  Height:  |  Size: 15 KiB

View file

Before

Width:  |  Height:  |  Size: 24 KiB

After

Width:  |  Height:  |  Size: 24 KiB

File diff suppressed because it is too large Load diff

View file

@ -387,7 +387,7 @@ Get the address to this table with: **`objdump -s -j .got ./exec`**
Observe how after **loading** the **executable** in GEF you can **see** the **functions** that are in the **GOT**: `gef➤ x/20x 0xDIR_GOT`
![](../../.gitbook/assets/image%20%28620%29.png)
![](../../.gitbook/assets/image%20%28621%29.png)
Using GEF you can **start** a **debugging** session and execute **`got`** to see the got table:

View file

@ -128,7 +128,7 @@ The response is a JSON dictionary with some important data like:
* Signed using the **device identity certificate \(from APNS\)**
* **Certificate chain** includes expired **Apple iPhone Device CA**
![](../../../.gitbook/assets/image%20%28567%29%20%281%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29.png)
![](../../../.gitbook/assets/image%20%28567%29%20%281%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%281%29.png)
### Step 6: Profile Installation

View file

@ -73,7 +73,7 @@ zipalign -v 4 infile.apk
### **Sign the new APK \(again?\)**
If you **prefer** to use ****[**apksigner**](https://developer.android.com/studio/command-line/apksigner) **instead of jarsigner,** you should sing the apk **after applying** the optimization with **zipaling**. BUT NOTICE THAT **YOU ONLY HAVE TO SIGN THE APPLCIATION ONCE** WITH jarsigner \(before zipalign\) OR WITH aspsigner\(after zipaling\).
If you **prefer** to use **\*\*\[**apksigner**\]\(**[https://developer.android.com/studio/command-line/apksigner](https://developer.android.com/studio/command-line/apksigner)**\)** instead of jarsigner, **you should sing the apk** after applying **the optimization with** zipaling**. BUT NOTICE THAT** YOU ONLY HAVE TO SIGN THE APPLCIATION ONCE\*\* WITH jarsigner \(before zipalign\) OR WITH aspsigner\(after zipaling\).
```bash
apksigner sign --ks key.jks ./dist/mycompiled.apk
@ -99,7 +99,6 @@ The Smali code would be:
invoke-virtual {v0,v1}, Ljava/io/PrintStream;->println(Ljava/lang/String;)V
return-void
.end method
```
The Smali instruction set is available [here](https://source.android.com/devices/tech/dalvik/dalvik-bytecode#instructions).

View file

@ -175,6 +175,7 @@ This isn't directly exploitable because there's no way for an attacker to make s
### **Client-Side cache poisoning**
You may have occasionally encountered a page with [reflected XSS](https://portswigger.net/web-security/cross-site-scripting/reflected) in a custom HTTP header. Say a web page reflects the contents of a custom header without encoding:
```http
GET / HTTP/1.1
Host: example.com

View file

@ -66,7 +66,7 @@ In order to **find event listeners** in the current page you can:
* **Search** the JS code for ****`window.addEventListener` and `$(window).on` \(_JQuery version_\)
* **Execute** in the developer tools console: `getEventListeners(window)`
![](../.gitbook/assets/image%20%28618%29.png)
![](../.gitbook/assets/image%20%28618%29%20%281%29.png)
* **Go to** _Elements --> Event Listeners_ in the developer tools of the browser

View file

@ -6,15 +6,15 @@ A bucket is typically considered “public” if any user can list the contents
It should be emphasized that a public bucket is not a risk created by Amazon but rather a misconfiguration caused by the owner of the bucket. And although a file might be listed in a bucket it does not necessarily mean that it can be downloaded. Buckets and objects have their own access control lists \(ACLs\). Amazon provides information on managing access controls for buckets [here](http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAuthAccess.html). Furthermore, Amazon helps their users by publishing a best practices document on [public access considerations around S3 buckets](http://aws.amazon.com/articles/5050). The default configuration of an S3 bucket is private.
**Learn about AWS-S3 misconfiguration here:** [ **http://flaws.cloud**](%20http://flaws.cloud) **and** [**http://flaws2.cloud/**](http://flaws2.cloud/) **\(Most of the information here has been taken from those resources\)**
**Learn about AWS-S3 misconfiguration here:** [ **http://flaws.cloud**](../../../) **and** [**http://flaws2.cloud/**](http://flaws2.cloud/) **\(Most of the information here has been taken from those resources\)**
#### **Regions**
* US Standard = http://s3.amazonaws.com
* Ireland = http://s3-eu-west-1.amazonaws.com
* Northern California = http://s3-us-west-1.amazonaws.com
* Singapore = http://s3-ap-southeast-1.amazonaws.com
* Tokyo = http://s3-ap-northeast-1.amazonaws.com
* US Standard = [http://s3.amazonaws.com](http://s3.amazonaws.com)
* Ireland = [http://s3-eu-west-1.amazonaws.com](http://s3-eu-west-1.amazonaws.com)
* Northern California = [http://s3-us-west-1.amazonaws.com](http://s3-us-west-1.amazonaws.com)
* Singapore = [http://s3-ap-southeast-1.amazonaws.com](http://s3-ap-southeast-1.amazonaws.com)
* Tokyo = [http://s3-ap-northeast-1.amazonaws.com](http://s3-ap-northeast-1.amazonaws.com)
## AWS Configuration
@ -202,7 +202,7 @@ docker inspect sha256:079aee8a89950717cdccd15b8f17c80e9bc4421a855fcdc120e1c534e4
### Get Snapshots
Notice that ****AWS allows you to make snapshots of EC2's and databases \(RDS\). The main purpose for that is to make backups, but people sometimes use snapshots to get access back to their own EC2's when they forget the passwords.
Notice that _\*\*_AWS allows you to make snapshots of EC2's and databases \(RDS\). The main purpose for that is to make backups, but people sometimes use snapshots to get access back to their own EC2's when they forget the passwords.
Look for snapshots this user has access to \(note the **SnapshotId**\):
@ -247,27 +247,25 @@ The above command will list the disk you attached to your instance.
If you want to read about how can you exploit meta-data in AWS [you should read this page](../../../pentesting-web/ssrf-server-side-request-forgery.md#abusing-ssrf-in-aws-environment)
## Tools to scan the configuration of buckets **or to discover buckets**
{% embed url="https://github.com/sa7mon/S3Scanner" %}
{% embed url="https://github.com/sa7mon/S3Scanner" caption="" %}
{% embed url="https://github.com/kromtech/s3-inspector" %}
{% embed url="https://github.com/kromtech/s3-inspector" caption="" %}
{% embed url="https://github.com/jordanpotti/AWSBucketDump" %}
{% embed url="https://github.com/jordanpotti/AWSBucketDump" caption="" %}
{% embed url="https://github.com/fellchase/flumberboozle" %}
{% embed url="https://github.com/fellchase/flumberboozle" caption="" %}
{% embed url="https://github.com/smaranchand/bucky" %}
{% embed url="https://github.com/smaranchand/bucky" caption="" %}
{% embed url="https://github.com/tomdev/teh\_s3\_bucketeers" %}
{% embed url="https://github.com/tomdev/teh\_s3\_bucketeers" caption="" %}
\*\*\*\*
## **List of Open Buckets**
{% embed url="https://buckets.grayhatwarfare.com/" %}
{% embed url="https://buckets.grayhatwarfare.com/" caption="" %}
\*\*\*\*

View file

@ -586,6 +586,7 @@ There are several ways to bypass disable\_functions if some specific module is b
* 7.3 - all versions to date
* 7.4 - all versions to date
* 8.0 - all versions to date
* \*\*\*\*[**From 7.0 to 8.0 exploit \(Unix only\)**](https://github.com/mm0r1/exploits/blob/master/php-filter-bypass/exploit.php)\*\*\*\*
* [**FastCGI/PHP-FPM \(FastCGI Process Manager\)**](disable_functions-bypass-php-fpm-fastcgi.md)\*\*\*\*
* **dl function**
* \*\*\*\*[**PHP 7.0=7.4 \(\*nix\)**](disable_functions-bypass-php-7.0-7.4-nix-only.md#php-7-0-7-4-nix-only)\*\*\*\*

View file

@ -188,7 +188,7 @@ action=open Setup.exe
## Shell Command Files
It is possible to obtain passwords hashes of domain users or shells when writing permissions given to unauthenticated users. SCF (Shell Command Files) can perform a limited set of operations like showing the Windows desktop or opening a Windows Explorer. Save the code below as `ordinary.scf` and put it into a network share.
It is possible to obtain passwords hashes of domain users or shells when writing permissions given to unauthenticated users. SCF \(Shell Command Files\) can perform a limited set of operations like showing the Windows desktop or opening a Windows Explorer. Save the code below as `ordinary.scf` and put it into a network share.
```text
[Shell]