GitBook: [master] 9 pages and 8 assets modified
@ -387,7 +387,7 @@ Get the address to this table with: **`objdump -s -j .got ./exec`**
Observe how after **loading** the **executable** in GEF you can **see** the **functions** that are in the **GOT**: `gef➤ x/20x 0xDIR_GOT`
![](../../.gitbook/assets/image%20%28620%29.png)
![](../../.gitbook/assets/image%20%28621%29.png)
Using GEF you can **start** a **debugging** session and execute **`got`** to see the got table:
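Review bot: the only change in this hunk is the screenshot reference, image (620).png replaced by image (621).png, with the surrounding text untouched; confirm the new asset is the intended GOT screenshot and drop the old one so the assets folder does not keep accumulating near-duplicates. One documentation point on the context line: `0xDIR_GOT` in `gef➤ x/20x 0xDIR_GOT` is a placeholder, so a short note telling the reader to substitute the address printed by `objdump -s -j .got ./exec` (the command in the hunk header) would make the step self-contained.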
@ -128,7 +128,7 @@ The response is a JSON dictionary with some important data like:
* Signed using the **device identity certificate \(from APNS\)**
* **Certificate chain** includes expired **Apple iPhone Device CA**
![](../../../.gitbook/assets/image%20%28567%29%20%281%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29.png)
![](../../../.gitbook/assets/image%20%28567%29%20%281%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%281%29.png)
### Step 6: Profile Installation
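Review bot: the replaced image path already carries eight repeated `(2)` suffixes and the new one appends another `(1)`, which is GitBook re-uploading the same screenshot on every edit; give the asset a stable, descriptive filename instead of letting the suffixes grow. On the context bullets, "Certificate chain includes expired Apple iPhone Device CA" states that the chain contains an expired CA but not how a verifier is expected to treat it (whether the signature is still accepted); one sentence on that would close the gap.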
@ -73,7 +73,7 @@ zipalign -v 4 infile.apk
### **Sign the new APK \(again?\)**
If you **prefer** to use ****[**apksigner**](https://developer.android.com/studio/command-line/apksigner) **instead of jarsigner,** you should sing the apk **after applying** the optimization with **zipaling**. BUT NOTICE THAT **YOU ONLY HAVE TO SIGN THE APPLCIATION ONCE** WITH jarsigner \(before zipalign\) OR WITH aspsigner\(after zipaling\).
If you **prefer** to use **\*\*\[**apksigner**\]\(**[https://developer.android.com/studio/command-line/apksigner](https://developer.android.com/studio/command-line/apksigner)**\)** instead of jarsigner, **you should sing the apk** after applying **the optimization with** zipaling**. BUT NOTICE THAT** YOU ONLY HAVE TO SIGN THE APPLCIATION ONCE\*\* WITH jarsigner \(before zipalign\) OR WITH aspsigner\(after zipaling\).
```bash
apksigner sign --ks key.jks ./dist/mycompiled.apk
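Review bot: the new version of the apksigner paragraph breaks the markdown link: `**\*\*\[**apksigner**\]\(**[https://developer.android.com/studio/command-line/apksigner](https://developer.android.com/studio/command-line/apksigner)**\)**` renders as literal backslashes and asterisks around the URL rather than a link. Suggest restoring `[**apksigner**](https://developer.android.com/studio/command-line/apksigner)` and, while touching the line, fixing the typos carried over from the old version: "sing" should be "sign", "zipaling" should be "zipalign", "APPLCIATION" should be "APPLICATION", and "aspsigner" should be "apksigner". The point the paragraph makes (sign once, with jarsigner before zipalign or with apksigner after it) is correct and worth keeping as is.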
@ -85,7 +85,7 @@ For the following Hello World Java code:
```text
public static void printHelloWorld() {
System.out.println("Hello World")
System.out.println("Hello World")
}
```
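Review bot: both the removed and the added `System.out.println("Hello World")` lines lack the trailing semicolon, so the Java snippet the Smali is derived from does not compile as shown; it should read `System.out.println("Hello World");`. Tagging the fence `java` instead of `text` would also give it highlighting.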
@ -93,13 +93,12 @@ The Smali code would be:
```text
.method public static printHelloWorld()V
.registers 2
sget-object v0, Ljava/lang/System;->out:Ljava/io/PrintStream;
const-string v1, "Hello World"
invoke-virtual {v0,v1}, Ljava/io/PrintStream;->println(Ljava/lang/String;)V
return-void
.registers 2
sget-object v0, Ljava/lang/System;->out:Ljava/io/PrintStream;
const-string v1, "Hello World"
invoke-virtual {v0,v1}, Ljava/io/PrintStream;->println(Ljava/lang/String;)V
return-void
.end method
```
The Smali instruction set is available [here](https://source.android.com/devices/tech/dalvik/dalvik-bytecode#instructions).
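Review bot: the instructions in the removed and added blocks are identical; the hunk only drops the blank line before `.end method`, so there is no semantic change to review. A small documentation addition would help readers who go on to patch Smali: a comment that `.registers 2` is exactly enough because v0 holds the `PrintStream` and v1 the string constant, and that the count must be raised whenever extra locals are introduced.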
@ -175,6 +175,7 @@ This isn't directly exploitable because there's no way for an attacker to make s
### **Client-Side cache poisoning**
You may have occasionally encountered a page with [reflected XSS](https://portswigger.net/web-security/cross-site-scripting/reflected) in a custom HTTP header. Say a web page reflects the contents of a custom header without encoding:
```http
GET / HTTP/1.1
Host: example.com
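Review bot: the hunk header (175,6 to 175,7) shows a single added line, and nothing in the visible context differs, so this looks like a blank line added after the heading. The paragraph says the page reflects a custom header without encoding, but the request in this context shows only `GET / HTTP/1.1` and `Host: example.com`; check that the lines following the hunk actually name the reflected header, otherwise the example is not self-contained.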
@ -66,7 +66,7 @@ In order to **find event listeners** in the current page you can:
* **Search** the JS code for ****`window.addEventListener` and `$(window).on` \(_JQuery version_\)
* **Execute** in the developer tools console: `getEventListeners(window)`
![](../.gitbook/assets/image%20%28618%29.png)
![](../.gitbook/assets/image%20%28618%29%20%281%29.png)
* **Go to** _Elements --> Event Listeners_ in the developer tools of the browser
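Review bot: the only change is the screenshot reference (image (618).png to image (618) (1).png). Two documentation points on the context bullets: `getEventListeners(window)` is a Chrome/Chromium DevTools Console Utilities function, so it only works when typed into that console and is not available to page scripts or in other browsers, which the bullet should say; and the first bullet has a stray empty `****` before the backticked `window.addEventListener` that renders as literal asterisks and should be removed.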
@ -4,17 +4,17 @@
A bucket is typically considered “public” if any user can list the contents of the bucket, and “private” if the bucket's contents can only be listed or written by certain S3 users. This is important to understand and emphasize. _**A public bucket will list all of its files and directories to any user that asks.**_
It should be emphasized that a public bucket is not a risk created by Amazon but rather a misconfiguration caused by the owner of the bucket. And although a file might be listed in a bucket it does not necessarily mean that it can be downloaded. Buckets and objects have their own access control lists \(ACLs\). Amazon provides information on managing access controls for buckets [here](http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAuthAccess.html). Furthermore, Amazon helps their users by publishing a best practices document on [public access considerations around S3 buckets](http://aws.amazon.com/articles/5050). The default configuration of an S3 bucket is private.
It should be emphasized that a public bucket is not a risk created by Amazon but rather a misconfiguration caused by the owner of the bucket. And although a file might be listed in a bucket it does not necessarily mean that it can be downloaded. Buckets and objects have their own access control lists \(ACLs\). Amazon provides information on managing access controls for buckets [here](http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAuthAccess.html). Furthermore, Amazon helps their users by publishing a best practices document on [public access considerations around S3 buckets](http://aws.amazon.com/articles/5050). The default configuration of an S3 bucket is private.
**Learn about AWS-S3 misconfiguration here:** [ **http://flaws.cloud**](%20http://flaws.cloud) **and** [**http://flaws2.cloud/**](http://flaws2.cloud/) **\(Most of the information here has been taken from those resources\)**
**Learn about AWS-S3 misconfiguration here:** [ **http://flaws.cloud**](../../../) **and** [**http://flaws2.cloud/**](http://flaws2.cloud/) **\(Most of the information here has been taken from those resources\)**
#### **Regions**
* US Standard = http://s3.amazonaws.com
* Ireland = http://s3-eu-west-1.amazonaws.com
* Northern California = http://s3-us-west-1.amazonaws.com
* Singapore = http://s3-ap-southeast-1.amazonaws.com
* Tokyo = http://s3-ap-northeast-1.amazonaws.com
* US Standard = [http://s3.amazonaws.com](http://s3.amazonaws.com)
* Ireland = [http://s3-eu-west-1.amazonaws.com](http://s3-eu-west-1.amazonaws.com)
* Northern California = [http://s3-us-west-1.amazonaws.com](http://s3-us-west-1.amazonaws.com)
* Singapore = [http://s3-ap-southeast-1.amazonaws.com](http://s3-ap-southeast-1.amazonaws.com)
* Tokyo = [http://s3-ap-northeast-1.amazonaws.com](http://s3-ap-northeast-1.amazonaws.com)
## AWS Configuration
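Review bot: this hunk introduces a broken link. The flaws.cloud reference changes from `[ **http://flaws.cloud**](%20http://flaws.cloud)` (a stray leading space, but the right target) to `[ **http://flaws.cloud**](../../../)`, which now points at a relative path inside the book rather than at the site; it should be `[**http://flaws.cloud**](http://flaws.cloud)`. The rest of the hunk only turns the bare region URLs into markdown links, and the two copies of the "It should be emphasized that a public bucket..." paragraph show no visible difference, so confirm that change is whitespace only and not an accidental edit.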
@ -69,7 +69,7 @@ Non-authoritative answer:
Check that the resolved domain have the word "website".
You can access the static website going to: `flaws.cloud.s3-website-us-west-2.amazonaws.com`
or you can access the bucket visiting: `flaws.cloud.s3-us-west-2.amazonaws.com`
or you can access the bucket visiting: `flaws.cloud.s3-us-west-2.amazonaws.com`
If you try to access a bucket, but in the domain name you specify another region \(for example the bucket is in `bucket.s3.amazonaws.com` but you try to access `bucket.s3-website-us-west-2.amazonaws.com`, then you will be redirected to the correct location.
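Review bot: the changed line ("or you can access the bucket visiting: `flaws.cloud.s3-us-west-2.amazonaws.com`") shows no visible difference between old and new, so confirm it is a whitespace-only edit. Two fixes for the surrounding context lines: "Check that the resolved domain have the word "website"" should read "has the word", and the last sentence opens a parenthesis at "(for example the bucket is in `bucket.s3.amazonaws.com`..." that is never closed; close it after `bucket.s3-website-us-west-2.amazonaws.com` so the "then you will be redirected" clause reads as the main sentence.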
@ -202,7 +202,7 @@ docker inspect sha256:079aee8a89950717cdccd15b8f17c80e9bc4421a855fcdc120e1c534e4
### Get Snapshots
Notice that ****AWS allows you to make snapshots of EC2's and databases \(RDS\). The main purpose for that is to make backups, but people sometimes use snapshots to get access back to their own EC2's when they forget the passwords.
Notice that _\*\*_AWS allows you to make snapshots of EC2's and databases \(RDS\). The main purpose for that is to make backups, but people sometimes use snapshots to get access back to their own EC2's when they forget the passwords.
Look for snapshots this user has access to \(note the **SnapshotId**\):
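Review bot: the change turns an empty bold marker `****` before "AWS allows" into `_\*\*_`, which now renders as a literal `**` in italics; the marker wraps no text at all and should simply be deleted rather than escaped. While touching the line, "EC2's" is a possessive where the plural "EC2 instances" is meant, and the same applies to "their own EC2's" at the end of the sentence.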
@ -247,27 +247,25 @@ The above command will list the disk you attached to your instance.
If you want to read about how can you exploit meta-data in AWS [you should read this page](../../../pentesting-web/ssrf-server-side-request-forgery.md#abusing-ssrf-in-aws-environment)
## Tools to scan the configuration of buckets **or to discover buckets**
{% embed url="https://github.com/sa7mon/S3Scanner" %}
{% embed url="https://github.com/sa7mon/S3Scanner" caption="" %}
{% embed url="https://github.com/kromtech/s3-inspector" %}
{% embed url="https://github.com/kromtech/s3-inspector" caption="" %}
{% embed url="https://github.com/jordanpotti/AWSBucketDump" %}
{% embed url="https://github.com/jordanpotti/AWSBucketDump" caption="" %}
{% embed url="https://github.com/fellchase/flumberboozle" %}
{% embed url="https://github.com/fellchase/flumberboozle" caption="" %}
{% embed url="https://github.com/smaranchand/bucky" %}
{% embed url="https://github.com/smaranchand/bucky" caption="" %}
{% embed url="https://github.com/tomdev/teh\_s3\_bucketeers" %}
{% embed url="https://github.com/tomdev/teh\_s3\_bucketeers" caption="" %}
\*\*\*\*
## **List of Open Buckets**
{% embed url="https://buckets.grayhatwarfare.com/" %}
{% embed url="https://buckets.grayhatwarfare.com/" caption="" %}
\*\*\*\*
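Review bot: adding `caption=""` to every `{% embed %}` is harmless, but the two `\*\*\*\*` lines in this hunk (the one before "## **List of Open Buckets**" and the one at the end) are empty, escaped bold markers that render as four literal asterisks; delete them. The heading "Tools to scan the configuration of buckets **or to discover buckets**" mixes inline bold into a heading that is already rendered as a title, so the bold can go as well. Also, the link text "you should read this page" on the meta-data line would be clearer as the target's own title (the SSRF-in-AWS section it points to).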
@ -586,6 +586,7 @@ There are several ways to bypass disable\_functions if some specific module is b
* 7.3 - all versions to date
* 7.4 - all versions to date
* 8.0 - all versions to date
* \*\*\*\*[**From 7.0 to 8.0 exploit \(Unix only\)**](https://github.com/mm0r1/exploits/blob/master/php-filter-bypass/exploit.php)\*\*\*\*
* [**FastCGI/PHP-FPM \(FastCGI Process Manager\)**](disable_functions-bypass-php-fpm-fastcgi.md)\*\*\*\*
* **dl function**
* \*\*\*\*[**PHP 7.0=7.4 \(\*nix\)**](disable_functions-bypass-php-7.0-7.4-nix-only.md#php-7-0-7-4-nix-only)\*\*\*\*
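Review bot: the `\*\*\*\*` wrappers around the three linked bullets render as literal asterisks and should be removed; the link text is already bold. "PHP 7.0=7.4" reads as a typo for "PHP 7.0-7.4", which the target anchor `#php-7-0-7-4-nix-only` supports. The "dl function" bullet has neither a link nor a sentence explaining how it relates to the bypasses listed around it; either link it to the section that covers it or drop it from this list.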
@ -188,7 +188,7 @@ action=open Setup.exe
## Shell Command Files
It is possible to obtain passwords hashes of domain users or shells when writing permissions given to unauthenticated users. SCF (Shell Command Files) can perform a limited set of operations like showing the Windows desktop or opening a Windows Explorer. Save the code below as `ordinary.scf` and put it into a network share.
It is possible to obtain passwords hashes of domain users or shells when writing permissions given to unauthenticated users. SCF \(Shell Command Files\) can perform a limited set of operations like showing the Windows desktop or opening a Windows Explorer. Save the code below as `ordinary.scf` and put it into a network share.
```text
[Shell]
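Review bot: the change only escapes the parentheses in "SCF (Shell Command Files)", which GitBook does on its own; the grammar problems are present in both versions and should be fixed in the same line: "passwords hashes" should be "password hashes", "when writing permissions given to unauthenticated users" should be "when write permission on a share is granted to unauthenticated users", and "put it into a network share" should be "on a network share". The fenced block that follows is cut off at `[Shell]` in this hunk, which is fine for the diff, but `ini` would be a better fence tag than `text` for an SCF file.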