Merge pull request #802 from chiyochichi/patch-1

minor phrasing mistakes
HackTricks 2024-03-10 14:28:25 +01:00 committed by GitHub
commit c61db4fcd3
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 20 additions and 25 deletions


@ -25,7 +25,7 @@ To **bypass** the captcha during **server testing** and automate user input func
2. **Value Extraction and Reuse**:
* **Source Code Inspection**: Search for the captcha value within the page's source code.
* **Cookie Analysis**: Examine the cookies to find if the captcha value is stored and reused.
* **Reuse Old Captcha Values**: Attempt to use previously successful captcha values again.
* **Reuse Old Captcha Values**: Attempt to use previously successful captcha values again. Keep in mind that they might expire at any time.
* **Session Manipulation**: Try using the same captcha value across different sessions or the same session ID.
3. **Automation and Recognition**:
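Review bot: the caveat added to the "Reuse Old Captcha Values" bullet names only time-based expiry, but the other reason a replay fails is that a correctly built server invalidates a captcha token on first successful use; a short addition such as "or be invalidated after a single use" would make the bullet describe both behaviours a tester will run into. Also consider "may expire" instead of "might expire at any time", which reads as if expiry were random.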
@ -42,15 +42,11 @@ To **bypass** the captcha during **server testing** and automate user input func
* **Audio Captcha Analysis**: If an audio captcha option is available, use speech-to-text services to interpret and solve the captcha.
## Online Services to bypass captchas
## Online Services to solve captchas
### [Capsolver](https://www.capsolver.com/)
Capsolvers automatic captcha solver offers the **most affordable and quick captcha-solving solution**. You may rapidly combine it with your program using its simple integration option to achieve the best results in a matter of seconds.
With a success rate of 99.15%, Capsolver can **answer more than 10M captchas every minute**. This implies that your automation or scrape will have a 99.99% uptime. You may buy a captcha package if you have a large budget.
At the lowest price on the market, you may receive a variety of solutions, including reCAPTCHA V2, reCAPTCHA V3, hCaptcha, hCaptcha Click, reCaptcha click, Funcaptcha Click, FunCaptcha, datadome captcha, aws captcha, picture-to-text, binance / coinmarketcap captcha, geetest v3 / v3, and more. With this service, **0.1s is the slowest speed ever measured**.
Capsolver's automatic captcha solver offers an **affordable and quick captcha-solving solution**. You may rapidly combine it with your program using its simple integration option to achieve the best results in a matter of seconds. It can solve reCAPTCHA V2 and V3, hCaptcha, FunCaptcha, datadome, aws captcha, picture-to-text, binance / coinmarketcap captcha, geetest v3, and more. However, this is not a bypass per-se.
<details>
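Review bot: "per-se" in the new closing sentence should be "per se" (the Latin phrase is not hyphenated). The sentence itself is a good addition, since it matches the heading change from "bypass" to "solve" and makes clear that a paid solving service is a way to pass the challenge, not a weakness in the captcha, which is the distinction the rest of the page is about.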


@ -17,9 +17,9 @@ Other ways to support HackTricks:
# Summary
It is like a [**Server Side Template Injection**](ssti-server-side-template-injection/) but in the **client**. The **SSTI** can allow you to **execute code** on the remote server, the **CSTI** could allow you to **execute arbitrary JavaScript** code in the victim.
It is like a [**Server Side Template Injection**](ssti-server-side-template-injection/) but in the **client**. The **SSTI** can allow you to **execute code** on the remote server, the **CSTI** could allow you to **execute arbitrary JavaScript** code in the victim's browser.
The way to **test** for this vulnerability is very **similar** as in the case of **SSTI**, the interpreter is going to expect something to execute **between doubles keys** and will execute it. For example using something like: `{{ 7-7 }}` if the server is **vulnerable** you will see a `0` and if not you will see the original: `{{ 7-7 }}`
**Testing** for this vulnerability is very **similar** as in the case of **SSTI**, the interpreter expects **a template** and will execute it. For example, with a payload like `{{ 7-7 }}`, if the app is **vulnerable** you will see a `0`, and if not, you will see the original: `{{ 7-7 }}`
# AngularJS
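Review bot: "very **similar** as in the case of **SSTI**" survives unchanged in the rewritten line; "very **similar** to the **SSTI** case" is the idiomatic form. The rest of the rewrite is an improvement: "in the victim's browser" fixes the dangling "in the victim", and "if the app is vulnerable" is the right subject for a client-side issue, where the old text said "the server".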
@ -44,7 +44,7 @@ You can find a very **basic online example** of the vulnerability in **AngularJS
# VueJS
You can find a **vulnerable vue.js** implementation in [https://vue-client-side-template-injection-example.azu.now.sh/](https://vue-client-side-template-injection-example.azu.now.sh)\
You can find a **vulnerable Vue** implementation in [https://vue-client-side-template-injection-example.azu.now.sh/](https://vue-client-side-template-injection-example.azu.now.sh)\
Working payload: [`https://vue-client-side-template-injection-example.azu.now.sh/?name=%7B%7Bthis.constructor.constructor(%27alert(%22foo%22)%27)()%7D%`](https://vue-client-side-template-injection-example.azu.now.sh/?name=%7B%7Bthis.constructor.constructor\(%27alert\(%22foo%22\)%27\)\(\)%7D%7D)
And the **source code** of the vulnerable example here: [https://github.com/azu/vue-client-side-template-injection-example](https://github.com/azu/vue-client-side-template-injection-example)
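Review bot: the visible link text of the "Working payload" line (context, not touched by this PR) ends in `%7D%` while the href ends in `%7D%7D`, so the displayed URL is missing its final `7D`; since this hunk is already being edited for wording, it is worth fixing the truncated text so that a reader who copies what they see gets the same URL as the link target.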


@ -33,7 +33,7 @@ Software:
* [https://www.pnfsoftware.com/jeb/demo](https://www.pnfsoftware.com/jeb/demo)
* [https://github.com/wwwg/wasmdec](https://github.com/wwwg/wasmdec)
## .Net decompiler
## .NET decompiler
### [dotPeek](https://www.jetbrains.com/decompiler/)
@ -41,7 +41,7 @@ dotPeek is a decompiler that **decompiles and examines multiple formats**, inclu
The merit here is that if a lost source code requires restoration from a legacy assembly, this action can save time. Further, dotPeek provides handy navigation throughout the decompiled code, making it one of the perfect tools for **Xamarin algorithm analysis.**
### [.Net Reflector](https://www.red-gate.com/products/reflector/)
### [.NET Reflector](https://www.red-gate.com/products/reflector/)
With a comprehensive add-in model and an API that extends the tool to suit your exact needs, .NET reflector saves time and simplifies development. Let's take a look at the plethora of reverse engineering services this tool provides:
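Review bot: the heading is changed to ".NET Reflector", but the sentence right under it still reads ".NET reflector" with a lowercase r; capitalise it as well so the product name is spelled the same way in both places.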
@ -55,14 +55,13 @@ With a comprehensive add-in model and an API that extends the tool to suit your
### [ILSpy](https://github.com/icsharpcode/ILSpy) & [dnSpy](https://github.com/dnSpy/dnSpy/releases)
[ILSpy plugin for Visual Studio Code](https://github.com/icsharpcode/ilspy-vscode): You can have it in any OS (you can install it directly from VSCode, no need to download the git. Click on **Extensions** and **search ILSpy**).\
If you need to **decompile**, **modify** and **recompile** again you can use: [**https://github.com/0xd4d/dnSpy/releases**](https://github.com/0xd4d/dnSpy/releases) (**Right Click -> Modify Method** to change something inside a function).\
You cloud also try [https://www.jetbrains.com/es-es/decompiler/](https://www.jetbrains.com/es-es/decompiler/)
If you need to **decompile**, **modify** and **recompile** again you can use [**dnSpy**](https://github.com/dnSpy/dnSpy/releases) or an actively maintained fork of it, [**dnSpyEx**](https://github.com/dnSpyEx/dnSpy/releases). (**Right Click -> Modify Method** to change something inside a function).
### DNSpy Logging
In order to make **DNSpy log some information in a file**, you could use this .Net lines:
In order to make **DNSpy log some information in a file**, you could use this snippet:
```bash
```cs
using System.IO;
path = "C:\\inetpub\\temp\\MyTest2.txt";
File.AppendAllText(path, "Password: " + password + "\n");
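Review bot: the fence retag from `bash` to `cs` is correct, but the snippet it wraps will not compile as shown: `path = "C:\\inetpub\\temp\\MyTest2.txt";` assigns to an undeclared variable, so it needs `string path = ...` (or `var path = ...`), and `password` is assumed to exist in the method being edited, which the text should say. Separately, in the rewritten dnSpy line the parenthetical "(**Right Click -> Modify Method** to change something inside a function)." now follows a full stop and stands alone; either drop the preceding period or turn the parenthetical into its own sentence.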
@ -95,13 +94,13 @@ And click on **compile**:
![](<../../.gitbook/assets/image (314) (1) (1).png>)
Then save the new file on _**File >> Save module...**_:
Then save the new file via _**File >> Save module...**_:
![](<../../.gitbook/assets/image (279).png>)
This is necessary because if you don't do this, at **runtime** several **optimisations** will be applied to the code and it could be possible that while debugging a **break-point is never hit** or some **variables don't exist**.
Then, if your .Net application is being **run** by **IIS** you can **restart** it with:
Then, if your .NET application is being **run** by **IIS** you can **restart** it with:
```
iisreset /noforce
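Review bot: the fence around `iisreset /noforce` carries no language tag; since this PR already retags the dnSpy logging snippet for highlighting, tag this one too (for example `bash` or `cmd`) so the two code blocks on the page are treated consistently.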
@ -121,7 +120,7 @@ Now that we are debugging the process, it's time to stop it and load all the mod
![](<../../.gitbook/assets/image (283).png>)
Click any module on **Modules** and selec**t Open All Modules**:
Click any module on **Modules** and select **Open All Modules**:
![](<../../.gitbook/assets/image (284).png>)
@ -239,16 +238,16 @@ The **Create Dump** option will dump the final shellcode if any change is done t
### Disassembling using CyberChef
Upload you shellcode file as input and use the following receipt to decompile it: [https://gchq.github.io/CyberChef/#recipe=To\_Hex('Space',0)Disassemble\_x86('32','Full%20x86%20architecture',16,0,true,true)](https://gchq.github.io/CyberChef/#recipe=To\_Hex\('Space',0\)Disassemble\_x86\('32','Full%20x86%20architecture',16,0,true,true\))
Upload your shellcode file as input and use the following recipe to decompile it: [https://gchq.github.io/CyberChef/#recipe=To\_Hex('Space',0)Disassemble\_x86('32','Full%20x86%20architecture',16,0,true,true)](https://gchq.github.io/CyberChef/#recipe=To\_Hex\('Space',0\)Disassemble\_x86\('32','Full%20x86%20architecture',16,0,true,true\))
## [Movfuscator](https://github.com/xoreaxeaxeax/movfuscator)
This obfuscator **modify all the instructions for `mov`**(yeah, really cool). It also uses interruptions to change executions flows. For more information about how does it works:
This obfuscator **modifies all the instructions for `mov`**(yeah, really cool). It also uses interruptions to change executions flows. For more information about how does it works:
* [https://www.youtube.com/watch?v=2VF\_wPkiBJY](https://www.youtube.com/watch?v=2VF\_wPkiBJY)
* [https://github.com/xoreaxeaxeax/movfuscator/blob/master/slides/domas\_2015\_the\_movfuscator.pdf](https://github.com/xoreaxeaxeax/movfuscator/blob/master/slides/domas\_2015\_the\_movfuscator.pdf)
If you are lucky [demovfuscator ](https://github.com/kirschju/demovfuscator)will deofuscate the binary. It has several dependencies
If you are lucky [demovfuscator](https://github.com/kirschju/demovfuscator) will deofuscate the binary. It has several dependencies
```
apt-get install libcapstone-dev
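Review bot: the rewritten CyberChef line says "use the following recipe to decompile it", but the recipe is `Disassemble_x86` and the heading above it is "Disassembling using CyberChef", so "disassemble" is the accurate verb. In the Movfuscator paragraph the verb fix to "modifies" is good, but the rest of the line still has the errors the PR title is about: a missing space before "(yeah", "interruptions" where "interrupts" is meant, "executions flows" for "execution flow", and "how does it works" for "how it works". In the demovfuscator line "deofuscate" should be "deobfuscate".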
@ -272,7 +271,7 @@ Having the **name** of the **functions** being called, search for them on the **
For Delphi compiled binaries you can use [https://github.com/crypto2011/IDR](https://github.com/crypto2011/IDR)
I you have to reverse a Delphi binary I would suggest you to use the IDA plugin [https://github.com/Coldzer0/IDA-For-Delphi](https://github.com/Coldzer0/IDA-For-Delphi)
If you have to reverse a Delphi binary I would suggest you to use the IDA plugin [https://github.com/Coldzer0/IDA-For-Delphi](https://github.com/Coldzer0/IDA-For-Delphi)
Just press **ATL+f7** (import python plugin in IDA) and select the python plugin.
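Review bot: "I would suggest you to use" in the corrected line is still ungrammatical; "I would suggest using" or "I suggest the IDA plugin" reads naturally. On the following context line, "ATL+f7" is a typo for "Alt+F7", the IDA shortcut that opens the script-file dialog referred to in the parenthesis.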
@ -282,7 +281,7 @@ It is also very interesting because if you press a button in the graphic applica
## Golang
I you have to reverse a Golang binary I would suggest you to use the IDA plugin [https://github.com/sibears/IDAGolangHelper](https://github.com/sibears/IDAGolangHelper)
If you have to reverse a Golang binary I would suggest you to use the IDA plugin [https://github.com/sibears/IDAGolangHelper](https://github.com/sibears/IDAGolangHelper)
Just press **ATL+f7** (import python plugin in IDA) and select the python plugin.
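Review bot: this Golang line has the same construction as the Delphi section: "I would suggest you to use" should become "I would suggest using", and the "ATL+f7" on the next context line is a typo for "Alt+F7" (the IDA shortcut for loading a script file).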
@ -324,7 +323,7 @@ R = 256
L = 256
```
So, in this kind of programs, the an interesting part will be **how the program treats the user input**. In the address **0x4000130** you will find the commonly found function: **KEYINPUT.**
So, in this kind of program, the interesting part will be **how the program treats the user input**. In the address **0x4000130** you will find the commonly found function: **KEYINPUT**.
![](<../../.gitbook/assets/image (579).png>)
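Review bot: "In the address **0x4000130**" should be "At the address **0x4000130**", and "the commonly found function" is clearer as "the common function" or "the usual function". The other fixes on the line ("this kind of program", removal of the stray "the an", and moving the full stop outside the bold) are correct.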