mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-25 06:00:40 +00:00
Merge pull request #802 from chiyochichi/patch-1
minor phrasing mistakes
This commit is contained in:
commit
c61db4fcd3
3 changed files with 20 additions and 25 deletions
|
@ -25,7 +25,7 @@ To **bypass** the captcha during **server testing** and automate user input func
|
||||||
2. **Value Extraction and Reuse**:
|
2. **Value Extraction and Reuse**:
|
||||||
* **Source Code Inspection**: Search for the captcha value within the page's source code.
|
* **Source Code Inspection**: Search for the captcha value within the page's source code.
|
||||||
* **Cookie Analysis**: Examine the cookies to find if the captcha value is stored and reused.
|
* **Cookie Analysis**: Examine the cookies to find if the captcha value is stored and reused.
|
||||||
* **Reuse Old Captcha Values**: Attempt to use previously successful captcha values again.
|
* **Reuse Old Captcha Values**: Attempt to use previously successful captcha values again. Keep in mind that they might expire at any time.
|
||||||
* **Session Manipulation**: Try using the same captcha value across different sessions or the same session ID.
|
* **Session Manipulation**: Try using the same captcha value across different sessions or the same session ID.
|
||||||
|
|
||||||
3. **Automation and Recognition**:
|
3. **Automation and Recognition**:
|
||||||
|
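Review bot: the sentence added to the "Reuse Old Captcha Values" bullet ("Keep in mind that they might expire at any time.") only covers time-based expiry, but the check a tester actually wants is whether the server invalidates a captcha value after its first successful use; a value that is accepted a second time is a replay weakness regardless of its lifetime. Suggest: "Attempt to use previously successful captcha values again. A correctly configured server invalidates a value once it has been used; if it is accepted again, it can be replayed until it expires." The "Session Manipulation" bullet below already covers reuse across sessions, so the two bullets overlap and could be merged.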
@ -42,15 +42,11 @@ To **bypass** the captcha during **server testing** and automate user input func
|
||||||
* **Audio Captcha Analysis**: If an audio captcha option is available, use speech-to-text services to interpret and solve the captcha.
|
* **Audio Captcha Analysis**: If an audio captcha option is available, use speech-to-text services to interpret and solve the captcha.
|
||||||
|
|
||||||
|
|
||||||
## Online Services to bypass captchas
|
## Online Services to solve captchas
|
||||||
|
|
||||||
### [Capsolver](https://www.capsolver.com/)
|
### [Capsolver](https://www.capsolver.com/)
|
||||||
|
|
||||||
Capsolver‘s automatic captcha solver offers the **most affordable and quick captcha-solving solution**. You may rapidly combine it with your program using its simple integration option to achieve the best results in a matter of seconds.
|
Capsolver's automatic captcha solver offers an **affordable and quick captcha-solving solution**. You may rapidly combine it with your program using its simple integration option to achieve the best results in a matter of seconds. It can solve reCAPTCHA V2 and V3, hCaptcha, FunCaptcha, datadome, aws captcha, picture-to-text, binance / coinmarketcap captcha, geetest v3, and more. However, this is not a bypass per-se.
|
||||||
|
|
||||||
With a success rate of 99.15%, Capsolver can **answer more than 10M captchas every minute**. This implies that your automation or scrape will have a 99.99% uptime. You may buy a captcha package if you have a large budget.
|
|
||||||
|
|
||||||
At the lowest price on the market, you may receive a variety of solutions, including reCAPTCHA V2, reCAPTCHA V3, hCaptcha, hCaptcha Click, reCaptcha click, Funcaptcha Click, FunCaptcha, datadome captcha, aws captcha, picture-to-text, binance / coinmarketcap captcha, geetest v3 / v3, and more. With this service, **0.1s is the slowest speed ever measured**.
|
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
|
|
|
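Review bot: "per-se" in the rewritten Capsolver paragraph should be "per se" (Latin phrase, no hyphen), and the vendor casing is inconsistent within the same list ("datadome", "aws captcha" next to "reCAPTCHA", "hCaptcha"); write "DataDome" and "AWS captcha" or at least capitalize them. The paragraph still reads as vendor copy ("achieve the best results in a matter of seconds"); since the heading was renamed from "bypass" to "solve" precisely to make the point that this is a paid solving service rather than a bypass, the paragraph could simply state what the service is, which captcha types it handles, and that the solver returns a token the tester then submits with the request. Dropping the "99.15%" / "10M captchas every minute" / "0.1s" marketing paragraphs is the right call.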
@ -17,9 +17,9 @@ Other ways to support HackTricks:
|
||||||
|
|
||||||
# Summary
|
# Summary
|
||||||
|
|
||||||
It is like a [**Server Side Template Injection**](ssti-server-side-template-injection/) but in the **client**. The **SSTI** can allow you to **execute code** on the remote server, the **CSTI** could allow you to **execute arbitrary JavaScript** code in the victim.
|
It is like a [**Server Side Template Injection**](ssti-server-side-template-injection/) but in the **client**. The **SSTI** can allow you to **execute code** on the remote server, the **CSTI** could allow you to **execute arbitrary JavaScript** code in the victim's browser.
|
||||||
|
|
||||||
The way to **test** for this vulnerability is very **similar** as in the case of **SSTI**, the interpreter is going to expect something to execute **between doubles keys** and will execute it. For example using something like: `{{ 7-7 }}` if the server is **vulnerable** you will see a `0` and if not you will see the original: `{{ 7-7 }}`
|
**Testing** for this vulnerability is very **similar** as in the case of **SSTI**, the interpreter expects **a template** and will execute it. For example, with a payload like `{{ 7-7 }}`, if the app is **vulnerable** you will see a `0`, and if not, you will see the original: `{{ 7-7 }}`
|
||||||
|
|
||||||
# AngularJS
|
# AngularJS
|
||||||
|
|
||||||
|
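Review bot: "very similar as in the case of SSTI" in the rewritten testing paragraph is still ungrammatical; use "very similar to SSTI". The rewrite also dropped the one concrete detail the old line carried, namely that the probe goes inside double curly braces (the old "between doubles keys" was a garbled way of saying that). Suggest: "Testing for this vulnerability is very similar to SSTI: the interpreter expects a template expression between double curly braces and evaluates it. For example, with a payload like `{{ 7-7 }}`, if the app is vulnerable you will see a `0`, and if not, you will see the original `{{ 7-7 }}`."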
@ -44,7 +44,7 @@ You can find a very **basic online example** of the vulnerability in **AngularJS
|
||||||
|
|
||||||
# VueJS
|
# VueJS
|
||||||
|
|
||||||
You can find a **vulnerable vue.js** implementation in [https://vue-client-side-template-injection-example.azu.now.sh/](https://vue-client-side-template-injection-example.azu.now.sh)\
|
You can find a **vulnerable Vue** implementation in [https://vue-client-side-template-injection-example.azu.now.sh/](https://vue-client-side-template-injection-example.azu.now.sh)\
|
||||||
Working payload: [`https://vue-client-side-template-injection-example.azu.now.sh/?name=%7B%7Bthis.constructor.constructor(%27alert(%22foo%22)%27)()%7D%`](https://vue-client-side-template-injection-example.azu.now.sh/?name=%7B%7Bthis.constructor.constructor\(%27alert\(%22foo%22\)%27\)\(\)%7D%7D)
|
Working payload: [`https://vue-client-side-template-injection-example.azu.now.sh/?name=%7B%7Bthis.constructor.constructor(%27alert(%22foo%22)%27)()%7D%`](https://vue-client-side-template-injection-example.azu.now.sh/?name=%7B%7Bthis.constructor.constructor\(%27alert\(%22foo%22\)%27\)\(\)%7D%7D)
|
||||||
|
|
||||||
And the **source code** of the vulnerable example here: [https://github.com/azu/vue-client-side-template-injection-example](https://github.com/azu/vue-client-side-template-injection-example)
|
And the **source code** of the vulnerable example here: [https://github.com/azu/vue-client-side-template-injection-example](https://github.com/azu/vue-client-side-template-injection-example)
|
||||||
|
|
|
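Review bot: the unchanged "Working payload" line in this hunk has a truncated visible URL: the link text ends in `%7D%` while the href ends in `%7D%7D`, so the displayed payload is missing the closing `}}` of the `{{ ... }}` expression. Since this region is being edited, fix the link text to end in `%7D%7D` as well. It would also help the reader to say what the payload does: `this.constructor.constructor('alert("foo")')()` reaches the `Function` constructor from inside the template scope and calls the function it builds, which is why it yields arbitrary JavaScript execution.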
@ -33,7 +33,7 @@ Software:
|
||||||
* [https://www.pnfsoftware.com/jeb/demo](https://www.pnfsoftware.com/jeb/demo)
|
* [https://www.pnfsoftware.com/jeb/demo](https://www.pnfsoftware.com/jeb/demo)
|
||||||
* [https://github.com/wwwg/wasmdec](https://github.com/wwwg/wasmdec)
|
* [https://github.com/wwwg/wasmdec](https://github.com/wwwg/wasmdec)
|
||||||
|
|
||||||
## .Net decompiler
|
## .NET decompiler
|
||||||
|
|
||||||
### [dotPeek](https://www.jetbrains.com/decompiler/)
|
### [dotPeek](https://www.jetbrains.com/decompiler/)
|
||||||
|
|
||||||
|
@ -41,7 +41,7 @@ dotPeek is a decompiler that **decompiles and examines multiple formats**, inclu
|
||||||
|
|
||||||
The merit here is that if a lost source code requires restoration from a legacy assembly, this action can save time. Further, dotPeek provides handy navigation throughout the decompiled code, making it one of the perfect tools for **Xamarin algorithm analysis.**
|
The merit here is that if a lost source code requires restoration from a legacy assembly, this action can save time. Further, dotPeek provides handy navigation throughout the decompiled code, making it one of the perfect tools for **Xamarin algorithm analysis.**
|
||||||
|
|
||||||
### [.Net Reflector](https://www.red-gate.com/products/reflector/)
|
### [.NET Reflector](https://www.red-gate.com/products/reflector/)
|
||||||
|
|
||||||
With a comprehensive add-in model and an API that extends the tool to suit your exact needs, .NET reflector saves time and simplifies development. Let's take a look at the plethora of reverse engineering services this tool provides:
|
With a comprehensive add-in model and an API that extends the tool to suit your exact needs, .NET reflector saves time and simplifies development. Let's take a look at the plethora of reverse engineering services this tool provides:
|
||||||
|
|
||||||
|
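Review bot: the heading is changed to ".NET Reflector" but the unchanged body line directly below still reads ".NET reflector" with a lowercase r; apply the same product-name casing there. The sentence "saves time and simplifies development. Let's take a look at the plethora of reverse engineering services this tool provides" is vendor copy rather than a description of what the tool gives a reverser (decompiling assemblies back to C#, browsing IL, extending it with add-ins); consider trimming it to that.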
@ -55,14 +55,13 @@ With a comprehensive add-in model and an API that extends the tool to suit your
|
||||||
### [ILSpy](https://github.com/icsharpcode/ILSpy) & [dnSpy](https://github.com/dnSpy/dnSpy/releases)
|
### [ILSpy](https://github.com/icsharpcode/ILSpy) & [dnSpy](https://github.com/dnSpy/dnSpy/releases)
|
||||||
|
|
||||||
[ILSpy plugin for Visual Studio Code](https://github.com/icsharpcode/ilspy-vscode): You can have it in any OS (you can install it directly from VSCode, no need to download the git. Click on **Extensions** and **search ILSpy**).\
|
[ILSpy plugin for Visual Studio Code](https://github.com/icsharpcode/ilspy-vscode): You can have it in any OS (you can install it directly from VSCode, no need to download the git. Click on **Extensions** and **search ILSpy**).\
|
||||||
If you need to **decompile**, **modify** and **recompile** again you can use: [**https://github.com/0xd4d/dnSpy/releases**](https://github.com/0xd4d/dnSpy/releases) (**Right Click -> Modify Method** to change something inside a function).\
|
If you need to **decompile**, **modify** and **recompile** again you can use [**dnSpy**](https://github.com/dnSpy/dnSpy/releases) or an actively maintained fork of it, [**dnSpyEx**](https://github.com/dnSpyEx/dnSpy/releases). (**Right Click -> Modify Method** to change something inside a function).
|
||||||
You cloud also try [https://www.jetbrains.com/es-es/decompiler/](https://www.jetbrains.com/es-es/decompiler/)
|
|
||||||
|
|
||||||
### DNSpy Logging
|
### DNSpy Logging
|
||||||
|
|
||||||
In order to make **DNSpy log some information in a file**, you could use this .Net lines:
|
In order to make **DNSpy log some information in a file**, you could use this snippet:
|
||||||
|
|
||||||
```bash
|
```cs
|
||||||
using System.IO;
|
using System.IO;
|
||||||
path = "C:\\inetpub\\temp\\MyTest2.txt";
|
path = "C:\\inetpub\\temp\\MyTest2.txt";
|
||||||
File.AppendAllText(path, "Password: " + password + "\n");
|
File.AppendAllText(path, "Password: " + password + "\n");
|
||||||
|
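Review bot: changing the fence on the logging snippet from `bash` to `cs` is correct, but the snippet is still not valid C# as written: `path` is assigned without a declaration, so it will not compile when pasted into a method via "Right Click -> Modify Method". Suggest `string path = "C:\\inetpub\\temp\\MyTest2.txt";` plus a comment that `password` stands for whatever local or parameter holds the value you want to capture in the patched method. The section heading and intro still say "DNSpy" while the new link text says "dnSpy"; use "dnSpy" throughout. Since the new line introduces dnSpyEx as "an actively maintained fork", it should also say plainly that the original dnSpy is no longer maintained, which is the reason for pointing readers at the fork.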
@ -95,13 +94,13 @@ And click on **compile**:
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (314) (1) (1).png>)
|
![](<../../.gitbook/assets/image (314) (1) (1).png>)
|
||||||
|
|
||||||
Then save the new file on _**File >> Save module...**_:
|
Then save the new file via _**File >> Save module...**_:
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (279).png>)
|
![](<../../.gitbook/assets/image (279).png>)
|
||||||
|
|
||||||
This is necessary because if you don't do this, at **runtime** several **optimisations** will be applied to the code and it could be possible that while debugging a **break-point is never hit** or some **variables don't exist**.
|
This is necessary because if you don't do this, at **runtime** several **optimisations** will be applied to the code and it could be possible that while debugging a **break-point is never hit** or some **variables don't exist**.
|
||||||
|
|
||||||
Then, if your .Net application is being **run** by **IIS** you can **restart** it with:
|
Then, if your .NET application is being **run** by **IIS** you can **restart** it with:
|
||||||
|
|
||||||
```
|
```
|
||||||
iisreset /noforce
|
iisreset /noforce
|
||||||
|
@ -121,7 +120,7 @@ Now that we are debugging the process, it's time to stop it and load all the mod
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (283).png>)
|
![](<../../.gitbook/assets/image (283).png>)
|
||||||
|
|
||||||
Click any module on **Modules** and selec**t Open All Modules**:
|
Click any module on **Modules** and select **Open All Modules**:
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (284).png>)
|
![](<../../.gitbook/assets/image (284).png>)
|
||||||
|
|
||||||
|
@ -239,16 +238,16 @@ The **Create Dump** option will dump the final shellcode if any change is done t
|
||||||
|
|
||||||
### Disassembling using CyberChef
|
### Disassembling using CyberChef
|
||||||
|
|
||||||
Upload you shellcode file as input and use the following receipt to decompile it: [https://gchq.github.io/CyberChef/#recipe=To\_Hex('Space',0)Disassemble\_x86('32','Full%20x86%20architecture',16,0,true,true)](https://gchq.github.io/CyberChef/#recipe=To\_Hex\('Space',0\)Disassemble\_x86\('32','Full%20x86%20architecture',16,0,true,true\))
|
Upload your shellcode file as input and use the following recipe to decompile it: [https://gchq.github.io/CyberChef/#recipe=To\_Hex('Space',0)Disassemble\_x86('32','Full%20x86%20architecture',16,0,true,true)](https://gchq.github.io/CyberChef/#recipe=To\_Hex\('Space',0\)Disassemble\_x86\('32','Full%20x86%20architecture',16,0,true,true\))
|
||||||
|
|
||||||
## [Movfuscator](https://github.com/xoreaxeaxeax/movfuscator)
|
## [Movfuscator](https://github.com/xoreaxeaxeax/movfuscator)
|
||||||
|
|
||||||
This obfuscator **modify all the instructions for `mov`**(yeah, really cool). It also uses interruptions to change executions flows. For more information about how does it works:
|
This obfuscator **modifies all the instructions for `mov`**(yeah, really cool). It also uses interruptions to change executions flows. For more information about how does it works:
|
||||||
|
|
||||||
* [https://www.youtube.com/watch?v=2VF\_wPkiBJY](https://www.youtube.com/watch?v=2VF\_wPkiBJY)
|
* [https://www.youtube.com/watch?v=2VF\_wPkiBJY](https://www.youtube.com/watch?v=2VF\_wPkiBJY)
|
||||||
* [https://github.com/xoreaxeaxeax/movfuscator/blob/master/slides/domas\_2015\_the\_movfuscator.pdf](https://github.com/xoreaxeaxeax/movfuscator/blob/master/slides/domas\_2015\_the\_movfuscator.pdf)
|
* [https://github.com/xoreaxeaxeax/movfuscator/blob/master/slides/domas\_2015\_the\_movfuscator.pdf](https://github.com/xoreaxeaxeax/movfuscator/blob/master/slides/domas\_2015\_the\_movfuscator.pdf)
|
||||||
|
|
||||||
If you are lucky [demovfuscator ](https://github.com/kirschju/demovfuscator)will deofuscate the binary. It has several dependencies
|
If you are lucky [demovfuscator](https://github.com/kirschju/demovfuscator) will deofuscate the binary. It has several dependencies
|
||||||
|
|
||||||
```
|
```
|
||||||
apt-get install libcapstone-dev
|
apt-get install libcapstone-dev
|
||||||
|
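Review bot: "use the following recipe to decompile it" on the CyberChef line contradicts both the heading ("Disassembling using CyberChef") and the recipe itself (`Disassemble_x86`); write "disassemble it". The Movfuscator paragraph was only partly fixed: "modifies all the instructions for `mov`" should be "replaces every instruction with `mov` instructions", "uses interruptions to change executions flows" should be "uses interrupts to change execution flow", and "how does it works" should be "how it works". On the demovfuscator line, "deofuscate" is a typo for "deobfuscate".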
@ -272,7 +271,7 @@ Having the **name** of the **functions** being called, search for them on the **
|
||||||
|
|
||||||
For Delphi compiled binaries you can use [https://github.com/crypto2011/IDR](https://github.com/crypto2011/IDR)
|
For Delphi compiled binaries you can use [https://github.com/crypto2011/IDR](https://github.com/crypto2011/IDR)
|
||||||
|
|
||||||
I you have to reverse a Delphi binary I would suggest you to use the IDA plugin [https://github.com/Coldzer0/IDA-For-Delphi](https://github.com/Coldzer0/IDA-For-Delphi)
|
If you have to reverse a Delphi binary I would suggest you to use the IDA plugin [https://github.com/Coldzer0/IDA-For-Delphi](https://github.com/Coldzer0/IDA-For-Delphi)
|
||||||
|
|
||||||
Just press **ATL+f7** (import python plugin in IDA) and select the python plugin.
|
Just press **ATL+f7** (import python plugin in IDA) and select the python plugin.
|
||||||
|
|
||||||
|
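Review bot: "I would suggest you to use" on the rewritten Delphi line is still awkward; "I would suggest using the IDA plugin" reads better. The unchanged line below it has "ATL+f7", which should be "Alt+F7" (the IDA shortcut for loading a script file); the same typo appears in the Golang hunk below.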
@ -282,7 +281,7 @@ It is also very interesting because if you press a button in the graphic applica
|
||||||
|
|
||||||
## Golang
|
## Golang
|
||||||
|
|
||||||
I you have to reverse a Golang binary I would suggest you to use the IDA plugin [https://github.com/sibears/IDAGolangHelper](https://github.com/sibears/IDAGolangHelper)
|
If you have to reverse a Golang binary I would suggest you to use the IDA plugin [https://github.com/sibears/IDAGolangHelper](https://github.com/sibears/IDAGolangHelper)
|
||||||
|
|
||||||
Just press **ATL+f7** (import python plugin in IDA) and select the python plugin.
|
Just press **ATL+f7** (import python plugin in IDA) and select the python plugin.
|
||||||
|
|
||||||
|
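Review bot: same two points as the Delphi hunk above: "I would suggest you to use" reads better as "I would suggest using", and "ATL+f7" in the unchanged line should be "Alt+F7".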
@ -324,7 +323,7 @@ R = 256
|
||||||
L = 256
|
L = 256
|
||||||
```
|
```
|
||||||
|
|
||||||
So, in this kind of programs, the an interesting part will be **how the program treats the user input**. In the address **0x4000130** you will find the commonly found function: **KEYINPUT.**
|
So, in this kind of program, the interesting part will be **how the program treats the user input**. In the address **0x4000130** you will find the commonly found function: **KEYINPUT**.
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (579).png>)
|
![](<../../.gitbook/assets/image (579).png>)
|
||||||
|
|
||||||
|
|
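Review bot: "In the address **0x4000130**" on the rewritten line should be "At address **0x4000130**", and calling KEYINPUT "the commonly found function" is misleading: on the GBA, 0x4000130 is the KEYINPUT key-status I/O register (a bit is cleared while the corresponding button is held), not a function. Suggest: "At address **0x4000130** is the **KEYINPUT** register, which the game reads to learn which buttons are pressed."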