GitBook: [#3669] No subject

This commit is contained in:
CPol 2022-12-03 18:45:54 +00:00 committed by gitbook-bot
parent 0ba8c55692
commit e51198173a
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
11 changed files with 52 additions and 32 deletions

Binary file not shown.

After

Width:  |  Height:  |  Size: 2.7 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 2.7 KiB

After

Width:  |  Height:  |  Size: 230 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 71 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 71 KiB

After

Width:  |  Height:  |  Size: 719 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 31 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 31 KiB

After

Width:  |  Height:  |  Size: 238 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 238 KiB

After

Width:  |  Height:  |  Size: 127 KiB

View file

@ -164,7 +164,7 @@ In this case you can see that **you shouldn't use the char 0x0A** (nothing is sa
In this case you can see that **the char 0x0D is avoided**: In this case you can see that **the char 0x0D is avoided**:
![](<../.gitbook/assets/image (34).png>) ![](<../.gitbook/assets/image (34) (1).png>)
## Find a JMP ESP as a return address ## Find a JMP ESP as a return address
@ -182,7 +182,7 @@ You will **list the memory maps**. Search for some DLl that has:
* **NXCompat: False** * **NXCompat: False**
* **OS Dll: True** * **OS Dll: True**
![](<../.gitbook/assets/image (35).png>) ![](<../.gitbook/assets/image (35) (1).png>)
Now, inside this memory you should find some JMP ESP bytes, to do that execute: Now, inside this memory you should find some JMP ESP bytes, to do that execute:
@ -193,7 +193,7 @@ Now, inside this memory you should find some JMP ESP bytes, to do that execute:
**Then, if some address is found, choose one that don't contain any badchar:** **Then, if some address is found, choose one that don't contain any badchar:**
![](<../.gitbook/assets/image (36).png>) ![](<../.gitbook/assets/image (36) (1).png>)
**In this case, for example: \_0x5f4a358f**\_ **In this case, for example: \_0x5f4a358f**\_

View file

@ -57,6 +57,10 @@ The desktop application might have access to the users device through Node AP
* **`contextIsolation`** - is `on` by default. If on, main and renderer processes aren't isolated. * **`contextIsolation`** - is `on` by default. If on, main and renderer processes aren't isolated.
* **`preload`** - empty by default. * **`preload`** - empty by default.
* [**`sandbox`**](https://docs.w3cub.com/electron/api/sandbox-option) - is off by default. It will restrict the actions NodeJS can perform. * [**`sandbox`**](https://docs.w3cub.com/electron/api/sandbox-option) - is off by default. It will restrict the actions NodeJS can perform.
* Node Integration in Workers
* **`nodeIntegrationInSubframes`**- is `off` by default.
* If **`nodeIntregation`** is **enabled**, this would allow the use of **Node.js APIs** in web pages that are **loaded in iframes** within an Electron application.
* If **`nodeIntregation`** is **disabled**, then preloads will load in the iframe
Example of configuration: Example of configuration:
@ -75,7 +79,9 @@ const mainWindowOptions = {
webPreferences: { webPreferences: {
blinkFeatures: 'EnumerateDevices,AudioOutputDevices', blinkFeatures: 'EnumerateDevices,AudioOutputDevices',
nodeIntegration: false, nodeIntegration: false,
contextIsolation: false contextIsolation: false,
sandbox: false,
nodeIntegrationInSubFrames: false,
preload: _path2.default.join(__dirname, 'mainScreenPreload.js'), preload: _path2.default.join(__dirname, 'mainScreenPreload.js'),
nativeWindowOpen: true, nativeWindowOpen: true,
enableRemoteModule: false, enableRemoteModule: false,
@ -118,6 +124,8 @@ If the **nodeIntegration** is set to **on**, a web page's JavaScript can use Nod
</script> </script>
``` ```
<figure><img src="../../../.gitbook/assets/image.png" alt=""><figcaption></figcaption></figure>
## RCE: preload ## RCE: preload
The script indicated in this setting is l**oaded before other scripts in the renderer**, so it has **unlimited access to Node APIs**: The script indicated in this setting is l**oaded before other scripts in the renderer**, so it has **unlimited access to Node APIs**:
@ -263,7 +271,7 @@ webContents.on("new-window", function (event, url, disposition, options) {} // o
webContents.on("will-navigate", function (event, url) {} // opens the custom openInternally function (it is declared below) webContents.on("will-navigate", function (event, url) {} // opens the custom openInternally function (it is declared below)
``` ```
The call to \*\* `openInternally`\*\* will decide if the **link** will be **opened** in the **desktop window** as it's a link belonging to the platform, **or** if will be opened in the **browser as a 3rd party resource**. The call to **`openInternally`** will decide if the **link** will be **opened** in the **desktop window** as it's a link belonging to the platform, **or** if will be opened in the **browser as a 3rd party resource**.
In the case the **regex** used by the function is **vulnerable to bypasses** (for example by **not escaping the dots of subdomains**) an attacker could abuse the XSS to **open a new window which** will be located in the attackers infrastructure **asking for credentials** to the user: In the case the **regex** used by the function is **vulnerable to bypasses** (for example by **not escaping the dots of subdomains**) an attacker could abuse the XSS to **open a new window which** will be located in the attackers infrastructure **asking for credentials** to the user:
@ -317,6 +325,7 @@ npm start
* [https://www.youtube.com/watch?v=a-YnG3Mx-Tg](https://www.youtube.com/watch?v=a-YnG3Mx-Tg) * [https://www.youtube.com/watch?v=a-YnG3Mx-Tg](https://www.youtube.com/watch?v=a-YnG3Mx-Tg)
* [https://www.youtube.com/watch?v=xILfQGkLXQo\&t=22s](https://www.youtube.com/watch?v=xILfQGkLXQo\&t=22s) * [https://www.youtube.com/watch?v=xILfQGkLXQo\&t=22s](https://www.youtube.com/watch?v=xILfQGkLXQo\&t=22s)
* More researches and write-ups about Electron security in [https://github.com/doyensec/awesome-electronjs-hacking](https://github.com/doyensec/awesome-electronjs-hacking) * More researches and write-ups about Electron security in [https://github.com/doyensec/awesome-electronjs-hacking](https://github.com/doyensec/awesome-electronjs-hacking)
* [https://www.youtube.com/watch?v=Tzo8ucHA5xw\&list=PLH15HpR5qRsVKcKwvIl-AzGfRqKyx--zq\&index=81](https://www.youtube.com/watch?v=Tzo8ucHA5xw\&list=PLH15HpR5qRsVKcKwvIl-AzGfRqKyx--zq\&index=81)
<details> <details>

View file

@ -4,15 +4,11 @@
<summary><strong>Support HackTricks and get benefits!</strong></summary> <summary><strong>Support HackTricks and get benefits!</strong></summary>
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details> </details>
@ -62,18 +58,26 @@ location.reload();//Trigger the "exit" event
</script> </script>
``` ```
## Example 2
Get **require object from prototype pollution**. From [https://www.youtube.com/watch?v=Tzo8ucHA5xw\&list=PLH15HpR5qRsVKcKwvIl-AzGfRqKyx--zq\&index=81](https://www.youtube.com/watch?v=Tzo8ucHA5xw\&list=PLH15HpR5qRsVKcKwvIl-AzGfRqKyx--zq\&index=81)
Leak:
<figure><img src="../../../.gitbook/assets/image (34).png" alt=""><figcaption></figcaption></figure>
Exploit:
<figure><img src="../../../.gitbook/assets/image (35).png" alt=""><figcaption></figcaption></figure>
<details> <details>
<summary><strong>Support HackTricks and get benefits!</strong></summary> <summary><strong>Support HackTricks and get benefits!</strong></summary>
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details> </details>

View file

@ -12,7 +12,7 @@
</details> </details>
<figure><img src="../../.gitbook/assets/image.png" alt=""><figcaption></figcaption></figure> <figure><img src="../../.gitbook/assets/image (36).png" alt=""><figcaption></figcaption></figure>
Did you know that crypto projects pay more bounty rewards than their web2 counterparts?\ Did you know that crypto projects pay more bounty rewards than their web2 counterparts?\
This [**crypto bounty alone**](https://hackenproof.com/jungle/jungle-smart-contract) is worth $1.000.000!\ This [**crypto bounty alone**](https://hackenproof.com/jungle/jungle-smart-contract) is worth $1.000.000!\
@ -112,30 +112,37 @@ http://example.com/index.php?page=utils/scripts/../../../../../etc/passwd
### Identifying folders on a server ### Identifying folders on a server
Depending on the applicative code / allowed characters, it might be possible to recursively explore the file system by discovering folders and not just files. In order to do so: Depending on the applicative code / allowed characters, it might be possible to recursively explore the file system by discovering folders and not just files. In order to do so:
- identify the "depth" of you current directory by succesfully retrieving `/etc/passwd` (if on Linux):
* identify the "depth" of you current directory by succesfully retrieving `/etc/passwd` (if on Linux):
``` ```
http://example.com/index.php?page=../../../etc/passwd # depth of 3 http://example.com/index.php?page=../../../etc/passwd # depth of 3
```` ```
- try and guess the name of a folder in the current directory by adding the folder name (here, `private`), and then going back to `/etc/passwd`:
* try and guess the name of a folder in the current directory by adding the folder name (here, `private`), and then going back to `/etc/passwd`:
``` ```
http://example.com/index.php?page=private/../../../../etc/passwd # we went deeper down one level, so we have to go 3+1=4 levels up to go back to /etc/passwd http://example.com/index.php?page=private/../../../../etc/passwd # we went deeper down one level, so we have to go 3+1=4 levels up to go back to /etc/passwd
``` ```
- if the application is vulnerable, there might be two different outcomes to the request:
- if you get an error / no output, the `private` folder does not exist at this location
- if you get the content from `/etc/passwd`, you validated that there is indeed a `private`folder in your current directory
- the folder(s) you discovered using this techniques can then be fuzzed for files (using a classic LFI method) or for subdirectories using the same technique recursively. * if the application is vulnerable, there might be two different outcomes to the request:
* if you get an error / no output, the `private` folder does not exist at this location
* if you get the content from `/etc/passwd`, you validated that there is indeed a `private`folder in your current directory
* the folder(s) you discovered using this techniques can then be fuzzed for files (using a classic LFI method) or for subdirectories using the same technique recursively.
It is possible to adapt this technique to find directories at any location in the file system. For instance, if, under the same hypothesis (current directory at depth 3 of the file system) you want to check if `/var/www/` contains a `private` directory, use the following payload: It is possible to adapt this technique to find directories at any location in the file system. For instance, if, under the same hypothesis (current directory at depth 3 of the file system) you want to check if `/var/www/` contains a `private` directory, use the following payload:
``` ```
http://example.com/index.php?page=../../../var/www/private/../../../etc/passwd http://example.com/index.php?page=../../../var/www/private/../../../etc/passwd
``` ```
The following sequence of commands allows the generation of payloads using `sed` (1) as input for url fuzzing tools such as `ffuf` (2): The following sequence of commands allows the generation of payloads using `sed` (1) as input for url fuzzing tools such as `ffuf` (2):
``` ```
$ sed 's_^_../../../var/www/_g' /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt | sed 's_$_/../../../etc/passwd_g' > payloads.txt $ sed 's_^_../../../var/www/_g' /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt | sed 's_$_/../../../etc/passwd_g' > payloads.txt
$ ffuf -u http://example.com/index.php?page=FUZZ -w payloads.txt -mr "root" $ ffuf -u http://example.com/index.php?page=FUZZ -w payloads.txt -mr "root"
``` ```
Of course, adapt there payloads to your needs in terms of depth / location / input directory list. Of course, adapt there payloads to your needs in terms of depth / location / input directory list.
### **Path truncation** ### **Path truncation**