restructured Exploits

2022-11-13 22:51:45 +01:00 · 2022-11-13 22:38:01 +01:00
178 changed files with 102 additions and 2485 deletions
--- a/.gitmodules
+++ b/.gitmodules
@ -13,9 +13,6 @@
 [submodule "reverse_shells/One-Lin3r"]
 	path = reverse_shells/One-Lin3r
 	url = https://github.com/D4Vinci/One-Lin3r.git
-[submodule "exploit/web/php/Chankro"]
-	path = exploit/web/php/Chankro
-	url = https://github.com/TarlogicSecurity/Chankro.git
 [submodule "enumeration/enumeration"]
 	path = enumeration/enumeration
 	url = https://github.com/digininja/CeWL.git
@ -34,9 +31,6 @@
 [submodule "enumeration/priv_esc/deepce"]
 	path = enumeration/priv_esc/deepce
 	url = https://github.com/stealthcopter/deepce.git
-[submodule "exploit/web/content_security_policy/JSONBee"]
-	path = exploit/web/content_security_policy/JSONBee
-	url = https://github.com/zigoo0/JSONBee.git
 [submodule "post_exploitation/firefox_decrypt"]
 	path = post_exploitation/firefox_decrypt
 	url = https://github.com/unode/firefox_decrypt.git
@ -55,63 +49,30 @@
 [submodule "reverse_shells/phpreverseshell"]
 	path = reverse_shells/phpreverseshell
 	url = https://github.com/rootkral4/phpreverseshell.git
-[submodule "exploit/web/xxe/xxeserv"]
-	path = exploit/web/xxe/xxeserv
-	url = https://github.com/staaldraad/xxeserv.git
 [submodule "reverse_engineering/SCDBG"]
 	path = reverse_engineering/SCDBG
 	url = https://github.com/dzzie/SCDBG.git
 [submodule "reverse_engineering/java/deobfuscator"]
 	path = reverse_engineering/java/deobfuscator
 	url = https://github.com/java-deobfuscator/deobfuscator.git
-[submodule "exploit/windows/CrackMapExec"]
-	path = exploit/windows/CrackMapExec
-	url = https://github.com/byt3bl33d3r/CrackMapExec.git
 [submodule "telecommunications/sipvicious"]
 	path = telecommunications/sipvicious
 	url = https://github.com/EnableSecurity/sipvicious.git
 [submodule "exploit/windows/PrintNightmare"]
 	path = exploit/windows/PrintNightmare
 	url = https://github.com/ly4k/PrintNightmare.git
-[submodule "exploit/web/php/phpggc"]
-	path = exploit/web/php/phpggc
-	url = https://github.com/ambionics/phpggc.git
 [submodule "post_exploitation/priv_esc/sucrack"]
 	path = post_exploitation/priv_esc/sucrack
 	url = https://github.com/hemp3l/sucrack.git
-[submodule "exploit/java/JNDI-Exploit-Kit"]
-	path = exploit/java/JNDI-Exploit-Kit
-	url = https://github.com/pimps/JNDI-Exploit-Kit.git
-[submodule "exploit/binaries/buffer_overflow/ropstar"]
-	path = exploit/binaries/buffer_overflow/ropstar
-	url = https://github.com/xct/ropstar.git
-[submodule "exploit/java/log4j-scan"]
-	path = exploit/java/log4j-scan
-	url = https://github.com/fullhunt/log4j-scan.git
 [submodule "exploit/windows/printspoofer"]
 	path = exploit/windows/printspoofer
 	url = https://github.com/dievus/printspoofer.git
 [submodule "post_exploitation/powershell"]
 	path = post_exploitation/powershell
 	url = https://github.com/puckiestyle/powershell.git
-[submodule "exploit/macOS/ds_store_exp"]
-	path = exploit/macOS/ds_store_exp
-	url = https://github.com/lijiejie/ds_store_exp.git
-[submodule "exploit/macOS/DS_Store_crawler_parser"]
-	path = exploit/macOS/DS_Store_crawler_parser
-	url = https://github.com/anantshri/DS_Store_crawler_parser.git
-[submodule "exploit/macOS/Python-dsstore"]
-	path = exploit/macOS/Python-dsstore
-	url = https://github.com/gehaxelt/Python-dsstore.git
 [submodule "post_exploitation/armitage"]
 	path = post_exploitation/armitage
 	url = https://gitlab.com/kalilinux/packages/armitage.git
-[submodule "exploit/linux/dirty_pipe/CVE-2022-0847-dirty-pipe-exploit"]
-	path = exploit/linux/dirty_pipe/CVE-2022-0847-dirty-pipe-exploit
-	url = https://github.com/cspshivam/CVE-2022-0847-dirty-pipe-exploit.git
-[submodule "exploit/padding/PadBuster"]
-	path = exploit/padding/PadBuster
-	url = https://github.com/AonCyberLabs/PadBuster.git
 [submodule "post_exploitation/bc_security/Empire"]
 	path = post_exploitation/bc_security/Empire
 	url = https://github.com/BC-SECURITY/Empire.git
@ -121,33 +82,6 @@
 [submodule "misc/bruteforce/patator"]
 	path = misc/bruteforce/patator
 	url = https://github.com/lanjelot/patator.git
-[submodule "exploit/samba/smbmap"]
-	path = exploit/samba/smbmap
-	url = https://github.com/ShawnDEvans/smbmap.git
-[submodule "exploit/web/beef"]
-	path = exploit/web/beef
-	url = https://github.com/beefproject/beef.git
-[submodule "exploit/web/jwt/jwt-cracker"]
-	path = exploit/web/jwt/jwt-cracker
-	url = https://github.com/lmammino/jwt-cracker.git
-[submodule "exploit/web/jwt/jwt_tool"]
-	path = exploit/web/jwt/jwt_tool
-	url = https://github.com/ticarpi/jwt_tool.git
-[submodule "exploit/web/ssti/tplmap"]
-	path = exploit/web/ssti/tplmap
-	url = https://github.com/epinna/tplmap.git
-[submodule "exploit/windows/impacket"]
-	path = exploit/windows/impacket
-	url = https://github.com/SecureAuthCorp/impacket.git
-[submodule "exploit/windows/windows-kernel-exploits"]
-	path = exploit/windows/windows-kernel-exploits
-	url = https://github.com/SecWiki/windows-kernel-exploits.git
-[submodule "exploit/PayloadsAllTheThings"]
-	path = exploit/PayloadsAllTheThings
-	url = https://github.com/swisskyrepo/PayloadsAllTheThings.git
-[submodule "exploit/GitTools"]
-	path = exploit/GitTools
-	url = https://github.com/internetwache/GitTools
 [submodule "misc/level3_hypervisor/docker_sec/dive"]
 	path = misc/level3_hypervisor/docker_sec/dive
 	url = https://github.com/wagoodman/dive.git
@ -169,9 +103,3 @@
 [submodule "reverse_shells/windows/evil-winrm"]
 	path = reverse_shells/windows/evil-winrm
 	url = https://github.com/Hackplayers/evil-winrm.git
-[submodule "exploit/level3_hypervisor/docker_sec/dive"]
-	path = exploit/level3_hypervisor/docker_sec/dive
-	url = https://github.com/wagoodman/dive.git
-[submodule "exploit/level3_hypervisor/kubeletctl"]
-	path = exploit/level3_hypervisor/kubeletctl
-	url = https://github.com/cyberark/kubeletctl.git
--- a/Exploits/Binaries/ASLR.md
+++ b/Exploits/Binaries/ASLR.md
--- a/exploit/binaries/buffer_overflow/docs/buffer_overflow.md
+++ b/exploit/binaries/buffer_overflow/docs/buffer_overflow.md
--- a/exploit/binaries/canary_bypass/canary_bypass.md
+++ b/exploit/binaries/canary_bypass/canary_bypass.md
--- a/exploit/binaries/buffer_overflow/docs/cut_stack_in_half.md
+++ b/exploit/binaries/buffer_overflow/docs/cut_stack_in_half.md
--- a/exploit/binaries/format_string/format_string.md
+++ b/exploit/binaries/format_string/format_string.md
--- a/exploit/binaries/integral_promotion/integral_promotion.md
+++ b/exploit/binaries/integral_promotion/integral_promotion.md
--- a/Exploits/Binaries/PLT+GOT.md
+++ b/Exploits/Binaries/PLT+GOT.md
--- a/exploit/binaries/buffer_overflow/docs/ret_address_reuse.md
+++ b/exploit/binaries/buffer_overflow/docs/ret_address_reuse.md
--- a/exploit/binaries/buffer_overflow/ropping.md
+++ b/exploit/binaries/buffer_overflow/ropping.md
--- a/exploit/binaries/buffer_overflow/bad_chars.py
+++ b/exploit/binaries/buffer_overflow/bad_chars.py
--- a/exploit/binaries/buffer_overflow/brainstorm.py
+++ b/exploit/binaries/buffer_overflow/brainstorm.py
--- a/exploit/binaries/buffer_overflow/buffer_overflow.py
+++ b/exploit/binaries/buffer_overflow/buffer_overflow.py
--- a/exploit/binaries/canary_bypass/canary_bypass.py
+++ b/exploit/binaries/canary_bypass/canary_bypass.py
--- a/exploit/binaries/buffer_overflow/fuzzer.py
+++ b/exploit/binaries/buffer_overflow/fuzzer.py
--- a/exploit/binaries/buffer_overflow/fuzzer2.py
+++ b/exploit/binaries/buffer_overflow/fuzzer2.py
--- a/exploit/binaries/buffer_overflow/fuzzer_BO.py
+++ b/exploit/binaries/buffer_overflow/fuzzer_BO.py
--- a/exploit/binaries/buffer_overflow/pwn_fuzz.py
+++ b/exploit/binaries/buffer_overflow/pwn_fuzz.py
--- a/Exploits/Binaries/Shellcode.md
+++ b/Exploits/Binaries/Shellcode.md
--- a/exploit/binaries/buffer_overflow/docs/amd64_instructions.md
+++ b/exploit/binaries/buffer_overflow/docs/amd64_instructions.md
--- a/exploit/binaries/buffer_overflow/docs/amd64.md
+++ b/exploit/binaries/buffer_overflow/docs/amd64.md
--- a/exploit/binaries/buffer_overflow/docs/pwntools_specifics.md
+++ b/exploit/binaries/buffer_overflow/docs/pwntools_specifics.md
--- a/Exploits/Binaries/radare2.md
+++ b/Exploits/Binaries/radare2.md
--- a/Exploits/Binaries/ret2libc.md
+++ b/Exploits/Binaries/ret2libc.md
--- a/exploit/binaries/buffer_overflow/docs/shellcodes/setreuid_shell.as
+++ b/exploit/binaries/buffer_overflow/docs/shellcodes/setreuid_shell.as
--- a/exploit/binaries/buffer_overflow/docs/shellcodes/setuid_shell.as
+++ b/exploit/binaries/buffer_overflow/docs/shellcodes/setuid_shell.as
--- a/Exploits/CPUs/Meltdown.md
+++ b/Exploits/CPUs/Meltdown.md
--- a/exploit/level3_hypervisor/docker_sec/docker.md
+++ b/exploit/level3_hypervisor/docker_sec/docker.md
--- a/exploit/level3_hypervisor/kubernetes.md
+++ b/exploit/level3_hypervisor/kubernetes.md
--- a/exploit/level3_hypervisor/lxc.md
+++ b/exploit/level3_hypervisor/lxc.md
--- a/exploit/level3_hypervisor/microk8s.md
+++ b/exploit/level3_hypervisor/microk8s.md
--- a/exploit/dns/zone_transfer.md
+++ b/exploit/dns/zone_transfer.md
--- a/Exploits/Databases/MSSQL.md
+++ b/Exploits/Databases/MSSQL.md
--- a/Exploits/Databases/NoSQL
+++ b/Exploits/Databases/NoSQL
--- a/Exploits/Databases/SQL
+++ b/Exploits/Databases/SQL
--- a/Exploits/Databases/SQLmap.md
+++ b/Exploits/Databases/SQLmap.md
@ -20,6 +20,7 @@ sqlmap -u http://<target-IP>/site.php --forms --dump-all


 |Parameter|Details|
+|---------|-------|
 |-r|Uses the intercepted request save as a file|
 |--dbms|DBMS of target|
 |--dump|Dump the entire database|
--- a/Exploits/ImageMagick/ImageTragick.md
+++ b/Exploits/ImageMagick/ImageTragick.md
--- a/exploit/java/OGNL/cve_2022_26134.md
+++ b/exploit/java/OGNL/cve_2022_26134.md
--- a/exploit/java/ghidra_debug.md
+++ b/exploit/java/ghidra_debug.md
--- a/Exploits/Java/Ghostcat.md
+++ b/Exploits/Java/Ghostcat.md
--- a/Exploits/Java/Log4Shell.md
+++ b/Exploits/Java/Log4Shell.md
--- a/Exploits/Java/Spring4Shell.md
+++ b/Exploits/Java/Spring4Shell.md
--- a/Exploits/Linux/Capabilities.md
+++ b/Exploits/Linux/Capabilities.md
--- a/exploit/linux/dirty_pipe/dirty_pipe.md
+++ b/exploit/linux/dirty_pipe/dirty_pipe.md
--- a/Exploits/Linux/ExifTool.md
+++ b/Exploits/Linux/ExifTool.md
--- a/Exploits/Linux/Groups.md
+++ b/Exploits/Linux/Groups.md
--- a/exploit/linux/ld_preload.md
+++ b/exploit/linux/ld_preload.md
--- a/exploit/linux/nfs_rootsquash.md
+++ b/exploit/linux/nfs_rootsquash.md
--- a/Exploits/Linux/OverlayFS.md
+++ b/Exploits/Linux/OverlayFS.md
--- a/Exploits/Linux/PolKit.md
+++ b/Exploits/Linux/PolKit.md
--- a/exploit/linux/racing_conditions.md
+++ b/exploit/linux/racing_conditions.md
--- a/Exploits/Linux/SetCap.md
+++ b/Exploits/Linux/SetCap.md
--- a/exploit/linux/shared_object_injection.md
+++ b/exploit/linux/shared_object_injection.md
--- a/exploit/linux/shell_shock.md
+++ b/exploit/linux/shell_shock.md
--- a/exploit/linux/wildard_exploitation.md
+++ b/exploit/linux/wildard_exploitation.md
--- a/exploit/linux/pkexec/CVE_2021_4034.md
+++ b/exploit/linux/pkexec/CVE_2021_4034.md
--- a/Exploits/Linux/sudo.md
+++ b/Exploits/Linux/sudo.md
@ -0,0 +1,58 @@
+# CVE-2021-3156 Baron Samedit
+
+* [Animesh Jain's blog post on Qualys](https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit)
+* [blasty's PoC](https://github.com/blasty/CVE-2021-3156.git)
+* Heap based overflow
+* Versions 1.8.2-1.8.31p2, 1.9.0-1.9.5p1
+* Check vulnerability via
+```sh
+sudoedit -s '\' $(python -c "print('\x41' * 10000)")
+```
+* Defaults to try
+```sh
+./brute.sh 90 120 50 70 150 300
+```
+
+## CVE-2019-14287
+
+* Versions < 1.8.28
+
+### Usage 
+
+* Integer overflow with resulting root status.
+```sh
+sudo -u#-1 <app>
+```
+## CVE-18634 
+
+* Sudo pwnge with pwfeedback()
+* Sudo version 1.7.1 to 1.8.30
+* [Saleem's github](https://github.com/saleemrashid/sudo-cve-2019-18634)
+
+
+## Reusing Sudo Token
+
+* Reuse sudo token of currently logged in user
+* [Hacktricks' site](https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens)
+
+* `ptrace` has to be fully enabled
+```sh
+cat /proc/sys/kernel/yama/ptrace_scope
+0
+```
+* sudo has to be triggered the last 15 minutes, check `ps wuax`
+* `gdb` has to be installed
+* One must be logged in as the same user which should be owned
+* Use [nongiach's exploit](https://github.com/nongiach/sudo_inject)
+
+## Heap Based Overflow
+
+* [CVE-2022-43995](https://bugzilla.redhat.com/show_bug.cgi?id=2139911)
+
+Marco Benatto: 
+> Sudo 1.8.0 through 1.9.12, with the crypt() password backend, contains  
+a plugins/sudoers/auth/passwd.c array-out-of-bounds error that can result  
+in a heap-based buffer over-read. This can be triggered by arbitrary local  
+users with access to Sudo by entering a password of seven characters or 
+ fewer. The impact could vary depending on the compiler and processor architecture.
+
--- a/exploit/network/mac_spoofing.md
+++ b/exploit/network/mac_spoofing.md
--- a/Exploits/Printers/preta.md
+++ b/Exploits/Printers/preta.md
@ -0,0 +1,4 @@
+# Printer Hacking
+
+* [Preta](https://github.com/RUB-NDS/PRET)
+* [Cheat Sheet](http://hacking-printers.net/wiki/index.php/Printer_Security_Testing_Cheat_Sheet)
--- a/exploit/python/code_injection.md
+++ b/exploit/python/code_injection.md
--- a/Exploits/Python/Decompile
+++ b/Exploits/Python/Decompile
--- a/exploit/python/flask_cookie_decode.py
+++ b/exploit/python/flask_cookie_decode.py
--- a/exploit/python/jail_escape.md
+++ b/exploit/python/jail_escape.md
--- a/exploit/python/lib_hijack.md
+++ b/exploit/python/lib_hijack.md
--- a/Exploits/Python/Pickle.md
+++ b/Exploits/Python/Pickle.md
--- a/Exploits/Python/Scapy.md
+++ b/Exploits/Python/Scapy.md
--- a/Exploits/Python/pwntools.md
+++ b/Exploits/Python/pwntools.md
--- a/Exploits/References.md
+++ b/Exploits/References.md
@ -0,0 +1,38 @@
+# Exploit References
+
+[PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings.git)
+
+## Recover git Repositories
+[Internetwache's gitTools](https://github.com/internetwache/GitTools.git)
+
+## Web
+
+[Padbuster - padding Oracle Attacks](https://github.com/AonCyberLabs/PadBuster.git)
+
+## Printer Exploitation
+[RUB-NDS Printer Exploitation Framework](https://github.com/RUB-NDS/PRET.git)
+
+## Python
+
+[pwntools doc](https://docs.pwntools.com/en/stable/)
+[pwntools installation](https://docs.pwntools.com/en/stable/install.html)
+
+## Java
+
+[fullhunt's log4j-scan](https://github.com/fullhunt/log4j-scan.git)
+[pimps' JNID-Exploit-Kit](https://github.com/pimps/JNDI-Exploit-Kit.git)
+
+## Linux
+
+[DirtyPipe](https://github.com/cspshivam/CVE-2022-0847-dirty-pipe-exploit.git)
+
+## macOS
+
+[DS Store Crawler Parser](https://github.com/anantshri/DS_Store_crawler_parser.git)
+[DS Store Exp](https://github.com/lijiejie/ds_store_exp.git)
+[DS Store Exp Python3](https://github.com/qiuluo-oss/ds_store_exp_py3.git)
+
+## Windows
+
+[PowerSploit](https://github.com/PowerShellMafia/PowerSploit.git)
+[nishang](https://github.com/samratashok/nishang.git)
--- a/Exploits/SSL+TLS/Heartbleed.md
+++ b/Exploits/SSL+TLS/Heartbleed.md
--- a/exploit/web/javascript/bypass_filters.md
+++ b/exploit/web/javascript/bypass_filters.md
--- a/exploit/web/content_security_policy/content_security_policy.md
+++ b/exploit/web/content_security_policy/content_security_policy.md
--- a/Exploits/Web/CSRF.md
+++ b/Exploits/Web/CSRF.md
--- a/exploit/web/command_injection.md
+++ b/exploit/web/command_injection.md
--- a/exploit/web/cookie_tampering.md
+++ b/exploit/web/cookie_tampering.md
--- a/exploit/web/forced_browsing/forced_browsing.md
+++ b/exploit/web/forced_browsing/forced_browsing.md
--- a/exploit/web/http_header_injection.md
+++ b/exploit/web/http_header_injection.md
--- a/exploit/web/idor/idor.md
+++ b/exploit/web/idor/idor.md
--- a/exploit/web/ssrf/iframe.md
+++ b/exploit/web/ssrf/iframe.md
--- a/exploit/web/jwt/jwt.md
+++ b/exploit/web/jwt/jwt.md
--- a/exploit/web/local_file_inclusion.md
+++ b/exploit/web/local_file_inclusion.md
--- a/Exploits/Web/Methodology.md
+++ b/Exploits/Web/Methodology.md
--- a/exploit/web/nodejs/deserialization.md
+++ b/exploit/web/nodejs/deserialization.md
--- a/exploit/padding/padbuster.md
+++ b/exploit/padding/padbuster.md
--- a/exploit/web/javascript/prototype_pollution.md
+++ b/exploit/web/javascript/prototype_pollution.md
--- a/exploit/web/bypass_rate_limiting/bypass_rate_limiting.md
+++ b/exploit/web/bypass_rate_limiting/bypass_rate_limiting.md
--- a/exploit/web/remote_file_inclusion.md
+++ b/exploit/web/remote_file_inclusion.md
--- a/Exploits/Web/Reregistration.md
+++ b/Exploits/Web/Reregistration.md
--- a/exploit/web/ssrf/ssrf.md
+++ b/exploit/web/ssrf/ssrf.md
--- a/exploit/web/ssti/ssti.md
+++ b/exploit/web/ssti/ssti.md
--- a/Exploits/Web/Scripts/check_ssrf.py
+++ b/Exploits/Web/Scripts/check_ssrf.py
--- a/Exploits/Web/Scripts/curl_ssrf.sh
+++ b/Exploits/Web/Scripts/curl_ssrf.sh
@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 for x in {1..65535};
-    do cmd=$(curl -so /dev/null http://10.10.214.67:8000/attack?url=http://2130706433:${x} \
+    do cmd=$(curl -so /dev/null http://$TARGET_IP:$TARGET_PORT/attack?url=http://2130706433:${x} \
        -w '%{size_download}');
    if [ $cmd != 1045 ]; then
        echo "Open port: $x"
--- a/Exploits/Web/Scripts/ip_to_hexdec.py
+++ b/Exploits/Web/Scripts/ip_to_hexdec.py
--- a/exploit/web/url_forgery.md
+++ b/exploit/web/url_forgery.md
--- a/Exploits/Web/Wordpress.md
+++ b/Exploits/Web/Wordpress.md
--- a/Exploits/Web/XPath.md
+++ b/Exploits/Web/XPath.md
--- a/Exploits/Web/XSS.md
+++ b/Exploits/Web/XSS.md
--- a/exploit/web/xxe/wp_xxe_.md
+++ b/exploit/web/xxe/wp_xxe_.md
--- a/exploit/web/xxe/xml_external_entity.md
+++ b/exploit/web/xxe/xml_external_entity.md
--- a/exploit/yaml/deserialization.md
+++ b/exploit/yaml/deserialization.md
--- a/exploit/windows/docs/always_installed_elevated.md
+++ b/exploit/windows/docs/always_installed_elevated.md
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Stefan Etringer	b75bcb944f	restructured Exploits	2022-11-13 22:51:45 +01:00
Stefan Etringer	a1efefe7cf	restructured Exploits	2022-11-13 22:38:01 +01:00