0x22bb
/
hacktricks
mirror of https://github.com/carlospolop/hacktricks.git
1
2
Fork 0
Code Releases Activity

GITBOOK-4065: change request with no subject merged in GitBook

This commit is contained in:
CPol 2023-09-04 14:02:39 +00:00 committed by gitbook-bot
parent 987e1109d8
commit 8cd2f11ec3
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
5 changed files with 345 additions and 134 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
SUMMARY.md
View File

@ -371,7 +371,7 @@
* [Buckets](network-services-pentesting/pentesting-web/buckets/README.md)
* [Firebase Database](network-services-pentesting/pentesting-web/buckets/firebase-database.md)
* [CGI](network-services-pentesting/pentesting-web/cgi.md)
* [Code Review Tools](network-services-pentesting/pentesting-web/code-review-tools.md)
* [Source code Review / SAST Tools](network-services-pentesting/pentesting-web/code-review-tools.md)
* [DotNetNuke (DNN)](network-services-pentesting/pentesting-web/dotnetnuke-dnn.md)
* [Drupal](network-services-pentesting/pentesting-web/drupal.md)
* [Flask](network-services-pentesting/pentesting-web/flask.md)

1
generic-methodologies-and-resources/external-recon-methodology/github-leaked-secrets.md
View File

@ -27,6 +27,7 @@ Now that we have built the list of assets of our scope it's time to search for s
* [https://github.com/dxa4481/truffleHog](https://github.com/dxa4481/truffleHog)
* [https://github.com/gitleaks/gitleaks](https://github.com/gitleaks/gitleaks)
* [https://github.com/Yelp/detect-secrets](https://github.com/Yelp/detect-secrets)
* [https://github.com/hisxo/gitGraber](https://github.com/hisxo/gitGraber)
* [https://github.com/eth0izzle/shhgit](https://github.com/eth0izzle/shhgit)
* [https://github.com/techgaun/github-dorks](https://github.com/techgaun/github-dorks)

2
generic-methodologies-and-resources/phishing-methodology/README.md
View File

@ -446,7 +446,7 @@ Check out the following page for some examples:
The previous attack is pretty clever as you are faking a real website and gathering the information set by the user. Unfortunately, if the user didn't put the correct password or if the application you faked is configured with 2FA, **this information won't allow you to impersonate the tricked user**.
This is where tools like [**evilginx2**](https://github.com/kgretzky/evilginx2) or [**CredSniper**](https://github.com/ustayready/CredSniper) are useful. This tool will allow you to generate a MitM like attack. Basically, the attacks works in the following way:
This is where tools like [**evilginx2**](https://github.com/kgretzky/evilginx2)**,** [**CredSniper**](https://github.com/ustayready/CredSniper) and [**muraena**](https://github.com/muraenateam/muraena) are useful. This tool will allow you to generate a MitM like attack. Basically, the attacks works in the following way:
1. You **impersonate the login** form of the real webpage.
2. The user **send** his **credentials** to your fake page and the tool send those to the real webpage, **checking if the credentials work**.

449
network-services-pentesting/pentesting-web/code-review-tools.md
View File

@ -1,151 +1,251 @@
# Code Review Tools
# Source code Review / SAST Tools
<details>
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
</details>
## General
## Guidance and & Lists of tools
* [**https://owasp.org/www-community/Source\_Code\_Analysis\_Tools**](https://owasp.org/www-community/Source\_Code\_Analysis\_Tools)\
* [**https://owasp.org/www-community/Source\_Code\_Analysis\_Tools**](https://owasp.org/www-community/Source\_Code\_Analysis\_Tools)
* [**https://github.com/analysis-tools-dev/static-analysis**](https://github.com/analysis-tools-dev/static-analysis)
```bash
https://www.sonarqube.org/downloads/
https://deepsource.io/signup/
https://github.com/pyupio/safety
https://github.com/returntocorp/semgrep
https://github.com/WhaleShark-Team/cobra
https://github.com/insidersec/insider
## Multi-Language Tools
# Find interesting strings
https://github.com/s0md3v/hardcodes
https://github.com/micha3lb3n/SourceWolf
https://libraries.io/pypi/detect-secrets
### [Naxus - AI-Gents](https://www.naxusai.com/)
There is a **free package to review PRs**.
### [**Semgrep**](https://github.com/returntocorp/semgrep)
It's an **Open Source tool**.
#### Supported Languages
| Category | Languages |
| ------------ | ----------------------------------------------------------------------------------------------------- |
| GA | C# · Go · Java · JavaScript · JSX · JSON · PHP · Python · Ruby · Scala · Terraform · TypeScript · TSX |
| Beta | Kotlin · Rust |
| Experimental | Bash · C · C++ · Clojure · Dart · Dockerfile · Elixir · HTML · Julia · Jsonnet · Lisp · |
#### Quick Start
{% code overflow="wrap" %}
```bash
# Install https://github.com/returntocorp/semgrep#option-1-getting-started-from-the-cli
brew install semgrep
# Go to your repo code and scan
cd repo
semgrep scan --config auto
```
{% endcode %}
You can also use the [**semgrep VSCode Extension**](https://marketplace.visualstudio.com/items?itemName=Semgrep.semgrep) to get the findings inside VSCode.
### [**SonarQube**](https://www.sonarsource.com/products/sonarqube/downloads/)
There is an installable **free version**.
#### Quick Start
{% code overflow="wrap" %}
```bash
# Run the paltform in docker
docker run -d --name sonarqube -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true -p 9000:9000 sonarqube:latest
# Install cli tool
brew install sonar-scanner
# Go to localhost:9000 and login with admin:admin or admin:sonar
# Generate a local project and then a TOKEN for it
# Using the token and from the folder with the repo, scan it
cd path/to/repo
sonar-scanner \
-Dsonar.projectKey=<project-name> \
-Dsonar.sources=. \
-Dsonar.host.url=http://localhost:9000 \
-Dsonar.token=<sonar_project_token>
```
{% endcode %}
### [**Snyk**](https://snyk.io/product/snyk-code/)
There is an **installable free version**.
#### Quick Start
```bash
# Install
sudo npm install -g snyk
# Authenticate (you can use a free account)
snyk auth
# Test for open source vulns & license issues
snyk test [--all-projects]
# Test for code vulnerabilities
## This will upload your code and you need to enable this option in: Settings > Snyk Code
snyk test code
# Test for vulns in images
snyk container test [image]
# Test for IaC vulns
snyk iac test
```
## JavaScript
### Discovery
1. Burp:
- Spider and discover content
- Sitemap > filter
- Sitemap > right-click domain > Engagement tools > Find scripts
2. [WaybackURLs](https://github.com/tomnomnom/waybackurls):
- `waybackurls <domain> |grep -i "\.js" |sort -u`
### Static Analysis
#### Unminimize/Beautify/Prettify
https://prettier.io/playground/
https://beautifier.io/
#### Deobfuscate/Unpack
__Note__: It may not be possible to fully deobfuscate.
1. Find and use .map files:
- If the .map files are exposed, they can be used to easily deobfuscate.
- Commonly, foo.js.map maps to foo.js. Manually look for them.
- Use [JS Miner](https://github.com/PortSwigger/js-miner) to look for them.
- Ensure active scan is conducted.
- Read '[Tips/Notes](https://github.com/minamo7sen/burp-JS-Miner/wiki#tips--notes)'
- If found, use [Maximize](https://www.npmjs.com/package/maximize) to deobfuscate.
2. Without .map files, try JSnice:
- References: http://jsnice.org/ & https://www.npmjs.com/package/jsnice
- Tips:
- If using jsnice.org, click on the options button next to the "Nicify JavaScript" button, and de-select "Infer types" to reduce cluttering the code with comments.
- Ensure you do not leave any empty lines before the script, as it may affect the deobfuscation process and give inaccurate results.
3. Use console.log(<packerReturnVariable>);
- Find the return value at the end and change it to `console.log(<packerReturnVariable>);` so the deobfuscated js is printed instead of being executing.
- Then, paste the modified (and still obfuscated) js into https://jsconsole.com/ to see the deobfuscated js logged to the console.
- Finally, paste the deobfuscated output into https://prettier.io/playground/ to beautify it for analysis.
- __Note__: If you are still seeing packed (but different) js, it may be recursively packed. Repeat the process.
#### Analyze
References:
https://medium.com/techiepedia/javascript-code-review-guide-for-bug-bounty-hunters-c95a8aa7037a
You can also use the [**snyk VSCode Extension**](https://marketplace.visualstudio.com/items?itemName=snyk-security.snyk-vulnerability-scanner) to get findings inside VSCode.
Look for:
- Anti-debug loading
- Angular: [enableProdMode](https://blog.nvisium.com/angular-for-pentesters-part-2)
- Secrets
- Use:
- [JS Miner](https://github.com/PortSwigger/js-miner)
- [RegHex](https://github.com/l4yton/RegHex) patterns
- [gf](https://github.com/tomnomnom/gf/tree/master/examples) patterns
- Grep relevant dictionary patterns:
- pass, user, admin
- auth, login, sign, challenge, 2fa
- key, apikey, api_key, api-key, jwt, token
- secret, security, secure
- ...
- Manual review
- If API key found, check here for potential usage syntax: https://github.com/streaak/keyhacks.
- Vuln functions
- InnerHTML() - If you found this, it means there is a potential chance for XSS if no proper sanitisation takes place. Even if your payload is sanitised, dont worry. Trace the code to find out where the sanitisation takes place. Study it and try to get around the sanitisation.
- Postmessage() - If you have read my previous post (https://medium.com/techiepedia/what-are-sop-cors-and-ways-to-exploit-it-62a5e02100dc), you would notice that Postmessage() might lead to potential CORS issue. If the second parameter of the function set to *, you are the lucky one. Checkout my previous post to understand more about the mechanism behind.
- String.prototype.search() - This function looks normal. Why would it be a dangerous function? Well, it is because some developers used this to find occurrence of a string inside another string. However, “.” is treated as wildcard in this function. So, if this function is used as sanitisation check, you can simply bypass it by inputting “.”. Checkout Filedescryptors hackerone report: https://hackerone.com/reports/129873
- Endpoints & params
- Use [LinkFinder](https://github.com/GerbenJavado/LinkFinder) & [JS Miner](https://github.com/PortSwigger/js-miner).
- Vuln libs & deps
- Use [Retire.js](https://retirejs.github.io/retire.js/) and [NPM](https://snyk.io/advisor/) (scroll down to security section > all versions link).
- Cloud URLs
- Use [JS Miner](https://github.com/PortSwigger/js-miner).
- Subdomains
- Use [JS Miner](https://github.com/PortSwigger/js-miner).
- Logic Flaws
- Gain situational awareness:
- `use strict;`?
- Grep for client-side controls:
- disable, enable, hidden, hide, show
- catch, finally, throw, try
- input, validate, verify, valid, correct, check, confirm, require, ..
- Grep for non-primatives:
- function , =>
- class
### Dynamic Analysis
### CodeQL
References
- https://www.youtube.com/watch?v=_v8r_t4v6hQ
- https://blog.nvisium.com/angular-for-pentesters-part-1
- https://blog.nvisium.com/angular-for-pentesters-part-2
There is an **installable free version**.
Tools
- https://portswigger.net/burp/documentation/desktop/tools/dom-invader
#### Install
#### Less Used References
- https://cyberchef.org/
- https://olajs.com/javascript-prettifier
- https://jshint.com/
- https://github.com/jshint/jshint/
```bash
brew install codeql
# Check it's correctly installed
codeql resolve qlpacks
```
Or
{% code overflow="wrap" %}
```bash
# Download your release from https://github.com/github/codeql-action/releases
## Example
wget https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.14.3/codeql-bundle-osx64.tar.gz
# Move it to the destination folder
mkdir ~/codeql
mv codeql-bundle* ~/codeql
# Decompress it
cd ~/codeql
tar -xzvf codeql-bundle-*.tar.gz
rm codeql-bundle-*.tar.gz
# Add to path
echo 'export PATH="$PATH:/Users/username/codeql/codeql"' >> ~/.zshrc
# Check it's correctly installed
## Open a new terminal
codeql resolve qlpacks
```
{% endcode %}
#### Quick Start
{% code overflow="wrap" %}
```bash
# Prepare the database
## You need to export a GITHUB_TOKEN (codeql will detect languages automatically)
export GITHUB_TOKEN=ghp_32849y23hij4...
codeql database create <database> --db-cluster --source-root </path/to/repo>
## Or to indicate the languages yourself (https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/preparing-your-code-for-codeql-analysis#running-codeql-database-create)
codeql database create <database> --language=<language-identifier> --source-root </path/to/repo>
## For example
export GITHUB_TOKEN=ghp_32849y23hij4...
codeql database create /tmp/codeql_db --db-cluster --source-root /path/to/repo # Generate the folder /tmp/codeql_db
# Analyze the code
codeql database analyze <database> --format=<format> --output=</out/file/path> --download
## Example
codeql database analyze /tmp/codeql_db --download --format=csv --output=/tmp/graphql_results.csv
```
{% endcode %}
You can also use the [**VSCode extension**](https://marketplace.visualstudio.com/items?itemName=GitHub.vscode-codeql) to get the findings inside VSCode.
### [Insider](https://github.com/insidersec/insider)
It's **Open Source**, but looks **unmaintained**.
#### Supported Languages
Java (Maven and Android), Kotlin (Android), Swift (iOS), .NET Full Framework, C#, and Javascript (Node.js).
#### Quick Start
```bash
# Check the correct release for your environment
$ wget https://github.com/insidersec/insider/releases/download/2.1.0/insider_2.1.0_linux_x86_64.tar.gz
$ tar -xf insider_2.1.0_linux_x86_64.tar.gz
$ chmod +x insider
$ ./insider --tech javascript --target <projectfolder>
```
### [**DeepSource**](https://deepsource.com/pricing)&#x20;
Free for **public repos**.
## NodeJS
* **`yarn`**
```bash
# Install
brew isntall yarn
# Run
cd /path/to/repo
yarn audit
```
https://github.com/ajinabraham/nodejsscan
* [**nodejsscan**](https://github.com/ajinabraham/nodejsscan)**:** Static security code scanner (SAST) for Node.js applications powered by [libsast](https://github.com/ajinabraham/libsast) and [semgrep](https://github.com/returntocorp/semgrep).
```bash
# Install & run
docker run -it -p 9090:9090 opensecurity/nodejsscan:latest
# Got to localhost:9090
# Upload a zip file with the code
```
* [**RetireJS**](https://github.com/RetireJS/retire.js)**:** The goal of Retire.js is to help you detect the use of JS-library versions with known vulnerabilities.
```bash
# Install
npm install -g retire
# Run
cd /path/to/repo
retire --colors
```
## Electron
```
https://github.com/doyensec/electronegativity
```
* [**electronegativity**](https://github.com/doyensec/electronegativity)**:** It's a tool to identify misconfigurations and security anti-patterns in Electron-based applications.
## Python
* [**Bandit**](https://github.com/PyCQA/bandit)**:** Bandit is a tool designed to find common security issues in Python code. To do this Bandit processes each file, builds an AST from it, and runs appropriate plugins against the AST nodes. Once Bandit has finished scanning all the files it generates a report.
```bash
# bandit
https://github.com/PyCQA/bandit
# pyt
https://github.com/python-security/pyt
# Install
pip3 install bandit
# Run
bandit -r <path to folder>
```
* [**safety**](https://github.com/pyupio/safety): Safety checks Python dependencies for known security vulnerabilities and suggests the proper remediations for vulnerabilities detected. Safety can be run on developer machines, in CI/CD pipelines and on production systems.
```bash
# Install
pip install safety
# Run
safety check
```
* [~~**Pyt**~~](https://github.com/python-security/pyt): Unmaintained
## .NET
```bash
@ -199,18 +299,117 @@ https://github.com/securego/gosec
* [https://www.npmjs.com/package/solium](https://www.npmjs.com/package/solium)
## JavaScript
### Discovery
1. Burp:
* Spider and discover content
* Sitemap > filter
* Sitemap > right-click domain > Engagement tools > Find scripts
2. [WaybackURLs](https://github.com/tomnomnom/waybackurls):
* `waybackurls <domain> |grep -i "\.js" |sort -u`
### Static Analysis
#### Unminimize/Beautify/Prettify
* [https://prettier.io/playground/](https://prettier.io/playground/)
* [https://beautifier.io/](https://beautifier.io/)
#### Deobfuscate/Unpack
**Note**: It may not be possible to fully deobfuscate.
1. Find and use .map files:
* If the .map files are exposed, they can be used to easily deobfuscate.
* Commonly, foo.js.map maps to foo.js. Manually look for them.
* Use [JS Miner](https://github.com/PortSwigger/js-miner) to look for them.
* Ensure active scan is conducted.
* Read '[Tips/Notes](https://github.com/minamo7sen/burp-JS-Miner/wiki#tips--notes)'
* If found, use [Maximize](https://www.npmjs.com/package/maximize) to deobfuscate.
2. Without .map files, try JSnice:
* References: http://jsnice.org/ & https://www.npmjs.com/package/jsnice
* Tips:
* If using jsnice.org, click on the options button next to the "Nicify JavaScript" button, and de-select "Infer types" to reduce cluttering the code with comments.
* Ensure you do not leave any empty lines before the script, as it may affect the deobfuscation process and give inaccurate results.
3. Use console.log();
* Find the return value at the end and change it to `console.log(<packerReturnVariable>);` so the deobfuscated js is printed instead of being executing.
* Then, paste the modified (and still obfuscated) js into https://jsconsole.com/ to see the deobfuscated js logged to the console.
* Finally, paste the deobfuscated output into https://prettier.io/playground/ to beautify it for analysis.
* **Note**: If you are still seeing packed (but different) js, it may be recursively packed. Repeat the process.
#### Analyze
References: https://medium.com/techiepedia/javascript-code-review-guide-for-bug-bounty-hunters-c95a8aa7037a
Look for:
* Anti-debug loading
* Angular: [enableProdMode](https://blog.nvisium.com/angular-for-pentesters-part-2)
* Secrets
* Use:
* [JS Miner](https://github.com/PortSwigger/js-miner)
* [RegHex](https://github.com/l4yton/RegHex) patterns
* [gf](https://github.com/tomnomnom/gf/tree/master/examples) patterns
* Grep relevant dictionary patterns:
* pass, user, admin
* auth, login, sign, challenge, 2fa
* key, apikey, api\_key, api-key, jwt, token
* secret, security, secure
* ...
* Manual review
* If API key found, check here for potential usage syntax: https://github.com/streaak/keyhacks.
* Vuln functions
* InnerHTML() - If you found this, it means there is a potential chance for XSS if no proper sanitisation takes place. Even if your payload is sanitised, dont worry. Trace the code to find out where the sanitisation takes place. Study it and try to get around the sanitisation.
* Postmessage() - If you have read my previous post (https://medium.com/techiepedia/what-are-sop-cors-and-ways-to-exploit-it-62a5e02100dc), you would notice that Postmessage() might lead to potential CORS issue. If the second parameter of the function set to \*, you are the lucky one. Checkout my previous post to understand more about the mechanism behind.
* String.prototype.search() - This function looks normal. Why would it be a dangerous function? Well, it is because some developers used this to find occurrence of a string inside another string. However, “.” is treated as wildcard in this function. So, if this function is used as sanitisation check, you can simply bypass it by inputting “.”. Checkout Filedescryptors hackerone report: https://hackerone.com/reports/129873
* Endpoints & params
* Use [LinkFinder](https://github.com/GerbenJavado/LinkFinder) & [JS Miner](https://github.com/PortSwigger/js-miner).
* Vuln libs & deps
* Use [Retire.js](https://retirejs.github.io/retire.js/) and [NPM](https://snyk.io/advisor/) (scroll down to security section > all versions link).
* Cloud URLs
* Use [JS Miner](https://github.com/PortSwigger/js-miner).
* Subdomains
* Use [JS Miner](https://github.com/PortSwigger/js-miner).
* Logic Flaws
* Gain situational awareness:
* `use strict;`?
* Grep for client-side controls:
* disable, enable, hidden, hide, show
* catch, finally, throw, try
* input, validate, verify, valid, correct, check, confirm, require, ..
* Grep for non-primatives:
* function , =>
* class
### Dynamic Analysis
References
* https://www.youtube.com/watch?v=\_v8r\_t4v6hQ
* https://blog.nvisium.com/angular-for-pentesters-part-1
* https://blog.nvisium.com/angular-for-pentesters-part-2
Tools
* https://portswigger.net/burp/documentation/desktop/tools/dom-invader
#### Less Used References
* https://cyberchef.org/
* https://olajs.com/javascript-prettifier
* https://jshint.com/
* https://github.com/jshint/jshint/
<details>
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
</details>

25
network-services-pentesting/pentesting-web/php-tricks-esp/README.md
View File

@ -7,7 +7,7 @@
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
</details>
@ -191,7 +191,7 @@ In the following scenario the **attacker made the server throw some big errors**
[Check this for more useful PHP functions](php-useful-functions-disable\_functions-open\_basedir-bypass/)
### **Code execution using** **preg\_replace()**
### **RCE via** **preg\_replace()**
```php
preg_replace(pattern,replace,base)
@ -201,7 +201,7 @@ preg_replace("/a/e","phpinfo()","whatever")
To execute the code in the "replace" argument is needed at least one match.\
This option of preg\_replace has been **deprecated as of PHP 5.5.0.**
### **Code execution with Eval()**
### **RCE via Eval()**
```
'.system('uname -a'); $dummy='
@ -211,7 +211,7 @@ This option of preg\_replace has been **deprecated as of PHP 5.5.0.**
<?php phpinfo(); ?>
```
### **Code execution with Assert()**
### **RCE via Assert()**
This function within php allows you to **execute code that is written in a string** in order to **return true or false** (and depending on this alter the execution). Usually the user variable will be inserted in the middle of a string. For example:\
`assert("strpos($_GET['page']),'..') === false")` --> In this case to get **RCE** you could do:
@ -226,7 +226,7 @@ You will need to **break** the code **syntax**, **add** your **payload**, and th
**Other option** (if you have the internal code) is to modify some variable to alter the execution: `$file = "hola"`
### **Code execution with usort()**
### **RCE via usort()**
This function is used to sort an array of items using an specific function.\
To abuse this function:
@ -259,12 +259,23 @@ To discover the number of parenthesis that you need to close:
* `?order=id);}//`: we get a **warning**. That seems about right.
* `?order=id));}//`: we get an error message (`Parse error: syntax error, unexpected ')' i`). We probably have too many closing brackets.
### **Code execution via .httaccess**
### **RCE via .httaccess**
If you can **upload** a **.htaccess**, then you can **configure** several things and even execute code (configuring that files with extension .htaccess can be **executed**).
Different .htaccess shells can be found [here](https://github.com/wireghoul/htshells)
### RCE via Env Variables
If you find a vulnerability that allows you to **modify env variables in PHP** (and another one to upload files, although with more research maybe this can be bypassed), you could abuse this behaviour to get **RCE**.
* [**`LD_PRELOAD`**](../../../linux-hardening/privilege-escalation/#ld\_preload-and-ld\_library\_path): This env variable allows you load arbitrary libraries when executing other binaries (although in this case it might not work).
* **`PHPRC`** : Instructs PHP on **where to locate its configuration file**, usually called `php.ini`. If you can upload your own config file, then, use `PHPRC` to point PHP at it. Add an **`auto_prepend_file`** entry specifying a second uploaded file. This second file contains normal **PHP code, which is then executed** by the PHP runtime before any other code.
1. Upload a PHP file containing our shellcode
2. Upload a second file, containing an **`auto_prepend_file`** directive instructing the PHP preprocessor to execute the file we uploaded in step 1
3. &#x20;Set the `PHPRC` variable to the file we uploaded in step 2.
* Get more info on how to execute this chain [**from the original report**](https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/).
## PHP Static analysis
Look if you can insert code in calls to these functions (from [here](https://www.youtube.com/watch?v=SyWUsN0yHKI\&feature=youtu.be)):
@ -421,7 +432,7 @@ $___($_[_]); // ASSERT($_POST[_]);
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
</details>