1
2
Fork 0
mirror of https://github.com/carlospolop/hacktricks.git synced 2023-12-14 19:12:55 +01:00

GitBook: [#2780] asd

This commit is contained in:
CPol 2021-10-19 00:01:07 +00:00 committed by gitbook-bot
parent c6a254f363
commit bb1345bf9f
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
14 changed files with 205 additions and 112 deletions

View file

@ -45,7 +45,7 @@
* [lxd/lxc Group - Privilege escalation](linux-unix/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.md)
* [ld.so exploit example](linux-unix/privilege-escalation/ld.so.conf-example.md)
* [Linux Capabilities](linux-unix/privilege-escalation/linux-capabilities.md)
* [NFS no_root_squash/no_all_squash misconfiguration PE](linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md)
* [NFS no\_root\_squash/no\_all\_squash misconfiguration PE](linux-unix/privilege-escalation/nfs-no\_root\_squash-misconfiguration-pe.md)
* [Payloads to execute](linux-unix/privilege-escalation/payloads-to-execute.md)
* [RunC Privilege Escalation](linux-unix/privilege-escalation/runc-privilege-escalation.md)
* [Splunk LPE and Persistence](linux-unix/privilege-escalation/splunk-lpe-and-persistence.md)
@ -251,22 +251,22 @@
* [Moodle](pentesting/pentesting-web/moodle.md)
* [Nginx](pentesting/pentesting-web/nginx.md)
* [PHP Tricks (SPA)](pentesting/pentesting-web/php-tricks-esp/README.md)
* [PHP - Useful Functions & disable_functions/open_basedir bypass](pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/README.md)
* [disable_functions bypass - php-fpm/FastCGI](pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-fpm-fastcgi.md)
* [disable_functions bypass - dl function](pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-dl-function.md)
* [disable_functions bypass - PHP 7.0-7.4 (\*nix only)](pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-7.0-7.4-nix-only.md)
* [disable_functions bypass - Imagick <= 3.3.0 PHP >= 5.4 Exploit](pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-imagick-less-than-3.3.0-php-greater-than-5.4-exploit.md)
* [disable_functions - PHP 5.x Shellshock Exploit](pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-php-5.x-shellshock-exploit.md)
* [disable_functions - PHP 5.2.4 ionCube extension Exploit](pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-php-5.2.4-ioncube-extension-exploit.md)
* [disable_functions bypass - PHP <= 5.2.9 on windows](pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-less-than-5.2.9-on-windows.md)
* [disable_functions bypass - PHP 5.2.4 and 5.2.5 PHP cURL](pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-5.2.4-and-5.2.5-php-curl.md)
* [disable_functions bypass - PHP safe_mode bypass via proc_open() and custom environment Exploit](pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-safe_mode-bypass-via-proc_open-and-custom-environment-exploit.md)
* [disable_functions bypass - PHP Perl Extension Safe_mode Bypass Exploit](pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-perl-extension-safe_mode-bypass-exploit.md)
* [disable_functions bypass - PHP 5.2.3 - Win32std ext Protections Bypass](pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-5.2.3-win32std-ext-protections-bypass.md)
* [disable_functions bypass - PHP 5.2 - FOpen Exploit](pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-5.2-fopen-exploit.md)
* [disable_functions bypass - via mem](pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-via-mem.md)
* [disable_functions bypass - mod_cgi](pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-mod_cgi.md)
* [disable_functions bypass - PHP 4 >= 4.2.0, PHP 5 pcntl_exec](pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-4-greater-than-4.2.0-php-5-pcntl_exec.md)
* [PHP - Useful Functions & disable\_functions/open\_basedir bypass](pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable\_functions-open\_basedir-bypass/README.md)
* [disable\_functions bypass - php-fpm/FastCGI](pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable\_functions-open\_basedir-bypass/disable\_functions-bypass-php-fpm-fastcgi.md)
* [disable\_functions bypass - dl function](pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable\_functions-open\_basedir-bypass/disable\_functions-bypass-dl-function.md)
* [disable\_functions bypass - PHP 7.0-7.4 (\*nix only)](pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable\_functions-open\_basedir-bypass/disable\_functions-bypass-php-7.0-7.4-nix-only.md)
* [disable\_functions bypass - Imagick <= 3.3.0 PHP >= 5.4 Exploit](pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable\_functions-open\_basedir-bypass/disable\_functions-bypass-imagick-less-than-3.3.0-php-greater-than-5.4-exploit.md)
* [disable\_functions - PHP 5.x Shellshock Exploit](pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable\_functions-open\_basedir-bypass/disable\_functions-php-5.x-shellshock-exploit.md)
* [disable\_functions - PHP 5.2.4 ionCube extension Exploit](pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable\_functions-open\_basedir-bypass/disable\_functions-php-5.2.4-ioncube-extension-exploit.md)
* [disable\_functions bypass - PHP <= 5.2.9 on windows](pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable\_functions-open\_basedir-bypass/disable\_functions-bypass-php-less-than-5.2.9-on-windows.md)
* [disable\_functions bypass - PHP 5.2.4 and 5.2.5 PHP cURL](pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable\_functions-open\_basedir-bypass/disable\_functions-bypass-php-5.2.4-and-5.2.5-php-curl.md)
* [disable\_functions bypass - PHP safe\_mode bypass via proc\_open() and custom environment Exploit](pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable\_functions-open\_basedir-bypass/disable\_functions-bypass-php-safe\_mode-bypass-via-proc\_open-and-custom-environment-exploit.md)
* [disable\_functions bypass - PHP Perl Extension Safe\_mode Bypass Exploit](pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable\_functions-open\_basedir-bypass/disable\_functions-bypass-php-perl-extension-safe\_mode-bypass-exploit.md)
* [disable\_functions bypass - PHP 5.2.3 - Win32std ext Protections Bypass](pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable\_functions-open\_basedir-bypass/disable\_functions-bypass-php-5.2.3-win32std-ext-protections-bypass.md)
* [disable\_functions bypass - PHP 5.2 - FOpen Exploit](pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable\_functions-open\_basedir-bypass/disable\_functions-bypass-php-5.2-fopen-exploit.md)
* [disable\_functions bypass - via mem](pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable\_functions-open\_basedir-bypass/disable\_functions-bypass-via-mem.md)
* [disable\_functions bypass - mod\_cgi](pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable\_functions-open\_basedir-bypass/disable\_functions-bypass-mod\_cgi.md)
* [disable\_functions bypass - PHP 4 >= 4.2.0, PHP 5 pcntl\_exec](pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable\_functions-open\_basedir-bypass/disable\_functions-bypass-php-4-greater-than-4.2.0-php-5-pcntl\_exec.md)
* [Python](pentesting/pentesting-web/python.md)
* [Special HTTP headers](pentesting/pentesting-web/special-http-headers.md)
* [Spring Actuators](pentesting/pentesting-web/spring-actuators.md)
@ -367,21 +367,23 @@
* [Client Side Template Injection (CSTI)](pentesting-web/client-side-template-injection-csti.md)
* [Command Injection](pentesting-web/command-injection.md)
* [Content Security Policy (CSP) Bypass](pentesting-web/content-security-policy-csp-bypass.md)
* [Cookies Hacking](pentesting-web/hacking-with-cookies.md)
* [Cookies Hacking](pentesting-web/hacking-with-cookies/README.md)
* [Cookie Tossing](pentesting-web/hacking-with-cookies/cookie-tossing.md)
* [Cookie Jar Overflow](pentesting-web/hacking-with-cookies/cookie-jar-overflow.md)
* [CORS - Misconfigurations & Bypass](pentesting-web/cors-bypass.md)
* [CRLF (%0D%0A) Injection](pentesting-web/crlf-0d-0a.md)
* [Cross-site WebSocket hijacking (CSWSH)](pentesting-web/cross-site-websocket-hijacking-cswsh.md)
* [CSRF (Cross Site Request Forgery)](pentesting-web/csrf-cross-site-request-forgery.md)
* [Dangling Markup - HTML scriptless injection](pentesting-web/dangling-markup-html-scriptless-injection.md)
* [Deserialization](pentesting-web/deserialization/README.md)
* [NodeJS - \__proto\_\_ & prototype Pollution](pentesting-web/deserialization/nodejs-proto-prototype-pollution.md)
* [NodeJS - \_\_proto\_\_ & prototype Pollution](pentesting-web/deserialization/nodejs-proto-prototype-pollution.md)
* [Java JSF ViewState (.faces) Deserialization](pentesting-web/deserialization/java-jsf-viewstate-.faces-deserialization.md)
* [Java DNS Deserialization, GadgetProbe and Java Deserialization Scanner](pentesting-web/deserialization/java-dns-deserialization-and-gadgetprobe.md)
* [Basic Java Deserialization (ObjectInputStream, readObject)](pentesting-web/deserialization/basic-java-deserialization-objectinputstream-readobject.md)
* [CommonsCollection1 Payload - Java Transformers to Rutime exec() and Thread Sleep](pentesting-web/deserialization/java-transformers-to-rutime-exec-payload.md)
* [Basic .Net deserialization (ObjectDataProvider gadget, ExpandedWrapper, and Json.Net)](pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.md)
* [Exploiting \__VIEWSTATE knowing the secrets](pentesting-web/deserialization/exploiting-\__viewstate-knowing-the-secret.md)
* [Exploiting \__VIEWSTATE without knowing the secrets](pentesting-web/deserialization/exploiting-\__viewstate-parameter.md)
* [Exploiting \_\_VIEWSTATE knowing the secrets](pentesting-web/deserialization/exploiting-\_\_viewstate-knowing-the-secret.md)
* [Exploiting \_\_VIEWSTATE without knowing the secrets](pentesting-web/deserialization/exploiting-\_\_viewstate-parameter.md)
* [Domain/Subdomain takeover](pentesting-web/domain-subdomain-takeover.md)
* [Email Header Injection](pentesting-web/email-header-injection.md)
* [File Inclusion/Path traversal](pentesting-web/file-inclusion/README.md)
@ -413,7 +415,7 @@
* [MSSQL Injection](pentesting-web/sql-injection/mssql-injection.md)
* [Oracle injection](pentesting-web/sql-injection/oracle-injection.md)
* [PostgreSQL injection](pentesting-web/sql-injection/postgresql-injection/README.md)
* [dblink/lo_import data exfiltration](pentesting-web/sql-injection/postgresql-injection/dblink-lo_import-data-exfiltration.md)
* [dblink/lo\_import data exfiltration](pentesting-web/sql-injection/postgresql-injection/dblink-lo\_import-data-exfiltration.md)
* [PL/pgSQL Password Bruteforce](pentesting-web/sql-injection/postgresql-injection/pl-pgsql-password-bruteforce.md)
* [Network - Privesc, Port Scanner and NTLM chanllenge response disclosure](pentesting-web/sql-injection/postgresql-injection/network-privesc-port-scanner-and-ntlm-chanllenge-response-disclosure.md)
* [Big Binary Files Upload (PostgreSQL)](pentesting-web/sql-injection/postgresql-injection/big-binary-files-upload-postgresql.md)
@ -520,7 +522,7 @@
* [Linux Exploiting (Basic) (SPA)](exploiting/linux-exploiting-basic-esp/README.md)
* [Format Strings Template](exploiting/linux-exploiting-basic-esp/format-strings-template.md)
* [ROP - call sys_execve](exploiting/linux-exploiting-basic-esp/rop-syscall-execv.md)
* [ROP - call sys\_execve](exploiting/linux-exploiting-basic-esp/rop-syscall-execv.md)
* [ROP - Leaking LIBC address](exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address/README.md)
* [ROP - Leaking LIBC template](exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address/rop-leaking-libc-template.md)
* [Bypassing Canary & PIE](exploiting/linux-exploiting-basic-esp/bypassing-canary-and-pie.md)

View file

@ -180,7 +180,7 @@ rpm -qa --root=/ mntpath/var/lib/rpm
### Other
**Not all installed programs will be listed by the above commands** because some applications are not available as packages for certain systems and must be installed from source. Therefore, a review of locations such as _**/usr/local**_ and _**/opt**_ may reveal other applications that have been compiled and installed from source code.
**Not all installed programs will be listed by the above commands** because some applications are not available as packages for certain systems and must be installed from source. Therefore, a review of locations such as _**/usr/local**_ and _**/opt**_ may reveal other applications that have been compiled and installed from source code.&#x20;
```bash
ls /opt /usr/local
@ -219,9 +219,9 @@ ls -l /usr/lib/cron/tabs/ /Library/LaunchAgents/ /Library/LaunchDaemons/ ~/Libra
It is extremely common for malware to entrench itself as a new, unauthorized service. Linux has a number of scripts that are used to start services as the computer boots. The initialization startup script _**/etc/inittab**_ calls other scripts such as rc.sysinit and various startup scripts under the _**/etc/rc.d/**_ directory, or _**/etc/rc.boot/**_ in some older versions. On other versions of Linux, such as Debian, startup scripts are stored in the _**/etc/init.d/**_ directory. In addition, some common services are enabled in _**/etc/inetd.conf**_ or _**/etc/xinetd/**_ depending on the version of Linux. Digital investigators should inspect each of these startup scripts for anomalous entries.
* _**/etc/inittab**_
* _**/etc/rc.d/**_
* _**/etc/rc.d/**_&#x20;
* _**/etc/rc.boot/**_
* _**/etc/init.d/**_
* _**/etc/init.d/**_&#x20;
* _**/etc/inetd.conf**_
* _**/etc/xinetd/**_
* _**/etc/systemd/system**_
@ -236,7 +236,7 @@ On Linux systems, kernel modules are commonly used as rootkit components to malw
There are several configuration files that Linux uses to automatically launch an executable when a user logs into the system that may contain traces of malware.
* _**/etc/profile.d/\***_ , _**/etc/profile**_ , _**/etc/bash.bashrc**_ are executed when any user account logs in.
* _**/.bashrc **_, _**/.bash_profile**_ , _**\~/.profile**_ , _**/.config/autostart**_ are executed when the specific user logs in.
* _**/.bashrc **_, _**/.bash\_profile**_ , _**\~/.profile**_ , _**/.config/autostart**_ are executed when the specific user logs in.
* _**/etc/rc.local**_ It is traditionally executed after all the normal system services are started, at the end of the process of switching to a multiuser runlevel.
## Examine Logs
@ -248,9 +248,9 @@ Look in all available log files on the compromised system for traces of maliciou
**Logon **events recorded in the system and security logs, including logons via the network, can reveal that **malware **or an **intruder gained access **to a compromised system via a given account at a specific time. Other events around the time of a malware infection can be captured in system logs, including the **creation **of a **new** **service **or new accounts around the time of an incident.\
Interesting system logons:
* **/var/log/syslog **(debian)** **or **/var/log/messages **(Redhat)
* &#x20;**/var/log/syslog **(debian)** **or **/var/log/messages **(Redhat)
* Shows general messages and info regarding the system. Basically a data log of all activity throughout the global system.
* **/var/log/auth.log **(debian)** **or **/var/log/secure **(Redhat)
* &#x20;**/var/log/auth.log **(debian)** **or **/var/log/secure **(Redhat)
* Keep authentication logs for both successful or failed logins, and authentication processes. Storage depends on system type.
* `cat /var/log/auth.log | grep -iE "session opened for|accepted password|new session|not in sudoers"`
* **/var/log/boot.log**: start-up messages and boot info.
@ -261,7 +261,7 @@ Interesting system logons:
* **/var/log/cron**: keeps a record of Crond-related messages (cron jobs). Like when the cron daemon started a job.
* **/var/log/daemon.log:** keeps track of running background services but doesnt represent them graphically.
* **/var/log/btmp**: keeps a note of all failed login attempts.
* **/var/log/httpd/**: a directory containing error_log and access_log files of the Apache httpd daemon. Every error that httpd comes across is kept in the **error_log **file. Think of memory problems and other system-related errors. **access_log** logs all requests which come in via HTTP.
* **/var/log/httpd/**: a directory containing error\_log and access\_log files of the Apache httpd daemon. Every error that httpd comes across is kept in the **error\_log **file. Think of memory problems and other system-related errors. **access\_log** logs all requests which come in via HTTP.
* **/var/log/mysqld.log **or** /var/log/mysql.log **: MySQL log file that records every debug, failure and success message, including starting, stopping and restarting of MySQL daemon mysqld. The system decides on the directory. RedHat, CentOS, Fedora, and other RedHat-based systems use /var/log/mariadb/mariadb.log. However, Debian/Ubuntu use /var/log/mysql/error.log directory.
* **/var/log/xferlog**: keeps FTP file transfer sessions. Includes info like file names and user-initiated FTP transfers.
* **/var/log/\*** : You should always check for unexpected logs in this directory
@ -274,9 +274,9 @@ Linux system logs and audit subsystems may be disabled or deleted in an intrusio
Many Linux systems are configured to maintain a command history for each user account:
* \~/.bash_history
* \~/.bash\_history
* \~/.history
* \~/.sh_history
* \~/.sh\_history
* \~/.\*\_history
### Logins
@ -293,16 +293,16 @@ Note that you can also **take a look to this information reading the logs**.
### Application Traces
* **SSH**: Connections to systems made using SSH to and from a compromised system result in entries being made in files for each user account (_**/.ssh/authorized_keys**_ and _**/.ssh/known_keys**_). These entries can reveal the hostname or IP address of the remote hosts.
* **SSH**: Connections to systems made using SSH to and from a compromised system result in entries being made in files for each user account (_**/.ssh/authorized\_keys**_ and _**/.ssh/known\_keys**_). These entries can reveal the hostname or IP address of the remote hosts.
* **Gnome Desktop**: User accounts may have a _**/.recently-used.xbel**_ file that contains information about files that were recently accessed using applications running in the Gnome desktop.
* **VIM**: User accounts may have a _**/.viminfo**_ file that contains details about the use of VIM, including search string history and paths to files that were opened using vim.
* **Open Office**: Recent files.
* **MySQL**: User accounts may have a _**/.mysql_history**_ file that contains queries executed using MySQL.
* **MySQL**: User accounts may have a _**/.mysql\_history**_ file that contains queries executed using MySQL.
* **Less**: User accounts may have a _**/.lesshst**_ file that contains details about the use of less, including search string history and shell commands executed via less
### USB Logs
[**usbrip**](https://github.com/snovvcrash/usbrip) is a small piece of software written in pure Python 3 which parses Linux log files (`/var/log/syslog*` or `/var/log/messages*` depending on the distro) for constructing USB event history tables.
&#x20;[**usbrip**](https://github.com/snovvcrash/usbrip) is a small piece of software written in pure Python 3 which parses Linux log files (`/var/log/syslog*` or `/var/log/messages*` depending on the distro) for constructing USB event history tables.
It is interesting to **know all the USBs that have been used** and it will be more useful if you have an authorized list of USB to find "violation events" (the use of USBs that aren't inside that list).
@ -348,7 +348,7 @@ To deal with such anti-forensic techniques, it is necessary to pay **careful att
* It's interesting to see the files and folders of a directory **sorted by creation date** instead alphabetically to see which files/folders are more recent (last ones usually).
You can check the most recent files of a folder using `ls -laR --sort=time /bin`\
You can check the inodes of the files inside a folder using `ls -lai /bin |sort -n`
You can check the inodes of the files inside a folder using `ls -lai /bin |sort -n`&#x20;
{% hint style="info" %}
Note that an **attacker **can **modify **the **time **to make **files appear** **legitimate**, but he **cannot **modify the **inode**. If you find that a **file **indicates that it was created and modify at the **same time **of the rest of the files in the same folder, but the **inode **is **unexpectedly bigger**, then the **timestamps of that file were modified**.
@ -386,5 +386,5 @@ Note that not all diffs can feature all types. For instance, diffs from the inde
## References
* [https://cdn.ttgtmedia.com/rms/security/Malware%20Forensics%20Field%20Guide%20for%20Linux%20Systems_Ch3.pdf](https://cdn.ttgtmedia.com/rms/security/Malware%20Forensics%20Field%20Guide%20for%20Linux%20Systems_Ch3.pdf)
* [https://cdn.ttgtmedia.com/rms/security/Malware%20Forensics%20Field%20Guide%20for%20Linux%20Systems\_Ch3.pdf](https://cdn.ttgtmedia.com/rms/security/Malware%20Forensics%20Field%20Guide%20for%20Linux%20Systems\_Ch3.pdf)
* [https://www.plesk.com/blog/featured/linux-logs-explained/](https://www.plesk.com/blog/featured/linux-logs-explained/)

View file

@ -61,11 +61,11 @@ Under _**Statistics --> I/O Graph **_you can find a **graph of the communication
Here you can find wireshark filter depending on the protocol: [https://www.wireshark.org/docs/dfref/](https://www.wireshark.org/docs/dfref/)\
Other interesting filters:
* `(http.request or ssl.handshake.type == 1) and !(udp.port eq 1900)`
* &#x20;`(http.request or ssl.handshake.type == 1) and !(udp.port eq 1900)`
* HTTP and initial HTTPS traffic
* `(http.request or ssl.handshake.type == 1 or tcp.flags eq 0x0002) and !(udp.port eq 1900)`
* &#x20;`(http.request or ssl.handshake.type == 1 or tcp.flags eq 0x0002) and !(udp.port eq 1900)`
* HTTP and initial HTTPS traffic + TCP SYN
* `(http.request or ssl.handshake.type == 1 or tcp.flags eq 0x0002 or dns) and !(udp.port eq 1900)`
* &#x20;`(http.request or ssl.handshake.type == 1 or tcp.flags eq 0x0002 or dns) and !(udp.port eq 1900)`
* HTTP and initial HTTPS traffic + TCP SYN + DNS requests
### Search

View file

@ -117,9 +117,9 @@ struct mach_header {
Filetypes:
* MH_EXECUTE (0x2): Standard Mach-O executable
* MH_DYLIB (0x6): A Mach-O dynamic linked library (i.e. .dylib)
* MH_BUNDLE (0x8): A Mach-O bundle (i.e. .bundle)
* MH\_EXECUTE (0x2): Standard Mach-O executable &#x20;
* MH\_DYLIB (0x6): A Mach-O dynamic linked library (i.e. .dylib)
* MH\_BUNDLE (0x8): A Mach-O bundle (i.e. .bundle)
#### ****
@ -128,7 +128,7 @@ Filetypes:
This specifies the **layout of the file in memory**. It contains the **location of the symbol table**, the main thread context at the beginning of execution, and which **shared libraries** are required.\
The commands basically instruct the dynamic loader **(dyld) how to load the binary in memory.**
Load commands all begin with a **load_command** structure, defined in mach-o/loader.h:
Load commands all begin with a **load\_command** structure, defined in mach-o/loader.h:
```objectivec
struct load_command {
@ -137,7 +137,7 @@ struct load_command {
};
```
A **common** type of load command is **LC_SEGMENT/LC_SEGMENT\_64**, which **describes** a **segment:** \
A **common** type of load command is **LC\_SEGMENT/LC\_SEGMENT\_64**, which **describes** a **segment:** \
_A segment defines a **range of bytes **in a Mach-O file and the **addresses** and **memory** **protection** **attributes** at which those bytes are **mapped into **virtual memory when the dynamic linker loads the application._
![](<../../.gitbook/assets/image (557).png>)
@ -151,11 +151,11 @@ Common segments:
* **`__DATA`**: Contains data that is **writable.**
* `__data`: Global variables (that have been initialized)
* `__bss`: Static variables (that have not been initialized)
* `__objc_*` (\__objc_classlist, \__objc_protolist, etc): Information used by the Objective-C runtime
* `__objc_*` (\_\_objc\_classlist, \_\_objc\_protolist, etc): Information used by the Objective-C runtime&#x20;
* **`__LINKEDIT`**: Contains information for the linker (dyld) such as, "symbol, string, and relocation table entries."
* **`__OBJC`**: Contains information used by the Objective-C runtime. Though this information might also be found in the \__DATA segment, within various in \__objc_\* sections.
* **`__OBJC`**: Contains information used by the Objective-C runtime. Though this information might also be found in the \_\_DATA segment, within various in \_\_objc\_\* sections.
* **`LC_MAIN`**: Contains the entrypoint in the **entryoff attribute. **At load time, **dyld** simply **adds** this value to the (in-memory) **base of the binary**, then **jumps** to this instruction to kickoff execution of the binarys code.
* **`LC_LOAD_DYLIB`**:** **This load command describes a **dynamic** **library** dependency which **instructs** the **loader** (dyld) to l**oad and link said library**. There is a LC_LOAD_DYLIB load command **for each library **that the Mach-O binary requires.
* **`LC_LOAD_DYLIB`**:** **This load command describes a **dynamic** **library** dependency which **instructs** the **loader** (dyld) to l**oad and link said library**. There is a LC\_LOAD\_DYLIB load command **for each library **that the Mach-O binary requires.
* This load command is a structure of type **`dylib_command`** (which contains a struct dylib, describing the actual dependent dynamic library):
@ -183,8 +183,8 @@ Some potential malware related libraries are:
* **CoreWLAN**: Wifi scans.
{% hint style="info" %}
A Mach-O binary can contain one or **more** **constructors**, that will be **executed** **before** the address specified in **LC_MAIN**. \
The offsets of any constructors are held in the **\__mod_init_func** section of the **\__DATA_CONST** segment.
A Mach-O binary can contain one or **more** **constructors**, that will be **executed** **before** the address specified in **LC\_MAIN**. \
The offsets of any constructors are held in the **\_\_mod\_init\_func** section of the **\_\_DATA\_CONST** segment.
{% endhint %}
#### ****
@ -219,10 +219,10 @@ ls -lR /Applications/Safari.app/Contents
Contains **code-signing information** about the application (i.e., hashes, etc.).
* `Contents/MacOS`
Contains the **applications binary** (which is executed when the user double-clicks the application icon in the UI).
Contains the **applications binary** (which is executed when the user double-clicks the application icon in the UI).&#x20;
* `Contents/Resources`
Contains **UI elements of the application**, such as images, documents, and nib/xib files (that describe various user interfaces).
Contains **UI elements of the application**, such as images, documents, and nib/xib files (that describe various user interfaces).&#x20;
* `Contents/Info.plist`\
****The applications main “**configuration file.**” Apple notes that “the system relies on the presence of this file to identify relevant information about \[the] application and any related files”.
* **Plist** **files** contains configuration information. You can find find information about the meaning of they plist keys in [https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Introduction/Introduction.html](https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Introduction/Introduction.html)
@ -264,12 +264,12 @@ There are some projects that allow to generate a binary executable by MacOS cont
* **Platypus**: Generate MacOS binary executing** **shell scripts, Python, Perl, Ruby, PHP, Swift, Expect, Tcl, AWK, JavaScript, AppleScript or any other user-specified interpreter.
* **It saves the script in `Contents/Resources/script`. So finding this script is a good indicator that Platypus was used.**
* **PyInstaller: **Python
* Ways to detect this is the use of the embedded** **string** “Py_SetPythonHome” **or a a **call** into a function named **`pyi_main`.**
* Ways to detect this is the use of the embedded** **string** “Py\_SetPythonHome” **or a a **call** into a function named **`pyi_main`.**
* **Electron: **JavaScript, HTML, and CSS.
* These binaries will use **Electron Framework.framework**. Moreover, the non-binary components (e.g. JavaScript files) maybe found in the applications **`Contents/Resources/`** directory, achieved in `.asar` files. These binaries will use Electron Framework.framework. Moreover, the non-binary components (e.g. JavaScript files) maybe found in the applications **`Contents/Resources/`** directory, achieved in **`.asar` files**. It's possible **unpack** such archives via the **asar** node module, or the **npx** **utility: **`npx asar extract StrongBox.app/Contents/Resources/app.asar appUnpacked`\
## References
* ****[**The Mac Hacker's Handbook**](https://www.amazon.com/-/es/Charlie-Miller-ebook-dp-B004U7MUMU/dp/B004U7MUMU/ref=mt_other?\_encoding=UTF8\&me=\&qid=)****
* ****[**The Mac Hacker's Handbook**](https://www.amazon.com/-/es/Charlie-Miller-ebook-dp-B004U7MUMU/dp/B004U7MUMU/ref=mt\_other?\_encoding=UTF8\&me=\&qid=)****
* ****[**https://taomm.org/vol1/analysis.html**](https://taomm.org/vol1/analysis.html)****

View file

@ -55,7 +55,7 @@ Reading the **manifest** you can find **vulnerabilities**:
* [Learn here](drozer-tutorial/#is-debuggeable) how to find debuggeable applications in a phone and exploit them
* **Backup**: The **`android:allowBackup`** attribute defines whether application data can be backed up and restored by a user who has enabled usb debugging. If backup flag is set to true, it allows an attacker to take the backup of the application data via adb even if the device is not rooted. Therefore applications that handle and store sensitive information such as card details, passwords etc. should have this setting explicitly set to **false** because by default it is set to **true** to prevent such risks.
* `<application android:allowBackup="false"`
* **NetworkSecurity:** The application network security can be overwritten the defaults values with **`android:networkSecurityConfig="@xml/network_security_config"`**. A file with that name may be put in _**res/xml.**_ This file will configure important security settings like certificate pins or if it allows HTTP traffic. You can read here more information about all the things that can be configure, but check this example about how to configure HTTP traffic for some domains:
* **NetworkSecurity:** The application network security can be overwritten the defaults values with **`android:networkSecurityConfig="@xml/network_security_config"`**. A file with that name may be put in _**res/xml.**_ This file will configure important security settings like certificate pins or if it allows HTTP traffic. You can read here more information about all the things that can be configure, but check this example about how to configure HTTP traffic for some domains:&#x20;
* `<domain-config cleartextTrafficPermitted="true"> <domain includeSubdomains="true">formation-software.co.uk </domain></domain-config>`
* **Exported activities**: Check for exported activities inside the manifest as this could be dangerous. Later in the dynamic analysis it will be explained how [you can abuse this behaviour](./#exploiting-exported-activities-authorisation-bypass).
* **Content Providers**: If an exported provider is being exposed, you could b able to access/modify interesting information. In dynamic analysis [you will learn how to abuse them](./#exploiting-content-providers-accessing-and-manipulating-sensitive-information).
@ -181,11 +181,11 @@ Then, decompress all the DLsL using [**xamarin-decompress**](https://github.com/
python3 xamarin-decompress.py -o /path/to/decompressed/apk
```
and finally you can use [**these recommended tools**](../../reversing/reversing-tools-basic-methods/#net-decompiler) to** read C# code** from the DLLs.
&#x20;and finally you can use [**these recommended tools**](../../reversing/reversing-tools-basic-methods/#net-decompiler) to** read C# code** from the DLLs.
### Other interesting functions
* **Code execution**: `Runtime.exec(), ProcessBuilder(), native code:system()`
* **Code execution**: `Runtime.exec(), ProcessBuilder(), native code:system()`&#x20;
* **Send SMSs**: `sendTextMessage, sendMultipartTestMessage`
* **Native functions** declared as `native`: `public native, System.loadLibrary, System.load`
* [Read this to learn **how to reverse native functions**](reversing-native-libraries.md)
@ -214,8 +214,8 @@ Thanks to the ADB connection you can use **Drozer** and **Frida** inside the emu
You can use some **emulator** like:
* [**Android Studio**](https://developer.android.com/studio) **(**You can create **x86** and **arm** devices, and according to [**this** ](https://android-developers.googleblog.com/2020/03/run-arm-apps-on-android-emulator.html)**latest x86** versions **support ARM libraries** without needing an slow arm emulator).
* If you want to try to **install** an **image** and then you want to **delete it** you can do that on Windows:`C:\Users\<User>\AppData\Local\Android\sdk\system-images\` or Mac: `/Users/myeongsic/Library/Android/sdk/system-image`
* [**Android Studio**](https://developer.android.com/studio) **(**You can create **x86** and **arm** devices, and according to [**this** ](https://android-developers.googleblog.com/2020/03/run-arm-apps-on-android-emulator.html)**latest x86** versions **support ARM libraries** without needing an slow arm emulator).&#x20;
* If you want to try to **install** an **image** and then you want to **delete it** you can do that on Windows:`C:\Users\<User>\AppData\Local\Android\sdk\system-images\` or Mac: `/Users/myeongsic/Library/Android/sdk/system-image`&#x20;
* This is the **main emulator I recommend to use and you can**[ **learn to set it up in this page**](avd-android-virtual-device.md).
* \*\*\*\*[**Genymotion**](https://www.genymotion.com/fun-zone/) **\*\*(\_Free version: **Personal Edition**, you need to **create** an **account\*\*.\_)
* \*\*\*\*[Nox](https://es.bignox.com) (Free, but it doesn't support Frida or Drozer).
@ -417,7 +417,7 @@ Dynamic instrumentation toolkit for developers, reverse-engineers, and security
### **Android Application Analyzer**
This tool could help you managing different tools during the dynamic analysis: [https://github.com/NotSoSecure/android_application_analyzer](https://github.com/NotSoSecure/android_application_analyzer)
This tool could help you managing different tools during the dynamic analysis: [https://github.com/NotSoSecure/android\_application\_analyzer](https://github.com/NotSoSecure/android\_application\_analyzer)
### Intent Injection
@ -433,7 +433,7 @@ Probably you know about this kind of vulnerabilities from the Web. You have to b
* **JavaScript Injection (XSS):** Verify that JavaScript and Plugin support is disabled for any WebViews (disabled by default). [More info here](webview-attacks.md#javascript-enabled).
* **Local File Inclusion:** Verify that File System Access is disabled for any WebViews (enabled by default) `(webview.getSettings().setAllowFileAccess(false);)`. [More info here](webview-attacks.md#javascript-enabled).
* **Eternal cookies**: In several cases when the android application finish the session the cookie isn't revoked or it could be even saved to disk
* \*\*\*\*[**Secure Flag** in cookies](../../pentesting-web/hacking-with-cookies.md#cookies-flags)
* \*\*\*\*[**Secure Flag** in cookies](../../pentesting-web/hacking-with-cookies/#cookies-flags)
## Automatic Analysis
@ -583,7 +583,7 @@ super-analyzer {apk_file}
![](<../../.gitbook/assets/image (62).png>)
StaCoAn is a **crossplatform** tool which aids developers, bugbounty hunters and ethical hackers performing [static code analysis](https://en.wikipedia.org/wiki/Static_program_analysis) on mobile applications\*.
StaCoAn is a **crossplatform** tool which aids developers, bugbounty hunters and ethical hackers performing [static code analysis](https://en.wikipedia.org/wiki/Static\_program\_analysis) on mobile applications\*.
The concept is that you drag and drop your mobile application file (an .apk or .ipa file) on the StaCoAn application and it will generate a visual and portable report for you. You can tweak the settings and wordlists to get a customized experience.
@ -593,10 +593,10 @@ Download[ latest release](https://github.com/vincentcox/StaCoAn/releases):
./stacoan
```
### [AndroBugs](https://github.com/AndroBugs/AndroBugs_Framework)
### [AndroBugs](https://github.com/AndroBugs/AndroBugs\_Framework)
AndroBugs Framework is an Android vulnerability analysis system that helps developers or hackers find potential security vulnerabilities in Android applications.\
[Windows releases](https://github.com/AndroBugs/AndroBugs_Framework/releases)
[Windows releases](https://github.com/AndroBugs/AndroBugs\_Framework/releases)
```
python androbugs.py -f [APK file]
@ -615,7 +615,7 @@ This tool looks for **common behavior of "bad" applications** like: Telephony id
python androwarn.py -i my_application_to_be_analyzed.apk -r html -v 3
```
### [MARA Framework](https://github.com/xtiankisutsa/MARA_Framework)
### [MARA Framework](https://github.com/xtiankisutsa/MARA\_Framework)
![](<../../.gitbook/assets/image (81).png>)
@ -624,7 +624,7 @@ python androwarn.py -i my_application_to_be_analyzed.apk -r html -v 3
It is able to:
* Extract Java and Smali code using different tools
* Analyze APKs using: [smalisca](https://github.com/dorneanu/smalisca), [ClassyShark](https://github.com/google/android-classyshark), [androbugs](https://github.com/AndroBugs/AndroBugs_Framework), [androwarn](https://github.com/maaaaz/androwarn), [APKiD](https://github.com/rednaga/APKiD)
* Analyze APKs using: [smalisca](https://github.com/dorneanu/smalisca), [ClassyShark](https://github.com/google/android-classyshark), [androbugs](https://github.com/AndroBugs/AndroBugs\_Framework), [androwarn](https://github.com/maaaaz/androwarn), [APKiD](https://github.com/rednaga/APKiD)
* Extract private information from the APK using regexps.
* Analyze the Manifest.
* Analyze found domains using: [pyssltest](https://github.com/moheshmohan/pyssltest), [testssl](https://github.com/drwetter/testssl.sh) and [whatweb](https://github.com/urbanadventurer/WhatWeb)
@ -638,13 +638,13 @@ Useful to detect malware: [https://koodous.com/](https://koodous.com)
Note that depending the service and configuration you use to obfuscate the code. Secrets may or may not ended obfuscated.
### [ProGuard](https://en.wikipedia.org/wiki/ProGuard_\(software\))
### [ProGuard](https://en.wikipedia.org/wiki/ProGuard\_\(software\))
**ProGuard** is an open source command-line tool that shrinks, optimizes and obfuscates Java code. It is able to optimize bytecode as well as detect and remove unused instructions. ProGuard is free software and is distributed under the GNU General Public License, version 2.
ProGuard is distributed as part of the Android SDK and runs when building the application in release mode.
From: [https://en.wikipedia.org/wiki/ProGuard\_(software)](https://en.wikipedia.org/wiki/ProGuard_\(software\))
From: [https://en.wikipedia.org/wiki/ProGuard\_(software)](https://en.wikipedia.org/wiki/ProGuard\_\(software\))
### [DeGuard](http://apk-deguard.com)
@ -677,7 +677,7 @@ AndroL4b is an Android security virtual machine based on ubuntu-mate includes th
### Git Repos
[https://github.com/riddhi-shree/nullCommunity/tree/master/Android](https://github.com/riddhi-shree/nullCommunity/tree/master/Android)\
[https://www.youtube.com/watch?v=PMKnPaGWxtg\&feature=youtu.be\&ab_channel=B3nacSec](https://www.youtube.com/watch?v=PMKnPaGWxtg\&feature=youtu.be\&ab_channel=B3nacSec)
[https://www.youtube.com/watch?v=PMKnPaGWxtg\&feature=youtu.be\&ab\_channel=B3nacSec](https://www.youtube.com/watch?v=PMKnPaGWxtg\&feature=youtu.be\&ab\_channel=B3nacSec)
## References

View file

@ -69,7 +69,7 @@ Once a device is rooted, any app could request access as root. If a malicious ap
## Android Application Fundamentals <a href="2-android-application-fundamentals" id="2-android-application-fundamentals"></a>
This introduction is taken from [https://maddiestone.github.io/AndroidAppRE/app_fundamentals.html](https://maddiestone.github.io/AndroidAppRE/app_fundamentals.html)
This introduction is taken from [https://maddiestone.github.io/AndroidAppRE/app\_fundamentals.html](https://maddiestone.github.io/AndroidAppRE/app\_fundamentals.html)
### Fundamentals Review <a href="fundamentals-review" id="fundamentals-review"></a>
@ -78,7 +78,7 @@ This introduction is taken from [https://maddiestone.github.io/AndroidAppRE/app_
* **AndroidManifest.xml**
* resources.arsc/strings.xml
* resources.arsc: a file containing precompiled resources, such as binary XML for example.
* res/xml/files_paths.xml
* res/xml/files\_paths.xml
* META-INF/
* Certificate lives here!
* **classes.dex**
@ -92,7 +92,7 @@ This introduction is taken from [https://maddiestone.github.io/AndroidAppRE/app_
* assets/
* Any other files that may be needed by the app.
* Additional native libraries or DEX files may be included here. This can happen especially when malware authors want to try and “hide” additional code, native or Dalvik, by not including it in the default locations.
* res/
* &#x20;res/
* the directory containing resources not compiled into resources.arsc
### **Dalvik & Smali**
@ -140,7 +140,7 @@ Intents are programatically created using an Intent constructor:
Intent email = new Intent(Intent.ACTION_SEND, Uri.parse("mailto:"));
```
The **Action** of the previously declared intent is **ACTION_SEND** and the **Extra** is a mailto **Uri** (the Extra if the extra information the intent is expecting).
The **Action** of the previously declared intent is **ACTION\_SEND** and the **Extra** is a mailto **Uri** (the Extra if the extra information the intent is expecting).
This intent should be declared inside the manifest as in the following example:
@ -198,7 +198,7 @@ If you find functions containing the word "sticky" like **`sendStickyBroadcast`*
## Deep links / URL schemes
**Deep links allow to trigger an Intent via URL**. An application can declare an **URL schema **inside and activity so every time the Android device try to **access an address using that schema** the applications activity will be called:
**Deep links allow to trigger an Intent via URL**. An application can declare an **URL schema **inside and activity so every time the Android device try to **access an address using that schema** the applications activity will be called:&#x20;
![](<../../.gitbook/assets/image (214).png>)
@ -210,7 +210,7 @@ If inside the `intent-filter`you find something like this:
Then, it's expecting something like `http://www.example.com/gizmos`
If you find something like this:
&#x20;If you find something like this:
![](<../../.gitbook/assets/image (262).png>)

View file

@ -13,7 +13,7 @@ Several **counter-measures** could be in place to avoid this vulnerability.
### **Common defenses**
* [**SameSite cookies**](hacking-with-cookies.md#samesite): If the session cookie is using this flag, you may not be able to send the cookie from arbitrary web sites.
* [**SameSite cookies**](hacking-with-cookies/#samesite): If the session cookie is using this flag, you may not be able to send the cookie from arbitrary web sites.
* [**Cross-origin resource sharing**](cors-bypass.md): Depending on which kind of HTTP request you need to perform to abuse the relevant action, you may take int account the** CORS policy of the victim site**. _Note that the CORS policy won't affect if you just want to send a GET request or a POST request from a form and you don't need to read the response._
* Ask for the **password** user to authorise the action.
* Resolve a **captcha**
@ -73,7 +73,7 @@ In this situation, the attacker can again perform a CSRF** attack if the web sit
### Content-Type change
According to [**this**](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests), in order to **avoid preflight** requests using **POST** method these are the allowed Content-Type values:
According to [**this**](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple\_requests), in order to **avoid preflight** requests using **POST** method these are the allowed Content-Type values:
* **`application/x-www-form-urlencoded`**
* **`multipart/form-data`**

View file

@ -7,7 +7,7 @@
In many occasions you can find some code in the server side that unserialize some object given by the user.\
In this case, you can send a malicious payload to make the server side behave unexpectedly.
**You should read: **[**https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html**](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html)** for learn how to attack.**
**You should read: **[**https://cheatsheetseries.owasp.org/cheatsheets/Deserialization\_Cheat\_Sheet.html**](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization\_Cheat\_Sheet.html)** for learn how to attack.**
## PHP
@ -17,8 +17,8 @@ Magic method used with serialization:
Magic method used with deserialization
* `__wakeup` is called when an object is deserialized.
* `__destruct` is called when PHP script end and object is destroyed.
* `__wakeup` is called when an object is deserialized.&#x20;
* `__destruct` is called when PHP script end and object is destroyed.&#x20;
* `__toString` uses object as string but also can be used to read file or more than that based on function call inside it.
```php
@ -85,7 +85,7 @@ Note than in several cases you **won't be able to find a way to abuse a deserial
### phar:// metadata deserialization
If you have found a LFI that is just reading the file and not executing the php code inside of it, for example using functions like_** file_get_contents(), fopen(), file() or file_exists(), md5\_file(), filemtime() or filesize()**_**. **You can try to abuse a **deserialization** occurring when **reading** a **file** using the **phar** protocol.\
If you have found a LFI that is just reading the file and not executing the php code inside of it, for example using functions like_** file\_get\_contents(), fopen(), file() or file\_exists(), md5\_file(), filemtime() or filesize()**_**. **You can try to abuse a **deserialization** occurring when **reading** a **file** using the **phar** protocol.\
For more information read the following post:
{% content-ref url="../file-inclusion/phar-deserialization.md" %}
@ -96,7 +96,7 @@ For more information read the following post:
### **Pickle**
When the object gets unpickle, the function _\__reduce\_\__ will be executed.\
When the object gets unpickle, the function _\_\_reduce\_\__ will be executed.\
When exploited, server could return an error.
```python
@ -374,7 +374,7 @@ generate('Linux', 'ping -c 1 nix.REPLACE.server.local')
#### serialkillerbypassgadgets
You can **use **[**https://github.com/pwntester/SerialKillerBypassGadgetCollection**](https://github.com/pwntester/SerialKillerBypassGadgetCollection)** along with ysoserial to create more exploits**. More information about this tool in the **slides of the talk** where the tool was presented: [https://es.slideshare.net/codewhitesec/java-deserialization-vulnerabilities-the-forgotten-bug-class?next_slideshow=1](https://es.slideshare.net/codewhitesec/java-deserialization-vulnerabilities-the-forgotten-bug-class?next_slideshow=1)
You can **use **[**https://github.com/pwntester/SerialKillerBypassGadgetCollection**](https://github.com/pwntester/SerialKillerBypassGadgetCollection)** along with ysoserial to create more exploits**. More information about this tool in the **slides of the talk** where the tool was presented: [https://es.slideshare.net/codewhitesec/java-deserialization-vulnerabilities-the-forgotten-bug-class?next\_slideshow=1](https://es.slideshare.net/codewhitesec/java-deserialization-vulnerabilities-the-forgotten-bug-class?next\_slideshow=1)
#### marshalsec
@ -480,7 +480,7 @@ public class LookAheadObjectInputStream extends ObjectInputStream {
**Harden All java.io.ObjectInputStream Usage with an Agent**
If you don't own the code or can't wait for a patch, using an agent to weave in hardening to `java.io.ObjectInputStream` is the best solution.\
&#x20;If you don't own the code or can't wait for a patch, using an agent to weave in hardening to `java.io.ObjectInputStream` is the best solution.\
Using this approach you can only Blacklist known malicious types and not whitelist them as you don't know which object are being serialized.
To enable these agents, simply add a new JVM parameter:
@ -506,7 +506,7 @@ Example: [rO0 by Contrast Security](https://github.com/Contrast-Security-OSS/co
## JMS - Java Message Service
> The **Java Message Service** (**JMS**) API is a Java message-oriented middleware API for sending messages between two or more clients. It is an implementation to handle the producerconsumer problem. JMS is a part of the Java Platform, Enterprise Edition (Java EE), and was defined by a specification developed at Sun Microsystems, but which has since been guided by the Java Community Process. It is a messaging standard that allows application components based on Java EE to create, send, receive, and read messages. It allows the communication between different components of a distributed application to be loosely coupled, reliable, and asynchronous. (From [Wikipedia](https://en.wikipedia.org/wiki/Java_Message_Service)).
> The **Java Message Service** (**JMS**) API is a Java message-oriented middleware API for sending messages between two or more clients. It is an implementation to handle the producerconsumer problem. JMS is a part of the Java Platform, Enterprise Edition (Java EE), and was defined by a specification developed at Sun Microsystems, but which has since been guided by the Java Community Process. It is a messaging standard that allows application components based on Java EE to create, send, receive, and read messages. It allows the communication between different components of a distributed application to be loosely coupled, reliable, and asynchronous. (From [Wikipedia](https://en.wikipedia.org/wiki/Java\_Message\_Service)).
### Products
@ -521,7 +521,7 @@ There are several products using this middleware to send messages:
So, basically there are a **bunch of services using JMS on a dangerous way**. Therefore, if you have **enough privileges** to send messages to this services (usually you will need valid credentials) you could be able to send **malicious objects serialized that will be deserialized by the consumer/subscriber**.\
This means that in this exploitation all the **clients that are going to use that message will get infected**.
You should remember that even if a service is vulnerable (because it's insecurely deserializing user input) you still need to find valid gadgets to exploit the vulnerability.
You should remember that even if a service is vulnerable (because it's insecurely deserializing user input) you still need to find valid gadgets to exploit the vulnerability.&#x20;
The tool [JMET](https://github.com/matthiaskaiser/jmet) was created to** connect and attack this services sending several malicious objects serialized using known gadgets**. These exploits will work if the service is still vulnerable and if any of the used gadgets is inside the vulnerable application.
@ -558,8 +558,8 @@ If you want to learn about **how does ysoserial.net creates it's exploit **you c
The main options of **ysoserial.net** are: **`--gadget`**, **`--formatter`**, **`--output` **and **`--plugin`.**
* **`--gadget`** used to indicate the gadget to abuse (indicate the class/function that will be abused during deserialization to execute commands).
* **`--formatter`**, used to indicated the method to serialized the exploit (you need to know which library is using the back-end to deserialize the payload and use the same to serialize it)
* **`--output` **used to indicate if you want the exploit in **raw **or **base64 **encoded. _Note that **ysoserial.net** will **encode **the payload using** UTF-16LE** (encoding used by default on Windows) so if you get the raw and just encode it from a linux console you might have some **encoding compatibility problems **that will prevent the exploit from working properly (in HTB JSON box the payload worked in both UTF-16LE and ASCII but this doesn't mean it will always work)._
* &#x20;**`--formatter`**, used to indicated the method to serialized the exploit (you need to know which library is using the back-end to deserialize the payload and use the same to serialize it)
* &#x20;**`--output` **used to indicate if you want the exploit in **raw **or **base64 **encoded. _Note that **ysoserial.net** will **encode **the payload using** UTF-16LE** (encoding used by default on Windows) so if you get the raw and just encode it from a linux console you might have some **encoding compatibility problems **that will prevent the exploit from working properly (in HTB JSON box the payload worked in both UTF-16LE and ASCII but this doesn't mean it will always work)._
* **`--plugin` **ysoserial.net supports plugins to craft **exploits for specific frameworks** like ViewState
#### More ysoserial.net parameters
@ -606,7 +606,7 @@ This parameter is helpful because if you review the code you will find chucks of
}
```
This means that in order to test the exploit the code will call [serializersHelper.JsonNet_deserialize](https://github.com/pwntester/ysoserial.net/blob/c53bd83a45fb17eae60ecc82f7147b5c04b07e42/ysoserial/Helpers/SerializersHelper.cs#L539)
This means that in order to test the exploit the code will call [serializersHelper.JsonNet\_deserialize](https://github.com/pwntester/ysoserial.net/blob/c53bd83a45fb17eae60ecc82f7147b5c04b07e42/ysoserial/Helpers/SerializersHelper.cs#L539)
```java
public static object JsonNet_deserialize(string str)
@ -624,7 +624,7 @@ Therefore the **`--test`** parameter allows us to understand** which chunks of c
### ViewState
Take a look to [this POST about **how to try to exploit the \__ViewState parameter of .Net **](exploiting-\__viewstate-parameter.md)to **execute arbitrary code. **If you** already know the secrets **used by the victim machine,** **[**read this post to know to execute code**](exploiting-\__viewstate-knowing-the-secret.md)**.**
Take a look to [this POST about **how to try to exploit the \_\_ViewState parameter of .Net **](exploiting-\_\_viewstate-parameter.md)to **execute arbitrary code. **If you** already know the secrets **used by the victim machine,** **[**read this post to know to execute code**](exploiting-\_\_viewstate-knowing-the-secret.md)**.**
### **Prevention**
@ -680,8 +680,8 @@ Try to keep any code that might create potential gadgets separate from any code
### **References**
* Java and .Net JSON deserialization** paper: **[**https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf**](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf)**,** talk: [https://www.youtube.com/watch?v=oUAeWhW5b8c](https://www.youtube.com/watch?v=oUAeWhW5b8c) and slides: [https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf)
* [https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html#net-csharp](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html#net-csharp)
* [https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH_US\_12\_Forshaw_Are_You_My_Type_WP.pdf](https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH_US\_12\_Forshaw_Are_You_My_Type_WP.pdf)
* [https://cheatsheetseries.owasp.org/cheatsheets/Deserialization\_Cheat\_Sheet.html#net-csharp](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization\_Cheat\_Sheet.html#net-csharp)
* [https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH\_US\_12\_Forshaw\_Are\_You\_My\_Type\_WP.pdf](https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH\_US\_12\_Forshaw\_Are\_You\_My\_Type\_WP.pdf)
* [https://www.slideshare.net/MSbluehat/dangerous-contents-securing-net-deserialization](https://www.slideshare.net/MSbluehat/dangerous-contents-securing-net-deserialization)
## **Ruby**
@ -690,7 +690,7 @@ Ruby has two methods to implement serialization inside the **marshal **library:
Ruby uses HMAC to sign the serialized object and saves the key on one of the following files:
* config/environment.rb
* config/initializers/secret_token.rb
* config/initializers/secret\_token.rb
* config/secrets.yml
* /proc/self/environ

View file

@ -14,13 +14,25 @@ Steal a cookie and use it to impersonate the user inside an application
### Session fixation
The attacker get a cookie from a web page and send to the victim a link so the victim logins using the cookie of the attacker. If the cookie is not changed when a user logs in, this could be useful because the attacker could be able to impersonate the user using the cookie.
The attacker get a cookie from a web page and send to the victim a link so the **victim logins using the cookie of the attacker**. If the cookie is not changed when a user logs in, this could be useful because the attacker could be able to impersonate the user using the cookie.
If you found a **XSS in a subdomain** or you** control a subdomain**, read:
{% content-ref url="cookie-tossing.md" %}
[cookie-tossing.md](cookie-tossing.md)
{% endcontent-ref %}
### Session donation
The attacker sends his own session to the victim. The victim will see that he is already loged and will suppose that he is inside his own account but the actions will be performed inside the attackers account.
The attacker sends his own session to the victim. The victim will see that he is already loged and will suppose that he is inside his own account but **the actions will be performed inside the attackers account**.
### [JWT Cookie](hacking-jwt-json-web-tokens.md)
If you found a **XSS in a subdomain** or you** control a subdomain**, read:
{% content-ref url="cookie-tossing.md" %}
[cookie-tossing.md](cookie-tossing.md)
{% endcontent-ref %}
### [JWT Cookie](../hacking-jwt-json-web-tokens.md)
Click on the previous link to access a page explaining possible flaws in JWT.
@ -142,6 +154,11 @@ This avoids the **client **to access the cookie (Via **Javascript **for example:
* This could be Bypassed with **TRACE** **HTTP** requests as the response from the server (if this HTTP method is available) will reflect the cookies sent. This technique is called **Cross-Site Tracking**.
* This technique is avoided by **modern browsers by not permitting sending a TRACE **request from JS. However, some bypassed to this have been found in specific software like sending `\r\nTRACE` instead of `TRACE` to IE6.0 SP2.
* Another way is the exploitation of zero/day vulnerabilities of the browsers.
* It's possible to **overwrite HttpOnly cookies** by performing a Cookie Jar overflow attack:
{% content-ref url="cookie-jar-overflow.md" %}
[cookie-jar-overflow.md](cookie-jar-overflow.md)
{% endcontent-ref %}
### Secure

View file

@ -0,0 +1,23 @@
# Cookie Jar Overflow
The browsers have a **limit on the number of cookies** that they can store for a page. Then, if for some cause you need to** make a cookie disappear**, you can **overflow the cookie jar** as the oldest ones will be deleted before:
```javascript
// Set many cookies
for (let i = 0; i < 700; i++) {
document.cookie = `cookie${i}=${i}; Secure`;
}
// Remove all cookies
for (let i = 0; i < 700; i++) {
document.cookie = `cookie${i}=${i};expires=Thu, 01 Jan 1970 00:00:01 GMT`;
}
```
Notice, that third party cookies pointing to a different domain won't be overwritten.
{% hint style="danger" %}
This attack can also be used to **overwrite HttpOnly cookies as you can delete it and then reset it with the value you want**.
Check this in [**this post with a lab**](https://www.sjoerdlangkemper.nl/2020/05/27/overwriting-httponly-cookies-from-javascript-using-cookie-jar-overflow/).
{% endhint %}

View file

@ -0,0 +1,51 @@
# Cookie Tossing
If an attacker is able to **control a subdomain of the domain of a company or finds a XSS in a subdomain** he will be able to perform this attack.
As it was indicated in the Cookies Hacking section, when a **cookie is set to a domain (specifying it) it will be used in the domain and in subdomains.**
{% hint style="danger" %}
Therefore, **an attacker is going to be able to set to the domain and subdomains an specific cookie doing something like **`document.cookie="session=1234; Path=/app/login; domain=.example.com"`
{% endhint %}
This can be really dangerous as the attacker may be able to:
* **Fixate the cookie of the victim to the attackers account **so if the user doesn't notice, **he will perform the actions in the attackers account **and the attacker may obtain some interesting information (check the history of the searches of the user in the platform, the victim may set his credit card in the account...)
* If the **cookie doesn't change after login**, the attacker may just **fixate a cookie**, wait until the victim logs in and then **use that cookie to log in as the victim**.
* If the **cookie is setting some initial value** (like in flask where the **cookie **may **set **the **CSRF token **of the session and this value will be maintained after the victim logs in), the **attacker may set this known value and then abuse it** (in that scenario, the attacker may then make the user perform a CSRF request as he knows the CSRF token).
### Cookie Order
When a browser receives two cookies with the same name **partially affecting the same scope** (domain, subdomains and path), the **browser will send both values of the cookie** when both are valid for the request.
Depending on who was the **oldest one**, and which has **the most specific path **indicated (when you set a cookie you indicates a path) the browser will **set the value of the cookie first** and then the value of the other one like in: `Cookie: iduser=MoreSpecificAndOldestCookie; iduser=LessSpecific;`
Most **web sites will only use the first value**. Then, if an attacker wants to set a cookie it's better to set it before another one if set or set it with a more specific path.
{% hint style="warning" %}
Moreover, the capability to **set a cookie in a more specific path** is very interesting as you will be able to make the **victim work with his cookie except in the specific path where the malicious cookie set will be sent before**.
{% endhint %}
### Protection Bypass
A possible protection against this attack would be that the **web server won't accept requests with two cookies with the same name but two different values**.
To bypass the scenario where the attacker is setting a cookie after the victim was already given the cookie, the attacker could cause a **cookie overflow** and then, once the** legit cookie is deleted, set the malicious one**.
{% content-ref url="cookie-jar-overflow.md" %}
[cookie-jar-overflow.md](cookie-jar-overflow.md)
{% endcontent-ref %}
Another useful **bypass **could be to **URL encode the name of the cookie** as some protections check for 2 cookies with the same name in a request and then the server will decode the names of the cookies.
### Defense**s**
#### **Use the prefix `__Host` in the cookie name**
* If a cookie name has this prefix, it **will only be accepted** in a Set-Cookie directive if it is marked Secure, was sent from a secure origin, does not include a Domain attribute, and has the Path attribute set to /
* **This prevents subdomains from forcing a cookie to the apex domain since these cookies can be seen as "domain-locked"**
### References
* ****[**@blueminimal**](https://twitter.com/blueminimal)****
* ****[**https://github.blog/2013-04-09-yummy-cookies-across-domains/**](https://github.blog/2013-04-09-yummy-cookies-across-domains/)****

View file

@ -19,7 +19,7 @@ Nowadays **web** **applications** usually **uses** some kind of **intermediary**
## **User input**
{% hint style="info" %}
Most of the web applications will **allow users to input some data that will be processed later.**\
&#x20;Most of the web applications will **allow users to input some data that will be processed later.**\
****Depending on the structure of the data the server is expecting some vulnerabilities may or may not apply.
{% endhint %}
@ -74,7 +74,7 @@ Depending on the HTTP headers given by the web server some vulnerabilities might
* [ ] [**Clickjacking**](clickjacking.md)****
* [ ] ****[**Content Security Policy bypass**](content-security-policy-csp-bypass.md)****
* [ ] ****[**Cookies Hacking**](hacking-with-cookies.md)****
* [ ] ****[**Cookies Hacking**](hacking-with-cookies/)****
* [ ] ****[**CORS - Misconfigurations & Bypass**](cors-bypass.md)****
### **Bypasses**
@ -93,7 +93,7 @@ There are several specific functionalities were some workarounds might be useful
### **Structured objects / Specific functionalities**
Some functionalities will require the **data to be structured on a very specific format** (like a language serialized object or a XML). Therefore, it's more easy to identify is the application might be vulnerable as it needs to be processing that kind of data.\
Some** specific functionalities** my be also vulnerable if a **specific format of the input is used** (like Email Header Injections).
Some** specific functionalities** my be also vulnerable if a **specific format of the input is used** (like Email Header Injections).&#x20;
* [ ] ****[**Deserialization**](deserialization/)****
* [ ] ****[**Email Header Injection**](email-header-injection.md)****

View file

@ -6,7 +6,7 @@
2. **Find the context** where it's reflected/used.
3. If **reflected**
1. Check **which symbols can you use** and depending on that, prepare the payload:
1. In **raw HTML**:
1. In **raw HTML**:&#x20;
1. Can you create new HTML tags?
2. Can you use events or attributes supporting `javascript:` protocol?
3. Can you bypass protections?
@ -258,7 +258,7 @@ Note that **any kind of HTML encode is valid**:
### Special Protocols Within the attribute
There you can use the protocols **`javascript:`** or **`data:`** in some places to **execute arbitrary JS code**. Some will require user interaction on some won't.
There you can use the protocols **`javascript:`** or **`data:`** in some places to **execute arbitrary JS code**. Some will require user interaction on some won't.&#x20;
```javascript
javascript:alert(1)
@ -571,7 +571,7 @@ Also, don't forget that **at the end of the mentioned post** you can find an exp
You could check is the **reflected values** are being **unicode normalized** in the server (or in the client side) and abuse this functionality to bypass protections. [**Find an example here**](../unicode-normalization-vulnerability.md#xss-cross-site-scripting).
### PHP FILTER_VALIDATE_EMAIL flag Bypass
### PHP FILTER\_VALIDATE\_EMAIL flag Bypass
```javascript
"><svg/onload=confirm(1)>"@x.y
@ -637,11 +637,11 @@ Past known protocols: `mailto://`, `//x:1/`, `ws://`, `wss://`, _empty Location
### Obfuscation & Advanced Bypass
* [https://github.com/aemkei/katakana.js](https://github.com/aemkei/katakana.js)
* [https://ooze.ninja/javascript/poisonjs](https://ooze.ninja/javascript/poisonjs)
* [https://javascriptobfuscator.herokuapp.com/](https://javascriptobfuscator.herokuapp.com)
* [https://skalman.github.io/UglifyJS-online/](https://skalman.github.io/UglifyJS-online/)
* [https://ooze.ninja/javascript/poisonjs](https://ooze.ninja/javascript/poisonjs)&#x20;
* [https://javascriptobfuscator.herokuapp.com/](https://javascriptobfuscator.herokuapp.com)&#x20;
* [https://skalman.github.io/UglifyJS-online/](https://skalman.github.io/UglifyJS-online/)&#x20;
* [http://www.jsfuck.com/](http://www.jsfuck.com)
* More sofisticated JSFuck: [https://medium.com/@Master_SEC/bypass-uppercase-filters-like-a-pro-xss-advanced-methods-daf7a82673ce](https://medium.com/@Master_SEC/bypass-uppercase-filters-like-a-pro-xss-advanced-methods-daf7a82673ce)
* More sofisticated JSFuck: [https://medium.com/@Master\_SEC/bypass-uppercase-filters-like-a-pro-xss-advanced-methods-daf7a82673ce](https://medium.com/@Master\_SEC/bypass-uppercase-filters-like-a-pro-xss-advanced-methods-daf7a82673ce)
* [http://utf-8.jp/public/jjencode.html](http://utf-8.jp/public/jjencode.html)
* [https://utf-8.jp/public/aaencode.html](https://utf-8.jp/public/aaencode.html)
@ -692,7 +692,7 @@ Past known protocols: `mailto://`, `//x:1/`, `ws://`, `wss://`, _empty Location
```
{% hint style="info" %}
You **won't be able to access the cookies from JavaScript** if the HTTPOnly flag is set in the cookie. But here you have [some ways to bypass this protection](../hacking-with-cookies.md#httponly) if you are lucky enough.
You **won't be able to access the cookies from JavaScript** if the HTTPOnly flag is set in the cookie. But here you have [some ways to bypass this protection](../hacking-with-cookies/#httponly) if you are lucky enough.
{% endhint %}
### Steal Page Content
@ -735,7 +735,7 @@ for(var i=0; i<ports.length; i++) {
_Short times indicate a responding port_ _Longer times indicate no response._
Review the list of ports banned in Chrome [**here**](https://src.chromium.org/viewvc/chrome/trunk/src/net/base/net_util.cc) and in Firefox [**here**](https://www-archive.mozilla.org/projects/netlib/portbanning#portlist).
Review the list of ports banned in Chrome [**here**](https://src.chromium.org/viewvc/chrome/trunk/src/net/base/net\_util.cc) and in Firefox [**here**](https://www-archive.mozilla.org/projects/netlib/portbanning#portlist).
### Box to ask for credentials

View file

@ -69,7 +69,7 @@ Database
| ****[**Client-Side SQl injection**](dom-xss.md#client-side-sql-injection)**** | ****[**Web-message manipulation**](dom-xss.md#web-message-manipulation)**** | `history.replaceState()` | `WebSocket` |
| `executeSql()` | `postMessage()` | `` | `` |
The **`innerHTML`** sink doesn't accept `script` elements on any modern browser, nor will `svg onload` events fire. This means you will need to use alternative elements like `img` or `iframe`.
&#x20;The **`innerHTML`** sink doesn't accept `script` elements on any modern browser, nor will `svg onload` events fire. This means you will need to use alternative elements like `img` or `iframe`.
This kind of XSS is probably the **hardest to find**, as you need to look inside the JS code, see if it's **using **any object whose **value you control**, and in that case, see if there is **any way to abuse** it to execute arbitrary JS.
@ -112,7 +112,7 @@ From: [https://portswigger.net/web-security/dom-based/cookie-manipulation](https
#### How
DOM-based cookie-manipulation vulnerabilities arise when a script writes **attacker-controllable data into the value of a cookie**.\
This could be abuse to make the page behaves on unexpected manner (if the cookie is used in the web) or to perform a [session fixation](../hacking-with-cookies.md#session-fixation) attack (if the cookie is used to track the user's session).
This could be abuse to make the page behaves on unexpected manner (if the cookie is used in the web) or to perform a [session fixation](../hacking-with-cookies/#session-fixation) attack (if the cookie is used to track the user's session).
#### Sinks
@ -151,7 +151,7 @@ From: [https://portswigger.net/web-security/dom-based/document-domain-manipulati
Document-domain manipulation vulnerabilities arise when a script uses **attacker-controllable data to set **the **`document.domain`** property.
The `document.domain` property is used by browsers in their **enforcement **of the **same origin policy**. If **two pages** from **different **origins explicitly set the **same `document.domain`** value, then those two pages can **interact in unrestricted ways**.\
&#x20;The `document.domain` property is used by browsers in their **enforcement **of the **same origin policy**. If **two pages** from **different **origins explicitly set the **same `document.domain`** value, then those two pages can **interact in unrestricted ways**.\
Browsers **generally enforce some restrictions** on the values that can be assigned to `document.domain`, and may prevent the use of completely different values than the actual origin of the page.** But this doesn't occur always **and they usually** allow to use child **or **parent** domains.
#### Sinks
@ -170,7 +170,7 @@ WebSocket-URL poisoning occurs when a script uses **controllable data as the tar
#### Sinks
The `WebSocket` constructor can lead to WebSocket-URL poisoning vulnerabilities.
&#x20;The `WebSocket` constructor can lead to WebSocket-URL poisoning vulnerabilities.
### Link manipulation