Advanced Web Attacks and Exploitation

5.2.6 Triggering the Vulnerability..............................................................................................142


5.3 How Houdini Escapes ................................................................................................................ 145
5.3.2 Using CHR and String Concatenation ........................................................................... 147
5.3.3 It Makes Lexical Sense .....................................................................................................148
5.4 Blind Bats ..................................................................................................................................... 148
5.5 Accessing the File System ........................................................................................................ 149
5.5.2 Reverse Shell Via Copy To ............................................................................................... 151
5.6 PostgreSQL Extensions ............................................................................................................. 158
5.6.1 Build Environment ............................................................................................................. 158
5.6.2 Testing the Extension ......................................................................................................161
5.6.3 Loading the Extension from a Remote Location .........................................................162
5.7 UDF Reverse Shell ...................................................................................................................... 162
5.8 More Shells!!! ............................................................................................................................... 165
5.8.1 PostgreSQL Large Objects .............................................................................................. 165
5.8.2 Large Object Reverse Shell ..............................................................................................168
5.9 Summary ...................................................................................................................................... 171
6. Bassmaster NodeJS Arbitrary JavaScript Injection Vulnerability............................................... 172
6.1 Getting Started ............................................................................................................................ 172
6.2 The Bassmaster Plugin ............................................................................................................. 172
6.3 Vulnerability Discovery .............................................................................................................. 173
6.4 Triggering the Vulnerability ....................................................................................................... 181
6.5 Obtaining a Reverse Shell ......................................................................................................... 183
6.6 Wrapping Up ................................................................................................................................ 187
7. DotNetNuke Cookie Deserialization RCE ......................................................................................... 188
7.1 Serialization Basics .................................................................................................................... 188
7.1.1 XmlSerializer Limitations ................................................................................................. 189
7.1.2 Basic XmlSerializer Example...........................................................................................189
7.1.3 Expanded XmlSerializer Example...................................................................................193
7.1.4 Watch your Type, Dude ...................................................................................................197
7.2 DotNetNuke Vulnerability Analysis ......................................................................................... 200
7.2.1 Vulnerability Overview ...................................................................................................... 200
7.2.2 Manipulation of Assembly Attributes for Debugging ................................................203
7.2.3 Debugging DotNetNuke Using dnSpy ...........................................................................206
7.2.4 How Did We Get Here? ....................................................................................................208
7.3 Payload Options..........................................................................................................................211

WEB-300 Copyright © 2022 Hide01.ir Free Learning. All rights reserved. 5

7.3.1 FileSystemUtils PullFile Method .....................................................................................212
7.3.2 ObjectDataProvider Class ................................................................................................212
7.3.3 Example Use of the ObjectDataProvider Instance ......................................................216
7.3.4 Serialization of the ObjectDataProvider .......................................................................220
7.3.5 Enter The Dragon (ExpandedWrapper Class) ..............................................................223
7.4 Putting It All Together ................................................................................................................ 228
7.5 Wrapping Up ................................................................................................................................ 233
8. ERPNext Authentication Bypass and Server Side Template Injection ....................................... 234
8.1 Getting Started ............................................................................................................................ 234
8.1.1 Configuring the SMTP Server.......................................................................................... 234
8.1.2 Configuring Remote Debugging ....................................................................................235
8.1.3 Configuring MariaDB Query Logging .............................................................................244
8.2 Introduction to MVC, Metadata-Driven Architecture, and HTTP Routing ....................... 245
8.2.1 Model-View-Controller Introduction ............................................................................... 245
8.2.2 Metadata-driven Design Patterns...................................................................................248
8.2.3 HTTP Routing in Frappe...................................................................................................252
8.3 Authentication Bypass Discovery ........................................................................................... 257
8.3.1 Discovering the SQL Injection ......................................................................................... 257
8.4 Authentication Bypass Exploitation ........................................................................................ 266
8.4.1 Obtaining Admin User Information ................................................................................ 267
8.4.2 Resetting the Admin Password .....................................................................................268
8.5 SSTI Vulnerability Discovery .................................................................................................... 277
8.5.1 Introduction to Templating Engines .............................................................................. 277
8.5.2 Discovering The Rendering Function ............................................................................282
8.5.3 SSTI Vulnerability Filter Evasion ....................................................................................290
8.6 SSTI Vulnerability Exploitation ................................................................................................ 293
8.6.1 Finding a Method for Remote Command Execution .................................................. 293
8.6.2 Gaining Remote Command Execution ..........................................................................298
8.7 Wrapping Up ................................................................................................................................ 299
9. openCRX Authentication Bypass and Remote Code Execution.................................................. 300
9.1 Getting Started ............................................................................................................................ 300
9.2 Password Reset Vulnerability Discovery................................................................................ 300
9.2.1 When Random Isn’t ........................................................................................................... 308
9.2.2 Account Determination ...................................................................................................311
9.2.3 Timing the Reset Request ...............................................................................................312

9.2.4 Generate Token List ..........................................................................................................313
9.2.5 Automating Resets ...........................................................................................................315
9.3 XML External Entity Vulnerability Discovery ........................................................................ 319
9.3.2 Introduction to XML .......................................................................................................... 320
9.3.3 XML Parsing ......................................................................................................................320
9.3.4 XML Entities........................................................................................................................321
9.3.5 Understanding XML External Entity Processing Vulnerabilities ..............................322
9.3.6 Finding the Attack Vector ................................................................................................323
9.3.7 CDATA ................................................................................................................................329
9.3.8 Updating the XXE Exploit ................................................................................................330
9.3.9 Gaining Remote Access to HSQLDB .............................................................................331
9.3.10 Java Language Routines .................................................................................................336
9.4 Remote Code Execution ........................................................................................................... 336
9.4.2 Finding the Write Location ............................................................................................... 342
9.4.3 Writing Web Shells ...........................................................................................................342
9.5 Wrapping Up ................................................................................................................................ 343
10. openITCOCKPIT XSS and OS Command Injection - Blackbox ............................................... 344
10.1 Getting Started ............................................................................................................................ 344
10.2 Black Box Testing in openITCOCKPIT .................................................................................... 344
10.3 Application Discovery ................................................................................................................ 345
10.3.1 Building a Sitemap ............................................................................................................ 345
10.3.2 Targeted Discovery ..........................................................................................................350
10.4 Intro To DOM-based XSS .......................................................................................................... 355
10.5 XSS Hunting ................................................................................................................................. 357
10.6 Advanced XSS Exploitation ...................................................................................................... 359
10.6.1 What We Can and Can’t Do ............................................................................................. 359
10.6.2 Writing to DOM...................................................................................................................361
10.6.3 Creating the Database ......................................................................................................364
10.6.4 Creating the API .................................................................................................................367
10.6.5 Scraping Content...............................................................................................................369
10.6.6 Dumping the Contents .....................................................................................................372
10.7 RCE Hunting ................................................................................................................................ 373
10.7.1 Discovery ............................................................................................................................. 374
10.7.2 Reading and Understanding the JavaScript.................................................................376
10.7.3 Interacting With the WebSocket Server ........................................................................381

10.7.4 Building a Client ................................................................................................................381
10.7.5 Attempting to Inject Commands ....................................................................................385
10.7.6 Digging Deeper...................................................................................................................386
10.8 Wrapping Up ................................................................................................................................ 389
11. Concord Authentication Bypass to RCE ..................................................................................... 391
11.1 Getting Started ............................................................................................................................ 391
11.2 Authentication Bypass: Round One - CSRF and CORS ....................................................... 395
11.2.1 Same-Origin Policy (SOP) ................................................................................................ 396
11.2.2 Cross-Origin Resource Sharing (CORS) .......................................................................401
11.2.3 Discovering Unsafe CORS Headers ..............................................................................409
11.2.4 SameSite Attribute ...........................................................................................................411
11.2.5 Exploit Permissive CORS and CSRF .............................................................................414
11.3 Authentication Bypass: Round Two - Insecure Defaults..................................................... 428
11.4 Wrapping Up ................................................................................................................................ 435
12. Server Side Request Forgery......................................................................................................... 437
12.1 Getting Started ............................................................................................................................ 437
12.2 Introduction to Microservices .................................................................................................. 437
12.2.2 Web Service URL Formats ............................................................................................... 438
12.3 API Discovery via Verb Tampering .......................................................................................... 440
12.3.1 Initial Enumeration ......................................................................................................... 440
12.3.2 Advanced Enumeration with Verb Tampering .............................................................445
12.4 Introduction to Server-Side Request Forgery ........................................................................ 448
12.4.1 Server-Side Request Forgery Discovery ........................................................................ 448
12.4.2 Source Code Analysis .......................................................................................................450
12.4.3 Exploiting Blind SSRF in Directus ..................................................................................452
12.4.4 Port Scanning via Blind SSRF .........................................................................................454
12.4.5 Subnet Scanning with SSRF ............................................................................................456
12.4.6 Host Enumeration ............................................................................................................459
12.5 Render API Auth Bypass ........................................................................................................... 461
12.6 Exploiting Headless Chrome ................................................................................................... 463
12.6.2 Using JavaScript to Exfiltrate Data ................................................................................ 465
12.6.3 Stealing Credentials from Kong Admin API .................................................................467
12.6.4 URL to PDF Microservice Source Code Analysis ........................................................468
12.7 Remote Code Execution ............................................................................................................ 472
12.7.1 RCE in Kong Admin API .................................................................................................... 473
