Advanced Web Attacks and Exploitation

5.2.6 Triggering the Vulnerability..............................................................................................142
5.3 How Houdini Escapes ................................................................................................................. 145
5.3.2 Using CHR and String Concatenation ........................................................................... 147
5.3.3 It Makes Lexical Sense .....................................................................................................148
5.4 Blind Bats .................................................................................................................................... 148
5.5 Accessing the File System ........................................................................................................ 149
5.5.2 Reverse Shell Via Copy To ............................................................................................... 151
5.6 PostgreSQL Extensions ............................................................................................................. 158
5.6.1 Build Environment ............................................................................................................. 158
5.6.2 Testing the Extension ......................................................................................................161
5.6.3 Loading the Extension from a Remote Location .........................................................162
5.7 UDF Reverse Shell ...................................................................................................................... 162
5.8 More Shells!!! ............................................................................................................................... 165
5.8.1 PostgreSQL Large Objects .............................................................................................. 165
5.8.2 Large Object Reverse Shell ..............................................................................................168
5.9 Summary ...................................................................................................................................... 171
6. Bassmaster NodeJS Arbitrary JavaScript Injection Vulnerability............................................... 172
6.1 Getting Started ............................................................................................................................ 172
6.2 The Bassmaster Plugin ............................................................................................................. 172
6.3 Vulnerability Discovery .............................................................................................................. 173
6.4 Triggering the Vulnerability ....................................................................................................... 181
6.5 Obtaining a Reverse Shell ......................................................................................................... 183
6.6 Wrapping Up ................................................................................................................................ 187
7. DotNetNuke Cookie Deserialization RCE ......................................................................................... 188
7.1 Serialization Basics .................................................................................................................... 188
7.1.1 XmlSerializer Limitations ................................................................................................. 189
7.1.2 Basic XmlSerializer Example...........................................................................................189
7.1.3 Expanded XmlSerializer Example...................................................................................193
7.1.4 Watch your Type, Dude ...................................................................................................197
7.2 DotNetNuke Vulnerability Analysis ......................................................................................... 200
7.2.1 Vulnerability Overview ...................................................................................................... 200
7.2.2 Manipulation of Assembly Attributes for Debugging ................................................203
7.2.3 Debugging DotNetNuke Using dnSpy ...........................................................................206
7.2.4 How Did We Get Here? ....................................................................................................208
7.3 Payload Options..........................................................................................................................211

WEB-300 Copyright © 2022 Hide01.ir Free Learning. All rights reserved. 5
7.3.1 FileSystemUtils PullFile Method .....................................................................................212
7.3.2 ObjectDataProvider Class ................................................................................................212
7.3.3 Example Use of the ObjectDataProvider Instance ......................................................216
7.3.4 Serialization of the ObjectDataProvider .......................................................................220
7.3.5 Enter The Dragon (ExpandedWrapper Class) ..............................................................223
7.4 Putting It All Together ................................................................................................................ 228
7.5 Wrapping Up ................................................................................................................................ 233
8. ERPNext Authentication Bypass and Server Side Template Injection ....................................... 234
8.1 Getting Started ............................................................................................................................ 234
8.1.1 Configuring the SMTP Server.......................................................................................... 234
8.1.2 Configuring Remote Debugging ....................................................................................235
8.1.3 Configuring MariaDB Query Logging .............................................................................244
8.2 Introduction to MVC, Metadata-Driven Architecture, and HTTP Routing ....................... 245
8.2.1 Model-View-Controller Introduction ............................................................................... 245
8.2.2 Metadata-driven Design Patterns...................................................................................248
8.2.3 HTTP Routing in Frappe...................................................................................................252
8.3 Authentication Bypass Discovery ........................................................................................... 257
8.3.1 Discovering the SQL Injection ......................................................................................... 257
8.4 Authentication Bypass Exploitation ........................................................................................ 266
8.4.1 Obtaining Admin User Information ................................................................................ 267
8.4.2 Resetting the Admin Password .....................................................................................268
8.5 SSTI Vulnerability Discovery .................................................................................................... 277
8.5.1 Introduction to Templating Engines .............................................................................. 277
8.5.2 Discovering The Rendering Function ............................................................................282
8.5.3 SSTI Vulnerability Filter Evasion ....................................................................................290
8.6 SSTI Vulnerability Exploitation ................................................................................................ 293
8.6.1 Finding a Method for Remote Command Execution .................................................. 293
8.6.2 Gaining Remote Command Execution ..........................................................................298
8.7 Wrapping Up ................................................................................................................................ 299
9. openCRX Authentication Bypass and Remote Code Execution.................................................. 300
9.1 Getting Started ............................................................................................................................ 300
9.2 Password Reset Vulnerability Discovery................................................................................ 300
9.2.1 When Random Isn’t ........................................................................................................... 308
9.2.2 Account Determination ...................................................................................................311
9.2.3 Timing the Reset Request ...............................................................................................312
9.2.4 Generate Token List ..........................................................................................................313
9.2.5 Automating Resets ...........................................................................................................315
9.3 XML External Entity Vulnerability Discovery ........................................................................ 319
9.3.2 Introduction to XML .......................................................................................................... 320
9.3.3 XML Parsing ......................................................................................................................320
9.3.4 XML Entities........................................................................................................................321
9.3.5 Understanding XML External Entity Processing Vulnerabilities ..............................322
9.3.6 Finding the Attack Vector ................................................................................................323
9.3.7 CDATA ................................................................................................................................329
9.3.8 Updating the XXE Exploit ................................................................................................330
9.3.9 Gaining Remote Access to HSQLDB .............................................................................331
9.3.10 Java Language Routines .................................................................................................336
9.4 Remote Code Execution ........................................................................................................... 336
9.4.2 Finding the Write Location ............................................................................................... 342
9.4.3 Writing Web Shells ...........................................................................................................342
9.5 Wrapping Up ................................................................................................................................ 343
10. openITCOCKPIT XSS and OS Command Injection - Blackbox ............................................... 344
10.1 Getting Started ............................................................................................................................ 344
10.2 Black Box Testing in openITCOCKPIT .................................................................................... 344
10.3 Application Discovery ................................................................................................................ 345
10.3.1 Building a Sitemap ............................................................................................................ 345
10.3.2 Targeted Discovery ..........................................................................................................350
10.4 Intro To DOM-based XSS .......................................................................................................... 355
10.5 XSS Hunting ................................................................................................................................. 357
10.6 Advanced XSS Exploitation ...................................................................................................... 359
10.6.1 What We Can and Can’t Do ............................................................................................. 359
10.6.2 Writing to DOM...................................................................................................................361
10.6.3 Creating the Database ......................................................................................................364
10.6.4 Creating the API .................................................................................................................367
10.6.5 Scraping Content...............................................................................................................369
10.6.6 Dumping the Contents .....................................................................................................372
10.7 RCE Hunting ................................................................................................................................ 373
10.7.1 Discovery ............................................................................................................................. 374
10.7.2 Reading and Understanding the JavaScript.................................................................376
10.7.3 Interacting With the WebSocket Server ........................................................................381
10.7.4 Building a Client ................................................................................................................381
10.7.5 Attempting to Inject Commands ....................................................................................385
10.7.6 Digging Deeper...................................................................................................................386
10.8 Wrapping Up ................................................................................................................................ 389
11. Concord Authentication Bypass to RCE ..................................................................................... 391
11.1 Getting Started ............................................................................................................................ 391
11.2 Authentication Bypass: Round One - CSRF and CORS ....................................................... 395
11.2.1 Same-Origin Policy (SOP) ................................................................................................ 396
11.2.2 Cross-Origin Resource Sharing (CORS) .......................................................................401
11.2.3 Discovering Unsafe CORS Headers ..............................................................................409
11.2.4 SameSite Attribute ...........................................................................................................411
11.2.5 Exploit Permissive CORS and CSRF .............................................................................414
11.3 Authentication Bypass: Round Two - Insecure Defaults..................................................... 428
11.4 Wrapping Up ................................................................................................................................ 435
12. Server Side Request Forgery......................................................................................................... 437
12.1 Getting Started ............................................................................................................................ 437
12.2 Introduction to Microservices .................................................................................................. 437
12.2.2 Web Service URL Formats ............................................................................................... 438
12.3 API Discovery via Verb Tampering .......................................................................................... 440
12.3.1 Initial Enumeration ............................................................................................................ 440
12.3.2 Advanced Enumeration with Verb Tampering .............................................................445
12.4 Introduction to Server-Side Request Forgery ........................................................................ 448
12.4.1 Server-Side Request Forgery Discovery ........................................................................ 448
12.4.2 Source Code Analysis .......................................................................................................450
12.4.3 Exploiting Blind SSRF in Directus ..................................................................................452
12.4.4 Port Scanning via Blind SSRF .........................................................................................454
12.4.5 Subnet Scanning with SSRF ............................................................................................456
12.4.6 Host Enumeration ............................................................................................................459
12.5 Render API Auth Bypass ........................................................................................................... 461
12.6 Exploiting Headless Chrome .................................................................................................. 463
12.6.2 Using JavaScript to Exfiltrate Data ................................................................................ 465
12.6.3 Stealing Credentials from Kong Admin API .................................................................467
12.6.4 URL to PDF Microservice Source Code Analysis ........................................................468
12.7 Remote Code Execution ............................................................................................................ 472
12.7.1 RCE in Kong Admin API .................................................................................................... 473