id: apache-webdav-dir-listing

info:
  name: Apache WebDAV Module PROPFIND Arbitrary Directory Listing
  author: segfolt
  severity: Medium
  # https://vuldb.com/?id.16000

requests:
  - raw: |
id: CVE-2002-0561

info:
  name: Oracle 9iAS PL/SQL Gateway Web Admin Interface Null Authentication
  author: Segfolt
  severity: High

requests:
  - method: GET
    path:
id: CVE-2017-12542

info:
  name: iLO 4 < 2.53 - Add New Administrator User
  author: segfolt
  severity: High
  # Exploit Source: https://www.exploit-db.com/exploits/44005
  # Reference: https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbhf03769en_us

requests:
  - raw: |
// shared by @Retrospected: https://github.com/Retrospected/spring-rce-poc
@InitBinder
public void initBinder(WebDataBinder binder) {
    // Deny binding of any request parameter whose name reaches the "class" property chain
    String[] blackList = {"class.*", "Class.*", "*.class.*", ".*Class.*"};
    binder.setDisallowedFields(blackList);
}
#!/usr/bin/expect -f

# Constants
set user ""
set pass ""
set timeout -1

# Options
match_max 100000
log_user 0
# Get container id
docker ps | grep mysql

# Backup (no -t: a pseudo-TTY can mangle the dump's line endings when redirected to a file)
docker exec -i <container_id> mysqldump -u defectdojo --password=defectdojo defectdojo > backup.sql

# Restore (redirect the file straight into stdin; "< cat backup.sql" is not valid shell)
docker exec -i <container_id> mysql -u defectdojo --password=defectdojo defectdojo < backup.sql
certifi==2021.5.30
charset-normalizer==2.0.6
click==8.0.1
Flask==2.0.1
Flask-SQLAlchemy==2.5.1
greenlet==1.1.1
idna==3.2
itsdangerous==2.0.1
Jinja2==3.0.1
MarkupSafe==2.0.1
In the default configuration of Active Directory, it is possible to remotely take over workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. In short, this is accomplished by:
- Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
- Relaying that machine authentication to LDAPS to configure RBCD.
- Completing the RBCD takeover.
The caveat is that the WebClient service does not start automatically at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), that system can be taken over remotely. In addition, there are several ways to coerce the WebClient service to start remotely, which I cover in a section below.