Posts

Showing posts from December, 2020

Apache Tomcat AJP Connector Request Injection (Ghostcat)

Image
Apache Tomcat AJP Connector Request Injection (Ghostcat)- Ghostcat [CVE-2020–1938] is a LFI vulnerability in AJP service. An attacker can exploit Ghostcat vulnerability and read the contents of configuration files and source code files of all webapps deployed on Tomcat. For example, the /WEB-INF/web.xml file is the Web Root directory who’s access is restricted and cannot be accessed by anyone over HTTP Tomcat server. So by exploiting the Ghostcat [CVE-2020–1938] vulnerability, it is possible to read contents of the files in the Web server directory from AJP13 protocol (LFI vulnerability). In our case the /WEB-INF/web.xml file. Run below command from the terminal- (Downloaded exploit at https://github.com/00theway/Ghostcat-CNVD-2020-10487/blob/master/ajpShooter.py Location) python3 ajpShooter.py http://IP:8080 8009 /WEB-INF/web.xml read Impact-A file read/inclusion vulnerability was found in AJP connector. A remote, unauthenticated attacker could exploit this vulnerability to read web a...

FFUF Commands

  List of Useful FFUF command- ffuf -w wordlist.txt:FUZZ -w urls.txt:HOSTS -u https://HOSTS/FUZZ -c ffuf -u https://Target URL/W1 -w ./wordlist.txt:W1 ffuf -u https://W2/W1 -w ./wordlist.txt:W1,./domains.txt:W2 ffuf -u https://FUZZDOMAIN/FUZZDIR -w ./wordlist.txt:FUZZDIR,./domains.txt:FUZZDOMAIN ffuf -u https://FUZZDOMAIN/FUZZDIR -w ./domains.txt:FUZZDOMAIN,./wordlist.txt:FUZZDIR  ffuf -u https://W2/W1 -w ./wordlist.txt:W1 -w ./domains.txt:W2 To remove this, and only show results that line up with the matcher filters, you can use the silent flag, -s. This flag will enforce only successful hits to be shown. For example, our command from earlier, if exapnded with -s becomes: ffuf -u https://codingo.io/FUZZ -w ./wordlist.txt -s Also, use mc and fc option to match or filter the responses. Thanks!!

Adding Module To Metasploit From Searchsploit (ExploitDB)

Adding Module To Metasploit From Searchsploit (ExploitDB) 1-Look for the exploit you want to add: searchsploit sonicwall 8.1.0.2-14sv Make a note of the path for the exploit. 2-Next, you would need to create a folder in the .msf4/modules directory that correlates with the path in exploit-db. So in this case I will add cgi/webapps. 3-Go to your newly created folder and copy the exploit: cp /usr/share/exploitdb/exploits/cgi/webapps/42344.rb /root/.msf4/modules/exploits/cgi/webapps/ 4-Make sure that you specify both, the root path (its specified right underneath the title “Path” in the searchsploit search output) and the relative path. 5-Once you are done run updatedb. 6-If your msfconsole is running make sure to close it and reopen again after running updatedb. You can now use the exploit.You will also see that the number of exploits is increased by one.