Skip to content

Commit 555e1b7

Browse files
committed
update
1 parent d879338 commit 555e1b7

7 files changed

Lines changed: 327 additions & 0 deletions

File tree

src/AI/AI-MCP-Servers.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -90,6 +90,8 @@ Note that depending of the client settings it might be possible to run arbitrary
9090

9191
Moreover, note that the description could indicate to use other functions that could facilitate these attacks. For example, if there is already a function that allows to exfiltrate data maybe sending an email (e.g. the user is using a MCP server connect to his gmail ccount), the description could indicate to use that function instead of running a `curl` command, which would be more likely to be noticed by the user. An example can be found in this [blog post](https://blog.trailofbits.com/2025/04/23/how-mcp-servers-can-steal-your-conversation-history/).
9292

93+
Furthermore, [**this blog post**](https://www.cyberark.com/resources/threat-research-blog/poison-everywhere-no-output-from-your-mcp-server-is-safe) describes how it's possible to add the prompt injection not only in the description of the tools but also in the type, in variable names, in extra fields returned in the JSON response by the MCP server and even in an unexpected response from a tool, making the prompt injection attack even more stealthy and difficult to detect.
94+
9395

9496
### Prompt Injection via Indirect Data
9597

src/SUMMARY.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -609,6 +609,7 @@
609609
- [hop-by-hop headers](pentesting-web/abusing-hop-by-hop-headers.md)
610610
- [IDOR](pentesting-web/idor.md)
611611
- [JWT Vulnerabilities (Json Web Tokens)](pentesting-web/hacking-jwt-json-web-tokens.md)
612+
- [JSON, XML and YAML Hacking](pentesting-web/json-xml-yaml-hacking.md)
612613
- [LDAP Injection](pentesting-web/ldap-injection.md)
613614
- [Login Bypass](pentesting-web/login-bypass/README.md)
614615
- [Login bypass List](pentesting-web/login-bypass/sql-login-bypass.md)

src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/README.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -357,6 +357,8 @@ In several occasions you will find that the **container has some volume mounted
357357
docker run --rm -it -v /:/host ubuntu bash
358358
```
359359
360+
Another interesting example can be found in [**this blog**](https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce) where it's indicated that the host's `/usr/bin/` and `/bin/` folders are mounted inside the container allowing the root user of the container to modify binaries inside these folders. Therefore, if a cron job is using any binary from there, like `/etc/cron.d/popularity-contest` this allows to escape from the container by modifying a binary used by the cron job.
361+
360362
### Privilege Escalation with 2 shells and host mount
361363
362364
If you have access as **root inside a container** that has some folder from the host mounted and you have **escaped as a non privileged user to the host** and have read access over the mounted folder.\
Lines changed: 143 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,143 @@
1+
# JSON, XML & Yaml Hacking & Issues
2+
3+
{{#include ../banners/hacktricks-training.md}}
4+
5+
## Go JSON Decoder
6+
7+
The following issues were detected in the Go JSON although they could be present in other languages as well. These issues were published in [**this blog post**](https://blog.trailofbits.com/2025/06/17/unexpected-security-footguns-in-gos-parsers/).
8+
9+
Go’s JSON, XML, and YAML parsers have a long trail of inconsistencies and insecure defaults that can be abused to **bypass authentication**, **escalate privileges**, or **exfiltrate sensitive data**.
10+
11+
12+
### (Un)Marshaling Unexpected Data
13+
14+
The goal is to exploit structs that allow an attacker to read/write sensitive fields (e.g., `IsAdmin`, `Password`).
15+
16+
- Example Struct:
17+
```go
18+
type User struct {
19+
Username string `json:"username,omitempty"`
20+
Password string `json:"password,omitempty"`
21+
IsAdmin bool `json:"-"`
22+
}
23+
```
24+
25+
- Common Vulnerabilities
26+
27+
1. **Missing tag** (no tag = field is still parsed by default):
28+
```go
29+
type User struct {
30+
Username string
31+
}
32+
```
33+
34+
Payload:
35+
```json
36+
{"Username": "admin"}
37+
```
38+
39+
2. **Incorrect use of `-`**:
40+
```go
41+
type User struct {
42+
IsAdmin bool `json:"-,omitempty"` // ❌ wrong
43+
}
44+
```
45+
46+
Payload:
47+
```json
48+
{"-": true}
49+
```
50+
51+
✔️ Proper way to block field from being (un)marshaled:
52+
```go
53+
type User struct {
54+
IsAdmin bool `json:"-"`
55+
}
56+
```
57+
58+
59+
### Parser Differentials
60+
61+
The goal is to bypass authorization by exploiting how different parsers interpret the same payload differently like in:
62+
- CVE-2017-12635: Apache CouchDB bypass via duplicate keys
63+
- 2022: Zoom 0-click RCE via XML parser inconsistency
64+
- GitLab 2025 SAML bypass via XML quirks
65+
66+
67+
**1. Duplicate Fields:**
68+
Go's `encoding/json` takes the **last** field.
69+
70+
```go
71+
json.Unmarshal([]byte(`{"action":"UserAction", "action":"AdminAction"}`), &req)
72+
fmt.Println(req.Action) // AdminAction
73+
```
74+
75+
Other parsers (e.g., Java’s Jackson) may take the **first**.
76+
77+
**2. Case Insensitivity:**
78+
Go is case-insensitive:
79+
```go
80+
json.Unmarshal([]byte(`{"AcTiOn":"AdminAction"}`), &req)
81+
// matches `Action` field
82+
```
83+
84+
Even Unicode tricks work:
85+
```go
86+
json.Unmarshal([]byte(`{"aKtionſ": "bypass"}`), &req)
87+
```
88+
89+
**3. Cross-service mismatch:**
90+
Imagine:
91+
- Proxy written in Go
92+
- AuthZ service written in Python
93+
94+
Attacker sends:
95+
```json
96+
{
97+
"action": "UserAction",
98+
"AcTiOn": "AdminAction"
99+
}
100+
```
101+
102+
- Python sees `UserAction`, allows it
103+
- Go sees `AdminAction`, executes it
104+
105+
106+
### Data Format Confusion (Polyglots)
107+
108+
The goal is to exploit systems that mix formats (JSON/XML/YAML) or fail open on parser errors like:
109+
- **CVE-2020-16250**: HashiCorp Vault parsed JSON with an XML parser after STS returned JSON instead of XML.
110+
111+
Attacker controls:
112+
- The `Accept: application/json` header
113+
- Partial control of JSON body
114+
115+
Go’s XML parser parsed it **anyway** and trusted the injected identity.
116+
117+
- Crafted payload:
118+
```json
119+
{
120+
"action": "Action_1",
121+
"AcTiOn": "Action_2",
122+
"ignored": "<?xml version=\"1.0\"?><Action>Action_3</Action>"
123+
}
124+
```
125+
126+
Result:
127+
- **Go JSON** parser: `Action_2` (case-insensitive + last wins)
128+
- **YAML** parser: `Action_1` (case-sensitive)
129+
- **XML** parser: parses `"Action_3"` inside the string
130+
131+
132+
### 🔐 Mitigations
133+
134+
| Risk | Fix |
135+
|-----------------------------|---------------------------------------|
136+
| Unknown fields | `decoder.DisallowUnknownFields()` |
137+
| Duplicate fields (JSON) | ❌ No fix in stdlib |
138+
| Case-insensitive match | ❌ No fix in stdlib |
139+
| XML garbage data | ❌ No fix in stdlib |
140+
| YAML: unknown keys | `yaml.KnownFields(true)` |
141+
142+
143+
{{#include ../banners/hacktricks-training.md}}

src/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -455,6 +455,9 @@ $userData = Invoke- RestMethod -Headers @{"Metadata"="true"} -Method GET -Uri "h
455455
{{#endtab}}
456456
{{#endtabs}}
457457
458+
> [!WARNING]
459+
> Note that the endpoint **`http://169.254.169.254/metadata/v1/instanceinfo` doesn't require the `Metadata: True` header** which is great to show impact in SSRF vulnerabilities in Azure were you cannot add this header.
460+
458461
### Azure App & Functions Services & Automation Accounts
459462
460463
From the **env** you can get the values of **`IDENTITY_HEADER`** and **`IDENTITY_ENDPOINT`**. That you can use to gather a token to speak with the metadata server.

src/pentesting-web/websocket-attacks.md

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -95,6 +95,10 @@ You can use the **tool** [**https://github.com/PalindromeLabs/STEWS**](https://g
9595

9696
In [**Burp-Suite-Extender-Montoya-Course**](https://github.com/federicodotta/Burp-Suite-Extender-Montoya-Course) you have a code to launch a web using websockets and in [**this post**](https://security.humanativaspa.it/extending-burp-suite-for-fun-and-profit-the-montoya-way-part-3/) you can find an explanation.
9797

98+
## Websocket Fuzzing
99+
100+
The burp extension [**Backslash Powered Scanner**](https://github.com/PortSwigger/backslash-powered-scanner) now allows to fuzz also WebSocket messages. You can read more infromation abou this [**here**](https://arete06.com/posts/fuzzing-ws/#adding-websocket-support-to-backslash-powered-scanner).
101+
98102
## Cross-site WebSocket hijacking (CSWSH)
99103

100104
**Cross-site WebSocket hijacking**, also known as **cross-origin WebSocket hijacking**, is identified as a specific case of **[Cross-Site Request Forgery (CSRF)](csrf-cross-site-request-forgery.md)** affecting WebSocket handshakes. This vulnerability arises when WebSocket handshakes authenticate solely via **HTTP cookies** without **CSRF tokens** or similar security measures.

src/windows-hardening/windows-local-privilege-escalation/README.md

Lines changed: 172 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1525,6 +1525,178 @@ Then **read this to learn about UAC and UAC bypasses:**
15251525
../authentication-credentials-uac-and-efs/uac-user-account-control.md
15261526
{{#endref}}
15271527
1528+
## From Arbitrary Folder Delete/Move/Rename to SYSTEM EoP
1529+
1530+
The technique described [**in this blog post**](https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks) with a exploit code [**available here**](https://github.com/thezdi/PoC/tree/main/FilesystemEoPs).
1531+
1532+
The attack basically consist of abusing the Windows Installer's rollback feature to replace legitimate files with malicious ones during the uninstallation process. For this the attacker needs to create a **malicious MSI installer** that will be used to hijack the `C:\Config.Msi` folder, which will later be used by he Windows Installer to store rollback files during the uninstallation of other MSI packages where the rollback files would have been modified to contain the malicious payload.
1533+
1534+
The summarized technique is the following:
1535+
1536+
1. **Stage 1 – Preparing for the Hijack (leave `C:\Config.Msi` empty)**
1537+
1538+
- Step 1: Install the MSI
1539+
- Create an `.msi` that installs a harmless file (e.g., `dummy.txt`) in a writable folder (`TARGETDIR`).
1540+
- Mark the installer as **"UAC Compliant"**, so a **non-admin user** can run it.
1541+
- Keep a **handle** open to the file after install.
1542+
1543+
- Step 2: Begin Uninstall
1544+
- Uninstall the same `.msi`.
1545+
- The uninstall process starts moving files to `C:\Config.Msi` and renaming them to `.rbf` files (rollback backups).
1546+
- **Poll the open file handle** using `GetFinalPathNameByHandle` to detect when the file becomes `C:\Config.Msi\<random>.rbf`.
1547+
1548+
- Step 3: Custom Syncing
1549+
- The `.msi` includes a **custom uninstall action (`SyncOnRbfWritten`)** that:
1550+
- Signals when `.rbf` has been written.
1551+
- Then **waits** on another event before continuing the uninstall.
1552+
1553+
- Step 4: Block Deletion of `.rbf`
1554+
- When signaled, **open the `.rbf` file** without `FILE_SHARE_DELETE` — this **prevents it from being deleted**.
1555+
- Then **signal back** so the uninstall can finish.
1556+
- Windows Installer fails to delete the `.rbf`, and because it can’t delete all contents, **`C:\Config.Msi` is not removed**.
1557+
1558+
- Step 5: Manually Delete `.rbf`
1559+
- You (attacker) delete the `.rbf` file manually.
1560+
- Now **`C:\Config.Msi` is empty**, ready to be hijacked.
1561+
1562+
> At this point, **trigger the SYSTEM-level arbitrary folder delete vulnerability** to delete `C:\Config.Msi`.
1563+
1564+
2. **Stage 2 – Replacing Rollback Scripts with Malicious Ones**
1565+
1566+
- Step 6: Recreate `C:\Config.Msi` with Weak ACLs
1567+
- Recreate the `C:\Config.Msi` folder yourself.
1568+
- Set **weak DACLs** (e.g., Everyone:F), and **keep a handle open** with `WRITE_DAC`.
1569+
1570+
- Step 7: Run Another Install
1571+
- Install the `.msi` again, with:
1572+
- `TARGETDIR`: Writable location.
1573+
- `ERROROUT`: A variable that triggers a forced failure.
1574+
- This install will be used to trigger **rollback** again, which reads `.rbs` and `.rbf`.
1575+
1576+
- Step 8: Monitor for `.rbs`
1577+
- Use `ReadDirectoryChangesW` to monitor `C:\Config.Msi` until a new `.rbs` appears.
1578+
- Capture its filename.
1579+
1580+
- Step 9: Sync Before Rollback
1581+
- The `.msi` contains a **custom install action (`SyncBeforeRollback`)** that:
1582+
- Signals an event when the `.rbs` is created.
1583+
- Then **waits** before continuing.
1584+
1585+
- Step 10: Reapply Weak ACL
1586+
- After receiving the `.rbs created` event:
1587+
- The Windows Installer **reapplies strong ACLs** to `C:\Config.Msi`.
1588+
- But since you still have a handle with `WRITE_DAC`, you can **reapply weak ACLs** again.
1589+
1590+
> ACLs are **only enforced on handle open**, so you can still write to the folder.
1591+
1592+
- Step 11: Drop Fake `.rbs` and `.rbf`
1593+
- Overwrite the `.rbs` file with a **fake rollback script** that tells Windows to:
1594+
- Restore your `.rbf` file (malicious DLL) into a **privileged location** (e.g., `C:\Program Files\Common Files\microsoft shared\ink\HID.DLL`).
1595+
- Drop your fake `.rbf` containing a **malicious SYSTEM-level payload DLL**.
1596+
1597+
- Step 12: Trigger the Rollback
1598+
- Signal the sync event so the installer resumes.
1599+
- A **type 19 custom action (`ErrorOut`)** is configured to **intentionally fail the install** at a known point.
1600+
- This causes **rollback to begin**.
1601+
1602+
- Step 13: SYSTEM Installs Your DLL
1603+
- Windows Installer:
1604+
- Reads your malicious `.rbs`.
1605+
- Copies your `.rbf` DLL into the target location.
1606+
- You now have your **malicious DLL in a SYSTEM-loaded path**.
1607+
1608+
- Final Step: Execute SYSTEM Code
1609+
- Run a trusted **auto-elevated binary** (e.g., `osk.exe`) that loads the DLL you hijacked.
1610+
- **Boom**: Your code is executed **as SYSTEM**.
1611+
1612+
1613+
### From Arbitrary File Delete/Move/Rename to SYSTEM EoP
1614+
1615+
The main MSI rollback technique (the previous one) assumes you can delete an **entire folder** (e.g., `C:\Config.Msi`). But what if your vulnerability only allows **arbitrary file deletion** ?
1616+
1617+
You could exploit **NTFS internals**: every folder has a hidden alternate data stream called:
1618+
1619+
```
1620+
C:\SomeFolder::$INDEX_ALLOCATION
1621+
```
1622+
1623+
This stream stores the **index metadata** of the folder.
1624+
1625+
So, if you **delete the `::$INDEX_ALLOCATION` stream** of a folder, NTFS **removes the entire folder** from the filesystem.
1626+
1627+
You can do this using standard file deletion APIs like:
1628+
```c
1629+
DeleteFileW(L"C:\\Config.Msi::$INDEX_ALLOCATION");
1630+
```
1631+
1632+
> Even though you're calling a *file* delete API, it **deletes the folder itself**.
1633+
1634+
### From Folder Contents Delete to SYSTEM EoP
1635+
What if your primitive doesn’t allow you to delete arbitrary files/folders, but it **does allow deletion of the *contents* of an attacker-controlled folder**?
1636+
1637+
1. Step 1: Setup a bait folder and file
1638+
- Create: `C:\temp\folder1`
1639+
- Inside it: `C:\temp\folder1\file1.txt`
1640+
1641+
2. Step 2: Place an **oplock** on `file1.txt`
1642+
- The oplock **pauses execution** when a privileged process tries to delete `file1.txt`.
1643+
1644+
```c
1645+
// pseudo-code
1646+
RequestOplock("C:\\temp\\folder1\\file1.txt");
1647+
WaitForDeleteToTriggerOplock();
1648+
```
1649+
1650+
3. Step 3: Trigger SYSTEM process (e.g., `SilentCleanup`)
1651+
- This process scans folders (e.g., `%TEMP%`) and tries to delete their contents.
1652+
- When it reaches `file1.txt`, the **oplock triggers** and hands control to your callback.
1653+
1654+
4. Step 4: Inside the oplock callback – redirect the deletion
1655+
1656+
- Option A: Move `file1.txt` elsewhere
1657+
- This empties `folder1` without breaking the oplock.
1658+
- Don't delete `file1.txt` directly — that would release the oplock prematurely.
1659+
1660+
- Option B: Convert `folder1` into a **junction**:
1661+
1662+
```bash
1663+
# folder1 is now a junction to \RPC Control (non-filesystem namespace)
1664+
mklink /J C:\temp\folder1 \\?\GLOBALROOT\RPC Control
1665+
```
1666+
1667+
- Option C: Create a **symlink** in `\RPC Control`:
1668+
```bash
1669+
# Make file1.txt point to a sensitive folder stream
1670+
CreateSymlink("\\RPC Control\\file1.txt", "C:\\Config.Msi::$INDEX_ALLOCATION")
1671+
```
1672+
1673+
> This targets the NTFS internal stream that stores folder metadata — deleting it deletes the folder.
1674+
1675+
5. Step 5: Release the oplock
1676+
- SYSTEM process continues and tries to delete `file1.txt`.
1677+
- But now, due to the junction + symlink, it's actually deleting:
1678+
```
1679+
C:\Config.Msi::$INDEX_ALLOCATION
1680+
```
1681+
1682+
**Result**: `C:\Config.Msi` is deleted by SYSTEM.
1683+
1684+
### From Arbitrary Folder Create to Permanent DoS
1685+
1686+
Exploit a primitive that lets you **create an arbitrary folder as SYSTEM/admin** — even if **you can’t write files** or **set weak permissions**.
1687+
1688+
Create a **folder** (not a file) with the name of a **critical Windows driver**, e.g.:
1689+
```
1690+
C:\Windows\System32\cng.sys
1691+
```
1692+
1693+
- This path normally corresponds to the `cng.sys` kernel-mode driver.
1694+
- If you **pre-create it as a folder**, Windows fails to load the actual driver on boot.
1695+
- Then, Windows tries to load `cng.sys` during boot.
1696+
- It sees the folder, **fails to resolve the actual driver**, and **crashes or halts boot**.
1697+
- There’s **no fallback**, and **no recovery** without external intervention (e.g., boot repair or disk access).
1698+
1699+
15281700
## **From High Integrity to System**
15291701
15301702
### **New service**

0 commit comments

Comments
 (0)