Merge pull request #802 from chiyochichi/patch-1
minor phrasing mistakes
carlospolop authored Mar 10, 2024
2 parents 944eaa1 + 1858528 commit c61db4f
Showing 3 changed files with 20 additions and 25 deletions.
10 changes: 3 additions & 7 deletions pentesting-web/captcha-bypass.md
Expand Up @@ -25,7 +25,7 @@ To **bypass** the captcha during **server testing** and automate user input func
2. **Value Extraction and Reuse**:
* **Source Code Inspection**: Search for the captcha value within the page's source code.
* **Cookie Analysis**: Examine the cookies to find if the captcha value is stored and reused.
* **Reuse Old Captcha Values**: Attempt to use previously successful captcha values again.
* **Reuse Old Captcha Values**: Attempt to use previously successful captcha values again. Keep in mind that they might expire at any time.
* **Session Manipulation**: Try using the same captcha value across different sessions or the same session ID.

3. **Automation and Recognition**:
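Review bot: the sentence added to the Reuse Old Captcha Values bullet ("Keep in mind that they might expire at any time") is vaguer than the point it is making; what the tester should take away is that a correctly implemented captcha solution is a single-use, time-limited token, so a successful replay of an old value shows the server never invalidated it after the first submission. Suggest: "Keep in mind that a correctly implemented captcha is single-use and time-limited; if an old value is accepted again, the server is not invalidating it."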
Expand All @@ -42,15 +42,11 @@ To **bypass** the captcha during **server testing** and automate user input func
* **Audio Captcha Analysis**: If an audio captcha option is available, use speech-to-text services to interpret and solve the captcha.


## Online Services to bypass captchas
## Online Services to solve captchas

### [Capsolver](https://www.capsolver.com/)

Capsolver‘s automatic captcha solver offers the **most affordable and quick captcha-solving solution**. You may rapidly combine it with your program using its simple integration option to achieve the best results in a matter of seconds.

With a success rate of 99.15%, Capsolver can **answer more than 10M captchas every minute**. This implies that your automation or scrape will have a 99.99% uptime. You may buy a captcha package if you have a large budget.

At the lowest price on the market, you may receive a variety of solutions, including reCAPTCHA V2, reCAPTCHA V3, hCaptcha, hCaptcha Click, reCaptcha click, Funcaptcha Click, FunCaptcha, datadome captcha, aws captcha, picture-to-text, binance / coinmarketcap captcha, geetest v3 / v3, and more. With this service, **0.1s is the slowest speed ever measured**.
Capsolver's automatic captcha solver offers an **affordable and quick captcha-solving solution**. You may rapidly combine it with your program using its simple integration option to achieve the best results in a matter of seconds. It can solve reCAPTCHA V2 and V3, hCaptcha, FunCaptcha, datadome, aws captcha, picture-to-text, binance / coinmarketcap captcha, geetest v3, and more. However, this is not a bypass per-se.

<details>

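Review bot: "per-se" in the new Capsolver paragraph should be "per se" (no hyphen), and the caveat reads better up front than as a trailing afterthought, e.g. "Note that paid solving services do not bypass the captcha; they solve it for you, which only helps once no real bypass exists in the application." Dropping the uptime and speed marketing figures is the right call; the retained "You may rapidly combine it with your program using its simple integration option to achieve the best results in a matter of seconds" is still promotional copy with no technical content and could go too.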
6 changes: 3 additions & 3 deletions pentesting-web/client-side-template-injection-csti.md
Expand Up @@ -17,9 +17,9 @@ Other ways to support HackTricks:

# Summary

It is like a [**Server Side Template Injection**](ssti-server-side-template-injection/) but in the **client**. The **SSTI** can allow you to **execute code** on the remote server, the **CSTI** could allow you to **execute arbitrary JavaScript** code in the victim.
It is like a [**Server Side Template Injection**](ssti-server-side-template-injection/) but in the **client**. The **SSTI** can allow you to **execute code** on the remote server, the **CSTI** could allow you to **execute arbitrary JavaScript** code in the victim's browser.

The way to **test** for this vulnerability is very **similar** as in the case of **SSTI**, the interpreter is going to expect something to execute **between doubles keys** and will execute it. For example using something like: `{{ 7-7 }}` if the server is **vulnerable** you will see a `0` and if not you will see the original: `{{ 7-7 }}`
**Testing** for this vulnerability is very **similar** as in the case of **SSTI**, the interpreter expects **a template** and will execute it. For example, with a payload like `{{ 7-7 }}`, if the app is **vulnerable** you will see a `0`, and if not, you will see the original: `{{ 7-7 }}`

# AngularJS

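Review bot: the rewritten testing sentence keeps the grammatical error it set out to fix: "very similar as in the case of SSTI" should be "very similar to SSTI". The rewrite also drops the one useful detail from the old line, that the expression has to be placed inside the template delimiters (the double curly braces for AngularJS and Vue); suggest: "Testing is very similar to SSTI: inject an expression inside the template delimiters, for example `{{ 7-7 }}`; if the app is vulnerable the page shows `0`, otherwise the literal `{{ 7-7 }}`."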
Expand All @@ -44,7 +44,7 @@ You can find a very **basic online example** of the vulnerability in **AngularJS
# VueJS
You can find a **vulnerable vue.js** implementation in [https://vue-client-side-template-injection-example.azu.now.sh/](https://vue-client-side-template-injection-example.azu.now.sh)\
You can find a **vulnerable Vue** implementation in [https://vue-client-side-template-injection-example.azu.now.sh/](https://vue-client-side-template-injection-example.azu.now.sh)\
Working payload: [`https://vue-client-side-template-injection-example.azu.now.sh/?name=%7B%7Bthis.constructor.constructor(%27alert(%22foo%22)%27)()%7D%`](https://vue-client-side-template-injection-example.azu.now.sh/?name=%7B%7Bthis.constructor.constructor\(%27alert\(%22foo%22\)%27\)\(\)%7D%7D)

And the **source code** of the vulnerable example here: [https://github.com/azu/vue-client-side-template-injection-example](https://github.com/azu/vue-client-side-template-injection-example)
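Review bot: the visible link text for the working payload on the context line ends in `%7D%` while the href ends in `%7D%7D`; the text is truncated by one character, so anyone copying the text rather than following the link gets a payload with unbalanced braces. Suggest making the text end in `%7D%7D` to match the href.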
29 changes: 14 additions & 15 deletions reversing/reversing-tools-basic-methods/README.md
Expand Up @@ -33,15 +33,15 @@ Software:
* [https://www.pnfsoftware.com/jeb/demo](https://www.pnfsoftware.com/jeb/demo)
* [https://github.com/wwwg/wasmdec](https://github.com/wwwg/wasmdec)

## .Net decompiler
## .NET decompiler

### [dotPeek](https://www.jetbrains.com/decompiler/)

dotPeek is a decompiler that **decompiles and examines multiple formats**, including **libraries** (.dll), **Windows metadata file**s (.winmd), and **executables** (.exe). Once decompiled, an assembly can be saved as a Visual Studio project (.csproj).

The merit here is that if a lost source code requires restoration from a legacy assembly, this action can save time. Further, dotPeek provides handy navigation throughout the decompiled code, making it one of the perfect tools for **Xamarin algorithm analysis.**

### [.Net Reflector](https://www.red-gate.com/products/reflector/)
### [.NET Reflector](https://www.red-gate.com/products/reflector/)

With a comprehensive add-in model and an API that extends the tool to suit your exact needs, .NET reflector saves time and simplifies development. Let's take a look at the plethora of reverse engineering services this tool provides:

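Review bot: the change to ".NET" in both headings matches the official spelling, but the same hunk leaves ".NET reflector" (lowercase r) in the body paragraph and the misplaced bold boundary in "**Windows metadata file**s (.winmd)" untouched; suggest ".NET Reflector" and "**Windows metadata files** (.winmd)" so the file is consistent after this pass.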
Expand All @@ -55,14 +55,13 @@ With a comprehensive add-in model and an API that extends the tool to suit your
### [ILSpy](https://github.com/icsharpcode/ILSpy) & [dnSpy](https://github.com/dnSpy/dnSpy/releases)

[ILSpy plugin for Visual Studio Code](https://github.com/icsharpcode/ilspy-vscode): You can have it in any OS (you can install it directly from VSCode, no need to download the git. Click on **Extensions** and **search ILSpy**).\
If you need to **decompile**, **modify** and **recompile** again you can use: [**https://github.com/0xd4d/dnSpy/releases**](https://github.com/0xd4d/dnSpy/releases) (**Right Click -> Modify Method** to change something inside a function).\
You cloud also try [https://www.jetbrains.com/es-es/decompiler/](https://www.jetbrains.com/es-es/decompiler/)
If you need to **decompile**, **modify** and **recompile** again you can use [**dnSpy**](https://github.com/dnSpy/dnSpy/releases) or an actively maintained fork of it, [**dnSpyEx**](https://github.com/dnSpyEx/dnSpy/releases). (**Right Click -> Modify Method** to change something inside a function).

### DNSpy Logging

In order to make **DNSpy log some information in a file**, you could use this .Net lines:
In order to make **DNSpy log some information in a file**, you could use this snippet:

```bash
```cs
using System.IO;
path = "C:\\inetpub\\temp\\MyTest2.txt";
File.AppendAllText(path, "Password: " + password + "\n");
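Review bot: retagging the fence as `cs` is correct, but the snippet itself does not compile as C#: `path` is assigned without a declaration, and `password` is an assumed local of the method being patched with no comment saying so. Suggest `string path = "C:\\inetpub\\temp\\MyTest2.txt";` plus a short comment that `password` stands for whatever variable holds the value in the edited method. Since this writes a credential in plaintext to disk, the page should also tell the reader to remove the file (and the patched module) once debugging is finished.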
Expand Down Expand Up @@ -95,13 +94,13 @@ And click on **compile**:

![](<../../.gitbook/assets/image (314) (1) (1).png>)

Then save the new file on _**File >> Save module...**_:
Then save the new file via _**File >> Save module...**_:

![](<../../.gitbook/assets/image (279).png>)

This is necessary because if you don't do this, at **runtime** several **optimisations** will be applied to the code and it could be possible that while debugging a **break-point is never hit** or some **variables don't exist**.

Then, if your .Net application is being **run** by **IIS** you can **restart** it with:
Then, if your .NET application is being **run** by **IIS** you can **restart** it with:

```
iisreset /noforce
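Review bot: "you can restart it with `iisreset /noforce`" reads as if only the application is restarted, but `iisreset` stops and restarts the whole set of IIS services, so every site and application pool on the host goes down; worth saying so, or pointing at recycling only the target application pool on a shared server. The fence around the command also carries no language tag, while the hunk above adds `cs` to the C# block; `cmd` or `powershell` would keep the file consistent.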
Expand All @@ -121,7 +120,7 @@ Now that we are debugging the process, it's time to stop it and load all the mod

![](<../../.gitbook/assets/image (283).png>)

Click any module on **Modules** and selec**t Open All Modules**:
Click any module on **Modules** and select **Open All Modules**:

![](<../../.gitbook/assets/image (284).png>)

Expand Down Expand Up @@ -239,16 +238,16 @@ The **Create Dump** option will dump the final shellcode if any change is done t

### Disassembling using CyberChef

Upload you shellcode file as input and use the following receipt to decompile it: [https://gchq.github.io/CyberChef/#recipe=To\_Hex('Space',0)Disassemble\_x86('32','Full%20x86%20architecture',16,0,true,true)](https://gchq.github.io/CyberChef/#recipe=To\_Hex\('Space',0\)Disassemble\_x86\('32','Full%20x86%20architecture',16,0,true,true\))
Upload your shellcode file as input and use the following recipe to decompile it: [https://gchq.github.io/CyberChef/#recipe=To\_Hex('Space',0)Disassemble\_x86('32','Full%20x86%20architecture',16,0,true,true)](https://gchq.github.io/CyberChef/#recipe=To\_Hex\('Space',0\)Disassemble\_x86\('32','Full%20x86%20architecture',16,0,true,true\))

## [Movfuscator](https://github.com/xoreaxeaxeax/movfuscator)

This obfuscator **modify all the instructions for `mov`**(yeah, really cool). It also uses interruptions to change executions flows. For more information about how does it works:
This obfuscator **modifies all the instructions for `mov`**(yeah, really cool). It also uses interruptions to change executions flows. For more information about how does it works:

* [https://www.youtube.com/watch?v=2VF\_wPkiBJY](https://www.youtube.com/watch?v=2VF\_wPkiBJY)
* [https://github.com/xoreaxeaxeax/movfuscator/blob/master/slides/domas\_2015\_the\_movfuscator.pdf](https://github.com/xoreaxeaxeax/movfuscator/blob/master/slides/domas\_2015\_the\_movfuscator.pdf)

If you are lucky [demovfuscator ](https://github.com/kirschju/demovfuscator)will deofuscate the binary. It has several dependencies
If you are lucky [demovfuscator](https://github.com/kirschju/demovfuscator) will deofuscate the binary. It has several dependencies

```
apt-get install libcapstone-dev
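Review bot: the CyberChef sentence still says "use the following recipe to decompile it" while the recipe runs Disassemble_x86, so "disassemble" is the right verb. In the Movfuscator paragraph the hunk fixes "modify" but leaves "uses interruptions to change executions flows" (should be "uses interrupts to change execution flow") and "For more information about how does it works" ("how it works"); the following line's "deofuscate" is also still misspelled ("deobfuscate").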
Expand All @@ -272,7 +271,7 @@ Having the **name** of the **functions** being called, search for them on the **

For Delphi compiled binaries you can use [https://github.com/crypto2011/IDR](https://github.com/crypto2011/IDR)

I you have to reverse a Delphi binary I would suggest you to use the IDA plugin [https://github.com/Coldzer0/IDA-For-Delphi](https://github.com/Coldzer0/IDA-For-Delphi)
If you have to reverse a Delphi binary I would suggest you to use the IDA plugin [https://github.com/Coldzer0/IDA-For-Delphi](https://github.com/Coldzer0/IDA-For-Delphi)

Just press **ATL+f7** (import python plugin in IDA) and select the python plugin.

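Review bot: "If you" is right, but the rest of the sentence stays awkward: "I would suggest you to use" should be "I would suggest using". The context line that follows also has "ATL+f7", which should be "ALT+F7".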
Expand All @@ -282,7 +281,7 @@ It is also very interesting because if you press a button in the graphic applica

## Golang

I you have to reverse a Golang binary I would suggest you to use the IDA plugin [https://github.com/sibears/IDAGolangHelper](https://github.com/sibears/IDAGolangHelper)
If you have to reverse a Golang binary I would suggest you to use the IDA plugin [https://github.com/sibears/IDAGolangHelper](https://github.com/sibears/IDAGolangHelper)

Just press **ATL+f7** (import python plugin in IDA) and select the python plugin.

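Review bot: same two leftovers as in the Delphi section: "I would suggest you to use" should be "I would suggest using", and "ATL+f7" on the next line should be "ALT+F7".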
Expand Down Expand Up @@ -324,7 +323,7 @@ R = 256
L = 256
```

So, in this kind of programs, the an interesting part will be **how the program treats the user input**. In the address **0x4000130** you will find the commonly found function: **KEYINPUT.**
So, in this kind of program, the interesting part will be **how the program treats the user input**. In the address **0x4000130** you will find the commonly found function: **KEYINPUT**.

![](<../../.gitbook/assets/image (579).png>)

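Review bot: the article fix is fine; while here, "In the address 0x4000130" should be "At address 0x4000130", and "the commonly found function" would be clearer as "the usual input-handling function".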
