1N73LL1G3NC3

Any misuse of this info will not be the responsibility of the author, educational purposes only. Admin: @X0red

7 199 subscribers
🌩 Azurehound Queries
Collection of BloodHound queries for Azure (100+ New Azure Queries for BloodHound). Easily identify advanced privilege escalations in both Entra ID and Azure. Cloud-only queries.
SSD ADVISORY – SONICWALL SMA100 STORED XSS TO RCE
There are pre-auth stored XSS and post-auth remote command injection vulnerabilities in SonicWall SMA100. These vulnerabilities allow unauthenticated attackers to execute arbitrary commands when an authenticated user is exposed to the stored XSS.
IHxExec Process Injection Alternative Research
AMSI_VEH
A PowerShell AMSI bypass technique via Vectored Exception Handler (VEH). This technique does not perform assembly instruction patching, function hooking, or Import Address Table (IAT) modification. For this technique to work, you must first inject the VEH DLL into the PowerShell process. This can be done either by injecting the DLL or via DLL hijacking. This technique works by setting up a hardware breakpoint on the function AmsiScanBuffer on all PowerShell process threads, then installing a VEH to handle the trigger of this breakpoint. When a thread calls AmsiScanBuffer, the VEH makes the thread exit the function without executing anything and sets the result of the function to AMSI_RESULT_CLEAN. This is all done inside the VEH, without modifying the code of the process and without any PE modifications.
Graphpython
Modular Python tool for cross-platform Microsoft Graph API enumeration and exploitation. It builds upon the capabilities of AAD-Internals (Killchain.ps1), GraphRunner, and TokenTactics(V2) to provide a comprehensive solution for interacting with the Microsoft Graph API for red team and cloud assumed breach operations. It covers various Microsoft services, including Entra ID (Azure AD), Office 365 (Outlook, SharePoint, OneDrive, Teams), and Intune (Endpoint Management).
Chaining Three Bugs to Access All Your ServiceNow Data
Critical exploit chain affecting 40k+ instances of ServiceNow, leading to unauthenticated arbitrary code execution and data access.
Template Injection:
http://1337/login.do?jvar_page_title=<style><j:jelly xmlns:j="jelly" xmlns:g='glide'><g:evaluate>gs.addErrorMessage(7*7);</g:evaluate></j:jelly></style>
BrowserBruter
In scenarios where encryption is implemented, the HTTP traffic is encrypted, making it difficult for traditional penetration testing tools to inject payloads and detect vulnerabilities. This limitation can hinder the effectiveness of these tools in identifying certain types of security vulnerabilities. BrowserBruter is designed to overcome the limitations posed by encryption and other security mechanisms. By utilizing browser automation techniques, it is able to interact with web applications at browser level, so all of the attacks are performed as if the user had typed the payloads manually into the input fields of the web application in the browser, bypassing the encryption and injecting payloads in a way that traditional tools cannot. This allows BrowserBruter to effectively identify vulnerabilities and security issues that may be missed by other tools. This approach:
   • Allows the pentester to fuzz web application forms when the HTTP body (or part of the body) is encrypted, making HTTP proxy tools like ZAP and BurpSuite or SQLMap unable to insert payloads in such traffic.
   • Creates a way to bypass captchas by allowing the pentester to manually perform the required human interactions and then proceed to payload insertions.
   • Can fuzz the front end when there is no HTTP traffic, for example when input is utilized on the client side, i.e. when you want to brute force OTP input which is validated on the client side, so there is no HTTP traffic.
   • Removes the burden of session management, auth handling and other micromanagement like CSRF handling while using HTTP proxy tools.
Trying to find SQL injection using BurpSuite: https://net-square.com/browserbruter/img/burp-scan.mp4
Trying to find SQL injection using SQLMap: https://net-square.com/browserbruter/img/sqlmap.mp4
Finding SQL injection which cannot be found in other tools using the BrowserBruter: https://net-square.com/browserbruter/img/sql-injection.mp4
Official documentation: https://net-square.com/browserbruter/
Repost from APT
🖼️ Microsoft SharePoint Server 2019 — RCE
PoC for:
— CVE-2024-38094
— CVE-2024-38024
— CVE-2024-38023
🔗 Source: https://github.com/testanull/MS-SharePoint-July-Patch-RCE-PoC
#sharepoint #poc #rce #cve
Ghostly Hollowing Via Tampered Syscalls
Implementing the ghostly hollowing (a hybrid technique between Process Hollowing and Process Ghosting) PE injection technique using tampered syscalls (to bypass userland hooks while simultaneously spoofing the invoked syscall's arguments).
Dumping LSA secrets: a story about task decorrelation
Decorrelate attack tool behaviour to avoid EDR interference. In this blog post we’ll see how remote LSA secrets dumping works and a fancy way of retrieving the Windows computer's BOOTKEY using less common methods (without having to dump the SYSTEM hive).