hahwul

Offensive Security Engineer, Rubyist/Crystalist/Gopher and H4cker

Posts - Page 15 of 86

Github repo ๋‚ด Languages ๋ณ€๊ฒฝํ•˜๊ธฐ (.gitattributes)

  • 1 min read

Github repository ํŽ˜์ด์ง€์˜ ์šฐ์ธก์—๋Š” ํ•ด๋‹น repo์˜ ์–ธ์–ด ํ†ต๊ณ„์ธ Languages๊ฐ€ ์žˆ์Šต๋‹ˆ๋‹ค. ์ด๋Š” ํŽ˜์ด์ง€์— ์ ‘๊ทผํ•œ ์‚ฌ์šฉ์ž๋กœ ํ•˜์—ฌ๊ธˆ ์ด ํ”„๋กœ์ ํŠธ๊ฐ€ ์–ด๋–ค ์–ธ์–ด๋ฅผ ์ฃผ๋ ฅ์œผ๋กœ ๊ตฌ์„ฑ๋˜์—ˆ๋Š”์ง€ ํ™•์ธํ•  ์ˆ˜ ์žˆ๋Š” ์ง€ํ‘œ๊ฐ€ ๋˜๊ณ , ์ผ๋ถ€ ๋„๊ตฌ๋“ค์€ ์ด ๋ฐ์ดํ„ฐ๋ฅผ ๊ธฐ๋ฐ˜์œผ๋กœ ์˜คํ”ˆ์†Œ์Šค ํ”„๋กœ์ ํŠธ๋“ค์„ ๋ถ„๋ฅ˜ํ•˜๊ธฐ๋„ ํ•ฉ๋‹ˆ๋‹ค.

Read More

Go์—์„œ ์•„์ฃผ ํฐ JSON ํŒŒ์ผ์„ ํ•ธ๋“ค๋งํ•˜๊ธฐ

  • 2 min read

์ตœ๊ทผ์— ์‹œ๋ฅ์ง€ ์•Š์€ ๋ฌธ์ œ๋กœ ๊ตฌ๊ธ€๋งํ•˜๋‹ค๊ฐ€ ๋‹จ์ˆœํ•˜๊ฒŒ ํ•ด๊ฒฐํ•œ ์ผ์ด ์žˆ์–ด์„œ ์งง๊ฒŒ ๊ธ€๋กœ ๊ณต์œ  ํ•ด๋ณผ๊นŒ ํ•ฉ๋‹ˆ๋‹ค. ๋ณต์žกํ•œ ๋ฌธ์ œ๋กœ ์ƒ๊ฐํ•ด์„œ ์˜คํžˆ๋ ค ๊ฐ€๊นŒ์ด์— ์žˆ๋Š” ๋‹ต์„ ๋†“์น˜๊ณ  ๋ง์•˜์—ˆ๋„ค์š”.

Read More

[Cullinan #21] Add RFD(Remote File Download)

  • ~1 min read

์ปฌ๋ฆฌ๋„Œ ์—…๋ฐ์ดํŠธ ๋กœ๊ทธย #21์ž…๋‹ˆ๋‹ค. RFD(Remote File Download)๋ฅผ ์ถ”๊ฐ€ํ•˜๊ณ  Cache Poisoning์—์„œ wordlist ๋ถ€๋ถ„ ์ˆ˜์ •ํ–ˆ์Šต๋‹ˆ๋‹ค.

Read More

[Cullinan #20] LDAP Injection, ClickJacking, Cache Poisoning ๊ทธ๋ฆฌ๊ณ  ๊ฐœ์„ ์‚ฌํ•ญ

  • ~1 min read

์ปฌ๋ฆฌ๋„Œ ์—…๋ฐ์ดํŠธ ๋กœ๊ทธย #20์ž…๋‹ˆ๋‹ค. ์˜ˆ์ „ Jekyll ๋ธ”๋กœ๊ทธ์—์„œ ์‚ฌ์šฉํ•˜๋˜ ๊ฒƒ๊ณผ ๋™์ผํ•˜๊ฒŒ Cullinan์˜ ๋ฉ”์ธ ํŽ˜์ด์ง€๋ฅผ ๊ตฌ์„ฑํ–ˆ๊ณ  Slug ๋ถ€๋ถ„์— ๊ฐœ์„ ์„ ํ•ด์„œ, ์ œ๋ชฉ์— ์•ฝ์ž ๋“ฑ ์ผ๋ถ€ ๋‚ด์šฉ๋“ค์ด ๋” ์ถ”๊ฐ€๋˜์—ˆ์Šต๋‹ˆ๋‹ค. ๊ทธ๋ฆฌ๊ณ  LDAP Injection, ClickJacking, Web Cache Poisoning ํ•ญ๋ชฉ์„ ์ถ”๊ฐ€ํ–ˆ์Šต๋‹ˆ๋‹ค :D

Read More

New technic of HTTP Request Smuggling (chunked extension)

  • 2 min read

์˜ค๋žœ๋งŒ์— HRS(HTTP Request Smugglin) ๊ด€๋ จ ํ…Œํฌ๋‹‰์ด ์ถ”๊ฐ€๋˜์—ˆ์Šต๋‹ˆ๋‹ค. ์•„์ง ์‹ค์ œ๋กœ ๊ณต๊ฒฉ ๊ฐ€๋Šฅํ–ˆ๋˜ ์‚ฌ๋ก€๊ฐ€ ์žˆ๋Š”๊ฑด ์•„๋‹ˆ๋ผ ์˜คํ”ผ์…œ์€ ์•„๋‹ˆ์ง€๋งŒ, ์–ด๋Š์ •๋„ ์‹ ๋น™์„ฑ์ด ์žˆ์–ด์„œ ๊ธ€๋กœ ์ž‘์„ฑํ•ด๋ด…๋‹ˆ๋‹ค.

Read More

[Cullinan #19] Add SQLi and Cookie Bomb

  • ~1 min read

์ปฌ๋ฆฌ๋„Œ ์—…๋ฐ์ดํŠธ ๋กœ๊ทธ #19์ž…๋‹ˆ๋‹ค. SQL Injection๊ณผ Cookie Bomb Attack์ด ์ถ”๊ฐ€๋ฌ๊ณ , Amass ๋ถ€๋ถ„์— ์ˆ˜์ •์ด ์žˆ์—ˆ์Šต๋‹ˆ๋‹ค. ๊ทธ๋ฆฌ๊ณ  ์ด๋ฒˆ์— chunked extension ๊ธฐ๋ฐ˜์˜ HTTP Request Smuggling ๊ด€๋ จ ๊ธ€์„ ์ž‘์„ฑํ•˜๋ฉด์„œ Cullinan - HTTP Requset Smuggling ๋ถ€๋ถ„์—๋„ ํ•ด๋‹น ๋‚ด์šฉ์„ ์ถ”๊ฐ€ํ•˜์˜€์Šต๋‹ˆ๋‹ค.

Read More

Amass + Scripting = ์ตœ๊ณ ์˜ ์„œ๋ธŒ๋„๋ฉ”์ธ ํƒ์ƒ‰

  • 4 min read

์—ฌ๋Ÿฌ๋ถ„๋“ค Amass ๋งŽ์ด ์‚ฌ์šฉํ•˜์‹œ๋‚˜์š”? Amass๋Š” subdomain์„ ํƒ์ƒ‰ํ•˜๊ธฐ ์œ„ํ•œ ๋„๊ตฌ๋“ค ์ค‘ ํ•˜๋‚˜๋กœ ZAP๊ณผ ๋งˆ์ฐฌ๊ฐ€์ง€๋กœ OWASP์— ํ”Œ๋ž˜๊ทธ์‰ฝ ํ”„๋กœ์ ํŠธ์ž…๋‹ˆ๋‹ค. ๋˜ํ•œ ๋น„์Šทํ•œ ๋„๊ตฌ์ธ subfinder, assetfinder, findomain ๋“ฑ ์—ฌ๋Ÿฌ๊ฐ€์ง€์™€ ๋น„๊ตํ•ด๋ด๋„ ๊ฑฐ์˜ ์ตœ๊ณ ๋กœ ์†๊ผฝ์„ ์ˆ˜ ์žˆ๋Š” ๋„๊ตฌ์ž…๋‹ˆ๋‹ค.

Read More