GitBook: [#3248] No subject

carlospolop · gitbook-bot · commit 5a5755cca20e · 2022-06-08T21:20:05.000Z
diff --git a/generic-methodologies-and-resources/brute-force.md b/generic-methodologies-and-resources/brute-force.md
@@ -455,6 +455,23 @@ hashcat.exe -m 13600 -a 0 .\hashzip.txt .\wordlists\rockyou.txt
 .\hashcat.exe -m 13600 -i -a 0 .\hashzip.txt #Incremental attack
 ```
 
+#### Known plaintext zip attack
+
+You need to know the **plaintext** (or part of the plaintext) **of a file contained inside** the encrypted zip. You can check **filenames and size of files contained inside** an encrypted zip running: **`7z l encrypted.zip`**\
+Download [**bkcrack** ](https://github.com/kimci86/bkcrack/releases/tag/v1.4.0)from the releases page.
+
+```bash
+# You need to create a zip file containing only the file that is inside the encrypted zip
+zip plaintext.zip plaintext.file
+
+./bkcrack -C <encrypted.zip> -c <plaintext.file> -P <plaintext.zip> -p <plaintext.file>
+# Now wait, this should print akey such as 7b549874 ebc25ec5 7e465e18
+# With that key you can create a new zip file with the content of encrypted.zip
+# but with a different pass that you set (so you can decrypt it)
+./bkcrack -C <encrypted.zip> -U unlocked.zip -k 7b549874 ebc25ec5 7e465e18 new_pwd 
+unzip unlocked.zip #User new_pwd as password
+```
+
 ### 7z
 
 ```bash
diff --git a/linux-hardening/useful-linux-commands/README.md b/linux-hardening/useful-linux-commands/README.md
@@ -132,6 +132,9 @@ echo "CIKUmMesGw==" | base64 -d | protoc --decode_raw
 #Set not removable bit
 sudo chattr +i file.txt
 sudo chattr -i file.txt #Remove the bit so you can delete it
+
+# List files inside zip
+7z l file.zip
 ```
 
 ## Bash for Windows
diff --git a/pentesting-web/login-bypass/README.md b/pentesting-web/login-bypass/README.md
@@ -24,6 +24,8 @@ If you find a login page, here you can find some techniques to try to bypass it:
 * Check if you can **directly access the restricted pages**
 * Check to **not send the parameters** (do not send any or only 1)
 * Check the **PHP comparisons error:** `user[]=a&pwd=b` , `user=a&pwd[]=b` , `user[]=a&pwd[]=b`
+* **Change content type to json** and send json values (bool true included)
+  * If you get a response saying that POST is not supported you can try to send the **JSON in the body but with a GET request**
 * Check nodejs potential parsing error (read [**this**](https://flattsecurity.medium.com/finding-an-unseen-sql-injection-by-bypassing-escape-functions-in-mysqljs-mysql-90b27f6542b4)): `password[password]=1`
   * Nodejs will transform that payload to a query similar to the following one: ` SELECT id, username, left(password, 8) AS snipped_password, email FROM accounts WHERE username='admin' AND`` `` `**`password=password=1`**`;` which makes the password bit to be always true.
   * If you can send a JSON object you can send `"password":{"password": 1}` to bypass the login.
