Hey , I'm looking for unconventional infection vectors which don't have following file extensions exe, docx(whole family docm etc), pdf , batch , js , hta to get an initial access on windows .
-
XSS.stack #1 – первый литературный журнал от юзеров форума
Infection Vectors
- Автор темы klanzex1337
- Дата начала
like .lnk .url .cda ? https://en.wikipedia.org/wiki/Shortcut_(computing)
- Автор темы
- Добавить закладку
- #3
Tell me something beyond this
const blacklistExtensions = [
".exe", ".bat", ".cmd", ".msi", ".msp", ".scr", ".com", ".cpl", ".dll",
".vbs", ".js", ".jse", ".ps1", ".psm1", ".wsf", ".wsh", ".hta",
".zip", ".rar", ".7z", ".tar", ".gz", ".bz2", ".iso",
".lnk", ".scf", ".url", ".inf",
".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm", ".ppt", ".pptx", ".pptm",
".pdf", ".chm",
".html", ".htm", ".xhtml", ".mhtml", ".svg",
".mp3", ".mp4", ".avi", ".mov", ".wmv", ".flv", ".mkv", ".bmp", ".jpeg", ".jpg", ".png", ".gif", ".tiff",
".one", ".reg", ".py", ".rb", ".sh", ".apk", ".bin", ".pkg", ".dmg"
];
const blacklistExtensions = [
".exe", ".bat", ".cmd", ".msi", ".msp", ".scr", ".com", ".cpl", ".dll",
".vbs", ".js", ".jse", ".ps1", ".psm1", ".wsf", ".wsh", ".hta",
".zip", ".rar", ".7z", ".tar", ".gz", ".bz2", ".iso",
".lnk", ".scf", ".url", ".inf",
".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm", ".ppt", ".pptx", ".pptm",
".pdf", ".chm",
".html", ".htm", ".xhtml", ".mhtml", ".svg",
".mp3", ".mp4", ".avi", ".mov", ".wmv", ".flv", ".mkv", ".bmp", ".jpeg", ".jpg", ".png", ".gif", ".tiff",
".one", ".reg", ".py", ".rb", ".sh", ".apk", ".bin", ".pkg", ".dmg"
];
try ask llm
chatgpt
Additional Executable/Dangerous File Extensions
- Script files
- .pl (Perl script)
- .cgi (Common Gateway Interface script)
- .php (PHP script)
- .asp (Active Server Page)
- .aspx (ASP.NET page)
- Shell/Batch-related
- .bash (Bash script)
- .zsh (Zsh script)
- .ksh (KornShell script)
- Compiled binary formats
- .so (Shared library for Linux/Unix)
- .o (Object file)
- Installers and Disk Images
- .deb (Debian package)
- .rpm (Red Hat package manager file)
- Macros and Templates
- .xlt (Excel template)
- .dot (Word template)
- .dotm (Word macro-enabled template)
- .pot (PowerPoint template)
- .potm (PowerPoint macro-enabled template)
- Database and Metadata Files
- .mdb (Microsoft Access database)
- .accdb (Microsoft Access database)
- .sqlite (SQLite database)
- Web Components
- .json (JavaScript Object Notation, potentially used for scripts)
- .xml (Extended Markup Language)
- Media formats capable of embedding exploits
- .swf (Adobe Flash)
- .svgz (Compressed SVG)
- .emf (Enhanced Metafile)
- .wmf (Windows Metafile)
- Email-related attachments
- .eml (Email message)
- .msg (Outlook email message)
- Uncommon formats
- .gadget (Windows gadget)
- .prg (Program file)
- .bas (Basic program)
- .scr (Screen saver - already included but still worth mentioning)
claude
- I'll help you identify any missing executable file extensions that might be relevant for blocking potentially harmful files. Here are some additional extensions you might want to consider:
1. Windows-specific executable extensions:
- `.pif` (Program Information File)
- `.application` (Windows application)
2. Script and macro extensions:
- `.macro`
- `.xll` (Excel Add-in)
- `.ahk` (AutoHotkey script)
- `.applescript`
3. System and configuration extensions:
- `.manifest`
- `.sys` (system files)
- `.ocx` (ActiveX controls)
- `.jar` (Java archive)
4. Less common but potentially dangerous extensions:
- `.ws` (Windows Script)
- `.vbe` (VBScript Encoded)
- `.wsf` (Windows Script File)
- `.sct` (Windows Script Component)
5. Mac and Unix executable extensions:
- `.command`
- `.run`
- `.elf`
6. Other potentially risky extensions:
- `.gadget` (Windows desktop gadget)
- `.workflow` (macOS Automator workflow)
- `.action`
NSIS , MSIX , MSC (GrimResource) , ICS , EVTX files
- Автор темы
- Добавить закладку
- #6
Thanks , But how much of these can be one click weaponised for initial access is to be tested
I will assume you are attempting to drop a file through the browser to disk. Instead, find a way to SE the user to a legitimate extension that you can abuse to load malicious JavaScript from another page or access the filesystem through for RCE and that you can redirect them to and then off of. This is what RIG Exploit Kit does from what I have been reading. It's more complex than I've stated but wasn't always.
JavaScript:
<
script >
if (navigator.appName.indexOf("Internet Explorer") != -1 ||
navigator.userAgent.match(/Trident.*rv[ :]*11\./) &&
PAGETEMPLATE != 'detect_ie') {
//This user uses Internet Explorer
var base_url = "http://www.yoursite.com/pagewithjs.html";
window.location = base_url + "/detectie";
} <
script >This is an old trick but depending on your traffic it may be of use for you.
EDIT: Something random that just occurred to me but I haven't researched yet would be using browser web app permissions such as that from Bluetooth to achieve command injection against the host if someone were to accept or enable control of the device through in the browser.
Последнее редактирование:
U have tox?
- Автор темы
- Добавить закладку
- #10
Thank you so much
- Автор темы
- Добавить закладку
- #11
Yes exactly , thank you