As ever, I was reading up and revising my latest exam topics. As I failed my last Microsoft exam by only a few points, which really made me grumpy, I decided to put some real deep effort into covering everything in the exam topics! Damn it, I want my MCSE!
I was researching the DC cloning methods employed in Server 2012/R2 and how the mechanics of the cloning process work under the hood. Check this Technet post for more information on the whole cloning process: https://technet.microsoft.com/en-us/library/jj574118.aspx
While reading I came across the line "RID pool is expired" (hence why, when doing DC cloning, you need access to the RID Master FSMO role, so that a new RID pool can be handed to the new DC). See, everything makes sense when you understand the process and not just learn the answers to exam questions… <looks around the office and eyes certain people>
Well, if there is a danger the RID pool could run out, is there an easy way to check how many RIDs are left for the domain? Common sense and prior knowledge tell me the RID pool is huge, but what if your company AD has been around for a very long time and is very large? This might actually become an issue… perhaps, maybe….
I remembered that there is a command to help me out with the RID Master: DCDiag /test:Ridmanager. But grrrr, this didn't tell me how many RIDs I had used or had left. I thought it did!!! A bit of Google magic and it turned out that the Grumpy Admin was doing it wrong and had missed the /v switch, so the whole command should be
dcdiag /test:ridmanager /v
This throws a whole screen of useful diagnostic information at you!!! Not good, as I want quick information at a glance…. GREP!!! Where are you, my
friend…. meh! The lack of grep in PowerShell makes me grumpy… but that's another story!
What we can do here is pipe the output of dcdiag to the find command. They are old command prompt commands, but they work, so our whole command looks like this
dcdiag /test:ridmanager /v | find /i "RID Pool"
There is our answer of how many RIDs we have left on the domain. This is good and simple! But…. dcdiag and find are not PowerShell commands… I was sure someone out there would have done this in PowerShell. A quick Google and I found this Technet blog
He even uses the same method of DCDiag and find 🙂 My implementation was better than his though, as his find statement was larger than mine 🙂 and Grumpy Admin is a lazy admin, so fewer key strokes are a win in my book! Ha, have that, you MVP / MSFT employee!! Who is no doubt smarter than me, and I have no doubt stolen lots of his code! So don't sue me. Grumpy Admin respects you really!
Now there's no point in me rewriting code that works, so I am lifting the following code right from his blog and reposting it here! It works, why
reinvent the wheel… Read through it and have a look at how he is processing the returned information.
param([string]$domainDN)   # your base domain in LDAP format, e.g. "DC=example,DC=com" (placeholder)
Import-Module ActiveDirectory
# Read ridAvailablePool from the RID Manager$ object, asking the RID Master directly
$property = Get-ADObject "cn=rid manager$,cn=system,$domainDN" -Property ridavailablepool -Server ((Get-ADDomain $domainDN).RidMaster)
$rid = $property.ridavailablepool
# Upper 32 bits: highest RID the domain can allocate; lower 32 bits: next RID to be issued
# [math]::Floor is needed because a plain [int32] cast rounds to nearest rather than down
[int32]$totalSIDS = [math]::Floor($rid / [math]::Pow(2,32))
[int64]$temp64val = $totalSIDS * [math]::Pow(2,32)
[int32]$currentRIDPoolCount = $rid - $temp64val
$ridsremaining = $totalSIDS - $currentRIDPoolCount
Write-Host "RIDs issued: $currentRIDPoolCount"
Write-Host "RIDs remaining: $ridsremaining"
Now, to execute it you need to put your base domain in LDAP format, so execute it like this
and wham, you never have to worry about RID pools being exhausted. In my production domain we had over a billion RIDs left!!!
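The same ridAvailablePool decoding as an added example (my own code, not the quoted blog's): it splits the large integer with 64-bit shift and mask instead of floating-point division, so the rounding pitfall of an [int32] cast cannot bite, and it adds a usage threshold for monitoring. The function names, the 80% threshold and the sample values are constructed assumptions.

```powershell
# Added example, not code from the original post or the Technet blog it quotes.
# ridAvailablePool: upper 32 bits = highest RID the domain may ever allocate,
# lower 32 bits = next RID to be handed out (i.e. RIDs issued so far).
function ConvertFrom-RidAvailablePool {
    param(
        [Parameter(Mandatory)][int64]$RidAvailablePool,
        [int]$WarnPercent = 80      # constructed monitoring threshold, not a Microsoft value
    )
    $total  = $RidAvailablePool -shr 32                       # integer shift, never rounds
    $issued = $RidAvailablePool -band [int64][uint32]::MaxValue
    $pct    = [math]::Round(100.0 * $issued / $total, 2)
    [pscustomobject]@{
        Total       = $total
        Issued      = $issued
        Remaining   = $total - $issued
        PercentUsed = $pct
        Warning     = ($pct -ge $WarnPercent)
    }
}

# Live query against the same object the quoted script reads, decoded by the function above.
function Get-RidPoolStatus {
    param([Parameter(Mandatory)][string]$DomainDN)   # e.g. "DC=example,DC=com" (placeholder)
    $ridMaster = (Get-ADDomain $DomainDN).RidMaster
    $obj = Get-ADObject "cn=rid manager$,cn=system,$DomainDN" -Property ridavailablepool -Server $ridMaster
    ConvertFrom-RidAvailablePool -RidAvailablePool ([int64]$obj.ridavailablepool)
}

# Constructed sample: a pool with maximum 0x3FFFFFFF RIDs and 2500 already issued.
$sample = ([int64]0x3FFFFFFF -shl 32) -bor 2500
ConvertFrom-RidAvailablePool -RidAvailablePool $sample

# Constructed sample where the low half is above 2^31: [int32]($sample2 / [math]::Pow(2,32))
# rounds to the nearest integer, so the floating-point approach over-counts the total
# and turns "issued" negative, whereas the shift/mask decoding stays correct.
$sample2 = ([int64]3 -shl 32) -bor [int64]4026531840
ConvertFrom-RidAvailablePool -RidAvailablePool $sample2
```

Get-RidPoolStatus -DomainDN "DC=example,DC=com" needs the ActiveDirectory module and rights to read the RID Manager$ object; everything else runs offline.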