# Web Exploits

[My list of common web vulnerabilities.](http://bt3gl.github.io/a-list-of-common-web-vulnerabilities.html)

## OS Command Injection

---

## SQLi

- Brute force password
- Timed SQLi
- Cookie brute force

---

## PHP Shells

- php primer
- xor
- exploits

---

## Scanners

- heartbleed

---

## User ID

- cookie auth
- user id

---

## Other Resources

#### When we have a Website/IP Address:

- Try guessing hostnames in front of the domain, such as http://csaw2014.website.com or http://key.website.com.
- Brute force the subdomains, for example with [subbrute.py]. This tool performs multi-threaded DNS lookups against a configurable list of DNS resolvers, working through a list of possible subdomains.
- Use the `dig` or `ping` command in Linux to find the IP address of the website.
- Mirror the entire website with something like `wget -e robots=off --tries=40 -r -H -l 4` (ignore *robots.txt*, retry up to 40 times, recurse, span hosts, depth 4).
- Check the *robots.txt* file for hidden folders.
- Inspect the DOM using the browser's developer tools to look for HTML comments (plain view-source won't show content that is loaded through Ajax).

---

## URLs

#### Octal and dword addresses

- Example: http://017700000001 --> 127.0.0.1 (the leading `0` makes the whole number octal, and octal 17700000001 is 0x7F000001).
- A dotted quad can also be written as a single decimal dword. For example 206.191.158.50: ((206 * 256 + 191) * 256 + 158) * 256 + 50 = 3468664370. A further step makes this address even more obscure: you can add any multiple of 4294967296 (256^4) to this dword number.

#### The @ sign

- Everything between `http://` and `@` is treated as user info and has no effect on which host is contacted:

```
http://doesn'tmatter@www.google.org
http://!$^&*()_+`-={}|[]:;@www.google.com
```

- The `@` symbol can be represented by its hex code `%40`; dots are `%2e`.

---

## HTTP

The first line of a request is modified to include protocol version information, and it is followed by zero or more `name: value` pairs (headers):

- User-Agent: browser version information
- Host: URL hostname
- Accept: supported MIME document types (such as text/plain or audio/MPEG)
- Accept-Language: supported language codes
- Referer: originating page for the request

The headers are terminated with a single empty line, which may be followed by any payload the client wishes to pass to the server (its length should be specified with the Content-Length header). The payload is usually browser data, but there is no requirement on its contents.

---

## Tools

- [Burp Suite]
- [FireBug] in Firefox

---

[FireBug]: http://getfirebug.com/
[Burp Suite]: http://portswigger.net/burp/
[pngcheck]: http://www.libpng.org/pub/png/apps/pngcheck.html
[karmadecay]: http://karmadecay.com/
[tineye]: https://www.tineye.com/
[images.google.com]: https://images.google.com/?gws_rd=ssl
[base64 decoding]: http://www.motobit.com/util/base64-decoder-encoder.asp
[subbrute.py]: https://github.com/SparkleHearts/subbrute
[pnginfo]: http://www.stillhq.com/pngtools/
[namechk]: http://namechk.com
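Worked example for the URLs section above: a small normaliser that resolves the octal, dword, wrapped-dword and `@`/percent-encoding tricks back to the host a browser would actually contact, which is what an allowlist or SSRF check needs to compare against. This is added here and is not part of the original notes; `normalize_numeric_host` and `real_host` are names chosen for the example, and the wrap-around for values above 2^32 follows the notes' description (WHATWG-compliant URL parsers reject such values instead).

```python
from urllib.parse import unquote

DWORD_MOD = 256 ** 4  # 4294967296: adding multiples of this wraps around (per the notes)


def parse_component(text: str) -> int:
    """Parse one numeric component the way classic inet_aton() does:
    leading 0x -> hex, leading 0 -> octal, otherwise decimal."""
    t = text.lower()
    if t.startswith("0x"):
        return int(t[2:] or "0", 16)
    if len(t) > 1 and t.startswith("0"):
        return int(t, 8)
    return int(t, 10)


def normalize_numeric_host(host: str) -> str:
    """Return the dotted-quad form of a numeric host written as a single
    dword (decimal, octal or hex), as a dword plus multiples of 2**32, or as
    four components in mixed bases. Raises ValueError for a non-numeric
    host so the caller can treat it as a DNS name instead."""
    parts = [parse_component(p) for p in host.split(".")]
    if len(parts) == 1:
        value = parts[0] % DWORD_MOD          # undo the "add 4294967296" trick
    elif len(parts) == 4:
        if any(p > 255 for p in parts):
            raise ValueError(f"octet out of range in {host!r}")
        value = ((parts[0] * 256 + parts[1]) * 256 + parts[2]) * 256 + parts[3]
    else:
        raise ValueError(f"unsupported numeric host form {host!r}")
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def real_host(url: str) -> str:
    """Percent-decode the URL (so %40 and %2e count), drop the scheme, drop
    everything up to the last '@' (user info), drop any port, and return the
    host normalised to dotted-quad form when it is numeric.
    IPv6 bracket literals are out of scope for this example."""
    decoded = unquote(url)
    rest = decoded.split("://", 1)[1] if "://" in decoded else decoded
    authority = rest.split("/", 1)[0]
    host = authority.rsplit("@", 1)[-1]       # user info ends at the last '@'
    host = host.split(":", 1)[0]
    try:
        return normalize_numeric_host(host)
    except ValueError:
        return host.lower()
```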