mirror of
https://github.com/autistic-symposium/sec-pentesting-toolkit.git
synced 2025-04-27 19:16:08 -04:00
120 lines
2.8 KiB
Markdown
120 lines
2.8 KiB
Markdown
# Web Exploits
|
|
|
|
[My list of common web vulnerabilities.](http://bt3gl.github.io/a-list-of-common-web-vulnerabilities.html)
|
|
|
|
## OS Command Injection
|
|
|
|
---
|
|
|
|
## SQLi
|
|
|
|
- Brute force password
|
|
- Timed SQLi
|
|
- Cookie force brute
|
|
|
|
|
|
---
|
|
## PHP Shells
|
|
|
|
- php primer
|
|
- xor
|
|
- exploits
|
|
|
|
----
|
|
|
|
## Scanners
|
|
|
|
- heartbleed
|
|
|
|
|
|
-----
|
|
## User ID
|
|
- cookie auth
|
|
- user id
|
|
|
|
----
|
|
|
|
## Other Resources
|
|
|
|
#### When we have a Website/IP Address:
|
|
|
|
- Try to add folders to the domain, such as http://csaw2014.website.com or http://key.website.com.
|
|
|
|
- We brute force the subdomains, for example, with [subbrute.py]. This tool performs multi-threaded DNS lookups to a configurable list of DNS resolvers, searching through a list of possible subdomains.
|
|
|
|
- Use the command ```dig``` or ```ping``` in Linux to find the IP address of the website.
|
|
|
|
- *wgetting* the entire website with something like ```wget -e robots=off --tries=40 -r -H -l 4 <WEBSITE>```.
|
|
|
|
- Check the *robot.txt* file for hidden folders.
|
|
|
|
- Inspect the DOM using the browser's developer tools to look for HTML comments (plain view-source won't work when the content is loaded through Ajax).
|
|
|
|
|
|
-----
|
|
|
|
## URLs
|
|
|
|
#### Octal
|
|
|
|
- Example: http://017700000001 --> 127.0.0.1
|
|
|
|
- For example 206.191.158.50:
|
|
|
|
((206 * 256 + 191) * 256 + 158 ) * 256 + 50 = 3468664370.
|
|
|
|
Now, there is a further step that can make this address even more obscure. You can add to this dword number, any multiple of the quantity 4294967296 (2564)
|
|
|
|
|
|
#### Great @
|
|
|
|
-Everything between "http://" and "@" is completely irrelevant
|
|
|
|
```
|
|
http://doesn'tmatter@www.google.org
|
|
http://!$^&*()_+`-={}|[]:;@www.google.com
|
|
```
|
|
|
|
- @ symbol can be represented by its hex code %40
|
|
- dots are %2e
|
|
|
|
|
|
|
|
----
|
|
|
|
## HTTP
|
|
|
|
The first line of a request is modified to include protocol version information and it's followed by zero or more name:value pairs (headers):
|
|
- User-Agent: browser version information
|
|
- Host: URL hostanme
|
|
- Accept: supported MIME documents( such as text/plain or audio/MPEG)
|
|
- Accept-Language: supported language codes
|
|
- Referer: originating page for the request
|
|
|
|
The headers are terminated with a single empty line, which may be followerd by any payload the client wishes to pass to the server (the lenght should be specified with the Content-Length header). The payload is usually browser data, but there is no requirements.
|
|
|
|
|
|
|
|
-----
|
|
## Tools
|
|
|
|
- [Burp Suite]
|
|
- [FireBug] in Firefox
|
|
|
|
|
|
|
|
|
|
|
|
-----------------
|
|
[FireBug]: http://getfirebug.com/
|
|
[Burp Suite]: http://portswigger.net/burp/
|
|
[pngcheck]: http://www.libpng.org/pub/png/apps/pngcheck.html
|
|
[karmadecay]: http://karmadecay.com/
|
|
[tineye]: https://www.tineye.com/
|
|
[images.google.com]: https://images.google.com/?gws_rd=ssl
|
|
[base64 decoding]: http://www.motobit.com/util/base64-decoder-encoder.asp
|
|
[subbrute.py]: https://github.com/SparkleHearts/subbrute
|
|
[pnginfo]: http://www.stillhq.com/pngtools/
|
|
[namechk]: http://namechk.com
|
|
|