Prerequisites

Writing files from MySQL with INTO OUTFILE should not be possible on any modern, hardened system, but if it is, you can use it to create a remote shell.

secure_file_priv can have the following values:

  • NULL: cannot write anywhere on the system
  • "" (empty string): can write anywhere
  • "/path/to/dir": can write only to the specified directory

Check the current value with:

SHOW VARIABLES LIKE 'secure_file_priv';

You can also get this by querying the information_schema with a union injection:

UNION SELECT VARIABLE_NAME,VARIABLE_VALUE FROM INFORMATION_SCHEMA.GLOBAL_VARIABLES

Do it

SELECT "OOPS!" INTO OUTFILE "/var/www/html/poc.txt"


A union injection causes additional rows to be added to the result set by using the UNION clause. To do this, we need to know the number of columns in the target result set.

There are two easy strategies for this: order by, or union itself. Assume that the following query is vulnerable:

SELECT * from users where username='$oops'

order by

In MySQL, order by accepts a column position as a numeric argument, which you can use to infer the number of columns. Let $oops = "test' order by 1 -- " then the query becomes:

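The vulnerable query above beside its parameterized form, as an added example that is not part of the original notes. It uses an in-memory SQLite database as a stand-in for MySQL (the users and secrets tables, their rows, and the column names are constructed; SQLite rejects an out-of-range ORDER BY position and a UNION with mismatched column counts in the same way MySQL does, which is all the probe relies on). The point it demonstrates is defensive: binding the value to a placeholder removes both the extra UNION rows and the error oracle that the order-by probe depends on.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the `users` table from the notes (in-memory SQLite)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "s3cret"), ("bob", "hunter2")])
    # A second table with data the application never meant to expose.
    con.execute("CREATE TABLE secrets (name TEXT, value TEXT)")
    con.execute("INSERT INTO secrets VALUES ('api_key', 'KEY-0001')")
    return con


def lookup_vulnerable(con, username):
    # The pattern from the notes: $oops is pasted straight into the statement, so a
    # quote in the input closes the string literal and the rest is parsed as SQL.
    return con.execute(f"SELECT * FROM users WHERE username='{username}'").fetchall()


def lookup_parameterized(con, username):
    # Hardened form: the value is bound to a placeholder and never parsed as SQL, so
    # quotes, UNION and ORDER BY in the input are just characters inside a string.
    return con.execute("SELECT * FROM users WHERE username=?", (username,)).fetchall()


def infer_column_count(con, lookup, max_cols=10):
    """The order-by probe from the notes, run through a given lookup function.

    ORDER BY n raises an error once n exceeds the column count, so the last n that
    succeeds is the count. Through the parameterized lookup no error ever fires,
    the oracle is gone, and the function returns None."""
    for n in range(1, max_cols + 1):
        try:
            lookup(con, f"test' order by {n} -- ")
        except sqlite3.OperationalError:
            return n - 1
    return None


# Constructed payload: appends a second SELECT with the same number of columns.
UNION_PAYLOAD = "test' UNION SELECT name, value FROM secrets -- "

if __name__ == "__main__":
    con = make_db()
    print("vulnerable:    ", lookup_vulnerable(con, UNION_PAYLOAD))
    print("parameterized: ", lookup_parameterized(con, UNION_PAYLOAD))
    print("columns via order-by oracle:",
          infer_column_count(con, lookup_vulnerable), "vs",
          infer_column_count(con, lookup_parameterized))
```

Against the vulnerable lookup the union payload returns the secrets row and the probe reports two columns; against the parameterized lookup the same inputs return no rows and raise no errors, so there is nothing for the probe to observe.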

Some example ffuf commands

In each case, FUZZ is the placeholder that ffuf replaces with each word from the wordlist.

Fuzzing for specific extensions

ffuf \
  -w /usr/share/seclists/Discovery/Web-Content/common.txt \
  -u http://example.com/target_dir/FUZZ \
  -e .txt,.html,.bak   # etc

Recursive fuzzing

ffuf \
  -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt \
  -u http://example.com/target_dir/FUZZ \
  -recursion

Fuzzing a POST parameter

ffuf \
  -w /usr/share/seclists/Discovery/Web-Content/common.txt \
  -u http://example.com/example.php \
  -X POST \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "y=FUZZ" \
  -ic

Fuzzing a GET parameter

ffuf \
  -w /usr/share/seclists/Discovery/Web-Content/common.txt \
  -u http://example.com/example.php?x=FUZZ \
  -ic
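What the wordlist scans above look like from the server side, as an added example that is not part of the original notes: a detector run over constructed Apache/nginx combined-format log lines. It flags a client on either of two signals: the default ffuf User-Agent (present only when the operator has not overridden it with -H), or a burst of many distinct paths inside a sliding window where almost every request misses (404/403). The log lines, IP addresses (RFC 5737 documentation ranges), paths and thresholds are all constructed; the combined format does not include the Host header, so a vhost scan would need $host added to the log format before the same counting applied to it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format: ip ident user [ts] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    return e


def detect_fuzzing(lines, window_seconds=60, min_requests=10, min_miss_ratio=0.8):
    """Return {client_ip: reason} for clients whose traffic looks like a wordlist scan."""
    by_ip = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e:
            by_ip[e["ip"]].append(e)
    window = timedelta(seconds=window_seconds)
    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        # Signal 1: tool fingerprint. ffuf announces itself unless -H overrides the UA.
        if any("Fuzz Faster U Fool" in e["ua"] for e in events):
            findings[ip] = "default ffuf User-Agent"
            continue
        # Signal 2: sliding window of mostly-missing requests to many distinct paths.
        start = 0
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            span = events[start:end + 1]
            if len(span) < min_requests:
                continue
            misses = sum(1 for e in span if e["status"] in (403, 404))
            distinct = len({e["path"] for e in span})
            if misses / len(span) >= min_miss_ratio and distinct >= min_requests:
                findings[ip] = f"{misses}/{len(span)} misses over {distinct} paths in {window_seconds}s"
                break
    return findings


# Constructed sample log: one scan with a browser-like UA, one request carrying the
# ffuf default UA, and one ordinary visitor browsing three pages.
_BASE = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)


def _line(ip, offset, path, status, ua):
    ts = (_BASE + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 162 "-" "{ua}"'


SAMPLE_LOG = (
    [_line("203.0.113.5", i, f"/target_dir/guess{i:02d}", 404, "Mozilla/5.0 (constructed)")
     for i in range(12)]
    + [_line("198.51.100.7", 30, "/example.php?x=probe", 200, "Fuzz Faster U Fool v2.1.0")]
    + [_line("192.0.2.10", 5 * i, ["/", "/about.html", "/contact.html"][i % 3], 200,
             "Mozilla/5.0 (constructed)") for i in range(12)]
)

if __name__ == "__main__":
    for ip, reason in detect_fuzzing(SAMPLE_LOG).items():
        print(ip, "->", reason)
```

The window-based signal is the one worth tuning: a busy site legitimately serves some 404s, so the miss ratio and distinct-path floor together keep a single broken link or a crawler following real pages from tripping it, while a scan of a 4,000-word list trips it within the first few seconds.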


dnsenum

Performs various DNS-level and OSINT searches to find subdomains.

dnsenum \
  --enum target.tld \
  -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt

gobuster

You can brute-force virtual-host subdomains with gobuster. The target can be given as a hostname or an IP.

gobuster vhost \
  -u http[s]://targetip[:port] \
  -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt \
  --append-domain

proxychains is a tool which forwards TCP traffic via a proxy; you run other applications through it. For example:

proxychains curl www.example.com

The relevant part of the config for HTTP traffic is in /etc/proxychains.conf:

#socks4         127.0.0.1 9050 # comment out the default Tor entry: in the default strict_chain mode every listed proxy must be reachable, so an unreachable Tor proxy makes the whole chain fail
# Add the following line
http 127.0.0.1 8080

This config forwards the traffic to a proxy on port 8080, which is Burp's default listener. Change the setup as needed for other tools.
