The gMan nixWiki

Because the mind is made of Teflon...


method_4_exploitation

Differences

This shows you the differences between two versions of the page.

method_4_exploitation [2022/12/31 22:18] – [Tool: SQLMap] gman
method_4_exploitation [2023/01/12 00:27] (current) – [Defaults] gman
Line 49: Line 49:
 ---- ----
  
 +====== Defaults ======
 +
 +Many folks leave many devices with factory defaults. You can quickly look up the default login creds here: 
 +  * https://www.defaultpassword.com/
 +  * https://default-password.info/
 +  * https://cirt.net/passwords
 +  * [[https://www.google.com/search?q=default+passwords | Or just Google "default passwords"]]. There are a ton of sites.
 +
 +---- 
 ====== Tools ====== ====== Tools ======
  
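Review bot: the new Defaults list mixes three bare URLs with one DokuWiki-style link (the `[[https://www.google.com/search?q=default+passwords | ...]]` entry); pick one form for all four bullets, and the lead sentence repeats "many" ("Many folks leave many devices"). The section also stops at lookup: the same lists are the check used when hardening, so a closing line such as "Any device whose model appears on these lists gets its factory credential changed at commissioning, and that change is what you verify" would make the section useful to the reader who has to fix the finding, not only to the one who reports it.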
Line 192: Line 201:
 ---- ----
  
-====== Shells ======+====== Injection Attacks ======
  
-===== Reverse Shells =====+===== Command =====
  
-{{ :images:shell_reverse_netcat.jpg?nolink |}}+**Command Injection Attacks:** These are attacks that attempt to send commands through a web app to the operating system. 
 +  * It would give you the ability to directly manipulate the o/s. 
 +  * On Linux, use the ''system()'' call to send commands to the o/s itself.
  
-In reverse shella victim machine connects back to us at the attack machine. +**Example:** If an app asks for username to set up an account (assuming the username dbag) 
-  * You will use reverse shells 95% of the time+  * When we create our account with the username "dbag," the back-end result sent to the o/s would be something like:  
 +    * ''system('mkdir /home/dbag')'' 
 +  * Using command injection, you add commands to our user input: 
 +    * ''dbag & rm -rf /home'' 
 +  * This would result in a command like this:  
 +    * ''system('mkdir /home/dbag & rm -rf /home')'' 
 +  * And that's bad.
  
-https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/ +===== SQLi =====
-http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet +
- +
-**PHP Reverse Shell:**  +
-  * Instructions: http://pentestmonkey.net/tools/web-shells/php-reverse-shell +
-  * Download: https://github.com/pentestmonkey/php-reverse-shell +
- +
-===== Bind Shells ===== +
- +
-{{ :images:shell_bind_netcat.jpg?nolink |}} +
- +
-In a bind shell, we connect to the target.  +
-  * You fire off an exploint into the target machine, open up a port, and then use the attack machine to connect. +
- +
-https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/  (scroll down) +
- +
-----+
  
-====== SQLi ====== 
  
 **SQL Injection:** One quick way to check to see if the server is vulnerable to SQL injections, type the following into the query box. **SQL Injection:** One quick way to check to see if the server is vulnerable to SQL injections, type the following into the query box.
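Review bot: "On Linux, use the ''system()'' call to send commands to the o/s itself" is misleading; system() is the C library (and PHP) function the vulnerable application calls, not something the tester uses, and the weakness is the same on any platform that hands a user-controlled string to a shell. Reword along the lines of "The vulnerable app passes the username into ''system()'', which runs it through a shell, so shell metacharacters in the input become separate commands." The example then ends at "And that's bad." without the remediation, which a page titled Injection Attacks should state in one line: never build a shell command string from input; invoke the program with an argument vector through an API that does not spawn a shell, and restrict a username to an allowlist such as letters, digits and underscore so ''dbag & rm -rf /home'' is rejected before it reaches any command. Minor: the demotion of SQLi from ====== to ===== under the new Injection Attacks heading is consistent with the Command subsection.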
Line 227: Line 227:
 </code> </code>
  
-===== Tool: SQLMap =====+==== Tool: SQLMap ====
  
 Automates SQLi enumeration and exploitation. Use it only after you have manually verified there is indeed an SQLi vulnerability on the target. Automates SQLi enumeration and exploitation. Use it only after you have manually verified there is indeed an SQLi vulnerability on the target.
  
-===== Blind SQLi =====+==== Blind SQLi ====
  
 Blind SQL injection takes two forms: boolean-based (T/F) and timing-based. Blind SQL injection takes two forms: boolean-based (T/F) and timing-based.
  
-**Boolean-Based SQLi:** Uses a boolean (T/F) SQL injection statement to test if the injected code gets through. +**Boolean-Based Blind SQLi:** Uses a boolean (T/F) SQL injection statement to test if the injected code gets through. 
   - Test for a standard SQL injection vulnerability by placing a boolean TRUE after valid input.   - Test for a standard SQL injection vulnerability by placing a boolean TRUE after valid input.
     * If it is vulnerable it will match ALL results.     * If it is vulnerable it will match ALL results.
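Review bot: the heading changes (===== to ====) correctly nest Tool: SQLMap and Blind SQLi under the new ===== SQLi ===== heading, but the SQLMap paragraph's rule "Use it only after you have manually verified there is indeed an SQLi vulnerability" should say what manual verification means on this page, namely the boolean test described in the Blind SQLi section that follows, and why the rule exists: the tool's automated probing is high-volume and easy to spot in query logs and WAF alerts, so confirming the finding by hand first keeps the noise down and avoids a tool run against a parameter that was never injectable.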
Line 251: Line 251:
 [valid input]' AND 1=2;-- [valid input]' AND 1=2;--
 </code> </code>
 +
 +**Timing-Based Blind SQLi:** relies on the amount of time required to process a query.
 +  * If the app returns on the query immediately, it's probably not vulnerable.
 +  * If there is a delay/pause (based on your query statement) before the return, the injection worked.
 +  * Example:
 +
 +<code>[valid input]'; WAITFOR DELAY '00:00:15';--</code>
 +
 +**Tools:** Metasploit & SQLMap.
 +  * They automate these timing-based attacks, making them fairly easy. 
 +
 +----
 +
 +====== Shells ======
 +
 +===== Reverse Shells =====
 +
 +{{ :images:shell_reverse_netcat.jpg?nolink |}}
 +
 +In a reverse shell, a victim machine connects back to us at the attack machine.
 +  * You will use reverse shells 95% of the time
 +
 +https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/
 +http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
 +
 +**PHP Reverse Shell:** 
 +  * Instructions: http://pentestmonkey.net/tools/web-shells/php-reverse-shell
 +  * Download: https://github.com/pentestmonkey/php-reverse-shell
 +
 +===== Bind Shells =====
 +
 +{{ :images:shell_bind_netcat.jpg?nolink |}}
 +
 +In a bind shell, we connect to the target. 
 +  * You fire off an exploint into the target machine, open up a port, and then use the attack machine to connect.
 +
 +https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/  (scroll down)
  
 ---- ----
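Review bot: the timing example ''WAITFOR DELAY '00:00:15';--'' is Transact-SQL and only produces a delay on Microsoft SQL Server, so the bullet "If the app returns on the query immediately, it's probably not vulnerable" gives a false negative against any other database, each of which has its own delay function. Label the example with its DBMS and qualify the bullet, e.g. "no delay only means that dialect did not execute; repeat with the target database's own delay function before concluding it is not vulnerable." In the moved Bind Shells text, "exploint" should be "exploit" (the typo was carried over from the removed block above), and the reverse-shell sentence is now correctly "In a reverse shell, a victim machine connects back".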
method_4_exploitation.1672525098.txt.gz · Last modified: by gman