Command Injection vulnerabilities are a class of application security issue where an attacker can cause the application to execute an underlying operating system command. For that reason it’s generally a high impact issue. It can be exploited simply by chaining commands along with the expected input by using shell control characters such as:
Developers have a variety of reasons why they might want their web applications to execute underlying operating system commands. One example could be an application that allows a user to check if a host is online by pinging its IP address. The URL for this function could look something like this:
and the output on the screen could be:
However, if user input is insecurely passed to this function, a user could chain a command on the end, such as `" && id"`, and this would be executed along with the main command, changing the input in our example to this:
and so the output on the screen would be:
As you might guess from above, the user gains the permissions that the affected application has, so if it’s running as www-data or root you’d get that privilege level! An easy way to compromise a box and potentially allow an attacker to take over the webserver, deface the application or steal confidential data!
However, things get more complicated for the attacker if the system does not show the output in the application itself; it might just silently execute the command and output something generic like "Success" or "done". If this is the case an attacker can still determine the existence of the vulnerability and blindly exploit it through inference.
For example, imagine chaining the Linux command "sleep" to the end of the input, such as:
With this request the output, if vulnerable, would come through as expected with the "Success" message, however it would take a noticeable amount of time to return – something around 10 seconds longer than without the payload. To determine if this was just a laggy server or not you could try multiple different delay levels to see if the received delay matches the expected amount. So sleep 10 causes approximately a 10 second delay and sleep 30 causes approximately a 30 second delay, reducing the likelihood that this is a false positive.
At this point you've got a successful Blind Command Injection vulnerability! Before I get on to how to utilise that as an attacker however, there's one more type to deal with: blind injection with out-of-band detection. This class occurs when an application is vulnerable but no change in output can be perceived through the application, for example if the application executes the request in a new thread, so delaying the server through the "sleep" command doesn't work (or at least can't be perceived through the application itself).
In this case we can get our "noticeable change" by calling out to another server and monitoring that server for requests. For example you could try a payload like the following:
This would cause an affected (Linux) server to call out to the attacker's machine. The wget command simply requests that the server download a web page. Therefore the attacker could see that the payload worked successfully, as their logs would show a GET request to the file: /?attacksuccessful
Now to turn that into a viable attack payload to, for example, steal confidential files, the attacker could try chaining the contents of the file into the request to the attacker's server! A payload like this would be effective:
Here the attacker is taking the contents of the confidential file /etc/password, encoding it with base64 so that it's possible to transmit it in a URL, and then using the wget command again to send that file in an HTTP GET request to the attacker-controlled server! One thing to remember is that the base64 command will line wrap by default after 76 characters, but you can use the -w 0 parameter to disable this, like this:
As you can imagine, this is a pretty bad vulnerability which I’ve seen multiple times during Penetration Testing engagements but I’ve seen little in the way of content online about the issue, so I thought I’d throw a few notes down in a post. The important part though: there are specific ways to secure command execution depending on your underlying language and programming framework however one thing that’ll work for general cases is effective user input filtering! Luckily, I’ve written about that here!
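To make the input-filtering point concrete, here is the "ping a host" feature from the example above written in PHP for a Linux server, in its injectable form beside a hardened one. This is an added example, not code from the original post; the function names are mine, and both functions only build the command string so nothing is executed.

```php
<?php
// Added example, not code from the original post. Models the "ping a host"
// feature on a Linux server: the injectable version beside a hardened one.
// Both functions only build the command string; nothing is executed here.

// VULNERABLE: user input is pasted straight into a shell command line, so a
// value such as "127.0.0.1 && id" makes the shell run ping and then id.
function buildPingCommandUnsafe(string $host): string
{
    return 'ping -c 1 ' . $host;
}

// Hardened: allow-list the shape of the input first, then quote what is
// handed to the shell. Returns null (reject, do not try to "clean") for
// anything that is not an IP address or a plain hostname.
function buildPingCommandSafe(string $host): ?string
{
    $isIp = filter_var($host, FILTER_VALIDATE_IP) !== false;
    // Hostname: dot-separated labels of letters, digits and hyphens only.
    $isHostname = strlen($host) <= 253
        && preg_match('/^([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i', $host) === 1;
    if (!$isIp && !$isHostname) {
        return null;
    }
    // escapeshellarg() wraps the value in single quotes, so & ; | ` $ ( ) < >
    // and newlines reach ping as literal characters, never the shell.
    return 'ping -c 1 ' . escapeshellarg($host);
}

// Constructed inputs: the chained-command value from the post, a
// command-substitution variant, and a legitimate hostname.
foreach (['127.0.0.1 && id', '$(sleep 10)', 'example.org'] as $input) {
    echo "unsafe: ", buildPingCommandUnsafe($input), PHP_EOL;
    echo "safe:   ", var_export(buildPingCommandSafe($input), true), PHP_EOL;
}
// On PHP 7.4+ passing an argv array to proc_open() avoids the shell entirely,
// which removes the metacharacter problem instead of quoting around it.
```

The allow-list check does the real work; escapeshellarg() is the second layer in case the validation is later loosened.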
Again, the minimum characters to consider dangerous in regards to this issue are:
Payloads can be incredibly varied as the attacker has an awful lot of flexibility, but a few simple ones are things like:
Description of the vulnerability
PHP Object Injection is an application level vulnerability that could allow an attacker to perform different kinds of malicious attacks, such as Code Injection, SQL Injection, Path Traversal and Application Denial of Service, depending on the context.
The vulnerability occurs when user-supplied input is not properly sanitized before being passed to the unserialize() PHP function.
In order to successfully exploit a PHP Object Injection vulnerability two conditions must be met:
- The application must have a class which implements a PHP magic method (such as __wakeup or __destruct) that can be used to carry out malicious attacks, or to start a “POP chain”.
- All of the classes used during the attack must be declared when the vulnerable unserialize() is being called, otherwise object autoloading must be supported for such classes.
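The two conditions above, as an added example that is not the article's own code (assumes PHP 7.1 or newer): a class whose magic method acts on attacker-settable state, the vulnerable unserialize() call, and two ways to defuse it. The class, function names and the HMAC key handling are mine.

```php
<?php
// Added example, not the article's own code (assumes PHP 7.1+): a class whose
// magic method acts on attacker-settable state, the vulnerable unserialize()
// call, and two mitigations.
class LogFile
{
    public $path = 'app.log';
    public static $written = [];   // demo only: records what __destruct touched
    public function __destruct()
    {
        // A real class would write to $this->path, i.e. to an attacker-chosen
        // file whenever the object was built from a crafted string.
        self::$written[] = $this->path;
    }
}
// VULNERABLE: untrusted input (cookie, form field) reaches unserialize()
// unchanged, so it can instantiate LogFile with any $path it likes.
function loadUnsafe(string $data)
{
    return unserialize($data);
}
// Mitigation 1: forbid instantiation. Objects come back as
// __PHP_Incomplete_Class, whose magic methods never run.
function loadNoObjects(string $data)
{
    return unserialize($data, ['allowed_classes' => false]);
}
// Mitigation 2: accept only blobs the server sealed with an HMAC ($secret is
// a server-side key never sent to the client), so crafted strings never reach
// unserialize() at all.
function seal($value, string $secret): string
{
    $payload = serialize($value);
    return hash_hmac('sha256', $payload, $secret) . ':' . $payload;
}
function loadSealed(string $blob, string $secret)
{
    $parts = explode(':', $blob, 2);
    if (count($parts) !== 2 || !hash_equals(hash_hmac('sha256', $parts[1], $secret), $parts[0])) {
        return null;   // forged or tampered
    }
    return unserialize($parts[1], ['allowed_classes' => false]);
}
// Constructed crafted input: a serialized LogFile pointing at another file.
$crafted = 'O:7:"LogFile":1:{s:4:"path";s:10:"/tmp/other";}';
loadUnsafe($crafted);                       // LogFile created, __destruct runs
$obj = loadNoObjects($crafted);             // no LogFile, no magic method
var_dump(LogFile::$written, $obj instanceof __PHP_Incomplete_Class);
var_dump(loadSealed($crafted, 'k'), loadSealed(seal(['user' => 'bob'], 'k'), 'k'));
```

Where the data only needs to be a tree of scalars, json_decode() sidesteps the problem entirely because it cannot create application objects.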
Example:
Known Vulnerable Software
Software | Version | Reference |
---|---|---|
WordPress | 3.6.1 | https://nvd.nist.gov/vuln/detail/CVE-2013-4338 |
Magento | 1.9.0.1 | https://magento.com/security/patches/supee-10415 |
Joomla | 3.0.3 | https://packetstormsecurity.com/files/121442/Joomla-3.0.3-PHP-Object-Injection.html |
IP Board | 3.3.4 | https://www.exploit-db.com/exploits/22398/ |
Dotclear | 2.6.1 | https://www.cvedetails.com/cve/CVE-2014-1613/ |
OpenCart | 1.5.6.4 | http://karmainsecurity.com/KIS-2014-08 |
CubeCart | 5.2.0 | http://karmainsecurity.com/KIS-2013-02 |
Drupal | 7.34 | https://websec.wordpress.com/2015/01/09/drupal-7-34-admin-php-object-injection/ |
vBulletin | 5.1.0 | https://blog.sucuri.net/2014/03/security-exploit-patched-on-vbulletin-php-object-injection.html |
Tuleap | 7.6-4 | http://karmainsecurity.com/KIS-2014-13 |
Moodle | 2.5.0 | http://disse.cting.org/2013/09/16/2013-09-16-moodle-2-5-0-1-badges-external-object-injection |
WHMCS | 5.2.12 | http://security-geeks.blogspot.com/2013/11/whmcs-5112-php-object-injectoin.html |
PHP Magic Methods
__construct() | __set() | __toString() |
__destruct() | __isset() | __invoke() |
__call() | __unset() | __set_state() |
__callStatic() | __sleep() | __clone() |
__get() | __wakeup() | __debugInfo() |
Examples of PHP Object Injection
Exploit with the __destruct method
Vulnerable code:
Payload:
Exploit with the __wakeup in the unserialize function
Vulnerable code:
Payload:
Authentication bypass - Type juggling
Vulnerable code:
Payload:
Authentication bypass - Object reference
Vulnerable code:
Payload:
Other exploits
Reverse Shell
Finding and using gadgets (PHPGGC)
PHPGGC is a library of unserialize() payloads along with a tool to generate them, from command line or programmatically. When encountering an unserialize on a website you don’t have the code of, or simply when trying to build an exploit, this tool allows you to generate the payload without having to go through the tedious steps of finding gadgets and combining them.
Example:
Thanks to
This article is composed of information found on the following links (plus some minor additions). I use this article to quickly review or demonstrate situations and as a personal reference to all the information needed in exploiting the PHP Object Injection vulnerability.