# File Transfers
===
## Windows
Fileless attack: the payload is executed from memory rather than being written to disk first

Files:
- BAT; Windows batch (command-line script) file
- DLL; Windows dynamic-link library file

Base64

Powershell

HTTP download

FTP

SMB

WebDav (SMB over HTTP)


## Linux

Base64

Tool: bash

HTTP download
- wget
- curl
- python

HTTP upload
- python
- php

SSH upload/download
- ssh
- scp


## Coding

Python

PHP

Perl

Ruby

Javascript

VBScript

## Miscellaneous

netcat

powershell remote session

RDP; remote desktop protocol


## Protected file transfers

Encryption
- AES


Protocols
- SSH
- HTTPS
- SFTP
- OpenSSL



## HTTP transfers

webservers
- Apache
- Nginx

curl




## Living off the land

GTFOBins

LOLBAS



## Detection





# Local File Inclusions
===

## HTTP GET parameters and link techniques
- Referencing `../` in GET parameters to traverse back up the tree to `/etc`
- If that fails, try the URL (hexadecimal, e.g. `%2e%2e%2f`) encoding of `../`
- Null byte injection; using a null byte to signify the end of the string
- Path truncation

## PHP Filters

PHP filter is a type of PHP wrapper that takes an input stream and applies a filter to it, invoked as `php://filter/`

Types
- String
- Encryption
- Compression
- Conversion

Fuzzing: directory brute forcing

Using the base64 PHP filter to leak PHP source



## PHP Wrappers

`data://`
Used to include data supplied inline in the URL as a data stream; only available when `allow_url_include` is true.
This can be used to inject PHP code, which in turn can be used to create a form of shell, for example by taking an HTTP GET parameter as the command.

`php://input`
Used to include data sent in the raw HTTP POST body.

`expect://`
Used to parse command outputs, why the fuck does this even exist... (the expect extension must be added, but who the hell would add such a thing?!?)

`phar://`

## RFI
- Including remote URLs (for example from a host you control)

## File Uploads
- Uploading a .gif file that has the correct magic number but contains a PHP script, to get RCE
- Otherwise uploading a compressed PHP RCE file and using the `zip://` wrapper to decompress it in the link
- Or compiling a phar file that uses the `phar://` wrapper to write to some text file

## Log inclusion
- Using requests to write to the log file, then including it: HTTP request fields (like the User-Agent) are written to the log as-is, so PHP code placed there gets executed when the log file is included, and gg
- You could also poison the cookie log and bring that up, so many possibilities!

/var/log/apache2
/var/log/nginx
/var/log/sshd.log
/var/log/mail.log
/var/log/vsftpd.log
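As an added example (not from the original notes), the defender's side of log poisoning: a small scanner that parses Apache combined-format access log lines and flags the traces the techniques in this section leave behind: `../` (raw or URL-encoded), null bytes, stream wrappers, requests for a log path, and PHP tags in client-controlled header fields. The log lines, IP addresses and paths are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache combined-format log lines (not taken from the page).
SAMPLE_LOG = """\
10.0.0.5 - - [10/May/2024:12:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/May/2024:12:00:02 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1284 "-" "curl/8.0"
10.0.0.9 - - [10/May/2024:12:00:03 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1284 "-" "curl/8.0"
10.0.0.9 - - [10/May/2024:12:00:04 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=config HTTP/1.1" 200 2048 "-" "curl/8.0"
10.0.0.9 - - [10/May/2024:12:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php echo 'lfi-test'; ?>"
10.0.0.9 - - [10/May/2024:12:00:06 +0000] "GET /index.php?page=/var/log/apache2/access.log HTTP/1.1" 200 9031 "-" "curl/8.0"
10.0.0.9 - - [10/May/2024:12:00:07 +0000] "GET /index.php?page=home%00.jpg HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.7 - - [10/May/2024:12:00:08 +0000] "GET /index.php?page=about HTTP/1.1" 200 498 "-" "Mozilla/5.0"
"""

# ip ident user [timestamp] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
WRAPPER_RE = re.compile(r"\b(?:php|data|expect|phar|zip)://", re.IGNORECASE)
PHP_TAG_RE = re.compile(r"<\?(?:php|=)", re.IGNORECASE)


def indicators_for(entry):
    """Return the list of LFI indicators present in one parsed log entry."""
    decoded = unquote(entry["path"])  # look at what the application would see
    found = []
    if "../" in decoded or "..\\" in decoded:
        found.append("traversal")
    if "\x00" in decoded:
        found.append("null-byte")
    if WRAPPER_RE.search(decoded):
        found.append("wrapper")
    if "/var/log/" in decoded:
        found.append("log-file")
    # PHP tags in any client-controlled field the web server copies into its log
    if any(PHP_TAG_RE.search(v) for v in (decoded, entry["ua"], entry["referer"])):
        found.append("php-tag")
    return found


def scan_log(text):
    """Parse each line and keep only those carrying at least one indicator."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these separately
        entry = m.groupdict()
        ind = indicators_for(entry)
        if ind:
            findings.append({"line": n, "ip": entry["ip"], "path": entry["path"], "indicators": ind})
    return findings


def hits_per_ip(findings):
    """Count flagged requests per source address; a burst from one host is the usual picture."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"line {f['line']:>2} {f['ip']:10} {','.join(f['indicators']):20} {f['path']}")
    print("hits per ip:", hits_per_ip(found))
```

Decoding the path before matching is what makes the `%2e%2e%2f` line show up as traversal; matching on the raw text alone would miss it.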

## Automation

- You can automate this stuff with fuzzing

## prevention

- You can write sanitising functions in PHP, change the permissions on log files, and block dangerous functions in `php.ini`
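As an added example of the sanitising function mentioned above (not code from the original notes), a Python version of a `?page=` parameter check that addresses each technique from this section in turn: it decodes once and rejects anything still percent-encoded (double encoding), rejects null bytes and stream-wrapper schemes, resolves the path and requires it to stay under the document root, and finally applies an allowlist. `DOC_ROOT`, `ALLOWED_PAGES` and the sample inputs are assumed values constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Assumed values for the example: where page templates live and which names are valid.
DOC_ROOT = "/var/www/html/pages"
ALLOWED_PAGES = {"home", "about", "contact"}


def check_page_param(param):
    """Return (path, None) when the value is safe to include,
    otherwise (None, reason) naming the technique that was blocked."""
    # Decode once, as the web server does; anything still percent-encoded after
    # that was double encoded to get past a filter that only looks at the raw value.
    decoded = unquote(param)
    if "%" in decoded:
        return None, "double-encoding"
    # A null byte used to truncate the filename in older PHP ("page\0.jpg").
    if "\x00" in decoded:
        return None, "null-byte"
    # Stream wrappers: php://filter, php://input, data://, expect://, phar://, zip://
    if "://" in decoded:
        return None, "wrapper"
    # Resolve ../ and absolute paths, then require the result to stay under DOC_ROOT.
    # commonpath avoids the string-prefix pitfall ("/pages2" starts with "/pages").
    candidate = posixpath.normpath(posixpath.join(DOC_ROOT, decoded))
    if posixpath.commonpath([DOC_ROOT, candidate]) != DOC_ROOT:
        return None, "traversal"
    # The allowlist is the real control; the checks above only explain why a value failed.
    if decoded not in ALLOWED_PAGES:
        return None, "not-allowlisted"
    return posixpath.join(DOC_ROOT, decoded + ".php"), None


# Constructed sample inputs, one per technique from the notes.
SAMPLES = [
    "home",
    "../../../../etc/passwd",
    "%2e%2e%2fetc%2fpasswd",
    "..%252f..%252fetc%2fpasswd",
    "home%00.jpg",
    "php://filter/convert.base64-encode/resource=config",
    "/var/log/apache2/access.log",
    "admin",
]


def triage(samples=SAMPLES):
    """Run every sample through the check and return the verdicts."""
    return {s: check_page_param(s) for s in samples}


if __name__ == "__main__":
    for value, (path, reason) in triage().items():
        print(f"{value!r:55} -> {path or 'REJECTED: ' + reason}")
```

Ordering matters: the traversal check runs on the decoded value, so the encoded `../` is caught by the same rule as the plain one, and the allowlist still rejects anything the earlier rules did not recognise.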



# SQL INJECTION
===

## Relational databases
- Databases whose tables are linked through foreign keys, as you know. They use SQL


## Non Relational databases
- Databases whose fields have no foreign keys. They use JSON or XML

## Types of SQL injection
- In band; the SQL result is printed directly back to the user
- Blind; the user gets no direct output to use as feedback
- Out of band

## Logic manipulating

### OR injection
By injecting an OR clause whose second operand is always true, we create a tautology so that the query always returns the record we want
`SELECT * FROM logins WHERE username='admin' AND password='imnotreallysure'` (username && password) <- username and password both need to be right
`SELECT * FROM logins WHERE username='admin' OR '1'='1' AND password='imnotreallysure'` (username || true && password) <- a correct username always returns a result, since AND binds tighter than OR

### comments
Comments make the parser ignore the rest of the query text, which is useful if we want to drop any conditions that follow the injection point
`SELECT * FROM logins WHERE username='admin' AND password='imnotreallysure'` (username && password) <- username and password both need to be right
`SELECT * FROM logins WHERE username='admin'--' AND password='imnotreallysure'` (username) <- A correct username always returns a result

### UNION injection
UNION combines the results of two queries with the same number of columns into one result set. This can be used to include 

### Column testing
When implementing UNION injections, the number of columns in both queries must be the same. We can find it with `UNION` or `ORDER BY`. It is useful to fill the extra columns with numbers so that on output you can see which columns are actually displayed to the user
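As an added example (not part of the original notes), the three inputs discussed above run against a query built by string formatting and against a parameterised one, using an in-memory SQLite `logins` table constructed for the example. It also shows what the database says when a UNION has the wrong column count, which is the signal column testing relies on, and that none of the inputs do anything once the values are bound as parameters.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the page's `logins` table (two sample accounts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logins (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO logins (username, password) VALUES (?, ?)",
        [("admin", "S3cret!"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query text from the input, so the input is parsed as SQL."""
    query = (f"SELECT * FROM logins WHERE username='{username}' "
             f"AND password='{password}'")
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    """Parameterised query: the driver binds the values; they are never parsed as SQL."""
    query = "SELECT * FROM logins WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchall()


# The inputs from the notes: OR tautology, comment truncation, and UNION with a
# matching and a mismatched column count (logins has three columns).
PAYLOADS = {
    "or_tautology": "admin' OR '1'='1",
    "comment": "admin'--",
    "union_3_cols": "x' UNION SELECT 1,2,3--",
    "union_2_cols": "x' UNION SELECT 1,2--",
}


def outcome(login, conn, username):
    """Describe what a login function does with a given username and a wrong password."""
    try:
        rows = login(conn, username, "wrong-password")
    except sqlite3.OperationalError as exc:
        # Wrong column count in the UNION: the database itself reports the mismatch.
        return "error: " + str(exc)
    if not rows:
        return "no rows"
    return f"{len(rows)} row(s): {rows}"


def compare_all(conn):
    """Map each payload name to (vulnerable outcome, safe outcome)."""
    return {name: (outcome(login_vulnerable, conn, p), outcome(login_safe, conn, p))
            for name, p in PAYLOADS.items()}


if __name__ == "__main__":
    for name, (vuln, safe) in compare_all(make_db()).items():
        print(f"{name:14} vulnerable -> {vuln}")
        print(f"{'':14} safe       -> {safe}")
```

The parameterised function treats the whole string as a literal username, so every payload simply fails to match a row; the only reliable fix is binding, not escaping quotes by hand.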

## Fingerprinting


### Command/variable inclusion
Sometimes we want to know which SQL implementation we are talking to (there are many). We can do this by:
- Version testing with `SELECT @@version`
- Seeing if functions specific to one version are available like `SELECT POW(1,1)` and `SELECT SLEEP(5)`

### INFORMATION\_SCHEMA inclusion
The table SCHEMATA in the INFORMATION\_SCHEMA database has a record for every database the server holds (schema\_name holds the database name)

INFORMATION\_SCHEMA
---
SCHEMATA
TABLES
COLUMNS

## Reading files

USER(); shows the current user, good for seeing permissions
LOAD\_FILE(); reads a file from the database server's filesystem

## writing files

secure\_file\_priv; a variable that determines whether, and from which directory, file writing is possible

