Web

Git

Look for /.git/HEAD or /.git/config to see if the .git directory is exposed. If it is, we can use GitTools to download the entire repository and look for the flag, or at least a vulnerability to get it.

Another good tool to check for this is GitDumper, which also has a browser extension that checks visited sites for exposed .git directories automatically. A less common case is an exposed Mercurial (.hg) directory, which may be worth checking for if nothing else is working; it can be downloaded with Sprengel.

When we intercept a request with Burp Suite, we can modify the request before it is sent to the server. This can be used to modify the cookie value to bypass authentication, such as changing admin=false to admin=true.

The same goes for JWTs, or JSON Web Tokens. We can use jwt.io to decode the token, modify the payload, and then encode it again.

SQL Injection

Reference.

sqlmap

sqlmap is a tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the penetration tester, and a broad range of switches ranging from database fingerprinting, over fetching data from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Installation

git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
cd sqlmap-dev

Usage

The full usage guide can be referenced here. A standard example:

python3 sqlmap.py -u "https://url.com/page.html?q=a" --batch

Manual

One payload that could be entered into a form search field is 1"; SELECT * FROM USERS WHERE "%"=". This will return all users from the database and all of their information. This payload only works if the search field logic wraps the input in a SQL LIKE pattern such as "%...%": the trailing %" that the application appends completes the injected condition to "%"="%", which is always true, so the stacked SELECT returns every row.
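As an added example (not code from the original notes), the string-built LIKE query that makes the payload above a tautology, beside a parameterized version that also escapes user-typed wildcards. The users table, its two rows and the function names are constructed for the example.

```python
import sqlite3

# Constructed sample data (not from the original page).
USERS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]

# The payload quoted in the notes above.
PAYLOAD = '1"; SELECT * FROM USERS WHERE "%"="'


def vulnerable_query(term: str) -> str:
    """Builds the search SQL by string concatenation, as a vulnerable app would.
    Returned as text only: this is the statement the database would receive.
    The application's own trailing %" turns the payload into "%"="%"."""
    return f'SELECT name FROM users WHERE name LIKE "%{term}%"'


def _connect() -> sqlite3.Connection:
    # In-memory table populated with the constructed rows.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def safe_search(term: str) -> list[str]:
    """Hardened version: the term is bound as a parameter, so quotes and
    semicolons stay inside the string literal, and LIKE wildcards typed by
    the user are escaped so a bare '%' cannot match every row."""
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    conn = _connect()
    rows = conn.execute(
        "SELECT name FROM users WHERE name LIKE ? ESCAPE '\\'",
        ("%" + escaped + "%",),
    ).fetchall()
    conn.close()
    return [r[0] for r in rows]


if __name__ == "__main__":
    print(vulnerable_query(PAYLOAD))   # shows the tautology the DB would see
    print(safe_search("ali"))          # ['alice']
    print(safe_search(PAYLOAD))        # [] : payload treated as literal text
```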

CSP

https://csplite.com/csp320/

IDEA: Try to make a tool for this based off of dicectf (Private).

https://book.hacktricks.xyz/pentesting-web/content-security-policy-csp-bypass

Jailbreaks

Python

Bash

https://gtfobins.github.io/gtfobins/dpkg/?ref=sbxio.com#sudo

Fuzzing

Wfuzz

Wfuzz...

LDAP Injection

https://book.hacktricks.xyz/pentesting-web/ldap-injection