cheatsheet in the phase of Enumeration against WEB service.
Scanner
Gobuster
<Command Options>
-u <url/domain>: The target URL or Domain
-w <wordlist>: Path to the wordlist
-o <file>: specify a file name to write the output to
-t <threads>: number of threads to run (default: 10)
-s <status codes>: comma-separated set of the list of status codes to be deemed a “positive” (default: 200,204,301,302,307)
-x <extensions>: list of extensions to check for, if any
-a <user agent string>: specify a user agent string to send in the request header
<Example of Usage>
gobuster -u http://<target ip> -w /usr/share/wordlists/dirb/small.txt
gobuster -u https:<target ip> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k -x txt
gobuster -u http://10.10.10.56 -w /usr/share/wordlists/dirb/small.txt -s 200,204,301,302,307,403
gobuster -u http://10.10.10.56/cgi-bin/ -w /usr/share/wordlists/dirb/small.txt -s 200,204,301,302,307,403 -x sh,pl
gobuster -u http://10.10.10.79 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuser.log -t 50
# Make request with specific useragent
gobuster -u http://192.168.1.108/dvwa -w /usr/share/wordlists/dirb/common.txt -a Mozilla/5.0 -fw
Local file inclusion (also known as LFI) is the process of including files, that are already locally present on the server, through the exploiting of vulnerable inclusion procedures implemented in the application. This vulnerability occurs, for example, when a page receives, as input, the path to the file that has to be included and this input is not properly sanitized, allowing directory traversal characters (such as dot-dot-slash) to be injected. Although most examples point to vulnerable PHP scripts, we should keep in mind that it is also common in other technologies such as JSP, ASP and others.
Remote File Inclusion (also known as RFI) is the process of including remote files through the exploiting of vulnerable inclusion procedures implemented in the application. This vulnerability occurs, for example, when a page receives, as input, the path to the file that has to be included and this input is not properly sanitized, allowing external URL to be injected. Although most examples point to vulnerable PHP scripts, we should keep in mind that it is also common in other technologies such as JSP, ASP and others.
An SQL injection attack consists of insertion or “injection” of either a partial or complete SQL query via the data input or transmitted from the client (browser) to the web application. A successful SQL injection attack can read sensitive data from the database, modify database data (insert/update/delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file existing on the DBMS file system or write files into the file system, and, in some cases, issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands.
<Command Options>
--url, -u <target url>: The WordPress URL/domain to scan
--enumerate | -e [option(s)]: Enumeration.
option :
u usernames from id 1 to 10
u[10-20] usernames from id 10 to 20 (you must write [] chars)
p plugins
vp only vulnerable plugins
ap all plugins (can take a long time)
tt timthumbs
t themes
vt only vulnerable themes
at all themes (can take a long time)
Multiple values are allowed : "-e tt,p" will enumerate timthumbs and plugins
<Example of Usage>
wpscan --url http://10.10.10.10/ --enumerate t --enumerate p --enumerate u
#Standard Technique
SELECT * FROM Users WHERE Username='1' OR '1' = '1' AND Password='1' OR '1' = '1'
$username = 1' or '1' = '1
$password = 1' or '1' = '1
