WEB (80,443)

Cheatsheet for the enumeration phase against a WEB service.

Scanner

Gobuster

<Command Options>
-u <url/domain>: The target URL or Domain
-w <wordlist>: Path to the wordlist
-o <file>: specify a file name to write the output to
-t <threads>: number of threads to run (default: 10)
-s <status codes>: comma-separated list of status codes to be treated as a "positive" (default: 200,204,301,302,307)
-x <extensions>: list of extensions to check for, if any
-a <user agent string>: specify a user agent string to send in the request header

<Example of Usage>
gobuster -u http://<target ip> -w /usr/share/wordlists/dirb/small.txt
gobuster -u https://<target ip> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k -x txt
gobuster -u http://10.10.10.56 -w /usr/share/wordlists/dirb/small.txt -s 200,204,301,302,307,403
gobuster -u http://10.10.10.56/cgi-bin/ -w /usr/share/wordlists/dirb/small.txt -s 200,204,301,302,307,403 -x sh,pl
gobuster -u http://10.10.10.79 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.log -t 50

# Make requests with a specific user agent
gobuster -u http://192.168.1.108/dvwa -w /usr/share/wordlists/dirb/common.txt -a Mozilla/5.0 -fw

DIRB

dirb http://<target ip>

Nikto

nikto http://<target ip>

Uniscan

<Command Options>
-u  <url>: target url

<Example of Usage>
uniscan -u http://<target ip>/ -qweds

DavTest

davtest -url http://10.10.10.15

Droopescan

droopescan scan drupal -u 10.10.10.9

WPScan

<Command Options>
--url, -u <target url>: The WordPress URL/domain to scan
--enumerate | -e [option(s)]: Enumeration.
  options:
    u        usernames from id 1 to 10
    u[10-20] usernames from id 10 to 20 (the [] characters are required)
    p        plugins
    vp       only vulnerable plugins
    ap       all plugins (can take a long time)
    tt       timthumbs
    t        themes
    vt       only vulnerable themes
    at       all themes (can take a long time)
  Multiple values are allowed: "-e tt,p" will enumerate timthumbs and plugins

<Example of Usage>
wpscan --url http://10.10.10.10/ --enumerate t --enumerate p --enumerate u

Web Application Attacks

Local File Inclusion (LFI)

http://10.10.10.84/browse.php?file=../../../../../../../../../etc/passwd

Local file inclusion (also known as LFI) is the process of including files that are already present locally on the server by exploiting vulnerable inclusion procedures implemented in the application. This vulnerability occurs, for example, when a page receives as input the path of the file to be included and that input is not properly sanitized, allowing directory traversal sequences (such as dot-dot-slash) to be injected. Although most examples point to vulnerable PHP scripts, keep in mind that it is also common in other technologies such as JSP, ASP and others.

Remote File Inclusion (RFI)

Remote File Inclusion (also known as RFI) is the process of including remote files by exploiting vulnerable inclusion procedures implemented in the application. This vulnerability occurs, for example, when a page receives as input the path of the file to be included and that input is not properly sanitized, allowing an external URL to be injected. Although most examples point to vulnerable PHP scripts, keep in mind that it is also common in other technologies such as JSP, ASP and others.

SQL Injection

# Standard technique: both inputs close the quote and append a tautology
$username = 1' or '1' = '1
$password = 1' or '1' = '1

# Resulting query
SELECT * FROM Users WHERE Username='1' OR '1' = '1' AND Password='1' OR '1' = '1'

An SQL injection attack consists of the insertion or "injection" of either a partial or complete SQL query via the data input or transmitted from the client (browser) to the web application. A successful SQL injection attack can read sensitive data from the database, modify database data (insert/update/delete), execute administrative operations on the database (such as shutting down the DBMS), recover the content of a given file on the DBMS file system or write files to the file system, and, in some cases, issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands.
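As an added example (not part of the original cheatsheet), the following Python script builds a constructed in-memory SQLite Users table and runs the cheatsheet's standard technique against both a string-concatenated login query and a parameterized one, showing why the first is bypassed and the second is not:

```python
import sqlite3

# Constructed sample database (not from the cheatsheet): a single Users table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('admin', 'S3cret!')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, the pattern the standard
    technique abuses. Returns True if any row matches."""
    query = ("SELECT * FROM Users WHERE Username='" + username +
             "' AND Password='" + password + "'")
    return conn.execute(query).fetchone() is not None

def login_parameterized(conn, username, password):
    """Same check with bound parameters: the values travel separately from
    the SQL text, so quotes in the input cannot change the query structure."""
    query = "SELECT * FROM Users WHERE Username=? AND Password=?"
    return conn.execute(query, (username, password)).fetchone() is not None

# The $username / $password values from the cheatsheet.
PAYLOAD = "1' or '1' = '1"

def demo():
    conn = make_db()
    return {
        # AND binds tighter than OR, so the trailing '1'='1' makes the
        # concatenated WHERE clause true for every row.
        "vuln_bypass": login_vulnerable(conn, PAYLOAD, PAYLOAD),
        "vuln_valid": login_vulnerable(conn, "admin", "S3cret!"),
        # The payload is compared as a literal username and matches nothing.
        "param_bypass": login_parameterized(conn, PAYLOAD, PAYLOAD),
        "param_valid": login_parameterized(conn, "admin", "S3cret!"),
    }

if __name__ == "__main__":
    print(demo())
```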
