Web Attacks

LFI:

  1. cat /etc/passwd

  2. cat service config files

  3. Upload a reverse shell and locate it

  4. Chain with file upload (FTP/Redis/Web console)

  5. Check /etc/knockd

  6. /proc/self/environ (shell in user-agent)

  7. Apache log poisoning (shell in user-agent)
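
Detection side of items 6 and 7 above, as an added example that is not part of the original notes: a small Python scanner over constructed Apache combined-format log lines that flags traversal sequences, reads of /etc/passwd and /proc/self/environ, includes of files under /var/log/, and PHP tags arriving in the User-Agent, then reports any source that shows both halves of the log-poisoning pattern. The log lines, IPs and indicator names are all constructed for the example.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format; the User-Agent is the final quoted field.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) \S+" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Constructed sample lines (not real traffic): a benign request, a traversal to
# /etc/passwd, a /proc/self/environ read with a PHP tag in the User-Agent, and
# an include of the access log itself.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1024 "-" "curl/7.88"',
    '10.0.0.9 - - [10/Oct/2023:13:55:44 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2fproc%2fself%2fenviron HTTP/1.1" 200 2048 "-" "<?php phpinfo(); ?>"',
    '10.0.0.9 - - [10/Oct/2023:13:55:50 +0000] "GET /index.php?page=../../var/log/apache2/access.log HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

def decode(value, rounds=3):
    # Strip up to `rounds` layers of URL encoding so %252e%252e is still caught.
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def analyze(line):
    """Return (ip, [indicators]) for one line, or None if it is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, ua = decode(m["path"]).lower(), decode(m["ua"]).lower()
    checks = [
        ("path-traversal", "../" in path or "..\\" in path),
        ("etc-passwd", "/etc/passwd" in path),
        ("proc-environ", "/proc/self/environ" in path),
        ("log-file-read", "/var/log/" in path),
        ("ua-php-tag", "<?php" in ua or "<?=" in ua),
    ]
    return m["ip"], [name for name, hit in checks if hit]

def scan(lines):
    """Return (ip, indicators) for every parseable line with at least one indicator."""
    return [r for r in map(analyze, lines) if r and r[1]]

def poisoning_chains(lines):
    """IPs that both sent a PHP tag in their User-Agent and requested a log file."""
    tagged = {ip for ip, inds in scan(lines) if "ua-php-tag" in inds}
    readers = {ip for ip, inds in scan(lines) if "log-file-read" in inds}
    return sorted(tagged & readers)
```

A source that appears in `poisoning_chains` is worth an alert on its own, since the two requests together are the log-poisoning sequence rather than a one-off traversal probe.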

CSRF:

  1. Test whether POST requests can be converted to GET and vice versa

  2. Send a GET link for a sensitive action through any form whose content reaches another user

  3. Generate a CSRF PoC and upload it

SQLi:

  1. Pentestmonkey cheatsheet

  2. Try admin'# (needs a valid username; see the Netsparker SQLi cheatsheet)

  3. Try abcd' or 1=1;--

  4. Use UNION SELECT null,null,... instead of 1,2,... to avoid type conversion errors

  5. For MSSQL:

    1. xp_cmdshell

    2. Use concat to return the data of two or more columns in one column

  6. For MySQL:

    1. UDF

    2. See banzai for UDF exploit issues

    3. try a' or 1='1 -- -

    4. A' union select "" into outfile "C:\xampp\htdocs\run.php" -- -'

SSRF:

  1. Try to open other subdomains

  2. Bypass restrictions with case switching

  3. Use other protocols: file://, ftp:// (single-line auth and access, like HTTP, e.g. ftp://user:pass@server/path)

  4. Try inline metacharacters: $(), `

Creds:

  1. Default username/passwords

  2. Username as the password, or the service name as the default username/password

  3. Brute-force default usernames and passwords

  4. Password reuse

  5. Null password

  6. Check config files

  7. Generate a custom wordlist with CeWL (--with-numbers)

  8. Use hashcat rules if hints point to it (-r rule_path; best64 should work)

File Upload:

  1. Change the MIME type

  2. Add image headers

  3. Add the payload in an EXIF comment with exiftool and name the file file.php.png

SSTI:

  1. Identify with tplmap.py

  2. Escalate SSTI to RCE

  3. Use the SSTI decision chart to identify the template engine
