2014-11-19 13:03:04 -05:00


Web Exploits

My list of common web vulnerabilities.

OS Command Injection


SQLi

  • Brute force password
  • Timed SQLi
  • Cookie force brute

PHP Shells

  • php primer
  • xor
  • exploits

Scanners

  • heartbleed

User ID

  • cookie auth
  • user id

Other Resources

When we have a Website/IP Address:

  • Try adding subdomain prefixes to the domain, such as http://csaw2014.website.com or http://key.website.com.

  • We brute force the subdomains, for example, with subbrute.py. This tool performs multi-threaded DNS lookups to a configurable list of DNS resolvers, searching through a list of possible subdomains.

  • Use the command dig or ping in Linux to find the IP address of the website.

  • Mirror the entire website with something like wget -e robots=off --tries=40 -r -H -l 4 <WEBSITE>.

  • Check the robots.txt file for hidden folders.

  • Inspect the DOM using the browser's developer tools to look for HTML comments (plain view-source won't work when the content is loaded through Ajax).


URLs

Octal

For the address 206.191.158.50, the dword form is ((206 * 256 + 191) * 256 + 158) * 256 + 50 = 3468664370.

Now, there is a further step that can make this address even more obscure: you can add any multiple of 4294967296 (256^4) to this dword number.

Great @

  • Everything between "http://" and "@" is completely irrelevant to where the request goes (it is parsed as user information, not as the host):

http://doesn'tmatter@www.google.org
http://!$^&*()_+`-={}|[]:;@www.google.com
  • @ symbol can be represented by its hex code %40
  • dots are %2e
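As an added example (not part of the original notes), the following Python undoes the two tricks above from the defender's side: it converts between a dotted quad and its dword form (including added multiples of 4294967296) and recovers the effective host of a URL whose authority carries userinfo before "@", %40 and %2e escapes, or a dword host. Function names and the sample URLs in the comments are my own.

```python
import re

DWORD_WRAP = 1 << 32  # 256**4 = 4294967296, the quantity that may be added


def dotted_to_dword(ip, wraps=0):
    """Dword form of a dotted-quad IP; `wraps` adds that many multiples
    of 2^32, the extra obscuring step described above."""
    a, b, c, d = (int(x) for x in ip.split("."))
    return ((a * 256 + b) * 256 + c) * 256 + d + wraps * DWORD_WRAP


def dword_to_dotted(n):
    """Fold any added multiples of 2^32 away and recover the dotted quad."""
    n %= DWORD_WRAP
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def canonical_host(url):
    """Effective host of a URL once the tricks are undone: percent-escapes
    decoded, userinfo before the last '@' dropped, an explicit port removed
    and a dword host written back as a dotted quad (IPv6 brackets are not
    handled; this helper is an illustration, not a full URL parser)."""
    # Decode percent-escapes first so %40 and %2e are read as '@' and '.'
    decoded = re.sub(r"%([0-9A-Fa-f]{2})",
                     lambda m: chr(int(m.group(1), 16)), url)
    # authority = text between the scheme's "//" and the first / ? #
    m = re.match(r"[A-Za-z][A-Za-z0-9+.-]*://([^/?#]*)", decoded)
    if not m:
        raise ValueError("not an absolute URL: %r" % url)
    authority = m.group(1)
    # Everything up to the LAST '@' is userinfo; the real host follows it
    host = authority.rpartition("@")[2]
    host = host.split(":", 1)[0].lower()  # strip an explicit port
    if host.isdigit():
        return dword_to_dotted(int(host))  # e.g. http://3468664370/
    return host


if __name__ == "__main__":
    # Constructed sample: looks like google.com, really goes to 206.191.158.50
    print(canonical_host("http://www.google.com%403468664370/"))
```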

HTTP

The request line carries the protocol version and is followed by zero or more name: value pairs (headers):

  • User-Agent: browser version information
  • Host: URL hostname
  • Accept: supported MIME types (such as text/plain or audio/MPEG)
  • Accept-Language: supported language codes
  • Referer: originating page for the request

The headers are terminated with a single empty line, which may be followed by any payload the client wishes to pass to the server (its length should be specified with the Content-Length header). The payload is usually browser data, but there is no requirement that it be.


Tools