Web Application (80/443)
Set the variable
Normal URL
export URL="http://<web url>"
File fuzzing
export URL="http://<web url>/FUZZ"
Directory fuzzing
export URL="http://<web url>/FUZZ/"
Manual Checking
Grep a username or subdomain
curl -s "$URL" | grep -oE 'http://[A-Za-z0-9._-]*\.worker\.htb'
curl -s "$URL" | grep -oE '[A-Za-z0-9/._-]+\.js'
Important files
robots.txt
.svn
.DS_STORE
cgi-bin/
.git
# check backend
index.php
index.html
Additional Checks
Check the copyright notice of the web app and search for the version
Search the version together with "changelog"
example: FreePBX 2.8.1.4 changelog
the changelog may reveal juicy info about vulnerabilities fixed after the installed version
Check cookies
Check date in the pictures
Check backend language
Check metadata of the pictures
Check source code
Fuzzing
[Important] Check first without excluding the 404 code, otherwise you may miss third-party controls. Excluding 404 is fine once you know it is an in-house web app.
Wordlist
big.txt --> for getting a juicy file
directory-list-2.3-medium.txt --> for directory
Next level wordlist using SecLists.
If SecLists is not installed on your Kali, use these commands:
sudo apt install seclists
cp -r /usr/share/seclists /usr/share/wordlists/SecLists
FUZZ Files
export URL="http://<web url>/FUZZ"
wfuzz -c -z file,/usr/share/wordlists/SecLists/Discovery/Web-Content/raft-large-files.txt --hc 404 "$URL"
FUZZ Directory
export URL="http://<web url>/FUZZ/"
wfuzz -c -z file,/usr/share/wordlists/SecLists/Discovery/Web-Content/raft-large-directories.txt --hc 404 "$URL"
FUZZ Subdomain / VHOST
export URL="http://<web url>"
wfuzz
# <some number> = response size of the default vhost, taken from a first run without --hh
wfuzz -c -u "$URL" -H "Host: FUZZ.<domain>.htb" -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt --hh <some number>
gobuster
gobuster vhost -u http://<domain> -w /usr/share/wordlists/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt -t 100
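As an added example from the defender's side (not part of the original notes), this Python script shows what the file, directory and VHOST fuzzing above looks like in the web server's access log: --hc 404 only hides responses on the client side, the server still records every probe. The log format (combined format with the Host header appended), the sample lines, the thresholds and the scanner User-Agent prefixes are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample traffic, not real logs: Apache combined format with the Host
# header appended as a final quoted field (LogFormat "... \"%{Host}i\"").
def _line(ip, path, status, host, ua="Mozilla/5.0"):
    return (f'{ip} - - [10/Oct/2023:12:00:01 +0000] "GET {path} HTTP/1.1" '
            f'{status} 196 "-" "{ua}" "{host}"')

SAMPLE_LOG = [_line("10.0.0.5", "/index.php", 200, "app.example.htb")]
# Wordlist probes: the client hides 404s with --hc 404, the server still logs each one.
SAMPLE_LOG += [_line("10.0.0.9", f"/{w}", 404, "app.example.htb", "Wfuzz/3.1.0")
               for w in ("admin", "backup", "old", "test", "dev", "tmp")]
# VHOST probes: same path, one Host header value per wordlist entry.
SAMPLE_LOG += [_line("10.0.0.7", "/", 200, f"{v}.example.htb", "gobuster/3.1")
               for v in ("dev", "mail", "vpn", "staging", "api")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)" "(?P<host>[^"]*)"$')

def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect_fuzzing(lines, min_404=5, min_hosts=3):
    """Return {client_ip: set(reasons)} for clients that look like wordlist fuzzers."""
    not_found = defaultdict(set)   # ip -> distinct paths that returned 404
    hosts = defaultdict(set)       # ip -> distinct Host header values seen
    findings = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if rec["status"] == "404":
            not_found[rec["ip"]].add(rec["path"])
        hosts[rec["ip"]].add(rec["host"].lower())
        # Assumed default User-Agent prefixes the tools send unless the operator overrides them.
        if rec["ua"].lower().startswith(("wfuzz", "gobuster", "ffuf")):
            findings[rec["ip"]].add("scanner user-agent")
    for ip, paths in not_found.items():
        if len(paths) >= min_404:      # many distinct misses from one client
            findings[ip].add("path brute force")
    for ip, names in hosts.items():
        if len(names) >= min_hosts:    # one client asking for many virtual hosts
            findings[ip].add("vhost brute force")
    return dict(findings)
```

Call detect_fuzzing(SAMPLE_LOG) to see the two probing clients flagged while the ordinary visitor is not; thresholds should be tuned to the site's normal 404 rate before use on production logs.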
FUZZ Params
If you have found a .php file that returns no output, fuzz its parameter names:
/secret/evil.php
export URL="http://$IP/secret/evil.php?FUZZ=../../../../../../../etc/passwd"
wfuzz -c -z file,/usr/share/wordlists/SecLists/Discovery/Web-Content/burp-parameter-names.txt --hc 404 "$URL"
Subdomain (DNS)
gobuster dns -d realcorp.htb -r 0.10.10.224 -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -o gobuster-dns.out