Methodo, SQL, RCE, XSS, XXE updated

This commit is contained in:
swisskyrepo
2016-12-20 19:46:06 +01:00
parent a39a10f175
commit 14a82a14a4
8 changed files with 77 additions and 35 deletions

@@ -3,6 +3,12 @@
## Bug Hunting Methodology
* Enumerate all subdomains (only if the scope is *.domain.ext)
Using Subbrute
```
python subbrute.py domain.example.com
```
Using KnockPy with Daniel Miesslers SecLists for subdomain "/Discover/DNS"
```
git clone https://github.com/guelfoweb/knock
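Review bot: the wordlist directory named in the KnockPy lead-in (`for subdomain "/Discover/DNS"`) does not match the SecLists tree being cloned right below it, where the directory is `Discovery/DNS`; a reader who copies the quoted path will get a file-not-found error. While here, `Daniel Miesslers SecLists` wants the possessive (`Daniel Miessler's SecLists`), and the Subbrute block would be copy-pasteable like the KnockPy one if it were preceded by the clone line that provides `subbrute.py`.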
@@ -11,6 +17,13 @@ git clone https://github.com/danielmiessler/SecLists.git
knockpy domain.com -w /PATH_TO_SECLISTS/Discover/DNS/subdomains-top1mil-110000.txt
```
Using Google Dorks
```
site:*.domain.com -www
site:http://domain.com ext:php
site:http://domain.com filetype:pdf
```
Using Jason Haddix's enumall Recon-ng script,
```
git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git
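Review bot: the Recon-ng clone URL `https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git` embeds a username, so git will prompt every reader for that account's password instead of cloning anonymously; use `https://bitbucket.org/LaNMaSteR53/recon-ng.git`. In the dork block, `site:*.domain.com -www` excludes every result whose text contains the word `www`, not just the `www` host, so it silently hides pages from other subdomains too; `site:domain.com -site:www.domain.com` expresses the intent exactly. The same three dork lines are being removed from the `## Google Dorks` section further down, so this is the only copy that should remain.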
@@ -58,7 +71,9 @@ sudo nmap -sSV -oA OUTPUTFILE -T4 -iL INPUTFILE.csv
• -T4 defines the timing for the task (options are 0-5 and higher is faster)
```
* List all the subdirectories with DirBuster or GoBuster
* List all the subdirectories and files
Using DirBuster or GoBuster
```
./gobuster -u http://buffered.io/ -w words.txt -t 10
-u url
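Review bot: the GoBuster example targets `http://buffered.io/`, a real third-party host, while every other example in this file uses a `domain.com` placeholder; point it at the placeholder so nobody pastes it and brute-forces an out-of-scope site. The reworded bullet (`List all the subdirectories and files`) is an improvement over the old one, since GoBuster finds files as well as directories.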
@@ -67,15 +82,40 @@ sudo nmap -sSV -oA OUTPUTFILE -T4 -iL INPUTFILE.csv
More subdomain :
./gobuster -m dns -w subdomains.txt -u google.com -i
gobuster -w wordlist -u URL -r -e
```
* Explore the website
Using a script to detect all phpinfo.php files in a range of IPs (CIDR can be found with a whois)
```
#!/bin/bash
for ipa in 98.13{6..9}.{0..255}.{0..255}; do
wget -t 1 -T 3 http://${ipa}/phpinfo.php; done &
```
Using a script to detect all .htpasswd files in a range of IPs
```
#!/bin/bash
for ipa in 98.13{6..9}.{0..255}.{0..255}; do
wget -t 1 -T 3 http://${ipa}/.htpasswd; done &
```
* Explore the website with a proxy (ZAP/Burp Suite)
```
- Start ZAP proxy, visit the main target site and perform a Forced Browse to discover files and directories
- Map technologies used with Wappalyzer and Burp Suite (or ZAP) proxy
- Explore and understand available functionality, noting areas that correspond to vulnerability types
```
* Look for Web Vulns
```
- SQLi
- XSS
- RCE
- LFI/RFI
etc
```
* Look for private information in GitHub repos with GitRob
```
git clone https://github.com/michenriksen/gitrob.git
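Review bot: the two scan scripts hardcode `98.13{6..9}.{0..255}.{0..255}` (98.136.0.0 through 98.139.255.255), the address block of the organisation behind the `Thanks to` link at the bottom of the file, into what is now a generic methodology step; replace it with a placeholder and keep the note that the CIDR comes from whois. Two logic issues in the same loops: `done &` backgrounds the whole `for` loop, not each `wget`, so the 262,144 requests still run one after another with a 3 s timeout each (worst case over a week), and `wget` without `-O` writes every response body to the working directory as `phpinfo.php`, `phpinfo.php.1`, and so on, so hits are buried in 404 pages. Something like `wget -q -O /dev/null -t 1 -T 3 "http://$ipa/phpinfo.php" && echo "$ipa"`, fed through `xargs -P` for concurrency, reports only the hosts that answered 200 (wget exits non-zero on a 404). Smaller points in the same hunk: `More subdomain :` should read `More subdomains:`, and the DNS-mode example (`./gobuster -m dns -w subdomains.txt -u google.com -i`) should use the `domain.com` placeholder rather than a real domain.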
@@ -86,31 +126,5 @@ gitrob analyze johndoe --site=https://github.acme.com --endpoint=https://github.
* Launch a Nikto scan in case you missed something
## Google Dorks
Google Dork to find subdomains
```
site:*.domain.com -www
site:http://domain.com ext:php
site:http://domain.com filetype:pdf
```
## Scripts
Script to detect all phpinfo.php files in a range of IPs (CIDR can be found with a whois)
```
#!/bin/bash
for ipa in 98.13{6..9}.{0..255}.{0..255}; do
wget -t 1 -T 3 http://${ipa}/phpinfo.php; done &
```
Script to detect all .htpasswd files in a range of IPs
```
#!/bin/bash
for ipa in 98.13{6..9}.{0..255}.{0..255}; do
wget -t 1 -T 3 http://${ipa}/.htpasswd; done &
```
## Thanks to
* http://blog.it-securityguard.com/bugbounty-yahoo-phpinfo-php-disclosure-2/
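Review bot: the hunk header shrinks this region from 31 lines to 5, which drops the `## Thanks to` block and its link to the Yahoo phpinfo disclosure write-up together with the `## Google Dorks` and `## Scripts` sections, yet the phpinfo and `.htpasswd` scripts that link credits survive in the methodology above; keep the attribution (a `## Thanks to` section at the end, or a reference next to the scripts). Removing the dork and script blocks themselves is right, since they are verbatim duplicates of the copies added earlier in the file. The remaining bullet `Launch a Nikto scan in case you missed something` would match the rest of the list if it carried the command (`nikto -h domain.com`).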