mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
412 lines
28 KiB
Markdown
412 lines
28 KiB
Markdown
# 80,443 - Pentesting Web Methodology
|
|
|
|
{{#include ../../banners/hacktricks-training.md}}
|
|
|
|
## Basic Info
|
|
|
|
Huduma ya wavuti ni huduma **ya kawaida na pana zaidi** na aina nyingi za **vulnerabilities tofauti** zipo.
|
|
|
|
**Port ya default:** 80 (HTTP), 443(HTTPS)
|
|
```bash
|
|
PORT STATE SERVICE
|
|
80/tcp open http
|
|
443/tcp open ssl/https
|
|
```
|
|
|
|
```bash
|
|
nc -v domain.com 80 # GET / HTTP/1.0
|
|
openssl s_client -connect domain.com:443 # GET / HTTP/1.0
|
|
```
|
|
### Web API Guidance
|
|
|
|
{{#ref}}
|
|
web-api-pentesting.md
|
|
{{#endref}}
|
|
|
|
## Methodology summary
|
|
|
|
> Katika mbinu hii tunaenda kudhani kwamba unataka kushambulia kikoa (au subdomain) na tu hicho. Hivyo, unapaswa kutumia mbinu hii kwa kila kikoa, subdomain au IP iliyogunduliwa yenye seva ya wavuti isiyojulikana ndani ya upeo.
|
|
|
|
- [ ] Anza kwa **kutambua** **teknolojia** zinazotumiwa na seva ya wavuti. Tafuta **hila** za kukumbuka wakati wa mtihani mzima ikiwa utaweza kutambua teknolojia hiyo kwa mafanikio.
|
|
- [ ] Je, kuna **udhaifu** wowote unaojulikana wa toleo la teknolojia hiyo?
|
|
- [ ] Unatumia **teknolojia maarufu** yoyote? Je, kuna **hila** yoyote ya manufaa ya kupata taarifa zaidi?
|
|
- [ ] Je, kuna **scanner maalum** yoyote ya kukimbia (kama wpscan)?
|
|
- [ ] Uzindua **scanners za matumizi ya jumla**. Hujui kamwe kama wataweza kupata kitu au kama wataweza kupata taarifa za kuvutia.
|
|
- [ ] Anza na **ukaguzi wa awali**: **robots**, **sitemap**, **404** makosa na **SSL/TLS scan** (ikiwa HTTPS).
|
|
- [ ] Anza **kupeleleza** ukurasa wa wavuti: Ni wakati wa **kupata** faili, folda na **parameta** zote zinazotumika. Pia, angalia kwa **matokeo maalum**.
|
|
- [ ] _Kumbuka kwamba kila wakati directory mpya inagunduliwa wakati wa brute-forcing au kupeleleza, inapaswa kupelelezwa._
|
|
- [ ] **Directory Brute-Forcing**: Jaribu kufanya brute force kwa folda zote zilizogunduliwa kutafuta **faili** na **directories** mpya.
|
|
- [ ] _Kumbuka kwamba kila wakati directory mpya inagunduliwa wakati wa brute-forcing au kupeleleza, inapaswa kufanywa Brute-Forced._
|
|
- [ ] **Kuangalia nakala za akiba**: Jaribu kuona kama unaweza kupata **nakala za akiba** za **faili zilizogunduliwa** ukiongeza nyongeza za kawaida za akiba.
|
|
- [ ] **Brute-Force parameters**: Jaribu **kupata parameta zilizofichwa**.
|
|
- [ ] Mara tu unapokuwa umeshawishi **kila mwisho** unaokubali **ingizo la mtumiaji**, angalia aina zote za **udhaifu** zinazohusiana na hiyo.
|
|
- [ ] [Fuata orodha hii ya ukaguzi](../../pentesting-web/web-vulnerabilities-methodology.md)
|
|
|
|
## Server Version (Vulnerable?)
|
|
|
|
### Identify
|
|
|
|
Angalia kama kuna **udhaifu unaojulikana** kwa **toleo** la seva inayotumika.\
|
|
**HTTP headers na cookies za jibu** zinaweza kuwa na manufaa sana katika **kutambua** **teknolojia** na/au **toleo** linalotumika. **Nmap scan** inaweza kutambua toleo la seva, lakini inaweza pia kuwa na manufaa kutumia zana [**whatweb**](https://github.com/urbanadventurer/WhatWeb)**,** [**webtech** ](https://github.com/ShielderSec/webtech)au [**https://builtwith.com/**](https://builtwith.com)**:**
|
|
```bash
|
|
whatweb -a 1 <URL> #Stealthy
|
|
whatweb -a 3 <URL> #Aggresive
|
|
webtech -u <URL>
|
|
webanalyze -host https://google.com -crawl 2
|
|
```
|
|
Search **for** [**vulnerabilities of the web application** **version**](../../generic-hacking/search-exploits.md)
|
|
|
|
### **Check if any WAF**
|
|
|
|
- [**https://github.com/EnableSecurity/wafw00f**](https://github.com/EnableSecurity/wafw00f)
|
|
- [**https://github.com/Ekultek/WhatWaf.git**](https://github.com/Ekultek/WhatWaf.git)
|
|
- [**https://nmap.org/nsedoc/scripts/http-waf-detect.html**](https://nmap.org/nsedoc/scripts/http-waf-detect.html)
|
|
|
|
### Web tech tricks
|
|
|
|
Baadhi ya **tricks** za **finding vulnerabilities** katika **technologies** maarufu zinazotumika:
|
|
|
|
- [**AEM - Adobe Experience Cloud**](aem-adobe-experience-cloud.md)
|
|
- [**Apache**](apache.md)
|
|
- [**Artifactory**](artifactory-hacking-guide.md)
|
|
- [**Buckets**](buckets/index.html)
|
|
- [**CGI**](cgi.md)
|
|
- [**Drupal**](drupal/index.html)
|
|
- [**Flask**](flask.md)
|
|
- [**Git**](git.md)
|
|
- [**Golang**](golang.md)
|
|
- [**GraphQL**](graphql.md)
|
|
- [**H2 - Java SQL database**](h2-java-sql-database.md)
|
|
- [**IIS tricks**](iis-internet-information-services.md)
|
|
- [**JBOSS**](jboss.md)
|
|
- [**Jenkins**](<[https:/github.com/carlospolop/hacktricks/blob/master/network-services-pentesting/pentesting-web/broken-reference/README.md](https:/github.com/HackTricks-wiki/hacktricks-cloud/tree/master/pentesting-ci-cd/jenkins-security)/>)
|
|
- [**Jira**](jira.md)
|
|
- [**Joomla**](joomla.md)
|
|
- [**JSP**](jsp.md)
|
|
- [**Laravel**](laravel.md)
|
|
- [**Moodle**](moodle.md)
|
|
- [**Nginx**](nginx.md)
|
|
- [**PHP (php has a lot of interesting tricks that could be exploited)**](php-tricks-esp/index.html)
|
|
- [**Python**](python.md)
|
|
- [**Spring Actuators**](spring-actuators.md)
|
|
- [**Symphony**](symphony.md)
|
|
- [**Tomcat**](tomcat/index.html)
|
|
- [**VMWare**](vmware-esx-vcenter....md)
|
|
- [**Web API Pentesting**](web-api-pentesting.md)
|
|
- [**WebDav**](put-method-webdav.md)
|
|
- [**Werkzeug**](werkzeug.md)
|
|
- [**Wordpress**](wordpress.md)
|
|
- [**Electron Desktop (XSS to RCE)**](electron-desktop-apps/index.html)
|
|
|
|
_Kumbuka kwamba **domain** hiyo hiyo inaweza kuwa inatumia **technologies** tofauti katika **ports**, **folders** na **subdomains**._\
|
|
Ikiwa programu ya wavuti inatumia **tech/platform** maarufu zilizoorodheshwa hapo juu au **zingine yoyote**, usisahau **kutafuta kwenye Mtandao** tricks mpya (na unijulishe!).
|
|
|
|
### Source Code Review
|
|
|
|
Ikiwa **source code** ya programu inapatikana katika **github**, mbali na kufanya **mtihani wa White box** wa programu hiyo kuna **maelezo** ambayo yanaweza kuwa **muhimu** kwa **Black-Box testing** ya sasa:
|
|
|
|
- Je, kuna **Change-log au Readme au Version** file au chochote chenye **version info accessible** kupitia wavuti?
|
|
- Je, **credentials** zimehifadhiwaje na wapi? Je, kuna **file** yoyote (inayopatikana?) yenye credentials (majina ya watumiaji au nywila)?
|
|
- Je, **passwords** ziko katika **plain text**, **encrypted** au ni **hashing algorithm** gani inatumika?
|
|
- Je, inatumia **master key** yoyote kwa ajili ya kuandika kitu? Ni **algorithm** gani inatumika?
|
|
- Je, unaweza **kufikia yoyote ya hizi files** kwa kutumia udhaifu wowote?
|
|
- Je, kuna **maelezo ya kuvutia katika github** (masuala yaliyotatuliwa na yasiyotatuliwa)? Au katika **commit history** (labda **password iliyoingizwa ndani ya commit ya zamani**)?
|
|
|
|
{{#ref}}
|
|
code-review-tools.md
|
|
{{#endref}}
|
|
|
|
### Automatic scanners
|
|
|
|
#### General purpose automatic scanners
|
|
```bash
|
|
nikto -h <URL>
|
|
whatweb -a 4 <URL>
|
|
wapiti -u <URL>
|
|
W3af
|
|
zaproxy #You can use an API
|
|
nuclei -ut && nuclei -target <URL>
|
|
|
|
# https://github.com/ignis-sec/puff (client side vulns fuzzer)
|
|
node puff.js -w ./wordlist-examples/xss.txt -u "http://www.xssgame.com/f/m4KKGHi2rVUN/?query=FUZZ"
|
|
```
|
|
#### CMS scanners
|
|
|
|
Ikiwa CMS inatumika usisahau **kufanya skana**, labda kitu cha kuvutia kitatokea:
|
|
|
|
[**Clusterd**](https://github.com/hatRiot/clusterd)**:** [**JBoss**](jboss.md)**, ColdFusion, WebLogic,** [**Tomcat**](tomcat/index.html)**, Railo, Axis2, Glassfish**\
|
|
[**CMSScan**](https://github.com/ajinabraham/CMSScan): [**WordPress**](wordpress.md), [**Drupal**](drupal/index.html), **Joomla**, **vBulletin** tovuti za masuala ya Usalama. (GUI)\
|
|
[**VulnX**](https://github.com/anouarbensaad/vulnx)**:** [**Joomla**](joomla.md)**,** [**Wordpress**](wordpress.md)**,** [**Drupal**](drupal/index.html)**, PrestaShop, Opencart**\
|
|
**CMSMap**: [**(W)ordpress**](wordpress.md)**,** [**(J)oomla**](joomla.md)**,** [**(D)rupal**](drupal/index.html) **au** [**(M)oodle**](moodle.md)\
|
|
[**droopscan**](https://github.com/droope/droopescan)**:** [**Drupal**](drupal/index.html)**,** [**Joomla**](joomla.md)**,** [**Moodle**](moodle.md)**, Silverstripe,** [**Wordpress**](wordpress.md)
|
|
```bash
|
|
cmsmap [-f W] -F -d <URL>
|
|
wpscan --force update -e --url <URL>
|
|
joomscan --ec -u <URL>
|
|
joomlavs.rb #https://github.com/rastating/joomlavs
|
|
```
|
|
> Katika hatua hii unapaswa kuwa na taarifa fulani kuhusu seva ya wavuti inayotumiwa na mteja (ikiwa kuna data yoyote iliyotolewa) na mbinu fulani za kukumbuka wakati wa mtihani. Ikiwa una bahati umepata hata CMS na kuendesha skana.
|
|
|
|
## Hatua kwa hatua Ugunduzi wa Programu za Wavuti
|
|
|
|
> Kutoka hapa tutaanza kuingiliana na programu ya wavuti.
|
|
|
|
### Ukaguzi wa Awali
|
|
|
|
**Kurasa za Kawaida zenye taarifa za kuvutia:**
|
|
|
|
- /robots.txt
|
|
- /sitemap.xml
|
|
- /crossdomain.xml
|
|
- /clientaccesspolicy.xml
|
|
- /.well-known/
|
|
- Angalia pia maoni katika kurasa kuu na za sekondari.
|
|
|
|
**Kusababisha makosa**
|
|
|
|
Seva za wavuti zinaweza **kufanya kazi kwa njia isiyo ya kawaida** wakati data za ajabu zinatumwa kwao. Hii inaweza kufungua **vulnerabilities** au **kufichua taarifa nyeti**.
|
|
|
|
- Fikia **kurasa za uwongo** kama /whatever_fake.php (.aspx,.html,.n.k)
|
|
- **Ongeza "\[]", "]]", na "\[\["** katika **maadili ya cookie** na **maadili ya parameter** ili kuunda makosa
|
|
- Tengeneza kosa kwa kutoa ingizo kama **`/~randomthing/%s`** kwenye **mwisho** wa **URL**
|
|
- Jaribu **HTTP Verbs tofauti** kama PATCH, DEBUG au makosa kama FAKE
|
|
|
|
#### **Angalia kama unaweza kupakia faili (**[**PUT verb, WebDav**](put-method-webdav.md)**)**
|
|
|
|
Ikiwa unapata kuwa **WebDav** ime **wezeshwa** lakini huna ruhusa za kutosha za **kupakia faili** kwenye folda ya mzizi jaribu:
|
|
|
|
- **Brute Force** akidi
|
|
- **Pakia faili** kupitia WebDav kwenye **sehemu** za **folda zilizopatikana** ndani ya ukurasa wa wavuti. Unaweza kuwa na ruhusa za kupakia faili katika folda nyingine.
|
|
|
|
### **Vulnerabilities za SSL/TLS**
|
|
|
|
- Ikiwa programu **haiwalazimishi watumiaji kutumia HTTPS** katika sehemu yoyote, basi ni **vulnerable to MitM**
|
|
- Ikiwa programu inatumia **kutuma data nyeti (nywila) kwa kutumia HTTP**. Basi ni vulnerability kubwa.
|
|
|
|
Tumia [**testssl.sh**](https://github.com/drwetter/testssl.sh) kuangalia **vulnerabilities** (Katika programu za Bug Bounty labda aina hizi za vulnerabilities hazitakubaliwa) na tumia [**a2sv** ](https://github.com/hahwul/a2sv)kuangalia tena vulnerabilities:
|
|
```bash
|
|
./testssl.sh [--htmlfile] 10.10.10.10:443
|
|
#Use the --htmlfile to save the output inside an htmlfile also
|
|
|
|
# You can also use other tools, by testssl.sh at this momment is the best one (I think)
|
|
sslscan <host:port>
|
|
sslyze --regular <ip:port>
|
|
```
|
|
Habari kuhusu SSL/TLS udhaifu:
|
|
|
|
- [https://www.gracefulsecurity.com/tls-ssl-vulnerabilities/](https://www.gracefulsecurity.com/tls-ssl-vulnerabilities/)
|
|
- [https://www.acunetix.com/blog/articles/tls-vulnerabilities-attacks-final-part/](https://www.acunetix.com/blog/articles/tls-vulnerabilities-attacks-final-part/)
|
|
|
|
### Spidering
|
|
|
|
Zindua aina fulani ya **spider** ndani ya wavuti. Lengo la spider ni **kupata njia nyingi kadri iwezekanavyo** kutoka kwa programu iliyojaribiwa. Kwa hivyo, kuvinjari wavuti na vyanzo vya nje vinapaswa kutumika ili kupata njia halali nyingi kadri iwezekanavyo.
|
|
|
|
- [**gospider**](https://github.com/jaeles-project/gospider) (go): HTML spider, LinkFinder katika faili za JS na vyanzo vya nje (Archive.org, CommonCrawl.org, VirusTotal.com, AlienVault.com).
|
|
- [**hakrawler**](https://github.com/hakluke/hakrawler) (go): HML spider, na LinkFider kwa faili za JS na Archive.org kama chanzo cha nje.
|
|
- [**dirhunt**](https://github.com/Nekmo/dirhunt) (python): HTML spider, pia inaonyesha "faili za juisi".
|
|
- [**evine** ](https://github.com/saeeddhqan/evine)(go): Interactive CLI HTML spider. Pia inatafuta katika Archive.org
|
|
- [**meg**](https://github.com/tomnomnom/meg) (go): Chombo hiki si spider lakini kinaweza kuwa na manufaa. Unaweza tu kuashiria faili yenye mwenyeji na faili yenye njia na meg itachukua kila njia kwenye kila mwenyeji na kuhifadhi jibu.
|
|
- [**urlgrab**](https://github.com/IAmStoxe/urlgrab) (go): HTML spider yenye uwezo wa kutafsiri JS. Hata hivyo, inaonekana kama haijatunzwa, toleo lililotayarishwa ni la zamani na msimbo wa sasa haujajitengeneza.
|
|
- [**gau**](https://github.com/lc/gau) (go): HTML spider inayotumia watoa huduma wa nje (wayback, otx, commoncrawl)
|
|
- [**ParamSpider**](https://github.com/devanshbatham/ParamSpider): Hii ni skripti itakayopata URLs zenye parameta na kuziorodhesha.
|
|
- [**galer**](https://github.com/dwisiswant0/galer) (go): HTML spider yenye uwezo wa kutafsiri JS.
|
|
- [**LinkFinder**](https://github.com/GerbenJavado/LinkFinder) (python): HTML spider, yenye uwezo wa kuboresha JS inayoweza kutafuta njia mpya katika faili za JS. Inaweza kuwa na manufaa pia kuangalia [JSScanner](https://github.com/dark-warlord14/JSScanner), ambayo ni wrapper ya LinkFinder.
|
|
- [**goLinkFinder**](https://github.com/0xsha/GoLinkFinder) (go): Kutolewa kwa mwisho katika chanzo cha HTML na faili za javascript zilizojumuishwa. Inafaida kwa wawindaji wa makosa, timu nyekundu, na ninjas wa infosec.
|
|
- [**JSParser**](https://github.com/nahamsec/JSParser) (python2.7): Skripti ya python 2.7 inayotumia Tornado na JSBeautifier kutafsiri URLs zinazohusiana kutoka kwa faili za JavaScript. Inafaida kwa kugundua maombi ya AJAX kwa urahisi. Inaonekana kama haijatunzwa.
|
|
- [**relative-url-extractor**](https://github.com/jobertabma/relative-url-extractor) (ruby): Iwapo kuna faili (HTML) itatoa URLs kutoka kwake kwa kutumia kanuni nzuri za kawaida kutafuta na kutoa URLs zinazohusiana kutoka kwa faili mbaya (minify).
|
|
- [**JSFScan**](https://github.com/KathanP19/JSFScan.sh) (bash, zana kadhaa): Kusanya habari za kuvutia kutoka kwa faili za JS kwa kutumia zana kadhaa.
|
|
- [**subjs**](https://github.com/lc/subjs) (go): Pata faili za JS.
|
|
- [**page-fetch**](https://github.com/detectify/page-fetch) (go): Pakia ukurasa katika kivinjari kisichokuwa na kichwa na uchapishe URLs zote zilizopakiwa ili kupakia ukurasa.
|
|
- [**Feroxbuster**](https://github.com/epi052/feroxbuster) (rust): Chombo cha kugundua maudhui kinachochanganya chaguzi kadhaa za zana za awali.
|
|
- [**Javascript Parsing**](https://github.com/xnl-h4ck3r/burp-extensions): Kiendelezi cha Burp kutafuta njia na parameta katika faili za JS.
|
|
- [**Sourcemapper**](https://github.com/denandz/sourcemapper): Chombo ambacho kwa URL ya .js.map kitakuletea msimbo wa JS ulioimarishwa.
|
|
- [**xnLinkFinder**](https://github.com/xnl-h4ck3r/xnLinkFinder): Hii ni chombo kinachotumika kugundua mwisho kwa lengo fulani.
|
|
- [**waymore**](https://github.com/xnl-h4ck3r/waymore)**:** Gundua viungo kutoka kwa mashine ya wayback (pia kupakua majibu katika wayback na kutafuta viungo zaidi).
|
|
- [**HTTPLoot**](https://github.com/redhuntlabs/HTTPLoot) (go): Crawl (hata kwa kujaza fomu) na pia pata habari nyeti kwa kutumia regex maalum.
|
|
- [**SpiderSuite**](https://github.com/3nock/SpiderSuite): Spider Suite ni kivinjari cha wavuti cha GUI chenye vipengele vingi vilivyoundwa kwa wataalamu wa usalama wa mtandao.
|
|
- [**jsluice**](https://github.com/BishopFox/jsluice) (go): Ni pakiti ya Go na [chombo cha amri](https://github.com/BishopFox/jsluice/blob/main/cmd/jsluice) cha kutoa URLs, njia, siri, na data nyingine za kuvutia kutoka kwa msimbo wa chanzo wa JavaScript.
|
|
- [**ParaForge**](https://github.com/Anof-cyber/ParaForge): ParaForge ni kiendelezi rahisi cha **Burp Suite** kutolewa **parameta na mwisho** kutoka kwa ombi ili kuunda orodha ya maneno ya kawaida kwa fuzzing na orodha.
|
|
- [**katana**](https://github.com/projectdiscovery/katana) (go): Chombo bora kwa hili.
|
|
- [**Crawley**](https://github.com/s0rg/crawley) (go): Chapisha kila kiungo kinachoweza kupatikana.
|
|
|
|
### Brute Force directories and files
|
|
|
|
Anza **brute-forcing** kutoka kwenye folda ya mzizi na uhakikishe unafanya brute-force **zote** **directories zilizopatikana** kwa kutumia **hii mbinu** na zote **directories zilizogunduliwa** na **Spidering** (unaweza kufanya brute-forcing hii **kikamilifu** na kuongeza mwanzoni mwa orodha ya maneno iliyotumika majina ya directories zilizopatikana).\
|
|
Zana:
|
|
|
|
- **Dirb** / **Dirbuster** - Imejumuishwa katika Kali, **ya zamani** (na **polepole**) lakini inafanya kazi. Inaruhusu vyeti vilivyojitiisha kiotomatiki na utafutaji wa kurudiwa. Polepole sana ikilinganishwa na chaguzi nyingine.
|
|
- [**Dirsearch**](https://github.com/maurosoria/dirsearch) (python)**: Haikubali vyeti vilivyojitiisha kiotomatiki lakini** inaruhusu utafutaji wa kurudiwa.
|
|
- [**Gobuster**](https://github.com/OJ/gobuster) (go): Inaruhusu vyeti vilivyojitiisha kiotomatiki, **haikubali** **utaftaji wa kurudiwa**.
|
|
- [**Feroxbuster**](https://github.com/epi052/feroxbuster) **- Haraka, inasaidia utafutaji wa kurudiwa.**
|
|
- [**wfuzz**](https://github.com/xmendez/wfuzz) `wfuzz -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt https://domain.com/api/FUZZ`
|
|
- [**ffuf** ](https://github.com/ffuf/ffuf)- Haraka: `ffuf -c -w /usr/share/wordlists/dirb/big.txt -u http://10.10.10.10/FUZZ`
|
|
- [**uro**](https://github.com/s0md3v/uro) (python): Hii si spider bali ni chombo ambacho kwa orodha ya URLs zilizopatikana kitafuta "URLs zilizojirudia".
|
|
- [**Scavenger**](https://github.com/0xDexter0us/Scavenger): Kiendelezi cha Burp kuunda orodha ya directories kutoka kwa historia ya burp ya kurasa tofauti.
|
|
- [**TrashCompactor**](https://github.com/michael1026/trashcompactor): Ondoa URLs zenye kazi zilizojirudia (kulingana na uagizaji wa js).
|
|
- [**Chamaleon**](https://github.com/iustin24/chameleon): Inatumia wapalyzer kugundua teknolojia zinazotumika na kuchagua orodha za maneno za kutumia.
|
|
|
|
**Orodha za maneno zinazopendekezwa:**
|
|
|
|
- [https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/bf_directories.txt](https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/bf_directories.txt)
|
|
- [**Dirsearch** orodha iliyojumuishwa](https://github.com/maurosoria/dirsearch/blob/master/db/dicc.txt)
|
|
- [http://gist.github.com/jhaddix/b80ea67d85c13206125806f0828f4d10](http://gist.github.com/jhaddix/b80ea67d85c13206125806f0828f4d10)
|
|
- [Assetnote wordlists](https://wordlists.assetnote.io)
|
|
- [https://github.com/danielmiessler/SecLists/tree/master/Discovery/Web-Content](https://github.com/danielmiessler/SecLists/tree/master/Discovery/Web-Content)
|
|
- raft-large-directories-lowercase.txt
|
|
- directory-list-2.3-medium.txt
|
|
- RobotsDisallowed/top10000.txt
|
|
- [https://github.com/random-robbie/bruteforce-lists](https://github.com/random-robbie/bruteforce-lists)
|
|
- [https://github.com/google/fuzzing/tree/master/dictionaries](https://github.com/google/fuzzing/tree/master/dictionaries)
|
|
- [https://github.com/six2dez/OneListForAll](https://github.com/six2dez/OneListForAll)
|
|
- [https://github.com/random-robbie/bruteforce-lists](https://github.com/random-robbie/bruteforce-lists)
|
|
- [https://github.com/ayoubfathi/leaky-paths](https://github.com/ayoubfathi/leaky-paths)
|
|
- _/usr/share/wordlists/dirb/common.txt_
|
|
- _/usr/share/wordlists/dirb/big.txt_
|
|
- _/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt_
|
|
|
|
_Kumbuka kwamba kila wakati directory mpya inapatikana wakati wa brute-forcing au spidering, inapaswa kufanywa Brute-Forced._
|
|
|
|
### Nini cha kuangalia kwenye kila faili iliyopatikana
|
|
|
|
- [**Broken link checker**](https://github.com/stevenvachon/broken-link-checker): Pata viungo vilivyovunjika ndani ya HTMLs ambavyo vinaweza kuwa na hatari ya kuchukuliwa.
|
|
- **File Backups**: Mara tu unapopata faili zote, angalia nakala za faili zote zinazotekelezeka ("_.php_", "_.aspx_"...). Mabadiliko ya kawaida ya kutaja nakala ni: _file.ext\~, #file.ext#, \~file.ext, file.ext.bak, file.ext.tmp, file.ext.old, file.bak, file.tmp na file.old._ Unaweza pia kutumia chombo [**bfac**](https://github.com/mazen160/bfac) **au** [**backup-gen**](https://github.com/Nishantbhagat57/backup-gen)**.**
|
|
- **Gundua parameta mpya**: Unaweza kutumia zana kama [**Arjun**](https://github.com/s0md3v/Arjun)**,** [**parameth**](https://github.com/maK-/parameth)**,** [**x8**](https://github.com/sh1yo/x8) **na** [**Param Miner**](https://github.com/PortSwigger/param-miner) **kugundua parameta zilizofichwa. Ikiwa unaweza, unaweza kujaribu kutafuta** parameta zilizofichwa kwenye kila faili ya wavuti inayotekelezeka.
|
|
- _Arjun orodha zote za maneno za kawaida:_ [https://github.com/s0md3v/Arjun/tree/master/arjun/db](https://github.com/s0md3v/Arjun/tree/master/arjun/db)
|
|
- _Param-miner “params” :_ [https://github.com/PortSwigger/param-miner/blob/master/resources/params](https://github.com/PortSwigger/param-miner/blob/master/resources/params)
|
|
- _Assetnote “parameters_top_1m”:_ [https://wordlists.assetnote.io/](https://wordlists.assetnote.io)
|
|
- _nullenc0de “params.txt”:_ [https://gist.github.com/nullenc0de/9cb36260207924f8e1787279a05eb773](https://gist.github.com/nullenc0de/9cb36260207924f8e1787279a05eb773)
|
|
- **Maoni:** Angalia maoni ya faili zote, unaweza kupata **akili** au **kazi zilizofichwa**.
|
|
- Ikiwa unacheza **CTF**, hila "ya kawaida" ni **kuficha** **habari** ndani ya maoni upande wa **kulia** wa **ukurasa** (ukitumia **mifumo** ya **maelfu** ili usione data ikiwa unafungua msimbo wa chanzo na kivinjari). Uwezekano mwingine ni kutumia **michoro kadhaa mipya** na **kuficha habari** katika maoni kwenye **chini** ya ukurasa wa wavuti.
|
|
- **API keys**: Ikiwa **unapata funguo zozote za API** kuna mwongozo unaoelekeza jinsi ya kutumia funguo za API za majukwaa tofauti: [**keyhacks**](https://github.com/streaak/keyhacks)**,** [**zile**](https://github.com/xyele/zile.git)**,** [**truffleHog**](https://github.com/trufflesecurity/truffleHog)**,** [**SecretFinder**](https://github.com/m4ll0k/SecretFinder)**,** [**RegHex**](<https://github.com/l4yton/RegHex)/>)**,** [**DumpsterDive**](https://github.com/securing/DumpsterDiver)**,** [**EarlyBird**](https://github.com/americanexpress/earlybird)
|
|
- Funguo za Google API: Ikiwa unapata funguo zozote za API zinazoonekana kama **AIza**SyA-qLheq6xjDiEIRisP_ujUseYLQCHUjik unaweza kutumia mradi [**gmapapiscanner**](https://github.com/ozguralp/gmapsapiscanner) kuangalia ni APIs zipi funguo hiyo inaweza kufikia.
|
|
- **S3 Buckets**: Wakati wa spidering angalia ikiwa **subdomain** au kiungo chochote kinahusiana na **S3 bucket**. Katika kesi hiyo, [**angalia** **idhini** ya ndoo](buckets/index.html).
|
|
|
|
### Matokeo Maalum
|
|
|
|
**Wakati** wa kufanya **spidering** na **brute-forcing** unaweza kupata **mambo ya kuvutia** ambayo unapaswa **kuangazia**.
|
|
|
|
**Faili za Kuvutia**
|
|
|
|
- Angalia **viungo** kwa faili nyingine ndani ya **CSS**.
|
|
- [Ikiwa unapata faili ya _**.git**_ habari fulani inaweza kutolewa](git.md)
|
|
- Ikiwa unapata _**.env**_ habari kama funguo za api, nywila za db na habari nyingine zinaweza kupatikana.
|
|
- Ikiwa unapata **API endpoints** unapaswa pia kujaribu [hizi](web-api-pentesting.md). Hizi si faili, lakini labda "zitakavyoonekana" kama hizo.
|
|
- **Faili za JS**: Katika sehemu ya spidering zana kadhaa ambazo zinaweza kutoa njia kutoka kwa faili za JS zilitajwa. Pia, itakuwa ya kuvutia **kufuatilia kila faili ya JS iliyopatikana**, kwani katika baadhi ya matukio, mabadiliko yanaweza kuashiria kuwa udhaifu wa uwezekano umeingizwa katika msimbo. Unaweza kutumia kwa mfano [**JSMon**](https://github.com/robre/jsmon)**.**
|
|
- Unapaswa pia kuangalia faili za JS zilizogunduliwa na [**RetireJS**](https://github.com/retirejs/retire.js/) au [**JSHole**](https://github.com/callforpapers-source/jshole) ili kuona ikiwa ina udhaifu.
|
|
- **Javascript Deobfuscator na Unpacker:** [https://lelinhtinh.github.io/de4js/](https://lelinhtinh.github.io/de4js/), [https://www.dcode.fr/javascript-unobfuscator](https://www.dcode.fr/javascript-unobfuscator)
|
|
- **Javascript Beautifier:** [http://jsbeautifier.org/](https://beautifier.io), [http://jsnice.org/](http://jsnice.org)
|
|
- **JsFuck deobfuscation** (javascript na herufi:"\[]!+" [https://enkhee-osiris.github.io/Decoder-JSFuck/](https://enkhee-osiris.github.io/Decoder-JSFuck/))
|
|
- [**TrainFuck**](https://github.com/taco-c/trainfuck)**:** `+72.+29.+7..+3.-67.-12.+55.+24.+3.-6.-8.-67.-23.`
|
|
- Katika matukio kadhaa, utahitaji **kuelewa kanuni za kawaida** zinazotumika. Hii itakuwa na manufaa: [https://regex101.com/](https://regex101.com) au [https://pythonium.net/regex](https://pythonium.net/regex)
|
|
- Unaweza pia **kufuatilia faili ambapo fomu zilipatikana**, kwani mabadiliko katika parameta au kuonekana kwa fomu mpya kunaweza kuashiria kazi mpya inayoweza kuwa na udhaifu.
|
|
|
|
**403 Forbidden/Basic Authentication/401 Unauthorized (bypass)**
|
|
|
|
{{#ref}}
|
|
403-and-401-bypasses.md
|
|
{{#endref}}
|
|
|
|
**502 Proxy Error**
|
|
|
|
Ikiwa ukurasa wowote **unajibu** na **nambari** hiyo, labda ni **proxy iliyo na makosa**. **Ikiwa utatuma ombi la HTTP kama: `GET https://google.com HTTP/1.1`** (pamoja na kichwa cha mwenyeji na vichwa vingine vya kawaida), **proxy** itajaribu **kufikia** _**google.com**_ **na utakuwa umepata** SSRF.
|
|
|
|
**NTLM Authentication - Info disclosure**
|
|
|
|
Ikiwa seva inayotumika inahitaji uthibitisho ni **Windows** au unapata kuingia inayohitaji **akili zako** (na kuomba **jina la** **domain**), unaweza kusababisha **ufichuzi wa habari**.\
|
|
**Tuma** **kichwa**: `“Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=”` na kutokana na jinsi **uthibitisho wa NTLM unavyofanya kazi**, seva itajibu kwa habari za ndani (toleo la IIS, toleo la Windows...) ndani ya kichwa "WWW-Authenticate".\
|
|
Unaweza **kujiandaa** hii kwa kutumia **nmap plugin** "_http-ntlm-info.nse_".
|
|
|
|
**HTTP Redirect (CTF)**
|
|
|
|
Inawezekana **kweka maudhui** ndani ya **Redirection**. Maudhui haya **hayataonyeshwa kwa mtumiaji** (kama kivinjari kitatekeleza uelekeo) lakini kitu kinaweza kuwa **kimefichwa** huko.
|
|
|
|
### Web Vulnerabilities Checking
|
|
|
|
Sasa kwamba orodha kamili ya programu ya wavuti imefanywa ni wakati wa kuangalia udhaifu wengi wanaoweza kutokea. Unaweza kupata orodha ya ukaguzi hapa:
|
|
|
|
{{#ref}}
|
|
../../pentesting-web/web-vulnerabilities-methodology.md
|
|
{{#endref}}
|
|
|
|
Pata maelezo zaidi kuhusu udhaifu wa wavuti katika:
|
|
|
|
- [https://six2dez.gitbook.io/pentest-book/others/web-checklist](https://six2dez.gitbook.io/pentest-book/others/web-checklist)
|
|
- [https://kennel209.gitbooks.io/owasp-testing-guide-v4/content/en/web_application_security_testing/configuration_and_deployment_management_testing.html](https://kennel209.gitbooks.io/owasp-testing-guide-v4/content/en/web_application_security_testing/configuration_and_deployment_management_testing.html)
|
|
- [https://owasp-skf.gitbook.io/asvs-write-ups/kbid-111-client-side-template-injection](https://owasp-skf.gitbook.io/asvs-write-ups/kbid-111-client-side-template-injection)
|
|
|
|
### Monitor Pages for changes
|
|
|
|
Unaweza kutumia zana kama [https://github.com/dgtlmoon/changedetection.io](https://github.com/dgtlmoon/changedetection.io) kufuatilia kurasa kwa mabadiliko ambayo yanaweza kuingiza udhaifu.
|
|
|
|
### HackTricks Automatic Commands
|
|
```
|
|
Protocol_Name: Web #Protocol Abbreviation if there is one.
|
|
Port_Number: 80,443 #Comma separated if there is more than one.
|
|
Protocol_Description: Web #Protocol Abbreviation Spelled out
|
|
|
|
Entry_1:
|
|
Name: Notes
|
|
Description: Notes for Web
|
|
Note: |
|
|
https://book.hacktricks.xyz/pentesting/pentesting-web
|
|
|
|
Entry_2:
|
|
Name: Quick Web Scan
|
|
Description: Nikto and GoBuster
|
|
Command: nikto -host {Web_Proto}://{IP}:{Web_Port} &&&& gobuster dir -w {Small_Dirlist} -u {Web_Proto}://{IP}:{Web_Port} && gobuster dir -w {Big_Dirlist} -u {Web_Proto}://{IP}:{Web_Port}
|
|
|
|
Entry_3:
|
|
Name: Nikto
|
|
Description: Basic Site Info via Nikto
|
|
Command: nikto -host {Web_Proto}://{IP}:{Web_Port}
|
|
|
|
Entry_4:
|
|
Name: WhatWeb
|
|
Description: General purpose auto scanner
|
|
Command: whatweb -a 4 {IP}
|
|
|
|
Entry_5:
|
|
Name: Directory Brute Force Non-Recursive
|
|
Description: Non-Recursive Directory Brute Force
|
|
Command: gobuster dir -w {Big_Dirlist} -u {Web_Proto}://{IP}:{Web_Port}
|
|
|
|
Entry_6:
|
|
Name: Directory Brute Force Recursive
|
|
Description: Recursive Directory Brute Force
|
|
Command: python3 {Tool_Dir}dirsearch/dirsearch.py -w {Small_Dirlist} -e php,exe,sh,py,html,pl -f -t 20 -u {Web_Proto}://{IP}:{Web_Port} -r 10
|
|
|
|
Entry_7:
|
|
Name: Directory Brute Force CGI
|
|
Description: Common Gateway Interface Brute Force
|
|
Command: gobuster dir -u {Web_Proto}://{IP}:{Web_Port}/ -w /usr/share/seclists/Discovery/Web-Content/CGIs.txt -s 200
|
|
|
|
Entry_8:
|
|
Name: Nmap Web Vuln Scan
|
|
Description: Tailored Nmap Scan for web Vulnerabilities
|
|
Command: nmap -vv --reason -Pn -sV -p {Web_Port} --script=`banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)` {IP}
|
|
|
|
Entry_9:
|
|
Name: Drupal
|
|
Description: Drupal Enumeration Notes
|
|
Note: |
|
|
git clone https://github.com/immunIT/drupwn.git for low hanging fruit and git clone https://github.com/droope/droopescan.git for deeper enumeration
|
|
|
|
Entry_10:
|
|
Name: WordPress
|
|
Description: WordPress Enumeration with WPScan
|
|
Command: |
|
|
?What is the location of the wp-login.php? Example: /Yeet/cannon/wp-login.php
|
|
wpscan --url {Web_Proto}://{IP}{1} --enumerate ap,at,cb,dbe && wpscan --url {Web_Proto}://{IP}{1} --enumerate u,tt,t,vp --passwords {Big_Passwordlist} -e
|
|
|
|
Entry_11:
|
|
Name: WordPress Hydra Brute Force
|
|
Description: Need User (admin is default)
|
|
Command: hydra -l admin -P {Big_Passwordlist} {IP} -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'
|
|
|
|
Entry_12:
|
|
Name: Ffuf Vhost
|
|
Description: Simple Scan with Ffuf for discovering additional vhosts
|
|
Command: ffuf -w {Subdomain_List}:FUZZ -u {Web_Proto}://{Domain_Name} -H "Host:FUZZ.{Domain_Name}" -c -mc all {Ffuf_Filters}
|
|
```
|
|
{{#include ../../banners/hacktricks-training.md}}
|