Methodology

Enumerate

When you enumerate the website, you are looking for the way in: the feature or weakness that your attack will use. Typical angles are the following:

  • Upload a malicious file
  • XSS attacks
  • Identify the backend
  • Get all directories

Directories

We can identify all directories of a website with gobuster:

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://example.com

Also, with -x we can restrict the search to specific file extensions, for instance to list the image files in an upload directory:

gobuster dir -x jpeg,jpg,png -w <wordlist.txt> -u http://example.com/uploads

The same option helps to identify all the HTML or PHP pages, for instance:

gobuster dir -x jpeg,html,htm,php -w <wordlist.txt> -u http://example.com/

You can also use Nikto, which is a good general-purpose web server scanner (misconfigurations, default files, known vulnerable components):

nikto -h example.com

Identify backend

If we want to execute a RCE (Remote Code Execution), we need to identify the backend of the site, because the payload has to match the language the server actually runs (PHP, Node.js, ASP.NET, ...). For that, we can use the website https://www.wappalyzer.com, or sometimes, when we do an HTTP request, the response header X-Powered-By gives the information. Note that the Server header often only names the reverse proxy in front of the application (nginx below), not the application itself:

curl -v http://jewel.uploadvulns.thm
* TCP_NODELAY set
* Connected to jewel.uploadvulns.thm (10.10.251.98) port 80 (#0)
> GET / HTTP/1.1
> Host: jewel.uploadvulns.thm
> User-Agent: curl/7.58.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: nginx/1.14.0 (Ubuntu)
< Date: Tue, 06 Feb 2024 13:22:47 GMT
< Content-Type: text/html; charset=UTF-8
< Content-Length: 1514
< Connection: keep-alive
< X-Powered-By: Express
< Access-Control-Allow-Origin: *
< Accept-Ranges: bytes
< Cache-Control: public, max-age=0
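In the response above, X-Powered-By: Express identifies the application as Node.js running the Express framework, so a PHP web shell would be useless here. The script below is an added example (not part of the original notes) that automates this reading: it pulls one header out of a captured response and maps X-Powered-By values and well-known default session cookie names to a backend guess. The sample response is constructed from the curl output above plus an invented connect.sid cookie; in a real run you would pipe `curl -si http://target/` into guess_backend.

```shell
#!/bin/sh
# Added example, not from the original notes: extract backend hints from a
# captured HTTP response (the output of `curl -si URL`).

# Constructed sample, modelled on the curl output in the notes. The Set-Cookie
# line is invented to show the cookie-name heuristic.
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Tue, 06 Feb 2024 13:22:47 GMT
Content-Type: text/html; charset=UTF-8
X-Powered-By: Express
Set-Cookie: connect.sid=s%3Aabc.def; Path=/; HttpOnly

<html><body>hello</body></html>'

# header_value NAME: print the value of the first header called NAME
# (case-insensitive) read on stdin. Stops at the blank line ending the headers.
header_value() {
    awk -v name="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^\r?$/ { exit }
        {
            i = index($0, ":")
            if (i == 0) next
            if (tolower(substr($0, 1, i - 1)) == name) {
                v = substr($0, i + 1)
                sub(/^[ \t]+/, "", v); sub(/\r$/, "", v)
                print v
                exit
            }
        }'
}

# guess_backend: read a response on stdin and print one guess per line, from
# X-Powered-By and from the default session cookie names of common stacks
# (PHPSESSID = PHP, JSESSIONID = Java servlet containers, connect.sid =
# express-session on Node.js, ASP.NET_SessionId = ASP.NET).
guess_backend() {
    resp=$(cat)
    powered=$(printf '%s\n' "$resp" | header_value X-Powered-By)
    cookie=$(printf '%s\n' "$resp" | header_value Set-Cookie)
    case "$powered" in
        Express*)  echo "Node.js (Express)" ;;
        PHP*)      echo "PHP ${powered#PHP/}" ;;
        ASP.NET*)  echo "ASP.NET" ;;
        "")        ;;
        *)         echo "X-Powered-By: $powered" ;;
    esac
    case "$cookie" in
        PHPSESSID=*)         echo "PHP (PHPSESSID cookie)" ;;
        JSESSIONID=*)        echo "Java servlet container (JSESSIONID cookie)" ;;
        connect.sid=*)       echo "Node.js express-session (connect.sid cookie)" ;;
        ASP.NET_SessionId=*) echo "ASP.NET (ASP.NET_SessionId cookie)" ;;
    esac
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_RESPONSE" | guess_backend
```

X-Powered-By is trivially removable (Express, PHP and ASP.NET all have a setting to disable it), so an empty result means "no hint", not "no backend": fall back on Wappalyzer, on the extension of the pages gobuster found (.php, .aspx, .jsp) and on error pages, which often leak the framework.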

Upload malicious file

If we want to execute a RCE, we need to get our code onto the server. When a website provides users with a feature for uploading files, such as images, we enumerate the upload to discover what filtering is applied:

  • Identify which MIME type checks are made: on the Content-Type of the uploaded part (client-controlled, trivial to change), on the file extension, or on the file's magic bytes (server-side inspection of the content)
  • Try to find the maximum file size
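The following script is an added example (not from the original notes) that runs this enumeration: it varies one property at a time (extension, part Content-Type, magic bytes) so the HTTP status tells us which of the three checks the server enforces, then doubles the file size until the upload is rejected. The endpoint $TARGET_URL and the form field name "file" are assumptions to adapt to the target; the network part only runs when TARGET_URL is set, the file helpers work offline.

```shell
#!/bin/sh
# Added example, not from the original notes: probe an upload form to learn
# which checks it applies. Assumed: multipart field named "file", endpoint in
# $TARGET_URL (e.g. http://example.com/upload). Adapt both to the target.

# make_probe SIZE OUTFILE: write exactly SIZE bytes starting with the 8-byte
# PNG signature, so a magic-byte check sees a PNG even though the rest is zeros.
make_probe() {
    size=$1; out=$2
    printf '\211PNG\r\n\032\n' > "$out"
    head -c "$((size - 8))" /dev/zero >> "$out"
}

# file_size FILE: size in bytes, portable (no stat flags).
file_size() {
    wc -c < "$1" | tr -d ' '
}

# has_png_magic FILE: succeed if the first 8 bytes are the PNG signature.
has_png_magic() {
    [ "$(od -An -tx1 -N8 "$1" | tr -d ' \n')" = "89504e470d0a1a0a" ]
}

# upload FILE EXT TYPE: POST FILE as "probe.EXT" with part Content-Type TYPE
# and print only the HTTP status code returned by the server.
upload() {
    curl -s -o /dev/null -w '%{http_code}' \
        -F "file=@$1;filename=probe.$2;type=$3" "$TARGET_URL"
}

if [ -n "$TARGET_URL" ]; then
    tmp=$(mktemp -d)
    make_probe 1024 "$tmp/p.bin"
    printf 'not an image' > "$tmp/nomagic.bin"

    # 1. Which check is enforced? Change one thing per request.
    echo "png ext, image/png type, png magic : $(upload "$tmp/p.bin" png image/png)"
    echo "php ext, image/png type, png magic : $(upload "$tmp/p.bin" php image/png)"
    echo "png ext, text/plain type, png magic: $(upload "$tmp/p.bin" png text/plain)"
    echo "png ext, image/png type, no magic  : $(upload "$tmp/nomagic.bin" png image/png)"

    # 2. Maximum size: grow until the server stops accepting (e.g. 413).
    for kb in 64 256 1024 4096 16384; do
        make_probe "$((kb * 1024))" "$tmp/size.bin"
        echo "${kb} KiB: $(upload "$tmp/size.bin" png image/png)"
    done
    rm -rf "$tmp"
fi
```

Read the results by comparison with the first (fully valid) request: if only the .php extension is rejected, the filter is extension-based; if only the text/plain request fails, it trusts the client-supplied Content-Type; if only the no-magic file fails, the server inspects content. A filter on Content-Type alone is bypassed just by sending type=image/png with the payload, which is exactly what the second request tests.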

XSS attacks

MIME type

https://developer.mozilla.org/fr/docs/Web/HTTP/Basics_of_HTTP/MIME_types/Common_types

https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload