2. Perform Web Application Attacks
1. Brute force using Burp
Set the Burp proxy in the browser, intercept the request, then right-click it and send it to Intruder.
Now clear the fields and set the targets.
Use Sniper if you are only brute forcing the password.
Use Cluster bomb if brute forcing both username and password.
Set the payload and wordlists, then launch the attack. A response whose length differs from the others indicates the successful attempt.
Other brute forcing tools
Hydra brute force cheatsheet
2. Parameter tampering using Burp
In the Proxy tab, go to the Inspector section, where the parameter name and value are visible. You can change them and see the response.
3. Identify XSS using PwnXss
4. Exploit Parameter tampering with XSS
5. Perform CSRF attacks
WPSCAN
Add --random-user-agent to avoid firewalls
6. Hack a WordPress site with WPSCAN and Metasploit
Installation
Enumerate WordPress users
WPSCAN can be used to enumerate users, themes, plugins, etc.
Now launch Metasploit with the database
Now set the options to brute force it
WPSCAN brute forcing
Reference
7. Remote command execution to compromise a target server
Setup and complete DVWA Guides
Windows Command Injection
8. Exploit File upload vulnerability
Generating the payload
Run multi/handler to catch the shell
Check the DVWA walkthroughs above. For high mode, add the following at the top of the payload and save it as a JPEG
Now, in the command prompt, rename the file
Open the shell, and you will get the Meterpreter session.
9. Exploit Log4j vulnerability
Todo