Forced Browsing
Forced browsing is a technique in which we request URLs built from a list of common file and folder names, looking for resources that are reachable but not linked anywhere. Typical finds:
- Configuration files (ex: .config)
- Old files (ex: index.php.old)
- Backup files (ex: xxx.bak, backup.xxx, xxx~)
- Admin/CMS panels (ex: WordPress admin login page)
- Private files (ex: documents...)
Refer to wordlists#forced browsing for wordlists. Warning: start with small wordlists, then move to bigger ones. They don't have the same entries, so a larger list is not a superset of a smaller one.
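The same categories can be checked from the defender's side before anything is published. The following is an added example, not code from the original notes: it builds a throwaway web root populated with constructed sample files, walks it, and reports every file or directory that a forced-browsing wordlist would be likely to hit (configuration, old and backup files, stray documents, version control directories). The name patterns and the helper names (classify, audit_webroot, build_sample_webroot) are assumptions made for this example, not a complete catalogue.

```python
"""Pre-deployment audit of a web root for files that forced browsing would find.

Added example, not part of the original notes. Builds a temporary web root with
constructed sample files, then walks it and reports anything matching the
categories listed above: configuration files, old/backup files, version
control directories and stray private documents. The patterns are assumptions
drawn from the examples on this page, not an exhaustive list.
"""
import os
import re
import tempfile

# Name patterns that should never be reachable from a web root (assumed set).
SUSPICIOUS = [
    ("config file", re.compile(r"\.(config|conf|ini|env)$", re.I)),
    ("old file", re.compile(r"\.(old|orig|save)$", re.I)),
    ("backup file", re.compile(r"(\.bak$|^backup\.|~$)", re.I)),
    ("private document", re.compile(r"\.(docx?|xlsx?|pdf)$", re.I)),
]
# Directories whose mere presence under the web root is a disclosure.
VCS_DIRS = {".git", ".svn", ".hg"}


def classify(name):
    """Return the category a file name falls into, or None if it looks harmless."""
    for label, pattern in SUSPICIOUS:
        if pattern.search(name):
            return label
    return None


def audit_webroot(root):
    """Walk root and return sorted (relative_path, category) pairs."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in list(dirnames):
            if d in VCS_DIRS:
                rel = os.path.relpath(os.path.join(dirpath, d), root)
                findings.append((rel, "version control directory"))
                dirnames.remove(d)  # the directory itself is the finding; do not descend
        for f in filenames:
            label = classify(f)
            if label:
                findings.append((os.path.relpath(os.path.join(dirpath, f), root), label))
    return sorted(findings)


def build_sample_webroot():
    """Create a constructed web root mixing harmless files with exposed ones."""
    root = tempfile.mkdtemp(prefix="webroot_")
    for rel in ["index.php", "index.php.old", "db.config", "notes.txt",
                "backup.tar.gz", "wp-config.php~",
                os.path.join("docs", "salaries.xlsx"),
                os.path.join(".git", "HEAD"), os.path.join("css", "main.css")]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
    return root


if __name__ == "__main__":
    sample = build_sample_webroot()
    for path, category in audit_webroot(sample):
        print(f"{category:28} {path}")
```

Run it against a real document root instead of the constructed one by calling audit_webroot("/path/to/webroot"); anything it lists should either be moved out of the web root or explicitly denied in the web server configuration.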
Additional Notes
Version Control Files Disclosure
Sometimes, version control files such as .git for Git may be exposed. They can be used to recover the current and the previous versions of the code. For instance, after downloading a .git directory:
$ cd dumped-site/ # the directory that contains the downloaded .git
$ git diff # reports every tracked file as deleted, since the working tree is empty
$ git restore . # restore the current version of the files
$ git log -p -- config.php # look at the history of config.php
Automated tools: GitHacker, GitTools, GitHack, etc.
Note: .git may be blocked (403) but .git/index, .git/HEAD, etc. may not.
CGI Scripts
Common Gateway Interface (CGI) applications are rarely used today because they are dangerous. They were often used to connect multiple applications. CGI scripts can be written in many languages; they have a few advantages and many major disadvantages. To look for them (URL is the target base URL):
$ ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u URL/cgi/FUZZ -e .bat,.cmd
$ ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u URL/cgi-bin/FUZZ -e .cgi,.pl,.c,.sh,.py
Note: Apache Tomcat returns 404 for /cgi even when it exists.
Warning: Bash [<4.3] has a vulnerability called Shellshock, triggered through environment variables that CGI passes to the script, such as the User-Agent header:
$ curl -H 'User-Agent: () { :; }; <write code here>' 'URL/cgi-bin/some_script'
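On the defensive side, all three techniques in this section leave distinctive traces in the web server access log. The following is an added example, not code from the original notes or from any of the tools named above: it parses combined-format access log lines (the sample lines are constructed for the example) and flags a burst of 404s from one client against backup/config-style paths (wordlist forced browsing), any request under .git/ (version control disclosure), and a Shellshock-style function definition "() {" in the User-Agent. The regular expressions, the threshold of four misses and the helper names (parse_line, analyze) are assumptions made for this example.

```python
"""Detection over web server access logs for the techniques on this page.

Added example, not from the original notes. Parses Apache/nginx combined-format
lines (constructed samples below) and returns alerts for:
  1. a burst of 404s from one client against backup/config-style paths
     (forced browsing with a wordlist),
  2. any request for a path under .git/ (version control disclosure),
  3. a Shellshock-style "() {" function definition in the User-Agent.
Thresholds and patterns are assumptions for the example.
"""
import re
from collections import Counter

# Combined log format: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Paths a forced-browsing wordlist tends to probe (assumed, from the categories above).
FORCED_BROWSING_PATH = re.compile(r"(\.(bak|old|orig|config|env)$|~$|/backup|/admin)", re.I)
GIT_PATH = re.compile(r"/\.git(/|$)")
# The function-definition prefix that Shellshock payloads start with.
SHELLSHOCK_UA = re.compile(r"\(\)\s*\{")
BURST_THRESHOLD = 4  # 404s on sensitive-looking paths from one IP (assumed value)


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines):
    """Return {'git': [(ip, path)], 'shellshock': [(ip, path)], 'forced_browsing': [ip]}."""
    alerts = {"git": [], "shellshock": [], "forced_browsing": []}
    misses = Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue  # unparseable line: skip rather than crash the detector
        if GIT_PATH.search(rec["path"]):
            alerts["git"].append((rec["ip"], rec["path"]))
        if SHELLSHOCK_UA.search(rec["ua"]):
            alerts["shellshock"].append((rec["ip"], rec["path"]))
        if rec["status"] == "404" and FORCED_BROWSING_PATH.search(rec["path"]):
            misses[rec["ip"]] += 1
    alerts["forced_browsing"] = sorted(ip for ip, n in misses.items() if n >= BURST_THRESHOLD)
    return alerts


# Constructed sample log: one wordlist scanner, one Shellshock probe, one normal visitor.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php.old HTTP/1.1" 404 196 "-" "ffuf/2.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /config.php.bak HTTP/1.1" 404 196 "-" "ffuf/2.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /backup.zip HTTP/1.1" 404 196 "-" "ffuf/2.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "ffuf/2.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /.git/ HTTP/1.1" 403 199 "-" "ffuf/2.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /.git/index HTTP/1.1" 200 4120 "-" "ffuf/2.0"',
    '198.51.100.7 - - [10/Oct/2023:14:02:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo probe"',
    '192.0.2.10 - - [10/Oct/2023:14:03:15 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Oct/2023:14:03:16 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    'not a log line at all',
]

if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(f"{kind}: {hits}")
```

Note that the .git/ request is flagged on the 403 line as well as on the successful .git/index line: the block on .git alone is not evidence that the repository is unreachable, which is exactly the point of the note above.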
To-do
Stuff that I found, but never read/used yet.