Gray Box Testing
Revision as of 00:24, 10 April 2016
(4 intermediate revisions by the same user not shown)
Line 47:
Line 47:
<br>
<br>
+
+
Each web framework may have its own admin default pages or path. For example
+
+
WebSphere:
+
<pre>
+
/admin
+
/admin-authz.xml
+
/admin.conf
+
/admin.passwd
+
/admin/*
+
/admin/logon.jsp
+
/admin/secure/logon.jsp
+
</pre>
+
+
PHP:
+
<pre>
+
/phpinfo
+
/phpmyadmin/
+
/phpMyAdmin/
+
/mysqladmin/
+
/MySQLadmin
+
/MySQLAdmin
+
/login.php
+
/logon.php
+
/xmlrpc.php
+
/dbadmin
+
</pre>
+
+
+
FrontPage:
+
<pre>
+
/admin.dll
+
/admin.exe
+
/administrators.pwd
+
/author.dll
+
/author.exe
+
/author.log
+
/authors.pwd
+
/cgi-bin
+
</pre>
+
+
WebLogic:
+
<pre>
+
/AdminCaptureRootCA
+
/AdminClients
+
/AdminConnections
+
/AdminEvents
+
/AdminJDBC
+
/AdminLicense
+
/AdminMain
+
/AdminProps
+
/AdminRealm
+
/AdminThreads
+
</pre>
+
+
WordPress:
+
<pre>
+
wp-admin/
+
wp-admin/about.php
+
wp-admin/admin-ajax.php
+
wp-admin/admin-db.php
+
wp-admin/admin-footer.php
+
wp-admin/admin-functions.php
+
wp-admin/admin-header.php
+
</pre>
== Tools ==
== Tools ==
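Review bot: the new admin-path lists mix conventions and should be normalised before anyone pastes them into a scanner as a wordlist. The lead-in sentence ends without punctuation ("...or path. For example"); the WordPress entries lack the leading slash that every other block uses (`wp-admin/` vs `/admin`); and `/admin/*` is a glob pattern rather than a request path, so a tool fed this list verbatim would request a literal `*`. The FrontPage block lists bare filenames (`/admin.dll`, `/authors.pwd`) with no directory component, which again differs from the other blocks; confirm which form is intended. It would also help to state where these lists come from and that they are illustrative rather than exhaustive, and to add one sentence reminding the tester that a successful response for one of these paths only shows the interface exists: the finding is whether it is reachable without authentication or accepts the default credentials listed in the References, which is what this section is testing for.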
Line 52:
Line 117:
* [https://www.thc.org/thc-hydra/ THC-HYDRA] is a tool that allows brute-forcing of many interfaces, including form-based HTTP authentication.
* [https://www.thc.org/thc-hydra/ THC-HYDRA] is a tool that allows brute-forcing of many interfaces, including form-based HTTP authentication.
*A brute forcer is much better when it uses a good dictionary, for example the [https://www.netsparker.com/blog/web-security/svn-digger-better-lists-for-forced-browsing/ netsparker] dictionary.
*A brute forcer is much better when it uses a good dictionary, for example the [https://www.netsparker.com/blog/web-security/svn-digger-better-lists-for-forced-browsing/ netsparker] dictionary.
−
== References ==
== References ==
* Default Password list: http://www.governmentsecurity.org/articles/DefaultLoginsandPasswordsforNetworkedDevices.php
* Default Password list: http://www.governmentsecurity.org/articles/DefaultLoginsandPasswordsforNetworkedDevices.php
* Default Password list: http://www.cirt.net/passwords
* Default Password list: http://www.cirt.net/passwords
+
* FuzzDB can be used to do brute force browsing.
+
* admin login path [https://github.com/fuzzdb-project/fuzzdb/blob/f801f5c5adc9aa5e54f20d273d213c5ab58826b9/discovery/predictable-filepaths/login-file-locations/Logins.fuzz.txt]
+
* Common admin or debugging parameters [https://github.com/fuzzdb-project/fuzzdb/blob/f801f5c5adc9aa5e54f20d273d213c5ab58826b9/attack/business-logic/CommonDebugParamNames.fuzz.txt]
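Review bot: the three new FuzzDB entries are wordlists and tooling rather than references, so they belong under the `== Tools ==` heading beside THC-HYDRA and the netsparker dictionary, not under `== References ==`. The first entry ("FuzzDB can be used to do brute force browsing.") gives no link to the project, while the two following entries are bare bracketed URLs that will render as numbered links; give each a title, e.g. `[https://github.com/fuzzdb-project/fuzzdb FuzzDB]`, and use the term "forced browsing" that the netsparker line already uses so the terminology is consistent. Pinning the two GitHub links to commit f801f5c5adc9aa5e54f20d273d213c5ab58826b9 is good for stability; a short note that the files may have moved in later revisions would help readers. The single removed line (`−`) appears to be blank only; confirm that deletion is intended.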