search

Further directory discovery

The word lists used in this phase are from Daniel Miessler's seclist: https://jarrettgxz-sec.gitbook.io/offensive-security-concepts/tools-services/wordlistsarrow-up-right.

The word list path shown in the examples below will be displayed as a redacted relative directory.

hashtag
1. Enumeration of /

$ gobuster dir -x php -u http://<target>:1337/ -w Discovery/Web-Content/common.txt

Important options to note:

1.1 -x php : Fuzz with a .php extension added to each item in the word list

Interesting directories

/config.php -> empty page with no interesting source code content

/javascript and /vendor -> FORBIDDEN

/phpmyadmin -> php admin login page

hashtag
2. Further enumeration

1

hashtag
2.1 /phpmyadmin directory

After looking through the sitemap in burp suite (refer to the burp suite sitemap section), I discovered an interesting looking directory: /phpmyadmin/js . This directory contained a lot of .js and .php files — as shown from burp suite.

Thus, I decided to further enumerate this directory with a common word list:

Important options to note:

  1. -x php,js : Fuzz with a .php and .js extension added to each item in the word list

Note: specifying 2 extensions will double the runtime as the fuzzer will duplicate the requests

2

hashtag
2.2 /javascript and /vendor directory

Looking back at the results from the first enumeration phase (part 1.1 of Initial Enumeration), I decided to further enumerate the /javascript and /vendor directories.

2.2.1 /javascript

2.2.2 /vendor

Upon visiting /vendor/composer, I was presented with a index listing.

Looking each file in this directory, I found out from the /vendor/composer/installed.json that this application uses firebase/php-jwt v6.10.0.

Previous/hmrNext/phpmyadmin

Last updated