Local File Inclusion (LFI)

Scripts that takes filenames as parameters without sanitizing the user input is typically good candidates for LFI vulnerabilities. For example, a PHP script : foo.php?file=image2.jpg An attacker would replace image2.jpg with a directory traversel payload: foo.php?file=../../../../../../../etc/passwd Or other sensitive files

Brute forcing protocols/services

Ncrack ncrack can brute force RDP.

Hydra Hydra brute force against SNMP

Hydra FTP known user and rockyou password list

Hydra SSH using list of users and passwords

Hydra SSH using a known password and a

Compiling exploits to Windows on Kali

Compile Win32 exploit with Wine install mingw

install some libs mingw needs


Command Injection – Tools and methods

Below is a list of common tools and methods to test for command injection. Commix



SMB Following could be used to achieve command execution and pop a reverse shell via poorly configured SMB.


SQLMap is a tool that can be used to automate scanning and exploiting of SQL Injection. Below is some examples using SQLMap.

In below examle the scan is based on login.req which is the HTTP captured and exported from

SQL Injection – RCE and LFI Methods

Upload PHP Command Injection Following can be used to get RCE / Command Execution when target is vulnerable to SQLi.

Load File via SQLi Following can be used to read files from target.



Resources for MS17-010 Exploit: https://github.com/3ndG4me/AutoBlue-MS17-010 https://github.com/helviojunior/MS17-010   Scan for Vulnerable MS17-010: