IS2C DOJO

Tuesday, 18 March 2014

Pentesting DVWA [MEDIUM]

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.

Now I will try to explain how to exploit each vulnerability.

1. BruteForce

Tools:
  • IceWeasel Browser
  • BurpSuite
Steps:
  • Set the browser's proxy so that BurpSuite captures the login request and its cookies.
  • Send the captured request to Intruder (right-click on the captured request >> Send to Intruder).
  • Go to Intruder, select Positions, and change the attack type from Sniper to Cluster bomb.
  • Set Payload 1 to the username we want to attack.
  • Set Payload 2 to our password list.
  • Select Intruder on the top menu and choose Start Attack.

Whether the brute force succeeds depends on how good our wordlist is. I say this is DONE!!
Let's go to the next task.

2. Command Execution

I put google.com into the input and got this result.

input : google.com
From the result above we can see that the output of ping is printed on the page. Let's try to add another command behind google.com.

input : google.com; ls


It gave me nothing. Let's try something else.

input : google.com | ls


Bypassed.. Next task....
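As an added example (not code from the original post or from DVWA), here is a Python model of why the filter above fails: a blacklist modelled on the behaviour shown (`;` removed, `|` untouched; the `&&` entry is an assumption) lets the second input reach the shell unchanged, while validating the value as a hostname or IPv4 address and running ping without a shell rejects both inputs. The ping arguments are assumptions.

```python
import re

# Blacklist modelled on the behaviour shown above: ';' is removed, '|' is not.
# The '&&' entry is an assumption about the filter, not something the page shows.
BLACKLIST = ("&&", ";")

def blacklist_filter(target: str) -> str:
    """Return what reaches the shell after the blacklisted tokens are removed."""
    for token in BLACKLIST:
        target = target.replace(token, "")
    return target

# Allowlist: RFC 1123 hostname labels, or a dotted-quad IPv4 address.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")
_OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
_IPV4 = re.compile(rf"^(?:{_OCTET}\.){{3}}{_OCTET}$")

def is_valid_target(target: str) -> bool:
    """Accept only a syntactically valid hostname or IPv4 address.
    Spaces, quotes, ';', '|' and every other shell metacharacter fail here."""
    return len(target) <= 253 and bool(_HOSTNAME.match(target) or _IPV4.match(target))

def build_ping_argv(target: str) -> list:
    """Build the ping command as an argv list for subprocess.run(argv) with
    shell=False: there is no shell left to interpret '|' or ';' at all."""
    if not is_valid_target(target):
        raise ValueError(f"refusing to ping {target!r}: not a hostname or IPv4 address")
    return ["ping", "-c", "3", target]
```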

3. Cross Site Request Forgery

First, I'll try to change the password to admin1.


It's not a POST request. It's a GET request, which means we can put it in an iframe with the new password already set and get the admin to visit our page, which changes the password.

Case closed. Next...
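As an added example (not DVWA's code), this Python handler shows the two checks that close the hole above: the password change is refused unless it arrives by POST, and the POST must carry a token tied to the session that a page on another origin cannot compute. The secret, the form field names and the status codes are assumptions.

```python
import hmac
import hashlib

# Server-side secret: constructed for this example, never taken from the request.
SERVER_SECRET = b"constructed-example-secret"

def csrf_token(session_id: str) -> str:
    """Derive the token from the session id with an HMAC, so a page on another
    origin cannot compute it and the browser does not send it automatically
    the way it sends cookies."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def handle_change_password(method: str, session_id: str, form: dict) -> tuple:
    """Password-change handler. Returns (status, message) instead of touching a
    real database. The form field names are assumptions, not DVWA's."""
    if method != "POST":
        # The GET request shown above is rejected here, iframe or not.
        return 405, "password changes must be submitted with POST"
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, csrf_token(session_id)):
        # Constant-time compare, so the token cannot be guessed byte by byte.
        return 403, "missing or invalid CSRF token"
    if not form.get("password_new") or form.get("password_new") != form.get("password_conf"):
        return 400, "passwords are empty or do not match"
    return 200, "password changed"
```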

4. Local File Inclusion


Let's change the path to /etc/passwd


passwd is printed on the web page. Next...

5. SQL Injection

I put ' in and got this error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1

Now I'll try to grab the database name, version and database user.

Got this error:

Unknown column '3' in 'order clause'

That means it has no more than 3 columns.


Let's start grabbing database info.


Yes, we got the database info.

Now we try to extract the data using SQLMAP with our login cookies.



Command : sqlmap -u 'http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit' --cookie='security=medium; PHPSESSID=at4ddi40169u5p1migj2nm6193' --dbs


Command : sqlmap -u 'http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit' --cookie='security=medium; PHPSESSID=at4ddi40169u5p1migj2nm6193' -D dvwa --tables



Command : sqlmap -u 'http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit' --cookie='security=medium; PHPSESSID=at4ddi40169u5p1migj2nm6193' -D dvwa -T users --columns


Command : sqlmap -u 'http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit' --cookie='security=medium; PHPSESSID=at4ddi40169u5p1migj2nm6193' -D dvwa -T users -C username,password --dump



Task completed. Next...
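As an added example (not DVWA's code), the following Python/sqlite3 model reproduces the root cause of the error above and its fix side by side: the id parameter is concatenated into the SQL text in one lookup and bound as a parameter in the other. The in-memory users table and its column names are constructed for the example.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the dvwa.users table dumped above;
    the column names are assumptions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "admin"), (2, "Gordon", "Brown")])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """String concatenation: the id value becomes part of the SQL text, so a
    single quote breaks the statement (the error the page shows) and anything
    after it is parsed as SQL."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn: sqlite3.Connection, user_id: str) -> list:
    """Bound parameter: the value is sent as data and is never parsed as SQL,
    so a quote simply matches no row."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()

def probe(conn: sqlite3.Connection, user_id: str) -> dict:
    """Run both lookups on the same input and report what each does."""
    result = {}
    try:
        result["vulnerable"] = lookup_vulnerable(conn, user_id)
    except sqlite3.Error as exc:
        result["vulnerable"] = f"error: {exc}"
    result["safe"] = lookup_safe(conn, user_id)
    return result
```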

6. SQL Injection (Blind)

Blind SQLi uses the same technique, but the page won't give us any error reporting.

So, let's start attacking it rather than testing it.

Nothing.. Let's try adding a number.


Yes, we got the sign of the vulnerability.

We can use the manual technique or SQLmap.

Task completed.

7. Bypass Upload Filter

Let's try to upload the PHP shell.


It failed. I want to change the MIME type during the upload using Tamper Data (a Mozilla add-on).


And it's uploaded.


Check the file..


Task completed..

Next..
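As an added example (not DVWA's code), this Python check shows why the Tamper Data step above works and how an upload handler avoids it: the client-supplied Content-Type is never used for the decision; the extension is allowlisted and the file's leading bytes must match that extension, and the stored name is derived from the content rather than taken from the client. The allowed types and the naming scheme are assumptions.

```python
import hashlib
import os

# Magic bytes for the two image types this upload form is assumed to accept.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"
ALLOWED = {".png": PNG_MAGIC, ".jpg": JPEG_MAGIC, ".jpeg": JPEG_MAGIC}

def sniff_image(data: bytes):
    """Identify the file from its leading bytes; returns a MIME type or None."""
    if data.startswith(PNG_MAGIC):
        return "image/png"
    if data.startswith(JPEG_MAGIC):
        return "image/jpeg"
    return None

def accept_upload(filename: str, client_content_type: str, data: bytes) -> tuple:
    """Return (accepted, reason). The Content-Type header is exactly what
    Tamper Data changes above, so it is only echoed in the reason and never
    used to decide."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} not allowed"
    if not data.startswith(ALLOWED[ext]):
        return False, f"content does not match {ext} (client said {client_content_type})"
    return True, sniff_image(data)

def storage_name(filename: str, data: bytes) -> str:
    """Name to store the file under: a content hash plus the allowlisted
    extension, so no client-chosen name or path reaches the disk."""
    ext = os.path.splitext(filename)[1].lower()
    return hashlib.sha256(data).hexdigest()[:16] + ext
```

Magic bytes only catch files that do not start like an image, so the upload directory must also be served without script execution (and ideally from outside the web root); the check above is the first layer, not the only one.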

8. XSS Reflected

Let's try to put some text into the input form.

input : is2c


Yes, it's printed..

Now let's try JavaScript.

input : <script>alert('XSS IS2C')</script>


From the result above, we can see that the words <script> and </script> are removed. Let's try to bypass it by using the caps button. XD

input : <SCRIPT>alert('XSS IS2C')</SCRIPT>


Done.. Next..

9. XSS Stored

This vulnerability makes the page store our input text in the page.
Let's begin using CAPS..

input : <IFRAME=SRC='http://google.com'>


Didn't work.. Let's try the others..

input : <SCRIPT>alert('XSS STORED IS2C')</SCRIPT>




Didn't work.. agaaaiiinnn.. But let's try the name input.

input : <SCRIPT>alert("XSS STORED IS2C")</SCRIPT>

When I enter it, it won't allow me to put in more than 10 characters. Now I'll try to bypass it using Tamper Data, again....


PS: For the high level, you can attack the same way, but you have to change the cookie when tampering the data: change high to medium or low. :)
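As an added example (not DVWA's code), this Python model covers both XSS sections above: the case-sensitive strip filter that the caps payload walks past, the case-insensitive variant that closes only that one gap, HTML output encoding as the actual fix, and a server-side length check replacing the 10-character client-side limit that Tamper Data bypasses. The 10-character limit is taken from the text; the function names are assumptions.

```python
import html
import re

def strip_script_case_sensitive(text: str) -> str:
    """Filter modelled on the reflected-XSS behaviour shown above: it removes
    '<script>' and '</script>' exactly, so '<SCRIPT>' passes untouched."""
    return text.replace("<script>", "").replace("</script>", "")

def strip_script_case_insensitive(text: str) -> str:
    """Closes the caps bypass by matching case-insensitively. Still a
    blacklist that knows about one tag, so it is not the fix."""
    return re.sub(r"</?script>", "", text, flags=re.IGNORECASE)

def render_safely(text: str) -> str:
    """The actual mitigation: encode for an HTML text context, so '<' and '>'
    can never open a tag regardless of case or tag name."""
    return html.escape(text, quote=True)

def validate_name(name: str, max_len: int = 10) -> str:
    """Server-side length check; the maxlength attribute bypassed with Tamper
    Data above is only a client-side hint. Returns the encoded value."""
    if len(name) > max_len:
        raise ValueError(f"name longer than {max_len} characters")
    return render_safely(name)

def contains_tag(rendered: str) -> bool:
    """Would the browser still find an HTML tag in this rendered string?"""
    return re.search(r"<[A-Za-z/!][^>]*>", rendered) is not None
```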
--= Mission Completed =--

Results of Advanced IG on IS2C-DOJO.COM

Advanced Information Gathering

Target: is2c-dojo.com
Tools: Maltego & Shodan

Possible domains related to is2c-dojo.com:
Possible services running on is2c-dojo.com:
  • mod_ssl
  • Limiter Modules
  • Wordpress
  • Unix
  • OpenSSL 0.9.8
  • PNG Fix
  • SuperFish
  • JQuery
  • PHP
  • Apache 2.2
Possible email addresses used on is2c-dojo.com:
Possible IP addresses related to is2c-dojo.com:

Saturday, 15 March 2014

Pentesting SIPS (created by IS2C staff)


SIPS was created by one of the IS2C staff. It is a vulnerable web application and he asked me to find the bugs.

Let's begin..

1. I will try to register on SIPS.

But while I am registering, let's capture the data and use it to test for SQL injection using SQLMAP.

  • URL : http://localhost/sips/perpustakaan/proses/anggota_insert1.php
  • DATA : username=damn&pwd=code&nama_anggota=damn&alamat=asdsaf&telpon=384525252&simpan=Simpan

Yes, it's vulnerable..
Let's start digging..



I found the columns anggota and pegawai, but pegawai has a higher level than anggota. Let's dump that data.



Next, checking whether the database user is a DBA.


Yes, it's a DBA. Let's try to upload a web shell.


Ahh.. it failed, maybe I have no permission to write to the directory.

SKIP!! Let's try another page.

I found this URL:
http://localhost/sips/perpustakaan/read/?book=owasp.html&view=Read
It's interesting.. maybe it has an LFI vuln. Let's try..


Yep, it's vulnerable..

=============== EOF ===============

Pentesting OWASP Mutillidae

Yesterday I got a task from my sensei to find at least 2 vulnerabilities in Mutillidae.
If you don't know what OWASP Mutillidae is, you can see and download it HERE.

Lets begin..

The first time I opened it, I noticed this URL:
http://127.0.0.1/mutillidae/index.php?page=home.php
It looks like it uses the include or require function. Let's test this page manually.

I change home.php to /etc/passwd.
http://127.0.0.1/mutillidae/index.php?page=/etc/passwd
And yes, it's vulnerable to LFI (Local File Inclusion).



1 vulnerability discovered (LFI)
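The page parameter here, the ?book= parameter in the SIPS post and the DVWA file-inclusion page earlier all have the same shape: a request value is handed to include. As an added example (not Mutillidae's code), this Python model shows the two server-side checks that stop it: a fixed allowlist of page names, and, where that is not possible, confining the normalised path to one directory. The directory and page names are assumptions.

```python
import posixpath

# Constructed application layout; the real install path is not on the page.
PAGES_DIR = "/var/www/mutillidae/pages"

# Strongest fix: a fixed map from parameter value to file, so no path is ever
# built from request input at all.
ALLOWED_PAGES = {"home.php", "show-log.php", "login.php"}

def resolve_page_allowlist(page: str):
    """Return the file to include, or None when the value is not a known page."""
    return posixpath.join(PAGES_DIR, page) if page in ALLOWED_PAGES else None

def resolve_page_confined(page: str):
    """Fallback when the set of pages is not fixed: normalise the path and
    require it to stay inside PAGES_DIR. An absolute value such as /etc/passwd
    replaces the base in join(), and ../ climbs out of it; both fail the
    common-path check. A NUL byte is rejected because C-based runtimes would
    truncate the file name there."""
    if "\x00" in page:
        return None
    candidate = posixpath.normpath(posixpath.join(PAGES_DIR, page))
    if candidate == PAGES_DIR or posixpath.commonpath([PAGES_DIR, candidate]) != PAGES_DIR:
        return None
    return candidate
```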

Next, I am interested in the LOG word. Yes, it's something I don't know yet, but it makes me curious what the content of this page is.
http://127.0.0.1/mutillidae/index.php?page=show-log.php
It has the page variable on the index file. But I have already discovered that and I don't want to test it again. I found a printed text on the page and it's our User Agent. I tried to change my User Agent to this:
<script>alert("IS2C Testing XSS")</script>
and revisit the page.
Voila, I got Stored XSS!!


2 vulnerabilities discovered (Stored XSS)

Ok, now I found a login page. Sometimes a login page which is not filtered enough will be vulnerable to XSS or SQLi. Let's try SQLi.


I put a single quote in the form input.


And I got this error. Let's pass this attack to SQLmap.


Yes, it's vulnerable!!!

3 vulnerabilities discovered (SQL Injection)

I will try to do more with SQLi.
I want to check if the user this database runs as is an admin, so I can upload a shell.



Nope, I don't have any privilege to upload a shell.

Let's try to collect the admin username and password.


Collecting columns inside the accounts table.


Let's dump all the data inside the accounts table.


We got 2 admin accounts here:
admin:adminpass
adrian:somepassword
Let's try to log in to the admin page.


There are no upload forms. But it's enough for today. :)