🔬 Web App Attacks

Passive Crawling - Burp Suite
🔬 Passive Crawling with Burp Suite
Target IP: 192.230.181.3
Mutillidae II
Open the browser and navigate to http://192.230.181.3/
Activate the FoxyProxy plugin
Start BurpSuite (set User options/Display/Look to Darcula and restart BurpSuite)
Intercept the home page request and turn off the intercept
Check the HTTP history tab
Browse the Mutillidae web app and Burp will crawl the visited pages
Check the Target tab for a Site map
Add site to the Scope

SQL Injection - SQLMap
Target IP: 192.42.186.3
bWAPP
Open the browser and navigate to http://192.42.186.3/, login with bee:bug, select SQL Injection (GET/Search) and click the Hack button
Input a string and search
http://192.42.186.3/sqli_1.php?title=hacking&action=search
Activate the FoxyProxy plugin
Start BurpSuite in Interception mode
Refresh the page, intercept the request and copy the cookie
Cookie: PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0
Run sqlmap, defining title as the test parameter
In BurpSuite, send the request to Repeater
Copy the first payload from SQLMap and paste it as part of the title parameter
Use sqlmap to get a list of tables for the bWAPP database
Use sqlmap to get a list of columns in the users table of the bWAPP database
Dump password and email for admin from the users table
Turn off Intercept mode in BurpSuite, navigate to http://192.42.186.3/sqli_6.php and turn Intercept mode back on
Search example string from the page and intercept it
Copy the request to a file and name the file request
Use sqlmap with this request file
In BurpSuite, send the request to Repeater
Try the proposed payloads from SQLMap
Change the request to pass the version() function to the database
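
Why the title parameter of the movie search is injectable, and what the fix looks like, as an added example that is not part of the original notes or of bWAPP's code. The movies table, its rows and the function names are constructed for the illustration; SQLite stands in for the lab's database.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the movie table behind sqli_1.php (schema assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE movies (title TEXT)")
    db.executemany("INSERT INTO movies VALUES (?)",
                   [("Hacking 101",), ("The Hacker's Tale",),
                    ("100% Wolf",), ("Iron Man",)])
    return db

def search_vulnerable(db, title):
    # The title value is pasted into the SQL text, so a quote in it
    # changes the structure of the statement.
    sql = ("SELECT title FROM movies WHERE title LIKE '%" + title
           + "%' ORDER BY title")
    return [row[0] for row in db.execute(sql)]

def search_safe(db, title):
    # Bound parameter: the value is never parsed as SQL. LIKE wildcards
    # typed by the user are escaped so they match literally.
    escaped = (title.replace("\\", "\\\\")
                    .replace("%", "\\%")
                    .replace("_", "\\_"))
    sql = "SELECT title FROM movies WHERE title LIKE ? ESCAPE '\\' ORDER BY title"
    return [row[0] for row in db.execute(sql, ("%" + escaped + "%",))]

def breaks_query(db, title):
    """True when the input alters the statement enough that it no longer parses."""
    try:
        search_vulnerable(db, title)
    except sqlite3.OperationalError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    for term in ("hacking", "hacker's", "%"):
        print(repr(term), breaks_query(db, term), search_safe(db, term))
```

A search term containing a single quote is enough to make the concatenated query fail, which is the same signal an automated scanner keys on; the bound version returns the matching row instead.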

XSS Attack - XSSer
Target IP: 192.131.167.3
Mutillidae II
Navigate to the XSS Reflected - DNS Lookup webpage: http://192.131.167.3/index.php?page=dns-lookup.php
Enter any text and click Lookup DNS
The value is reflected back on the web page
Activate the FoxyProxy plugin
Start BurpSuite
Enter any text and click Lookup DNS, and intercept the request in BurpSuite
Copy the payload and input XSS in the target_host
Use xsser to check the vulnerability
Use a custom XSS payload
Copy the Final Attack payload and use it in the browser or BurpSuite to trigger the XSS attack
http://192.131.167.3/index.php?page=dns-lookup.php&target_host=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&dns-lookup-php-submit-button=Lookup+DNS
Perform an XSS Poll Question attack over GET request
http://192.131.167.3/index.php?page=user-poll.php
Copy the URL, replace the nmap value with XSS and pass it to XSSer
http://192.131.167.3/index.php?page=user-poll.php&csrf-token=&choice=nmap&initials=2&user-poll-php-submit-button=Submit+Vote
Open the Final Attack link in the browser
http://192.131.167.3/index.php?page=user-poll.php&csrf-token=&choice=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&initials=2&user-poll-php-submit-button=Submit+Vote
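
What the reflected target_host value does to the page, next to a hardened handler, as an added example that is not part of the original notes or of Mutillidae's code. The render functions and the HTML snippet are hypothetical; the URL is the Final Attack link from the DNS Lookup step above.

```python
import html
import re
from urllib.parse import urlsplit, parse_qs

# Final Attack link from the DNS Lookup step in these notes.
FINAL_ATTACK_URL = (
    "http://192.131.167.3/index.php?page=dns-lookup.php"
    "&target_host=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"
    "&dns-lookup-php-submit-button=Lookup+DNS"
)

# RFC 1123 style host name: dot-separated labels of letters, digits, hyphens.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"(?=.{{1,253}}$){LABEL}(?:\.{LABEL})*")

def target_host(url):
    """Return the URL-decoded target_host parameter, as the server sees it."""
    return parse_qs(urlsplit(url).query).get("target_host", [""])[0]

def render_vulnerable(host):
    # Hypothetical handler: the value is echoed into HTML unchanged.
    return f"<p>Results for {host}</p>"

def render_hardened(host):
    # Layer 1: the field only ever needs a host name, so validate it as one.
    # Layer 2: whatever is echoed back, even in the error, is HTML-encoded.
    shown = html.escape(host, quote=True)
    if not HOSTNAME_RE.fullmatch(host):
        return f"<p>Invalid host name: {shown}</p>"
    return f"<p>Results for {shown}</p>"

if __name__ == "__main__":
    value = target_host(FINAL_ATTACK_URL)
    print(render_vulnerable(value))
    print(render_hardened(value))
    print(render_hardened("example.com"))
```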

Authenticated XSS Attack - XSSer
🔬 Authenticated XSS Attack with XSSer
Target IP: 192.56.179.3
bWAPP
Login with bug:bee, select the HTML Injection - Reflected (GET) bug and input any value. Copy the URL
http://192.56.179.3/htmli_get.php?firstname=hi&lastname=hi&form=submit
Activate the FoxyProxy plugin, start BurpSuite, refresh the webpage and copy the Cookie from the Proxy intercepted request
PHPSESSID=lb3rg4q495t9sqph907sdhjgg1; security_level=0
Run the xsser tool by:
  replacing the firstname value string with XSS
  feeding the Cookie
Stop the BurpSuite interceptor

Attacking HTTP Login Form - Hydra
🔬 Attacking HTTP Login Form with Hydra
Target IP: 192.210.201.3
bWAPP
Open the http://192.210.201.3/login.php page, view the source code and check the parameters passed in the login form.
Prepare a usernames list and a passwords list
Use hydra to retrieve the credentials

Attacking Basic Auth - BurpSuite
🔬 Attacking Basic Auth with Burp Suite
Target IP: 192.190.241.3
bWAPP
Open Firefox, activate the FoxyProxy plugin, start BurpSuite, open http://192.190.241.3/basic and intercept the request. Forward the request, input some data and intercept the request.
The /basic directory uses Basic Auth
Send the request to Intruder
Navigate to the Intruder - Positions tab
Decode the base64 string; it will become test:test, like the input data from the login form
Replace the credentials with a parameter to be substituted like §credentials§
In the Payload Options, load the /root/Desktop/wordlists/100-common-passwords.txt list
In the Payload Processing, add an Add prefix rule and input admin: to prepend it to all the passwords
Add an Encode - Base64-encode rule too
Start the attack
Check the entry result with status code 301
Send the Authorization: Basic value to Decoder
Check the BurpSuite Decoder tab
Decoded as base64, the string is admin:cookie1
Turn off the BurpSuite interceptor, open the web page and insert the found credentials
🚩 The flag is d25db4ce54b60b49dfd7b32c52ed8d26
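
How this Basic Auth guessing run looks from the server side, as an added detection example that is not part of the original notes. The request records, source addresses, failed passwords and threshold are constructed, and 401 as the failure status is an assumption; test:test, admin:cookie1 and the 301 success status come from the steps above.

```python
import base64
import binascii
from collections import defaultdict

def decode_basic(header_value):
    """Return (user, password) from an Authorization value, or None."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None

def find_guessing(records, threshold=5):
    """Flag (source, user) pairs that tried many distinct passwords."""
    tried = defaultdict(set)   # kept in memory only, never written out
    success = {}
    for src, header_value, status in records:
        creds = decode_basic(header_value)
        if creds is None:
            continue
        key = (src, creds[0])
        tried[key].add(creds[1])
        if status != 401:      # assumption: 401 marks a rejected attempt
            success[key] = status
    return [{"src": s, "user": u, "attempts": len(p),
             "success_status": success.get((s, u))}
            for (s, u), p in tried.items() if len(p) >= threshold]

def _basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

# Constructed records: (source address, Authorization value, response status).
SAMPLE = [("10.0.0.9", _basic("test", "test"), 401)]
SAMPLE += [("10.0.0.5", _basic("admin", pw), 401)
           for pw in ("123456", "password", "qwerty", "letmein", "dragon")]
SAMPLE += [("10.0.0.5", _basic("admin", "cookie1"), 301)]

if __name__ == "__main__":
    for finding in find_guessing(SAMPLE):
        print(finding)
```

A flagged pair whose success_status is set means the guessed account should be treated as compromised, not just the source blocked.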

Attacking HTTP Login Form - ZAProxy
🔬 Attacking HTTP Login Form with ZAProxy
Target IP: 192.145.79.3
bWAPP
Open the owasp-zap tool, Manual Explore, input the URL and launch browser
http://192.145.79.3
Attempt login with bad credentials. The website will be added to the sitemap inside ZAP
Right click on the POST request and select Fuzz...
Select the input username, click the Add button, Add again and input the payloads for username. Confirm with OK
Select the input password and do the same thing with a list of possible passwords
Start Fuzzer to start the attack and check the results and the 302 response