web for pentesters 2 mass assignment

For this post I’ll be going through the mass assignment examples in web for pentesters 2. Mass assignment takes advantage of how some programming frameworks allow programmers to bind HTTP request parameters directly to model attributes. The attacker abuses this by sending extra request parameters to the system in the hope of overwriting attributes the application never meant to expose. OWASP has a great write-up on how it works in different languages and how to protect against it.

This walkthrough will show you how to exploit this flaw using a web proxy. These examples take advantage of the mass assignment flaw found in Ruby.

Example 1:

So first off, load up the example page, then the proxy of your choice, and make sure it’s set up to intercept the traffic.

Then sign up as a regular user.

Once the request has been sent, go to your proxy app.

In the GET request, add the parameter &user[admin]=1 after the existing parameters.

Example 2:

Same as above, I think I may have done the first example a little wrong :S


Example 3:

This example follows the same steps as before, except instead of adding user[admin]=1 to get admin, you add user[company_id]=2 to gain access to company 2’s secret data.
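To make the flaw concrete from the defender's side, here is an added Ruby example (my code, not PentesterLab's) that parses the bracketed request parameters from examples 1 and 3 and binds them to a user object, once with every key accepted and once through an allowlist. The nested-parameter parser and the User class are simplified stand-ins for what the framework provides.

```ruby
require "uri"

# Expand bracketed keys such as "user[admin]=1" into nested hashes, the way a
# web framework does before handing params to the model (simplified stand-in
# for the framework's own parser, written for this example).
def parse_nested_query(query)
  URI.decode_www_form(query).each_with_object({}) do |(key, value), params|
    path = key.scan(/[^\[\]]+/)
    leaf = path.pop
    node = path.inject(params) { |hash, part| hash[part] ||= {} }
    node[leaf] = value
  end
end

class User
  attr_accessor :username, :email, :admin, :company_id

  def initialize
    @admin = false      # privilege flags must never come from the request
    @company_id = nil   # set server-side from the logged-in account
  end

  # Mass assignment: every key in the hash becomes a setter call, so
  # "admin" and "company_id" are written straight from the request.
  def assign(attrs)
    attrs.each { |name, value| public_send("#{name}=", value) }
    self
  end
end

# Only these request keys may reach the model (an allowlist, the same idea
# as Rails strong parameters: params.require(:user).permit(:username, :email)).
PERMITTED_USER_KEYS = %w[username email].freeze

def permit(attrs, allowed = PERMITTED_USER_KEYS)
  attrs.select { |key, _| allowed.include?(key) }
end

def build_user_vulnerable(query)
  User.new.assign(parse_nested_query(query).fetch("user"))
end

def build_user_hardened(query)
  User.new.assign(permit(parse_nested_query(query).fetch("user")))
end

# Constructed sign-up request carrying the two extra parameters from the walkthrough.
SIGNUP_QUERY = "user[username]=bob&user[email]=bob%40example.com&user[admin]=1&user[company_id]=2"
```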

That will be it for now, hopefully by next week I’ll have either the captcha examples done or the randomness issues example done.


Web for pentesters 2-Authentication

Today I’ll be going through the authentication exercise from web for pentesters 2. This exercise wasn’t too difficult; the hard part was example 2, which I’ll get into later on, but otherwise it’s pretty straightforward. So let’s get into it.

Example 1:

For the first example the username, admin, is given to you; however, the password you have to guess. You could run a password cracker to get it, or, as it’s a weak password, you could easily guess it. The password is admin.

Example 2:

This example was a pain to do and I still haven’t cracked it yet with the script (which is available on my Bitbucket account here). However, the username and password are in the Ruby file for this example: username hacker, password p4ssw0rd (zero, not o).

Example 3:

In the third example you are going to need to use a proxy like Burp Suite or OWASP ZAP. Once you have that installed and set up, follow the steps below to crack the exercise.

  1. Load the page. (Make sure that no parameters are in the URL, as this screws with the process.)
  2. Load up the proxy.
  3. Find the user variable in the cookie.
  4. Make the user variable equal admin.
  5. Submit the request.

Boom! You are now admin.

Example 4:

Here you have to run a password cracker. Any online cracker should work; I have yet to run one on this exercise and will update this post once I do.

Example 5:

In this example there is a flaw in the registration process. Here we can create a user with admin privileges with the following steps:

  1. Click on the register link.
  2. Create a user with username Admin and any password you want.

This will get you admin rights; the problem lies in the MySQL database username comparison.

Example 6:

In the last example we are again exploiting the logic in the register page to get admin privileges.

  1. Go to the register page.
  2. Create a user with the username admin followed by a space, and any password.

Boom! You are now an admin XD. The problem again lies in the comparison of the new username with the usernames in the database, as admin and admin (with a space) are two different users on the system.
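Both registration flaws come down to two different notions of "same username". The added Ruby example below (my code, not the exercise's) models the loose comparison MySQL's classic default collations apply (case-insensitive, trailing spaces ignored) next to an exact registration check, and then the fix: one canonical form used for both the uniqueness check and the lookup.

```ruby
# Loose comparison the walkthrough runs into: MySQL's classic default
# collations compare strings case-insensitively and ignore trailing spaces.
def mysql_equal?(a, b)
  a.rstrip.casecmp?(b.rstrip)
end

# Canonical username used by the hardened store for every check and lookup.
def normalize_username(name)
  name.unicode_normalize(:nfkc).strip.downcase
end

class VulnerableStore
  def initialize(rows)
    @rows = rows.map(&:dup)
  end
  # Registration compares the raw strings, so "Admin" and "admin " look new...
  def register(name)
    return :taken if @rows.any? { |row| row[:username] == name }
    @rows << { username: name, admin: false }
    :ok
  end
  # ...but the lookup behind WHERE username=? uses the loose comparison and
  # returns the first matching row, which is the real admin.
  def find(name)
    @rows.find { |row| mysql_equal?(row[:username], name) }
  end
end

class HardenedStore
  def initialize(rows)
    @rows = rows.each_with_object({}) { |row, h| h[normalize_username(row[:username])] = row }
  end
  # The canonical form is the key on both paths, so the two names that fooled
  # the raw check now collide, and nothing else can alias an existing account.
  def register(name)
    canon = normalize_username(name)
    return :invalid if canon.empty?
    return :taken if @rows.key?(canon)
    @rows[canon] = { username: name.strip, admin: false }
    :ok
  end
  def find(name)
    @rows[normalize_username(name)]
  end
end

# Constructed seed: the existing admin account from the exercise.
SEED_USERS = [{ username: "admin", admin: true }].freeze
```

A UNIQUE index on the stored canonical column gives the database the same rule, so a race between two registrations cannot reintroduce the duplicate.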

Thanks for reading, if you have any questions, comments please leave them below.

Web for pentesters 2 Authorisation

This week I’ll go over the authorisation bypass examples for web for pentesters 2. I know last week I said I would go through the authentication examples, but I wasn’t able to finish them in time (example 2 is a pain). Without further ado, let’s go through the exercise.

Example 1:

In this example, we try to bypass authorisation by just altering the number at the end of the URL, like so:


This will give you direct access to the resource, even when you aren’t logged in.

Example 2:

In this example, you can access other users’ files by simply incrementing the number at the end of the URL.

These will work, but nothing after that; you’ll get an internal server error.

Example 3:

This example is similar to the attack above; however, we need to exploit it through the edit page.

First you’ll need to log in and click on any of the posts. Then change the number at the end of the URL to 3. You now have access to the information from user2.
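On the defensive side, the fix for all three examples is the same: authenticate first, then scope every lookup and every update to the rows the caller owns. The added Ruby example below (my code, not PentesterLab's) shows the unscoped lookup next to a scoped show and edit path over a constructed set of posts, where a foreign id behaves exactly like a non-existent one.

```ruby
Post = Struct.new(:id, :owner_id, :body)

# Constructed data: user 1 owns posts 1 and 2, user 2 owns post 3.
POSTS = [
  Post.new(1, 1, "user1: first post"),
  Post.new(2, 1, "user1: second post"),
  Post.new(3, 2, "user2: private notes"),
]

class NotFound < StandardError; end
class Unauthenticated < StandardError; end

# Vulnerable: whatever id is on the URL is fetched; the only "protection"
# is that the UI never links to other users' posts, and no login is required.
def show_post_vulnerable(_current_user_id, id)
  POSTS.find { |post| post.id == id } or raise NotFound
end

# Hardened: require a session, then look the post up only among the caller's
# own rows, so id 3 requested by user 1 and id 999 both raise NotFound.
def owned_post(current_user_id, id)
  raise Unauthenticated if current_user_id.nil?
  POSTS.find { |post| post.id == id && post.owner_id == current_user_id } or raise NotFound
end

def show_post_hardened(current_user_id, id)
  owned_post(current_user_id, id)
end

# The edit path (example 3) goes through the same scoped lookup, so changing
# the id in the edit URL cannot read or modify another user's post.
def edit_post_hardened(current_user_id, id, new_body)
  post = owned_post(current_user_id, id)
  post.body = new_body
  post
end
```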

That will do it for now; in the next post I’ll hopefully have mass assignment done. Until then, keep on hacking.

Web for Pentesters 2-SQL Injection

Aaaanndd I’m back. Sorry for the lack of posts over the last couple of weeks, but it’s the end of the semester, which means that assignments are due and exams are coming up. However, now I should be able to get back to a regular posting schedule.
So let’s start with the SQL injection from web for pentesters 2. This VM carries on from web for pentesters 1 and introduces some new and more difficult attacks.

SQLi 1:

First enter a single quote (') in the username field. This will produce an error and reveal the SQL command for the database:
SELECT * FROM users WHERE username=''' AND password=''

Now we need to escape the command:
SELECT * FROM users WHERE username=''or 1=1 -- '' AND password=''
This escapes the command and prints out success.

'or 1=1 # also works.

SQLi 2:

Here we follow the same steps as SQLi 1 but also need to include the LIMIT clause, like so:
' or 1=1 limit 1 -- '
We use 1 because the developer has limited the number of users displayed to one.

SQLi 3:

Here is where things get a little more difficult.
Since single quotes are being escaped in user input, we need to insert a backslash (\) to escape the escaping.
Once we escape the command we can inject our own SQL code like so:
In the username field:

In the password field:
'or 1=1 # '
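To see why SQLi 3's filter fails, here is an added Ruby example (my code, not the exercise's) that builds the login query with the exercise's quote-only escaping and with escaping that also covers the backslash, then reads back the first string literal the way the MySQL parser would. The inputs are the backslash username from above and a constructed password that only needs to carry a true condition.

```ruby
# The filter SQLi 3 relies on: only the single quote is escaped, the
# backslash itself is left alone.
def escape_quote_only(input)
  input.gsub("'") { "\\'" }
end

# What a driver's string escaping does (Mysql2::Client#escape behaves this
# way): the backslash is escaped as well, so a user-supplied "\" can no longer
# swallow the quote that follows it.
def escape_mysql(input)
  input.gsub(/[\\']/) { |char| "\\" + char }
end

def login_query(username, password, escaper)
  "SELECT * FROM users WHERE username='#{escaper.call(username)}' " \
    "AND password='#{escaper.call(password)}'"
end

# Read the first quoted literal the way the MySQL parser would: a backslash
# escapes the next character, so "\'" does not end the string. Returns the
# literal's value and the SQL that follows it.
def first_literal(sql)
  i = sql.index("'") + 1
  value = +""
  while i < sql.length
    if sql[i] == "\\"
      value << sql[i + 1].to_s
      i += 2
    elsif sql[i] == "'"
      return [value, sql[(i + 1)..-1]]
    else
      value << sql[i]
      i += 1
    end
  end
  [value, ""]
end

# Inputs: a lone backslash as the username (from the walkthrough); the
# password is constructed and just needs a true condition and a comment marker.
USERNAME_INPUT = "\\"
PASSWORD_INPUT = " or 1=1 #"
def vulnerable_query
  login_query(USERNAME_INPUT, PASSWORD_INPUT, method(:escape_quote_only))
end

def hardened_query
  login_query(USERNAME_INPUT, PASSWORD_INPUT, method(:escape_mysql))
end
```

A prepared statement (Mysql2::Client#prepare) keeps data out of the SQL text entirely and is the preferred fix; escaping is shown here because that is what the exercise's code attempts.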

SQLi 4:

For this exercise we are injecting directly into a WHERE clause.

You can produce an error to look at the command by simply removing everything after username:
SELECT * FROM users WHERE username=;
or by putting in an unknown username like admin:
Mysql2::Error: Unknown column 'admin' in 'where clause': SELECT * FROM users WHERE username=admin;

Basically you can input anything there to display the users; this will display all the users in the system.

SQLi 5:

Here we inject into the URL bar.

To get an error message, try putting in or 1=1.
This will produce an error and show us the SQL command:
SELECT * FROM users LIMIT 3 or 1=1;
Just like the PentesterLab description, we exploit this through a UNION SELECT command like so:
union select * from users
This will display the entire users table of the database.

The UNION command combines the output of multiple SELECT statements.

SQLi 6:

Same procedure as above, only this time we’re exploiting the GROUP BY clause instead of the LIMIT clause. To get the entire users table:
union select * from users

SQLi 7:

In this example we follow the steps shown by PentesterLab and inject this as the id parameter:

This will produce an error containing the MySQL version.

SQLi 8:

Now we move on to attacks that are exploited later in the system. Here we have to inject our SQL into the username field and then go to the user’s page to see the injection work.

First create a bunch of user profiles; you don’t need to put in a password.
For one of the users, use just a single quote in the username field and submit it.
Then go to the single-quote user’s page; this will show you the error with the SQL syntax.

To see a user’s page, click on the id of the user.

Now for the exploitation.
Inject this into the username field:
name'union select * from users where id=1 #
This should return the first user’s page.

SQLi 9:

Now for the last SQL injection exercise.

Here the problem occurs because the application does not handle Chinese characters correctly.
So all we need is a Chinese character and a statement that always evaluates to true, like so:
脫' or 1=1 #

Tune in next week for authentication walkthrough.

Resources for beginners

So you’re looking to get into the wonderful world of penetration testing, but have no clue where to start? Don’t worry, I was just like you (hence why I started this blog). In this post I’ll provide some resources to help get you started.

Programming Languages

To be able to exploit a system, you will need to know how to program and (at least) know the basics of the language used by the system you are exploiting. A simple scripting language that I recommend is Python. It’s easy to learn and allows you to build quick scripts to help exploit a system. Also, since you’ll most likely be starting off by exploiting web pages and web applications, you should learn HTML, JavaScript and PHP. A lot of web pages and applications are built using these languages, along with CSS. Codecademy is a good site to help you learn these languages; they offer great tutorials in all of these languages and more.

Basic Exploitation walk-through.

Now that you have learnt how web apps are put together, how do you start exploiting a site or a company’s network? Penetration Testing: A Hands-On Introduction to Hacking is a great resource for beginners. It covers the basics of the penetration testing process and some of the tools used in each phase. It definitely helped me get started and wrap my head around some of the tools used.

Another great resource to help you get started with basic web application testing is PentesterLab; in particular, the web for pentesters series gives you a solid understanding of the types of exploits that are found in web applications. P.S. I have a basic walkthrough of the first web for pentesters VM on my blog.

How do I sharpen my skills?

Now that you know the basics, you need to practice your skills, but how? PentesterLab has some more advanced tutorials for you to try. Another similar vulnerable VM is WebGoat; it has a similar style to the PentesterLab VMs, where they walk through each of the exploits and explain why the exploit exists.
What’s that, you want something a little more challenging? Well then VulnHub has you covered. They offer community-made virtual machines, and the solutions offered are written by people who have completed the challenge. They are challenging, but not impossible, and if you get stuck you can always look at the solutions and see how that person solved it.

Write your own exploits.

A great book to learn how to write your own exploits, one that I am currently working through, is Violent Python. This book teaches you how to write your own exploits, botnets and viruses in Python. This is of course a little advanced and could be something to build up to.

Some advice.

Lastly, I’ll leave you with some advice that I wish I had known earlier. PRACTICE, PRACTICE, PRACTICE. Just practice, and really spend the time understanding how an exploit happens and why. Also build applications yourself, exploit them and patch them. This will help you understand what to look for when trying to find exploits in a system or web application.
If you have any questions or suggestions, drop me a line in the comment section below. Until next time, keep on hacking.