Attacks on web applications open wide opportunities for intruders: this is the theft of critical information or sensitive information; Breaking business logic for financial gain; Also, a successful attack of a web application can be a harbinger of hacking the company’s corporate network. In this article, I’ll talk about the evolution of Web application attacks.
Lets continue the last article since i was busy with my real life. From the last article i successfully get into the server from SSH service. Now lets enumerate the network inside the server based on this network diagram. First, lets check if Nmap already installed on the server:
|
1 2 3 4 5 6 7 |
e.lindsey@tl10-ssh:~$ nmap -version Nmap version 6.00 ( http://nmap.org ) Platform: x86_64-unknown-linux-gnu Compiled with: liblua-5.1.5 openssl-1.0.1e libpcre-8.30 libpcap-1.3.0 nmap-libdnet-1.12 ipv6 Compiled without: e.lindsey@tl10-ssh:~$ |
Great!! lets mapping the network.
Lets playing around with pentestit.ru testlab v.10. Target IP : 192.168.101.9 Nmap :
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 |
$ nmap 192.168.101.9 -A Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-09 22:27 EDT Nmap scan report for gds.lab (192.168.101.9) Host is up (0.56s latency). Not shown: 995 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u6 (protocol 2.0) | ssh-hostkey: | 1024 bd:04:9b:d8:8d:0e:5b:e3:11:a7:57:18:c0:ce:9f:83 (DSA) | 2048 98:e6:d0:35:6d:11:c4:d1:fb:7c:0f:87:c6:b6:8e:da (RSA) |_ 256 2c:58:fd:06:ea:46:8e:f7:b5:28:58:58:06:fa:dc:38 (ECDSA) 25/tcp open smtp CommuniGate Pro mail server 6.0.9 |_smtp-commands: SMTP EHLO gds.lab: failed to receive data: connection timeout 80/tcp open http nginx 1.10.1 |_http-server-header: nginx/1.10.1 | http-title: 400 Bad Request |_Requested resource was http://store.gds.lab 443/tcp open http nginx 1.2.1 |_http-server-header: nginx/1.2.1 |_http-title: Security Blog by GlobalDataSecurity 8100/tcp open http CommuniGate Pro httpd 6.0.9 | http-methods: |_ Potentially risky methods: PUT DELETE LOCK UNLOCK MKCOL PROPFIND PROPPATCH MOVE COPY REPORT SEARCH ACL MKCALENDAR |_http-server-header: CommuniGatePro/6.0.9 |_http-svn-info: ERROR: Script execution failed (use -d to debug) |_http-title: CommuniGate Pro gds.lab Entrance | http-webdav-scan: | Server Type: CommuniGatePro/6.0.9 | Public Options: OPTIONS, GET, HEAD, POST, PUT, DELETE, LOCK, UNLOCK, MKCOL, PROPFIND, PROPPATCH, MOVE, COPY, REPORT, SEARCH, ACL, MKCALENDAR | Allowed Methods: OPTIONS, GET, HEAD, POST, PUT, DELETE, LOCK, UNLOCK, MKCOL, PROPFIND, PROPPATCH, MOVE, COPY, REPORT, SEARCH, ACL, MKCALENDAR | WebDAV type: Unkown | Server Date: Mon, 10 Apr 2017 02:28:28 GMT | Directory Listing: | / | /CalDAV/ | /CalDAV/INBOX/ | /CalDAV/Outbox/ | /WebDAV/private/caldav/ |_ /CalDAV/Notify/ Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 164.07 seconds |
Lets check HTTP header on port 80 :
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
$ curl -I http://192.168.101.9 HTTP/1.1 200 OK Server: nginx/1.10.1 Date: Mon, 10 Apr 2017 00:34:08 GMT Content-Type: text/html; charset=utf-8 Connection: keep-alive X-Powered-By: PHP/5.4.45-0+deb7u5 Set-Cookie: PHPSESSID=fcll0vv9bgfv5t8qf2nklig4p3; path=/; HttpOnly Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: default=963592ccd56622f61d552345b8; path=/; httponly Set-Cookie: language=en-gb; expires=Wed, 10-May-2017 00:34:08 GMT; path=/; domain=192.168.101.9 Set-Cookie: currency=USD; expires=Wed, 10-May-2017 00:34:08 GMT; path=/; domain=192.168.101.9 |
I tried to open the IP address through web browser but its like taking forever to load the page. 🙁 Ok, lets examine the source of the page:
|
1 2 3 4 5 6 7 8 9 10 |
<html dir="ltr" lang="en"> <!--<![endif]--> <head> <meta charset="UTF-8" /> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <title>GDS WARE</title> <base href="http://store.gds.lab/" /> <meta name="description" content="GDS WARE" /> <meta name="keywords" content= "GDS WARE" /> |
I found store.gds.lab domain inside
Today, i wanna try to create a simple undetected (hopefully FUD) web shell backdoor. I am using VirusTotal (yes, i want them to check my file, lol..). So, what is FUD? Fully undetectable (usually shortened as “FUD”) can stand for data that had been encrypted, making it appear to be random noise. It can also stand
Hi there, Today i just want to share about buffer overflow and a fuzzing tool to check buffer overflow vulnerability. What is Buffer Overflow? A buffer overflow occurs when a program or process attempts to write more data to a fixed length block of memory, or buffer, than the buffer is allocated to hold. Since buffers are created