E049-Forum vulnerability analysis and utilization-Exploration of web penetration testing for bwapp

Course name:

E049-Forum vulnerability analysis and utilization-Exploration of web penetration testing for bwapp

Course Category:

Forum vulnerability analysis and utilization

————————————————– ————————————————– ————————–

Experimental Level:

intermediate

Task scenario:

【Task Scenario】

Panshi Company invites penetration testers to conduct a penetration test of the company's forum. Because of the particular situation of the company's departments, the company requires penetration tester Xiao Wang to work together with the company's website operations and maintenance staff to identify potential security risks. We are given the target website's source code and other information, and dig out potential security risks by analyzing the code.

————————————————– ————————————————– ————————–

Task analysis:

【Task Analysis】

The simplest and most direct explanation of penetration testing is this: fully simulate the attack techniques and vulnerability-discovery techniques that hackers may use, probe the security of the target system (web, business software, operating system) in depth, and find the most vulnerable links of the system, so as to fully understand the enterprise network's current security risks. Penetration testers, with the customer's knowledge and authorization, take the hacker's perspective and the intruder's way of thinking, and use every method a hacker would use to carry out a comprehensive, in-depth penetration of the target information system, trying to find the weakest link in its security. The process of penetration testing is like rehearsing a real network intrusion incident; through simulated exercises on a professional penetration testing platform, information system managers can understand the way intruders think.

————————————————– ————————————————– ————————–

Preliminary knowledge:

【Preliminary knowledge】

bWAPP (buggy web application) is an open source web application that integrates many common vulnerabilities as well as recent ones. Its purpose is to help network security enthusiasts, developers and students discover and prevent web vulnerabilities. It contains more than 100 vulnerabilities, covering all major known web vulnerabilities, including the OWASP Top 10 security risks, and also integrates the OpenSSL (Heartbleed) and ShellShock vulnerabilities:

1. Injection vulnerabilities like SQL, SSI, XML/XPath, JSON, LDAP, HTML, iFrame, OS Command and SMTP injection

2. Cross-Site Scripting (XSS), Cross-Site Tracing (XST) and Cross-Site Request Forgery (CSRF)

3. Unrestricted file uploads and backdoor files

4. Authentication, authorization and session management issues

5. Arbitrary file access and directory traversals

6. Local and remote file inclusions (LFI/RFI)

7. Server Side Request Forgery (SSRF)

8. XML External Entity Attacks (XXE)

9. Heartbleed vulnerability (OpenSSL)

10. Shellshock vulnerability (CGI)

11. Drupal SQL injection (Drupageddon)

12. Configuration issues: Man-in-the-Middle, cross-domain policy file, information disclosures, ...

13. HTTP parameter pollution and HTTP response splitting

14. Denial-of-Service (DoS) attacks

15. HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) and web storage issues

16. Unvalidated redirects and forwards

17. Parameter tampering

18. PHP-CGI vulnerability

20. Insecure cryptographic storage

21. AJAX and Web Services issues (JSON/XML/SOAP)

22. Cookie and password reset poisoning

23. Insecure FTP, SNMP and WebDAV configurations

...

————————————————– ————————————————– ————————–

Task implementation:


Task environment description:

Server scenario: p9_kali-6 (username: root; password: toor)

Server scenario operating system: Kali Linux

Server scenario: p9_linux-3 (username: bee; password: 123456)

Server scenario operating system: Linux

————————————————– ————————————————– ————————–

Network topology

————————————————– ————————————————– ————————–

Hands-on reproduction:

Open a terminal, write a simple page in the /var/www/html directory, and then start the Apache server with the command service apache2 start:

Use the command firefox to open the Firefox browser, and then visit the target machine address http://172.16.1.6/bWAPP/login.php

Log in with the default username bee and password bug, set the security level to low, then click Login to enter the website:

Select A1 - HTML Injection - Reflected (GET), click the Hack button, and carry out a reflected HTML injection:

After opening the web page, you find a form. Fill in the following code in the input field, then click Go to submit the request to the server:

<a href=http://172.16.1.12/index.php >Click ME</a>

Click the Click ME! link on the next page. After submission, you can see that the submitted information is displayed directly on the page.

The submitted information is also visible in the address bar; this is one of the characteristics of a GET request:

Next, try to construct a malicious URL that exploits the XSS vulnerability and collects the client's access information by submitting the code you want executed. Fill in the following code in the First name input field: , and fill in any value in Last name, as shown below:

After submitting the request, it was found that the user’s cookie was successfully obtained:

Enter the target machine scenario, change directory to /var/www/bWAPP, and view htmli_get.php in that directory:

Looking at the source code, we find that at the low security level the user's input is not processed at all: it is echoed to the page without any filtering:

Return to the penetration machine Kali and set the security level to medium on the login interface:

Repeat the above steps, filling the input box with the following, and check the returned result after submission:

<script>alert(document.cookie)</script>

It is found that there is another pop-up box but the content input by the user is output directly to the front-end page:

Looking at the protection code on the target machine in detail, we find that at the medium security level the str_replace() function is used to filter the two special characters "<" and ">", and afterwards the urldecode() function decodes the URL encoding back into a plain string.

Following the logic of the code, we can first URL-encode "<" and ">" to bypass the str_replace() filter, because the filter runs before the decode. It is recommended to encode all special symbols, such as "=", "/", etc.

Return to the penetration machine Kali, go back to the HTML Injection - Reflected (GET) page, press F12 to open the Firefox developer tools, find the HackBar plug-in, and then enter the injection statement.

Convert the <, >, / symbols in the statement to their URL-encoded (percent-encoded ASCII) form for injection:

The converted code is as follows

Copy the code into the input box and submit:

After submitting, check the page and find that it has been successfully bypassed:

Check the source code directly and audit it:

We find that the code uses the htmlspecialchars() function to filter user input. This function converts predefined characters into HTML entities.

The predefined characters are:

& (ampersand) becomes &amp;

" (double quote) becomes &quot;

' (single quote) becomes &#039; (only when single quotes are encoded, see the flags below)

< (less than) becomes &lt;

> (greater than) becomes &gt;

The syntax of this function is htmlspecialchars(string, flags, character-set, double_encode). The second parameter, flags, deserves particular attention: a developer who overlooks it can be bypassed when using htmlspecialchars() to filter XSS, because the flags parameter decides which quotes are encoded. Available quote types:

ENT_COMPAT - Default. Only double quotes are encoded.
ENT_QUOTES - Encodes double and single quotes.
ENT_NOQUOTES - Do not encode any quotes.
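As an added illustration (not bWAPP's own code), the following Python models the filtering behaviour this page describes for htmli_get.php at the medium level (str_replace() before urldecode()) and the htmlspecialchars() quote flags, next to a corrected order that decodes first and escapes both quote styles. PHP's urldecode() and htmlspecialchars() are approximated with urllib.parse.unquote_plus and html.escape; that mapping, and the hardened function, are assumptions of the model.

```python
import html
from urllib.parse import unquote_plus

# Constructed sample: the page's "Click ME" link with < > = : / percent-encoded,
# i.e. the form the medium-level bypass submits.
ENCODED_LINK = "%3Ca href%3Dhttp%3A%2F%2F172.16.1.12%2Findex.php%3EClick ME%3C%2Fa%3E"


def low_level(value: str) -> str:
    """Low: the input is echoed unchanged, with no filtering at all."""
    return value


def medium_level(value: str) -> str:
    """Medium, as the page describes it: strip '<' and '>' with str_replace(),
    then urldecode(). Filtering before decoding is the defect: encoded angle
    brackets pass the filter untouched and are restored by the decode."""
    stripped = value.replace("<", "").replace(">", "")
    return unquote_plus(stripped)  # PHP urldecode() also turns '+' into ' '


def high_level_compat(value: str) -> str:
    """htmlspecialchars() with ENT_COMPAT (PHP's default before 8.1; since
    PHP 8.1 the default flags include ENT_QUOTES): & < > and double quotes
    are encoded, single quotes are left alone."""
    return html.escape(value, quote=False).replace('"', "&quot;")


def hardened(value: str) -> str:
    """Corrected order (assumption, not bWAPP's code): decode first, then
    escape with ENT_QUOTES semantics so both quote styles are encoded, and
    never reverse the escaping afterwards."""
    return html.escape(unquote_plus(value), quote=True)


def contains_markup(rendered: str) -> bool:
    """True if raw angle brackets would reach the HTML output."""
    return "<" in rendered or ">" in rendered


if __name__ == "__main__":
    for name, fn in [("low", low_level), ("medium", medium_level), ("hardened", hardened)]:
        out = fn(ENCODED_LINK)
        print(f"{name:9s} markup={contains_markup(out)!s:5s} {out}")
    print("ENT_COMPAT :", high_level_compat("it's \"x\""))
    print("ENT_QUOTES :", hardened("it's \"x\""))
```

Running it shows the encoded link surviving the medium filter intact and the single quote surviving ENT_COMPAT, while the decode-then-escape order neutralises both.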

When the experiment is over, shut down the virtual machine.