Web Application Pentesting Exploitation and Manual Testing

Web Application Penetration Tests - Exploiting Vulnerabilities and Manual Testing


Web Application Pentesting

Exploitation and Manual Testing

Exploitation and Manual Testing

In this next section, we will address the following process:

• Scope of Engagement

• Information Gathering

• Vulnerability Identification

• Exploitation

• Post Exploitation

• Reporting


In typical Web App pentest scenarios, the Exploitation and Post Exploitation phases consist of collecting the identified vulnerabilities and determining how each can actually be exploited. Part of that process is eliminating any findings that turn out to be false positives.

Netsparker eliminates a lot of that work by virtue of its Proof-Based Scanning Technology, which validates a finding by exploiting it and providing a proof-of-exploit or proof-of-concept in the finding details.


Once a vulnerability has been marked as Confirmed, depending on the vulnerability type, Netsparker allows us to exploit it and perform further operations against the web application.

For example, if a SQL injection is available, Netsparker allows us to run SQL statements on the target application database. Thanks to this feature we will be able to read and edit the entire application database. But this is only one of the features that Netsparker offers.

In the next slides we will see some different exploitation and post-exploitation operations that we can perform on vulnerabilities found in the previous phase.


Selecting a Confirmed vulnerability presents additional options to validate that the exploit works.

In the attack menu, we see that the Generate WAF Rules and Execute SQL Commands buttons are available.


Selecting the Execute SQL Commands option opens the SQL Injection window below the finding. In this window we can run SQL commands to gain information.

This is a time-saving example of Proof-Based Scanning technology, as we are actually exploiting the vulnerability through the scanner.


In this example, we enter @@HOSTNAME and click the Run Query button, off to the right, which executes the command on the remote host.


The information returned from the host is displayed in the window below the command line.

We can also see the LFI (Local File Inclusion) and Code Injection tabs available in this window.


In the top bar of the vulnerability section, the Generate WAF Rules button is also available.

If we select it, we can generate Web Application Firewall (WAF) rules to implement blocks for the specific vulnerability.


Selecting the Generate WAF Rules button, we see the ModSecurity pop-out below.

Selecting the ModSecurity pop-out, we get the option to save the WAF file to a local directory.


The image above shows the Web Application Firewall rules generated by Netsparker for inclusion/import into any WAF deployed at the customer location.


We can explore some of the other vulnerabilities to see the functionality offered by the LFI and Command Injection tabs.

Let’s click on the Local File Inclusion vulnerability from the site map on the left, and then we can click the LFI Tab below, in the exploit panel.


On the right, we can click the down arrow to the right of the Download button and then click Download Known Files.


We can now see the files on the target host that we can access. Selecting any of the files on the left, such as the windows/system32/etc/hosts file, lets us see the contents of that specific file.

From the download menu, you can also export those files for local analysis.


The image to the right shows the contents of the remote etc/hosts file, which reveals another application name, aspnettestsparker, that could possibly be scanned as well.

Now we can take a look at using the code execution tab to gain further information.


To test the code injection, we can select the command injection vulnerability from the site map to the left.

Then, in the Exploitation panel, select the Code Execution tab.


Type in whoami and press Execute.

We see the results:

=> whoami

ip-0aa6bb64\apacheuser


As another test, we can run the ipconfig command; we see the results:

=> ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : ec2.internal

IPv4 Address. . . . . . . . . . . : 10.166.187.100

Subnet Mask . . . . . . . . . . . : 255.255.255.192

Default Gateway . . . . . . . . . : 10.166.187.65

Tunnel adapter isatap.ec2.internal:

Media State . . . . . . . . . . . : Media disconnected

Connection-specific DNS Suffix . : ec2.internal

[…]
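The SQL injection, LFI and code execution steps above each leave a recognisable trace in the web server's access log. The following detector, added here as an example and not part of the original deck or of Netsparker, runs over constructed Apache/IIS-style log lines and flags the decoded query strings that carry the same kinds of payloads (@@HOSTNAME, traversal to etc/hosts, a shell separator followed by whoami or ipconfig), while leaving a benign request that merely mentions "ipconfig" alone.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not from the original deck); the payloads
# mirror the SQLi, LFI and command-injection steps in the walkthrough.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2020:10:01:02 +0000] "GET /product.aspx?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [10/Mar/2020:10:01:07 +0000] "GET /product.aspx?id=1+UNION+SELECT+@@HOSTNAME HTTP/1.1" 200 640
10.0.0.5 - - [10/Mar/2020:10:02:11 +0000] "GET /view.aspx?file=..%2f..%2f..%2fwindows%2fsystem32%2fetc%2fhosts HTTP/1.1" 200 311
10.0.0.5 - - [10/Mar/2020:10:03:30 +0000] "GET /ping.aspx?host=127.0.0.1%3b+whoami HTTP/1.1" 200 77
10.0.0.5 - - [10/Mar/2020:10:03:41 +0000] "GET /ping.aspx?host=127.0.0.1+%26%26+ipconfig HTTP/1.1" 200 903
10.0.0.9 - - [10/Mar/2020:10:04:00 +0000] "GET /help.aspx?topic=ipconfig HTTP/1.1" 200 2048
"""

# Common Log Format: client, identity, user, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures are applied to the URL-decoded query string only.
SIGNATURES = {
    "sqli": re.compile(r"(?i)@@(hostname|version)|union\s+select"),
    "lfi": re.compile(r"(?i)(\.\./|\.\.\\).*?(etc[/\\]hosts|system32)"),
    # a shell separator must precede the command word, so "topic=ipconfig" does not fire
    "cmdi": re.compile(r"(?i)[;&|`]\s*(whoami|ipconfig|ifconfig)\b"),
}

def classify(line):
    """Return (ip, decoded path, [matched categories]) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = unquote_plus(m.group("path"))
    query = path.partition("?")[2]
    hits = [name for name, rx in SIGNATURES.items() if rx.search(query)]
    return m.group("ip"), path, hits

def find_exploitation_attempts(log_text):
    """Return (ip, decoded path, categories) for every line that matches a signature."""
    results = []
    for line in log_text.splitlines():
        parsed = classify(line)
        if parsed and parsed[2]:
            results.append(parsed)
    return results

if __name__ == "__main__":
    for ip, path, hits in find_exploitation_attempts(SAMPLE_LOG):
        print(f"{ip} {','.join(hits):5} {path}")
```

The signatures are deliberately narrow and meant as a starting point for correlating scanner activity with the findings it reports, not as a replacement for the WAF rules the tool generates.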
