Command Injection for Beginners

Hello aspiring Ethical hackers. In this blogpost, you will learn about another attack, Command Injection. This vulnerability can be found in a wide range of web applications, from small personal websites to large corporate applications.

What is Command Injection?

Command Injection is a security vulnerability that allows an attacker to execute arbitrary commands on a target system. It occurs when an attacker can inject malicious code into a vulnerable application, which the application then executes with the privileges of the application itself.

How do Command Injection attacks work?

Command Injection attacks work by exploiting vulnerabilities in an application that accepts user input and then passes that input directly to a shell or command interpreter. This allows attackers to inject arbitrary commands into the input that are executed with the same privileges as the application.

Attackers can use various techniques to exploit this vulnerability, such as appending commands to existing commands or using shell metacharacters to execute multiple commands in sequence. The impact of a successful attack can be significant, ranging from unauthorized access to sensitive data to full system compromise.

Command Injection is a serious threat to web applications because it can allow attackers to bypass application-level security measures and gain unauthorized access to sensitive data or systems. Moreover, these attacks can be difficult to detect and can lead to serious consequences, such as data breaches, system compromise, and financial loss.

Common vulnerable points for Command Injection

Common entry points for Command Injection attacks include web application forms, user input fields, and API endpoints. Any input that is passed to a shell or command interpreter without proper validation and sanitization can be vulnerable to Command Injection attacks.

For example, vulnerabilities can be introduced in code through improper input validation and sanitization, as well as through the use of system commands that are not properly escaped or sanitized. Examples of vulnerable code include:

php
<?php
// Deliberately vulnerable: the raw query parameter is concatenated into the shell command.
$command = $_GET['command'];
system('ls ' . $command);

In the above code, an attacker could inject arbitrary commands through the $command variable, which would then be executed by the system function. Examples of Command Injection payloads and techniques include using shell metacharacters to execute multiple commands, appending commands to existing commands, and using the $(…) syntax to execute subcommands. An example of a payload using shell metacharacters might look like this:

bash
; cat /etc/passwd

This would execute the cat command to display the contents of the /etc/passwd file.
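The same `ls` handler as the PHP snippet above, written in Python as an added example (not code from the original post): the injectable string-building pattern is kept only as a string that is never run, and the hardened version allowlists the input, confines it to a base directory and calls the program without a shell, so the `; cat /etc/passwd` payload is rejected instead of executed. `demo()` and the temporary directory it builds are constructed for illustration.

```python
import os
import re
import subprocess
import tempfile

# Characters that let a shell chain, substitute or redirect commands.
SHELL_META = re.compile(r"""[;&|`$<>(){}\\"'\n\r*?\[\]~ ]""")

# Only a plain file or directory name is accepted: no slashes, no metacharacters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def vulnerable_command(user_input: str) -> str:
    """Mirror the PHP snippet: concatenate raw input into a command string.
    Returned as a string only and never executed here. Run with a shell,
    every metacharacter in user_input would be parsed as shell syntax."""
    return "ls " + user_input


def has_shell_metacharacters(user_input: str) -> bool:
    """Detection helper: True if the input contains anything a shell treats specially."""
    return SHELL_META.search(user_input) is not None


def safe_list(base_dir: str, user_input: str) -> list[str]:
    """Hardened handler: allowlist the name, confine it to base_dir, and run
    ls as an argv list (no shell), so the argument is data, not syntax."""
    if not SAFE_NAME.match(user_input):
        raise ValueError(f"rejected input: {user_input!r}")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_input))
    # Defence in depth: even a name that passed the regex must stay under base.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes base directory")
    result = subprocess.run(
        ["ls", "-1", "--", target],  # '--' ends option parsing, so names like -a are data
        shell=False, capture_output=True, text=True, check=True,
    )
    return result.stdout.splitlines()


def demo() -> dict:
    """Constructed scenario: a temporary tree plus the payload from the post."""
    payload = "; cat /etc/passwd"
    with tempfile.TemporaryDirectory() as tmp:
        os.mkdir(os.path.join(tmp, "docs"))
        for name in ("a.txt", "b.txt"):
            open(os.path.join(tmp, "docs", name), "w").close()
        listing = safe_list(tmp, "docs")
        try:
            safe_list(tmp, payload)
            rejected = False
        except ValueError:
            rejected = True
    return {
        "injectable_string": vulnerable_command(payload),
        "payload_flagged": has_shell_metacharacters(payload),
        "listing": listing,
        "payload_rejected": rejected,
    }
```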

Real World Examples

Command Injection attacks are a serious threat to web applications and have been responsible for numerous security breaches in the past. In this section, we will discuss some real-world examples of these attacks.

1. Shellshock Bash vulnerability:

In 2014, a critical vulnerability was discovered in the Bash shell, which is used on many Unix-based systems. The vulnerability allowed an attacker to execute arbitrary commands by exploiting the way that Bash processed environment variables. This vulnerability affected millions of servers and devices worldwide, including many web servers.

2. Equifax Data Breach:

In 2017, Equifax suffered a massive data breach that exposed the personal information of over 140 million people. The breach was the result of a command injection attack that targeted a vulnerability in the company’s web application framework. The attackers were able to execute arbitrary commands on the server and steal sensitive data.

These are just a few examples of the devastating consequences of command injection attacks. In each case, the attackers were able to gain unauthorized access to sensitive data by exploiting vulnerabilities in web applications.

Detection and Prevention

To identify Command Injection vulnerabilities, developers should thoroughly review their code for any input that is passed to a shell or command interpreter without proper validation and sanitization. There are several strategies that organizations can use to detect command injection vulnerabilities, including:

1. Manual Code Reviews:

Developers should review code for any instances where user input is passed to a command shell or operating system.

2. Automated Testing:

Organizations can use tools like Burp Suite, OWASP ZAP, and Nikto to scan for command injection vulnerabilities automatically.

3. Web Application Firewalls:

WAFs can be configured to detect and block command injection attacks before they reach the server.

There are several techniques that can be used to mitigate Command Injection attacks. Some of these techniques are:

  1. Input Validation: One of the most effective techniques to mitigate Command Injection attacks is to validate all user input. This includes validating the length, format, and type of input. Input validation can be done on the client-side, server-side, or both. It is essential to ensure that the input is sanitized to remove any characters that could be used for injection attacks.
  2. Restricted Shell Access: To prevent attackers from executing arbitrary commands on the server, it is recommended to restrict shell access. This can be achieved by using a chroot jail, a containerization technology like Docker, or by limiting the commands that can be executed by the user.
  3. Principle of Least Privilege: The principle of least privilege is a security best practice that recommends limiting the access and permissions of users to only what is required to perform their tasks. This means that the user should not have unnecessary access to the server or application.
  4. Update and Patch Software: It is essential to keep all software updated and patched to prevent known vulnerabilities that can be exploited by attackers. This includes the operating system, web server, database server, and any other software used in the application.
  5. Use Security Libraries and Frameworks: Using security libraries and frameworks can help in mitigating Command Injection attacks. These libraries and frameworks are designed to handle input validation, encryption, and other security-related tasks.
  6. Monitor and Log Activity: Monitoring and logging activity can help in detecting Command Injection attacks. By monitoring the application and server logs, it is possible to identify suspicious activity and take appropriate action.

That’s all about Command Injection. We will be back with a new vulnerability very soon. Until then, Good Bye.

Server Side Request Forgery For Beginners

Hello aspiring Ethical Hackers. In this blogpost, you will learn about Server Side Request Forgery. Server Side Request Forgery (SSRF) is a web application vulnerability that can allow attackers to send unauthorized requests from a server. This can lead to a wide range of security issues, such as unauthorized access to sensitive information, system compromise, and data exfiltration, and it is one of the most common web application vulnerabilities.

In this article, we’ll discuss what SSRF is, how it works, types of SSRF attacks, examples of SSRF attacks, how to prevent and detect SSRF attacks, and case studies of notable SSRF attacks.

What is Server Side Request Forgery?

Server Side Request Forgery (SSRF) is a web application vulnerability that occurs when an attacker can manipulate a web application into sending unauthorized requests to other servers. In an SSRF attack, an attacker can exploit a web application to send requests to other internal or external servers, bypassing access controls and security mechanisms.

SSRF attacks differ from other web application vulnerabilities, such as Cross-Site Scripting (XSS) or SQL Injection (SQLi), in that they do not rely on injecting malicious code into a web page. Instead, SSRF attacks exploit the application’s ability to send requests to other servers.

How do SSRF attacks work?

  1. The attacker sends a request to the vulnerable web application, often by manipulating a user-controlled input field such as a URL parameter.
  2. The web application processes the request and sends a request to another server, typically based on the user’s input.
  3. The attacker intercepts the request and modifies it to send a request to a different server, often an internal server that is not accessible from outside the network.
  4. The vulnerable web application sends the unauthorized request to the attacker’s desired server, bypassing access controls and security mechanisms.

Common use cases for SSRF attacks include accessing sensitive information on internal servers, bypassing authentication mechanisms, and sending requests to cloud infrastructure providers to obtain credentials or perform other malicious actions.

Types of SSRF attacks

SSRF attacks can be classified into three main categories:

  1. Basic SSRF attacks,
  2. Advanced SSRF attacks, and
  3. Blind SSRF attacks.

Basic SSRF Attacks:

Basic SSRF attacks are the simplest form of SSRF attacks and involve manipulating user-controlled input to send unauthorized requests to other servers. These attacks can be prevented by validating and sanitizing input, limiting the scope of the request, and restricting the types of URLs that can be accessed.

Advanced SSRF Attack:

Advanced SSRF attacks are more complex and involve chaining together multiple vulnerabilities to achieve the desired result. These attacks can involve exploiting logic flaws, race conditions, or other vulnerabilities to bypass security mechanisms and gain access to sensitive information.

Blind SSRF Attack:

Blind SSRF attacks are a type of SSRF attack where the attacker does not receive a direct response from the target server. Instead, the attacker can use timing or error messages to determine whether the request was successful. Blind SSRF attacks can be more difficult to detect and prevent as the attacker is not receiving a direct response.

Real World Examples of SSRF Exploitation

SSRF attacks can have a wide range of consequences, from accessing sensitive information to system compromise and data exfiltration. Here are some examples of real-world SSRF attacks.

1. Yahoo Data Breach:

In 2016, Yahoo suffered a massive data breach that exposed the personal information of over 500 million users. The attack was carried out using an SSRF vulnerability that allowed the attacker to access Yahoo’s internal systems and steal the user data. The attacker used a common vulnerability in Yahoo’s image processing system that allowed users to submit URLs to be resized or cropped. By submitting a specially crafted URL that included instructions to access Yahoo’s internal systems, the attacker was able to gain access to sensitive information and cause widespread damage.

2. Capital One Data Breach:

In 2019, Capital One suffered a massive data breach that exposed the personal information of over 100 million customers. The attack was carried out by exploiting an SSRF vulnerability in Capital One’s web application firewall, which allowed the attacker to access the company’s AWS server and steal sensitive information. The attacker was able to use the SSRF vulnerability to obtain AWS credentials and gain access to the server, which contained sensitive information such as names, addresses, credit scores, and Social Security numbers.

3. Shopify:

In 2018, a security researcher discovered an SSRF vulnerability in Shopify that allowed an attacker to obtain the API keys for the company’s payment gateway. By exploiting the vulnerability, the attacker was able to obtain sensitive information and perform unauthorized transactions.

4. Tesla Cloud Credential Theft:

In 2018, a researcher discovered an SSRF vulnerability in Tesla’s cloud infrastructure that allowed them to obtain access tokens for the company’s AWS account. The attacker was able to use the access tokens to launch instances in the company’s AWS account and perform other malicious actions.

5. Jenkins CI Server Compromise:

In 2017, a vulnerability in the Jenkins CI server allowed an attacker to compromise the server and gain access to sensitive information. The vulnerability was caused by an SSRF vulnerability that allowed the attacker to access internal servers.

Prevention and Detection

Preventing and detecting SSRF attacks requires a combination of secure coding practices, network security measures, and security testing. Here are some best practices for preventing and detecting SSRF attacks:

1. Secure Coding Practices:

Using secure coding practices can help prevent SSRF vulnerabilities from being introduced into the application. Developers should validate and sanitize user input, limit the scope of requests, and restrict access to sensitive information and systems.

2. Restricting External Requests:

Restricting external requests can help prevent unauthorized requests from leaving the network. Applications should only be able to send requests to approved external servers, and any user input should be validated and sanitized before being used in a request.

3. Network Security Measures:

To prevent SSRF attacks, it’s essential to implement network security measures that restrict unauthorized requests from leaving the network. Best practices include using a firewall and implementing access controls.

A firewall can help restrict incoming and outgoing traffic, preventing unauthorized requests from leaving the network. Firewalls can be configured to block requests to specific IP addresses or ranges, limiting the scope of potential SSRF attacks. Implementing access controls can help prevent unauthorized users from accessing sensitive information or systems. Access controls can be used to restrict access to internal servers and APIs, limiting the scope of potential SSRF attacks.
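A URL check for the outbound-request validation described above, as an added example (not from the original post). It accepts only http and https, refuses embedded credentials, resolves the hostname and rejects any answer that is loopback, private, link-local (the range cloud metadata services such as AWS's 169.254.169.254 live in), multicast, reserved or unspecified. The FAKE_DNS table and the example host names are constructed so the block runs offline; a real deployment uses resolve_with_dns, and the caller should connect to the returned address and send the original Host header rather than resolve the name a second time, which closes the DNS-rebinding window.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed answers so the example runs offline. The last entry models a
# mixed answer where one record is public and one points inside the network.
FAKE_DNS = {
    "localhost": ["127.0.0.1"],
    "images.example.com": ["8.8.8.8"],
    "rebind.example.net": ["8.8.8.8", "10.0.0.5"],
}


def resolve_with_dns(host: str) -> list[str]:
    """Real resolver: every A/AAAA record for host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def resolve_fake(host: str) -> list[str]:
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed NXDOMAIN for {host}")
    return FAKE_DNS[host]


def unmap(ip):
    """Treat an IPv4-mapped IPv6 address (::ffff:a.b.c.d) as the IPv4 address it wraps."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_internal(ip) -> bool:
    """True for any address an application must never fetch on a user's behalf."""
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_outbound_url(url: str, resolver=resolve_with_dns) -> tuple[str, list[str]]:
    """Return ('allowed', [ips]) or ('blocked: <reason>', []).
    Connect to one of the returned ips with the original Host header instead
    of resolving the name again, so a rebinding DNS answer cannot slip through."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return f"blocked: scheme {parts.scheme!r}", []
    if parts.username or parts.password:
        return "blocked: credentials in URL", []
    host = parts.hostname
    if not host:
        return "blocked: no host", []
    try:  # a literal address (including the [::1] form) needs no lookup
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError):
            return "blocked: host does not resolve", []
    addrs = [unmap(a) for a in addrs]
    # Every record must be public; a single internal answer blocks the whole URL.
    for ip in addrs:
        if is_internal(ip):
            return f"blocked: {ip} is not a public address", []
    return "allowed", [str(ip) for ip in addrs]
```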

Joomla enumeration with Metasploit

Hello, aspiring ethical hackers. In this article, you will learn how to perform Joomla enumeration with Metasploit. Although its share of CMS usage is smaller than WordPress's, Joomla is still one of the top 5 CMSes in use. To extend its features, Joomla has components or extensions which can be installed by the web admin as required. These are similar to plugins in WordPress. Metasploit has some modules which can be used to enumerate a website running Joomla.

Version Detection

The first Metasploit module you will learn about is the version detection module of Joomla. Prior to starting Metasploit, we open Shodan and search for “Joomla”. We will get many IP addresses where Joomla is running. We collect some.

Next, we start Metasploit and load the joomla_version auxiliary module given below. Type command “show options” to see the required options for this module.

We need to set two options for this module to do its job: RHOSTS (which are target IP addresses) and Targeturi. Set Targeturi as shown below. Coming to “RHOSTS” option, we copy and paste the IP addresses we got in our Shodan search giving space between each IP address as shown below. Here I have given five IP addresses.

Check whether all options are set correctly by typing command “show options”.

All the options are set. Next, it’s time to run the module. Type command “run” and you will get the results as shown below.

As readers can see, the versions of Joomla running on the target machines are displayed.

Plugin Enumeration

Once we know the version of Joomla running on the target website, the next important piece of information to find out is which extensions are installed on the target Joomla. Metasploit has a module for that too. Since Joomla extensions or components are similar to WordPress plugins, this module is called the Joomla plugin enumeration module. Load the module as shown below.

Just like the earlier module, this module too can be used to scan multiple targets at once. Set the IP addresses of targets as shown below with space between each IP address.

Next, execute the module.

As readers can see, all the plugins installed on the target Joomla site are displayed. But how does this module scan for plugins? The list of plugins this module scans for is in the file “/usr/share/metasploit-framework/data/wordlists/joomla.txt”.

If the plugin you want to scan for is not in this list, you can just add it manually by opening this file with any text editor.

Don’t forget to save changes after making them. I once again execute the module after applying changes and the result is shown below.

Webpage Enumeration

Metasploit also has a module for enumerating webpages on the Joomla target. This module can be useful in viewing pages of a Joomla website that can give further information about the website. Load the module as shown below. Type command “show options” to see the options we need to set.

We can set multiple IP addresses to scan for their pages with space in between as shown below. Set the targeturi.

Execute the module. We will get the result as shown below.

As readers can see, this module enumerated the webpages of our target. That is how we can perform Joomla enumeration with Metasploit. Read how to perform WordPress enumeration with Metasploit.

WordPress enumeration with Metasploit

Hello aspiring Ethical Hackers. In this article, readers will learn how to perform WordPress enumeration using Metasploit. WordPress is one of the most popular CMSes available and, as of 2021, 39.5% of websites are powered by WordPress. Hence gauging the security of a WordPress installation is always important.

Metasploit has a few modules that can be used to perform WordPress Enumeration. Let’s see a few of them. The first module we will see is the WordPress Scanner module that scans for installed themes, installed plugins, installed WordPress version and more information about target WordPress.

Let’s see how this Module works. Start Metasploit and load the WordPress scanner module. Then, type command “show options” to see the options we require for this module. We are testing this module on WordPress installed on Ubuntu 20.

After all the options are set and the module is executed, the module successfully detected the target WordPress version as 6.0. It also detected plugins installed on the target WordPress along with their versions. The module will also try to enumerate users, although it failed to detect any users here.

This module can be useful to find if there are any vulnerabilities on the WordPress target. For example, one of the plugins installed on this target wp_pie_register has an exploit module related to it.

Some of the vulnerabilities in WordPress require credentials for successful exploitation. Metasploit also has a WordPress login enumeration module that not only helps in user enumeration but also in brute-forcing their passwords.

Load the WordPress login enumeration module as shown below. Type command “show options” to see the options this module requires.

Assuming we have no idea about any user credentials on the target machine, the first thing to do is enumerate and validate usernames. So set the “bruteforce” option to false as shown below.

Validating usernames is a process where we check if a particular username is present on the target WordPress site. We can validate a single username or many usernames using a wordlist. For example, let’s use the wordlist “common.txt” as users file. We also want to set the STOP_ON_SUCCESS option to TRUE. This will stop the enumeration as soon as we get one valid username.

Let’s execute the module now.

The module found one valid username on the target. It’s “admin”. Since we have found one valid username on the target, let’s try to find out the password for this user. To do this, we need to set the options as shown below.

ENUMERATE_USERNAMES : FALSE
VALIDATE_USERS : FALSE
BRUTEFORCE : TRUE

We also need to set the password file that is required for brute forcing. Since we now know the username, we set it using the “username” option.

The module found one successful LOGIN using credentials “admin : admin”. See how to perform WordPress Enumeration with WPScan.
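The enumeration and brute-force traffic this module generates shows up in the target’s web server access log, which is where a defender would catch it. As an added example (not from the original post), here is a small analyser over constructed Apache-style log lines that flags a burst of failed POSTs to wp-login.php, a run of 404s under /wp-content/plugins/ and ?author=N probes; the IPs, timestamps and plugin names are constructed, and the success heuristic assumes WordPress answers a successful login with a 302 redirect and a failed one by re-rendering the form with 200.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format, with only the fields this analysis needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one brute-force run that eventually succeeds, one plugin
# scan, one author-id walk, and a line of ordinary browsing.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [10/Oct/2023:13:55:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3942'
     for i in range(6)]
    + ['203.0.113.7 - - [10/Oct/2023:13:55:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0']
    + [f'198.51.100.9 - - [10/Oct/2023:14:01:{i:02d} +0000] "GET /wp-content/plugins/{p}/readme.txt HTTP/1.1" 404 196'
       for i, p in enumerate(["slider-a", "forms-b", "cache-c", "seo-d"])]
    + [f'192.0.2.4 - - [10/Oct/2023:14:10:{i:02d} +0000] "GET /?author={i + 1} HTTP/1.1" 301 0'
       for i in range(3)]
    + ['198.51.100.20 - - [10/Oct/2023:14:20:00 +0000] "GET /index.php HTTP/1.1" 200 5120']
)


def parse_line(line: str):
    """One log line to a dict of fields, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text: str, login_threshold: int = 5, plugin_threshold: int = 3) -> dict:
    """Per-source-IP counters, reduced to a report of the sources worth looking at."""
    failed_logins = Counter()
    succeeded_after = set()
    plugin_404s = Counter()
    author_probes = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, status = rec["ip"], rec["path"], rec["status"]
        if rec["method"] == "POST" and path.startswith("/wp-login.php"):
            if status == "200":          # WordPress re-renders the login form on failure
                failed_logins[ip] += 1
            elif status == "302" and failed_logins[ip] >= login_threshold:
                succeeded_after.add(ip)  # a success right after a burst of failures
        elif path.startswith("/wp-content/plugins/") and status == "404":
            plugin_404s[ip] += 1         # probing for plugins that are not installed
        elif re.match(r"^/\?author=\d+$", path):
            author_probes[ip] += 1       # author-id walk used to harvest usernames
    return {
        "login_bruteforce": {ip: n for ip, n in failed_logins.items() if n >= login_threshold},
        "bruteforce_then_success": sorted(succeeded_after),
        "plugin_enumeration": {ip: n for ip, n in plugin_404s.items() if n >= plugin_threshold},
        "author_enumeration": dict(author_probes),
    }
```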

WordPress Reverse Shell : Multiple Methods

Hello aspiring Ethical Hackers. In this article you will learn about multiple WordPress reverse shell methods. As you all might already know, WordPress is a popular open source Content Management System (CMS) based on PHP, with MySQL or MariaDB as its database. It was released in 2003.

Since then, it has grown into one of the most popular CMSes around the world. It is used as blogging software, for membership sites, online stores and more. WordPress is used by over 60 million websites.

In this article we will show you how to gain a reverse shell on a WordPress website once we have the credentials of the website. This is a comprehensive collection of methods to gain a reverse shell on WordPress.

This Tutorial assumes that you have already acquired WordPress credentials and can access the WordPress dashboard.

1. Reverse Shell Through Vulnerable Plugins

One of the reasons for the popularity of the WordPress CMS is its plugins. WordPress plugins are additional extensions that are used to extend the functionality of the WordPress CMS. WordPress has over 58,559 plugins. Sometimes vulnerable plugins are the reason attackers get a reverse shell on the WordPress target.
There are many vulnerable plugins which can be downloaded from websites like Exploit Database. We will use one such WordPress plugin, Responsive Thumbnail Slider version 1.0. This version of the plugin has an arbitrary file upload vulnerability which is used to upload a malicious payload into the website. Since this target doesn’t have this vulnerable plugin installed, let’s upload this plugin ourselves and activate it.

Once the plugin is uploaded and activated, Metasploit can be used to exploit this vulnerable plugin. Start Metasploit and load the wp_responsive_thumbnail_slider_upload module as shown below.

Use check command to confirm if the target is indeed vulnerable.

After setting the credentials and executing the module, a meterpreter session on the target is gained.

Here’s another famous wordpress plugin that can be exploited.

2. Reverse Shell Through Editing WordPress Theme

WordPress themes enhance the look of WordPress websites. The content of these themes can be edited to upload a reverse shell on the target. For this tutorial, we will upload the infamous C99 webshell. Here’s more about the c99 web shell.

Here the 404.php page of the theme has been edited to contain the code of the C99 web shell. Once the edited file is saved, all that needs to be done is to visit that page.

With the C99 shell on the target website, there are a host of options to play with.

3. Reverse Shell Through Uploading A Malicious Plugin

Uploading a malicious plugin is another way of gaining a reverse shell on a WordPress website. GitHub hosts many such malicious WordPress plugins. Let’s use one of them, named malicious wordpress plugin, which can be downloaded from here.

After navigating into the “malicious-wordpress-plugin” directory, execute the wordpwn.py script. It will show the usage of the script.

Execute the script again, setting the LHOST and LPORT and enabling the handler option, i.e. the “Y” option. This will start a Metasploit handler.

By this time, a new file named “malicious.zip” is created in the “malicious-wordpress-plugin” directory.

Upload this plugin into WordPress and activate it just like any other plugin.

This newly uploaded web shell can be accessed from the two URLs given below:

http://(target)/wp-content/plugins/malicious/wetw0rk_maybe.php
http://(target)/wp-content/plugins/malicious/QwertyRocks.php

In this specific instance, the web shell got executed by visiting the first URL. This will give us a meterpreter session on the already listening handler.

4. Reverse Shell Through Metasploit Framework

Here is another simple method to gain a reverse shell. Metasploit Framework has a module that uploads a reverse shell as payload once the WordPress credentials are known.

Start Metasploit and load the exploit/unix/webapp/wp_admin_shell_upload module.

Set all the required options, including the credentials, and execute the module.

This will successfully give us a meterpreter session. These are the four common methods through which a reverse shell can be achieved on WordPress. Now you decide: which is your favorite method of gaining a reverse shell on WordPress?