Categories
Web Application Security

SQL Injection Filter Evasion with Sqlmap

Whenever I find a SQL injection vulnerability I always throw sqlmap at the injection point. It’s a simple, easy to use tools that will not only prove the vulnerability but allow you to extract data, gain command execution, and generally push further on with your penetration test. If I come across a filter or a web application firewall then I’ll habitually break out Burp Suite and start working on filter evasion manually, however there’s often a simpler way.

Categories
Web Application Security

VulnVM

Graceful’s VulnVM is web application running on a virtual machine, it’s designed to simulate a simple eCommerce style website which is purposely vulnerable to a number of well know security issues commonly seen in web applications. This is really a pre-release preview of the project but it’s certainly functional as it stands, but I’m planning on doing a lot of work on this in the near future.

The plan is ultimately to have the application vulnerable to a large number of issues with a selection of different filters at different difficulties that way the as testers become better at detecting and exploiting issues the application can get hardened against common exploitation methods to allow the testers a wider ranger of experiences.

The first filters have now been implemented! The application now supports “levels” where Level 1 includes no real filtration of user input and Level 2 includes a simple filter for each vulnerable function.

The Virtual Machine is available for download here, in a 7 Zip archive. 
Version 0.0.5
900MB.

Currently it’s vulnerable to:
SQL Injection (Error-based)
SQL Injection (Blind)
Reflected Cross-Site Scripting
Stored Cross-Site Scripting
Insecure Direct-Object Reference
Username Enumeration
Path Traversal
Exposed phpinfo()
Exposed Administrative Interface
Weak Admin Credentials
Command Injection (Blind)
Command Injection (Non-blind)
Privilege Escalation

Extracting the Virtual Machine

Install p7zip to unzip *.7z files on Fedora:

sudo dnf install p7zip

Install p7zip to unzip *.7z files on Debian and Ubuntu:

sudo apt-get install p7zip

Extract the archive:

7z x Seattle-0.0.3.7z

Then you can simply start up the virtual machine using Virtual Box! The root user account has a password of PASSWORD

Categories
Web Application Security

Introduction to Directory Traversal

Directory Traversal, or path traversal, is a vulnerability in web applications that can allow an attacker to access files which they should not be able to. Such as files outside of the application web root.

Categories
Web Application Security

Hacking a Corporation From the Outside: External Penetration Tests

This is one part of a two part series, maybe take a look at Hacking a Corporation From the Inside: Internal Penetration Tests too!

Introduction

Occasionally I get asked by clients how I approach the technical aspects of a Penetration Test, you know, what are all those little black boxes with green text that I’ve got open on my screen? Also occasionally, when I’m talking to new testers and people interested in becoming a penetration tester, they understand tool use and they often understand the specifics of vulnerabilities but don’t necessarily know how it all goes together.

Categories
Infrastructure

Hacking a Corporation From the Inside: Internal Penetration Tests

This is one part of a two part series, maybe take a look at Hacking a Corporation From the Outside: External Penetration Tests too!

Introduction

Occasionally I get asked by clients how I approach the technical aspects of a Penetration Test, you know, what are all those little black boxes with green text that I’ve got open on my screen? Also occasionally, when I’m talking to new testers and people interested in becoming a penetration tester, they understand tool use and they often understand the specifics of vulnerabilities but don’t necessarily know how it all goes together.

Additionally, GracefulSecurity.com is filled with information on Infrastructure security, but there’s no guide about how it all fits together!  So I plan here, to write up a step-by-step example of how I go from plugging in to a corporate network and end up leaving that day as a Domain Administrator.

Categories
Build Security

Citrix Breakout

I previously posted about breaking out of restrictive desktop environments to gain access to a CMD shell or acess to Powershell. However sometimes the environment is even tighter, for example with Citrix environments you may not even be on a desktop but simply have an application exposed to you.

Categories
Infrastructure

BMC/Numara Track-It! Decrypt Pass Tool

Today during a Penetration Test of a client I came across a piece of software called “Track-It!” by Numara, who was since acquired by BMC. Now this application is used by IT Helpdesks to offer centralised control of assets, so it was definitely worth a look at from a testing point of view. I found an open (Readable by Domain Users) network share on the installation server named “TrackIt” which internally exposed configuration files such as trackit.cfg which contained intersting lines such as:

RemoteInstallPass=AAABASE64HEREAAA==
DomainAdminPass=BBBBASE64HEREBBB==
Categories
Infrastructure Web Application Security

Becoming a Penetration Tester

The aim of this post is not to talk about how to perform effective penetration tests, but it’s more around taking the first steps towards a career as a Penetration Tester. I want to talk about the kind of things that I look for in candidates, the kind of skills that I found useful when starting out, and as a candidate what to look at first. Information Security is a huge field and you’ve got a whole career to learn all of the details, but where should you start?

Categories
Web Application Security

Cross-domain Flash and Silverlight (crossdomain.xml)

Now I’ve posted previously about cross-domain communication with things like HTML5 CORS and HTML5 postMessages, I’ve also written about the browsers built in protections through Same-Origin Policy. However, recently I saw a discussion about Cross-domain Flash and Silverlight and how those are different, how specifically the exploitation works and what it offers an attacker.

Categories
Web Application Security

HTTP Header Injection

HTTP Header Injection vulnerabilities occur when user input is insecurely included within server responses headers. Specifically they are based around the idea that an attacker can cause the server to generate a response which includes carriage-return and line-feed characters (or %0D and %0A respectively in their URI encoded forms) within the server response header the attacker may be able to add crafted headers themselves. Header Injection can allow for attacks such as response splitting, session fixation, cross-site scripting, and malicious redirection.