Penetration Test Black Box type - Web Application
•
0 likes•34 views
The document aims to analyze in detail the main phases of a web Application penetration test describing the principale techniques associated with authentication bypass and server-side vulnerability exploitation The attacker machine is based on kali distribution.
Recommended
Recommended
More Related Content
Similar to Penetration Test Black Box type - Web Application
Similar to Penetration Test Black Box type - Web Application (20)
More from luigi capuzzello
Recently uploaded
Recently uploaded (20)
Penetration Test Black Box type - Web Application
- 1. TCP/IP Penetration Test – web Application Page 1 / 104 Linkedin: https://www.linkedin.com/in/luigi-capuzzello/ Slideshare: http://www.slideshare.net/luigicapuzzello Twitter: @FisherKasparov Skype: luigi.capuzzello Summary: TCP/IP Penetration Test – web Application Description of the last modification: Insert description of the last modification here Issued by: Date LUIGI CAPUZZELLO 10/05/2022 TCP/IP Penetration Test – web Application
- 2. TCP/IP Penetration Test Page 2 / 104 Linkedin: https://www.linkedin.com/in/luigi-capuzzello/ Slideshare: http://www.slideshare.net/luigicapuzzello Twitter: @FisherKasparov Skype: luigi.capuzzello INDEX 1. LEGAL DISCLAIMER ................................................................................................................................................... 5 2. ATTACK PATH DESCRIPTION ..................................................................................................................................... 6 3. SERVICE AND SITE FINGERPRINT............................................................................................................................... 7 3.1. SERVICE FINGERPRINT ..................................................................................................................................................... 7 3.2. GOOGLE DORK............................................................................................................................................................... 8 3.3. INFORMATION GATHERING FROM WEB ............................................................................................................................... 8 3.4. SITE STRUCTURE INFORMATION ........................................................................................................................................ 8 3.5. VIRTUAL HOST............................................................................................................................................................. 10 3.6. GUSSING GET PARAMETER............................................................................................................................................ 10 3.7. OTHER SITE INFORMATION............................................................................................................................................. 11 3.8. VULNERABILITY QUICK SEARCH ....................................................................................................................................... 11 4. AUTHENTICATION BYPASS.......................................................................................................................................13 4.1. SQL INJECTION............................................................................................................................................................ 13 sqlmap............................................................................................................................................................. 13 MS-SQL: a mano.............................................................................................................................................. 17 MySQL/MariaDB: a mano ............................................................................................................................... 21 SQL-lite: a mano .............................................................................................................................................. 22 Access: a mano................................................................................................................................................ 22 NoSQL injection ............................................................................................................................................... 24 4.2. BRUTEFORCE CREDENTIALS ............................................................................................................................................ 27 Standard Credentials....................................................................................................................................... 27 POST con wfuzz................................................................................................................................................ 28 POST con Hydra............................................................................................................................................... 28 Basic AuthN com Hydra................................................................................................................................... 29 Basic Auth con medusa.................................................................................................................................... 29 Manuale con CSRF........................................................................................................................................... 29 Manuale senza CSRF........................................................................................................................................ 31 4.3. XSS........................................................................................................................................................................... 31 Description ...................................................................................................................................................... 31 Verify XSS......................................................................................................................................................... 32 XSS Filter bypass.............................................................................................................................................. 33 XSS + PDF creator -> LFI................................................................................................................................... 34 BeEF:................................................................................................................................................................ 34 Beef attivato con bettercap............................................................................................................................. 37 Shell meterpreter: with autopwn. ................................................................................................................... 37 4.4. CSRF: CROSS SITE REFERENCE FORGERY. ......................................................................................................................... 37 4.5. BUFFEROVERFLOW ....................................................................................................................................................... 39 4.6. MITM....................................................................................................................................................................... 39 4.7. SOCIAL ENGINEERING.................................................................................................................................................... 39 4.8. JWT TOKEN................................................................................................................................................................ 39 4.9. PHP DESERIALIZATION ATTACK....................................................................................................................................... 41 Attack Description ........................................................................................................................................... 41 PHP Serialization Attack.................................................................................................................................. 44 4.10. JAVA DESERIALIZATION ATTACK..................................................................................................................................... 46 4.11. .NET (JSON) DESERIALIZATION ATTACK .......................................................................................................................... 48 5. WEB APPLICATION SERVER VULNERABILITY ............................................................................................................51 5.1. XXE: EXTERNAL ENTITY INJECTION .................................................................................................................................. 51 How does it work?........................................................................................................................................... 51
- 3. TCP/IP Penetration Test Page 3 / 104 Linkedin: https://www.linkedin.com/in/luigi-capuzzello/ Slideshare: http://www.slideshare.net/luigicapuzzello Twitter: @FisherKasparov Skype: luigi.capuzzello Exploiting XXE to retrieve files......................................................................................................................... 52 Exploiting XXE to perform SSRF attacks........................................................................................................... 52 XInclude attacks .............................................................................................................................................. 53 XXE attacks via modified content type ............................................................................................................ 53 Blind XXE: upload SVG ..................................................................................................................................... 53 Blind XXE: UPLOAD DOCX2PDF........................................................................................................................ 54 5.2. INPUT VALIDATION ATTACK............................................................................................................................................ 55 5.3. COMMAND INJECTION ............................................................................................................................................ 56 Verifica e Preperazione.................................................................................................................................... 56 Reverse Shell.................................................................................................................................................... 57 Reverse Shell: 2................................................................................................................................................ 57 Bypassare shell python bloccata ..................................................................................................................... 58 Bypassare caratteri bloccati............................................................................................................................ 59 WINDOWS: Command Injection...................................................................................................................... 60 5.4. SSRF......................................................................................................................................................................... 62 5.5. SSI............................................................................................................................................................................ 64 5.6. UPLOAD FILE............................................................................................................................................................... 64 UPLOAD Image................................................................................................................................................ 64 UPLOAD Filmati............................................................................................................................................... 66 UPLOAD ZIP. .................................................................................................................................................... 67 5.7. LFI – RFI – PATH TRAVERSAL......................................................................................................................................... 67 Check LFI.......................................................................................................................................................... 67 Bypassare path traversal verification.............................................................................................................. 68 read files automatically................................................................................................................................... 68 Read interesting File........................................................................................................................................ 68 Code Execution ................................................................................................................................................ 70 Local Port Scan sul Server Target .................................................................................................................... 75 LFI + Target windows + PHP site -> SHELL ...................................................................................................... 75 5.8. SSTI (SERVER SIDE TEMPLATE INJECTION).......................................................................................................................... 78 6. CMS: JOOMLA, WORDPRESS, DRUPAL .....................................................................................................................80 7. OTHER ATTACK ........................................................................................................................................................83 7.1. ADMINER.PHP ............................................................................................................................................................. 83 7.2. FROM WRITE INETPUB -> POWERSHELL ......................................................................................................................... 83 7.3. FROM WRITE INETPUB -> POWERSHELL (NC.EXE)............................................................................................................. 84 7.4. FROM REVERSE SHELL -> METERPRETER (UNICORN)............................................................................................................ 84 7.5. DOUBLE ENCODING ATTACK........................................................................................................................................... 85 7.6. COOKIE: IKNOWMAG1K ................................................................................................................................................ 85 7.7. TOMCAT..................................................................................................................................................................... 87 7.8. GET <-> POST ........................................................................................................................................................... 89 7.9. .HTACCESS .................................................................................................................................................................. 89 8. HTTP3 (QUIC)...........................................................................................................................................................89 9. HTTPS ......................................................................................................................................................................90 9.1. READ SSL TRAFFIC IN PLAINTEXT...................................................................................................................................... 92 10. MODULE CLIENT SIDE ATTACK. ..............................................................................................................................94 10.1. XSS: CROSS SITE SCRIPTING......................................................................................................................................... 94 1. BeEF:.......................................................................................................................................................... 94 Beef and bettercap........................................................................................................................................ 96 2. Shell meterpreter: with autopwn. ............................................................................................................. 96 3. Grab the cookies........................................................................................................................................ 96 XSS Filter........................................................................................................................................................ 97 10.2. CATCH SITE PASSWORD: [SET] SITE CLONE...................................................................................................................... 97
- 4. TCP/IP Penetration Test Page 4 / 104 Linkedin: https://www.linkedin.com/in/luigi-capuzzello/ Slideshare: http://www.slideshare.net/luigicapuzzello Twitter: @FisherKasparov Skype: luigi.capuzzello 10.3. REVERSE SHELL: [MSFCONSOLE] AURORA/AUTOPWN:...................................................................................................... 98 10.4. REVERSE SHELL: [MSFCONSOLE] SMB_RELAY ................................................................................................................... 98 10.5. CRACK WINDOWS PASSWORD: [MSFCONSOLE] SMB.......................................................................................................... 99 10.6. REVERSE SHELL: [SET + METASPLOIT] MACRO WORD ........................................................................................................ 99 10.7. REVERSE SHELL: [MSFVENOM] WINDOWS BACKDOOR.....................................................................................................101 10.8. REVERSE SHELL: [HYPERION] WINDOWS BACKDOOR .......................................................................................................101 10.9. REVERSE SHELL: [MANUAL] WINDOWS BACKDOOR .........................................................................................................102 10.10. REVERSE SHELL: [MSFVENOM] APK BACKDOOR ...........................................................................................................103 10.11. ARMITAGE CLIENT SIDE ATTACK .................................................................................................................................104
- 5. TCP/IP Penetration Test Page 5 / 104 Linkedin: https://www.linkedin.com/in/luigi-capuzzello/ Slideshare: http://www.slideshare.net/luigicapuzzello Twitter: @FisherKasparov Skype: luigi.capuzzello 1. LEGAL DISCLAIMER Usage of this document for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Author assume no liability and are not responsible for any misuse or damage caused by this docuemnt.