This document analyzes in detail the main phases of a web application penetration test, describing the principal techniques associated with authentication bypass and server-side vulnerability exploitation.
The attacker machine is based on the Kali distribution.
1. TCP/IP Penetration Test – web Application
Page 1 / 104
Linkedin: https://www.linkedin.com/in/luigi-capuzzello/
Slideshare: http://www.slideshare.net/luigicapuzzello
Twitter: @FisherKasparov
Skype: luigi.capuzzello
Summary: TCP/IP Penetration Test – web Application
Description of the last modification: Insert description of the last modification here
Issued by: LUIGI CAPUZZELLO
Date: 10/05/2022
INDEX
1. LEGAL DISCLAIMER (p. 5)
2. ATTACK PATH DESCRIPTION (p. 6)
3. SERVICE AND SITE FINGERPRINT (p. 7)
   3.1. SERVICE FINGERPRINT (p. 7)
   3.2. GOOGLE DORK (p. 8)
   3.3. INFORMATION GATHERING FROM WEB (p. 8)
   3.4. SITE STRUCTURE INFORMATION (p. 8)
   3.5. VIRTUAL HOST (p. 10)
   3.6. GUESSING GET PARAMETERS (p. 10)
   3.7. OTHER SITE INFORMATION (p. 11)
   3.8. VULNERABILITY QUICK SEARCH (p. 11)
4. AUTHENTICATION BYPASS (p. 13)
   4.1. SQL INJECTION (p. 13)
        sqlmap (p. 13)
        MS-SQL: by hand (p. 17)
        MySQL/MariaDB: by hand (p. 21)
        SQLite: by hand (p. 22)
        Access: by hand (p. 22)
        NoSQL injection (p. 24)
   4.2. BRUTEFORCE CREDENTIALS (p. 27)
        Standard credentials (p. 27)
        POST with wfuzz (p. 28)
        POST with Hydra (p. 28)
        Basic AuthN with Hydra (p. 29)
        Basic Auth with Medusa (p. 29)
        Manual, with CSRF token (p. 29)
        Manual, without CSRF token (p. 31)
   4.3. XSS (p. 31)
        Description (p. 31)
        Verify XSS (p. 32)
        XSS filter bypass (p. 33)
        XSS + PDF creator -> LFI (p. 34)
        BeEF (p. 34)
        BeEF launched via bettercap (p. 37)
        Meterpreter shell: with autopwn (p. 37)
   4.4. CSRF: CROSS-SITE REQUEST FORGERY (p. 37)
   4.5. BUFFER OVERFLOW (p. 39)
   4.6. MITM (p. 39)
   4.7. SOCIAL ENGINEERING (p. 39)
   4.8. JWT TOKEN (p. 39)
   4.9. PHP DESERIALIZATION ATTACK (p. 41)
        Attack description (p. 41)
        PHP serialization attack (p. 44)
   4.10. JAVA DESERIALIZATION ATTACK (p. 46)
   4.11. .NET (JSON) DESERIALIZATION ATTACK (p. 48)
5. WEB APPLICATION SERVER VULNERABILITY (p. 51)
   5.1. XXE: XML EXTERNAL ENTITY INJECTION (p. 51)
        How does it work? (p. 51)
1. LEGAL DISCLAIMER
Usage of this document for attacking targets without prior mutual consent is
illegal. It is the end user's responsibility to obey all applicable local, state
and federal laws. The author assumes no liability and is not responsible for any
misuse or damage caused by this document.