Walkthrough : testphp.vulnweb.com
About testphp.vulnweb.com
It is an example PHP application, which is intentionally vulnerable to web attacks. It is intended to help you test Acunetix. It also helps you understand how developer errors and bad configuration may let someone break into your website. You can use it to test other tools and your manual hacking skills as well.
EXECUTIVE SUMMARY
This VAPT was performed during my winter vacation. The detailed report and findings are described below.
OBJECTIVE
The objective of this test was to determine security vulnerabilities in the web server configuration and website running on the server. The tests were carried out assuming the identity of an attacker or with malicious intent. At the same time due care was taken not to harm the web server. This is the vulnerability assessment and penetration testing (VAPT) of testphp.vulnweb.com and our finding are described below.
SCOPE
The scope is to find OWASP top 10 vulnerabilities on the website Also, find other potential vulnerabilities testphp.vulnweb.com.
OWASP top 10–2017
A1 Injection
A2 Broken Authentication
A3 Sensitive Data exposure
A4 XML External Entities
A5 Broken Access control
A6 Security Misconfiguration
A7 Cross site Scripting
A8 Insecure Deserialization
A9 Using components with known vulnerabilities
A10 Insufficient logging and monitoring
Disclaimer
All information, techniques and tools described in this write-up are for educational purposes only. Use anything in this write-up at your own discretion, I cannot be held responsible for any damages caused to any systems or yourselves legally. Usage of all tools and techniques described in this write-up for attacking individuals or organizations without their prior consent is highly illegal. It is your responsibility to obey all applicable local, state and federal laws. I assume and accept no liability and will not be responsible for any misuse or damage caused by using information herein.
HTML Injection , XSS(Client side scripting)
Hypertext Markup Language (HTML) injection is a technique used to take advantage of non-validated input to modify a web page presented by a web application to its users. Attackers take advantage of the fact that the content of a web page is often related to a previous interaction with users.
Cross-site Scripting (XSS) is a client-side code injection attack. The attacker aims to execute malicious scripts in a web browser of the victim by including malicious code in a legitimate web page or web application.
In the search art box form I had given following html code & script
After running the following script & code I found this
After successful login it gives us this following input
In this the name form is vulnerable it accepts the cross site script and it get stored in database which is reflecting when we call the current_user or system_user or we can use simple html h1 tag
Directory Listing , Improper Error Handling
A directory listing is inappropriately exposed, yielding potentially sensitive information to attackers. Extended Description. A directory listing provides an attacker with the complete index of all the resources located inside of the directory.
Improper error handling flaws occur when an error message that’s displayed to an end user provides clues about how an application or website operates.
I went to the source page and I found this images/logo.gif
After clicking on that I had removed logo.gif so I had found this
DIRB is a Web Content Scanner. It looks for existing (and/or hidden) Web Objects. It basically works by launching a dictionary based attack against a web server and analyzing the responses.
After this I used dirb and I found following output
After this I had visited each directory http://testphp.vulnweb.com/admin/
And that create.sql file gives me this information
After this http://testphp.vulnweb.com/cgi-bin/ gives information about server & port number
After this http://testphp.vulnweb.com/CVS/Repository its downloading a file and showing this information
After this http://testphp.vulnweb.com/index.php/ its giving information about nginx & its version
After this http://testphp.vulnweb.com/pictures/ its showing some text file and some html
Credentials.txt
Ipaddresses.txt
path-disclosure-unix.html
path-disclosure-win.html
Wp-config.bak
After login I had tried to refresh its gives me this information
Broken Authentication & SQL Injection
Broken authentication attacks aim to take over one or more accounts giving the attacker the same privileges as the attacked user. Authentication is “broken” when attackers are able to compromise passwords, keys or session tokens, user account information, and other details to assume user identities.
SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself is able to access
Weak password test & test Easy to crack by using brute force
SQL injection using SQL queries using ‘ or 1=1 — -
SQLmap is an open-source tool used in penetration testing to detect and exploit SQL injection flaws. SQLmap automates the process of detecting and exploiting SQL injection. SQL Injection attacks can take control of databases that utilize SQL.
Now I am going to use SQLMAP
sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 –dump
And I get the database name
sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 — dump -D acuart
After trying with sqlmap now we are trying from the victim directly without using sqlmap tool.
Now will run some MYSQL query to inject and try to get table details
It had given all the table name from all the database in target machine now will ask the specific database table name.
A list of table shown
Artists
Carts
Categ
Featured
And many more in below snap
Now will ask the particular table name data for eg: users
We can see a list columns in below snap
Directory traversal & Local File Inclusion
Directory traversal (also known as file path traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application.
Local File Inclusion is an attack technique in which attackers trick a web application into either running or exposing files on a web server. LFI attacks can expose sensitive information, and in severe cases, they can lead to cross-site scripting (XSS) and remote code execution.
In burp suite I had captured this particular image request
After capturing the request I had tried local file inclusion and successfully done
Business Price change
I had seen in the categories we can buy a product so I captured that request in burp suite
The price of the given product is $10000.
Now I am going to buy it in $10 as you can see my cart
Information Disclosure within a cookie
We can see username and password when we capture the request in burpsuite in cookie field
CONCLUSIONS
Experience has shown that a focused effort to problem outlined in this report can result in dramatic security improvements. Most of the identified problems do not required high-tech solutions, just knowledge of and commitment to good practices. For system to remain secure, however, security posture must be evaluated and improved continuously. Establishing the organisation structure that will support these ongoing improvements is essential in order to maintain control of corporate information systems. We conclude that the overall security needs to improve. We hope that the issues cited in this report will be addressed.
Thank you for reading this write-up.