Different Types Of Website Vulnerabilities (bWAPP)

Dolyetyus

Co Admin
21 Apr 2020
Delft


Hi, under this topic, bWAPP solutions will be given from beginning to end. We will complete it as the Web CTF Club. The steps will be as follows:
- Determination and Detection of the Vulnerability Type,
- Exploitation of the Vulnerability Type,
- Damage Caused by the Vulnerability Found and Methods of Closing the Gap.




1- HTML Injection - Reflected (GET). Reflected XSS: it is an error that occurs because the parameter expected from the user is entered in the form of a payload, and it causes an error because it is not treated as important. There is no significant damage to the server or database, but for security purposes the GET method can be prevented. First I show our default screen; it appears as an interface in this way:



Likewise, the code structure that concerns us in the background can be seen in this image.



First we enter data, we want to see what will appear, and when we enter the data:



Yes, that was what we wanted to learn: how it gives us an output. We learned it; now let's look at the code.



We saw in the code that it processes the text we enter directly, without any control. Now let's try it with HTML tags.



We write it with the <h1> header tag, and we see that it differs from the previous "Hydra" entry. Let's look at the code now.




As you can see, the code is processed in the form of <h1>Hydra</h1>; this is because there is no security code written where we enter data.



The precautions to be taken are to write code for control purposes, and to receive the submitted data with "POST" instead of "GET".




Source: https://www.turkhackteam.org/capture-flag/1934054-web-site-zafiyet-cesitleri-bwapp.html
Translator: Dolyetyus
 

Dolyetyus

21 Apr 2020
Solution For bWAPP SQL Injection (GET/Search)

First of all, what is SQL Injection (GET/Search)? In our example we have a movie database and we do a search; if there is a match in the database with the movie we typed, we get it with this GET. The error here is that there is a syntax error in the database, so we can run SQL commands in the search field due to a typo.


First of all, let's see if there are any vulnerabilities with the ' (quotation mark) sign, without doing anything else.



As you can see, we received a message stating that there was an error in the SQL syntax, and we also realized that there was no filtering.

Now let's try the UNION SELECT operation for the users table after entering a movie name.



We can explain the error we received as follows: our UNION SELECT operation, our attempt to access the data, was successful, but the reason for the error here is that the movies table (we do not know its name in the database) and the users table do not have the same number of columns.

Now let's select only 5 columns, as in the movies table. Let's remove the star between SELECT and FROM and put 1,2,3,4,5.



As you can see, we got the same error again. Since the movies table has 5 viewable columns here, let's keep trying from 6 onwards.

Let's try 7.



And yes, we managed to infiltrate the database, although there is no data that makes sense at the moment.

The precaution to be taken to prevent this leak is to filter the place where the query is made.





 

Dolyetyus

21 Apr 2020
bWAPP iFrame Injection (Low Security)

First, we select iFrame Injection from the top right and select "low" from the security level section. After selecting it, we press the "Hack" button.



As you can see, a robots.txt section appears before us.



We can see from the source code that an iframe is used.



We try to inject the code we want through the URL, in accordance with the source code and the URL, and reach the admin panel. (The BurpSuite tool could also be used instead of the URL.)



To prevent this injection, the iframe code must be written correctly and its configuration must be set correctly.




 

Dolyetyus

21 Apr 2020



Hi, today I am going to explain the HTML Injection - Reflected (POST) vulnerability. It has a simple logic.

The scenario is: there are places on the site where we can make entries (user entry fields, visitor message section, in-site search section, etc.). These print the data we entered on the screen.



How can we exploit this? Let's examine.

First of all, let's write any word and see what kind of change happens in the source code.



As you can see, it adds the things we enter directly into the code without any security measures.
Let's think like this: if I write code that will affect the structure of the site in these entry places, will it also add this code? Let's try.
I want to add a picture here. If I write this as HTML code, will it read this code and print my picture on the screen?

Code:
<img src="https://i.hizliresim.com/UXGP5l.png">



Let's click "Go".



Yeah! That's it! It printed the picture I entered with HTML code on the screen.

------------

Well, what does this mean? :)

The site is vulnerable because it processes the data it receives from us without passing it through certain filters.
And we can run code on the site as we wish. As you can see below, it added our code directly to the site.



This was all I had to tell. Good work to you all :D







 

Dolyetyus

21 Apr 2020
Cross-Site Request Forgery (Password)

This vulnerability allows you to manually change the parameters the site requests from you.
With request forgery, when you send a request to any user with the GET method (including its parameters), if the user is logged in, their password changes according to your request (including the admin).


Solution For bWAPP CSRF (Change Password)

First of all, we send the required password and confirmation password as asd, asd and look at the BurpSuite data.



These are the parameters sent, or that the site receives from us.



In order to repeat this process serially and not get tired, right-click in Burp Suite and choose Send To Repeater. The Repeater overview can be seen below.



After we are sure of our parameters, we click "Send" and "The password has been changed!" greets us.



We try again after changing one of the parameters to asd2.



As you can see, it threw the error "The password don't match!".



After that, we re-open Bee-Bug as if another user logged in, and we see that the bee bug password and username are no longer valid.



When we enter with the password we changed, we see that the bWAPP main menu opens.



The measures that can be taken to prevent the attack are:
Since the parameters are sent in the form of a URL, one of the measures that can be taken is to prevent the parameters that are open to intervention from being applied to the account by clicking on the link.




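The post above shows that the change-password request is accepted from any request that carries matching new/confirm fields. The following is an added example (not bWAPP's code and not the post author's) of the checks a password-change handler needs to defeat that: it refuses GET, demands a per-session anti-CSRF token, requires the current password, and only then compares the new fields. The `Session` class, the form field names and the user "bee"/"bug" fixture are constructed for the example.

```python
import hmac
import secrets


class Session:
    """Constructed server-side session: who is logged in, their current password
    (a real application stores a hash) and the anti-CSRF token issued with the form."""

    def __init__(self, user: str, password: str) -> None:
        self.user = user
        self.password = password
        self.csrf_token = secrets.token_hex(16)


def change_password(session: Session, method: str, form: dict) -> str:
    """Accept a password change only from a POST that proves it came from the
    site's own form (token) and from the user who owns the account (current password).
    The only check the post above shows is the last one, the new/confirm mismatch."""
    if method != "POST":
        # A GET link a victim can be tricked into clicking must never change state.
        return "rejected: password changes must not be triggered by a GET link"
    # Constant-time compare; a cross-site form cannot read the victim's token.
    if not hmac.compare_digest(form.get("csrf_token", ""), session.csrf_token):
        return "rejected: missing or wrong anti-CSRF token"
    if not hmac.compare_digest(form.get("current_password", ""), session.password):
        return "rejected: current password is wrong"
    if form.get("password_new") != form.get("password_conf"):
        return "rejected: the passwords do not match"
    session.password = form["password_new"]
    session.csrf_token = secrets.token_hex(16)  # rotate the token after use
    return "The password has been changed!"
```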
 

Dolyetyus

21 Apr 2020
Vulnerability: SQL Injection (Login Form/Hero)

The logic is this:
User inputs that are not passed through the necessary filters can affect the database.
We will also exploit this here. So what is the code that will have an effect?
I will use a payload for this. I'll share the link below as well.
You can find different payloads on other sites, and you can create your own payload with programming knowledge.


Payload: https://medium.com/@ismailtasdelen/sql-injection-payload-list-b97656cfd66b

The payload I chose is admin'or 1 = 1 or '' = '
_____________


Here is our vulnerable page:



_____________
When we type anything, it normally gives an error because the username and password are incorrect.
It does not allow us in.




_____________
Let's write our payload:




As you can see, welcome neo....
So? I mean, we got in without a username and password just because the necessary precautions were not taken.





That was all. Have a good day, mates...




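Both SQL injection posts (the movie search above and this login form) come down to the same defect: user input is pasted into the query text. The following added example (not bWAPP's code) reproduces that in an in-memory SQLite database and puts the parameterized form next to it, so the ' probe and the login payload from the posts can be compared against both. The table and column names, the movie row and the "neo"/"example" credential are constructed for the example; the post only shows that the movies table has 7 columns.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the movie and user tables."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE movies(id, title, year, genre, hero, imdb, stock)")
    db.execute("INSERT INTO movies VALUES (1, 'Iron Man', 2008, 'action', 'Tony Stark', 'n/a', 53)")
    db.execute("CREATE TABLE users(id, login, password)")
    # Constructed fixture; a real application stores a password hash, not the password.
    db.execute("INSERT INTO users VALUES (1, 'neo', 'example')")
    return db


def search_unsafe(db, title: str) -> list:
    """String-built query, as the vulnerable search page behaves: input is parsed as SQL."""
    return db.execute(f"SELECT * FROM movies WHERE title LIKE '%{title}%'").fetchall()


def search_safe(db, title: str) -> list:
    """Parameterized query: the input is bound as data and never parsed as SQL."""
    return db.execute("SELECT * FROM movies WHERE title LIKE ?", (f"%{title}%",)).fetchall()


def login_unsafe(db, login: str, password: str):
    """String-built login check; the post's payload turns the WHERE clause into
    login = 'admin' OR 1 = 1 OR ..., which matches the first user regardless of password."""
    sql = f"SELECT login FROM users WHERE login = '{login}' AND password = '{password}'"
    return db.execute(sql).fetchone()


def login_safe(db, login: str, password: str):
    """Same check with bound parameters: the payload is just a username that does not exist."""
    sql = "SELECT login FROM users WHERE login = ? AND password = ?"
    return db.execute(sql, (login, password)).fetchone()


def quote_probe(db) -> dict:
    """The ' probe from the search post: the unsafe query fails with a syntax error
    (the message the post shows), the safe one simply finds no title containing a quote."""
    try:
        search_unsafe(db, "'")
        unsafe = "no error"
    except sqlite3.OperationalError:
        unsafe = "syntax error"
    return {"unsafe": unsafe, "safe": search_safe(db, "'")}
```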

 

Dolyetyus

21 Apr 2020
Vulnerability: XSS - Reflected (Back Button)

The logic is:
When we click on any button within the site, the button directs us with commands.
Let's think illegally: how about trying to interfere with the button's commands? Let's try...




When we click the button, it takes us back. Let's look at the code.
See below: there is a command that directs the user. We will try to interfere with this.




We will use the Burp Suite tool to intervene.
You can understand the use of Burp Suite by watching videos.
Also, there are many topics related to this subject in the forum. You can use the search section.


First, let's go to the main page and run Burp, then select the open page and go there.



Today, for the first time, I wrote a payload by looking at the source code of a site. I will share it with you.
It's common, but I DID :D
Of course, you can find payloads on other sites or write your own.


Payload: '"><img src="https://i.hizliresim.com/7ozE4m.png">

Let's replace the Referer parts with the payload.



When we click on Forward, the site starts working and prints our picture on the screen.



Let's look at the source code:



No need to explain, you see...





 

Dolyetyus

21 Apr 2020
Subject: Man-in-the-Middle Attack (HTTP)

Everyone has heard of the man-in-the-middle attack. We will talk about it today.
The logic is simple: we get between the target and the server, and we catch whatever passes, because the information passes over us, whether it is a password or personal information, etc. We capture every entry the victim makes over the HTTP protocol.





There is also a login here.
We will listen to this network and try to catch the password entered by the user.




We will use Ettercap to listen to the network. It comes preinstalled on Linux.
There are many topics and videos about Ettercap in our forum. MITM can also be done with different software.
You can use the search section in our forum.


Let's run Ettercap.
We will see such a screen.
Let's hit Sniffing at startup, select our primary interface (you can type ifconfig and see) and confirm.
It will listen automatically.




Let's return to our page and log in:



As you can see, Ettercap has caught the user input.



Let me get to the point here: don't join every free Wi-Fi like that. Do not be on the same network with people you do not know. Use HTTPS whenever possible.

That was all I was going to tell. Good work...






 

Dolyetyus

21 Apr 2020
XSS Reflected - GET

The logic of the vulnerability is to run script code where any information or text is requested from us.
Let's go to our site and see how the site works. I entered "Ego1st THT Ego1st".




As you can see, it takes the name and surname values as they are and prints them below. Now let's try to run XSS code in the name field.



Yes, now let's look at the URL after running it.



As you can see in the picture and the title, this is not a stored vulnerability. In other words, another user does not get an error when entering the same page.
However, if the script code goes to the URL where it is run, the script code is run and many operations can be done, including accessing the user's information.
A simple filtering process will be sufficient as the measure. For example, printing it if there is a < or > sign at the beginning of the text.







XSS Stored User-Agent

There is a site that records and displays the date, IP Address, browser and system information every time we log in.



Now we open Intercept in Burp Suite and refresh the page. Then we write our script code instead of the User-Agent information sent to the site by our computer.



When we forward with Intercept open, it gives us /bWAPP/'xx:xx'onerror=alert(1) in the middle; when we try it, we see that our script code does not work.



Let's try by changing our script code this time.



As you can see, we managed to get the "1" message. From now on, every person entering the site will see the "1" message.



The precaution to be taken to close the vulnerability is the filtering process.




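The HTML injection, reflected XSS (name field and Referer), stored User-Agent XSS and iFrame injection posts in this thread all end with "filter the input". As an added example (not bWAPP's code and not from the post author), the functions below show the defender's side as output handling per context instead: the page text context for the name field, the quoted-attribute context that the User-Agent and Referer payloads break out of with a quote rather than with < or >, and the URL context of the iframe parameter, where escaping alone is not enough and only same-site paths are accepted. The sample values are the payload shapes shown in the posts; the `/bWAPP/` prefix and the fallback target are assumptions.

```python
import html
import posixpath
from urllib.parse import urlsplit


def text_context(value: str) -> str:
    """Untrusted data as HTML text (the name field of the HTML Injection posts):
    escaping & < > " ' means <h1>Hydra</h1> is displayed literally, not rendered."""
    return "<p>Welcome " + html.escape(value, quote=True) + "</p>"


def attribute_context(value: str) -> str:
    """Untrusted data inside a quoted attribute (the stored User-Agent, the reflected
    Referer): those payloads close the attribute with a quote, not with < or >, so
    quotes must be escaped as well; html.escape(quote=True) covers both kinds."""
    return '<input type="text" value="' + html.escape(value, quote=True) + '">'


def iframe_src(value: str, allowed_prefix: str = "/bWAPP/") -> str:
    """Untrusted data as a URL (the iFrame Injection post). Escaping cannot make a
    javascript: or foreign-host URL safe, so only a normalized same-site path under
    the assumed prefix is accepted; anything else falls back to a fixed default."""
    parts = urlsplit(value)
    path = posixpath.normpath(parts.path)  # collapses /bWAPP/../x to /x
    if parts.scheme or parts.netloc or not path.startswith(allowed_prefix):
        path = allowed_prefix + "robots.txt"  # assumed default target
    return '<iframe src="' + html.escape(path, quote=True) + '"></iframe>'


# Constructed samples, following the payload shapes the posts above show.
SAMPLE_NAME = "<h1>Hydra</h1>"
SAMPLE_USER_AGENT = "'xx:xx'onerror=alert(1)"
SAMPLE_REFERER = '\'"><img src="https://i.hizliresim.com/7ozE4m.png">'
SAMPLE_IFRAME_PARAM = "javascript:alert(1)"
```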

 