Posted on 4 Comments

WordPress vulnerability assessment with WPscan

Good Evening friends. Hope you’re fine. After focusing on Joomla for some time, with this howto I have decided to focus on another popular CMS, that is WordPress. This howto is a pre-prequel to one of my articles on how to hack wordpress right here. This howto will have two other sequels and watch out for some easter eggs in this howto. ( Mind my talk about sequels, prequels and easter eggs, but did I tell you I am a big Marvel fan). Ok, ok, ok. Now let’s begin. The tool we will use here is called WPscan. WPScan is a black box WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues and also for enumeration. It is by default installed in Kali Linux Sana. Now open a terminal and update our tool by typing command as shown below.

To scan a wordpress website, you have to give the url as shown below. For this howto, I am using a local installation of wordpress as target.  Assign the target as shown below. The scan will start as shown below.

Here are the screenshots of result of this scan. . As you can see we have  13 vulnerabilities in the present installation and the vulnerabilities are given below.

One of the easiest ways to hack a wordpress site is to exploit the plugins installed in the target as most of the wordpress vulnerabilities nowadays exist in the plugins installed on it. So it is very important to enumerate the plugins installed on our wordpress target. We can enumerate the plugins using the “enumerate” option as shown below.

The scan result will be as shown below.( And there you have the first Easter egg). So totally we found four plugins. The first one is Ajax Load More Plugin. As the red exclamation mark shows, it is vulnerable and we have seen how to exploit this vulnerability in the sequel I told you about. If you haven’t gone through it, it’s here.

The second plugin is the vulnerable version of Akismet.

The third vulnerable plugin is the WordPress Slider revolution plugin. We will see more about this in our next howto.

Another important aspect to find vulnerabilities in the wordpress is its theme.  Now let’s enumerate the theme as shown below. The vulnerabilities present in the theme are given below.

After that let’s enumerate the users in our remote target as shown below.

We can see that the only username in our target. That’s WPscan for you. Hope it was helpful to you and wait for the sequels.

Posted on

Joomscan : Vulnerability assessment of Joomla

Joomla is one of the most popular  CMS which is widely used for its flexibility, user-friendliness and extensibility. The downside of  popularity in software world is that it becomes a target for hackers.  We have just recently seen how to exploit some recent vulnerabilities in Joomla. It would be pretty helpful if the users or testers know the vulnerabilities in their Joomla CMS before any hacker takes advantage of them. Joomscan is one such tool which will help web developers and web masters to help identify possible security weaknesses on their deployed Joomla! sites.

Joomscan has features like

Exact version Probing
Common Joomla! based web application firewall detection
Searching known vulnerabilities of Joomla! and its components
Reporting to Text & HTML output
Immediate update capability via scanner or svn.

Joomscan is installed by default in Kali Linux. Now let’s see how to use this tool. Open a terminal and type command “joomscan update” first. We will update the tool first.

Once the tool is updated as shown above, type command “joomscan” to see the options as shown below.

Next, give the target joomla website as shown below. In this howto, I’m using my own Joomla website.

The result would seem like below. Below we see that our target doesn’t have any firewall, it’s server is apache and it is powered by PHP version 5.3.10. Unfortunately it didn’t detect the version. Hmm, no probs.

Next it will scan for vulnerabilities and check whether if this site is vulnerable for a particular vulnerability as shown below.

At the end, it will show us the number of vulnerabilities present in our target.

We can see that our target has 2 vulnerabilities as shown in the above image. We will see how to exploit those vulnerabilities in our future howtos. But for now we have successfully performed a vulnerability assessment of our target.

Posted on 3 Comments

SQL Injection with Sqlmap : Step by step guide

Hi Friends. Today we will see how to perform SQL injection with  Sqlmap. Sqlmap  is an “open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers “. It is pre-installed in Kali Linux. For this tutorial I am using Vulnerawa as target and it is necessary to setup a webapp pentest lab with it. See how to set up a webapp pentest lab.

If the webapp pentest lab is all ready. Open the browser in Kali linux and type the address as shown below.( the ip address may differ for you ). You should see the Vulnerawa web page as shown below. Click on “About”.

The below webpage will open. It shows about the founders of Vulnerawa.

Click on “founder 1”. It will show brief details about him as shown below.

Similarly go back and click on “Founder 2” and “Founder 3”. The result will be as below.  Now if you have observed, the “id” parameter in the URL changes as we click on different users. For founder 1, it is 1 and sequentially.

Now introduce a single quote( ‘ ) character in the URL. after the number as shown below.

Click on “Enter” and the page will show an error as shown below. “You have an error as shown below……..”. This is a clear sign that the webpage is vulnerable to SQL injection.

Now open SQLmap from the path as shown below.

Now copy the vulnerable url and type the following command the terminal. Here -u stands for url.

The result will be as shown below. It will reveal the website technology and the scripting language used.

Now let’s grab the banner of the website. Type the following command and hit “Enter”.

You can see the banner as shown below.

To see the current user of the website, type the following command.

The current user  can be seen as below.

Now let us see the current database used by the website. Type the following command.

We can see that the current database is “Vulneraw”.

Now let us see all the tables present in the database “Vulneraw” by using following command.

We see that we have only one table in the current database. The table is “users”.

Now lets see the number of columns in the table “users”. Type the following command.

We see there are four columns in table “users”.

Now let’s dump the values of two columns username and password by typing the following command.

The result is as below. we got the username and passwords.

\

If we want to dump all the entries of the table, type the following command.

Here are the entries.

Now let’s see if we are lucky enough to get the shell of the target. Shell is the target machine’s command line or terminal. Type the following command.

It will prompt us to enter the application language being used by the website. We already know it is PHP. Enter its value. Next it will prompt you to enter the writable directory. You cam choose your option wisely. I chose the default root directory for Wamp server. Hit on “Enter”.

I successfully got the os-shell. Now let’s try some commands. Type “dir” to see the contents  of the root directory. It works as shown below.

Let’s see how many users are there on the system. Type the command “net user” . We can see the users listed as below. Happy hacking practice.

To find sites vulnerable to this sql injection use google dork “site:.com inurl:id=1” or similar dorks. That’s all in this tutorial. 

Posted on 21 Comments

SQL injection with Havij : Step by step guide

NOTE : This is strictly for educative purposes.

Havij is an automated SQL injection tool. To say in the own words of its creators,

” Havij is an automated SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities on a web page. It can take advantage of a vulnerable web application. By using this software, user can perform back-end database fingerprinting, retrieve DBMS login names and password hashes, dump tables and columns, fetch data from the database, execute SQL statements against the server, and even access the underlying file system and execute operating system shell commands. “

It is available both in free and commercial versions. Today we are going to see how to dump the contents of a database using Havij. For this I am going to use the free version. First download Havij from here and install it. Then open it and enter the vulnerable page url in the target column ( for this tut I am using my own vulnerable webpage ).

Set the database option to ‘auto detect‘ and hit analyze. This should show you the current database name as shown below.

Click on the “info” tab. This will show you information about the victim’s system. We can see information like Host IP address, web server version etc.

Click on the “Tables” tab.

Click on “Get DBs” option. This will list all the databases as shown below.

To get tables in a specific database, select the database and click on Get Tables”. This will list all the tables present in the selected database. I selected database “shunya” here.

We can see that there is on table ‘users’ in our database ‘shunya’ .To get columns , select the table ‘ users’ and click on “Get Columns”.

This will list all the columns in the table. We can see that we have five columns in the table ‘users’.all the columns. It’s time to dump the values of columns. Select the columns whose data we want to dump and click on Get data”. Here I selected all the columns.

We got all the data including usernames and passwords. But passwords seem to be encrypted. No problem. Click on the password hashes and copy them. Then click on MD5″ tab and paste the password. Click on “Start”. Havij automatically decrypts the password for us. Decrypt all passwords in the similar manner.

Click on “Find admin”. This option finds the admin  page of the website automatically. When it finds the admin page, you can try the username and passwords to get access to the website. Hope this was helpful.

Posted on 2 Comments

Nmap – Target Specification

Nmap is a popular port scanner. Today we are going to see target specification in nmap. In Nmap target can be specified in six different ways. We are going to look at each one of them. For this, I am using Kali Linux connected internally with IP address 10.10.10.2.

1. nmap -iL <input filename>

This option reads targets from a specific file. Let’s create a file named alpha with a few   newline separated or tab-limited or space separated IP addresses using vi on Desktop.

Then, move to Desktop directory and type the command “nmap -iL alpha” as shown below. It scans the four IP addresses listed in our file.

2. nmap -iR <number of hosts>

This option is used to specify random hosts to scan. Nmap generates its own targets to scan. The <number of hosts> argument tells nmap the number of IP’s to generate. Let’s type command “nmap -iR 5″. We can see that nmap generated five random targets to scan. The scan failed to determine route to the generated IP addresses because my system is not connected to Internet. Why didn’t it generate any internal IP addresses? Because in this scan private, multicast and unallocated address ranges are automatically skipped.

3. nmap <IP address/dir>

This option is used to scan the entire subnet.  Assuming you know CIDR let’s type the command nmap 10.10.10.1/29 to scan eight IP addresses from 10.10.10.1 to 10.10.10.8 and see the result below.

4. nmap [targets] -exclude[targets]

This option specifies a comma separated list of targets to be excluded from the scan even if they are part of overall network range we specify. For example, in our previous scan we saw that one host 10.10.10.2( which is the system I am working on) is alive. Now I decided to exclude that host and another host from the scan. So I type the command “nmap 10.10.10.0/29 -exclude 10.10.10.2,10.10.10.7″ and press “Enter”. We can see that nmap has only scanned six IP addresses.

5. nmap [targets] -excludefile[file name]

Now what if the subnet was very big and there are more number of hosts to be excluded from the scan. The above option helps us to achieve this. Remember the file “alpha”( with four IP addresses) we created. Now let’s specify nmap to quit scanning the hosts listed in the file. Type command “nmap 10.10.10.0/29 -excludefile alpha”. We can see that nmap scanned only four hosts in the subnet.

6. nmap [target1 target2  target3]

This option specifies nmap to scan multiple targets separated by space. Type the command  “nmap 10.10.10.1 10.10.10.2″. We can see the result below.

Hope this was helpful.