
Test Report: Pen-Testing Library App (Group 12's App)

Group 13
Stefani IVANOVA; Natalia FILIPKIEWICZ; Carles JUAN MARTINEZ; Michael COZZOLINO; Timothée CAPALDI.
Contents

The application 3
Testing conditions 4
SQL injection 5
XSS and File Upload 6
Brute Force 9
Path traversal 10
Conclusion and advice 11
    Advice 11

The application
The application is a book store app. It is accessible at
http://sepr.myvisiontoday.com/sepr/.

Testing conditions
We perform a black-box penetration test (we have no information about the design or
structure of the website) with only a test username and password, which we use to try out
the functionality before attacking it.

Test account username/password: test/test.

Practical tests:

● SQL injection
● Brute force
● XSS
● File upload
● Path traversal

SQL injection
The first thing we try is SQL injection through the URL of a book details page:
http://sepr.myvisiontoday.com/sepr/book_description.php?isbn=0071592539

Test: assuming the page runs the query select * from book where isbn='12345', we injected ' or 't'='t':
http://sepr.myvisiontoday.com/sepr/book_description.php?isbn=0071592539' or 't'='t'

Result: SQL error

Warning: mysqli_num_rows() expects parameter 1 to be mysqli_result, boolean given in
/home4/myvision/sepr.myvisiontoday.com/sepr/book_description.php on line 9

Warning: Cannot modify header information - headers already sent by (output started at
/home4/myvision/sepr.myvisiontoday.com/sepr/book_description.php:9) in
/home4/myvision/sepr.myvisiontoday.com/sepr/book_description.php on line 10

We also tried it using Kali Linux. The tool returned false positives, but we were able to
learn the version of the database:

As the screenshot shows, the parameter number (GET) seems to be injectable, but it is a
false positive. The server sits behind some kind of WAF/IDS/IPS.
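The warning quoted above shows mysqli_num_rows() being handed the false that mysqli_query() returns when a query fails, and the failure being reported to the client together with the server path. Below is an added example, not the application's code, of how the lookup behind book_description.php can be written so that the isbn value is validated and bound rather than concatenated, and so that any database error goes to the server log only (this also covers the third piece of advice in the conclusion). The table and column names (book, isbn) are taken from the query the report quotes; the connection parameters are placeholders.

```php
<?php
// Added example (not the application's code): a book lookup that neither
// lets the isbn parameter reach the SQL parser as text nor echoes PHP
// warnings. Table and column names come from the query quoted in the
// report; connection parameters are placeholders.
ini_set('display_errors', '0');   // never show warnings to the client
ini_set('log_errors', '1');       // keep them in the server error log
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw, don't return false

function findBookByIsbn(mysqli $db, string $isbn): ?array
{
    // Reject anything that is not an ISBN-10 (last digit may be X) or an
    // ISBN-13 before it goes anywhere near SQL, so a value such as
    // 0071592539' or 't'='t' is refused at this line.
    if (!preg_match('/^(\d{9}[\dX]|\d{13})$/', $isbn)) {
        return null;
    }
    // Prepared statement: the value is bound as data, never concatenated.
    $stmt = $db->prepare('SELECT * FROM book WHERE isbn = ?');
    $stmt->bind_param('s', $isbn);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

try {
    $db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME'); // placeholders
    $book = findBookByIsbn($db, $_GET['isbn'] ?? '');
    if ($book === null) {
        http_response_code(404);
        echo 'Book not found.';   // same answer for a bad value and an unknown ISBN
    } else {
        foreach ($book as $column => $value) {
            // Encode on output so stored data cannot inject markup either.
            echo htmlspecialchars((string) $column, ENT_QUOTES, 'UTF-8') . ': '
               . htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8') . "<br>\n";
        }
    }
} catch (mysqli_sql_exception $e) {
    error_log('book_description: ' . $e->getMessage()); // detail to the log only
    http_response_code(500);
    echo 'Internal error.';        // generic message, no path or line number
}
```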

XSS and File Upload

The next test is to upload a script, i.e. a cross-site scripting (XSS) attack.

On the upload book page we tried to upload a ".js" file containing <script>alert("hello")</script>.

A check allows only txt files to be uploaded.

The page also states that once a file is uploaded, the developers choose whether or not to
add an entry for it. Human verification is a control we cannot break.
This attack did not work.

We also tried to modify the request with Burp, changing the file type or inserting a null
byte in the file name, but that did not work either:

We changed the name to index.phpD.txt in the request, inserting a null byte in place of the
"D". It does not work.

The last test was posting a message in the forum. When we submitted a message containing
a script, the server blocked the content.

However, we did find a stored XSS vulnerability in the forum with the following payload:

And this is our result:
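The forum blocked a message containing a script tag, yet a stored XSS was still possible, which is the usual outcome of filtering input for known-bad tags instead of encoding output. The following added example (not the application's code; the message store is simulated with an array of constructed posts) contrasts the two approaches: a filter that strips one tag name, and htmlspecialchars() applied when the post is rendered, which leaves no submitted text to be parsed as HTML whatever tag it contains.

```php
<?php
// Added example (not the application's code): two ways of handling forum
// posts. Storage is simulated with an array of constructed messages.

// Tag blacklist, which is what "the server blocks <script>" amounts to:
// it removes one tag name and leaves every other piece of markup intact.
function blacklistFilter(string $message): string
{
    return preg_replace('#</?script[^>]*>#i', '', $message);
}

// Output encoding: the post is stored as typed and encoded at render time,
// so the browser never sees a tag, whatever the poster wrote.
function renderPost(string $message): string
{
    return '<p class="post">'
        . nl2br(htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8'))
        . '</p>';
}

// Constructed sample posts; the first is the payload the report used on
// the upload page.
$posts = [
    '<script>alert("hello")</script>',
    "Great book, 5/5\nWould read again.",
];

foreach ($posts as $post) {
    echo 'blacklist: ', blacklistFilter($post), "\n";
    echo 'encoded:   ', renderPost($post), "\n\n";
}
// With the blacklist a post is only as safe as the list of tag names it
// knows; with encoding every character that can start markup (&, <, >,
// quotes) is escaped before output, and only the newline becomes <br />.
```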

Brute Force
After those tests, we tried to brute-force the password on the login page. To do this we
took the most popular passwords from the internet and copied them into a text file, then
put admin as the username in front of every password. We then pointed the brute-force
tool at the text file and ran it. The tool needed about 10 minutes to test all the passwords
we had inserted; had there been a match we would have been logged in to the system. In
our case no password matched, so we could not log in. The following iMacros script is the
code we ran to brute-force the system.

iMacros script:

VERSION BUILD=8970419 RECORDER=FX
TAB T=1
' Credential file: one "username,password" row per line; {{!LOOP}} selects the row for this iteration
SET !DATASOURCE C:\logins.txt
SET !DATASOURCE_COLUMNS 2
SET !DATASOURCE_LINE {{!LOOP}}
' The URL GOTO line is commented out; BACK at the end returns to the login page after each attempt
'URL GOTO=http://sepr.myvisiontoday.com/sepr/login.php
' Fill the username field from column 1
TAG POS=1 TYPE=INPUT:TEXT FORM=ACTION:login.php ATTR=NAME:username CONTENT={{!COL1}}
' Pass the password as plain text rather than in iMacros' encrypted form
SET !ENCRYPTION NO
' Fill the password field from column 2 and press the login button
TAG POS=1 TYPE=INPUT:PASSWORD FORM=ACTION:login.php ATTR=NAME:password CONTENT={{!COL2}}
TAG POS=1 TYPE=BUTTON FORM=ACTION:login.php ATTR=NAME:login_user
BACK

This is the list containing all the usernames and passwords we tried to brute-force:
● logins.txt
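The ten-minute run described above went through the whole list without the login page slowing it down or locking the account; only the password itself stopped it. As an added example that is not the application's code, the following adds server-side failed-login throttling to login.php, a control the advice section does not list: a per-username failure counter with a temporary lockout and one log line per failure. It assumes the APCu extension for the counters; the credential check is a constructed stand-in for the app's own.

```php
<?php
// Added example (not the application's code): per-username failed-login
// throttling for login.php. Counters live in APCu, assumed to be
// installed; a database table would serve equally well.
const MAX_FAILURES = 5;      // failures allowed before a lockout
const LOCKOUT_SECONDS = 300; // length of the lockout
function attemptsKey(string $username): string
{
    return 'login_fail:' . strtolower($username);
}

// Seconds the account stays locked, or 0 if it is not locked.
function lockoutRemaining(string $username): int
{
    $state = apcu_fetch(attemptsKey($username));
    if ($state === false || $state['count'] < MAX_FAILURES) {
        return 0;
    }
    return max(0, $state['until'] - time());
}

function recordFailure(string $username, string $clientIp): void
{
    $key = attemptsKey($username);
    $state = apcu_fetch($key) ?: ['count' => 0, 'until' => 0];
    $state['count']++;
    if ($state['count'] >= MAX_FAILURES) {
        $state['until'] = time() + LOCKOUT_SECONDS;
    }
    apcu_store($key, $state, LOCKOUT_SECONDS);
    // One log line per failure, so a dictionary run is visible to the admin.
    error_log(sprintf('login failure user=%s ip=%s count=%d', $username, $clientIp, $state['count']));
}
// Constructed stand-in for the app's own credential check (one account).
function checkPassword(string $username, string $password): bool
{
    $hashes = ['test' => password_hash('test', PASSWORD_DEFAULT)];
    return isset($hashes[$username]) && password_verify($password, $hashes[$username]);
}

// Use inside the login handler:
$user = $_POST['username'] ?? '';
if (lockoutRemaining($user) > 0) {
    http_response_code(429);
    exit('Too many failed attempts; try again later.');
}
if (checkPassword($user, $_POST['password'] ?? '')) {
    apcu_delete(attemptsKey($user)); // success clears the counter
} else {
    recordFailure($user, $_SERVER['REMOTE_ADDR'] ?? 'unknown');
    exit('Invalid username or password.'); // same message in both failure cases
}
```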

Path traversal
The next technique we tried was path traversal, by requesting the following URL:
● http://sepr.myvisiontoday.com/sepr/DB/registration.sql

We get the whole database content and structure, because the group put backup files inside
the web site itself (strictly speaking this is direct access to backup files left under the
web root rather than a traversal out of it).

Furthermore, by requesting these:

● http://sepr.myvisiontoday.com/sepr/DB/23-03-2018/registration_users.sql
● http://sepr.myvisiontoday.com/sepr/DB/23-03-2018/registration_board.sql
● http://sepr.myvisiontoday.com/sepr/DB/23-03-2018/registration_books.sql

We were able to see the users, the board and the books data recorded in the system.

For example, the users:

Conclusion and advice
To conclude, we review the vulnerabilities we found. Path traversal and XSS were not well
protected, but we were not able to bypass the other controls.

No SQL injection was possible because inputs are correctly protected. Some protection is
provided by the hosting service, something like a WAF, IPS or IDS. Moreover, we think the
developers have also implemented some protection of their own.

It was also impossible to upload a malicious file because the check only allows txt files,
and furthermore files are only published once reviewed by the developers.

In the case of XSS we found some vulnerabilities in the forum; they are of the stored type.

Brute force did not work because user passwords are required to include capital letters and
numbers. On the other hand, the admin password was very easy to guess without any tool.

Finally, path traversal worked well because the database was simply accessible at
http://sepr.myvisiontoday.com/sepr/DB/registration.sql. We only had to request the file we
wanted and it was displayed.

Advice
After this pen-test, we can give the owners of the website the following advice to add
more protection.

1st: Host the database on a secured server instead of under /DB on the web server.

2nd: Fix the XSS vulnerability by checking other tags, not only script.

3rd: Showing errors on the client side is bad practice. A malicious attacker can use them
to gather information about the server and learn possible vulnerabilities: there are
several web pages listing the known vulnerabilities of each server once its version is known.
