Video Activity

Vulnerability Scanning (part 5) WebApp, XAMPP, WEBDAV, nikto

Video Transcript

Okay. One thing we've neglected is our web applications on both Ubuntu and XP. Many systems have a web application, or they at least have a web server. We'll look at more web application work later on in the course. We have a custom web application on Windows 7, whereas both of these are just gonna be more like off-the-shelf kinds of web applications. But we should see a fair number of these, particularly internally.

I see a lot of Tomcat, JBoss, ColdFusion, things like that lying around, like HP web management or remote management, all sorts of power management kind of home pages; just a lot of things that have web interfaces as part of the software. It's not its full function, like XAMPP, which we have examined here, and like Tomcat and things, which are web servers. But sometimes you just see stuff where it's just web server functionality for whatever is running, and that may have some bad configuration settings that give us access. We particularly like stuff that lets us upload code and run it, or gives us access to a database or something like that. We saw that a MySQL database is running on XP, but we don't have access to it. If we actually try to talk to it, we try and do:

MySQL, host 1 91 68 at one of 76: not allowed to connect to the server. We saw it came out in Nmap and said it was unauthorized, or actually not allowed to connect to it. It would be nice if we could. Maybe we'd be able to see interesting data or, better yet, run commands on the system. So maybe there's another way. Who knows? Well, let's take a look at our two web servers. Usually just browsing to them would be a good idea. Like we saw, this is XAMPP 1.7.2; Nmap found that with the scripting engine. So it doesn't look particularly interesting, it's like a splash page, but there are a couple of things that you always want to check for with XAMPP. And of course, this is gonna be XAMPP-specific; you'd have to come up with something else for Tomcat or JBoss or something.

There are, again, certain things you can look for, really like open access and the ability to upload stuff. If we can upload files to it and then execute them on the web server, be it Java files or PHP files (like this would be PHP, but with Tomcat or JBoss it would be Java). If we can upload like a WAR file and execute it, that would be awesome as well. So you may find something like that in some of your environments. Um, then again, access to back-end databases. So we have possibly the ability to upload files: XAMPP may have WebDAV enabled. It looks like there is a WebDAV test page here. So a tool I like to use to talk to WebDAV is called cadaver. I want to talk to the Windows box's WebDAV. No, it helps if you spell cadaver correctly. Whatever. And this one does require authentication, like IIS; older versions of IIS would, like, have open WebDAV, and that caused problems. This one does actually have credentials, it does require a username and password. But on setup, it doesn't actually ask you to set one, so it may have a default.

We could ask it. Let's see. So this is XAMPP 1.7.2 with, uh, occurred in shows are never spill credentials, right? Oh, I did exploit XAMPP WebDAV with the Metasploit Framework: xampp_webdav_upload_php. "It looks like weak WebDAV passwords on XAMPP servers; it uses supplied credentials to upload a PHP payload and execute it." It looks like there's a Metasploit module trying to do what we're trying to figure out if we can do. So if this does indeed work, if we can find credentials, we could use Metasploit for it, or we could do it manually. Nothing like celebrity edge. At least it's not for ***, right? What does it say? What are the defaults? I wonder if the Metasploit module says. Let's see, it looks like in the Metasploit module it has defaults in here, like our pass is xampp and our user is wampp. So I wonder if that's the default. No reason not to at least try it.

So the username is wampp and the password is xampp. Well, that seems to have worked. We're now logged in, so we should be able to use this to upload files, potentially even code. XAMPP is gonna be PHP-based, so we want to create PHP payloads as opposed to like a Java WAR file if we were working with Tomcat or JBoss. But we'll see if that works in the exploitation phase. So potentially we have access here, and it's a weak password issue, a default password issue. I see that very, very often, and it's often a good way to get a foothold in the environment. Exit out of here for now. Another thing we might want to look at: if there's a phpMyAdmin. phpMyAdmin is gonna be for the database; that should require credentials. Unfortunately, on some XAMPP versions, it didn't by default require any credentials. There wasn't even a default, there's just nothing. Open it; it says "Your configuration file contains settings (root with no password) that correspond to the default

MySQL privileged account. Your MySQL server is running with this default, is open to intrusion, and you really should fix this security hole by setting a password for root." Unless you know about this or want to spend the time to read the manual when you install something, rather than getting started on your coding, chances are you're not going to bother to do so. This actually gives us access to that MySQL database that we were previously unable to connect to. We can go to the SQL tab here and run any SQL queries we like. So it's like, oh, it's secure because nobody can attach to it but the local host. Well, that's all well and good, except we have this phpMyAdmin that's open to the world. Oops. That's definitely something we want to look at. Unfortunately, we're going to have to figure out how to do SQL queries, which I didn't pay too much attention to in database classes, so I generally have to Google it. But we will find something that works and run it; that is pretty cool there. So even though there's not really a website here, we found two ways that might be interesting to us here. Let's take a look at the Linux first. "It works": the default install page for Apache. That's all exciting, but it's just the page that says "It works." Good luck trying to exploit that.

I wonder if there's anything lying around here. Um, wonder if it has phpMyAdmin? No. I don't know if it has WebDAV? Um, okay, no. So I could just keep guessing, or hopefully I would come up with the grand idea that maybe I should use a tool to do this. It seems like an ideal thing for a tool to do, kind of like brute-forcing off a word list of potential directories. One tool for doing this is called DirBuster. DirBuster does have a GUI. Our target URL: well, 192.168.1... port 80. Then you need to give it a word list. /usr/share/dirbuster, whoops, should have a default word list in here. You, of course, will look at password testing, but you can always put in your own word list if you want to. Um, directory-list 1.0? Let's just do the small one and see if it finds something. So this is always something worth looking at.

And it does specifically look for directories that are potentially hidden. Another tool I like... It finds like the defaults, like /icons and stuff. Another thing that's like, if somebody finds a way to use those to exploit something, that will be very famous because it comes up everywhere. Uh, may or may not find anything interesting. Another tool I like for this sort of thing is something called Nikto. All we have to do by default with Nikto is just give it a host. What Nikto is going to do is it looks for... it's very similar to like Nessus for web applications, which against custom web applications makes it all but useless. We'll see custom web applications later on, but against known applications, like it's looking at the web server in here, it can find known vulnerabilities. It basically has a database of known vulnerabilities and checks to find them. So whereas it's not gonna find, like, SQL injection in your custom login page, it is going to be able to find if you have commercial off-the-shelf software

or open source software, which you do see a lot; people don't always write their own stuff. They use other free tools or buy something for their wikis or payroll or time sheets or things like that. So you often find things that are off the shelf. So it looks like this did find a few things: out-of-date Apache stuff, the TRACE option, the /icons directory again, which DirBuster also found, um, session ID without the HttpOnly flag. I generally report on stuff like that; missing the Secure flag and HttpOnly flag on our cookies, that could potentially, in the case of like a cross-site scripting attack, be an issue. But most interesting here is this Tiki Wiki graph formula. So not only did it find something called Tiki Wiki (it seems to have found our hidden directory) but it also found a vulnerability in that software: "Tiki Wiki contains a vulnerability which allows remote attackers to execute arbitrary PHP code." So sure enough, we take a look at Tiki Wiki. There it is. This is version 1.9.8 on...

So this is Open Source Vulnerability Database 44 7 8, of course. We can always go to the vulnerability repositories. Most exciting. It didn't take me to Google. You see what my hosting provider is; right now we've just gained information about me, at the very least figured out where I live to a certain extent. Um, uh, looks like they have Cloudflare. Yes, well, they should; I imagine they get attacked a lot, since it's by the same people who make attrition. Um, have some more information about those command execution flaws. So command execution flaws are always nice because we don't have to necessarily do anything like a buffer overflow, which is much more likely to cause a crash. It's just like an unsanitized parameter in a web application, less likely to cause a problem; that'd be something we might want to attack. So again, we're gonna look at custom web applications in the web application section. This is just kind of the web applications that you will run into: web application software like XAMPP, or add-ons like this Tiki Wiki, that may be subject to security issues that will give you access to the systems.
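The findings the video walks through (WebDAV methods advertised by the server, cookies missing the Secure and HttpOnly flags as Nikto reports them, and phpMyAdmin's "root with no password" warning) can be checked from a captured response. The following is an added example, not code from the course or the instructor; the HTTP responses in it are constructed, and the header names and warning text are the standard ones, so nothing is sent over a network.

```python
# Added example (not from the course or the speaker): audit captured HTTP
# responses for the misconfigurations discussed in the video. All responses
# below are constructed samples, not captures from a real host.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
PMA_WARNING = "root with no password"   # fragment of the phpMyAdmin warning text


def cookie_findings(set_cookie_values):
    """One finding per missing Secure / HttpOnly attribute on each Set-Cookie value."""
    findings = []
    for value in set_cookie_values:
        parts = [p.strip() for p in value.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "httponly" not in attrs:
            findings.append(f"cookie {name} missing HttpOnly")
        if "secure" not in attrs:
            findings.append(f"cookie {name} missing Secure")
    return findings


def webdav_findings(allow_value):
    """Flag WebDAV methods (plus PUT, which allows uploads) advertised in an Allow header."""
    methods = {m.strip().upper() for m in allow_value.split(",") if m.strip()}
    found = sorted(methods & (WEBDAV_METHODS | {"PUT"}))
    return [f"WebDAV/upload methods advertised: {', '.join(found)}"] if found else []


def audit_response(headers, body):
    """headers: list of (name, value) pairs as captured; body: decoded response text."""
    findings = cookie_findings([v for n, v in headers if n.lower() == "set-cookie"])
    for name, value in headers:
        if name.lower() == "allow":
            findings += webdav_findings(value)
        elif name.lower() == "dav":
            findings.append(f"DAV header present (compliance classes {value})")
    if PMA_WARNING in body:
        findings.append("phpMyAdmin reports the MySQL root account has no password")
    return findings


# Constructed sample responses: an OPTIONS reply from a WebDAV-enabled server
# and a phpMyAdmin page served over plain HTTP.
SAMPLE_OPTIONS = [("Allow", "OPTIONS, GET, HEAD, POST, PROPFIND, PUT, DELETE, MKCOL"),
                  ("DAV", "1,2")]
SAMPLE_PMA = [("Set-Cookie", "phpMyAdmin=abc123; path=/"),
              ("Set-Cookie", "pma_lang=en; path=/; HttpOnly")]
SAMPLE_PMA_BODY = ("<p>Your configuration file contains settings (root with no password) "
                   "that correspond to the default MySQL privileged account.</p>")

if __name__ == "__main__":
    for finding in audit_response(SAMPLE_OPTIONS, "") + audit_response(SAMPLE_PMA, SAMPLE_PMA_BODY):
        print("-", finding)
```

Running the script lists each finding once; on a real host you would feed it the headers and body from your own capture of the OPTIONS reply and the phpMyAdmin page.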

Course link:
Advanced Penetration Testing Course & Pen Testing Training
The Advanced Penetration Testing course teaches the cyber attack lifecycle from the perspective of an adversary. Become more familiar with the most widely used penetration-testing tools, manipulate network traffic, and perform web application attacks such as cross-site scripting and SQL injection.
Instructed by
Georgia Weidman

I am the founder and CTO at Shevirah and Bulb Security LLC. I am a serial entrepreneur, penetration tester, security researcher, speaker, trainer, and author. I hold an MS in computer science, and I also hold the CISSP, CEH, and OSCP certifications.